70-413 Study Notes

Below is a list of quick study notes taken whilst revising for this exam. I’ve tried to keep them as concise as possible.

Storage Spaces

  • A storage pool is a collection of physical disks
  • You can create virtual disks from a storage pool
    • When creating virtual disks you can enable “storage tiers” which will automatically move data to fast disks (e.g. SSDs) based on usage.
    • Virtual disks can be
      • Simple – data striped across all disks. Maximises usable space
      • Mirror – data mirrored. You need 2 drives to cover 1 disk failure, 5 to cover 2 disk failures. Drastically reduces usable space.
      • Parity – striped with parity. You need 3 drives to cover 1 disk failure, 7 to cover 2 disk failures. Good combination of reliability and usable space.
    • Virtual disk can be thick or thin provisioned
  • Volumes are then created from the virtual disks. You have the option to enable deduplication

  • The “iSCSI target service” allows a server to present local disk as an iSCSI target (i.e. so other servers can connect to it).
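The pool, tier, virtual disk and volume steps above, as an added PowerShell example (this is not code from the original notes). The pool name, tier sizes, drive letter and disk counts are invented, and the script assumes Windows Server 2012 R2 with at least one SSD and one HDD eligible for pooling:

```powershell
# Added example: build a tiered mirror space plus a thin parity space on one pool,
# format the mirror as a deduplicated NTFS volume, and report the layout.
# Assumed/invented values: pool name Pool1, tier sizes, drive letter E:. Run elevated.

$poolName = 'Pool1'

# 1. Every physical disk that is eligible to join a pool
$disks = Get-PhysicalDisk -CanPool $true
if (-not $disks) { throw 'No poolable physical disks were found.' }

# 2. The storage pool is a collection of those physical disks
$subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $disks | Out-Null

# 3. Storage tiers: hot data is moved to the SSD tier automatically
$ssdTier = New-StorageTier -StoragePoolFriendlyName $poolName -FriendlyName 'SSDTier' -MediaType SSD
$hddTier = New-StorageTier -StoragePoolFriendlyName $poolName -FriendlyName 'HDDTier' -MediaType HDD

# 4. Two-way mirror across both tiers (tiered spaces must be fixed-provisioned) ...
$tiered = New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName 'DataDisk' `
    -ResiliencySettingName Mirror -StorageTiers $ssdTier, $hddTier -StorageTierSizes 40GB, 400GB
# ... and a thin-provisioned parity space on the same pool for comparison
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName 'ArchiveDisk' `
    -ResiliencySettingName Parity -ProvisioningType Thin -Size 2TB | Out-Null

# 5. Volume on the mirror. ReFS cannot be deduplicated, so NTFS is used here.
$tiered | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false | Out-Null

# 6. Dedup is permitted: not a system/boot volume, not a CSV, fixed disk, NTFS
Enable-DedupVolume -Volume 'E:' -UsageType Default | Out-Null

# 7. Report resiliency, provisioning type and copies per virtual disk
Get-VirtualDisk -StoragePoolFriendlyName $poolName |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType,
                  @{n = 'SizeGB'; e = { [int]($_.Size / 1GB) }}, NumberOfDataCopies
Get-DedupVolume -Volume 'E:' | Select-Object Volume, Enabled, MinimumFileAgeDays
```

The mirror space reports NumberOfDataCopies 2, which is the "2 drives to cover 1 disk failure" case from the notes; a three-way mirror (NumberOfDataCopies 3) is what needs the five disks.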

Azure

To manage Windows Azure you can use the below three cmdlets:

  • Get-AzurePublishSettingsFile cmdlet opens your default browser, signs into your Windows Azure account, and automatically downloads a .publishsettings xml file that contains information and a certificate that provides management credentials for your Windows Azure subscription.
  • Import-AzurePublishSettingsFile cmdlet imports the .publishsettings file
  • Set-AzureStorageAccount cmdlet updates the properties of an Azure storage account in the current subscription. Properties that can be set are: “Label”, “Description” and “GeoReplicationEnabled”.

Active Directory Recycle Bin

  • Forest functional level must be at least win2008 r2
  • Not enabled by default in Win2012. You can enable it within the “Active Directory Administrative Center”

A deleted objects folder is now shown

NB – You can use the PowerShell cmdlet Sync-ADObject to replicate an individual object.
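The Recycle Bin steps above carried through in PowerShell, as an added example that is not part of the original notes. The forest name contoso.com, the user jsmith and the DC names DC1/DC2 are invented; the script assumes the forest functional level is already 2008 R2 or higher:

```powershell
# Added example: enable the AD Recycle Bin (one-way operation), find a deleted
# object, restore it, and replicate that single object to a second DC.
# Assumed/invented names: contoso.com forest, user jsmith, DCs DC1 and DC2.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or higher is required."
}

# Enable only if no scope has it yet; the feature cannot be turned off afterwards
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects reveals them
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -like 'jsmith*' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Format-Table Name, ObjectClass, lastKnownParent, whenChanged

# Restore to the original parent container (use -TargetPath if that OU was deleted too)
$deleted | Where-Object ObjectClass -eq 'user' | Restore-ADObject

# Push just the restored object from DC1 to DC2 instead of waiting for the replication cycle
$restored = Get-ADUser -Identity jsmith
Sync-ADObject -Object $restored.ObjectGUID -Source DC1 -Destination DC2
```

Restored objects keep their original SID and group memberships, which is the point of the Recycle Bin over a tombstone reanimation; the Sync-ADObject call is the same cmdlet the NB line refers to.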

Microsoft Desktop Optimization Pack (MDOP)

  • Advanced Group Policy Management (AGPM) is a key component of MDOP. It provides change control, offline editing, and role-based delegation.

Active Directory Federation Services

Integrated Windows Authentication (IWA) can be provided via ADFS 2.0 in Windows 2012r2.

Managing Printers

Note you can migrate printers via the Print Management console (you will need to have the Print Management role installed).

Deduplication

Caveats:-

  • Cannot be installed on system or boot volumes
  • Do not install on CSV volumes
  • Can only be installed on non-removable drives
  • Cannot dedupe drives formatted with ReFS

DNS

  • You would create a DNS zone delegation to:-
    • Create sub zones. E.g. sales.contoso.com
    • Delegate management
    • Divide up DNS traffic for large zones
  • You can protect against DNS cache poisoning attacks by using DNSSEC. Below are common DNSSEC cmdlets :-
    • Invoke-DnsServerZoneSign – ensure a zone is signed
    • Add-DnsServerSigningKey – used to manage key signing key (KSK) and zone signing key (ZSK)
  • Stub zone – a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone.
  • Cache Locking – the CacheLockPercent value is used to protect DNS entries for a percentage of their TTL. E.g. if you set CacheLockPercent to 50, and the TTL is 1 hour, the entry cannot be overwritten for 30 minutes.
  • UnRegister-DnsServerDirectoryPartition cmdlet deregisters a Domain Name System (DNS) server from a specified DNS application directory partition. After you deregister a DNS server from a DNS application directory partition, the DNS server removes itself from the replication scope of the partition.
  • GlobalNames – Windows 2008 and above support the replication of simple, single names in DNS via GlobalNames. To setup GlobalNames you must
    • Create Global Name Zone in DNS
    • Enable GlobalNames Support dnscmd <ServerName> /config /enableglobalnamessupport 1
    • Populate the zone and replicate
    • Publish to other forests –
      • add service location (SRV) resource records to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone
      • In addition, you must run the dnscmd <ServerName> /config /enableglobalnamessupport 1 command on every authoritative DNS server in the forests that do not host the GlobalNames zone.
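The DNSSEC, cache locking and GlobalNames items above, as one added PowerShell example (not code from the original notes). The zone contoso.com, the DNS server dns1.contoso.com, the web01 host and the "intranet" alias are invented; the script assumes it runs on a Windows Server 2012 R2 DNS server with the DnsServer module:

```powershell
# Added example: sign a zone and verify the keys, set cache locking against
# poisoning, and create/publish a GlobalNames zone.
# Assumed/invented names: contoso.com, dns1.contoso.com, web01.contoso.com, alias "intranet".

$zone = 'contoso.com'

# --- DNSSEC: sign with the default KSK/ZSK settings if not already signed
$zoneInfo = Get-DnsServerZone -Name $zone
if (-not $zoneInfo.IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
}
# The KSK and ZSK now attached to the zone, and the DNSKEY records that publish them
Get-DnsServerSigningKey -ZoneName $zone | Select-Object KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey | Select-Object HostName, RecordType

# --- Cache locking: at 50%, a record with a 1-hour TTL cannot be overwritten for 30 minutes
Set-DnsServerCache -LockingPercent 50
"Cache locking is now $((Get-DnsServerCache).LockingPercent)%"

# --- GlobalNames: forest-wide single-label names
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest
Set-DnsServerGlobalNameZone -Enable $true      # equivalent of dnscmd /config /enableglobalnamessupport 1
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' -HostNameAlias 'web01.contoso.com'

# Publish to other forests: SRV record _globalnames._msdcs pointing at the zone's host
Add-DnsServerResourceRecord -Srv -ZoneName "_msdcs.$zone" -Name '_globalnames' `
    -DomainName 'dns1.contoso.com' -Priority 0 -Weight 100 -Port 53

# Check the single-label name resolves through the GlobalNames zone
Resolve-DnsName -Name 'intranet' -Server 'dns1.contoso.com' | Select-Object Name, Type, NameHost, IPAddress
```

The Set-DnsServerGlobalNameZone line is per server, which matches the note that the enable command must also be run on every authoritative DNS server in the other forests; the primary zone and SRV record are created once and replicate.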

Workplace Join

  • Allows BYOD devices to get active directory access without being explicitly added to the domain.
  • The setup process is:-
    • SSL cert – install a public trusted certificate
    • install ADFS – In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication
    • Setup device registration service (PowerShell cmdlets are Initialize-ADDeviceRegistration & Enable-AdfsDeviceRegistration) to configure a server in an AD FS farm to host the Device Registration Service.
    • Register device registration service endpoint in DNS – create enterpriseregistration record
  • The Workplace Join process creates a new device object in AD and also installs a certificate on the device. You can then create conditional access policies to permit access to only authorized network applications and services.
  • The SSL certificate on the ADFS server MUST have the below settings:-
    • Subject Name (CN): adfs1.contoso.com
    • Subject Alternative Name (DNS): adfs1.contoso.com
    • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
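The Workplace Join setup steps, with the certificate check the notes call MUST, as an added PowerShell example (not code from the original notes). contoso.com, adfs1.contoso.com, dc1.contoso.com and the gMSA svc_adfs are invented names; the script assumes it runs on the AD FS 2012 R2 server with the ADFS, DnsServer and DnsClient modules available:

```powershell
# Added example: verify the AD FS SSL certificate carries both required names,
# enable the Device Registration Service, publish the DNS alias, then verify.
# Assumed/invented names: contoso.com, adfs1, dc1, service account svc_adfs.

$domain   = 'contoso.com'
$adfsHost = "adfs1.$domain"
$required = @($adfsHost, "enterpriseregistration.$domain")

# 1. Locate the certificate bound to AD FS and check its SAN list
$thumb = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
$sans  = $cert.DnsNameList.Unicode
$missing = $required | Where-Object { $_ -notin $sans }
if ($missing) { throw "AD FS certificate $thumb lacks SAN entries for: $($missing -join ', ')" }
"Certificate OK: CN=$($cert.GetNameInfo('SimpleName', $false)); SAN: $($sans -join ', ')"

# 2. Prepare AD for DRS (gMSA in DOMAIN\name$ form) and enable DRS on this farm node
Initialize-ADDeviceRegistration -ServiceAccountName "$env:USERDOMAIN\svc_adfs$"
Enable-AdfsDeviceRegistration

# 3. Same as ticking "Enable Device Authentication" in the global primary policy
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 4. enterpriseregistration.<domain> as an alias of the federation service name
Add-DnsServerResourceRecordCName -ComputerName "dc1.$domain" -ZoneName $domain `
    -Name 'enterpriseregistration' -HostNameAlias $adfsHost

# 5. Verify the alias resolves and DRS reports as enabled
Resolve-DnsName "enterpriseregistration.$domain" | Select-Object Name, Type, NameHost
Get-AdfsDeviceRegistration
```

The certificate check matters because a client resolves enterpriseregistration.contoso.com and then validates the presented certificate against that name; without the second SAN entry the join fails even though the federation service itself works. Initialize-ADDeviceRegistration and Enable-AdfsDeviceRegistration prompt for confirmation when run interactively.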

Read Only Domain Controllers (RODC)

  • Filtered Attribute Set (FAS) – A list of sensitive items that are NOT replicated to RODCs.
  • Check the attribute's searchFlags value to see if it is replicated. searchFlags = 0 means it is replicated
  • Use ldifde -d to query the searchFlags value
  • To allow/deny the caching of passwords on a RODC you can use the Allowed and Denied RODC password replication groups.
    • “Allowed RODC Password Replication Group” has no members by default,
    • “Denied RODC Password Replication Group” contains all the ‘VIP’ accounts (Enterprise Administrators, Cert Publishers, Schema Administrators, etc.). Deny overrules allow.

    The configuration of a Password Replication Policy is pretty straightforward. Open the Active Directory Users and Computers snap-in and select the RODC in the Domain Controllers organizational unit. On the “Password Replication Policy” tab, there are the two groups: “Allowed RODC Password Replication Group” and “Denied RODC Password Replication Group”. A user can be added to either of the desired groups.

  • “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com” – this error occurs when running adprep /rodc if you cannot contact the infrastructure master.
  • Each RODC requires direct access to a writable DC running win2008 and above.
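The Password Replication Policy and Filtered Attribute Set items above, as an added PowerShell example (not code from the original notes). The RODC name RODC-BR1 and the group "Branch1 Users" are invented; the script assumes the ActiveDirectory module on a domain-joined admin workstation:

```powershell
# Added example: audit an RODC's password replication policy, add a branch group
# to its allow list, list what is already cached, and enumerate the FAS attributes.
# Assumed/invented names: RODC-BR1, group "Branch1 Users".
Import-Module ActiveDirectory
$rodc = 'RODC-BR1'

# Current policy; Deny overrules Allow, so both lists matter
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
'--- Allowed ---'; $allowed | Select-Object Name, objectClass
'--- Denied  ---'; $denied  | Select-Object Name, objectClass

# Grant caching for the branch users on this RODC only
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1 Users'

# Accounts whose secrets are already cached here: the exposure if this RODC is compromised
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass

# Principals that appear in both lists are a configuration mistake worth flagging
$allowed | Where-Object { $_.DistinguishedName -in $denied.DistinguishedName } |
    ForEach-Object { "WARNING: $($_.Name) is in Allowed and Denied; Deny wins" }

# Filtered Attribute Set: schema attributes with the RODC_FILTERED bit (0x200) set in
# searchFlags are never replicated to an RODC. searchFlags 0 means no special handling.
$schema = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schema -Properties lDAPDisplayName, searchFlags `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' |
    Select-Object lDAPDisplayName, @{n = 'searchFlags'; e = { '0x{0:X}' -f $_.searchFlags }}
```

The LDAP filter uses the bitwise-AND matching rule (1.2.840.113556.1.4.803) with 512 (0x200), which is the same information ldifde -d returns for the searchFlags attribute; the -RevealedAccounts list is the one to review when an RODC is lost, since those are the credentials that must be reset.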

Windows Deployment Services

  • Use a transport server for custom deployments – e.g. when you want to store information in a SQL database.
  • Improved multicast deployment by eliminating the need for making a local copy of the install.wim file
  • DNS and DHCP must be available for WDS

DHCP

  • DHCP failover “load balance mode” – multiple DHCP servers can respond to, and load balance, client requests.
  • You can also setup a “hot standby” where just one of the DHCP servers is active and the other is passive. Below are the options to configure, such as “state switchover interval”.

  • You can grant control of DHCP services (to a non-enterprise admin) by delegating control to the “netservices” folder in active directory sites and services.
  • You can use DHCP filtering to deny leases by MAC address
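The two failover modes and the MAC filter above, as an added PowerShell example (not code from the original notes). The server names dhcp1/dhcp2.contoso.com, the scope IDs and the MAC address are invented; the script assumes the DhcpServer module on Windows Server 2012 R2 and that both scopes already exist on dhcp1:

```powershell
# Added example: hot-standby failover for one scope, load-balance failover for
# another, then a MAC deny filter. All names, scope IDs and the MAC are invented.

$primary = 'dhcp1.contoso.com'
$partner = 'dhcp2.contoso.com'
$secret  = Read-Host 'Failover shared secret'    # authenticates the failover channel

# Hot standby: dhcp1 active, dhcp2 passive with 5% of the pool reserved for it.
# StateSwitchInterval: after 1 hour without contact the survivor moves to PARTNER DOWN
# automatically and takes over the whole scope.
Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner -Name 'HQ-HotStandby' `
    -ScopeId 10.1.0.0 -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret

# Load balance: both servers answer, 60/40 split of the address space
Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner -Name 'Branch-LB' `
    -ScopeId 10.2.0.0 -LoadBalancePercent 60 -MaxClientLeadTime 01:00:00 -SharedSecret $secret

Get-DhcpServerv4Failover -ComputerName $primary |
    Select-Object Name, Mode, State, ScopeId, LoadBalancePercent, ReservePercent, StateSwitchInterval

# MAC filtering: add the device to the deny list, then turn the deny list on
Add-DhcpServerv4Filter -ComputerName $primary -List Deny -MacAddress '00-11-22-33-44-55' `
    -Description 'Unapproved device (constructed example)'
Set-DhcpServerv4FilterList -ComputerName $primary -Deny $true
Get-DhcpServerv4FilterList -ComputerName $primary
```

The shared secret must be the same on both partners, and the deny list has no effect until Set-DhcpServerv4FilterList enables it, which is a common reason a filter "does not work".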

Forest Trusts

  • “Selective authentication” over a forest trust restricts access to computer objects to only users that have been explicitly selected. Users can be granted access by the advanced properties of the computer object.

Printing

  • Branch Office Direct Printing – Allows print jobs from a branch office to be sent directly to the printer (i.e. keeping traffic off the WAN)

  • Print Server Clusters are not used in Windows 2012. Microsoft recommend using a highly available VM instead.

Group Policies

  • When a group policy is “enforced” it cannot be overridden by another group policy further down the hierarchy.

Hyper-V

Virtual Machine Manager can use the below profiles which can be found in the library section.

  • Application Profiles – Instructions to install App-V, SQL and Web Deploy.
  • Capability Profiles – Capability Profiles are used to define the sets of capabilities that are allowed in a particular item.
  • Hardware profile – can contain specifications for CPU, memory, network adapters, a video adapter, a DVD drive, a floppy drive, COM ports etc
  • Guest OS Profiles – The OS settings, e.g. Windows version, roles and features to install
  • Host Profiles – Used to deploy new hosts.
  • SQL Server Profiles – Used to deploy SQL


VHDX

  • A new format for virtual disks
  • Only supported on Windows 2012.
  • Supports up to 64TB (as opposed to 2TB in VHDs)
  • Contains Built in protection against corruption (via metadata logging)
  • Larger block sizes (up to 256MB)

Offline Data Transfer (ODX)

  • ODX requests can be offloaded to the SAN allowing for faster file transfers and drive creations.
  • Not supported on IDE
  • Supports VHD and VHDX
  • Only works on NTFS volumes that are not compressed or encrypted

Direct Access

  • Aka Unified Remote Access. A VPN-like technology that can be used to connect clients automatically.
  • Requires Windows 7 and above
  • When using split brain DNS there may be a difference between the public and internal IP for a server on your network. If you want a direct access client to access the public IP (rather than the internal IP) then you must specify an exemption. This is achieved by not specifying a DNS server for a name suffix.
    • To setup access to intranet servers in the above example you should specify the name of the server with a leading dot (e.g. .intranet.al.net) in the name resolution policy
  • Use the “prefer local names allowed” option in a group policy to allow remote users to connect to a locally named server (e.g. server1) if the name conflicts with a server in head office.
  • You can specify the “force tunnelling” option to have all traffic routed through the direct access connection. Use “split tunnelling” if you do not want to force all traffic (e.g. web) through the direct access connection.
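The name resolution, local-names and tunnelling settings above, as an added PowerShell example (not code from the original notes). The suffix al.net, the DNS64 address and the host names are invented, and the cmdlet parameter names used are the RemoteAccess module's as I understand them; the script assumes it runs on a Windows Server 2012 R2 DirectAccess server:

```powershell
# Added example: NRPT rules for split-brain DNS on a DirectAccess server, then the
# force-tunnel and prefer-local-names options. All addresses and names are invented.

$dns64 = '2001:db8:1::1'   # constructed address of the DA server's DNS64 interface

# Intranet namespace: a leading dot covers every host under intranet.al.net
Add-DAClientDnsConfiguration -DnsSuffix '.intranet.al.net' -DnsIPAddress $dns64

# Exemption: no DNS server for this name, so clients resolve it on the Internet
# and reach the public IP instead of the internal one
Add-DAClientDnsConfiguration -DnsSuffix 'www.al.net'

# Force tunnelling sends all client traffic, including web, through DirectAccess;
# 'Disabled' restores split tunnelling
Set-DAClient -ForceTunnel Enabled

# Let a remote user reach a local "server1" when that name also exists at head office
Set-DAClient -PreferLocalNamesAllowed Enabled

# Review the resulting policy
Get-DAClientDnsConfiguration | Select-Object DnsSuffix, DnsIPAddress, ProxyType
Get-DAClient | Select-Object ForceTunnel, PreferLocalNamesAllowed
```

Force tunnelling is the more secure choice because Internet traffic is then inspected by head-office controls, at the cost of WAN bandwidth; split tunnelling is the default.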

VPN

  • SSTP – A new form of VPN tunnel that allows traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP VPNs connect to port 443 (SSL).
  • VPN Reconnect refers to the support in Routing and Remote Access service (RRAS) for a new tunnelling protocol, IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2)

Resilient File System (ReFS)

New file system introduced in Windows 2012 and Windows 8.

  • Cannot be configured on boot drives
  • Cannot convert NTFS to ReFS
  • Cannot be used on removable media
  • Cannot be used with Windows Deduplication

Network Access Protection (NAP)

  • Network Policy Server (NPS) – used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs).
  • Health Registration Authority (HRA) – validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network.
    • Requirements for HRA automatic discovery
      • Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
      • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
      • The EnableDiscovery registry key must be configured on NAP client computers.
      • DNS SRV records must be configured.
      • The trusted server group configuration in either local policy or Group Policy must be cleared.
  • Host Credential Authorization Protocol (HCAP) – allows you to integrate your Microsoft Network Access Protection (NAP) solution with Cisco Network Admission Control
  • RADIUS server and proxy.
    • Note that client computers are not RADIUS clients. RADIUS clients are network access servers, such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers

Domain Controller Cloning

  • Requires that the PDC emulator runs Windows 2012 or higher
  • DCs can be cloned using Hyper-V 2012 or higher (including Windows 8)
  • The DC must be Windows 2012
  • Dccloneconfig.xml is used to specify configuration settings of a cloned DC. They are applied at boot.
  • There is a new active directory group called “Cloneable Domain Controllers”. DCs must be a member of this group to be cloned.
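The cloning prerequisites and DCCloneConfig.xml step above, as an added PowerShell example (not code from the original notes). The DC names DC2/DC3, the site Branch1 and the IP settings are invented; the script assumes it runs on the source virtual DC with the ActiveDirectory module:

```powershell
# Added example: check the PDC emulator, add the source DC to Cloneable Domain
# Controllers, review excluded applications, and write DCCloneConfig.xml.
# Assumed/invented names: DC2 (source), DC3 (clone), site Branch1, 10.1.0.0/24.
Import-Module ActiveDirectory
$source = 'DC2'

# PDC emulator must run Windows Server 2012 or later
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOs = (Get-ADComputer -Identity ($pdc -split '\.')[0] -Properties OperatingSystem).OperatingSystem
if ($pdcOs -notmatch 'Windows Server (2012|2016|2019|2022)') {
    throw "PDC emulator $pdc runs '$pdcOs'; Windows Server 2012 or later is required."
}

# Membership of this group is what authorises the clone
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $source)

# Installed services/programs not on the default allow list block cloning until
# they are removed or explicitly accepted in CustomDCCloneAllowList.xml
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type
    # Only after reviewing the list above
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# DCCloneConfig.xml is written next to the DIT and consumed at first boot of the copy
New-ADDCCloneConfigFile -CloneComputerName 'DC3' -SiteName 'Branch1' -Static `
    -IPv4Address '10.1.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.1.0.1' -IPv4DNSResolver '10.1.0.11'

# Remaining steps: shut down $source, export/copy the VM, import it as DC3 and start it
```

Review the excluded-application list rather than blanket-accepting it: a service that is not clone-safe (one holding a machine-specific identity or licence) will come up on the clone with a duplicated identity.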

IP Address Management (IPAM)

  • IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running DHCP and DNS. There are a number of cmdlets you may need to use with IPAM:-
    • The Add-DhcpServerInDC cmdlet – Adds the computer running the DHCP server service to the list of authorized DHCP server services in AD.
    • Add-IpamServerInventory – Adds an infrastructure server to an IPAM database.
  • The IPAM server must be added to the “event log readers” group
  • If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  • The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies. This needs to be run in every domain. The GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM provisioning wizard.
    • The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value
    • Example use :- Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM
  • Set-IpamConfiguration – can be used to configure the IPAM server itself
  • The following IPAM security groups can be used for:-
    • IPAM Users – can view all information in server inventory, IP address space, and the monitor and manage IPAM console nodes. IPAM Users can view IPAM and DHCP operational events in the Event Catalog node, but cannot view IP address tracking data.
    • IPAM MSM Administrators – Members of this group have all the privileges of the IPAM Users security group, and can perform server monitoring and management tasks in addition to IPAM common management tasks.
    • IPAM ASM Administrators – Members of this group have all the privileges of the IPAM Users security group, and can perform IP address space tasks in addition to IPAM common management tasks.
    • IPAM IP Audit Administrators – Members of this group have all the privileges of the IPAM Users security group. They can view IP address tracking data and perform IPAM common management tasks.
    • IPAM Administrators – Members of this group have privileges to view all IPAM data and perform all IPAM tasks.
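The GPO provisioning, Event Log Readers and security group items above, as an added PowerShell example (not code from the original notes). The server ipam1.contoso.com, the two domains and the account names are invented; the script assumes the IpamServer, GroupPolicy and ActiveDirectory modules on a management workstation with rights in both domains:

```powershell
# Added example: provision the IPAM GPOs in every domain and verify all three exist,
# grant the IPAM computer account Event Log Readers, then delegate by role.
# Assumed/invented names: ipam1.contoso.com, child.contoso.com, ipam-auditor, ipam-addradmin.

$ipam   = 'ipam1.contoso.com'
$prefix = 'IPAM'     # must match the prefix entered in the IPAM provisioning wizard

foreach ($domain in 'contoso.com', 'child.contoso.com') {
    Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $prefix -IpamServerFqdn $ipam -Force

    # The cmdlet creates <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS
    foreach ($suffix in '_DHCP', '_DNS', '_DC_NPS') {
        $gpo = Get-GPO -Name "$prefix$suffix" -Domain $domain -ErrorAction SilentlyContinue
        if ($gpo) { '{0}: {1} (id {2})' -f $domain, $gpo.DisplayName, $gpo.Id }
        else      { "WARNING: $prefix$suffix is missing in $domain" }
    }
}

# IPAM collects DHCP/DNS events remotely, so its computer account needs Event Log Readers
Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADComputer (($ipam -split '\.')[0]))

# Least privilege on the IPAM server itself: the auditor gets tracking data only, the
# address admin gets ASM only; neither is made an IPAM Administrator. Remote console
# users also need the WinRMRemoteWMIUsers__ local group (its actual built-in name).
Invoke-Command -ComputerName $ipam -ScriptBlock {
    net localgroup 'IPAM IP Audit Administrators' CONTOSO\ipam-auditor   /add
    net localgroup 'IPAM ASM Administrators'      CONTOSO\ipam-addradmin /add
    net localgroup 'WinRMRemoteWMIUsers__'        CONTOSO\ipam-auditor   /add
    net localgroup 'WinRMRemoteWMIUsers__'        CONTOSO\ipam-addradmin /add
}
```

The verification loop is there because provisioning silently leaves a domain unprovisioned if the prefix differs from the one the wizard was given; the GPOs then never link and the managed servers stay "Unblocked" but unmanaged.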

System Center Configuration Manager

  • Distribution Point – Used to store the files needed for installation packages.

Migration Tools

  • When migrating a server you can use the Export-SmigServerSetting to backup a configuration (e.g. DHCP settings).
  • You can then use the Import-SmigServerSetting cmdlet to import to a new server.

Key Powershell Commands

  • Get-ADReplicationUpToDatenessVectorTable DC1 – shows a list of the highest USNs seen by server DC1 for every domain controller in the forest.

Misc

  • Note that since Win2008 R2 you can lower the forest functional level via the following PowerShell cmdlets
    • Set-ADForestMode -Identity yourdomain.com -ForestMode Windows2008R2Forest
    • Set-ADDomainMode -Identity yourdomain.com -DomainMode Windows2008R2Domain
  • Online responder – An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate.
  • To rename a domain use the command-line tool rendom.
    • Then use GPFIXUP to replace domain name references in GPOs.
  • BranchCache – Introduced in Windows 2008 R2, BranchCache provides a way to cache file and web content in a branch office to reduce WAN traffic.
    • Distributed cache mode – does not require a server in the branch office. Client computers can download and cache content for others.
  • Use the Microsoft Assessment and Planning (MAP) toolkit – to produce reports on what servers can be migrated to windows 2012r2
  • When delegating control of an OU, the tasks that can be generated are taken from a text file called delegwiz.inf. This file can be edited to include custom tasks.
  • Windows 2012r2 introduces support for claims-based authentication via dynamic access control.
  • Active Directory Migration Tool (ADMT) – can be used to migrate users, groups, accounts and computers between forests.
  • User State Migration Tool (USMT) – used to migrate profiles

END
