Browsing Posts published by Huw

When installing a new SSL certificate you may find that you need to change the URLs used by Exchange as you can no longer get SSL certificates with non-internet FQDNs. E.g. You can’t use exch2010.mycompany.local as .local is not an internet domain. You will need to configure your Exchange server to use an FQDN – e.g. internally. This article explains how to change the URLs used by Exchange 2010.

Note that you will need the relevant DNS entries setup for this to work. You may need a “split brain” setup – i.e. where autodiscover.mycompany.local resolves to the internal IP of your exchange server. This is outside of the scope of this article. Also outside is assigning services to your new certificate.

Change URLs in EMC

The External URLs to change are:-

  • (Outlook Web App)
  • (Exchange Control Panel)
  • (ActiveSync)
  • (Offline Address Book)

Open the EMC and navigate to the below.

Double click on each tab and change the URL used.

Change URLs in Powershell

The two URLs to change are:-

  • (Autodiscover)
  • (Exchange Web Services, Availability, Out of Office)

Open Powershell (run as administrator) and enter the below changing the FQDN:-

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl ‘’

I would recommend running an IISRESET.


This article explains how to update the X710 & XL710 series of network adaptors on ESXi 6

I had to do this to fix a Purple Screen Of Death (PSOD) issue when using 10GB Intel X710 adaptors.

Check Current Version of Drive and Firmware

You can check this via the shell with the command ethtool -i vmnic0

[root@esxi-03:~] ethtool -i vmnic0

driver: i40e

version: 1.2.22

firmware-version: f4.33.31377 a1.2 n5.06 e1863

bus-info: 0000:01:00.0


Method 1 – Intel NVM Software

Go to the below website and download the update utility.

You will want the XL710_NVMUpdatePackage_v4_50_ESX.tar.gz

Copy this onto a datastore accessible by the ESXi server and extract with the command tar -zxvf XL710_NVMUpdatePackage_v4_50_ESX.tar.gz

Change into the directory

[root@xxx-esxi-03:/vmfs/volumes/52c59127-f0806a72-fafa-bc305bd7326f/Drivers/IntelXL710/XL710/ESXi_x64] chmod 755 nvmupdate64e

[root@xxx-esxi-03:/vmfs/volumes/52c59127-f0806a72-fafa-bc305bd7326f/Drivers/IntelXL710/XL710/ESXi_x64] ./nvmupdate64e -l nvmupdatelog01.txt

Note that this did not work in my example, hence I used method 2 below…

Method 2 – Via Update Manager


Download driver

Note although its for ESXi 5.5 it is also compatible with v6 – “VMware ESXi 5.5 i40e 1.2.48 NIC Driver for Intel Ethernet Controllers X710 and XL710

The ESXi 5.5 driver package, also compatible with ESXi 6.0″

Install into repository

Create baseline

Attach baseline, scan and remediate

Verify Update

[root@cap-esxi-03:~] ethtool -i vmnic0

driver: i40e

version: 1.2.48

firmware-version: f4.33.31377 a1.2 n4.41 e1863

bus-info: 0000:01:00.0

[root@cap-esxi-03:~] ethtool -i vmnic1

driver: i40e

version: 1.2.48

firmware-version: f4.33.31377 a1.2 n4.41 e1863

bus-info: 0000:01:00.1






DCB allows switches to prioritise different types of traffic via either a lossless queue or Priority Flow Control (PFC). This permits to the switch to pause non-priority traffic when congested. Traffic is paused according to the 802.1p priority. You can also divide available bandwidth between different traffic types by setting parameters known as Enhanced Transmission Selection (ETS).


This article gives an example of configuring DCB on a pair of Force10 MXL’s connected to an Equallogic SAN.


Configure Equallogic

From version 6 of the Equallogic firmware the array can automatically detect if there is an invalid DCB configuration on the switch. If there is you will see the below error.

To specify the DCB vlan go to the advanced tab as shown below. In my example I am using vlan 3000

Save your changes.


Configure MXL

In my example I am configuring DCB with Force10 MXL switches. You can find instructions for other switches here.


You will need to enter the below commands on BOTH MXL switches. The red commands may need to be changed based on your config.

  1. Disable flow control on all ports (note the port ranges may change depending on what interfaces are set to quad mode)

    Interface range te0/1-32, te0/41-56

    No flowcontrol rx on tx off


    Interface range fo0/33, fo0/37

    No flowcontrol rx on tx off


  2. Check DCB is enabled with the show dcb command. If not enabled you will need to enable and reload the switch (after saving the config of course).
  3. Create tagged VLAN for all iSCSI ports and port-channels. In my setup po100 is the VLT port channel.

