
70-412: Configuring Advanced Windows

Server 2012 Services


Course 01 - Network Services
Slide 1

 
DHCP | DNS | IPAM

Slide 2

 DHCP server:
 o Allocates IP address and configuration to clients
 o When IP properties change, only need to change them in a single location
 • DNS servers
 • Gateway
 • Additional properties
 o Tracks all clients and the IP address allocation
 DHCP client:
 o Any device that can request and obtain IP address configuration from a DHCP server
 • PCs
 • Laptops
 • Printers
 • Mobile devices
 • Switches
 • Network boot clients

Slide 3

 DHCP Server service
 o DHCP Client service runs on the clients
 o Starts automatically on Windows boot
 o Responsible for IP address allocation
 DHCP database
 o Contains all configuration data
 o Information regarding IP addresses leased
 o Default location: %SystemRoot%\System32\DHCP
 DHCP console
 o Main administration tool
 o Can be installed on Windows 8 clients with RSAT
 DHCP authorization
 o Must be authorized in Active Directory by a member of Enterprise Admins
 o On a domain-joined server the DHCP service shuts itself down if it is not authorized (a safeguard against rogue DHCP servers)

Slide 4

 Scope: Range of IP addresses and related information
 o Must have:
 • Name
 • Description
 • Range of addresses
 • Subnet mask
 o Optional configuration:
 • IP addresses to be excluded
 • Duration of lease
 • DHCP options
 Options:
 o Default gateway
 o DNS servers
 o Domain suffix
 o WINS/NBNS
 o Option levels (the most specific level wins):
 • Global (server)
 • Scope
 • Class ID
 • Reservation
You can configure multiple scopes, but for each scope the server must either be connected directly to that subnet or be reachable from it through a DHCP Relay Agent, because the client's initial request is a broadcast that routers do not forward.
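The authorization check from slide 3 and the scope, exclusion, option-level and reservation settings from slide 4, as an added PowerShell example (not code from the course slides). The server name, addresses, MAC address and domain are assumptions; run it as a member of Enterprise Admins on the DHCP server.

```powershell
# Added example: authorize a DHCP server in AD and build a scope with exclusions,
# options at each level, and a reservation. Names and addresses are assumptions.
$dhcp = "dhcp01.mayfieldcornerllc.com"   # assumed server FQDN
$ip   = "10.10.10.5"                      # assumed server IPv4 address

# 1. Authorization: in a domain, an unauthorized DHCP Server service stops itself,
#    so check (and fix) this before creating scopes.
if (-not (Get-DhcpServerInDC | Where-Object { $_.IPAddress -eq $ip })) {
    Add-DhcpServerInDC -DnsName $dhcp -IPAddress $ip
}
Get-DhcpServerInDC   # every authorized server; anything unexpected here deserves a look

# 2. Scope: name, range and subnet mask are required; lease defaults to 8 days.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name "Head Office" `
    -Description "10.10.10.0/24 wired clients" `
    -StartRange 10.10.10.20 -EndRange 10.10.10.250 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# 3. Exclusion: keep the statically addressed range (servers, printers) out of the pool.
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId 10.10.10.0 `
    -StartRange 10.10.10.20 -EndRange 10.10.10.49

# 4. Options at three levels. Server level applies to every scope; scope level
#    overrides it; reservation level overrides both.
Set-DhcpServerv4OptionValue -ComputerName $dhcp `
    -DnsServer 10.10.10.10,10.10.10.11 -DnsDomain mayfieldcornerllc.com       # server (global)
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.10.10.0 -Router 10.10.10.1   # scope
Add-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId 10.10.10.0 -IPAddress 10.10.10.60 `
    -ClientId "00-15-5D-01-02-03" -Name "print01" -Description "Print server"  # assumed MAC
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ReservedIPAddress 10.10.10.60 `
    -DnsServer 10.10.10.10                                                  # reservation

# 5. Verify what a client in this scope would actually receive, and pool usage.
Get-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.10.10.0 -All |
    Select-Object OptionId, Name, Value
Get-DhcpServerv4ScopeStatistics -ComputerName $dhcp -ScopeId 10.10.10.0
```

The exclusion range deliberately overlaps the start of the scope range: the pool hands out 10.10.10.50 to .250 while the scope still "owns" the whole subnet, which is what lets the reservation at .60 sit inside it.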

Slide 5

 Configuration obtained through broadcast
 Leases for an 8 day duration by default
 o Administrator can define a different duration
 At 50% of the lease duration the client attempts renewal (unicast to the server that issued the lease)
 Renewal is also attempted during the startup process
 Lease process (DORA):
 o Client broadcasts request (Discover)
 o Server offers IP configuration (Offer)
 o Client accepts and acknowledges the configuration (Request)
 o Server sends acknowledgement (Ack)

Slide 6

 Super Scopes
 Multicast Scopes
 DHCP v6
 DHCP High Availability
o Failover
o Split Scopes
o DHCP Name Protection

Slide 7

 DHCP option 081 (Client FQDN) lets the client and server negotiate who registers the client's DNS records, so the DHCP server can own them
 o Creation
 o Deletion
 • Host (A)
 • Pointer (PTR)
 Configured on the DNS tab
 • Properties node (DNS tab) on the protocol (IPv4/IPv6) node: applies to all scopes
 • Per scope: overrides the server-level setting
 Behaviour:
 o DHCP server updates the DNS address record only if the client requests it (option 81)
 o Default: DHCP server registers only the PTR record; the client registers its own A record
 o Upon lease expiration: A record discarded, PTR record deleted (default: enabled)

Slide 8

 Super Scopes:
 o Collection of scopes
 • Grouped together for administrative reasons
 • Used where several logical IP subnets share one physical network segment
 • Need two or more scopes already created
 • Super scope wizard allows you to create one
 • Good when moving clients to a new subnet transparently
 Benefits
 o Allows you to "expand" a scope that runs out of addresses
 Multinetting
 o Adding a second scope
 o Clients end up on a different logical subnet on the same wire
 o Routers would need to be configured with an address in each subnet

Slide 9

 MADCAP scope (alternate name)
 o Multicast Address Dynamic Client Allocation Protocol
 o Applications must support the MADCAP API; WDS is a good example of a multicast scope consumer
 Collection of class D addresses
 o 224.0.0.0 to 239.255.255.255
 Used when applications need to communicate with more than one client simultaneously
 Multiple hosts listen for traffic sent to the same IP address
 Applications (not hosts) reserve the multicast IP address
 o Data and content delivery

Slide 10

 Configurations supported
 o Stateless
 • Router (router advertisement / SLAAC) assigns the IPv6 address automatically
 • DHCPv6 only supplies other configuration (DNS servers, domain search list)
 o Stateful
 • DHCPv6 server assigns the IP address and other configuration data
 Scope properties
 o Name/Description
 o Preference
 • Informs DHCPv6 clients which server to prefer when several respond (higher value wins)
 o Valid/Preferred lifetimes
 • Length of the address lease
 o Prefix
 • Analogous to the IPv4 address range
 • Defines the network ID
 o DHCP options
 • DNS servers, domain search list, etc. (DHCPv6 does not supply a default gateway; that comes from the router advertisement)
 o Exclusions
 • Single addresses or blocks of addresses that will not be offered
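The three scope types from slides 8, 9 and 10 (superscope with multinetting, MADCAP multicast scope, stateful DHCPv6 scope) built on one server, as an added PowerShell example that is not part of the course material. All scope names, address ranges, prefixes and the WDS use are assumptions.

```powershell
# Added example: superscope, multicast scope and DHCPv6 scope. Ranges are assumptions.

# --- Superscope (multinetting): two logical subnets on one physical segment.
#     Both member scopes must exist first. The router on that segment needs an
#     address in each subnet, otherwise hosts in the second range have no gateway.
Add-DhcpServerv4Scope -Name "Floor2-A" -StartRange 10.20.0.20 -EndRange 10.20.0.250 `
    -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4Scope -Name "Floor2-B" -StartRange 10.21.0.20 -EndRange 10.21.0.250 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.20.0.0 -Router 10.20.0.1
Set-DhcpServerv4OptionValue -ScopeId 10.21.0.0 -Router 10.21.0.1
Add-DhcpServerv4Superscope -SuperscopeName "Floor2" -ScopeId 10.20.0.0,10.21.0.0
Get-DhcpServerv4SuperscopeStatistics -SuperscopeName "Floor2"   # usage across both members

# --- Multicast (MADCAP) scope: class D range leased to applications, not hosts.
#     The assumed range stays inside the administratively scoped block 239.0.0.0/8;
#     30 days is the MADCAP scope default lease, TTL 32 keeps it off the Internet.
Add-DhcpServerv4MulticastScope -Name "WDS-Multicast" -StartRange 239.192.10.1 `
    -EndRange 239.192.10.254 -Ttl 32 -LeaseDuration (New-TimeSpan -Days 30) -State Active
Get-DhcpServerv4MulticastScope

# --- DHCPv6 stateful scope: the prefix plays the role of the IPv4 range; the
#     preference tells clients which of several servers to favour (higher wins).
Add-DhcpServerv6Scope -Prefix 2001:db8:10:20:: -Name "Floor2-v6" -Preference 10 -State Active
Set-DhcpServerv6OptionValue -Prefix 2001:db8:10:20:: `
    -DnsServer 2001:db8:10:1::53 -DomainSearchList mayfieldcornerllc.com
Add-DhcpServerv6ExclusionRange -Prefix 2001:db8:10:20:: `
    -StartRange 2001:db8:10:20::1 -EndRange 2001:db8:10:20::ff   # routers / static hosts
# Stateless operation needs no scope: set only the O flag in the router advertisement
# and the server answers Information-Request messages with options alone.
Get-DhcpServerv6Scope | Select-Object Prefix, Name, Preference, ValidLifetime, PreferredLifetime
```

Whether a client actually gets an address from the v6 scope depends on the M flag in the router advertisement, not on anything set here; the DHCPv6 server only answers what the client asks for.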

Slide 11

 African Network Information Centre (AfriNIC) for Africa


 Asia-Pacific Network Information Centre (APNIC) for Asia,
Australia, New Zealand, and neighboring countries
 American Registry for Internet Numbers (ARIN) for Canada,
many Caribbean and North Atlantic islands, and the United
States
 Latin America and Caribbean Network Information Centre
(LACNIC) for Latin America and parts of the Caribbean region
 Réseaux IP Européens Network Coordination Centre (RIPE
NCC) for Europe, Russia, the Middle East, and Central Asia

Slide 12

 Protects names registered by DHCP in DNS
 o Ensures they are not overwritten
 o Includes names that are:
 • Already held by a machine with a statically assigned name
 • Registered by UNIX based systems
 Name squatting
 o Conflict when one client registers a name with DNS that is already registered by a different machine
 o Resource record used: DHCID (Dynamic Host Configuration Identifier)
 • Tracks which client originally requested the name
 • Stored in DNS beside the A record
 How it works
 o DHCP server refers to the DHCID record for the name / IP address
 o Verifies that the machine requesting the name is the original machine
 o If it is not the original machine, the record is not updated and the registration request that the DHCP server received is refused
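The DHCP-driven DNS registration settings from slide 7 and Name Protection from slide 12, applied to one scope and checked from the DNS side, as an added PowerShell example (not from the course slides). The scope, zone, service account and the assumption that the zone is AD-integrated are illustrative.

```powershell
# Added example: DHCP dynamic DNS updates plus Name Protection. Names are assumptions.
$scope = "10.10.10.0"
$zone  = "mayfieldcornerllc.com"

# Current behaviour: default is OnClientRequest (client sends option 81); DHCP writes the
# PTR and the client writes its own A record.
Get-DhcpServerv4DnsSetting -ScopeId $scope

# Make the DHCP server own both records for this scope: always update, remove A and PTR
# when the lease expires or is deleted, register for clients that do not send option 81
# (UNIX, older Windows), and turn on Name Protection (DHCID-based conflict check).
Set-DhcpServerv4DnsSetting -ScopeId $scope `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $true

# Name Protection only helps if the zone accepts secure dynamic updates; with
# nonsecure updates any host can overwrite the A record directly and skip the check.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, DynamicUpdate
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure     # AD-integrated zone assumed

# After a lease is handed out the DHCP server registers a DHCID record beside the A
# record. A later request for the same name from a different client identifier fails
# the DHCID comparison and the existing A record is left alone.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DhcId |
    Select-Object HostName, RecordType, Timestamp, RecordData

# Secure updates are made under the DHCP server's identity. Use a dedicated, low-
# privilege account for the registrations (assumed name below) rather than the
# computer account; this matters most when DHCP runs on a domain controller.
Set-DhcpServerDnsCredential -Credential (Get-Credential "MAYFIELD\svc-dhcp-dns")
Get-DhcpServerDnsCredential
```

Records the DHCP server creates are owned by the credential above, so if that account is ever replaced, the old records become un-updatable until they are scavenged or the ownership is fixed; add the account to the DnsUpdateProxy group if several DHCP servers share the zone.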

Slide 13

 Delegating administration
 DNS logging
 DNS security
o DNSSEC
o DNS socket pool
o Cache locking
 Recursion
 Netmask ordering
 Global names zone

Slide 14

 Delegation
 o Domain Admins: full permissions on all DNS servers in their home domain
 o Enterprise Admins: full permissions on all DNS servers in any domain of the forest
 o DnsAdmins: group in each domain
 • All permissions on the DNS service
 • Domain local group
 • No members by default

Slide 15

 Default location of log file


o %windir%\system32\DNS
 Events logged
o Starting and stopping DNS service
o Background loading and zone signing
o DNS configuration changes
o Warnings and error events
 Verbose logging
o Direction of packets
o Contents of packets
o Transport protocol used
o Type of request
o Filtering based on IP address

Slide 16

 DNSSEC
 DNS cache locking
 DNS socket pool

Slide 17

Digitally sign all DNS records in a zone, so client computers can validate responses.

 DNS attack examples:


o Spoofing
o Cache-tampering

Slide 18

 Trust anchors
 o Public keys (or hashes of them) that a validating server trusts without further proof; the starting point of the chain of trust for a zone
 o Must be configured on all DNS servers that validate DNSSEC responses for zones they are not authoritative for
 o Represented by a DNSKEY or DS resource record
 o On Windows, stored in the TrustAnchors zone, which can be replicated through Active Directory
 Resolvers
 o Use trust anchors to retrieve public keys and build trust chains
 NRPT (Name Resolution Policy Table)
 o Contains rules that control the requesting client's behaviour for queries and responses
 o Prompts the client computer to require validation of responses for a particular DNS domain suffix
 o Typically deployed by Group Policy
 o If there is no NRPT rule, the client computer accepts responses without validating

Slide 19

Install Windows Server 2012 and assign the DNS


role to the server. Typically, a domain controller
also acts as the DNS server. However, this is not a
requirement.

Sign the DNS zone by using the DNSSEC


Configuration Wizard, which is located in the DNS
console.

Configure trust anchor distribution points.

Configure the NRPT on the client computers.
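The four deployment steps above run end to end, as an added PowerShell example that is not part of the course material. The zone, the two server names, the GPO name and the export path are assumptions, and the DNS role is assumed to be installed already.

```powershell
# Added example: sign a zone, distribute the trust anchor, push an NRPT rule, verify.
$zone      = "mayfieldcornerllc.com"
$signer    = "dc01.mayfieldcornerllc.com"   # authoritative server, becomes Key Master
$resolver  = "dns02.mayfieldcornerllc.com"  # caching server that validates for clients
$anchorDir = "C:\DnssecAnchors"

# Step 2: sign with the wizard's recommended defaults (KSK 2048-bit RSA/SHA-256,
# ZSK 1024-bit, NSEC3, this server as Key Master).
Invoke-DnsServerZoneSign -ComputerName $signer -ZoneName $zone -SignWithDefault -Force
Get-DnsServerDnsSecZoneSetting -ComputerName $signer -ZoneName $zone |
    Select-Object ZoneName, KeyMasterServer, DenialOfExistence
Get-DnsServerSigningKey -ComputerName $signer -ZoneName $zone |
    Select-Object KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod, KeyId

# Step 3: trust anchor distribution. A validating resolver that is not authoritative
# for the zone needs the DS or DNSKEY imported explicitly. That import is the
# security boundary: whoever can write trust anchors on the resolver decides which
# keys it believes, so move the file out of band and protect the directory.
New-Item -ItemType Directory -Path $anchorDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ComputerName $signer -ZoneName $zone `
    -Path $anchorDir -DigestType Sha256 -Force          # writes keyset-<zone> and dsset-<zone>
# ... copy the keyset file to the resolver, then on that server:
Import-DnsServerTrustAnchor -ComputerName $resolver -KeySetFile "$anchorDir\keyset-$zone"
Get-DnsServerTrustAnchor -ComputerName $resolver -Name $zone

# Step 4: NRPT. Without a rule the client accepts unvalidated answers, so publish one
# by GPO that requires validation for this suffix (the resolver validates; the client
# insists on the AD bit in the answer).
Add-DnsClientNrptRule -GpoName "DNSSEC-NRPT" -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptPolicy          # run on a client after gpupdate: shows the rule

# Check: with DO set the resolver returns the RRSIG alongside the A record; with
# checking disabled (CD) it returns data even when validation fails, for diagnosis.
Resolve-DnsName -Name "www.$zone" -Server $resolver -DnssecOk | Select-Object Name, Type, TTL
Resolve-DnsName -Name "www.$zone" -Server $resolver -DnssecOk -DnssecCd | Select-Object Name, Type
```

The resolver must be able to reach the signer over DNS for the chain to be built; if step 3 is skipped the resolver has no anchor for the zone, validation cannot succeed, and clients under the NRPT rule will fail name resolution rather than fall back.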

Slide 20

 Configurable settings
 o KSK options (Key Signing Key)
 • Default key length 2048 bits
 • Maximum key length 4096 bits
 • Default algorithm RSA/SHA-256
 • DNSKEY signatures valid for 7 days by default
 • DNS Server 2012 creates an extra key automatically for emergency rollover
 o ZSK options (Zone Signing Key)
 • Default rollover frequency 90 days
 • Default key length 1024 bits
 o Trust anchor distribution points
 o Signing and polling parameters

Every zone has multiple DNSKEY records, broken down into ZSK and KSK.

Slide 21

 Key Master role is introduced for file-backed multi-master zones
 o Prior support was only for AD Integrated Zones
 Enhanced to isolate the key management process from primary DNS servers that are not key masters of the zone
 o Only the key master can initiate the entire process:
 • Key Generation
 • Key Storage
 • Key Rollover
 • Key Retirement
 • Key Deletion
DNSSEC key separation is accomplished by generating and storing keys through a Cryptography Next Generation (CNG) compliant key storage provider, which can be an offline or hardware storage module.

Slide 22

 DNSKEY
 o Publishes the public key for the zone
 o Used by resolvers to check the authenticity of responses
 o Must be replaced (re-published) during key rollovers
 DS (Delegation Signer)
 o Delegation record that contains a hash of the public key (KSK) of the child zone
 o Signed by the parent's private key
 o If both the child zone and the parent zone are signed, the DS records from the child must be added to the parent so a chain of trust can be created
 RRSIG
 o Resource record signature for a set of DNS records (an RRset)
 o Lets the resolver check the authenticity of the response
 NSEC (Next Secure)
 o Returned when the DNS response has no data to provide to the client
 o This record authenticates that the host (or the record type) does not exist
 NSEC3
 o A hashed version of the NSEC record
 o Prevents zone enumeration ("walking" the zone name by name), which plain NSEC allows because it lists the next name in clear text

Slide 23

 Configure zone parameters
 Sign the zone with the parameters of an existing signed zone
 Use recommended settings

Zones can be unsigned by using the DNSSEC management interface to remove the zone signatures.

Slide 24

 Controls when cached DNS information can be overwritten
 How long DNS caches information is based on the TTL value of the record
 Prevents the local cache from being overwritten (cache poisoning) and traffic being redirected
 Configured as a percentage of the TTL
 o A value of 50 ensures DNS does not overwrite a cached entry for half the duration of its TTL
 o Default cache locking value is 100 (entry locked for its full TTL)

Slide 25

 Allows DNS source port randomization for outbound DNS queries
 On service start, a pool of UDP source ports is allocated and each query picks one from the pool at random
 Default socket pool size is 2,500
 o Values can range from 0 to 10,000
 o The larger the value, the greater the protection against spoofed responses
 o An exclusion list of port ranges can be configured

Dnscmd /Config /SocketPoolSize <value>
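Cache locking (slide 24) and the socket pool (slide 25) read, hardened and verified on one server, as an added PowerShell example that is not part of the course slides. The pool size and the excluded port ranges are assumptions.

```powershell
# Added example: the two cache-poisoning defences. Pool size and port ranges are assumptions.

# Cache locking: percentage of the TTL during which a cached RRset cannot be replaced
# by a new (possibly spoofed) answer. 100 = locked for the full TTL (the default).
Get-DnsServerCache | Select-Object LockingPercent, MaxTtl, MaxNegativeTtl
Set-DnsServerCache -LockingPercent 100        # 50 would allow a rewrite after half the TTL
# equivalent: dnscmd /Config /CacheLockingPercent 100

# Socket pool: number of UDP source ports pre-allocated at service start so each outbound
# query leaves from an unpredictable port; an attacker then has to guess port and
# transaction ID, not just the ID. Default 2500, 0 disables randomisation, maximum 10000.
dnscmd /Info /SocketPoolSize
dnscmd /Config /SocketPoolSize 5000
# Keep ports used by other services on this host out of the pool (assumed ranges)
dnscmd /Config /SocketPoolExcludedPortRanges 5353-5353 49152-49155

# Both settings are read at service start
Restart-Service DNS

# Verify
dnscmd /Info /SocketPoolSize
dnscmd /Info /SocketPoolExcludedPortRanges
(Get-DnsServerSetting -All).SocketPoolSize          # the same value seen from PowerShell
# The service should now hold roughly SocketPoolSize UDP endpoints
(Get-NetUDPEndpoint -OwningProcess (Get-Process dns).Id | Measure-Object).Count
```

A larger pool reserves that many UDP ports for the lifetime of the service, so size it with the host's other listeners in mind and put those listeners in the exclusion list rather than shrinking the pool.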

Slide 26

 Stale records (records left behind)
 o Host taken off the network without cleaning up its records
 o Takes up space in the database
 o Causes incorrect query responses
 Typical behaviour
 o Client refreshes its DNS record every 24 hours or upon startup
 Enable aging and scavenging
 o Advanced properties of the DNS server (scavenging) and the properties of each zone (aging)
 o Choose for which zones
 o Disabled by default
 o Records added manually have a time stamp of 0 and are not affected by this process
 Parameters
 o No-refresh interval: time after the last update during which a client refresh does not update the record's time stamp (limits replication traffic)
 • Default 7 days
 o Refresh interval: time after the no-refresh interval during which a client refresh updates the time stamp; a record not refreshed before both intervals elapse is eligible for scavenging
 • Default 7 days
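Aging on a zone and scavenging on the server with the 7-day intervals above, followed by a listing of the records that are stale now, as an added PowerShell example that is not part of the course slides. The zone and server names are assumptions.

```powershell
# Added example: aging and scavenging with the slide's defaults. Names are assumptions.
$zone   = "mayfieldcornerllc.com"
$server = "dc01.mayfieldcornerllc.com"

# Server side: scavenging is off by default. Enable it on ONE server per zone; several
# scavenging servers with different clocks make records disappear unpredictably.
Get-DnsServerScavenging -ComputerName $server
Set-DnsServerScavenging -ComputerName $server -ScavengingState $true `
    -ScavengingInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Zone side: aging must be enabled per zone, otherwise no time stamps are written and
# nothing ever becomes eligible.
Set-DnsServerZoneAging -ComputerName $server -Name $zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
Get-DnsServerZoneAging -ComputerName $server -Name $zone

# Records whose time stamp is older than NoRefresh + Refresh (14 days) will be removed
# on the next scavenging pass. Static records carry no time stamp and are skipped,
# which is why a manually created record for a decommissioned host lingers forever.
$stale = Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt (Get-Date).AddDays(-14) } |
    Select-Object HostName, Timestamp, @{n='IP'; e={ $_.RecordData.IPv4Address }}
$stale | Format-Table -AutoSize

# Review the list before forcing a pass: a stale-looking record can belong to a host
# that is switched off for a long time but still expected back (e.g. a DR site).
Start-DnsServerScavenging -ComputerName $server -Force
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType A |
    Where-Object HostName -in $stale.HostName    # should return nothing
```

The 14-day figure is simply the two intervals added together; change it if you change the intervals, and remember that scavenging also waits for the scavenging interval itself, so a record can survive up to three weeks after its last refresh with these defaults.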

Slide 27

 Primary Zones (file-backed)
o Located in %SystemRoot%\System32\DNS
o One zonename.dns file per zone, e.g. Mayfieldcorner.dns
o Back up manually by copying the file, or use the export commands below
 AD Integrated
o The zone lives in AD DS, so there is no zone file to copy; export a text copy instead
o Command prompt  Run as administrator
• RUN: dnscmd /ZoneExport <zone name> <zone file name>
• Zone name: DNS zone name, e.g. mayfieldcornerllc.com
• File name: backup file name
• Zone data is exported to %SystemRoot%\System32\DNS
o PowerShell:
• Export-DnsServerZone -Name mayfieldcornerllc.com -FileName MayfieldCornerBackup
o The export is the zone in plain text. It carries none of the AD ACLs that secure dynamic update relies on, so restoring from it gives a file-backed primary zone until you convert it back; and because it is a complete map of the zone, store it with the same care as a domain backup
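A scripted version of the export for every primary zone on a server, as an added example that is not part of the course handout. It runs on the DNS server itself (assumed), writes timestamped files so an existing file is never overwritten, checks each export for its SOA record, and copies the files to an assumed backup share \\backup01\dns$. The restore steps at the end are commented out and use the handout's zone name.

```powershell
# Added example; not part of the course handout. Run elevated on the DNS server.
# Assumed: \\backup01\dns$ is a backup share the DNS server account can write to.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$dnsDir = Join-Path $env:SystemRoot 'System32\dns'
$dest   = '\\backup01\dns$'   # assumed location

# Skip the auto-created zones (0.in-addr.arpa, 127.in-addr.arpa, 255.in-addr.arpa).
$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    $file = "$($z.ZoneName)-$stamp.dns"
    # Works for both file-backed and AD-integrated primary zones;
    # the file lands in %SystemRoot%\System32\dns.
    Export-DnsServerZone -Name $z.ZoneName -FileName $file
    $path = Join-Path $dnsDir $file

    # Sanity check: a usable export contains the zone's SOA record.
    if (-not (Select-String -Path $path -Pattern '\sSOA\s' -Quiet)) {
        Write-Warning "No SOA found in $path; export of $($z.ZoneName) looks incomplete"
        continue
    }
    Copy-Item -Path $path -Destination $dest
}

# Restore path, for reference (commented out so the script is safe to run):
# 1. Copy the .dns file back into $dnsDir.
# 2. Add-DnsServerPrimaryZone -Name mayfieldcornerllc.com -ZoneFile 'mayfieldcornerllc.com-<stamp>.dns'
# 3. ConvertTo-DnsServerPrimaryZone -Name mayfieldcornerllc.com -ReplicationScope Domain -Force
# 4. Set-DnsServerPrimaryZone -Name mayfieldcornerllc.com -DynamicUpdate Secure
#    Steps 3 and 4 return the zone to AD storage and secure-only dynamic update;
#    a zone restored from a text file starts out file-backed with no ACLs.
```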

Slide 28

Forwarding: forward DNS requests that cannot be resolved locally to other DNS servers

Conditional Forwarders: queries for specific DNS suffixes are forwarded to specific DNS servers

Stub Zones: a replicated copy of only the resource records that identify the authoritative DNS servers for a domain
• SOA record
• NS records and the IP (glue A) records of the master servers

Netmask Ordering: returns the host addresses closest to the client (same subnet or site, judged from the client's IP address) first in DNS query responses

Recursion: when a local DNS server needs to query other DNS servers to find an authoritative answer. The answer is then returned to the original client that requested it. Keep recursion on internal resolvers, but disable it on Internet-facing authoritative servers: with recursion on they are open resolvers, usable for cache-poisoning attempts and for reflection/amplification traffic.

Slide 29

 New zone wizard
 Can be stored in AD DS (both stub zones and conditional forwarders support this)
 Replication choices:
o Domain only (all DNS servers in the domain)
o Forest wide (all DNS servers in the forest)
 Master servers
o Servers that hold the initial copy of the zone information
o Usually the server with the primary zone for the delegated domain name
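The four resolution paths from Slide 28 and the AD-stored zone choices from Slide 29, configured with the DnsServer module, as one added example that is not part of the course handout. The addresses and names are assumed for illustration: 203.0.113.53 as the upstream forwarder, partner.example served by 198.51.100.10, a delegated child zone hr.mayfieldcornerllc.com whose master is 192.0.2.10, and EXTDNS01 as the name of an Internet-facing authoritative server.

```powershell
# Added example; not part of the course handout. All addresses and the server
# name EXTDNS01 are assumed values. Run elevated with the DnsServer module.

# Forwarding: anything this server cannot answer from its zones or cache goes here.
Add-DnsServerForwarder -IPAddress 203.0.113.53 -PassThru

# Conditional forwarder: only names under partner.example go to the partner's
# server. Stored in AD DS and replicated to every DNS server in the forest.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 198.51.100.10 -ReplicationScope Forest

# Stub zone: keeps an up-to-date list of the child zone's authoritative servers
# (SOA, NS and glue A) by pulling them from the master; replicated domain-wide.
Add-DnsServerStubZone -Name 'hr.mayfieldcornerllc.com' `
    -MasterServers 192.0.2.10 -ReplicationScope Domain

# Netmask ordering: for a name with several A records, put the address on the
# client's own subnet first in the answer.
dnscmd /Config /LocalNetPriority 1

# Recursion on the internal resolver: keep it, but drop answers for names
# outside the domain that was queried, which narrows what a poisoned response
# can insert into the cache.
Get-DnsServerRecursion
Set-DnsServerRecursion -SecureResponse $true

# Recursion on the Internet-facing authoritative server (assumed name EXTDNS01):
# off, so it answers only for its own zones and is not an open resolver.
Set-DnsServerRecursion -Enable $false -ComputerName 'EXTDNS01'
Get-DnsServerRecursion -ComputerName 'EXTDNS01'
```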

Slide 30

 GlobalNames zone: used for single-label names
 Names are unique forest wide
 Allows for the decommission of WINS
 Zones are created manually and must be named GlobalNames
 Zones do not support dynamic name registration; each entry is a CNAME an administrator adds that points to the host's FQDN
 When a client resolves a single-label name it appends its DNS domain name; if the server does not find the name in that zone it consults the GlobalNames zone before answering
 Clients still fall back to LLMNR and NetBIOS broadcasts for names that are not found anywhere, and any host on the subnet can answer those; once the GlobalNames zone covers the names you need, disable LLMNR and NetBIOS over TCP/IP as well
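Creating and enabling a GlobalNames zone and adding one entry, as an added example that is not part of the course handout. It runs on a DNS server in the forest; the entry name intranet and its target intranet.mayfieldcornerllc.com are assumed example values (the domain is the one used in the handout).

```powershell
# Added example; not part of the course handout. Run elevated on a DNS server.
# Assumed values: record name 'intranet', target intranet.mayfieldcornerllc.com.

# 1. The zone must be a primary zone called exactly GlobalNames. Forest-wide
#    replication gives every DNS server in the forest the same single-label names.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest

# 2. No dynamic registration: only administrators add entries.
Set-DnsServerPrimaryZone -Name 'GlobalNames' -DynamicUpdate None

# 3. Tell the server to consult the zone for single-label names.
Set-DnsServerGlobalNameZone -Enable $true

# 4. Entries are CNAMEs to the real FQDN.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' `
    -HostNameAlias 'intranet.mayfieldcornerllc.com'

# 5. Verify from the client side: -DnsOnly forces the lookup through DNS, so a
#    successful answer proves the name is served by the zone and not by an
#    LLMNR or NetBIOS broadcast reply.
Resolve-DnsName -Name 'intranet' -Type CNAME -DnsOnly
```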

Slide 31

IP Administration | IPAM Features

Planning & Allocation: tools for the planning process and change management (IPv4 and IPv6)
Managing: a single point of management that optimizes DHCP and DNS administration
Tracking: IP address utilization
Auditing: compliance requirements (HIPAA | Forensics | Change Management)

IPAM provides a framework for managing the IP address space in a network.

Discover | Audit | Monitor | Manage

Slide 32

 Server 2012 R2 enhanced features
 New operations for scopes and servers for the following DHCP objects
o DHCP Failover
o DHCP Policies
o DHCP Superscopes
o DHCP Filters
o DHCP Reservations

Slide 33

 Role:
o A collection of IPAM operations
o Assigned to Windows users or groups through an access policy
o Eight (8) built-in roles are provided for convenience
o Custom roles can be created
 Access Scopes:
o Determine which objects a user has access to
o Used to define administrative domains in IPAM
o Default access scope: Global (access to all objects)
 Access Policies
o Combine a role and an access scope into a permission

Role Based Access Control (new in Windows Server 2012 R2) allows roles, access scopes and access policies to be customized, so a delegated administrator gets only the operations (role) on only the objects (scope) that the task needs.

Slide 34

Name                                  Description
DNS record administrator              Manages DNS resource records
IP address record administrator       Manages IP addresses but not IP address spaces, ranges, blocks, or subnets
IPAM administrator                    Manages all settings and objects in IPAM
IPAM ASM administrator                Completely manages IP addresses (address space management)
IPAM DHCP administrator               Completely manages DHCP servers
IPAM DHCP reservations administrator  Manages DHCP reservations
IPAM DHCP scope administrator         Manages DHCP scopes
IPAM MSM administrator                Completely manages DHCP and DNS servers (multi-server management)

By default, all objects in IPAM are included in the global access scope. All additional scopes that are configured are subsets of the global access scope.

Slide 35

 IPv4 & IPv6 planning
 IP inventory management
o Corporate network
o Microsoft-powered cloud networks
o Virtual networks
 DHCP
o Record creation
o Scope properties
• Name | ID | Prefix | Length | Status
o Scope utilization monitoring
o Utilization statistics
 IP utilization statistics
 DNS
o Record creation
o Service monitoring
o Zone monitoring
• Forward | Reverse lookup zones
 RBAC
 Server groups
o Organize DHCP | DNS servers into logical groups
• Business unit
• Geographical
• Based on criteria
 Full integration with System Center 2012 VMM

IPAM does not check for IP address consistency with routers and switches: its inventory reflects what DHCP, DNS and administrators report, so an address configured directly on a network device does not appear unless it is entered by hand.

Slide 36

 Virtualized address space: introduced with Windows Server 2012 R2
 Provides end-to-end address space automation for Microsoft-powered clouds (networks managed by System Center VMM)
 To view the virtual address space, click the VIRTUALIZED ADDRESS SPACE node (new in this release) in the upper navigation pane of the IPAM console

Slide 37

 Cannot have the AD DS role installed (the IPAM server must not be a domain controller)
 Must be a domain member
o Sign on and use a domain account
o The domain account must be a member of one of the IPAM local security groups
 Dedicated server  no other roles. Once provisioned, the server can read the DHCP audit logs and the event logs of every domain controller and NPS server it manages, so keep its attack surface small
 IP address tracking and auditing feature:
o Auditing must be enabled for account logon events on:
o Domain controllers
o NPS servers
 IPv6 must be enabled on the IPAM server to manage IPv6

Slide 38

Windows Server 2012

• Dual-core processor 2.0 GHz or higher
• 4 GB+ RAM
• 80 GB free disk space
• The installation wizard automatically installs all features needed
• The IPAM client is automatically installed with Server 2012 and with the IPAM server
• When uninstalled, all dependencies, groups and scheduled tasks are deleted

Slide 39

Dual core processor 2.0 GHz or higher

4 GB + RAM

80 GB free disk space

SP2 installed (Windows Server 2008)

Windows Management Framework Core (KB968930) (Windows Server 2008 SP2)

.NET Framework 4.0 full installation

Windows Management Framework 3.0, which includes Windows Remote Management (WinRM) 3.0

Slide 40

 Supports 150 DHCP servers | 6,000 scopes
 Supports 500 DNS servers | 150 DNS zones
 3 years of forensics data stored
o IP address leases
o MAC addresses
o Logon information
 IPv4 support
o Utilization trends
o Reclamation support
 Remote administration via RSAT

IPAM does not support management of non-Microsoft networks; DHCP and DNS services on other platforms must be tracked manually.

Slide 41

 Windows Internal Database (WID)
o Windows Server 2012  initial release
o No database purge policy
o The administrator must purge manually
 Microsoft SQL Server
o SQL support is ONLY with Windows Server 2012 R2
• Can be co-located on the IPAM server
• Can be located on a remote computer
o SQL features:
• Scalability
• Disaster recovery
• Reporting scenarios

You can migrate existing address data into IPAM in CSV format.
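The database tasks on this slide (inspecting the store, moving it to SQL Server, importing CSV data, and the manual purge that WID requires) from the IpamServer module, as an added example that is not part of the course handout. It runs on the IPAM server (2012 R2, since SQL support needs it); the SQL host SQL01, database name IPAM and the CSV path are assumed values, and parameter names should be checked against Get-Help on your build.

```powershell
# Added example; not part of the course handout. Run on the IPAM server (2012 R2).
# Assumed values: SQL host SQL01, database name IPAM, C:\ipam\addresses.csv.

# Where does IPAM keep its data right now (WID or SQL Server)?
Get-IpamDatabase

# Move the database to SQL Server. Windows authentication is used so no SQL
# password has to be stored in the IPAM configuration; the IPAM server's
# computer account needs rights to create the database on SQL01.
Move-IpamDatabase -DatabaseServer 'SQL01' -DatabaseName 'IPAM' `
    -DatabasePort 1433 -DatabaseAuthType Windows

# Confirm the move took effect.
Get-IpamDatabase

# Bring existing address records in from a CSV export. Rows that fail
# validation are written to the error path instead of being silently dropped.
Import-IpamAddress -AddressFamily IPv4 -Path 'C:\ipam\addresses.csv' `
    -ErrorPath 'C:\ipam\' -Force

# WID has no purge policy. Remove audit and DHCP configuration events older
# than the 3-year retention the handout cites, after they have been copied to
# long-term storage (the audit trail is the forensic record of who held which
# address when).
$cutoff = (Get-Date).AddYears(-3)
Remove-IpamIpAddressAuditEvent    -EndDate $cutoff -Force
Remove-IpamDhcpConfigurationEvent -EndDate $cutoff -Force
```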

Slide 42

Group                         Description
IPAM Users                    View all information:
                              • IPAM server inventory
                              • IP address space
                              • IPAM server management
                              • IPAM | DHCP operational events
                              • CANNOT view IP address tracking information
IPAM MSM Administrators       All privileges of the IPAM Users group, plus
                              perform multi-server monitoring and management tasks
IPAM ASM Administrators       All privileges of the IPAM Users group, plus
                              perform IP address space management tasks
IPAM IP Audit Administrators  All privileges of the IPAM Users group, plus
                              view IP address tracking information
IPAM Administrators           View all IPAM information and perform all IPAM tasks

Slide 43

IPAM Discover
• Discover AD DS servers running Windows Server 2008 and newer that host:
• DNS
• DHCP
• AD DS (domain controllers)
• NPS

IP Address Space Management
• IP address space: view, monitor, manage
• Track utilization

Multi-Server Management and Monitoring
• Multiple DHCP servers: edit properties and scopes
• Scope utilization
• Overlapping scopes
• Multiple DNS servers
• Health and status

Operational Auditing and IP Address Tracking
• Track configuration issues
• View configuration changes
• Address lease tracking
• Logon information

Slide 44

Centralized  • One IPAM server for the whole forest
Distributed  • One IPAM server per site
Hybrid       • One central server for the forest plus one IPAM server per site

IPAM can only manage one AD forest.

Slide 45

 IPAM server
o Data collection from the managed servers
o Manages the IPAM database (Windows Internal Database, or SQL Server on 2012 R2)
 IPAM client
o Client computer interface (the IPAM console in Server Manager)
o Uses Windows PowerShell for:
• DHCP configuration tasks
• DNS monitoring
• Remote management

Slide 46

 Managed servers need to be provisioned to allow remote management after the initial install is complete
o Group Policy
o Manually  per server
• Network shares
• Security groups
• Firewall rules

Slide 47

Security Groups
• Create group: IPAMUG (universal group)
• Add the computer accounts of the IPAM servers in the domain as members
• Domain controllers and NPS:
• Add IPAMUG as a member of BUILTIN\Event Log Readers
• DHCP servers:
• Add IPAMUG as a member of BUILTIN\Event Log Readers
• Add IPAMUG as a member of BUILTIN\DHCP Users
• DNS servers:
• Add IPAMUG as a member of BUILTIN\Event Log Readers
• Add the IPAMUG group as a DNS administrator

Network Shares
• DHCP servers:
• Share the %SystemRoot%\System32\DHCP folder as DHCPAUDIT
• Grant IPAMUG read permissions, and nothing more: the share exposes the DHCP audit logs, which hold the lease history with host names and MAC addresses

Slide 48

Firewall Rules
• Domain controllers and NPS:
• Inbound firewall rules to allow:
• Remote Event Log Management
• DHCP servers:
• Inbound firewall rules to allow:
• DHCP Server Management
• Remote Service Management
• File and Printer Sharing
• Remote Event Log Management
• DNS servers:
• Inbound firewall rules to allow:
• DNS Service
• Remote Service Management
• Remote Event Log Management
• Scope these inbound rules to the IPAM server's address rather than to any remote address; they open remote event-log reading and the DHCPAUDIT share to whatever the rule allows

Event Log Monitoring on DNS Servers
• Modify the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server registry key: grant the IPAMUG group read access to it so the IPAM server can collect DNS Server events

Slide 49

 PowerShell: Invoke-IpamGpoProvisioning
 Running the command creates 3 GPOs to configure the settings (named with the GPO prefix chosen when the IPAM server was provisioned, here IPAM):
o IPAM_DC_NPS
• GPO applied to all managed AD DS (domain controller) servers and NPS servers
o IPAM_DHCP
• GPO applied to all managed DHCP servers
• GPO includes scripts that configure the network share for DHCP monitoring
o IPAM_DNS
• GPO applied to all managed DNS servers
• GPO includes scripts to:
• Configure the event log for DNS monitoring
• Configure the IPAMUG group as a DNS administrator
 The GPOs are linked to the domain but security-filtered to the servers marked Managed in the IPAM server inventory; after changing a server's status, refresh Group Policy on it
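The Group Policy provisioning procedure from Slides 46 to 49 end to end, as an added example that is not part of the course handout: create the three GPOs, mark two servers as managed so the GPOs apply to them, push the policy, and check the result. It runs on the IPAM server as a domain administrator with the GroupPolicy and ActiveDirectory RSAT modules; the domain name is the handout's, while the server names IPAM01, DC1 and DHCP1 are assumed. Property names in the final Get-IpamServerInventory line should be checked against Get-Help on your build.

```powershell
# Added example; not part of the course handout. Run on the IPAM server as a
# domain admin. Assumed names: IPAM01 (IPAM server), DC1 (domain controller and
# DNS server), DHCP1 (DHCP server); domain mayfieldcornerllc.com is from the handout.
$domain = 'mayfieldcornerllc.com'
$ipam   = "ipam01.$domain"

# 1. Create and link IPAM_DC_NPS, IPAM_DHCP and IPAM_DNS. The prefix must match
#    the one chosen in the provisioning wizard on the IPAM server. This also
#    creates the IPAMUG universal group and adds the IPAM server's computer
#    account to it.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName 'IPAM' `
    -IpamServerFqdn $ipam -Force

# 2. Put the servers in the inventory and mark them managed; that is what adds
#    them to the GPOs' security filtering.
Add-IpamServerInventory -Name "dc1.$domain"   -ServerType DC,DNS -ManageabilityStatus Managed
Add-IpamServerInventory -Name "dhcp1.$domain" -ServerType DHCP   -ManageabilityStatus Managed

# 3. Apply policy on the managed servers now instead of waiting for the
#    refresh cycle.
Invoke-GPUpdate -Computer "dc1.$domain"   -Force -RandomDelayInMinutes 0
Invoke-GPUpdate -Computer "dhcp1.$domain" -Force -RandomDelayInMinutes 0

# 4. Checks: the GPOs exist, IPAMUG holds only the IPAM server's computer
#    account (anything else in this group inherits read access to DC, NPS and
#    DHCP logs), and the inventory shows both servers as managed.
Get-GPO -All | Where-Object { $_.DisplayName -like 'IPAM_*' } | Select-Object DisplayName
Get-ADGroupMember -Identity 'IPAMUG' | Select-Object Name, objectClass
Get-IpamServerInventory | Select-Object Name, ServerType, ManageabilityStatus
```

Review the IPAMUG membership check as part of routine access reviews: the group is the single identity that every managed server trusts to read its logs and audit share, so a stray member is effectively a read-only collector for the whole network.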

Slide 50

IP address space hierarchy
• IP Address Blocks
• IP Address Subnets
• IP Address Ranges
• IP Addresses

IP Address Inventory | IP Address Range Groups
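One branch of that hierarchy built from the bottom of a block down to a single address with the IpamServer module, as an added example that is not part of the course handout. It runs on the IPAM server; the 10.0.0.0/8 block, the 10.20.30.0/24 subnet, the range inside it and the printer's name and MAC address are all assumed values, and the range is one IPAM tracks itself rather than a DHCP scope.

```powershell
# Added example; not part of the course handout. Run on the IPAM server.
# Assumed values: 10.0.0.0/8, 10.20.30.0/24, range .10-.200, device prn-hq2-01
# with MAC 00-11-22-33-44-55, address 10.20.30.25.

# Block: the top of the tree, normally a whole allocation you own.
Add-IpamBlock -NetworkId '10.0.0.0/8' -Description 'Corporate private space'

# Subnet: a network that lives inside the block.
Add-IpamSubnet -Name 'Mayfield HQ floor 2' -NetworkId '10.20.30.0/24' `
    -NetworkType NonVirtualized

# Range: the part of the subnet handed out by a service. This one is managed by
# IPAM itself (not a DHCP scope), so IPAM is the source of truth for it.
Add-IpamRange -NetworkId '10.20.30.0/24' `
    -StartIPAddress 10.20.30.10 -EndIPAddress 10.20.30.200 `
    -ManagedByService IPAM -ServiceInstance Localhost

# Before assigning: ask IPAM for free addresses in the range and have it ping
# them, so an address that is in use but never recorded is not handed out twice.
Get-IpamRange -AddressFamily IPv4 -StartIPAddress 10.20.30.10 -EndIPAddress 10.20.30.200 |
    Find-IpamFreeAddress -NumAddress 3 -TestReachability

# Address: record the one you picked from that list (10.20.30.25 assumed) as a
# static assignment to a named device.
Add-IpamAddress -IpAddress 10.20.30.25 -ManagedByService IPAM -ServiceInstance Localhost `
    -AssignmentType Static -DeviceType Host `
    -DeviceName 'prn-hq2-01' -MacAddress '00-11-22-33-44-55' `
    -IpAddressState InUse

# Utilization roll-up for the range after the change.
Get-IpamRange -AddressFamily IPv4 -StartIPAddress 10.20.30.10 -EndIPAddress 10.20.30.200
```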

Slide 51

 DNS & DHCP
o Servers are arranged by their network interface
• /16 subnets for IPv4
• /48 subnets for IPv6
o You can choose to view either DHCP or DNS server properties
 DHCP scope utilization monitoring
o Utilization statistics are collected periodically and automatically from the server
o Track scope properties
• Name
• Prefix length
• Status
 DNS zone monitoring
o Enabled for forward and reverse lookup zones
o Status is based on the events collected
o Zones are summarized
 Server groups
o Choose logical groups to organize servers into, based on criteria such as
• Business unit
• Geography

Slide 52

The IPAM database can be migrated seamlessly when you upgrade from Windows Server 2012 to Windows Server 2012 R2.

Slide 53

IPAM cmdlets (IpamServer module):
 Add-IpamAddress
 Add-IpamAddressSpace
 Add-IpamBlock
 Add-IpamCustomField
 Add-IpamCustomFieldAssociation
 Add-IpamCustomValue
 Add-IpamDiscoveryDomain
 Add-IpamRange
 Add-IpamServerInventory
 Add-IpamSubnet
 Disable-IpamCapability
 Enable-IpamCapability
 Export-IpamAddress
 Export-IpamRange
 Export-IpamSubnet
 Find-IpamFreeAddress
 Get-IpamAddress
 Get-IpamAddressSpace
 Get-IpamAddressUtilizationThreshold
 Get-IpamBlock
 Get-IpamCapability
 Get-IpamConfiguration
 Get-IpamConfigurationEvent
 Get-IpamCustomField
 Get-IpamCustomFieldAssociation
 Get-IpamDatabase
 Get-IpamDhcpConfigurationEvent
 Get-IpamDiscoveryDomain
 Get-IpamIpAddressAuditEvent
 Get-IpamRange
 Get-IpamServerInventory
 Get-IpamSubnet
 Import-IpamAddress
 Import-IpamRange
 Import-IpamSubnet
 Invoke-IpamGpoProvisioning
 Invoke-IpamServerProvisioning
 Move-IpamDatabase
 Remove-IpamAddress
 Remove-IpamAddressSpace
 Remove-IpamBlock
 Remove-IpamConfigurationEvent
 Remove-IpamCustomField
 Remove-IpamCustomFieldAssociation
 Remove-IpamCustomValue
 Remove-IpamDhcpConfigurationEvent
 Remove-IpamDiscoveryDomain
 Remove-IpamIpAddressAuditEvent
 Remove-IpamRange
 Remove-IpamServerInventory
 Remove-IpamSubnet
 Rename-IpamCustomField
 Rename-IpamCustomValue
 Set-IpamAddress
 Set-IpamAddressSpace
 Set-IpamAddressUtilizationThreshold
 Set-IpamBlock
 Set-IpamConfiguration
 Set-IpamCustomFieldAssociation
 Set-IpamDatabase
 Set-IpamDiscoveryDomain
 Set-IpamRange
 Set-IpamServerInventory
 Set-IpamSubnet
 Update-IpamServer

Windows Server 2012 R2 added 55 new cmdlets.

Slide 54

 An address space is a container for:
o IP Blocks
o Subnets
o IP Ranges
o IP Addresses
 The IP ADDRESS SPACE pane contains all objects, whether
o Discovered
o Created
 Objects can be added manually or imported
 Default values are automatically filled in for required fields

Slide 55

 Supply Network ID and Prefix Length
o Start and End addresses are automatically added for you
 Non-private IP address range
o Specify the Regional Internet Registry (RIR) where it is registered
o Brief Description and Owner (Optional)
 PowerShell Method:
o Add-IpamBlock -NetworkId <network prefix, in CIDR notation> -Rir <string>
• RIR values must be one of the following: AFRINIC, APNIC, ARIN, LACNIC, RIPE

Slide 56

 Required:
o Friendly Name
o Network ID
o Prefix Length
 Optional Settings
o One or more VLANs
o Subnet Virtualized?
o Custom Fields:
• AD Site
• VMM IP Pool Name
o Description and Owner Name
 PowerShell Method:
o Add-IpamSubnet -Name <friendly name> -NetworkId <network prefix, in CIDR notation>
• -Name and -NetworkId are the required parameters (Add-IpamSubnet takes no -Rir; the RIR is a property of the IP address block, not the subnet)

Slide 57

 Required:
o Network ID
o Prefix Length
o Default values are used if not supplied:
• Managed by Service
• Service Instance
• Assignment Type
 If the containing subnet does not already exist, allow the range to create it automatically
o One or more VLANs
o Subnet Virtualized?
o Custom Fields:
• AD Site
• VMM IP Pool Name
o Description and Owner Name
 PowerShell Method:
o Add-IpamRange -NetworkId <network prefix, in CIDR notation> -CreateSubnetIfNotFound

Slide 58

 Can be associated with DHCP reservations
o If using PowerShell, the reservation is NOT automatically created
 Duplicate addresses can be discovered using the Managed by Service and Service Instance properties of the IP address
 IPAM maps an address to the range that contains it
 Properties that use default values unless specified:
o Managed by Service
o Service Instance
o Device Type
o Address State
o Assignment Type
 Many custom fields are available if needed
 PowerShell Method:
o Add-IpamAddress -IpAddress <x.x.x.x>
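
Slides 55 through 58 describe one procedure: block, then subnet, then range, then address. The script below carries it through end to end for a private IPv4 space. It is an added example, not code from the course slides: the network 10.20.0.0/16, the subnet name, VLAN number and description strings are constructed values, and the parameters beyond those named on the slides (-Description, -VlanId, -StartIPAddress, -EndIPAddress, -PassThru, -DeviceType, -IpAddressState, -AssignmentType, -NumAddress) are the IpamServer module's own. It runs on the IPAM server in an elevated PowerShell session held by an IPAM administrator.

```powershell
# Added example (not from the course slides): provision a private IPv4
# address hierarchy in IPAM with the cmdlets from slides 55-58.
# 10.20.0.0/16, 'HQ-Servers', VLAN 110 and the descriptions are constructed.
Import-Module IpamServer

# Block: private space, so -Rir is not needed. A public block would require
# -Rir with one of AFRINIC, APNIC, ARIN, LACNIC or RIPE.
Add-IpamBlock -NetworkId '10.20.0.0/16' -Description 'Corporate private space' | Out-Null

# Subnet: -Name and -NetworkId are the only required parameters; the prefix
# length comes from the CIDR notation. VLAN is one of the optional settings.
Add-IpamSubnet -Name 'HQ-Servers' -NetworkId '10.20.10.0/24' -VlanId 110 | Out-Null

# Range: the pool of addresses inside the subnet. Managed by Service,
# Service Instance and Assignment Type are left at their defaults
# (IPAM / Localhost / Static). The subnet already exists, but
# -CreateSubnetIfNotFound keeps the call safe if the step above is skipped.
$range = Add-IpamRange -NetworkId '10.20.10.0/24' `
    -StartIPAddress '10.20.10.50' -EndIPAddress '10.20.10.200' `
    -CreateSubnetIfNotFound -PassThru

# Address: IPAM maps it to the range that contains it. Device Type, Address
# State and Assignment Type would default if omitted; setting them makes
# the record useful when auditing who holds which address.
Add-IpamAddress -IpAddress '10.20.10.51' -DeviceType 'Host' `
    -IpAddressState 'In-Use' -AssignmentType Static `
    -Description 'file server (constructed)' | Out-Null

# Check: show the range as IPAM recorded it, then ask for three addresses
# in that range that are not yet recorded, which is the safe way to pick
# the next address instead of guessing one.
$range | Format-List
Find-IpamFreeAddress -InputObject $range -NumAddress 3
```

Note that Add-IpamAddress only records the address in the IPAM database; as slide 58 says, the matching DHCP reservation is not created by PowerShell and has to be added on the DHCP server separately.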

Slide 59

 Import information using a text file
 Required fields for IP Address import
o IP Address
o Managed by Service
o Service Instance
o Device Type
o IP Address State
o Assignment Type
 Required fields for IP Address Block import
o Network
o Start IP Address
o End IP Address
o RIR
 Import file rules
• Field names and data can be enclosed in quotes
• Field names and data can contain spaces
• Field names and data are not case sensitive
• Data must be valid for the field that it is being imported into

Slide 60

 IP addresses imported into the IPAM database for a managed DHCP server
"IP Address","Managed by Service","Service Instance","Device Type","IP Address State","Assignment Type"
192.168.1.25,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
192.168.1.26,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
192.168.1.27,ms dhcp,dhcp.sandraclassroom.com,host,in-use,static
 IP address block assigned by the ARIN regional registry
"Network","Start IP address","End IP address",RIR
173.90.100.0,173.90.100.1,173.90.100.126,ARIN
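
The import rules on slide 59 (quoted or unquoted headers, spaces, case insensitivity, data valid for its field) are easy to get wrong in a hand-edited file. The script below, an added example and not code from the course, checks an address import file against those rules before calling Import-IpamAddress. The file path, the error folder and the DHCP server name dhcp01.corp.example are constructed; the sample file deliberately contains one malformed address so the check has something to catch, and -Path, -AddressFamily and -ErrorPath are Import-IpamAddress's own parameters.

```powershell
# Added example (not from the course slides): validate an IPAM address
# import file against the slide-59 rules before importing it.
# $path, the error folder and dhcp01.corp.example are constructed values.
$path = 'C:\ipam\addresses.csv'

# Constructed sample in the slide-60 layout. Headers mix case and quoting
# on purpose (both are allowed); the last row has an invalid address.
@'
"IP ADDRESS","managed by service","Service Instance",Device Type,"IP Address State","Assignment Type"
192.168.1.25,ms dhcp,dhcp01.corp.example,host,in-use,static
192.168.1.26,ms dhcp,dhcp01.corp.example,host,in-use,static
192.168.1.300,ms dhcp,dhcp01.corp.example,host,in-use,static
'@ | Set-Content -Path $path

$required = 'IP Address', 'Managed by Service', 'Service Instance',
            'Device Type', 'IP Address State', 'Assignment Type'
$rows = Import-Csv -Path $path

# Field names are not case sensitive and may be quoted: Import-Csv strips
# the quotes, and -notcontains compares case-insensitively, so a header
# written as "IP ADDRESS" satisfies the requirement for 'IP Address'.
$headers = $rows[0].PSObject.Properties.Name
$missing = $required | Where-Object { $headers -notcontains $_ }
if ($missing) { throw "Missing required column(s): $($missing -join ', ')" }

# Data must be valid for its field: reject anything .NET cannot parse as
# an IP address, and addresses listed more than once, before IPAM sees them.
$invalid = foreach ($row in $rows) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($row.'IP Address', [ref]$parsed)) {
        $row.'IP Address'
    }
}
$duplicates = $rows | Group-Object -Property 'IP Address' |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }
if ($invalid -or $duplicates) {
    throw "Invalid address(es): $($invalid -join ', '); duplicate(s): $($duplicates -join ', ')"
}

# Only a file that passed the checks reaches IPAM; rows IPAM itself still
# rejects are written to the -ErrorPath location for review.
Import-IpamAddress -Path $path -AddressFamily IPv4 -ErrorPath 'C:\ipam\import-errors'
```

With the sample as written the script stops at the throw, reporting 192.168.1.300; remove or correct that row and the import proceeds. Validating before import matters because the file is effectively a bulk write to the address inventory that DHCP and DNS administrators rely on, and a silently wrong row is harder to find afterwards than before.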

Review Questions:

1. Which of the following allows you to access the settings jewel to shut down Windows Server 2012?
A. Navigating mouse to the lower right corner
B. Navigating the mouse to the lower left corner
C. Pressing Ctrl+Esc
D. Pressing Ctrl+I
E. All of the above
F. Both A and D

2. DHCP server provides which service?
A. Name resolution to clients
B. IP address resolution to clients
C. Service location information
D. IP address allocation

3. Which of the following can be a DHCP client?
A. PC
B. Laptop
C. Printer
D. All of the above

4. Which of the following properties can be managed by DHCP?
A. DNS server
B. Gateway
C. NBNS server
D. All of the above

5. Where is the DHCP database located?
A. %SystemRoot%\System32\DHCP
B. %OS%\DHCP
C. C:\DHCP
D. %\System32%\DHCP

6. Who must authorize the DHCP server before it can be active on the network?
A. Enterprise administrator
B. Domain administrator
C. Local DHCP server administrator
D. All of the above

7. Which of the following are option levels for DHCP options?
A. Reservation
B. Personal
C. Global
D. Class ID
E. All of the above
F. A, C, and D

8. True or False: You can only configure one scope per DHCP server.
A. True
B. False

9. True or False: DHCP server updates only the PTR record.
A. True
B. False

10. True or False: Multinetting is adding a second scope to address clients on a different subnet.
A. True
B. False

11. True or False: Key Master Role is only available in DNS for DNSSEC for AD integrated zones.
A. True
B. False

Answer Key:

1. F
You can use the keyboard shortcut of Ctrl+I, or you can navigate the mouse to
the lower right corner.

2. D
DHCP server provides IP address allocation to clients.

3. D
A DHCP client can be a PC, laptop, printer, mobile device, switch, or network
boot client.

4. D
You can manage DNS servers, gateways, and a number of other configurable
properties for TCP/IP.

5. A
The DHCP database is located at %SystemRoot%\System32\DHCP.

6. A
The Enterprise administrator is the only account that can authorize a DHCP
server.

7. F
Option levels are Global, Scope, Class ID, and Reservation.

8. B
False. You can configure multiple scopes, but the server must be connected
directly to a subnet or DHCP Relay Agent.

9. B
False. You can configure a client to request DNS server updates for both host
and PTR records.

10. A
True. Multinetting is adding a second scope for clients on a different subnet.
Routers need to be configured for this to work.

11. B
False. Windows Server 2012 R2 has many improvements with DNSSEC. One of
them is to make the Key Master Role available for file-backed multi-master
zones. Prior support was only for AD integrated zones.
