Browsing Posts published by Huw

This article explains how to update the firmware on a Dell N2000 or N3000 series switch. Specifically, the procedure applies to the N2024/N2024P/N2048/N2048P/N3024/N3024F/N3024P/N3048/N3048P.

Prerequisites

  • It is assumed that the switch is on the network and has an IP address configured (this is needed to copy the firmware file onto the switch). Download the updated firmware from the Dell support site and extract the contents.
  • You will need a TFTP server running and reachable from the switch. If you do not already have one, a basic server can be downloaded from http://tftpd32.jounin.net/tftpd32_download.html. Note that TFTP has no authentication or encryption, so run the server on the management network only, restrict its root directory to the firmware files, and stop it once the upgrade is finished.
  • Copy the firmware file (.stk) into the TFTP directory (in this example
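As an added example (not part of the original post), the following PowerShell checks the downloaded .stk image against the SHA-256 published next to the download before it is placed in the TFTP root, so a corrupted or tampered file is never served to the switch. The file paths, the TFTP server address and the digest are placeholders you supply; the function and parameter names are this example's own.

```powershell
# Added example: verify a firmware image before staging it for TFTP.
# Placeholders (not from the original post): file paths, TFTP address, expected digest.
param(
    [string]$FirmwarePath   = 'C:\Downloads\N3000_N2000v6.1.0.6.stk',
    [string]$TftpRoot       = 'C:\tftp',
    [string]$TftpServerIp   = '192.0.2.10',     # the YYYYYYYY in the switch commands below
    # Copy the SHA-256 shown beside the download on the Dell support page.
    [string]$ExpectedSha256 = '<sha256-from-download-page>'
)

function Test-FirmwareImage {
    # Returns $true only if the file exists, is a .stk image and matches the expected digest.
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Firmware file not found: $Path" }
    if ([IO.Path]::GetExtension($Path) -ne '.stk') { throw "Not a .stk image: $Path" }
    if ($ExpectedSha256 -notmatch '^[0-9a-fA-F]{64}$') {
        throw 'ExpectedSha256 must be the 64-hex-digit SHA-256 from the download page'
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {          # -ne is case-insensitive, fine for hex
        throw "SHA-256 mismatch for $Path`n expected $ExpectedSha256`n actual   $actual"
    }
    return $true
}

function Publish-FirmwareImage {
    # Copies a verified image into the TFTP root and prints the switch command to type.
    param([string]$Path, [string]$TftpRoot, [string]$TftpServerIp, [string]$ExpectedSha256)

    Test-FirmwareImage -Path $Path -ExpectedSha256 $ExpectedSha256 | Out-Null
    if (-not (Test-Path -LiteralPath $TftpRoot)) {
        New-Item -ItemType Directory -Path $TftpRoot | Out-Null
    }

    $name   = [IO.Path]::GetFileName($Path)
    $staged = Join-Path $TftpRoot $name
    Copy-Item -LiteralPath $Path -Destination $staged -Force

    # Re-hash the copy: the switch fetches this file, not the original download.
    Test-FirmwareImage -Path $staged -ExpectedSha256 $ExpectedSha256 | Out-Null

    "Staged $name. On the switch run:"
    "  copy tftp://$TftpServerIp/$name backup"
    'Stop the TFTP server once the copy has completed; TFTP is unauthenticated and unencrypted.'
}

Publish-FirmwareImage -Path $FirmwarePath -TftpRoot $TftpRoot `
    -TftpServerIp $TftpServerIp -ExpectedSha256 $ExpectedSha256
```

The placeholder digest deliberately fails the format check, so the script refuses to stage anything until a real SHA-256 is pasted in; the copy in the TFTP root is hashed a second time because that, not the original download, is what the switch will boot.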

 

Step 1 – Backup Existing Config

Connect to the switch either via the console port or over Telnet/SSH (e.g. with PuTTY).

copy running-config tftp://YYYYYYYY/backup-stackX

Where YYYYYYYY is the IP address of your TFTP server (backup-stackX is the file name the backup will be saved under)

conf t

enable password XXXXXXXX

Where XXXXXXXX is your password

copy running-config startup-config

Verify the current firmware version by running

show ver

Below shows the steps taken in a real world upgrade…


 

Step 2 – Copy New Firmware onto Switch

In this step we copy the new firmware into the switch's backup image slot (each switch holds an active and a backup image; the running configuration is not touched).

copy tftp://YYYYYYYY/ZZZZZZZZ.stk backup

Where ZZZZZ is the name of the firmware update file. For firmware 6.1.0.6 the file is N3000_N2000v6.1.0.6

show ver

Verify that the new firmware version is listed as the backup image. Assuming all is OK, set the switch to boot from the backup image and reload:

boot system backup

reload

Once the switch has rebooted, reconnect and run show ver to verify that the new version is now the active image. The previous version stays on the switch as the backup image, which gives you a rollback path if anything is wrong.


 

Step 3 – Update Bootcode

We then need to update the boot code (the U-Boot bootloader) so that it matches the new firmware.

update bootcode

reload

Then issue a show ver to verify the active firmware version.

Note that if you are connected via the serial console you can see the bootcode version in the boot messages when the switch reloads. For this firmware (only), look for “U-Boot 2012.10-00077-g89d3a3e (Mar 18 2014 – 13:11:33)”.

For further information see the PDFs included in the firmware .zip file.

END

In this example I am setting up a very basic DFS infrastructure for a company with one head office and one branch office. The DFS server in head office is called Training-DC1, the DFS server in the branch office is called Training-DC2. We want to create a folder that is available and replicated to both sites.

Pre-Requisites

  • DFS will not work reliably if there are network or Active Directory problems between the servers. Check that all is well first – I recommend ping tests and running “dcdiag” on all servers to check for issues.
  • Install the DFS role services (DFS Namespaces and DFS Replication, plus the management tools) on every server that will host DFS shares. This is done from Server Manager.

 

Setup Namespace

Microsoft’s definition of a DFS Namespaces – “Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. However, the underlying structure of the namespace can consist of numerous file shares that are located on different servers and in multiple sites.”

On your main DFS server (e.g. the one in head office) open the DFS Tool from server manager and create a new namespace

Select the local server

 

Click on Edit Settings and set the local path and share permissions for the namespace root. For the local path I recommend creating a folder that references the server name (in this instance DFS-DC1). I have seen DFS replication problems caused by different servers having the same folder name. For the share permissions, leave everyone at read-only and grant change access only to the group that needs to write.

Click next and finish.

 

Add Other Servers to Namespace

In the DFS management tool click on add namespace server

Select your second DFS server (in this example the branch office server).

Click on edit settings and set folder access as appropriate. Again I recommend choosing a unique name for the folder (DFS-DC2 in this example).

 

Create Replication Group

In DFS management console right click on “replication” and select “new replication group”

Select a multipurpose replication group and click next.

Add your servers

Select your chosen topology

Choose the schedule and the primary member (the server whose content wins if both sides hold a file during the initial sync). Then choose the folder to replicate on the primary server (DFS-DC1).

Choose the location of the folder to replicate on the other server (in this example DFS-DC2).
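The walkthrough above as an added PowerShell example (not part of the original post), using the DFSN and DFSR cmdlets that ship with the DFS management tools on Windows Server 2012 R2. It assumes the domain training.local, Training-DC1 as the primary member, local folders under C:\DFSRoots and C:\Shares named per server as the walkthrough recommends, and a group TRAINING\DFS Users that is allowed to write; run it as a domain admin with PowerShell remoting enabled on both servers. Rather than replicating the namespace root itself, the example adds a folder Shared under the namespace and replicates its two folder targets, which keeps the small DFSN-managed root folders separate from the replicated data.

```powershell
# Added example: namespace + replication group from the walkthrough, built with the
# DFSN/DFSR modules. Server names, paths and the TRAINING\DFS Users group are assumptions.
$Domain  = 'training.local'
$Root    = "\\$Domain\DFS"                       # server-independent path users will use
$Servers = 'Training-DC1', 'Training-DC2'        # [0] = head office = primary member

# Unique local folder names per server, as recommended above.
$RootPath   = @{ 'Training-DC1' = 'C:\DFSRoots\DFS-DC1';  'Training-DC2' = 'C:\DFSRoots\DFS-DC2' }
$SharedPath = @{ 'Training-DC1' = 'C:\Shares\Shared-DC1'; 'Training-DC2' = 'C:\Shares\Shared-DC2' }
$WriteGroup = 'TRAINING\DFS Users'               # assumed group allowed to write

# 1. Role services on every member (idempotent).
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication, RSAT-DFS-Mgmt-Con | Out-Null
}

# 2. Local folders and shares. Share permissions are deliberately not the default
#    Everyone/Full: read for everyone, change only for the group that should write.
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server `
        -ArgumentList $RootPath[$server], $SharedPath[$server], $WriteGroup -ScriptBlock {
        param($root, $shared, $writeGroup)
        New-Item -Path $root, $shared -ItemType Directory -Force | Out-Null
        # Namespace root only holds links, so read-only is enough.
        New-SmbShare -Name 'DFS'    -Path $root   -ReadAccess 'Everyone' | Out-Null
        # Replicated data: change for the write group, read for everyone else.
        New-SmbShare -Name 'Shared' -Path $shared -ReadAccess 'Everyone' -ChangeAccess $writeGroup | Out-Null
    }
}

# 3. Domain-based namespace (Windows Server 2008 mode) with a root target on each server,
#    plus a folder "Shared" whose two targets are the folders we are about to replicate.
New-DfsnRoot         -Path $Root          -TargetPath "\\$($Servers[0])\DFS"    -Type DomainV2 | Out-Null
New-DfsnRootTarget   -Path $Root          -TargetPath "\\$($Servers[1])\DFS"    | Out-Null
New-DfsnFolder       -Path "$Root\Shared" -TargetPath "\\$($Servers[0])\Shared" | Out-Null
New-DfsnFolderTarget -Path "$Root\Shared" -TargetPath "\\$($Servers[1])\Shared" | Out-Null

# 4. Multipurpose replication group; Add-DfsrConnection creates both directions (full mesh).
New-DfsReplicationGroup -GroupName 'Shared' | Out-Null
New-DfsReplicatedFolder -GroupName 'Shared' -FolderName 'Shared' -DfsnPath "$Root\Shared" | Out-Null
Add-DfsrMember          -GroupName 'Shared' -ComputerName $Servers | Out-Null
Add-DfsrConnection      -GroupName 'Shared' -SourceComputerName $Servers[0] `
                        -DestinationComputerName $Servers[1] | Out-Null

# 5. Which local folder each member replicates; the primary wins conflicts on the initial sync.
Set-DfsrMembership -GroupName 'Shared' -FolderName 'Shared' -ComputerName $Servers[0] `
    -ContentPath $SharedPath[$Servers[0]] -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName 'Shared' -FolderName 'Shared' -ComputerName $Servers[1] `
    -ContentPath $SharedPath[$Servers[1]] -Force | Out-Null

# 6. Do not wait for the members to poll AD; then check replication state and backlog.
Update-DfsrConfigurationFromAD -ComputerName $Servers
Get-DfsrState   -ComputerName $Servers[1]
Get-DfsrBacklog -GroupName 'Shared' -FolderName 'Shared' `
    -SourceComputerName $Servers[0] -DestinationComputerName $Servers[1]
```

Get-DfsrBacklog is the quickest answer to "is it actually replicating": a backlog that never drains usually means the RPC ports are blocked between the members or the branch server has not picked up the AD configuration yet.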

 

Conclusion

You have now set up a replicated folder accessible from both sites/offices via a path that is not tied to a specific server (in this example \\training.local\DFS).

In the event of any problems, check Windows Firewall (DFS Replication uses RPC over dynamic ports between the members) and the DFS Replication event log in Server Manager; Get-DfsrBacklog will show whether files are waiting to replicate.

END

Some notes I’ve made whilst studying for 70-414. I’ve tried to keep them as concise as possible. Some of the screenshots are from older versions of windows but are included to show specific settings.

System Center 2012r2

  • Orchestrator – A workflow management solution for the data center that lets you automate the creation, monitoring and deployment of resources in your environment.
    • Service Provider Foundation – This enables service providers and hosters to design and implement multi-tenant self-service portals that integrate IaaS capabilities.
      • Stamp – a concept introduced in Service Provider Foundation; a stamp is a logical unit made up of an SCVMM instance and the Hyper-V hosts and VMs it manages. Because stamps must be monitored, SCOM is required as well. For example a hosting company may have a “stamp” for each customer.
  • Service Manager – A platform for automating and adapting your organization’s best practices (e.g. ITIL). Provides processes for change control, problem resolution, asset management etc.
  • App Controller provides a common self-service experience that can help you easily configure, deploy, and manage virtual machines and services across private and public clouds.
  • System Center Global Service Monitor (GSM) provides the capability to monitor externally facing web sites and web services from geo-distributed locations. There are two monitoring types
    • Web Application Availability Monitoring, which monitors single URLs
    • Visual Studio Web Tests Monitoring, which lets you run multi-step, authenticated web tests from Microsoft-provided agents in the cloud.
  • The Self-Service Portal provides web-based access to the features of System Center 2012. It can be used by users to reset their own passwords.

System Center Configuration Manager (SCCM) –

  • Configuration Manager integrates with Windows Deployment Services to allow you to perform OS deployment and image capture.
  • Configuration baselines contain predefined configuration items and optionally, other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the configuration baseline and assess their compliance with it.
  • You can have primary sites, secondary sites and distribution points. For remote locations with fewer than 500 clients a distribution point is usually sufficient instead of a secondary site. Each primary site can support up to 10 management points; a secondary site supports 1.

System Center Operations Manager (SCOM) –

  • A cross-platform management and monitoring solution for PCs, servers and hypervisors (including VMware).
  • Can be used in conjunction with SCVMM for reporting
  • Audit Collection Services (ACS) – a means to collect the security event log records generated by an audit policy and store them in a centralized database
  • Gateway server – a local hub that authenticates and communicates with agents sitting outside the management group’s Kerberos trust boundary (untrusted domains, workgroups, DMZ hosts). The gateway and the management server authenticate each other with certificates.
  • Management Packs – contain the settings for monitoring applications and services as well as tasks, views, reports, run as profiles etc.
    • Overrides – allow you to change the default values – e.g. the severity of an alert
  • To set up email notification subscriptions, go to Administration – Notifications – Subscriptions and create a subscription

  • You can monitor Distributed Applications with Service Level Tracking

System Center Virtual Machine Manager (SCVMM)

  • To integrate VMM with SCOM you need to
    • Install powershell v3
    • Install an Operations Manager Operations console on the VMM management server
    • Install Operations Manager agents on the VMM management server and all hosts under management by VMM (managed hosts).
    • Import the necessary management packs
  • Host Groups – can be used to group Hyper-V hosts. You can then assign permissions to host groups.

Networking

VMM uses a number of architectural components

  • Logical network – e.g. LAN, WAN, DMZ, VLAN1, VLAN2 etc

  • Network Sites – allow the same logical network to map to different IP subnets and VLANs in different physical sites. E.g. the LAN in London may use a different subnet to the LAN in Norwich.
  • Port Profiles – there are 2 types
    • Virtual Port Profiles – for use with VMs. You can specify offload settings, security settings (MAC spoofing, DHCP guard, router guard, guest teaming) and QoS
    • Uplink Port Profiles – the connectivity of the virtual switch to the logical (physical) network
  • Port Classifications – a label that can be used to identify different classes of connection (e.g. “Gold” for fast fibre SAN, “Bronze” for NAS)
  • Network Types
    • Internal – Communication between the host and the VMs only
    • External – Communication between the VMs and other systems (via a physical adaptor)
    • Private – Communication only between VMs

  • A Virtual IP (VIP) template – can be used for hardware load balancers. These contain load-balancer-related configuration settings for a specific type of network traffic.

Integration with other Hypervisors

You can manage VMware vSphere (via vCenter) and Citrix XenServer hypervisors from SCVMM.

  • To manage Citrix XenServer hosts you must install the Citrix System Center Integration Pack (a supplemental pack) on the XenServer host.

Permissions

  • You can assign the below roles within VMM
    • Administrator – full rights to all objects
    • Fabric Administrator – a delegated administrator role, can perform all administrative tasks within their assigned host groups, clouds or library servers.
    • Read-Only Administrator – view only rights
    • Tenant Administrator – can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines.
    • Application Administrator (Self-Service User) – members can create, deploy and manage their own virtual machines and services by using the VMM console or a web portal, within the quotas set by a tenant administrator.

Optimisation

Automatic Virtual Machine Placement

  • VMM Availability sets – can be used to specify VMs that should be kept on different hosts (e.g. DCs). Aka anti-affinity.
  • Custom Properties – can be used to customize placement via your own criteria. E.g. create a value called costcenter
  • Preferred Owner – Selected first where possible, Possible Owner – VMs can only be migrated to possible owners

  • P2V. As of System Center 2012 R2 you can no longer perform P2V conversions in VMM. You can use System Center 2012 SP1 as long as the source system:-
    • Has at least 512MB RAM
    • Has volumes smaller than 2040 GB
    • Does not have encrypted volumes
  • Service Template – Contains the information required to create an instance of a service (e.g. a multi-tier application).
    • A tier can contain up to 4 components
      • VIP template – a virtual IP address used with NLB
      • VM template
      • Application profile – references application code or scripts
      • SQL profile – schema definitions and other SQL info
    • Each service template has a release number.
    • Each VM created from a service template keeps its link to the template. If you update the template, the release number is raised and the deployed service can then be updated to the new release so that the changes are applied to the VMs created from it.
  • Dynamic Optimisation – migrates virtual machines to improve load balancing among hosts and to correct any placement constraint violations for virtual machines.
    • You can specify Dynamic Optimization settings for: CPU, memory, disk I/O, and network I/O.
    • Can be configured on a host group
    • Runs every 10 minutes by default. Aggressiveness (medium by default) determines the amount of load imbalance required to initiate a migration.
    • Power Optimisation – turns off hosts when not needed to save power. They can then be turned back on when required
    • Host reserve – Set aside CPU, memory, disk I/O and network I/O for the host OS.
  • The Hyper-V Replica Broker cluster role must be configured if you want to replicate VMs that are in a failover cluster

Windows Powershell Desired State Configuration (DSC)

DSC is a management platform built into Windows PowerShell 4.0 (only the DSC pull server is installed as a separate feature) that can be used for:-

  • Enabling or disabling server roles and features
  • Managing registry settings
  • Managing files and directories
  • Starting, stopping, and managing processes and services
  • Managing groups and user accounts
  • Deploying new software
  • Managing environment variables
  • Running Windows PowerShell scripts
  • Fixing a configuration that has drifted away from the desired state
  • Discovering the actual configuration state on a given node

Use Get-DscLocalConfigurationManager and Set-DscLocalConfigurationManager to view and configure the Local Configuration Manager (LCM) on a node – e.g. whether it uses push or pull refresh, how often it checks for drift, and whether it only reports drift (ApplyAndMonitor) or corrects it (ApplyAndAutoCorrect).
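As an added example (not from the notes), the following shows the two halves of DSC the list above describes: a configuration that declares the desired state of a file server, and an LCM meta-configuration that makes the node re-check itself every 30 minutes and correct any drift. It uses the WMF 4 / Windows Server 2012 R2 syntax; the node name, the resources chosen and the output folder are this example's own.

```powershell
# Added example: a DSC configuration plus LCM settings (WMF 4 syntax). Resources and
# paths are illustrative, not from the original notes.
Configuration BranchFileServer {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Roles and features: install what the server needs, remove what it must not have.
        WindowsFeature DfsReplication {
            Name   = 'FS-DFS-Replication'
            Ensure = 'Present'
        }
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        # Services: keep DFSR running and set to start automatically.
        Service Dfsr {
            Name        = 'DFSR'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]DfsReplication'
        }
        # Registry: disable the SMB1 server protocol (Microsoft-documented value for 2012 R2).
        # If someone re-enables it, ApplyAndAutoCorrect below puts it back.
        Registry DisableSmb1Server {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

Configuration BranchFileServerLcm {
    Node localhost {
        LocalConfigurationManager {
            RefreshMode                    = 'Push'               # no pull server in this example
            ConfigurationMode              = 'ApplyAndAutoCorrect' # fix drift, not just report it
            ConfigurationModeFrequencyMins = 30                    # must be a multiple of RefreshFrequencyMins
            RebootNodeIfNeeded             = $false
        }
    }
}

$out = 'C:\DSC'
BranchFileServer    -OutputPath "$out\BranchFileServer"    | Out-Null   # writes localhost.mof
BranchFileServerLcm -OutputPath "$out\BranchFileServerLcm" | Out-Null   # writes localhost.meta.mof

# Apply the LCM settings first, then the configuration, then confirm the node is compliant.
Set-DscLocalConfigurationManager -Path "$out\BranchFileServerLcm" -Verbose
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins

Start-DscConfiguration -Path "$out\BranchFileServer" -Wait -Verbose
Test-DscConfiguration   # $true when the node matches the desired state
```

Test-DscConfiguration is the check to run after someone "just quickly" changes a setting by hand: with ApplyAndAutoCorrect the LCM will revert it within the configured interval anyway, but the test shows the drift immediately.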

Clustering

  • Cluster Aware Updating (CAU) – introduced in Windows Server 2012; patches the nodes of a failover cluster one at a time, moving roles off each node before it is updated
  • Data deduplication – in Windows Server 2012 R2 now supports VDI virtual machines on Cluster Shared Volumes (CSV)
  • When there are multiple networks Win2012r2 uses the below criteria when deciding what network to use for CSV traffic.
    • Metrics
      • These are automatically calculated based on speed and whether features such as RDMA and RSS are supported.
      • However, SMB multichannel takes precedence over network calculated metrics. To just rely on metrics you must disable SMB Multichannel.
  • A File Share Witness (FSW) is a file share that you may create on a completely separate server from the cluster to act like a disk for tie-breaker scenarios when quorum needs to be established. You would typically use a FSW as a tie-breaker when there are an even number of clustered servers.

DHCP

  • DHCP failover – introduced in Windows Server 2012; allows two DHCP servers to serve the same scopes in either hot standby mode (active/passive – should the active server fail, the passive server takes over) or load balance mode (both servers answer).

Windows Intune

A cloud management solution aimed at SMEs. Allows administrators to deploy updates, malware protection and manage inventory.

Network Load Balancing

Filtering Mode

  • Multiple host – traffic for the port rule is handled by multiple nodes; affinity decides which node a client goes to
  • Single host – traffic for the port rule is handled by a single node (the one with the highest handling priority)
  • Disable – traffic for the port rule is blocked

Affinity – (applies to multiple host mode only)

  • Single – Used in most instances when clients originate from many different locations; each client IP sticks to one node
  • None – If clients originate from the same IP (e.g. behind a NAT router) and no session state is held on the node
  • Network – Requests originating from the same class C network are directed to the same node (useful when a client’s requests may arrive from different proxies in the same range)

You will need to enable MAC address spoofing on the virtual network adapter of a VM in order to use NLB in unicast mode on Hyper-V

The below network services can be load balanced by NLB:-

  • SQL server 2012 reporting services
  • Sharepoint Server 2010 front-end web server

Microsoft Desktop Optimization Pack

Contains a number of utilities

  • Asset Inventory Service – helps you determine what software and hardware you have in your organization compared to your licensing agreements.

Virtual Disks

Resiliency Settings – When creating a virtual disk you have the following resiliency options

  • 2-way mirror – requires at least 2 disks
  • 3-way mirror – requires at least 5 disks
  • Parity – requires at least 3 disks

Certificates

Email Encryption –

For 2 companies to encrypt emails sent between them you should

  • Exchange and install root CA certificates
  • Duplicate the enrolment certificate and install a template based on the new certificate
  • Request cross-certification authority certificates (qualified subordination)

Constraints can be applied during the cross-certification process by using a policy.inf file. CApolicy.inf is used to apply constraints during the installation of a CA

Recovery of a CA

To restore certificate revocation checking in the event of a failed CA

  • Restore a copy of the CA’s private key and then retrieve a copy of the CRL
  • Use certutil to re-sign the CRL and extend its validity period
  • Republish the CRL using Certutil

Services

  • Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. When used with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
  • Online Responder – Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate.
  • Certification Authority Web Enrollment – Provides a web interface to the CA role service

BranchCache

WAN bandwidth optimization technology that is included in Windows 2008R2 and Win7 and higher. To optimize WAN bandwidth when users access content on remote servers, BranchCache copies content from the remote servers and caches it locally for clients at branch offices to access.

  • In hosted cache mode content is cached on a server at the branch (the hosted cache server)
  • In distributed cache mode no server is required. Content is cached on, and shared between, the client computers at the branch.

WSUS

  • Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered separately.
  • Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their upstream WSUS server.

Active Directory Rights Management Services (AD RMS)

An information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.

Azure

  • Designed for the data center, Windows Azure Pack integrates with System Center and Windows Server to help provide a self-service portal for managing services such as websites, Virtual Machines, and Service Bus; a portal for administrators to manage resource clouds; scalable web hosting; and more. Available for free.

Azure Site Recovery

Use Azure Site Recovery to protect virtual machines running on Hyper-V hosts located in System Center Virtual Machine Manager (VMM) clouds. To setup site recovery

  1. Get a certificate uploaded to the vault and set up on the source VMM server, and generate a vault key.
  2. Set up VMM servers—Install the Azure Site Recovery Provider on the source and target VMM server.
  3. Configure the VMM clouds—Configure protection settings for VMM clouds.
  4. Enable virtual machines—Enable protection for virtual machines.

Scale-Out File Server

Designed to provide continuously available file shares by presenting the same share from every node of a failover cluster (active/active). Commonly used with Storage Spaces on shared SAS JBODs as an alternative to a SAN. When you create a clustered file server you choose between 2 types

  1. Scale-Out File Server for application data – e.g. Hyper-V VM files or SQL Server databases
  2. File Server for general use – the traditional clustered file server for user shares

Bitlocker

To deploy a BitLocker data recovery agent you need to set up one account with permission to decrypt encrypted drives

  1. Install BitLocker on a DC
  2. Copy, modify and publish the Basic EFS template
  3. Request a new certificate for the recovery account using the new template. Export it as a .cer file
  4. Deploy the data recovery agent in a GPO (Computer Configuration – Windows Settings – Security Settings – Public Key Policies – BitLocker Drive Encryption)

AutoEnrollment

To have certificates automatically renew you need to edit the autoenrollment template

Then edit the GPO

Misc

  • Windows Server Gateway – a multi-tenant gateway built on RRAS. Use it to route between Hyper-V virtual networks and other networks (site-to-site VPN, NAT, forwarding)
  • RDMA – aka SMB Direct – SMB over RDMA-capable NICs; the data transfer is offloaded to the NIC, bypassing the CPU
  • Receive-side scaling (RSS) – Enables a network adapter to distribute its network processing load across multiple virtual processors in multi-core virtual machines.
  • VHDX disks can store up to 64TB of data (VHD is limited to 2TB).
  • When creating virtual disks:-
    • A 2 way mirror requires 2 disks
    • Parity requires 3 disks
    • A 3 way mirror requires 5 disks
  • To audit changes to active directory objects in an OU you must:-
    • From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
    • Modify the audit settings on the OU

Below is a list of quick study notes taken whilst revising for this exam. I’ve tried to keep them as concise as possible.

Storage Spaces

  • A storage pool is a collection of physical disks
  • You can create virtual disks from a storage pool
    • When creating virtual disks you can enable “storage tiers” which will automatically move data to fast disks (e.g. SSDs) based on usage.
    • Virtual disks can be
      • Simple – data striped across all disks. Maximises usable space
      • Mirror – data mirrored. You need 2 drives to cover 1 disk failure, 5 to cover 2 disk failures. Drastically reduces usable space.
      • Parity – striped with parity. You need 3 drives to cover 1 disk failure, 7 to cover 2 disk failures. Good combination of reliability and usable space.
    • Virtual disk can be thick or thin provisioned
  • Volumes are then created from the virtual disks. You have the option to enable deduplication

  • The “iSCSI target service” allows a server to present local disk as an iSCSI target (i.e. so other servers can connect to it).

Azure

To manage windows Azure you can use the below 3 cmds

  • Get-AzurePublishSettingsFile cmdlet opens your default browser, signs into your Windows Azure account, and automatically downloads a .publishsettings xml file that contains information and a certificate that provides management credentials for your Windows Azure subscription.
  • Import-AzurePublishSettingsFile cmdlet imports the .publishsettings file
  • Set-AzureStorageAccount cmdlet updates the properties of an Azure storage account in the current subscription. Properties that can be set are: “Label”, “Description” and “GeoReplicationEnabled”.

Active Directory Recycle Bin

  • Forest functional level must be at least win2008 r2
  • Not enabled by default in Win2012. You can enable it within the “Active Directory Administrative Center”

A deleted objects folder is now shown

NB – You can use the PowerShell cmdlet Sync-ADObject to replicate an individual object immediately between two DCs.

Microsoft Desktop Optimization Pack (MDOP)

  • Advanced Group Policy Management (AGPM) is a key component of MDOP. It provides change control, offline editing, and role-based delegation.

Active Directory Federation Services

Integrated Windows Authentication (IWA) can be provided for intranet clients by AD FS in Windows Server 2012 R2 (the built-in role, which superseded the separately downloaded AD FS 2.0).

Managing Printers

Note you can migrate printers via the Print Management console (you will need the Print and Document Services role / Print Management tools installed).

Deduplication

Caveats:-

  • Cannot be installed on system or boot volumes
  • Do not install on CSV volumes
  • Can only be installed on non-removable drives
  • Cannot dedupe drives formatted with ReFS

DNS

  • You would create a DNS zone delegation to:-
    • Create sub zones. E.g. sales.contoso.com
    • Delegate management
    • Divide up DNS traffic for large zones
  • You can protect against DNS cache poisoning attacks by using DNSSEC (signed zones let resolvers detect forged answers). Below are common DNSSEC cmdlets :-
    • Invoke-DnsServerZoneSign – signs a zone
    • Add-DnsServerSigningKey – adds a key signing key (KSK) or zone signing key (ZSK) to a zone
  • Stub zone – a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone.
  • Cache Locking – the CacheLockingPercent value protects cached DNS entries for a percentage of their TTL. E.g. if you set it to 50 and the TTL is 1 hour, the entry cannot be overwritten for 30 mins (the default is 100, i.e. never overwritten before the TTL expires).
  • UnRegister-DnsServerDirectoryPartition cmdlet deregisters a Domain Name System (DNS) server from a specified DNS application directory partition. After you deregister a DNS server from a DNS application directory partition, the DNS server removes itself from the replication scope of the partition.
  • GlobalNames – Windows 2008 and above support the resolution of simple, single-label names in DNS via the GlobalNames zone. To set up GlobalNames you must
    • Create the GlobalNames zone in DNS
    • Enable GlobalNames support: dnscmd <ServerName> /config /enableglobalnamessupport 1
    • Populate the zone and replicate
    • Publish to other forests –
      • add service location (SRV) resource records to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone
      • In addition, you must run the dnscmd <ServerName> /config /enableglobalnamessupport 1 command on every authoritative DNS server in the forests that do not host the GlobalNames zone.
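The cache-poisoning defences and DNSSEC steps from the list above, as an added PowerShell example (not from the original notes) using the DnsServer module on Windows Server 2012 R2. The zone name contoso.com and the output folder are assumptions; run it on the primary server for the zone as a DNS administrator.

```powershell
# Added example: cache locking, socket pool and zone signing with the DnsServer module.
# The zone name and export path are placeholders, not from the original notes.
$Zone = 'contoso.com'

# --- Cache poisoning defences --------------------------------------------------
# Cache locking: a cached record cannot be overwritten by a new answer for this
# percentage of its TTL (default 100; 50 matches the example in the notes).
Set-DnsServerCache -LockingPercent 50
Get-DnsServerCache | Select-Object LockingPercent

# Socket pool: number of randomised UDP source ports for outbound queries
# (default 2500). A larger pool makes source-port guessing harder.
dnscmd /Config /SocketPoolSize 5000

# --- DNSSEC: sign the zone with explicit keys ------------------------------------
# One-liner alternative using Microsoft's defaults (KSK 2048-bit, ZSK 1024-bit):
#   Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefaultSettings -Force
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048 | Out-Null
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048 | Out-Null
Invoke-DnsServerZoneSign -ZoneName $Zone -Force

# --- Verify and publish --------------------------------------------------------------
Get-DnsServerSigningKey     -ZoneName $Zone                    # KSK/ZSK, algorithm, rollover state
Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey     # public keys now in the zone
Get-DnsServerResourceRecord -ZoneName $Zone -RRType RRSig | Select-Object -First 5

# A DO-bit query against this server must now return RRSIG records alongside the answer.
Resolve-DnsName -Name $Zone -Type SOA -DnssecOk -Server localhost

# Export the DS/DNSKEY set for the parent zone (or as a trust anchor for internal resolvers).
New-Item -ItemType Directory -Path 'C:\DNSSEC' -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path 'C:\DNSSEC'
```

Signing the zone is only half the job: until the DS record is in the parent (or the DNSKEY is distributed as a trust anchor), validating resolvers cannot chain to it, and clients only validate if the NRPT tells them to require DNSSEC for that suffix.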

Workplace Join

  • Allows BYOD devices to get active directory access without being explicitly added to the domain.
  • The setup process is:-
    • SSL cert – install a public trusted certificate
    • install ADFS – In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication
    • Setup device registration service (powershell cmds are Initialize-ADDeviceRegistration & Enable-AdfsDeviceRegistration) to configure a server in an AD FS farm to host the Device Registration Service.
    • Register device registration service endpoint in DNS – create enterpriseregistration record
  • The Workplace Join process creates a new device object in AD and also installs a certificate on the device. You can then create conditional access policies to permit access to only authorized network applications and services.
  • The SSL certificate on the ADFS server MUST have the below settings:-
    • Subject Name (CN): adfs1.contoso.com
    • Subject Alternative Name (DNS): adfs1.contoso.com
    • Subject Alternative Name (DNS): enterpriseregistration.contoso.com

Read Only Domain Controllers (RODC)

  • Filtered Attribute Set (FAS) – A list of sensitive attributes that are NOT replicated to RODCs (e.g. credential-like data held in custom attributes).
  • Check the attribute’s searchFlags value in the schema to see if it is in the FAS: bit 0x200 (512, RODC filtered) set means it is not replicated to RODCs; Microsoft recommends also setting bit 0x80 (128, confidential). A searchFlags of 0 means it replicates like any other attribute.
  • Use ldifde with -d (the schema DN) and -r (an LDAP filter) to query the searchFlags values
  • To allow or deny the caching of passwords on a RODC you can use the Allowed and Denied RODC Password Replication Groups.
    • “Allowed RODC Password Replication Group” has no members by default
    • “Denied RODC Password Replication Group” contains all the ‘VIP’ accounts (Enterprise Admins, Cert Publishers, Schema Admins, etc). Deny overrules allow.

    The configuration of a Password Replication Policy is pretty straightforward. Open the Active Directory Users and Computers snap-in and select the RODC in the Domain Controllers organizational unit. On the “Password Replication Policy” tab there are the two groups: “Allowed RODC Password Replication Group” and “Denied RODC Password Replication Group”. A user can be added to either of the desired groups.

  • “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com” – this error occurs when running adprep /rodcprep if it cannot contact the infrastructure master for that application partition.
  • Each RODC requires a replication partner that is a writable DC running Windows Server 2008 or above.
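As an added example (not from the original notes), the following PowerShell does the two checks the RODC notes describe: it lists the schema attributes that are actually in the Filtered Attribute Set by testing the 0x200 bit of searchFlags (rather than assuming searchFlags is 0 or not), and it shows the Password Replication Policy plus the accounts whose secrets are currently cached on an RODC. The RODC name BRANCH-RODC1, the group "Branch Users" and the custom attribute contoso-VaultPin are placeholders; the two functions are this example's own.

```powershell
# Added example: inspect/extend the RODC Filtered Attribute Set and review the PRP.
# RODC name, group and attribute names are placeholders, not from the original notes.
Import-Module ActiveDirectory

$SchemaNC      = (Get-ADRootDSE).schemaNamingContext
$RODC_FILTERED = 0x200   # fRODCFilteredAttribute: member of the FAS, never sent to RODCs
$CONFIDENTIAL  = 0x80    # fCONFIDENTIAL: read requires CONTROL_ACCESS; set alongside

function Get-RodcFilteredAttribute {
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single bit server-side,
    # so this is exact. ldifde equivalent:
    #   ldifde -f fas.ldf -d "<schema DN>" -r "(searchFlags:1.2.840.113556.1.4.803:=512)" -l lDAPDisplayName,searchFlags
    $filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$RODC_FILTERED))"
    Get-ADObject -SearchBase $SchemaNC -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName,
                      @{ n = 'searchFlags';  e = { '0x{0:X}' -f $_.searchFlags } },
                      @{ n = 'Confidential'; e = { ($_.searchFlags -band $CONFIDENTIAL) -ne 0 } }
}

function Add-RodcFilteredAttribute {
    # Marks an attribute RODC-filtered and confidential. Only custom (non-base-schema)
    # attributes can be made confidential, and system-critical attributes cannot be
    # filtered. Needs Schema Admins and writes to the schema master; use -WhatIf first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)

    $attr = Get-ADObject -SearchBase $SchemaNC -Properties searchFlags `
                -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $new = $attr.searchFlags -bor $RODC_FILTERED -bor $CONFIDENTIAL
    if ($PSCmdlet.ShouldProcess($LdapDisplayName, ('set searchFlags to 0x{0:X}' -f $new))) {
        Set-ADObject -Identity $attr -Replace @{ searchFlags = $new } -Server (Get-ADForest).SchemaMaster
    }
}

Get-RodcFilteredAttribute | Format-Table -AutoSize
Add-RodcFilteredAttribute -LdapDisplayName 'contoso-VaultPin' -WhatIf   # hypothetical custom attribute

# Password Replication Policy: cache only the branch users; Denied (privileged) always wins.
$Rodc = 'BRANCH-RODC1'
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'Branch Users'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# Secrets actually cached on the RODC right now: what an attacker with the box would get.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName
```

The last query is the one to keep an eye on: the Allowed group controls who may be cached, but the revealed list is who has been cached, and a privileged account appearing there means the Denied group is not doing its job.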

Windows Deployment Services

  • Use a transport server for custom deployments – e.g. when you want to store information in a SQL database.
  • Improved multicast deployment by eliminating the need for making a local copy of the install.wim file
  • DNS and DHCP must be available for WDS

DHCP

  • DHCP failover “load balance mode” – multiple DHCP servers can respond to, and load balance, client requests.
  • You can also set up “hot standby” mode, where one DHCP server is active and the other is passive; options such as the reserve percentage and “state switchover interval” control how many addresses the standby keeps back and how quickly it takes over.

  • You can grant control of DHCP services (to a non-enterprise admin) by delegating control of the NetServices container (View – Show Services Node – Services – NetServices) in Active Directory Sites and Services.
  • You can use DHCP filtering to deny leases by MAC address
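Both failover modes and the MAC deny filter from this section, as an added PowerShell example (not from the original notes) using the DhcpServer module on Windows Server 2012 R2. The server names, scope IDs and MAC address are placeholders; the failover relationship names are this example's own.

```powershell
# Added example: DHCP failover in both modes plus a MAC deny filter with the DhcpServer
# module. Server names, scopes and the MAC address are placeholders.
$Primary = 'DHCP1.contoso.com'
$Partner = 'DHCP2.contoso.com'
$Secret  = Read-Host -Prompt 'Failover shared secret (authenticates partner messages)'

# Load balance mode: both servers answer; a hash of the client MAC splits the scope 50/50.
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner -Name 'HQ-LoadBalance' `
    -ScopeId 10.10.0.0 -LoadBalancePercent 50 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 00:10:00 `
    -SharedSecret $Secret -Force

# Hot standby mode: $Primary is active, $Partner passive with 5% of the addresses in reserve.
# With AutoStateTransition the standby declares the partner down by itself after the
# state switchover interval instead of waiting for an administrator.
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner -Name 'Branch-HotStandby' `
    -ScopeId 10.20.0.0 -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 00:10:00 `
    -SharedSecret $Secret -Force

Get-DhcpServerv4Failover -ComputerName $Primary |
    Select-Object Name, Mode, State, PartnerServer, ScopeId

# Scope configuration changes are not synchronised on their own; push them after editing.
Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name 'HQ-LoadBalance' -Force

# MAC filtering is a server-level setting and is not part of failover, so set it on both.
foreach ($server in $Primary, $Partner) {
    Add-DhcpServerv4Filter -ComputerName $server -List Deny -MacAddress '00-11-22-33-44-55' `
        -Description 'Rogue device seen on the guest VLAN'
    Set-DhcpServerv4FilterList -ComputerName $server -Deny $true   # the list does nothing until enabled
    Get-DhcpServerv4Filter     -ComputerName $server -List Deny
}
```

The shared secret is what stops a rogue host from impersonating a failover partner and pulling the lease database, so treat it like any other service credential rather than leaving it blank.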

Forest Trusts

  • “Selective authentication” over a forest trust restricts users from the trusted forest to only those computers on which they have been explicitly granted the “Allowed to Authenticate” permission. This is set in the Security tab (advanced properties) of the computer object.

Printing

  • Branch Office Direct Printing – Allows print jobs from a branch office client to be sent directly to the printer rather than via the print server (i.e. keeping traffic off the WAN)

  • Print Server Clusters are not used in Windows 2012. Microsoft recommend using a highly available VM instead.

Group Policies

  • When a group policy is “enforced” it cannot be overridden by another group policy further down the hierarchy.

HyperV

Virtual Machine Manager can use the below profiles which can be found in the library section.

  • Application Profiles – Instructions to install APP-V, SQL and Web Deploy.
  • Capability Profiles – Capability Profiles are used to define the sets of capabilities that are allowed in a particular item.
  • Hardware profile – can contain specifications for CPU, memory, network adapters, a video adapter, a DVD drive, a floppy drive, COM ports etc
  • Guest OS Profiles – The OS settings, e.g. Windows version, roles and features to install
  • Host Profiles – Used to deploy new hosts.
  • SQL Server Profiles – Used to deploy SQL

 

VHDX

  • A new format for virtual disks
  • Only supported on Windows Server 2012 / Windows 8 and later.
  • Supports up to 64TB (as opposed to 2TB in VHDs)
  • Contains built-in protection against corruption (via metadata logging)
  • Larger block sizes (up to 256MB)

Offloaded Data Transfer (ODX)

  • Copy requests can be offloaded to the SAN, allowing for faster file transfers and virtual disk creation.
  • Not supported on IDE
  • Supports VHD and VHDX
  • Only works on NTFS volumes that are not compressed or encrypted

Direct Access

  • Aka Unified Remote Access. A VPN-like technology that can be used to connect clients automatically.
  • Requires Windows 7 and above
  • When using split brain DNS there may be a difference between the public and internal IP for server on your network. If you want a direct access client to access the public IP (rather than internal IP) then you must specify an exemption. This is achieved by not specifying a DNS server for a name suffix.
    • To setup access to intranet servers in the above example you should specify the name of the server with a leading dot (e.g. .intranet.al.net) in the name resolution policy
  • Use the prefer local names allowed option in a group policy to allow remote users to connect to a locally named server (e.g. server1) if the name conflicts with a server in head office.
  • You can specify the “force tunnelling” option to have all traffic routed through the direct access connection. Use “split tunnelling” if you do not want to force all traffic (e.g. web) through the direct access connection.

VPN

  • SSTP – A new form of VPN tunnel that allows traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP VPNs connect to port 443 (SSL).
  • VPN Reconnect refers to the support in Routing and Remote Access service (RRAS) for a new tunnelling protocol, IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2)

Resilient File System (ReFS)

New file system introduced in Windows 2012 and windows 8.

  • Cannot be configured on boot drives
  • Cannot convert NTFS to ReFS
  • Cannot be used on removable media
  • Cannot be used with Windows Deduplication

Network Access Protection (NAP)

  • Network Policy Server (NPS) – used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs).
  • Health Registration Authority (HRA) – validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network.
    • Requirements for HRA automatic discovery
      • Client computers must be running Windows 7, Windows Vista with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
      • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
      • The EnableDiscovery registry key must be configured on NAP client computers.
      • DNS SRV records must be configured.
      • The trusted server group configuration in either local policy or Group Policy must be cleared.
  • Host Credential Authorization Protocol (HCAP) – allows you to integrate your Microsoft Network Access Protection (NAP) solution with Cisco Network Admission Control
  • RADIUS server and proxy.
    • Note that client computers are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers

Domain Controller Cloning

  • Requires that the PDC emulator runs Windows Server 2012 or later (the clone contacts it during promotion)
  • The hypervisor must support VM-GenerationID, i.e. Hyper-V on Windows Server 2012 / Windows 8 or later
  • The source DC must run Windows Server 2012 or later
  • Dccloneconfig.xml is used to specify configuration settings of a cloned DC. They are applied at boot.
  • There is a new active directory group called “Cloneable Domain Controllers”. DCs must be a member of this group to be cloned.
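The cloning workflow the bullets above describe, as an added PowerShell example (not from the original post). It assumes the domain contoso.com, a source DC called DC2 to be cloned as DC2-CLONE, the IP addresses shown and the default site name; all of these are placeholders to adjust.

```powershell
# Added example, not from the original post. Assumed names: contoso.com, DC2
# (source DC), DC2-CLONE (clone), the IP addresses below and the default site.
# Run on DC2 in an elevated PowerShell as a Domain Admin.
Import-Module ActiveDirectory

# 1. The PDC emulator must run Windows Server 2012 or later.
$pdc = (Get-ADDomain -Identity 'contoso.com').PDCEmulator
Get-ADDomainController -Identity $pdc | Select-Object HostName, OperatingSystem

# 2. The source DC must be a member of "Cloneable Domain Controllers".
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC2')

# 3. Installed software not on the clone allow-list blocks cloning: either
#    remove it or generate CustomDCCloneAllowList.xml with -GenerateXml.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Applications not known to be clone-safe are installed; resolve before cloning.'
}

# 4. Write DCCloneConfig.xml (read once, at first boot of the clone).
New-ADDCCloneConfigFile -CloneComputerName 'DC2-CLONE' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '192.168.1.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '192.168.1.1' -IPv4DNSResolver '192.168.1.10'

# 5. Shut DC2 down, export it, and import the copy on the target host with a
#    new VM ID so the hypervisor hands the clone a fresh VM-GenerationID.
Stop-Computer -ComputerName 'DC2' -Force
# On the Hyper-V host:
#   Export-VM -Name 'DC2' -Path 'D:\Export'
#   Import-VM -Path 'D:\Export\DC2\Virtual Machines\<guid>.xml' -Copy -GenerateNewId
```

The exported virtual disk contains ntds.dit and therefore every password hash in the domain, including krbtgt; protect the export location like a DC backup and delete it once the clone is promoted.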

IP Address Management (IPAM)

  • IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running DHCP and DNS. There are a number of cmdlets you may need to use with IPAM:-
    • The Add-DhcpServerInDC cmdlet – Adds the computer running the DHCP server service to the list of authorized DHCP server services in AD.
    • Add-IpamServerInventory – Adds an infrastructure server to an IPAM database.
  • The IPAM server’s computer account must be a member of the “Event Log Readers” group on the domain controllers (the _DC_NPS GPO does this) so it can collect the logon events used for IP address tracking
  • If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  • The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies. This needs to be run in every domain. The GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM provisioning wizard.
    • The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value
    • Example use :- invoke-IpamGPOProvisioning -domain contoso.com -gpoprefixname IPAM
  • Set-IpamConfiguration – can be used to configure the IPAM server itself
  • The following IPAM security groups can be used for:-
    • IPAM Users – can view all information in server inventory, IP address space, and the monitor and manage IPAM console nodes. IPAM Users can view IPAM and DHCP operational events in the Event Catalog node, but cannot view IP address tracking data.
    • IPAM MSM Administrators – Members of this group have all the privileges of the IPAM Users security group, and can perform server monitoring and management tasks in addition to IPAM common management tasks.
    • IPAM ASM Administrators – Members of this group have all the privileges of the IPAM Users security group, and can perform IP address space tasks in addition to IPAM common management tasks.
    • IPAM IP Audit Administrators – Members of this group have all the privileges of the IPAM Users security group. They can view IP address tracking data and perform IPAM common management tasks.
    • IPAM Administrators – Members of this group have privileges to view all IPAM data and perform all IPAM tasks.

System Center Configuration Manager

  • Distribution Point – Used to store the files needed for installation packages.

Migration Tools

  • When migrating a server you can use the Export-SmigServerSetting to backup a configuration (e.g. DHCP settings).
  • You can then use the import-SmigServerSetting to import to a new server.

Key Powershell Commands

  • Get-ADReplicationUpToDatenessVectorTable DC1 – shows a list of the highest USNs seen by server DC1 for every domain controller in the forest.

Misc

  • Note that since Windows 2008 R2 you can lower the forest and domain functional level with the following PowerShell commands (you cannot go below 2008 R2 once the Active Directory Recycle Bin has been enabled)
    • Set-AdForestMode -identity yourdomain.com -forestmode Windows2008R2Forest
    • Set-AdDomainMode -identity YourDomain.com -domainmode Windows2008R2Domain
  • Online responder – An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate.
  • To rename a domain use the cmd line rendom.
    • Then use GPFIXUP to replace domain name references in GPOs.
  • BranchCache – Introduced in Windows 2008 R2, BranchCache provides a way to cache file and web content in a branch office to reduce WAN traffic.
    • Distributed cache mode – does not require a server in the branch office. Client computers can download and cache content for others.
  • Use the Microsoft Assessment and Planning (MAP) toolkit – to produce reports on what servers can be migrated to windows 2012r2
  • When delegating control of an OU, the tasks that can be generated are taken from a text file called delegwiz.inf. This file can be edited to include custom tasks.
  • Windows Server 2012 introduces support for claims-based authorisation via Dynamic Access Control.
  • Active Directory Migration Tool (ADMT) – can be used to migrate users, groups, accounts and computers between forests.
  • User State Migration Tool (USMT) – used to migrate profiles

END

In this example I am setting up 1x 5524P as the core with 2x 5548P switches used for distribution. These switches are to be used for networking only (no iSCSI).

They are being setup with a vlan for data (vlan1), a voice vlan (100) and wireless vlan (50). Initially only vlan1 will be used.

 

Stacking The Switches

  • In this example I have stacked the 3 switches with the top switch (number 1) connecting to HDMI port 2 on switches 2 and 3. There is also a cable between HDMI ports 1 on switches 2 and 3.
  • Power on the switches from top to bottom letting each switch power on fully before the next. You should then get the displays showing 1-2-3 as below.

This can be confirmed by running the show switch command. Notice the topology is listed as “Ring”.

 

Initial Configuration

The below commands set a hostname, generate the RSA host key and enable the SSH server, enable IP routing and set the default route.

hostname XXXXXX

crypto key generate rsa

ip ssh server

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.26.2

 

Disable iSCSI Optimisations, Jumbo Frames and Flow Control

This assumes the switches are not being used for iSCSI and that flow control and jumbo frames are not in use. Log onto the switch via the console cable, enter configuration mode and enter the commands below:-

no iscsi enable

no port jumbo-frames

no iscsi target port 860 address 0.0.0.0

no iscsi target port 3260 address 0.0.0.0

no iscsi target port 9876 address 0.0.0.0

no iscsi target port 20002 address 0.0.0.0

no iscsi target port 20003 address 0.0.0.0

no iscsi target port 25555 address 0.0.0.0

Then disable flow control on every interface. As there are 3 switches in the stack (the 24-port 5524P as unit 1 and the two 48-port 5548Ps as units 2 and 3) this is done per unit:

int range gi1/0/1-24

no flowcontrol

int range te1/0/1-2

no flowcontrol

int range gi2/0/1-48

no flowcontrol

int range te2/0/1-2

no flowcontrol

int range gi3/0/1-48

no flowcontrol

int range te3/0/1-2

no flowcontrol

 

Configure Vlans

int vlan 50

name wireless

ip address 192.168.50.2 255.255.255.0

int vlan 100

ip address 192.168.100.2 255.255.255.0

 

Then set up the ports for the VLANs:

int range gi1/0/1-24

desc "Voice \ Data port"

spanning-tree portfast

switchport mode trunk

switchport trunk native vlan 1

switchport trunk allowed vlan add 1,50,100

 

int range gi2/0/1-48

desc "Voice \ Data port"

spanning-tree portfast

switchport mode trunk

switchport trunk native vlan 1

switchport trunk allowed vlan add 1,50,100

 

int range gi3/0/1-48

desc "Voice \ Data port"

spanning-tree portfast

switchport mode trunk

switchport trunk native vlan 1

switchport trunk allowed vlan add 1,50,100

Note that you do not have to enter the command “switchport trunk native vlan 1” as this is the default anyway. I have included it in case you want to change to another vlan. Bear in mind that every edge port is now a trunk carrying VLANs 1, 50 and 100, so any device plugged into one can send tagged frames straight into the voice or wireless VLAN; if the phones and access points sit on known ports, limit the allowed VLAN list on the other ports to the VLANs they actually need.

 

Setup Usernames and Passwords

This section sets up the passwords for the console, telnet and SSH, and enables HTTP and HTTPS access to the switch. Note that telnet and plain HTTP carry the passwords in cleartext; if SSH and HTTPS are sufficient, turn the others off afterwards with “no ip telnet server” and “no ip http server”.

! Replace ZZZZ with admin password (must be 8 chars!)

! WWWW = telnet and SSH password

! YYYYY = enable password

! VVVVV = console password

username admin password ZZZZ priv 15

enable password YYYY

aaa authentication login default line

aaa authentication enable default line

crypto certificate 1 generate key-generate

ip https secure-server

ip http authentication aaa login-authentication local

line ssh

login authentication default

enable authentication default

password WWWW

line telnet

login authentication default

enable authentication default

password WWWW

line console

password VVVV

 

Save Config

Most importantly don’t forget to save your changes.

copy run start

You can backup the config to a USB key fob (inserted into switch 1) with the command

    copy run usb://filename

(Change filename to whatever you want to call the backup file)

 

END

If you try to add a generic top-level domain (gTLD) to Office365 you will probably get the below error…

“You’ve typed a domain name that includes an extension that is not valid. Type a domain name that includes .com or another valid extension.”

The solution to this is to add the domain through Powershell.

Pre-Requisites

Powershell

  • Run the “Windows Azure Active Directory Module for Powershell” as administrator

Enter the below commands

Set-ExecutionPolicy RemoteSigned

Enter Y

$LiveCred = Get-Credential

You will be prompted for your office365 administrator credentials

Connect-MsolService -Credential $LiveCred

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Start-Transcript

New-MsolDomain -Name jimbobtest.tips

Get-MsolDomain -DomainName jimbobtest.tips

Get-MSOLDomainVerificationDNS -DomainName jimbobtest.tips -Mode DNSTXTRecord

This will give you the data needed to put into a DNS TXT record needed to prove domain ownership

Create DNS TXT record

You now need to create a DNS TXT record called “@” with data shown from the output of the above command. The value is shown next to the “Text :” field. I won’t go through the steps for this as they will be different depending on who manages the internet domain. An example is below.

Note that it might take a while for the new TXT record to be created.

Verify Domain Ownership

Logon to the Microsoft portal and navigate to the domains section as shown below.

Select “setup in progress” and then “start step 1”.

Then click “done, verify now”. As long as the TXT record has been created and made live this should work and your domain is now available for use.
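As an added example (not part of the original post), the wait-then-verify step can also be done from the same PowerShell session instead of the portal: poll public DNS until the TXT value is visible, then call Confirm-MsolDomain. It assumes the domain name used above and that Connect-MsolService has already been run; the resolver address and the 30-minute timeout are arbitrary choices.

```powershell
# Added example, not from the original post. Assumes an existing MSOnline
# session (Connect-MsolService) and the domain name used in the post.
$domain = 'jimbobtest.tips'

# The TXT value Office 365 expects (the "Text" field in the post).
$expected = (Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord).Text

function Test-VerificationRecord {
    param([string]$Name, [string]$Value)
    # Ask a public resolver directly so a stale local cache cannot mask the record.
    $txt = Resolve-DnsName -Name $Name -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
    return [bool]($txt | Where-Object { $_.Strings -contains $Value })
}

# Registrar propagation is the usual delay; poll for up to 30 minutes.
$deadline = (Get-Date).AddMinutes(30)
while (-not (Test-VerificationRecord -Name $domain -Value $expected)) {
    if ((Get-Date) -gt $deadline) {
        throw "TXT record for $domain is not visible in public DNS yet; check the registrar."
    }
    Start-Sleep -Seconds 60
}

# Only verify once the record is actually resolvable, otherwise the call fails.
Confirm-MsolDomain -DomainName $domain
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
```

The TXT record is the only proof of ownership Office 365 checks, so whoever controls the registrar account for the domain can claim it; keep that account behind multi-factor authentication.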

THE END

 

 

Below is a list of key notes I made whilst studying for the 70-417 exam. They are as brief as I could make them for last minute cramming.

Direct Access

  • Aka Unified Remote Access. A VPN-like technology that can be used to connect clients automatically.
  • Requires Windows 7 and above
  • With split-brain DNS a server may have a different public and internal IP. If you want DirectAccess clients to reach the public IP (i.e. bypass the tunnel for that name) you must add an exemption to the Name Resolution Policy Table (NRPT); this is done by adding the name without specifying a DNS server for it.
    • To send the rest of the intranet through the tunnel, enter the suffix with a leading dot (e.g. .intranet.al.net) in the NRPT
  • Use the prefer local names allowed option in a group policy to allow remote users to connect to a locally named server (e.g. server1) if the name conflicts with a server in head office.
  • You can specify the “force tunnelling” option to have all traffic routed through the direct access connection.

File Server Resource Manager (FSRM)

  • To setup Access Denied Assistance –
    • Install file server resource manager on the file server(s).
    • You may need to setup an email address for this
    • You must then edit a GPO to enable this.

  • Folder “classifications” are a feature of file server resource manager

Failover Cluster

  • Failover cluster servers should have
    • 1 NIC for client/network communication and another for cluster (heartbeat) communication.
    • Shared storage
    • Nodes that are as close to identical as possible (hardware, OS version, patch level); validation reports any differences
  • Before creating a cluster it must be “validated”. If validation doesn’t pass you won’t be able to create a cluster
  • As a general rule when you configure a quorum, the voting elements in the cluster should be an odd number. Therefore, if the cluster contains an even number of voting nodes, you should configure a disk witness or a file share witness. The cluster will be able to sustain one additional node down. In addition, adding a witness vote enables the cluster to continue running if half the cluster nodes simultaneously go down or are disconnected.
    • A disk witness is usually recommended if all nodes can see the disk. A file share witness is recommended when you need to consider multisite disaster recovery with replicated storage. Configuring a disk witness with replicated storage is possible only if the storage vendor supports read-write access from all sites to the replicated storage.
  • The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain.
    • Node Majority (recommended for clusters with an odd number of nodes) – Can sustain failures of half the nodes (rounding up) minus one. For example, a seven node cluster can sustain three node failures.
    • Node and Disk Majority (recommended for clusters with an even number of nodes) – Can sustain failures of half the nodes (rounding up) if the disk witness remains online. For example, a six node cluster in which the disk witness is online could sustain three node failures. Can sustain failures of half the nodes (rounding up) minus one if the disk witness goes offline or fails. For example, a six node cluster with a failed disk witness could sustain two (3-1=2) node failures.
    • Node and File Share Majority (for clusters with special configurations) – Works in a similar way to Node and Disk Majority, but instead of a disk witness, this cluster uses a file share witness.
    • No Majority: Disk Only (not recommended) – Can sustain failures of all nodes except one (if the disk is online). However, this configuration is not recommended because the disk might be a single point of failure.
  • If you use a network for iSCSI (storage), do not use it for network communication in the cluster.
  • Scale-Out File Server (SOFS). The SOFS is a special active/active clustered file server role that runs on every node in the file server cluster.
    • It requires shared storage either SAN or storage space
  • The Add-ClusterGenericApplicationRole cmdlet – Configure high availability for an application that was not originally designed to run in a failover cluster.
  • Witness disks must be basic (not dynamic) and formatted with NTFS
  • To specify which server should process client requests in a failover cluster set it as the preferred owner.

  • To move cluster resources to another cluster use “migrate roles”.
  • To move cluster resources between nodes use “move core cluster resources”

 

Clustered File servers

  • Scale Out File Server
    • Doesn’t support DFS
    • All file shares are online on all nodes simultaneously (active-active)
    • Can be used to store HyperV VMs
  • File server for general use
    • Does support DFS
    • Online on one node at a time (active-passive)

IP Address Management (IPAM)

  • IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running DHCP and DNS. There are a number of cmdlets you may need to use with IPAM:-
    • The Add-DhcpServerInDC cmdlet – Adds the computer running the DHCP server service to the list of authorized DHCP server services in AD.
    • Add-IpamServerInventory – Adds an infrastructure server to an IPAM database.
  • The IPAM server’s computer account must be a member of the “Event Log Readers” group on the domain controllers (the _DC_NPS GPO does this) so it can collect the logon events used for IP address tracking
  • If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  • The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies. The GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM provisioning wizard.
    • The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value
    • Example use :- invoke-IpamGPOProvisioning -domain contoso.com -gpoprefixname IPAM
  • The IPAM installation process

  • To set the manageability status of a server in the IPAM inventory, change the setting shown below

Publishing Apps on the Internet

  • Web Application Proxy – A Remote Access role service in Windows Server 2012 R2 that lets a server act as a reverse proxy, publishing internal web applications and optionally pre-authenticating users via AD FS
  • Constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. A common example of constrained delegation is the web-browser-to-IIS-to-SQL-Server scenario.
  • Relying Party Trust – the AD FS object that represents an application (the relying party) to which AD FS will issue tokens; it must exist before that application can obtain claims from AD FS

Read Only Domain Controller

You can add local administrators who do not have full access to the domain administration. This gives them the ability to manage the server but not add or change Active Directory objects. Adding this type of user is done using the dsmgmt.exe utility at the command prompt. The following graphic shows a few commands including:

  • adding local roles
  • showing local roles

Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations masters, or bridgehead server.
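An added example (not from the original notes) of the delegation the graphic above showed: dsmgmt’s “local roles” menu driven non-interactively from PowerShell, with CONTOSO\RODC-Admins and RODC1 as assumed names.

```powershell
# Added example, not from the original notes. Assumed names: the RODC-Admins
# group in CONTOSO and an RODC called RODC1. Run as a Domain Admin.
$group = 'CONTOSO\RODC-Admins'

# Each quoted argument is one dsmgmt command, executed in order. "local roles"
# opens the menu, "add <principal> <role>" delegates, "show role" lists the
# members of that role, and "quit quit" leaves the menu and then the tool.
dsmgmt 'local roles' "add $group administrators" 'show role administrators' quit quit

# The same delegation can be expressed on the RODC's computer object: the
# principal in managedBy gets local administrative rights on that RODC.
Set-ADComputer -Identity 'RODC1' -ManagedBy (Get-ADGroup -Identity 'RODC-Admins')
```

Delegated RODC administrators can still read whatever the RODC has cached, so pair this with a Password Replication Policy that denies caching for privileged accounts.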

Server Core Edition

  • There are a number of ways to manage a Windows core server
    • The Server Configuration tool (Sconfig.cmd) can be used to configure and manage several common aspects of Server Core installations

  • You can use server manager installed by default on 2012. For windows 8 you need to download the remote server administration tools
  • To open the firewall to allow MMC remote management use the command Enable-NetFirewallRule -DisplayGroup "Remote Administration"
  • To enable RDP run the command cscript C:\Windows\System32\Scregedit.wsf /ar 0 on the core server
  • To join a domain you can use either:-
    • Powershell – Add-computer (you will be prompted for further info)
    • Cmd line – netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*
  • To make a core server a domain controller in an existing domain enter the below in the cmd prompt
    • Powershell
    • Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    • Install-ADDSDomainController
  • To convert to the GUI version of windows you can use either dism or powershell:-
    • DISM –
      • Dism /online /enable-feature /featurename:Server-Gui-Mgmt /featurename:Server-Gui-Shell /featurename:ServerCore-FullServer
    • Power shell
      • Add-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra, or
      • Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

Workplace Join

  • Allows BYOD devices to get active directory access without being explicitly added to the domain.
  • The setup process is:-
    • SSL cert – install a public trusted certificate
    • install ADFS – In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication
    • Setup device registration service (powershell cmds are Initialize-ADDeviceRegistration & Enable-AdfsDeviceRegistration) to configure a server in an AD FS farm to host the Device Registration Service.
    • Register device registration service endpoint in DNS – create enterpriseregistration record
  • The Workplace Join process creates a new device object in AD and also installs a certificate on the device. You can then create conditional access policies to permit access to only authorized network applications and services.
  • The SSL certificate on the ADFS server MUST have the below settings:-
    • Subject Name (CN): adfs1.contoso.com
    • Subject Alternative Name (DNS): adfs1.contoso.com
    • Subject Alternative Name (DNS): enterpriseregistration.contoso.com

     

Hyper-V

  • With Hyper-V Replica you can replicate a virtual machine from one host to another using nothing more than Hyper-V and a network connection.
    • To replicate a VM you must set up the destination Hyper-V server as a “replica server” and you must edit the settings of the VM to enable replication.
    • Replication can use Kerberos (HTTP, unencrypted) or certificate-based authentication (HTTPS, encrypted). The encrypted option needs a certificate on both hosts, e.g. from an internal certificate authority.
  • Live Migration – moves a running VM between hosts with no perceptible downtime. A live migration can be used for planned maintenance but not for an unplanned failover. Windows Server 2012 allows several live migrations at once (the limit is configured per host); 2008 R2 allowed only one at a time.
  • Quick Migration – slower than live migration because the VM is saved and restored, so it is briefly unavailable. You can move multiple VMs with a quick migration
  • Port mirroring – can be used to capture all network traffic to another port
  • You can use the Resource Control settings to balance CPU between VMs:-
    • Virtual Machine Reserve (percentage) – how much of the CPU assigned to the VM is guaranteed to it.
      • Percent of total system resources – the same reserve expressed against the host, i.e. scaled by how many virtual processors the VM has
    • Virtual Machine Limit (percentage) – the maximum share of its assigned CPU the VM is allowed to consume.
      • Percent of total system resources – the same limit expressed against all of the physical computer’s processors
    • Relative Weight – decides how CPU is shared when VMs compete. A VM with weight 200 gets twice the CPU time of a VM with weight 100.
  • You can use resource metering to gather stats on a VM.
  • Use import-vm powershell command to import a VM into Hyper-V from a file.
  • Single Root I/O Virtualisation (SR-IOV) capable network adapters can be assigned directly to a VM. This is useful for VMs that generate a lot of network traffic.
  • You can test the failover of a HyperV replicated VM by right clicking on it and selecting “test failover”

Network Access Protection

  • Restricts client PC access to your network. NAP can test the “health” of clients by checking the status of AV, patching and the firewall. If a client fails the health check it can be given access to a “remediation” network that could contain an AV server
  • There are 4 components
    • Network Policy Server (NPS) – used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs).
    • Health Registration Authority (HRA) – validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network.
      • Requirements for HRA automatic discovery
        • Client computers must be running Windows 7, Windows Vista with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
        • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
        • The EnableDiscovery registry key must be configured on NAP client computers.
        • DNS SRV records must be configured.
        • The trusted server group configuration in either local policy or Group Policy must be cleared.
    • Host Credential Authorization Protocol (HCAP)
    • RADIUS server and proxy
  • You can configure the NAP server with three different types of policies:
  1. Connection Request Policies that use connections and settings to authenticate client requests to access the network. These policies also control where the authentication will be performed. You must have a connection request policy for each NAP enforcement method.
  2. Network Policies that use conditions, settings and constraints to determine the level of access that will be authorized for a client that attempts to connect to the network. You need at least two network policies to deploy NAP: one for client computers that are found to be compliant with your health policies and one for those clients that are out of compliance.
  3. Health Policies that specify which System Health Validators (SHVs) are to be evaluated and how they’re to be used to evaluate health status. You have to enable at least one SHV for each health policy.
  • NAP Policies can be IPsec, VPN, 802.1x, RD Gateway and DHCP.

  • Network Policy Server (NPS) – The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy is automatically installed when you install HRA. You can configure NPS on your HRA server as either a NAP health policy server or NPS proxy.
  • System Health Validators – When you install an SHV, it is added to the list of SHVs in the Network Policy Server (NPS) console and becomes available for use in health policies. The Windows Security Health Validator (WSHV) is available by default.

Group Policy

  • WMI filtering allows you to filter the application of group policies based on hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.
  • When a group policy is enforced it means it cannot be overruled by another GPO underneath it in AD. Enforced policies are applied last with policies “higher” in the AD tree being applied after “lower” policies.
  • By default settings in Group Policy Objects (GPOs) get applied in the following order:
    • Local system policies
    • Site
    • Domain level
    • OUs (starting at the root of the domain).
  • In Win2012 you can now force a group policy update from the management console

Backups

  • You cannot use Azure backups to backup a USB flash drive
  • Azure Powershell commands
    • Set-OBMachineSetting – used to specify proxy server settings for accessing the internet, network bandwidth throttling settings, and the encryption passphrase
    • Start-OBRegistration – Registers the current computer with Windows Azure Backup using the credentials (username and password) created during enrolment.
    • Get-OBPolicy | Start-OBBackup – start backup job using a policy
  • When using server backup to a network share it will only store one backup. Subsequent backups overwrite the previous

Installation

  • The files used to install roles are held in the winsxs folder
  • Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows image – e.g. to add drivers. An example command to mount an image = dism /Mount-Image /ImageFile:c:\yourserverimage.wim /Index:4 /MountDir:c:\mount
    • For example to install the Server Migration Tools into this image run the cmd Dism /Image:C:\mount /Enable-Feature /FeatureName:ServerMigration /All (the PowerShell feature name is Migration)
  • You cannot upgrade a “core” installation of Windows Server and switch to a GUI in one step. If you want to upgrade 2008 R2 core to 2012 GUI you should upgrade to 2012 as the first step and then add the Server Graphical Shell feature
  • You can upgrade standard versions of win2012r2 to datacentre by using the dism tool (dism /online /set-edition:ServerDatacenter /productkey:<Datacenter key, e.g. AAAAA-BBBBB-CCCCC-DDDDD-EEEEE> /AcceptEula)
  • Powershell – You can use the below commands
    • Install-ADDSDomainController – Creates a new domain controller in an existing domain.
    • Install-ADDSDomain – Creates a new domain in an existing forest.
    • Install-ADDSForest – Creates a new forest. Note you will need to run this one first when first setting up AD
  • The Active Directory installation wizard gives options to install DNS and setup as a GC

Powershell Web Access Gateway

  • Windows PowerShell Web Access provides a web-based Windows PowerShell console. It enables IT Pros to run Windows PowerShell commands and scripts from a Windows PowerShell console in a web browser, with no Windows PowerShell, remote management software, or browser plug-in installation necessary on the client device.
  • Install-PswaWebApplication – Configures the Windows PowerShell Web Access web application in IIS.
  • Add-PswaAuthorizationRule – Adds a new authorization rule to the Windows PowerShell Web Access authorization rule set.

Remote Management

  • On Win2012 remote management is enabled by default
  • LocalAccountTokenFilterPolicy – registry value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) that must be set to 1 to allow remote management of a non-domain-joined server with a local administrator account. It disables remote UAC token filtering, which also makes local admin credentials usable for lateral movement (pass-the-hash), so set it only where needed
  • You can enable server manager remote management via the powershell commands:-
    • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    • Configure-SMRemoting.exe -enable – this will enable all firewall rule exceptions needed
  • The cmd winrs -r:SERVERNAME ipconfig can be used to remotely retrieve the ip details of a server
  • To manage 2008r2 servers from 2012 you must (on the 2008r2 server):-
    • Install .net 4 and windows management framework 3
    • Run the powershell commands:-
      • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
      • Configure-SMRemoting.ps1 -force -enable
  • To enable remote management via powershell you can use enable-pssessionconfiguration although enable-psremoting is the preferred option
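The bullets above as an added PowerShell example (not from the original notes): enabling remote management on a workgroup server called SRV01 (assumed name) and then connecting to it from a workstation, with the LocalAccountTokenFilterPolicy caveat made explicit.

```powershell
# Added example, not from the original notes. SRV01 is an assumed hostname.
# Run both halves in an elevated PowerShell.

# --- On SRV01 (the server being managed) ---
Enable-PSRemoting -Force                                       # WinRM listener + its firewall rules
Enable-NetFirewallRule -DisplayGroup 'Remote Administration'   # RPC-based MMC snap-ins

# LocalAccountTokenFilterPolicy=1 disables remote UAC token filtering so a local
# administrator gets a full token over the network. Workgroup remote management
# needs it, but it also means any stolen local admin hash can be replayed
# against this host (pass-the-hash). Leave it at 0 on domain-joined servers
# and use domain accounts there instead.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

# --- On the managing workstation ---
# Without Kerberos the client must explicitly trust the target name; list the
# exact host rather than '*', because a wildcard lets any host on the path
# harvest the NTLM authentication.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'SRV01' -Concatenate -Force

$cred = Get-Credential -UserName 'SRV01\Administrator' -Message 'Local admin on SRV01'
Invoke-Command -ComputerName SRV01 -Credential $cred -ScriptBlock { Get-NetIPConfiguration }

# The winrs equivalent from the notes, with explicit credentials:
winrs -r:SRV01 -u:SRV01\Administrator ipconfig
```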

Active Directory

  • The Active Directory Recycle bin needs to be manually enabled
  • Dcpromo is deprecated in Windows Server 2012; the wizard no longer runs (only unattended mode with an answer file still works). You will need to use Server Manager or PowerShell
    • The powershell commands are Import-Module ADDSDeployment and Install-ADDSForest
  • The Active Directory Database Mounting Tool, Dsamain.exe, allows an ntds.dit file to be mounted and exposed as an LDAP server, which means you can use such tools as ADSIEdit, LDP.exe, and Active Directory Users and Computers to interact with the data.
    • Because the live DC already listens on the standard LDAP port 389, the mounted database must be given another port with -ldapport.
  • The overall function of the Federation Service in Active Directory Federation Services (AD FS) is to issue a token that contains a set of claims. The decision regarding what claims AD FS accepts and then issues is governed by claim rules.
    • AD FS includes a predefined set of claim rule templates that are designed to help you easily select and create the most appropriate claim rules for your particular business need.
      • Acceptance Transform Rule Set – A set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization and the outgoing claims that will be sent to the relying party trust.
      • Issuance Transform Rule Set – A set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party.
      • Issuance Authorisation Rule Set – A set of claim rules that you use on a relying party trust to specify the users that will be permitted to receive a token for the relying party.
      • Delegation Authorisation Rule Set – A set of claim rules that you use on a relying party trust to specify the users that will be permitted to act as delegates for other users to the relying party.
      • Impersonation authorization Rule Set – A set of claim rules that you configure using Windows PowerShell to determine whether a user can fully impersonate another user to the relying party.
  • The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings. It needs to be scripted to apply to remote computers
  • If you are having problems with AD FS and 3rd party applications you can disable extended protection for authentication by running the command Set-ADFSProperties -ExtendedProtectionTokenCheck "None". This is not recommended as it lowers security.
  • Use NTDSUTIL to mount an AD snapshot. You can then use DSAMAIN to make this data available via ldap.
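Both the Dsamain note above and this NTDSUTIL one describe the same workflow, so here is one added example (not code from the original notes) that puts them together: mount an existing AD snapshot with ntdsutil, serve it read-only through Dsamain on a port other than 389 (which the live DC owns), and compare a privileged group's membership between the snapshot and the live directory. That comparison is a cheap way to spot unexpected privilege changes when investigating an incident. It assumes an elevated PowerShell on a DC that already has at least one snapshot, that the database sits at Windows\NTDS\ntds.dit under the mount point, and that ntdsutil prints a "mounted as <path>" line; $SnapshotIndex, $LdapPort and the function name are my own.

```powershell
# Added example, not part of the original notes.
param(
    [int]$SnapshotIndex = 1,             # index shown by "snapshot list all"
    [int]$LdapPort = 10389,              # anything but 389/636, which the live DC uses
    [string]$GroupName = 'Domain Admins'
)
# To create a snapshot first:  ntdsutil "activate instance ntds" snapshot create quit quit

function Get-GroupMemberDns {
    # Plain LDAP via System.DirectoryServices so the same code works against
    # Dsamain and the live DC. Groups with more than ~1500 members need ranged
    # retrieval (member;range=...), which this helper does not implement.
    param([string]$LdapServer, [string]$Name)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/RootDSE")
    $baseDn   = $rootDse.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/$baseDn")
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$Name))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$Name' not found on $LdapServer" }
    @($group.Properties['member']) | Sort-Object
}

# 1. Mount the snapshot. ntdsutil reports e.g.
#    "Snapshot {guid} mounted as C:\$SNAP_201403181300_VOLUMEC$\"   (assumed format)
$mountOutput = ntdsutil snapshot "list all" "mount $SnapshotIndex" quit quit
$mountLine   = $mountOutput | Select-String -Pattern 'mounted as (.+)$' | Select-Object -First 1
if (-not $mountLine) { throw "Snapshot $SnapshotIndex did not mount:`n$($mountOutput -join "`n")" }
$mountPoint  = $mountLine.Matches[0].Groups[1].Value.Trim()
$dbPath      = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'   # assumed NTDS location

# 2. Serve the snapshot database on the alternate LDAP port
$dsamain = Start-Process -FilePath 'dsamain.exe' `
               -ArgumentList "-dbpath `"$dbPath`" -ldapport $LdapPort" -PassThru
Start-Sleep -Seconds 15   # Dsamain needs a moment to load the database before it answers

try {
    # 3. Diff the group: snapshot (then) against the live DC (now)
    $then = Get-GroupMemberDns -LdapServer "localhost:$LdapPort" -Name $GroupName
    $now  = Get-GroupMemberDns -LdapServer 'localhost:389'       -Name $GroupName
    $diff = Compare-Object -ReferenceObject $then -DifferenceObject $now
    if (-not $diff) { "No membership changes to '$GroupName' since the snapshot." }
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'ADDED since snapshot  ' } else { 'REMOVED since snapshot' }
        "$change $($d.InputObject)"
    }
}
finally {
    # 4. Always stop Dsamain and unmount, even if the comparison failed
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
    ntdsutil snapshot "list all" "unmount $SnapshotIndex" quit quit | Out-Null
}
```

Because Dsamain serves a copy, nothing you query here touches the live directory; the value of the exercise comes from scheduling snapshots regularly so that "then" is far enough back to be a useful reference point.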
  • After a migration you may need to rebuild the SYSVOL and NETLOGON shares. You can do this by forcing an authoritative (D4) or non-authoritative (D2) synchronization. The steps are:-
    • Stop the FRS service
    • Edit the registry – set the “BurFlags” value to either D2 or D4
    • Start the FRS service
  • A non-authoritative SYSVOL restore re-deploys SYSVOL data from a working domain controller using DFS-R (DFS Replication). The process to do this is:-
    • adsiedit – set the DFSR-Enabled value to “false”
      • repadmin /syncall /AdP – initiate AD replication
      • dfsrdiag PollAD – synchronize with the global information store
    • adsiedit – set the DFSR-Enabled value to “true”
      • repadmin /syncall /AdP – start AD replication again
      • dfsrdiag PollAD – sync with the global information store (again)

Troubleshooting

  • The command-line Logman tool can create and manage Event Trace Sessions and Performance logs, and supports many functions of Performance Monitor from the command line.
  • Use subscription managers to automatically send event log data to another server
  • Source-initiated subscriptions allow you to define a subscription on an event collector computer without specifying the event source computers.
  • Collector-initiated subscriptions must define all the event sources in the event subscription.

Performance Counter Thresholds

If any of the below counters gives a reading beyond its threshold, you have an issue

Performance Counter                  Threshold
Memory\Available MBytes              < 10%
Memory\Pages/sec                     > 1000
Processor\% Interrupt Time           > 30%
System\Processor Queue Length        > 2 per processor
Processor\% Processor Time           > 90%
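The thresholds in the table, turned into a check that samples the counters and flags breaches, as an added example (not code from the original notes). It assumes it is run as an administrator on the server being checked, that "< 10%" for Available MBytes means 10% of total physical RAM, and that "2 per processor" is scaled by the logical processor count; the function name and the averaging window are my own choices.

```powershell
# Added example, not part of the original notes.
function Test-PerformanceThresholds {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)

    $cs       = Get-CimInstance Win32_ComputerSystem
    $totalMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $cpuCount = $cs.NumberOfLogicalProcessors

    # Thresholds from the table above; "Below" means a reading under the limit is the problem
    $checks = @(
        @{ Counter = '\Memory\Available MBytes';            Limit = $totalMB * 0.10; Direction = 'Below'; Rule = "< 10% of $totalMB MB" },
        @{ Counter = '\Memory\Pages/sec';                   Limit = 1000;            Direction = 'Above'; Rule = '> 1000' },
        @{ Counter = '\Processor(_Total)\% Interrupt Time'; Limit = 30;              Direction = 'Above'; Rule = '> 30%' },
        @{ Counter = '\System\Processor Queue Length';      Limit = 2 * $cpuCount;   Direction = 'Above'; Rule = "> 2 per processor ($cpuCount CPUs)" },
        @{ Counter = '\Processor(_Total)\% Processor Time'; Limit = 90;              Direction = 'Above'; Rule = '> 90%' }
    )

    # Average over the sample window so a single spike does not raise an alert
    $sets = Get-Counter -Counter ($checks | ForEach-Object { $_.Counter }) `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $avg = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            # Sample paths come back as \\host\object\counter (lower-cased); drop the host part.
            # Hashtable keys are case-insensitive, so the table's paths still match.
            $key = $s.Path -replace '^\\\\[^\\]+', ''
            $avg[$key] = $avg[$key] + ($s.CookedValue / $Samples)
        }
    }

    foreach ($c in $checks) {
        $value = [math]::Round([double]$avg[$c.Counter], 1)
        $breached = if ($c.Direction -eq 'Below') { $value -lt $c.Limit } else { $value -gt $c.Limit }
        [pscustomobject]@{
            Counter   = $c.Counter
            Average   = $value
            Threshold = $c.Rule
            Breached  = $breached
        }
    }
}

Test-PerformanceThresholds | Format-Table -AutoSize
```

The same function body can be scheduled and its Breached rows written to the event log or a monitoring tool; the sampling interval is the knob to turn if the server's load is bursty.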

 

FSMO Roles

Forest Wide Roles

  • Schema Master – The schema master controls all updates and modifications to the schema.
  • Domain Naming Master – responsible for making changes to the forest-wide domain name space of the directory in the Partitions container.

Domain Wide Roles:

  • Relative ID (RID) Master – Allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain. When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.
  • PDC Emulator – acts as a Windows NT PDC for backwards compatibility and can process updates to a BDC. It is responsible for time synchronisation, and is ultimately responsible for passwords: all password changes are replicated to the PDC emulator as soon as possible.
  • Infrastructure Master – The infrastructure master is responsible for updating references from objects in its domain to objects in other domains.

Storage Spaces

  • When adding a new disk to a win2012 server it will go into the primordial storage space.
  • You require 2 disks for a “mirrored” storage space
  • A “parity” storage space requires 3 disks.

Dynamic Access Control

You can use dynamic access control to limit access to files based on AD attributes and folder properties. For example, allow all Canadian users to access a file share with the value “Canada” set on it.

To setup dynamic access control you must:-

  • “Enable KDC support for claims, compound authentication, and Kerberos armouring” in GPO
  • Create a claim type – e.g. if the user's home country is set to Canada
  • Configure Resource properties for files – Select the relevant information from the file share (e.g. country, department)
  • Create Resource property lists – every resource property needs to be added to a list. Once done you can now classify the files\folders via this property.
  • Create New Central Access Rule – i.e. Canadian users can access file shares with the “Canadian” field setup
  • Create Central Access Policy – Create a policy to use the above rule
  • Apply in GPO

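The steps above scripted with the ActiveDirectory module for the Canada scenario, as an added example (this is not code from the original notes). It assumes a Windows Server 2012 DC, a Domain Admin session, the GPO from the first step already applied, and users' country held in the c attribute as ISO codes (CA, GB). The display names, the explicit IDs (ad://ext/Country and Country_MS) and the conditional ACE text are my own; if you let AD generate the IDs instead, read them back with Get-ADClaimType and Get-ADResourceProperty and adjust the ACE to match.

```powershell
# Added example, not part of the original notes.
Import-Module ActiveDirectory

# Suggested values pin both the claim and the resource property to a known list,
# so a typo in a folder classification cannot silently open or close access
$canada = New-ADSuggestedValueEntry -Value 'CA' -DisplayName 'Canada'         -Description 'Canadian users and data'
$uk     = New-ADSuggestedValueEntry -Value 'GB' -DisplayName 'United Kingdom' -Description 'UK users and data'

# Step 2: claim type - what the KDC places in the user's ticket, sourced from attribute c
New-ADClaimType -DisplayName 'Country' -SourceAttribute 'c' -ID 'ad://ext/Country' `
    -SuggestedValues $canada, $uk

# Step 3: resource property - what file servers stamp on files/folders when classifying
New-ADResourceProperty -DisplayName 'Country' -ID 'Country_MS' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $canada, $uk

# Step 4: file servers only download properties that belong to a list
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Country'

# Step 5: central access rule. Targets resources tagged Country = CA and grants
# read/execute (0x1200a9) to Authenticated Users only when their Country claim is CA.
# SYSTEM and Administrators keep full control so the rule cannot lock admins out.
# (Conditional ACE syntax: assumed; the claim is referenced by its full ID.)
$acl = 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Country == "CA"))'
New-ADCentralAccessRule -Name 'Canada rule' `
    -ResourceCondition '(@RESOURCE.Country_MS == "CA")' `
    -CurrentAcl $acl

# Step 6: policy wrapping the rule. Step 7 is the GPO that pushes it to file servers
# (Computer Configuration > Policies > Windows Settings > Security Settings >
# File System > Central Access Policy); the policy is then picked on each folder.
New-ADCentralAccessPolicy -Name 'Canada file access'
Add-ADCentralAccessPolicyMember -Identity 'Canada file access' -Members 'Canada rule'

# Read back what was created
Get-ADCentralAccessRule -Identity 'Canada rule' | Select-Object Name, ResourceCondition, CurrentAcl
```

Before pointing production shares at the policy, use the -ProposedAcl parameter of New-ADCentralAccessRule instead of -CurrentAcl: proposed permissions are only logged (audit events on the file server), which lets you see who would lose access before anyone actually does.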

Computer Management

You can create a VHD from computer management

Djoin

  • Can be used with win7 and 2008r2 and above
  • Allows a computer to join a domain without connectivity to a DC

Misc

  • The Netlogon.dns file can be used to locate SRV records
  • The cmdlet Set-ExecutionPolicy specifies the security restrictions:-
    • Restricted: Does not load configuration files or run scripts. “Restricted” is the default execution policy.
    • AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
    • RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
    • Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
    • Bypass: Nothing is blocked and there are no warnings or prompts.
    • Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
  • Use the New-VirtualDisk cmdlet to create a vhd.
  • Managed Service Accounts can be used for services to run under.
    • They can be created via the PowerShell cmdlet New-ADServiceAccount
    • Use sc.exe to change the log on credentials of a service
  • Use NTDSUTIL to manage Active Directory application partitions
  • To prepare a domain controller for cloning, place the customdccloneallowlist.xml file in the same directory as the AD database (ntds.dit)
  • To export a custom Data Collector Set from one computer to another right click on it and select save template.

This article explains how to create an SMTP relay on Windows Server. We have found that after migrating businesses to Office365 there are certain applications that need to send emails. By creating a local SMTP relay you bypass the need to relay the emails through Office365.

In this example we are installing an SMTP relay on Windows 2008 R2.

Pre-requisites

The server that will be acting as an SMTP relay must be allowed through the firewall for outbound port 25 connections.

Step 1 – Add SMTP server feature

Select SMTP Server. It will ask you to install the prerequisite roles, which you will need to do.

 

Step 2 – Allow Relay

Open IIS Manager and go to the relay section of the SMTP virtual server (as shown below).

Enter the IPs of the servers you would like to relay through this.

Step 3 – Configure Application

In the below example I have configured Veeam to use this server

 

Best Practice

As you have just created a non-registered SMTP server, there is a high chance that its email may be classed as spam. The list below will help ensure your email reaches its destination, but the details are outside the scope of this article. You may want to:

  1. Add the sending address to a whitelist (e.g. mimecast permitted senders)
  2. Add public IP used by the server to an allow list (such as the office365 allow list)
  3. Setup PTR record for the public IP used by this server
  4. Update SPF records to include the public IP used by this server
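Items 3 and 4 of that list can be verified from a workstation, so here is an added example (not code from the original article) that checks whether the relay's public IP has a PTR record, whether that name resolves back to the same IP, and whether the domain's SPF record lists the IP directly. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; the domain, IP and function names are placeholders.

```powershell
# Added example, not part of the original article.

function ConvertTo-UInt32Address([string]$Ip) {
    # Dotted quad -> unsigned 32-bit integer, network byte order
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    # Accepts "203.0.113.10" or "203.0.113.0/24" (the ip4: forms SPF allows)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Test-RelayDnsHygiene {
    param(
        [Parameter(Mandatory)][string]$Domain,    # sending domain, e.g. example.com (placeholder)
        [Parameter(Mandatory)][string]$PublicIp   # the relay's public/NAT address (placeholder)
    )

    # 1. Reverse DNS: many receiving MTAs reject or score mail from IPs without a PTR
    $ptr = Resolve-DnsName -Name $PublicIp -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
    $ptrName = if ($ptr) { $ptr.NameHost } else { $null }

    # 2. Forward-confirmed reverse DNS: the PTR name should resolve back to the same IP
    $fcrdns = $false
    if ($ptrName) {
        $fwd = Resolve-DnsName -Name $ptrName -Type A -ErrorAction SilentlyContinue
        $fcrdns = [bool]($fwd | Where-Object { $_.Type -eq 'A' -and $_.IPAddress -eq $PublicIp })
    }

    # 3. SPF: look for the IP in ip4: terms. include:/a/mx/exists: need recursive
    #    evaluation, so they are only flagged here, not resolved.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings }
    $spf = $txt | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $ipListed = $false; $needsRecursion = $false
    if ($spf) {
        foreach ($term in ($spf -split '\s+')) {
            if ($term -match '^\+?ip4:(.+)$') {
                if (Test-IpInCidr -Ip $PublicIp -Cidr $Matches[1]) { $ipListed = $true }
            } elseif ($term -match '^\+?(include:|a(:|$)|mx(:|$)|exists:)') {
                $needsRecursion = $true
            }
        }
    }

    [pscustomobject]@{
        PublicIp         = $PublicIp
        PtrName          = $ptrName
        ForwardConfirmed = $fcrdns
        SpfRecord        = $spf
        IpInSpf          = $ipListed
        SpfHasIncludes   = $needsRecursion   # true means a manual look at the included records is needed
    }
}

# Placeholder values; substitute your own domain and the relay's public IP
Test-RelayDnsHygiene -Domain 'example.com' -PublicIp '203.0.113.10' | Format-List
```

A result with ForwardConfirmed = False or IpInSpf = False (and SpfHasIncludes = False) points at a DNS change that has to happen before the relay's mail will be trusted; if SpfHasIncludes is True, check the included records by hand, since the IP may be covered there.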

THE END

In this article I explain how to perform a simple P2V using VMware Converter. This guide is designed for IT professionals.

Pre-Requisite Checks

  • Are there any unusual PCI cards, e.g. SCSI cards? If there are you may not be able to virtualise.
  • Are there any USB devices connected?
  • How big are the server drives, and will they fit on the destination ESXi server?
  • Is there enough RAM on the destination ESXi server?
  • Confirm both source and destination servers are on a gigabit port, otherwise the P2V may take a long time.

Step 1 – Prepare the Machine for P2V

I recommend the following steps:-

  • Make a note of the IP settings. Go to the Start menu, choose Run and enter “cmd” to bring up a command prompt. In the command prompt enter ipconfig /all > c:\ipconfig.txt. On Windows 7 you will have to run the command prompt with administrative permissions or you may get an access denied error.

This is because following the p2v a “new” network adaptor is installed and this will need to have the IP information entered into it.

  • Stop any services that keep data files open, for example the Exchange Information Store or SQL services.

This will ensure that the files are brought across in a consistent state.

Step 2 – Download and Install VMware Converter

  • Download and install. Although you can run VMware Converter remotely you will have a greater chance of success if you install it on the machine you want to P2V. VMware Converter can be downloaded from here:-

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_0

  • Disable SSL (optional) – By default, VMware Converter uses SSL to transmit data. Switching off SSL will speed up the P2V. You can do this by editing an XML file on the machine running VMware Converter. It is located in

    C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\converter-client.xml

    Look in the NFC section and change useSsl to false:

    <nfc>
      <useSsl>false</useSsl>
    </nfc>

 

Step 3 – Start the P2V

  1. Open VMware Converter and select “Convert machine”, then “This local machine” (assuming you installed the converter on the machine you want to P2V).
  2. Enter the details for the ESXi server you want to connect to and click next. Note that if you use a vCenter Server you may want to enter those details instead. Ignore any SSL errors.
  3. On the next screen enter the name of the VM and click next.
  4. On the next screen choose where you want to store the VM. Obviously make sure there is sufficient disk space!
  5. On the options section there are a few things you will wish to check. Firstly the disk layout: if the machine has multiple drives you may wish to make sure they are all on separate virtual disks. This will make resizing the drives in the future far easier.
  6. vCPUs – consider the number of CPUs needed for the virtual machine. If the VM is not running software that takes advantage of multiple CPUs (such as Exchange, SQL etc.) then there is little point having more than one CPU.
  7. Networks – Again if the VM only requires one network card there is little point having two. I also recommend disabling the network card. This allows you to check the P2V has been successful before shutting down the original physical machine.
  8. Services – I recommend disabling any hardware-specific services (such as Dell OpenManage) that will not be required once the machine is virtualised.
  9. I recommend choosing to install VMware Tools following conversion (this saves doing it manually).
  10. Click next and start the P2V process.

 

Step 4 – Post P2V

  • Log on to the ESXi server (or vCenter) and check that the new virtual machine has started up successfully.
  • Assuming it has, you can now power down the original host.
  • If you disabled the network card in step 7 above then you now need to enable it. You can do this by editing the properties of the VM.
  • Go to the Control Panel and remove any hardware-specific software which is now not needed, for example Dell OpenManage software.
  • Again in the Control Panel go to the network section and put the IP addresses into the network card. You can get the IP information from the c:\ipconfig.txt file created in step 1.
  • Reboot the new VM and verify you can access it over the network.

THE END

 

In this article I am setting up a vCenter appliance and configuring it with Active Directory.

 

1 – Download and deploy appliance

Log onto vmware.com and browse to the download section.

Log onto one of your ESXi hosts and deploy via the VI client.

I would also check the time on the ESXi hosts is correct and matches the time on your Active Directory DCs.

Follow the wizard, once complete you should have a running appliance.

 

2 – Setup Appliance

Log on to the appliance using the link specified above (e.g. 10.0.0.1:5480). Note that the default username is root with a password of vmware.

Run through the wizard using the default settings.

Enter IP information on below section. Enter the Active Directory DNS servers.

Make sure the time zone is correct

 

3 – Configure Active Directory Integration

Go to the below tab and enter your active directory details. You will need to reboot the appliance once entered.

Then log onto the vCenter web client. This is on https://IP-OF-VCSA:9443

Note if you get an SSL error when trying to log into the web client you may need to regenerate the SSL certificate and reboot the appliance.

Once you have logged on go to the below section and add the active directory details. E.g.

Primary Server URL = ldap://FQDN-of-your-1st-DC

Secondary Server URL = ldap://FQDN-of-your-2nd-DC

Base DN for users = specify the active directory DN

Domain alias = your domain name

Base DN for groups = as above specify the active directory DN

Authentication type = Password

Username and password = enter the details of an active directory account

Click ok and then I would recommend rebooting the appliance.

Once rebooted you will need to log onto the appliance and manually add any active directory groups you want to give permissions to – see below.

THE END