        Interface vlan 3000

        No shutdown

        Tagged te0/1-15

        Tagged te0/41-56

        Tagged po100


  4. Configure DCB policies

    dcb-map CP-DCB

    priority-group 0 bandwidth 50 pfc off

    priority-group 1 bandwidth 50 pfc on

    priority-pgid 0 0 0 0 1 0 0 0


  5. Apply policies to switch ports used for iSCSI

    Int range te0/1-15, te0/41-56

    Dcb-map CP-DCB

    Int range fo0/33,fo0/37

    Dcb-map CP-DCB



  6. Save the config!


Check DCB Settings on Equallogic

Right click on the iSCSI interface of the member and select DCB details. Please then check:-

  • In the traffic class group (Group 1 in this example) only iSCSI is present
  • ETS Bandwidth is set from 1-100% (50% in this example)
  • Recommended priority for iSCSI is 4
  • Lossless in on foe the iSCSI group


This article explains how to recover a file from dropbox when it has been encrypted by Cryptolocker. As cryptolocker changes the file extension for all files to “.encrypted” the original file can be found in deleted items.

On a non-infected PC logon to the dropbox website. Navigate to the folder required and click on the “show deleted files” icon

You should now be able to view the file and restore. I suggest restoring from a previous version first.

Click on a link to download the file


This article explains how to update a standalone (i.e. not managed by vCenter) ESXi host to a later version.

Enable Remote Shell Access

In this example I am connecting to the ESXi server remotely. Alternatively you could run this from the ESXi shell via the console. Logon to the ESXi server via the vi client and go to configuration – security. Firstly start the SSH service.

Secondly make sure the “SSH server” service is running.


Update the ESXi server

You should now be able to SSH to the ESXi server. In this example I am using putty as an SSH client.

Allow outbound HTTP access

esxcli network firewall ruleset set -e true -r httpClient

To view a list of ESXi versions to download enter the command

esxcli software sources profile list -d

Choose the version you want to install. In this example we want the latest version – ESXi-5.5.0-20140704001-standard. Enter the below command to download and install (substituting the version as appropriate

esxcli software profile update -d -p ESXi-5.5.0-20140704001-standard

Once complete you will be prompted to reboot. Once you have rebooted the system is ready to use.


This article explains how to update the firmware of a Dell N200 or N3000 series switch. To be specific this will work on N2024/N2024P/N2048/N2048P/N3024/N3024F/N3024P/N3048/N3048P switches.


  • It is assumed that the switch is on the network and has an IP address configured (this is needed to copy the firmware file onto the switch). You will need to download the updated firmware from the dell website and extract the contents.
  • You will need to have a TFTP server running and accessible from the switch. If you do not already have TFTP you can download a basic server from here
  • Copy the firmware file (.stk) into the TFTP directory (in this example


Step 1 – Backup Existing Config

Connect to the switch either via a console connection or telnet/putty.

copy running-config tftp://YYYYYY/backup-stackX

Where YYYY is the IP address of your TFTP server

conf t

enable password XXXXXXXXX

Where XXXXXXXX is your password

copy running-config-startup-config

Verify the current firmware version by running

Show ver

Below shows the steps taken in a real world upgrade…


Step 2 – Copy New Firmware onto Switch

In this step we are copying the new firmware onto the backup config.

copy tftp://YYYYYYYY/ZZZZZZZZ.stk backup

Where ZZZZZ is the name of the firmware update file. For firmware the file is N3000_N2000v6.1.0.6

show ver

Verify that the new firmware is shown in the backup config. Assuming all ok then we want to then boot off the backup config.

boot system backup


Once the switch has rebooted. Connect to the switch and enter a show ver to verify the active firmware


Step 3 – Update Bootcode

We then need to update the bootcode to ensure the system always boots with the new firmware.

update bootcode


Then issue a show ver to verify the active firmware version.

Note if connected via serial cable you can verify the bootcode version on switch reload. For this firmware (only) look for “U-Boot 2012.10-00077-g89d3a3e (Mar 18 2014 – 13:11:33)”

For further information look at the pdf’s including with the firmware .zip file.


In this example I am setting up a very basic DFS infrastructure for a company with one head office and one branch office. The DFS server in head office is called Training-DC1, the DFS server in the branch office is called Training-DC2. We want to create a folder that is available and replicated to both sites.


  • DFS is not going to play nice is there are communication and/or Active Directory issues. Please check that all is well – I recommend running ping tests and “dcdiag” on all servers to check for issues.
  • Install DFS Role on all servers that will be holding DFS shares. This is done from server manager


Setup Namespace

Microsoft’s definition of a DFS Namespaces – “Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. However, the underlying structure of the namespace can consist of numerous file shares that are located on different servers and in multiple sites.”

On your main DFS server (e.g. the one in head office) open the DFS Tool from server manager and create a new namespace

Select the local server


Click on edit settings and enter the below. For the local path I recommend creating a folder referencing the server name (in this instance DFS-DC1). I have seen DFS replication problems caused by different servers having the same folder name.

Click next and finish.


