Pass4sure 70-410 Dumps - PowerPoint PPT Presentation

About This Presentation
Title:

Pass4sure 70-410 Dumps

Description:

This course is part one in a series of three courses that provides the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment.

Slides: 78
Provided by: Sabastian.Rogelio

Transcript and Presenter's Notes

2
Exam Prep: 70-411 Administering Windows Server 2012
  • Brian Svidergol

http://www.pass4sureexam.co/70-410.html
4
What we'll cover today
Study for Success
Microsoft Certification Overview
5
  • Microsoft Certification Overview

6
Certification Overview
7
Microsoft Certifications
Solution/cloud focus
8
MCSE and MCSD certifications
9
MCSA Windows Server 2012
Installing and Configuring Windows Server 2012
Administering Windows Server 2012
Configuring Advanced Windows Server 2012 Services
10
Taking the Exam
11
Upgrade paths
  • Any of the following certifications qualify
  • MCSA Windows Server 2008
  • MCITP Virtualization Administrator on Windows
    Server 2008 R2
  • MCITP Enterprise Messaging Administrator 2010
  • MCITP Lync Server Administrator 2010
  • MCITP SharePoint Administrator 2010
  • MCITP Enterprise Desktop Administrator on
    Windows 7



Upgrade exam: 70-417
Individuals who have earned the MCITP
Enterprise Administrator or MCITP Server
Administrator have also earned the MCSA Windows
Server 2008
12
  • Study for Success

13
Replace the Ns with your exam number to find your
prep guide: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-NNN
Topics covered on the exam
List of available languages
Second tab shows Skills Measured. Third tab shows
Preparation Materials, including a link to the
Learning Plan for the exam.
14
Studying for the Exam
15
  • Know What to Expect

16
How to interpret the questions
All questions have a consistent anatomy:
  • Business Problem
  • Goal Statement
  • One or Multiple Correct Answers
  • Multiple Distracters
Questions are not intended to trick you
17
Question types go beyond multiple choice
  • Choose All That Apply
  • Case Studies
  • Code Review
  • Extended Matching items
  • Two Part Analysis
  • Best Answer
  • Build Lists
  • Drag Drop
  • Active Screen
  • Graphics Interpretation
  • Multi-source Reasoning
Be sure to view the exam item type demo before
you take your first exam!
18
Installing and Configuring Windows Server 2012
19
The Objectives
Objective (Weight)
  • Deploy, Manage, and Maintain Servers (17%)
  • Configure File and Print Services (15%)
  • Configure Network Services and Access (17%)
  • Configure a Network Policy Server Infrastructure (14%)
  • Configure and Manage Active Directory (19%)
  • Configure and Manage Group Policy (18%)
20
Deploy, Manage, and Maintain Servers
21
Deploy and Manage Server Images (1/2)
  • Install the Windows Deployment Services (WDS)
    role
  • Prerequisites: AD DS/DHCP/DNS/NTFS, member of
    Administrators
  • Install-WindowsFeature -Name WDS -ComputerName
    Server01 -IncludeManagementTools
    (ServerManagerCmd.exe is deprecated)
  • Boot, capture, install, discover images
  • Boot image is Windows PE client (boot.wim on
    media)
  • Capture image is used to capture a reference
    computer to use for your install image
  • Install image is what you deploy (install.wim on
    media)
  • Discover image: for when a computer can't use PXE
    (boot to discover image media)
  • Update images - patches/hotfixes/drivers/features
  • DISM (ImageX, Package Manager and OCSetup are
    deprecated); 22 DISM cmdlets
  • dism /online /enable-feature /featurename:TelnetClient

22
Deploy and Manage Server Images (2/2)
  • Update images - patches/hotfixes/drivers/features
  • Mount the offline image
  • DISM /Mount-Image /ImageFile:<path> /Name:<name>
    /MountDir:<temppath>
  • Add a package or driver to the image
  • DISM /Image:<temppath> /Add-Package
    /PackagePath:<path>
  • DISM /Image:<temppath> /Add-Driver
    /Driver:<path-to-INF>
  • Commit the changes and unmount
  • DISM /Unmount-Image /MountDir:<temppath> /Commit
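The mount / add package / add driver / commit sequence above, as an added example using the DISM PowerShell cmdlets (the "22 DISM cmdlets" mentioned on the previous slide). This is not code from the slides; the image path, mount directory, package file and driver folder are assumed placeholders. The try/catch matters in practice: an image left mounted with half-applied changes is a common source of "corrupt WIM" deployments, so on failure the changes are discarded rather than saved.

```powershell
# Added example (not from the slides): service an offline install.wim with the
# DISM PowerShell module, the cmdlet equivalent of the DISM.exe steps above.
# All paths below are assumed; adjust to your environment.
Import-Module Dism

$ImagePath   = 'D:\Images\install.wim'     # assumed: image to service
$MountDir    = 'C:\Mount'                  # assumed: empty mount directory
$PackagePath = 'D:\Updates\update.msu'     # assumed: hotfix/update package
$DriverDir   = 'D:\Drivers\NIC'            # assumed: folder of INF drivers

# 1. Pick the image index to service (a WIM can hold several editions).
$images = Get-WindowsImage -ImagePath $ImagePath
$index  = ($images | Where-Object ImageName -like '*DATACENTER' |
           Select-Object -First 1).ImageIndex

# 2. Mount read/write (a read-only mount makes the Add-* cmdlets fail).
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index $index -Path $MountDir

try {
    # 3. Add a package (update/hotfix) and drivers to the mounted image.
    Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath
    Add-WindowsDriver  -Path $MountDir -Driver $DriverDir -Recurse

    # Optional: enable a feature offline (DISM /Image:... /Enable-Feature).
    Enable-WindowsOptionalFeature -Path $MountDir -FeatureName 'TelnetClient'

    # 4. Verify what is now inside the image before committing.
    Get-WindowsPackage -Path $MountDir |
        Where-Object PackageState -eq 'Installed' |
        Select-Object PackageName, PackageState
    Get-WindowsDriver -Path $MountDir |
        Select-Object Driver, ProviderName, Version

    # 5. Commit the changes and unmount (DISM /Unmount-Image ... /Commit).
    Dismount-WindowsImage -Path $MountDir -Save
}
catch {
    # Any failure: discard so the WIM is never left half-serviced.
    Write-Warning "Servicing failed: $_ ; discarding changes"
    Dismount-WindowsImage -Path $MountDir -Discard
    throw
}
```

If a previous run was interrupted, Get-WindowsImage -Mounted shows the stale mount and Clear-WindowsCorruptMountPoint cleans it up; run that before mounting again.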

23
Example question
  • You have an existing image that you use to deploy
    to servers. You need to add a package to the
    image.
  • What should you do first?
  • A. Run DISM /Image:<temppath> /Add-Package
    /PackagePath:<path>
  • B. Run DISM /Image:<temppath> /Add-Driver
    /Driver:<path-to-INF>
  • C. Run DISM /Mount-Image /ImageFile:<path>
    /Name:<name> /MountDir:<temppath>
  • D. Run DISM /Unmount-Image
    /MountDir:<temppath> /Commit

24
Implement Patch Management
  • Install WSUS role
  • DISM /Online /Enable-Feature /FeatureName:<name>
    (list feature names with dism /online /get-features)
  • Install-WindowsFeature -Name UpdateServices
    -IncludeManagementTools
  • GPOs, client side targeting
  • Server-side targeting (default) best in smaller
    deployments, make changes on the fly
  • Client-side targeting (typically GPO) best in
    large deployments, automated membership
  • Watch for non-domain joined clients or the manual
    step of creating groups in WSUS
  • Synchronization and WSUS groups
  • Synchronization is where WSUS downloads updates
    from upstream server or Microsoft Update
  • Watch for proxy server issue (configure in WSUS),
    firewall issue, or BITS issue
  • WSUS groups used for targeting updates to
    groups of computers
  • Watch for client computers not showing up in the
    computer list (configure them for WSUS first)

25
Monitor Servers (1/2)
  • Configure Data Collector Sets (DCS)
  • 3 types of collectors: performance counters
    (system performance), event trace data
    (activities and system events), system
    configuration information (registry)
  • Built-in templates: Active Directory
    Diagnostics, Basic, System Diagnostics, System
    Performance, WDAC Diagnostics
  • Alerts / Monitor Real-Time Performance
  • Monitor a performance counter, then alert when the
    threshold is exceeded
  • Alert actions: start a DCS, log an event in the
    Event Log, run a task (such as email or script)
  • Monitor VMs
  • Prerequisites: Windows Server 2012 Failover
    Cluster, Windows Server 2012 VMs, firewall rule for VM
    Monitoring, VM enabled for monitoring
  • Monitor services, restart service upon failure,
    reboot and/or move VM thereafter; automate,
    manual, or integrate with System Center

26
Monitor Servers (2/2)
  • Monitor Events
  • Centralize event log data to a single collector
    server (default protocol HTTP over port 5985)
  • Use winrm quickconfig on source and wecutil qc on
    collector
  • Works in non-domain environment but need to set
    TrustedHosts for WinRM
  • Configure Event Subscriptions
  • Use Event Viewer to create a subscription,
    default location is ForwardedEvents log
  • Can use existing custom view (useful when trying
    to minimize administrative overhead)
  • Configure Network Monitoring
  • System Center Operations Manager: OS management
    packs, network device discovery
  • Performance Monitor: DCS, performance monitor
    data, alert or log

27
Example question
  • You have a standalone Hyper-V host server
    running Windows Server 2012. You need to monitor
    the VMs that run Windows Server 2012.
  • What should you do first?
  • Migrate the VMs to a Windows Server 2012 Failover
    Cluster.
  • Install Windows Server 2012 SP1 on the host
    server.
  • Install Windows Server 2012 SP1 on the VMs.
  • Join the host server to an Active Directory
    domain.

28
Configure File and Print Services
29
Configure DFS (1/2)
  • Overview
  • DFS Replication and DFS Namespaces are role
    services (rolling up to File and Storage Services
    role)
  • Know what's new: PowerShell module, WMI mgmt.,
    site awareness for DirectAccess, dedupe
  • Know what's deprecated: dfscmd, FRS
  • Install and configure DFS Namespaces
  • Domain-based namespace (can use multiple
    namespace servers, not Failover Clustering)
  • For ABE and increased scalability, DFS Windows
    Server 2008 mode is required:
  • The forest functional level must be Windows
    Server 2003 or higher
  • The domain functional level must be Windows
    Server 2008 or higher
  • All namespace servers must be running Windows
    Server 2008 or newer
  • Stand-alone namespace (can be combined with
    Failover Clustering)
  • Useful for non-AD DS environment
  • Can scale to 50,000 folders (higher than Windows
    2000 Server Mode which is 5,000)

30
Configure DFS (2/2)
  • Configure DFS Replication Targets
  • Keep folders in sync, use the Replicate Folder
    wizard to configure
  • Config changes must replicate via AD DS and then
    each namespace server must poll a DC for the
    config change (speed it up by forcing AD DS
    replication and then running
    dfsrdiag.exe PollAD /Member:Contoso\Server01)
  • Configure Replication Scheduling
  • Create replication group
  • Multipurpose or data collection
  • Hub and spoke, full mesh, or no topology
  • Replicate continuously (select bandwidth limits
    if desired)
  • Replicate during specific days/times (can set
    bandwidth to use per time slot)
  • Watch for staging folder size issues (if too
    small, high CPU or slow replication will result)
  • Use a different physical disk for staging folder
    for improved I/O

31
Configure FSRM (1/2)
  • Install FSRM
  • Add-WindowsFeature FS-Resource-Manager
    -IncludeManagementTools
  • Configure Quotas
  • Configure quotas on specific folder or on a path
    (which handles newly created folders)
  • Hard (users cannot exceed) or soft (users can
    exceed, used for monitoring)
  • Built-in templates which can be used to create a
    quota or to create a new customized template
  • When quota threshold met, option to send email,
    log event, run command, or generate report
  • Be wary of deprecated tools such as dirquota.exe
    (instead use Set-FsrmQuota or similar)

32
Configure FSRM (2/2)
  • Configure File Screens
  • Active screening (cannot save unauthorized files)
  • Passive screening (can save unauthorized files,
    used for monitoring)
  • Built-in templates (block audio/video files,
    e-mail files, executable files, images, monitor
    exe/system)
  • Be wary of deprecated filescrn.exe
  • Set-FsrmFileScreen, Set-FsrmFileScreenException,
    Set-FsrmFileScreenTemplate
  • Configure Reports
  • Run reports on demand DHTML, HTML, XML, CSV, or
    text
  • Built-in reports duplicate files, file screen
    audit, files by file group, files by owner, files
    by property, folders by property, large files,
    least recently accessed files, most recently
    accessed files, quota usage
  • Set scheduled reports and have reports emailed to
    admin(s)
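The quota and file screen configuration from the two FSRM slides above, as an added example with the FSRM cmdlets that replace dirquota.exe and filescrn.exe. This is not code from the slides; it assumes the FSRM role service is installed, that D:\Shares\Users and D:\Shares\Staging exist, and the template name, sizes and mail addresses are placeholders. The bracketed tokens such as [Quota Path] and [Source Io Owner] are FSRM's own substitution variables.

```powershell
# Added example (not from the slides). Run elevated on the file server.
Import-Module FileServerResourceManager

$UserShare = 'D:\Shares\Users'       # assumed path

# --- Quotas -------------------------------------------------------------
# Threshold actions: log an event and mail the admin plus the folder owner.
$warnEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] reached [Quota Threshold]% of the quota on [Quota Path]'
$warnMail  = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota threshold reached on [Quota Path]' `
    -Body 'You have used [Quota Used] of [Quota Limit].'
$t85 = New-FsrmQuotaThreshold -Percentage 85 -Action $warnEvent, $warnMail

# Quota "on a path": an auto quota gives every folder created directly under
# $UserShare its own hard 200 MB limit from the template.
New-FsrmQuotaTemplate -Name 'Home 200MB Hard' -Size 200MB -Threshold $t85
New-FsrmAutoQuota -Path $UserShare -Template 'Home 200MB Hard'

# Soft quota on the share root itself: monitoring only, users can exceed it.
New-FsrmQuota -Path $UserShare -Size 50GB -SoftLimit -Threshold $t85

# --- File screens -------------------------------------------------------
# Active screen: executables cannot be saved in home folders; record who tried.
$blockEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] tried to save [Source File Path] under [File Screen Path]'
New-FsrmFileScreen -Path $UserShare -IncludeGroup 'Executable Files' `
    -Active -Notification $blockEvent

# Passive screen on a staging share: the save succeeds, but it is logged.
New-FsrmFileScreen -Path 'D:\Shares\Staging' -IncludeGroup 'Audio and Video Files' `
    -Notification $blockEvent

# Exception: one tools folder that legitimately holds .exe files.
New-FsrmFileScreenException -Path "$UserShare\Tools" -IncludeGroup 'Executable Files'

# --- Verify -------------------------------------------------------------
Get-FsrmQuota -Path $UserShare | Select-Object Path, Size, SoftLimit, Usage
Get-FsrmFileScreen -Path $UserShare | Select-Object Path, Active, IncludeGroup
```

File screens match on file name only (the "Executable Files" group is a list of extensions), so they stop accidental or careless saves, not a determined user who renames payload.exe to payload.txt; treat them as hygiene, and pair them with AppLocker or Software Restriction Policies when the goal is to stop execution.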

33
Configure file and disk encryption (1/3)
  • New Features
  • BitLocker provisioning (can enable BitLocker
    prior to deploying Windows 8 via WinPE)
  • Encrypt only used disk space (faster overall and
    takes only seconds for Windows 8 deployments)
  • Change PIN and password by standard users (no
    longer require admin rights)
  • Support for encrypted hard drives (encryption
    offloaded to the hard drive)
  • Configure BitLocker encryption
  • TPM version 1.2 or higher (required for
    provisioning prior to operating system
    deployment)
  • TPM owner authorization separate object new for
    Windows 8 requires AD schema update
  • Add BitLocker Drive Encryption feature,
    Enable-BitLocker (need volume/encryption
    method/key protector)

34
Configure file and disk encryption (2/3)
  • Configure the Network Unlock feature (new)
  • Install the BitLocker Network Unlock feature, WDS
    on Windows Server 2012, separate DHCP, UEFI DHCP
    drivers, PKI for issuing certificate (or
    self-signed certificate), Group Policy configured
  • For TPM+PIN systems, Network Unlock allows a form
    of two-factor authentication without user
    intervention when booting on the trusted corporate network
    (on untrusted networks, the TPM+PIN prompt is used)
  • Configure BitLocker policies (Win8 or Win2012)
  • Choose drive encryption method and cipher
    strength
  • Configure use of hardware-based encryption for
    drives (fixed/operating/removable)
  • Enforce drive encryption type on drives
    Full/Used only
  • Allow network unlock at startup

35
Configure file and disk encryption (3/3)
  • Configure the EFS recovery agent
  • Obtain a certificate for File Recovery for a data
    recovery agent user account
  • Add data recovery agent (DRA) by editing GPO
  • Add from AD DS if certificates are published in
    AD DS (by default they are not published)
  • Add from .cer files if not published in AD DS
  • Manage EFS and BitLocker certificates including
    backup and restore
  • For certificates, can enable archiving on the
    certificate templates to allow recovery
  • DRA can have a self-signed certificate which is
    backed up with standard backup methods
  • Windows 7 requires permissions update to
    ms-TPM-OwnerInformation for TPM owner info backup
  • Back up BitLocker recovery info to AD DS GPO
    setting (Pre-2008 requires schema extension)
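The Enable-BitLocker step from slide 33 (volume, encryption method, key protector) together with the "back up BitLocker recovery info to AD DS" bullet above, as an added example that is not part of the slides. It assumes a Windows Server 2012 or Windows 8 machine with a TPM 1.2 or later, the BitLocker feature already installed (Install-WindowsFeature BitLocker -IncludeManagementTools, then reboot), and that the GPO "Store BitLocker recovery information in Active Directory Domain Services" is enabled so the Backup-BitLockerKeyProtector call succeeds. The PIN is prompted for, not hard-coded.

```powershell
# Added example (not from the slides). Run elevated on the machine to encrypt.
Import-Module BitLocker

$Volume = 'C:'

# 1. Refuse to continue on a machine whose TPM is not owned/ready: Enable-BitLocker
#    with a TPM protector would fail later, after prompting for the PIN.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready:`n$($tpm | Out-String)"
}

# 2. Encrypt the OS volume with TPM+PIN (two factors at boot), AES-256, and
#    used-space-only encryption (the fast path for a freshly deployed server).
$pin = Read-Host -AsSecureString 'Enter BitLocker startup PIN'
Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 3. Add a recovery password protector and escrow it to AD DS (stored as an
#    msFVE-RecoveryInformation object under the computer account), so a lost
#    PIN or a replaced motherboard does not mean lost data.
Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId

# 4. Verify: two protectors (TpmPin + RecoveryPassword), encryption under way.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Order matters: add and back up the recovery protector before the first reboot, because a TPM-only or TPM+PIN protector with no escrowed recovery password leaves no way back in if the TPM measurements change.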

36
Example question
  • You are the system administrator for Contoso,
    Ltd. You manage an Active Directory Domain
    Services (AD DS) domain. All servers run Windows
    Server 2008 R2. The forest functional level is
    set to Windows Server 2003. The domain functional
    level is set to Windows Server 2008. You are
    preparing to deploy DFS. The deployment must meet
    the following requirements.
  • Users must not be able to see folders that they
    do not have access to
  • Users must be able to create 3,000 total folders
  • Minimize changes to the environment
  • You need to deploy DFS to meet the requirements.
    What should you do?
  • Update the forest functional level to Windows
    Server 2008 R2 and then deploy a standalone DFS
    namespace.
  • Update the forest functional level to Windows
    Server 2008 R2 and then deploy a domain-based DFS
    namespace by deselecting DFS Windows Server 2008
    mode.
  • Deploy a standalone DFS namespace with Windows
    Server 2008 mode enabled.
  • Deploy a domain-based DFS namespace with Windows
    Server 2008 mode enabled.

37
Configure advanced audit policies (1/2)
  • Implement auditing using Group Policy and
    AuditPol.exe
  • Know difference between basic Audit Policy
    settings and advanced Audit Policy settings
  • To manually enable Advanced Audit subcategory
    auditing (high overhead for widespread use)
  • auditpol /set /subcategory:"RPC Events"
    /success:enable
  • Auditpol has a /backup switch and a /restore
    switch
  • Global object access auditing (for file system or
    registry automatically applies to all objects)
  • For global auditing, watch for scenarios that
    don't also enable the Audit File System and Audit
    Registry audit policy settings (required)
  • Advanced Audit Policy settings take precedence
    over basic Audit Policy settings

38
Configure advanced audit policies (2/2)
  • Create expression-based audit policies
  • Audit anybody not in Payroll that tries to access
    the sensitive payroll spreadsheets (can be set
    directly on a file/folder or in global policy),
    can be combined with Dynamic Access Control
  • Create removable device audit policies
  • Requires Windows 8 or Windows Server 2012
  • Logs event when users attempt to access a
    removable storage device (Audit Removable
    Storage)
  • Can also log removable storage device events
    (Audit Handle Manipulation)
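The two advanced-audit slides above as one added example (not code from the slides): enabling the required subcategories with auditpol, global object access auditing for the file system, a per-folder SACL on a payroll share, a policy backup, and a detection query that lists object-access events on that share from anyone who is not in the Payroll group, which is the expression-based scenario on the slide done on the read side. It assumes the share path D:\Shares\Payroll, a domain group named Payroll, the RSAT Active Directory module on the file server, and a C:\Audit folder; all are placeholders.

```powershell
# Added example (not from the slides). Run elevated on the payroll file server.
$PayrollShare = 'D:\Shares\Payroll'     # assumed path

# 1. Subcategories. Audit File System must be on for ANY file SACL (global or
#    per-object) to yield 4663 events; the slide's caveat. Removable Storage
#    and Handle Manipulation cover the removable-device objective.
auditpol /set /subcategory:"File System"         /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage"   /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /failure:enable

# 2. Global object access auditing for the file system: every failed write or
#    delete by Everyone, without editing each folder's SACL.
#    Access flags: FR=read FW=write FX=execute FA=all DE=delete.
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FW
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:DE

# 3. Per-folder SACL: audit every successful read of the payroll share.
#    (The "not in Payroll" condition itself is added with the ACL editor's
#    expression builder; FileSystemAuditRule has no conditional form.)
$acl  = Get-Acl -Path $PayrollShare -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData,ReadAttributes',
            'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $PayrollShare -AclObject $acl

# 4. Keep a baseline of the effective policy for restore/comparison.
auditpol /backup /file:C:\Audit\auditpol-baseline.csv
auditpol /get /category:"Object Access"

# 5. Detection: recent 4663 events on the share by non-Payroll users.
$payroll = Get-ADGroupMember -Identity 'Payroll' -Recursive |
           ForEach-Object { $_.SamAccountName.ToLower() }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d.SubjectUserName
            Object = $d.ObjectName
            Access = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$PayrollShare*" -and
                   $payroll -notcontains $_.User.ToLower() }
```

The global SACL applies to every file on the machine, which is why the slide flags it as high overhead; scope it to failures and to a narrow access mask as here, and size the Security log (or forward it, as in the event collection example) before turning it on.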

39
Configure Network Services and Access
40
Configure DNS zones (1/2)
  • Configure primary and secondary zones
  • Primary zone can be stored in a file or in AD DS;
    it is the authoritative source for the zone
  • Secondary zone cannot be stored in AD DS and is a
    read-only copy of a primary zone
  • Configure stub zones
  • Stub zone is used to identify the authoritative DNS
    servers for a zone; useful in a
    merger/acquisition
  • Watch for scenarios that offer stub zone and
    conditional forwarding as potential solutions
  • Stub zones best when needing to dynamically
    maintain authoritative DNS servers for child zone
  • Configure conditional forwarders
  • Forwards to specific DNS servers which can then
    build up a cache for efficient resolution
  • Often the best solution for merger/acquisition
    but can also speed up internal name resolution

41
Configure DNS zones (2/2)
  • Configure zone and conditional forward storage in
    Active Directory
  • DNS server must be a domain controller; zone must be
    primary/stub/conditional forwarder
  • Replication scopes for integrated zones: all DNS
    DCs in forest, all DNS DCs in domain, all DCs in
    domain, all DCs in a custom partition
  • Configure zone delegation
  • Key scenarios delegate management, distribute
    load/improve perf/fault tolerance
  • Configure zone transfer settings
  • All servers, listed name servers, or a specific list;
    best security is the specific list
  • Configure notify settings
  • Can notify name servers which helps secondary
    servers have more consistent DNS data

42
Configure DNS records (1/2)
  • Create configure Resource Records (RR) including
    A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
  • Know that AAAA is IPv6 A record
  • Use dnscmd /recordadd for mass record creation
    (or PowerShell)
  • Add-DnsServerResourceRecord -A -Name "test"
    -ZoneName "woodgrovebank.com" -IPv4Address
    172.16.1.200
  • Configure zone scavenging
  • Must enable at server level and at zone level
    (watch for troubleshooting scenarios or choose
    all)
  • Must also be enabled at resource record level (by
    default it is, but watch for troubleshooting)
  • Cleans up dynamic records only (not static)
  • Avoid DNScmd.exe /ageallrecords

43
Configure DNS records (2/2)
  • Configure record options including TTL and weight
  • TTL default is 1 hour; can be updated at zone
    level or individual resource record level
  • Weight default is 100 with a possible range of
    0-65535 (higher means usually picked more)
  • Configure round robin
  • On and working by default, can disable with
    registry edit for certain resource record types
  • HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes
  • Local subnet priority takes precedence over
    round-robin for multi-homed names
  • Configure secure dynamic updates
  • Secure updates option only available when a zone
    is AD DS integrated
  • Run dnscmd /Config woodgrovebank.com /AllowUpdate
    2 to force a zone to secure updates only
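The DNS zone and record settings from the four DNS slides (secure dynamic updates, zone transfer and notify lists, scavenging at server and zone level, A and PTR records), as one added example with the DnsServer module rather than dnscmd. It is not code from the slides; the zone woodgrovebank.com is the one used on the slide, while the reverse zone, the secondary server address and the record values are assumed. It goes slightly beyond the slides by refusing to set secure updates on a zone that is not AD-integrated, which is the troubleshooting case the slide warns about.

```powershell
# Added example (not from the slides). Run on a DNS server that is a DC.
Import-Module DnsServer

$Zone      = 'woodgrovebank.com'
$Reverse   = '1.16.172.in-addr.arpa'   # assumed reverse zone for 172.16.1.0/24
$Secondary = '172.16.1.11'             # assumed: only server allowed to pull the zone

# 1. Secure dynamic updates exist only for AD-integrated zones; convert first
#    if needed (the slide: "only available when a zone is AD DS integrated").
foreach ($z in $Zone, $Reverse) {
    if (-not (Get-DnsServerZone -Name $z).IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $z -ReplicationScope Domain -Force
    }
    # Secure updates, transfers only to one explicit secondary, notify it.
    Set-DnsServerPrimaryZone -Name $z -DynamicUpdate Secure `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondary `
        -Notify NotifyServers -NotifyServers $Secondary
}

# 2. Scavenging: must be enabled at the server AND at each zone; static
#    records are never scavenged.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
Set-DnsServerZoneAging -Name $Zone    -Aging $true
Set-DnsServerZoneAging -Name $Reverse -Aging $true

# 3. Forward and reverse records for one host. Without -CreatePtr the A record
#    alone does not make the reverse lookup work (the example question case).
Add-DnsServerResourceRecordA   -ZoneName $Zone -Name 'test' `
    -IPv4Address '172.16.1.200' -TimeToLive 01:00:00
Add-DnsServerResourceRecordPtr -ZoneName $Reverse -Name '200' `
    -PtrDomainName "test.$Zone"

# 4. Verify settings and both directions of resolution.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries, Notify
Get-DnsServerResourceRecord -ZoneName $Zone -Name 'test' -RRType A
Resolve-DnsName -Name '172.16.1.200' -Type PTR -Server localhost
```

Restricting transfers to a named list is the real control; TransferToZoneNameServer still hands the whole zone to anything listed in an NS record, and TransferAnyServer lets any host enumerate every name in the zone.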

44
VPN and Routing
  • Install and configure the Remote Access role
  • Add-WindowsFeature RemoteAccess
    -IncludeManagementTools -IncludeAllSubFeature
  • Run the Configure and Enable Routing and Remote
    Access wizard
  • Implement Network Address Translation (NAT)
  • Need two interfaces prior to enabling via wizard
  • Configure VPN settings
  • For SSTP, need to select the proper SSL
    certificate post install
  • Configure remote dial-in settings for users
  • Default in AD is control access through NPS
    Network Policy
  • Need to adjust policy or create new policy in
    order to allow users in
  • Configure routing
  • IPv4 and IPv6 static routes, DHCP relay, need to
    enable router for protocol

45
DirectAccess (1/2)
  • Implement server requirements
  • No longer requires PKI (can use Kerberos proxy
    over HTTPS on port 443 instead)
  • New simplified deployment, but then you won't get
    force tunneling, Network Access Protection (NAP)
    integration, or two-factor authentication
  • Can use a single NIC behind NAT (Windows
    Server 2012 required)
  • Remote access servers and all client computers
    must be domain members
  • IPv6 not required; IPv6 transition
    technologies are used (however, native IPv6 gives
    the best performance)
  • Implement client configuration
  • Need to have security groups in place and then
    create GPOs

46
DirectAccess (2/2)
  • Configure DNS for DirectAccess
  • Name Resolution Policy Table (NRPT) used to
    send specific queries to specific DNS servers
    (otherwise, use normal name resolution) Windows
    7 or later required (config via GPO)
  • Configure certificates for DirectAccess
  • If using internal CA or self-signed certificate,
    CRL distribution point must be available
    externally
  • Can't use a self-signed cert in a multi-site
    environment
  • Internal PKI is required if Kerberos proxy over
    HTTPS is not available/possible

47
Example question
  • You are the system administrator for Tailspin
    Toys. You administer the Active Directory Domain
    Services (AD DS) environment along with DNS.
    Recently, another administrator added a new DNS
    Address (A) record for www2.tailspintoys.com. The
    record points to 10.10.5.254. Forward name
    resolution is fully functional. However, the web
    administrators are reporting that 10.10.5.254 is
    not resolving to www2.tailspintoys.com. You need
    to ensure that 10.10.5.254 resolves to
    www2.tailspintoys.com.
  • What should you do?
  • Add a second Address (A) record for 10.10.5.254
    and point it to www2.tailspintoys.com.
  • Add a second Address (AAAA) record for
    10.10.5.254 and point it to www2.tailspintoys.com.
  • Add a PTR record for www2.tailspintoys.com and
    point it to 10.10.5.254.
  • Add a PTR record for 10.10.5.254 and point it to
    www2.tailspintoys.com.

48
Configure a Network Policy Server Infrastructure
49
Configure NPS (1/2)
  • Configure multiple RADIUS server infrastructures
  • 5 parts: access clients (laptops), access
    servers (VPN/wireless devices), NPS servers
    (RADIUS server), NPS proxies (RADIUS proxy; fault
    tolerance by using two with one being a backup;
    domain membership optional; use NETSH to copy
    config from one proxy to another), user account
    DBs (such as AD DS)
  • Configure RADIUS clients
  • Required shared secret, friendly name, FQDN or
    IP, optional is vendor info (e.g. Cisco)
  • Manage RADIUS templates
  • Watch for questions involving administrative
    overhead as that may indicate the creation of a
    template or use of existing template.

50
Configure NPS (2/2)
  • Configure RADIUS accounting
  • Can log to SQL DB, text file on local computer,
    both simultaneously, or SQL with text file
    logging for failover (if SQL logging fails,
    continue to log via text file)
  • If logging stops (out of disk, SQL down), users
    cant get in (watch for situations that call out
    default install and sudden loss of functionality
    could be out of disk space, consider moving
    logging to non-system disk)
  • Configure certificates
  • Certificate-based auth - NPS servers need a
    server certificate
  • Minimize administrative overhead in large
    environment autoenrollment

51
Configure NPS policies (1/2)
  • Configure connection request policies
  • Policies have conditions such as connection type,
    day/time, network, computer
  • Useful to authenticate untrusted domain (proxy
    policy first in the policy order) while still
    authenticating locally via NPS (to AD DS)
  • If no local processing by NPS, then server is a
    proxy (can forward one place or multiple)
  • Configure network policies for VPN clients
    (multilink and bandwidth allocation, IP filters,
    encryption, IP addressing)
  • Watch for default installation on encryption as
    all encryption options are enabled (40-bit,
    56-bit, 128-bit)
  • Can use IP filters to enhance security, limit
    traffic type (IPv4 and IPv6)

52
Configure NPS policies (2/2)
  • Manage NPS templates
  • Can use templates for shared secrets, RADIUS
    clients, RADIUS servers, IP filter, health
    policies, and remediation server groups (minimize
    administrative overhead, speed up deployment)
  • Can export templates to .XML file and import to
    another server
  • Import and export NPS policies
  • Can use NETSH or Export-NpsConfiguration to
    export entire NPS server config including
    policies

53
Configure NAP (1/2)
  • Configure System Health Validators (SHVs)
  • One default SHV Windows Security Health
    Validator can require specific firewall
    settings, antivirus settings, spyware protection,
    automatic updates settings
  • If noncompliant with SHV, can restrict network
    access or remediate
  • Windows XP does not have spyware protection
    settings available
  • Configure health policies
  • Policy dictates how many SHV checks must be
    passed or failed
  • Health policies are added to network policies
    (NPS) to ascertain who should gain access
  • Configure NAP enforcement using DHCP and VPN
  • Non-compliant devices full access, full access
    with limited time, limited access
  • Limited access usually is tied with remediation
    servers for updating components for compliance
  • If full network limited time and client
    subsequently becomes compliant, will be
    disconnected!

54
Configure NAP (2/2)
  • Configure isolation and remediation of
    non-compliant computers using DHCP and VPN
  • Default network policy has automatic remediation
    enabled by default
  • Can add remediation servers and a troubleshooting
    URL for employees
  • Configure NAP client settings
  • Remember that Group Policy overrides NETSH and
    NAP Client Configuration console
  • Enable tracing: netsh nap client set tracing
    state=enable
  • Use the NAP Client Configuration console to
    create .xml config file for use in a GPO
  • By default, NAP enforcement clients are disabled
  • To enforce health policies, must enable at least
    one NAP enforcement client
  • IPsec need to configure NAP health registration
    authority settings

55
Configure and Manage Active Directory
56
Configure service authentication (1/2)
  • Create and configure Service Accounts
  • Used to enhance security but the pain point is
    the password management and SPN mgmt.
  • Create/configure Group Managed Service Accounts
  • Must create/configure on a server running Windows
    Server 2012 or on a Windows 8 computer
  • Automated password management and can be used
    across multiple servers
  • Minimum of one DC that runs Windows Server 2012
  • Before you begin, must create the KDS Root Key:
    Add-KdsRootKey -EffectiveImmediately
  • New-ADServiceAccount and Set-ADServiceAccount
  • Create and configure Managed Service Accounts
  • Introduced in Windows Server 2008 R2 / Windows 7
  • New-ADServiceAccount with the -RestrictToSingleComputer
    parameter
  • Automated password management and can be used on
    a single server
  • Not supported for scheduled tasks, Exchange, SQL
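The group Managed Service Account procedure above (KDS root key, New-ADServiceAccount, Set-ADServiceAccount), as an added example that is not part of the slides. It assumes the Active Directory module, at least one Windows Server 2012 DC, Domain Admin rights for the KDS step, and placeholder names: the account svc-web, the group WebServers, the hosts web01 and web02, and the domain corp.contoso.com. It adds the caveat the slide omits: -EffectiveImmediately still waits about 10 hours so that every DC has replicated the key before it is used.

```powershell
# Added example (not from the slides). Names/OU paths below are assumed.
Import-Module ActiveDirectory

# 1. KDS root key, once per forest. -EffectiveImmediately waits ~10 hours for
#    replication; the back-dated form skips that wait and is for labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Lab only:  Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. The set of computers allowed to retrieve the password. Only these
#    computer accounts can read it; no administrator ever sees or types it.
New-ADGroup -Name 'WebServers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'WebServers' `
    -Members (Get-ADComputer web01), (Get-ADComputer web02)

# 3. Create the gMSA with the SPNs an IIS app pool needs for Kerberos.
#    The rotation interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ServicePrincipalNames 'HTTP/intranet.corp.contoso.com', 'HTTP/intranet' `
    -ManagedPasswordIntervalInDays 30

# 4. Later changes go through Set-ADServiceAccount, e.g. adding an SPN:
Set-ADServiceAccount -Identity 'svc-web' `
    -ServicePrincipalNames @{ Add = 'HTTP/intranet-test.corp.contoso.com' }

# 5. On each member of WebServers (after a reboot, so the new group membership
#    is in the computer's token): install the account and prove it works.
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'     # True once the password is retrievable

# 6. Review: who may retrieve the password, and which SPNs are registered.
Get-ADServiceAccount -Identity 'svc-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames,
                ManagedPasswordIntervalInDays
```

Services are then configured to log on as CORP\svc-web$ with an empty password field. A Test-ADServiceAccount result of False almost always means the computer is not yet in the allowed group as far as its own Kerberos ticket is concerned (reboot) or the KDS key is not yet effective.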

57
Configure service authentication (2/2)
  • Configure Kerberos delegation
  • IIS may require the Trust this computer for
    delegation to any service (Kerberos only) option
  • Manage Service Principal Names (SPNs)
  • SetSPN (note that it cannot register duplicate
    names in a domain in Windows Server 2012)
  • Format: <service type>/<instance name>:<port
    number>/<service name>

58
Configure Domain Controllers (1/2)
  • Configure Universal Group Membership Caching
  • Eliminates dependency on GC during logons
  • Set-ADObject "CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace @{options='32'}
  • Transfer and seize operations masters
  • NTDSUTIL can transfer and seize roles
  • Move-ADDirectoryServerOperationMasterRole for
    transfer; add -Force to seize
  • Install and configure an RODC
  • Cannot upgrade writable DC to RODC
  • Staged installation delegate installation to
    non-Domain Admin at remote site (IFM for speed)

59
Configure Domain Controllers (2/2)
  • Configure Domain Controller cloning
  • VM-GenerationID (supported on Hyper-V on 2012 and
    VMware 5.0 and later)
  • Source VM must be 2012, PDC emulator must be 2012
  • Add the source DC to the Cloneable Domain
    Controllers group
  • Run New-ADDCCloneConfig to create
    DCCloneConfig.xml file (IP info, site info)
  • Export source DC (Hyper-V or Export-VM cmdlet)
  • Import the VM (Hyper-V or Import-VM cmdlet)
  • DefaultDCCloneAllowList.XML contains a list of
    services that are supported for cloning (watch
    out for unsupported services such as DHCP)
  • CustomDCCloneAllowList.xml is for custom services
    that you are sure about
  • See http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx
    (the entire series is valuable)

60
Maintain Active Directory (1/2)
  • Back up Active Directory and SYSVOL
  • wbadmin start systemstatebackup -backupTarget:E:
    (this includes SYSVOL)
  • Manage Active Directory offline
  • Stop the Active Directory Domain Services service
    (Services console or Stop-Service cmdlet)
  • Can perform offline defrag (or other maintenance)
    and then start the service
  • Optimize an Active Directory database
  • LDIFDE can be used to manually kick off a garbage
    collection process (free up space inside)
  • NTDSUTIL can compact ntds.dit file (need adequate
    disk space to hold second copy of .dit file)

61
Maintain Active Directory (2/2)
  • Clean up metadata
  • Since 2008, deletion of DC from default OU
    results in automatic metadata cleanup
  • Deletion of DCs NTDS Settings from Sites
    Services also results in automatic metadata
    cleanup
  • Otherwise: ntdsutil, metadata cleanup, remove
    selected server <DN of DC>
  • Configure Active Directory snapshots
  • ntdsutil, snapshot, activate instance ntds,
    create
  • Perform object- and container-level recovery
  • ntdsutil or Restore-ADObject (need Recycle Bin
    to get the link-valued attributes back)
  • Enable-ADOptionalFeature "Recycle Bin Feature"
    -Scope ForestOrConfigurationSet -Target
    <DomainName> -Server <DomainControllerName>
  • Perform Active Directory restore
  • Authoritative vs. non-authoritative (watch for
    situations where you restore and the objects get
    deleted again after the restore: that calls for an
    authoritative restore)

62
Configure account policies (1/2)
  • Configure domain user password policy
  • Without fine-grained, one password and one
    lockout policy per domain
  • Configure via GPO
  • Configure and apply Password Settings Objects
  • New-ADFineGrainedPasswordPolicy; PSOs apply to users
    or groups (not OUs)
  • Active Directory Administrative Center
  • Delegate password settings management
  • Can delegate ability to apply a PSO to user or
    group (Write Property permissions on the PSO)

63
Configure account policies (2/2)
  • Configure local user password policy
  • Can use a GPO linked to an OU with the computer
    objects
  • Configure account lockout settings
  • "Account lockout duration" set to 0 means
    an administrator must unlock locked accounts
  • "Account lockout threshold" set to 0
    means an account will never get locked out
  • "Reset account lockout counter after" sets when
    the number of failed logon attempts is reset
  • Watch for requirements such as minimizing calls
    to the Help Desk, maintaining the highest level
    of security, or situations where a Denial of
    Service (DoS) is occurring
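Slides 62 and 63 together, as an added PowerShell example (not from the deck): create a Password Settings Object with stricter password and lockout values for a privileged group, attach it to that group rather than an OU, compare it with the domain default for one member, and list recent lockouts so a lockout-based denial of service is noticed quickly. The group `Tier0-Admins` and the user `jdoe` are assumptions.

```powershell
# Added example, not the deck's own code.
# Assumed names: global security group 'Tier0-Admins', user 'jdoe'.
Import-Module ActiveDirectory

# Lower Precedence wins when a user falls under more than one PSO.
# LockoutObservationWindow must not exceed LockoutDuration.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0' -Precedence 10 `
    -Description 'Stricter policy for privileged accounts' `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs are applied to users or groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0' -Subjects 'Tier0-Admins'

# Domain default (from Default Domain Policy) versus what actually applies to one member.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration

# Lockout DoS check: accounts locked within the last hour. A sudden burst across many
# accounts is the symptom the slide's "DoS is occurring" scenario describes.
Search-ADAccount -LockedOut |
    Where-Object { $_.AccountLockoutTime -gt (Get-Date).AddHours(-1) } |
    Select-Object SamAccountName, AccountLockoutTime |
    Sort-Object AccountLockoutTime -Descending
```

Setting the threshold to 0 in this PSO would disable lockout for the group entirely; a duration of 0 would instead keep accounts locked until an administrator runs `Unlock-ADAccount`, which is the "highest level of security / more Help Desk calls" trade-off on the slide.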

64
Configure and Manage Group Policy
65
Configure Group Policy processing (1/3)
  • Configure processing order and precedence
  • LSDOU (Local, Site, Domain, OU): remember this!
  • Link order 1 is highest (also referred to as
    the top of the list)
  • Configure blocking of inheritance
  • Nothing above will apply unless a GPO is enforced
  • Configure enforced policies
  • Right-click a GPO link and click Enforced to ensure
    that the GPO cannot be blocked
  • Enforced GPOs also ensure that their settings
    aren't overwritten by GPOs applied lower in the
    structure

66
Configure Group Policy processing (2/3)
  • Configure security filtering and WMI filtering
  • Read and Apply Group Policy (AGP) permissions are
    required for a GPO to apply
  • WMI filter example: namespace Root\CimV2, query
    Select * from Win32_OperatingSystem where
    Caption = "Microsoft Windows Server 2012 Datacenter"
  • Configure loopback processing
  • Loopback with Replace ensures that settings
    from User Configuration of GPOs that apply to the
    computer replace the settings that are set in
    User Configuration of GPOs that apply to the user
  • Loopback with Merge ensures that settings from
    the User Configuration of GPOs that apply to the
    computer merge with the settings that are set in
    User Configuration of GPOs that apply to the user
  • Watch for scenarios such as a kiosk or public
    computer where all users must have the exact same
    settings on the computer!
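Slides 65 and 66 in practice, as an added PowerShell example (not from the deck) using the GroupPolicy module: link a GPO at link order 1, block inheritance on an OU, enforce a domain-level baseline so it still wins, narrow security filtering to one group, set loopback Replace for a kiosk OU, test the WMI filter query on a host, and read back the resulting order. The domain, OU, GPO and group names are assumptions, and both GPOs are assumed to exist already.

```powershell
# Added example, not the deck's own code.
# Assumed: domain corp.example.com, OU 'Kiosks', existing GPOs 'Kiosk-Lockdown' and
# 'Baseline-Security' (the latter already linked at the domain), group 'Kiosk-Computers'.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'
$ou       = "OU=Kiosks,$domainDn"

# Link order 1 = highest precedence among the links on this OU.
New-GPLink -Name 'Kiosk-Lockdown' -Target $ou -Order 1 -LinkEnabled Yes

# Block inheritance: nothing from site or domain applies to the OU unless enforced...
Set-GPInheritance -Target $ou -IsBlocked Yes

# ...so enforce the baseline at the domain; enforced links beat blocking and beat
# the OU's own links, which is exactly what a security baseline needs.
Set-GPLink -Name 'Baseline-Security' -Target $domainDn -Enforced Yes

# Security filtering: only Kiosk-Computers gets Read + Apply. Authenticated Users keeps
# Read (not Apply) so computer accounts can still read the GPO during processing.
Set-GPPermission -Name 'Kiosk-Lockdown' -TargetName 'Kiosk-Computers' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name 'Kiosk-Lockdown' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# Loopback Replace for the kiosk scenario: user settings come only from GPOs that apply
# to the computer. The "Configure user Group Policy loopback processing mode" policy
# writes UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name 'Kiosk-Lockdown' -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Dry-run the slide's WMI filter query on this host: no rows means the filter would
# exclude the GPO here, a common reason a GPO "silently" does not apply.
$query = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows Server 2012 Datacenter"'
$match = Get-CimInstance -Namespace 'root\CimV2' -Query $query
"WMI filter matches this host: $([bool]$match)"

# Effective order for the OU: enforced links first, then the OU's own links by link order.
(Get-GPInheritance -Target $ou).InheritedGpoLinks | Format-Table DisplayName, Enforced, Order -AutoSize
```

`Get-GPInheritance` is the quickest way to confirm LSDOU reasoning on an exam-style scenario: the list it returns is the order the client will apply, with later entries overriding earlier ones.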

67
Configure Group Policy processing (3/3)
  • Configure and manage slow-link processing
  • Some settings not applied when slow link detected
    (software installation, folder redirection, etc.)
  • Default slow link is less than 500 Kbps
  • Computer Configuration\Administrative
    Templates\System\Group Policy
  • Configure client-side extension (CSE) behavior
  • Allow processing across a slow network connection
  • Do not apply during periodic background
    processing
  • Process even if the Group Policy objects have not
    changed
  • Settings can be set on extensions such as
    Scripts, Security, Registry, or other extensions
    (note that some only have two options, not all
    three)
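The slow-link threshold and the per-CSE options, as an added PowerShell example (not from the deck): the Administrative Template policies on this slide are registry-based, so `Set-GPRegistryValue` can write the same values the GPO editor would. The GPO name is an assumption; the CSE GUID is the well-known one for the Scripts extension and should be confirmed on a client under the GPExtensions key named in the comment.

```powershell
# Added example, not the deck's own code. Assumed GPO name 'Baseline-Security'.
Import-Module GroupPolicy

$gpo = 'Baseline-Security'
$sys = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "Configure Group Policy slow link detection" (Computer Configuration\Administrative
# Templates\System\Group Policy). Value is in Kbps; when unset the client uses 500.
Set-GPRegistryValue -Name $gpo -Key $sys -ValueName 'GroupPolicyMinTransferRate' -Type DWord -Value 256

# Per-CSE behaviour lives under ...\Group Policy\<CSE GUID>. This is the Scripts CSE;
# confirm on a client: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
$scriptsCse = '{42B5FAAE-6536-11d2-AE5A-0000F87571E3}'
$cseKey     = "HKLM\Software\Policies\Microsoft\Windows\Group Policy\$scriptsCse"

# The three checkboxes on the slide map to three values:
#   "Allow processing across a slow network connection" unchecked -> NoSlowLink        = 1
#   "Do not apply during periodic background processing" checked  -> NoBackgroundPolicy = 1
#   "Process even if the GPOs have not changed" checked           -> NoGPOListChanges   = 0
Set-GPRegistryValue -Name $gpo -Key $cseKey -ValueName 'NoSlowLink'         -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key $cseKey -ValueName 'NoBackgroundPolicy' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key $cseKey -ValueName 'NoGPOListChanges'   -Type DWord -Value 0

# Read back what the GPO now carries for that CSE.
Get-GPRegistryValue -Name $gpo -Key $cseKey | Format-Table ValueName, Type, Value -AutoSize
```

Forcing `NoGPOListChanges = 0` on the Security CSE is the usual way to make sure locally tampered security settings are reapplied on every refresh instead of only when the GPO version changes.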

68
Configure Group Policy settings (1/2)
  • Configure settings including software
    installation, folder redirection, scripts, and
    administrative template settings
  • Assign to user (shortcuts appear on Start menu,
    not installed yet)
  • Assign to computer (no shortcut, install typically
    at startup)
  • Publish to user (Add/Remove Programs
    availability)
  • Import security templates
  • Import from Group Policy Object Policy/Computer
    Configuration/Windows Settings/Security Settings
  • The "Clear this database before importing" option
    will overwrite; without it you get a merge

69
Configure Group Policy settings (2/2)
  • Import custom administrative template file
  • Add/remove templates while editing a GPO
  • ADM and ADMX (ADMX cuts down on SYSVOL size
    because it isn't stored in the GPO)
  • ADMX Central Store (ADM not supported in the
    Central Store)
  • Convert admin templates using ADMX Migrator
  • Free download, GUI conversion using Generate
    ADMX from ADM
  • Command line: faAdmxConv.exe name.adm
  • Configure property filters for admin templates
  • Managed: any (all), yes (managed only), no
    (unmanaged only)
  • Configured: any (all), yes (configured only), no
    (not configured only)
  • Commented: any (all), yes (commented only), no
    (uncommented only)
  • (filters to limit what you see in the GUI)
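Building the ADMX Central Store, as an added PowerShell example (not from the deck): copy the `.admx` files and their language folders from a management workstation into SYSVOL, deliberately leaving `.adm` files out, and check that each template has a matching `.adml`. The domain name is an assumption, and the `faAdmxConv.exe` line assumes the ADMX Migrator tool is on the PATH.

```powershell
# Added example, not the deck's own code. Assumed domain corp.example.com; run from a
# host whose local PolicyDefinitions folder holds the templates you want to publish.
$domain = 'corp.example.com'
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }

# Copy .admx plus the per-language .adml files (en-US\ etc.), preserving the layout.
# .adm files are not supported in the Central Store, so only these two types are taken.
Get-ChildItem -Path $source -Recurse -Include *.admx, *.adml | ForEach-Object {
    $relative = $_.FullName.Substring($source.Length).TrimStart('\')
    $dest     = Join-Path $store $relative
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -Path $_.FullName -Destination $dest -Force
}

# A template without a language file for the editor's UI culture produces an error
# in the GPO editor, so flag any .admx that lacks an en-US .adml.
$admx    = Get-ChildItem -Path $store -Filter *.admx
$adml    = Get-ChildItem -Path (Join-Path $store 'en-US') -Filter *.adml -ErrorAction SilentlyContinue
$missing = $admx | Where-Object { ($_.BaseName + '.adml') -notin $adml.Name }
"ADMX files in store: $($admx.Count); missing en-US ADML: $($missing.Count)"
$missing | Select-Object Name

# Legacy .adm conversion (assumes faAdmxConv.exe from ADMX Migrator is on the PATH):
# faAdmxConv.exe custom.adm
# then copy the generated custom.admx / custom.adml into $store as above.
```

Once the folder exists, the GPO editor reports that policy definitions were retrieved from the central store, and every admin editing GPOs sees the same template set, which removes the "it works on my workstation" drift between administrators.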

70
Manage Group Policy objects (GPOs)
  • Back up, import, copy, and restore GPOs
  • PowerShell Backup-GPO, Import-GPO, Copy-GPO,
    Restore-GPO
  • C:\Program Files (x86)\Microsoft Group
    Policy\GPMC Sample Scripts (.WSF scripts)
  • Create and configure Migration Table
  • Manually open Migration Table Editor, select
    source, destination
  • Cross-Domain Copying Wizard
  • Users, groups, computers, and UNC paths
  • Reset default GPOs
  • dcgpofix /target:Domain (can also use DC or Both
    as the target)
  • Delegate Group Policy management
  • Group Policy Creator Owners group create new
    GPOs and edit/delete GPOs that they created
  • Linking a GPO requires additional permissions
    (can be granted via ADUC on OU)
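Backup, import with a migration table, and restore, as an added PowerShell example (not from the deck): back up every GPO to a dated folder, write a migration table that maps a production group and a UNC path to their test-domain equivalents, import one GPO into the test domain through it, and roll a GPO back from backup. The share, GPO, group and domain names are assumptions, and the migration table XML is constructed here rather than taken from the deck; open it in the Migration Table Editor to confirm it before relying on it.

```powershell
# Added example, not the deck's own code.
# Assumed: backup share \\fs01\GPOBackups, GPO 'Baseline-Security', production domain
# corp.example.com, test domain test.example.com, group 'Kiosk-Computers'.
Import-Module GroupPolicy

$backupRoot = Join-Path '\\fs01\GPOBackups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Back up all GPOs in the current domain; each lands in a GUID-named subfolder.
$backups = Backup-GPO -All -Path $backupRoot -Comment 'Scheduled backup'
"Backed up $($backups.Count) GPOs to $backupRoot"

# Constructed migration table: security principals and UNC paths in the source GPO are
# rewritten on import. Type values include User, Computer, GlobalGroup, LocalGroup,
# UniversalGroup and UNCPath.
$migTablePath = Join-Path $backupRoot 'prod-to-test.migtable'
@'
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Kiosk-Computers@corp.example.com</Source>
    <Destination>Kiosk-Computers@test.example.com</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\fs01\Software</Source>
    <Destination>\\testfs01\Software</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTablePath -Encoding UTF8

# Import the backed-up GPO into the test domain, creating the target GPO if needed.
Import-GPO -BackupGpoName 'Baseline-Security' -Path $backupRoot `
    -TargetName 'Baseline-Security' -Domain 'test.example.com' -CreateIfNeeded `
    -MigrationTable $migTablePath

# Roll a GPO in the current domain back to its most recent backup after a bad change.
Restore-GPO -Name 'Baseline-Security' -Path $backupRoot

# Which GPOs changed since the backup? Compare modification times against the backup set.
Get-GPO -All | Where-Object { $_.ModificationTime -gt (Get-Date).Date } |
    Select-Object DisplayName, ModificationTime, Owner
```

A scheduled run of the first part gives you a point-in-time copy of every GPO, which is what makes `Restore-GPO` useful during incident response when a GPO has been altered; the last query is a cheap daily check for unexpected GPO edits.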

71
Configure Group Policy preferences
  • Configure Group Policy Preferences (GPP) settings
    including printers, network drive mappings, power
    options, custom registry settings, Control Panel
    settings, Internet Explorer settings, file and
    folder deployment, and shortcut deployment
  • Beware of tattooing scenarios: use the "Remove
    this item when it is no longer applied" option
  • Use the "Apply once and do not reapply" option to
    allow user customization
  • Configure item-level targeting
  • Use a single GPO but set different settings for
    different users or computers
  • Targets can be specific CPU, battery presence,
    security group membership, WMI, and many more

72
Example question
  • You are the system administrator for Woodgrove
    Bank. An existing GPO named GPO1 is linked to an
    OU named Corp. The Corp OU contains all user
    objects. You need to ensure that a GPO named GPO2
    applies to all users in the Corp OU while also
    ensuring that settings in GPO2 take precedence
    over the same settings in GPO1.
  • What should you do?
  • Link GPO2 to the domain.
  • Link GPO2 to the site.
  • Migrate GPO2 to a local GPO.
  • Configure GPO2 to be enforced.

73
Related content
  • Breakout Sessions (WCA-B346 - What's New in
    Windows Server 2012 Active Directory)
  • Hands-on Labs (WCA-H306 Enabling Secure Remote
    Users with RemoteApp, DirectAccess, and Dynamic
    Access Control)
  • Related Exams - 70-412 and 70-417
  • Find Me Later At Info Desk (Tues/Thurs. 9:15am
    - 12:15pm)
  • Also Find Me Later At Study Hall (Wed. 9:15am
    - 12:15pm)

74
Resources
Learning
msdn
TechNet
75
Complete an evaluation on CommNet and enter to
win!
76
77
2013 Microsoft Corporation. All rights
reserved. Microsoft, Windows and other product
names are or may be registered trademarks and/or
trademarks in the U.S. and/or other
countries. The information herein is for
informational purposes only and represents the
current view of Microsoft Corporation as of the
date of this presentation. Because Microsoft
must respond to changing market conditions, it
should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information
provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED
OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.