70-417 Study Notes

Below is a list of key notes I made whilst studying for the 70-417 exam. They are as brief as I could make them for last minute cramming.

Direct Access

  • Aka Unified Remote Access (the combined DirectAccess/VPN role in Windows Server 2012). A VPN-like technology: domain-joined clients connect automatically over IPsec tunnels whenever they have Internet access, with no user-initiated VPN.
  • Requires domain-joined Windows 7 Enterprise/Ultimate or Windows 8 Enterprise clients (Windows 8 clients can use the 2012 Kerberos proxy and so don't need client certificates)
  • When using split-brain DNS there may be a difference between the public and internal IP for a server on your network. If you want a DirectAccess client to reach the public IP (rather than the internal IP) you must specify an exemption in the Name Resolution Policy Table (NRPT). This is achieved by adding the name without specifying a DNS server, so the client falls back to its normal (public) DNS.
    • To send intranet names through DirectAccess in the above example, add the DNS suffix with a leading dot (e.g. .intranet.al.net) to the NRPT with the internal DNS server(s); names matching the suffix resolve through the tunnel, everything else uses the client's usual DNS
  • Use the “prefer local names allowed” option in Group Policy to allow remote users to connect to a locally named server (e.g. server1) when the name would otherwise be sent through the tunnel and conflict with a server in head office.
  • You can specify the “force tunnelling” option to have all traffic, including Internet traffic, routed through the DirectAccess connection (no split tunnel).

File Server Resource Manager

  • To set up Access Denied Assistance –
    • Install File Server Resource Manager on the file server(s).
    • You may need to set up an email address (SMTP server and recipients) in the FSRM options, because the “request assistance” button mails the data owner/administrator.
    • You must then edit a GPO to enable it (Computer Configuration > Policies > Administrative Templates > System > Access-Denied Assistance). Only Windows 8 clients display the custom message.

  • File “classifications” (classification properties and automatic classification rules) are a feature of File Server Resource Manager

Failover Cluster

  • Failover cluster servers should have (the validation wizard warns where they don't)
    • At least two NICs: one for client/network communication and another for cluster (heartbeat) communication.
    • Shared storage (iSCSI, Fibre Channel, SAS or, from 2012, SMB 3.0 file shares)
    • Matching hardware, OS edition and patch level on every node; the validation tests compare them
  • Before creating a cluster it must be “validated” (Test-Cluster). If validation doesn’t pass you won’t be able to create a supported cluster
  • As a general rule when you configure a quorum, the voting elements in the cluster should be an odd number. Therefore, if the cluster contains an even number of voting nodes, you should configure a disk witness or a file share witness. The cluster will be able to sustain one additional node down. In addition, adding a witness vote enables the cluster to continue running if half the cluster nodes simultaneously go down or are disconnected.
    • A disk witness is usually recommended if all nodes can see the disk. A file share witness is recommended when you need to consider multisite disaster recovery with replicated storage. Configuring a disk witness with replicated storage is possible only if the storage vendor supports read-write access from all sites to the replicated storage.
  • The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain.
    • Node Majority (recommended for clusters with an odd number of nodes) – Can sustain failures of half the nodes (rounding up) minus one. For example, a seven node cluster can sustain three node failures.
    • Node and Disk Majority (recommended for clusters with an even number of nodes) – Can sustain failures of half the nodes (rounding up) if the disk witness remains online. For example, a six node cluster in which the disk witness is online could sustain three node failures. Can sustain failures of half the nodes (rounding up) minus one if the disk witness goes offline or fails. For example, a six node cluster with a failed disk witness could sustain two (3-1=2) node failures.
    • Node and File Share Majority (for clusters with special configurations) – Works in a similar way to Node and Disk Majority, but instead of a disk witness, this cluster uses a file share witness.
    • No Majority: Disk Only (not recommended) – Can sustain failures of all nodes except one (if the disk is online). However, this configuration is not recommended because the disk might be a single point of failure.
  • If you use a network for iSCSI (storage), do not use it for network communication in the cluster.
  • Scale-Out File Server (SOFS). The SOFS is a special active/active clustered file server role that runs on every node in the file server cluster.
    • It requires shared storage either SAN or storage space
  • The Add-ClusterGenericApplicationRole cmdlet – Configure high availability for an application that was not originally designed to run in a failover cluster.
  • Witness disks must be basic (not dynamic) and formatted with NTFS
  • To specify which server should process client requests in a failover cluster set it as the preferred owner.

  • To move clustered roles to a different cluster (e.g. during an upgrade) use the “Migrate Roles” (Copy Cluster Roles) wizard.
  • To move a clustered role between nodes right-click the role and choose Move; “Move Core Cluster Resources” moves the cluster's own name, IP address and witness resources to another node.
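The validation, creation and quorum decisions described above, as an added PowerShell example (not from the original notes). Node names NODE1 to NODE4, the cluster name FC01 and address 10.0.0.50, the witness share \\FS01\Witness$ and a cluster network called iSCSI are assumptions; the quorum rule is the one stated above (keep the vote count odd, so an even node count gets a witness).

```powershell
# Added example (not from the original notes): validate, build and configure quorum for a
# 2012 failover cluster. Names are assumptions: NODE1-NODE4, cluster FC01 at 10.0.0.50,
# witness share \\FS01\Witness$, a cluster network named "iSCSI" dedicated to storage.
Import-Module FailoverClusters

$nodes        = 'NODE1','NODE2','NODE3','NODE4'
$clusterName  = 'FC01'
$clusterIp    = '10.0.0.50'
$witnessShare = '\\FS01\Witness$'

# 1. Validation must pass before the cluster can be created. The report is an HTML file;
#    fix every "Failed" item it lists before continuing (warnings are allowed but worth reading).
$report = Test-Cluster -Node $nodes -Include 'System Configuration','Network','Storage'
Write-Host "Validation report written to $($report.FullName)"

# 2. Create the cluster without claiming any disks yet, so the witness is chosen deliberately.
New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIp -NoStorage | Out-Null

# 3. Quorum: keep the vote count odd. Even node count -> add a witness vote.
$nodeCount = (Get-ClusterNode -Cluster $clusterName).Count
if ($nodeCount % 2 -eq 0) {
    # File share witness: no shared disk needed, works for multi-site clusters with replicated storage.
    Set-ClusterQuorum -Cluster $clusterName -NodeAndFileShareMajority $witnessShare | Out-Null
} else {
    Set-ClusterQuorum -Cluster $clusterName -NodeMajority | Out-Null
}

# 4. Keep storage traffic off the cluster heartbeat/client networks:
#    Role 0 = not used by the cluster, 1 = cluster traffic only, 3 = cluster and client traffic.
$iscsi = Get-ClusterNetwork -Cluster $clusterName | Where-Object { $_.Name -eq 'iSCSI' }
if ($iscsi) { $iscsi.Role = 0 }

# 5. Report how many node failures the configuration tolerates (the rules in the notes above).
function Get-TolerableNodeFailures {
    param([int]$Nodes, [bool]$WitnessOnline)
    $half = [math]::Ceiling($Nodes / 2)
    if ($WitnessOnline) { $half } else { $half - 1 }
}
$q = Get-ClusterQuorum -Cluster $clusterName
$hasWitness = $null -ne $q.QuorumResource
"Quorum type: $($q.QuorumType); witness: $(if ($hasWitness) { $q.QuorumResource.Name } else { 'none' })"
"Tolerates $(Get-TolerableNodeFailures -Nodes $nodeCount -WitnessOnline $hasWitness) node failure(s) while the witness is online"
"Tolerates $(Get-TolerableNodeFailures -Nodes $nodeCount -WitnessOnline $false) node failure(s) if the witness is lost"
```

Run it from one of the prospective nodes as an account that is a local administrator on all of them; the witness share needs Full Control for the cluster name object (FC01$) once the cluster exists.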


Clustered File servers

  • Scale-Out File Server
    • Doesn't support DFS Replication (it can still be a DFS Namespace folder target), FSRM, file classification, data deduplication or NFS; it is intended for application data rather than user home folders
    • All file shares are online on all nodes simultaneously (active-active), so a node failure does not drop SMB sessions
    • Can be used to store Hyper-V VMs and SQL Server databases
  • File Server for general use
    • Does support DFS Replication, FSRM, classification and deduplication
    • Shares are online on one node at a time (active-passive); clients reconnect after a failover

IP Address Management (IPAM)

  • IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running DHCP and DNS. There are a number of cmdlets you may need to use with IPAM:-
    • The Add-DhcpServerInDC cmdlet – Adds the computer running the DHCP server service to the list of authorized DHCP server services in AD.
    • Add-IpamServerInventory – Adds an infrastructure server to an IPAM database.
  • The IPAM server's computer account must be added to the “Event Log Readers” group (do this manually, the provisioning GPOs don't) so it can collect DHCP lease events and DC logon events for IP address tracking
  • If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  • The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies. The GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM provisioning wizard.
    • The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value
    • Example use :- Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM (run as a Domain Admin)
  • The IPAM installation process (Server Manager > IPAM overview): install the feature, connect to the IPAM server, provision it (manual or Group Policy based), configure and start server discovery, select the discovered servers to manage, then retrieve data

  • To set the manageability status of a discovered server, right-click it in Server Inventory, choose Edit Server and set Manageability status to Managed (or Unmanaged). A server must be Managed, and have the provisioning GPO applied, before IPAM collects anything from it
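The provisioning steps above as an added PowerShell example (not from the original notes). The domain contoso.com, the IPAM server IPAM01, the GPO prefix IPAM and the managed DHCP server DHCP01 are assumptions; the cmdlet and parameter names are those of the 2012/2012 R2 IpamServer module.

```powershell
# Added example (not from the original notes): GPO-based IPAM provisioning, then bring one DHCP
# server under management. Assumed names: domain contoso.com, IPAM server IPAM01, GPO prefix
# "IPAM" (must match the prefix typed in the provisioning wizard), managed server DHCP01.
Install-WindowsFeature IPAM -IncludeManagementTools

# Creates and links IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS at the domain root. Run as a Domain Admin.
Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM -IpamServerFqdn ipam01.contoso.com -Force

# The GPOs grant IPAM access to the managed servers, but the IPAM server also has to be able to
# read DHCP audit and DC logon events; Event Log Readers membership is what gives it that.
Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADComputer IPAM01)

foreach ($suffix in 'DHCP','DNS','DC_NPS') {
    $gpo = Get-GPO -Name "IPAM_$suffix" -ErrorAction Stop
    '{0,-14} {1}' -f $gpo.DisplayName, $gpo.GpoStatus
}

# Add the server and mark it Managed. The GPO security filtering picks the server up from the
# IPAM database, so refresh policy on the target and confirm its status afterwards.
Add-IpamServerInventory -Name dhcp01.contoso.com -ServerType DHCP -ManageabilityStatus Managed
Invoke-GPUpdate -Computer dhcp01.contoso.com -Force -RandomDelayInMinutes 0
Get-IpamServerInventory | Format-Table Name, ServerType, ManageabilityStatus -AutoSize
```

If the prefix passed here differs from the one entered in the wizard, IPAM keeps waiting for GPOs that will never apply; re-run the cmdlet with the wizard's prefix rather than renaming the GPOs.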

Publishing Apps on the Internet

  • Web Application Proxy – a Remote Access role service (Windows Server 2012 R2) that lets you configure a server in the perimeter network to act as a reverse proxy for internal web applications, with optional AD FS pre-authentication so unauthenticated requests never reach the back end
  • Kerberos constrained delegation lets you limit the back-end services (by SPN) for which a front-end service can request tickets on behalf of another user. A common example of constrained delegation is the web-browser-to-IIS-to-SQL-Server scenario; Web Application Proxy uses it to hand a pre-authenticated user off to an internal Windows-authenticated application.
  • Relying Party Trust – the AD FS object that represents an application or service consuming the tokens AD FS issues (for example an app published through Web Application Proxy); its claim rules define which claims go in the token and who is authorised to receive one

Read Only Domain Controller

You can add local administrators who do not have full access to domain administration. This gives them the ability to manage the server (log on, patch, restart) but not add or change Active Directory objects. Adding this type of user is done with the dsmgmt.exe utility at the command prompt (or by setting the RODC computer object's Managed By attribute). In dsmgmt, the “local roles” context provides commands including:

  • adding local roles – e.g. add CONTOSO\jbloggs administrators
  • showing local roles – e.g. show role administrators (list roles lists the roles available)

Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations masters, or bridgehead server.

Server Core Edition

  • There are a number of ways to manage a Windows core server
    • The Server Configuration tool (Sconfig.cmd) can be used to configure and manage several common aspects of Server Core installations

  • You can use Server Manager, installed by default on 2012, from another server. On Windows 8 you need to download the Remote Server Administration Tools (RSAT)
  • To open the firewall to allow MMC remote management use the command Enable-NetFirewallRule -DisplayGroup “Remote Administration”
  • To enable RDP run the command cscript C:\Windows\System32\Scregedit.wsf /ar 0 on the core server
  • To join a domain you can use either:-
    • Powershell – Add-computer (you will be prompted for further info)
    • Cmd line – netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*
  • To make a core server a domain controller in an existing domain enter the below in the cmd prompt
    • Powershell
    • Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    • Install-ADDSDomainController
  • To convert to the GUI version of Windows you can use either DISM or PowerShell. On a server that was installed as Core the GUI binaries are not on disk, so point at the install media (index 4 of install.wim is typically the Datacenter full edition) with /source or -Source:-
    • DISM –
      • Dism /online /enable-feature /featurename:Server-Gui-Mgmt /featurename:Server-Gui-Shell /featurename:ServerCore-FullServer /all (add /source:<path to a mounted install.wim's Windows folder> when the payload is missing)
    • PowerShell –
      • Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Source wim:d:\sources\install.wim:4 -Restart
      • Add-WindowsFeature is an alias of Install-WindowsFeature in 2012, so either name works

Workplace Join

  • Allows BYOD devices to get active directory access without being explicitly added to the domain.
  • The setup process is:-
    • SSL cert – install a public trusted certificate
    • install ADFS – In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication
    • Set up the Device Registration Service – the PowerShell cmdlets Initialize-ADDeviceRegistration (creates the DRS objects in AD, run once per forest) and Enable-AdfsDeviceRegistration (run on each AD FS server) configure a server in an AD FS farm to host the Device Registration Service.
    • Register the Device Registration Service endpoint in DNS – create a CNAME record enterpriseregistration.<UPN suffix> pointing at the AD FS farm name, for every UPN suffix your users have
  • The Workplace Join process creates a new device object in AD and also installs a certificate on the device. You can then create conditional access policies to permit access to only authorized network applications and services.
  • The SSL certificate on the ADFS server MUST have the below settings:-
    • Subject Name (CN): adfs1.contoso.com
    • Subject Alternative Name (DNS): adfs1.contoso.com
    • Subject Alternative Name (DNS): enterpriseregistration.contoso.com
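The certificate requirement and the three DRS steps above as an added PowerShell example (not from the original notes). The farm name adfs1.contoso.com, the UPN suffix contoso.com, the DNS server DC01 and the AD FS service account CONTOSO\svc_adfs$ are assumptions; the SAN check reads the subjectAltName extension (OID 2.5.29.17) of the certificate in the local machine store.

```powershell
# Added example (not from the original notes). Assumed names: AD FS farm adfs1.contoso.com,
# UPN suffix contoso.com, DNS zone contoso.com hosted on DC01, AD FS service account CONTOSO\svc_adfs$.
$adfsFqdn  = 'adfs1.contoso.com'
$upnSuffix = 'contoso.com'
$required  = @($adfsFqdn, "enterpriseregistration.$upnSuffix")

# 1. The certificate bound to AD FS must carry both names in its SAN; check before touching DRS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$adfsFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$adfsFqdn and a private key in LocalMachine\My" }

$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanNames = if ($sanExt) {
    # Format($false) renders the extension as "DNS Name=a, DNS Name=b"
    ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
} else { @() }
$missing = $required | Where-Object { $sanNames -notcontains $_ }
if ($missing) { throw "Certificate $($cert.Thumbprint) lacks SAN entries: $($missing -join ', ')" }
"Certificate OK: $($cert.Thumbprint); SAN = $($sanNames -join ', ')"

# 2. Stand up the Device Registration Service on the farm and turn on device authentication.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc_adfs$'
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Publish the well-known name clients probe: enterpriseregistration.<UPN suffix> -> AD FS farm.
Add-DnsServerResourceRecordCName -ComputerName DC01 -ZoneName $upnSuffix `
    -Name enterpriseregistration -HostNameAlias $adfsFqdn
Resolve-DnsName "enterpriseregistration.$upnSuffix" -Type CNAME
```

Repeat the CNAME for each additional UPN suffix, and add each enterpriseregistration name to the certificate's SAN as well, otherwise Workplace Join fails with a certificate name mismatch for users with that suffix.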


Hyper-V

  • With Hyper-V Replica you can replicate a virtual machine from one host to another using only Hyper-V and a network connection (no shared storage or cluster needed).
    • To replicate a VM you must configure the destination Hyper-V server as a “replica server” (enable it as a replication target and authorise the primary server) and then enable replication in the VM's settings.
    • Kerberos (HTTP) authentication sends the replication traffic unencrypted. To encrypt it choose certificate (HTTPS) authentication, which needs a server-authentication certificate trusted by both hosts, typically issued by your AD CS certificate authority.
  • Live Migration – moves a running VM between hosts with no perceptible downtime. It can be used for planned maintenance but not for an unplanned failover, as the source host must be running. Windows Server 2012 allows several simultaneous live migrations per host (the limit is configurable; 2008 R2 allowed only one at a time).
  • Quick Migration – saves the VM's state, moves it and resumes it, so there is a short outage. You can quick-migrate multiple VMs at once.
  • Port mirroring – a virtual switch port setting that copies all traffic from one VM's port to another VM's port (e.g. one running a packet capture)
  • You can use the Resource Control settings on a VM's processor to balance CPU between VMs:-
    • Virtual Machine Reserve (percentage) – the share of the VM's assigned processors that is kept aside for it; the VM will not start if the host cannot honour the reserve
      • Percent of total system resources – the same reserve expressed against all of the host's processors, scaled by how many processors the VM has
    • Virtual Machine Limit (percentage) – the share of its assigned processors the VM is not allowed to exceed
      • Percent of total system resources – the same limit expressed against all of the host's processors
    • Relative Weight – decides how CPU is shared under contention. A VM with weight 200 gets twice the CPU time of a VM with weight 100 (the default); 500 versus 400 is 25% more, not double.
  • You can use Resource Metering (Enable-VMResourceMetering, then Measure-VM) to gather CPU, memory, disk and network usage stats for a VM.
  • Use the Import-VM PowerShell cmdlet to import a VM into Hyper-V from its exported files.
  • Single Root I/O Virtualisation (SR-IOV) capable network adaptors can be assigned directly to a VM, bypassing the virtual switch. This is useful for VMs that generate a lot of network traffic.
  • You can test the failover of a HyperV replicated VM by right clicking on it and selecting “test failover”
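The replica-server setup, certificate-based replication and test failover described above as an added PowerShell example (not from the original notes). The host names HVPRIMARY01 and HVREPLICA01, the VM APP01, the storage path D:\Replica and the trust group name are assumptions, and the thumbprint is a placeholder for a server-authentication certificate already installed on, and trusted by, both hosts.

```powershell
# Added example (not from the original notes): certificate-authenticated (HTTPS) Hyper-V Replica
# between two hosts, then a test failover. Assumptions: primary HVPRIMARY01, replica HVREPLICA01,
# VM APP01, a server-authentication certificate already installed on both hosts and trusted by both.
$thumb   = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: replace with the real thumbprint
$replica = 'hvreplica01.contoso.com'
$primary = 'hvprimary01.contoso.com'

# --- Replica host: accept only certificate auth, and only from named primaries ---
Set-VMReplicationServer -ComputerName $replica -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate -CertificateThumbprint $thumb `
    -ReplicationAllowedFromAnyServer $false -CertificateAuthenticationPort 443
New-VMReplicationAuthorizationEntry -ComputerName $replica -AllowedPrimaryServer $primary `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Prod'
# The built-in listener rule exists but is disabled until you turn it on.
Enable-NetFirewallRule -CimSession $replica -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# --- Primary host: enable replication on the VM over HTTPS and start the initial copy ---
Enable-VMReplication -ComputerName $primary -VMName APP01 -ReplicaServerName $replica -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $thumb -CompressionEnabled $true -RecoveryHistory 4
Start-VMInitialReplication -ComputerName $primary -VMName APP01
Get-VMReplication -ComputerName $primary -VMName APP01 | Select-Object VMName, State, Health, Mode

# --- Replica host: a test failover creates a disposable "APP01 - Test" VM; the primary keeps running ---
Start-VMFailover -ComputerName $replica -VMName APP01 -AsTest
Start-VM -ComputerName $replica -Name 'APP01 - Test'
# ... verify the application inside the test VM, then discard it
Stop-VMFailover -ComputerName $replica -VMName APP01
```

Keep the test VM off any production network: it carries the replicated disks and, if it reaches the same subnet as the primary, will fight it for the IP address and AD computer account.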

Network Access Protection

  • Restricts client PC access to your network. NAP tests the “health” of clients by checking the status of AV, patching and the firewall. If a client fails the check it can be given access to a “remediation” network that contains, for example, an AV or update server
  • There are 4 components
    • Network Policy Server (NPS) – used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs).
    • Health Registration Authority (HRA) – validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network.
      • Requirements for HRA automatic discovery
        • Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
        • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
        • The EnableDiscovery registry key must be configured on NAP client computers.
        • DNS SRV records must be configured.
        • The trusted server group configuration in either local policy or Group Policy must be cleared.
    • Host Credential Authorization Protocol (HCAP)
    • RADIUS server and proxy
  • You can configure the NAP server with three different types of policies:
  1. Connection Request Policies that use connections and settings to authenticate client requests to access the network. These policies also control where the authentication will be performed. You must have a connection request policy for each NAP enforcement method.
  2. Network Policies that use conditions, settings and constraints to determine the level of access that will be authorized for a client that attempts to connect to the network. You need at least two network policies to deploy NAP: one for client computers that are found to be compliant with your health policies and one for those clients that are out of compliance.
  3. Health Policies that specify which System Health Validators (SHVs) are to be evaluated and how they’re to be used to evaluate health status. You have to enable at least one SHV for each health policy.
  • NAP enforcement methods are IPsec, VPN, 802.1X, RD Gateway and DHCP. DHCP is the weakest: a client with a statically assigned IP address bypasses it entirely.

  • Network Policy Server (NPS) – The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy is automatically installed when you install HRA. You can configure NPS on your HRA server as either a NAP health policy server or NPS proxy.
  • System Health Validators – When you install an SHV, it is added to the list of SHVs in the Network Policy Server (NPS) console and becomes available for use in health policies. The Windows Security Health Validator (WSHV) is available by default.

Group Policy

  • WMI filtering allows you to filter the application of group policies based on hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.
  • When a GPO link is enforced its settings cannot be overridden by GPOs linked lower in the hierarchy (and it is not stopped by Block Inheritance). Enforced GPOs are applied after all non-enforced ones, and among enforced GPOs the one linked higher in the tree (e.g. at the domain) wins over one linked lower (at an OU), the reverse of the normal order.
  • By default settings in Group Policy Objects (GPOs) get applied in the following order (the last one applied wins):
    • Local policy
    • Site
    • Domain
    • OUs (parent OU first, then each child OU down to the one containing the object)
  • In Win2012 you can now force a group policy update from the management console

Backups

  • You cannot use Azure backups to backup a USB flash drive
  • Azure Powershell commands
    • Set-OBMachineSetting – used to specify proxy server settings for accessing the internet, network bandwidth throttling settings, and the encryption passphrase
    • Start-OBRegistration – Registers the current computer with Windows Azure Backup using the credentials (username and password) created during enrolment.
    • Get-OBPolicy | Start-OBBackup – start backup job using a policy
  • When using server backup to a network share it will only store one backup. Subsequent backups overwrite the previous

Installation

  • Files used in the installation of roles are held in the WinSxS folder (the component store)
  • Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows image, e.g. to add drivers. An example command to mount an image = dism.exe /mount-wim /wimfile:c:\yourserverimage.wim /index:4 /mountdir:c:\mount (use dism.exe /unmount-wim /mountdir:c:\mount /commit afterwards to save the changes)
    • For example to install the server migration tools into this image run the cmd Dism /image:C:\mount /Enable-Feature /FeatureName:migration /All
  • You cannot upgrade a “core” installation of Windows Server and switch to a GUI in one step. If you want to upgrade 2008 R2 Core to 2012 GUI you should upgrade to 2012 as the first step and then add the Server Graphical Shell feature
  • You can upgrade Standard editions of Windows Server 2012/2012 R2 to Datacenter by using the DISM tool (dism /online /set-edition:ServerDatacenter /productkey:<Datacenter key, e.g. AAAAA-BBBBB-CCCCC-DDDDD-EEEEE> /AcceptEula). Check the possible targets first with dism /online /get-targeteditions.
  • Powershell – You can use the below commands
    • Install-ADDSDomainController – Creates a new domain controller in an existing domain.
    • Install-ADDSDomain – Creates a new domain in an existing forest.
    • Install-ADDSForest – Creates a new forest. Note you will need to run this one first when first setting up AD
  • The Active Directory installation wizard gives options to install DNS and setup as a GC

Powershell Web Access Gateway

  • Windows PowerShell Web Access provides a web-based Windows PowerShell console. It enables IT Pros to run Windows PowerShell commands and scripts from a Windows PowerShell console in a web browser, with no Windows PowerShell, remote management software, or browser plug-in installation necessary on the client device.
  • Install-PswaWebApplication – Configures the Windows PowerShell Web Access web application in IIS.
  • Add-PswaAuthorizationRule – Adds a new authorization rule to the Windows PowerShell Web Access authorization rule set.
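The two cmdlets above, as an added PowerShell example (not from the original notes) that pairs them with a constrained session configuration so the web console exposes only a short list of cmdlets. The gateway PSWA01, the managed server APP01, the group CONTOSO\Helpdesk, the user CONTOSO\jdoe and the configuration name Helpdesk are assumptions.

```powershell
# Added example (not from the original notes). Assumed names: gateway PSWA01, managed server
# APP01, AD group CONTOSO\Helpdesk, session configuration "Helpdesk", test user CONTOSO\jdoe.
Install-WindowsFeature WindowsPowerShellWebAccess -IncludeManagementTools
Install-PswaWebApplication -UseTestCertificate    # lab only; bind a CA-issued certificate in IIS for production

# On the managed server: a constrained endpoint that exposes only the cmdlets the helpdesk needs.
# RestrictedRemoteServer also removes the language features that would let a user escape the list.
Invoke-Command -ComputerName APP01 -ScriptBlock {
    $pssc = Join-Path $env:ProgramData 'Helpdesk.pssc'
    New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
        -VisibleCmdlets 'Get-Service','Restart-Service','Get-EventLog','Get-Process'
    Register-PSSessionConfiguration -Name Helpdesk -Path $pssc -Force | Out-Null
}

# Back on the gateway: PSWA denies everything unless a rule matches user, computer AND configuration.
Add-PswaAuthorizationRule -UserGroupName 'CONTOSO\Helpdesk' -ComputerName 'app01.contoso.com' -ConfigurationName 'Helpdesk'

# Check what a given user would get before handing out the URL. The first call returns the rule
# above; the second returns nothing, because no rule lets the helpdesk into the unrestricted
# default endpoint (Microsoft.PowerShell).
Test-PswaAuthorizationRule -UserName 'CONTOSO\jdoe' -ComputerName 'app01.contoso.com' -ConfigurationName 'Helpdesk'
Test-PswaAuthorizationRule -UserName 'CONTOSO\jdoe' -ComputerName 'app01.contoso.com' -ConfigurationName 'Microsoft.PowerShell'
Get-PswaAuthorizationRule
```

A rule with ComputerName * or ConfigurationName * is equivalent to handing the group a full remote shell on every server; scope all three fields, and use the constrained endpoint name rather than the default one.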

Remote Management

  • On Win2012 remote management (WinRM and Server Manager remoting) is enabled by default
  • LocalAccountTokenFilterPolicy – a registry DWORD (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, set to 1) that must be set to allow remote management with local accounts in a non-domain (workgroup) environment. It disables remote UAC token filtering, so every local administrator gets a full-privilege token over the network, which also makes the server easier to move to laterally once any local admin password is known. Prefer domain accounts and leave it unset where you can.
  • You can enable Server Manager remote management via the commands:-
    • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    • Configure-SMRemoting.exe -Enable – this will enable all the firewall rule exceptions needed
  • The cmd winrs -r:SERVERNAME ipconfig can be used to remotely retrieve the ip details of a server
  • To manage 2008r2 servers from 2012 you must (on the 2008r2 server):-
    • Install .net 4 and windows management framework 3
    • Run the powershell commands:-
      • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
      • Configure-SMRemoting.ps1 -force -enable
  • To enable remote management via PowerShell use Enable-PSRemoting (it starts WinRM, registers the default session configurations and opens the firewall). Enable-PSSessionConfiguration only re-enables a session configuration that was previously disabled, so it is not the tool for initial setup
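The workgroup-server case described above (Enable-PSRemoting, LocalAccountTokenFilterPolicy, and the winrs command) as an added PowerShell example (not from the original notes). The target srv01.example.local and its local administrator account ops are assumptions.

```powershell
# Added example (not from the original notes): enable remoting on a workgroup server and manage it
# from an admin workstation. Assumed names: target SRV01 (srv01.example.local), local admin "ops".

# --- On SRV01 ---
Enable-PSRemoting -Force            # starts WinRM, creates the HTTP listener, opens the firewall rule (skipped on a Public profile)
Configure-SMRemoting.exe -Enable    # Server Manager: adds the remaining "Remote Administration" firewall exceptions

# Only needed when remote logons use LOCAL accounts on a non-domain machine. Value 1 turns off the
# UAC filtered token for network logons, so every local admin is a full admin over the network;
# leave it absent (or 0) on domain-joined servers and use domain accounts instead.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null

# --- On the admin workstation ---
# WinRM will not Negotiate-authenticate to a non-domain host it does not trust; list that host only, never "*".
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'srv01.example.local' -Concatenate -Force
Test-WSMan -ComputerName srv01.example.local | Select-Object ProductVersion

$cred = Get-Credential 'srv01\ops'
# PowerShell equivalent of: winrs -r:SRV01 ipconfig
Invoke-Command -ComputerName srv01.example.local -Credential $cred -ScriptBlock {
    Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress, PrefixLength
}
```

Trusting a host by name over HTTP means the credential is protected only by Negotiate/NTLM; for anything outside a lab, add an HTTPS listener with a certificate and use -UseSSL so the host is authenticated too.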

Active Directory

  • The Active Directory Recycle bin needs to be manually enabled
  • Dcpromo.exe is deprecated in Windows Server 2012 (it only still runs with an answer file, dcpromo /unattend). Use Server Manager or PowerShell instead
    • The PowerShell commands are Import-Module ADDSDeployment and Install-ADDSForest (or Install-ADDSDomainController for an existing domain)
  • The Active Directory Database Mounting Tool, Dsamain.exe, allows an ntds.dit file to be mounted and exposed as an LDAP server, which means you can use such tools as ADSIEdit, LDP.exe, and Active Directory Users and Computers to interact with the data.
    • Obviously because you’re mounting on a DC, you can’t mount the AD database on the standard LDAP port of 389 – you must choose another port.
  • The overall function of the Federation Service in Active Directory Federation Services (AD FS) is to issue a token that contains a set of claims. The decision regarding what claims AD FS accepts and then issues is governed by claim rules.
    • AD FS includes a predefined set of claim rule templates that are designed to help you easily select and create the most appropriate claim rules for your particular business need.
      • Acceptance Transform Rule Set – A set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization and the outgoing claims that will be sent to the relying party trust.
      • Issuance Transform Rule Set – A set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party.
      • Issuance Authorisation Rule Set – A set of claim rules that you use on a relying party trust to specify the users that will be permitted to receive a token for the relying party.
      • Delegation Authorisation Rule Set – A set of claim rules that you use on a relying party trust to specify the users that will be permitted to act as delegates for other users to the relying party.
      • Impersonation authorization Rule Set – A set of claim rules that you configure using Windows PowerShell to determine whether a user can fully impersonate another user to the relying party.
  • The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings. It needs to be scripted to apply to remote computers
  • If having problems with ADFS and 3rd party applications you can disable extended protection for authentication by running the command Set-ADFSProperties –ExtendedProtectionTokenCheck “None”. This is not recommended as it lowers security.
  • Use NTDSUTIL to mount an AD snapshot. You can then use DSAMAIN to make this data available via ldap.
  • After a migration you may need to rebuild the SYSVOL and NETLOGON shares. On an FRS-replicated SYSVOL you do this with an authoritative (D4) restore on exactly one DC and a non-authoritative (D2) restore on every other DC. The steps are:-
    • Stop the FRS service (net stop ntfrs)
    • Edit the registry – set the BurFlags value under HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup to D4 (authoritative) or D2 (non-authoritative)
    • Start the FRS service (net start ntfrs)
  • A non-authoritative SYSVOL restore on a DFS-R replicated SYSVOL re-deploys the SYSVOL data from a working domain controller using DFS Replication. The process (on the DC being restored) is:-
    • adsiedit – set msDFSR-Enabled to FALSE on CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings under the DC's computer object
      • repadmin /syncall /AdP – force AD replication
      • dfsrdiag PollAD – make DFS-R read the change (wait for event 4114 in the DFS Replication log)
    • adsiedit – set msDFSR-Enabled back to TRUE
      • repadmin /syncall /AdP – force AD replication again
      • dfsrdiag PollAD – poll again (event 4614 followed by 4604 means the initial sync completed)
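The issuance transform and issuance authorisation rule sets from the AD FS notes above, as an added PowerShell example (not from the original notes) written in the claim rule language. A relying party trust named Claims App and an AD group App-Users are assumptions; the claim type URIs are the standard AD FS ones.

```powershell
# Added example (not from the original notes): set issuance transform and issuance authorization
# rules on a relying party trust using the claim rule language. Assumptions: a relying party named
# "Claims App" already exists and the group allowed in is CONTOSO\App-Users.
Import-Module ADFS
Import-Module ActiveDirectory

$groupSid = (Get-ADGroup 'App-Users').SID.Value

# Issuance transform: which claims the token carries. Looks up the UPN in AD, keyed on the
# Windows account name that the "Active Directory" claims provider already supplied.
$issuanceTransform = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Issuance authorization: who may receive a token at all. The wizard's default is the
# "Permit all users" template; replacing it with one permit rule makes the trust deny-by-default
# for everyone who does not carry this group SID claim.
$issuanceAuthz = @"
@RuleName = "Permit members of App-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName 'Claims App' `
    -IssuanceTransformRules $issuanceTransform -IssuanceAuthorizationRules $issuanceAuthz

$rp = Get-AdfsRelyingPartyTrust -TargetName 'Claims App'
"Transform rules:`n$($rp.IssuanceTransformRules)"
"Authorization rules:`n$($rp.IssuanceAuthorizationRules)"
```

Matching on the group SID rather than the group name keeps the rule correct if the group is renamed, and is not spoofable through a display-name collision in another domain.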

Troubleshooting

  • The command-line Logman tool creates and manages Event Trace Sessions and Performance logs and supports many functions of Performance Monitor from the command line.

  • Use event subscriptions (Windows Event Forwarding) to automatically send event log data to a collector server. The “Configure target Subscription Manager” GPO setting tells source computers which collector to contact.

  • Source-initiated subscriptions allow you to define a subscription on the event collector computer without listing the event source computers; the sources are pointed at the collector by Group Policy.
  • Collector-initiated subscriptions must define all the event source computers in the subscription itself.

Performance Counter Thresholds

If any of the counters below read past their threshold, you have an issue

  Performance Counter                 Threshold
  Memory\Available MBytes             < 10% of physical RAM
  Memory\Pages/sec                    > 1000
  Processor\% Interrupt Time          > 30%
  System\Processor Queue Length       > 2 per processor
  Processor\% Processor Time          > 90%
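The table above as a check you can actually run, added here as a PowerShell example (not from the original notes). It samples the five counters a few times, averages them and flags any outside its threshold; the 10% memory figure is computed against the host's physical RAM and the queue-length limit against its logical processor count. Nothing beyond the thresholds listed is assumed.

```powershell
# Added example (not from the original notes): sample the five counters from the table and flag
# any that breach their threshold. Thresholds are the ones in the table above.
function Test-PerfThresholds {
    param([int]$SampleInterval = 5, [int]$MaxSamples = 3)

    $cs      = Get-CimInstance Win32_ComputerSystem
    $totalMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $procs   = $cs.NumberOfLogicalProcessors

    $checks = @(
        @{ Path = '\Memory\Available MBytes';            Bad = { param($v) $v -lt 0.10 * $totalMB }; Rule = "< 10% of $totalMB MB" }
        @{ Path = '\Memory\Pages/sec';                   Bad = { param($v) $v -gt 1000 };            Rule = '> 1000' }
        @{ Path = '\Processor(_Total)\% Interrupt Time'; Bad = { param($v) $v -gt 30 };              Rule = '> 30%' }
        @{ Path = '\System\Processor Queue Length';      Bad = { param($v) $v -gt 2 * $procs };      Rule = "> 2 per processor (x$procs)" }
        @{ Path = '\Processor(_Total)\% Processor Time'; Bad = { param($v) $v -gt 90 };              Rule = '> 90%' }
    )

    # Several samples averaged: a single reading of Pages/sec or the queue length spikes all the time.
    $samples = Get-Counter -Counter ($checks | ForEach-Object { $_.Path }) `
                           -SampleInterval $SampleInterval -MaxSamples $MaxSamples

    foreach ($c in $checks) {
        # CounterSamples paths are prefixed with \\hostname, so match on the tail.
        $values = $samples.CounterSamples |
                  Where-Object { $_.Path -like "*$($c.Path)" } |
                  Select-Object -ExpandProperty CookedValue
        $avg = ($values | Measure-Object -Average).Average
        [pscustomobject]@{
            Counter   = $c.Path
            Average   = [math]::Round($avg, 1)
            Threshold = $c.Rule
            Status    = if (& $c.Bad $avg) { 'ALERT' } else { 'ok' }
        }
    }
}

Test-PerfThresholds | Format-Table -AutoSize
```

Run it against a remote server by adding -ComputerName to Get-Counter and Get-CimInstance; on a busy box raise -MaxSamples so a short burst of interrupts does not trip the 30% rule.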


FSMO Roles

Forest Wide Roles

  • Schema Master – controls all updates and modifications to the schema.
  • Domain Naming Master – responsible for making changes to the forest-wide domain namespace of the directory in the Partitions container (adding and removing domains and application partitions).

Domain Wide Roles:

  • Relative ID (RID) Master – allocates pools of RIDs to the DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of the domain SID (the same for all SIDs created in the domain) and a RID that is unique within the domain. When moving objects between domains (e.g. with Movetree or ADMT) you must start the move on the RID master of the domain that currently holds the object.
  • PDC Emulator – acts as a Windows NT PDC for backwards compatibility (replicating to any remaining NT BDCs). It is the time source for the domain and is ultimately responsible for passwords: password changes are replicated to the PDC emulator as soon as possible, and a DC that fails an authentication retries it against the PDC emulator before rejecting the logon.
  • Infrastructure Master – responsible for updating references from objects in its domain to objects in other domains. It should not be on a global catalog server unless every DC in the domain is a GC.

Storage Spaces

  • When adding a new disk to a Win2012 server it goes into the “primordial” pool until you add it to a storage pool.
  • You require 2 disks for a two-way “mirrored” storage space (5 for a three-way mirror).
  • A “parity” storage space requires 3 disks.
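The primordial pool, the 2-disk mirror and the 3-disk parity space above as an added PowerShell example (not from the original notes). The names Pool1, Mirror1 and Parity1, the sizes and the VHDX path are assumptions; the storage subsystem lookup accepts either the 2012 (“Storage Spaces on …”) or 2012 R2 (“Windows Storage on …”) friendly name.

```powershell
# Added example (not from the original notes): pool the primordial disks and carve a two-way
# mirror and a parity space, then contrast with New-VHD. Names (Pool1, Mirror1, Parity1,
# D:\VHDs) are assumptions.
$poolable = @(Get-PhysicalDisk -CanPool $true)        # disks still sitting in the primordial pool
if ($poolable.Count -lt 3) {
    throw "Parity needs 3 disks and a two-way mirror needs 2; only $($poolable.Count) poolable disk(s) found"
}

$subsystem = Get-StorageSubSystem |
             Where-Object { $_.FriendlyName -like 'Storage Spaces*' -or $_.FriendlyName -like 'Windows Storage*' } |
             Select-Object -First 1
New-StoragePool -FriendlyName Pool1 -StorageSubSystemUniqueId $subsystem.UniqueId -PhysicalDisks $poolable | Out-Null

# Mirror: every block written twice, survives one disk. Parity: data plus parity striped across 3+ disks.
$spaces = @(
    New-VirtualDisk -StoragePoolFriendlyName Pool1 -FriendlyName Mirror1 -ResiliencySettingName Mirror `
        -NumberOfDataCopies 2 -Size 100GB -ProvisioningType Thin
    New-VirtualDisk -StoragePoolFriendlyName Pool1 -FriendlyName Parity1 -ResiliencySettingName Parity `
        -Size 200GB -ProvisioningType Thin
)

# Bring each space online as an NTFS volume.
$spaces | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -Confirm:$false | Out-Null

Get-VirtualDisk -StoragePoolFriendlyName Pool1 |
    Format-Table FriendlyName, ResiliencySettingName, NumberOfDataCopies, Size, HealthStatus -AutoSize

# Not the same thing: a VHD/VHDX file for Hyper-V comes from New-VHD, not New-VirtualDisk.
New-VHD -Path D:\VHDs\data01.vhdx -SizeBytes 40GB -Dynamic
```

Thin provisioning lets the two spaces oversubscribe the pool; watch the pool's free space, because a thin space that cannot allocate goes offline rather than degrading.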

Dynamic Access Control

You can use Dynamic Access Control to limit access to files based on AD attributes of the user and classification properties of the folder or file. For example, allow all Canadian users to access a file share that has the value “Canada” set on it.

To setup dynamic access control you must:-

  • “Enable KDC support for claims, compound authentication, and Kerberos armouring” in a GPO linked to the Domain Controllers OU (plus “Kerberos client support for claims, compound authentication and Kerberos armoring” on the file servers and clients)
  • Create a claim type – e.g. from the user's country attribute, so a user whose home country is Canada carries that claim in their ticket

  • Configure Resource properties for files – Select the relevant information from the file share (e.g. country, department)


  • Create Resource property lists – every resource property needs to be added to a list. Once done you can now classify the files\folders via this property.
  • Create New Central Access Rule – i.e. Canadian users can access file shares with the “Canadian” field setup
  • Create Central Access Policy – Create a policy to use the above rule
  • Apply in GPO
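The whole procedure above, as an added PowerShell example (not from the original notes) run on a domain controller. The user attribute c (country code) feeding the claim, the resource property name Country, the Modify access mask and the GPO names are assumptions, as are the registry values behind the two Kerberos policy settings, which you should confirm against the KDC and Kerberos ADMX files in your build.

```powershell
# Added example (not from the original notes): the DAC steps above as PowerShell, run on a DC.
# Assumptions: the user attribute 'c' (country code) feeds the claim, the resource property is
# called Country, the rule grants Modify; the registry values behind the two Kerberos GPO
# settings are the ones in the comments and should be checked against your ADMX files.
Import-Module ActiveDirectory, GroupPolicy

# 1. Kerberos support for claims/armoring: KDC side on the DCs, client side on file servers/clients.
New-GPO -Name 'DC - Kerberos claims' | New-GPLink -Target 'OU=Domain Controllers,DC=contoso,DC=com' | Out-Null
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc'
Set-GPRegistryValue -Name 'DC - Kerberos claims' -Key $kdcKey -ValueName EnableCbacAndArmor -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'DC - Kerberos claims' -Key $kdcKey -ValueName CbacAndArmorLevel  -Type DWord -Value 1 | Out-Null   # 1 = Supported
New-GPO -Name 'Clients - Kerberos claims' | New-GPLink -Target 'OU=FileServers,DC=contoso,DC=com' | Out-Null
$kerbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name 'Clients - Kerberos claims' -Key $kerbKey -ValueName EnableCbacAndArmor -Type DWord -Value 1 | Out-Null

# 2. Claim type from the user's country attribute, with the values a user may carry.
$values = 'CA','US' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "Country $_")
}
$claim = New-ADClaimType -DisplayName Country -SourceAttribute c -SuggestedValues $values -PassThru

# 3. Resource property that files get classified with, sharing its value list with the claim,
#    and added to the Global Resource Property List so file servers can use it.
$rp = New-ADResourceProperty -DisplayName Country -ResourcePropertyValueType MS-DS-SinglevaluedChoice `
        -SharesValuesWith $claim -IsSecured $true -PassThru
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $rp

# 4. Central access rule: a user whose Country claim equals the file's Country tag gets Modify (0x1301bf).
#    Conditional ACEs use the XA type; @USER.<claim ID> and @RESOURCE.<property>_MS are the operands.
$acl = "O:SYG:SYD:AR(A;;FA;;;OWNER RIGHTS)(A;;FA;;;SY)(A;;FA;;;BA)" +
       "(XA;;0x1301bf;;;AU;(@USER.$($claim.ID) == @RESOURCE.Country_MS))"
New-ADCentralAccessRule -Name 'Country match' -ResourceCondition '(Exists @RESOURCE.Country_MS)' -CurrentAcl $acl

# 5. Policy that carries the rule. Deploy it to the file servers through a GPO
#    (Computer Configuration > Policies > Windows Settings > Security Settings > File System >
#    Central Access Policy), then pick it on the folder's Advanced Security > Central Policy tab.
New-ADCentralAccessPolicy -Name 'Country Access'
Add-ADCentralAccessPolicyMember -Identity 'Country Access' -Members 'Country match'
Get-ADCentralAccessPolicy -Identity 'Country Access' | Select-Object Name, Members
```

Use the rule's ProposedAcl first and watch the 4818 audit events on the file server before switching the same SDDL into CurrentAcl; a mistyped claim ID silently denies everyone because the conditional ACE never matches.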


Computer Management

You can create a VHD from computer management

Djoin

  • Can be used with Windows 7 / Windows Server 2008 R2 and later
  • Allows a computer to join a domain without connectivity to a DC (offline domain join): djoin /provision on a domain member creates the account and a blob file, and djoin /requestODJ applies the blob on the target computer

Misc

  • The Netlogon.dns file can be used to locate SRV records
  • The cmdlet set-executionpolicy specifies the security restrictions:-
    • Restricted: Does not load configuration files or run scripts. “Restricted” is the default execution policy.
    • AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
    • RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
    • Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
    • Bypass: Nothing is blocked and there are no warnings or prompts.
    • Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
  • Use the New-VHD cmdlet to create a VHD/VHDX file. (New-VirtualDisk creates a Storage Spaces virtual disk from a pool, which is a different thing.)
  • Managed Service Accounts can be used for services to run under.
    • They can be created via powershell New-ADServiceAccount
    • Use sc.exe to change the log on credentials of a service

  • Use NTDSUTIL to manage active directory application partitions
  • To prepare a domain controller for cloning, place the CustomDCCloneAllowList.xml file (generated with Get-ADDCCloningExcludedApplicationList -GenerateXml) in the same directory as the AD database (ntds.dit), then create DCCloneConfig.xml with New-ADDCCloneConfigFile. The source DC must be a member of the Cloneable Domain Controllers group.
  • To export a custom Data Collector Set from one computer to another right click on it and select save template.
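The Managed Service Account notes above as an added PowerShell example (not from the original notes), using the group Managed Service Account type that 2012 introduced. The domain contoso.com, the host WEB01, the account svc_web, the group WebServers and the service name MyService are assumptions.

```powershell
# Added example (not from the original notes): a group managed service account end to end.
# Assumptions: domain contoso.com, host WEB01, account svc_web, group WebServers, service MyService.
Import-Module ActiveDirectory

# One-time per forest. A new key is normally usable only 10 hours after creation so that every DC
# has replicated it; backdating EffectiveTime is the lab shortcut and should not be used in production.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null }

# Only hosts in this group can fetch the password from a DC, so group membership is the real ACL.
New-ADGroup -Name WebServers -GroupScope Global -Path 'OU=Groups,DC=contoso,DC=com'
Add-ADGroupMember -Identity WebServers -Members (Get-ADComputer WEB01)

New-ADServiceAccount -Name svc_web -DNSHostName svc_web.contoso.com `
    -PrincipalsAllowedToRetrieveManagedPassword WebServers -KerberosEncryptionType AES128,AES256

# On WEB01 (needs RSAT-AD-PowerShell, and a reboot after the group change so its ticket carries the group):
Invoke-Command -ComputerName WEB01 -ScriptBlock {
    Install-ADServiceAccount -Identity svc_web
    if (-not (Test-ADServiceAccount -Identity svc_web)) { throw 'WEB01 cannot retrieve the gMSA password' }

    # Blank password: Windows fetches it from AD and rotates it every 30 days. sc.exe does not grant
    # "Log on as a service"; grant that via Local Security Policy/GPO (services.msc does it automatically).
    sc.exe config MyService obj= 'CONTOSO\svc_web$' password= ''
    Restart-Service MyService
    (Get-CimInstance Win32_Service -Filter "Name='MyService'").StartName
}
```

Because no human ever knows the password, a gMSA removes the shared-password and never-rotated-credential problems of a normal service account, but anyone who is an administrator on a host in WebServers can still extract the current password from LSASS, so the group should list only the hosts that need it.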