Add Other Servers to Namespace

In the DFS management tool click on add namespace server

Select your second DFS server (in this example the branch office server).

Click on edit settings and set folder access as appropriate. Again I recommend choosing a unique name for the folder (DFS-DC2 in this example).


Create Replication Group

In DFS management console right click on “replication” and select “new replication group”

Select a multipurpose replication group and click next.

Add your servers

Select your chosen topology

Choose schedule and primary member. Then chose the folder to replicate on the primary server (DFS-DC1).

Chose the location of the folder to replicate on the other server (in this example DFS-DC2).



You have now setup a replicated folder accessible from both sites/offices via a non-server specific address (in this example \\training.local\DFS)

In the event of any problems check Windows firewall and server manager for event errors.


Some notes I’ve made whilst studying for 70-414. I’ve tried to keep them as concise as possible. Some of the screenshots are from older versions of windows but are included to show specific settings.

System Center 2012r2

  • Orchestrator – A workflow management solution for the data center that lets you automate the creation, monitoring and deployment of resources in your environment.
    • Service Provider Foundation – This enables service providers and hosters to design and implement multi-tenant self-service portals that integrate IaaS capabilities.
      • Stamp – a concept introduced in Service Provider Foundation, a stamp is a logical unit of a SCVMM, a HyperV host and a VM. As they must be monitoring SCOM is required also. For example a hosting company may have a “stamp” for each customer.
  • Service Manager – A platform for automating and adapting your organizations best practises (e.g. ITIL). Provides processes for change control, problem resolution, asset management etc.
  • App Controller provides a common self-service experience that can help you easily configure, deploy, and manage virtual machines and services across private and public clouds.
  • System Center Global Service Monitor (GSM) provides capability to monitor externally facing web sites and web services from geo-distributed location. There are two monitoring types
    • Web Application Availability
      Monitoring that monitors single URLs
    • Visual Studio Web Tests Monitoring that lets you to run multi-step, authenticated web tests from Microsoft-provided agents in the cloud.
  • The Self-Service Portal provides web-based access to the features of System Center 2012. It can be used by users to reset their own passwords.

System Center Configuration Manager (SCCM) –

  • Configuration Manager integrates with Windows Deployment Services to allow you to perform OS deployment and image capture.
  • Configuration baselines contain predefined configuration items and optionally, other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the configuration baseline and assess their compliance with it.
  • You can have primary sites, secondary sites and distribution points. For sites with less than 500 nodes use distribution points. Each primary site can support up to 10 management points. A secondary site supports 1.

System Center Operations Manager (SCOM) –

  • A cross platform management and monitoring solution for PCs, Servers and Hypervisors (including VMWare).
  • Can be used in conjunction with SCVMM for reporting
  • Audit Collection Services – a means to collect records generated by an audit policy and store them in a centralized database
  • Gateway server – Used as a local hub for authenticating and communicating with clients.
  • Management Packs – contain the settings for monitoring applications and services as well as tasks, views, reports, run as profiles etc.
    • Overrides – allow you to change the default values – e.g. the severity of an alert
  • To setup email notification subscriptions, go to administration – notifications – subscriptions and create a subscription task

  • You can monitor Distribution Applications with Service Level Tracking

System Center Virtual Machine Manager (SCVMM)

  • To integrate VMM with SCOM you need to
    • Install powershell v3
    • Install an Operations Manager Operations console on the VMM management server
    • Install Operations Manager agents on the VMM management server and all hosts under management by VMM (managed hosts).
    • Import the necessary management packs
  • Host Groups – can be used to group Hyper-V hosts. You can then assign permissions to host groups.


VMM uses a number of architectural components

  • Logical network – e.g. LAN, WAN, DMZ, VLAN1, VLAN2 etc

  • Network Sites – allow the same logical network to have a difference address when in another site. E.g. the LAN for London may be different to Norwich.
  • Port Profiles – there are 2 types
    • Virtual Port Profiles – for use with VMs. You can specify offload settings, DHCP guard, guest teaming, QoS etc
    • Uplink Port Profiles – The connectivity of the virtual switch to the logical (actual) network
  • Port Classifications – a label that can be used to identify different classes of connection (.e.g “Gold” for fast fibre SAN, “Bronze” for NAS”)
  • Network Types
    • Internal – Communication between the host and the VMs only
    • External – Communication between the VMs and other systems (via a physical adaptor)
    • Private – Communication only between VMs

  • A Virtual IP (VIP) template – can be used for hardware load balancers. These contain load-balancer-related configuration settings for a specific type of network traffic.

Integration with other Hypervisors

You can manage VMWare and Citrix XenServer hypervisors from SCVMM.

  • To manage citrix servers you must install the system center integration pack.


