
George Dobrea

XEduco | @gdobrea

Microsoft Certified Trainer (since 1998)

MVP – Enterprise Security (since 2005)
EC-Council Instructor of the Year (2016)
Why Certify?
MCSA Windows Server 2016 certification path

MCSA: Windows Server 2016 exams and matching courses:

• Exam 70-740 / Course 20740A: Installation, Storage, and Compute with Windows Server 2016
• Exam 70-741 / Course 20741A: Networking with Windows Server 2016
• Exam 70-742 / Course 20742A: Identity with Windows Server 2016
• Exam 70-743 / Course 20743A: Upgrading Your Skills to MCSA: Windows Server 2016
Cloud Platform & Infrastructure Cert Path

MCSE: Cloud Platform & Infrastructure (earned 2016) is built on one of the following MCSA certifications:

• MCSA Windows Server 2012: 410 Installing and Configuring Windows Server 2012; 411 Administering Windows Server 2012; 412 Configuring Advanced Windows Server 2012
• MCSA Windows Server 2016: 740 Installation, Storage, and Compute with Windows Server 2016; 741 Networking with Windows Server 2016; 742 Identity with Windows Server 2016
• MCSA Linux on Azure: 533 Managing Microsoft Azure Infrastructure Solutions; LFCS Linux Foundation Certified System Administrator
• MCSA Cloud Platform, choose two from:
  • 532: Developing Microsoft Azure Solutions
  • 533: Managing Microsoft Azure Infrastructure Solutions
  • 534: Architecting Microsoft Azure Solutions
  • 473: Designing and Implementing Cloud Data Platform Solutions
  • 475: Designing and Implementing Big Data Analytics Solutions
70-741 Exam Objectives

1. Implement Domain Name System (DNS)
2. Implement DHCP
3. Implement IP Address Management (IPAM)
4. Implement Network Connectivity and Remote Access Solutions
5. Implement Core and Distributed Network Solutions
6. Implement an Advanced Network Infrastructure
01 |
• Install and configure DNS servers

DNS on Nano Server
To use Nano Server as a DNS Server:
• Install the NanoServer Package
• Create a VHD with the Microsoft-NanoServer-DNS-
• Import the VHD into Hyper-V as a virtual machine
• Configure networking settings and enable the remote management firewall ports
• Connect remotely to the server running Nano Server by using Windows PowerShell 5.0 on a Windows client or a
• Run the command Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role
• Manage DNS remotely by using the Windows PowerShell 5.0 DNS commands
Implementing DNS security

DNS security feature: Description

• DNS cache locking: Prevents entries in the cache from being overwritten until a percentage of the TTL has expired
• DNS socket pool: Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012.
• DANE (DNS-based Authentication of Named Entities): Uses TLSA records that state the CA from which clients should expect a certificate
• DNSSEC: Enables cryptographically signing DNS records so that client computers can validate responses
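The cache locking, socket pool and DNSSEC rows above, applied and read back with the DnsServer module (an added example, not a script from the slides; it assumes an elevated session on the DNS server and uses a constructed zone name):

```powershell
# Added example: harden a Windows Server 2016 DNS server with the features
# listed above, then read the settings back to verify them.
# Assumes an elevated PowerShell session on the DNS server itself; the
# DnsServer module is installed with the DNS Server role.
Import-Module DnsServer

# Cache locking. 100 means a cached record cannot be replaced by unsolicited
# data until its whole TTL has elapsed, which blunts cache-poisoning attempts
# that try to "refresh" a record early. Valid range is 0-100.
Set-DnsServerCache -LockingPercent 100

# Socket pool. The server draws the UDP source port of each outbound query
# from a pool of random ports; a larger pool makes a spoofed answer harder to
# land. 2500 is the default, 0 disables randomization and must not be used.
# dnscmd is the documented way to change the pool size.
dnscmd /Config /SocketPoolSize 5000

# DNSSEC. Sign a zone with the default key settings so validating resolvers
# can verify its records. 'corp.example' is a constructed zone name.
$zone = 'corp.example'
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Verification: the values a reviewer would check after the change.
$cache = Get-DnsServerCache
"Cache locking percent : $($cache.LockingPercent)"
dnscmd /Info /SocketPoolSize
Get-DnsServerDnsSecZoneSetting -ZoneName $zone |
    Select-Object ZoneName, DenialOfExistence, NSec3Iterations
```

Re-run the three verification commands after a restart of the DNS service; the settings are persistent but confirming them is cheap.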
• Create and configure DNS zones and records

Install & Configure DNS
DNS terminology that you should know:
• Host name resolution
• Forward and reverse lookups
• Types of DNS zones
• For AD-integrated zones, what is the domain partition, forestDNSZone, and
• Records: SOA, NS, A, CNAME, PTR, SRV, and MX

Configure DNS zones
Configure DNS records
DNS policies: new in Windows Server 2016
• You create DNS policies to control how a DNS server handles queries based on different parameters
DNS policy scenarios:
• Application high availability
• Traffic management
• Split brain DNS
• Filtering
• Forensics
DNS policy objects:
• Client subnet
• Recursion scope
• Zone scope
Use Windows PowerShell to create and manage DNS policies (split-brain example; values in angle brackets are placeholders where the slide's values were not preserved):

Add-DnsServerZoneScope -ZoneName "<zone>" -Name "internal"

Add-DnsServerResourceRecord -ZoneName "<zone>" -A -Name "<host>" -IPv4Address "<external IP>"

Add-DnsServerResourceRecord -ZoneName "<zone>" -A -Name "<host>" -IPv4Address "<internal IP>" -ZoneScope "internal"

Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterface "eq,<internal interface IP>" -ZoneScope "internal,1" -ZoneName "<zone>"
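Two further scenarios from the list above, filtering and recursion control, built from the client-subnet and recursion-scope policy objects (an added example, not from the slides; it assumes an elevated session on the DNS server, and the subnet and domain name are constructed):

```powershell
# Added example: DNS policies for the "Filtering" scenario and for limiting
# recursion to internal clients, using client subnet and recursion scope
# objects. Assumes an elevated session on the DNS server; 10.0.0.0/8 and
# malware-example.test are constructed values.
Import-Module DnsServer

# 1. Describe the internal client population as a client subnet object.
Add-DnsServerClientSubnet -Name 'CorpLan' -IPv4Subnet '10.0.0.0/8'

# 2. Recursion control. Disable recursion in the default scope ('.') so the
#    server is not an open resolver, then create a scope that allows it and
#    bind that scope to queries arriving from CorpLan only.
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true
Add-DnsServerQueryResolutionPolicy -Name 'RecurseOnlyForCorp' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalRecursion' `
    -ClientSubnet 'EQ,CorpLan'

# 3. Filtering. Drop queries for a known-bad domain from every client.
#    IGNORE sends no response at all; DENY would answer with SERVFAIL.
#    ProcessingOrder 1 makes this policy evaluate before any other.
Add-DnsServerQueryResolutionPolicy -Name 'BlockBadDomain' -Action IGNORE `
    -FQDN 'EQ,*.malware-example.test' -ProcessingOrder 1

# 4. Review the policy set now in effect on this server.
Get-DnsServerQueryResolutionPolicy |
    Format-Table Name, ProcessingOrder, Action, IsEnabled
Get-DnsServerRecursionScope
```

Test from an external address with nslookup or Resolve-DnsName: a recursive query for a name the server is not authoritative for should now fail, while the same query from 10.0.0.0/8 succeeds.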
Key Tips to Remember

Example question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services
(AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A)
record for The record points to Forward name resolution is fully
functional. However, the web administrators are reporting that is not resolving to You need to ensure that resolves to

What should you do?

A. Add a second Address (A) record for and point it to
B. Add a second Address (AAAA) record for and point it to
C. Add a PTR record for and point it to
D. Add a PTR record for and point it to
02 |
• Install and configure DHCP
Install and Configure DHCP Service
• Understand the DHCP options available
Implement an advanced DHCP solution

Create and configure superscopes

Create and configure multicast scopes


Windows Server 2016 DHCP Server role no longer supports NAP!

• Manage and maintain DHCP
What is DHCP failover?
DHCP failover:

When you use DHCP failover:

What are DHCP security options?

Limit physical access to the network by:
• Disconnecting unused LAN drops
• Requiring authenticated layer 2 connections

Enable DHCP auditing to track DHCP usage

DHCP name protection:
• Prevents Windows operating systems from having their DNS name registration overwritten by non-Windows operating systems using the same name
• Uses a DHCID resource record to track the devices that originally requested the DNS name registration
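The two server-side safeguards above, DHCP auditing and name protection, enabled and verified with the DhcpServer module (an added example, not from the slides; it assumes an elevated session on the DHCP server and a constructed scope ID):

```powershell
# Added example: enable DHCP audit logging and DNS name protection on a
# Windows Server 2016 DHCP server, then read the settings back.
# Assumes an elevated session on the DHCP server; 10.0.1.0 is a constructed
# scope ID.
Import-Module DhcpServer

# Audit log: one DhcpSrvLog-<day>.log per weekday recording leases, renewals,
# conflicts and denied requests, which is what "track DHCP usage" relies on.
Set-DhcpServerAuditLog -Enable $true -Path 'C:\Windows\System32\dhcp' `
    -MaxMBFileSize 70

# Name protection at server level (inherited by scopes created afterwards).
# The server registers a DHCID record next to the A/PTR records it creates
# and refuses to overwrite a name whose DHCID belongs to a different client.
Set-DhcpServerv4DnsSetting -NameProtection $true -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true

# Existing scopes keep their own settings, so apply it to them explicitly.
Set-DhcpServerv4DnsSetting -ScopeId 10.0.1.0 -NameProtection $true

# Verification.
Get-DhcpServerAuditLog
Get-DhcpServerv4DnsSetting
Get-DhcpServerv4DnsSetting -ScopeId 10.0.1.0
```

Name protection only helps when the DNS zone's dynamic updates are set to secure only; otherwise a client can still register the name directly, bypassing the DHCP server.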
03 |
• Install and configure IP Address Management
• Manage DNS and DHCP using IPAM
• Audit IPAM
IP Address Management (IPAM)
• Inbox feature for integrated management of IP addresses, domain names, and device identities
• Tightly integrates with Microsoft DNS and DHCP servers
• Provides custom IP address space display, reporting, and management
• Audits server configuration changes and tracks IP address use
• Migrates IP address data from spreadsheets or other tools
• Monitors and manages specific scenario-based DHCP and DNS

[Diagram: one IPAM server per site (Hyderabad, Bangalore) managing the DHCP, DNS, DC, and NPS servers of its domain]
Windows Server 2016 IPAM

Unified IP address management:
• IP addressing management of physical and virtual networks (SCVMM integration)
• Integrated IP addressing, DNS and DHCP management
• Granular RBAC to manage IP address space, DHCP & DNS
• Delegated administration within and across datacenters

Network audit & visibility:
• Tracking activity of IP address/user/mc
• IP utilization & audit config

Scale, robustness & management:
• Disaster recovery
• Multiple instance deployment
• SQL Server database
• Cross AD support
• Automatic server discovery
• Single console DHCP and DNS management across datacenters
• Management of granular DNS properties
• Extensive PS support & automation
IP Address Management

Configure IPAM
• Requirements:
• Trivia:
• Distributed, Centralized, and Hybrid
• Database not shared between servers
Server discovery
• What can be discovered?
• Manage or not
• Windows Internal Database and external database (SQL) supported
• Windows Server 2016: IPAM supports
04 |
• Implement network connectivity solutions
• Implement virtual private network (VPN) and
DirectAccess solutions
VPN and Routing

• Configure Web Application proxy in pass-through mode

What is Web Application Proxy?
Web Application Proxy:
• Was introduced in Windows Server 2012 R2
• Is a reverse web proxy functionality
• Uses AD FS proxy functionality
• Is located in a perimeter network

[Diagram: client devices on the Internet reach LOB applications on the corporate network through Web Application Proxy, which sits in the perimeter network between two firewalls]
How DirectAccess works for internal clients

[Diagram: an internal client on the corporate network consults the NRPT and DNS server, reaches Internet websites directly, and reaches the AD DS domain controller, CRL distribution point and internal network resources without DirectAccess; DirectAccess security rules do not apply]

How DirectAccess works for external clients

[Diagram: an external client consults the NRPT, resolves internal names through the DirectAccess server, and reaches the Active Directory domain controller, DNS server and internal network resources through the DirectAccess tunnel]
• Implement Network Policy Server (NPS)
Configure NPS
Network Policy Server policies

Connection-attempt evaluation flow (reconstructed from the slide's flowchart):
1. Are there policies to process? No: reject the connection attempt.
2. Does the connection attempt match the policy conditions? No: go to the next policy (back to step 1).
3. Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt.
4. Is the remote access permission for the user account set to Allow Access? Yes: go to step 6.
5. Otherwise the account defers to the policy: is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt.
6. Does the connection attempt match the user object and profile? Yes: accept the connection attempt. No: reject it.
Configure NPS policies
05 |
• Implement IPv4 and IPv6 addressing
Configure IPv4 and IPv6 Addressing
Important factors to know about Addressing…
• Understand IPv4 Subnetting & Supernetting
• Understand IPv6 Addressing
• Assign IPv6 addresses and check the route (route print)

• Automatic or Manual Configuration
• 6to4
• Teredo
• PortProxy
• Implement Distributed File System (DFS) and
Branch Office solutions
Planning for DFS

[Diagram: a user in New York opens \\NYC-SRV-01\ProjectDocs on the New York server, a user in London opens \\LON-SRV-01\ProjectDocs on the London server; the two folders are replication targets]

1. User enters: \\\marketing
   Client computers contact a namespace server and receive a
2. Client computers cache the referral and then contact the first server in the referral
Optimizing namespaces and replication

You can optimize DFS by:

• Disabling referrals to a folder
• Specifying referral cache duration
• Configuring namespace polling
• Configuring replication groups
• Creating multiple replicated folders
• Modifying replication topology
• Cloning a DFSR database for initial replication, preseeding the files (Robocopy, Windows Backup)
Monitoring and troubleshooting DFS

Tool: Use
• Health Report: Report replication statistics and general health of the topology
• Propagation Test: Generate a test file to verify replication
• Propagation Report: Report on the propagation test and provide replication statistics
• Verify Topology: Report on the current status of the members of the topology
• Monitor replication state of the DFS replication service
• Windows PowerShell: Configure, monitor, and troubleshoot DFS
Understanding BranchCache modes

[Diagram: a head office serving two branch offices, one running BranchCache in Hosted Cache Mode and one in Distributed Cache Mode]
06 |
• Implement high performance network solutions
Converged Networking

[Diagram: two hosts, each carrying the Management OS and VMs. Left: Hyper-V vSwitch on top of a NIC Team. Right: Hyper-V vSwitch with SET (Switch Embedded Teaming)]

• DCB policies configured for Mgmt, Storage, Migration & Clustering traffic
• Utilizes SMB Multichannel & SMB Direct
Virtual switch expanded functionality
The virtual switch improvements in Windows Server 2016 include:
• Extended port ACLs
• Dynamic load balancing
• Coexistence with third-party forwarding extensions
• RSS support on the virtual machine network path
• Network tracing enhancements
• Router guarding
• DHCP guarding
• Trunk mode for virtual machine
• Port mirroring
• VLAN isolation through a Private VLAN
• Extended bandwidth management
Network adapter advanced features
• IPsec task
• Determine scenarios and requirements for
implementing software-defined networking (SDN)
What is Software Defined Networking?
• Software Defined Networking enables you to:
• Virtualize the network layer in a datacenter
• Define policies for the physical and virtual networks
• Manage the virtualized network infrastructure

• The Microsoft Software Defined Networking solution includes:

• Network Controller
• Hyper-V Network Virtualization
• Hyper-V Virtual Switch
• RRAS Multitenant Gateway
• NIC Teaming
• System Center Operations Manager
• System Center Virtual Machine Manager
• Windows Server Gateway
What is network virtualization?

Server virtualization (test virtual machine and production virtual machine on one physical server):
• Multiple virtual machines on the same physical server
• Each virtual machine is isolated from others

Network virtualization (test network and production network on one physical network):
• Multiple virtual networks on the same physical network
• Each virtual network is isolated from others
What is Generic Route Encapsulation?

[Diagram: two GRE-encapsulated packets. Each carries an outer MAC header, provider address (PA) headers, a GRE header with a tenant key (Key=5001 and Key=6001), and the encapsulated customer address (CA) headers of the virtual machine]

• Customer address space is based on the virtual machine configuration
• Provider address space is based on the physical network and is not visible to the virtual machines
What are network virtualization policies?
• Define CA-PA mappings:
• Specify the Hyper-V server on which the virtual machines are
• Hyper-V implements policies by translating incoming and outgoing
• If a virtual machine is moved, policies are modified, but the virtual machine configuration stays the same

[Diagram: policy settings mapping CA spaces to the PA space (datacenter, Hyper-V Host 1 and Hyper-V Host 2). Columns: CA, PA, VSID. Blue Yonder Airlines: SQL and WEB, VSID 5001. Woodgrove Bank: WEB, VSID 6001]
Network Controller Overview
• Highly available and scalable server
• Southbound API
• Northbound API (REST interface)
• Can manage:
  • IP subnets
  • L2 and L3 switches
  • Host NICs

Network Controller features

Datacenter Firewall
• Highly scalable, manageable,
and diagnosable software-
based firewall
• Freedom to move tenant virtual
machines to different compute
hosts without breaking tenant
firewall policies
Software Load Balancing
• Layer 4 load balancing for both "North-South" and "East-West" Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic

RAS Gateway
• Software-based, multitenant, BGP-capable router

RAS Gateway features:
• Addition and removal of gateway VMs
• Site-to-site VPN gateway connectivity by using IPsec
• Site-to-site VPN gateway connectivity by using GRE
• Point-to-site VPN gateway connectivity
• Layer 3 forwarding capability
• BGP routing
Network Controller Deployment Requirements
• You can only deploy Network Controller to the Windows Server 2016 Datacenter edition.
• The management client you use must be installed on a computer or virtual machine running Windows 10, Windows 8.1, or Windows 8.
• You must configure dynamic DNS registration to enable registration of required DNS records for Network Controller.
• If the computers or virtual machines running Network Controller or the management client for Network Controller are joined to a domain, you
  o Create a security group that holds all the users that have permission to configure Network Controller.
  o Create a security group that holds all of the users that have permission to configure and manage the network by using Network Controller.
Learning Resources
Course 20741 outline

• Module 1: Planning and implementing an IPv4 network
• Module 2: Implementing DHCP
• Module 3: Implementing IPv6
• Module 4: Implementing DNS
• Module 5: Implementing and managing IPAM
• Module 6: Remote access in Windows Server 2016
• Module 7: Implementing DirectAccess
• Module 8: Implementing VPNs
• Module 9: Implementing networking for branch offices
• Module 10: Configuring advanced networking features
• Module 11: Implementing software-defined networking
Born To Learn Site
TechNet Virtual Labs
Microsoft Virtual Academy