
George Dobrea

XEduco
gdobrea@xeduco.net | @gdobrea

Microsoft Certified Trainer (since 1998)


MVP – Enterprise Security (since 2005)
EC-Council Instructor of the Year (2016)
>Get-Content
Why Certify?
MCSA Windows Server 2016 certification path
MCSA: Windows Server 2016 = Exams 70-740 + 70-741 + 70-742, OR the single upgrade exam 70-743 for holders of an earlier MCSA. Each exam has a matching course:
• Exam 70-740 / Course 20740A: Installation, Storage, and Compute with Windows Server 2016
• Exam 70-741 / Course 20741A: Networking with Windows Server 2016
• Exam 70-742 / Course 20742A: Identity with Windows Server 2016
• Exam 70-743 / Course 20743A: Upgrading Your Skills to MCSA: Windows Server 2016
Cloud Platform & Infrastructure Cert Path
• MCSA Windows Server 2012: 410 Installing and Configuring Windows Server 2012; 411 Administering Windows Server 2012; 412 Configuring Advanced Windows Server 2012 Services
• MCSA Windows Server 2016: 740 Installation, Storage, and Compute with Windows Server 2016; 741 Networking with Windows Server 2016; 742 Identity with Windows Server 2016
• MCSA Linux on Azure: 533 Managing Microsoft Azure Infrastructure Solutions + LFCS: Linux Foundation Certified System Administrator
• MCSA Cloud Platform: choose two from 532 Developing Microsoft Azure Solutions; 533 Managing Microsoft Azure Infrastructure Solutions; 534 Architecting Microsoft Azure Solutions; 473 Designing and Implementing Cloud Data Platform Solutions; 475 Designing and Implementing Big Data Analytics Solutions
• MCSE Cloud Platform & Infrastructure (earned: 2016): one of the MCSAs above plus an elective exam
70-741 Exam Objectives
1. Implement Domain Name System (DNS)
2. Implement DHCP
3. Implement IP Address Management (IPAM)
4. Implement Network Connectivity and Remote Access Solutions
5. Implement Core and Distributed Network Solutions
6. Implement an Advanced Network Infrastructure
01 | Implement Domain Name System (DNS)
• Install and configure DNS servers
DNS on Nano Server
To use Nano Server as a DNS server:
• Install the NanoServer package
• Create a VHD with the Microsoft-NanoServer-DNS-Package
• Import the VHD into Hyper-V as a virtual machine
• Configure networking settings and enable the remote management firewall ports
• Connect remotely to the server running Nano Server by using Windows PowerShell 5.0 on a Windows client or server
• Run the command Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role
• Manage DNS remotely by using the Windows PowerShell 5.0 DNS commands
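The whole procedure above, end to end, as an added example (not code from the original deck). The media path, VHD path, computer name, the 10.0.0.20 address, the switch name and the zone name are assumptions; the DnsServer cmdlets on the client come from RSAT.

```powershell
# Added example, not from the original slides. Paths, names and addresses are assumptions.
# --- 1. Build workstation: create the Nano Server VHD with the DNS package ---
Import-Module 'D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psm1'
New-NanoServerImage -DeploymentType Guest -Edition Standard `
    -MediaPath 'D:\' -BasePath 'C:\Nano\Base' -TargetPath 'C:\Nano\NANO-DNS1.vhd' `
    -ComputerName 'NANO-DNS1' -Package 'Microsoft-NanoServer-DNS-Package' `
    -AdministratorPassword (Read-Host -AsSecureString 'Nano Administrator password') `
    -InterfaceNameOrIndex 'Ethernet' -Ipv4Address '10.0.0.20' -Ipv4SubnetMask '255.255.255.0' `
    -Ipv4Gateway '10.0.0.1' -Ipv4Dns '10.0.0.10' `
    -EnableRemoteManagementPort          # opens the WinRM firewall ports in the image

# --- 2. Hyper-V host: import the VHD as a VM and start it ---
New-VM -Name 'NANO-DNS1' -Generation 1 -MemoryStartupBytes 1GB `
    -VHDPath 'C:\Nano\NANO-DNS1.vhd' -SwitchName 'External' | Start-VM

# --- 3. Windows client with PowerShell 5.0: connect remotely and enable the role ---
# The Nano box is not domain-joined yet, so it must be trusted for NTLM-based WinRM.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.20' -Concatenate -Force
$cred = Get-Credential '10.0.0.20\Administrator'
$ps   = New-PSSession -ComputerName '10.0.0.20' -Credential $cred
Invoke-Command -Session $ps -ScriptBlock {
    Enable-WindowsOptionalFeature -Online -FeatureName 'DNS-Server-Full-Role'
}

# --- 4. Manage DNS remotely with the DnsServer module (CIM session to the Nano host) ---
$cim = New-CimSession -ComputerName '10.0.0.20' -Credential $cred
Add-DnsServerPrimaryZone -CimSession $cim -Name 'contoso.com' -ZoneFile 'contoso.com.dns'
Add-DnsServerResourceRecordA -CimSession $cim -ZoneName 'contoso.com' -Name 'www' -IPv4Address '10.0.0.80'
Get-DnsServerZone -CimSession $cim | Select-Object ZoneName, ZoneType, IsDsIntegrated
Resolve-DnsName -Name 'www.contoso.com' -Server '10.0.0.20'
```

Note that TrustedHosts is only needed while the Nano box is a workgroup member; once it is domain-joined (for an AD-integrated zone) use Kerberos and remove the entry.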
Implementing DNS security
DNS security feature: Description
• DNS cache locking: Prevents entries in the cache from being overwritten until a percentage of the TTL has expired
• DNS socket pool: Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012.
• DANE (DNS-based Authentication of Named Entities): Uses TLSA records that state the CA from which clients should expect a certificate
• DNSSEC: Enables cryptographically signing DNS records so that client computers can validate responses
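The four features in the table, configured and verified on a Windows Server 2016 DNS server, as an added example (not from the original deck). The zone name, the TLSA owner name and the certificate hash are assumptions; the hash must be the SHA-256 of the web server's actual certificate.

```powershell
# Added example, not from the original slides. Zone and hash values are placeholders.
# --- Cache locking: do not let a cached record be overwritten until 100% of its TTL is gone ---
Set-DnsServerCache -LockingPercent 100
(Get-DnsServerCache).LockingPercent

# --- Socket pool: more randomized source ports makes cache poisoning harder (default 2500) ---
$settings = Get-DnsServerSetting -All
$settings.SocketPoolSize = 10000
Set-DnsServerSetting -InputObject $settings
Restart-Service -Name DNS          # the pool is allocated when the service starts
(Get-DnsServerSetting -All).SocketPoolSize

# --- DNSSEC: sign the zone with default KSK/ZSK settings, then check it ---
Invoke-DnsServerZoneSign -ZoneName 'contoso.com' -SignWithDefault -Force
Get-DnsServerZone -Name 'contoso.com' | Select-Object ZoneName, IsSigned
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType DnsKey
# Ask for validation from a client: the AD flag in the response shows it validated
Resolve-DnsName -Name 'www.contoso.com' -Type A -DnssecOk

# --- DANE: publish a TLSA record for https://www.contoso.com (port 443/TCP) ---
# Usage 3 = DANE-EE (the record pins the end-entity certificate itself),
# selector 0 = full certificate, matching type 1 = SHA-256 of the DER certificate.
Add-DnsServerResourceRecord -TLSA -ZoneName 'contoso.com' -Name '_443._tcp.www' `
    -CertificateUsage DomainIssuedCertificate -Selector FullCertificate -MatchingType Sha256Hash `
    -CertificateAssociationData '0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name '_443._tcp.www' -RRType TLSA
```

A TLSA record is only trustworthy if the zone is DNSSEC-signed and the resolver validates it, so sign first and publish TLSA second; an unsigned TLSA record gives a client nothing it can rely on.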
• Create and configure DNS zones and records
Install & Configure DNS
DNS terminology that you should know:
• Host name resolution
• Forward and reverse lookups
• Types of DNS zones
• For AD-integrated zones: what are the domain partition, ForestDnsZones and DomainDnsZones?
• Records: SOA, NS, A, CNAME, PTR, SRV, and MX
Configure DNS zones
Configure DNS records
DNS policies – new in Windows Server 2016
• You create DNS policies to control how a DNS Server handles queries based on
different parameters
DNS policy scenarios:
• Application high availability
• Traffic management
• Split brain DNS
• Filtering
• Forensics
DNS policy objects:
• Client subnet
• Recursion scope
• Zone scope
Use Windows PowerShell to create and manage DNS policies
https://technet.microsoft.com/en-us/windows-server-docs/networking/dns/deploy/dns-policies-overview
# Split-brain DNS for contoso.com: one zone, two scopes
# 1. Create a zone scope named "internal" inside the existing contoso.com zone
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "internal"
# 2. Public answer in the default scope, private answer in the "internal" scope
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "65.55.39.10"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "10.0.0.39" -ZoneScope "internal"
# 3. Queries arriving on the internal interface 10.0.0.56 are answered from the "internal" scope (weight 1)
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterface "eq,10.0.0.56" -ZoneScope "internal,1" -ZoneName "contoso.com"
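The split-brain commands above cover one of the five scenarios; the traffic-management, filtering and recursion-control scenarios use the other two policy objects (client subnet and recursion scope). The following is an added example of those, not code from the deck or from the linked TechNet page; the subnets, interface address, domain names and policy names are assumptions.

```powershell
# Added example, not from the original slides. Subnets, addresses and names are assumptions.
# --- Traffic management: answer clients from their nearest datacenter ---
Add-DnsServerClientSubnet -Name 'Europe'   -IPv4Subnet '10.10.0.0/16'
Add-DnsServerClientSubnet -Name 'AsiaPac'  -IPv4Subnet '10.20.0.0/16'
Add-DnsServerZoneScope -ZoneName 'contoso.com' -Name 'EuropeScope'
Add-DnsServerZoneScope -ZoneName 'contoso.com' -Name 'AsiaPacScope'
Add-DnsServerResourceRecord -ZoneName 'contoso.com' -A -Name 'portal' -IPv4Address '10.10.5.10' -ZoneScope 'EuropeScope'
Add-DnsServerResourceRecord -ZoneName 'contoso.com' -A -Name 'portal' -IPv4Address '10.20.5.10' -ZoneScope 'AsiaPacScope'
Add-DnsServerQueryResolutionPolicy -Name 'EuropePolicy'  -Action ALLOW -ClientSubnet 'eq,Europe'  -ZoneScope 'EuropeScope,1'  -ZoneName 'contoso.com'
Add-DnsServerQueryResolutionPolicy -Name 'AsiaPacPolicy' -Action ALLOW -ClientSubnet 'eq,AsiaPac' -ZoneScope 'AsiaPacScope,1' -ZoneName 'contoso.com'

# --- Recursion control: no open resolver on the Internet-facing interface ---
# The default recursion scope is "."; create a second one with recursion off and
# bind it to queries that arrive on the external interface.
Add-DnsServerRecursionScope -Name 'NoRecursion' -EnableRecursion $false
Add-DnsServerQueryResolutionPolicy -Name 'ExternalNoRecursion' -Action ALLOW -ApplyOnRecursion `
    -RecursionScope 'NoRecursion' -ServerInterfaceIP 'eq,203.0.113.10'

# --- Filtering: silently drop queries for a known-bad domain (IGNORE sends no answer) ---
Add-DnsServerQueryResolutionPolicy -Name 'BlockBadDomain' -Action IGNORE -Fqdn 'eq,*.bad.example'

# --- Verify ---
Get-DnsServerQueryResolutionPolicy -ZoneName 'contoso.com' | Format-Table Name, Action, Condition, IsEnabled
Get-DnsServerQueryResolutionPolicy | Where-Object Level -eq Server | Format-Table Name, Action, ProcessingOrder
Get-DnsServerRecursionScope
```

Server-level policies are evaluated in ProcessingOrder before zone-level ones, so put the recursion and filtering policies first and test from both an internal and an external address before relying on them.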
Key Tips to Remember







Example question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoys.com. The record points to 10.10.5.254. Forward name resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to www2.tailspintoys.com.

What should you do?

A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
D. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.
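Reverse resolution comes from a PTR record in the reverse lookup zone for the subnet, which is option D. The following is an added example (not from the deck) of doing that and checking it; the DNS server name and the assumption that 10.10.5.0/24 has no reverse zone yet are mine.

```powershell
# Added example, not from the original slides. Server name and zone layout are assumptions.
$dns = 'DC1.tailspintoys.com'

# Create the reverse lookup zone for 10.10.5.0/24 if it is missing (AD-integrated, domain replication)
if (-not (Get-DnsServerZone -ComputerName $dns -Name '5.10.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $dns -NetworkId '10.10.5.0/24' -ReplicationScope Domain
}

# Option D: a PTR record whose owner is the host part of the address (254) and whose
# data is the FQDN; the forward A record is untouched.
Add-DnsServerResourceRecordPtr -ComputerName $dns -ZoneName '5.10.10.in-addr.arpa' `
    -Name '254' -PtrDomainName 'www2.tailspintoys.com'

# Verify in both directions
Resolve-DnsName -Name '10.10.5.254' -Type PTR -Server $dns
Resolve-DnsName -Name 'www2.tailspintoys.com' -Type A -Server $dns
```

If the other administrator had used Add-DnsServerResourceRecordA with -CreatePtr, the PTR would have been created with the A record; that switch only works when the reverse zone already exists.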
02 | Implement DHCP
• Install and configure DHCP
Install and Configure DHCP Service
• Understand the DHCP options available
Implement an advanced DHCP solution
• Create and configure superscopes
• Create and configure multicast scopes
• DHCPv6
• The Windows Server 2016 DHCP Server role no longer supports NAP!
• Manage and maintain DHCP
What is DHCP failover?
DHCP failover:
When you use DHCP failover:
What are DHCP security options?
Limit physical access to the network by:
• Disconnecting unused LAN drops
• Requiring authenticated layer 2 connections
Enable DHCP auditing to track DHCP usage
DHCP name protection:
• Prevents Windows operating systems from having their DNS name registration overwritten by non-Windows operating systems using the same name
• Uses a DHCID resource record to track the devices that originally requested the DNS name registration
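DHCP failover (two IPv4 servers sharing a scope in load-balance or hot-standby mode), audit logging and name protection, configured together as an added example that is not part of the original deck. Server names, the scope ID, timers and paths are assumptions.

```powershell
# Added example, not from the original slides. Server names, scope and timers are assumptions.
$primary = 'DHCP1.corp.contoso.com'
$partner = 'DHCP2.corp.contoso.com'
$scope   = '10.0.0.0'

# --- Failover: load-balance the scope 50/50, authenticate the partner channel with a shared secret ---
Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner -Name 'DHCP1-DHCP2-LB' `
    -ScopeId $scope -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:10:00 `
    -SharedSecret (Read-Host 'Failover shared secret')
Get-DhcpServerv4Failover -ComputerName $primary | Format-Table Name, Mode, State, PartnerServer, ScopeId

# --- Auditing: the daily log is the first place to look for rogue leases or exhaustion ---
Set-DhcpServerAuditLog -ComputerName $primary -Enable $true -Path 'C:\Windows\System32\dhcp'
Get-DhcpServerAuditLog -ComputerName $primary

# --- Name protection on the scope: a DHCID record guards each registered name ---
Set-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $scope `
    -NameProtection $true -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true
Get-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $scope

# Replicate scope settings to the partner so both sides enforce the same DNS behaviour
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name 'DHCP1-DHCP2-LB' -Force
```

Failover state and lease data replicate between the partners, but scope options changed on one server do not until you run Invoke-DhcpServerv4FailoverReplication, so include it after any scope-level change.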
Example question
03 | Implement IP Address Management (IPAM)
• Install and configure IP Address Management (IPAM)
• Manage DNS and DHCP using IPAM
• Audit IPAM
IP Address Management (IPAM)
• Inbox feature for integrated management of IP addresses, domain names, and device identities
• Tightly integrates with Microsoft DNS and DHCP servers
• Provides custom IP address space display, reporting, and management
• Audits server configuration changes and tracks IP address use
• Migrates IP address data from spreadsheets or other tools
• Monitors and manages specific scenario-based DHCP and DNS services
[Diagram: distributed IPAM deployment across the domains europe.corp.woodbridge.com and fareast.corp.woodbridge.com, with IPAM servers in Redmond, the UK, Hyderabad and Bangalore, each managing the DHCP, DNS, DC, and NPS servers at its location]
Windows Server 2016 IPAM
Unified IP address management:
• IP addressing management of physical and virtual networks (SCVMM integration)
• Integrated IP addressing, DNS and DHCP management
Network audit & visibility:
• Tracking activity of IP address/user/MAC
• IP utilization & trend
• Audit configuration changes
Delegated administration:
• Granular RBAC to manage IP address space, DHCP & DNS
• Delegated administration within and across datacenters
Scale, robustness & services management:
• Disaster recovery
• Multiple instance deployment
• SQL Server database
• Extensive PowerShell support & automation
• Cross-AD support
• Automatic server discovery
• Single console DHCP and DNS management across datacenters
• Management of granular DNS properties
IP Address Management
Configure IPAM
• Requirements
• Trivia:
• Deployment topologies: Distributed, Centralized, and Hybrid
• Database not shared between servers
Server discovery
• What can be discovered?
• Manage or not manage discovered servers
• Windows Internal Database and external database (SQL Server) supported
• Windows Server 2016: IPAM supports
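Install, GPO-based provisioning, discovery and a first audit query, as an added example that is not from the deck. The domain, IPAM server FQDN, GPO prefix and group names are assumptions; the "Provision the IPAM server" step itself is run once in Server Manager before these commands.

```powershell
# Added example, not from the original slides. Domain, names and dates are assumptions.
# --- Install the role on the IPAM server ---
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# --- Provisioning: create the three IPAM_* GPOs (DHCP, DNS, DC/NPS) in the domain.
#     Run as a domain admin; the GPOs grant the IPAM server the access it needs on each managed server.
Invoke-IpamGpoProvisioning -Domain 'corp.contoso.com' -GpoPrefixName 'IPAM' `
    -IpamServerFqdn 'ipam1.corp.contoso.com' -DelegatedGpoUser 'CORP\IPAM-Admins' -Force

# --- Server discovery: which domain, which roles ---
Add-IpamDiscoveryDomain -Name 'corp.contoso.com' -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true
Get-IpamDiscoveryDomain

# After discovery has run, mark the servers you want IPAM to manage (GPOs then apply to them)
Get-IpamServerInventory |
    Where-Object { $_.ServerType -match 'DHCP|DNS' } |
    Set-IpamServerInventory -ManageabilityStatus Managed -PassThru |
    Format-Table Name, ServerType, ManageabilityStatus, IpamAccessStatus

# --- Audit: who held 10.0.0.57 last week? (IP address tracking uses DHCP lease + DC logon events) ---
Get-IpamIpAddressAuditEvent -IpAddress '10.0.0.57' `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Format-Table Time, EventType, ClientId, HostName, UserName
```

Each managed server must run gpupdate (or wait for the refresh interval) before its IpamAccessStatus changes from Blocked to Unblocked; that status, not ManageabilityStatus, tells you whether IPAM can actually read the server.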
04 | Implement network connectivity and remote access solutions
• Implement network connectivity solutions
• Implement virtual private network (VPN) and DirectAccess solutions
VPN and Routing
• Configure Web Application Proxy in pass-through mode
What is Web Application Proxy?
Web Application Proxy:
• Was introduced in Windows Server 2012 R2
• Provides reverse web proxy functionality
• Uses AD FS proxy functionality
• Is located in a perimeter network
[Diagram: client devices on the Internet pass through a firewall to the Web Application Proxy in the perimeter network, then through a second firewall into the corporate network, where AD FS, AD DS, LOB applications and Microsoft applications are hosted]
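Publishing an internal application in pass-through mode, as an added example (not code from the deck). Pass-through means the proxy performs no AD FS pre-authentication: the request reaches the backend unauthenticated, so the application itself must authenticate the user. The URLs, federation service name, group name and certificate thumbprint are assumptions.

```powershell
# Added example, not from the original slides. URLs, names and thumbprint are assumptions.
# --- One-time: join the perimeter-network server to the AD FS farm as a proxy ---
$external = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*fs.contoso.com*'
Install-WebApplicationProxy -FederationServiceName 'fs.contoso.com' `
    -CertificateThumbprint $external.Thumbprint `
    -FederationServiceTrustCredential (Get-Credential 'CORP\adfs-proxy-setup')

# --- Publish a LOB application without pre-authentication (pass-through) ---
$appCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*lob.contoso.com*'
Add-WebApplicationProxyApplication -Name 'Intranet LOB' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://lob.contoso.com/' `
    -BackendServerUrl 'https://lob.corp.contoso.com/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint

# --- Verify and compare with a pre-authenticated publication ---
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
Get-WebApplicationProxyHealth
```

Use pass-through only for applications that already enforce their own authentication (or that must be anonymous); for claims-aware or IWA applications, -ExternalPreauthentication ADFS with an AD FS relying party keeps unauthenticated traffic out of the corporate network.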
Example question
Example question
How DirectAccess works for internal clients
[Diagram: an internal client computer on the corporate network reaches the network location server, the Active Directory domain controller, the DNS server, the CRL distribution point and internal network resources directly. Because the network location server is reachable, the NRPT is not applied and the connection security rules do not build tunnels to the DirectAccess server; Internet websites are reached through the normal path.]
How DirectAccess works for external clients
[Diagram: an external client computer on the Internet cannot reach the network location server, so the NRPT applies: names in the corporate namespace are resolved through IPsec tunnels (connection security rules) to the DirectAccess server, which forwards traffic to the DNS server, the Active Directory domain controller and internal network resources. Internet websites are reached directly.]
DirectAccess
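The two diagrams above differ in whether the client can reach the network location server; the following added example (not from the deck) reads the client-side state that decides this, so a practitioner can tell which path a client is on. It assumes only an installed DirectAccess client.

```powershell
# Added example, not from the original slides. Run on a DirectAccess client (elevated).
function Get-DaClientSummary {
    # Status is ConnectedLocally (internal path) or ConnectedRemotely (tunnels up), else an error
    $status = Get-DAConnectionStatus
    # NRPT: the corporate namespaces and the DNS64 address they are sent to when remote
    $nrpt   = Get-DnsClientNrptPolicy
    # NCSI probe: the network location server URL that is reachable only from inside
    $ncsi   = Get-NCSIPolicyConfiguration
    # Live IPsec tunnels to the DirectAccess server (empty when internal)
    $mmSa   = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Status           = $status.Status
        Substatus        = $status.Substatus
        NrptNamespaces   = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '
        NrptDnsServers   = ($nrpt | ForEach-Object { $_.NameServers } | Select-Object -Unique) -join ', '
        NlsProbeUrl      = $ncsi.CorporateWebsiteProbeURL
        MainModeSAs      = $mmSa.Count
        MainModePeers    = ($mmSa | ForEach-Object { $_.RemoteEndpoint } | Select-Object -Unique) -join ', '
    }
}

Get-DaClientSummary | Format-List
```

A client that shows ConnectedLocally while sitting on the Internet means the NLS URL resolved and answered from outside, which is a misconfiguration to fix first: the NLS must never be reachable externally or the client will skip its tunnels.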
• Implement Network Policy Server (NPS)
Configure NPS
Network Policy Server policies: how NPS evaluates a connection attempt
START
1. Are there policies to process? No: reject the connection attempt. Yes: continue.
2. Does the connection attempt match the policy conditions? No: go to the next policy (back to step 1). Yes: continue.
3. Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt. No: continue.
4. Is the remote access permission for the user account set to Allow Access? Yes: go to step 6. No: continue.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt. No: continue.
6. Does the connection attempt match the user object and profile settings? Yes: accept the connection attempt. No: reject the connection attempt.
Configure NPS policies
05 | Implement core and distributed network solutions
• Implement IPv4 and IPv6 addressing
Configure IPv4 and IPv6 Addressing
Important factors to know about addressing:
• Understand IPv4 subnetting & supernetting
• Understand IPv6 addressing
• Assign IPv6 addresses and check the routing table (route print)
Tunneling
• Automatic or manual configuration
• 6to4
• ISATAP
• Teredo
• PortProxy
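Subnetting and supernetting worked in code, plus the IPv6 assignment and route check, as an added example that is not from the deck. The functions are general (any prefix length 0 to 32, including /31 and /32); the sample addresses, interface alias and IPv6 prefix are assumptions.

```powershell
# Added example, not from the original slides. Sample addresses and the interface alias are assumptions.
function ConvertTo-IpInt([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                                  # BitConverter is little-endian
    [int64][System.BitConverter]::ToUInt32($b, 0)
}
function ConvertTo-IpString([int64]$Value) {
    $b = [System.BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($b)
    (New-Object System.Net.IPAddress (,$b)).ToString()
}
function Get-Mask([int]$Prefix) {                        # /26 -> 0xFFFFFFC0
    [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix))
}

# Subnetting: network, broadcast and usable range for a CIDR such as 192.168.10.77/26
function Get-SubnetInfo([Parameter(Mandatory)][string]$Cidr) {
    $ip, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length must be 0..32: $Cidr" }
    $mask      = Get-Mask $prefix
    $network   = (ConvertTo-IpInt $ip) -band $mask
    $broadcast = $network -bor (0xFFFFFFFF -bxor $mask)
    $size      = [int64][math]::Pow(2, 32 - $prefix)
    # /31 (RFC 3021 point-to-point) and /32 have no reserved network/broadcast addresses
    $first = if ($prefix -ge 31) { $network }   else { $network + 1 }
    $last  = if ($prefix -ge 31) { $broadcast } else { $broadcast - 1 }
    [pscustomobject]@{
        Cidr        = $Cidr
        Network     = ConvertTo-IpString $network
        SubnetMask  = ConvertTo-IpString $mask
        Broadcast   = ConvertTo-IpString $broadcast
        FirstHost   = ConvertTo-IpString $first
        LastHost    = ConvertTo-IpString $last
        UsableHosts = if ($prefix -ge 31) { $size } else { $size - 2 }
    }
}

# Supernetting: the smallest single prefix that covers all given networks
function Get-Supernet([Parameter(Mandatory)][string[]]$Cidrs) {
    $lo = [int64]::MaxValue; $hi = [int64]0
    foreach ($c in $Cidrs) {
        $ip, $p = $c -split '/'
        $n = (ConvertTo-IpInt $ip) -band (Get-Mask ([int]$p))
        $bc = $n -bor (0xFFFFFFFF -bxor (Get-Mask ([int]$p)))
        if ($n -lt $lo) { $lo = $n }
        if ($bc -gt $hi) { $hi = $bc }
    }
    for ($prefix = 32; $prefix -ge 0; $prefix--) {      # longest prefix where lowest and highest agree
        $m = Get-Mask $prefix
        if (($lo -band $m) -eq ($hi -band $m)) { return ('{0}/{1}' -f (ConvertTo-IpString ($lo -band $m)), $prefix) }
    }
}

Get-SubnetInfo '192.168.10.77/26' | Format-List        # network 192.168.10.64, broadcast .127, 62 hosts
Get-SubnetInfo '10.0.0.1/31'      | Format-List
Get-Supernet '192.168.0.0/24', '192.168.1.0/24', '192.168.3.0/24'   # 192.168.0.0/22

# IPv6: assign an address and confirm the on-link and default routes (same data as "route print")
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '2001:db8:10::50' -PrefixLength 64
Get-NetRoute -AddressFamily IPv6 -InterfaceAlias 'Ethernet' | Format-Table DestinationPrefix, NextHop, RouteMetric
```

Get-Supernet answers the exam-style "summarize these subnets" question by walking the prefix length down from /32 until the lowest and highest addresses share the same network bits; when the inputs are not a power-of-two block (the three /24s above) the result is necessarily wider than the inputs, which is why supernets are planned on aligned boundaries.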
• Implement Distributed File System (DFS) and Branch Office solutions
Planning for DFS
[Diagram: a user in New York and a user in London both open \\Contoso.com\Marketing. The namespace folder has two folder targets, \\NYC-SRV-01\ProjectDocs and \\LON-SRV-01\ProjectDocs, which DFS Replication keeps in sync; each user is referred to the server in their own site.]
1. The user enters \\contoso.com\marketing. Client computers contact a namespace server and receive a referral.
2. Client computers cache the referral and then contact the first server in the referral.
Optimizing namespaces and replication

You can optimize DFS by:


• Disabling referrals to a folder
• Specifying referral cache duration
• Configuring namespace polling
• Configuring replication groups
• Creating multiple replicated folders
• Modifying replication topology
• Clone a DFSR database for initial replication –
preseeding the files ( Robocopy, Windows Backup)
Monitoring and troubleshooting DFS
Tool: Use
• Health Report: Report replication statistics and general health of the topology
• Propagation Test: Generate a test file to verify replication
• Propagation Report: Report on the propagation test and provide replication statistics
• Verify Topology: Report on the current status of the members of the topology
• Dfsrdiag.exe: Monitor replication state of the DFS Replication service
• Windows PowerShell: Configure, monitor, and troubleshoot DFS
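The namespace from the planning diagram, its replication group, preseeding with Robocopy, and the propagation test from the table, as one added example that is not from the deck. Server names, content paths and the report folder are assumptions.

```powershell
# Added example, not from the original slides. Server names and paths are assumptions.
$group  = 'MarketingDocs'; $folder = 'ProjectDocs'
$nyc    = 'NYC-SRV-01';    $lon    = 'LON-SRV-01'

# --- Domain-based namespace (Windows Server 2008 mode) with one folder and two targets ---
New-DfsnRoot   -Path '\\contoso.com\Marketing' -TargetPath "\\$nyc\Marketing" -Type DomainV2
New-DfsnFolder -Path '\\contoso.com\Marketing\ProjectDocs' -TargetPath "\\$nyc\ProjectDocs"
New-DfsnFolderTarget -Path '\\contoso.com\Marketing\ProjectDocs' -TargetPath "\\$lon\ProjectDocs"

# --- Replication group: members, a two-way connection, the replicated folder ---
New-DfsReplicationGroup -GroupName $group | Out-Null
New-DfsReplicatedFolder -GroupName $group -FolderName $folder | Out-Null
Add-DfsrMember -GroupName $group -ComputerName $nyc, $lon | Out-Null
Add-DfsrConnection -GroupName $group -SourceComputerName $nyc -DestinationComputerName $lon | Out-Null

# --- Preseed BEFORE enabling membership: copy data with ACLs so initial sync only compares hashes.
#     /B backs up ACLs, /COPYALL keeps DACL/SACL/owner, /XD skips the DFSR private folder.
robocopy "\\$nyc\D$\ProjectDocs" "\\$lon\D$\ProjectDocs" /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /LOG:C:\preseed.log
# Spot-check: identical hashes on both sides mean the preseeded file will not be re-sent
dfsrdiag filehash /path:"\\$nyc\D$\ProjectDocs\budget.xlsx"
dfsrdiag filehash /path:"\\$lon\D$\ProjectDocs\budget.xlsx"

# --- Memberships: NYC is the primary (authoritative) member for the initial replication ---
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $nyc -ContentPath 'D:\ProjectDocs' -PrimaryMember $true -Force
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $lon -ContentPath 'D:\ProjectDocs' -Force
Update-DfsrConfigurationFromAD -ComputerName $nyc, $lon

# --- Monitoring: propagation test + report, and the live replication state ---
Start-DfsrPropagationTest  -GroupName $group -FolderName $folder -ReferenceComputerName $nyc
Write-DfsrPropagationReport -GroupName $group -FolderName $folder -ReferenceComputerName $nyc -Path 'C:\DfsrReports'
Get-DfsrState -ComputerName $lon | Format-Table Path, Inbound, UpdateState, SourceComputerName
```

Preseeding only pays off if the file hashes match; a copy made without /B and /COPYALL changes security descriptors, the hash differs, and DFSR replicates every file again over the WAN.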
Understanding BranchCache modes
[Diagram: a head office serving content to two branch offices. One branch runs Hosted Cache Mode, where a branch server holds the cache; the other runs Distributed Cache Mode, where client computers cache content and share it with each other.]
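The two modes from the diagram configured with the BranchCache cmdlets, as an added example (not from the deck). The share path and the hosted cache server name are assumptions; the hash publication group policy on the head-office file server is set separately.

```powershell
# Added example, not from the original slides. Share path and server name are assumptions.
# --- Head office file server: BranchCache for Network Files + pre-computed hashes ---
Install-WindowsFeature -Name FS-BranchCache
Publish-BCFileContent -Path 'D:\Shares\Marketing' -Recurse       # hashes ready before the first branch request

# --- Branch A, hosted cache mode: one branch server keeps the cache ---
Install-WindowsFeature -Name BranchCache
Enable-BCHostedServer -RegisterSCP          # publishes a service connection point clients can discover
Get-BCHostedCacheServerConfiguration

# --- Branch A clients: find the hosted cache via the SCP, or name it explicitly ---
Enable-BCHostedClient -UseServiceConnectionPoint
# Enable-BCHostedClient -ServerNames 'BR-CACHE1.corp.contoso.com'

# --- Branch B, distributed cache mode: no server, peers cache for each other ---
Enable-BCDistributed

# --- Verify on any client: mode, service state, cache size and hit data ---
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus, ClientConfiguration, DataCache
Get-BCDataCache
```

Hosted cache mode needs a server certificate on the hosted cache server in TLS-based discovery; with -RegisterSCP the domain-joined clients locate it automatically, while the explicit -ServerNames form is what you use in a workgroup branch.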
Example question
06 | Implement an advanced network infrastructure
• Implement high performance network solutions
Converged Networking
[Diagram: two hosts, each running a management OS and VMs. On the left, a Hyper-V vSwitch sits on top of a NIC team; on the right, a Hyper-V vSwitch with Switch Embedded Teaming (SET). DCB policies are configured for management, storage, live migration and clustering traffic; storage traffic utilizes SMB Multichannel and SMB Direct.]
Virtual switch expanded functionality
The virtual switch improvements in Windows Server 2016 include:
• Extended port ACLs
• Dynamic load balancing
• Coexistence with third-party forwarding extensions
• RSS support on the virtual machine network path
• Network tracing enhancements
• Router guard
• DHCP guard
• Trunk mode for virtual machines
• Port mirroring
• VLAN isolation through a Private VLAN
• Extended bandwidth management
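A SET switch with the tenant-facing protections from the list above applied to one VM (guards, extended ACLs, trunk VLANs, bandwidth, port mirroring), as an added example that is not from the deck. Adapter, switch, VM and VLAN values are assumptions.

```powershell
# Added example, not from the original slides. Adapter, switch, VM and VLAN values are assumptions.
# --- Converged switch with Switch Embedded Teaming and weight-based QoS ---
New-VMSwitch -Name 'ConvergedSwitch' -NetAdapterName 'NIC1', 'NIC2' `
    -EnableEmbeddedTeaming $true -AllowManagementOS $true -MinimumBandwidthMode Weight
Set-VMSwitchTeam -Name 'ConvergedSwitch' -LoadBalancingAlgorithm Dynamic

$vm = 'TENANT-WEB1'
# --- Router guard / DHCP guard / MAC spoofing: a compromised tenant VM cannot
#     advertise itself as a router or DHCP server, or forge source MACs ---
Set-VMNetworkAdapter -VMName $vm -RouterGuard On -DhcpGuard On -MacAddressSpoofing Off

# --- Extended port ACLs: only 80/443 inbound, everything else dropped (higher weight wins) ---
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound -Protocol TCP -LocalPort 80  -Weight 20
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound -Protocol TCP -LocalPort 443 -Weight 20
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Deny  -Direction Inbound -Weight 1
# Stateful rule for outbound: replies to the VM's own connections are allowed back in
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Outbound -Protocol TCP -Stateful $true -Weight 10

# --- Trunk mode and bandwidth management ---
Set-VMNetworkAdapterVlan -VMName $vm -Trunk -AllowedVlanIdList '100-110' -NativeVlanId 100
Set-VMNetworkAdapter -VMName $vm -MinimumBandwidthWeight 10 -MaximumBandwidth 1GB

# --- Port mirroring: copy the VM's traffic to an IDS sensor VM on the same switch ---
Set-VMNetworkAdapter -VMName $vm -PortMirroring Source
Set-VMNetworkAdapter -VMName 'IDS-SENSOR' -PortMirroring Destination

# --- Verify ---
Get-VMNetworkAdapter -VMName $vm | Select-Object RouterGuard, DhcpGuard, MacAddressSpoofing, PortMirroring
Get-VMNetworkAdapterExtendedAcl -VMName $vm | Format-Table Direction, Action, Protocol, LocalPort, Weight, Stateful
Get-VMNetworkAdapterVlan -VMName $vm
```

Extended ACLs are evaluated by weight (highest first), and a VM with only Allow rules is not filtered at all, so the low-weight Deny is what turns the list into an allow-list.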
Network adapter advanced features
Hardware acceleration:
• VMQ
• IPsec task offloading
• SR-IOV
• Determine scenarios and requirements for
implementing software-defined networking (SDN)
What is Software Defined Networking?
• Software Defined Networking enables you to:
• Virtualize the network layer in a datacenter
• Define polices for the physical and virtual networks
• Manage the virtualized network infrastructure

• The Microsoft Software Defined Networking solution includes:


• Network Controller
• Hyper-V Network Virtualization
• Hyper-V Virtual Switch
• RRAS Multitenant Gateway
• NIC Teaming
• System Center Operations Manager
• System Center Virtual Machine Manager
• Windows Server Gateway
What is network virtualization?
[Diagram: server virtualization runs a test virtual machine and a production virtual machine on one physical server; network virtualization runs a test network and a production network on one physical network.]
Server virtualization:
• Multiple virtual machines on the same physical server
• Each virtual machine is isolated from others
Network virtualization:
• Multiple virtual networks on the same physical network
• Each virtual network is isolated from others
What is Generic Routing Encapsulation (GRE)?
[Diagram: two tenants whose virtual machines use the same customer addresses (CA) 10.1.1.11 and 10.1.1.12, hosted on Hyper-V hosts with provider addresses (PA) 192.168.2.22 and 192.168.5.55. Each tenant packet travels inside an outer frame: MAC header, PA 192.168.2.22 to 192.168.5.55, GRE header with Key=5001 for the first tenant or Key=6001 for the second, then the inner CA packet 10.1.1.11 to 10.1.1.12. The key is what keeps the two tenants' identical CA packets apart on the shared physical network.]
• Customer address space is based on the virtual machine configuration
• Provider address space is based on the physical network and is not visible to the virtual machines
What are network virtualization policies?
• Define CA-PA mappings:
• Specify the Hyper-V server on which the virtual machines are running
• Hyper-V implements policies by translating incoming and outgoing packets
• If a virtual machine is moved, policies are modified, but the virtual machine configuration stays the same
Policy settings (CA, PA, VSID):
• Blue Yonder Airlines, VSID 5001: SQL CA 10.1.1.1 on PA 192.168.1.10; WEB CA 10.1.1.2 on PA 192.168.1.12
• Woodgrove Bank, VSID 6001: SQL CA 10.1.1.1 on PA 192.168.1.10; WEB CA 10.1.1.2 on PA 192.168.1.12
PA space (datacenter network): Hyper-V Host 1 = 192.168.1.10, Hyper-V Host 2 = 192.168.1.12
CA spaces: both tenants use 10.1.1.1 (SQL) and 10.1.1.2 (WEB); the VSID, not the address, identifies the tenant
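The GRE key from the encapsulation diagram and the VSID from the policy table are the same field: NVGRE (RFC 7637) carries a 24-bit VSID plus an 8-bit flow ID in the GRE key. The following added example (not code from the deck or from Hyper-V) builds and decodes that header for the two tenants above and resolves the CA-PA policy lookup; the flow ID value and the policy table layout are assumptions.

```powershell
# Added example, not from the original slides. Flow IDs and the policy-table shape are assumptions.
function New-NvgreHeader {
    param([Parameter(Mandatory)][int]$Vsid, [int]$FlowId = 0)
    if ($Vsid -lt 0 -or $Vsid -gt 0xFFFFFF) { throw 'VSID is a 24-bit value' }
    $key = ([int64]$Vsid -shl 8) -bor ($FlowId -band 0xFF)     # GRE key = VSID(24) | FlowID(8)
    $h = New-Object byte[] 8
    $h[0] = 0x20; $h[1] = 0x00                                   # flags: C=0 K=1 S=0, version 0
    $h[2] = 0x65; $h[3] = 0x58                                   # protocol type 0x6558, Transparent Ethernet Bridging
    $h[4] = ($key -shr 24) -band 0xFF; $h[5] = ($key -shr 16) -band 0xFF
    $h[6] = ($key -shr 8)  -band 0xFF; $h[7] =  $key -band 0xFF
    return ,$h
}

function Read-NvgreHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8) { throw 'Header too short' }
    $flags = ([int]$Bytes[0] -shl 8) -bor $Bytes[1]
    $proto = ([int]$Bytes[2] -shl 8) -bor $Bytes[3]
    if (($flags -band 0x2000) -eq 0 -or $proto -ne 0x6558) { throw 'Not an NVGRE header (K bit clear or wrong protocol type)' }
    $key = ([int64]$Bytes[4] -shl 24) -bor ([int64]$Bytes[5] -shl 16) -bor ([int64]$Bytes[6] -shl 8) -bor $Bytes[7]
    [pscustomobject]@{ Vsid = $key -shr 8; FlowId = $key -band 0xFF }
}

# The policy table from the slide: (VSID, CA) -> PA of the host running that VM
$policy = @{
    '5001|10.1.1.1' = '192.168.1.10'; '5001|10.1.1.2' = '192.168.1.12'   # Blue Yonder Airlines
    '6001|10.1.1.1' = '192.168.1.10'; '6001|10.1.1.2' = '192.168.1.12'   # Woodgrove Bank
}
function Resolve-ProviderAddress([int]$Vsid, [string]$CustomerAddress) {
    $pa = $policy["$Vsid|$CustomerAddress"]
    if (-not $pa) { throw "No policy for VSID $Vsid CA $CustomerAddress: packet is dropped, not routed" }
    $pa
}

# Two tenants send to the same CA 10.1.1.2; the key is the only thing that differs on the wire
$blueYonder = New-NvgreHeader -Vsid 5001 -FlowId 7
$woodgrove  = New-NvgreHeader -Vsid 6001 -FlowId 7
($blueYonder | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
foreach ($pkt in $blueYonder, $woodgrove) {
    $hdr = Read-NvgreHeader $pkt
    [pscustomobject]@{ Vsid = $hdr.Vsid; FlowId = $hdr.FlowId; DestinationPA = Resolve-ProviderAddress $hdr.Vsid '10.1.1.2' }
}
# A VSID with no policy entry is never forwarded: isolation is enforced by the lookup, not by the address
try { Resolve-ProviderAddress 7001 '10.1.1.2' } catch { $_.Exception.Message }
```

The lookup failing closed for an unknown VSID is the isolation property the slide describes: a tenant can put any CA it likes in its packets, but the host only encapsulates to PAs that the policy assigns to that tenant's VSID.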
Network Controller Overview
• Highly available and scalable server role
• Southbound API
• Northbound API (REST interface)
• Can manage:
Network Controller features
• IP subnets
• VLANs
• L2 and L3 switches
• Host NICs
Datacenter Firewall
• Highly scalable, manageable, and diagnosable software-based firewall
• Freedom to move tenant virtual machines to different compute hosts without breaking tenant firewall policies
Software Load Balancing
• Layer 4 load balancing for both "North-South" and "East-West" Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic
RAS Gateway
• Software-based, multitenant, BGP-capable router
RAS Gateway features:
• Addition and removal of gateway VMs
• Site-to-site VPN gateway connectivity by using IPsec
• Site-to-site VPN gateway connectivity by using GRE
• Point-to-site VPN gateway connectivity
• Layer 3 forwarding capability
• BGP routing
Network Controller Deployment Requirements
• You can only deploy Network Controller to the Windows Server 2016
Datacenter edition.
• The management client you use must be installed on a computer or
virtual machine running Windows 10, Windows 8.1, or Windows 8.
• You must configure dynamic DNS registration to enable registration of
required DNS records for Network Controller.
• If the computers or virtual machines running Network Controller or the
management client for Network Controller are joined to a domain, you
must:
o Create a security group that holds all the users that have permission to
configure Network Controller.
o Create a security group that holds all of the users that have permission to
configure and manage the network by using Network Controller.
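A three-node, Kerberos-authenticated Network Controller deployment using the two security groups the requirements call for, as an added example that is not from the deck. Node names, fault domains, the REST address, the group names and the certificate subject are assumptions.

```powershell
# Added example, not from the original slides. Names, addresses, groups and the certificate are assumptions.
# --- On each node (Windows Server 2016 Datacenter, domain-joined) ---
Install-WindowsFeature -Name NetworkController -IncludeManagementTools

# --- From the management client (Windows 10 / 8.1 / 8 with the NC cmdlets) ---
$nodes = @(
    New-NetworkControllerNodeObject -Name 'NC-01' -Server 'nc-01.corp.contoso.com' -FaultDomain 'fd:/rack1/host1' -RestInterface 'Ethernet'
    New-NetworkControllerNodeObject -Name 'NC-02' -Server 'nc-02.corp.contoso.com' -FaultDomain 'fd:/rack1/host2' -RestInterface 'Ethernet'
    New-NetworkControllerNodeObject -Name 'NC-03' -Server 'nc-03.corp.contoso.com' -FaultDomain 'fd:/rack2/host1' -RestInterface 'Ethernet'
)

# Certificate used to encrypt stored credentials and to serve the REST endpoint
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=nc.corp.contoso.com'

# Cluster: CORP\NC-Admins may configure Network Controller itself (the first required group)
Install-NetworkControllerCluster -Node $nodes -ClusterAuthentication Kerberos `
    -ManagementSecurityGroup 'CORP\NC-Admins' -CredentialEncryptionCertificate $cert

# Application: CORP\NC-Clients may manage the network through the REST API (the second required group).
# The REST IP floats between nodes; its DNS name must register dynamically as the requirements state.
Install-NetworkController -Node $nodes -ClientAuthentication Kerberos `
    -ClientSecurityGroup 'CORP\NC-Clients' -ServerCertificate $cert -RestIpAddress '10.0.0.100/24'

# --- Verify ---
Get-NetworkControllerCluster | Select-Object ClusterAuthentication, ManagementSecurityGroup
Get-NetworkController        | Select-Object ClientAuthentication, ClientSecurityGroup, RestIPAddress
Get-NetworkControllerNode    | Format-Table Name, Server, Status, FaultDomain
Resolve-DnsName -Name 'nc.corp.contoso.com'
```

Keep the two groups separate: NC-Admins can change the controller's own configuration (and therefore its authentication), while NC-Clients only drive the northbound API, which is the least-privilege split the deployment requirements are asking for.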
Learning Resources
Course 20741 - outline
Module 1
Planning and implementing an IPv4 network

Module 2
Implementing DHCP

Module 3
Implementing IPv6

Module 4
Implementing DNS

Module 5
Implementing and managing IPAM
Course 20741 outline, continued
Module 6
Remote access in Windows Server 2016

Module 7
Implementing DirectAccess

Module 8
Implementing VPNs

Module 9
Implementing networking for branch offices

Module 10
Configuring advanced networking features

Module 11
Implementing software-defined networking
Born To Learn Site http://borntolearn.mslearn.net/
TechNet https://technet.microsoft.com/
TechNet Virtual Labs https://technet.microsoft.com/en-us/virtuallabs/default
Microsoft Virtual Academy https://mva.microsoft.com/en-US/training-courses/whats-new-in-windows-server-2016