  • You can assign the below roles within VMM
    • Administrator – full rights to all objects
    • Fabric Administrator – a delegated administrator role, can perform all administrative tasks within their assigned host groups, clouds or library servers.
    • Read-Only Administrator – view only rights
    • Tenant Administrator – can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines.
    • Application Administrator – Members of the Self-Service User role can create, deploy, and manage their own virtual machines and services by using the VMM console or a Web portal.


Automatic Virtual Machine Placement

  • VMM Availability sets – can be used to specify VMs that should be kept on different hosts (e.g. DCs). Aka anti-affinity.
  • Custom Properties – can be used to customize placement via your own criteria. E.g. create a value called costcenter
  • Preferred Owner – Selected first where possible, Possible Owner – VMs can only be migrated to possible owners

  • P2V. As of System Center 2012 R2, you can no longer perform P2V conversions in VMM. You can use System Center 2012 SP1 as long as the source system:-
    • Have more than 512MB RAM
    • Have volumes smaller than 2040 G
    • Does not have encrypted volumes
  • Service Template – Contains the information required to create an instance of a service (e.g. multi—tier application).
    • A tier can contain up to 4 components
      • VIP template – a virtual IP address used with NLB
      • VM template
      • Application profile – reference application code or scripts
      • SQL profile – schema definitions and other SQL info
    • Each service template has a release number.
    • Each VM created from a service template maintains its connection to the template. Therefore if you update the template, the release number of the template is raised and the changes are pushed out to all VMs created from the template.
  • Dynamic Optimisation – migrates virtual machines to improve load balancing among hosts and to correct any placement constraint violations for virtual machines.
    • You can specify Dynamic Optimization settings for: CPU, memory, disk I/O, and network I/O.
    • Can be configured on a host group
    • Aggressiveness – determines the amount of load imbalance required to initiate a migration. VMs are migrated every 10 mins with the default (medium) aggressiveness.
    • Power Optimisation – turns off hosts when not needed to save power. They can then be turned back on when required
    • Host reserve – Set aside CPU, Memory, Disk I/O and Network I/O for the host OS.
  • The Replica Broker role must be installed if attempting to replica VMs that are in a cluster

Windows Powershell Desired State Configuration (DSC)

Installed as a feature, DSC is a new management platform in Powershell that can be used to:-

  • Enabling or disabling server roles and features
  • Managing registry settings
  • Managing files and directories
  • Starting, stopping, and managing processes and services
  • Managing groups and user accounts
  • Deploying new software
  • Managing environment variables
  • Running Windows PowerShell scripts
  • Fixing a configuration that has drifted away from the desired state
  • Discovering the actual configuration state on a given node

Use the cmds Set-DscLocalConfigurationManager and Get-DscLocalConfigurationManager


  • Cluster Aware Updating (CAU) – a new feature in windows 2012r2 to enable the update of Clustered servers
  • Data-duplication – Now supports VDI virtual machines on Cluster Shared Volumes (CSV)
  • When there are multiple networks Win2012r2 uses the below criteria when deciding what network to use for CSV traffic.
    • Metrics
      • These are automatically calculated based on speed and whether features such as RDMA and RSS are supported.
      • However, SMB multichannel takes precedence over network calculated metrics. To just rely on metrics you must disable SMB Multichannel.
  • A File Share Witness (FSW) is a file share that you may create on a completely separate server from the cluster to act like a disk for tie-breaker scenarios when quorum needs to be established. You would typically use a FSW as a tie-breaker when there are an even number of clustered servers.


  • DHCP failover – A new feature in Windows 2012r2 that allows multiple DHCP servers to be setup in an active/passive configuration. Should the active fail, the passive server will take over.

Windows Intune

A cloud management solution aimed at SMEs. Allows administrators to deploy updates, malware protection and manage inventory.

Network Load Balancing

Filtering Mode

  • Multiple host – traffic will be handled by multiple nodes
  • Single host – single host

Affinity –

  • Single – Used in most instances when clients originate from many different locations
  • None – If clients originate from the same IP (e.g. behind a NAT router).
  • Network – Request originating from the same class C network are directed to the same node

You will need to enable MAC address spoofing on the virtual adaptor of a VM in order to use NLB

The below network services can be load balanced by NLB:-

  • SQL server 2012 reporting services
  • Sharepoint Server 2010 front-end web server

Microsoft Desktop Optimization Pack

Contains a number of utiliies

  • Asset Inventory Service – helps you determine what software and hardware you have in your organization compared to your licensing agreements.

