
Official Microsoft Learning Product

20417A

Upgrading Your Skills to MCSA Windows Server 2012

MCT USE ONLY. STUDENT USE PROHIBITED

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.

Product Number: 20417A


Part Number: X18-48638
Released: 08/2012


MICROSOFT LICENSE TERMS


OFFICIAL MICROSOFT LEARNING PRODUCTS
MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.

g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.

h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led
courseware that educates IT professionals or developers on Microsoft technologies.

j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.

k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.

m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.

2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.

a. If you are an Authorized Learning Center:


i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure
server located on your premises where the Authorized Training Session is held for access and
use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching
the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom
Device for access and use by one (1) End User attending the Authorized Training Session, or by
one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior to
their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their accessing
the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,


5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.

b. If you are an MPN Member:


i. If the Licensed Content is in digital format for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1)
Classroom Device, or (B) one (1) dedicated, secure server located at your premises where
the training session is held for use by one (1) of your employees attending a training session
provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1)
Classroom Device for use by one (1) End User attending a Private Training Session, or one (1)
MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual
will agree that their use of the Licensed Content will be subject to these license terms prior
to their accessing the Licensed Content. Each individual will be required to denote their
acceptance of the EULA in a manner that is enforceable under local law prior to their
accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable
competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the
Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
c. If you are an End User:
You may use the Licensed Content solely for your personal training use. If the Licensed Content is in
digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in
the form provided to you on one (1) Personal Device and install another copy on another Personal
Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1)
copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device
you do not own or control.


d. If you are an MCT:


i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an
Authorized Training Session or Private Training Session. For each license you acquire, you may
install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal
Device and install one (1) additional copy on another Personal Device as a backup copy, which may
be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed
Content on a device you do not own or control.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of "customize" refers only to changing the order of slides and content, and/or
not using all the slides or content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.

2.3 Reproduction/Redistribution of Licensed Content. Except as expressly provided in the applicable
installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion
thereof (including any permitted modifications) to any third parties without the express written permission
of Microsoft.

2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplement the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

• install more copies of the Licensed Content on devices than the number of licenses you acquired;
• allow more individuals to access the Licensed Content than the number of licenses you acquired;
• publicly display, or make the Licensed Content available for others to access or use;
• install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement;
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
• access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
• access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
• transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.


7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.

8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

9. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.

11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.

13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to:

o anything related to the Licensed Content, services made available through the Licensed Content, or
content (including code) on third party Internet sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are also provided in French (given here in English translation).

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this
licensed content is at your sole risk. Microsoft grants no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot modify. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain compensation from
Microsoft and its suppliers for direct damages only, up to US $5.00. You may not claim any compensation for
other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:
o anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent
permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country
does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the
above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your
country. This agreement does not change the rights granted to you by the laws of your country if those laws do
not permit it to do so.
Revised December 2011

Acknowledgments

Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Stan Reimer, Content Developer

Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some
of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft
Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in
Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12
years.

Damir Dizdarevic, Subject Matter Expert/Content Developer

Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology
Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager
and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has
more than 17 years of experience on Microsoft platforms and he specializes in Windows Server,
Exchange Server, security, and virtualization. He has worked as a subject-matter expert and technical
reviewer on many Microsoft Official Courses (MOC), and has published more than 400 articles in
various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and highly rated
speaker at most Microsoft conferences in Eastern Europe. Additionally, he is a Microsoft Most Valuable
Professional for Windows Server Infrastructure Management.

Gary Dunlop, Subject Matter Expert

Gary Dunlop is based in Winnipeg, Canada and is a technical consultant and trainer for Broadview
Networks. He has authored a number of Microsoft Learning titles and has been an MCT since 1997.

Siegfried Jagott, Content Developer

Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team at
Atos Germany. He is an award-winning author of Microsoft Exchange Server 2010 Best Practices (Microsoft
Press), and has authored and technically reviewed several Microsoft Official Curriculum (MOC) courses
on various topics such as MOC 10165: Updating Your Skills from Microsoft Exchange Server 2003 or
Exchange Server 2007 to Exchange Server 2010 SP1. He has coauthored various books on Windows,
Microsoft System Center Virtual Machine Manager, and Exchange, and is a frequent presenter on these
topics at international conferences such as IT & Dev Connections Spring 2012 in Las Vegas. Siegfried
has planned, designed, and implemented some of the world's largest Windows and Exchange Server
infrastructures for international customers. He received an MBA from Open University in England, and has
been an MCSE since 1997.

Orin Thomas, Content Developer

Orin Thomas is an MVP, an MCT and has a string of Microsoft MCSE and MCITP certifications. He has
written more than 20 books for Microsoft Press and is a contributing editor at Windows IT Pro magazine.
He has been working in IT since the early 1990s. He is a regular speaker at events such as TechED in
Australia and around the world on Windows Server, Windows Client, System Center, and security topics.
Orin founded and runs the Melbourne System Center Users Group.

Vladimir Meloski, Content Developer

Vladimir is a Microsoft Certified Trainer, an MVP on Exchange Server, and consultant, providing unified
communications and infrastructure solutions based on Microsoft Exchange Server, Lync Server, and
System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft
conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and
technical expert. He has also been involved as a subject matter expert and technical reviewer for several
Microsoft Official Curriculum courses.

Contents

Module 1: Installing and Configuring Servers Based on Windows Server 2012
    Lesson 1: Installing Windows Server 2012 ..... 1-2
    Lesson 2: Configuring Windows Server 2012 ..... 1-13
    Lesson 3: Configuring Remote Management for Windows Server 2012 Servers ..... 1-21
    Lab: Installing and Configuring Servers Based on Windows Server 2012 ..... 1-25

Module 2: Monitoring and Maintaining Windows Server 2012
    Lesson 1: Reasons for Monitoring Servers ..... 2-2
    Lesson 2: Implementing Windows Server Backup ..... 2-11
    Lesson 3: Implementing Server and Data Recovery ..... 2-15
    Lab: Monitoring and Maintaining Windows 2012 Servers ..... 2-19

Module 3: Managing Windows Server 2012 by Using Windows PowerShell 3.0
    Lesson 1: Overview of Windows PowerShell 3.0 ..... 3-2
    Lesson 2: Using Windows PowerShell 3.0 to Manage AD DS ..... 3-9
    Lesson 3: Managing Servers by Using Windows PowerShell 3.0 ..... 3-20
    Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0 ..... 3-26

Module 4: Managing Storage for Windows Server 2012
    Lesson 1: New Features in Windows Server 2012 Storage ..... 4-2
    Lesson 2: Configuring iSCSI Storage ..... 4-12
    Lesson 3: Configuring Storage Spaces in Windows Server 2012 ..... 4-18
    Lab A: Managing Storage for Servers Based on Windows Server 2012 ..... 4-23
    Lesson 4: Configuring BranchCache in Windows Server 2012 ..... 4-25
    Lab B: Implementing BranchCache ..... 4-36

Module 5: Implementing Network Services
    Lesson 1: Implementing DNS and DHCP Enhancements ..... 5-2
    Lesson 2: Implementing IP Address Management ..... 5-10
    Lesson 3: NAP Overview ..... 5-14
    Lesson 4: Implementing NAP ..... 5-20
    Lab: Implementing Network Services ..... 5-25

Module 6: Implementing DirectAccess
    Lesson 1: Overview of DirectAccess ..... 6-2
    Lesson 2: Installing and Configuring DirectAccess Components ..... 6-14
    Lab: Implementing DirectAccess ..... 6-24


Module 7: Implementing Failover Clustering
    Lesson 1: Overview of Failover Clustering ..... 7-2
    Lesson 2: Implementing a Failover Cluster ..... 7-13
    Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster ..... 7-18
    Lesson 4: Maintaining a Failover Cluster ..... 7-22
    Lesson 5: Implementing a Multisite Failover Cluster ..... 7-27
    Lab: Implementing Failover Clustering ..... 7-32

Module 8: Implementing Hyper-V
    Lesson 1: Configuring Hyper-V Servers ..... 8-2
    Lesson 2: Configuring Hyper-V Storage ..... 8-8
    Lesson 3: Configuring Hyper-V Networking ..... 8-16
    Lesson 4: Configuring Hyper-V Virtual Machines ..... 8-21
    Lab: Implementing Server Virtualization with Hyper-V ..... 8-27

Module 9: Implementing Failover Clustering with Hyper-V
    Lesson 1: Overview of the Integration of Hyper-V with Failover Clustering ..... 9-2
    Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters ..... 9-7
    Lesson 3: Implementing Hyper-V Virtual Machine Movement ..... 9-14
    Lesson 4: Managing Hyper-V Virtual Environments by Using System Center Virtual Machine Manager ..... 9-19
    Lab: Implementing Failover Clustering with Hyper-V ..... 9-29

Module 10: Implementing Dynamic Access Control
    Lesson 1: Overview of Dynamic Access Control ..... 10-2
    Lesson 2: Planning for a Dynamic Access Control Implementation ..... 10-8
    Lesson 3: Configuring Dynamic Access Control ..... 10-13
    Lab: Implementing Dynamic Access Control ..... 10-22

Module 11: Implementing Active Directory Domain Services
    Lesson 1: Deploying AD DS Domain Controllers ..... 11-2
    Lesson 2: Configuring AD DS Domain Controllers ..... 11-11
    Lesson 3: Implementing Service Accounts ..... 11-16
    Lesson 4: Implementing Group Policy in AD DS ..... 11-19
    Lesson 5: Maintaining AD DS ..... 11-28
    Lab: Implementing AD DS ..... 11-35

Module 12: Implementing Active Directory Federation Services
Lesson 1: Overview of Active Directory Federation Services   12-2
Lesson 2: Deploying Active Directory Federation Services   12-11
Lesson 3: Implementing AD FS for a Single Organization   12-17
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario   12-23
Lab: Implementing AD FS   12-28

Lab Answer Keys
Module 1 Lab: Installing and Configuring Servers Based on Windows Server 2012   L1-1
Module 2 Lab: Monitoring and Maintaining Windows 2012 Servers   L2-7
Module 3 Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0   L3-15
Module 4 Lab A: Managing Storage for Servers Based on Windows Server 2012   L4-19
Module 4 Lab B: Implementing BranchCache   L4-26
Module 5 Lab: Implementing Network Services   L5-31
Module 6 Lab: Implementing DirectAccess   L6-43
Module 7 Lab: Implementing Failover Clustering   L7-55
Module 8 Lab: Implementing Server Virtualization with Hyper-V   L8-63
Module 9 Lab: Implementing Failover Clustering with Hyper-V   L9-71
Module 10 Lab: Implementing Dynamic Access Control   L10-77
Module 11 Lab: Implementing AD DS   L11-89
Module 12 Lab: Implementing AD FS   L12-97

About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description
Note: This first release (A) Microsoft Official Courses (MOC) version of course 20417A has
been developed on Windows Server 2012 RC. Microsoft Learning will release a B version of
this course after the release-to-manufacturing (RTM) version of the software is available.

This course is designed primarily for people who want to upgrade their technical skills from Windows
Server 2008 and Windows Server 2008 R2 to Windows Server 2012. It presumes a high level of knowledge
about previous Windows Server versions. This course also serves as preparation for taking exam 70-417,
on the upgrade path to a new MCSA: Windows Server 2012 certification.

Audience

The primary audience for this course is Information Technology (IT) professionals who are experienced
Windows Server 2008 Server Administrators, and who carry out day-to-day management and
administrative tasks, and want to update their skills and knowledge to Windows Server 2012.

The secondary audience for this course includes candidates who hold existing credentials in Windows
Server 2008 at Technology Specialist (TS) or Professional (PRO) level, and who want to migrate their
current credentials to the new credential of Microsoft Certified Solutions Associate (MCSA) with Windows
Server 2012.

Student Prerequisites

In addition to their professional experience, students who attend this training should have the following
technical knowledge:

Two or more years of experience deploying and managing Windows Server 2008

Experience with Windows networking technologies and implementation

Experience with Active Directory technologies and implementation

Experience with Windows Server 2008 server virtualization technologies and implementation

Students attending this course are expected to have passed the following exams, or have equivalent
knowledge:

Exam 70-640: Windows Server 2008 Active Directory, Configuring

Exam 70-642: Windows Server 2008 Network Infrastructure, Configuring

Exam 70-646: Windows Server 2008, Server Administrator

Course Objectives
After completing this course, students will be able to:

Install and configure Windows Server 2012 servers.

Monitor and maintain Windows Server 2012 servers.

Use Windows PowerShell 3.0 to manage Windows Server 2012 servers.

Configure storage on Windows Server 2012 servers.

Deploy and manage network services.

Deploy and manage a DirectAccess infrastructure.

Provide high availability for network services and applications by implementing failover clustering.

Deploy and configure virtual machines on Hyper-V.

Deploy and manage Hyper-V virtual machines in a failover cluster.

Configure Dynamic Access Control to manage and audit access to shared files.

Implement the new features in Active Directory Domain Services (AD DS) for Windows Server 2012.

Plan and implement an Active Directory Federation Services (AD FS) deployment.

Course Outline
This section provides an outline of the course:
Module 1, Installing and Configuring Servers Based on Windows Server 2012
Module 2, Monitoring and Maintaining Windows Server 2012
Module 3, Managing Windows Server 2012 by Using Windows PowerShell 3.0
Module 4, Managing Storage for Windows Server 2012
Module 5, Implementing Network Services
Module 6, Implementing DirectAccess
Module 7, Implementing Failover Clustering
Module 8, Implementing Hyper-V
Module 9, Implementing Failover Clustering with Hyper-V
Module 10, Implementing Dynamic Access Control
Module 11, Implementing Active Directory Domain Services
Module 12, Implementing Active Directory Federation Services

Exam/Course Mapping

This course, 20417A: Upgrading Your Skills to MCSA Windows Server 2012, has a direct mapping of its
content to the objective domain for the Microsoft exam 70-417: Upgrading Your Skills to MCSA Windows
Server 2012.
The table below is provided as a study aid that will assist you in preparing for this exam and
show you how the exam objectives and the course content fit together. The course is not designed
exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world
implementation of the particular technology. The course also contains content that is not directly
covered in the examination and draws on the unique experience and skills of your qualified Microsoft
Certified Trainer.
Note: The exam objectives are available online at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab2.

Exam Objective Domains / Course Content

Exam 70-410: Installing and Configuring Windows Server 2012

Install and Configure Servers

Install servers. This objective may include but is not limited to: Plan for a server installation; plan for server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features on Demand; migrate roles from previous versions of Windows Server
Course content: Mod 1, Lesson 1/2. Lab: Mod 1, Ex 1

Configure servers. This objective may include but is not limited to: Configure Server Core; delegate administration; add and remove features in offline images; deploy roles on remote servers; convert Server Core to/from full GUI; configure services; configure NIC teaming
Course content: Mod 1, Lesson 2/3. Lab: Mod 1, Ex 2/3

Configure local storage. This objective may include but is not limited to: Design storage spaces; configure basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard disks (VHDs); configure storage pools and disk pools
Course content: Mod 4, Lesson 3. Lab: Mod 4, Ex 2/3

Configure Server Roles and Features

Configure servers for remote management. This objective may include but is not limited to: Configure WinRM; configure down-level server management; configure servers for day-to-day management tasks; configure multi-server management; configure Server Core; configure Windows Firewall
Course content: Mod 1, Lesson 1/2/3. Lab: Mod 1, Ex 1/2

Configure Hyper-V

Create and configure virtual machine settings. This objective may include but is not limited to: Configure dynamic memory; configure smart paging; configure Resource Metering; configure guest integration services
Course content: Mod 8, Lesson 1/4.

Create and configure virtual machine storage. This objective may include but is not limited to: Create VHDs and VHDX; configure differencing drives; modify VHDs; configure pass-through disks; manage snapshots; implement a virtual Fibre Channel adapter
Course content: Mod 8, Lesson 2.

Create and configure virtual networks. This objective may include but is not limited to: Implement Hyper-V Network Virtualization; configure Hyper-V virtual switches; optimize network performance; configure MAC addresses; configure network isolation; configure synthetic and legacy virtual network adapters
Course content: Mod 8, Lesson 3.

Lab cells for the three Configure Hyper-V objectives, in table order: Mod 8, Ex 3; Mod 8, Ex 2/3.

Install and Administer Active Directory

Install domain controllers. This objective may include but is not limited to: Add or remove a domain controller from a domain; upgrade a domain controller; install Active Directory Domain Services (AD DS) on a Server Core installation; install a domain controller from Install from Media (IFM); resolve DNS SRV record registration issues; configure a global catalog server
Course content: Mod 11, Lesson 1/2. Lab: Mod 11, Ex 2/3

Exam 70-411: Administering Windows Server 2012

Deploy, Manage, and Maintain Servers

Monitor servers. This objective may include but is not limited to: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring
Course content: Mod 2, Lesson 1. Lab: Mod 2, Ex 1

Configure Network Services and Access

Configure DirectAccess. This objective may include but is not limited to: Implement server requirements; implement client configuration; configure DNS for Direct Access; configure certificates for Direct Access
Course content: Mod 6, Lesson 1/2. Lab: Mod 6, Ex 1/2/3

Configure a Network Policy Server Infrastructure

Configure Network Access Protection (NAP). This objective may include but is not limited to: Configure System Health Validators (SHVs); configure health policies; configure NAP enforcement using DHCP and VPN; configure isolation and remediation of non-compliant computers using DHCP and VPN; configure NAP client settings
Course content: Mod 5, Lesson 4. Lab: Mod 5, Ex 3

Configure and Manage Active Directory

Configure Domain Controllers. This objective may include but is not limited to: Configure Universal Group Membership Caching (UGMC); transfer and seize operations masters; install and configure a read-only domain controller (RODC); configure Domain Controller cloning
Course content: Mod 11, Lesson 1/2.

Maintain Active Directory. This objective may include but is not limited to: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container-level recovery; perform Active Directory restore
Course content: Mod 11, Lesson 5.

Configure and Manage Group Policy

Configure Group Policy processing. This objective may include but is not limited to: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing; configure client-side extension (CSE) behavior
Course content: Mod 11, Lesson 4.

Lab cells for the three Mod 11 objectives above, in table order: Mod 11, Ex 1; Mod 11, Ex 2.

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Configure and Manage High Availability

Configure failover clustering. This objective may include but is not limited to: Configure Quorum; configure cluster networking; restore single node or cluster configuration; configure cluster storage; implement Cluster Aware Updating; upgrade a cluster
Course content: Mod 7, Lesson 1/2/4. Lab: Mod 7, Ex 1/2/4

Manage failover clustering roles. This objective may include but is not limited to: Configure role-specific settings including continuously available shares; configure VM monitoring; configure failover and preference settings
Course content: Mod 7, Lesson 3/4. Lab: Mod 7, Ex 2

Manage Virtual Machine (VM) movement. This objective may include but is not limited to: Perform live migration; perform quick migration; perform storage migration; import, export, and copy VMs; migrate from other platforms (P2V and V2V)
Course content: Mod 8, Lesson 4; Mod 9, Lesson 3/4. Lab: Mod 9, Ex 3

Configure File and Storage Solutions

Implement Dynamic Access Control (DAC). This objective may include but is not limited to: Configure user and device claim types; implement policy changes and staging; perform access-denied remediation; configure file classification
Course content: Mod 10, Lesson 1/2/3. Lab: Mod 10, Ex 2/3/4/5

Implement Business Continuity and Disaster Recovery

Configure and manage backups. This objective may include but is not limited to: Configure Windows Server backups; configure Windows Online backups; configure role-specific backups; manage VSS settings using VSSAdmin; create System Restore snapshots
Course content: Mod 2, Lesson 2. Lab: Mod 2, Ex 2/3/4

Configure site-level fault tolerance. This objective may include but is not limited to: Configure Hyper-V Replica including Hyper-V Replica Broker and VMs; configure multi-site clustering including network settings, Quorum, and failover settings
Course content: Mod 9, Lesson 1/3. Lab: Mod 9, Ex 1

Configure Network Services

Deploy and manage IPAM. This objective may include but is not limited to: Configure IPAM manually or by using Group Policy; configure server discovery; create and manage IP blocks and ranges; monitor utilization of IP address space; migrate to IPAM; delegate IPAM administration; manage IPAM collections
Course content: Mod 5, Lesson 2. Lab: Mod 5, Ex 2

Configure Identity and Access Solutions

Implement Active Directory Federation Services 2.1 (AD FSv2.1). This objective may include but is not limited to: Implement claims-based authentication including Relying Party Trusts; configure Claims Provider Trust rules; configure attribute stores including Active Directory Lightweight Directory Services (AD LDS); manage AD FS certificates; configure AD FS proxy, Integration with Cloud Services
Course content: Mod 12, Lesson 1/2/3. Lab: Mod 12, Ex 1/2/3/4

Important: Attending this course in itself will not successfully prepare you to pass any
associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In
addition to attendance at this course, you should also have the following:

Experience with implementing, managing and administering a Windows Server 2008 and Windows
Server 2008 R2 environment

Knowledge equivalent to the MCSA: Windows Server 2008 credential

Minimum of one to two years of real-world, hands-on experience installing and configuring a Windows
Server infrastructure

Additional study outside of the content in this handbook

There may also be additional study and preparation resources, such as practice tests, available for you to
prepare for this exam. Details of these are available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab3
You should familiarize yourself with the audience profile and exam prerequisites to ensure you are
sufficiently prepared before taking the certification exam. The complete audience profile for this exam is
available at the following URL:
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-417&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to
change at any time, and Microsoft bears no responsibility for any discrepancies between the version
published here and the version available online, and will provide no notification of such changes.

Course Materials

The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly focused format, which is just right for an effective in-class learning
experience.

Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.

Course evaluation: At the end of the course, you have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send email to
mcphelp@microsoft.com.

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must revert the virtual machines to a snapshot.
You can find the instructions for this procedure at the end of each lab. For the Module 8
lab, you should leave the virtual machines running for the Module 9 lab.
The following table shows the role of each virtual machine used in this course:

Virtual machine: Role
20417A-LON-DC1: Domain controller that is running Windows Server 2012 in the Adatum.com domain
20417A-LON-SVR1: Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR2: Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR3: Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR4: Windows Server 2012 server, member of Adatum.com domain
20417A-LON-SVR5: Server with blank VHD
20417A-LON-TMG: Threat Management Gateway server in Adatum.com domain
20417A-MUN-DC1: Domain controller that is running Windows Server 2012 in the TreyResearch.com domain
20417A-LON-CL1: Client computer running Windows 8 and Office 2010 Service Pack 1 (SP1) in the Adatum.com domain
20417A-LON-CL2: Client computer running Windows 8 and Office 2010 SP1 in the Adatum.com domain

Software Configuration
The following software is installed on each virtual machine:

Windows Server 2012 RC

Windows 8 RP

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Hardware Level 6

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*

8 GB random access memory (RAM) or higher

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft Mouse or compatible pointing device

Sound card with amplified speakers

Module 1
Installing and Configuring Servers Based on Windows Server 2012
Contents:
Module Overview   1-1
Lesson 1: Installing Windows Server 2012   1-2
Lesson 2: Configuring Windows Server 2012   1-13
Lesson 3: Configuring Remote Management for Windows Server 2012 Servers   1-21
Lab: Installing and Configuring Servers Based on Windows Server 2012   1-25
Module Review and Takeaways   1-30

Module Overview

Knowing the capabilities of the Windows Server 2012 operating system enables you to use it effectively,
and to take complete advantage of what it can offer your organization. Some of the many improvements
to Windows Server 2012 include:

Increased scalability and performance

Virtualization features, such as Hyper-V Replica

Improved Windows PowerShell and scripting support

High performance SMB 3.0 file shares

This module introduces you to Windows Server 2012, how to install it, how to perform post-installation
configuration tasks, and how to configure it to support remote management.

Objectives
After completing this module, you will be able to:

Describe the installation requirements for Windows Server 2012.

Configure Windows Server 2012.

Configure Windows Remote Management.

Install the Windows Server 2012 operating system on servers.

Lesson 1
Installing Windows Server 2012

You must have a firm understanding of your organization's requirements so that you can deploy the
appropriate edition of Windows Server 2012. You must also understand which hardware configuration
is appropriate for Windows Server 2012, whether a virtual deployment might be more suitable than a
physical deployment, and which installation source enables you to deploy Windows Server 2012
efficiently.

This lesson provides an overview of the different Windows Server 2012 editions, hardware requirements,
deployment options, and installation process.

Lesson Objectives
After completing this lesson you will be able to:

Describe the different editions of Windows Server 2012.

Determine whether a particular hardware configuration is appropriate for Windows Server 2012.

Explain how to perform a physical or a virtual deployment of Windows Server 2012.

Select an appropriate installation source for a Windows Server 2012 deployment.

Determine when you can upgrade and when you must migrate to Windows Server 2012.

Decide between a Server Core installation and full installation.

Install Windows Server 2012.

Perform post-installation configuration tasks.

Windows Server 2012 Editions

There are several editions of Windows Server 2012. Organizations can select the edition of Windows
Server 2012 that best meets their needs. Systems Administrators can save costs by selecting the
appropriate edition when deploying a server for a specific role. The editions of Windows Server 2012
are listed in the following table.

Edition: Description

Windows Server 2012 Standard edition
Provides all roles and features available on the Windows Server 2012 platform.
Supports up to 64 sockets and up to 4 terabytes (TB) of RAM.
Includes 2 virtual machine licenses.

Windows Server 2012 Datacenter edition
Provides all roles and features that are available on the Windows Server 2012 platform.
Supports 64 sockets, up to 640 processor cores, and up to 4 terabytes of RAM.
Includes unlimited virtual machine licenses for virtual machines run on the same hardware.

Windows Server 2012 Foundation edition
Allows only 15 users and cannot be joined to a domain.
Supports one processor core and up to 32 GB of RAM.
Includes limited server roles.

Windows Server 2012 Essentials
Serves as the next edition of Small Business Server.
Cannot function as a Hyper-V, failover clustering, server core, or remote desktop services server.
Supports up to 25 users, 50 devices.
Supports 2 processor cores and 64 GB of RAM.
Must be root server in domain.

Microsoft Hyper-V Server 2012
Stand-alone Hyper-V platform for virtual machines with no UI.
No licensing cost for host OS; virtual machines are to be licensed normally.
Supports 64 sockets and 4 TB of RAM.
Supports domain join.
Does not support Windows Server 2012 roles other than limited file services features.

Windows Storage Server 2012 Workgroup
Entry-level unified storage appliance.
Supports up to 50 users.
Supports one processor core, 32 GB of RAM.
Supports domain join.

Windows Storage Server 2012 Standard
Supports 64 sockets, but is licensed on a 2 socket incrementing basis.
Supports 4 TB of RAM.
Includes 2 virtual machine licenses.
Supports domain join.
Supports some roles, including DNS and DHCP Server roles, but does not support others, including
Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), and Active
Directory Federation Services (AD FS).

Windows MultiPoint Server 2012 Standard
Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and
monitors.
Supports one socket, 32 GB of RAM and a maximum of 12 sessions.
Supports some roles, including DNS and DHCP Server roles, but does not support others, including AD DS,
AD CS, and AD FS.
Does not support domain join.

Windows MultiPoint Server 2012 Premium
Supports multiple users accessing the same host computer directly using separate mouse, keyboard, and
monitors.
Limited to 2 sockets, 4 TB of RAM and a maximum of 22 sessions.
Supports some roles, including DNS and DHCP Server roles, but does not support others, including AD DS,
AD CS, and AD FS.
Supports domain join.

Additional Reading: For more information about the differences between Windows Server
2012 editions, see http://www.windowsservercatalog.com/svvp.aspx.

Hardware Requirements for Installing Windows Server 2012

Hardware requirements define the absolute minimum required to run the server software. The
actual hardware requirements depend on the services that the server is hosting, the load on the
server, and how responsive you want the server to be. The services and features of each role put a
unique load on network, disk I/O, processor, and memory resources.

Virtualized deployments of Windows Server 2012 must match the same hardware specifications as
physical deployments. Windows Server 2012 is supported on Hyper-V and certain third-party
virtualization platforms.

The minimum hardware requirements for Windows Server 2012 are shown in the following table.

Component: Requirement
Processor architecture: x86-64
Processor speed: 1.4 GHz
Memory (RAM): 512 MB
Hard disk drive space: 32 GB, or more if the server has more than 16 GB of RAM

Additional Reading: For more information about the Windows Server Virtualization
Validation Program, see http://www.windowsservercatalog.com/svvp.aspx.
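The following Windows PowerShell 3.0 function is an added example, not part of the course text: it reads the standard CIM classes on a candidate host and reports each component from the table above as pass or fail, and flags the case where the table calls for more than the 32 GB disk minimum. The function name and its drive-letter parameter are assumptions of this example.

```powershell
# Added example (not from the course): pre-installation check of a candidate
# host against the minimum requirements in the table above. Uses only the
# standard Win32_* CIM classes available through Get-CimInstance in
# Windows PowerShell 3.0. Function and parameter names are this example's own.

function Test-WS2012HardwareMinimums {
    [CmdletBinding()]
    param(
        # Volume that would hold the operating system (default: current system drive).
        [string]$SystemDriveLetter = $env:SystemDrive.TrimEnd(':')
    )

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk `
                -Filter "DeviceID='${SystemDriveLetter}:'"

    $ramBytes = [uint64]$cs.TotalPhysicalMemory
    $ramGB    = [math]::Round($ramBytes / 1GB, 1)
    $diskGB   = [math]::Round($disk.Size / 1GB, 1)
    $clockMHz = [int]$cpu.MaxClockSpeed

    # Windows Server 2012 is x86-64 only. AddressWidth is 64 when a 64-bit OS runs
    # on the host; DataWidth is 64 for a 64-bit capable CPU even under a 32-bit OS.
    $is64 = ($cpu.AddressWidth -eq 64) -or ($cpu.DataWidth -eq 64)

    $results = @(
        [pscustomobject]@{ Component = 'Processor architecture'; Required = 'x86-64'
                           Actual = $cpu.Name.Trim();            Pass = $is64 }
        [pscustomobject]@{ Component = 'Processor speed';        Required = '1.4 GHz'
                           Actual = "$clockMHz MHz";              Pass = ($clockMHz -ge 1400) }
        [pscustomobject]@{ Component = 'Memory (RAM)';           Required = '512 MB'
                           Actual = "$ramGB GB";                  Pass = ($ramBytes -ge 512MB) }
        [pscustomobject]@{ Component = 'Hard disk drive space';  Required = '32 GB'
                           Actual = "$diskGB GB volume";          Pass = ($disk.Size -ge 32GB) }
    )

    # The table calls for more than 32 GB when the host has more than 16 GB of RAM
    # but does not quantify it, so flag that case instead of inventing a figure.
    if ($ramGB -gt 16) {
        Write-Warning "Host has $ramGB GB of RAM; the 32 GB disk minimum does not apply, plan for more."
    }

    # For an in-place upgrade of an existing installation, compare $disk.FreeSpace
    # rather than $disk.Size, since the volume is not wiped.
    $results
}

Test-WS2012HardwareMinimums | Format-Table -AutoSize
```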

Considerations for Deploying Physical or Virtual Machines

With virtualization you can be more efficient in the way that you allocate resources to servers. Instead
of allocating separate hardware to a server that minimally uses resources, you can virtualize that
server and enable those minimally used hardware resources to be shared with other virtual machines.

When determining whether to deploy a server physically or virtually, you must determine how
that server uses hardware resources. Consider these points:

Servers that constantly put hardware under resource pressure are poor candidates for
virtualization. This is because virtual machines share resources. A single virtual machine that uses a
disproportionate amount of hypervisor resources can have an adverse effect on other virtual
machines hosted on the same hypervisor.

Servers that put minimal pressure on hardware resources are good candidates for virtualization. These
servers are unlikely to monopolize the host resources, ensuring that each virtual machine hosted on
the hypervisor can access enough hardware resources to perform adequately.

For example, a particular database server that heavily uses disk and network resources would be better
deployed on a physical computer. If it were deployed as a virtual machine, other virtual machines on the
same hypervisor would have to compete for access to those heavily-used disk and network resources.
Alternatively, allocating a physical platform to a server that requires minimal hardware resources, such as
a server running Certificate Services, means that powerful hardware is underused.

Other things to consider when determining whether to deploy a server virtually or physically are:

High Availability. After you have built a highly available virtual machine cluster, any virtual machine
deployed to that cluster also becomes highly available. This is simpler than setting up separate
failover clusters for physical servers that host the same role.

Scalability. Moving a virtual machine with its associated applications and data to a new host platform
is significantly simpler than migrating a physically deployed server, its applications, and data to a new
host platform. If you must quickly scale up capacity, you can also migrate a virtual machine to a cloud
provider, something that is far more difficult to do with a physically deployed server.

Windows Server 2012 Installation Sources

Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format.
You can install Windows Server 2012 by using several methods, including those listed in the
following table.

Method: Notes

Optical media
Requires that the computer has access to a DVD drive.
Optical media is usually slower than USB media.
You cannot update the installation image without replacing the media.
You can only perform one installation per DVD at a time.

USB media
Requires the administrator to perform special steps to prepare USB media from ISO file.
All computers support booting from USB media.
Image can be updated as new software updates and drivers become available.
Answer file can be stored on USB drive, reducing the interaction that the administrator must perform.

Mounted ISO image
Virtualization software enables you to directly mount the ISO image.
Does not require writing the ISO image to optical media.

Network share
Deploy from installation files on network share.
Requires you to boot the server off a boot device (DVD or USB drive) and install from installation files
hosted on a network share.
Much slower than using Windows Deployment Services (WDS).
If you already have access to a DVD or USB media, it is simpler to use those tools for operating system
deployment.

Windows Deployment Services (WDS)
WDS lets you deploy Windows Server 2012 from Windows Imaging Format (WIM) image files or specially
prepared VHD files.
You can use the Windows Automated Installation Kit to configure lite-touch deployment.
Clients perform a Pre-Boot Execution Environment (PXE) boot to contact the WDS server. The operating
system image is then transmitted to the server over the network.
WDS supports multiple concurrent installations of Windows Server 2012 using multicast network
transmissions.

System Center Configuration Manager
Microsoft System Center Configuration Manager enables you to fully automate the deployment of
Windows Server 2012 to bare metal servers.
Enables Zero Touch deployment.

Virtual Machine Manager templates
Requires Virtual Machine Manager (VMM) in System Center.
Enables rapid deployment of Windows Server 2012 in private cloud scenarios.
Can be used to enable self-service deployment of Windows Server 2012 virtual machines.

Microsoft distributes Windows Server 2012 either on optical media or in an .iso image format.

You can install Windows Server 2012 by using several methods, including those listed in the following
table.
Method
Optical media

Notes
Requires that the computer has access to a DVD drive.
Optical media is usually slower than USB media.

You cannot update the installation image without replacing the media.
You can only perform one installation per DVD at a time.
USB media

Requires the administrator to perform special steps to prepare USB


media from ISO file.
All computers support booting from USB media.
Image can be updated as new software updates and drivers become
available.

Answer file can be stored on USB drive, reducing the interaction that the
administrator must perform.
Mounted ISO image

Virtualization software enables you to directly mount the ISO image.


Does not require writing the ISO image to optical media.

Network share

Deploy from installation files on network share.

Requires you boot the server off a boot device (DVD or USB drive) and
install from installation files hosted on a network share.
Much slower than using Windows Deployment Services (WDS).
If you already have access to a DVD or USB media, it is simpler to use
those tools for operating system deployment.

Installing and Configuring Serveers Based on Window


ws Server 2012

Method

No
otes

Windows
W
Deplo
oyment
Se
ervices (WDS)

WDS let you deploy


d
Window
ws Server 2012
2 from Window
ws Imaging
Format (WIM)) image files o r specially pre pared VHD file
es.
he Windows A
Automated Insttallation Kit to
o configure lite
e You can use th
touch deploym
ment.

MCT USE ONLY. STUDENT USE PROHIBITED

1-8

Clients perform a Pre-Boot Execution Envvironment (PXEE) boot to contact


the WDS serve
er. The operat ing system im age is then traansmitted to th
he
server over the network.
dows Server 20
012
WDS supportss multiple conccurrent installaations of Wind
using multicasst network tran
nsmissions.
Syystem Center
Configuration Manager
M

Microsoft Syystem Center C


Configuration M
Manager enab
bles you to fullly
automate the deployment o
of Windows Seerver 2012 to bare metal
servers.
Enables Zero Touch
T
deploym
ment.

Virtual Machine
e
Manager
M
templates

Requires Virtu
ual Machine M
Manager (VMM
M) in System Ce
enter.
of Windows Seerver 2012 in p
private cloud
Enables rapid deployment o
scenarios.

t enable self-sservice deployyment of Wind


dows Server 20
012
Can be used to
virtual machin
nes.
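Whichever method you choose, the .iso image is the starting point, and an image that was tampered with or corrupted in transit is installed onto every server built from it. The following is an added example, not part of the course: it verifies the image hash against the value published with the download, mounts the ISO the way the "Mounted ISO image" row describes, and lists the editions inside install.wim so you know which image index to use later. The ISO path and the expected hash are placeholders you supply; the cmdlets used (Mount-DiskImage, Get-DiskImage, Get-Volume, Get-WindowsImage) ship with Windows Server 2012.

```powershell
# Added example (not from the course): check and inspect a Windows Server 2012 ISO
# before using it as an installation source. Assumed values: the ISO path and the
# expected SHA-256 hash, which you take from the vendor's download page.

function Get-FileSha256 {
    param([Parameter(Mandatory)][string]$Path)
    # Get-FileHash only exists from PowerShell 4.0, so use the .NET class directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Dispose()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-InstallationMedia {
    param(
        [Parameter(Mandatory)][string]$IsoPath,
        [Parameter(Mandatory)][string]$ExpectedSha256   # placeholder: value from the download page
    )
    # 1. Refuse media whose hash does not match the published value.
    $actual = Get-FileSha256 -Path $IsoPath
    if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
        throw "Hash mismatch for $IsoPath (got $actual)"
    }

    # 2. Mount the ISO as a virtual DVD and find the drive letter it received.
    Mount-DiskImage -ImagePath $IsoPath -ErrorAction Stop | Out-Null
    try {
        $letter = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
        $wim = "${letter}:\sources\install.wim"

        # 3. List the editions in install.wim. The index is what you later pass to
        #    DISM, or to the wim: form of Install-WindowsFeature -Source.
        Get-WindowsImage -ImagePath $wim |
            Select-Object ImageIndex, ImageName, ImageSize
    } finally {
        Dismount-DiskImage -ImagePath $IsoPath
    }
}

# Usage (both values are placeholders):
# Test-InstallationMedia -IsoPath 'D:\ISO\WS2012.iso' -ExpectedSha256 '<sha256 from download page>'
```

The hash check is the important part: if the published hash is not available, record the hash you computed so that every server built from that image can be traced back to the same known media.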

Options for Upgrading and Migrating to Windows Server 2012

When considering whether to upgrade or migrate a server to Windows Server 2012, consider the options described in the following table.

Installation option / Description

Upgrade
  An upgrade preserves the files, settings, and applications installed on the original server. You perform an upgrade when you want to keep all these items and want to continue using the same server hardware. Upgrade requires an x64 processor architecture and an x64 edition of the Windows Server operating system. You can only upgrade to Windows Server 2012 from x64 versions of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. You can only upgrade to an equivalent or a later edition of Windows Server 2012. You start an upgrade by running Setup.exe from the original operating system.

Migration
  Use migration when you migrate from an x86 version of Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008. Use migration when you want to replace the original server with one running an earlier edition, for example replacing Windows Server 2008 R2 Enterprise edition with Windows Server 2012 Standard edition. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings from computers running the Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 operating systems.

Choosing Between Server Core and Full Installation

Server Core is a minimal installation option for Windows Server 2012. With Server Core, you perform management tasks locally from the command-line or remotely from another computer. Server Core is the default installation option for Windows Server 2012. Server Core has the following advantages over a traditional deployment of Windows Server 2012:

Reduced update requirements. Because Server Core installs fewer components, Server Core deployments require the application of fewer software updates. This reduces the time that is required for an administrator to service Server Core.

Reduced hardware footprint. Server Core computers require less RAM and less hard disk space. This means that when virtualized, more servers can be deployed on the same host.

Increasing numbers of Microsoft server applications are designed to run on computers that have Server Core installations. Microsoft SQL Server 2012 can be installed on computers running the Server Core version of Windows Server 2008 R2.

There are two options for installing Server Core, as described in the following table.
Option / Description

Server Core
  This is the standard deployment of Server Core. By default all graphical administration components are in a Removed state. Simply stated, Removed components occupy no disk space on the server. Server Core systems are managed locally by using the command-line interface only, or can be managed by a remote system using graphical administration tools. You can convert to the full version of Windows Server 2012 that includes the graphical administration components only if you have access to an installation source with all server files, such as a mounted WIM image. Any Server Core component in a Removed state can only be installed by using an installation source.

Server Core with Management
  This is also known as Server Core-Full Server. This works the same as a deployment of Windows Server 2012 with the graphical components. With this installation option the graphical administration components are not in a Removed state. Instead, these components are available (they are located on the server's disk), but not installed into the OS. You can convert between Server Core with Management and Windows Server 2012 with a graphical interface by installing the graphical features, but without having to specify an installation source.

On a local connection, you can use the tools described in the following table to manage Server Core
installations of Windows Server 2012.
Tool / Function

Cmd.exe
  Enables you to run traditional command-line utilities, such as ping.exe, ipconfig.exe, and netsh.exe.

PowerShell.exe
  Enables you to start a Windows PowerShell session on the Server Core deployment. You can then perform Windows PowerShell tasks as usual.

Sconfig.cmd
  Command-line menu driven administrative tool that enables you to perform most common server administrative tasks.

Notepad.exe
  Enables you to use the Notepad.exe text editor in the Server Core environment.

Registry Editor
  Provides registry access within the Server Core environment.

Msinfo32.exe
  Enables you to view system information about the Server Core deployment.

Taskmgr.exe
  Starts the Task Manager.

Note: If you accidentally close the Command Prompt window on a computer running Server Core, you can restore it using this procedure:
1. Press Ctrl+Alt+Delete.
2. On the menu, click Task Manager.
3. On the File menu, click New Task (Run).
4. Type cmd.exe and then press Enter.

Server Core supports most, but not all, Windows Server 2012 roles and features. You cannot install the following roles on a computer running Server Core:
1. AD FS
2. Application Server
3. Network Policy and Access Services
4. Windows Deployment Services

Even if a role is available to a computer running the Server Core installation option, a specific role service
associated with that role may not be.
Note: You can check which roles are not available on Server Core by running the following query. The value Removed must be quoted; an unquoted bareword after -eq is a syntax error in Windows PowerShell.
Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Removed'}


The Windows Server 2012 administration model focuses on managing many servers from one console
instead of the traditional method of managing each server separately. When you want to perform an
administrative task, you are more likely to manage multiple computers running the Server Core operating
system from one computer than you are to connect to each computer individually. You can enable
remote management of a computer running Server Core by using sconfig.cmd or by executing the
command:
Netsh.exe firewall set service remoteadmin enable ALL
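The netsh command above opens the legacy remote administration firewall exceptions to every network. The following is an added example, not part of the course, showing the Windows PowerShell equivalent for a Server Core computer: it enables Windows PowerShell remoting, turns on Server Manager remote management with the Configure-SMRemoting.exe tool that ships with Windows Server 2012, and narrows the WinRM firewall rules to a management subnet, then provides a check you can run from the management workstation. The subnet 10.10.10.0/24 is an assumed value; Enable-PSRemoting, the NetSecurity cmdlets and Test-WSMan are all present on Windows Server 2012.

```powershell
# Added example (not from the course): enable remote management on a server and
# restrict the WinRM listener to a management subnet. Assumed value: the
# management subnet 10.10.10.0/24. Run in an elevated PowerShell session.

function Enable-ScopedRemoteManagement {
    param(
        # Only hosts in this range may reach the WinRM listener (assumed value).
        [string]$ManagementSubnet = '10.10.10.0/24'
    )
    # Enable-PSRemoting starts WinRM, registers the HTTP listener and enables the
    # "Windows Remote Management" firewall rules. -SkipNetworkProfileCheck lets it
    # run on a server that is not yet domain-joined (public network profile).
    Enable-PSRemoting -Force -SkipNetworkProfileCheck -ErrorAction Stop

    # Narrow the WinRM firewall rules from "any" to the management subnet so the
    # listener is not reachable from every network the server is attached to.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet

    # Server Manager remote management is switched on separately with the
    # Configure-SMRemoting.exe tool that Windows Server 2012 ships.
    & "$env:SystemRoot\System32\Configure-SMRemoting.exe" -Enable | Out-Null
}

function Test-RemoteManagementReady {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Test-WSMan succeeds only when WinRM is listening and reachable from here.
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $listening = $true
    } catch {
        $listening = $false
    }
    # Report the address scope of the enabled WinRM rules on the local server so an
    # auditor can confirm the listener is not exposed more widely than intended.
    $scope = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique
    New-Object PSObject -Property @{
        ComputerName   = $ComputerName
        WinRMReachable = $listening
        AllowedFrom    = ($scope -join ', ')
    }
}

# Usage:
# Enable-ScopedRemoteManagement
# Test-RemoteManagementReady -ComputerName LON-DC1
```

Scoping the rules to a management subnet is the detail the one-line netsh command leaves out: remote management that listens on every interface is as reachable from a compromised client VLAN as from the administrator's workstation.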

Installation Process for Windows Server 2012

In a typical installation of Windows Server 2012, if you do not have an existing answer file, you perform the following steps:
1. Connect to the installation source. Some options for this include:
   o Inserting a DVD-ROM that has the Windows Server 2012 installation files and booting from the DVD-ROM.
   o Connecting a USB drive that is made bootable and contains a copy of the Windows Server 2012 installation files.
   o Performing a PXE boot from the computer that Windows Server 2012 will be installed on to, and connecting to a WDS server.
2. On the first page of the Windows Setup Wizard, select the following:
   o Language to install
   o Time and currency format
   o Keyboard or input method
3. On the second page of the Windows Setup Wizard, click Install now. You can also use this page to select Repair Your Computer. Use this option if an installation has become corrupted and you can no longer boot into Windows Server 2012.
4. On the Select The Operating System You Want To Install page of the Windows Setup Wizard, select from the available operating system installation options. The default option is Server Core installation.
5. On the License Terms page of the Windows Setup Wizard, review the terms of the operating system license. You must accept the license terms before you can continue with the installation process.
6. On the Which Type Of Installation Do You Want page of the Windows Setup Wizard, you have the following options:
   o Upgrade. Select this option if you have an existing Windows Server installation that you want to upgrade to Windows Server 2012. You should start upgrades from the earlier version of Windows Server instead of booting from the installation source.
   o Custom. Select this option if you want to perform a new installation.
7. On the Where do you want to install Windows page of the Windows Setup Wizard, select an available disk on which to install Windows. You can also choose to repartition and reformat disks from this page. When you click Next, the installation process will copy files and restart the computer several times. This part of the installation can take several minutes, depending on the speed of the platform on which you are installing Windows Server 2012.
8. On the Settings page, provide a password for the local Administrator account. After you have provided this password, you can log on to the server and begin performing post-installation configuration tasks.

Post-Installation Tasks

In earlier versions of Windows operating systems, the installation required you to configure network connections, computer name, user account, and domain membership information. The Windows Server 2012 installation process reduces the number of questions that you have to answer. The only information that you provide during installation is the password that is used by the default local Administrator account. After it is installed, all the following steps can be performed when you select the Local Server node in the Server Manager console:

Configure the IP address

Set the computer name

Join an Active Directory domain

Configure the time zone

Enable automatic updates

Add roles and features

Enable remote desktop

Configure Windows Firewall settings

Lesson 2

Configuring Windows Server 2012

By correctly configuring a server first, you can avoid significant problems later. When planning to
configure a server, you must determine what roles to deploy. You must also assess whether roles can be
co-located on the same server or if you deploy certain roles on separate servers.

Lesson Objectives
After completing this lesson you will be able to:

Describe Windows Server 2012 server roles.

Install roles and use the Best Practice Analyzer to check role configuration.

Configure a computer running the Server Core installation option.

Switch a computer between Server Core and the full GUI installation option.

Configure networking and network interface teaming.

Demonstration: Exploring Server Manager in Windows Server 2012


In this demonstration, you will see how to use Server Manager to perform the following tasks:

Log on to Windows Server 2012.

View the Windows Server 2012 desktop.

Start the Server Manager console.

Add a server role or feature.

View role related events.

Run the Best Practice Analyzer for a role.

List the tools available from Server Manager.

Open the Start menu.

Log off the currently logged on user.

Restart Windows Server 2012.

Demonstration Steps
1. On LON-DC1, open the Add Roles and Features Wizard from the Server Manager Console.
2. Start the Add Roles and Features Wizard and select the following options:
   o Role-based or feature-based installation
   o LON-DC1
   o FAX Server role
   o BranchCache feature
3. Use the notification area to review the messages.
4. On the Dashboard, view DNS Events.
5. Configure the DNS - Events Detail View with the following settings:
   o Time period: 12 hours
   o Event Sources: All
6. View the DNS Best Practice Analyzer (BPA) with the following settings:
   o Severity Levels: All
7. Use the Tools menu to view the tools that are installed on LON-DC1.
8. Demonstrate log off LON-DC1 and then log back on.
9. Open Windows PowerShell and then use the shutdown command to shut the server down.

Server Roles in Windows Server 2012

Roles and their associated Role Services are still a primary function of a server. Similarly, if you install the Web Server (IIS) role, Windows Server 2012 by default only selects critical services that are required for the role to function. If you want to use additional components with the Web Server (IIS) role, such as Windows Authentication, you must select and install that component as a role service. Windows Server 2012 supports the roles described in the following table.

Role / Function

Active Directory Certificate Services
  Enables the deployment of certification authorities and related role services.

AD DS
  Centralized store of information about network objects including user and computer accounts. Used for authentication and authorization.

AD FS
  Provides web single sign-on (SSO) and secured identity federation support.

Active Directory Lightweight Directory Services (AD LDS)
  Supports storage of application-specific data for directory-aware applications that do not require the full infrastructure of AD DS.

Active Directory Rights Management Services (AD RMS)
  Enables you to prevent unauthorized access to sensitive documents by applying rights management policies.

Application Server
  Supports centralized management and hosting of high-performance distributed business applications, such as those built with the .NET Framework 4.5 and Enterprise Services.

DHCP Server
  Provisions client computers on the network with temporary IP addresses.

DNS Server
  Provides name resolution for TCP/IP networks.

Fax Server
  Supports sending and receiving of faxes. Also enables you to manage fax resources on the network.

File and Storage Services
  Supports the storage and management of shared folders, Distributed File System, and network storage.

Hyper-V
  Enables you to host virtual machines on computers running Windows Server 2012.

Network Policy and Access Services
  Authorization infrastructure for remote connections, including Health Registration Authority for Network Access Protection.

Print and Document Services
  Supports centralized management of document tasks, including network scanners and networked printers.

Remote Access
  Supports Seamless Connectivity, Always On, Always Managed features based on DirectAccess. Also supports Remote Access through VPN and dial-up.

Remote Desktop Services
  Supports access to virtual desktops, session-based desktops, and RemoteApp programs.

Volume Activation Services
  New to Windows Server 2012. Enables you to automate and simplify the management of volume license keys and volume key activation. Also enables you to manage a Key Management Service host or configure AD DS-based activation for computers that are members of the domain.

Web Server (IIS)
  The Windows Server 2012 web server component.

Windows Deployment Services
  Enables you to deploy server operating systems to clients over the network.

Windows Server Update Services
  Provides a method of deploying updates for Microsoft products to computers on the network.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server's configuration, such as firewall settings, to support the role. When you deploy a role, Windows Server 2012 automatically deploys role dependencies at the same time. For example, when you install the Windows Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components that are required to support the Web Server role.
You add and remove roles using the Add Roles and Features Wizard, available from the Server Manager console. You can also add and remove roles using the Install-WindowsFeature and Remove-WindowsFeature Windows PowerShell cmdlets.

Demonstration: Installing and Optimizing Server Roles in Windows Server 2012

In this demonstration you will see how to install and optimize a server role in Windows Server 2012.

Demonstration Steps
1. Use the Add Roles and Features Wizard to add the Application Server role to LON-DC1.
2. View App Server Performance.
3. View DHCP BPA results.

Configuring Server Core in Windows Server 2012

You must perform several aspects of post-installation configuration of Server Core operating systems from the command-line. You can perform most post-installation configuration tasks using the menu-driven command prompt utility sconfig.cmd. By using this utility, you minimize the possibility of the Administrator making syntax errors when you use more complex command-line utilities. You can use sconfig.cmd to perform the following tasks:

Configure Domain and Workgroup information

Configure the computer's name

Add local Administrator accounts

Configure Remote Management

Enable Windows Update

Download and install updates

Enable Remote Desktop

Configure Network Address information

Set the date and time

Perform Windows Activation

Enable the Graphic User Interface

Log off

Restart the server

Shut down the server

Configure IP Address Information


You can configure the IP address and DNS information by using sconfig.cmd or netsh.exe. To configure IP address information by using sconfig.cmd, perform the following steps:
1. Run sconfig.cmd from the command-line.
2. Select option 8 to configure Network Settings.
3. Select the index number of the network adapter to which you want to assign an IP address.
4. In the Network Adapter Settings area, select between one of the following options:
   o Set Network Adapter Address
   o Set DNS Servers
   o Clear DNS Server Settings
   o Return to Main Menu

Change Server Name


You can change the server name using the netdom command with the renamecomputer option. For
example, to rename a computer to Melbourne, type the following command:
Netdom renamecomputer %computername% /newname:Melbourne

You can change a server name using sconfig.cmd by performing the following steps:
1. Run sconfig.cmd from the command-line.
2. Select option 2 to configure the computer name.
3. Type the new computer name and then press Enter.

You must restart a server for the configuration change to take effect.

Joining the Domain

You can join a Server Core computer to a domain using the netdom command with the join option. For
example, to join the adatum.com domain using the Administrator account, and to be prompted for a
password, issue the command:
Netdom join %computername% /domain:adatum.com /UserD:Administrator /PasswordD:*

To join a Server Core computer to the domain using sconfig.cmd, perform the following steps:
1. Run sconfig.cmd from the command-line.
2. Select option 1 to configure Domain/Workgroup.
3. Type D and press Enter to select the Domain option.
4. Type the name of the domain to which you want to join the computer.
5. Provide the details of an account authorized to join the domain in domain\username format.
6. Type the password associated with that account.

To complete a domain join operation you must restart the computer.


Note: Before joining the domain, verify that you can ping the DNS server by host name.
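The post-installation task list in Lesson 1 and the sconfig.cmd, netsh and netdom procedures above are all steps of one configuration sequence. The following is an added example, not part of the course, that scripts that sequence with the Windows PowerShell cmdlets Windows Server 2012 ships for it (NetTCPIP, DnsClient, NetSecurity, Microsoft.PowerShell.Management), including the check in the note above that the DNS server answers before the join is attempted. The adapter alias Ethernet, the 10.10.10.0/24 addresses, the name LON-SVR1 and the time zone are assumed values; adatum.com is the domain the text uses.

```powershell
# Added example (not from the course): script the post-installation tasks with
# cmdlets instead of sconfig.cmd / netsh / netdom. Assumed values: adapter alias
# "Ethernet", the 10.10.10.0/24 addresses, the new name LON-SVR1 and the time zone.
# Run elevated; the computer restarts at the end to complete the domain join.

function Set-PostInstallConfiguration {
    param(
        [string]$InterfaceAlias = 'Ethernet',          # assumed adapter name
        [string]$IPAddress      = '10.10.10.10',       # assumed
        [int]   $PrefixLength   = 24,                  # 255.255.255.0
        [string]$Gateway        = '10.10.10.1',        # assumed
        [string]$DnsServer      = '10.10.10.5',        # the text's primary DNS server
        [string]$NewName        = 'LON-SVR1',          # assumed
        [string]$Domain         = 'adatum.com',        # domain used in the text
        [string]$TimeZone       = 'GMT Standard Time'  # assumed; list names with tzutil /l
    )

    # 1. Static IPv4 address and DNS server. Drop any DHCP-assigned address and
    #    default route first so the adapter does not end up with two of each.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
        -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer

    # 2. The note above: before joining, confirm DNS works by name. Resolving the
    #    domain's DC locator record proves the server can find a domain controller.
    $dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
    if (-not (Test-Connection -ComputerName $dc.NameTarget -Count 1 -Quiet)) {
        throw "Cannot reach domain controller $($dc.NameTarget); fix networking before joining"
    }

    # 3. Time zone (tzutil.exe is the command-line tool for this on Server 2012).
    & tzutil.exe /s $TimeZone

    # 4. Remote Desktop: allow connections, keep Network Level Authentication
    #    required, and open only the firewall rule group Windows ships for RDP.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # 5. Rename and join in one step. The join prompts for credentials rather than
    #    taking a password on the command line, so it never lands in the shell
    #    history; -Restart completes the join as the text requires.
    $cred = Get-Credential -Message "Account authorized to join $Domain (domain\username)"
    Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
}

# Usage (defaults are the assumed values above):
# Set-PostInstallConfiguration
```

Step 2 is why the order matters: the netdom command in the text will fail with an unhelpful error if the server cannot resolve the domain, so the script proves name resolution before it asks for credentials.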

Add Roles and Features Using Windows PowerShell

You can add and remove roles and features to a computer running the Server Core installation option by
using the Get-WindowsFeature, Install-WindowsFeature, and Remove-WindowsFeature Windows
PowerShell cmdlets. These cmdlets are available after you load the Server Manager module.

For example, you can view a list of roles and features that are installed by executing the following Windows PowerShell command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}

You can install a Windows role or feature using the Install-WindowsFeature cmdlet. For example, to install the Network Load Balancing feature, execute the command:
Install-WindowsFeature NLB

Not all features are directly available for installation on a computer running the Server Core operating system. You can determine which features are not directly available for installation by running the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Removed'}

You can add a role or feature that is not available for installation by using the -Source parameter of the Install-WindowsFeature cmdlet. You must specify a source location that hosts a mounted installation image that includes the full version of Windows Server 2012. You can mount an installation image using the DISM.exe command prompt utility.
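The three InstallState values (Installed, Available, Removed) decide whether a feature can be added at all without media. The following is an added example, not part of the course, that turns the commands above into an inventory and an installer: it previews the dependencies Install-WindowsFeature will pull in, and supplies -Source only when the feature's payload is in the Removed state, failing early if the referenced image is not there. The feature name NLB comes from the text; the source path D:\sources\install.wim and image index 2 are assumed (find the right index with Get-WindowsImage -ImagePath <wim>).

```powershell
# Added example (not from the course): inventory roles and features by install
# state, and install a feature with an installation source only when needed.
# Assumed values: feature NLB (from the text), source wim:D:\sources\install.wim:2.

Import-Module ServerManager

function Get-FeatureInventory {
    # Groups every feature by InstallState: Installed, Available (payload on disk)
    # or Removed (payload absent; needs -Source on Server Core).
    Get-WindowsFeature |
        Group-Object -Property InstallState |
        ForEach-Object {
            New-Object PSObject -Property @{
                InstallState = $_.Name
                Count        = $_.Count
                Features     = ($_.Group | Select-Object -ExpandProperty Name) -join ' '
            }
        }
}

function Install-FeatureFromSource {
    param(
        [Parameter(Mandatory)][string]$Name,
        # wim:<path>:<index> is one of the forms Install-WindowsFeature -Source
        # accepts; a folder holding a mounted image works as well. Assumed value.
        [string]$Source = 'wim:D:\sources\install.wim:2'
    )
    $feature = Get-WindowsFeature -Name $Name -ErrorAction Stop
    if ($feature.Installed) {
        Write-Output "$Name is already installed"
        return
    }

    $params = @{ Name = $Name }
    if ($feature.InstallState -eq 'Removed') {
        # Removed payload: an installation source is mandatory, so check that the
        # referenced file or folder exists rather than failing half way through.
        $wimPath = ($Source -replace '^wim:', '') -replace ':\d+$', ''
        if (-not (Test-Path -Path $wimPath)) {
            throw "Installation source $wimPath not found"
        }
        $params.Source = $Source
    }

    # Preview first: dependencies are added automatically, and -WhatIf lists them
    # without changing the server.
    Install-WindowsFeature @params -WhatIf

    $result = Install-WindowsFeature @params
    # Report success and whether a restart is still needed to finish.
    $result | Select-Object Success, RestartNeeded, ExitCode, FeatureResult
}

# Usage:
# Get-FeatureInventory | Format-Table InstallState, Count
# Install-FeatureFromSource -Name NLB
```

The -WhatIf preview is worth keeping in any provisioning script: a role such as Windows Server Update Services drags in Web Server (IIS) components, and the preview shows that extra surface before it is installed.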

Switching Between Server Core, Full, and Minimal Server Interface Options

Windows Server 2012 offers the option of switching between Server Core and the full installation. When you install Server Core, the necessary components to convert to the full version are not installed. You can install these if you have access to a mounted image of the full version of the Windows Server 2012 installation files.

You can switch from Server Core to the graphical version of Windows Server 2012 by running the following Windows PowerShell cmdlets, where c:\mount is the root directory of a mounted image that hosts the full version of the Windows Server 2012 installation files:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount

This gives you the option of performing administrative tasks using the graphical tools. You can also add the graphical tools using the sconfig.cmd menu-driven command prompt utility.

After you have performed the necessary administrative tasks, you can return the computer to its original Server Core configuration. You can switch a computer that has the graphical version of Windows Server 2012 to Server Core by removing the following features:

Graphical Management Tools and Infrastructure

Server Graphical Shell


The Minimal Server Interface differs from Server Core because it has all components available and does not require you to provide access to a mounted directory that contains the full version of the Windows Server 2012 installation files. You can use the Install-WindowsFeature command without specifying a source location when you convert the Minimal Server Interface to the full installation of Windows Server 2012. The advantage of the Server Core installation option over Minimal Server is that, even though they look similar, Server Core requires a smaller amount of hard disk space as it does not have all components available for installation.
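The three interface levels described above are distinguished by the install state of two features, and the same two features are what the text says you remove to return to Server Core. The following is an added example, not part of the course, that reports which level a computer is running and performs the removal. The feature names are the real ones behind the friendly names in the list above: Server-Gui-Mgmt-Infra is Graphical Management Tools and Infrastructure, Server-Gui-Shell is Server Graphical Shell.

```powershell
# Added example (not from the course): classify a Windows Server 2012 computer as
# Server Core, Minimal Server Interface or full installation, and convert a full
# installation back to Server Core by removing the two graphical features.

Import-Module ServerManager

function Get-ServerInterfaceLevel {
    $mgmt  = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra
    $shell = Get-WindowsFeature -Name Server-Gui-Shell

    # Full: both installed. Minimal Server Interface: management infrastructure
    # installed but no shell. Server Core: neither installed; the InstallState then
    # tells you whether the payload is Available (Server Core with Management, no
    # -Source needed) or Removed (a mounted image is required to add the GUI).
    $level = if ($shell.Installed) { 'Full (Server with a GUI)' }
             elseif ($mgmt.Installed) { 'Minimal Server Interface' }
             elseif ($mgmt.InstallState -eq 'Available') { 'Server Core (GUI payload available, no source needed)' }
             else { 'Server Core (GUI payload removed, -Source required)' }

    New-Object PSObject -Property @{
        InterfaceLevel = $level
        MgmtInfraState = $mgmt.InstallState
        ShellState     = $shell.InstallState
    }
}

function ConvertTo-ServerCore {
    param([switch]$Restart)
    # Removing both features returns the computer to Server Core as the text
    # describes. Uninstall-WindowsFeature is the cmdlet name (Remove-WindowsFeature
    # is its alias). Without -Remove the payload stays on disk, so the GUI can be
    # re-added later without an installation source.
    $result = Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart:$Restart
    $result | Select-Object Success, RestartNeeded, FeatureResult
}

# Usage:
# Get-ServerInterfaceLevel
# ConvertTo-ServerCore -Restart
```

Get-ServerInterfaceLevel is the check to run before a conversion: the fourth case (payload Removed) is the one where the Install-WindowsFeature command earlier in this topic fails unless -Source points at a mounted image.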

Configuring Networking and Network Interface Teaming

Configuring the network involves setting or verifying the server's IP address configuration. By default, a newly-deployed server tries to obtain IP address information from a DHCP server. You can view a server's IP address configuration by clicking the Local Server node in Server Manager. If the server has an IPv4 address in the Automatic Private Internet Protocol Addressing (APIPA) range of 169.254.0.1 to 169.254.255.254, the server has not been configured with an IP address from a DHCP server. This may be because a DHCP server has not been configured on the network, or because there is a problem with the network infrastructure that blocks the adapter from receiving an address.

Note: If you are using a purely IPv6 network, an IPv4 address in this range is not a problem, and IPv6 address information is still configured automatically. You will learn more about implementing IPv6 in Module 8, Implementing IPv6.

Configuration Using Server Manager

To manually configure IP address information for a server, perform the following steps:
1. In the Server Manager console, click the address next to the network adapter that you want to configure. This will open the Network Connections window.
2. Right-click the network adapter that you want to configure an address for, and then click Properties.
3. In the Adapter Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, enter the following IPv4 address information, and then click OK, and then click OK again:
   o IP address
   o Subnet Mask
   o Default Gateway
   o Preferred DNS server
   o Alternative DNS server

Command-Line IPv4 Address Configuration


You can manually set IPv4 address information from an elevated command prompt by using the netsh.exe command from the interface ipv4 context. For example, to configure the adapter named Local Area Connection with the IPv4 address 10.10.10.10 and subnet mask 255.255.255.0, type the following command (the adapter name contains spaces, so it must be quoted):
Netsh interface ipv4 set address "Local Area Connection" static 10.10.10.10 255.255.255.0

You can use the same context of the netsh.exe command to configure DNS settings. For example, to configure the adapter named Local Area Connection to use the DNS server at IP address 10.10.10.5 as the primary DNS server, type the following command:
Netsh interface ipv4 set dnsservers "Local Area Connection" static 10.10.10.5 primary

Network Card Teaming

Network Card Teaming is a new feature in Windows Server 2012. With Network Card Teaming you
can increase the availability of a network resource. When you configure Network Card Teaming, a
computer uses one network address for multiple cards. If one of the cards fails, the computer continues
communicating with other hosts on the network that are using that shared address. This enables you to
provide hardware redundancy for a server's network cards. Network Card Teaming does not require that
the network cards be the same model or use the same driver.
Windows Server 2012 supports up to 32 network adapters in a team. When a computer has separate
network adapters that are not part of a team, incoming and outgoing traffic may not be balanced across
those adapters. Network Card Teaming also provides bandwidth aggregation, ensuring that traffic is
balanced across network interfaces as a way to increase effective bandwidth.
To team network cards, perform the following steps:
1. Ensure that the server has more than one network adapter.
2. In Server Manager, click the Local Server node.
3. Click Disabled next to Network Adapter Teaming. This opens the NIC Teaming dialog box.
4. In the NIC Teaming dialog box, press the Ctrl key, and then click each network adapter that you want to add to the team.
5. Right-click these selected network adapters, and then click Add to New Team.
6. In the New Team dialog box, enter a name for the team, and then click OK.
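The NIC Teaming dialog box drives the NetLbfo cmdlets, so the same team can be built from Windows PowerShell, which is the only option on Server Core. The script below is an added example rather than course material; the team name and the member adapter names (Ethernet and Ethernet 2) are placeholders, and the wait loop and its 30-second limit are this example's own choice.

```powershell
# Added example, not part of the course text: create the team from PowerShell and confirm that
# every member is active before relying on it. Team and adapter names are placeholders.
$TeamName = 'LAN-Team'
$Members  = @('Ethernet', 'Ethernet 2')

# Refuse to proceed if a named adapter is missing or already belongs to a team.
foreach ($name in $Members) {
    $null = Get-NetAdapter -Name $name -ErrorAction Stop
    if (Get-NetLbfoTeamMember -Name $name -ErrorAction SilentlyContinue) {
        throw "Adapter '$name' is already a member of a team."
    }
}

# SwitchIndependent needs no switch configuration and still gives failover plus outbound
# load distribution; choose Lacp only when the switch ports are configured for it.
New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false | Out-Null

# Members take a moment to come up; poll their status rather than trusting the first reading.
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 2
    $members  = Get-NetLbfoTeamMember -Team $TeamName
    $inactive = @($members | Where-Object { $_.OperationalStatus -ne 'Active' })
} until ($inactive.Count -eq 0 -or (Get-Date) -gt $deadline)

if ($inactive.Count -gt 0) {
    throw "Team '$TeamName' has inactive members: $($inactive.Name -join ', ')"
}

# The team exposes one virtual adapter; the IPv4 configuration belongs on it, not on the members.
Get-NetLbfoTeamNic -Team $TeamName | Select-Object Name, Primary, VlanID, TransmitLinkSpeed
```

After the team exists, the member adapters no longer carry their own IP configuration; the address is set on the team interface reported by Get-NetLbfoTeamNic, exactly as it would be on a single physical adapter.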

Lesson 3
Configuring Remote Management for Windows Server 2012 Servers

When you want to perform an administration task, it is more efficient to manage multiple servers from
a single console than to connect to each server separately. You should spend time ensuring that newly
deployed servers are configured so that you can manage them centrally. This enables you to spend more
time at your desk administering those servers, instead of having to trek into the datacenter to start a
direct connection.

Lesson Objectives
After completing this lesson you will be able to:
Describe the different Windows Server 2012 remote management technologies.
Configure Windows Server 2012 to support Remote Management.
Collect servers into Server Groups.
Deploy roles and features remotely.

What Is Remote Management?

With Windows Remote Management, you can use Remote Shell, remote Windows PowerShell, and remote
management tools to remotely manage a computer. Remote Shell enables you to run command-line utilities
against correctly configured remote servers as long as the command prompt utility is present on the remote
server. Remote Windows PowerShell lets you run Windows PowerShell commands or scripts against
correctly configured remote servers when the script is hosted on the local server. Remote Windows
PowerShell also lets you load Windows PowerShell modules, such as Server Manager, locally and execute the
cmdlets available in that module against suitably configured remote servers. Remote Management is
enabled by default on computers running Windows Server 2012.

You can enable and disable Remote Management from Server Manager by clicking the text next to the
Remote Management item when you have the Local Server node selected in the Server Manager console.
To enable remote management from the command line, type the command WinRM qc. The "qc" is an
abbreviation of Quick Configuration. You can disable Remote Management from Server Manager by using
the same control that you use to enable it.
To disable remote management on a computer running the Server Core installation option, use
sconfig.cmd.


Remote Desktop is still a necessary Windows Server 2012 remote management technology because
some environments have not upgraded their administrator's workstations from Windows XP and other
environments may have Windows Server 2012 deployed even when the users in those environments
primarily use third-party operating systems. You can configure Remote Desktop on a computer running
the full version of Windows Server 2012 by performing the following steps:
1. In the Server Manager console, click the Local Server node.
2. Click Disabled next to Remote Desktop.
3. On the Remote tab of the System Properties dialog box, select one of the following options:
o Don't allow connections to this computer. The default state of Remote Desktop is disabled.
o Allow connections from computers running any version of Remote Desktop. Enables connections from Remote Desktop clients that do not support Network Level Authentication.
o Allow connections only from computers running Remote Desktop with Network Level Authentication. Enables secure connections from computers running Remote Desktop clients that support Network Level Authentication. This is the preferred setting, because the client must authenticate before the server creates a session for it.

You can enable and disable Remote Desktop on computers running the Server Core installation option by
using the sconfig.cmd menu-driven command prompt utility.

How Remote Management Works In Windows Server 2012
Windows Remote Management (WinRM) is a collection of technologies that enables administrators to
manage server hardware when logged on directly or over the network. Windows Server 2012 uses WinRM
to enable management of multiple computers concurrently through a single Server Manager console.
Windows Remote Management includes the following components:

WS-Management protocol. A SOAP-based, firewall-aware protocol that enables computers to exchange
management information. SOAP uses XML messages when transmitting information.

WinRM Scripting API. This scripting API enables systems to obtain data from remote computers
through WS-Management protocol operations.

Winrm.cmd. Command-line systems management tool that enables you to configure WinRM. For
example, you can use this tool to enable Windows Remote Management on a server.

Winrs.exe. Tool that enables you to execute most cmd.exe commands on remote servers. For example, to
obtain the IP address information and list of running tasks on server LON-SVR1, issue the command:
winrs -r:lon-svr1 "ipconfig & tasklist"

The command string is passed to cmd.exe on the remote server, so two commands are separated with
the cmd.exe & operator and the whole string is quoted.

Note: You can learn more about Windows Remote Management at:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx.

You can enable Windows Remote Management by issuing the following command:
Winrm qc

Running this command does the following:
1. Configures the WinRM service with the Automatic startup type.
2. Starts the WinRM service.
3. Configures a listener that will accept WinRM requests on any IP address.
4. Creates a firewall exception for WS-Management traffic using the HTTP protocol.

The HTTP listener uses TCP port 5985. Between domain members, Kerberos (Negotiate) authentication also
encrypts the message payload, so the HTTP listener does not send management traffic in clear text. For
computers that are not domain members, configure an HTTPS listener with a server certificate rather than
enabling Basic authentication or unencrypted traffic.

If you do not know whether a server is configured for Windows Remote Management, you can run the
following command to obtain Windows Remote Management configuration information:
Winrm get winrm/config
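The same configuration is exposed through the WSMan: drive, which makes it straightforward to check a server for settings that weaken remote management rather than reading the whole winrm get output by eye. The function below is an added example, not course material; which settings it treats as findings is this example's own judgement, not a check built into Windows.

```powershell
# Added example, not part of the course text: read the WinRM configuration through the WSMan:
# drive and report settings that weaken remote management. The list of "weak" settings is this
# example's own judgement.
function Test-WinRmHardening {
    $findings = New-Object System.Collections.Generic.List[string]

    $svc = Get-Service -Name WinRM
    if ($svc.Status -ne 'Running') { $findings.Add("WinRM service is $($svc.Status)") }

    # Each listener is a container whose child items include Transport, Address and Port.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    if ($listeners.Count -eq 0) { $findings.Add('No WinRM listener is configured') }
    foreach ($l in $listeners) {
        $props = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        if ($props.Transport -eq 'HTTP' -and $props.Address -eq '*') {
            $findings.Add("HTTP listener on all addresses (port $($props.Port)); Kerberos protects domain traffic, use HTTPS for non-domain hosts")
        }
    }

    # Service-side switches: unencrypted payloads and Basic authentication expose credentials on the wire.
    if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') { $findings.Add('Service\AllowUnencrypted is true') }
    if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true')      { $findings.Add('Service\Auth\Basic is true') }

    # Client-side trust: a wildcard TrustedHosts lets this computer send credentials to any host name.
    if ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -eq '*') { $findings.Add('Client\TrustedHosts is "*"') }

    [pscustomobject]@{
        ListenerCount = $listeners.Count
        Findings      = $findings.ToArray()
        Hardened      = $findings.Count -eq 0
    }
}

$result = Test-WinRmHardening
$result.Findings | ForEach-Object { Write-Warning $_ }
$result
```

On a freshly configured domain member the function reports the HTTP listener as its only finding, which is acceptable inside the domain; the AllowUnencrypted, Basic and TrustedHosts findings are the ones that indicate someone has loosened the defaults.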

Additional Reading: You can learn more about configuring Windows Remote
Management by reading the following Performance Team post:
http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx.

You can use Remote Windows PowerShell to run commands against a correctly configured remote server.
There are several methods that you can use to accomplish this. You can use the Invoke-Command
cmdlet to run a command or a script. For example, to view the list of installed roles and features on
LON-SVR1 and LON-SVR2 when the ServerManager module is loaded and both are configured for
Windows Remote Management, issue the command:
Invoke-Command -ComputerName LON-SVR1, LON-SVR2 -ScriptBlock {Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}}

You can also start a remote Windows PowerShell session by using the Enter-PSSession cmdlet. To end
the session, run the Exit-PSSession cmdlet. For example, to start a remote Windows PowerShell session to
LON-SVR1, issue the command:
Enter-PSSession -ComputerName LON-SVR1

Additional Reading: You can learn more about Remote Windows PowerShell at:
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx.
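When the same Invoke-Command is run against a list of servers, one unreachable host causes an error in the middle of the output and the rest of the results are easy to misread. The following script is an added example, not part of the course text; it uses the lesson's server names LON-SVR1 and LON-SVR2, opens one session per server so failures are reported separately, and summarizes the installed features per computer.

```powershell
# Added example, not part of the course text: inventory installed roles and features on several
# servers over PowerShell remoting, reporting unreachable servers instead of dropping them.
# LON-SVR1 and LON-SVR2 are the lesson's names; replace them with your own.
$Servers = @('LON-SVR1', 'LON-SVR2')

# Open sessions one at a time so a single unreachable host does not abort the batch.
$sessions    = @()
$unreachable = @()
foreach ($s in $Servers) {
    try   { $sessions += New-PSSession -ComputerName $s -ErrorAction Stop }
    catch { $unreachable += [pscustomobject]@{ ComputerName = $s; Error = $_.Exception.Message } }
}

if ($sessions.Count -gt 0) {
    # The script block runs on each remote host, so ServerManager is loaded there, not locally.
    $inventory = Invoke-Command -Session $sessions -ScriptBlock {
        Import-Module ServerManager
        Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Installed' } |
            Select-Object Name, DisplayName, FeatureType
    }

    # Remoting output carries PSComputerName, which allows a per-server summary.
    $inventory | Group-Object PSComputerName | ForEach-Object {
        [pscustomobject]@{
            ComputerName      = $_.Name
            InstalledFeatures = $_.Count
            Roles             = ($_.Group | Where-Object { $_.FeatureType -eq 'Role' }).Name -join ', '
        }
    }
    $sessions | Remove-PSSession
}

$unreachable | ForEach-Object { Write-Warning "$($_.ComputerName): $($_.Error)" }
```

The per-server summary is the list an administrator wants before deciding which servers still need a role installed; the warnings at the end are the list of servers whose WinRM configuration needs attention first.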

Demonstration: Configuring Servers for Remote Management

In this demonstration you will disable and enable Remote Management from Server Manager.

Demonstration Steps
1. Use Server Manager on LON-DC1 to disable Remote Management.
2. Use the winrm qc command from a Windows PowerShell prompt to re-enable remote management on LON-DC1.
3. Use Server Manager to verify that Remote Management is re-enabled.

Managing Server Groups in Server Manager
Server Manager in Windows Server 2012 automatically groups servers by role. This enables you to perform
role-based tasks across all servers that host that role in the organization. For example, rather than
connecting to each DNS server in the domain to perform a particular task, you can select the DNS node,
select all servers that host DNS that you want to perform the task on, and then perform the task against
that selection of servers.
A benefit to administrators is that servers in your organization are automatically grouped by role.
For example, all servers that host the IIS or NAP roles are automatically grouped under the category
nodes for those roles in the Server Manager console.

You can also use the Server Manager console to create custom server groups. A custom server group is a
user-defined group of servers rather than a group of servers that share a specific role.

Demonstration: Managing Remote Servers by Using Server Manager
In this demonstration you will see how to create a server group. You will then perform a remote
management task on both servers that are members of the group using a single action.

Demonstration Steps
1. On LON-DC1, use Server Manager to create a server group named LONDON-GROUP that has LON-DC1 and LON-SVR5 as members.
2. Use the group node as a method of starting the performance counters on both servers using the one action, rather than enabling performance counters on each server individually.
3. Use the Manageability column to verify that both LON-DC1 and LON-SVR5 are listed as Online.

Lab: Installing and Configuring Servers Based on Windows Server 2012
Scenario

A. Datum is an engineering and manufacturing company. The organization is based in London, England.
The organization is quickly expanding the London location as well as internationally. Because the
company has expanded, some business requirements are changing as well. To address some business
requirements, A. Datum has decided to deploy Windows Server 2012 on an existing network populated
with servers running the Windows Server 2008 and Windows Server 2008 R2 operating systems.
As one of the experienced Windows Server 2008 administrators, you are responsible for implementing
many of the new features on Windows Server 2012. To become familiar with the new operating system,
you plan to install a new Windows Server 2012 server running the Server Core version and complete the
initial configuration tasks. You also plan to configure and explore the remote management features that
are available in Windows Server 2012.

Objectives

Install Windows Server 2012 server core.

Configure a Windows Server 2012 server core.

Configure remote management for Windows Server 2012 Servers.

Lab Setup
Estimated time: 60 minutes

Virtual Machines

20417A-LON-DC1
20417A-LON-SVR5

User Name

Adatum\Administrator

Password

Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd

Exercise 1: Install Windows Server 2012 Server Core

Scenario

After having problems effectively deploying and configuring the Server Core version of Windows Server
2008, A. Datum is interested in using the Server Core installation of Windows Server 2012 when possible
because of the reduced hardware footprint and minimized update requirements. To become familiar with
the new operating system, you plan to install and configure a new Windows Server 2012 server running
the Server Core version as a way to determine whether the product is more easily managed than the
earlier version.
The main tasks in this exercise are:
1. Install Windows Server 2012.
2. Convert a Windows Server 2012 server core installation to a full installation.
3. Convert a Windows Server 2012 full installation to a server core installation.

Task 1: Install Windows Server 2012
1. In the Hyper-V Manager console, open the settings for 20417A-LON-SVR5.
2. Configure the DVD drive to use the Windows Server 2012 image file named Win2012_RC.ISO. This file is located at C:\Program Files\Microsoft Learning\20417\Drives.
3. Start 20417A-LON-SVR5. On the Windows Server 2012 page of the Windows Setup Wizard, verify the following settings, click Next, and then click Install Now:
o Language to install: English (United States)
o Time and currency format: English (United States)
o Keyboard or input method: US
4. Select to install the Windows Server 2012 Release Candidate Datacenter (Server Core Installation) operating system.
5. Accept the license terms and then select Custom: Install Windows Only (Advanced).
6. Install Windows Server 2012 on Drive 0.
o Depending on the speed of the host computer, the installation will take approximately 20 minutes. The virtual machine will restart several times during this process.
7. On the log on page, click OK and then enter Pa$$w0rd in both the Password and Confirm password boxes.
8. Click OK to complete the installation and log on.

Task 2: Convert a Windows Server 2012 Server Core Installation to a Full Installation
1. On LON-SVR5 at the command prompt type:
mkdir c:\mount
2. Issue the following command and press Enter:
dism.exe /Mount-Image /ImageFile:d:\sources\install.wim /Index:4 /MountDir:c:\mount /ReadOnly
3. Start Windows PowerShell by typing the following command:
PowerShell.exe
4. From Windows PowerShell issue the following commands, pressing Enter after each:
Import-Module ServerManager
Install-WindowsFeature -Name User-Interfaces-Infra -IncludeAllSubFeature -Source c:\mount\windows
The -Source parameter is required because a Server Core installation does not stage the GUI binaries; they are taken from the mounted full-installation image.
5. When prompted, restart the server and then log on as Administrator with the password of Pa$$w0rd to verify the presence of the full GUI components.

Task 3: Convert a Windows Server 2012 Full Installation to a Server Core Installation
1. Log on to LON-SVR5 and attempt to start Internet Explorer.
2. Start Windows PowerShell and issue the following commands:
Import-Module ServerManager
Uninstall-WindowsFeature User-Interfaces-Infra
Shutdown /r /t 5
3. Log on to LON-SVR5 as Administrator with the password of Pa$$w0rd and verify that it is now configured to use the Server Core configuration.

Exercise 2: Configure a Computer Running a Server Core Installation of Windows Server 2012

Scenario

After you install Server Core, you want to configure some basic network and firewall settings and join the
computer to the domain. During this initial deployment, you plan to perform these steps manually from the
command line.
The main tasks for this exercise are as follows:
1. Configure the network.
2. Add the server to the domain.
3. Configure Windows Firewall.

Task 1: Configure the network
1. On LON-SVR5 in the command prompt, type sconfig.
2. Set the computer name to LON-SVR5.
3. Restart the server as prompted and log on to LON-SVR5 as Administrator with the password of Pa$$w0rd.
4. Use the hostname command to verify the name change.
5. Start sconfig and configure Network Settings.
6. Select the index number of the network adapter that you want to configure.
7. Set the Network Adapter Address to the following:
o IP address: 172.16.0.111
o Subnet Mask: 255.255.0.0
o Default gateway: 172.16.0.1
8. Set the preferred DNS server to 172.16.0.10. Do not configure an alternative DNS server address.
9. Exit sconfig and verify network connectivity to lon-dc1.adatum.com using the ping utility.

Task 2: Add the server to the domain
1. Use sconfig to switch to configure Domain/Workgroup.
2. Join the domain adatum.com using account adatum\administrator and the password of Pa$$w0rd.
3. Restart the server.
4. Log on to LON-SVR5 with the adatum\administrator account and a password of Pa$$w0rd.

Task 3: Configure Windows Firewall
1. Use sconfig.cmd to Enable Remote Management.
2. At the command prompt, type PowerShell.exe.
3. Issue the following command to view the enabled Firewall rules that allow traffic:
Get-NetFirewallRule -Enabled True | Where-Object {$_.Action -eq "Allow"} | Format-Table -Property DisplayName
4. Issue the following command to view all disabled Firewall rules:
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "False"} | Format-Table -Property DisplayName
5. Issue the following command to view all Windows PowerShell cmdlets related to NetFirewallRule:
Get-Command -Noun NetFirewallRule
6. View the status of the Remote Desktop inbound firewall rule by issuing the following command:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
7. Issue the following command to enable the Remote Desktop Inbound Firewall rule:
Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
8. Issue the following command to verify that the Remote Desktop Inbound Firewall rule is enabled:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
9. Issue the following command to disable the Remote Desktop Inbound Firewall Rule:
Disable-NetFirewallRule RemoteDesktop-UserMode-In-TCP
10. Verify that the Remote Desktop Inbound Firewall Rule is disabled:
Get-NetFirewallRule RemoteDesktop-UserMode-In-TCP
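The rule listing in step 3 shows display names only; the information that matters for a Server Core host that will sit in a remote office is which protocols, ports and remote addresses those rules open. The function below is an added example, not part of the lab; it joins each enabled inbound allow rule to its port and address filters, and its definition of a "wide open" rule is this example's own.

```powershell
# Added example, not part of the lab: list every enabled inbound rule that allows traffic together
# with the protocol, local ports and remote addresses it opens, so the lab's rule checks become a
# repeatable review of what the host actually exposes. The "wide open" criterion is this example's own.
function Get-OpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        # Port and address filters are separate objects linked to the rule; fetch them per rule.
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Profile       = [string]$_.Profile
            Protocol      = [string]$port.Protocol
            LocalPort     = @($port.LocalPort) -join ','
            RemoteAddress = @($addr.RemoteAddress) -join ','
        }
    }
}

$open = @(Get-OpenInboundRule)

# Rules that apply to every profile, accept any remote address and name a specific port deserve
# a second look on a host that is not protected by another firewall.
$wide = @($open | Where-Object {
    $_.Profile -eq 'Any' -and $_.RemoteAddress -eq 'Any' -and $_.LocalPort -ne 'Any'
})

$open | Sort-Object Protocol, LocalPort | Format-Table -Property DisplayName, Profile, Protocol, LocalPort, RemoteAddress -AutoSize
"{0} enabled inbound allow rules; {1} apply to any profile and any remote address" -f $open.Count, $wide.Count
```

Running this before and after Enable-NetFirewallRule RemoteDesktop-UserMode-In-TCP shows the new TCP 3389 entry in context with everything else the host already accepts, which is a more useful check than querying the single rule by name.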


Exercise 3: Configure Remote Management for Servers Running Windows Server 2012
Scenario

IT management at A. Datum expects that many servers running Windows Server 2012 will be deployed
in remote offices or as part of an online services deployment. To ensure that these servers can all be
managed from a central location, you must configure the server for remote management. You must also
verify the remote management functionality, and use Server Manager to manage multiple servers.
The main tasks for this exercise are as follows:
1. Validate the WinRM configuration.
2. Configure Server Manager for multiple server management.
3. Deploy a feature to the Server Core server.
4. To prepare for next module.

Task 1: Validate the WinRM configuration
1. On LON-DC1 use Server Manager to disable Remote Management.
2. Close the Server Manager console.
3. Open Windows PowerShell and issue the command winrm qc. When you are prompted, type Y and press Enter.
4. Open the Server Manager console and verify that Remote Management is now enabled.

Task 2: Configure Server Manager for multiple server management
1. On LON-DC1 in Server Manager, create a server group named LONDON-GROUP that has LON-DC1 and LON-SVR5 as members.
2. In the details pane, select both servers.
3. Scroll down to the Performance section, select both listed servers, right-click LON-DC1, and then click Start Performance Counters.
4. Scroll up and verify that in the Manageability column, both LON-DC1 and LON-SVR5 are listed as Online.

Task 3: Deploy a feature to the Server Core server
1. In the Server Manager console on LON-DC1, click LONDON-GROUP.
2. Add the Windows Server Backup feature to LON-SVR5.
3. In Server Manager, click the Flag and verify that the remote installation of Windows Server Backup has occurred.
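Server Manager performs this remote installation over WinRM, and the Server Manager cmdlets expose the same capability through their -ComputerName parameter. The script below is an added example, not part of the lab; it installs the same Windows Server Backup feature on LON-SVR5 from LON-DC1 and checks the result object rather than relying on the Server Manager flag.

```powershell
# Added example, not part of the lab: install a feature on a remote Server Core host with the
# Server Manager cmdlets' own -ComputerName parameter (which uses WinRM) and verify the result.
# LON-SVR5 and Windows-Server-Backup are the lab's target and feature.
$Target  = 'LON-SVR5'
$Feature = 'Windows-Server-Backup'

$before = Get-WindowsFeature -Name $Feature -ComputerName $Target -ErrorAction Stop
if ($before.Installed) {
    "$Feature is already installed on $Target"
} else {
    $result = Install-WindowsFeature -Name $Feature -ComputerName $Target

    # The result object reports success, the exit code and whether a restart is pending.
    if (-not $result.Success) {
        throw "Installation of $Feature on $Target failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning "$Target needs a restart to complete the installation of $Feature"
    }
}

# Re-query the remote server instead of trusting the local result.
$after = Get-WindowsFeature -Name $Feature -ComputerName $Target
if (-not $after.Installed) { throw "$Feature still reports as not installed on $Target" }
"{0} on {1}: {2}" -f $Feature, $Target, $after.InstallState
```

Because Install-WindowsFeature accepts a list of computer names, the same pattern scales to every member of a server group once the WinRM configuration validated in Task 1 is in place.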

Task 4: To prepare for next module
When you are finished with the lab, revert the virtual machines to their initial state.

Module Review and Takeaways


Best Practices


Unless you must have a full installation to support roles and features, deploy Server Core.

Use Windows Remote Management to manage multiple servers from a single server using the Server
Manager console.

Use Windows PowerShell remoting to run remote Windows PowerShell sessions rather than logging
on locally to perform the same task.

Common Issues and Troubleshooting Tips

Common Issue                                              Troubleshooting Tip
Remote management connections fail
Windows PowerShell commands not available
Cannot install GUI features on Server Core deployment
Unable to restart a computer running Server Core
Unable to join the domain

Review Question
Why is the Server Core installation the default installation option for Windows Server 2012
installations?

Real-world Issues and Scenarios

Unless a particular role requires it, consider using the Server Core installation option as your default server
deployment option. You can always install the GUI later if required.
Understand what roles and features you must deploy on a server prior to deploying that server, rather
than deploying roles and features to servers without planning.
You should plan to manage many servers from one console, rather than logging on to each server
individually.


Module 2
Monitoring and Maintaining Windows Server 2012
Contents:
Module Overview 2-1
Lesson 1: Monitoring Windows Server 2012 2-2
Lesson 2: Implementing Windows Server Backup 2-11
Lesson 3: Implementing Server and Data Recovery 2-15
Lab: Monitoring and Maintaining Windows 2012 Servers 2-19
Module Review and Takeaways 2-26

Module Overview

After you deploy Windows Server 2012, you must ensure that it continues to run optimally by
maintaining a healthy and stable environment. As in earlier versions of Windows Server, to maintain
a healthy and stable environment, you must monitor Windows Server 2012 performance and make
adjustments as required. Additionally, you must identify your important data and create backup copies.
Finally, you must know how to restore your important data and servers by using the backup copies that
you have created.

Objectives
After completing this module, you will be able to:

Monitor Windows Server 2012.

Implement Windows Server Backup.

Restore data and servers by using Windows Server Backup.

Lesson 1
Monitoring Windows Server 2012

When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the cause quickly frequently depends on having an
effective performance monitoring methodology and tool set.
You can use performance-monitoring tools to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers. In addition to monitoring system performance, Windows Server 2012 provides tools for
resource management. In this lesson, you will learn about tools in Windows Server 2012 that you can use
for performance and resource monitoring and management.

Lesson Objectives
After completing this lesson, you will be able to:
Describe the reasons for monitoring servers.
Describe the typical performance bottlenecks.
Describe the tools for monitoring in Windows Server 2012.
Create data collector sets.
Describe the most common performance counters.
Describe the use of alerts.
Describe the use of event subscriptions.
Configure event subscriptions.
Describe how to monitor a network.

Reasons for Monitoring Servers
Monitoring servers provides several benefits, and you might monitor a Windows-based server for
several reasons. Some reasons include:
To monitor the health of the IT infrastructure.
To monitor service-level agreements (SLAs).
To plan for future requirements.
To identify issues.

IT Infrastructure Health
The effective operation of the server infrastructure is frequently critical to your organization's business goals.
The key factors in maintaining the consistency of server operation include correctly functioning and
configured hardware, and sufficient use and assignment of resources.

Using performance-monitoring tools, you can record performance statistics that you can use to determine
when a server is slower at responding to user requests, instead of relying on user perception of slow and
fast response times. You can use these statistics to determine which component or components of the
server infrastructure may be the source of performance-related issues.

SLA Monitoring

Many organizations maintain SLAs that dictate the required availability for servers and server-hosted
applications. These SLAs may contain stipulations about server availability (for example, the LON-DC1
server must be available 99.995 percent of business hours), or they may specify performance-related
requirements (for example, the average query time for this database server must be less than five seconds
for any given day).
Frequently, violation of an SLA results in reduction of payment for services or similar penalties. Therefore,
you want to ensure that the SLAs imposed upon your environment are met on a continuing basis.
You can use performance-monitoring tools to monitor the specific areas related to your SLAs and help
you identify issues that could affect your SLA before they become a problem.

Planning for Future Requirements

The business and technical needs of your organization are subject to change. New initiatives may require
new servers to host new applications or increased storage within your environment. Monitoring these
areas over time enables you to assess effectively how the server resources are being used currently. Then,
you can make an informed decision on how the server environment has to grow or change to meet future
requirements.

Identifying Issues

Troubleshooting problems that arise in the server environment can be tedious. Issues that affect users
have to be resolved as quickly as possible and with minimal effect on the business needs of your
organization.

Troubleshooting an issue only on the symptoms provided by users or anecdotal evidence frequently leads
to misdiagnosis and wasted time and resources. Monitoring the server environment lets you take a more
informed and proactive approach to troubleshooting. When you have an effective monitoring solution
implemented, you can identify issues within your infrastructure before they cause a problem for the end
users. You can also have more concrete evidence of reported issues and narrow the cause of problems,
saving you investigative time.
Question: List four troubleshooting procedures that would benefit from server monitoring.

Typical Performance Bottlenecks
Analysis of your monitoring data can reveal problems such as excessive demand on certain
hardware resources that result in bottlenecks.

Causes of Bottlenecks
Demand on certain hardware resources may become extreme enough to cause resource
bottlenecks for the following reasons:
The resources are insufficient, and additional or upgraded components are required.
The resources are not sharing workloads evenly and have to be balanced.
A resource is malfunctioning and has to be replaced.
A program is monopolizing a particular resource. This might require substituting another program,
having a developer rewrite the program, adding or upgrading resources, or running the program
during periods of low demand.
A resource is configured incorrectly and configuration settings have to be changed.
A security issue, such as viruses or Denial of Service attacks, can be the reason for a bottleneck.


By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune the servers to overcome initial limitations. The following table lists suggestions
for improving performance on various types of hardware.

Hardware: Processors
Suggestion: You may be able to overcome performance bottlenecks that occur with processors by:
o Adding processors.
o Increasing the speed of processors.
o Reducing or controlling processor affinity, or the number of processor cores an application uses. Limiting an application to only some processor cores frees the remaining cores for other applications to use.

Hardware: Disks
Suggestion: You may be able to increase disk performance by:
o Adding faster disks.
o Performing routine maintenance tasks such as defragmenting.
o Moving data, applications, and the page files onto separate disks.

Hardware: Memory
Suggestion: You can improve memory bottlenecks by adding additional physical memory. If
the memory requested exceeds the physical memory, information will be written
to virtual memory, which is slower than physical memory.
However, increasing a computer's virtual memory could enable applications that
consume a large amount of memory to run on a computer that has limited
physical memory.
Or, you can reduce the load on the server by reducing the number of users on
the server or through application tuning.

Hardware: Networks
Suggestion: You can reduce network bottlenecks by:
o Upgrading network infrastructure, including network adapters, to support increased network bandwidth.
o Installing multiple network adapters in a server to distribute network load.
o Reducing the traffic.
You should consider the limitations of network bandwidth and segment networks,
where appropriate. You can increase network throughput by tuning the network
adapter and other network devices such as switches, firewalls, and routers.
Tools for Monitoring in Windows Server 2012
Several tools are available to help you in monitoring the server environment, both historical
and real time. The following is a list of tools to help you in monitoring the server environment.

Tool: Event Viewer
Description: Event Viewer collects information that relates to server operations. This
information can help identify performance issues on a server. You should search for specific
events in the event log file to locate and identify problems.

Tool: Task Manager
Description: Task Manager helps you monitor the real-time aspects of the server. You can view
information related to hardware performance and the applications and processes that are
currently running on the server.

Tool: Resource Monitor
Description: Resource Monitor helps you to look deeper into the real-time performance of the
server. It provides performance information related to the CPU, memory, hard disk, and
network components of the server.

Tool: Performance Monitor
Description: Performance Monitor is the most robust monitoring tool in Windows Server 2012.
It enables both real-time and historical monitoring of the server's performance and
configuration data.

Tool: Reliability Monitor
Description: Reliability Monitor provides a historical view of the server's reliability-related
information such as event log errors and warnings.

Demonstration: Creating Data Collector Sets

The data collector set is a custom set of performance counters, event traces, and system configuration data. A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets, and incorporate it into logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds.

You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour during your working hours to create a performance baseline. You can also set the data collector to restart when set limits are reached so that a separate file is created for each interval.

After you have created a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run the set and view the results.

In this demonstration, you will create a data collector set.


Demonstration Steps

Create a new data collector set named Windows Server Monitoring

1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows Server Monitoring.

2. Configure the data collector set to include the Performance counter data logs for Processor/% Processor Time, Memory/Available MBytes, and Logical Disk/% Free Disk Space.

Verify that the data collector set works correctly

1. Start the Windows Server Monitoring data collector set, and let it run for one minute.

2. Stop the Windows Server Monitoring data collector set, and then review the latest report.
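
The demonstration above is GUI-driven. The following added example, which is not part of the course, builds the same Windows Server Monitoring data collector set from Windows PowerShell with logman.exe (the command-line front end to the Data Collector Set engine that Performance Monitor uses) and schedules it the way the text describes, ten minutes every hour during working hours with one file per run. The output folder, sample interval, size cap and task name are assumptions.

```powershell
# Added example (not part of the course): create the "Windows Server Monitoring" data
# collector set with logman.exe. Run in an elevated Windows PowerShell session on LON-SVR1
# (Windows PowerShell 3.0 or later, as shipped with Windows Server 2012).

$SetName = 'Windows Server Monitoring'
$LogDir  = 'C:\PerfLogs\WSM'                 # assumed output folder
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# The three counters from the demonstration; _Total aggregates all instances.
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\% Free Space'
)

# Create a performance counter data collector:
#   -si   sample every 15 seconds
#   -f    binary circular log capped at -max 50 MB, so a forgotten set cannot fill the disk
#   -rf   run for ten minutes after each start (the "ten minutes every hour" baseline)
#   -v    timestamp each file name, so every run produces a separate file
logman create counter $SetName -c $Counters -si 00:00:15 `
    -o "$LogDir\WSM" -f bincirc -max 50 -rf 00:10:00 -v mmddhhmm
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

# logman's own schedule is daily, so the hourly start comes from a scheduled task:
# a daily trigger at 08:00 with an hourly repetition window of nine hours (08:00-17:00).
$action  = New-ScheduledTaskAction -Execute 'logman.exe' -Argument "start `"$SetName`""
$trigger = New-ScheduledTaskTrigger -Daily -At 08:00
$trigger.Repetition = (New-ScheduledTaskTrigger -Once -At 08:00 `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration (New-TimeSpan -Hours 9)).Repetition
Register-ScheduledTask -TaskName 'WSM hourly baseline' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -Force | Out-Null

# Show the resulting definition (counters, output path, run duration).
logman query $SetName

# The one-minute verification from the demonstration: start, wait, stop.
logman start $SetName
Start-Sleep -Seconds 60
logman stop $SetName

# Read the newest log back with Import-Counter to confirm that all three counters
# were actually sampled (the same file opens in Performance Monitor as a report).
$Latest = Get-ChildItem -Path $LogDir -Filter *.blg |
    Sort-Object LastWriteTime | Select-Object -Last 1
Import-Counter -Path $Latest.FullName |
    Select-Object -First 1 -ExpandProperty CounterSamples |
    Format-Table Path, CookedValue -AutoSize
```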

Most Common Performance Counters

Specific server roles install a range of performance objects and associated counters. The common performance counters include:


Cache counters. These counters monitor the file system cache. The cache is an area of physical memory that is used to store recently-used data to enable access to the data without having to read from the disk.

Memory counters. These counters monitor physical, random access memory (RAM), virtual memory, and disks, including paging, which is the movement of pages of code and data between disk and physical memory.

Counters for objects. These counters monitor logical objects in the system, including threads and processes.

Paging file counters. Paging file is the reserved space on the disk that complements committed physical memory.

Physical disk counters. These counters monitor the physical disks such as hard drives or fixed drives. The drives that appear in the Disk Management console are monitored by these counters. Hardware redundant array of independent disks (RAID) may not be visible to these counters.

Process counters. These counters monitor running applications and system processes. All the threads in a process share the same address space and have access to the same data.

Processor counters. These counters measure aspects of processor activity. Each processor is represented as an instance of the object.

Server counters. These counters measure communication between the local computer and network.

System counters. These counters apply to more than one instance of component processes on the computer.

Thread counters. These counters measure aspects of thread behavior. A thread is the basic object that runs instructions on a processor. All running processes have at least one thread.

Windows Server 2012 uses server roles to improve server efficiency and security. Only the performance objects and counters that are relevant to the installed server role are available to monitor.


You can enable missing performance objects and counters by installing additional server roles or adding
features. Additional performance objects that are installed with each server role can help with server
monitoring. The following table identifies common server roles and the performance objects that can be
monitored to assess performance.
Server role: Active Directory Domain Services (AD DS)
Performance counters to monitor:
If you notice slow write or read operations, under the Physical Disk category, check the following disk I/O counters to see whether many queued disk operations exist:
    Avg. Disk Queue Length
    Avg. Disk Read Queue Length
    Avg. Disk Write Queue Length
If Local Security Authority Subsystem or lsass.exe uses lots of physical memory, under the Database category, check the following Database counters to see how much memory is used to cache the database for Active Directory Domain Services:
    Database Cache % Hit
    Database Cache Size (MB)

Server role: File Server
Performance counters to monitor:
File Servers are typically heavily dependent on their physical disk systems for file read and write operations. You should measure the following counters to ensure that the PhysicalDisk subsystem is keeping up with server demand:
    % Disk Time
    Avg. Disk Queue Length
    Avg. Disk Bytes/Transfer
Network performance is also a primary component of file server performance. You should monitor the following counters to ensure that required network bandwidth is available to the file server:
    Bytes Received Per Second
    Bytes Sent Per Second
    Output Queue Length

Server role: Hyper-V (virtualization)
Performance counters to monitor:
Performance troubleshooting and tuning can be difficult on virtualized servers. Virtual hardware provides a less consistent monitoring environment than physical hardware. Two layers of performance monitoring are usually recommended in a virtualized scenario: one at the physical or host server level to monitor key physical hardware components, and one at the virtualized server level to monitor the virtual hardware and its effect on the operating system and applications of the virtual server.

Server role: Web Server (IIS)
Performance counters to monitor:
Network-related performance counters are an important tool in measuring web server performance. Additionally, processor-related counters can be helpful in identifying issues in which web server applications are running processor-intensive processes. The Web Service performance counters provide valuable information about requests to the web server, bandwidth consumed, and web server-specific statistics like page not found errors.


What Are Alerts?

Alert is a functionality in Windows Server 2012 that notifies you when certain events have occurred or when certain performance thresholds are reached. You can configure alerts in Windows Server 2012 as network messages or as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.

You can configure alerts when you create data collectors, by selecting the Performance Counter Alert type of the data collector. When you create the alert, configure the following settings:


Alert when. This is the alert threshold setting for a specific performance counter.

Alert Action. This setting specifies whether to log an entry in the application event log, or start another data collector set.

Alert Task. This setting specifies which command task should be triggered when the alert threshold is reached. In addition, you may specify command parameters, if applicable.
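
As an added example that is not part of the course, the script below does in Windows PowerShell what a Performance Counter Alert data collector does: it samples the counters used in this module, compares each against a threshold (Alert when), writes an Application event when a threshold is crossed (Alert Action), and starts the Windows Server Monitoring data collector set so that detailed data is captured while the condition lasts (Alert Action). The thresholds, the event source name and the event ID are assumptions.

```powershell
# Added example (not part of the course): scripted equivalent of a Performance Counter
# Alert. Windows PowerShell 3.0 or later, run elevated on the monitored server.

$Source  = 'PerfAlertScript'               # assumed event source name
$SetName = 'Windows Server Monitoring'     # data collector set from the demonstration

# Register the event source once so that Write-EventLog can use it.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Threshold table: "Above" for usage counters, "Below" for free-resource counters.
# The limits are assumptions; derive real ones from your baseline.
$Rules = @(
    @{ Path = '\Processor(_Total)\% Processor Time'; Compare = 'Above'; Limit = 85 },
    @{ Path = '\Memory\Available MBytes';            Compare = 'Below'; Limit = 512 },
    @{ Path = '\LogicalDisk(C:)\% Free Space';       Compare = 'Below'; Limit = 10 }
)

function Test-CounterAlert {
    # Takes several samples and averages them, so that one momentary spike does not
    # fire the alert. Returns one object per rule whose threshold was crossed.
    param([array]$Rules, [int]$Samples = 3, [int]$Interval = 5)

    $paths = $Rules | ForEach-Object { $_.Path }
    $data  = Get-Counter -Counter $paths -SampleInterval $Interval -MaxSamples $Samples
    $breached = @()
    foreach ($rule in $Rules) {
        # Sample paths carry a \\computer\ prefix, hence the wildcard match.
        $values = $data | ForEach-Object { $_.CounterSamples } |
            Where-Object { $_.Path -like "*$($rule.Path)" } |
            Select-Object -ExpandProperty CookedValue
        $avg = ($values | Measure-Object -Average).Average
        $hit = if ($rule.Compare -eq 'Above') { $avg -gt $rule.Limit } else { $avg -lt $rule.Limit }
        if ($hit) {
            $breached += [pscustomobject]@{
                Path = $rule.Path; Average = [math]::Round($avg, 1)
                Compare = $rule.Compare; Limit = $rule.Limit
            }
        }
    }
    return $breached
}

$alerts = @(Test-CounterAlert -Rules $Rules)
foreach ($a in $alerts) {
    # Alert Action: log an entry in the Application event log (event ID 1001 is assumed).
    $msg = "Counter $($a.Path) averaged $($a.Average), $($a.Compare.ToLower()) the limit of $($a.Limit)."
    Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1001 -Message $msg
}
if ($alerts.Count -gt 0) {
    # Alert Action: start another data collector set while the condition persists.
    logman start $SetName
}
```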

What Are Event Subscriptions?

Event log subscriptions is a feature that, when it is configured, enables a single server to collect copies of events from multiple systems. Using WinRM and the Windows Event Collector service, you can collect events in the event logs of a centralized server, where you can analyze them together with the event logs of other computers that are being collected on the same central server.

Subscriptions can be either collector-initiated or source computer-initiated:

Collector-initiated. A collector-initiated subscription, or a pull subscription, identifies all the computers that the collector will receive events from, and will typically pull events from these computers. In a collector-initiated subscription, the subscription definition is stored and maintained on the collector computer. You use pull subscriptions when many of the computers have to be configured to forward the same types of events to a central location. In this manner, only one subscription definition has to be defined and specified to apply to all computers in the group.

Source computer-initiated. In a source computer-initiated subscription, or push subscription, source computers push events to the collector. In a source computer-initiated subscription, the subscription definition is created and managed on the source computer, which is the computer that is sending events to a central source. You can define these subscriptions manually, or by using Group Policy. You create push subscriptions when each server is forwarding a different set of events than other servers, or when control over the event forwarding process has to be maintained at the source computer; possibly when frequent changes have to be made to the subscription.


Event Subscription Requirements

To implement event subscriptions in your environment, several prerequisites must be met:

You must enable and configure WinRM on both the source and the collector computers by using the following command.
winrm qc

You must start and configure the Windows Event Collector (Wecutil) service to receive events on the collector computer. You can achieve this by running the following command.
Wecutil qc

Events that are collected by a subscription can be collected into any of the collector computer's default event logs, or they can be collected into an event log specifically created to host collected events.

Demonstration: Configuring Event Subscriptions

Event subscription is a cost-effective and customizable tool to get a consolidated view of monitored
activities and events in target servers, and timely issue alerts. In Windows Server 2012, subscribing and
forwarding events with triggers to send out alerts is a straight-forward process.

Demonstration Steps
Configure the source computer
1.

Switch to LON-SVR1.

2.

At the command prompt, run the winrm quickconfig command to enable the administrative
changes that are required on a source computer.

3.

Add the LON-DC1 computer to the local Administrators group.

Configure the collector computer


1.

Switch to LON-DC1.

2.

At the command prompt, run the wecutil qc command to enable the administrative changes that are
required on a collector computer.

Create a subscribed log


1.

Open Event Viewer.

2.

Create a new subscription with the following properties:

Computers: LON-SVR1

Name: LON-SVR1 Events

Type of subscription: Collector Initiated

Events: Critical, Warning, Information, Verbose, and Error

Logged: last 7 days

Logs: Windows Logs

Check the subscribed log


1.

Switch to LON-DC1.

2.

In Performance Monitor, check for events in the subscribed Application log.

Monitoring a Network

Because network infrastructure services are an important foundation of many other server-based services, you must make sure that they are configured correctly and are running optimally. Collecting performance-related data on the network infrastructure services benefits your organization in:


Helping to optimize network infrastructure server performance. By providing performance baseline and trend data, you can help your organization optimize network infrastructure server performance.

Troubleshooting servers. Where server performance has decreased, either over time or during periods of peak activity, you can help identify possible causes and take corrective action to ensure that you can bring the service back within the limits of your SLA.

You can use Performance Monitor to collect and analyze the relevant data.

Monitoring Domain Name System (DNS)

Domain Name System (DNS) provides name resolution services on the network. You can monitor the DNS Server role of Windows Server 2012 to determine the following aspects of your DNS infrastructure:

General DNS server statistics, including the number of overall queries and responses that are processed by the DNS server

User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) counters, for measuring DNS queries and responses that are processed respectively by using either of these transport protocols

Dynamic update and secure dynamic update counters, for measuring registration and update activity that is generated by dynamic clients

Memory usage counters, for measuring system memory usage and memory allocation patterns that are created by operating the server as a DNS server

Recursive lookup counters, for measuring queries and responses when the DNS service uses recursion to look up and fully resolve DNS names on behalf of requesting clients

Zone transfer counters, including specific counters for measuring the following: all zone transfer (AXFR), incremental zone transfer (IXFR), and DNS zone update notification activity

Monitoring DHCP

The Dynamic Host Configuration Protocol (DHCP) service provides dynamic IP configuration services on the network. You can monitor the Windows Server 2012 DHCP Server role to determine the following aspects of your DHCP server:

The Average Queue Length indicates the current length of the internal message queue of the DHCP server. This number represents the number of unprocessed messages that are received by the server. A large number might indicate heavy server traffic.

The Milliseconds per packet (Avg.) counter is the average time in milliseconds that is used by the DHCP server to process each packet it receives. This number varies, depending on the server hardware and its I/O subsystem. A spike could indicate a problem, either with the I/O subsystem becoming slower or because of a processing overhead on the server.
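
The DNS and DHCP counter groups listed above are exposed by the DNS and DHCP Server performance objects. As an added example that is not part of the course, the script below reads them with Get-Counter and derives the ratios that say something about health: responses per query, how much of the load is recursion, what share of dynamic updates were secure updates, and the DHCP queue depth and per-packet time. The DHCP warning limits are assumptions; counters of a role that is not installed are skipped.

```powershell
# Added example (not part of the course): snapshot of DNS and DHCP Server counters.
# Windows PowerShell 3.0 or later, run on or against a server that holds the role(s).

function Get-RoleCounterSnapshot {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $paths = @(
        '\DNS\Total Query Received', '\DNS\Total Response Sent',
        '\DNS\UDP Query Received', '\DNS\TCP Query Received',
        '\DNS\Recursive Queries', '\DNS\Recursive Query Failure',
        '\DNS\Dynamic Update Received', '\DNS\Secure Update Received',
        '\DNS\AXFR Request Received', '\DNS\IXFR Request Received', '\DNS\Notify Sent',
        '\DNS\Caching Memory',
        '\DHCP Server\Active Queue Length',
        '\DHCP Server\Milliseconds per packet (Avg).',
        '\DHCP Server\Packets Received/sec'
    )
    # Counters of a role that is not installed do not exist; ignore them rather than fail.
    $sets = Get-Counter -ComputerName $ComputerName -Counter $paths -ErrorAction SilentlyContinue
    $snap = @{}
    foreach ($s in ($sets | ForEach-Object { $_.CounterSamples })) {
        # Strip the leading \\computer\ so that keys match the paths above
        # (PowerShell hashtable keys are case-insensitive).
        $key = $s.Path -replace "^\\\\$ComputerName\\", '\'
        $snap[$key] = $s.CookedValue
    }
    return $snap
}

function Test-RoleCounterHealth {
    param([hashtable]$Snap)

    $findings = @()
    $q = $Snap['\DNS\Total Query Received']
    if ($q -gt 0) {
        $r       = $Snap['\DNS\Total Response Sent']
        $rec     = $Snap['\DNS\Recursive Queries']
        $recFail = $Snap['\DNS\Recursive Query Failure']
        $findings += "DNS: $q queries, $r responses ({0:P1} answered), UDP $($Snap['\DNS\UDP Query Received']) / TCP $($Snap['\DNS\TCP Query Received'])" -f ($r / $q)
        if ($rec -gt 0) {
            $findings += "DNS: recursion used for {0:P1} of queries, {1:P1} of recursive lookups failed" -f ($rec / $q), ($recFail / $rec)
        }
        $upd = $Snap['\DNS\Dynamic Update Received']
        if ($upd -gt 0) {
            # A low secure share means clients are registering with unsecured updates.
            $findings += "DNS: {0:P1} of $upd dynamic updates were secure updates" -f ($Snap['\DNS\Secure Update Received'] / $upd)
        }
        $findings += "DNS: zone transfers AXFR $($Snap['\DNS\AXFR Request Received']) / IXFR $($Snap['\DNS\IXFR Request Received']), notifies sent $($Snap['\DNS\Notify Sent']), cache memory $($Snap['\DNS\Caching Memory']) bytes"
    }
    if ($Snap.ContainsKey('\DHCP Server\Active Queue Length')) {
        $ql = $Snap['\DHCP Server\Active Queue Length']
        $ms = $Snap['\DHCP Server\Milliseconds per packet (Avg).']
        # Assumed limits: more than 50 queued messages or 200 ms per packet is suspicious.
        $state = if ($ql -gt 50 -or $ms -gt 200) { 'WARNING' } else { 'OK' }
        $findings += "DHCP: $state, queue length $ql, $ms ms per packet, $($Snap['\DHCP Server\Packets Received/sec']) packets/sec"
    }
    if ($findings.Count -eq 0) { $findings += 'Neither the DNS Server nor the DHCP Server counters are available on this computer.' }
    return $findings
}

$snapshot = Get-RoleCounterSnapshot
Test-RoleCounterHealth -Snap $snapshot
```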

Lesson 2

Implementing Windows Server Backup


In order to protect critical data, every organization must perform a backup regularly. Having a well-defined and tested backup strategy ensures that companies can restore data if there are any unexpected failures or data loss. This lesson describes the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service for Windows Server 2012.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the features of Windows Server Backup.

Describe the Microsoft Online Backup Service.

Describe the methods for backing up server roles running Windows Server 2012.

Back up Windows Server 2012 by using Windows Server Backup.

Features of Windows Server Backup in Windows 2012

The Windows Server Backup feature in Windows Server 2012 consists of a Microsoft Management Console (MMC) snap-in and command-line tools. You can use wizards in the Windows Server Backup feature to guide you through running backups and recoveries. You can use Windows Server Backup 2012 to back up:

Full server (all volumes)

Selected volumes

Select specific items for backup

In addition, Windows Server Backup 2012 lets you:

Perform a bare-metal restore. Bare-metal restore includes all volumes that are required for Windows to run. You can use this backup type together with the Windows Recovery Environment to recover from a hard disk failure, or if you have to recover the whole computer image to new hardware.

Use system state. System state is the ability to use the GUI interface to create a system state backup.

Recover individual files and folders. The Individual files and folders option enables you to back up selected files and folders, instead of just full volumes.

Exclude selected files or file types. For example, you can exclude .tmp files.

Select from more storage locations. You can store backups on remote shares or non-dedicated volumes.

Use the Microsoft Online Backup Service. The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 which enables files and folders to be backed up and recovered from the cloud to provide off-site backup.

If there are disasters such as hard disk failures, you can perform system recovery by using a full server backup and the Windows Recovery Environment; this will restore your complete system onto the new hard disk.


The ability to take just a system state backup is not exposed in the GUI interface of backup. If you want to take just a system state backup, you must use the wbadmin.exe utility. WBadmin.exe is a command prompt utility.

What Is Microsoft Online Backup Service?

The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 managed by Microsoft. You can use this service to back up files and folders and recover them from the cloud to provide off-site protection against data loss caused by disasters. You can use this service to back up and protect critical data from any location.

This service is built on the Windows Azure platform and uses Windows Azure blob storage for storing customer data. Windows Server 2012 uses the downloadable Microsoft Online Backup Agent to transfer file and folder data securely to the Microsoft Online Backup Service. After you install the Microsoft Online Backup Agent, the Microsoft Online Backup Service Agent integrates its functionality through the familiar Windows Server Backup interface.

Key Features

The key features that Windows Server 2012 provides through the Microsoft Online Backup service include:

Simple configuration and management. Integration with the familiar Windows Server Backup utility provides a seamless backup and recovery experience to a local disk, or to the cloud. Other features include:

    Simple user interface to configure and monitor the backups

    Integrated recovery experience to recover files and folders from local disk or from cloud

    Easily recover any data that was backed up onto any server of your choice

    Scripting capability that is provided by the Windows PowerShell command-line interface

Block-level incremental backups. The Microsoft Online Backup Agent performs incremental backups by tracking file and block-level changes and only transferring the changed blocks, therefore, reducing the storage and bandwidth usage. Different point-in-time versions of the backups use storage efficiently by only storing the changed blocks between these versions.

Data compression, encryption and throttling. The Microsoft Online Backup Agent ensures that data is compressed and encrypted on the server before it is sent to the Microsoft Online Backup Service on the network. Therefore, the Microsoft Online Backup Service only stores encrypted data in the cloud storage. The encryption passphrase is not available to the Microsoft Online Backup Service, and therefore, the data is never decrypted in the service. Also, users can set up throttling and configure how the Microsoft Online Backup service uses the network bandwidth when backing up or restoring information.

Data integrity verified in the cloud. In addition to the secure backups, the backed up data is also automatically checked for integrity after the backup is finished. Therefore, any corruptions which may arise because of data transfer can be easily identified and they are fixed in the next backup automatically.

Configurable retention policies for storing data in the cloud. The Microsoft Online Backup Service accepts and implements retention policies to recycle backups that exceed the desired retention range, thereby meeting business policies and managing backup costs.

Additional Reading: Windows Azure Storage
http://www.windowsazure.com/en-us/home/features/storage/

Methods to Back Up Server Roles

You can back up most services on computers running Windows Server 2012 by performing a system state backup. Some services also enable configuration and data backup from their respective management console. The following table lists the methods that you can use to back up specific roles on computers running Windows Server 2012.

Role: DHCP
Method: System state backup backs up all scopes and options. DHCP console backup backs up individual scopes or all scopes.

Role: Certificate
Method: System state backup backs up whole configuration and certificate services database. Certification Authority console backup backs up certificate services data and settings.

Role: Internet Information Services (IIS)
Method: System state backup enables the back up of IIS data and settings. Appcmd.exe lets you back up IIS components. Website files and folders have to be backed up. When backing up IIS components, ensure that the website files and folders are also backed up. These are not backed up by a system state backup.

Role: Network Policy and Access Services (NPAS)
Method: System state backup enables the back up of NPAS configuration.

Role: DNS
Method: System state backup backs up all DNS configurations and zones stored on the server. Dnscmd.exe lets you export and import zones.

Role: File and Print Services
Method: System state backs up shared folder permissions and settings. Volume backup enables a back up of all files and folders that are located on that volume. File and folder backup backs up content of shared folders.

Demonstration: Backing Up Windows Server 2012 by Using Windows Server Backup
In this demonstration, you will see how to use the backup wizard to back up a folder.

Demonstration Steps
1.

On LON-SVR1, start Windows Server Backup.

2.

Run the Backup Once Wizard to back up the C:\HR Data folder to the remote folder,
\\LON-DC1\Backup.
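
The Backup Once Wizard run above has a command-line equivalent, and the text earlier noted that a system-state-only backup is available only through wbadmin.exe. The following added example, which is not part of the course, runs both from Windows PowerShell on LON-SVR1. \\LON-DC1\Backup and C:\HR Data are the demonstration's values; E: is an assumed local volume for the system state backup, because wbadmin takes a volume rather than a network share as the system state target.

```powershell
# Added example (not part of the course): folder backup and system-state-only backup
# with wbadmin.exe. Run in an elevated Windows PowerShell session on LON-SVR1.

$Share  = '\\LON-DC1\Backup'     # remote folder from the demonstration
$Folder = 'C:\HR Data'           # folder from the demonstration
$SsVol  = 'E:'                   # assumed local volume for the system state backup

# One-time file/folder backup to the remote share (the Backup Once Wizard equivalent).
# -quiet suppresses the confirmation prompt, so the same line works from a scheduled task.
wbadmin start backup -backupTarget:$Share -include:"$Folder" -quiet
if ($LASTEXITCODE -ne 0) { throw "Folder backup failed: wbadmin exit code $LASTEXITCODE" }

# System-state-only backup, which the Windows Server Backup MMC does not offer.
wbadmin start systemstatebackup -backupTarget:$SsVol -quiet
if ($LASTEXITCODE -ne 0) { throw "System state backup failed: wbadmin exit code $LASTEXITCODE" }

# The version identifiers listed here are what a later "wbadmin start recovery" refers to.
wbadmin get versions -backupTarget:$Share
wbadmin get versions -backupTarget:$SsVol

# Windows Server Backup records each job in its own operational event log. Reading it
# (locally, or from a collector via an event subscription) is the quickest way to
# confirm that backups keep succeeding.
Get-WinEvent -LogName 'Microsoft-Windows-Backup' -MaxEvents 5 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```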


Lesson 3

Implementing Server and Data Recovery


Every organization might experience losing some of its data, because of reasons such as hardware failures, file system corruption, or when a user unintentionally deletes critical data. Therefore, organizations must have well-defined and tested recovery strategies that will help them to bring their servers and data back to a healthy and operational state, in the fastest time possible. This lesson describes how to restore data and servers by using the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service in Windows Server 2012.

Lesson Objectives

Describe the options for server recovery.

Describe the option for server restore.

Describe the considerations for data recovery.

Perform a restore with Windows Server Backup.

Describe how to perform a restore with online backup.

Options for Server Recovery

Windows Server Backup in Windows Server 2012 provides the following recovery options:

Files and folders. You can back up individual files or folders as long as the backup is on an external disk or in a remote shared folder.

Applications and data. You can recover applications and data if the application has a Volume Shadow Copy Service writer and is registered with Windows Server Backup.

Volumes. Restoring a volume always restores all the contents of the volume. You cannot restore individual files or folders.

Operating system. You can recover the operating system through Windows Recovery Environment (WinRE).

Full server. You can recover the full server through WinRE.

System state. System state creates a point-in-time backup that you can use to restore a server to a previous working state.

The Windows Server Backup Recovery Wizard provides several options for managing file and folder recovery. They are:

Recovery Destination. Under Recovery Destination, you can select any one of the following options:

    Original location. The original location restores the data to the location it was backed up originally.

    Another location. Another location restores the data to a different location.


Conflict Resolution. Restoring data from a backup frequently conflicts with existing versions of the data. Conflict resolution lets you determine how those conflicts will be handled. When these conflicts occur, you have the following options:

    Create copies and have both versions

    Overwrite existing version with recovered version

    Do not recover items if they already exist in the recovery location

Security Settings. You can use this option to restore permissions to the data being recovered.

Options for Server Restore

You perform server restore by starting the computer from the Windows Server 2012 installation media, selecting the computer repair option, and then selecting the full server restore option. When you perform full server restore, consider the following aspects:

Bare-metal restore. Bare-metal restore is the process during which you restore an existing server in its entirety to new or replacement hardware. When you perform a bare-metal restore, the restore proceeds and the server restarts. Later, the server becomes operational. In some cases, you may have to reset the computer's Active Directory account because these can sometimes become desynchronized.

Same or larger disk drives. The server hardware that you are restoring to must have disk drives that are the same size or larger than the drives of the original host server. If this is not the case, the restore will fail. It is possible, although not advised, to successfully restore to hosts that have slower processors and less RAM.

Importing to Hyper-V. Because server backup data is written to the VHD format, which is also the format that is used for virtual machine hard disks, it is possible, with some care, to use full server backup data as the basis of creating a virtual machine. Doing this gives you the option of ensuring business continuity while sourcing the appropriate replacement hardware.

Considerations for Data Recovery

There are several strategies that you can pursue in developing a data recovery procedure. Data is the most frequently recovered component of an IT infrastructure. Consider the following components in a data recovery strategy:

Letting users recover their own data by using the earlier versions functionality (volume shadow copy)

Performing a recovery to an alternative location

Performing a recovery to the original location

Performing a full volume recovery

Earlier Versions of Files: Users Recover Their Own Data


The most common form of data recovery performed by IT departments is the recovery of files and folders that users have deleted, lost, or in some way corrupted. The Previous Versions of Files functionality, which you can enable on all computers running Windows Server 2012, lets users recover their own files. After end-users are trained to do this, the IT department can spend its time recovering more important data. From a planning perspective, you should consider increasing the frequency at which snapshots for previous versions of files are generated. This gives users more options when they try to recover files that have recently been deleted or corrupted.

Recovering Data to an Alternative Location

A common recovery problem is the unintentional replacement of important data when recovering from
backup. This can occur when recovery is performed to a location with live data, instead of to a separate
location where the necessary data can be located and the unnecessary data discarded.

When you perform a recovery to an alternative location, always ensure that permissions are also restored.
A common problem is administrators recovering data that includes restricted material to a location where
important permissions are not applied, enabling unintended access to data for those that should not have
it.

Recovering Data to the Original Location

During some types of failures, such as data corruption or deletion, you have to restore data to the original location, because the applications or users that access that data are preconfigured with the information on where the data is located.

Recovering Volumes
If a disk fails, the quickest way to recover the data sometimes is to do a volume recovery, instead of a
selective recovery of files and folders. When you do a volume recovery, you must check whether any
shared folders are configured for the disks, and if the quotas and File Server Resource Manager
management policies are still in effect.

Demonstration: Restoring with Windows Server Backup

In this demonstration, you will see how to use the Recovery Wizard to restore a folder.

Demonstration Steps
1.

On LON-SVR1, delete the C:\HR Data folder.

2.

In the Windows Server Backup MMC, run Recovery Wizard and specify the following information:

    Getting Started: A backup stored on another location

    Specify Location type: Remote Shared Folder

    Specify Remote Folder: \\LON-DC1\Backup

    Select Backup Date: Default value, Today

    Select Recovery Type: Default value, Files and Folders

    Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data

    Specify Recovery Options: Another Location (C:)

3.

Locate C:\ and ensure that the files are restored.
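
The Recovery Wizard steps above map onto wbadmin.exe switches, including the Conflict Resolution and Security Settings choices described earlier in this lesson. The following added example, which is not part of the course, performs the same folder restore from Windows PowerShell on LON-SVR1 and then checks the restored permissions, because recovering restricted data into a location with weaker permissions is the problem called out under Recovering Data to an Alternative Location. The share and folder are the demonstration's values; the restore target C:\Restore is an assumption.

```powershell
# Added example (not part of the course): file and folder recovery with wbadmin.exe.
# Run in an elevated Windows PowerShell session on LON-SVR1.

$Share  = '\\LON-DC1\Backup'
$Item   = 'C:\HR Data'
$Target = 'C:\Restore'      # assumed "Another location"; omit -recoveryTarget to restore in place

# Pick the newest backup version stored on the share. "wbadmin get versions" prints
# "Version identifier: MM/DD/YYYY-HH:MM" lines, oldest first.
$versions = @(wbadmin get versions -backupTarget:$Share | ForEach-Object {
    if ($_ -match '^Version identifier:\s*(\S+)') { $Matches[1] }
})
if ($versions.Count -eq 0) { throw "No backup versions found on $Share" }
$Version = $versions[-1]

# Recovery Wizard choices as switches:
#   -overwrite:CreateCopy   "Create copies and have both versions"
#   -overwrite:Overwrite    "Overwrite existing version with recovered version"
#   -overwrite:Skip         "Do not recover items if they already exist"
#   -notRestoreAcl          only if you do NOT want "Security Settings" (permissions) restored
wbadmin start recovery -version:$Version -backupTarget:$Share `
    -itemType:File -items:"$Item" -recursive `
    -recoveryTarget:$Target -overwrite:CreateCopy -quiet
if ($LASTEXITCODE -ne 0) { throw "Recovery failed: wbadmin exit code $LASTEXITCODE" }

# Verify that the files came back under the target, then compare the restored ACL with
# the target folder's own ACL: identical entries mean the data inherited the target's
# permissions instead of keeping the ones it had when it was backed up.
Get-ChildItem -Path $Target -Recurse | Select-Object FullName, Length
$restored = Get-ChildItem -Path $Target -Directory | Select-Object -First 1
(Get-Acl -Path $restored.FullName).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
(Get-Acl -Path $Target).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```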

Restoring with an Online Backup Solution

You can use Microsoft Online Backup Service only on Windows Server 2012 servers. You do not have to restore data on the same server that you backed up. You can restore data on some other server, instead.

You can recover files and folders by using either the Microsoft Online Backup MMC in Server Manager or Windows PowerShell, by performing the following steps:


1. Select the server where the backup data was originally created, that is, whether it is a local
   server or another server. If you select the Another server option, you must provide your
   Microsoft Online Backup Service Administrator credentials.
2. Browse or search for the files that have to be restored in the Microsoft Online Backup Service.
3. After you locate the files, select them for recovery, and select a location where the files will be
   restored.
4. When restoring files, select from the following options:
   o Create copies so that you have both the restored file and original file in the same location. The
     restored file has its name in the following format: Recovery Date+Copy of+Original File Name
   o Overwrite the existing versions with the recovered version
   o Do not recover the items that already exist on the recovery destination

After you complete the restore procedure, the files will be restored on the Windows Server 2012 located in
your site.


Lab: Monitoring and Maintaining Windows 2012 Servers


Scenario

To obtain accurate information about server usage, it is important to establish a performance baseline
with a typical load for the new Windows Server 2012 servers. In addition, to make the process of
monitoring and troubleshooting easier, IT management wants to implement centralized monitoring of
event logs.

Much of the data that is stored on the A. Datum network is very valuable to the organization. Losing this
data permanently would be a very significant loss to the organization. Also, several servers that run on the
network provide very valuable services for the organization; losing these servers for a significant time
would also result in losses to the organization. Because of the significance of the data and services, it is
important that they can be restored even if there is any disaster.
One of the options that A. Datum is considering is backing up some critical data to a cloud-based service.
A. Datum is considering this as an option for small branch offices that do not have a full data center
infrastructure.
As one of the senior network administrators at A. Datum, you are responsible for planning and
implementing a monitoring and system recovery solution that will meet the management and business
requirements.

Objectives
After completing this lab, you will be able to:

Configure centralized monitoring for Windows 2012 servers.

Back up Windows Server 2012 Servers.

Restore files by using Windows Server Backup.

Perform an online backup and restore for Windows Server 2012 servers.

Lab Setup
Estimated time: 75 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:


1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1.
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.

Exercise 1: Configuring Centralized Monitoring for Windows Server 2012 Servers

Scenario
The management at A. Datum has asked for a monthly report on server performance. To provide a
monthly report, you plan to establish centralized monitoring of the server. You decide to configure
Server Manager to monitor all servers from a single console. You also decide to configure performance
monitoring for some critical resources, and to collect events from several business-critical servers at a
central location.
The main tasks for this exercise are as follows:
1. Configure Server Manager to monitor multiple servers.
2. Configure a data collector set.
3. Configure an event subscription.

Task 1: Configure Server Manager to monitor multiple servers

1. Switch to LON-SVR1.
2. In the Server Manager console, in the navigation pane, click All Servers.
3. In the Server Manager console, add LON-DC1 as another server to be monitored.
4. In the Actions pane, start the performance counters for both LON-SVR1 and LON-DC1.

Task 2: Configure a data collector set

1. On LON-SVR1, open the Performance Monitor, and create a data collector set named Windows
   Server Monitoring.
2. Configure the data collector set to include the Performance counter data logs for
   Processor/% Processor Time, Memory/Available MBytes and Logical Disk/% Free Disk Space.
3. Start the Windows Server Monitoring data collector set, and let it run for one minute.
4. Stop the Windows Server Monitoring data collector set, and then review the latest report.

Task 3: Configure an event subscription

1. Switch to LON-SVR1.
2. At the command prompt, run the winrm quickconfig command to enable the administrative
   changes that are required on a source computer.
3. Add the LON-DC1 computer to the local Administrators group.
4. Switch to LON-DC1.
5. At the command prompt, run the wecutil qc command to enable the administrative changes that are
   required on a collector computer.
6. Open Event Viewer.
7. Create a new subscription with the following properties:
   o Computers: LON-SVR1
   o Name: LON-SVR1 Events
   o Type of subscription: Collector Initiated
   o Events: Critical, Warning, Information, Verbose, and Error
   o Logged: last 7 days
   o Logs: Windows Logs
8. Expand Event Viewer, expand Windows Logs, and then click Forwarded Events. Verify that events are
   forwarded from LON-SVR1.

Results: After completing this exercise, you will have configured Server Manager to monitor multiple
servers, configured a data collector set, and configured an event subscription.
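The subscription from Task 3, created on the collector from Windows PowerShell with wecutil instead of through the Event Viewer wizard and then verified, as an added example that is not part of the course. The source FQDN LON-SVR1.adatum.com and the temporary file path are assumptions; the levels, logs and 7-day window mirror the task.

```powershell
# Added example (not from the course): run on the collector (LON-DC1) after winrm
# quickconfig on LON-SVR1 and wecutil qc on LON-DC1, as in Task 3. Creates the
# "LON-SVR1 Events" collector-initiated subscription from an XML definition and then
# verifies that forwarded events are arriving.

$SubscriptionName = 'LON-SVR1 Events'
$SourceAddress    = 'LON-SVR1.adatum.com'          # assumption: FQDN in the Adatum domain
$XmlPath          = Join-Path $env:TEMP 'LON-SVR1-Events.xml'

# Event query: all five levels (Critical=1, Error=2, Warning=3, Information=4 or 0,
# Verbose=5) from the Windows Logs, limited to the last 7 days (timediff is in ms).
# The XPath lives inside XML, so "<=" has to be written as "&lt;=".
$levels = '(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)'
$window = 'TimeCreated[timediff(@SystemTime) &lt;= 604800000]'
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[$levels and $window]]</Select>
    <Select Path="Security">*[System[$levels and $window]]</Select>
    <Select Path="Setup">*[System[$levels and $window]]</Select>
    <Select Path="System">*[System[$levels and $window]]</Select>
  </Query>
</QueryList>
"@

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Logs from LON-SVR1, last 7 days</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$SourceAddress</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

# wecutil reads the definition from a file; Unicode matches what Event Viewer exports.
Set-Content -Path $XmlPath -Value $subscriptionXml -Encoding Unicode
& wecutil cs $XmlPath
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# Runtime status: the source should show as Active once the collector has connected.
& wecutil gr $SubscriptionName

# Verify delivery: count events per source machine that landed in Forwarded Events.
# -ErrorAction avoids the terminating error Get-WinEvent raises when nothing matches yet.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Group-Object -Property MachineName |
    Select-Object -Property Name, Count
```

Reading the Security log of LON-SVR1 needs the rights the lab grants in step 3 (the collector's computer account in the source's local Administrators group); without them the other three logs still arrive but Security stays empty.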

Exercise 2: Backing up Windows Server 2012


Scenario

The LON-SVR1 server contains financial data that must be backed up regularly. This data is important to
the organization. You decide to use Windows Server Backup to back up critical data. You plan to install
this feature and configure a scheduled backup.
The main tasks for this exercise are as follows:
1. Install the Windows Server Backup feature.
2. Configure a scheduled backup.
3. Complete an on-demand backup.

Task 1: Install the Windows Server Backup feature

1. Switch to LON-SVR1.
2. Open Server Manager and install the Windows Server Backup role.
3. Install the role on LON-SVR1 and then accept the default values on the Add Role wizard.

Task 2: Configure a scheduled backup

1. On LON-SVR1, start Windows Server Backup.
2. Configure Backup Schedule with the following options:
   o Backup Configuration: Full server (recommended).
   o Backup Time: Once a day, 1:00 AM.
   o Destination Type: Back up to a shared network folder
   o Remote Shared Folder: \\LON-DC1\Backup.
   o Register Backup Schedule: Username: Administrator
   o Password: Pa$$w0rd
3. Close Windows Server Backup.

Task 3: Complete an on-demand backup

To prepare for this task, you need to create a folder named Financial Data on drive C: of LON-SVR1,
and within the Financial Data folder you need to create a text file named Financial Report.txt.
To complete an on-demand backup, perform the following steps:
1. On LON-SVR1, start Windows Server Backup.
2. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder,
   \\LON-DC1\Backup.

Results: After completing this exercise, you will have installed the Windows Server Backup feature,
configured a scheduled backup, and run an on-demand backup.
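The scheduled full-server backup of Task 2 and the on-demand backup of Task 3, configured with the WindowsServerBackup module cmdlets instead of the wizards, as an added example that is not part of the course. Share and folder names are the lab's; the credential is prompted for rather than embedded.

```powershell
# Added example (not from the course): configure the lab's backups with the
# WindowsServerBackup module instead of the wizards. Run on LON-SVR1 after the
# Windows Server Backup feature is installed.
Import-Module WindowsServerBackup

$SharePath = '\\LON-DC1\Backup'
# Prompt for the account that may write to the share (Adatum\Administrator in the lab);
# never hard-code the password in a script that is stored on the server.
$ShareCred = Get-Credential -Message "Account with write access to $SharePath"
$Target    = New-WBBackupTarget -NetworkPath $SharePath -Credential $ShareCred

# --- Task 2: scheduled full-server backup, once a day at 1:00 AM -----------------
$policy = New-WBPolicy
# "Full server" = every volume plus system state and bare metal recovery data.
Get-WBVolume -AllVolumes | ForEach-Object { Add-WBVolume -Policy $policy -Volume $_ }
Add-WBSystemState       -Policy $policy
Add-WBBareMetalRecovery -Policy $policy
Add-WBBackupTarget      -Policy $policy -Target $Target
Set-WBSchedule          -Policy $policy -Schedule ([datetime]'01:00')
# Registers the schedule; -Force suppresses the confirmation prompt.
Set-WBPolicy -Policy $policy -Force

# Read the registered policy back and show what will run and when.
$registered = Get-WBPolicy
Write-Output ("Scheduled at: " + ($registered.Schedule -join ', '))
Write-Output ("Volumes: " + (($registered.VolumesToBackup | ForEach-Object { $_.MountPath }) -join ', '))

# --- Task 3: on-demand backup of C:\Financial Data only -------------------------
$onceOnly = New-WBPolicy
Add-WBFileSpec     -Policy $onceOnly -FileSpec (New-WBFileSpec -FileSpec 'C:\Financial Data')
Add-WBBackupTarget -Policy $onceOnly -Target $Target
# A VSS copy backup leaves archive bits and application logs alone, so the one-off
# run does not disturb the daily backup chain.
Set-WBVssBackupOptions -Policy $onceOnly -VssCopyBackup
Start-WBBackup -Policy $onceOnly

# Confirm the backup set is visible on the share (what the Recovery Wizard will list).
Get-WBBackupSet -BackupTarget $Target |
    Sort-Object BackupTime |
    Select-Object -Last 3 -Property BackupTime, VersionId, BackupTarget
```

A backup to a shared network folder keeps only the most recent version per server, so Get-WBBackupSet shows a single set for that target; keep a disk or online copy as well if you need older versions.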

Exercise 3: Restoring files by using Windows Server Backup


Scenario

To ensure that the financial data can be restored, you must validate the procedure for restoring the data
to an alternative location. You may also have to restore different versions of the data. For this purpose,
you may have to use the Vssadmin tool to review backups.
The main tasks for this exercise are as follows:
1. Delete a file from the file server.
2. View the available restores by using the Vssadmin command.
3. Restore the file from backup.

Task 1: Delete a file from the file server

On LON-SVR1, delete the C:\Financial Data folder.

Task 2: View the available restores by using the Vssadmin command

1. On LON-SVR1, run Windows PowerShell.
2. At the Windows PowerShell prompt, run the Vssadmin list shadows command to list existing volume
   shadow copies.

Task 3: Restore the file from backup

1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:
   o Getting Started: A backup stored on another location
   o Specify Location type: Remote Shared Folder
   o Specify Remote Folder: \\LON-DC1\Backup
   o Select Backup Date: Default value, Today
   o Select Recovery Type: Default value, Files and Folders
   o Select Items to Recover: LON-SVR1\Local Disk (C:)\Financial Data
   o Specify Recovery Options: Another Location (C:)
2. Locate C:\ and ensure that the files are restored.

Results: After completing this exercise, you will have deleted a folder to simulate data loss, viewed the
available restores, and then restored the folder from the backup that you created.

Exercise 4: Implementing Microsoft Online Backup and Restore


Scenario

A. Datum has to protect critical data in small branch offices. Those offices do not have backup hardware
and full data center infrastructure. Therefore A. Datum has decided to back up the critical data in branch
offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012.
The main tasks for this exercise are as follows:
1. Install the Microsoft Online Backup Service component.
2. Register the server with Microsoft Online Backup.
3. Configure an online backup.
4. Restore files by using the online backup.
5. Unregister the server from the Microsoft Online Backup Service.

Task 1: Install the Microsoft Online Backup Service component

1. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Sign-in Assistant,
   msoidcli.msi. Install the application.
2. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent,
   OBSInstaller.exe.
3. Start the installation of Microsoft Online Backup Agent by double-clicking the installation file
   OBSInstaller.exe.
4. Complete the setup by specifying the following information:
   o Installation Folder: C:\Program Files
   o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
   o Microsoft Update Opt-In: I don't want to use Microsoft Update.
5. Verify the installation; ensure you receive the following message: Microsoft Online Backup Service
   Agent installation has completed successfully. Clear the Check for newer updates check box, and
   then click Finish.
6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and
   Microsoft Online Backup Service Shell.

Task 2: Register the server with Microsoft Online Backup

Before you start this task, you should rename LON-SVR1 to YOURCITYNAME-YOURNAME, for example
NEWYORK-ALICE. This is because this exercise will be performed online, and therefore the computer
names used in this lab should be unique. If there is more than one student in the classroom with the same
name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
To rename LON-SVR1, perform the following steps:
1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart
   YOURCITYNAME-YOURNAME.
2. Wait until YOURCITYNAME-YOURNAME is restarted, and then log on as Adatum\Administrator
   with password Pa$$w0rd.

To register the server with Microsoft Online Backup, perform the following steps:
1. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following
   information:
   o Account Credentials:
     Username: holuser@onlinebackupservice.onmicrosoft.com
     Password: Pa$$w0rd
     Note: In a real-life scenario, you would type the username and password of your Microsoft Online
     Backup Service subscription account.
   o Encryption Settings:
     Enter passphrase: Pa$$w0rdPa$$w0rd
     Confirm passphrase: Pa$$w0rdPa$$w0rd
2. Verify that you receive the following message: Microsoft Online Backup Service is now available
   for this server.

Task 3: Configure an online backup

1. Switch to the Microsoft Online Backup Service console.
2. Configure an online backup by using the following options:
   o Select Items to back up: C:\Financial Data
   o Specify Backup Time: Saturday, 1:00AM
   o Specify Retention Setting: Default values
3. In the Microsoft Online Backup Service console, start the backup by clicking Backup Now.

Task 4: Restore files by using the online backup

1. Switch to the Microsoft Online Backup Service console.
2. Restore files and folders by using the Recover Data option and specify the following information:
   o Identify the server on which the backup was originally created: This server
   o Select Recovery Mode: Browse for files
   o Select Volume and Date: C:\ and date and time of the latest backup.
   o Select Items to Recover: C:\Financial Data
   o Specify Recovery Options: Original location and Create copies so that you have both versions

Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console.
2. Unregister the server from the Microsoft Online Backup Service using the following credentials:
   o Username: holuser@onlinebackupservice.onmicrosoft.com
   o Password: Pa$$w0rd

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent,
registered the server with Microsoft Online Backup Service, configured a scheduled backup, and
performed a restore by using Microsoft Online Backup Service.

Task: To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1 and MSL-TMG1.

Module Review and Takeaways


Review Questions
Question: Why is monitoring important?
Question: You want to create a strategy on how to back up different technologies that are
used in your organization such as DHCP, DNS, Active Directory, and SQL Server. What should
you do?
Question: How frequently should we perform backup on critical data?

Best Practices


Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on
proactively detecting potential failures or performance issues.

When monitoring, estimate the baseline of system utilizations for each server. This will help you
determine whether the system is performing well or is overused.

Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.

Identify with the organization's business managers the minimum recovery time for business-critical
data. Based on that information, create an optimal restore strategy.

Always test backup and restore procedures regularly, even if data loss or system failures never occur.
Perform testing in a non-production and isolated environment.

Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip
o During monitoring, multiple sources are concurrently reporting different problems.
o The server has suffered a major failure on its components.
o You must have a way to back up and restore your data quickly at different company locations. You do
  not have backup media or backup hardware in each site.
o You must restore your data because of a failure of the disk system. However, you find that your backup
  media is corrupted.

Real-world Issues and Scenarios

Your organization needs information on which data to back up, how frequently to back up different types
of data and technologies, where to store backed up data (onsite or in the cloud), and how fast it can
restore backed up data if a failure were to occur. Also, what is your suggestion to improve your
organization's ability to efficiently restore data when it is necessary?

Tools

Tool: Server Manager Dashboard
Use for: Monitoring multiple servers
Where to find it: Server Manager

Tool: Performance Monitor
Use for: Monitoring services and application and hardware performance data
Where to find it: Server Manager/Tools

Tool: Resource Monitor
Use for: Controlling how your system resources are being used by processes and services
Where to find it: Server Manager/Tools

Tool: Windows Server Backup
Use for: Performing on demand or scheduled backup and restoring data and servers
Where to find it: Server Manager/Tools

Tool: Microsoft Online Backup Service
Use for: Performing on demand or scheduled backup to the cloud and restoring data from the backup
located in the cloud
Where to find it: Server Manager/Tools


Module 3
Managing Windows Server 2012 by Using Windows
PowerShell 3.0
Contents:
Module Overview 3-1
Lesson 1: Overview of Windows PowerShell 3.0 3-2
Lesson 2: Using Windows PowerShell 3.0 to Manage AD DS 3-9
Lesson 3: Managing Servers by Using Windows PowerShell 3.0 3-20
Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0 3-26
Module Review and Takeaways 3-31

Module Overview

Windows PowerShell is a core feature of Windows Server 2012 that enables command line management
and configuration of the operating system. It is a standardized, task-based command-line shell and
scripting language that offers administrators more flexibility and choice in how they manage computers
running Windows.
Windows PowerShell 3.0, included in Windows Server 2012, has more functionality and features than
earlier versions. You can now use Windows PowerShell to manage all the Windows Server roles and
features. This enables administrators to quickly automate configuration tasks with a single tool, instead of
having to use multiple tools, such as batch scripts, Microsoft Visual Basic Script Edition scripts (VBScript),
and manual configuration steps.

In this module, you will learn key Windows PowerShell concepts and new Windows PowerShell 3.0
features. This module will also describe how to practically use Windows PowerShell in your daily activities.

Objectives
After completing this module, you will be able to:

Describe the Windows PowerShell command-line interface.

Use Windows PowerShell to manage Active Directory Domain Service (AD DS).

Manage servers by using Windows PowerShell.

Lesson 1

Overview of Windows PowerShell 3.0

As a Windows Server administrator, you can use Windows PowerShell to install and configure native
Windows Server 2012 roles and features and to administer software such as Microsoft Exchange Server
and Microsoft System Center 2012. Although you can use a graphical user interface (GUI) for
administration, using Windows PowerShell with these applications enables bulk administration. This
provides the ability to create automation scripts for administration and access to configuration options
that are not available when you use a GUI. Some tasks that you can perform in Windows PowerShell will
already be familiar to you, such as listing the contents of a directory. To use Windows PowerShell
effectively, you must have a basic understanding of Windows PowerShell.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows PowerShell.

Describe the Windows PowerShell syntax.

Describe cmdlet aliases.

Use the Windows PowerShell Integrated Scripting Environment (ISE).

Access Help in Windows PowerShell.

Describe Windows PowerShell modules.

Describe Windows PowerShell remoting.

Describe the new features in Windows PowerShell 3.0.

What Is Windows PowerShell?
Windows PowerShell is a command-line management interface that you can use to configure Windows
Server 2012 and products such as System Center 2012, Exchange Server 2010, and Microsoft SharePoint
Server 2010. This management interface provides an alternative to the GUI management that enables
administrators to:

Create automation scripts.

Perform batch modifications.

Access settings that might be unavailable or more difficult to configure in the GUI.

A GUI can guide you through complex operations, and can help you understand your choices. However,
a GUI can be inefficient for tasks that you have to perform repeatedly, such as creating new user
accounts. By building administrative functionality in the form of Windows PowerShell commands,
Microsoft lets you select the right method for a given task.
As you become more comfortable with Windows PowerShell, you may use it in place of other low-level
administrative tools that you may have used. For example, Windows PowerShell has access to the same
features that VBScript does, but in many cases provides easier ways to perform the same tasks.


Windows PowerShell may also change the way you use Windows Management Instrumentation (WMI).
Windows PowerShell can wrap task-specific commands around the underlying WMI functionality. When
you use Windows PowerShell with WMI, your work is simplified because Windows PowerShell provides
easy to use, task-based commands.

Windows PowerShell Syntax
Windows PowerShell has rules for naming and implementing functions. For example, Windows
PowerShell commands, known as cmdlets, use a naming convention of verb or action, followed by
a hyphen and a noun or subject. For example, to retrieve a list of virtual machines (VMs), you would
use the cmdlet Get-VM. This standardization helps you more easily learn how to perform
administrative tasks. For example, to change settings of a VM, you would use the cmdlet Set-VM.

Optionally, one or more parameters can be used with a cmdlet to modify its behavior or specify settings.
Parameters are written after the cmdlet. Each parameter that is used is separated by a space, and begins
with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique
to their functionality. For example, the Move-Item cmdlet has the -Destination parameter to specify the
location to move the object; whereas Get-ChildItem has the -Recurse switch parameter. There are several
kinds of parameters, including the following:

Named. Named parameters are most common. They are parameters that can be specified and require
a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination
parameter along with the exact destination to move the item.

Switch. Switch parameters modify the behavior of the cmdlet, but do not require any additional
modifiers or values. For example, you can specify the -Verbose parameter without specifying a value
of $True.

Positional. Positional parameters are parameters that can be omitted and can still accept values based
on where the information is specified in the command. For example, you could run Get-EventLog
-EventLog System to retrieve information from the System event log. However, because the
-EventLog positional parameter accepts values for the first position, you can also run Get-EventLog
System to get the same results. When the -EventLog parameter is not present, the cmdlet still
accepts the value of System because it is the first item after the cmdlet name.

Parameters that are common to many cmdlets include options to test the actions of the cmdlet or to
generate verbose information about the execution of the cmdlet. Common parameters include:

-Verbose. This parameter displays detailed information about the performed command. You should
use this parameter to obtain more information about the execution of the command.

-WhatIf. This parameter displays the outcome of running the command without running it. This is
helpful when testing a new cmdlet or script and you do not want the cmdlet to run.

-Confirm. This parameter displays a confirmation prompt before executing the command. This is
helpful when you are running scripts and you want to prompt the user before executing a specific
step in the script.

Additional Reading: Cmdlet Verbs
http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx
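An added example (not from the course) that puts the three parameter kinds and the common parameters together in one advanced function: Export-ServerEventLog archives an event log to an .evtx file with wevtutil epl. The function name, the destination folder C:\LogArchive (which must already exist) and the logs named in the calls are illustrative.

```powershell
# Added example (not from the course): an advanced function that shows named, switch and
# positional parameters, plus how -Verbose, -WhatIf and -Confirm reach it through
# [CmdletBinding(SupportsShouldProcess)]. It archives an event log with "wevtutil epl".
function Export-ServerEventLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Positional (position 0): "Export-ServerEventLog System" works without -LogName.
        [Parameter(Mandatory = $true, Position = 0)]
        [string[]] $LogName,

        # Named: must be given as -Destination <folder>; the folder has to exist.
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path -Path $_ -PathType Container })]
        [string] $Destination,

        # Switch: present or absent, no value needed (like -Recurse on Get-ChildItem).
        [switch] $Overwrite
    )

    foreach ($log in $LogName) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
        $file  = Join-Path $Destination "$($env:COMPUTERNAME)-$log-$stamp.evtx"

        # -WhatIf makes ShouldProcess return $false and print "What if: ...";
        # -Confirm makes it ask before each log.
        if ($PSCmdlet.ShouldProcess("$log log", "Export to $file")) {
            # Write-Verbose output appears only when the caller passes -Verbose.
            Write-Verbose "Exporting $log to $file (overwrite: $($Overwrite.IsPresent))"
            $ow = if ($Overwrite) { '/ow:true' } else { '/ow:false' }
            & wevtutil epl $log $file $ow
            if ($LASTEXITCODE -ne 0) {
                Write-Error "wevtutil failed for $log with exit code $LASTEXITCODE"
                continue
            }
            Get-Item -Path $file   # return the archive file object to the pipeline
        }
    }
}

# Positional LogName, named Destination, no switch; dry run only, nothing is written.
Export-ServerEventLog System -Destination C:\LogArchive -WhatIf

# Same call with the switch and -Verbose, so the export really runs and explains itself.
Export-ServerEventLog 'System', 'Security' -Destination C:\LogArchive -Overwrite -Verbose
```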

Cmdlet Aliases
Although the standard naming convention used by cmdlets facilitates learning, the names
themselves can be very long, and sometimes do not match common terminology associated with
performing a task. For example, you may be familiar with the dir command which lists the
contents of a directory (or folder). The Windows PowerShell cmdlet for this task, however, is
Get-ChildItem. To make using cmdlets easier, Windows PowerShell enables aliases to be created
for cmdlets. There is an alias created by default for dir that points to Get-ChildItem.
You can create new aliases for your common cmdlets, scripts, and programs by using the New-Alias
cmdlet. Default aliases include:

cd -> Set-Location

copy -> Copy-Item

kill -> Stop-Process

move -> Move-Item

rm -> Remove-Item

type -> Get-Content

help -> Get-Help

Demonstration: Using the Windows PowerShell ISE

The Windows PowerShell ISE application is a graphical tool that enables you to write and test Windows
PowerShell scripts similar to the way a developer would write an application by using Microsoft Visual
Studio. The Windows PowerShell ISE for Windows PowerShell 3.0 includes IntelliSense to provide
instant suggestions on the correct script syntax and available cmdlet parameters. Windows PowerShell
ISE is divided into two main parts: the Script pane and the Console pane.

Demonstration Steps
1. Log on to LON-DC1 as the domain administrator.
2. Open Windows PowerShell ISE as an administrator and review the Script pane and the Console pane.
3. Follow the steps in the following demonstration script: E:\ModXA\Democode\Using Windows
   PowerShell ISE.ps1.

Accessing Help in Windows PowerShell
Whether you are an experienced professional or new to Windows PowerShell, the cmdlet Help
documentation is a rich source of information. To access the Help documentation, use the Get-Help
cmdlet or its alias help followed by the cmdlet name. Get-Help has parameters to adjust the
Help content that is displayed. The parameters are:

-Detailed. This parameter displays more detailed help than the default option.

-Examples. This parameter displays only the examples for using the cmdlet.

-Full. This parameter displays detailed help and usage examples.

-Online. This parameter opens a Web browser to the cmdlet documentation on the Microsoft website.

Windows PowerShell 3.0 includes the ability to download the latest help document from Microsoft for
use locally. To do this, use the Update-Help cmdlet. Also, new in Windows PowerShell 3.0 is the
Show-Command cmdlet. This helps PowerShell beginning users interact with the input and output
options for a cmdlet by using a graphical interface.

The Get-Command cmdlet returns a list of all locally available cmdlets, functions, and aliases. You can use
it to discover new cmdlets by using wildcard searches. For example, to return a list of all cmdlets that
include VM in them, you could run Get-Command *VM*.

Using Windows PowerShell Modules
Windows PowerShell is designed to be extensible. Adding new cmdlets and functions in Windows
PowerShell 3.0 is performed in part through modules.
Note: In earlier versions of Windows PowerShell, extensibility was provided by using snap-ins. For
backward compatibility, Windows PowerShell 3.0 continues to support snap-ins.

Windows PowerShell uses the Microsoft.PowerShell.Management module which provides basic
functionality. When you install additional roles on a server, additional Windows PowerShell modules are
installed and registered. For example, you install the Microsoft Hyper-V Role and also choose to install
the Hyper-V module for Windows PowerShell. To manage Hyper-V from Windows PowerShell, you must
import the Hyper-V module into the Windows PowerShell session. To import the Hyper-V module, run the
following command:
Import-Module Hyper-V

Run the following command to list all modules that are imported:
Get-Module

It is not always necessary to manually import modules. For example, the Windows PowerShell module for Exchange Server 2010 is loaded for you when you open the Exchange Management Shell that the product installs. However, if you cannot run cmdlets for a specific Windows role or application, it may indicate that you have to import the appropriate Windows PowerShell module.

There are two basic module types:

- Binary. A binary module is compiled from .NET Framework code and is frequently provided with a product to add Windows PowerShell support for it. Binary modules typically add cmdlets whose nouns are the product's own object types; for Exchange Server 2010, these are object types that the product adds to the AD DS schema. An example is the New-Mailbox cmdlet of Exchange Server 2010.

- Script. A script module is a .psm1 file composed of Windows PowerShell functions that are built from cmdlets that already exist in the environment. These functions and variables can automate repetitive or tedious tasks. You may want to create your own module that includes functions or variables specific to your environment as a timesaving or configuration management measure.

Additional Reading: Windows PowerShell Modules
https://msdn.microsoft.com/en-us/library/windows/desktop/dd878324(v=vs.85).aspx
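The following block is an added example, not part of the course material. It builds a small script module with a manifest, places it on the module path, and shows Windows PowerShell 3.0 loading it automatically on first use. The module name (ContosoTools), the function names, and the temporary folder are assumptions made for the demonstration; everything runs locally.

```powershell
# Added example: build a minimal script module, publish it on the module path and watch
# Windows PowerShell 3.0 auto-load it. ContosoTools and its functions are made-up names.
$moduleName = 'ContosoTools'
$moduleRoot = Join-Path $env:TEMP 'DemoModules'
$modulePath = Join-Path $moduleRoot $moduleName
New-Item -ItemType Directory -Path $modulePath -Force | Out-Null

# The .psm1 holds the functions; only what Export-ModuleMember names is visible to callers.
@'
function Get-ContosoDiskReport {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3" -ComputerName $c |
            Select-Object @{n='Computer';e={$c}}, DeviceID,
                @{n='FreeGB';e={[math]::Round($_.FreeSpace/1GB,1)}},
                @{n='PctFree';e={[math]::Round(100*$_.FreeSpace/$_.Size,1)}}
    }
}
function ConvertTo-Gigabyte { param([long]$Bytes) [math]::Round($Bytes/1GB,2) }
Export-ModuleMember -Function Get-ContosoDiskReport   # ConvertTo-Gigabyte stays private
'@ | Set-Content -Path (Join-Path $modulePath "$moduleName.psm1") -Encoding ASCII

# A manifest (.psd1) records the version, the exported commands and any dependencies.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") `
    -RootModule "$moduleName.psm1" -ModuleVersion '1.0.0' `
    -FunctionsToExport 'Get-ContosoDiskReport' -Author 'Contoso IT' `
    -Description 'Demo script module for the modules lesson.'

# Make the folder discoverable. In Windows PowerShell 3.0 a module found under
# $env:PSModulePath is imported automatically the first time one of its commands runs.
if (($env:PSModulePath -split ';') -notcontains $moduleRoot) {
    $env:PSModulePath = "$moduleRoot;$env:PSModulePath"
}
Get-Module $moduleName                              # prints nothing: not imported yet
Get-ContosoDiskReport | Format-Table -AutoSize      # first use triggers auto-loading
Get-Module $moduleName | Select-Object Name, Version, ExportedCommands
Get-Command ConvertTo-Gigabyte -ErrorAction SilentlyContinue   # nothing: not exported

# Import-Module is still needed for a module outside PSModulePath, or when you want a
# noun prefix so its commands cannot collide with another module's commands.
Import-Module $modulePath -Prefix Demo -Force
Get-DemoContosoDiskReport | Format-Table -AutoSize
```

Get-Command -Module ContosoTools lists exactly the exported surface; keeping helpers private is the same least-exposure habit you apply to any API, and the manifest's FunctionsToExport lets you pin that surface even if someone later edits the .psm1.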

What Is Windows PowerShell Remoting?

The purpose of Windows PowerShell remoting is to connect to remote computers, to run commands on those computers, and to direct the results back to your local computer. This enables single-seat administration, or the ability to manage the computers on the network from the client computer instead of having to physically visit each computer. A key goal of Windows PowerShell remoting is to enable batch administration, which lets you run commands on a whole set of remote computers concurrently.

There are three main ways to use remoting:

- One-to-One remoting. In this scenario, you connect to a single remote computer and run shell commands on it, exactly as if you had logged on to the console and opened a Windows PowerShell window.

- One-to-Many remoting, or Fan-Out remoting. In this scenario, you issue a command that will be executed on one or more remote computers in parallel. You are not working with each remote computer interactively. Instead, your commands are issued and executed in a batch, and the results are returned to your computer for your use.

- Many-to-One remoting, or Fan-In remoting. In this scenario, multiple administrators make remote connections to a single computer. Typically, those administrators will have different permissions on the remote computer and might be working in a restricted runspace within the shell. This scenario usually requires custom development of the restricted runspace and will not be covered further in this course.

Remoting requires both Windows PowerShell and the Windows Remote Management (WinRM) service on your local computer and on any remote computers to which you want to connect. WinRM is the Microsoft implementation of Web Services for Management (WS-Man), a set of protocols that is widely adopted across different operating systems. As the name implies, WS-Man and WinRM use web-based protocols. An advantage of these protocols is that they use a single, definable port, which makes them easier to pass through firewalls than older RPC-based management protocols that negotiated a dynamically assigned port. WinRM communicates by using the Hypertext Transfer Protocol (HTTP). By default, WinRM and Windows PowerShell remoting listen on TCP port 5985 for HTTP connections and on TCP port 5986 for HTTPS connections, which are protected by TLS. A listener on port 5985 is not necessarily plaintext: when WinRM authenticates with Kerberos, NTLM, or CredSSP, it encrypts the message body itself, so Windows PowerShell remoting traffic stays protected even though the transport is HTTP. Only Basic authentication sends credentials and data in the clear, and the WinRM client refuses it unless HTTPS is used or unencrypted traffic has been explicitly allowed; leave the AllowUnencrypted and Auth\Basic settings at their default value of false. WinRM supports authentication and, by default, uses the Active Directory native Kerberos protocol in a domain environment. Kerberos never sends the password over the network, and it provides mutual authentication: the client proves its identity to the server, and the server proves that it is the computer you intended to connect to rather than an impostor answering to that name.

Establishing a One-to-One remoting session by using Windows PowerShell ISE is performed by clicking New Remote PowerShell Tab on the File menu. You can also establish a remote Windows PowerShell session by using the Enter-PSSession cmdlet. For example, to open a remote Windows PowerShell session on a computer named LON-SVR2, you would use the following syntax:
Enter-PSSession -ComputerName LON-SVR2

One-to-Many remoting is primarily performed by using the Invoke-Command cmdlet. To run the Get-EventLog cmdlet against the computers named LON-SVR1 and LON-SVR2, use the following command:

Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -ComputerName LON-SVR1, LON-SVR2

Note: Unlike in earlier versions, Windows Server 2012 has Windows PowerShell remoting and WinRM enabled by default.
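The following block is an added example rather than course material. It shows the WinRM checks a practitioner makes before trusting remoting, and then the persistent-session form of the commands above, including the disconnect-and-resume behaviour that Windows PowerShell 3.0 introduced. The server names come from the lesson; it assumes you are logged on with a domain account that is an administrator on both servers.

```powershell
# Added example: WinRM sanity checks, fan-out with reusable sessions, and disconnected
# sessions. LON-SVR1 / LON-SVR2 are the lesson's server names; domain admin rights assumed.
$servers = 'LON-SVR1', 'LON-SVR2'

# 1. Local WinRM service settings that should stay at their secure defaults (false).
Get-Item WSMan:\localhost\Service\AllowUnencrypted, WSMan:\localhost\Service\Auth\Basic |
    Select-Object Name, Value

# 2. Test-WSMan authenticates to the remote endpoint without running any command there.
foreach ($s in $servers) {
    try {
        $null = Test-WSMan -ComputerName $s -Authentication Kerberos -ErrorAction Stop
        "$s : WinRM reachable with Kerberos"
    } catch {
        "$s : WinRM NOT reachable - $($_.Exception.Message)"
    }
}

# 3. Create the sessions once; every Invoke-Command below reuses them instead of paying
#    for a new connection, and variables set in a session survive between calls.
$sessions = New-PSSession -ComputerName $servers -Authentication Kerberos

# Fan-out: the script block runs on all targets concurrently. Returned objects carry a
# PSComputerName property so the results can be told apart.
$events = Invoke-Command -Session $sessions -ScriptBlock {
    Get-EventLog -LogName System -Newest 5 -EntryType Error
}
$events | Sort-Object PSComputerName, TimeGenerated -Descending |
    Format-Table PSComputerName, TimeGenerated, Source, EventID -AutoSize

# Local values travel into the remote script block with the $using: prefix (new in 3.0).
$days = 7
Invoke-Command -Session $sessions -ScriptBlock {
    $since = (Get-Date).AddDays(-1 * $using:days)
    Get-EventLog -LogName Security -InstanceId 4625 -After $since |    # failed logons
        Measure-Object | Select-Object @{n='FailedLogons';e={$_.Count}}
}

# 4. A 3.0 session can outlive the client: disconnect, then reconnect later and find the
#    state still there (also works from another console on the same account).
Invoke-Command -Session $sessions[0] -ScriptBlock { $marker = 'set before disconnect' }
Disconnect-PSSession -Session $sessions[0] | Out-Null
$resumed = Get-PSSession -ComputerName $servers[0] -State Disconnected | Connect-PSSession
Invoke-Command -Session $resumed -ScriptBlock { $marker }     # 'set before disconnect'

# 5. One-to-one on a single server is interactive and so is left commented out here:
# Enter-PSSession -Session $sessions[1]   # prompt becomes [LON-SVR2]: PS C:\>
# Exit-PSSession

Get-PSSession | Remove-PSSession    # release the remote runspaces when finished
```

Prefer -Authentication Kerberos over the default Negotiate when you can: Negotiate silently falls back to NTLM if Kerberos fails, which hides name-resolution or SPN problems and gives up mutual authentication.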

What Is New in Windows PowerShell 3.0?

Windows PowerShell 3.0 has new features that facilitate managing larger groups of servers through better scaling, additional functionality, and better management. Windows PowerShell 3.0 includes the following new features:

- Windows PowerShell Workflow. This enables coordination of complex parallel and sequenced commands.

- Windows PowerShell Web Access. This feature enables encrypted and authenticated access to Windows PowerShell by using a web browser on any device.

- Scheduled Jobs. This feature enables scheduling of Windows PowerShell commands and scripts to automatically run administrative tasks.

- Enhanced Online Help. You can now download the latest Help files from Microsoft by using the Update-Help cmdlet, or open the current online version of a topic with Get-Help -Online. This ensures that you are getting the latest information about how to use Windows PowerShell.

- Windows PowerShell ISE IntelliSense. Windows PowerShell ISE provides completion hints for cmdlets, including their valid parameters, which make it easier than ever to use Windows PowerShell.

- Robust Session Connectivity. These connections enable you to connect to a remote server and, if connectivity is lost or you intentionally disconnect, resume the session at the point where it was disconnected. Previously, if the connection to a session was lost, all the session data, variables, and command history would be lost.

Lesson 2
Using Windows PowerShell 3.0 to Manage AD DS

Active Directory is the technology that many administrators spend most of their time using, completing day-to-day administrative tasks such as adding users and updating directory objects. With the number of Active Directory-focused cmdlets in Windows Server 2012, those administrators can save time and energy by using Windows PowerShell to automate many of their more time-consuming or repetitive tasks. Automation can also help improve security and consistency because it is less prone to repeated human error than manual administration. If you are already comfortable performing common Active Directory administrative tasks in other tools, you should quickly be able to learn to perform equivalent tasks in Windows PowerShell.

This lesson will help you understand the approach used by the Active Directory cmdlets. It will help you develop the skills that you must have to discover, explore, learn, and use other add-in commands, whether they are included with Windows Server 2012 or with another Microsoft or third-party software product.

Lesson Objectives

After completing this lesson, students will be able to:

- Describe the Active Directory module for Windows PowerShell.
- Describe how to use variables.
- Describe how to use pipelines and scripts.
- Describe how to format output from a Windows PowerShell command.
- Describe how to create and run Windows PowerShell scripts.
- Describe how to use Windows PowerShell loops and conditional expressions.
- Manage AD DS with Windows PowerShell.
- Describe how to obtain the Windows PowerShell history information from Active Directory Administrative Center.

Using the Active Directory Module for Windows PowerShell

You may be comfortable managing AD DS by using the common graphical tools such as Active Directory Users and Computers. Another option that you may not be as comfortable with is the Windows PowerShell cmdlets. Using the AD DS cmdlets to perform common tasks will help you learn how to use Windows PowerShell.

The Active Directory module for Windows PowerShell included in Windows Server 2012 provides over 130 cmdlets for managing Active Directory objects such as computer and user accounts, groups, trusts, and policies. The module is installed with the AD DS role and with the Remote Server Administration Tools, and its cmdlets talk to a domain controller through the Active Directory Web Services (ADWS) service, so a domain controller that runs ADWS must be reachable from the computer where you run them.

Using Windows PowerShell Variables

Windows PowerShell enables you to retrieve, modify, and filter data from many different sources. In some cases, you may want to store data for comparison or later use. For example, you may want to retrieve a list of the members of a particular security group and then modify the description field of each of the users. Variables are used to store and retrieve data in memory during a Windows PowerShell session. A variable always begins with a dollar ($) sign and can then be named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. Windows PowerShell variables are typed. This means that they are created to store a specific type of data, whether it is text, numbers, objects, time, arrays, or another defined object.

You can declare a variable in one of two ways, the first of which is using the Set-Variable cmdlet. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain by using the Set-Variable cmdlet, use the following command:
Set-Variable -Name ADDS -Value (Get-ADDomain)

You will notice that you do not specify the $ symbol when you use the Set-Variable cmdlet to declare variables. The second way to create a variable is by declaring it and assigning a value to it in one step. To do this, start the command with the name of the variable followed by an equal sign and then the command, commands, or value to assign. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain, use the following command:
$ADDS = Get-ADDomain

The $ADDS variable now holds a copy of the object output by the Get-ADDomain cmdlet. The output object takes on the type that is defined in the relevant class, and the variable maintains that structure. You can now read and manipulate the variable as you would a .NET object. To obtain information about the properties or to run methods, you can use dotted notation on the variable. For example, to determine the domain functional level reported by the DomainMode property of Get-ADDomain, you can use the following command:
> $ADDS.DomainMode
Windows2008R2Domain

You can also access methods, or actions, from a variable. For example, to determine the BaseType of $ADDS, you can use the GetType() method by running the following command:
> $ADDS.GetType().BaseType
Microsoft.ActiveDirectory.Management.ADPartition

When you use methods, you must follow the method name with () to distinguish it from a property. You can also use variables in calculations; for example, you can add the contents of two variables. To declare two variables and then add them together, use the following commands:
> $A = 1
> $B = 2
> $A + $B
3


When you use variables in calculations, make sure that they are typed correctly, because typing them incorrectly could lead to unexpected results. For example, notice what happens when variables are typed as string data instead of numbers:
> $C = "3"
> $D = "4"
> $C + $D
34

Instead of adding the two values numerically, they are concatenated. When you mix types together, there is more potential for unexpected results because Windows PowerShell will automatically cast, or convert, some data types. For example, see how the data is cast in the following example:
> $A + $C
4
> $C + $A
31

In these examples, the type of the first variable (the left operand) determines how the other variable is cast for the calculation. To better control how data is cast, you can specify the data type for each variable. To control how each variable is cast, see the following example:
> [string] $A + $C
13
> [int] $C + $A
4

Additional Reading: about_Variables
http://technet.microsoft.com/en-us/library/dd347604.aspx

Question: How do you declare variables and assign values to them?
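The following block is an added example, not from the course. It carries the typing point above into the comparisons that scripts depend on, where a value read from a file, the registry, or a directory attribute arrives as a string. It uses only local data and the WinRM service, so it runs on any Windows Server 2012 host.

```powershell
# Added example: how PowerShell's type rules change the outcome of a comparison.
# All values are made up; nothing here touches Active Directory.
$version = '10'       # strings are what you get from files, registry values and AD attributes
$minimum = '9'
$version -gt $minimum               # False: two strings are compared letter by letter, "1" < "9"
[int]$version -gt [int]$minimum     # True: the numeric comparison you meant

# The left operand decides the conversion for the whole expression
1 + '3'            # 4   (int on the left, the string is converted to a number)
'1' + 3            # 13  (string on the left, the number is converted to text)

# A type-constrained variable keeps its type for every later assignment
[int]$count = '42'
$count.GetType().Name                       # Int32
try   { $count = 'forty-two' }              # conversion fails: terminating error
catch { "rejected: $($_.Exception.Message)" }
# -as converts or returns $null instead of throwing, which is handier for untrusted input
'forty-two' -as [int]                       # $null
('12' -as [int]) -is [int]                  # True

# Look at the real type before you compare; enums accept their names as strings
$svc = Get-Service -Name WinRM
$svc.Status.GetType().FullName              # System.ServiceProcess.ServiceControllerStatus
$svc.Status -eq 'Running'                   # True if the service is running
$svc | Get-Member -MemberType Property      # every property with its .NET type

# Null and empty are different things; test for them explicitly, constant on the left
$desc = $null
if ($null -eq $desc) { 'attribute was not returned at all' }
if ([string]::IsNullOrWhiteSpace($desc)) { 'treat as missing' }
```

The `$null -eq $desc` order matters when the right side might be an array: `$array -eq $null` returns the matching elements (an empty array, which is truthy in some contexts) rather than a Boolean.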

The Windows PowerShell Pipeline

Windows PowerShell is an object-based environment. This means that the inputs and outputs of the cmdlets are objects that can be manipulated. In some instances, you may want to take the output of one cmdlet and pass it to another cmdlet for additional actions. For example, when you have to enable all disabled AD DS accounts in the domain, you could manually list each user by using the Get-ADUser cmdlet and then run the Enable-ADAccount cmdlet for each disabled user account. To make this easier, you can directly pass the output data from one cmdlet into another cmdlet, which is called piping. Piping is performed by putting the pipe (|) character between cmdlets. Each cmdlet is executed from left to right, each passing its output to the next cmdlet in line. For example, you can get a list of all users in the domain and then pipe the list to the Enable-ADAccount cmdlet by running the following command:
Get-ADUser -Filter * | Enable-ADAccount


Piping can be used extensively in Windows PowerShell, as it is in other shells. Windows PowerShell differs from typical shells because the data in the pipeline is an object instead of just simple text. Having an object in the pipeline enables you to easily preserve all the properties of the returned data. The object currently passing through the pipeline is available through a special variable named $_ (Windows PowerShell 3.0 also accepts $PSItem), which only exists while the pipeline is executing. For example, if you want to enable only the accounts that are disabled, you can use the Where-Object cmdlet to return only accounts that are disabled. To do this, run the following command:
Get-ADUser -Filter * | Where-Object {$_.Enabled -eq $false} | Enable-ADAccount

By piping an object with a list of all the users, you can use the Where-Object cmdlet to filter the accounts that are disabled based on the Enabled property of the account.

Note: This example is for teaching purposes only. It enables all the disabled accounts in the domain and should not be performed in a production environment because this may enable accounts that should remain disabled.
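The following block is an added example and not part of the course. It takes the same task, enabling disabled accounts, and shows how a practitioner would scope it: filtering on the domain controller instead of in Where-Object, narrowing to accounts that carry an explicit reason to be re-enabled, rehearsing with -WhatIf, and keeping a record of what was changed. It assumes a domain-joined computer with the Active Directory module; the OU and domain name (OU=Contractors,DC=adatum,DC=com) and the Description convention are assumptions.

```powershell
# Added example: scoping a bulk account change. OU, domain and the Description tag are
# made-up conventions; run on a domain-joined host with the ActiveDirectory module.
Import-Module ActiveDirectory
$ou = 'OU=Contractors,DC=adatum,DC=com'

# Client-side filter: every user object in the OU crosses the network, then most of it is
# thrown away locally by Where-Object.
$slow = Get-ADUser -Filter * -SearchBase $ou | Where-Object { $_.Enabled -eq $false }

# Server-side filter: the domain controller evaluates the condition and returns only matches.
$fast = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $ou

# Search-ADAccount has the common account states built in. Note that "locked out" is a
# different state from "disabled": it is cleared with Unlock-ADAccount, not Enable-ADAccount.
$disabled  = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $ou
$lockedOut = Search-ADAccount -LockedOut -UsersOnly -SearchBase $ou
"{0} disabled, {1} locked out" -f @($disabled).Count, @($lockedOut).Count

# Narrow to accounts whose Description records why they may be enabled again, then rehearse.
$candidates = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $ou -Properties Description |
    Where-Object { $_.Description -like 'Contract renewed*' }

$candidates | Enable-ADAccount -WhatIf
# What if: Performing the operation "Set" on target "CN=...,OU=Contractors,DC=adatum,DC=com".

# When the rehearsal lists exactly the accounts you expect, apply the change and log it.
$candidates | Enable-ADAccount -Confirm:$false -PassThru |
    Select-Object @{n='When';e={Get-Date -Format s}}, SamAccountName, DistinguishedName |
    Export-Csv -Path "$env:TEMP\enabled-accounts.csv" -NoTypeInformation -Append
```

Every Set-*, Enable-*, Disable-*, and Remove-* cmdlet in the module supports -WhatIf, so the rehearse-then-apply pattern costs one extra line and catches the "wrong OU" mistake before it touches the directory.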

Options for Formatting Windows PowerShell Output

When you work with AD DS data, you may have to retrieve lists of users, computers, or groups and visualize the data by using a tool such as Microsoft Office Excel, or you may have to view only specific properties on screen. Windows PowerShell enables both scenarios. First, consider formatting data for viewing on screen. There are several default cmdlets available to control how data is formatted. These cmdlets are described in the following table.

Format-List. This cmdlet outputs data in a list format with each property on its own line. You can specify the properties that you want displayed by using the Property parameter. You can call this cmdlet by using the alias FL. This cmdlet is useful when you view a small number of objects with a large number of properties.

Format-Table. This cmdlet outputs data in a table format with each property as its own column. You can specify the properties that you want displayed by using the Property parameter. You can call this cmdlet by using the alias FT. This cmdlet is useful when you view a large number of objects with a small number of properties.

Format-Wide. This cmdlet outputs data in a table format with only one property for each object. You can specify the property that you want displayed by using the Property parameter and the number of columns in which to display the data by using the Column parameter. You can call this cmdlet by using the alias FW. This cmdlet is useful when you view a large number of objects and you only need to see one property for each object, such as the name.

Format-Custom. This cmdlet outputs data in a format previously defined by using a PS1XML file. The settings in this file can specify which properties to show and how to arrange and group them. You can call this cmdlet by using the alias FC. This cmdlet is useful when you view data that you access frequently and have to customize which properties are shown.

Another set of cmdlets enables complex formatting and reporting. These are listed in the following table.

Measure-Object. This cmdlet takes the input object from the pipeline or a variable and performs calculations on specified properties and on text in strings and files. Calculations include counting objects and determining the average, minimum, maximum, and sum of property values. It can also count the number of occurrences of words and characters in a file or string. It is used when you have to quickly calculate the number of users selected as part of a query or determine the memory that a set of processes is using.

Select-Object. This cmdlet takes the input object from the pipeline or a variable and outputs objects that have only the selected properties. It can also select a subset of the items by using the -First, -Last, -Unique, and -Index parameters, which is valuable when you work with large data sets.

Sort-Object. This cmdlet takes the input object from the pipeline or a variable and sorts the data based on the selected properties. This is helpful when you have to provide a sorted list of data.

Where-Object. This cmdlet takes the input object from the pipeline or a variable and then applies a filter that is based on a specified query. The queries used for filtering are enclosed in braces and include a comparison. This is helpful when you have to select specific types of data.

You can use all these cmdlets together to create customized output to the screen. You can also use Out-File to write the output to a text file, or Export-Csv to export the data as a comma-separated values (CSV) file. Send the objects themselves to Export-Csv: the Format-* cmdlets emit formatting instructions rather than your data, so placing one before Export-Csv produces a file full of formatting records instead of the properties you wanted.
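The following block is an added example, not course code. It runs the reporting cmdlets above over a small set of account objects constructed inline, so it works without a domain; on a domain-joined host the first statement can be replaced by Get-ADUser -Filter * -Properties LastLogonDate,Department,PasswordNeverExpires. The account names and departments are invented.

```powershell
# Added example: from raw objects to a report. The four user objects are constructed here
# so the block runs anywhere; they mimic the properties Get-ADUser returns.
$now = Get-Date
$users = @(
    [pscustomobject]@{SamAccountName='adeyoung'; Department='Sales';   Enabled=$true;  PasswordNeverExpires=$false; LastLogonDate=$now.AddDays(-3)}
    [pscustomobject]@{SamAccountName='svc-sql';  Department='IT';      Enabled=$true;  PasswordNeverExpires=$true;  LastLogonDate=$now.AddDays(-200)}
    [pscustomobject]@{SamAccountName='jwilson';  Department='Sales';   Enabled=$false; PasswordNeverExpires=$false; LastLogonDate=$now.AddDays(-120)}
    [pscustomobject]@{SamAccountName='mjones';   Department='Finance'; Enabled=$true;  PasswordNeverExpires=$true;  LastLogonDate=$null}
)

# Select-Object with a calculated property derives a new column without changing the source.
# -1 marks accounts that have never logged on (no LastLogonDate).
$report = $users | Select-Object SamAccountName, Department, Enabled, PasswordNeverExpires,
    @{Name='DaysSinceLogon'; Expression={
        if ($_.LastLogonDate) { (New-TimeSpan -Start $_.LastLogonDate -End $now).Days } else { -1 } }}

# Where-Object filters, Sort-Object orders, Format-Table is for the screen only.
# Stale or never-used enabled accounts are the ones an attacker likes to find.
$report | Where-Object { $_.Enabled -and ($_.DaysSinceLogon -gt 90 -or $_.DaysSinceLogon -eq -1) } |
    Sort-Object DaysSinceLogon -Descending |
    Format-Table -AutoSize

# Measure-Object and Group-Object answer the "how many" questions.
($report | Where-Object { $_.PasswordNeverExpires } | Measure-Object).Count    # 2
$report | Group-Object Department | Select-Object Name, Count

# Export the objects, not formatted text, so the file round-trips cleanly.
$csv = Join-Path $env:TEMP 'account-report.csv'
$report | Export-Csv -Path $csv -NoTypeInformation
Import-Csv $csv | Select-Object -First 2

# What goes wrong if Format-Table comes first: the CSV columns are formatting internals.
$report | Format-Table | Export-Csv -Path "$env:TEMP\broken.csv" -NoTypeInformation
(Get-Content "$env:TEMP\broken.csv" -First 1)    # "ClassId2e4f51ef21dd47e99d3c952918aff9cd",...
```

Everything that comes back from Import-Csv is a string, which is why the typing rules from the variables topic matter when you compare DaysSinceLogon after a round trip through a file.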

Creating and Running Windows PowerShell Scripts

You can perform complicated multi-step tasks by using a pipeline and multiple cmdlets. There may be times when you have to run multiple functions, make choices, wait for tasks to complete, or run the same code repeatedly. In these cases, you can use a Windows PowerShell script to put all the steps together. A script is a text-based file that includes at least one Windows PowerShell command and is saved with a .ps1 file name extension. Scripts can be created to take input from the command line, letting you customize how the script executes.

Execution Policy

By default, the execution policy does not allow Windows PowerShell scripts to be executed. This safeguards the computer against scripts running unattended without the administrator knowing. The execution policy is a safety feature that stops you from running a script by accident; it is not a security boundary, because a user who can start the shell can also start it with a less restrictive policy. The execution policies that can be set are as follows:


- Restricted. This is the default policy for Windows Server 2012. It does not allow configuration files to load, nor does it allow scripts to be run. The Restricted execution policy is appropriate for any computer on which you do not run scripts, or run them only rarely. (Be aware that you could always manually open the shell with a less restrictive execution policy.)

- AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher, including scripts created on your local computer. This execution policy is useful for environments where you do not want to accidentally run any script unless it has an intact, trusted digital signature. This policy is less convenient because it requires you to digitally sign every script that you write, and to re-sign each script every time that you make any change to it.

- RemoteSigned. This policy requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher. This execution policy is useful because it assumes that local scripts are ones that you create yourself, and you trust them. It does not require those scripts to be signed. Scripts that are downloaded from the Internet or received through e-mail, however, are not trusted unless they carry an intact, trusted digital signature. (Windows recognizes such files by the zone identifier that browsers, e-mail clients, and other zone-aware applications attach to downloaded files; Unblock-File removes it once you have reviewed a script.) You could still run those scripts, by running the shell under a lesser execution policy, for example, or by signing the script yourself, but those are additional steps that you have to take, so it is unlikely that you would run such a script accidentally or unknowingly.

- Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, you are warned about potential dangers and must grant permission for the script to run. The Unrestricted execution policy is not usually appropriate for production environments because it provides little protection against accidentally or unknowingly running untrusted scripts.

- Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, the script will run without any warnings. This execution policy is not usually appropriate for production environments because it provides no protection against accidentally or unknowingly running untrusted scripts.

You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. Get-ExecutionPolicy -List shows the value at each scope (MachinePolicy, UserPolicy, Process, CurrentUser, and LocalMachine); the Group Policy scopes take precedence, so a policy delivered by Group Policy overrides whatever is set locally. To configure the execution policy for the computer, you must open an elevated Windows PowerShell window and run the Set-ExecutionPolicy cmdlet. After the execution policy is configured, you can run a script by typing the path to the script.
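The following block is an added example and not part of the course. It shows execution policy scopes, signs a script with an existing code-signing certificate, verifies the signature, demonstrates what a later edit does to it, and finally shows why the policy is not a security boundary. It assumes a code-signing certificate (for example, one issued by your enterprise CA) is already in the current user's personal store; the script body is deliberately free of Active Directory dependencies so that the block runs on any Windows Server 2012 host, and the timestamp server URL is an assumption that needs Internet access.

```powershell
# Added example: execution policy scopes, Authenticode signing and verification.
# Assumes a code-signing certificate in Cert:\CurrentUser\My; the timestamp URL is assumed.
Get-ExecutionPolicy -List   # MachinePolicy / UserPolicy (Group Policy) win over the local scopes

# Change only the scope you need: Process vanishes when this console closes and needs no
# elevation; CurrentUser and LocalMachine are persistent configuration changes.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force

# A small script to sign (no AD dependency so the block runs anywhere)
$script = Join-Path $env:TEMP 'Get-WinRMState.ps1'
@'
Get-Service -Name WinRM | Select-Object Name, Status, DisplayName
'@ | Set-Content -Path $script -Encoding UTF8

(Get-AuthenticodeSignature -FilePath $script).Status        # NotSigned
try { & $script } catch { "blocked: $($_.Exception.Message)" }   # AllSigned refuses it

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
# The timestamp keeps the signature verifiable after the certificate itself expires
Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' | Select-Object Status, StatusMessage

# Valid when the certificate chains to a trusted root; the shell still asks whether to trust
# the publisher until the certificate is also in Cert:\CurrentUser\TrustedPublisher.
(Get-AuthenticodeSignature -FilePath $script).Status
& $script

# Any change to the file, even an appended comment, no longer matches the signed hash.
Add-Content -Path $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status        # HashMismatch
try { & $script } catch { "blocked: $($_.Exception.Message)" }

# Guard rail, not boundary: anyone who can start powershell.exe can ask for another policy
# for that process. Control who can log on and what they may run (least privilege,
# AppLocker or Software Restriction Policies) rather than relying on this setting alone.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script
```

Signing earns its keep in combination with AllSigned on servers plus a change process that re-signs scripts only after review; on its own, a signature proves who signed the file and that it is unchanged since, nothing about whether its contents are safe.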

Simple Scripts

Scripts are text files that have a .ps1 file name extension. These files contain one or more commands that you want the shell to execute in a particular order. You can edit scripts by using Notepad, but Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively, obtain hints on the correct command syntax, and immediately see the results. You can then paste those commands into a script for long-term use. Or you can type your commands directly into a script, highlight each command, and press F8 to execute only the highlighted command. If you are pleased with the results, you save the script and you are finished. Generally, there are very few differences between what you can do in a script and what you would do at the command line. Commands work in the same manner in a script. This means that a script can be created just by pasting commands that you have already tested at the command line. The following is a simple script in a text file that is named Get-LatestLogon.ps1.

# This script returns the five users who most recently logged on to the domain.
# lastLogon is not replicated between domain controllers, so the answer reflects only the
# domain controller that served the query; query lastLogonTimestamp instead when you need
# a domain-wide view (it is replicated, but can be up to 14 days behind).
Get-ADUser -Filter * -Properties lastLogon | `
Sort-Object -Property lastLogon -Descending | `
Select-Object -First 5 | `
Format-Table name, `
@{Label="LastLogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} `
-AutoSize


Although this script contains a single pipeline statement, it is broken up by using the backtick (`) character. You can break up long lines of code by using the backtick character to make the script easier to read; the backtick must be the last character on the line, with no trailing space after it. Notice that the first line of this script starts with a hash mark (#). Text that follows a hash mark on a line will not be processed. Therefore, you can start a line with a hash mark and write notes and comments about the script. To run a script, you must type either the full or the relative path of the script; the shell deliberately does not run a script from the current directory by name alone. For example, to run the Get-LatestLogon.ps1 script, you can use either of the following options if the script is in your current directory or search path:
.\Get-LatestLogon.ps1
E:\ModXA\Democode\Get-LatestLogon.ps1

If the script name or path has spaces in it, you have to enclose the name in single or double quotation marks and invoke it by using the call operator, the ampersand (&) character. The following example shows how to do this by using both a relative and a full path.
& '.\Get Latest Logon.ps1'
& 'E:\ModXA\Democode\Get Latest Logon.ps1'

Using Windows PowerShell Loops and Conditional Expressions

Advanced Windows PowerShell scripts may require repeating commands a certain number of times, until a specific condition is met, or only if a specific condition is met. These test conditions are defined by using comparison statements.

Boolean Comparisons

Test, or comparison, statements are used as test conditions for loops and conditional constructs. These typically compare two or more objects or two or more property values, and are designed to result in a True or False value. These comparisons are frequently known as Boolean comparisons, because they can only result in one of the two Boolean values, True or False. As part of designing a Windows PowerShell script, using Boolean comparisons is a common task: you might compare two computer names to see whether they are equal, or compare a performance counter value to a predetermined threshold value to see which of the two is greater. The comparison operators sit between the two items that you want to compare. You probably remember simple comparisons from grade school math, such as 10 > 4, 5 < 10, and 15 = 15. Windows PowerShell performs comparisons the same way, although it has its own syntax. Some common comparison operators are as follows:

- -eq. Equal to
- -ne. Not equal to
- -le. Less than or equal to
- -ge. Greater than or equal to
- -gt. Greater than
- -lt. Less than


Windows PowerShell defines two special variables for comparisons, $True and $False, which represent the Boolean values true and false. If a comparison is true, the expression is evaluated as $True, and if the comparison is not true, the expression is evaluated as $False. For example, the comparison 4 is greater than 10 (4 -gt 10) will produce $False as its result, whereas 10 is equal to 10 (10 -eq 10) would produce $True. Windows PowerShell enables you to execute comparisons right on the command line. Type your comparison and press Enter to see the result of the comparison. Note that these operators compare strings without regard to case; use the c-prefixed forms such as -ceq and -cne when case must match. The real value of Boolean comparisons is shown when they are used in loops and conditional expressions.

There are several Windows PowerShell constructs that make use of Boolean comparisons to control the execution of code in a script. These constructs are if, switch, for, while, and foreach.

The if Statement

The if statement can be used to execute a block of code if the specified criteria are met. The basic functionality of an if statement is shown in the following example:
if (Boolean comparison)
{
    Code to complete if test expression is true
}

Another option available to allow for additional possibilities is using else and elseif statements. When you want to execute special code if a condition exists, or execute other code if it does not exist, you can use else. If there are additional conditions that you want to test for, you can use the elseif statement. Consider the following example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "$($Admin.Name) has an address of $($Admin.StreetAddress)"
if ($Today.DayOfWeek -eq "Monday")
{
    Set-ADUser -Identity Administrator -StreetAddress "Headquarters"
}
elseif ($Today.DayOfWeek -eq "Thursday")
{
    Set-ADUser -Identity Administrator -StreetAddress "London Office"
}
else
{
    Set-ADUser -Identity Administrator -StreetAddress "Out of the Office"
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is $($Today.DayOfWeek) and $($Admin.Name)" `
    "is working from the $($Admin.StreetAddress)"

The switch Statement

The switch statement is closely related to how if/else statements work. The statement enables a single condition statement to have multiple options for execution. The switch statement has the following syntax:
switch (Value Testing)
{
    Value 1 { Code run if value 1 condition exists }
    Value 2 { Code run if value 2 condition exists }
    Value 3 { Code run if value 3 condition exists }
    default { Code run if no other condition exists }
}

Using the previous example, you can achieve the same functionality with less work, as shown in this example:
$Today = Get-Date
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
# Write current settings to console
Write-Host "$($Admin.Name) has an address of $($Admin.StreetAddress)"
switch ($Today.DayOfWeek)
{
    "Monday"   { Set-ADUser -Identity Administrator -StreetAddress "Headquarters" }
    "Thursday" { Set-ADUser -Identity Administrator -StreetAddress "London Office" }
    default    { Set-ADUser -Identity Administrator -StreetAddress "Out of the Office" }
}
# Confirm settings were made
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
Write-Host "Today is $($Today.DayOfWeek) and $($Admin.Name)" `
    "is working from the $($Admin.StreetAddress)"

If a larger number of conditions have to be tested, the switch statement may be an easier option to use and debug. Unlike in some other languages, Windows PowerShell keeps evaluating the remaining cases after one matches, so more than one block can run unless you end a block with break.

The for Loop

The for loop can be used to execute a block of code a specific number of times, for example when multiple items have to be requested or created. The for statement syntax is as follows:
for (setup loop variables ; Boolean comparison ; action after each loop)
{
    Code to complete while Boolean comparison is true
}

The for loop begins with settings to configure variables, the Boolean comparison, and an action to complete after each loop. Consider the following example that creates five new computer accounts with unique names by using a for statement:
# Create a variable named $i and assign it a value of 1
# Execute the for loop for as long as $i is less than 6
# After each loop add 1 to the value of $i
for ($i = 1 ; $i -lt 6 ; $i++)
{
    # Create a variable with the name of the computer account
    $ComputerAcct = "LON-SRV" + $i
    New-ADComputer -Name $ComputerAcct
}

The while Loop


The while loop can be used to execute a block of code while a specific condition exists and resembles the
for loop, except that it does not have built in mechanisms to set up variables and actions to run after each
loop. This enables the while statement to continue executing until a condition is met instead of a set
number of times. The while statement syntax is as follows:
while (Boolean comparison)
{
Code to complete while Boolean expression is true
}

This script prints a random number on the screen until one of the random numbers is less than 50,000,000. The $i variable's value must be set before the while loop so that the condition is true on the first pass; otherwise the loop body never runs:
$i = 99999999999
while ($i -gt 50000000)
{
    Write-Host "Random Value: $i"
    $i = Get-Random
}

Also available is the do/while loop, which works just like the while loop except that the Boolean expression is evaluated at the end of the loop instead of the beginning. This means that the code block in a do/while loop is always executed at least one time. The value of $i does not have to be set before the do/while loop because the condition is evaluated only after the first pass. The following example shows a do/while loop:
do {
    Write-Host "Random Value: $i"
    $i = Get-Random
} while ($i -gt 50000000)

The foreach Statement

The foreach statement iterates through an array (collection), item by item, assigning a specifically named
variable to the current item of the collection. Then it runs the code block for that element.
foreach (item in collection)
{
Code to complete for each item in the collection.
}

Using the foreach statement can make batch modifications easier. Consider, for example, setting a
description for all users who are members of a specific group, as shown in the following example:
# Get a list of the members of the Domain Admins group
$DAdmins = Get-ADGroupMember "Domain Admins"
# Go through each member and set the Description
foreach ($user in $DAdmins)
{
    Set-ADUser $user -Description "In the Domain Admins Group"
}
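The loop above assumes that every member of Domain Admins is a user object. Get-ADGroupMember also returns nested groups and computer accounts, on which Set-ADUser fails, and it does not expand nested groups unless you ask it to. The following is an added example, not code from the course, that applies the same foreach pattern to a privileged-group review: it expands nested membership, keeps only user objects, flags the attributes a security reviewer looks for, and then records the result on each flagged account. The group name, the 90-day staleness threshold, and the description text are assumptions.

```powershell
# Added example (not from the course): review the members of a privileged
# group and flag accounts that need attention. Assumes the ActiveDirectory
# module is available and the caller can read user attributes.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport
{
    param(
        [string]$GroupName = "Domain Admins",   # assumed default
        [int]$StaleDays = 90                     # assumed threshold
    )

    $staleBefore = (Get-Date).AddDays(-$StaleDays)

    # -Recursive expands nested groups; the result can contain users,
    # computers, and groups, so filter on objectClass before calling a
    # user-only cmdlet such as Get-ADUser.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq "user" } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled

            $findings = @()
            if ($u.PasswordNeverExpires) { $findings += "PasswordNeverExpires" }
            if (-not $u.Enabled)          { $findings += "Disabled" }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $staleBefore)
            {
                $findings += "NoLogonIn${StaleDays}Days"
            }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1))
            {
                $findings += "PasswordOlderThan1Year"
            }

            # Emit an object rather than text so the result can be piped to
            # Export-Csv, Where-Object, or Set-ADUser.
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Group           = $GroupName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Findings        = ($findings -join ";")
            }
        }
}

# Report, then record the review date and findings on every flagged account.
$report = Get-PrivilegedGroupReport -GroupName "Domain Admins"
$report | Format-Table -AutoSize

foreach ($entry in ($report | Where-Object { $_.Findings }))
{
    Set-ADUser -Identity $entry.SamAccountName `
        -Description "Privileged account review $(Get-Date -Format yyyy-MM-dd): $($entry.Findings)"
}
```

Because the function emits objects instead of Write-Host text, the same report can be exported (`$report | Export-Csv`) or filtered before any change is made, and the foreach that writes to the directory only touches accounts that actually had a finding.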

Demonstration: Managing AD DS by Using Windows PowerShell
In this demonstration, you will review how to manage users and groups in Windows PowerShell.

Demonstration Steps
1. Start and log on to LON-DC1. Log on as the domain administrator.
2. Open Windows PowerShell ISE as an administrator.
3. Refer to the demonstration script in virtual machine LON-DC1 at E:\ModXA\Democode\Managing Users and Groups.ps1.

Active Directory Administrative Center Integration with Windows PowerShell
Active Directory Administrative Center is built on Windows PowerShell technology. It provides administrators the ability to perform enhanced data management by using a GUI. Using Active Directory Administrative Center, you can perform the following tasks:
• Manage user and computer accounts
• Manage groups
• Manage organizational units (OUs)
• Build queries to filter Active Directory information

Because Active Directory Administrative Center is built on Windows PowerShell, it can expose the Windows PowerShell commands that are used to interact with the GUI. These commands can be used to learn Windows PowerShell, build Active Directory management scripts, and keep track of changes that are made within the GUI.

Lesson 3
Managing Servers by Using Windows PowerShell 3.0

As you become familiar with Windows PowerShell, you can perform administrative and management tasks with more ease. There are advanced features in Windows PowerShell 3.0 that let you manage a single server from a local console and manage many servers from a remote location. The advanced features include Windows PowerShell Web Access, Windows PowerShell jobs, and Windows PowerShell workflow. This lesson introduces some more advanced features of Windows PowerShell 3.0 and discusses how you might use the features to manage servers in your environment.

Lesson Objectives
After completing this lesson, students will be able to:
• Describe the need to use Windows PowerShell for managing servers.
• Describe how to configure and use Windows PowerShell Web Access.
• Describe Windows PowerShell jobs.
• Describe Windows PowerShell workflows and how they can be used.
• Manage a server by using Windows PowerShell 3.0.

Discussion: The Need for Windows PowerShell for Server Management
Windows PowerShell has many features that make it useful in both large and small environments. Frequently the most difficult part of using Windows PowerShell is the starting point. Using Windows PowerShell to perform tasks that you perform every day will help you become more comfortable and more proficient in using it.
Consider the following questions:
Question: Why use Windows PowerShell for server management?
Question: What tasks will you use Windows PowerShell to perform?

What Is Windows PowerShell Web Access?
Windows PowerShell Web Access is a new feature in Windows Server 2012 that provides a web-based gateway to Windows PowerShell. This enables authorized users to administer a server without having management tools directly installed on their client computer, or having to use Remote Desktop to connect to the server. The administrator only has to configure a Windows PowerShell Web Access gateway, and use a web browser to connect.

Windows PowerShell Web Access gateway requires the Web Server Internet Information Services (IIS) role, the .NET Framework 4.5, and Windows PowerShell 3.0 to be installed. Many client types are supported to access Windows PowerShell Web Access, and still others are tested to work successfully. In order to work, the web browser must allow cookies, support connecting to the gateway by using Secure Sockets Layer (SSL), and also support JavaScript.

Installing Windows PowerShell Web Access Gateway
To install the Windows PowerShell Web Access gateway:
1. Install the Windows PowerShell Web Access feature (Install-WindowsFeature -Name WindowsPowerShellWebAccess).
2. Install an SSL certificate. An SSL certificate is required. A self-signed certificate can be created as part of the configuration process (Install-PswaWebApplication -UseTestCertificate); however, browsers will not trust it, so a certificate from a trusted certification authority is recommended for anything other than a test gateway.
3. Create or configure an IIS site with the Windows PowerShell Web Access Gateway web application. This can be configured by using Internet Information Services Manager or by using the Install-PswaWebApplication cmdlet.
4. Configure Windows PowerShell Web Access authorization rules. By default, no one will be able to use Windows PowerShell Web Access until at least one authorization rule is created. An authorization rule defines which users and groups have access, which computers they can access from the gateway, and which session configuration (and therefore which cmdlets) they get on those computers. Authorization rules are added by using the Add-PswaAuthorizationRule cmdlet. You can validate the functionality of the rules by using the Test-PswaAuthorizationRule cmdlet. Authorization rules are, by default, stored in %windir%\Web\PowerShellWebAccess\data\AuthorizationRules.xml.
5. Configure destination computer authentication and authorization rules. You must configure the destination computer security settings to enable remote access from the gateway. As you assign administrative permission to the target computers, we recommend assigning only the minimally required permissions and setting the appropriate execution policy for your environment.
6. Configure additional security options. As in any environment, appropriate security best practices should be followed. One example is installing and monitoring antivirus and anti-malware products on all the servers. Additionally, password expiration, lockout, and complexity policies should also be implemented.
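The steps above, carried through as an added example (not code from the course or from Microsoft's documentation), with the least-privilege choices a practitioner would make at steps 4 and 5: the gateway is installed, a constrained session configuration is registered on the destination server so the authorized group only sees a handful of cmdlets, and the authorization rule is written as a specific (group, computer, configuration) triple and then tested. The group ADATUM\HelpDesk, the session configuration name HelpDesk, the cmdlet list, and the test user name are assumptions; LON-SVR1 and LON-DC1 are the course lab machines.

```powershell
# Added example (not from the course): least-privilege Windows PowerShell
# Web Access gateway. Run on the gateway (LON-DC1 in the lab) as an
# administrator. ADATUM\HelpDesk, "HelpDesk", and helpdesk1 are assumed names.

# Steps 1-3: install the feature and the IIS web application.
# -UseTestCertificate creates a self-signed certificate that browsers will not
# trust; for production bind a CA-issued certificate to the site instead.
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
Install-PswaWebApplication -UseTestCertificate

# Step 5: on the destination server, register a constrained session
# configuration. RestrictedRemoteServer removes the language features and the
# ability to run arbitrary scripts, and -VisibleCmdlets limits what the
# endpoint exposes, so a stolen help desk password cannot be turned into a
# full remote shell through the gateway.
Invoke-Command -ComputerName LON-SVR1 -ScriptBlock {
    $pssc = Join-Path $env:ProgramData "HelpDesk.pssc"
    New-PSSessionConfigurationFile -Path $pssc `
        -SessionType RestrictedRemoteServer `
        -VisibleCmdlets Get-Service, Restart-Service, Get-EventLog, Get-Process
    Register-PSSessionConfiguration -Name HelpDesk -Path $pssc -Force
}

# Step 4: the authorization rule. Avoid "*" in any of the three fields: it
# widens the grant to every user, every computer, or the unrestricted default
# session configuration (Microsoft.PowerShell).
Add-PswaAuthorizationRule -RuleName "HelpDesk to LON-SVR1" `
    -UserGroupName "ADATUM\HelpDesk" `
    -ComputerName LON-SVR1 `
    -ConfigurationName HelpDesk

# Verify the rule grants exactly what was intended and nothing more.
# The first call should return the rule; the second should return nothing,
# because no rule covers the domain controller.
Test-PswaAuthorizationRule -UserName "ADATUM\helpdesk1" -ComputerName LON-SVR1 -ConfigurationName HelpDesk
Test-PswaAuthorizationRule -UserName "ADATUM\helpdesk1" -ComputerName LON-DC1 -ConfigurationName HelpDesk
Get-PswaAuthorizationRule
```

Two things the rule alone does not do: the HelpDesk group still needs Invoke permission on the HelpDesk endpoint on LON-SVR1 (Set-PSSessionConfiguration -Name HelpDesk -ShowSecurityDescriptorUI), and users must enter HelpDesk as the session configuration name in the optional connection settings on the logon page, because a rule with -ConfigurationName HelpDesk does not match a request for the default configuration.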

Using Windows PowerShell Web Access

To use Windows PowerShell Web Access, open a web browser and connect to the server by using https://ServerName/pswa. The logon page lets you connect directly to the gateway, to another server on the organization network, or to a custom URI. Using the optional connection settings on the logon page, you can specify one user account to log on to the gateway and another account to connect to the server on the organization network. This is useful if the account authorized to connect to the gateway does not have permissions on the internal server.

After you have established a Windows PowerShell session by using Windows PowerShell Web Access, you can begin using Windows PowerShell cmdlets and executing scripts based on the execution policy settings. Although most of the functionality is the same as using Windows PowerShell remoting, there are some differences. For example, you cannot use some shortcut keys to interact with Windows PowerShell Web Access, such as Ctrl+C to copy data, or any of the function keys used for things such as command history.

Additional Reading: Deploy Windows PowerShell Web Access
http://technet.microsoft.com/en-us/library/hh831611.aspx

What Are Windows PowerShell Jobs?

A Windows PowerShell background job runs a command or set of commands without interacting with the current Windows PowerShell session. You can start a background job by using the Start-Job cmdlet and then continue to work in the session. Using jobs can be useful when you perform tasks that can take an extended time to complete. You can also use jobs to perform the same task on several computers. The following example shows creating a new job on the local computer:

Start-Job -ScriptBlock {Get-ADUser -Filter *}

You can see the status of the job by using the Get-Job cmdlet and use Wait-Job to block until the job is complete. You can remove a job with the Remove-Job cmdlet; a job that is still running must be stopped with Stop-Job first (or removed with Remove-Job -Force). Because these jobs run in the background, they do not return results to your Windows PowerShell session automatically. The output that the job produces is held by the job object, and you retrieve it by using the Receive-Job cmdlet.

Windows PowerShell 3.0 introduced an improvement to background jobs, known as scheduled jobs. These jobs can be triggered to start automatically or performed on a recurring schedule. When a scheduled job is created, it is stored on disk and then registered in Task Scheduler. When a scheduled job runs, it creates an instance of the job that can then be managed by using the common job management cmdlets. The only difference between scheduled jobs and background jobs is that scheduled jobs save their results on disk.

Scheduled jobs are created by using the Register-ScheduledJob cmdlet. You can specify the ScriptBlock parameter to run a Windows PowerShell command, or you can specify a script by using the FilePath parameter. The following example shows how to register a scheduled job to run the GetLastLogon.ps1 script:

Register-ScheduledJob -Name LastLogonJob -FilePath \\LON-SVR1\Scripts\Mod3\democode\GetLastLogon.ps1

To enable the scheduled job to run, a schedule or trigger must be defined. Triggers are created by using the New-JobTrigger cmdlet. You can pass the trigger to the Add-JobTrigger cmdlet to add it to an already registered scheduled job, or pass it to the Trigger parameter when a new scheduled job is registered. Triggers can be scheduled once, daily, weekly, at server startup, or when you log on. The following example shows creating a trigger that runs every Monday and Friday at 9:00 AM and then registers the new scheduled job together with the trigger:

$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledLastLogonJob -FilePath `
\\LON-SVR1\Scripts\Mod3\democode\Get-LastLogon.ps1 -Trigger $Trigger

You can also use the Add-JobTrigger cmdlet to modify an existing scheduled job, as shown in the following example:

Add-JobTrigger -Name LastLogonJob -Trigger `
(New-JobTrigger -Daily -At 9:00AM)

Scheduled jobs can be used to automatically run tasks such as creating reports, verifying configuration settings, performing user and group maintenance, and many others.
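A scheduled job is a natural place for a recurring security check, and the job options matter as much as the trigger. The following is an added example, not code from the course: a nightly job that snapshots the membership of privileged groups to disk, reports any addition or removal as job output (read with Receive-Job) and as an Application event log entry (so a log collector sees it even if nobody reads the job), and is registered elevated, with a network requirement and a bounded result history. The group list, the C:\Audit folder, the event source name PrivGroupAudit, and the 02:00 trigger are assumptions.

```powershell
# Added example (not from the course): nightly privileged-group membership
# audit as a scheduled job. Assumes the ActiveDirectory module is installed
# where the job runs and that C:\Audit exists and is writable.
$groups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"

$auditScript = {
    param([string[]]$Groups, [string]$Folder)
    Import-Module ActiveDirectory

    # Load the previous snapshot (absent on the first run).
    $snapshotFile = Join-Path $Folder "privileged-members.json"
    $previous = @{}
    if (Test-Path $snapshotFile)
    {
        $saved = Get-Content -Path $snapshotFile -Raw | ConvertFrom-Json
        foreach ($p in $saved.PSObject.Properties) { $previous[$p.Name] = @($p.Value) }
    }

    $current = @{}
    foreach ($g in $Groups)
    {
        # -Recursive flattens nested groups so an indirect member is not missed.
        $current[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                         Select-Object -ExpandProperty SamAccountName | Sort-Object)

        if (-not $previous.ContainsKey($g))
        {
            "$(Get-Date -Format s) BASELINE $g : $($current[$g] -join ', ')"
            continue
        }

        # Set difference in both directions; works when either side is empty.
        $added   = @($current[$g]  | Where-Object { $previous[$g] -notcontains $_ })
        $removed = @($previous[$g] | Where-Object { $current[$g]  -notcontains $_ })

        # These strings become the job's output, retrieved with Receive-Job.
        foreach ($name in $added)   { "$(Get-Date -Format s) ADDED $name to $g" }
        foreach ($name in $removed) { "$(Get-Date -Format s) REMOVED $name from $g" }

        # Also raise an event so a SIEM picks the change up independently.
        foreach ($name in ($added + $removed))
        {
            Write-EventLog -LogName Application -Source PrivGroupAudit -EventId 1001 `
                -EntryType Warning -Message "Membership of $g changed: $name"
        }
    }
    $current | ConvertTo-Json | Set-Content -Path $snapshotFile
}

# Register the event source once (needs administrator rights).
if (-not [System.Diagnostics.EventLog]::SourceExists("PrivGroupAudit"))
{
    New-EventLog -LogName Application -Source PrivGroupAudit
}

# Daily at 02:00, run elevated, only when the network is up, keep 30 results.
$trigger = New-JobTrigger -Daily -At 2:00AM
$options = New-ScheduledJobOption -RunElevated -RequireNetwork
Register-ScheduledJob -Name PrivGroupAudit -ScriptBlock $auditScript `
    -ArgumentList $groups, "C:\Audit" -Trigger $trigger `
    -ScheduledJobOption $options -MaxResultCount 30

# Run it once now to write the baseline, and read the output.
Start-Job -DefinitionName PrivGroupAudit | Wait-Job | Receive-Job
```

Without -Credential the job runs as the account that registered it, so register it from an account that can read group membership but does not need to be a member of the groups it audits; the snapshot file should be on a volume that only administrators can write to, since an attacker who can edit it can hide an addition.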

Introduction to Windows PowerShell Workflow

Windows PowerShell Workflow is a new feature in Windows PowerShell 3.0. It enables easy-to-use workflows, or task sequences, within the familiar Windows PowerShell interface. A workflow can include individual Windows PowerShell commands or complete scripts. The difference between a workflow and perhaps an intricately designed script is that a workflow is designed to also be stopped, paused, and resumed. The workflow can wait until steps successfully complete before continuing to the next workflow step. For example, you can create a workflow that makes changes to multiple computers and waits for them all to restart before continuing to the next configuration step in the workflow.

Windows PowerShell workflows can be created by using a Windows PowerShell console, the Windows PowerShell ISE, or by using Microsoft Visual Studio Workflow Designer. Workflows created in Visual Studio Workflow Designer are saved with a .xaml file name extension. These workflows are imported by using the Import-Module cmdlet.

Workflows can be run as Windows PowerShell jobs by using the -AsJob parameter. Therefore, you can use the same cmdlets to manage running workflows as you do jobs. A workflow is created by using the following syntax:

Workflow WorkflowName { Commands to execute as part of the workflow }


After a workflow is created, it is executed in the same way as a cmdlet. Each workflow can be executed with the parameters that are listed in the following table.

Parameter                  Description
-PSComputerName            A list of target computers for the workflow to execute on
-PSRunningTimeoutSec       Length of time to allow for the workflow to execute
-PSConnectionRetryCount    Number of times the workflow retries a failed connection to a target computer
-PSPersist                 Toggles the workflow to checkpoint data and state after each activity

In a workflow, commands can be performed in a parallel or sequential manner. Commands that can be run in parallel are identified by using the parallel keyword. Commands that must be performed sequentially are identified by using the sequence keyword. Note that commands inside a workflow must be given their parameters by name; positional parameters are not supported. The following example shows a workflow with both keywords being used:
Workflow Get-DomainServerStats
{
    # The following are executed in any order
    Parallel
    {
        Get-Process
        Get-ADUser -Filter *
        # The following are executed sequentially
        Sequence
        {
            Set-ADUser -Identity Administrator -Description "Updated content"
            Get-ADUser -Identity Administrator -Properties Description
        }
    }
}

Windows Server 2012 includes a number of built-in workflows to enable configuration of multi-server deployments of Remote Desktop Services, retrieve information about installed Windows roles, and restart servers. To view the defined workflows, use the following command:
Get-Command -CommandType Workflow
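The pattern the text describes, as an added example that is not code from the course: independent reads run in a parallel block, state is checkpointed, a dependent stop/disable/verify sequence follows, and the workflow is invoked against several servers as a job with the common parameters from the table above. LON-SVR1 and LON-SVR2 are the course lab names; the credential variable, the RemoteRegistry service as the thing being disabled, and enabled WinRM on the targets are assumptions.

```powershell
# Added example (not from the course): apply and verify a hardening change
# on several servers with a workflow. Assumes WinRM is enabled on the targets
# and that $cred holds an account with local administrator rights there.
workflow Invoke-ServerBaseline
{
    param([string]$ServiceName = "RemoteRegistry")   # assumed default

    # Independent reads run concurrently on each target. Every parameter is
    # named, because workflow activities do not accept positional arguments.
    parallel
    {
        Get-HotFix
        Get-Service -Name $ServiceName
    }

    # Persist workflow state before making changes; a suspended or
    # interrupted workflow resumes from here rather than from the start.
    Checkpoint-Workflow

    # Dependent steps: stop, disable, then read back the result.
    sequence
    {
        Stop-Service -Name $ServiceName
        Set-Service -Name $ServiceName -StartupType Disabled
        Get-Service -Name $ServiceName
    }
}

$cred = Get-Credential -UserName "ADATUM\Administrator" -Message "RunAs account for the targets"

# Fan out over the servers as a job. -PSPersist $true checkpoints after every
# activity in addition to the explicit checkpoint above; the retry count
# absorbs a transient WinRM failure instead of aborting the whole run.
$job = Invoke-ServerBaseline -ServiceName RemoteRegistry `
    -PSComputerName LON-SVR1, LON-SVR2 `
    -PSCredential $cred `
    -PSConnectionRetryCount 3 `
    -PSPersist $true `
    -AsJob

# Workflow output is tagged with the originating computer.
Wait-Job $job | Receive-Job |
    Where-Object { $_.Name -eq "RemoteRegistry" } |
    Format-Table PSComputerName, Name, Status -AutoSize
```

Because the workflow runs through WinRM under $cred, scope that account to the servers being changed rather than using a domain-wide administrator, and prefer a constrained session configuration on the targets where one exists.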

Demonstration: Managing a Server by Using Windows PowerShell 3.0

In this demonstration, you will review how to use Windows PowerShell Web Access and Windows PowerShell jobs.

Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then log on to LON-DC1 as the domain administrator.
2. Open Windows PowerShell Web Access at https://LON-DC1/pswa by using the following information:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Computer: LON-DC1
3. Start a new job to list all Active Directory users, by using the Start-Job cmdlet.
4. Obtain the status of the job by running Get-Job.
5. Create a new scheduled job by running the following commands, each followed by Enter:
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledJob1 -ScriptBlock {Get-ADUser -Filter *} -Trigger $Trigger
6. Run the scheduled job immediately by using the Start-Job cmdlet (Start-Job -DefinitionName ScheduledJob1).


Lab: Managing Servers Running Windows Server 2012 by Using Windows PowerShell 3.0

Scenario

As the A. Datum network grows in size and complexity, it is becoming increasingly apparent that some IT
management processes have to be streamlined. The number of users in the organization is increasing
quickly with users distributed in many locations. Servers are also being deployed in multiple data centers
and in private and public clouds. A. Datum is deploying most new servers as virtual servers in Hyper-V. A.
Datum has to ensure that both the host computers and virtual machines are managed consistently.

To address these server and AD DS management issues, you have to gain familiarity with Windows
PowerShell. You have to understand how to run simple and complex commands and how to create scripts
that will automate many of the regular management tasks.

Objectives
After completing this lab, you will be able to:

Explore Windows PowerShell commands and tools.

Manage AD DS by using Windows PowerShell.

Manage local and remote servers by using Windows PowerShell.

Lab Setup
Estimated time: 30-60 minutes

Virtual Machine(s): 20417-LON-DC1, 20417-LON-SVR1, 20417-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1 and 20417A-LON-SVR2.

Exercise 1: Introduction to Windows PowerShell 3.0

Scenario
As a part of becoming familiar with the Windows PowerShell interface, you will explore the interface and browse through the available cmdlets.
The main tasks for this exercise are as follows:
1. Use Windows PowerShell ISE to retrieve basic information about LON-DC1.
2. Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1.
3. Use a remote Windows PowerShell session to install XPS Viewer on LON-SVR1.


Task 1: Use Windows PowerShell ISE to retrieve basic information about LON-DC1
1. Start the following virtual machines: LON-DC1, LON-SVR1, and LON-SVR2.
2. On LON-DC1, open Windows PowerShell ISE as an administrator.
3. Retrieve a list of installed Windows features by using Get-WindowsFeature.
4. List the contents of the E:\ModXA\Democode directory by running Get-ChildItem E:\ModXA\Democode.
5. List the contents of C:\Windows by running dir C:\Windows.
6. Use tab completion to find the correct cmdlet that begins with Get-Ex to see the execution policy setting on LON-DC1.

Task 2: Use Windows PowerShell ISE to retrieve a list of stopped services on LON-DC1
1. If it is necessary, open Windows PowerShell ISE as an administrator.
2. Retrieve a list of services by running Get-Service.
3. Assign the results of Get-Service to the $Services variable.
4. Use the Get-Help cmdlet to view the examples of how to use Where-Object.
5. Use a pipeline to pipe the $Services variable to the Where-Object cmdlet to show only services that have a status of Stopped.

Task 3: Use a remote Windows PowerShell session to install XPS Viewer on LON-SVR1
1. If it is necessary, open Windows PowerShell ISE as an administrator and open a new remote PowerShell tab.
2. Establish a remote PowerShell session with LON-SVR1.
3. Retrieve a list of all installed Windows features on LON-SVR1 by using Get-WindowsFeature.
4. Install XPS Viewer on LON-SVR1 by using Add-WindowsFeature.
5. Use command history to run Get-WindowsFeature and verify that XPS Viewer is installed.
6. Close the remote PowerShell session.

Results: After this exercise, you will have explored the Windows PowerShell ISE interface and used
cmdlets, variables, and pipelining.

Exercise 2: Managing AD DS by Using Windows PowerShell 3.0

Scenario

After you explore the Windows PowerShell interface and cmdlets, you want to explore the options and cmdlets available in the Active Directory module for Windows PowerShell and begin to use it for basic tasks such as formatting Windows PowerShell output, using variables and loops, and creating scripts.
The main tasks for this exercise are as follows:
1. Import the Active Directory PowerShell module and view the available cmdlets.
2. View options on how to create a report of users in the Active Directory domain.
3. Use a script to create new users in the domain by using a CSV-based file.
4. Create a script to modify the address of a user based on the day of the week.

Task 1: Import the Active Directory PowerShell module and view the available cmdlets
1. If it is necessary, open Windows PowerShell ISE as an administrator.
2. Import the Active Directory module by using the Import-Module cmdlet.
3. Use the Get-Command cmdlet to view the cmdlets available in the Active Directory module.

Task 2: View options on how to create a report of users in the Active Directory domain
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory module.
2. Use the Get-Command cmdlet to view the cmdlets available in the ActiveDirectory module.
3. Use Windows PowerShell to view a list of all users in the domain. Review how Format-List modifies the formatting by running the following commands:
Get-ADUser -Filter * | Format-List
Get-ADUser -Filter * |
Format-List -Property GivenName, Surname
Get-ADUser -Filter * -Properties * | Format-List *

4. Use Windows PowerShell to view a list of all users in the domain. Review how Format-Table modifies the formatting by running the following commands:
Get-ADUser -Filter * | Format-Table
Get-ADUser -Filter * |
Format-Table -Property GivenName, Surname
Get-ADUser -Filter * -Properties * | Format-Table
5. Use Windows PowerShell to view a list of all OUs in the domain. Review how Format-Wide modifies the formatting by running the following commands:
Get-ADOrganizationalUnit -Filter * | Format-Wide
Get-ADOrganizationalUnit -Filter * |
Format-Wide -Column 3
6. Use Windows PowerShell to adjust the formatting of the users report. Review how the Sort-Object cmdlet modifies the output by running the following:
Get-ADUser -Filter * | Sort-Object | Format-Wide
Get-ADUser -Filter * | Sort-Object -Property ObjectGUID | Format-Wide -Property ObjectGUID
7. Run the following command to see how to use the Measure-Object cmdlet:
Get-ADUser -Filter * | Measure-Object

Task 3: Use a script to create new users in the domain by using a CSV-based file
1. On LON-DC1, browse to the Start screen and then type Notepad.exe. Press Enter.
2. Use Notepad.exe to view E:\ModXA\Democode\LabUsers.csv. You will need to change the file type to All Files.
3. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\LabUsers.ps1.
4. On line 13, modify the $OU variable to read: $OU = "OU=Sales,DC=Adatum,DC=com"
5. Run the LabUsers.ps1 script.
6. Use Get-ADUser -Filter * -SearchBase "OU=Sales,DC=Adatum,DC=com" to confirm that Luka Abrus, Marcel Truempy, Andy Brauninger, and Cynthia Cary were created.

Task 4: Create a script to modify the address of a user based on the day of the week
1. If it is necessary, open Windows PowerShell ISE as an administrator and import the Active Directory module.
2. Use Windows PowerShell ISE to open the script that is located at E:\ModXA\Democode\Using If Statements.ps1.
3. Verify that line 9 reads:
$Admin = Get-ADUser -Identity Administrator -Properties StreetAddress
4. Review each section of the script and then run the script. Run the script a second time to view the changes.

Results: After completing this lab, you will have explored the Active Directory Windows PowerShell
module, experienced formatting output in Windows PowerShell, used a Windows PowerShell script to
create users, and used Windows PowerShell conditional loops to modify Active Directory properties.

Exercise 3: Managing Servers by Using Windows PowerShell 3.0

Scenario
Because of plans for remote server management, you want to explore possibilities to use Windows PowerShell for remote management. You want to test remote connections in Windows PowerShell and Windows PowerShell Web Access.
The main tasks for this exercise are as follows:
1. Install and configure Windows PowerShell Web Access.
2. Verify Windows PowerShell Web Access configuration.

Task 1: Install and configure Windows PowerShell Web Access
1. Install Windows PowerShell Web Access on LON-DC1 by using the following command:
Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName LON-DC1 -IncludeManagementTools -Restart
2. Configure Windows PowerShell Web Access by running Install-PswaWebApplication -UseTestCertificate. The test certificate is self-signed and suitable only for the lab; browsers will warn about it.
3. Create a Windows PowerShell Web Access authorization rule that only enables the administrator to access the gateway by using Add-PswaAuthorizationRule.

Task 2: Verify Windows PowerShell Web Access configuration
1. Open Internet Explorer and navigate to https://LON-DC1/pswa.
2. Sign in to Windows PowerShell Web Access by using the following information:
   o User: Administrator
   o Password: Pa$$w0rd
   o Computer: LON-DC1
3. Verify that you can retrieve information from the computer you signed in to (LON-DC1) by retrieving the five newest System events. Run the following command:
Get-EventLog -LogName System -Newest 5
4. Obtain the 20 newest Security events from LON-DC1 and LON-SVR2 by running the following command:
Invoke-Command -ScriptBlock { Get-EventLog -LogName Security -Newest 20 } -ComputerName LON-DC1,LON-SVR2

Results: After this exercise, you will have performed one-to-many management of remote servers by using Windows PowerShell, installed and configured Windows PowerShell Web Access, and managed servers by using Windows PowerShell Web Access.

To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR2 and 20417A-LON-DC1.

Module Review and Takeaways


Review Questions
Question: Which cmdlet will display the content of a text file?
Question: Which cmdlet will move a file to another directory?
Question: Which cmdlet will rename a file?
Question: Which cmdlet will create a new directory?
Question: Which cmdlet do you think would retrieve information from the event log?
Question: Which cmdlet do you think would start a stopped VM?

Best Practices

Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This will
make you more comfortable with working with Windows PowerShell and will equip you for using it to
resolve more difficult problems.

Save the commands that you have used to resolve problems in a script file for later reference.

Use Windows PowerShell ISE to help write scripts and ensure you have the correct syntax.

Common Issues and Troubleshooting Tips

Common Issue                                                                        Troubleshooting Tip
Administrators cannot find the correct Windows PowerShell cmdlet for a task.
Administrator cannot connect to a server by using remote Windows PowerShell.
Get-Help does not provide any help for cmdlets.
An administrator is new to Windows PowerShell and is uncomfortable with the command line.

Tools
You can use the tools in the following table to work with Windows PowerShell.

Tool                                                   Description
Windows PowerShell Integrated Scripting Environment (ISE)   Windows PowerShell ISE provides a simple, yet powerful interface to create and test scripts, and discover new cmdlets.
Microsoft Visual Studio Workflow Designer              This is a development tool that is used to create Windows PowerShell workflows.
Powershell.exe                                         This is the Windows PowerShell executable.
Active Directory Administrative Center                 This tool enables you to perform common Active Directory management tasks such as creating and modifying user and computer accounts. All the changes that you make by using this management tool are logged in the Windows PowerShell History pane.

Real-world Issues and Scenarios

Many common tools can be replaced with Windows PowerShell cmdlets. The following table gives some examples of common commands that can be replaced with Windows PowerShell cmdlets in Windows Server 2012.

Old Command                 Windows PowerShell Equivalent
ipconfig /all               Get-NetIPConfiguration
Shutdown.exe                Restart-Computer (Stop-Computer)
Net Start                   Start-Service (Restart-Service)
Net Stop                    Stop-Service (Restart-Service)
Net Use                     New-SmbMapping
Netstat                     Get-NetTCPConnection
Netsh advfirewall add       New-NetFirewallRule
Route Print                 Get-NetRoute


Module 4
Managing Storage for Windows Server 2012
Contents:
Module Overview                                                       4-1
Lesson 1: New Features in Windows Server 2012 Storage                 4-2
Lesson 2: Configuring iSCSI Storage                                   4-12
Lesson 3: Configuring Storage Spaces in Windows Server 2012           4-18
Lab A: Managing Storage for Servers Based on Windows Server 2012      4-23
Lesson 4: Configuring BranchCache in Windows Server 2012              4-25
Lab B: Implementing BranchCache                                       4-36
Module Review and Takeaways                                           4-40

Module Overview

Storage space requirements have been increasing ever since the invention of server-based file shares. The
Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk
space that is required and to effectively manage physical disks: data deduplication and storage spaces.
This module provides an overview of these features and explains the steps required to configure them.

Another concern in storage is the connection between the storage and the remote disks. Internet small
computer system interface (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps
create a connection between the servers and the storage. To implement iSCSI storage in Windows Server
2012, you must be familiar with the iSCSI architecture and components. In addition, you must be
familiar with the tools that are provided in Windows Server to implement an iSCSI-based storage. Also,
in organizations that have branch offices, you have to consider slow links and how to use these links
efficiently when data is sent between your offices. The BranchCache feature in Windows Server 2012 helps
address the problem of slow connectivity. This module explains the BranchCache feature and the steps to
configure BranchCache.

Objectives
After completing this module, you will be able to:

Describe the new features in Windows Server 2012 storage.

Configure iSCSI storage.

Configure storage spaces.

Configure BranchCache.

Lesson 1
New Features in Windows Server 2012 Storage

The storage demand on servers is ever-increasing, and storage comprises a larger part of an IT
department's budget. Larger volumes are required on flexible disks that can be added or removed
dynamically. Windows Server 2012 includes changes to the storage area that will help administrators to
ease the management of physical disks and provide technologies to reduce disk space consumption.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the File and Storage Services in Windows Server 2012.

Describe the data deduplication process.

Configure data deduplication.

Describe the capabilities of thin provisioning and trim storage.

Describe the new features in File Server Resource Manager.

Describe basic and dynamic disks.

Describe Resilient File System (ReFS) and its advantages.

Describe removed and deprecated features.

File and Storage Services in Windows Server 2012
File and Storage Services includes technologies that help you set up and manage one or more file
servers. File servers are servers that act as central locations on the network where you can store files
and, optionally, share them with users. Windows Server 2012 offers the following new file and storage
services features:

Multiterabyte volumes. You can use this feature to deploy multiterabyte NTFS file system volumes, which
support consolidation scenarios and maximize storage use. The Chkdsk tool introduces a new approach
that prioritizes volume availability and allows for the detection of corruption while the volume remains
online with data available.

Data deduplication. You can use this feature to save disk space by storing a single copy of identical
data on the volume.

iSCSI target server. You can use this feature to provide block storage to other servers and applications
on the network by using the iSCSI standard.

Storage spaces and storage pools. You can use this feature to virtualize storage by grouping
industry-standard disks into storage pools, and then create storage spaces from the available capacity in
the storage pools.

Unified remote management of File and Storage Services in Server Manager. You can use this feature
to remotely manage multiple file servers, including their role services and storage, all from a single
window.

Windows PowerShell cmdlets for File and Storage Services. You can use the Windows PowerShell
cmdlets for performing most administration tasks for file and storage servers.

Additional Reading: File and Storage Services overview
http://technet.microsoft.com/en-us/library/hh831487(d=lightweight,v=ws.11)

Question: Are you currently implementing volumes that are 10 terabytes or larger? What are
the problems with volumes of that size?

What Is Data Deduplication?
Data deduplication is a role service of Windows Server 2012. Data deduplication identifies and
removes duplications within data without compromising its integrity to achieve the ultimate
goal of storing more data while concurrently using less physical disk space.

Data integrity and recoverability are maintained in a process that involves evaluating checksum
results and other algorithms. Data deduplication is highly scalable, resource efficient, and
nonintrusive. It can run on dozens of large volumes of primary data concurrently without
affecting other workloads on the server. Low impact on the server workloads is maintained by throttling
the CPU and memory resources that are consumed. Using data deduplication jobs, you can schedule
when data deduplication should run, specify the resources to deduplicate, and tune file selection.

When combined with BranchCache, the same optimization techniques are applied to data that is
transferred over the wide area network (WAN) to a branch office. This results in faster file download times
and reduced bandwidth consumption.

Volume Requirements for Data Deduplication

After the feature is installed, you can enable data deduplication on a per-volume basis. Each volume must
meet the following requirements:

Volumes must not be a system or boot volume. Deduplication is not supported on volumes where the
operating system is installed.

Volumes may be partitioned by using master boot record (MBR) or GUID partition table (GPT) format,
and must be formatted by using the NTFS file system. The new Resilient File System (ReFS) file system
is not supported for use on a data deduplication volume.

Volumes must be exposed to Windows as non-removable drives, that is, no USB or floppy drives.

Volumes can be on shared storage, such as a Fibre Channel or Serial Attached SCSI (SAS) array, or an
iSCSI storage area network (SAN).

Cluster Shared Volumes (CSV) volumes are not supported.

The Data Deduplication Process

When you enable data deduplication on a volume, a background task runs with low priority and
processes the files on the volume. That is, the background task segments all file data on the volume into
small, variable sized chunks (32 to 128 KB). Then, it identifies chunks that have one or more duplicates on
the volume. All duplicate chunks are then replaced (erased from disk) with a reference to a single copy of
that chunk. Finally, all remaining chunks are compressed so that even more disk space is saved.

When to Use Data Deduplication

Data deduplication is designed to be installed on primary (and not logically extended) data volumes
without adding any additional dedicated hardware. You can install and use the feature without affecting
the primary workload on the server. The default settings are non-intrusive because only files older than
30 days are processed. The implementation is designed for low memory and CPU priority. However, if
memory use becomes high, deduplication backs off and waits for available resources. You can schedule
deduplication based on the type of data involved and the frequency and volume of changes that occur to
the volume or particular file types.
You should consider using deduplication for the following areas:

File shares. This includes group content publication or sharing, user home folders, and profile
redirection (offline files). You may be able to save approximately 30 to 50 percent disk space.

Software deployment shares. This includes software binaries, images, and updates. You may be able to
save approximately 70 to 80 percent space.

Virtual hard disk (VHD) libraries. This includes VHD file storage for provisioning to hypervisors. You
may be able to save approximately 80 to 95 percent space.

Note: Use the deduplication evaluation tool (DDPEval.exe) to analyze a volume for the
expected savings that you would get when enabling deduplication. This utility is automatically
installed to \Windows\System32\ of the local computer when data deduplication is enabled.

When data deduplication is enabled, and the data is optimized, the volume contains the following:

Unoptimized files. These are skipped files. For example, system state files, encrypted files, files with
extended attributes, files smaller than 32 KB, and reparse point files (previously optimized files that
contain pointers to the respective chunks in the chunk store needed to build the file).

Optimized files. These are stored as reference points to the chunk store.

Chunk store. This is the optimized file data.

Additional Reading:
Data Deduplication Overview
http://technet.microsoft.com/en-us/library/hh831602
Introduction to Data Deduplication in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-to-data-deduplication-in-windows-server-2012.aspx

Question: On which of your shares can you use data deduplication?

Demonstration: Configuring Data Deduplication
In this demonstration, you will see how to add the data deduplication role service and enable data
deduplication on drive E.

Demonstration Steps
Add the Data Deduplication role service

1. Log on to LON-DC1 with a username of Adatum\Administrator and the password of Pa$$w0rd.

2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features
to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication

Enable Data Deduplication on E: Drive

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then
click Volumes.

2. In the Volumes pane, right-click E:, and select Configure Data Deduplication.

3. Configure data deduplication with the following settings:
o Enable data deduplication: Enabled
o Deduplicate files older than (in days): 3
o Set Deduplication Schedule: Enable throughput optimization
o Start time: current time
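The same demonstration performed with the Deduplication module cmdlets, as an added example that is not course material. It first checks the volume requirements from the previous topic (not the operating system volume, NTFS rather than ReFS or a CSV, a fixed drive), then enables deduplication on E:, applies the 3-day file age from the demonstration, creates a daily optimization schedule starting now, runs one optimization pass and reports the savings. The function names and the schedule name are assumptions.

```powershell
# Added example, not part of the course: enable data deduplication on E: with the
# Deduplication module after checking the volume requirements listed earlier.
Import-Module Deduplication -ErrorAction Stop   # present once FS-Data-Deduplication is installed

function Test-DedupVolumeRequirements {
    # Returns the requirements the volume fails; no output means it qualifies
    param([Parameter(Mandatory)][string]$DriveLetter)

    $vol = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    $problems = @()
    # Not the system/boot volume (the operating system volume is unsupported)
    if ($DriveLetter -eq $env:SystemDrive.TrimEnd(':')) { $problems += 'system/boot volume' }
    # NTFS only: ReFS is unsupported, and a Cluster Shared Volume reports CSVFS here
    if ($vol.FileSystem -ne 'NTFS') { $problems += "file system is '$($vol.FileSystem)', not NTFS" }
    # Must be a fixed disk, not a removable (USB/floppy) drive
    if ($vol.DriveType -ne 'Fixed') { $problems += "drive type is '$($vol.DriveType)', not Fixed" }
    return $problems
}

function Enable-DedupOnVolume {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [int]$MinimumFileAgeDays = 3,                        # demonstration value; the default is 30
        [string]$ScheduleName    = 'ThroughputOptimization'  # constructed name
    )
    $problems = Test-DedupVolumeRequirements -DriveLetter $DriveLetter
    if ($problems) { throw "Cannot enable deduplication on ${DriveLetter}: $($problems -join '; ')" }
    $volume = "${DriveLetter}:"

    # The Add Roles and Features Wizard step, done only if the role service is missing
    if (-not (Get-WindowsFeature -Name FS-Data-Deduplication).Installed) {
        Install-WindowsFeature -Name FS-Data-Deduplication | Out-Null
    }

    # "Enable data deduplication" and "Deduplicate files older than (in days)"
    Enable-DedupVolume -Volume $volume | Out-Null
    Set-DedupVolume -Volume $volume -MinimumFileAgeDays $MinimumFileAgeDays

    # "Enable throughput optimization" with the start time set to now: a daily
    # optimization job allowed to run for up to 4 hours
    if (-not (Get-DedupSchedule -Name $ScheduleName -ErrorAction SilentlyContinue)) {
        New-DedupSchedule -Name $ScheduleName -Type Optimization -Start (Get-Date) `
            -Days Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday -DurationHours 4 | Out-Null
    }

    # Run one optimization pass now rather than waiting for the schedule, then report
    Start-DedupJob -Volume $volume -Type Optimization -Wait | Out-Null
    Get-DedupStatus -Volume $volume |
        Select-Object Volume, OptimizedFilesCount, InPolicyFilesCount, SavedSpace, SavingsRate
}

Enable-DedupOnVolume -DriveLetter 'E'
```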

What Are Thin Provisioning and Trim Storage?
Windows Server 2012 introduces two new storage concepts. They are:

Thin provisioning. This is a functionality that you can use to allocate storage space on a just-in-time
basis and is available with storage spaces or virtual disks. Using traditional disk provisioning methods, a
volume would immediately consume all the disk space it was sized for. For example, a 2 GB volume would
occupy 2 GB of disk space. Even if the data inside that volume is less than 2 GB, that entire storage
amount is reserved on the disk. Similar to a dynamically expanding VHD, a virtual disk configured as thin
provisioning would only use the space from a storage pool on an as-needed basis. The virtual disk is only
allocated space on the volume as data is added. This also lets you create virtual disks that have a larger
maximum size than the free space in the storage pool. For example, with thin provisioning, you can create
a 1 terabyte virtual disk even though your storage pool only has 500 GB of free space available.

Trim storage. This is a functionality that you can use to reclaim storage that is no longer needed. The
file system can inform an underlying physical storage device that the contents of specified sectors are
no longer important. Therefore, these sectors can be used by another volume in a storage pool. Trim
requests to a mounted VHD or inside Hyper-V are now propagated to the underlying storage device.

Thin provisioning and trim storage are available by default in Windows Server 2012; no feature or role has
to be installed.
Thin provisioning and trim storage in Windows Server 2012 provide the following capabilities:

Identification. Windows Server 2012 uses a standardized method to detect and identify thinly
provisioned virtual disks, thereby enabling additional capabilities delivered by the storage stack. The
storage stack is provided in the operating system and is available through storage management
applications.

Notification. When the configured physical storage use thresholds are reached, Windows Server 2012
notifies the administrator through events. This enables the administrator to take appropriate action as
soon as possible. These events can also start automated actions from sophisticated management
applications, such as Microsoft System Center.

Optimization. Windows Server 2012 provides a new API that enables applications to return storage when
it is no longer needed. NTFS issues trim notifications in real time, when appropriate. Additionally, trim
notifications are issued as part of storage consolidation (optimization), which is performed regularly
on a scheduled basis.

Additional Reading: Thin Provisioning and Trim Storage Overview
http://technet.microsoft.com/en-us/library/hh831391.aspx
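The 1 TB virtual disk on a 500 GB pool case from this topic, built with the Storage module cmdlets, as an added example that is not part of the course. It assumes at least one physical disk that is not yet in a pool; the pool, disk and label names are constructed, and the reported AllocatedSize is what a thin disk has actually drawn from the pool as opposed to the size the operating system sees.

```powershell
# Added example, not from the course: a thin-provisioned storage space larger
# than the pool that backs it, with provisioned vs. allocated size reported.

function New-ThinProvisionedSpace {
    param(
        [string]$PoolName = 'LabPool',     # constructed
        [string]$DiskName = 'ThinData',    # constructed
        [uint64]$Size     = 1TB            # may exceed the pool's free space when Thin
    )
    # Disks with no partitions that are not yet in any pool
    $disks = @(Get-PhysicalDisk -CanPool $true)
    if ($disks.Count -eq 0) { throw 'No poolable physical disks on this server' }

    $subsystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*' | Select-Object -First 1
    $pool = New-StoragePool -FriendlyName $PoolName `
        -StorageSubSystemFriendlyName $subsystem.FriendlyName -PhysicalDisks $disks

    # Thin: capacity is drawn from the pool as data is written, not at creation.
    # With -ProvisioningType Fixed this call would fail when $Size exceeds the pool.
    $vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
        -Size $Size -ProvisioningType Thin -ResiliencySettingName Simple

    # Initialize, partition and format the new disk; NTFS issues trim, so space
    # freed on this volume is returned to the pool
    $disk = $vdisk | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel $DiskName -Confirm:$false | Out-Null

    [pscustomobject]@{
        Pool          = $pool.FriendlyName
        PoolSizeGB    = [math]::Round($pool.Size / 1GB)
        ProvisionedGB = [math]::Round($vdisk.Size / 1GB)            # what the OS and users see
        AllocatedGB   = [math]::Round($vdisk.AllocatedSize / 1GB)   # actually consumed from the pool
        DriveLetter   = $part.DriveLetter
    }
}

function Get-ThinSpaceUsage {
    # Re-query later: AllocatedSize grows as data lands and shrinks after trim
    param([string]$DiskName = 'ThinData')
    Get-VirtualDisk -FriendlyName $DiskName |
        Select-Object FriendlyName, ProvisioningType,
            @{ n = 'ProvisionedGB'; e = { [math]::Round($_.Size / 1GB) } },
            @{ n = 'AllocatedGB';   e = { [math]::Round($_.AllocatedSize / 1GB) } }
}

New-ThinProvisionedSpace
Get-ThinSpaceUsage
```

After deleting data on the new volume, Optimize-Volume -DriveLetter <letter> -ReTrim forces a trim pass over free space, and Get-ThinSpaceUsage then shows AllocatedGB drop.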

What's New in File Server Resource Manager?
You can use the File Server Resource Manager to manage and classify data that is stored on file
servers. File Server Resource Manager includes the following features:

File classification infrastructure. This feature automates the data classification process. You
can dynamically apply access policies to files based on their classification. Example policies
include Dynamic Access Control for restricting access to files, file encryption, and file
expiration. You can classify files automatically by using file classification rules, or manually
by modifying the properties of a selected file or folder.

File management tasks. You can use this feature to apply a conditional policy or action to files,
based on their classification. The conditions of a file management task include the file location, the
classification properties, the date the file was created, the last modified date of the file, or the last
time that the file was accessed. The actions that a file management task can take include the ability to
expire files, encrypt files, or run a custom command.

Quota management. You can use this feature to limit the space allowed for a volume or folder.
Quotas can be automatically applied to new folders that are created on a volume. You can also define
quota templates that you can apply to new volumes or folders.

File screening management. You can use this feature to control the types of files that users can store
on a file server. You can limit the extension that can be stored on your file shares. For example, you
can create a file screen that does not enable files that have an MP3 extension to be stored in personal
shared folders on a file server.

Storage reports. You can use this feature to identify trends in disk usage and how your data is
classified, and monitor attempts by a selected group of users to save unauthorized files.

You can configure and manage the File Server Resource Manager by using the File Server Resource
Manager Microsoft Management Console (MMC) console or by using Windows PowerShell.

The following features of the File Server Resource Manager are new and are added in Windows Server
2012:

Dynamic Access Control. Dynamic Access Control uses file classification infrastructure to help you
centrally control and audit access to files on your file servers.

Manual classification. Manual classification enables users to classify files and folders manually without
the need to create automatic classification rules.

Access-denied assistance. You can use access-denied assistance to customize the access denied error
message that users see in Windows 8 Consumer Preview when they do not have access to a file or a
folder.

File management tasks. The updates to file management tasks include Active Directory Rights
Management Services (AD RMS) file management tasks, continuous file management tasks, and
dynamic namespace for file management tasks.

Automatic classification. The updates to automatic classification enable you to get more precise
control on how data is classified on your file servers, including continuous classification, using
Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic
namespace for classification rules.

Additional Reading: What's new in File Server Resource Manager
http://technet.microsoft.com/en-us/library/hh831746.aspx
Question: Are you currently using the File Server Resource Manager in Windows Server 2008
R2? If yes, what areas do you use it for?
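The file screen and quota scenarios described above (refusing MP3 files in personal shared folders, capping each user's folder, and reporting usage), done with the FileServerResourceManager cmdlets that replace the removed filescrn.exe, dirquota.exe and storrept.exe tools. This is an added example, not course material; the share path, group and template names, the 5 GB limit and the function names are constructed.

```powershell
# Added example, not from the course: MP3 file screen, auto-applied quota
# template and a usage report with the FileServerResourceManager cmdlets.
Import-Module FileServerResourceManager -ErrorAction Stop   # FS-Resource-Manager role service

$UsersRoot = 'E:\Shares\Users'   # constructed: parent of the per-user personal folders

function Set-PersonalShareScreen {
    # Active screen: saving *.mp3 anywhere under $Path is refused and an event is logged
    param([string]$Path = $UsersRoot, [string]$GroupName = 'Audio Files')

    if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name $GroupName -IncludePattern '*.mp3' | Out-Null
    }
    # [Source Io Owner] and [Source File Path] are FSRM notification variables
    $logIt = New-FsrmAction -Type Event -EventType Warning `
        -Body 'File screen blocked [Source Io Owner] saving [Source File Path]'
    if (-not (Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $Path -IncludeGroup $GroupName -Active -Notification $logIt | Out-Null
    }
    Get-FsrmFileScreen -Path $Path | Select-Object Path, IncludeGroup, Active
}

function Set-PersonalShareQuota {
    # Template with an 85 percent warning, auto-applied to every new folder under $Path
    param([string]$Path = $UsersRoot, [string]$TemplateName = 'Home 5GB', [uint64]$Limit = 5GB)

    $warnAction = New-FsrmAction -Type Event -EventType Warning `
        -Body '[Quota Path] is at [Quota Used Percent]% of [Quota Limit]'
    $warn = New-FsrmQuotaThreshold -Percentage 85 -Action $warnAction
    if (-not (Get-FsrmQuotaTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
        New-FsrmQuotaTemplate -Name $TemplateName -Size $Limit -Threshold $warn | Out-Null
    }
    if (-not (Get-FsrmAutoQuota -Path $Path -ErrorAction SilentlyContinue)) {
        New-FsrmAutoQuota -Path $Path -Template $TemplateName | Out-Null
    }
    Get-FsrmAutoQuota -Path $Path | Select-Object Path, Template
}

function Get-PersonalShareQuotaReport {
    # The storrept.exe-style view: each folder's usage against its limit, fullest first
    param([string]$Path = $UsersRoot)
    Get-FsrmQuota | Where-Object { $_.Path -like "$Path\*" } | ForEach-Object {
        [pscustomobject]@{
            Path        = $_.Path
            LimitGB     = [math]::Round($_.Size / 1GB, 1)
            UsedGB      = [math]::Round($_.Usage / 1GB, 1)
            PercentUsed = if ($_.Size -gt 0) { [math]::Round(100 * $_.Usage / $_.Size) } else { 0 }
        }
    } | Sort-Object PercentUsed -Descending
}

Set-PersonalShareScreen
Set-PersonalShareQuota
Get-PersonalShareQuotaReport | Format-Table -AutoSize
```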

What Are Basic and Dynamic Disks?
Windows Server 2012 continues to support basic disks and dynamic disks.

Basic Disk
Basic storage uses typical partition tables supported by MS-DOS, and all versions of the Windows
operating system. A disk initialized for basic storage is called a basic disk. A basic disk contains basic
partitions, such as primary partitions and an extended partition. An extended partition can be subdivided
into logical drives.

By default, when you initialize a disk in Windows, the disk is configured as a basic disk. Basic disks can
easily be converted to dynamic disks without any loss of data. However, when you convert a dynamic disk
to basic disk, all data on the disk will be lost. Some applications such as the storage spaces feature in
Windows Server 2012 cannot use dynamic disks. In addition, there is no performance gain by converting
basic disks to dynamic disks. For these reasons, most administrators do not convert basic disks to dynamic
disks unless they have to use some additional volume configuration options available with dynamic disks.

Dynamic Disk
Dynamic storage is supported in all Windows operating systems including the Windows XP operating
system and the Microsoft Windows NT Server 4.0 operating system. A disk initialized for dynamic storage
is called a dynamic disk. A dynamic disk contains dynamic volumes. With dynamic storage, you can
perform disk and volume management without the need to restart Windows.

When you configure dynamic disks, you create volumes instead of partitions. A volume is a storage unit
made from free space on one or more disks. It can be formatted with a file system and can be assigned a
drive letter or configured with a mount point. The dynamic volumes include:

Simple volumes. A simple volume uses free space from a single disk. It can be a single region on a disk
or consist of multiple, concatenated regions. A simple volume can be extended within the same disk
or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned
volume.

Spanned volumes. A spanned volume is created from free disk space that is linked from multiple
disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be
mirrored and is not fault-tolerant. Therefore, if you lose one disk, you lose all the spanned volume.

Striped volumes. A striped volume is a volume whose data is spread across two or more physical disks.
The data on this type of volume is allocated alternately and evenly to each of the physical disks. A
striped volume cannot be mirrored or extended and is not fault-tolerant, again meaning the loss of
one disk will cause the loss of data immediately. Striping is also known as redundant array of
independent disks (RAID)-0.

Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.

RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a minimum
of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is
also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on
that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be
mirrored or extended.

Required Disk Volumes

Regardless of which type of disk that you use, you must configure a system volume and a boot volume on
one of the hard disks in the server:

System volumes. The system volume contains the hardware-specific files that are needed to load
Windows (for example, Bootmgr, BOOTSECT.bak, and BCD). The system volume can be, but does not
have to be, the same as the boot volume.

Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to
be, the same as the system volume.

Note: When you install the Windows 8 operating system or Windows Server 2012 in a
clean installation, a separate system volume is created to enable encrypting the boot volume by
using BitLocker.

Additional Reading:
How Basic Disks and Volumes Work
http://go.microsoft.com/fwlink/?LinkID=199648
Dynamic Disks and Volumes
http://go.microsoft.com/fwlink/?LinkID=199649

What Is the Resilient File System?
Resilient File System (ReFS) is a new file system provided in Windows Server 2012. ReFS is based
on the NTFS file system and provides the following advantages:

Metadata integrity with checksums

Integrity streams providing optional user data integrity

Allocation on write transactional model for robust disk updates (also known as copy on write)

Large volume, file, and directory sizes

Storage pooling and virtualization making file system creation and management easy

Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance

Disk scrubbing for protection against latent disk errors

Resiliency to corruptions with salvage for maximum volume availability in every case

Shared storage pools across computers for additional failure tolerance and load balancing

ReFS inherits the features from NTFS including BitLocker encryption, access-control lists for security,
Update Sequence Number (USN) journal, change notifications, symbolic links, junction points, mount
points, reparse points, volume snapshots, file IDs, and oplocks.

Because ReFS uses a subset of features from NTFS, it is designed to maintain backward compatibility with
its older counterpart. Therefore, Windows 8 clients or earlier can read and write to ReFS hard-drive
partitions and shares on a server, just as they can with those running NTFS. But, as implied in its name, the
new file system offers more resiliency, meaning better data verification, error correction, and scalability.
Beyond its greater resiliency, ReFS also surpasses NTFS by offering larger maximum sizes for individual
files, directories, disk volumes, and other items, as listed in the following table.

Attribute                                     Limit
Maximum size of a single file                 2^64 - 1 bytes (18.446.744.073.709.551.616 bytes)
Maximum size of a single volume               2^78 bytes with 16 KB cluster size (2^64 * 16 * 2^10);
                                              Windows stack addressing allows 2^64 bytes
Maximum number of files in a directory        2^64
Maximum number of directories in a volume     2^64
Maximum file name length                      32K Unicode characters
Maximum path length                           32K
Maximum size of any storage pool              4 petabytes
Maximum number of storage pools in a system   No limit
Maximum number of spaces in a storage pool    No limit

Removed and Deprecated Features
The following storage-related features are removed and deprecated from Windows Server 2012:

The Storage Manager for SANs snap-in for MMC is removed. Instead, you can manage storage with
Windows PowerShell cmdlets and Server Manager.

The Storage Explorer snap-in for MMC is removed.

The SCSIport host-bus adapter driver is removed. Instead, you can either use a Storport driver or a
different host-bus adapter.

The File Server Resource Manager command-line tools such as dirquota.exe, filescrn.exe, and
storrept.exe are removed. This functionality is available in Windows PowerShell.

The File Replication Service (FRS) is replaced by DFS Replication.

The Share and Storage Management snap-in is replaced by the File and Storage Services role in
Server Manager.

The Shared Folders snap-in is replaced by the File and Storage Services role in Server Manager.

The Virtual Disk Service (VDS) provider is replaced by the Storage Management APIs and storage
provider or the Storage Management Initiative Specification (SMI-S) standard and a compliant
storage provider.

Lesson 2
Configuring iSCSI Storage

In this lesson, you will learn how to create a connection between servers and iSCSI storage. You will
perform these tasks by using IP-based iSCSI storage. iSCSI storage is an inexpensive and simple way to
configure a connection to remote disks. Many application requirements dictate that remote storage
connections must be redundant in nature for fault tolerance or high availability. For this purpose, you will
also learn how to create both single and redundant connections to an iSCSI target. You will do so by using
the iSCSI initiator software that is available in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

Describe iSCSI and its components.

Describe the iSCSI target server and the iSCSI initiator.

Describe how to configure high-availability and locate iSCSI storage.

Configure iSCSI target.

Connect to the iSCSI storage.

What Is iSCSI?
iSCSI is a protocol that supports access to remote, SCSI-based storage devices over a TCP/IP network.
iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets and to
manage storage over long distances. You can use iSCSI to transmit data over LANs, WANs, or even over
the larger Internet.
iSCSI relies on standard Ethernet networking architecture, and use of specialized hardware such as a host
bus adapter (HBA) or network switches is optional. iSCSI uses TCP/IP (typically, TCP port 3260). This
means that iSCSI simply enables two hosts to negotiate (session establishment, flow control, and packet
size, for example) and then exchange SCSI commands by using an existing Ethernet network. By doing
this, iSCSI takes a popular, high performance, local storage bus subsystem architecture and emulates it
over LANs and WANs, creating a SAN. Unlike some SAN protocols, iSCSI requires no specialized cabling; it
can be run over existing switching and IP infrastructure. However, the performance of an iSCSI SAN
deployment can be severely decreased if not operated on a dedicated network or subnet, as best practices
recommend.

Note: While you can use a standard Ethernet network adapter to connect the server to the
iSCSI storage device, you can also use dedicated HBAs.

An iSCSI SAN deployment includes the following:

IP network. You can use standard network interface adapters and standard Ethernet protocol network
switches to connect the servers to the storage device. To provide sufficient performance, the network
should provide speeds of at least 1 gigabit per second (Gbps), and should provide multiple paths to
the iSCSI target. We recommend a dedicated physical and logical network in order to achieve fast,
reliable throughput.

iSCSI targets. This is another way to refer to the network interface of the storage device to gain access
to the storage. iSCSI targets present or advertise storage, similar to controllers for hard disk drives of
locally attached storage. However, this storage is accessed over a network, instead of locally. Many
storage vendors implement hardware level iSCSI targets as part of their storage devices' hardware.
Other devices or appliances, such as Windows Storage Server devices, implement iSCSI targets by
using a software driver together with at least one Ethernet adapter. Windows Server 2012 provides
the iSCSI target server (which is effectively a driver for the iSCSI protocol) as a role service.

iSCSI initiators. The iSCSI target displays storage to the iSCSI initiator (also known as the client), which
acts as a local disk controller for the remote disks. All versions of Windows Server starting from
Windows Server 2008 include the iSCSI initiator and can connect to iSCSI targets.

iSCSI Qualified Name (IQN). IQNs are unique identifiers that are used to address initiators and targets
on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for the iSCSI
initiators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the iSCSI
targets. However, if name resolution on the iSCSI network is a possible issue, iSCSI endpoints (both
target and initiator) can always be identified by their IP addresses.

Question: Can you use your organization's internal IP network to provide iSCSI?

iSCSI Target Server and iSCSI Initiator
The iSCSI initiator service has been a standard part of Windows Server since Windows Server 2008.
Before Windows Server 2012, the iSCSI Software Target, however, needed to be downloaded and installed
optionally. Now, it is integrated as a role service into Windows Server 2012. The new features in
Windows Server 2012 include:

Authentication. You can enable Challenge Handshake Authentication Protocol (CHAP) to
authenticate initiator connections or enable reverse CHAP to allow the initiator to
authenticate the iSCSI target.

Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.

iSCSI Target Server

MCT USE ONLY. STUDENT USE PROHIBITED

4-14 Managing Storage for Windows Server 2012

The iSCSI target server role service provides a software-based, hardware-independent iSCSI disk subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can then use Server Manager to manage these iSCSI targets and virtual disks.
The iSCSI target server included in Windows Server 2012 provides the following functionality:

Network/diskless boot. By using boot-capable network adapters or a software loader, you can use
iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to
90 percent of the storage space for the operating system images. This is ideal for large deployments
of identical operating system images, such as a Hyper-V server farm or High Performance Computing
(HPC) clusters.

Server application storage. Some applications, such as Hyper-V and Exchange Server, require block storage. The iSCSI target server can provide these applications with continuously available block storage. Because the storage is remotely accessible, it can also combine block storage for central or branch office locations.

Heterogeneous storage. iSCSI target server supports iSCSI initiators that are not based on Windows, so
you can share storage on Windows Servers in mixed environments.

Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to be a
network-accessible block storage device. This is useful in situations such as when you want to test
applications before deployment on SAN storage.

Enabling iSCSI target server to provide block storage takes advantage of your existing Ethernet network; no additional hardware is needed. If high availability is an important criterion, consider setting up a high availability cluster. With a high availability cluster, you will need shared storage for the cluster: either hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. iSCSI target server is directly integrated into the failover cluster feature as a cluster role.

iSCSI Initiator

The iSCSI Initiator is included in Windows Server 2012 and Windows 8 as a service and installed by default.
To connect your computer to an iSCSI target, you just have to start the service and configure it.
Additional Reading: Introduction of iSCSI Target in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windowsserver-2012.aspx
Question: When would you consider implementing diskless booting from iSCSI targets?

Advanced iSCSI Configuration Options
In addition to configuring the basic iSCSI target server and iSCSI initiator settings, you can integrate these services into more advanced configurations.

Locating iSCSI Storage
There are two common approaches for locating storage that is exposed to a network by an iSCSI Target.


The first approach is through the use of the iSCSI SendTargets command. This functionality is available within the iSCSI Initiator wizard of Windows Server. Using SendTargets in the iSCSI Initiator retrieves a list of available targets from a target device. To use this command, you must know both the IP address of the storage device that is hosting the targets, and whether the device is suitable for your storage needs. The iSCSI SendTargets command is only workable in smaller iSCSI environments, because the approach becomes more complex as the number of iSCSI targets in your company increases.
The second approach is for large networks. On large networks, locating storage can be more difficult. One solution that can help you is the Internet Storage Name Service (iSNS), which is a Windows Server 2012 feature similar to Domain Name System (DNS) and lets you locate a target on several target devices. iSNS contains three distinct services:

 Name Registration Service. This service enables initiators and targets to register and query the iSNS server directory for information about initiator and target IDs and addresses.

 Network Zoning and Logon Control Service. You can use this service to restrict iSNS initiators to zones so that iSCSI initiators do not discover any target devices outside their own zone or discovery domains. This prevents initiators from accessing storage devices that are not intended for their use. Logon control enables targets to determine which initiators can access them.

 State Change Notification Service. This service enables iSNS to notify clients of changes in the network, such as the addition or removal of targets, or changes in zoning membership. Only initiators that you register to receive notifications will get these packets, which reduces random broadcast traffic on the network.

Configuring iSCSI for High Availability

Creating a single connection to iSCSI storage makes that storage available. However, it does not make that storage highly available. Losing the connection results in the server losing access to its storage. Therefore, most iSCSI storage connections are made redundant through one of two high-availability technologies: Multiple Connections per Session (MCS) and Multipath I/O (MPIO).

Although similar in the result they achieve, these two technologies use different approaches to achieve high availability for iSCSI storage connections.
MCS is a feature of the iSCSI protocol that:

 Enables multiple TCP/IP connections from the initiator to the target for the same iSCSI session.

 Supports automatic failover. If a failure were to occur, all outstanding iSCSI commands are reassigned to another connection automatically.

 Requires explicit support by iSCSI SAN devices, although the iSCSI target server role supports it.

MPIO is a different way to provide redundancy that:

Requires a device specific module (DSM) if you want to connect a third-party SAN device, such as HP's EVA SAN, to the iSCSI initiator. Windows includes a default MPIO DSM, installed as the
Multipath I/O feature within Server Manager.

Is widely supported. Many SANs can use the default DSM without any additional software, while
others require a specialized DSM from the manufacturer.

Is more complex to configure and not as fully automated during failover as MCS.

Demonstration: Configuring iSCSI Target


In this demonstration, you will add an iSCSI target server role service and create an iSCSI virtual disk and
iSCSI target on LON-DC1.

Demonstration Steps
Add the iSCSI Target Server role service
1. On LON-DC1, in Server Manager, click the Dashboard button.
2. In the Add Roles and Features Wizard, install the following roles and features to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Create two iSCSI virtual disks and an iSCSI target on LON-DC1
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.
2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI Virtual Disk. Create a virtual disk that has the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
o iSCSI target: New
o Target name: LON-SVR2
o Access servers: 172.16.0.22
3. On the View results page, wait until the creation is completed, and then close the View Results page.
4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI Virtual Disk. Create a virtual disk that has these settings:
o Name: iSCSIDisk2
o Disk size: 5 GB
o iSCSI target: LON-SVR2
5. On the View Results page, wait until the creation is completed, and then close the View Results page.

Demonstration: Connecting to the iSCSI Storage


In this demonstration, you will connect LON-SVR2 to the iSCSI target and verify the presence of the
iSCSI drive.

Demonstration Steps
Connect LON-SVR2 to the iSCSI target
1. Log on to LON-SVR2 with username of Adatum\Administrator and password of Pa$$w0rd.
2. In Server Manager, on the Tools menu, open iSCSI Initiator.
3. In the iSCSI Initiator Properties dialog box, configure the following:
o Quick Connect: LON-DC1
o Discover targets: iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target

Verify the presence of the iSCSI drive
1. In Server Manager, on the Tools menu, open Computer Management.
2. In the Computer Management console, under Storage, access Disk Management.
Notice that the new disks are added. They are all currently offline and not formatted.


Lesson 3

Configuring Storage Spaces in Windows Server 2012


Managing physical disks attached directly to a server proved to be a tedious task for administrators. To overcome this problem, many organizations used SANs that basically grouped physical disks together. However, SANs require special configuration and sometimes special hardware, and are therefore expensive. To overcome these issues, storage spaces in Windows Server 2012 is a feature that pools disks together and presents them to the operating system as a single disk. This lesson explains how to configure and implement storage spaces.

Lesson Objectives
After completing this lesson, you will be able to:
 Describe the use of storage spaces.

 Describe the features of storage spaces.

 Configure a storage space.

 Implement redundant storage spaces.

What Are Storage Spaces?
A storage space is a storage virtualization capability built into Windows Server 2012 and Windows 8. You can use storage spaces to add physical disks of any type and size to a storage pool and create highly-available virtual disks from it. The primary advantage of storage spaces is that you do not manage single disks any longer, but manage them as one unit.
To create a highly-available virtual disk, you must have the following:
 Disk drive. This is a volume that you can access from your OS, for example by using a drive letter.

 Virtual disk (or storage space). This resembles a physical disk from the perspective of users and applications. However, virtual disks are more flexible because they include thin provisioning or just-in-time allocations, and resiliency to physical disk failures with built-in functionality such as mirroring.

 Storage pool. A storage pool is a collection of one or more physical disks that you can use to create virtual disks. You can add to a storage pool any available physical disk that is not formatted or attached to another storage pool.

 Physical disk. These are connected physical disks such as SAS disks attached to your server. If you want to add them to a storage pool, they have to satisfy the following requirements:
o One physical drive is required to create a storage pool; a minimum of two physical drives is required to create a resilient mirror virtual disk.
o A minimum of three physical drives is required to create a virtual disk with resiliency through parity.
o Three-way mirroring requires at least five physical drives.
o Drives must be blank and unformatted; no volume must exist on them.
o Drives can be attached using different bus interfaces including iSCSI, SAS, Serial Advanced Technology Attachment (SATA), SCSI, and USB. You cannot use SATA, USB or SCSI disks in a failover cluster.


A storage space is a feature available for both NTFS and ReFS volumes that can provide redundancy and pooled storage for many internal and external drives of different sizes and interfaces.

Storage Spaces Features
To configure storage spaces as per your requirements, you must consider the features described in the following table before you implement virtual disks.

Feature
Description

Storage layout

This defines the number of disks from the storage pool that are allocated. Valid options are:
Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data is segmented across all disks in a way that access to these sequential segments can be made to different physical storage drives. Striping makes it possible to access multiple segments of data at the same time. Do not host important data on a simple volume, because it provides no failover capabilities when the disk where the data is stored fails.
Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data they host (two data copies for two-way mirrors and three data copies for three-way mirrors). Duplication happens with every write to ensure all data copies are always current. Mirror spaces also stripe the data across multiple physical drives. Mirror spaces are attractive because of their greater data throughput and lower access latency. They also do not introduce a risk of corrupting at-rest data and do not require the additional journaling stage when writing data.
Parity. A parity space resembles a simple space. Data, along with parity information, is striped across multiple physical drives. Parity enables storage spaces to continue to service read and write requests even when a drive has failed. Parity is always rotated across available disks to enable IO optimization. A storage space requires a minimum of three physical drives for parity spaces. Parity spaces have increased resiliency through journaling.


Disk sector size

A storage pool's sector size is set the moment it is created. If the list of drives
being used contains only 512 and 512e drives, the pool is defaulted to 512e.
However, if the list contains at least one 4-KB drive, the pool sector size is
defaulted to 4 KB. Optionally, an administrator can explicitly define the sector size
that all contained spaces in the pool will inherit. After an administrator defines
this, Windows will only enable addition of drives that have a compliant sector size,
that is: 512 or 512e for a 512e storage pool and 512, 512e, or 4 KB for a 4-KB
pool.

Cluster disk
requirement

Failover clustering prevents interruption to workloads or data if there is a computer failure. For a pool to support failover clustering, all assigned drives must support a multi-initiator protocol, such as SAS.

Drive allocation

This defines how the drive is allocated to the pool. Options are:
Data-store. This is the default allocation when any drive is added to a pool.
Storage spaces can automatically select available capacity on data-store drives
for both storage space creation and just-in-time allocation.
Manual. Administrators can choose to specify manual as the usage type for
drives added to a pool. A manual drive is not automatically used as part of a
storage space unless it is specifically selected at the creation of that storage
space. This usage property lets administrators specify particular types of drives
for use by only certain storage spaces.
Hot-Spare. Drives added as Hot-Spares to a pool are reserve drives that are
not used in the creation of a storage space. If a failure occurs on a drive that is
hosting columns of a storage space, a reserve drive is called on to replace the
failed drive.

Provisioning
schemes

You can provision a virtual disk by using two schemes:

Thin provisioning space. Thin provisioning is a mechanism that enables storage


to be easily allocated on a just-enough and just-in-time basis. Storage capacity
in the pool is organized into provisioning slabs that are not allocated until the
point in time when datasets grow to actually require the storage. Instead of
the traditional fixed storage allocation method, where large pools of storage
capacity are allocated but may remain unused, thin provisioning optimizes use
of available storage. Organizations are also able to save on operating costs such
as electricity and floor space associated with keeping unused drives spinning.

Fixed provisioning space. In storage spaces, fixed provisioned spaces also use the
flexible provisioning slabs. The difference here is that the storage capacity is
allocated up front, at the time that the space is created.

Note: Storage spaces allows for the creation of both thin and fixed provisioning virtual
disks within the same storage pool. Having both provisioned types in the same storage pool is
very convenient especially when they are related to the same workload. For example, you can
choose to have a thin provisioning space to host a database and a fixed provisioning space to
host its log.

Demonstration: Configuring a Storage Space


In this demonstration, you will create a storage pool and create a simple virtual disk and a volume.

Demonstration Steps
Create a storage pool

1. On LON-SVR2, in Server Manager, navigate to File and Storage Services, and Storage Pools.
2. In the STORAGE POOLS pane, create a New Storage Pool named StoragePool1, and then add all available disks.

Create a simple virtual disk and a volume
1. In the VIRTUAL DISKS pane, create a New Virtual Disk with these settings:
o Storage pool: StoragePool1
o Disk name: Simple vDisk
o Storage layout: Simple
o Provisioning type: Thin
o Size: 2 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Simple vDisk
o File system: ReFS
o Volume label: Simple Volume

Demonstration: Implementing Redundant Storage Spaces

In this demonstration, you will create a redundant virtual disk and a volume, simulate a drive failure, and
test volume access.

Demonstration Steps
Create a redundant virtual disk and a volume
1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New Virtual Disk and create a virtual disk with these settings:
o Storage pool: StoragePool1
o Disk name: Mirrored vDisk
o Storage layout: Mirror
o Provisioning type: Thin
o Size: 5 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Mirrored vDisk
o File system: ReFS
o Volume label: Mirrored Volume
4. On the Completion page, wait until the creation is completed, and then click Close.
5. On the Start screen, type command prompt and then press Enter.
6. At the command prompt, type the following command and then press Enter:
Copy C:\windows\system32\write.exe F:\
7. In Server Manager, on the menu bar, click Tools and then in the Tools drop-down list, select Computer Management.
8. In the Computer Management console, under Storage, click Disk Management.
Notice that the two volumes E: and F: are available.

Simulate a drive failure and test volume access
1. On LON-DC1, in Server Manager, in the left pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click Disable iSCSI Virtual Disk.
4. Switch to LON-SVR2.
5. In the Computer Management console, under Storage, right-click Disk Management, and then in the drop-down list, select Rescan Disks.
Notice that the Simple Volume (E:) is not available and the Mirrored Volume (F:) is available.
6. On the taskbar, open Windows Explorer and then click Mirrored Volume (F:). You should now see write.exe in the file list.
7. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Notice the warning that appears right next to Mirrored vDisk.
8. In the VIRTUAL DISKS pane, in the drop-down list, right-click Simple vDisk, and then select Properties.
9. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.
Notice the Health Status that should indicate Unknown. The Operational Status should indicate Detached. This means that the disk is not available on this computer any longer.
10. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
11. In the Mirrored vDisk Properties window, in the navigation pane, click Health.
Notice the Health Status should indicate a Warning. The Operational Status should indicate Incomplete or Degraded.


Lab A: Managing Storage for Servers Based on Windows Server 2012
Scenario

With the growth in A. Datum, the requirements for managing storage and shared file access have also expanded. Although the cost of storage has decreased significantly over the last few years, the data produced by the A. Datum business groups has increased even more. The organization is considering alternative ways to reduce the cost of storing data on the network, in addition to the options for optimizing data access for both physical and virtual servers. Also, to meet some requirements for high availability, the organization is exploring options for making storage highly available.

As one of the senior network administrators at A. Datum, you are responsible for implementing some new
file storage technologies for the organization. You will implement iSCSI storage to provide a less complex
option for deploying large amounts of storage in the organization. You will also implement the storage
spaces on the Windows Server 2012 servers to simplify storage access and to provide redundancy at the
storage level.

Objectives
After completing this lab, you will be able to:

Configure iSCSI storage for Windows Server 2012 servers.

Configure a redundant storage space.

Lab Setup
Estimated time: 40 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20417A-LON-SVR2.

For this lab, on 20417A-LON-SVR2, disable Routing and Remote Access. In Server Manager, click Tools,
and then click Routing and Remote Access. In the Routing and Remote Access console, right-click
LON-SVR2 and then click Disable Routing and Remote Access.

Exercise 1: Configuring iSCSI Storage


Scenario


In order to reduce the cost and complexity of configuring centralized storage, A. Datum is exploring the
option of using iSCSI to provide storage. To get started, you will install and configure the iSCSI targets,
and configure access to the targets by configuring the iSCSI initiators.
The main tasks for this exercise are as follows:
1. Install the iSCSI Target feature.
2. Configure the iSCSI targets.
3. Configure MPIO.
4. Connect to and configure the iSCSI targets.

X Task 1: Install the iSCSI Target feature
1. Log on to LON-DC1 with username of Adatum\Administrator and the password of Pa$$w0rd.
2. In Server Manager, start the Add Roles and Features Wizard, install the following roles and features to the local server and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

X Task 2: Configure the iSCSI targets
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.
2. Create a virtual disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk1
o Size: 5 GB
o iSCSI target: New
o Target name: lon-svr2
o Access servers: 172.16.0.22 and 131.107.0.2
3. On the View results page, wait until the creation is completed, and then click Close.
4. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk2
o Size: 5 GB
o iSCSI target: lon-svr2
5. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk3
o Size: 5 GB
o iSCSI target: lon-svr2
6. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk4
o Size: 5 GB
o iSCSI target: lon-svr2
7. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk5
o Size: 5 GB
o iSCSI target: lon-svr2
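The following Windows PowerShell script is an added example and not part of the course material or its lab files. It carries out the target-side configuration of the demonstration Configuring iSCSI Target and of Tasks 1 and 2 above with the iSCSITarget module on LON-DC1 instead of Server Manager, and then applies the CHAP option described under iSCSI Target Server and iSCSI Initiator. The folder C:\iSCSIVirtualDisks and the CHAP secret are assumptions made for this example; the lab's own wizard stores the .vhd files under the chosen storage location.

```powershell
# Added example, not course code: iSCSI Target Server setup on LON-DC1 with the
# iSCSITarget module. Assumption: virtual disks are stored under C:\iSCSIVirtualDisks.

# Task 1: File And Storage Services\File and iSCSI Services\iSCSI Target Server
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

# Task 2: one target named lon-svr2, reachable only from the lab's two initiator
# addresses (the "Access servers" setting). Where name resolution on the iSCSI
# network is reliable, the initiator can be listed by IQN instead ('IQN:<iqn>').
New-IscsiServerTarget -TargetName 'lon-svr2' `
    -InitiatorIds @('IPAddress:172.16.0.22', 'IPAddress:131.107.0.2')

# Five 5 GB virtual disks (iSCSIDisk1 .. iSCSIDisk5), each mapped as a LUN of the target.
$diskRoot = 'C:\iSCSIVirtualDisks'
New-Item -Path $diskRoot -ItemType Directory -Force | Out-Null
foreach ($n in 1..5) {
    $vhd = Join-Path $diskRoot "iSCSIDisk${n}.vhd"
    New-IscsiVirtualDisk -Path $vhd -SizeBytes 5GB | Out-Null
    Add-IscsiVirtualDiskTargetMapping -TargetName 'lon-svr2' -Path $vhd
}

# Optional: the "Authentication" feature of the 2012 target. With CHAP enabled the
# initiator must present the same user name and secret when it connects
# (Connect-IscsiTarget -AuthenticationType ONEWAYCHAP -ChapUsername -ChapSecret);
# -EnableReverseChap/-ReverseChap additionally let the initiator verify the target.
# The secret below is a placeholder: replace it with a 12 to 16 character secret.
$secret = ConvertTo-SecureString 'REPLACE-WITH-SECRET' -AsPlainText -Force
$chap   = New-Object System.Management.Automation.PSCredential('lon-svr2', $secret)
Set-IscsiServerTarget -TargetName 'lon-svr2' -EnableChap $true -Chap $chap

# Verify: the target is listed with both initiator IDs and five LUN mappings.
Get-IscsiServerTarget -TargetName 'lon-svr2' |
    Select-Object TargetName, Status, InitiatorIds, LunMappings
```

Restricting the target by initiator IP address (or IQN) is what keeps other hosts on the same Ethernet segment from seeing the LUNs; CHAP adds an authentication check on top of that address filter and is the only one of the two that an initiator on a spoofed address cannot pass.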

X Task 3: Configure MPIO
1. Log on to LON-SVR2.
2. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.
3. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
o Enable the iSCSI Initiator service
o Quick Connect to target: LON-DC1
4. In Server Manager, on the Tools menu, open MPIO, and configure the following:
o Enable Add support for iSCSI devices on Discover Multi-paths
5. After the computer restarts, log on to LON-SVR2, on the Tools menu in Server Manager, open MPIO and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

X Task 4: Connect to and configure the iSCSI targets
1. On LON-SVR2, in Server Manager, on the Tools menu, open iSCSI Initiator.
2. In the iSCSI Initiator Properties dialog box, perform the following steps:
a. Disconnect all Targets.
b. Connect and Enable multi-path.
c. Set Advanced options as follows:
o Local Adapter: Microsoft iSCSI Initiator
o Initiator IP: 172.16.0.22
o Target Portal IP: 172.16.0.10 / 3260
d. Connect to another target, enable multi-path, and configure the following Advanced settings:
o Local Adapter: Microsoft iSCSI Initiator
o Initiator IP: 131.107.0.2
o Target Portal IP: 131.107.0.1 / 3260
3. In the Targets list, open Devices for iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, access the MPIO information, and then verify that in Load balance policy, Round Robin is selected. Verify that two paths are listed by looking at the IP addresses of both network adapters.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.
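As an added example (not part of the course material), the same initiator-side work as Tasks 3 and 4 above and the demonstration Connecting to the iSCSI Storage, done on LON-SVR2 with the iSCSI and MPIO PowerShell modules. The target IQN, portal and initiator addresses are the lab's; that no CHAP is configured on the target is an assumption of this example.

```powershell
# Added example, not course code: Tasks 3 and 4 on LON-SVR2 with the iSCSI and
# MPIO modules. Assumptions: the lab's addresses and target IQN; no CHAP on the target.

# Task 3: Multipath I/O feature, initiator service, and MPIO claiming of iSCSI devices
Install-WindowsFeature -Name Multipath-IO
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
Enable-MSDSMAutomaticClaim -BusType iSCSI            # "Add support for iSCSI devices"
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR   # Round Robin, as checked in Task 4
# A restart is required at this point (lab step 5). Afterwards the iSCSI bus type
# appears in the supported-hardware list as vendor MSFT2005, product iSCSIBusType_0x9:
Get-MSDSMSupportedHW

# Task 4: one session per network path, each flagged for multipath and made persistent
$targetIqn = 'iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target'
$paths = @(
    @{ Initiator = '172.16.0.22'; Portal = '172.16.0.10' },
    @{ Initiator = '131.107.0.2'; Portal = '131.107.0.1' }
)
foreach ($p in $paths) {
    # Discovery (SendTargets) through this portal, bound to this local address
    New-IscsiTargetPortal -TargetPortalAddress $p.Portal -TargetPortalPortNumber 3260 `
        -InitiatorPortalAddress $p.Initiator | Out-Null
    # Logon over the same path; IsPersistent re-creates the session at boot
    Connect-IscsiTarget -NodeAddress $targetIqn `
        -TargetPortalAddress $p.Portal -TargetPortalPortNumber 3260 `
        -InitiatorPortalAddress $p.Initiator `
        -IsMultipathEnabled $true -IsPersistent $true | Out-Null
}

# Verify: two sessions to the same IQN, one per initiator address, and
# mpclaim listing two paths for each MPIO disk.
Get-IscsiSession | Where-Object TargetNodeAddress -eq $targetIqn |
    Select-Object InitiatorPortalAddress, NumberOfConnections, IsPersistent
mpclaim.exe -s -d
```

Binding each session to its own initiator address (-InitiatorPortalAddress) is what makes the two sessions true separate paths; without it both logons may leave through the same adapter and MPIO reports a single path, which is exactly the situation step 3 of Task 4 tells you to check for.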

Exercise 2: Configuring a Redundant Storage Space


Scenario


After you have configured the iSCSI components, you want to take advantage of the storage pools to
simplify the configuration of storage on the Windows Server 2012 servers. To meet some requirements for
high availability, you decided to evaluate redundancy features in storage spaces. Also, you want to test
provisioning of new disks to the storage pool.
The main tasks for this exercise are as follows:
1. Create a storage pool by using the iSCSI disks attached to the server.
2. Create a 3-way mirrored disk.
3. Copy a file to the volume and verify visibility in Windows Explorer.
4. Disconnect an iSCSI disk.
5. Verify that the file is still accessible and check the health of the virtual disk.
6. Add a new iSCSI virtual disk.
7. Add the new disk to the storage pool and extend the virtual disk.

X Task 1: Create a storage pool by using the iSCSI disks attached to the server
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.
2. In the navigation pane, click File and Storage Services, and then in the Servers pane, click Storage Pools.
3. Create a storage pool with the following settings:
o Name: StoragePool1
4. On the View results page, wait until the creation is completed, then click Close.

X Task 2: Create a 3-way mirrored disk
1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, create a virtual disk with these settings:
o Storage pool: StoragePool1
o Name: Mirrored vDisk
o Storage Layout: Mirror
o Resiliency settings: Three-way mirror
o Provisioning type: Thin
o Virtual disk size: 10 GB
2. On the View results page, wait until the creation is completed, make sure Create a volume when this wizard closes is checked, and then click Close.
3. In the New Volume Wizard, create a volume with these settings:
o Virtual disk: Mirrored vDisk
o Drive letter: E
o File system: ReFS
o Volume label: Mirrored Volume
4. On the Completion page, wait until the creation is completed, and then click Close.

X Task 3: Copy a file to the volume and verify visibility in Windows Explorer
1. On the Start screen, type command prompt and then press ENTER.
2. Type the following command:
Copy C:\windows\system32\write.exe E:\
3. Use Windows Explorer and access Mirrored Volume (E:). You should now see write.exe in the file list.

X Task 4: Disconnect an iSCSI disk
1. Switch to LON-DC1.
2. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, disable the iSCSI Virtual Disk named iSCSIDisk1.vhd.

X Task 5: Verify that the file is still accessible and check the health of the virtual disk
1. Switch to LON-SVR2.
2. Use Windows Explorer and open E:\write.exe to make sure access to the volume is still available.
3. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button. Notice the warning that appears right next to Mirrored vDisk.
4. In the VIRTUAL DISK pane, right-click Mirrored vDisk, and then in the drop-down list, select Properties.
5. In the Mirrored vDisk Properties window, in the Health pane, notice that the Health Status indicates a Warning. The Operational Status should indicate Degraded.

X Task 6: Add a new iSCSI virtual disk
1. Switch to LON-DC1.
2. In Server Manager, in the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, select New iSCSI Virtual Disk.
3. Create a New iSCSI Virtual Disk with these settings:
o Storage location: C:
o Disk name: iSCSIDisk6
o Size: 5 GB
o iSCSI target: lon-svr2

X Task 7: Add the new disk to the storage pool and extend the virtual disk
1. Switch to LON-SVR2.
2. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click the Refresh Storage Pools button.
3. In the STORAGE POOLS pane, right-click StoragePool1, and then in the drop-down list, select Add Physical Disk, and add PhysicalDisk1 (LON-SVR2).
4. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select Extend Virtual Disk and extend the disk to 15 GB.

Results: After completing this exercise, you will have created a storage pool and added a new disk to the
storage pool and extended the disk.
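The following Windows PowerShell script is an added example and is not part of the course; it performs the checks and changes from Tasks 5 through 7 from the command line on LON-SVR2, using the Storage module cmdlets that ship with Windows Server 2012. The pool and virtual disk names are the ones used in this lab; everything else is generic.

```powershell
# Added example (not from the course): check a mirrored Storage Spaces virtual disk
# after one of its iSCSI-backed physical disks has been disabled, then add a
# replacement disk to the pool and extend the virtual disk. Run on LON-SVR2 in an
# elevated PowerShell session. Names are the lab's: StoragePool1 and "Mirrored vDisk".

$PoolName  = 'StoragePool1'
$VDiskName = 'Mirrored vDisk'

# Equivalent of the "Refresh Storage Pools" button: re-enumerate the storage providers.
Update-StorageProviderCache -DiscoveryLevel Full

# Task 5: a mirror that lost a member reports HealthStatus "Warning" and
# OperationalStatus "Degraded"; data is still readable but no longer redundant.
$vdisk = Get-VirtualDisk -FriendlyName $VDiskName
"{0}: Health={1} Operational={2} Size={3:N0} GB" -f $vdisk.FriendlyName,
    $vdisk.HealthStatus, $vdisk.OperationalStatus, ($vdisk.Size / 1GB)

# Show which of the backing physical disks is the unhealthy one.
$vdisk | Get-PhysicalDisk |
    Select-Object FriendlyName, HealthStatus, OperationalStatus,
        @{n='SizeGB'; e={[int]($_.Size / 1GB)}} |
    Format-Table -AutoSize

# Scripted version of the same check, usable in a monitoring job.
if ($vdisk.HealthStatus -ne 'Healthy') {
    Write-Warning "Virtual disk '$VDiskName' is $($vdisk.OperationalStatus): redundancy is reduced."
}

# Task 7 step 3: add every disk that can still be pooled (here the new iSCSI virtual
# disk presented to LON-SVR2) to the storage pool.
$newDisks = Get-PhysicalDisk -CanPool $true
if ($newDisks) {
    Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $newDisks
} else {
    Write-Warning 'No poolable physical disk found; connect the new iSCSI disk first.'
}

# Task 7 step 4: extend the virtual disk to 15 GB. Only the virtual disk grows;
# the NTFS volume on it is extended separately (Resize-Partition) when needed.
Resize-VirtualDisk -FriendlyName $VDiskName -Size 15GB

# Re-check after the change.
Get-VirtualDisk -FriendlyName $VDiskName |
    Select-Object FriendlyName, HealthStatus, OperationalStatus, @{n='SizeGB'; e={$_.Size / 1GB}}
```

Adding a disk to the pool does not by itself restore redundancy for the existing mirror; in a real repair you would also retire the lost disk (Set-PhysicalDisk -Usage Retired) and run Repair-VirtualDisk, which the lab does not cover.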

X To prepare for the next lab
When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR2.

Lesson 4
Configuring BranchCache in Windows Server 2012

Branch offices have unique management challenges. A branch office typically has slow connectivity to the enterprise network and limited infrastructure for securing servers. Therefore, the challenge is being able to provide efficient access to network resources for users in branch offices. The BranchCache feature helps you overcome these problems by caching files so they do not have to be transferred over the network again.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how BranchCache works.

Describe the BranchCache requirements.

Configure the BranchCache server settings.

Configure the BranchCache client settings.

Configure BranchCache.

Describe how to monitor BranchCache.

How Does BranchCache Work?
The BranchCache feature introduced with Windows Server 2008 R2 and Windows 7 reduces the network use on WAN connections between branch offices and the headquarters by locally caching frequently used files on computers in the branch office.

BranchCache improves the performance of applications that use one of the following protocols:

HTTP or HTTPS protocols. These protocols are used by web browsers and other applications.

Server Message Block (SMB), including signed SMB traffic protocol. This protocol is used for accessing shared folders.

Background Intelligent Transfer Service (BITS). A Windows component that distributes content from a server to clients by using only idle network bandwidth.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a passive cache, it will not increase WAN use. BranchCache only caches the read requests and will not interfere when a user saves a file.

BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 or 8 to client computers and Windows Server 2012 to servers, and by enabling the BranchCache feature.


BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end Internet Protocol Security (IPsec). You can use BranchCache to reduce the
network bandwidth use and improve application performance, even if the content is encrypted.
You can configure BranchCache to use Hosted Cache mode or Distributed Cache mode:

Hosted Cache. This mode operates by deploying a computer that is running Windows Server 2008 R2
or later versions as a hosted cache server in the branch office. Client computers are configured with
the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from
the Hosted Cache when available. If the content is not available in the Hosted Cache, the content is
retrieved from the content server by using a WAN link and then provided to the Hosted Cache so that
the successive client requests can get it from there.

Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote
offices without requiring a server. In this mode, local client computers running Windows 7 or
Windows 8 keep a copy of the content and make it available to other authorized clients that request
the same data. This eliminates the need to have a server in the branch office. However, unlike the
Hosted Cache mode, this configuration works across a single subnet only. In addition, clients who
hibernate or disconnect from the network cannot provide content to other requesting clients.

BranchCache in Windows Server 2012 is improved in the following ways:

More than one hosted cache server per location to allow for scale.

New underlying database that uses the Extensible Storage Engine (ESE) database technology from
Microsoft Exchange Server. This enables a hosted cache server to store significantly more data (in the
order of terabytes).

The deployment is made much simpler such that you do not require a Group Policy Object (GPO) for
each location. A single GPO that contains the settings is all that is required to deploy BranchCache.

How a Client Computer Retrieves Data by Using BranchCache

When BranchCache is enabled on the client computer and the server, the client computer performs the following process to retrieve data when using the HTTP, HTTPS, or SMB protocol:

1. The client computer that is running Windows 7 connects to a content server that is running Windows Server 2008 R2 in the head office and requests content, similar to the way it would retrieve content without using BranchCache.

2. The content server in the head office authenticates the user and verifies that the user is authorized to access the data.

3. The content server in the head office returns identifiers or hashes of the requested content to the client computer instead of sending the content itself. The content server sends that data over the same connection over which the content would typically have been sent.

4. Using the retrieved identifiers, the client computer does the following:

   o If you configure it to use Distributed Cache, the client computer multicasts on the local subnet to find other client computers that have already downloaded the content.

   o If you configure it to use Hosted Cache, the client computer searches for the content on the configured Hosted Cache.

5. If the content is available in the branch office, either on one or more clients or on the Hosted Cache, the client computer retrieves the data from the branch office and ensures that the data is up to date and has not been tampered with or corrupted.

6. If the content is not available in the remote office, the client computer retrieves the content directly from the server across the WAN link. The client computer then either makes it available on the local network to other requesting client computers (Distributed Cache mode) or sends it to the Hosted Cache, where it is made available to other client computers.

BranchCache Requirements
BranchCache optimizes traffic flow between the head office and branch offices. Only Windows Server 2008 R2, Windows Server 2012, and client computers running Windows 7 or Windows 8 Enterprise Edition can benefit from BranchCache. Earlier versions of Windows operating systems do not benefit from this feature. You can cache only the content that is stored on file servers or web servers running Windows Server 2008 R2 or Windows Server 2012 by using BranchCache.

Requirements for Using BranchCache
To use BranchCache, you must perform the following tasks:

Install the BranchCache feature or the BranchCache for Network Files role service on the server running Windows Server 2012 that is hosting the data.

Configure client computers either by using Group Policy or the netsh branchcache set service command.

If you want to use BranchCache for caching content from the web server, you must install the BranchCache feature on the web server. Additional configurations are not needed. If you want to use BranchCache to cache content from the file server, you must install the BranchCache for Network Files role service on the file server, configure hash publication for BranchCache, and create BranchCache-enabled file shares.

BranchCache is supported on Full Installation of Windows Server 2012 and on Server Core.

Requirements for Distributed Cache and Hosted Cache Modes

In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can search locally for the computer that has already downloaded and cached the content by using a multicast protocol called WS-Discovery. In the Distributed Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or later versions, and the clients in the branch must run at least Windows 7 or Windows Server 2008 R2. You should configure the client firewall to enable incoming traffic, HTTP, and WS-Discovery.

In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode, content servers across the WAN link must run Windows Server 2008 R2 or later versions. The Hosted Cache in the branch must run Windows Server 2008 R2 or later versions, and the client in the branch must run at least Windows 7. You must configure a firewall to enable incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers and the computer that is hosting the cached data.

Additional Reading: Windows Server 2008 R2 http://go.microsoft.com/fwlink/?LinkID=214828&clcid=0x409

Configuring BranchCache Server Settings
You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS. You can also use BranchCache to cache shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on Windows Server 2012.

The following table lists the servers that you can configure for BranchCache.

Server: Web server or Background Intelligent Transfer Service (BITS) server
Description: To configure a Windows Server 2012 web server or an application server that uses the BITS protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure clients who will use the BranchCache feature; no additional configuration of the web server is needed.

Server: File server
Description: The BranchCache for the Network Files role service of the File Services server role has to be installed before you can enable BranchCache for any file shares. After you install the BranchCache for the Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you must configure each file share to enable BranchCache. You also have to configure clients who will use the BranchCache feature.

Server: Hosted Cache server
Description: For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2012 server that you are configuring as a Hosted Cache server. To help secure communication, client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh tool.

Configuring BranchCache Client Settings
You do not have to install the BranchCache feature because BranchCache is already included if the client runs Windows 7 or Windows 8. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you must perform the following steps:

1. Enable BranchCache.

2. Enable the Distributed Cache mode or Hosted Cache mode.

3. Configure the client firewall to enable BranchCache protocols.

Enabling BranchCache

If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache feature, the BranchCache feature will still be disabled on the client computers. However, you can enable the BranchCache feature on a client computer without enabling the Distributed Cache mode or the Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server. Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching mode.

Enabling the Distributed Cache Mode or Hosted Cache Mode
You can enable the BranchCache feature on client computers by using Group Policy or the netsh branchcache set service command.

To configure BranchCache settings by using Group Policy, perform the following steps for a domain-based GPO:

1. Open the Group Policy Management console.

2. Browse to Computer Configuration\Policies\Administrative Templates\Network, and then click BranchCache.

3. Turn on BranchCache and set either the Distributed Cache or the Hosted Cache mode.

To configure BranchCache settings by using the netsh branchcache set service command, perform the following steps:

1. Use the following netsh syntax for the Distributed Cache mode:

   netsh branchcache set service mode=distributed

2. Use the following netsh syntax for the hosted mode:

   netsh branchcache set service mode=hostedclient location=<Hosted Cache server>

Configuring the Client Firewall to Enable BranchCache Protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers and the WS-Discovery protocol (WSD) for cached content discovery. You should configure the client firewall to enable the following incoming rules:

BranchCache - Content Retrieval (Uses HTTP)

BranchCache - Peer Discovery (Uses WSD)

In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but they do not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to enable the incoming rule BranchCache - Content Retrieval (Uses HTTP).

Additional Configuration Tasks for BranchCache


After you configure BranchCache, clients can access the cached data in BranchCache-enabled content
servers, available locally in the branch office, and not across a slow WAN link. You can modify
BranchCache settings and perform additional configuration tasks, such as:

Setting the cache size

Setting the location of the Hosted Cache server

Clearing the cache

Creating and replicating a shared key for use in a server cluster
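The following Windows PowerShell script is an added example (not from the course) that performs the three client configuration steps and two of the additional tasks listed above with the BranchCache and NetSecurity module cmdlets that ship with Windows 8 and Windows Server 2012, as an alternative to the netsh commands. The Hosted Cache server name is the one used in Lab B; the cache percentage is an arbitrary example value.

```powershell
# Added example (not from the course): enable and configure BranchCache on a Windows 8
# client with the BranchCache module instead of netsh. Run in an elevated session.
# $Mode selects the cache mode; LON-SVR1.adatum.com is the lab's Hosted Cache server.

$Mode        = 'Hosted'                   # 'Hosted' or 'Distributed'
$HostedCache = 'LON-SVR1.adatum.com'      # FQDN of the Hosted Cache server (Hosted mode only)

# Steps 1 and 2: the Enable-BC* cmdlets turn the feature on and set the mode in one go.
# Enable-BCLocal would give the "feature on, no mode" local-cache-only state described
# above, where nothing is fetched from peers or a hosted cache.
switch ($Mode) {
    'Distributed' { Enable-BCDistributed }
    'Hosted'      { Enable-BCHostedClient -ServerNames $HostedCache }
    default       { throw "Unknown mode '$Mode'" }
}

# Step 3: firewall. Hosted Cache mode needs only content retrieval (HTTP, TCP 80);
# Distributed Cache mode also needs peer discovery (WS-Discovery, UDP 3702).
# Wildcards avoid depending on the exact punctuation of the predefined group names.
$groups = @('BranchCache*Content Retrieval*')
if ($Mode -eq 'Distributed') { $groups += 'BranchCache*Peer Discovery*' }
foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound | Enable-NetFirewallRule
}

# Additional configuration tasks from the list above: cache size and clearing the cache.
Set-BCCache -Percentage 10      # example value; the default is 5 percent of the disk
# Clear-BCCache -Force          # discards all cached data and hashes; run only when needed

# Verification: the same information that "netsh branchcache show status all" prints.
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
Get-BCClientConfiguration | Format-List
Get-BCDataCache | Format-List
```

When the settings come from a domain GPO, as in Lab B, the Group Policy values take precedence over anything set locally with these cmdlets or with netsh, so run gpupdate /force and re-check Get-BCClientConfiguration rather than assuming the local change stuck.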

Demonstration: How to Configure BranchCache

In this demonstration, you will add the BranchCache for Network Files role service, configure BranchCache in the Local Group Policy Editor, and enable BranchCache for a file share.

Demonstration Steps
Add the BranchCache for Network Files role service
1. Log on to LON-DC1 and open Server Manager.
2. In the Add Roles and Features Wizard, install the following role service on the local server:
   o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files

Enable BranchCache for the server
1. On the Start screen, type gpedit.msc, and press ENTER.
2. Browse to Computer Configuration\Administrative Templates\Network\Lanman Server and do the following:
   o Enable Hash Publication for BranchCache
   o Select Allow hash publication only for shared folders on which BranchCache is enabled

Enable BranchCache for a file share
1. Open Windows Explorer and create a folder named Share on C:\.
2. Configure the Share folder properties as follows:
   o Enable Share this folder
   o Check Enable BranchCache in Offline Settings
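The following script is an added example, not part of the demonstration, that performs the file-server steps above on LON-DC1 with the ServerManager, SmbShare, and BranchCache modules. The Hash Publication for BranchCache setting for Lanman Server is still configured through Group Policy as shown in the demonstration; the script assumes that setting is already in place and only verifies the share and pre-generates the content hashes.

```powershell
# Added example (not from the course): script the content-server side of the
# demonstration on LON-DC1. Assumes the Lanman Server hash publication policy has
# already been enabled through Group Policy, as in the demonstration steps.

# Role service shown in the wizard as "BranchCache for Network Files".
Install-WindowsFeature -Name FS-BranchCache

# Create C:\Share and share it with BranchCache caching. CachingMode BranchCache is
# the "Enable BranchCache" check box under Offline Settings in the share properties.
$SharePath = 'C:\Share'
$ShareName = 'Share'
if (-not (Test-Path $SharePath)) { New-Item -Path $SharePath -ItemType Directory | Out-Null }

if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name $ShareName -CachingMode BranchCache -Force
} else {
    New-SmbShare -Name $ShareName -Path $SharePath -CachingMode BranchCache
}

# Put some content in the share (Lab B copies mspaint.exe for the same purpose).
Copy-Item -Path "$env:windir\System32\mspaint.exe" -Destination $SharePath -Force

# Pre-generate the content hashes for everything under the share so the first branch
# request receives identifiers immediately instead of waiting for hashes to be computed
# on demand. Hashes are only published if the Lanman Server policy permits it.
Publish-BCFileContent -Path $SharePath -Recurse

# Verification: the share must report CachingMode BranchCache, and the content-server
# configuration must show hash publication enabled.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, CachingMode
Get-BCContentServerConfiguration | Format-List
```

Hash publication only covers shares that are BranchCache-enabled when the policy is set to "Allow hash publication only for shared folders on which BranchCache is enabled", so a share created without CachingMode BranchCache is simply served normally over the WAN.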

Monitoring BranchCache
After the initial configuration, you might want to verify that BranchCache is configured correctly and functioning correctly. You can use the netsh branchcache show status all command to display the BranchCache service status. On client and Hosted Cache servers, additional information such as the location of the local cache, the size of the local cache, and the status of the firewall rules for the HTTP and WS-Discovery protocols that BranchCache uses is shown.

You can also use the following tools to monitor BranchCache:

Event Viewer. You can use this tool to monitor BranchCache events in Event Viewer.

Performance counters. You can use this tool to monitor BranchCache work and performance by using the BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use the BranchCache performance monitor counters for determining the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 or later versions implemented in the environment, you can use the Windows BranchCache Management Pack for Operations Manager 2007.
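The following script is an added example, not part of the course, that collects the monitoring information described above from a client or Hosted Cache server: service status, cache location and size, firewall rule state, the retrieval counters (from which the bandwidth saving is derived as the share of bytes that came from the cache rather than from the content server), and the BranchCache operational event log. The counter names are looked up by pattern in the machine's own BranchCache counter set rather than assumed; the event log name is the standard one.

```powershell
# Added example (not from the course): one monitoring pass over a BranchCache client
# or Hosted Cache server, covering what the text above lists: netsh status
# equivalents, performance counters, and Event Viewer.

# 1. Service status and cache location/size (what "netsh branchcache show status all" shows).
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
Get-BCDataCache | Format-List

# 2. State of the firewall rules for the two BranchCache protocols.
Get-NetFirewallRule -DisplayGroup 'BranchCache*' |
    Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize

# 3. Performance counters. The retrieval byte counters are found by pattern in the
#    BranchCache counter set; the cache share is the bandwidth saving the text describes.
$set   = Get-Counter -ListSet 'BranchCache'
$paths = $set.Paths | Where-Object { $_ -like '*Retrieval: Bytes from*' }
if ($paths) {
    $samples    = (Get-Counter -Counter $paths).CounterSamples
    $fromCache  = ($samples | Where-Object Path -like '*from cache*'  | Measure-Object CookedValue -Sum).Sum
    $fromServer = ($samples | Where-Object Path -like '*from server*' | Measure-Object CookedValue -Sum).Sum
    $total = $fromCache + $fromServer
    if ($total -gt 0) {
        'Bytes from cache: {0:N0}  from server: {1:N0}  cache share: {2:P1}' -f `
            $fromCache, $fromServer, ($fromCache / $total)
    } else {
        'No BranchCache retrievals recorded since the counters were last reset.'
    }
} else {
    Write-Warning 'BranchCache retrieval counters not found; is the service installed?'
}

# 4. Recent events from the BranchCache operational log, errors and warnings first
#    (Level 2 = Error, 3 = Warning, 4 = Information).
Get-WinEvent -LogName 'Microsoft-Windows-BranchCache/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Sort-Object Level, TimeCreated |
    Select-Object TimeCreated, Level, Id,
        @{n='Message'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

A cache share near zero on a client that has fetched the same content twice points at a configuration problem rather than a slow link: check that the firewall rules are enabled, that the content server publishes hashes, and, in Hosted Cache mode, that the client trusts the Hosted Cache server's certificate.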

Lab B: Implementing BranchCache

Scenario
A. Datum has deployed a new branch office. This office has a single server. To support branch staff requirements, you must configure BranchCache. Data is centralized at the head office. To reduce WAN use out to the branch office, you must configure BranchCache for this data.

Objectives
After completing this lab, you will be able to:

Perform initial configuration tasks for BranchCache.

Configure BranchCache clients.

Configure BranchCache on the branch server.

Lab Setup
Estimated time: 40 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-CL1, 20417A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Do not start 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2 until directed to do so.

Exercise 1: Performing Initial Configuration Tasks for BranchCache

Scenario
Before you can configure the BranchCache feature for your branch offices, you must configure the network components.

The main tasks for this exercise are as follows:
1. Configure LON-DC1 to use BranchCache.
2. Simulate a slow link to the branch office.
3. Enable a file share for BranchCache.
4. Configure client firewall rules for BranchCache.

X Task 1: Configure LON-DC1 to use BranchCache
1. Switch to LON-DC1.
2. Open Server Manager and install the BranchCache for Network Files role service.
3. Open the Local Group Policy Editor (gpedit.msc).
4. Navigate to and open Computer Configuration/Administrative Templates/Network/Lanman Server/Hash Publication for BranchCache. Enable this setting and then select Allow hash publication only for shared folders on which BranchCache is enabled.

X Task 2: Simulate a slow link to the branch office
1. Navigate to Computer Configuration\Windows Settings\Policy-based QoS.
2. Create a new policy with the following settings:
   o Name: Limit to 100Kbps
   o Specify Outbound Throttle Rate: 100

Note: This task is required to simulate a slow network connection in a test environment where all the computers are connected by a fast network connection.

X Task 3: Enable a file share for BranchCache
1. In Windows Explorer, create a new folder named C:\Share.
2. Share this folder with the following properties:
   o Share name: Share
   o Permissions: default
   o Caching: Enable BranchCache
3. Copy C:\Windows\System32\mspaint.exe to the C:\Share folder.

X Task 4: Configure client firewall rules for BranchCache
1. On LON-DC1, open Group Policy Management.
2. Navigate to Forest: Adatum.com\Domains\Adatum.com\Default Domain Policy. Open the policy for editing.
3. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
4. Create a new inbound firewall rule with the following properties:
   o Rule type: predefined
   o Use BranchCache - Content Retrieval (Uses HTTP)
   o Action: Allow
5. Create a new inbound firewall rule with the following properties:
   o Rule type: predefined
   o Use BranchCache - Peer Discovery (Uses WSD)
   o Action: Allow

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and enabled BranchCache on a file share.

Exercise 2: Configuring BranchCache Client Computers

Scenario
After you have configured the network components, you must now make sure the client computers are configured correctly. This is a preparatory task to be able to use BranchCache.

The main task for this exercise is to configure client computers to use BranchCache in the Hosted Cache mode.

X Task: Configure client computers to use BranchCache in the Hosted Cache mode
1. On LON-DC1, in Group Policy Management Editor, configure the following at Computer Configuration\Policies\Administrative Templates\Network\BranchCache:
   o Turn on BranchCache: Enable
   o Set BranchCache Hosted Cache mode: Enable
   o Type the name of the hosted Cache server: LON-SVR1.adatum.com
   o Configure BranchCache for network files: Enable
   o Type the maximum round trip network latency value (milliseconds) after which caching begins: 0
2. Start 20417A-LON-CL1, open a Command Prompt window, and refresh the Group Policy settings (gpupdate /force).
3. At the command prompt, type netsh branchcache show status all, and then press Enter.
4. Start 20417A-LON-CL2, open a Command Prompt window, and refresh the Group Policy settings (gpupdate /force).
5. At the command prompt, type netsh branchcache show status all, and then press Enter.

Note: To test BranchCache in a test lab, you should deploy two client computers. This enables you to request a file from one of the client computers, and then verify that the file is retrieved from the local cache on the second client computer.

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 3: Configuring BranchCache on the Branch Server

Scenario
The next step you must perform is to configure a file server for the BranchCache feature. You will install the BranchCache feature and configure it as a BranchCache Host Server.

The main tasks for this exercise are as follows:
1. Install the BranchCache feature on LON-SVR1.
2. Start the BranchCache Host Server.

X Task 1: Install the BranchCache feature on LON-SVR1
1. Start 20417A-LON-SVR1. After the computer starts, log on as Adatum\Administrator with the password of Pa$$w0rd.
2. Open Server Manager and add the BranchCache for Network Files role service.
3. Add the BranchCache feature.

X Task 2: Start the BranchCache host server
1. On LON-DC1, open Active Directory Users and Computers. Create a new OU called BranchCacheHost and move LON-SVR1 into this OU.
2. Open Group Policy Management and block GPO inheritance on the BranchCacheHost OU.
3. Switch to LON-SVR1 and restart the computer. Log on as Adatum\Administrator with the password of Pa$$w0rd.
4. Open Windows PowerShell by clicking the icon on the taskbar and run the following cmdlets:

   Enable-BCHostedServer -RegisterSCP
   Get-BCStatus

Note: BranchCache is only available on Windows 8 Enterprise edition. This edition was not available when this course was created, so the BranchCache verification steps are not included in this lab.

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.
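The following script is an added example, not part of the lab, that verifies the Hosted Cache server on LON-SVR1 after Task 2: the hosted cache configuration, the BranchCache service, the HTTPS certificate bindings, and whether a certificate suitable for server authentication and matching the FQDN that clients are configured with exists in the machine certificate store. The FQDN is the one entered in Exercise 2; PeerDistSvc is the service name of the BranchCache service.

```powershell
# Added example (not from the course): verify the Hosted Cache server role on LON-SVR1.
# Clients talk to a Hosted Cache server over TLS, so the server needs a certificate
# they trust whose name matches the FQDN they were given through Group Policy.

$Fqdn = 'LON-SVR1.adatum.com'    # value of "Type the name of the hosted Cache server" in Exercise 2

# 1. Hosted cache role state and overall service state.
Get-BCHostedCacheServerConfiguration | Format-List
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
Get-Service -Name PeerDistSvc | Select-Object Name, Status

# 2. HTTPS bindings on this host (http.sys): a hosted cache server that clients can use
#    over TLS must have a certificate bound for the port they connect to.
netsh http show sslcert

# 3. Certificates in the machine store that can be used for server authentication,
#    flagged by whether their subject matches the client-configured FQDN and whether
#    the local machine can build a trusted chain for them.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{n='MatchesFqdn'; e={ $_.Subject -like "*CN=$Fqdn*" }},
        @{n='ChainTrusted'; e={ $_.Verify() }} |
    Format-Table -AutoSize
```

ChainTrusted is evaluated on the server itself; a certificate that verifies here still fails on clients unless the issuing CA is in their trusted root store, which is why the lab's A. Datum domain CA (or a certificate from it) is the expected issuer rather than a self-signed certificate.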

X To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-CL1, and 20417A-LON-CL2.

Module Review and Takeaways

Question: How does BranchCache differ from DFS?
Question: Why would you want to implement BranchCache in Hosted Cache mode instead of the Distributed Cache mode?
Question: Is the Storage Spaces feature also available on Windows 8?
Question: Can you configure data deduplication on a boot volume?

Tools

Tool: iSCSI target server
Use: Configure iSCSI targets
Where to find it: In Server Manager, under File and Storage Services

Tool: iSCSI initiator
Use: Configure a client to connect to an iSCSI target virtual disk
Where to find it: In Server Manager, in the Tools drop-down list

Tool: Deduplication Evaluation tool (DDPEval.exe)
Use: Analyze a volume for the potential saving when enabling data deduplication
Where to find it: C:\windows\system32

Module 5
Implementing Network Services
Contents:
Module Overview 5-1
Lesson 1: Implementing DNS and DHCP Enhancements 5-2
Lesson 2: Implementing IP Address Management 5-10
Lesson 3: NAP Overview 5-14
Lesson 4: Implementing NAP 5-20
Lab: Implementing Network Services 5-25
Module Review and Takeaways 5-31

Module Overview

As seasoned administrators are aware, network services such as Domain Name System (DNS) provide
critical support for name resolution of network and Internet resources. With Dynamic Host Configuration
Protocol (DHCP) you can manage and distribute IP addresses to client computers. DHCP is essential in
managing IP-based networks. DHCP failover can prevent client computers from losing access to the
network if there is a DHCP server failure. IP Address Management provides a unified means of controlling
IP addressing. With Network Access Protection (NAP), administrators can control which computers have
access to corporate networks based on the computers' adherence to corporate security policies.

This module introduces DNS and DHCP improvements, what is new in IP address management, and
describes how to implement these features. It also provides an overview and implementation guidance for
NAP.

Objectives
After completing this module, you will be able to:

Implement DHCP and DNS enhancements.

Implement IP address management.

Describe NAP.

Implement NAP.

Lesson 1
Implementing DNS and DHCP Enhancements

In TCP/IP networks of any size, certain services are required. DNS is one of the most important network services. Many other applications and services, including Active Directory Domain Services (AD DS), rely on DNS to resolve resource names to IP addresses. Without DNS availability, user authentications can fail, and network-based resources and applications can become inaccessible. To prevent this, DNS has to be protected. Windows Server 2012 implements DNS Security Extensions (DNSSEC) to protect the authenticity of DNS responses.

DHCP has long been used to ease the distribution of IP addresses to network client computers. Windows Server 2012 improves the functionality of DHCP by providing failover capabilities.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the new DNS features in Windows Server 2012.

Configure DNSSEC.

Describe the new DHCP features in Windows Server 2012.

Configure failover for DHCP.

What's New in DNS in Windows Server 2012
DNSSEC and Global Name Zones are two features that continue to be available in Windows Server 2012. However, the DNSSEC implementation has been simplified in Windows Server 2012.

DNSSEC

Intercepting and tampering with an organization's DNS query response is a common attack method. If an attacker can alter the response from a DNS server, or send a spoofed response to point client computers to their own servers, they can gain access to sensitive information. This is known as a man-in-the-middle attack. Any service that relies on DNS for the initial connection, such as e-commerce web servers and email servers, is vulnerable. DNSSEC is intended to protect clients that are making DNS queries from accepting false DNS responses.

New Resource Records
Validation of DNS responses is achieved by associating a private/public key pair (generated by the administrator) with a DNS zone and defining additional DNS resource records to sign and publish keys. Resource records distribute the public key while the private key remains on the server. When the client requests validation, DNSSEC adds data to the response that enables the client to authenticate the response.

Windows Server 2012 defines the new resource records in the following table.

Resource Record: DNSKEY
Purpose: This record publishes the public key for the zone. It checks the authority of a response against the private key held by the DNS server. These keys require periodic replacement, which is known as key rollover. Windows Server 2012 supports automated key rollovers.

Resource Record: DS
Purpose: This is a delegation record that contains the hash of the public key of a child zone. This record is signed by the parent zone's private key. If a child zone of a signed parent is also signed, the DS records from the child must be manually added to the parent so that a chain of trust can be created.

Resource Record: RRSIG
Purpose: This record holds a signature for a set of DNS records. It is used to check the authority of a response.

Resource Record: NSEC
Purpose: When the DNS response has no data to provide to the client, this record authenticates that the host does not exist.

Trust Anchors

A trust anchor is an authoritative entity represented by a public key. The TrustAnchors zone stores
preconfigured public keys that are associated with a specific zone. In DNS the trust anchor is the DNSKEY
or DS resource record. Client computers use these records to build trust chains. A trust anchor from the
zone must be configured on every domain DNS server in order to validate responses from that signed
zone. If the DNS server is a domain controller then Active Directory integrated zones can distribute the
trust anchors.

Name Resolution Policy Table (NRPT)

The NRPT contains rules that control the DNS client behavior for sending DNS queries and processing
the responses from those queries. For example, a DNSSEC rule prompts the client computer to check for
validation of the response for a particular DNS domain suffix. Group policy is the preferred method of
configuring the NRPT. If there is no NRPT present the client computer does not validate responses.

Considerations when implementing DNSSEC

Consider the following before you implement DNSSEC:

The zone replication scope or type cannot be changed while a zone is signed.

DNS response messages are larger.

DNS traffic increases are caused by queries for DNSKEY records.

Zone files are larger.

The client computer has to spend more time authenticating responses.

There is an added level of administration to maintain.

GlobalNames Zones

GlobalNames zones address a problem in multiple DNS domain environments. GlobalNames zones are
used when you must maintain a list of DNS search suffixes on client computers to resolve names among
these multiple DNS domains. For example, if an organization supports two DNS domains, such as
Widgets.com and Corp.com, users in the Widgets.com DNS domain have to use the fully qualified domain
name (FQDN) to locate the servers in corp or the domain administrator has to add a DNS search suffix for
Corp.com on all the systems in the Widgets.com domain. In other words, if users in the Widgets.com
domain want to locate a server named Data in the Corp.com domain, they would have to search for the
FQDN of Data.Corp.com to locate that server. If they just search for the server name Data, then the
search would fail.

GlobalNames zones are based on creating Canonical Name (CNAME) records (or aliases) in a special
forward lookup zone that uses single names to point to FQDNs. GlobalNames zones enable clients in any
DNS domain to use a single label name, such as Data, to locate a server whose FQDN is Data.corp.com
without having to use the FQDN.

Creating GlobalNames Zones

To create GlobalNames zones:

Use the Dnscmd utility to enable GlobalNames zones functionality.

Create a new forward lookup zone named GlobalNames (not case-sensitive). Do not enable dynamic
updates for this zone.

Manually create CNAME records that point to records that already exist in the other zones hosted on
your DNS servers.

For example, you could create a CNAME record in the GlobalNames zone for Data that points to
Data.corp.com. This enables clients from any DNS domain in the organization to find this server by the
single label name of Data.
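The three steps above as a PowerShell script, added here as an example and not part of the course text. It assumes a Windows Server 2012 DNS server that is also a domain controller (so the zone can be forest-replicated), an existing host record data.corp.com on that server, and the alias name Data from the text; the refusal to create a dangling alias is an added check.

```powershell
# Added example (not from the course text): create the GlobalNames zone described above and
# confirm that a single-label lookup resolves through it.
# Assumptions: run as a DNS administrator on a Windows Server 2012 DNS server that is a
# domain controller; corp.com with a host record named data is already hosted here.

$ZoneName   = 'GlobalNames'
$Alias      = 'Data'
$TargetFqdn = 'data.corp.com.'   # existing A record in another zone on this server

# Step 1: enable GlobalNames zone support (the step the course assigns to Dnscmd).
dnscmd /config /enableglobalnamessupport 1 | Out-Null

# Step 2: create the special forward lookup zone with dynamic updates disabled, so only
# administrators can add aliases to it (a client cannot register a single-label name).
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest -DynamicUpdate None
}

# Step 3: add the CNAME manually. Refuse to alias a name whose target does not resolve,
# because a dangling GlobalNames entry makes every single-label lookup for it fail.
$target = Resolve-DnsName -Name $TargetFqdn -Type A -ErrorAction SilentlyContinue
if (-not $target) { throw "Target $TargetFqdn does not resolve; not creating alias $Alias" }

Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $Alias -HostNameAlias $TargetFqdn

# Verification: the zone must show DynamicUpdate = None, the CNAME must be present, and the
# alias must resolve by its single label (from a client in any domain of the forest).
Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, DynamicUpdate, ReplicationScope
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType CName
Resolve-DnsName -Name $Alias -Type A | Select-Object Name, Type, NameHost, IPAddress
```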

How to Configure DNSSEC

Although DNSSEC was supported in Windows Server 2008 R2, most of the configuration and
administration were performed manually, and zones were signed when they were offline. Windows
Server 2012 includes a DNSSEC wizard to simplify the configuration and signing process, and enables
online signing.

Deploying DNSSEC

To deploy DNSSEC:

1. Install Windows Server 2012 in the environment and assign the server the DNS role. Typically a
   domain controller also acts as the DNS server. However, that is not a requirement.

2. Sign the DNS zone by using the DNSSEC configuration wizard in the DNS Manager console.

3. Configure trust anchor distribution points.

4. Configure the NRPT on the client computers.

Assign the DNS Server Role

To add the DNS server role, from the Server Manager Dashboard, use the Add Roles and Features
Wizard. You can also add this role when you add the AD DS role. Configure the primary zones on the
DNS server. After a zone is signed, any new DNS servers on Windows Server 2012 automatically receive
the DNSSEC parameters.

Sign the Zone


To access the DNSSEC zone signing wizard, right-click the primary zone. You can sign zones on any
Windows Server 2012 that hosts a primary DNS zone. You cannot configure DNSSEC on secondary zones.
The wizard guides you through all the configuration steps required to sign the zone.
The following signing options are available:

The Configure the zone signing parameters option guides you through the steps and enables you
to set all values for the Key Signing Key (KSK) and the Zone Signing Key (ZSK).

The Sign the zone with parameters of an existing zone option enables you to keep the same
values and options as another signed zone.

The Use recommended settings option signs the zone by using the default values.
Note: Zones can also be unsigned by using the DNSSEC management user interface.

Configure Trust Anchor Distribution Points

If the zone is Active Directory Integrated, you should select to distribute the trust anchors to all the servers
in the forest. If trust anchors are required on computers that are not joined to the domain, for example, a
DNS server in the perimeter network (also known as DMZ, demilitarized zone, and screened subnet), then
you should enable automated key rollover.

Configure NRPT on Client Computers

The DNS client computer only performs DNSSEC validation on domain names where it is configured to
do so by the NRPT. A client computer running Windows 7 is DNSSEC aware, but does not perform
validation. It relies on the security aware DNS server to perform validation on its behalf.
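The four deployment steps of this section carried out with PowerShell, added here as an example and not part of the course text. It assumes LON-DC1 is a Windows Server 2012 domain controller hosting the Active Directory integrated primary zone Adatum.com; the GPO name and the host name www are constructed for the example, and the final check that RRSIG records come back is an added verification.

```powershell
# Added example (not from the course text): deploy DNSSEC for Adatum.com and confirm that
# clients are required to validate answers for that suffix.
# Assumptions: run as a domain admin on LON-DC1 (Windows Server 2012 DC hosting the AD
# integrated primary zone Adatum.com). GPO name and host name www are constructed.

$Zone    = 'Adatum.com'
$GpoName = 'NRPT-DNSSEC-Adatum'   # constructed GPO name

# Step 1: the DNS server role (a domain controller normally has it already).
if (-not (Get-WindowsFeature DNS).Installed) {
    Install-WindowsFeature DNS -IncludeManagementTools | Out-Null
}

# Step 2: sign the zone online with the default KSK/ZSK values, the same result as the
# wizard's "Use recommended settings" option. Signing works only on primary zones; on a
# secondary zone this cmdlet fails, just as the wizard is unavailable there.
if (-not (Get-DnsServerZone -Name $Zone).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force | Out-Null
}

# Step 3: trust anchor distribution. For an AD integrated zone, publish the DNSKEY as a
# trust anchor to all domain DNS servers (the wizard's "distribute to all servers in the
# forest" choice). DNS servers outside the domain need the key exported to them instead.
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DistributeTrustAnchor DnsKey
Get-DnsServerTrustAnchor -Name $Zone |
    Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState

# Step 4: the NRPT rule, delivered by Group Policy. DnsSecValidationRequired is the part
# that matters: with DnsSecEnable alone the client asks for validation but still accepts an
# answer that was not validated.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target 'DC=Adatum,DC=com' | Out-Null
}
Add-DnsClientNrptRule -GpoName $GpoName -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired

# Verification: a DNSSEC-OK query must return RRSIG records next to the A record, and the
# effective NRPT policy (after gpupdate on a client) must show validation as required.
$answer = Resolve-DnsName -Name "www.$Zone" -Type A -DnssecOk -Server 'LON-DC1'
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    Write-Warning "No RRSIG returned for www.$Zone; the zone is not signed on this server"
}
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq ".$Zone" } |
    Select-Object Namespace, DnsSecValidationRequired, DnsSecQueryIPsecRequired
```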

Demonstration: Configuring DNSSEC

In this demo you will see how to use the wizard in the DNS management console to configure DNSSEC.

Demonstration Steps

1. Log on to LON-DC1 as Adatum\Administrator.

2. Start the DNS Management console.

3. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.

4. Verify the DNSKEY resource records were created in the Trust Points zone.

5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for
   the Adatum.com suffix and requires DNS client computers to check that the name and address data is
   validated.

6. Close all open windows.

What's New in DHCP in Windows Server 2012

DHCP failover is a new feature for Windows Server 2012. It addresses the issue of client computers
losing connectivity to the network and all its resources if there is DHCP server failure. Another new
feature in Windows Server 2012 is DHCP name protection. Names that are registered in DNS by DHCP on
behalf of systems must be protected from being overwritten by non-Microsoft systems that have the
same name. For example, a Unix-based system named Client1 could potentially overwrite the DNS
address that was assigned and registered by DHCP on behalf of a Windows-based system also named
Client1. DHCP name protection addresses this issue.

DHCP Failover

DHCP client computers renew their lease on their IP address at regular, configurable intervals. If the
DHCP server service fails, then leases time out, and eventually client computers no longer have IP
addresses. In the past, DHCP failover was not possible because DHCP servers were independent and
unaware of one another. Configuring two separate DHCP servers to distribute IP addresses within the
same pool could lead to duplicate address assignment if the administrator incorrectly configured
overlapping ranges. The DHCP server failover feature enables an alternative DHCP server to distribute IP
addresses and associated option configuration to the same subnet or scope. Lease information is
replicated between the two DHCP servers. If one of the DHCP servers fails, then the other DHCP server
services the client computers for the whole subnet. In Windows Server 2012 you can configure one
alternative DHCP server for failover. Additionally, only IPv4 scopes and subnets are supported because
IPv6 uses a different IP address assignment scheme.

Note: For more information about DHCP options in IPv6, see:
http://technet.microsoft.com/en-us/library/cc753493.

DHCP Name Protection

Name squatting describes the problem where a DHCP client computer registers a name with DNS, but
that name is actively being used by another computer. The original computer then becomes
inaccessible. This problem typically occurs between non-Windows systems that have duplicate names of
Windows systems. DHCP Name Protection uses a resource record known as a DHCID to keep track of
which computer originally requested the name. This record is provided by the DHCP server and stored in
DNS. When the DHCP server receives a request to update a host record that is currently associated with a
different computer, the DHCP server can verify the DHCID in DNS to check whether the requester is the
original owner of the name. If it is not the same computer, the record in DNS is not updated. To resolve
this issue, either the current host name owner must release the IP address, or the requester must use a
different host name. You can implement name protection for both IPv4 and IPv6. Configuration is set in
the properties page at the IP address level or the scope level.

How to Configure Failover for DHCP

To configure failover of DHCP you must establish a failover relationship between the two servers. You
must give this relationship a unique name. This name is exchanged with the failover partner during the
configuration. This enables a single DHCP server to have multiple failover relationships with other DHCP
servers, as long as they all have unique names. Failover is configured through a wizard that you can start
on the shortcut menu of the IP node or the scope node.

Note: DHCP failover is time sensitive. Time must be kept synchronized between the partners in the
relationship. If the time difference is greater than one minute the failover process will stop with a critical
error.

Configure Maximum Client Lead Time

The administrator configures the Maximum Client Lead Time (MCLT) parameter to determine the time
that a DHCP server waits if the partner is unavailable before assuming control of the whole address
range. This value cannot be zero and the default is one hour.

Configure Failover Mode

Failover can be configured in one of two modes:

Mode               Characteristics

Hot Standby Mode   In this mode one server is the primary server and the other is a secondary. The
                   primary server actively distributes IP configurations for the scope or subnet. The
                   other DHCP server will only take over this role if the primary server becomes
                   unavailable. A DHCP server can act as the primary for one scope or subnet while it
                   is the secondary for another. Administrators must configure a percentage of the
                   scope addresses to be assigned to the standby server. These addresses are
                   distributed during the MCLT interval if the primary server is down. The default
                   value is 5 percent of the scope. The secondary takes control of the whole range
                   after the MCLT has passed. Hot Standby mode is best suited to deployments where a
                   data recovery (DR) site is located at a different location. Then, the DHCP server
                   does not service client computers unless there is an outage of the main server.

Load Sharing Mode  This is the default mode. In this mode both servers concurrently distribute IP
                   configuration to client computers. Which server responds to IP configuration
                   requests depends on how the administrator configures the load distribution ratio.
                   The default ratio is 50:50.

Configure Auto State Switchover Interval

When a server loses contact with its partner it goes into a communication interrupted state. Because the
server cannot determine what is causing the communication loss, it stays in this state until the
administrator manually changes it to a partner down state. The administrator can also enable automatic
transition to partner down state by configuring the auto state switchover interval. The default value for
this interval is 10 minutes.


Configure Message Authentication


Windows Server 2012 enables you to authenticate the failover message traffic between the replication
partners. The administrator can establish a shared secret, much like a password, in the configuration
wizard for DHCP failover. This validates that the failover message comes from the failover partner.

Firewall Considerations


DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following incoming
and outgoing firewall rules:

Microsoft-Windows-DHCP-Failover-TCP-In

Microsoft-Windows-DHCP-Failover-TCP-Out

Configure DHCP Failover

The Configuration Failover Wizard steps you through the process of creating a failover relationship. The
wizard prompts you to enter the following information:

Name of the relationship

Which scopes are selected for failover

Name of the partner server

The MCLT

The Mode

The Load Balance Percentage

The Auto State Switchover Interval

Message Authentication setting

A shared secret

The failover relationship can then be modified as required through the Failover tab in the properties
of IPv4.


Demonstration: Configuring Failover for DHCP


In the demonstration you will see how to use the DHCP console to configure DHCP failover in load
sharing mode.

Demonstration Steps

1. Log on to LON-SVR1 as the Adatum\administrator.

2. Start the DHCP console and view the current state of DHCP. Note the server is authorized but no
   scopes are configured.

3. Switch to LON-DC1.

4. Open the DHCP Management console and start the Configure Failover Wizard.

5. Configure failover replication with the following settings:

   Partner server = 172.16.0.21
   Relationship Name = Adatum
   Maximum Client Lead Time = 15 minutes
   Mode = Load balance
   Load Balance Percentage = 50%
   State Switchover Interval = 60 minutes
   Message authentication shared secret: Pa$$w0rd

6. Complete the wizard.
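The same failover relationship built with PowerShell, added here as an example and not part of the course text. It assumes LON-DC1 already hosts the scope 172.16.0.0 (constructed for the example) and LON-SVR1 at 172.16.0.21 is an authorized partner; the clock-skew and firewall pre-checks and the name protection setting are additions that apply the cautions given earlier in this lesson, and the shared secret is prompted for rather than written into the script.

```powershell
# Added example (not from the course text): create the Adatum failover relationship from the
# demonstration, after checking the two conditions the lesson says will break failover.
# Assumptions: run on LON-DC1 as Adatum\Administrator; scope 172.16.0.0 (constructed) exists
# on LON-DC1; LON-SVR1 (172.16.0.21) is an authorized DHCP server with no scopes.

$Partner = '172.16.0.21'
$ScopeId = '172.16.0.0'

# Pre-check 1: failover stops with a critical error when the partners' clocks differ by
# more than one minute, so measure the offset to the partner before configuring anything.
$chart = w32tm /stripchart /computer:$Partner /samples:1 /dataonly
$match = $chart | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if (-not $match) { throw "Could not read the clock offset from $Partner" }
$offsetSec = [double]$match.Matches[0].Groups[1].Value
if ([math]::Abs($offsetSec) -gt 60) {
    throw "Clock offset to $Partner is $offsetSec s; fix time synchronization first"
}

# Pre-check 2: failover traffic uses TCP 647; the rules created by the DHCP installation
# must be enabled (repeat on the partner).
foreach ($rule in 'Microsoft-Windows-DHCP-Failover-TCP-In', 'Microsoft-Windows-DHCP-Failover-TCP-Out') {
    if ((Get-NetFirewallRule -Name $rule).Enabled -ne 'True') { Write-Warning "$rule is disabled" }
}

# Message authentication: the shared secret lets each partner validate that a failover
# message really came from the other. Prompt for it so it is not kept in the script.
$secure = Read-Host -AsSecureString -Prompt 'Failover shared secret'
$secret = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Load balance mode at 50:50 (the default ratio), MCLT 15 minutes, automatic transition to
# partner down after 60 minutes of lost contact, as in the demonstration.
Add-DhcpServerv4Failover -Name 'Adatum' `
    -PartnerServer $Partner `
    -ScopeId $ScopeId `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $secret `
    -Force

# Name protection on the same scope: the DHCID record keeps a different machine from
# overwriting the DNS name that DHCP registered on behalf of the original client.
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -NameProtection $true

# Verification: the relationship shows authentication enabled and a Normal state, and the
# scope now also exists on the partner (it is replicated, not created there by hand).
Get-DhcpServerv4Failover -Name 'Adatum' |
    Select-Object Name, PartnerServer, Mode, State, LoadBalancePercent, MaxClientLeadTime, EnableAuth
Get-DhcpServerv4Scope -ComputerName $Partner -ScopeId $ScopeId | Select-Object ScopeId, Name, State
```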


Lesson 2

Implementing IP Address Management

With the development of IPv6 and more and more devices requiring IP addresses, networks have become
very complex and difficult to manage. Windows Server 2012 has implemented IP Address Management
(IPAM) as a tool to manage IP addresses.

Lesson Objectives

After completing this lesson, you will be able to:

Describe IPAM.

Describe the IPAM architecture.

Describe the requirements for IPAM.

What is IP Address Management?

IP management is difficult in large networks because tracking IP address usage is largely a manual
operation. IPAM is a framework for discovering, utilization monitoring, auditing, and managing the IP
address space in a network. IPAM enables the administration and monitoring of DHCP and DNS. IPAM
provides a comprehensive view of where IP addresses are used. IPAM collects information from domain
controllers and Network Policy Servers (NPS) and stores that information in the Windows Internal
Database.

IPAM assists in the areas of IP administration shown in the following table.

IP Administration Area   IPAM Capabilities

Planning                 Provides a tool set that can reduce the time and expense of the planning
                         process when changes occur in the network.

Managing                 Provides a single point of management and assists in optimizing utilization
                         and capacity planning for DHCP and DNS.

Tracking                 Enables tracking and forecasting of IP address utilization.

Auditing                 Assists with compliance requirements, such as HIPAA and Sarbanes-Oxley, and
                         provides reporting for forensics and change management.

Benefits of IPAM

IPAM benefits include:

IPv4 and IPv6 address space planning and allocation.

IP address space utilization statistics and trend monitoring.

Static IP inventory management, lifetime management and DHCP and DNS record creation and
deletion.

Service and zone monitoring of DNS services.

IP address lease and logon event tracking.

Role-based access control.

Remote administration support through Remote Server Administration Tools (RSAT).

Note: IPAM does not support management and configuration of non-Microsoft network elements.

IPAM Architecture

IPAM consists of four main modules, as shown in the following table:

Module                      Description

IPAM discovery              You use Active Directory to discover servers running Windows Server 2008
                            and later versions that have DNS, DHCP, or AD DS installed. Administrators
                            can define the scope of discovery to a subset of domains in the forest.
                            They can also manually add servers.

IP address space            You can use this module to view, monitor and manage the IP address space.
management (ASM)            You can dynamically issue or statically assign addresses. You can also
                            track address utilization and detect overlapping DHCP scopes.

Multi-server management     You can manage and monitor multiple DHCP servers. This enables tasks to be
and monitoring              executed across multiple servers. For example, you can configure and edit
                            DHCP properties and scopes and track the status of DHCP and scope
                            utilization. You can also monitor multiple DNS servers, and monitor the
                            health and status of DNS zones across authoritative DNS servers.

Operational auditing and    You can use the auditing tools to track potential configuration problems.
IP address tracking         You can also collect, manage, and view details of configuration changes
                            from managed DHCP servers. You can also collect address lease tracking
                            from DHCP lease logs, and collect logon event information from Network
                            Policy Servers (NPS) and domain controllers.

The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three
topologies:

Distributed: An IPAM server is deployed to every site in the forest.

Centralized: Only one IPAM server is deployed in the forest.

Hybrid: A central IPAM server is deployed together with a dedicated IPAM server in each site.

Note: IPAM servers do not communicate with one another or share database information. If you deploy
multiple IPAM servers, you must customize the discovery scope of each server.

IPAM has two main components:

IPAM Server performs the data collection from the managed servers. It also manages the Windows
Internal Database and provides role-based access control.

IPAM Client provides the client computer user interface and interacts with the IPAM server and
invokes PowerShell to perform DHCP configuration tasks, DNS monitoring and remote management.

Requirements for IPAM Implementation

You must meet several prerequisites to ensure a successful IPAM deployment:

The IPAM server must be a domain member, but cannot be a domain controller.

The IPAM server should be a single purpose server. Do not install other network roles such as DHCP or
DNS on the same server.

To manage the IPv6 address space, IPv6 must be enabled on the IPAM server.

Log on to the IPAM server with a domain account, not a local account.

You must be a member of the correct IPAM local security group on the IPAM server.

Ensure that logging of account logon events is enabled on DC and NPS servers for the IP Address
Tracking and auditing feature of IPAM.

Hardware and software requirements:

Dual core processor of 2.0 GHz or higher

Windows Server 2012 operating system

4 GB of RAM or more

80 GB of free hard disk space

Demonstration: Implementing IPAM

In this demonstration you will see how to install IPAM. You will also see how to create the related GPOs
and begin server discovery.

Demonstration Steps

1. Log on to LON-SVR1 as Adatum\Administrator.

2. In Server Manager add the IPAM feature and all required supporting features.

3. From the IPAM Overview pane provision the IPAM server by using Group Policy.

4. Enter IPAM as the GPO name prefix and provision IPAM.

5. From the IPAM Overview pane configure server discovery for the Adatum domain.

6. From the IPAM Overview pane start the server discovery process.
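The prerequisite checks from the previous topic and demonstration steps 2 to 4 as a script, added here as an example and not part of the course text. It assumes LON-SVR1 in the adatum.com domain and the GPO prefix IPAM from the demonstration; the FQDN is constructed from those. Discovery scope (steps 5 and 6) is left to the IPAM console, since the course gives no cmdlet for it.

```powershell
# Added example (not from the course text): verify the IPAM prerequisites listed above, then
# install the feature and provision the managed servers through Group Policy.
# Assumptions: run on LON-SVR1 as Adatum\Administrator in the adatum.com domain; the GPO
# prefix IPAM comes from the demonstration, the server FQDN is constructed from it.

$Domain    = 'adatum.com'
$GpoPrefix = 'IPAM'
$IpamFqdn  = "lon-svr1.$Domain"

# Prerequisites: domain member but not a domain controller, no DHCP/DNS role on the same
# server, a domain logon, IPv6 enabled if IPv6 space is to be managed, and the hardware
# minimums. DomainRole 4 and 5 are backup and primary domain controllers.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'The IPAM server must be a domain member' }
if ($cs.DomainRole -ge 4)  { throw 'IPAM cannot be installed on a domain controller' }
foreach ($role in 'DHCP', 'DNS') {
    if ((Get-WindowsFeature -Name $role).Installed) {
        throw "The $role role is installed; the IPAM server should be single purpose"
    }
}
if ($env:USERDOMAIN -eq $env:COMPUTERNAME) { throw 'Log on with a domain account, not a local account' }
if (-not (Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)) {
    Write-Warning 'IPv6 is disabled on every adapter; the IPv6 address space cannot be managed'
}
if ($cs.TotalPhysicalMemory -lt 4GB) { Write-Warning 'Less than 4 GB of RAM' }
if ((Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free -lt 80GB) {
    Write-Warning 'Less than 80 GB of free disk space'
}

# Step 2: the IPAM feature together with its supporting features.
Install-WindowsFeature -Name IPAM -IncludeManagementTools | Out-Null

# Steps 3 and 4: provision with Group Policy. This creates the <prefix>_DHCP, <prefix>_DNS
# and <prefix>_DC_NPS GPOs that grant the IPAM server's computer account the read access it
# needs to DHCP, DNS and the logon event logs on DCs and NPS servers (the audit feature
# still needs account logon event logging enabled on those servers).
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamFqdn -Force

# Verification: the three GPOs exist and the server reports Group Policy provisioning.
foreach ($suffix in 'DHCP', 'DNS', 'DC_NPS') {
    Get-GPO -Name "${GpoPrefix}_$suffix" | Select-Object DisplayName, GpoStatus
}
Get-IpamConfiguration | Select-Object ProvisioningMethod, GpoPrefix, Version
```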

Lesson 3

NAP Overview

NAP is a policy-enforcement platform that is built into the Windows XP with Service Pack 3 (SP3) and
later operating systems, and into Windows Server 2008 and later operating systems. NAP enables you
to protect network assets by enforcing compliance with system-health requirements. NAP provides the
necessary software components to help ensure that computers that are connected or connecting to the
network remain manageable so that they do not become a security risk to the network and other
attached computers.

Lesson Objectives

After completing this lesson, you will be able to:

Describe NAP.

Describe NAP architecture.

Describe scenarios for using NAP.

Describe the considerations for using NAP.

What is NAP?

NAP enforces client computer health before it enables client computers to access the network. Client
health can be based on characteristics such as antivirus software status, Windows Firewall status, or the
installation of security updates. The monitored characteristics are based on which system health agents
are installed. NAP enables you to create solutions for validating computers that connect to your
networks, in addition to providing needed updates or access to needed health update resources, and
limiting the access or communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors or with custom
programs. You can customize the health-maintenance solution that developers within your organization
might develop and deploy, whether for monitoring the computers accessing the network for health
policy compliance, automatically updating computers with software updates to meet health policy
requirements, or limiting the access to a restricted network of computers that do not meet health policy
requirements.

NAP does not protect a network from malicious users. Instead, it enables you to maintain the health of
your organization's networked computers automatically, which in turn helps maintain the network's
overall integrity. For example, if a computer has all the software and configuration settings that the
health policy requires, the computer is compliant and has unlimited network access. NAP does not
prevent an authorized user who has a compliant computer from uploading a malicious program to the
network or engaging in other unsuitable behavior. Also, unless configured specifically, NAP cannot
determine whether a client computer is free of viruses, trojans, rootkits or malware. Default behavior is
to check for compliance in having current antivirus software and configurations.

Features of NAP

NAP has three important and distinct features:

Health state validation: When a client computer tries to connect to the network, NAP validates the
computer's health state against the health-requirement policies that the administrator defines. You
can also define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated and the compliance state of each computer is logged for
analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies
could find their access limited to a restricted network.

Health policy compliance: You can help ensure compliance with health-requirement policies by
choosing to update noncompliant computers automatically with missing software updates or
configuration changes through management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers have network access before
they are updated with required updates or configuration changes. In a limited access environment,
noncompliant computers have limited access until the updates and configuration changes are
completed. In both environments, computers that are compatible with NAP can become compliant
automatically and you can define exceptions for computers that are not NAP compatible.

Limited Access: You can protect your networks by limiting the access of noncompliant computers.
You can base limited network access on a specific time, or on the resources that the noncompliant
computer can access. In the latter case, you define a restricted network that contains health update
resources, and the limited access lasts until the noncompliant computer comes into compliance. You
can also configure exceptions so that computers that are incompatible with NAP do not have limited
network access.

What's New for NAP in Windows Server 2012

Support for Windows PowerShell

You can now use Windows PowerShell to automate the installation of the Network Policy and Access
Services server role. You can also use Windows PowerShell to deploy and configure some aspects of
Network Policy Server.

Removed Functionality

In Windows Server 2008 R2 and Windows Server 2008, Network Policy and Access Services included
the Routing and Remote Access Service role service. In Windows Server 2012, RRAS is now a role
service in the Remote Access server role.

NAP Architecture

The following table describes the NAP components.

Components               Description

NAP Clients              Computers that support the NAP platform for system health-validated
                         network access or communication. Client architecture consists of:

                         NAP enforcement client (EC): ECs monitor attempts to connect to the
                         network. Different EC components exist for different types of network
                         access.

                         System health agents (SHA): SHAs report on one or more elements of
                         system health. For example, there might be an SHA for checking antivirus
                         definitions and another for checking Windows updates. The SHA returns a
                         statement of health (SoH) to the NAP agent which passes that to the NAP
                         health policy server for evaluation.

                         NAP agent: Collects and stores SoHs from the SHAs and supplies it to the
                         ECs when requested.

NAP enforcement points   NAP enforcement points are computers or network-access devices that use
                         NAP to evaluate a NAP client computer's health state. NAP enforcement
                         points rely on policies from a Network Policy Server (NPS) to perform that
                         evaluation and determine whether network access or communication is
                         enabled, and the set of remediation actions that a noncompliant NAP
                         client computer must perform.

                         NAP enforcement points can include:

                         Health Registration Authority (HRA) is a server running Windows Server
                         2012 with Internet Information Services (IIS) installed that obtains
                         health certificates from a certification authority (CA) for compliant
                         computers.

                         VPN server is a Windows 2012 server that runs Routing and Remote Access,
                         and that enables remote access VPN intranet connections through remote
                         access.

                         DHCP server is a Windows 2012 server that runs the DHCP Server service.

                         Network access devices are Ethernet switches or wireless access points
                         that support IEEE 802.1X authentication.

Components               Description

NAP health policy        Windows 2012 servers run the NPS service and store health-requirement
servers                  policies and provide health-state validation for NAP. NPS replaces the
                         Internet Authentication Service (IAS), and the Remote Authentication
                         Dial-In User Service (RADIUS) server and proxy that Windows Server 2003
                         provides. The NAP health policy server has the following components:

                         NPS service: Receives RADIUS requests and extracts the System State of
                         Health (SSoH) and passes it to the NAP administration server component.

                         NAP Administration Server: Makes communication easier between the NPS
                         service and the SHVs.

                         System Health Validators (SHV): You define SHVs for system health
                         elements and match them to an SHA. An example of these would be a SHV
                         for an antivirus software that tracks the latest version of the antivirus
                         definition file.

                         NPS also acts as an authentication, authorization, and accounting (AAA)
                         server for network access. When acting as an AAA server or NAP health
                         policy server, NPS typically runs on a separate server for centralized
                         configuration of network access and health-requirement policies. The NPS
                         service also runs on Windows Server 2012-based NAP enforcement points
                         that do not have a built-in RADIUS client computer, such as an HRA or
                         DHCP server. However, in these configurations, the NPS service acts as a
                         RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

AD DS                    AD DS stores account credentials and properties, and stores Group Policy
                         settings. Although not required for health-state validation, Active
                         Directory is required for IPSec-protected communications,
                         802.1X-authenticated connections, and remote access VPN connections.

Restricted network       This is a separate logical or physical network that has the following
                         components:

                         Remediation servers that contain health update resources, such as
                         antivirus definition distribution points and Windows software update
                         servers, which NAP client computers can access to remedy their
                         noncompliant state.

                         NAP client computers that have limited access are added on the restricted
                         network when they do not comply with health-requirement policies.

Scenarios for Using NAP

NAP provides a solution for the common scenarios described in this section. Depending on your needs, you can configure a solution to address any of these scenarios for your network.

Roaming Portable Computers

Portability and flexibility are two primary portable computer advantages, but these features also present a system health threat. Users frequently connect their portable computers to other networks. When users are away from your organization, their portable computers might not receive the most recent software updates or configuration changes. Additionally, exposure to unprotected networks, such as the Internet, could introduce security-related threats to the portable computers. NAP lets you check any portable computer's health state when it reconnects to the organization's network, whether through a VPN, DirectAccess connection, or the workplace network connection.

Desktop Computers

Although desktop computers are usually not taken out of the company building, they still can present a threat to the network. To minimize this threat, you must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from websites, email, files from shared folders, and other publicly available resources. NAP enables you to automate health state checks to verify each desktop computer's compliance with health-requirement policies. You can check log files to determine which computers do not comply. Additionally, by using management software, you can generate automatic reports and automatically update noncompliant computers. When you change health-requirement policies, computers can be provisioned automatically with the most recent updates.

Visiting Portable Computers

Organizations frequently have to enable consultants, business partners, and guests to connect to their private networks. The portable computers that these visitors bring into your organization might not meet system health requirements and can present health risks. NAP enables you to determine which visiting portable computers are noncompliant and limit their access to restricted networks. Typically, you would not require or provide any updates or configuration changes for visiting portable computers. You can configure Internet access for visiting portable computers, but not for other organizational computers that have limited access.

Unmanaged Home Computers

Unmanaged home computers that are not a member of the company's Active Directory domain can connect to a managed company network through VPN. Unmanaged home computers provide an additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements, such as the use of antivirus software, more difficult. However, NAP enables you to verify the health state of a home computer every time that it makes a VPN connection to the company network, and to limit its access to a restricted network until it meets system health requirements.

Considerations for NAP

Before you implement NAP, you must consider the following points.

Considerations for NAP Client Computer Deployment

Before you can use NAP on client computers, you must configure the NAP settings. Although you can use the Netsh commands to configure all aspects of the NAP client computer, Group Policy is the preferred method of deploying client computer settings. The NAP Client Configuration console and NAP client computer configuration settings in the Group Policy Management Console provide a graphical user interface for configuring NAP client computer settings.

Consideration for a NAP Enforcement Type


Deciding on the best enforcement type for your organization is very important.
NAP provides four mechanisms:


VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client
computer and performs the validation. This method requires a computer certificate to perform PEAP-based user or computer authentication.

DHCP: The DHCP server interacts with the policies from the NPS to determine the client computer's
compliance.

IPsec: enforces the policy and configures the systems out of compliance with a limited access local IP
security policy for remediation. This method requires a computer certificate to perform PEAP-based
user or computer authentication.

802.1X: authenticates over an 802.1X authenticated network and is the best solution when
integrating hardware from other vendors.

Considerations for a Remediation Network

You can provide a remediation network as a location for client computers that are out of compliance to
resolve issues and then gain access to the network. It is important to make the remediation network a
place where client computers can gain the required updates or definitions without help desk intervention.

Administrative Effort and Support


NAP is not a simple solution to implement and requires a good level of understanding and ongoing
support.

Lesson 4

Implementing NAP

There are different NAP procedures, depending on the type of enforcement you are implementing. This lesson describes the main requirements for each of the NAP enforcement methods.

Lesson Objectives

After completing this lesson you will be able to:

Describe the requirements for implementing NAP.

Describe the requirements for NAP with VPN.

Describe the requirements for NAP with IPsec.

Describe the requirements for NAP with DHCP.

Describe the requirements for NAP with 802.1X.

Requirements for Implementing NAP

All NAP enforcement methods require that the NAP Agent service is running on the client computer and that at least one enforcement client is enabled on the computer. Depending on the desired enforcement method there may be other services and settings required.

A Network Policy Server (NPS) is required to create and enforce organization-wide network access policies for client computer health, connection request authentication and authorization. The NPS can also act as a RADIUS server. The NPS evaluates the statements of health (SoH) sent by NAP client computers.

System Health Validators (SHVs) are required to determine what the system health policy checks for. SHVs can check for Windows Firewall settings, antivirus and spyware protection, Windows Updates, and so on. Health policies compare the state of a client computer's health according to SHVs that are defined by corporate requirements and determine whether the client computer is compliant or noncompliant with the corporate policy. A health policy can be defined to check one of the following:

Client passes all SHV checks

Client fails all SHV checks

Client passes one or more SHV checks

Client fails one or more SHV checks

Network policies are required to determine what happens if the client computer requesting network access is compliant or noncompliant. These policies determine what level of access, if any, the client computer will receive to the network.

A certification authority (CA) is required to issue computer certificates to validate computer identity if Protected EAP (PEAP) is used for authentication. This may be an enterprise CA or a third-party CA.

Remediation networks are not an absolute requirement, but can provide a means for a client computer to become compliant. For example, a network policy can direct a noncompliant client computer to a network segment that contains a Web site from which the client computer can obtain current virus definitions or Windows Updates.

NAP with VPN

NAP enforcement for the VPN method works by using a set of remote access IP packet filters to limit the traffic of a noncompliant VPN client computer so that it can only reach the resources on the restricted network. Compliant client computers will be granted full access. VPN servers can enforce the health policy for computers that are considered to be noncompliant by applying the filters.

Note: Site-to-site VPN connections do not support NAP health evaluation.

To deploy NAP with VPN you must:

Install RRAS as a VPN server and configure the NPS as the primary RADIUS server.

Configure the VPN servers as RADIUS client computers in the NPS.

Configure a connection request policy with the source set to the VPN server.

Configure SHVs to test for health conditions.

Create compliant health policies to pass selected SHVs and a noncompliant health policy to fail selected SHVs.

Configure a network policy with the source set to the VPN server. Full access will be granted to compliant computers and limited access to noncompliant computers.

Enable the NAP Remote Access and EAP enforcement clients on client computers. You can do this by using Group Policy or local policy settings.

Enable the NAP agent service on client computers.

Issue computer certificates to use PEAP authentication.
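
The first step of that list, installing RRAS as a VPN server and making NPS its primary RADIUS server, can be done from PowerShell on the VPN server. The following is an added example and not part of the course: it assumes the VPN server is LON-SVR1, the NAP health policy server is LON-SVR2.adatum.com, and that the netsh ras aaaa parameter names shown (provider, name, secret) are correct for Windows Server 2012; check them with "netsh ras aaaa add authserver help" before use.

```powershell
# Added example (not course material): point an RRAS VPN server at NPS as its RADIUS server.
# Run in an elevated PowerShell session on the VPN server (assumed: LON-SVR1).
$NpsServer = 'LON-SVR2.adatum.com'          # assumed NAP health policy server

# Ask for the RADIUS shared secret at run time rather than storing it in the script.
# The same secret is entered on NPS when the VPN server is added as a RADIUS client.
$secret = Read-Host -Prompt 'RADIUS shared secret (no spaces)'

# 1. Remote Access role with the VPN role service plus the RRAS management tools.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. Switch RRAS authentication and accounting from local Windows authentication to RADIUS,
#    and register NPS as the server to send requests to (parameter names assumed, see lead-in).
netsh ras aaaa set authentication provider=radius
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add authserver name=$NpsServer secret=$secret
netsh ras aaaa add acctserver name=$NpsServer secret=$secret

# 3. Confirm what RRAS will now use for authentication: the provider should read RADIUS and
#    the server list should show only $NpsServer.
netsh ras aaaa show authentication
netsh ras aaaa show authserver
netsh ras aaaa show acctserver
```

With RRAS pointed at NPS, the remaining steps (connection request policy, SHVs, health and network policies) are configured on the NPS side, where the VPN server must appear as a NAP-capable RADIUS client using the same shared secret.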

NAP with IPsec

NAP IP security (IPsec) enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements.

To implement NAP with IPsec you must:

Configure a certification authority (CA) to issue health certificates: the System Health Authentication template must be issued and the HRA must be granted permission to enroll the certificate.

Install Health Registration Authority (HRA): the HRA is a component of NAP that is central to IPsec enforcement. The HRA obtains health certificates on behalf of NAP client computers when they are compliant with network health requirements. These health certificates authenticate NAP client computers for IPsec-protected communications with other NAP client computers on an intranet. If a NAP client computer does not have a health certificate, the IPsec peer authentication fails.

Select authentication requirements: the HRA can provide health certificates to authenticated domain users only, or optionally provide health certificates to anonymous users.

Configure the NPS server with the required health policies.

Configure NAP client computers for IPsec NAP enforcement: NAP agent must be running and the NAP IPsec EC must be running. You can do this through Group Policy or local policy or Netsh commands.

Use IPsec policies to create logical networks: IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are:

o Secure network - Computers on the secure network have health certificates and require that incoming communication is authenticated by using these certificates.

o Boundary network - Computers on the boundary network have health certificates, but do not require IPsec authentication of incoming communication attempts.

o Restricted network - Computers on the restricted network do not have health certificates.

NAP with DHCP

NAP enforcement can be integrated with DHCP so that NAP policies can be enforced when a client computer tries to lease or renew its DHCP address. The NPS server uses health policies and SHVs to evaluate client computer health. Based on the evaluation the NPS tells the DHCP server to provide full access to compliant computers and to restrict access to noncompliant computers.

The components listed in the following table must be defined on the NPS.

Component / Description

RADIUS client computers: If DHCP is installed on a separate computer, the NAP DHCP server must be configured as a RADIUS client computer in NPS. You must also select RADIUS client computer is NAP-capable.

Network policy: Source must be set to DHCP server. Both compliant and noncompliant policies are set to grant access.

Connection request policy: Source is set to DHCP server. The policy authenticates requests on this server.

Health policies: Must be configured to pass SHVs in the compliant policy and fail SHVs in the noncompliant policy.

SHVs: Health checks are configured on the NPS server.

NAP agent: Must be running on the client computer.

IP address configuration: Must be configured to use DHCP. Clients that have a static IP address cannot be evaluated.

Demonstration: Implementing NAP with DHCP

Because you are configuring NPS on the DHCP server you do not have to designate the DHCP server as a RADIUS client computer. You will configure the policy for all scopes.

Demonstration Steps

1. Install Network Policy and Access Services on LON-DC1.

2. Use the Configure NAP Wizard to create a DHCP enforcement policy.

3. Configure DHCP to enable Network Access Protection for all scopes.

Network Access Protection with 802.1X

You can provide NAP enforcement to an IEEE 802.1X-capable device, such as a wireless access point, authenticating switch, or other network device. NAP enforcement occurs when client computers try to access the network through these devices.

NAP with 802.1X has the following characteristics:

RADIUS client computers must be added in the NPS console and are identified by host name or IP address.

A shared secret must be configured in the NPS server and the device to identify the RADIUS client computer.

Server certificates must be installed and client computers must trust these certificates.

Network authentication must use EAP authentication methods: secure passwords, smart cards, or other certificates.

If your access points support VLANs, you can configure that information for NPS. For example, the restricted network may be a VLAN.

When you create network policies and connection request policies, the type of network access server should be set to Unspecified.

Connection request policies must be configured to use PEAP authentication in the policy.
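
The RADIUS-client registration that the NAP-with-VPN steps, the DHCP component table, and the first two 802.1X characteristics all call for is the same operation on NPS, whatever the device. The block below is an added example, not course material: it assumes the Windows Server 2012 NPS module (New-NpsRadiusClient, Get-NpsRadiusClient, Export-NpsConfiguration) and that -NapCompatible and -Enabled take Boolean values; the device names and addresses are constructed for illustration.

```powershell
# Added example (not course material): register NAP-capable RADIUS clients on NPS.
# Run in an elevated PowerShell session on the NPS server (Windows Server 2012).

# A separate random shared secret per device: a secret shared by every switch and access
# point means one compromised device can impersonate all of them to NPS.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # 62 symbols: the small modulo bias is acceptable at this length.
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Constructed inventory of network access servers that will send RADIUS requests to NPS.
$clients = @(
    @{ Name = 'LON-VPN1';  Address = '172.16.0.30'; Note = 'RRAS VPN server' },
    @{ Name = 'LON-DHCP1'; Address = '172.16.0.40'; Note = 'DHCP server on a separate computer' },
    @{ Name = 'SW-FLOOR2'; Address = '172.16.1.5';  Note = '802.1X authenticating switch' }
)

$secrets = @{}
foreach ($c in $clients) {
    $secret = New-RadiusSharedSecret
    # -NapCompatible is the "RADIUS client is NAP-capable" check box: NPS then expects a
    # statement of health in requests from this client and applies the health policies.
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret `
        -NapCompatible $true -Enabled $true | Out-Null
    $secrets[$c.Name] = $secret
}

# Verify what NPS now holds.
Get-NpsRadiusClient | Format-Table Name, Address, NapCompatible, Enabled -AutoSize

# Hand each secret to the device owner out of band; nothing here persists them to disk.
$secrets.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }

# Record the resulting configuration (the module's documentation best practice). The export
# contains the shared secrets in clear text, so protect the file like a password store.
Export-NpsConfiguration -Path "$env:TEMP\nps-config.xml"
```

For an 802.1X device the address given here must match the source address the switch or access point uses for its RADIUS traffic, otherwise NPS silently discards the Access-Request; a device that authenticates nobody and logs nothing on NPS is usually an address or shared-secret mismatch rather than a policy problem.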

Lab: Implementing Network Services

Scenario

A. Datum has grown quickly over the last few years in several ways. The company has deployed several
new branch offices, it has significantly increased the number of users in the organization, and it has
expanded the number of partner organizations and customers who are accessing A. Datum websites and
applications. This expansion has resulted in increasing complexity of the network infrastructure at A.
Datum, and has also meant that the organization has to be much more aware of network level security.

IT management and the security group at A. Datum are also concerned with the level of compliance for all
client computers on the network. A. Datum plans to implement NAP for all client computers and all client
computer connections, but is starting with a pilot program to enable NAP for VPN users.
As one of the senior network administrators at A. Datum, you are responsible for implementing the
new features in the Windows Server 2012 environment. You will implement some new DHCP and DNS
features, and then implement IPAM to simplify the process for managing the IP infrastructure. You will
also implement NAP for external VPN users.

Objectives

Configure new features in DNS and DHCP.

Configure IP Address Management.

Configure NAP for VPN client computers.

Verify the NAP deployment.

Lab Setup
Estimated time: 75 minutes

Virtual Machines

20417A-LON-DC1
20417A-LON-SVR1
20417A-LON-SVR2
20417A-LON-CL1

User Name

Adatum\Administrator

Password

Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   a. User name: Adatum\Administrator

   b. Password: Pa$$w0rd

5. Repeat steps 2 - 4 for 20417A-LON-SVR1, 20417A-LON-SVR2 and 20417A-LON-CL1.

Exercise 1: Configure new features in DNS and DHCP

Scenario

To increase security in your network, you want to implement new security features in DNS and DHCP.
Also, you want to achieve high availability for the IP addressing system. Therefore, you decided to implement
DHCP Failover.

The main tasks for this exercise are as follows:

1. Configure DNSSEC.

2. Configure DHCP Name Protection.

3. Configure DHCP Failover.

Task 1: Configure DNSSEC

1. On LON-DC1, start the DNS Management console.

2. Use the DNSSEC zone signing wizard to sign the Adatum.com zone. Accept all the default settings.

3. Verify the DNSKEY resource records were created in the Trust Points zone.

4. Close the DNS Management console.

5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix and requires DNS client computers to check that the name and address data is validated.

6. Close the Group Policy Management Editor and Group Policy Management console.

Task 2: Configure DHCP Name Protection

1. Start the DHCP Management console.

2. Configure Name Protection for the IPv4 node.

Task 3: Configure DHCP Failover

1. On LON-SVR1, start the DHCP console and view the current state of DHCP. Note the server is authorized but no scopes are configured.

2. On LON-DC1, in the DHCP Management console, start the failover wizard.

3. Configure failover replication with the following settings:

   o Partner server = 172.16.0.21

   o Relationship Name = Adatum

   o Maximum Client Lead Time = 15 minutes

   o Mode = Load balance

   o Load Balance Percentage = 50%

   o State Switchover Interval = 60 minutes

   o Message authentication shared secret is Pa$$w0rd

   o Complete the wizard

4. Switch to LON-SVR1 and notice that the IPv4 node is active and the Adatum scope is configured.

5. Close the DHCP console on both LON-DC1 and LON-SVR1.

Results: After completing this exercise you will be able to configure DNSSEC, configure DHCP name
protection, and configure and verify DHCP failover.
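
The three tasks of this exercise map onto the Windows Server 2012 DnsServer, DnsClient and DhcpServer cmdlets. The block below is an added example, not the lab's own steps: it assumes it runs on LON-DC1, that the failover partner is 172.16.0.21 (LON-SVR1), and that the NRPT rule is written into the Default Domain Policy GPO (the lab leaves the GPO choice open).

```powershell
# Added example (not lab material): Exercise 1 from an elevated PowerShell session on LON-DC1.

# --- Task 1: DNSSEC ------------------------------------------------------------------
# Sign Adatum.com with the same defaults the zone signing wizard uses (KSK and ZSK
# generated on this server).
Invoke-DnsServerZoneSign -ZoneName 'Adatum.com' -SignWithDefault -Force -PassThru

# The zone now carries DNSKEY records, and on a domain controller the trust anchor is
# distributed to the Trust Points automatically; both checks should return records.
Get-DnsServerResourceRecord -ZoneName 'Adatum.com' -RRType DnsKey
Get-DnsServerTrustAnchor -Name 'Adatum.com'

# NRPT rule deployed through Group Policy (assumed GPO: Default Domain Policy): clients ask
# for DNSSEC validation of *.Adatum.com and discard answers that fail to validate.
Add-DnsClientNrptRule -GpoName 'Adatum.com\Default Domain Policy' -Namespace '.Adatum.com' `
    -DnsSecEnable -DnsSecValidationRequired -Comment 'Require DNSSEC for Adatum.com'

# --- Task 2: DHCP Name Protection on the IPv4 node ---------------------------------------
# The server then registers a DHCID record beside each client's A/PTR records, so a second
# client claiming the same host name cannot overwrite the first one's registration.
Set-DhcpServerv4DnsSetting -NameProtection $true
Get-DhcpServerv4DnsSetting

# --- Task 3: DHCP Failover, load-balance mode ---------------------------------------------
# Single quotes matter: in double quotes PowerShell would expand $$ and $w0rd.
$sharedSecret = 'Pa$$w0rd'
$scopes = (Get-DhcpServerv4Scope).ScopeId      # every scope on LON-DC1, i.e. Adatum

Add-DhcpServerv4Failover -Name 'Adatum' -PartnerServer '172.16.0.21' -ScopeId $scopes `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $sharedSecret

# Verify from both sides: the relationship exists and the partner now carries the scope.
Get-DhcpServerv4Failover -Name 'Adatum'
Get-DhcpServerv4Scope -ComputerName '172.16.0.21'
```

Setting -AutoStateTransition is what makes the 60-minute state switchover interval take effect; without it a server that loses contact with its partner stays in communication-interrupted state and never takes over the partner's share of the address pool on its own.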

Exercise 2: Configuring IP Address Management

Scenario

A. Datum is evaluating solutions for simplifying IP management. Because you implemented Windows
Server 2012, you decide to implement IPAM.

The main tasks for this exercise are as follows:

1. Install the IPAM Feature.

2. Configure IPAM Related GPOs.

3. Configure IP Management Server Discovery.

4. Configure Managed Servers.

5. Configure and Verify a New DHCP Scope with IPAM.

Task 1: Install the IPAM Feature

On LON-SVR2, in Server Manager, add the IPAM feature and all required supporting features.

Task 2: Configure IPAM Related GPOs

1. On LON-SVR2, in Server Manager, click IPAM.

2. From the IPAM Overview pane provision the IPAM server.

3. Enter IPAM as the GPO name prefix.

Task 3: Configure IP Management Server Discovery

1. From the IPAM Overview pane, configure server discovery for the Adatum domain.

2. From the IPAM Overview pane, start the server discovery process.

3. In the yellow banner, click the More link to determine the discovery status.

Task 4: Configure Managed Servers

1. From the IPAM Overview pane, add the servers to manage. Verify that IPAM access is currently blocked for LON-DC1.

2. Start Windows PowerShell and grant the IPAM server permission. Use the following command:

   Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com

3. In the IPAM console, for LON-SVR1 and LON-DC1, set the manageability status to be Managed.

4. Switch to LON-DC1 and refresh Group Policy.

5. Switch to LON-SVR1, and refresh Group Policy.

6. Switch back to LON-SVR2 and refresh the IPAM console view.

7. Switch back to LON-SVR2, and in the IPAM console, configure LON-SVR1 to be Managed.

8. Refresh the Server Access Status and refresh the console view until LON-DC1 and LON-SVR1 show an IPAM Access Status of Unblocked. This may take 10-15 minutes to complete.

9. From the IPAM Overview pane retrieve data from the managed server.

Task 5: Configure and Verify a New DHCP Scope with IPAM

1. Use IPAM to create a new DHCP scope called TestScope with the following parameters:

   o The scope start address will be 10.0.0.50.

   o The scope end address will be 10.0.0.100.

   o The subnet mask will be 255.0.0.0.

   o The default gateway will be 10.0.0.1.

2. On LON-DC1, verify the TestScope in the DHCP MMC.

3. Right-click the TestScope and then click Deactivate. Click Yes.

4. Close the DHCP console.

5. On LON-SVR2, close all open windows.

Results: After completing this exercise you will be able to install and configure the IPAM feature,
configure IPAM related GPOs, configure IP Management server discovery, configure managed servers, and
configure and verify a new DHCP scope with IPAM.
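
The parts of this exercise that have cmdlets in Windows Server 2012 are the IPAM installation, the GPO provisioning (the lab's own command, with its parameter dashes), the Group Policy refresh on the managed servers, and the scope verification. Server discovery and the Managed/Unmanaged status stay in the IPAM console as the lab describes. The block below is an added example, not lab material; it assumes LON-SVR2 is the IPAM server, LON-DC1 and LON-SVR1 are the managed servers, and it checks the TestScope with the DHCP cmdlets against LON-DC1 rather than through the IPAM console.

```powershell
# Added example (not lab material): Exercise 2 from an elevated PowerShell session on LON-SVR2.

# --- Task 1: install IPAM with its management tools ---------------------------------------
Install-WindowsFeature IPAM -IncludeManagementTools

# --- Tasks 2 and 4: GPO-based provisioning ------------------------------------------------
# Creates and links the IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS GPOs (prefix "IPAM") that grant
# the IPAM server the firewall, event log and share access it needs on managed servers.
Invoke-IpamGpoProvisioning -Domain 'Adatum.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'LON-SVR2.adatum.com' -Force

# Steps 4 and 5 of Task 4 without logging on to each server: apply the new GPOs now instead
# of waiting for the background refresh.
Invoke-Command -ComputerName 'LON-DC1', 'LON-SVR1' -ScriptBlock { gpupdate /force }

# --- Task 5: verify the TestScope that IPAM created on LON-DC1 ----------------------------
# 10.0.0.50-10.0.0.100 with mask 255.0.0.0 gives the scope ID 10.0.0.0.
Get-DhcpServerv4Scope -ComputerName 'LON-DC1' -ScopeId 10.0.0.0 |
    Format-List Name, ScopeId, SubnetMask, StartRange, EndRange, State

# Option 3 is the router option; the lab sets it to 10.0.0.1.
Get-DhcpServerv4OptionValue -ComputerName 'LON-DC1' -ScopeId 10.0.0.0 -OptionId 3

# Step 3 of Task 5: deactivate the test scope so it cannot hand out leases.
Set-DhcpServerv4Scope -ComputerName 'LON-DC1' -ScopeId 10.0.0.0 -State Inactive
Get-DhcpServerv4Scope -ComputerName 'LON-DC1' -ScopeId 10.0.0.0 | Select-Object Name, State
```

The Unblocked status in step 8 of Task 4 depends on those GPOs having applied on the managed server, which is why the lab has you refresh Group Policy on LON-DC1 and LON-SVR1 before the console reports access as unblocked.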

Exercise 3: Configuring NAP

Scenario

A. Datum has identified that remote client computers that connect through VPN have inconsistent
security configurations. Because these client computers are accessing important data, it is important for all
client computers to comply with company security policy. To increase the security of your network and better
manage client computers that establish remote connections, you decide to implement NAP for all VPN
connections.

The main tasks for this exercise are as follows:

1. Configure Server and Client Certificate Requirements.

2. Install the Network Policy Server Role.

3. Configure Health Policies.

4. Configure Network Policies for Compliant and Noncompliant Computers.

5. Configure Connection Request Policies for VPN.

Task 1: Configure Server and Client Certificate Requirements

1. On LON-SVR2, create a new management console for Certificates focused on the local computer.

2. Enroll a Computer certificate for LON-SVR2.

3. Switch to LON-CL1 and log on as Adatum\administrator with the password of Pa$$w0rd.

4. Create a new management console for Certificates focused on the local computer.

5. Enroll a Computer certificate for LON-CL1.

Task 2: Install the Network Policy Server Role

On LON-SVR2, add the Network Policy Server role service.

Task 3: Configure Health Policies

1. On LON-SVR2, open the Network Policy Server console.

2. Configure the Windows Security Health Validator to only validate that the Windows Firewall is enabled.

3. Create two new Health Policies. One for compliant computers that pass all SHV checks and one for noncompliant computers that fail one or more SHV checks.

Task 4: Configure Network Policies for Compliant and Noncompliant Computers

1. Configure a network policy for compliant computers in such a way that the health policy allows them full network access. Name the policy Compliant Full-Access.

2. Configure a network policy for noncompliant computers in such a way that the health policy enables them to exchange packets with LON-DC1 at 172.16.0.10 only. Name the policy Noncompliant-Restricted.

Task 5: Configure Connection Request Policies for VPN

1. Disable the two default connection request policies.

2. Configure a new Connection Request Policy called VPN connections.

3. Add conditions for Point to Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), and Layer 2 Tunneling Protocol (L2TP).

4. Ensure requests are authenticated on this server and will override network policy authentication.

5. Add Protected Extensible Authentication Protocol (PEAP) and edit it to enforce network access protection.

Results: After completing this exercise you will be able to configure server and client computer certificate
requirements, install the NPS server role, configure health policies, configure network policies, and
configure connection request policies for VPN.

Exercise 4: Verifying the NAP Deployment

Scenario

After you implemented the NAP infrastructure and configured policies, you want to test NAP with a VPN client
computer.

The main tasks for this exercise are as follows:

1. Configure Security Center.

2. Enable a Client NAP Enforcement Method.

3. Allow Ping on LON-SVR2.

4. Move the Client to the Internet and Establish a VPN Connection.

5. To prepare for next module.

Task 1: Configure Security Center

1. Log on to LON-CL1 as Adatum\Administrator with a password of Pa$$w0rd.

2. Use gpedit.msc to open Local Group Policy and turn on the Security Center.

Task 2: Enable a Client NAP Enforcement Method

1. Use the NAP Client Configuration MMC to enable the EAP Quarantine Enforcement Client on LON-CL1.

2. Enable and start the NAP agent service.

Task 3: Allow Ping on LON-SVR2

On LON-SVR2, open Windows Firewall with Advanced Security.

Configure a new inbound rule that allows ICMPv4 echo packets through the firewall.

Task 4: Move the Client to the Internet and Establish a VPN Connection

1. Configure LON-CL1 with the following IP address settings:

   o IP address: 131.107.0.20

   o Subnet Mask: 255.255.0.0

2. In Hyper-V Manager, right-click 20417A-LON-CL1 and then click Settings.

3. Click Legacy Network Adapter and then under Network select Private Network 2, click OK.

4. Verify that you can ping 131.107.0.1.

5. Create a VPN on LON-CL1 with the following settings:

   o Name: Adatum VPN

   o Internet address: 131.107.0.2

6. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.

7. Under Authentication, click Use Extensible Authentication Protocol (EAP).

8. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled) and then click Properties.

9. Ensure that the Verify the server's identity by validating the certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method. Clear the Enable Fast Reconnect check box and then select the Enforce Network Access Protection check box.

10. Test the VPN connection.

To prepare for next module

Revert virtual machines to their initial state.

Results: After completing this exercise you will be able to configure Security Center, enable a client
computer NAP enforcement method, allow Ping on LON-SVR2, and move the client computer to the
Internet and establish a VPN connection.
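
The client-side work of this exercise (Tasks 1, 2 and 4) is what the earlier "Considerations for NAP Client Computer Deployment" section means when it says Netsh can configure every NAP client setting. The block below is an added example, not lab material, for an elevated PowerShell session on LON-CL1 (Windows 8). Assumptions to check before relying on it: the client adapter is named "Ethernet"; 79623 is the ID of the EAP Quarantine Enforcement Client (confirm with "netsh nap client show state"); and the Security Center policy maps to the SecurityCenterInDomain registry value under the policy key shown. The PEAP properties of steps 6-9 (server identity check, Enforce Network Access Protection) are not set by Add-VpnConnection and remain a Security-tab task.

```powershell
# Added example (not lab material): LON-CL1 side of Exercise 4 from an elevated PowerShell session.

# --- Task 1: turn on Security Center via the local policy registry value (assumed mapping) ---
$scPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
New-Item -Path $scPolicy -Force | Out-Null
Set-ItemProperty -Path $scPolicy -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# --- Task 2: enable the EAP enforcement client and the NAP agent service -----------------
# 79623 is assumed to be the EAP Quarantine Enforcement Client; the IDs and their names are
# listed by "netsh nap client show state".
netsh nap client set enforcement ID=79623 ADMIN="ENABLE"
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client show state          # EAP Quarantine Enforcement Client should read Enabled

# --- Task 4, step 1: static "Internet" address on the client adapter (assumed alias) -------
$nic = 'Ethernet'
Set-NetIPInterface -InterfaceAlias $nic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $nic -AddressFamily IPv4 |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $nic -IPAddress '131.107.0.20' -PrefixLength 16

# Step 4: stop here if the switch assignment (steps 2 and 3, done in Hyper-V Manager) is wrong.
if (-not (Test-Connection -ComputerName '131.107.0.1' -Count 2 -Quiet)) {
    throw '131.107.0.1 is not reachable; check the Private Network 2 assignment in Hyper-V.'
}

# Step 5: create the VPN entry with EAP as the authentication method.
Add-VpnConnection -Name 'Adatum VPN' -ServerAddress '131.107.0.2' -TunnelType Automatic `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential:$false -Force

# Step 10: connect (rasdial prompts for the password with "*"), then read back the NAP state.
# A client on the restricted side reaches only LON-DC1 at 172.16.0.10, per the network policy.
rasdial 'Adatum VPN' Adatum\Administrator *
netsh nap client show state
Test-Connection -ComputerName '172.16.0.10' -Count 2 -Quiet
Test-Connection -ComputerName 'LON-SVR2.adatum.com' -Count 2 -Quiet
```

Running the two final Test-Connection calls once with the Windows Firewall on and once with it off is the quickest way to confirm the deployment: with the firewall off the client fails the SHV, lands in the Noncompliant-Restricted policy, and the second ping stops answering while the first still does.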

Module Review and Takeaways


Best Practices

Ensure that IPv6 is enabled on the IPAM server in order to manage IPv6 address spaces.

Use Group Policy to configure NRPT tables for DNSSEC client computers.

Disable authentication protocols that you are not using.

Document the NPS configuration by using "netsh nps show config > Path\File.txt" to save the
configuration to a text file.

Common Issues and Troubleshooting Tips

Common Issue / Troubleshooting Tip

Unable to connect to the IPAM server.

Noncompliant NAP client computers are being denied network access instead of being sent to the restricted network.

Review Question
Question: What is a major drawback of IPAM?

Real-world Issues and Scenarios

Scenario: Tailspin Toys wants to implement IPsec NAP enforcement. What infrastructure components
have to be in place to support this method?

Scenario: You have implemented DNSSEC, but now you have to disable DNSSEC. How will you disable
DNSSEC?

Tools

Tool / Use / Where to find it

DNS Management Console: Configure all aspects of DNS. In Server Manager under the Tools drop-down list.

DHCP Management Console: Configure all aspects of DHCP. In Server Manager under the Tools drop-down list.

Remote Access Management Console: Configure remote access such as VPN. In Server Manager under the Tools drop-down list.

NAP configuration wizard: Configure the NAP Enforcement Point. Open the NPS (Local) console. In Getting Started, under Standard Configuration, select Network Access Protection (NAP), and then click Configure NAP.


Module 6
Implementing DirectAccess
Contents:

Module Overview 6-1

Lesson 1: Overview of DirectAccess 6-2

Lesson 2: Installing and Configuring DirectAccess Components 6-14

Lab: Implementing DirectAccess 6-24

Module Review and Takeaways 6-33

Module Overview

Introduced in Windows Server 2008 R2, the DirectAccess feature is a technology that enables users to
securely connect to data and resources in corporate networks without using traditional virtual private
network (VPN) technology. In Windows Server 2012, DirectAccess is now one of three component
technologies (DirectAccess, Routing, and Remote Access) that is integrated with a single, unified server
role called Windows Server 2012 Remote Access. DirectAccess seamlessly integrates and coexists with
what was formerly called Routing and Remote Access service (RRAS). Direct Access itself is expanded to
add features such as integrated accounting, express setup for small and medium deployments, and
multiple domain support.

In this module, you will learn how DirectAccess works for internal and external clients. You will also learn
the new DirectAccess features introduced in Windows Server 2012 and Windows 8. In addition, you will
learn how to install and configure DirectAccess in different scenarios.

Objectives
After completing this module, you will be able to:

Describe the DirectAccess functionality in Windows Server 2012 and Windows 8.

Install and configure DirectAccess in Windows Server 2012 and Windows 8.

Lesson 1

Overview of DirectAccess

DirectAccess enables remote users to securely access corporate resources, such as email servers, shared folders, or internal websites without connecting to a VPN. Also, DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. With the new unified management experience, you can configure DirectAccess and older VPN connections from one location. Other enhancements in DirectAccess include simplified deployment, and improved performance and scalability. This lesson provides an overview of the DirectAccess architecture and components.

Lesson Objectives
After completing this lesson, you will be able to:

Discuss the problems with remote connections.

Describe the use of DirectAccess.

Describe the new features of DirectAccess in Windows Server 2012.

Describe the DirectAccess components.

Describe the use of the Name Resolution Policy Table.

Describe how DirectAccess works for internal clients.

Describe how DirectAccess works for external clients.

Problems with Remote Connections
Organizations often rely on traditional VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections most of the time need to be configured manually. This sometimes presents interoperability issues in situations when users are using multiple different VPN clients. Additionally, VPN connections face the following problems:

The user must initiate the VPN connection.

The connection requires several steps, and the connection process takes at least several seconds, or even more.

The connection could require additional configuration on the corporate firewall. If not properly configured on the firewall, VPN connections usually enable remote access to the entire corporate network.

Troubleshooting failed VPN connections can make up a significant portion of Help Desk calls for many organizations.

Moreover, organizations cannot effectively manage remote computers unless they are connected. VPN-based remote client computers present a challenge to IT professionals because these computers might not connect to the internal network for weeks at a time, preventing them from downloading Group Policy objects (GPOs) and software updates.


Also, if the organization does not require additional health checks in order to establish a network VPN connection, computers that are not updated and protected on a regular basis may contain malware. This malware could attempt to spread inside the corporate network through e-mail, shared folders, or automated network attacks.

DirectAccess Extends the Network to the Remotely-Connected Computers and Users

To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess to provide a seamless connection between the internal network and the remote computer on the Internet. With DirectAccess, organizations can effortlessly manage remote computers because they are always connected.

What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure for internal users and remote users. Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any IPv6-capable application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers. Using the same management and update servers, you can ensure they are always up-to-date and in compliance with security and system health policies. You can also define more detailed access control policies for remote access when compared with defining access control policies in VPN solutions. DirectAccess offers the following features:

Connects automatically to the corporate intranet when connected to the Internet

Uses various protocols, including HTTPS, to establish IPv6 connectivity; HTTPS is typically allowed through firewalls and proxy servers

Supports selected server access and end-to-end Internet Protocol Security (IPsec) authentication with intranet network servers

Supports end-to-end authentication and encryption with intranet network servers

Supports management of remote client computers

Allows remote users to connect directly to intranet servers

DirectAccess provides the following benefits:

Always-on connectivity. Whenever the user connects the client computer to the Internet, the client computer is also connected to the intranet. This connectivity enables remote client computers to access and update applications more easily. It also makes intranet resources always available, and enables users to connect to the corporate intranet from anywhere and at any time, thereby improving their productivity and performance.


Seamless connectivity. DirectAccess provides a consistent connectivity experience whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and process. This consistency can reduce training costs for users, with fewer support incidents.

Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have access to intranet resources and you can also have access from the intranet to those DirectAccess clients. Therefore, DirectAccess can be bidirectional. This ensures that the client computers are always updated with recent security updates, the domain Group Policy is enforced, and there is no difference whether the users are on the corporate intranet or on the public network. This bidirectional access also results in:

o Decreased update time

o Increased security

o Decreased update miss rate

o Improved compliance monitoring

Manage-out support. This feature is new in Windows Server 2012 and provides the ability to enable only remote management functionality in the DirectAccess client. This new sub-option of the DirectAccess client configuration wizard automates the deployment of policies that are used for managing the client computer. Manage-out support does not implement any policy options that allow users to connect to the network for file or application access. Manage-out support is unidirectional, incoming-only access for administration purposes only.

Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control remote users who access specified resources. You can use a granular policy to specifically define which user can use DirectAccess, and the location from which the user can access it. IPsec encryption is used for protecting DirectAccess traffic so that users can ensure that their communication is safe.

Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and Network Access Protection (NAP) solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.

What's New in DirectAccess in Windows Server 2012
In Windows Server 2012, DirectAccess has several enhancements, especially in regards to bypassing some common technology issues such as requirements for public key infrastructure (PKI) and public IP addresses.

Improved DirectAccess Management
DirectAccess in Windows Server 2012 has been improved in the following ways:

DirectAccess and RRAS coexistence. The Windows Server 2012 DirectAccess and RRAS unified server role solves the problems of interoperability of Denial of Service Protection (DoSP) and Internet Key Exchange version 2 (IKEv2).


Rich monitoring of clients. You can view the health of user computers and servers along with
deployment monitoring and diagnostics in a single console in DirectAccess. Using the dashboard,
you can have top-level information about Remote Access servers and client activity. User and client
computer monitoring can provide you with information on which resources are accessed by the
clients.

Integrated accounting and reporting. Accounting and reporting is now integrated in the console and
provides the ability to measure specific metrics. It also enables administrators to generate rich usage
reports on various user and server statistics.

Windows PowerShell and Server Core support. Windows Server 2012 provides full Windows
PowerShell support for the setup, configuration, management, monitoring, and troubleshooting of
the Remote Access Server Role.

Unified management wizard and tools. You can use a single wizard and console for DirectAccess
configuration, management, and monitoring.

Works with existing infrastructure. You do not need to upgrade your existing domain controllers to
Windows Server 2012.

IPv6 for the internal network is no longer required. This is because transition technologies such as Network Address Translation 64 (NAT64) and Domain Name System 64 (DNS64) allow access to internal resources that run only on IPv4 computers. Previously, this functionality was only possible to achieve with deployments that included Microsoft Forefront Unified Access Gateway (UAG) Server.

Single network adapter. You can implement your DirectAccess server behind a NAT with a single network adapter.

Single IP address. In certain deployment scenarios, you can even use a single IP address for the DirectAccess server. This makes deployment easier in comparison to the DirectAccess deployment in Windows Server 2008 R2, which required two consecutive public IPv4 addresses.

Simplified DirectAccess Deployment

The DirectAccess deployment has been simplified. Windows Server 2012 provides Express Setup for small and medium deployments. Express Setup includes the following characteristics:

PKI deployment is optional, because the wizard creates a self-signed certificate without the need for certificate revocation lists (CRLs). This functionality is achieved by using the HTTPS-based Kerberos proxy (built into Windows Server 2012), which accepts client authentication requests and sends them to domain controllers on behalf of the client.

Single IPsec tunnel configuration.

Single-factor authentication only; no support for smart card integration or for using one-time passwords (OTP).

Works only with client computers running Windows 8.
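The same simplified deployment can be scripted instead of clicked through, which is also how you would verify afterwards that the server really ended up with the Express characteristics listed above. The script below is an added example and is not part of this course or of Microsoft's wizard. The host name da.adatum.com, the adapter names, the GPO names and the security group ADATUM\DA-Clients are assumptions, and the parameter and property names are those of the RemoteAccess module as the editor recalls them for Windows Server 2012; confirm them with Get-Help Install-RemoteAccess and Get-DAServer | Get-Member before relying on them.

```powershell
# Added example (not from the course): script an Express-style DirectAccess
# deployment on a Windows Server 2012 Remote Access server and then check what
# was configured. Names, adapters, GPOs and the security group are assumptions.
#Requires -RunAsAdministrator

$publicFqdn  = 'da.adatum.com'               # assumption: name clients connect to (IP-HTTPS endpoint)
$internalNic = 'Internal'                    # assumption: adapter facing the corporate network
$externalNic = 'External'                    # assumption: adapter facing the Internet or the NAT device
$clientGpo   = 'DirectAccess Client Settings' # assumption: GPO names created for clients and server
$serverGpo   = 'DirectAccess Server Settings'

# 1. Install the Remote Access role (DirectAccess and VPN) with its tools.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# 2. Full DirectAccess install. Without a PKI this yields a self-signed
#    IP-HTTPS certificate, a single IPsec tunnel and Kerberos proxy
#    authentication, i.e. the Express Setup described in the text.
Install-RemoteAccess -DAInstallType FullInstall `
                     -ConnectToAddress $publicFqdn `
                     -InternalInterface $internalNic `
                     -InternetInterface $externalNic `
                     -ClientGpoName $clientGpo `
                     -ServerGpoName $serverGpo `
                     -Force

# 3. Least privilege: scope the client GPO to an explicit security group of
#    managed laptops instead of the default "Domain Computers".
Set-DAClient -SecurityGroupNameList 'ADATUM\DA-Clients'
# For a manage-out only deployment (no user access to intranet resources),
# the equivalent of the wizard sub-option is:
#   Set-DAClient -OnlyRemoteComputers Enabled

# 4. Review the result against the Express characteristics from the text.
$server = Get-DAServer
$client = Get-DAClient
[pscustomobject]@{
    UserAuthentication         = $server.UserAuthentication         # 'UserPasswd' = single factor (no OTP / smart card)
    ComputerCertAuthentication = $server.ComputerCertAuthentication # $false = Kerberos proxy instead of computer certificates
    TeredoState                = $server.TeredoState                # 'Disabled' behind a NAT with one adapter
    IPHttpsServerUrl           = (Get-NetIPHttpsConfiguration).ServerURL
    Windows7ClientsAllowed     = $client.Downlevel                  # 'Disabled' = Windows 8 clients only
    ManageOutOnly              = $client.OnlyRemoteComputers
} | Format-List
```

If UserAuthentication reports UserPasswd and ComputerCertAuthentication is false, you are in the single-factor, no-PKI configuration; moving to two-factor authentication, NAP integration or force tunneling later requires deploying computer certificates first, as the components section of this lesson explains.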

Performance and Scalability Improvements


DirectAccess includes the following improved features in performance and scalability:

Support for high availability and external load balancers. Windows Server 2012 supports Network Load Balancing (NLB) to achieve high availability and scalability for both DirectAccess and RRAS. The setup process also provides integrated support for third-party external hardware-based load balancer solutions.


Improved support for Receive Side Scaling (RSS). DirectAccess provides support for RSS and supports running DirectAccess in virtual machines with increased density:

o IP-HTTPS interoperability and performance improvements. The Windows Server 2012 DirectAccess implementation removes double encryption when using IP-HTTPS: with Windows 8 clients the IP-HTTPS tunnel negotiates a null cipher suite, so the already IPsec-protected payload is no longer encrypted a second time by SSL (Windows 7 clients still encrypt the IP-HTTPS tunnel). Also, it reduces the time for duplicate address detection, resulting in a significant performance improvement.

o Lower bandwidth utilization. Windows Server 2012 reduces the overhead associated with establishing connectivity methods, and optimizes batched send behavior and receive buffers, which results in overall lower bandwidth utilization. Additionally, Windows Server 2012 DirectAccess supports receive side scaling with User Datagram Protocol (UDP).

New Deployment Scenarios
The new DirectAccess deployment scenarios in Windows Server 2012 include:

Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different network locations, the Windows 8 device automatically chooses the closest endpoint. (For the Windows 7 operating system, you have to specify the endpoint manually.) This also works for Distributed File System (DFS) shares that are redirected to an appropriate Active Directory site.

Multiple domain support. This feature is integrated with Windows Server 2012.

Deploy a server behind a NAT. You can deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a single or multiple interfaces, removing the prerequisite for a public address. In this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be established by using a secure HTTP connection.

Support for OTP and virtual smart cards. This feature requires a PKI deployment. If the option is selected in the DirectAccess Setup Wizard, the Use computer certificates option is automatically selected. Also, DirectAccess can use the Trusted Platform Module (TPM)-based virtual smart card, which uses the TPM of a client computer to act as a virtual smart card for two-factor authentication.

Offload network adapters with support for network teaming. Network teaming in Windows Server 2012 is fully supported without the need for third-party drivers.

Off-premise provisioning. With the djoin tool, you can easily provision a non-domain computer with an Active Directory blob, so that the computer can be joined to a domain without the need to ever be connected in your internal premises.

DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following infrastructure components:

DirectAccess server

DirectAccess clients

Network location server

Internal resources

Active Directory domain

Group Policy

PKI (optional for the internal network)

DNS server

NAP server

DirectAccess Server

A DirectAccess server can be any domain-joined computer running Windows Server 2012. It accepts connections from DirectAccess clients and establishes communication with intranet resources. This server provides authentication services for DirectAccess clients and acts as an IPsec tunnel mode endpoint for external traffic. The new Remote Access server role allows centralized administration, configuration, and monitoring for both DirectAccess and VPN connectivity.

Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup simplifies DirectAccess management for small and medium organizations by removing the need for a full PKI deployment and removing the requirement for two consecutive public IPv4 addresses on the physical adapter that is connected to the Internet. In Windows Server 2012, the wizard detects the actual implementation state of the DirectAccess server and automatically selects the best deployment, thereby hiding from the administrator the complexity of manually configuring IPv6 transition technologies.

DirectAccess Clients
DirectAccess clients can be any domain-joined computer running Windows 8 (Enterprise edition), Windows 7 Enterprise Edition, or Windows 7 Ultimate Edition.
Note: With off-premise provisioning, you can join the client computer to a domain without connecting the client computer to your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo. Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer from connecting to the DirectAccess server by using 6to4 or Teredo, the client computer automatically attempts to connect by using the IP-HTTPS protocol, which encapsulates the IPv6 traffic in a Secure Sockets Layer (SSL) connection on TCP port 443 to ensure connectivity.

Network Location Server

DirectAccess clients use the network location server (NLS) to determine their location. If the client computer can connect to the NLS URL with HTTPS and validate the NLS certificate (including its revocation check), then the client computer assumes it is on the intranet and disables its DirectAccess components. If the NLS cannot be contacted, the client assumes it is on the Internet. The NLS is installed with the Web Server role.
Note: The URL for the NLS is distributed by using a GPO.

Internal Resources

You can configure any IPv6-capable application that is running on internal servers or client computers to be available for DirectAccess clients. For older applications and servers that are not based on Windows and have no IPv6 support, Windows Server 2012 now includes native support for a protocol translation (NAT64) and name resolution (DNS64) gateway to convert IPv6 communication from the DirectAccess client to IPv4 for the internal servers.
Note: As in the past, this functionality can also be achieved with Microsoft Forefront Unified Access Gateway Server. Likewise, as in past versions, these translation services do not support sessions initiated by internal devices; rather, they support requests originating from IPv6 DirectAccess clients only. A management server that must initiate connections to DirectAccess clients (manage-out) therefore needs IPv6 connectivity of its own rather than relying on NAT64.

Active Directory Domain

You must deploy at least one Active Directory domain, running at a minimum Windows Server 2008 R2
domain functional level. Windows Server 2012 DirectAccess provides integrated multiple domain support
which allows client computers from different domains to access resources that may be located in different
trusted domains.

Group Policy

Group Policy is required for the centralized administration and deployment of DirectAccess settings. The
DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

PKI
PKI deployment is optional for simplified configuration and management. Windows Server 2012 DirectAccess enables client authentication requests to be sent over an HTTPS-based Kerberos proxy service running on the DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and domain controllers. The Kerberos proxy sends Kerberos requests to domain controllers on behalf of the client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and force tunneling, you still need to implement certificates for authentication for every client that will participate in DirectAccess communication.

DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or later, or a
third-party DNS server that supports DNS message exchanges over the ISATAP.

NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance checking and enforce security policy for DirectAccess clients over the Internet. Windows Server 2012 DirectAccess provides the ability to configure the NAP health check directly from the setup user interface instead of manually editing GPOs, as was the case in Windows Server 2008 R2 DirectAccess.
Additional Reading: The DNS server does not listen on the ISATAP interface on a
Windows Server 2008-based computer
http://go.microsoft.com/fwlink/?LinkID=159951
IPv6 - Technology Overview
http://technet.microsoft.com/en-us/library/hh831730.aspx


Name Resolution Policy Table
To separate Internet traffic from intranet traffic in DirectAccess, Windows Server 2012 and Windows 8 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS namespace, rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client's behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT:

If a match is found, the request is processed according to the settings in the NRPT rule.

If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS servers configured in the TCP/IP settings for the specified network interface.

DNS settings are configured depending on the client location:

For a remote client computer, the DNS servers are typically the Internet DNS servers configured through the Internet Service Provider (ISP).

For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers configured through Dynamic Host Configuration Protocol (DHCP).


Single-label names, for example, http://internal, typically have configured DNS search suffixes appended to the name before they are checked against the NRPT. If no DNS search suffixes are configured, and the single-label name does not match any other single-label name entry in the NRPT, the request is sent to the DNS servers specified in the client's TCP/IP settings.

Namespaces, for example, internal.adatum.com, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests are sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server, such as dns.adatum.com, in the NRPT, the name must be publicly resolvable when the client queries the DNS servers specified in its TCP/IP settings.

The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.
Some names need to be treated differently with regards to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client's TCP/IP settings, you must add them as NRPT exemptions.
The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name resolution mechanism uses the following, in order:

The local name cache

The hosts file

NRPT


Then, the name resolution mechanism finally sends the query to the DNS servers specified in the TCP/IP settings.
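The matching rules above (namespace rule, exemption, search-suffix handling for single-label names, fall-through to the interface DNS servers) are easier to reason about when you can run names through them. The function below is an added example written for this page, not course material or Microsoft code: it models the NRPT lookup for a constructed table, and the last command shows the real effective table that Group Policy delivered on a Windows 8 client. The namespaces, addresses and suffix list are constructed for illustration.

```powershell
# Added example (not from the course): model how the NRPT picks the DNS
# server for a query, then compare with the client's effective NRPT.
# All rules, namespaces, suffixes and addresses below are constructed.

$nrptRules = @(
    @{ Namespace = '.adatum.com';      NameServers = @('fd00:1::53'); Exemption = $false; Comment = 'Intranet namespace' }
    @{ Namespace = 'nls.adatum.com';   NameServers = @();             Exemption = $true;  Comment = 'Network location server (exemption)' }
    @{ Namespace = '.corp.adatum.com'; NameServers = @('fd00:1::54'); Exemption = $false; Comment = 'Child domain, more specific' }
)
$searchSuffixes = @('adatum.com')    # constructed DNS suffix search list on the client
$interfaceDns   = @('203.0.113.53')  # constructed ISP-assigned DNS server (interface setting)

function Resolve-NrptTarget {
    # Returns where a query for $Name is sent. A namespace with a leading dot
    # matches every name under that suffix; one without matches only that exact
    # name; the longest matching namespace wins; an exemption or no match means
    # "use the interface-configured DNS servers" (the Internet DNS when remote).
    param([string]$Name, [object[]]$Rules, [string[]]$SearchSuffixes, [string[]]$InterfaceDns)

    $candidates = @($Name)
    if ($Name -notmatch '\.') {
        # Single-label name: the configured search suffixes are appended first.
        $candidates = @($SearchSuffixes | ForEach-Object { "${Name}.$_" }) + $candidates
    }

    foreach ($candidate in $candidates) {
        $match = $Rules |
            Where-Object {
                if ($_.Namespace.StartsWith('.')) { $candidate.ToLower().EndsWith($_.Namespace.ToLower()) }
                else                              { $candidate -ieq $_.Namespace }
            } |
            Sort-Object { $_.Namespace.Length } -Descending |
            Select-Object -First 1

        if ($match) {
            if ($match.Exemption) {
                return [pscustomobject]@{ Query = $candidate; Rule = $match.Namespace; SentTo = ($InterfaceDns -join ','); Via = 'Interface DNS (NRPT exemption)' }
            }
            return [pscustomobject]@{ Query = $candidate; Rule = $match.Namespace; SentTo = ($match.NameServers -join ','); Via = 'Intranet DNS over DirectAccess' }
        }
    }
    # No rule matched: the name is treated like any other Internet name.
    [pscustomobject]@{ Query = $Name; Rule = '-'; SentTo = ($InterfaceDns -join ','); Via = 'Interface DNS (no NRPT match)' }
}

'mail.adatum.com', 'nls.adatum.com', 'fs1.corp.adatum.com', 'internal', 'www.contoso.com' |
    ForEach-Object { Resolve-NrptTarget -Name $_ -Rules $nrptRules -SearchSuffixes $searchSuffixes -InterfaceDns $interfaceDns } |
    Format-Table -AutoSize

# On a real DirectAccess client, the table delivered by the client GPO:
# an exemption shows up as a namespace with no DirectAccessDnsServers.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled, DirectAccessProxyType |
    Format-Table -AutoSize
```

In the constructed table, nls.adatum.com matches both .adatum.com and its own exact-name rule; the longer rule wins, so the NLS name goes to the interface DNS servers and is never sent through the tunnel, which is exactly what the location-detection process later in this lesson depends on. The single-label name internal is tried as internal.adatum.com first and therefore lands on the intranet DNS server.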
Question: How can you benefit from the NRPT?

Question: How can you benefit by using connection security rules for DirectAccess?

How DirectAccess Works for Internal Client Computers
An NLS is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access the NLS URL to determine if they are located on the intranet or on a public network. The DirectAccess server can also be the NLS. In organizations where DirectAccess is a business-critical service, the NLS should be highly available. Generally, the web server on the NLS does not have to be dedicated just to supporting DirectAccess clients.

It is critical that the NLS is available from each company location, because the behavior of the DirectAccess client depends on the response from the NLS. Branch locations may need a separate NLS at each branch location to ensure that the NLS remains accessible even when there is a link failure between branches. Conversely, the NLS URL must not be resolvable or reachable from the Internet: a remote client that can reach it concludes that it is on the intranet and turns its DirectAccess components off.

How DirectAccess Works for Internal Clients

The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the NLS URL. Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client instead sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet-based DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS-based URL of the NLS, during which process it obtains the certificate of the NLS.

3. Based on the CRL distribution points field of the NLS's certificate, the DirectAccess client checks the CRL files in the CRL distribution point to determine if the NLS's certificate has been revoked. If the CRL distribution point is not reachable from the intranet, or the NLS certificate has expired, this check fails and the client behaves as if it were on the Internet; the CRL must therefore be published where intranet clients can retrieve it.

4. Based on an HTTP 200 Success response from the NLS URL (successful access, certificate authentication, and revocation check), the DirectAccess client switches to the domain firewall profile and ignores the DirectAccess rules in the NRPT for the remainder of the session.

5. The DirectAccess client computer attempts to locate and log on to the Active Directory Domain Services (AD DS) domain by using its computer account. Because the client no longer references any DirectAccess rules in the NRPT for the rest of the connected session, all DNS queries are sent through interface-configured DNS servers (intranet-based DNS servers). With the combination of network location detection and computer domain logon, the DirectAccess client configures itself for normal intranet access.

6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain (firewall network) profile to the attached network. By design, the DirectAccess Connection Security tunnel rules are scoped to the public and private firewall profiles, so they are disabled from the list of active connection security rules.

The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). The DirectAccess client can access intranet resources normally. It can also access Internet resources through normal means, such as a proxy server.

How DirectAccess Works for External Client Computers
When a DirectAccess client starts, it tests whether it is connected to the intranet by trying to reach the URL specified for the NLS. Because a client on the Internet cannot communicate with the NLS, it starts to use the NRPT and connection security rules. The NRPT has DirectAccess-based rules for name resolution, and connection security rules define DirectAccess IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the following process to connect to intranet resources.
The DirectAccess client first attempts to access the NLS. Then, the client attempts to locate a domain controller. Afterwards, the client attempts to access intranet resources and Internet resources.

DirectAccess Client Attempts To Access the Network Location Server
The DirectAccess client attempts to access the NLS as follows:

1. The client tries to resolve the FQDN of the NLS URL. Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an Internet-based DNS server) rather than through DirectAccess. The external, Internet-based DNS server is not able to resolve the name.

2. The DirectAccess client processes the name resolution request as defined in the DirectAccess exemption rules in the NRPT.

3. Because the NLS is not found on the same network as the one on which the DirectAccess client is currently located, the DirectAccess client applies a public or private firewall network profile to the attached network.

4. The Connection Security tunnel rules for DirectAccess, which are scoped to the public and private profiles, become active in the public or private firewall network profile.

The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and access intranet resources across the Internet through the DirectAccess server.
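The location-detection sequence described for internal and external clients above can be walked through by hand on a DirectAccess client, which is the quickest way to find out why a client decided it was "inside" or "outside". The script below is an added example, not from the course or from Microsoft: the NLS URL https://nls.adatum.com/ is an assumption, and it relies on the Windows 8 client cmdlets (DnsClient, NetSecurity, NetworkTransition and DirectAccessClientComponents modules) as the editor recalls them.

```powershell
# Added example (not from the course): reproduce DirectAccess network location
# detection step by step on a Windows 8 (or later) DirectAccess client.
# The NLS URL is an assumption; replace it with the one your client GPO carries.

$nlsUrl  = 'https://nls.adatum.com/'
$nlsHost = ([uri]$nlsUrl).Host

# Step 1: the NLS name must be an NRPT exemption so that its resolution goes to
# the interface-configured DNS servers and never through the DirectAccess tunnel.
$nrptEntry = Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -ieq $nlsHost }
if ($nrptEntry -and -not $nrptEntry.DirectAccessDnsServers) {
    "NRPT: $nlsHost is an exemption (expected)."
} else {
    "WARNING: $nlsHost has no exemption in the effective NRPT; location detection will misbehave."
}

# Steps 2-3: reach the NLS over HTTPS. Reachability AND a valid, non-revoked
# certificate chain are both required before the client concludes "intranet";
# Invoke-WebRequest throws on either a DNS failure or a certificate failure.
$onIntranet = $false
try {
    $response   = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 5
    $onIntranet = ($response.StatusCode -eq 200)
    "NLS returned HTTP $($response.StatusCode)."
} catch {
    # A name-resolution failure is the normal outcome on the Internet. A
    # certificate or CRL error while on the intranet means clients will wrongly
    # act as if they were remote.
    "NLS not reachable: $($_.Exception.Message)"
}

# Steps 4 and 6: the firewall profile the client assigned to the network, and
# whether the DirectAccess connection security rules (names in the client GPO
# start with 'DirectAccess Policy') are active in that profile.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object { $_.DisplayName -like 'DirectAccess*' } |
    Select-Object DisplayName, Enabled, Profile

# What the client itself concluded, and which transition technology carries
# the tunnel when remote (IP-HTTPS is the fallback through firewalls and
# proxies that block Teredo and 6to4).
Get-DAConnectionStatus
Get-NetIPHttpsState
Get-NetTeredoState

if ($onIntranet) { 'Conclusion: intranet detected; NRPT rules and tunnel rules are inactive.' }
else             { 'Conclusion: network treated as the Internet; NRPT rules and tunnel rules are active.' }
```

Run it from an elevated prompt on the intranet and again on a public network: on the intranet the NLS request must succeed and NetworkCategory must be DomainAuthenticated, while on the Internet the NLS name must fail to resolve and Get-DAConnectionStatus should report a connected state through IP-HTTPS or Teredo.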

DirectAccess Client Attempts To Locate a Domain Controller

After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the first IPsec tunnel, the infrastructure tunnel, to the DirectAccess server by using IPsec tunnel mode and Encapsulating Security Payload (ESP). The process is as follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the DirectAccess client's TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a connection security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its computer account's NT LAN Manager (NTLM) credentials. No user credentials are involved, which is why this tunnel can be established before any user logs on and why it is limited to infrastructure destinations such as DNS servers and domain controllers.

Note: AuthIP enhances authentication in IPsec by adding support for user-based authentication with Kerberos v5 or SSL certificates. AuthIP also supports efficient protocol negotiation and usage of multiple sets of credentials for authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name query response is sent back to the DirectAccess server and back through the IPsec infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic also goes through the IPsec infrastructure tunnel.

DirectAccess Client Attempts To Access Intranet Resources


The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of
destinations for the infrastructure tunnel (such as an email server), the following process occurs:
1. The application or process that attempts to communicate constructs a message or payload and hands
   it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
   outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
   intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client
   uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
   server. The DirectAccess client authenticates itself with its installed computer certificate and the user
   account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
   the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts To Access Internet Resources


When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an
Internet web server), the following process occurs:
1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There
   are no matches. The DNS client service constructs the DNS name query that is addressed to the
   IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
   sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
   outgoing rules or connection security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the connection security
   rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
   normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process constructs the first packet to send to the Internet resource. Before
   sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
   rules or connection security rules for the packet.
6. Because the destination IP address of the packet does not match the connection security
   rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
tunnel or the intranet tunnel connection security rules is sent and received normally.

Accessing the domain controller and accessing intranet resources are very similar processes: both use the
NRPT to locate the appropriate DNS server to resolve the name queries, and they differ only in the IPsec
tunnel that is established between the client and the DirectAccess server. When accessing the domain
controller, all DNS queries are sent through the IPsec infrastructure tunnel; when accessing intranet
resources, a second IPsec tunnel (the intranet tunnel) is established.

Lesson 2

Installing and Configuring DirectAccess Components

In order to install and configure DirectAccess in your organization, you need to meet a number of
requirements pertaining to Active Directory configuration, DNS configuration, and certificate services.
After these requirements are met, you then install and configure the DirectAccess role. Finally, you
configure client computers, and verify that DirectAccess is functional when connecting from both the
internal network and the Internet.


In this lesson, you will learn about DirectAccess requirements, how to plan the DirectAccess solution, and
the process of installation and deployment of DirectAccess. You will also learn about the new features for
implementing DirectAccess in Windows 8.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the prerequisites for implementing DirectAccess.
• Describe the process of configuring DirectAccess.
• Configure AD DS services for DirectAccess.
• Install and configure DirectAccess Server.
• Configure the DirectAccess clients.
• Describe the differences in DirectAccess between Windows 7 and Windows 8.

Prerequisites for Implementing DirectAccess
To deploy DirectAccess, the DirectAccess server, the client computer, and infrastructure should meet
certain requirements.

Requirements for DirectAccess Server
In order to deploy DirectAccess, you need to ensure that the server meets the hardware and network
requirements:
• The server must be joined to an Active Directory domain.
• The server must have Windows Server 2012 or Windows Server 2008 R2 operating system installed.
• The Windows Server 2012 that will be installed as the DirectAccess Server can have a single network
  adapter installed which is connected to the intranet and published over Microsoft Forefront Threat
  Management Gateway 2010 (TMG) or Microsoft Forefront Unified Access Gateway 2010 (UAG) for
  Internet connection. In the deployment scenario where DirectAccess is installed on an Edge server, it
  needs to have two network adapters, one connected to the internal network and the other connected
  to the external network.

  Note: An Edge server is any server that resides on the edge between two or more
  networks, typically a private network and Internet.
netw


• Implementation of DirectAccess in Windows Server 2012 does not require that two consecutive
  static, public IPv4 addresses be assigned to the network adapter. However, to achieve two-factor
  authentication with smart card or OTP deployment, the DirectAccess server will still need two public
  IP addresses.
• You can even deploy Windows Server 2012 DirectAccess behind a NAT device, with support for a
  single or multiple interfaces, thereby circumventing the need for an additional public address. In
  this configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be
  established using a secure HTTP connection.
• On the DirectAccess server, you can install the Remote Access role to configure DirectAccess settings
  for the DirectAccess server and clients, and monitor the status of the DirectAccess server. The Remote
  Access wizard provides you with the option to configure only DirectAccess, only VPN, or both
  scenarios on the same server running Windows Server 2012. This was not possible in the Windows
  Server 2008 R2 deployment of DirectAccess.
• For load balancing support, Windows Server 2012 has the ability to use NLB (up to 8 nodes) to
  achieve high availability and scalability for both DirectAccess and RRAS.

Requirements for DirectAccess Client
To deploy DirectAccess, you also need to ensure that the client computer meets certain requirements:
• The client computer should be joined to an Active Directory domain.
• With the new 2012 DirectAccess scenario it is possible to provision computers offline for domain
  membership without the need for the computer to be on premises.
• The client computer can be loaded with Windows 8, Windows 7 Enterprise Edition, Windows 7
  Ultimate Edition, Windows Server 2012, or Windows Server 2008 R2 operating system.

You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or other earlier
versions of the Windows operating systems.

Infrastructure Requirements
The following are the infrastructure requirements to deploy DirectAccess:
• Active Directory. You must deploy at least one Active Directory domain. Workgroups are not
  supported.
• Group Policy. You need Group Policy for centralized administration and deployment of DirectAccess
  client settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess
  clients, DirectAccess servers, and management servers.
• DNS and domain controller. You must have at least one domain controller and DNS server running
  Windows Server 2012, Windows Server 2008 SP2, or Windows Server 2008 R2.
• PKI. You need to use PKI to issue computer certificates for authentication, and health certificates
  only when NAP is deployed. You do not need external certificates. The SSL certificate installed on
  the DirectAccess server must have a CRL distribution point that is reachable from the Internet. The
  certificate Subject field must contain the FQDN that can be resolved to a public IPv4 address assigned
  to the DirectAccess server by using the Internet DNS.
• IPsec policies. DirectAccess utilizes IPsec policies that are configured and administered as part of
  Windows Firewall with Advanced Security.


• Internet Control Message Protocol Version 6 (ICMPv6) Echo Request traffic. You must create separate
  inbound and outbound rules that allow ICMPv6 Echo Request messages. The inbound rule is required
  to allow ICMPv6 Echo Request messages and is scoped to all profiles. The outbound rule to allow
  ICMPv6 Echo Request messages is scoped to all profiles and is only required if the Outbound block is
  turned on. DirectAccess clients that use Teredo for IPv6 connectivity to the intranet use the ICMPv6
  message when establishing communication.
• IPv6 and transition technologies. IPv6 and the transition technologies such as ISATAP, Teredo, and
  6to4 must be available for use on the DirectAccess server. For each DNS server running Windows
  Server 2008 or Windows Server 2008 R2, you need to remove the ISATAP name from the global query
  block list.

Question: You have a Windows Server 2003 Certificate Authority server in your domain. Can
you use the existing PKI infrastructure for DirectAccess or should you set up a new
Certificate Authority server on Windows Server 2008 R2?

Process of Configuring DirectAccess
To configure DirectAccess, perform the following steps:
1. Configure AD DS and DNS requirements
   o Create a security group in Active Directory and add all client computer accounts that will be
     accessing the intranet through DirectAccess.
   o Configure both internal and external DNS servers with appropriate host names and IP addresses.
2. Configure the PKI environment
   o Add and configure the Certificate Authority server role, create the certificate template and CRL
     distribution point, publish the CRL list, and distribute the computer certificates.
3. Configure DirectAccess Server
   o Install Windows Server 2012 on a server computer with one or two physical network adapters
     (depends on DirectAccess design scenario).
   o Join the DirectAccess server to an Active Directory domain.
   o Install the Remote Access role and configure the DirectAccess server so that it is either one of the
     following:
     - The DirectAccess server is on the perimeter network with one network adapter connected to
       the perimeter network and at least one other network adapter connected to the intranet. In
       this deployment scenario, DirectAccess server is placed between a front-end firewall and
       back-end firewall.
     - The DirectAccess server is published by using IPsec Gateway (TMG or UAG). In this
       deployment scenario, DirectAccess is placed behind a front-end firewall and it has one
       network adapter connected to internal network.
     - The DirectAccess server is installed on an Edge server (typically front end firewall) with one
       network adapter connected to the Internet and at least one other network adapter
       connected to the intranet.


   An alternative design is that the DirectAccess server has only one, and not two, network interfaces. For
   this design, perform the following steps:
   o Verify that the ports and protocols needed for DirectAccess and Internet Control Message
     Protocol (ICMP) Echo Request are enabled in the firewall exceptions and opened on the
     perimeter and Internet-facing firewalls.
   o The DirectAccess server in a simplified implementation can use a single public IP address in
     combination with Kerberos Proxy services for client authentication against domain controllers.
     For two-factor authentication and integration with NAP, you need to configure at least two
     consecutive public static IPv4 addresses that are externally resolvable through DNS. Ensure that
     you have an IPv4 address available and that you have the ability to publish that address in your
     externally-facing DNS server.
   o If you have disabled IPv6 on clients and servers, enable IPv6 because it is required for
     DirectAccess.
   o Install a web server on the DirectAccess server to enable DirectAccess clients to determine whether
     they are inside or outside the intranet. You can install this web server on a separate internal
     server for determining the network location.
   o Based on the deployment scenario, you need to designate one of the server network adapters as
     the Internet-facing interface (in deployment with two network adapters) or publish the
     DirectAccess server which is deployed behind NAT for Internet access.
   o On the DirectAccess server, ensure that the Internet-facing interface is configured to be either a
     Public or a Private interface, depending on your network design. Configure the intranet interfaces
     as domain interfaces. If you have more than two interfaces, ensure that no more than two
     classification types are selected.
4. Configure the DirectAccess clients and test intranet and Internet access
   o Verify that DirectAccess group policy has been applied and certificates have been distributed to
     client computers:
     - Test whether you can connect to DirectAccess server from an intranet.
     - Test whether you can connect to DirectAccess server from the Internet.

Demonstration: Configuring AD DS and Network Services for DirectAccess

In this demonstration, you will see how to:
• Create a security group for DirectAccess computers.
• Configure firewall rules for ICMPv6 traffic.
• Create required DNS records.
• Configure the PKI environment.

Demonstration Steps
Create a security group for DirectAccess client computers
1. On LON-DC1, open the Active Directory Users and Computers console, and create an organizational
   unit with the name DA_Clients OU and inside that organizational unit, create a Global Security group
   with the name DA_Clients.
2. Add LON-SVR3 to the DA_Clients security group.
3. Close the Active Directory Users and Computers console.

Question: Why did you create the DA_Clients group?

Configure firewall rules GPO for ICMPv6 traffic
1. Open the Group Policy Management console, and then right-click Default Domain Policy.
2. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration
   \Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
   \Windows Firewall with Advanced Security.
3. Create a new inbound rule with the following settings:
   o Rule Type: Custom
   o Protocol type: ICMPv6
   o Specific ICMP types: Echo Request
   o Name: Inbound ICMPv6 Echo Requests
4. Create a new outbound rule with the following settings:
   o Rule Type: Custom
   o Protocol type: ICMPv6
   o Specific ICMP types: Echo Request
   o Action: Allow the connection
   o Name: Outbound ICMPv6 Echo Requests
5. Close the Group Policy Management Editor and Group Policy Management consoles.

Create required DNS records
1. Open the DNS Manager console and then create two new host records with the following settings:
   o Name: nls; IP Address: 172.16.0.22
   o Name: crl; IP Address: 172.16.0.22
2. Close the DNS Manager console.

Question: What is the purpose of the nls.adatum.com DNS host record that you associated
with an internal IP address?

Configure the PKI environment
1. Switch to LON-DC1.
2. Open the Certification Authority console.
3. Configure the AdatumCA certification authority with the following extension settings:
   o Add Location: http://crl.adatum.com/crld/
   o Variable: CAName, CRLNameSuffix, and DeltaCRLAllowed
   o Location: .crl
   o Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP
     extension of issued certificates
   o Do not restart Certificate Services.
   o Add Location: \\lon-svr2\crldist$\

   o Variable: CAName, CRLNameSuffix, and DeltaCRLAllowed
   o Location: .crl
   o Select Publish CRLs to this location and Publish Delta CRLs to this location
4. Restart Certificate Services.
5. Close the Certificate Authority console.

Configure permissions on the web server certificate template

Note: Users require the Enroll permission on the certificate.


1. Right-click Certificate Templates in the Certification Authority console and then click Manage.
2. In the Certificate Templates console, in Web Server template Properties, configure security settings
   for Authenticated Users to be allowed to Enroll for a certificate.
3. Close the Certificate Templates console.

Configure computer certificate auto-enrollment
1. On LON-DC1, open the Group Policy Management console.
2. In the console tree, expand Forest: Adatum.com\Domains\Adatum.com.
3. Edit the Default Domain Policy and in the console tree of the Group Policy Management Editor, open
   Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4. At Automatic Certificate Request Settings, create a new Automatic Certificate Request.
5. On the Certificate Template page, click Computer, click Next, and then click Finish.
6. Close the Group Policy Management Editor and the Group Policy Management console.

Demonstration: Configuring the DirectAccess Server

In this demonstration, you will see how to:
• Obtain certificates for IPsec.
• Configure DirectAccess.

Demonstration Steps
Obtain the required certificates for LON-SVR2
1. Switch to LON-SVR2.
2. Open Microsoft Management Console by typing the mmc command, and then add the Certificates
   snap-in for Local computer.
3. In the Certificates snap-in, in the Microsoft Management Console, request a new certificate with the
   following settings:
   o Certificate template: Web Server
   o Common name: 131.107.0.2
4. Verify that a new certificate with the name 131.107.0.2 has been issued with Intended Purposes of
   Server Authentication.

5. For the 131.107.0.2 certificate, in Properties, specify the Friendly Name as IP-HTTPS Certificate,
   and then click OK.
6. In the Certificates console, right-click the certificate with the name lon-svr2.adatum.com, and then
   click Delete.
7. Close the Certificates snap-in console without saving it.
8. Close the console.

Complete the DirectAccess setup wizard on LON-SVR2
1. Open the Server Manager console.
2. In the Server Manager console, open the Remote Access Management console.
3. Click Configuration; the Enable Direct Access Wizard will start automatically.
4. Click Next. Wait until the DirectAccess prerequisites page completes loading.
5. Complete the Enable Direct Access Wizard by using the following settings:
   o DirectAccess Client Setup page; Enter the object names to select: DA_clients
   o Remote Access Server Setup page:
     - Network Topology: Edge
     - Type the public name or IPv4 address used by clients to connect to the Remote Access
       server: 131.107.0.2

     Note: On this page, you might notice that you are using the IP address of the Edge server
     instead of the FQDN. This is because in this lab environment there is no public DNS server, as
     there would be in a real-life scenario.

   o Infrastructure Server Setup page: Accept default values
   o Configure Remote Access page: Accept default values
6. Wait until the Enable DirectAccess Wizard Apply completes, and then click Close.
7. At the command prompt, type the following command:

   GPUpdate /force

8. Close the Server Manager console.

Demonstration: Configuring the DirectAccess Client

To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:
• Configure the DirectAccess client.
• Verify that DirectAccess clients have the computer certificate that is required for DirectAccess
  authentication. This should have been distributed with Group Policy.
• Verify that the client can connect to intranet resources.

Demonstration Steps
Configure the DirectAccess client
1. Switch to LON-SVR3.
2. Open the Command Prompt window and type gpupdate /force to force Group Policy to apply on
   LON-SVR3.
3. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
   applied to the Computer Settings.

   Note: If the DirectAccess Client Settings GPO is not applied, restart LON-SVR3, and then
   repeat step 2 on LON-SVR3.


4. Verify that DNS Effective Name Resolution Policy Table Settings is applied by typing the following
   command at the command prompt:

   netsh name show effectivepolicy

5. Verify that DNS Effective Name Resolution Policy Table Settings is displayed in the Command
   Prompt window.
6. Simulate moving the client computer LON-SVR3 out of the corporate network, that is to the Internet,
   by changing the network adapter settings with external IP address to the following values:
   o IP address: 131.107.0.10
   o Subnet mask: 255.255.0.0
   o Default gateway: 131.107.0.2
7. Disable and then again enable the Local Area Connection network adapter.
8. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy
   Network Adapter to be on the Private Network 2 network.

Verify connectivity to the internal network resources
1. Move the mouse to the lower-left part of screen, click Start, and then click the Internet Explorer
   icon.
2. In the Address bar, type http://lon-svr1.adatum.com and then press Enter. The default IIS 8 web
   page for LON-SVR1 appears.
3. Leave the Internet Explorer window open.
4. Click Start, type \\Lon-SVR1\Files, and then press Enter. A folder window with the contents of the
   Files shared folder appears.
5. In the Files shared folder window, double-click the example.txt file. The content of the example.txt
   file is displayed.
6. Close all open windows.
7. Move the mouse pointer to the lower-right corner of the screen, and in the notification area, click
   Search, and in the search box, type cmd.
8. At the command prompt, type ipconfig.
9. Notice that the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
   address.

Verify connectivity to the DirectAccess server
1. At the command prompt, type the following command:

   Netsh name show effectivepolicy

   Verify that DNS Effective Name Resolution Policy Table Settings present two entries, for
   adatum.com and Directaccess-NLS.Adatum.com.
2. At the PowerShell prompt, type the following command, and then press Enter.

   Get-DAClientExperienceConfiguration

   Notice the DirectAccess client settings.

Verify client connectivity on DirectAccess Server
1. Switch to LON-SVR2.
2. In the Remote Access Management console pane, click Remote Client Status.
   Notice that Client is connected via IPHttps. In the Connection Details pane, in the bottom right of
   the screen, note the use of Kerberos for the Machine and the User.
3. Close all open programs.

Question: How will you configure IPv6 address for Windows 8 to use DirectAccess?

Windows 7 Client vs. Windows 8 Client Implementation
Users working with DirectAccess in the Windows 8 operating system will have a better user
experience than those working in Windows 7. In Windows 8, the DirectAccess solution is
completely transparent for the user. However, in Windows 7, it is hard to troubleshoot the network
connectivity problems. Usually, when problems start, there are no native tools that can easily track
the network behavior and so administrators often use network monitoring tools to get information
regarding connectivity issues.

Windows 8 Client Implementation
• Windows 8 includes an in-box user interface for DirectAccess clients that helps users understand
  the network connectivity experience. A simplified user interface that runs above the Windows
  PowerShell commands provides basic information regarding connectivity.
• Users can easily check their connectivity status. Users can even customize the look of the interface,
  providing additional information such as support email addresses.
• Users might choose the site that they want to connect to in the multisite environment and even
  choose not to be connected to any site.


• Remediation options for actionable problems are presented clearly to the user. Instead of using other
  tools, remediation and problem solving can be done in the same user interface for DirectAccess.
  Typical problems that can be flagged for remediation are:
  o Credentials (Smartcard, TPM, and OTP)
  o NAP
  o Proxy authentication issue
  o Proxy configuration issue
  o Lack of Internet connectivity
• Users can easily send customized logs to their helpdesk by using the properties of Network
  Connectivity Assistance. Users can manually select the DirectAccess entry point that should be used.
  They can collect logs (HTML plus custom logs) and send these logs to already configured email
  addresses.
• When using Windows 7 in a multi-site deployment, you need to create multiple GPOs with different
  settings. However, in Windows 8, clients can easily select the closest DirectAccess server in a multisite
  deployment.
• Easy setup of DirectAccess automatically configures Windows 8 computers to participate in a
  DirectAccess scenario without the need for additional configuration.
• The receive side scaling concept for UDP traffic helps in improving performance in enterprise
  deployment.

Lab: Implementing DirectAccess


Scenario


Because A. Datum has expanded, many of the employees are now frequently out of the office, either
working from home or traveling. A. Datum wants to implement a remote access solution for its employees
so they can connect to the corporate network while they are away from the office. Although the VPN
solution implemented with NAP provides a high level of security, business management is concerned
about the complexity of the environment for end users. Also IT management is concerned that they are
not able to manage the remote clients effectively.
To address these issues, A. Datum has decided to implement DirectAccess on client computers running
Windows 8.

As a senior network administrator, you are required to deploy and validate the DirectAccess deployment.
You will configure the DirectAccess environment and validate that the client computers can connect to
the internal network when operating remotely.

Objectives
After completing this lab, you will be able to:
• Configure the server infrastructure to deploy DirectAccess.
• Configure the DirectAccess clients.
• Validate the DirectAccess implementation.

Lab Setup
Estimated time: 90 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR2, 20417A-LON-SVR3
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR2, and 20417A-LON-SVR3.

Exercise 1: Configuring the DirectAccess Infrastructure


Scenario


You decided to implement DirectAccess as a solution for remote client computers that are not able to
connect through VPN. Also, you want to address management problems, such as GPO application for
remote client computers. For this purpose, you will configure the prerequisite components of
DirectAccess, and configure the DirectAccess server.
The main tasks for this exercise are as follows:
1. Configure the AD DS and DNS requirements.
2. Configure certificate requirements.
3. Configure the internal resources for DirectAccess.
4. Configure DirectAccess server.

Task 1: Configure the AD DS and DNS requirements
1. Create a security group for DirectAccess client computers by performing the following steps:
   a. Switch to LON-DC1.
   b. Open the Active Directory Users and Computers console, and create an Organizational Unit
      named DA_Clients OU, and within that organizational unit, create a Global Security group
      named DA_Clients.
   c. Modify the membership of the DA_Clients group to include LON-SVR1.
   d. Close the Active Directory Users and Computers console.
2. Configure firewall rules for ICMPv6 traffic by performing the following steps:
   a. Open the Group Policy Management console, and then open Default Domain Policy.
   b. In the console tree of the Group Policy Management Editor, navigate to Computer
      Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
      Advanced Security\Windows Firewall with Advanced Security.
   c. Create a new inbound rule with the following settings:
      o Rule Type: Custom
      o Protocol type: ICMPv6
      o Specific ICMP types: Echo Request
      o Name: Inbound ICMPv6 Echo Requests
   d. Create a new outbound rule with the following settings:
      o Rule Type: Custom
      o Protocol type: ICMPv6
      o Specific ICMP types: Echo Request
      o Action: Allow the connection
      o Name: Outbound ICMPv6 Echo Requests
   e. Close the Group Policy Management Editor and Group Policy Management consoles.


3.

Create required DNS records by performing the following steps:


a.

b.
4.

Open the DNS Manager console, and then create new host records with the following settings:

Name: nls; IP Address: 172.16.0.21

Name: crl; IP Address: 172.16.0.22

Close the DNS Manager console.

Remove ISATAP from the DNS global query block list by performing the following steps:
a.

Open the Command Prompt window, type the following command, and then press Enter:
dnscmd /config /globalqueryblocklist wpad
Ensure that the Command completed successfully message appears.

b.
5.

Close the Command Prompt window.

Configure the DNS suffix on LON-SVR2 by performing the following steps:


a.

Switch to LON-SVR2, and in the Local Area Connection Properties dialog box, in the Internet
Protocol Version 4 (TCP/IPv4) dialog box, add the Adatum.com DNS suffix.

b.

Close the Local Area Connection Properties dialog box.
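The five steps of this task, carried out with Windows PowerShell instead of the consoles. This is an added example and not part of the course lab; it assumes the lab's names (adatum.com, DA_Clients, LON-SVR1, LON-SVR2, 172.16.0.21 and 172.16.0.22), that steps 1 to 4 run on LON-DC1 with the ActiveDirectory, NetSecurity and DnsServer modules available, and that step 5 runs on LON-SVR2.

```powershell
# Added example (not from the course): Exercise 1, Task 1 with Windows PowerShell.
# Lab names assumed: adatum.com, DA_Clients, LON-SVR1, LON-SVR2, 172.16.0.21, 172.16.0.22.

# --- Steps 1-4 run on LON-DC1 ---
Import-Module ActiveDirectory, NetSecurity, DnsServer

# Step 1: OU and global security group for DirectAccess clients, with LON-SVR1 as a member
New-ADOrganizationalUnit -Name 'DA_Clients OU' -Path 'DC=adatum,DC=com'
New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security `
            -Path 'OU=DA_Clients OU,DC=adatum,DC=com'
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer -Identity 'LON-SVR1')

# Step 2: ICMPv6 Echo Request rules stored in the Default Domain Policy GPO.
# ICMPv6 type 128 is Echo Request, the "Specific ICMP types: Echo Request" choice in the GUI.
$gpo = 'adatum.com\Default Domain Policy'
New-NetFirewallRule -PolicyStore $gpo -DisplayName 'Inbound ICMPv6 Echo Requests' `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 -Action Allow
New-NetFirewallRule -PolicyStore $gpo -DisplayName 'Outbound ICMPv6 Echo Requests' `
    -Direction Outbound -Protocol ICMPv6 -IcmpType 128 -Action Allow

# Step 3: host records for the network location server and the CRL distribution point
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'nls' -IPv4Address '172.16.0.21'
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'crl' -IPv4Address '172.16.0.22'

# Step 4: the same effect as "dnscmd /config /globalqueryblocklist wpad":
# the block list is replaced by a list containing only wpad, so isatap is no longer blocked
Set-DnsServerGlobalQueryBlockList -List 'wpad'
Get-DnsServerGlobalQueryBlockList        # expect Enable = True, List = {wpad}

# --- Step 5 runs on LON-SVR2: connection-specific DNS suffix on the LAN adapter ---
Set-DnsClient -InterfaceAlias 'Local Area Connection' -ConnectionSpecificSuffix 'Adatum.com'
Get-DnsClient -InterfaceAlias 'Local Area Connection' | Select-Object ConnectionSpecificSuffix
```

Step 4 deserves a second look before you run it: the global query block list exists so that an arbitrary host cannot register the wpad or isatap names and have clients send proxy or tunnel traffic to it. The command keeps wpad on the list and removes only isatap, which DirectAccess needs for ISATAP-capable clients; check the result with Get-DnsServerGlobalQueryBlockList rather than assuming the list now reads as intended.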

Task 2: Configure certificate requirements

1. Configure the CRL distribution settings by performing the following steps:
   a. Switch to LON-DC1 and open the Certification Authority console.
   b. Configure the Adatum-LON-DC1-CA certification authority with the following extension settings:
      Add Location: http://crl.adatum.com/crld/
      Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
      Location: .crl
      Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
      Do not restart Certificate Services.
      Add Location: \\lon-svr2\crldist$\
      Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
      Location: .crl
      Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
      Restart Certificate Services.
   c. Close the Certification Authority console.

2. Duplicate the web certificate template and configure appropriate permissions by performing the following steps:
   a. In the Certificate Templates console, in the contents pane, duplicate the Web Server template by using the following options:
      Template display name: Adatum Web Server Certificate
      Request Handling: Allow private key to be exported
      Authenticated Users permissions: under Allow, click Enroll
   b. Close the Certificate Templates console.
   c. In the Certification Authority console, choose to issue a New Certificate Template and select the Adatum Web Server Certificate template.
   d. Close the Certification Authority console.

3. Configure computer certificate auto-enrollment by performing the following steps:
   a. On LON-DC1, open the Group Policy Management console.
   b. In the console tree, navigate to Forest: Adatum.com, Domains, and Adatum.com.
   c. Edit the Default Domain Policy, and in the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
   d. Under Automatic Certificate Request Settings, configure Automatic Certificate Request to issue the Computer certificate.
   e. Close the Group Policy Management Editor and close the Group Policy Management console.

4. Request a certificate for LON-SVR1 by performing the following steps:
   a. On LON-SVR1, open a command prompt, type the following command, and then press Enter.
      gpupdate /force
   b. At the command prompt, type the following command, and then press Enter.
      mmc
   c. Add the Certificates snap-in for Local computer.
   d. In the console tree of the Certificates snap-in, navigate to Certificates (Local Computer)\Personal\Certificates, request a new certificate, and then under Request Certificates, select Adatum Web Server Certificate with the following setting:
      Subject name: Under Common name, type nls.adatum.com
   e. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.adatum.com was enrolled with Intended Purposes of Server Authentication.
   f. Close the console window. When you are prompted to save settings, click No.

5. Change the HTTPS bindings by performing the following steps:
   a. Open Internet Information Services (IIS) Manager.
   b. In the console tree of Internet Information Services (IIS), navigate to and click Default Web Site.
   c. Configure Site Bindings by selecting nls.adatum.com for SSL Certificate.
   d. Close the Internet Information Services (IIS) Manager console.
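Steps 1, 4 and 5 of this task as Windows PowerShell, added here as an example rather than taken from the course. It assumes the lab's CA, URL and share names; the template name AdatumWebServerCertificate is an assumption (the GUI only shows the display name Adatum Web Server Certificate, and Get-Certificate takes the template name), and the -PublishToServer and -PublishDeltaToServer switches on the UNC location are an assumption beyond the page text, added because the Publish action in Task 3 only writes CRL files to locations flagged for publishing.

```powershell
# Added example (not course material): Task 2 steps 1, 4 and 5 with Windows PowerShell.
# Assumed: lab CA/URL/share names; template name 'AdatumWebServerCertificate'.

# --- On LON-DC1: CRL distribution points (step 1) ---
Import-Module ADCSAdministration
$pattern = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'   # the three GUI variables plus .crl

# HTTP location: listed in the CDP extension of issued certificates and in the
# freshest-CRL pointer that clients use to find delta CRLs
Add-CACrlDistributionPoint -Uri ('http://crl.adatum.com/crld/' + $pattern) `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# UNC location on the edge server. The publish switches are an assumption beyond the lab text:
# without them the Publish action in Task 3 does not write the CRL to this share.
Add-CACrlDistributionPoint -Uri ('\\lon-svr2\crldist$\' + $pattern) `
    -AddToCertificateCdp -AddToFreshestCrl -PublishToServer -PublishDeltaToServer -Force

Restart-Service CertSvc
Get-CACrlDistributionPoint | Format-List Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer

# --- On LON-SVR1: enrol the NLS certificate and bind it to the Default Web Site (steps 4, 5) ---
gpupdate /force
$result = Get-Certificate -Template 'AdatumWebServerCertificate' `
    -SubjectName 'CN=nls.adatum.com' -DnsName 'nls.adatum.com' `
    -CertStoreLocation Cert:\LocalMachine\My
$cert = $result.Certificate

# Verify what the lab checks in the snap-in: Server Authentication among the intended purposes
$cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }

Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert
```

Two points a practitioner would check here. The template duplicated in step 2 allows the private key to be exported; that is what the lab needs, but it also means the NLS and IP-HTTPS keys can leave the servers, so the machines holding them should be treated as sensitive. And the HTTP CDP is what Internet-based clients will fetch, so the http://crl.adatum.com/crld/ path must resolve and serve the CRL from outside before the wizard in Task 4 is trusted to work.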

Task 3: Configure the internal resources for DirectAccess

1. Obtain required certificates for LON-SVR2 by performing the following steps:
   a. Switch to LON-SVR2.
   b. Open a command prompt and refresh group policy by typing gpupdate /force.
   c. Open Microsoft Management Console by typing the mmc command, and then add the Certificates snap-in for Local computer.
   d. In the Certificates snap-in, in the mmc console, request a new certificate with the following settings:
      Certificate template: Adatum Web Server Certificate
      Common name: 131.107.0.2
      Friendly name: IP-HTTPS Certificate
   e. Close the console.

2. Create the CRL distribution point on LON-SVR2 by performing the following steps:
   a. Switch to Server Manager.
   b. In Internet Information Services (IIS) Manager, create a new virtual directory named CRLD and assign c:\crldist as its home directory.

3. Share and secure the CRL distribution point by performing the following step:
   Note: You perform this step to assign permissions to the CRL distribution point.
   In the details pane of Windows Explorer, right-click the CRLDist folder, click Properties, and grant Full Share and NTFS permissions.

4. Publish the CRL to LON-SVR2 by performing the following steps:
   Note: This step makes the CRL available on the edge server for Internet-based DirectAccess clients.
   a. Switch to LON-DC1.
   b. Start the Certification Authority console.
   c. In the console tree, open ADATUMCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.

Task 4: Configure DirectAccess server

5. Complete the DirectAccess setup wizard on LON-SVR2 by performing the following steps:
   a. On LON-SVR2, open the Server Manager console.
   b. In the Server Manager console, start the Remote Access Management console, click Configuration, and start the Enable DirectAccess Wizard with the following settings:
      Select Groups: DA_Clients
      Network Topology: Edge is selected, and verify that 131.107.0.2 is used by clients to connect to the Remote Access server.
      Infrastructure Server Setup page, click Next
      Configure Remote Access page, click Next
      In Summary, click Finish, to apply DirectAccess Settings
      Note: Since the server you already configured is a VPN server, you can only use the Getting Started wizard, which generates a self-signed certificate for DirectAccess communication. The next steps modify the default DirectAccess settings to include the certificates already deployed from the internal Certification Authority.
   c. In the details pane of the Remote Access Management console, under Step 2, click Edit.
   d. On the Network Topology page, verify that Edge is selected, and type 131.107.0.2.
   e. On the Network Adapters page, verify that CN=131.107.0.2 is used as the certificate to authenticate the IP-HTTPS connection.
   f. On the Authentication page, select Use computer certificates, click Browse, and then select Adatum Lon-Dc1 CA.
   g. On the VPN Configuration page, click Finish.
   h. In the details pane of the Remote Access Management console, under Step 3, click Edit.
   i. On the Network Location Server page, select The network location server is deployed on a remote web server (recommended), in the URL of the NLS, type https://nls.adatum.com, and then click Validate.
   j. Ensure that the URL is validated.
   k. On the DNS page, examine the values, and then click Next.
   l. In the DNS Suffix Search List, select Next.
   m. On the Management page, click Finish.
   n. In the details pane of the Remote Access Management console, review the settings for Step 4.
   o. In Remote Access Review, click Apply.
   p. Under Applying Remote Access Setup Wizard Settings, click Close.

6. Update Group Policy settings on LON-SVR2 by performing the following step:
   Open the command prompt, and type the following commands:
   gpupdate /force
   ipconfig
   Note: Verify that LON-SVR2 has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.
Results: After completing this exercise, you will have configured the DirectAccess infrastructure.

Exercise 2: Configuring the DirectAccess Clients

Scenario
After you configured the DirectAccess server and the required infrastructure, you must configure the DirectAccess clients. You decide to use the Group Policy mechanism to apply DirectAccess settings to the clients and for certificate distribution.
The main tasks for this exercise are as follows:
1. Configure Group Policy to configure client settings for DirectAccess.
2. Verify client computer certificate distribution.
3. Verify IP address configuration.

Task 1: Configure Group Policy to configure client settings for DirectAccess
1. Switch to LON-SVR3.
2. Restart LON-SVR3 and then log back on as Adatum\Administrator with the password of Pa$$w0rd. Open the Command Prompt window and then type the following commands:
   gpupdate /force
   gpresult /R
3. Verify that the DirectAccess Client Settings GPO is displayed in the list of the Applied Policy objects for the Computer Settings.

Task 2: Verify client computer certificate distribution
1. On LON-SVR3, open the Certificates MMC.
2. Verify that a certificate with the name LON-SVR3.adatum.com is present with Intended Purposes of Client Authentication and Server Authentication.
3. Close the console window without saving it.

Question: Why did you install a certificate on the client computer?

Task 3: Verify IP address configuration
1. On LON-SVR3, open Internet Explorer and go to http://lon-svr1.adatum.com/. The default IIS 8 web page for LON-SVR1 appears.
2. In Internet Explorer, go to https://nls.adatum.com/. The default IIS 8 web page for LON-SVR1 appears.
3. Open Windows Explorer, type \\Lon-SVR1\Files, and then press Enter. You should see a folder window with the contents of the Files shared folder.
4. Close all open windows.

Results: After completing this exercise, you will have configured the DirectAccess clients.

Exercise 3: Verifying the DirectAccess Configuration

Scenario
When client configuration is completed, it is important to verify that DirectAccess works. You do this by moving the DirectAccess client to the Internet and trying to access internal resources.
The main tasks for this exercise are as follows:
1. Move the client computer to the Internet virtual network.
2. Verify connectivity to the DirectAccess server.
3. Verify connectivity to the internal network resources.

Task 1: Move the client computer to the Internet virtual network
Note: To verify the DirectAccess functionality, you must move the client computer to the Internet.
1. Switch to LON-SVR3.
2. Change the network adapter configuration with the following settings:
   IP address: 131.107.0.10
   Subnet mask: 255.255.0.0
   Default gateway: 131.107.0.2
3. Disable and then again enable the Local Area Network network adapter.
4. Close the Network Connections window.
5. In Hyper-V Manager, right-click 20417A-LON-SVR3 and then click Settings. Change the Legacy Network Adapter to be on the Private Network 2 network. Click OK.

Task 2: Verify connectivity to the DirectAccess server
1. On LON-SVR3, open a command prompt, and type the following command:
   ipconfig
2. Notice the IP address that starts with 2002. This is the IP-HTTPS address.
3. At the command prompt, type the following command, and then press Enter.
   netsh name show effectivepolicy
4. At the command prompt, type the following command, and then press Enter.
   powershell
5. At the Windows PowerShell command prompt, type the following command, and then press Enter.
   Get-DAClientExperienceConfiguration

Task 3: Verify connectivity to the internal network resources
1. Open Internet Explorer and go to http://lon-svr1.adatum.com/. You should see the default IIS 8 web page for LON-SVR1.
2. Open Windows Explorer, type \\LON-SVR1\Files, and then press Enter.
3. You should see a folder window with the contents of the Files shared folder.
4. At the command prompt, type the following command:
   ping lon-dc1.adatum.com
   Verify that you are receiving replies from lon-dc1.adatum.com.
5. At the command prompt, type the following command, and then press Enter.
   gpupdate /force
6. Close all open windows.
7. Switch to LON-SVR2.
8. Start the Remote Access Management console and review the information on Remote Client Status.
   Note: Notice that LON-SVR3 is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of Kerberos for the Machine and the User.
9. Close all open windows.
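The checks of Task 2 and Task 3 gathered into one Windows PowerShell script, added here as an example and not part of the course lab. It assumes the lab's names (LON-SVR3 as the client, 131.107.0.2 as the DirectAccess server, lon-dc1.adatum.com and \\LON-SVR1\Files as internal resources) and that the final block is run on LON-SVR2, not on the client.

```powershell
# Added example (not from the course): what ipconfig, netsh name show effectivepolicy and
# Get-DAClientExperienceConfiguration tell you, collected from the client with PowerShell.
# Assumed lab names: LON-SVR3 (client), 131.107.0.2 (DirectAccess server), adatum.com.

# --- On LON-SVR3 (client) ---
# Tunnel state: the IP-HTTPS interface should be active, and the 2002: address the lab
# expects should be present on it
Get-NetIPHttpsState
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -like '2002:*' } |
    Select-Object InterfaceAlias, IPAddress

# Name Resolution Policy Table as actually applied: adatum.com names must go to the
# DirectAccess DNS64 server, nls.adatum.com must be exempt (that is how the client decides
# it is outside, so a leaked NLS name would make every client think it is inside)
Get-DnsClientNrptPolicy -Effective

# The client's own view of its DirectAccess connection
Get-DAConnectionStatus
Get-DAClientExperienceConfiguration

# Internal resources reachable through the tunnel (Task 3, steps 2 and 4)
Test-Connection -ComputerName 'lon-dc1.adatum.com' -Count 2
Test-Path '\\LON-SVR1\Files'

# --- On LON-SVR2 (DirectAccess server): the Remote Client Status view of Task 3, step 8 ---
Get-RemoteAccessConnectionStatistics
```

The NRPT output is the one to read carefully: every name resolved through the DirectAccess DNS server is a name the tunnel will carry, and the NLS exemption is what keeps the client from deciding it is on the intranet while it is on the Internet. The server-side statistics confirm the same session from the other end, including the transition technology (IP-HTTPS in this lab) the client arrived over.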

Results: After completing this exercise, you will have verified the DirectAccess configuration.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410A-LON-SVR1, 20410A-LON-SVR2, and 20410A-LON-SVR3.

Module Review and Takeaways


Review Questions
Question: What are the main benefits of using DirectAccess for providing remote
connectivity?
Question: How do you configure a DirectAccess server?
Question: How do you configure DirectAccess clients?
Question: How does the DirectAccess client determine if it is connected to the intranet or
the Internet?
Question: What is the use of an NRPT?

Best Practices
Although DirectAccess was present in the previous Windows 7 and Windows 2008 R2 editions, Windows 8 introduces new features for improved manageability, ease of deployment, and improved scale and performance.

Monitoring of the environment is now much easier with support for Windows PowerShell, Windows Management Instrumentation (WMI), and GUI monitoring, along with the Network Connectivity Assistant on the client side.

One of the best enhancements is that DirectAccess can now access IPv4 servers on your network, and your servers do not need to have IPv6 addresses to be exposed through DirectAccess, because your DirectAccess server acts as a proxy.
For ease of deployment, you do not need to have IP addresses on the Internet-facing network. Therefore, this is a good scenario for a proof of concept. However, if you are concerned about security and if you want to integrate with NAP, you still need two public addresses.
Consider integrating DirectAccess with your existing Remote Access solution, because Windows Server 2012 can implement the DirectAccess server behind a NAT device, which is the most common Remote Access Server (RAS) solution for companies.

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
You have configured DirectAccess, but users are complaining about connectivity issues. You want to troubleshoot those issues more efficiently. |
The DirectAccess client tries to connect to the DirectAccess server by using IPv6 and IPsec with no success. |

Real-world Issues and Scenarios

You are considering implementing DirectAccess in your organization. You are planning to implement Windows Server 2012 servers. What are the other considerations that you should be aware of?

Tools

Tool | Use for | Where to find it
Express Setup, Remote Access Configuration | A graphical tool that simplifies the configuration of DirectAccess | Server Manager/Tools
Dnscmd.exe | A command-line tool used for DNS management | Run from command line
Services.msc | Helps in managing Windows services | Server Manager/Tools
Gpedit.msc | Helps in editing the Local Group Policy | Run from command line
IPconfig.exe | A command-line tool that displays the current TCP/IP network configuration | Run from command line
DNS Manager console | Helps in configuring name resolution | Server Manager/Tools
Mmc.exe | Helps in the creation and management of the Management Console | Run from command line
Gpupdate.exe | Helps in managing Group Policy application | Run from command line
Active Directory Users and Computers | Useful in configuring group membership for client computers that will be configured with DirectAccess | Server Manager/Tools


Module 7
Implementing Failover Clustering
Contents:
Module Overview 7-1
Lesson 1: Overview of Failover Clustering 7-2
Lesson 2: Implementing a Failover Cluster 7-13
Lesson 3: Configuring Highly-Available Applications and Services on a Failover Cluster 7-18
Lesson 4: Maintaining a Failover Cluster 7-22
Lesson 5: Implementing a Multi-Site Failover Cluster 7-27
Lab: Implementing Failover Clustering 7-32
Module Review and Takeaways 7-37

Module Overview

Providing high availability is very important for any organization that wants to provide continuous
services to its users. Failover Clustering is one of the main technologies in Windows Server 2012 that can
provide high availability for various applications and services. In this module, you will learn about Failover
Clustering, Failover Clustering components, and implementation techniques.

Objectives
After completing this module, you will be able to:

Describe Failover Clustering.

Implement a failover cluster.

Configure highly-available applications and services.

Maintain a failover cluster.

Implement multi-site Failover Clustering.

Lesson 1
Overview of Failover Clustering

Failover clusters in Windows Server 2012 provide a high-availability solution for many server roles and applications. By implementing failover clusters, you can maintain application or service availability if one or more computers in the failover cluster fail. Before you implement Failover Clustering, you should be familiar with general high-availability concepts. You must understand clustering terminology and also how failover clusters work. Also, it is important to be familiar with new clustering features in Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

Describe availability.

Describe Failover Clustering improvements in Windows Server 2012.

Describe failover cluster components.

Define failover and failback.

Describe failover cluster networks.

Describe failover cluster storage.

Describe a quorum.

Describe quorum modes.

Describe Cluster Shared Volumes (CSVs).

What Is Availability?
Availability refers to a level of service that applications, services, or systems provide, and is expressed as the percentage of time that a service or system is available. Highly-available systems have minimal downtime, whether planned or unplanned, and are available more than 99 percent of the time, depending on the needs and the budget of the organization. For example, a system that is unavailable for 8.75 hours per year would have a 99.9 percent availability rating.

To improve availability, you must implement fault-tolerance mechanisms that mask or minimize how failures of the service's components and dependencies affect the system. You can achieve fault tolerance by implementing redundancy to single points of failure.
Availability requirements must be expressed so that there are no misunderstandings about the implications. Miscommunication about service level expectations between the customer and the IT organization can result in poor business decisions, such as unsuitable investment levels and customer dissatisfaction.

The availability measurement period can also have a significant effect on the definition of availability. For example, a requirement for 99.9 percent availability over a one-year period allows for 8.75 hours of downtime, whereas a requirement for 99.9 percent availability over a rolling four-week window allows for only 40 minutes of downtime per period.
You also have to identify and negotiate planned outages: maintenance activities, service pack updates, and software updates. These are scheduled outages, and typically are not included as downtime when calculating the system's availability. You typically calculate availability based on unplanned outages only. However, you have to negotiate exactly which planned outages you consider as downtime.

Failover Clustering Improvements in Windows Server 2012
Failover Clustering has not significantly changed since Windows Server 2008 R2. However, there are some new features and technologies in Windows Server 2012 that help increase scalability and cluster storage availability, and provide better and easier management and faster failover.
The important new features in Windows Server 2012 Failover Clustering include:

Increased scalability. In Windows Server 2012, a failover cluster can have 64 physical nodes and can run 4,000 virtual machines on each cluster. This is a significant improvement over Windows Server 2008 R2, which supports only 16 physical nodes and 1,000 virtual machines per cluster. Each cluster you create is now available from the Server Manager console. Server Manager in Windows Server 2012 can discover and manage all clusters created in an Active Directory Domain Services (AD DS) domain. If the cluster is deployed in a multi-site scenario, the administrator can now control which nodes in a cluster have votes for establishing quorum. Failover Clustering scalability is also improved for virtual machines that are running on clusters. This will be discussed in more detail in Module 8: Implementing Hyper-V.

Improved Cluster Shared Volumes (CSVs). This technology was introduced in Windows Server 2008 R2, and it became very popular for providing virtual machine storage. In Windows Server 2012, CSV volumes appear as CSV File System, and it supports server message block (SMB) version 2.2 storage for Hyper-V and other applications. Also, CSV can use SMB multichannel and SMB Direct to enable traffic to stream across multiple networks in a cluster. For additional security, you can use BitLocker Drive Encryption for CSV disks, and you can also make CSV storage visible only to a subset of nodes in a cluster. For reliability, CSV volumes can be scanned and repaired with zero offline time.

Cluster-aware updating. Updating cluster nodes required a lot of preparation and planning in earlier versions of Windows Server, to minimize or avoid downtime. Also, the procedure of updating cluster nodes was mostly manual, which caused additional administrative effort. In Windows Server 2012, a new technology is introduced for this purpose. This technology is called Cluster-Aware Updating. It automatically updates cluster nodes with Windows Update hotfixes while keeping the cluster online and minimizing downtime. This technology will be explained in more detail in Lesson 4: Maintaining a Failover Cluster.

Active Directory integration improvements. Since Windows Server 2008, Failover Clustering is integrated in Active Directory Domain Services (AD DS). In Windows Server 2012, this integration is improved. Administrators can create cluster computer objects in targeted organizational units (OUs), or by default in the same OUs as the cluster nodes. This aligns failover cluster dependencies on AD DS with the delegated domain administration model that is used in many IT organizations. Also, failover clusters can now be deployed with access only to read-only domain controllers.

Management improvements. Although Failover Clustering in Windows Server 2012 still uses almost the same management console and the same administrative techniques, it brings some important management improvements. The Validation wizard is improved: the validation speed for large failover clusters is improved, and new tests for CSVs, the Hyper-V role, and virtual machines are added. Also, new Windows PowerShell cmdlets are available for managing clusters, monitoring clustered virtual machine applications, and creating highly available iSCSI targets.

Removed and Deprecated Features

In Windows Server 2012 clustering, some features are removed or deprecated. If you are moving from an older version of Failover Clustering, you should be aware of these features:

The Cluster.exe command-line tool is deprecated. However, it can be optionally installed with the Failover Clustering Tools. Failover Clustering Windows PowerShell cmdlets provide functionality that is generally the same as Cluster.exe commands.

The Cluster Automation Server (MSClus) COM interface is deprecated, but it can be optionally installed with the Failover Clustering Tools.

Support for 32-bit cluster resource DLLs is deprecated, but 32-bit DLLs can be optionally installed. Cluster resource DLLs should be updated to 64 bit.

The Print Server role is removed from the High Availability Wizard, and it cannot be configured in Failover Cluster Manager.

The Add-ClusterPrintServerRole cmdlet is deprecated, and it is not supported in Windows Server 2012.

Failover Cluster Components

A failover cluster is a group of independent computers that work together to increase the availability of applications and services. Physical cables and software connect the clustered servers, known as nodes. If one of the cluster nodes fails, another node begins to provide service. This process is known as failover. With failover, users experience a minimum of service disruptions.
A Failover Clustering solution consists of several components, which include:

Nodes. These are computers that are members of a failover cluster. These computers run the Cluster service and the resources and applications associated with the cluster.

Network. This is a network across which cluster nodes can communicate with one another and with clients. There are three types of networks that can be used in a cluster. These networks are discussed in more detail in the Failover Cluster Networks section.

Resource. This is an entity that is hosted by a node. It is managed by the Cluster service and can be started, stopped, and moved to another node.

Cluster storage. This is a storage system that is usually shared between cluster nodes. In some scenarios, such as clusters of servers running Microsoft Exchange Server, shared storage is not required.

Clients. These are computers (or users) that are using the Cluster service.

Service or application. This is a software entity that is presented to clients and used by clients.

Witness. This can be a file share or disk which is used to maintain quorum. Ideally the witness should be located on a network that is both logically and physically separate from those used by the failover cluster. However, the witness must remain accessible by all cluster node members. The concepts of quorum and how the witness comes into play will be examined more closely in the coming lessons of this module.

In a failover cluster, each node in the cluster:

Has full connectivity and communication with the other nodes in the cluster.

Is aware when another node joins or leaves the cluster.

Is connected to a network through which client computers can access the cluster.

Is connected through a shared bus or iSCSI connection to shared storage.

Is aware of the services or applications that are running locally, and the resources that are running on all other cluster nodes.

Cluster storage usually refers to logical devices, typically hard disk drives or logical unit numbers (LUNs), that all the cluster nodes attach to through a shared bus. This bus is separate from the bus that contains the system and boot disks. The shared disks store resources such as applications and file shares that the cluster will manage.
A failover cluster typically defines at least two data communications networks: one network enables the cluster to communicate with clients, and the second, isolated network enables the cluster node members to communicate directly with one another. If directly-connected shared storage is not being used, then a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data storage network.

Most clustered applications and their associated resources are assigned to one cluster node at a time. The node that provides access to those cluster resources is the active node. If the nodes detect the failure of the active node for a clustered application, or if the active node is taken offline for maintenance, the clustered application is started on another cluster node. To minimize the impact of the failure, client requests are immediately and transparently redirected to the new cluster node.

What Are Failover and Failback?
Failover transfers the responsibility of providing access to resources in a cluster from one node to another. Failover can occur when an administrator intentionally moves resources to another node for maintenance, or when unplanned downtime of one node happens because of hardware failure or other reasons. Also, service failure on an active node can initiate failover to another node.

A failover attempt consists of the following steps:

1. The Cluster service takes all the resources in the instance offline in an order that is determined by the instance's dependency hierarchy. That is, dependent resources first, followed by the resources on which they depend. For example, if an application depends on a physical disk resource, the Cluster service takes the application offline first, which enables the application to write changes to the disk before the disk is taken offline.

2. After all the resources are offline, the Cluster service attempts to transfer the instance to the node that is listed next on the instance's list of preferred owners.

3. If the Cluster service successfully moves the instance to another node, it attempts to bring all the resources online. This time, it starts at the lowermost part of the dependency hierarchy. Failover is complete when all the resources are online on the new node.

The Cluster service can fail back instances that were originally hosted on the offline node, after the offline node becomes active again. When the Cluster service fails back an instance, it uses the same procedures that it performs during failover. That is, the Cluster service takes all the resources in the instance offline, moves the instance, and then brings all the resources in the instance back online.
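The three failover steps and the failback behaviour just described, observed and driven with the FailoverClusters Windows PowerShell module (the cmdlets the lesson names as the replacement for the deprecated Cluster.exe). This is an added example, not course material; the cluster name CLUSTER1, the group name FileServer1 and the node name NODE2 are assumptions.

```powershell
# Added example (not from the course): dependency order, a planned failover and failback
# settings with the FailoverClusters module. CLUSTER1, FileServer1 and NODE2 are assumed names.
Import-Module FailoverClusters
$cluster = 'CLUSTER1'
$group   = 'FileServer1'

# Step 2 of a failover uses the preferred-owner list: this is the order the cluster will try
Get-ClusterOwnerNode -Group $group -Cluster $cluster

# Steps 1 and 3 follow the dependency hierarchy: each resource's "[Disk] and [IP]" style
# expression shows what must be online before it, so what is taken offline after it
Get-ClusterGroup -Name $group -Cluster $cluster |
    Get-ClusterResource |
    Get-ClusterResourceDependency

# A planned failover for maintenance: the group goes offline top-down, moves to NODE2,
# and comes online bottom-up; the call returns once the group is online on the new node
Move-ClusterGroup -Name $group -Node 'NODE2' -Cluster $cluster
Get-ClusterGroup -Name $group -Cluster $cluster | Select-Object Name, OwnerNode, State

# Failback: allow it, but only between 01:00 and 04:00 so that a node which is flapping
# does not move the workload back and forth during business hours
$g = Get-ClusterGroup -Name $group -Cluster $cluster
$g.AutoFailbackType    = 1    # 0 = prevent failback, 1 = allow failback
$g.FailbackWindowStart = 1    # hour of day, 0-23 (-1 = no window restriction)
$g.FailbackWindowEnd   = 4
```

The failback window is the setting worth pausing on: with immediate failback, a node that comes up, fails again and comes up again causes the group to go through the offline/online cycle of the lesson each time, so the window limits how often an unstable node can take the service down.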

Failover Cluster Networks

Network and network adapters are important parts of each cluster implementation. You cannot configure a cluster without configuring the networks that the cluster will use. A network can perform one of the following roles in a cluster:

Private network. A private network carries internal cluster communication. By using this network, cluster nodes exchange heartbeats and check for another node or nodes. The failover cluster authenticates all internal communication. However, administrators who are especially concerned about security may want to restrict internal communication to physically secure networks.

Public network. A public network provides client systems with access to cluster application services. IP address resources are created on networks that provide clients with access to the Cluster service.

Public-and-private network. A public-and-private network (also known as a mixed network) carries internal cluster communication and connects clients to cluster application services.

When you configure networks in failover clusters, you must also dedicate a network to connect to the shared storage. If you use iSCSI for the shared storage connection, the network will use an IP-based Ethernet communications network. However, you should not use this network for node or client communication. Sharing the iSCSI network in this manner may result in contention and latency issues for both users and for the resource that is being provided by the cluster.

Though not a best practice, you can use the private and public networks for both client and node communications. Preferably, you should dedicate an isolated network for the private node communication. The reasoning for this is similar to using a separate Ethernet network for iSCSI, namely to avoid resource bottleneck and contention issues. The public network is configured to allow client connections to the failover cluster. Although the public network can provide backup for the private network, a better design practice is to define alternative networks for the primary private and public networks, or at least team the network interfaces used for these networks.

The networking features in Windows Server 2012-based clusters include the following:

The nodes transmit and receive heartbeats by using User Datagram Protocol (UDP) unicast, instead of UDP broadcast (which was used in legacy clusters). The messages are sent on port 3343.

You can include clustered servers on different IP subnets, which reduces the complexity of setting up multi-site clusters.

The Failover Cluster Virtual Adapter is a hidden device that is added to each node when you install the Failover Clustering feature. The adapter is assigned a media access control (MAC) address based on the MAC address that is associated with the first enumerated physical network adapter in the node.

Failover clusters fully support IPv6 for both node-to-node and node-to-client communication.

You can use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, or assign static IP addresses to all nodes in the cluster. However, if some nodes have static IP addresses and you configure others to use DHCP, the Validate a Configuration Wizard will raise an error. The cluster IP address resources are obtained based on the configuration of the network interface supporting that cluster network.
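
The network roles described above (private, public, mixed, and the dedicated iSCSI network that the cluster should not use at all) map directly onto the Role property of each cluster network, and the UDP 3343 heartbeat has tunable delay and threshold values. The script below is an added example, not from the course; the network names Private, Public and iSCSI are a hypothetical three-network design, and the firewall display group name "Failover Clusters" is the one the Failover Clustering feature registers on Windows Server 2012 (treat it as an assumption if your build differs).

```powershell
# Added example (not from the course text). Network names are assumptions
# for a three-network design: Private (heartbeat), Public (clients), iSCSI.
Import-Module FailoverClusters

# Role values of a cluster network:
#   0 = none: the cluster does not use it (correct for the iSCSI network,
#       which must carry neither heartbeats nor client traffic)
#   1 = cluster only: the private network for heartbeats/internal traffic
#   3 = cluster and client: the public or mixed network
$roles = @{
    "Private" = 1
    "Public"  = 3
    "iSCSI"   = 0
}

foreach ($net in Get-ClusterNetwork) {
    if ($roles.ContainsKey($net.Name)) {
        $net.Role = $roles[$net.Name]
    }
}

# Review the result. Any network with Role 0 that is not the storage network
# is a misconfiguration; a Role 3 network on the storage subnet exposes the
# iSCSI segment to client traffic.
Get-ClusterNetwork |
    Select-Object Name, Address, AddressMask, Role, State |
    Format-Table -AutoSize

# Heartbeats are UDP unicast on port 3343. A heartbeat is sent every
# SameSubnetDelay ms and a node is declared down after SameSubnetThreshold
# consecutive misses (defaults 1000 ms x 5 = 5 s). The CrossSubnet values
# apply between nodes on different subnets (multi-site clusters). If a
# stretched cluster evicts nodes during WAN blips, raise the threshold
# rather than the delay so detection of a real failure stays prompt.
$cluster = Get-Cluster
$cluster | Select-Object SameSubnetDelay, SameSubnetThreshold,
                         CrossSubnetDelay, CrossSubnetThreshold

# Confirm the inbound heartbeat rules are still enabled on this node; a
# hardening baseline that disables them partitions the cluster.
Get-NetFirewallRule -DisplayGroup "Failover Clusters" |
    Where-Object { $_.Direction -eq "Inbound" } |
    Select-Object DisplayName, Enabled, Profile
```

Run the role assignment once from any node; the Role property is cluster-wide, not per node.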

Failover Cluster Storage

Most Failover Clustering scenarios require shared storage to provide consistent data to a highly available service or application after failover. There are three shared storage options for a failover cluster:

Shared serial attached SCSI (SAS). Shared SAS is the lowest cost option. However, it is not very flexible for deployment because the two cluster nodes must be physically close together. In addition, the shared storage devices that are supporting SAS have a limited number of connections for cluster nodes.

Internet SCSI (iSCSI). iSCSI is a type of storage area network (SAN) that transmits SCSI commands over IP networks. Performance is acceptable for most scenarios when 1 gigabit per second (Gbps) or 10 Gbps Ethernet is used as the physical medium for data transmission. This type of SAN is fairly inexpensive to implement because no specialized networking hardware is required. In Windows Server 2012, you can implement iSCSI target software on any server, and present local storage over an iSCSI interface to clients.

Fibre Channel. Fibre Channel SANs typically have better performance than iSCSI SANs, but are much more expensive. Specialized knowledge and hardware are required to implement a Fibre Channel SAN.

Note: The Microsoft iSCSI Software Target is now an integrated feature in Windows Server 2012. It can provide storage from a server over a TCP/IP network, including shared storage for applications that are hosted in a failover cluster. Also, in Windows Server 2012, a highly available iSCSI Target Server can be configured as a clustered role by using Failover Cluster Manager or Windows PowerShell.

Storage Requirements

After you choose the type of storage, you should also be aware of the following storage requirements:

To use the native disk support included in Failover Clustering, use basic disks and not dynamic disks.

We recommend that you format the partitions with NTFS. For the disk witness, the partition must be NTFS, because FAT is not supported.

For the partition style of the disk, you can use either master boot record (MBR) or GUID partition table (GPT).

Because improvements in failover clusters require that the storage respond correctly to specific SCSI commands, the storage must follow the SCSI Primary Commands-3 (SPC-3) standard. In particular, the storage must support Persistent Reservations, as specified in the SPC-3 standard.

The miniport driver used for the storage must work with the Microsoft Storport storage driver. Storport offers a higher performance architecture and better Fibre Channel compatibility in Windows systems.

You must isolate storage devices. That is, one cluster per device. Servers from different clusters must be unable to access the same storage devices. In most cases, a logical unit number (LUN) that is used for one set of cluster servers should be isolated from all other servers through LUN masking or zoning.

Consider using multipath I/O software. In a highly available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software. This provides the highest level of redundancy and availability. For Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part of the operating system.
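
The requirements above (basic rather than dynamic disks, NTFS, MBR or GPT, MPIO) can be checked on a node before the Validate a Configuration Wizard is run. The script below is an added example, not from the course; it audits every disk on a shared bus, flags dynamic disks and non-NTFS volumes, and turns on MPIO for iSCSI paths. It assumes the LUNs are already online on the node where it runs; the detection of dynamic disks relies on Win32_DiskPartition reporting a partition type containing "Logical Disk Manager" for LDM (dynamic) disks.

```powershell
# Added example (not from the course text). Run on one node with the shared
# LUNs online; disk numbers and bus types depend on the environment.
Import-Module Storage

# Only disks on a shared bus; the local boot disk is excluded by bus type.
$shared = Get-Disk | Where-Object { $_.BusType -in @("iSCSI", "SAS", "Fibre Channel") }

$report = foreach ($disk in $shared) {
    # Dynamic disks carry Logical Disk Manager partitions; the cluster's
    # native disk support requires basic disks.
    $wmiParts = Get-CimInstance Win32_DiskPartition -Filter "DiskIndex = $($disk.Number)"
    $dynamic  = [bool]($wmiParts | Where-Object { $_.Type -like "*Logical Disk Manager*" })

    # File systems of the volumes on the disk (empty for a RAW disk).
    $fs = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
          Get-Volume -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty FileSystem

    [pscustomobject]@{
        Disk        = $disk.Number
        SizeGB      = [math]::Round($disk.Size / 1GB, 1)
        Bus         = $disk.BusType
        Style       = $disk.PartitionStyle          # MBR and GPT are both fine
        Basic       = -not $dynamic
        FileSystems = ($fs -join ",")
        # A disk witness must be a basic disk formatted NTFS; FAT is refused.
        WitnessOK   = (-not $dynamic) -and ($fs -contains "NTFS")
    }
}
$report | Format-Table -AutoSize

$bad = $report | Where-Object {
    -not $_.Basic -or ($_.FileSystems -and $_.FileSystems -notmatch "NTFS")
}
if ($bad) {
    Write-Warning "Disks that do not meet the cluster storage requirements: $($bad.Disk -join ', ')"
}

# Multipath I/O: install the feature, let the Microsoft DSM claim iSCSI
# devices, and balance I/O round-robin across paths. A restart is required
# before the DSM claims the devices.
Add-WindowsFeature Multipath-IO
Import-Module MPIO
Enable-MSDSMAutomaticClaim -BusType iSCSI
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR
```

The SPC-3 Persistent Reservations requirement cannot be verified from disk properties; it is exercised by the Storage tests of the Validate a Configuration Wizard (`Test-Cluster -Include Storage`), which is why that wizard must be run before the cluster is considered supported.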

What Is Quorum?

Quorum is the number of elements that must be online for a cluster to continue running. In effect, each element can cast one vote to determine whether the cluster continues to run. Each cluster node is an element that has one vote. If there is an even number of nodes, then an additional element, which is known as a witness, is assigned to the cluster. The witness element can be either a disk or a file share. Each voting element contains a copy of the cluster configuration, and the Cluster service works to keep all copies synchronized at all times.

The cluster will stop providing failover protection if most of the nodes fail or if there is a problem with communication between the cluster nodes. Without a quorum mechanism, each set of nodes could continue to operate as a failover cluster. This results in a partition within the cluster. Quorum prevents two or more nodes from concurrently operating a failover cluster resource. If a clear majority is not achieved between the node members, then the vote of the witness becomes crucial to maintain the validity of the cluster. Concurrent operation could occur when network problems prevent one set of nodes from communicating with another set of nodes. That is, a situation might occur where more than one node tries to control access to a resource. If that resource is, for example, a database application, damage could result. Imagine the consequence if two or more instances of the same database are made available on the network, or if data was accessed and written to a target from more than one source at a time. If the application itself is not damaged, the data could easily become corrupted.

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster can
calculate the number of votes that are required for the cluster to continue providing failover protection.
If the number of votes drops below the majority, the cluster stops running. That is, it will not provide
failover protection if there is a node failure. Nodes will still listen for the presence of other nodes, in case
another node appears again on the network, but the nodes will not function as a cluster until a majority
consensus or quorum is achieved.

Note: The full functioning of a cluster depends not just on quorum, but on the capacity of each node to support the services and applications that fail over to that node. For example, a cluster that has five nodes could still have quorum after two nodes fail, but each remaining cluster node would continue serving clients only if it has enough capacity (such as disk space, processing power, network bandwidth, RAM) to support the services and applications that failed over to it. An important part of the design process is planning each node's failover capacity. A failover node must be able to run its own load and also the load of additional resources that might fail over to it.

The Process of Achieving Quorum

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster
software on each node stores information about how many votes constitute a quorum for that cluster. If
the number drops below the majority, the cluster stops providing services. Nodes will continue listening
for incoming connections from other nodes on port 3343, in case they appear again on the network, but
the nodes will not begin to function as a cluster until quorum is achieved.

There are several phases a cluster must complete to achieve quorum. As a given node comes up, it
determines whether there are other cluster members that can be communicated with. This process
may be in progress on multiple nodes at the same time. After communication is established with other
members, the members compare their membership views of the cluster until they agree on one view
(based on timestamps and other information). A determination is made whether this collection of
members has quorum; or has enough members the total of which creates sufficient votes so that a
split scenario cannot exist. A split scenario means that another set of nodes that are in this cluster are
running on a part of the network inaccessible to these nodes. Therefore, more than one node could be
actively trying to provide access to the same clustered resource. If there are not enough votes to achieve
quorum, the voters (the currently recognized members of the cluster) wait for more members to appear.
After at least the minimum vote total is attained, the Cluster service begins to bring
cluster resources and applications into service. With quorum attained, the cluster becomes fully functional.

Quorum Modes in Windows Server 2012 Failover Clustering

The same quorum modes from Windows Server 2008 are also present in Windows Server 2012. As before, a majority of votes determines whether a cluster achieves quorum. Nodes can vote, and where appropriate, either a disk in cluster storage (known as a disk witness) or a file share (known as a file share witness) can vote. There is also a quorum mode called No Majority: Disk Only, which functions like the disk-based quorum in Windows Server 2003. Other than that mode, there is no single point of failure with the quorum modes, because only the number of votes is important and not whether a particular element is available to vote. This quorum model is flexible. You can choose the mode best suited to your cluster.

Be aware that, most of the time, it is best to use the quorum mode selected by the cluster software. If you run the Quorum Configuration Wizard, the quorum mode that the wizard lists as recommended is the quorum mode chosen by the cluster software. We recommend changing the quorum configuration only if you have determined that the change is appropriate for your cluster.

There are four quorum modes:

Node Majority. Each node that is available and in communication can vote. The cluster functions only with a majority of the votes. That is, more than half. This model is preferred when the cluster consists of an odd number of server nodes (no witness is needed to maintain or achieve quorum).

Node and Disk Majority. Each node plus a designated disk in the cluster storage, the disk witness, can vote, when they are available and in communication. The cluster functions only with a majority of the votes. That is, more than half. This model is based on an even number of server nodes being able to communicate with one another in the cluster in addition to the disk witness.

Node and File Share Majority. Each node plus a designated file share created by the administrator, which is the file share witness, can vote when they are available and in communication. The cluster functions only with a majority of the votes. That is, more than half. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the file share witness.

No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage. Only the nodes that are also in communication with that disk can join the cluster.

Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters are based on a simple majority vote model. As long as a majority of the votes are available, the cluster continues to function. For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes is not relevant; the vote could be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is not available.

In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are available. This type of quorum also prevents more than one node from assuming the primary role.

Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all nodes are still available. In this mode, the quorum-shared disk is a single point of failure, so this mode is not recommended.

When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically selects one of two default configurations. By default, Failover Clustering selects:

Node Majority if there is an odd number of nodes in the cluster.

Node and Disk Majority if there is an even number of nodes in the cluster.

Modify this setting only if you determine that a change is appropriate for your cluster, and ensure that you understand the implications of making the change.

In addition to planning your quorum mode, you should also consider the capacity of the nodes in your cluster, and their ability to support the services and applications that may fail over to that node. For example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail. However, if you have several applications or services deployed on the cluster, each remaining cluster node may not have the capacity to provide services.
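
The quorum modes above correspond to the parameter sets of Set-ClusterQuorum. The following script is an added example, not part of the course text; it prepares a file share witness whose share and NTFS permissions admit only the cluster name object, chooses Node Majority or Node and File Share Majority from the node count, and then reports how many votes are online against how many the majority rule needs. The names CLUSTER1, FS1 and ADATUM are assumptions. The Disk Only mode is deliberately not used, for the single point of failure reason given in the note.

```powershell
# Added example (not from the course text). Assumed names: cluster CLUSTER1
# (computer account ADATUM\CLUSTER1$), file server FS1 outside the cluster.
Import-Module FailoverClusters

# --- On the file server FS1 (must not be a node of this cluster) ---
$path = "C:\Witness\CLUSTER1"
New-Item -ItemType Directory -Path $path -Force | Out-Null

# The Cluster service reaches the witness as the cluster name object, which
# is the computer account CLUSTER1$. Grant it and local Administrators Full
# Control and strip inherited Users/Everyone entries, so that no ordinary
# account can read or tamper with the witness data.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'ADATUM\CLUSTER1$', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl
New-SmbShare -Name "CLUSTER1-Witness" -Path $path `
    -FullAccess 'ADATUM\CLUSTER1$', 'BUILTIN\Administrators'

# --- On any node of the cluster ---
$cluster = Get-Cluster -Name CLUSTER1
$nodes   = @(Get-ClusterNode -Cluster $cluster)

if ($nodes.Count % 2 -eq 0) {
    # Even node count: add a witness vote so a partition cannot tie.
    Set-ClusterQuorum -Cluster $cluster -NodeAndFileShareMajority "\\FS1\CLUSTER1-Witness"
} else {
    # Odd node count: a majority of nodes can never tie, no witness needed.
    Set-ClusterQuorum -Cluster $cluster -NodeMajority
}

# Vote arithmetic: one vote per node plus one for the witness if present.
# The cluster runs while the online votes exceed half of the total.
$quorum = Get-ClusterQuorum -Cluster $cluster
$total  = $nodes.Count + [int][bool]$quorum.QuorumResource
$online = @($nodes | Where-Object { $_.State -eq "Up" }).Count
if ($quorum.QuorumResource -and $quorum.QuorumResource.State -eq "Online") { $online++ }
$needed = [math]::Floor($total / 2) + 1

"Quorum type: $($quorum.QuorumType); votes online: $online of $total; majority needed: $needed"
if ($online -lt $needed) {
    Write-Warning "Below majority: the cluster would stop providing failover protection"
}
```

With four nodes and a witness, `$total` is 5 and `$needed` is 3, which is the five-vote case worked in the text; losing two nodes leaves three votes online and the cluster keeps running, while losing two nodes and the witness does not.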

What Are Cluster Shared Volumes?

In a classic failover cluster deployment, only a single node at a time controls a LUN on the shared storage. This means that the other nodes cannot see the shared storage until each node becomes an active node. CSV is a technology introduced in Windows Server 2008 R2 which enables multiple nodes to concurrently share a single LUN. Each node obtains exclusive access to individual files on the LUN instead of the whole LUN. In other words, CSVs provide a distributed file access solution so that multiple nodes in the cluster can simultaneously access the same NTFS file system.

In Windows Server 2008 R2, CSVs were designed only for hosting virtual machines running on a Hyper-V server in a failover cluster. This enabled administrators to have a single LUN that hosts multiple virtual machines in a failover cluster. Multiple cluster nodes have access to the LUN, but each virtual machine runs only on one node at a time. If the node on which the virtual machine was running fails, CSV lets the virtual machine be restarted on a different node in the failover cluster. Additionally, this provides simplified disk management for hosting virtual machines compared to each virtual machine requiring a separate LUN.

In Windows Server 2012, CSVs have been additionally enhanced. It is now possible to use CSVs for other roles, and not just Hyper-V. For example, you can now configure the file server role in a failover cluster in a Scale-Out File Server scenario. The Scale-Out File Server is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes of the same cluster. In this context, CSVs in Windows Server 2012 introduce support for a read cache, which can significantly improve performance in certain scenarios. Also, a CSV File System (CSVFS) can perform CHKDSK without affecting applications with open handles on the file system.
Other important improvements in Cluster Shared Volumes in Windows Server 2012 are:

CSVFS benefits. In Disk Management, CSV volumes now appear as CSVFS. However, this is not a
new file system. The underlying technology is still the NTFS file system, and CSVFS volumes are still
formatted with NTFS. However, because volumes appear as CSVFS, applications can discover that they
are running on CSVs, which helps improve compatibility. And because of a single file namespace, all
files have the same name and path on any node in a cluster.

Multisubnet support for CSVs. CSVs have been enhanced to integrate with SMB Multichannel to help
achieve faster throughput for CSV volumes.

Support for BitLocker drive encryption. Windows Server 2012 supports BitLocker volume encryption for
both traditional clustered disks and CSVs. Each node performs decryption by using the computer
account for the cluster itself.

Support for SMB 3.0 storage. CSVs in Windows Server 2012 provide support for SMB 3.0 storage for
Hyper-V and applications such as Microsoft SQL Server.

Integration with SMB Multichannel and SMB Direct. This allows CSV traffic to stream across multiple
networks in the cluster and to take advantage of network adapters that support Remote Direct
Memory Access (RDMA).

Integration with the Storage Spaces feature in Windows Server 2012. This can provide virtualized
storage on clusters of inexpensive disks.

Ability to scan and repair volumes. CSVs in Windows Server 2012 support the ability to scan and repair
volumes with zero offline time.

Implementing Cluster Shared Volumes

You can configure a CSV only after you create a failover cluster. After you create the failover cluster, you
can enable the CSV for the cluster, and then add storage to the CSV.

Before you can add storage to the CSV, the LUN must be available as shared storage to the cluster. When
you create a failover cluster, all the shared disks configured in Server Manager are added to the cluster,
and you can add them to a CSV. If you add more LUNs to the shared storage, you must first create
volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available.
However, you can convert from regular disk access to CSV after deployment. The following considerations
apply:

When you convert from regular disk access to CSV, the LUN's drive letter or mount point is removed.
This means that you must re-create all virtual machines that are stored on the shared storage. If you
must retain the same virtual machine settings, consider exporting the virtual machines, switching to
CSV, and then importing the virtual machines in Hyper-V.

You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is
using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
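
The procedure above (add the disk to the cluster, then to the CSV, before any virtual machine uses it) combined with the BitLocker support described earlier looks as follows in PowerShell. This is an added example, not part of the course; the cluster name CLUSTER1, the disk resource name "Cluster Disk 2" and the domain ADATUM are assumptions. The key protector is the cluster name object, which is what the text means by "the computer account for the cluster itself": every node unlocks the volume with the cluster's identity, so no per-node key has to be distributed. A recovery password is added and escrowed to AD DS so that the data survives a reset of that computer account.

```powershell
# Added example (not from the course text). Assumed names: cluster CLUSTER1
# with computer account ADATUM\CLUSTER1$, disk resource "Cluster Disk 2".
Import-Module FailoverClusters
Import-Module BitLocker

# 1. Disks visible to every node but not yet owned by the cluster.
Get-ClusterAvailableDisk -Cluster CLUSTER1 | Add-ClusterDisk

# 2. Promote the clustered disk to a CSV. Its drive letter is removed and it
#    is mounted at C:\ClusterStorage\VolumeN, the same path on every node.
$csv   = Add-ClusterSharedVolume -Name "Cluster Disk 2" -Cluster CLUSTER1
$mount = $csv.SharedVolumeInfo.FriendlyVolumeName
"CSV mounted at $mount"

# 3. BitLocker on a CSV must be enabled while the volume is in maintenance
#    mode (the owning node has exclusive access). Do this before any VM is
#    placed on the volume, since a running VM blocks the change.
Suspend-ClusterResource -Name "Cluster Disk 2" -Cluster CLUSTER1 -Force | Out-Null

# Recovery password first (so the volume is never left with no usable
# protector), then the cluster name object as the operational protector.
Enable-BitLocker -MountPoint $mount -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector
Add-BitLockerKeyProtector -MountPoint $mount -ADAccountOrGroupProtector -ADAccountOrGroup 'ADATUM\CLUSTER1$'

# Escrow the recovery password to AD DS (requires the BitLocker recovery
# schema and the matching Group Policy to be in place).
$rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId

# 4. Return the CSV to normal service on all nodes and confirm protection.
Resume-ClusterResource -Name "Cluster Disk 2" -Cluster CLUSTER1 | Out-Null
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Because unlocking is tied to the cluster name object, a node that has been evicted from the cluster can no longer open the volume, which is the behaviour you want for storage that is reachable from several hosts over iSCSI or SAS.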

Additional Reading:
Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
Storage Spaces Overview
http://technet.microsoft.com/en-us/library/hh831739.aspx

Lesson 2
Implementing a Failover Cluster

Failover clusters in Windows Server 2012 have specific recommended hardware and software configurations that enable Microsoft to support the cluster. Failover clusters are intended to provide a higher level of service than stand-alone servers. Therefore, cluster hardware requirements are frequently stricter than requirements for stand-alone servers.

This lesson describes how to prepare for cluster implementation and also discusses the hardware, network, storage, infrastructure, and software requirements for Windows Server 2012 failover clusters. This lesson also outlines the steps for using the Validate a Configuration Wizard to ensure correct cluster configuration.

Lesson Objectives

After completing this lesson, you will be able to:

Describe how to prepare for implementing Failover Clustering.

Describe hardware requirements for Failover Clustering.

Describe network requirements for Failover Clustering.

Describe infrastructure requirements for Failover Clustering.

Describe software requirements for Failover Clustering.

Validate and configure a cluster.

Preparing for Implementing Failover Clustering

Before you implement Failover Clustering technology, you must identify services and applications that you want to make highly available. Failover clustering cannot be applied to all applications. Also, you should be aware that Failover Clustering does not provide improved scalability by adding nodes. You can only obtain scalability by scaling up and using more powerful hardware for the individual nodes. Therefore, you should only use Failover Clustering when your goal is high availability, instead of scalability.

Failover clustering is best suited for stateful applications that are restricted to a single set of data. One example of such an application is a database. Data is stored in a single location and can only be used by one database instance. You can also use Failover Clustering for Hyper-V virtual machines.

Failover clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications. Both IP version 4 (IPv4) and IP version 6 (IPv6) are supported.

The best results for Failover Clustering occur when the client can reconnect to the application automatically after failover. If the client does not reconnect automatically, then the user must restart the client application.

Consider the following guidelines when planning node capacity in a failover cluster:

Spread out the highly available applications from a failed node. When all nodes in a failover cluster are active, the highly available services or applications from a failed node should be spread out among the remaining nodes to prevent a single node from being overloaded.

Ensure that each node has sufficient idle capacity to service the highly available services or applications that are allocated to it when another node fails. This idle capacity should be a sufficient buffer to avoid nodes running at near capacity after a failure event. Failure to adequately plan resource utilization can result in decreased performance following node failure.

Use hardware with similar capacity for all nodes in a cluster. This simplifies the planning process for failover because the failover load will be evenly distributed among the surviving nodes.

Use standby servers to simplify capacity planning. When a passive node is included in the cluster, then all highly available services or applications from a failed node can be failed over to the passive node. This avoids the need for complex capacity planning. If this configuration is selected, it is important that the standby server has sufficient capacity to run the load from more than one node failure.

You should also examine all cluster configuration components to identify single points of failure. You can remedy many single points of failure with simple solutions, such as adding storage controllers to separate and stripe disks, or teaming network adapters, and using multipathing software. These solutions reduce the probability that a failure of a single device causes a failure in the cluster. Typically, server class computer hardware has options for multiple power supplies for power redundancy, and for creating redundant array of independent disks (RAID) sets for disk data redundancy.

Hardware Requirements for Failover Cluster Implementation

It is very important to make good decisions when you select hardware for cluster nodes. Failover clusters have to satisfy the following criteria to meet availability and support requirements:

All hardware that you select for a failover cluster should meet the Certified for Windows Server 2012 logo requirements. Hardware that has this logo was independently tested to meet the highest technical bar for reliability, availability, stability, security, and platform compatibility. Also, this means that official support options exist in case malfunctions arise.

You should install the same or similar hardware on each failover cluster node. For example, if you choose a specific model of network adapter, you should install this adapter on each of the cluster nodes.

If you are using Serial Attached SCSI or Fibre Channel storage connections, the mass-storage device controllers that are dedicated to the cluster storage should be identical in all clustered servers. They should also use the same firmware version.

If you are using iSCSI storage connections, each clustered server must have one or more network adapters or host bus adapters dedicated to the cluster storage. The network that you use for iSCSI storage connections should not be used for network communication. In all clustered servers, the network adapters that you use to connect to the iSCSI storage target should be identical, and we recommend that you use Gigabit Ethernet or faster.

After you configure the servers with the hardware, all tests provided in the Validate a Configuration Wizard must be passed before the cluster is considered a configuration that is supported by Microsoft.

Network Requirements for Failover Cluster Implementation

Failover cluster network components must have the Certified for Windows Server 2012 logo and also pass the tests in the Validate a Configuration Wizard. Additionally:

The network adapters in each node should be identical and have the same IP protocol version, speed, duplex, and flow control capabilities that are available.

The networks and network equipment to which you connect the nodes should be redundant so that even a single failure allows for the nodes to continue communicating with one another. You can use network adapter teaming to provide single network redundancy. We recommend multiple networks to provide multiple paths between nodes for inter-node communication; otherwise, a warning will be generated during the validation process.

The network adapters in a cluster network must have the same IP address assignment method, which means either that they all use static IP addresses or that they all use DHCP.

Note: If you connect cluster nodes with a single network, the network passes the redundancy requirement in the Validate a Configuration Wizard. However, the report from the wizard will include a warning that the network should not have single points of failure.

Infrastructure Requirements for Failover Cluster

Failover clusters depend on infrastructure services. Each server node must be in the same Active Directory domain, and if you use Domain Name System (DNS), the nodes should use the same DNS servers for name resolution. We recommend that you install the same Windows Server 2012 features and roles on each node. Inconsistent configuration on cluster nodes can cause instability and performance issues. In addition, you should not install the AD DS role on any of the cluster nodes because AD DS has its own fault-tolerance mechanism. If you install the AD DS role on one of the nodes, you must install it on all nodes.

You
u must have the following ne
etwork infrastrructure for a faailover cluster:

MCT USE ONLY. STUDENT USE PROHIBITED

7-16 Implementing Failover Clustering

• Network settings and IP addresses. When you use identical network adapters for a network, also use identical communication settings on those adapters such as speed, duplex mode, flow control, and media type. Also, compare the settings between the network adapter and the switch it connects to, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss might occur, which could adversely affect how the cluster nodes communicate among themselves, with clients, or with storage systems.

• Unique subnets. If you have private networks that are not routed to the rest of the network infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even if you give each network adapter a unique IP address. For example, if you have a cluster node in a central office that uses one physical network, and another node in a branch office that uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This avoids routing loops and other network communications problems if, for example, the segments are accidentally configured into the same collision domain because of incorrect VLAN assignments.

• DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol is a supported configuration.

• Domain role. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server because AD DS inherently includes its own failover protection mechanism.

• Account for administering the cluster. When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has administrator rights and permissions on all servers in that cluster. The account does not have to be a Domain Admins account, but can be a Domain Users account that is in the Administrators group on each clustered server. In addition, if the account is not a Domain Admins account, the account (or the group that the account is a member of) must be given the Create Computer Objects permission in the domain.

In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs in a special context that provides the specific permissions and credentials that are necessary for the service (similar to the local system context, but with reduced credentials). When a failover cluster is created and a corresponding computer object is created in AD DS, that object is configured to prevent accidental deletion. Also, the cluster Network Name resource has additional health check logic, which periodically checks the health and properties of the computer object that represents the Network Name resource.

Software Requirements for Failover Cluster Implementation

Failover clusters require that each cluster node must run the same edition of Windows Server 2012. The edition can be either Windows Server 2012 Enterprise or Windows Server 2012 Datacenter. The nodes should also have the same software updates and service packs. Depending on the role that will be clustered, a Server Core installation may also meet the software requirements. However, you cannot install Server Core and full editions in the same cluster.


It is also very important that the same version of service packs or any operating system updates exist on all nodes that are part of a cluster.

Note: Windows Server 2012 provides Cluster-Aware Updating technology that can help you maintain updates on cluster nodes. This feature will be discussed in more detail in Lesson 4: Maintaining a Failover Cluster.

Each node must run the same processor architecture. This means that each node must have the same processor family, which might be the Intel Xeon processor family with Extended Memory 64 Technology, the AMD Opteron AMD64 family, or the Intel Itanium-based processor family.

Demonstration: Validating and Configuring a Failover Cluster

The Validate a Configuration Wizard runs tests that confirm if the hardware and hardware settings are
compatible with Failover Clustering. Using the wizard, you can run the complete set of configuration tests
or a subset of the tests. We recommend that you run the tests on servers and storage devices before you
configure the failover cluster, and again after any major changes are made to the cluster. You can access
the test results in the %windir%\cluster\Reports directory.

Demonstration Steps

1. Start Failover Cluster Manager on the LON-SVR3 machine.

2. Start the Validate Configuration Wizard. Add LON-SVR3 and LON-SVR4 as cluster nodes.

3. Review the report.

4. Create a new cluster. Add LON-SVR3 and LON-SVR4 as cluster nodes.

5. Name the cluster Cluster1.

6. Use 172.16.0.125 as the IP address.
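The same validation and cluster creation done with the FailoverClusters PowerShell module, as an added example that is not part of the course material. It uses the demonstration's node names, cluster name and IP address, and assumes an elevated session on LON-SVR3 under an account that is a local Administrator on both nodes and holds Create Computer Objects in the domain.

```powershell
# Added example (not from the course): validate the nodes and create Cluster1
# with the FailoverClusters module, using the names from the demonstration.
# Assumes an elevated session on LON-SVR3 with an account that is a local
# Administrator on both nodes and has Create Computer Objects in the domain.
Import-Module FailoverClusters

$nodes     = 'LON-SVR3', 'LON-SVR4'
$clusterIp = '172.16.0.125'

# Both nodes need the Failover Clustering feature before validation can run.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    if (-not (Get-WindowsFeature -Name Failover-Clustering).Installed) {
        Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
    }
}

# Run the complete validation test set. Test-Cluster returns the MHTML report,
# which lands in %windir%\cluster\Reports next to the wizard's own reports.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"

# Coarse check of the report text: a 'Failed' result blocks cluster creation;
# a 'Warning' (for example a single network without redundancy) deserves a
# look before continuing.
$text = Get-Content -Path $report.FullName -Raw
if ($text -match 'Failed')  { throw 'Validation reported failures; fix them before creating the cluster.' }
if ($text -match 'Warning') { Write-Warning 'Validation reported warnings; review the report before continuing.' }

# Create the cluster only after validation is clean, with the demo's static IP.
New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress $clusterIp | Out-Null

# Confirm both nodes joined and the core cluster group is online.
Get-ClusterNode -Cluster 'Cluster1' | Format-Table Name, State -AutoSize
Get-ClusterGroup -Cluster 'Cluster1' -Name 'Cluster Group' |
    Format-Table Name, OwnerNode, State -AutoSize
```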

Lesson 3

Configuring Highly Available Applications and Services on a Failover Cluster

After you have configured the clustering infrastructure, you should configure a specific role or service to be highly available. Not all roles can be clustered. Therefore, you should first identify the resource that you want to put in a cluster and check whether it is supported. In this lesson, you will learn about configuring roles and applications in clusters as well as about configuring cluster settings.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe and identify cluster resources and services.

• Describe the process for clustering server roles.

• Configure a cluster role.

• Describe how to configure cluster properties.

• Describe how to manage cluster nodes.

• Describe how to configure application failover settings.

Identifying Cluster Resources and Services

A clustered service that contains an IP address resource and a network name resource (and other resources) is published to a client on the network under a unique server name. Because this group of resources is displayed as a single logical server to clients, it is called a cluster instance. Users access applications or services on an instance in the same manner they would if the applications or services were on a nonclustered server. Usually, applications or users do not know that they are connecting to a cluster and the node they are connected to.

Resources are physical or logical entities, such as a file share, disk, or IP address, that the failover cluster manages. Resources may provide a service to clients or may be an important part of the cluster. Resources are the most basic and smallest configurable unit. At any time, a resource can run only on a single node in a cluster, and it is online on a node when it provides its service on that specific node.

Server Cluster Resources

A cluster resource is any physical or logical component that has the following characteristics:

• It can be brought online and taken offline.

• It can be managed in a server cluster.

• It can be hosted (owned) by only one node at a time.


To manage resources, the Cluster service communicates with a resource DLL through a resource monitor. When the Cluster service makes a request of a resource, the resource monitor calls the appropriate entry-point function in the resource DLL to check and control the resource state.

Dependent Resources

A dependent resource is one that requires another resource to operate. For example, a network name must be associated with an IP address. Because of this requirement, a network name resource depends on an IP address resource. Dependent resources are taken offline before the resources upon which they depend are taken offline; similarly, they are brought online after the resources on which they depend are brought online. A resource can specify one or more resources on which it is dependent. Resource dependencies also determine bindings. For example, clients will be bound to the particular IP address that a network name resource depends on.

When you create resource dependencies, consider the fact that, although some dependencies are strictly required, others are not required but are recommended. For example, a file share that is not a Distributed File System (DFS) root has no required dependencies. However, if the disk resource that holds the file share fails, the file share will be inaccessible to users. Therefore, it is logical to make the file share dependent on the disk resource.

A resource can also specify a list of nodes on which it can run. Possible nodes and dependencies are important considerations when administrators organize resources into groups.

The Process for Clustering Server Roles

Failover clustering supports the clustering of several Windows Server roles, such as File Services, DHCP, and Hyper-V. To implement clustering for a server role, or for external applications such as SQL Server or Exchange Server, perform the following procedure:

1. Install the Failover Clustering feature. Use Server Manager or Ocsetup to install the Failover Clustering feature on all computers that will be cluster members.

2. Verify configuration and create a cluster with the appropriate nodes. Use the Failover Cluster Management snap-in to first validate a configuration, and then create a cluster with selected nodes.

3. Install the role on all cluster nodes. Use Server Manager to install the server role that you want to use in the cluster.

4. Create a clustered application by using the Failover Clustering Management snap-in.

5. Configure the application. Configure options on the application that is being used in the cluster.

6. Test failover. Use the Failover Cluster Management snap-in to test failover by intentionally moving the service from one node to another.

After the cluster is created, you can monitor its status by using the Failover Cluster Management console, and manage available options.

Demonstration: Clustering a File Server Role

Demonstration Steps

1. Open Failover Cluster Manager and verify that three Cluster Disks are available.

2. Start the Configure Role Wizard and configure the File Server as a clustered role.

3. For the Client Access Point, use the name AdatumFS and the IP address 172.16.0.130.

4. Select Cluster Disk 2 as the storage for the File Server role.
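Steps 3 to 6 of the procedure above, applied to this demonstration from PowerShell, as an added example that is not part of the course material. It uses the demonstration's names (Cluster1, AdatumFS, 172.16.0.130, Cluster Disk 2, LON-SVR3 and LON-SVR4) and assumes the cluster already exists and that the disk is still in Available Storage.

```powershell
# Added example (not from the course): cluster the File Server role on
# Cluster1 from PowerShell, with the demonstration's names (AdatumFS,
# 172.16.0.130, Cluster Disk 2) and nodes LON-SVR3 and LON-SVR4, then test
# failover by moving the role to the other node (steps 3 to 6 of the procedure).
Import-Module FailoverClusters
$cluster = 'Cluster1'
$nodes   = 'LON-SVR3', 'LON-SVR4'

# Step 3: the role must be installed on every node, not only the initial owner.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name FS-FileServer
}

# Cluster Disk 2 must still be in Available Storage before it can be assigned.
$disk = Get-ClusterResource -Cluster $cluster -Name 'Cluster Disk 2'
if ($disk.OwnerGroup.Name -ne 'Available Storage') {
    throw "Cluster Disk 2 is already assigned to group '$($disk.OwnerGroup.Name)'."
}

# Step 4: create the clustered role with its client access point and storage.
Add-ClusterFileServerRole -Cluster $cluster -Name 'AdatumFS' `
    -Storage 'Cluster Disk 2' -StaticAddress '172.16.0.130' | Out-Null

# The wizard wires the dependencies described under "Dependent Resources":
# the network name depends on the IP address, the file server on name and disk.
Get-ClusterResource -Cluster $cluster |
    Where-Object { $_.OwnerGroup.Name -eq 'AdatumFS' } |
    ForEach-Object { Get-ClusterResourceDependency -Cluster $cluster -Resource $_.Name }

# Step 6: planned failover to the node that does not currently own the role.
$group  = Get-ClusterGroup -Cluster $cluster -Name 'AdatumFS'
$target = $nodes | Where-Object { $_ -ne $group.OwnerNode.Name } | Select-Object -First 1
Move-ClusterGroup -Cluster $cluster -Name 'AdatumFS' -Node $target | Out-Null

# Verify the role came online on the other node.
$group = Get-ClusterGroup -Cluster $cluster -Name 'AdatumFS'
if ($group.State -ne 'Online' -or $group.OwnerNode.Name -ne $target) {
    throw "AdatumFS is $($group.State) on $($group.OwnerNode.Name); expected Online on $target."
}
"AdatumFS failed over to $target and is online."
```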

Failover Cluster Management Tasks

You can perform several failover cluster management tasks. These tasks range from adding and removing cluster nodes to modifying the quorum settings. Some of the most frequently used configuration tasks include:

• Managing cluster nodes. For each node in a cluster, you can stop the cluster service temporarily, pause it, initiate remote desktop to the node, or evict the node from the cluster.

• Managing cluster networks. You can add or remove cluster networks, and you can also configure networks that will be dedicated just for inter-cluster communication.

• Managing permissions. By managing permissions, you delegate rights to administer the cluster.

• Configuring cluster quorum settings. By configuring quorum settings, you determine the way quorum is achieved as well as who can have a vote in a cluster.

• Migrating services and applications to a cluster. You can move existing services to the cluster and make them highly available.

• Configuring new services and applications to work in a cluster. You can implement new services in the cluster.

• Removing a cluster.

You can perform most of these administrative tasks by using the Failover Cluster Management console.

Managing Cluster Nodes

Cluster nodes are mandatory for each cluster. After you create a cluster and put it into production, you might have to manage cluster nodes occasionally. There are three aspects to managing cluster nodes:

• You can add a node to an established failover cluster by selecting Add Node in the Failover Cluster Management Actions pane. The Add Node Wizard prompts you for information about the additional node.

• You can pause a node to prevent resources from being failed over or moved to the node. You typically pause a node when a node is undergoing maintenance or troubleshooting.

• You can evict a node, which is an irreversible process for a cluster node. After you evict the node, it must be re-added to the cluster. You evict nodes when a node is damaged beyond repair or is no longer needed in the cluster. If you evict a damaged node, you can repair or rebuild it, and then add it back to the cluster by using the Add Node Wizard.

You can manage cluster nodes by using the Failover Cluster Management console.

Configuring Application Failover Settings

You can adjust the failover settings, including preferred owners and failback settings, to control how the cluster responds when the application or service fails. You can configure these settings on the property sheet for the clustered service or application (on the General tab or on the Failover tab). The following table provides examples that show how these settings work.

Example 1
Setting: General tab, Preferred owner: Node1. Failover tab, Failback setting: Allow failback (Immediately).
Result: If the service or application fails over from Node1 to Node2, when Node1 is again available, the service or application will fail back to Node1.

Example 2
Setting: Failover tab, Maximum failures in the specified period: 2. Failover tab, Period (hours): 6.
Result: In a six-hour period, if the application or service fails no more than two times, it will be restarted or failed over every time. If the application or service fails a third time in the six-hour period, it will be left in the failed state. The default value for the maximum number of failures is n-1, where n is the number of nodes. You can change the value, but we recommend a fairly low value so that if multiple node failures occur, the application or service will not be moved between nodes indefinitely.

Lesson 4

Maintaining a Failover Cluster

When cluster infrastructure is up and running, it is very important to establish monitoring to prevent possible failures. Also, it is important to have backup and restore procedures for cluster configuration. In Windows Server 2012, there is a new technology that lets you update cluster nodes without downtime. In this lesson, you will learn about monitoring, backup, and restore, and about updating cluster nodes.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how to monitor failover clusters.

• Describe how to back up and restore cluster configuration.

• Describe how to troubleshoot failover clusters.

• Describe Cluster-Aware Updating.

• Configure Cluster-Aware Updating.

Monitoring Failover Clusters

Many tools are available to help you monitor failover clusters. You can use standard Windows Server tools, such as the Event Viewer and the Performance and Reliability Monitor snap-in, to review cluster event logs and performance metrics. You can also use Cluster.exe and Tracerpt.exe to export data for analysis. Additionally, you can use the MHTML-formatted cluster configuration reports and the Validate a Configuration Wizard to troubleshoot problems with the cluster configuration and hardware changes.

Event Viewer

When problems arise in the cluster, use the Event Viewer to view events with a Critical, Error, or Warning severity level. Additionally, informational-level events are logged to the Failover Clustering Operations log, which can be found in the Event Viewer in the Applications and Services Logs\Microsoft\Windows folder. Informational-level events are usually common cluster operations, such as cluster nodes leaving and joining the cluster, or resources going offline or coming online.

In previous Windows Server versions, event logs were replicated to each node in the cluster. This simplified cluster troubleshooting, because you could review all event logs on a single cluster node. Windows Server 2012 does not replicate the event logs between nodes. However, the Failover Cluster Management snap-in has a Cluster Events option that enables you to view and filter events across all cluster nodes. This feature is helpful in correlating events across cluster nodes.

The Failover Cluster Management snap-in also provides a Recent Cluster Events option that will query all the Error and Warning events from all the cluster nodes in the last 24 hours.

You can access additional logs, such as the Debug and Analytic logs, in the Event Viewer. To display these logs, modify the view on the top menu by selecting the Show Analytic and Debug Logs option.
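A PowerShell equivalent of the Recent Cluster Events view, as an added example that is not part of the course material. Because Windows Server 2012 no longer replicates event logs between nodes, it queries the Failover Clustering Operational log on every node of Cluster1 and merges the result; it assumes the local account can read event logs on each node and that the cluster name is Cluster1.

```powershell
# Added example (not from the course): reproduce the "Recent Cluster Events"
# view from PowerShell. Windows Server 2012 no longer replicates the event logs
# between nodes, so the script queries every node in Cluster1 and merges the
# Critical, Error and Warning events from the last 24 hours.
Import-Module FailoverClusters
$cluster = 'Cluster1'

$filter = @{
    LogName   = 'Microsoft-Windows-FailoverClustering/Operational'
    Level     = 1, 2, 3                 # 1 = Critical, 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddHours(-24)
}

$events = foreach ($node in Get-ClusterNode -Cluster $cluster) {
    try {
        Get-WinEvent -ComputerName $node.Name -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{ n = 'Node'; e = { $node.Name } },
                          TimeCreated, Id, LevelDisplayName, Message
    } catch {
        # Get-WinEvent throws when nothing matches; an unreachable node lands here too.
        Write-Warning "No events from $($node.Name): $($_.Exception.Message)"
    }
}

# One timeline across all nodes, which is what makes cross-node correlation possible.
$events | Sort-Object TimeCreated | Format-Table Node, TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# For deeper analysis, collect the last 60 minutes of the cluster debug trace
# from every node into one folder (the same ETW data Tracerpt.exe would parse).
$dest = Join-Path $env:TEMP 'ClusterLogs'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Get-ClusterLog -Cluster $cluster -Destination $dest -TimeSpan 60 | Out-Null
Get-ChildItem -Path $dest
```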

Windows Event Tracing

Windows event tracing is a kernel component that is available early after startup, and late into shutdown. It is designed to allow for fast tracing and delivery of events to trace files and to consumers. Because it is designed to be fast, it enables only basic in-process filtering of events based on event attributes. The event trace log contains a comprehensive accounting of the failover cluster actions. Depending on how you want to view the data, use either Cluster.exe or Tracerpt.exe to access the information in the event trace log.

Tracerpt.exe will parse the event trace logs only on the node on which it is run. All the individual logs are collected in a central location. To transform the XML file into a text file or an HTML file that can be opened in Internet Explorer, you can parse the XML-based file by using the Microsoft XSL parsing command prompt utility msxsl.exe and an XSL style sheet.

Performance and Reliability Monitor Snap-In

The Performance and Reliability Monitor snap-in lets you:

• Trend application performance on each node. To determine how an application is performing, you can view and trend specific information on system resources that are being used on each node.

• Trend application failures and stability on each node. You can pinpoint when application failures occur and match the application failures with other events on the node.

• Modify trace log settings. You can start, stop, and adjust trace logs, including their size and location.

Backing Up and Restoring Failover Cluster Configuration

Cluster configuration can be a time-consuming process with many details, and so backup of cluster configuration is very important. You can perform backup and restore of cluster configuration with Windows Server Backup or a third-party backup tool. When you back up the cluster configuration, be aware of the following:

• You must test your backup and recovery process before putting a cluster into production.

• You must first add the Windows Server Backup feature, if you decide to use it. You can do this by using Server Manager.

Windows Server Backup is the built-in backup and recovery software for Windows Server 2012. To complete a successful backup, consider the following:

• For a backup to succeed in a failover cluster, the cluster must be running and must have quorum. In other words, enough nodes must be running and communicating (perhaps with a witness disk or witness file share, depending on the quorum configuration) that the cluster has achieved quorum.

• You must back up all clustered applications. If you cluster a Microsoft SQL Server database, you must have a backup plan for the databases and configuration outside the cluster configuration.

• If application data must be backed up, the disks that you store the data on must be made available to the backup software. You can achieve this by running the backup software from the cluster node that owns the disk resource, or by running a backup against the clustered resource over the network.


The Cluster service keeps track of which cluster configuration is the most recent, and it replicates that configuration to all cluster nodes. If the cluster has a witness disk, the Cluster service also replicates the configuration to the witness disk.

Restoring a Cluster

There are two types of restore:

• Non-authoritative restore. Use a non-authoritative restore when a single node in the cluster is damaged or rebuilt, and the rest of the cluster is operating correctly. Perform a non-authoritative restore by restoring the system recovery (system state) information to the damaged node. When you restart that node, it will join the cluster and receive the latest cluster configuration automatically.

• Authoritative restore. Use an authoritative restore when the cluster configuration must be rolled back to a previous point in time. For example, you would use an authoritative restore if an administrator accidentally removed clustered resources or modified other cluster settings. Perform the authoritative restore by stopping the cluster resource on each node, and then performing a system recovery (system state) on a single node by using the command-line Windows Server Backup interface. After the restored node restarts the cluster service, the remaining cluster nodes can also start the cluster service.
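A backup run that checks the preconditions listed above before calling Windows Server Backup, as an added example that is not part of the course material. It assumes it runs on a node of Cluster1 that owns the clustered disks whose data is wanted, and that E: (a constructed placeholder) is a dedicated backup volume.

```powershell
# Added example (not from the course): take a system state backup that
# includes the cluster configuration, after checking the preconditions the
# text lists. Run it on the cluster node that owns the disk resources whose
# data you also need; E: is a constructed placeholder for the backup volume.
Import-Module FailoverClusters
$cluster      = 'Cluster1'
$backupTarget = 'E:'

# 1. Windows Server Backup must be added first (Server Manager or this cmdlet).
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}

# 2. The backup only succeeds while the cluster is running with quorum. The
#    Cluster service stops when quorum is lost, so a reachable core group that
#    is Online means quorum is held; record the quorum model in the run output.
try {
    $core = Get-ClusterGroup -Cluster $cluster -Name 'Cluster Group' -ErrorAction Stop
} catch {
    throw "Cluster $cluster is unreachable (stopped or no quorum): $($_.Exception.Message)"
}
if ($core.State -ne 'Online') { throw "Core cluster group is $($core.State); aborting backup." }
Get-ClusterQuorum -Cluster $cluster | Format-List QuorumType, QuorumResource

# 3. Clustered disks are visible to the backup software only on their owner
#    node; list the ones owned here so it is clear what data this backup covers.
Get-ClusterResource -Cluster $cluster |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' -and
                   $_.OwnerNode.Name -eq $env:COMPUTERNAME } |
    Format-Table Name, OwnerGroup, State -AutoSize

# 4. System state backup of this node, which includes the cluster database.
& wbadmin start systemstatebackup "-backupTarget:$backupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
```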

Troubleshooting Failover Clusters

Although cluster validation implemented in Windows Server 2012 Failover Clustering prevents misconfigurations and non-working clusters, in some cases you have to perform cluster troubleshooting. To troubleshoot a failover cluster, follow these guidelines:

• Use the Validate a Configuration Wizard to highlight configuration issues that might cause cluster problems.

• Review cluster events and trace logs to identify application or hardware issues that might cause an unstable cluster.

• Review hardware events and logs to help pinpoint specific hardware components that might cause an unstable cluster.

• Review SAN components, switches, adapters, and storage controllers to help identify any potential problems.

When troubleshooting failover clusters, you must:

• Identify the perceived problem by collecting and documenting the symptoms of the problem.

• Identify the scope of the problem so that you can understand what is being affected by the problem, and what impact that effect has on the application and the clients.

• Collect information so that you can accurately understand and pinpoint the possible problem. After you identify a list of possible problems, you can prioritize them by probability, or the impact of a repair. If the problem cannot be pinpointed, you should attempt to re-create the problem.


• Create a schedule for repairing the problem. For example, if the problem only affects a small subset of users, you can delay the repair to an off-peak time so that you can schedule downtime.

• Complete and test each repair one at a time so that you can identify the fix.

To troubleshoot SAN issues, start by checking physical connections and each of the hardware component logs. Additionally, run the Validate a Configuration Wizard to verify that the current cluster configuration is still supportable. When you run the Validate a Configuration Wizard, ensure that the storage tests that you select can be run on an online failover cluster. Several of the storage tests cause loss of service on the clustered disk when the tests are run.

Troubleshooting Group and Resource Failures

To troubleshoot group and resource failures:

• Use the Dependency Viewer in the Failover Cluster Management snap-in to identify dependent resources.

• Check the Event Viewer and trace logs for errors from the dependent resources.

• Determine whether the problem only happens on a specific node, or nodes, by trying to re-create the problem on different nodes.
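The first troubleshooting steps above scripted for Cluster1, as an added example that is not part of the course material: it re-validates the live cluster while skipping the Storage test category (the tests the text warns take clustered disks offline), then lists every resource that is not online together with the resources it depends on. It assumes the cluster name Cluster1 and that resource names appear in square brackets in the dependency expression, as the cluster's own "[Name]" syntax does.

```powershell
# Added example (not from the course): re-validate a live cluster without the
# storage tests, then trace resources that are not Online down their
# dependency chain, which is what the Dependency Viewer shows graphically.
Import-Module FailoverClusters
$cluster = 'Cluster1'

# 1. Validation on an online cluster: exclude the Storage category so no
#    clustered disk loses service during the run.
$report = Test-Cluster -Cluster $cluster -Include 'Inventory', 'Network', 'System Configuration'
Write-Host "Validation report: $($report.FullName)"

# 2. Any resource that is not Online: show it, its group and its owner node.
$failed = Get-ClusterResource -Cluster $cluster | Where-Object { $_.State -ne 'Online' }
foreach ($res in $failed) {
    "{0} [{1}] in group '{2}' on {3}" -f $res.Name, $res.State, $res.OwnerGroup.Name, $res.OwnerNode.Name

    # 3. A failed dependent resource is often only a symptom of a failed
    #    provider (the IP address under a network name, the disk under a file
    #    share). The dependency expression names providers as "[Name]".
    $dep = Get-ClusterResourceDependency -Cluster $cluster -Resource $res.Name
    if ($dep.DependencyExpression) {
        $providers = [regex]::Matches($dep.DependencyExpression, '\[([^\]]+)\]') |
            ForEach-Object { $_.Groups[1].Value }
        foreach ($p in $providers) {
            $pr = Get-ClusterResource -Cluster $cluster -Name $p
            if ($pr.State -ne 'Online') {
                "    depends on '{0}', which is {1} on {2}" -f $pr.Name, $pr.State, $pr.OwnerNode.Name
            }
        }
    }
}

# Save the dependency report (the Dependency Viewer's picture) for each group
# that holds a failed resource, so it can be attached to the incident record.
$failed | ForEach-Object { $_.OwnerGroup.Name } | Select-Object -Unique | ForEach-Object {
    Get-ClusterResourceDependencyReport -Cluster $cluster -Group $_
}
```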

What Is Cluster-Aware Updating?

Applying operating system updates to nodes in a cluster requires special attention. If you want to provide zero downtime for a clustered role, you must manually update cluster nodes one after another, and you must manually move resources from the node being updated to another node. This procedure can be very time-consuming. In Windows Server 2012, Microsoft has implemented a new feature for automatic update of cluster nodes.

Cluster-Aware Updating (CAU) is a feature that lets administrators automatically update cluster nodes with little or no loss in availability during the update process. During an update procedure, CAU transparently takes each cluster node offline, installs the updates and any dependent updates, performs a restart if necessary, brings the node back online, and then moves on to update the next node in the cluster. For many clustered roles, this automatic update process triggers a planned failover, and it can cause a transient service interruption for connected clients. However, for continuously available workloads in Windows Server 2012, such as Hyper-V with live migration or a file server with SMB Transparent Failover, CAU can orchestrate cluster updates with no effect on the service availability.

Cluster Updating Modes

CAU can orchestrate the complete cluster updating operation in two modes:


• Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or Windows 8 is called and configured as an orchestrator. To configure a computer as a CAU orchestrator, you must install Failover Clustering administrative tools on it. The orchestrator computer is not a member of the cluster that is updated during the procedure. From the orchestrator computer, the administrator triggers on-demand updating by using a default or custom Updating Run profile. Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for clusters that are running on Server Core installations of Windows Server 2012.

• Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process starts on the node that currently owns the CAU clustered role, and the process sequentially performs updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by using a fully automated, end-to-end updating process. An administrator can also trigger updates on-demand in this mode, or use the remote-updating approach if desired. In the self-updating mode, an administrator can access summary information about an Updating Run in progress by connecting to the cluster and running the Get-CauRun Windows PowerShell cmdlet.

To use CAU, you must install the Failover Clustering feature in Windows Server 2012 and create a failover
cluster. The components that support CAU functionality are automatically installed on each cluster node.
You must also install the CAU tools, which are included in the Failover Clustering Tools (which are also
part of the Remote Server Administration Tools, or RSAT). The CAU tools consist of the CAU UI and the
CAU Windows PowerShell cmdlets. The Failover Clustering Tools are installed by default on each cluster
node when you install the Failover Clustering feature. You can also install these tools on a local or a
remote computer that is running Windows Server 2012 or Windows 8 and that has network connectivity
to the failover cluster.

Demonstration: Configuring Cluster-Aware Updating

Demonstration Steps

1. Make sure that the cluster is configured and running on LON-SVR3 and LON-SVR4.

2. Add the Failover Clustering feature to LON-DC1.

3. Run Cluster-Aware Updating on LON-DC1 and configure it to connect to Cluster1.

4. Preview updates that are available for nodes LON-SVR3 and LON-SVR4.

5. Review available options for the Updating Run Profile.

6. Apply available updates to Cluster1 from LON-DC1.

7. After updates are applied, configure cluster self-updating options on LON-SVR3.
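The same demonstration driven with the ClusterAwareUpdating cmdlets, as an added example that is not part of the course material. It assumes it runs on LON-DC1 as the remote-updating orchestrator, that the cluster is Cluster1, and that the schedule and the failure limits shown are chosen values, not course settings.

```powershell
# Added example (not from the course): the CAU demonstration from PowerShell.
# Remote-updating mode is driven from LON-DC1 (the orchestrator, which needs
# only the Failover Clustering tools, not cluster membership); self-updating
# mode then adds the CAU clustered role to Cluster1 with a schedule.
Import-Module ClusterAwareUpdating
$cluster = 'Cluster1'

# Orchestrator prerequisite: the CAU cmdlets ship with the Failover Clustering
# Tools, which is all the orchestrator needs.
if (-not (Get-WindowsFeature -Name RSAT-Clustering-PowerShell).Installed) {
    Install-WindowsFeature -Name RSAT-Clustering-PowerShell
}

# Step 4: preview the updates each node would receive, without installing them.
Invoke-CauScan -ClusterName $cluster -CauPluginName 'Microsoft.WindowsUpdatePlugin' |
    Format-Table -AutoSize

# Step 6: run an Updating Run now (remote-updating mode). The limits are
# Updating Run profile options (chosen values): stop after one failed node and
# retry a node at most three times. Nodes are drained and updated one at a time.
Invoke-CauRun -ClusterName $cluster -MaxFailedNodes 1 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -Force

# Progress of a run in flight, which the text says to check with Get-CauRun.
Get-CauRun -ClusterName $cluster

# Step 7: self-updating mode. Adds the CAU clustered role and a schedule
# (chosen here: third Sunday of each month at 03:00); -EnableFirewallRules
# opens the remote-shutdown rule CAU needs to restart nodes.
Add-CauClusterRole -ClusterName $cluster -Force -EnableFirewallRules `
    -DaysOfWeek Sunday -WeeksOfMonth 3 -StartDate '2012-09-16 03:00' `
    -MaxFailedNodes 1 -MaxRetriesPerNode 3

# Per-node, per-update report of the most recent Updating Run.
Get-CauReport -ClusterName $cluster -Last -Detailed
```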

Lesson 5

Implementing a Multi-Site Failover Cluster

In some scenarios, you have to deploy cluster nodes on different sites. Usually, you do this when you build disaster-recovery solutions. In this lesson, you will learn about deploying multi-site clusters.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe a multi-site cluster.

• Describe synchronous and asynchronous replication.

• Describe how to choose a quorum mode for multi-site clusters.

• Describe the challenges for implementing multi-site clusters.

• Describe the considerations for deploying multi-site clusters.

What Is a Multi-Site Cluster?

A multi-site cluster provides highly available services in more than one location. Multi-site clusters can solve several specific problems. However, they also present specific challenges. In a multi-site cluster, each site usually has a separate storage system with replication between the sites. Multi-site cluster storage replication enables each site to be independent, and provides fast access to the local disk. With separate storage systems, you cannot share a single disk between sites.

A multi-site cluster has three main advantages in a failover site compared to a remote server:

• When a site fails, a multi-site cluster automatically fails over the clustered service or application to another site.

• Because the cluster configuration is automatically replicated to each cluster node in a multi-site cluster, there is less administrative overhead than with a cold standby server, which requires you to manually replicate changes.

• The automated processes in a multi-site cluster reduce the possibility of human error, which is present in manual processes.

Because of the increased cost and complexity of a multi-site failover cluster, it might not be an ideal solution for every application or business. When you are considering whether to deploy a multi-site cluster, you should evaluate the importance of the applications to the business, the type of applications, and any alternative solutions. Some applications can provide multi-site redundancy easily with log shipping or other processes, and can still achieve sufficient availability with only a modest increase in cost and complexity.

The complexity of a multi-site cluster requires better architectural and hardware planning. It also requires you to develop business processes to routinely test the cluster functionality.

Synchronous and Asynchronous Replication
It is not possible for a geographically-dispersed failover cluster to use shared storage between physical
locations. Wide area network (WAN) links are too slow and have too much latency to support shared
storage. Geographically-dispersed failover clusters must synchronize data between locations by using
specialized hardware. Multi-site data replication can be either synchronous or asynchronous:

When you use synchronous replication, the host receives a write complete response from the primary
storage after the data is written successfully on both storage systems. If the data is not written
successfully to both storage systems, the application must attempt to write to the disk again. With
synchronous replication, both storage systems are identical.

When you use asynchronous replication, the node receives a write complete response from the storage
after the data is written successfully on the primary storage. The data is written to the secondary
storage on a different schedule, depending on the hardware or software vendor's implementation.
Asynchronous replication can be storage-based, host-based, or even application-based. However, not all
forms of asynchronous replication are sufficient for a multi-site cluster. For example, Distributed File
System Replication (DFS-R) provides file-level asynchronous replication. However, it does not support
multi-site Failover Clustering replication. This is because DFS-R replicates smaller documents that are not
held open continuously. Therefore, it was not designed for high-speed, open-file replication.

When to Use Synchronous or Asynchronous Replication

Use synchronous replication when data loss cannot be tolerated. Synchronous replication solutions
require low disk-write latency, because the application waits for both storage solutions to acknowledge
the data writes. The requirement for low-latency disk writes also limits the distance between the storage
systems, because increased distance can cause higher latency. If the disk latency is high, the performance
and even the stability of the application can be affected.
Asynchronous replication overcomes latency and distance limitations by acknowledging local disk writes
only, and by reproducing the disk write on the remote storage system in a separate transaction. Because
asynchronous replication writes to the remote storage system after it writes to the local storage system,
the possibility of data loss during a failure is increased.

Choosing a Quorum Mode for Multi-Site Clusters
For a geographically-dispersed cluster, you cannot use quorum configurations that require a shared disk,
because geographically-dispersed clusters do not use shared disks. Both the Node and Disk Majority, and
No Majority: Disk Only quorum modes require a shared witness disk to provide a vote for determining
quorum. You should only use these two quorum modes if the hardware vendor specifically recommends
and supports them.
To use the Node and Disk Majority and No Majority: Disk Only modes in a multi-site cluster, the shared
disk requires that:

You preserve the semantics of the SCSI commands across the sites, even if a complete communication
failure occurs between sites.

You replicate the witness disk in real-time synchronous mode across all sites.

Because multi-site clusters can have WAN failures in addition to node and local network failures, Node
Majority and Node and File Share Majority are better solutions for multi-site clusters. If there is a WAN
failure that causes the primary and secondary sites to lose communication, a majority must still be
available to continue operations.

If there is an odd number of nodes, then use the Node Majority quorum. If there is an even number of
nodes, which is typical in a geographically-dispersed cluster, you can use the Node Majority with File
Share quorum.

If you are using Node Majority and the sites lose communication, you need a mechanism to determine
which nodes stay up, and which nodes drop out of cluster membership. The second site requires another
vote to obtain quorum after a failure. To obtain another vote for quorum, you must join another node to
the cluster, or create a file share witness.

The Node and File Share Majority mode can help maintain quorum without adding another node to the
cluster. To provide for a single-site failure and enable automatic failover, the file share witness might have
to exist at a third site. In a multi-site cluster, a single server can host the file share witness. However, you
must create a separate file share for each cluster.
You must use three locations to enable automatic failover of a highly-available service or application.
Locate one node in the primary location that runs the highly-available service or application. Locate a
second node in a disaster-recovery site, and locate the third node for the file share witness in another
location.

There must be direct network connectivity between all three locations. In this manner, if one site becomes
unavailable, the two remaining sites can still communicate and have enough nodes for a quorum.

Note: In Windows Server 2008 R2, administrators could configure the quorum to include nodes. However,
if the quorum configuration included nodes, all nodes were treated equally according to their votes. In
Windows Server 2012, cluster quorum settings can be adjusted so that when the cluster determines
whether it has quorum, some nodes have a vote and some do not. This adjustment can be useful when
solutions are implemented across multiple sites.
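The quorum choices described above, carried out with the Failover Clustering Windows PowerShell module, as an added example that is not part of the course material. Cluster1, LON-SVR3, LON-SVR4 and LON-DC1 come from this module's lab; the witness share \\LON-DC1\ClusterWitness and the idea that LON-SVR4 is a manual-failover node at a disaster-recovery site are assumptions.

```powershell
# Added example, not course material. Runs on any machine with the Failover Clustering
# PowerShell module (a cluster node, or LON-DC1 with the tools installed).
# Assumptions: witness share \\LON-DC1\ClusterWitness; LON-SVR4 is a DR-site node that is
# only ever failed over to manually.
Import-Module FailoverClusters
$clusterName = 'Cluster1'

# Show the current model first. After New-Cluster with shared disks this is typically
# NodeAndDiskMajority, which a multi-site cluster cannot keep (no shared witness disk).
Get-ClusterQuorum -Cluster $clusterName | Format-List QuorumResource, QuorumType

# Create the witness share. The cluster's computer account (the cluster name object) must
# have Full Control on the share; one separate share per cluster.
Invoke-Command -ComputerName 'LON-DC1' -ScriptBlock {
    New-Item -Path 'C:\ClusterWitness' -ItemType Directory -Force | Out-Null
    New-SmbShare -Name 'ClusterWitness' -Path 'C:\ClusterWitness' `
                 -FullAccess 'Adatum\Cluster1$', 'Adatum\Administrator' | Out-Null
}

# Even node count, so add a file share witness (Node and File Share Majority). In a real
# multi-site deployment the share lives at a third location that both sites reach directly.
Set-ClusterQuorum -Cluster $clusterName -NodeAndFileShareMajority '\\LON-DC1\ClusterWitness'

# Windows Server 2012 vote adjustment: NodeWeight 1 = has a vote, 0 = no vote.
# Removing the vote of a DR node that is only ever failed over to manually stops it from
# forming (or breaking) a majority on its own during a WAN partition. Do NOT do this for a
# node that must take the role automatically: with two nodes and a witness, automatic
# failover needs both nodes to keep their votes.
$drNode = Get-ClusterNode -Cluster $clusterName -Name 'LON-SVR4'
$drNode.NodeWeight = 0

# Report the vote layout and the majority the cluster now needs.
$nodes = Get-ClusterNode -Cluster $clusterName
$nodes | Select-Object Name, State, NodeWeight

$totalVotes = ($nodes | Measure-Object -Property NodeWeight -Sum).Sum + 1   # +1 witness vote
"Votes in cluster: $totalVotes; needed for quorum: $([math]::Floor($totalVotes / 2) + 1)"
```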

Challenges for Implementing a Multi-Site Cluster
Implementation of multi-site clusters is more complex than implementation of single-site clusters, and
can also present several challenges to the administrator. The most important challenges when you
implement multi-site clusters are related to storage and network.
In a multi-site cluster, there is no shared storage that the cluster nodes use. This means that the nodes on
each site must have their own storage instance. On the other hand, Failover Clustering does not include
any built-in functionality to replicate data between sites. There are three options for replicating data:
block-level hardware-based replication, software-based file replication installed on the host, or
application-based replication.

Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does not
acknowledge data changes that are made in, for example, Site A until the data is successfully written to
Site B. With asynchronous replication, data changes that are made in Site A are eventually written to
Site B.
When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not
find any shared storage, and will therefore not run. However, you can still create a cluster. If you follow
the hardware manufacturer's recommendations for Windows Server Failover Clustering hardware,
Microsoft will support the solution.

Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered
application or service to change its IP address based on the IP subnet. DNS updates the clustered
application's DNS record so that clients can locate the IP address change. Because clients rely on DNS to
find a service or application after a failover, you might have to adjust the DNS record's Time to Live, and
the speed at which DNS data is replicated. Additionally, when cluster nodes are in multiple sites, network
latency might require you to modify the inter-node communication (heartbeat) delay and time-out
thresholds.
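The two tuning points just mentioned (DNS Time to Live of the clustered name, and the heartbeat delay and threshold for cross-subnet nodes), as an added PowerShell example that is not part of the course material. It assumes it runs on a node of Cluster1 hosting the AdatumFS role from this module's lab; the numeric values are illustrative starting points, not vendor-validated settings for any particular WAN link.

```powershell
# Added example, not course material. Run on a node of Cluster1 that hosts the clustered
# file server role AdatumFS (both from the lab). Values are illustrative assumptions.
Import-Module FailoverClusters
$cluster = Get-Cluster

# Heartbeat thresholds. Windows Server 2012 defaults: 1000 ms between heartbeats and 5
# consecutive misses before a node is declared down, for same- and cross-subnet traffic.
# Loosening only the cross-subnet values keeps local failure detection fast while letting
# the remote site ride out WAN jitter instead of being evicted and triggering a failover.
$cluster.CrossSubnetDelay     = 2000   # milliseconds between heartbeats
$cluster.CrossSubnetThreshold = 10     # misses tolerated (10 x 2 s = 20 s to declare down)
$cluster | Format-List SameSubnetDelay, SameSubnetThreshold, CrossSubnetDelay, CrossSubnetThreshold

# DNS behaviour lives on the role's Network Name resource, which is what clients resolve.
$netName = Get-ClusterGroup -Name 'AdatumFS' | Get-ClusterResource |
           Where-Object ResourceType -eq 'Network Name'

# HostRecordTTL is the TTL (seconds) of the A record the cluster registers; default 1200 s.
# After a cross-subnet failover, clients keep the old address until their cached record
# expires, so a shorter TTL bounds the reconnect delay at the cost of more DNS queries.
$netName | Set-ClusterParameter -Name HostRecordTTL -Value 300

# RegisterAllProvidersIP = 1 registers the addresses of every subnet at once, which only
# helps clients that try all returned addresses; 0 (the default, set explicitly here)
# registers just the IP that is currently online and relies on the TTL above.
$netName | Set-ClusterParameter -Name RegisterAllProvidersIP -Value 0

# New parameters apply when the Network Name comes online, which briefly interrupts the
# role: do this in a maintenance window. Restarting the group restarts its dependents too.
Stop-ClusterGroup  -Name 'AdatumFS'
Start-ClusterGroup -Name 'AdatumFS'

$netName | Get-ClusterParameter | Where-Object Name -in 'HostRecordTTL', 'RegisterAllProvidersIP'
```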

Deploying Considerations for a Multi-Site Cluster
Multi-site clusters are not appropriate for every application or every business. When you design a
multi-site solution with a hardware vendor, clearly identify the business requirements and expectations.
Not every scenario that involves more than one location is appropriate for a multi-site cluster.

Multi-site clustering is a high-availability strategy that primarily focuses on hardware platform availability.
However, specific multi-site cluster configuration and deployment have availability ramifications, ranging
from the ability of users to connect to the application to the quality of performance of the application.
Multi-site clustering can be a powerful solution in dealing with planned and unplanned downtime, but its
benefits must be examined against all the dimensions of application availability.


Multi-site clusters do require some more overhead than local clusters. Unlike a local cluster, in which
each node of the cluster is attached to the mass storage device, each site of a multi-site cluster must have
comparable storage. In addition, you will also have to consider vendors to set up your data replication
schemes between cluster sites, possibly pay for additional network bandwidth between sites, and develop
the management resources within your organization to efficiently administer your multi-site cluster.
Additionally, carefully consider the quorum mode that you will use, and the location of the available
cluster votes.

Lab: Implementing Failover Clustering

Scenario

As A. Datum's business grows, it is becoming increasingly important that many of the applications and
services on the network are available at all times. A. Datum has many services and applications that have
to be available to internal and external users who work in different time zones around the world. Many of
these applications cannot be made highly available by using Network Load Balancing. Therefore, you have
to use a different technology to make these applications highly available.
As one of the senior network administrators at A. Datum, you will be responsible for implementing
Failover Clustering on the Windows Server 2012 servers in order to provide high availability for network
services and applications. You will also be responsible for planning the Failover Cluster configuration, and
deploying applications and services on the Failover Cluster.

Objectives
After completing this lab, you will be able to:

Configure a failover cluster.

Deploy and configure a highly-available file server.

Validate the deployment of the highly-available file server.

Configure Cluster-Aware Updating on the failover cluster.

Lab Setup
Estimated time: 90 minutes

Virtual Machine(s): 20417A-LON-DC1, 20417A-LON-SVR1, 20417A-LON-SVR3, 20417A-LON-SVR4
User Name: Adatum\Administrator
Password: Pa$$w0rd

Virtual Machine(s): MSL-TMG1
User Name: Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20417A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2-4 for 20417A-LON-SVR1, 20417A-LON-SVR3, and 20417A-LON-SVR4.
6. Repeat steps 2-3 for MSL-TMG1. Log on as Administrator with the password of Pa$$w0rd.

Exercise 1: Configuring a Failover Cluster

Scenario
A. Datum has important applications and services that they want to make highly available. Some of these
services cannot use Network Load Balancing. Therefore, you decided to implement Failover Clustering.
Because iSCSI storage is set up, you decided to use the iSCSI storage for Failover Clustering. First, you will
implement the core components for Failover Clustering, validate the cluster, and then create the failover
cluster.
The main tasks for this exercise are as follows:
1. Connect clients to the iSCSI targets.
2. Install the Failover Clustering feature.
3. Validate the servers for Failover Clustering.
4. Create the Failover Cluster.

Task 1: Connect clients to the iSCSI targets
1. On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with IP address 172.16.0.21.
2. Connect to the discovered target in the Targets list.
3. Repeat steps 1 and 2 on LON-SVR4.
4. Open Disk Management on LON-SVR3.
5. Bring online and initialize the three new disks.
6. Make a simple volume on each disk and format it with NTFS.
7. On LON-SVR4, open Disk Management, and bring online and initialize the three new disks.

Task 2: Install the Failover Clustering feature
1. On LON-SVR3, install the Failover Clustering feature by using Server Manager.
2. On LON-SVR4, install the Failover Clustering feature by using Server Manager.

Task 3: Validate the servers for Failover Clustering
1. On LON-SVR3, open the Failover Cluster Manager console.
2. Start the Validate a Configuration Wizard.
3. Use LON-SVR3 and LON-SVR4 as the nodes for the test.
4. Review the report.

Task 4: Create the Failover Cluster
1. On LON-SVR3, in the Failover Cluster Manager, start the Create Cluster Wizard.
2. Use LON-SVR3 and LON-SVR4 as cluster nodes.
3. Specify Cluster1 as the Access Point name.
4. Specify the IP address as 172.16.0.125.

Results: After this exercise, you will have installed and configured the Failover Clustering feature.
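The four tasks of Exercise 1 as one script run on LON-SVR3, as an added example that is not part of the course material. The iSCSI portal 172.16.0.21, the node names, the cluster name Cluster1 and its address 172.16.0.125 come from the lab; the report path is an assumption.

```powershell
# Added example, not course material: Exercise 1 as a script run from LON-SVR3
# (Windows Server 2012, domain Adatum). Lab values: portal 172.16.0.21, nodes LON-SVR3 and
# LON-SVR4, cluster Cluster1 at 172.16.0.125. The report path is an assumption.
$nodes  = 'LON-SVR3', 'LON-SVR4'
$portal = '172.16.0.21'

# Task 1: connect both nodes to the iSCSI target. -IsPersistent makes the session
# come back after a reboot, which the cluster disks depend on.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $using:portal | Out-Null
    Get-IscsiTarget | Where-Object IsConnected -eq $false | ForEach-Object {
        Connect-IscsiTarget -NodeAddress $_.NodeAddress -IsPersistent $true | Out-Null
    }
    # Bring the new disks online on every node; only one node initializes and formats them.
    Get-Disk | Where-Object OperationalStatus -eq 'Offline' | Set-Disk -IsOffline $false
}

# Initialize and format the three new disks once, on LON-SVR3 only (shared disks must
# never be initialized from two nodes at the same time).
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle MBR -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -Confirm:$false | Out-Null

# Task 2: install the feature and its management tools on both nodes.
foreach ($node in $nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $node
}

# Task 3: validate. Read the HTML report before creating the cluster; a configuration
# with warnings is still supportable only if you understand each warning.
Test-Cluster -Node $nodes -ReportName 'C:\Cluster1-Validation'

# Task 4: create the cluster with a static access point.
New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress 172.16.0.125

# Confirm membership and the quorum model the wizard picked (with shared disks and two
# nodes it selects Node and Disk Majority, using one of the shared disks as witness).
Get-ClusterNode -Cluster 'Cluster1' | Select-Object Name, State
Get-ClusterQuorum -Cluster 'Cluster1'
```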

Exercise 2: Deploying and Configuring a Highly-Available File Server

Scenario
In A. Datum, File Services is one of the important services that must be highly available. After you have
created a cluster infrastructure, you decided to configure a highly-available file server and implement
settings for failover and failback.
The main tasks for this exercise are as follows:
1. Add the File Server application to the failover cluster.
2. Add a shared folder to a highly-available file server.
3. Configure failover and failback settings.

Task 1: Add the File Server application to the failover cluster
1. Add the File Server role service to LON-SVR3 and LON-SVR4.
2. On LON-SVR3, open the Failover Cluster Manager console.
3. In the Storage node, click Disks and verify that three cluster disks are online.
4. Add File Server as a cluster role.
5. Specify AdatumFS as the Client Access Name.
6. Specify 172.16.0.130 as the IP address for the cluster role.
7. Select Cluster Disk 2 as the storage disk for the AdatumFS role.

Task 2: Add a shared folder to a highly-available file server
1. On LON-SVR4, open Failover Cluster Manager.
2. Start the New Share Wizard and add a new shared folder to the AdatumFS cluster role.
3. Specify the File share profile as SMB Share - Quick.
4. Name the shared folder Docs.

Task 3: Configure failover and failback settings
1. On LON-SVR4, in the Failover Cluster Manager, open the Properties for the AdatumFS cluster role.
2. Enable failback between 4 and 5 hours.
3. Select both LON-SVR3 and LON-SVR4 as the preferred owners.
4. Move LON-SVR4 to be first in the Preferred Owners list.

Results: After this exercise, you will have configured a highly-available file server.

Exercise 3: Validate the Deployment of the Highly-Available File Server

Scenario
In the process of implementing the failover cluster, you want to perform failover and failback tests.
The main tasks for this exercise are as follows:
1. Validate the highly-available file server deployment.
2. Validate the failover and quorum configuration for the File Server role.

Task 1: Validate the highly-available file server deployment
1. On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure
that you can access the Docs folder.
2. Create a test text document inside this folder.
3. On LON-SVR3, in the Failover Cluster Manager, move AdatumFS to the second node.
4. On LON-DC1, in Windows Explorer, verify that you can still access the \\AdatumFS\ location.

Task 2: Validate the failover and quorum configuration for the File Server role
1. On LON-SVR3, determine the current owner for the AdatumFS role.
2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to another node and that the \\AdatumFS\ location is still
available.
4. Start the Cluster service on the node on which you stopped it in step 2.
5. Browse to the Disks node, and take the disk witness offline.
6. Verify that AdatumFS is still available.
7. Bring the disk witness online.

Results: After this exercise, you will have tested the failover scenarios.
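Exercises 2 and 3 as one script run on LON-SVR3, as an added example that is not part of the course material: it deploys the AdatumFS role and share, sets the failback window and owner order, then runs the three failover checks and stops at the first one that fails. Role name, address, disk, share name and window come from the lab; the drive letter E: for Cluster Disk 2 is an assumption.

```powershell
# Added example, not course material: Exercises 2 and 3 as a script run on LON-SVR3.
# Lab values: role AdatumFS at 172.16.0.130 on Cluster Disk 2, share Docs, LON-SVR4 first
# preferred owner, failback window 04:00-05:00. Assumed: Cluster Disk 2 is drive E:.
Import-Module FailoverClusters
$roleName  = 'AdatumFS'
$sharePath = 'E:\Docs'   # assumed drive letter of Cluster Disk 2

# Exercise 2, Task 1: File Server role service on both nodes, then the clustered role.
Invoke-Command -ComputerName 'LON-SVR3', 'LON-SVR4' -ScriptBlock {
    Install-WindowsFeature -Name FS-FileServer
}
Add-ClusterFileServerRole -Name $roleName -Storage 'Cluster Disk 2' -StaticAddress 172.16.0.130

# Task 2: create the share on whichever node owns the role, scoped to the clustered name
# so it is published under \\AdatumFS and follows the role, not the physical node.
$owner = (Get-ClusterGroup -Name $roleName).OwnerNode.Name
Invoke-Command -ComputerName $owner -ScriptBlock {
    New-Item -Path $using:sharePath -ItemType Directory -Force | Out-Null
    New-SmbShare -Name 'Docs' -Path $using:sharePath -ScopeName $using:roleName `
                 -FullAccess 'Adatum\Administrator' | Out-Null
}

# Task 3: failback allowed only between 04:00 and 05:00, LON-SVR4 first in the owner list.
$group = Get-ClusterGroup -Name $roleName
$group.AutoFailbackType    = 1   # 1 = failback allowed, 0 = prevent failback
$group.FailbackWindowStart = 4   # hour of day (0-23) when the window opens
$group.FailbackWindowEnd   = 5   # hour of day when it closes
Set-ClusterOwnerNode -Group $roleName -Owners 'LON-SVR4', 'LON-SVR3'

# Exercise 3: failover checks. The helper returns $true/$false so the script can stop.
function Test-RoleReachable { Test-Path "\\$roleName\Docs" }

# 1. Planned move to the other node; clients should keep access.
Move-ClusterGroup -Name $roleName | Out-Null
if (-not (Test-RoleReachable)) { throw 'Docs share unreachable after planned move' }

# 2. Unplanned: stop the Cluster service on the current owner, then confirm the move.
$owner = (Get-ClusterGroup -Name $roleName).OwnerNode.Name
Stop-ClusterNode -Name $owner | Out-Null
Start-Sleep -Seconds 15
if ((Get-ClusterGroup -Name $roleName).OwnerNode.Name -eq $owner) { throw 'role did not move' }
if (-not (Test-RoleReachable)) { throw 'Docs share unreachable after node failure' }
Start-ClusterNode -Name $owner | Out-Null

# 3. Witness loss: under Node and Disk Majority two healthy nodes still hold a majority
#    without the witness disk, so the role must stay online.
$witness = (Get-ClusterQuorum).QuorumResource
Stop-ClusterResource -Name $witness.Name | Out-Null
if (-not (Test-RoleReachable)) { throw 'Docs share unreachable without witness' }
Start-ClusterResource -Name $witness.Name | Out-Null
'All failover checks passed'
```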

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster

Scenario

Earlier, implementing updates to servers with critical services was causing unwanted downtime. To enable
seamless and zero-downtime cluster updating, you want to implement the Cluster-Aware Updating
feature and test updates for cluster nodes.
The main tasks for this exercise are as follows:
1. Configure Cluster-Aware Updating.
2. Update the failover cluster and configure self-updating.

Task 1: Configure Cluster-Aware Updating
1. On LON-DC1, install the Failover Clustering feature.
2. From Server Manager, open Cluster-Aware Updating.
3. Connect to Cluster1.
4. Preview the updates available for nodes in Cluster1.

Task 2: Update the failover cluster and configure self-updating
1. On LON-DC1, start the update process for Cluster1.
2. After the process is complete, configure self-updating for Cluster1, to be performed weekly, on
Sundays at 4 A.M.

Results: After this exercise, you will have configured Cluster-Aware Updating.
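The CAU tasks of this exercise and of the earlier demonstration (preview, Updating Run Profile options, remote-updating run, weekly self-updating on Sundays at 4 A.M.) performed with the CAU cmdlets from LON-DC1, as an added example that is not part of the course material. It assumes the cluster nodes can reach an update source (WSUS or Windows Update) and that LON-DC1 is a member of the Adatum domain.

```powershell
# Added example, not course material: Cluster-Aware Updating run from LON-DC1 against
# Cluster1 (lab names). Assumed: nodes can reach an update source; LON-DC1 is a domain member.
Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
Import-Module ClusterAwareUpdating

$clusterName = 'Cluster1'

# Preview: scan only, nothing is installed. Review this before an Updating Run.
Invoke-CauScan -ClusterName $clusterName -CauPluginName 'Microsoft.WindowsUpdatePlugin' |
    Format-Table NodeName, UpdateId, UpdateTitle -AutoSize

# Updating Run Profile options, expressed as parameters:
#  -MaxFailedNodes 0       abort the run if any node fails to update (conservative)
#  -MaxRetriesPerNode 3    retry a node up to three times before counting it as failed
#  -RequireAllNodesOnline  refuse to start unless every node is up, so the cluster keeps
#                          a majority while one node at a time is drained and restarted
Invoke-CauRun -ClusterName $clusterName -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
              -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force

# Self-updating: a CAU clustered role inside the cluster runs the same procedure on a
# schedule (weekly, Sunday, at the time-of-day taken from -StartDate). -EnableFirewallRules
# opens the remote-shutdown firewall rules on the nodes so CAU can restart them.
Add-CauClusterRole -ClusterName $clusterName -Force -EnableFirewallRules `
    -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
    -DaysOfWeek Sunday -IntervalWeeks 1 `
    -StartDate (Get-Date).Date.AddDays(1).AddHours(4) `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline

# Verify the schedule, then read the report of the run performed above.
Get-CauClusterRole -ClusterName $clusterName
Get-CauReport -ClusterName $clusterName -Last -Detailed
```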

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, perform the following
steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20417A-LON-SVR1, 20417A-LON-SVR3, MSL-TMG1 and 20417A-LON-SVR4.

Module Review and Takeaways

Review Questions
Question: Why is using a Disk-Only quorum configuration generally not a good idea?
Question: What is the purpose of Cluster-Aware Updating?
Question: What is the main difference between synchronous and asynchronous replication
in a multi-site cluster scenario?
Question: What is an enhanced feature in multi-site clusters in Windows Server 2012?

Best Practices

Try to avoid using a quorum model that depends just on a disk.

Use Cluster Shared Volumes for Hyper-V high availability or a Scale-Out File Server.

Do regular backups of the cluster configuration.

Be sure that, in case of one node failure, the other nodes can handle the load.

Carefully plan multi-site clusters.

Common Issues and Troubleshooting Tips

Common Issue: Cluster Validation wizard reports an error
Troubleshooting Tip:

Common Issue: Create Cluster wizard reports that not all nodes support the desired clustered role
Troubleshooting Tip:

Common Issue: You can't create a Print Server cluster
Troubleshooting Tip:

Real-world Issues and Scenarios

Your organization is considering the use of a geographically-dispersed cluster that includes an alternative
data center. Your organization has only a single physical location together with an alternative data center.
Can you provide an automatic failover in this configuration?

Tools
The tools for implementing failover clustering include:

Failover Cluster Manager console

Cluster-Aware Updating console

Windows PowerShell

Server Manager

iSCSI initiator

Disk Management

Module 8
Implementing Hyper-V
Contents:
Module Overview 8-1
Lesson 1: Configuring Hyper-V Servers 8-2
Lesson 2: Configuring Hyper-V Storage 8-8
Lesson 3: Configuring Hyper-V Networking 8-16
Lesson 4: Configuring Hyper-V Virtual Machines 8-21
Lab: Implementing Server Virtualization with Hyper-V 8-27
Module Review and Takeaways 8-33

Module Overview

Although server virtualization was deployed rarely on corporate networks only a decade ago, today it is a
core networking technology. Server administrators must be able to distinguish which server workloads
might run effectively in virtual machines and which need to remain in a traditional, physical deployment.
This module introduces you to the new features of the Hyper-V role, the components of the role, and
the best practices for deploying the role.

Objectives
After completing this module, you will be able to:

Configure Hyper-V servers.

Configure Hyper-V storage.

Configure Hyper-V networking.

Configure Hyper-V virtual machines.

Lesson 1
Configuring Hyper-V Servers

The Hyper-V role has undergone a substantial change in Windows Server 2012. New features, such as
network utilization and Resource Metering, provide you with the ability to manage virtual machines
effectively with Hyper-V version 3.0. In this lesson, you will learn about the new features in Hyper-V, as
well as Hyper-V Integration Services and the factors that you need to consider when you are configuring
Hyper-V hosts.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the new features in Hyper-V 3.0.

Describe the hardware requirements for Hyper-V 3.0.

Configure Hyper-V settings.

Describe Hyper-V Integration Services.

Describe the best practices for configuring Hyper-V hosts.

What's New in Hyper-V 3.0?
The Hyper-V role first became available after the release of Windows Server 2008. New features were
added to the role, both in Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1 (SP1).
Hyper-V in Windows Server 2012, also known as Hyper-V 3.0, includes the following major improvements:

Virtual machine replication

Hyper-V PowerShell support

Quality of Service (QoS) bandwidth management

Non-Uniform Memory Access (NUMA) support

Memory improvements

Virtual Machine Replication

You can use Hyper-V replica to perform continuous replication of important virtual machines from a host
server to a replica server. In the event that the host server fails, you can configure failover to the replica
server. For more information on Hyper-V replicas, visit Module 9: Implementing Failover Clustering with
Hyper-V.

Hyper-V PowerShell support

Windows Server 2012 introduces extensive Windows PowerShell support for Hyper-V through the
Hyper-V PowerShell module. You can manage all aspects of Hyper-V, including creating virtual hard disks,
virtual switches, and virtual machines.
Quality of Service (QoS) Bandwidth Management

Hyper-V administrators can use Quality of Service (QoS) bandwidth management to converge multiple
traffic types through a virtual-machine network adapter, which allows a predictable service level for each
traffic type. You also can allocate minimum and maximum bandwidth allocations on a per-virtual machine
basis.

Non-Uniform Memory Access (NUMA) Support

Hyper-V 3.0 includes NUMA support. NUMA is a multiprocessor architecture that automatically groups
RAM and processors. This leads to performance improvements for virtual machines that are hosted on
servers that have multiple processors and large amounts of random access memory (RAM).

Memory Improvements

Dynamic memory is a feature that allows virtual machine memory to be allocated as necessary, rather than
as a fixed amount. For example, rather than setting a virtual machine with a fixed 4 gigabytes (GB) of
memory, which Hyper-V allocates to the virtual machine, an administrator can use dynamic memory to
allocate a minimum and maximum amount. In this scenario, the virtual machine requests only what it
needs. Although Windows Server 2008 R2 SP1 included the ability for virtual machines to use dynamic
memory, you had to make any adjustments to these settings after you shut down the server. Hyper-V 3.0
enables administrators to adjust dynamic memory settings on virtual machines that are running. You can
use smart paging to configure startup memory, which differs from the minimum and maximum memory
allocations. When you use smart paging, the Hyper-V host uses memory paging to ensure that a virtual
machine can start when there are not enough memory resources available to support startup, but enough
to support the virtual machine's minimum memory allocation.
Other improvements to Hyper-V include:

Resource Metering. Resource Metering allows administrators to track resource utilization of individual
virtual machines. You can enable resource metering on a per-virtual machine basis. Use PowerShell to
perform resource-metering operations.

Virtual Fibre Channel. Virtual Fibre Channel enables virtual machines to use a virtual Fibre Channel
host bus adapter (HBA) to connect to Fibre Channel resources on storage area networks (SANs). To
use Virtual Fibre Channel, the host Hyper-V server must have a compatible Fibre Channel HBA.

Live migration without shared storage. Hyper-V 3.0 supports live migration of virtual machines
between Hyper-V hosts, without requiring access to shared storage. For more information on live
migration, visit Module 9: Implementing Failover Clustering with Hyper-V.

New virtual hard disk format. Hyper-V 3.0 introduces the VHDX format. This disk format supports
larger virtual hard disks. It also includes a format that minimizes the chances of data loss during
unexpected power outages.

Server message block 3.0 (SMB 3.0) storage. Hyper-V 3.0 virtual machines can use virtual hard disks
stored on normal shared folders, as long as the folders are hosted on a server that supports the SMB
3.0 protocol.

Network virtualization. Network virtualization enables virtual machines to retain a static IP address
configuration when migrated to different Hyper-V hosts.

Prerequisites for Installing Hyper-V
Hyper-V on Windows Server 2012 requires that the host computer has an x64 processor, which supports
Second Level Address Translation (SLAT). SLAT is a special technology that allows a processor to address
memory more efficiently.
The server that hosts the Hyper-V role needs a minimum of 4 GB of RAM. A virtual machine hosted on
Hyper-V in Windows Server 2012 can support a maximum of 1 terabyte of RAM and up to 32 virtual
processors.
When deciding on the server hardware in which you plan to install the Hyper-V role, you need to ensure
the following:

The server must have enough memory to support the memory requirements of all of the virtual
machines that must run concurrently. The server also must have enough memory to run the host
Windows Server 2012 operating system.

The storage subsystem's performance must meet the I/O needs of the guest virtual machines. It may be
necessary to place different virtual machines on separate physical disks to deploy a high performance
redundant array of independent disks (RAID), Solid State Drives (SSD), hybrid-SSD, or a combination
of all three.

The CPU capacity of the host server must meet the requirements of the guest virtual machines.

The host server's network adapters must be able to support the network throughput requirements of
the guest virtual machines. This may require installing multiple network adapters and using multiple
network interface card (NIC) teams for virtual machines that have high network-use requirements.

Demonstration: Configuring Hyper-V Settings

It is necessary to start a traditionally deployed server to run this demonstration because you cannot run
Hyper-V from within a virtual machine.

Demonstration Steps
1. Log on to LON-HOST1.
2. Open the Hyper-V Manager console.
3. In the Hyper-V Settings dialog box, review the following settings:
   o Virtual Hard Disks
   o Virtual Machines
   o Physical GPUs
   o NUMA Spanning
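The host settings reviewed in this demonstration, together with the dynamic memory, smart paging and Resource Metering features described earlier in this lesson, done with the Hyper-V PowerShell module on LON-HOST1, as an added example that is not part of the course material. The virtual machine name LON-TEST1 and the D:\Hyper-V paths are assumptions.

```powershell
# Added example, not course material. Run in an elevated PowerShell on LON-HOST1.
# Assumed: a virtual machine named LON-TEST1 exists and the D:\Hyper-V folders exist.
Import-Module Hyper-V

# Hardware prerequisite check. On a machine without the role installed, systeminfo lists
# the Hyper-V requirements (SLAT, VM Monitor Mode extensions, DEP); once a hypervisor is
# running it prints "A hypervisor has been detected" instead.
systeminfo | Select-String 'Hyper-V Requirements', 'Second Level Address Translation', 'VM Monitor Mode'

# Hyper-V Settings dialog equivalents: default storage paths and NUMA spanning.
# Disabling NUMA spanning keeps each VM's memory on one NUMA node for predictable latency,
# at the cost of refusing to start a VM that does not fit in a single node.
Set-VMHost -VirtualHardDiskPath 'D:\Hyper-V\Virtual Hard Disks' `
           -VirtualMachinePath  'D:\Hyper-V\Virtual Machines' `
           -NumaSpanningEnabled $false
Get-VMHost | Format-List VirtualHardDiskPath, VirtualMachinePath, NumaSpanningEnabled,
                         LogicalProcessorCount, MemoryCapacity

$vm = 'LON-TEST1'

# Dynamic memory: startup 1 GB, minimum 512 MB, maximum 4 GB, 20 % buffer above demand.
# Enabling dynamic memory needs the VM to be off; minimum and maximum can then be changed
# while it runs, which is the Hyper-V 3.0 improvement over 2008 R2 SP1.
Set-VMMemory -VMName $vm -DynamicMemoryEnabled $true `
             -StartupBytes 1GB -MinimumBytes 512MB -MaximumBytes 4GB -Buffer 20

# Smart paging file location: used only when the host lacks memory at VM start but can
# satisfy the minimum once the guest has booted.
Set-VM -VMName $vm -SmartPagingFilePath 'D:\Hyper-V\SmartPaging'

# Resource Metering: enable it, let the VM run its workload, then read the averages.
Enable-VMResourceMetering -VMName $vm
Measure-VM -VMName $vm | Format-List VMName, AverageProcessorUsage, AverageMemoryUsage,
                                     TotalDiskAllocation, NetworkMeteredTrafficReport
```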

MCT USE ONLY. STUDENT USE PROHIBITED

Upg
grading Your Ski lls to MCSA Win
ndows Server 2
2012

Hyper-V Integration Services

Hyper-V Integration Services are a series of services that you can use with supported virtual-machine guest operating systems. Supported operating systems can use Integration Services components and functionality like Small Computer System Interface (SCSI) adapters and synthetic network adapters.

The virtual-machine guest operating systems that Hyper-V supports include:

Windows Server 2012
Windows Server 2008 R2 with SP1
Windows Server 2008 with Service Pack 2 (SP2)
Windows Server 2003 R2 with SP2
Windows Home Server 2011
Windows MultiPoint Server 2011
Windows Small Business Server 2011
Windows Server 2003 with Service Pack 2
CentOS 6.0-6.2
CentOS 5.5-5.7
Red Hat Enterprise Linux 6.0-6.2
Red Hat Enterprise Linux 5.5-5.7
SUSE Linux Enterprise Server 11 with Service Pack 1 or Service Pack 2
SUSE Linux Enterprise Server 10 with Service Pack 4
Windows 7 with Service Pack 1
Windows Vista with Service Pack 2
Windows XP with Service Pack 3

Additional Reading: Note that the Hyper-V support for the Windows XP operating system ends in April 2014, and support for Windows Server 2003 and Windows Server 2003 R2 expires in July 2015. When available, a link will be provided here to the list of supported Hyper-V virtual-machine guest operating systems on Windows Server 2012.

You can install the Integration Services components on an operating system by clicking the Insert Integration Services Setup Disk item on the Action menu in the Virtual Machine Connection window. After this is done, you can install the relevant operating-system drivers either manually or automatically.

You can enable the following virtual-machine integration components:

Operating system shutdown. The Hyper-V server uses this component to initiate a graceful shutdown of the guest virtual machine.

Time synchronization. The virtual machine uses this component to synchronize its clock with the host server's clock.

Data Exchange. The Hyper-V host uses this component to exchange key-value data with the virtual machine; on Windows guests, values written by the host appear in the virtual machine's registry.

Heartbeat. Hyper-V uses this component to determine if the virtual machine has become unresponsive.

Backup (volume snapshot). The provider of the Volume Shadow Copy Service (VSS) uses this component to create virtual-machine snapshots for backup operations, without interrupting the virtual machines' normal operation.
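Each of these components can be audited and switched on or off per virtual machine from the host with the Hyper-V module. The following is an added example, not part of the course material; the virtual machine names are hypothetical, and the two policy decisions in it (no host time synchronization for a virtualized domain controller, no Data Exchange for a tenant virtual machine you do not manage) are common practices stated here as assumptions, not course guidance.

```powershell
# Added example (not course code): audit and tune integration components.
# Assumptions: VM names are hypothetical; run in an elevated session on the host.
Import-Module Hyper-V

function Get-IntegrationReport {
    param([string]$VMName)
    # Name values are 'Shutdown', 'Time Synchronization', 'Key-Value Pair Exchange'
    # (Data Exchange), 'Heartbeat' and 'VSS' (Backup (volume snapshot)).
    Get-VMIntegrationService -VMName $VMName |
        Select-Object VMName, Name, Enabled, PrimaryStatusDescription, SecondaryStatusDescription
}

# Baseline view for one VM.
Get-IntegrationReport -VMName 'LON-SVR1' | Format-Table -AutoSize

# Assumption: a virtualized domain controller should take time from the domain
# hierarchy rather than the host clock, so host time sync is disabled for it.
Disable-VMIntegrationService -VMName 'LON-DC1' -Name 'Time Synchronization'

# Assumption: Key-Value Pair Exchange is a host-to-guest channel that writes into
# the guest registry, so it is switched off for a tenant VM you do not manage.
Disable-VMIntegrationService -VMName 'TENANT-VM1' -Name 'Key-Value Pair Exchange'

# Heartbeat is what lets the host detect a hung guest; keep it on and read it.
# PrimaryStatusDescription is 'OK' while the guest is responding.
Enable-VMIntegrationService -VMName 'LON-SVR1' -Name 'Heartbeat'
(Get-VMIntegrationService -VMName 'LON-SVR1' -Name 'Heartbeat').PrimaryStatusDescription

# Across all VMs: enabled components that are not reporting 'OK' usually mean the
# Integration Services inside the guest are missing or out of date.
Get-VM | Get-VMIntegrationService |
    Where-Object { $_.Enabled -and $_.PrimaryStatusDescription -ne 'OK' } |
    Format-Table VMName, Name, PrimaryStatusDescription, SecondaryStatusDescription -AutoSize
```

Disabling a component on the host only stops the host side of the channel; the guest-side services remain installed, so the same setting can be re-enabled later without reinstalling Integration Services.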

Best Practices for Configuring Hyper-V Hosts

There are several best practices that you should consider when provisioning Windows Server 2012 to function as a Hyper-V host:

Provision the host with adequate hardware
Deploy virtual machines on separate disks
Do not colocate other server roles
Manage Hyper-V remotely
Run Hyper-V by using the Server Core configuration
Run the Best Practices Analyzer and Resource Metering

Provision the Host with Adequate Hardware

Perhaps the most important best practice is to ensure that the Hyper-V host is provisioned with adequate hardware. You should ensure that there is appropriate processing capacity, an appropriate amount of RAM, and fast and redundant storage. You should ensure that the Hyper-V host is provisioned with multiple network cards that you configure as a team. If the Hyper-V host is not provisioned adequately with hardware, this has an effect on the performance of all virtual machines that are hosted on the server.

Deploy Virtual Machines on Separate Disks

You should use separate disks to host virtual-machine files rather than having virtual-machine files stored on the same disk as the host operating-system files. This minimizes contention and ensures that read/write operations occurring on virtual machine files do not conflict with read/write operations occurring at the host operating-system level. It also minimizes the chance that the virtual-machine hard disks will grow to consume all available space on the operating-system volume. Performance considerations are lessened if you deploy to a disk that uses striping, such as a RAID 1+0 array. If you are using shared storage, you can provision multiple virtual machines on the same Logical Unit Number (LUN) if you utilize Cluster Shared Volumes. However, choosing between separate LUNs for each virtual machine or a shared LUN depends heavily on virtual machine workload and SAN hardware.

Do Not Colocate Other Server Roles

You should ensure that Hyper-V is the only server role deployed on the server. You should not colocate
the Hyper-V role with other roles, such as the Domain Controller or File Server role. Each role that you
deploy on a server requires resources, and when deploying Hyper-V, you want to ensure that the virtual
machines have access to as much of a host server's resources as possible. If it is necessary to locate these
roles on the same hardware, deploy these roles as virtual machines rather than installing them on the
physical host.

Manage Hyper-V Remotely

When you log on locally to a server, your logon session consumes server resources. By configuring a
Hyper-V server to be managed remotely and not performing administrative tasks by logging on locally,
you ensure that all possible resources on the Hyper-V host are available to the hosted virtual machines.
You also should restrict access to the Hyper-V server, so that only administrators responsible for the
management of virtual machines can make connections. A configuration error on a Hyper-V host can
cause downtime to all hosted virtual machines.

Run Hyper-V by Using the Server Core Configuration

There are two main reasons to run Hyper-V using the Server Core configuration. The first reason is that
running Windows Server 2012 in the server core configuration minimizes hardware-resource utilization for
the host operating-system. Running the server in server core configuration means that there are more
hardware resources for the hosted virtual machines.
The second reason to run the Hyper-V server in server core configuration is that server core requires fewer
software updates, which in turn means fewer reboots. When you restart a Hyper-V host, all virtual
machines that the server hosts become unavailable when it is unavailable. Because a Hyper-V host can
host many critical servers as virtual machines, you want to ensure that you minimize downtime.

Run the Best Practices Analyzer and Use Resource Metering

If you have enabled performance counters on the Hyper-V host, you can use the Best Practices Analyzer
to determine if there are any specific configuration issues that you should address. Enabling performance
counters does incur a slight cost to performance, so you should enable these only during periods when
you want to monitor server performance, rather than leaving them on permanently.

You can use Resource Metering, a new feature of Hyper-V 3.0, to monitor how hosted virtual machines
utilize server resources. You can use Resource Metering to determine if specific virtual machines are using
a disproportionate amount of a host server's resources. If the performance characteristics of one virtual
machine are having a deleterious effect on the performance of other virtual machines hosted on the same
server, you should consider migrating that virtual machine to another Hyper-V host.
Additional Reading: 7 Best Practices for Physical Servers Hosting Hyper-V Roles
http://technet.microsoft.com/en-us/magazine/dd744830.aspx
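Both recommendations can be put into practice from Windows PowerShell: the BestPractices module runs the Hyper-V Best Practices Analyzer, and the Hyper-V module's Resource Metering cmdlets report per-virtual-machine consumption. The following is an added example, not part of the course material; the 40 percent CPU-share threshold is an illustrative assumption, and the model ID is the one the BestPractices module registers for the Hyper-V role.

```powershell
# Added example (not course code): run the Hyper-V Best Practices Analyzer and use
# Resource Metering to find virtual machines taking a disproportionate share.
# Assumptions: elevated session on the host; the 40% threshold is illustrative.
Import-Module BestPractices
Import-Module Hyper-V

# 1. Best Practices Analyzer for the Hyper-V role: scan, then show only findings
#    that are errors or warnings (informational results are filtered out).
$modelId = 'Microsoft/Windows/Hyper-V'
Invoke-BPAModel -ModelId $modelId | Out-Null
Get-BPAResult -ModelId $modelId |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List

# 2. Resource Metering: enable it for every VM. Counters accumulate from this
#    point until reset, so sample after a representative period of load.
Get-VM | Enable-VMResourceMetering

# Later: Measure-VM returns AverageProcessorUsage (MHz), AverageMemoryUsage (MB),
# TotalDiskAllocation (MB) and a per-adapter network report for each VM.
$report   = Get-VM | Measure-VM
$totalCpu = ($report | Measure-Object -Property AverageProcessorUsage -Sum).Sum

$report |
    Select-Object VMName, AverageProcessorUsage, AverageMemoryUsage, TotalDiskAllocation,
        @{ n = 'CpuSharePct'; e = { if ($totalCpu) { [math]::Round(100 * $_.AverageProcessorUsage / $totalCpu, 1) } else { 0 } } } |
    Sort-Object CpuSharePct -Descending |
    Format-Table -AutoSize

# A VM consuming more than the threshold share of metered CPU on a shared host is a
# candidate for migration to another Hyper-V host.
$threshold = 0.4
$report |
    Where-Object { $totalCpu -and ($_.AverageProcessorUsage / $totalCpu) -gt $threshold } |
    ForEach-Object { "Consider moving $($_.VMName) to another Hyper-V host" }

# Reset the counters when you start a new measurement window.
Get-VM | Reset-VMResourceMetering
```

Resource Metering data survives a virtual machine restart and live migration, so a measurement window can span routine maintenance; the reset is what closes it.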

Lesson 2

Configuring Hyper-V Storage

Hyper-V provides many different virtual machine storage options. If you know which option is appropriate for a given situation, you can ensure that a virtual machine performs well. But if you do not understand the different virtual-machine storage options, you may end up deploying virtual hard disks that consume unnecessary space or that place an unnecessary performance burden on the host Hyper-V server. This lesson describes the different virtual hard disk types, the different virtual hard disk formats, and the benefits and limitations of using virtual machine snapshots.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the properties of virtual hard disks in Hyper-V 3.0.
Select a virtual hard disk type.
Convert between virtual hard disk types.
Maintain virtual hard disks.
Determine where to deploy virtual hard disks.
Describe the requirements for storing Hyper-V data on SMB file shares.
Implement virtual machine snapshots.
Describe the requirements of providing Fibre Channel support within virtual machines.
n virtual machines.

Virtual Hard Disks in Hyper-V 3.0

A virtual hard disk is a special file format that represents a traditional hard-disk drive. You can configure a virtual hard disk with partitions and an operating system. Additionally, you can use virtual hard disks with virtual machines, and you also can mount virtual hard disks by using the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 8 and Windows 7 operating systems. Windows Server 2012 supports booting to virtual hard disks. You can use this feature to configure the computer to start into a Windows Server 2012 operating system, or some editions of the Windows 8 operating system, that is deployed on a virtual hard disk. You can create a virtual hard disk by using:

The Hyper-V Manager console.
The Disk Management console.
The diskpart command-line utility.
The New-VHD Windows PowerShell cmdlet.

Note: Some editions of Windows 7 and the Windows Server 2008 R2 operating system also support booting to virtual hard disk.

Comparing VHDX and VHD

Virtual hard disks in the original format use the .vhd extension. Windows Server 2012 introduces the new VHDX format (.vhdx extension) for virtual hard disks. In comparison to the VHD format that was used in Hyper-V on Windows Server 2008 and Windows Server 2008 R2, the VHDX format has the following benefits:

VHDX virtual hard disks can be as large as 64 terabytes. VHD virtual hard disks were limited to 2 TB.
The VHDX virtual hard disk file structure logs metadata updates, which minimizes the chance that the disk will become corrupt if the host server suffers an unexpected power outage.
The VHDX virtual hard disk format supports better alignment when deployed to large-sector (4 KB) disks.
VHDX allows a larger block size for dynamic and differencing disks, which provides better performance for these workloads.

If you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows Server 2012, you can convert an existing VHD file to VHDX format by using the Edit Disk tool. It also is possible to convert from VHDX format to VHD, provided the disk is no larger than the VHD format's 2 TB limit.

Additional Reading: Hyper-V Virtual Hard Disk Format Overview
http://technet.microsoft.com/en-us/library/hh831446.aspx

Disk Types

When you configure a virtual hard disk, you can choose one of the following disk types:

Fixed
Dynamic
Pass-through
Differencing

Fixed Virtual Hard Disk

When you create a fixed virtual hard disk, all of the hard-disk space is allocated during the creation process. This has the advantage of minimizing fragmentation, which improves virtual hard disk performance when the disks are hosted on traditional storage devices. However, a disadvantage is that it requires all of the space that the virtual hard disk potentially can use to be allocated on the host partition. In many situations, you will not know precisely how much disk space a virtual machine needs. If you use fixed hard disks, you may end up allocating space to storage that is not actually required.

To create a fixed virtual hard disk, perform the following steps:
1. Open the Hyper-V Manager console.
2. In the Actions pane, click New, and then click Hard Disk.
3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
4. On the Choose Disk Format page, select VHD or VHDX, and then click Next.
5. On the Choose Disk Type page, click Fixed size, and then click Next.
6. On the Specify Name and Location page, enter a name for the virtual hard disk, and then specify a folder to host the virtual hard-disk file.
7. On the Configure Disk page, select one of the following options:


Create a new blank virtual hard disk of the specified size.

Copy the contents of a specified physical disk. You can use this option to replicate an existing
physical disk on the server as a virtual hard disk. The fixed hard disk will be the same size as the
disk that you have replicated. Replicating an existing physical hard disk does not alter data on the
existing disk.

Copy the contents of a specified virtual hard disk. You can use this option to create a new fixed
hard disk based on the contents of an existing virtual hard disk.

You can create a new fixed hard disk by using the New-VHD Windows PowerShell cmdlet with the -Fixed
parameter.
Note: Disk fragmentation is less of an issue when virtual hard disks are hosted on RAID
volumes or on SSDs. Hyper-V improvements, since it was first introduced in Windows Server
2008, also minimize performance differences between dynamic and fixed virtual hard disks.

Dynamic Disks

When you create a dynamic virtual hard disk, you specify a maximum size for the file. The disk itself only
uses the amount of space that needs to be allocated, and it grows as necessary. For example, if you create
a new virtual machine, and specify a dynamic disk, only a small amount of disk space is allocated to the
new disk.
This space is as follows:

Approximately 260 kilobytes (KB) for a VHD format virtual hard disk

Approximately 4096 KB for a VHDX format virtual hard disk

As storage is allocated, such as when you deploy the operating system, the dynamic hard disk grows. If
you delete files from a dynamically expanding virtual hard disk, the virtual hard-disk file does not shrink.
You can only shrink a dynamically expanding virtual hard-disk file by performing a shrink operation.

Creating a dynamically expanding virtual hard disk is similar to creating a fixed disk. In the New Virtual
Hard Disk Wizard, on the Choose Disk Type page, select Dynamically expanding size instead of Fixed.
You can create a new dynamic hard disk by using the New-VHD Windows PowerShell cmdlet with the -Dynamic parameter.

Pass-Through Disks

Virtual machines use pass-through disks to access a physical disk drive directly, rather than using a virtual hard disk. You can use pass-through disks to connect a virtual machine directly to an Internet SCSI (iSCSI) LUN. When you use pass-through disks, the virtual machine must have exclusive access to the target disk. To do this, you must use the host's Disk Management console to take the disk offline. After the disk is offline, you can connect it to one of the virtual machine's disk controllers.
You can attach a pass-through disk by performing the following steps:
1.

Ensure that the target hard disk is offline.

2.

Use the Hyper-V Manager console to edit an existing virtual machine's properties.

3.

Click an Integrated Drive Electronics (IDE) or SCSI controller, click Add, and then click Hard Drive.

4.

In the Hard Drive dialog box, select Physical Hard Disk. In the drop-down list, select the disk that
you want to use as the pass-through disk.

Note: You do not have to shut down a virtual machine if you connect the pass-through disk to a virtual machine's SCSI controller. However, if you want to connect to a virtual machine's IDE controller, it is necessary to shut down the virtual machine.
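The same attach can be scripted from the host with the Storage and Hyper-V modules. The following is an added example, not part of the course material; the disk number and virtual machine name are hypothetical. A pass-through disk gives the guest raw access to the LUN and is excluded from virtual machine snapshots, which is why the script verifies exactly which physical disk is being handed over before taking it offline.

```powershell
# Added example (not course code): attach a physical disk to a VM as a pass-through disk.
# Assumptions: physical disk number 3 and VM 'LON-SVR2' are hypothetical; run elevated on the host.
Import-Module Hyper-V

$vmName     = 'LON-SVR2'
$diskNumber = 3

# Identify the disk first: handing the wrong LUN to a guest is not recoverable.
$disk = Get-Disk -Number $diskNumber
$disk | Select-Object Number, FriendlyName, SerialNumber, Size, PartitionStyle, IsOffline | Format-List

# The host must not have the disk mounted: take it offline before attaching it.
if (-not $disk.IsOffline) {
    Set-Disk -Number $diskNumber -IsOffline $true
}

# Attach to the SCSI controller: the VM can stay running. An IDE attach
# (-ControllerType IDE) would require the VM to be shut down first.
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -DiskNumber $diskNumber

# Verify: a pass-through disk shows a DiskNumber and an empty Path, whereas a
# virtual hard disk shows a .vhd/.vhdx Path and no DiskNumber.
Get-VMHardDiskDrive -VMName $vmName |
    Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, DiskNumber, Path |
    Format-Table -AutoSize
```

To return the disk to the host later, remove the drive from the virtual machine with Remove-VMHardDiskDrive and then bring the disk back online with Set-Disk -IsOffline $false.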

Differencing Disks

Differencing disks record the changes made to a parent disk. You can use differencing disks to reduce the amount of hard disk space that virtual hard disks consume, but that comes at the cost of disk performance. Differencing disks work well with SSDs, where there is limited space available on the drive and the performance of the disk compensates for the performance drawbacks of using a differencing disk.

Differencing disks have the following properties:

You can link multiple differencing disks to a single parent disk.
When you modify the parent disk, all linked differencing disks fail.
You can reconnect a differencing disk to the parent by using the Inspect Disk tool, available in the Actions pane of the Hyper-V Manager console. You also can use the Inspect Disk tool to locate a differencing disk's parent disk.

To create a differencing disk, follow these steps:
1. Open the Hyper-V Manager console.
2. In the Actions pane, click New, and then click Hard Disk.
3. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
4. On the Choose Disk Format page, select the same format as the parent disk (VHD for a .vhd parent), and then click Next.
5. On the Choose Disk Type page, select Differencing, and then click Next.
6. On the Specify Name and Location page, enter a name and folder for the new disk, and then click Next. On the Configure Disk page, provide the location of the parent hard disk, and then click Finish.

You can create a differencing hard disk by using the New-VHD Windows PowerShell cmdlet. For example, to create a new differencing disk named c:\diff-disk.vhd that uses the virtual hard disk c:\parent.vhd, run the following Windows PowerShell command:

New-VHD c:\diff-disk.vhd -ParentPath C:\parent.vhd

Converting Disks

From time to time, it is necessary to perform maintenance operations on virtual hard disks. You can perform the following maintenance operations on virtual hard disks:

Convert the disk from fixed to dynamic.
Convert the disk from dynamic to fixed.
Convert a virtual hard disk in VHD format to VHDX.
Convert a virtual hard disk in VHDX format to VHD.

When you convert a hard disk, the contents of the existing virtual hard disk are copied to a new virtual
hard disk that has the properties that you have chosen. To convert a virtual hard disk, perform the
following steps:


1.

In the Actions pane of the Hyper-V Manager console, click Edit Disk.

2.

On the Before You Begin page of the Edit Virtual Hard Disk Wizard, click Next.

3.

On the Local Virtual Hard Disk page, click Browse. Select the virtual hard disk that you wish to
convert.

4.

On the Choose Action page, select Convert, and then click Next.

5.

On the Convert Virtual Hard Disk page, select VHD or VHDX format. By default, the current disk
format is selected. Click Next.

6.

If you want to convert the disk from fixed to dynamic or dynamic to fixed, on the Convert Virtual
Hard Disk page, select Fixed Size or Dynamically Expanding. If you want to convert the hard disk
type, choose the appropriate type, and then click Next.

7.

On the Configure Disk page, select the destination location for the disk, click Next, and then click
Finish.

You can shrink a dynamic virtual hard disk that is not taking up all the space that is allocated to it. For example, a dynamic virtual hard disk might be 60 GB on the parent volume, but only use 20 GB of that space. You shrink a virtual hard disk by choosing the Compact option in the Edit Virtual Hard Disk Wizard. You cannot shrink fixed virtual hard disks. You must convert a fixed virtual hard disk to dynamic before you can compact the disk. In Windows PowerShell, the Optimize-VHD cmdlet compacts a dynamically expanding virtual hard disk; the Resize-VHD cmdlet changes the maximum size of a virtual hard disk; and the Resize-Partition cmdlet, run against the volume inside the disk, changes the size of the partition that the guest sees.
You also can use the Edit Virtual Hard Disk Wizard to expand a disk. You can expand both dynamically expanding and fixed virtual hard disks.
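The create, inspect, convert, expand and compact operations covered by the preceding sections map onto a handful of cmdlets. The following is an added example, not part of the course material; the D:\VHD folder and file names are hypothetical, and the legacy .vhd that it converts is assumed to exist from an upgraded Windows Server 2008 R2 host.

```powershell
# Added example (not course code): create, inspect, convert, expand and compact
# virtual hard disks. Assumptions: D:\VHD and all file names are hypothetical.
Import-Module Hyper-V

$root = 'D:\VHD'
if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

# Fixed VHDX: all 20 GB are allocated on the host volume at creation.
New-VHD -Path "$root\app-fixed.vhdx" -SizeBytes 20GB -Fixed | Out-Null

# Dynamically expanding VHDX: roughly 4 MB on disk until the guest writes data.
# The larger block size is the VHDX advantage for dynamic and differencing disks.
New-VHD -Path "$root\app-dyn.vhdx" -SizeBytes 60GB -Dynamic -BlockSizeBytes 32MB | Out-Null

# Differencing disk: must be the same format (VHDX here) as its parent.
New-VHD -Path "$root\app-child.vhdx" -ParentPath "$root\app-dyn.vhdx" -Differencing | Out-Null

function Show-VhdInfo {
    # Get-VHD is the scripted equivalent of the Inspect Disk tool.
    param([string[]]$Path)
    Get-VHD -Path $Path |
        Select-Object Path, VhdFormat, VhdType, ParentPath,
            @{ n = 'MaxSizeGB';  e = { [math]::Round($_.Size / 1GB, 1) } },
            @{ n = 'FileSizeGB'; e = { [math]::Round($_.FileSize / 1GB, 2) } }
}
Show-VhdInfo -Path "$root\app-fixed.vhdx", "$root\app-dyn.vhdx", "$root\app-child.vhdx" |
    Format-Table -AutoSize

# Convert a legacy VHD from an upgraded 2008 R2 host to a dynamic VHDX in one step.
# Convert-VHD always writes a new file and leaves the source untouched, so keep
# enough free space for both until the new disk is verified.
if (Test-Path "$root\legacy.vhd") {
    Convert-VHD -Path "$root\legacy.vhd" -DestinationPath "$root\legacy.vhdx" -VHDType Dynamic
    Show-VhdInfo -Path "$root\legacy.vhdx"
}

# Expand the maximum size (works for fixed and dynamic disks). The partition inside
# the guest must then be extended separately, for example with Resize-Partition.
Resize-VHD -Path "$root\app-dyn.vhdx" -SizeBytes 100GB

# Compact a dynamic disk after files were deleted inside the guest; the file does
# not shrink on its own. The disk must not be attached to a running VM.
Optimize-VHD -Path "$root\app-dyn.vhdx" -Mode Full
Show-VhdInfo -Path "$root\app-dyn.vhdx"
```

Compacting only reclaims blocks the guest file system has actually released; on guests that do not issue TRIM, zero the free space inside the guest first, otherwise Optimize-VHD has little to remove.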

Demonstration: Managing Virtual Hard Disks in Hyper-V


In this demonstration, you create a differencing disk based on an existing disk by using both Hyper-V
Manager and PowerShell.

Demonstration Steps
1. Use Windows Explorer to create the following folders on the physical host drive:
o E:\Program Files\Microsoft Learning\Base\LON-GUEST1
o E:\Program Files\Microsoft Learning\Base\LON-GUEST2

Note: The drive letter may depend upon the number of drives on the physical host machine.

2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
o Disk Format: VHD
o Disk Type: Differencing
o Name: LON-GUEST1.vhd
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd

3. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the paths contain spaces, so they must be quoted):

New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"

4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.

5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

Location Considerations of Virtual Hard Disks

A key factor when provisioning virtual machines is ensuring that virtual hard disks are placed correctly. Virtual hard-disk performance can affect virtual machine performance dramatically. Servers that are otherwise well provisioned with RAM and processor capacity can still experience bad performance if the storage system is overwhelmed.

Consider the following factors when planning the location of virtual hard-disk files:

High-performance connection to the storage. You can locate virtual hard-disk files on local or remote storage. When you locate them on remote storage, you need to ensure that there is adequate bandwidth and minimal latency between the host and the remote storage. Slow network connections to storage, or connections where there is latency, result in poor virtual-machine performance.

Redundant storage. The volume that the virtual hard-disk files are stored on should be fault-tolerant. This should apply whether the virtual hard disk is stored on a local disk or a remote SAN device. It is not uncommon for hard disks to fail. Therefore, the virtual machine and the Hyper-V host should remain in operation after a disk failure. Replacement of failed disks also should not affect the operation of the Hyper-V host or virtual machines.

High-performance storage. The storage device on which you store virtual hard-disk files should have excellent I/O characteristics. Many enterprises use SSD hybrid drives in RAID 1+0 arrays to achieve maximum performance and redundancy. Multiple virtual machines that are running simultaneously on the same storage can place a tremendous I/O burden on a disk subsystem. Therefore, you need to ensure that you choose high-performance storage. If you do not, virtual machine performance suffers.

Adequate growth space. If you have configured virtual hard disks to grow automatically, ensure that there is adequate space into which the files can grow. Also, carefully monitor growth so that you are not surprised when a virtual hard disk fills the volume that you allocated to host it. If you configure virtual hard disks to grow automatically, place each virtual machine's virtual hard disk on a separate volume. This way, the virtual hard disks of multiple virtual machines are not affected if one volume's capacity is exceeded.

Storage on SMB 3 File Shares

Hyper-V supports storing virtual machine data, such as virtual-machine configuration files, snapshots, and virtual hard-disk files, on SMB 3 file shares. The file share must support SMB 3. This limits placement of virtual hard disks to file shares that are hosted on file servers that are running Windows Server 2012. Earlier Windows Server versions do not support SMB 3. You must ensure that network connectivity to the file share is 1 gigabit per second (Gbps) or more.

SMB file shares provide an alternative to storing virtual-machine files on iSCSI or Fibre Channel SAN devices. When creating a virtual machine in Hyper-V on Windows Server 2012, you can specify a network share when choosing the virtual machine location and the virtual hard-disk location. You also can attach disks stored on SMB 3 file shares. You can use both VHD and VHDX disks with SMB file shares.

Additional Reading: Server Message Block overview
http://technet.microsoft.com/en-us/library/hh831795.aspx
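A share that Hyper-V can use needs more than the SMB 3 dialect: the Hyper-V hosts' computer accounts, and the administrators who create virtual machines, need Full Control on both the share permissions and the NTFS permissions of the folder. The following is an added example, not part of the course material; the file server FS1, hosts HV1 and HV2, the CONTOSO domain, the group name and the paths are hypothetical.

```powershell
# Added example (not course code): publish an SMB 3 share for Hyper-V storage and
# create a virtual machine on it.
# Assumptions: FS1, HV1, HV2, CONTOSO, the group and paths are hypothetical.
# Run the share section on the file server FS1 and the VM section on the host HV1.

# --- On the file server (FS1) ---
Import-Module SmbShare

$sharePath  = 'D:\Shares\VMs'
$principals = 'CONTOSO\HV1$', 'CONTOSO\HV2$', 'CONTOSO\Hyper-V Admins'

if (-not (Test-Path $sharePath)) { New-Item -ItemType Directory -Path $sharePath | Out-Null }

# Share permissions: only the Hyper-V host computer accounts and the admin group.
New-SmbShare -Name 'VMs' -Path $sharePath -FullAccess $principals

# Copy the share ACL onto the folder's NTFS ACL so the two sets of permissions agree.
Set-SmbPathAcl -ShareName 'VMs'

Get-SmbShareAccess -Name 'VMs' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# --- On the Hyper-V host (HV1) ---
Import-Module Hyper-V

# Configuration files and the new VHDX both live on the share.
New-VM -Name 'LON-WEB1' -Path '\\FS1\VMs' -MemoryStartupBytes 1GB `
    -NewVHDPath '\\FS1\VMs\LON-WEB1\LON-WEB1.vhdx' -NewVHDSizeBytes 40GB

# Confirm the host negotiated SMB 3 with the file server. A Dialect below 3.0
# (an older file server, or SMB 2 forced by policy) will not work for Hyper-V storage.
Get-SmbConnection -ServerName 'FS1' | Select-Object ServerName, ShareName, Dialect, NumOpens
```

If you create the virtual machine from a management workstation rather than from the host itself, the host must be allowed to delegate your credentials to the file server (constrained delegation for the cifs service on the host's computer account); otherwise New-VM fails with an access-denied error even though the permissions above are correct.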

Snapshot Management in Hyper-V

Snapshot is an important technology that provides administrators with the ability to make a replica of a virtual machine at a specific time. You can take snapshots when a virtual machine is shut down or running. However, when you take a snapshot of a virtual machine that is running, the snapshot includes the contents of the virtual machine's memory. Because that saved memory can contain credentials, keys and other secrets that were in RAM at the time, protect snapshot files as carefully as the virtual hard disks themselves.

Taking a Snapshot

You can take a snapshot on the Actions pane of the Virtual Machine Connection window or in the Hyper-V Manager console. Each virtual machine can have a maximum of 50 snapshots.

When taking snapshots of multiple virtual machines, you should take them at the same time. This ensures synchronization of items such as computer-account passwords. Remember that when you revert to a snapshot, you are reverting to a computer's state at that specific time. If you take a computer back to a point before it performed a computer-password change with a domain controller, you will need to rejoin that computer to the domain.

Snapshots Do Not Replace Backups

Snapshots are not a replacement for backups. Snapshot data is stored on the same volume as the virtual hard disks. If the volume hosting these files fails, both the snapshot and the virtual hard disk files are lost. You can perform a virtual machine export of a snapshot. When you export the snapshot, Hyper-V creates full virtual hard disks that represent the state of the virtual machine at the time that you took the snapshot. If you choose to export an entire virtual machine, all snapshots associated with the virtual machine also are exported.

Avhd Files

When you create a snapshot, Hyper-V writes .avhd files (.avhdx for VHDX-based disks) that store the data that differentiates the snapshot from either the previous snapshot or the parent virtual hard disk. When you delete snapshots, this data is discarded or merged into the previous snapshot or parent virtual hard disk. For example, if you delete the most recent snapshot of a virtual machine, the data is discarded. If you delete the second to last snapshot taken of a virtual machine, the data is merged so that the earlier and latter snapshot states of the virtual machine retain their integrity.

Managing Snapshots

When you apply a snapshot, the virtual machine reverts to the configuration as it existed at the time that the snapshot was taken. Reverting to a snapshot does not delete any existing snapshots. If you revert to a snapshot after making a configuration change, you are prompted to take a snapshot. It only is necessary to create a new snapshot if you want to return to that current configuration.

It is possible to create snapshot trees that have different branches. For example, if you took a snapshot of a virtual machine on Monday, Tuesday, and Wednesday, applied the Tuesday snapshot, and then made changes to the virtual machine's configuration, you create a new branch that diverges from the original Tuesday snapshot. You can have multiple branches as long as you do not exceed the 50-snapshot limit per virtual machine.
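The snapshot lifecycle described in the preceding sections (take, list, export, apply, delete) is scripted below with the Hyper-V module. This is an added example, not part of the course material; the virtual machine name, the export folder and the 30-day and 40-snapshot thresholds are hypothetical.

```powershell
# Added example (not course code): take, list, export, apply and prune snapshots.
# Assumptions: VM 'LON-SVR1', E:\Exports and the thresholds are hypothetical.
Import-Module Hyper-V
$vm = 'LON-SVR1'

# Take a snapshot of a running VM. Its memory contents are saved with it, so the
# snapshot files need the same protection as the VHD files.
Checkpoint-VM -Name $vm -SnapshotName "Before patching $(Get-Date -Format 'yyyy-MM-dd HHmm')"

# List the tree. ParentSnapshotName exposes the branches; the .avhd/.avhdx files
# are written next to the VM's virtual hard disks.
Get-VMSnapshot -VMName $vm |
    Select-Object Name, ParentSnapshotName, CreationTime |
    Format-Table -AutoSize

# Export the newest snapshot as a full, self-contained VM (merged virtual hard disks)
# to a different volume: a snapshot on the same volume as the VHDs is not a backup.
$latest = Get-VMSnapshot -VMName $vm | Sort-Object CreationTime | Select-Object -Last 1
Export-VMSnapshot -VMSnapshot $latest -Path 'E:\Exports'

# Apply (revert to) the snapshot. If the VM is domain-joined and the snapshot predates
# its last computer-account password change, expect to rejoin it to the domain.
Restore-VMSnapshot -VMSnapshot $latest -Confirm:$false

# Prune old snapshots. Remove-VMSnapshot merges or discards the avhd data as the
# text above describes; long chains also slow the VM's disk I/O.
Get-VMSnapshot -VMName $vm |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-30) } |
    Remove-VMSnapshot

# Warn about VMs approaching the 50-snapshot limit.
Get-VM | ForEach-Object {
    $count = @(Get-VMSnapshot -VMName $_.Name).Count
    if ($count -gt 40) { "$($_.Name): $count snapshots" }
}
```

Restore-VMSnapshot discards the virtual machine's current state unless you take a new snapshot first, which is the same prompt Hyper-V Manager shows; the -Confirm:$false above suppresses it deliberately.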

Fibre Channel Support in Hyper-V

Hyper-V virtual Fibre Channel is a virtual hardware component that you can add to a virtual machine, and which enables the virtual machine to access Fibre Channel storage on SANs. To deploy virtual Fibre Channel:

You must configure the Hyper-V host with a Fibre Channel host bus adapter (HBA).
The Fibre Channel HBA must have a driver that supports virtual Fibre Channel.
The virtual machine's guest operating system must support the virtual Fibre Channel adapter.

Virtual Fibre Channel adapters support port virtualization (N_Port ID Virtualization, NPIV) by exposing HBA ports in the guest operating system. This allows the virtual machine to access the SAN by using a standard World Wide Name (WWN) associated with the virtual machine rather than with the host. You can deploy up to four virtual Fibre Channel adapters to each virtual machine.

Additional Reading: Hyper-V Virtual Fibre Channel Overview
http://technet.microsoft.com/en-us/library/hh831413.aspx
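Deploying virtual Fibre Channel is a two-step task on the host: define a virtual SAN over the physical HBA ports, then add adapters to the virtual machine. The following is an added example, not part of the course material; the virtual SAN name and the virtual machine name are hypothetical. The World Wide Names it prints are what fabric zoning and array LUN masking should be configured against, so that the guest can reach only its own LUNs.

```powershell
# Added example (not course code): define a virtual SAN and give a VM two virtual
# Fibre Channel adapters. Assumptions: 'ProdSAN' and 'LON-SQL1' are hypothetical.
Import-Module Hyper-V

# Inspect the host's HBA ports (node and port WWNs) that the virtual SAN is built from.
Get-InitiatorPort | Select-Object NodeAddress, PortAddress, ConnectionType, OperationalStatus

# Build a virtual SAN over all physical Fibre Channel ports on the host. Only
# NPIV-capable HBAs whose driver supports virtual Fibre Channel will work.
New-VMSan -Name 'ProdSAN' -HostBusAdapter (Get-InitiatorPort)

# Up to four virtual adapters per VM; two gives the guest a multipath configuration.
1..2 | ForEach-Object { Add-VMFibreChannelHba -VMName 'LON-SQL1' -SanName 'ProdSAN' }

# Each adapter carries two WWPN sets (A and B) that Hyper-V alternates between
# during live migration. Zone the fabric and mask LUNs to these values, not to
# the host's own WWPNs, so the VM sees only the LUNs intended for it.
Get-VMFibreChannelHba -VMName 'LON-SQL1' |
    Select-Object VMName, SanName, WorldWideNodeNameSetA, WorldWidePortNameSetA,
        WorldWideNodeNameSetB, WorldWidePortNameSetB |
    Format-List
```

Both WWPN sets must be zoned and masked; if only set A is, the virtual machine loses its storage the first time a live migration switches it to set B.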

Lesson 3

Configuring Hyper-V Networking

Hyper-V provides several different options for allowing network communication between virtual machines. You can use Hyper-V to configure virtual machines that communicate with an external network in a manner similar to physical hosts that you deploy traditionally. You also can use Hyper-V to configure virtual machines that are able to communicate only with a limited number of other virtual machines hosted on the same Windows Server 2012 Hyper-V host. This lesson describes the various options available for Hyper-V virtual networks, which you can leverage to best meet your organization's needs.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the new features in Hyper-V networking.
Describe virtual switches.
Configure a public and private switch.
Describe network virtualization.
Describe the best practices for configuring virtual networks.

What's New in Hyper-V Networking?
There are several new features in Hyper-V 3.0 networking that improve the network performance of a large number of virtual machines in private and public cloud environments. In most cases, you should use the default settings in small scale deployments. The new features in Hyper-V 3.0 networking include:

Network virtualization. This feature enables IP addresses to be virtualized in hosting environments so that virtual machines migrated to the host can keep their original IP address rather than being allocated an IP address on the Hyper-V server's network.

Bandwidth management. You can use this feature to specify a minimum and a maximum bandwidth to be allocated to the adapter by Hyper-V. Hyper-V reserves the minimum bandwidth allocation for the network adapter, even when other virtual network adapters on virtual machines hosted on the Hyper-V host are functioning at capacity.

Dynamic Host Configuration Protocol (DHCP) guard. This feature drops DHCP messages from virtual machines that are functioning as unauthorized DHCP servers. This may be necessary in scenarios where you are managing a Hyper-V server that hosts virtual machines for others, but in which you do not have direct control over the virtual machines' configuration.

Router guard. This feature drops router advertisement and redirection messages from virtual machines configured as unauthorized routers. This may be necessary in scenarios where you do not have direct control over the configuration of virtual machines.


Port mirroring. You can use this feature to copy incoming and outgoing packets from a network adapter to another virtual machine that you have configured for monitoring.

NIC teaming. You can use this feature to add the virtual network adapter to an existing team on the host Hyper-V server.

Virtual Machine Queue. This feature requires that the host computer has a network adapter that supports the feature. Virtual Machine Queue uses hardware packet filtering to deliver network traffic directly to the guest. This improves performance because the packet does not need to be copied from the host operating system to the virtual machine. Only synthetic network adapters support this feature.

IP security (IPsec) task offloading. This feature requires that the guest operating system and network adapter are supported. This feature enables the host's network adapter to perform calculation-intensive security-association tasks. If sufficient hardware resources are not available, the guest operating system performs these tasks. You can configure a maximum number of offloaded security associations between a range of one and 4,096. This feature is supported only on synthetic network adapters.

Single-root I/O virtualization (SR-IOV). This feature requires specific hardware and special drivers to be installed on the guest operating system. SR-IOV enables multiple virtual machines to share the same Peripheral Component Interconnect Express (PCIe) physical hardware resources. If sufficient resources are not available, network connectivity falls back so that the virtual switch provides it. This feature is only supported on synthetic network adapters.
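The per-adapter features above (DHCP guard, router guard, port mirroring, Virtual Machine Queue, IPsec offload) are all set through one cmdlet. The following is an added example, not code from the course, that applies them to a tenant virtual machine whose guest configuration you do not control and then reads the settings back. The VM names LON-GUEST1 and LON-MONITOR are assumptions; the offload values are sample figures.

```powershell
# Added example: harden and tune the network adapters of one tenant VM.
# VM names are assumptions; the monitor VM only receives mirrored traffic.
Import-Module Hyper-V

$tenantVm  = 'LON-GUEST1'    # assumed tenant VM
$monitorVm = 'LON-MONITOR'   # assumed monitoring VM on the same virtual switch

# DHCP guard and router guard drop DHCP server replies and router
# advertisements/redirects that originate inside the guest, so a guest that is
# misconfigured (or compromised) cannot hand out addresses or hijack routing
# for its neighbours on the switch.
Set-VMNetworkAdapter -VMName $tenantVm -DhcpGuard On -RouterGuard On

# Port mirroring: the tenant adapter is the source, the monitoring VM's adapter
# is the destination. Both adapters must be connected to the same virtual switch.
Set-VMNetworkAdapter -VMName $tenantVm  -PortMirroring Source
Set-VMNetworkAdapter -VMName $monitorVm -PortMirroring Destination

# Hardware offloads are honoured only when the host NIC supports them and the
# adapter is synthetic; otherwise the work silently stays in software.
# The IPsec security-association limit must lie in the 1..4096 range the text gives.
Set-VMNetworkAdapter -VMName $tenantVm -VmqWeight 100 `
    -IPsecOffloadMaximumSecurityAssociation 512

# Verify: list the settings that matter for a configuration review.
Get-VMNetworkAdapter -VMName $tenantVm |
    Select-Object VMName, SwitchName, DhcpGuard, RouterGuard,
                  PortMirroringMode, VmqWeight, IPsecOffloadMaxSA
```

DHCP guard and router guard are the two settings worth enforcing on every adapter of a VM you do not administer yourself; the offload settings only change performance, not what traffic the switch accepts.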

What Is a Hyper-V Virtual Switch?
Virtual switches are virtual devices that you can manage through the Virtual Switch Manager, which enables you to create three types of virtual switches. The virtual switches control how the network traffic flows between virtual machines hosted on the Hyper-V server, as well as how the network traffic flows between virtual machines and the rest of the organizational network. Hyper-V on Windows Server 2012 supports the three types of virtual switches that the following table details.

Type: External
Description: You use this type of switch to map a network to a specific network adapter or network-adapter team. Windows Server 2012 supports mapping an external network to a wireless network adapter, if you have installed the Wireless LAN Service on the host Hyper-V server, and the Hyper-V server has a compatible adapter.

Type: Internal
Description: You use internal virtual switches to communicate between the virtual machines on the Hyper-V host and to communicate between the virtual machines and the Hyper-V host itself.

Type: Private
Description: You use private switches only to communicate between virtual machines on the Hyper-V host. You cannot use private switches to communicate between the virtual machines and the Hyper-V host.

When configuring a virtual network, you can also configure a virtual LAN (VLAN) ID to be associated with the network. You can use this to extend existing VLANs on the external network to VLANs within the Hyper-V host's network switch. You can use VLANs to partition network traffic. VLANs function as separate logical networks. Traffic can pass only from one VLAN to another if it passes through a router. You can configure the following extensions for each virtual switch type:

8-18 Implementing Hyper-V
Microsoft Network Driver Interface Specification (NDIS) Capture. This extension allows the capture of data travelling across the virtual switch.

Microsoft Windows Filtering Platform. This extension allows filtering of data travelling across the virtual switch.

Additional Reading: Hyper-V Virtual Switch Overview
http://technet.microsoft.com/en-us/library/hh831452.aspx

Demonstration: Configuring Hyper-V Networking
In this demonstration, you will see how to create two types of virtual network switches.

Demonstration Steps
1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network switch with the following properties:
o Name: Corporate Network
o External Network: Mapped to the host computer's physical network adapter. Will vary depending on host computer

2. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following properties:
o Name: Private Network
o Connection type: Private network
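The same three switch types, the VLAN tagging and the switch extensions described in this lesson can be created from Windows PowerShell instead of the Virtual Switch Manager. The following is an added example, not part of the demonstration, that builds all three switches, tags one guest adapter with a VLAN and enables the NDIS capture extension, then verifies each step. The host adapter name 'Ethernet', the VM name LON-GUEST1 and VLAN ID 20 are assumptions.

```powershell
# Added example: the demonstration's switches, plus an internal switch, a VLAN
# tag and a switch extension, built and verified with the Hyper-V module.
# 'Ethernet', 'LON-GUEST1' and VLAN 20 are assumed sample values.
Import-Module Hyper-V

$physicalNic = 'Ethernet'    # assumed host NIC name; Get-NetAdapter lists them

# External: bound to a host NIC. -AllowManagementOS $true keeps the host itself
# reachable through that NIC after the switch takes it over.
New-VMSwitch -Name 'Corporate Network' -NetAdapterName $physicalNic -AllowManagementOS $true

# Internal: VMs and the host can talk to each other; nothing leaves the host.
New-VMSwitch -Name 'Internal Network' -SwitchType Internal

# Private: VMs only; the host has no adapter on this switch at all.
New-VMSwitch -Name 'Private Network' -SwitchType Private

# VLAN access mode on a guest adapter extends an existing external VLAN into
# the virtual switch; traffic to another VLAN still has to cross a router.
Set-VMNetworkAdapterVlan -VMName 'LON-GUEST1' -Access -VlanId 20

# Switch extensions are enabled per switch. NDIS Capture lets monitoring
# software see frames crossing the external switch.
Enable-VMSwitchExtension -VMSwitchName 'Corporate Network' -Name 'Microsoft NDIS Capture'

# Verify: switch inventory, the adapter's VLAN state and the extension state.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
Get-VMNetworkAdapterVlan -VMName 'LON-GUEST1'
Get-VMSwitchExtension -VMSwitchName 'Corporate Network' |
    Select-Object Name, Enabled, Running
```

Creating the external switch briefly interrupts the host's connectivity on that NIC, so run this from a console session or over a different adapter.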

What Is Network Virtualization?
You can use network virtualization to isolate virtual machines from different organizations, even if they share the same Hyper-V host. For example, you might be providing an Infrastructure as a Service (IaaS) to competing businesses. You can use network virtualization to go beyond assigning these virtual machines to separate VLANs as a way of isolating network traffic. Network virtualization is a technology that you would deploy primarily in scenarios where you use Hyper-V to host virtual machines for third-party organizations. Network virtualization has the advantage that you can configure all network isolation on the Hyper-V host. With VLANs, it also is necessary to configure switches with the appropriate VLAN IDs.


When you configure network virtualization, each guest virtual machine has two IP addresses, which work as follows:

Customer IP address. The customer assigns this IP address to the virtual machine. You can configure this IP address so that communication with the customer's internal network can occur even though the virtual machine might be hosted on a Hyper-V server that is connected to a separate public IP network. Using the ipconfig command on the virtual machine shows the customer IP address.

Provider IP address. The hosting provider assigns this IP address, which is visible to the hosting provider and to other hosts on the physical network. This IP address is not visible from the virtual machine.

You can use network virtualization to host multiple machines that use the same customer address, such as 192.168.15.101, on the same Hyper-V host. When you do this, the virtual machines are assigned different IP addresses by the hosting provider, though this address will not be apparent from within the virtual machine.
You manage network virtualization by using PowerShell cmdlets. All Network Virtualization cmdlets are in the NetWNV PowerShell module. Tenants gain access to virtual machines that take advantage of network virtualization through routing and remote access. They make a tunneled connection from their network through to the virtualized network on the Hyper-V server.

Additional Reading: Hyper-V Network Virtualization Overview
http://technet.microsoft.com/en-us/library/hh831395.aspx
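The customer-address/provider-address split described above is expressed on the host as lookup records in the NetWNV module. The following is an added example, not from the course, that isolates two tenant VMs which both use the customer address 192.168.15.101 on one host by placing them in different virtual subnets. The host NIC name, provider address, VM names, virtual subnet IDs and routing-domain GUIDs are constructed sample values; the MAC addresses are read from the VMs.

```powershell
# Added example: minimum Hyper-V Network Virtualization setup for two tenants
# that share a customer address. All addresses, names and IDs are assumptions.
Import-Module Hyper-V
Import-Module NetWNV

$hostNic         = Get-NetAdapter -Name 'Ethernet'    # assumed host NIC
$providerAddress = '10.10.0.11'                       # assumed provider IP of this host

# 1. Bind the Windows Network Virtualization filter to the physical NIC.
Enable-NetAdapterBinding -Name $hostNic.Name -ComponentID ms_netwnv

# 2. Register the provider address that carries encapsulated tenant traffic on
#    the physical network. Guests never see this address.
New-NetVirtualizationProviderAddress -ProviderAddress $providerAddress `
    -InterfaceIndex $hostNic.ifIndex -PrefixLength 24

# 3. One virtual subnet (VSID) and routing domain per tenant. Identical
#    customer addresses in different VSIDs never collide.
$tenants = @(
    @{ VM = 'TENANT-A-VM1'; VSID = 5001; Customer = '192.168.15.101'
       RoutingDomain = '{11111111-2222-3333-4444-000000000001}' },
    @{ VM = 'TENANT-B-VM1'; VSID = 5002; Customer = '192.168.15.101'
       RoutingDomain = '{11111111-2222-3333-4444-000000000002}' }
)

foreach ($t in $tenants) {
    $mac = (Get-VMNetworkAdapter -VMName $t.VM).MacAddress

    # Put the guest adapter into its tenant's virtual subnet.
    Set-VMNetworkAdapter -VMName $t.VM -VirtualSubnetId $t.VSID

    # Lookup record: customer address -> provider address, scoped by VSID.
    New-NetVirtualizationLookupRecord -CustomerAddress $t.Customer `
        -ProviderAddress $providerAddress -VirtualSubnetID $t.VSID `
        -MACAddress $mac -Rule TranslationMethodEncap -VMName $t.VM

    # Route for the tenant's own subnet inside its routing domain.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.RoutingDomain `
        -VirtualSubnetID $t.VSID -DestinationPrefix '192.168.15.0/24' -NextHop '0.0.0.0'
}

# Verify: both VMs keep 192.168.15.101; the VSID column is what separates them.
Get-NetVirtualizationLookupRecord |
    Select-Object VMName, VirtualSubnetID, CustomerAddress, ProviderAddress
```

On a single host this is enough for isolation; once tenant VMs span several hosts, every host needs lookup records for the remote VMs as well, which is why the text recommends managing this through routing and remote access rather than by hand.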

Best Practices for Configuring Virtual Networks
Best practices with respect to configuring virtual networks typically revolve around ensuring that virtual machines are provisioned with adequate bandwidth. You do not want to have the performance on all virtual machines affected if a bandwidth-intensive operation, such as a large file copy or website traffic spike, occurs on one virtual machine on the same host. The following general best practices apply to configuring virtual networks:

Considerations for NIC teaming. You should deploy multiple network adapters to the Hyper-V host, and then configure those adapters as part of a team. This ensures that network connectivity will be retained if the individual network cards fail. Configure multiple teams connected to different switches to ensure that connectivity remains if a hardware switch fails.

Considerations for bandwidth management. You can use bandwidth management to allocate a minimum and a maximum bandwidth allocation on a per-virtual-network adapter basis. You should configure bandwidth allocation to guarantee that each virtual machine has a minimum bandwidth allocation. This ensures that if another virtual machine hosted on the same Hyper-V server experiences a traffic spike, other virtual machines are able to communicate with the network normally.


Considerations for Virtual Machine Queue. You should provision the Hyper-V host with an adapter
that supports Virtual Machine Queue. Virtual Machine Queue uses hardware-packet filtering to
deliver network traffic directly to the virtual machine. This improves performance because the packet
does not need to be copied from the host operating system to the virtual machine. When you do not
configure virtual machines to support Virtual Machine Queue, the host operating system can become
a bottleneck when it processes large amounts of network traffic.

Considerations for network virtualization. Network virtualization is complicated to configure, but
has an advantage over VLAN. That is, it is not necessary to configure VLANs on all of the switches that
are connected to the Hyper-V host. You can perform all necessary configurations when you need to
isolate servers on the Hyper-V host without needing to involve the network team. If you are hosting
large numbers of virtual machines, and need to isolate them, use Network Virtualization rather than
VLANs.
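The NIC teaming and bandwidth management practices above can be applied together from Windows PowerShell. The following is an added example, not code from the course, that teams two host adapters, binds an external switch to the team in absolute bandwidth mode, and guarantees every guest adapter a floor of 100 Mbit/s with a 1 Gbit/s ceiling. The adapter names NIC1 and NIC2, the VM names and the bandwidth figures are assumptions.

```powershell
# Added example: host NIC team + external switch + per-VM bandwidth floors.
# Adapter names, VM names and bandwidth values are assumed sample values.
Import-Module Hyper-V
Import-Module NetLbfo

# Switch-independent teaming needs no configuration on the physical switches,
# so it works even when the two NICs are cabled to different switches, which is
# what the text recommends for surviving a switch failure.
New-NetLbfoTeam -Name 'HV-Team' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# The external switch binds to the team, not to an individual NIC. The
# bandwidth mode is fixed at creation time, so choose it now.
New-VMSwitch -Name 'Corporate Network' -NetAdapterName 'HV-Team' `
    -MinimumBandwidthMode Absolute -AllowManagementOS $true

# Guarantee each guest adapter a minimum and cap it at a maximum.
# Values are bits per second: 100 Mbit/s floor, 1 Gbit/s ceiling.
$minimumBps = 100000000
$maximumBps = 1000000000
foreach ($vm in 'LON-GUEST1', 'LON-GUEST2') {
    Connect-VMNetworkAdapter -VMName $vm -SwitchName 'Corporate Network'
    Set-VMNetworkAdapter -VMName $vm -MinimumBandwidthAbsolute $minimumBps `
        -MaximumBandwidth $maximumBps
}

# Verify: the team is up, and each adapter reports its reservation.
Get-NetLbfoTeam -Name 'HV-Team' |
    Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-VMNetworkAdapter -VMName 'LON-GUEST*' |
    Select-Object VMName, SwitchName -ExpandProperty BandwidthSetting
```

The sum of the absolute minimums across all adapters on a switch must stay below the team's real capacity; Hyper-V reserves them unconditionally, so over-committing the floor defeats the purpose.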

Lesson 4
Configuring Hyper-V Virtual Machines


When planning a server-virtualization strategy, you need to know what you can and cannot accomplish when you are using Windows Server 2012 as a virtual machine host.

In this lesson, you will learn about Hyper-V, the hardware requirements required for deploying Hyper-V on a computer running Windows Server 2012, the different components of a virtual machine, and the benefits of virtual machine Integration Services. You also will learn how to measure virtual machine resource use with Windows PowerShell cmdlets.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the hardware and management options in virtual machine settings.

Describe how dynamic memory works in Hyper-V.

Create a virtual machine.

Import, export, and move virtual machines in Hyper-V.

Describe the best practices for configuring virtual networks.

Overview of Virtual Machine Settings
Virtual machine settings are grouped into two general areas: Hardware and Management.

Hardware
Virtual machines use simulated hardware. The hypervisor uses this virtual hardware to mediate access to actual hardware. For example, you can map a virtual network adapter to a virtual network that, in turn, maps to an actual network interface. Virtual machines have the following hardware, by default:

BIOS. This virtual hardware simulates the computer's BIOS. You can configure the virtual machine so that Num Lock is switched on or off. You also can choose the boot order for the virtual machine's virtual hardware. You can start a machine from a DVD drive, integrated device electronics (IDE) device, legacy network adapter, or a floppy disk.

Memory. You can allocate memory resources to the virtual machine. An individual virtual machine can allocate as much as 1 terabyte of memory.

Processor. You can allocate processor resources to the virtual machine. You can allocate up to 32 virtual processors to a single virtual machine.

IDE Controller. A virtual machine can support only two IDE controllers. By default, two IDE controllers are allocated to the virtual machine. These are: IDE Controller 0 and IDE Controller 1. Each IDE controller can support two devices. You can connect virtual disks or virtual DVD drives to an IDE controller. If starting from a hard disk drive or DVD-ROM, the boot device must be connected to an IDE controller. Use IDE controllers to connect virtual hard disks and DVD-ROMs to virtual machines that use operating systems that do not support Integration Services.


SCSI Controller. You can use SCSI controllers only on virtual machines that you deploy with operating
systems that support Integration Services.

Synthetic Network Adapter. Synthetic network adapters represent computer network adapters. You
can only use synthetic network adapters with supported virtual-machine guest operating systems.

COM port. A COM port enables connections to a simulated serial port on the virtual machine.

Diskette Drive. You can map a .vhd floppy disk image to a virtual diskette drive.

You can add the following hardware to a virtual machine by editing the virtual machine's properties, and
clicking on Add Hardware:

SCSI Controller. You can add up to four virtual SCSI devices. Each controller supports up to 64 disks.

Network Adapter. A single virtual machine can have a maximum of eight synthetic network adapters.

Legacy network adapter. Legacy network adapters allow network adapters to be used with operating
systems that do not support Integration Services. You also can use legacy network adapters to allow
network deployment of operating-system images. A single virtual machine can have up to four legacy
network adapters.

Fibre Channel Adapter. Allows a virtual machine to connect directly to a Fibre Channel SAN. This
requires that the Hyper-V host have a Fibre Channel HBA that also has a Windows Server 2012 driver
that supports Virtual Fibre Channel.

RemoteFX 3D Adapter. The RemoteFX 3D Adapter allows virtual machines to take advantage of
DirectX and graphics processing power on the host Windows Server 2012 server to display high
performance graphics.

Management
You can use Management settings to configure how the virtual machine behaves on the Hyper-V host.
You can configure the following virtual-machine management settings:

Name. You can use this setting to configure the virtual machine's name on the Hyper-V host. This
does not alter the virtual machine's hostname.

Integration Services. You can use this setting to configure which virtual-machine integration settings
are enabled.

Snapshot File Location. You can use this setting to specify a location for storing virtual-machine
snapshots.

Smart Paging File Location. The location used when smart paging is required to start the virtual
machine.

Automatic Start Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is powered on.

Automatic Stop Action. You can use this setting to handle how the virtual machine responds when the
Hyper-V host is gracefully shut down.

How Dynamic Memory Works in Hyper-V
In the first release of Hyper-V with Windows Server 2008, virtual machines only could be assigned a static amount of memory. Unless you took special precautions to measure the precise amount of memory that a virtual machine requires, you were likely to under-allocate or over-allocate memory.


Windows Server 2008 R2 SP1 introduced dynamic memory, which you can use to allocate a minimum amount of memory to a virtual machine. You then can allow the virtual machine to request additional memory, as necessary. Rather than attempting to guess how much memory a virtual machine requires, dynamic memory allows you to configure Hyper-V so that the virtual machine is allocated as much as it needs. You can choose a minimum value, which will always be allocated to the virtual machine. You can choose a maximum value, which the virtual machine will not exceed, even if more memory is requested. Virtual machines must support Hyper-V Integration Services to be able to use dynamic memory.
With Windows Server 2012, you can modify dynamic memory settings while the virtual machine is running. This was not possible in Windows Server 2008 R2 SP1.

Smart Paging
Another new memory feature available in Windows Server 2012 is smart paging. Smart paging provides a solution to the problem of minimum memory allocation, as it relates to virtual machine startup. Virtual machines can require more memory during startup than they would require during normal operation. In the past, it was necessary to allocate the minimum required for startup to ensure that startup occurred, even though that value could be more than the virtual machine needed during normal operation. Smart paging uses disk paging for additional temporary memory when additional memory beyond the minimum allocated is required to restart a virtual machine. This provides you with the ability to allocate a minimum amount of memory based on the amount needed when the virtual machine is operating normally, rather than the amount required during startup. One drawback of smart paging is a decrease in performance during virtual-machine restarts.
You can configure virtual machine memory by using the Set-VMMemory Windows PowerShell cmdlet.

Additional Reading: Hyper-V Dynamic Memory
http://technet.microsoft.com/en-us/library/hh831766.aspx
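The three dynamic memory values and the smart paging file location map directly onto Set-VMMemory and Set-VM. The following is an added example, not code from the course, that configures a VM with a minimum below its startup value (the case smart paging exists for), moves its smart paging file, adjusts the maximum while the VM is running, and reads back what the hypervisor currently assigns. The VM name LON-GUEST1, the memory figures and the paging path are assumptions.

```powershell
# Added example: dynamic memory and smart paging on one VM, then verification.
# VM name, memory sizes and the smart paging path are assumed sample values.
Import-Module Hyper-V
$vm = 'LON-GUEST1'

# Minimum: always kept by the VM once it is up.
# Startup: what the VM boots with; it may exceed Minimum, and the gap is what
#          smart paging bridges on a restart when host memory is short.
# Maximum: hard ceiling, even if the guest keeps asking for more.
Set-VMMemory -VMName $vm -DynamicMemoryEnabled $true `
    -MinimumBytes 512MB -StartupBytes 1GB -MaximumBytes 4GB -Buffer 20 -Priority 50

# Smart paging file: per-VM folder on a fast local volume; it is only used
# briefly during restarts, so it should never sit on slow shared storage.
Set-VM -Name $vm -SmartPagingFilePath 'E:\SmartPaging\LON-GUEST1'   # assumed path

# Windows Server 2012 allows Minimum and Maximum to change on a running VM.
# Startup cannot change while running, so it is deliberately not touched here.
if ((Get-VM -Name $vm).State -eq 'Running') {
    Set-VMMemory -VMName $vm -MaximumBytes 6GB
}

# Verify the configured values and the live figures.
Get-VMMemory -VMName $vm |
    Select-Object VMName, DynamicMemoryEnabled, Minimum, Startup, Maximum, Buffer, Priority
Get-VM -Name $vm |
    Select-Object Name, State, MemoryAssigned, MemoryDemand,
                  SmartPagingFilePath, SmartPagingFileInUse
```

SmartPagingFileInUse being true after a restart is the signal that the host was short of memory at that moment; if it is true regularly, the Minimum is set too low for the real workload rather than the startup spike.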

Demonstration: Creating a Virtual Machine

In this demonstration, you will see how to create a virtual machine by using the traditional method of using the Hyper-V Manager console. You also will see how you can automate the process by using Windows PowerShell.

Demonstration Steps
1. Use the Hyper-V Manager console to create a virtual machine with the following properties:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
o Memory: 1024 MB
o Use Dynamic Memory: Yes
o Networking: Private Network
o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\longuest1.vhd

2. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the VHD path contains spaces, so it must be quoted):
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"

3. Use the Hyper-V Manager console and edit the settings of LON-GUEST2. Configure the following:
o Automatic Start Action: Nothing
o Automatic Stop Action: Shut down the guest operating system
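Everything the demonstration does by hand, including the hardware additions and management settings from the overview above, can be scripted. The following is an added example, not the demonstration's own command, that creates LON-GUEST2, adds processors, a SCSI controller with a data disk and a second synthetic adapter, and sets the automatic start and stop actions. The base path is the demonstration's; the second switch name 'Corporate Network', the data disk size and processor count are assumptions.

```powershell
# Added example: create and configure a VM end to end with the Hyper-V module.
# The base path comes from the demonstration; other values are assumptions.
Import-Module Hyper-V

$name = 'LON-GUEST2'
$base = 'E:\Program Files\Microsoft Learning\Base'
$vmDir = Join-Path $base $name
$osVhd = Join-Path $vmDir "$name.vhd"

# Paths are passed as variables, so the spaces in them need no manual quoting.
$vm = New-VM -Name $name -MemoryStartupBytes 1024MB -VHDPath $osVhd `
             -SwitchName 'Private Network' -Path $vmDir

# Hardware beyond the defaults: 2 virtual processors, a SCSI controller with a
# dynamically expanding data disk, and a second synthetic network adapter.
Set-VMProcessor -VM $vm -Count 2
Add-VMScsiController -VM $vm
$dataVhd = Join-Path $vmDir "$name-data.vhdx"
New-VHD -Path $dataVhd -SizeBytes 40GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VM $vm -ControllerType SCSI -ControllerNumber 0 -Path $dataVhd
Add-VMNetworkAdapter -VM $vm -SwitchName 'Corporate Network' -Name 'External'   # assumed switch

# Management settings from step 3 of the demonstration.
Set-VM -VM $vm -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Verify what was built.
Get-VM -Name $name |
    Select-Object Name, ProcessorCount, AutomaticStartAction, AutomaticStopAction
Get-VMHardDiskDrive -VMName $name | Select-Object ControllerType, ControllerNumber, Path
Get-VMNetworkAdapter -VMName $name | Select-Object Name, SwitchName
```

The data disk goes on the SCSI controller because, as the overview notes, only the boot device has to live on IDE; SCSI controllers need Integration Services in the guest, which the sysprepped Windows Server 2012 image provides.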

Importing, Exporting, and Moving Virtual Machines in Hyper-V
You can use the import and export functionalities in Hyper-V to transfer virtual machines between Hyper-V hosts and create point-in-time backups of virtual machines.

Importing Virtual Machines
The virtual machine import feature in Windows Server 2012 provides more detailed information than previous Hyper-V versions featured. You can use this information to identify configuration problems such as missing hard disks or virtual switches. This was more difficult to determine in Windows Server 2008 and Windows Server 2008 R2.


In Hyper-V 3.0, you can import virtual machines from copies of virtual machine configuration, snapshot, and virtual hard-disk files rather than specially exported virtual machines. This is beneficial in recovery situations where the operating-system volume might have failed but the virtual machine files remain intact.
To import a virtual machine by using Hyper-V Manager, perform the following general steps:

1. In the Actions pane of the Hyper-V Manager console, click Import Virtual Machine.

2. On the Before You Begin page of the Import Virtual Machine wizard, click Next.

3. On the Locate Folder page, specify the folder that hosts the virtual machine files, and then click Next.


4. On the Select Virtual Machine page, select the virtual machine that you want to import, and then click Next.

5. On the Choose Import Type page, choose from the following options:
o Register the virtual machine in-place (use the existing unique ID)
o Restore the virtual machine (use the existing unique ID)
o Copy the virtual machine (create a new unique ID)

You can import virtual machines by using the Import-VM cmdlet.

Exporting Virtual Machines


When performing an export, you can select one of the following options:

Export a snapshot. You can do this by right-clicking the snapshot in the Hyper-V manager console,
and then selecting Export. This enables you to create an exported virtual machine as it existed at the
point that the snapshot was created. The exported virtual machine will have no snapshots.

Export Virtual Machine with Snapshot. You can do this by selecting the virtual machine, and then
clicking Export. This exports the virtual machine and all snapshots associated with the virtual
machine.

Exporting a virtual machine does not affect the existing virtual machine. However, you cannot import
the virtual machine again unless you use the Copy the Virtual Machine option, which creates a new
unique ID.
You can export virtual machines by using the Export-VM cmdlet.

Moving Virtual Machines

You can perform two types of moves by using the Hyper-V move function: a live migration and a move of
the actual virtual machine.
You can move virtual machines from one Hyper-V 3.0 server to another if you have enabled live
migrations. Live migration of virtual machines occurs when you move a virtual machine from one host
to another while keeping the virtual machine online and available to clients. For more information on
migrating virtual machines, visit Module 9: Implementing Failover Clustering with Hyper-V.

You can use the move functionality to move some or all of the virtual-machine files to a different location.
For example, if you want to move the virtual machines from one volume to an SMB share, while keeping
the virtual machine hosted in the same location, you have the following options:

Move all the virtual machine's data to a single location. This moves all configuration files, snapshots,
and virtual hard-disk files to the destination location.

Move the virtual machine's data to different locations. This moves the virtual machines configuration
files, snapshots, and virtual hard disks to separate locations.

Move the virtual machine's virtual hard disks. This moves the hard disks to a separate location, while
keeping the snapshot and configuration files in the same location.

You can move virtual machines in PowerShell by using the Move-VM cmdlet.
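The Export-VM, Import-VM and Move-VMStorage cmdlets named in this topic cover the three operations described above. The following is an added example, not the course's own code, that exports a VM with its snapshots, imports the export as a copy with a new unique ID beside the original (the only way to re-import a VM that still exists), and then moves the original's files to an SMB share while it stays registered on the same host. The VM name, export folder, clone paths and share name are assumptions.

```powershell
# Added example: export, copy-import with a new ID, and a storage-only move.
# Paths, share and VM names are assumed sample values.
Import-Module Hyper-V

$name       = 'LON-GUEST1'
$exportRoot = 'E:\Exports'            # assumed local export folder
$cloneRoot  = 'E:\VMs\LON-GUEST1-clone'
$share      = '\\LON-FS1\VMStore'     # assumed SMB share

# Point-in-time backup: the whole VM including every snapshot.
Export-VM -Name $name -Path $exportRoot

# On Windows Server 2012 the exported configuration is an .xml file under
# "Virtual Machines"; later versions use .vmcx, so match both.
$configFile = Get-ChildItem -Path (Join-Path $exportRoot "$name\Virtual Machines") |
              Where-Object { $_.Extension -in '.xml', '.vmcx' } |
              Select-Object -First 1

# Copy import: new unique ID, files copied to the clone location. Registering
# or restoring in place would fail because the original ID is still in use.
$clone = Import-VM -Path $configFile.FullName -Copy -GenerateNewId `
             -VirtualMachinePath $cloneRoot `
             -VhdDestinationPath (Join-Path $cloneRoot 'Virtual Hard Disks')
Rename-VM -VM $clone -NewName "$name-clone"

# Storage-only move: configuration, snapshots and VHDs go to the share while
# the VM stays on this host (a live migration would use Move-VM instead).
Move-VMStorage -VMName $name -DestinationStoragePath (Join-Path $share $name)

# Verify: two VMs with different IDs, and the original's disks on the share.
Get-VM -Name "$name*" | Select-Object Name, Id, Path, State
Get-VMHardDiskDrive -VMName $name | Select-Object Path
```

Keep the exported copy on storage the original VM cannot reach; an export that sits on the same volume as the VM it backs up is lost together with it.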

Best Practices for Configuring Virtual Machines
When creating new virtual machines, keep the following best practices in mind:


Use dynamic memory. The only time you should avoid dynamic memory is if you have an application that does not support it. For example, some Microsoft Exchange 2010 roles keep requesting memory, if it is available. In such cases, set static memory limits. You should monitor memory utilization, and set the minimum memory to the server's minimum memory utilization. Also, set a maximum amount of memory. The default maximum is more memory than most host servers have available.

Avoid differencing disks. Differencing disks reduce the amount of space required, but decrease performance as multiple virtual machines access the same parent virtual hard disk file.

Use multiple synthetic network adapters connected to different external virtual switches. Configure virtual machines to use multiple virtual network adapters that are connected to host NICs, which in turn are connected to separate physical switches. This means that network connectivity is retained if a NIC fails or a switch fails.

Store virtual machine files on their own volume. This minimizes the chance that one virtual machine's virtual hard disk growth affects the other virtual machines on the same server.

Lab: Implementing Server Virtualization with Hyper-V


Scenario
IT management at A. Datum is concerned about the low utilization for many of the physical servers
deployed in the London data center. Also, A. Datum is exploring options for expanding into multiple
branch offices, and deploying servers in public and private clouds. For this purpose, the company is
exploring the use of virtual machines.


As one of the senior network administrators at A. Datum, you are responsible for implementing Hyper-V
in the London data center. You will deploy the Hyper-V server role, configure virtual machine storage and
networking, and deploy the virtual machines.

Objectives
After performing this lab you will be able to:

Install the Hyper-V Server role.

Configure virtual networking.

Configure a virtual machine.

Lab Setup
Estimated time: 60 minutes

Virtual Machine(s): 20417A-LON-HOST1 or 20417A-LON-HOST2

User Name: Adatum\Administrator

Password: Pa$$w0rd

Lab Setup Instructions

1. Restart the classroom computer and in Windows Boot Manager, select 20417A-LON-HOST1 or 20417A-LON-HOST2. Your instructor will specify which host to log on to.

2. Log on to LON-HOST1 or LON-HOST2 server with the following credentials:
o Account: Adatum\Administrator
o Password: Pa$$w0rd

Exercise 1: Install the Hyper-V Server Role

Scenario
The first step in migrating to a virtualized environment is to install the Hyper-V server role on a new server.
The main tasks for this exercise are as follows:

1. Configure network settings on LON-HOST1 and LON-HOST2.

2. Install the Hyper-V server role.

3. Complete Hyper-V role installation and verify settings.

Task 1: Configure network settings on LON-HOST1 and LON-HOST2

1. Restart the classroom computer, and in the Windows Boot Manager, select either 20417A-LON-HOST1 or 20417A-LON-HOST2. If you start LON-HOST1, your partner must start LON-HOST2.

2. Log on to the server by using the following credentials:
o Account: Adatum\Administrator
o Password: Pa$$w0rd

3. In Server Manager, click Local Server, and then configure the following network settings:
o LON-HOST1: 172.16.0.31
o LON-HOST2: 172.16.0.32
o Subnet mask: 255.255.0.0
o Default gateway: 172.16.0.1
o Preferred DNS server: 172.16.0.10

Task 2: Install the Hyper-V server role

1. In Server Manager, use the Add Roles and Features Wizard to add the Hyper-V role to LON-HOST1 or LON-HOST2 with the following options:
o Do not create a virtual switch
o Use the Default stores locations
o Allow the server to restart automatically if required.

2. After a few minutes, the server will automatically restart. Ensure that you restart the machine by using the Boot menu, and then selecting 20417-LON-HOST1 or 20417-LON-HOST2. The computer will restart several times.

Task 3: Complete Hyper-V role installation and verify settings

1. Log on to LON-HOST1 or LON-HOST2 by using Adatum\Administrator with the password Pa$$w0rd.

2. When the installation of the Hyper-V tools completes, click Close.

3. Open the Hyper-V Manager console, and then click LON-HOST1 or LON-HOST2.

4. Open the Hyper-V settings, and then configure or verify the following settings:
o Keyboard: Use on the virtual machine
o Virtual Hard Disks: C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks
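Tasks 1 to 3 of this exercise can be carried out from an elevated Windows PowerShell session instead of Server Manager. The following is an added example, not part of the lab, that applies the LON-HOST1 addresses from Task 1, installs the role with its management tools, and after the reboots sets and verifies the virtual hard disk path from Task 3. The choice of the first physical adapter that is up is an assumption; on LON-HOST2 change the address to 172.16.0.32.

```powershell
# Added example: Exercise 1 from PowerShell (run elevated on LON-HOST1).
# Picking the first physical adapter that is Up is an assumption.
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1

# Task 1: static address, gateway and DNS from the lab (use .32 on LON-HOST2).
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 172.16.0.31 `
    -PrefixLength 16 -DefaultGateway 172.16.0.1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 172.16.0.10

# Task 2: the Hyper-V role plus Hyper-V Manager and the PowerShell module.
# -Restart performs the reboots the lab describes; no virtual switch is created.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# Task 3 (after the restarts): host-wide default for new virtual hard disks,
# then confirm the role state and the path.
Set-VMHost -VirtualHardDiskPath 'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
Get-WindowsFeature -Name 'Hyper-V*' | Select-Object Name, InstallState
Get-VMHost | Select-Object Name, VirtualHardDiskPath, VirtualMachinePath
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength
```

The keyboard setting from Task 3 is a Hyper-V Manager (VMConnect) preference and is not exposed through Set-VMHost, so it stays a console step.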

Question: What additional features are required to support the Hyper-V role?

Results: After completing this exercise, you will have deployed the Hyper-V role to a physical server.

Exercise 2: Configuring Virtual Networking

Scenario
After installing the Hyper-V server role on the new server, you need to configure the virtual networks that your manager specifies. You need to create a network that connects to the physical network and a private network that you can use only for communication between virtual machines. The private network is used when virtual machines are configured for high availability. You also need to configure a specific range of media access control (MAC) addresses for the virtual machines.
The main tasks for this exercise are as follows:

1. Configure the external network.

2. Create a private network.

3. Create an internal network.

Task 1: Configure the external network

1. In Hyper-V Manager, use the Virtual Switch Manager to create a new External virtual network switch with the following properties:
o Name: Corporate Network
o External Network: Mapped to the host computer's physical network adapter. Will vary depending on host computer.

Task 2: Create a private network

1. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following properties:
o Name: Private Network
o Connection type: Private network

Task 3: Create an internal network

1. In Hyper-V Manager, use the Virtual Switch Manager to create a new virtual switch with the following properties:
o Name: Internal Network
o Connection type: Internal network

Results: After completing this exercise, you will have configured virtual switch options on a physically
deployed Windows Server 2012 server that is running the Hyper-V role.

Exercise 3: Creating and Configuring a Virtual Machine

Scenario
You have been asked to deploy two virtual machines and to import a third virtual machine. You have copied a sysprepped VHD file that hosts a Windows Server 2012 Hyper-V host.

To minimize disk space use at the cost of performance, you are going to create two differencing files based on the sysprepped VHD. You use these differencing files as the hard-disk files for the new virtual machines.
You also will import a specially prepared virtual machine.

The main tasks for this exercise are as follows:

1. Configure virtual machine storage.

2. Create virtual machines.

3. Configure VLANs and network bandwidth settings.

4. Import a virtual machine.

5. Configure virtual machine dynamic memory.

6. Configure and test virtual machine snapshots.

X Task 1: Configure virtual machine storage
1. Use Windows Explorer to create the following folders on the physical host drive:
   o E:\Program Files\Microsoft Learning\Base\LON-GUEST1
   o E:\Program Files\Microsoft Learning\Base\LON-GUEST2
   Note: The drive letter may depend upon the number of drives on the physical host machine.
2. In the Hyper-V Manager console, create a virtual hard disk with the following properties:
   o Disk Format: VHD
   o Disk Type: Differencing
   o Name: LON-GUEST1.vhd
   o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
   o Parent Location: E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd
3. Open Windows PowerShell, import the Hyper-V module, and then run the following command (the
   paths contain spaces, so they must be quoted; the backtick continues the command on the next line):
   New-VHD -Path "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" `
   -ParentPath "E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd"
4. Inspect disk E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd.
5. Verify that LON-GUEST2.vhd is configured as a differencing virtual hard disk with
   E:\Program Files\Microsoft Learning\Base\Base12A-WS2012-RC.vhd as a parent.

X Task 2: Create virtual machines
1. Use the Hyper-V Manager console to create a virtual machine with the following properties:
   o Name: LON-GUEST1
   o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
   o Memory: 1024 MB
   o Use Dynamic Memory: Yes
   o Networking: Private Network
   o Connect Virtual Hard Disk: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\LON-GUEST1.vhd
2. Open Windows PowerShell, import the Hyper-V module, and then run the following command:
   New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB `
   -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" `
   -SwitchName "Private Network"
3. In the Hyper-V Manager console, edit the settings of LON-GUEST2 and configure the following:
   o Automatic Start Action: Nothing
   o Automatic Stop Action: Shut down the guest operating system
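Tasks 1 and 2 for LON-GUEST2 can be completed entirely in PowerShell, with a check after each step so that a wrong parent link or a VM attached to the wrong switch is caught before the guest is ever started. This is an added example, not part of the lab text; it assumes the lab's E: drive layout and that the Private Network switch from Exercise 2 exists.

```powershell
# Added example, not part of the 20417A lab: Tasks 1 and 2 for LON-GUEST2 done in
# PowerShell, with a check after each step. Assumes the lab's E: drive layout.
Import-Module Hyper-V

$base   = "E:\Program Files\Microsoft Learning\Base"
$parent = Join-Path $base "Base12A-WS2012-RC.vhd"
$vmDir  = Join-Path $base "LON-GUEST2"
$child  = Join-Path $vmDir "LON-GUEST2.vhd"

if (-not (Test-Path $parent)) { throw "Parent disk not found: $parent" }
New-Item -ItemType Directory -Path $vmDir -Force | Out-Null

# Differencing disk: only blocks the guest changes are written to the child. The parent
# must never be modified afterwards, or every child built on it becomes unusable.
New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

# Verify the disk type and the parent link (Task 1 step 5) rather than trusting the GUI.
$vhd = Get-VHD -Path $child
if ($vhd.VhdType -ne "Differencing" -or $vhd.ParentPath -ne $parent) {
    throw "$child is not a differencing disk of $parent"
}

# Create the VM on the isolated Private Network switch (Task 2 step 2).
New-VM -Name "LON-GUEST2" -MemoryStartupBytes 1024MB -VHDPath $child `
       -SwitchName "Private Network" -Path $vmDir | Out-Null

# Start/stop behaviour (Task 2 step 3): do not auto-start after a host reboot, and shut
# the guest down cleanly rather than save or turn it off when the host stops.
Set-VM -Name "LON-GUEST2" -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Verification of what was configured.
Get-VM -Name "LON-GUEST2" |
    Select-Object Name, State, AutomaticStartAction, AutomaticStopAction
Get-VMNetworkAdapter -VMName "LON-GUEST2" | Select-Object VMName, SwitchName
```

Run it from an elevated PowerShell session on the Hyper-V host. The Get-VHD check is the same verification as Task 1 step 5, expressed as a condition the script fails on instead of something to eyeball in Hyper-V Manager.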

X Task 3: Configure VLANs and network bandwidth settings
1. In Hyper-V Manager, use Virtual Switch Manager to configure the Internal Network virtual switch
   to use a VLAN ID of 4.
2. Configure the following properties for the network adapter on LON-GUEST2:
   o Virtual Switch: Internal Network
   o VLAN ID: 4
   o Enable DHCP guard
   o Enable router advertisement guard

Question: What kind of switch would you create if you added a new physical network
adapter to the Hyper-V host and wanted to keep this separate from the existing networks
you create during this exercise?
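The VLAN tagging and the two guard settings from Task 3 map directly onto Hyper-V cmdlets. The block below is an added example, not part of the lab text; it assumes LON-GUEST2 has a single network adapter and that the Internal Network switch already exists.

```powershell
# Added example, not part of the 20417A lab: Task 3 in PowerShell. Assumes LON-GUEST2
# has one network adapter and the "Internal Network" switch already exists.
Import-Module Hyper-V

$vmName = "LON-GUEST2"
$switch = "Internal Network"
$vlanId = 4

# Step 1: put the host-side adapter of the Internal switch into VLAN 4. -ManagementOS
# targets the host vNIC, whose name defaults to the switch name.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $switch -Access -VlanId $vlanId

# Step 2: connect the guest adapter to the Internal switch and tag it with VLAN 4 so the
# host and guest share the same tagged segment.
$nic = Get-VMNetworkAdapter -VMName $vmName
Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName $switch
Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $vlanId

# DHCP guard drops DHCP server replies that this VM sends; router guard drops its IPv6
# router advertisements and redirects. Both keep a misconfigured or compromised guest
# from taking over address assignment or default routes for other VMs on the switch.
Set-VMNetworkAdapter -VMNetworkAdapter $nic -DhcpGuard On -RouterGuard On

# Verification: switch, guard state and VLAN mode of the guest adapter.
Get-VMNetworkAdapter -VMName $vmName | Select-Object VMName, SwitchName, DhcpGuard, RouterGuard
Get-VMNetworkAdapterVlan -VMName $vmName
```

The guards are per-adapter, so they have to be applied to every guest that should not act as a DHCP server or router, not just to the switch; a single unguarded adapter on the same VLAN is enough to hand out rogue leases.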

X Task 4: Import a virtual machine
1. Perform the following task:
   o If you are using LON-HOST1, use the Hyper-V Manager console to import the virtual machine
     E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B.
   o If you are using LON-HOST2, use the Hyper-V Manager console to import the virtual machine
     E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-SVR1-B.
2. When importing, select the Register the virtual machine in-place option.

X Task 5: Configure virtual machine dynamic memory
Edit the properties of virtual machine LON-GUEST2, and then configure the following settings:
   o Startup RAM: 1024 MB
   o Enable Dynamic Memory
   o Minimum RAM: 512 MB
   o Maximum RAM: 2048 MB

X Task 6: Configure and test virtual machine snapshots
1. If you are using LON-HOST1, start and then log on to 20417A-LON-DC1-B. If you are using
   LON-HOST2, log on to virtual machine 20417A-LON-SVR1-B.
2. On the desktop of the virtual machine, create the following folders:
   o Sydney
   o Melbourne
   o Brisbane
3. Create a snapshot of the virtual machine named Before Change.
4. Delete the following folders on the desktop:
   o Sydney
   o Brisbane
5. Revert the virtual machine.
6. Verify that the following folders are present on the desktop:
   o Sydney
   o Melbourne
   o Brisbane
7. Delete all three folders from the desktop.
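The host-side parts of Tasks 4, 5 and 6 (register in place, dynamic memory, snapshot and revert) can be scripted as follows. This is an added example and not part of the lab text; it assumes you are on LON-HOST1, so the imported machine is 20417A-LON-DC1-B, and the configuration file name under the Drives folder is a placeholder you must replace with the actual .xml in the exported Virtual Machines folder. The folder changes inside the guest desktop remain a manual step in the VM console.

```powershell
# Added example, not part of the 20417A lab: Tasks 4 to 6 from the host side.
# Assumes LON-HOST1; the configuration .xml name below is a placeholder.
Import-Module Hyper-V

# Task 4: register in place. -Register leaves the exported files where they are
# instead of copying them, which is what the GUI's "in-place" option does.
$configXml = "E:\Program Files\Microsoft Learning\20417\Drives\20417A-LON-DC1-B\Virtual Machines\<vm-guid>.xml"  # placeholder
$imported = Import-VM -Path $configXml -Register

# Task 5: dynamic memory on LON-GUEST2. Enabling dynamic memory requires the VM to be
# off, so fail early rather than let Set-VMMemory error halfway through.
$guest = Get-VM -Name "LON-GUEST2"
if ($guest.State -ne "Off") { throw "LON-GUEST2 must be off to enable dynamic memory" }
Set-VMMemory -VMName $guest.Name -DynamicMemoryEnabled $true `
             -StartupBytes 1024MB -MinimumBytes 512MB -MaximumBytes 2048MB
Get-VMMemory -VMName $guest.Name | Select-Object DynamicMemoryEnabled, Startup, Minimum, Maximum

# Task 6: snapshot before the change, then revert. The snapshot captures disk and
# memory state, so the deleted desktop folders come back after the restore.
Start-VM -Name $imported.Name
Checkpoint-VM -Name $imported.Name -SnapshotName "Before Change"

# ... create Sydney, Melbourne and Brisbane, then delete Sydney and Brisbane inside the guest ...

Get-VMSnapshot -VMName $imported.Name -Name "Before Change" | Restore-VMSnapshot -Confirm:$false
Get-VMSnapshot -VMName $imported.Name | Select-Object Name, CreationTime
```

Reverting to a snapshot also rolls back anything the guest wrote since, including security event logs and patches, which is why snapshots are a test-lab convenience rather than a backup.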


Question: What state must the virtual machine be in to configure dynamic memory when
using Windows Server 2008 R2 as a host? How is this different from Windows Server 2012 as a
host?

Results: After completing this exercise, you will have deployed two separate virtual machines by using a
sysprepped virtual hard-disk file to act as a parent disk for two differencing disks. You also will have
imported a specially prepared virtual machine.

X To prepare for the next module

When you have finished the lab, leave the virtual machines running, as they are needed for the lab in
Module 9.

Module Review and Takeaways

Review Questions
Question: In which situations should you use a fixed-memory allocation rather than
dynamic memory?
Question: In which situations must you use virtual hard disks in VHDX format as opposed to
virtual hard disks in VHD format?
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard
disk on a file share. What operating system must the file server be running to support this
configuration?

Common Issues and Troubleshooting Tips

Common Issue                                     Troubleshooting Tip
Cannot deploy Hyper-V on x64 processor
Virtual machine does not use dynamic memory
Real-world Issues and Scenarios

You have 10 servers that run Windows Server 2008 with Hyper-V. You are planning to upgrade these
servers to Windows Server 2012 and want them to continue to run the Hyper-V role. What technology
should you verify that the processor supports before performing the upgrade?

Tools

Tool: The Sysinternals disk2vhd tool
Used for: Convert physical hard disks to VHD format
Where to find it: Microsoft TechNet website, http://technet.microsoft.com/en-us/sysinternals/bb842062

Tool: Virtual Machine Manager 2012
Used for: Manage virtual machines across multiple Hyper-V servers; perform online physical to virtual
conversions
Where to find it: Microsoft TechNet website, http://technet.microsoft.com/en-us/library/gg610610.aspx