These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good
standing.
MCT USE ONLY. STUDENT USE PROHIBITED
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any use of this
Licensed Content is at your sole risk. Microsoft gives no other express warranties. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights granted to you by the laws of your country if those
laws do not permit it to do so.
Course Description
This five-day course covers the basic skills and knowledge that are required in order to build a Windows
Server Infrastructure. It covers storage considerations and implementation, networking architecture and
topologies, security considerations and best practices, as well as basic Windows Server administration skills
and specific technologies such as Windows Server 2012 installation, configuration, maintenance and
performance. Within that it will also cover specific areas such as Active Directory Domain Services (AD DS),
Domain Name Services (DNS), Group Policy and many others. This course is needed as a first step in
preparing for a job in IT or as prerequisite training before beginning the Microsoft Certified System
Administrator (MCSA) training and certification path.
Audience
Candidates for this course are people who are starting out their career or looking to change careers into
Windows Server Technologies and need the fundamental knowledge to help them achieve that. It would
be of interest to home computer users, small business owners, academic students, information workers,
developers, technical managers, help desk technicians or IT Professionals who are looking to cross train
from an alternative technology.
Student Prerequisites
In addition to their professional experience, before attending this course, students must have:
• Knowledge of general computing concepts.
• Knowledge equivalent to the MTA exam 98-349: Windows Operating System Fundamentals.
Course Objectives
After completing this course, students will be able to:
• Identify and implement additional software components to enhance your organization’s security.
• Monitor a server to determine the performance level.
• Identify the Windows Server tools available to maintain and troubleshoot Windows Server.
Course Outline
The course outline is as follows:
In this module, students will learn how to describe fundamental network components and terminology,
thus enabling the student to select an appropriate network component in a particular scenario. After
completing this module, you will be able to:
• Describe physical network topologies and standards.
• Define local area networks (LANs).
• Define wide area networks (WANs).
• Describe wireless networking technologies.
• Explain how to connect a network to the Internet.
• Describe how technologies are used for remote access.
This module explores the functionality of low-level networking components, including switches and
routers. In addition, the module provides guidance on how best to connect these and other components
together to provide additional network functionality. After completing this module, you will be able to:
• Describe the industry standard protocol model.
• Describe routing technologies and protocols.
• Describe adapters, hubs, and switches.
• Describe wiring methodologies and standards.
About This Course xix
This module describes the requirements of a protocol stack and then focuses on the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol stack. After completing this module, you will be able to:
This module explains the functional requirements of a server computer and how to select and deploy
appropriate server roles to support these functional requirements. After completing this module, you will
be able to:
• Describe role-based deployment.
• Deploy role-specific servers.
• Describe deployment options for server roles.
• Implement best practices for server roles.
This module explains how, as a directory service, AD DS stores information about objects on a
network and makes this information available to users and network administrators. After completing this
module, you will be able to:
• Describe the fundamental features of AD DS.
• Implement AD DS.
• Implement organizational units (OUs) for managing groups and objects.
• Configure client computers centrally with Group Policy objects (GPOs).
This module explains how, in addition to file and share permissions, you can also use data encryption to
restrict data access. After completing this module, you will be able to:
• Identify security threats at all levels and reduce those threats.
• Describe physical security risks and identify mitigations.
• Identify Internet-based security threats and protect against them.
This module reviews the tools and concepts available for implementing security within a Microsoft
Windows infrastructure. After completing this module, you will be able to:
• Describe the Windows Server features that help improve the network’s security.
• Explain how to secure files and folders in a Windows Server environment.
• Explain how to use Windows Server encryption features to help secure access to resources.
This module explains possible threats when you connect your computers to a network, how to identify
them, and how to implement appropriate Windows network security features to help eliminate them.
After completing this module, you will be able to:
• Identify network-based security threats and mitigation strategies.
• Implement Windows Firewall to secure Windows hosts.
This module explains how an information technology (IT) administrator can account for and mitigate the
risks of malicious code, unauthorized use, and data theft. After completing this module, you will be able
to:
• Implement Windows Server® technologies and features that improve client security.
• Describe security threats posed by email and how to reduce these threats.
• Explain how to improve server security by using Windows Server security analysis and hardening
tools.
This module discusses the importance of monitoring the performance of servers, and how you monitor
servers to ensure that they run efficiently and use available server capacity. It also explains performance
monitoring tools to identify components that require additional tuning and troubleshooting, so that you
can improve the efficiency of your servers. After completing this module, you will be able to:
• Use the Event Viewer to identify and interpret Windows® Logs, and Application and Services
Logs.
• Measure system resource usage, identify component bottlenecks, and use monitoring tools such
as Performance Monitor.
This module explains the importance of system updates, how to troubleshoot the Windows Server boot
process, and how to implement high availability and recovery technologies to improve system availability.
After completing this module, you will be able to:
• Troubleshoot the Windows Server startup process.
• Implement high availability and recovery technologies to improve system availability.
• Explain the importance of system updates.
• Implement an appropriate troubleshooting methodology to resolve problems with Windows
Server.
Exam/Course Mapping
This course, 10967A: Fundamentals of a Windows Server Infrastructure, does not have a direct mapping to
any Microsoft exam, and taking this course does not guarantee passing any such exams.
This course does, however, cover some of the required content from the Microsoft Technology
Associate (MTA) exams listed below, and may be useful study material in preparation for those exams.
Further details are available on http://www.microsoft.com/learning
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s
needed.
• Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the
most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.
• Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not save
any changes. Labs in each module are independent of each other and require the virtual
machines to be in a clean state at the start of each module in order to function correctly. To
close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course.
Software Configuration
The following software is installed or available for use in the labs:
• Remote Server Administration Toolkit (RSAT) for Windows 8: Available as part of the lab files for
installation and use during the labs.
• Report Viewer 2008 SP1: Used for Windows Server Update Services reporting
synchronization.
• Microsoft® System CLR Types for Microsoft® SQL Server® 2012: Used as an example .msi installer for use
with AppLocker.
• Windows Server 2012 Evaluation Installation files: Used during the Windows Server 2012
installation lab.
Course Files
There are lab files associated with the labs in this course, which contain the software listed above and sample
files for use during the course labs. These lab files are located on the E:\ drive within the 10967A-LON-DC1
virtual machine.
Classroom Setup
Each classroom computer will have the same virtual machines configured in the same way.
Hardware Level 6
• DVD drive
• Network adapter
• Move your mouse to the lower right corner of the desktop to open a menu with:
Module1
Installing and Configuring Windows Server
Contents:
Module Overview 1-1
Module Overview
In order to have a server that fits the needs of your organization and that operates in an efficient and
consistent manner, specific steps and considerations have to be taken. A critical piece of a Windows
Server® operating system’s ability to operate successfully and efficiently is the initial installation of the
operating system and the configuration of the services and devices. These areas are covered in this
module.
Objectives
After completing this module, you will be able to:
• Describe Windows Server components and architecture.
• Configure services.
Lesson 1
Windows Server Architecture
Before you start to install and configure Windows Server, you must have a basic understanding of servers
and operating systems. You must also understand server components and how those components work
together. Understanding these basic concepts will help you make more informed decisions and have a
better understanding of how servers work.
Lesson Objectives
After completing this lesson, you will be able to:
What Is a Server?
A server is a computer that provides shared resources—such as files, printers, email messages, web services,
and databases—to network users. Unlike a client, whose primary role is performing tasks for the end-user who
is logged on locally to the computer, a server is responsible for serving many resources to the rest of the
network. Which resources the server provides is determined by the assignment of server roles. Server roles
define a server’s function such as Web Server, Application Server, File and Storage Service server, and Print
Server.
Servers also play a key role in maintaining the integrity of a computer network. Servers use authentication
and resource access rules to make sure that information and resources on the network are available only
to those who are authorized to use them. Servers also provide additional network-related services such as
assigning IP addresses, performing name resolution, or routing network traffic.
The main component to supplying these services in an effective manner is the server operating system.
The server operating system communicates with the server’s hardware to enable communication to occur
and data to be transferred internally between the various server components and externally to resources
that want to access information. A server operating system provides a centralized environment to manage
the server’s functionality and resources. It lets administrators interact with the server in a meaningful and
efficient way. Operating systems control the allocation and usage of hardware resources such as memory,
CPU time, disk space, and peripheral devices. An operating system is the foundation on which programs
and applications are built.
Question: What different functions might a server perform in a network environment?
Fundamentals of a Windows Server Infrastructure 1-3
• Motherboards
• CPU/processors
• Memory
• Hard disks
• Expansion devices
• Integrated peripherals
• Power supplies
• Cooling systems
• Keyboards
• Mouse devices
• Monitors
Generally, servers are a group of individual components. How these components interact and operate
determines the performance of the server. At its most basic level, the server consists of a series of resistors,
capacitors, semiconductors, and transistors, connected through conductive cabling.
The following topics cover some common components, such as the motherboard, CPU (or processor),
hard disk, random access memory, and network access. Understanding how these hardware components
are used by the operating system and how they interact with one another is an important step to
understanding how servers function.
Motherboard
The motherboard is the printed circuit board (PCB) that controls all the other components in a server. It is
typically the largest single physical component on which all other physical components are installed.
Motherboards can be very different from server to server and are built to accommodate particular
technologies or kinds of devices. Server motherboards can be housed in several different ways, such as the
following:
• Towers. Server motherboards can be mounted in a stand-alone box. This is known as a tower, much
as you might see in a desktop workstation. Desktop workstations are mainly used in small to medium-
sized businesses and are not usually centrally managed or configured.
• Racking or shelving units. Server motherboards can be mounted in single self-contained units.
These units can then be stacked in a rack or shelving unit. Typically racks and shelving units contain
multiple servers and are located in a secure server room. These servers can be managed by using a
single monitor or keyboard present in the racking unit, or remotely managed. Remotely managing
servers is most common in modern data center environments.
• Blade servers. Server motherboards can be mounted as “blade” servers. These are stripped-down
versions (no chassis) with just the motherboard and necessary components. This configuration is
becoming more common in data center environments because there are fewer components and the
blades can be quickly swapped out.
CPU or Processor
The CPU or processor is the computational, mathematical, and control unit of a computer. CPUs are
everywhere in modern devices, such as TVs, telephones, washing machines, cars, and refrigerators. The
processor is the component that executes instructions and, at its most basic level, is a layer of silicon with
millions of transistors, known as a core. Typically, CPUs in modern servers have more than one core or
separate CPUs built in to one device. Having two processors is known as dual core and having four
processors is known as quad core.
CPU performance can be measured in many ways. Factors such as memory cache size, bus width, and
number of transistors all affect CPU performance. Processor speed, or clock speed, measured in Hertz, is
probably the most common measurement used to differentiate CPUs.
CPUs can have either a 32-bit or 64-bit architecture. A 32-bit processor can directly address up to a
maximum limit of approximately 4 gigabytes (GB) of address space. A 64-bit processor can support up to
1,024 GB of both physical and addressable memory. Additionally, 64-bit systems can scale up (increase
processor cores and memory) more than 32-bit systems.
Not all software and operating systems can take advantage of a 64-bit architecture. Legacy applications
might require 32-bit architecture. The Windows Server 2012 operating system is available only in 64-bit
versions.
Windows Server requires a repository into which it can store and retrieve data. Modern servers typically
access some form of shared storage. This shared storage provides redundancy and is typically external to
the physical server. There are two primary competing physical elements that can be used:
• Disks. Hard disk drives (HDDs) have been used for a long time. They consist of circular disks and a
“head” that can read and write to the disks. The disks spin very quickly and the head accesses and
writes data as directed. This is much like an old vinyl record player, except a lot faster and able to
access different areas of the disk as needed. Disks can be stand-alone or attached together in an
array. Disks are categorized with two main metrics, as follows:
o Speed of access. This is defined by the bus technology, which can have a significant effect on
disk performance. Bus technologies are discussed in more detail in the next topic.
• Solid-state drives (SSD). These, as the name suggests, are based on semiconductors and have no
disks or mechanical components. There are no moving parts. SSDs have the same metrics as HDDs.
o Capacity. Have smaller capacities than HDDs, generally only up to several hundred megabytes.
SSDs are not as scalable and are usually more expensive than HDDs. This may change as the
technology evolves and becomes more common in the industry.
MCT USE ONLY. STUDENT USE PROHIBITED
Fundamentals of a Windows Server Infrastructure 1-5
o Speed of access. SSDs provide faster read and write access to data than HDDs because there is no
seek or rotational delay. An on-board controller manages reads and writes and spreads wear across
the flash cells. SSDs are still a relatively new technology in the server market.
Disk space is also used by the operating system and applications to cache items for quick access. Storage
costs generally have come down in recent times and the technologies implementing them are evolving.
This is transforming storage options for servers and for consumers.
Memory
Data that is stored on a storage device must be transferred into memory before it can be used, so server
memory has a significant effect on the number of concurrent tasks a server can perform. If multiple
applications or services are operating in parallel, the available memory can determine whether a particular
application will load and how long it will take to execute.
Typically, memory refers to the main memory or random access memory (RAM). It is called random
access because any location in the memory device can be read or written directly, in any order. However,
there are other kinds of memory, such as memory dedicated to graphics adapters or the caches built into
CPUs. Many devices also contain read-only memory (ROM), which holds firmware and cannot be changed
in normal operation.
There are different kinds of RAM, such as Synchronous Dynamic RAM (SDRAM), Double Data Rate
SDRAM (DDR SDRAM), and DDR2 SDRAM. Each kind of memory has its own characteristics. The memory
slots on the motherboard determine the kind of memory that is supported and how much memory is
supported. Terms you will see when specifying server memory include the following:
• Single inline memory module (SIMM). An older module form factor, and the matching motherboard
slot, available in 30-pin and 72-pin varieties. Modern servers use dual inline memory modules (DIMMs).
• Error-correcting code (ECC). Stores extra check bits with each word of data so that single-bit errors
are detected and corrected and double-bit errors are detected. ECC memory is standard in servers because
an undetected memory error can silently corrupt data.
• Registered memory. Places a register between the memory controller and the DRAM chips that holds
the address and control signals for one clock cycle before passing them on. This reduces the electrical load
on the controller, allows more modules per channel, and improves reliability, at the cost of slightly higher
latency.
• Buffered memory. Contains a buffer for the data signals as well, so that the module can cope when the
memory controller is driving more modules than it could otherwise handle. Fully buffered DIMMs
(FB-DIMMs) are an example. Buffered memory is more reliable and allows larger configurations.
Generally, more memory is better. With 64-bit chip architecture, you can have significant values of RAM.
Note: RAM is considered volatile because without power, all memory stored in it will be
lost.
Network
By definition, servers provide resources to clients. Therefore, network access is very important to server
performance. Although there might be some network components integrated into the motherboard,
network support within servers is provided through network adapters which are inserted into the
expansion slots of a server’s motherboard.
Many different network adapters are available, and much of a network adapter's functionality is
determined by the software that manages the transfer of data. Some features require support in the
adapter hardware itself. Single-root I/O virtualization (SR-IOV), for example, lets a physical adapter present
virtual functions directly to virtual machines, so their traffic bypasses the host's virtual switch and most
CPU intervention; it works only with adapters and firmware that implement SR-IOV. Other features are
implemented by the operating system and work with any adapter: NIC teaming, where multiple network
adapters are combined to provide redundancy and bandwidth, is built into Windows Server 2012, and
Multipath I/O (MPIO) provides the equivalent redundancy for paths to storage.
You need to be aware of the network functionality and network adapter functionality and what your
requirements are for transfer rates and feature sets. Ultimately poor network performance could lead to
very poor end-user experience.
Power Supply
As with any electrical device, servers require power. They need a regulated power supply and are very
sensitive to power surges or sudden drops in power. Either scenario can result in damaged components.
Therefore, most servers will have an uninterruptible power supply (UPS) as a backup power supply if there
is a sudden power failure, and a surge protector to prevent sudden spikes in electrical power.
Electronic components generate heat. This heat can cause an electronic component to fail and result in
damage or data loss. The heat can be “drawn off” or dissipated in several ways, such as the following:
• Use air or water. Typically, servers have fans that speed up and slow down to blow air across a hot
device to cool it down. You can also use water or other liquid-cooled mechanisms. But these are not
widely used. Liquid cooling systems must be carefully managed.
• Provide conduction or radiation. Putting heat sinks over CPUs can move heat away from the
device. Also, not positioning individual components over one another and leaving open space
between devices also helps dissipate heat.
Heat management is a significant consideration in modern data centers. Using fans can be very noisy and
require additional power consumption. This has additional costs.
o Serial Advanced Technology Attachment (SATA). Connects storage devices such as hard disk
drives and optical drives. Variations exist, such as external SATA (eSATA) and mini-SATA (mSATA).
SATA revision 2 provides speeds of up to 300 megabytes per second (MBps). SATA revision 3
provides speeds of up to 600 MBps.
o Serial-attached SCSI (SAS). Provides speeds of up to 300 MBps per lane in its first generation and
600 MBps in the second. Supports hot swapping, that is, replacing a drive without shutting down the
system.
o Peripheral Component Interconnect (PCI) and PCI Express (PCIe). Typically used to attach
expansion cards, such as network adapters and storage controllers, to a server. PCIe transfers roughly
250 MBps per lane in each direction in its first generation, and bandwidth scales with the number of
lanes (x1, x4, x8, x16) and with later generations.
o Universal serial bus (USB). Several versions are available. USB 3.0 signals at 5 gigabits per second
(Gbps), but in practice delivers a good deal less than that, of the order of several hundred MBps. Used
in many peripheral devices.
o Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1394. Also known as FireWire,
i.LINK, and Lynx. Supports speeds of 400 megabits per second (Mbps) and, in its later version, 800 Mbps.
Used in many peripheral devices, specifically multimedia devices.
o InfiniBand. A single data rate InfiniBand lane runs at 2.5 Gbps, and lanes are aggregated: 1x provides
2.5 Gbps, 4x provides 10 Gbps, and 12x provides 30 Gbps. Later generations multiply these per-lane
rates. InfiniBand is intended for use with high-speed storage, clustering, and cloud computing in
data centers.
• Parallel bus. Each bit of a data word travels over its own wire, so many bits are transmitted to the
destination at the same time over multiple connections and are reassembled into the word at the other end.
o Parallel ATA (PATA). Generally known as Integrated Drive Electronics (IDE) and in later versions
as Enhanced IDE (EIDE). Used for HDD connections. This is a legacy technology.
o Parallel SCSI. Used primarily for data storage with hard disk drives. It provides maximum transfer
rates of approximately 320 MBps (Ultra-320). This legacy technology was replaced by serial-attached SCSI.
o Industry Standard Architecture (ISA). This is legacy technology provided for a 16-bit bus.
Replaced by PCI.
Serial buses have generally replaced parallel buses and are currently more widely used in servers.
The internal bus types can be categorized by the type of information that they carry, such as the following:
• Address bus. An internal bus from the CPU to the memory that carries the addresses of data, not the
data itself. The address bus width determines how much memory is addressable: 32 address lines can
select 4 GB, which is where the 32-bit limit discussed earlier comes from.
• Data bus. An internal bus that connects the CPU and the memory (RAM), across which the actual data
is transferred. Its width determines how many bits move in each transfer.
• Control bus. A bus that carries the signals (such as read, write, and clock) that coordinate
communication between the CPU and memory.
Kernel Mode
Operating system components that require direct access to hardware run in kernel mode. For example,
file system drivers run in kernel mode and can access memory, CPU, bus technologies, and peripheral
devices.
Be aware that code running in kernel mode is not isolated from the rest of the kernel. If a driver running
in kernel mode reads or writes the wrong address, it can corrupt other parts of the operating system or
the applications that are running. The usual result is a fatal system error that displays a stop error, more
commonly known as a blue screen, because Windows cannot trust the state of the kernel after such a fault.
User Mode
User mode does not have direct access to the hardware and requests access through kernel mode.
When an application or service is started, it runs in its own process or private address space. So, each
application or service runs in isolation. If you open Task Manager and select the Details tab, a list of
processes and associated IDs will be displayed. Even where multiple instances of the same application are
running, each instance runs in isolation.
Running processes in isolation contains failures: if an application crashes, only that application stops, and
the other processes and the operating system continue to run.
If you right-click a process, you can raise or lower the priority level of the process. When two processes
are ready to run at the same time, the scheduler uses the priority level to decide which one gets the CPU
first. You can also set an affinity for an application so that it runs only on the specific processors that you
designate.
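The same priority and affinity settings that Task Manager exposes can be read and changed from Windows PowerShell, which is how you would script them on a Server Core installation. The following is an added example, not part of the course text; the process name (notepad) and the CPU numbers are assumptions, and changing processes owned by other users requires an elevated session.

```powershell
# Added example (not course code): inspect and adjust scheduling attributes of a
# user-mode process. Each process is its own isolated address space; these
# settings only influence how the kernel's scheduler shares the CPU between them.

function Get-ProcessSchedulingInfo {
    param([Parameter(Mandatory)][string]$Name)
    Get-Process -Name $Name -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Id            = $_.Id
            Name          = $_.ProcessName
            SessionId     = $_.SessionId
            PriorityClass = $_.PriorityClass
            # ProcessorAffinity is a bitmask: bit 0 = CPU 0, bit 1 = CPU 1, and so on.
            AffinityMask  = ('0x{0:X}' -f $_.ProcessorAffinity.ToInt64())
            WorkingSetMB  = [math]::Round($_.WorkingSet64 / 1MB, 1)
        }
    }
}

function Set-ProcessScheduling {
    param(
        [Parameter(Mandatory)][int]$Id,
        [System.Diagnostics.ProcessPriorityClass]$PriorityClass = 'BelowNormal',
        [int[]]$Cpu = @(0)      # logical processors the process is allowed to run on
    )
    # RealTime starves the rest of the system, including the kernel's own threads;
    # it is reserved for administrators and should not be used for ordinary services.
    if ($PriorityClass -eq 'RealTime') { throw 'Refusing to set RealTime priority' }

    $p = Get-Process -Id $Id -ErrorAction Stop
    $p.PriorityClass = $PriorityClass
    $mask = 0L
    foreach ($n in $Cpu) { $mask = $mask -bor (1L -shl $n) }
    $p.ProcessorAffinity = [IntPtr]$mask
    $p
}

# Usage: start a throwaway process, pin it to CPU 0 at low priority, then inspect it.
$np = Start-Process notepad -PassThru
Set-ProcessScheduling -Id $np.Id -PriorityClass BelowNormal -Cpu 0 | Out-Null
Get-ProcessSchedulingInfo -Name notepad | Format-Table -AutoSize
Stop-Process -Id $np.Id
```

Affinity changes take effect immediately; priority changes made this way do not survive a restart of the process, so for a service that must always run this way configure it in the service or application itself rather than in a script.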
Lesson 2
Installing Windows Server
The method by which you install Windows Server 2012 can vary, depending on your individual
environment and requirements. This lesson will introduce you to the key installation components and
considerations involved with installing Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Windows Server 2012 Standard. Provides all roles and features that are available on the Windows
Server 2012 platform. Supports up to 64 sockets and up to 4 terabytes (TB) of RAM. Includes two
virtual machine licenses. Suitable where there are low numbers of virtual servers being run.
• Windows Server 2012 Datacenter. Provides all roles and features that are available on the Windows
Server 2012 platform. Includes unlimited virtual machine licenses for virtual machines that run on the
same hardware. Supports 64 sockets, up to 640 processor cores, and up to 4 TB of RAM. Suitable where
there are lots of virtual machines being run.
• Windows Server 2012 Foundation. Designed for small business owners, allows only 15 users, cannot
be joined to a domain, and includes limited server roles. Supports one physical processor and up to 32
GB of RAM. Foundation is available only through original equipment manufacturers (OEMs). That is,
third-party manufacturers ship computers that have this edition, and the edition does not include rights
to run virtual machines or to run as a virtual machine on a Standard or Datacenter edition host.
• Windows Server 2012 Essentials. The successor to Windows Small Business Server 2011 Essentials.
Must be the root server in the domain. Is limited to 25 users and 50 devices. Supports two physical
processors and 64 GB of RAM. Does not contain all of the features and functionality of the Standard and
Datacenter editions. For example, the Hyper-V role is not available.
Note: Windows Server 2012 has a more simplified edition set than previous Windows
Server versions. Unlike earlier versions of Windows Server, there is no difference in features or
functionality between the Standard and Datacenter editions. The difference is only in licensing,
related to the number of virtual machines that you can run in Hyper-V. There is no Enterprise
edition.
Windows Server 2012 Standard and Datacenter are licensed in increments of two physical processors
(sockets); the number of cores in each processor does not affect the count. For example, if you are licensing:
• A two-processor server that has Windows Server 2012 Datacenter Edition, you buy one license.
• A four-processor server that has Windows Server 2012 Datacenter Edition, you buy two licenses.
• An eight-processor server that has Windows Server 2012 Datacenter Edition, you buy four licenses.
Most servers now have multiple processors, and the two-processor increment is meant to simplify the
licensing process. However, if you have an odd number of processors present, three processors for example,
you must buy the next available increment. This would be two licenses.
The Standard and Datacenter editions are the general-purpose deployment. The only differentiator is
whether you want to run many virtualized environments.
There are also other function-specific editions of Windows Server 2012 available, such as the following:
• Microsoft Hyper-V Server 2012. Available as a free download that contains just the Hyper-V role
and some other virtualization-related functionality, such as failover clustering and storage features. It
does not contain other features and functionality present in Standard and Datacenter editions.
Therefore, it has a smaller installation footprint, and also does not include any guest licenses. It is very
useful in running Linux virtual machines or in a Virtual Desktop Infrastructure (VDI) environment,
where clients and other operating systems are licensed separately.
• Windows Storage Server 2012. This is a storage-specific edition that is available through OEMs only,
and is intended as a storage specific product that supports complex storage requirements to be run
with the third-party manufacturers’ dedicated hardware and drivers.
Note: Windows Server 2012 runs only on x64 processor architecture. Unlike earlier versions
of Windows Server, there is no support for x86 or Itanium-based processor architecture.
More information about the differences between the Windows Server 2012 editions can be
found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=266736
Installation Methods
Various methods exist for installing Windows Server. These methods are determined primarily by the
media from which the operating system is installed. Depending on your installation scenario and the
availability of specific hardware or the degree of physical access to the server, several general methods
exist to make sure that Windows Server can be installed in any situation.
• Local media. The standard and simplest method of installing Windows Server 2012 is using local
media. Windows Server can be installed locally by using an installation DVD inserted into the DVD drive
of the server or run from a USB flash drive attached to the computer.
• Network share. Windows Server 2012 can also be installed from a shared location on the network.
This allows for installation on servers where only remote access is available or for servers that do not
have a DVD drive or USB ports available to support a local media installation. Network share
installations also allow for multiple servers to use the same copy of the installation files at the same
time. So you do not have to have multiple DVDs or USB flash drives.
Media Considerations
virtualized installations.
• Start in virtual hard disk (VHD). You can boot directly into a VHD or VHDX file that has the operating
system already installed in it. This is known as "native boot" or "boot from VHD". VHD and VHDX files
are writable, so the installation files inside them can be updated.
• Network share. You can start a server from installation files that are hosted on a network share. This
is slower than Windows Deployment Services. If you already have access to DVD or USB media, it is
simpler to use those for operating system deployment.
• Windows Deployment Services. Allows for multiple concurrent installations of Windows Server 2012
with .wim or .vhd files, multicast network transmissions, the Windows Automated Installation Kit (AIK),
and client Pre-Boot Execution Environment (PXE) startups.
There are other automated options to deploy Windows Server 2012, such as Microsoft® System Center
Configuration Manager and System Center Virtual Machine Manager (VMM). These are dedicated
enterprise server management or virtualization management products and are not covered in this course.
They allow for multiple servers to be deployed across different environments and allow for customization.
Note: An answer file automates Windows setup. This file enables the configuration of
Windows settings, the addition and removal of components, and many Windows setup tasks,
such as disk configuration.
Question: Why is it important to be able to change the installation files on a writable media
type?
Note: You can only upgrade in place to an equivalent or newer edition of Windows Server 2012
from x64 versions of Windows Server 2008 (with SP2) and Windows Server 2008 R2 (with SP1). Windows
Server 2003, Windows Server 2003 R2, and any x86 version cannot be upgraded in place; use a migration
instead.
Migration
A migration install is characterized by the backing up of data or settings from an existing server
installation and erasing or overwriting that server by using a new installation of Windows Server 2012. The
backed-up data or settings are then restored to the newly installed server. This kind of migration
installation is typically used when the data and settings involved can easily be backed up and you do not
have to maintain the complete configuration of the existing server. Or, a migration can also involve the
installation of Windows Server 2012 on a new physical server and transferring the settings and
applications from the original server to the new one.
This method has the benefit of leaving the old server completely intact should the need arise to roll back
to the old configuration. It does, however, involve a lot of planning to make sure that all relevant data and
settings from the old server are transferred to the new server.
Note: Use migration when you migrate from an x86 version of Windows Server 2008,
Windows Server 2003, or Windows Server 2003 R2 to Windows Server 2012. You can use the
Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings.
• Graphical Management Tools and Infrastructure. This also contains a minimal server interface but
has some GUI components to provide some server management UI tools, such as Server Manager and
Administrative Tools.
• Server Graphical Shell. Contains the full GUI. This includes Windows Internet Explorer®, File Explorer,
and other UI components. This has a larger footprint than the Graphical Management Tools and
Infrastructure option.
Reducing the GUI component down to the minimum required to manage the server serves several
functions, such as the following:
• Reduced servicing overhead. Fewer updates are required for installation. This means less downtime
and less administrative overhead testing and deploying updates, in addition to reduced restart
requirements.
• Reduced administrative overhead. Fewer updates means that there will be less administrative
overhead testing and deploying updates.
• Reduced resource overhead. Disk space and memory requirements are reduced by removing files
that are not needed.
• Reduced attack surface. Fewer files are installed. This means a smaller server install footprint
exposed to potential security threats. Also, without a GUI, it limits a local user’s ability to interact with
it.
When installation is complete in a Windows Server 2012 Server Core installation, you will know it is a
Server Core installation by the presence of a command-line window without a Start menu or other GUI
components visible.
A Windows Server 2012 Server Core installation can be managed locally by using several options, such as
the following:
• Command-line tools. Traditional command-line tool commands such as netsh.
• Windows PowerShell®. By typing PowerShell in the command-line tool, you start Windows
PowerShell mode and can run Windows PowerShell commands.
A Windows Server 2012 Server Core installation can be managed remotely by using the following
methods:
• Server Manager. From another Windows Server 2012 server using Server Manager, which allows for
remote and multiple server management.
• Remote Server Administrative Tools for Windows 8 (RSAT for Windows 8). By installing the
RSAT for Windows 8 and managing from a Windows 8 client.
Note: Windows Server 2012 can only be managed through RSAT on Windows 8. Similarly,
Windows Server 2008 can only be managed by using the RSAT on Windows 7 clients. RSAT is
version and operating system–specific.
• Windows PowerShell. By using WinRM capabilities, you can remotely manage single or multiple
Windows Server 2012 servers by using Windows PowerShell.
• Microsoft Management Console (MMC). By adding the remote server to the individual MMC on
another server.
All GUI elements are removed from a Server Core installation except for those in the following list:
Note: In Windows Server 2008, performing a Server Core installation was a one-way event.
That is, you could not install the GUI after a Server Core installation and you could not change
between the GUI and non-GUI environments. Only in Windows Server 2012 is it possible to add
and remove the GUI components as you need.
Adding or removing the GUI components requires a restart of the server.
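The GUI layers described above are ordinary Windows features, so you can see which are present and move between Server Core, the minimal interface and the full GUI from Windows PowerShell. This is an added example, not part of the course text; the feature names are the real Windows Server 2012 feature IDs, and the WIM path used as an install source is an assumption. Run it in an elevated PowerShell session.

```powershell
# Added example (not course code): report and change the GUI level of a
# Windows Server 2012 installation.
Import-Module ServerManager

$guiFeatures = 'Server-Gui-Mgmt-Infra',  # Graphical Management Tools and Infrastructure
               'Server-Gui-Shell',       # Server Graphical Shell (full GUI)
               'Desktop-Experience'      # client-style extras; rarely justified on a server

function Get-GuiLevel {
    $installed = Get-WindowsFeature -Name $guiFeatures |
        Where-Object Installed | Select-Object -ExpandProperty Name
    if ('Server-Gui-Shell' -in $installed)           { return 'Full GUI' }
    if ('Server-Gui-Mgmt-Infra' -in $installed)      { return 'Minimal Server Interface' }
    return 'Server Core'
}

# InstallState distinguishes "Available" (payload on disk, feature off) from
# "Removed" (payload deleted with -Remove, so a -Source is needed to reinstall).
Get-WindowsFeature -Name $guiFeatures |
    Format-Table Name, DisplayName, Installed, InstallState -AutoSize
"Current interface level: $(Get-GuiLevel)"

# Reduce attack surface but keep Server Manager available locally (Minimal Server
# Interface). -Remove also deletes the binaries from the component store, which is
# what actually shrinks the footprint; without it the files stay on disk.
# Uninstall-WindowsFeature -Name Server-Gui-Shell, Desktop-Experience -Remove -Restart

# Go all the way to Server Core:
# Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Remove -Restart

# Add the GUI back later. -Source is required only if the payload was removed;
# "wim:<path>:<index>" points at the matching image in the installation media
# (path and index are assumptions for this example).
# Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell `
#     -Source wim:D:\sources\install.wim:2 -Restart
```

The uninstall and install lines are commented out because each one restarts the server; uncomment the one you want after confirming the reported level.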
Question: In what situations might a Server Core installation be used instead of a full
installation of Windows Server 2012?
Demonstration Steps
1. Open Server Manager.
5. Use Windows PowerShell commands to view the Windows features that install or uninstall the
GUI components of the server.
6. Switch to the LON-SVR3 virtual machine and, using Windows PowerShell, view the list of installed
features.
Note: Minimum requirements are just that; a minimum. In a production environment, the
hardware that is used for a server should always be appropriately scaled to meet the resource
requirements for the server operating system, installed roles, features and applications and,
typically, future growth.
In addition, specific features might have to be configured on the server hardware to support Windows
Server 2012. For example, basic input/output system (BIOS)–level virtualization settings must be enabled
for the Hyper-V virtualization role to run.
Also, some hardware that is used during the installation process (typically hard disks) might not have
device driver support built into Windows Server 2012. In these cases, the device driver must be preloaded
before installation or a copy of the media that contains the driver must be available during installation.
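Whether a server meets the points made in this module (a 64-bit processor, virtualization extensions enabled in the BIOS for Hyper-V, ECC memory, enough RAM) can be checked before installation or before adding the Hyper-V role. The following is an added example, not part of the course text; it serves the CPU and memory topics earlier in the module as well as this one. The thresholds in $minimum are assumptions, and the processor properties it reads are reported by Windows 8 and Windows Server 2012 and later, so run it from a Windows PE or existing Windows Server 2012 session.

```powershell
# Added example (not course code): hardware readiness check for Windows Server 2012.
$minimum = @{ MemoryGB = 2; LogicalProcessors = 2 }   # assumptions; adjust per role

function Get-ServerHardwareReadiness {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpus = @(Get-CimInstance Win32_Processor)
    $mem  = @(Get-CimInstance Win32_PhysicalMemoryArray)

    # Hyper-V needs hardware virtualization turned on in firmware and SLAT.
    # Both are exposed per socket, so every processor must report $true.
    $virt = $cpus | ForEach-Object {
        [bool]$_.VirtualizationFirmwareEnabled -and [bool]$_.SecondLevelAddressTranslationExtensions
    }

    # MemoryErrorCorrection: 6 = multi-bit ECC, 5 = single-bit ECC, 3 = none.
    $ecc = ($mem | ForEach-Object { $_.MemoryErrorCorrection -in @(5, 6) }) -contains $true

    [pscustomobject]@{
        Model             = "$($cs.Manufacturer) $($cs.Model)"
        Architecture      = if ($cpus[0].AddressWidth -eq 64) { 'x64' } else { 'x86 (unsupported)' }
        Sockets           = $cpus.Count
        LogicalProcessors = $cs.NumberOfLogicalProcessors
        MemoryGB          = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        EccMemory         = $ecc
        HyperVCapable     = ($virt -notcontains $false)
    }
}

function Test-ServerHardwareReadiness {
    $h = Get-ServerHardwareReadiness
    $problems = @()
    if ($h.Architecture -ne 'x64') { $problems += 'Windows Server 2012 requires an x64 processor' }
    if (-not $h.HyperVCapable)     { $problems += 'Enable virtualization extensions and SLAT in the BIOS/UEFI before adding the Hyper-V role' }
    if (-not $h.EccMemory)         { $problems += 'Memory is not ECC; memory errors will go undetected' }
    if ($h.MemoryGB -lt $minimum.MemoryGB) {
        $problems += "Only $($h.MemoryGB) GB of RAM; the assumed minimum is $($minimum.MemoryGB) GB"
    }
    if ($h.LogicalProcessors -lt $minimum.LogicalProcessors) { $problems += 'Too few logical processors' }

    $h | Format-List
    if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Hardware checks passed' }
}

Test-ServerHardwareReadiness
```

Inside a virtual machine the virtualization flags are normally reported as off, so the Hyper-V warning is expected there; on physical hardware it means the BIOS setting mentioned above has not been enabled.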
Also, make sure that you back up all pertinent data if you are installing Windows Server 2012 in an
upgrade or migration scenario.
4. Select Install Now or Repair Your Computer. Use the repair option if your operating system is
corrupted and you can no longer start in Windows Server 2012.
9. Wait for the installation files to install. The computer will restart several times.
After initial setup is complete, Windows Server 2012 starts for the first time and presents options for
additional configuration.
Note: The Windows Server 2012 installation bits you are using in this course are Evaluation,
or “Eval”, bits. Therefore, you are not required to insert a product key as part of the installation
process. However, for all other bit types, such as Retail or Volume License, you have to insert a
product key during setup and activate the software.
The product key comes in the format XXXXX-XXXXX-XXXXX-XXXXX-XXXXX (five groups of five characters),
and will be available through the mechanism by which you obtained the software installation bits. If the
software is not activated, there will be reduced functionality and eventually the software will no longer
function.
Post-Installation Configuration
After installation, several tasks have to be performed. These include time zone and clock settings, network
configuration, setting a unique computer name and domain membership, configuring Windows Update
settings, adding server roles and features, changing Remote Desktop settings, and configuring Windows
Firewall settings.
• Set the time zone. It is important to configure the time zone because many network-related services
do not function correctly if the computer clocks of networked computers are too much out of sync.
• Configure the network settings. By default, both IPv4 and IPv6 are configured to obtain an IP
address automatically. Most server installations will use static IP address information.
• Configure computer name and domain membership. By default, the computer name is
automatically generated. The suggested name might not comply with organizational standards that
your organization requires. By default, the computer is assigned membership of a workgroup. In most
cases, the computer will have to be joined to a domain.
• Enable automatic updating and feedback settings. By default, automatic updates are disabled and
Windows error reporting is turned off.
• Download and install updates. Make sure that the computer is up to date with urgent and security-
related updates.
• Add roles. A role refers to the primary function of the server, as enabled by the grouping of features
and services that the server administrator specifies. Examples of a server role include Domain Name
System (DNS) and Web Server. By default, no roles are installed.
• Add features. Features are independent components that frequently support role services or support
the server directly. For example, Windows Server Backup is a feature. By default, no features are
installed.
• Enable Remote Desktop. By default, Remote Desktop is disabled in Windows Server 2012.
• Configure Windows Firewall. By default, the computer is connected to a public network location
and Windows Firewall is enabled, by using the public location profile.
In a deployment situation, many of these tasks are completed during the deployment process by using
answer files.
Note: In a Server Core installation, many GUI elements are removed. Therefore, Server Core
post-installation configuration must be done locally by using the command line, the
sconfig.cmd tool, or remotely by using MMC on another computer. This additional effort
required for configuration makes Server Core installations excellent candidates for using answer
files for automated configuration in a deployment scenario.
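The post-installation tasks listed above can be scripted, which is what you would do on a Server Core installation or when an answer file did not cover everything. The following is an added example, not part of the course text; every value in the $cfg table (time zone, adapter name, addresses, computer name, domain) is an assumption for illustration. Run it from an elevated PowerShell session on the new server; the final step restarts it.

```powershell
# Added example (not course code): post-installation configuration of a fresh
# Windows Server 2012 installation, in the order the tasks are listed above.
$cfg = @{
    TimeZone  = 'GMT Standard Time'
    Adapter   = 'Ethernet'
    IPAddress = '10.10.0.20'
    Prefix    = 24
    Gateway   = '10.10.0.1'
    Dns       = @('10.10.0.10', '10.10.0.11')
    Name      = 'LON-SVR3'
    Domain    = 'adatum.com'
}

# 1. Time zone. tzutil exists on Server Core; Set-TimeZone only arrived in later PowerShell versions.
tzutil.exe /s $cfg.TimeZone

# 2. Static IPv4 configuration. Turn off DHCP and clear the address and default
#    route it assigned, otherwise New-NetIPAddress fails with "DefaultGateway already exists".
Set-NetIPInterface -InterfaceAlias $cfg.Adapter -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $cfg.Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $cfg.Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $cfg.Adapter -IPAddress $cfg.IPAddress `
    -PrefixLength $cfg.Prefix -DefaultGateway $cfg.Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $cfg.Adapter -ServerAddresses $cfg.Dns

# 3. Automatic updates. NotificationLevel 4 = download and install on schedule.
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$au.Settings.NotificationLevel = 4
$au.Settings.Save()

# 4. Remote Desktop: allow connections, require Network Level Authentication so
#    that unauthenticated clients never reach the logon screen, and open the
#    firewall rule group that ships with Windows rather than writing a custom rule.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Keep Windows Firewall on for every profile. The domain join below moves the
#    adapter from the Public profile to the Domain profile automatically.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 6. Roles and features: nothing is installed by default, so add only what this
#    server needs. Windows Server Backup is the feature example from the list above.
Install-WindowsFeature -Name Windows-Server-Backup | Out-Null

# 7. Computer name and domain membership. Prompt for the join credential instead
#    of embedding a password in the script; -Restart completes the join.
$cred = Get-Credential -Message "Account permitted to join computers to $($cfg.Domain)"
Add-Computer -DomainName $cfg.Domain -NewName $cfg.Name -Credential $cred -Restart -Force
```

Because step 2 changes the address of the adapter you may be connected through, run the script from the console (or an out-of-band management connection) rather than over the network.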
More information about Windows Deployment Services can be found at the following
webpage:
http://go.microsoft.com/fwlink/?LinkID=309134
Demonstration Steps
1. Set the time zone.
• Windows Deployment Services client components. The client components run on the computers
that the operating system is being deployed to. They enable the computer to communicate correctly
with the Windows Deployment Services server and determine which operating systems are available
for deployment.
A typical Windows Deployment Services deployment of Windows Server involves the following steps:
1. Build image file(s). Windows Deployment Services in Windows Server 2012 uses Windows Imaging
Format (WIM) or VHD file types to package operating system files for deployment. Both file types
allow for a single file to contain all the information that you must have to deploy one or several
versions of an operating system. These images are copied to deployed computers and unpackaged
on the computer’s hard disk into a ready-to-run version of the operating system. The operating
systems in the following table are supported for deployment with Windows Deployment Services in
Windows Server 2012.
Client Server
2. Build unattended answer file(s). Windows Deployment Services lets you automate operating
system installation during deployment by using unattended answer files. This provides information to
the deployment process about various configuration options available. These files allow for an
administrator to deploy the operating system without any intervention or manual entry of
information during the deployment process. These files can be reused or customized for multiple
deployments.
4. Initiate installation from client. When a computer loads a Windows Deployment Services boot
image (typically from DVD or by booting from the network), Windows Deployment Services displays a
list of available images for deployment. After an image is selected, the deployment process is
initialized and the Windows Deployment Services server begins unpacking the image file onto the
new computer.
Some general tools that can be used or that you might see as part of the Windows Deployment Services
process are as follows:
• WDSUtil.exe. Command-line tool that is used for managing your Windows Deployment Services
server.
• Sysprep.exe. Command-line tool that reconfigures the installed operating system files so that when
the computer is first run, it will be displayed as a new installation to end users.
• Windows PowerShell. Windows PowerShell cmdlets are available for Windows Deployment Services
in Windows Server 2012.
• Deployment Image Servicing and Management (DISM). Allows for creation and manipulation of
.wim and .vhd files before deployment.
• Windows System Image Manager (WSIM). Allows for creation and management of answer files.
• OSCDIMG. Command-line tool for creating an image file (.iso) of a customized 32-bit or 64-bit
version of Windows PE.
• Volume Activation Management Tool (VAMT). Allows for management of the activation process
across multiple image deployments.
• Application Compatibility Toolkit (ACT). Allows for identification of applications that are
potentially incompatible with Windows Server 2012.
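Two of the tools above, DISM and WDSUtil, are enough to turn the install.wim from the media into a Windows Deployment Services image that already carries a storage driver setup would otherwise lack (the driver problem noted earlier under hardware requirements). The following is an added example, not part of the course text; the paths, the image index and the image group name are assumptions, and the WDS server is assumed to be installed and initialized. Run it elevated on the WDS server.

```powershell
# Added example (not course code): service a Windows Server 2012 install image
# offline with DISM, then publish it with WDSUtil.
$wim      = 'D:\sources\install.wim'   # assumption: Windows Server 2012 media
$mountDir = 'C:\Mount'                 # assumption: scratch directory on the WDS server
$drivers  = 'C:\Drivers'               # assumption: vendor .inf/.sys files for a RAID controller
$group    = 'Server2012'               # assumption: WDS image group

# 1. List the editions in the WIM. The index selects one of them; confirm the number
#    from this listing, because it differs between media builds.
Import-Module Dism
Get-WindowsImage -ImagePath $wim | Format-Table ImageIndex, ImageName, ImageDescription -AutoSize
$index = 2                              # assumption: Standard (Server with a GUI) on this media
$name  = (Get-WindowsImage -ImagePath $wim -Index $index).ImageName

# 2. Mount the image read/write, inject the drivers, and commit the change into the WIM.
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
dism.exe /Mount-Image /ImageFile:$wim /Index:$index /MountDir:$mountDir
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }
try {
    # Unsigned drivers are refused unless /ForceUnsigned is given; do not add it
    # for a production image, because the driver runs in kernel mode on every server built from it.
    dism.exe /Image:$mountDir /Add-Driver /Driver:$drivers /Recurse
    if ($LASTEXITCODE -ne 0) { throw "Add-Driver failed with exit code $LASTEXITCODE" }
    dism.exe /Image:$mountDir /Get-Drivers      # review what will ship in the image
}
finally {
    # /Commit writes the changes back; replace with /Discard if a step above threw.
    dism.exe /Unmount-Image /MountDir:$mountDir /Commit
}

# 3. Publish the single edition to Windows Deployment Services. /SingleImage picks
#    one image out of a multi-image WIM; /Name is what clients see at PXE boot.
wdsutil.exe /Verbose /Progress /Add-Image /ImageFile:$wim /ImageType:Install `
    /ImageGroup:$group "/SingleImage:$name" '/Name:WS2012 Standard GUI with RAID drivers'
```

Service a copy of the WIM rather than the media itself, and keep a record of which drivers went into which image: an image with a bad driver fails on every server deployed from it, not on one.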
Question: In what situations would a Windows Deployment Services server be used by an
organization? In what situations would a Windows Deployment Services Server not be
efficient to implement?
Lesson 3
Configuring Services
In Windows Server 2012, services provide the functionality for the core of the operating system. Services
provide the framework on which Windows roles and features are built. Effectively managing these services
is critical to the efficient and reliable operation of Windows Server.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a service.
What Is a Service?
In Windows Server 2012, a service or service application is a long-running executable that performs a
specific function and requires no user intervention. Where an application might be started and closed
many times by a user over any given time, a service will typically remain running for the whole time that
the operating system is running, unless directed to do otherwise by the operating system or associated
applications. Services typically consist of an executable file and a directory for storing service components.
Service Examples
Services are responsible for most of Windows Server functionality. Some common services and their
primary functions are as follows:
• Windows Error Reporting. Enables errors to be reported when programs stop working or
responding.
Note: As a best practice, you should disable all services except those that are required by
the roles, features, and applications that are installed on the server.
Service Startup
Unlike applications that are executed by the user on an as-needed basis, the execution of services is
controlled by the operating system or related software applications. Each service is initialized at the
startup of the computer according to its startup type. Startup types are as follows:
• Automatic (Delayed). Starts the service on a timed delay after system start. This is used to speed up
system startup time in some cases, or to force the service to wait until any services that it depends on
have started.
You can manage services through the Services console. This is available in Server Manager on the Tools
menu. Each service can be configured for different recovery options. For example, the first time that the
service fails, just try to restart the service. By default, each service is run by the Local System account. This
logon account can be changed to restrict and control what the service is allowed to do.
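The paragraph above describes three knobs an administrator reviews on every server: which services start automatically, which account each one runs under, and what happens when one fails. The following Windows PowerShell script is an added example (it is not part of the courseware) that reports all automatically started services together with their logon account, and then stops and disables a service the way the lab later does for the Print Spooler. It assumes a Windows Server 2012 host with the default Win32_Service WMI class available; the function names and the -ComputerName parameter are my own.

```powershell
# Added example, not courseware code. Assumes a Windows Server 2012 host.
# Win32_Service exposes StartMode (Auto/Manual/Disabled), StartName (the logon
# account) and State, which is exactly what the Services console shows per service.
function Get-ServiceAccountReport {
    param([string]$ComputerName = $env:COMPUTERNAME)   # assumed parameter name

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, StartMode, StartName,
            # 'LocalSystem' is the default account; flag it so the most privileged
            # services are easy to pick out when tightening logon accounts.
            @{ Name = 'RunsAsLocalSystem'; Expression = { $_.StartName -eq 'LocalSystem' } } |
        Sort-Object @{ Expression = 'RunsAsLocalSystem'; Descending = $true }, Name
}

# Stop a service that the server's roles do not need and keep it from starting
# again after a restart. -WhatIf shows the change without making it.
function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop and set startup type to Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
        Set-Service -Name $Name -StartupType Disabled
    }

    # Return the resulting state so the change can be verified or logged.
    Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode, StartName
}

# Recovery option from the text ("the first time the service fails, just restart it"):
# sc.exe sets the failure actions; the delay is in milliseconds and the failure
# counter resets after 86400 seconds (one day).
#   sc.exe failure Spooler reset= 86400 actions= restart/60000

# Usage:
#   Get-ServiceAccountReport | Format-Table -AutoSize
#   Disable-UnneededService -Name Spooler -WhatIf
#   Disable-UnneededService -Name Spooler
```

Run the report first and disable services only after confirming, against the installed roles and features, that nothing depends on them; the service dependencies discussed later in this lesson are the usual reason a disabled service breaks something else.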
Demonstration Steps
1. Open the Services tool.
Troubleshooting Services
Because of the important nature of Windows services, service failure or service-related problems can cause various forms of operating instability. These issues have to be diagnosed and resolved quickly in order to maintain consistent system operation.
Note: It is not uncommon for administrators to forget passwords associated with service
accounts. This can lead to significant problems when you upgrade or configure specific services
or environments. It is also common for such passwords to be overly simplistic, to be reused across
different servers and services, and never to be changed. Windows Server 2012 introduced Managed
Service Accounts. These are “special” accounts to be used with services, for which the passwords are
automatically changed periodically.
• Service dependencies. Many services run as a solitary application, unrelated to any other services. In
other cases, a service might depend on the successful operation of other services to enable it to
correctly start. If one of these dependency services fails, it could also cause the dependent service not
to start.
• Corrupted or missing files. If the files that you must have for a service’s execution are missing or
corrupted, the service might not start or it might behave unpredictably.
Several different methods and tools exist to help with troubleshooting services in Windows Server:
• Safe mode. The safe mode boot feature is available when pressing the F8 key as the operating
system starts. Safe mode loads the minimal set of services that are required for the operating system
to run and could enable the repair, removal, or disabling of failing services that are preventing
Windows from starting correctly.
• Last Known Good Configuration. Also accessed by pressing the F8 key as the operating system
starts, Last Known Good Configuration restores operating system settings contained in the registry as
they were the last time that the computer started correctly.
• MSConfig.exe. MSConfig, or the Microsoft System Configuration Utility, is a graphically based utility
that can be used to change and troubleshoot the Windows startup process. It gives the user a
detailed level of control over which aspects of the operating system are enabled when the system
starts. It also allows for more specific control over services and the separation of native services from
third-party installed services.
Lesson 4
Configuring Devices and Device Drivers
Many individual components combine to provide the computer hardware on which Windows Server runs.
Disk drives, processors, memory, keyboards, monitors, network adapters, printers, scanners, and many
other components play an important role in providing the functionality that you must have for a server to
perform its duties.
The correct management and maintenance of these components means that the server components work
cohesively to provide correct functionality.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a device.
• Describe typical settings required for a device.
What Is a Device?
A device is a hardware component that performs a specific function and is installed in or attached to a computer.
Devices work together to provide a computer’s complete functionality, and a single malfunctioning device
can affect the performance of other devices or the computer.
• Direct memory access (DMA) channel. DMA enables certain devices attached to the computer to
directly access the computer’s memory without using the computer’s processor. Typically, each device
that uses DMA must have a unique DMA channel assigned to it.
• Interrupt request (IRQ) line. IRQ lines are used to send interrupt requests to a computer’s processor
when a device requires processor use.
• Input/Output range. Input/Output range specifies the range of addresses in memory that a device
uses to send and receive information between the device and Windows. A device’s input/output
range must be unique to that specific device.
• Memory range. Memory range refers to the specific physical memory address in the computer that a
device has reserved for its general use. A device’s memory range must be unique to that specific
device.
Note: The value for each of these settings for a particular device can be viewed in Device
Manager by clicking the Resources tab of the device’s Properties window.
Although some devices still require manual configuration of hardware settings, most computers and
computer devices use Plug and Play technology for device settings. With Plug and Play, new hardware is
discovered by the computer after it is installed. The computer, together with the computer’s operating
system, automatically assigns and tracks the resources necessary for the device to function, avoiding
conflict with other devices already installed in the computer. This functionality eliminates manual device
configuration and avoids unintended settings conflicts associated with manual configuration.
Windows Server fully supports Plug and Play devices and drivers. To support Plug and Play, devices must
meet the following requirements:
• Be uniquely identified.
Note: Plug and Play technology has existed for many years. Most current devices support
Plug and Play; very few devices still require resource settings to be configured manually.
Driver Staging
Additionally, device drivers can be installed into Windows Server 2012 and “staged” for future use. When
a driver is staged, the driver files are stored within Windows and treated as part of the original set of
drivers native to the operating system. This lets devices that use the driver be recognized
immediately and have their driver installed automatically, without requiring user intervention such as
specifying a driver location or checking a manufacturer’s website.
Note: Device drivers are built for a specific processor architecture type. 64-bit device
drivers will work only on a 64-bit operating system and 32-bit device drivers will work only on a
32-bit operating system. Because Windows Server 2012 supports 64-bit architectures only, 32-bit
drivers will not work for devices that are installed on a Windows Server 2012 computer.
Driver Signing
A signed driver is a device driver that includes a digital signature provided from a trusted third-party source. This digital signature acts as an electronic security mark that identifies the publisher of the software and confirms that the contents of the driver package are the original contents and unchanged. If a driver is signed by a publisher, you can be confident that the driver comes from that publisher and is not altered.
• Improved security
When a device is installed and the device driver specified is digitally signed, Windows will install the driver
without requiring user intervention and start the driver after installation. All device drivers that come
preinstalled with Windows are digitally signed.
If you install a Plug and Play device into your computer, Windows Server 2012 will alert you with one of
the following messages if a driver is not signed, if it was signed by a publisher that has not verified its
identity with a certification authority, or if the driver was altered since it was released:
• Windows cannot verify the publisher of this driver. This driver either does not have a digital
signature, or it is signed with a digital signature that was not verified by a trusted certification
authority. You should only install this driver if you obtained it from a reliable source.
• This driver has been altered. This driver was altered after it was digitally signed by a verified
publisher. The package might have been altered to include malicious software that could harm your
computer or steal information. In rare cases, legitimate publishers do alter driver packages after they
are digitally signed. You should only install an altered driver if you obtained it from a reliable source.
• Windows cannot install this driver. A driver that does not have a valid digital signature, or that was
altered after it was signed, cannot be installed on 64-bit versions of Windows.
Note: When staging drivers into the Windows Server 2012 and Windows Server 2008 R2
driver store, all staged drivers must be digitally signed. After a device driver package is in the
driver store, a standard user on the computer can install its device without needing elevated user
permissions.
Windows Server 2012 will not load unsigned drivers.
If you have to disable the driver signature enforcement requirement, you can do so as outlined in the
following list. However, you should be aware that loading and using unsigned drivers might result in an
inability to start from, or access, devices.
You can add, remove, and enumerate drivers in the driver store by using the PNPUtil.exe utility from
the command line, run as administrator. To list third-party drivers in the driver store, run the following
command.
pnputil -e
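The output of pnputil -e is plain text, one block per staged package. As an added example (not courseware code), the function below turns that text into objects so the third-party drivers in the store can be filtered, for instance to list every package whose signer is not Microsoft. The sample text is constructed here to match the field labels pnputil -e prints on Windows Server 2012 (Published name, Driver package provider, Class, Driver date and version, Signer name); adjust the regular expression if your build labels the fields differently. The function name and the sample provider names are mine.

```powershell
# Added example, not courseware code. Parses "pnputil -e" output into objects.
# Field labels are those printed by Windows Server 2012 as far as I know; the
# sample below is constructed, not captured from a real server.
function ConvertFrom-PnpUtilEnumeration {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)

    begin { $current = $null; $results = @() }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^Published name\s*:\s*(.+)$') {
                # A new "Published name" line starts the next package block.
                if ($current) { $results += [pscustomobject]$current }
                $current = [ordered]@{ PublishedName = $Matches[1].Trim() }
            }
            elseif ($current -and
                    $line -match '^(Driver package provider|Class|Driver date and version|Signer name)\s*:\s*(.*)$') {
                # Property name = label with spaces removed, e.g. "SignerName".
                $current[($Matches[1] -replace '\s', '')] = $Matches[2].Trim()
            }
        }
    }
    end {
        if ($current) { $results += [pscustomobject]$current }
        $results
    }
}

# Constructed sample output (two staged packages, one from a non-Microsoft signer).
$sample = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Contoso Devices (constructed sample)
Class :                     Network adapters
Driver date and version :   01/15/2012 3.2.0.0
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Example Printers (constructed sample)
Class :                     Printers
Driver date and version :   06/01/2011 1.0.0.1
Signer name :               Example Printers Inc.
'@ -split "`r?`n"

# Offline demonstration on the constructed sample:
$sample | ConvertFrom-PnpUtilEnumeration | Format-Table -AutoSize

# On a real server (run as administrator): list staged packages not signed by Microsoft.
#   pnputil -e | ConvertFrom-PnpUtilEnumeration |
#       Where-Object { $_.SignerName -notlike 'Microsoft*' } | Format-Table -AutoSize
```

Because every package in the store can be installed by a standard user (see the note above), the list of signers in the store is worth reviewing whenever drivers are staged on a server image.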
Generally, before you deploy Windows Server 2012, you should make sure that the hardware that you are
installing on is certified for use with Windows Server 2012 by the manufacturer. It is an all too common
scenario where administrators realize that particular hardware is not supported and there are no drivers
available, or that particular functionality that is required is not available because of lack of support. This
results in increased cost and management overhead. The Windows Server Catalog helps you verify that
specific hardware, or even software, is certified for use with Windows Server 2012.
More information about the Windows Server Catalog can be found at the following
webpage:
http://www.windowsservercatalog.com
Note: When you are managing Windows Server 2012 device drivers remotely by using
either Server Manager or RSAT for Windows 8, be aware that remote access to Plug and Play devices was
disabled in Windows 8 and Windows Server 2012. This means that remotely managing hardware
drivers through the Device Manager GUI management tool is not possible.
Remote hardware device driver management has to be done by using Windows Management
Instrumentation (WMI) commands or by using Windows PowerShell and the Get-WmiObject
cmdlet. You can enumerate and obtain some hardware information by using Windows
PowerShell remotely.
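The note says remote driver work has to go through WMI rather than the Device Manager GUI. The script below is an added example (not courseware code) of what that looks like in practice: it queries the Win32_PnPSignedDriver class on a remote server and reports each driver's provider, version, and signing state, so unsigned or unexpected drivers can be spotted without logging on to the machine. It assumes WMI (DCOM) connectivity and administrative rights on the target; the function name and parameter names are mine.

```powershell
# Added example, not courseware code. Remote driver inventory via WMI.
# Assumes WMI/DCOM access to the target and an account with administrative rights.
function Get-RemoteDriverInventory {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumed parameter name
        [pscredential]$Credential,                     # optional alternate credentials
        [switch]$UnsignedOnly                          # report only drivers that are not signed
    )

    $params = @{ Class = 'Win32_PnPSignedDriver'; ComputerName = $ComputerName }
    if ($Credential) { $params.Credential = $Credential }

    Get-WmiObject @params |
        Where-Object { $_.DeviceName } |                       # skip entries with no device name
        Where-Object { -not $UnsignedOnly -or -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, InfName, IsSigned, Signer,
            # DriverDate is a CIM DATETIME string; convert it for readability.
            @{ Name = 'DriverDate'; Expression = {
                if ($_.DriverDate) {
                    [System.Management.ManagementDateTimeConverter]::ToDateTime($_.DriverDate)
                } } } |
        Sort-Object IsSigned, DriverProviderName, DeviceName
}

# Usage (LON-SVR4 is the lab machine named in this module; any reachable name works):
#   Get-RemoteDriverInventory -ComputerName LON-SVR4 | Format-Table -AutoSize
#   Get-RemoteDriverInventory -ComputerName LON-SVR4 -UnsignedOnly
#   Get-RemoteDriverInventory -ComputerName LON-SVR4 -Credential (Get-Credential ADATUM\Administrator)
```

Win32_PnPSignedDriver reports what is currently bound to each device; combine it with the driver store listing from pnputil -e when you need to know what is staged but not yet in use.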
Demonstration Steps
1. Open Device Manager.
2. Update a device driver.
Demonstration Steps
1. Open Device Manager.
2. Roll back a device driver.
Supporting Documentation
Jeff,
Please use the following information to install the new server for R&D.
Installation options
Language: English
Time and currency format: English (United States)
Keyboard or input method: English (United States)
Product: Windows Server 2012 Datacenter (Server with a GUI)
Administrator password: Pa$$w0rd
Please let Lisa from the Sr. Server Admin team know when you are finished. She’ll finish the
configuration and get the server to R&D.
Thanks,
Jim
Objectives
After completing this lab, students will be able to:
• Configure services.
• Configure devices.
Lab Setup
Estimated Time: 70 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Domain: ADATUM
b. In the Settings for 10967A-LON-SVR4 dialog box, click DVD Drive in the Hardware pane.
c. In the DVD Drive pane, select Image file, and then click Browse.
3. Install the operating system by using the Installation Options section provided in the email message
from Jim Hance.
Note: Setup will continue by copying and expanding files, installing features and updates, and
finish the installation. This phase takes about 20 minutes. Your instructor might continue with other
activities during this phase.
Results: After this exercise, you should have installed a new Windows Server® 2012 server.
Results: After this exercise, you should have configured post-installation settings by using Server
Manager.
2. Use Server Manager to remove the Server Graphical Shell and Graphical Management Tools and
Infrastructure features.
Task 2: Install GUI administrative components in Windows Server 2012 Server Core
1. Continue to work on 10967A-LON-SVR4.
2. Using the Windows PowerShell Get-WindowsFeature cmdlet, determine the Name of the Graphical
Management Tools and Infrastructure component to install.
3. Use the Install-WindowsFeature Windows PowerShell cmdlet to reinstall the GUI administrative
management components, Server-Gui-Mgmt-Infra.
4. When the installation is complete, restart the computer using the Windows PowerShell command
Restart-Computer
5. Verify the command prompt displays and Server Manager also displays. Components such as File
Explorer are still not available.
Results: After this exercise, you should have converted from a Full installation to a Minimal Interface
installation.
In order to prevent printers from being installed and used on the server, the Print Spooler service has to
be stopped and set to Disabled to prevent it from starting when the server is restarted.
Results: After this exercise, you should have used Server Manager to change service startup options.
Keyboard driver will update correctly. After correct operation is confirmed, you are asked to roll back the
driver to the earlier version.
2. Open Device Manager from the Computer Management console, and expand Keyboards.
3. Update the Standard PS/2 Keyboard driver to the new PC/AT Enhanced PS/2 Keyboard driver.
2. Open Device Manager from the Computer Management console, and expand Keyboards.
5. Verify that you have successfully rolled back the keyboard driver.
Results: After this exercise, you should have performed update and rollback operations on a device driver.
Question: How could the steps in this lab be performed remotely without the need for user
intervention?
Question: When would rolling back a driver not be an effective solution to driver-related
problems?
Question: If you have to troubleshoot system instability, what tool should you use to disable
a specific set of services from running at startup?
Question: If a newly installed video adapter device driver is preventing Windows from
starting correctly, what tools would you use first to return the system to an operable state?
Question: What factors should be considered when staging drivers in the Windows driver
store?
Tools
Tool | Use for | Where to find it
Registry editor | Editing settings in the Windows registry. | From the Run prompt: regedit.exe
Device Manager | Managing server devices and settings. | Server Manager, Computer Management, Device Manager
2-1
Module 2
Implementing Storage in Windows Server
Contents:
Module Overview 2-1
Module Overview
One of the key components when you plan and deploy Windows Server® is storage. Most organizations
require lots of storage because users and applications are constantly working with and creating data. This
data is frequently stored in a central location.
For example, every email message sent or received uses storage. Every time that a user visits a website, a
log is written and storage is consumed. Every time that a user logs on to a server, an audit trail is created
in an event log and storage is used. When files are created, copied, or moved, storage is used.
This module will introduce you to different storage technologies, cover how to implement Windows
Server storage solutions, and cover how to develop a flexible and responsive storage strategy. Developing
a good storage strategy helps avoid unplanned downtime and loss of data. There can also be significant
up-front capital costs and later administrative management costs that you should consider before you
decide what storage option to select.
Objectives
After completing this module, you will be able to:
Lesson 1
Identifying Storage Technologies
Any server deployment will require storage. There are various kinds of storage, from locally attached to
remotely accessed. Remotely accessed storage can be connected in many ways. This includes Ethernet and
fiber-optic cabling. Each storage option has advantages and disadvantages.
As you prepare to deploy storage for the server infrastructure, you will have to make some important
decisions.
• How easy will it be to expand the storage and meet future requirements?
Lesson Objectives
After completing this lesson you will be able to:
• Describe direct-attached storage (DAS).
The following sections describe some of the more typical DAS implementations.
Integrated drive electronics (IDE) is a kind of disk-drive interface in which the controller electronics reside
on the drive itself. This eliminates the need for a separate adapter card. Drives are usually connected by
using a 40-wire or 80-wire cable and only two devices can be chained together at one time. Enhanced
integrated drive electronics (EIDE) improves IDE through faster transfer rates and allows for multiple
channels, each connecting two devices. EIDE is limited to 128 gigabytes (GB) of storage and 133 megabits
per second (Mbps) data rates. EIDE drives are based on standards developed in 1986 and are almost never
used in servers today.
SATA was introduced in 2003 and has had several revisions to improve performance, as detailed in the
following table.
Revision | Speed
2 | 300 MBps
3 | 600 MBps
Organizations select SATA drives when they require large amounts of storage, but not high speed
performance. SATA drives are typically less expensive than other drive options and are a common bus
interface that is used in internal hard disks. External SATA (eSATA) is a variation on SATA, designed to
enable high speed access to externally attached SATA drives.
Small Computer System Interface
Small computer system interface (SCSI) is a set of standards for physically connecting and transferring
data between computers and peripheral devices. SCSI was originally introduced in 1978 and became a
standard in 1986. SCSI was developed to take less processing power and perform transactions at increased
speeds. SCSI is available in many interfaces. Connector types can have 25, 50, or 86 pins. Over the years,
several revisions have been made and SCSI performance has improved. SCSI might also be known by
different names. For example, Ultra 640 SCSI, also known as Ultra 5, was introduced in 2003 and can
transfer data with speeds up to 640 MBps, by using a bus width of 16 bits. SCSI disks can provide better
performance than older SATA disks but are also more expensive.
Serial Attached SCSI
Serial-attached SCSI is an additional improvement on the SCSI standard. Serial-attached SCSI depends on
a point-to-point serial protocol that replaces the parallel SCSI bus technology. Serial-attached SCSI uses
the standard SCSI command set so that it is backward-compatible with second generation SATA drives.
Solid-state drives (SSDs) are data storage devices that use solid-state memory to store data instead of
using the spinning disks and movable read/write heads that are used in other disks. SSDs use microchips
to store the data and contain no moving parts. Therefore, they are less susceptible to failure from being
dropped. SSDs provide very fast disk access that uses less power. However, they are also more expensive
than other DAS storage options. SSDs typically use the SATA interface. Therefore, you can replace SATA
hard disk drives with SSDs without any modification.
Advantages of DAS
• DAS is connected directly to the server. This makes it easy to deploy and maintain.
• Available with various bus technologies in various speeds and sizes so that you can customize cost for
your particular requirement.
• Usually a Plug and Play device that can easily be recognized by the server.
Disadvantages of DAS
• Can be more difficult to automate backup and restore strategies across many servers.
• Shares processing power and memory with the server. This means that disk performance might be
slower on a busy server.
• Reliant on software to control the transfer of data. This can mean increased latency.
Note: High-speed transfer rates for individual bus technologies may or may not be
achievable in your existing environment. The bus technologies provide for these theoretical
transfer rates; however, each component must also support them and not be a limiting factor or
bottleneck. For example, disk read and write times, disk controller speeds, and motherboard
limitations may or may not support these speeds or even the bus technology. Before you try to
implement a particular bus technology in the server environment and a corresponding transfer
rate, you should be aware of the components involved in reaching these transfer speeds.
Advantages of NAS
• Provides performance and productivity gains over DAS because the NAS device is dedicated
completely to the distribution of files.
• Simple and cost-effective way to achieve fast data access for multiple clients at the file level.
• NAS storage capacity is usually much larger than DAS storage capacity.
• Provides a Plug and Play solution that is easy to install, deploy, and manage, with or without
information technology staff.
Disadvantages of NAS
• NAS is not an enterprise storage solution. This means less reliability, more possibility of data loss, and
slower performance than the enterprise storage solutions discussed in the next topic.
• Reliant on software to control the transfer of data. This can mean increased latency.
• NAS cannot and should not be used with data-intensive applications such as Microsoft® Exchange
Server and Microsoft SQL Server®.
More information about Windows Storage Server can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=199647
Unlike DAS or NAS, a SAN is controlled by a hardware device and does not rely on software to provide
access to storage.
Advantages of SAN
• Block level read and write access. SAN technologies provide faster data access by reading and writing
at the block level. For example, with most DAS and NAS solutions, if you write an 8-GB file, the whole
file has to be written and its checksum calculated; with SAN, the file will be written based on the block
size the SAN is configured for.
• Centralization of storage into a single pool. This enables storage resources and server resources to
grow independently. It also enables storage to be dynamically assigned from the pool when it is
required. Server storage can be increased or decreased without complex configuration or cabling of
devices.
• Common infrastructure for attaching storage. This enables a single common management model for
configuration and deployment of storage.
• Storage devices that are shared by multiple systems.
• A high level of redundancy. Most SANs are deployed with multiple network devices and paths
through the network. Also, each storage device contains redundant components such as power
supplies and hard disks.
Disadvantages of SAN
• The main drawback to SAN technology is that it frequently requires management tools and special
knowledge. This is because of the complexity of the configuration.
• In order to manage a SAN, not only do you have to understand the command-line utilities, but you
also have to understand the underlying technology. For example, the LUN setup, the Fibre Channel
back-end, and the block sizing.
• SANs can be expensive. An entry-level SAN can frequently cost as much as a fully loaded server that has
DAS or even a NAS device. SAN disks and configuration are usually not included in the price.
• Each storage vendor frequently implements SANs with different tools and features. Because of this,
organizations frequently require dedicated personnel to manage the SAN deployment.
Fibre Channel is usually found in speeds of 1, 2, or 4 gigabits per second (Gbps) and can operate in point-
to-point scenarios or over switches or looped networks. Fibre Channel SAN components include the
following:
• Interface cards. Specialized interface cards that connect the servers to the SAN. These devices,
known as Host Bus Adapters (HBAs), enable the server to communicate with the storage device across
the SAN.
Note: iSCSI SANs can also use HBAs. Each kind of HBA is specific to the technology that is
used to access the storage device.
• Storage device(s). SANs require one or more dedicated storage devices. Frequently, these devices can
contain hundreds of disks and store multiple terabytes of data.
• LUNs. In most cases, servers are given access to only a small part of the storage available on the
storage device. To implement this storage solution, the storage available is divided into smaller pieces
and then exposed to the servers through a LUN. On the server, each LUN is displayed as an attached
drive.
Multipath I/O
SANs are typically implemented because of a high-availability requirement. In most cases, you will deploy
multiple HBAs on each server that is connected to a SAN, and connect the HBAs to two separate Fibre
Channel networks. This means that the storage will still be available if there is a failure of one of the
networks.
To simplify the implementation of this solution for storage vendors, Microsoft provides a generic storage
driver that uses multipath I/O (MPIO). MPIO provides the following:
• Dynamic configuration and replacement of devices. In order to support multiple paths to the
same storage device, the operating system must be able to dynamically discover and configure
adapters that are connected to the same storage media.
• Generic device specific module. Microsoft supplies a generic device-specific module (DSM) that
interacts with the multipath bus driver on behalf of the storage device.
• Dynamic load balancing. The multipath software enables you to distribute input/output (I/O)
transactions across multiple adapters. The DSM is responsible for load-balancing policy for its storage
device.
• Fault tolerance. Multipath software can function in a fault-tolerant mode in which only a single
channel is active.
• Fibre Channel over Ethernet (FCoE). Instead of the traditional dedicated Fibre Channel networks
used in Fibre Channel SANs, the emergence of gigabit Ethernet networks and FCoE allows for the
running of a Fibre Channel storage system over an existing Ethernet network. FCoE can support
speeds up to 1 Gbps, or 1,000 Mbps.
• Fibre Channel over IP (FCIP). Uses an IP tunneling technology to enable geographically dispersed
Fibre Channel storage systems to communicate over IP networks.
• Internet Fibre Channel Protocol (iFCP). Uses IP to control the routing and switching requirements
over the Internet to enable geographically dispersed Fibre Channel storage systems to communicate
over the Internet.
The Fibre Channel Industry Association (FCIA) defines and provides future direction for Fibre
Channel technology. More information about FCIA can be found at the following website.
http://www.fibrechannel.org/
Note: Although you can use a standard network connection to connect the server to the
iSCSI storage device, you can also use dedicated HBAs or dedicated network adapters.
• IP network. You can use standard network interface adapters and standard network switches to
connect the servers to the storage device. In order to provide sufficient performance, the network
should provide speeds of at least 1 Gbps and should provide multiple paths through the network.
• iSCSI targets. iSCSI targets are located on the storage device and are used to enable access to the
storage by presenting or advertising it. Many storage vendors implement hardware-level iSCSI targets
as part of their storage devices. Other devices or appliances, such as Windows Storage Server devices,
implement the iSCSI target by using software. Windows Server 2012 provides the iSCSI target as part of
the operating system.
• iSCSI initiators. iSCSI initiators run on the servers that want to connect to the storage device. All
versions of Windows Server since Windows Server 2008 provide the iSCSI initiator as a standard
component and can connect to iSCSI targets.
• iSCSI qualified name (IQN). IQNs are globally unique identifiers that are used to address initiators
and targets on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for
the iSCSI initiators that will be connecting to the target. iSCSI initiators also use IQNs to connect to
the iSCSI targets.
Lesson 2
Managing Disks and Volumes
After you identify your storage technology, the next step is to determine how to manage the storage.
Administering storage includes deciding how disks and volumes will be configured, and what kind of file
system that you will use. Ask yourself the following questions:
• Will the disk size be fixed or dynamically adjusted to the data amount?
• Will all the disks be allocated the same amount of storage space?
• Will the kind of file systems be the same for all disks?
Lesson Objectives
After completing this lesson, you will be able to:
• Describe partition tables.
Note: System partitions can contain files that are used for startup. Boot partitions contain
operating system files but contain no files that are used during the startup process.
When you add a new clean hard disk to your Windows Server 2012 server—whether you use SATA, SCSI,
VHD, or something else—before you can use or manage the hard disk, the first task that has to be done is
to initialize the disk. After you initialize the disk, you can start to configure the disk as you need, creating
volumes, partitions, and so on. You can initialize the disk by opening Disk Manager, right-clicking the disk
that has just been attached, and selecting Initialize Disk.
When the Initialize Disk dialog box appears, you have to make two more decisions.
• Which disk should be initialized: Disk 1, 2, 3, and so on? This should be a straightforward decision.
• What partition style do you want to use with the disk? There are two kinds: master boot record (MBR)
and GUID partition table (GPT). Which option you select depends on several factors. These factors are
explained in the following sections.
MBR
The MBR partition table format is the general standard partitioning model that has been used in
computers for a long time. The MBR partition table format has the following characteristics:
• An MBR disk supports no more than four primary partitions per drive. You can have additional divisions
on the disk, but this involves creating an extended partition within which logical drives are then
created.
• Data cannot be written across multiple disk MBRs. For example, you cannot use striping or mirroring
to provide redundancy.
GPT
The GPT is a newer table format that tries to overcome some limitations of MBR, and to address larger
disks. GPT has the following characteristics:
• To start from a GPT partition table, the basic input/output system (BIOS) must support GPT.
You can convert from MBR to GPT table types or vice versa. However, this is only enabled on empty disks.
Converting partition table types will result in the loss of all data on the disk.
There are additional ways to view and specify partition tables outside Disk Manager. These include the
following:
• Diskpart. This is a Command Prompt utility used to configure disks. The Command Prompt will take
the focus to let you type additional Diskpart commands.
To view the help associated with the convert command, type the following command.
• Windows PowerShell®. Windows PowerShell provides dedicated commands to view and configure
partition tables that are part of the Storage module.
Get-Disk | FL: Displays the properties of all disks installed on the host computer and formats the
output into a list. You can view the partition table type under the PartitionStyle property.
Initialize-Disk -Number 4 -PartitionStyle MBR: Initializes disk number 4 and specifies an MBR-type
partition table.
Get-Command -Module Storage: Lists all available cmdlets in the Storage module.
Basic Disk
Most personal computers use basic disks because they are the simplest and easiest to manage. A basic
disk can have up to four primary partitions, or three primary partitions, one extended partition, and
multiple logical drives.
• Primary partition. A kind of partition created on basic disks that can host an operating system and
functions as if it were a physically separate disk. A primary partition has a file system with a drive
letter assigned to it.
• Extended partition. A kind of partition where you can create one or more logical drives within the
extended partition. Extended partitions are useful if you want to create more than four volumes on a
basic disk.
• Logical drive. A disk that you create in an extended partition. You can create an unlimited number of
logical drives per disk. A logical drive can be formatted and assigned a drive letter.
Basic disks also support disk types such as USB disks or VHD files.
Dynamic Disk
A dynamic disk can contain simple volumes, spanned volumes, striped volumes, mirrored volumes, and
redundant array of independent disks (RAID)–5 volumes. It is only possible to create a dynamic disk on
fixed disks. However, you can convert USB disks and dynamically expanding VHDs to dynamic disks.
Dynamic disks use a data repository to track information about the dynamic volumes on the disk. The
repository also contains information about other dynamic disks in the computer. Each dynamic disk in a
computer contains a replica of the dynamic disk database. Therefore, a corrupted dynamic disk database
on one dynamic disk can be repaired by using the database on another dynamic disk. The location of the database
is determined by the partition style of the disk. On MBR partitions, the database is contained in the last 1
megabyte (MB) of the disk. On a GPT partition, the database is contained in a 1 MB reserved (hidden)
partition.
Note: Some IT professionals use the terms partition and volume interchangeably. However,
it is more correct to refer to partitions on basic disks and volumes on dynamic disks. A volume is a
storage unit made from unallocated space on one or more disks. It can be formatted with a file
system and can be assigned a drive letter or configured by using a mount point.
• Simple volumes. A simple volume uses unallocated space from a single disk. It can be a single region
on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the
same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a
spanned volume.
• Spanned volumes. A spanned volume is created from free disk space that is linked from multiple
disks. You can extend a spanned volume to no more than 32 disks. Windows Server fills the spanned
volume by filling all the space on the first disk and then filling each of the additional disks in turn. This
means if you lose a disk, you lose all the spanned volume.
• Striped volumes. A striped volume is a volume where data is spread across two or more physical
disks. The data on this kind of volume is allocated alternately and evenly to each of the physical
disks. This process is known as striping or RAID-0. A striped volume cannot be extended and is not
fault-tolerant. If a single physical disk in the striped volume fails, the whole volume is lost.
• Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended and is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across three or
more disks. Parity (a calculated value that can be used to reconstruct data after
a failure) is also striped across the disk array. If a physical disk fails, the part of the RAID-5 volume that
was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume
cannot be mirrored or extended.
Basic disks can easily be converted to dynamic disks without any loss of data. However, to convert a
dynamic disk to a basic disk means all data on the disk will be lost.
Regardless of which kind of disk that you use, you must configure a system volume and boot volume on
one of the hard disks in the server.
• System volumes. The system volume contains the hardware-specific files that are needed to load
Windows, for example Bootmgr, BOOTSECT.bak, and Boot Configuration Data (BCD). The system
volume can be, but does not have to be, the same as the boot volume.
• Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to
be, the same as the system volume.
More information about how basic disks and volumes work can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=199648
• FAT32
In addition to deciding what file system to use, you can also decide the cluster or allocation unit size. This
can be manually or automatically configured, but you should understand the concepts and the potential
performance issues associated with those decisions.
A sector is the smallest amount of data that can be written to a physical disk. The sector size is determined
by the manufacturer and, although it can vary, it is typically 512 bytes. However, allocating space to files
and data one 512-byte sector at a time would be a significant overhead for the disk, and increasingly so as
disks become larger. Therefore, the disk uses clusters, or allocation units, which allocate groups of
contiguous sectors as needed instead of allocating sectors individually.
You should be aware that the size of the allocation unit can have a direct effect on performance. If, for
example, a disk has a sector size of 512 bytes and an allocation unit size of 4,096 bytes (4 KB), this means
that sectors are allocated in groups of eight. If you have a 4,100 byte file, it will be allocated two clusters—
that is, 16 sectors and a large part of the second cluster will have unused space.
Also, as files become larger and are deleted and moved, allocation units can be written to various parts of
the disk. This results in what is known as fragmentation.
Generally, larger allocation unit sizes reduce the potential for fragmentation. However, they then
potentially increase the unused space in the allocation unit.
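The allocation arithmetic above, as an added PowerShell example that is not part of the course content: it works through the 4,100-byte case and then the cluster-size trade-off for a constructed set of file sizes. The sample file sizes are assumptions.

```powershell
# Added example (not course code): how a file is allocated in whole clusters and how
# much of its last cluster is left unused. File sizes below are constructed samples.
function Get-ClusterAllocation {
    param(
        [Parameter(Mandatory)] [long] $FileSizeBytes,
        [int] $SectorSize = 512,
        [int] $ClusterSize = 4096
    )
    if ($ClusterSize % $SectorSize -ne 0) {
        throw 'Cluster size must be a whole number of sectors.'
    }
    $sectorsPerCluster = $ClusterSize / $SectorSize
    # A zero-length file owns no clusters; anything else is rounded up to whole clusters.
    $clusters = [long][math]::Ceiling($FileSizeBytes / $ClusterSize)
    [PSCustomObject]@{
        FileSizeBytes = $FileSizeBytes
        ClusterSize   = $ClusterSize
        Clusters      = $clusters
        Sectors       = $clusters * $sectorsPerCluster
        # Slack: the unused tail of the last cluster. It can still hold remnants of
        # whatever file previously used that cluster, which matters for forensics.
        SlackBytes    = $clusters * $ClusterSize - $FileSizeBytes
    }
}

# The course's own case: a 4,100-byte file, 512-byte sectors, 4 KB clusters.
# Two clusters, sixteen sectors, and most of the second cluster unused.
Get-ClusterAllocation -FileSizeBytes 4100

# The trade-off the text describes: larger clusters mean fewer allocation units
# (less scope for fragmentation) but more slack. Same files, three cluster sizes.
$files = 4100, 12000, 70000, 1048576   # constructed sample file sizes in bytes
foreach ($cluster in 4KB, 16KB, 64KB) {
    $sums = $files |
        ForEach-Object { Get-ClusterAllocation -FileSizeBytes $_ -ClusterSize $cluster } |
        Measure-Object -Property Clusters, SlackBytes -Sum
    [PSCustomObject]@{
        ClusterSize     = $cluster
        TotalClusters   = ($sums | Where-Object Property -eq 'Clusters').Sum
        TotalSlackBytes = ($sums | Where-Object Property -eq 'SlackBytes').Sum
    }
}

# On a live volume the cluster size is the AllocationUnitSize that Get-Volume reports.
Get-Volume | Select-Object DriveLetter, FileSystem, AllocationUnitSize
```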
FAT is the simplest of the file systems supported by Windows. There is no organization to the FAT
directory structure, and files are given the first open location on the drive. A disk formatted with FAT is
allocated in clusters, or allocation units, whose sizes depend on the size of the volume. When a file
is created, the first cluster number that contains data is established. An entry is made in the FAT table to
indicate whether this is the last cluster for the file, or points to the next cluster.
To protect the volume, two copies of the FAT table are kept in case one becomes damaged. In addition,
the FAT tables and the root directory must be stored in a fixed location so that the system's boot files can
be located.
• FAT. Also known as FAT16. Can only access partitions less than 2 GB in size.
• FAT32. An improvement over FAT. Supports partitions up to 2 TB. FAT32 supports smaller cluster
sizes than FAT. This results in more efficient space allocation on FAT32 volumes.
• exFAT. A Microsoft file system optimized for flash drives. exFAT can be used where NTFS is not a
solution, or where the FAT32 file size limits are unacceptable, that is, a disk that is greater than 2 TB.
This could be the case with Media Centers, for example.
FAT does not provide any security for files on the partition and as such you shouldn’t use FAT or FAT32 as
the file system for disks attached to a Windows Server. The primary scenario for use of FAT is in relation to
flash drives or external media.
NTFS
NTFS is the standard file system for all Windows operating systems starting with Windows NT Server 4.0.
NTFS has several improvements over FAT, such as improved support for metadata and advanced data
structures to improve performance, reliability, and disk space use. NTFS also provides a much better level
of security than FAT or FAT32. NTFS supports security access control lists (ACLs). This allows for auditing,
file system journaling, and encryption.
NTFS is required for several Windows Server roles and features, such as Active Directory® Domain Services,
Volume Shadow Copy Service (VSS), Distributed File System (DFS), and File Replication Service (FRS). You
should always use NTFS for all hard disks connected to Windows Server or Windows client computers.
ReFS
ReFS is a new file system that is built in to Windows Server 2012. ReFS is based on the NTFS file system,
and provides the following advantages:
• Maximizes reliability, especially during a loss of power (whereas NTFS is known to experience
corruption in similar circumstances).
• Storage pooling and virtualization. This makes creating and managing file systems easier.
• Shared storage pools across machines for additional failure tolerance and load balancing.
• You cannot run the chkdsk utility on ReFS because error checking and auto fixing is built in to the file
system. Therefore, it is not needed.
ReFS does not support all functionality currently available in NTFS. Some items not supported on ReFS
include the following:
• File compression
• Disk quotas
ReFS is recommended only for use with large volumes on Windows Server 2012 servers. A ReFS-
formatted drive is not recognized in computers that are running Windows Server operating systems
before Windows Server 2012. Also, it is possible to shrink or extend NTFS volumes whereas it is only
possible to extend ReFS volumes, not shrink them.
NTFS should still be used as the default file system for general purpose use on Windows Server 2012.
Question: What file system do you currently use on your file server? Will you continue to use
it?
Windows Server 2012 provides for two VHD file formats: .vhd and .vhdx. The .vhdx file format is a virtual
hard disk format that emerged with the release of Windows Server 2012. Both file formats have the same
basic function. The differences are based on scale and performance, as follows:
• Size:
o The .vhd file format can have a maximum size of 2,040 GB.
• Sector size:
o The .vhdx file format uses 4-KB sectors to gain performance advantages with larger disk sizes.
You can convert from .vhdx to .vhd or from .vhd to .vhdx by using the Edit Virtual Hard Disk Wizard in
Hyper-V Manager. Also, the .vhdx file format is only recognized by Windows Server 2012.
Both .vhd and .vhdx virtual hard disks have three virtual hard disk types available when they are created.
These are described in the following sections.
Dynamically Expanding VHDs
Dynamically expanding VHDs are virtual disks that start very small and then grow as you write data to
them. They are ideal for use in an environment where performance is not your primary consideration.
Organizations typically use dynamically expanding disks in test and development environments. A
dynamically expanding disk grows only to the space that you allocate to it when you create the VHD. The
default maximum size is 127 GB, but dynamically expanding VHDs can be as large as 2 terabytes (TB).
Dynamically expanding disk performance has improved and is now almost the same as that of
fixed-size disks.
One of the potential issues with using dynamically expanding VHDs is that you must manage storage
usage after deployment. If you have multiple dynamically expanding VHDs located in a single storage
location that is less than the total maximum size of the VHDs, you must monitor the storage location to
make sure that the VHDs do not expand to use up all available space.
Another potential issue with dynamically expanding virtual hard disks is that the .vhd file might become
fragmented on the host computer’s physical hard disk. This could affect the virtual disk’s performance.
Fixed-Size VHDs
Fixed-size VHDs are disks that use as much physical disk space as you specify when you create the disk.
For example, if you create a 100 GB fixed-size VHD, it will use 100 GB of physical disk space. The primary
benefit with using fixed-size disks is that all the storage required for the disks is committed when you
create the disks. This reduces the possibility that you will over-commit your storage resources.
One reason for selecting fixed-size VHDs is that dynamically expanding VHDs might not support some
applications. For example, Microsoft does not support Exchange Server 2010 or Exchange Server 2007
deployed on dynamically expanding VHDs.
One of the disadvantages of fixed-size disks is that the disks might take longer to move from one server
to another.
Differencing VHDs
A differencing virtual hard disk is a virtual hard disk associated with another virtual hard disk in a
parent/child relationship. The differencing disk is the child and the associated virtual disk is the parent.
The parent disk can be any kind of virtual hard disk. The differencing disk stores a record of all changes
that you make to the parent disk and lets you save changes without altering the parent disk. In other
words, by using differencing disks, you make sure that changes are made to the differencing disks and not
to the original virtual hard disk. When it is required, you can merge changes from the differencing disk to
the original virtual hard disk.
• The differencing hard disk expands dynamically as data intended for the parent disk is written to the
differencing disk. You should write-protect or lock the parent disk. If another process changes the
parent disk, and does not recognize the differencing disk’s parent/child relationship, then all
differencing disks related to the parent disk become invalid, and any data written to them is lost. By
locking the parent disk, you can mount the disk on more than one virtual machine, similar to a read-
only floppy disk or CD-ROM.
• You cannot specify a size for a differencing disk. Differencing disks can grow as large as the parent
disks to which they are associated. However, unlike dynamically expanding disks, differencing disks
cannot be compacted directly. You can compact differencing disks only after merging the disk with a
dynamically expanding parent disk.
• If you are using differencing disks, you must have a standardized naming convention for your virtual
hard disks. It is not clear from examining the virtual hard disk in Hyper-V Manager whether it is a
differencing drive or a parent disk.
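Because Hyper-V Manager does not show whether a file is a differencing disk or a parent, an inventory is the practical check. The following is an added PowerShell example, not course code; it requires the Hyper-V module on the host, and the folder path is an assumption.

```powershell
# Added example (not course code). Requires the Hyper-V PowerShell module.
# $VhdFolder is an assumption; point it at the folder holding your VHD/VHDX files.
$VhdFolder = 'D:\Hyper-V\Virtual Hard Disks'

function Get-VhdChainReport {
    param([Parameter(Mandatory)] [string] $Folder)

    Get-ChildItem -Path $Folder -Include '*.vhd', '*.vhdx' -Recurse | ForEach-Object {
        $file = $_
        try {
            $vhd = Get-VHD -Path $file.FullName -ErrorAction Stop
        } catch {
            # Get-VHD fails for a child whose parent is missing or renamed; that is
            # exactly the "all data written to them is lost" case the text warns about.
            return [PSCustomObject]@{
                Path = $file.FullName; Format = $null; Type = 'Unreadable'
                MaxSizeGB = $null; FileSizeGB = $null; ParentPath = $null
                ParentLocked = $null; Problem = $_.Exception.Message
            }
        }

        $parentLocked = $null
        $problem = $null
        if ($vhd.VhdType -eq 'Differencing') {
            if (Test-Path -LiteralPath $vhd.ParentPath) {
                # The text says to write-protect the parent; the file's read-only
                # attribute is the simplest way to do that.
                $parentLocked = (Get-Item -LiteralPath $vhd.ParentPath).IsReadOnly
                if (-not $parentLocked) { $problem = 'Parent is not write-protected' }
            } else {
                $problem = 'Parent file not found'
            }
        }

        [PSCustomObject]@{
            Path         = $file.FullName
            Format       = $vhd.VhdFormat      # VHD or VHDX
            Type         = $vhd.VhdType        # Fixed, Dynamic or Differencing
            MaxSizeGB    = [math]::Round($vhd.Size / 1GB, 1)
            FileSizeGB   = [math]::Round($vhd.FileSize / 1GB, 1)
            ParentPath   = $vhd.ParentPath
            ParentLocked = $parentLocked
            Problem      = $problem
        }
    }
}

$report = Get-VhdChainReport -Folder $VhdFolder
$report | Format-Table Path, Type, MaxSizeGB, FileSizeGB, ParentPath, ParentLocked -AutoSize

# Anything with a problem deserves attention before the parent is touched again.
$report | Where-Object Problem | ForEach-Object { Write-Warning "$($_.Path): $($_.Problem)" }
```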
Virtual hard disks can be created in several ways; one such method is as follows:
• In Disk Management, right-click the server being managed, and then select Create VHD. You can
then specify the virtual hard disk format and type, as well as the location and size of the virtual hard
disk file.
Mount Points
• If you are running out of drive space on a server and want to add disk space without changing
the folder structure, you can add the hard disk and configure a folder to point to it.
Note: You can assign volume mount points only to empty folders on an NTFS partition.
This means that if you want to use an existing folder name, you must first rename the folder,
create and mount the hard disk by using the required folder name, and then copy the data to the
mounted folder.
• If you are running out of available letters to assign to partitions or volumes. If you have many hard
disks attached to the server, you might run out of available letters in the alphabet to assign drive
letters. By using a volume mount point, you can add partitions or volumes without using more drive
letters.
• If you have to separate disk I/O in a folder structure. For example, if you are using an application that
requires a specific file structure, but which uses the hard disks extensively, you can separate the disk
I/O by creating a volume mount point within the folder structure.
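The mount point scenarios above, as an added PowerShell example that is not part of the course content: it applies the note's two conditions (NTFS host volume, empty folder) before mounting, and refuses to mount over a folder that already has content. Disk and partition numbers and the folder path are assumptions.

```powershell
# Added example (not course code). Mounts a partition into an NTFS folder only after the
# checks the note requires. The disk/partition numbers and folder are assumptions.
function Mount-VolumeToFolder {
    param(
        [Parameter(Mandatory)] [int] $DiskNumber,
        [Parameter(Mandatory)] [int] $PartitionNumber,
        [Parameter(Mandatory)] [string] $FolderPath
    )

    # The folder must live on a local NTFS volume.
    $hostRoot = [System.IO.Path]::GetPathRoot($FolderPath).TrimEnd('\')
    if ($hostRoot -notmatch '^[A-Za-z]:$') {
        throw "$FolderPath must be a path on a local drive letter."
    }
    $hostVolume = Get-Volume -DriveLetter $hostRoot.TrimEnd(':')
    if ($hostVolume.FileSystem -ne 'NTFS') {
        throw "$hostRoot is $($hostVolume.FileSystem), not NTFS; mount points need NTFS."
    }

    # The folder must be empty. Create it if it is missing; refuse it if it has content,
    # because the mount would hide (not delete) whatever is already there.
    if (-not (Test-Path -LiteralPath $FolderPath)) {
        New-Item -ItemType Directory -Path $FolderPath | Out-Null
    } elseif (@(Get-ChildItem -LiteralPath $FolderPath -Force).Count -gt 0) {
        throw "$FolderPath is not empty. Rename it, mount here, then copy the data in."
    }

    # Add the folder as an access path; no drive letter is consumed.
    $accessPath = $FolderPath.TrimEnd('\') + '\'
    Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AccessPath $accessPath

    # Confirm by listing the partition's access paths (the new folder should be among them).
    (Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber).AccessPaths
}

# Example use: separate an application's log I/O onto its own volume (assumed values).
Mount-VolumeToFolder -DiskNumber 5 -PartitionNumber 2 -FolderPath 'D:\Apps\Logs'
```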
Links
A link is a special kind of file that contains a reference to another file or directory in the form of an
absolute or relative path. Windows supports the following two kinds of links:
A link that is stored on a server share could refer back to a directory on a client that is not available from
the server where the link is stored. Because the link processing is performed by the client, the link would
work correctly to access the client, even though the server cannot access the client.
Links operate transparently. Applications that read or write to files that are named by a link behave as if
they are operating directly on the destination file. For example, you can use a symbolic link to link to a
Hyper-V parent virtual hard disk file (.vhd) from another location. Hyper-V uses the link to work with the
parent virtual hard disk (VHD) as it would the original file. The benefit of using symbolic links is that you
do not need to modify the properties of your differencing VHD.
This demonstration shows how to configure volumes by using the Disk Management console and Windows
PowerShell.
Although not called out explicitly in the demonstration steps, you may also want to show the Diskpart
utility if you have time, because it is still a viable disk management method in Windows Server 2012. If
so, you can type steps similar to the following.
• At a Command Prompt type Diskpart
• Exit
Demonstration Steps
1. Bring a Disk online
2. Initialize a Disk
3. Create a simple volume
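The three demonstration steps, together with the Storage module cmdlets listed earlier, as an added PowerShell example that is not part of the course content: it brings the disk online, initializes it only while it is still RAW (converting a disk that already has a partition table would destroy its data), and creates one NTFS simple volume. The disk number is an assumption.

```powershell
# Added example (not course code). Assumes the Storage module of Windows Server 2012
# and that disk 4 is the newly attached, empty disk; change $DiskNumber to suit.
$DiskNumber = 4

function Initialize-NewDisk {
    param(
        [Parameter(Mandatory)] [int] $Number,
        [ValidateSet('MBR', 'GPT')] [string] $PartitionStyle = 'GPT',
        [string] $Label = 'Data'
    )

    $disk = Get-Disk -Number $Number

    # Step 1: bring the disk online (and clear read-only) if it was attached offline.
    if ($disk.IsOffline)  { Set-Disk -Number $Number -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $Number -IsReadOnly $false }

    # Step 2: initialize only a RAW disk. Re-initializing or converting a disk that
    # already carries MBR or GPT destroys everything on it, so refuse that case.
    $disk = Get-Disk -Number $Number
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $Number already has a $($disk.PartitionStyle) partition table; not touching it."
    }
    Initialize-Disk -Number $Number -PartitionStyle $PartitionStyle

    # Step 3: one simple volume over the whole disk, formatted NTFS (FAT/FAT32 have
    # no ACLs, so they are not appropriate for a server disk).
    $partition = New-Partition -DiskNumber $Number -UseMaximumSize -AssignDriveLetter
    $volume = Format-Volume -Partition $partition -FileSystem NTFS `
        -NewFileSystemLabel $Label -Confirm:$false

    # Return the resulting state so it can be checked.
    [PSCustomObject]@{
        DiskNumber     = $Number
        PartitionStyle = (Get-Disk -Number $Number).PartitionStyle
        DriveLetter    = $partition.DriveLetter
        FileSystem     = $volume.FileSystem
        SizeGB         = [math]::Round($volume.Size / 1GB, 2)
    }
}

Initialize-NewDisk -Number $DiskNumber -PartitionStyle GPT -Label 'Data'
```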
Quota Types
• A hard quota prevents users from saving files after the space limit is reached, and it generates
notifications when the volume of data reaches each configured threshold.
• A soft quota does not enforce the quota limit. However, it does provide notifications.
Quota Notifications
To determine what happens when the quota limit approaches, you configure notification thresholds. For
each threshold that you define, you can send email notifications, log an event, run a command or script,
or generate storage reports. For example, you might want to notify the administrator and the user when a
folder reaches 85 percent of its quota limit, and then send another notification when the quota limit is
reached. In some cases, you might want to run a script that raises the quota limit automatically when a
threshold is reached.
Creating Quotas
When you create a quota on a volume or a folder, you can base the quota on a quota template or use
custom properties. Using quota templates has benefits such as being able to reuse a quota template to
create additional quotas while also helping simplify ongoing quota maintenance.
You can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota
template to a parent volume or folder. Then a quota that is based on the template is created for each of
the existing subfolders, and a quota is generated automatically for each new subfolder that is created.
In addition to managing and configuring quotas in the FSRM, you can use Windows PowerShell. Windows
PowerShell provides an extensive number of cmdlets for FSRM parameters. This includes quotas, as part of
the FileServerResourceManager module. The following table includes some cmdlets and commands that
might be useful.
There is a Command Prompt utility named Windows File System Utility (fsutil.exe). This utility can
manage file server settings, such as quotas.
Demonstration Steps
1. Verify that you can create a 130 MB file successfully
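The quota types, thresholds, templates and auto-apply quotas described above, as an added PowerShell example that is not part of the course content. It needs the File Server Resource Manager role service and its FileServerResourceManager module; the share path, the 100 MB limit, the user folder name and the choice of a soft quota are assumptions chosen so that the 130 MB test file from the demonstration step is reported rather than blocked.

```powershell
# Added example (not course code). Requires the FSRM role service and the
# FileServerResourceManager module. Share path, limit and template name are assumptions.
$SharePath    = 'D:\Shares\Users'
$TemplateName = 'User folder 100 MB (soft)'

# Actions for the 85 percent threshold: log a warning event and e-mail both the
# administrator and the user. The bracketed tokens are FSRM notification variables.
$warnEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] has used [Quota Used Percent]% of the quota on [Quota Path].'
$warnMail = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota on [Quota Path] is at 85 percent' `
    -Body 'The limit is [Quota Limit MB] MB. Please archive or delete files.'
$at85 = New-FsrmQuotaThreshold -Percentage 85 -Action $warnEvent, $warnMail

# At 100 percent, log an error. With a soft quota the write still succeeds and only the
# notification fires; remove -SoftLimit from the template to make it a hard quota.
$fullEvent = New-FsrmAction -Type Event -EventType Error -Body 'Quota limit reached on [Quota Path].'
$at100 = New-FsrmQuotaThreshold -Percentage 100 -Action $fullEvent

# A reusable template carrying the limit and both thresholds...
New-FsrmQuotaTemplate -Name $TemplateName -Size 100MB -SoftLimit -Threshold $at85, $at100 | Out-Null

# ...auto-applied to every existing and future subfolder of the share.
New-Item -ItemType Directory -Path "$SharePath\alice" -Force | Out-Null
New-FsrmAutoQuota -Path $SharePath -Template $TemplateName | Out-Null

# The demonstration's check: a 130 MB file is created successfully under the 100 MB
# soft limit (reported, not blocked). fsutil is the utility the text mentions.
fsutil file createnew "$SharePath\alice\test130.bin" (130MB)

# One quota object per subfolder, with current and peak usage.
Get-FsrmQuota | Where-Object Path -like "$SharePath\*" |
    Select-Object Path, SoftLimit,
        @{n = 'LimitMB'; e = { $_.Size / 1MB }},
        @{n = 'UsageMB'; e = { [math]::Round($_.Usage / 1MB, 1) }},
        @{n = 'PeakMB';  e = { [math]::Round($_.PeakUsage / 1MB, 1) }}
```

The full list of quota cmdlets is available with Get-Command -Module FileServerResourceManager.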
Lesson 3
Fault Tolerance
Now that you have learned about the kinds of storage and the methods in which you can address the
storage, the next important thing is to consider reliability and availability. These can be critical elements to
the success of an organization. Windows Server 2012 has several methods for providing for reliability and
availability in the event of hardware failure, such as Storage Spaces and RAID implementations. This lesson
provides details of both those technologies.
Lesson Objectives
After completing this lesson, you will be able to:
• Extend the storage capacity by using thin provisioning. Thin provisioning is explained later in this
topic.
Storage Pools
Storage pools are hard disk units combined into a single logical unit. Storage Pools can be managed as a
single entity. To create a Storage Pool, consider the following:
• You can use different bus technologies such as SATA, SCSI, serial-attached SCSI, or USB disks even if
they are different capacities. You can also add .vhd and .vhdx virtual hard disk file types.
• Designate a specific disk as a “Hot-Spare,” which will automatically replace a disk that has suffered a
failure.
• Drives must be blank and unformatted; no volume may exist on them. Any information on disks
being added will be lost.
• A Storage Pool can use the whole disk or just a part of the disk.
Storage Spaces
After the Storage Pool is created, you can then create Storage Spaces from the Storage Pool. Storage
Spaces are the effective management entities for the storage pool. You should be aware of the following
in relation to Storage Spaces:
• Once the Storage Pool exists you then must create a “Virtual Disk”. This is not a virtual disk in the
sense of a virtual machine file, rather it is a virtual entity which you can then manage as a single
instance, despite having potentially multiple disk or volume types. It is specific to this concept and
should be considered as a drive as you would see it in Disk Management.
• Once you create a “Virtual Disk” you then need to create a volume, which you then format, partition,
and assign drive letters to as you would any other disk.
• Storage Spaces are displayed as a drive in File Explorer, for example, drive D or E. The underlying
storage configuration is invisible to the user.
• Failover clustering is supported in Storage Spaces. However, it is limited to serial-attached SCSI disk
types. SATA, SCSI, or USB are not supported.
Providing a level of redundancy for disk failure can be an expensive and complex process involving
dedicated or specific hardware and software. When you create Storage Spaces in Windows Server 2012,
you can provide a software-based level of redundancy or resiliency without the need for additional
hardware or software. There are three options when you create Storage Spaces, two of which provide
redundancy:
• Simple. This requires at least one disk and the striping of the data across multiple disks—that is, as
data is written, it is spread out and written across multiple disks. This allows for quicker writing of data
but does not protect the data from a disk failure.
• Mirrored. This scenario requires at least two disks. When you write data to one of the disks, a copy of
the data is written to the other disk at the same time. This means if one of the disks fails, there is
another copy of the data available. Mirrored disks reduce capacity, and if two disks fail, there is no
level of redundancy. To provide protection from two disk failures, five disks would be required.
• Parity. This scenario requires at least three disks. When you write data, it writes half the data to the
first disk, the rest of the data is written to the second disk, and a checksum value is written to the
third disk. If one of the first two data disks fails, the data can be restored by using half the data and
the checksum value. It increases redundancy should a single disk fail but reduces capacity. It cannot
be used in failover clustering.
Thin Provisioning
There are benefits to using storage pools for providing storage. With thin provisioning, you can allocate
more space than is actually physically available when the drive is created. For example, if you have two 5
TB external SATA drives, giving you a total of 10 TB of available space, you could create a storage pool
based on these two drives, and then create a Storage Space of up to 64 TB, even though you do not have
all that physical capacity available.
With thin provisioning, space or blocks are only allocated from the storage pool as they are needed.
Therefore, you can add capacity as needed. In contrast fixed, or thick, provisioning allocates all the
available space from the storage pool when the Storage Space is created.
Windows PowerShell
Windows PowerShell also provides management and configuration support for Storage Spaces in
Windows Server 2012. The following table includes some cmdlets and commands that might be useful.
Get-StoragePool: Displays all storage pools. This is provided as part of the Storage module.
Resize-SpacesVolume: Resizes Storage Spaces and file system volumes. This is provided as part of the
Storage Spaces module. The module must be separately downloaded. After you download the module, it
must be imported into Windows PowerShell by using the Import-Module cmdlet.
Get-Command -Module Storage,StorageSpaces: Lists all available cmdlets in the Storage and StorageSpaces
modules.
Demonstration Steps
1. Create a Storage Pool
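The storage pool, hot spare, mirrored Storage Space and thin provisioning described in this lesson, together with the demonstration step, as an added PowerShell example that is not part of the course content. It assumes a Windows Server 2012 host with at least three blank disks that can be pooled; the pool and space names are assumptions. The final function is the check thin provisioning makes necessary: how much of the physical pool is already committed.

```powershell
# Added example (not course code). Assumes Windows Server 2012 with at least three
# blank, poolable physical disks. Pool and Storage Space names are assumptions.
$PoolName  = 'DataPool'
$SpaceName = 'ThinMirror'

# 1. Only disks with no partitions or volumes can be pooled; anything on them is lost.
$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 3) { throw "Need at least three poolable disks, found $($poolable.Count)." }
$subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $poolable | Out-Null

# 2. Designate one pool member as a hot spare, taken into use automatically on a failure.
$spare = Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk | Select-Object -First 1
Set-PhysicalDisk -UniqueId $spare.UniqueId -Usage HotSpare

# 3. A mirrored, thin-provisioned space far larger than the physical capacity behind it
#    (the 64 TB figure is the text's own). Fixed provisioning would refuse this size.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $SpaceName `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 64TB

# 4. The space now appears as a disk: initialize, partition and format it as usual.
$disk = $vdisk | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false | Out-Null

# 5. Thin provisioning defers allocation, so the figure to watch afterwards is how much
#    of the pool's physical capacity the spaces have already consumed.
function Get-PoolCommitment {
    param([Parameter(Mandatory)] [string] $PoolFriendlyName)
    $pool   = Get-StoragePool -FriendlyName $PoolFriendlyName
    $spaces = Get-VirtualDisk -StoragePoolFriendlyName $PoolFriendlyName
    $provisioned = ($spaces | Measure-Object -Property Size -Sum).Sum
    [PSCustomObject]@{
        Pool            = $pool.FriendlyName
        PhysicalGB      = [math]::Round($pool.Size / 1GB, 1)
        AllocatedGB     = [math]::Round($pool.AllocatedSize / 1GB, 1)
        FreeGB          = [math]::Round(($pool.Size - $pool.AllocatedSize) / 1GB, 1)
        ProvisionedGB   = [math]::Round($provisioned / 1GB, 1)
        OvercommitRatio = [math]::Round($provisioned / $pool.Size, 2)
        PercentUsed     = [math]::Round(100 * $pool.AllocatedSize / $pool.Size, 1)
    }
}

Get-PoolCommitment -PoolFriendlyName $PoolName
```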
What Is RAID?
RAID is a technology that has existed for a long time. It enables you to configure storage systems to
provide high reliability and potentially high performance. RAID implements these storage systems by
combining multiple disks into a single logical unit called a RAID array that, depending on the
configuration, can withstand the failure of one or more of the physical hard disks, or provide better
performance than is available by using a single disk.
RAID enables fault tolerance by using additional disks to make sure that the disk subsystem can continue
to function even if one or more disks in the subsystem fail. RAID uses two options for enabling fault
tolerance:
• Disk mirroring. With disk mirroring, all the information that is written to one disk is also written to
another disk. If one of the disks fails, the other disk is still available.
• Parity information. Parity information is used to calculate the information that was stored on a disk
if there is a disk failure. If this option is used, the server or RAID controller calculates the parity
information for each block of data written to the disks, and then stores this information on another
disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the data that
is still available on the functional disks and the parity information to re-create the data that was
stored on the failed disk.
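The parity option just described, and the Storage Spaces "Parity" layout from earlier in this lesson, both rest on the same calculation. The following is an added PowerShell example, not course code: it computes parity for one stripe of constructed data, simulates losing a disk, and rebuilds the missing block from the survivors.

```powershell
# Added example (not course code): the parity mechanism behind RAID 5 and the Storage
# Spaces "Parity" layout, reduced to its core. All data is constructed in memory;
# nothing here touches a real disk.

# Parity is the byte-wise XOR of every data block in a stripe.
function Get-ParityBlock {
    param([Parameter(Mandatory)] [object[]] $DataBlocks)
    $length = ([byte[]]($DataBlocks[0])).Length
    $parity = New-Object byte[] $length
    foreach ($block in $DataBlocks) {
        $block = [byte[]]$block
        if ($block.Length -ne $length) { throw 'All blocks in a stripe must be the same size.' }
        for ($i = 0; $i -lt $length; $i++) {
            $parity[$i] = $parity[$i] -bxor $block[$i]
        }
    }
    return ,$parity
}

# XOR is its own inverse, so any single missing block (data or parity) equals the XOR
# of every block that survived; the parity block joins the calculation like any other.
function Restore-MissingBlock {
    param([Parameter(Mandatory)] [object[]] $SurvivingBlocks)
    $block = Get-ParityBlock -DataBlocks $SurvivingBlocks
    return ,$block
}

function Test-BlocksEqual {
    param([byte[]] $A, [byte[]] $B)
    if ($A.Length -ne $B.Length) { return $false }
    for ($i = 0; $i -lt $A.Length; $i++) {
        if ($A[$i] -ne $B[$i]) { return $false }
    }
    return $true
}

# One stripe across three data disks plus a parity disk, 8 bytes per disk (constructed).
$disk0 = [System.Text.Encoding]::ASCII.GetBytes('ABCDEFGH')
$disk1 = [System.Text.Encoding]::ASCII.GetBytes('01234567')
$disk2 = [byte[]](0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0xFF, 0x10, 0x01)
$parityDisk = Get-ParityBlock -DataBlocks $disk0, $disk1, $disk2

# Simulate the failure of disk 1 and rebuild its block from the survivors.
$rebuilt = Restore-MissingBlock -SurvivingBlocks $disk0, $disk2, $parityDisk
if (-not (Test-BlocksEqual $rebuilt $disk1)) { throw 'Rebuild of disk 1 failed.' }
'Rebuilt disk 1: ' + [System.Text.Encoding]::ASCII.GetString($rebuilt)

# The parity disk itself is recoverable the same way if it is the one that fails.
$rebuiltParity = Restore-MissingBlock -SurvivingBlocks $disk0, $disk1, $disk2
if (-not (Test-BlocksEqual $rebuiltParity $parityDisk)) { throw 'Rebuild of parity failed.' }
'Parity disk rebuilt correctly.'

# Two simultaneous failures leave one equation with two unknowns, which single parity
# cannot solve. That is what RAID 6 (dual parity) is for, and why none of this replaces
# a backup.
```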
RAID subsystems can also provide potentially better performance than a single disk by distributing disk
reads and writes across multiple disks. For example, when you implement disk striping, the server can read
information from all hard disks in the stripe set. When combined with multiple disk controllers, this can
provide significant improvements in disk performance.
Hardware RAID is implemented by installing a RAID controller in the server, and then configuring RAID by
using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden
from the operating system. The RAID arrays are exposed to the operating system as single disks. The only
configuration that you have to perform in the operating system is to create volumes on the disks.
Software RAID is implemented by exposing all the disks that are available on the server to the operating
system, and then configuring RAID from the operating system. Windows Server 2012 supports software
RAID, and you can use Disk Management to configure several different levels of RAID. Given the
significant changes and functionality that is now available in Windows Server 2012 with Storage Spaces,
software RAID can now be a secondary choice.
Note: Although RAID can provide better tolerance for disk failure, you should not use RAID
to replace traditional backup. If all the disks were to fail, then you would still have to rely on
standard backups.
RAID 0
Description: Striped set without parity or mirroring. Data is written sequentially to each disk.
Performance: High read and write performance.
Space utilization: All space on the disks is available.
Redundancy: A single disk failure results in the loss of all data.
Comments: Use only if you must have high performance and can tolerate data loss.

RAID 1
Description: Mirrored set without parity or striping. Data is written to both disks at the same time.
Performance: Good performance.
Space utilization: Can only use the amount of space that is available on the smallest disk.
Redundancy: Can tolerate a single disk failure.
Comments: Frequently used for system and boot volumes with hardware RAID.

RAID 2
Description: Data is written in bits to each disk, with parity written to a separate disk or disks.
Performance: Very high performance.
Space utilization: One or more disks used for parity.
Redundancy: Can tolerate a single disk failure.
Comments: Requires that all disks be synchronized. Currently not used.

RAID 3
Description: Data is written in bytes to each disk, with parity written to a separate disk or disks.
Performance: Very high performance.
Space utilization: One disk used for parity.
Redundancy: Can tolerate a single disk failure.
Comments: Requires that all disks be synchronized. Rarely used.

RAID 4
Description: Data is written in blocks to each disk, with parity written to a dedicated disk.
Performance: Good read performance, poor write performance.
Space utilization: One disk used for parity.
Redundancy: Can tolerate a single disk failure.
Comments: Rarely used.

RAID 5
Description: Striped set with distributed parity. Data is written in blocks to each disk, with parity
spread across all disks.
Performance: Good read performance, poor write performance.
Space utilization: The equivalent of one disk used for parity.
Redundancy: Can tolerate a single disk failure.
Comments: Very frequently used for data storage where performance is not important but maximizing
disk usage is important.

RAID 6
Description: Striped set with dual distributed parity. Data is written in blocks to each disk, with double
parity written across all disks.
Performance: Good read performance, poor write performance.
Space utilization: The equivalent of two disks used for parity.
Redundancy: Can tolerate two disk failures.
Comments: Frequently used for data storage where performance is not important but maximizing disk
usage and availability are important.

RAID 0+1
Description: Striped sets in a mirrored set. A set of drives is striped, and then the stripe set is mirrored.
Performance: Very good read and write performance.
Space utilization: Half the disk space is available because of mirroring.
Redundancy: Can tolerate the failure of two or more disks as long as all failed disks are in the same
striped set.
Comments: Not usually used.

RAID 1+0
Description: Mirrored set in a striped set. Several drives are mirrored to a second set of drives, and then
one drive from each mirror is striped.
Performance: Very good read and write performance.
Space utilization: Half the disk space is available because of mirroring.
Redundancy: Can tolerate the failure of two or more disks as long as both disks in a mirror do not fail.
Comments: Frequently used in scenarios where performance and redundancy are important, and the cost
of the additional disks required is acceptable.
You can configure different levels of RAID. When you configure a RAID level, you have to be aware of the
following implications:
• Performance implications. Some RAID levels provide very high performance whereas other RAID
levels provide much worse performance. Some RAID levels provide high read performance, but
reduced write performance. You have to consider these performance characteristics when you select a
RAID level.
• Level of redundancy. RAID levels also provide different levels of redundancy. Some RAID levels
cannot support the loss of any disks; some RAID levels can support the loss of one or more disks. You
have to consider your requirements for redundancy when you select a RAID level.
• Storage use. RAID levels also have different levels of storage use. With some RAID levels, the storage
capacity for the RAID array is equal to the total amount of disk space for all disks in the array. For
other RAID levels, one or more disks might be used to store parity information. With disk mirroring,
the RAID array storage capacity is half of the storage capacity of the disks.
In most cases, you have to select which of the three options are most important for your RAID
implementation. Each RAID level provides a high level of functionality for one or two options, but no RAID
level provides high functionality for all options. This means that you have to evaluate the required RAID
level for each server or application separately.
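The three trade-offs above can be worked through in code. The following is an added example, not part of the course, that applies the rules from the RAID table (usable space, guaranteed fault tolerance, minimum member count) to a constructed set of disks; the function name, its property names and the sample disk sizes are this example's own, and mixed-size members are handled as the table describes (mirrored and striped sets can only use the smallest member's capacity per disk).

```powershell
# Added example (not from the course): RAID trade-off calculator following the table above.
# Sizes are in GB. "Guaranteed" failures survive whichever disks fail; "best case" failures
# survive only when they fall in the right places (different mirrors, or the same stripe set).
function Get-RaidCapacity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('0', '1', '5', '6', '0+1', '1+0')]
        [string]$Level,
        [Parameter(Mandatory)][long[]]$DiskSizesGB
    )
    $n        = $DiskSizesGB.Count
    $smallest = ($DiskSizesGB | Measure-Object -Minimum).Minimum
    $total    = ($DiskSizesGB | Measure-Object -Sum).Sum

    switch ($Level) {
        # Striping writes the same amount to every member, so only the smallest disk's
        # capacity counts per member (the table's "all space" assumes equal-sized disks).
        '0'   { $minDisks = 2; $usable = $n * $smallest;       $guaranteed = 0; $best = 0 }
        # Mirror: capacity of the smallest disk; an n-way mirror survives n-1 failures.
        '1'   { $minDisks = 2; $usable = $smallest;            $guaranteed = 1; $best = $n - 1 }
        # One disk's worth of parity spread across all members.
        '5'   { $minDisks = 3; $usable = ($n - 1) * $smallest; $guaranteed = 1; $best = 1 }
        # Two disks' worth of parity.
        '6'   { $minDisks = 4; $usable = ($n - 2) * $smallest; $guaranteed = 2; $best = 2 }
        # Half the space is lost to mirroring; only one failure is guaranteed to be survived.
        '0+1' { $minDisks = 4; $usable = ($n / 2) * $smallest; $guaranteed = 1; $best = $n / 2 }
        '1+0' { $minDisks = 4; $usable = ($n / 2) * $smallest; $guaranteed = 1; $best = $n / 2 }
    }
    if ($n -lt $minDisks) { throw "RAID $Level needs at least $minDisks disks; $n supplied." }
    if ($Level -in '0+1', '1+0' -and ($n % 2) -ne 0) { throw "RAID $Level needs an even number of disks." }

    [pscustomobject]@{
        Level              = "RAID $Level"
        Disks              = $n
        RawGB              = $total
        UsableGB           = $usable
        OverheadGB         = $total - $usable
        FailuresGuaranteed = $guaranteed
        FailuresBestCase   = $best
    }
}

# Constructed sample: six 2 TB disks (2048 GB each); RAID 1 is shown with two of them.
$six = @(2048, 2048, 2048, 2048, 2048, 2048)
$results = foreach ($lvl in '0', '5', '6', '0+1', '1+0') { Get-RaidCapacity -Level $lvl -DiskSizesGB $six }
$results += Get-RaidCapacity -Level '1' -DiskSizesGB $six[0..1]
$results | Format-Table -AutoSize
```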
Demonstration Steps
1. Create a new mirrored volume.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 50 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
follow these steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: ADATUM
2. Use Windows PowerShell to identify the newly created disk, bring the disk online, and initialize it.
2. In Disk Management, create a new .vhd file with the following configuration:
Task 2: Use Windows PowerShell to identify the newly created disk, bring the disk
online, and initialize it
1. Open the Windows PowerShell console.
2. Use the Get-Disk cmdlet to list all disks present on the Windows Server 2012 server, and identify the
disk that has just been created.
3. Use the Set-Disk cmdlet with the "-Number" and "-IsOffline" parameters to bring the .vhd file online.
4. Find a Windows PowerShell command that can initialize the newly created disk.
5. Use the newly discovered cmdlet with the "-Number" and "-PartitionStyle" parameters to initialize the
disk with a Master Boot Record (MBR) partition style.
Results: After this exercise, you should have a Hyper-V® .vhd file.
o FileSystem: NTFS
6. On Disk 2, create another New Simple Volume with the following details, and verify that it is created
successfully:
o FileSystem: ReFS
3. Mount the new SimpleVol_ReFS volume so that it is accessible via the file location
C:\MountedVolume_ReFS.
Results: After this exercise, you should have a 2 GB NTFS volume and a 10 GB ReFS volume.
3. Verify that the NTFS volume size has increased from 2 GB to 6 GB and that the volume is still accessible.
Results: You have expanded the NTFS volume to 4 GB in size but have failed to shrink the ReFS volume,
because shrinking a ReFS volume is not supported. If your manager insists on a ReFS drive of the
reduced size, the volume will need to be re-created.
2. In Server Manager, click File and Storage Services, then Volumes, and then Storage Pools.
3. Create a Storage Pool with the following settings:
• Name: StoragePool1
• Physical Disks to Add:
• PhysicalDisk3
• PhysicalDisk4
3. Server: LON-SVR1
2. Verify the health of the virtual disk, and also that the .txt file created earlier is still available and
accessible.
Results: You have created a Storage Pool and a Virtual Disk, and have verified the integrity of the shared data
in the event of catastrophic hard disk failure by simulating the removal of a disk to represent a hard disk
failure.
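The disk and storage-pool tasks of this lab can also be carried out from the Windows PowerShell console. The following script is an added example, not the lab's own steps; it assumes the new .vhd is already attached and that it and the lab's Disk 2 appear as the only two uninitialized (RAW) disks (the .vhd at least 8 GB, Disk 2 larger than 10 GB), and that the pool disks are PhysicalDisk3 and PhysicalDisk4 as in the lab. Volume sizes, labels, the mount path and the pool name come from the lab; "VirtualDisk1" and the variable names are this example's own.

```powershell
# Added example (not the lab's own code). Run from an elevated Windows PowerShell console on LON-SVR1.

# Task 2: identify the newly created disk(s). Selecting on PartitionStyle 'RAW' is the safety
# check: a disk that already carries MBR or GPT metadata may hold data and must not be re-initialized.
$raw = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Sort-Object Number)
if ($raw.Count -lt 2) { throw "Expected two uninitialized (RAW) disks, found $($raw.Count)." }
$vhdDisk  = $raw[0]   # assumption: the new .vhd (NTFS volume)
$dataDisk = $raw[1]   # assumption: the lab's Disk 2 (ReFS volume)

foreach ($d in $vhdDisk, $dataDisk) {
    Set-Disk -Number $d.Number -IsOffline $false          # bring the disk online
    Set-Disk -Number $d.Number -IsReadOnly $false
    Initialize-Disk -Number $d.Number -PartitionStyle MBR  # MBR as the lab requires
}

# 2 GB NTFS simple volume with a drive letter
$ntfs = New-Partition -DiskNumber $vhdDisk.Number -Size 2GB -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'SimpleVol_NTFS' -Confirm:$false

# 10 GB ReFS simple volume, mounted in an empty folder instead of a drive letter
$mount = 'C:\MountedVolume_ReFS'
New-Item -ItemType Directory -Path $mount -Force | Out-Null
$refs = New-Partition -DiskNumber $dataDisk.Number -Size 10GB
Format-Volume -Partition $refs -FileSystem ReFS -NewFileSystemLabel 'SimpleVol_ReFS' -Confirm:$false | Out-Null
Add-PartitionAccessPath -DiskNumber $dataDisk.Number -PartitionNumber $refs.PartitionNumber -AccessPath $mount

# Resizing: ask the storage stack what is possible before touching the partition. Growth needs
# free space directly after the partition, and shrinking a ReFS volume is not supported (the lab
# notes it must be re-created instead), so the same check guards both directions.
$target = 6GB
$sizes  = Get-PartitionSupportedSize -DriveLetter $ntfs.DriveLetter
if ($target -ge $sizes.SizeMin -and $target -le $sizes.SizeMax) {
    Resize-Partition -DriveLetter $ntfs.DriveLetter -Size $target
} else {
    Write-Warning ("Cannot resize to {0} MB; supported range is {1}-{2} MB" -f ($target/1MB), [int]($sizes.SizeMin/1MB), [int]($sizes.SizeMax/1MB))
}

# Storage pool from the two spare physical disks, then a mirrored virtual disk on it
$poolDisks = Get-PhysicalDisk -CanPool $true |
             Where-Object { $_.FriendlyName -in 'PhysicalDisk3', 'PhysicalDisk4' }
if (@($poolDisks).Count -ne 2) { throw 'PhysicalDisk3 and PhysicalDisk4 must both be present and poolable.' }
$subsystem = Get-StorageSubSystem | Select-Object -First 1   # assumption: a single Storage Spaces subsystem
New-StoragePool -FriendlyName 'StoragePool1' -StorageSubSystemFriendlyName $subsystem.FriendlyName `
                -PhysicalDisks $poolDisks | Out-Null
New-VirtualDisk -StoragePoolFriendlyName 'StoragePool1' -FriendlyName 'VirtualDisk1' `
                -ResiliencySettingName Mirror -UseMaximumSize | Out-Null

# Health check; re-run this after pulling a pool disk to simulate the failure in the last task
Get-StoragePool -FriendlyName 'StoragePool1' | Select-Object FriendlyName, HealthStatus, OperationalStatus
Get-VirtualDisk -FriendlyName 'VirtualDisk1'  | Select-Object FriendlyName, HealthStatus, OperationalStatus
```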
Review Question(s)
Question: What are the different kinds of disks?
Tools
Tool | Use for | Where to find it
Module 3
Understanding Network Infrastructure
Contents:
Module Overview 3-1
Module Overview
Networks are a critical component of an effective Windows Server® infrastructure. Most computing
systems today are connected in some way to a network. A typical corporate network has many
components and can connect a computer to other computers in the next room, across a city, or on the
other side of the globe.
This module reviews the general characteristics of computer networks and introduces components and
concepts associated with networks, providing you with the basic information required to understand the
fundamentals of a network computing environment.
Objectives
After completing this module, you will be able to:
Lesson 1
Network Architecture Standard
A network is created by using several different physical components and logical standards that define the
specific qualities of a network. Network architecture refers to the set of physical components and logical
standards that provide the basis for communication in a network.
In order to troubleshoot a network environment, you must understand the composition and capabilities
of the network's architecture.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802 standards.
One of the most significant and recognizable computer networking standards is the IEEE 802 family of
standards, which define the functionality of different aspects of a network environment. The IEEE 802
standard has more than 15 sub-standards that apply to specific technologies found in a network
environment. Only some of the standards are discussed in this section; other standards will be discussed in
more detail later in this module and in the next module. All have different data flows—that is, how the
data is moved around the network—and, as such, might have different physical requirements for
implementing them. They also have varying performance and security capabilities, in addition to
different associated costs. Therefore, some specifications are more widely used than others. Some of the more
important IEEE 802 standards you might have seen are listed here. (Note that some of the 802.X
standards have subcategories within each standard definition.)
• IEEE 802.3. The 802.3 working group defines wired Ethernet network standards. This is generally a
local area network (LAN) technology, which you would see in a typical office environment, with some
wide area network (WAN) or metropolitan area network (MAN) applications.
• IEEE 802.5. The 802.5 working group defines token ring network standards. Currently this group is
inactive and the information has been archived for historical purposes.
• IEEE 802.11. The 802.11 working group defines standards for wireless local area networks (WLANs) in
the 2.4, 3.6, 5 and 60 gigahertz (GHz) frequency bands. This group of standards generally uses radio
frequency spectrum for the sending and receiving of data. The 802.11 networks exist as the most
common form of wireless network and benefit from simple setup, node addition, and fairly low
implementation costs.
• IEEE 802.15. The 802.15 working group defines wireless Personal Area Network (PAN) standards.
These wireless PANs address wireless networking of portable and mobile computing devices such as
computers, personal digital assistants (PDAs), peripherals, cell phones, pagers, and consumer
electronics. This group includes Bluetooth certification.
• IEEE 802.16. The standards of the 802.16 working group govern broadband wireless WAN technology.
The 802.16 standards are generally known as Worldwide Interoperability for Microwave Access. The
802.16 networks use microwave transmission for the sending and receiving of data and are typically
used for backbone connections for a telecommunications network or high-capacity corporate WAN.
Because of the line-of-sight requirement for Worldwide Interoperability for Microwave Access devices
to communicate, additional infrastructure such as towers and large antennae are required for an
802.16 implementation. This can make implementation costly.
More information about the IEEE standards can be found at the following website.
http://www.ieee.org
• Byte. A group of 8 bits makes up a single byte. This typically holds a single character, such as a letter,
a digit, or a punctuation mark. Some single characters can require more than one byte. For example,
in languages such as Chinese, Japanese, and Thai, a character can require two bytes to be fully represented.
Various standards outline how bytes translate to specific characters for a language. The general
industry standard is Unicode, which provides mappings for all languages.
More information about Unicode can be found at the following website.
http://www.unicode.org
Bytes are binary representations and are most often used in relation to storage, defining how much data
a hard disk can hold or provide. You need to be careful to interpret the terms bit and byte correctly.
An important distinction between the two is that bits are indicated with a lowercase "b" whereas bytes
are indicated with an uppercase "B". Ultimately, computers store data as a series of numbers, 1s and 0s.
These are converted to a format that humans can understand and interpret.
Node. A network node refers to a device that either sends or receives data on a network. Computers are
typical nodes, but nodes can be other devices that are directly attached to the network, such as printers,
scanners, or handheld devices.
Client. A computer on a network that primarily receives data or uses other resources on the network is
known as a client.
Server. A server is a computer on a network that is primarily responsible for sharing or “serving” data and
resources to other computers on the network. A server typically provides access to shared files, services, or
devices such as printers for the whole network, and access to the Internet, intranet, or email services, in
addition to many other items.
Peer. A peer performs the functions of a client computer, but also provides shared resources like a server
does. Peers are common in small networks when a dedicated server is not necessary or cost-efficient.
Network Adapter. A network adapter is a device that enables a node to physically connect to a network.
It provides the interface between the hardware of the device connecting to the network and the network
itself. A computer or device could have wired and wireless network adapters.
Media. The physical material used to connect devices on a network is known as that network’s media.
Media is typically a cable, but can also be wireless radio frequency, fiber-optic cables carrying light waves,
infrared, or some other less “physical” medium.
Hubs/switches/routers. These are devices that help direct and move data around and across networks.
Although there is some crossover in functionality, they each have specific uses and attributes. The
following provides high-level definitions; they are discussed in more detail in the next module.
Hubs. These are the most basic kind of connecting device. They are used in a wired network to enable
devices to talk to one another by using Ethernet cables. Typically, multiple cables are plugged into a
single hub. No configuration is required or complex functionality supported.
Switches. Similar to hubs, switches are used in a wired network to allow devices to talk to one another by
using Ethernet cables. However, they provide much more control over how data is transferred between
devices than a hub. Switches direct communication only to the nodes that require the information.
Routers. These also allow for connecting devices and networks together and can be used in wired or
wireless networks. Routers provide the greatest amount of functionality and customization, such as
controlling network access, preventing data from accessing networks if it does not meet certain criteria,
and “routing” traffic to certain networks.
Transport protocol. A transport protocol refers to the set of rules that govern how data is packaged,
sent, and unpackaged when it is transmitted over the network. Different network architectures will have
protocols with different structures to accommodate how the network functions.
Bandwidth. This term can have several different interpretations, depending on the context. Common
usage would be in relation to the throughput or transmission speed at which a network operates, and it
would be rated as a function of data transmitted per second. Bandwidth can be measured in various
units, but you will typically see it known as the following:
Another, more original, use is in relation to signal transmission methodologies. There are two
implementations:
• Baseband transmissions, where a single signal is transmitted at a time along a single cable.
• Broadband transmissions, where multiple signals are transmitted along a single cable at the same
time. For example, this might be in a home where Internet access and multiple cable television
channels are simultaneously being transferred with the same cable.
Network Architecture
Network architecture refers to both the set of
physical components that work together to
connect computers in a network and the
functional organization and configuration of those
components. Network architecture standards also
govern how data is packaged and transmitted on
a network.
LAN standards include the most widely used Ethernet architecture and the older Attached Resource Computer
Network (ARCnet) and token ring architectures.
Ethernet
Ethernet's low cost, reliability, and simplicity of implementation have made it the main architecture
standard found in modern networks. It is used in both small and large networking environments.
In basic form, an Ethernet network involves several nodes connected with copper wire cables to a hub or
switch. For larger bandwidth requirements, or long-distance connections, fiber-optic cable is frequently
used.
Ethernet has evolved into several specific standards. Over time, changes to network media, computing
technology, and bandwidth requirements have forced changes to the Ethernet standard to accommodate
the evolving network environment.
In an Ethernet-based network, data can be transmitted along the network media by any node at any time
to all other connected nodes. This mass transmittal is known as broadcasting. The broadcasted
transmission is detected by all nodes on the network, but only those nodes for which the transmission was
intended will accept and receive the incoming data.
The various Ethernet cabling standards are named using a bandwidth value, the term Base, and then a
number or letter designation. A bandwidth value of 100 indicates 100 Mbps. The number indicates the
distance over which a signal can carry. For example, a 2 represents 200 meters and a 5 represents 500
meters. A descriptor letter or letters help identify the cabling type. For example, T can indicate copper
wire, and F/L and E can indicate various kinds of fiber-optic cable. The following table provides key
characteristics of the most frequently implemented Ethernet standards.
Standard Bandwidth
10BASE2 10 Mbps
10BASE5 10 Mbps
10BASE-T 10 Mbps
1000BASE-LX 1 Gbps
10GBASE-T 10 Gbps
10GBASE-LR/ER 10 Gbps
Ethernet networks that have speeds of 100 Mbps are known as fast or high-speed Ethernet. Ethernet
networks that have speeds of 1 Gbps or greater are known as Gigabit Ethernet.
In a scenario where cabling is not easily available, you can use the existing power lines that transfer
electricity to implement an Ethernet network—that is, the electricity and data are transferred over the
same cabling. A typical scenario would be in a home environment where it is not possible to install a
network cabling system or where there is poor wireless signal reception. This scenario could extend the
network range by using existing power cabling. There are limitations around power and distances but this
scenario can provide relatively fast networks.
Token Ring
The network nodes in token ring networks are arranged in a circle so that the data flows logically in a
circular motion. It relies on the use of a “token,” which passes around the network. If a node wants to send
data over the network, it grabs the “token,” attaches its message to it, and then sends the data. The data
then travels in a circle around the network until it arrives at its intended destination. It uses primarily
copper wire for data transmission and can transmit at speeds of somewhere between 4 Mbps and 16
Mbps. Token ring was common in early corporate networks as an alternative to Ethernet. However, it has
been largely replaced by Ethernet.
Note: Support for token ring networks was removed in Windows Server 2012.
ARCnet is a form of token bus network architecture for PC-based LANs. It works by transferring data
according to position or sequence numbers assigned to computers in the network—that is, 1, 2, 3, and so
on. This is not the most efficient method for data transfer. ARCnet can support up to 255 nodes but is
typically suitable for small networks. Different versions run at speeds of 1.5 Mbps, 20 Mbps (ARCnet Plus),
and 100 Mbps. ARCnet is now rarely used for new general networks.
Fiber Distributed Data Interface
Fiber Distributed Data Interface (FDDI) also uses a token-based approach to transmitting data on a
network, as outlined earlier for token ring networks. However, it uses primarily fiber-optic cable as a
medium for transmission and can span distances of 200 km at a speed of 100 Mbps. FDDI was used in the
early to mid-1990s to connect geographically separated networks. It has been largely replaced by
Ethernet. FDDI is used mainly in mission-critical and high-traffic networks where a large amount of
bandwidth is needed.
All the architecture types discussed to this point are wired networks. There are also many wireless network
architecture types, such as WLAN or Wi-Fi, infrared, and Bluetooth. Ultimately, your requirements and
ability to implement—be it cost, hardware availability, and so on—will dictate which network architecture
you will deploy.
There are two basic network media access control methods: contention-based access and deterministic
access. In contention-based access networks, the nodes share or “contend” for access to the media. In
deterministic access networks, the nodes “determine” how long data transmission and confirmation will
take for an orderly flow of data.
Contention-Based Access
When Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is used as a network media
access control method, a node first “listens” on the network media to make sure that there is no existing
data transmission in progress from another node. If no other transmission signal is present, the node will
transmit its data. If a transmission signal exists on the network media, the node will wait for a small
interval of time before checking again, repeating this process until the media is free of other data
transmissions before it sends its own transmission.
When two nodes that want to send data check the network at the same time and find no existing
transmission, they will both transmit their data. This causes a data “collision” on the network. When this
occurs, both nodes detect the collision, stop transmitting data immediately, and send out a signal that
informs all nodes on the media that a collision has occurred and that they should not transmit. Then, the
nodes that caused the collision will wait for a random time before trying to retransmit their data.
CSMA/CD is the network media access method used for Ethernet networks. It provides the network with a
fast method of data transmission and collision resolution, but because concurrent data transmission and
collisions can occur, it becomes increasingly less efficient as more nodes are added to a specific segment
of network media. This is not as relevant in modern networks because hubs are used less and less, and
with the use of switches, there are only two nodes per wire.
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
When CSMA/CA is implemented, nodes advertise their intent to transmit data on the network media
before actually transmitting the data. Nodes on the network media are constantly "listening" for the
advertisements of other nodes, and if an advertisement is detected, the node will avoid transmitting its
own data.
This method allows for nodes to more efficiently avoid collisions with data transmitted from other nodes
on the network media when you compare it to CSMA/CD. It also allows for more consistent
communication on the network media for data transmission notification, especially if intermittent node
connectivity is an issue or if a node is not always aware of every other node on the network media. This
makes CSMA/CA an excellent candidate for wireless networks. It has been accepted as the network media
access control method for the 802.11 group of wireless networking standards. CSMA/CA’s collision
avoidance method does come at the cost of being generally a slower method than CSMA/CD.
Deterministic Access
Token Passing
Token passing is a method that uses a small piece of data or “token” to signify the intention to transmit
data. This token, together with the other data being sent, is passed around to all systems in the network.
When the token and data reach the intended destination, the data is passed to the destination system and
the token continues through the rest of the system until it reaches the originating system, confirming
transmission to the whole network. Both FDDI and token ring use the token passing method.
Demand Priority
Demand priority is a method that shifts network access control from the transmitting node to the hub.
Before transmitting data, a node must receive permission from the hub. The hub can provide both high-
priority and regular-priority transmission to the destination node. Demand priority guarantees bandwidth
and increases network traffic. Demand priority is used on 100 Mbps Ethernet networks.
Lesson 2
Local Area Networking
A LAN is the most basic and frequently implemented form of computer network. This lesson introduces
you to the LAN and its associated concepts and technologies.
The LAN is the building block for all major and more complex networks. So, this lesson will also familiarize
you with LAN structure, design, and implementation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe LANs.
What Is a LAN?
A LAN is a computer network that typically covers
a specific physical area such as a home, office, or
closely built group of buildings, such as a school
campus or airport. LANs also typically feature a
high bandwidth capacity and can provide equal
bandwidth and network access to all nodes.
A network frame contains a part of the original data being sent, together with network-specific
information about the frame's sender, the frame's recipient, and information that allows the frame to be
reassembled into readable data at its destination. A frame also contains error-checking information, a
cyclic redundancy check (CRC) value, which allows it to be retransmitted from the sender should it not
arrive at its destination as planned. The actual structure of a frame depends on the kind of network being
used. For example, an Ethernet frame will differ slightly in structure from a token ring frame. Frames are
described in more detail in the next module.
Every node on the LAN has a unique network address and this unique identifier allows each frame to
contain the information about where it is going and where it is coming from. This unique address allows
for simple and precise delivery methods throughout the LAN and also allows for each node to be
distinctly identifiable on the network.
A media access control (MAC) address is the most basic form of unique identifier for a node on a LAN.
MAC addresses are assigned to all network adapters at the time of manufacture and are most frequently
represented in hexadecimal format (for example, 00-22-FB-8A-41-64).
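A MAC address carries more structure than the paragraph above describes. The following is an added example, not from the course, that parses an address such as 00-22-FB-8A-41-64 and reports the IEEE 802 fields of its first three octets: the manufacturer prefix (OUI) and the two flag bits in the first octet, which go beyond what the text covers. The function name is an assumption; the addresses fed to it at the end are constructed sample input.

```powershell
# Added example (not from the course). IEEE 802 layout of a 48-bit MAC address:
#   octets 1-3 = OUI (Organizationally Unique Identifier, identifies the adapter's manufacturer)
#   octets 4-6 = assigned by that manufacturer
#   bit 0 of octet 1 = I/G bit: 0 = individual (unicast), 1 = group (multicast)
#   bit 1 of octet 1 = U/L bit: 0 = universally administered (factory), 1 = locally administered
function ConvertFrom-MacAddress {
    param([Parameter(Mandatory)][string]$Mac)

    # Accept "00-22-FB-8A-41-64", "00:22:fb:8a:41:64" or "0022.fb8a.4164"
    $hex = ($Mac -replace '[-:.]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a valid 48-bit MAC address: '$Mac'"
    }

    # Split the 12 hex digits into six byte values
    $octets = for ($i = 0; $i -lt 12; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }
    $first  = $octets[0]

    [pscustomobject]@{
        Address             = ($octets | ForEach-Object { $_.ToString('X2') }) -join '-'
        Oui                 = ($octets[0..2] | ForEach-Object { $_.ToString('X2') }) -join '-'
        IsBroadcast         = ($hex -eq 'FFFFFFFFFFFF')
        IsMulticast         = (($first -band 0x01) -ne 0)   # I/G bit set
        # U/L bit set means the address was not assigned at manufacture: typical of virtual
        # adapters or an administrator-set address, so worth a second look on a "physical" NIC.
        LocallyAdministered = (($first -band 0x02) -ne 0)
    }
}

# Constructed sample input: the course's example address, the IPv4 multicast MAC for 224.0.0.1,
# a locally administered address, and the broadcast address.
'00-22-FB-8A-41-64', '01:00:5E:00:00:01', '02-1A-2B-3C-4D-5E', 'FF-FF-FF-FF-FF-FF' |
    ForEach-Object { ConvertFrom-MacAddress $_ } | Format-Table -AutoSize
```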
with the LAN. For example, an Ethernet network adapter will not function when connected to a token
ring network.
• Wiring or cable. A LAN's wiring provides the physical media along which a LAN's data is sent. LAN
cable types will vary and are classified into a number of different types according to the physical
qualities of the cable. Common cable types include:
o Unshielded twisted pair (UTP). This cable is the most common type found in Ethernet LANs. It
consists of four pairs of copper wire twisted together and is usually terminated with what is called
an RJ-45 connector. The pairs of copper wires are twisted around each other to cancel out
electromagnetic interference or "crosstalk" as data moves along the cable, thus allowing for
better data integrity when received. Most technologies typically use just two of the four twisted
pairs. UTP is by far the most common cabling standard used in LANs.
o Coaxial copper. This cable is used in older Ethernet networks. It uses a barrel-type BNC
connector and is typically terminated with a resistor.
o Fiber-optic. This cable uses light transmitted along glass or fiber tubes, rather than the electrical
signals sent across copper-based cable. It is capable of transmitting data over longer distances
than copper and is typically used for connections that exceed the length restrictions of copper
cables or in areas where electromagnetic interference would prohibit the use of copper cable.
• Hubs. As explained earlier, a hub is a device for connecting multiple nodes on a network. Each node
that is physically connected to the hub can communicate with all other nodes connected to the same
hub. When using a hub, a signal sent from any node on the hub is transmitted to every other node on
it; therefore, hubs have more collisions and are typically used only in small networks.
• Switches. A switch performs the same basic functions as a hub, but it allows for more sophisticated
and efficient interaction with the data. As such, a switch can provide much improved performance
over a hub when any more than a few nodes are connected to the network. Because of the
comparative cost of network switches and hubs, switches have largely replaced hubs, even in small
networks.
• Termination points. Termination points or jacks describe the physical termination of a network cable
that allows a node to physically connect to the LAN. Typically, termination points exist as wall plates
with an appropriate receptacle for a short network cable that runs from the jack to the network
adapter of the node device.
• Wiring cabinets. Wiring cabinets or wiring closets provide a location where a number of hubs,
switches, or other LAN connectivity devices are located to provide a central point of connection for
LAN nodes located in a specific physical area such as a building or floor of a building. These locations
are typically a small room or closet.
• Bus topology. In a LAN where physical bus topology is used, nodes are connected to each other in a
consecutive line along a segment of network media. The network media is then typically “terminated”
at each end with a special device or connector that acts as the boundary for that particular segment
or piece of the LAN. Bus topology technology has been largely replaced by star topology in LANs.
o Advantages: A LAN using bus topology is easy to set up, it minimizes the amount of actual
cabling required, and the ability to quickly add systems makes it suitable for small LANs or
temporary networks.
o Disadvantages: If one section of the network media becomes disconnected or breaks, the entire
network ceases to function. This makes a bus topology–based LAN difficult to troubleshoot. You
must also ensure the endpoints are terminated correctly and cable length considerations come
into play in terms of signal attenuation.
• Ring topology. In a physical ring topology, nodes are connected in much the same way as with a bus
topology, but rather than each end of the network media being terminated, the ends are connected
together to form a ring. Ring topology technology has been largely replaced by star topology
technology in LANs.
o Advantages: Similar to bus topology, a LAN using ring topology is easy to set up, and the ability
to quickly add systems makes it suitable for small LANs.
o Disadvantages: Unfortunately, similar disadvantages that a LAN using bus topology faces also
exist in a LAN based on ring topology. The LAN is based on out-of-date technology; if one
section of the network media becomes disconnected or breaks, the entire network ceases to
function. This can make a LAN based on ring topology difficult to troubleshoot.
• Star topology. When using star topology, nodes are not connected to each other as they are in a bus
or ring topology, but instead they are connected to a central device such as a hub or switch. Modern
Ethernet-based LANs typically use star topology for their physical configuration.
o Advantages: LANs using star topology become more reliable on a node-by-node basis because
of the presence of the switch. With the addition of this device, nodes are dependent only on their
individual connection to the switch for access to the rest of the network. When using star
topology, the break or disconnection of a cable affects only the node using that specific cable,
making the LAN generally more reliable and easier to troubleshoot.
o Disadvantages: LANs based on star topology typically require more hardware and planning to
implement, due primarily to the addition of the switch or hub device, in addition to the extra
length of network cable required to connect each node back to the centrally located switch or
hub. They also still contain a single point of failure: the network switch or hub. If this device fails,
the entire network ceases to function. Switches would be used more than hubs in modern
implementations.
• Hybrid topology. Hybrid topology does not refer to a specific physical configuration, but rather to
the combination of one or more different topologies used together on the same LAN. The most
common form of hybrid topology consists of a multiple star topology–based network connected
together using bus topology to form a single LAN. LANs based on hybrid topology are very common,
and become necessary when designing large or complex LANs.
• Mesh topology. In a LAN based on mesh topology, extra connections are added to provide a level of
fault tolerance to the network. In a mesh topology–based LAN, information has more than one path it
can take between at least two individual nodes. This addition of extra connections or “meshing” is
typically done for critical or high-traffic connections within the LAN. Mesh topology features two
separate forms of meshing.
o Fully meshed. In this configuration, a direct link exists between every pair of nodes on the
network. This provides the highest level of fault tolerance available, but also cost and complexity
increase exponentially as more nodes are added to the network.
o Partially meshed. Partially meshed LANs are far more common than their fully meshed
counterparts. They do not provide direct connections between every pair of nodes, but rather
introduce a number of redundant connections based on both providing fault tolerance and
maintaining a reasonable cost of implementation.
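The advantages and disadvantages listed above can be checked numerically. The following Python model is an added example (not part of the course material): it builds each topology as a graph for a constructed number of hosts, counts the cables required, and reports what fraction of host pairs can still communicate after the worst-case single cable break. The ring is modelled as one-way, as a token ring operates, so a single break leaves only a one-way path; the "partial mesh" layout is a constructed one (a bus with three redundant links added).

```python
"""Model the LAN topologies described above as graphs and measure two things the
text discusses: how many cables each needs, and how much of the LAN keeps working
after the worst-case single cable break. Added example with constructed node counts."""
from collections import deque
from itertools import combinations


def undirected(pairs):
    """Expand cable pairs into directed edges: signal can flow both ways."""
    pairs = list(pairs)
    return {(a, b) for a, b in pairs} | {(b, a) for a, b in pairs}


def bus(n):
    # A shared segment, modelled as a chain: one break splits it in two.
    return set(range(n)), undirected((i, i + 1) for i in range(n - 1))


def ring(n):
    # Frames travel one way around the ring, so a single break leaves only a
    # one-way path and every node loses reachability to some other node.
    return set(range(n)), {(i, (i + 1) % n) for i in range(n)}


def star(n):
    # "hub" is the switch or hub; each host has exactly one cable to it.
    return set(range(n)), undirected(("hub", i) for i in range(n))


def full_mesh(n):
    return set(range(n)), undirected(combinations(range(n), 2))


def partial_mesh(n):
    # Constructed example: a bus with three redundant cross links added.
    chain = {(i, i + 1) for i in range(n - 1)}
    extra = {(0, n // 2), (1, n - 1), (0, n - 1)}
    return set(range(n)), undirected(chain | extra)


def cable_count(edges):
    """Number of physical cables (a two-way cable appears as two edges)."""
    return len({frozenset(map(str, e)) for e in edges})


def reachable(src, edges):
    """Breadth-first search over directed edges; returns the set of nodes reached."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
    seen, queue = {src}, deque([src])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pair_reachability(hosts, edges):
    """Fraction of ordered host pairs (a, b) in which a can still send to b."""
    ok = sum(1 for a in hosts for b in reachable(a, edges) if b != a and b in hosts)
    return ok / (len(hosts) * (len(hosts) - 1))


def worst_single_break(hosts, edges):
    """Lowest pair reachability after cutting any one cable (both directions)."""
    return min(pair_reachability(hosts, edges - {(a, b), (b, a)}) for a, b in edges)


def compare(n=8):
    """Cables needed and worst-case survivability for each topology with n hosts."""
    result = {}
    for name, builder in [("bus", bus), ("ring", ring), ("star", star),
                          ("partial mesh", partial_mesh), ("full mesh", full_mesh)]:
        hosts, edges = builder(n)
        result[name] = (cable_count(edges), round(worst_single_break(hosts, edges), 3))
    return result


if __name__ == "__main__":
    for name, (cables, survive) in compare().items():
        print(f"{name:13s} cables={cables:2d}  reachable pairs after worst break={survive:.0%}")
```

With eight hosts the star needs as many cables as the ring but a break isolates only one host (75% of pairs still communicate), the bus and ring lose half or more of their pairs, and the meshed layouts survive any single break, at the price of 10 and 28 cables respectively. The full mesh cable count grows as n(n-1)/2, which is the cost the text warns about.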
A virtual LAN (VLAN) is a virtual implementation of a LAN that allows you to control what nodes receive
what traffic and group the nodes accordingly—that is, nodes in a different physical or geographical
location can behave as if they were on the same logical network. This is typically achieved with the use of
switches and software, whereby you can configure a switch, or switches, in such a way that traffic handled
between certain ports on the switch is treated as though it were traffic on a single LAN. Traffic from other
ports outside this VLAN is typically routed.
Using VLANs, you can:
• Exert a fine degree of control over how traffic moves through the network.
• Control network bandwidth by configuring nodes that frequently communicate with one another
onto the same VLAN.
• Easily reconfigure your VLAN to encompass more or fewer nodes. You might need to rewire the
network to achieve the same ends with a LAN.
• Isolate network traffic to a specific VLAN; for example, to isolate computers that do not meet
organizational security requirements.
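The switch behaviour described above (ports grouped into VLANs, frames forwarded or flooded only within the sender's VLAN, and reconfiguration by changing port assignments rather than rewiring) can be illustrated with the following Python model. It is an added example, not code from the course; the port numbers, VLAN IDs and MAC addresses are constructed, and the model covers access ports only (no trunking or routing between VLANs).

```python
"""A switch model for the VLAN behaviour described above: each port belongs to a
VLAN, the switch learns source MAC addresses per VLAN, and a frame is delivered
(or flooded) only to ports in the sender's VLAN, so hosts in different VLANs cannot
exchange frames without a router. Added example; ports, VLAN IDs and MAC addresses
are constructed."""


class VlanSwitch:
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN ID (access ports)
        self.mac_table = {}                # (vlan, mac) -> port, learned per VLAN

    def assign(self, port, vlan):
        """Move a port to another VLAN: a configuration change, no rewiring."""
        self.port_vlan[port] = vlan
        # Forget entries learned on this port under its old VLAN.
        self.mac_table = {k: p for k, p in self.mac_table.items() if p != port}

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame leaves on."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src_mac)] = in_port          # learn the sender
        out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is not None and out_port != in_port:
            return {out_port}                               # known unicast
        # Unknown destination or broadcast: flood, but only within this VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


def build_example():
    # Constructed layout: ports 1-4 carry VLAN 10 (finance), ports 5-8 VLAN 20 (guest).
    return VlanSwitch({p: (10 if p <= 4 else 20) for p in range(1, 9)})


def demo():
    """Walk through four frames and return the ports each one was sent to."""
    sw = build_example()
    steps = []
    steps.append(sw.forward(1, "aa:aa", "bb:bb"))   # unknown dst: flood VLAN 10 only
    steps.append(sw.forward(3, "bb:bb", "aa:aa"))   # sender now known: unicast to port 1
    steps.append(sw.forward(5, "cc:cc", "aa:aa"))   # guest VLAN: floods ports 6-8, never port 1
    sw.assign(5, 10)                                # move port 5 into the finance VLAN
    steps.append(sw.forward(5, "cc:cc", "aa:aa"))   # now the frame reaches port 1
    return steps


if __name__ == "__main__":
    for ports in demo():
        print(sorted(ports))
```

The third frame is the isolation point: a host on the guest VLAN addressing a finance MAC address never reaches the finance ports, because the MAC table and the flooding domain are both scoped to the VLAN. The fourth frame shows the reconfiguration benefit from the list above: moving one port's VLAN assignment changes which traffic it can see, with no cabling change.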
Question: What topology configuration might you recommend for a new Ethernet LAN
being built to connect computers located in several buildings together on a school campus?
Lesson 3
Wide Area Networking
Computer networks are found all across the world. Organizations that operate those networks frequently
have multiple offices or locations in different cities, countries, or continents. The organizations often
require their networks to be connected to each other in order to meet their organization’s business needs,
but are unable to connect these locations together with LAN technology because of its high cost to
implement over long distances.
WAN provides these organizations the ability to connect their networks regardless of geographic
boundaries, transcending the limitations of LAN technologies. WANs are the basis for the global level of
network connectivity that we have in today’s computing environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe WANs.
What Is a WAN?
A WAN is a geographically distributed network composed of multiple LANs joined into a single large
network, typically using leased or third-party services. LANs and WANs differ in the following ways:
• Speed. LAN cabling is primarily Ethernet with speeds up to 10 Gbps. WANs are typically slower, with
speeds up to 150 Mbps. Latency (the delay between when data is transmitted and when it is received) is
frequently an issue on a WAN.
• Cost. LAN components are usually less expensive than WAN components. LANs can be constructed
from inexpensive cabling and network interface cards (NICs). WANs require specialized routing
equipment.
• Complexity. LANs are easy to set up and expand. WANs, with a large number of users, require more
sophisticated optimization and communication plans.
• Size. LANs are usually confined to a small geographic area like an office or school. WANs cover a
larger geographical area like a city or multi-location business and can even be on a global scale.
Common WAN components include the following:
• Router. A router is a device that connects individual networks together and ensures that data
traveling outside of any given network reaches its destination. Routers contain a list of potential
destinations, or “routes”, that they use to send and receive data from other networks. A router works
with the IP protocol and does not use MAC address tables. The network and router must be configured
so that the router knows which IP address segments are located where, and so that network nodes can
distinguish between local and routed communication and send packets either directly or to the router
for forwarding. IP addressing is described in more detail later in the course.
• Leased line. A leased line refers to a WAN connection that is usually provided by a third party,
typically a telecommunications company. The telecommunications company uses their existing
equipment to connect one or more separate LANs together. This service can be implemented by
using a number of different technologies. The actual technology used is usually transparent to the
connected LANs, which will typically be connected to the leased line through a router that contains
the proper routes to the other connected LANs.
• Backbone. A backbone segment of a WAN refers to a high-capacity section of the WAN over which
the bulk of WAN traffic will travel. In contrast to a leased line, many backbone segments are built and
owned by the organization operating the LANs connected by the backbone. This type of connection
allows for multiple LANs to be connected together at a high speed without having to pay ongoing
rental or leasing costs or rely on a third party for consistent WAN connectivity. Backbones do,
however, have the drawback of being relatively costly to implement.
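The two decisions mentioned in the router description above (a node deciding whether a destination is local or must go to the router, and the router choosing a route from its list) are shown in the following Python example. It is an added example, not from the course; the addresses, interface names and routes are constructed, using the documentation address ranges, and the router uses longest-prefix matching, which is how real routers choose among overlapping routes.

```python
"""The two forwarding decisions described above: a host decides whether a
destination is on its own IP segment (send directly) or elsewhere (send to the
default router), and the router picks the next hop from its route list using the
most specific matching route. Added example; the addresses, interfaces and routes
are constructed."""
import ipaddress


def host_next_hop(host_ip, prefix_len, default_gateway, destination):
    """Address the host actually sends the packet to on its local segment."""
    local_net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    dst = ipaddress.ip_address(destination)
    if dst in local_net:
        return str(dst)              # local communication: deliver directly
    return default_gateway           # routed communication: hand it to the router


class Router:
    def __init__(self):
        self.routes = []             # (network, interface, next_hop or None)

    def add_route(self, network, interface, next_hop=None):
        # next_hop=None marks a directly connected segment.
        self.routes.append((ipaddress.ip_network(network), interface, next_hop))

    def lookup(self, destination):
        """Return (interface, next hop address), or None when no route matches."""
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None              # no route: the packet is dropped
        net, iface, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        return iface, (next_hop or str(dst))


def example_router():
    """Constructed route list for a branch router."""
    r = Router()
    r.add_route("192.168.10.0/24", "lan0")                 # directly connected LAN
    r.add_route("10.20.0.0/16", "wan0", "203.0.113.2")     # leased line to head office
    r.add_route("10.20.5.0/24", "wan1", "198.51.100.9")    # more specific route wins
    r.add_route("0.0.0.0/0", "wan0", "203.0.113.2")        # default route: everything else
    return r


if __name__ == "__main__":
    print(host_next_hop("192.168.10.25", 24, "192.168.10.1", "192.168.10.40"))
    print(host_next_hop("192.168.10.25", 24, "192.168.10.1", "10.20.5.9"))
    for target in ("10.20.5.9", "10.20.9.9", "192.0.2.1"):
        print(target, "->", example_router().lookup(target))
```

A host only ever compares the destination against its own address and subnet mask: anything outside that segment goes to the default gateway, which is why a wrong mask or gateway on a node breaks routed traffic even when the router itself is configured correctly.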
WAN standards typically define the method used to manipulate the data along the connection, in
addition to the bandwidth capability of a WAN connection and the media used.
WAN standards also use multiplexing to allow efficient use of WAN connections. Multiplexing refers to
the process of combining and sending multiple, simultaneous data transmissions over the same media.
This allows for higher bandwidth capability and shared usage of a single WAN connection.
Some of the most commonly used WAN standards are described here:
• T-Carrier standards. T-Carrier standards are a group of standards implemented primarily in North
America and some parts of eastern Asia and Japan that govern digital data transmission.
• E-Carrier standards. E-Carrier standards are a group of standards similar to the T-Carrier standards.
The E-Carrier standards were developed in Europe and used globally with the exception of the
regions that have adopted the T-Carrier standard as previously mentioned.
• Optical Carrier Standards. Optical Carrier standards contain specifications for transmitting digital
data over fiber-optic networks.
• ISDN. ISDN allows simultaneous voice and data transmission over existing public telephone network
infrastructure.
• Digital Subscriber Line (DSL). DSL uses existing telephone network infrastructure to transmit data. It
involves the simultaneous transmission of both voice and data over the same physical line by using a
separate higher frequency for data transmission and a filter on the physical line to separate the
frequencies. DSL comes in two main types, both of which use a modem for sending and receiving the
signal along the telephone infrastructure. Companies tend to use it for backup lines or small offices.
o Symmetric digital subscriber line (SDSL). SDSL allows equal bandwidth for both sending and
receiving data at the same speed.
o Asymmetric DSL (ADSL). ADSL uses different data rates for sending and receiving, with the
sending bandwidth typically considerably lower than the receiving bandwidth. Because it is less
expensive to implement, ADSL is typically provided for residential use.
• T1. A T1 line has a bandwidth capability of 1.544 Mbps. T1 typically uses two pairs of twisted-pair
copper wire as its media.
• T3. A T3 line provides a bandwidth capability of 44.736 Mbps. T3 typically uses fiber-optic cable as its
media.
• E1. An E1 line has a potential bandwidth of 2.048 Mbps. Similar to T1, E1 is typically carried over
copper wire–based media.
• E3. An E3 line has a potential throughput of 34.368 Mbps. Like T3, E3 typically uses fiber-optic cable
as its media.
Optical Carrier standards are used throughout the industry. For example:
• OC-12 is commonly used by ISPs for WAN connections at the regional or local level.
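The multiplexing paragraph above and the T1/E1 rates listed above are connected: the line rates come from time-division multiplexing of 64 Kbps channels into fixed frames. The following Python example, added here and not part of the course, interleaves constructed channel data into frames and derives the T1, E1 and ISDN rates from the standard frame layouts (8,000 frames per second, eight bits per channel per frame; T1 carries 24 channels plus one framing bit per frame, E1 carries 32 timeslots).

```python
"""Time-division multiplexing as described above: several 64 Kbps channels are
interleaved into fixed-size frames on one line, which is where the T1 and E1 rates
listed above come from. Frame layouts are the standard ones (T1/DS1: 24 channels
plus one framing bit per frame; E1: 32 timeslots); the channel data is constructed.
Added example, not from the course."""

FRAMES_PER_SECOND = 8000     # one 8-bit voice sample per channel every 125 microseconds
BITS_PER_SLOT = 8


def channel_rate_bps():
    """Rate of one multiplexed channel: 8,000 samples/s x 8 bits = 64 Kbps."""
    return FRAMES_PER_SECOND * BITS_PER_SLOT


def line_rate_bps(slots, framing_bits=0):
    """Aggregate line rate for `slots` channels plus per-frame framing overhead."""
    return (slots * BITS_PER_SLOT + framing_bits) * FRAMES_PER_SECOND


def multiplex(channels):
    """Interleave byte streams round-robin: frame k carries byte k of every channel."""
    length = min(len(c) for c in channels)
    return [bytes(c[k] for c in channels) for k in range(length)]


def demultiplex(frames, slot_count):
    """Recover each channel by taking its own slot from every frame."""
    return [bytes(frame[i] for frame in frames) for i in range(slot_count)]


def rates_mbps():
    """Line rates for the standards in the text, in Mbps."""
    return {
        "T1 (24 channels + framing bit)": line_rate_bps(24, 1) / 1e6,   # 1.544
        "E1 (32 timeslots)": line_rate_bps(32) / 1e6,                   # 2.048
        "ISDN PRI (23 B + 1 D channels)": line_rate_bps(24) / 1e6,      # 1.536
        "ISDN BRI (2 B channels)": line_rate_bps(2) / 1e6,              # 0.128
    }


if __name__ == "__main__":
    # Constructed channel payloads: three "calls" sharing one line.
    frames = multiplex([b"abc", b"123", b"xyz"])
    print(frames)                                  # [b'a1x', b'b2y', b'c3z']
    print(demultiplex(frames, 3))                  # original streams restored
    for name, rate in rates_mbps().items():
        print(f"{name}: {rate:.3f} Mbps")
```

The T1 figure of 1.544 Mbps is 24 x 64 Kbps of payload plus 8 Kbps of framing; E1 has no separate framing bit because two of its 32 timeslots are reserved for framing and signalling, so its 2.048 Mbps line rate is simply 32 x 64 Kbps. The PRI and BRI figures match the ISDN bandwidths given below.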
What Is ISDN?
ISDN uses the preexisting public telephone network to provide digital voice and data services. In early
WANs, ISDN was a very popular method for connecting LANs together, but it has since been largely
replaced by standards built on more modern technology. ISDN is offered in two forms:
• Basic Rate Interface (BRI). BRI typically uses two 64 Kbps channels and supports a bandwidth of
128 Kbps.
• Primary Rate Interface (PRI). PRI uses twenty-three 64 Kbps channels and supports a bandwidth of
1.536 Mbps, roughly equivalent to the bandwidth of T1 and E1 lines. PRI ISDN connections are
commonly used as backup or alternate route connections for T1 or E1 connections.
Although everyday usage of ISDN is less common than it used to be, ISDN lines are still frequently used in
many parts of the world as low-cost backup connections to more robust WAN links.
Along with the previously discussed T-Carrier, E-Carrier, and ISDN technologies, other common WAN-
based Internet connection technologies are:
• Cable modem. Cable modems provide a service similar to that of DSL, but use the cable TV medium
as an intermediary connection to the Internet.
• 2G, 3G, and 4G wireless. Historically, mobile communications networks have been typically reserved
for voice communications over the wireless network. With the advent of faster, more robust networks
like 3G and 4G, however, the use of these networks for digital data transmission has become more
prevalent and has become a common method used by mobile computer users to access network
connectivity when not in a LAN environment.
o 2G is also known as Global System for Mobile Communication (GSM) and is an older technology.
o 3G is also known as Universal Mobile Telecommunications System (UMTS) in Europe and elsewhere.
o LTE (long-term evolution of UMTS) is sometimes referred to in the context of 4G technology. It is
seen as a faster technology and is becoming more popular.
Lesson 4
Wireless Networking
Wireless networking has become an important part of both home and corporate networks. Wireless
networks allow nodes to operate apart from the confines of physically wired connections. The increased
mobility and freedom that a wireless network offers allow organizations to use computing resources in
ways not feasible using wired network components.
Wireless networks come in many configurations using multiple standards and different technology.
Familiarity with wireless networking components, terminology and standards is very important to overall
computer networking knowledge.
Lesson Objectives
After completing this lesson, you will be able to:
• Understand the fundamental concepts about how wireless networks work.
• Describe 802.11.
• Describe infrared and Bluetooth connectivity.
Wireless networking typically operates in the radio and microwave frequency range. The frequency and
wavelength of the waves determine characteristics such as the distance they can travel and the speed at
which data can be transferred. Different types of waves also need different types of hardware to transmit
and receive the signals, and are subject to different specifications that outline who can use them.
A wireless computer network consists of two or more network devices connected together and able to
exchange information between each other by using some form of wireless technology—that is, no cables.
The following are common components and terminology found in wireless networks:
• Wireless network adapter. Like its wired counterpart, a wireless network adapter connects a node to
the wireless network and is capable of both sending and receiving information on the wireless
network.
• Access point. An access point provides a means of connecting to the wireless network. This can be in
the form of another wireless network adapter or, more commonly, a centralized, dedicated access
point. This dedicated access point may or may not be used to connect the wireless network to an
existing wired network or LAN. An access point or multiple access points that are available publicly to
provide connection to Internet access are commonly known as hotspots. You would typically find
hotspots in airports, libraries, cafes, and other places.
• Ad-hoc network. An ad-hoc wireless network consists only of wireless nodes connecting to each
other and has no centralized access point. Ad-hoc wireless networks are typically used for temporary,
peer-to-peer connections between two computers.
• Infrastructure network. An infrastructure network is a wireless network that provides a centralized
access point for wireless network clients. Infrastructure networks are the most common wireless
network type used in enterprise network environments.
• Service set identifier (SSID). An SSID is a string of characters that identifies and advertises a wireless
access point’s existence to potential clients. This string is typically configurable to any alpha-numeric
value, so it also provides a method of applying naming schemes to SSIDs if necessary.
What Is 802.11?
As previously noted, the IEEE 802.11 working group of standards defines the aspects of WLANs. 802.11 is
one of the most recognizable IEEE standard categories, because of the widespread use of the numeric
identifier to refer to WLANs and devices in general. The IEEE 802.11 working group consists of four
commonly used standards.
Note: The 802.11 bandwidth is frequently discussed as theoretical. This is because factors
like distance from the access point, interference from other devices, and physical obstructions can
affect the wireless signal and decrease the actual bandwidth available to a client.
• 802.11b. These devices operate in the 2.4 GHz RF band and offer a slight improvement in range over
802.11a, especially when located in buildings or around multiple obstructions. However, the
maximum throughput of 802.11b is considerably lower than 802.11a at 11 Mbps.
• 802.11g. This was developed to combine the data throughput capabilities of 802.11a and the
increased range and reliability of 802.11b. It operates in the 2.4 GHz RF band and offers a theoretical
bandwidth of 54 Mbps.
• 802.11n. This is the most recently developed and published standard, and improves upon 802.11g in
both bandwidth and range. 802.11n also introduces the concept of multiple-input multiple-output
(MIMO) channels, which combine multiple signals into a single data stream for increased network
throughput. Although the physical maximum throughput on an 802.11n network is 150 Mbps, the
ability to combine the signals of up to four physical antennae allows for a theoretical maximum
throughput of 600 Mbps. 802.11n is quickly becoming the most common form of 802.11 network
deployed.
The following table provides details about the most common 802.11 standards.
Standard   Released   Frequency     Data Rate   Indoor Range   Outdoor Range
802.11b    Sep 1999   2.4 GHz       11 Mbps     150 feet       300 feet
802.11g    Jun 2003   2.4 GHz       54 Mbps     150 feet       300 feet
802.11n    Oct 2009   2.4–2.5 GHz   600 Mbps    300 feet       600 feet
Where interference or security is a potential issue with wireless radio transmissions and line of sight or
distance is not an issue, infrared (IR) could offer a potential solution for wireless device connectivity, but it
has become less and less popular. Most computers today do not have IR capability built in.
Computers and devices, however, can use infrared ports to send and receive infrared signals.
The Infrared Data Association specifies and develops IR technology. More information about
the Infrared Data Association can be found at the following website.
http://www.irda.org
Bluetooth is a wireless radio frequency technology that is used to connect two or more portable devices
over short distances. You will typically see Bluetooth implemented in consumer devices such as
telephones, headsets, mice, keyboards, and Global Positioning Systems (GPS) in cars. It has an immediate
benefit over IR in that it does not require direct line of sight. It operates over a range of approximately 10
meters and can have data transmission speeds of potentially up to 24 Mbps, which allows it to transmit
voice and data successfully. It is also relatively inexpensive to implement and can have low power
requirements, which has helped it gain broad adoption by manufacturers of consumer devices.
Bluetooth has had some security concerns in the past because of the ease at which devices using it could
be accessed or controlled. New specifications and changes in its implementation have led to improved
security, but like all wireless devices, security must be a key part of the process before implementation in
any organization.
The IEEE adopted and defined the Bluetooth specification in the 802.15.1 standard but subsequent
updates have been implemented to the specification by the Bluetooth Special Interest Group (SIG), which
is a private, not-for-profit organization that drives Bluetooth specifications and adoption.
Interference is the interaction of other electromagnetic radiation signals on the wireless signal. This can
result in the signal not being clear enough to be received or interpreted correctly by a receiver. Each day
you are surrounded by electromagnetic “noise” such as radios, TV, microwaves, GPS, telecommunication
satellites, and mobile phones. There is a lot of competition for access to be able to broadcast on specific
areas of the spectrum. Governments typically license these areas to private companies to raise revenue.
This broadcast competition can cause interference in your wireless signal and reduce the quality of the
data you receive.
Even the weather can have an effect on your wireless signal. Items such as atmospheric pressure or even
sun activity, such as when we get an increased amount of electromagnetic radiation from the sun, can
interfere with or damage some wireless network data or equipment.
Various techniques and technologies have been developed to try to mitigate some of this interference,
but you need to be conscious of where you place your access points and receivers; for example, having
microwave ovens and access points next to each other would only increase the chances of interference
between the two.
If you deploy wireless networks within an organization, you should also be aware of which devices are
operating in that area and in which frequency ranges. Some will be generated by your organization and
its employees and some will be external (TV, radio masts, and so on). As a result, some locations will prove
to be more suitable for access points than others. The structure of your building also has an impact, such
as rooftop versus basement, stairwells versus lift shafts, or beside support columns or on ceilings. Anywhere
with large amounts of concrete or steel is typically bad for signal integrity and prone to wireless signal
attenuation and interference.
There are several different security protocols developed for 802.11 networks. The following provides two
examples:
• Wired Equivalent Privacy (WEP). The WEP encryption standard was the original standard for
wireless LANs. It provides 128-bit and 256-bit encryption of data transmitted over the network. WEP
uses a shared passcode or security key for the encryption of data. Users connecting to a WEP-
protected network are asked to enter this key upon initiating connection to the network in order to
be granted access. The overall strength of WEP security lies in the complexity of this key. Short, simple
keys that are easily guessable compromise the overall security of the protocol. Multiple technical
flaws were discovered in the WEP protocol encryption algorithm and were quickly exposed by
malicious hackers and industry watchdogs. WEP is the weakest of all wireless security protocols and is
considered to be outdated and has been largely superseded by other more secure protocols.
• Wi-Fi Protected Access (WPA). WPA standards provide an increased level of security and stability
over WEP. WPA comprises two versions:
o WPAv1. This was originally designed as a firmware upgrade to WEP. It allows WEP-based
networks to be upgraded to the newer, more secure standard without the addition or replacement of
any devices. WPAv1 can use a variety of encryption algorithms.
o WPAv2. This offers several technical improvements over WPAv1 but retains the same basic
structure. WPAv2 is the most secure and preferred method of encryption on most wireless networks.
Both WPAv1 and WPAv2 allow for two methods of security key configuration. They can use a single, pre-
shared key (PSK) that is used for universal access to the network in much the same way as a WEP key. This
method is known as WPA-Personal. The second method involves the incorporation of a Remote
Authentication Dial-In User Service (RADIUS) server to allow for individual nodes to retain their own key.
This implementation is known as WPA-Enterprise and eliminates the security risks of using a single, shared
key for universal network access.
Certificates can also be used with smart cards, so that a smart card is required for authentication when
joining a WPA2 network. In addition to the encryption methods previously listed, several non-encryption
methods exist that, when combined with encryption, further enhance wireless network security. Here are
some examples:
• MAC filtering. MAC filtering allows a wireless access point to refuse connection to nodes accessing it
unless their MAC address is contained in a specific list stored on the access point. This allows for a
network administrator to enter the MAC addresses of only those nodes that should be allowed to
connect to the wireless access point.
Note: MAC filtering can be easily circumvented by using a process known as MAC
spoofing, whereby a potential client provides a false MAC address with the purpose of obtaining
access to the network.
• Universal serial bus (USB) tokens. USB tokens are physical devices that provide an additional layer of
physical security to wireless networks. This method requires the end user to physically attach a USB
token to their computer before access to the network is granted.
• Hidden SSID. Another method for obscuring the identity of a wireless network is hiding the SSID.
Configurable at the access point, hiding the SSID prevents the SSID of the wireless network from
showing up in the list of available networks on a potential client. When a network’s SSID is hidden,
clients need to know the SSID of the network and enter it manually to connect, along with satisfying
any other security requirements the network might have. A hidden SSID can add a certain level of
security to the network, but it should not be considered a security measure in itself; numerous
commonly known methods exist for locating and identifying hidden SSIDs.
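The points made in the wireless security discussion above (WEP is outdated, WPAv2 is preferred, a single shared key is weaker than per-node WPA-Enterprise authentication, key strength matters for any shared-key scheme, and MAC filtering and hidden SSIDs are not security measures in themselves) can be turned into an audit of access-point configuration. The following Python script is an added example, not part of the course: it checks constructed sample profiles against those points and reports the findings per network. The profile fields and the minimum key length policy are assumptions for the example.

```python
"""Audit access-point profiles against the points made above: WEP is outdated,
WPAv2 is the preferred version, one pre-shared key for everyone is weaker than
per-user WPA-Enterprise authentication, a short shared key weakens any shared-key
scheme, and MAC filtering or a hidden SSID are not security measures in themselves.
Added example; the profiles and the policy threshold are constructed."""

MIN_KEY_LENGTH = 20          # constructed policy value for pre-shared keys

# Constructed sample profiles, as they might be exported from access points.
PROFILES = [
    {"ssid": "Warehouse-Legacy", "security": "WEP", "key": "abc12",
     "mac_filter": True, "hidden": True},
    {"ssid": "Corp-Guest", "security": "WPA-Personal", "version": 1,
     "key": "guest123", "mac_filter": False, "hidden": False},
    {"ssid": "Corp-Staff", "security": "WPA-Enterprise", "version": 2,
     "mac_filter": False, "hidden": False},
    {"ssid": "Lobby-Open", "security": "Open", "mac_filter": True, "hidden": False},
]


def audit(profile):
    """Return a list of (severity, message) findings for one profile."""
    findings = []
    sec = profile["security"]
    if sec == "Open":
        findings.append(("high", "no encryption: anyone in range can read the traffic"))
    elif sec == "WEP":
        findings.append(("high", "WEP is outdated and the weakest protocol; move to WPAv2"))
    elif sec in ("WPA-Personal", "WPA-Enterprise"):
        if profile.get("version", 1) < 2:
            findings.append(("medium", "WPAv1 in use; WPAv2 is the preferred version"))
        if sec == "WPA-Personal":
            findings.append(("medium", "one shared key for all users; "
                             "WPA-Enterprise (RADIUS) gives each node its own"))
    if sec in ("WEP", "WPA-Personal") and len(profile.get("key", "")) < MIN_KEY_LENGTH:
        findings.append(("medium", f"shared key shorter than the {MIN_KEY_LENGTH}-character policy minimum"))
    if profile.get("mac_filter"):
        findings.append(("info", "MAC filtering: defence in depth only, bypassed by MAC spoofing"))
    if profile.get("hidden"):
        findings.append(("info", "hidden SSID: obscures the network but is not a security control"))
    return findings


def worst_severity(profile):
    """Highest severity among a profile's findings, or 'ok' when there are none."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((sev for sev, _ in audit(profile)), key=order.get, default="ok")


def report(profiles=PROFILES):
    """Map each SSID to its worst finding severity."""
    return {p["ssid"]: worst_severity(p) for p in profiles}


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"{profile['ssid']} [{worst_severity(profile)}]")
        for severity, message in audit(profile):
            print(f"  {severity:6s} {message}")
```

MAC filtering and hidden SSIDs are reported at informational level on purpose: they are worth keeping as an extra layer, as the text says, but their presence must not raise a network's rating, which is the mistake the note about MAC spoofing warns against.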
Lesson 5
Connecting to the Internet
Almost every corporate LAN or WAN has a network link that connects it to the rest of the world through
the Internet. The Internet has become the most important medium for global communications, and, as
such, corporate networks need to be connected to this global network to take advantage of what the
Internet has to offer.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a firewall.
• Describe proxy and reverse proxy servers.
The physical structure of the Internet is somewhat ambiguous and constantly changing, but at its core, the
Internet bears many similarities to a vast, global WAN. Although Internet communication appears
straightforward to the end-user, the path that data takes between two communicating nodes can travel
over hundreds of different physical connections and be relayed through numerous intermediary network
nodes before reaching its destination. The Internet uses IP as the basis for communication between nodes.
Individual nodes or networks are typically connected to the Internet by using the methods mentioned in
the last topic of the previous lesson. These methods typically involve connectivity through a
telecommunications provider. Global telecommunication providers provide the bulk of the physical
network infrastructure on which the Internet operates.
The Internet by nature is an open and generally non-secure system. When corporate LANs and WANs
connect to and through the Internet, specific devices, methods, and concepts are applied to ensure the
integrity and private nature of the corporate LAN or WAN architecture.
Note: The phrase World Wide Web pertains to a set of interlinked “documents” in a
hypertext system, which is made available through Hypertext Transfer Protocol (HTTP). The user
accesses the documents by using a web browser and enters the various document repositories on
the web through a home page.
In general, a LAN refers to the physical structure that provides network connectivity, whereas the term
intranet refers primarily to a group of services provided on that LAN.
Extranet
In its typical form, an extranet is a piece of a company’s intranet that has been exposed to a larger
network, usually the Internet. This is usually done to share specific corporate information with partners or
customers and requires an extra level of security and network design to ensure that private information
within the intranet is separated from the information on the extranet and not inadvertently exposed to
the public. The information on the extranet itself is usually not left completely exposed to the public
Internet either, but protected with a security device such as data encryption or authentication
mechanisms like user names and passwords.
What Is a Firewall?
A firewall is the key component used in segmenting networks to protect a private network from security
risks inherent to connecting to an untrusted network. A firewall is a system or device used as a single point
of connection between separate networks. It interprets network communication and allows safe or
desirable network traffic to pass through while restricting or denying unsafe or undesirable traffic.
The term firewall is also used to refer to a piece of software installed on a node computer that performs
traffic filtering similar to that of a dedicated firewall device. When the term is used in this lesson, it is used
to refer exclusively to the dedicated network firewall defined previously, and not the node-based software
type.
Different types of firewalls allow for varying levels of network data inspection. A basic firewall is included
in most Windows® operating systems.
The purpose of the perimeter network is to act as a security buffer between the untrusted and private
networks for resources that must be shared by those who are not part of the internal network. A
perimeter network commonly contains any nodes that share information with the public Internet. This
may include items like email servers, web servers, or proxy servers.
Perimeter networks are generally implemented by using firewalls. A firewall is placed at the connection of
the perimeter network to the untrusted network; another firewall typically separates the perimeter
network from the private network. This configuration separates the participating networks into three
zones: the private network, the perimeter network, and the untrusted network. Firewalls can also be used
to secure traffic within a perimeter network; for example, a firewall can allow HTTP(S) traffic from the
Internet only to the perimeter network's web server, and allow that web server to access a SQL database.
The main function of a perimeter network is security. A perimeter network is not entirely a public part of
the Internet, an untrusted network, or entirely a private part of the organization’s network. The purpose of
the perimeter network is to act as a security buffer between the untrusted and private networks.
Proxy servers are most commonly used in conjunction with a firewall. In this configuration, a firewall will
allow a specific type of traffic only if the traffic is originating from, or intended for, the proxy server. In this
way, clients wanting to send or receive that specific type of traffic must do so through the proxy server, or
their transmissions will be blocked or denied at the firewall.
Conversely, a reverse proxy server takes some or all data incoming to a network and distributes it to the
appropriate nodes on the network. Reverse proxy servers are commonly used for load balancing, which
allows the reverse proxy server to take large amounts of incoming data and distribute it among similarly
configured nodes, all capable of processing the data. Reverse proxy servers can also provide data security
filtering and caching in the same manner as a proxy server.
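The three-zone perimeter design and the proxy arrangement described above can be expressed as a small default-deny rule set. The following Python model is an added example, not from the course: it classifies addresses into the private, perimeter and untrusted zones and encodes the rules the text gives (HTTP(S) from the Internet only to the web server, the web server alone reaching the SQL database, and outbound web traffic accepted only from the proxy server, so private clients must go through the proxy). The address ranges, host addresses and port numbers are constructed for the example.

```python
"""A default-deny filter for the three-zone layout described above, encoding the
rules from the text: HTTP(S) from the Internet reaches only the perimeter web
server, only that web server may talk to the SQL database, and private-network
clients reach the web only through the proxy server (the firewall accepts outbound
web traffic only when it originates from the proxy). Added example; the address
ranges, hosts and port numbers are constructed."""
import ipaddress

PRIVATE = ipaddress.ip_network("10.0.0.0/8")            # internal LAN
PERIMETER = ipaddress.ip_network("192.168.100.0/24")    # perimeter network
WEB_SERVER = "192.168.100.10"
PROXY = "192.168.100.20"
SQL_SERVER = "10.0.5.5"
ANY = None


def zone_of(ip):
    """Classify an address: private, perimeter, or untrusted (everything else)."""
    addr = ipaddress.ip_address(ip)
    if addr in PRIVATE:
        return "private"
    if addr in PERIMETER:
        return "perimeter"
    return "untrusted"


# (src zone, src host, dst zone, dst host, protocol, destination ports) -> allow.
# Anything not matched falls through to the default deny.
RULES = [
    ("untrusted", ANY, "perimeter", WEB_SERVER, "tcp", {80, 443}),   # public web
    ("perimeter", WEB_SERVER, "private", SQL_SERVER, "tcp", {1433}),  # web -> database only
    ("private", ANY, "perimeter", PROXY, "tcp", {8080}),              # clients -> proxy
    ("perimeter", PROXY, "untrusted", ANY, "tcp", {80, 443}),         # proxy -> Internet
]


def decide(src, dst, proto, dport):
    """Return 'allow' when a rule matches the flow, else 'deny'."""
    for src_zone, src_host, dst_zone, dst_host, rule_proto, ports in RULES:
        if (zone_of(src) == src_zone and src_host in (ANY, src)
                and zone_of(dst) == dst_zone and dst_host in (ANY, dst)
                and proto == rule_proto and dport in ports):
            return "allow"
    return "deny"


def evaluate_sample_flows():
    """Constructed flows a reviewer would check against the rule set."""
    flows = [
        ("203.0.113.5", WEB_SERVER, "tcp", 443),   # Internet -> web server
        ("203.0.113.5", PROXY, "tcp", 443),        # Internet -> proxy: not exposed
        ("203.0.113.5", SQL_SERVER, "tcp", 1433),  # Internet -> database
        (WEB_SERVER, SQL_SERVER, "tcp", 1433),     # web server -> database
        (PROXY, SQL_SERVER, "tcp", 1433),          # proxy -> database
        ("10.0.7.7", "198.51.100.1", "tcp", 443),  # client straight to the Internet
        ("10.0.7.7", PROXY, "tcp", 8080),          # client -> proxy
        (PROXY, "198.51.100.1", "tcp", 443),       # proxy -> Internet
    ]
    return [decide(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(evaluate_sample_flows.__code__.co_consts, evaluate_sample_flows()):
        pass
    print(evaluate_sample_flows())
```

The second and fifth flows are the ones worth noticing: the proxy is a perimeter host, but it is reachable only from the private network and may talk only outward, so a problem on the proxy cannot be turned into a path to the database. Everything not written down is denied, which is what makes the perimeter a buffer rather than just another segment.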
Lesson 6
Remote Access
Direct connections to private networks provide the fastest, most secure method for an organization to
share data and resources.
However, organizations are increasingly finding it necessary for their employees to have access to their
private network in situations where a direct physical connection is not possible.
Lesson Objectives
After completing this lesson, you will be able to:
• Customers or partners requiring access to information hosted on the organization's private network.
In its basic form, a branch office refers to a location where an organization does business or hosts
employees outside of its central location of operations. It could be as large as or larger than the central
location itself, or as small as a single employee working from a home office.
Branch offices are typically located outside of the physical range of an organization’s central LAN, in
another section of a large city, or in another city, country, or continent. The term is typically used for a
location where several users (like a sales office) are directly connected to the company but in a separate
physical office with WANs or VPNs connecting permanently to the corporate network. These branch
offices frequently require the ability to provide some or all the services provided by the central location,
and almost always require access to the same data and resources to operate efficiently. Placing a server in
the branch office is one solution; providing secure remote connectivity is another.
The branch office term is not typically used for home offices or employees working abroad.
An organization like a bank might require each of its branches to have access to financial information
stored in servers at the central office; a real estate agency might have brokers that work from home
offices that require access to updated property and client information; or a member of the sales staff
might require access to customer or product data while traveling.
Question: What other scenarios can you think of that would require remote access?
Typically, encryption is combined with a method used to prove that the nodes involved are indeed the
nodes for which the communication is intended. In other words, the identities of these nodes are verified.
This method of verification is known as authentication.
Authentication refers to the process of verifying the identity of a user, computer, process, or other entity
by validating the credentials provided by the entity. It is distinct from authorization, which is the process
of determining the level of access allowed for an already authenticated identity. Authentication is typically
implemented as a password or a combination of user identification and a password, but can also include
physical methods such as digital certificates, smart cards, or USB tokens.
Technically, VPNs are implemented using a variety of methods that govern communication mechanisms,
encryption, and authentication. The technical definition is outside the scope of this topic. Several of the
most common VPN protocols are listed below.
• Point-to-Point Tunneling Protocol (PPTP). PPTP has been a very widely used VPN protocol and is
described in RFC 2637. PPTP is supported by most computers, tablets, and smart phones. PPTP has a
low overhead, and is faster and easier to set up than other VPN protocols. PPTP requires its own
ports. More companies appear to be implementing HTTPS-based VPNs.
• Layer Two Tunneling Protocol (L2TP). L2TP is frequently used with Internet Protocol security (IPsec)
to provide data encryption and security. L2TP is described in RFC 2661.
• Secure Socket Layer (SSL) tunneling protocol. The SSL tunneling protocol uses 2,048 bit certificates
for authentication, making it the most secure of the VPN protocols. The SSL tunneling protocol lets
users pass through firewalls and proxy servers when other VPN protocols might be blocked. The SSL
tunneling protocol uses HTTPS over the Internet.
• IP HTTPS. This is replacing SSL tunneling protocol in DirectAccess, which is one of the remote access
solutions from Microsoft®. It is discussed further a bit later.
• IPsec. A set of industry-standard, cryptography-based services and protocols that help to protect
data over a network.
DirectAccess
DirectAccess was introduced in the Windows 7 and Windows Server 2008 R2 operating systems.
DirectAccess gives users the experience of being connected to their corporate network any time they have
Internet access without having to initiate or configure a connection.
When DirectAccess is enabled, requests for corporate resources (such as email servers, shared folders, or
intranet websites) are securely directed to the corporate network, thus allowing for the same user
experience regardless of whether the computer is connected to the corporate network. The DirectAccess
client is connected to the corporate network before the user even logs on, making the logon and
authentication process identical to the process used when connected directly to the corporate network.
Windows Server 2012 and Windows 8 DirectAccess can be configured to use either IP version 4 (IPv4) or
IP version 6 (IPv6) addresses. Windows Server 2008 R2 and Windows 7 can use only IPv6 for
communication between clients and servers. Connections between IPv4 and IPv6 networks can be
coordinated automatically using a number of different IPv6 translation technologies that are configured
at the DirectAccess server. The main benefit of using DirectAccess over VPNs is its lack of required user
interaction. In Windows Server 2012, DirectAccess is also a lot easier to deploy than was the case in
Windows Server 2008 R2. Furthermore, DirectAccess allows remote management such as software
distribution and updates of virus scanning engines.
Windows Server 2012 supports DirectAccess with Windows 7 and Windows 8 clients, whereas Windows
Server 2008 R2 only supports Windows 7 DirectAccess clients. Also, if you have operating systems older
than Windows 8 or Windows 7, DirectAccess is not supported for them and they will need to use an
alternative, such as VPN.
RADIUS
RADIUS is a widely used industry standard authentication protocol that allows the exchange of authentication information between various elements of a remote access solution. It provides for centralized authentication, authorization, and accounting for network connection attempts and nodes that connect to networks through any means—whether it’s dial-up, VPN, wireless or a physical connection through cable. It has been defined by the Internet Engineering Task Force (IETF) under RFC 2865 and RFC 2866 and updated and modified in numerous subsequent RFC standards. RADIUS is a very common protocol available for use in most network environments. It is used to perform the following functions with regard to network access:
The main components that typically go into making a RADIUS infrastructure are as follows:
• RADIUS server. Provides centralized authentication, authorization, and accounting for network
access requests. The Network Policy and Access Services role in Windows Server 2012 can be
configured as a RADIUS server.
• RADIUS proxy. Can forward and route RADIUS access and accounting messages between RADIUS
clients and RADIUS servers.
• RADIUS clients. These are RADIUS access servers, such as wireless access points, dial-up servers,
authentication switches, and VPN servers. These are RADIUS clients because they use the RADIUS
protocol to communicate with RADIUS servers. User devices such as laptops are not RADIUS clients.
A server implementing RADIUS allows an organization to simplify and better manage remote access to its
network, especially when multiple remote access points exist in the environment. RADIUS allows for
strongly securing a WLAN with the use of certificates.
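To make the RADIUS client/server relationship concrete, here is an added example (not from the courseware, and not the Windows NPS implementation) that builds an Access-Request the way RFC 2865 specifies it and checks the server's reply the way a RADIUS client such as a VPN server must. The shared secret, user name, password, identifier and NAS address are constructed sample values, and `server_handle` is a constructed stand-in for a real RADIUS server.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct
from typing import List, Tuple

# Added example: the RADIUS Access-Request / Access-Accept exchange from RFC 2865,
# built by hand. All secrets, names and addresses are constructed sample values.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")     # Code, Identifier, Length; a 16-octet Authenticator follows

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it (trailing NULs are padding)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_access_request(secret, identifier, request_auth, username, password, nas_ip) -> bytes:
    """What a RADIUS client (VPN server, access point) sends for one logon attempt."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode())),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def build_response(code, identifier, request_auth, attrs, secret) -> bytes:
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs

def verify_response(secret, request_auth, response) -> bool:
    """The client's check before trusting a reply: sane length and a matching authenticator."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def server_handle(secret: bytes, request: bytes, users: dict) -> bytes:
    """Constructed server: decode User-Name and User-Password, answer Accept or Reject."""
    code, identifier, length = HEADER.unpack(request[:4])
    request_auth, pos, found = request[4:20], 20, {}
    while pos + 2 <= length:
        attr_type, attr_len = request[pos], request[pos + 1]
        if attr_len < 2:
            break                                   # malformed attribute; stop parsing
        found[attr_type] = request[pos + 2:pos + attr_len]
        pos += attr_len
    name = found.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(secret, request_auth, found.get(ATTR_USER_PASSWORD, b""))
    ok = users.get(name) is not None and hmac.compare_digest(users[name], pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, b"", secret)

def run_exchange(secret: bytes, username: str, password: str, users: dict) -> bool:
    """One complete round trip; True only for a verified Access-Accept."""
    request_auth = secrets.token_bytes(16)      # fresh random value per request, as RFC 2865 requires
    req = build_access_request(secret, 0x2A, request_auth, username, password, "10.0.0.5")
    resp = server_handle(secret, req, users)
    return verify_response(secret, request_auth, resp) and resp[0] == ACCESS_ACCEPT
```

Two things the code makes visible that the prose does not: the password is only obscured with MD5 keyed by the shared secret, so the strength of that secret and the protection of the path between RADIUS client and server carry the whole exchange, and the client must check the Response Authenticator before acting on an Accept, otherwise any host on the path could answer in the server's place.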
Although NAP helps you automatically maintain the health of the network’s devices, which in turn helps
maintain the network’s overall integrity, NAP does not protect the network from malicious users. For
example, if a device has all the software and configuration settings that the health policy requires, then
that device is compliant and has unlimited network access; however, NAP does not prevent an authorized
user with a compliant device from uploading a malicious program to the network or engaging in other
inappropriate behavior.
NAP Functions
• Health policy compliance. You can help ensure compliance with health requirement policies by
automatically updating noncompliant computers with missing software updates and configuration
changes. You can do this by using management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers have network access before
they are updated with required updates or configuration changes. In a limited access environment,
noncompliant computers have limited access until the updates and configuration changes are
complete. In both environments, computers that are compatible with NAP can become compliant
automatically, and you can define exceptions for computers that are not NAP-compatible.
• Limited access. You can protect the network by limiting noncompliant computers’ access. You can
base limited network access on a specific time limit, or on what the noncompliant computer can
access. In the latter case, you define a restricted network containing health update resources, and the
limited access lasts until the noncompliant computer becomes compliant. You also can configure
exceptions, so computers that are not compatible with NAP do not have their network access limited.
In Windows Server 2012, NAP is installed as part of the Network Policy and Access Services role. Health
policies, validators, and remediation servers can all be defined and configured within the Network Policy
Server (NPS) management console in Windows Server 2012.
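The two enforcement modes described under NAP Functions (monitoring-only versus limited access, plus exceptions for computers that cannot report health) can be modelled as a small policy engine. The following is an added example and is not NPS code or any part of the courseware; the `HealthStatement` fields, the policy thresholds and the host names are constructed for illustration, and the choice to restrict non-NAP-capable machines unless they are on the exception list is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Added example of NAP-style health policy enforcement. The statement format,
# policy values and host names are constructed; NPS uses Statements of Health
# from System Health Agents rather than this structure.

@dataclass
class HealthStatement:
    host: str
    nap_capable: bool                      # can the client report its health at all?
    firewall_on: Optional[bool] = None     # None means "not reported"
    antivirus_current: Optional[bool] = None
    missing_updates: int = 0

@dataclass
class Decision:
    host: str
    compliant: bool
    access: str                            # "full" or "restricted"
    remediation: List[str] = field(default_factory=list)

def check_health(soh: HealthStatement) -> List[str]:
    """Return the remediation steps a client needs; an empty list means compliant."""
    todo = []
    if soh.firewall_on is not True:        # an unreported value fails the check
        todo.append("enable the host firewall")
    if soh.antivirus_current is not True:
        todo.append("update antivirus signatures")
    if soh.missing_updates > 0:
        todo.append(f"install {soh.missing_updates} missing update(s)")
    return todo

def decide(soh: HealthStatement, mode: str, exempt: Sequence[str] = ()) -> Decision:
    """mode is "monitor" (report only, full access) or "limited" (restrict until remediated)."""
    if mode not in ("monitor", "limited"):
        raise ValueError(f"unknown enforcement mode {mode!r}")
    if not soh.nap_capable:
        # Assumption of this example: machines that cannot report health are restricted
        # unless an administrator has listed them as exceptions.
        return Decision(soh.host, False, "full" if soh.host in exempt else "restricted")
    todo = check_health(soh)
    compliant = not todo
    # Compliance is about configuration posture only: a compliant device with full
    # access is still operated by a user NAP knows nothing about.
    access = "full" if compliant or mode == "monitor" else "restricted"
    return Decision(soh.host, compliant, access, todo)

def summarize(statements: Sequence[HealthStatement], mode: str, exempt: Sequence[str] = ()) -> Dict[str, str]:
    """Host name -> access level, for a batch of health statements."""
    return {s.host: decide(s, mode, exempt).access for s in statements}

if __name__ == "__main__":
    fleet = [
        HealthStatement("ws-01", True, firewall_on=True, antivirus_current=True),
        HealthStatement("ws-02", True, firewall_on=False, antivirus_current=True, missing_updates=3),
        HealthStatement("printer-01", False),
    ]
    for mode in ("monitor", "limited"):
        print(mode, summarize(fleet, mode, exempt=["printer-01"]))
        for s in fleet:
            d = decide(s, mode, exempt=["printer-01"])
            if d.remediation:
                print("  ", d.host, "->", "; ".join(d.remediation))
```

In monitor mode the non-compliant workstation keeps full access but its remediation list is still produced, which is what lets the management software the text mentions push the missing updates; switching the mode to limited is the only change needed to start restricting it.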
You are responsible for choosing the LAN design and general components for the new office and
ensuring that the two offices are connected in a way that allows staff in the Seattle office to access the
information they need from the New York office.
You have received email messages from the Seattle office manager outlining the duties assigned to the
new office, a list of employees that will be using the Seattle office, and the primary job functions of those
employees.
Objectives
After completing the lab, students will be able to:
• Provide guidance on which network components are needed to complete a branch office
deployment.
Estimated Time: 30 minutes
Hi,
We have been working with the new building contractors and they have come up with a basic design.
No drawings have been drafted yet, so I will try to explain what they have in mind. The space will
basically be split into two parts. We will have six offices in one part of the office for our design team
members, typical office stuff. The other half will be a large, open conference room built for partner
consultation. Basically, it will be a place where our consultants meet with our partners to show them
progress on projects, samples of media, and things like that. It’s going to be pretty casual, with most of
the furniture being couches and coffee tables.
I hope that gives you a good enough idea for your side of things.
Thanks,
Susan
Email #2
Subject: Seattle Staff
Hi again,
Here are the details on our Seattle staff and what each of their roles entails.
We will have three video editors that will be in three of the six offices: Frank, Lisa, and Peter. The bulk of
their day is spent editing video for various projects. They work as a collaborative team, so they are
constantly sending material (videos) back and forth to each other. Frank asked me to tell you that the
videos can be really big. They have issues with the videos taking a long time to copy to and from the
server in New York. I’m not sure if there is something you can do to improve that in Seattle.
There are four creative consultants. Nick and Brenda will be in the office and John and Martha will be
working from home offices. Their primary role is to meet with our partners to determine overall needs.
Then they come up with the basic design concept and forward it to the video editors who begin the
video design process. Throughout the process, the creative consultants provide samples of the work
being done and get feedback from the customers. This will be done using the conference room for local
partners. I’m hoping you can come up with something that will allow our out-of-town partners to view
and comment on the development process remotely.
Our internal staff will need to be able to view and update the material, and our home users and
partners will need to be able to view and update it from their locations. This is sensitive information, so
it needs to have some kind of password or security around it so not just anybody can see it. They have
also asked if there would be a way for both the in-office consultants and the two coming from home to
have access to the material located on the server to show clients on their laptops when they meet in the
conference room.
We also need to be able to share files with New York as well. My primary role is to manage the staff
here and provide general updates and material samples to New York. This typically doesn’t involve a lot
of files or very big files, but it does need to be secure, and our partner agreement doesn’t allow us to
use email to send the files, so they will have to be hosted on some sort of server, I guess. I am not very
technical, sorry.
Oh and one final thing: we’re getting new desktops and other devices, all which will be running
Windows 8 I’m told, in case that helps.
Hopefully that’s what you’re looking for. Thanks for your time.
Susan
Requirements Overview
Recommend basic infrastructure components for the implementation of the network in the new Seattle
location.
Recommend infrastructure to connect the Seattle location to the New York location. Recommend
infrastructure to allow home office users and partners access to the resources they need from the
Seattle location.
Proposals
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
3. What components and technology should be used to connect the New York and Seattle branches?
4. What is the best architecture to allow both partners and home office users to access their
information using only one method of access?
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
3. What components and technology would you use to connect the New York and Seattle branches?
4. What is the best architecture to allow both partners and home office users to access their information
using only one method of access?
Results: After this exercise, you should have identified the infrastructure and components required to
implement a network in a new location.
Question: What other options exist to connect the home office employees if their role
changes and requires consistent access to information on the Seattle LAN?
Question: What infrastructure should be used to connect the conference room portion of
the Seattle location?
Question: What makes a wireless network more vulnerable to unauthorized access than a
wired network?
Module 4
Connecting Network Components
Contents:
Module Overview 4-1
Module Overview
Networks consist of many components; these components fall into various categories based on their
operational characteristics. For example, those components that deal with electrical signaling are known
as low-level network components, whereas those components that handle user requests, for example
applications, are known as high-level components.
This module explores the functionality of low-level networking components. This includes cabling,
network adapters, switches, hubs, and routers. In addition, the module provides guidance on how best to
connect these and other components together to provide additional network functionality.
Objectives
After completing this module, you will be able to:
Lesson 1
Understanding the Open Systems Interconnection
Reference Model
Over the years, many networking protocol stacks were developed by different vendors to support their
own networking products. In order to bring some structure and standardization to this independent
evolution of network protocol stacks, the International Organization for Standardization (ISO) developed
the Open Systems Interconnection (OSI) reference model.
As an aside explanation, the ISO organization would have different abbreviations in different languages.
Because of this, the organization decided to adopt the ISO abbreviation and standardize the name, taken
from the Greek word isos, meaning equal. As a result, this ISO acronym is used regardless of language.
Lesson Objectives
After completing this lesson, you will be able to:
Layer   Layer Name     Description
6       Presentation   Translates the data generated by the application layer from its own syntax
                       into common transport syntax suitable for transmission over a network.
5       Session        ... applications.
4       Transport      Makes sure that packets are delivered in the order in which they are sent
                       and without loss or duplication.
3       Network        Determines the physical path over which data is transmitted based on
                       network conditions, the priority of services, and other factors. This is
                       the only layer of the OSI model that uses logical networking and can move
                       packets between different networks.
2       Data-link      Provides for the transfer of data frames from one computer to another over
                       the physical layer. The media access control (MAC) address of a network
                       adapter exists at this layer and is added to the packet to create a frame.
                       Data is passed from the data-link layer to the physical layer as a stream
                       of 1s and 0s. Some element of error checking is possible at this layer to
                       ensure frame delivery.
1       Physical       Defines the physical mechanisms for sending a raw stream of data bits on
                       the network cabling, such as a network interface card (NIC) and drivers.
The OSI model is used as a common reference point when you compare the function of different
protocols and kinds of network hardware. The OSI model is important for comparing different products
and understanding the functions that a device is performing. The model enables an understanding and
interpretation of various network architectures and network components within those architectures.
For example:
• A router is a layer 3 device. Based on this, you know that a router understands logical networks and
can move packets from one network to another.
• Hypertext Transfer Protocol (HTTP) is a layer 5-7 protocol. Based on this, you know that applications
use HTTP to communicate over the network.
• Ethernet is a standard for layers 1-2. Based on this, you know that Ethernet defines physical
characteristics for media (network cabling), how signals are transmitted over that media, and when
devices can communicate on the media.
More information about the OSI model definition can be found at the following website.
http://www.iso.org
• Error checking.
• Converting the data-link frames into a meaningful signal for merging onto the media.
Here are examples of how data transfer occurs on a single local network and also across networks. This
may help give an understanding of how the lower layers of the network stack work.
• On a local link, communication is addressed by using MAC addresses. If one device wants to
communicate to another device, even if it knows the IP address and ensures that the device is on the
same network, it needs to resolve the remote MAC address in an Address Resolution Protocol (ARP)
request (MAC-level broadcast), and then send the data to the remote MAC address.
• IP and routers are used to extend networks beyond the local subnet. For example, suppose a host
needs to send an IP packet to an address beyond its local network. The host knows the address of its
router, that is, its default gateway, so it keeps the target host’s IP address as the packet’s destination
but resolves the MAC address of the local router and sends the frame there. The local router removes
the frame header, rewraps the IP packet in a new frame addressed to the MAC of the next hop, and
then forwards it.
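The two bullets above, the local ARP case and the default-gateway case, are simulated in the following added example. It is not code from the courseware: `Host`, `Frame`, the MAC and IP addresses, and `link_table` (a stand-in for whichever machine answers an ARP broadcast on the segment) are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Added example, not part of the courseware: a simulation of next-hop selection,
# ARP resolution with a cache, and router re-framing. All addresses are constructed.

@dataclass
class Host:
    ip: str
    prefix_len: int
    mac: str
    gateway: str                                             # default gateway IP address
    arp_cache: Dict[str, str] = field(default_factory=dict)
    arp_requests: List[str] = field(default_factory=list)    # log of broadcasts sent

@dataclass(frozen=True)
class Frame:
    dst_mac: str          # layer 2: rewritten at every hop
    src_mac: str
    src_ip: str           # layer 3: end to end, untouched by routers
    dst_ip: str
    payload: bytes

def next_hop(host: Host, dst_ip: str) -> str:
    """Local destinations are addressed directly; anything else goes via the gateway."""
    local_net = ipaddress.ip_network(f"{host.ip}/{host.prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else host.gateway

def resolve_mac(host: Host, ip: str, link_table: Dict[str, str]) -> str:
    """ARP: use the cache, otherwise broadcast a who-has request and remember the answer."""
    if ip in host.arp_cache:
        return host.arp_cache[ip]
    host.arp_requests.append(ip)            # the MAC-level broadcast the text describes
    mac = link_table.get(ip)
    if mac is None:
        raise LookupError(f"no ARP reply for {ip}")
    host.arp_cache[ip] = mac                # ARP carries no authentication: the first answer is believed
    return mac

def send(host: Host, dst_ip: str, payload: bytes, link_table: Dict[str, str]) -> Frame:
    """Build the frame a host puts on the wire for an IP packet addressed to dst_ip."""
    hop = next_hop(host, dst_ip)
    return Frame(resolve_mac(host, hop, link_table), host.mac, host.ip, dst_ip, payload)

def router_forward(router_mac: str, frame: Frame, next_hop_mac: str) -> Frame:
    """A router unwraps the frame and rewraps the packet for the next link; IP addresses stay."""
    return Frame(next_hop_mac, router_mac, frame.src_ip, frame.dst_ip, frame.payload)

if __name__ == "__main__":
    segment = {"192.168.1.20": "aa:aa:aa:00:00:20", "192.168.1.1": "aa:aa:aa:00:00:01"}
    pc = Host("192.168.1.10", 24, "aa:aa:aa:00:00:10", "192.168.1.1")
    local = send(pc, "192.168.1.20", b"hello neighbour", segment)
    remote = send(pc, "10.0.0.5", b"hello far away", segment)
    print("local  ->", local.dst_mac, local.dst_ip)
    print("remote ->", remote.dst_mac, remote.dst_ip)
    print("ARP broadcasts sent:", pc.arp_requests)
    print("after router:", router_forward(segment["192.168.1.1"], remote, "bb:bb:bb:00:00:02"))
```

The remote frame carries the gateway's MAC but the far host's IP address, which is the separation between layer 2 and layer 3 that the next lesson's OSI table formalises; the absence of any check in `resolve_mac` is also why a switched segment deserves monitoring for ARP replies that contradict earlier ones.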
• Routing packets to the appropriate logical address as identified by the upper layers.
• Encapsulating transport layer datagrams into network packets and passing them to the data-link
layer.
• Passing incoming packets up the protocol stack to the appropriate transport layer protocol.
In the early days of networking, different vendors produced their own, proprietary networking protocols.
These included:
• Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX). This protocol was developed
to provide transport and network layer services for the Novell NetWare operating system. Although
proprietary, the protocol stack was widely implemented in other networking operating systems. This
includes the Windows Server® operating systems. SPX is a transport layer protocol, whereas IPX
provides network layer support.
• AppleTalk. This is another proprietary protocol providing transport and network layer functions. The
Apple Corp. implemented this protocol to support their Apple Mac computer systems. Microsoft
Corporation provided some support for this protocol in their Windows® platform.
• TCP/IP. This was first developed as a suite of protocols to support applications that run on the UNIX
platform. During the 1990s, this protocol began to gain acceptance by network product vendors. This
includes Microsoft, Novell, and Apple. TCP/IP provides a four-layer architecture that offers support for
all layers of the OSI reference model. TCP/IP implements two transport layer protocols: TCP and User
Datagram Protocol (UDP). At the network layer, IP is implemented.
Networking services sit on top of the protocol stack, and pass instructions down the stack to the media. It
is the job of the network protocol stack to interpret service requests and encapsulate them in a form
accessible by lower-level protocols.
The presentation layer provides independence from differences in how network data is presented. This
enables applications, which use different syntax, to communicate. The presentation layer:
• Establishing, maintaining, and terminating connections, known as sessions, between local and remote
applications.
• Selecting the appropriate transport layer protocol for communications with remote applications.
Different network operating systems implement different network services. However, they also provide
similar functionality:
• Authentication
• Email messages
Lesson 2
Understanding Media Types
Although you can connect devices to a network that uses wireless components, it is more common to use
wired media. There are many kinds of wired media types, each with different characteristics: cabling
distances, load and resistivity, and the ability to resist external electromagnetic interference. This lesson
explores the cabling characteristics and standards.
Lesson Objectives
After completing this lesson, you will be able to:
Coaxial Cable
Construction
Standards
American wire gauge (AWG). This defines the diameter of the central conductor. A numbering system
indicates the diameter used. For example, 14 AWG indicates a thicker cable than 18 AWG cable. Realize
that the electrical characteristics of the cable change with its diameter. Specifically, thicker wire carries
currents further because it has lower resistance over a given distance.
Radio grade or Radio guide (RG). These standards define coaxial cable characteristics from susceptibility
to interference and resistivity. There are many RG coaxial cable standards and networking components
use only a small subset of those. They are primarily grouped according to the cable impedance because it
is important that the impedance of the cable matches the impedance of the transmitter, otherwise there
might be significant data loss. The following lists some examples.
• 50 ohm impedance:
o RG58. Fairly thin and flexible. Ideal for connecting nodes to the network. However, RG58 does
not support long cable runs or lots of connected devices. It uses 20 AWG copper wire. It was used in
early Ethernet networks known as 10Base2 (also known as ThinNet). As explained in Module 3,
“Understanding Network Infrastructure,” the 10 refers to the transmission speed, 10 Mbps; Base
refers to the transmission type, that is, baseband; and the 2 in this instance refers to the distance
over which it can operate, that is, approximately 200 meters. The actual distance is less,
approximately 165 meters. This network type was very popular before twisted pair cabling.
Today, it would only be found in older networks.
o RG8. RG8 is approximately 16 AWG. It is thicker than RG58 and not as flexible. Compared to
RG58, it provides less data loss over longer distances. RG8 was also commonly used in earlier
Ethernet networks, known then as a 10Base5 network, again the 10Base5 name indicating 10
Mbps, baseband transmission, and in this case, over distances of 500 meters. This network type
was commonly known as ThickNet because the cable type was comparatively thicker than the
network type used in 10Base2 networks. Today, RG8 would only be found in older networks. RG8
and RG58 might also be found in laboratory equipment or radio transmitters/receivers.
• 75 ohm impedance:
o RG59. Has an 18 AWG core. It is susceptible to signal loss at higher frequencies over long
distances.
o RG11. Thick coaxial cable with a solid 14 AWG core. It is fairly thick, so it is not very flexible,
but it has good signal integrity over length. It is mostly used in backbones, where more robust
cabling is needed.
o RG6. Thinner than RG11 with 75 ohm impedance and typically 18 AWG, similar to RG58. It is
more susceptible to attenuation than RG11 but is less expensive. Used mostly in consumer
devices, or over short distances. RG6 and RG59 are used mostly in video applications or cable
TV/TV antennae connections. RG6 would generally have better signal integrity over the distances
needed, so it might be more widely used than RG59. RG6 is typically more expensive than RG59
cable.
Generally, thicker cables mean longer distances with less data loss. But there are other things to consider
such as the shielding used in the cable. The main points to be aware of here are that different cable types
have different capabilities, and even within the previous categories there are sub-categories that will have
slightly different specifications. If you are intending to use coaxial cable, make sure that you know the
correct impedance to use and also the distance over which the data must travel.
Connectors
Coaxial cable connects network devices by using different connector types based on the thickness of the
wire. Connectors can be categorized into two groups as outlined earlier.
Thick coaxial cable (10Base5). RG8 cable types use a piercing tap, or vampire connector, to connect to
thick coaxial cable. The connector surrounds the cable, and conductive spikes penetrate the cable to the
central and outer conductors. The connector is then attached to the network device by using an
attachment unit interface (AUI) connector. This 15-pin connector is also sometimes known as a Digital
Intel Xerox (DIX) connector.
Thin coaxial cable (10Base2). RG58, RG59, and RG6 would typically use BNC or F type connectors.
• The BNC connector connects by using a press, twist, and lock mechanism and would usually be seen
with RG59 cable. BNC has different connection types, such as T-connector, Terminator, and barrel
connector types.
• An F type connector has a sharp pin in its center that acts as the transfer medium. It connects by
using a press or a screw-and-lock mechanism and involves the pin and female receptacle connector
ends.
Note: Coaxial cable must be terminated. In order to prevent signals reflecting back up the
media, a resistor is attached to both ends of the cable. This absorbs the signal and prevents
reflection. You must use a terminator of the correct impedance.
Coaxial cable is not typically used in networking applications today. This is primarily because of the
unstructured nature of the wiring. In addition, coaxial cable is not especially fault-tolerant. A break in the
cable disrupts the whole segment because you now have two non-terminated segments. It is also very
difficult to locate the exact location of the cable break, although a device like a Time Domain
Reflectometer can be used to help. It is also useful to “ground” the cabling system to reduce interference
in the data signal, typically through devices it is connected to, such as antennae.
Coaxial cable is resistant to electromagnetic interference and can support long cable runs between hosts.
Although it might have some limited advantages it is a legacy option that has been replaced with other
cable types such as twisted pair (discussed in the next topic). It is becoming difficult to find modern
network adapters that support it.
Twisted-Pair Cable
The twisted-pair cabling type is common in modern networks; it has generally replaced coaxial cabling in Ethernet networks as the standard. Although it is still copper based, it’s a less expensive option than coaxial cable, although this wasn’t always the case. This is mainly because switches became less expensive than hubs and as such, the number of collisions present in hubs could be reduced. This enables the cable to span larger networks. As it became more popular, the relative cost came down. You can use twisted-pair cabling to support several applications, including telephony and networking.
Construction
As the name suggests, the cable is constructed from a pair, or sometimes several pairs, of insulated cables,
twisted around one another, all enclosed in a protective outer sheath of plastic.
Note: The nearness of the other cable in the pair can introduce crosstalk, or interference.
The twisting helps eliminate the crosstalk. The more twists per meter, the higher the cable rating.
For example Category (Cat) 4 cables have fewer twists per meter than Cat 5 cables.
There are two kinds of twisted-pair cable: unshielded twisted pair (UTP) and shielded twisted pair (STP).
The two types have several differences.
• UTP is the more typically used twisted-pair type. UTP follows the 10BaseT specification and there are
several categories. The categories range from traditional telephone cable (voice but no data) to high
speed (1000 Mbps/10 Gbps) quality data transmission. UTP has a maximum distance of 100 m.
• STP overcomes the main UTP disadvantage (interference) by providing copper shielding. STP provides
faster transmission over longer distances than UTP, but STP is more expensive.
Connectors
You connect devices with STP or UTP to the network by using several different connectors.
• RJ11. A four-contact connector supporting two-pair cables, typically used for telephony. However,
there are different connector types in different parts of the world.
• RJ45. An eight-contact connector supporting four-pair cables. Typically used for data applications
such as network adapters, but modern telephone lines (Integrated Services Digital Network [ISDN])
also now use RJ45.
UTP is fairly inexpensive both in terms of the cabling and associated components, and in terms of the cost
to lay the cable. Its susceptibility to interference is reduced by the twisting of the pairs and by carrying
the signal as a difference in current between the two wires of each pair. A weakness of UTP is that it is not
shielded. This means that it could interfere with other appliances and be easier to “listen in” on (by using
a radio-like device). This could make UTP less secure.
Typically, UTP should generally be the preferred choice. Where interference, longer cable runs, or
potential security threats exist, select STP.
Standards
Category | Twisted Pairs | Bandwidth Capacity (MHz) | Use
Note: The term bandwidth is used to describe the transmission speed of a network. Early networks operated at low bandwidths by today’s standards. For example, early implementations of Ethernet operated at 3 million bits per second (3 Mbps). Modern network technologies can transmit much faster than this. A typical Ethernet operates at a bandwidth of between 100 Mbps for desktops and 10 Gbps in server rooms.
Consider that the bandwidth of the network might be 1 Gbps. The actual throughput (the volume of data actually delivered, in bits) might be much less. One reason is that popular network technologies such as Ethernet operate on a contention basis. In other words, the nodes or hosts on the network compete for bandwidth. This contention process leads to loss of throughput.
More information about the TIA/EIA organization can be found at the following website.
http://www.tiaonline.org
Fiber-Optic Cable
Copper cables experience the effects of electromagnetic interference. In addition, they experience loss of signal, or attenuation, over distance. Fiber-optic cables are less prone to either of these. Because fiber-optic cables are more reliable, they are used in situations that demand longer cable runs or in areas where high levels of electromagnetic interference are expected.
Construction
• Cladding. This covers the core. Light signals cannot traverse this layer. The reflective surface of the
cladding layer reflects the light signals back into the core.
Note: Because each optical fiber supports light signals in only one direction at a time, some
cables implement multiple fibers bundled in a single cable.
• Multimode fiber. Consists of several fibers. Light signals are generated by light-emitting diodes
(LEDs). Typically, multimode fiber supports bandwidths of around 100 Mbps at distances of up to 2
kilometers and 10 Gbps over 300 meters.
• Single-mode fiber. Contains a single, thin fiber that supports higher bandwidths and longer cable
runs than multimode fiber. 40 Gbps is possible over distances of several hundred kilometers. Light
signals are generated by laser diodes. Single-mode fiber is typically more expensive than multimode
fiber.
Connectors
There are different connectors for use with fiber optic cabling, depending on whether you are using
multimode fiber or single-mode fiber, and the particular application of the cable.
• Straight Tip. The fiber equivalent of a coaxial BNC connector, using a push-and-twist locking system. Typically used with multimode fiber.
• Mechanical Transfer Registered Jack. Supports multimode fiber cables by using a snap-on
connector.
Fiber-optic cabling is more expensive than its copper equivalent. It is used where higher bandwidths over
long distances are required and the distance exceeds the capabilities of copper wiring. In areas of extreme
electromagnetic interference, fiber-optic cabling is also better.
Standards
The following table builds upon the table from Module 3 and includes the most frequently implemented
cabling standards and uses.
Of the standards listed in this table, 100BASE-TX and 1000BASE-T are most frequently found in today’s
local area networks (LANs). 1000BASE-LX and 10GBASE-LR/ER are the most frequently found in long
distance Ethernet connections.
Question: Fabrikam’s R & D center is across the private parking lot from the head offices.
You will have to connect the R & D office back to the head office so that research staff has
access to corporate services. What cable would you recommend for this application to link
the two buildings?
Lesson 3
Understanding Adapters, Hubs, and Switches
Operating at the lower levels of the OSI network architecture, switches and hubs are responsible for connecting physical devices together. The choices that you make about the deployment and configuration of these components can have far-reaching effects on the behavior of interconnected devices and on overall network functionality and performance. Therefore, make sure that you can differentiate between devices such as hubs and switches, and that you can select a hub or switch based on its functionality.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe hubs.
• Describe switches.
• Describe layer 2 and layer 3 switches.
The network adapter encapsulates the instructions it receives from the protocol stack into a logical
sequence known as a frame.
Frames contain addressing information to ensure that the protocol stack message reaches the correct
target network adapter on the local network. As discussed in Module 3, each network adapter has a
unique address known as a MAC address. This is usually assigned by the manufacturer of the network
adapter and is in hexadecimal format.
Note: The authority responsible for allocating a unique address is the Institute of Electrical
and Electronics Engineers, Inc. (IEEE).
To determine the MAC address of the destination network adapter, the local network adapter typically broadcasts a request for the required MAC address. The adapter’s own 48-bit address is placed in the source MAC address field of the network frame.
Note: Other than these unique MAC addresses, the addressing fields in a frame can also
contain specially formatted addresses; these include broadcasts and multicasts. These special
addresses and the kinds of communications that require them are discussed later in the course.
Frame structures vary according to the architecture. Even within Ethernet, there are variations of frame structure, depending on the Ethernet standard implemented. Some variations, including older implementations that you might still hear of, are as follows:
• Ethernet II. One of the earliest Ethernet frame types; it supports TCP/IP and IPX/SPX.
• Ethernet 802.2 logical link control (LLC). Contains additional header information compared to 802.3 and allows for managing varying MAC types.
The last two types encapsulate the data so that other protocols can be inserted. Ethernet Subnetwork Access Protocol (SNAP) is the most widely used and relevant frame type. There are differences between the frame type structures, but generally they can be described as consisting of the following:
• Preamble. A series of bits that enables the transmitter and receiver network adapters to synchronize
and establish a link.
• Start frame delimiter. A single byte that signifies the start of the frame.
• Destination MAC address. MAC address of the network adapter receiving the data.
Note: The destination MAC address referred to above is the address of the final recipient only when that recipient is on the local subnet. If the destination were on a different network segment, the destination MAC address would be that of the router’s interface.
• Source MAC address. MAC address of the network adapter sending the data.
• Length/type. The length field is present in all frame types except Ethernet II, which has a type field instead. The length field gives the size of the data field; the type field identifies the protocol that will interpret the frame data. In the Ethernet Subnetwork Access Protocol frame type, the type information is carried in the data field.
• Data. This data field contains the actual data. In all standard cases, it is between 46 bytes and 1,500
bytes. For 802.2 LLC and Ethernet SNAP, it encapsulates the data to allow for easier interaction with
other protocols.
(Note: Remote Direct Memory Access (RDMA) in Windows Server® 2012 allows for the transfer of data from the memory of one computer to the memory of another computer without any involvement of either computer’s operating system, CPUs, or caches. This is achieved by using NICs that support the Server Message Block (SMB) Direct protocol. This can have a significant effect on data transfer rates.)
• Pad. The 802.3 frame type can pad the data field.
• Frame check sequence. The last field in a typical frame is the frame check sequence (FCS). This field holds a checksum used to verify the integrity of the frame. As outlined previously, the FCS used in Ethernet frames is a cyclic redundancy check (CRC). Frames that are damaged in transit are dropped by the network adapter.
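The frame layout described above, as an added example that is not from the course: a small Python parser that splits a frame into its fields, tells an Ethernet II frame from an IEEE 802.3 frame by the value of the length/type field, classifies the destination address as unicast, multicast or broadcast, and verifies the FCS as a CRC-32 over the frame, which is the check a receiving adapter makes before dropping a damaged frame. The builder, the sample addresses and the payloads are constructed for the example; the preamble and start frame delimiter are assumed to have already been consumed by the adapter.

```python
import struct
import zlib

# Field sizes from the frame layout above. The preamble and start frame delimiter are
# assumed already stripped, so the frame here starts at the destination MAC address.
HEADER_LEN = 14          # destination MAC (6) + source MAC (6) + length/type (2)
FCS_LEN = 4              # frame check sequence, a CRC-32
MIN_PAYLOAD = 46         # the data field is padded up to this
MAX_PAYLOAD = 1500
ETHERTYPE_MIN = 0x0600   # length/type values of 1536 and above are types; 1500 and below are lengths


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(raw: bytes) -> str:
    """Broadcast is all ones; multicast has the low bit of the first octet set; otherwise unicast."""
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"


def compute_fcs(frame_without_fcs: bytes) -> bytes:
    """CRC-32 over destination MAC through pad, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Constructed-sample builder: pads the data field to 46 bytes and appends the FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("data field exceeds 1500 bytes")
    padded = payload + b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    body = struct.pack("!6s6sH", dst, src, length_or_type) + padded
    return body + compute_fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and check the FCS; raises on runts and bad length fields."""
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("runt frame (shorter than 64 bytes)")
    dst, src, length_or_type = struct.unpack("!6s6sH", frame[:HEADER_LEN])
    body, fcs = frame[HEADER_LEN:-FCS_LEN], frame[-FCS_LEN:]
    fcs_ok = compute_fcs(frame[:-FCS_LEN]) == fcs
    if length_or_type >= ETHERTYPE_MIN:
        # Ethernet II: the field is a type; the upper protocol knows its own length, so any pad stays
        kind, ethertype, length, payload = "Ethernet II", length_or_type, None, body
    else:
        # IEEE 802.3: the field is the data length, which lets the receiver strip the pad
        if length_or_type > len(body):
            raise ValueError("length field exceeds data present")
        kind, ethertype, length, payload = "IEEE 802.3", None, length_or_type, body[:length_or_type]
    return {
        "kind": kind,
        "dst": mac_to_str(dst),
        "dst_kind": classify_mac(dst),
        "src": mac_to_str(src),
        "ethertype": ethertype,
        "length": length,
        "payload": payload,
        "fcs_ok": fcs_ok,    # a real adapter drops the frame when this is False
    }


if __name__ == "__main__":
    # Constructed sample addresses and data; 0x0800 is the IPv4 EtherType.
    src_mac = bytes.fromhex("001122334455")
    frame = build_frame(b"\xff" * 6, src_mac, 0x0800, b"hello")
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                 # flip one bit in the data field
    print("damaged fcs_ok:", parse_frame(bytes(damaged))["fcs_ok"])
```

The 46-byte minimum explains why a five-byte payload still produces a 64-byte frame on the wire, and the 802.3 branch shows why the length field matters: without it, the receiver cannot tell pad bytes from data.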
Historically, those responsible for installing network adapters into computers had to fit the separate network adapter into an available internal expansion slot. These days, it is more usual to find network adapters as integrated components on the computer’s motherboard. After the network adapter is installed, you must connect it to the network. Typically, network adapters have a single connector for this purpose.
Note: To determine what kind of network connector you have, view the back of the
desktop computer. Depending on what country/region you are in, you may see a Registered
Jack-45 (RJ-45) connector. This resembles a standard telephone jack.
After you have connected the network adapter to the network cabling, depending on your requirements,
you typically attach the other end of the wire to a network switch or hub.
In some instances, a direct cable connection between two computers is required, such as for use with a cluster heartbeat. In this scenario, the cable pairs on one end of the Ethernet cable must be the reverse of those on the other end, so either some customization of the cable is required or a specific crossover cable is needed.
What Is a Hub?
Some early networks used wiring systems in which each node was connected directly in a ring. Other networks implemented a single cable that was routed to each node in sequence, creating a chain of networked computers. Both cabling methods had several problems. First, if the cable was damaged, network integrity was lost and communication was disrupted. Second, because cabling was frequently laid to limit cable lengths or to find a convenient path to the next node, it was not always easy to locate the faulty cable. As networks became more popular, administrators sought to resolve these problems.
Later, network devices that enabled star wiring of network nodes were adopted. These devices were known as hubs and enabled each network node to be connected back to a central point. This addressed the problem of unstructured wiring and also of network failure resulting from a break in the cable: a cable fault now isolated only a single node.
Some early hubs supported different kinds of cabling connectors, known as ports, to enable connection of
twisted-pair cabling, coaxial cabling, and other media. Even today’s simple consumer hubs support wired,
wireless, and Asymmetric Digital Subscriber Line (ADSL) ports.
You can use hubs to extend the network. Depending on the network topology being used, you can
connect a chain of hubs together potentially over very long distances.
Note: Ethernet has several rules that define how you can extend the network. As defined in the 5-4-3 rule, you can connect five segments by using four repeaters as long as only three of the segments have active nodes. In early coaxial implementations of Ethernet, the maximum segment length with thick coaxial was 500 meters. The maximum end-to-end length of an Ethernet network is defined as 2.5 kilometers. This figure does not take into account bridging or routing, which can extend the network further.
Note: Hubs are generally not used any longer and are considered legacy devices with
limited functionality for modern networks and data transmission requirements. Switches have
replaced hubs.
What Is a Switch?
In contention-based networks, such as Ethernet, all connected nodes share the media and its available bandwidth. Therefore, if there are 10 nodes on a network that has a 10 Mbps bandwidth, it can be said that each node has an available bandwidth of a tenth of the total, or 1 Mbps. If you add nodes to the network, the share each has of the total decreases in inverse proportion to the number of connected nodes. Therefore, when there are 20 nodes, each has a twentieth of the bandwidth. A significant problem of contention networks with many connected nodes is that throughput degrades. A bigger issue is the collisions that occur on a link, which further reduce the available bandwidth. The simple solution is to reduce the number of nodes in each segment. You can do this by implementing MAC-level bridging.
A switch is like a hub. It acts as a wiring concentrator to which all network devices are connected. It
performs the same isolation when a cable failure occurs while maintaining the integrity of the network.
However, there are some fundamental differences.
Characteristics of a Switch
Layer 2 Switches
The significant difference between a hub and a switch is that the switch can perform MAC-level bridging between ports. In other words, each node has exclusive use of the bandwidth of its segment during its transmission, so every device connected to the switch talks exclusively with the switch. The switch maintains a table that records which MAC addresses are reachable through which ports. This means that traffic is only sent to the wires that require the information.
You can configure each host to have a single port, or you can connect a hub to a switch port. When you
connect a hub to a switch port, the nodes on the hub all share the bandwidth configured for the port on
the switch to which the hub is connected. In this manner, you can determine how much bandwidth is
available to each port and nodes connected to the ports. Switches that provide this function are known as
Layer 2 switches.
With modern switches, you can also program a group of ports to behave like a hub. For example, you
could create a group of ports to enable network load balancing or to provide for network level analysis.
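The MAC table behaviour described above, as an added example that is not from the course: a Python model of a Layer 2 learning switch that records the port each source MAC was seen on, forwards known unicast frames to one port only, floods unknown, multicast and broadcast destinations to every other port (the hub-like case), and filters a frame whose source and destination are both behind the same port, which is what happens when a hub hangs off a switch port. Port numbers, MAC addresses and the walk-through are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast addresses have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class LearningSwitch:
    """A Layer 2 switch: learns which MAC sits behind which port and forwards by that table."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}      # MAC address -> port it was last seen on

    def receive(self, in_port, src: str, dst: str):
        """Handle one frame arriving on in_port; return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learn from the source address. A group address is never valid as a source, so skip those.
        if not is_group_address(src):
            self.mac_table[src] = in_port
        # Unknown unicast, multicast and broadcast are flooded to every other port, as a hub would.
        if is_group_address(dst) or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        # Source and destination behind the same port (for example both on a hub attached to it):
        # the frame has already reached its destination, so the switch filters it.
        if out_port == in_port:
            return []
        return [out_port]

    def stations_on(self, port):
        """MACs learned behind one port; more than one means the port is shared, hub-style."""
        return sorted(mac for mac, p in self.mac_table.items() if p == port)


def demo():
    """Constructed walk-through: hosts A and B on their own ports, C and D sharing port 3 via a hub."""
    sw = LearningSwitch([1, 2, 3])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    c, d = "02:00:00:00:00:0c", "02:00:00:00:00:0d"
    steps = [
        ("A -> B, B unknown", sw.receive(1, a, b)),        # flooded to ports 2 and 3
        ("B -> A, A known", sw.receive(2, b, a)),          # sent to port 1 only
        ("A -> B, B now known", sw.receive(1, a, b)),      # sent to port 2 only
        ("C -> D, D unknown", sw.receive(3, c, d)),        # flooded to ports 1 and 2
        ("D -> C, same port", sw.receive(3, d, c)),        # filtered: the hub already delivered it
        ("A -> broadcast", sw.receive(1, a, BROADCAST)),   # always flooded
    ]
    return sw, steps


if __name__ == "__main__":
    switch, steps = demo()
    for label, egress in steps:
        print(f"{label:22s} -> ports {egress}")
    print("stations behind port 3:", switch.stations_on(3))
```

The first frame to an unknown destination still reaches every port, so a switch only delivers the bandwidth isolation described above once it has learned where each station is; the reply from B is what turns the flood into a single-port forward.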
Layer 3 Switches
Some switches can provide protocol-specific routing functions at the network layer of the protocol stack. For example, you can configure the switch to provide routing for IP packets but not to perform MAC-level bridging for non-IP frames. Switches that provide this routing functionality are known as Layer 3 switches.
Note: Network protocols, such as IP, encapsulate instructions received from higher-level
protocols, such as TCP, into a structure known as a packet.
Layer 3 switches route packets. The switch examines the packet and makes a routing decision based on
the destination packet address. Layer 3 switches also perform additional routing functions. For example,
Layer 3 switches can check packet integrity, respond to Simple Network Management Protocol (SNMP)
management systems, and observe and decrement packet Time-to-Live (TTL) values.
In some ways, a Layer 3 switch can provide several improvements over more traditional routers. For
example, Layer 3 switches:
• Divide networks into logical subnets by using the Layer 2 configuration instead of at the port level, as a traditional router does. This provides a more flexible configuration.
Be aware that Layer 3 switches do not provide support for wide area networks (WANs).
Layer 4 Switches
Some more advanced switches are equipped with a firewall service module that enables the switch to
make forwarding decisions based on the type of data in the segment. These kinds of advanced
functionality switches are known as Layer 4 switches.
Also as discussed in Module 3, switches allow for creating a VLAN. A VLAN is a virtual implementation of a
LAN that lets you control what nodes receive what traffic and then group the nodes accordingly. For
example, nodes in a different physical or geographical location can behave as if they were on the same
logical network.
Note: Transport protocols, such as TCP, encapsulate instructions received from applications
into a structure known as a segment.
Switches with a firewall service module examine the content of segments received and determine whether
and how to route the segment based on the specific TCP port being used.
Note: Quality of Service (QoS) values are a way to indicate the priority of traffic. Some
network transport protocols implement QoS to support application prioritization needs. The
switch can read and interpret these QoS values.
Lesson 4
Understanding Routing
You must understand how routers make routing decisions so that you can plan their deployment and
configuration to support the desired functionality of the network. Different routing protocols are suited to
different network environments. A good understanding of these different protocols will enable you to
manage your LAN and wide area network (WAN) more efficiently.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe routers.
What Is a Router?
Historically, routers were implemented in networks in order to extend the LAN into a WAN. One router interface would be connected to the LAN, and another to a telephony circuit of some type. At the destination, a similarly configured router was deployed. Packets could flow between the networks as required.
Network nodes determine whether a destination host is a member of another LAN (or VLAN) when they
begin communications. Elements of the network transport protocol make this determination by
comparing the source and destination network addresses in the packet. When a node is determined to be
in a different network, the node tries to route the packet to that network. Usually, this means that the
packet is forwarded to a router on the local network. This behavior is a significant departure from the way
communications occur with Layer 2 switches or bridges. The nodes explicitly address the frame to the
router that will handle the routing process of the encapsulated packet.
In order to perform routing, the router must know what other networks exist and how to reach them.
Routers maintain this information in routing tables. Routing tables are either static or dynamic. Static
routing tables are maintained by a network administrator who must add the required routes manually to
the table. Dynamic routing tables are maintained by the propagation of routing information between
routers themselves using special routing protocols.
The router tries to select which route to use based on factors such as the route with the most reliable link,
the route with the least cost, or perhaps the route with the lowest current network load; these criteria are
known as metrics. Frequently implemented metrics include the following:
• Bandwidth
• Path cost
• Reliability
• Hop count
When the router has selected a route, it forwards the packet to the next router in turn.
Note: Each packet on an IP network has a field named the TTL counter. Every time that the
packet transits through a network device, such as a router, the TTL counter is decremented by at
least one. When the TTL reaches zero, the router then holding the packet drops it. This makes
sure that packets do not loop around the network.
Routing Example
For example, in the following scenario, a packet is routed across three networks: network A, network B,
and network C. Two routers connect these networks, each configured by using a routing table. A host in
network A communicates with a host in network C. The following are steps describing how network A
communicates with network C:
1. The originating host creates a packet addressed to C:12. The host determines that network C is not
the local network.
3. The router receives the packet and examines the destination address. It compares the destination
network address and determines that it has an appropriate entry for the destination network in its
routing table.
5. The second router receives the packet and examines the destination address. It compares the destination network address and determines that it has an appropriate entry for the destination network in its routing table. In fact, the router is locally connected to the destination network.
In this example, each device addresses its frame to the MAC address of the next device along the path.
In small networks, you can maintain routing table entries manually. However, for larger networks that
have routers, this is not possible. You can configure routing tables for routers dynamically by installing a
routing protocol.
Note: Hosts and routers can be configured by using a default gateway property in IP
networks. When a host, or router, does not have a specific route to a target network, it forwards
the packet to its configured default gateway. This is the usual configuration for network nodes.
Configure each router to use the other router’s local interface as its default gateway. The only
exception where you do not have to configure anything is when you have only one router that
connects you to the Internet.
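The three-network routing example and the default gateway note above, as an added example that is not from the course: a Python model of two routers with directly connected networks, a static route, default gateways pointing at each other, longest-prefix-match lookup, and the TTL decrement that drops a packet which would otherwise loop. The network addresses (10.0.1.0/24 for A, 10.0.2.0/24 for B, 10.0.3.0/24 for C), the router names R1 and R2, the interface names and the host addresses are all assumptions made for the example.

```python
import ipaddress


class Router:
    """A router with directly connected networks, static routes, an optional default gateway,
    longest-prefix-match lookup and TTL handling."""

    def __init__(self, name, interfaces):
        # interfaces: {ifname: "address/prefix"}; each adds a route to its connected network
        self.name = name
        self.addresses = {}
        self.routes = []                     # (network, next_hop or None if connected, ifname)
        for ifname, cidr in interfaces.items():
            iface = ipaddress.ip_interface(cidr)
            self.addresses[ifname] = iface.ip
            self.routes.append((iface.network, None, ifname))

    def add_route(self, dest, next_hop, ifname):
        """Static route entered by the administrator."""
        self.routes.append((ipaddress.ip_network(dest), ipaddress.ip_address(next_hop), ifname))

    def set_default_gateway(self, next_hop, ifname):
        """Route of last resort: matches any destination but loses to every more specific route."""
        self.add_route("0.0.0.0/0", next_hop, ifname)

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None when nothing matches."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r[0].prefixlen)

    def forward(self, packet):
        """Route one packet (a dict with 'dst' and 'ttl'), decrementing its TTL.
        Returns (action, next_hop_address, ifname)."""
        route = self.lookup(packet["dst"])
        if route is None:
            return ("drop:no-route", None, None)
        packet["ttl"] -= 1
        if packet["ttl"] <= 0:
            return ("drop:ttl-expired", None, None)    # the router holding the packet drops it
        network, next_hop, ifname = route
        if next_hop is None:
            # Directly connected: the next device is the destination host itself
            return ("deliver", ipaddress.ip_address(packet["dst"]), ifname)
        return ("forward", next_hop, ifname)


def trace(routers, first, packet):
    """Hand the packet from router to router until it is delivered or dropped; return the hop log."""
    owner = {ip: r for r in routers for ip in r.addresses.values()}
    log, current = [], first
    while True:
        action, nh, ifname = current.forward(packet)
        log.append((current.name, action, None if nh is None else str(nh), ifname))
        if action != "forward":
            return log
        if nh not in owner:
            log.append((current.name, "drop:next-hop-unreachable", str(nh), ifname))
            return log
        current = owner[nh]


def build_example():
    """Constructed topology: A = 10.0.1.0/24, B = 10.0.2.0/24, C = 10.0.3.0/24,
    R1 between A and B, R2 between B and C (all addresses are assumptions)."""
    r1 = Router("R1", {"eth0": "10.0.1.1/24", "eth1": "10.0.2.1/24"})
    r2 = Router("R2", {"eth0": "10.0.2.2/24", "eth1": "10.0.3.1/24"})
    r1.add_route("10.0.3.0/24", "10.0.2.2", "eth1")   # static entry for network C
    r1.set_default_gateway("10.0.2.2", "eth1")        # each router uses the other's local interface
    r2.set_default_gateway("10.0.2.1", "eth0")
    return r1, r2


if __name__ == "__main__":
    r1, r2 = build_example()
    pkt = {"src": "10.0.1.10", "dst": "10.0.3.12", "ttl": 64}      # host A:10 to host C:12
    for hop in trace([r1, r2], r1, pkt):
        print(hop)
    # A destination neither router knows bounces between the two default gateways until TTL expires
    stray = {"src": "10.0.1.10", "dst": "192.0.2.5", "ttl": 4}
    for hop in trace([r1, r2], r1, stray):
        print(hop)
```

The second trace is the case the TTL note above guards against: with both routers pointing their default gateway at each other, a packet for a network neither knows would circulate forever if each hop did not decrement the counter and drop the packet at zero.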
The main advantage of using dynamic routing, other than the benefit of not having to manually configure
your routers, is that dynamic routing supports changes in the routing infrastructure. If you add or remove
a network, you do not have to update all the routing tables. The routing protocols that you implement
make these changes automatically.
Note: Even with dynamic routing, you still have to configure each router for the LANs you
have to support. Dynamic routing only handles foreign LANs on other routers.
• Routing Information Protocol (RIP). A popular Interior Gateway Protocol (IGP). RIP uses a distance
vector algorithm to identify remote networks and uses UDP. It supports fairly small internetworks as
destinations, with a hop count greater than 16 considered unreachable.
• Open Shortest Path First (OSPF). A popular link-state IGP routing protocol. OSPF uses a link-state
mechanism to propagate routing information. Link-state protocols maintain data about the network
segments to which they are connected and the current state of these networks. Therefore, OSPF
protocols are suitable for larger internal networks than RIP. OSPF does not use TCP/IP.
• Border Gateway Protocol (BGP). This widely used External Gateway Protocol (EGP) was designed
specifically to enable interconnection of many enterprises on the Internet.
Scenario 2:
Question: For the Fabrikam scenario, would you recommend static or dynamic routing?
Question: For the Fabrikam medium-sized network, is the use of a routing protocol
indicated? If so, which one would you recommend?
Question: For the Tailspin Toys scenario, would you recommend static or dynamic routing?
Question: For the Tailspin Toys small network, are routing tables required?
Question: If Tailspin Toys implements an Internet connection by using a router, how would
this change the configuration that you have selected?
Objectives
After completing this lab, you will be able to:
• Answer the questions in the Branch Office Network Components Deployment Plan document.
• Answer the questions in the Branch Office Network Wiring Plan document.
Supporting Documentation
Charlotte,
The network diagrams you suggested are not quite completed yet, but you can update them with the details of
the components you require.
As you can see, there are three branches, and then the R & D function at the head office. We have to connect
the computers together in the branches and then connect the branches to the head offices.
Regards, Ed
Requirements Overview. To determine which components to install to connect nodes at branch offices
and to connect branch offices to the head office.
Additional Information
High-bandwidth applications will be used in the branches.
Devices must provide for virtual local area networks (VLANs) to support project teams that span each
branch.
Traffic should be isolated in the branch except where necessary.
It should be possible to manage traffic in the branch based on its priority.
Questions:
1. What devices are required to connect the branches together and connect the branches to the head
office?
3. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.
2. What devices are required to connect the branches together and connect the branches to the head office?
4. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.
Results: After this exercise, you should have completed both the A. Datum Branch Network Plan diagram
and the Branch Office Network Components Deployment Plan.
Additional Information
Very high bandwidths are expected.
High levels of electromagnetic interference are expected in some areas of the branches.
Cost is a limiting factor.
The solution, so far as is possible, should be future-proofed.
Proposals
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined
for network components earlier?
2. How will you address the issue of high levels of electromagnetic interference?
3. What cable standards do you propose?
Task 2: Update the proposal document with your planned course of action
Update the proposal document with your planned course of action, by answering these proposal
questions.
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined
for network components earlier?
2. How will you address the issue of high levels of electromagnetic interference?
Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
Question: In the lab, you were asked to consider a wiring scheme for branch offices. You
were constrained by budget. Had you not been, how would that have changed your plans, if
at all?
Question: You plan to implement a large, routed internetwork. What routing protocol would
you consider for this completely autonomous network?
Question: Why is coaxial cable generally not a good choice for data networks?
Module 5
Implementing TCP/IP
Contents:
Module Overview 5-1
Module Overview
Network protocols are responsible for providing a communications channel between applications running
on separate hosts. Most network protocols are actually a collection of multiple protocols, collectively
known as a protocol stack. Each protocol in the stack provides a different networking function. This
module focuses on the TCP/IP protocol stack.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of TCP/IP
TCP/IP is an industry-standard suite of protocols that provides communication in a heterogeneous
network. With TCP/IP, you can connect different operating systems together in a manner that helps
enable cross-platform communications.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Windows® Socket and identify port numbers for specified protocols.
• The TCP/IP model was developed to take advantage of the Internet, after protocols were developed.
• The TCP/IP model takes a horizontal approach to organizing the communication processes.
Another way to think of this is that the OSI model defines distinct layers related to packaging, sending,
and receiving data transmissions over a network. The TCP/IP stack layered protocol suite performs these
functions.
Dividing the network functions into a stack of separate protocols, instead of creating a single protocol, provides several benefits:
• Separate protocols make it easier to support different computing platforms. Creating or modifying protocols to support new standards does not require changing the whole protocol stack.
• Having multiple protocols operating at the same layer makes it possible for applications to select the protocols that provide only the level of service required.
• Because the stack is split into layers, the development of the protocols can proceed in parallel, by personnel who specialize in the operation of the particular layers.
• Application layer. The application layer of the TCP/IP model corresponds to the application,
presentation, and session layers of the OSI model. The application layer provides services and utilities
that enable applications to access network resources.
• Transport layer. The transport layer corresponds to the transport layer of the OSI model and is
responsible for end-to-end communication using TCP or User Datagram Protocol (UDP).
• Internet layer. The Internet layer corresponds to the network layer of the OSI model. Protocols in this
layer are used to control packet movement between networks. It is at this layer that source and
destination address details are added to network data. The main protocol that operates at this layer is
IP and the main devices would typically be routers.
• Network interface layer. The network interface layer (sometimes known as the link layer or data-link layer) corresponds to the data-link and physical layers of the OSI model. The network interface layer specifies the requirements for sending and receiving packets on the network media. This layer is usually not considered part of the TCP/IP protocol suite because its tasks are performed by network devices: for example, hubs, some parts of switches, routers, and any device with a network adapter.
Application Layer
• Hypertext Transfer Protocol Secure (HTTPS). A version of HTTP that is used to encrypt
communication between web browsers and web servers. It is also typically used to ensure general
server and client authentication for more secure intranets or extranets.
• File Transfer Protocol (FTP). A protocol to copy files between two computers over the Internet.
• Dynamic Host Configuration Protocol (DHCP). Protocol to automate IP address assignment and
some additional options, such as Domain Naming Servers. Used by clients that do not require a static
IP address.
• Domain Name System (DNS). Enables locating computers and services by using user-friendly names instead of IP addresses.
• Post Office Protocol version 3 (POP3). An IP that enables a user to download email from a server
to a client computer.
• Internet Message Access Protocol (IMAP). Another IP that enables an email client to download
email from an email server. Both IMAP and POP3 have traditionally been widely used for Internet
email.
• Simple Mail Transfer Protocol (SMTP). Standard protocol to transfer email messages between
email servers. Also used in combination with POP3 or IMAP to send email messages from clients to
email servers.
MCT USE ONLY. STUDENT USE PROHIBITED
5-4 Implementing TCP/IP
• Simple Network Management Protocol (SNMP). An Internet protocol that is used to provide status information
about a host on a TCP/IP network.
• Remote Desktop Protocol (RDP). A proprietary protocol to provide remote display and input
capabilities over network connections for Windows-based applications between two computers.
• Network Time Protocol (NTP). An Internet protocol that enables computers to synchronize time with one another.
Time synchronization is an important function when dealing with networks and network nodes.
• Telnet. A protocol that operates over the Internet. Telnet enables communication between two
computers interactively, such as over a Command Prompt. Although it is not typically required in
Windows networks these days, it might still be encountered and can be useful in troubleshooting and
configuring network devices.
Transport Layer
The transport layer provides software developers the choice of TCP or UDP. The protocol is determined by
the software developer based on the communication requirements of the application.
• UDP. Provides connectionless and unreliable communication. Reliable delivery is the responsibility of
the application when UDP is used. Applications use UDP for faster communication with less overhead
than TCP. Applications such as streaming audio and video use UDP so that one missing packet will
not delay playback. UDP is also used by applications that send small amounts of data, such as DNS
lookups.
Note: We don’t discuss port numbers until the next topic, but you should be aware, as a
troubleshooting tip in this context, that since Windows Server® 2003, DNS servers might use
TCP over port 53 to communicate with their forwarders, depending on the amount of data, so DNS
lookups are not done exclusively over UDP. This can potentially cause a network to fail because
firewall administrators might assume that DNS uses UDP port 53 only.
Internet Layer
The Internet layer protocols encapsulate transport-layer data into units called packets, addresses them,
and routes them to their destinations.
• IP. Responsible for IP routing and addressing for the Windows operating systems. Implements a dual-
layer IP protocol stack. This includes support for both IPv4 and IPv6.
• Address Resolution Protocol (ARP). Used by IP to determine the media access control (MAC)
address of local network adapters—that is, adapters installed on computers on the local network—
from the IP address of a local host. ARP is broadcast-based. This means ARP frames cannot transit a
router. The frames are localized and cannot be broadcast across the Internet. Some implementations
of TCP/IP provided support for Reverse ARP (RARP), in which the MAC address of a network adapter
is used to determine the corresponding IP address. In IPv6, ARP was replaced with IPv6 Network
Discovery (ND), which establishes the relationships between neighboring nodes in a network.
• Internet Group Management Protocol (IGMP). Provides support for multicast applications over
routers in IPv4 networks. Multicast involves the sending of data from a single source transmission to
multiple recipients. In IPv6, IGMP was replaced with Multicast Listener Discovery (MLD).
• Internet Control Message Protocol (ICMP). Used to send error, query, or diagnostic messages in
IPv4 networks. In IPv6, ICMP was updated to provide a framework for ND and MLD to operate.
The network interface layer protocols define how data from the Internet layer is transmitted on the media;
this is determined by the network architecture. Notice that this layer is not considered part of the TCP/IP
protocol suite.
Port number   Protocol   Service
21            TCP        FTP
25            TCP        SMTP, which email servers and clients use to send email
110           TCP        POP3, used for email retrieval by email clients
520           UDP        Routing Information Protocol (RIP), for routing information communication
Usually it is not necessary for you to configure your applications to use specific ports. However, you must
be aware of the ports that applications are using to ensure that the required ports are open through any
firewalls in your organization. Typically, a port with a secured service behind it is not a security risk. But an
open port without a service is a security risk, because if a server is hacked, that open port can be used for
unmonitored communication.
Lesson 2
IPv4 Addressing
In order to connect network hosts on an IPv4 network, you must know how to configure IPv4 addresses
and related properties. This lesson will cover the general concepts around IPv4 addressing as well as how
to analyze, configure and troubleshoot IPv4 Addresses. Understanding IPv4 is pivotal to any network
administration tasks that administrators need to perform.
More information about IPv4 addressing can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309109
Lesson Objectives
After completing this lesson, you will be able to:
IP Address
An IP address is a binary number that uniquely
identifies a host (computer) to other hosts, for the
purposes of network communication.
Subnet
Subnetting
Subnetting is a network design strategy that segregates a larger network into smaller components. A
virtual local area network (VLAN), as mentioned earlier, lets you use switches to divide a network into
virtual subnets, or VLANs; the terms subnet and VLAN are sometimes used interchangeably.
Subnet Mask
A subnet mask is a 32-bit value that enables the recipient of the IPv4 packet to distinguish the network ID
and the host ID parts of the address. Typically, subnet masks use the format 255.x.x.x. The subnet mask
that you use determines in which subnet your computer is located. The subnet mask is used by the TCP/IP
protocol to determine whether a host is using the local subnet or on a remote network.
IPv4 Addresses
To configure network connectivity, you must be
familiar with IP addresses and how they work. The
TCP/IP Internet layer provides two protocols: IPv4
and IPv6. IPv4 is the older protocol and is still
much more widely used.
For example, if you view an IPv4 address in its binary format, it has 32 characters.
11000000101010000000000111001000
IPv4 divides the binary address into four 8-bit chunks, or octets.
11000000.10101000.00000001.11001000
Notice that in an 8-bit octet each bit position has an assigned decimal value, and each bit is set to either
0 or 1. The low-order bit, the rightmost bit in the octet, represents a decimal value of 1. The high-order
bit, the leftmost bit in the octet, represents a decimal value of 128. The highest decimal value of an octet
is 255, that is, all bits are set to 1.
To make the IP addresses more readable, the address is usually shown in its dotted decimal notation.
192.168.1.200
Note: You can use the Windows® calculator for binary-to-decimal and binary-to-hex
conversion.
The following table outlines the various components that go into making network and host IDs and how
they interact. Lining up the IP address and the subnet mask together, the network and host parts of the
address can be displayed and broken out into their corresponding binary values. This is shown in the first
two rows of this table.
The first 24 bits (the number of 1s in the subnet mask) are identified as the network address, with the last
8 bits (the number of remaining 0s in the subnet mask) identified as the host address. This is shown in the
second set of numbers in the previous table.
So in this example, using a 255.255.255.0 subnet mask, the network ID is 192.168.2.0, and the host address
is 0.0.0.181. When a packet arrives on the 192.168.2.0 subnet (from the local subnet or a remote network),
and it has a destination address of 192.168.2.181, your computer will receive it from the network and
process it.
Note: The IPv4 address 127.0.0.1 is used as a loopback address. You can use this address to
test the local configuration of the IPv4 protocol stack. Therefore, the network address 127 is not
permitted for configuring IPv4 hosts.
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices
that do not connect directly to the Internet use a private IPv4 address. This means that it is not directly
exposed or visible.
Public IPv4 addresses must be unique. IANA assigns public IPv4 addresses. Usually, your Internet service
provider (ISP) allocates you one or more public addresses from its address pool. The number of addresses
that your ISP allocates to you depends on how many devices and hosts that you have to connect to the
Internet. In summary, public IPv4 addresses:
• Are required by devices and hosts that connect directly to the Internet.
The pool of IPv4 addresses is becoming smaller, so IANA issues very few private IPv4 addresses.
Technologies such as Network Address Translation (NAT) enable administrators to use a relatively small
number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and
services on the Internet.
IANA defines the address ranges in the following table as private. Internet-based routers do not forward
packets originating from, or destined to, these ranges.
Class   Address range (CIDR)   Addresses
A       10.0.0.0/8             10.0.0.0–10.255.255.255
B       172.16.0.0/12          172.16.0.0–172.31.255.255
C       192.168.0.0/16         192.168.0.0–192.168.255.255
In order to select an appropriate addressing scheme for your organization, follow these steps:
2. Determine the number of subnets you need and then determine the subnet bits. For example, if you
need six subnets, then you would need three subnet bits (this will provide eight subnets). Subnets are
calculated by using the formula 2^n, where n is the number of bits. More examples are provided in
the following table.
Subnets   Subnet bits
2         1
4         2
8         3
16        4
32        5
64        6
3. To determine the subnet mask, evaluate the binary number of subnet bits. For example, if you are
using three subnet bits (11100000), then the subnet mask is 224. To determine the number of
increments, evaluate the lowest value bit in the subnet mask. For example, the lowest value bit in the
224 subnet mask is 32, and that would be the increment between addresses. More examples are
provided in the following table.
Subnets   Subnet bits   Binary     Subnet mask   Increment
4         2             11000000   192           64
8         3             11100000   224           32
16        4             11110000   240           16
32        5             11111000   248           8
64        6             11111100   252           4
• The first host is one binary digit higher than the current subnet ID.
• The last host is two binary digits lower than the next subnet ID.
• The first and last address in any network or subnet cannot be assigned to any individual host.
• The number of hosts depends on the number of bits. The formula is 2^n-2, where n is the
number of bits.
• 0 is the network address, and the value of 255 (or whatever the last address is) is reserved for
broadcast communication. More examples are provided in the following table.
Subnets   Subnet bits   Binary     Subnet mask   Increment   Host bits   Hosts
4         2             11000000   192           64          6           62
8         3             11100000   224           32          5           30
16        4             11110000   240           16          4           14
32        5             11111000   248           8           3           6
64        6             11111100   252           4           2           2
Note: Notice that you are trading off the number of subnets and the number of hosts.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on
each subnet. Using more bits than you need allows for subnet growth but limits growth for hosts.
Using fewer bits than you need allows for growth in the number of hosts you can have but limits
growth in subnets.
As a practical example, consider that you have seven locations (round up to eight subnets) in the
172.16.0.0 network. This means the subnet mask is 224 with the ranges shown in the following table.
Generally, if you have a full four octet IP, we would recommend that you use a four octet subnet mask.
Subnets   Ranges
8         172.16.0.1–172.16.31.254
          172.16.32.1–172.16.63.254
          172.16.64.1–172.16.95.254
          172.16.96.1–172.16.127.254
          172.16.128.1–172.16.159.254
          172.16.160.1–172.16.191.254
          172.16.192.1–172.16.223.254
On the slide, notice the 172.16.17.0/24 branch office that results in host addresses from 172.16.17.1 to
172.16.17.254. How does this work?
172.16.17.0/24 In binary:
10101100.00010000.00010001.00000000
Hosts: 1 to 254
(The broadcast address is 172.16.18.255. Therefore, you
cannot use that as a host address.)
In the previous example, using a network of 172.16.17.0/24, the network address is 172.16.17.0, and the
hosts can use the addresses from 172.16.17.1 to 172.16.17.254.
Note: The /24 represents how many subnet bits are in the mask. This notation style is called
variable length subnet masking.
172.16.16.0/22 In binary:
10101100.00010000.00010000.00000000
Network ID is the first 22 bits. Host ID is the last 2 bits of the third octet and all the bits from the
fourth octet—that is, the last 10 bits.
In the previous example, using a network of 172.16.16.0/22, the network address is 172.16.16.0, and the
hosts can use the addresses from 172.16.16.1 to 172.16.18.254. The broadcast address is 172.16.18.255,
which you cannot use as a host address.
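The subnet calculations in steps 2 and 3 above, and the 172.16.17.0/24 and 172.16.16.0/22 examples, worked through in Python. This is an added example and not part of the course; it uses only the standard ipaddress module, and the function names (to_binary, mask_octet, describe, split_network) are our own. It goes beyond the tables above in that it works for any prefix length, not only for a mask in the third octet.

```python
from __future__ import annotations

import ipaddress


def to_binary(addr: str) -> str:
    """Dotted-decimal IPv4 address -> four dotted 8-bit octets (192.168.1.200 -> 11000000.10101000...)."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def subnet_bits_for(subnet_count: int) -> int:
    """Smallest n with 2**n >= subnet_count; seven locations round up to eight subnets, so n = 3."""
    n = 0
    while 2 ** n < subnet_count:
        n += 1
    return n


def mask_octet(subnet_bits: int) -> tuple[int, int]:
    """Decimal value of an octet with `subnet_bits` high-order 1s, and the increment between
    subnet IDs, which is the value of the lowest 1 bit in the mask (224 -> 32)."""
    value = (0xFF << (8 - subnet_bits)) & 0xFF
    increment = (value & -value) if value else 256   # no subnet bits: the whole octet is host space
    return value, increment


def host_count(prefixlen: int) -> int:
    """Usable hosts in a subnet: 2**n - 2 with n host bits; network and broadcast are excluded."""
    return 2 ** (32 - prefixlen) - 2


def describe(cidr: str) -> dict[str, str | int]:
    """Network ID, first/last host and broadcast address for one CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "mask": str(net.netmask),
        "first_host": str(net.network_address + 1),   # one higher than the subnet ID
        "last_host": str(net.broadcast_address - 1),  # one lower than the broadcast address
        "broadcast": str(net.broadcast_address),
        "hosts": host_count(net.prefixlen),
    }


def split_network(base: str, subnet_count: int) -> list[dict[str, str | int]]:
    """Divide `base` into at least `subnet_count` equal subnets (172.16.0.0/16, 7 -> eight /19 blocks)."""
    net = ipaddress.ip_network(base, strict=True)
    bits = subnet_bits_for(subnet_count)
    return [describe(str(sub)) for sub in net.subnets(prefixlen_diff=bits)]


if __name__ == "__main__":
    print(to_binary("192.168.1.200"))
    print(mask_octet(3))   # three subnet bits: mask octet 224, increment 32
    for row in split_network("172.16.0.0/16", 7):
        print(f"{row['network']}/{row['prefixlen']}  {row['first_host']} - {row['last_host']}"
              f"  broadcast {row['broadcast']}  hosts {row['hosts']}")
    print(describe("172.16.17.0/24"))
    print(describe("172.16.16.0/22"))
```

Running the block prints the eight /19 ranges for the seven-location example, followed by the network ID, host range and broadcast address for each CIDR block passed to describe().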
Static Configuration
• IPv4 address
• Subnet mask
• Default gateway
• DNS server
• Can be very time-consuming, even if the network only has a few users.
• May not be possible if the computers are in another location or are in a secured area.
DHCPv4
With DHCPv4 you can assign automatic IPv4 configurations for many computers without having to assign
each one individually. The DHCP service receives requests for IPv4 configuration from computers that you
configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you
define for each network subnet. The DHCP service identifies the subnet from which the request
originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process. But if you use DHCP to assign IPv4 information and the
service is business critical, you must also do the following:
1. Include resilience into your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
2. Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network and prevent communication.
If you use a laptop to connect to multiple networks, such as at work and at home, each network might
require a different IP configuration. If both networks use DHCP, nothing has to be done; addresses are
assigned automatically in both networks. If you must have a static address in one of the networks,
Windows supports the use of an alternate static IP address.
When you configure Windows operating system computers to obtain an IPv4 address from DHCP, use the
options on the Alternate Configuration tab to control the behavior. Configure the specific IP address,
subnet mask, and other related properties for when the DHCP server is not available.
Note: By default, Windows uses Automatic Private IP Addressing (APIPA) to assign itself an
IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. If the computer
has an address from the APIPA range, it indicates that the computer cannot communicate with a
DHCP server. Be aware that an APIPA address can only be used to communicate with similarly
configured hosts on the local network. APIPA cannot be used with Active Directory® services,
Internet connectivity, other subnets, DNS, or Windows Internet Naming Service (WINS).
In this demonstration, you will see how to configure IPv4 settings manually and automatically.
Demonstration Steps
1. Create a new DHCP scope with the following parameters.
• Length: 16
• Subnet Mask: 255.255.0.0
o IP address: 172.16.0.20
IP Configuration Tools
Windows includes several utilities to help you
verify and define the IP configuration. Some of
these tools have been used for a long time. With
the release of Windows PowerShell 3.0 in
Windows Server 2012, there are now new ways of
doing things that allow for more control and
manipulation of operating systems and their
various components.
• IPConfig
• Ping
• Tracert
• Pathping
IPConfig
IPConfig is the primary client-side DHCP troubleshooting tool. If your computer is experiencing
connectivity problems, you can use IPConfig to determine the computer’s IP address. If the address is in
the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a
DHCP-related problem.
From the client computer, open an elevated Command Prompt, and then use the IPConfig options in the
following table to diagnose the problem.
Option    Description
          indicates the server from which the client is attempting to obtain an address. Also, verify the
          Lease Obtained and Lease Expires values to determine when the client last obtained an
          address.
          Be aware that IPConfig lists the properties per local area network (LAN) adapter or
          virtual adapter. Therefore, you must know which adapter is connected to the network.
/renew    Forces the client computer to renew its DHCP lease. This is useful when you think that the
          DHCP-related issue is resolved, and you want to obtain a new lease without restarting the
          computer.
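A way to read IPConfig output the way the troubleshooting text above describes, flagging adapters that hold an APIPA address and, using the private ranges from the IANA table in Lesson 2, classifying each adapter's address. This is an added example and not course material; the IPConfig lines are constructed to look like real output, and the function and constant names are our own assumptions.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample, shaped like the relevant lines of IPConfig output; not captured from a real host.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 169.254.17.42
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
Ethernet adapter Ethernet 2:
   IPv4 Address. . . . . . . . . . . : 172.16.0.20
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
Ethernet adapter Ethernet 3:
   IPv4 Address. . . . . . . . . . . : 203.0.113.7
Loopback Pseudo-Interface 1:
   IPv4 Address. . . . . . . . . . . : 127.0.0.1
"""

# Private ranges from the IANA table in Lesson 2, plus the APIPA and loopback ranges from this lesson.
PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(address: str) -> str:
    """Return loopback, apipa, private-A/B/C or public for a dotted-decimal IPv4 address."""
    ip = ipaddress.ip_address(address)
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    for label, net in PRIVATE_RANGES.items():
        if ip in net:
            return f"private-{label}"
    return "public"


ADAPTER_RE = re.compile(r"^(\S.*):\s*$")   # an unindented "name:" line starts an adapter section
ADDR_RE = re.compile(r"IPv4 Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ipconfig(text: str) -> dict[str, str]:
    """Map each adapter name to its IPv4 address; adapters without an address line are skipped."""
    addresses: dict[str, str] = {}
    adapter = None
    for line in text.splitlines():
        section = ADAPTER_RE.match(line)
        if section:
            adapter = section.group(1)
            continue
        found = ADDR_RE.search(line)
        if found and adapter:
            addresses[adapter] = found.group(1)
    return addresses


def dhcp_suspects(text: str) -> list[str]:
    """Adapters holding an APIPA address: the host could not reach a DHCP server on that network."""
    return [name for name, addr in parse_ipconfig(text).items() if classify(addr) == "apipa"]


if __name__ == "__main__":
    for name, addr in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{name:32} {addr:16} {classify(addr)}")
    print("DHCP problem suspected on:", dhcp_suspects(SAMPLE_IPCONFIG))
```

The adapter-by-adapter view matters because, as the table notes, IPConfig reports per adapter; an APIPA address on one adapter says nothing about another adapter that obtained a lease normally.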
Ping
Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends and receives ICMP Echo
Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary
TCP/IP command that is used to troubleshoot connectivity to a specific host or router.
Tracert
Tracert determines the path taken to a destination computer by sending ICMP Echo Requests. The path
that is displayed is the list of router interfaces between a source and a destination.
Pathping
Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides
detailed statistics on the individual network steps or hops.
Windows PowerShell
Windows Server 2012 also has Windows PowerShell cmdlets that you can use to manage network
configuration. The functionality in these older tools is now present and expanded upon in Windows
PowerShell. The following table describes some of the available Windows PowerShell cmdlets that can be
used for configuring IPv4. This is just a small subset of the available cmdlets.
Cmdlet          Description
New-NetRoute    Creates routing table entries, including the default gateway (0.0.0.0).
                You cannot change the next hop of an existing route; instead, you
                must remove an existing route and create a new route with the
                correct next hop.
To view general Network Adapter configurations such as the IP address, DNS server, default gateway (but
not subnet mask), type the following in the Windows PowerShell console.
Get-NetIPConfiguration
Get-NetIPAddress
Be aware that Windows PowerShell uses the term PrefixLength instead of the term Subnet Mask, and it is
displayed in number of bits. For example, PrefixLength = ‘8’ is 11111111, and indicates the subnet mask is
255.0.0.0.
A replacement for the ping command is the Test-Connection cmdlet. To run this, type the following:
To locate other cmdlets that can be used to configure the network, type the following:
Help *Net*
You can use the Get-NetRoute cmdlet to browse through the Help files. This is a close equivalent for
tracert and pathping.
More information about Windows PowerShell Network TCP/IP cmdlets can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309110
Demonstration Steps
1. Use IPConfig or Windows PowerShell cmdlets to determine the client’s current IPv4 configuration.
Lesson 3
IPv6 Addressing
IPv6 is an important technology that will help ensure that the Internet can support a growing user base
and the increasingly large number of IP-enabled devices. The current IPv4 has served as the underlying
Internet protocol for almost 30 years. Its robustness, scalability, and limited feature set are now
challenged by the growing need for new IP addresses, due in large part to the rapid growth of new
network-aware devices. IPv6 is slowly becoming more common. Although adoption might be slow, you
should understand how this technology will affect current networks and how to integrate IPv6 into those
networks.
More information about the IPv6 protocol can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkId=154442
Lesson Objectives
After completing this lesson, you will be able to:
• Complex host configuration. Automatic configuration of IPv4 hosts requires you to implement
stateful autoconfiguration, such as a DHCP server or an appropriately configured router.
• No built-in security. IPv4 does not include any method for securing network data. You must
implement IP security (IPsec) and other protocols to help secure data on IPv4 networks. However, this
requires significant configuration and can be complex to implement.
• Limited Quality of Service (QoS). The implementation of QoS in IPv4 relies on the use of TCP and
UDP ports to identify data. This might not be appropriate in all circumstances.
IPv6 Improvements
IPv6 improvements help enable secure communication on the Internet and over corporate networks.
Some IPv6 features include the following:
• Larger address space. IPv6 uses a 128-bit address space. This provides significantly more addresses
than IPv4.
• More efficient routing. IANA provisions global addresses for the Internet to support hierarchical
routing. This reduces how many routes that Internet backbone routers must process and improves
routing efficiency.
• Simpler host configuration. IPv6 supports dynamic client configuration by using DHCPv6. IPv6-
enabled hosts can assign themselves addresses automatically by taking the router’s address into
account. The router’s network part of the address is extended with a host-unique part (static for servers,
random for clients).
• Built-in security. IPv6 includes native IPsec support. This means that all hosts encrypt data in transit.
• Better prioritized delivery support. IPv6 includes a Flow Label in the packet header to provide
prioritized delivery support. This enables communication using a priority level, instead of relying on
application port numbers. It also assigns a priority to the packets in which IPsec encrypts the data.
• Redesigned header. The design of the header for IPv6 packets is more efficient in processing and
extensibility. IPv6 moves nonessential and optional fields to extension headers for more efficient
processing. Extension headers are not larger than the full size of the IPv6 packet. This holds more
information than possible in the 40 bytes that the IPv4 packet header allocates.
IPv6 Syntax
To shorten IPv6 addresses further, you can drop leading zeros and use zero compression. Within each
group of four digits, drop leading zeros and include a single grouping of four zeros as a single zero. By
using zero compression, you can represent one contiguous group of zeros as a set of double colons. You
should ensure that this is done once per address only as shown in the following table, which shows how to
simplify addresses.
Description                                                Example
An IPv6 address that has contiguous groupings of zeros     The address cannot be represented as
and leading zeros dropped                                  2001:0D88::2AA::FE28:9C5A/64
                                                           but can be represented either as
                                                           2001:0D88::2AA:0:FE28:9C5A/64
                                                           or
                                                           2001:0D88:0:0:2AA::FE28:9C5A/64
Each IPv6 address uses a prefix to define the network ID. You use this prefix in place of a subnet mask
similar to using CIDR in IPv4. The prefix is a forward slash (/) followed by the number of bits that the
network ID includes. In the previous examples, the prefix defines 64 bits in the network ID.
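The shortening rules above, including the once-per-address restriction on "::", implemented in Python as an added example (not course code). The helper names split_prefix, expand, compress and is_valid are our own; the output uses lowercase hexadecimal and drops every leading zero, so the course's 0D88 group appears as d88. Both valid spellings of the table's address compress to the same string, and the spelling with two "::" is rejected.

```python
import string


def split_prefix(text: str) -> tuple[str, str]:
    """Separate '2001:db8::/64' into ('2001:db8::', '/64'); the prefix may be absent."""
    if "/" in text:
        addr, plen = text.split("/", 1)
        if not plen.isdigit() or not 0 <= int(plen) <= 128:
            raise ValueError(f"bad prefix length {plen!r}")
        return addr, "/" + plen
    return text, ""


def expand(addr: str) -> list[str]:
    """Full form: eight groups of four hex digits. A second '::' is rejected as ambiguous."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}")
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in string.hexdigits for c in g):
            raise ValueError(f"bad group {g!r}")
    return [f"{int(g, 16):04x}" for g in groups]


def compress(text: str) -> str:
    """Short form: leading zeros dropped in every group, and the longest run of two or more
    all-zero groups (the leftmost run on a tie) written as '::'. The prefix is carried through."""
    addr, prefix = split_prefix(text)
    values = [int(g, 16) for g in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    groups = [f"{v:x}" for v in values]
    if best_len >= 2:
        left = ":".join(groups[:best_start])
        right = ":".join(groups[best_start + best_len:])
        short = f"{left}::{right}"
    else:
        short = ":".join(groups)   # a single zero group is written as 0, never as ::
    return short + prefix


def is_valid(text: str) -> bool:
    """True when the text form follows the rules above (at most one '::', eight groups in total)."""
    try:
        addr, _ = split_prefix(text)
        expand(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("2001:0D88::2AA:0:FE28:9C5A/64", "2001:0D88:0:0:2AA::FE28:9C5A/64",
                   "2001:0D88::2AA::FE28:9C5A/64"):
        print(sample, "->", compress(sample) if is_valid(sample) else "invalid")
```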
Transitioning to IPv6
The migration from IPv4 to IPv6 is expected to take considerable time. This was considered when IPv6
was designed, and the transition plan for IPv6 is a multistep process that allows for extended
coexistence. To achieve the goal of a pure IPv6 environment, consider the following points:
• Applications must be independent of IPv4 and IPv6. Applications must be changed to use new
Windows sockets application programming interfaces (APIs) so that name resolution, socket creation,
and other functions work regardless of whether you are using IPv4 or IPv6.
• DNS must support IPv6 record types. You might have to upgrade the DNS infrastructure to support
the new AAAA (IPv6 host) records (required) and pointer records in the IP6.ARPA reverse domain
(optional). Additionally, ensure that the DNS servers support DNS dynamic updates for AAAA records so
that IPv6 hosts can register their names and IPv6 addresses automatically.
• Hosts must support both IPv6 and IPv4. You must upgrade hosts to use a dual-IP layer or stack. You
must also add DNS resolver support to process DNS query results that contain both IPv4 and IPv6
addresses. Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) to ensure that IPv6/IPv4
hosts can reach one another over the IPv4-only intranet.
• Routing infrastructure must support native IPv6 routing. You must upgrade routers to support native
IPv6 routing and IPv6 routing protocols.
• An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today’s mainly
IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4 routing
infrastructures. This enables IPv6 clients to communicate with one another by using 6to4 addresses or
ISATAP addresses and tunneling IPv6 packets across IPv4 networks.
• You can upgrade IPv6/IPv4 nodes to be IPv6-only nodes. This should be a long-term goal, because it
will take years for all current IPv4-only network devices to be upgraded to IPv6-only. For those IPv4-only
nodes that cannot be upgraded to IPv6/IPv4 or IPv6-only, use translation gateways as
appropriate so that IPv4-only nodes can communicate with IPv6-only nodes.
The first step in auto-configuration generates a link-local address with which the host communicates with
other hosts on the local network. This communication is necessary to perform additional auto-
configuration tasks. The host then performs the following actions in order to configure IPv6:
1. When the host generates the link-local address, the host also performs duplicate address detection to
ensure that it is unique. Note also that, by default, a server uses a link-local address that embeds its
MAC address, so that its address stays the same, whereas a client uses a randomly generated one.
2. An IPv6 host will send up to three router solicitations on each interface to obtain IPv6 configuration
information. The configuration process that IPv6 uses varies, depending on the response it receives
to router solicitations:
• If IPv6 does not receive a router advertisement, it uses DHCPv6 to configure the interface.
• If IPv6 receives a router advertisement with the autonomous flag on, then the client uses stateless
auto-configuration and obtains the network part of the IP address from the router.
• If IPv6 receives a router advertisement with the managed address configuration flag on, then it uses
DHCPv6 to obtain an IPv6 address.
• If IPv6 receives a router advertisement with the managed address configuration flag off and the other
stateful configuration flag on, it obtains additional IPv6 configuration options from DHCPv6.
However, it obtains the IPv6 address by using stateless configuration.
DHCPv6
DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts
automatically with an IPv6 address and other configuration information such as DNS servers. This is the
same as DHCPv4 for IPv4 networks. DHCPv6 also provides additional standalone options, such as the DNS
servers, so while the client may be “autoconfiguring” its own address, the DHCP server is providing
additional configuration.
When a host obtains an IPv6 address from a DHCPv6 server, the following steps occur:
2. The server sends an Advertise message to indicate that it offers IPv6 addresses and configuration
options.
3. The client sends a Request message to a specific DHCPv6 server to request configuration information.
4. The selected server sends a Reply message to the client that contains the address and configuration
settings.
When a client requests configuration information only, the following additional steps occur:
6. A DHCPv6 server sends a Reply message to the client that has the requested configuration settings.
On large networks, you can use DHCPv6 relay agents instead of adding a DHCP server on each subnet.
Lesson 4
Name Resolution
Name resolution is the process of converting computer, device names, services or network nodes to IP
addresses so that when computers want to talk to one another, they can find what they need. It’s much
more intuitive and easier for humans to deal with names instead of a series of numbers like IP Addresses.
In order to make that transition from how humans prefer to operate and think into a format that
computers can easily understand, you need a process of name resolution.
The main purpose is to resolve host names to IP addresses and to provide a hierarchical structure to
enable name resolution across zones, company locations, and even across businesses and within the
Internet. On large networks, you can have DHCPv6 relay agents instead of putting a DHCP server on each
subnet. This is not exclusive to IPv6; it also applies to IPv4 and has similar functionality to bootstrap
protocol (BOOTP).
Over the years, the name resolution processes have evolved and morphed to meet changing realities of
networks. Because of this, there are several different name resolution methods in Windows Server 2012
such as WINS, NetBIOS over TCP/IP name resolution and DNS. DNS is the most important in modern
corporate environments. This will be the main focus of this lesson. The other resolution methods are older
technologies that only apply in limited scenarios. However, you should still understand the concepts and
processes behind all the methods because you will occasionally encounter them, whether in networks,
documentation, or even certification. Name resolution is a critical component of any network.
Lesson Objectives
After completing this lesson, you will be able to:
NetBIOS Names
A NetBIOS name is an older computer naming format. In smaller computer networks such as a home
network or workgroup you can provide a computer name such as Computer01, Computer02, and so on.
As long as the names are unique, the computers can communicate over the network. NetBIOS names
have the following characteristics:
• A single name identifies the computer, such as Computer01. The name does not have a second
identifier associated with it such as Computer01.HomeNetwork. This is a key point to understand.
• NetBIOS names are associated with small home networks or workgroups where traffic is not routed to
other subnets or to the Internet. It’s possible it could also be associated with older servers still present
on modern networks.
• It enables computers to identify one another on small networks where DNS is not available.
• Each NetBIOS name on a network must be unique. Otherwise, you will encounter problems when
trying to communicate between computers.
• There is a 16-character limit allowed for a NetBIOS name. The first 15 characters are used for the
actual computer name and the final sixteenth character is a hexadecimal number to identify a
resource or service on that computer. For example, Server01 [20h].
Host Name
A host name is typically associated with modern corporate networks that communicate across subnets or
to the Internet. If you open a Command Prompt on your computer and type hostname, the computer
name will be returned. For example, LON-DC1, one of the lab virtual machines. In its simplest form, the
host name can look very similar to a NetBIOS name. However, the host name and the name resolution
process it uses is different. Host names have the following characteristics:
• The host name is only the first part of the computer name. The computer name can contain multiple
subnames that enable it to be uniquely identified.
• Host names are typically associated with corporate or larger networks that communicate across
subnets or the Internet.
• The terminology associated with host names is typically used in relation to DNS.
MCT USE ONLY. STUDENT USE PROHIBITED
5-26 Implementing TCP/IP
• The host name can be combined with a domain name to create what is called a fully qualified domain
name (FQDN). An example of an FQDN would be webserver.Adatum.com. The host name,
webserver, is the first part of this FQDN.
• Periods are used as separators between the name and identifiers. Applications use this structured
FQDN on the Internet.
• A host name cannot have more than 255 characters. This is longer than a NetBIOS name.
In Windows operating systems, applications can request network services through Windows Sockets,
Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or
Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS
name.
LLMNR is not intended as a direct replacement for NetBIOS name resolution. In Windows Server 2012,
LLMNR queries and NetBIOS queries are sent in parallel to improve performance. Also, LLMNR only works
with Windows Vista, Windows 8, Windows Server 2008, and Windows Server 2012 operating systems. So
where older operating systems exist, LLMNR is not a name resolution solution.
LLMNR does issue queries for IPv4 addresses but only returns values for IPv6. It is also compatible with
IPv6, whereas NetBIOS is not. So as IPv6 becomes more prominent, LLMNR could conceivably become the
single non-DNS name resolution method.
One other point to emphasize again: LLMNR is not routable. For example, it cannot resolve computer
names beyond the local subnet.
Broadcasts
Name resolution through broadcasting involves the requesting computer sending out a query to all
computers in a subnet for an owner of a computer name to respond with its IP address. This is broadcast
communication and cannot be passed across subnets. Broadcasting is not very efficient and adds to
network traffic. This can affect network performance.
LMHosts
LMHosts is an actual file list of computer NetBIOS names mapped to IP addresses. It is a static list, which
means that it has to be manually created and maintained. It is stored on the local computer in the
directory %SystemRoot%\System32\Drivers\Etc. If LMHosts is enabled, it applies to all connections for
which TCP/IP is enabled. Because LMHosts requires manual configuration it has only limited applications.
For example, a remote employee who does not have another alternative name resolution process. An
example of an entry in the LMHosts files would be as follows.
102.54.94.117 localsrv
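As an added example (not part of the course material), here is a small parser for entries like the one above that also builds the 16-character NetBIOS name described earlier: 15 characters of computer name, space-padded and upper-cased, plus the service suffix byte such as [20h]. The sample file content and the ADATUM entries are constructed; only the localsrv line comes from the text.

```python
import re
from typing import Dict, Optional, Tuple

NETBIOS_NAME_CHARS = 15        # characters available for the computer name itself
SUFFIX_WORKSTATION = 0x00      # <00>: workstation service
SUFFIX_FILE_SERVER = 0x20      # <20>: file server service, the [20h] from the text

# Constructed LMHosts content. Only the localsrv line comes from the course text; the
# ADATUM names are invented to match the lab naming. '#PRE' marks entries the client
# preloads into its NetBIOS name cache; other keywords (such as #DOM) are ignored here.
SAMPLE_LMHOSTS = """\
# LMHosts: <IPv4 address> <NetBIOS name> [#PRE] [#DOM:<domain>]
102.54.94.117   localsrv
172.16.0.10     LON-DC1     #PRE #DOM:ADATUM
172.16.0.21     lon-svr1    #PRE
# 10.0.0.99     hidden
"""


def encode_netbios_name(name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """Build the 16-byte NetBIOS name: upper-cased, space-padded to 15, plus the service suffix byte."""
    if not 1 <= len(name) <= NETBIOS_NAME_CHARS:
        raise ValueError(f"NetBIOS name must be 1 to {NETBIOS_NAME_CHARS} characters: {name!r}")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.upper().ljust(NETBIOS_NAME_CHARS).encode("ascii") + bytes([suffix])


def format_netbios_name(raw: bytes) -> str:
    """Show a 16-byte name the way nbtstat -c lists it, e.g. 'SERVER01 <20>'."""
    if len(raw) != NETBIOS_NAME_CHARS + 1:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    return f"{raw[:NETBIOS_NAME_CHARS].decode('ascii').rstrip()} <{raw[NETBIOS_NAME_CHARS]:02X}>"


_ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*(.*)$")


def parse_lmhosts(text: str) -> Dict[bytes, Tuple[str, bool]]:
    """Map each encoded name (both the <00> and <20> forms) to (IPv4 address, preloaded?)."""
    table: Dict[bytes, Tuple[str, bool]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or a comment line
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"LMHosts line {lineno} is not '<ip> <name>': {line!r}")
        ip, name, keywords = m.groups()
        if any(int(octet) > 255 for octet in ip.split(".")):
            raise ValueError(f"LMHosts line {lineno}: bad IPv4 address {ip}")
        preload = "#PRE" in keywords.upper()
        # one mapping answers for both the workstation <00> and the server <20> name
        for suffix in (SUFFIX_WORKSTATION, SUFFIX_FILE_SERVER):
            table[encode_netbios_name(name, suffix)] = (ip, preload)
    return table


def lookup(table: Dict[bytes, Tuple[str, bool]], name: str,
           suffix: int = SUFFIX_WORKSTATION) -> Optional[str]:
    """Resolve a name the way a client consults LMHosts: case-insensitive exact match on the 16-byte name."""
    try:
        entry = table.get(encode_netbios_name(name, suffix))
    except ValueError:
        return None        # a name longer than 15 characters can never match a NetBIOS entry
    return entry[0] if entry else None
```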
WINS
WINS requires a WINS server database that has the computer names and associated IP addresses
mappings. Using a database to resolve NetBIOS names enables computers to look up the IP address of a
computer’s NetBIOS name directly. They do not have to broadcast, multicast, or refer to files that have to
be manually configured and maintained. When WINS is enabled, it applies to all connections for which
TCP/IP is enabled.
WINS is built on a protocol that registers, resolves, and releases NetBIOS names by using unicast
communication. For example, when DHCP dynamically assigns new IPv4 addresses to a computer that
moves to another subnet, the moving computer automatically registers the new address in the WINS
server database.
The main advantage of WINS over other NetBIOS name resolution methods is that it is dynamic and
routable. This enables computers to obtain the IP addresses of nodes that are not on its subnet.
One final method that can also be used is the computer’s local cache. As computers resolve NetBIOS
names to IP addresses, they store those mappings in a local cache. This means the computer doesn’t have
to look elsewhere for a mapping. Entries in the cache that have not come from the LMHosts file have a
limited lifetime, about 10 minutes. After that time, the cache entries are removed. At a Command Prompt,
type Nbtstat.exe –c to view a computer’s local NetBIOS cache. Nbtstat.exe has other capabilities
including purging the cache and listing the current NetBIOS sessions.
How the broadcast and WINS methods are used to resolve NetBIOS names on a computer is defined by
what is called a NetBIOS node type that is specified on the computer. This node type setting doesn’t affect
the computer using the local cache or referring to the LMHosts file; it just affects how broadcast and
WINS operate. These node types can be broken down as follows:
• b-node. This uses broadcasts to resolve NetBIOS names to IP addresses. It is not routable and
increases the network traffic.
• m-node. This is a mixed approach and uses broadcasts first and then, if that is unsuccessful, uses a
point-to-point approach and queries a WINS server.
• h-node. This is also a mixed approach but the reverse to the m-node—that is, it directly queries a
WINS server first and then uses broadcasts.
The node type on a computer can be configured in the registry or when clients are dynamically
configured by DHCP. In most cases, the default node type is not altered. By default, Windows Server 2012
and Windows 8 clients, in addition to earlier versions, are h-node (or hybrid). At the Command Prompt
type ipconfig /all to view the Node Type field value.
When a WINS server is configured on the computer and the node type has not been changed, the
NetBIOS name resolution process is as follows:
1. Windows checks the local NetBIOS name cache.
3. Windows broadcasts as many as three NetBIOS Name Query Request messages on the directly
attached subnet.
5. Windows checks whether the NetBIOS name is the same as the local host name.
6. Windows then tries DNS Resolver Cache.
You can also specify when the LMHosts file is used—that is, if a WINS query fails, the WINS server can
then query the LMHosts file before broadcasting. If all attempts fail, the name resolution process then
attempts to try DNS resolution if it is present. That process is described in more detail in the next topic.
The name resolution process stops when the first IPv4 address is found for the name.
If you ping another computer on a local network and the returned data is in IPv4 format and doesn’t
have an FQDN, this indicates that the computer name was resolved by using NetBIOS name resolution. It
can’t have been LLMNR because that appears in the IPv6 format, and DNS always returns an FQDN when
it resolves a computer name. If you have DNS configured and enabled on the network, this indicates a
problem with DNS.
Before you learn how DNS works, you first have to understand some core concepts.
DNS Naming Structure
The naming structure used in DNS is called the DNS namespace. It is hierarchical, which means that it starts
with a “root” domain. That root domain can itself have any number of subdomains underneath it. Each
subdomain can in turn have any number of subdomains underneath it.
The domain names themselves can be either public (Internet-Facing) or private. If they are private, you
can decide on your own how to define your namespace. If they are public, you have to work with the
Internet Corporation for Assigned Names and Numbers (ICANN) or other Internet naming registration
authorities who can delegate, or sell, unique names to you. From these names, you can create subnames.
At the very root, DNS has a unique namespace, indicated by an empty string space “ “. Preceding this is a
single dot ‘.’. Below this, in the public namespace, is one of several other top-level domain namespaces.
There are three kinds of top-level domains in the public namespace:
• Organizational. This domain is based on the function of an organization. For example, .com, .net,
.org, and .edu. There are more than 20 variations, and these are distributed and managed by ICANN.
• Geographical. These are designated per country/region. For example, .uk for United Kingdom (co.uk
is the .com equivalent for UK-based businesses), .it for Italy, .de for Germany, and .jp for Japan. There
are more than 200 of these registered. Typically, each country/region has its own domain registration
service.
• Reverse domains. These are special domains used in resolving addresses to names—that is, a reverse
lookup—such as in-addr.arpa and ip6.arpa.
Typically, underneath these top-level domains, there are sub-domains. For example, microsoft.com,
university.edu, or government.gov. These sub-domains can also have subdomains, such as
unitedstates.microsoft.com or physicsdept.university.edu. Every computer and network node can be
identified by its FQDN. For example, Computer01.unitedstates.microsoft.com.
More information about TLDs and IP addresses can be found at the following website.
http://www.icann.org
Different from the NetBIOS naming convention is the use of multiple identities associated with each
network node. This lets you define the node’s location in relation to the root of the DNS namespace.
Reference Links: In everyday usage, the trailing dot (.) at the end of the FQDN separating
the empty string root “ “ is usually not included in the name. For example, web browsers would
use “university.edu” and not “university.edu.” However, the DNS client service adds the dot ‘.’ back
in when it is querying.
Some of the main infrastructure components that span a DNS infrastructure, or that are used to
build one, are as follows:
• DNS server. Contains a database of host names and IP addresses. It responds to client requests and
provides required mapping information. It can cache information for other domains. Where it does
not have the needed mapping information, it can forward DNS client requests to another DNS server.
• DNS zones. A DNS infrastructure is broken up into zones, each of which is allocated to a DNS server that
owns it, or is potentially authoritative for it, and processes requests for that particular zone. For
example, one DNS server might be responsible for the paris.europe.microsoft.com DNS zone and
another DNS server might be responsible for the berlin.europe.microsoft.com DNS zone. It’s possible to
have variations on the number of servers per zone and across multiple zones and also different authority
levels. You can also have different kinds of zones. For example:
o Reverse lookup zones. Resolve IP addresses to host names—that is, the opposite to what
happens in forward lookup zones. An organization typically controls the reverse lookup zones for
their internal network. However, some mappings for external IP addresses obtained from an ISP
might be managed by the ISP.
It is important to understand that the zone is the level of naming delegation. If a DNS server holds a zone,
either authoritative or not, it will not query other servers about names in that zone. The DNS server
considers its information up-to-date and valid (unless a sub-namespace was delegated). Administrative
delegation (who is in charge of doing what with that namespace) is also important. It is also the scope for
replication. In other words, a server cannot contain a part of the zone—either it holds a copy or not.
• DNS Forwarders/Delegations
o DNS Forwarders are queries that the DNS server sends upstream when it cannot resolve a request
locally. A DNS server only forwards a query when it has not been able to resolve it with its own
authoritative data or from its own cache.
o DNS delegation is when a DNS server delegates management of part of its namespace to another
DNS server.
How DNS servers forward, delegate, and replicate the name resolution databases can have a significant
effect on query response times. This is something that should be carefully considered before deployment.
• DNS resolver. Provides the service to query for host-to-IP address mappings. The DNS client service
in the Windows client operating system, Windows 8 for example, provides this functionality and also
facilitates the caching of resolved mappings in a local client cache for future use, called the DNS
resolver cache.
Windows operating system computers also contain a Hosts file. This is a file that is stored locally in the
%SystemRoot%\System32\Drivers\Etc directory. The file contains mappings for host names to IP
addresses. It can be edited manually and the DNS resolver cache can parse it to add its mapped entries to
the local DNS resolver cache when the DNS client service is started. Its structure resembles what was
shown earlier for an LMHosts file entry.
• Resource records. These are the actual entries in the DNS database used to answer queries. Each
entry contains several items, including Name, Record Type, and Record Data. Defining specific record
types allows entries to be classified and provides for faster query responses. Some typical record types
would be as follows:
o A. Used for resolving host names into IPv4 addresses
o CNAME. Used to resolve one name (alias) into another, fully qualified name, such as www into
webserver1.microsoft.com
o SRV. Used to find servers providing specific services, such as domain controllers
o PTR. Used in reverse lookup zones for resolving IP addresses into fully qualified host names
Note: Details about resource record definitions are also available at the IANA website.
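An added example, not taken from the course, that works through the naming rules above: it puts the root dot back on a name the way the DNS client does, enforces the 255-character limit, lists the zone chain of an FQDN up to the root, and derives the owner names queried for PTR records under in-addr.arpa and ip6.arpa. The 63-character per-label limit comes from the DNS specification rather than this page, and the sample addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

MAX_FQDN_LEN = 255      # the host name limit given in the text
MAX_LABEL_LEN = 63      # per-label limit from the DNS specification (assumption, not on the page)


def normalize_fqdn(name: str) -> str:
    """Validate a name and return it in absolute form: lower-cased, with the trailing root dot."""
    if name in ("", "."):
        return "."
    absolute = name if name.endswith(".") else name + "."   # the DNS client puts the root dot back
    if len(absolute) > MAX_FQDN_LEN:
        raise ValueError(f"name longer than {MAX_FQDN_LEN} characters")
    for label in absolute[:-1].split("."):
        if not label:
            raise ValueError(f"empty label in {name!r}")
        if len(label) > MAX_LABEL_LEN:
            raise ValueError(f"label {label!r} longer than {MAX_LABEL_LEN} characters")
    return absolute.lower()


def split_host(name: str) -> Tuple[str, str]:
    """Return (host name, domain), e.g. ('webserver', 'adatum.com.'); a bare host name has domain '.'."""
    fqdn = normalize_fqdn(name)
    if fqdn == ".":
        raise ValueError("the root has no host name")
    host, _, domain = fqdn.partition(".")
    return host, domain or "."


def ancestors(name: str) -> List[str]:
    """The chain of names from the FQDN up to the root, one entry per level of the hierarchy."""
    fqdn = normalize_fqdn(name)
    labels = fqdn[:-1].split(".") if fqdn != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def reverse_name(ip: str) -> str:
    """Owner name queried for a PTR record: octets reversed under in-addr.arpa, nibbles under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")     # 32 hex digits with leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(cidr: str) -> str:
    """Name of the reverse lookup zone an organization would host for one of its networks."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("only octet-aligned IPv4 prefixes map to a single in-addr.arpa zone here")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```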
2. If the local DNS server does not have the information, it queries a root DNS server in the organization
for the location of the .com DNS servers.
3. The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.
4. The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.
5. The local DNS server returns the IP address of www.microsoft.com to the workstation.
The name resolution process can be changed in several ways, but two common options that are used are
as follows:
• Caching. After a local DNS server resolves a DNS name, it will cache the results for approximately 24
hours. Later resolution requests for the DNS name are given the cached information.
• Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead
of querying root servers. For example, requests for all Internet names can be forwarded to a DNS
server at an ISP, who performs the rest of the resolving chain on behalf of the requesting DNS server
and returns the answer. This is good because the local DNS server does not have to be able to
communicate with every DNS server on the Internet.
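The delegation walk in steps 2 to 5, together with the caching and forwarding options above, as an added simulation that is not the course’s code: a local server follows referrals from a constructed root server through .com to microsoft.com, caches positive answers until their TTL expires, and can instead hand the whole query to a forwarder. The server names, the 192.0.2.10 address and every record below are constructed.

```python
import time
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data modelling the walk in the text (root -> .com -> microsoft.com).
# Each hypothetical server holds one zone whose records are (type, rdata, ttl-in-seconds).
AUTHORITATIVE: Dict[str, dict] = {
    "root-server":   {"zone": ".",
                      "records": {"com.": [("NS", "com-server", 172800)]}},
    "com-server":    {"zone": "com.",
                      "records": {"microsoft.com.": [("NS", "ns1.microsoft", 172800)]}},
    "ns1.microsoft": {"zone": "microsoft.com.",
                      "records": {"www.microsoft.com.": [("A", "192.0.2.10", 3600)]}},
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_query(server: str, qname: str, qtype: str) -> Tuple[str, list]:
    """One authoritative server's reply: ANSWER (rdata, ttl pairs), REFERRAL (child NS names), NXDOMAIN or REFUSED."""
    info = AUTHORITATIVE[server]
    if not in_zone(qname, info["zone"]):
        return "REFUSED", []
    # A delegation applies when the query falls under an NS owner below the zone apex.
    delegations = [owner for owner, rrs in info["records"].items()
                   if owner != info["zone"] and in_zone(qname, owner)
                   and any(t == "NS" for t, _, _ in rrs)]
    if delegations:
        child = max(delegations, key=len)            # longest match = most specific delegation
        return "REFERRAL", [r for t, r, _ in info["records"][child] if t == "NS"]
    answers = [(r, ttl) for t, r, ttl in info["records"].get(qname, []) if t == qtype]
    return ("ANSWER", answers) if answers else ("NXDOMAIN", [])


class LocalDnsServer:
    """A caching DNS server that either walks the delegation chain from the root or forwards."""

    def __init__(self, forwarder: Optional["LocalDnsServer"] = None,
                 root: str = "root-server", clock=time.time):
        self.forwarder, self.root, self.clock = forwarder, root, clock
        self.cache: Dict[Tuple[str, str], Tuple[List[str], float]] = {}

    def resolve(self, name: str, qtype: str = "A") -> Tuple[List[str], List[str]]:
        """Return (answers, trace); the trace lists servers contacted, or 'cache' on a hit."""
        qname = name.lower().rstrip(".") + "."          # absolute, case-folded query name
        answers, _, trace = self._resolve(qname, qtype)
        return answers, trace

    def _resolve(self, qname: str, qtype: str) -> Tuple[List[str], float, List[str]]:
        key, now = (qname, qtype), self.clock()
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now, ["cache"]     # serve from cache with the remaining TTL
        if self.forwarder is not None:
            # The forwarder (e.g. at an ISP) performs the rest of the resolving chain for us.
            answers, ttl, inner = self.forwarder._resolve(qname, qtype)
            trace = ["forwarder"] + inner
        else:
            answers, ttl, trace = self._walk(qname, qtype)
        if answers:                                      # only positive answers are cached here
            self.cache[key] = (answers, now + ttl)
        return answers, ttl, trace

    def _walk(self, qname: str, qtype: str) -> Tuple[List[str], float, List[str]]:
        """Iterate from the root, following each referral to the delegated child zone's server."""
        server, trace = self.root, []
        for _ in range(8):                               # bound the number of referrals followed
            trace.append(server)
            status, data = authoritative_query(server, qname, qtype)
            if status == "ANSWER":
                return [r for r, _ in data], min(ttl for _, ttl in data), trace
            if status != "REFERRAL":
                return [], 0.0, trace                    # NXDOMAIN or REFUSED ends the walk
            server = data[0]                             # constructed data has one NS per delegation
        raise RuntimeError("referral chain too long")
```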
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache. The DNS resolver cache is a local cache that contains any DNS
addresses that were recently requested.
3. Sending a DNS request to its configured DNS servers and this server attempting to resolve that
request, either on its own or by forwarding that request to other DNS servers.
4. Using the LLMNR resolution method to resolve the host name in the local subnet using IPv6, if it is
enabled.
5. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
6. Contacting the host’s configured WINS servers.
7. Broadcasting as many as three NetBIOS Name Query Request messages on the subnet that is directly
attached.
Note: You can control the precise order used to resolve names. For example, if you disable
NetBIOS over TCP/IP, the NetBIOS name resolution methods are not tried. Or, you can change
the NetBIOS node type. This causes a change in the order in which the NetBIOS name resolution
methods are tried.
It is designed specifically for static names, and therefore, in a corporate environment for centrally
managed servers (such as web or file servers) that are assigned static IP addresses. It is not for use with IP
addresses that are dynamically registered or for use as part of a peer-to-peer name resolution process.
Instead of using the GNZ, you could choose to configure DNS and WINS integration. You do this by
configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service,
DNS, and still be able to resolve NetBIOS-compliant names.
Note: A short name does not mean NetBIOS. Although a short name can be a compliant
NetBIOS name, the use of short names or non-FQDN does not mean the network requires
NetBIOS for them to function on a network. It can be common for the use of short names and
NetBIOS to be misunderstood.
GNZ is intended to help in the migration from WINS. Companies that want to eliminate WINS should
consider the following approach:
4. Names that are still required to be available should be created as global names via short names in a
GNZ.
5. Remove WINS if possible. If there are certain records that still have to be resolved as short names
across DNS zones/domains, enter them in a GNZ.
6. Determine how to configure applications correctly to remove unnecessary records in the GNZ.
First, there are the existing command-line tools such as ipconfig.exe, nslookup.exe, and nbtstat.exe, all
outlined earlier in the module. These are present on older Windows operating systems up to and including
Windows Server 2012 and Windows 8.
Second, in Windows Server 2012 and Windows 8, with the improvements made to Windows PowerShell,
the Windows PowerShell cmdlets are also an option to both troubleshoot and configure addressing and
name resolution issues. This section provides examples of both.
When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. Make sure that you clear the DNS resolver
cache between resolution attempts. If you cannot connect to a remote host and suspect a name
resolution problem, try the following steps:
1. Open an elevated Command Prompt, and then clear the DNS resolver cache by typing the following
command.
ipconfig /flushdns
Clear-DNSClientCache
2. Try to ping the remote host by its IP address, or use the Test-Connection Windows PowerShell
cmdlet. This helps identify whether the issue is related to name resolution. If the ping succeeds with
the IP address but fails by its host name, then the problem is related to name resolution.
3. Try to ping the remote host by its host name. For accuracy, use the FQDN with a trailing period. For
example, at the Command Prompt type the following:
ping lon-dc1.adatum.com
Test-Connection LON-DC1.Adatum.com
4. If the ping is successful, then the problem is probably not related to name resolution. If the ping is
unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry
to the end of the file. For example, add the following line and save the file.
172.16.0.10 lon-dc1.adatum.com
Or, you could also use the Test-Connection Windows PowerShell command.
5. Now perform the ping or Test-Connection by host name test again. Name resolution should now be
successful. Verify that the name resolved correctly by examining the DNS resolver cache. For example,
at the Command Prompt type the following:
ipconfig /displaydns
Get-DNSClientCache
6. Remove the entry that you added to the hosts file, and then clear the resolver cache again.
7. At the Command Prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution.
The output from the two commands is very different but both will give you options for troubleshooting
your particular problem. For example, if you examine the Help file for Resolve-DNSClientName, you will
find that you can specify specific name resolution methods that you want to try, LLMNR, NetBIOS, DNS,
and specific record types such as A or AAAA. This gives you a more targeted approach in your
troubleshooting, whereas the nslookup command performs a series of queries that you then interpret in
your troubleshooting approach.
You should understand how to interpret the output from both so that you can identify whether the name
resolution problem is with the client computer’s configuration, the name server, or the configuration of
records within the name server zone database.
Demonstration Steps
1. Stop the DNS service.
You are tasked with assigning several client computers appropriate IP configurations, but first you must
choose a suitable IP addressing scheme for the new branches.
Objectives
After completing this lab, you will be able to:
• Configure IPv4.
Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1, 10967A-LON-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: ADATUM
Supporting Documentation
Charlotte,
I have attached the network diagram for the first three branches. There are around 100 hosts at each
branch, all require an IPv4 address. Don’t forget those wide area network links; we’ll need a network
address for each of them, too.
We’ll be putting a DHCP server at each branch to allocate IP addresses to the local hosts, so each
computer must be configured to obtain an IP address dynamically.
Regards,
Ed
Requirements Overview
To design an IPv4 addressing scheme for the A. Datum Corporation R & D branch offices.
Additional Information
• One router connects the three branches back to the head office.
• There are three wide area network (WAN) links.
Proposal
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will
implement in the branches; do not worry about the WAN links.
Results: After this exercise, you should have completed both the A. Datum Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.
3. Use the New Scope Wizard to create a new IPv4 address scope with the following parameters. Use the
default settings for all the other values.
o Length: 16
3. At the Command Prompt, type the following command, and then press Enter.
ipconfig /all
5. Is DHCP enabled?
Results: After this exercise, you should have created a DHCP scope and allocated a client address.
3. Verify that there is now an error shown in the DHCP Management console, stating Cannot find the
DHCP Server.
4. This might take several minutes while the client computer tries to contact a DHCP server.
Results: After this exercise, you should have successfully verified the functionality of the DHCP server in
the head office.
4. Verify a record
3. What is the current IP address of the LON-CL1 Host (A) record in the Adatum.com forward lookup
zone?
• IP address: 172.16.0.16
• Subnet mask: 255.255.0.0
• Default gateway: 172.16.0.1
3. Switch to LON-DC1.
5. What is the current IP address listed against the LON-CL1 Host (A) record?
2. Find a switch to use with the IPConfig command line tool to display DNS information.
4. Switch to 10967A-LON-SVR1 and find a Windows PowerShell cmdlet to display DNS information.
5. Use the Windows PowerShell cmdlet Test-Connection to test the connection to www.adatum.com.
9. Switch to 10967A-LON-DC1.
Note: Depending on your Client cache you may or may not be successful at this point. If you are
not successful continue with the next step, Step 3. If you are successful you can skip ahead to Step 7.
9. Switch to 10967A-LON-SVR1.
10. Identify a Windows PowerShell cmdlet that will clear the DNS cache and use that cmdlet to clear the
client DNS cache.
Results: After this exercise, you should have successfully verified DNS is functioning correctly and also
added a new DNS CNAME record type for www.Adatum.com.
5. Find a Windows PowerShell cmdlet that you can use to identify the IPv6 address and determine the
IPv6 Address.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
Results: After this exercise, you should have determined that the local host has only a link-local IPv6
address.
Question: In the lab, you were tasked with providing an addressing scheme that would
accommodate 100 hosts per subnet. Ed provided the first subnet ID of 172.16.16.0/20. How
many hosts could be accommodated within this subnet?
Question: The subnet might grow. If you had to accommodate 100 addresses, what would
you recommend as the subnet mask?
Question: Which transport layer protocol provides for connectionless oriented delivery in IP-
based networks?
Question: Your host computer was assigned the following IPv4 configuration: 10.10.16.1/20.
The default gateway is 10.10.8.1. You are experiencing communications problems. Why?
Question: You do not want to implement WINS in the network. However, you do have some
legacy applications that require Short name resolution. How could you manage short names
within your existing DNS infrastructure?
Question: You are troubleshooting DNS name resolution from a client computer. What must
you remember to do before each test?
Tools
Tool | Use | Where to find it
Test-Connection | Functionality similar to ping. You can ping multiple computers concurrently by using Test-Connection. | Windows PowerShell
Resolve DNS-Cache | Type help *DNS* in the Windows PowerShell console to see a list of Windows PowerShell commands that might help when troubleshooting or configuring DNS. | Windows PowerShell
Module6
Windows Server Roles
Contents:
Module Overview 6-1
Module Overview
Servers perform many functions. In the past, these functions were combined into a monolithic operating
system. Each server was loaded with all the necessary software to perform all server functions regardless of
the actual functions that it performed. Starting with Windows Server® 2008, the operating system server
functions are separated into distinct server roles. By default, a server has no enabled roles. It is more
efficient to select which particular server roles that you want based on the functional requirements of the
server. You must understand the functional requirements of a server and select and deploy appropriate
server roles to support these functional requirements.
Objectives
After completing this module, you will be able to:
Lesson 1
Role-Based Deployment
This lesson will help you understand server roles and features so that you can install and support the
Windows Server components your organization needs.
Lesson Objectives
After completing this lesson, you will be able to:
Role | Function
Active Directory Certificate Services (AD CS) | Allows you to deploy certification authorities and related role services.
Active Directory Domain Services (AD DS) | A centralized store of information about network objects, such as user and computer accounts. Used for authentication and authorization.
Active Directory Federation Services (AD FS) | Provides web single sign-on (SSO) and secured identity federation support.
Active Directory Rights Management Services (AD RMS) | Allows you to apply rights management policies to prevent unauthorized access to sensitive documents.
Fax Server | Supports sending and receiving of faxes. Also allows you to manage fax resources on the network.
File and Storage Services | Supports the management of shared folder storage, distributed file system (DFS), and network storage.
Hyper-V® | Enables you to host virtual machines on computers that are running Windows Server 2012.
Network Policy and Access Services | Authorization infrastructure for remote connections. This includes Health Registration Authority (HRA) for Network Access Protection (NAP).
Print and Document Services | Supports centralized management of document tasks, including network scanners and networked printers.
Remote Access | Supports Seamless Connectivity, Always On, and Always Managed features based on the Windows® 7 DirectAccess feature. Also supports remote access through virtual private network (VPN) and dial-up connections.
Volume Activation Services | Allows you to automate and simplify the management of volume license keys and volume key activation. Allows you to manage a Key Management Server (KMS) host or configure AD DS–based activation for computers that are members of the domain.
Web Server (IIS) | The Windows Server 2012 web server component.
Windows Deployment Services | Allows you to deploy server operating systems to clients over the network.
Windows Server Update Services (WSUS) | Provides a method of deploying updates for Microsoft products to network computers.
When you deploy a role, Windows Server 2012 automatically configures aspects of the server’s
configuration, such as firewall settings, to support the role. Also, when you deploy a role, Windows Server
2012 automatically deploys role dependencies at the same time. For example, when you install the
Windows Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components
that are required to support the WSUS role.
Many server roles also have role services. Role services are software programs that provide various
functionalities of a role. When you install a role, you can select which role services the role provides for
other users and computers in your enterprise. Some roles, such as Domain Name System (DNS) Server,
have only a single function, and have no role services. Other roles, such as Web Server (IIS), have several
role services, such as File Transfer Protocol (FTP), that can be installed.
Role services let you control which role functionality is installed and enabled. This is useful where you only
require a subset of the functionality of a given server role.
Windows PowerShell® can also be sued to add and remove roles. The following table lists some
commands that might be useful.
Get-WindowsFeature | Where InstallState -eq Available
    Displays the roles that are not installed but are available to install.
Get-WindowsFeature | Where InstallState -eq Removed
    Displays the roles that are not available, for example, roles that cannot be installed on Server Core.
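The following script is an added example and is not part of the courseware. It builds on the Get-WindowsFeature commands in the table: it groups every role and feature by InstallState, shows which role services sit under each installed role, and keeps a baseline of installed feature names so that a later run reports anything added or removed since the baseline was taken. The ServerManager module and the Feature object properties (InstallState, FeatureType, SubFeatures) are the ones Windows Server 2012 ships; the baseline file path is an assumption.

```powershell
# Added example, not from the courseware: inventory roles and features by
# InstallState, list role services per installed role, and diff against a
# saved baseline. Requires the Windows Server 2012 ServerManager module.
Import-Module ServerManager

$baselinePath = 'C:\Baseline\features-baseline.xml'   # assumed location
$all = Get-WindowsFeature

# How many items are Installed, Available (payload present, not installed)
# or Removed (payload deleted; Install-WindowsFeature then needs -Source).
$all | Group-Object -Property InstallState |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Installed roles and their role services. SubFeatures holds the names of a
# feature's children, so compare that list against the installed set.
$installedNames = $all | Where-Object { $_.Installed } | Select-Object -ExpandProperty Name
$all | Where-Object { $_.FeatureType -eq 'Role' -and $_.Installed } | ForEach-Object {
    $active  = $_.SubFeatures | Where-Object { $installedNames -contains $_ }
    $dormant = $_.SubFeatures | Where-Object { $installedNames -notcontains $_ }
    [PSCustomObject]@{
        Role              = $_.DisplayName
        InstalledServices = ($active  -join ', ')
        AvailableServices = ($dormant -join ', ')
    }
} | Format-List

# Baseline: the first run records the installed names; later runs diff against
# it so that unexpected roles (new listening services, new attack surface)
# stand out during a review.
if (Test-Path $baselinePath) {
    $baseline = Import-Clixml -Path $baselinePath
    Compare-Object -ReferenceObject $baseline -DifferenceObject $installedNames |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8} {1}' -f $change, $_.InputObject
        }
} else {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $installedNames | Export-Clixml -Path $baselinePath
    "Baseline written to $baselinePath"
}
```

Run it once after the server is provisioned to write the baseline, then again as part of periodic checks; a role that appears as ADDED without a matching change record is worth investigating.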
More information about Windows Server 2012 server roles and technologies can be found at
the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309111
Windows Server 2012 features are independent components that frequently support role services or
support the server directly. For example, Windows Server Backup is a feature because it only provides
backup support for the local server. It is not a resource that other servers on the network can use.
Windows Server 2012 includes the features that are listed in the following table.
Feature: Description
.NET Framework 4.5 Features: Installs .NET Framework 4.5 technologies. By default, this feature is installed.
Background Intelligent Transfer Service (BITS): Enables asynchronous transfer of files to make sure that other network applications are not adversely affected.
BitLocker® Drive Encryption: Supports full-disk and full-volume encryption, and startup environment protection.
BitLocker network unlock: Provides a network-based key protector that can unlock locked BitLocker-protected domain-joined operating systems.
Windows BranchCache®: Enables the server to function as either a hosted cache server or a BranchCache content server for BranchCache clients.
Client for NFS: Provides access to files that are stored on network file system (NFS) servers.
Data Center Bridging: Allows you to enforce bandwidth allocation on Converged Network Adapters.
Failover Clustering: A high availability feature that enables Windows Server 2012 to participate in failover clustering.
Group Policy Management: An administrative management tool for administering Group Policy across an enterprise.
Ink and Handwriting Services: Allows use of Ink Support and Handwriting Recognition.
Internet SCSI (iSCSI) Target Storage Provider: Provides iSCSI target and disk management services to Windows Server 2012.
Internet Storage Name Service (iSNS) Server service: Supports discovery services of iSCSI storage area networks (SANs).
Line Printer Remote (LPR) Port Monitor: Enables a computer to send print jobs to printers that are shared using the Line Printer Daemon (LPD) service.
Management Open Data Protocol (OData) IIS Extension: Allows you to expose Windows PowerShell cmdlets through an OData-based web service running on the Internet Information Services (IIS) platform.
Network Load Balancing (NLB): ... multiple servers that host the same stateless application.
Peer Name Resolution Protocol (PNRP): Name resolution protocol that allows applications to resolve names on the computer.
Quality Windows Audio Video Experience: Supports audio and video streaming applications on IP home networks.
Remote Access Server (RAS) Connection Manager Administration Kit: Allows you to create connection manager profiles that simplify remote access configuration deployment to client computers.
Remote Differential Compression (RDC): Transfers the differences between files over a network, minimizing bandwidth use.
Remote Server Administration Tools: Collection of consoles and tools for remotely managing roles and features on other servers.
Remote Procedure Call (RPC) over HTTP Proxy: Relays RPC traffic over Hypertext Transfer Protocol (HTTP) as an alternative to VPN connections.
Simple TCP/IP Services: Supports basic TCP/IP services, including Quote of the Day.
Simple Network Management Protocol (SNMP) Service: Includes SNMP agents that are used with the network management services.
Subsystem for UNIX-based Applications: Supports Portable Operating System Interface for UNIX (POSIX)–compliant UNIX-based applications.
Telnet Client: Allows outgoing connections to Telnet servers and other Transmission Control Protocol (TCP)–based services.
Telnet Server: Allows clients to connect to the server by using the Telnet protocol.
User Interfaces and Infrastructure: Contains the components that you must have to support the graphical interface installation option on Windows Server 2012. By default, on graphical installations, this feature is installed.
Windows Identity Foundation 3.5: Set of .NET Framework classes that support implementing claims-based identity on .NET Framework applications.
Windows Internal Database: Relational data store that can only be used by Windows roles and features such as WSUS.
Windows PowerShell: Task-based command-line shell and scripting language that is used to administer computers that are running Windows operating systems. By default, this feature is installed.
Windows Search service: Allows fast searches of files hosted on a server for clients compatible with the Windows Search service.
Windows Server Backup: Backup and recovery software for Windows Server 2012.
Windows Server Migration Tools: Collection of Windows PowerShell cmdlets that help in the migration of server roles, operating system settings, files, and shares from computers that are running earlier versions of Windows Server operating systems to Windows Server 2012.
Windows Standards-Based Storage Management: Set of application programming interfaces (APIs) that allow the discovery, management, and monitoring of storage devices that use standards such as Storage Management Initiative Specification (SMI-S).
Windows System Resource Manager (WSRM): Allows you to control the allocation of CPU and memory resources.
Windows TIFF IFilter: Supports Optical Character Recognition on Tagged Image File Format (TIFF) 6.0-compliant files.
Wireless local area network (LAN) Service: Allows the server to use a wireless network interface.
XPS Viewer: Supports the viewing and signing of documents in XPS formats.
Features on Demand
With Features on Demand, you can add and remove role and feature files, also known as feature payload,
from the Windows Server 2012 operating system to conserve space. You can install roles and features
where the feature payload is not present by using a remote source, such as a mounted image of the full
operating system. If an installation source is not present but an Internet connection is, source files will be
downloaded from Windows Update. The advantage of a “Features on Demand” installation is that it
requires less hard disk space than a traditional installation. The disadvantage is that if you want to add a
role or feature, you must have access to a mounted installation source. This is something that is not
necessary if you perform an installation of Windows Server 2012 with the graphical features enabled.
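The following script is an added example and is not part of the courseware. It ties the feature table to Features on Demand: it audits the legacy network features listed in the table (Telnet Server, Telnet Client, Simple TCP/IP Services, SNMP Service), shows what uninstalling them would change, removes their payload with the -Remove switch so that InstallState becomes Removed, and then shows how a removed feature is reinstalled from a mounted image with -Source. The feature names are the real Windows Server 2012 names; the $apply gate and the install image path are assumptions.

```powershell
# Added example, not from the courseware: audit legacy network features,
# uninstall them with the payload removed (Features on Demand), and show a
# reinstall from an installation source. Requires the ServerManager module.
Import-Module ServerManager

$legacy = 'Telnet-Server', 'Telnet-Client', 'Simple-TCPIP', 'SNMP-Service'
$apply  = $false                               # assumed: set to $true after reviewing the dry run
$source = 'wim:D:\sources\install.wim:2'       # assumed install image path and image index

# 1. Current state of the legacy features on this server.
Get-WindowsFeature -Name $legacy |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# 2. Uninstall any that are installed. -WhatIf lists the change without
#    applying it; -Remove also deletes the payload from the local disk.
$installed = Get-WindowsFeature -Name $legacy | Where-Object { $_.Installed }
if ($installed) {
    $names = $installed | Select-Object -ExpandProperty Name
    if ($apply) {
        $result = Uninstall-WindowsFeature -Name $names -Remove
        $result | Select-Object Success, RestartNeeded, ExitCode
    } else {
        Uninstall-WindowsFeature -Name $names -Remove -WhatIf
    }
} else {
    'None of the legacy features is installed.'
}

# 3. A feature whose payload is gone (InstallState Removed) needs a source to
#    come back: a wim: path with the image index, or a folder that contains
#    \sources\sxs. Without -Source and without Internet access the install
#    fails. Dry run only here.
$removed = Get-WindowsFeature -Name $legacy | Where-Object { $_.InstallState -eq 'Removed' }
foreach ($feature in $removed) {
    Install-WindowsFeature -Name $feature.Name -Source $source -WhatIf
}
```

The dry run with -WhatIf is the useful part on a production server: it prints every role service and dependency the operation would touch, which is the list to review before setting $apply to $true.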
• Access local configuration settings such as networking, firewall, and remote management.
• Access all the available management consoles through the Tools menu, such as DNS, DHCP, and
Services.
• All Servers. This is a default server group and contains all servers that are added to Server Manager
to manage—that is, added to the server pool.
When you create customized Server Groups, by clicking Manage and then clicking Create Server Group,
you can then manage a subset of servers as a logical unit based on whatever criteria is required, such as
Accounting, New York, or other criteria. After you create these, you then have the following areas:
• Server Status. Allows you to view the status of servers, for example activation status, last updates,
manageability status (online or not), and IP address. You can also filter the view by adding filter
criteria. You can right-click a server and view a whole range of other management tasks, such as
starting specific management consoles for the server, launching Windows PowerShell, or shutting
down the server.
• Events. You can view all event types in all logs for a specific server over a particular time period or be
as fine-grained as required. You should be careful not to monitor too many events because doing so can
generate a lot of data and, as a result, potentially affect server performance.
• Services. You can start and stop or view the status of services.
• Best Practice Analyzer (BPA). Allows you to determine whether roles on the network are
performing efficiently or whether there are problems. You can view the health of a specific role based
on criteria that you specify.
• Performance. Allows you to configure Performance Alerts around CPU % Usage and Memory
availability and view as a graph over a period of up to seven days.
• Roles and features. Allows you to view roles, role services, and features that are currently installed on
each server and install or remove roles, role services, or features for the whole group concurrently or
for individual servers.
After a role is installed on a local server, it is displayed in the navigation pane of Server Manager. From
this navigation pane you can manage specific roles.
You can manage Windows Server 2008 and Windows Server 2008 R2 servers with Server Manager on
Windows Server 2012, but .NET Framework 4 and Windows Management Framework BITS 4.0 must be
installed on those servers.
Server Manager uses Remote Management capability, which is enabled by default in Windows Server
2012. This might also need to be enabled on other Windows Server versions if it is not already and you
want to manage those versions through Server Manager.
The Server Manager console uses integrated wizards to step you through adding server roles. You can use
Server Manager to add several roles at the same time, even if they are unrelated. For example, a server
being provisioned for a branch office could have the DNS Server, DHCP Server, and Print Server roles
added at one time. The Server Manager Wizard performs all the necessary dependency checks and
conflict resolution so that the server is stable, reliable, and secure.
In this demonstration, you will see how to add roles and features to a server.
Demonstration Steps
1. Open Server Manager.
3. Install the DHCP Server role and review the configuration settings in the wizard.
Lesson 2
Deploying Role-Specific Servers
In smaller organizations, server functions are frequently combined into a single server. In larger
organizations with many server computers, it is more common to dedicate a server to a specific subset of
server functions. This lesson will cover some common kinds of servers: file and print servers, domain
controllers, application servers, web servers, and remote access servers.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure security settings to ensure appropriate levels of access to users’ files.
• Provide a mechanism that is used to back up and restore shared files.
As discussed in Module 2, “Fundamentals of a Windows Server Infrastructure,” the storage used to host
users’ files does not have to be locally attached to the file server. There are a range of technologies
available depending on your specific requirements and budget.
To deploy a file server, install the File and Storage Services server role. This role includes the following role
services:
• File and iSCSI Services. Provides technologies that help manage file servers and storage, reduce
space utilization, replicate and cache files to branch offices, move or fail over a file share to another
cluster node, and share files by using the NFS protocol.
o File Server. Manages shared folders and enables users to access files on this server.
o Data Deduplication. Saves disk space by storing a single copy of identical data on the volume.
o Distributed File System (DFS) Namespaces and Replication. Enables you to group file shares
that are located on different servers into one or more logically structured namespaces. Each
namespace displays to users as a single file share with a series of subfolders. This service also
replicates data between multiple servers over limited-bandwidth network connections and LAN
connections.
o File Server Resource Manager (FSRM). Helps you manage and understand the files and folders
on a file server by scheduling file management tasks and storage reports, classifying files and
folders, configuring folder quotas, and defining file screening policies.
o File Server VSS Agent Service. Enables you to perform volume shadow copying of applications
that store data on the file server.
o iSCSI Target Server. Provides services and management tools for iSCSI targets.
o iSCSI Target Storage Provider. Enables server applications that are connected to an iSCSI Target
to create volume shadow copies and also allows for management of iSCSI virtual hard disks by
older applications that use Virtual Disk Service (VDS).
o Server for Network File System (NFS). Provides compatibility services for UNIX-based
computers.
• Storage Services. Provides storage management functionality that is always installed, including
storage pools and storage spaces.
As you can see from the previous list, a broad range of functionalities is available under the File and
Storage Services role with many different role services providing specific functions. Although you might
not need all these services for your particular scenario, it is wise to research into what functionality is
available in case it can help identify and simplify your own particular requirements.
File services are frequently combined in organizations with print server services. The print server services
are available in the Print and Document Services role in Windows Server 2012. The Print and Document
Services role provides the following services and features:
• Print Server. Used for managing multiple printers or printer servers and migrating to and from other
Windows print servers.
• Distributed Scan Server. Provides service to receive scanned documents from network scanners and
routes them to correct destinations. Also contains a scan management snap-in.
• Internet Printing. Creates a website where users can manage print jobs and enables users who have
an Internet Printing client installed to use a web browser to connect and print to shared printers.
• LPD Service. Enables UNIX-based computers using the LPR to print to shared printers on the server.
The print server can share locally or network-attached printers. By using network-attached printers, you
can reduce the overall number of print devices in your organization because users do not each need a
printer.
In addition to installing the File and Storage Services and Print and Document Services roles through the
Add Roles And Features wizard, you can also install them by using Windows PowerShell with the following
commands.
Install-WindowsFeature FileAndStorage-Services
Install-WindowsFeature Print-Services
You can verify the installation by using the following command and viewing the output.
Get-WindowsFeature
Note: If you’re unsure what the feature name is in Windows PowerShell, you can use the
Get-WindowsFeature command and scroll through the output until you locate the role, role
service, or feature that you need.
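The following script is an added example and is not part of the courseware. It carries the two Install-WindowsFeature commands above through to verification: a -WhatIf dry run to see the role services and dependencies that will be added, the installation with management tools included, a check of the result object (Success, RestartNeeded, ExitCode), and a listing of the role services that now sit under each role. The cmdlets, parameters and feature names are the Windows Server 2012 ones; nothing else is assumed.

```powershell
# Added example, not from the courseware: install the File and Storage
# Services and Print and Document Services roles, check the result object,
# and verify the role services that were enabled.
Import-Module ServerManager

$roles = 'FileAndStorage-Services', 'Print-Services'

# Dry run: lists every role service, feature and dependency that would be added.
Install-WindowsFeature -Name $roles -IncludeManagementTools -WhatIf

# Real installation. -IncludeManagementTools adds the consoles and the
# PowerShell modules for the roles (Server Manager's wizard does this by default).
$result = Install-WindowsFeature -Name $roles -IncludeManagementTools
$result | Select-Object Success, RestartNeeded, ExitCode,
    @{ n = 'Features'; e = { $_.FeatureResult.DisplayName -join ', ' } }

if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to complete the installation.'
}

# Verify: Installed should be True for both roles.
Get-WindowsFeature -Name $roles | Select-Object Name, DisplayName, Installed

# Role services directly beneath each role (their Parent property names the
# role). Installed/not installed shows what the default selection enabled;
# anything not needed for the server's purpose can be removed later.
Get-WindowsFeature | Where-Object { $_.Parent -in $roles } |
    Select-Object Name, DisplayName, Parent, Installed |
    Format-Table -AutoSize
```

Note that installing Print-Services without naming role services enables only the default set; Internet Printing, which also pulls in Web Server (IIS) components, is not installed unless you ask for it explicitly.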
• Client/server applications. Client/server applications are also known as traditional applications. Part
of the application runs on a client computer and part of the application runs on a server. Typically,
the client (front-end) application serves as an end-user interface for processing requests sent to and
receiving responses from the server (back-end). The bulk of data is stored on the server. In some
cases, the server part of the application is just a SQL Server database that all client computers
communicate with. In other cases, there is a middle tier with application logic that the client
computers communicate with and the middle tier communicates with a SQL Server database.
• Web-based applications. A web-based application uses a web browser to provide the UI. The
application logic is then performed on a web server and data is stored in a SQL Server database.
Windows Server 2012 includes features to support the application server role, regardless of whether the
application to be hosted has a web-based or a client/server kind of architecture.
To deploy an application server, install the Application Server role. This role consists of five role services.
These are as follows:
• Web Server (IIS) Support. Enables the application server to host internal or external websites and
web services that communicate over HTTP.
• Microsoft Component Object Model (COM+) Network Access. Enables the server to host and
allow remote invocation of applications that are built with COM+ and Enterprise Services
components.
• TCP Port Sharing. Facilitates the sharing of TCP ports across multiple processes that use Windows
Communication Foundation (WCF) for communications. This enables multiple applications to coexist
on the same server while remaining logically separate.
• Windows Process Activation Service Support. Enables the server to start and stop applications
remotely and dynamically using protocols such as HTTP and TCP.
• Distributed Transactions. Provides services that ensure reliable and complete transactions over
multiple databases that are hosted on multiple computers on the network.
Note: An application server differs from a web server because it hosts applications that run
natively on the server and the client, instead of preparing and providing content to a browser.
There are no Windows PowerShell cmdlets available for installing and configuring the Application Server
role.
More information about the Application Server role can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309112
The following paragraphs describe the three kinds of web service content.
Static content. Static content is data that is the same for all users that view it. The data does not change
based on where the users connect from or which user is connected. This is the most common kind of data
on computer networks. Some examples of static content include the following:
Dynamic content. Dynamic content is data that can be different every time it is accessed by a user. This
content can change depending on variables such as which user is accessing the content or the user’s
location. This kind of content is most frequently found in modern websites and web-based applications.
A common way to build dynamic content is by using Active Server Pages (ASP) and ASP.NET. These
methods use scripts in webpages that are processed by the server to generate the webpages that are
delivered to users. Examples of dynamic content include the following:
• A webpage that displays a user’s name when the user accesses the website.
• A webpage that changes content depending on the demographics or location of the user.
Streaming content. Streaming content is data that is delivered to users at the speed required for
playback. This differs from non-streaming content that is delivered to users at the fastest possible speed
that the client, servers, and network can support. Streaming content could lead to increases in network
traffic and can cause network congestion. Windows Server and Windows Media® Services provide support
for streaming content. Examples of streaming content can include online radio stations and online video
feeds.
Security
Although users frequently connect anonymously to a web server, users frequently require the web server
to verify its identity. This is typically achieved by using a digital certificate installed on the web server and
the use of the Secure Sockets Layer (SSL) protocol.
Although users who connect to an Internet-connected web server do not have to authenticate
themselves, users who connect to a corporate web server through an intranet connection or remotely
from home are frequently required to provide credentials to identify themselves.
To deploy a web server, install the Web Server (IIS) role. This role consists of the following four role
services and their sub components:
• Web Server. Installing the Web Server role in Windows Server 2012 installs IIS 8.0. Provides support
for HTML websites with optional support for ASP.NET, ASP, and web server extensions. You can use
the web server to host an internal or external website or to provide an environment for developers to
create web-based applications.
• FTP Server. Enables the transfer of files between a client and server by using the FTP protocol. Users
can establish an FTP connection and transfer files by using an FTP client or FTP-enabled web browser.
• IIS Hostable Web Core. Enables you to write custom code that hosts core IIS functions within your
application.
• Management Tools. Provides tools to manage your IIS 6.0 or IIS 7.0 deployments, which are earlier
versions than what displays in Windows Server 2012. You can use the IIS UI, command line tools, and
scripts to manage the web server.
Note: In Windows Server, the Web Server (IIS) role is frequently required to support other
server roles or functions such as Application Server, Active Directory Federation Services (AD FS),
or Internet Printing. You can also install the Web Server (IIS) role on a Windows Server 2012
Server Core,
Windows PowerShell provides an extensive range of cmdlets to help with web server installation and
configuration, as part of the WebAdministration module. Some useful commands are included in the
following table.
Get-Command -Module WebAdministration
    Lists all the cmdlets that are present in the WebAdministration module.
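The following script is an added example and is not part of the courseware. It applies the two points from the Security topic above with the WebAdministration module from the table: the web server proves its identity with a certificate over SSL, and users of an intranet site identify themselves with credentials rather than connecting anonymously. The cmdlets, the IIS:\ provider paths and the configuration section names are real; the site name, host name and the presence of a matching certificate in the machine store are assumptions.

```powershell
# Added example, not from the courseware: give an intranet site an HTTPS
# binding backed by a certificate from the machine store and switch it from
# anonymous to Windows authentication, using the WebAdministration module.
Import-Module ServerManager
Import-Module WebAdministration

$siteName = 'Intranet'                  # assumed site name
$hostName = 'intranet.contoso.com'      # assumed DNS name the certificate was issued for

# Server certificate: subject matches the host name, has a private key,
# and is the one that expires last if several are present.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $hostName in Cert:\LocalMachine\My"
}

# HTTPS binding on 443, then attach the certificate to that endpoint.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (-not (Test-Path -Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# Windows authentication is a role service of Web Server (IIS); add it if missing.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

# Intranet users must identify themselves: anonymous off, Windows auth on.
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled `
    -Value $false -PSPath 'IIS:\' -Location $siteName
Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication" -Name enabled `
    -Value $true -PSPath 'IIS:\' -Location $siteName

# Review the outcome: bindings and the authentication switches for the site.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Get-WebConfigurationProperty -Filter "$auth/*" -Name enabled -PSPath 'IIS:\' -Location $siteName |
    Select-Object ItemXPath, Value
```

Leaving the HTTP binding in place after adding HTTPS is a common oversight; once the HTTPS binding works, remove the port 80 binding with Remove-WebBinding or redirect it, so credentials are never sent over the unencrypted listener.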
More information about Internet Information Services 8.0 can be found at the following
webpage.
http://www.iis.net
• Staff telecommuting
• Working from hotels during business trips
When you install the remote services role, you have two options:
o DirectAccess was introduced in Windows Server 2008 R2 and Windows 7, and is present in
Windows Server 2012 and Windows 8. DirectAccess allows users to securely access their
corporate network, shares, websites, and applications remotely across the corporate network
without any configuration or manual intervention on the end-user side. It creates a bi-directional
link that IT administrators can use to manage the device when the computer or device is
connected to the Internet. It provides a secure, seamless, always-on technology. If DirectAccess
loses connection, it will automatically reconnect.
o VPN is an older remote access technology that creates a secure point-to-point connection
between the remote device or computer and the corporate network. It uses tunneling protocols to
provide the connection. It can require some manual intervention and troubleshooting on the client side.
• Routing. Routing provides for the management of data flow between network segments or subnets.
It provides support for network address translation (NAT) routers, LAN routers running Routing
Information Protocol (RIP), and multicast-capable routers. The Routing role service in Windows Server
2012 is a software-based routing solution that is best suited for smaller segmented networks that
carry fairly light network volumes.
Regardless of what kind of data is being accessed, security is a key concern when you allow devices from
outside your own secure corporate environment to gain access to the network. So although the remote
access role allows for external connections to the network, there are additional roles that are installed to
provide security for those devices. To provide that protection, one additional role to install would be
Network Policy and Access Services.
The Network Policy and Access Services role provides for a range of different technologies that provide
layers of security when you are deploying a remote access infrastructure in the network. This role consists
of four role services:
• Network Policy Server (NPS). Enables you to create and enforce network access policies for network
access connections, health enforcement, and network connection authorization. This controls access
to your corporate network and allows for remediation of clients who do not meet the specific
requirement that you set in your policies, such as the latest updates being installed or antivirus
software being present on the client devices.
• Health Registration Authority (HRA). Validates certificate requests that contain health claims; used
in NAP enforcement.
• Host Credential Authorization Protocol. Enables you to integrate your NAP solution with Cisco
Network Access Control.
Some of these technologies are described in more detail later in the course. But the main thing to
understand from this topic is that several roles might be necessary to provide for efficient and secure
deployment of a role. You should give full consideration to what your requirements are before you deploy
any server role.
Windows PowerShell provides an extensive range of cmdlets to help with remote access installation and
configuration, as part of the RemoteAccess and NPS modules. Some useful commands might include
those in the following table.
Get-Command -Module NPS
    Displays the cmdlets for the NPS module.
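The following script is an added example and is not part of the courseware. It shows two routine NPS tasks with the NPS module cmdlets: exporting the server's configuration as a backup before a change, and registering a VPN server as a RADIUS client with a freshly generated shared secret rather than a reused static one. Export-NpsConfiguration, Get-NpsRadiusClient, New-NpsRadiusClient and Set-NpsRadiusClient are the real Windows Server 2012 cmdlets; the backup path, client name and client address are assumptions.

```powershell
# Added example, not from the courseware: back up the NPS configuration,
# then register or update a RADIUS client (the VPN server) with a random
# shared secret. Runs on the NPS server itself.
Import-Module NPS

# 1. Backup first. The export contains RADIUS client shared secrets in clear
#    text, so keep the file in a directory with a restrictive ACL.
$backup = "C:\Backup\NPS-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"   # assumed path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
Export-NpsConfiguration -Path $backup
"NPS configuration exported to $backup"

# 2. A 32-byte secret from the cryptographic RNG, Base64-encoded so it can be
#    typed into the VPN server's RADIUS settings.
$bytes = New-Object -TypeName byte[] -ArgumentList 32
$rng   = New-Object -TypeName System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 3. Register the client, or rotate the secret if it already exists.
$clientName = 'VPN01'        # assumed
$clientAddr = '10.0.0.10'    # assumed address of the VPN server
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName }) {
    Set-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $secret
} else {
    New-NpsRadiusClient -Name $clientName -Address $clientAddr -SharedSecret $secret
}

# 4. Confirm the registration; hand $secret to the VPN server out of band.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName } |
    Select-Object Name, Address, Enabled
```

Import-NpsConfiguration with the exported file restores the server if the change has to be rolled back, which is why the export comes first.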
Question: What are some examples of security concerns for data that is accessed remotely?
You can manage Windows Server 2012 servers only with the RSAT for Windows 8; that is, you cannot manage
Windows Server 2012 by using the RSAT for Windows 7.
You can download the Remote Server Administration Tools for Windows 8 at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309113
Demonstration Steps
1. Install the RSAT for Windows 8
Lesson 3
Considerations for Provisioning Roles
This lesson will cover considerations for deploying server roles and also the deployment options that are
available. Organizations are no longer required to provide the IT infrastructure for their business
themselves. Instead, the availability of online cloud services allows IT administrators to take advantage of
large data center functionality while focusing on their core business needs. Although externally hosted
services may not be suitable in all situations, the option is available and IT administrators must be aware of it.
Lesson Objectives
After completing this lesson, students will be able to:
• Describe Hyper-V.
What Is Hyper-V?
Hyper-V is a virtualization technology that is installed as a role in Windows Server 2012. It provides the
ability to create and manage virtual machines. Virtual machines are virtual instances of operating systems,
which allow multiple operating systems to run concurrently on a single server.
After installation of the Hyper-V role, the installed operating system becomes the “parent partition” from
where you can create and manage “child partitions.” Child partitions do not have direct access to other
hardware resources and are presented with a virtual view of the resources, as virtual devices.
Drivers in the parent partition are used for accessing the server hardware. Child partitions use virtualized
devices through virtualization service client drivers, which communicate through a virtual machine bus
(VMBus) with virtualization service providers in the parent partition. Requests to the virtual devices are
redirected either through the VMBus or through the hypervisor to the devices in the parent partition.
Installation Requirements
The server on which you plan to install the Hyper-V role must meet the following hardware requirements:
• The server must have an x64 platform that supports the following:
o Hardware-assisted virtualization. If you want to run Hyper-V, you must have servers that can
run AMD Virtualization (AMD-V) or Intel Virtualization Technology (Intel VT).
o Data Execution Prevention (DEP). You must have hardware-enforced DEP enabled by
configuring either the Advanced Micro Devices (AMD) no execute bit (NX bit) or the Intel execute
disable bit (XD bit).
After you change the BIOS to support hardware virtualization and DEP you must turn off the computer
completely, and then restart it. Performing a restart may not enable the new settings.
• The server must have enough CPU capacity to meet the requirements of the guest virtual machines. A
virtual machine hosted on Hyper-V in Windows Server 2012 can support up to 64 virtual processors.
• The server must have enough memory to support all the virtual machines that must run concurrently,
plus enough memory to run the host Windows Server 2012 operating system.
o The server must have at least 4 gigabytes (GB) of RAM.
o A virtual machine hosted on Hyper-V in Windows Server 2012 can support no more than 2
terabytes (TB) of RAM.
• The storage subsystem performance must meet the input/output (I/O) needs of the guest virtual
machines. Whether deployed locally or on SANs, you might have to put different virtual machines on
separate physical disks, or you might have to deploy high-performance redundant array of
independent disks (RAID), solid-state drives (SSD), hybrid-SSD, or a combination of all three.
• The virtualization server's network adapters must be able to support the network throughput needs
of the guest virtual machines. You can improve network performance by installing multiple network
adapters.
Windows PowerShell provides an extensive range of cmdlets to help with Hyper-V implementation. These
cmdlets are part of the Hyper-V module and include those in the following table.
Get-Command -Module Hyper-V
    Displays the cmdlets for the Hyper-V module.
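The following script is an added example and is not part of the courseware. It checks the hardware requirements from the Installation Requirements list above (x64 platform, hardware-assisted virtualization, hardware-enforced DEP, at least 4 GB of RAM) by reading the CIM classes that expose them, installs the Hyper-V role only when every check passes, and then enumerates the Hyper-V module from the table. The CIM class and property names are real; the script is written to run before the role is installed, because VirtualizationFirmwareEnabled reads false once a hypervisor already owns the hardware extensions.

```powershell
# Added example, not from the courseware: verify Hyper-V prerequisites from
# CIM, install the role when they pass, and list the Hyper-V module cmdlets.
Import-Module ServerManager

$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem

# Each check maps to one bullet of the hardware requirements.
$checks = [ordered]@{
    'x64 operating system'           = ($os.OSArchitecture -eq '64-bit')
    'AMD-V / Intel VT enabled'       = ($cpu.VirtualizationFirmwareEnabled -eq $true)
    'Hardware DEP (NX/XD) available' = ($os.DataExecutionPrevention_Available -eq $true)
    'At least 4 GB of RAM'           = ($cs.TotalPhysicalMemory -ge 4GB)
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-32} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAIL' })
}
# SLAT is not required by Windows Server 2012 Hyper-V but improves performance.
'{0,-32} {1}' -f 'SLAT (EPT/RVI) present', $cpu.SecondLevelAddressTranslationExtensions

if ($checks.Values -contains $false) {
    Write-Warning 'Fix the failed items first. BIOS changes for virtualization or DEP need a full power-off, not a restart.'
    return
}

# Install the role plus Hyper-V Manager and the Hyper-V PowerShell module.
$result = Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
$result | Select-Object Success, RestartNeeded, ExitCode

# The hypervisor loads at the next boot; the module itself is usable right away.
if ($result.Success) {
    Import-Module Hyper-V
    'Hyper-V module cmdlets: {0}' -f (Get-Command -Module Hyper-V).Count
    Get-Command -Module Hyper-V -Verb Get | Select-Object -ExpandProperty Name | Sort-Object
}
```

After the restart, Get-VMHost from the same module confirms that the hypervisor is running and reports the host's default virtual hard disk and virtual machine paths.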
As well as being able to install Hyper-V as a role in Windows Server 2012, it is also possible to obtain
Microsoft Hyper-V Server 2012 as a free download. This version just contains the virtualization technology
and does not contain the rich feature set that comes with Windows Server 2012. Hyper-V Server 2012
would typically be used where organizations are consolidating servers where no new Windows Server
licenses are required or where the servers being consolidated are running an alternative operating system.
Hyper-V Capabilities
Hyper-V is a cornerstone of several Microsoft virtualization technologies. Microsoft provides many
virtualization solutions that address various organizational needs. These include the following:
• RDS and Virtual Desktop Infrastructure (VDI). This allows you to provision remote access to
machines and also provision client desktops and applications to end-users. VDI provides for more
centralized control and customization of the desktop environments, maintaining application storage
on centralized servers, while providing users with a familiar application interface on their
workstations.
• Application virtualization. This lets you run applications in a virtualized environment on a user’s
desktop. With application virtualization, the application is isolated from the underlying operating
system because the application is encapsulated in a virtual environment. When you deploy a
complete application virtualization solution, you can use centralized servers to distribute the virtual
applications.
• User-state virtualization. User-state virtualization lets users take advantage of separating their
documents and profile information from a specific computer. This makes it easy to get started again
on a new computer. Profile virtualization also makes it easy for users to move between computers, or
to experience the same desktop environment when using one of the other virtualization technologies.
Each virtualization strategy has specific tools or configurations that it requires in addition to Hyper-V.
One of the critical components in deploying virtualization is to be able to manage both the physical and
virtual components. The System Center suite of tools provides virtualization management. Tools such as
System Center Configuration Manager, System Center Operations Manager, and System Center Virtual
Machine Manager (VMM) provide a familiar set of tools for managing both the virtual environment and
the physical layer that hosts the virtual environment. These Enterprise server tools integrate with Hyper-V
to allow for more scalability and efficiency when you deal with many virtualized environments.
On-Premise Servers
As an IT professional who has worked with locally
deployed servers, it would be reasonable to ask
why, if everything is moving to cloud computing
(discussed in the next topic) would you have to
learn about deploying Windows Server 2012
locally? The reality is that not every service and
application that is used daily should be hosted by
cloud computing. Locally deployed servers form
the backbone of an organizational network, and
provide the following resources to clients:
• Shared files and printers. Servers provide a centralized location that lets users store and share
documents. Servers also host resources such as shared printers that allow groups of users to take
advantage of resources more efficiently. Without these centralized, locally deployed resources,
sharing and backing up files centrally would be a more complex and time-intensive process. You
could host some of this information by using cloud computing. However, it does not always make
sense to send a job to a printer that is in the next room through a server that is hosted at a remote
location.
• Hosted applications. Servers host applications such as Exchange Server, SQL Server, Microsoft
Dynamics®, and System Center. Clients access these applications to perform different tasks, such as
accessing email or self-service deployment of desktop applications. In some cases, these resources can
be deployed to cloud computing. But frequently, these resources must be hosted locally for
performance, cost, and regulatory reasons. Whether it is best to host these resources locally or with
cloud computing depends on the specifics of the individual organization.
• Network access. Servers provide authentication and authorization resources to clients on the
network. By authenticating against a server, a user and client can prove their identity, even when
many of an organization’s servers are located in a public or private cloud.
• Application, Update, and Operating System deployment. Servers are frequently deployed locally
to help with the deployment of applications, updates, and operating systems to clients on the
organizational network. Because of intensive bandwidth use, these servers must be in proximity to the
clients to which they are providing this service.
Each organization will have its own requirements. An organization in an area that has limited Internet
connectivity will have to rely more on on-premises servers than an organization that has access to
high-speed bandwidth. Make sure that, even in a case of Internet connectivity issues, work in an organization
can continue. Productivity will be adversely affected if the failure of the organization’s Internet connection
suddenly means that no one can access their shared files and printers.
Although Windows Server 2012 is ready for integration with cloud computing, it is also still eminently
suited to the traditional tasks that Windows Server operating systems have performed historically.
Therefore, you will still be able to configure and deploy Windows Server 2012 to perform the same or
similar workloads that you configured for servers running Windows Server 2003, and maybe even for the
Windows NT Server 4.0.
• Platform as a Service (PaaS). With PaaS, the cloud hosting provider provisions you with a particular
platform. For example, a provider could let you host databases. You manage the database itself, and
the cloud hosting provider hosts the database server. Windows Azure™ SQL Database (formerly
known as SQL Azure) is an example of PaaS.
• Software as a Service (SaaS). The cloud hosting provider hosts your application and the
infrastructure that supports that application. You buy and run a software application from a cloud
hosting provider. Windows Intune™ and Microsoft Office 365™ are examples of SaaS.
Private clouds are more than large-scale hypervisor deployments. They can use the System Center 2012
management suite, which makes it possible to provide self-service delivery of services and applications.
For example, in an organization that has its own private cloud, it would be possible for users to use a
self-service portal to request multitier applications including a web server, database server, and storage
components. Windows Server 2012 and the components of the System Center 2012 suite are configured
in such a way that this service request can be processed automatically, without requiring the manual
deployment of virtual machines and database server software.
In general, your organization’s requirements will most likely involve some mix of the two scenarios in a
hybrid cloud and on-premise environment. This provides the core services that you must have, allows for
control over data that you do not want to leave your organization, and lets you take advantage of some
benefits of cloud services. These benefits include high availability, business continuity, disaster recovery,
reduced hardware costs, regular billing for services allowing for better forecasting, and management of
costs.
More information about Windows Azure can be found at the following webpage.
http://www.windowsazure.com
Your task is to read the requirements document and determine what server roles are required to support
the needs of users at branch offices.
Objectives
After completing this lab, you will be able to:
• Determine the appropriate roles to deploy.
Lab Setup
Estimated Time: 90 minutes
Password: Pa$$w0rd
Supporting Documentation
Charlotte,
Please see Alan’s comments and review the attached document for more information.
Regards,
Ed
Ed,
I don’t understand all the technicalities, but what we want at the branches is the ability to work as usual
even if the link to the head offices is unavailable.
We have a database that we use; the branches synchronize their data with the head office database
periodically.
All workers at the branches are using standard office productivity software: Microsoft Word 2013,
Microsoft Excel® 2013, and other Office components. They save their work to a server. Shared printers
are available throughout the branches for all users.
We often have visiting laptops and users moving between branches, so they need to be able to connect
to the network without user or administrator intervention.
During interviews with staff and following research at each branch, I have determined the following
requirements:
• Client computers require automatic IPv4 configuration.
• A database server exists at each branch that contains a subset of the data for the whole Research
department; synchronization occurs automatically with the head office.
• Make sure that updates to computers are not obtained directly from the Internet, but instead from a
local server.
Requirements Overview
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
Additional Information
None.
Proposals
1. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
2. How will you address the requirement that users must be able to access shared files?
3. How will you address the requirement that users must be able to use shared printers?
4. What kind of server best supports the needs of the database application?
6. How will you address the requirement that the computers must obtain updates from a local update
server?
2. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
3. How will you address the requirement that users must be able to access shared files?
4. How will you address the requirement that users must be able to use shared printers?
5. What kind of server best supports the needs of the database application?
7. How will you address the requirement that the computers must obtain updates from a local update
server?
Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.
o Application Server
2. Configure event data to track the following events that have occurred within the past three days:
• Critical
• Error
• Warning
• Informational
Task 5: Run the Best Practice Analyzer for the DHCP role
1. On 10967A-LON-CL1, open Server Manager.
2. In the DHCP node, go to the Best Practices Analyzer section and start a BPA scan.
3. Review the resultant messages and determine what remains to be configured on the DHCP server.
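The same two lab tasks (the three-day event view and the DHCP BPA scan) can be done from Windows PowerShell instead of the Server Manager console. The script below is an added example, not part of the course; it assumes an elevated session on the DHCP server itself and uses the System log as the source of events.

```powershell
# Added example (not part of the course): PowerShell equivalents of the two lab tasks.
# Assumptions (hypothetical): elevated session on the DHCP server; the System log is
# the log of interest.

# Task: events of level Critical (1), Error (2), Warning (3) and Informational (4)
# from the past three days. The level numbers are the ones the event log uses.
$since = (Get-Date).AddDays(-3)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2, 3, 4
    StartTime = $since
} -ErrorAction SilentlyContinue

# Summarise by level so the three-day picture is readable at a glance.
$events |
    Group-Object -Property LevelDisplayName |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Task: run the Best Practices Analyzer for the DHCP role. The model ID is
# discovered from the installed BPA models rather than typed by hand.
Import-Module BestPractices
$dhcpModel = Get-BpaModel | Where-Object { $_.Id -like '*DHCP*' }
if (-not $dhcpModel) { throw 'DHCP BPA model not found; is the DHCP Server role installed?' }

Invoke-BpaModel -ModelId $dhcpModel.Id | Out-Null

# Only non-informational results need attention; each carries the resolution text
# that says what remains to be configured on the DHCP server.
Get-BpaResult -ModelId $dhcpModel.Id |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Title, Resolution |
    Format-List
```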
3. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
Results: After this exercise, you should have deployed all required roles and features.
Question: When installing the File Services role during the lab, which role services might
prove especially useful for a branch office?
Supplement or modify the following best practices for your own work situations:
• Combine multiple roles on a single server when you deploy servers in smaller organizations; scale out
these roles in larger organizations so that you can optimize performance.
Review Question
Question: How is a server role different from a server feature?
Tools
Tool | Use for | Where to find it
Module 7
Implementing Active Directory
Contents:
Module Overview 7-1
Module Overview
The Windows Server® operating system Active Directory® Domain Services (AD DS) is a Windows®–based
directory service. As a directory service, AD DS stores information about objects on a network and makes
this information available to users and network administrators.
Objectives
After completing this module you will be able to:
• Implement AD DS.
Lesson 1
Introducing Active Directory Domain Services
AD DS enables network users to access resources anywhere on the network by using a single logon
process. It also gives network administrators an intuitive, hierarchical view of the network and a single
point of administration for all network objects. By understanding the fundamental building blocks of AD
DS, you can make more informed decisions about how to implement and configure AD DS.
More information about Active Directory Domain Services can be found at the following
webpage:
http://go.microsoft.com/fwlink/?LinkID=309114
Lesson Objectives
After completing this lesson you will be able to:
The AD DS Forest
In AD DS, a forest is the highest level in the logical
structure hierarchy. An Active Directory forest
represents a single, self-contained directory, and
within each forest there exists one or more
domains. A forest is a security boundary, a domain
being an administrative boundary. This means
that administrators in a forest have complete
control over all access to information that is
stored inside the forest and to the domain
controllers (DCs) that are used to implement the
forest.
Typically, an organization has a single forest.
There are reasons for multiple forests, such as the following: an organization requires complete data or
service isolation, requires separate test or development networks, is deploying domain controllers in
perimeter networks, or is involved in mergers and acquisitions. If an organization requires separate
administrative areas for different parts of the organization, you should create multiple domains to
represent those administrative areas.
By default, if you implement multiple forests within your organization, the forests will operate separately
from one another as if they were the only directory service in your organization.
Note: You can integrate multiple forests by creating security relationships between them
known as external or forest trust relationships.
You can also use technologies such as Microsoft® Forefront® Identity Manager to synchronize
accounts (as in a resource forest model) or Active Directory Federation Services (AD FS) to enable
accounts from other forests to authenticate against resources in a non-trusted forest.
AD DS is a multi-master directory service. This means that many changes to the directory can be made at
any writable instance of the directory—that is, any writable domain controller. However, some changes
are single-master. This means that they can only be made on one specific domain controller in the forest
or domain, depending on the particular change. Domain controllers at which you can make these
single-master changes are said to hold operations master roles. There are five operations master roles. Two of
the roles are forest-wide and assigned for the forest. The remaining three roles are domain-wide and are
assigned for the domain.
The two operations master roles assigned for the forest are as follows:
• Domain naming master. The job of the domain naming master is to make sure that there are unique
names throughout the forest. That is, it makes sure that the fully qualified domain name (FQDN) of
each computer, among other objects, exists only one time in the forest.
• Schema master. The schema master tracks the schema of the forest and maintains changes to the
schema of the forest.
Because these are key critical forest-wide roles, each forest must have only one schema master and one
domain naming master.
What Is a Domain?
A domain is an administrative boundary. All
domains host an Administrator user account that
has full administrative capabilities over all objects
within the domain, frequently known as the
domain administrator. Although the administrator
can delegate administration on objects within the
domain, the account maintains full administrative
control of all objects within the domain.
A domain is also a replication boundary. AD DS consists of three elements, or partitions. These are the
schema, the configuration partition, and the domain partition. There is one of each per domain. Generally,
it is only the domain partition that frequently changes.
The domain partition contains objects that are likely to be frequently updated. These include users,
computers, groups, and OUs. Therefore, AD DS replication consists primarily of the updates to objects that
are defined within the domain partition. Only domain controllers in the same domain receive domain
partition updates from other domain controllers. Partitioning data enables organizations to replicate data
only to where it is needed. In this manner, the directory can scale globally over a network that has limited
available bandwidth.
A domain is also an authentication boundary. Each user account in a domain can be authenticated by
domain controllers from that domain. Domains in a forest trust one another, and it is these trusts that
enable a user from one domain to access resources held in another domain.
There are three operations master roles per domain. By default, these roles are assigned to the first
domain controller in each domain and include the following:
• Relative identifier (RID) master. When an object is created in AD DS, the domain controller where
the object is created assigns the object a unique identifying number known as a security identifier
(SID). To make sure that no two domain controllers assign the same SID to two objects, the RID
master allocates blocks of SIDs to each domain controller within the domain.
• Primary domain controller emulator. This role is the most important because its failure is noticed
far more quickly than any other operations master role. It is responsible for several domain-wide
functions. This includes the following:
These three roles must be unique in each domain. Therefore, each domain can have only one RID master,
one primary domain controller (PDC) emulator, and one infrastructure master.
AD DS Trees
If your AD DS consists of more than one domain,
you must define the relationship between the
domains. If the domains share a common root
and a contiguous namespace, then they are
logically part of the same Active Directory tree. A
tree serves no administrative purpose. In other
words, there is no tree administrator as there is a
forest or domain administrator. A tree provides a
logical, hierarchical grouping of domains that
have parent/child relationships that are defined
through their names. Your Active Directory tree
maps to your Domain Name System (DNS)
namespace.
Active Directory trees are created by the relationship between the domains within the forest. There is no
specific reason you should, or indeed, should not create multiple trees within your forest. However, be
aware that a single tree, with its contiguous namespace, is easier to manage, and easier for users to
visualize.
Consider using multiple trees in a single forest if you have multiple namespaces to support. For example,
if within your organization there are several distinct operating divisions that have different public
identities, you could create a different tree for each operating division. Consider that with this scenario,
there is no separation of administration because the forest root administrator still has complete control
over all objects in the forest—in whichever tree they reside.
Trust Relationships
A trust relationship enables one security entity to
trust another security entity for the purposes of
authentication. In the Windows Server operating
system, the security entity can be thought of as
the Windows domain.
Note: Just because there is a trust between domains does not necessarily mean that
someone from a different domain has access to resources in other domains. Administrators can
grant the user rights to resources. By default, there are no user rights.
Types of Trusts
Trusts can be one-way or two-way.
A one-way trust means that, although one entity trusts the other, the reciprocal is not true. For example,
just because you lend Steve your laptop does not mean that Steve will lend you his car. In a two-way trust,
both entities trust one another.
Trusts can be transitive or nontransitive. In a transitive trust, A trusts B and B trusts C, and then A also
implicitly trusts C. For example, if you lend Steve your laptop, and Steve lends his car to Mary, then you
might lend your mobile phone to Mary.
Windows Server supports several different trusts for use in different situations. In a single forest, all
domains trust one another with internal, two-way transitive trusts. Basically, this means that all domains
trust all other domains. These trusts extend across trees within the forest. Other than these automatically
created trusts, you can configure additional trusts between domains within your forest, between your
forest and other forests, and between your forest and other security entities, such as Kerberos realms or
an Active Directory domain. The following table provides more information.
Trust Type | Transitivity | Direction | Description
External | Nontransitive | One-way or two-way | Use external trusts to provide access to resources that are located on a domain that is located in a separate forest that is not joined by a forest trust.
Realm | Transitive or nontransitive | One-way or two-way | Use realm trusts to form a trust relationship between platforms other than Windows utilizing a Kerberos realm and an Active Directory domain.
Forest | Transitive | One-way or two-way | Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.
Shortcut | Transitive | One-way or two-way | Use shortcut trusts to improve user logon times between two domains in an Active Directory forest. This is useful when two domains are separated by two domain trees.
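The forest, domain, operations master and trust concepts covered in this lesson can be inventoried from PowerShell, which is also how you would check that each forest-wide and domain-wide role is held exactly once and that every trust crossing the forest boundary keeps SID filtering on. The script below is an added example, not part of the course; it assumes the ActiveDirectory module (RSAT) and a domain account that can read the directory, and it makes no changes.

```powershell
# Added example (not part of the course): inventory the forest, the operations
# master roles and every trust, and classify each trust with the categories used
# in the trust table above. Assumes the ActiveDirectory module; read-only.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root:          $($forest.RootDomain)"
"Domains in forest:    $($forest.Domains -join ', ')"
"Schema master:        $($forest.SchemaMaster)"
"Domain naming master: $($forest.DomainNamingMaster)"

# The three domain-wide roles: one RID master, one PDC emulator and one
# infrastructure master per domain.
foreach ($dom in $forest.Domains) {
    $d = Get-ADDomain -Identity $dom
    '{0}: RID={1} PDC={2} Infrastructure={3}' -f $d.DNSRoot, $d.RIDMaster, $d.PDCEmulator, $d.InfrastructureMaster
}

function Get-TrustCategory {
    # Map the attributes of a trust object onto the lesson's trust types.
    # Kerberos realm trusts are reported by Get-ADTrust with TrustType 'MIT'.
    # Trusts inside the forest are the automatic parent/child and tree-root
    # trusts plus any shortcut trusts; the object alone does not tell them apart.
    param($Trust)
    if ($Trust.TrustType -eq 'MIT') { return 'Realm' }
    if ($Trust.IntraForest)         { return 'Inside forest (parent/child, tree-root or shortcut)' }
    if ($Trust.ForestTransitive)    { return 'Forest' }
    return 'External'
}

# Direction and transitivity come straight from the trust object. SID filtering
# and selective authentication are the two settings worth checking on every
# trust that leaves the forest, because they bound what the trusted side can assert.
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Target        = $_.Target
        Category      = Get-TrustCategory -Trust $_
        Direction     = $_.Direction               # Inbound, Outbound or BiDirectional
        Transitive    = -not $_.DisallowTransivity # property name is spelled this way by AD
        SidFiltering  = $_.SIDFilteringQuarantined
        SelectiveAuth = $_.SelectiveAuthentication
    }
} | Format-Table -AutoSize
```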
The AD DS Schema
The AD DS schema is the definition of all objects
and attributes that AD DS uses to store data.
Imagine you are creating a database (or Microsoft Excel® spreadsheet) with cars in it. You create a cars
table, which corresponds to the object definition, or class, in AD DS. Then you define that every car has a
license or registration plate, and you define that this is a string with no more than 12 digits and that every
car can only be entered if the license or registration plate exists. Additionally, you define that the car has a
specific number of doors, a specific number of wheels, and a maximum speed. All these attributes are
numbers. Next you define a six-digit color code and a manufactured date.
The definition of this table corresponds to the class in the schema, the definition of the attributes, and
attaching the attributes to the class. You haven’t added any cars yet. However, you have the definition of
the car. When you enter a car, you are restricted to that definition and you cannot enter other data, such
as the engine size, if it is not defined in the schema.
Object definitions control the types of data that the objects can store and the syntax of the data. Using
this information, the schema makes sure that all objects comply with their standard definitions. Therefore,
AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the
original source of the data. Only data that has an existing object definition in the schema can be stored in
the directory. If a new kind of data has to be stored, a new object definition for the data must first be
created in the schema.
The schema is a single master element of AD DS. This means that you must change the schema at the
domain controller that holds the schema operations master role.
The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest. All domain controllers in the forest share the
same schema, and therefore the same definition of objects and attributes. When a change in the schema
occurs, DCs update the schema before they replicate objects and attributes. This makes sure that they
have the definition before they obtain the data.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should only be made when it is necessary.
Changes should follow a tightly controlled process.
Although you might not make any change to the schema directly, some applications change the schema
to support additional features. For example, when you install Microsoft Exchange Server into your AD DS
forest, the installation program extends the schema to support new object types and attributes.
Note: You can view the schema on a domain controller by running regsvr32
schmmgmt.dll in an administrative Command Prompt and then adding the Active Directory
Schema snap-in into the Microsoft Management Console (MMC). You can then scroll through
and view the classes and attributes.
More information about the Active Directory schema can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309115
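The cars analogy above maps directly onto real schema objects: a classSchema object is the "table", its mustContain/mayContain lists are the columns, and each attributeSchema object carries the syntax and size limit (the "string of no more than 12 digits"). The script below reads those definitions the same way the Active Directory Schema snap-in in the note does, but from PowerShell. It is an added example, not part of the course; it assumes the ActiveDirectory module and read access to the schema partition, and it writes nothing.

```powershell
# Added example (not part of the course): read class and attribute definitions
# from the schema partition. Assumes the ActiveDirectory module; read-only.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClass {
    # The class definition: its parent class and the attributes it requires or allows.
    param([string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties subClassOf, mustContain, systemMustContain, mayContain, systemMayContain
}

function Get-SchemaAttribute {
    # The attribute definition: syntax, single/multi-valued, and range limits.
    param([string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties attributeSyntax, oMSyntax, isSingleValued, rangeLower, rangeUpper, searchFlags
}

function Get-MandatoryAttributes {
    # Walk the inheritance chain up to "top" and collect every mandatory attribute,
    # because most of what an object must carry is declared on its parent classes.
    param([string]$ClassName)
    $required = @()
    $current  = $ClassName
    while ($true) {
        $cls = Get-SchemaClass -LdapDisplayName $current
        if (-not $cls) { break }
        $required += @($cls.mustContain) + @($cls.systemMustContain)
        # "top" lists itself as its parent, which ends the walk.
        if (-not $cls.subClassOf -or $cls.subClassOf -eq $current) { break }
        $current = $cls.subClassOf
    }
    $required | Where-Object { $_ } | Sort-Object -Unique
}

# The "user" class and everything a user object must carry, inherited entries included.
$user = Get-SchemaClass -LdapDisplayName 'user'
"user is a subclass of $($user.subClassOf) and declares $(@($user.mayContain).Count) optional attributes of its own"
"Mandatory attributes: $((Get-MandatoryAttributes -ClassName 'user') -join ', ')"

# The attribute behind the logon name, with its syntax and maximum length
# (the schema's version of "a string of no more than 12 digits").
Get-SchemaAttribute -LdapDisplayName 'sAMAccountName' |
    Select-Object Name, attributeSyntax, isSingleValued, rangeLower, rangeUpper |
    Format-List
```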
Organizational Units
An OU is a container object in a domain that you
can use to consolidate users, groups, computers,
and other objects. You can use OUs to organize
hundreds of thousands of directory objects into
manageable units. OUs are useful in grouping and
organizing objects for administrative purposes,
such as delegating administrative rights and
assigning policies to a collection of objects as a
single unit.
There are two reasons to create OUs:
• Configure objects that are contained within the OU. You can assign GPOs to the OU, and the settings
apply to all objects within the OU.
Note: An OU is very important for delegation. However, you have a lot of possibilities for
GPOs: you can use security filtering, Windows Management Instrumentation (WMI) filters, sites,
domains, and OUs. An OU is not the smallest scope to apply a GPO. If you want GPOs applied to
a small subset of objects, you usually use security filtering and link the GPO as high as
appropriate.
OUs should match the administrative model in your organization. This is very important because OUs are
the only way to implement an administrative task delegation model. You should avoid
creating OUs based on departments, cost centers, or other business-related units that are likely to change.
OUs are a technical view for administrators, and users do not see the OU structure. Therefore, although it
is very important that unnecessary OU moves are avoided, administrative tasks can still be fulfilled if
moves are made.
For example, if you have a central administrator who is creating users, some server administrators who are
installing servers, project managers who grant rights to their project resources, some site administrators
who are maintaining some resource groups, and a telephone administrator who is managing the Voice
over Internet Protocol (VoIP) infrastructure, then these are functional structures that have to be
considered when you design your OU structure.
Every AD DS domain contains a standard set of containers and OUs that are created when you install AD
DS. These include the following:
• Users container. The default location for new user accounts and groups that are created in the
domain.
• Computers container. The default location for new computer accounts that are created in the
domain.
• Domain controllers OU. The default location for domain controller computer accounts.
OU Hierarchical Models
Organizations can deploy OU hierarchies by using several different models, such as the following:
• Geographic OUs. If the organization has multiple locations and network management is distributed
geographically, you should use a location-based hierarchy. For example, you might decide to create
OUs for New York, Toronto, and Miami in a single domain.
• Management-based OUs. Management-based OUs reflect the various administrative divisions within
the organization by mirroring its structure in the OU structure. For example, users and groups can be
organized into nested departmental OUs. These OUs can then be delegated to the managers of those
departments.
The main factor for designing OUs must be ease of management. If the OUs are too large and the
management structure doesn’t meet the requirements, consider creating OUs that combine the models.
For example, add geographical (site or country/region administrators), department (departmental
administrators), or resources (virtual machine, server, or desktop administrators, project managers, or
Microsoft SharePoint® site owners) information.
The final OU design should represent how the business will be administered. Delegation of authority,
separation of administrative duties, central versus distributed administration, and design flexibility are
important factors you should consider when you design Group Policy and select the scenarios to use for
your organization.
Question: Describe a scenario in which you would use a domain to organize a network.
Describe a scenario in which you would use an OU to organize a network.
Demonstration Steps
1. Access the Active Directory Administrative Center.
2. Move Claus Hansen from the Domain Users group to the Sales OU.
Lesson 2
Implementing AD DS
To implement AD DS, you must deploy domain controllers. Understanding where and how to create
domain controllers to optimize the network infrastructure is important to make sure that you optimize AD
DS.
Lesson Objectives
After completing this lesson, you will be able to:
• Host operations master roles (optional). These roles were formerly known as flexible single master
operations (FSMO) roles. There are five operations master roles: two forest-wide roles and three
domain roles. You can transfer these roles to other domain controllers as you need.
• Host the Global Catalog (optional). You can designate any domain controller as a Global Catalog
server.
Note: The Global Catalog server is a domain controller that holds, in addition to the
domain information, some partial information about every object in every other domain in the
forest. It is optimized for cross-domain searches.
• Support group policies and the System Volume (SYSVOL). By using Group Policies, you can specify
configuration for collections of users, groups, or computers by linking GPOs that contain
configuration instructions to OUs. Group Policies consist of Group Policy containers, stored in AD DS,
and Group Policy templates, stored in the SYSVOL folder in the file system of all domain controllers.
• Provide for consistent data throughout the organization. AD DS is a distributed directory service.
Objects such as users, computers, OUs, and services are distributed across all domain controllers in
the domain (a partial set is distributed across all DCs that are GCs in the forest), and can be updated
on any domain controller in the domain. Objects in the domain partition can only be updated in the
domain. When an application tries to change them in another domain, it receives a write referral to a
DC of the domain where the object resides.
Note: Domain controllers in a forest share a common schema, a common Global Catalog,
and a common forest root domain.
Installing a DC in Windows Server 2012 is effectively a two-step process that can be broken down as
follows:
2. Run the Active Directory Domain Services Configuration Wizard in Server Manager to promote the
server to a domain controller.
You can install multiple DCs remotely with the remote multi-server management capabilities present in
Server Manager in Windows Server 2012.
You can also use the Install-ADDSDomainController Windows PowerShell® cmdlet to automate the
installation. This cmdlet can be used remotely and across multiple computers.
Finally, before Windows Server 2012, a command-line tool named Active Directory Installation Wizard
(Dcpromo.exe) could be used to install DCs. This tool was deprecated in Windows Server 2012. However,
it can still be used to automate the installation when there are many parameters or an input file is
preferred.
• Improved security.
Be aware that applications that must run on a DC typically will not be compatible with RODCs.
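The two-step installation and the Install-ADDSDomainController cmdlet named above, together with the delegated two-stage RODC promotion and the password replication policy this lesson describes, look like this when scripted. This is an added example, not part of the course; every name in it is a placeholder (the adatum.com domain, the BRANCH01 site, the BRANCH-RODC1 server, and the Branch01-Admins and Branch01-Users groups), and credentials are prompted for rather than embedded.

```powershell
# Added example (not part of the course). All names are hypothetical placeholders.

# Step 1 (writable DC): install the role binaries. Nothing in the forest changes yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Check prerequisites before promoting, as the wizard does.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Test-ADDSDomainControllerInstallation -DomainName 'adatum.com' -SafeModeAdministratorPassword $dsrm

# Step 2 (writable DC): promote the server. DNS is installed alongside; a new DC
# is a Global Catalog unless -NoGlobalCatalog is given.
Install-ADDSDomainController -DomainName 'adatum.com' `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -UserName 'ADATUM\Administrator' -Message 'Domain Admin') `
    -Force

# RODC stage 1: run by a member of Domain Admins against a writable DC. It
# pre-creates the RODC account, names the branch group that may administer the
# RODC locally (administrative role separation), and sets the password
# replication policy: only branch users may have passwords cached, and the
# privileged groups (already denied by default) are denied explicitly.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'BRANCH-RODC1' `
    -DomainName 'adatum.com' `
    -SiteName 'BRANCH01' `
    -DelegatedAdministratorAccountName 'ADATUM\Branch01-Admins' `
    -AllowPasswordReplicationAccountName 'ADATUM\Branch01-Users' `
    -DenyPasswordReplicationAccountName 'ADATUM\Domain Admins', 'ADATUM\Enterprise Admins' `
    -InstallDns `
    -Credential (Get-Credential -UserName 'ADATUM\Administrator' -Message 'Domain Admin')

# RODC stage 2: run on the branch server by a member of Branch01-Admins, who
# holds no domain-level rights. -UseExistingAccount attaches the server to the
# account created in stage 1; the account already marks it as read-only, so
# -ReadOnlyReplica is not given here.
Install-ADDSDomainController -DomainName 'adatum.com' `
    -UseExistingAccount `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -UserName 'ADATUM\branchadmin' -Message 'Delegated branch admin') `
    -Force

# Afterwards the effective policy can be reviewed or adjusted from any writable DC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC1' -Allowed |
    Select-Object Name, ObjectClass
```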
Read-only Active Directory database: Except for certain “secrets,” an RODC holds all the Active
Directory objects and attributes that a writable domain controller holds. However, changes cannot be
made to the replica that is stored on the RODC. Changes must be made on a writable domain controller
and replicated back to the RODC. The RODC does not store multiple passwords or Microsoft BitLocker®
information.
Unidirectional replication: Even if an RODC is compromised and its data is exposed, changes made on it
would not replicate out and would affect only the island around the RODC.
Credential caching: Credential caching is the storage of user or computer credentials. By default,
RODCs do not store or cache user or computer passwords. The exceptions are the RODC's own computer
account password and the krbtgt account of the RODC. There are also 10 default user profiles that are
cached on an RODC. Therefore, it is considered best practice not to log on to an RODC locally by using
accounts that have higher rights. You do not allow general credential caching on an RODC; instead, you
allow password replication only for a defined subset of accounts.
Administrative role separation: You can delegate the local administrator role of an RODC to any domain
user without granting that user any user rights for the domain or other domain controllers. This enables
a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a
driver. However, this does not give the branch user the ability to log on to any other domain controller
or perform any other administrative task in the domain.
Read-only Domain Name System: You can install the DNS Server service on an RODC. An RODC can replicate
all application directory partitions that DNS uses. If the DNS server is installed on an RODC, clients
can query it for name resolution as they would query any other DNS server.
An RODC effectively behaves like a DNS server hosting a secondary zone: it will not accept changes but
instead redirects update requests to full domain controllers hosting the DNS zones.
Delegated two-stage promotion of an RODC: Where no domain controllers exist in a remote office, you can
delegate the RODC promotion to any domain user. The first stage requires Domain Admin privileges to
create the relevant information in AD DS; the second stage is performed by a domain user who does not
have those privileges but can be delegated the permission in this scenario. This means a Domain Admin
does not have to log on to the remote office to complete the installation, which reduces risk.
Question: In your work environment, do you have scenarios where an RODC could be used?
Sites can be configured and managed through the Active Directory Sites and Services management
console. This console can be accessed in Server Manager under the Tools menu.
Note: Sites are used by domain controllers to build the replication infrastructure and to
decide which DCs should serve which clients. Clients use sites to locate services, such as
domain controllers and Global Catalog servers. Additional services, such as DFS, also rely on
the site configuration.
Replication
AD DS replication is how changes to directory data are transferred between domain controllers in the
forest. The AD DS replication model defines the mechanisms that enable directory updates to be
transferred automatically between domain controllers to provide a seamless replication solution for the
AD DS distributed directory service.
There are multiple partitions in AD DS. By default, there are additional DomainDnsZones per Domain and
ForestDnsZones per Forest, and administrators are also able to build their own. It is the domain partition
that contains the data that changes most frequently. This information makes up the bulk of AD DS
replication data.
Active Directory Site Links
A site link is used to describe the WAN connections between sites so that domain controllers can decide
the best replication strategy across site boundaries. Although you could use the default site
link provided in AD DS, in most scenarios we recommend creating additional site links as your needs
dictate. You can configure settings on site links to determine the schedule and availability of the
replication path.
When two sites are connected by a site link, the replication system automatically creates connections
between specific domain controllers in each site. These connections are called bridgehead servers.
After you install a DNS server, you can start adding zones to the server. You can select to store the zone
data in AD DS if the DNS server is a domain controller. This creates an Active Directory Integrated Zone. If
you don’t select this option, the zone data is stored in a separate file, instead of in AD DS.
The main benefits of configuring DNS zones as Active Directory Integrated Zones are as follows:
• Multi-Master DNS. Every DNS server can write updates to DNS records. Active Directory
Integrated Zones can be written to by any DC to which the zone is replicated, unlike standard primary
zones, which can only be changed by a single primary server; this removes a single point of failure
from the DNS infrastructure. Using Active Directory Integrated Zones also allows for more fine-
grained security.
• Secure Dynamic Update. When you create a zone, you are also prompted to specify whether
dynamic updates are supported. Dynamic updates reduce the management overhead of a zone,
because clients can add, delete, and update their own resource records. Dynamic updates leave open
the possibility that a resource record could be spoofed. For example, a computer could register a
record named www, effectively redirecting traffic from your web server to the incorrect address.
To eliminate the possibility of spoofing, the Windows DNS Server service supports secure dynamic
updates. A client must authenticate before updating its resource records. So, the DNS server knows
whether the client is the same computer that has the permission to change the resource record. Secure
dynamic updates work in Active Directory integrated DNS only. Nonsecure dynamic updates are possible
in file-based zones.
• Integrated Replication of DNS Information. An enterprise should try to make sure that a zone can
be resolved by at least two DNS servers. If the zone is AD DS integrated, you can add the DNS server
role to another domain controller in the same domain as the first DNS server, and DNS data will
automatically replicate to the new DNS server.
If the zone is not AD DS integrated, you must add another DNS server and configure it to host a
secondary zone. Remember that a secondary zone is a read-only copy of the primary zone.
In summary, the main benefits are that you don’t need large zone transfers, you can add security, you can
enable multiple masters, and the proven AD DS replication engine keeps the zones across DNS servers in
sync.
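The secure dynamic update point above (a client must authenticate before it can change its own records, so a computer cannot register a spoofed www record) is only in effect on zones set to Secure. The following is an added example, not part of the courseware, that audits a DNS server for zones still accepting nonsecure updates and hardens the AD-integrated ones; it uses the DnsServer module shipped with Windows Server 2012, and the server name LON-DC1 is an assumption.

```powershell
# Added example (not from the courseware). Requires the DnsServer module on the DNS server.
Import-Module DnsServer

function Get-NonsecureDynamicUpdateZone {
    # Primary zones that accept unauthenticated (nonsecure) dynamic updates.
    param([string]$ComputerName = 'LON-DC1')   # assumed server name
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope
}

function Repair-DynamicUpdateSetting {
    # Move each AD-integrated zone found above to Secure; file-backed zones cannot use secure
    # updates, so they are reported instead of changed. -WhatIf previews without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ComputerName = 'LON-DC1')
    foreach ($zone in Get-NonsecureDynamicUpdateZone -ComputerName $ComputerName) {
        if (-not $zone.IsDsIntegrated) {
            Write-Warning "$($zone.ZoneName) is file-backed; store it in AD DS before requiring secure updates"
            continue
        }
        if ($PSCmdlet.ShouldProcess($zone.ZoneName, 'Set DynamicUpdate = Secure')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName -DynamicUpdate Secure
        }
    }
}

# Preview first, then run again without -WhatIf to apply.
Repair-DynamicUpdateSetting -ComputerName 'LON-DC1' -WhatIf

# Confirm the setting on the domain zone afterwards.
Get-DnsServerZone -ComputerName 'LON-DC1' -Name 'adatum.com' |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```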
SRV Records
A Service (SRV) Locator resource record resolves a query for a network service. This enables clients or
servers to locate a host that provides a specific service. SRV records are used in many scenarios. This
includes the following:
• When an administrator opens Active Directory Users and Computers console or other administrative
consoles, apart from the Active Directory Administrative Center console as that is using other
protocols.
• The priority and weight. This helps a client determine which host should be preferred.
• The port on which the service is offered by the server. Port 389 is the standard port for LDAP on a
Windows domain controller.
• The target, or host of the service, which in this case is the domain controller named lon-dc1.adatum.com.
When a client process is looking for a domain controller, it can query DNS for an LDAP service. The query
returns both the SRV record and the A record for the server(s) that provide the requested service.
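The lookup described above, as an added example that is not part of the courseware: it resolves the LDAP SRV record that the DC locator uses for adatum.com, chooses a target the way a client does (lowest priority value first, weight as the share of a random pick among equals), and then fetches the A record. Resolve-DnsName needs Windows 8 or Windows Server 2012 or later; the domain and site names are assumptions.

```powershell
# Added example (not from the courseware). DnsClient module, Windows 8 / Server 2012 and later.
Import-Module DnsClient

function Get-DcSrvRecord {
    # Generic DC records live under dc._msdcs; site-specific ones under <site>._sites.dc._msdcs,
    # which is how clients prefer a DC in their own site.
    param([string]$Domain = 'adatum.com', [string]$SiteName)
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    if ($SiteName) { $name = "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |          # the answer also carries A records
        Select-Object Name, NameTarget, Priority, Weight, Port
}

function Select-SrvTarget {
    # Client-side choice: the lowest Priority value wins; among equal priorities each host's
    # Weight is its share of a random pick (weight 0 is only chosen when every weight is 0).
    param([Parameter(Mandatory)][object[]]$Records)
    $best = ($Records | Sort-Object Priority | Select-Object -First 1).Priority
    $candidates = @($Records | Where-Object { $_.Priority -eq $best })
    if ($candidates.Count -eq 1) { return $candidates[0] }
    $total = [int](($candidates | Measure-Object -Property Weight -Sum).Sum)
    if ($total -eq 0) { return ($candidates | Get-Random) }
    $roll = Get-Random -Minimum 0 -Maximum $total      # 0 .. total-1
    $running = 0
    foreach ($c in $candidates) {
        $running += $c.Weight
        if ($roll -lt $running) { return $c }
    }
}

$srv = Get-DcSrvRecord -Domain 'adatum.com'
$srv | Format-Table NameTarget, Priority, Weight, Port -AutoSize   # Port 389 is LDAP on a DC
$dc = Select-SrvTarget -Records $srv
"Client would contact $($dc.NameTarget) on port $($dc.Port)"

# The A record for the chosen target completes the lookup; the SRV answer usually already
# includes it in the additional section, but asking explicitly is harmless.
Resolve-DnsName -Name $dc.NameTarget -Type A | Select-Object Name, IPAddress
```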
executed in the GUI. The commands can then be copied and used to automate daily repetitive tasks.
• Active Directory Domain Services Configuration wizard. Within the AD DS Configuration wizard,
you can create a file that contains all the configuration settings that are designated in the wizard. For
example, DC install options, DNS options, and database locations. This lets you run through the
wizard, specify the settings that are required, export the text file that contains the configuration
settings, and then exit the wizard without running it, thus providing a configuration file that can be
used for deployment. The configuration file would have to be tested before it is used in a production
environment. However, this would save time when you try to automate a setup.
Windows PowerShell has more than 10 cmdlets, contained in the ADDSDeployment module, that are specific
to installing and uninstalling AD DS. These cover forest, domain, and domain controller installation, and
a series of Test cmdlets that let you verify the prerequisites in your environment before you deploy or
remove elements of your infrastructure. This is very useful in remote scenarios.
For administrative tasks, there are well over 50 cmdlets contained within the ActiveDirectory module.
These cmdlets cover a large range of tasks. This includes user, group, computer, and object creation and
management; configuring password policies; site management and replication; and domain and forest
management. For a list of Active Directory Windows PowerShell commands in the Windows PowerShell
console, type get-help *-AD*.
The first step is to deploy the Active Directory Domain Services (AD DS) server role, and again you can do
this through the Add Roles And Features Wizard in Server Manager or by using Windows PowerShell with
the following command.
Install-WindowsFeature AD-Domain-Services
After installation, the files that are required to perform the role are now available on the server but the
server is not yet running as a domain controller. The next step is to promote the server to a domain
controller. If you open the notifications in Server Manager, you will find a message asking you to
“Promote this server to a domain controller” or you can open the AD DS management console in Server
Manager and also see similar messages. Clicking the messages opens up the Active Directory Domain
Services Configuration Wizard. It is here that the information outlined earlier is required.
As mentioned earlier, you can also promote a server to a domain controller by using Windows PowerShell
and the following command, when joining an existing domain. (There are many other parameters that are
not included in the following example.) A restart is required after the following command.
Some other useful Windows PowerShell commands are listed in the table below.
Get-Command -Module ADDSDeployment    Displays the cmdlets for the ADDSDeployment module
Get-Command -Module ActiveDirectory   Displays the cmdlets for the ActiveDirectory module
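The two-step installation above, and the delegated two-stage RODC promotion from the RODC features, as an added example that is not part of the courseware: each function is run on the machine and with the account named in its comment, and the promotion cmdlets restart the server when they finish. The domain adatum.com comes from the course; the site name Branch-Site, the RODC name LON-RODC1, and the ADATUM\BranchAdmin account and ADATUM\Branch Users group are constructed for this example.

```powershell
# Added example (not from the courseware). ServerManager, ADDSDeployment and ActiveDirectory modules.
$Domain = 'adatum.com'

function Install-WritableDC {
    # Run on the member server that is to become a writable DC, as a Domain Admin.
    param([pscredential]$Credential, [securestring]$DsrmPassword,
          [string]$SiteName = 'Default-First-Site-Name')
    # Step 1: role binaries only; the server is not a DC yet.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    # Step 2a: the Test cmdlet checks prerequisites without changing the forest.
    $check = Test-ADDSDomainControllerInstallation -DomainName $Domain -Credential $Credential `
        -SafeModeAdministratorPassword $DsrmPassword -InstallDns -SiteName $SiteName
    if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }
    # Step 2b: promote. The server restarts when this completes.
    Install-ADDSDomainController -DomainName $Domain -Credential $Credential `
        -SafeModeAdministratorPassword $DsrmPassword -InstallDns -SiteName $SiteName -Force
}

function New-StagedRodcAccount {
    # Stage 1 of the two-stage RODC promotion: run as a Domain Admin from any DC or admin
    # workstation. Only the account is pre-created; no Domain Admin logs on at the branch.
    param([pscredential]$Credential)
    Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'LON-RODC1' `
        -DomainName $Domain -SiteName 'Branch-Site' -Credential $Credential `
        -DelegatedAdministratorAccountName 'ADATUM\BranchAdmin' `
        -AllowPasswordReplicationAccountName 'ADATUM\Branch Users' `
        -DenyPasswordReplicationAccountName 'ADATUM\Domain Admins', 'ADATUM\Enterprise Admins'
}

function Complete-StagedRodcPromotion {
    # Stage 2: run on the branch server LON-RODC1 as the delegated user, who holds no
    # domain-wide rights. -UseExistingAccount attaches to the account created in stage 1.
    param([pscredential]$BranchCredential, [securestring]$DsrmPassword)
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Install-ADDSDomainController -DomainName $Domain -Credential $BranchCredential `
        -SafeModeAdministratorPassword $DsrmPassword -UseExistingAccount -InstallDns -Force
}

function Get-DcSummary {
    # After the restarts: confirm each DC's site and role, and that the RODC is read-only.
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, IPv4Address |
        Sort-Object Name
}

# Usage (interactive prompts; run each function where its comment says):
#   Install-WritableDC -Credential (Get-Credential) -DsrmPassword (Read-Host -AsSecureString 'DSRM password')
#   New-StagedRodcAccount -Credential (Get-Credential)
#   Complete-StagedRodcPromotion -BranchCredential (Get-Credential 'ADATUM\BranchAdmin') -DsrmPassword (Read-Host -AsSecureString 'DSRM password')
#   Get-DcSummary
```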
http://go.microsoft.com/fwlink/?LinkID=309117
Lesson 3
Managing Users, Groups, and Computers
One of your functions as an AD DS administrator is to manage user, group, and computer accounts. These
accounts are AD DS objects that people use to log on to the network and access resources. In this lesson,
you will learn about how to change user, group, and computer accounts in an AD DS domain.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe groups.
• Allow or deny users to log on to a computer based on their user account identity.
• Grant users access to processes and services for a specific security context.
• Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.
The Users container located in Active Directory Users and Computers has two built-in user accounts:
Administrator and Guest. These built-in user accounts are created automatically when you create the
domain.
To maximize security, you should avoid multiple users sharing one account: each user who logs on to the
network should have a unique user account and password.
When you create a user account, you must provide a user logon name. User logon names must be unique
in the domain/forest in which the user account is created. If you create user accounts for administrative
purposes, we recommend that you separate them from the “regular” user account that is used to read
email messages and surf the web. However, it is still recommended to create individual accounts per user.
• Delegation. Groups are frequently used to delegate administration. For example, if you allow
someone to grant contributor and owner rights in SharePoint, that user has more rights than
intended because the user can delegate anything in that site. Therefore, administrators frequently
create groups by SharePoint site, network share, or for other applications, and grant the site or
application owners only the rights to manage those pre-created groups instead of managing
permissions in the application itself. The same applies to the self-management of groups or project
groups.
Group Types
There are two kinds of groups in AD DS: security groups and distribution groups.
• Security Groups. You create security groups to consolidate objects to which you want to assign
permissions or rights. These groups have associated security identifiers (SIDs). You can also use
security groups for distribution purposes in an email application, such as Exchange Server Distribution
Groups.
• Distribution Groups. You can use distribution groups only with email applications, such as Exchange
Server, to send email to multiple users. Distribution groups are not security-enabled. That means
distribution groups cannot be assigned permissions on resources or objects in AD DS. In smaller
organizations, it is usually unnecessary to create distribution groups because security groups can be
email-enabled. However, in larger organizations, the separation of distribution and security groups
enables you to separate the administration of the email system and AD DS.
Group Scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that
identifies the extent to which the group is applied in the domain tree or forest. There are three group
scopes:
• Domain local. Domain local groups can contain members from any domain in the forest but can only
be granted permissions and assigned rights on objects on the local domain. In other words, the
group’s abilities are localized.
• Global. Global groups can contain members only from the local domain, but can be granted
permissions or assigned rights anywhere in the forest. In other words, the group’s abilities are global.
• Universal. A universal group can contain members from anywhere in the forest and can be granted
permissions and assigned rights anywhere in the forest. In other words, the group’s abilities and
membership are universal. Another important characteristic of a universal group is that the
membership list is maintained in the Global Catalog. Therefore, you can only email-enable universal
groups in Exchange Server.
Question: Describe a situation where you would use a distribution group instead of a
security group.
Nesting Groups
When you use nesting, you add a group as a member of another group. You can use nesting to combine group
management. Nesting increases the number of member accounts that are affected by a single action, and
reduces replication traffic caused by the replication of changes in group membership.
The following are best practices for nesting groups:
You can remember this process with the AGDLP mnemonic: user accounts are members of global groups,
global groups are members of domain local groups, and domain local groups describe permissions or
user rights assignments. The AGDLP mnemonic stands for account, global, domain local, and permissions.
For organizations where permissions to groups should be assigned across various domains in the same
forest, consider adding global groups to universal groups:
You can remember this process with the AGUDLP mnemonic: account, global, universal, domain local,
and permission.
You can move groups in and out of this container. However, you cannot move the default groups in this
container to another location or to another domain.
If the built-in and system groups are insufficient for your needs, create additional groups as required. The
built-in groups are visible in the Builtin folder under the domain root.
Built-in groups should only be used after their rights are validated, because many Builtin groups can
potentially be granted more rights than is intended.
Computer Accounts
In AD DS, computers are security principals, just like users. This means that computers must have
accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the
user must also log on to the domain from a computer that has a valid computer account. If administrators
want to benefit from managing computers and users in AD DS, administrators must join them to the domain.
By default, if you join a computer to a domain, the computer account is created in the Computers container.
In most organizations, some administrators might move the computer accounts to department-specific OUs so
that specific software and operating system configurations can be applied to the computers. However,
many companies instead use geographical information such as the sites where the computers reside or are
assigned to. It is also common to differentiate between desktops and portable computers. Using
departmental or other organizational aspects that are likely to change frequently is not recommended.
Some properties for computer accounts in AD DS that could potentially be used are as follows:
• The Description property is a common property that is widely used for computer accounts, which
could be used to differentiate between test, development, or email computers such as laptops,
desktop, workstations, or servers. This is displayed in the details pane of Active Directory Users and
Computers, which makes it easy to view.
• The Location property is not as widely used but can be used to document the computer’s physical
location in the network.
• The Managed By property is also not as widely used, but lists the individual responsible for the
computer. This information can be useful when you have a data center with servers for different
departments and you have to perform maintenance on the server. You can call or send email to the
person who is responsible for the server before you perform maintenance on the server.
User Accounts
• Plan the accounts policy carefully to make sure that it meets the security needs of your organization.
The accounts policy includes password length, password complexity rules, and the maximum
password age for user accounts.
Group Accounts
When planning and implementing groups, consider the following points:
• Avoid assigning permissions and rights directly to user accounts. Use groups to make ongoing
maintenance easier.
• Use a group naming convention that identifies the group’s role or the name and the kind of access to
a resource that a group is granting. For example, the Sales global group obviously identifies users that
are in the Sales department, whereas the Printer Managers local group contains users who have
printer management rights.
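The AGDLP nesting from the earlier section and the naming convention from the group planning points above, as an added example that is not part of the courseware: accounts go into a Global group named for the role, that group is nested into a Domain Local group named for the resource and the access level it grants, and the permission is set once on the Domain Local group. It uses the ActiveDirectory module; the Groups OU, the \\LON-SVR1\SalesData share and the ACL_ naming prefix are assumptions, and Jeffh is the user created in the lesson's demonstration.

```powershell
# Added example (not from the courseware). ActiveDirectory module (RSAT / Windows Server 2012).
Import-Module ActiveDirectory

function Grant-ResourceAccess {
    param(
        [Parameter(Mandatory)][string]$RoleGroup,      # G: the role, e.g. 'Sales'
        [Parameter(Mandatory)][string]$ResourcePath,   # the folder or share being protected
        [Parameter(Mandatory)][string]$ResourceName,   # short name used in the DL group name
        [ValidateSet('Read', 'Modify', 'FullControl')][string]$Access = 'Modify',
        [string[]]$Members = @(),
        [string]$GroupOU = 'OU=Groups,DC=adatum,DC=com',   # assumed OU for groups
        [string]$NetbiosDomain = 'ADATUM'
    )
    # A -> G: accounts become members of a Global group named for their role.
    $g = Get-ADGroup -Filter "Name -eq '$RoleGroup'" -SearchBase $GroupOU
    if (-not $g) {
        $g = New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
    }
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $g -Members $Members }

    # DL: a Domain Local group whose name states the resource and the access it grants.
    $dlName = "ACL_${ResourceName}_$Access"
    $dl = Get-ADGroup -Filter "Name -eq '$dlName'" -SearchBase $GroupOU
    if (-not $dl) {
        $dl = New-ADGroup -Name $dlName -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOU -Description "$Access on $ResourcePath" -PassThru
    }
    # G -> DL: nest the role group; several roles can share one resource group.
    Add-ADGroupMember -Identity $dl -Members $g

    # P: the permission is granted once, to the DL group. No user ever appears in the ACL.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$NetbiosDomain\$dlName", $Access, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $ResourcePath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ResourcePath -AclObject $acl
    return $dl
}

# AGUDLP variant for several domains in one forest: put each domain's Global group into a
# Universal group (New-ADGroup -GroupScope Universal) and nest that into the Domain Local group.

$dl = Grant-ResourceAccess -RoleGroup 'Sales' -ResourcePath '\\LON-SVR1\SalesData' `
        -ResourceName 'SalesData' -Access Modify -Members 'Jeffh'

# Effective membership: who really gets Modify through the nesting chain.
Get-ADGroupMember -Identity $dl -Recursive | Select-Object SamAccountName, objectClass
```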
Computer Accounts
• Implement a naming convention that helps you identify the role and location of a computer.
• Implement the Description properties of computer accounts so that you can differentiate between
computer types and easily view the computer description in Active Directory Users and Computers.
In this demonstration, you will see how to use Active Directory Users and Computers to create an account,
add group membership, and delegate control of an OU.
Demonstration Steps
1. Use Active Directory Users and Computers to create a new user named Jeff Hay with a User
Logon Name of Jeffh.
Lesson 4
Implementing Group Policy
After you have created AD DS users, groups, computer accounts, and an OU structure, the next step is
usually to implement Group Policy. Group Policy and the AD DS infrastructure in Windows Server enables
IT administrators to automate and simplify user and computer management. Administrators can efficiently
implement security settings, enforce IT policies, and distribute software consistently across a given site,
domain, or range of OUs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe GPOs.
This is the most fine-grained component of Group Policy infrastructure. It defines a specific configuration
change to apply to a user or computer. For example, a policy setting exists that prevents a user from
accessing registry-editing tools. If you define that policy setting and apply it to the user, the user will be
unable to run tools such as Registry Editor (Regedit.exe). Another policy setting is available that you can
use to rename the local Administrator account. You can use this policy setting to rename the
Administrator account on all user desktops, laptops or other devices.
A policy setting can have three states: Not Configured, Enabled, and Disabled.
Note: Many policy settings are complex, and the effect of enabling or disabling them
might not be immediately clear. Make sure that you review a policy setting’s explanatory text in
the Group Policy Management Editor details pane or on the Explain tab in the policy setting’s
Properties dialog box. In addition, always test the effects of a policy setting and its interactions
with other policy settings before you deploy a change in the production environment.
Group Policy settings are defined and exist in a GPO. Therefore, a GPO can be defined as an object that
contains one or more policy settings and applies one or more configuration settings for a user or a
computer. After the settings are defined and a GPO is completed, then you must decide where to apply
the GPO. You can do this by “linking” a GPO to a specific target or audience. One or multiple GPOs can be
linked with one or multiple sites, domains, or OUs.
• Local GPOs. Every Windows operating system computer has a local set of Group Policy objects. They
are present whether the computer is part of an AD DS environment or a networked environment. If a
computer does not belong to an Active Directory domain, the local policy can be used to configure
and enforce configuration on that computer.
• Domain Based GPOs. These are created in Active Directory and stored on domain controllers. They
are used to manage configuration centrally for users and computers in the domain. When AD DS is
installed, two default GPOs are created:
o Default Domain Policy. This GPO is linked to the domain and affects all users and computers
within that domain, including computers that are domain controllers. This GPO contains policy
settings that specify password, account lockout, and Kerberos policies. Domain-based GPOs will
override local GPO settings and are easier to manage than GPOs on individual computers.
o Default Domain Controllers Policy. This GPO is linked to the OU of the domain controllers.
Because computer accounts for domain controllers are kept exclusively in the Domain Controllers
OU, and other computer accounts should be kept in other OUs, this GPO affects only domain
controllers. The Default Domain Controllers GPO should be changed to implement your auditing
policies and other settings, such as security settings, because it’s important that all DCs behave
the same.
A Group Policy Object has thousands of configurable Group Policy settings. These settings can affect
almost every area of the computing environment. You cannot apply all the settings to all versions of
Windows operating systems. Many new settings available in Windows 8 and Windows Server 2012 only
apply to the Windows 8 and Windows Server 2012 operating systems. If a computer has a setting applied
that it cannot process, it ignores the setting.
GPOs can be managed in Active Directory by using the Group Policy Management Console (GPMC). To
change the policy settings in a GPO, right-click the GPO, and then click Edit. The GPO settings then open
in the GPME (Group Policy Management Editor), which divides the settings into two sections:
• Computer Configuration. Contains settings that are applied to computers, regardless of who logs on
to them.
• User Configuration. Contains settings that are applied when a user logs on to the computer. It is
within this that you configure specific GPO settings.
Applying GPOs
Applying Group Policies is driven by the clients themselves; it is not a push technology. Clients initiate
Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to a user or computer,
the client interprets the policy, and then makes the appropriate environment changes. Some changes are
written directly into the registry, and more complex changes are processed by the client by using Group
Policy client-side extensions (CSEs).
GPOs are linked to sites, domains and organizational units. The hierarchy of those objects, in addition to
the order of the links on each object, defines in which order the GPOs are applied to a computer or user.
Additional mechanisms, such as security filtering, WMI filtering, and blocking and enforcing policies can
also be used to reduce the set of computers and users to which the GPO will apply.
The GPOs that apply to a user or computer are not all processed at the same time; they are processed in a
fixed order, and settings that are applied later can override settings that are applied earlier. Group
Policy settings are processed in the following order:
• Local GPO. Each computer has exactly one GPO that is stored locally. It is processed for both
computer and user Group Policy processing.
• Site. Any GPOs that are linked to the site that the computer belongs to are processed next. Processing
is in the order that is specified by the administrator, on the Linked GPOs tab for the site in the GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.
• Domain. Processing of multiple domain-linked GPOs is in the order specified by the administrator, on
the Linked GPOs tab for the domain in GPMC. The GPO with the lowest link order is processed last,
and therefore has the highest precedence.
• Organizational Units. GPOs that are linked to the organizational unit that is highest in the AD DS
hierarchy are processed first, and then GPOs that are linked to its child organizational unit are
processed, and so on. Finally, the GPOs that are linked to the organizational unit that contain the user
or computer are processed.
The first letters of the items listed above give us the acronym LSDOU. It’s important to remember this
processing order, especially when troubleshooting. If settings
conflict, Local Policies will be overwritten by GPOs linked to sites, which are overwritten by GPOs linked to
the domain, which are overwritten by policies linked to OUs (from the hierarchical topmost OU to the
lowest sub-OU). Enforcing or blocking GPOs also uses this order. Blocked GPOs will not be applied.
Enforced GPOs will be put to the end of the list and are likely to win. Here are several other things to
know about GPOs.
• GPOs can also be filtered by WMI settings such as hardware or software settings, configurations, or
even applications that are installed.
• Policy settings in the Computer Configuration node in the GPME are applied at system startup and
every 90 minutes after that.
• Policy settings in the User Configuration node in the GPME are applied when you log on and every 90
minutes after that.
Note: The 90-minute interval previously listed applies to domain members only. Domain
controllers update their GPOs every 5 minutes.
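The LSDOU order, enforcement and blocking described above can be reconstructed from the gPLink and gPOptions attributes that the GPMC writes on sites, domains and OUs. The following is an added example, not part of the courseware, that lists the processing order for one OU so that the last row is the GPO that wins a conflict; it uses the ActiveDirectory module, does not model security or WMI filtering, and the domain, site and OU names are assumptions.

```powershell
# Added example (not from the courseware). ActiveDirectory module (RSAT / Windows Server 2012).
Import-Module ActiveDirectory

function Get-GpLinks {
    # gPLink holds "[LDAP://<GPO DN>;<options>]" entries in link order; link order 1 comes first.
    param([string]$GpLink)
    $links = @()
    foreach ($m in [regex]::Matches($GpLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $opts = [int]$m.Groups[2].Value
        $links += [pscustomobject]@{
            GpoDn    = $m.Groups[1].Value
            Enabled  = -not ($opts -band 1)    # bit 0: link disabled
            Enforced = [bool]($opts -band 2)   # bit 1: enforced
        }
    }
    return ,$links
}

function Get-GpoApplicationOrder {
    param(
        [Parameter(Mandatory)][string]$TargetOU,           # e.g. OU=Sales,DC=adatum,DC=com (assumed)
        [string]$Domain   = 'adatum.com',
        [string]$SiteName = 'Default-First-Site-Name'
    )
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $siteDn   = (Get-ADReplicationSite -Identity $SiteName -Server $Domain).DistinguishedName
    # Container chain, top-down: Site, Domain, then each OU from the domain root to the target.
    $chain = @([pscustomobject]@{ Level = 'Site';   Dn = $siteDn },
               [pscustomobject]@{ Level = 'Domain'; Dn = $domainDn })
    $rdns = $TargetOU -split ','
    for ($i = $rdns.Count - 1; $i -ge 0; $i--) {
        if ($rdns[$i] -like 'OU=*') {
            $chain += [pscustomobject]@{ Level = 'OU'; Dn = ($rdns[$i..($rdns.Count - 1)] -join ',') }
        }
    }
    $normal   = @()   # non-enforced links in processing order
    $enforced = @()   # enforced links, collected top-down
    foreach ($c in $chain) {
        $obj = Get-ADObject -Identity $c.Dn -Server $Domain -Properties gPLink, gPOptions
        if ($c.Level -ne 'Site' -and ($obj.gPOptions -band 1)) {
            $normal = @()   # Block Inheritance: drop non-enforced links from the containers above
        }
        $links = @(Get-GpLinks -GpLink $obj.gPLink | Where-Object Enabled)
        # Link order 1 is processed last (highest precedence), so walk the list bottom-up.
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            $name  = (Get-ADObject -Identity $links[$j].GpoDn -Server $Domain -Properties displayName).displayName
            $entry = [pscustomobject]@{ Level = $c.Level; Container = $c.Dn; Gpo = $name; Enforced = $links[$j].Enforced }
            if ($entry.Enforced) { $enforced += $entry } else { $normal += $entry }
        }
    }
    # Enforced links run after everything else, with the topmost container's enforced GPOs last,
    # so a domain-level enforced GPO beats an OU-level one.
    [array]::Reverse($enforced)
    $local = [pscustomobject]@{ Level = 'Local'; Container = $env:COMPUTERNAME; Gpo = 'Local Group Policy'; Enforced = $false }
    $step = 0
    foreach ($e in @($local) + $normal + $enforced) {
        $step++
        [pscustomobject]@{ Step = $step; Level = $e.Level; Gpo = $e.Gpo; Enforced = $e.Enforced; Container = $e.Container }
    }
}

# The last row wins wherever settings conflict.
Get-GpoApplicationOrder -TargetOU 'OU=Sales,DC=adatum,DC=com' |
    Format-Table Step, Level, Gpo, Enforced -AutoSize
```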
The application of policies is called a Group Policy refresh. You can also force an immediate policy refresh
by using the GPUpdate command from the command line. Or, in a Windows PowerShell console, you can
run the Invoke-GPUpdate cmdlet. The Windows PowerShell Group Policy cmdlets are available in
Windows Server 2012 and Windows 8 with Remote Server Administration Tools (RSAT).
In Windows Server 2012, you can also force a Group Policy Update in the GPMC by right-clicking the
container in question such as Domain Controllers for example, and selecting Group Policy Update. Then in
the resulting Force Group Policy Update dialog box, select Yes. This creates a scheduled job that will run
in 10 minutes.
Question: What would be some advantages and disadvantages to lowering the refresh
interval?
The GPMC also provides mechanisms for backing up, restoring, migrating, and copying existing GPOs.
This is very important for maintaining your Group Policy deployments if there is error or disaster. It helps
you avoid manually recreating lost or damaged GPOs, and having to complete the planning, testing, and
deployment phases. Part of your ongoing Group Policy operations and Active Directory Backup and
Recovery plan should include regular backups of all GPOs, by using the GPMC or scripting tools
supported by the GPMC. Recovering a GPO without a GPMC backup, even when you have a system state
backup, can be very tricky.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains.
You can also delegate the administration of GPOs. By default, only Domain Admins, Enterprise Admins,
and Group Policy Creator Owners can create new GPOs. But you can use three methods to grant a group
or user this right:
• Explicitly grant the group or user permission to create GPOs by using the GPMC.
To edit a GPO, the user must have both read and write access to the GPO. You can grant this permission
by using the GPMC.
Note: Delegating GPOs must be considered carefully. If you grant the user rights to create
new GPOs, those users can create GPOs, but they might be unable to link them. If you grant the
rights to link GPOs to specific sites/domains/OUs, they can link any GPO and not just the GPOs
they created.
In scenarios where you want to control the use of GPOs but enable an administrative group to
adjust certain settings using a GPO, it can be a good idea to create and link the GPO, and grant
the group the rights to change its settings.
Group Policy Preferences typically provide another method to configure the operating system
environment and its variables that were mostly done through logon scripts. Preferences effectively replace
the need for logon scripts. Some common configurations that can be applied to computers are as follows:
• Copy files.
• Map printers.
• Schedule tasks.
The main approach for deciding whether to use Group Policy settings or Group Policy Preferences is
determined by what the configuration setting is that the administrator wants to set. If you can set your
configuration requirement by using Group Policies, then use Group Policy settings. If not, then use Group
Policy Preferences. You may also need to enforce a policy to ensure that users are unable to change a
preference. For example, registry changes—that is, if you create a Group Policy Preference that is
changing a registry-setting, you can then use a Group Policy setting to disallow registry editing tools. This
will enforce the preference.
Preferences have a built-in scoping mechanism called item-level targeting. You can have multiple
preference items in a single GPO, and each preference item can be targeted or filtered. For example, you
could have a single GPO with a preference that specifies folder options for engineers and another item
that specifies folder options for salespeople. You can target the items by using a security group or OU.
More than a dozen other criteria can also be used, including hardware and network characteristics,
date and time, LDAP queries, and more.
One of the main benefits to preferences is that you can target multiple preference items in a single GPO
instead of requiring multiple GPOs. With Group Policy settings, you frequently need multiple GPOs
filtered to individual groups to apply variations of settings.
In the Group Policy Management Editor, you can view two nodes: Policies and Preferences. In the
Preferences node are groupings for Windows Settings and Control Panel Settings.
Demonstration Steps
1. Create a new GPO called Disable CAD Task Manager.
2. In the new GPO, restrict users from starting Task Manager when pressing Ctrl+Alt+Del.
3. Link the GPO to the Sales OU.
4. Sign in as Jay Hay to verify that the Task Manager is not a logon option and the GPO was applied.
5. Sign in as the Administrator to show that the Task Manager is a logon option and the GPO was not
applied.
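The demonstration above, together with the earlier note on delegating GPO administration, can be carried out with the Windows PowerShell GroupPolicy module instead of the GPMC console. The following script is an added example and is not part of the courseware. It assumes the Adatum.com domain with a Sales OU directly under the domain root, and a group named Sales Policy Editors (a constructed name) that should be allowed to edit the GPO's settings but not to link it anywhere.

```powershell
# Added example (not courseware code). Requires the GroupPolicy module (installed with
# the GPMC feature) and runs as an account permitted to create and link GPOs.
Import-Module GroupPolicy

$gpoName   = 'Disable CAD Task Manager'
$salesOu   = 'OU=Sales,DC=Adatum,DC=com'   # assumption: Sales OU directly under the domain
$editGroup = 'Sales Policy Editors'        # constructed group name for the delegation step
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Step 1: create the GPO, or reuse it if a previous run already created it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Removes Task Manager from the Ctrl+Alt+Del screen'
}

# Step 2: the policy setting. In the editor this is User Configuration > Policies >
# Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager.
# It is stored as the DisableTaskMgr value in the HKCU policies hive.
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Step 3: link the GPO to the Sales OU only. Accounts outside that OU, such as the
# built-in Administrator account, are not in scope and keep Task Manager.
$existingLink = (Get-GPInheritance -Target $salesOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $salesOu -LinkEnabled Yes | Out-Null
}

# Delegation: GpoEdit grants read and write on the GPO object itself, which is what
# the note calls "the rights to change its settings". It does not grant the right to
# link the GPO; that right is held on the site, domain, or OU object, not on the GPO.
Set-GPPermission -Name $gpoName -TargetName $editGroup -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Checks: the setting is in the GPO, the link exists, and the delegation took effect.
$value = Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'DisableTaskMgr'
$perm  = Get-GPPermission -Name $gpoName -TargetName $editGroup -TargetType Group
[pscustomobject]@{
    Gpo             = $gpoName
    DisableTaskMgr  = $value.Value
    LinkedToSalesOu = (Get-GPInheritance -Target $salesOu).GpoLinks.DisplayName -contains $gpoName
    EditDelegatedTo = "$($perm.Trustee.Name): $($perm.Permission)"
}
```

Steps 4 and 5 of the demonstration are then a client-side check: after signing in on LON-CL1 as Jay Hay, `gpresult /r /scope user` lists the GPO under Applied Group Policy Objects, while the same command for the Administrator account does not (run `gpupdate /force` first if the client has not yet refreshed policy).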
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 75 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1, 10967A-LON-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: ADATUM
3. Promote LON-SVR1 to a domain controller by using the following information (accept the default
settings unless otherwise stated):
8. Run the Prerequisite Check and make sure that all prerequisites are successful. Warnings are
acceptable.
9. Click Install, and then wait for the installation to complete and the computer to restart.
Results: After this exercise, you will have promoted a new domain controller.
o Domain: Adatum
2. Use Active Directory Users and Computers to create a new OU called A Datum Merger Team in the
Adatum.com domain.
Results: After this exercise, you will have created a new organizational unit (OU).
2. Create groups
2. In Active Directory Users and Computers, create the following user accounts in the A Datum Merger
Team OU by using the following information to complete the process:
o Password is Pa$$w0rd.
o Clear the User must change password at next logon check box.
3. After creating the first account, see if there is an easy way to automate the creation of the remaining
accounts by using Windows PowerShell.
2. Using the Delegation of Control Wizard, grant the Merger Team Management global security group
the user right to Reset user passwords and force password change at next logon on the A
Datum Merger Team OU.
Results: After this exercise, you will have created the necessary user accounts and groups, and moved the
users’ computer accounts into the OU.
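Step 3 of the exercise asks whether the remaining accounts can be created with Windows PowerShell. The following script is an added example and is not the lab's answer key. It uses the ActiveDirectory module, assumes the A Datum Merger Team OU already exists in Adatum.com, and works from a constructed roster (only Tony Allen is named on this page) with a constructed naming convention of first initial plus surname for the logon name.

```powershell
# Added example (not lab code). Run on LON-DC1 or a computer with RSAT, as an account
# that is allowed to create user and group objects in the OU.
Import-Module ActiveDirectory

$domainDns = 'Adatum.com'
$ouPath    = 'OU=A Datum Merger Team,DC=Adatum,DC=com'
$groupName = 'Merger Team Management'
# Lab password from the exercise. -AsPlainText is acceptable here only because every
# account receives the same, publicly known training password.
$password  = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Constructed roster: the lab's real user list is not reproduced on this page.
$roster = @(
    @{ Given = 'Tony';   Surname = 'Allen';  Manager = $true  },
    @{ Given = 'Anna';   Surname = 'Lidman'; Manager = $false },
    @{ Given = 'Oliver'; Surname = 'Cox';    Manager = $false }
)

# Constructed convention for the logon name: first initial + surname, lower case.
function Get-LogonName([hashtable]$Person) {
    ($Person.Given.Substring(0, 1) + $Person.Surname).ToLower()
}

foreach ($person in $roster) {
    $sam = Get-LogonName $person
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Output "$sam already exists; skipping"
        continue
    }
    # -ChangePasswordAtLogon $false mirrors clearing the "User must change password
    # at next logon" check box in Active Directory Users and Computers.
    New-ADUser -Name "$($person.Given) $($person.Surname)" `
        -GivenName $person.Given -Surname $person.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$domainDns" `
        -Path $ouPath -AccountPassword $password `
        -ChangePasswordAtLogon $false -Enabled $true
}

# Create the global security group in the same OU (if needed) and add the managers.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
}
$managers = $roster | Where-Object { $_.Manager } | ForEach-Object { Get-LogonName $_ }
Add-ADGroupMember -Identity $groupName -Members $managers

# Review what was created.
Get-ADUser -Filter * -SearchBase $ouPath -Properties PasswordLastSet |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet | Format-Table -AutoSize
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName
```

Because both the user and group steps check for an existing object before creating it, the script can be re-run safely after a partial failure; in a real deployment the roster would come from `Import-Csv` rather than an inline array.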
1. Create a GPO
2. Link a GPO
3. Test a GPO
4. Open the GPO for editing. Use the following steps to create a logon script for the team:
5. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
9. In the Browse dialog box, right-click the No items match your search box, click New, and then click
Text Document.
10. Highlight the whole file name, including the file name extension, and type logon.vbs. Then press
Enter.
11. If you are prompted, in the Rename dialog box, click Yes.
13. If you are prompted, in the Open File – Security Warning dialog box, click Open.
2. Link the A Datum Merger Team GPO to the A Datum Merger Team organizational unit.
• Domain: Adatum
Note: By default, the operating system might display the Start menu items after logon, and you
might have to select the desktop to be able to view the logon script.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After this exercise, you will have created a Group Policy Object (GPO) and linked it to the A
Datum Merger Team OU.
Question: In the lab, you used Active Directory Administrative Center to manage accounts.
What other tool could you use?
Question: In the lab, you added Tony Allen, a single user, to a management group. Why not
grant Tony the required permissions directly?
Tools
Tool: Group Policy Management Editor
  Use for: To edit Group Policy settings and preferences
  Where to find it: By editing a GPO in GPMC, you can access the Group Policy Management Editor
Tool: Windows PowerShell cmdlets
  Use for: Available in the Windows PowerShell console
  Where to find it: Available for Active Directory and Group Policy
Module 8
Implementing IT Security Layers
Contents:
Module Overview 8-1
Module Overview
Security is an important part of any computer network and must be considered from many perspectives.
The security of data, both web content and files accessed on network shares, is a common concern. In
addition to file and share permissions, you can also use data encryption to restrict data access.
Objectives
After completing this module, you will be able to:
• Identify security threats at all levels and reduce those threats.
Lesson 1
Overview of Defense-in-Depth
You can approach security design for computers in various ways. Defense-in-depth is one model for
analyzing and implementing security for computer systems. This model uses layers to describe different
areas of security.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe defense-in-depth.
• Describe how policies, procedures, and awareness can help implement defense-in-depth.
What Is Defense-In-Depth?
When you park your car in a public location, you consider several factors before walking away from it:
for example, where it is parked, whether the doors are locked, and whether you have left anything of
value lying on the seat. You understand the risks associated with parking in a public place, and you can
reduce those risks. As with your car, you cannot properly implement security features on a computer
network without first understanding the security risks posed to that network.
Physical security measures have to operate within the context of organizational policies about security
best practices. For example, enforcing a strong user password policy is not helpful if users write their
passwords down and stick them to their computer screens. When establishing a security foundation for
your organization’s network, it is a good idea to establish appropriate policies and procedures and
make users aware of them. Then you can progress to the other aspects of the defense-in-depth model.
Physical Security
If any unauthorized person can gain physical access to your computer, then most other security measures
are of little importance. Make sure computers that contain the most sensitive data, such as servers, are
physically secure.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate in a global community, and
network resources must be available to service that global community. This might include building a
website to describe your organization’s services, or making internal services such as web conferencing and
email applications, available externally so that users can work from home or from satellite offices.
Perimeter networks mark the boundary between public and private networks. By providing specialist
servers, such as a reverse proxy, in the perimeter network, you can more securely provide corporate
services across the public network.
Note: With a reverse proxy server, you can publish services from the corporate intranet,
such as email or web services, without placing the email or web servers in the perimeter. To a
client, the reverse proxy appears to be the final destination, regardless of whether the client’s
requests are forwarded to one or more servers. A reverse proxy is one system that has to be
tightly secured in the perimeter network. However, it can distinguish and publish multiple
different services from various back-end systems.
Networks
After you connect computers to a network, they are susceptible to several threats. These threats include
eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when
communication occurs over public networks by users who work from home, or from remote offices.
Host
The next layer of defense is that used for the host computer. You must keep computers secure with the
latest security updates.
Application
Applications are only as secure as your latest security update. You should consistently use Windows®
Update to keep your applications up to date. If the network also has third-party software, you must use
update mechanisms to make sure that they are up to date.
Data
The final layer of security is data security. To make sure that the network is protected, use file permissions,
encryption, and backup.
• Users unaware of the rules. When users are unaware of the rules, they cannot be expected to follow
them.
• Users viewing rules as unnecessary. If the reason for rules is not adequately communicated to users,
then some treat the rules as unnecessary.
• Social engineering. Users and computer administrators are vulnerable to social engineering where
they are convinced to break the rules. Sometimes this involves impersonating a legitimate user.
Mitigation
Consider the following to help reduce these threats:
It is very important that users know the security rules, their relevance to the organization, and the
ramifications or consequences of not abiding by those security rules.
• Modify data. After a system is compromised, data can be changed. For example, a disgruntled
employee could change their own performance review.
• Steal data. Data such as credit card information could be stolen after a system is compromised.
• Steal hardware. If devices are left unsecured, they can be stolen. Even servers that are incorrectly
secured can be stolen together with the data. For example, one of the worst scenarios is servers that
have hot-pluggable and redundant (mirrored) hard disk drives. If they are not physically secured and
properly monitored, it is very easy to pull one drive, take it away, and extract valuable business
information from it at leisure, without any security guards to intervene.
Mitigation
You must secure the network infrastructure, including the physical security. The problem is that although
you want to make it difficult for non-authorized people to access your computers and infrastructure, you
want to make it fairly easy for authorized employees.
Mitigation
To keep your organization safe, create a private network and a perimeter network by using firewalls,
intruder prevention and detection systems, and other components.
• Implement network address translation (NAT). NAT is an IP translation process that enables a network
that has private addresses to access information on the Internet.
• Use proxy servers and systems to make sure that no service is directly connected to the Internet.
• Unauthorized packet sniffing. The risk of unauthorized packet sniffing on modern wired networks is
minimal because switches control packet delivery and make sure that packets are sent only to the
specific destination. However, wireless networks are vulnerable, especially when only basic security
measures, such as Wired Equivalent Privacy (WEP), are used to help secure access. To packet-sniff
wired communication, you must have a physical connection to the specific location where the host
that you are monitoring is connected. Packet-sniffing a wireless network can be performed from any
physical location that has sufficient signal strength.
• Default configurations on network devices. Network devices, such as routers, have a default
configuration that includes a default management user name and password; failure to change these
compromises the network security. Using weak passwords on those devices is a security risk, and
using different passwords per device can increase security.
Note: Packet sniffing occurs when a malicious attacker connects a network data analyzer to
the network to capture and examine network packets in transit. This could lead to additional
attacks, depending on the data captured. For example, if the attacker can capture user name and
password information in transit, they can exploit the information to gain access to the servers and
data.
Mitigation
At the heart of many of these risks is the concept of authentication. If two computers can identify one
another, then they can communicate more securely. You can provide authentication services in several
ways, but one of the most secure is where digital certificates are exchanged during initial communications.
How you distribute and manage these certificates depends on your organization, but might include the
use of a public key infrastructure (PKI) that you implement within your organization.
Note: You cannot always rely on authentication because some applications, such as
network analysis, do not support authentication.
In addition to authentication, consider using encryption to make sure that data is secure while it is in
transit. You can encrypt communication from external public networks to your perimeter-based or
edge servers by using tunneling technologies; subsequent communication between the edge servers and
the internal network can then be protected with Internet Protocol security (IPsec), securing the entire
data path. Also, in common Secure Sockets Layer (SSL)/Hypertext Transfer Protocol Secure (HTTPS)
scenarios, only the server is authenticated. However, there are services and protocols, some of them
using HTTPS, where the client also has to be authenticated in order to increase security.
In addition, SSL can provide for secure and authenticated communications across networks. It is widely
used on the Internet, typically in web browsers where payment transactions are performed by using
HTTPS.
Consider the following to help reduce these threats:
• Do not make it easy to connect to the network. Someone should be unable to plug a laptop into the
network and access your intranet.
• Encrypt network communication.
• Segment the network. You can designate specific subnets for use by guests who have portable
computers or devices and need network access. You can do this by using Network Access Protection
(NAP), or you could use multiple wireless LANs (WLANs). You could even put the WLAN outside the
corporate network and require internal users to use a VPN. There are several options, depending on
the network requirements.
• Require mutual authentication.
• Restrict switch ports and internal WLAN access points based on the media access control (MAC)
address or client certificates. If the WLAN access points provide only access to the Internet, this should
be handled differently.
• Default operating system configurations. Operating systems and their services include default
configurations. In some cases, the default configuration might not include a password or might
include sample files that have vulnerabilities. An attacker uses their knowledge of default
configurations to compromise systems.
• Viruses are one mechanism used to attack hosts. The virus uses operating system flaws or default
configurations to replicate itself.
Mitigation
Windows Update and Windows Server® Update Services (WSUS) can help keep your computers up to
date. In Enterprise environments, you could also consider using System Center Configuration Manager
(SCCM). In addition, you should consider using antivirus and malware protection. In Windows 8 and
Windows RT, you can use Windows Defender to provide protection against viruses, malicious software, and
other unwanted third-party software. Microsoft Security Essentials is an antivirus product that is available
for free use with Windows XP, Windows Vista®, and Windows 7. Microsoft Security Essentials is not
supported on Windows 8 because Windows Defender provides the same level of protection.
Windows Server 2012 has several options available. Microsoft Forefront® Threat Management Gateway
(TMG) is being deprecated, but Forefront Unified Access Gateway (UAG) is available for use as a proxy or
firewall server. Some functionality is also integrated with the System Center products.
More information about the Malware Defense Guide can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309118
• Viruses introduced by users. In some cases, viruses are introduced by user actions instead of
application flaws. In other cases, an application is actually a Trojan horse that has malicious code
embedded in what seems to be a useful application.
• Programming vulnerabilities. This does not exclusively refer to industry-provided back-end
applications. It also refers to custom websites and other application code that needs to be secured (or
designed with security in mind). As more and more apps become available and more widely used,
programming vulnerabilities in those apps could potentially become an issue.
Mitigation
• Modification of application files. When application files are modified, they might perform
unwanted tasks, such as replicating data over the Internet where an attacker can access it.
Mitigation
This can take many forms, and might include using NTFS file system permissions and shared folder
permissions to make sure that only authorized users can access files at a defined level of access. You
might also be concerned about intellectual property rights and making sure that your data is used
appropriately. Finally, for data privacy, you can use both file and disk encryption technologies, such as the
Encrypting File System (EFS) or Windows BitLocker® Drive Encryption.
• Implement encryption.
Lesson 2
Physical Security
Physical security provides the first level of defense against a malicious attack. Therefore, make sure that
the network and the attached computers are physically secure. This lesson explores common physical
security threats, their mitigations, and how Windows Server can help provide physical security on the
network.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the Windows tools that are used to help provide physical security.
those who gain physical possession of the computer on which the files reside. Even persons who are
otherwise authorized to access the computer and its file system cannot view the data. EFS is not
supported on the Resilient File System (ReFS), a new file system in Windows Server 2012.
EFS has many planning requirements. For example, the recovery agent key must be safely stored and
maintained, so you need to carefully examine and assess the impact of rolling out EFS in your
organization. Failure to plan an EFS deployment properly could lead to loss of access to data.
BitLocker provides protection for the computer operating system and data that is stored on the operating
system volume by making sure that data that is stored on a computer remains encrypted, even if the
computer is tampered with when the operating system is not running. For example, if a laptop is lost or
stolen and someone tries to remove the hard disk and mount it in a separate environment to access the
data, that person cannot do so unless they have the appropriate credentials because the drive is
encrypted.
BitLocker provides a closely integrated solution in Windows client and Windows Server operating systems
to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned
personal computers. BitLocker in Windows 8 and Windows Server 2012 provides new functionality:
• Disk Space–Only encryption. Allows for a much faster encryption experience by only encrypting
used blocks on the targeted volume.
• Standard User PIN and password change. Enables a standard user to change the BitLocker PIN or
password on operating system volumes and the BitLocker password on data volumes. This reduces
internal help desk call volume.
• Network unlock. Enables a BitLocker system on a wired network to automatically unlock the system
volume during startup (on capable Windows Server 2012 networks), reducing internal help desk call
volumes for lost PINs.
• Support for Encrypted Hard Disk Drives for Windows. Windows 8 includes BitLocker support for
encrypted hard disk drives.
BitLocker was expanded upon in Windows Server 2012 and is now supported on clusters, including Cluster
Shared Volumes (CSV). It is also supported on both NTFS and ReFS file systems, unlike EFS.
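The Disk Space-Only encryption feature listed above, and the escrow of recovery information that makes a lost-laptop scenario recoverable for the help desk, can both be driven from the BitLocker module that ships with Windows 8 and Windows Server 2012. The following script is an added example, not courseware code. It assumes a domain-joined computer with a TPM, that C: is the operating system volume, and that AD DS has been prepared to store BitLocker recovery information (the Backup-BitLockerKeyProtector step fails otherwise).

```powershell
# Added example (not courseware code). Run from an elevated Windows PowerShell session
# on a domain-joined Windows 8 or Windows Server 2012 computer that has a TPM.
Import-Module BitLocker

$osDrive = 'C:'   # assumption: the operating system volume
$vol = Get-BitLockerVolume -MountPoint $osDrive

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # A recovery password is the fallback if the TPM will not release the key, for
    # example after a firmware update or when the disk is moved to another computer.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

    # -UsedSpaceOnly is the "Disk Space-Only encryption" option described above: only
    # blocks that currently hold data are encrypted, so a fresh install finishes quickly.
    # -TpmProtector seals the volume key to this computer's TPM, so a drive pulled out
    # and mounted elsewhere cannot be unlocked without the recovery password.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
}

# Escrow every recovery password in AD DS (on the computer object) so the help desk can
# recover a locked laptop without keeping copies of recovery keys on file.
$recoveryProtectors = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($rp in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# Report. The volume is protected only once ProtectionStatus is On; EncryptionPercentage
# reaches 100 quickly with used-space-only encryption on a new install.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ' } }
```

Used-space-only encryption is the right choice for a newly deployed computer; for a drive that has already held sensitive files, full-disk encryption (omit -UsedSpaceOnly) is safer because previously deleted data in unused blocks is otherwise left in clear text.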
Read-Only Domain Controllers
A read-only domain controller (RODC) is a kind of domain controller introduced in Windows Server 2008.
With an RODC, you can deploy a domain controller in locations where physical security cannot be
guaranteed, such as a branch office. An RODC hosts a read-only replica of the database in AD DS for a
given domain.
When an RODC services a logon request for a user on the network, that user’s credentials are cached at
the server; only users’ accounts at the branch office are cached in this manner. If the RODC is stolen, only
this subset of your domain accounts is compromised. This makes it easier and quicker for you to maintain
user account security.
Note: By default, no user credentials are cached on the RODC. This is more secure because
if the RODC is stolen, no user passwords are compromised. However, if the link between the head
office, where the writable domain controllers exist, and the branch office fails, and caching is not
enabled, users at the branch office cannot log on until the link is reestablished.
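The caching behaviour described in the note is controlled by the RODC's password replication policy, which can be inspected and adjusted with the ActiveDirectory module. The following is an added example, not courseware code; it assumes an RODC named LON-RODC1 and a group named Branch Office Users (both constructed names) that contains only the accounts that work at that branch.

```powershell
# Added example (not courseware code). Requires the ActiveDirectory module, run against
# a writable domain controller by a Domain Admin.
Import-Module ActiveDirectory

$rodc        = 'LON-RODC1'           # constructed RODC name
$branchGroup = 'Branch Office Users'  # constructed group of branch-office accounts

# Default state, matching the note: the Allowed list contains only the (empty)
# "Allowed RODC Password Replication Group", so no user passwords are cached.
Write-Output "--- Accounts and groups allowed to cache on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass

# Privileged principals (Domain Admins, krbtgt, and others) are denied by default so
# that a stolen RODC never holds their secrets. Deny always wins over Allow.
Write-Output "--- Accounts and groups explicitly denied on $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# Enable caching for the branch accounts only, so branch users can still log on when
# the WAN link to the head office is down, while the rest of the domain stays uncached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchGroup

# Incident view: if the RODC is stolen, these are exactly the accounts whose secrets
# were on it and therefore the accounts whose passwords must be reset.
Write-Output "--- Credentials currently revealed to $rodc ---"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, SamAccountName, ObjectClass
```

Keeping the Allowed list to a dedicated branch group, rather than adding Domain Users, keeps the "subset of your domain accounts" that a stolen RODC exposes as small as the branch itself.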
Group Policies
If you let users add storage devices, such as universal serial bus (USB) memory sticks or external hard disk
drives, to their network-attached computers, you can potentially introduce additional security risks.
Windows Server can use Group Policy objects (GPOs) to enforce rules on network-attached computers
that control or prohibit the addition of storage devices.
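The removable-storage rule described above is a computer-side Group Policy setting (Computer Configuration, Policies, Administrative Templates, System, Removable Storage Access). The following script is an added example, not courseware code; it assumes the GroupPolicy module, a constructed GPO name, and a constructed OU that holds the affected computer accounts.

```powershell
# Added example (not courseware code). Requires the GroupPolicy module and an account
# permitted to create and link GPOs.
Import-Module GroupPolicy

$gpoName   = 'Block Removable Storage'                 # constructed GPO name
$targetOu  = 'OU=Sales Workstations,DC=Adatum,DC=com'  # constructed OU of computer accounts
$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Denies access to all removable storage classes'
}

# "All Removable Storage classes: Deny all access" is stored as Deny_All = 1 under
# the RemovableStorageDevices policy key. This blocks USB sticks, external disks,
# CD/DVD and similar devices for every user of the computer, regardless of group.
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Less drastic alternative for environments where users only need to read from USB
# drives: leave Deny_All unset and block writes to the "Removable Disks" class only.
# The per-class subkey is that class's device setup class GUID.
# Set-GPRegistryValue -Name $gpoName -Key "$policyKey\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" `
#     -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null

# Link to the computers' OU (not a user OU, since this is a Computer Configuration setting).
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Review what the GPO now enforces.
Get-GPRegistryValue -Name $gpoName -Key $policyKey | Select-Object ValueName, Type, Value
```

On an affected computer, `gpupdate /force` followed by `gpresult /r /scope computer` confirms that the GPO applied; the deny takes effect the next time a removable device is plugged in.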
When you let computers connect to the network from unmanaged locations, such as users’ homes, or
you let computers from other organizations connect to the network, you expose the network to
security risks.
The network is only as secure as the least secure computer attached to it. Many programs and tools exist
to help you secure the network-attached computers, such as antivirus or malware detection software.
However, if the software on some of the connected computers is not up to date, or worse, not enabled or
configured correctly, then these computers pose a security risk.
Computers that remain within your office environment and are always connected to the same network are
fairly easy to keep configured and updated. Computers that connect to different networks, especially
unmanaged networks, are more difficult to control; for example, portable computers that connect to
customer networks or to public wireless fidelity (Wi-Fi) hotspots. In addition, unmanaged computers
seeking to connect remotely to the network, such as users’ home computers, pose a challenge.
As discussed earlier in the course, NAP is a policy enforcement platform that requires NAP infrastructure
servers that are running Windows Server 2008 or later versions and NAP clients that are running Windows
XP with Service Pack 3 (SP3), Windows Vista, or later operating systems. NAP lets you more strongly
protect network assets by enforcing compliance with system health requirements.
NAP provides the necessary software components to help make sure that computers connected or
connecting to the network remain manageable, so they do not become a security risk to the network and
other attached computers. This enables you to more confidently allow computers to connect to the
network.
Access Control
After computers have connected to the network and have access to the server data, you can protect the
integrity of the data by configuring appropriate file permissions. Make sure that you only grant
permissions where it is required and grant the minimum permissions that are required. This is especially
important if users from outside your organization are connecting to the network.
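The least-privilege rule above (grant only where required, and only the minimum) is easiest to keep when a folder's permissions are set explicitly rather than inherited from the volume root. The following script is an added example, not courseware code. It assumes a file server with a D: volume, the domain NetBIOS name ADATUM, the Merger Team Management group from the lab, and a constructed group named Merger Team for the read-only users.

```powershell
# Added example (not courseware code). Run from an elevated session on the file server
# (for example LON-SVR1) as a member of the local Administrators group.
$sharePath = 'D:\Shares\MergerTeam'            # assumed path
$shareName = 'MergerTeam'                      # assumed share name
$editors   = 'ADATUM\Merger Team Management'   # group from the lab
$readers   = 'ADATUM\Merger Team'              # constructed group

New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# Start from a clean ACL: stop inheriting from D:\ and discard the inherited entries,
# which on a default volume would leave BUILTIN\Users able to create and modify files.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)

# Explicit grants, least privilege: editors get Modify (not Full Control, so they
# cannot change permissions or take ownership), readers get Read & Execute only.
$grants = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
    @{ Identity = $editors;                 Rights = 'Modify'         },
    @{ Identity = $readers;                 Rights = 'ReadAndExecute' }
)
foreach ($g in $grants) {
    # Inherit to subfolders and files so new content gets the same access.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Identity, $g.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Share permissions are a second gate. Keep them no wider than the NTFS grants; the
# effective permission over the network is the more restrictive of the two.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath `
        -ChangeAccess $editors -ReadAccess $readers | Out-Null
}

# Review: expect no inherited entries and no Everyone or Users access at either layer.
(Get-Acl -Path $sharePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $shareName
```

Granting rights to groups rather than to individual accounts (the point of the lab question about Tony Allen) means access is adjusted later by changing group membership, without touching the ACL again.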
devices in computer rooms that are protected by physical security mechanisms such as smart card
access or any level of per-user authentication. In high-security environments, consider implementing
biometric security to make sure that only authorized persons can physically access your computers.
• Disable Log On Locally. The ability to log on interactively at a computer is a right that is typically
granted to all users for all computers in your forest except for domain controllers. Where more
security is required, consider disabling log on locally. If a user cannot log on, this reduces their ability
to perform actions on the network. Data centers are typically required to have this level of access. In
higher level security facilities, this could also be done for each server.
• Mobile device security. Mobile devices, for example portable computers and mobile telephones,
give users the convenience of being able to access the corporate network from anywhere. However,
this raises the possibility that these devices might be lost or stolen. Make sure that you implement
appropriate security on mobile devices so that if they are lost or stolen, data is not compromised.
Consider implementing remote wipe technologies on mobile devices such as Windows Mobile
handsets. Consider implementing EFS and BitLocker Drive Encryption on portable computers.
• Removable devices and drives. Carefully consider whether the convenience of users being able to
copy files to and from removable storage devices outweighs the security risk posed. If you decide that
users will be able to use removable storage devices, consider implementing BitLocker To Go® on
these devices, which provides data encryption on the device. Another important consideration is
Active Directory Rights Management Services (AD RMS), which helps secure important data and
make sure that it cannot be read on other devices or in the cloud.
More information about Security Content can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309120
Lesson 3
Internet Security
Internet access has become much more prevalent in recent years, and it seems ever present for work
productivity, personal development, and entertainment. As the demand for more integration of services
and Internet connectivity grows, and users perform increasingly complex tasks on the Internet, there is an
increase in related risks. This lesson explores the technologies and features that are available in Windows
to help protect your Windows-based computers while connected to the Internet.
Lesson Objectives
After completing this lesson, you will be able to:
o Inappropriate content.
Remember also that most email is sent in clear text, that is, unencrypted. This means that if a message
is intercepted, anyone can read and potentially change its contents. Additionally, most email is
transmitted between hosts that have no knowledge of one another, so most email traffic is not
authenticated. This makes it more difficult to determine the true originator of a message.
• Web browsing. A website can hide many security risks, including malicious programs. Common risks
associated with websites include the following:
o Plug-ins. These are applications to work with your browser to provide additional capabilities. For
example, you can use plug-ins to enable your browser to view video files. They can expose
security flaws in your browser.
o ActiveX® controls. These small programs are downloaded by your browser to enable it to
perform several specialized tasks. This includes manipulating data files or viewing specific file
types. Malicious ActiveX controls can pose a security threat to your computer.
o Cross-site scripting. By using this technique, a malicious attacker can cause client-side scripts
to run in webpages that your computer is viewing, even when the website you are viewing is
considered a safe source.
o Cookies. Cookies are used for authentication, session tracking, storage of website preferences,
shopping cart contents, and many other potential uses. Because of the sensitive data that is
stored in cookies, they can be misused.
It is also important to make sure that you have navigated to the appropriate site instead of to a bogus site
masquerading as a legitimate site.
• Instant messaging (IM). This method of communicating with friends and colleagues is very popular.
However, it has attracted the attention of malicious attackers. IM messages can contain links to unsafe
websites, be used to start file transfers, remotely control sessions, or share files and content on your
computer.
• Social networking. There are many social networking sites. These sites can pose the same security
risks as any other website. However, remember that these sites exist as a way for you to share
information, some of which may be personal information. Be careful when you share your personal
information with other people.
• File download. Any file that you download from the Internet can come from an untrusted source and
might contain harmful code. Make sure that you only download files from trusted sources and make
sure that files are digitally signed so that you can easily determine the files’ origin. This is especially
relevant for device drivers because files of this type, if malicious, can have a far more harmful effect
on your computer.
• Computer updates. It is common for software that is installed on your computer, including the
operating system, to periodically check for and download updates. This means that your computer is
up to date, performs optimally, and remains secured through the application of security updates.
However, software obtained from an untrusted source could use this update mechanism to download
malicious code onto your computer. Make sure that you verify that the updates are safe.
In addition, just connecting to the Internet exposes your computer to possible security risks. For example,
if you connect to the Internet from your home or from the office, the chances are that the connection is
reliable and reasonably secure. However, when you connect to the Internet from a location such as a
wireless hot spot, you might expose your computer to additional security risks.
Also, be aware that although the connection provided by the hot spot might in itself be secure, other
computers that are connected to that hot spot might be compromised by security flaws that could affect
your computer. In addition, hotspots commonly provide an unsecured connection for easier wireless
Internet access; under these circumstances, data that your computer sends and receives can be
captured and accessed by third parties.
More information about the Security Risk Management Guide can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309119
MCT USE ONLY. STUDENT USE PROHIBITED
8-16 Implementing IT Security Layers
Mitigating Risks
You can help reduce the chances of your computer's security being compromised if you follow the
defense-in-depth approach when you connect your computer to the Internet. When you perform common
tasks on the Internet, consider the following points to help reduce security risks:
o Antivirus control. Scan incoming and outgoing messages for viruses. Keep the antivirus software and
its signature definitions up to date to provide sufficient protection against new and emerging threats.
o Attachment handling controls. Some email software, such as Microsoft Outlook®, enables you to
configure how attachments of specific types are handled. For example, you can configure the email
software to block attachments with file types that can carry executable code, such as executable
files (.exe) and scripts.
• Web browsing. A web browser should let you select appropriate security settings based on the
trustworthiness of a website. For example, with Internet Explorer, you can define security settings for
different security zones, such as Internet, local intranet, trusted sites, and restricted sites. Security
settings within the context of these zones include whether to download and run ActiveX controls,
scripting behavior, and how to handle signed or unsigned content.
It is also important to implement security software when you surf the web. Suitable software should
provide antivirus protection, spyware protection, identity protection, and a link scanner that can help
identify unsafe websites before you visit them.
Finally, be cautious when you shop online. Use only sites that you trust, that present a valid digital
certificate over HTTPS to verify their identity, and that give you recourse should something go amiss with
your order.
• IM. Many security software packages provide protection against viruses in files that you might try to
receive by an instant message. However, make sure that you are careful about the information that
you disclose during an instant message conversation because these messages are frequently sent and
received in clear text.
• Social networking. Make sure that you only disclose information through social networking sites that
you are happy to see in the public domain. It is a good idea to limit the kind of information that you
share. For example, disclosing details about your finances, combined with information about your
address can give a malicious attacker sufficient information to steal your identity and commit fraud.
• File download. You can limit your exposure to unsafe downloads by running antivirus software.
Additionally, by downloading files only from trusted sources and preferring files that carry a digital
signature, you can reduce the security risk posed by downloads. Frequently, downloaded files
Fundamentals of a Windows Server Infrastructure 8-17
can appear safe but actually contain code that installs additional software that harms your computer.
Windows implements a security feature known as User Account Control (UAC) that prompts you before
software makes system-wide changes, so that you can stop unintended installations.
• Computer updates. To make sure that your computer updates are safe, download updates only from
trusted sources. Computers that run Windows obtain their updates from the Windows Update or
Microsoft Update service, or from a Windows Server Update Services (WSUS) server within your
organization.
• Connecting to the Internet. When you connect to the Internet, make sure that a host-based firewall is
enabled. Windows includes Windows Firewall with Advanced Security. When you first connect to a new
network, such as a wireless hot spot, Windows asks whether the network is public or private, and
Windows Firewall with Advanced Security then applies the firewall profile that matches your choice. On
a hot spot, choose Public so that unsolicited inbound connections are blocked by default.
In addition to a host-based firewall, it is also a good idea to make sure that the router that connects to
the Internet provides additional protection. Typical home-office Asymmetric Digital Subscriber Line (ADSL)
routers provide NAT and firewall functionality.
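The following PowerShell function is an added example, not part of the original course material, that performs the download checks recommended above: it reads the Mark-of-the-Web zone that the browser recorded, verifies the Authenticode signature, reports the signer, and computes a SHA-256 hash to compare with the value the vendor publishes. The file name and the expected publisher subject are assumptions for the example.

```powershell
function Test-DownloadedFile {
    <#
      Reports where a downloaded file came from, whether its Authenticode
      signature is valid, who signed it, and its SHA-256 hash.
      $ExpectedSubject is a wildcard pattern for the signer's certificate
      subject (assumed to be known from the vendor's documentation).
    #>
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        [string] $ExpectedSubject = ''
    )

    $result = [ordered]@{
        Path = $Path; ZoneId = $null; Signature = $null
        Signer = $null; Sha256 = $null; Trusted = $false
    }

    # Mark-of-the-Web: browsers record the download's origin in the
    # Zone.Identifier alternate data stream (ZoneId=3 means the Internet zone).
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        $result.ZoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
    }

    # Authenticode: Status is 'Valid' only if the file hash matches the signature
    # and the signer chains to a trusted root; 'HashMismatch' means the file was altered.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # SHA-256 for comparison against the hash the vendor publishes.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $result.Sha256 = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }

    # A valid signature from the expected publisher proves origin and integrity;
    # it does not prove that the program is harmless.
    $result.Trusted = ($sig.Status -eq 'Valid') -and
                      ([string]::IsNullOrEmpty($ExpectedSubject) -or ($result.Signer -like $ExpectedSubject))

    [pscustomobject]$result
}

# Usage (file name and publisher are assumptions for the example):
Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\driver-setup.exe" -ExpectedSubject 'CN=Contoso*'
```

Checking the signer subject matters as much as checking that the signature is valid: malware is sometimes signed with a legitimately issued certificate in an unrelated company's name, and `Valid` alone does not tell you whose certificate it was.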
Note: Generally, do not use elevated accounts for surfing the web or accessing email. Use
regular user accounts for those things, and use accounts that have more administrative rights
only for their intended purpose.
By default, both standard users and administrators run applications and access resources in the security
context of a standard user. The UAC prompt provides a way for a user to elevate his or her status from a
standard user account to an administrator account without logging off, switching users, or using Run As.
Because of this, UAC creates a more secure environment in which to run and install applications.
When a change is made to your computer that requires administrator-level permissions, UAC notifies you
as follows:
• If you are an administrator, click Yes to confirm whether you want to continue with administrative
rights.
• If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue. Providing administrative credentials temporarily gives
the user administrative privileges, but only to complete the current task. After the task is complete,
permissions change back to those of a standard user.
This makes sure that even if you are using an administrator account, changes cannot be made to your
computer without your knowledge. This security can help prevent malicious software and unwanted
third-party software from being installed on, or making changes to, your computer.
Windows Firewall
Windows Firewall is a host-based, stateful firewall. It drops incoming traffic unless that traffic is a
response to a request the computer itself made (solicited traffic) or matches a rule that explicitly allows
it (accepted traffic). Windows Firewall thereby helps protect against malicious users and programs that
rely on unsolicited incoming traffic to attack computers. Windows Firewall can also filter outgoing traffic.
You configure it by using the Windows Firewall with Advanced Security snap-in, which integrates firewall
rules with connection security rules for IPsec traffic protection.
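The following PowerShell session is an added example, not part of the course material, showing the firewall behaviour described in this section and in the "Connecting to the Internet" point above: the connection is classified as Public, every profile is set to drop unsolicited inbound traffic, one inbound rule is scoped to the Domain profile only, and one outbound rule blocks a program on public networks. It assumes an elevated session on Windows 8 or Windows Server 2012 (the NetSecurity module); the program path and rule names are assumptions for the example.

```powershell
# 1. Classify the current connection as Public so the most restrictive profile applies.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

# 2. Enforce the stateful default on every profile: unsolicited inbound traffic is
#    dropped, replies to requests the computer made are allowed, and drops are logged.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 3. Accept unsolicited inbound traffic only where a rule says so, and scope the rule
#    to the Domain profile so that it is inactive on a hot spot.
New-NetFirewallRule -DisplayName 'Allow Remote Desktop (Domain profile only)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Domain -Action Allow | Out-Null

# 4. Outbound filtering: stop one program (path assumed) from calling out on public networks.
New-NetFirewallRule -DisplayName 'Block updater.exe outbound on Public' `
    -Direction Outbound -Program 'C:\Program Files\Contoso\updater.exe' `
    -Profile Public -Action Block | Out-Null

# 5. Verify the effective state of the profiles and the new rule.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked -AutoSize
Get-NetFirewallRule -DisplayName 'Allow Remote Desktop*' |
    Format-Table DisplayName, Enabled, Profile, Direction, Action -AutoSize
```

The blocked-packet log (pfirewall.log by default) is worth reviewing after a session on a public network: it shows which hosts on the hot spot tried to reach the computer.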
Windows Defender
Windows Defender on a Windows 8 client helps protect you from spyware and other malicious software. In
Windows 7 and earlier, Windows Defender was an antispyware tool only, not antivirus software; in
Windows 8 it also includes the antivirus engine from Microsoft Security Essentials, so a separate antivirus
product is not required. Windows Defender offers three ways to help keep malware from infecting the
computer:
• Real-time protection actively monitors for malware and alerts you when potentially unwanted
software tries to install itself or run on the computer. It also alerts you when programs try to change
important Windows settings.
• The Microsoft SpyNet® community (renamed Microsoft Active Protection Service, MAPS, in Windows 8)
helps you see how other people respond to software that has not yet been classified for risk. When
you participate, your choices are added to the community ratings to help other people decide what
to do.
• Scanning options let you scan for unwanted software on the computer, schedule regular scans, and
automatically remove any malicious software that is detected during a scan.
The following table describes some of the most important dynamic security options that you can
configure for Internet Explorer.
• ActiveX Filtering. Disables ActiveX controls to prevent potentially vulnerable controls from being
exposed to attack. You can enable or disable ActiveX Filtering from the Tools menu. If you visit a
website that contains ActiveX controls, you receive a prompt and can turn the controls on for that site
only.
• Security Report. If you go to a secure website, indicated by the https protocol, a lock appears in the
address bar. Click the lock to view a security report that attempts to identify the website; you can also
view the site's certificate. The security report is also available from the Safety menu.
• SmartScreen® Filter. Protects you against phishing sites, warns you when you visit suspected or
known fraudulent sites, and blocks known malicious sites and downloads. The opt-in filter updates
several times per hour with the latest security information from Microsoft and several industry
partners. SmartScreen Filter is available from the Tools menu.
• Delete Browsing History. Lets you clean up cached pages, passwords, form data, cookies, and
history.
• Address Bar Protection. Displays an address bar in every window, whether pop-up or standard, to
help prevent malicious sites from impersonating trusted sites.
• International Domain Name Anti-Spoofing. Adds support for International Domain Names in
Uniform Resource Locators (URLs), and notifies you when visually similar characters in the URL are not
expressed in the same language. This protects you against sites that could otherwise pass as known,
trusted sites.
• URL Handling Security. Redesigned URL parsing ensures consistent processing and minimizes
possible exploitation. The new URL handler centralizes critical data parsing and increases data
consistency.
• Fix Settings for Me. Warns you with an Information Bar when the current security settings might put
you at risk, which can prevent you from browsing with unsafe settings. In the Internet Options dialog
box, items that are not safely configured are highlighted in red, and reminders are issued while the
settings remain unsafe. You can reset the Internet security settings to the Medium-High default level by
clicking Fix Settings For Me in the Information Bar.
• Manage Add-ons. Add-ons can have a significant effect on performance and security. Manage
Add-ons lets you see which add-ons are installed in your browser and enable, disable, or uninstall them.
It is available from the Tools menu in Internet Explorer.
• Tracking Protection. Blocks third-party web content that could track your web activity. With Tracking
Protection Lists, you select which third-party sites can receive your information and track you online.
• InPrivate Browsing. Prevents Internet Explorer from storing data about your browsing session, so
that someone else who uses your computer cannot see where you visited and what you looked at on
the web.
• Compatibility View. Displays websites as if you were viewing them in a previous version of Internet
Explorer. Some websites were designed for earlier versions and do not display well in the version on
your operating system; Compatibility View provides backward compatibility to address this.
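The following PowerShell script is an added example, not part of the course material, that inspects and adjusts the Internet Explorer security zones that the "Web browsing" point earlier in this module describes (and that the lab questions about the local intranet zone refer to). It reads the per-user zone settings from the registry, reports the zone level and the ActiveX and scripting actions, hardens the Internet zone, and assigns two hosts to zones. The host names are assumptions for the example; the value names are Internet Explorer's documented URL action identifiers.

```powershell
# Zone keys: 0 Local machine, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# URL action IDs used below: 1200 = Run ActiveX controls and plug-ins,
# 1004 = Download unsigned ActiveX controls, 1400 = Active scripting.
# Action data: 0 = Enable, 1 = Prompt, 3 = Disable.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$levels   = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$actions  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Decode-Action($value) {
    if ($null -eq $value) { return '(not set)' }
    if ($actions.ContainsKey([int]$value)) { $actions[[int]$value] } else { "$value" }
}

function Get-IEZoneSummary {
    foreach ($zone in 0..4) {
        $p = Get-ItemProperty -Path "$zonesKey\$zone"
        $level = [int]$p.CurrentLevel
        [pscustomobject]@{
            Zone                    = $zone
            Name                    = $p.DisplayName
            Level                   = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'Custom' }
            RunActiveX              = Decode-Action $p.'1200'
            DownloadUnsignedActiveX = Decode-Action $p.'1004'
            ActiveScripting         = Decode-Action $p.'1400'
        }
    }
}

Get-IEZoneSummary | Format-Table -AutoSize

# Harden the Internet zone (3): no ActiveX execution and no unsigned ActiveX downloads.
Set-ItemProperty -Path "$zonesKey\3" -Name '1200' -Value 3
Set-ItemProperty -Path "$zonesKey\3" -Name '1004' -Value 3

# Assign hosts to zones: the value name is the URL scheme, the data is the zone number.
# lon-dc1 is the lab's domain controller; partner.contoso.com is an assumed partner site.
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
New-Item -Path "$domains\lon-dc1" -Force | Out-Null
New-ItemProperty -Path "$domains\lon-dc1" -Name 'http' -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path "$domains\partner.contoso.com" -Force | Out-Null
New-ItemProperty -Path "$domains\partner.contoso.com" -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null

Get-IEZoneSummary | Where-Object { $_.Zone -eq 3 } | Format-List
```

Note that when zone settings are delivered through Group Policy (the corresponding keys under the HKLM and HKCU Policies hives), the per-user values shown here are overridden; check the policy keys first on a domain-joined machine.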
Protected Mode
Protected Mode gives Internet Explorer the rights that you need to browse the web while withholding the
rights needed to silently install programs or change sensitive system data. It does this by running the
browser process at the low integrity level, so that it can write only to low-integrity locations. Protected
Mode therefore helps protect against malicious downloads by restricting writes to any local computer zone
resource other than temporary Internet files: web-based software cannot write to any location other than
the Temporary Internet Files folder without explicit user consent.
Running programs that have limited user rights instead of administrator rights offers better protection
against attacks, because Windows can restrict the malicious code from performing damaging actions. This
additional defense helps make sure that scripted actions or automatic processes cannot download data to
locations other than directories with lower rights, such as the Temporary Internet Files folder.
Although Protected mode does not protect against all forms of attack, it significantly reduces the ability
of an attack to write, alter, or destroy data on the user's computer, or to install malicious code.
Parental Controls
To help keep children safer online, parents can control browsing behavior through the Parental Control
settings. In Windows 8, you can specify a child’s account type and also turn on Family Safety for reports of
their computer usage. You can apply a restriction to many activities on the computer, such as playing
games or surfing the Internet. You can also examine a child's browsing session. The child lacks the
necessary permissions to remove their session history.
Note: Parental Control settings are available only if the computer is not a member of a domain.
Manage Add-ons
The Internet Explorer Manage Add-ons console is designed to give you more control over Internet
Explorer add-ons. Add-ons are a great way to introduce new functionality to your online experience.
However, add-ons can also affect performance or introduce malicious software to your computer. You can
use Manage Add-ons to review proactively what has been installed and whether it is enabled. The console
is broken down into the following categories:
• Toolbars and Extensions
• Search Providers
• Accelerators
• Tracking Protection
Depending on the type of add-on, you can enable or disable it, or remove it entirely. Before you disable
or remove an add-on, keep in mind that some webpages, or Internet Explorer itself, might not display
correctly if certain add-ons are disabled.
SmartScreen Filter
Businesses put a lot of effort into protecting computer assets and resources. Phishing attacks, a form of
social engineering, can evade those protections by persuading users to give up personal information.
Most phishing scams target people in an attempt to steal money or commit identity theft.
SmartScreen Filter helps protect against impostor websites and general malware; it also adds a level of
control around the warnings associated with these sites.
Demonstration Steps
1. Enable the Menu Bar, Command Bar, and Status Bar in Internet Explorer.
Objectives
After completing this lab, you will be able to:
• Suggest steps that an organization could take to provide physical security for a branch office.
Lab Setup
Estimated Time: 30 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Domain: ADATUM
Supporting Documentation
Subject: RE: Branch offices security concerns
Charlotte,
Please look at the attached incident record and review Alan’s concerns. Get a plan together for
resolving these security concerns.
Thanks,
Ed
Ed,
I just got back from the branches. I’m pretty worried that, given the sensitive nature of the data we
handle in Research, physical security is pretty lax compared with the head office. I have listed my main
concerns below:
• Laptops are used by research staff. The staff frequently takes the laptops home.
• In some branches, there is no dedicated room for the servers.
• We let external contract staff connect their own computers to our research networks.
• I notice that some personnel bring music files on USB drives into the offices.
Regards, Alan
Overview
This document defines the corporate policy about laptops and other portable computing devices within
A. Datum Corporation.
Policies
1. Any network device that is moved from the offices of A. Datum Corporation must be configured in
such a way that loss of the device does not lead to a compromise of the stored data.
6. Portable storage devices are permitted for use on laptops as long as their loss does not compromise
the data stored on them.
Incident Details
Call logged by information technology (IT) manager following inquiries at branch offices about
physical security problems raised by Research department manager, Alan Brewer. Reported
concerns:
1. Laptops are used by research staff. The staff frequently take the laptops home.
2. In some branches, there is no dedicated room for the servers.
3. External contract staff can connect their own computers to the research networks.
Questions
1. What security policies apply to the branch office laptops as defined in the A. Datum Network
Security Policy – Laptops document?
3. How would you address the concerns you might have about laptop use?
4. How would you address the concerns you might have about the lack of dedicated server rooms?
5. How would you address the concerns you might have about contractor computer use?
6. How would you address the concerns you might have about removable storage devices?
Resolution:
2. Read the A. Datum Network Security Policy – Laptops document to determine if you must enforce
any changes at the branch based on corporate policies.
2. What security policies apply to the branch office laptops as defined in the A. Datum Network Security
Policy – Laptops document?
4. How would you address the concerns you might have about laptop use?
5. How would you address the concerns you might have about the lack of dedicated server rooms?
6. How would you address the concerns you might have about contractor computer use?
7. How would you address the concerns you might have about removable storage devices?
Results: After this exercise, you should have completed the incident record.
3. What is the current security level for the local intranet zone?
3. Browse to http://lon-dc1/intranet.
4. What is the security zone that this website is listed as being in?
8. In Manage Add-ons, can you see the Tabular Data Control Add-on?
2. Notice the presence of a lock icon now appearing in the address bar
4. A website identification dialog box appears that contains information about the identity of the
website and, if the site has a certificate, who issued it. You can also view the certificate.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
Results: After this exercise, you should have modified Internet Explorer security settings.
Question: In the lab, you were concerned primarily with physical security concerns. What
potential support issues might arise following implementation of your proposed changes?
Specifically, what issues might arise surrounding the encryption of files and volumes and the
prohibition of USB storage devices?
• Create specific rules that help prevent social engineering and educate users on these rules and their
relevance.
• Restrict physical access to servers by locking doors and then monitor server room access.
• Restrict switch ports and wireless access points based on media access control (MAC) address or client
certificates.
Review Questions
Question: Why is it important to educate users about your organization’s acceptable use
policy?
Question: How could you help reduce the risk that your wireless network is the target of
unauthorized packet sniffing?
Question: What are the risks associated with allowing your users to connect their laptops to
Wi-Fi hotspots?
Module 9
Implementing Security in Windows Server
Contents:
Module Overview 9-1
Module Overview
As organizations expand the availability of network data, applications, and systems, it becomes more
challenging to ensure network infrastructure security. Security technologies in the Windows Server®
operating system enable organizations to provide better protection for their network resources and
organizational assets in increasingly complex environments and business scenarios. This module reviews
the tools and concepts available for implementing security in a Windows® infrastructure.
Objectives
After completing this module, you will be able to:
• Describe the Windows Server features that help improve the network’s security.
• Explain how to secure files and folders in a Windows Server environment.
• Explain how to use Windows Server encryption features to help secure access to resources.
Lesson 1
Overview of Windows Security
Windows Server 2012 includes many features that provide different methods for implementing security.
These features combine to form the core of Windows Server 2012 security functionality. Understanding
the concepts covered in the previous module and combining them with specific Windows Server 2012
features and functionality covered in this module is critical to maintaining a secure environment.
Lesson Objectives
After completing this lesson, you will be able to:
Authentication
Authentication verifies that someone is who they claim to be. Authentication distinguishes legitimate
users from uninvited guests, and is the most visible and fundamental concept in security. In private and
public computer networks (including the Internet), the most common authentication method that is used
to control access to resources involves verification of a user’s credentials—that is, a user name and a
password.
However, the user name and password combination is only one way of authentication. Other mechanisms
and tools can also be used in the Windows Server 2012 environment to add multiple layers to the
authentication process. This makes sure that users’ identities on the network are legitimate and secure.
Some of the other mechanisms available include the following:
• Smart cards. A smart card is a credit-card-shaped device that contains specific digital information, in
most cases used to identify a person. A user name and certificate are present on the card, and a
password or PIN is required to unlock the private key that belongs to that certificate and prove your
identity. Smart cards increase security because the user must both possess the card and know the
correct PIN (something you have and something you know). Smart cards can also be used for physical
security, such as controlling building or room access.
• Universal serial bus (USB) tokens. These are similar in principle to smart cards because they can
contain a certificate, and a PIN or password is required to use it. One advantage of USB tokens over
smart cards is that they do not require a specialized reader.
• Biometrics. The term biometrics refers to measuring an unchanging physical or behavioral
characteristic to uniquely identify a person. Fingerprints are the most commonly implemented form;
other possibilities include facial recognition, iris scanning, and voice recognition. Biometric devices are
most often used to add a measure of security where highly sensitive data is involved. The level of
security they provide varies with the hardware: how accurate the readers are, whether they are built
in, and whether the reader's signal can be recorded and replayed to the system.
Authorization
Authorization is the process of determining whether a user or computer is permitted access to a resource
and what the appropriate level of access is, usually known as access control. This could include
authorization to read, change, or delete files and folders, or combinations of these. It could also include
authorization to access services such as remote access or other permissions.
Authorization involves two steps:
1. The initial definition of permissions for system resources by the owner of a specific resource or a
system administrator.
2. The subsequent checking of those permissions by the system or application when a user tries to
access a system resource.
Note: You can have authorization (access to resources) without first providing authentication
(entering a user name and password). This happens frequently in modern computing. For example,
when you access a public webpage on the Internet, you access the resources on that web server
(pages, graphics, and so on) without providing any kind of authentication to the web server. So when
you define authorization, administrators can allow any known user, or even any anonymous user, to
access data.
You can also “audit” the access to resources by individuals or devices. This additional step of auditing
access to some resources provides another security layer to a defense-in-depth strategy.
UAC provides a method by which all users can be aware of the way their account privileges are being
used on the computer.
Turning on UAC ensures that both standard users and administrators can access resources and run
applications in the security context of a standard user.
UAC checks for administrative permissions, and prompts the user when an application requires those. The
user can select whether to grant the application the desired permissions. Users do not have to log off,
switch users, or use the Run As Administrator command. In this manner, UAC provides a secure
environment for the running and installing of applications.
• If you are an administrator, you can click Yes to elevate your permission level and continue. This
process of requesting approval is known as Admin Approval Mode.
Note: In Windows Server 2008 R2 and Windows Server 2012, Admin Approval Mode is disabled by
default for the built-in Administrator account. This results in no UAC prompts when you use the local
Administrator account, which is one more reason to use that account only when necessary.
• If you are not an administrator, the user name and password for an account that has administrative
permissions needs to be entered. Providing administrative credentials temporarily gives you the
administrative privileges required to complete the task. After the task is complete, your permissions
are returned back to those of a standard user.
This process of notification and elevation of privileges makes it so that even if you are using an
administrator account, changes cannot be made to your computer without you knowing about it, which
can help prevent malicious software (malware) and spyware from being installed on or making changes to
your computer.
UAC allows certain system-level changes to occur without prompting, even when you are logged on as a
standard user:
• Reset the network adapter and perform other network diagnostic and repair tasks.
You can also adjust how often UAC prompts and how it behaves by opening User Account Control
Settings under User Accounts in Control Panel. A slider offers four levels of notification:
• Always notify me
• Notify me only when apps try to make changes to my computer (default)
• Notify me only when apps try to make changes to my computer (do not dim my desktop)
• Never notify me
UAC can also be configured by using Group Policy. The settings are located under Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, where the
following settings can be configured for UAC:
• User Account Control: Admin Approval Mode for the Built-in Administrator account
• User Account Control: Allow UIAccess applications to prompt for elevation without using the secure
desktop
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
• User Account Control: Behavior of the elevation prompt for standard users
• User Account Control: Detect application installations and prompt for elevation
• User Account Control: Only elevate executables that are signed and validated
• User Account Control: Only elevate UIAccess applications that are installed in secure locations
• User Account Control: Run all administrators in Admin Approval Mode
• User Account Control: Switch to the secure desktop when prompting for elevation
• User Account Control: Virtualize file and registry write failures to per-user locations
Note: To fully disable UAC, you must disable the Group Policy setting User Account Control: Run all
administrators in Admin Approval Mode. You must restart the computer when you enable or disable
UAC. Changing the level of notification does not require a restart.
The Group Policy setting User Account Control: Switch to the secure desktop when prompting for
elevation is also important. When it is enabled, the UAC prompt is displayed on the secure desktop: the
normal desktop is dimmed and paused, and no other program can interact with the prompt until you
approve or deny the request. After you make a selection, the desktop is no longer dimmed. Dimming is
the visible sign of the secure desktop; its purpose is to stop malware from drawing over the prompt or
clicking Yes on your behalf.
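The following PowerShell script is an added example, not part of the course material, that ties the UAC settings above together: it maps each Group Policy setting to the registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that it controls, translates the stored values back into the four slider positions from the User Account Control Settings dialog, and checks whether the current session holds the full administrator token. The policy-to-value mapping is the documented one; no assumptions beyond that are made.

```powershell
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Group Policy setting (as named in Security Options) -> registry value that backs it.
$policyMap = [ordered]@{
    'Admin Approval Mode for the Built-in Administrator account'                          = 'FilterAdministratorToken'
    'Allow UIAccess applications to prompt for elevation without using the secure desktop' = 'EnableUIADesktopToggle'
    'Behavior of the elevation prompt for administrators in Admin Approval Mode'           = 'ConsentPromptBehaviorAdmin'
    'Behavior of the elevation prompt for standard users'                                  = 'ConsentPromptBehaviorUser'
    'Detect application installations and prompt for elevation'                            = 'EnableInstallerDetection'
    'Only elevate executables that are signed and validated'                               = 'ValidateAdminCodeSignatures'
    'Only elevate UIAccess applications that are installed in secure locations'            = 'EnableSecureUIAPaths'
    'Run all administrators in Admin Approval Mode'                                        = 'EnableLUA'
    'Switch to the secure desktop when prompting for elevation'                            = 'PromptOnSecureDesktop'
    'Virtualize file and registry write failures to per-user locations'                    = 'EnableVirtualization'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $uacKey
    foreach ($name in $policyMap.Keys) {
        [pscustomobject]@{ Policy = $name; Value = $policyMap[$name]; Data = $p.($policyMap[$name]) }
    }
}

# The slider in User Account Control Settings only changes two of these values.
function Get-UacNotificationLevel {
    $p = Get-ItemProperty -Path $uacKey
    if ($p.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0; a restart is required for this to take effect)' }
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify me' }
        '5/1'   { 'Notify me only when apps try to make changes to my computer (default)' }
        '5/0'   { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
        '0/0'   { 'Never notify me' }
        default { "Custom (ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop))" }
    }
}

# Does this PowerShell session run with the full administrator token (that is, elevated)?
function Test-Elevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacPolicy | Format-Table -AutoSize
Get-UacNotificationLevel
"Elevated session: $(Test-Elevated)"
```

A useful audit check is `ConsentPromptBehaviorAdmin` equal to 0 with `EnableLUA` still 1: the "Never notify me" position leaves UAC technically on but elevates silently, which gives malware the same free run as disabling UAC outright.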
Question: From a system administrator viewpoint, what are some of the advantages and
benefits of UAC?
From a permissions point of view, both NTFS and ReFS provide this functionality. Permissions are assigned
to files and folders on NTFS or ReFS volumes and govern the access given to users who attempt to access
the files. Permissions are assignable to individual or sets of files and folders. File Allocation Table 32
(FAT32) does not allow for permissions at file and folder level.
Shared folder permissions
Shared folder permissions are available in Windows Server 2012 with the following file system types:
• FAT32
• NTFS
• ReFS
When a local folder is shared, that is, made accessible to the rest of the network, a separate set of
permissions is assigned to the share. Those permissions control users' access to the files from a network
location. Shared folder permissions are assignable only to a folder or group of folders, not to individual
files.
Note: Shared folder permissions can be combined with the file and folder permissions to
provide a two-level set of permissions for that specific folder when accessed over the network.
Note: Both file and folder permissions and shared folder permissions have a variety of
access levels that can be granted or denied to a specific user or group of users. These levels will
be covered in detail later in this module, along with a discussion of some of the differences
between NTFS and ReFS.
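The following PowerShell script is an added example, not part of the course material, that applies both permission layers described above to one folder and adds the auditing layer mentioned under Authorization earlier in this lesson: it replaces the inherited NTFS ACL with explicit entries, attaches a failure-audit SACL, enables object-access auditing, and then shares the folder with a permissive share ACL so that the NTFS ACL decides the effective network access. It must run elevated; the folder path and the ADATUM\Research group are assumptions for the example (ADATUM is the lab domain on this page).

```powershell
$path = 'D:\Research'    # assumed folder for the example
New-Item -ItemType Directory -Path $path -Force | Out-Null

# --- NTFS (file and folder) permissions: the fine-grained layer ---
$acl = Get-Acl -Path $path -Audit            # -Audit so that the SACL is read and written as well
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from D:\ and drop the inherited entries

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($entry in @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @('ADATUM\Research',        'Modify')       # read, write, delete; cannot change permissions
)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

# Audit failed write and delete attempts by anyone; they appear as event 4656 in the Security log.
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete', $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($auditRule)
Set-Acl -Path $path -AclObject $acl

# Object-access auditing must also be enabled in the audit policy, or the SACL is never evaluated.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# --- Share permissions: the coarse, network-level layer ---
# Everyone: Full Control at the share level means the NTFS ACL alone decides effective access
# over the network; whichever of the two layers is more restrictive always wins.
New-SmbShare -Name 'Research' -Path $path -FullAccess 'Everyone' | Out-Null

# Verify both layers.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
Get-SmbShareAccess -Name 'Research' |
    Format-Table AccountName, AccessRight, AccessControlType -AutoSize
```

Keeping the share ACL permissive and the NTFS ACL authoritative is a common design choice because NTFS permissions also apply to local and console access, whereas share permissions only apply over the network; managing one place rather than two reduces the chance that the two layers drift apart.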
New in Windows Server 2012, Dynamic Access Control allows for access to files and folders to be
controlled by central policies that are conditional and built around attributes and claims. For example, if a
document has an attribute linking it to a particular department, administrators can create a policy that
allows access to the document only if a user is a member of that department, or possibly if a user has a
Full Time Employee attribute.
Dynamic Access Control is a powerful technology that allows for much more granular control and greater
centralized management over file and folder access. It builds upon the existing NTFS and Share
permissions and combines multiple criteria into the access decision, so users must satisfy the NTFS, Share
MCT USE ONLY. STUDENT USE PROHIBITED
Fundamentals of a Windows Server Infrastructure 9-7
permissions criteria, and the Central Access Policies defined by Dynamic Access Control, to gain access to
the file. The central policies are enforced regardless of how the share and NTFS permissions might change.
Implementing Dynamic Access Control allows for reduced security group complexity, more robust
adherence to compliance regulations, and protection of sensitive information. Also, with Dynamic Access
Control, you can extend the functionality of an existing access control model.
Account Policies
The security provided by a password system depends on keeping the passwords secret at all times and on ensuring that the passwords used have a level of complexity that makes them hard to guess. Brute force attacks occur when a hacker uses tools that try all possible letter/number combinations to guess a user name and password.
You can configure account policy settings by accessing the following location from the Group Policy
Management Console (GPMC): Computer Configuration\Policies\Windows Settings\Security
Settings\Account Policies. The following table outlines the various policies that you can define for
password policies.
Password must meet complexity requirements
  Description: Requires that passwords:
  • Be at least as long as specified by the Minimum Password Length, with a minimum of three characters if the Minimum Password Length is set to 0.
  • Contain a combination of at least three of the following characteristics:
    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Alphanumeric combination
    • Symbols (!#% and so on)
  • Do not contain the user's user name or screen name.
  Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple letters or numbers. You can instruct users to use pass phrases to create long passwords that are easy to remember.
Enforce password history
  Description: Prevents users from creating a new password that is the same as their current password or a recently used
  Best practice: Enforcing password history ensures that passwords that have been compromised are not used over and over.
Maximum password age
  Description: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
  Best practice: Set a maximum password age of 30–70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.
Minimum password age
  Description: Sets the minimum number of days that must pass before a password can be changed.
  Best practice: Set the minimum password age to at least one day. By doing so, you require that the user can change their password only once a day. This will help to enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse their original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing their original password on the same day.
Minimum password length
  Description: Specifies the fewest number of characters a password can have.
  Best practice: Set the length between eight and 12 characters (provided that the characters also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or common phrase. If you change the attribute in the domain object directly, you can use longer passwords. You can also use longer passwords if you use fine-grained password policies.
Store passwords using reversible encryption
  Description: Stores the password by using encryption that can be reversed in order for specific applications to verify the password.
  Best practice: Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.
Note: Password settings that use Group Policies need to be either in the default domain
policy or in a policy linked to the domain. Organizational unit (OU)–level Group Policy Objects
(GPOs) would only apply to local accounts of computers to which the GPO applies. This is
explained in more detail in Module 6, “Windows Server Roles.”
The following table outlines the various policies that you can define to govern account lockout policies—
for example, controlling what actions to take if a user repeatedly fails to enter a valid password when
logging on to the system.
Account lockout threshold
  Description: Specifies the number of failed logon attempts allowed before the account is locked out. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect logon information three times.
  Best practice: A setting from 3 through 5 will allow for reasonable user error and limit repeated logon attempts for malicious purposes.
Account lockout duration
  Description: Allows you to specify a timeframe, in minutes, after which the account will automatically unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until an administrator manually unlocks it.
  Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. In most situations a duration of 30 to 90 minutes should work well.
Reset account lockout counter after
  Description: Defines a timeframe for counting the incorrect logon attempts. If the policy is set for one hour and the account lockout threshold is set for three attempts, a user can enter the incorrect logon information three times within one hour. If they enter the incorrect information twice but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
  Best practice: Using a timeframe of 30 to 60 minutes is sufficient to deter automated attacks and manual attempts by an attacker to guess a password.
Note: Although password lockout settings can be a security option, they can also be seen
as a denial-of-service provider. For example, a malicious user could go to an external-facing
company website, for web mail for example, and enter a known user name and the wrong
password several times, which could render that account useless to its owner for a period of time,
or even require Help Desk interaction. You should be aware of and carefully consider the
password policies before implementing them to ensure that you fully understand the
implications.
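The following script is an added example, not part of the courseware: it reads the domain's current password and account lockout settings with Get-ADDefaultDomainPasswordPolicy and reports which ones fall outside the ranges recommended in the two tables above. It assumes the ActiveDirectory module is available and that the domain name can be read with Get-ADDomain; the function name Test-DomainPasswordPolicy is my own.

```powershell
# Added example, not part of the courseware: audit the default domain
# password and account lockout policy against the ranges recommended above.
# Assumes the ActiveDirectory module (RSAT or the AD DS role); read-only.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        # Domain to check; defaults to the domain of the local computer.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # Setting name, current value, recommendation from the tables above, and
    # a pass/fail test. Ages and windows are TimeSpans, so compare TotalDays
    # or TotalMinutes rather than the raw object.
    $checks = @(
        @{ Setting = 'Password must meet complexity requirements'
           Current = $p.ComplexityEnabled; Recommended = 'Enabled'
           Pass    = $p.ComplexityEnabled },
        @{ Setting = 'Store passwords using reversible encryption'
           Current = $p.ReversibleEncryptionEnabled; Recommended = 'Disabled'
           Pass    = -not $p.ReversibleEncryptionEnabled },
        @{ Setting = 'Minimum password length'
           Current = $p.MinPasswordLength; Recommended = 'at least 8 (8 to 12 in the table)'
           Pass    = $p.MinPasswordLength -ge 8 },
        @{ Setting = 'Maximum password age (days)'
           Current = [int]$p.MaxPasswordAge.TotalDays; Recommended = '30 to 70'
           Pass    = ($p.MaxPasswordAge.TotalDays -ge 30) -and ($p.MaxPasswordAge.TotalDays -le 70) },
        @{ Setting = 'Minimum password age (days)'
           Current = [int]$p.MinPasswordAge.TotalDays; Recommended = 'at least 1'
           Pass    = $p.MinPasswordAge.TotalDays -ge 1 },
        @{ Setting = 'Enforce password history (passwords remembered)'
           Current = $p.PasswordHistoryCount; Recommended = 'greater than 0'
           Pass    = $p.PasswordHistoryCount -gt 0 },
        @{ Setting = 'Account lockout threshold'
           Current = $p.LockoutThreshold; Recommended = '3 to 5 (0 means accounts never lock)'
           Pass    = ($p.LockoutThreshold -ge 3) -and ($p.LockoutThreshold -le 5) },
        @{ Setting = 'Account lockout duration (minutes)'
           Current = [int]$p.LockoutDuration.TotalMinutes; Recommended = '30 to 90'
           Pass    = ($p.LockoutDuration.TotalMinutes -ge 30) -and ($p.LockoutDuration.TotalMinutes -le 90) },
        @{ Setting = 'Reset account lockout counter after (minutes)'
           Current = [int]$p.LockoutObservationWindow.TotalMinutes; Recommended = '30 to 60'
           Pass    = ($p.LockoutObservationWindow.TotalMinutes -ge 30) -and ($p.LockoutObservationWindow.TotalMinutes -le 60) }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting     = $c.Setting
            Current     = $c.Current
            Recommended = $c.Recommended
            Status      = $(if ($c.Pass) { 'OK' } else { 'REVIEW' })
        }
    }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize
```

Because these values are delivered by the domain-linked GPO described in the note above, a REVIEW line is a pointer back to that GPO, not to an OU-level policy.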
Question: What would be the effect on a user’s account if the user entered his or her
password incorrectly five times between 10:00 A.M. and 10:25 A.M. with the following
settings applied to the account:
To do this, password policy information regarding password and account lockout policy settings is
stored within an Active Directory object called a Password Settings object (PSO). All PSOs are stored within
a parent container called a Password Settings Container (PSC). By default, the PSC is created under the
System container for the domain.
You can create fine-grained password policies by opening the Active Directory Administrative Center,
selecting <Domain> Local, clicking System, and then choosing the Password Settings Container. You can
then select New and Password Settings from the Actions pane.
You can apply these multiple password policies to a user or to a global security group in a domain but not
to an organizational unit (OU). If you wish to apply the password policies to an OU, you can create a
shadow group, which is a global security group that is logically mapped to an OU. Any changes made to
the OU must then also be made to the shadow group.
Within the Create Password Settings dialog box in the Active Directory Administrative Center, some of the
settings you can specify are the following:
• Precedence. This value determines which password policy to use when more than one password
policy applies to a user or group. When there is a conflict, the password policy that has the lower
precedence value has higher priority. Precedence values are typically assigned in multiples of tens or
hundreds.
• Password must meet complexity requirements. Specifies whether password complexity is enabled
for the password policy. If enabled, the password must contain three of the following five
characteristics
Each of the following also has the option to enforce the setting, and the ability to specify a value:
• Minimum password length (characters). The minimum number of characters a password must
contain.
• Number of passwords remembered. The number of passwords that are remembered and cannot
be reused.
• User cannot change password within (days). Length of time in days during which a user is not able
to change their password.
• User must change password within (days). Length of time in days within which a user must change
their password.
Alternatively, you can use Windows PowerShell® to create and manage fine-grained password policies. For
example, to create a fairly standard fine-grained policy using Windows PowerShell, type the following.
To view a list of the available Windows PowerShell commands for fine-grained password policies, type the
following.
help *FineGrained*
More information about Windows PowerShell cmdlets for fine-grained password policies can
be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309139
After a PSO is created, it can be linked to one or more AD DS users or global security groups. After it is
linked, the settings defined within that PSO will apply to the linked users or groups. If no fine-grained
password policy applies to a user, the default domain password policy from the GPO applies. If any
fine-grained password policy applies, the domain policy is not considered.
With fine-grained password policies, you can have multiple password policies in a single domain. As a
result, a user might have multiple PSOs assigned to him or her. If a user has multiple PSOs applied, you
can view the resultant “winning” policy by using the gpresult.exe tool from the Command Prompt or the
Get-ADUserResultantPasswordPolicy cmdlet.
Note: A PSO cannot be linked to an Active Directory OU; it can be linked only to AD DS
users and groups.
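The whole procedure above (create PSOs with a precedence, link them to a group and a user, and read the resultant policy) as an added Windows PowerShell example; it is not the courseware's own command. It assumes the ActiveDirectory module, Domain Admins rights, and an existing global security group named Service Accounts containing a user named svc-backup (both placeholder names).

```powershell
# Added example, not part of the courseware: two fine-grained password
# policies with different precedence, linked to a group and to a user.
# Assumes the ActiveDirectory module and that the placeholder group
# "Service Accounts" and placeholder user "svc-backup" already exist.
Import-Module ActiveDirectory

# PSO for all service accounts: long passwords, rotated yearly. Precedence 200.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 200 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# Stricter PSO for one sensitive account. Precedence 100: when several PSOs
# apply to the same user, the one with the LOWER precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-BackupService' -Precedence 100 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 25 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 3 -LockoutDuration '01:00:00' -LockoutObservationWindow '01:00:00' `
    -ProtectedFromAccidentalDeletion $true

# PSOs link to users and global security groups only, never to an OU
# (use a shadow group for an OU, as described above).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-BackupService'   -Subjects 'svc-backup'

# svc-backup is a member of Service Accounts, so both PSOs apply to it. The
# resultant policy should be PSO-BackupService (precedence 100 beats 200).
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Every PSO in the Password Settings Container, with what it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo
```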
Auditing Features
Auditing is the process that tracks user activity by recording selected events in a security log. Auditing provides a recorded log of access and activity, allowing an administrator to determine whether or not resources are being accessed and used appropriately and according to policy.
Auditing logs the following information regarding system activity:
• What occurred?
• Who did it?
It is important to be clear that enabling auditing only tells the server that it needs to track whether
someone is making changes in that area. What is actually audited depends on the settings of the individual
components, such as files, folders, registry keys, or Active Directory security settings.
You can configure auditing within the Group Policy Management Editor, where two sets of auditing policy
settings are available.
The second set includes newer, more advanced auditing options that are available under Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies. These are only applicable in Windows Server 2008, Windows Vista®, Windows 8, and Windows
Server 2012. This set provides for 53 different auditing options covering the following areas:
• Account Logon
• Account Management
• Detailed Tracking
• DS Access
• Logon/Logoff
• Object Access
• Policy Change
• Privilege Use
• System
• Global Object Access Auditing
Basic and advanced auditing settings are not compatible with each other. As soon as the advanced
settings are applied, they clear all the existing basic auditing policy settings. As such, you need to be careful
when applying and using both sets of auditing options, because they are used and applied differently and can
cause some confusion about what the effective auditing policy is.
You can view the audited events in the respective logs within Event Viewer.
Note: By default, auditing is not enabled; it needs to be configured before it will collect
data.
There are no dedicated auditing cmdlets available in Windows PowerShell. However, the command-line
tool Auditpol.exe is a powerful tool that allows for the setting and querying of audit policy.
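As an added example (not taken from the courseware), the following elevated PowerShell session enables the advanced File System audit subcategory with Auditpol.exe, adds an audit entry (SACL) to a folder so that deletions are recorded, and then reads the resulting events from the Security log. The path C:\Shares\Finance is a placeholder.

```powershell
# Added example, not part of the courseware. Run from an elevated PowerShell
# session; C:\Shares\Finance is a placeholder folder.
$Folder = 'C:\Shares\Finance'

# 1. Audit policy. Auditpol works on the advanced (subcategory) settings under
#    Advanced Audit Policy Configuration; "File System" belongs to the Object
#    Access category. Do not mix this with the basic "Audit object access"
#    setting, which the advanced settings override.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /category:"Object Access"

# 2. Object SACL. Enabling the policy alone records nothing: the folder must
#    carry an audit entry. Here both successful and failed Delete and
#    "Delete Subfolders and Files" operations by any authenticated user are
#    audited, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'NT AUTHORITY\Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Folder -Audit   # -Audit reads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl  # writing a SACL needs the Administrators' SeSecurityPrivilege

# 3. Review in the Security log (the same events Event Viewer shows):
#    4663 = an attempt was made to access an object, 4660 = an object was deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```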
More information about Advanced Auditing can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309140
Digital Certificates
In modern cryptography, data is encrypted and decrypted by using a key that contains the information necessary for performing the encryption or decryption. A key is a piece of physical data, and can be protected by a password or attached to a smart card or even a Windows user account.
Symmetric encryption works well when the same user is both encrypting and decrypting the data.
However, when the user encrypting the data is different from the user who is decrypting the data,
especially if the encryption and decryption process is on different computers or networks, symmetric
encryption becomes more problematic. In this case, the user encrypting the data must find some way to
make the key available to the user decrypting the data. Any time the key is exchanged between users, it
becomes vulnerable to being intercepted and compromised.
The use of digital certificates introduces an alternative to the shortcomings of symmetric encryption. Data
exchange using a digital certificate uses asymmetric encryption. When using asymmetric encryption, a pair
of mathematically related keys is used to encrypt or decrypt data. One of the keys, commonly known as
the private key, is held by an individual. A second key, the public key, is attached to the digital certificate,
which can be digitally requested at any time. With this form of encryption, either the private or public key
can be used to encrypt the data. Then, the opposite key is used to decrypt the data.
In general, symmetric encryption is faster but less secure than asymmetric, whereas asymmetric encryption
is slower but more secure. In many communication scenarios the two are therefore combined: asymmetric
keys are used to exchange the symmetric key, which is then used to encrypt and decrypt the data
stream.
Note: A digital certificate is a digital document that is commonly used for authentication
and to help secure information on a network. A certificate binds a public key to an entity that
holds the corresponding private key.
A digital certificate makes it possible to verify someone's claim that they have the right to use a given key,
helping to prevent people from using phony keys to impersonate other users. Used in conjunction with
encryption, digital certificates provide a more complete security solution, assuring the identity of all
parties involved in a transaction.
• A user, computer, or network device that holds the private key corresponding to the issued certificate.
The user, computer, or network device is known as the owner or subject of the certificate.
• A public key of the certificate's associated public and private key pair.
• The names of the encryption and digital signing algorithms supported by the certificate.
Also, a digital certificate can contain additional information, such as the encryption algorithms supported,
the acceptable applications or uses for the certificate, or other applicable information. The use of digital
certificates and encryption technologies will be discussed in more detail in Lesson 3, “Implementing
Encryption.”
Lesson 2
Securing Files and Folders
Ensuring data integrity and security is a fundamental aspect of a Windows Server infrastructure. The
assignment of proper permissions to users and groups for the resources they require access to is the first
level of data security in a Windows Server environment.
This lesson covers the configuring of permissions, best practices for maintaining permissions functionality,
and auditing file and folder access to ensure that configured permissions are operating effectively.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the available file and folder permissions on NTFS and ReFS volumes.
• Describe permission inheritance.
• Explain how file and folder permissions and shared folder permissions combine.
Access Control
The previous lesson explained authentication and authorization in general terms. This lesson explains how that process translates into a real-world access control process in Windows Server 2012 and Windows 8.
Access control is effectively the process of authorizing users, groups, or computers (sometimes known as the principal) access to objects, which will be files and folders in this instance, on a network or computer. It involves permissions, permission inheritance, user rights, and auditing, each of which are described in this module.
Before a user can access an object, the user first must identify themselves to the security system in
operation on the domain or network. When a user logs on to a computer, he identifies himself and, if
successful, is allowed to log on to the computer. The identity of that user is then contained within an
access token or security descriptor that is re-created every time that user logs on. Indeed, every container
or object on a Windows Server network has an associated security descriptor in it that contains access
control information.
The operating system checks to see if the user is authorized to access an object. It does this by comparing
the following two things:
• The security identifier of the user and the groups to which the user belongs in the access token
The access control entries then allow or deny particular functionality on the object for the specific user.
The entire set of access control entries is known as the access control list (ACL). There are two kinds of
ACLs, the discretionary access control list (DACL), which is responsible for permissions, and the system
access control list (SACL), which is responsible for auditing.
When the operating system is determining the authorization to access an object, each ACE is evaluated by
comparing the security identifiers (SIDs) in the ACE to the SIDs in the token (which contains the user’s SID
plus all group SIDs he belongs to). If any match is found, the permissions specified in the matching ACE are
granted or denied. If the end of the ACL is reached and the desired access is
still not explicitly allowed or denied, the user is denied access to the object.
In Windows Server 2012 and Windows 8, you can view the effective permissions for a user, group, or
computer on the Effective Permissions tab of the Advanced Permission Settings dialog box. This is
designed to help you manage and troubleshoot file and folder permissions more effectively.
You can also use the Windows PowerShell cmdlets Get-ACL and Set-ACL to help manage access control
on objects.
Another command-line tool that can be used to view, change, back up, and restore ACL information and
settings is icacls.exe.
• Standard. Standard permissions are the most commonly used permissions. These can be viewed and
accessed through the Properties of an object: right-click a file or folder, select Properties, and
then navigate to the Security tab.
• Advanced. Advanced permissions provide a finer degree of control for assigning access to
files and folders. However, advanced permissions are more complex to manage than standard
permissions.
Standard File and Folder Permissions
The following table lists the standard NTFS file and folder permissions. You can choose whether to allow
or deny each of the permissions.
Full Control: This gives complete control of the file/folder and control of permissions.
Note: Groups or users granted Full Control on a folder can delete any files in that folder
regardless of the permissions protecting the file.
To modify file and folder permissions, you must be given the Full Control permission for a folder or file.
The one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions
even if he or she does not have any other current NTFS permissions. Administrators can always take
ownership of files and folders to make modifications to NTFS permissions.
Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. This permission allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
The Execute File permission allows or denies running program files.
If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.
List Folder/Read Data: The List Folder permission allows or denies viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder; it does not affect whether the folder that you are setting the permission on is itself listed. Also, this setting has no effect on viewing the file structure from the command-line interface.
The Read Data permission applies only to files and allows or denies
Read Attributes: The Read Attributes permission allows or denies viewing the attributes of a file or folder, such as the read-only and hidden attributes. Attributes are defined by NTFS or ReFS.
Read Extended Attributes: The Read Extended Attributes permission allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program.
Create Files/Write Data: The Create Files permission applies only to folders and allows or denies creating files in the folder.
The Write Data permission applies only to files and allows or denies making changes to the file and overwriting existing content by NTFS or ReFS.
Create Folders/Append Data: The Create Folders permission applies only to folders and allows or denies creating folders in the folder.
The Append Data permission applies only to files and allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data.
Write Attributes: The Write Attributes permission allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS or ReFS.
The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To allow or to deny Create or Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes: The Write Extended Attributes permission allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program.
The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To allow or to deny Create or Delete operations, view the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.
Delete Subfolders and Files: The Delete Subfolders and Files permission applies only to folders and allows or denies deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.
Delete: The Delete permission allows or denies deleting the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.
Read Permissions: Read Permissions allows or denies reading the permissions on the file or folder, such as Full Control, Read, and Write.
Change Permissions: Change Permissions allows or denies changing the permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership: The Take Ownership permission allows or denies taking ownership of the file or folder. The owner of a file or folder can change permissions on it,
Synchronize: The Synchronize permission allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that might signal it. This permission applies only to multiple-threaded, multiple-process programs.
Note: When assigning both standard and special NTFS permissions, permissions set to
Deny typically override permissions set to Allow. Also, permissions can be set for various object
types, such as printers, registry keys, Active Directory objects, or system objects such as processes.
Depending on the object type, each might have different permission sets available for it. For
example, printers have permissions for Print, Manage Printers, and Manage Documents, which
are not applicable to files and folders; likewise, in Active Directory you have permissions
that go down to attribute-level read/write access.
1. Right-click the file or folder to which you want to assign permissions, and then click Properties.
When Access Based Enumeration is applied to a folder share, only the files and folders that a user has
permissions to access will be displayed. If a user does not have Read (or equivalent) permission for a folder,
Windows hides the folder from the user’s view.
One final aspect of file and folder permissions that we’ll call out here, and that you should be aware of, is
owner rights. By default, the owner of an object has permissions on it that may be greater than
intended, such as deleting. This can be an issue if an administrator was tasked with creating specific
objects but was not intended to retain further control or permissions over them, or if people have
moved positions but still retain permissions greater than intended. To mitigate this you can add the
OWNER RIGHTS security principal to the object and then apply specific permissions, such as Read only, to
the object for the owner. This will limit the permissions the owner has on the object.
Permissions Inheritance
By default, the permissions granted to a parent folder are inherited by its subfolders and files. Permissions can be inherited only from a direct parent, and any files and folders contained within the parent folder will be assigned the same permissions as the parent folder, even if the parent folder’s permissions are modified. Permissions inherited in this manner are known as inherited permissions.
contained within it inherit the permissions assigned to it. A folder that has had inheritance blocked will
either copy the inherited permissions as explicit permissions, or will remove all inherited permissions.
Permissions inherited in this manner are also often called implicit permissions.
Permissions assigned to a file or folder directly, overriding that file or folder’s inherited permissions, are
called explicit permissions. Explicit permissions behave differently than inherited permissions when being
moved within an NTFS volume.
1. Right-click the file or folder to which you want to block inheritance, and then click Properties.
5. You then receive a prompt to either convert the inherited permissions into explicit permissions or to
remove all inherited permissions from the object.
When you copy a file or folder:
• Within the same NTFS partition, the copy of the folder or file inherits the permissions of the
destination folder.
• To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination
folder.
• To a non-NTFS partition, such as a FAT32 partition, the copy of the folder or file loses its NTFS
permissions, because non-NTFS partitions do not support NTFS permissions.
Note: All these are also applicable where ReFS is the file system in question. Also, if files are
copied between NTFS and ReFS partitions, the file or folder inherits the permissions of the
destination folder.
When you move a file or folder:
• Within the same NTFS partition, the folder or file keeps its original permissions. If the permissions of
the new parent folder are changed later, the file or folder will inherit the new permissions.
Permissions explicitly applied to the folder will be retained. Permissions previously inherited will be
lost.
• To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When
you move a folder or file between partitions, the Windows Server 2012 operating system copies the
folder or file to the new location and then deletes it from the old location.
• To a non-NTFS partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do
not support NTFS permissions.
Again, all these are also applicable where ReFS is the file system in question. If files are moved between
NTFS and ReFS partitions, the file or folder inherits the permissions of the destination folder and loses its
explicit permissions.
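The Get-ACL/Set-ACL and icacls.exe tools mentioned under Access Control, applied to the inheritance procedure described above, as an added example that is not part of the courseware: it lists a folder's ACEs with their inherited/explicit status, then blocks inheritance the two ways the properties dialog offers (convert inherited entries to explicit ones, or remove them). C:\Shares\Finance is a placeholder path and Show-FolderAcl is my own helper; the script changes that folder's DACL, so run it against a test folder as a user with Full Control on it.

```powershell
# Added example, not part of the courseware. Placeholder folder:
$Folder = 'C:\Shares\Finance'

function Show-FolderAcl {
    param([string]$Path)
    # One row per ACE: principal, Allow/Deny, rights, and whether the ACE is
    # inherited (implicit) or was set on this object directly (explicit).
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights,
                      IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

'DACL before blocking inheritance:'
Show-FolderAcl -Path $Folder

# Option 1, the dialog's "convert" choice: protect the DACL from inheritance
# but keep copies of the inherited ACEs as explicit ACEs. Effective access is
# unchanged right now; future changes to the parent simply stop flowing down.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)   # isProtected = $true, preserveInheritance = $true
Set-Acl -Path $Folder -AclObject $acl

'DACL after converting inherited ACEs to explicit ACEs (IsInherited is now False):'
Show-FolderAcl -Path $Folder

# Option 2, the dialog's "remove" choice: protect the DACL and discard the
# inherited ACEs, leaving only the explicit ones. Add the entries you still
# need BEFORE doing this, or only the owner (via Take Ownership) can get back in.
#   $acl = Get-Acl -Path $Folder
#   $acl.SetAccessRuleProtection($true, $false)
#   Set-Acl -Path $Folder -AclObject $acl

# The same operations with icacls.exe, plus its ACL backup/restore:
#   icacls $Folder /inheritance:d     # disable inheritance, keep copies as explicit ACEs
#   icacls $Folder /inheritance:r     # disable inheritance, remove inherited ACEs
#   icacls $Folder /inheritance:e     # re-enable inheritance from the parent
#   icacls $Folder /save C:\Temp\finance-acl.txt /t   # back up the ACLs of the tree
#   icacls C:\Shares /restore C:\Temp\finance-acl.txt  # restore them (paths are relative to the parent)
```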
The following table lists the options available for shared folder permissions. You can choose whether to
allow or deny each of the permissions.
Read: Read permission allows users to view folder and file names, file data, and file attributes. Users are also able to access the shared folder's subfolders, and run program files and scripts.
Change: Users that are granted the Change permission can perform all the functions granted by the Read permission in addition to creating and deleting files and subfolders. Users are also able to change file attributes, change the data in files, and append data to files.
Full Control: Users that are granted the Full Control permission can perform all the tasks enabled by the Change permission as well as take ownership of files, and change file permissions.
To access the folder permissions listed in the table, follow these steps:
2. Click the Sharing tab, and then click the Advanced Sharing button.
To access a more simplified set of permissions (Read, Read/Write, and Remove), follow these steps:
The Sharing tab is only present in folder properties, not file properties.
Note: As with NTFS permissions, when assigning shared folder permissions, permissions set
to Deny typically override permissions set to Allow.
When creating Windows Server 2012 file server shares, you can make the shares available through the File
and Storage Services role that can be installed in Server Manager. This allows for the centralized creation
and control of shares in an organization.
Administrators can make shares available using the following two protocols:
• Server Message Block (SMB). Allows Windows-based clients to read, write, and access files and
folders on a remote Windows Server 2012 server. Windows Server 2012 released with SMB 3.0, which
comes with additional features and functionality such as the following:
o Support for network adapters that are Remote Direct Memory Access (RDMA)–capable—that is,
can transfer data directly between network adapters without using operating system resources.
• Network file system (NFS). Allows non-Windows-based clients to read, write, and access files and
folders on a remote Windows Server 2012 server.
You can also use Windows PowerShell to configure file shares. Depending on the protocol used for the file
share, you could use a series of NFS cmdlets or SMB Share cmdlets.
More information about SMB Windows PowerShell cmdlets can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309141
More information about NFS Windows PowerShell cmdlets can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309142
When you grant shared folder permissions on an NTFS volume, the following rules apply:
• By default, the Everyone group is granted the shared folder permission Read.
• Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared
folder, in addition to the appropriate shared folder permissions to access those resources.
• When NTFS file system permissions and shared folder permissions are combined, the resulting
permission is the most restrictive one of the effective shared folder permissions or the effective NTFS
file system permissions.
• The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders.
• Remove the Everyone group from any permission lists and replace it with the Authenticated Users
group.
• Use the most restrictive group that contains the users you want to grant access.
If you want only the users of the domain to access the information but no other users from other
trusted domains, it would be better to use domain users rather than authenticated users.
When dealing with a shared folder, you must always go through the shared folder to access its files over
the network. Therefore, you can think of the shared folder permissions as a filter that only allows users to
perform actions on its contents that are acceptable to the share permissions. All NTFS permissions that are
less restrictive than the share permissions are filtered out so that only the share permission remains.
For example, if the share permission is set to Read, then the most you can do when accessing the share
over the network is read the contents, even if the individual NTFS file permission is set to Full Control. If
you configure the share permission to Modify, then you are allowed to read or modify the shared folder
contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective
permission down to just Modify.
You can check the effective permissions that a user, group, or computer “device account” will have on an
object based on the NTFS permissions that have been assigned to an object. This is done on the Security
tab of the object’s Properties dialog box, by clicking the Advanced button, and then selecting the Effective
Access tab. However, share permissions are not included in calculating the effective permissions; only file
and folder or NTFS permissions are taken into account.
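As an added example (not from the courseware), the following Windows PowerShell functions apply the filtering rule described above: the effective network access is the more restrictive of the share permission and the NTFS permission, with a Deny entry on either side winning. The live check uses Get-SmbShareAccess and Get-Acl and, as a simplifying assumption, only considers entries granted directly to the named account, not through nested group membership.

```powershell
# Added example, not part of the courseware. Ordinal levels so that
# "more restrictive" is simply the lower index.
$script:LevelNames = @('None', 'Read', 'Change', 'Full')

function Get-EffectiveAccessLevel {
    # Combine a share permission and an NTFS permission into the effective
    # permission a user gets over the network (the lower of the two).
    param(
        [Parameter(Mandatory)][string]$ShareLevel,   # None, Read, Change or Full
        [Parameter(Mandatory)][string]$NtfsLevel     # None, Read, Change or Full
    )
    $s = [array]::IndexOf($script:LevelNames, $ShareLevel)
    $n = [array]::IndexOf($script:LevelNames, $NtfsLevel)
    if ($s -lt 0 -or $n -lt 0) { throw "Unknown level '$ShareLevel' or '$NtfsLevel'" }
    return $script:LevelNames[[Math]::Min($s, $n)]
}

function ConvertTo-AccessLevel {
    # Map NTFS FileSystemRights onto the three share-style levels. Modify is
    # the NTFS right closest to the share permission Change.
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    if ($Rights.HasFlag($fsr::FullControl))    { return 'Full' }
    if ($Rights.HasFlag($fsr::Modify))         { return 'Change' }
    if ($Rights.HasFlag($fsr::ReadAndExecute)) { return 'Read' }
    return 'None'
}

function Get-HighestLevel {
    # Of several Allow entries for the same account, the most permissive applies.
    param([string[]]$Levels)
    $best = 'None'
    foreach ($l in $Levels) {
        if ([array]::IndexOf($script:LevelNames, $l) -gt [array]::IndexOf($script:LevelNames, $best)) {
            $best = $l
        }
    }
    return $best
}

function Get-ShareEffectiveAccess {
    # Live check against a share on this server (requires the SmbShare module,
    # present on Windows Server 2012 and later).
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$Account      # e.g. 'ADATUM\Research'
    )
    $share = Get-SmbShare -Name $ShareName

    # Share side: an explicit Deny overrides any Allow (see the note on Deny above).
    $shareAces = @(Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -eq $Account })
    if ($shareAces | Where-Object { $_.AccessControlType -eq 'Deny' }) { $shareLevel = 'None' }
    else { $shareLevel = Get-HighestLevel ($shareAces | ForEach-Object { $_.AccessRight.ToString() }) }

    # NTFS side, read from the share's local path.
    $ntfsAces = @((Get-Acl -Path $share.Path).Access | Where-Object { $_.IdentityReference.Value -eq $Account })
    if ($ntfsAces | Where-Object { $_.AccessControlType -eq 'Deny' }) { $ntfsLevel = 'None' }
    else { $ntfsLevel = Get-HighestLevel ($ntfsAces | ForEach-Object { ConvertTo-AccessLevel $_.FileSystemRights }) }

    [pscustomobject]@{
        Share                = $ShareName
        Account              = $Account
        SharePermission      = $shareLevel
        NtfsPermission       = $ntfsLevel
        EffectiveOverNetwork = Get-EffectiveAccessLevel -ShareLevel $shareLevel -NtfsLevel $ntfsLevel
    }
}

# The text's own example: share permission Read combined with NTFS Full Control.
Get-EffectiveAccessLevel -ShareLevel 'Read' -NtfsLevel 'Full'
# Live check of the lab share (assumed to exist on this server):
# Get-ShareEffectiveAccess -ShareName 'Research' -Account 'ADATUM\Research'
```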
Demonstration Steps
1. Create a new folder called Deliverables.
The other type is advanced auditing, which is new in Windows Server 2012 and contains more granular
and advanced functionality. It is available in the Group Policy Management Editor, under Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Object Access. It is within here that auditing policy should be configured.
Within this Object Access node there are 14 auditing policies that can be applied across a network. These
cover a range of areas, including the three listed in the following table.
Policy: Description
Audit Detailed File Share: Audits attempts to access files and folders on a shared folder. It logs an event every time a file or folder is accessed. Event ID 5145 is generated when an event is logged.
Audit File Share: Audits events when a computer accesses a file share. Can generate a range of Event IDs, such as 5140, 5142, 5143, 5144, and 5168 depending on the event type.
Audit File System: Audits user attempts to access file system objects. Can be combined with the Audit File Share policy to track the content, source, and user account attempting to access an object. Can generate a range of Event IDs including 4664, 4985, and 5051.
The logging of events is based around the use of SACLs. For the Audit Detailed File Share and Audit
File Share policies, no SACLs are involved; therefore, after those policies are enabled, access to all shares on the
system will be audited. Before enabling these policies, you should ensure that you are aware of the
volume of events that will be generated so that there are no detrimental effects.
You should understand that there are two components to enable auditing in this context. The server must
be instructed about which areas of the operating system to audit, as is done in Group Policy, and the
resource on the server must be configured with the SACL that you want to audit.
You enable auditing on the resource in the same place that you configure NTFS permissions. For example,
right-click the folder, click Properties, select the Security tab, click the Advanced button, and then select
the Auditing tab. Within this dialog box, specific users, groups, or computers can be selected to trace
access events.
It is also possible to specify a condition to limit the scope of the auditing. For example, security events will
only be logged if specific conditions are met. This allows for more granular configuration and can
significantly reduce the volume of events traced.
When enabling auditing on a specific file or folder, the same inheritance rules used by NTFS permissions
and shared folder permissions apply to the auditing properties. By default, files and folders will inherit
their parent’s audit settings unless inheritance is blocked or explicitly specified.
After auditing is configured, file and folder auditing events will be recorded to the Windows security log.
This log can be viewed in Event Viewer, accessed through the Tools menu in Server Manager.
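As an added example (not from the courseware), the following Windows PowerShell functions cover both components described above: the policy side (the three Object Access subcategories, set here with auditpol.exe instead of Group Policy) and the resource side (a SACL on a folder), and then read the share events back from the Security log. The folder path, the audited rights, and the event fields shown are assumptions; run it elevated on the file server.

```powershell
# Added example, not part of the courseware. Run elevated on the file server.

function Enable-FileShareAuditing {
    # Component 1: tell the server which areas to audit. Subcategory names are
    # the ones auditpol.exe lists ("auditpol /list /subcategory:*").
    foreach ($sub in 'File Share', 'Detailed File Share', 'File System') {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    auditpol.exe /get /category:"Object Access"
}

function Add-FolderAuditRule {
    # Component 2: the SACL on the resource. Only the File System subcategory
    # needs it; the two share subcategories log without one, as the text notes.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        [string]$Rights   = 'Write, Delete, ChangePermissions, TakeOwnership'
    )
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ShareAccessEvents {
    # Pull 5140 (share accessed) and 5145 (detailed share access check) and
    # flatten the EventData of each record into one row.
    param([string]$ShareName = 'Research', [int]$MaxEvents = 500)
    $filter = @{ LogName = 'Security'; Id = 5140, 5145 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Client = $data['IpAddress']
                Share  = $data['ShareName']          # e.g. \\*\Research
                Target = $data['RelativeTargetName'] # present on 5145 only
                Access = $data['AccessMask']
            }
        } | Where-Object { $_.Share -like "*\$ShareName" }
}

# Usage on the lab server (assumed paths):
# Enable-FileShareAuditing
# Add-FolderAuditRule -Path 'C:\Research'
# Get-ShareAccessEvents -ShareName 'Research' | Format-Table -AutoSize
```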
Demonstration Steps
1. Configure the object access auditing policy to audit file access.
• Central access policy for access to files. Enables organizations to set organization wide policies that
reflect business and regulatory compliance.
• Auditing for compliance and analysis. Enables targeted auditing across file servers for compliance
reporting and forensic analysis.
• Protecting sensitive information. Identifies and protects sensitive information within a Windows Server
2012 environment, and also when it leaves the Windows Server 2012 environment.
• Access denied remediation. Improves the access-denied experience to reduce helpdesk load and
incident time for troubleshooting.
Dynamic Access Control leverages the following technologies:
• Active Directory Domain Services and its dependent technologies for enterprise network
management.
• Kerberos version 5 (V5) protocol, including compound identity for secure authentication.
• Windows security (local security authority (LSA), Net Logon service) for secure logon transactions.
• Active Directory Rights Management Services (AD RMS) for additional protection.
In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS
permissions. By using NTFS permissions and their ACLs, administrators can control access to resources
based on user name security identifiers (SIDs) or group membership SIDs, and the level of access such as
Read-only, Change, and Full Control. However, once you provide someone with, for example, Read-only
access to a document, you cannot prevent that person from copying the content of that document into a
new document or printing the document.
By implementing AD RMS, you can establish an additional level of file control. Unlike NTFS permissions,
which are not application-aware, AD RMS sets a policy that can control document access inside the
application that the user uses to open it. By implementing AD RMS, you enable users to protect
documents within applications.
Using Windows client operating systems prior to Windows® 8, you cannot set conditional access to files
by using NTFS and AD RMS. For example, you cannot set NTFS permissions so that users can access
documents if they are members of a specific group, or if their EmployeeType attribute is set to Full
Time Employee (FTE). Additionally, you cannot set permissions so that only users who have a
department attribute populated with the same value as the department attribute of the resource can
access the content. However, you can use conditional expressions to accomplish these tasks. You can use
Dynamic Access Control to take attribute values on user or resource objects into account when granting or denying
access.
Dynamic Access Control provides access control based on expressions that can include security groups,
claims and resource properties both in NTFS ACL and central access policies.
Lesson 3
Implementing Encryption
In this age of information interconnection, an organization’s network might consist of intranets, Internet
sites, and extranets—all which are potentially susceptible to access by unauthorized individuals. Therefore,
it is important that you have some means of ensuring that your organization’s data and communications
are secure. Encrypting data or the volumes on which data resides is one part of that process. This lesson
describes these technologies.
Lesson Objectives
After completing this lesson, students will be able to:
• Describe how Encrypting File System (EFS) helps ensure file security.
• Describe how BitLocker® Drive Encryption ensures drive and volume security.
• CAs. CAs represent the people, processes, and tools used to create digital certificates. Before issuing a
digital certificate, a CA verifies the user's identity and the validity of the user's purpose for
obtaining a digital certificate. A CA places the user's digital signature on a certificate, which both
verifies that the certificate has come from a trusted source and acts like a tamper-proof seal on the
certificate itself, preventing any attempts to tamper with the digital certificate. CAs also operate in a
hierarchical manner, where a CA that issues certificates can use another, more widely trusted CA as its
parent to maintain the level of trust necessary within a PKI environment.
• Certificate revocation lists (CRLs). CRLs contain a list of certificates that have been revoked or
removed from a CA prior to the certificate's expiry date. Depending on the application that relies on
the certificate, it is important that the CRLs are available from all locations where the certificate might
be used. Some applications perform CRL checking, and others don't. If all certificates are used
internally only, you do not need to publish the CRL outside your organization. If a certificate is used for your
Hypertext Transfer Protocol Secure (HTTPS) external website, or for your users accessing the
corporate network externally through a virtual private network (VPN), you need to define and
manage publishing the CRL to a location available on the Internet.
• Certificate and CA management tools. When a Windows server is configured as a CA, a specific set
of tools is available to create and manage certificates, manage CRLs, and perform maintenance on
different aspects of the PKI environment. An example of this follows.
Consider the diagram on the slide for this topic. Data at the A. Datum web server is encrypted using A.
Datum’s private key and SSL encryption. The resultant encrypted data is sent out over the public Internet
to the web client who is accessing the information on the server. Because the data has been encrypted
using A. Datum’s private key, the web client can be assured that the information is coming from A. Datum
and is genuine.
Alternatively, data sent from the client to the server, such as personal or financial information, is first
encrypted using Secure Sockets Layer (SSL) and A. Datum's public key attached to the digital certificate.
The user can be assured that encrypted information is safe in transit because only A. Datum’s private key
can decrypt the data. It is critical for private keys to be secured in order to maintain the integrity of this
exchange.
In Windows Server environments, core PKI components such as digital certificates, CAs, or CRLs are
configured and managed through Active Directory Certificate Services (AD CS). This is installed as a role in
Windows Server 2012.
Digital certificates are used for a wide variety of purposes. Depending on the nature of the issuing CA,
certain digital certificates might have a specific level of trust assigned to them. Public, private, and self-
signed certificates each have individual characteristics that make them suitable for specific
implementations. The following points outline characteristics of public, private, and self-signed
certificates:
• Public CAs typically charge a fee for providing a digital certificate, but the certificate is universally
trusted. Also, public certificates can be used in almost any situation a private certificate is used. Digital
certificates used on the public Internet are most commonly issued by a public CA.
• Private certificates allow an organization to manage its certificate issuing process, and any number of
certificates can be generated at no cost. This allows an organization with the requirement to issue
many certificates for internal use to use a private CA and not incur the costs associated with a large
number of public certificates. This gives an organization a great deal of control over certificate
management, but requires additional administrative overhead. Private certificates can be used within
an organization to facilitate secure email or the encryption of individuals' data.
• Self-signed certificates do not require the implementation of a stand-alone CA. Rather, the
application itself creates and signs the certificate. This decreases the administrative overhead of
maintaining a private CA, and the organization incurs no extra costs. The main drawback is that the
self-signed certificate has a very limited valid scope; it is strictly within the application itself.
More information about PKI and Active Directory Certificate Services (AD CS) in Windows
Server 2012 can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309143
Question: Why would a private certificate created by its owner be used instead of a public
certificate provided by a third party?
Question: Why would an organization choose to use self-signed certificates over private
certificates?
Information technology (IT) professionals should be aware that although encryption is a powerful addition
to any defensive plan, it might not be the correct measure for every threat, and if used incorrectly, carries
the potential for harm or loss of data. EFS must be understood, implemented appropriately, and managed
effectively to ensure that your experience, the experience of those to whom you provide support, and the
data you want to protect are not compromised.
The following are some important features and functionality about EFS:
• EFS encryption does not occur at the application level but rather at the file-system level; therefore,
the encryption and decryption process is transparent to the user and to the application. Applications
do not have to understand EFS or manage EFS-encrypted files any differently than unencrypted files.
• If a folder is marked for encryption, every file created in or moved to the folder will be encrypted.
• EFS uses a combination of public-key and symmetric-key encryption to protect files from attack. EFS
uses a symmetric key to encrypt the file, and a public key to protect the symmetric key.
• If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a
recovery agent exists, then the file might be recoverable. If a PKI is used and archival has been
implemented, then the key might be recovered, and the file decrypted; otherwise, the file might be
lost. It is important to manage the private key of the recovery agent and store it in a safe location.
• The user’s public and private keys are protected by the user's password. Any user who can obtain the
user ID and password can log on as that user and decrypt that user's files. Therefore, a strong
password policy and strong user education must be a component of each organization's security
practices to ensure the protection of EFS-encrypted files. It is also possible to use certificates issued to
a user’s smart card for EFS.
• IT administrators should ensure that they back up certificates and have a key recovery process in
place in the event of lost or damaged keys.
• EFS is only supported on the NTFS file system. EFS is not supported on ReFS, FAT, or any other file
system. If a user moves or copies an encrypted file to a non-NTFS file system, such as a floppy disk or
USB flash drive formatted with FAT32, the file will no longer be encrypted.
Users can make encrypted files accessible to other users’ EFS certificates. If you grant access to another
user’s EFS certificate, that user can, in turn, make the file available to other users’ EFS certificates. EFS
certificates are only issued to individual users, not to groups.
When a file is accessed remotely, it doesn't matter which remote machine an EFS-encrypted file is
accessed from; the file is decrypted on the machine where it is stored, which means the file itself travels in
plaintext over the network. If the file needs to be shared and remain encrypted for all users who
view it remotely, additional encryption mechanisms might be required, such as Internet Protocol security
(IPsec) or Web Distributed Authoring and Versioning (WebDAV) with SSL.
EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard (AES).
AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.
Configuration
The default configuration of EFS requires no administrative effort to allow users to implement it. Users can
begin encrypting files immediately, and EFS automatically generates a user certificate with a key pair for a
user if one does not already exist and there is no CA in place.
To encrypt a file or folder, a user can right-click the file or folder, and click Properties. In the Properties
dialog box, click the Advanced button, and then in the Advanced Attributes dialog box, select the
Encrypt Contents To Secure Data check box. You will then be prompted to confirm your action, and
after you confirm it, EFS encrypts your file, or your folder and all the content within it. In File Explorer, encrypted items
are then displayed in a different color than the non-encrypted files so they are easily distinguishable.
Note: If EFS, and especially the recovery agent, are not planned, it is recommended that
you use Group Policy to prevent users from encrypting the files to prevent files from being lost.
You can disable EFS on client computers by using Group Policy. In the GPMC, navigate to Computer
Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File
System, right-click this policy setting, click Properties, and then click Don't Allow.
After a file has been encrypted, file sharing is enabled through the user interface as usual. Users can be
added either from the local computer or from AD DS, provided the user has a valid certificate
for EFS.
More information about EFS functionality can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309144
system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are
decommissioned or recycled.
BitLocker provides for offline data protection and system integrity verification, both of which are
described in the following sections.
Offline data protection encrypts all data stored on the Windows operating system volume (and
configured data volumes). This includes user files; Windows operating system, hibernation, and paging
files; applications; and data used by applications. BitLocker also provides an umbrella protection for non-
Microsoft® applications, which benefits the applications when they are installed on the encrypted volume.
By default, offline data protection is configured to use a Trusted Platform Module (TPM) to help ensure
the integrity of early startup components (components used in the earlier stages of the startup process),
and "locks" any BitLocker-protected volumes so that they remain protected even if the computer is
tampered with when the operating system is not running.
BitLocker is extended from operating system drives and fixed data drives to include removable storage
devices such as portable hard drives and USB flash drives. These devices are readable only with Windows 8
and Windows Server 2012. It is also possible to encrypt the full disk or, alternatively, just the space that
has been used; as additional disk space is used, the data written to it is encrypted.
BitLocker also supports Windows Clustered Shared Volumes and Windows Failover Clusters to provide
protection for highly available servers and services. It also supports ReFS.
Offline data protection can use existing Active Directory Domain Services (AD DS) infrastructure to
remotely store BitLocker recovery keys.
BitLocker uses a TPM (version 1.2 or 2.0), which is functionality supported within the central processing
unit (CPU) of a computer, to verify the integrity of the operating system startup process. This helps
prevent additional offline attacks, such as attempts to insert malicious code into those components.
System integrity verification provides a method to check that early boot file integrity has been
maintained, and to help ensure that there has been no adverse modification of those files, such as with
boot sector viruses or rootkits. This functionality is important because the components in the earliest part
of the startup process must be available unencrypted so that the computer can start.
It also enhances protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for the Windows operating system volume.
System integrity verification also locks the system when tampered with. If any monitored files have been
tampered with, the system does not start. This alerts the user to the tampering because the system fails to
start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
Note: TPM is not required for BitLocker to be installed and used. However, the startup
integrity check does require TPM. As such, if TPM is not present, the startup integrity checks
cannot be executed.
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer
asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To
Go® provides enhanced protection against data theft and exposure by extending BitLocker Drive
Encryption support to removable storage devices such as USB flash drives, and can be managed through
Group Policy. BitLocker To Go works with FAT16, FAT32, or NTFS.
When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that
the drive is encrypted and prompt you to unlock it.
In Windows Server 2012, BitLocker is enabled by installing the BitLocker Drive Encryption feature in Server
Manager. It is highly configurable through Group Policy in GPMC under Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
It is also possible to enable, disable, and configure BitLocker by using Windows PowerShell. Examples of
some BitLocker cmdlets are included in the following table.
To view all the available BitLocker commands in the Windows PowerShell console, type the following in a
Windows PowerShell console.
Help *BitL*
To view the Help information for individual cmdlets, type the following example, substituting the cmdlet
name.
More information about BitLocker Drive Encryption can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309145
More information about Windows PowerShell cmdlets for BitLocker can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309146
EFS
encryption keys, which allow for both the encryption and decryption of files or folders. Other users cannot
view the contents of the files unless the key is made available to them.
EFS allows users to quickly and conveniently encrypt files or folders that contain sensitive data, knowing
the data will be secure regardless of file or folder permissions granted. It does not require a restart of the
system and there are no hardware requirements to enable it.
Although EFS provides for the encryption of file contents, it does not encrypt file metadata such as file
name, file size, file extension type, or assigned permissions.
BitLocker
BitLocker is a full disk encryption system built into Windows Server 2012 and Windows 8. It provides for
encryption of the entire operating system volumes and additional data volumes.
BitLocker To Go provides for the encryption of removable data drives like USB flash drives or portable
hard drives.
BitLocker uses keys for encryption in similar fashion to EFS, but provides more options for key
management. Users can store encryption keys on a removable USB drive, store them in Active Directory,
incorporate passkeys or incorporate a special hardware feature called Trusted Platform Module (TPM) to
ensure that an encrypted volume only allows for decryption while attached to a specific system.
Depending on domain policies for Windows 8 computers that do not have TPM functionality, the
administrator must enable the Allow BitLocker Without Compatible TPM option in the Require
Additional Authentication At Startup operating system volumes’ Group Policy.
BitLocker compared with EFS:
BitLocker: Encrypts all personal and system files on system, data, and removable drives.
EFS: Encrypts files and folders individually. Does not encrypt the entire drive.
BitLocker: Is implemented for all users or groups. Does not depend on individual user accounts.
EFS: Is implemented at the user level. Individual users can encrypt their own files.
BitLocker: Requires TPM for full functionality—that is, it can encrypt drives and volumes but TPM is needed for the startup integrity check.
EFS: Does not require any special hardware.
BitLocker: Can be installed and configured using Windows PowerShell.
EFS: No dedicated Windows PowerShell EFS cmdlets are available.
As stated earlier, both EFS and BitLocker have benefits and, depending on your particular requirements,
either one could be preferred.
Note: A number of potential events could cause BitLocker to enter recovery mode when
restarting the computer, such as adding volumes, hard drives, or DVD drives. To avoid that
situation when making significant hardware changes to the computer, it is advisable to suspend
BitLocker before making the changes.
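As an added example (not from the courseware) serving both the BitLocker cmdlet discussion and the note above, the following Windows PowerShell functions protect the operating system volume with a TPM protector, add a recovery password and back it up to AD DS, summarize the state of every volume, and suspend BitLocker for one reboot before a hardware change. It assumes the BitLocker Drive Encryption feature is installed, a TPM is present, the OS volume is C:, and the Group Policy that stores recovery information in AD DS is enabled.

```powershell
# Added example, not part of the courseware. Assumes the BitLocker Drive
# Encryption feature is installed, a TPM is present, and the OS volume is C:.

function Protect-OperatingSystemVolume {
    param([string]$MountPoint = 'C:')
    # TPM protector: the startup integrity check described above. The volume is
    # unlocked only if the early boot components measure as they did at setup.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    # Recovery password: what the recovery process uses when the TPM refuses to
    # release the key (for example after the hardware changes noted above).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    # Store the recovery information in AD DS so the helpdesk can retrieve it.
    # Needs the "Store BitLocker recovery information in AD DS" Group Policy.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    return $vol
}

function Get-BitLockerSummary {
    # One row per volume: encryption state, whether protection is on, and which
    # key protectors exist (TPM, RecoveryPassword, ...).
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        EncryptionPercentage,
        @{ Name = 'Protectors'
           Expression = { ($_.KeyProtector.KeyProtectorType | ForEach-Object { $_.ToString() }) -join ',' } }
}

function Suspend-BitLockerForHardwareChange {
    # Suspend (the volume key is stored unprotected for exactly one reboot)
    # before adding drives or other hardware, so the change does not trigger
    # recovery mode. Protection resumes automatically after that reboot.
    param([string]$MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

# Usage:
# Protect-OperatingSystemVolume
# Get-BitLockerSummary | Format-Table -AutoSize
# Suspend-BitLockerForHardwareChange   # then shut down and make the hardware change
```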
You have also been asked by your supervisor to create a shared folder structure on LON-SVR1 that
satisfies the Research team’s request for access.
It has been requested by your supervisor that, on LON-SVR1, specific files containing sensitive information
in the Classified subfolder of the new Research shared folder be encrypted to prevent unauthorized
access. You have been asked to test encryption on the Classified folder.
Objectives
After completing this lab, students will be able to:
• Create and apply a Fine Grained password policy
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
• Password: Pa$$w0rd
• Domain: ADATUM
A. Datum already has a password policy in place, based on the following criteria.
• Passwords must contain at least three of the four following character types: lowercase letters (a–z),
uppercase letters (A–Z), numbers (0–9), and symbols (for example, ! @ # $).
• Users cannot use a password again until five other different passwords have been used.
• Users should be locked out of the system after repeated failed logon attempts.
You have been asked to extend the minimum password length to 10 characters for the Research group,
while still maintaining the above criteria for the remainder of the company.
4. Add all users from the Research group to the new Research Shadow Group
Task 2: Create a fine-grained password policy and apply it to the Research group
1. On 10967A-LON-DC1 open the Active Directory Administrative Center
2. Open the Password Settings Container
3. Is Max successful?
4. Change Max’s password to Pa$$w0rd1
5. Is Max successful?
8. Now log into 10967A-LON-CL1 with user name ADATUM\Franz and password Pa$$w0rd
Results: After this exercise, you should have configured Password and Account Lockout settings in
Account Policies.
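As an added example (not from the courseware), the following Windows PowerShell functions create the fine-grained password policy this exercise asks for: the existing A. Datum rules (complexity, five remembered passwords, lockout after repeated failures) with the minimum length raised to 10 characters, applied to the Research group, plus a check of which policy actually applies to a user. The PSO name, precedence, lockout threshold and durations are assumptions; the text gives only the criteria listed above.

```powershell
# Added example, not part of the courseware. Run on a domain controller or a
# computer with the AD DS management tools installed.
Import-Module ActiveDirectory

function New-ResearchPasswordPolicy {
    param([string]$Group = 'Research', [string]$PsoName = 'Research-PSO')
    # Lockout threshold and durations are assumed; the text only says users
    # should be locked out after repeated failed logon attempts.
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 10 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 5 `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
    # PSOs apply to users and global security groups, not to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group
}

function Test-ResultantPolicy {
    # Shows which PSO wins for a user. A Research member should see
    # MinPasswordLength 10; for a user with no PSO nothing is returned, which
    # means the domain default (Default Domain Policy) applies.
    param([Parameter(Mandatory)][string]$User)
    Get-ADUserResultantPasswordPolicy -Identity $User |
        Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold
}

# Usage with the lab's names: New-ResearchPasswordPolicy; Test-ResultantPolicy -User 'Max'
```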
2. Assign appropriate NTFS file and folder permissions to the folder structure
3. Share the C:\Research folder on the network and set appropriate shared folder permissions
4. Test access to C:\Research folders
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1. Block inheritance for the C:\Research folder.
2. Assign the ADATUM\Research group Full Control over the C:\Research folder
3. Block inheritance for the C:\Research\Classified folder.
Task 3: Share the C:\Research folder on the network and set appropriate shared
folder permissions
1. Share the C:\Research folder on the network.
Note: ADATUM\Bill is a member of the Managers group. He is not a member of the Research group.
Results: After this exercise, you should have secured NTFS and shared folders.
2. Confirm that the Classified folder and files have been encrypted by attempting to open the
Personal.txt file in the C:\Research\Classified folder. The encrypted file and folder names should
also be listed in green text.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
Results: After this exercise, you should have encrypted and decrypted files and folders by using
Encrypting File System (EFS).
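As an added example (not from the courseware) covering Tasks 2 and 3 of the NTFS and shared folder exercise and the EFS test that follows, the following Windows PowerShell script builds C:\Research and C:\Research\Classified with inheritance blocked and the Research group granted Full Control, shares the folder without the default Everyone Read entry, encrypts the Classified folder with EFS, and verifies the Encrypted attribute. The Personal.txt contents are constructed, and keeping SYSTEM and Administrators on the ACL is an assumption; run it on LON-SVR1 as a member of ADATUM\Research so the EFS certificate used is that user's.

```powershell
# Added example, not part of the courseware. Run elevated on LON-SVR1.
Import-Module SmbShare

function Set-ProtectedFolderAcl {
    # Block inheritance, then grant exactly the listed principals Full Control.
    param([Parameter(Mandatory)][string]$Path, [string[]]$FullControl)
    $acl = Get-Acl -Path $Path
    # $true: stop inheriting; $false: discard the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($who in $FullControl) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Initialize-ResearchShare {
    param([string]$Path = 'C:\Research', [string]$Group = 'ADATUM\Research')
    New-Item -ItemType Directory -Path "$Path\Classified" -Force | Out-Null
    # Task 2: NTFS. SYSTEM and Administrators are kept (assumption) so the server
    # and its admins can still manage the folder; Research gets Full Control.
    $principals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $Group
    Set-ProtectedFolderAcl -Path $Path -FullControl $principals
    # Classified also blocks inheritance; same principals, tighten further if required.
    Set-ProtectedFolderAcl -Path "$Path\Classified" -FullControl $principals
    # Task 3: share. Naming an access list means Everyone is not added with Read;
    # the explicit revoke makes that intent visible and is harmless if absent.
    New-SmbShare -Name 'Research' -Path $Path -FullAccess $Group | Out-Null
    Revoke-SmbShareAccess -Name 'Research' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
    Get-SmbShareAccess -Name 'Research'
}

function Protect-ClassifiedFolder {
    param([string]$Path = 'C:\Research\Classified')
    # Constructed sample file standing in for the lab's Personal.txt.
    Set-Content -Path "$Path\Personal.txt" -Value 'constructed sample: sensitive research notes'
    # Mark the folder encrypted (/e) together with its contents (/s); files
    # created in it later inherit the attribute, as the text describes.
    cipher.exe /e /s:"$Path" | Out-Null
    # Verify: the Encrypted attribute is what File Explorer shows in green.
    @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force) | ForEach-Object {
        [pscustomobject]@{
            Item      = $_.FullName
            Encrypted = $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
        }
    }
}

# Usage: Initialize-ResearchShare; Protect-ClassifiedFolder | Format-Table -AutoSize
```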
Question: What is the most efficient way to give several users who all require the same
permissions access to a shared folder?
Question: What are some of the ways of protecting sensitive data in Windows Server?
• UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local
Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be centrally managed and controlled.
• Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.
• For example, you might require administrative permissions to change the UAC setting to Always
Notify Me or Always Notify Me And Wait For My Response. With this type of configuration, a yellow
notification appears at the bottom of the User Account Control Settings page indicating the
requirement.
• Users should export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted files must be
accessed, the private key can easily be imported from the removable media.
• Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the
personal folder, where most documents are stored, is encrypted.
• Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting consistently at the folder level makes sure that files are not unexpectedly decrypted.
Also, when only individual files are encrypted, programs may write working copies to the temp folder,
where the unencrypted copy could be retrieved with a tool that recovers deleted files.
• The private keys that are associated with recovery certificates are extremely sensitive. These keys must
either be generated on a computer that is physically secured, or their certificates must be exported to
a .pfx file protected with a strong password and saved on a disk that is stored in a physically secure
location.
• You should plan and roll out EFS with some thought, including the proper use of a recovery agent. It
is possible to lose access to all EFS-encrypted files with no way of recovering them, so proper
planning, including the use of recovery agents, is essential.
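The EFS recommendations above applied to the lab's C:\Research\Classified folder with cipher.exe (an added example, not part of the course text). The folder path comes from the lab; the removable drive letter E: and the output file names are assumptions.

```powershell
# Added example, not from the course. Run as the user who owns the files.

# Encrypt at the folder level and recursively (/s) rather than file by file, so
# files created in the folder later are encrypted automatically and programs
# cannot leave unencrypted working copies behind.
cipher.exe /e /s:C:\Research\Classified

# Confirm the state: cipher flags encrypted entries with "E" and others with "U".
cipher.exe C:\Research\Classified

# Back up this user's EFS certificate and private key to removable media
# (assumed drive E:). /x prompts for a password that protects the .pfx file;
# keep the media offline when it is not in use.
cipher.exe /x E:\efs-user-backup

# Generate a data recovery agent certificate and key pair. Do this on a
# physically secured computer: the .cer is imported into Group Policy as the
# recovery agent, the password-protected .pfx is stored offline.
cipher.exe /r:E:\efs-recovery-agent

# The same check from PowerShell: list everything carrying the Encrypted attribute.
Get-ChildItem -Path C:\Research\Classified -Recurse |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    Select-Object FullName
```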
• The most secure implementation of BitLocker takes advantage of the enhanced security capabilities
of TPM version 1.2 or higher.
• On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation will require the user to insert a
USB startup key to start the computer or resume from hibernation and does not provide the pre-
startup system integrity verification offered by BitLocker that is working with a TPM.
• If you are making any significant hardware changes, such as adding Hard Drives or optical drives,
suspend BitLocker before doing so; otherwise, the changes might cause BitLocker to start in recovery
mode when it restarts.
• Use restrictive shared folder permissions only when necessary. To avoid complicated combined
permissions scenarios, use NTFS file and folder permissions to restrict or grant access as much as
possible. NTFS file and folder permissions offer much more precise control over user access and
always apply to file and folder security, whether being accessed locally or over the network.
• Use Deny permissions with caution. Deny permissions always override Allow permissions and can
result in users being mistakenly restricted from access to files or folders.
• Remember that Full Control lets users modify permissions. Assign Full Control permissions with
caution, as any change in existing permissions could potentially affect security.
• Use the Authenticated Users or the Domain Users group in the shared folder’s permissions list instead
of the Everyone group, and remove the Everyone group if it is present. The Everyone group includes
guest users. Using the Authenticated Users or Domain Users group limits file or folder access to
authenticated users only, and prevents users or viruses from accidentally deleting or damaging files.
• Be conscious of explicitly set permissions and the effects of blocked inheritance. When assigning
permissions to a parent folder, be aware that some subfolders and files might have inheritance
blocked and explicit permissions specified. In this case, such subfolders and files will not inherit the
parent folder’s permissions when changes are made.
• You can use the Effective Permissions tool to evaluate the permissions assigned to a user or group for
a specific file or folder. Effective Permissions allows you to select users or groups and then shows you
the effective permissions for those users or groups according to all the permissions set on the specific
file or folder.
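The NTFS and shared folder guidance above applied to the lab's C:\Research structure from Windows PowerShell (an added example, not part of the course text). The folder paths and the ADATUM\Research group come from the lab; granting SYSTEM and the local Administrators group, and the share name "Research", are assumptions.

```powershell
# Added example, not from the course. Run as an administrator on the file server.
$folder = 'C:\Research'
$group  = 'ADATUM\Research'
New-Item -ItemType Directory -Path "$folder\Classified" -Force | Out-Null

# 1. Block inheritance on C:\Research. SetAccessRuleProtection($true, $false)
#    discards the inherited entries instead of copying them, so the folder
#    starts from an explicit ACL.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)

# 2. Grant Full Control to the Research group (as in the lab) plus SYSTEM and
#    the local Administrators group (assumed, so the server and its admins keep
#    access). The flags make the entries inherit to subfolders and files.
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None
foreach ($identity in $group, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, 'FullControl', $flags, $none, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# 3. Block inheritance on C:\Research\Classified, keeping a copy of the current
#    entries ($true) so they can then be tightened explicitly.
$cacl = Get-Acl -Path "$folder\Classified"
$cacl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "$folder\Classified" -AclObject $cacl

# 4. Share the folder. Per the guidance above, the share grants Full Access to
#    Authenticated Users rather than Everyone, and the NTFS permissions do the
#    precise restriction (SmbShare module, Windows Server 2012 and later).
New-SmbShare -Name 'Research' -Path $folder -FullAccess 'NT AUTHORITY\Authenticated Users'

# Verify with icacls.exe: entries without the (I) marker are explicit rather
# than inherited, which confirms that inheritance is blocked on both folders.
icacls.exe $folder
icacls.exe "$folder\Classified"
```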
Tools
Tool: Windows PowerShell
  Use for: Managing both Server Manager. Also, almost all Windows server roles have cmdlets available to
  support them.
  Where to find it: Windows PowerShell console and Windows PowerShell ISE
Tool: Icacls.exe
  Use for: Viewing and managing access control list details.
  Where to find it: Command Prompt
Module 10
Implementing Network Security
Contents:
Module Overview 10-1
Module Overview
When you connect your computers to a network, you might expose them to additional security threats. It
is important that you identify possible threats, and implement appropriate Windows® network security
features to help eliminate them.
Objectives
After completing this module, you will be able to:
• Identify network-based security threats and mitigation strategies.
Lesson 1
Overview of Network Security
There are many network-based security threats. You must understand the nature of these threats and be
able to implement appropriate security measures to lessen them.
Lesson Objectives
After completing this lesson, you will be able to:
Note: Eavesdropping is also known as sniffing. Because of the 1:1 communication between
switches, eavesdropping is no longer easy.
• Denial-of-service (DoS). This attack is intended to limit the function of a network application, or
make the application, or network resource, unavailable. There are many ways in which a malicious
person can start a DoS attack. For example, a person could intentionally enter incorrect passwords on
a publicly addressable site to cause passwords to be locked out.
• Port scanning. Applications that are running on a TCP/IP host use TCP or User Datagram Protocol
(UDP) ports to identify themselves. An attacker can scan to identify which ports are in use. If a port
is open, the attacker can try to exploit that port; if a service is listening on it, the attacker could
potentially exploit a known vulnerability in that service.
• Man-in-the-middle. The malicious attacker uses a computer to impersonate a legitimate host on the
network. The attacker intercepts all of the communications intended for the destination host. The
attacker can view, change, or replay the data in transit between the two hosts.
• Replay attacks. An attacker re-uses or replays data, which has been captured from your network
during transmission, to establish a session or gain information illegally.
• Hacking. This is a generic term that means any kind of network attack.
• Internet protocol security (IPsec). IPsec lets you authenticate IP-based communications between
two hosts and, where desirable, encrypt that network traffic.
• Firewalls. Firewalls allow or block network traffic based on a set of rules. These rules can apply a filter
by using the source, destination, protocol, port, and even validity of the communication.
• Perimeter networks. A perimeter network is an isolated area on the network to and from which
there is defined network traffic flow. When you have to make network services available on the
Internet, it is inadvisable to connect the hosting servers directly to the Internet. By adding these
servers in a perimeter network, you can make them available to Internet users without letting those
users gain access to your corporate intranet.
• Virtual private networks (VPNs). When users must connect to your corporate intranet from the
Internet, make sure that they do so as securely as possible. The Internet is a public network and data
in transit across it is susceptible to eavesdropping or man-in-the-middle attacks. By authenticating
and encrypting connections between the remote users and your corporate intranet by using a VPN,
you can reduce these risks. Also, you do not want to “publish” information about your internal
network on the Internet. Tunneling technologies are used where only the endpoints are public-facing.
• Server hardening. By only running the services that you need, you can make your servers more
secure. Because it is sometimes difficult to determine precisely which Windows Server® services are
required, you can use tools such as the Security Configuration Wizard (SCW) or the Microsoft®
Baseline Security Analyzer to help you establish a baseline.
Lesson 2
Implementing Firewalls
A firewall can help protect your computer and network from unauthorized access or from malicious
software that may be attempting to harm your organization. Firewalls can function on different
levels and can be specific to private networks or to public networks, such as the Internet. Organizations
and individuals have different requirements and acceptable levels of security, so each scenario
and firewall implementation will have its own infrastructure and configuration requirements.
You can implement firewalls by using software, hardware, or a combination of both. Firewalls work on the
principle of filtering network traffic based on the characteristics of that traffic, and then either allowing or
blocking the traffic as determined by your configuration.
While the principles are the same for public and private network firewalls, the products and configurations
will differ. This lesson focuses on private network firewall implementations specific to protecting
the host and the private network.
Lesson Objectives
After completing this lesson, you will be able to:
Firewall Types
Firewalls can operate on hosts directly, and as such will protect the local computer from malicious attack,
regardless of where that attack originated, whether from a public or private source. Firewalls can also
operate in the perimeter network, between two networks, which provides general protection from attack
from the Internet. Firewalls can also be implemented on routers, operating between two networks, or as
firewall appliances, which are standalone entities containing hardware and software that perform the
necessary access control functions. Firewall appliances are more specialized and used more in large
organizations.
So there are different kinds of firewalls available depending on where the actual communication or
processing of data occurs. Definitions of these are:
• Application-layer gateways. Operate at the application layer of the Open Systems Interconnection
(OSI) model. Application-layer gateways proxy requests to or from the network and do not allow
traffic for which you have not defined a proxy. In other words, firewalls that understand applications
can look inside the traffic (for example, HTTP traffic) and decide which applications are allowed and
which to block. Additionally, they can understand dynamic ports, and you could allow specific
applications by using Remote Procedure Call (RPC) through the firewall. This enables applications
such as instant messaging and file transfer to function through your firewall without you having to
open multiple ports.
• Circuit-level gateways. Operate at the session layer of the OSI model and monitor datagrams
between communicating hosts to verify that requested sessions are legitimate. Circuit-level gateways
monitor the TCP hand-shaking process that is used to establish TCP sessions between hosts to
determine whether the session is legitimate. Additionally, information passed from the network to
remote hosts appears to originate from the circuit-level gateway. This is useful in hiding information
about the network from remote hosts.
• Packet filters. Operate at the network level of the OSI model, and in consumer markets are
frequently implemented as part of a router. Each packet is filtered and compared with an action list to
determine the appropriate action to take with the packet. Actions include allowing or blocking the
packet. Most consumer broadband routers provide this functionality.
• Stateful multilayer inspection. These firewalls combine aspects of the other three firewall types
providing a high level of security. A stateful multilayer inspection firewall examines data at all seven
layers of the OSI model. Unlike other firewalls, stateful multilayer inspection firewalls not only inspect
the packet header, but also inspect the packet payload. Each packet is examined and compared with
example packets to determine the probability that the packet contains malicious data.
You can install firewalls on hosts, such as Windows Server, or implement firewalls as software in devices
such as routers. There are also firewall appliances. These are very specialized and preferred by larger
corporations.
device is connected directly to all three networks, security potentially can be breached if this single point
of failure is compromised.
Dual back-to-back firewall. In this scenario, two firewalls are connected in sequence across three
networks: the Internet, your perimeter network, and your corporate intranet. The network to which both
firewalls are connected is the perimeter network. The firewalls are configured to allow only appropriate
traffic to pass between their connected networks. This is a more complex and expensive solution because
it requires additional hardware and software to configure. However, it provides for a more secure
environment and is the configuration of choice for larger networks.
Through the combination of hardware and software, and with appropriate configuration, you should be
able to create a perimeter network that has the network isolation that you need, while allowing
communication between devices located in the three networks. In that perimeter network scenario,
communication from the internal LAN to the outside is usually only allowed across one of the firewalls
which talks to a proxy server, which then relays the data as needed. So internal communication does not
directly talk with the internet, but with a proxy server in the perimeter.
It is rare for an organization to operate without the need to connect its network infrastructure to the
Internet. At the very least, most organizations use email applications to conduct some elements of their
core business.
Conduct an audit of the network services that you have within your organization and determine which
services must be available to users from the Internet. Then consider how you want to make those services
available.
Many companies have a policy not to allow Internet traffic unfiltered to the internal network. That can
typically result in the placement of Microsoft Exchange Servers or other Application servers on the internal
network and proxies, reverse proxies, and mail relays on the perimeter network, in addition to antivirus
and mail screening solutions.
With the use of Exchange Server 2013 and the Outlook® Anywhere feature (formerly known as RPC over
HTTP), users can access their Exchange Server accounts over the Internet without using virtual private
network (VPN) connections or having to put Exchange relays in the perimeter network. This lets clients
that use Microsoft Outlook 2013, 2010, or 2007 connect to their Exchange servers from outside the
corporate network over the Internet by using RPC over HTTP.
Note: Applications can be configured to use specific TCP ports; indeed, many applications
are configurable to use only HTTP or HTTP Secure (HTTPS). This means that you can configure
the Internet-facing firewall to only allow TCP port 80 and port 443 inbound.
Although an incomplete list, the following table identifies some common applications that you might
have to make available in your perimeter network or that you might experience in some networks.
Web server: HTTP, HTTPS. Put the web servers directly in the perimeter network or publish them with
Forefront TMG.
Internet Time Services: Network Time Protocol (NTP). Used to synchronize time over a network.
• Management. You can configure Windows Firewall by using several different management
programs. The choice of which program to use depends on whether you are administering a single
computer, or multiple computers. The following configuration options are available:
o Control Panel. Windows Firewall can be managed locally on Windows 8 and Windows Server 2012
computers by using Windows Firewall under System and Security in Control Panel.
o Windows Firewall with Advanced Security management console. Available through the Tools
menu in Server Manager.
o Group Policy. Where Active Directory is implemented, you can enforce Windows Firewall
settings by configuring Group Policy by using the Group Policy Management Console (GPMC)
under Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile or Standard Profile.
Note: When Group Policy is used to configure Windows Firewall, local system
administrators cannot locally configure Windows Firewall.
o Windows PowerShell®. Dedicated cmdlets are available in the NetSecurity module in Windows
PowerShell. These cmdlets provide administrators the ability to enable and configure Windows
Firewall locally or remotely.
• Network location-aware profiles. Windows Firewall can adapt to changing network conditions, for
example, when a computer moves from a work location to a public wireless hot spot. This capability
provides a dynamic user experience as a computer moves from one location to another.
• Fine-grained configuration through inbound and outbound rules. By default, Windows Firewall
blocks all inbound traffic unless it either matches a configured rule, or is in response to a request from
the local computer. By default, Windows Firewall allows all outbound traffic, unless it matches a
configured rule.
• Server and domain isolation. Windows Firewall supports creating rules for enforcing server or
domain isolation. For example, isolating a database server so that it only accepts communications
from a specific web server, or making sure that computers that are part of a domain only accept
communications from other computers in the domain.
An interesting example of this controlled flow of data is an Internet Information Services (IIS) server
that can receive traffic through port 80 from all clients in the domain. The server running IIS can
additionally communicate through port 1433 to a SQL server, which stores information for the IIS site.
The SQL server is not allowed to respond to any other requests. Both servers can authenticate against
the domain controllers, and Remote Desktop is available to those servers only from the administrative
subnet.
• IPsec integration. IPsec secures network traffic by using encryption, and Windows Firewall is integrated
with IPsec settings. As such, it can be used to allow or block traffic based on an IPsec negotiation, or
configured so that IPsec-encrypted network traffic from an administrative subnet can bypass all
firewall rules. We will discuss IPsec further in the next lesson.
More information about Windows PowerShell cmdlets that support firewall configuration
can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309121
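The IIS/SQL isolation scenario described above expressed as Windows Firewall rules with the NetSecurity module (an added example, not part of the course text). The host addresses (web server 10.0.1.10, SQL server 10.0.1.20) and the administrative subnet 10.0.9.0/24 are constructed for illustration.

```powershell
# Added example, not from the course. Windows Server 2012 or later; run each
# section on the server it protects. Addresses are constructed values.

# On the server running IIS: accept HTTP from every client on the domain network.
New-NetFirewallRule -DisplayName 'IIS - HTTP from domain clients' `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -Profile Domain -Action Allow

# On the SQL server: accept TCP 1433 only from the web server's address.
# Inbound traffic that matches no rule is blocked by default, so no other host
# can reach the database engine and no explicit block rule is needed.
New-NetFirewallRule -DisplayName 'SQL - TCP 1433 from web server only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.0.1.10 -Profile Domain -Action Allow

# On both servers: Remote Desktop only from the administrative subnet. The
# predefined Remote Desktop group rules are disabled first so they cannot
# widen access beyond the scoped rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress 10.0.9.0/24 -Profile Domain -Action Allow

# Review the result. The address and port scope live in associated filter
# objects, which is why Show-NetFirewallRule lists more than Get-NetFirewallRule.
Get-NetFirewallRule -DisplayName 'IIS - *', 'SQL - *', 'RDP - *' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        '{0,-38} port {1,-5} from {2}' -f $_.DisplayName, $port, ($addr -join ',')
    }
```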
• Domain networks. These are networks at a workplace that are attached to a domain. This option is
used automatically for any network that allows communication with a domain controller. By default,
network discovery and file and printer sharing are turned off. These settings can be controlled by
Group Policy.
• Private networks. These are networks at home or work where you trust the people and devices on
the network. When private networks are selected, network discovery is turned on but file and printer
sharing is turned off.
• Guest or Public networks. These are networks in public places. This location keeps the computer
from being visible to other computers. When Public networks is the selected network location,
network discovery and file and printer sharing is turned off.
It is also possible to create a Homegroup, which allows the sharing of pictures, audio, video, documents,
and printers between multiple computers and devices in your home. The network profile must be set to
Private to be able to view and join a Homegroup. Also, if a domain-joined computer joins a Homegroup, it
will be able to view shared files but unable to share its own files. Homegroups are configured in Control
Panel in the Network and Internet category.
You can change the firewall settings for each kind of network location from the main Windows Firewall
page in System and Security in Control Panel. Click Turn Windows Firewall On Or Off, select the network
location, and then make your selection. Each network location has the following information:
• Windows Firewall state. This refers to whether Windows Firewall is turned on or off.
• Incoming connections. This provides the status on what is occurring to incoming connections, such
as, “Block all connections to apps that are not on the list.”
• Active networks. This lists what network connections are currently active.
• Notification state. This lets you know when Windows Firewall will notify the user if an event occurs.
For example, if the firewall blocks a new program or app.
The Public networks location blocks certain programs and services from running to help protect the
computer from unauthorized access. If you are connected to a Public network and Windows Firewall is
turned on, some programs or services might ask you to allow them to communicate through the firewall
so that they work correctly.
• Private Profile
• Public Profile
These profiles and locations provide more configuration options than Control Panel. The options that you
can configure for each of the three network profiles are as follows:
• Firewall State. You can turn the firewall On or Off independently for each profile.
• Inbound Connections. You can block (default) connections that do not match any active firewall
rules, block all connections regardless of inbound rule specifications, or allow inbound connections
that do not match an active firewall rule.
• Outbound Connections. You can configure to allow (default) connections that do not match any
active firewall rules or block outbound connections that do not match an active firewall rule.
• Protected Network Connections. Select the connections that you want Windows Firewall to protect.
For example, the Local Area Connection.
• Settings. You can configure display notifications, unicast responses, and merge rules distributed
through Group Policy. When merging rules with Group Policy, you can apply local firewall rules and
local connection security rules.
The final tab in this Properties dialog box is the IPsec Settings tab. This tab lets you configure the default
values for IPsec configuration.
Rules are a collection of criteria that define which traffic you will allow, block, or secure with the firewall.
You can configure different kinds of rules:
• Inbound
• Outbound
• Connection Security
Inbound Rules
Inbound rules explicitly allow or block traffic that matches criteria in the rule. For example, you can
configure a rule to allow traffic secured by IPsec for Remote Desktop through the firewall, but block the
same traffic if it is not secured by IPsec.
When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain kind of
unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For Windows
Server roles and features, you will not have to create the rule yourself. For example, enabling IIS
automatically adjusts Windows Firewall to allow the appropriate traffic.
You can configure the default action (allow or block) that Windows Firewall with Advanced Security takes
when no inbound rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from the computer that matches the criteria in the rule. For example, you can
configure a rule to explicitly block outbound traffic to a computer through the firewall, but allow the
same traffic for other computers. This rule could specify an IP address or an IP address range.
• Program rules. These rules can control connections for a program regardless of the port numbers it
uses. Use this kind of firewall rule to allow a connection based on the program that is trying to
connect. These rules are useful when you are not sure of the port or other required settings because
you only specify the path of the program executable (.exe) file.
• Port rules. These rules can control connections for a TCP or UDP port regardless of the application.
Use this kind of firewall rule to allow a connection based on the TCP or UDP port number over which
the computer is trying to connect. You specify the protocol and individual or multiple local ports.
• Predefined rules. These rules can control connections for a Windows component. For example, File
or Print Sharing, or Active Directory. Use this kind of firewall rule to allow a connection by selecting
one of the programs from the drop-down list. These kinds of Windows components typically add
their own entries to this list automatically during setup or configuration. You can enable and disable
the rule or rules as a group.
• Custom rules. These rules can combine the other rule types, such as port and program.
Firewall rules and connection security rules are complementary, and both contribute to a defense-in-
depth strategy to help protect your computer. Connection security rules secure traffic by using IPsec while
it crosses the network. Use connection security rules to specify that connections between two computers
must be authenticated or encrypted. Connection security rules specify how and when authentication
occurs. However, they do not allow connections. To allow a connection, create an inbound or outbound
rule. After a connection security rule is created, you can specify that inbound and outbound rules apply
only to specific users or computers.
Note: Connection security rules are discussed in the “Connection Security Rules” topic later
in the lesson.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules,
connection security rules, and security associations. The Monitoring overview page displays which profiles
are active (domain, private, or public) and the settings for the active profiles.
Note: When you view the Windows Firewall with Advanced Security snap-in within the
Group Policy Management Editor console, the same rules and configurable options are available
except for the Monitoring node, which does not display.
Also be aware that the Windows Firewall with Advanced Security events are available in Event
Viewer.
You can enable and configure Windows Firewall with Windows PowerShell commands from the
NetSecurity module. This includes the cmdlets described in the following table.
Windows PowerShell cmdlet: New-NetFirewallRule
  Description: Creates a new inbound or outbound firewall rule and adds the rule to the destination
  computer.
Windows PowerShell cmdlet: Show-NetFirewallRule
  Description: Displays all of the existing firewall rules in the policy store, along with the associated
  objects.
Windows PowerShell cmdlet: Get-Help *Net*
  Description: Lists all cmdlets that have Net in their name. It will return all Windows Firewall cmdlets.
Demonstration Steps
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username
ADATUM\Administrator and password Pa$$w0rd.
Note: Alternatively, you could use the Windows PowerShell Test-Connection cmdlet.
5. Disable the new firewall rule and verify that ping is now available.
Lesson 3
Internet Protocol Security
Internet Protocol security (IPsec) is a framework of open standards that provides for the protection of data
transmitted over a network and between hosts. In order to improve the integrity of transmitted data in
your organization it is important to be aware of when and how IPsec can be implemented. In this lesson
we will discuss when and where it can be used and what are the benefits and potential hazards in doing
so.
Lesson Objectives
After completing this lesson, you will be able to:
What Is IPsec?
Internet Protocol security (IPsec) is a method that is used to ensure the security of data sent between
two computers on an IP network. It is not exclusively a Windows technology; rather, it is a framework of
open standards for protecting communications over IP networks by using cryptography. Typically, IPsec
is used to achieve confidentiality, integrity, and authentication in data transport across non-secure
channels. Although its original purpose was to help secure traffic across public networks, IPsec
implementations are frequently used to improve the security of private networks, because organizations
are not always sure whether weaknesses in their own private networks are susceptible to exploitation.
IPsec has two operation modes: Host-to-Host Transport mode and Network Tunnel mode.
• Host-to-Host Transport mode. This is the default mode for IPsec. In transport mode, IPsec only
encrypts the IP payload. The IP header is not encrypted. Transport mode should be selected for end-
to-end communications, such as what occurs between a client and a server. Transport mode is also
used in most IPsec-based VPNs for which Layer Two Tunneling Protocol (L2TP) is used to tunnel the
IPsec connection through the public network.
• Network Tunnel mode. In tunnel mode, IPsec encrypts the IP header and the payload. Tunnel mode
is most useful for communications between two networks when that communication occurs over an
untrustworthy network, such as the Internet or when a VPN gateway is incompatible with L2TP or
Point-to-Point Tunneling Protocol (PPTP).
The major benefit of IPsec is that it provides encryption for all protocols from OSI model layer 3 (network
layer) and higher. This includes the following:
• Data origin authentication. In tunnel mode, a new IP header can be added to the packet, specifying
the source and destination addresses of the tunnel endpoints.
• Data integrity. Ensures the integrity of IP traffic by rejecting modified traffic. If a packet is changed,
the digital signature will not match, and the packet is discarded.
• Data confidentiality. Enables confidentiality through IP traffic encryption and digital packet
authentication.
IPsec Uses sequenced numbers to make sure that an attacker cannot reuse or replay captured data to
establish a session or gain information illegally. The use of sequenced numbers also protects against tries
to intercept a message and then use the identical message to illegally access resources at a later date.
Implementing IPsec
Some network environments are well suited to
IPsec as a security solution, while others are not.
The following are situations in which implementing IPsec can add value:
• Packet filtering: Packet filtering is the allowing or blocking of specific types of IP traffic. You
can permit or block inbound or outbound traffic by using IPsec with the Network Address Translation
(NAT) component of the Remote Access Service.
• Securing traffic to servers: You can require IPsec protection for all client computers that access a
server. Additionally, you can set restrictions on which computers can connect to a server that is
running Windows Server 2012.
• Layer 2 Tunneling Protocol (L2TP)/IPsec for VPN connections: You can use the combination of
the L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require that you configure and
deploy IPsec policies.
• Site-to-site (gateway-to-gateway) tunneling: You can use IPsec in tunnel mode for site-to-site
(gateway-to-gateway) tunnels when you need interoperability with third-party routers, gateways, or end
systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.
• Server isolation: To isolate a server, you configure specific servers to require IPsec policy to accept
authenticated communications from other computers. For example, you might configure the
database server to accept connections from the web application server only.
• Domain isolation: To isolate a domain, you use Active Directory domain membership to ensure that
computers that are domain members accept only authenticated and secured communications from
other domain-member computers. The isolated network consists only of that domain’s member
computers, and domain isolation uses IPsec policy to protect traffic that is sent between domain
members, including all client and server computers.
Note: Because IPsec depends on IP addresses for establishing secure connections, you
cannot specify dynamic IP addresses. It often is necessary for a server to have a static IP address
in IPsec policy filters. In large network deployments, and in some mobile user cases, using
dynamic IP addresses at both ends of the connection can increase the complexity of IPsec policy
design.
IPsec is not recommended for the following scenarios:
• Securing communication between domain members and their domain controllers. This reduces network
performance, and the required IPsec policy configuration and management is complex.
• Securing all network traffic. This reduces network performance, and it is not recommended for the
following reasons:
o Traffic from real-time communications, applications that require Internet Control Message
Protocol (ICMP), and peer-to-peer applications might be incompatible with IPsec.
o Network management functions that must inspect the TCP, UDP, and other protocol headers are less
effective or cannot function at all because of IPsec encapsulation or IP payload encryption.
Additionally, the IPsec protocol and its implementation have characteristics that require special
consideration when you perform the following tasks:
• Protect traffic over wireless 802.11 networks: You can use IPsec transport mode to protect traffic
that is sent over 802.11 networks. However, using IPsec to secure corporate 802.11 wireless local area
networks (LANs) is not recommended. Instead, use 802.11 WPA2 or WPA encryption and Institute of
Electrical and Electronics Engineers (IEEE) 802.1X authentication. IPsec support, configuration
management, and trusts are required on both client computers and servers, and because many computers on
a network do not support IPsec or are not managed, IPsec alone is not appropriate for protecting all
802.11 corporate wireless LAN traffic. Additionally, IPsec tunnel mode policies are not optimized for
mobile clients with dynamic IP addresses, nor does IPsec tunnel mode support dynamic address assignment
or user authentication, both of which remote-access virtual private network (VPN) scenarios need.
• Use IPsec in tunnel mode for remote access VPN connections: We do not recommend using IPsec in
tunnel mode for remote access VPN scenarios with Windows-based VPN clients and servers. Instead, use
L2TP/IPsec or PPTP. Note that PPTP's authentication and encryption are known to be weak, so where a
choice exists, L2TP/IPsec is the one to take.
Firewall rules allow traffic through the firewall, but do not secure that traffic. To help secure traffic with
IPsec, you can create connection security rules. However, when you create a connection security rule, this
does not allow the traffic through the Windows Firewall. You must create a firewall rule to do this if the
traffic is not allowed by the firewall’s default behavior. Connection security rules are not applied to
programs and services. They are applied between the computers that make up the two endpoints.
A connection security rule forces authentication between two peer computers before they can establish a
connection and transmit secure information. Windows Firewall with Advanced Security uses IPsec to
enforce these rules.
Use connection security rules to configure IPsec settings for specific connections between computers.
Windows Firewall with Advanced Security uses these rules to evaluate network traffic, and then blocks or
allows messages based on the criteria that you establish in the rules. In some circumstances the
communication is blocked outright: if you configure settings that require security for a connection (in
either direction) and the two computers cannot authenticate, the connection is blocked. The connection
security rule types are as follows:
• Isolation. An isolation rule isolates computers by restricting connections based on credentials such as
domain membership or health status. You can use isolation rules to implement an isolation strategy
for servers or domains.
• Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by specific IP address, an IP address
range, a subnet, or a predefined group such as a gateway.
• Server to Server. A server-to-server rule protects connections between specific computers. This type
of rule usually protects connections between servers. When you create the rule, you specify the
network endpoints between which communications are protected. Then you designate requirements
and the authentication you want to use.
• Tunnel. A tunnel rule lets you protect connections between gateway computers. You typically use it
when you connect across the Internet between two security gateways. You must specify the tunnel
endpoints by IP address, and then specify the authentication method that is used.
• Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set
up the authentication rules that you need by using the other rules available in the New Connection
Security Rule wizard.
When you create a connection security rule, the wizard also asks you to configure the following settings:
• Requirements. You can select whether the rule requests authentication, requires inbound
authentication, or requires both inbound and outbound authentication.
• Authentication methods. You can select between several authentication methods. The options in the
New Connection Security Rule wizard include the following:
o Computer and User (Kerberos V5). Restricts communications to connections from domain-joined users
and computers, which authenticate by using Kerberos.
• Profile. Associate the rule with the appropriate network profile. You can select one or more of the
following: domain, private, or public.
• Exempt computers. For authentication exemption rules only, define the exempt computers by IP
address, IP address range, or IP subnet.
• Endpoints. For server-to-server rules only, define the IP addresses affected by the rule.
• Tunnel endpoints. For tunnel rules only, define the tunnel endpoints affected by the rule.
Note: Connection security rules and IPsec policies are different. An IPsec policy can filter
traffic to the specific port level, whereas a connection security rule cannot. It only applies
between computers, and not for specific kinds of traffic between those computers.
Managing IPsec
There are several ways to manage and configure Windows Firewall and IPsec settings and options.
Windows PowerShell
You can enable and configure IPsec with Windows PowerShell cmdlets from the NetSecurity module.
This includes the cmdlets described in the following table.
Windows PowerShell cmdlet: Show-NetIpsecRule
Description: Displays all of the existing IPsec rules and associated objects in a fully expanded view.
Windows PowerShell cmdlet: Get-Help *IPsec*
Description: Lists all cmdlets that have IPsec in their name.
Note: The Netsh command-line tool is also available and can configure and manage IPsec.
However, it has largely been replaced by Windows PowerShell in Windows Server 2012.
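The server isolation scenario, the connection security rule settings, and the NetSecurity cmdlets described above, worked through in PowerShell. This is an added example and is not part of the course or of the lab that follows. The addresses (the web server at 172.16.0.21 and a hypothetical second server, LON-SVR2, at 172.16.0.22) are assumptions, and the rule uses Kerberos computer authentication instead of the preshared key the lab uses: a key stored in a GPO is readable by every computer that applies the GPO and proves nothing about which peer is on the other end.

```powershell
# Added example (not from the course): server isolation between a web server
# and a database server with the NetSecurity module (Windows Server 2012+).
# Assumed lab values: web tier 172.16.0.21, database server 172.16.0.22,
# both members of adatum.com. Run elevated on the database server.
$WebServer = '172.16.0.21'
$DbServer  = '172.16.0.22'

# 1. Authentication set: computer Kerberos, so only a domain member that can
#    obtain a ticket for this host can complete the negotiation.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $proposal

# 2. Connection security rule (transport mode, server-to-server). It requires
#    authentication in both directions between the two endpoints, but by itself
#    it neither allows nor blocks any traffic.
New-NetIPsecRule -DisplayName 'Isolate DB from Web' `
    -LocalAddress $DbServer -RemoteAddress $WebServer `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Profile Domain

# 3. Firewall rule that actually admits the traffic, and only when it arrives
#    over an authenticated IPsec connection from the web server. Port scoping
#    belongs here; a connection security rule applies between computers,
#    not to a particular kind of traffic between them.
New-NetFirewallRule -DisplayName 'SQL from Web (IPsec required)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $WebServer -Authentication Required `
    -Action Allow -Profile Domain

# 4. Verify. Show-NetIPsecRule expands the rule with its auth and crypto sets;
#    the SA cmdlets show whether a protected connection has actually been set
#    up once the web server first connects.
Show-NetIPsecRule -DisplayName 'Isolate DB from Web'
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint

# 5. The firewall exercise from the lab in cmdlet form: allow HTTP, then flip
#    the same rule to Block when access has to be cut off quickly.
New-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP)' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
Set-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP)' -Action Block
```

If step 4 shows no quick mode SA after the web server has tried to connect, the usual cause is that one side cannot authenticate (a non-domain computer, or a clock skew that breaks Kerberos); because the rule says Require rather than Request, that failure shows up as a blocked connection rather than as unprotected traffic.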
Demonstration Steps
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username
ADATUM\Administrator and password Pa$$w0rd
Charlotte,
We have an urgent need to get the Intranet web site online to staff. I’d like you to test making it
available but I have some concerns about network security and I’d like to make sure we can block access
quickly and easily whenever we need. Can you test making the web site available and create Firewall
rules to allow and block access to it so we can control it if need be?
Also, we may host the web server content in remote offices and I have some general concerns about
accessing the web site over our network due to the sensitive nature of the data that will be transmitted
over the network. I’d like to check out using IPsec to make sure we have secure connections between
the web servers if we do need to have another server made available. Can you test these scenarios out
and check if we can make the web site and any server to server connections secure?
Thanks
Ed
Objectives
After completing this lab, you will be able to:
• Create Firewall Rule to allow access to the World Wide Web service
• Create a Server to Server Connection Security Rule
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
• Password: Pa$$w0rd
• Domain: ADATUM
5. Repeat these steps for 10967A-LON-SVR1 and 10967A-LON-CL1.
1. Turn off Website caching and verify connectivity to World Wide Web service
2. Configure a new firewall rule to block access to the World Wide Web service
3. Test World Wide Web service Access
Task 1: Turn off Website caching and verify connectivity to World Wide Web service
1. Ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and
password Pa$$w0rd
Task 2: Configure a new firewall rule to block access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name
ADATUM\Administrator and password Pa$$w0rd
4. Try to find a predefined rule that determines access to the World Wide Web Service for http and
block the connection for the rule
2. In Windows Firewall with Advanced Security locate the World Wide Web Services inbound rule that
you configured earlier and change the Action to Block the connection
Results: After this exercise, you should have created and tested an inbound firewall rule to control access
to the world wide web service.
2. In Windows Firewall with Advanced Security create a new Inbound Rule with the following settings:
• Computers: Default
• Profile: Default
2. In Windows Firewall with Advanced Security management console create a Connection Security
Rule with the following settings:
• Endpoints: Default
• First Authentication method: Preshared key (not recommended) and type the word secret. Click
OK and Click OK again.
• Profile: Default
5. Verify the data that is present matches what you configured earlier.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
Results: After completing this exercise you will have created a server to server connection security rule
and validated the secure nature of the communication between the two servers
Question: If you wanted to make sure that only domain computers could communicate with
other domain computers, how could you easily achieve this with Windows Firewall?
• Implement firewalls.
Review Question
Question: Why is it important to publish services to the perimeter instead of connecting
servers directly to the Internet?
Tools
Tool: Windows Firewall with Advanced Security
Use for: Managing inbound, outbound, and IPsec rules
Where to find it: Server Manager
Tool: Group Policy Management Console
Use for: Configuring Advanced Firewall settings and applying them across the domain when used with
Active Directory
Where to find it: Server Manager
Module11
Implementing Security Software
Contents:
Module Overview 11-1
Module Overview
Computers are now, more than ever, interconnected. The Internet can be accessed from almost anywhere
a user has a computer or device, and corporate networks can be accessed from a user’s home through
remote access. Communication among networks is continuous. Critical and private information is
routinely sent out through email message. So, the number of email messages that are received by users
continues to increase. Private corporate networks are now usually connected in some way to the public
Internet and much of the available server software requires, or at least recommends, Internet access.
As connectivity increases the risk of compromise to the computer or connected network also increases.
Malicious code, unauthorized use, and data theft are all risks that have to be considered and reduced by
an information technology (IT) administrator.
Objectives
After completing this module, you will be able to:
• Implement Windows Server® technologies and features that improve client security.
• Describe security threats posed by email and how to reduce these threats.
• Explain how to improve server security by using Windows Server security analysis and hardening
tools.
Lesson 1
Client Software Protection Features
As client operating systems become more advanced and security threats increase, more features are being
built into the operating system as a first line of defense. However, building defenses into the operating
system is not meant to be the sole method that is used to help secure the client infrastructure. Client
protection features provide additional methods to protect the client infrastructure.
The Windows Server operating system has several built-in technologies to help you improve the security
of your desktop infrastructure that is in constant communication with the network.
This lesson will introduce software restriction policies (SRPs) and AppLocker®, and explain how they can be
used to improve the security and integrity of the client infrastructure.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure AppLocker.
• Windows 8
• Windows 7
• Windows Vista®
• Windows XP
SRP settings are configured and deployed to clients by using Group Policy. The settings are not
configured or administered through Server Manager. If domain computers are not administered by Group
Policy, they will not receive the SRPs. Because of SRP's integration with Group Policy, its configuration
can be targeted with a great degree of specificity, for example at particular groups of users or
computers, or with different levels of functionality for each version of an operating system. SRP
settings contain two key components, Rules and Security Levels.
Rules
Rules determine how SRP responds to an application being run or installed. Rules can be based on one of
the following criteria.
• Hash. A cryptographic fingerprint of a file that is generated based on the file contents by using a
cryptographic algorithm. With this method software can be moved or renamed and still be identified.
Hash rules are very effective but best suited for environments where there is not a lot of change. For
example, if there are regular software updates, the amount of work required to maintain the rules
could be significant.
• Certificate. A software publisher certificate that is used to digitally sign a file. This has less
administrative overhead than a hash rule, because you only have to identify the certificate owner,
regardless of file version, and it is therefore easier to configure. However, if the software is not
signed, there will be administrative overhead to manage those cases.
• Path. The local or Universal Naming Convention (UNC) path of where the file is stored. A path rule
does not prevent software from being renamed or copied elsewhere, and administrators must define all the
directories from which software is allowed to run.
• Network Zone. Applicable only to Windows Installer packages. It identifies software based on the
Internet zone from which it is downloaded, such as Internet, Local Computer, Local Intranet,
Restricted Sites, and Trusted Sites.
Security Levels
Each applied SRP is assigned a security level that governs the way the operating system reacts when the
application that is defined in the rule is executed. The three available security levels are as follows:
• Disallowed. The software identified in the rule will not run, regardless of the permissions of the user.
• Basic User. Enables the software identified in the rule to run as a standard, non-administrative user.
• Unrestricted. Enables the software identified in the rule to run unrestricted by SRP.
The way a system behaves is generally determined by the Default Security Level. This governs how the
operating system reacts to applications that no SRP rule matches. The following three points outline a
system's default behavior, based on the Default Security Level applied in the SRP.
• Disallowed. No applications will be able to run, regardless of the permissions of the user, unless an
SRP rule is created that lets a specific application or set of applications to run.
• Basic User. All applications will run under the context of a basic user, regardless of the permissions of
the user who is logged in, unless an SRP rule is created to change this behavior for a specific
application or set of applications.
• Unrestricted. Software access rights are determined by the access rights of the user. All applications
will run as if SRP was not enabled, unless specifically defined by an SRP rule.
Based on these three components, there are two primary ways to use SRPs.
• If an administrator knows all of the software that should be able to run on clients, the Default Security
Level could be set to Disallowed. All applications that should be able to run can be identified in SRP
rules that would apply either the Basic User or Unrestricted security level to each application,
depending on the security requirements.
• If an administrator does not have a complete list of the software that should be able to run on clients,
the Default Security Level could be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be able to run could then be identified by using SRP
rules that would use a security level setting of Disallowed.
Software Restriction Policy settings can be set and configured in the Group Policy Management Editor:
under Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.
Within the Software Restriction Policies settings in Group Policy, you can also configure the following:
• Enforcement: Controls whether rules apply to all files including DLLs, to all users or to all users
except local administrators, and how certificate rules are enforced.
• Designated File Types: Defines what is considered executable code, such as .exe, .dll, and .vbs. You
can add or remove file types as needed.
• Trusted Publishers: Controls certificate revocation checks during signature verification and who is
allowed to manage the list of trusted publishers.
There are no dedicated Windows PowerShell® cmdlets available for SRP configuration and management.
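Because there are no SRP cmdlets, checking what policy a computer actually received means reading the registry store that Group Policy writes. The following PowerShell is an added example, not part of the course; the key path, value names, and numeric level codes (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) are the standard Safer layout used by the Software Restriction Policies extension, and the function names are my own.

```powershell
# Added example (not from the course): audit the effective computer-scope SRP
# on this machine by reading the Safer store that Group Policy populates.
# Assumes the standard layout CodeIdentifiers\<level>\{Paths,Hashes}\{GUID}.
$SaferBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    # Global SRP settings: default level, enforcement options, designated file types.
    if (-not (Test-Path $SaferBase)) { return 'No software restriction policy is applied.' }
    $ci = Get-ItemProperty -Path $SaferBase
    $default = if ($null -eq $ci.DefaultLevel) { 'Unrestricted (not set)' }
               else { $Levels[[int]$ci.DefaultLevel] }
    [pscustomobject]@{
        DefaultLevel      = $default
        EnforceDlls       = ($ci.TransparentEnabled -eq 2)   # 1 = all files except DLLs, 2 = DLLs too
        ExemptLocalAdmins = ($ci.PolicyScope -eq 1)          # 0 = all users, 1 = all except local admins
        DesignatedTypes   = (@($ci.ExecutableTypes) -join ', ')
    }
}

function Get-SrpRules {
    # One object per path or hash rule, tagged with the security level it applies.
    foreach ($level in $Levels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $key = Join-Path $SaferBase "$level\$kind"
            if (-not (Test-Path $key)) { continue }
            Get-ChildItem -Path $key | ForEach-Object {
                $r = Get-ItemProperty -Path $_.PSPath
                $target = if ($kind -eq 'Paths') { $r.ItemData }           # path or registry path
                          else { ($r.ItemData | ForEach-Object { $_.ToString('X2') }) -join '' }
                [pscustomobject]@{
                    SecurityLevel = $Levels[$level]
                    RuleType      = $kind.TrimEnd('s')
                    Target        = $target
                    Description   = $r.Description
                    LastModified  = $r.LastModified
                }
            }
        }
    }
}

Get-SrpSummary
Get-SrpRules | Sort-Object SecurityLevel, RuleType | Format-Table -AutoSize
```

Run this on a client after a gpupdate to confirm that the rules in the GPO are the rules the client enforces; an empty result with the GPO linked usually means the computer is outside the GPO's scope or Group Policy has not applied. A policy whose DefaultLevel is Unrestricted with only a few Disallowed path rules is the weak configuration the lesson describes: anything renamed or copied out of the listed directories runs.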
Note: By default, software restriction policies are not enabled in Windows Server 2008 R2
or Windows Server 2012.
More information about software restriction policies in Windows Server 2012 can be found at
the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309122
What Is AppLocker?
AppLocker (introduced in the Windows 7 and
Windows Server 2008 R2 operating systems and
present in Windows Server 2012 and Windows 8)
provides several improvements over SRP.
AppLocker gives administrators many different
methods for quickly and concisely determining
applications that they might want to restrict or
allow access to.
AppLocker can be used in many ways and for many reasons, such as the following:
• Your organization implements a policy to standardize the applications used within each business
group. Therefore, you have to determine the expected usage compared to the actual usage.
• The security policy for application usage has changed, and you have to evaluate where and when
those deployed applications are being accessed. In this scenario you would not restrict usage but
audit it by using AppLocker rules.
• Your organization's security policy dictates the use of only licensed software. Therefore, you have to
determine which applications are not licensed or prevent unauthorized users from running licensed
software.
• Some computers in your organization are shared by people who have different software usage needs.
With AppLocker, administrators can create a set of rules and then apply those rules to applications. There
are five rule collections; four are available on every supported version and are as follows:
• Executable Rules: applicable to .exe and .com files
• Windows Installer Rules: applicable to .msi, .msp, and .mst files
• Script Rules: applicable to .ps1, .bat, .cmd, .vbs, and .js files
• DLL Rules: applicable to .dll and .ocx files
These rules are based on file attributes derived from the digital signature, such as publisher, product
name, file name, and file version, or on a file hash or path.
Note: Packaged app and packaged app installer rules, the fifth collection, apply to applications
obtained from the Windows Store. This rule collection is only available on Windows 8 and Windows
Server 2012.
The DLL rule collection is not visible in the Group Policy Management Editor by default. It must be
enabled on the Advanced tab of the AppLocker properties.
Rule Behavior
• Allow. You can specify which files can run and for which users or groups. You can also configure
exceptions that are excluded from the rule.
• Deny. You can specify which files are not allowed to run and for which users or groups. Again, you
can also configure exceptions that are excluded from the rule.
Enforcement Modes
• Not Configured. This is the default setting. Rules in the collection are enforced unless a linked
Group Policy Object (GPO) with a higher precedence sets a different value for the setting.
• Enforce rules. Rules are enforced: a file that no rule allows is blocked, and the block is written to
the AppLocker event log.
• Audit Only. Rules are not enforced, but every file that would have been affected is evaluated and an
event is written to the AppLocker event log. This can be used to pre-stage and verify your settings
before enforcement.
A general process for applying AppLocker rules is to implement the rules in audit-only mode, verify the
results, and then enforce them.
Note: By default, AppLocker is not enabled in Windows Server 2008 R2 or Windows Server
2012.
AppLocker can be configured and managed in a domain environment by using the Group Policy
Management Editor: expand Computer Configuration\Policies\Windows Settings\Security
Settings\Application Control Policies\AppLocker.
AppLocker can also be managed in a domain environment, locally or remotely, by using Windows
PowerShell. Here are some of the available Windows PowerShell cmdlets and brief descriptions of their
use.
Get-AppLockerFileInformation: Displays the file information (publisher, hash, path) that you need to
create AppLocker rules.
Test-AppLockerPolicy: Determines whether files will be able to run for a given user under a given policy.
http://go.microsoft.com/fwlink/?LinkID=309123
More information about AppLocker Policies Deployment can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309124
By using certificate rules in SRP, you can trust all software signed by a specific publisher. However,
AppLocker gives you much more flexibility. For example, when you create publisher rules, you can trust
the publisher, and then drill down to the product level, the executable level, and even the version.
In SRP, you can create a rule that effectively reads "Trust all content signed by Microsoft." With
AppLocker, you can further refine the rule to specify "Trust the Microsoft® Office 2007 Suite if it is
signed by Microsoft and the version is greater than 12.0.0.0."
The AppLocker new features and improvements over the SRP feature can be summarized as follows:
• The ability to define rules based on attributes derived from a file’s digital signature. This includes the
publisher, product name, file name, and file version. SRP supports certificate rules, but they are less
specific and more difficult to define.
• A more intuitive enforcement model; only a file that is specified in an AppLocker rule can run.
• A user interface that is accessed through a new Microsoft Management Console (MMC) snap-in
extension to the Group Policy Management Console (GPMC) snap-in.
• An audit-only enforcement mode that lets administrators determine which files will be prevented
from running if the policy were in effect.
The following table outlines other key differences between AppLocker and SRPs.
Rule scope: SRP applies to a specific user or group per GPO; AppLocker applies to specific users or
groups per rule.
Rule conditions provided: SRP offers file hash, path, certificate, registry path, and Internet zone;
AppLocker offers file hash, path, and publisher.
Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems were only able to use SRP
rules. In Windows Server 2008 R2 and Windows 7, you can apply SRP or AppLocker rules, but not both.
This lets you upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules
that are defined in Group Policy.
However, if Windows Server 2008 R2 or Windows 7 computers have both AppLocker and SRP rules applied
through Group Policy, only the AppLocker rules are enforced and the SRP rules are ignored.
When you add a single AppLocker rule, all processing of SRP rules stops. Therefore, if you are replacing
SRP rules with AppLocker rules, you must implement all of the AppLocker rules that you need at one time.
If you implement the AppLocker rules incrementally, you will lose the functionality that is provided by
the SRP rules that have not yet been replaced with corresponding AppLocker rules.
Another additional key functionality introduced with AppLocker in Windows Server 2012 and Windows 8
is the ability to manage policies for Windows Store apps i.e. packaged apps and packaged app installers.
Note: SRP is still the standard method to restrict software usage in versions of Windows
prior to Windows Server 2008 R2 and Windows 7.
Demonstration Steps
1. Create a Group Policy object Word Pad Restriction Policy
2. Edit the Word Pad Restriction Policy GPO to Create an AppLocker rule to Deny access to
WordPad.
5. Link the Word Pad Restriction Policy GPO to the Adatum.com domain.
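The demonstration above, done with the AppLocker cmdlets instead of the Group Policy editor, and staged in audit-only mode first as the lesson recommends. This is an added example, not part of the course. It assumes WordPad at its default location and a Windows 8 or Windows Server 2012 (or later) computer on which the Application Identity service (AppIDSvc) is running; without that service nothing is enforced or audited.

```powershell
# Added example (not from the course): deny WordPad with a publisher rule,
# test the policy before applying it, then read the audit events.
Import-Module AppLocker

$wordpad = "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"
$notepad = "$env:SystemRoot\System32\notepad.exe"

# 1. Read the signature attributes that AppLocker publisher rules are built from.
$info = Get-AppLockerFileInformation -Path $wordpad
$info.Publisher      # PublisherName, ProductName, BinaryName, BinaryVersion

# 2. Generate a publisher rule for Everyone. New-AppLockerPolicy only emits
#    Allow rules, so flip the action to Deny in the XML, and put the Exe
#    collection in AuditOnly mode so nothing is blocked yet.
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Deny WordPad' -Xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
    foreach ($rule in $collection.FilePublisherRule) { $rule.Action = 'Deny' }
}
$policyPath = Join-Path $env:TEMP 'wordpad-deny.xml'
$policy.Save($policyPath)

# 3. Dry run. WordPad reports Denied (matched by the new rule). Notepad, which
#    no rule mentions, reports DeniedByDefaultRule: once a collection contains
#    any rule, only files a rule explicitly allows can run. Merge the default
#    rules into the collection before you ever switch it to Enforce rules.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $wordpad, $notepad -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply to the local policy (-Merge keeps existing rules). To write to a
#    domain GPO instead, pass the GPO's LDAP path with -Ldap.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'effective.xml')

# 5. After users have worked for a while, read what audit mode recorded:
#    8003 = would have been blocked (audit), 8004 = blocked, 8002 = allowed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```

The test in step 3 is the point of the exercise: it shows the implicit deny that the lesson describes ("only a file that is specified in an AppLocker rule can run") before it has a chance to lock every application except WordPad out of the machine.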
Lesson 2
Email Protection
One of the major threats today is the introduction of malicious code into a corporate network. Malicious
code can be very damaging to the corporate network. Creators of malicious code are becoming
increasingly inventive in finding new ways to introduce this code into an environment.
One of the most common and effective methods of distributing malicious code into an environment is
through email. Because of its widespread use and the intrinsic trust of the delivery mechanism, email
messages carrying some form of malicious code continue to be a problem for IT administrators.
This lesson will introduce you to various methods for reducing the threat of unsafe email activity in several
different areas in a corporate network environment.
Lesson Objectives
After completing this lesson, you will be able to:
Spam
Phishing
One form of spam is called phishing. Phishing is an attempt to collect what is usually sensitive
information from a user. The most common form is an email that tries to harvest credentials, key security
information, and bank details by diverting the user to a falsified website. Over the years, phishing
attacks have increased. Phishing is an easy way to gain reusable information without having to continually
spam the user to make them buy goods or services. Windows Server, Windows client, and Windows
Internet Explorer® include a phishing filter that checks against known falsified websites that try to
collect information from unsuspecting users.
Spoofing
Spoofing is another common threat wherein the sender tries to mask or hide their identity as if they were
someone else. Spoofing can impersonate an email sender, IP connection, or a domain. Spoofing causes an
email message to seem as if it originates from a sender other than the actual sender of the message.
Viruses
A virus is malicious code that copies itself and then spreads in some way. Usually, it sends itself out
in spam or takes control of other computers and tries to infect them as well. The term virus has become
a catch-all: originally it referred to self-replicating code written for no purpose beyond exploiting a
flaw, but it now includes malware, adware, spyware, and any third-party program that infects devices.
Many viruses perform malicious activity on an infected computer, such as data theft or disabling required
applications.
Within and across these definitions are variations and blended kinds of attacks that ultimately try to
take control of some aspect of the computer environment, and there is a range of new and changing
terminology to classify them, such as bot networks, logic bombs, salami attacks, Trojan horses, and many
others.
There are many ways to gain access to your system and network, such as through messages that suggest
that you open an attached PDF or compressed file. Those attachments then exploit vulnerabilities in
installed applications or scripting engines, or rely on the elevated rights of the user, to change the
system. In modern environments with widespread use of social networking and apps, attackers also exploit
vulnerabilities in apps or social networking sites to gain information about individuals or their systems.
IT administrators have to be aware of the channels through which attacks can arrive, educate end users,
and take appropriate precautions.
Server-Side Solutions
To protect against the various levels of threats that exist within the confines of an email infrastructure,
several methods and layers of protection are required to keep the threat of email-based attacks at an
acceptable level.
In a server environment, several general methods exist that combine to decrease the threat of unwanted
email or email server activity.
Content Filtering
Sender and Recipient Filtering
Similar to content filtering, sender and recipient filtering selectively filters incoming or outgoing email
messages. However, with sender and recipient filtering, the filtering decision depends on a fairly static
database of senders and recipients to be filtered. There are two kinds of sender and recipient
filtering.
• Blocklist filtering. Blocklist filtering identifies email addresses that are known to be associated with
unwanted activity. Email messages coming from blocklisted addresses are filtered and removed.
• Allowlist filtering. Allowlist filtering works in the reverse of blocklist filtering. When allowlist filtering
is used, email addresses contained in the allowlist database are identified as valid addresses. Allowlist
filtering is most frequently used together with content filtering to prevent messages from valid senders
from being incorrectly identified as spam.
IP Block/Allow Lists
Using IP addresses is another way to identify the source of email messages. Email servers can be
configured to check the connecting address against a database of IP addresses that are either known to
be valid or flagged as sources of spam-related activity. As with email address filtering, IP-based
blocklists and allowlists are frequently used together with more sophisticated content filtering to
decrease the occurrence of false positives.
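The following Exchange Management Shell commands are an added example, not part of the course text, that put the three layers just described (IP lists, static sender lists, and an allowlist that bypasses content filtering) in place on an Exchange Server transport server with the anti-spam agents installed. All addresses, domains, and ranges are constructed placeholders. Note that in Exchange Server 2013 the Connection Filtering agent that backs the IP block and allow lists runs only on an Edge Transport server; the sender and content filter agents can also run on a Mailbox server.

```powershell
# Added example (not from the course): layered anti-spam filtering in the Exchange Management Shell.
# Assumes the anti-spam agents are installed on this transport server. Every address, domain and
# IP range below is a constructed placeholder.

# 1. IP block list: the SMTP connection is refused before any message content is read.
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -Comment "Constructed example: known spam source range"
Add-IPBlockListEntry -IPAddress 203.0.113.25 -ExpirationTime (Get-Date).AddDays(7)

# 2. IP allow list: a partner's MTA that must not be subject to IP reputation checks.
Add-IPAllowListEntry -IPAddress 192.0.2.10 -Comment "Constructed example: partner MTA"

# 3. Sender block list: a static list of addresses and domains that are rejected outright.
Set-SenderFilterConfig -Enabled $true -Action Reject `
    -BlockedSenders "offers@example.net" `
    -BlockedDomainsAndSubdomains "spam.example"

# 4. Allowlist applied to content filtering, so that mail from known-good senders is never
#    misclassified as spam (the false-positive point made in the text). Messages above the
#    SCL threshold from everyone else are rejected.
Set-ContentFilterConfig -Enabled $true `
    -BypassedSenders "billing@partner.example" `
    -BypassedSenderDomains "partner.example" `
    -SCLRejectEnabled $true -SCLRejectThreshold 7

# Verify the resulting configuration.
Get-IPBlockListEntry | Format-Table IPRange, ExpirationTime, Comment -AutoSize
Get-IPAllowListEntry | Format-Table IPRange, Comment -AutoSize
Get-SenderFilterConfig | Format-List Enabled, Action, BlockedSenders, BlockedDomainsAndSubdomains
Get-ContentFilterConfig | Format-List Enabled, BypassedSenders, BypassedSenderDomains, SCLRejectEnabled, SCLRejectThreshold
```

The order matters operationally: the IP lists act at connection time and cost the least, the sender filter acts on the SMTP envelope, and the content filter runs last and is the most expensive, so the allowlist on the content filter is where legitimate senders with spam-like content are rescued.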
Microsoft Forefront® Online Protection for Exchange (FOPE) is a cloud-based service that protects a
Microsoft Exchange Server organization’s incoming and outgoing email from spam, viruses, phishing scams,
and email policy violations. Although it is a cloud-based service, it can be integrated into on-premises
Exchange deployments or used as part of hybrid or mixed deployments of Exchange.
More information about Forefront Online Protection for Exchange can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309125
Microsoft Exchange Online Protection provides cloud-based protection for your on-premises email, whether
Microsoft Exchange Server 2013, legacy Exchange servers, or any other on-premises Simple Mail Transfer
Protocol (SMTP)–based email solution that you might have. It can operate in a purely cloud environment,
such as with Exchange Online or Office 365™, or integrate into a purely on-premises environment or a
hybrid email infrastructure. It helps protect your organization against spam and malware in addition to
helping with management.
More information about Exchange Online Protection can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309126
Client-Side Solutions
Although server-based solutions and tools deployed in an organization’s perimeter network provide the
best defense against email-based threats trying to enter the network, no single solution will eliminate
email-based threats. Cloud-based services are becoming more widely available and popular because they
let a hosted third party, such as Exchange Online, carry the security and management overhead, which can
have many benefits for administrators. However, even with a fully cloud-based service, or a hybrid service
that mixes on-premises and off-premises solutions, client-side security is still important.
Client-side email security management provides an additional level of protection from unwanted email
for users.
In addition to antivirus programs and boundary defenses, Microsoft Outlook® provides additional layers
of security. Outlook has a built-in junk email filter that restricts potentially harmful attachments and
images from being displayed. This junk filter is based on the concept of trusted senders combined with its
own logic.
Outlook maintains two lists of sender addresses for filtering received email content. Users can maintain
these lists according to the messages they receive and how they want Outlook to handle those messages.
• Safe senders. Safe senders are addresses that are identified as known and trusted senders of email.
Messages received from addresses in the safe senders list are treated as trusted and can display images
and use other functions that might be considered potentially harmful if they came from an untrusted
address.
• Blocked senders. In contrast to the safe senders list, the blocked senders list contains addresses that
are known to be unsafe. Messages from these addresses are filtered in order to prevent potentially
harmful activity.
With Outlook, a user can also maintain a list of country-code top-level domains (TLDs) that are marked as
unsafe or unwanted. Examples of such TLDs are .jp, .de, and .uk. To block email coming from addresses that
have a particular country/region code, add that TLD to the Blocked Top-Level Domain List.
When an email message comes in, Outlook checks the validity of the message against the level of junk
email protection you have set. There are four levels of junk email protection:
• No filtering. This setting allows all email to be received regardless of the sender and does not use
Outlook’s built-in junk email logic.
• Low. This performs a basic scan and analyzes email as it arrives. It allows most email through to the
Inbox. It also considers the safe senders, safe recipients, and blocked senders lists and the international
settings, which are configurable in Outlook. The safe senders and safe recipients lists contain people you
trust, regardless of what logic Outlook might otherwise apply to the email; provided the message passes
the front line of defense, these lists make sure that it always ends up in your Inbox. The blocked senders
list is just that: any email address or domain on it is immediately treated as junk email. The international
settings enable blocking of top-level domains and specific character encodings.
• High. High filters email in the same way as Low, only more aggressively, so less email reaches your
Inbox. High also considers all of the previously mentioned lists.
• Safe Lists Only. This is the most extensive filtering possible, but it can treat some legitimate email
as junk. Safe Lists Only allows email from the safe senders and safe recipients lists mentioned
previously and treats all remaining email as junk email.
MCT USE ONLY. STUDENT USE PROHIBITED
Fundamentals of a Windows Server Infrastructure 11-13
Antivirus Programs
Most antivirus programs integrate with email programs such as Outlook and scan email, including any
attachments. This provides a second layer of defense in case the perimeter-based servers have missed a
potentially harmful email message.
This second layer also allows an end user or an IT department to implement more rigorous checks on
specific devices instead of at the global level. For example, the global policy might allow Microsoft Word,
Excel®, and PowerPoint® files through the firewall, while the antivirus software on the second layer
blocks the company’s service staff from receiving any attachments at all.
Lesson 3
Server Protection
An organization’s servers represent the core of its network functionality. Servers typically host multiple
business-critical services. An infected file server can propagate a virus to workstations, further
crippling a network, whereas an infected email server could cut off external communications between your
organization and its clients. Therefore, the security measures implemented on the server infrastructure
are among the most important aspects of maintaining overall network integrity and functionality.
This lesson introduces several ways to make sure that your servers are protected from circumstances that
could leave them vulnerable to attack.
Lesson Objectives
After completing this lesson, you will be able to:
Maintaining Updates
accounts, should be closely monitored and used only for their intended purpose. For additional security,
these accounts could be protected with a smart card or a biometric authentication device.
Disabling unused services and features within Windows Server reduces the server’s attack surface and
potentially improves performance.
Like unused services and features, unused applications can expose the server to security vulnerabilities
and affect performance. In addition, carefully monitoring installed applications makes sure that malicious
or unauthorized application installations are detected and removed.
Windows Firewall
Leaving Windows Firewall enabled and configured correctly keeps that layer of protection intact and gives
you a manageable, flexible way to protect against network-facing vulnerabilities in other applications on
the server.
Also, as discussed in Module 1, running Windows Server 2012 as a Server Core installation reduces overall
maintenance and management because of the reduced attack surface and the smaller number of updates
that a Server Core installation requires.
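The following script is an added example, not part of the course text, that checks two of the points above on a Windows Server 2012 host without changing anything: whether every Windows Firewall profile is enabled with inbound traffic blocked by default, and which automatic-start services fall outside a role baseline and are therefore candidates for disabling. The baseline list is a constructed placeholder for a domain controller; the service names your role needs will differ.

```powershell
# Added example (not from the course): read-only hardening check for firewall profiles and
# automatic-start services. $ExpectedAutoServices is a constructed placeholder baseline for a
# domain controller; replace it with the services your server role actually requires.
$ExpectedAutoServices = @(
    'DNS', 'NTDS', 'kdc', 'Netlogon', 'DFSR', 'W32Time', 'EventLog', 'LanmanServer',
    'LanmanWorkstation', 'Dnscache', 'Dhcp', 'RpcSs', 'SamSs', 'MpsSvc', 'BFE', 'Winmgmt',
    'Schedule', 'WinRM', 'gpsvc', 'Themes', 'ProfSvc', 'UALSVC', 'Power', 'PlugPlay'
)

function Test-FirewallProfiles {
    # Each profile (Domain, Private, Public) should be enabled and block unsolicited inbound traffic.
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile        = $p.Name
            Enabled        = $p.Enabled
            DefaultInbound = $p.DefaultInboundAction
            Ok             = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        }
    }
}

function Get-UnexpectedAutoServices {
    # Automatic-start services that are not in the baseline: either disable them or add them
    # to the baseline once you have confirmed the role needs them.
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $ExpectedAutoServices -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

Test-FirewallProfiles | Format-Table -AutoSize
Get-UnexpectedAutoServices | Format-Table -AutoSize -Wrap

# Remediation for a service you have confirmed is not needed (one service at a time, deliberately):
#   Stop-Service -Name <name>
#   Set-Service -Name <name> -StartupType Disabled
```

Run it before and after applying an SCW policy or a Security Compliance Manager baseline; the list of unexpected services should shrink to zero for a server that matches its baseline.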
The Security Configuration Wizard (SCW) is a role-based tool that typically runs on a server before that
server is deployed in production. In this manner, the attack surface of the server is reduced before it is
deployed into the infrastructure and exposed to potential threats.
When the SCW is run, it scans the server and identifies the current state of the server relative to potential
changes that might have to be made. SCW scans the following:
• Services installed on the server but not defined in the security configuration database
The information discovered about the server is saved in an XML file. This server-specific file is called the
configuration database.
The initial settings in the configuration database are called the baseline settings. After the server is
scanned and the configuration database is created, you can change the database. This will then be used
to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The
security policy can then be applied to the server or to other servers playing the same roles. The SCW is a
series of wizard pages that presents these four security policy categories in separate sections:
• Role-based service configuration
• Network security
• Registry settings
• Audit policy
The final section of the wizard is Save Security Policy. This allows for the inclusion of security templates
and lets you choose when to apply the policy.
Role-Based Service Configuration
The outcome of this section is a set of policies that configure the startup state of services on the server.
Only the services required by the server’s roles should start; services that are not required should not
start. To achieve this outcome, the SCW presents pages that display the server roles, client features,
administration options, and other options detected on the scanned server. You can add or remove roles,
features, and options to reflect the desired role configuration.
Network Security
The Network Security section produces the firewall settings of the security policy. Those settings are
applied by Windows Firewall with Advanced Security. Like the Role-Based Service Configuration section,
the Network Security section displays a page of settings derived from the baseline settings in the
configuration database. The settings in the Network Security section are firewall rules instead of service
startup modes.
Registry Settings
The Registry Settings section configures protocols that are used to communicate with other computers.
These wizard pages determine Server Message Block (SMB) packet signing, Lightweight Directory Access
Protocol (LDAP) signing, local area network (LAN) Manager authentication levels, and storage of password
LAN Manager hash values. It also allows for the definition of Outbound Authentication methods. Each of
these settings is described on the appropriate page, and there is a link to a Security Configuration Wizard
Help page.
Audit Policy
The Audit Policy section generates settings that manage the auditing of success and failure events and the
file system objects that are audited. Additionally, the section enables you to incorporate a security
template called SCWAudit.inf into the security policy.
Security Policies
When the SCW has completed the assessment of the server, it provides the opportunity to capture the
settings in a security policy.
A security policy is the result of the SCW run on a server. A security policy is an XML-based file that
contains the settings obtained from the details provided during the SCW process. The policy contains
potential changes to Windows settings from the following areas:
• Services
• Network security, including firewall rules
• Registry values
• Audit policy
You can apply a security policy created by the SCW to a server by using the Security Configuration Wizard
itself and selecting Apply An Existing Policy, by using the Scwcmd.exe command from the command line,
or alternatively by transforming the security policy into a Group Policy Object (GPO).
For example, scwcmd.exe transform can create a GPO called “Adatum DC Security GPO” with settings
imported from the Adatum DC Security.xml security policy file. The resulting GPO can then be linked to an
appropriate scope (site, domain, or organizational unit (OU)) by using the Group Policy Management
console. You can use scwcmd.exe transform /? for help and guidance about this process.
There are no Windows PowerShell cmdlets that can work directly with the Security Configuration Wizard.
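The following command sequence is an added example, not the course’s own text, showing how the Scwcmd.exe operations described above fit together. The policy file and GPO names are the ones this topic uses; the target server name, output folder, and the order of operations are assumptions for the example.

```powershell
# Added example (not from the course): driving the Security Configuration Wizard with Scwcmd.exe.
# Policy file and GPO names follow the topic text; LON-DC1 and C:\SCW\Results are assumptions.

# 1. Create the XML security policy interactively first (Security Configuration Wizard,
#    "Create a new security policy") and save it as "Adatum DC Security.xml".

# 2. Transform the policy into a Group Policy Object. The GPO is created in the domain but is
#    not linked; link it to the Domain Controllers OU (or another scope) in GPMC afterwards.
scwcmd transform /p:"Adatum DC Security.xml" /g:"Adatum DC Security GPO"

# 3. Before applying the policy to another server with the same role, compare that server's
#    current settings with the policy. Results are written as XML to the /o: folder.
scwcmd analyze /m:LON-DC1 /p:"Adatum DC Security.xml" /o:C:\SCW\Results

# 4. Apply the policy directly to the local server instead of through Group Policy. This changes
#    service startup modes, firewall rules, registry values and audit policy in one step, so
#    review the analysis from step 3 first.
scwcmd configure /p:"Adatum DC Security.xml"

# 5. If a directly applied policy breaks a service, roll the server back to its previous state.
scwcmd rollback /m:LON-DC1
```

The GPO route (step 2) is the one to prefer for a group of servers with the same role, because the policy is then applied and re-applied by Group Policy rather than once by hand, and a rollback is a matter of unlinking the GPO.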
More information about the Security Configuration Wizard can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309127
• Security: Measures a role’s risk for exposure against threats such as unauthorized users.
• Performance: Measures a role’s ability to process requests in an expected time, based on workloads.
• Policy: Identifies Group Policy and Windows Registry settings that might require modification.
• PostDeployment: Applied after all required services for a role have been started and the role is
running.
• BPA Prerequisites: Explains configuration and policy settings and features that are required for the
role before BPA can apply specific rules from other categories.
After analyzing the role categories, results are reported in different severity levels such as the following:
2. In the center details pane, locate the Best Practices Analyzer area.
4. In the Select Servers dialog box, select the server(s) of interest, and then click Start Scan.
BPA can also be run and managed by Windows PowerShell. Here are some of the available Windows
PowerShell cmdlets and brief descriptions of their functionality.
http://go.microsoft.com/fwlink/?LinkID=309128
More information about Windows PowerShell BPA cmdlets can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309129
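The following script is an added example, not part of the course text, that runs the Best Practices Analyzer from Windows PowerShell with the BestPractices module cmdlets (Get-BpaModel, Invoke-BpaModel, Get-BpaResult, Set-BpaResult) that ship with Windows Server 2012. The DNS Server model id is used as the example; the Category and Severity values reported correspond to the rule categories and severity levels described above.

```powershell
# Added example (not from the course): running BPA with the BestPractices module cmdlets.
# 'Microsoft/Windows/DNSServer' is the DNS Server role's model id; use Get-BpaModel for others.
Import-Module BestPractices

# Installed BPA models, one per role. Id is the value the other cmdlets take.
Get-BpaModel | Select-Object Id, LastScanTime | Format-Table -AutoSize

# Scan one role. Invoke-BpaModel runs the rules and stores the result set for Get-BpaResult.
$model = 'Microsoft/Windows/DNSServer'
Invoke-BpaModel -ModelId $model

# Report only the rules that failed, most severe first. Category is the rule category
# (Security, Performance, Policy, ...); Severity is Error, Warning or Information.
$order = @{ Error = 0; Warning = 1; Information = 2 }
Get-BpaResult -ModelId $model -Filter Noncompliant |
    Sort-Object @{ Expression = { $order[[string]$_.Severity] } } |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List

# Scan every installed role and count failed rules per role, for a quick compliance overview.
foreach ($m in Get-BpaModel) {
    Invoke-BpaModel -ModelId $m.Id | Out-Null
    $failed = @(Get-BpaResult -ModelId $m.Id -Filter Noncompliant)
    [pscustomobject]@{ Model = $m.Id; FailedRules = $failed.Count }
}

# Exclude a result that you have reviewed and accepted so that it no longer reports as
# noncompliant on later scans (replace <rule title> with the Title shown above).
# Get-BpaResult -ModelId $model | Where-Object { $_.Title -eq '<rule title>' } | Set-BpaResult -Exclude $true
```

Scheduling the loop as a task and keeping its output gives you a history of when a role drifted out of compliance, which Server Manager’s one-off scan does not.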
Within each product baseline are subcategories for specific roles. For example, under the Windows Server
2012 baseline are specific settings for roles such as Dynamic Host Configuration Protocol (DHCP), DNS
Server, and Domain Controllers (DC).
Each baseline provides prescribed values that resolve a specific usage case or scenario, for example,
running Internet Explorer 10 with a specific set of search providers and third-party add-ins. Additionally,
each configuration item provides information on Group Policy settings, registry settings, threats, and
countermeasures, such as the following:
• Vulnerability. What security weaknesses could be exposed by this server, application, or browser
setting? For example, allowing users to enable third-party add-ins could expose the network to a
security risk.
• Potential Impact. What effect could changing this configuration item have on users? For example,
disabling third-party add-ins could affect a user’s ability to do their job.
• Countermeasure. What is the recommended configuration setting? For example, do not let users
enable or disable third-party add-ins that are not within the organization’s security policy.
After security baselines are established, they can be exported and applied to other computers in your
organization. This provides an easy way to make sure that all the computers in your organization comply
with the same security standard, especially if they have the same role, such as multiple DNS servers or
DHCP servers.
• Combines Microsoft security guide recommendations and industry best practices into one place.
• Provides a centralized location to access, configure, and manage all the organization’s security
baselines.
• Analyzes your configurations against prebuilt Windows client and server operating system baselines.
SCM v3.0 must be downloaded and installed separately. The installation prerequisites are included with
the installation.
More information about the SCM download can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309130
More information about Microsoft Solution Accelerators can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309131
Demonstration Steps
1. Access the IIS server role in Server Manager.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
• Domain: ADATUM
2. Create Windows Installer rule to block the installation of the .msi file
3. Configure Windows Installer rule enforcement to be audit only
6. Run the Windows Installer and verify the audited result in Event Viewer
8. Run the Windows Installer file and verify the application is blocked
Task 1: Create a Group Policy Object to apply an AppLocker rule in the domain
1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and
password Pa$$w0rd
Task 2: Create Windows Installer rule to block the installation of the .msi file
1. Edit the newly created Group Policy Object.
• Permissions: Deny
• Conditions: Publisher
• Exceptions: Default
Task 6: Run the Windows Installer and verify the audited result in Event Viewer
1. Ensure you are logged on to 10967A-LON-CL1 as ADATUM\Allie with a password of Pa$$w0rd.
4. Open Event Viewer and view the MSI and Script log in the AppLocker logs.
5. Verify that the logs detail what happened and what would have happened if the rules had been enforced.
6. What is the Event ID for audited blocked installations of Windows Installer files?
2. Edit the SQLSysClrTypes Restriction Policy and configure the Rule Enforcement to Enforce Rules for
Windows Installer Rules
Task 8: Run the Windows Installer file and verify the application is blocked
1. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if needed, and sign in as
ADATUM\Allie with a password of Pa$$w0rd.
5. Verify you are now unable to install the Windows Installer .msi file.
Results: After this exercise, you will have created an AppLocker rule to block the installation of a particular
Windows Installer package. You will have tested the rule in audit-only mode before enforcing it, and you
will have applied the rule by using Group Policy across the A. Datum domain.
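The following script is an added example, not part of the lab, that checks the lab’s Windows Installer rule from Windows PowerShell with the AppLocker module. The package path is an assumption; the package name, user, and the audit-then-enforce sequence follow the lab. It answers the lab’s question about event IDs from the log itself rather than from memory.

```powershell
# Added example (not from the lab): verifying an AppLocker Windows Installer rule with the AppLocker
# module. C:\Install\SQLSysClrTypes.msi is an assumed location for the package the rule denies.
Import-Module AppLocker

$msi  = 'C:\Install\SQLSysClrTypes.msi'
$user = 'ADATUM\Allie'

# 1. Publisher information that the rule's Publisher condition is matched against (signed MSI).
Get-AppLockerFileInformation -Path $msi | Select-Object -ExpandProperty Publisher

# 2. Evaluate the effective policy for the user without running the installer. PolicyDecision is
#    Denied when the deny rule matches. In audit-only mode the decision is the same but the MSI
#    still runs and an audit event is written, which is what the audit task of the lab relies on.
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $msi -User $user |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Read the AppLocker "MSI and Script" log after the user has tried the install.
#    8006 = audit only, the file would have been blocked; 8007 = the file was blocked (enforced).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8006, 8007
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { if ($_.Id -eq 8006) { 'Audit: would block' } else { 'Blocked' } } },
        Message |
    Format-Table -AutoSize -Wrap

# 4. Export the effective policy for review, or for import into a GPO with Set-AppLockerPolicy.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path C:\Install\AppLockerEffective.xml
```

Step 2 is the useful one before enforcement: running Test-AppLockerPolicy against a directory of installers and scripts shows which files a new rule set would deny, so that the switch from audit to enforce does not surprise users.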
3. Carry through the steps of the wizard, accepting the default settings.
5. When you are prompted to apply the security policy, select Apply later.
2. In the Group Policy Management Editor, examine the newly created DC Security Policy GPO.
Results: After this exercise, you will have used the Security Configuration Wizard (SCW) to create a
security policy named DC Security Policy, and transformed the security policy to a Group Policy Object
(GPO) named DC Security Policy.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
Results: After this exercise, you will be able to run the Best Practices Analyzer (BPA) on a server role and
determine areas for improved efficiency or performance.
Question: When would you use the Security Policy XML format?
Question: Why are server-side email security solutions typically more effective and easy to
implement than client-side solutions?
Tools
• Security Configuration Wizard. Use for: generating and applying security policies to decrease the
vulnerability of Windows Server. Where to find it: Server Manager.
• Best Practices Analyzer. Use for: reviewing server roles for compliance with best practices. Where to
find it: the Server Roles summary details in Server Manager.
• Scwcmd.exe. Use for: transforming a Security Configuration Wizard security policy XML file into a
Group Policy Object that can be deployed with Group Policy. Where to find it: Command Prompt.
Module12
Monitoring Server Performance
Contents:
Module Overview 12-1
Module Overview
Monitoring the performance of servers is important for all organizations. Businesses require cost-effective
solutions that provide value for the money spent on computer infrastructure. Proactive monitoring is also
important for successful troubleshooting and can be a security component. When you know how your
servers usually perform, it is more likely that you will find services having issues or even someone
attacking your systems. You should monitor servers to make sure that they run efficiently and use all the
available server capacity. Monitoring your servers will require you to review server logs and actively
monitor server performance.
Objectives
After completing this module, you will be able to:
• Use the Event Viewer to identify and interpret Windows® Logs, and Application and Services Logs.
• Measure system resource usage, identify component bottlenecks, and use monitoring tools such as
Performance Monitor.
Lesson 1
Event Logging
As events occur in your Windows Server environment, information about what occurred will be logged.
This information can be used to determine what is working well and what requires or might require
administrator attention or intervention. One of the biggest problems facing IT administrators in relation to
logging is deciding what to log and what not to log. If an administrator logs and tracks too many events,
important information might be missed in the volume; if too few events are logged, important information
might never be recorded. Also, more logging means more overhead on the server, whether in log size and
storage space, CPU time to process the additional data, or network bandwidth to monitor and transmit
data from remote servers. Getting that balance right and using the correct functionality built in to
Windows Server® 2012 can help manage and provide solutions for those issues.
By default, Windows Server 2012 includes two sets of logs: Windows Logs, and Application and Services
Logs. This lesson will focus on how to use the Event Viewer to identify, review, and interpret the various
log types and also the information that they contain.
Lesson Objectives
After completing this lesson, you will be able to:
• Review and interpret Windows Logs.
Windows Logs
Windows Logs can be viewed by using the Event Viewer under the Windows Logs node. The Event Viewer
can be accessed in Server Manager from the Tools menu. The Windows Logs node contains the following
logs.
• Application log. Contains events that relate to the operation of applications such as Windows Internet
Explorer® and Notepad. Also, as was mentioned earlier, there is an Application and Services Logs section;
for application-specific information, the Application and Services Logs should generally be checked first.
• Security log. Reports the results of auditing. For these event types to be logged, auditing must be
configured on the object that you want to be audited; that is, it must be configured on a specific folder or
file, for example.
• System log. Logs general events from Windows components and services, such as device driver data or
service start failures.
• Forwarded Events. Collects events from remote computers. This is useful when centralized viewing of
logs across multiple computers is required.
Windows Logs can also be viewed and manipulated by using Windows PowerShell® cmdlets. Some of
these cmdlets are listed below.
• Get-EventLog. Displays events and event logs on local and remote computers.
• Show-EventLog. Opens Event Viewer on the local computer and displays the event logs from local or
remote computers.
• Get-Help Get-EventLog -ShowWindow. Displays the detailed help for the Get-EventLog cmdlet in a
separate window; any other cmdlet name can be substituted for Get-EventLog.
Note: The Get-EventLog cmdlet will only work with Windows Logs. It will not work with
Application and Services Logs.
• Administrative. These events are primarily targeted at end-users, administrators, and support
personnel. Each event describes the problem and contains a suggested solution on how to fix the
problem. For example, if your computer cannot receive an address from the network, there are very
specific troubleshooting steps that you can take.
• Operational. These events are used for analyzing and diagnosing a problem or occurrence. These
events may trigger tools or tasks for that event. For example, operational events are logged when a
server starts or stops. They do not provide suggested solutions on how to fix a problem.
• Analytic. These events are descriptive, and indicate problems that are generally not easily resolved.
By default, analytic events are hidden and disabled. When analytic events are enabled they can
produce lots of data and increase system processing and memory demands.
• Debug. Debug events are used by developers to troubleshoot their applications. By default, debug
events are hidden and disabled. When debug logs are enabled they can also produce lots of data and
increase system processing and memory demands.
Note: As a best practice it is recommended to leave the Analytic and Debug events
disabled. If these logs are required for diagnostic troubleshooting make sure that you limit the
maximum size of the log and disable the logging when it is no longer required. Additionally,
many events can be adjusted from being completely disabled to providing a very detailed
logging level. These log levels should be increased carefully however.
Application and Services Logs can also be found in the location %SystemRoot%\System32\Winevt\Logs.
Windows PowerShell cmdlets, such as Get-EventLog and Write-EventLog, which were described in the
previous lesson, do not work with the Application and Services Logs. These cmdlets work only with the
Windows Logs.
To manage the Application and Services Logs, you must use different Windows PowerShell cmdlets. The
following table provides some details.
• Get-WinEvent. Displays events from Windows Logs and Application and Services Logs from both local
and remote computers.
Note: This course does not provide a detailed description of the differences between the
two cmdlets, Get-EventLog and Get-WinEvent. When you deal with remote computers, Get-
WinEvent provides for faster processing. Get-WinEvent also allows for more manipulation of
the data returned. However, for local server use, Get-EventLog is easy to use and quicker.
In addition to the previous three levels, the Security log classifies all its events at the Information level
but subclassifies them by two keywords.
• Audit Failure. Audit failure events are informational and are intended to track logon failures and
other permissions-related issues. For example, an audit failure is logged if someone tries to log on and is
not a valid user.
• Audit Success. Audit success events are informational and are intended to track successful events,
such as a user successfully logging on to the computer.
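The following script is an added example, not part of the course text, that puts the Audit Failure keyword to work: it reads recent failed-logon events (event ID 4625) from the local Security log with Get-WinEvent, pulls the account, source address, and failure reason out of each event’s XML rather than its message text, and groups the failures by source address to surface password guessing. The one-hour window and the failure threshold are assumptions; run it in an elevated session, since reading the Security log requires administrator rights or membership in Event Log Readers.

```powershell
# Added example (not from the course): spotting password guessing from Security log Audit Failures.
# The time window and threshold are assumptions; tune them for your environment.
$since  = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625                    # "An account failed to log on"
    Keywords  = 0x10000000000000        # Audit Failure keyword (StandardEventKeywords.AuditFailure)
    StartTime = $since
} -ErrorAction SilentlyContinue

# Extract fields from the event XML. The EventData names are fixed for 4625, unlike the
# rendered Message text, which is localized and reflows.
$rows = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIP  = $d.IpAddress
        LogonType = $d.LogonType        # 3 = network, 10 = RDP, 2 = interactive
        SubStatus = $d.SubStatus        # 0xC000006A = wrong password, 0xC0000064 = unknown user
    }
}

# Many failures from one source address in the window, especially across several accounts,
# is the pattern of a brute-force or password-spray attempt.
$threshold = 10
$rows | Group-Object SourceIP | Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SourceIP = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
        }
    } | Format-Table -AutoSize
```

The FilterHashtable does the filtering inside the event log service, which is why it is much faster than piping every event through Where-Object; the same hashtable works against a remote server with the -ComputerName parameter of Get-WinEvent.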
Within each event when viewed in Event Viewer, there are two tabs: General and Details. The General tab
provides information categorized into paragraphs in a single scrollable window. The information is easy to
display and includes the following:
• The Log Name from which the event came.
• A link to an external Event Log Online Help site where there might be more information about the
event.
Depending on the event, additional details might be displayed, that let you analyze and troubleshoot the
event’s cause. The Details tab provides the following information:
On both tabs, you can scroll through events sequentially by clicking the up and down arrows on the right
side. There is also an option to copy the event for pasting into another application, such as Notepad.
• Tasks. Enables you to send an email message, start a program, or display a message when a specific
event is written to a particular log.
• Subscriptions. Enables you to identify specific events in multiple event logs on multiple computers.
Filters and custom views are created by specifying the query parameters. For example:
• When the event was logged, such as within the last 12 hours.
Filters and custom views can be accessed from the Event Viewer Action pane.
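The following Windows PowerShell script is an added example and is not part of the course. It expresses the same filter a custom view would use (Security log, Audit Failure keyword, last 12 hours) with Get-WinEvent, and then summarises failed logons by account and source address. The keyword values are the documented Security log keyword bit masks and event ID 4625 is the failed logon event; the function names, the 12-hour window and the grouping are my own choices.

```powershell
# Added example (not from the course): query the Security log for Audit Failure
# events from the last N hours and summarise failed logons (event ID 4625).
# Run elevated on a server whose audit policy records logon failures.

# Keyword bit masks used by the Security log (documented values).
$AuditFailure = [long]0x10000000000000   # 4503599627370496
$AuditSuccess = [long]0x20000000000000   # 9007199254740992

function Get-RecentAuditFailures {
    param(
        [int]$Hours = 12,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Keywords  = $AuditFailure
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "No events were found" as an error; treat it as an empty result.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
}

function Get-FailedLogonSummary {
    param([int]$Hours = 12)
    Get-RecentAuditFailures -Hours $Hours |
        Where-Object Id -eq 4625 |
        ForEach-Object {
            # The interesting fields live in EventData; pull them out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']
                Status    = $d['Status']        # 0xC000006D = bad user name or password
            }
        } |
        Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-FailedLogonSummary -Hours 12 | Format-Table -AutoSize
```

Swap $AuditFailure for $AuditSuccess to list successful logons instead. A single account with many failures from one address is the pattern a password-guessing attempt leaves behind; the same account failing from many addresses usually means a stale saved credential on a scheduled task or service.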
Tasks
Tasks enable you to be more proactive when you manage your environment. Instead of waiting until you conduct a weekly review of logs, you can be notified as soon as a particular event occurs. When you create tasks, you should carefully consider which specific events require notification, because a task that fires on a frequent event will run just as frequently.
Tasks are stored in Task Scheduler and are created by clicking the relevant log and then selecting Attach
A Task To This Log in the Action pane of Event Viewer. Tasks are also available in the log properties. In
the Create Basic Task Wizard, you can provide the Task Name, and then the Log, Source and Event ID
information. Then you have three options:
• Start A Program
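The following is an added example, not part of the course, showing the command-line equivalent of Attach A Task To This Log with the Start A Program option: schtasks.exe with an ONEVENT schedule, an event channel and an XPath query of the same form Event Viewer uses for custom views. The task name, the script path and the choice of event ID 4625 (failed logon) are assumptions for the sake of the example.

```powershell
# Added example (not from the course): attach a task to the Security log so that
# a script runs whenever a failed logon (event ID 4625) is written.
# Assumed names: the task name below and the script C:\Ops\Notify-FailedLogon.ps1.

$taskName = 'Ops\Notify on failed logon'
$script   = 'C:\Ops\Notify-FailedLogon.ps1'

# XPath query, as in an Event Viewer custom view. Kept free of embedded quotes so
# that PowerShell passes it to schtasks.exe unchanged.
$query = '*[System[EventID=4625]]'

# /SC ONEVENT with /EC (event channel) and /MO (XPath) is the command-line form of
# "Attach A Task To This Event". /RU SYSTEM runs it without storing a password;
# /RL HIGHEST runs it elevated; /F overwrites an existing task of the same name.
$action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script"
schtasks.exe /Create /F /TN $taskName /SC ONEVENT /EC Security /MO $query /TR $action /RU SYSTEM /RL HIGHEST
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# Verify the trigger was stored. To test it, force one failed logon (for example
# runas with a wrong password) and check that Last Run Time advances.
schtasks.exe /Query /TN $taskName /V /FO LIST | Select-String 'Schedule Type|Last Run Time'
```

Anything the action runs receives no information about the triggering event unless the task is later edited (in Task Scheduler) to pass event data as an argument, so scripts attached this way usually re-read the most recent matching event themselves. A task that runs as SYSTEM on every failed logon is also a convenient place for an attacker to hide a persistence mechanism, which is why existing event-triggered tasks are worth reviewing when you examine a server.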
Subscriptions
Troubleshooting an issue might require you to examine a set of events that are stored in multiple logs on
multiple computers. For this purpose, Event Viewer lets you collect copies of events from multiple remote
computers, and then store them locally. To specify which events to collect, create an event subscription.
After a subscription is active and events are being collected, you can view and manipulate these
forwarded events as you would any other locally stored events. To create a subscription, you must
configure the collecting computer (the collector) and each computer from which events will be collected
(the source).
Subscriptions are configurable from the Log Properties dialog box, and can be accessed either through
the log or the Event Viewer Action pane. The Windows Event Collector Service must be running.
Note: Subscriptions are not intended for auditing. If a network connection briefly fails, or
the receiving server is very busy, forwarded events might not be received. Therefore,
subscriptions should only be used for troubleshooting.
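The following is an added example, not part of the course, that configures a collector-initiated subscription from the command line rather than from the Log Properties dialog box. It uses the lab's computer names (collector LON-DC1, source LON-SVR1, domain adatum.com); the subscription name and query are illustrative, and the XML element names are those of the subscription format that wecutil.exe accepts, so check them against wecutil cs /? on your version.

```powershell
# Added example (not from the course): a collector-initiated subscription that
# forwards failed logons (event ID 4625) from LON-SVR1 to LON-DC1.

# --- On each source computer (LON-SVR1), run elevated:
#   winrm quickconfig                                        # WinRM listener + firewall rule
#   net localgroup "Event Log Readers" ADATUM\LON-DC1$ /add  # let the collector's computer
#                                                            # account read the Security log

# --- On the collector (LON-DC1), run elevated:
wecutil.exe qc /q                  # starts the Windows Event Collector service (delayed auto start)

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>FailedLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons from member servers (troubleshooting)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>LON-SVR1.adatum.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'FailedLogons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil.exe cs $path               # create the subscription from the XML file
wecutil.exe gr FailedLogons        # runtime status: per-source LastError and heartbeat

# Forwarded events land in the ForwardedEvents log and are queried like local events.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4625 } -MaxEvents 10 |
    Select-Object TimeCreated, MachineName, Id
```

HTTP here means WS-Management over TCP 5985 with Kerberos authentication and message-level encryption between domain members, not clear-text transport; use TransportName HTTPS with certificates for sources outside the domain. The course's note applies regardless of transport: wecutil gr shows you which sources have stopped sending, but it does not tell you which events were lost while they were unreachable.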
Demonstration Steps
1. Access the Event Viewer.
2. Review Windows Logs.
5. Within the Windows PowerShell console, obtain a list of all the available logs by using the Get-WinEvent cmdlet.
Lesson 2
Performance Monitoring
When performance issues are encountered, the first step is usually to identify the servers that are responsible for those performance issues, and then the specific roles or services on each server that are the cause. However, knowing what is not normal performance can be difficult to determine. For example, file servers may have higher disk usage than a web server, and a mail server may have higher network bandwidth requirements than a domain controller. As such, knowing your baseline performance for each server role helps you analyze the data and make informed decisions about bottlenecks and performance issues.
Additionally, in today's cloud-enabled world, knowing the base performance and components of an application helps you decide what services, if any, you should consider migrating to the cloud to support your requirements during peak hours. If your organization would otherwise need to make a significant investment in hardware to address performance issues, this is something you may need to consider.
Windows Server 2012 provides several tools that you can use to collect and analyze performance-related
statistics. You must know what data to collect so that you can identify performance problems on your
servers before they affect users.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe performance monitoring.
Performance Bottlenecks
A performance bottleneck is a condition, usually
involving a hardware resource, which causes a
computer to perform poorly. An example of a
hardware bottleneck is when a server cannot
service a request for disk, memory, processor, or
network resources.
• A resource is malfunctioning.
As soon as a bottleneck is identified, you can do several things, including the following:
The key to removing bottlenecks is identifying when and where they are occurring. You do this by using
performance monitoring tools and having a baseline to know how servers perform in a typical setting. By
comparing performance results to your baseline and to historical data, you can identify server bottlenecks
before they affect users. Here are several general mitigation strategy best practices.
• To determine whether network components are playing a part in performance problems, compare
the performance of programs that run over the network with locally run programs.
Note: As a best practice, try to view the server as part of a larger system. Follow the flow of
data around the system to isolate and identify potential performance bottlenecks.
Real-time monitoring
Historical data
Analyzing historical data can be useful for tracking trends over time, determining when to relocate
resources, and deciding when to invest in new hardware to meet the changing requirements of your
business. You should use historical performance data to help you when you plan future server
requirements.
If you intend to collect data for historical comparison, it is important to establish a performance baseline.
To create a baseline, you must collect performance data over the time during which the server is under
typical load. When you collect data in the future, you must make sure that you collect statistics about the
same resources as those that you analyzed in your baseline. You can then compare resource usage against
your baseline and see whether there are sufficient resources to satisfy user demands.
Tools
A range of tools is available to help you in the monitoring of the server environment. These tools are
described in the following table.
• Windows Server Event Viewer. As discussed in the previous lesson, Event Viewer displays information that relates to server operations. This data can help you to identify performance issues on a server. You can search for specific events in the event log file to locate and identify problems.
• Windows System Resource Manager (WSRM). Using WSRM, you can control how CPU resources are allocated to applications, services, and processes. Managing these resources improves system performance and reduces the risk that these applications, services, or processes will interfere with the rest of the system. Although the WSRM feature is available in Windows Server 2012, it has been deprecated.
• Microsoft Network Monitor/Microsoft Message Analyzer. Network Monitor is a protocol analyzer. It enables you to capture, view, and analyze network data. You can use it to help troubleshoot problems with applications on the network. You can download Network Monitor from the Microsoft Download Center.
Note: Network Monitor, at the time of development of this course, was being superseded by Microsoft Message Analyzer, which was then in beta and available for download from the Microsoft Connect website. Microsoft has since retired Message Analyzer as well.
• Performance Monitor. You can use Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. It enables viewing detailed real-time information about hardware resources such as CPU, disk, network, or memory. You can also monitor system resources that are used by the operating system, such as handles. Performance Monitor uses performance counters, event trace data, and configuration information. This information can be combined into data collector sets.
• Resource Monitor. Resource Monitor enables you to determine and control the system resources, such as CPU, memory, disk, and network, that are being used by processes and services. You can also view handles and modules associated with threads and processes. Resource Monitor cannot monitor a resource remotely. However, it can monitor a resource in a virtual machine.
• Microsoft System Center (Operations Manager). With Operations Manager, you can build a complete picture of the past and current performance of the server infrastructure. Operations Manager can also automatically respond to events and address problems before they become an issue. Operations Manager requires time to configure and requires additional licenses.
• Task Manager. Task Manager in Windows Server 2012 can be accessed by right-clicking the taskbar or by pressing Ctrl+Alt+Delete and selecting it from the menu. Task Manager has several tabs that divide information into the following components: Processes, Performance, Users, Details and Services. Each of these components can be broken down into more fine-grained data. For example, the Performance tab can provide additional data that is specific to the Network, CPU, or Memory usage. Task Manager is a user-friendly, easy to access troubleshooting tool.
More information about deprecated features and functionality in Windows Server 2012 can
be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309133
More information about Microsoft Message Analyzer and when and where it will be available
for download when released is available at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309132
Performance Counters
Performance counters are used to provide
information about how well the operating system
or an application, service, or driver is performing.
The data captured by the counter can help
identify system bottlenecks and fine-tune system
and application performance. Windows Server
collects data from performance counters in
various ways. This includes the following:
• Maximum value
• Minimum value
Primary Processor Counters
The Processor and System performance objects expose counters that describe how busy the processors are. (These are Windows performance counters, maintained by the operating system; they are distinct from the hardware performance-monitoring counters built into the CPU itself, which count events such as cache misses.)
• Processor\% Processor Time. Shows the percentage of elapsed time that the processor spends executing non-idle threads. It is calculated by measuring how long the idle thread runs and subtracting that from 100 percent, so it includes time spent handling hardware interrupts and trap conditions. Watch the _Total instance for an overall figure and the individual instances to spot a single saturated processor.
• Processor\Interrupts/sec. Shows the rate, in incidents per second, at which the processor received and serviced hardware interrupts.
• System\Processor Queue Length. This counter is a rough indicator of the number of threads that are ready to run but waiting for a processor. The processor queue length, also known as processor queue depth, reported by this counter is an instantaneous value that represents only the current snapshot of the processor. Therefore, you have to watch this counter over a long time. Also, the System\Processor Queue Length counter reports a total queue length for all processors, not a length per processor.
The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the random access memory (RAM) installed in the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor disk paging. This is the transfer of pages of code and data between disk and physical memory.
• Memory\Pages/sec. Shows the rate at which pages are read from or written to disk to resolve hard page faults. A hard page fault occurs when the requested page is not in RAM and must be retrieved from disk, typically from the paging file or from a memory-mapped file. A sustained increase in this counter indicates that more paging is occurring, which suggests a need for more physical memory. Because the counter also includes pages read for memory-mapped files, compare it with Memory\Available MBytes before concluding that the server is short of RAM.
The Physical Disk performance object consists of counters that monitor hard disk drives. Disk drives are
used to store file, program, and paging data. They are read to retrieve these items, and are written to
record changes to them. The values of physical disk counters are sums of the values of the logical disks (or
partitions) into which they are divided.
• Physical Disk\% Disk time. This counter shows how busy a particular disk is. A counter approaching
100 percent indicates that the disk is busy most of the time and might suggest a performance
bottleneck is imminent.
• Physical Disk\Average Disk Queue Length. This counter shows how many disk requests are waiting
to be serviced by the input/output (I/O) manager in Windows Server at a given moment. The longer
the queue, the less satisfactory the disk throughput is.
Primary Network Counters
Most workloads require access to production networks to communicate with other applications and
services and to communicate with users. Network requirements include elements such as throughput—
that is, the total amount of traffic that passes a given point on a network connection per unit of time.
Other network requirements include the presence of multiple network connections. Workloads might
require access to several different networks that must remain secure. Examples include connections for:
• Public network access.
Performance counters can be managed, imported, and exported by using Windows PowerShell. The following cmdlets are commonly used:
• Import-Counter. Imports counter log files (.blg, .csv, .tsv) and creates the objects that represent each counter in the log.
• Export-Counter. Takes performance counter sample sets and exports them as counter log files (.blg, .csv, .tsv).
• Get-Counter -ListSet *. Displays all the counter sets on the local computer.
All of these Windows PowerShell cmdlets are part of the Microsoft.PowerShell.Diagnostics module (not Microsoft.PowerShell.Management); you can confirm this with Get-Command Get-Counter.
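The following is an added example, not part of the course, that samples the primary counters discussed in this topic with Get-Counter, averages them, exports the run as a .blg file that Performance Monitor can open, and flags counters that exceed a saved baseline. The baseline values are constructed sample figures and the "two times baseline" rule is an illustrative assumption, not Microsoft guidance; a real baseline is collected over days of typical load, as the previous topic describes.

```powershell
# Added example (not from the course): sample the primary counters, save a short
# baseline log, and compare current averages with saved baseline figures.

$primaryCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\Interrupts/sec',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

# Collect a few samples and average each counter path. Get-Counter reports paths
# in lower case with a \\COMPUTER prefix, e.g. \\lon-svr1\memory\pages/sec.
function Get-CounterAverages {
    param([string[]]$Counter = $primaryCounters, [int]$Samples = 6, [int]$Interval = 5)
    $set = Get-Counter -Counter $Counter -SampleInterval $Interval -MaxSamples $Samples
    $set.CounterSamples |
        Group-Object Path |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.Name -replace '^\\\\[^\\]+', ''    # strip the computer prefix
                Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
                Max     = [math]::Round(($_.Group | Measure-Object CookedValue -Maximum).Maximum, 2)
            }
        }
}

# Compare current averages with a baseline (lower-case counter path -> average)
# and flag anything that exceeds the baseline by more than the given factor.
function Compare-WithBaseline {
    param([hashtable]$Baseline, [double]$Factor = 2.0)
    Get-CounterAverages | ForEach-Object {
        if ($Baseline.ContainsKey($_.Path)) {
            $flag = ''
            if ($_.Average -gt $Baseline[$_.Path] * $Factor) { $flag = 'INVESTIGATE' }
            [pscustomobject]@{
                Counter  = $_.Path
                Baseline = $Baseline[$_.Path]
                Current  = $_.Average
                Peak     = $_.Max
                Flag     = $flag
            }
        }
    }
}

# Save a run as a binary log so it can be opened in Performance Monitor (Source tab,
# Log files) or re-read later with Import-Counter.
Get-Counter -Counter $primaryCounters -SampleInterval 5 -MaxSamples 6 |
    Export-Counter -Path "$env:TEMP\baseline.blg" -FileFormat blg -Force

$savedBaseline = @{                       # constructed sample values, not real measurements
    '\processor(_total)\% processor time' = 12.5
    '\memory\pages/sec'                   = 3.0
    '\system\processor queue length'      = 1.0
}
Compare-WithBaseline -Baseline $savedBaseline | Format-Table -AutoSize
```

Keep the baseline in a file per server role rather than one figure for the whole estate; as the lesson notes, a file server's normal disk time would look like a bottleneck on a domain controller.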
Demonstration Steps
1. View current activity in System Summary.
2. Use Performance Monitor to view a chart on current activity.
Data Collector Sets can contain the following kinds of data collectors:
• Event trace data. Provides information about system activities and events. This is useful for
troubleshooting.
• System configuration information. Enables you to record the current state of registry keys and to
record changes to those keys.
• Additional information. As an example, the Directory Services counters are providing information
about Lightweight Directory Access Protocol (LDAP) queries and their “expensiveness” for the
resources.
You can create a Data Collector Set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting each data collector and setting the options in the Data
Collector Set properties. A default set of templates is provided.
Data collectors can also be managed by using Windows PowerShell. The following table lists some
cmdlets and a brief description of their use.
All these Windows PowerShell cmdlets are part of the ServerManagerTasks module.
Demonstration Steps
1. Create a Data Collector Set.
Demonstration Steps
1. Create a data collector set with an alert counter.
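The following is an added example, not part of the course, that creates the two kinds of object the demonstrations describe from the command line with logman.exe: a counter Data Collector Set and an alert that both writes an event and starts the set when a threshold is crossed. The names, the log directory, and the threshold of 500 with a 10-second sample interval are taken from the lab text or are assumptions; the lab does not say which counter its alert watches, so the Network Interface counter here is my choice.

```powershell
# Added example (not from the course): a counter Data Collector Set plus an alert
# that starts it, using logman.exe. Run elevated.

$dcsName   = 'ServerBaseline'
$alertName = 'LON-SVR1 Network Bandwidth Alert'
$logDir    = 'C:\PerfLogs\Baseline'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Counter data collector: the primary counters, sampled every 15 s, written to a
# binary circular log capped at 250 MB so the log can never fill the disk.
logman.exe create counter $dcsName `
    -c '\Processor(_Total)\% Processor Time' '\Memory\Pages/sec' `
       '\System\Processor Queue Length' '\PhysicalDisk(_Total)\Avg. Disk Queue Length' `
    -si 00:00:15 -f bincirc -max 250 -o "$logDir\baseline"
if ($LASTEXITCODE) { throw "logman create counter failed ($LASTEXITCODE)" }

# Alert: sample every 10 s; when the counter is above 500, log an event (-el)
# and start the baseline collector (-rdcs) so the spike is captured in detail.
logman.exe create alert $alertName `
    -th '\Network Interface(*)\Bytes Total/sec>500' `
    -si 00:00:10 -el -rdcs $dcsName
if ($LASTEXITCODE) { throw "logman create alert failed ($LASTEXITCODE)" }

logman.exe start $alertName
logman.exe query                  # lists both sets with their status

# Alert events are written by the Performance Logs and Alerts (PLA) provider;
# this is where to look for the event ID the lab asks about.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Diagnosis-PLA/Operational' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# The collected .blg files are read back with Import-Counter, as in the cmdlet table above.
# Get-ChildItem "$logDir\*.blg" | Import-Counter | Select-Object -ExpandProperty CounterSamples
```

A threshold of 500 bytes per second is far too low for a real network alert and will fire constantly; it is only the number the lab uses to make the alert trigger on demand. Derive production thresholds from the baseline you collected in the previous topic, and remember that an alert that starts a collector on every trigger can itself become the load you are investigating.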
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
• Password: Pa$$w0rd
• Domain: ADATUM
3. Create a new user-defined Data Collector Set by using the following information to complete the
process:
• Memory\Pages/sec
• Processor\%Processor Time
2. Then type
3. Then type
4. Then type
del bigfile*.*
5. Then type
del \\lon-dc1\c$\bigfile*.*
3. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
• Memory\Pages/sec
8. On the toolbar, click the down arrow and then click Report.
• Memory\Pages/sec
Results: After this exercise, you should have established a performance baseline.
3. Open Task Manager and view the CPU utilization, noticing how it has increased dramatically.
Results: After this exercise, you should have introduced a load on the server and restarted the Data
Collector Set.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Remove.
6. Click Add.
10. If you receive an error or the values in your report are zero, repeat steps 4-9.
Recorded values:
• Memory\Pages/sec
3. If you saw a similar trend in your work environment what would you recommend as a next step?
4. Can you identify any additional counters which could potentially help you narrow down your search
to determine what application is placing the greatest load on the CPU?
5. Are there any additional tools which may help identify what process or software is placing the load on
the server?
Results: After this exercise, you should have identified a potential bottleneck.
3. Verify the Event ID is generated and the Data Collector Set starts
• Limit: 500
3. Edit the properties of the LON-SVR1 Network Bandwidth Alert data collector as follows:
• Alert tab:
o Alert when: Above
o Limit: 500
o Sample interval: 10
o Units: Seconds
3. At the Command Prompt, type the following command, and then press Enter.
4. At the Command Prompt, type the following command, and then press Enter.
Task 3: Verify the Event ID is generated and the Data Collector Set starts
1. Open Event Viewer
3. Verify that an Event ID was generated by the alert when the threshold was exceeded.
4. What is the Event ID associated with an Event generated with an Alerts threshold being exceeded?
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
Results: After completing this exercise you will have: created an alert, and tested to ensure it generates an
Event ID and triggers a Data Collector Set to start.
Question: During the lab, you collected data in a Data Collector Set. What is the advantage
of collecting data in this manner?
Question: What significant counters should you monitor in Windows Server Performance
Monitor?
Event Viewer | Viewing logs and determining what happened | Server Manager
Module 13
Maintaining Windows Server
Contents:
Module Overview 13-1
Module Overview
Windows Server® roles are critical in an organization's network infrastructure. It is very important to make sure that each Windows Server is performing as efficiently as possible in its roles. To support Windows Server, you must have the skills and knowledge to correctly maintain an efficiently operating and continually available server infrastructure. You must also be able to troubleshoot issues within that infrastructure when they arise.
Objectives
After completing this module, you will be able to:
• Troubleshoot the Windows Server startup process.
Lesson 1
Troubleshooting Windows Server Startup
The Windows Server startup process makes sure that all aspects of Windows Server functionality are checked and initiated in a way that results in a stable and efficiently running server. Several issues can emerge in the startup process. Understanding the Windows Server startup process will help you troubleshoot or, even better, avoid these issues.
This lesson explains the Windows Server startup process and gives you the tools to identify and correct issues related to Windows Server startup.
Lesson Objectives
After completing this lesson, you will be able to:
e. Starts the Boot Manager (Bootmgr on BIOS systems, Bootmgfw.efi on UEFI systems), which locates and calls WinLoad.exe. WinLoad.exe resides on the boot partition, the partition that holds the \Windows folder; the system partition, by contrast, holds Boot Manager and the BCD store.
2. OS Loader
a. PreSMSS: Starts when WinLoad.exe passes control to the kernel. The kernel initializes its data structures and system components and starts the boot-start drivers.
b. SMSSInit: Starts when the kernel passes control to the Session Manager Subsystem process (smss.exe), which initializes the registry, creates the sessions, and starts:
o Csrss.exe (Client Server Runtime Process: provides threading control and core graphical capabilities)
o WinInit.exe (Windows Start-Up Application: starts the core user-mode components, including the Service Control Manager, services.exe, and the Local Security Authority, lsass.exe)
o WinLogon.exe (Windows Logon Application: responsible for the sign-in and sign-out process)
c. WinLogonInit: The Service Control Manager starts services in this phase. The logon screen appears and, after logon, the desktop starts.
d. ExplorerInit: Explorer.exe, which provides file management and the user interface (File Explorer, the desktop, the taskbar and more), starts, while services and applications continue to be loaded.
4. Post-Startup: The desktop is available and the user can interact with it, but services and applications may continue to start. This phase ends when all services and applications scheduled to start at logon have done so and the system reaches an idle state.
As outlined earlier, the Windows Server startup process consists of several steps, starting with the initialization of system hardware by the computer's firmware: the basic input/output system (BIOS), the Extensible Firmware Interface (EFI), or the Unified Extensible Firmware Interface (UEFI). This first stage is known as the power-on self-test (POST). The POST typically involves quick checks of system hardware components to confirm correct operation and functionality. Additionally, most BIOS and UEFI implementations provide more intensive POST procedures if troubleshooting has to be performed on the POST process.
BIOS, EFI, and UEFI are all firmware interface technologies that act as the interface between the hardware and the operating system software. (Firmware is software stored in non-volatile memory on a hardware component, such as the flash chip on the system board. It sits between the hardware and the operating system and is normally changed only through a dedicated update process, which is also why tampering with it is hard to detect from inside the operating system.) On startup, these firmware interface technologies effectively bring all the hardware components online for use by the operating system. BIOS, although still widely used, is the oldest technology. It is being replaced by UEFI, an industry standard maintained by the UEFI Forum that grew out of Intel's original EFI specification. UEFI allows for faster startup times, can start the operating system from GPT disks larger than 2 terabytes (TB), and provides additional functionality, including the Secure Boot and Measured Boot checks discussed later in this lesson.
Windows Server 2012 and Windows® 8 include startup support that works with UEFI and EFI. This helps
protect the startup process from potential security exposures.
More information about UEFI industry standards organization can be found at the following
website.
http://www.uefi.org/home/
The Startup Environment, Windows Boot Manager, and Windows Boot Loader
Windows Server 2012 and Windows 8 use Windows Boot Manager to manage the operating system
startup process.
The firmware (the BIOS or UEFI code stored in a chip on the system board) contains everything that is needed to initialize the hardware, find the system partition on the disk, and read Windows Boot Manager from it. Windows Boot Manager then starts the Windows Boot Loader, which loads the operating system from the boot partition. So, the startup environment is loaded before the operating system and is independent of it. This is what allows the startup environment to confirm the integrity of the startup process and of the operating system before either is trusted.
The Windows Boot Loader is stored in \Windows\System32\winload.exe (winload.efi on UEFI systems). When Windows Boot Loader is started by Windows Boot Manager, it begins the initial load process of the operating system.
Within the startup environment, Windows Boot Manager controls the startup process by using the
information in the Boot Configuration Data (BCD) store. Entries in the BCD store are loaded by Windows
Boot Manager and contain configuration data about the various boot loaders installed on the system. This
includes the following:
• Device where the boot loader is stored
When multiple boot loaders are referenced in the BCD store, Windows Boot Manager prompts the user at startup to choose which boot loader should be used. For example, a server might have Windows Server 2012 installed on one partition and a different Windows Server edition, or conceivably even a client operating system such as Windows 8, installed on another partition. The computer can start either operating system, depending on the needs of the user. This configuration is known as a multiboot configuration. Alternative startup options of this kind can be used, for example, to keep a backup operating system or an older version of the operating system available.
You can also start up from a virtual hard disk (VHD) file by configuring the BCD store to mount the VHD and start the operating system that it contains.
Multiboot configurations are more complicated to configure and more difficult to maintain. The benefits are more flexibility and the ability to cleanly remove or change an installation.
To edit the Windows Boot Manager settings, you can use a command-line tool named BCDEdit and the
relevant switches at the Command Prompt. There is a wide variety of functionality that can be configured
concerning how the system starts up including system recovery options.
To view the Windows Boot Manager settings, run the following at the Command Prompt.
To view the Windows OS Loader settings—that is, to see what operating systems are loaded into Windows
Boot Manager for startup—run the following at the Command Prompt.
Note: Certain aspects of the BCD store can also be changed on the Startup And Recovery
tab in System Properties. This includes settings for the default operating system, debugging, and
memory dump.
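The following Windows PowerShell function is an added example, not part of the course. It runs bcdedit with the /enum switch for the Windows Boot Manager and OS Loader views described above and turns the text output into objects, so the entries can be inspected, compared between servers, or checked for leftover troubleshooting settings from a script. It assumes an elevated prompt and bcdedit's usual layout of one "name   value" pair per line with entries separated by blank lines.

```powershell
# Added example (not from the course): enumerate BCD store entries as objects.
# Requires an elevated Command Prompt or PowerShell session.

function Get-BcdEntry {
    param([string]$Scope = 'all')     # 'all', '{bootmgr}', 'osloader', or an identifier
    $lines = bcdedit.exe /enum $Scope
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed ($LASTEXITCODE); run elevated" }

    $entries = @(); $current = $null
    foreach ($line in $lines) {
        if ($line -match '^-{5,}$') { continue }               # ruler under a section title
        if ($line.Trim() -eq '') {                              # blank line ends an entry
            if ($current) { $entries += [pscustomobject]$current; $current = $null }
            continue
        }
        if ($line -match '^(\S+)\s{2,}(.+)$') {                 # "identifier   {bootmgr}"
            if (-not $current) { $current = [ordered]@{} }
            $current[$Matches[1]] = $Matches[2].Trim()
        } elseif ($line -match '^\s+(\S.*)$' -and $current) {   # wrapped value, e.g. displayorder
            $last = @($current.Keys)[-1]
            $current[$last] += ' ' + $Matches[1].Trim()
        }
        # Section titles such as "Windows Boot Manager" match neither pattern and are skipped.
    }
    if ($current) { $entries += [pscustomobject]$current }
    $entries
}

# Windows Boot Manager settings: the default entry, timeout and display order.
Get-BcdEntry -Scope '{bootmgr}' | Select-Object identifier, device, default, timeout, displayorder

# Windows OS Loader settings: the operating systems that can be started, plus any
# safeboot or bootlog values left behind by earlier troubleshooting.
Get-BcdEntry -Scope osloader |
    Select-Object identifier, description, device, osdevice, path, safeboot, bootlog
```

A loader entry whose device or osdevice points somewhere other than the installed Windows volume, or an unexpected extra entry in displayorder, is worth investigating: it is exactly what a bootkit or an unauthorised multiboot installation would leave behind, and it is invisible from inside the running operating system unless you look at the BCD store.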
After Windows Boot Manager has started the Windows Boot Loader, the Windows Server operating
system begins to load. The operating system starts by enumerating drivers and services. There can be
different timings for when drivers and services are loaded, and there are dependencies between them. So,
the sequencing can vary. After the startup order is determined, the operating system is loaded and starts
the drivers and services in their respective order.
An operating system kernel is the most basic and fundamental part of the operating system. The kernel
controls system hardware and resources, managing them and making them available to applications that
are running on the system. After the operating system kernel loads, the operating system is ready to
interact with the rest of the system software and the user.
When a user logs on to a Windows Server environment, the user’s credentials are processed and validated
against the default security database, usually either the local security database or possibly Active
Directory® Domain Services (AD DS). After the credentials are validated, the user gains access to the
operating system and applications, and any Plug and Play or user-mode drivers load to complete the
Windows Server startup process.
Note: Windows 8 also includes Sleep and Hibernate functionality. This allows the computer to save power when it is not in active use and also provides quicker startup times. Windows Server 2012 does not support Sleep or Hibernate, although it may be possible to configure sleep in some hardware and firmware environments. In production environments, servers are typically required to be available twenty-four hours a day, seven days a week, to respond to service requests, so the additional configuration and management overhead associated with sleep and hibernation is not desirable.
Servers can still be subject to attack by malware during the startup process, even before the operating system is loaded, and malicious software that runs that early can potentially operate undetected in the kernel. To help protect against such threats, Windows Server 2012 and Windows 8 add checks around the startup process, each of which depends on the one before it:
• Secure Boot: On a UEFI system, the firmware checks that the boot manager and any other pre-operating-system code it loads are digitally signed by a certificate it trusts before running them; unsigned or tampered boot code is refused. (It is the boot code, not the firmware itself, that Secure Boot verifies; protecting the firmware is the platform vendor's responsibility.)
• Trusted Boot: Windows continues the chain after Secure Boot hands over control. The boot loader verifies the signature of the kernel, and the kernel in turn verifies boot-start drivers, system files, and the ELAM driver before starting them.
• Early Launch Anti-Malware (ELAM): Allows an antimalware driver to load before all other boot-start drivers so that it can classify each of them as known good, known bad, or unknown. Depending on policy, the kernel then refuses to load the drivers that the ELAM driver reports as malware.
• Measured Boot: With UEFI and a Trusted Platform Module (TPM) present on the system board, hashes (measurements) of the firmware, boot manager, boot loader, kernel, drivers, and ELAM driver are recorded in the TPM as each one runs, so that a compromised component cannot erase the record of itself. Windows can later have the TPM sign this log and send it to a separate trusted server, which validates the integrity of the startup process (remote attestation). The result can then be used to allow full or limited access to the network, or to place the server in quarantine, until the integrity of the startup can be assessed.
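The following Windows PowerShell function is an added example, not part of the course, that reports which of the startup protections above are in effect on the server it runs on. It uses the Confirm-SecureBootUEFI and Get-Tpm cmdlets that ship with Windows Server 2012 and Windows 8, looks for the TCG log files Windows writes under %SystemRoot%\Logs\MeasuredBoot when a TPM has recorded measurements, and finds ELAM drivers by the Early-Launch load-order group that such drivers register under; the property names in the output are my own.

```powershell
# Added example (not from the course): report the state of Secure Boot, TPM,
# Measured Boot and ELAM on this server. Run elevated.

function Get-StartupProtectionState {
    $state = [ordered]@{
        SecureBoot       = 'n/a (legacy BIOS)'
        TpmPresent       = $false
        TpmReady         = $false
        MeasuredBootLogs = 0
        ElamDrivers      = 'none registered'
    }

    # Confirm-SecureBootUEFI throws on a BIOS system (nothing to verify) and when not elevated.
    try {
        $state.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'enabled' } else { 'disabled' }
    } catch {
        if ($_.Exception.Message -notmatch 'not supported') {
            $state.SecureBoot = "unknown ($($_.Exception.Message))"
        }
    }

    # A TPM is required for Measured Boot; many virtual machines have none.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $state.TpmPresent = [bool]$tpm.TpmPresent
        $state.TpmReady   = [bool]$tpm.TpmReady
    }

    # One Measured Boot log is written per startup when the TPM recorded measurements.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    if (Test-Path $logDir) {
        $state.MeasuredBootLogs = @(Get-ChildItem -Path $logDir -Filter *.log).Count
    }

    # ELAM drivers register in the Early-Launch load-order group; list any that are present.
    $elam = Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
        Where-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Group -eq 'Early-Launch' } |
        Select-Object -ExpandProperty PSChildName
    if ($elam) { $state.ElamDrivers = @($elam) -join ', ' }

    [pscustomobject]$state
}

Get-StartupProtectionState
```

The output tells you what the server can enforce, not that the last startup was clean: only a Measured Boot log validated by a separate attestation server, as the bullet above describes, can say that, because a compromised operating system can report whatever it likes about itself.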
• Safe Mode
• Safe Mode With Networking
• Debugging Mode
During the installation process, Windows Server 2012 creates a special hidden partition on the system disk, the recovery partition, that contains several useful diagnostic and repair tools known collectively as the Windows Recovery Environment (WinRE). These tools are accessed through the Repair Your Computer option on the Advanced Boot Options menu. You can use the system recovery tools to repair startup problems, run diagnostics, or restore your system.
The Windows Recovery Environment may start automatically if the last system startup did not finish. It does not help with every startup problem, however. For example, if a server fails just after logon, a subsequent startup may not complete, and Last Known Good Configuration, discussed later in this topic, would be the best troubleshooting option.
When you select Repair Your Computer, you are presented with a Choose An Option screen that
contains three options:
2. Troubleshoot. Refresh or reset your computer, or use advanced tools. After you select this option,
you are taken to an Advanced options screen that contains the following options:
a. System Image Recovery. Recover Windows by using a specific system image file. Selecting this
option starts the Re-image Your Computer wizard. This tries to find an already backed up image
to restore.
b. Command Prompt. Use the Command Prompt for advanced troubleshooting. When you select this option, you are prompted for administrator credentials and then given a Command Prompt whose current drive is X:. Drive X: is a RAM drive that holds the recovery environment itself, not a partition on the disk: anything you change on it is lost at the next restart, and the installed operating system is reached through its own drive letter (usually C:, but check with dir, because letters inside WinRE can differ from those in the running system). You can then carry out whatever troubleshooting steps you need. For example, you can use BCDEdit, the System File Checker (SFC) command with its /offbootdir and /offwindir switches for an offline installation, or other tools and commands. Type exit to leave the Command Prompt and return to the Choose An Option screen presented earlier.
c. Startup Settings. Change Windows Startup Behavior. With this option, you can change the
various startup options previously listed, such as low resolution video mode, debugging mode,
safe mode, and driver signature settings.
Note: If a system loses electrical power during the startup process, the Windows Recovery Environment automatically starts the next time that the system is started. Also, Windows 8 has more Repair Your Computer options than Windows Server 2012. These include Refresh Your PC (reinstalls Windows without losing your files), Reset Your PC (all personal settings and files are removed), and Advanced Options, which include System Restore and Automatic Repair.
Finally, if the Windows Recovery Environment does not work for any reason from the local system, you can start from the installation media and access the same recovery options from there.
Safe Mode
In safe mode, the user can run system startup by using a limited set of files, services, and drivers. With this
limited configuration, failure from a malfunctioning driver or service is less likely, and you can
troubleshoot from the Windows graphical user interface (GUI) environment. On the Windows Advanced
Options menu, several options exist for starting Windows in Safe mode.
• Safe mode. Starts loading only a basic set of files, drivers, and services. This includes mouse,
keyboard, storage, and basic video drivers. No networking services or drivers are started.
• Safe Mode with Networking. Starts the same as safe mode, but adds drivers and services necessary
to provide network functionality.
• Safe Mode with Command Prompt. Loads the same service and driver set as safe mode, but starts
you at the Command Prompt instead of in the Windows GUI. That is, the GUI is not started.
Enable Boot Logging
This option starts the boot logging process, which records all startup events to the ntbtlog.txt boot log.
This log lists all the drivers that load during startup and the last file to load before failure. You can retrieve
the boot log by starting the operating system from the install media and selecting recovery options.
Analyzing this file will help identify where the failure occurred.
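The following Windows PowerShell function is an added example, not part of the courseware: it reads the lines of an ntbtlog.txt boot log and reports the last driver that loaded, every driver that did not load, and any driver loaded from outside the Windows directory. The log lines embedded in the script are constructed for the example (including the non-standard path of the last entry); the file name, the drive letters, and the bcdedit command in the comments are standard Windows values.

```powershell
# Added example (not part of the courseware): summarize an ntbtlog.txt boot log.
# The log lines below are constructed for this example; on a real system pass
# the contents of %SystemRoot%\ntbtlog.txt, which exists only after boot logging
# was enabled (from the Advanced Boot Options menu or with
# "bcdedit /set {default} bootlog yes" at a Command Prompt).

function Get-BootLogSummary {
    param(
        [Parameter(Mandatory)]
        [string[]]$LogLines
    )

    $loaded    = New-Object 'System.Collections.Generic.List[string]'
    $notLoaded = New-Object 'System.Collections.Generic.List[string]'

    foreach ($line in $LogLines) {
        # ntbtlog.txt records one driver per line, prefixed with the outcome.
        if ($line -match '^Loaded driver\s+(.+)$') {
            $loaded.Add($Matches[1].Trim())
        }
        elseif ($line -match '^Did not load driver\s+(.+)$') {
            $notLoaded.Add($Matches[1].Trim())
        }
    }

    # After a failed startup, the last "Loaded driver" entry is the last component
    # that initialized; the driver scheduled after it is the first suspect.
    $last = $null
    if ($loaded.Count -gt 0) { $last = $loaded[$loaded.Count - 1] }

    [pscustomobject]@{
        LoadedCount       = $loaded.Count
        LastLoadedDriver  = $last
        NotLoaded         = $notLoaded.ToArray()
        # Drivers loading from outside %SystemRoot% deserve a second look when a
        # startup problem is suspected to be caused by malware or a bad install.
        OutsideSystemRoot = @($loaded | Where-Object { $_ -notmatch '^\\SystemRoot\\' })
    }
}

# Constructed sample in the layout that ntbtlog.txt uses.
$sampleLog = @(
    'Microsoft (R) Windows (R) Version 6.2 (Build 9200)'
    ' 10 21 2012 08:15:03.500'
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe'
    'Loaded driver \SystemRoot\system32\hal.dll'
    'Loaded driver \SystemRoot\system32\drivers\fltmgr.sys'
    'Did not load driver \SystemRoot\System32\drivers\vga.sys'
    'Loaded driver \??\C:\Temp\examplefilter.sys'   # constructed, non-standard path
)

Get-BootLogSummary -LogLines $sampleLog | Format-List

# From the Windows Recovery Environment Command Prompt, the installed system is
# on its own drive letter (X:\ is the recovery environment itself), for example:
# Get-BootLogSummary -LogLines (Get-Content 'D:\Windows\ntbtlog.txt')
```

With the sample input the function reports fltmgr.sys as the last driver that loaded before the failed vga.sys entry, and flags the driver loaded from C:\Temp as the only one outside the Windows directory.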
Enable Low-Resolution Video
This option sets the system resolution to 640 x 480 pixels. This lets you reset your display resolution if it
was changed to a setting that rendered the system unusable.
Last Known Good Configuration
Using Last Known Good Configuration restores a system’s configuration to the state it was in at the end of
the last successful startup and logon. Last Known Good Configuration makes a copy of the configuration
information that is stored in the registry every time that the operating system startup process completes
successfully and a user logs on to the system. Last Known Good Configuration stores the values for the
following two registry hives, or groups of values.
When you select Last Known Good Configuration, it marks the values in the previous two registry hives as
failed and replaces them with the copy taken after the last successful startup and logon.
Directory Services Restore Mode
This option, sometimes abbreviated as DSRM, provides a special startup mode for addressing Active
Directory issues. It applies only to domain controllers. DSRM starts the domain controller without its
Active Directory Domain Services role, so it works as a member server only. You have to log on by using
the default local administrator account, whose password is set when the domain controller is promoted.
DSRM can be used to perform certain administrative tasks when the domain controller is not functioning
correctly or when it has to be serviced in a way that prevents the Active Directory database from being used.
Debugging Mode
This option enables the Windows kernel debugger and allows the Windows Server operating system to be
debugged. This typically involves attaching another computer that has debugging enabled to the
computer that has to be debugged, by using a serial connection.
Disable Automatic Restart on System Failure
This option prevents Windows from automatically restarting after a crash, such as when a blue screen
appears.
Disable Driver Signature Enforcement
This option enables drivers that do not contain digital signatures or contain untrusted signatures to be
loaded.
Disable Early Launch Anti-Malware Driver
This option enables drivers to initialize without being measured and evaluated by the Early Launch
Anti-Malware driver.
• Symptoms. When a system’s master boot record (MBR) is corrupted or missing, the system will stop
the startup process immediately following BIOS POST and a black screen or one of the following
messages might appear: “Invalid partition table,” “Error loading operating system,” or “Missing
operating system.”
• Causes. The MBR can become corrupted because of hard disk errors, disk corruption, or intentional
destruction of MBR data by a virus or malicious user.
• Resolution. Select Repair Your Computer on the Advanced Boot Options menu, choose Command
Prompt, and execute bootrec /fixmbr. This command replaces the executable code in the MBR.
Note: Where UEFI or EFI is used instead of BIOS, GUID partition table (GPT) would be used
instead of MBR.
• Causes. The BCD is deleted, corrupted, or no longer refers to the correct boot volume, possibly
because the addition of a partition has changed the name of the volume.
• Resolution. Start the Windows Recovery Environment, select Command Prompt, and then execute the
bootrec /scanos and bootrec /rebuildbcd commands. These commands scan each volume to look
for Windows installations. When they discover an installation, they ask you whether it should be
added to the BCD as a startup option and what name should be displayed for the installation on the
startup options menu. For other kinds of BCD-related damage, you can also use BCDEdit to perform
tasks such as building a new BCD from scratch or cloning an existing good copy.
• Symptoms. System file (dynamic-link libraries [DLLs], drivers, executables) corruption typically causes
a message on a black screen after BIOS POST that says, “Windows could not start because the
following file is missing or corrupt,” followed by the name of a file and a request to reinstall the file.
MCT USE ONLY. STUDENT USE PROHIBITED
13-10 Maintaining Windows Server
• Causes. The volume on which a system file is located is corrupted, or one or more system files are
deleted or become corrupted.
• Resolution. For NTFS volumes, start the Windows Recovery Environment, select Command Prompt, and
then execute the chkdsk command. Chkdsk will try to repair the volume corruption. If Chkdsk does
not report any problems, you can run sfc.exe to scan the system files and replace any that are
incorrect versions, or alternatively you can obtain a backup copy of the system file in question and
replace the file.
Note: Resilient File System (ReFS) can automatically detect data corruption and perform
repairs without taking the disk offline. If you try to run Chkdsk on ReFS you will receive the
message “The ReFS file system does not need to be checked.”
• Symptoms. Issues that occur after the Windows splash screen appears, after the desktop appears, or
after you log on fall into this category and can manifest as a crash that shows nothing but a blue
screen or as an unresponsive system freeze.
• Causes. This problem is usually caused by a device driver or corruption of registry information.
• Resolution. The first and most straightforward method for trying to restore the startup process is
to use Last Known Good Configuration. This loads the registry information from the backup taken
when the system last started correctly, and lets you review recent changes to the operating system
to discover what caused the crash or freeze. If the problem is caused by a driver or service that
existed on the system before the Last Known Good Configuration was taken, another solution is
required. In this case, safe mode can enable the system to start correctly. Then, you can roll back
newly installed drivers or disable services to determine the cause of the problem. Rolling back a
driver installs the earlier version of the driver that was previously working.
Question: Which tool would you use to recover a system that does not start correctly
immediately following the installation of a new network adapter?
Demonstration Steps
1. Start the virtual machine and access the Windows Recovery Environment by pressing F8 while
starting up.
3. Select Repair Your Computer, then choose Troubleshooting, followed by Command Prompt.
4. Assess the Boot Manager and OS Loader configuration by using the bcdedit command.
5. Determine the options available with the boot recovery command-line tool, bootrec.
Lesson 2
Business Continuity and Disaster Recovery
Organizations depend on constant and consistent access to their business information and applications. In
this environment, a server is only useful when it is operating properly and it contains the correct data. A
server that has intermittent failures, is frequently unavailable, contains inconsistent data, or loses data can
cause significant problems for an organization, detrimentally affecting the organization’s line of business.
As someone responsible for the operation of your organization’s servers, you have to be aware of the
variety of methods that Windows Server offers to allow for high availability, reliability, and consistency.
You also need to understand how to implement these methods.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the need for backup.
Backing up your company’s data in Windows Server 2012 is an important part of maintaining a reliable
server environment. Not only is the business data just discussed at risk; the data contained in the
operating system and server applications themselves also has to be retained should the need to restore or
re-create them arise.
Most user or business-related data that is stored on a server is stored in a specifically allocated drive or
folder structure, dedicated exclusively to storing that data. In this configuration, all of the business data is
in one place, and can be backed up as a whole instead of backing up data from different locations on the
server. The location and structure of this data will depend on the individual organization, and can vary
from implementation to implementation.
System Data
System data, such as operating system and application data, is usually stored in a constant location on
the operating system. Although it is not usually accessed or changed by employees directly like business
data, system data is critical to the operation of a server. Make sure that the Windows Server system
volume, which holds the Windows Server operating system files, is backed up. This makes sure that
the server is recoverable if there is a system failure.
Application configuration data may also be spread across multiple systems, which adds a level of
complexity that you also have to consider.
Question: What would the cost be to your organization if your server infrastructure was
unavailable for an hour, a day, or a week?
Increased Availability
High availability refers to the ability of a server infrastructure to remain available and operable if there are
hardware, application, or service outages within the server infrastructure.
Organizations that are required to meet service level agreements (SLAs) or that run applications important
to an organization’s daily business typically use high availability solutions to achieve required server
uptimes. This uptime value is commonly expressed as a number of nines, referring to the percentage of
the server’s total availability. It is common for companies to strive for five nines of uptime (99.999%). This
equates to less than 10 minutes per year of server downtime.
You can also have different uptime requirements for different time periods in SLAs. For example, if a
server is required to run for five days a week for 10 hours a day, on an SLA with a 99.999% uptime
requirement in that time period, the server is allowed 3 minutes downtime. However, during non-core
hours the server may be allowed longer downtimes.
High availability typically involves multiple servers configured to perform the same role or provide similar
services. If one of the servers experiences a hardware or software failure, the remaining servers continue to
provide the services.
Windows Server 2012 contains several features that help you in maintaining availability in the server
infrastructure.
• Fault-tolerant Applications. Some applications or services provide fault tolerance as part of their
own application infrastructure, such as Active Directory Domain Services with multiple domain
controllers, or a replicated DFS infrastructure.
• Failover Clustering. Failover clustering allows for a group of servers to work together to provide a
set of applications or services. Together, these servers provide a fault-tolerant configuration that
continues to provide its applications and services, even if one of the servers in the cluster fails or
becomes unavailable. You can implement failover clustering for a range of roles and services in
Windows Server 2012, such as File, Dynamic Host Configuration Protocol (DHCP), Hyper-V®, or even
application servers such as Microsoft® Exchange Server or Microsoft SQL Server®.
• Network Load Balancing (NLB). NLB provides for the increased availability of TCP/IP-based
network services. The load on the servers is shared and each server is aware of the other servers in its
group. Therefore, when one server fails or becomes unavailable on the network, traffic is redirected
among the other servers. This guarantees continuity of the network services. However, this is not high
availability, because the failover is more passive than in failover clustering, and a failing server could
cause a delay on the clients before the infrastructure recognizes the failure and another server serves
the requests.
Many subcomponents in Windows Server 2012 also contribute to providing a highly available
infrastructure, such as network interface card (NIC) Teaming and Multipath I/O (MPIO).
Data Recovery
Data recovery processes make sure that important data is recoverable, should the data be lost, corrupted,
or destroyed. This typically involves the copying or backing up of data to a device separate from the
server. These devices can be external hard disks or flash drives, optical drives, or network locations.
Frequently, these devices are stored in a different physical location than the server being backed up, in
case the server location is physically destroyed or damaged by a disaster such as a fire or flood.
When data is lost, corrupted, or destroyed, the backed up data can then be restored to the original
location on the server; or to a separate server until the original server is restored or rebuilt.
The built-in tool for backing up data in Windows Server is Windows Server Backup. Windows Server
Backup is a simple and easy to use backup and recovery tool. You can use Windows Server Backup on
both local and remote systems to perform full or incremental backups and to create a copy.
When you use Windows Server Backup, you have to have separate, dedicated media for storing backed
up data. Windows Server Backup can use external and internal disks, DVDs, or shared folders for backup
and restore locations. DVDs can be used only to restore full volumes of data, not individual files, folders,
or application data.
You can use Windows Server Backup for recovery in several ways. Instead of having to manually restore
files from multiple backups if the files were stored in incremental backups, you can recover folders and
files by selecting the date on which you backed up the version of the item(s) you want to restore. You can
recover data to the same server hardware or to new server hardware that has no operating system.
Windows Server Backup no longer supports tape backup.
Note: Backups taken with Windows Server Backup can also be restored from the Windows
Recovery Environment. This was described earlier in the “Troubleshooting Tools in the Startup
Environment” topic.
Also available is the cloud-based service Windows Azure™ Online Backup, which can provide backup
infrastructure and services for your organization.
More information about Windows Azure Online Backup can be found at the following
webpage.
http://www.windowsazure.com/en-us/home/features/online-backup
Question: Why would an organization have to implement both high availability and data
recovery processes to make sure of business continuity?
Increased Availability
NLB supports increased availability by redirecting incoming network traffic to working NLB cluster hosts if
a host fails or is offline. Existing connections to an offline host are lost, but the Internet services remain
available. In most cases, for example with web servers, client software automatically retries the failed
connections, and the clients experience a delay for several moments before receiving a response.
In terms of how the NLB servers function, a virtual IP address is created that applies to all NLB hosts in
the NLB cluster. Every NLB host then receives the traffic addressed to the virtual IP; however, only a
specific host will listen and process it. From a networking standpoint, you must make sure that all hosts
are connected in a “hub mode” instead of a switched mode. Otherwise, the NLB hosts would not receive
the traffic, because the switch would direct it only to the last host that replied using the virtual IP address.
Many applications work with NLB. Generally, NLB can load-balance any application or service that uses
TCP/IP as its network protocol and is associated with a specific TCP or User Datagram Protocol (UDP) port.
Protocol                                              Examples
Hypertext Transfer Protocol (HTTP) and HTTP Secure    Internet Information Services (IIS): port 80 for HTTP
(HTTPS)                                               and port 443 for HTTPS
Point-to-Point Tunneling Protocol (PPTP), L2TP, SSTP  Virtual private network (VPN) servers: 1723 for PPTP
and IP by using HTTP and Internet Protocol security
(IPsec)
Performance
NLB supports server performance scaling by distributing incoming network traffic among one or more
virtual IP addresses assigned to the NLB cluster. The hosts in the cluster concurrently respond to different
client requests, even multiple requests from the same client. For example, a web browser might obtain
multiple images in a single webpage from different hosts in a NLB cluster. This speeds up processing and
shortens the response time to clients.
Scalability
NLB lets administrators scale network services to meet client demand. New servers can be added to a load
balancing cluster without changing the applications or reconfiguring clients. The NLB cluster does not
have to be taken offline to add new capacity, and members of the load balancing cluster do not have to
be based on identical hardware. NLB hosts could even be powered up and powered down as demand
requires.
Windows PowerShell® also provides management and configuration support for Network Load Balancing
in Windows Server 2012. The following table includes some of the cmdlets and commands that might be
useful.
The Network Load Balancing feature has to be installed through Server Manager, in order to make these
cmdlets available on a Windows Server 2012 server.
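The following script is an added example (not part of the courseware) of the NLB configuration just described, using cmdlets from the NetworkLoadBalancingClusters module that the feature installs. It creates a cluster on the local host, replaces the default rule that balances every port with rules for only the HTTP and HTTPS ports listed in the table above, and adds a second host. The cluster name, host name, interface name and addresses are constructed placeholders; the cmdlet and parameter names are those of the module as the editor knows them, so confirm them with Get-Help on the server.

```powershell
# Added example, not from the courseware. Cmdlets come from the
# NetworkLoadBalancingClusters module, present once the Network Load Balancing
# feature is installed. Host names, interface name and addresses are placeholders.
Import-Module NetworkLoadBalancingClusters

$interface = 'Ethernet'        # NIC on each host that carries the cluster traffic
$clusterIP = '192.0.2.100'     # virtual IP shared by all hosts (documentation address range)
$mask      = '255.255.255.0'

# Create the cluster on the first host. Multicast mode keeps each host's own
# MAC address usable for management traffic on the same NIC.
New-NlbCluster -InterfaceName $interface -ClusterName 'web-nlb' `
    -ClusterPrimaryIP $clusterIP -SubnetMask $mask -OperationMode Multicast | Out-Null

# The default port rule balances every port (0-65535). Replace it with rules that
# cover only the services being published, so nothing else answers on the
# virtual IP. Ports 80 and 443 match the IIS row in the protocol table above.
Get-NlbClusterPortRule -HostName $env:COMPUTERNAME | Remove-NlbClusterPortRule -Force
foreach ($port in 80, 443) {
    Add-NlbClusterPortRule -InterfaceName $interface -StartPort $port -EndPort $port `
        -Protocol TCP -Mode Multiple -Affinity Single | Out-Null
}

# Join a second host; it needs the NLB feature and the same interface name.
Add-NlbClusterNode -InterfaceName $interface -NewNodeName 'WEB02' `
    -NewNodeInterface $interface | Out-Null

# Verify that every node has converged and that only the intended ports are balanced.
Get-NlbClusterNode    | Select-Object Name, State, HostPriority
Get-NlbClusterPortRule | Select-Object StartPort, EndPort, Protocol, Mode, Affinity
```

Single affinity keeps a client on the same host for the life of its session, which matters for web applications that store session state locally; None affinity spreads even a single client's requests across hosts, which is what the Performance paragraph below describes.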
Failover Clustering
Failover clustering is a technology in Windows Server 2012 that provides for high availability; it does not
provide for scalability. In a failover cluster, a group of servers, or a cluster, work together to increase the
availability of a set of applications and services. Physical cables and software connect the clustered
servers, known as nodes. If any of the cluster nodes fail, other nodes begin to provide service to clients (a
process known as failover). With this method, system downtime is minimized and a high level of
availability is provided.
Applications that are best suited for configuration in a failover cluster are applications that use a
centralized set of data. Applications such as SQL Server and Exchange Server, and services such as File
Servers, and DHCP, use centralized data sets and are therefore ideal for being configured as a failover
cluster.
Failover clustering provides several benefits for mission-critical server and application deployments. This
includes the following:
Applications or services that are added to a failover cluster must be cluster-aware in order to take
advantage of the benefits that are provided by failover clustering. Cluster-aware refers to the application’s
ability to register with the failover cluster in order to communicate with the cluster and take advantage of
the cluster’s features. Applications and services that are cluster-aware include the following:
• DHCP Server
• Exchange Server
• File Server
• Print Server
• SQL Server
• Windows Internet Naming Service (WINS) Server
Applications that do not support cluster events are called cluster-unaware. Some cluster-unaware
applications can still be configured as high availability resources and can be failed over. However, the
following provisions apply:
• IP-based protocols are used for cluster communications. The application must use an IP-based
protocol for its network communications.
• Nodes in the cluster access application data through shared storage devices. If the application is not
able to store its data in a configurable location, the application data is not available on failover.
• Client applications experience a temporary loss of network connectivity when failover occurs. If client
applications cannot retry and recover from this, they will no longer function.
Windows PowerShell also provides management and configuration support for failover clustering in
Windows Server 2012. The following table includes some of the cmdlets and commands that might be
useful.
Cmdlet        Description
Test-Cluster  Runs validation tests for failover cluster hardware and settings
The Failover Cluster Module for Windows PowerShell needs to be installed as part of the Failover
Clustering feature or the Remote Server Administrative Tools (RSAT) in Server Manager, in order to
make these cmdlets available on a Windows Server 2012 server. The RSAT can also be installed on a
Windows 8 client, which would make the cmdlets available on the client.
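The following script is an added example, not from the courseware, of building a two-node failover cluster for the File Server role (one of the cluster-aware services listed above) with the FailoverClusters module. It runs Test-Cluster first and keeps the validation report, then creates the cluster, adds the shared storage, and configures the role. Node names, the cluster and role names, the report path, the disk name and the addresses are constructed placeholders.

```powershell
# Added example, not from the courseware. Uses the FailoverClusters module that
# the Failover Clustering feature or RSAT installs. Names, paths and addresses
# are constructed placeholders.
Import-Module FailoverClusters

$nodes = 'FS01', 'FS02'

# 1. Validate hardware and settings first (Test-Cluster, from the table above).
#    The report is an HTML file; keep it with the change record for the cluster.
$report = Test-Cluster -Node $nodes -ReportName 'C:\ClusterReports\FileCluster-Validation'
Write-Host "Validation report written to $($report.FullName)"
# A report is produced even when tests fail, so read it before continuing and
# do not build a production cluster on a configuration that failed validation.

# 2. Create the cluster with a static cluster IP address.
New-Cluster -Name 'FSCLUSTER' -Node $nodes -StaticAddress '192.0.2.50' | Out-Null

# 3. Add the shared storage that both nodes can see.
Get-ClusterAvailableDisk | Add-ClusterDisk | Out-Null

# 4. Configure the clustered File Server role on that storage with its own
#    client access point, so clients keep using one name after a failover.
Add-ClusterFileServerRole -Name 'FSVIP' -Storage 'Cluster Disk 1' `
    -StaticAddress '192.0.2.51' | Out-Null

# 5. Confirm that every node is Up and the role is Online before handing it over.
Get-ClusterNode  | Select-Object Name, State
Get-ClusterGroup | Select-Object Name, OwnerNode, State
```

Failover can later be rehearsed with Move-ClusterGroup -Name 'FSVIP' to the other node while a client has a share open; the brief loss of connectivity that the client sees is the provision described in the cluster-unaware list above.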
More information about failover clustering and Network Load Balancing can be found at the
following webpage.
http://technet.microsoft.com/en-us/library/hh831579.aspx
What to Backup
Deciding what to back up is one thing to consider when you develop a backup plan. Business information
loss can significantly disrupt business productivity. Usually, a full data backup is desirable. The key question
for the organization is: what data is most important to the company? This data can consist of customer or
client database information, payroll records, and product information.
When to Backup
Several questions have to be answered when you are considering backup. Ask yourself, “When should I
back up data?”, “How frequently should backups be made?” and, “How long will my backup take and what
time of day will the backup occur?” When asking how frequently backups occur, the answer depends on
your business data and how frequently it changes. An organization’s sales history might only have to be
backed up monthly. However, the current sales database, which is constantly being updated with sales
information, might have to be backed up multiple times per day. The second and third questions, about
how long the backup will take and when the backup should be taken, depend on one another. Frequently,
data being backed up cannot be in use by users and applications during the backup process. A full
backup of all servers in a data center might take 15–20 hours. If your business operates on a 10-hour work
day, that only leaves 14 hours to do your backup. Typically, the longer, full backup is completed during
off-hours, perhaps on a weekend. Then, smaller backups of specific or important information occur more
frequently throughout the week.
After the decision is made about what data to back up, the next step is to determine where you should
store the backup. Options for storage include external or internal hard disk drives, CDs, DVDs, universal
serial bus (USB) flash drives, and third-party backup systems.
The final fundamental consideration is who should perform the backup, and perhaps more critically,
restore operations. After you have implemented a backup strategy, you could automate the backup
process; indeed, most backup solutions are automated. However, you may sometimes have to perform
unscheduled backup operations. You should carefully consider which users can perform this task.
When you have to restore data, make sure that the correct data is restored, and to the correct location.
Therefore, restore operations, except for user-initiated single file operations, should only be conducted by
skilled administrative personnel.
You can use the Windows Server built-in groups to assign the necessary backup and restore permissions,
or you can create your own groups as needed.
Windows Server Backup
Windows Server Backup is installed as a feature by using Server Manager. It provides a means of
administration, a Microsoft Management Console (MMC) snap-in administrative tool, and the WBAdmin
command (wbadmin.exe), which can be used at the Command Prompt. Both the snap-in and the
command-line tools let you perform manual or automated backups to an internal or external disk volume,
a remote share, or optical media. As stated earlier, backing up to tape is no longer supported by Windows
Server Backup.
Windows Azure Online Backup
This is a cloud-based service to which an IT administrator subscribes. An account is then
created for a particular organization and backups are scheduled. The difference is that the data storage is
provided by the Online Backup service. This service removes risk and administrative overhead when
you manage and maintain backups. You can access Windows Azure Online Services from the Windows
Server Backup management console.
Windows PowerShell provides cmdlets for both Windows Server Backup and Windows Azure Online
Backup to let administrators manage and configure the service. These cmdlets are provided under the
WindowsServerBackup and MSOnlineBackup modules. The following table includes some of the cmdlets
from each module.
Cmdlet        Description
Get-WBDisk    Displays a list of internal and external disks that are online for the local computer
Get-OBPolicy  Displays the current online backup policy set for the server
The Windows Server Backup feature has to be installed for the WindowsServerBackup module to be
installed and for the cmdlets to become available. Similarly, the Online Backup agent has to be installed to
be able to view the Online Backup cmdlets.
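The following script is an added example (not from the courseware) that puts the what, when and who questions from the previous topic into a Windows Server Backup policy using the WindowsServerBackup module: it covers the system volume for bare metal recovery plus the system state, adds the business data volume, targets a remote share on dedicated media with a credential used only for that purpose, and schedules the job outside the 10-hour business day. The share path, the volume letter, the account and the schedule are constructed placeholders.

```powershell
# Added example, not from the courseware. Uses the WindowsServerBackup module,
# available once the Windows Server Backup feature is installed. The share path,
# the data volume letter and the schedule are constructed placeholders.
Import-Module WindowsServerBackup

# WHAT: the system volume (bare metal recovery + system state) and the business
# data volume, as the "What to Backup" and "System Data" topics require.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
$dataVolume = Get-WBVolume -VolumePath 'D:'
Add-WBVolume -Policy $policy -Volume $dataVolume

# A VSS full backup lets applications with VSS writers (SQL Server, Exchange)
# treat this as a real backup and manage their own logs accordingly.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# WHERE: separate, dedicated media; here a remote share. The account supplied
# should be allowed to write to this share and nothing else.
$cred   = Get-Credential -Message 'Account allowed to write to the backup share'
$target = New-WBBackupTarget -NetworkPath '\\backup01\srv-backups\FS01' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# WHEN: nightly at 23:00, outside the 10-hour business day discussed above.
Set-WBSchedule -Policy $policy -Schedule '23:00'

# Register the policy; this creates the scheduled backup job on the server.
Set-WBPolicy -Policy $policy

# WHO checks it: review the registered policy and the most recent job each day.
Get-WBPolicy | Format-List Schedule, BackupTargets, VolumesToBackup, BMR, SystemState
Get-WBJob -Previous 1 | Format-List JobType, StartTime, EndTime, JobState, ErrorDescription
```

Restores should be rehearsed, not assumed: Get-WBBackupSet lists the recovery points on the target, and a periodic test restore of a file to an alternate location proves that the media and credentials still work before they are needed.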
Question: What would an appropriate backup plan be for your organization or department?
Lesson 3
Applying Updates to Windows Server
Windows Server provides a full-featured framework to maintain itself in a current and secure state
through updates. This lesson will cover how to keep your Windows Server up to date by using Windows
Server Update Services (WSUS).
Lesson Objectives
After completing this lesson, you will be able to:
• Implement WSUS.
• When a new device is installed, how can you be sure that you have the most recent version of the
driver installed?
• How can you make sure that you are running the latest and most compatible versions of your
applications?
You have to update your Windows Servers to make sure that you can avoid the pitfalls associated with the
previous points, but manual configuration of a single server can be a time-consuming and tedious
process, let alone the configuration of hundreds of servers.
The key source of Windows updates is the Windows Update website. Here, a catalog of updates is stored
and available for download and installation to your computer.
Windows Server 2012 contains a robust infrastructure for managing interaction with the Windows Update
process. However, you must make sure that the tools available are customized for your environment and
working in a way that makes sure the infrastructure is secure and regularly updated.
• Applications. Updates also have to be performed on applications. Service packs, feature updates, and
security fixes all make sure that your applications can consistently provide their associated services
within your environment.
In addition to these three core areas, other aspects such as device firmware might also have to be
periodically updated.
In a typical WSUS implementation, instead of each computer downloading the same update files
independently, only the WSUS server downloads the files from the Windows Update servers. The WSUS
server downloads a copy of each available update and saves it in a local data store. Then it makes the
updates available for access by all of the computers on the network. The bandwidth consumed by the
update process is greatly reduced, because the WSUS server has to download only one copy of each
update. WSUS also gives administrators the opportunity to research, evaluate, and test updates before
you deploy them to the network clients.
You can also implement a hierarchical structure for WSUS in your organization, specifying upstream and
downstream servers or replica servers, to streamline the distribution of updates across a geographically
dispersed organization.
A WSUS server has several components and settings that are configurable to suit the needs of your
environment. When WSUS is first set up, the Windows Server Updates Services Configuration Wizard runs
and lets you configure the following settings:
• Choose Upstream Server. You can specify a WSUS server from which the server being configured
will receive updates.
• Specify Proxy Server. If your organization has a firewall or proxy server, proxy details are required
so that the WSUS server can access and download updates.
• Choose Languages. You can specify the update languages to download. By default, WSUS
synchronizes only updates in the language that you specified when installing Windows Server.
• Choose Products. This setting controls which products WSUS will download updates for. This
includes Windows Server and client operating systems, in addition to many Microsoft applications
and server products, such as Microsoft Office, SQL Server, and Exchange Server.
• Choose Classification. Microsoft updates come in several different classifications that identify the
type and urgency of the update. For example, Critical Updates, Security Updates, and Definition
Updates. This setting lets you select which classifications WSUS will synchronize.
• Configure Sync Schedule. This setting controls when WSUS will synchronize with Internet-based
Windows Update servers to download new updates. It can be done manually or automatically at
defined times.
After the wizard is finished, you can perform an initial synchronization based on the settings that you have
just defined. Consider the following when you configure the settings.
• Configure auto-approval.
Within the WSUS management console, there are several options, some of which include the following:
• Updates. Here you can classify updates such as Security and Critical. Each update must also be
approved before it can be installed. By default, WSUS automatically approves all security, critical, and
definition updates for servers. For clients, WSUS approves all security, critical, and definition updates,
plus service packs.
• Computers. Within here you can create groups of computers on which to apply updates.
• DownStream Servers. You can specify other update servers in your WSUS hierarchy that will receive
updates from this server.
• Synchronization. Within here you can specify how the local server synchronizes with the Windows
Server Update Services. It provides a status on the synchronizations and enables reports to be viewed.
Note: Microsoft Report Viewer 2008 Redistributable is required to be able to view the reports.
• Reports. Many reports are available to generate and view, such as computer status and update status.
o Server Cleanup
o Automatic approvals
By default, WSUS downloads only the approved updates and stores them, in Cab format, in the
C:\WSUS\WsusContent folder.
• Allow Automatic Updates immediate installation. Specifies whether the Automatic Updates client should
immediately install updates that do not require a service interruption or system restart.
• Automatic Updates detection frequency. Specifies the interval at which Automatic Updates clients check
the server for new updates.
• Configure Automatic Updates. Enables the Automatic Updates client, specifies whether the client should
download and install updates with or without requiring user intervention, and specifies the installation
interval and time of day.
• Reschedule Automatic Updates scheduled installations. Specifies the time interval the Automatic Updates
client should wait after system startup before starting an update installation that did not occur because
the computer was offline.
• Specify intranet Microsoft update service location. Specifies the URL that Automatic Updates clients use
to access the WSUS server on the local network.
• Delay Restart for scheduled installations. Specifies the time interval the Automatic Updates client should
wait before restarting the computer after an update installation.
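As an added example (not from the courseware), the following Windows PowerShell script reads the registry values that these Windows Update Group Policy settings write on a client and reports them by setting name, then flags configurations that leave the client unable to patch itself. It assumes an elevated session on a domain client such as LON-CL1 after gpupdate /force; the registry locations are the documented policy keys, while the function and output property names are this example's own.

```powershell
# Added example (not part of the courseware): map the Windows Update Group Policy settings
# listed above to the policy registry values they write on a client, and report them.
# Run in an elevated Windows PowerShell session on a client such as LON-CL1 after
# "gpupdate /force". Key paths are the documented policy locations; names of the
# functions and output fields are this example's own.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, i.e. the setting is "Not Configured".
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WindowsUpdatePolicy {
    # "Specify intranet Microsoft update service location"
    $wuServer = Get-PolicyValue $policyKey 'WUServer'
    $wuStatus = Get-PolicyValue $policyKey 'WUStatusServer'
    $useWu    = Get-PolicyValue $auKey     'UseWUServer'

    # "Configure Automatic Updates": AUOptions 2-5, plus the schedule used by option 4
    $auOptions = Get-PolicyValue $auKey 'AUOptions'
    $auText = switch ([int]$auOptions) {
        2       { 'Notify before download' }
        3       { 'Auto download, notify before install' }
        4       { 'Auto download and schedule the install' }
        5       { 'Allow local admin to choose setting' }
        default { 'Not configured' }
    }
    $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day, 1 = Sunday ... 7 = Saturday
    $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour of day, 0-23

    [pscustomobject]@{
        IntranetUpdateServer  = $wuServer
        IntranetStatusServer  = $wuStatus
        UseIntranetServer     = ($useWu -eq 1)
        AutomaticUpdates      = $auText
        ScheduledInstall      = if ($null -ne $day) { "day=$day hour=$hour" } else { $null }
        # "Automatic Updates detection frequency" (hours)
        DetectionFrequencyHrs = Get-PolicyValue $auKey 'DetectionFrequency'
        # "Allow Automatic Updates immediate installation"
        ImmediateMinorUpdates = ((Get-PolicyValue $auKey 'AutoInstallMinorUpdates') -eq 1)
        # "Reschedule Automatic Updates scheduled installations" (minutes after startup)
        RescheduleWaitMin     = Get-PolicyValue $auKey 'RescheduleWaitTime'
        # "Delay Restart for scheduled installations" (minutes)
        RebootWarningMin      = Get-PolicyValue $auKey 'RebootWarningTimeout'
    }
}

$p = Get-WindowsUpdatePolicy
$p | Format-List

# Checks worth making before trusting the client to patch itself.
if ($p.UseIntranetServer -and -not $p.IntranetUpdateServer) {
    Write-Warning 'UseWUServer is enabled but WUServer is empty: the client cannot reach any update server.'
}
if ($p.IntranetUpdateServer -and $p.IntranetUpdateServer -notmatch '^https://') {
    Write-Warning "WSUS URL '$($p.IntranetUpdateServer)' is plain HTTP; prefer HTTPS so update metadata is not exposed or altered in transit."
}
if ($p.AutomaticUpdates -eq 'Not configured') {
    Write-Warning 'Configure Automatic Updates is not applied; the client keeps its local Windows Update setting.'
}
```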
You can also manage WSUS by using Windows PowerShell. Cmdlets are provided as part of the WSUS
module; some of them are listed in the following table.
Windows PowerShell Cmdlet    Description of Use
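As an added example (not from the courseware or the WSUS product documentation), the following Windows PowerShell script uses the cmdlets of the UpdateServices module to do from the command line what the console options above do: choose classifications, start a synchronization, list the computers in a target group, approve pending updates for that group only, and run server cleanup. It assumes an elevated session on the WSUS server itself, uses the computer group name WSUS LON Win8 from this module's lab, and the properties it selects (FullDomainName, LastReportedStatusTime, Update.Title) are those of the WSUS API objects the cmdlets return.

```powershell
# Added example (not part of the courseware): WSUS administration from Windows PowerShell.
# Run in an elevated session on the WSUS server (Windows Server 2012), where the
# UpdateServices module is installed with the role. "WSUS LON Win8" is the computer group
# created in this module's lab; the classification titles are WSUS's own.
Import-Module UpdateServices

$wsus = Get-WsusServer    # the local WSUS server (default port 8530)

# Choose Classifications: ensure Security Updates and Critical Updates are synchronized.
$wanted = 'Security Updates', 'Critical Updates'
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $wanted } |
    Set-WsusClassification

# Configure Sync Schedule counterpart: synchronize from Microsoft Update and start a sync now.
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU
$wsus.GetSubscription().StartSynchronization()   # WSUS admin API call on the IUpdateServer object

# Computers: members of the lab's Windows 8 group and when each last reported status.
Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups 'WSUS LON Win8' |
    Select-Object FullDomainName, LastReportedStatusTime

# Updates: security updates not yet approved that at least one client still needs.
$pending = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                          -Approval Unapproved -Status FailedOrNeeded
$pending | ForEach-Object { $_.Update.Title }

# Approve them for installation on the Windows 8 group only, not on All Computers,
# so the approval is scoped the same way as a per-group approval in the console.
$pending | Approve-WsusUpdate -Action Install -TargetGroupName 'WSUS LON Win8'

# Options > Server Cleanup counterpart: decline superseded and expired updates,
# remove obsolete ones.
Invoke-WsusServerCleanup -UpdateServer $wsus -DeclineSupersededUpdates `
    -DeclineExpiredUpdates -CleanupObsoleteUpdates
```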
More information about Windows Server Update Services can be found at the following
webpage.
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
Demonstration Steps
1. Open the Group Policy Management Console.
Lesson 4
Troubleshooting Windows Server
When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the cause quickly often depends on having a logical and
comprehensive troubleshooting methodology. You must also understand the tools available to determine
the cause and make corrections to the environment if applicable.
Lesson Objectives
After completing this lesson, you will be able to:
Assessment of Impact
Understanding how an issue affects the network environment and the operations of your organization is a
very important part of the troubleshooting process. An issue that affects critical services, such as point-of-
sale operations in a busy retail store, might require a temporary partial fix or workaround until the cause
of the issue can be determined and corrected.
As the troubleshooting process continues, the temporary fix might have to be reassessed to make sure
that it is supporting the rest of the environment as effectively as possible. Finally, after the original issue is
determined and corrected, a method for replacing the temporary fix with the permanent solution has to
be determined and implemented in a way that has the least effect on your organization’s operations.
Communication
Almost every issue that you troubleshoot will affect at least one person in your organization. Those
affected have to know specifically how the issue will affect them going forward. In addition, they should
be informed about the progress of the troubleshooting process, time estimates for resolution, and process
changes that might be required of them because of a temporary fix. When the issue is corrected and the
environment returned to a completely functioning state, they also have to be notified that the issue is
resolved. All of these items fall under the category of communication.
Communication is one of the most critical components in the troubleshooting process and is frequently
overlooked. Communication might consist of direct conversations, telephone calls, email messages, or the
updating of a Help Desk ticket with troubleshooting progress.
If several people are affected by an issue, your communication methods might have to be adjusted to
make sure that the information is reaching those affected as efficiently as possible. For example, if an issue
affects a department, you might designate one person from that department, a manager, to communicate
directly with. Any information about the troubleshooting process is then relayed by the manager to the
other people in the department. This makes sure that you can focus on the troubleshooting process, and
assigns responsibility to the manager for making sure that the staff members know the status and
progress of the troubleshooting process.
Documentation
Throughout the troubleshooting process, documentation must be maintained at all levels. Initial
symptoms, affected people and systems, potential causes, and both failed and successful tries to resolve
the issue have to be recorded and appropriately documented to make sure that you make forward
progress in the troubleshooting process.
2. Gather initial information. The next step in the process is to collect appropriate information about
the issue. Typically, this consists of actions like extended observation of the symptoms, running
diagnostic tests on affected hardware and software, or obtaining technical information from vendors
or suppliers of affected items.
3. Determine probable causes of the issue. After the appropriate information is collected, a list of
probable causes has to be recorded and typically ranked. This makes sure that the most probable
causes are investigated first. As the troubleshooting process continues, the causes are tested one by
one. This could lead to the removal of causes other than the cause being tested. It might also lead to
new causes being added to the list because of more information collected during testing.
4. Develop a plan of action. Next, you should determine a plan of action to test for the most probable
cause or causes. This plan can involve one or more steps, and should be documented to make sure
that it is performed correctly and that it can be repeated if it is necessary later in the troubleshooting
process. Also, your development plan should allow for rollback after implementation in case the plan
of action does not resolve the issue.
5. Implement the plan of action. After a plan is established, the plan should be implemented and the
process documented.
6. Test the results of the plan of action. After the implementation of the plan is completed, you
should test the environment to determine whether the issue is corrected. You should also make sure
that related systems and users are not negatively affected by the results of the plan of action.
7. Document the results of the plan of action and repeat the plan steps if it is necessary. The
results of your plan of action should then be documented. If the result of the plan of action corrected
the matter satisfactorily, you should carry on to the last step of closing the issue and completing the
documentation. If your plan of action was unsuccessful, you should roll back the plan of action steps.
Then move on to the next probable cause on the list and begin the plan of action steps for that
cause, repeating the process until the cause is determined and resolution is achieved.
8. Record the issue as resolved and complete documentation. After you have determined the issue
as resolved, any temporary fixes or workarounds should be removed and affected users should be
informed of the resolution. In addition, the documentation of the resolution and steps taken in the
troubleshooting process should be finished and recorded in a manner that allows for later reference
or cataloging. This can be through a Help Desk ticketing application, a Microsoft Word document or
Microsoft Excel® spreadsheet, or a written record in a notebook.
Summary
When these steps are observed and performed correctly, your troubleshooting process will follow a logical
and thorough methodology that will help you resolve an issue quickly and efficiently, in addition to
equipping you with the ability to quickly resolve the issue should it occur again in your environment.
Operating System
Faults or corruptions in the system registry or with system services can result in operating system–related
problems. The operating system controls user and application access to the computer hardware. The
operating system is composed of device drivers, services, security components, applications, network
components, and the configuration that links these components together. However, for troubleshooting,
you should consider the operating system as just the base elements—startup files, startup configuration
components, and operating system services—and not the security, application, or network elements.
Operating system faults frequently manifest during the computer startup process. For example, if a user
accidentally deletes a critical startup file, the operating system will be unable to start. If you install a new
operating system service pack, or update, it might introduce unexpected problems. Therefore, it is
important to test all service packs and updates before you deploy them.
Hardware
For the purposes of troubleshooting, hardware-related problems include problems with the physical
computer, attached peripherals and devices, and device drivers related to these components. Computers
are generally very reliable, but certain components are more prone to failure than others. Components
with moving parts, such as disk drives and power supplies, can wear out. These problems can easily be
identified and fixed.
Other hardware-related issues can occur because of incompatible devices or device conflicts. To
communicate with the rest of the computer, the operating system allocates each device a unique
configuration. Occasionally, the operating system cannot provide the device configuration. This can result
in device failure or computer startup failure.
Network Components
You can define any network configuration as a network component. For example, the TCP/IP
configuration is a network component. Therefore, problems related to a computer’s IP address, subnet
mask, and default gateway are all network component–related. Many network component problems with
server computers can manifest at client computers, in the form of applications or operating system
components operating in an unexpected way because of a lack of network connectivity. Therefore, it can
be difficult to determine exactly where a network component problem is.
Security
When a user cannot access a resource or when a user can access a resource that they should be restricted
from, there is a security-related issue. Some security-related problems can manifest as network
component problems. For example, problems with the firewall configuration might result in users being
unable to access resources to which they should have access. Data encryption and authentication issues
can also result in security problems.
Problems can also occur because of users having elevated administrative rights, or too many privileges on
important files or folders. For example, a user who has Full Control of the Windows system folder might
accidentally delete sensitive system files. This results in an unstable or unusable operating system.
Applications
Application-related problems are those specifically related to the application programs installed and used
by the users. Many of these problems result from misuse of the application by the user or from the user
who is trying to do something with the application that the application does not support. User training
should minimize these kinds of problems.
If a user reports a problem with an application and misuse has not caused the problem, the problem’s
cause might be a software error or bug. You can read the application’s documentation to determine
whether this is a known problem and whether service packs or hot fixes exist that will eliminate the
problem.
Users who report performance problems with applications might have hardware-related problems instead
of an application problem. The computer might require more memory, or the computer’s disk might be
fragmented. You can determine whether a problem is hardware performance–related because hardware
performance problems typically affect more than one application.
Application incompatibility issues can also cause significant problems. A specific combination of
applications that are running at the same time could cause operating system failures and data loss. You
can avoid application incompatibility issues by deploying only applications that you have tested in
combination together, and by restricting end-users from installing additional applications.
Event Viewer
Windows Event Viewer provides access to the Windows event logs. Event logs provide information about
system events that occur within Windows. These events include information, warning, and error messages
about Windows components and installed applications.
Event Viewer provides categorized lists of basic Windows log events (application, security, setup, and
system), in addition to log groupings for individual installed applications and specific Windows
component categories. Individual events provide detailed information about the kind of event that
occurred, when the event occurred, the source of the event, and detailed technical information to help in
troubleshooting the event.
Additionally, Event Viewer lets you combine logs from multiple computers onto a centralized computer by
using subscriptions. Finally, you can configure Event Viewer to perform an action based on a specific event
or events occurring. This can include sending an email message, starting an application, or running a
script or other maintenance action that could notify you or try to resolve a potential issue.
Note: To open Event Viewer, in Server Manager, click Tools, and then select Event Viewer.
Task Manager
Windows Task Manager is the simplest and quickest way to monitor real-time resource usage and
performance information in Windows Server. Task Manager provides information about currently running
applications, processes, and services, in addition to a high-level performance view of three system
resources: CPU, memory, and network. Within Task Manager, you can also see a list of currently logged-
on users.
1. Press Ctrl+Shift+Esc.
Resource Monitor
Resource Monitor provides features similar to Task Manager, but greatly enhanced. It provides a
comprehensive view of the performance of key system components (CPU, disk, network, and memory) in
both a graphical and a detailed report form. Resource Monitor provides detailed information that lets you
troubleshoot resource or performance-based issues at a very specific level.
2. Open Task Manager, click the Performance tab, and then click Open Resource Monitor.
Performance Monitor
Windows Performance Monitor is an MMC snap-in that lets you measure and compare the performance
of many system components. This information can be displayed graphically in real time or collected and
reported on for a given time period. Windows accumulates the data for these components by using
objects called counters. A counter can track the information about a single component or aspect of the
system within Performance Monitor.
In addition to the default counters, applications installed on a Windows Server such as SQL Server or
Exchange Server can add their own counters to Performance Monitor. This lets you monitor various
aspects of those application installations.
Performance Monitor can monitor a specific set of counters over time. It can also provide detailed reports
of system performance and configuration.
Note: To start Performance Monitor, in Server Manager, click Tools, and then click
Performance Monitor.
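As an added example (not from the courseware), the following Windows PowerShell script summarizes a Performance Monitor log (.blg) written by a data collector set, averaging every counter over the capture and flagging the resource that looks saturated, which is the first step of the log analysis in this module's lab. It assumes the Part A capture path from the lab; the thresholds are rule-of-thumb triage values chosen for this example, not values from the courseware.

```powershell
# Added example (not part of the courseware): summarize a Performance Monitor log (.blg)
# to see which resource is saturated before reading individual counters in the GUI.
# The path is the Part A capture named in this module's lab; the thresholds below are
# rule-of-thumb values assumed for this example.
$logPath = 'E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartA.blg'

function Get-CounterSummary {
    param([string]$Path)
    # Import-Counter reads .blg or .csv logs and returns one sample set per interval,
    # each holding one PerformanceCounterSample per counter path.
    Import-Counter -Path $Path -ErrorAction Stop |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Status -eq 0 } |            # drop samples the provider marked invalid
        Group-Object -Property Path |
        ForEach-Object {
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round($stats.Average, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
                Samples = $_.Count
            }
        }
}

# Counter paths look like \\LON-SVR2\Processor(_Total)\% Processor Time; match on the tail.
# Above = $true means "warn when the average exceeds Limit", otherwise warn when below it.
$rules = @(
    @{ Pattern = '\\processor\(_total\)\\% processor time$';            Limit = 80;    Above = $true;  Why = 'sustained CPU saturation' }
    @{ Pattern = '\\memory\\available mbytes$';                        Limit = 100;   Above = $false; Why = 'memory pressure' }
    @{ Pattern = '\\memory\\pages/sec$';                               Limit = 1000;  Above = $true;  Why = 'heavy paging' }
    @{ Pattern = '\\physicaldisk\(_total\)\\avg\. disk queue length$'; Limit = 2;     Above = $true;  Why = 'disk I/O queueing' }
    @{ Pattern = '\\physicaldisk\(_total\)\\avg\. disk sec/transfer$'; Limit = 0.025; Above = $true;  Why = 'slow disk response' }
)

$summary = Get-CounterSummary -Path $logPath
$summary | Sort-Object Counter | Format-Table -AutoSize

foreach ($rule in $rules) {
    foreach ($row in ($summary | Where-Object { $_.Counter -match $rule.Pattern })) {
        $hit = if ($rule.Above) { $row.Average -gt $rule.Limit } else { $row.Average -lt $rule.Limit }
        if ($hit) {
            Write-Warning ('{0}: average {1} (max {2}) over {3} samples suggests {4}' -f $row.Counter, $row.Average, $row.Maximum, $row.Samples, $rule.Why)
        }
    }
}
```

A counter that is flagged here is a lead, not a diagnosis; the next step is to open the same log in Performance Monitor and look at how that counter changes over time relative to the others.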
Reliability Monitor
Reliability Monitor provides an overview of system stability and the events and changes that affect the
overall stability of a system. It tracks software installation and uninstallation, Windows failures, application
failures, and hardware failures.
Reliability Monitor calculates a System Stability Index that reflects in graph form whether unexpected
problems reduced the system's reliability. It assesses the computer's overall stability on a scale of 1 to 10.
The accompanying System Stability Report provides details to help identify the specific changes that
reduced reliability, and it can be saved in XML format.
1. Open Control Panel. Then click System and Security, open Action Center, expand the Maintenance
section within it, and then click the View reliability history link.
2. Open a Command Prompt, type perfmon /rel, and then press Enter.
Depending on the component in question, different command-line tools can troubleshoot issues. For
example, for network-related issues, tools such as ping, nslookup, nbtstat, and ipconfig are all relevant
and important in narrowing the cause of a problem.
As roles and features are installed on servers, some of those functions have their own command-line tool.
Some of the directory services toolsets can be useful in troubleshooting.
Windows PowerShell functionality has also been greatly extended in Windows Server 2012. There are now
cmdlets for most roles and features. If you are unsure how to obtain information about a specific role or
feature, look for the corresponding Windows PowerShell cmdlets and see whether there is data that can
be obtained by using Windows PowerShell that is not available elsewhere. Using a command in the
format of Help *XYZ* can help identify relevant cmdlets that might be useful. This lets you drill down into
the individual cmdlet functionality.
External Sources
In addition to the troubleshooting tools included with Windows, external sources such as product
manuals, vendor websites, or community forums or discussion groups can be used to provide additional
resources for the troubleshooting process.
Microsoft regularly produces Knowledge Base Articles (KB Articles), which document known issues and
provide workarounds or sometimes fixes for the issues.
General Microsoft support is available at the following website.
http://support.microsoft.com
Demonstration Steps
1. Open and view Event Viewer.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 90 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
• Domain: ADATUM
6. For 10967A-LON-SVR5, this server is intentionally broken for this troubleshooting exercise. You
should not start the virtual machine until you are instructed to do so during the lab, following
the steps outlined there closely.
IMPORTANT: Internet access is also required for Exercise 1. The 10967A-LON-DC1 virtual machine needs
to be able to access the Windows Update service, so the MSL-TMG server needs to be up and running to
complete the lab in Exercise 1. MSL-TMG is available for download from the MCT Download Center, and
steps for successful setup are available in the MSL-TMG setup guide.
Supporting Documentation
Request Details:
Configure WSUS for local distribution of updates for the London office:
1. Install WSUS on 10967A-LON-DC1.
5. Configure test client LON-CL1 to receive updates from the newly configured WSUS server.
9. Query the WSUS server for available updates from Windows 8 client
Task 1: Install the Windows Server Update Services role and required features
1. Ensure you are signed in to 10967A-LON-DC1 with username ADATUM\Administrator and
password Pa$$w0rd.
2. Install the Windows Server Update Services role and the .NET Framework 3.5 feature by using the Add
Roles and Features Wizard.
3. When the installation completes successfully, open the Windows Server Update Services management console.
2. Complete the Windows Server Update Services Configuration Wizard with the following settings:
2. Create a new Group Policy Object (GPO) linked to the Adatum.com domain named WSUS.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand
Policies, expand Administrative Templates, expand Windows Components, and then click
Windows Update.
10. Start 10967A-LON-CL1 and sign in as ADATUM\Administrator with the password of Pa$$w0rd.
11. On LON-CL1, open a Command Prompt with administrative permissions, and update Group Policy
by running the following command:
gpupdate /force
12. Update the client with any changes made to the WSUS service by running the following command:
2. Ensure the following services are running successfully and have their Startup type set to Automatic:
• Windows Update
2. Expand All Computers and ensure there are two computers listed:
• Lon-dc1.adatum.com
• Lon-cl1.adatum.com
Note: It may take a few minutes for the computers to appear, if you do not see them listed immediately.
3. Create a Computer Group called WSUS LON Win8 and add lon-cl1.adatum.com to that group.
4. Create a Computer Group called WSUS LON WS2012 and add lon-dc1.adatum.com to that group.
2. Specify a Deadline of yesterday’s date to force client computers to install it straight away.
Task 9: Query the WSUS server for available updates from Windows 8 client
1. Ensure you are signed in to 10967A-LON-CL1 with user name ADATUM\Administrator and
password Pa$$w0rd.
gpupdate /force
4. Open the Windows Update log file C:\Windows\WindowsUpdate.log in Notepad and verify it has
connected successfully to the WSUS web services.
5. Back on 10967A-LON-DC1 verify there are events in Event Viewer from WSUS specifying that clients
have connected successfully.
6. Return to 10967A-LON-CL1.
7. Verify that the Update for Microsoft Windows (KB2768703) is listed as installed in Control Panel, under
Programs.
Note: It may take several minutes for the client to connect and the update to be installed. You
should proceed to the next Exercises and complete those while waiting for the client to be updated. Once
you have completed those exercises you can then return here to verify the update has been applied
successfully.
Results: At the end of this exercise, you will have configured Windows Server Update Services (WSUS) to
manage updates.
Incident Details:
Call logged by IT Help Desk. Branch users cannot access shared files on 10967A-LON-
SVR5.
1. File shares not available over the network.
4. All other network resources in the branch location are functioning correctly.
Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
2. What considerations should be made about 10967A-LON-SVR5 and the people and
services that require the services that are provided by 10967A-LON-SVR5?
Assessment Questions:
1. What is the error message displayed on 10967A-LON-SVR5?
3. What tool should you use to try to resolve the problem that is causing the error message?
Resolution Questions:
1. How did you resolve the problem?
3. Resolve the issue on the Windows Server and complete the Incident Record
3. What considerations should be made about 10967A-LON-SVR5 and the people and services that
require the services that are provided by 10967A-LON-SVR5?
2. You will be prompted to “Press any key to boot from CD or DVD…” as the virtual machine starts,
but do not press anything; allow the virtual machine to start without any intervention.
Note: The virtual machine has been configured with the Windows Server 2012 evaluation ISO installation
files already attached, to assist with steps required later in the lab. As such, the 10967A-LON-SVR5
virtual machine will give the prompt “Press any key to boot from CD or DVD…” each time it starts up.
Do not press any key to boot into the installation files unless explicitly told to do so in the lab steps.
3. Observe the error message displayed on 10967A-LON-SVR5 and answer the Assessment Questions
in the Incident Record.
Task 3: Resolve the issue on the Windows Server and complete the Incident Record
1. Start the 10967A-LON-SVR5 virtual machine.
2. As stated in the previous exercise, you will be prompted to “Press any key to boot from CD or
DVD…” as the virtual machine starts.
3. Press Enter and allow the virtual machine to boot into the installation files.
4. At the Install Windows dialog box, click Next, and then click the Repair your computer link.
9. Use bootrec to rebuild the BCD store with the newly found operating system entry.
10. Restart the server and verify that the server now starts successfully.
13. What should the next steps in the troubleshooting process be?
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
You know that the server LON-SVR2 experiences low network traffic and has limited disk activity, but the
Help Desk is receiving many reports that the server is slow.
Later that week, the Help Desk receives reports that the server is running slow again. You know that the
server LON-SVR2 is not running processor-intensive applications so you remotely run a System
performance data collector set on LON-SVR2 and now need to analyze those logs to try to identify any
problems that could be affecting performance.
Supporting Documentation
Incident Details:
Call logged by IT Help Desk. Users report LON-SVR2 is running slow. Performance Monitor logs are
stored in E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartA.blg
Resolution Questions:
1. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer to the previous question, what steps (using a troubleshooting
methodology) would you take to continue the troubleshooting process?
Incident Details:
Call logged by IT Help Desk. Users report LON-SVR2 is running slow. Performance Monitor logs are
stored in E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartB.blg
Resolution Questions:
1. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer to the previous question, what steps (using a troubleshooting
methodology) would you take to continue the troubleshooting process?
1. Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part A.
2. Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part B.
Task 1: Examine the Performance Monitor logs for the first issue and answer the
resolution questions for Part A
1. Ensure you are signed in to 10967A-LON-DC1 with user name ADATUM\Administrator and
password Pa$$w0rd.
5. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
6. Keeping in mind your answer from the previous question, what steps (using a troubleshooting
methodology) would you take to continue the troubleshooting process?
7. Close Performance Monitor.
Task 2: Examine the Performance Monitor logs for the first issue and answer the
resolution questions for Part B
1. Ensure you are still signed in to 10967A-LON-DC1 with user name ADATUM\Administrator and
password Pa$$w0rd.
5. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
6. Keeping in mind your answer from the previous question, what steps (using a troubleshooting
methodology) would you take to continue the troubleshooting process?
Results: After this exercise, you should have collected information to start the troubleshooting process.
Question: If, after a network adapter installation on a server, Windows startup failed while
the splash screen was displayed, which startup-based tool would you use to troubleshoot the
issue?
Question: What would be the most efficient way to configure hundreds of clients in a
Windows domain to receive updates from a newly installed WSUS server?
Question: How does fault-tolerant hardware provide for high availability, provided the
hardware is supported by Windows Server 2012?
Question: What benefits does Performance Monitor offer over Resource Monitor?
Tools

Tool: BCDEdit
Use for: Editing the Windows Boot Configuration Data store.
Where to find it: From the command line, type bcdedit.

Tool: Chkdsk
Use for: Checking a disk for unreadable or corrupted sectors.
Where to find it: From the command line, type chkdsk.

Tool: WSUS
Use for: Managing Windows Updates in the enterprise.
Where to find it: Available from the Microsoft Download Center.

Tool: Windows Recovery Environment
Use for: Repairing various aspects of a Windows Server.
Where to find it: Select Repair Computer from the F8 Windows Advanced Options boot menu, or select
Repair Computer when booting from Windows installation media.

Tool: Last Known Good Configuration
Use for: Loading system registry settings saved from the last successful system startup.
Where to find it: Select Last Known Good Configuration from the F8 Windows Advanced Options boot menu.

Tool: Safe mode
Use for: Loading Windows Server with a minimal set of drivers and services for troubleshooting.
Where to find it: Select one of the Safe Mode options from the F8 Windows Advanced Options boot menu.

Tool: Windows Server Backup (wbadmin.exe)
Use for: Backing up Windows Server computers.
Where to find it: Click Start, type Windows Server Backup in the Start Search field, and then press Enter.
You can also run wbadmin.exe from the command line.

Tool: Windows Update
Use for: Updating operating system, device driver, and Microsoft application components.
Where to find it: Click Start, type Windows Update in the Start Search field, and then press Enter.

Tool: Event Viewer
Use for: Viewing Windows logs.
Where to find it: Click Start, click Administrative Tools, and then click Event Viewer.

Tool: Resource Monitor
Use for: Viewing detailed real-time information about the Windows environment.
Where to find it: From Task Manager, click the Performance tab, and then click the Resource Monitor button.

Tool: Performance Monitor
Use for: Viewing and collecting real-time and historical performance and configuration information about
the Windows environment.
Where to find it: Click Start, click Administrative Tools, and then click Performance Monitor.

Tool: Reliability Monitor
Use for: Viewing an overview of system events and relative system stability.
Where to find it: Click Start, and then in the Start Search box, type perfmon /rel, and then press Enter.

Tool: System File Checker (sfc.exe)
Use for: Scanning the integrity of all protected system files and replacing incorrect versions if necessary.
Where to find it: From the command line, type sfc.

Tool: Wuauclt.exe
Use for: Windows Update Automatic Updates client command-line tool.
Where to find it: From the command line, type wuauclt.
Course Evaluation
Your evaluation of this course will help Microsoft
understand the quality of your learning experience.
b. In the Settings for 10967A-LON-SVR4 dialog box, click DVD Drive in the Hardware pane.
c. In the DVD Drive pane, select Image file, and then click Browse.
3. In the Virtual Machine Connection window, click the Action menu, and then click Start.
4. In the Windows Setup wizard, choose the following settings, and then click Next.
6. Select the Windows Server 2012 Datacenter Evaluation (Server with a GUI) operating system, and
then click Next.
10. Provide the administrator password, Pa$$w0rd, and then click Finish.
Note: Setup will continue by copying and expanding files, installing features and updates,
and finish the installation. This phase takes about 20 minutes. Your instructor might continue with
other activities during this phase.
Results: After this exercise, you should have installed a new Windows Server® 2012 server.
2. Open Server Manager, and in the navigation pane, click Local Server.
a. In the Properties area, scroll to the right side, and then click the Time zone entry.
b. In the Date and Time dialog box, click the Change time zone button.
c. Select (UTC) Dublin, Edinburgh, Lisbon, London, make sure that Automatically adjust clock for
Daylight Saving Time is selected, and then click OK.
b. In the Local Area Connection Properties window, right-click Local Area Connection, and then
select Properties.
c. Click Internet Protocol Version 4 (TCP/IPv4), and then click the Properties button.
d. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Use the following IP
address.
e. Enter the following values:
• IP address: 172.16.0.30
5. Configure automatic updating and feedback settings as specified in the email message.
6. Configure the computer name and domain settings as specified in the email message.
c. In the Computer Name/Domain Changes window, type LON-SVR4 in the Computer name
field.
d. Select Domain in the Member of section, and then type Adatum.com in the Domain field.
e. Click OK.
f. When you are prompted to provide administrative account details, use ADATUM\Administrator
and a password of Pa$$w0rd.
g. When the Welcome to the Adatum domain dialog box appears, click OK.
h. When you are prompted to restart your computer to apply these changes, click OK.
Results: After this exercise, you should have configured post-installation settings by using Server
Manager.
2. Click the File Explorer icon on the bottom toolbar to confirm the graphical user interface (GUI)
components are installed.
3. In Server Manager, select the Manage menu, and then click Remove Roles and Features.
4. In the Remove Roles and Features wizard, click Server Selection, verify LON-SVR4.Adatum.com is
selected, and then click Next.
6. On the Remove Features page, expand User Interfaces and Infrastructure, clear Server Graphical
Shell and Graphical Management Tools and Infrastructure, and click Remove feature. When the
Remove Roles and Feature Wizard opens, click Next.
7. On the Confirm Removal Selections page, select the Restart the destination server automatically
if required check box, and then click Yes to confirm your selection.
8. Click the Remove button, and wait for the feature to be removed.
Task 2: Install GUI administrative components in Windows Server 2012 Server Core
1. Continue to work on 10967A-LON-SVR4.
2. At the command prompt type the following, and then press Enter
powershell
3. At the Windows PowerShell prompt, type the following, and then press Enter.
Get-WindowsFeature
4. Note the Name associated with the Graphical Management Tools and Infrastructure component
5. At the Windows PowerShell prompt, type the following, and then press Enter.
Install-WindowsFeature Server-Gui-Mgmt-Infra
7. Notice the Warning message that you must restart this computer to finish the installation process.
8. At the prompt, type the following, and then press Enter.
Restart-Computer
10. Verify the command prompt displays and Server Manager also displays. Components such as File
Explorer are still not available.
11. When the Remove Roles and Feature Wizard window provides a message that Removal succeeded on
LON-SVR4.Adatum.com, click Close.
Results: After this exercise, you should have converted from a Full installation to a Minimal Interface
installation.
2. In Server Manager, click the Tools menu, and then click Services.
3. Scroll down to Print Spooler. Notice that Print Spooler status is Running and startup is set to
Automatic.
6. Click the Stop button to stop the Print Spooler service and then click OK.
Results: After this exercise, you should have used Server Manager to change service startup options.
2. In Server Manager, click the Tools menu, and then click Computer Management.
4. In the Device Manager window, expand Keyboards, right-click Standard PS/2 Keyboard, and then
click Update Driver Software.
5. In the Update Driver Software – Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.
6. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
7. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and
then click Next.
8. Click Close.
9. In the System Settings Change dialog box, click Yes to restart the computer.
2. In Server Manager, click the Tools menu, and then click Computer Management.
5. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab.
6. Click Roll Back Driver.
8. Click Close, and then in the System Settings Change dialog box, click Yes to restart the computer.
10. In Server Manager, click the Tools menu, and then click Computer Management.
11. In the left column select Device Manager.
13. Verify that you have successfully rolled back the keyboard driver.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
Results: After this exercise, you should have performed update and rollback operations on a device driver.
2. Open Server Manager, then click Tools and select Computer Management,
3. In the Computer Management console expand Storage, and then click Disk Management.
Note: Alternatively, you can hover the mouse over the bottom left corner and right-click. In the resultant
menu, select Disk Management.
4. Right-click Disk Management in the left pane and select Create VHD
5. In the Create and Attach Virtual Hard Disk dialog, create a .vhd file with the following
characteristics, and then click OK.
6. Open File Explorer and verify the file exists as you created it.
7. Open Disk Management and verify the disk is listed with the properties you specified.
Task 2: Use Windows PowerShell to identify the newly created disk, bring the disk
online and initialize it
1. Open the Windows PowerShell console by right-clicking the Windows PowerShell icon and selecting
Run as Administrator
2. To view the available disks, type the following and press Enter.
Get-Disk
3. The vhd file just created should have a size of approx. 7 GB, be online and have ID number 7.
4. You can use Windows PowerShell to take a disk offline. Type the following, where <X> is the number
of the disk that has just been created, and then press Enter.
6. To bring the disk online, type the following and press Enter.
7. To find a command that may be able to initialize a disk, type the following and press Enter.
Get-Help *Disk*
8. Scroll through the resultant cmdlets and locate the cmdlet Initialize-Disk
9. To initialize the disk with an MBR partition style, type the following and press Enter.
10. Use the Get-Disk command to ensure that the disk was initialized successfully.
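The disk steps of this task written out as a script, with the guard a practitioner would want before writing a partition table. This is an added example, not the course's own lab code; the disk number 7 and the BusType value that Disk Management reports for an attached VHD are assumptions.

```powershell
# Added example (not from the course manual): find the freshly attached VHD,
# take it offline and back online, then initialize it with an MBR partition
# style, refusing to touch any disk that is already in use.
#Requires -RunAsAdministrator

function Get-UninitializedVhdDisk {
    # Assumption: a VHD attached through Disk Management reports a BusType of
    # 'File Backed Virtual' and a PartitionStyle of 'RAW' until it is initialized.
    Get-Disk | Where-Object {
        $_.BusType -eq 'File Backed Virtual' -and $_.PartitionStyle -eq 'RAW'
    }
}

function Initialize-LabDisk {
    param(
        [Parameter(Mandatory)][int]$Number,          # lab says the VHD is disk 7
        [ValidateSet('MBR', 'GPT')][string]$PartitionStyle = 'MBR'
    )
    $disk = Get-Disk -Number $Number -ErrorAction Stop

    # Guard rails: never initialize the disk Windows booted from, the system
    # disk, or anything that already carries a partition table. Initialize-Disk
    # on the wrong number is the classic way to lose a server.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $Number is a boot/system disk; refusing to initialize it."
    }
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $Number already has a $($disk.PartitionStyle) partition table."
    }

    # Steps 4 and 6 of the task: take the disk offline, then bring it online.
    Set-Disk -Number $Number -IsOffline $true
    Set-Disk -Number $Number -IsOffline $false

    # A disk attached read-only cannot be initialized; clear the flag first.
    if ((Get-Disk -Number $Number).IsReadOnly) {
        Set-Disk -Number $Number -IsReadOnly $false
    }

    # Step 9 of the task: write the partition table.
    Initialize-Disk -Number $Number -PartitionStyle $PartitionStyle

    # Step 10 of the task: re-read the disk so the caller can verify the result.
    Get-Disk -Number $Number | Select-Object Number, FriendlyName, Size,
        PartitionStyle, OperationalStatus, IsOffline, IsReadOnly
}

# Usage: initialize every still-RAW VHD, or call Initialize-LabDisk -Number 7.
Get-UninitializedVhdDisk | ForEach-Object { Initialize-LabDisk -Number $_.Number }
```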
Results: After this exercise, you should have a Hyper-V® .vhd file.
2. Under Computer Management, expand Storage, and then click Disk Management.
7. Click Next.
9. Select J in the drop down box for the Assign the following drive letter. Click Next.
10. On the Format Partition page ensure NTFS is selected and enter the volume label as
SimpleVol_NTFS, click Next.
12. Right-click SimpleVol_NTFS and select Format, and then click OK in the Format J: dialog box.
13. In the Format J: dialog box, read the warning and click OK.
14. In the Disk Management dialog box, read the warning and click Yes.
17. Open File Explorer and ensure the new volume is displayed as a drive with letter J
18. Repeat Steps 3 to 17 using Disk 2 with the following settings – Substitute K for J. Substitute
SimpleVol_ReFS for SimpleVol_NTFS
• FileSystem: ReFS
2. Select Computer Management and then expand Storage and click on Disk Management
3. In Disk Management right-click the SimpleVol_NTFS volume and then select Change Drive Letter
and Paths.
4. Click Change.
5. Change Assign the following drive letter to R:, click OK, and then click Yes twice.
6. Repeat steps 3 to 5 for the SimpleVol_ReFS volume assigning the drive letter S to the volume
7. Open File Explorer and verify that the drive letters now appear as configured.
2. Select Computer Management and then expand Storage and click on Disk Management
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Change Drive Letter
and Paths.
4. Click Add.
5. Select Mount in the following empty NTFS folder, and then click Browse.
6. With C:\ selected, click New Folder and call the folder MountedVolume_NTFS
7. Click OK twice.
8. Repeat steps 3 to 7 for the SimpleVol_ReFS volume using the folder path C:\MountedVolume_ReFS
9. In File Explorer, show that C:\MountedVolume_NTFS and C:\MountedVolume_ReFS exist and they
are accessible as expected.
Results: After this exercise, you should have a 2 GB NTFS volume and a 10 GB ReFS volume
2. Select Computer Management and then expand Storage and click on Disk Management
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Extend Volume
4. In the Welcome to the Extend Volume Wizard page click Next
5. On the Select Disks page in the select the amount of space in MB textbox enter 4000 and click
Next
7. Verify the NTFS volume size has increased from 2 GB to 6 GB in size and is still available and
accessible.
2. Select Computer Management and then expand Storage and click on Disk Management
3. In Disk Management, right-click the SimpleVol_ReFS volume, and then select Shrink Volume
4. Verify a message displays that states, The volume cannot be shrunk because the file system
does not support it.
Results: You have expanded the NTFS volume to 4 GB in size but have failed to shrink the ReFS volume,
because shrinking a ReFS volume is not supported. If your manager insists on an ReFS drive of the
reduced size, the volume will need to be re-created.
2. In Server Manager click on File and Storage Services followed by Volumes then Storage Pools
3. In the Storage Pool section click on Tasks and choose New Storage Pool…
4. On the opening page of the New Storage Pool Wizard click Next
5. On the Specify a storage pool name and subsystem page enter StoragePool1 into the Name textbox,
and then click Next.
6. On the Select physical disks for the storage pool page select Physical disks 3 and 4, and then click
Next.
2. Click StoragePool1 under Storage Pools, and then in the Virtual Disks section click Tasks and choose
New Virtual Disk…
3. In the New Virtual Disk Wizard on the Before You Begin page click Next
4. On the Select Storage Pool page ensure StoragePool1 is selected and click Next
5. On the Specify the virtual disk name page enter VirtualDisk1 into the Name field and Click Next
7. On the Specify provisioning type page select Thin and click Next
8. On the Specify the size of the virtual disk page enter 4 GB into the virtual disk size textbox click
Next
9. On the Confirm selections page click Create and then click Close
10. The New Volume Wizard appears and on the Before you Begin page click Next
11. On the Select the server and disk page click Next
12. On the Specify the size of the volume page click Next
13. On the Assign a drive letter or folder page select T from the drop down list, and then click Next.
14. On the Select file system settings page select NTFS as the file system, Enter VirtualDiskMirVol as
the Volume Label and click Next
15. On the Confirm selections page click Create
2. Right-click StoragePool1 under Storage Pools, and select Add Physical Disk…
4. Verify three disks are now listed in the Physical Disks section in Storage Pools
2. In the Physical Disks section right-click PhysicalDisk 4 and select Remove Disk
2. Verify the Test File.txt is still present and accessible on the VirtualDiskMirVol
3. Return to Server Manager, click on File and Storage Services followed by Volumes then Storage
Pools then go to the Physical Disks section
4. Notice that there are only two disks now as part of the Virtual Disk listed in the Physical Disks section
5. In the Virtual Disk section verify a warning exists alongside the VirtualDisk1
6. Right-click the Virtual Disk VirtualDisk1, select Properties and in the Virtual Disk Properties dialog
click on Health
2. Refresh the settings and verify the Virtual Disk warning message is no longer present
3. Right-click the Virtual disk VirtualDisk1 and select properties and click Health
4. Verify the health status now reads healthy, and then close the VirtualDisk1 Properties window
5. Open File Explorer and verify the file you created earlier is still accessible and available
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
Results: You have created a storage pool and a virtual disk, and have verified the integrity of the shared
data in the event of a catastrophic hard disk failure by simulating the removal of a disk.
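The same pool, mirror and health check done with the Storage module instead of the Server Manager wizards, including the repair step after a disk is lost. This is an added example, not the course's own lab code; it assumes the physical disks carry the names PhysicalDisk3, PhysicalDisk4 and PhysicalDisk5 and that the local Storage Spaces subsystem is the first one Get-StorageSubSystem returns.

```powershell
# Added example (not from the course manual): StoragePool1 / VirtualDisk1 as a
# thin 4 GB two-way mirror, plus the health check and repair a failed disk needs.
#Requires -RunAsAdministrator

function New-LabMirrorPool {
    param(
        [string]$PoolName = 'StoragePool1',
        [string]$DiskName = 'VirtualDisk1',
        [string[]]$PhysicalDiskNames = @('PhysicalDisk3', 'PhysicalDisk4')  # assumed names
    )
    # Only disks Windows reports as poolable (no partitions, not already pooled).
    $disks = @(Get-PhysicalDisk -CanPool $true |
        Where-Object { $PhysicalDiskNames -contains $_.FriendlyName })
    if ($disks.Count -lt 2) {
        throw "A two-way mirror needs at least 2 poolable disks; found $($disks.Count)."
    }
    $subsystem = Get-StorageSubSystem | Select-Object -First 1   # assumption: local Spaces
    New-StoragePool -FriendlyName $PoolName `
        -StorageSubSystemUniqueId $subsystem.UniqueId `
        -PhysicalDisks $disks | Out-Null

    # Mirror layout, thin provisioning, 4 GB: the choices made in the wizard.
    New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
        -ResiliencySettingName Mirror -ProvisioningType Thin -Size 4GB
}

function Get-LabVirtualDiskHealth {
    param([string]$PoolName = 'StoragePool1', [string]$DiskName = 'VirtualDisk1')
    $vd = Get-VirtualDisk -FriendlyName $DiskName -ErrorAction Stop
    # Pool disks the pool can no longer talk to: what removing a disk produces.
    $lost = @(Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
        Where-Object { $_.OperationalStatus -ne 'OK' })
    [pscustomobject]@{
        VirtualDisk       = $vd.FriendlyName
        HealthStatus      = $vd.HealthStatus        # Healthy / Warning / Unhealthy
        OperationalStatus = $vd.OperationalStatus   # OK / Degraded / ...
        BackingDisks      = @($vd | Get-PhysicalDisk).Count
        LostDisks         = $lost.FriendlyName
    }
}

function Repair-LabMirror {
    param([string]$PoolName = 'StoragePool1', [string]$DiskName = 'VirtualDisk1')
    $lost = Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
        Where-Object { $_.OperationalStatus -ne 'OK' }
    foreach ($d in $lost) {
        # Retire the missing disk so the pool stops waiting for it to return.
        Remove-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $d -Confirm:$false
    }
    # Rebuild the second mirror copy on the disks that remain (the lab added
    # PhysicalDisk5 before the failure so there is somewhere to rebuild to).
    Repair-VirtualDisk -FriendlyName $DiskName
    Get-LabVirtualDiskHealth -PoolName $PoolName -DiskName $DiskName
}
```

Run Get-LabVirtualDiskHealth before and after pulling a disk: HealthStatus moves from Healthy to Warning and BackingDisks drops by one, and Repair-LabMirror brings it back once a spare disk is in the pool.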
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
Answer: Because of the large amount of data being sent back and forth on the network, the fastest
possible Ethernet standard should be used that can be deployed in an office LAN environment.
10GBASE-T offers a throughput of 10 Gbps and uses copper wire cabling as its medium, which can be
easily installed into each office as the new building is being constructed.
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
Answer: Based on the conference room’s size and the variance in location and mobility of users and
their laptops, a wireless infrastructure should be used for the conference room, preferably the fastest
available, 802.11n. Encryption should also be added to the wireless network, preferably using WPAv2
and RADIUS, the most secure and current wireless encryption protocol, and the ability to use
certificates to control access.
3. What components and technology would you use to connect the New York and Seattle branches?
Answer: T1 would be a good choice. There isn’t a lot of data being sent between the two offices, and
a leased T1 connection through a telecommunications provider would allow for data to be sent
between locations in a secure fashion.
4. What is the best architecture to allow both partners and home office users to access their information
using only one method of access?
Answer: An extranet could be set up, providing a server available for both partners and remote users
to exchange their files. This would provide one point of access, in addition to a centralized place to
host the files that these two groups are using.
We know the A. Datum staff will all be running the Windows 8 operating system, so we could set up
DirectAccess to allow the remote staff to be always connected to the office network or we could also
consider a VPN connection; however, because they only need access to a few files, an extranet would
be a more logical choice. If the office were to expand significantly over the short term, it might be
worth investing in a DirectAccess solution now. Perhaps this is one point you can inquire about in
your follow-up with Susan.
Results: After this exercise, you should have identified the infrastructure and components required to
implement a network in a new location.
Answer: Switches. These provide a way of connecting the nodes on the network and support virtual local
area networks (VLANs). Traffic is isolated to the required VLAN except where necessary. In addition, simple
hubs do not support quality of service (QoS).
2. What devices are required to connect the branches together and connect the branches to the head
office?
Answer: Routers. Although switches can provide routing function, wide area network (WAN) routers are
needed to connect the branches together and to connect to the head office.
Answer: You must select a mechanism to manage the routing tables. You could use static routes, or
alternatively implement a routing protocol like Routing Information Protocol (RIP) or Open Shortest Path
First (OSPF).
4. Update the A. Datum Branch Network Plan diagram to show what kinds of devices that you will
implement.
Results: After this exercise, you should have completed both the A. Datum Branch Network Plan diagram
and the Branch Office Network Components Deployment Plan.
Task 2: Update the proposal document with your planned course of action
Update the proposal document with your planned course of action, by answering these proposal
questions.
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined
for network components earlier?
Answer: Switches were indicated earlier, which means coaxial cable is not possible. And generally
coaxial cable is not good in any new installation. Twisted-pair and fiber cabling is required.
2. How will you address the issue of high levels of electromagnetic interference?
Answer: Where required, install shielded twisted pair. In areas where this is insufficient, use fiber.
3. What cable standards do you propose?
Answer: For copper, Category 5e or higher. Cat 6 supports 10 gigabits per second (Gbps) Ethernet
and better future-proofs the solution. For fiber, multimode fiber is cheaper and should address the
bandwidth requirements.
Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
Answer: Six.
2. What class address is 172.16.0.0/16?
Answer: Class B.
Answer: Private.
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
logical subnet using this initial subnet?
Answer: 172.16.32.0/20. The next is 172.16.48.0/20.
Answer: The first host is one address higher than the subnet ID and the last host is two addresses
lower than the next subnet ID. Therefore, the first host is 172.16.16.1/20 and the last is 172.16.31.254.
Answer: 255.255.240.0.
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will
implement in the branches; do not worry about the WAN links.
Results: After this exercise, you should have completed both the A. Datum Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.
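The subnet arithmetic behind the answers above, carried out on the lab's 172.16.16.0/20 block so the subnet mask, host range and next subnet can be checked rather than worked out by hand. This is an added example, not part of the course material; it uses only .NET and PowerShell operators.

```powershell
# Added example (not from the course manual): CIDR arithmetic for the branch
# addressing plan. Addresses are handled as 64-bit integers to avoid the
# 32-bit hex-literal sign quirk in Windows PowerShell.

function ConvertTo-AddressInt {
    param([Parameter(Mandatory)][string]$Address)
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $b          # network byte order: first octet is most significant
    }
    return $n
}

function ConvertFrom-AddressInt {
    param([Parameter(Mandatory)][long]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-SubnetFacts {
    param([Parameter(Mandatory)][string]$Cidr)      # e.g. 172.16.16.0/20
    $addr, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $size = [long]1 -shl (32 - $prefix)             # addresses per subnet (4096 for /20)
    $mask = [long]4294967296 - $size                # 2^32 - size = 255.255.240.0 for /20
    $net  = (ConvertTo-AddressInt $addr) -band $mask

    # Classful and RFC 1918 facts, for the "what class / public or private" questions.
    $o1 = [int]($net -shr 24); $o2 = [int](($net -shr 16) -band 255)
    $class = if ($o1 -lt 128) { 'A' } elseif ($o1 -lt 192) { 'B' } elseif ($o1 -lt 224) { 'C' } else { 'D/E' }
    $private = ($o1 -eq 10) -or ($o1 -eq 172 -and $o2 -ge 16 -and $o2 -le 31) -or
               ($o1 -eq 192 -and $o2 -eq 168)

    [pscustomobject]@{
        SubnetId   = "$(ConvertFrom-AddressInt $net)/$prefix"
        SubnetMask = ConvertFrom-AddressInt $mask
        FirstHost  = ConvertFrom-AddressInt ($net + 1)          # subnet ID + 1
        LastHost   = ConvertFrom-AddressInt ($net + $size - 2)  # next subnet ID - 2
        Broadcast  = ConvertFrom-AddressInt ($net + $size - 1)
        NextSubnet = "$(ConvertFrom-AddressInt ($net + $size))/$prefix"
        UsableHosts = $size - 2
        Class      = $class
        Scope      = if ($private) { 'Private' } else { 'Public' }
    }
}

# Usage: the first branch block from the lab.
Get-SubnetFacts -Cidr '172.16.16.0/20'
# Expected: mask 255.255.240.0, hosts 172.16.16.1 .. 172.16.31.254, next 172.16.32.0/20, class B, private.
```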
2. If it is not already open, open Server Manager by clicking the Server Manager icon on the taskbar,
point to the Tools menu, and then click DHCP.
3. In the DHCP window, expand lon-svr1.adatum.com, click IPv4, right-click IPv4, and then click New
Scope.
5. On the Scope Name page, in the Name box, type Head Office 1.
6. In the Description box, type Client computer addresses, and then click Next.
7. On the IP Address Range page, enter the following information and then click Next.
• Length: 16
11. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then
click Next.
12. On the Domain Name and DNS Servers page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
16. In the console, expand IPv4, expand Scope [172.16.0.0] Head Office 1, and then click Address
Leases.
Answer: None.
2. On the Start page type con. When the Control Panel appears on the left side, click it to open it.
3. Click Network and Internet, click Network and Sharing Center, and then click Change adapter
settings.
4. In the Network Connections window, double-click Ethernet, and then click the Properties button.
5. In the Ethernet Properties dialog box, locate and double-click Internet Protocol Version 4
(TCP/IPv4).
6. Select Obtain an IP address automatically and Obtain DNS server address automatically, and
then click OK.
7. In the Ethernet Properties dialog box, click OK, and then click Close to close the Ethernet Status
dialog box.
Answer: 172.16.0.20.
2. Click the lower-left corner of the virtual machine, open the Start home page, type cmd, and then
press Enter.
3. At the Command Prompt, type the following command, and then press Enter.
ipconfig /all
5. Is DHCP enabled?
Answer: Yes.
6. What is the IP address of the DHCP server?
Answer: 172.16.0.15.
Results: After this exercise, you should have created a DHCP scope and allocated a client address.
2. In DHCP, right-click lon-svr1.adatum.com, point to All Tasks, and then click Stop.
3. Verify that there is now an error shown in the DHCP Management console, stating Cannot find the
DHCP Server.
2. At the Command Prompt, type the following command, and then press Enter.
ipconfig /release
3. At the Command Prompt, type the following command, and then press Enter.
ipconfig /renew
4. This might take several minutes while the client computer tries to contact a DHCP server.
ipconfig
Answer: The computer is using Automatic Private IP Addressing (APIPA) because it failed to obtain an
address from a DHCP server.
9. At the Command Prompt, type the following command, and then press Enter.
ping lon-svr1.adatum.com
2. In DHCP, right-click lon-svr1.adatum.com, point to All Tasks, and then click Start.
ipconfig /renew
Answer: The computer has successfully obtained an IPv4 address from the DHCP.
4. At the Command Prompt, type the following command, and then press Enter.
ping lon-svr1.adatum.com
Results: After this exercise, you should have successfully verified the functionality of the DHCP server in
the head office.
2. In Server Manager, point to the Tools menu, and then click DNS.
3. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
4. What is the current IP address listed against the LON-CL1 Host (A) record in the Adatum.com forward
lookup zone?
Answer: 172.16.0.20
2. On the Start page type con. When the Control Panel appears on the left side, click it to open it.
3. Click Network and Internet, click Network and Sharing Center, and then click Change adapter
settings. In Network Connections, right-click Ethernet, and then click Properties.
4. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
5. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP
address.
6. Use the following information to complete the configuration and then click OK:
• IP address: 172.16.0.16
8. Switch to LON-DC1.
10. What is the current IP address listed against the LON-CL1 Host (A) record?
Answer: 172.16.0.16
ipconfig /?
2. Scroll through the help returned and identify the /displaydns switch
3. Now in the Command Prompt type the below and press Enter.
ipconfig /displaydns
Answer: Answers will vary, but there will be several records for LON-DC1.
5. Switch to 10967A-LON-SVR1
6. Hover the mouse over the bottom left side of the virtual machine and click on the resultant start
menu
10. In the Windows PowerShell console type the following and press Enter.
Get-help *DNS*
11. There are several commands that could get you similar information obtained using ipconfig but type
the following and press Enter.
Get-DNSClientCache
Test-Connection www.adatum.com
15. At the Command Prompt, type the following command, and then press Enter.
ping www.adatum.com
18. In DNS Manager, right-click Adatum.com, and then click New Alias (CNAME).
19. In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box, type
www
20. Enter the following in the Fully qualified domain name (FQDN) for target host box, and then click OK.
lon-dc1.adatum.com
2. At the Command Prompt, type the following command, and then press Enter.
ping www.adatum.com
Note: Depending on your Client cache you may or may not be successful at this point. If
you are not successful continue with the next step, Step 3. If you are successful you can skip
ahead to Step 7.
4. At the Command Prompt, type the following command, and then press Enter.
ipconfig /flushdns
5. At the Command Prompt, type the following command, and then press Enter.
ping www.adatum.com
7. At the Command Prompt, type the following command, and then press Enter.
ipconfig /displaydns
Answer:
www.adatum.com
---------------------------
Record Name . . . . . : www.adatum.com
Record Type . . . . . : 5
Time To Live . . . . . : 3531
Data Length . . . . . . : 8
Section . . . . . . . . . . : Answer
CNAME Record . . : lon-dc1.adatum.com
(Some fields might vary slightly)
Note: Record types are listed by number in IPConfig and 5 corresponds to a CNAME record type.
9. Switch to 10967A-LON-SVR1
10. Type the following to identify the cmdlet you need, and then press Enter.
Help *DNS*
11. Notice the clear-DNSClientcache cmdlet, type the following, and then press Enter.
Clear-DNSClientCache
12. To test the connection, type the following command, and then press Enter.
Test-Connection www.adatum.com
14. To view information on the DNS client cache, type the following command, and then press Enter.
Get-DNSClientCache
Results: After this exercise, you should have successfully verified DNS is functioning correctly and also
added a new DNS CNAME record type for www.Adatum.com
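The "depending on your client cache" problem from the Note above, checked programmatically: compare what the local resolver cache holds for www.adatum.com with what the lab DNS server answers, and flush only when the two disagree. This is an added example, not the course's own lab code; it assumes the DNS Client module cmdlets used in the lab (Get-DnsClientCache, Clear-DnsClientCache) plus Resolve-DnsName, and uses lon-dc1.adatum.com as the server to ask.

```powershell
# Added example (not from the course manual): detect a stale or negative
# cache entry for a name whose CNAME was just created on the server.

function Get-CachedEntries {
    param([Parameter(Mandatory)][string]$Name)
    # ipconfig /displaydns record type 5 is CNAME; Get-DnsClientCache shows it by name.
    @(Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue)
}

function Get-AuthoritativeCname {
    param([Parameter(Mandatory)][string]$Name,
          [string]$Server = 'lon-dc1.adatum.com')   # assumption: the lab DNS server
    # -DnsOnly skips the hosts file and LLMNR/NetBIOS so the answer is the server's.
    Resolve-DnsName -Name $Name -Type CNAME -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
}

function Sync-DnsClientCache {
    param([Parameter(Mandatory)][string]$Name,
          [string]$Server = 'lon-dc1.adatum.com')
    $entries = Get-CachedEntries -Name $Name
    $live    = Get-AuthoritativeCname -Name $Name -Server $Server

    if ($entries.Count -eq 0) {
        return "$Name is not cached; the next lookup will go to the server."
    }

    # A failed ping before the record existed leaves a negative entry (Status is
    # not Success). That entry, not the server, is what makes the retry fail.
    $negative = $entries | Where-Object { $_.Status -ne 'Success' }
    $cname    = $entries | Where-Object { $_.RecordType -eq 'CNAME' } | Select-Object -First 1

    if (-not $negative -and $cname -and $cname.Data -eq $live.NameHost) {
        return "$Name cache is current ($($cname.Data), TTL $($cname.TimeToLive)s)."
    }

    # Stale or negative: flush, exactly as the lab's ipconfig /flushdns step does.
    Clear-DnsClientCache
    $seen = if ($cname) { $cname.Data } else { 'negative entry' }
    return "$Name was stale (cache: $seen, server: $($live.NameHost)); cache flushed."
}

# Usage: run on LON-CL1 or LON-SVR1 right after creating the www alias.
Sync-DnsClientCache -Name 'www.adatum.com'
```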
ipconfig /all
Answer: Yes
Answer: A link-local IPv6 address, as indicated by the address format (leading fe80) and by the label
shown beside the IPv6 address.
4. Switch to 10967A-LON-SVR1
5. To identify the cmdlet you need, type the following, and then press Enter.
Get-help *address*
6. Notice the Get-NetIPAddress cmdlet, then type the following and press Enter.
Get-NetIPAddress
7. Locate the IPv6 in the list of returned addresses and compare it to the address returned in the
10967A-LON-CL1 virtual machine.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After this exercise, you should have determined that the local host has only a link-local IPv6
address.
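A classifier for the addresses Get-NetIPAddress returns, so that the two conditions these labs have you read off ipconfig by eye, an APIPA fallback when the DHCP server is down (the earlier DHCP exercise) and a host with only a link-local IPv6 address (this exercise), are reported directly. This is an added example, not the course's own lab code; the sample addresses and interface names at the end are constructed.

```powershell
# Added example (not from the course manual): label each local address as
# DHCP-assigned, static, APIPA, loopback, or IPv6 link-local/global.

function Get-AddressKind {
    param([Parameter(Mandatory)]$Ip)    # one object from Get-NetIPAddress
    # Link-local IPv6 carries a zone suffix (fe80::1%12); strip it before parsing.
    $a = [System.Net.IPAddress]::Parse($Ip.IPAddress.Split('%')[0])
    if ($a.AddressFamily -eq 'InterNetworkV6') {
        if ($a.IsIPv6LinkLocal) { return 'IPv6 link-local (fe80::/10)' }
        return 'IPv6 global or unique-local'
    }
    $b = $a.GetAddressBytes()
    # 169.254.0.0/16 means the client gave up waiting for a DHCP offer.
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'IPv4 APIPA (169.254.0.0/16): no DHCP lease' }
    if ($b[0] -eq 127) { return 'IPv4 loopback' }
    switch ("$($Ip.PrefixOrigin)") {
        'Dhcp'   { return 'IPv4 from DHCP' }
        'Manual' { return 'IPv4 static' }
        default  { return "IPv4 (prefix origin $($Ip.PrefixOrigin))" }
    }
}

function Get-AddressReport {
    # Defaults to the live host; pass -Addresses to test offline.
    param($Addresses = (Get-NetIPAddress | Where-Object { $_.AddressState -eq 'Preferred' }))
    foreach ($ip in $Addresses) {
        [pscustomobject]@{
            Interface = $ip.InterfaceAlias
            Address   = "$($ip.IPAddress)/$($ip.PrefixLength)"
            Kind      = Get-AddressKind -Ip $ip
        }
    }
}

function Test-LinkLocalOnlyIPv6 {
    # True when the host has IPv6 addresses but none of them is routable,
    # which is the conclusion of this exercise.
    param($Addresses = (Get-NetIPAddress))
    $kinds = @($Addresses | ForEach-Object { Get-AddressKind -Ip $_ } | Where-Object { $_ -like 'IPv6*' })
    return ($kinds.Count -gt 0) -and -not ($kinds | Where-Object { $_ -notlike 'IPv6 link-local*' })
}

# Constructed sample (not captured from a lab machine) mirroring the two labs:
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; IPAddress = 'fe80::1c2d:3e4f:5a6b:7c8d%12'
                       PrefixLength = 64; PrefixOrigin = 'WellKnown'; AddressState = 'Preferred' },
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; IPAddress = '169.254.37.12'
                       PrefixLength = 16; PrefixOrigin = 'WellKnown'; AddressState = 'Preferred' },
    [pscustomobject]@{ InterfaceAlias = 'Ethernet 2'; IPAddress = '172.16.0.20'
                       PrefixLength = 16; PrefixOrigin = 'Dhcp'; AddressState = 'Preferred' }
)
Get-AddressReport -Addresses $sample | Format-Table -AutoSize
Test-LinkLocalOnlyIPv6 -Addresses $sample    # $true: the only IPv6 address is link-local
```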
2. How will you address the requirement that all computers can obtain an IPv4 configuration
automatically even if the link to the head office is down?
Answer: Deploy the Dynamic Host Configuration Protocol (DHCP) server role to each branch and
configure an appropriate scope for the branch.
3. How will you address the requirement that users must be able to access shared files?
4. How will you address the requirement that users must be able to use shared printers?
5. What kind of server best supports the needs of the database application?
7. How will you address the requirement that the computers must obtain updates from a local update
server?
Answer: DHCP Server, DNS Server, File Services, Print and Document Services, Application Server,
Windows Server Update Services.
Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.
2. Click the Windows logo key, type run, and then press Enter
\\LON-DC1\E$
5. Go to the folder …mod06\Labfiles, copy the file Windows6.2-KB2693643-x64.msu to the Desktop, and
then double-click it
7. In the Download and Install Updates license terms window click I Accept
9. The 10967A-LON-CL1 virtual machine will update and restart. This will take approx. 5 minutes
10. After 10967A-LON-CL1 restarts log on with the credentials ADATUM\Administrator and password
Pa$$w0rd
11. Scroll across to the right side of the Start Menu and notice the presence of Administrative Tools and
Server Manager icons. Click on Server Manager
12. In Server Manager within the Dashboard section click on the Create a server group link.
15. In the Search: box, type LON-DC1 and click the search icon. LON-DC1.adatum.com should be returned;
click the arrow to add the server to the selected box on the right side.
16. In the Search: box, type LON-SVR3 and click the search icon. LON-SVR3.adatum.com should be returned;
click the arrow to add the server to the selected box on the right side.
17. Click OK
19. Right click on LON-SVR3 and select Add Roles and Features
22. On the Server selection page click lon-svr3.Adatum.com and click Next
23. On the Server Roles page select DHCP Server and DNS Server and then click Next
24. Click Next through the remaining pages and install but do not close the wizard.
25. On the Installation progress page, wait until the Installation succeeded on lon-svr3.adatum.com
message displays, and then click Close.
26. Click the LON Servers group on the left side
27. Right click on LON-DC1 and select Add Roles and Features
30. On the Server selection page click lon-dc1.Adatum.com and click Next
31. On the Server Roles page select Print and Document Services and click Next
33. Click Next through the remaining pages, click Install, and then close the wizard as soon as the
installation begins.
34. Click the notification Flag icon in Server manager and view the status of the Role installations
35. Click the LON Servers group on the left side again.
36. Click on LON-DC1 press CTRL and click LON-SVR3 then right-click on the highlighted servers.
37. In the resultant menu select Restart Server.
38. In the resultant prompt ensure LON-DC1 and LON-SVR3 are listed and click OK
39. Switch to the LON-DC1 and LON-SVR3 servers and show students that they are restarting as
specified.
Notice that you can have many more servers as members of a server group, and managing them in bulk
can reduce administrative overhead.
2. In Server Manager within the Dashboard section click on the LON Servers group on the left side
3. Right click on LON-DC1 and select Add Roles and Features
7. On the Server Roles page select the following roles and then click Next
• Application Server
9. On the Content Selection page, clear the check box for Store updates in the following location
(choose a valid local path on lon-dc1.adatum.com, or a remote path):, and then click Next.
10. Click Install but do not close the wizard.
2. In the Save As dialog box, in the navigation pane under Libraries, click Documents, in the File
name: box type LON-DC1 DHCP Server Role Install, and then click Save.
4. Point out to students that the install will run in the background with the wizard closed
5. In Server Manager click the Notification Flag icon at the top of the console. Point out to students
that you can view the progress of the installation here and it will also tell you when it is complete.
6. On the taskbar, click File Explorer, double-click Documents, right-click LON-DC1 DHCP Server
Role Install, click Open with, and then click Notepad.
7. Review the XML code in the configuration file. This file contains the configuration settings that were
generated automatically as you ran through the Add Roles and features Wizard. You can now use or
customize this file for automation purposes to install the role on this or multiple servers
8. Close Notepad, and then close File Explorer
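The exported file is meant to be fed back to Install-WindowsFeature. The following is an added example (not part of the 10967A courseware) that does exactly that, first locally and then for several servers. It assumes the wizard saved the file as "LON-DC1 DHCP Server Role Install.xml" in the Administrator's Documents folder and that WinRM remoting to the target servers works.

```powershell
# Added example (not 10967A lab code): feeding the wizard's exported configuration file back to
# Install-WindowsFeature, locally and then for several servers. Assumptions: the file was saved as
# "LON-DC1 DHCP Server Role Install.xml" in the Administrator's Documents folder on LON-DC1, and
# WinRM remoting to the target servers is available.
Import-Module ServerManager

$configFile = Join-Path $env:USERPROFILE 'Documents\LON-DC1 DHCP Server Role Install.xml'
if (-not (Test-Path -Path $configFile)) { throw "Configuration file not found: $configFile" }

# The file records which roles/features the wizard selected; this installs exactly that set here.
$local = Install-WindowsFeature -ConfigurationFilePath $configFile
"{0}: Success={1} RestartNeeded={2}" -f $env:COMPUTERNAME, $local.Success, $local.RestartNeeded

# The same file drives installation on other servers; -ComputerName runs the operation remotely.
$targets = 'lon-svr3.adatum.com', 'lon-svr1.adatum.com'   # assumed target list
foreach ($server in $targets) {
    $result = Install-WindowsFeature -ConfigurationFilePath $configFile -ComputerName $server
    "{0}: Success={1} RestartNeeded={2} Features={3}" -f $server, $result.Success,
        $result.RestartNeeded, ($result.FeatureResult.Name -join ', ')
}

# Afterwards, confirm what each target reports as installed.
foreach ($server in $targets) {
    $installed = Get-WindowsFeature -ComputerName $server |
        Where-Object Installed | Select-Object -ExpandProperty Name
    "{0}: {1} features installed" -f $server, $installed.Count
}
```

Keeping the configuration file under version control gives a reviewable record of which roles a server class is supposed to carry, which is also what you compare against when a server turns up with an unexpected role installed.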
2. In the Server Manager console, click the DNS node on the left.
3. Scroll down to the Events section
• Error
• Warning
• Informational
6. Select Get events that have occurred within the past 3 days, and then click OK.
Task 5: Run the Best Practice Analyzer for the DHCP role
1. On 10967A-LON-CL1 open Server Manager
2. In the Server Manager console, click the DHCP node on the left side.
5. In the Select Servers dialog choose lon-svr3.Adatum.com and click Start Scan
6. The BPA scan runs for approximately a minute, after which Warnings and Errors should display.
7. Scroll through the results and determine what remains to be configured; for example, you should see a
message about authorizing the DHCP server, and another stating that at least one IPv4 scope should be
configured.
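Both checks in this lab (the DNS event filter and the DHCP Best Practices Analyzer scan) are also available from PowerShell, which is how you would schedule them across many servers. The block below is an added example, not part of the courseware; it assumes the RSAT tools are present on LON-CL1 and that the current credentials can query the lab servers remotely.

```powershell
# Added example (not 10967A lab code): the Server Manager Events filter and the BPA scan from
# PowerShell on LON-CL1 (RSAT installed), against the lab servers.
Import-Module BestPractices

# 1. DNS Server events from the last 3 days at Error (2), Warning (3) and Informational (4) level.
$since = (Get-Date).AddDays(-3)
Get-WinEvent -ComputerName 'lon-dc1.adatum.com' -FilterHashtable @{
    LogName   = 'DNS Server'
    Level     = 2, 3, 4
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 2. BPA scan of the DHCP role on LON-SVR3. The model ID is the one the DHCP role registers.
$model  = 'Microsoft/Windows/DHCPServer'
$target = 'lon-svr3.adatum.com'
Invoke-BpaModel -ModelId $model -ComputerName $target | Out-Null

# Only the findings that need action: for a fresh role these are typically "authorize the DHCP
# server in AD DS" and "create at least one IPv4 scope", as the lab describes.
Get-BpaResult -ModelId $model -ComputerName $target |
    Where-Object { $_.Severity -in 'Error', 'Warning' } |
    Select-Object Severity, Category, Title, Resolution |
    Format-List
```

Treating an unauthorized DHCP server as a finding is deliberate: in an AD DS domain, DHCP authorization is the control that stops a rogue DHCP server from handing out leases, so an "unauthorized" result on a server you did not deploy is worth investigating rather than just fixing.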
3. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
Results: After this exercise, you should have deployed all required roles and features.
MCT USE ONLY. STUDENT USE PROHIBITED
L6-6 Fundamentals of a Windows Server Infrastructure
2. In Server Manager, click Manage, and then click Add Roles and Features.
4. Select the Active Directory Domain Services checkbox, click Add Features, and then click Next.
5. Take the default settings for the remaining selections, and then click Install.
6. Wait while the Active Directory® Domain Services (AD DS) role and associated features are installed. It
should take about two minutes.
7. Click Close to close the Add Roles and Features Wizard window
8. After the role is installed, click the Notifications flag, and then click Promote this server to a
domain controller.
9. Verify that you are in the Active Directory Domain Services Configuration Wizard.
10. On the Deployment Configuration page, make the following changes then click Next.
11. On the Domain Controller Options page, make the following changes then click Next.
• Deselect Domain Name Server (DNS) Server
• Password: Pa$$w0rd
12. Accept the default settings for Additional Options, Paths, and Review Options, and then click
Next.
13. Run the Prerequisite Check and make sure that all prerequisites are successful. Warnings are
acceptable.
14. Click Install, and then wait for the installation to complete and the computer to restart. It should take
about two minutes before the server restarts
Results: After this exercise, you will have promoted a new domain controller.
• Password: Pa$$w0rd
• Domain: Adatum
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the Navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.
4. In the Name text box, type A Datum Merger Team, and then click OK.
5. In the Navigation pane, double-click Adatum.com and verify that you have a new OU called A
Datum Merger Team.
6. Close the Active Directory Users and Computers console by clicking the X in the top right corner
Results: After this exercise, you will have created a new organizational unit (OU).
2. In Server Manager click Tools and then select Active Directory Administrative Center
3. Click Adatum (local) and click on A Datum Merger Team, point to New, and then click User.
4. In the Create User: dialog box, in the First name box, type Christian.
8. In the Account expires: section ensure the Never radio button is selected
9. In the password options section click the Other password options radio button and check the
Password never expires checkbox
10. Click OK
11. In the Active Directory Administrative Center in the Windows PowerShell History section at the
bottom of the console click the arrow on the right side to display the Windows PowerShell
commands generated when creating the user
12. Right-click in the Windows PowerShell commands and choose Select All then right-click and select
Copy
13. Open File Explorer, go to the C:\ drive, right-click, select New, and then click Text Document.
14. Open the file, paste in the Windows PowerShell commands, and then save the .txt file.
15. Review the contents of the file to see how the new user was created.
17. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and
then click User.
18. As per earlier steps create a user with the following details
• Password: Pa$$w0rd
20. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and
then click User.
21. As per earlier steps create a user with the following details
• Password: Pa$$w0rd
2. In the Create Group: dialog box, create a group with the following characteristics
3. Click OK.
4. Again in the Active Directory Administrative Center, right-click A Datum Merger Team, point to
New, and then click Group.
5. In the Create Group: dialog box, create a group with the following characteristics
6. Click OK.
3. While pressing the Ctrl key, click Pia Lund and Tony Allen.
4. Release the Ctrl key, right-click Tony Allen, and then click Add to group...
5. In the Select Groups dialog box, in the Enter the object names to select (examples) text box, type
Mergers and Acquisitions.
6. Click Check Names, and then click OK.
7. In Active Directory Administrative Center, under Adatum (local), click A Datum Merger Team, and
then double-click Tony Allen.
8. In the Tony Allen properties dialog box, click the Member Of tab.
9. Click Add, and in the Member of section dialog box, in the Enter the object names to select
(examples) text box, type Merger Team Management.
3. In the Move dialog box, select A Datum Merger Team, and then click OK.
4. In Active Directory Administrative Center click A Datum Merger Team and notice the presence of
the LON-CL1 computer
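The Windows PowerShell History pane that the lab has you copy shows the Active Directory module cmdlets ADAC runs behind the dialogs. The block below is an added example (not the lab's own script or the exact history ADAC generates) that performs the same OU, user, group and computer-move steps directly. It assumes the SamAccountNames "Pia" and "Tony" and the UPN suffix adatum.com; the lab gives only the display names.

```powershell
# Added example (not 10967A lab code): the Lab 7 objects created with the ActiveDirectory module.
# Assumptions: SamAccountNames Pia/Tony and the adatum.com UPN suffix (the lab shows only display names).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # DC=Adatum,DC=com
$ouName   = 'A Datum Merger Team'
$ouDN     = "OU=$ouName,$domainDN"

# Organizational unit, protected from accidental deletion as ADAC does by default.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Users. Pa$$w0rd is the course's fixed lab password; outside a lab, prompt for it
# (Read-Host -AsSecureString) instead of embedding it in a script.
$password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$users = @(
    @{ First = 'Pia';  Last = 'Lund';  Sam = 'Pia'  }
    @{ First = 'Tony'; Last = 'Allen'; Sam = 'Tony' }
)
foreach ($u in $users) {
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@adatum.com" -Path $ouDN `
        -AccountPassword $password -Enabled $true
}

# Global security groups and the memberships from the lab.
foreach ($g in 'Mergers and Acquisitions', 'Merger Team Management') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDN
}
Add-ADGroupMember -Identity 'Mergers and Acquisitions' -Members 'Pia', 'Tony'
Add-ADGroupMember -Identity 'Merger Team Management'   -Members 'Tony'

# Move the workstation account into the OU and confirm where it now lives.
Get-ADComputer -Identity 'LON-CL1' | Move-ADObject -TargetPath $ouDN
Get-ADComputer -Identity 'LON-CL1' | Select-Object Name, DistinguishedName
```

The value of the history pane is that every GUI change is expressed as a reproducible command, which makes it straightforward to review what an administrator actually changed, or to replay the same build in a test domain.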
2. Locate and right-click A Datum Merger Team, and then click Delegate Control…
3. In the Delegation of Control Wizard, on the Welcome to the Delegation of Control Wizard page,
click Next.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
(examples): box, type Merger Team Management, click Check Names, and then click OK.
6. On the Users or Groups page, click Next.
7. On the Tasks to Delegate page, select the Reset user passwords and force password change at
next logon checkbox, and then click Next.
8. Click Finish.
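The wizard does not show afterwards what it granted, and delegated password-reset rights are exactly the kind of permission that should be reviewed periodically. The block below is an added example (not courseware code) that reads the OU's ACL and lists the two ACEs the "Reset user passwords and force password change at next logon" task creates: the Reset Password extended right and write access to the pwdLastSet attribute. It resolves the GUIDs from the directory rather than hard-coding them; the OU path is the lab's.

```powershell
# Added example (not 10967A lab code): audit what the Delegation of Control Wizard granted on the OU.
# The "Reset user passwords and force password change at next logon" task becomes two ACEs on user
# objects: the Reset Password extended right and write access to the pwdLastSet attribute.
Import-Module ActiveDirectory

$ouDN   = "OU=A Datum Merger Team,$((Get-ADDomain).DistinguishedName)"
$config = (Get-ADRootDSE).ConfigurationNamingContext
$schema = (Get-ADRootDSE).SchemaNamingContext

# Resolve the object-type GUIDs from the directory instead of hard-coding them.
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $schema `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schema `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object {
        -not $_.IsInherited -and
        ($_.ObjectType -eq $resetPwdGuid -or $_.ObjectType -eq $pwdLastSetGuid)
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'Right'; e = {
            if ($_.ObjectType -eq $resetPwdGuid) { 'Reset Password' } else { 'Write pwdLastSet' } } },
        @{ n = 'AppliesTo'; e = {
            if ($_.InheritedObjectType -eq $userClassGuid) { 'user objects' } else { $_.InheritedObjectType } } } |
    Format-Table -AutoSize
```

Expected after the lab: two Allow entries for ADATUM\Merger Team Management scoped to user objects. Any other principal appearing here, or an entry not scoped to user objects, is a finding to follow up.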
Results: After this exercise, you will have created the necessary user accounts and groups, and moved the
users’ computer accounts into the OU.
2. In Server Manager, point to Tools, and then click Group Policy Management.
4. In the Navigation pane, right-click Group Policy Objects, and then click New.
5. In the New GPO dialog box, in the Name box, type A Datum Merger Team GPO, and then click OK.
6. Expand Group Policy Objects, right-click A Datum Merger Team GPO, and then click Edit.
7. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then click Scripts (Logon/Logoff).
12. Highlight the whole file name, including the file name extension, and type logon.vbs. Then press
Enter.
13. If you are prompted, in the Rename dialog box, click Yes.
2. In the Select GPO dialog box, in the Group Policy objects list, click A Datum Merger Team GPO,
and then click OK.
• Password: Pa$$w0rd
• Domain: Adatum
3. Make sure that the logon script runs.
Note: By default, the Start screen may display after logon; you may have to select Desktop to
be able to see the logon script run.
Results: After this exercise, you will have created a Group Policy Object (GPO) and linked it to the A
Datum Merger Team OU.
2. Read the A. Datum Network Security Policy – Laptops document to determine if you must enforce
any changes at the branch based on corporate policies.
2. What security policies apply to the branch office laptops as defined in the A. Datum Network Security
Policy – Laptops document?
Answer: All the policies apply.
3. What security concerns do you have about the branch offices?
Answer: If users can take their laptops home, this raises several security issues. First, the users are
connecting to unmanaged networks (at home or possibly elsewhere) and then reconnecting to the
corporate network. Second, the laptops are at risk of being lost or stolen.
Where branches have no dedicated room for servers, the servers are at risk of being physically damaged
and possibly stolen.
External contract staff might intentionally or unintentionally introduce malicious code into the corporate
network through the research department branch networks.
Use of removable storage devices by users might result in data compromise. Users might introduce,
unintentionally or otherwise, malicious code that might damage data.
4. How would you address the concerns you might have about laptop use?
Answer: By implementing Network Access Protection (NAP), users can move their computers between
various networks while maintaining the health integrity of the corporate network. Specifically, NAP
isolates computers that do not meet health criteria.
Implement Encrypting File System (EFS) and Windows® BitLocker® Drive Encryption on laptop; in the
event the laptops are lost or stolen, the data on them would not be compromised.
5. How would you address the concerns you might have about the lack of dedicated server rooms?
Answer: Put the servers in a location that is least likely to result in their accidental damage.
If theft is a possibility, first make sure that the servers are physically secure. Then implement BitLocker
Drive Encryption on all servers.
Additionally, where domain controllers are placed in branches, if they are not physically secured and the
branches contain servers that can work with read-only domain controllers (RODCs ), such as Microsoft®
Exchange Server, implement RODC.
6. How would you address the concerns you might have about contractor computer use?
Answer: Implement NAP to make sure that only computers that meet the network health requirements
can connect.
Use access control to make sure that visitors can only access files and folders that they have been granted
permissions on; make sure that you assign permissions sparingly.
7. How would you address the concerns you might have about removable storage devices?
Answer: Use a Group Policy Object (GPO) to restrict the kinds of device that users can use. If you can,
block all use of external universal serial bus (USB) storage devices.
8. Complete the following resolution section with a summary of your proposals.
Answers:
• Enable and configure BitLocker and EFS on portable computers.
• Implement NAP.
Results: After this exercise, you should have completed the incident record.
3. Right-click beside the tabs at the top of the Internet Explorer window, select the Menu bar, click
Tools, and then click Internet Options.
Answer: Medium-low.
2. Select the Enable Protected Mode (requires restarting Internet Explorer) check box, and then
click OK.
2. Right-click beside the tabs at the top of the Internet Explorer window and select Status bar
Answer: Internet.
Answer: Off
10. If you receive a warning message prompting you to add the web site to your trusted zones click
Close.
11. Read the Information Bar at the bottom of the screen. What is the problem?
Answer: No.
14. What is the default search provider?
Answer: Bing
15. Click on Bing and examine the options that are available.
3. In the Select a zone to view or change security settings list, click Trusted sites.
Answer: Medium.
5. Click Sites.
6. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this
zone check box, click Add, and then click Close.
Answer: Yes.
Answer: Yes.
8. Open Internet Explorer, click Tools, and then select ActiveX Filtering.
9. Go to www.microsoft.com
10. Notice a blue circle with a line through the middle now present in the address bar. Click on this icon.
11. A message appears stating that some content is filtered on this site and you have the option to Turn
off ActiveX Filtering.
13. Click on the blue circular icon in the address bar again and notice the message now states No
content is filtered on this site.
14. Click Tools, then click Manage Add-ons, examine the various Add-on Types, and then click Close
2. Notice the presence of a lock icon now appearing in the address bar
4. A website identification dialog appears. It contains information about the identity of the website and,
if the site has a certificate, who (if anyone) has identified the site. You can also view the certificate.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
Results: After this exercise, you should have modified Internet Explorer security settings.
2. Open Server Manager, navigate to Tools, and then select Active Directory Administrative Center.
3. Right click Adatum (local), select New, and then select Group
4. In the Create Group: dialog enter Research Shadow Group and ensure the
• Group type: = Security
5. Click OK
7. Select all the members within the Research group by clicking the first name in the list, holding the
Shift key, then scrolling down and clicking the last name in the list.
8. Ensure all the members are highlighted then select Add to Group
9. In the Select Groups in the Enter the object names to select (examples): section type Research, and
then click Check Names
10. In the Multiple Names Found dialog select Research Shadow Group and click OK twice.
12. Open the Research Shadow Group and view the Members to ensure all members have been added
successfully.
Task 2: Create a fine-grained password policy and apply it to the Research group
1. Ensure you are logged on to 10967A-LON-DC1 with username ADATUM\Administrator and
password Pa$$w0rd
2. Open Server Manager, go to Tools, and then select Active Directory Administrative Center.
3. Click Adatum (local), double-click on System, and then double-click the Password Settings
Container
4. In the Password Settings container area, right-click, select New, and then click Password Settings.
• Precedence: 1
6. In the Directly Applies To section, click Add. In the Select Users or Groups dialog, in the Enter
the object names to select (examples): section, type Research, and then click Check Names. Research
Shadow Group should appear; click OK.
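The same policy can be created and, more usefully, verified with the ActiveDirectory module. The block below is an added example, not courseware code: it creates the PSO with the lab's precedence of 1 and 10-character minimum, applies it to Research Shadow Group, and then shows which policy actually governs a member versus Franz, which is the check the lab performs by logging on as each user. The PSO name and all settings the lab does not state are assumptions.

```powershell
# Added example (not 10967A lab code): Task 2's fine-grained password policy via the ActiveDirectory
# module, plus the resultant-policy check the lab performs by logging on as different users.
# The PSO name and every setting other than the lab's (precedence 1, 10-character minimum, applied
# to Research Shadow Group) are assumptions.
Import-Module ActiveDirectory

$psoName = 'Research PSO'

New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
    -MinPasswordLength 10 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false

# PSOs can be applied only to user objects and global security groups; a shadow group that mirrors
# another group's membership is the usual way to target a group of a different scope.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Research Shadow Group'

# Resultant policy: a shadow-group member gets the PSO; Franz (not a member) falls back to the
# domain default, which is why his 9-character password is accepted in the lab.
$member = Get-ADGroupMember -Identity 'Research Shadow Group' |
    Select-Object -First 1 -ExpandProperty SamAccountName
foreach ($user in $member, 'Franz') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        "{0}: {1} (MinPasswordLength={2})" -f $user, $pso.Name, $pso.MinPasswordLength
    } else {
        $default = Get-ADDefaultDomainPasswordPolicy
        "{0}: domain default (MinPasswordLength={1})" -f $user, $default.MinPasswordLength
    }
}
```

Get-ADUserResultantPasswordPolicy is the authoritative check: when several PSOs could apply, the lowest precedence value wins, and a user with no applicable PSO is governed by the Default Domain Policy, so always test a sample user from each population rather than trusting the PSO's subject list alone.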
2. When logged in send a Ctrl+Alt+Del to the virtual machine to get the option to change password
You receive a message saying “Unable to update the password/The value provided for the new password
does not meet the length, complexity, or history requirements of the domain”.
Again you receive a message saying “Unable to update the password/The value provided for the new
password does not meet the length, complexity, or history requirements of the domain”.
7. Now attempt to set another, more complex new password: Pa$$w0rd012
The password is accepted because it is longer than the 10-character minimum you specified in the
fine-grained password policy and meets the complexity requirements.
8. Now log into 10967A-LON-CL1 with user name ADATUM\Franz and password Pa$$w0rd
9. When logged in send a Ctrl+Alt+Del to the virtual machine to get the option to change password
You are successful and the password is changed. It meets the complexity requirements, and because Franz
is not a member of the Research group he is not required to have a minimum password length of 10
characters, so the 9 characters he entered are sufficient.
Results: After this exercise, you should have configured Password and Account Lockout settings in
Account Policies.
2. Click Computer, double-click Local Disk (C:), and then on the top toolbar, click New folder icon.
3. Type Research in the folder name box, and then press Enter.
8. Type Projects in the folder name box, and then press Enter.
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1. Click the Back button. Then right-click the Research folder, and click Properties.
2. In the Research Properties dialog box, click the Security tab, and then click Advanced.
4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions
on this object.
5. Click OK, to close the Advanced Security Settings for Research window.
6. In the Research Properties dialog box, on the Security tab, click Edit.
10. In the Multiple Names Found dialog select Research and then click OK and click OK again.
12. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and
then click OK.
14. Double-click the Research folder, right-click the Classified folder, and then click Properties.
15. In the Classified Properties dialog box, on the Security tab, click Advanced.
16. In the Advanced Security Settings for Classified dialog box, click the Disable inheritance button.
17. In the Block Inheritance dialog box, select Convert inherited permissions into explicit
permissions for this object.
Note: Clicking the Remove All Inherited Permissions From This Object selection removes all
NTFS permissions for the folder, including your permissions as administrator. This prohibits you
from making any changes to the folder, including assigning permissions.
18. In the Advanced Security Settings for Classified dialog box, click OK.
19. In the Classified Properties dialog box, on the Security tab, click Edit.
20. In the Permissions for Classified dialog box, in the Group or user names box, click Research
(ADATUM\Research), and then click the Remove button.
23. In the Group or user names box, click Allie Bellew (ADATUM\Allie).
24. In the Permissions for Allie Bellew section, next to Full Control, select the Allow check box, and
then click OK.
Task 3: Share the C:\Research folder on the network and set appropriate shared
folder permissions
1. Click the Back button. Then right-click the Research folder, and click Properties.
2. In the Research Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
3. Click the Share this folder check box, leave the Share name as Research, and then click the
Permissions button.
4. In the Permissions for Research dialog box, in the Group or user names box, click Everyone, and
then click the Remove button.
5. In the Permissions for Research dialog box, click Add.
6. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box,
type Adatum\Research, click Check Names
7. In the Multiple Names Found dialog select Research and then click OK and click OK again.
9. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and
then click OK.
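Tasks 2 and 3 can be expressed with Get-Acl/Set-Acl and the SmbShare module, which also makes the inheritance choice the lab warns about explicit in code. The block below is an added example, not courseware code; the paths and principals (ADATUM\Research, ADATUM\Allie) are the lab's, while the helper function and its name are this example's own.

```powershell
# Added example (not 10967A lab code): Tasks 2 and 3 of this exercise via Get-Acl/Set-Acl and the
# SmbShare module. Paths and principals (ADATUM\Research, ADATUM\Allie) come from the lab;
# the helper function and its name are this example's own.
Import-Module SmbShare

$research   = 'C:\Research'
$classified = Join-Path $research 'Classified'
$projects   = Join-Path $research 'Projects'
New-Item -ItemType Directory -Path $research, $classified, $projects -Force | Out-Null

function Set-ExplicitFolderAcl {
    param(
        [string]   $Path,
        [string[]] $RemoveIdentity = @(),   # principals whose ACEs are dropped after conversion
        [hashtable]$Grant = @{}            # principal -> FileSystemRights to add (Allow, inherited downward)
    )
    # "Disable inheritance" + "Convert inherited permissions into explicit permissions".
    # SetAccessRuleProtection($true, $true) keeps copies of the inherited ACEs; ($true, $false) is the
    # "Remove all inherited permissions" option the lab warns about, which strips even Administrators.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read so the converted ACEs are explicit; inherited ACEs cannot be removed in place.
    $acl = Get-Acl -Path $Path
    foreach ($id in $RemoveIdentity) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id)
    }
    foreach ($id in $Grant.Keys) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, $Grant[$id], 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# C:\Research: explicit ACL, Research group gets Full Control.
Set-ExplicitFolderAcl -Path $research -Grant @{ 'ADATUM\Research' = 'FullControl' }

# C:\Research\Classified: explicit ACL, Research group removed, only Allie gets Full Control.
Set-ExplicitFolderAcl -Path $classified -RemoveIdentity 'ADATUM\Research' `
    -Grant @{ 'ADATUM\Allie' = 'FullControl' }

# Share the folder. -FullAccess sets the share ACL to the listed principals only, so the default
# Everyone entry that the lab removes by hand never appears.
New-SmbShare -Name 'Research' -Path $research -FullAccess 'ADATUM\Research' | Out-Null

# Verify both layers: NTFS permissions on Classified and the share permissions.
(Get-Acl -Path $classified).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
Get-SmbShareAccess -Name 'Research'
```

Effective access over the network is the intersection of the share ACL and the NTFS ACL, which is why Bill (in Manager, not Research) is stopped at the share and a Research member who is not Allie is stopped at the Classified folder's NTFS ACL.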
Note: ADATUM\Bill is a member of the Manager group. He is not a member of the Research group.
2. Hover the mouse over the lower left corner and, when the Start menu appears, right-click and then
click Run.
Answer: No. The Classified folder is restricted to only allow Allie Bellew access.
Answer: Yes.
Answer: Yes.
Results: After this exercise, you should have secured NTFS and shared folders.
2. On the desktop, click File Explorer on the bottom toolbar, click Computer, and then double-click
Local Disk (C:).
7. In the left column, double-click Local Disk (C:), and then click the Research folder.
8. In the right column, right-click the Classified folder, and then click Properties.
9. In the Classified Properties dialog box, on the General tab click the Advanced button.
10. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and
then click OK.
12. In the Confirm Attribute Changes message box, ensure that Apply changes to this folder,
subfolders and files is selected, and then click OK.
Note: If you receive an error saying that a file cannot be accessed, you can click Ignore and continue.
13. Ensure the Personal.txt filename now displays in Green text. This indicates it has been encrypted.
14. Verify you can double-click the Personal.txt file and view the contents successfully.
4. In the right pane, double-click the Classified folder, click Continue, and then type the Administrator
Pa$$w0rd in the User Account Control dialog box.
5. In the right pane, notice that the file is green, double-click Personal, and confirm that a message box
appears that informs you that Access is denied. Then click OK.
6. Close Notepad.
2. On the desktop, click the File Explorer icon, click Computer, and then double-click Local Disk (C:).
4. In the right pane, right-click the Classified folder, and then click Properties.
6. In the Advanced Attributes dialog box, clear the Encrypt contents to secure data check box, and
then click OK.
8. In the Confirm Attribute Changes message box, ensure that Apply changes to this folder,
subfolders and files is selected, and then click OK.
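The same encrypt, verify and decrypt steps from the command line, as an added example that is not courseware code. It uses cipher.exe, which ships with Windows, and the lab's folder and file names; the green filename File Explorer shows is simply the Encrypted attribute that the script reads back.

```powershell
# Added example (not 10967A lab code): the EFS steps of this exercise with cipher.exe and a check of
# the Encrypted attribute. Paths and file names are the lab's.
$classified = 'C:\Research\Classified'

# Encrypt the folder and everything below it (/e = encrypt, /s = apply to the given directory tree).
cipher.exe /e /s:$classified

# What File Explorer renders in green is this attribute bit on each item.
Get-ChildItem -Path $classified -Recurse |
    Select-Object FullName,
        @{ n = 'Encrypted'; e = { [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } }

# Who can open the file: /c lists the user certificates (and any data recovery agent) for the file.
# Only the listed keys can decrypt it, which is why the lab's second user sees "Access is denied";
# without a recovery agent, losing the encrypting user's key also loses the data.
cipher.exe /c (Join-Path $classified 'Personal.txt')

# The lab's clean-up step: decrypt the tree again.
cipher.exe /d /s:$classified
```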
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After this exercise, you should have encrypted and decrypted files and folders by using
Encrypting File System (EFS).
2. Open Internet Explorer, click the Tools (gear) icon in the top right corner, and then select Internet
Options.
3. In the Internet Options dialog on the General tab go to Browsing History section then click on
Settings
4. Go to the Caches and databases tab and uncheck the Allow website caches and databases
checkbox, then click OK
5. On the General tab in Internet Options, check the Delete browsing history on exit checkbox and
then click on the Delete… button.
6. Check all checkboxes in the Delete Browsing History dialog and click Delete
Notice the presence of the “Internet Explorer has finished deleting the selected browsing history” message
in Internet Explorer window
9. Open Internet Explorer again and in the address bar type http://LON-DC1/Intranet
Task 2: Configure a new firewall rule to block access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name
ADATUM\Administrator and password Pa$$w0rd
2. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
3. In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
5. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined:
6. In the drop down box select World Wide Web Services (HTTP) and then click Next.
7. On the Predefined Rules page, in the Rules: section, check the World Wide Web Services (HTTP
Traffic-In) checkbox, scroll across the rule to review the settings that are configured, and then click
Next.
8. On the Action page click Block the connection and click Finish.
9. In the Windows Firewall with Advanced security management console in the Inbound Rules pane
click on the Name column to sort the rules by name then locate the Inbound rule you just
configured. It should have a red circle with a line through it.
10. Double click on the rule and verify the settings in the tabs represent what you configured. Click OK
once you are finished.
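The block rule, a connectivity test from the client, and the later change back to Allow can all be done with the NetSecurity module. The following is an added example, not courseware code: its rule display name is its own (the lab uses the predefined "World Wide Web Services (HTTP Traffic-In)" rule), and the port test is a small helper that works on any PowerShell version.

```powershell
# Added example (not 10967A lab code): the blocking rule of Task 2, a connectivity check, and the
# Task 4 change back, using the NetSecurity module. The rule display name is this example's own.
Import-Module NetSecurity

$ruleName = 'Lab - Block HTTP Inbound'

# On LON-DC1: block inbound TCP 80 on every profile.
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 80 `
    -Action Block -Profile Any -Enabled True | Out-Null

# Verify what was created: the rule and its port filter (what the console shows on the tabs).
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Connectivity check; a blocked port simply times out, so wait only a few seconds.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false }
    finally { $client.Close() }
}
# Run from LON-CL1: expected False while the block rule is in place, True after Task 4.
"HTTP reachable: {0}" -f (Test-TcpPort -ComputerName 'LON-DC1' -Port 80)

# Task 4 equivalent: change the action rather than deleting the rule.
Set-NetFirewallRule -DisplayName $ruleName -Action Allow
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Action
```

Changing a rule's action instead of deleting and recreating it keeps the rule's name and history stable, which matters when firewall changes are reviewed against a baseline export (Get-NetFirewallRule piped to Export-Clixml, for instance).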
Answer: No, you are unable to connect to the URL and view the company Intranet site. You receive a
message stating “This page can’t be displayed”
4. Close Internet Explorer.
2. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
3. In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
4. Locate the World Wide Web Services (HTTP Traffic-In) rule that you configured earlier, right-click
it, and then select Properties.
5. On the General tab, in the Action section, click Allow the connection, and then click OK.
Notice that the icon now changes to a green circle with a white check mark in the middle.
Answer: Yes, you are able to connect to the URL as was originally the case
Results: After this exercise, you should have created and tested an inbound firewall rule to control access
to the world wide web service.
2. In Server Manager go to Tools then select Windows Firewall with Advanced Security
4. In the New Inbound Rule Wizard dialog box, click Custom, and then click Next.
8. On the Action page, click Allow the connection if it is secure, and then click Next.
9. On the Users page, click Next.
12. On the Name page, in the Name box, type ICMPv4 allowed and then click Finish
5. On the Requirements page, click Request authentication for inbound and outbound
connections and then click Next.
6. On the Authentication Method page, click Advanced, and then click Customize.
7. In the Customize Advanced Authentication Methods dialog box, under First authentication, click
Add.
8. In the Add First Authentication Method dialog box, click Preshared Key, type secret and then click
OK.
12. On the Name page, in the Name box, type A Datum-Server-to-Server and click Finish.
2. In Server Manager go to Tools then select Windows Firewall with Advanced Security
4. In the New Connection Security Rule Wizard, click Server-to-Server and then click Next.
6. On the Requirements page, click Require authentication for inbound and outbound connections
and then click Next.
7. On the Authentication Method page, click Advanced, and then click Customize.
8. In the Customize Advanced Authentication Methods dialog box, under First authentication, click
Add.
9. In the Add First Authentication Method dialog box, click Preshared Key, type secret and then click
OK.
10. In the Customize Advanced Authentication Methods dialog box, click OK.
13. On the Name page, in the Name box, type A Datum-Server-to-Server and click Finish.
5. Expand Monitoring, expand Security Associations, and then click Main Mode.
6. In the right-pane, double-click the listed item.
10. View the information in Quick Mode, and then click OK.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After completing this exercise, you will have created a server-to-server connection security rule
and validated that the communication between the two servers is secured.
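The connection security rule and the Monitoring check have direct equivalents in the NetSecurity module. The block below is an added example, not courseware code: "secret" is the lab's pre-shared key (a lab convenience; production deployments use certificate or Kerberos computer authentication), and the authentication set's display name is this example's own. Run it on each of the two servers; it picks Request or Require from the computer name, matching Task 1 on LON-CL1 and Task 2 on LON-DC1.

```powershell
# Added example (not 10967A lab code): the connection security rule of this exercise via the
# NetSecurity module, then the Monitoring check. "secret" is the lab's pre-shared key; the
# authentication set's display name is this example's own.
Import-Module NetSecurity

# Main-mode (phase 1) authentication: computer authentication with a pre-shared key.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'secret'
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'A Datum PSK (lab)' -Proposal $proposal

# LON-CL1 "requests" authentication (Task 1); LON-DC1 "requires" it (Task 2).
$security = if ($env:COMPUTERNAME -eq 'LON-DC1') { 'Require' } else { 'Request' }

New-NetIPsecRule -DisplayName 'A Datum-Server-to-Server' -Mode Transport `
    -LocalAddress Any -RemoteAddress Any `
    -InboundSecurity $security -OutboundSecurity $security `
    -Phase1AuthSet $authSet.Name | Out-Null

# Inspect the rule as the console shows it.
Get-NetIPsecRule -DisplayName 'A Datum-Server-to-Server' |
    Select-Object DisplayName, Mode, InboundSecurity, OutboundSecurity, Phase1AuthSet

# After traffic between the peers (the lab's ping), the negotiated SAs appear here, matching
# Monitoring > Security Associations > Main Mode and Quick Mode in the console.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

An empty Quick Mode list after traffic has flowed means the peers never negotiated, which with Request on one side silently falls back to clear text; that is the case the lab's "Require" setting on LON-DC1 is there to catch.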
2. On LON-DC1, in Server Manager, click Tools, and then select Group Policy Management.
3. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy
Objects, and then click New.
4. Name the new GPO SQLSysClrTypes Restriction Policy, and then click OK.
Task 2: Create Windows Installer rule to block the installation of the .msi file
1. In the Group Policy Management Console, expand Group Policy Objects, right-click the Group
Policy Object SQLSysClrTypes Restriction Policy, and then click Edit.
2. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Application Control Policies, and then
double-click AppLocker.
3. Click Windows Installer Rules, right-click Windows Installer, and then select Create New Rule.
5. On the Permissions page, select Deny. Notice that the rule could be restricted to a specific user or group.
Click Next.
7. Click Browse, navigate to E:\Mod11\LabFiles\SQLSysClrTypes.msi, and then click Open.
8. Notice the text explaining the slider usage at the top of the page, and then click Next.
2. Under Windows Installer Rules, select the Configured check box, click Audit Only, and then click
OK.
Note: Before you can enforce AppLocker policies, you must start the Application Identity
service.
1. In the Group Policy Management Editor, expand Computer Configuration, expand Windows
Settings, expand Security Settings, click System Services, and then double-click Application
Identity.
2. In the Application Identity Properties dialog box, select the Define this policy setting check box.
3. Select Automatic under Select service startup mode, and then click OK.
4. Open a Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy
to be updated.
Note: Alternatively, you can open a Windows PowerShell console, import the GroupPolicy
module by running the command Import-Module GroupPolicy, and then run the cmdlet
Invoke-GPUpdate.
6. Open a Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy
to be updated.
Task 6: Run the Windows Installer and verify the audited result in Event Viewer
1. Hover the mouse over the lower left corner of the desktop and, when the Start menu appears, right-click
and then click Run.
3. In the Windows Security dialog box sign in to the ADATUM domain as Administrator with password
Pa$$w0rd, and then click OK.
4. Go to \\LON-DC1\E$\Mod11\Labfiles\
7. Open Control Panel, select System and Security, then Administrative Tools, and then double-click
Event Viewer.
9. What is the Event ID for audited blocked installations of Windows Installer files?
Note: Notice the presence of the 8006 Event IDs and the descriptive text saying
“…SQLSYSSLRTypes.msi was allowed to run but would have been prevented from running if the
AppLocker policy were enforced.”
10. Note: Also, if the event does not appear in Event Viewer, restart the Application Identity service on
10967A-LON-DC1 and try again.
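The service check, the effective-policy view and the event search of Tasks 4 to 6 can be scripted on the client, which is how an audit-only rollout is normally monitored before switching to Enforce rules. The block below is an added example, not courseware code; the file path and user are the lab's, and the log name and event IDs (8006 for "would have been blocked" in Audit only, 8007 for "blocked" under Enforce rules) are AppLocker's own.

```powershell
# Added example (not 10967A lab code): checking the AppLocker side of Tasks 4-6 from PowerShell on
# the client. The file path and user are the lab's; the log name and event IDs are AppLocker's own.
Import-Module AppLocker

# The Application Identity service must be running for AppLocker to evaluate or audit anything.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc | Select-Object Name, Status

# What policy is in effect after gpupdate, including the Windows Installer collection's mode.
Get-AppLockerPolicy -Effective -Xml

# Would this package be allowed for Allie under the effective policy? Audit only does not block,
# but Test-AppLockerPolicy reports the decision enforcement would make.
$msi = '\\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi'
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $msi -User 'ADATUM\Allie'

# Audit trail: 8006 = would have been blocked (Audit only); 8007 = blocked (Enforce rules).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8006, 8007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } }
```

Collecting 8006 events centrally during the audit phase tells you which packages users actually run that the rules would stop, so the move to Enforce rules (Task 7) does not break legitimate software; after enforcement, 8007 events are the signal that something tried to install against policy.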
2. In Server Manager, click Tools, and then select Group Policy Management
3. In the Group Policy Management Console, expand Domains then Adatum.com and underneath
Adatum.com right-click the SQLSysClrTypes Restriction Policy, and then click Edit.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Application Control Policies, and then
double-click AppLocker
6. Under Windows Installer Rules, ensure the Configured checkbox is still selected, select Enforce
Rules from the drop down box, and then click OK.
7. Open a Command Prompt window, type gpupdate /force, and then press Enter.
Task 8: Run the Windows Installer file and verify the application is blocked
1. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if necessary, and sign in as
ADATUM\Allie with a password of Pa$$w0rd.
2. Open a Command Prompt window, type gpupdate /force, then press Enter and wait for the policy
to be updated.
3. Hover the mouse over the lower left corner of the desktop and, when the Start menu displays, right-click
and then click Run.
4. In the Run dialog type \\LON-DC1\E$ and press OK
5. Go to \\LON-DC1\E$\Mod11\Labfiles\
6. Right-click SQLSysClrTypes.msi, select Uninstall, and remove the software that was installed as
part of the earlier task.
8. Notice the Windows Installer message, “The system administrator has set policies to prevent this
installation.” Click OK.
Results: After this exercise, you will have created an AppLocker rule to block the installation of a particular
Windows Installer package. You will have tested the rule before implementing the AppLocker rule in your
production environment, and you will have applied that AppLocker rule using Group Policy across the
Adatum domain.
L11-4 Fundamentals of a Windows Server Infrastructure
2. In Server Manager, click Tools, and then click the Security Configuration Wizard.
4. On the Configuration Action page, select Create a new security policy, and then click Next.
5. On the Select Server page, accept the default server name, LON-DC1, and then click Next.
6. On the Processing Security Configuration Database page, you can click View Configuration
Database and explore the configuration that was discovered on LON-DC1.
If you receive a Windows Security Warning regarding an ActiveX control, click Yes to allow the
interaction.
7. Click Next.
9. On the Select Server Roles page, you can explore the settings that were discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
10. On the Select Client Features page, you can explore the settings that were discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
11. On the Select Administration and Other Options page, you can explore the settings that were
discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
12. On the Select Additional Services page, you can explore the settings that were discovered on
10967A-LON-DC1, but do not change any settings. Click Next.
13. On the Handling Unspecified Services page, do not change the default setting: Do not change the
startup mode of the service. Click Next.
14. On the Confirm Service Changes page, in the View list, select All services.
15. Examine the settings in the Current Startup Mode column, which reflect service startup modes on
10967A-LON-DC1, and compare them to the settings specified in the Policy Startup Mode column.
19. On the Network Security Rules page, you can examine the firewall rules derived from the
configuration of 10967A-LON-DC1. Do not change any settings. Click Next.
21. On each page of the Registry Settings section, examine the settings, but do not change any of them,
then click Next.
22. Continue to click Next on each page until the Registry Settings Summary page appears, examine the
settings, and then click Next.
24. On the System Audit Policy page, examine but do not change the settings. Click Next.
25. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy
Setting columns. Click Next.
26. On the Save Security Policy section introduction page, click Next.
27. In the Security Policy File Name text box, click Browse and navigate to C:\Labfiles, click New
Folder, name the folder SCW, double-click the SCW folder, type DC Security Policy in the File name
box, and then click Save.
Ensure that the Security policy file name box now lists C:\Labfiles\SCW\DC Security Policy.
29. If you are prompted to confirm the use of ActiveX® control, click Yes.
30. Close the window after you have examined the policy.
32. On the Apply Security Policy page, accept the Apply later default setting, and then click Next.
2. Open the Start screen and type cmd. When the Command Prompt icon appears, right-click it and
choose Run as administrator.
3. Change to the directory where your new security policy is located.
cd C:\LabFiles\SCW\
scwcmd /?
scwcmd transform /?
7. Verify that the command completed successfully, and then close the Command Prompt window.
8. In Server Manager, click Tools, and then click Group Policy Management.
9. In the console tree, expand Forest:Adatum.com, Domains, Adatum.com, and Group Policy
Objects, and then click DC Security Policy. This is the GPO created by the Scwcmd.exe command.
10. Click the Settings tab to examine the settings of the GPO.
Results: After this exercise, you will have used the Security Configuration Wizard (SCW) to create a
security policy named DC Security Policy, and transformed the security policy to a Group Policy Object
(GPO) named DC Security Policy.
5. In the Select Servers dialog box, make sure that LON-DC1.Adatum.com is selected, and then click
Start Scan.
Note: It can take a minute for results to appear. Refresh the results by using the TASKS menu.
Answer: 43
3. Select an item and view the additional information that is available.
7. In the Click to display saved search settings drop-down list (icon on the right side of the filter text
box), select the Compliant results report.
8. Notice that only items with Severity equal to Information are now displayed.
Answer: 34
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After this exercise, you will be able to run the Best Practices Analyzer (BPA) on a server role and
determine areas for improved efficiency or performance.
3. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
4. Right-click User Defined, point to New, and then click Data Collector Set.
5. In the Create new Data Collector Set wizard, in the Name box, type LON-SVR1 Performance.
6. Click the Create manually (Advanced) radio button and then click Next.
7. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
8. On the Which performance counters would you like to log? page, click Add.
9. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
10. In the Available counters list, expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Still within PhysicalDisk click Avg. Disk Queue Length, and then click Add >>.
13. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.
14. In the Available counters list, expand System, click Processor Queue Length, click Add >>, and then click OK.
15. On the Which performance counters would you like to log? page, in the Sample interval box,
type 1, ensure that Seconds is selected in the Units drop-down box, and then click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set? page, click Save and close, and then click Finish.
2. At the Command Prompt, type the following command, and then press Enter. (This creates a file
approx. 100 MB in size)
3. At the Command Prompt, type the following command, and then press Enter. (This copies that file to
LON-DC1)
4. At the Command Prompt, type the following command, and then press Enter. (This creates a copy of
the file on LON-DC1)
5. At the Command Prompt, type the following command, and then press Enter. (This deletes all the
created files from LON-SVR1)
del bigfile*.*
6. At the Command Prompt, type the following command, and then press Enter. (This deletes all the
created files from LON-DC1)
del \\lon-dc1\c$\bigfile*.*
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec,
and then click Add >>.
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length, and then click Add >>.
13. Expand Processor, click %Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
16. On the toolbar, click the down arrow, and then click Report.
17. Record the values listed in the report for analysis later.
Recorded values:
• Memory\Pages/sec
Results: After this exercise, you should have established a performance baseline.
2. At the Command Prompt, type the following command, and then press Enter.
cd C:\Labfiles\StressTool\amd64
2. At the Command Prompt, type the following, and then press Enter.
StressTool 95
3. Open Task Manager by right-clicking the taskbar at the bottom of the screen and selecting Task
Manager, and then click More details.
3. In Performance Monitor, click User Defined. In the results pane, right-click LON-SVR1 Performance,
and then click Start.
4. Wait for one minute for data to be captured.
Results: After this exercise, you should have introduced a load on the server and restarted the Data
Collector Set.
3. Press Ctrl+C.
5. Open Task Manager by right-clicking the taskbar at the bottom of the screen and selecting Task
Manager.
7. Notice the CPU % Utilization graph has returned to normal now that the simulated load has been
removed.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Remove.
6. Click Add.
9. Click the Data tab, click OK, and then click OK to close the Performance Monitor Properties
dialog box.
10. If you receive an error or the values in your report are zero, repeat steps 4-9.
Recorded values:
• Memory\Pages/sec
• Network Interface\Bytes Total/sec
Answer: Processor activity has increased significantly and this is due to the simulated load we placed on
it.
3. Question: If you saw a similar trend in your work environment, what would you recommend as a next
step?
Answer: CPU load has increased without an increase in networking or disk activity. This would indicate that a
service local to the machine is putting load on the CPU. You could continue to monitor the server to try to
identify which service or program is placing the load on the server.
4. Question: Can you identify any additional counters which could potentially help you narrow down
your search to determine what application is placing the greatest load on the CPU?
Answer: If you have not encountered this issue before, it may be a process of trial and error to identify
which additional counters, if any, could be of help.
You should start by creating a new Data Collector Set and scrolling through the available counters. Some
counters that may help in this instance:
• Process\Thread Count (to identify whether a particular process has a large number of threads running)
• Processor Information\% User Time (to identify a user placing a load on a server if there are multiple
users accessing the server and its services)
• Thread\ID Process (to identify the process placing the load on the server)
5. Question: Are there any additional tools which may help identify what process or software is placing
the load on the server?
Answer: You could also open Task Manager, go to the Processes tab, scroll through the listed processes,
and try to identify which processes are placing the greatest load on the server.
Results: After this exercise, you should have identified a potential bottleneck.
2. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
3. Right-click User Defined, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set wizard, in the Name box, type LON-SVR1 Network
Bandwidth Alert.
6. On the What type of data do you want to include? page, click the Performance Counter Alert
radio button, and then click Next.
7. On the Which performance counters would you like to monitor? page, click Add.
8. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and
then click OK.
9. On the Which performance counters would you like to monitor? page, in the Alert when: list,
select Above.
10. In the Limit box, type 500, and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In the navigation pane, expand the User Defined node, and then click LON-SVR1 Network
Bandwidth Alert.
13. In the Results pane, right-click DataCollector01, and then click Properties.
14. In the DataCollector01 Properties dialog box, on the Alert tab, choose the following:
• Alert when: Above
• Limit: 500
• Sample interval: 10
• Units: Seconds
16. Select the Log an entry in the application event log check box, then in the Start a Data
Collector set drop-down box select LON-SVR1 Performance, and then click OK.
17. In the navigation pane, right-click LON-SVR1 Network Bandwidth Alert, and then click Start.
2. At the Command Prompt, type the following command, and then press Enter. (This creates a file
approx. 1 GB in size)
3. At the Command Prompt, type the following command, and then press Enter. (This copies that file to
10967A-LON-DC1 and puts a load on the Network Interface)
Task 3: Verify the Event ID is generated and the Data Collector Set starts
1. In Server Manager, click Tools, and then click Event Viewer.
2. Expand Application and Services Logs, and then select the Microsoft-Windows-Diagnosis-PLA/Operational log.
3. Scroll through the list of events. Look for Event ID 2031 and read the details in the General tab, which
should say something like “….Performance counter \Network Adapter> [Emulated])\Bytes Total/sec
has tripped its alert threshold. The counter value of < X > is over the limit value of 500.000000.
500.000000 is the alert threshold value.”
4. What is the Event ID associated with an Event generated with an Alerts threshold being exceeded?
5. Return to Performance Monitor and navigate to Data Collector Sets, and then User Defined.
Note: As you scroll through the Event IDs, you may see some errors about the LON-SVR1 Performance
collector set not being able to start. This is because it was already started successfully.
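The collector set built in Lab 12 and the alert above can both be reproduced from PowerShell. The block below is an added example, not part of the lab: it samples the same six counters the LON-SVR1 Performance set logs, summarises them, applies the lab's alert rule (Bytes Total/sec above 500) in script, and lists recent Event ID 2031 entries from the Diagnosis-PLA log; the sample count is an assumed default.

```powershell
# Added example, not part of the lab: sample the counters from the "LON-SVR1
# Performance" collector set, summarise them, and apply the lab's alert rule
# (Network Interface\Bytes Total/sec above 500) in script. Run on the monitored
# server itself (LON-SVR1 in the lab).
param(
    [int]$SampleInterval = 1,     # seconds, as in the collector set
    [int]$MaxSamples     = 10,    # assumed window for this example
    [double]$BytesLimit  = 500    # the lab's alert limit for Bytes Total/sec
)

$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

$samples = Get-Counter -Counter $counters -SampleInterval $SampleInterval -MaxSamples $MaxSamples

# One row per counter instance with min/avg/max over the sample window; this is
# the same information the lab has you read off the Report view.
$summary = $samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Minimum -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Min     = [math]::Round($stats.Minimum, 2)
            Avg     = [math]::Round($stats.Average, 2)
            Max     = [math]::Round($stats.Maximum, 2)
        }
    }
$summary | Format-Table -AutoSize

# Reproduce the alert condition: any Bytes Total/sec sample above the limit.
$tripped = $samples.CounterSamples |
    Where-Object { $_.Path -like '*\Bytes Total/sec' -and $_.CookedValue -gt $BytesLimit }
foreach ($s in $tripped) {
    Write-Warning ("{0}: {1} = {2:N0} is over the limit of {3}" -f $s.Timestamp, $s.Path, $s.CookedValue, $BytesLimit)
}

# The real alert writes Event ID 2031 to the Diagnosis-PLA operational log; show recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Diagnosis-PLA/Operational'; Id = 2031 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

On an idle lab VM the Bytes Total/sec warnings only appear while the file copy from Task 2 is running, which is exactly the trigger the collector-set alert waits for.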
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
Results: After completing this exercise you will have: created an alert, and tested to ensure it generates an
Event ID and triggers a Data Collector Set to start.
2. In Server Manager, click Manage, and then select Add Roles and Features.
4. On the Select installation type page, accept the defaults, and then click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the Windows Server Update Services check box.
7. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
8. On the Select features page, select .NET Framework 3.5, and then click Next.
Note: .NET Framework 3.5 is required for the reporting function in WSUS in Windows Server 2012
11. On the Content location selection page, ensure the “Store updates in the following location …..”
checkbox is selected, type C:\WSUS in the box, and then click Next
12. On the Confirm installation selections page, click Install, and then click Close.
2. In the resulting dialog box, navigate to the Post-Deployment Configuration section and click Launch
Post-Installation tasks.
3. In Server Manager, click the Notification icon again, and then select Task Details.
4. In the Task Details dialog box, note the Task Name and Stage columns, and wait until the Post-deployment Configuration task is listed as Complete. When it is complete, close the Task Details dialog box.
5. In Server Manager, click Tools, and then select Windows Server Update Services.
2. The Windows Server Update Services Configuration Wizard appears. On the Before you
Begin page, click Next.
3. On the Join the Microsoft Update Improvement Program page, click Next.
4. On the Choose Upstream Server page, ensure that Synchronize from Microsoft Update is selected, and then
click Next.
6. On the Connect to Upstream Server page, click Start Connecting. When it is finished, click Next.
Note: This may take up to five minutes to complete, depending on your connection speed.
7. On the Choose Languages page, select Download updates only in these languages:, choose
English, and then click Next.
8. On the Choose Products page, select the All Products check box, and then clear it again to clear the
default product selections. Scroll down to Windows and select Windows 8, ensure that all other options
are cleared, and then click Next.
9. On the Choose Classifications page, clear Definition Updates and Security Updates, select only
Critical Updates, and then click Next.
Note: We are selecting only this option to reduce the time that synchronization takes.
However, at least both security and critical updates would be needed to keep your environment secure.
10. On the Set Sync Schedule page, select Synchronize manually, and then click Next.
11. On the Finished page, select Begin initial synchronization, and then click Next.
2. Verify that you receive a Feature Unavailable error stating that “The Microsoft Report Viewer 2008
Redistributable is required for this feature…”, and then click OK.
3. Close the Update Services management console.
4. Open File Explorer, navigate to E:\Mod13\Labfiles, right-click ReportViewer.exe, and then select Run
as administrator.
6. On the License Terms page, select the I have read and accept the license terms check box, and
then click Install.
7. On the Setup Complete page, click Finish.
9. In the navigation pane on the left side, click Synchronizations, and then select Synchronization
Report in the Actions pane.
11. Close the Synchronization Report for LON-DC1 window and the Update Services window.
2. In the console pane, expand Forest: Adatum.com, expand Domains, and then click Adatum.com.
3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, type WSUS in the Name field, and then click OK.
6. In the Group Policy Management Editor window, under Computer Configuration, expand
Policies, expand Administrative Templates, expand Windows Components, and then click
Windows Update.
8. In the Configure Automatic Updates dialog box, click Enabled, and then click Next Setting.
9. In the Specify intranet Microsoft update service location dialog box, click Enabled.
10. In the Set the intranet update service for detecting updates field, type http://LON-DC1:8530
11. In the Set the intranet statistics server field, type http://LON-DC1:8530
12. Why is the number 8530 specified in the URL?
Answer: The default HTTP connection port is 80. However, WSUS uses port 8530 for HTTP and port 8531
for HTTPS. Because that differs from the default, it needs to be specified here so that the client can
connect successfully.
14. In the Automatic Updates detection frequency dialog box, click Enabled, set interval (hours):
to 1, and then click OK.
15. Ensure the three Group Policy settings are enabled then close Group Policy Management Editor,
and then close Group Policy Management Console.
16. Sign in to the 10967A-LON-CL1 virtual machine as ADATUM\Administrator with the password
Pa$$w0rd.
17. If you have not already done so, start and then sign in to 10967A-LON-CL1 with the user name
ADATUM\Administrator and the password Pa$$w0rd.
18. On 10967A-LON-CL1, open a Command Prompt with Administrative privileges, type the following
command, and then press Enter. This will force the client to update the Group Policies on the
computer.
gpupdate /force
19. To force the client to detect any changes that have been made to the update service, type the
following and press Enter.
2. In the Computer Management console, expand Services and Applications, and then select
Services
3. In Services, locate Background Intelligent Transfer Service, open its Properties, set Startup type
to Automatic, and then click OK.
4. In Services, locate Windows Update, open its Properties, set Startup type to Automatic, click
Apply, and then click OK.
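Whether the three Group Policy settings from the WSUS GPO actually reached the client can be verified on 10967A-LON-CL1 without opening Group Policy tools. This PowerShell block is an added example, not part of the lab: it reads the policy values Windows Update honours from the registry, compares them with the lab's settings (server http://LON-DC1:8530, one-hour detection frequency), and checks that port 8530 is reachable.

```powershell
# Added example, not part of the lab: on the WSUS client, confirm that the GPO's
# Windows Update settings landed in the policy registry keys and that the
# intranet update server is reachable on port 8530 (WSUS HTTP), not port 80.
param(
    [string]$ExpectedServer = 'http://LON-DC1:8530',  # from the lab's GPO
    [int]$ExpectedDetectionHours = 1                  # from the lab's GPO
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

# Both keys are absent until the GPO has been applied (gpupdate /force in the lab).
$p  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

$checks = @(
    [pscustomobject]@{ Setting = 'Specify intranet update service (WUServer)';   Expected = $ExpectedServer; Actual = $p.WUServer }
    [pscustomobject]@{ Setting = 'Intranet statistics server (WUStatusServer)'; Expected = $ExpectedServer; Actual = $p.WUStatusServer }
    [pscustomobject]@{ Setting = 'Use WSUS server (UseWUServer)';                Expected = 1;               Actual = $au.UseWUServer }
    [pscustomobject]@{ Setting = 'Configure Automatic Updates (NoAutoUpdate)';   Expected = 0;               Actual = $au.NoAutoUpdate }
    [pscustomobject]@{ Setting = 'Detection frequency enabled';                  Expected = 1;               Actual = $au.DetectionFrequencyEnabled }
    [pscustomobject]@{ Setting = 'Detection frequency (hours)';                  Expected = $ExpectedDetectionHours; Actual = $au.DetectionFrequency }
)

# String comparison so a missing value ($null) shows as a failed check rather than an error.
$checks | ForEach-Object {
    $_ | Add-Member -NotePropertyName OK -NotePropertyValue ("$($_.Actual)" -eq "$($_.Expected)") -PassThru
} | Format-Table -AutoSize

# The policy points at 8530, so a client firewall or wrong port shows up here first.
$uri    = [uri]$ExpectedServer
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($uri.Host, $uri.Port)
    Write-Output "TCP $($uri.Host):$($uri.Port) reachable."
} catch {
    Write-Warning "Cannot reach $($uri.Host) on port $($uri.Port): $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

If every row shows OK but the client still does not appear in the WSUS console, the client-side log step later in the lab (the references to http://lon-dc1:8530) is the next place to look.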
2. In the Update Services console, expand Computers, and then click All Computers.
3. Select Status: Any, and then click Refresh. Verify that two computers are listed: lon-dc1.adatum.com
and lon-cl1.adatum.com.
5. In the Add Computer Group dialog box, type WSUS LON Win8, and then click Add.
7. In the Add Computer Group dialog box, type WSUS LON WS2012, and then click Add.
8. In the console pane, expand All Computers, and then click Unassigned Computers.
9. In the details pane, in the Status list, click Any, and then click Refresh.
10. Right-click lon-cl1.adatum.com, and then click Change Membership.
11. In the Set Computer Group Membership dialog box, select the WSUS LON Win8 check box, and
then click OK.
12. Click Unassigned Computers group again.
13. In the details pane, in the Status list, click Any, and then click Refresh.
6. Locate “Update for Windows 8 for x64-based Systems (KB2768703)”, right-click it, and then
click Approve…
7. In the Approve Updates dialog box, expand All Computers, click the arrow on the WSUS Win8
LON computer group, select Approved for Install, and then click OK.
9. Right-click the same update, “Update for Windows 8 for x64-based Systems (KB2768703)”, and
again select Approve…
10. In the Approve Updates dialog box, expand All Computers, click the arrow on the WSUS Win8
LON computer group, select Deadline, and then select Custom…
11. In the Choose Deadline dialog box, select yesterday’s date, and then click OK.
For example, if it is 2 June when you are running this lab exercise, select 1 June, and then click OK.
Note: This has the effect of ensuring the update is applied to a client as soon as the client queries the
Update Server for available updates.
Task 9: Query the WSUS server for available updates from Windows 8 client
1. Ensure you are signed in to 10967A-LON-CL1 with user name ADATUM\Administrator and
password pa$$w0rd
gpupdate /force
8. Scroll down to the end of the log file, locate the references to http://lon-dc1:8530, and ensure that
no errors are listed.
9. Return to 10967A-LON-DC1, and in Server Manager, click Tools, and then select Event Viewer.
11. In the Application Logs details pane locate Events with source equal to Windows Update Services
and verify there is an event specifying a client connected successfully.
13. Open Control Panel, select Programs, and then under Programs and Features, select
View installed updates.
Note: It may take several minutes for the client to connect and the update to be installed.
You should proceed to the next exercises and complete those while waiting for the client to be
updated. Once you have completed those exercises, you can return here to verify that the update
has been applied successfully.
5. On the completed report, note how many updates are listed under lon-cl1.adatum.com.
Results: At the end of this exercise, you will have configured Windows Server Update Services (WSUS) to
manage updates.
Answer: If file shares, remote desktop, and ping are unavailable, the troubleshooting process for this
problem has to be done locally, in the physical location of the computer, or alternatively over the
telephone with someone at the physical computer who can help you with the troubleshooting
process.
3. What considerations should be made about 10967A-LON-SVR5 and the people and services that
require the services that are provided by 10967A-LON-SVR5?
Note: The virtual machine has been configured with the Windows Server 2012 evaluation ISO
installation files already attached, to assist with steps required later in the lab. As such, the
10967A-LON-SVR5 virtual machine will give the prompt “Press any key to boot from CD or DVD…”
each time it starts up. Do not press any key to boot into the installation files unless explicitly told
to do so in the lab steps.
Answer: “The Boot Configuration Data file doesn’t contain valid information for an operating system”.
Answer: The problem is a corrupted or damaged Boot Configuration Data (BCD) store. There is no
reference in the BCD to enable the Windows Boot Manager to access the Windows Boot Loader.
7. What tool should you use to try to resolve the problem that is causing the error message?
Answer: BCDEdit will let you view the status of the BCD store. In this case, there is no entry for an
operating system in the BCD store for 10967A-LON-SVR5. To correct this, run bootrec.exe with the
/scanos switch to find the operating system on the computer, and then run bootrec.exe with the
/rebuildbcd switch to create a new BCD store with a pointer to the boot loader for the found operating
system.
10. In the Turn Off Machine dialog box, click Turn Off.
Task 3: Resolve the issue on the Windows Server and complete the Incident Record
1. Start the 10967A-LON-SVR5 virtual machine.
2. As stated in the previous exercise, you will be prompted to “Press any key to boot from CD or
DVD…” as the virtual machine starts.
3. Press Enter and allow the virtual machine to boot into the installation files.
8. At the Command Prompt, type the following, and then press Enter.
Bcdedit
10. At the Command Prompt, type the following, then press Enter, and from the resultant output
determine which are the most appropriate switches to use
bootrec /?
11. At the Command Prompt, type the following, and then press Enter:
bootrec /scanos
12. At the Command Prompt, type the following, and then press Enter:
bootrec /rebuildbcd
13. At the Add installation to boot list prompt, press Y, and then press Enter.
14. Close the Command Prompt window by typing exit and pressing Enter.
15. In the System Recovery Options screen, click the Continue button.
16. Make sure that 10967A-LON-SVR5 starts and brings you to the sign in screen.
17. Ensure that you can sign in successfully with the local administrator credentials: user name
.\Administrator and password Pa$$w0rd.
18. Answer the Resolution Questions on the Incident Report.
Answer: By using BCDEdit to identify the lack of an operating system entry in the BCD store. Then use
bootrec to rebuild the BCD store.
20. What should the next steps in the troubleshooting process be?
Answer: Have a user or users connect to 10967A-LON-SVR5 to make sure that their applications are
functioning correctly. Notify the remainder of the users of 10967A-LON-SVR5 that the server is
operating correctly and can resume their use of 10967A-LON-SVR5. Additionally, the details of the
problem, together with the steps used to repair the problem, should be documented and archived for
future reference and logging purposes.
21. Revert the 10967A-LON-SVR5 virtual machine, and then shut down the virtual machine to free up
host resources, as it is not required for any subsequent exercises.
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
3. In the Performance Monitor console, expand Monitoring Tools, and then click Performance
Monitor.
4. In the details pane, click the View Log Data button (Ctrl+L).
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
10. In the Add Counters dialog box, under Available counters, add the following counters by
highlighting them and clicking Add>>
• Processor
• % Processor Time
• System
12. In Performance, at the bottom of the window, click % Processor Time to view the graph of the CPU
usage on LON-SVR2 and notice:
14. In the Add Counters dialog box, under Available counters, add the following counters by
highlighting them and clicking Add>>
• Process
• % Processor Time
18. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
19. Keeping in mind your answer from the previous question, what steps (using a troubleshooting
methodology) would you take to continue the troubleshooting process?
Answer: A likely first step is to determine what the StressTool process is responsible for doing and whether any
users are experiencing issues with those processes. If no specific cause can be found, you might restart the
StressTool process, after first ensuring that all users of the services associated with StressTool are
prepared for the services to be unavailable. Additional monitoring of the StressTool process might be
necessary to determine whether the application needs updating or repair. (Note: The “StressTool”
process is a testing tool that you encountered earlier in the course. In this lab we used it to place a load
on the CPU for us to analyze.)
Task 2: Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part B
1. Ensure you are still signed into 10967A-LON-DC1, with user name ADATUM\Administrator and
password pa$$w0rd
3. In the Performance Monitor console, expand Monitoring Tools, and then click Performance
Monitor.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
10. In the Add Counters dialog box, under Available counters, add the following counters by
highlighting them and clicking Add>>
• Physical Disk
• Physical Disk
• Physical Disk
o Disk Transfers/sec
• Process
o IO Data Bytes/sec
11. Click OK
12. Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button
(Ctrl+H) to view each instance. Identify the process that is using the disk transfer capacity.
13. Complete the resolution questions in Part B of the Incident Record.
14. What do the Performance Logs for LON-SVR2 indicate could possibly be the source of the problem?
Answer: There are a few processes, such as the sqlservr and Wsusservice processes, that are intermittently
performing a lot of IO; however, they display peaks and troughs. For example, they have IO
and then none, which would be expected. However, the peak values for Avg. Disk Queue Length and Disk
Transfers/sec occur when the EatDiskspace process's IO consumption occurs, and this process is
continuously consuming IO resources on the computer. The EatDiskspace process is consuming a lot of
disk resources and would warrant a closer look.
15. Keeping in mind your answer from the previous question, what steps (using a troubleshooting
methodology) would you take to continue the troubleshooting process?
Answer: If EatDiskspace is consuming disk resources, you could view the Disk tab of Resource
Monitor, select the check box beside the process, and click the Disk Activity or Storage sections to try to
determine what aspects of the process are involved, such as file copies. If the process is manipulating files,
you could determine whether that is necessary, or possibly whether the task could be scheduled
during non-business hours. (Note: The “EatDiskspace” process is a testing tool that we used to
perform a large volume of disk IO operations for us to analyze.)
Results: After this exercise, you should have collected information to start the troubleshooting process.