Virtual Disks

Resiliency Settings – When creating a virtual disk you have the following resiliency options

  • 2-way mirror – requires at least 2 disks
  • 3-way mirror – requires at least 5 disks
  • Parity – requires at least 3 disks


Email Encryption –

For 2 companies to encrypt emails sent between them you should

  • Exchange and install root CA certificates
  • Duplicate the enrolment certificate and install a template based on the new certificate
  • Request cross certification authorities

Constraints can be applied during the cross-certification process by using a policy.inf file. CApolicy.inf is used to apply constraints during the installation of a CA

Recovery of a CA

To restore certificate revocation checking in the event of a failed CA

  • Restore a copy of the CA’s private key and then retrieve a copy of the CRL
  • Use certutil to resign the CRL and extend the validity period of the CRL
  • Republish the CRL using Certutil


  • Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. When used with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
  • Online Responder – Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate.
  • Certificate Authority Web Enrollment – Provides a web interface to the CA role service


WAN bandwidth optimization technology that is included in Windows 2008R2 and Win7 and higher. To optimize WAN bandwidth when users access content on remote servers, BranchCache copies content from the remote servers and caches it locally for clients at branch offices to access.

  • In hosted mode data is cache on a local “server”
  • In distributed mode no server is required. Content is distributed amongst the client computers.


  • Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered separately.
  • Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their upstream WSUS server.

Active Directory Rights Management Servicies (AD RMS)

An information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.


  • Designed for the data center, Windows Azure Pack integrates with System Center and Windows Server to help provide a self-service portal for managing services such as websites, Virtual Machines, and Service Bus; a portal for administrators to manage resource clouds; scalable web hosting; and more. Available for free.

Azure Site Recovery

Use Azure Site Recovery to protect virtual machines running on Hyper-V hosts located in System Center Virtual Machine Manager (VMM) clouds. To setup site recovery

  1. Get a certificate uploaded to the vault and set up on the source VMM server, and generate a vault key.
  2. Set up VMM servers—Install the Azure Site Recovery Provider on the source and target VMM server.
  3. Configure the VMM clouds—Configure protection settings for VMM clouds.
  4. Enable virtual machines—Enable protection for virtual machines.

Scale-Out File Server

Designed to provide continuously available file shares by sharing the same folder from a number of servers. Ideal for use where there is no SAN. It can be used in 2 scenarios

  1. Application data – e.g. HyperV VMs
  2. File Server – e.g. clustered file server


Top deploy bitlocker you need to setup one account with permission to decrypt encrypted drivers

  1. Install Bitlocker on a DC
  2. Copy, modify and publish the basic EFS template
  3. Request a new certificate for the user with “basic EFS”. Save as a .cer
  4. Deloy the data recovery agent in GPO


To have certificates automatically renew you need to edit the autoenrollment template

Then edit the GPO


  • Windows Server Gateway – like RRAS. Use it to connect to different networks
  • RDMA – aka SMB direct – SMB CPU processing if offloaded to the NIC
  • Receive-side scaling (RSS) – Enables a network adapter to distribute its network processing load across multiple virtual processors in multi-core virtual machines.
  • VHDX disks can store over 2TB of data.
  • When creating virtual disks:-
    • A 2 way mirror requires 2 disks
    • Parity requires 3 disks
    • A 3 way mirror requires 5 disks
  • To audit changes to active directory objects in an OU you must:-
    • From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
    • Modify the audit settings on the OU

Below is a list of quick study notes taken whilst revising for this exam. I’ve tried to keep them as concise as possible.

Storage Spaces

  • A storage pool is a collection of physical disks
  • You can create virtual disks from a storage pool
    • When creating virtual disks you can enable “storage tiers” which will automatically move data to fast disks (e.g. SSDs) based on usage.
    • Virtual disks can be
      • Simple – data striped across all disks. Maximises usable space
      • Mirror – data mirrored. You need 2 drives to cover 1 disk failure, 5 to cover 2 disk failures. Drastically reduces usable space.
      • Parity – striped with parity. You need 3 drives to cover 1 disk failure, 7 to cover 2 disk failures. Good combination of reliability and usable space.
    • Virtual disk can be thick or thin provisioned
  • Volumes are then created from the virtual disks. You have the option to enable deduplication

  • The “iSCSI target service” allows a server to present local disk as an iSCSI target (i.e. so other servers can connect to it).


To manage windows Azure you can use the below 3 cmds

  • Get-AzurePublishSettingsFile cmdlet opens your default browser, signs into your Windows Azure account, and automatically downloads a .publishsettings xml file that contains information and a certificate that provides management credentials for your Windows Azure subscription.
  • Import-AzurePublishSettingsFile cmdlet imports the .publishsettings file
  • Set-AzureStorageAccount cmdlet updates the properties of an Azure storage account in the current subscription. Properties that can be set are: “Label”, “Description” and “GeoReplicationEnabled”.

Active Directory Recycle Bin

  • Forest functional level must be at least win2008 r2
  • Not enabled by default in Win2012. You can enable it within the “Active Directory Administrative Center”

A deleted objects folder is now shown

NB – You can use the powershell command sync-adobject to replicate an individual object.

Microsoft Desktop Optimization Pack (MDOP)

  • Advanced Group Policy Management (AGPM) is a key component of MDOP. It provides change control, offline editing, and role-based delegation.

Active Directory Federation Services

Integrated Windows Authentication (IWA) can be provided via ADFS 2.0 in Windows 2012r2.

