Six major topics make up the Microsoft 70-410 Certification. The topics are as follows:
Install and Configure Servers
Configure Server Roles and Features
Configure Hyper-V
Deploy and Configure Core Network Services
Install and Administer Active Directory
Create and Manage Group Policy
This guide will walk you through all the skills measured by the exam, as published by Microsoft.
OBJECTIVES
CHAPTER 1: INSTALL AND CONFIGURE SERVERS
1.1 Install servers
1.2 Configure servers
1.3 Configure local storage
CHAPTER 2: CONFIGURE SERVER ROLES AND FEATURES
2.1 Configure file and share access
2.2 Configure print and document services
2.3 Configure servers for remote management
CHAPTER 3: CONFIGURE HYPER-V
3.1 Create and configure virtual machine settings
3.2 Create and configure virtual machine storage
3.3 Create and configure virtual networks
CHAPTER 4: DEPLOY AND CONFIGURE CORE NETWORK SERVICES
4.1 Configure IPv4 and IPv6 addressing
4.2 Deploy and configure Dynamic Host Configuration Protocol (DHCP) service
4.3 Deploy and configure DNS service
CHAPTER 5: INSTALL AND ADMINISTER ACTIVE DIRECTORY
5.1 Install domain controllers
5.2 Create and manage Active Directory users and computers
5.3 Create and manage Active Directory groups and organizational units (OUs)
CHAPTER 6: CREATE AND MANAGE GROUP POLICY
6.1 Create Group Policy objects
6.2 Configure security policies
6.3 Configure application restriction policies
6.4 Configure Windows Firewall
CHAPTER 1 INSTALL AND CONFIGURE SERVERS
1.1 INSTALL SERVERS
Plan for a server installation
Server operating systems differ from a desktop OS in that they are often optimized for handling processes that run behind the scenes (background processes).
The Foundation version has a limitation of 15 user accounts and is available only for OEMs.
The Essentials version has a limit of 25 user accounts with support for preconfigured connectivity.
The Standard version has full Windows Server functionality with a maximum of two virtual instances.
The Datacenter version offers unlimited virtual instances.
Plan for server roles
A server can be configured to perform specific roles. The applications that the server runs determine the particular server's role. For a server to undertake a role, additional services and features will have to be installed. This is why the server's role is the single most important factor in determining the hardware that a server requires. Normally you add roles through the Server Manager Dashboard upon setup completion.
Plan for a server upgrade
If you are running Windows Server 2008 Standard with SP2 or Windows Server 2008 Enterprise with SP2, you may upgrade to Windows Server 2012 Standard and Windows Server 2012 Datacenter.
If you are running Windows Server 2008 Datacenter with SP2, you may upgrade to Windows Server 2012 Datacenter only.
If you are running Windows Web Server 2008, you may upgrade to Windows Server 2012 Standard only.
Install Server Core
When you install Server 2012, you may choose between Server Core Installation and Server with a GUI, which is the Full installation option. You can start with a Server with a GUI installation and then remove the Graphical Shell so the end result is a Minimal Server Interface.
Optimize resource utilization by using Features on Demand
Features on Demand is available only in Windows Server 2012 and Windows 8. The goal is to be able to remove or add roles and features remotely. For this to work there should be a side-by-side feature store available that keeps the feature files.
Migrate roles from previous versions of Windows Server
You can use the Windows Server Migration Tools to migrate roles. First you install Windows Server Migration Tools on the destination 2012 servers. Next, you create the deployment folders and copy them from the destination servers to the source servers. Finally, you register Windows Server Migration Tools on the source servers.
1.2 CONFIGURE SERVERS
Configure Server Core
If you are running a Server Core installation, you use sconfig to perform server configuration. It has a number of options for you to choose from. The tool presents a menu with options you can choose by pressing keys. You can set the domain name or workgroup name, set the computer name, add a new local admin and configure remote management. You can also configure Windows Update.
Delegate administration
The Enterprise Admins, Domain Admins, Administrators, and Account Operators groups can create new computer objects in any OU. Delegating the permission to create computer objects can reduce administrative overhead. This can be done by assigning the permission to an OU's group so that local members of that OU can create computer objects only in that OU. This is achieved via the Delegate Control Wizard.
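The same delegation done from PowerShell, as an added example that is not part of the study guide. It grants one group the right to create computer objects in one OU (the scoped equivalent of the Delegate Control Wizard) and then reads the ACL back so you can confirm nothing broader was granted. The OU distinguished name, the group name and the domain are assumed placeholders; the GUID is the schemaIDGUID of the computer object class.

```powershell
# Added example (not from the study guide): delegate "create computer objects" on one OU
# to one group, then verify the resulting ACE. OU, group and domain names are assumed.
Import-Module ActiveDirectory

$ouDn  = 'OU=Workstations,DC=corp,DC=example'      # assumed OU
$group = Get-ADGroup 'Workstation-Joiners'           # assumed group (create it first)
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# schemaIDGUID of the "computer" class. CreateChild restricted to this GUID means
# "may create computer objects" and nothing else: no users, groups or OUs.
$computerClassGuid = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path "AD:\$ouDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this OU and sub-OUs
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: list only the ACEs that name the delegated group. A reviewer should see
# CreateChild with the computer-class ObjectType, and no GenericAll / WriteDacl entries.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*Workstation-Joiners' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
```

The wizard's "Create computer objects" task produces this same ACE; scripting it makes the delegation repeatable across OUs and leaves a record of exactly what was granted.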
Add and remove features in offline images
In DISM you can switch from a Server with a GUI installation to Server Core. From an elevated command prompt you run dism /online /disable-feature /featurename:ServerCore-FullServer.
To switch from Server Core to the Server with a GUI you run dism /online /enable-feature /featurename:ServerCore-FullServer /featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt.
To reboot the server, run shutdown -r -f.
Deploy roles on remote servers
To install, configure and uninstall server roles locally, use Server Manager or Windows PowerShell. Remotely you may use Server Manager, Remote Server, RSAT, or Windows PowerShell. RSAT in particular provides you with Server Manager, MMC snap-ins, consoles and PowerShell cmdlets that run on Windows Server. There are many different versions of RSAT, supporting from Vista to Windows Server 2012.
Convert Server Core to/from full GUI
To convert to a Server Core installation, you run Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart. On the other hand, to convert from a core-only installation to a server with a GUI you run Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart.
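The GUI/Core conversion and Features on Demand together, as an added example that is not from the study guide. It wraps the cmdlets above in functions so that the two directions are explicit, and shows the -Remove switch, which is what actually deletes the feature payload from the side-by-side store (rather than just disabling the feature), and the -Source parameter needed to bring it back. The share \\fileserver\sxs, the mount directory and the image index are assumed placeholders.

```powershell
# Added example (not from the study guide): Server with a GUI <-> Server Core, plus
# Features on Demand. Share, mount path and image index below are assumed values.
Import-Module ServerManager

function Show-GuiFeatureState {
    # InstallState is Installed, Available (disabled, payload still on disk)
    # or Removed (payload deleted from the side-by-side store).
    Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell |
        Select-Object Name, InstallState
}

function Convert-ToServerCore {
    # -RemovePayload = Features on Demand: the files leave the disk, which is what
    # reduces the attack surface; without it the GUI can be re-enabled offline.
    param([switch]$RemovePayload)
    $params = @{ Name = 'Server-Gui-Mgmt-Infra'; Restart = $true }
    if ($RemovePayload) { $params['Remove'] = $true }
    Uninstall-WindowsFeature @params
}

function Restore-ServerGui {
    # Once the payload is removed, re-installing needs a source: a share holding
    # the sources\sxs folder of install.wim (assumed: \\fileserver\sxs) or Windows Update.
    param([string]$Source)
    $params = @{ Name = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'; Restart = $true }
    if ($Source) { $params['Source'] = $Source }
    Install-WindowsFeature @params
}

# The offline-image route the section title refers to: mount a WIM, toggle features, commit.
# (Index 2 and C:\mount are assumed.)
function Set-OfflineImageGui {
    param([string]$Wim = 'D:\install.wim', [int]$Index = 2, [string]$MountDir = 'C:\mount')
    dism /Mount-Image /ImageFile:$Wim /Index:$Index /MountDir:$MountDir
    dism /Image:$MountDir /Disable-Feature /FeatureName:Server-Gui-Shell
    dism /Unmount-Image /MountDir:$MountDir /Commit
}

# Usage (each online call restarts the server):
# Show-GuiFeatureState
# Convert-ToServerCore -RemovePayload
# Restore-ServerGui -Source '\\fileserver\sxs'
```

Check Show-GuiFeatureState before and after: a state of Removed, not Available, is the proof that Features on Demand actually took the payload off the box.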
Configure services
Windows Server will start Server Manager automatically upon installation completion and then at every server startup. Server Manager is the primary console for server configuration and management. You can manage both the local server and the networked servers via Server Manager. You can configure whether Server Manager should be invoked every time you start the server. You can also set how often it refreshes the information it displays.
Configure NIC teaming
NIC teaming refers to the process of grouping together multiple physical NICs into a single logical NIC for achieving fault tolerance and load balancing. Link aggregation through LACP in the form of NIC teaming is not the same as MPIO. It cannot improve the throughput of a single I/O flow. It does improve throughput when you have several unique flows. Windows Server 2012 has built-in support for NIC Teaming. It can be enabled via Server Manager. A maximum of 32 physical adaptors can be used together. Note that Windows Server 2012 supports teaming as a Hyper-V switch port if your virtual machines are using independent MAC addresses.
Alternatively, a hash can be created based upon components of the packet, and then assignment can be made dynamically to the available network adapters. In the case of VMs, each Hyper-V switch port associated with a virtual machine that is teaming-capable must allow MAC spoofing.
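Building the team from PowerShell, as an added example that is not part of the study guide. It creates a switch-independent team whose load balancing hashes packet components (the mode the paragraph above describes), binds a Hyper-V switch to it, and enables MAC spoofing for one VM only. Adapter names NIC1/NIC2, the team and switch names and the VM name web01 are assumed placeholders.

```powershell
# Added example (not from the study guide): a two-member team, a Hyper-V switch on top of
# it, and per-VM MAC spoofing. Adapter, team, switch and VM names are assumed.
Import-Module NetLbfo

# Switch-independent mode needs no LACP configuration on the physical switch.
# TransportPorts hashes IP addresses + TCP/UDP ports, so distinct flows spread across
# members while any single flow stays on one NIC (hence no gain for one large transfer).
New-NetLbfoTeam -Name 'Team-LAN' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# Health check: every member should be Active; a Failed member means you are running
# without the redundancy you think you have.
Get-NetLbfoTeamMember -Team 'Team-LAN' |
    Select-Object Name, AdministrativeMode, OperationalStatus

# Bind the external virtual switch to the team interface, not to a physical adapter.
New-VMSwitch -Name 'vSwitch-Teamed' -NetAdapterName 'Team-LAN' -AllowManagementOS $false

# A VM that teams its own virtual NICs needs MAC spoofing on its switch port. Grant it
# per VM and only where needed: a spoofing-enabled port lets that guest send frames with
# any source MAC, so it should never be the default for every VM on the switch.
Set-VMNetworkAdapter -VMName 'web01' -MacAddressSpoofing On

# Audit which VMs have it on.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.MacAddressSpoofing -eq 'On' } |
    Select-Object VMName, SwitchName, MacAddressSpoofing
```

The last query is worth running periodically: MAC spoofing is required for guest teaming, but it is also the setting that lets a compromised guest impersonate other hosts on the segment, so the list of VMs allowed to do it should stay short and known.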
1.3 CONFIGURE LOCAL STORAGE
Design storage spaces
Partitioning refers to the process of creating virtual markers that separate drive letters. A partition table is the list of what partitions have been configured on a drive. A file system, on the other hand, is a data structure that an operating system uses to keep track of files on a disk or partition. One may create folders to organize data into groups and to store data hierarchically on the hard disk. Keep in mind, disks are physical, whereas storage pools and volumes are logical.
The Storage Services role is part of File and Storage Services and is installed by default.
Configure basic and dynamic disks
The 2012 Server Manager has a disk management section. The three things you can manage through the UI are Volumes, Disks and Storage Pools. Right-clicking on a volume will display options such as fixing file errors, extending the volume and assigning drive letters. You can even analyze and optimize (defrag) the drives via the GUI.
Configure MBR and GPT disks
These are the highlights of the differences between the two:
Master Boot Record (MBR) disks support a maximum of 4 partition table entries.
MBR disk partitions and logical drives are usually created based on the reported cylinder boundaries.
GUID Partition Table (GPT) comes with the Unified Extensible Firmware Interface (UEFI) standard.
GPT disks can have very large sizes.
On Windows you can have a maximum of 128 partitions per GPT disk.
Basic disks and dynamic disks can support MBR as well as GPT disks.
Manage volumes
NTFS 5 is the native file system for Windows 2012. NTFS 5 has many features for security, quota management, disk compression and volume mounting.
Transactional NTFS allows file operations to be performed in a transactional manner, with support for full atomic, consistent, isolated, and durable semantics for transactions. Self-healing NTFS can correct disk file corruptions online without requiring Chkdsk.exe to be run manually.
A storage pool is a collection of volumes. A volume is the basic unit of storage that represents an allocated space on a disk. The key is flexibility; storage can be expanded as needed when you add new drives.
Create and mount virtual hard disks (VHDs)
Virtual Hard Disk (VHD) is a file format for specifying a virtual hard disk to be encapsulated in a single file. It is not the same as Hyper-V. VHD works on almost all CPU types. Hyper-V does not work on incompatible processors.
The virtual hard disk format is either dynamically expanding or fixed. VHD Boot starts Windows from a Virtual Hard Disk file. This VHD file is mounted as a virtual disk but can be used just like a normal hard disk drive.
Configure storage pools and disk pools
A storage pool allows you to mix and match different drives for storage purposes. A pool acts as a container. You can create a storage pool via the GUI. If you prefer using PowerShell for creating the storage pools, you must first use the Get-StorageSubSystem cmdlet.
The pool created can be easily expanded by adding new disks. The pool can also be divided into spaces that are used like physical disks. In fact, within a pool you can create virtual disks which are known as spaces.
Data deduplication eliminates redundant data in storage pools.
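The PowerShell route the text mentions, carried through end to end, as an added example that is not from the study guide: subsystem first, then pool, then a space inside it, then a usable volume, then deduplication on that volume. Pool, space and label names and the drive letter are assumed placeholders.

```powershell
# Added example (not from the study guide): Storage Spaces from the Storage module in the
# order the text gives. Names and the drive letter are assumed values.
Import-Module Storage

# 1. The subsystem that owns Storage Spaces on this host; pools are created under it.
$subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'

# 2. Unpartitioned disks that are not yet in any pool are the only poolable ones.
$poolable = Get-PhysicalDisk -CanPool $true
if (-not $poolable) { throw 'No poolable disks found' }
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemUniqueId $subsystem.UniqueId `
    -PhysicalDisks $poolable

# 3. A "space" (virtual disk) carved from the pool. Mirror survives one disk failure;
#    thin provisioning lets the logical size exceed what the pool holds today.
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Space1' `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 200GB

# 4. Treat the space like a physical disk: GPT, one partition, NTFS.
$disk = Get-VirtualDisk -FriendlyName 'Space1' | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter S |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

# 5. Growing the pool later is a single call (shown, not run):
# Add-PhysicalDisk -StoragePoolFriendlyName 'Pool1' -PhysicalDisks (Get-PhysicalDisk -CanPool $true)

# 6. Deduplication needs its feature installed, then is enabled per volume.
Install-WindowsFeature -Name FS-Data-Deduplication
Enable-DedupVolume -Volume 'S:'
Get-DedupStatus -Volume 'S:' | Select-Object Volume, SavedSpace, OptimizedFilesCount

# Health view: a pool or space not reporting Healthy/OK is the first thing to check
# when a mirrored space has silently lost one of its disks.
Get-StoragePool -FriendlyName 'Pool1' | Select-Object FriendlyName, HealthStatus, OperationalStatus
Get-VirtualDisk -FriendlyName 'Space1' | Select-Object FriendlyName, HealthStatus, ResiliencySettingName
```

Thin provisioning is what makes "the pool can be expanded as needed" work in practice: the space is created at its intended size and the pool is fed disks as consumption grows, so watch the pool's free capacity rather than the volume's.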
CHAPTER 2 CONFIGURE SERVER ROLES AND FEATURES
2.1 CONFIGURE FILE AND SHARE ACCESS
Create and configure shares
Simple network folder sharing can be managed via the Network and Sharing Center. The Network and Sharing Center is an interface for basic networking setup as well as network discovery, connection status and file sharing.
You can create a folder share simply by right-clicking on the folder and choosing the appropriate sharing option. You can also manage shared folders via Computer Management. Alternatively, from Server Manager's File and Storage section you can right-click on a server and choose New Share to invoke the New Share Wizard.
Configure share permissions
Advanced sharing and offline files can be configured by right-clicking on a file and choosing Share with > Advanced sharing. Server Manager's File and Storage section can also be used to manage storage resources and shares on local or remote servers in real time.
With the File Server Resource Manager installed, you can configure a number of advanced file share settings such as security, encryption and caching. Keep in mind:
Share permissions apply only when a user is accessing a file or folder non-locally. They can be applied on a user or on a group level.
Assigning permissions on a group basis is always recommended.
Individual permissions and group permissions are combined to form the user's effective permissions.
Configure offline files
Offline Files make network files available even when a network connection to the server is either unavailable or very slow. For the sake of performance you should create a root share on the server, let the system create the users' folders and then synchronize files at logoff via Folder Redirection with Offline Files. For security purposes you want to create a security group for those users who have redirected folders on a particular share and accordingly limit access only to those users.
Configure NTFS permissions
NTFS permissions allow you to assign permissions more granularly at the folder and file level. Keep in mind: file permissions always take precedence over folder permissions. You can always set these by right-clicking on a file or folder and configuring the desired permissions from Properties.
Configure access-based enumeration (ABE)
Access-based enumeration (ABE) is a built-in feature that can display only the files and folders that a user has permissions to read. It works only when viewing files and folders in a shared folder. When you use the New Share Wizard, there is an option to enable it.
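A share built the way the three subsections above recommend, as an added example that is not from the study guide: group-based permissions, NTFS permissions set underneath the share, access-based enumeration and SMB encryption on, and a read-back of what was applied. The folder path, share name and the two group names are assumed placeholders.

```powershell
# Added example (not from the study guide): share + NTFS + ABE in one go.
# Path, share name and group names are assumed values.
Import-Module SmbShare

$path  = 'D:\Shares\Projects'
$share = 'Projects$'                 # trailing $ hides the share from casual browsing
$rw    = 'CORP\Projects-RW'          # assumed groups; grant to groups, never to users
$ro    = 'CORP\Projects-RO'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS first: stop inheriting from D:\Shares, drop the inherited ACEs, grant only the groups.
# (OI)(CI) = applies to files and subfolders; M = Modify, RX = Read & execute, F = Full.
icacls $path /inheritance:r
icacls $path /grant:r "${rw}:(OI)(CI)M" "${ro}:(OI)(CI)RX" 'BUILTIN\Administrators:(OI)(CI)F'

# Share permissions: remote access gets the more restrictive of share and NTFS, so giving
# the RW group Full here is fine because NTFS (Modify) is the effective ceiling.
# -FolderEnumerationMode AccessBased is ABE; -EncryptData protects the SMB session.
New-SmbShare -Name $share -Path $path -FullAccess $rw -ReadAccess $ro `
    -FolderEnumerationMode AccessBased -EncryptData $true -CachingMode Manual

# Read back both layers, which is what you compare against the design when auditing.
Get-SmbShare -Name $share | Select-Object Name, Path, FolderEnumerationMode, EncryptData, CachingMode
Get-SmbShareAccess -Name $share | Select-Object AccountName, AccessControlType, AccessRight
icacls $path
```

Two things to look for in the read-back: no "Everyone" entry on the share, and no inherited ACEs from the parent folder that would quietly widen access beyond the two groups.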
Configure Volume Shadow Copy Service (VSS)
VSS aims to create a consistent shadow copy of the data to be backed up. The VSS service ensures that all VSS components can communicate with each other properly. You should know these VSS components and terms:
The VSS requester requests the actual creation of shadow copies through a backup application.
The VSS writer ensures there is a consistent data set to back up.
The VSS provider creates and maintains the shadow copies via software or hardware.
Complete copy means making a complete, full and read-only copy of the original volume.
Copy-on-write makes a differential copy.
Redirect-on-write does not make any changes to the original volume.
Configure NTFS quotas
Through Computer Management's Disk Management you can set quotas and create custom quota entries. It works even if your server has not joined AD.
Quota management is not enabled by default but you can enable it by hand. In fact, Server Manager's File and Storage section can be used to set soft or hard space limits on a volume or folder tree. You may also create and apply quota templates with standard quota properties.
2.2 CONFIGURE PRINT AND DOCUMENT SERVICES
Configure the Easy Print print driver
Easy Print is for terminal service printing. It allows users to print from a Terminal Services RemoteApp program or a terminal server desktop session using the correct local printer. The "Redirect only the default client printer" policy setting can be used to specify whether the default client printer is the only printer to be redirected in Terminal Services sessions.
Configure Enterprise Print Management
To provide a printing service, the Print Spooler service must be running. Whenever something is wrong with the print queue, problems can often be solved by stopping and restarting the spooler.
Configure Drivers
Printer device configuration is done via the Devices and Printers folder located in the Control Panel. Once a printer is added, you can right-click it to configure sharing and other parameters. Instead of configuring on a per-printer basis, you can manage printer drivers and permissions at the print server level. When there is a printing issue, the log for the PrintService event channel can be very helpful with troubleshooting.
Configure printer pooling
Printer pooling requires that you create a logical printer formed by a group of actual physical printers that use the exact same driver. Print users cannot choose the actual physical printer to use. You can configure pooling via the Windows printer configuration applet of the Control Panel.
Configure print priorities
Setting printing priorities involves changing the order of document printing. You must have the Manage Documents permission to make the changes. From within Printers and Faxes you can go into a specific printer's queue, right-click on the desired document and then change its priority level.
Configure printer permissions
All users can pause, resume, restart, or cancel printing of their own documents. However, the Manage Documents permission is required to manipulate other people's print jobs. If you have the Manage Printers permission, you can pause or resume printing at the printer level.
2.3 CONFIGURE SERVERS FOR REMOTE MANAGEMENT
Configure WinRM
Windows Remote Management (WinRM) implements the WS-Management protocol, which is a standard Simple Object Access Protocol (SOAP) based protocol. It facilitates the interoperation of different hardware and operating systems.
Computers that run Windows with WinRM will have management data supplied by Windows Management Instrumentation (WMI). If your remote connection is behind a firewall, make sure connections on port 3389 are allowed.
Configure down-level server management
Managing down-level servers means managing remote servers running Windows Server 2008 R2 SP1 full server, Server Core, or Windows Server 2008 SP2 full server. You must ensure they have Windows Management Framework (WMF) 3.0 properly installed. For a Server Core managed server, there are several features to install using DISM, including:
NetFx2-ServerCore
MicrosoftWindowsPowerShell
NetFx2-ServerCore-WOW64
MicrosoftWindowsPowerShell-WOW64
Configure servers for day-to-day management tasks
The Routing and Remote Access Server has three sub-roles, which are Remote Desktop Services Connection Broker, Licensing and Virtualization. You may add roles through the Server Manager Dashboard upon setup completion.
From Control Panel's System Properties you can enable remote desktop connections to a server. Setting Remote Desktop sessions to run over an encrypted channel is considered best practice as it can prevent viewing of a session. It is recommended to always use strong passwords with any accounts that have access to Remote Desktop.
Configure multi-server management
If you have multiple Administrator accounts in place, try to limit remote access only to those accounts that actually need it. You should use Local Security Policy to set account lockouts for them.
Before creating a subscription to collect events on a computer, configure both the collecting computer and the computer from which events will be collected. Also note the following:
You run the winrm quickconfig command on the source computer.
You use the wecutil qc command on the collector computer.
You add the computer account of the collector computer to the local Administrators group of the source computer.
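The three subscription steps above written out as one function per side, plus the subscription definition that wecutil qc prepares the collector for, as an added example that is not from the study guide. It forwards logon events (Security 4624/4625/4672) to the collector's ForwardedEvents log. The host names srv01 and collector01, the domain CORP and the subscription name are constructed placeholders.

```powershell
# Added example (not from the study guide): collector-initiated event forwarding.
# Host names, domain and subscription name are constructed placeholders.

function Initialize-EventSource {
    # Run on the SOURCE computer (the one whose events are collected).
    param([string]$CollectorAccount = 'CORP\COLLECTOR01$')   # collector's computer account
    winrm quickconfig -q                      # WinRM listener + its firewall exception
    # The text's step: the collector's machine account joins local Administrators.
    # (Event Log Readers is the narrower built-in group if Security-log read is all you need.)
    net localgroup Administrators $CollectorAccount /add
}

function Initialize-EventCollector {
    # Run on the COLLECTOR computer.
    param([string[]]$Sources = @('srv01.corp.example'))
    wecutil qc /q                             # configure and start the Windows Event Collector
    $sourcesXml = ($Sources | ForEach-Object { "<EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join ''
    $subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/windows/events/eventforwarding">
  <SubscriptionId>Logon-Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
    </Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>$sourcesXml</EventSources>
</Subscription>
"@
    $file = Join-Path $env:TEMP 'logon-events.xml'
    Set-Content -Path $file -Value $subscription -Encoding ASCII
    wecutil cs $file                          # create the subscription from the file
    wecutil gr Logon-Events                   # runtime status: each source should read Active
}

# Usage: Initialize-EventSource on srv01, then Initialize-EventCollector on collector01,
# then watch the ForwardedEvents log on the collector:
# Get-WinEvent -LogName ForwardedEvents -MaxEvents 20
```

CredentialsType Default is what ties the two sides together: the collector connects as its own computer account, which is exactly the account the source step adds to Administrators. If wecutil gr shows a source as inactive, that membership (or the WinRM listener on the source) is the first thing to check.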
Configure Server Core
To install, configure or uninstall server roles remotely you may use Server Manager, Remote Server, RSAT, or Windows PowerShell. The Server Core installation option allows installing Windows Server with a minimal environment for running specific server roles. Everything is done via the command prompt, which cuts down the maintenance and management requirements as well as the attack surface.
Through the RSAT tools you can manage computers running Server 2012, Server 2008 R2, Server 2008, or Server 2003. By default the RSAT tools will only open the ports and enable the services that are required for remote management to function.
Configure Windows Firewall
Windows Firewall can be configured via the Windows Firewall with Advanced Security interface or the netsh advfirewall command. You may also access it via the Control Panel. It works by examining each message and/or packet that passes through it and blocks those that do not meet the specified security criteria.
Network Location and Windows Firewall are in theory mutually independent. The configuration of Windows Firewall would largely be based on the current network category or categories. When connected to a Public network, only Core Networking rules will be enabled.
Within the netsh advfirewall context, the firewall subcommand can be used to change to the proper firewall context so you can view, create, and modify firewall rules.
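The netsh advfirewall context in use, with its NetSecurity cmdlet equivalents, as an added example that is not from the study guide: read the active profile, set block-inbound defaults with logging, add a rule scoped to a management subnet and to the Domain/Private profiles only (so it stays dormant on a Public network, as the paragraph above notes), and review which inbound allow rules are open to any address. The management subnet 10.0.100.0/24 and the rule names are assumed placeholders.

```powershell
# Added example (not from the study guide): view, set and create with netsh advfirewall,
# then the same with the NetSecurity module. Subnet and rule names are assumed values.

# --- netsh advfirewall ---
# View: which profile is active right now, and the per-profile state.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles state

# Set: block inbound by default on every profile and log what gets dropped
# (the log is the raw material for spotting scans and misconfigured clients).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable

# Create: inside the "firewall" subcontext. Scoped to the management subnet and to the
# Domain/Private profiles, so the rule is not active while on a Public network.
netsh advfirewall firewall add rule name="Mgmt-RDP" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.100.0/24 profile=domain,private
netsh advfirewall firewall show rule name="Mgmt-RDP"

# --- NetSecurity cmdlets (Windows Server 2012 and later) ---
Import-Module NetSecurity
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block `
    -DefaultOutboundAction Allow -LogBlocked True
New-NetFirewallRule -DisplayName 'Mgmt-WinRM' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5985 -RemoteAddress 10.0.100.0/24 -Profile Domain, Private

# Review: enabled inbound allow rules whose remote scope is "Any" deserve a second look.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile, Group
```

Scoping management rules by remoteip and by profile is the part people skip; a rule that allows TCP 3389 from any address on every profile is the common finding when a server is later found reachable from somewhere it should not be.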
CHAPTER 3 CONFIGURE HYPER-V
3.1 CREATE AND CONFIGURE VIRTUAL MACHINE SETTINGS
Configure dynamic memory
With Dynamic Memory, there is no need to stop and restart a VM when the memory size is changed. It also distributes memory more efficiently, which could be a performance drawback, thus requiring an increase to the size of the page file in the guest OS. You may also need to increase the memory buffer configured for the VM. Keep in mind: you must have adequate RAM to avoid experiencing performance problems.
Note that by default, the minimum RAM value is the same as that of the Startup RAM.
Configure smart paging
Smart Paging uses the hard disk as an option for providing the memory required by a VM if the physical RAM is insufficient. Using this technique, a failure to load may occur when the memory requests are too high at a given time. This should only be used as a temporary fix because using hard drive space as memory has a noticeable performance impact.
Configure Resource Metering
Resource metering allows you to track system resource usage for your VM. It is not enabled by default, though. You can activate it via Enable-VMResourceMetering. Statistics are collected once every hour by default, or as dictated by the ResourceMeteringSaveInterval option. To display the data, use Measure-VM.
Configure guest integration services
Integration Services aim to optimize the virtual environment drivers. They work by replacing the generic operating system driver files for components such as the mouse, keyboard, display, network and SCSI controller. They also synchronize the system time between the guest and host OS. File interoperability and heartbeat are also implemented. The Data Exchange Service can set, and also get information from, a VM running in a child partition. The Guest Shutdown Service can make a shutdown request from the parent partition to the child partition through WMI calls.
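The Dynamic Memory, Smart Paging and Resource Metering settings from 3.1 applied to one VM, as an added example that is not from the study guide. The VM name web01, the Smart Paging path and the chosen sizes are assumed placeholders.

```powershell
# Added example (not from the study guide): Dynamic Memory, Smart Paging file location and
# Resource Metering for one VM. VM name, path and sizes are assumed values.
Import-Module Hyper-V
$vm = 'web01'

# Dynamic Memory: Startup is what the guest boots with, Minimum how far it may shrink,
# Maximum the ceiling, Buffer the percentage of headroom Hyper-V tries to keep free.
# Minimum defaults to Startup, so it is set explicitly here. The VM must be off to change
# StartupBytes; Minimum/Maximum/Buffer can be changed while it runs.
Set-VMMemory -VMName $vm -DynamicMemoryEnabled $true `
    -StartupBytes 1GB -MinimumBytes 512MB -MaximumBytes 4GB -Buffer 20

# Smart Paging: where the host pages the VM's memory during a restart that physical RAM
# cannot satisfy. Fast, local, non-shared storage; this is a bridge, not a memory upgrade.
Set-VM -Name $vm -SmartPagingFilePath 'D:\Hyper-V\SmartPaging'

# Resource Metering: off by default, enabled per VM; save interval defaults to one hour.
Enable-VMResourceMetering -VMName $vm
Set-VM -Name $vm -ResourceMeteringSaveInterval (New-TimeSpan -Minutes 30)

# After the VM has run for a while, read the aggregates.
Measure-VM -VMName $vm |
    Select-Object VMName, AvgCPU, AvgRAM, MaxRAM, TotalDisk, MeteringDuration

# Reset at the start of a new accounting period; Disable-VMResourceMetering turns it off.
Reset-VMResourceMetering -VMName $vm

# Confirm the memory settings took effect.
Get-VMMemory -VMName $vm | Select-Object VMName, DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer
```

Metering is also a cheap anomaly signal: a VM whose AvgCPU or TotalDisk jumps well above its history between two Measure-VM readings is worth a look before it is worth a bill.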
3.2 CREATE AND CONFIGURE VIRTUAL MACHINE STORAGE
Create VHDs and VHDX
With VHD, all the actual data is stored in a single file, of which you can run only one instance at a time. This is because it absorbs almost all of the processing power of the host computer. Note that VHDs have a size limit of 2040 GB. One way to create a VHD is to use diskpart at the command prompt. First you invoke the diskpart command, then you use the create vdisk command.
VHDX is the format to use if you want to go over 2040 GB in size. VHDX is also resilient to power failure. When using the New VM Wizard you can choose which you prefer: VHD or VHDX.
You can set a VHD to a fixed size or make it dynamic. A dynamic VHD is slower and may become more easily fragmented. However, it uses space as needed and is therefore smaller in general.
Configure differencing drives
To create a VHD via the Windows GUI, open Computer Management's Disk Management section. Create VHD can be selected from the Action menu. A dynamically expanding VHD can have a maximum size that is larger than the available free space on the drive.
Note that in the context of VHD, attaching means mounting while detaching means dismounting.
Modify VHDs
You can expand the size of a VHD through diskpart. First make sure that the VHD is detached. Then select it via the select vdisk file= command, then type expand vdisk maximum= to specify the new size.
The Edit Wizard can be used to modify an existing VHD as well.
A differencing configuration is useful when you have an image serving as a parent VHD that you prefer not to modify. All modifications to the image will be made to a separate child VHD. In order to create a differencing VHD, use the parent option with the create vdisk command or via the GUI.
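The diskpart sequence from 3.2 (create vdisk, select vdisk file=, expand vdisk maximum=, the parent option) as a repeatable script, beside the Hyper-V cmdlets that do the same job, as an added example that is not from the study guide. Paths under D:\VHD and the sizes are assumed placeholders.

```powershell
# Added example (not from the study guide): diskpart and Hyper-V cmdlet routes for
# creating, expanding and differencing VHDX files. Paths and sizes are assumed values.

# --- diskpart, fed from a script file (sizes in MB; expand only while detached) ---
$steps = @"
create vdisk file="D:\VHD\base.vhdx" maximum=40960 type=expandable
select vdisk file="D:\VHD\base.vhdx"
expand vdisk maximum=81920
create vdisk file="D:\VHD\child.vhdx" parent="D:\VHD\base.vhdx"
"@
Set-Content -Path "$env:TEMP\vhd.txt" -Value $steps -Encoding ASCII
diskpart /s "$env:TEMP\vhd.txt"

# --- Hyper-V module ---
Import-Module Hyper-V
New-VHD -Path 'D:\VHD\base2.vhdx' -SizeBytes 40GB -Dynamic        # dynamically expanding
Resize-VHD -Path 'D:\VHD\base2.vhdx' -SizeBytes 80GB              # must not be attached
New-VHD -Path 'D:\VHD\child2.vhdx' -ParentPath 'D:\VHD\base2.vhdx' -Differencing

# Order matters: the child is created AFTER the parent reaches its final size. Any later
# write or resize of the parent invalidates every child, so make the parent read-only
# and verify the link before a VM ever uses the child.
Set-ItemProperty -Path 'D:\VHD\base2.vhdx' -Name IsReadOnly -Value $true
Get-VHD -Path 'D:\VHD\child2.vhdx' | Select-Object Path, ParentPath, VhdType, Size, FileSize

# Attach = mount, detach = dismount. Mount read-only when you only need to inspect contents,
# e.g. pulling files out of a disk image during an investigation without altering it.
Mount-VHD -Path 'D:\VHD\base2.vhdx' -ReadOnly
Get-Disk | Where-Object Location -eq 'D:\VHD\base2.vhdx' | Get-Partition
Dismount-VHD -Path 'D:\VHD\base2.vhdx'
```

Get-VHD's VhdType reports Dynamic, Fixed or Differencing, and ParentPath on the child is the link the text describes; FileSize versus Size shows how little a dynamic disk occupies on the host until data is written.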
Configure pass-through disks
Pass-through disks are not virtualized. This is a feature intended to provide the fastest possible disk performance. Due to the restrictive drawbacks it has, its support is minimal in Windows Server 2012. In fact, it is supported during Hyper-V Live Migration if, and only if, the VM being migrated and the pass-through disk are managed by the same Hyper-V cluster. These are becoming obsolete.
Manage snapshots
A Hyper-V snapshot captures the state of a VM at a given time. This snapshot can then be used to restore the VM if necessary. To create one you simply select a VM to capture from within the Hyper-V Manager interface and then select Snapshot from the Actions pane. You may take a maximum of 50 snapshots of a VM. Note that snapshot files are AVHD/AVHDX files. Each VHD file will act as a parent to its AVHD file. Similarly, each VHDX file will act as a parent to its AVHDX file.
Implement a virtual Fibre Channel adapter
Virtual Fibre Channel for Hyper-V allows the guest OS to have direct access to a SAN via a standard World Wide Name (WWN) that is associated with a VM. This allows you to use Fibre Channel SANs to virtualize the workloads accessing the SAN. In particular it uses the existing N_Port ID Virtualization (NPIV) T11 standard for mapping multiple virtual N_Port IDs to a single physical Fibre Channel N_Port. A new NPIV port is created on the host whenever you start a VM configured with a virtual HBA.
3.3 CREATE AND CONFIGURE VIRTUAL NETWORKS
Implement Hyper-V Network Virtualization
Hyper-V is a server role that provides tools and services one can use to create a virtualized server computing environment. You add this role via Server Manager's Add Roles. You may also add features for managing it.
From within the Create Virtual Networks page you can also select the LAN adapters you want to have shared with your guest sessions. A Hyper-V host server MUST run on a 64-bit system. An external network provides communication between a virtual machine and a physical network. An internal network provides communication between the virtualization server and virtual machines within the same server system. A private network provides communication between virtual machines only.
A virtual switch can combine both the internal and the external network switch segments. With direct addressing, a guest session can connect directly to the backbone of the network. The virtual server can act as a switch that connects all guest sessions together.
Configure Hyper-V virtual switches
A network virtual switch in the context of Hyper-V runs at the data link layer. There is a MAC table with the layer 2 addresses of all the VMs connected to it. The two possible switch modes are Trunk Mode and Access Mode.
The possible types of virtual switches are External, Private and Internal. Only External and Internal virtual switches can run in Trunk Mode and Access Mode. The number of internal virtual switches that can be created is not limited by default.
Optimize network performance
As said before, with direct addressing a guest session can connect directly to the backbone of the network. For it to work you need to configure an external connection in the Virtual Network Manager. You also must have a valid IP address on that external segment.
To keep the guest session isolated from the network, set up an internal connection using an IP address of a segment that is common to the other guest sessions on the same host system.
Configure MAC addresses
VM MAC addresses can be static or dynamic. By default, the MAC address is set to Dynamic. If you need the MAC address to become static, you must stop the VM first.
Configure network isolation
If there are VLANs connected to your Hyper-V platform, each of your VMs must have a correct VLAN tag for the network interfaces in use. You may want to use PowerShell to set the necessary VLAN parameters. Use Set-VMNetworkAdapterVlan to set all of the VLAN-related settings.
Configure synthetic and legacy virtual network adapters
If you have an older OS to virtualize, you may want to ensure compatibility via Set-VMProcessor -CompatibilityForOlderOperatingSystemsEnabled $true.
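The switch types, VLAN isolation, static MAC and legacy-OS settings from 3.3 applied with the Hyper-V module, as an added example that is not from the study guide. Switch names, the physical adapter NIC1, the VMs web01/legacy01 and the MAC address are constructed placeholders.

```powershell
# Added example (not from the study guide): External/Internal/Private switches, access and
# trunk VLAN modes, a static MAC, and legacy-guest settings. Names are constructed values.
Import-Module Hyper-V

# External = VMs <-> physical LAN (the host keeps a vNIC unless -AllowManagementOS $false).
New-VMSwitch -Name 'vSwitch-External' -NetAdapterName 'NIC1' -AllowManagementOS $true
# Internal = host <-> VMs on this host only. Private = VMs <-> VMs; the host cannot see it.
New-VMSwitch -Name 'vSwitch-Internal' -SwitchType Internal
New-VMSwitch -Name 'vSwitch-Private'  -SwitchType Private

# Access mode: web01's frames are tagged VLAN 20 and it cannot see other VLANs.
Connect-VMNetworkAdapter -VMName 'web01' -SwitchName 'vSwitch-External'
Set-VMNetworkAdapterVlan -VMName 'web01' -Access -VlanId 20
# Trunk mode is only for a guest that legitimately needs several VLANs (a virtual
# router or firewall); a trunked port on an ordinary server VM defeats the isolation.
# Set-VMNetworkAdapterVlan -VMName 'fw01' -Trunk -AllowedVlanIdList '10,20,30' -NativeVlanId 10

# Static MAC: the VM has to be off first. 00-15-5D is the Hyper-V OUI; the rest is made up.
Stop-VM -Name 'web01'
Set-VMNetworkAdapter -VMName 'web01' -StaticMacAddress '00155D0A1401'
Start-VM -Name 'web01'

# Older guest: processor compatibility plus a legacy (emulated) adapter, which works
# without integration services and can PXE boot; synthetic adapters need the drivers.
Set-VMProcessor -VMName 'legacy01' -CompatibilityForOlderOperatingSystemsEnabled $true
Add-VMNetworkAdapter -VMName 'legacy01' -SwitchName 'vSwitch-Internal' -IsLegacy $true

# Isolation review for every VM on the host: switch, MAC handling, spoofing, VLAN.
Get-VM | Get-VMNetworkAdapter |
    Select-Object VMName, SwitchName, MacAddress, DynamicMacAddressEnabled, MacAddressSpoofing
Get-VM | Get-VMNetworkAdapterVlan | Select-Object VMName, OperationMode, AccessVlanId
```

The two review queries at the end are the ones to keep: a VM on the wrong switch, in trunk mode, or with spoofing on is a one-line finding here and a long hunt in a packet capture.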
CHAPTER 4 DEPLOY AND CONFIGURE CORE NETWORK SERVICES
4.1 CONFIGURE IPV4 AND IPV6 ADDRESSING
Configure IP address options
In order to configure protocols and addresses for the network interfaces from File Explorer, you right-click on Network and choose Properties.
An IP address is the unique numeric ID assigned to a network interface. IPv4 is 32-bit, whereas IPv6 is 128-bit. The gateway address is typically a router's address. In a Class A address, the first octet is the network portion. In a Class B address, the first two octets are the network portion. In a Class C address, the first three octets are the network portion. Class D addresses are for multicast, while Class E addresses are reserved. Private IP addresses are non-routable and are for private use only.
An IPv6 address space has 128 bits. There are two major 64-bit parts: the network prefix and the interface ID. The exam, however, has limited coverage of IPv6.
Configure subnetting
A subnet mask has four bytes, thus totaling 32 bits. The subnet mask is written using dotted-decimal notation, with the leftmost bits always set to the value of 1. By applying a subnet mask to an IP address you effectively split the address into two parts.
Variable Length Subnet Masks (VLSM) allow for the use of a long mask on networks with few hosts and a short mask on subnets with relatively more hosts.
Configure supernetting
Classless Inter-Domain Routing (CIDR) is also known as supernetting. It improves address space utilization by having an IP network represented by a prefix. With CIDR, you specify an IP address range using a combination of an IP address and a network mask.
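The subnetting, VLSM and supernetting arithmetic from the three subsections above, worked in PowerShell with nothing but [IPAddress] and 64-bit integer math, as an added example that is not from the study guide. It goes slightly beyond the text by also laying out a VLSM plan for several host counts. The addresses are constructed RFC 1918 examples.

```powershell
# Added example (not from the study guide): mask, network, broadcast and host range for a
# CIDR block, a VLSM allocator, and a supernet check. Addresses are constructed examples.

function ConvertTo-Int64Address ([string]$Ip) {
    # Dotted-decimal -> integer; GetAddressBytes() is already in network (big-endian) order.
    $b = ([IPAddress]$Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-Int64Address ([int64]$N) {
    $octets = for ($i = 3; $i -ge 0; $i--) { [int]([math]::Floor($N / [math]::Pow(256, $i)) % 256) }
    $octets -join '.'
}

function Get-Subnet {
    # '10.20.30.77/26' -> the block that address belongs to.
    param([string]$Cidr)
    $ipText, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    $size   = [int64][math]::Pow(2, 32 - $prefix)   # addresses in the block
    $mask   = 4294967296 - $size                     # leftmost $prefix bits set to 1
    $net    = (ConvertTo-Int64Address $ipText) -band $mask   # AND splits network from host part
    [pscustomobject]@{
        Network     = ConvertFrom-Int64Address $net
        Mask        = ConvertFrom-Int64Address $mask
        Prefix      = $prefix
        Broadcast   = ConvertFrom-Int64Address ($net + $size - 1)
        FirstHost   = ConvertFrom-Int64Address ($net + 1)
        LastHost    = ConvertFrom-Int64Address ($net + $size - 2)
        UsableHosts = [math]::Max($size - 2, 0)
    }
}

function New-VlsmPlan {
    # Carve one block into subnets sized for each host count. Largest first keeps every
    # subnet on its own alignment boundary: long masks for small networks, short for large.
    param([string]$Block, [int[]]$HostCounts)
    $base   = Get-Subnet $Block
    $cursor = ConvertTo-Int64Address $base.Network
    $end    = ConvertTo-Int64Address $base.Broadcast
    foreach ($hosts in ($HostCounts | Sort-Object -Descending)) {
        $prefix = 32 - [int][math]::Ceiling([math]::Log($hosts + 2, 2))   # +2: network and broadcast
        $size   = [int64][math]::Pow(2, 32 - $prefix)
        if ($cursor + $size - 1 -gt $end) { throw "$Block cannot fit a subnet for $hosts hosts" }
        $subnet = Get-Subnet ('{0}/{1}' -f (ConvertFrom-Int64Address $cursor), $prefix)
        $subnet | Add-Member -MemberType NoteProperty -Name Needed -Value $hosts
        $subnet
        $cursor += $size
    }
}

# Subnetting: the /26 that 10.20.30.77 falls in.
Get-Subnet '10.20.30.77/26'
# Supernetting (CIDR): 192.168.0.0 to 192.168.3.255 summarised as one /22.
Get-Subnet '192.168.2.55/22'
# VLSM: 100, 50, 10 and 2 hosts carved out of one /24.
New-VlsmPlan -Block '10.20.30.0/24' -HostCounts 100, 50, 10, 2 |
    Format-Table Network, Prefix, Mask, Needed, UsableHosts
```

The first call places 10.20.30.77 in 10.20.30.64/26 (broadcast .127, 62 usable hosts) and the second shows the four /24s collapsing to 192.168.0.0/22; the VLSM call yields a /25, a /26, a /28 and a /30 laid end to end from 10.20.30.0. The same arithmetic is what you use to check that a firewall rule's remoteip or a DHCP scope's exclusion range actually covers the hosts you think it does.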
Configure interoperability between IPv4 and IPv6
Windows Server 2012 supports IPv4 and IPv6. Both are installed and enabled by default. You may tunnel IPv6 traffic through an IPv4 network and vice versa.
Configure ISATAP
There are transition technologies you may consider if you are not ready for IPv6. ISATAP allows unicast communication between IPv6/IPv4 hosts across your IPv4 intranet.
Windows Server 2012 can be configured to act as an ISATAP router. Virtual IP addresses (VIPs) allow you to use cluster-based Network Load Balancing. Neighbor Unreachability Detection (NUD) can protect against routing loops.
Configure Teredo
6to4 allows unicast communications to take place between IPv6/IPv4 hosts and IPv6-capable sites through the Internet. Teredo is similar to 6to4 and can work even when there are private IPv4 addresses and NAT devices involved. IP-HTTPS permits IPv6 to be tunneled using HTTP with SSL as a transport.
To use Teredo, you need to have two consecutive static public IPv4 addresses on your outside-facing network interface. You can use the Set-DAServer cmdlet with -TeredoState Enabled to turn on Teredo for DirectAccess.
4.2 DEPLOY AND CONFIGURE DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SERVICE
Create and configure scopes
A DHCP scope refers to an administrative grouping of IP addresses. You may first create a scope for each physical subnet, then use the scope to further define the parameters to be used by your clients. Each scope has a range of IP addresses, a subnet mask and a scope name. You use the New Scope Wizard to create one.
Each subnet can have only one DHCP scope with a single continuous range of IP addresses. To use multiple address ranges within a single scope you have to carefully configure the required exclusion ranges, or conflicts will occur.
Configure a DHCP reservation
A client reservation is an IP address reserved for permanent use by a specific DHCP client. When multiple DHCP servers are configured with a scope that covers the range of the reserved IP address, you should manually make the same client reservation at each of the involved DHCP servers. Also, if you try to reserve an address that is already in use, the client using the address must first release it. This can be done via ipconfig /release. When specific DHCP options are configured for a reserved client, the values will override anything distributed via other assignment methods.
Configure DHCP options
DHCP scope options are configured for assignment to DHCP clients, such as a DNS server address, router address, WINS server address, etc. Server options apply to all scopes and clients of a DHCP server. Scope options apply only to clients of a selected applicable scope. Reservation options apply only to a specific reserved DHCP client. Class options apply to member clients of a specified user or vendor class. User classes group clients that have been identified as having a common need for certain options configuration. Vendor classes provide vendor-specific options to clients. Most of the time you should only use scope options to assign most options clients need. Note that when the DHCP service is installed, there are no default DHCP option definitions created, so they must be configured manually.
For BOOTP to work there must be a BOOTP table. By default this table is empty. DHCP can provide assignment to BOOTP clients, but these clients can only obtain an IP address lease at boot time. Lease expiration times should be set accordingly so the lease will not expire before the client reboots.
Configure client and server for PXE boot
In order to support PXE Network Boot, there must be a working DHCP server with scope options 066 and 067 configured, plus a TFTP server and an NFS server. The job of DHCP in this scenario is to provide the PXE-enabled host with the correct TFTP host and boot file name.
Configure DHCP relay agent
A DHCP Relay Agent can relay DHCP messages between clients and servers on different subnets. Keep in mind, DHCP is broadcast-based and therefore cannot be routed unless facilitated by RFC 1542 compliant relay agents. You may enable the DHCP Relay Agent feature via RRAS, where it is listed as a routing protocol. Note there is an agent for IPv4 and another for IPv6. However, both of them cannot run simultaneously within the DHCP service on the same computer.
Authorize DHCP server
For a domain-joined DHCP member server, you may use the DHCP MMC console to authorize the server. If it is not authorized it will not lease addresses to clients. This is done for the sake of security. If located on a workgroup server, authorization is not necessary. If located on a domain controller, it is typically automatically authorized.
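The scope, exclusion, reservation, option levels, PXE options 066/067 and authorization steps from 4.2 done with the DhcpServer module, as an added example that is not from the study guide. The subnet 10.20.30.0/24, the MAC address, host names and server names are constructed placeholders.

```powershell
# Added example (not from the study guide): one scope end to end, then authorization.
# Subnet, MAC, host and server names are constructed values.
Import-Module DhcpServer

# Scope: one per physical subnet, a single contiguous range. Exclusions carve holes for
# statically addressed devices instead of trying to run a second range in the scope.
Add-DhcpServerv4Scope -Name 'LAN 10.20.30.0' -StartRange 10.20.30.10 -EndRange 10.20.30.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.20.30.0 -StartRange 10.20.30.10 -EndRange 10.20.30.29

# Reservation: address fixed to one client, identified by its MAC. Repeat it on every
# DHCP server that serves this scope, as the text says, or the servers will disagree.
Add-DhcpServerv4Reservation -ScopeId 10.20.30.0 -IPAddress 10.20.30.40 `
    -ClientId '00-15-5D-0A-14-01' -Name 'printer01' -Description 'constructed example'

# Option levels, most specific wins: reservation > scope > server.
Set-DhcpServerv4OptionValue -DnsDomain 'corp.example'                              # server-wide
Set-DhcpServerv4OptionValue -ScopeId 10.20.30.0 -Router 10.20.30.1 `
    -DnsServer 10.20.30.5, 10.20.30.6                                              # scope (3 = router, 6 = DNS)
Set-DhcpServerv4OptionValue -ReservedIP 10.20.30.40 -Router 10.20.30.2             # this client only

# PXE: 066 = boot server host name, 067 = boot file name (wdsnbp.com is the WDS loader).
Set-DhcpServerv4OptionValue -ScopeId 10.20.30.0 -OptionId 66 -Value 'wds01.corp.example'
Set-DhcpServerv4OptionValue -ScopeId 10.20.30.0 -OptionId 67 -Value 'boot\x64\wdsnbp.com'

# Authorization in AD: an unauthorized domain-joined server refuses to lease, which is
# the built-in guard against an accidental or rogue DHCP server on the segment.
Add-DhcpServerInDC -DnsName 'dhcp01.corp.example' -IPAddress 10.20.30.5
Get-DhcpServerInDC                                                                 # every authorized server in the forest

# Read back the scope and its effective options.
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, State, StartRange, EndRange, LeaseDuration
Get-DhcpServerv4OptionValue -ScopeId 10.20.30.0 | Select-Object OptionId, Name, Value
```

Get-DhcpServerInDC is also a useful periodic check: a name in that list that nobody recognises is a DHCP server that can hand out its own router and DNS options to every client that asks.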
4.3 DEPLOY AND CONFIGURE DNS SERVICE
Configure Active Directory integration of primary zones
You use DNS Manager to invoke the New Zone Wizard. It is always recommended that the DNS zones be integrated with AD (due to the many benefits offered by AD, such as AD DS-integrated replication of updates). Note that only primary zones can be stored in AD. Secondary zones can only be stored in text files.
Configure forwarders
When a new DNS server is not also serving as a domain controller, you may configure it by first creating a forward and (optionally) a reverse lookup zone, then deciding whether queries will be forwarded to other servers. You can choose to designate a DNS server on your local network as a forwarder by configuring the forwarding of queries. A conditional forwarder is one that forwards DNS queries according to the DNS domain name involved (only some, but not all, queries will be forwarded).
Configure Root Hints
Through root hints you may prepare servers that are authoritative for a non-root zone so that it is possible for them to discover authoritative servers at a higher level. This is needed on DNS servers that are authoritative at lower levels of the namespace. You may configure root hints (located in the properties of the DNS server) via the DNS Manager console.
The root hints file is in fact the cache hints file. This file is text-based and contains host information for resolving names outside of the authoritative DNS domains.
Manage DNS cache
Caching means the DNS servers can remember the results from earlier resolutions. With proper caching it is possible to reduce WAN traffic since requests can be satisfied via the cache. However, it is sometimes necessary to use ipconfig /flushdns to flush the cache. The DNS Manager GUI also has the Clear Cache option when you right-click on a server.
The advanced option known as "Secure cache against pollution" is for preventing an attacker from polluting the DNS cache.
Create A and PTR resource records
DNS records can be created via the DNS Manager console. You simply right-click on a zone and then choose from the options available. A host resource record is for associating the DNS domain name of a computer with an IP address. You need to have such a resource record for a computer sharing resources that needs to be identified by its DNS domain name.
When you create a new host record (A or AAAA), you have the option to also create an associated PTR record automatically. PTR resource records created this way will be deleted if the corresponding host record is deleted.
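The 4.3 tasks with the DnsServer module, as an added example that is not from the study guide: an AD-integrated forward and reverse zone with secure-only dynamic updates, forwarders and a conditional forwarder, cache pollution protection and a cache flush, and an A record created together with its PTR. Zone names, addresses and the partner domain are constructed placeholders.

```powershell
# Added example (not from the study guide): zones, forwarders, cache and A/PTR records.
# Names and addresses are constructed values.
Import-Module DnsServer

# AD-integrated primary zone replicated to every DNS server in the domain. Secure-only
# dynamic updates mean only authenticated computers can register or overwrite records.
Add-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Domain -DynamicUpdate Secure
# Matching reverse zone for 10.20.30.0/24, so -CreatePtr below has somewhere to write.
Add-DnsServerPrimaryZone -NetworkId '10.20.30.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# Forwarders take everything this server is not authoritative for; with -UseRootHint $false
# it will not fall back to the root servers if the forwarders are down. A conditional
# forwarder sends only one partner domain's queries to that partner's DNS servers.
Set-DnsServerForwarder -IPAddress 10.0.0.53, 10.0.0.54 -UseRootHint $false
Add-DnsServerConditionalForwarderZone -Name 'partner.example' -MasterServers 192.0.2.10 -ReplicationScope Domain

# Cache: "Secure cache against pollution" discards answers for names outside the queried
# domain. Flush after changing upstream servers or when investigating a suspect answer.
Set-DnsServerCache -PollutionProtection $true
Clear-DnsServerCache -Force

# Host record with its PTR created at the same time, as the text describes.
Add-DnsServerResourceRecordA -ZoneName 'corp.example' -Name 'web01' -IPv4Address 10.20.30.80 -CreatePtr

# Verify both directions resolve, and review the server-wide settings in one place.
Resolve-DnsName -Name 'web01.corp.example' -Server localhost -Type A
Resolve-DnsName -Name '10.20.30.80' -Server localhost -Type PTR
Get-DnsServerResourceRecord -ZoneName '30.20.10.in-addr.arpa' -RRType Ptr
Get-DnsServerCache | Select-Object PollutionProtection, MaxTtl, MaxNegativeTtl
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
```

Get-DnsServerCache and Get-DnsServerForwarder are the two read-backs to keep in a baseline: pollution protection silently turned off, or a forwarder address nobody recognises, are both small changes with large consequences for every client that uses the server.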
CHAPTER 5 INSTALL AND ADMINISTER ACTIVE DIRECTORY
5.1 INSTALL DOMAIN CONTROLLERS
Add or remove a domain controller from a domain
You need to install the Active Directory Domain Services (AD DS) role on the server to allow it to act as a Domain Controller. After this you need to promote the server to a domain controller. You use the AD DS Installation Wizard to achieve this.
When the first Windows Server 2012-based Domain Controller is introduced, the forest will operate by default at the lowest functional level that is possible. When you raise the functional level, newer advanced features become available, but this is at the expense of compatibility. Keep in mind: you cannot have AD DS installed on a server that also runs the Hyper-V Server role.
Upgrade a domain controller
Domain controllers that run Windows 2000 Server must be removed. You should first raise the forest functional level to Windows Server 2003 (or higher), install domain controllers that run Windows Server 2012, and then remove domain controllers that run earlier versions of Windows.
In order to install the first Windows Server 2012 domain controller in an existing domain or forest, this server must have proper connectivity to the existing schema master. To install or remove a domain in a forest there must be connectivity to the domain naming master. On a domain controller that you plan to upgrade to Windows Server 2012, make sure you size the drive properly. The drive that hosts NTDS.DIT must have sufficient free space to allow the upgrade to go through. This is about 20% of the size of the DIT file.
Install Active Directory Domain Services (AD DS) on a Server Core installation
In Windows Server 2012, command-line installation of AD relies on the ADDSDeployment module of Windows PowerShell. Adprep is fully integrated into the AD DS installation so you do not need to run it manually.
The Active Directory Module for Windows PowerShell is installed by default when the AD DS server role is added on a 2012 server; there is no additional step required other than adding the server role. AD DS can be installed on a Server Core installation, and is often recommended for read-only domain controllers in smaller branch offices.
On a Server Core installation, you add the Active Directory Domain Services role via Install-WindowsFeature AD-Domain-Services -IncludeManagementTools. To promote the Server Core server, use Install-ADDSDomainController -DomainName mydomain.com -InstallDNS:$True -Credential (Get-Credential). You will be asked to supply a logon credential with domain admin rights.
Install a domain controller from Install from Media (IFM)
You can use the Ntdsutil tool's ifm command to create installation media for installing additional domain controllers. This minimizes data replication over the network. For this to work, you have to log on to a domain controller interactively. You must also be able to make a backup. Since IFM will create a temp database in the %TMP% folder, make sure you have enough free drive space; approximately 110% of the size of the existing AD DS.
Resolve DNS SRV record registration issues
Service (SRV) records are resource records. They indicate the resources that perform a particular service. All domain controllers are referenced by SRV records. In fact, through these records the domain controllers can advertise the services they provide. An SRV record must be ready for the services of _kerberos and _ldap. If your DNS server is NOT running Windows, you should verify the SRV locator resource records through examining the Netlogon.dns file.
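A quick way to check the _ldap and _kerberos locator records the paragraph describes, and to re-register them when one is missing, is shown below. This is an added example and not from the study guide; the domain name is a constructed placeholder, while the record names are the standard _msdcs locator names.

```powershell
# Added example (not from the study guide): verify the DC locator SRV records for a
# domain and, if any are missing, make Netlogon re-register them. The domain name
# is a constructed placeholder.
function Test-DcSrvRecords {
    param([string]$Domain = "corp.example.com")
    $queries = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain"
    )
    $missing = @()
    foreach ($q in $queries) {
        $rr = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue
        if (-not $rr) { $missing += $q; continue }
        $rr | Where-Object Type -eq 'SRV' |
            ForEach-Object { Write-Host ("{0} -> {1}:{2}" -f $q, $_.NameTarget, $_.Port) }
    }
    return $missing
}

$missing = Test-DcSrvRecords
if ($missing.Count -gt 0) {
    Write-Warning "Missing SRV records: $($missing -join ', ')"
    # On the affected DC: force Netlogon to re-register its records. The set it
    # registers is also written to netlogon.dns, which is the file you load into a
    # non-Windows DNS server by hand.
    nltest /dsregdns
    Get-Content "$env:SystemRoot\System32\config\netlogon.dns" | Select-String "_kerberos|_ldap"
}
```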
Configure a global catalog server
A global catalog (GC) is a domain controller. Every AD has at least one. It stores a copy of all Active Directory objects in a forest. It enables and facilitates user searches for directory information throughout all domains. It also resolves user principal names when the authenticating domain controller doesn't have knowledge of the involved account. It also helps other domain controllers to validate references to those objects that belong to other domains in the forest. In a single-domain forest all domain controllers can respond to authentication or service requests, so you have less worry regarding GC placement. There is no need to have a GC at a location that does not use applications that are GC-dependent. However, roaming users will need to contact a GC whenever they log on for the first time at any location. To add a GC, use the Active Directory Sites and Services console.
5.2 CREATE AND MANAGE ACTIVE DIRECTORY USERS AND COMPUTERS
Automate the creation of Active Directory accounts
You can create, edit and delete AD directory objects using ldifde from within an elevated command prompt (i.e. Run as administrator). You can use an import file to automate object creation. In particular you can create user account objects from an .ldf file. The CSVDE command can serve a similar purpose, but you need to supply .CSV files containing the user account data.
Create, copy, configure, and delete users and computers
You use the AD Users and Computers console or the new Active Directory Administrative Center (ADAC) UI to create new resources, AD users, printers, shares and OUs. On the other hand, you use the AD Sites and Services console to create and manage sites. Note that to use the former you must log on as a domain administrator.
Configure templates
To allow objects to be created easily, you can create template objects. You simply create objects as usual with commonly used properties and DISABLE the account. Then whenever you need to use the template for object creation you simply COPY it.
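The console's Copy action has a scripted equivalent, New-ADUser -Instance, which takes the attribute values of an existing (here disabled) template object. The script below is an added example, not from the study guide; the OU, group and account names are constructed placeholders.

```powershell
# Added example (not from the study guide): a disabled template account and a copy
# made from it with New-ADUser -Instance. OU, group and names are constructed.
Import-Module ActiveDirectory
$ou = "OU=Sales,DC=corp,DC=example,DC=com"

# 1. Template: commonly used attributes set, account disabled, clearly named.
New-ADUser -Name "_Template-SalesUser" -SamAccountName "tpl.sales" -Path $ou `
    -Department "Sales" -Company "Example Corp" -Enabled $false `
    -Description "Template only - do not enable"
Add-ADGroupMember -Identity "Sales-Staff" -Members "tpl.sales"

# 2. Copy: -Instance supplies the template's attribute values (only the properties
#    retrieved here are copied); identity attributes must be given explicitly, and
#    the explicit -Enabled overrides the template's disabled state.
$template = Get-ADUser -Identity "tpl.sales" -Properties Department, Company
New-ADUser -Instance $template -Name "Jane Doe" -SamAccountName "jdoe" `
    -UserPrincipalName "jdoe@corp.example.com" -Path $ou `
    -AccountPassword (Read-Host "Initial password" -AsSecureString) `
    -ChangePasswordAtLogon $true -Enabled $true

# 3. Group membership is not an attribute copy; replicate it as the console does.
Get-ADPrincipalGroupMembership "tpl.sales" | Where-Object Name -ne "Domain Users" |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members "jdoe" }
```

Requesting only Department and Company with -Properties is deliberate: it keeps the template's "Template only" description from being copied onto the real account.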
Perform bulk Active Directory operations
Batch operations in AD can be performed using the LDIFDE utility or ADSI/VBScript. The former makes use of the LDAP Data Interchange Format (LDIF) file, which is an Internet draft standard file format for performing batch operations on directories. Active Directory Services Interfaces (ADSI) can be used to write directory-enabled applications. VBScript can be used to write simple scripts using a VB-like language.
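A worked LDIFDE import, serving both the "Automate the creation of Active Directory accounts" item above and this one: the script writes a constructed .ldf file and a constructed .csv file, imports them with ldifde and csvde, and then sets passwords and enables the accounts. This is an added example, not the study guide's; the DNs, names, DC name and C:\import path are placeholders.

```powershell
# Added example (not from the study guide): bulk user creation with ldifde and
# csvde from constructed input files. DNs, names, DC name and paths are placeholders.
Import-Module ActiveDirectory

# userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE. A plain (non-LDAPS)
# ldifde import cannot set unicodePwd, so the accounts are created disabled and
# only enabled once a password has been set below.
$ldf = @"
dn: CN=Alice Smith,OU=Sales,DC=corp,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: asmith
userPrincipalName: asmith@corp.example.com
givenName: Alice
sn: Smith
displayName: Alice Smith
userAccountControl: 514

dn: CN=Bob Jones,OU=Sales,DC=corp,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: bjones
userPrincipalName: bjones@corp.example.com
givenName: Bob
sn: Jones
displayName: Bob Jones
userAccountControl: 514
"@
$ldf | Set-Content -Path "C:\import\users.ldf" -Encoding ASCII

# -i import, -f input file, -k continue on "already exists" errors,
# -j log directory (ldif.log / ldif.err), -s target domain controller.
ldifde -i -f "C:\import\users.ldf" -k -j "C:\import" -s dc01.corp.example.com

# The same shape for csvde: header row of attribute names, one object per line.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,userAccountControl
"CN=Carol White,OU=Sales,DC=corp,DC=example,DC=com",user,cwhite,cwhite@corp.example.com,Carol,White,Carol White,514
"@
$csv | Set-Content -Path "C:\import\users.csv" -Encoding ASCII
csvde -i -f "C:\import\users.csv" -k -j "C:\import"

# Finish: set an initial password, force a change at first logon, then enable.
foreach ($sam in "asmith", "bjones", "cwhite") {
    Set-ADAccountPassword -Identity $sam -Reset `
        -NewPassword (Read-Host "Password for $sam" -AsSecureString)
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
}
```

The blank line between LDIF entries is part of the format; ldifde treats it as the record separator, and a missing one is the usual cause of an import that creates only the first object.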
Configure user rights
AD user rights can be configured via the AD Users and Computers console by right-clicking the desired user object and then choosing Properties. From the Security tab, click Advanced to view all of the permission entries that exist and make changes accordingly.
Offline domain join
Offline Domain Join is implemented through Djoin.exe. You use it to join a computer to a domain without physically contacting a domain controller. You first run djoin /provision to create the necessary computer account metadata, which is saved in a .txt file. Then you run djoin /requestODJ to insert the computer account metadata into the directory. Once you reboot the destination computer, the computer will be joined to AD. DirectAccess offline domain join further allows Windows Server 2012 or Windows 8-based computers to join AD remotely.
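The two djoin steps in sequence, with the verification a practitioner would add afterwards. This is an added example, not from the study guide; the domain, machine name, OU and C:\odj path are constructed placeholders.

```powershell
# Added example (not from the study guide): offline domain join with djoin.exe.
# Domain, machine name, OU and file paths are constructed placeholders.

# --- Step 1, on a domain-joined admin workstation or DC: provision ---------------
# Creates the computer account in AD and writes its metadata, including the machine
# account password, to a blob file. Treat that file as a credential.
djoin /provision /domain corp.example.com /machine CLIENT01 `
      /machineou "OU=Workstations,DC=corp,DC=example,DC=com" `
      /savefile C:\odj\CLIENT01.txt
# /reuse re-provisions an existing account; /policynames adds DirectAccess
# policies to the blob for Windows 8 / Windows Server 2012 clients.

# --- Step 2, on the target computer with no DC reachable: request the join -------
# /localos targets the running OS; point /windowspath at a mounted image instead
# to join an offline image.
djoin /requestODJ /loadfile C:\odj\CLIENT01.txt /windowspath $env:SystemRoot /localos
Restart-Computer

# --- Step 3, after the reboot: confirm the join and remove the blob --------------
(Get-WmiObject Win32_ComputerSystem).PartOfDomain   # True once the join is applied
Test-ComputerSecureChannel                          # True once a DC is reachable
Remove-Item C:\odj\CLIENT01.txt -Force
```

Deleting the blob is the step most often skipped: it contains everything needed to authenticate as that computer account until the machine password next rotates.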
Manage inactive and disabled accounts
To clean up inactive accounts, you should use dsquery. Through dsquery you can query the directory using specific search criteria. For example, you can use dsquery computer with -inactive/-disabled to search for computer accounts that are effectively inactive/disabled. Dsquery user can do the same with user accounts.
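The dsquery clean-up above, carried through to the action a practitioner would actually take: disable and quarantine first, delete only after review. This is an added example, not from the study guide; the inactivity threshold and quarantine OU are constructed.

```powershell
# Added example (not from the study guide): find stale computer and user accounts
# with dsquery, disable rather than delete them, and list what is already disabled.
# The threshold (weeks) and quarantine OU are constructed placeholders.
$inactiveWeeks = 12
$quarantineOu  = "OU=Quarantine,DC=corp,DC=example,DC=com"

# dsquery prints quoted DNs one per line; strip the quotes so the DN can be passed
# on as a single argument. -limit 0 removes the default cap of 100 results.
$staleComputers = dsquery computer -inactive $inactiveWeeks -limit 0 | ForEach-Object { $_.Trim('"') }
$staleUsers     = dsquery user     -inactive $inactiveWeeks -limit 0 | ForEach-Object { $_.Trim('"') }

foreach ($dn in $staleComputers) {
    # Disable first and move aside; a wrong guess is then reversible.
    dsmod computer $dn -disabled yes
    dsmove $dn -newparent $quarantineOu
}
foreach ($dn in $staleUsers) {
    dsmod user $dn -disabled yes
    dsmove $dn -newparent $quarantineOu
}

# Already-disabled accounts that are not in quarantine deserve a review too.
dsquery user -disabled -limit 0 |
    Where-Object { $_ -notmatch [regex]::Escape($quarantineOu) }
dsquery computer -disabled -limit 0
```

The -inactive value is in weeks and is evaluated against lastLogonTimestamp, which replicates only every 9 to 14 days, so a threshold below a few weeks produces false positives.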
5.3 CREATE AND MANAGE ACTIVE DIRECTORY GROUPS AND ORGANIZATIONAL UNITS (OUS)
Configure group nesting
Group nesting is adding a group as a member of another group. This is useful for consolidating member accounts. By default, when you nest a group within another, the user rights are automatically inherited. Note that groups with universal scope can have other groups with universal scope as well as groups with global scope from any domain. Groups with global scope can have other groups with global scope from the same domain. Groups with domain local scope can have groups with universal scope as well as groups with global scope from any domain. They can also have groups with domain local scope from within the same domain.
Convert groups including security, distribution, universal, domain local, and domain global
Distribution groups are for use with email distribution lists, while security groups are for assigning permissions to shared resources. You may use dsmod group to convert between group types. Groups with domain local scope are for managing access to resources within a single domain. Groups with global scope are for managing directory objects that require frequent maintenance. They are never replicated to other domains. Groups with universal scope are for consolidating groups that span across multiple domains.
Manage group membership using Group Policy
Group Policy can be used to configure computer and user settings within networks based on the Active Directory Domain Services (AD DS). For Group Policy to work, your network must be based on AD DS and the computers you want to manage must be joined to the domain. You must also have the relevant permissions to create and edit the policy objects.
Enumerate group membership
You may use dsget group to show the properties and members of a group. This task can be automated using a script.
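One script covering the three group items above (nesting, converting type and scope with dsmod group, and enumerating with dsget group), following the scope rules the guide lists. This is an added example, not from the study guide; the group names and DNs are constructed placeholders.

```powershell
# Added example (not from the study guide): group nesting in the accounts -> global
# -> domain local -> resource pattern, conversion with dsmod group, and enumeration
# with dsget group. All group names and DNs are constructed placeholders.
$base    = "DC=corp,DC=example,DC=com"
$sales   = "CN=Sales-Staff,OU=Groups,$base"        # global security group for accounts
$fsRead  = "CN=FS01-Finance-Read,OU=Groups,$base"  # domain local group on the resource ACL
$allSale = "CN=All-Sales,OU=Groups,$base"          # distribution list, converted below

# Create: -scope g|l|u (global, domain local, universal), -secgrp yes|no.
dsadd group $sales   -scope g -secgrp yes -desc "Sales employees"
dsadd group $fsRead  -scope l -secgrp yes -desc "Read on \\fs01\finance"
dsadd group $allSale -scope u -secgrp no  -desc "Sales mailing list"

# Nest: the global group becomes a member of the domain local group, so the
# rights granted to FS01-Finance-Read flow to every Sales-Staff member.
dsmod group $fsRead -addmbr $sales

# Convert: distribution -> security, then universal -> global. The scope change
# only succeeds if the group has no universal groups as members.
dsmod group $allSale -secgrp yes
dsmod group $allSale -scope g

# Enumerate: -members lists direct members, -expand walks the nesting.
dsget group $fsRead -members -expand

# Scripted audit of who effectively holds the resource right: each expanded member
# DN is checked as a user (group DNs simply produce no row).
dsget group $fsRead -members -expand | ForEach-Object { $_.Trim('"') } |
    Where-Object { $_ } |
    ForEach-Object { dsget user $_ -samid -disabled 2>$null }
```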
Delegate the creation and management of Active Directory objects
With delegation of administration, the responsibility for specific AD administrative tasks is transferred to those who must perform the respective tasks only. Simply put, high-level administrators authorize the delegated lower-level staff administrators to perform specific administrative tasks. When you design your OU structure you should consider the factor of delegation.
Manage default Active Directory containers
Every domain contains a standard set of default containers created during AD installation. A domain container is the root container of the hierarchy. A Builtin container keeps the default service administrator accounts. The Users container keeps new user accounts and groups created for the domain. The Computers container keeps the new computer accounts created. The Domain Controllers OU provides a default location for the computer accounts of the domain controllers.
Note there is no way to apply Group Policy settings to the default Users and Computers containers. You must first create new OUs, move the desired user and computer objects to the new OUs and then apply the desired group policy.
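The delegation item and the default-container item above are two sides of the same OU design, so one script serves both: it creates OUs, redirects where new user and computer accounts land so they are covered by Group Policy, moves the existing objects, and delegates a narrow set of rights with dsacls. This is an added example, not from the study guide; the OU names, domain and helpdesk group are constructed placeholders.

```powershell
# Added example (not from the study guide): an OU structure that supports Group
# Policy and least-privilege delegation. Domain, OU and group names are constructed.
Import-Module ActiveDirectory
$base = "DC=corp,DC=example,DC=com"

New-ADOrganizationalUnit -Name "Workstations" -Path $base -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Staff"        -Path $base -ProtectedFromAccidentalDeletion $true

# The Computers and Users containers are not OUs, so no GPO can link to them.
# Redirect newly created accounts to the OUs instead (run once, as Domain Admin,
# at domain functional level Windows Server 2003 or higher).
redircmp "OU=Workstations,$base"
redirusr "OU=Staff,$base"

# Move what is already there; built-in accounts such as krbtgt are excluded.
Get-ADComputer -SearchBase "CN=Computers,$base" -Filter * |
    Move-ADObject -TargetPath "OU=Workstations,$base"
Get-ADUser -SearchBase "CN=Users,$base" -LDAPFilter "(!(isCriticalSystemObject=TRUE))" |
    Move-ADObject -TargetPath "OU=Staff,$base"

# Delegate only what the helpdesk needs, on user objects under Staff:
#   /I:S               inherit to sub-objects of the named class only
#   CA;Reset Password  the "Reset Password" control-access right
#   RPWP;<attr>        read and write a single attribute
dsacls "OU=Staff,$base" /I:S /G "CORP\Helpdesk:CA;Reset Password;user"
dsacls "OU=Staff,$base" /I:S /G "CORP\Helpdesk:RPWP;pwdLastSet;user"
dsacls "OU=Staff,$base" /I:S /G "CORP\Helpdesk:RPWP;lockoutTime;user"

# Review the grants that now exist for the helpdesk group.
dsacls "OU=Staff,$base" | Select-String "Helpdesk"
```

Granting pwdLastSet and lockoutTime alongside Reset Password is what lets a helpdesk unlock an account and force a change at next logon without being able to modify anything else on the object.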
Create, copy, configure, and delete groups and OUs
You use the AD Users and Computers console or the new Active Directory Administrative Center (ADAC) UI to create new resources, AD users, printers, shares and OUs. You may also use net group to create a new group account, but group names are limited to 64 characters.
CHAPTER 6 CREATE AND MANAGE GROUP POLICY
6.1 CREATE GROUP POLICY OBJECTS (GPOS)
Configure a Central Store
Group Policy can be used to configure computer and user settings on networks based on the Active Directory Domain Services (AD DS). Although you can choose to configure Group Policy settings locally, it should be avoided since domain-based Group Policy centralizes management while localized policy does not.
The ADMX/ADML template files are for keeping admin templates. In AD, these can be replicated across domain controllers. Rather than replicating them to the SYSVOL folder of all domain controllers (even though the GPOs are by default stored in the SYSVOL folder) inside the domain, creating a Central Store which serves as a file location that will be checked by the Group Policy tools is considered best practice. This store can be created via a Windows Vista or later client computer.
Manage starter GPOs
Starter Group Policy Objects derive from a GPO. These are used to store Administrative Template policy settings. Grouping these settings inside a single object makes imports and exports much easier. These are created and managed via the Group Policy Management Console UI. Selecting New GPO from the Starter GPO option allows these to be used as templates for GPO creation.
Configure GPO links
The settings of a GPO can be applied by adding a link to that GPO. Multiple GPO links can be added to a domain, site, or OU via the GPMC. If you want to apply policy settings based upon physical location only, add a link to the desired site. If the settings do not clearly correspond to any particular site, linking to an OU or a domain is considered best practice.
In order for a GPO to be applied to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions for that GPO. However, you cannot have a GPO linked directly to a user, a computer, or a security group.
Configure multiple local group policies
Multiple Local Group Policy (MLGP) is a collection of local GPOs. These objects include:
They may be edited via the Group Policy Object Editor. Note that these are available only on computers that are not domain controllers.
Configure security filtering
Security filtering allows you to fine-tune which users and computers will receive and apply the settings of a GPO. Security filtering is used to apply a GPO to only some of the security principals within a container to which the GPO is linked. You may use the GPMC to add and remove groups, users, and computers that are to be used as security filters for a GPO.
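The 6.1 items (Central Store, starter GPO, links and security filtering) done with the GroupPolicy module, in the order they depend on each other. This is an added example and not the study guide's own material; the domain, OU and pilot group names are constructed placeholders.

```powershell
# Added example (not from the study guide): Central Store, starter GPO, GPO link and
# security filtering with the GroupPolicy module. Domain, OU and group names are
# constructed placeholders.
Import-Module GroupPolicy
$domain = "corp.example.com"
$ou     = "OU=Workstations,DC=corp,DC=example,DC=com"

# 1. Central Store: copy the local ADMX/ADML set into SYSVOL once. SYSVOL replication
#    carries it to every DC, and the Group Policy tools prefer it over each
#    machine's own PolicyDefinitions folder.
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (-not (Test-Path $central)) {
    Copy-Item "$env:SystemRoot\PolicyDefinitions" $central -Recurse
}

# 2. A starter GPO holding Administrative Template settings, then a GPO built from it.
New-GPStarterGPO -Name "Baseline-AdminTemplates" -Comment "Admin template defaults"
$gpo = New-GPO -Name "WKS-Baseline" -StarterGpoName "Baseline-AdminTemplates"

# 3. Link to the OU: links go to sites, domains or OUs, never to users, computers or groups.
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes -Enforced No

# 4. Security filtering: only members of WKS-Pilot apply the GPO. Authenticated
#    Users keeps Read (replacing its default Read + Apply), because the computer
#    account must still be able to read a GPO for it to be processed at all.
Set-GPPermission -Name $gpo.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName "WKS-Pilot" `
    -TargetType Group -PermissionLevel GpoApply

# Verify: who can apply it, and where it is linked.
Get-GPPermission -Name $gpo.DisplayName -All | Where-Object Permission -eq GpoApply
(Get-GPInheritance -Target $ou).GpoLinks
```

Removing Authenticated Users from the filter entirely, which the GPMC lets you do with one click, is the classic way a "filtered" GPO silently stops applying; the -Replace call above keeps Read and drops only Apply.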
6.2 CONFIGURE SECURITY POLICIES
Configure User Rights Assignment
Configure Security Options settings
It is possible to use Dynamic Access Control (DAC) to dramatically reduce the complexity of amalgamated security groups. You may create central access policies for files to centrally deploy and manage authorization policies that include conditional expressions using a variety of criteria such as user claims, device claims, and resource properties.
The primary goal of Security Auditing, in the context of DAC, is regulatory compliance. This helps to establish the presence of such policies and also prove compliance or non-compliance with these standards. Staging allows you to verify proposed policy changes before enforcing them.
Configure Security templates
The Security Configuration Wizard is used to produce security policies using security templates that are in .inf format. This allows for prioritization of templates to ensure the correct settings are taking the proper precedence.
In AD, it is considered best practice to deploy security templates by importing them into a GPO. This is facilitated by first creating OUs for the computers that are to use the various specific security templates, then adding the computer accounts to the proper OU. Finally, the OU is linked to the desired GPO. To import a security template into a GPO, use the Group Policy Object Editor UI.
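Before a template is imported into a GPO it is worth knowing how far the target servers already deviate from it. secedit can export the live configuration as a template and analyze a machine against a given .inf. The script below is an added example, not from the study guide; the template and log paths are constructed placeholders.

```powershell
# Added example (not from the study guide): compare a server's live security
# configuration with a security template (.inf) using secedit, before that template
# is imported into a GPO. Template, database and log paths are constructed.
$template = "C:\templates\member-server-baseline.inf"
$db       = "C:\templates\analysis.sdb"
$log      = "C:\templates\analysis.log"

# 1. Export the machine's effective settings as a template (a baseline to diff later).
secedit /export /cfg "C:\templates\current.inf" /areas SECURITYPOLICY USER_RIGHTS

# 2. Analyze: compares the live configuration with the template and writes each
#    difference to the log; nothing on the machine is changed.
secedit /analyze /db $db /cfg $template /log $log /quiet
Get-Content $log | Select-String "Mismatch|Not Configured"

# 3. Only on a standalone machine would the template be applied locally:
#    secedit /configure /db $db /cfg $template /log $log
#    In a domain, import the .inf into a GPO instead (Computer Configuration >
#    Policies > Windows Settings > Security Settings > right-click > Import Policy)
#    and link that GPO to the OU that holds these servers.
```

Keeping the exported current.inf from step 1 under version control gives you a dated record of what the box looked like before Group Policy took over, which is useful when a later mismatch report raises the question of what changed.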
Configure Audit Policy
There are many audit policy setting categories contained within Security Settings\Advanced Audit Policy Configuration. These are:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Global Object Access Auditing
Object Access policy settings are used to track attempts to access specific objects or types of objects on a network or computer. This allows for auditing attempts to access a file, directory, registry key, or any other object, such as files and folders within a shared folder. The appropriate Object Access auditing subcategory for success and/or failure events must be enabled, however.
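Object Access auditing needs both halves the paragraph mentions: the subcategory enabled in policy and a SACL on the object. The script below does both for a folder and then checks for the resulting events. It is an added example, not from the study guide; the folder path is a constructed placeholder.

```powershell
# Added example (not from the study guide): enable the File System subcategory of
# Object Access with auditpol and add the SACL that makes a folder generate events.
# The folder path is a constructed placeholder.
$folder = "D:\Shares\Finance"

# 1. Subcategory (Advanced Audit Policy Configuration > Object Access > File System).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"

# 2. SACL: record every failed access attempt, and successful writes and deletes.
$acl     = Get-Acl -Path $folder -Audit
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$failAll = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone", "FullControl", $inherit, $prop,
    [System.Security.AccessControl.AuditFlags]::Failure)
$okWrite = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone", "Write, Delete", $inherit, $prop,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl.AddAuditRule($failAll)
$acl.AddAuditRule($okWrite)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify the SACL and look for the events it produces (4663 = an access attempt
#    on an object, written only when both the subcategory and a SACL are in place).
(Get-Acl -Path $folder -Audit).Audit
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4663} -MaxEvents 5
```

Auditing successful reads as well would make the Security log unusable on a busy share; failures plus successful writes and deletes is the usual starting point.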
Configure Local Users and Groups
Local users and groups can be managed through the Server Manager or the Task Manager. You can create, modify or remove users and groups as needed.
Configure User Account Control (UAC)
User Account Control (UAC) is a feature that can limit privileges of users by default. This can be overridden from a given user account session by using the Run as administrator option from a given context menu, and then supplying the admin credentials when prompted.
6.3 CONFIGURE APPLICATION RESTRICTION POLICIES
Configure rule enforcement
Software Restriction Policies rely on four types of rules to identify software. These are Hash, Certificate, Path and Zone. These policies do not prevent restricted processes that run under the name of the System account. Note that each type of rule has its benefits and drawbacks.
A rule may be Unrestricted or Disallowed. Software restriction policies can be applied to allow only a list of trusted applications or to specifically disallow those undesired applications or file types that should be prohibited. By default, there is no rule or policy applied.
Configure AppLocker rules
AppLocker can be used to configure Application Control Policies to block the execution of software as needed. You can have AppLocker rules associated with a specific user or group within an organization. No rules are in place by default. Default rules, if any, should NOT be used for production purposes. Unlike Software Restriction Policies, an AppLocker rule collection would only function as an allowed list of files, which means only those files that are listed would be allowed to run.
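An AppLocker allow list built from what is actually installed, tested, and deployed in audit-only mode before enforcement, using the AppLocker PowerShell module. This is an added example, not the study guide's; the scanned directory, policy path and test binary are constructed placeholders.

```powershell
# Added example (not from the study guide): generate an AppLocker executable allow
# list from installed software, test it, deploy it in audit-only mode, then review
# the audit events. Directory, policy path and test binary are constructed.
Import-Module AppLocker
$xmlPath = "C:\applocker\exe-allowlist.xml"

# 1. Publisher rules where files are signed, hash rules otherwise. Path rules are
#    not requested: a writable path in a path rule defeats the allow list.
$info = Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse -FileType Exe
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User "Everyone" `
    -Optimize -IgnoreMissingFileInformation -Xml | Out-File $xmlPath -Encoding UTF8

# 2. Audit first: AuditOnly logs what would be blocked without blocking anything.
$doc = [xml](Get-Content $xmlPath)
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = "AuditOnly" }
$doc.Save($xmlPath)

# 3. Dry-run a file that is not on the list against the policy.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "C:\Users\Public\Downloads\tool.exe" -User Everyone

# 4. Apply locally (-Merge keeps other rule collections). For the domain, point -Ldap
#    at the GPO's distinguished name instead. The Application Identity service must run.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
Start-Service AppIDSvc

# 5. Review what audit mode reports before changing EnforcementMode to "Enabled".
#    8003 = would have been blocked (audit), 8004 = blocked (enforced).
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -MaxEvents 20 |
    Where-Object Id -in 8003, 8004 | Select-Object TimeCreated, Id, Message
```

Because an AppLocker collection is an allow list, enabling enforcement with no rules for a file type blocks that type entirely; the audit phase is what shows which legitimate binaries the generated rules missed.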
Configure Software Restriction Policies
Software restriction policies can be dealt with via the Local Security Policy Editor. Check out the left pane and you will see it there. If you add policies through here those inherited policies will be overridden. This is why you should add new policies through the Action menu instead.
6.4 CONFIGURE WINDOWS FIREWALL
Configure rules for multiple profiles using Group Policy
As a stateful host-based firewall, Windows Firewall can be configured via the Windows Firewall with Advanced Security interface or via the Netsh advfirewall command. You may also access it via the Control Panel. However, configuration via the Control Panel is mostly for typical end-user tasks.
Configuration through group policy is possible. To do so, first determine the Group Policy settings in a test environment before formal deployment. Domain profile settings are used when computers are connected to a network that has domain controllers for the domain of which the computer is a member. On the other hand, standard profile settings are used when the network does not contain domain controllers.
Configure connection security rules
Firewall rules are used to allow server computers to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to allow the connection, allow a connection only if it is secured through IPsec, or block the connection entirely. Rules may be for either inbound traffic or outbound traffic and may specify the computers or users, program, service, port (all ports or specified ports), protocol (TCP vs UDP) and the type of network adapter involved.
Connection security rules define authentication using IPsec and enforce Network Access Protection (NAP) policy.
Configure Windows Firewall to allow or deny applications, scopes, ports, and users
The Windows services and third-party programs that require access should be determined initially and then allowed to communicate between different network locations. Inside the netsh advfirewall context there are several subcommands that allow changes so you can view, create, and modify firewall rules. These include add, delete, set and show. Direction of traffic can be either in or out, while the available actions are allow, block or bypass.
Configure authenticated firewall exceptions
Authenticated bypass rules allow connections that bypass other inbound rules when the traffic is protected with IPsec. Block rules explicitly block particular types of traffic, and can be used to override a matching allow rule. If Windows Firewall is blocking a specific program that should be allowed to communicate, it should be added to the list of allowed programs (also called the exceptions list).
Import and export settings
Under Advanced settings, in the Action Pane, you can choose to import or export your firewall policies. Also, from within the netsh advfirewall command prompt you can access these same import and export commands.
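The 6.4 items, worked through with netsh advfirewall: per-profile defaults, an inbound allow scoped to a subnet and profile, an outbound block for a program, a connection security rule, an authenticated bypass rule, and export. This is an added example, not from the study guide; the management subnet, program path, AD group and export path are constructed placeholders.

```powershell
# Added example (not from the study guide): netsh advfirewall commands for the
# tasks in 6.4. Subnet, program path, group name and export path are constructed.
$mgmtSubnet = "10.0.10.0/24"

# Defaults for every profile: firewall on, unsolicited inbound blocked, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Inbound allow, scoped: RDP only from the management subnet, only on the domain profile.
netsh advfirewall firewall add rule name="RDP from mgmt (domain)" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$mgmtSubnet" profile=domain

# Outbound block for one program; a block rule wins over any matching allow rule.
netsh advfirewall firewall add rule name="Block legacy agent" dir=out action=block `
    program="C:\LegacyAgent\agent.exe" enable=yes

# Connection security rule: require IPsec authentication for inbound traffic from
# the management subnet and request it outbound (default authentication methods).
netsh advfirewall consec add rule name="Require auth from mgmt" `
    endpoint1=any "endpoint2=$mgmtSubnet" action=requireinrequestout

# Authenticated bypass: computers in the FW-Bypass-Hosts group skip the other
# inbound rules when their traffic is IPsec-protected. rmtcomputergrp takes an
# SDDL string built from the group's SID.
Import-Module ActiveDirectory
$sid = (Get-ADGroup "FW-Bypass-Hosts").SID.Value
netsh advfirewall firewall add rule name="Auth bypass for vuln scanners" dir=in action=bypass `
    security=authenticate "rmtcomputergrp=D:(A;;CC;;;$sid)" enable=yes

# Review one rule in full, then export the whole policy (same as the action pane's Export).
netsh advfirewall firewall show rule name="RDP from mgmt (domain)" verbose
netsh advfirewall export "C:\fw\server-baseline.wfw"
```

The bypass rule only fires for connections that actually arrive authenticated under the connection security rule; unauthenticated traffic from the same hosts is still evaluated against the ordinary inbound rules, which is what makes bypass safer than a broad allow.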