Managing Printers

Note you can migrate printers via the print management console (you will need to have the printer management role installed.



  • Cannot be installed on system or boot volumes
  • Do not install on CSV volumes
  • Can only be installed on non-removable drives
  • Cannot dedupe drives formatted with ReFS


  • You would create a DNS zone delegation to:-
    • Create sub zones. E.g.
    • Delegate management
    • Divide up DNS traffic for large zones
  • You can protect against DNS cache poisoning attacked by using DNSSEC. Below are common DNSSEC commands :-
    • Invoke-DnsServerZoneSign – ensure a zone is signed
    • Add-DnsServerSigningKey – used to manage key signing key (KSK) and zone signing key (ZSK)
  • Stub zone – a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone.
  • Cache Locking – the CacheLockPercent value is used to protect DNS entrys for a percentage of their TTL. E.g. if you set cachelockpercent to 50, and the TTL is 1 hour, the entry cannot be overwritten for 30mins.
  • UnRegister-DnsServerDirectoryPartition cmdlet deregisters a Domain Name System (DNS) server from a specified DNS application directory partition. After you deregister a DNS server from a DNS application directory partition, the DNS server removes itself the from the replication scope of the partition.
  • GlobalNames – Windows 2008 and above support the replication of simple, single names in DNS via GlobalNames. To setup GlobalNames you must
    • Create Global Name Zone in DNS
    • Enable GlobalNames Support dnscmd <ServerName> /config /enableglobalnamessupport 1
    • Populate the zone and replicate
    • Publish to other forests –
      • add service location (SRV) resource records to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone
      • In addition, you must run the dnscmdServerName/config /enableglobalnamessupport 1 command on every authoritative DNS server in the forests that do not host the GlobalNames zone.

Workplace Join

  • Allows BYOD devices to get active directory access without being explicitly added to the domain.
  • The setup process is:-
    • SSL cert – install a public trusted certificate
    • install ADFS – In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication
    • Setup device registration service (powershell cmds are Initialize-ADDeviceRegistration & Enable-AdfsDeviceRegistration) to configure a server in an AD FS farm to host the Device Registration Service.
    • Register device registration service endpoint in DNS – create enterpriseregistration record
  • The Workplace Join process creates a new device object in AD and also installs a certificate on the device. You can then create conditional access policies to permit access to only authorized network applications and services.
  • The SSL certificate on the ADFS server MUST have the below settings:-
    • Subject Name (CN):
    • Subject Alternative Name (DNS):
    • Subject Alternative Name (DNS):

Read Only Domain Controllers (RODC)

  • Filtered Attribute Set (FAS) – A list of sensitive items that are NOT replicated to RODCs.
  • Check the attributes searchflags value to see if it is replicated. Searchflags = 0 means its replicated
  • Use ldifde –d to query searchflags value
  • To enable/deny the caching of passwords on a RODC you can you the Allowed and Denied RODC password replication groups.
    • Allowed RODC Password Replication Group” has no members by default,
    • Denied RODC Password Replication Group” contains all the ‘VIP’ accounts (Enterprise Administrators, Cert Publishers, Schema Administrators, Etc). Deny overrules allow.

    The configuration of a Password Replication Policy is pretty straight forward. Open Active Directory Users and Computers snap-in and select the RODC in the Domain Controllers organizational unit. On the “Password Replication Policy” tab, there are the two groups: “Allowed RODC Password Replication Group” and “Denied RODC Password Replication Group”. A user can be added to either of the desired groups.

  • “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com” – this error occurs when running adprep /rodc if you cannot contact the inafrastructure master.
  • Each RODC requires direct access to a writable DC running win2008 and above.

Windows Deployment Services

  • Use a transport server for custom deployments – e.g. when you want to store information in a SQL database.
  • Improved multicast deployment by eliminating the need for making a local copy of the install.wim file
  • DNS and DHCP must be available for WDS


  • DHCP failover “load balance mode” – multiple DHCP servers can respond to, and load balance, client requests.
  • You can also setup a “hot standby” where just one of the DHCP servers is active and the other is passive. Below are options ton configure such as “state switchover interval”

  • You can grant control of DHCP services (to a non-enterprise admin) by delegating control to the “netservices” folder in active directory sites and services.
  • You can use DHCP filtering to deny leases by MAC address

Forest Trusts

  • “Selective authentication” over a forest trust restricts access to computer objects to only users that have been explicitly selected. Users can be granted access by the advanced properties of the computer object.


  • Branch Office Direct Printing – Allows print jobs from branch office to be sent directly to the print (i.e. keeping traffic off the WAN)

  • Print Server Clusters are not used in Windows 2012. Microsoft recommend using a highly available VM instead.

Group Policies

  • When a group policy is “enforced” it cannot be overridden by another group policy further down the hierarchy.


Virtual Machine Manager can use the below profiles which can be found in the library section.

  • Application Profiles – Instructions to install APP-V, SQL and Web Deploy.
  • Capability Profiles – Capability Profiles are used to define the sets of capabilities that are allowed in a particular item.
  • Hardware profile – can contain specifications for CPU, memory, network adapters, a video adapter, a DVD drive, a floppy drive, COM ports etc
  • Guest OS Profiles – The OS settings, e.g. Windows version, roles and features to install
  • Host Profiles – Used to deploy new hosts.
  • SQL Server Profiles – Used to deploy SQL



  • A new format for virtual disks
  • Only supported on Windows 2012.
  • Supports up to 64TB (as opposed to 2TB in VHDs)
  • Contains Built in protection against corruption (via metadata logging)
  • Larger block sizes (up to 256MB)

Offline Data Transfer (ODX)

  • ODX requests can be offloaded to the SAN allowing for faster file transfers and drive creations.
  • Not supported on IDE
  • Supports VHD and VHDX
  • Only works on NTFS that cannot be compressed or encrypted

Direct Access

  • Aka Unified Remote Access. A VPN-like technology that can be used to connect clients automatically.
  • Requires Windows 7 and above
  • When using split brain DNS there may be a difference between the public and internal IP for server on your network. If you want a direct access client to access the public IP (rather than internal IP) then you must specify an exemption. This is achieved by not specifying a DNS server for a name suffix.
    • To setup access to intranet servers in the above example you should specify the name of the server with a leading dot (e.g. in the name resolution policy
  • Use the prefer local names allowed option in a group policy to allow remote users to connect to a locally named server (e.g. server1) if the name conflicts with a server in head office.
  • You can specify the “force tunnelling” option to have all traffic routed through the direct access connection. Use “split tunnelling” if you do not want to force all traffic (e.g. web) through the direct access connection.


  • SSTP – A new form of VPN tunnel that allows traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP VPNs connect to port 443 (SSL).
  • VPN Reconnect refers to the support in Routing and Remote Access service (RRAS) for a new tunnelling protocol, IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2)

Resilient File System (ReFS)

New file system introduced in Windows 2012 and windows 8.

  • Cannot be configured on boot drives
  • Cannot convert NTFS to ReFS
  • Cannot be used on removable media
  • Cannot be used with Windows Deduplication

Network Access Protection (NAP)

  • Network Policy Server (NPS) – used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs).
  • Health Registration Authority (HRA) – validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network.
    • Requirements for HRA automatic discovery
      • Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
      • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
      • The EnableDiscovery registry key must be configured on NAP client computers.
      • DNS SRV records must be configured.
      • The trusted server group configuration in either local policy or Group Policy must be cleared.
  • Host Credential Authorization Protocol (HCAP) – allows you to integrate your Microsoft Network Access Protection (NAP) solution with Cisco Network Admission Control
  • RADIUS server and proxy.
    • Note that client computers are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers

Domain Controller Cloning

  • Requires the PDC emulator runs windows 2012 or higher
  • DCs can be cloned using HyperV 2012 or higher (including windows 8)
  • The DC must be windows 2012
  • Dccloneconfig.xml is used to specify configuration settings of a cloned DC. They are applied at boot.
  • There is a new active directory group called “Cloneable Domain Controllers”. DCs must be a member of this group to be cloned.

IP Address Management (IPAM)

  • IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running DHCP and DNS. There are a number of cmdlets you may need to use with IPAM:-
    • The Add-DhcpServerInDC cmdlet – Adds the computer running the DHCP server service to the list of authorized DHCP server services in AD.
    • Add-IpamServerInventory – Adds an infrastructure server to an IPAM database.
  • The IPAM server must be added to the “event log readers” group
  • If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  • The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies. This needs to be run in every domain. The GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM provisioning wizard.
    • The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value
    • Example use :- invoke-IpamGPOProvisioning -domain -gpoprefixname IPAM
  • Set-IpamConfiguration – can be used to configure the IPAM server itself
  • The following IPAM security groups can be used for:-
    • IPAM Users – can view all information in server inventory, IP address space, and the monitor and manage IPAM console nodes. IPAM Users can view IPAM and DHCP operational events under in the Event Catalog node, but cannot view IP address tracking data.
    • IPAM MSM Administrators – Members of this group have all the privileges of the IPAM Users security group, and can perform server monitoring and management tasks in addition to IPAM common management tasks.
    • IPAM ASM Administrators – Members of this group have all the privileges of the IPAM Users security group, and can perform IP address space tasks in addition to IPAM common management tasks.
    • IPAM IP Audit Administrators – Members of this group have all the privileges of the IPAM Users security group. They can view IP address tracking data and perform IPAM common management tasks.
    • IPAM Administrators – Members of this group have privileges to view all IPAM data and perform all IPAM tasks.

System Center Configuration Manager

  • Distribution Point – Used to store the files needed for installation packages.

Migration Tools

  • When migrating a server you can use the Export-SmigServerSetting to backup a configuration (e.g. DHCP settings).
  • You can then use the import-SmigServerSetting to import to a new server.

Key Powershell Commands

  • Get-ADReplicationUpToDatenessVectorTable DC1 – shows a list of the highest USNs seen by server DC1 for every domain controller in the forest.


  • Note that since Win2008r2 you can lower the forest functional level via the following powershell commands
    • Set-AdForestMode -identity -forestmode Windows2008R2Forest
    • Set-AdDomainMode -identity -domainmode Windows2008R2Domain
  • Online responder – An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate.
  • To rename a domain use the cmd line rendom.
    • Then use GPFIXUP to replace domain name references in GPOs.
  • BranchCache – Introduces in windows 2008r2 BranchCache provides a way to cache file and web content in a branch office to reduce WAN traffic.
    • Distributed cache mode – does not require a server in the branch office. Client computers can download and cache content for others.
  • Use the Microsoft Assessment and Planning (MAP) toolkit – to produce reports on what servers can be migrated to windows 2012r2
  • When delegating control of an OU, the tasks that can be generated are taken from a text file called delegwiz.inf. This file can be edited to include custom tasks.
  • Windows 2012r2 introduces support of claims based authentication via dynamic access control.
  • Active Directory Migration Tool (ADMT) – can be used to migrate users, groups, accounts and computers between forests.
  • User State Migration Tool (USMT) – used to migrate profiles


In this example I am setting up 1x 5524P as the core with 2x 5548P switches used for distribution. These switches are to be used for networking only (no iSCSI).

They are being setup with a vlan for data (vlan1), a voice vlan (100) and wireless vlan (50). Initially only vlan1 will be used.


Stacking The Switches

  • In this example I have stacked the 3 switches with the top switch (number 1) connecting to HDMI port 2 on switches 2 and 3. There is also a cable between HDMI ports 1 on switches 2 and 3.
  • Power on the switches from top to bottom letting each switch power on fully before the next. You should then get the displays showing 1-2-3 as below.

This can be confirmed by running the show switch command. Notice the topology is listed as “Ring”.


Initial Configuration

The below commands will specific a hostname, setup SSL, enable IP routing and specify the default gateway.

hostname XXXXXX

crypto key generate rsa

ip ssh server

ip routing

ip route


Disable iSCSI Optimisations, Jumbo Frames and Flow Control

Assuming the switches are not being used for iSCSI, and you do not have flow control and jumbo frames in use. Log onto the switch via the console cable and enter configuration mode. Enter the below commands:-

no iscsi enable

no port jumbo-frames

no iscsi target port 860 address

no iscsi target port 3260 address

no iscsi target port 9876 address

no iscsi target port 20002 address

no iscsi target port 20003 address

no iscsi target port 25555 address

To disable flow control for each interface. As we have 3 switches

int range gi1/0/1-24

no flowcontrol

int range te1/0/1-2

no flowcontrol

int range gi2/0/1-48

no flowcontrol

int range te2/0/1-2

no flowcontrol

int range gi3/0/1-48

no flowcontrol

int range te3/0/1-2

no flowcontrol


Configure Vlans

int vlan 50

name wireless

ip address

int vlan 100

ip address


The setup the ports for vlans

int range gi1/0/1-24

desc “Voice \ Data port”

spanning-tree portfast

switchport mode trunk

switchport trunk native vlan 1

switchport trunk allowed vlan add 1,50,100


int range gi2/0/1-48

desc “Voice \ Data port”

spanning-tree portfast

switchport mode trunk

switchport trunk native vlan 1

switchport trunk allowed vlan add 1,50,100


int range gi3/0/1-48

desc “Voice \ Data port”

spanning-tree portfast

switchport mode trunk

switchport trunk native vlan 1

switchport trunk allowed vlan add 1,50,100

Note that you do not have to enter the command “switchport trunk native vlan 1” as this is the default anyway. I have included it in case you want to change to another vlan.


Setup Usernames and Passwords

This section sets up the passwords for telnet, ssh and enables http and https access to the switch.

! Replace ZZZZ with admin password (must be 8 chars!)

! WWWW = telnet and SSH password

! YYYYY = enable password

! VVVVV = console password

username admin password ZZZZ priv 15

enable password YYYY

aaa authentication login default line

aaa authentication enable default line

crypto certificate 1 generate key-generate

ip https secure-server

ip http authentication aaa login-authentication local

line ssh

login authentication default

enable authentication default

password WWWW

line telnet

login authentication default

enable authentication default

password WWWW

line console

password VVVV


Save Config

Most importantly don’t forget to save your changes.

Copy run start

You can backup the config to a USB key fob (inserted into switch 1) with the command

    Copy run usb://filename

(Change filename to whatever you want to call the backup file)