MCT USE ONLY. STUDENT USE PROHIBITED
X19-05175
MICROSOFT LICENSE TERMS MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply. BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Prerelease course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User: For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer:
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplement the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is”. Any use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You may benefit from additional rights under local consumer protection law, which this contract cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation concerns: anything related to the licensed content, to services or to content (including code) on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of your country. This contract does not modify the rights conferred on you by the laws of your country if those laws do not permit it.
Revised September 2012
About This Course
This section provides you with a brief description of the course — 10967A: Fundamentals of a Windows Server Infrastructure — audience, suggested prerequisites, and course objectives.
Course Description
This five-day course covers the basic skills and knowledge that are required in order to build a Windows Server infrastructure. It covers storage considerations and implementation, networking architecture and topologies, security considerations and best practices, as well as basic Windows Server administration skills and specific technologies such as Windows Server 2012 installation, configuration, maintenance and performance. Within that it will also cover specific areas such as Active Directory Domain Services (AD DS), Domain Name System (DNS), Group Policy and many others. This course is intended as a first step in preparing for a job in IT or as prerequisite training before beginning the Microsoft Certified Solutions Associate (MCSA) training and certification path.
Audience
Candidates for this course are people who are starting out their career or looking to change careers into Windows Server Technologies and need the fundamental knowledge to help them achieve that. It would be of interest to home computer users, small business owners, academic students, information workers, developers, technical managers, help desk technicians or IT Professionals who are looking to cross train from an alternative technology.
Student Prerequisites
In addition to their professional experience, before attending this course, students must have:
• Knowledge of general computing concepts.
• Knowledge equivalent to the MTA exam 98-349: Windows Operating System Fundamentals.
Course Objectives
After completing this course, students will be able to:
• Perform a local media-based installation of Windows Server 2012.
• Select appropriate storage technologies and configure storage on Windows Server.
• Describe fundamental network components and terminology, enabling you to select an appropriate network component in a particular scenario.
• Implement a network by selecting network hardware components and technologies, and determine the appropriate network hardware and wiring components for a given situation.
• Describe the protocols and services within the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols and implement IPv4 within a Windows Server environment.
• Implement and manage Windows Server roles.
• Implement and configure an Active Directory Domain Services (AD DS) forest.
• Describe the concept of defense-in-depth and determine how to implement this approach with Windows Server.
• Identify the security features in Windows Server that help to provide defense-in-depth.
• Identify the network-related security features in Windows Server that mitigate security threats to your network.
• Identify and implement additional software components to enhance your organization’s security.
• Monitor a server to determine its performance level.
• Identify the Windows Server tools available to maintain and troubleshoot Windows Server.
Course Outline
The course outline is as follows:
Module 1, “Installing and Configuring Windows Server 2012”
This module explains how the Windows Server 2012 editions, installation options, optimal service and device configuration and general post-installation configuration all contribute to the functionality and effectiveness of your Windows Server implementation. After completing this module, you will be able to:
• Describe Windows Server components and architecture.
• Install Windows Server 2012.
• Configure services.
• Configure devices and device drivers.
Module 2, “Implementing Storage in Windows Server”
This module will introduce you to different storage technologies, discuss how to implement the storage solutions in Windows Server and will finish with a discussion of a resilient strategy for your storage that is fault tolerant in various ways, helping to avoid unplanned downtime and loss of data. After completing this module, you will be able to:
• Identify a suitable storage technology.
• Manage storage within Windows Server.
• Implement disk fault tolerance.
Module 3, “Understanding Network Infrastructure”
In this module, students will learn how to describe fundamental network components and terminology, enabling the student to select an appropriate network component in a particular scenario. After completing this module, you will be able to:
• Describe physical network topologies and standards.
• Define local area networks (LANs).
• Define wide area networks (WANs).
• Describe wireless networking technologies.
• Explain how to connect a network to the Internet.
• Describe how technologies are used for remote access.
Module 4, “Connecting Network Components”
This module explores the functionality of low-level networking components, including switches and routers. In addition, the module provides guidance on how best to connect these and other components together to provide additional network functionality. After completing this module, you will be able to:
• Describe the industry standard protocol model.
• Describe routing technologies and protocols.
• Describe adapters, hubs, and switches.
• Describe wiring methodologies and standards.
Module 5, “Implementing TCP/IP”
This module describes the requirements of a protocol stack and then focuses on the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack. After completing this module, you will be able to:
• Describe the functionality of the TCP/IP suite.
• Describe IP version 4 (IPv4) addressing.
• Configure an IPv4 network.
• Describe IP version 6 (IPv6) addressing and transition.
• Describe the various name resolution methods that are used by TCP/IP hosts.
Module 6, “Windows Server Roles”
This module explains the functional requirements of a server computer and how to select and deploy appropriate server roles to support these functional requirements. After completing this module, you will be able to:
• Describe role-based deployment.
• Deploy role-specific servers.
• Describe deployment options for server roles.
• Implement best practices for server roles.
Module 7, “Implementing Active Directory Domain Services (AD DS)”
This module explains how, as a directory service, AD DS stores information about objects on a network and makes this information available to users and network administrators. After completing this module, you will be able to:
• Describe the fundamental features of AD DS.
• Implement AD DS.
• Implement organizational units (OUs) for managing groups and objects.
• Configure client computers centrally with Group Policy objects (GPOs).
Module 8, “Implementing IT Security Layers”
This module explains how, in addition to file and share permissions, you can also use data encryption to restrict data access. After completing this module, you will be able to:
• Identify security threats at all levels and reduce those threats.
• Describe physical security risks and identify mitigations.
• Identify Internet-based security threats and protect against them.
Module 9, “Implementing Windows Server Security”
This module reviews the tools and concepts available for implementing security within a Microsoft Windows infrastructure. After completing this module, you will be able to:
• Describe the Windows Server features that help improve the network’s security.
• Explain how to secure files and folders in a Windows Server environment.
• Explain how to use Windows Server encryption features to help secure access to resources.
Module 10, “Implementing Network Security”
This module explains the possible threats when you connect your computers to a network, how to identify them, and how to implement appropriate Windows network security features to help eliminate them. After completing this module, you will be able to:
• Identify network-based security threats and mitigation strategies.
• Implement Windows Firewall to secure Windows hosts.
Module 11, “Implementing Security Software”
This module explains how an information technology (IT) administrator can account for and mitigate the risks of malicious code, unauthorized use, and data theft. After completing this module, you will be able to:
• Implement Windows Server® technologies and features that improve client security.
• Describe security threats posed by email and how to reduce these threats.
• Explain how to improve server security by using Windows Server security analysis and hardening tools.
Module 12, “Monitoring Server Performance”
This module discusses the importance of monitoring the performance of servers, and how you monitor servers to ensure that they run efficiently and use available server capacity. It also explains how to use performance monitoring tools to identify components that require additional tuning and troubleshooting, so that you can improve the efficiency of your servers. After completing this module, you will be able to:
• Use the Event Viewer to identify and interpret Windows® Logs, and Application and Services Logs.
• Measure system resource usage, identify component bottlenecks, and use monitoring tools such as Performance Monitor.
Module 13, “Maintaining Windows Server”
This module explains the importance of system updates, how to troubleshoot the Windows Server boot process, and how to implement high availability and recovery technologies to improve system availability. After completing this module, you will be able to:
• Troubleshoot the Windows Server startup process.
• Implement high availability and recovery technologies to improve system availability.
• Explain the importance of system updates.
• Implement an appropriate troubleshooting methodology to resolve problems with Windows Server.
Exam/Course Mapping
This course, 10967A: Fundamentals of a Windows Server Infrastructure, does not have a direct mapping to any Microsoft exam, and taking this course does not guarantee passing any such exam.
This course does, however, cover some of the required content from the Microsoft Technology Associate (MTA) exams listed below, and may be useful study material in preparation for those exams. Further details are available on http://www.microsoft.com/learning
• 98-365: Windows Server Administration Fundamentals
• 98-366: Networking Fundamentals
• 98-367: Security Fundamentals
Course Materials
The following materials are included with your kit:
• Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
  o Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
  o Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
  o Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
  o Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s needed.
• Course Companion Content on the http://www.microsoft.com/learning/companionmoc site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
  o Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
  o Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.
• Student Course files on the http://www.microsoft.com/learning/companionmoc site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.
• Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Hyper-V® in a Windows Server 2012 host to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save any changes. Labs in each module are independent of each other and require the virtual machines to be in a clean state at the start of each module in order to function correctly. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course.
Virtual machine     Role
10967A-LON-DC1      Windows Server 2012 Domain Controller and DNS Server in the Adatum.com domain.
10967A-LON-SVR1     Windows Server 2012 server, member server in the Adatum.com domain.
10967A-LON-SVR2     Windows Server 2012 server. Not domain joined.
10967A-LON-SVR3     Windows Server 2012 Server Core. Domain joined to Adatum.com.
10967A-LON-SVR4     Blank virtual disk used for installation of Windows Server 2012.
10967A-LON-SVR5     Windows Server 2012 server. Not domain joined. Damaged boot sector for use in the troubleshooting lab.
10967A-LON-CL1      Windows 8 client, joined to the Adatum.com domain.
MSL-TMG1            Windows Server 2008 R2 Enterprise with Microsoft Forefront Threat Management Gateway (TMG) installed. Acts as Internet proxy and default gateway for course virtual machines. Required in some labs to allow access to the Internet.
Software Configuration
The following software is installed or available for use in the labs:
• Remote Server Administration Toolkit (RSAT) for Windows 8: Available as part of the lab files for installation and use during the lab.
• StressTool.exe: Used to place a simulated load on virtual machine CPUs.
• Report Viewer 2008 SP1: Used for Windows Server Update Services reporting synchronization.
• Microsoft® System CLR Types for Microsoft® SQL Server® 2012: Used as an example MSI installer for use with AppLocker.
• Windows Server 2012 Evaluation Installation files: Used during the Windows Server 2012 installation lab.
Course Files
There are lab files associated with the labs in this course, which contain the software listed above and sample files for use during the course labs. These lab files are located on the E:\ drive within the 10967A-LON-DC1 virtual machine.
Classroom Setup
Each classroom computer will have the same virtual machines configured in the same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Hardware Level 6
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*
• 8 GB random access memory (RAM) or higher
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
Navigation in Windows Server 2012
If you are not familiar with the user interface in Windows Server 2012 or Windows 8, then the following information will help orient you to the new interface.
• Sign in and Sign out replace Log in and Log out.
• Administrative tools are found in the Tools menu of Server Manager.
• Move your mouse to the lower right corner of the desktop to open a menu with:
  o Settings: This includes Control Panel and Power
  o Start menu: This provides access to some applications
  o Search: This allows you to search applications, settings, and files
You may also find the following shortcut keys useful:
• Windows: Opens the Start menu
• Windows+C: Opens the same menu as moving the mouse to the lower right corner
• Windows+I: Opens Settings
• Windows+R: Opens the Run window
Module 1
Installing and Configuring Windows Server
Contents:
Module Overview    1-1
Lesson 1: Windows Server Architecture    1-2
Lesson 2: Installing Windows Server    1-9
Lesson 3: Configuring Services    1-21
Lesson 4: Configuring Devices and Device Drivers    1-24
Lab: Installing and Configuring Windows Server 2012    1-29
Module Review and Takeaways    1-34
Module Overview
In order to have a server that fits the needs of your organization and that operates in an efficient and consistent manner, specific steps and considerations have to be taken. A critical piece of a Windows Server® operating system’s ability to operate successfully and efficiently is the initial installation of the operating system and the configuration of the services and devices. These areas are covered in this module.
Objectives
After completing this module, you will be able to:
• Describe Windows Server components and architecture.
• Install Windows Server 2012.
• Configure services.
• Configure devices and device drivers.
Lesson 1
Windows Server Architecture
Before you start to install and configure Windows Server, you must have a basic understanding of servers and operating systems. You must also understand server components and how those components work together. Understanding these basic concepts will help you make more informed decisions and have a better understanding of how servers work.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe servers and clients.
• Describe components that make up Windows Server.
• Describe the Windows Server bus technologies.
• Describe the Windows Server software architecture.
What Is a Server?
A server is a computer that provides shared resources—such as files, printers, email messages, web services, and databases—to network users. Unlike a client, whose primary role is performing tasks for the end-user who is logged on locally to the computer, a server is responsible for serving many resources to the rest of the network. Which resources the server provides is determined by the assignment of server roles. Server roles define a server’s function, such as Web Server, Application Server, File and Storage Services server, and Print Server.
Servers also play a key role in maintaining the integrity of a computer network. Servers use authentication and resource access rules to make sure that information and resources on the network are available only to those who are authorized to use them. Servers also provide additional network-related services such as assigning IP addresses, performing name resolution, or routing network traffic.
The main component to supplying these services in an effective manner is the server operating system. The server operating system communicates with the server’s hardware to enable communication to occur and data to be transferred internally between the various server components and externally to resources that want to access information. A server operating system provides a centralized environment to manage the server’s functionality and resources. It lets administrators interact with the server in a meaningful and efficient way. Operating systems control the allocation and usage of hardware resources such as memory, CPU time, disk space, and peripheral devices. An operating system is the foundation on which programs and applications are built.
Question: What different functions might a server perform in a network environment?
Windows Server Components
Servers consist of multiple components that enable the computer to function. Some more well-known elements include the following:
• Motherboards
• Casing or housing unit
• CPU/processors
• Memory
• Hard disks
• Expansion devices
• Integrated peripherals
• Power supplies
• Cooling systems
• Keyboards
• Mouse devices
• Monitors
Generally, servers are a group of individual components. How these components interact and operate determines the performance of the server. At its most basic level, the server consists of a series of resistors, capacitors, semiconductors, and transistors, connected through conductive cabling. The following topics cover some common components, such as the motherboard, CPU (or processor), hard disk, random access memory, and network access. Understanding how these hardware components are used by the operating system and how they interact with one another is an important step to understanding how servers function.
Motherboard
The motherboard is the printed circuit board (PCB) that controls all the other components in a server. It is typically the largest single physical component, on which all other physical components are installed. Motherboards can be very different from server to server and are built to accommodate particular technologies or kinds of devices. Server motherboards can be housed in several different ways, such as the following:
• Towers. Server motherboards can be mounted in a stand-alone box. This is known as a tower, much as you might see in a desktop workstation. Desktop workstations are mainly used in small to medium-sized businesses and are not usually centrally managed or configured.
• Racking or shelving units. Server motherboards can be mounted in single self-contained units. These units can then be stacked in a rack or shelving unit. Typically, racks and shelving units contain multiple servers and are located in a secure server room. These servers can be managed by using a single monitor or keyboard present in the racking unit, or remotely managed. Remotely managing servers is most common in modern data center environments.
• Blade servers. Server motherboards can be mounted as “blade” servers. These are stripped-down versions (no chassis) with just the motherboard and necessary components. This configuration is becoming more common in data center environments because there are fewer components and the blades can be quickly swapped out.
CPU or Processor
The CPU or processor is the computational, mathematical, and control unit of a computer. CPUs are everywhere in modern devices, such as TVs, telephones, washing machines, cars, and refrigerators. The processor is the component that executes instructions and, at its most basic level, is a layer of silicon with millions of transistors, known as a core. Typically, CPUs in modern servers have more than one core or separate CPUs built in to one device. Having two processors is known as dual core and having four processors is known as quad core. CPU performance can be measured in many ways. Factors such as memory cache size, bus width, and number of transistors all affect CPU performance. Processor speed, or clock speed, measured in Hertz, is probably the most common measurement used to differentiate CPUs.
CPUs can have either a 32-bit or 64-bit architecture. A 32-bit processor can directly address up to a maximum limit of approximately 4 gigabytes (GB) of address space. A 64-bit processor can support up to 1,024 GB of both physical and addressable memory. Additionally, 64-bit systems can scale up (increase processor cores and memory) more than 32-bit systems. Not all software and operating systems can take advantage of a 64-bit architecture. Legacy applications might require 32-bit architecture. The Windows Server 2012 operating system is available only in 64-bit versions.
Note:
• 64-bit processors can run either a 32-bit or 64-bit operating system.
• 32-bit processors can only run a 32-bit operating system.
Processor functionality is continually being updated and improved. For example, new processors may have Second Level Address Translation (SLAT) technology. SLAT improves performance by providing a second level of paging at the hardware level. The Client Hyper-V feature in Windows® 8 requires SLAT to be present for it to work. Similarly, Hyper-V® in Windows Server 2012 requires hardware-assisted virtualization support in processors, such as Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
Storage
Windows Server requires a repository into which it can store and retrieve data. Modern servers typically access some form of shared storage. This shared storage provides redundancy and is typically external to the physical server. There are two primary competing physical elements that can be used:
• Disks. Hard disk drives (HDDs) have been used for a long time. They consist of circular disks and a “head” that can read and write to the disks. The disks spin very quickly and the head accesses and writes data as directed. This is much like an old vinyl record player, except a lot faster and able to access different areas of the disk as needed. Disks can be stand-alone or attached together in an array. Disks are categorized with two main metrics, as follows:
  o Capacity. Can be from several hundred megabytes to several terabytes.
  o Speed of access. This is defined by the bus technology, which can significantly affect disk performance. Bus technologies are discussed in more detail in the next topic.
• Solid-state drives (SSD). These, as the name suggests, are based on semiconductors and have no disks or mechanical components. There are no moving parts. SSDs have the same metrics as HDDs.
  o Capacity. Have smaller capacities than HDDs, generally only up to several hundred megabytes. SSDs are not as scalable and are usually more expensive than HDDs. This may change as the technology evolves and becomes more common in the industry.
  o Speed of access. SSDs provide faster read and write access to data than HDDs. They require a separate controller to control read and write functions. SSDs generally provide faster access to data and are fairly new to the industry.
Disk space is also used by the operating system and applications to cache items for quick access. Storage costs generally have come down in recent times and the technologies implementing them are evolving. This is transforming storage options for servers and for consumers.
Memory
Data that is stored in a storage device must be transferred into memory before it can be used. So server memory can have a significant effect on the number of concurrent tasks a server can perform. If multiple applications or services are operating in parallel, the available memory can determine whether a particular application will load and how long it will take to execute. Typically, memory refers to the main memory or random access memory (RAM). This is known as random because any part of the memory device can be written or accessed. However, there are other kinds of memory, such as memory dedicated to graphics or CPUs. These devices typically contain read-only memory (ROM). There are different kinds of RAM, such as Synchronous Dynamic RAM (SD RAM), Double Data Rate Synchronous DRAM (DDR SDRAM), and Double Data Rate 2 RAM (DDR2 RAM). Each kind of memory has its own characteristics. Motherboards have memory slots. This determines the kind of memory supported and how much memory is supported. Some features or functionality to be aware of include the following:
• Dual inline memory module (DIMM). The slot on the motherboard in which the RAM is inserted. The connection type has 32 or 72 pin varieties.
• Single inline memory module (SIMM). The slot on the motherboard in which the RAM is inserted. The connection type has 32 or 72 pin varieties.
• Error Correction Checking (ECC). Supports verifying the integrity of data entering or leaving the storage area. If the data is corrupted, ECC will correct the error.
• Registered memory. Holds the data until it is passed on to the motherboard for transfer. It increases the speed and reliability of data access.
• Buffered memory. Contains a buffer to allow for overspill of data when it is dealing with the memory controller—that is, there is more data than the controller can handle or process. Buffered memory is more reliable and has faster transfers.
Generally, more memory is better. With 64-bit chip architecture, you can have significant amounts of RAM.
Note: RAM is considered volatile because without power, all data stored in it will be lost.
Network
By definition, servers provide resources to clients. Therefore, network access is very important to server performance. Although there might be some network components integrated into the motherboard, network support within servers is provided through network adapters which are inserted into the expansion slots of a server’s motherboard.
Many different network adapters are available, and most of the network adapter functionality can be determined by the software that is used to manage the transfer of data. Some features—such as single-root I/O virtualization (SR-IOV), which allows for the direct transfer of data between network adapters on different computers, bypassing the need for CPU intervention—require that functionality be supported by the network adapter itself. NIC teaming, where multiple network adapters can be combined to provide redundancy, is such a scenario; Multipath I/O (MPIO) for redundancy is another such scenario. You need to be aware of the network functionality and network adapter functionality, and what your requirements are for transfer rates and feature sets. Ultimately, poor network performance could lead to a very poor end-user experience.
Power Supply
As with any electrical device, servers require power. They need a regulated power supply and are very sensitive to power surges or sudden drops in power. Either scenario can result in damaged components.
Therefore, most servers will have an uninterruptible power supply (UPS) as a backup power supply if there is a sudden power failure, and a surge protector to prevent sudden spikes in electrical power.
Cooling Units/Heat Sinks
Electronic components generate heat. This heat can cause an electronic component to fail and result in damage or data loss. The heat can be “drawn off” or dissipated in several ways, such as the following:
• Use air or water. Typically, servers have fans that speed up and slow down to blow air across a hot device to cool it down. You can also use water or other liquid-cooled mechanisms, but these are not widely used. Liquid cooling systems must be carefully managed.
• Provide conduction or radiation. Putting heat sinks over CPUs can move heat away from the device. Also, not positioning individual components over one another and leaving open space between devices helps dissipate heat.
Heat management is a significant consideration in modern data centers. Using fans can be very noisy and requires additional power consumption. This has additional costs.
Question: In what ways can 64-bit computing improve performance?
Windows Server Bus Technologies
Bus technologies are the mechanisms by which components communicate with one another. The term can be used in the context of either computer-to-computer communication over a network or, as is more typical, in relation to internal computer components and how parts of the computer communicate with the processor. Many devices are referred to or named by the kind of bus technology that they use. Bus technologies can be broadly grouped into two functional categories: serial bus and parallel bus.
• Serial Bus. Data is broken up and transmitted as packets. The packets are sent one after the other over a single connection to the destination. At the destination, the packets are then reassembled. Common serial bus technologies include the following:
  o Serial Advanced Technology Attachment (SATA). Connects storage devices, such as hard disk drives and optical drives, to the CPU. Variations exist, such as external SATA (eSATA) and mini-SATA (mSATA). SATA version 2 provides speeds of up to 300 megabytes per second (MBps). SATA version 3 provides speeds up to 600 MBps.
  o Serial-attached SCSI. Provides for speeds of potentially up to 300 MBps. Supports hot swapping, that is, replacing the component without shutting down the system.
  o Peripheral Component Interconnect (PCI) and PCI Express. Typically used to attach peripheral devices to a server. PCIe supports speeds up to 200 MBps.
  o Universal serial bus (USB). Several versions are available. USB 3.0 provides speeds of up to 5 gigabytes per second (GBps), but in practice a good deal less than that, of the order of several hundred MBps. Used in many peripheral devices.
  o Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1394. Also known as FireWire, i.LINK, and Lynx. Supports speeds of 800 MBps and provides for very fast transfer speeds. Used in many peripheral devices, specifically multimedia devices.
  o Infiniband. Infiniband has three implementations, each a multiple of a 2.5 GBps transfer rate. Infiniband 1x provides transfer rates of 2.5 GBps. Infiniband 4x provides transfer rates of 10 GBps. Infiniband 12x provides transfer rates of 30 GBps. Infiniband is intended for use with high-speed storage, clustering, and cloud computing in data centers.
• Parallel Bus. Data is broken up into packages and transmitted to its destination over multiple connections at the same time. At the destination, the packets are then reassembled.
  o Parallel ATA (PATA). Generally known as Integrated Drive Electronics (IDE) and in later versions as Enhanced IDE (EIDE). Used for HDD connections. This is a legacy technology.
  o Parallel SCSI. Used primarily for data storage with hard disk drives. It provides maximum transfer rates of approximately 320 MBps. This legacy technology was replaced by serial-attached SCSI.
  o Industry Standard Architecture (ISA). This is a legacy technology that provided a 16-bit bus. Replaced by PCI.
  o Micro Channel. IBM PS/2 replacement for ISA.
  o Extended ISA (EISA). An extension of ISA that was largely replaced by PCI.
Serial buses have generally replaced parallel buses and are currently more widely used in servers.
The internal bus types can be categorized by the type of data that they transmit, such as the following:
• Address bus. An internal bus from the CPU to the memory. This is used to transfer the addresses of data, not the actual data itself. The address bus width is the determining factor in how much addressable memory is available.
• Data bus. An internal bus that connects the CPU and the memory (for example, RAM), across which the actual data is transferred.
• Control bus. A bus that controls the communication between the CPU and memory.
Windows Server Software Architecture
When Windows Server 2012 is installed on a computer, the CPU has two modes in which it can operate: kernel mode and user mode.
Kernel Mode
Kernel mode provides full and direct access to all installed hardware. Access is provided through a software layer called the hardware abstraction layer. This layer gives programmers a standard set of calls that can be used to access any hardware type.
The Windows Server application programming interface (API) is a set of objects and commands that enables programmers to interact with and write code to manipulate the Windows software. Through this layer, programmers can access and customize the Windows code. Operating system components that require direct access to hardware run in kernel mode. For example, file system drivers run in kernel mode and can access memory, CPU, bus technologies, and peripheral devices.
Be aware that code running in kernel mode is not isolated. If a driver running in kernel mode accesses or writes data to an address space, it could affect other parts of the operating system or other applications that are running. This can be seen in a fatal error that displays a stop error, more commonly known as a blue screen.
User Mode
User mode does not have direct access to the hardware and requests access through kernel mode.
When an application or service is started, it runs in its own process or private address space. So, each application or service runs in isolation. If you open Task Manager and select the Details tab, a list of processes and associated IDs will be displayed. Even where multiple instances of the same application are running, each instance runs in isolation. Running processes in isolation provides a level of redundancy should an application crash—that is, only that application crashes.
If you right-click a process, you can raise the priority level of the process so that if there are two requests for CPU access, the priority level will determine which process has access to the CPU. You can also set an affinity for an application so that it runs on a specific processor that you designate.
Fundamentals of a Windows Server Infrastructure
Lesson 2
Installing Windows Server
The method by which you install Windows Server 2012 can vary, depending on your individual environment and requirements. This lesson will introduce you to the key installation components and considerations involved with installing Windows Server 2012.
Lesson Objectives
After completing this lesson, you will be able to:
• Identify Windows Server 2012 editions.
• Describe the installation methods.
• Select an installation type.
• Describe what Server Core is.
• Describe the process for installing Windows Server 2012.
• Describe post-installation configuration steps.
• Describe automating the deployment process by using Windows Deployment Services.
Windows Server 2012 Editions
Windows Server 2012 is available in different editions to support various requirements and workload needs. Each edition of Windows Server has different functionality and feature sets. Therefore, it is important to be familiar with the various editions before you deploy Windows Server 2012. The following table lists the Windows Server 2012 editions.

Edition: Windows Server 2012 Standard
Description: Provides all roles and features that are available on the Windows Server 2012 platform. Supports up to 64 sockets and up to 4 terabytes (TB) of RAM. Includes two virtual machine licenses. Suitable where there are low numbers of virtual servers being run.

Edition: Windows Server 2012 Datacenter
Description: Provides all roles and features that are available on the Windows Server 2012 platform. Includes unlimited virtual machine licenses for virtual machines that are run on the same hardware. Supports 64 sockets, up to 640 processor cores, and up to 4 TB of RAM. Suitable where there are lots of virtual machines being run.

Edition: Windows Server 2012 Foundation
Description: Designed for small business owners, allows only 15 users, cannot be joined to a domain, and includes limited server roles. Supports one processor core and up to 32 GB of RAM. Foundation Server is available only through original equipment manufacturers (OEMs). That is, third-party manufacturers ship computers that have this edition, and the edition does not include rights to run virtual machines or to run as a virtual machine in a Standard or Datacenter edition.

Edition: Windows Server 2012 Essentials
Description: An edition of Windows Small Business Server Essentials. Must be a root server in the domain. Is limited to 25 users and 50 devices. Supports two processor cores and 64 GB of RAM. Does not contain all the features and functionality of the Standard and Datacenter editions. For example, the Hyper-V role is not available.
Note: Windows Server 2012 has a more simplified edition set than previous Windows Server versions. Unlike earlier versions of Windows Server, there is no difference in features or functionality between the Standard and Datacenter editions. The difference is only in licensing, related to the number of virtual machines that you can run in Hyper-V. There is no Enterprise edition.

Windows Server 2012 is now licensed in two-processor increments. For example, if you are licensing:
• A two-processor server that has Windows Server 2012 Datacenter Edition, you buy one license.
• A four-processor server that has Windows Server 2012 Datacenter Edition, you buy two licenses.
• An eight-processor server that has Windows Server 2012 Datacenter Edition, you buy four licenses.
Most servers now have multiple processor cores, and two-processor increments are intended to simplify the licensing process. However, if the count does not fill a whole increment, for example three processor cores, you then have to buy the next available increment, which would be two licenses. The Standard and Datacenter editions are the general-purpose deployment. The only differentiator is whether you want to run many virtualized environments.
There are also other function-specific editions of Windows Server 2012 available, such as the following:
• Microsoft Hyper-V Server 2012. Available as a free download that contains just the Hyper-V role and some other virtualization-related functionality, such as failover clustering and storage features. It does not contain other features and functionality present in the Standard and Datacenter editions. Therefore, it has a smaller installation footprint, and also does not include any guest licenses. It is very useful for running Linux virtual machines or in a Virtual Desktop Infrastructure (VDI) environment, where clients and other operating systems are licensed separately.
• Windows Storage Server 2012. This is a storage-specific edition that is available through OEMs only, and is intended as a storage-specific product that supports complex storage requirements, to be run with the third-party manufacturers’ dedicated hardware and drivers.
Note: Windows Server 2012 runs only on x64 processor architecture. Unlike earlier versions of Windows Server, there is no support for x86 or Itanium-based processor architecture.
More information about the differences between the Windows Server 2012 editions can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=266736
Installation Methods
Various methods exist for installing Windows Server. These methods are determined primarily by the media from which the operating system is installed. Depending on your installation scenario and the availability of specific hardware or the degree of physical access to the server, several general methods exist to make sure that Windows Server can be installed in any situation.
• Local media. The standard and simplest method of installing Windows Server 2012 is using local media. Windows Server can be installed locally by using an installation DVD inserted into the DVD drive of the server or run from a USB flash drive attached to the computer.
• Network share. Windows Server 2012 can also be installed from a shared location on the network. This allows for installation on servers where only remote access is available or for servers that do not have a DVD drive or USB ports available to support a local media installation. Network share installations also allow multiple servers to use the same copy of the installation files at the same time, so you do not have to have multiple DVDs or USB flash drives.
• Automated deployment. Deployment refers to an advanced, pre-planned installation of Windows Server 2012, typically done over the network and involving multiple servers. Typically, server deployments will also include a large degree of configuration and automation, requiring less hands-on administration during the installation process. Deployment is typically configured and executed through a dedicated deployment tool or by using answer files.
The following table summarizes considerations for various installation media.

Media: Optical media
Considerations:
• Local media or network share.
• Traditional method, single install method.
• Computer requires access to a DVD drive.
• Typically slower than USB media.
• Media is not writable, so the installation files cannot be customized.

Media: USB
Considerations:
• Local media or network share.
• All computers that have USB drives can start from USB media.
• Media is writable. Can be updated as new software updates and drivers become available.
• Can include an answer file to automate installation.
• USB media and host might require additional steps to enable startup from it.

Media: Mounted International Organization for Standardization (ISO) file
Considerations:
• Local media or network share.
• ISO is the format in which installation files are typically made available from Microsoft.
• With virtualization software, you can mount the ISO image directly and install Windows Server 2012 on a virtual machine. Primarily used with virtualized installations.

Media: Start in virtual hard disk (VHD)
Considerations:
• Can boot directly into a VHD or a VHDX file that has the operating system already installed in it.
• This is known as "native boot" or "boot from VHD."
• VHD/VHDX files are writable, so the installation files can be updated.

Media: Network share
Considerations:
• You can start a server from installation files that are hosted on a network share.
• Slower than Windows Deployment Services.
• If you already have access to DVD or USB media, it is simpler to use those for operating system deployment.

Media: Windows Deployment Services
Considerations:
• Windows Deployment Services allows for multiple concurrent installations of Windows Server 2012 with .wim or .vhd files, multicast network transmissions, the Windows Automated Installation Kit (AIK), and client Preboot Execution Environment (PXE) startups.
There are other automated options to deploy Windows Server 2012, such as Microsoft® System Center Operations Manager and System Center Virtual Machine Manager (VMM). These other options are dedicated Enterprise Server management or Virtualization management products and are not covered in this course. These options allow for multiple servers to be deployed across different environments and allow for customization.
Note: An answer file automates Windows setup. This file enables the configuration of Windows settings, the addition and removal of components, and many Windows setup tasks, such as disk configuration.

Question: Why is it important to be able to change the installation files on a writable media type?
Selecting an Installation Type

New Install
A new install of Windows Server 2012 is typically done when a server is installed to perform a new role on the network or when you do not have to keep any information from the operating system previously installed on the server. A new install involves installing the operating system either onto an empty hard disk or overwriting existing information on a hard disk.

Upgrade
An upgrade installation of Windows Server 2012 involves replacing an existing operating system while preserving the files, settings, and applications that are installed already on the original server. Upgrade installations are typically done when existing system information would be too difficult or time-consuming to re-create or migrate to a new installation of Windows Server 2012.
Note: You can only upgrade to an equivalent or newer edition of Windows Server 2012 from x64 versions of Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, and Windows Server 2003 R2.

Migration
A migration install is characterized by the backing up of data or settings from an existing server installation and erasing or overwriting that server by using a new installation of Windows Server 2012. The backed-up data or settings are then restored to the newly installed server. This kind of migration installation is typically used when the data and settings involved can easily be backed up and you do not have to maintain the complete configuration of the existing server. Or, a migration can also involve the installation of Windows Server 2012 on a new physical server and transferring the settings and applications from the original server to the new one. This method has the benefit of leaving the old server completely intact should the need arise to roll back to the old configuration. Unfortunately, this method also involves a lot of planning to make sure all relevant data from the old server are transferred to the new server.
Note: Use migration when you migrate from an x86 version of Windows Server 2008, Windows Server 2003, or Windows Server 2003 R2 to Windows Server 2012. You can use the Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings.
What Is Server Core
IT administrators have several graphical user interface (GUI) options when they deploy a Windows Server 2012 operating system. There are effectively three states that the server can be in from a GUI point of view, each of which can be applied at any time by using the Add Roles and Features or Remove Roles and Features Wizards in Server Manager. The three states are as follows:
• Server Core. This is a minimal GUI interface with limited GUI components, such as Notepad and Task Manager. This has the smallest footprint of all the installation options and the least amount of GUI components.
• Graphical Management Tools and Infrastructure. This also contains a minimal server interface but has some GUI components to provide some server management UI tools, such as Server Manager and Administrative Tools.
• Server Graphical Shell. Contains the full GUI. This includes Windows Internet Explorer®, File Explorer, and other UI components. This has a larger footprint than the Graphical Management Tools and Infrastructure option.
Reducing the GUI component down to the minimum required to manage the server serves several functions, such as the following:
• Reduced servicing overhead. Fewer updates are required for installation. This means less downtime and less administrative overhead testing and deploying updates, in addition to reduced restart requirements.
• Reduced administrative overhead. Fewer updates means that there will be less administrative overhead testing and deploying updates.
• Reduced resource overhead. Disk space and memory requirements are reduced by removing files that are not needed.
• Reduced attack surface. Fewer files are installed. This means a smaller server install footprint exposed to potential security threats. Also, without a GUI, a local user’s ability to interact with the server is limited.
When installation is complete in a Windows Server 2012 Server Core installation, you will know it is a Server Core installation by the presence of a command-line window without a Start menu or other GUI components visible.
A Windows Server 2012 Server Core installation can be managed locally by using several options, such as the following:
• Command-line tools. Traditional command-line tool commands such as netsh.
• Windows PowerShell®. By typing PowerShell in the command-line tool, you start Windows PowerShell mode and can run Windows PowerShell commands.
• Sconfig. Specific only to Server Core installations, it is a command-line, menu-driven administrative tool that lets you perform most common server administrative tasks with a reduced number of commands.
A Windows Server 2012 Server Core installation can be managed remotely by using the following methods:
• Server Manager. From another Windows Server 2012 server using Server Manager, which allows for remote and multiple server management.
• Remote Server Administrative Tools for Windows 8 (RSAT for Windows 8). By installing the RSAT for Windows 8 and managing from a Windows 8 client.
Note: Windows Server 2012 can only be managed through RSAT on Windows 8. Similarly, Windows Server 2008 can only be managed by using the RSAT on Windows 7 clients. RSAT is version and operating system–specific.
• Windows PowerShell. By using WinRM capabilities, you can remotely manage single or multiple Windows Server 2012 servers by using Windows PowerShell.
• Microsoft Management Console (MMC). By adding the remote server to the individual MMC on another server.
All GUI elements are removed from a Server Core installation except for those in the following list:
• Notepad. Accessed by typing Notepad in the command line.
• Task Manager. Accessed by typing Taskmgr.exe in the command line.
• Registry Editor. Accessed by typing regedit.exe in the command line.
• System information. Accessed by typing Msinfo32.exe in the command line.
Note: In Windows Server 2008, performing a Server Core installation was a one-way event. That is, you could not install the GUI after a Server Core installation and you could not change between the GUI and non-GUI environments. Only in Windows Server 2012 is it possible to add and remove the GUI components as you need. Adding or removing the GUI components requires a restart of the server.

Question: In what situations might a Server Core installation be used instead of a full installation of Windows Server 2012?
Demonstration: What Is Server Core
In this demonstration, you will see how to add and remove the graphical components and be introduced to various administration tools, some of which require a graphical UI. This will help you decide which administration tools you must have to administer the server, and which installation option is best.
Demonstration Steps
1. Open Server Manager.
2. Open the Remove Roles and Features Wizard.
3. Identify the graphical features that can be added or removed.
4. Access Windows PowerShell.
5. Use Windows PowerShell commands to view the Windows features that install or uninstall the GUI components of the server.
6. Switch to the LON-SVR3 virtual machine and, using Windows PowerShell, view the list of installed features.
7. Access the Sconfig tool.
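The three GUI states and the local and remote management paths described in this topic, as an added Windows PowerShell example that is not part of the course material. It assumes an elevated session on Windows Server 2012; Server-Gui-Mgmt-Infra and Server-Gui-Shell are the Windows feature names behind the three states, LON-SVR3 is the lab virtual machine named in the demonstration, and the install.wim path and index are placeholders.

```powershell
# Added example, not course code. Maps the three GUI states onto the two Windows
# features that implement them, and shows the local and remote management paths
# described above. Requires an elevated session. Server Core has the smallest
# attack surface, so GUI components are only added on request.
Import-Module ServerManager

# Server Core                                   : neither feature installed
# Graphical Management Tools and Infrastructure : Server-Gui-Mgmt-Infra only
# Server Graphical Shell                        : both features installed
function Get-GuiState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $features = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -ComputerName $ComputerName
    $infra = ($features | Where-Object { $_.Name -eq 'Server-Gui-Mgmt-Infra' }).Installed
    $shell = ($features | Where-Object { $_.Name -eq 'Server-Gui-Shell' }).Installed
    if ($shell)     { 'Server Graphical Shell' }
    elseif ($infra) { 'Graphical Management Tools and Infrastructure' }
    else            { 'Server Core' }
}

# Reduce a full-GUI server to Server Core: fewer binaries to patch and no local shell
# for an interactive user to browse with. Adding -Remove would also delete the feature
# payload from disk; it is left off so the GUI can be re-added without media.
function Set-ServerCore {
    Uninstall-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Restart
}

# Go the other way (adding GUI components also needs a restart). -Source is only
# consulted if the payload was removed; 'D:\sources\install.wim' and index 4 are
# placeholders and must match the edition shown by 'dism /Get-WimInfo'.
function Add-ManagementGui {
    param([string]$WimSource = 'wim:D:\sources\install.wim:4')
    Install-WindowsFeature -Name Server-Gui-Mgmt-Infra -Restart -Source $WimSource
}

# Remote management over WinRM: list the installed features on the Server Core VM
# from another server. Invoke-Command fans out to several computer names in one call.
function Get-RemoteInstalledFeatures {
    param([string[]]$ComputerName = @('LON-SVR3'))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
    }
}

# Usage: local state, then the remote feature list.
"Local GUI state: $(Get-GuiState)"
Get-RemoteInstalledFeatures | Format-Table -AutoSize
# For an interactive session on the Server Core box, run Enter-PSSession -ComputerName LON-SVR3
# and type sconfig inside it to open the menu-driven tool described above.
```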
Installing Windows Server
There are several general steps that you must follow to install Windows Server 2012. You might see small variations on the following, depending on your specific scenario. However, these steps are generally what you encounter with most installation methods and types.

1. Make sure that the server hardware meets minimum requirements. Windows Server 2012 requires a minimum level of hardware to run correctly. The following table lists the most common basic hardware requirements for a Windows Server 2012 installation:
Component     Minimum required
Processor     1.4 gigahertz (GHz) (64-bit processor)
Memory        512 MB RAM
Disk space    32 GB free space
Note: Minimum requirements are just that: a minimum. In a production environment, the hardware that is used for a server should always be appropriately scaled to meet the resource requirements of the server operating system, installed roles, features, and applications and, typically, future growth.
In addition, specific features might have to be configured on the server hardware to support Windows Server 2012. For example, basic input/output system (BIOS)–level virtualization settings must be enabled for the Hyper-V virtualization role to run.
Also, some hardware that is used during the installation process (typically hard disks) might not have device driver support built into Windows Server 2012. In these cases, the device driver must be preloaded before installation or a copy of the media that contains the driver must be available during installation. Also, make sure that you back up all pertinent data if you are installing Windows Server 2012 in an upgrade or migration scenario.
2. Connect to the installation source, and then run setup.exe.
3. Confirm regional and language settings, such as installation language and time and currency formats.
4. Select Install Now or Repair Your Computer. Use the repair option if your operating system is corrupted and you can no longer start Windows Server 2012.
5. Select the edition to install. The default option is Server Core.
6. Read and accept the license agreement.
7. Select the installation type, either Upgrade or Custom (new installation).
8. Select the installation location. You can also choose to repartition and reformat the disks at that location.
9. Wait for the installation files to install. The computer will restart several times.
10. Provide a password for the administrator. After initial setup is complete, Windows Server 2012 starts for the first time and presents options for additional configuration.
Note: The Windows Server 2012 installation bits you are using in this course are Evaluation, or “Eval”, bits. Therefore, you are not required to insert a product key as part of the installation process. However, for all other bit types, such as Retail or Volume License, you have to insert a product key during setup and activate the software. The product key comes in the format XXXXX-XXXX-XXXX-XXXXX-XXXXX, and will be available through the mechanism by which you obtained the software installation bits. If the software is not activated, there will be reduced functionality and eventually the software will no longer function.
Post-Installation Configuration
After installation, several tasks have to be performed. These include time zone and clock settings, network configuration, setting a unique computer name and domain membership, configuring Windows Update settings, adding server roles and features, changing Remote Desktop settings, and configuring Windows Firewall settings. You use the Local Server node in the Server Manager console to perform the following tasks:
• Activate Windows. You can continue to use Windows Server while it is not activated for a grace period. After this period expires, Windows continues to function. However, the system is then unlicensed.
• Set the time zone. It is important to configure the time zone because many network-related services do not function correctly if the computer clocks of networked computers are too much out of sync.
• Configure the network settings. By default, both IPv4 and IPv6 are configured to obtain an IP address automatically. Most server installations will use static IP address information.
• Configure computer name and domain membership. By default, the computer name is automatically generated. The suggested name might not comply with organizational standards that your organization requires. By default, the computer is assigned membership of a workgroup. In most cases, the computer will have to be joined to a domain.
• Enable automatic updating and feedback settings. By default, automatic updates are disabled and Windows error reporting is turned off.
• Download and install updates. Make sure that the computer is up to date with urgent and security-related updates.
• Add roles. A role refers to the primary function of the server, as enabled by the grouping of features and services that the server administrator specifies. Examples of a server role include Domain Name System (DNS) and Web Server. By default, no roles are installed.
• Add features. Features are independent components that frequently support role services or support the server directly. For example, Windows Server Backup is a feature. By default, no features are installed.
• Enable Remote Desktop. By default, Remote Desktop is disabled in Windows Server 2012.
• Configure Windows Firewall. By default, the computer is connected to a public network location and Windows Firewall is enabled, by using the public location profile.
In a deployment situation, many of these tasks are completed during the deployment process by using answer files.
Note: In a Server Core installation, many GUI elements are removed. Therefore, Server Core post-installation configuration must be done locally by using the command line, the sconfig.cmd tool, or remotely by using MMC on another computer. This additional effort required for configuration makes Server Core installations excellent candidates for using answer files for automated configuration in a deployment scenario.

More information about Windows Deployment Services can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309134
Demonstration: How to Configure a Server after Installation
In this demonstration, you will see how to use Server Manager to configure the following post-installation settings.
Demonstration Steps
1. Set the time zone.
2. Assign IP addressing details.
3. Enable automatic updating.
4. Join the computer to a domain.
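The post-installation tasks listed above, scripted as an added Windows PowerShell example that is not part of the course material and does not reproduce the Server Manager demonstration. It assumes Windows Server 2012 with the NetTCPIP, DnsClient, NetSecurity and ServerManager modules that ship with it; the adapter name, IP addresses, time zone, computer name, domain name and join account are constructed placeholders.

```powershell
# Added example, not course code. Performs the Local Server tasks from the list above
# in one elevated session. Every name and address below is a constructed placeholder.
$AdapterName = 'Ethernet'
$StaticIp    = '192.168.10.20'
$Gateway     = '192.168.10.1'
$DnsServer   = '192.168.10.10'
$TimeZone    = 'GMT Standard Time'
$NewName     = 'LON-SVR-NEW'
$Domain      = 'adatum.com'

# 1. Time zone. tzutil.exe is the built-in tool on Server 2012 (Set-TimeZone arrived later).
tzutil.exe /s $TimeZone

# 2. Network settings: replace the DHCP-assigned IPv4 address with a static one.
$adapter = Get-NetAdapter -Name $AdapterName
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $StaticIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServer

# 3. Automatic updating. The Windows Update Agent COM object is what sconfig drives;
#    NotificationLevel 4 = download and install on the scheduled day and time.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$au.NotificationLevel = 4
$au.Save()

# 4. Remote Desktop: enable it, require Network Level Authentication, open only the
#    built-in firewall rule group rather than the whole profile.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Windows Firewall stays on for every profile. Joining the domain moves the active
#    profile from Public to Domain; it does not switch filtering off.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 6. Roles and features, for example a DNS server together with its management tools.
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 7. Computer name and domain membership. Add-Computer renames and joins in one step;
#    the join account is prompted for rather than stored in the script. Restart last.
$joinCred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $joinCred -Restart
```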
Automating Deployment with Windows Deployment Services
Windows Deployment Services is a set of operating system components that allow for the efficient deployment of several different operating systems. This includes Windows Server 2012. The Windows Deployment Services components can be divided into the following three categories:
• Windows Deployment Services server components. These components reside on a Windows Server 2012 server and are responsible for hosting and sharing the files that you must have for operating system deployment. A Windows Deployment Services server can deploy operating systems to multiple computers at one time.
• Windows Deployment Services client components. The client components run on the computers that the operating system is being deployed to. They enable the computer to communicate correctly with the Windows Deployment Services server and determine which operating systems are available for deployment.
• Windows Deployment Services management components. The Windows Deployment Services management components give administrators the tools necessary to configure and manage a Windows Deployment Services environment, performing tasks such as adding new operating system images and managing Windows Deployment Services configuration settings.
Windows Deployment Steps
A typical Windows Deployment Services deployment of Windows Server involves the following steps:

1. Build image file(s). Windows Deployment Services in Windows Server 2012 uses Windows Imaging Format (WIM) or VHD file types to package operating system files for deployment. Both file types allow for a single file to contain all the information that you must have to deploy one or several versions of an operating system. These images are copied to deployed computers and unpackaged on the computer’s hard disk into a ready-to-run version of the operating system. The operating systems in the following table are supported for deployment with Windows Deployment Services in Windows Server 2012.

Client               Server
Windows XP           Windows Server 2003
Windows Vista® SP1   Windows Server 2008
Windows 7            Windows Server 2008 R2
Windows 8            Windows Server 2012

2. Build unattended answer file(s). Windows Deployment Services lets you automate operating system installation during deployment by using unattended answer files. This provides information to the deployment process about various configuration options available. These files allow an administrator to deploy the operating system without any intervention or manual entry of information during the deployment process. These files can be reused or customized for multiple deployments.
3. Create a deployment transmission. By creating a transmission, the Windows Deployment Services server is advertising to the rest of the network that it has several images ready for deployment.
4. Initiate installation from client. When a computer loads a Windows Deployment Services boot image (typically from DVD or by booting from the network), Windows Deployment Services displays a list of available images for deployment. After an image is selected, the deployment process is initialized and the Windows Deployment Services server begins unpacking the image file onto the new computer.
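The four deployment steps above carried out from the Windows Deployment Services server, as an added example that is not part of the course material. It assumes the WDS role is installed on Windows Server 2012 and uses WDSUtil.exe, DISM and Sysprep; the RemoteInstall path, media folder, image group, image name and answer file path are constructed placeholders.

```powershell
# Added example, not course code. Runs the four deployment steps above from the WDS
# server with WDSUtil.exe, DISM and Sysprep. Paths, group and image names are placeholders.
$RemInst   = 'D:\RemoteInstall'   # WDS share; must sit on an NTFS volume other than the system volume
$MediaRoot = 'D:\Sources'         # copied \sources folder from the Windows Server 2012 media
$Group     = 'WS2012'
$Unattend  = 'D:\Unattend\WDSClientUnattend.xml'

# One-time preparation: create the RemoteInstall share and decide which PXE clients get an
# answer. /AnswerClients:Known limits responses to computers pre-staged in Active Directory,
# so unapproved machines on the network cannot pull an image; All is used here for a lab.
wdsutil.exe /Initialize-Server /RemInst:"$RemInst"
wdsutil.exe /Set-Server /AnswerClients:All

# 1. Build image file(s): see which index in install.wim holds which edition, then import
#    the Windows PE boot image and the install image into an image group.
dism.exe /Get-WimInfo /WimFile:"$MediaRoot\install.wim"
wdsutil.exe /Verbose /Progress /Add-Image /ImageFile:"$MediaRoot\boot.wim" /ImageType:Boot
wdsutil.exe /Verbose /Progress /Add-Image /ImageFile:"$MediaRoot\install.wim" /ImageType:Install /ImageGroup:"$Group"

# 2. Build unattended answer file(s): the WDS client unattend file is stored under the
#    RemoteInstall folder and referenced relative to it. It answers the WDS client screens
#    (language, credentials, disk layout) so nobody types at the console.
New-Item -ItemType Directory -Path "$RemInst\WdsClientUnattend" -Force | Out-Null
Copy-Item -Path $Unattend -Destination "$RemInst\WdsClientUnattend\WDSClientUnattend.xml"
wdsutil.exe /Set-Server /WdsUnattend /Policy:Enabled /File:"WdsClientUnattend\WDSClientUnattend.xml" /Architecture:x64

# 3. Create a deployment transmission: an Auto-Cast multicast starts when the first client
#    asks for the image and lets later clients join in progress. The /Image: value is the
#    image name reported by dism above (placeholder here).
wdsutil.exe /New-MulticastTransmission /FriendlyName:"WS2012 Datacenter" /Image:"Windows Server 2012 SERVERDATACENTER" /ImageType:Install /ImageGroup:"$Group" /TransmissionType:AutoCast

# 4. Initiate installation from client: nothing runs on the server for this step; the client
#    PXE-boots, selects the boot image, then the install image. Confirm the server is ready.
wdsutil.exe /Get-Server /Show:Config

# If a customized reference computer is captured instead of the stock install.wim,
# generalize it first so every deployed copy gets its own SID and out-of-box experience:
#   sysprep.exe /generalize /oobe /shutdown /unattend:C:\Unattend\unattend.xml
```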
Some general tools that can be used or that you might see as part of the Windows Deployment Services process are as follows:
• WDSUtil.exe. Command-line tool that is used for managing your Windows Deployment Services server.
• Sysprep.exe. Command-line tool that reconfigures the installed operating system files so that when the computer is first run, it appears as a new installation to end users.
• Windows PowerShell. Windows PowerShell cmdlets are available for Windows Deployment Services in Windows Server 2012.
• Windows Preinstallation Environment (Windows PE). Provides a basic bootable command-line environment in which you can work.
• Deployment Imaging Servicing and Management (DISM). Allows for creation and manipulation of .wim and .vhd files before deployment.
• Windows System Image Manager (WSIM). Allows for creation and management of answer files.
• OSCDIMG. Command-line tool for creating an image file (.iso) of a customized 32-bit or 64-bit version of Windows PE.
• Volume Activation Management Tool (VAMT). Allows for management of the activation process across multiple image deployments.
• Application and Compatibility Toolkit (ACT). Allows for identification of applications that are potentially incompatible with Windows Server 2012.

Question: In what situations would a Windows Deployment Services server be used by an organization? In what situations would a Windows Deployment Services server not be efficient to implement?
Lesson 3
Configuring Services
In Windows Server 2012, services provide the functionality for the core of the operating system. Services provide the framework on which Windows roles and features are built. Effectively managing these services is critical to the efficient and reliable operation of Windows Server.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a service.
• Configure the startup properties for a service.
• Troubleshoot service issues.
What Is a Service?
In Windows Server 2012, a service or service application is a long-running executable that performs a specific function and requires no user intervention. Where an application might be started and closed many times by a user over any given time, a service will typically remain running for the whole time that the operating system is running, unless directed to do otherwise by the operating system or associated applications. Services typically consist of an executable file and a directory for storing service components.

Service Examples
Services are responsible for most of Windows Server functionality. Some common services and their primary functions are as follows:
• Print Spooler. Loads files to memory for printing.
• Server. Supports file and print sharing over the network.
• Task Scheduler. Enables a user to configure and schedule automated tasks.
• Windows Error Reporting. Enables errors to be reported when programs stop working or responding.
• Windows Time. Maintains date and time synchronization throughout a network.
Note: As a best practice, you should disable all services except those that are required by the roles, features, and applications that are installed on the server.

Service Startup
Unlike applications that are executed by the user on an as-needed basis, the execution of services is controlled by the operating system or related software applications. Each service is initialized at the startup of the computer according to its startup type. Startup types are as follows:
• Automatic. Starts the service at system start.
• Automatic (Delayed). Starts the service on a timed delay from system start. This is used to speed up system startup time in some cases, or to force the service to wait until any services that it depends on have started.
• Manual. Starts a service as required or when it is called from an application.
• Disabled. Prevents a service and its dependencies from running.
You can manage services through the Services console, which is available in Server Manager on the Tools menu. Each service can be configured for different recovery options; for example, the first time that the service fails, just try to restart the service. By default, each service is run by the Local System account. This logon account can be changed to restrict and control service startup.
Demonstration: How to Configure Service Startup
In this demonstration, you will see how to view and configure service startup options by using the Services console within Server Manager.
Demonstration Steps
1. Open the Services tool.
2. Change service settings.
3. View service settings options.
Troubleshooting Services
Because of the important nature of Windows services, service failure or service-related problems can cause various forms of operating instability. These issues have to be diagnosed and resolved quickly in order to maintain consistent system operation. Service failures can be caused by several issues, including the following:
• Service account restrictions. Services run under the context of a Windows account. This determines the level of access that the service and its related functions have in relation to the rest of the system. Usually, the built-in LocalSystem account is used for service execution. This gives a service a high level of access to the rest of the operating system. However, some services will run under a specially configured account known as a service account. This service account is created for the sole use of running the related service and might carry specific security restrictions or dependencies, depending on the nature of the service. Incorrect password settings or overly restrictive service account permissions can cause a service to be unable to start.
Note: It is not uncommon for administrators to forget passwords associated with service accounts, which can lead to significant problems when you upgrade or configure specific services or environments. It is also common for these passwords to be overly simplistic, reused across different servers and services, and never changed. Windows Server 2012 introduced Managed Service Accounts. These are “special” accounts to be used with services where the passwords are automatically changed periodically.
Fundamentals of a Windows Server Infrastructure
1-23
• Service dependencies. Many services run as a solitary application, unrelated to any other services. In other cases, a service might depend on the successful operation of other services to enable it to correctly start. If one of these dependency services fails, it could also cause the dependent service not to start.
• Corrupted or missing files. If the files that you must have for a service’s execution are missing or corrupted, the service might not start or it might behave unpredictably.
Solving Service-Related Issues
Several different methods and tools exist to help with troubleshooting services in Windows Server:
• Safe mode. The safe mode boot feature is available when pressing the F8 key as the operating system starts. Safe mode loads the minimal set of services that are required for the operating system to run and could enable the repair, removal, or disabling of failing services that are preventing Windows from starting correctly.
• Last Known Good Configuration. Also accessed by pressing the F8 key as the operating system starts, Last Known Good Configuration restores operating system settings contained in the registry as they were the last time that the computer started correctly.
• MSConfig.exe. MSConfig, or the Microsoft System Configuration Utility, is a graphically based utility that can be used to change and troubleshoot the Windows startup process. It gives the user a detailed level of control over which aspects of the operating system are enabled when the system starts. It also allows for more specific control over services and the separation of native services from third-party installed services.
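The following Windows PowerShell script is an added example and not part of the course text. It reports the settings the Services console shows for each service (startup type, state, logon account), lists the required services that are not running for any automatic service that failed to start, and then applies the Print Spooler change and a recovery setting from the command line instead of the console. It assumes Windows PowerShell 3.0 or later with Get-WmiObject (as on Windows Server 2012), an elevated session, and WMI access to the target when -ComputerName names a remote server.

```powershell
# Added example, not part of the course text. Audits the settings the Services
# console shows (startup type, state, logon account) and, for automatic services
# that are not running, the required services that are also not running.
# Assumes Windows PowerShell 3.0+ (Get-WmiObject, as on Windows Server 2012),
# an elevated session and, for remote use, WMI/DCOM access to the target.

function Get-ServiceAudit {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_Service exposes StartMode (General tab) and StartName, the logon
    # account (Log On tab); Get-Service alone does not return the logon account.
    foreach ($svc in Get-WmiObject -Class Win32_Service -ComputerName $ComputerName) {
        $unmet = @()
        if ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            # Service dependencies: collect required services that are not running.
            $unmet = @(Get-Service -Name $svc.Name -ComputerName $ComputerName |
                       Select-Object -ExpandProperty ServicesDependedOn |
                       Where-Object { $_.Status -ne 'Running' } |
                       Select-Object -ExpandProperty Name)
        }
        [pscustomobject]@{
            Name              = $svc.Name
            StartMode         = $svc.StartMode                # Auto, Manual, Disabled
            DelayedStart      = [bool]$svc.DelayedAutoStart   # property present from Server 2012
            State             = $svc.State
            LogonAccount      = $svc.StartName                # LocalSystem, NT AUTHORITY\..., DOMAIN\svc
            UnmetDependencies = ($unmet -join ', ')
        }
    }
}

# Review the services with the broadest access: automatic start as LocalSystem.
# Compare the list against the roles and features the server actually needs.
Get-ServiceAudit |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.LogonAccount -eq 'LocalSystem' } |
    Sort-Object Name |
    Format-Table Name, State, DelayedStart, UnmetDependencies -AutoSize

# Automatic services that failed to start, with the dependency that explains it.
Get-ServiceAudit |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Format-Table Name, LogonAccount, UnmetDependencies -AutoSize

# Worked change for a service this server does not need: Disabled stops the
# Print Spooler (and anything that depends on it) from starting after a restart;
# Stop-Service ends the running instance now.
Set-Service -Name Spooler -StartupType Disabled
Stop-Service -Name Spooler -Force

# Recovery options (the Recovery tab) are not exposed by Set-Service; sc.exe
# sets them. Here Windows Time restarts 60 s after a failure and the failure
# count resets after one day (reset= and actions= keep the space after '=').
sc.exe failure W32Time reset= 86400 actions= restart/60000
```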
Lesson 4
Configuring Devices and Device Drivers
Many individual components combine to provide the computer hardware on which Windows Server runs. Disk drives, processors, memory, keyboards, monitors, network adapters, printers, scanners, and many other components play an important role in providing the functionality that you must have for a server to perform its duties.
The correct management and maintenance of these components means that the server components work cohesively to provide correct functionality.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a device.
• Describe typical settings required for a device.
• Describe a device driver.
• Describe driver signing.
• Update a device driver.
• Roll back a device driver.
What Is a Device? A device is a hardware component that performs a specific function and is installed in or attached to a computer. Device functions can be as narrow as that of a computer’s memory, or as diverse as a multifunction printer/copier/scanner. Devices are also connected to the computer in many ways. Many devices attach directly to the computer’s motherboard (for example, processors, memory, and network adapters), whereas some devices (for example, printers, cameras, flash drives, mouse devices, or keyboards) use external connection technologies such as USB or FireWire.
Devices work together to provide a computer’s complete functionality, and a single malfunctioning device can affect the performance of other devices or the computer.
Hardware Settings for Devices For devices to function cooperatively, they must be able to share the computer’s resources and establish methods of communication with other devices. Devices require specific settings that control where and when they communicate with the rest of the computer. These settings must be unique to the device to make sure that one device is not interfering with the functionality of another device. Historically, these settings needed to be configured by the end-user by using the BIOS of the computer, physical switches on the device itself, or special configuration software provided by the device manufacturer. Common device settings include the following:
• Direct memory access (DMA) channel. DMA enables certain devices attached to the computer to directly access the computer’s memory without using the computer’s processor. Typically, each device that uses DMA must have a unique DMA channel assigned to it.
• Interrupt request (IRQ) line. IRQ lines are used to send interrupt requests to a computer’s processor when a device requires processor use.
• Input/Output range. Input/Output range specifies the range of addresses in memory that a device uses to send and receive information between the device and Windows. A device’s input/output range must be unique to that specific device.
• Memory range. Memory range refers to the specific physical memory address in the computer that a device has reserved for its general use. A device’s memory range must be unique to that specific device.
Note: The value for each of these settings for a particular device can be viewed in Device Manager by clicking the Resource tab of the device’s Properties window.
Plug and Play
Although some devices still require manual configuration of hardware settings, most computers and computer devices use Plug and Play technology for device settings. With Plug and Play, new hardware is discovered by the computer after it is installed. The computer, together with the computer’s operating system, automatically assigns and tracks the resources necessary for the device to function, avoiding conflict with other devices already installed in the computer. This functionality eliminates manual device configuration and avoids unintended settings conflicts associated with manual configuration.
Windows Server fully supports Plug and Play devices and drivers. To support Plug and Play, devices must meet the following requirements:
• Be uniquely identified.
• State the services it provides and resources it requires.
• Identify the driver that supports it.
• Allow for software to configure it.
Note: Plug and Play technology has existed for many years. Most current devices support Plug and Play; very few devices still require resource settings to be configured manually.
What Is a Device Driver? A driver is software that enables your computer to communicate with hardware or devices. Without drivers, the hardware that you connect to your computer—for example, a video card or a webcam—will not work correctly. The device driver exposes the capabilities of the device to the operating system so that it can be effectively managed. A device driver is typically specific to an operating system.
Windows Server 2012 provides driver support for most common devices. The drivers for these devices come preinstalled and will automatically install when the device is connected to the computer. If a driver cannot be found within Windows Server 2012 native drivers, Windows Update can be used to search for new or updated drivers. Device drivers can also be obtained from the installation media that was included with the device or from the device manufacturer’s website.
Driver Staging
Additionally, device drivers can be installed into Windows Server 2012 and “staged” for future use. When a driver is staged, the driver files are stored within Windows and treated as part of the original set of drivers native to the operating system. This lets devices that use the driver be recognized immediately and have their driver installed automatically, without requiring user intervention such as specifying a driver location or checking a manufacturer’s website.
Note: Device drivers are built for a specific processor architecture type. 64-bit device drivers will work only on a 64-bit operating system and 32-bit device drivers will work only on a 32-bit operating system. Because Windows Server 2012 supports 64-bit architectures only, 32-bit drivers will not work for devices that are installed on a Windows Server 2012 computer.
Driver Signing
A signed driver is a device driver that includes a digital signature provided from a trusted third-party source. This digital signature acts as an electronic security mark that identifies the publisher of the software and confirms that the contents of the driver package are the original contents and unchanged. If a driver is signed by a publisher, you can be confident that the driver comes from that publisher and is not altered. The benefits of using signed drivers include the following:
• Improved security
• Reduced support costs
• Better user experience
When a device is installed and the device driver specified is digitally signed, Windows will install the driver without requiring user intervention and start the driver after installation. All device drivers that come preinstalled with Windows are digitally signed. If you install a Plug and Play device into your computer, Windows Server 2012 will alert you with one of the following messages if a driver is not signed, if it was signed by a publisher that has not verified its identity with a certification authority, or if the driver was altered since it was released:
• Windows cannot verify the publisher of this driver. This driver either does not have a digital signature, or it is signed with a digital signature that was not verified by a trusted certification authority. You should only install this driver if you obtained it from a reliable source.
• This driver has been altered. This driver was altered after it was digitally signed by a verified publisher. The package might have been altered to include malicious software that could harm your computer or steal information. In rare cases, legitimate publishers do alter driver packages after they are digitally signed. You should only install an altered driver if you obtained it from a reliable source.
• Windows cannot install this driver. A driver that does not have a valid digital signature, or that was altered after it was signed, cannot be installed on 64-bit versions of Windows.
Note: When staging drivers into the Windows Server 2012 and Windows Server 2008 R2 driver store, all staged drivers must be digitally signed. After a device driver package is in the driver store, a standard user on the computer can install its device without needing elevated user permissions. Windows Server 2012 will not load unsigned drivers.
If you have to disable the driver enforcement requirement, you can do so as outlined in the following list. However, you should be aware that the loading and use of unsigned drivers might result in an inability to start or to access devices.
1. Restart the computer and press F8.
2. Select Advanced Boot options.
3. Select Disable Driver Enforcement.
4. Start Windows and uninstall the unsigned driver.
You can add, remove, and enumerate drivers in the driver store by using the PNPUtil.exe utility from the command line, run as administrator. To list third-party drivers in the driver store, run the following command:
pnputil -e
Generally, before you deploy Windows Server 2012, you should make sure that the hardware that you are installing on is certified for use with Windows Server 2012 by the manufacturer. It is an all too common scenario where administrators realize that particular hardware is not supported and there are no drivers available, or that particular functionality that is required is not available because of lack of support. This results in increased cost and management overhead. The Windows Server Catalog helps you verify that specific hardware, or even software, is certified for use with Windows Server 2012.
More information about the Windows Server Catalog can be found at the following webpage: http://www.windowsservercatalog.com
Note: When you manage Windows Server 2012 device drivers remotely by using either Server Manager or RSAT for Windows 8, be aware that remote access to Plug and Play devices was disabled in Windows 8 and Windows Server 2012. This means that remotely managing hardware drivers through the Device Manager GUI management tool is not possible. Remote hardware device driver management has to be done by using Windows Management Instrumentation (WMI) commands or by using Windows PowerShell and the Get-WmiObject cmdlet. You can enumerate and obtain some hardware information by using Windows PowerShell remotely.
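An added example, not part of the course text: a Windows PowerShell report of driver signing state through the Win32_PnPSignedDriver WMI class (which, unlike the Device Manager GUI, works against a remote server), plus a catalog signature check to run on a driver package before staging it with pnputil. It assumes Windows PowerShell 3.0 or later with Get-WmiObject, an elevated session, WMI access to any remote target, and a placeholder package folder path.

```powershell
# Added example, not part of the course text. Reports the signing state of the
# drivers installed on a server, and checks a driver package's catalog before
# the package is staged with pnputil. Assumes Windows PowerShell 3.0+ with
# Get-WmiObject (as on Windows Server 2012), an elevated session and, for
# remote use, WMI/DCOM access to the target; the package path is a placeholder.

function Get-DriverSigningReport {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_PnPSignedDriver carries IsSigned and the Signer name that Device
    # Manager shows as "Digital Signer" on the Driver tab, and WMI works
    # remotely where the Device Manager GUI does not.
    Get-WmiObject -Class Win32_PnPSignedDriver -ComputerName $ComputerName |
        Where-Object { $_.DeviceName } |
        ForEach-Object {
            [pscustomobject]@{
                Device   = $_.DeviceName
                Inf      = $_.InfName
                Provider = $_.DriverProviderName
                Version  = $_.DriverVersion
                IsSigned = [bool]$_.IsSigned
                Signer   = $_.Signer
            }
        }
}

function Test-DriverPackageSignature {
    # Driver files are not signed one by one: the package's .cat file lists
    # their hashes and carries the publisher's signature. Get-AuthenticodeSignature
    # verifies that catalog, and its Status maps onto the Windows messages:
    #   NotSigned / NotTrusted -> "Windows cannot verify the publisher of this driver"
    #   HashMismatch           -> "This driver has been altered" (catalog tampered with)
    #   Valid                  -> OK to stage; Windows checks each file's hash against
    #                             the catalog when the package is installed.
    param([Parameter(Mandatory = $true)][string]$PackagePath)

    $catalogs = @(Get-ChildItem -Path $PackagePath -Filter '*.cat' -Recurse)
    if ($catalogs.Count -eq 0) {
        # No catalog at all: the package cannot be staged on Windows Server 2012.
        return [pscustomobject]@{ Catalog = $null; Status = 'NoCatalog'; Signer = $null; Stage = $false }
    }
    foreach ($cat in $catalogs) {
        $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
        $subject = $null
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Catalog = $cat.Name
            Status  = $sig.Status.ToString()
            Signer  = $subject
            Stage   = ($sig.Status -eq 'Valid')
        }
    }
}

# Drivers on this server (add -ComputerName for a remote one) with no valid
# signature; each one should be traced back to a known vendor package.
Get-DriverSigningReport | Where-Object { -not $_.IsSigned } |
    Format-Table Device, Inf, Provider, Signer -AutoSize

# Stage a new package only when every catalog in it verifies. pnputil -a adds
# it to the driver store; the course's "pnputil -e" lists what is already there.
$pkg = 'C:\Drivers\NewKeyboard'   # placeholder: folder holding the vendor's .inf/.sys/.cat
$verdicts = @(Test-DriverPackageSignature -PackagePath $pkg)
if (@($verdicts | Where-Object { -not $_.Stage }).Count -eq 0) {
    pnputil.exe -a (Join-Path $pkg '*.inf')
} else {
    $verdicts | Format-Table Catalog, Status, Signer -AutoSize
}
```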
Demonstration: How to Update a Device Driver
In this demonstration, you will see how to update a device driver by using Device Manager.
Demonstration Steps
1. Open Device Manager.
2. Update a device driver.
Demonstration: How to Roll Back a Driver
In this demonstration, you will see how to roll back a device driver by using Device Manager.
Demonstration Steps
1. Open Device Manager.
2. Roll back a device driver.
Lab: Installing and Configuring Windows Server® 2012
Scenario
The first task in your new job as junior server administrator is to perform the initial installation and configuration of a new server for the Research and Development (R&D) department. In this instance, the company decided a local media-based installation should be performed. After the installation is complete, you will configure the server’s post-installation settings as per the supplied documentation. Additionally, the startup settings for some services must be configured, and a new device driver must be tested for correct functionality.
Supporting Documentation
Subject: New Server Installation
From: Jim Hance [[email protected]]
Sent: May 1
To: [email protected]
Jeff,
Please use the following information to install the new server for R&D.
Installation options
Language: English
Time and currency format: English (United States)
Keyboard or input method: English (United States)
Product: Windows Server 2012 Datacenter (Server with a GUI)
Administrator password: Pa$$w0rd
Post-installation configuration options
Time zone: (UTC) Dublin, Edinburgh, Lisbon, London
IP address: 172.16.0.30
Subnet mask: 255.255.0.0
Gateway: 172.16.0.1
DNS Servers: 172.16.0.10
Enable automatic Windows Update
Server name: LON-SVR4
Domain name: Adatum.com (use the ADATUM\Administrator account that has a password of Pa$$w0rd when you are prompted for credentials)
Please let Lisa from the Sr. Server Admin team know when you are finished. She’ll finish the configuration and get the server to R&D.
Thanks,
Jim
Objectives
After completing this lab, students will be able to:
• Perform a local media-based installation.
• Configure Windows Server.
• Convert to Server Core.
• Configure services.
• Configure devices.
Lab Setup
Estimated Time: 70 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR4
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: ADATUM
Exercise 1: Performing a Local Media-Based Installation
Scenario
You have to install the new server. The main tasks for this exercise are as follows:
1. Read the server installation instructions
2. Install Windows Server 2012
Task 1: Read the server installation instructions
1. Read the contents of the email message in the lab scenario.
2. Specifically, notice the installation options.
Task 2: Install Windows Server 2012
1. Attach the Windows Server 2012 Installation DVD to LON-SVR4 by using these steps:
   a. Switch to Hyper-V Manager, right-click 10967A-LON-SVR4, and then click Settings.
   b. In the Settings for 10967A-LON-SVR4 dialog box, click DVD Drive in the Hardware pane.
   c. In the DVD Drive pane, select Image file, and then click Browse.
   d. Browse to C:\Program Files\Microsoft Learning\10967\Drives, click WindowsServer2012_Eval.iso, and then click Open.
   e. In the Settings for 10967A-LON-SVR4 dialog box, click OK.
2. Start and connect to the 10967A-LON-SVR4 virtual machine.
3. Install the operating system by using the Installation Options section provided in the email message from Jim Hance.
Note: Setup will continue by copying and expanding files, installing features and updates, and finish the installation. This phase takes about 20 minutes. Your instructor might continue with other activities during this phase.
Results: After this exercise, you should have installed a new Windows Server® 2012 server.
Exercise 2: Configuring Windows Server
Scenario
You are asked to perform post-installation configuration on the recently installed server for the R&D department. Jim Hance has provided some installation requirements. The main tasks for this exercise are as follows:
1. Read the server post-installation configuration instructions
2. Configure post-installation settings
Task 1: Read the server post-installation configuration instructions
1. Read the contents of the email message in the lab scenario.
2. Specifically, notice the post-installation configuration options.
Task 2: Configure post-installation settings
1. If it is necessary, switch to the 10967A-LON-SVR4 virtual machine.
2. Refer to the email message and the post-installation configuration options to:
   a. Configure time zone settings.
   b. Configure networking settings.
   c. Configure automatic updating.
   d. Configure the computer name and domain settings.
Results: After this exercise, you should have configured post-installation settings by using Server Manager.
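As an added example that is not part of the lab, the same post-installation settings from Jim Hance’s email applied with Windows PowerShell rather than Server Manager, which is one answer to the later review question about performing these steps without user intervention. It assumes Windows Server 2012 with PowerShell 3.0, an elevated session on the new server, and a single network adapter named Ethernet.

```powershell
# Added example, not part of the course lab: the post-installation settings
# from the lab email applied with Windows PowerShell instead of Server Manager.
# Assumes Windows Server 2012 (PowerShell 3.0), an elevated session on the new
# server before it joins the domain, and an adapter named "Ethernet".

$InterfaceAlias = 'Ethernet'   # assumption: the adapter name on the new server

# 1. Networking: 172.16.0.30 with a 255.255.0.0 mask (/16), gateway 172.16.0.1,
#    DNS 172.16.0.10. Clear any DHCP-assigned address and default route first so
#    the adapter ends up with exactly one IPv4 address and one default gateway.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress '172.16.0.30' -PrefixLength 16 -DefaultGateway '172.16.0.1' | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses '172.16.0.10'

# 2. Time zone: "(UTC) Dublin, Edinburgh, Lisbon, London" is the Windows time
#    zone ID "GMT Standard Time". tzutil ships with Server 2012; Set-TimeZone does not.
tzutil.exe /s 'GMT Standard Time'

# 3. Automatic Windows Update through the Windows Update Agent COM API.
#    NotificationLevel 4 = download and install on the scheduled day and time.
$au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$au.Settings.NotificationLevel = 4
$au.Settings.Save()

# 4. Computer name and domain join in one operation, then restart. The
#    ADATUM\Administrator password is prompted for, not stored in the script.
$cred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Credential for joining Adatum.com'
Add-Computer -DomainName 'Adatum.com' -NewName 'LON-SVR4' -Credential $cred -Force -Restart
```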
Exercise 3: Convert to Server Core
Scenario
Now that you have configured your Windows Server 2012 installation, you want to remove the GUI components. This will save disk space and improve performance. However, after you remove the GUI, you realize the Devices and Printers interface is not available. This might be needed when you configure the Print Spooler in the next exercise. Therefore, you decide to reinstall the GUI by using Windows PowerShell. The main tasks for this exercise are as follows:
1. Remove GUI from Windows Server 2012 installation
2. Install GUI administrative components in Windows Server 2012 Server Core
Task 1: Remove GUI from Windows Server 2012 installation
1. If it is necessary, switch to 10967A-LON-SVR4.
2. Use Server Manager to remove the Server Graphical Shell and Graphical Management Tools and Infrastructure features.
Task 2: Install GUI administrative components in Windows Server 2012 Server Core
1. Continue to work on 10967A-LON-SVR4.
2. Use the Windows PowerShell Get-WindowsFeature cmdlet to determine the Name of the Graphical Management Tools and Infrastructure component to install.
3. Use the Install-WindowsFeature Windows PowerShell cmdlet to reinstall the GUI administrative management components, Server-Gui-Mgmt-Infra.
4. When the installation is complete, restart the computer by using the Windows PowerShell command Restart-Computer.
5. Verify that the command prompt and Server Manager are displayed. Components such as File Explorer are still not available.
Results: After this exercise, you should have converted from a Full installation to a Minimal Interface installation.
Exercise 4: Configuring Services
Scenario
The new server for the R&D department is installed and configured. Additional changes have to be made to some services to prepare the server for its new role. In order to prevent printers from being installed and used on the server, the Print Spooler service has to be stopped and set to Disabled to prevent it from starting when the server is restarted. There is only one task for this exercise.
Task 1: Configure Print Spooler service settings
1. If it is necessary, switch to the 10967A-LON-SVR4 virtual machine and log in with the user name ADATUM\Administrator and password Pa$$w0rd.
2. Use Server Manager to access the Services console.
3. Configure the Print Spooler service startup option to Disabled.
4. Stop the Print Spooler service.
Results: After this exercise, you should have used Server Manager to change service startup options.
Exercise 5: Configuring Devices
Scenario
A new device driver for the keyboard attached to the R&D server has to be tested for correct functionality before it is configured for permanent use. The current standard PS/2 keyboard will be replaced by a PC/AT Enhanced PS/2 Keyboard. You are asked to make sure that the new PC/AT Enhanced PS/2 Keyboard driver will update correctly. After correct operation is confirmed, you are asked to roll back the driver to the earlier version. The main tasks for this exercise are as follows:
1. Update the standard PS/2 keyboard driver
2. Roll back the driver to its earlier version
3. Revert the lab machines
Task 1: Update the standard PS/2 keyboard driver
1. If it is necessary, switch to the 10967A-LON-SVR4 virtual machine.
2. Open Device Manager from the Computer Management console, and expand Keyboards.
3. Update the Standard PS/2 Keyboard driver to the new PC/AT Enhanced PS/2 Keyboard driver.
4. Restart the computer when you are prompted.
Task 2: Roll back the driver to its earlier version
1. Log on to the 10967A-LON-SVR4 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.
2. Open Device Manager from the Computer Management console, and expand Keyboards.
3. Roll back the driver to the Standard PS/2 Keyboard driver.
4. Restart when you are prompted, and then log on as ADATUM\Administrator with the password of Pa$$w0rd.
5. Verify that you have successfully rolled back the keyboard driver.
Task 3: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR4.
Results: After this exercise, you should have performed update and rollback operations on a device driver.
Question: How could the steps in this lab be performed remotely without the need for user intervention?
Question: When would rolling back a driver not be an effective solution to driver-related problems?
Module Review and Takeaways
Review Question(s)
Question: Why is it potentially more difficult to perform post-installation tasks on a Server Core installation of Windows Server instead of a Server with a GUI?
Question: If you have to troubleshoot system instability, what tool should you use to disable a specific set of services from running at startup?
Question: If a newly installed video adapter device driver is preventing Windows from starting correctly, what tools would you use first to return the system to an operable state?
Question: What factors should be considered when staging drivers in the Windows driver store?
Tools
Tool | Use for | Where to find it
Sconfig | Menu-based administration of Server Core installations. |
Windows Deployment Services | Windows Deployment Services for automated deployment of Windows operating systems. | Server role
Registry editor | Editing settings in the Windows registry. | From the Run prompt: regedit.exe
MSConfig | Editing Windows Server settings and troubleshooting startup issues. | Server Manager, System Configuration
Device Manager | Managing server devices and settings. | Server Manager, Computer Management, Device Manager
Module 2
Implementing Storage in Windows Server
Contents:
Module Overview 2-1
Lesson 1: Identifying Storage Technologies 2-2
Lesson 2: Managing Disks and Volumes 2-10
Lesson 3: Fault Tolerance 2-22
Lab: Implementing Storage in Windows Server 2-29
Module Review and Takeaways 2-34
Module Overview
One of the key components when you plan and deploy Windows Server® is storage. Most organizations require lots of storage because users and applications are constantly working with and creating data. This data is frequently stored in a central location. For example, every email message sent or received uses storage. Every time that a user visits a website, a log is written and storage is consumed. Every time that a user logs on to a server, an audit trail is created in an event log and storage is used. When files are created, copied, or moved, storage is used.
This module will introduce you to different storage technologies, cover how to implement Windows Server storage solutions, and cover how to develop a flexible and responsive storage strategy. Developing a good storage strategy helps avoid unplanned downtime and loss of data. There can also be significant up-front capital costs and later administrative management costs that you should consider before you decide what storage option to select.
Objectives
After completing this module, you will be able to:
• Identify a suitable storage technology.
• Manage storage within Windows Server.
• Implement disk fault tolerance.
Implementing Storage in Windows Server
Lesson 1
Identifying Storage Technologies
2-2
Any server deployment will require storage. There are various kinds of storage, from locally attached to remotely accessed. Remotely accessed storage can be connected in many ways, including Ethernet and fiber-optic cabling. Each storage option has advantages and disadvantages. As you prepare to deploy storage for the server infrastructure, you will have to make some important decisions:
• How fast should information be written to or read from storage?
• How much storage will be needed?
• How important is it that the storage always be available?
• How easy will it be to expand the storage and meet future requirements?
• How will you restore data if it is corrupted or lost?
Lesson Objectives
After completing this lesson you will be able to:
• Describe direct-attached storage (DAS).
• Describe network-attached storage (NAS).
• Describe storage area networks (SANs).
• Describe Fibre Channel SANs.
• Describe Internet Small Computer System Interface (iSCSI) SANs.
What Is Direct-Attached Storage?
Most servers provide built-in storage. This storage is usually dedicated for use by and directly attached to the server. This kind of storage is known as direct-attached storage (DAS). DAS can be disks that are physically located inside the server, such as hard disk drives (HDDs) inside a stand-alone server tower, or external disks that have cabling connecting them to the server. External DAS housing units can contain multiple HDDs connected directly to a computer through a host bus adapter (HBA).
The various kinds of DAS are differentiated by the bus technologies used in their implementation, each with different performance characteristics and, of course, different costs. They are typically named after that bus technology. The following sections describe some of the more typical DAS implementations.
Enhanced Integrated Drive Electronics
Integrated drive electronics (IDE) is a kind of disk-drive interface in which the controller electronics reside on the drive itself. This eliminates the need for a separate adapter card. Drives are usually connected by using a 40-wire or 80-wire cable and only two devices can be chained together at one time. Enhanced integrated drive electronics (EIDE) improves IDE through faster transfer rates and allows for multiple channels, each connecting two devices. EIDE is limited to 128 gigabytes (GB) of storage and 133 megabits per second (Mbps) data rates. EIDE drives are based on standards developed in 1986 and are almost never used in servers today. Serial Advanced Technology Attachment
Serial Advanced Technology Attachment (SATA) is a computer bus technology for connecting the motherboard or device adapters to mass storage devices such as HDDs and optical drives. SATA was developed to replace EIDE and uses the same low-level EIDE commands. However, SATA host adapters and devices communicate through a high-speed serial cable over two pairs of conductors. SATA was introduced in 2003 and has had several revisions to improve performance, as detailed in the following table. Revision
Speed
1
150 megabytes per second (MBps)
2
300 MBps
3
600 MBps
Organizations select SATA drives when they require large amounts of storage, but not high speed performance. SATA drives are typically less expensive than other drive options and are a common bus interface that is used in internal hard disks. External SATA (eSATA) is a variation on SATA, designed to enable high speed access to externally attached SATA drives. Small Computer System Interface
Small computer system interface (SCSI) is a set of standards for physically connecting and transferring data between computers and peripheral devices. SCSI was originally introduced in 1978 and became a standard in 1986. SCSI was developed to take less processing power and perform transactions at increased speeds. SCSI is available in many interfaces. Connector types can have 25, 50, or 86 pins. Over the years, several revisions have been made and SCSI performance has improved. SCSI might also be known by different names. For example, Ultra 640 SCSI, also known as Ultra 5, was introduced in 2003 and can transfer data with speeds up to 640 MBps, by using a bus width of 16 bits. SCSI disks can provide better performance than older SATA disks but are also more expensive. Serial Attached SCSI
Serial-attached SCSI is an additional improvement on the SCSI standard. Serial-attached SCSI depends on a point-to-point serial protocol that replaces the parallel SCSI bus technology. Serial-attached SCSI uses the standard SCSI command set so that it is backward-compatible with second generation SATA drives.
Solid State Drives
Solid-state drives (SSDs) are data storage devices that use solid-state memory to store data instead of using the spinning disks and movable read/write heads that are used in other disks. SSDs use microchips to store the data and contain no moving parts. Therefore, they are less susceptible to failure from being dropped. SSDs provide very fast disk access that uses less power. However, they are also more expensive than other DAS storage options. SSDs typically use the SATA interface. Therefore, you can replace SATA hard disk drives with SSDs without any modification.
Implementing Storage in Windows Server
Note: Another kind of DAS is universal serial bus (USB)–attached storage.
Advantages of DAS
• DAS is connected directly to the server. This makes it easy to deploy and maintain.
• Typically the least expensive storage available today.
• Available with various bus technologies in various speeds and sizes so that you can customize cost for your particular requirement.
• Usually a Plug and Play device that can easily be recognized by the server.
Disadvantages of DAS
• Local server storage is not centralized for users to access.
• Can be more difficult to automate backup and restore strategies across many servers.
• If server power is disrupted, the storage will also be disrupted.
• Can be slower than other storage technologies.
• Shares processing power and memory with the server. This means that disk performance might be slower on a busy server.
• Reliant on software to control the transfer of data. This can mean increased latency.
Note: High-speed transfer rates for individual bus technologies may or may not be achievable in your existing environment. The bus technologies provide for these theoretical transfer rates; however, each component must also support them and not be a limiting factor or bottleneck. For example, disk read and write times, disk controller speeds, and motherboard limitations may or may not support these speeds or even the bus technology. Before you try to implement a particular bus technology in the server environment and a corresponding transfer rate, you should be aware of the components involved in reaching these transfer speeds.
What Is Network-Attached Storage?
Network-attached storage (NAS) is storage that is connected to a dedicated storage device and then accessed over the network. NAS differs from DAS in that the storage is not directly attached to each server, but can be accessed over the network by many servers. Each NAS device has a dedicated operating system that completely controls the data access on the device. This reduces the overhead associated with sharing the storage device with other server services. An example of NAS software is Windows® Storage Server.
To enable NAS storage, you must have a storage device. Frequently, these devices are appliances that have no server interfaces such as keyboards, mouse devices, and monitors. Instead, to configure the device, you access the device over the network and provide a configuration. Configuring the device includes creating network shares on the device. Users can then access the device on the network by using the NAS and the share created.
Fundamentals of a Windows Server Infrastructure
Advantages of NAS
• A good mid-priced solution for mid-sized businesses.
• Provides performance and productivity gains over DAS because the NAS device is dedicated completely to the distribution of files.
• Simple and cost-effective way to achieve fast data access for multiple clients at the file level.
• NAS storage capacity is usually much larger than DAS storage capacity.
• Offers a single location for all files.
• Provides a Plug and Play solution that is easy to install, deploy, and manage, with or without information technology staff.
• In summary, NAS offers centralized storage at an affordable price.
Disadvantages of NAS
• NAS is not an enterprise storage solution. This means less reliability, more possibility of data loss, and slower performance than the enterprise storage solutions discussed in the next topic.
• Reliant on software to control the transfer of data. This can mean increased latency.
• NAS cannot and should not be used with data-intensive applications such as Microsoft® Exchange Server and Microsoft SQL Server®.
More information about Windows Storage Server can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=199647
What Is a Storage Area Network?
A storage area network (SAN) is a specialized high-speed network that connects computer systems, or host servers, to high-performance storage subsystems. A SAN usually includes various components such as HBAs, switches to route traffic, and storage disk arrays with logical unit numbers (LUNs). A LUN is a logical reference to a part of a storage subsystem. For example, in a disk storage subsystem, a LUN can consist of a disk, a section of a disk, a whole disk array, or a section of a disk array in the subsystem.
A SAN enables multiple servers to access a pool of storage in which any server can potentially access any storage unit. A SAN uses a network, such as a local area network (LAN). So you can use a SAN to connect many devices and hosts and provide access to any device from anywhere. Unlike DAS or NAS, a SAN is controlled by a hardware device and does not rely on software to provide access to storage.
Advantages of SAN
• Block level read and write access. SAN technologies provide faster data access by reading and writing at the block level. For example, with most DAS and NAS solutions, if you write an 8-GB file, the whole file has to be written and its checksum calculated; with SAN, the file will be written based on the block size the SAN is configured for.
• Centralization of storage into a single pool. This enables storage resources and server resources to grow independently. It also enables storage to be dynamically assigned from the pool when it is required. Server storage can be increased or decreased without complex configuration or cabling of devices.
• Common infrastructure for attaching storage. This enables a single common management model for configuration and deployment of storage.
• Storage devices that are shared by multiple systems.
• Data transfer directly from device to device without server intervention.
• Data access through hardware instead of software.
• Can be implemented by using many technologies. The most common options are Fibre Channel and iSCSI. These technologies are described in the next topics.
• A high level of redundancy. Most SANs are deployed with multiple network devices and paths through the network. Also, each storage device contains redundant components such as power supplies and hard disks.
Disadvantages of SAN
• The main drawback to SAN technology is that it frequently requires management tools and special knowledge. This is because of the complexity of the configuration.
• In order to manage a SAN, not only do you have to understand the command-line utilities, but you also have to understand the underlying technology. For example, the LUN setup, the Fibre Channel back-end, and the block sizing.
• SANs can be expensive. An entry-level SAN can frequently cost as much as a fully loaded server that has DAS or even a NAS device. SAN disks and configuration are usually not included in the price.
• Each storage vendor frequently implements SANs with different tools and features. Because of this, organizations frequently require dedicated personnel to manage the SAN deployment.
What Is a Fibre Channel SAN?
Fibre Channel is a bus technology that is used primarily with SANs. It can work with several different protocol types, such as IP and SCSI. This enables it to merge the highest performing bus protocols into a single high-speed technology. Some people might incorrectly interpret Fibre Channel to mean that it is a fiber-optic technology. However, it can be used on either copper or fiber-optic cabling. With copper cabling, it can operate up to approximately 30 meters. With fiber-optic cabling, depending on the light wavelengths used, it can function over distances of 10 kilometers (km).
Fibre Channel is usually found in speeds of 1, 2, or 4 gigabits per second (Gbps) and can operate in point-to-point scenarios or over switches or looped networks. Fibre Channel SAN components include the following:
• Interface cards. Specialized interface cards that connect the servers to the SAN. These devices, known as Host Bus Adapters (HBAs), enable the server to communicate with the storage device across the SAN.
Note: iSCSI SANs can also use HBAs. Each kind of HBA is specific to the technology that is used to access the storage device.
• Specialized network switches. These switches route SCSI commands.
• Dedicated cabling. All network connections between the servers and the storage device use cables. These cables can be twisted-pair copper or fiber-optic cable. Also, with the emergence of gigabit Ethernet networks, Fibre Channel over Ethernet (FCoE) is now a good option that is gaining popularity; it runs over Ethernet networks that can support speeds up to 1 Gbps, or 1,000 Mbps.
• Storage device(s). SANs require one or more dedicated storage devices. Frequently, these devices can contain hundreds of disks and store multiple terabytes of data.
• LUNs. In most cases, servers are given access to only a small part of the storage available on the storage device. To implement this storage solution, the storage available is divided into smaller pieces and then exposed to the servers through a LUN. On the server, each LUN is displayed as an attached drive.
Multipath I/O
SANs are typically implemented because of a high-availability requirement. In most cases, you will deploy multiple HBAs on each server that is connected to a SAN, and connect the HBAs to two separate Fibre Channel networks. This means that the storage will still be available if one of the networks fails. To simplify the implementation of this solution for storage vendors, Microsoft provides a generic storage driver that uses multipath I/O (MPIO). MPIO provides the following:
• Dynamic configuration and replacement of devices. In order to support multiple paths to the same storage device, the operating system must be able to dynamically discover and configure adapters that are connected to the same storage media.
• Generic device-specific module. Microsoft supplies a generic device-specific module (DSM) that interacts with the multipath bus driver on behalf of the storage device.
• Dynamic load balancing. The multipath software enables you to distribute input/output (I/O) transactions across multiple adapters. The DSM is responsible for the load-balancing policy for its storage device.
• Fault tolerance. Multipath software can function in a fault-tolerant mode in which only a single channel is active.
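The following script is an added example that is not part of the courseware. It shows how the MPIO feature and the Microsoft DSM described above are enabled and verified from Windows PowerShell on a Windows Server 2012 host. The vendor and product ID strings are placeholders; the feature name, MPIO module cmdlets and the MPIO_DISK_INFO WMI class are standard Windows components, and the policy values RR (round robin) and FOO (fail-over only) map to the load-balancing and single-active-channel modes in the list above.

```powershell
# Added example (not from the courseware): enable Multipath I/O on Windows
# Server 2012 and let the Microsoft DSM claim multipathed disks. Run elevated.
# The feature install requires a restart before the MPIO cmdlets are usable.

# 1. Install the Multipath-IO feature if it is not already present.
$feature = Get-WindowsFeature -Name Multipath-IO
if (-not $feature.Installed) {
    Install-WindowsFeature -Name Multipath-IO
    Write-Warning "Multipath-IO installed; restart the server, then rerun this script."
    return
}

# 2. Claim iSCSI-attached disks automatically with the Microsoft DSM.
#    Fibre Channel arrays are claimed by vendor/product ID instead (step 3).
Enable-MSDSMAutomaticClaim -BusType iSCSI

# 3. List hardware that MPIO can see but has not yet claimed, then add the
#    array explicitly. VENDORID/PRODUCTID are placeholders: copy the exact
#    strings reported by Get-MPIOAvailableHW for your array.
Get-MPIOAvailableHW
# New-MSDSMSupportedHW -VendorId 'VENDORID' -ProductId 'PRODUCTID'

# 4. Default load-balancing policy for newly claimed devices.
#    RR  = round robin across all active paths (dynamic load balancing)
#    FOO = fail-over only, one active path (the fault-tolerant mode above)
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR

# 5. Verify: claimed hardware IDs, and the number of paths behind each
#    multipathed disk. A disk showing a single path has no redundancy.
Get-MSDSMSupportedHW
Get-WmiObject -Namespace root\wmi -Class MPIO_DISK_INFO |
    ForEach-Object { $_.DriveInfo } |
    Select-Object Name, NumberPaths, SerialNumber
```

Run the last query again after pulling one cable or disabling one HBA port during a maintenance window: NumberPaths should drop by one and the disk should stay online, which confirms that the second Fibre Channel network actually carries traffic.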
There are other implementations of Fibre Channel, such as the following:
• Fibre Channel over Ethernet (FCoE). Instead of the traditional dedicated Fibre Channel networks used in Fibre Channel SANs, the emergence of gigabit Ethernet networks and FCoE allows a Fibre Channel storage system to run over an existing Ethernet network. FCoE can support speeds up to 1 Gbps, or 1,000 Mbps.
• Fibre Channel over IP (FCIP). Uses an IP tunneling technology to enable geographically dispersed Fibre Channel storage systems to communicate over IP networks.
• Internet Fibre Channel Protocol (iFCP). Uses IP to control the routing and switching requirements over the Internet to enable geographically dispersed Fibre Channel storage systems to communicate over the Internet.
The Fibre Channel Industry Association (FCIA) defines and provides future direction for Fibre Channel technology. More information about FCIA can be found at the following website. http://www.fibrechannel.org/
What Is an iSCSI SAN?
A second option for implementing SANs is to use iSCSI. iSCSI transmits SCSI commands over IP instead of Fibre Channel. iSCSI carries standard SCSI commands over IP networks to enable data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over LANs, wide area networks (WANs), or even over the larger Internet.
iSCSI relies on standard Ethernet networking, and requires no specialized hardware such as HBAs or Fibre Channel network switches. iSCSI uses TCP/IP (typically TCP ports 860 and 3260). Basically, iSCSI enables two hosts to negotiate and then exchange SCSI commands by using an existing network. By doing this, iSCSI takes a popular high-performance local storage bus and emulates it over WANs, creating a SAN. Unlike some SAN protocols, iSCSI requires no dedicated cabling. It can be run over existing switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be severely decreased when a dedicated network or subnet is not used. iSCSI is frequently seen as a low-cost alternative to Fibre Channel, because it does not require dedicated infrastructure.
Note: Although you can use a standard network connection to connect the server to the iSCSI storage device, you can also use dedicated HBAs or dedicated network adapters.
An iSCSI SAN deployment requires the following components:
• IP network. You can use standard network interface adapters and standard network switches to connect the servers to the storage device. In order to provide sufficient performance, the network should provide speeds of at least 1 Gbps and should provide multiple paths through the network.
• iSCSI targets. iSCSI targets are located on the storage device and are used to enable access to the storage by presenting or advertising it. Many storage vendors implement hardware-level iSCSI targets as part of their storage devices. Other devices or appliances, such as Windows Storage Server devices, implement the iSCSI target by using software. Windows Server 2012 provides the iSCSI target as part of the operating system.
• iSCSI initiators. iSCSI initiators run on the servers that want to connect to the storage device. All versions of Windows Server since Windows Server 2008 provide the iSCSI initiator as a standard component and can connect to iSCSI targets.
• iSCSI qualified name (IQN). IQNs are globally unique identifiers that are used to address initiators and targets on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for the iSCSI initiators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the iSCSI targets.
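The following script is an added example, not from the courseware, that walks through the four components just listed on Windows Server 2012: the iSCSI Target Server role service on the storage side, a target restricted to one initiator IQN, and the built-in initiator on the server side. The IQN, virtual disk path, portal address and CHAP values are constructed placeholders. The IQN is an address, not a secret, so the target is also given a CHAP secret; otherwise any host on the storage subnet that learns the IQN could present itself as the allowed initiator.

```powershell
# Added example (not from the courseware). Part 1 runs on the storage server,
# part 2 on the server that consumes the storage. All names are placeholders.

# ---- Part 1: target server (Windows Server 2012, iSCSI Target Server) ----
Install-WindowsFeature -Name FS-iSCSITarget-Server

$diskPath     = 'C:\iSCSIVirtualDisks\Data1.vhd'                       # constructed
$initiatorIqn = 'iqn.1991-05.com.microsoft:fileserver1.contoso.com'   # constructed

# Backing store: a fixed-size VHD exposed as a LUN.
New-IscsiVirtualDisk -Path $diskPath -SizeBytes 20GB

# Target that only the named initiator IQN is allowed to log on to.
New-IscsiServerTarget -TargetName 'Data1' -InitiatorIds "IQN:$initiatorIqn"
Add-IscsiVirtualDiskTargetMapping -TargetName 'Data1' -Path $diskPath

# Require one-way CHAP so the IQN alone is not enough to attach the LUN.
# Get-Credential prompts for the CHAP user name and a 12-16 character secret.
$chap = Get-Credential -Message 'CHAP user name and secret for target Data1'
Set-IscsiServerTarget -TargetName 'Data1' -EnableChap $true -Chap $chap

# ---- Part 2: initiator server (Windows Server 2008 or later) ----
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# This host's own IQN: give this value to the target administrator for step 1.
(Get-InitiatorPort).NodeAddress

# Portal on the dedicated storage subnet (address is a placeholder).
$portal = '10.0.0.50'
New-IscsiTargetPortal -TargetPortalAddress $portal

# Discover the target, log on with CHAP, and make the session persistent so it
# is re-established at boot.
$target = Get-IscsiTarget | Where-Object NodeAddress -like '*data1*'
Connect-IscsiTarget -NodeAddress $target.NodeAddress -TargetPortalAddress $portal `
    -IsPersistent $true -AuthenticationType ONEWAYCHAP `
    -ChapUsername 'chapuser' -ChapSecret 'placeholder-secret'

# Verify the session and locate the new disk, which can then be initialized.
Get-IscsiConnection
Get-Disk | Where-Object BusType -eq 'iSCSI'
```

On the target server, Get-IscsiServerTarget shows the InitiatorIds and whether CHAP is enabled for each target; an entry with an empty initiator list is reachable by every host that can route to TCP port 3260, which is the configuration to watch for when reviewing a deployment.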
Lesson 2
Managing Disks and Volumes
After you identify your storage technology, the next step is to determine how to manage the storage. Administering storage includes deciding how disks and volumes will be configured, and what kind of file system you will use. Ask yourself the following questions:
• Will the disk size be fixed or dynamically adjusted to the data amount?
• Will all the disks be allocated the same amount of storage space?
• Will the kind of file system be the same for all disks?
Questions such as these will help determine a storage management strategy.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe partition tables.
• Describe basic and dynamic disks.
• Describe and select file systems.
• Describe the different kinds of virtual hard disk (VHD) drives.
• Describe mount points and links.
• Create and manage volumes.
• Describe storage quotas.
• Create a quota by using File Server Resource Manager (FSRM).
What Are Partition Tables?
A partition table, also known as a partition style, is a section of a hard disk that contains information about how the disk is organized. The partition table is divided into sections and sizes. It allows the computer to find data on the disk by knowing where partitions begin and end. When data is read from or written to a disk by the computer, the partition table allows for the data to be read and written to the correct locations. Disk partitioning is an important part of disk configuration; any corruption to the table could lead to significant data recovery problems. Its structure follows an industry standard, and it is independent of the operating system. It also contains information about whether the partition is a system partition. This is used for computer startup.
Note: System partitions can contain files that are used for startup. Boot partitions contain operating system files but contain no files that are used during the startup process.
When you add a new clean hard disk to your Windows Server 2012 server—whether you use SATA, SCSI, VHD, or something else—before you can use or manage the hard disk, the first task that has to be done is to initialize the disk. After you initialize the disk, you can start to configure the disk as you need, creating volumes, partitions, and so on. You can initialize the disk by opening Disk Manager, right-clicking the disk that has just been attached, and selecting Initialize Disk. When the Initialize Disk dialog box appears, you have to make two more decisions.
• Which disk should be initialized: Disk 1, 2, 3, and so on? This should be a straightforward decision.
• What partition style do you want to use with the disk? There are two kinds: master boot record (MBR) and GUID partition table (GPT). Which option you select depends on several factors. These factors are explained in the following sections.
MBR
The MBR partition table format is the general standard partitioning model that has been used in computers for a long time. The MBR partition table format has the following characteristics:
• A disk supports no more than four primary partitions. You can have additional divisions on the disk, but this involves creating an extended partition within which logical drives are then created.
• A partition can have no more than 2 terabytes (TB).
• If you initialize a disk larger than 2 TB by using MBR, the disk is only able to store volumes up to 2 TB and the rest of the storage will not be used.
• Data cannot be written across multiple disk MBRs. For example, you cannot use striping or mirroring to provide redundancy.
GPT
The GPT is a newer table format that tries to overcome some limitations of MBR, and to address larger disks. GPT has the following characteristics:
• GPT supports no more than 128 partitions per drive.
• A partition can have up to 8 zettabytes (ZB).
• A hard disk can have up to 18 exabytes (EB), with 512 kilobytes (KB) logical block addressing (LBA).
• To start from a GPT partition table, the basic input/output system (BIOS) must support GPT.
You can convert from MBR to GPT table types or vice versa. However, this is only enabled on empty disks. Converting partition table types will result in the loss of all data on the disk. There are additional ways to view and specify partition tables outside Disk Manager. These include the following:
• Diskpart. This is a Command Prompt utility used to configure disks. When you run Diskpart, the Command Prompt takes the focus so that you can type additional Diskpart commands.
To view the help associated with the convert command, type the following command.
help convert gpt
Or type the following.
help convert mbr
Type exit to leave the Diskpart utility.
• Windows PowerShell®. Windows PowerShell provides dedicated commands to view and configure partition tables that are part of the Storage module.

Windows PowerShell Cmdlet                       Description of Use
Get-Disk | FL                                   Displays the properties of all disks installed on the host computer and formats the output into a list. You can view the partition table type under the PartitionStyle property.
Initialize-Disk –Number 4 –PartitionStyle MBR   Initializes Disk 4 and specifies an MBR-type partition table.
Get-Command –Module Storage                     Lists all available cmdlets in the Storage module.
More information about MBR can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309135
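The following script is an added example, not from the courseware, that applies the Storage module cmdlets from the table above to the decisions described in this topic: it inventories every disk with its partition style, flags MBR disks whose size exceeds the 2 TB limit (the capacity beyond 2 TB is simply unusable), and initializes any uninitialized (RAW) disk as GPT with a single NTFS partition. The disk number 4 in the commented conversion lines is a placeholder.

```powershell
# Added example (not from the courseware). Inventory disks, flag MBR disks that
# cannot use all of their capacity, and initialize new raw disks as GPT.
# Run elevated on Windows Server 2012 (Storage module).

$mbrLimit = 2TB   # MBR cannot address space beyond 2 TB, as stated in the text

# 1. Inventory: number, size, partition style and whether capacity is lost.
Get-Disk | ForEach-Object {
    [pscustomobject]@{
        Number          = $_.Number
        FriendlyName    = $_.FriendlyName
        SizeGB          = [math]::Round($_.Size / 1GB, 1)
        PartitionStyle  = $_.PartitionStyle      # RAW, MBR or GPT
        IsOffline       = $_.IsOffline
        MbrCapacityLost = ($_.PartitionStyle -eq 'MBR' -and $_.Size -gt $mbrLimit)
    }
} | Format-Table -AutoSize

# 2. Initialize every RAW disk as GPT, bring it online and writable first,
#    then create one partition over the whole disk and format it NTFS.
#    -Confirm:$false suppresses the format prompt; omit it to review each disk.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' | ForEach-Object {
    Set-Disk -Number $_.Number -IsOffline $false
    Set-Disk -Number $_.Number -IsReadOnly $false
    Initialize-Disk -Number $_.Number -PartitionStyle GPT
    New-Partition -DiskNumber $_.Number -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data$($_.Number)" -Confirm:$false
}

# 3. Converting an existing disk between MBR and GPT is only possible once it
#    holds no partitions. Clear-Disk -RemoveData destroys everything on the
#    disk, which is the data loss the text warns about; hence left commented.
# Clear-Disk -Number 4 -RemoveData -Confirm:$false
# Set-Disk  -Number 4 -PartitionStyle GPT

# 4. Confirm the result for the disks just touched.
Get-Disk | Select-Object Number, PartitionStyle, OperationalStatus | Format-Table -AutoSize
```

The inventory in step 1 is worth keeping as a scheduled report: a disk that appears with PartitionStyle RAW on a server that was fully provisioned is either newly presented storage (for example a new LUN) or a disk whose partition table has been damaged, and both cases deserve a look before anything initializes it.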
Basic Disks vs. Dynamic Disks
Basic disks are an older, simpler disk format. Dynamic disks provide additional functionality, such as the ability to create volumes that span multiple disks, to support striping, and the ability to create fault-tolerant volumes to allow for mirroring. Both basic and dynamic disks can use either MBR or GPT partition table types. By default, when you initialize a disk in Windows Server 2012 it creates a basic disk. You can view the disk type in the Disk Management console. Alternatively, right-click the disk in question, choose Properties, and then navigate to the Volumes tab, which also specifies the disk type, dynamic or basic.
There is no performance gain from converting basic disks to dynamic disks, and some applications may not be able to access data stored on dynamic disks. The main difference between basic and dynamic disks is really the scalability and the ability to configure and manipulate the disk volumes to a greater extent on dynamic disks.
Basic Disk
Most personal computers use basic disks because they are the simplest and easiest to manage. A basic disk can have up to four primary partitions, or three primary partitions, one extended partition, and multiple logical drives.
• Primary partition. A kind of partition created on basic disks that can host an operating system and functions as if it were a physically separate disk. A primary partition has a file system with a drive letter assigned to it.
• Extended partition. A kind of partition where you can create one or more logical drives within the extended partition. Extended partitions are useful if you want to create more than four volumes on a basic disk.
• Logical drive. A disk that you create in an extended partition. You can create an unlimited number of logical drives per disk. A logical drive can be formatted and assigned a drive letter.
Basic disks also support disk types such as USB disks or VHD files.
Dynamic Disk
A dynamic disk can contain simple volumes, spanned volumes, striped volumes, mirrored volumes, and redundant array of independent disks (RAID)–5 volumes. It is only possible to create a dynamic disk on fixed disks. However, you can convert USB disks and dynamically expanding VHDs to dynamic disks.
Dynamic disks use a data repository to track information about the dynamic volumes on the disk. The repository also contains information about other dynamic disks in the computer. Each dynamic disk in a computer contains a replica of the dynamic disk database. Therefore, a corrupted dynamic disk database on one dynamic disk can be repaired by using the database on another dynamic disk. The location of the database is determined by the partition style of the disk. On MBR partitions, the database is contained in the last 1 megabyte (MB) of the disk. On a GPT partition, the database is contained in a 1 MB reserved (hidden) partition.
Note: Some IT professionals use the terms partition and volume interchangeably. However, it is more correct to refer to partitions on basic disks and volumes on dynamic disks.
A volume is a storage unit made from unallocated space on one or more disks. It can be formatted with a file system and can be assigned a drive letter or configured by using a mount point.
• Simple volumes. A simple volume uses unallocated space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
• Spanned volumes. A spanned volume is created from free disk space that is linked from multiple disks. You can extend a spanned volume to no more than 32 disks. Windows Server fills the spanned volume by filling all the space on the first disk and then filling each of the additional disks in turn. This means that if you lose a disk, you lose the whole spanned volume.
• Striped volumes. A striped volume is a volume where data is spread across two or more physical disks. The data on this kind of volume is allocated alternately and evenly to each of the physical disks. This process is known as striping or RAID-0. A striped volume cannot be extended and is not fault-tolerant. If a single physical disk in the striped volume fails, the whole volume is lost.
• Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended and is also known as RAID-1.
• RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the part of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
Basic disks can easily be converted to dynamic disks without any loss of data. However, converting a dynamic disk to a basic disk means that all data on the disk will be lost.
Required Disk Volumes
Regardless of which kind of disk that you use, you must configure a system volume and boot volume on one of the hard disks in the server.
• System volumes. The system volume contains the hardware-specific files that are needed to load Windows. For example, Bootmgr, BOOTSECT.bak, and Boot Configuration Data (BCD). The system volume can be, but does not have to be, the same as the boot volume.
• Boot volumes. The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.
More information about how basic disks and volumes work can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=199648
Selecting a File System
After you have initialized a disk and have decided to allocate a specific part of the disk to a specific volume type, you have to decide what file system you will use on the volume, or partition. A file system is used to organize and store data on a hard disk. Windows Server 2012 has five file system options:
• File Allocation Table (FAT)
• FAT32
• Extended File Allocation Table (exFAT)
• NTFS
• Resilient File System (ReFS)
In addition to deciding what file system to use, you can also decide the cluster or allocation unit size. This can be manually or automatically configured, but you should understand the concepts and the potential performance issues associated with those decisions.
Cluster/Allocation Unit Size
A sector is the smallest amount of data that can be written to a physical disk. The sector size is determined by the manufacturer and although it can vary, it is typically 512 bytes. However, allocating space on a disk to files and data one 512-byte sector at a time would be a significant overhead for the disk, and increasingly so as the disk size becomes larger. Therefore, the disk uses clusters or allocation units. This allocates groups of contiguous sectors as needed instead of sectors being allocated individually.
You should be aware that the size of the allocation unit can have a direct effect on performance. If, for example, a disk has a sector size of 512 bytes and an allocation unit size of 4,096 bytes (4 KB), this means that sectors are allocated in groups of eight. If you have a 4,100-byte file, it will be allocated two clusters—that is, 16 sectors—and a large part of the second cluster will be unused space. Also, as files become larger and are deleted and moved, allocation units can be written to various parts of the disk. This results in what is known as fragmentation. Generally, larger allocation unit sizes reduce the potential for fragmentation. However, they then potentially increase the unused space in the allocation unit.
File Allocation Table
FAT is the simplest of the file systems supported by Windows. There is no organization to the FAT directory structure, and files are given the first open location on the drive. A disk formatted with FAT is allocated in clusters, or allocation units, whose sizes are dependent on the size of the volume. When a file is created, the first cluster number that contains data is established. An entry is made in the FAT table to indicate whether this is the last cluster for the file, or to point to the next cluster.
To protect the volume, two copies of the FAT table are kept in case one becomes damaged. In addition, the FAT tables and the root directory must be stored in a fixed location so that the system's boot files can be located.
• FAT. Also known as FAT16. Can only access partitions less than 2 GB in size.
• FAT32. An improvement over FAT. Supports partitions up to 2 TB. FAT32 supports smaller cluster sizes than FAT. This results in more efficient space allocation on FAT32 volumes.
• exFAT. A Microsoft file system optimized for flash drives. exFAT can be used where NTFS is not a solution, or where the FAT32 file size limits are unacceptable, for example a disk that is greater than 2 TB. This could be the case with Media Centers, for example.
FAT does not provide any security for files on the partition and as such you shouldn’t use FAT or FAT32 as the file system for disks attached to a Windows Server. The primary scenario for use of FAT is in relation to flash drives or external media.
NTFS
NTFS is the standard file system for all Windows operating systems starting with Windows NT Server 4.0.
NTFS has several improvements over FAT, such as improved support for metadata and advanced data structures to improve performance, reliability, and disk space use. NTFS also provides a much better level of security than FAT or FAT32. NTFS supports security access control lists (ACLs). This allows for auditing, file system journaling, and encryption.
NTFS is required for several Windows Server roles and features, such as Active Directory® Domain Services, Volume Shadow Copy Service (VSS), Distributed File System (DFS), and File Replication Service (FRS). You should always use NTFS for all hard disks connected to Windows Server or Windows client computers.
ReFS
ReFS is a new file system that is built in to Windows Server 2012. ReFS is based on the NTFS file system, and provides the following advantages:
• Metadata integrity with checksums.
• Expanded protection against data corruption.
• Maximizes reliability, especially during a loss of power (whereas NTFS is known to experience corruption in similar circumstances).
• Supports a maximum file size of 16 EB.
• Supports a single volume size of 2^78 bytes.
• Supports 2^64 files in a directory.
• Storage pooling and virtualization. This makes creating and managing file systems easier.
• Data striping for performance (bandwidth can be managed).
• Redundancy for fault tolerance.
• Disk scrubbing for protection against latent disk errors.
• Resiliency to corruptions with recovery for maximum volume availability.
• Shared storage pools across machines for additional failure tolerance and load balancing.
• You cannot run the chkdsk utility on ReFS because error checking and auto fixing is built in to the file system. Therefore, it is not needed.
ReFS does not support all functionality currently available in NTFS. Some items not supported on ReFS include the following:
• File compression
• Disk quotas
• Encrypting File System (EFS) encryption
• Short file names
ReFS is recommended only for use with large volumes on Windows Server 2012 servers. A ReFS-formatted drive is not recognized by computers that are running Windows Server operating systems before Windows Server 2012. Also, it is possible to shrink or extend NTFS volumes, whereas it is only possible to extend ReFS volumes, not shrink them. NTFS should still be used as the default file system for general purpose use on Windows Server 2012.
Question: What file system do you currently use on your file server? Will you continue to use it?
What Are Virtual Hard Disks?
A virtual hard disk (VHD) is a non-physical disk type that is presented to and used by the operating system as if it were a physical disk. It is a stand-alone file that is portable. Therefore, it can be moved or copied as needed like any other file type. However, it acts and behaves as if it were a physical disk, that is, it can have a partition type and disk type, and it can be formatted. VHDs have traditionally been associated with virtual machines and Hyper-V®, a Microsoft server virtualization technology. However, they are being used much more widely. For example, you can install an operating system onto a VHD and start a computer from it. This is known by many terms but most frequently as native boot, or boot from VHD. Virtual hard disks can also be used to provide additional storage, such as in Storage Spaces, or can even be used as part of a high-availability failover clustering infrastructure.
Windows Server 2012 provides for two VHD file formats: .vhd and .vhdx. The .vhdx file format is a virtual hard disk format that emerged with the release of Windows Server 2012. Both file formats have the same basic function. The differences are based on scale and performance, as follows:
• Supported file sizes:
  o The .vhd file format can have a maximum size of 2,040 GB.
  o The .vhdx file format can have a maximum size of 64 TB.
• Sector size:
  o The .vhd file format uses 512-byte sectors.
  o The .vhdx file format uses 4-KB sectors to gain performance advantages with larger disk sizes.
You can convert from .vhdx to .vhd or from .vhd to .vhdx by using the Edit Virtual Hard Disk Wizard in Hyper-V Manager. Also, the .vhdx file format is only recognized by Windows Server 2012.
Both .vhd and .vhdx virtual hard disks have three virtual hard disk types available when they are created. These are described in the following sections.
Dynamically Expanding VHDs
Dynamically expanding VHDs are virtual disks that start very small and then grow as you write data to them. They are ideal for use in an environment where performance is not your primary consideration. Organizations typically use dynamically expanding disks in test and development environments. A dynamically expanding disk grows only to the space that you allocate to it when you create the VHD. The default maximum size is 127 GB, but dynamically expanding VHDs can be as large as 2 terabytes (TB). Dynamically expanding disk performance has increased and has almost the same performance levels as fixed-size disks. One of the potential issues with using dynamically expanding VHDs is that you must manage storage usage after deployment. If you have multiple dynamically expanding VHDs located in a single storage location that is less than the total maximum size of the VHDs, you must monitor the storage location to make sure that the VHDs do not expand to use up all available space.
Another potential issue with dynamically expanding virtual hard disks is that the .vhd file might become fragmented on the host computer's physical hard disk. This could affect the virtual disk's performance.
Fixed-Size VHDs
Fixed-size VHDs are disks that use as much physical disk space as you specify when you create the disk. For example, if you create a 100 GB fixed-size VHD, it will use 100 GB of physical disk space. The primary benefit with using fixed-size disks is that all the storage required for the disks is committed when you create the disks. This reduces the possibility that you will over-commit your storage resources. One reason for selecting fixed-size VHDs is that dynamically expanding VHDs might not support some applications. For example, Microsoft does not support Exchange Server 2010 or Exchange Server 2007 deployed on dynamically expanding VHDs.
One of the disadvantages of fixed-size disks is that the disks might take longer to move from one server to another.
Differencing VHDs
A differencing virtual hard disk is a virtual hard disk associated with another virtual hard disk in a parent/child relationship. The differencing disk is the child and the associated virtual disk is the parent. The parent disk can be any kind of virtual hard disk. The differencing disk stores a record of all changes that you make to the parent disk and lets you save changes without altering the parent disk. In other words, by using differencing disks, you make sure that changes are made to the differencing disks and not to the original virtual hard disk. When it is required, you can merge changes from the differencing disk to the original virtual hard disk.
• The differencing hard disk expands dynamically as data intended for the parent disk is written to the differencing disk. You should write-protect or lock the parent disk. If another process changes the parent disk, and does not recognize the differencing disk's parent/child relationship, then all differencing disks related to the parent disk become invalid, and any data written to them is lost. By locking the parent disk, you can mount the disk on more than one virtual machine, similar to a read-only floppy disk or CD-ROM.
• You cannot specify a size for a differencing disk. Differencing disks can grow as large as the parent disks to which they are associated. However, unlike dynamically expanding disks, differencing disks cannot be compacted directly. You can compact differencing disks only after merging the disk with a dynamically expanding parent disk.
• If you are using differencing disks, you must have a standardized naming convention for your virtual hard disks. It is not clear from examining the virtual hard disk in Hyper-V Manager whether it is a differencing drive or a parent disk.
Virtual hard disks can be created in several ways; one such method is as follows:
• In Disk Management, right-click the server being managed, and then select Create VHD. You can then specify the virtual hard disk format and type, as well as the location and size of the virtual hard disk file.
What Are Mount Points and Links?
Mount points and links are used in NTFS and ReFS file systems in Windows Server 2012 to refer to files, directories, and volumes to make them available to users.
Mount Points
Mount points make a disk or part of a disk available to the operating system. Usually, mount points are associated with drive letter mappings. The operating system gains access to the disk through the drive letter.
Starting with the Windows 2000 Server operating system, you can enable volume mount points. This lets you mount a hard disk to an empty folder that is located on another drive. For example, if you add a new hard disk to a server, instead of mounting the drive by using a drive letter, you can assign a folder name such as c:\datadrive. Then when you access the c:\datadrive folder, you are actually accessing the new hard disk. Volume mount points can be useful in the following scenarios:
• If you are running out of drive space on a server and you want to add disk space without changing the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.
  Note: You can assign volume mount points only to empty folders on an NTFS partition. This means that if you want to use an existing folder name, you must first rename the folder, create and mount the hard disk by using the required folder name, and then copy the data to the mounted folder.
• If you are running out of available letters to assign to partitions or volumes. If you have many hard disks attached to the server, you might run out of available letters in the alphabet to assign drive letters. By using a volume mount point, you can add partitions or volumes without using more drive letters.
• If you have to separate disk I/O in a folder structure. For example, if you are using an application that requires a specific file structure, but which uses the hard disks extensively, you can separate the disk I/O by creating a volume mount point within the folder structure.
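The following is an added example, not part of the course text: it creates a volume mount point with PowerShell and checks the two conditions from the note above (the host volume is NTFS and the target folder is empty) before calling Add-PartitionAccessPath. The disk number, partition number and folder name are assumptions for illustration.

```powershell
# Added example (not from the course): mount a partition into an empty NTFS folder
# instead of assigning it a drive letter. Cmdlets used (Storage module, Windows
# Server 2012): Get-Volume, Get-Partition, Add-PartitionAccessPath.
function New-VolumeMountPoint {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [int]    $DiskNumber,       # disk to expose through the folder
        [Parameter(Mandatory)] [int]    $PartitionNumber,  # partition on that disk
        [Parameter(Mandatory)] [string] $MountFolder       # e.g. C:\datadrive (assumed name)
    )

    # 1. The volume that will hold the folder must be NTFS (the note's first condition).
    $hostDrive  = (Split-Path -Qualifier $MountFolder).TrimEnd(':')
    $hostVolume = Get-Volume -DriveLetter $hostDrive -ErrorAction Stop
    if ($hostVolume.FileSystem -ne 'NTFS') {
        throw "Volume $hostDrive`: is $($hostVolume.FileSystem); mount points require NTFS."
    }

    # 2. The folder must exist and be empty (second condition). Create it if missing;
    #    refuse to mount over existing data so nothing is hidden underneath the mount.
    if (-not (Test-Path -LiteralPath $MountFolder)) {
        New-Item -ItemType Directory -Path $MountFolder | Out-Null
    } elseif (Get-ChildItem -LiteralPath $MountFolder -Force | Select-Object -First 1) {
        throw "$MountFolder is not empty; rename it, mount the disk, then copy the data in."
    }

    # 3. Confirm the partition exists, then attach the folder as an access path.
    $null = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($MountFolder, "Mount disk $DiskNumber partition $PartitionNumber")) {
        Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber `
            -AccessPath $MountFolder
    }

    # 4. Report what the folder now resolves to: the mounted volume, not the host volume.
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
        Get-Volume | Select-Object FileSystem, Size, SizeRemaining
}

# Example call with assumed values; drop -WhatIf to apply the change.
New-VolumeMountPoint -DiskNumber 1 -PartitionNumber 1 -MountFolder 'C:\datadrive' -WhatIf
```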
Links
A link is a special kind of file that contains a reference to another file or directory in the form of an absolute or relative path. Windows supports the following two kinds of links:
• A symbolic file link (also known as a soft link)
• A symbolic directory link (also known as a directory junction)
A link that is stored on a server share could refer back to a directory on a client that is not available from the server where the link is stored. Because the link processing is performed by the client, the link would work correctly to access the client, even though the server cannot access the client. Links operate transparently. Applications that read or write to files that are named by a link behave as if they are operating directly on the destination file. For example, you can use a symbolic link to link to a Hyper-V parent virtual hard disk file (.vhd) from another location. Hyper-V uses the link to work with the parent virtual hard disk (VHD) as it would the original file. The benefit of using symbolic links is that you do not need to modify the properties of your differencing VHD.
Demonstration: How to Create and Manage Volumes
In this demonstration, you will see how to create and manage volumes in Windows Server.
This demonstration shows how to configure volumes by using the Disk Management console and Windows PowerShell.
While not called out explicitly in the demonstration steps, you may want to also show the Diskpart utility if you have time, as it is still a viable disk management method in Windows Server 2012. If so, you can type steps similar to the following.
• At a Command Prompt, type Diskpart
• Type List Disk
• Type Select Disk 1 (where 1 is a disk with available space on it)
• Create Volume Simple size=100
• Format FS=NTFS Label="DiskPart Vol"
• Exit
Demonstration Steps
1. Bring a disk online.
2. Initialize a disk.
3. Create a simple volume.
4. Create a volume using File and Storage Services.
5. Convert a basic disk to a dynamic disk.
6. Create a striped volume using Disk Management.
7. Configure a volume mount point.
8. Resize volumes by using Disk Management.
9. Create a volume using Windows PowerShell.
What Are Storage Quotas?
Storage quota management lets you limit the disk space that is allocated to a volume or folder. The quota limit applies to the whole folder subtree. Using quotas, you can manage capacity restrictions in many ways. For example, you can use a quota to make sure that individual users do not consume very large amounts of storage with their home drives, or to limit how much space is consumed by multimedia files in a particular folder. Quotas can be managed through FSRM. This can be installed in Server Manager through the Add Roles And Features Wizard under Files And Storage Services.
Quota Types
You can create two kinds of quotas within quota management:
• A hard quota prevents users from saving files after the space limit is reached, and it generates notifications when the volume of data reaches each configured threshold.
• A soft quota does not enforce the quota limit. However, it does provide notifications.
Quota Notifications
To determine what happens when the quota limit approaches, you configure notification thresholds. For each threshold that you define, you can send email notifications, log an event, run a command or script, or generate storage reports. For example, you might want to notify the administrator and the user when a folder reaches 85 percent of its quota limit, and then send another notification when the quota limit is reached. In some cases, you might want to run a script that raises the quota limit automatically when a threshold is reached.
Creating Quotas
When you create a quota on a volume or a folder, you can base the quota on a quota template or use custom properties. Using quota templates has benefits such as being able to reuse a quota template to create additional quotas while also helping simplify ongoing quota maintenance.
You can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota template to a parent volume or folder. Then a quota that is based on the template is created for each of the existing subfolders, and a quota is generated automatically for each new subfolder that is created.
In addition to managing and configuring quotas in the FSRM, you can use Windows PowerShell. Windows PowerShell provides an extensive number of cmdlets for FSRM parameters. This includes quotas, as part of the FileServerResourceManager module. The following table includes some cmdlets and commands that might be useful.
Windows PowerShell Cmdlet | Description of Use
Get-FSRMQuota | Displays FSRM quotas on the server
New-FSRMQuota | Creates an FSRM quota
Get-Command –module FileServerResourceManager | Lists all available cmdlets in the FileServerResourceManager module
There is a Command Prompt utility named Windows File System Utility (fsutil.exe). This utility can manage file server settings, such as quotas.
Demonstration: How to Create a Quota by Using FSRM
In this demonstration, you will see how to:
• Create a 100 MB quota limit.
• Use a 130 MB file to test the quota limit.
Demonstration Steps
1. Verify you can create a 130 MB file successfully.
2. Create a 100 MB quota.
3. Verify that creating a 100 MB file is no longer allowed.
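The following is an added example, not part of the course: it builds the demonstration's 100 MB hard quota with the FileServerResourceManager cmdlets, attaches the 85 percent and 100 percent notifications described under Quota Notifications, and then tests the limit with a 130 MB file. The folder path is an assumption; FSRM must be installed and, for the e-mail actions to deliver, an SMTP server must be configured in FSRM options.

```powershell
# Added example (not from the course): hard quota with notification thresholds, then a
# write test. Cmdlets: New-FsrmAction, New-FsrmQuotaThreshold, New-FsrmQuota, Get-FsrmQuota
# (FileServerResourceManager module). Tokens such as [Quota Path] are FSRM's own macros.
Import-Module FileServerResourceManager

$quotaPath = 'D:\Shares\Projects'    # assumed folder on an NTFS volume
if (-not (Test-Path -LiteralPath $quotaPath)) {
    New-Item -ItemType Directory -Path $quotaPath | Out-Null
}

# 85 percent: warn the administrator and the owner of the file that crossed the line.
$mailWarn = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source File Owner Email]' `
    -Subject 'Quota warning: [Quota Path]' `
    -Body 'The folder [Quota Path] has reached [Quota Used Percent]% of its [Quota Limit MB] MB limit.'

# 100 percent: mail the administrator and write a Warning event to the Application log,
# so the condition is visible to monitoring even if mail is not delivered.
$mailFull = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Quota limit reached: [Quota Path]' `
    -Body 'No more files can be saved to [Quota Path] until space is freed.'
$logFull  = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota limit reached on [Quota Path] (last writer: [Source Io Owner]).'

$thresholds = @(
    New-FsrmQuotaThreshold -Percentage 85  -Action $mailWarn
    New-FsrmQuotaThreshold -Percentage 100 -Action $mailFull, $logFull
)

# Omitting -SoftLimit makes this a hard quota: writes beyond 100 MB are refused.
$quota = New-FsrmQuota -Path $quotaPath -Size 100MB -Threshold $thresholds `
    -Description 'Demonstration: 100 MB hard quota'

# Test as in the demonstration: a 130 MB file must be refused ("not enough space").
function Test-QuotaBlocksFile {
    param([string]$Folder, [long]$Bytes)
    $testFile = Join-Path $Folder 'quota-test.bin'
    fsutil file createnew $testFile $Bytes | Out-Null   # fsutil allocates the full size
    $blocked = ($LASTEXITCODE -ne 0)
    Remove-Item -LiteralPath $testFile -ErrorAction SilentlyContinue
    return $blocked
}

if (Test-QuotaBlocksFile -Folder $quotaPath -Bytes 130MB) {
    Write-Host 'Write refused as expected: the hard quota is enforced.'
} else {
    Write-Warning 'A 130 MB file was created under a 100 MB hard quota; check the quota path.'
}
Get-FsrmQuota -Path $quotaPath | Select-Object Path, Size, SoftLimit, Usage, PeakUsage
```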
Lesson 3
Fault Tolerance
Now that you have learned about the kinds of storage and the methods in which you can address the storage, the next important thing is to consider reliability and availability. These can be critical elements to the success of an organization. Windows Server 2012 has several methods for providing for reliability and availability in the event of hardware failure, such as Storage Spaces and RAID implementations. This lesson provides details of both those technologies.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Storage Spaces.
• Describe how to implement fault tolerance by using Storage Spaces.
• Describe RAID.
• Explain the value of RAID levels.
• Describe how to implement RAID by using Disk Management.
What Are Storage Spaces?
Storage Spaces is a new feature that was introduced in Windows Server 2012. It enables combining many physical disk types into a single entity. This is known as a Storage Pool, from which you can then create a management unit called a Storage Space. The Storage Spaces feature requires no features or roles to be installed. The functionality is built in to Windows Server 2012 and is available out-of-the-box in File And Storage Services in Server Manager. Storage Spaces enable you to:
• Combine disks of different types and capacity into a single entity that can be managed as a single unit.
• Provide a level of redundancy or resiliency by using either disk mirroring or parity.
• Extend the storage capacity by using thin provisioning. Thin provisioning is explained later in this topic.
Storage Pools
Storage pools are hard disk units combined into a single logical unit. Storage Pools can be managed as a single entity. To create a Storage Pool, consider the following:
• You can use different bus technologies such as SATA, SCSI, serial-attached SCSI, or USB disks even if they are different capacities. You can also add .vhd and .vhdx virtual hard disk file types.
• The drives can be internally or externally connected to the server.
• Designate a specific disk as a "Hot-Spare," which will automatically replace a disk that has suffered a failure.
• At least one disk is required to create a Storage Pool.
• Drives must be blank and unformatted; no volume must exist on them. Any information on disks being added will be lost.
• A Storage Pool can use the whole disk or just a part of the disk.
• All disks must have the same sector size.
Storage Spaces
After the Storage Pool is created, you can then create Storage Spaces from the Storage Pool. Storage Spaces are the effective management entities for the storage pool. You should be aware of the following in relation to Storage Spaces:
• To create a Storage Space, at least one Storage Pool must be created.
• Once the Storage Pool exists, you then must create a "Virtual Disk". This is not a virtual disk in the sense of a virtual machine file; rather, it is a virtual entity which you can then manage as a single instance, despite having potentially multiple disk or volume types. It is specific to this concept and should be considered as a drive as you would see it in Disk Management.
• Once you create a "Virtual Disk", you then need to create a volume, which you then format, partition, and assign drive letters to as you would any other disk.
• Storage Spaces are displayed as a drive in File Explorer, for example drive D or E. The underlying storage configuration is invisible to the user.
• Failover clustering is supported in Storage Spaces. However, it is limited to serial-attached SCSI disk types. SATA, SCSI, or USB are not supported.
• Storage Spaces supports both NTFS and ReFS volumes.
Providing Redundancy
Providing a level of redundancy for disk failure can be an expensive and complex process involving dedicated or specific hardware and software. When you create Storage Spaces in Windows Server 2012, you can provide a software-based level of redundancy or resiliency without the need for additional hardware or software. There are three options when you create Storage Spaces, two of which provide redundancy:
• Simple. This requires at least one disk and the striping of the data across multiple disks; that is, as data is written, it is spread out and written across multiple disks. This allows for quicker writing of data but does not protect the data from a disk failure.
• Mirrored. This scenario requires at least two disks. When you write data to one of the disks, a copy of the data is written to the other disk at the same time. This means if one of the disks fails, there is another copy of the data available. Mirrored disks reduce capacity, and if two disks fail, it provides no level of redundancy. To provide protection from two disk failures, five disks would be required.
• Parity. This scenario requires at least three disks. When you write data, it writes half the data to the first disk, the rest of the data is written to the second disk, and a checksum value is written to the third disk. If one of the first two data disks fails, the data can be restored by using half the data and the checksum value. It increases redundancy should a single disk fail but reduces capacity. It cannot be used in failover clustering.
Thin Provisioning
There are benefits to using storage pools for providing storage. With thin provisioning, you can allocate more space than is actually physically available when the drive is created. For example, if you have two 5 TB external SATA drives, giving you a total of 10 TB of available space, you could create a storage pool based off these two drives, and then create a Storage Space of up to 64 TB, even though you do not have all that physical capacity available. With thin provisioning, space or blocks are only allocated from the storage pool as they are needed. Therefore, you can add capacity as needed. In contrast, fixed, or thick, provisioning allocates all the available space from the storage pool when the Storage Space is created.
Windows PowerShell
Windows PowerShell also provides management and configuration support for Storage Spaces in Windows Server 2012. The following table includes some cmdlets and commands that might be useful.
Windows PowerShell Cmdlet | Description of Use
Get-StoragePool | Displays all storage pools. This is provided as part of the Storage module.
Resize-SpacesVolume | Resizes Storage Spaces and file system volumes. This is provided as part of the Storage Spaces module. The module must be separately downloaded. After you download the module, it must be imported into Windows PowerShell by using the Import-Module cmdlet.
Get-Command –module Storage,StorageSpaces | Lists all available cmdlets in the Storage and StorageSpaces modules.
Demonstration: How to Implement and Manage Storage Spaces
In this demonstration, you will see how to create a Storage Pool and a Storage Space Virtual Hard Disk.
Demonstration Steps
1. Create a Storage Pool.
2. Create a Storage Space Virtual Disk.
3. Verify the Virtual Disk is accessible.
4. Add an additional physical disk to the Storage Pool.
5. Remove a physical disk to simulate disk failure.
6. Verify the Virtual Disk is still available.
7. Verify the Virtual Disk status in Server Manager.
8. Repair the Virtual Hard Disk.
9. Verify the Virtual Disk status returns to Healthy.
10. Delete the Virtual Disk.
11. Delete the Storage Pool.
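The following is an added example, not part of the course: it carries out the demonstration steps above with the Storage module cmdlets (pool, thin-provisioned mirrored virtual disk, volume, health check after a simulated disk failure, repair, and removal). The pool and virtual disk names are assumptions for illustration, and the thin size deliberately exceeds the physical capacity to show the provisioning described under Thin Provisioning.

```powershell
# Added example (not from the course). Cmdlets are from the Storage module in Windows
# Server 2012. Disks added to a pool must be blank; any data on them is lost.
function New-DemoSpace {
    # Steps 1 to 3: pool the poolable disks, create a mirrored thin virtual disk, make a volume.
    $poolable = @(Get-PhysicalDisk -CanPool $true)        # blank, unformatted disks only
    if ($poolable.Count -lt 2) {
        throw "A two-way mirror needs at least two poolable disks; found $($poolable.Count)."
    }
    $subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
    New-StoragePool -FriendlyName 'DemoPool' -StorageSubSystemFriendlyName $subsystem.FriendlyName `
        -PhysicalDisks $poolable | Out-Null

    # Thin provisioning: 10 TB may exceed the pool's physical capacity; blocks are allocated
    # only as data is written, so the pool's free space must be monitored afterwards.
    $vdisk = New-VirtualDisk -StoragePoolFriendlyName 'DemoPool' -FriendlyName 'DemoSpace' `
        -ResiliencySettingName Mirror -ProvisioningType Thin -Size 10TB

    # The virtual disk is handled like any other disk: initialize, partition, format.
    $disk = $vdisk | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $partition.DriveLetter -FileSystem NTFS `
        -NewFileSystemLabel 'DemoSpace' -Confirm:$false | Out-Null
    return $partition.DriveLetter
}

function Get-DemoSpaceHealth {
    # Steps 3, 6, 7 and 9: with one disk pulled, the mirror stays online (OperationalStatus)
    # but HealthStatus drops to Warning until the mirror is repaired.
    Get-VirtualDisk -FriendlyName 'DemoSpace' |
        Select-Object FriendlyName, OperationalStatus, HealthStatus, ResiliencySettingName
    Get-StoragePool -FriendlyName 'DemoPool' | Get-PhysicalDisk |
        Select-Object FriendlyName, OperationalStatus, HealthStatus, Usage
}

function Repair-DemoSpace {
    # Steps 4 and 8: add a replacement blank disk, retire the disk that is no longer OK,
    # then rebuild the mirror's second copy onto the new disk.
    $replacement = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
    if ($replacement) {
        Add-PhysicalDisk -StoragePoolFriendlyName 'DemoPool' -PhysicalDisks $replacement
    }
    Get-StoragePool -FriendlyName 'DemoPool' | Get-PhysicalDisk |
        Where-Object { $_.OperationalStatus -ne 'OK' } |
        Set-PhysicalDisk -Usage Retired
    Repair-VirtualDisk -FriendlyName 'DemoSpace'
}

function Remove-DemoSpace {
    # Steps 10 and 11.
    Remove-VirtualDisk -FriendlyName 'DemoSpace' -Confirm:$false
    Remove-StoragePool -FriendlyName 'DemoPool' -Confirm:$false
}

# Typical run: build and check; after physically removing a disk, check again and repair.
$letter = New-DemoSpace
Write-Host "Storage Space is available as drive $letter"
Get-DemoSpaceHealth
```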
What Is RAID?
RAID is a technology that has existed for a long time. It enables you to configure storage systems to provide high reliability and potentially high performance. RAID implements these storage systems by combining multiple disks into a single logical unit called a RAID array that, depending on the configuration, can withstand the failure of one or more of the physical hard disks, or provide better performance than is available by using a single disk.
RAID provides an important component in planning and deploying Windows Servers. In most organizations, servers must always be available. Most servers provide highly redundant components such as redundant power supplies and redundant network adapters. The goal of this redundancy is to make sure that the server remains available even when a single component on the server fails. By implementing RAID, you can provide the same level of redundancy for the storage system.
How RAID Works
RAID enables fault tolerance by using additional disks to make sure that the disk subsystem can continue to function even if one or more disks in the subsystem fail. RAID uses two options for enabling fault tolerance:
• Disk mirroring. With disk mirroring, all the information that is written to one disk is also written to another disk. If one of the disks fails, the other disk is still available.
• Parity information. Parity information is used to calculate the information that was stored on a disk if there is a disk failure. If this option is used, the server or RAID controller calculates the parity information for each block of data written to the disks, and then stores this information on another disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the data that is still available on the functional disks and the parity information to re-create the data that was stored on the failed disk.
RAID subsystems can also provide potentially better performance than a single disk by distributing disk reads and writes across multiple disks. For example, when you implement disk striping, the server can read information from all hard disks in the stripe set. When combined with multiple disk controllers, this can provide significant improvements in disk performance.
Hardware RAID vs. Software RAID
Hardware RAID is implemented by installing a RAID controller in the server, and then configuring RAID by using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden from the operating system. The RAID arrays are exposed to the operating system as single disks. The only configuration that you have to perform in the operating system is to create volumes on the disks. Software RAID is implemented by exposing all the disks that are available on the server to the operating system, and then configuring RAID from the operating system. Windows Server 2012 supports software RAID, and you can use Disk Management to configure several different levels of RAID. Given the significant changes and functionality that is now available in Windows Server 2012 with Storage Spaces, software RAID can now be a secondary choice.
Note: Although RAID can provide better tolerance for disk failure, you should not use RAID to replace traditional backup. If all the disks were to fail, then you would still have to rely on standard backups.
What Are RAID Levels?
When you implement RAID, you have to decide what level of RAID to implement. The following table compares the features for each RAID level.
Level | Description | Performance | Space use | Redundancy | Comments
RAID 0 | Striped set without parity or mirroring. Data is written sequentially to each disk | High read and write performance | All space on the disks is available | A single disk failure results in the loss of all data | Use only if you must have high performance and can tolerate data loss
RAID 1 | Mirrored set without parity or striping. Data is written to both disks at the same time | Good performance | Can only use the amount of space that is available on the smallest disk | Can tolerate a single disk failure | Frequently used for system and boot volumes with hardware RAID
RAID 2 | Data is written in bits to each disk that has parity written to a separate disk or disks | Very high performance | One or more disks used for parity | Can tolerate a single disk failure | Requires that all disks be synchronized. Currently not used
RAID 3 | Data is written in bytes to each disk that has parity written to a separate disk or disks | Very high performance | One disk used for parity | Can tolerate a single disk failure | Requires that all disks be synchronized. Rarely used
RAID 4 | Data is written in blocks to each disk that has parity written to a dedicated disk | Good read performance, poor write performance | One disk used for parity | Can tolerate a single disk failure | Rarely used
RAID 5 | Striped set with distributed parity. Data is written in blocks to each disk that has parity spread across all disks | Good read performance, poor write performance | The equivalent of one disk used for parity | Can tolerate a single disk failure | Very frequently used for data storage where performance is not important but maximizing disk usage is important
RAID 6 | Striped set with dual distributed parity. Data is written in blocks to each disk that has double parity written across all disks | Good read performance, poor write performance | The equivalent of two disks used for parity | Can tolerate two disk failures | Frequently used for data storage where performance is not important but maximizing disk usage and availability are important
RAID 0+1 | Striped sets in a mirrored set. A set of drives is striped, and then the stripe set is mirrored | Very good read and write performance | Half the disk space is available because of mirroring | Can tolerate the failure of two or more disks as long as all failed disks are in the same striped set | Not usually used
RAID 1+0 | Mirrored set in a striped set. Several drives are mirrored to a second set of drives, and then one drive from each mirror is striped | Very good read and write performance | Half the disk space is available because of mirroring | Can tolerate the failure of two or more disks as long as both disks in a mirror do not fail | Frequently used in scenarios where performance and redundancy are important, and the cost of the additional disks required is acceptable
Selecting a RAID Level
You can configure different levels of RAID. When you configure a RAID level, you have to be aware of the following implications:
• Performance implications. Some RAID levels provide very high performance whereas other RAID levels provide much worse performance. Some RAID levels provide high read performance, but reduced write performance. You have to consider these performance characteristics when you select a RAID level.
• Level of redundancy. RAID levels also provide different levels of redundancy. Some RAID levels cannot support the loss of any disks; some RAID levels can support the loss of one or more disks. You have to consider your requirements for redundancy when you select a RAID level.
• Storage use. RAID levels also have different levels of storage use. With some RAID levels, the storage capacity for the RAID array is equal to the total amount of disk space for all disks in the array. For other RAID levels, one or more disks might be used to store parity information. With disk mirroring, the RAID array storage capacity is half of the storage capacity of the disks.
In most cases, you have to select which of the three options are most important for your RAID implementation. Each RAID level provides a high level of functionality for one or two options, but no RAID level provides high functionality for all options. This means that you have to evaluate the required RAID level for each server or application separately.
Demonstration: How to Implement RAID by Using the Disk Management console
In this demonstration, you will see how to implement mirroring and create a RAID-5 volume by using Disk Management.
Demonstration Steps
1. Create a new mirrored volume.
2. Create a new RAID-5 volume.
Lab: Implementing Storage in Windows Server
Scenario
A. Datum has just procured a new server, and it is your job to add storage to the new infrastructure. You will add disks of various sizes by using different methodologies.
Objectives
After completing this lab, you will be able to:
• Create and mount a VHD drive.
• Create and make available new volumes.
• Change the sizes of the volumes.
• Create a fault-tolerant disk configuration using Storage Spaces.
Lab Setup
Estimated Time: 50 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must follow these steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: ADATUM
5. Repeat the previous steps for 10967A-LON-SVR1.
Exercise 1: Creating and Mounting a VHD File
Scenario
A. Datum wants to use Hyper-V for disk management. You are asked to create and mount a VHD file. Windows PowerShell should be used to verify the newly created disk drive.
The main tasks for this exercise are as follows:
1. Create and initialize a virtual hard disk
2. Use Windows PowerShell to identify the newly created disk, bring the disk online and initialize it
Task 1: Create and initialize a virtual hard disk
1. Ensure you are signed on to the 10967A-LON-SVR1 virtual machine with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Disk Management, create a new .vhd file with the following configuration:
• Location and filename: C:\Temp\LON-SVR1-Disk7
• Virtual hard disk size: 7 GB
• Virtual hard disk format: VHD
• Virtual hard disk type: Dynamically expanding
Task 2: Use Windows PowerShell to identify the newly created disk, bring the disk online and initialize it
1. Open the Windows PowerShell console.
2. Use the Get-Disk cmdlet to list all disks present on the Windows Server 2012 server and identify the disk that has just been created.
3. Use the Set-Disk cmdlet with the -Number and -IsOffline parameters to bring the .vhd file online.
4. Find a Windows PowerShell command that can initialize the newly created disk.
5. Use the newly discovered cmdlet with the -Number and -PartitionStyle parameters to initialize the disk with a Master Boot Record (MBR) partition style.
Results: After this exercise, you should have a Hyper-V® .vhd file.
Exercise 2: Creating and Making Available New Volumes
Scenario
You are asked to create a 2 GB NTFS volume and a 10 GB ReFS volume as shared drives. The drives will use the letters J and K respectively.
The main tasks for this exercise are as follows:
1. Create two new simple volumes
2. Change the new disks' drive letters
3. Mount the new volumes
Task 1: Create two new simple volumes
1. Ensure you are signed on to the 10967A-LON-SVR1 virtual machine with user name ADATUM\Administrator and password Pa$$w0rd.
2. Locate Disk 1, bring it online, and initialize it.
3. On Disk 1, create a New Simple Volume with the following details:
o Simple Volume size in MB: 2000
o Assign the following drive letter: J
o File System: NTFS
o Volume Label: SimpleVol_NTFS
4. Format the new volume.
5. Verify the volume is available in File Explorer.
6. On Disk 2, create another New Simple Volume with the following details and verify it is created successfully:
o Simple Volume size in MB: 10000
o Assign the following drive letter: K
o File System: ReFS
o Volume Label: SimpleVol_ReFS
Task 2: Change the new disks' drive letters
1. On the 10967A-LON-SVR1 virtual machine, open the Disk Management console.
2. Assign the letter R to the NTFS volume SimpleVol_NTFS.
3. Assign the letter S to the ReFS volume SimpleVol_ReFS.
4. Verify that the volumes have changed drive letters in File Explorer.
Task 3: Mount the new volumes
1. On the 10967A-LON-SVR1 virtual machine, open the Disk Management console.
2. Mount the new SimpleVol_NTFS volume so it is accessible via the file location C:\MountedVolume_NTFS.
3. Mount the new SimpleVol_ReFS volume so it is accessible via the file location C:\MountedVolume_ReFS.
4. Verify that, once mounted, they are both accessible as expected.
Results: After this exercise, you should have a 2 GB NTFS volume and a 10 GB ReFS volume.
Exercise 3: Vary the Sizes of the NTFS and ReFS Volumes
Scenario
You receive an email from your manager asking you to double the size of the NTFS volume you just created and to shrink the ReFS volume down to half its original configured size.
The main tasks for this exercise are as follows:
1. Extend the size of the NTFS volume
2. Shrink the size of the ReFS volume
Task 1: Extend the size of the NTFS volume
1. On the 10967A-LON-SVR1 virtual machine, in the Disk Management console, locate the SimpleVol_NTFS volume.
2. Extend the volume by 4 GB.
3. Verify that the NTFS volume size has increased from 2 GB to 6 GB and that it is still accessible.
Task 2: Shrink the size of the ReFS volume
1. On the 10967A-LON-SVR1 virtual machine, in the Disk Management console, locate the SimpleVol_ReFS volume.
2. Attempt to shrink the volume to approximately 5 GB.
3. Verify that the ReFS volume could not be shrunk.
Results: You have expanded the NTFS volume by 4 GB but have failed to shrink the ReFS volume, as shrinking a ReFS volume is not supported. If your manager insists on a ReFS drive of the reduced size, the volume will need to be re-created.
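Exercises 1 to 3 carried out with the Storage module cmdlets instead of Disk Management, as an added example that is not part of the 10967A courseware. It assumes you run it as ADATUM\Administrator on LON-SVR1, that the VHD from Exercise 1 is attached and appears as a RAW disk whose BusType is "File Backed Virtual", and that Disk 1 and Disk 2 are the empty disks Exercise 2 uses; the function names are this example's own.

```powershell
# Added example, not part of the 10967A courseware. Exercises 1-3 done with
# the Storage module cmdlets that ship with Windows Server 2012.
# Assumptions: run as ADATUM\Administrator on LON-SVR1; the VHD created in
# Exercise 1 is attached and shows as a RAW disk with BusType "File Backed
# Virtual"; Disk 1 and Disk 2 are the empty disks used in Exercise 2.
# Every function name below is this example's own, not a built-in cmdlet.

# Exercise 1, Task 2: identify the attached VHD, bring it online, initialize it.
function Initialize-LabVhdDisk {
    param([ValidateSet('MBR', 'GPT')][string]$PartitionStyle = 'MBR')
    # A just-created VHD has no partition table (PartitionStyle RAW) and is
    # file-backed; that pair of properties singles it out from the other disks.
    $vhd = Get-Disk |
        Where-Object { $_.PartitionStyle -eq 'RAW' -and $_.BusType -eq 'File Backed Virtual' } |
        Select-Object -First 1
    if (-not $vhd) { throw 'No uninitialized file-backed disk found; is the VHD attached?' }
    Set-Disk -Number $vhd.Number -IsOffline $false
    Initialize-Disk -Number $vhd.Number -PartitionStyle $PartitionStyle
    Get-Disk -Number $vhd.Number        # refreshed object, for verification
}

# Exercise 2, Task 1: bring a disk online if needed and create a formatted simple volume.
function New-LabSimpleVolume {
    param(
        [uint32]$DiskNumber,
        [uint64]$SizeMB,
        [char]$DriveLetter,
        [ValidateSet('NTFS', 'ReFS')][string]$FileSystem,
        [string]$Label
    )
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.IsOffline) { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.PartitionStyle -eq 'RAW') { Initialize-Disk -Number $DiskNumber -PartitionStyle MBR }
    New-Partition -DiskNumber $DiskNumber -Size ($SizeMB * 1MB) -DriveLetter $DriveLetter |
        Format-Volume -FileSystem $FileSystem -NewFileSystemLabel $Label -Confirm:$false
}

# Exercise 2, Task 3: expose a volume under a folder as well as a drive letter.
function Mount-LabVolume {
    param([char]$DriveLetter, [string]$MountPath)
    # The mount point must be an existing, empty directory on an NTFS volume.
    if (-not (Test-Path -LiteralPath $MountPath)) {
        New-Item -ItemType Directory -Path $MountPath | Out-Null
    }
    Add-PartitionAccessPath -DriveLetter $DriveLetter -AccessPath $MountPath
}

# Exercise 3: resize only within the range the file system reports as supported.
# ReFS cannot shrink, so for a ReFS volume SizeMin equals the current size and a
# smaller request is refused here rather than failing inside Resize-Partition.
function Resize-LabVolume {
    param([char]$DriveLetter, [uint64]$NewSize)
    $range = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    if ($NewSize -lt $range.SizeMin -or $NewSize -gt $range.SizeMax) {
        $msg = '{0}: {1:N0} bytes is outside the supported range {2:N0}..{3:N0}'
        Write-Warning ($msg -f $DriveLetter, $NewSize, $range.SizeMin, $range.SizeMax)
        return $false
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $NewSize
    return $true
}

# Walk-through with the values from the lab.
Initialize-LabVhdDisk -PartitionStyle MBR |
    Format-Table Number, FriendlyName, BusType, OperationalStatus, PartitionStyle
New-LabSimpleVolume -DiskNumber 1 -SizeMB 2000  -DriveLetter J -FileSystem NTFS -Label SimpleVol_NTFS
New-LabSimpleVolume -DiskNumber 2 -SizeMB 10000 -DriveLetter K -FileSystem ReFS -Label SimpleVol_ReFS
Set-Partition -DriveLetter J -NewDriveLetter R      # Exercise 2, Task 2
Set-Partition -DriveLetter K -NewDriveLetter S
Mount-LabVolume -DriveLetter R -MountPath 'C:\MountedVolume_NTFS'
Mount-LabVolume -DriveLetter S -MountPath 'C:\MountedVolume_ReFS'
$ntfsNow = (Get-Partition -DriveLetter R).Size
Resize-LabVolume -DriveLetter R -NewSize ($ntfsNow + 4GB)   # NTFS grows by 4 GB
Resize-LabVolume -DriveLetter S -NewSize 5GB                 # ReFS: warning, returns $false
Get-Volume -DriveLetter R, S | Format-Table DriveLetter, FileSystemLabel, FileSystem, Size
```

Get-PartitionSupportedSize is the check Disk Management makes before offering Shrink Volume; querying it first turns the ReFS failure in Task 2 into an explicit, logged refusal instead of an error from the resize itself.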
Exercise 4: Creating a Fault-Tolerant Disk Configuration by Using Storage Spaces
Scenario
You now receive an email from your manager asking you to create a Storage Pool for use with some file shares that will be created.
The main tasks for this exercise are as follows:
1. Create a storage pool
2. Create a storage space virtual disk
3. Verify the virtual disk is available and functional
4. Add an additional physical disk to the storage pool
5. Remove a physical disk to simulate disk failure
6. Verify storage virtual disk state and data accessibility
7. Repair and verify the health of the virtual disk
8. Revert the lab machines
Task 1: Create a storage pool
1. Ensure you are signed in to 10967A-LON-SVR1 and logged on with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click File and Storage Services, then Volumes, then Storage Pools.
3. Create a Storage Pool with the following settings:
• Name: StoragePool1
• Physical Disks to Add: PhysicalDisk3, PhysicalDisk4
Task 2: Create a storage space virtual disk
1. Create a Storage Spaces Virtual Disk with the following settings:
o Storage Pool: StoragePool1
o Virtual Disk Name: VirtualDisk1
o Storage Layout: Mirror
o Provisioning Type: Thin
o Size of the virtual Disk: 4 GB
2. Create a Volume on the Virtual Disk with the following settings:
o Server: LON-SVR1
o Virtual disk: VirtualDisk1
o Size of the volume: Default (maximum available capacity)
o Drive Letter: T
o File System: NTFS
o Volume Label: VirtualDiskMirVol
Task 3: Verify the virtual disk is available and functional
• Create a file, Test File.txt, on the volume VirtualDiskMirVol on drive T:
Task 4: Add an additional physical disk to the storage pool
• Add an additional disk, PhysicalDisk5, to the storage pool.
Task 5: Remove a physical disk to simulate disk failure
• In Server Manager, on the Storage Pools page, in the Physical Disks section, remove PhysicalDisk4.
Task 6: Verify storage virtual disk state and data accessibility
1. Open File Explorer and verify that the text file, Test File.txt, created earlier is still available and accessible.
2. Check the health status of the VirtualDisk1 virtual disk.
Task 7: Repair and verify the health of the virtual disk
1. Repair the VirtualDisk1 virtual disk.
2. Verify the health of the virtual disk and also that the .txt file created earlier is still available and accessible.
Task 8: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, follow these steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR1.
Results: You have created a Storage Pool and a Virtual Disk and have verified the integrity of the share data in the event of catastrophic hard disk failure by simulating the removal of a disk to represent hard disk failure.
Question: What kind of storage is easiest to configure and why?
Question: How would you determine the kind of storage to implement?
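The same Storage Spaces exercise driven from Windows PowerShell rather than the Server Manager wizard, as an added example that is not part of the 10967A courseware. It assumes PhysicalDisk3, PhysicalDisk4 and PhysicalDisk5 are spare disks on LON-SVR1 with those friendly names, and that the local storage subsystem's friendly name contains "Storage" (on Windows Server 2012 it is "Storage Spaces on LON-SVR1"); the function names are this example's own.

```powershell
# Added example, not part of the 10967A courseware: Exercise 4 with the
# Storage module cmdlets that sit behind the Server Manager wizard.
# Assumptions: PhysicalDisk3, PhysicalDisk4 and PhysicalDisk5 are spare disks
# on LON-SVR1 (friendly names as Server Manager shows them) and the local
# storage subsystem's friendly name contains "Storage" (on Windows Server 2012
# it is "Storage Spaces on LON-SVR1"). Function names are this example's own.

$PoolName  = 'StoragePool1'
$VDiskName = 'VirtualDisk1'

# Task 1: pool only disks that report themselves as poolable.
function New-LabStoragePool {
    param([string[]]$DiskNames)
    $disks = @(Get-PhysicalDisk -CanPool $true | Where-Object { $DiskNames -contains $_.FriendlyName })
    if ($disks.Count -ne $DiskNames.Count) {
        throw "Only $($disks.Count) of $($DiskNames.Count) requested disks are poolable."
    }
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName '*Storage*' -PhysicalDisks $disks
}

# Task 2: thin-provisioned 4 GB mirror, then a volume T: that fills it.
function New-LabMirrorVolume {
    $vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $VDiskName `
        -ResiliencySettingName Mirror -ProvisioningType Thin -Size 4GB
    $disk = $vdisk | Get-Disk
    Initialize-Disk -Number $disk.Number           # default partition style (GPT)
    New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter T |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel VirtualDiskMirVol -Confirm:$false
}

# Tasks 3 and 6: the file the lab uses to prove data survived the failure.
function Test-LabFile {
    param([string]$Path = 'T:\Test File.txt')
    if (-not (Test-Path -LiteralPath $Path)) { 'mirror test' | Set-Content -LiteralPath $Path }
    # Reading the content back, not just checking existence, proves the data is intact.
    (Get-Content -LiteralPath $Path) -eq 'mirror test'
}

# Tasks 4 and 5: add a disk, then remove one to simulate a failure.
function Add-LabPoolDisk {
    param([string]$Name)
    Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks (Get-PhysicalDisk -FriendlyName $Name)
}
function Remove-LabPoolDisk {
    param([string]$Name)
    Remove-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks (Get-PhysicalDisk -FriendlyName $Name) -Confirm:$false
}

# Tasks 6 and 7: health check, then repair and wait for the mirror to resync.
function Get-LabVirtualDiskHealth {
    Get-VirtualDisk -FriendlyName $VDiskName | Select-Object FriendlyName, HealthStatus, OperationalStatus
}
function Repair-LabVirtualDisk {
    param([int]$TimeoutSeconds = 300)
    Repair-VirtualDisk -FriendlyName $VDiskName
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    # Repair is asynchronous; poll until the disk reports Healthy or we give up.
    while ((Get-VirtualDisk -FriendlyName $VDiskName).HealthStatus -ne 'Healthy') {
        if ((Get-Date) -gt $deadline) { return $false }
        Start-Sleep -Seconds 5
    }
    return $true
}

# Walk-through in lab order.
New-LabStoragePool -DiskNames 'PhysicalDisk3', 'PhysicalDisk4'
New-LabMirrorVolume
Test-LabFile                        # True: file written to the mirrored volume
Add-LabPoolDisk    -Name 'PhysicalDisk5'
Remove-LabPoolDisk -Name 'PhysicalDisk4'
Test-LabFile                        # still True: the surviving copy serves the data
Get-LabVirtualDiskHealth            # expect Warning until repaired
Repair-LabVirtualDisk               # True once HealthStatus returns to Healthy
Get-LabVirtualDiskHealth
```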
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common Issue                                                                  Troubleshooting Tip
Determining the allocation unit when formatting a drive with a file system
General storage configuration issues
Review Question(s)
Question: What are the different kinds of disks?
Question: What are some different storage technologies?
Question: What are the most important implementations of RAID?
Question: What options are available for fault tolerance in Storage Spaces?
Tools
Tool                  Use for                                                Where to find it
Diskpart              Manipulating disks and volumes.                        Command Prompt
FSUtil                Manipulating files and storage services.               Run fsutil.exe from the command line.
Windows PowerShell    Managing and configuring storage and Storage Spaces.   The Storage module is part of the operating system. The Storage Spaces module has to be downloaded.
Disk Manager          Manages disks and volumes.                             Server Manager
Module 3: Understanding Network Infrastructure
Contents:
Module Overview 3-1
Lesson 1: Network Architecture Standard 3-2
Lesson 2: Local Area Networking 3-9
Lesson 3: Wide Area Networking 3-15
Lesson 4: Wireless Networking 3-21
Lesson 5: Connecting to the Internet 3-28
Lesson 6: Remote Access 3-32
Lab: Selecting Network Infrastructure Components 3-38
Module Review and Takeaways 3-41
Module Overview
Networks are a critical component of an effective Windows Server® infrastructure. Most computing systems today are connected in some way to a network. A typical corporate network has many components and can connect a computer to other computers in the next room, across a city, or on the other side of the globe.
This module reviews the general characteristics of computer networks and introduces components and concepts associated with networks, providing you with the basic information required to understand the fundamentals of a network computing environment.
Objectives
After completing this module, you will be able to:
• Describe physical network topologies and standards.
• Define local area networks (LANs).
• Define wide area networks (WANs).
• Describe wireless networking technologies.
• Explain how to connect a network to the Internet.
• Describe how technologies are used for remote access.
Lesson 1: Network Architecture Standard
A network is created by using several different physical components and logical standards that define the specific qualities of a network. Network architecture refers to the set of physical components and logical standards that provide the basis for communication in a network.
In order to troubleshoot a network environment, you must have an understanding about the composition and capabilities of the network’s architecture.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802 standards.
• Describe fundamental network topology and components.
• Describe network architecture.
• Describe network access methods.
IEEE 802 Standards
The Institute of Electrical and Electronics Engineers (IEEE) is a not-for-profit organization that, among other things, tries to manage and define technical standards in a range of industrial and academic areas, such as telecommunications, electrical engineering, and aerospace. Generally, these standards define specific qualities in a technology so that devices such as network adapters, switches, and cables that are manufactured by different vendors can work together on the same network. This module examines the standards that define computer networking and how to implement a suitable network infrastructure, based on these specifications, to meet the requirements of IT professionals. The specifications those various devices can perform at (for example, frequency ranges, power consumption, and data throughput) can then be implemented in a physical computer network.
One of the most significant and recognizable computer networking standards is the IEEE 802 family of standards that define the functionality of different aspects of a network environment. The IEEE 802 standard has more than 15 sub-standards that apply to specific technologies found in a network environment. Only some of the standards are discussed in this section; other standards will be discussed in more detail later in this module and in the next module. All have different data flows—that is, how the data is moved around the network—and, as such, might have different physical requirements implementing them. They would also all have varying performance and security capabilities, in addition to different associated costs. Therefore, some specifications are more widely used. Some of the more important IEEE 802 standards you might have seen are listed here. (Notice that some of the 802.X standards have subcategories within each standard definition.)
• IEEE 802.3. The 802.3 working group defines wired Ethernet network standards. This is generally a local area network (LAN) technology, which you would see in a typical office environment, with some wide area network (WAN) or metropolitan area network (MAN) applications.
• IEEE 802.5. The 802.5 working group defines token ring network standards. Currently this group is inactive and the information has been archived for historical purposes.
• IEEE 802.11. The 802.11 working group defines standards for wireless local area networks (WLANs) in the 2.4, 3.6, 5 and 60 gigahertz (GHz) frequency bands. This group of standards generally uses radio frequency spectrum for the sending and receiving of data. The 802.11 networks exist as the most common form of wireless network and benefit from simple setup, node addition, and fairly low implementation costs.
• IEEE 802.15. The 802.15 working group defines wireless Personal Area Network (PAN) standards. These wireless PANs address wireless networking of portable and mobile computing devices such as computers, personal digital assistants (PDAs), peripherals, cell phones, pagers, and consumer electronics. This group includes Bluetooth certification.
• IEEE 802.16. The 802.16 working group of standards governs broadband wireless WAN technology. The 802.16 standards are generally known as Worldwide Interoperability for Microwave Access. The 802.16 networks use microwave transmission for the sending and receiving of data and are typically used for backbone connections for a telecommunications network or high-capacity corporate WAN. Because of the line-of-sight requirement for Worldwide Interoperability for Microwave Access devices to communicate, additional infrastructure such as towers and large antennae are required for an 802.16 implementation. This can make implementation costly. More information about the IEEE standards can be found at the following website. http://www.ieee.org
Network Components and Terminology
A network is a collection of devices connected to one another to enable communication and the sharing of resources. Most computer networks share a common set of components and common terminology regardless of differences in implementation or technology that is used. Some of the key components of a network are as follows:
• Data. This refers to the actual information that is being sent over a network.
• Bit. The smallest unit of information handled by a computer. One bit expresses a 1 or a 0 in a binary number, or a true or false logical condition. Network transmission rates are typically measured or displayed in bits per second (bps), or decimal multiples of that, that is:
o Kilobits per second (Kbps) = 1000 bits/sec
o Megabits per second (Mbps) = 1,000,000 bits/sec
o Gigabits per second (Gbps) = 1,000,000,000 bits/sec
• Byte. A group of 8 bits makes up a single byte. This typically holds a single character, such as a letter, a digit, or a punctuation mark. Some single characters can require more than one byte. For example, in languages such as Chinese, Japanese, and Thai, it requires two bytes to fully display the character. Various standards outline how bytes translate to specific characters for a language. The general industry standard is Unicode, which provides mappings for all languages. More information about Unicode can be found at the following website. http://www.unicode.org
Bytes are binary representations and are more usually used in relation to storage, defining how much data a hard disk can hold or provide. You need to be careful that you interpret the terms bit and byte correctly.
o 1 KiloByte (KB) = 2^10 = 1,024 bytes
o 1 MegaByte (MB) = 2^20 = 1,048,576 bytes
o 1 GigaByte (GB) = 2^30 = 1,073,741,824 bytes
o 1 TeraByte (TB) = 2^40 = 1,099,511,627,776 bytes
An important distinction between the two is that bits are indicated with a lower case “b” whereas bytes are indicated with an upper case “B”. Ultimately, computers store data as a series of numbers, 1s and 0s. These are converted to a format that humans can understand and interpret.
• Node. A network node refers to a device that either sends or receives data on a network. Computers are typical nodes, but nodes can be other devices that are directly attached to the network, such as printers, scanners, or handheld devices.
• Client. A computer on a network that primarily receives data or uses other resources on the network is known as a client.
• Server. A server is a computer on a network that is primarily responsible for sharing or “serving” data and resources to other computers on the network. A server typically provides access to shared files, services, or devices such as printers for the whole network, and access to the Internet, intranet, or email services, in addition to many other items.
• Peer. A peer performs the functions of a client computer, but also provides shared resources like a server does. Peers are common in small networks when a dedicated server is not necessary or cost-efficient.
• Network Adapter. A network adapter is a device that enables a node to physically connect to a network. It provides the interface between the hardware of the device connecting to the network and the network itself. A computer or device could have wired and wireless network adapters.
• Media. The physical material used to connect devices on a network is known as that network’s media. Media is typically a cable, but can also be wireless radio frequency, fiber-optic cables carrying light waves, infrared, or some other less “physical” medium.
• Hubs/switches/routers. These are devices that help direct and move data around and across networks. Although there is some crossover in functionality, they each have specific uses and attributes. High-level definitions are provided here; they are discussed in more detail in the next module.
o Hubs. These are the most basic kind of connecting device. They are used in a wired network to enable devices to talk to one another by using Ethernet cables. Typically, multiple cables are plugged into a single hub. No configuration is required or complex functionality supported.
o Switches. Similar to hubs, switches are used in a wired network to allow devices to talk to one another by using Ethernet cables. However, they provide much more control over how data is transferred between devices than a hub. Switches direct communication only to the nodes that require the information.
o Routers. These also allow for connecting devices and networks together and can be used in wired or wireless networks. Routers provide the greatest amount of functionality and customization, such as controlling network access, preventing data from accessing networks if it does not meet certain criteria, and “routing” traffic to certain networks.
• Transport protocol. A transport protocol refers to the set of rules that govern how data is packaged, sent, and unpackaged when it is transmitted over the network. Different network architectures will have protocols with different structures to accommodate how the network functions.
• Bandwidth. This term can have several different interpretations, depending on the context. Common usage would be in relation to the throughput or transmission speed at which a network operates, and it would be rated as a function of data transmitted per second. Bandwidth can be measured in various denominations, but you will typically see it expressed as the following:
o Kilobits per second (Kbps)
o Megabits per second (Mbps)
o Gigabits per second (Gbps)
Another, more original, use is in relation to signal transmission methodologies. There are two implementations:
o Baseband transmissions, where a single signal is transmitted at a time along a single cable.
o Broadband transmissions, where multiple signals are transmitted along a single cable at the same time. For example, this might be in a home where Internet access and multiple cable television channels are simultaneously being transferred over the same cable.
Network Architecture
Network architecture refers to both the set of physical components that work together to connect computers in a network and the functional organization and configuration of those components. Network architecture standards also govern how data is packaged and transmitted on a network.
A logical topology refers to how the data flows between nodes on the network. Logical topology is largely independent of the physical layout of the network, known as the physical topology, but there will be shared terminology between certain kinds of physical and logical topologies. Logical topology is largely dependent on the network standard used to implement data flow on the network. Network architecture can be generally discussed for LANs and WANs.
LANs
LAN standards include the most used Ethernet architecture and the older Attached Resource Computer Network (ARCnet) and token ring architectures.
Ethernet
Ethernet’s low cost, reliability, and simplicity of implementation have made it the main architecture standard found in modern networks. It is used in both small and large networking environments.
In basic form, an Ethernet network involves several nodes connected with copper wire cables to a hub or switch. For larger bandwidth requirements, or long-distance connections, fiber-optic cable is frequently used.
Ethernet has evolved into several specific standards. Over time, changes to network media, computing technology, and bandwidth requirements have forced changes to the Ethernet standard to accommodate the evolving network environment.
In an Ethernet-based network, data can be transmitted along the network media by any node at any time to all other connected nodes. This mass transmittal is known as broadcasting. The broadcasted transmission is detected by all nodes on the network, but only those nodes for which the transmission was intended will accept and receive the incoming data. The various Ethernet cabling standards are named using a bandwidth value, the term Base, and then a number or letter designation. A bandwidth value of 100 indicates 100 Mbps. The number indicates the distance over which a signal can carry. For example, a 2 represents 200 meters and a 5 represents 500 meters. A descriptor letter or letters help identify the cabling type. For example, T can indicate copper wire, and F/L and E can indicate various kinds of fiber-optic cable. The following table provides key characteristics of the most frequently implemented Ethernet standards.
Standard          Bandwidth
10BASE2           10 Mbps
10BASE5           10 Mbps
10BASE-T          10 Mbps
100BASE-TX        100 Mbps
100BASE-FX        100 Mbps
1000BASE-T        1 Gbps (1000 Mbps)
1000BASE-LX       1 Gbps
10GBASE-T         10 Gbps
10GBASE-LR/ER     10 Gbps
Ethernet networks that have speeds of 100 Mbps are known as fast or high-speed Ethernet. Ethernet networks that have speeds of 1 Gbps or greater are known as Gigabit Ethernet.
Power over Ethernet
In a scenario where cabling is not easily available, you can use the existing power lines that transfer electricity to implement an Ethernet network—that is, the electricity and data are transferred over the same cabling. A typical scenario would be in a home environment where it is not possible to install a network cabling system or where there is poor wireless signal reception. This scenario could extend the network range by using existing power cabling. There are limitations around power and distances, but this scenario can provide relatively fast networks.
Token Ring
The network nodes in token ring networks are arranged in a circle so that the data flows logically in a circular motion. It relies on the use of a “token,” which passes around the network. If a node wants to send data over the network, it grabs the “token,” attaches its message to it, and then sends the data. The data then travels in a circle around the network until it arrives at its intended destination. It uses primarily copper wire for data transmission and can transmit at speeds of somewhere between 4 Mbps and 16 Mbps. Token ring was common in early corporate networks as an alternative to Ethernet. However, it has been largely replaced by Ethernet.
Note: Support for token ring networks was removed in Windows Server 2012.
Attached Resource Computer Network
ARCnet is a form of token bus network architecture for PC-based LANs. It works by transferring data according to position or sequence numbers assigned to computers in the network—that is, 1, 2, 3, and so on. This is not the most efficient method for data transfer. ARCnet can support up to 255 nodes but is typically suitable for small networks. Different versions run at speeds of 1.5 Mbps, 20 Mbps (ARCnet Plus), and 100 Mbps. ARCnet is now rarely used for new general networks.
Fiber Distributed Data Interface
Fiber Distributed Data Interface (FDDI) also uses a token-based approach to transmitting data on a network, as outlined earlier for token ring networks. However, it uses primarily fiber-optic cable as a medium for transmission and can span distances of 200 km at a speed of 100 Mbps. FDDI was used in the early to mid-1990s to connect geographically separated networks. It has been largely replaced by Ethernet. FDDI is used mainly in mission-critical and high-traffic networks where a large amount of bandwidth is needed.
All the architecture types discussed to this point are wired networks. There are also many wireless network architecture types, such as WLAN or Wi-Fi, infrared, and Bluetooth. Ultimately, your requirements and ability to implement—be it cost, hardware availability, and so on—will dictate which network architecture you will deploy.
Network Media Access Control Methods
When data is transmitted on a network, it travels along that network’s media to reach its destination. The set of rules that define how and when a node sends data along the media is called the network media access control method.
On a computer network, data seems to move at the same time from node to node without interruption. Nodes give the illusion of concurrent access by taking turns accessing the network media for very short periods of time. If two nodes were to transmit data onto the network media at the same time, the data from each node would collide along the media and the data would be destroyed. In an environment that has hundreds of computers sharing the same network media, network media access control methods are critical to ensuring network data is transmitted correctly to its destination. There are two basic network media access control methods: contention-based access and deterministic access. In contention-based access networks, the nodes share or “contend” for access to the media. In deterministic access networks, the nodes “determine” how long data transmission and confirmation will take for an orderly flow of data.
Contention-Based Access
Carrier Sense Multiple Access with Collision Detection
When Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is used as a network media access control method, a node first “listens” on the network media to make sure that there is no existing data transmission in progress from another node. If no other transmission signal is present, the node will transmit its data. If a transmission signal exists on the network media, the node will wait for a small interval of time before checking again, repeating this process until the media is free of other data transmissions before it sends its own transmission.
When two nodes that want to send data check the network at the same time and find no existing transmission, they will both transmit their data. This causes a data “collision” on the network. When this occurs, both nodes detect the collision, stop transmitting data immediately, and send out a signal that informs all nodes on the media that a collision has occurred and that they should not transmit. Then, the nodes that caused the collision will wait for a random time before trying to retransmit their data.
CSMA/CD is the network media access method used for Ethernet networks. It provides the network with a fast method of data transmission and collision resolution, but because concurrent data transmission and collisions can occur, it becomes increasingly less efficient as more nodes are added to a specific segment of network media. This is not as relevant in modern networks because hubs are used less and less, and with the use of switches, there are only two nodes per wire.
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
When CSMA/CA is implemented, nodes advertise their intent to transmit data on the network media before actually transmitting the data. Nodes on the network media are constantly “listening” for the advertisements of other nodes, and if an advertisement is detected, the node will avoid transmitting its own data.
This method allows nodes to avoid collisions with data transmitted from other nodes on the network media more efficiently than CSMA/CD does. It also allows for more consistent communication on the network media for data transmission notification, especially if intermittent node connectivity is an issue or if a node is not always aware of every other node on the network media. This makes CSMA/CA an excellent candidate for wireless networks. It has been accepted as the network media access control method for the 802.11 group of wireless networking standards. CSMA/CA’s collision avoidance method does come at the cost of being generally a slower method than CSMA/CD.
Deterministic Access
Token Passing
Token passing is a method that uses a small piece of data or “token” to signify the intention to transmit data. This token, together with the other data being sent, is passed around to all systems in the network. When the token and data reach the intended destination, the data is passed to the destination system and the token continues through the rest of the system until it reaches the originating system, confirming transmission to the whole network. Both FDDI and token ring use the token passing method.
Demand Priority
Demand priority is a method that shifts network access control from the transmitting node to the hub. Before transmitting data, a node must receive permission from the hub. The hub can provide both high-priority and regular-priority transmission to the destination node. Demand priority guarantees bandwidth and increases network traffic. Demand priority is used on 100 Mbps Ethernet networks.
Fundamentals of a Windows Server Infrastructure
Lesson 2
Local Area Networking
A LAN is the most basic and frequently implemented form of computer network. This lesson introduces you to the LAN and its associated concepts and technologies.
The LAN is the building block for all major and more complex networks. So, this lesson will also familiarize you with LAN structure, design, and implementation.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe LANs.
• Describe how nodes on a LAN communicate.
• Describe the physical components of a LAN.
• Describe different LAN physical topologies.
• Describe virtual LANs.
What Is a LAN?
A LAN is a computer network that typically covers a specific physical area such as a home, an office, or a closely built group of buildings, such as a school campus or airport. LANs also typically feature a high bandwidth capacity and can provide equal bandwidth and network access to all nodes. However, because of constantly improving technology and the high bandwidth available in modern networking technology, LANs are becoming less dependent on geographic proximity. Most modern LANs use the Ethernet standard for network connectivity.
Understanding Network Infrastructure
How Nodes on a LAN Communicate
Although communication between nodes on a LAN might seem to be constant, especially when the LAN is used to offer functionality such as video conferencing, as described earlier, it is not. Rather, communication on a LAN consists of shared access to the network media by using short transmissions of relatively small pieces of data, so that all nodes on the network can have access. In most cases, the data a user interacts with on a LAN (such as a file, video conference, or print job) is far too large to be contained in a single transmission from a node. For a LAN to deliver these large amounts of data, the information must be broken down into what are called network frames.
A network frame contains a part of the original data being sent, together with network-specific information about the frame’s sender, the frame’s recipient, and information that allows the frame to be reassembled into readable data at its destination. A frame also contains error-checking information, a cyclic redundancy check (CRC) value, that allows a frame which does not arrive at its destination intact to be detected and retransmitted from the sender. The actual structure of a frame depends on the kind of network being used. For example, an Ethernet frame will differ slightly in structure from a token ring frame. Frames are described in more detail in the next module. Every node on the LAN has a unique network address, and this unique identifier allows each frame to carry information about where it is going and where it is coming from. This unique address allows for simple and precise delivery throughout the LAN and also allows each node to be distinctly identifiable on the network.
A media access control (MAC) address is the most basic form of unique identifier for a node on a LAN. MAC addresses are assigned to all network adapters at the time of manufacture and are most frequently represented in hexadecimal format (for example, 00-22-FB-8A-41-64).
Physical Components of a LAN
The physical components of a LAN are responsible for taking network data and transmitting it to its destination along the physical media that connects the nodes together. A LAN can vary in complexity from two or three connected nodes in the same room to thousands of nodes connected over a large area. As such, LANs can consist of only a few components or a large number of interconnected components. The most common physical LAN components are:
• Network adapters. Network adapters provide the point of contact between a LAN node and the rest of the network. They are typically connected to the network through a wire or cable. Different network architectures (Ethernet, token ring) require different network adapters to interface with the LAN. For example, an Ethernet network adapter will not function when connected to a token ring network.
• Wiring or cable. A LAN’s wiring provides the physical media along which a LAN’s data is sent. LAN cable types vary and are classified into a number of different types according to the physical qualities of the cable. Common cable types include:
o Unshielded twisted pair (UTP). This cable is the most common type found in Ethernet LANs. It consists of four pairs of copper wire twisted together and is usually terminated with what is called an RJ-45 connector. The pairs of copper wire are twisted around each other to cancel out electromagnetic interference, or “crosstalk,” as data moves along the cable, allowing for better data integrity at the receiver. Most technologies use just two of the four twisted pairs. UTP is by far the most common cabling standard used in LANs.
o Coaxial copper. This cable is used in older Ethernet networks. It uses a barrel-type BNC connector and is typically terminated with a resistor.
o Fiber-optic. This cable uses light transmitted along glass or fiber tubes rather than the electrical signals sent across copper-based cable. It is capable of transmitting data over longer distances than copper and is typically used for connections that exceed the length restrictions of copper cables, or in areas where electromagnetic interference would prohibit the use of copper cable.
• Hubs. As explained earlier, a hub is a device for connecting multiple nodes on a network. Each node that is physically connected to the hub can communicate with all other nodes connected to the same hub. When using a hub, a signal sent from any node on the hub is transmitted to every other node; therefore, hubs have more collisions and are typically used only in small networks.
• Switches. A switch performs the same basic functions as a hub, but it allows for more sophisticated and efficient handling of the data. As such, a switch can provide much improved performance over a hub when more than a few nodes are connected to the network. Because of the comparable cost of network switches and hubs, switches have largely replaced hubs, even in small networks.
• Termination points. Termination points, or jacks, describe the physical termination of a network cable that allows a node to physically connect to the LAN. Typically, termination points exist as wall plates with an appropriate receptacle for a short network cable that runs from the jack to the network adapter of the node device.
• Wiring cabinets. Wiring cabinets, or wiring closets, provide a location where a number of hubs, switches, or other LAN connectivity devices are placed to provide a central point of connection for LAN nodes located in a specific physical area, such as a building or a floor of a building. These locations are typically a small room or closet.
LAN Physical Topology
A LAN’s physical topology refers to the actual layout and connection of the physical components of a LAN. The physical topology of a LAN is determined primarily by the network’s size, architecture, and required functionality. Physical topology plays a key role in determining a LAN’s bandwidth capability and overall performance. As a result, physical topology is a very important part of LAN design, especially in larger networks. There are five main physical topology types.
• Bus topology. In a LAN where physical bus topology is used, nodes are connected to each other in a consecutive line along a segment of network media. The network media is then typically “terminated” at each end with a special device or connector that acts as the boundary for that particular segment or piece of the LAN. Bus topology has been largely replaced by star topology in LANs.
o Advantages: A LAN using bus topology is easy to set up, it minimizes the amount of cabling required, and the ability to quickly add systems makes it suitable for small LANs or temporary networks.
o Disadvantages: If one section of the network media becomes disconnected or breaks, the entire network ceases to function. This makes a bus topology–based LAN difficult to troubleshoot. You must also ensure that the endpoints are terminated correctly, and cable length must be considered because of signal attenuation.
• Ring topology. In a physical ring topology, nodes are connected in much the same way as with a bus topology, but rather than each end of the network media being terminated, the ends are connected together to form a ring. Ring topology has been largely replaced by star topology in LANs.
o Advantages: Similar to bus topology, a LAN using ring topology is easy to set up, and the ability to quickly add systems makes it suitable for small LANs.
o Disadvantages: Unfortunately, the same disadvantages that a LAN using bus topology faces also exist in a LAN based on ring topology. The LAN is based on out-of-date technology, and if one section of the network media becomes disconnected or breaks, the entire network ceases to function. This can make a LAN based on ring topology difficult to troubleshoot.
• Star topology. When using star topology, nodes are not connected to each other as they are in a bus or ring topology; instead, they are connected to a central device such as a hub or switch. Modern Ethernet-based LANs typically use star topology for their physical configuration.
o Advantages: LANs using star topology become more reliable on a node-by-node basis because of the presence of the switch. With this device, nodes depend only on their individual connection to the switch for access to the rest of the network. When using star topology, the break or disconnection of a cable affects only the node using that specific cable, making the LAN generally more reliable and easier to troubleshoot.
o Disadvantages: LANs based on star topology typically require more hardware and planning to implement, due primarily to the addition of the switch or hub device and the extra length of network cable required to connect each node back to the centrally located switch or hub. They also still contain a single point of failure: the network switch or hub. If this device fails, the entire network ceases to function. In modern implementations, switches are used far more than hubs.
• Hybrid topology. Hybrid topology does not refer to a specific physical configuration, but rather to the combination of two or more different topologies used together on the same LAN. The most common form of hybrid topology consists of multiple star topology–based networks connected together using bus topology to form a single LAN. LANs based on hybrid topology are very common, and become necessary when designing large or complex LANs.
• Mesh topology. In a LAN based on mesh topology, extra connections are added to provide a level of fault tolerance to the network. In a mesh topology–based LAN, information has more than one path it can take between at least two individual nodes. This addition of extra connections, or “meshing,” is typically done for critical or high-traffic connections within the LAN. Mesh topology features two separate forms of meshing.
o Fully meshed. In this configuration, a direct link exists between every pair of nodes on the network. This provides the highest level of fault tolerance available, but cost and complexity also increase exponentially as more nodes are added to the network.
o Partially meshed. Partially meshed LANs are far more common than their fully meshed counterparts. They do not provide direct connections between every pair of nodes, but rather introduce a number of redundant connections chosen to balance fault tolerance against a reasonable cost of implementation.
What Is a Virtual LAN?
A LAN is also known as a broadcast domain. This means that nodes connected to the LAN can broadcast to communicate with one another, and every node within that domain will receive the broadcast; therefore, conceptually, they can be considered part of a domain in which that broadcast is received. Generally, routers do not propagate broadcasts, and so another definition of a LAN is a collection of nodes bounded by routers.
Note: A broadcast is a specially addressed network frame that is processed by all nodes connected to a LAN segment. Switches pass broadcasts. Routers typically do not. The destination MAC address of a broadcast frame is FF-FF-FF-FF-FF-FF.
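The frame fields described earlier in this lesson (destination and source MAC addresses in dash-separated hex, a piece of the data, and a trailing CRC) and the broadcast destination FF-FF-FF-FF-FF-FF from the note, worked through in Python as an added example that is not part of the courseware. It assumes the Ethernet II field layout (14-byte header, CRC-32 trailer), which this page does not detail; the sample frames and the second MAC address are constructed.

```python
import struct
import zlib

# Broadcast destination address, as given in the note above.
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"

# Assumed Ethernet II layout (not detailed on this page): 6-byte destination
# MAC, 6-byte source MAC, 2-byte EtherType, payload, then a 4-byte CRC-32
# frame check sequence covering everything before it, stored little-endian.
HEADER_LEN = 14
CRC_LEN = 4


def format_mac(raw: bytes) -> str:
    """Render six address bytes in the dash-separated hex form used in the text."""
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return "-".join(f"{b:02X}" for b in raw)


def mac_bytes(text: str) -> bytes:
    """Inverse of format_mac; accepts '-' or ':' as the separator."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame and append the CRC-32 computed over header + payload."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and report whether the stored CRC matches.

    A mismatch means the frame was damaged in transit; the receiver drops it
    and the sender retransmits, which is the role the text gives the CRC.
    """
    if len(frame) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame too short to contain a header and CRC")
    dst = format_mac(frame[0:6])
    src = format_mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[HEADER_LEN:-CRC_LEN]
    stored_crc = struct.unpack("<I", frame[-CRC_LEN:])[0]
    computed_crc = zlib.crc32(frame[:-CRC_LEN]) & 0xFFFFFFFF
    return {
        "dst": dst,
        "src": src,
        "ethertype": ethertype,
        "payload": payload,
        "crc_ok": stored_crc == computed_crc,
        "is_broadcast": dst == BROADCAST_MAC,
    }


def classify_frames(frames) -> dict:
    """Count frames that are broadcast, unicast, or damaged (CRC mismatch)."""
    counts = {"broadcast": 0, "unicast": 0, "damaged": 0}
    for frame in frames:
        info = parse_frame(frame)
        if not info["crc_ok"]:
            counts["damaged"] += 1
        elif info["is_broadcast"]:
            counts["broadcast"] += 1
        else:
            counts["unicast"] += 1
    return counts


def corrupt(frame: bytes, index: int = 20) -> bytes:
    """Flip one payload bit to simulate damage in transit (CRC will not match)."""
    data = bytearray(frame)
    data[index] ^= 0x01
    return bytes(data)


# Constructed sample traffic. NODE_A is the MAC example from the text; NODE_B
# is made up. 0x0806 (ARP) and 0x0800 (IPv4) are real EtherType values.
NODE_A = "00-22-FB-8A-41-64"
NODE_B = "00-1A-2B-3C-4D-5E"

SAMPLE_FRAMES = [
    build_frame(BROADCAST_MAC, NODE_A, 0x0806, b"who has 192.0.2.10?"),
    build_frame(NODE_B, NODE_A, 0x0800, b"part 1 of a larger transfer"),
    build_frame(NODE_A, NODE_B, 0x0800, b"part 2 of a larger transfer"),
]

if __name__ == "__main__":
    traffic = SAMPLE_FRAMES + [corrupt(SAMPLE_FRAMES[1])]
    for frame in traffic:
        info = parse_frame(frame)
        kind = "broadcast" if info["is_broadcast"] else "unicast"
        status = "crc ok" if info["crc_ok"] else "CRC MISMATCH"
        print(f"{info['src']} -> {info['dst']}  {kind:9}  {status}")
    print(classify_frames(traffic))
```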
A virtual LAN (VLAN) is a virtual implementation of a LAN that allows you to control which nodes receive which traffic and to group the nodes accordingly—that is, nodes in different physical or geographical locations can behave as if they were on the same logical network. This is typically achieved with switches and software, whereby you configure a switch, or switches, so that traffic between certain ports on the switch is treated as though it were traffic on a single LAN. Traffic from other ports outside this VLAN is typically routed. The advantages of implementing VLANs are that you can:
• Exert a fine degree of control over how traffic moves through the network.
• Control network bandwidth by configuring nodes that frequently communicate with one another onto the same VLAN.
• Easily reconfigure your VLAN to encompass more or fewer nodes. You might need to rewire the network to achieve the same ends with a LAN.
• Isolate network traffic to a specific VLAN; for example, to isolate computers that do not meet organizational security requirements.
Question: What topology configuration might you recommend for a new Ethernet LAN being built to connect computers located in several buildings together on a school campus?
Lesson 3
Wide Area Networking
Computer networks are found all across the world. Organizations that operate those networks frequently have multiple offices or locations in different cities, countries, or continents. These organizations often require their networks to be connected to each other to meet their business needs, but are unable to connect these locations together with LAN technology because of its high cost to implement over long distances. A WAN gives these organizations the ability to connect their networks regardless of geographic boundaries, transcending the limitations of LAN technologies. WANs are the basis for the global level of network connectivity that we have in today’s computing environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe WANs.
• Describe components of a WAN.
• Describe WAN standards.
• Describe T-Carrier and E-Carrier standards.
• Describe Optical Carrier standards.
• Describe Integrated Services Digital Network (ISDN).
• Describe methods used to connect to the Internet using WAN components.
What Is a WAN?
A WAN is a geographically distributed network composed of multiple LANs joined into a single large network, typically using leased or third-party services.
A WAN is used primarily to connect a group of LANs together that belong to the same organization or have a specific requirement of interconnectivity. Historically, technology used to implement links that connect multiple LANs together to form a WAN has been relatively slow and unreliable when compared with LAN capabilities. However, with evolving technology, modern WAN links are capable of higher bandwidth and can make multiple interconnected LANs appear as one large LAN to the users of the network in terms of network speed and resource access. In this way, the lines between LANs and WANs have become somewhat blurred. In general, LANs and WANs are different in several basic ways.
• Speed. LAN cabling is primarily Ethernet with speeds up to 10 Gbps. WANs are typically slower, with speeds up to 150 Mbps. WAN latency, the delay between when data is transmitted and when it is received, is frequently a concern.
• Cost. LAN components are usually less expensive than WAN components. LANs can be constructed from inexpensive cabling and network interface cards (NICs). WANs require specialized routing equipment.
• Complexity. LANs are easy to set up and expand. WANs, with a large number of users, require more sophisticated optimization and communication plans.
• Size. LANs are usually confined to a small geographic area like an office or school. WANs cover a larger geographical area like a city or multi-location business and can even be on a global scale.
• Dependency/Reliability. In a LAN, it is expected that everything is well connected and redundant. A WAN is likely to depend on a single set of wires or connections to the provider running through the same conduits. A whole building could lose connectivity if building construction or some other cause disturbs or breaks the wires. A site going offline on a WAN is more likely than multiple nodes going offline on a LAN. Preventing WANs from going offline is more costly.
Physical Components of a WAN
A WAN may be composed of a number of different components, depending on the WAN technology used and whether an organization’s WAN has been self-constructed or consists of leased or rented services from telecommunications companies. Common WAN components are:
• Bridge. A bridge allows for the connection of two or more network segments or LANs. A bridge forwards network data between LANs and identifies nodes on the WAN by using the node’s MAC address. A bridge is the most basic way to connect two LAN segments together. Comparatively, it functions like a two-port switch, the main difference being that it uses a “MAC table” to decide which packets to forward to which side of the bridge. MAC addresses are described later in the course.
• Router. A router is a device that is responsible for connecting individual networks together and ensuring that data traveling outside of any given network reaches its destination. Routers contain a list of potential destinations, or “routes,” that they use to send and receive data from other networks. A router needs the IP protocol and does not care about “MAC table” addressing. The network and router must be configured so that the router knows which IP address segments are where, and so that network nodes can distinguish between local and routed communication and send packets either directly or to the router for forwarding. IP addressing is described in more detail later in the course.
• Leased line. A leased line refers to a WAN connection that is usually provided by a third party, typically a telecommunications company. The telecommunications company uses its existing equipment to connect two or more separate LANs together. This service can be implemented by using a number of different technologies. The actual technology used is usually transparent to the connected LANs, which will typically be connected to the leased line through a router that contains the proper routes to the other connected LANs.
• Backbone. A backbone segment of a WAN refers to a high-capacity section of the WAN over which the bulk of WAN traffic travels. In contrast to a leased line, many backbone segments are built and owned by the organization operating the LANs connected by the backbone. This type of connection allows multiple LANs to be connected together at high speed without having to pay ongoing rental or leasing costs or rely on a third party for consistent WAN connectivity. Backbones do, however, have the drawback of being relatively costly to implement.
What Are WAN Standards?
Most WANs rely on data sent through third-party telecommunications providers and frequently make use of the provider’s existing communications infrastructure to send data between LANs. In this context, WAN connections use a number of different standards for data transmission. These standards are typically chosen for bandwidth capability, but available technology and regional location also play a part in determining what WAN standards are available to an organization for the implementation of its WAN. WAN standards typically define the method used to manipulate the data along the connection, in addition to the bandwidth capability of a WAN connection and the media used.
WAN standards also use multiplexing to allow efficient use of WAN connections. Multiplexing refers to the process of combining and sending multiple, simultaneous data transmissions over the same media. This allows for higher bandwidth capability and shared usage of a single WAN connection. Some of the more commonly known WAN standards are:
• T-Carrier standards. T-Carrier standards are a group of standards implemented primarily in North America and some parts of eastern Asia and Japan that govern digital data transmission.
• E-Carrier standards. E-Carrier standards are a group of standards similar to the T-Carrier standards. The E-Carrier standards were developed in Europe and are used globally, with the exception of the regions that have adopted the T-Carrier standard as previously mentioned.
• Optical Carrier standards. Optical Carrier standards contain specifications for transmitting digital data over fiber-optic networks.
• ISDN. ISDN allows simultaneous voice and data transmission over existing public telephone network infrastructure.
• Digital Subscriber Line (DSL). DSL uses existing telephone network infrastructure to transmit data. It involves the simultaneous transmission of both voice and data over the same physical line by using a separate, higher frequency for data transmission and a filter on the physical line to separate the frequencies. DSL comes in two main types, both of which use a modem for sending and receiving the signal along the telephone infrastructure. Companies tend to use it for backup lines or small offices.
o Symmetric digital subscriber line (SDSL). SDSL provides equal bandwidth for sending and receiving data.
o Asymmetric DSL (ADSL). ADSL uses different data rates for sending and receiving, with the sending bandwidth typically considerably lower than the receiving bandwidth. Because it is less expensive to implement, ADSL is typically provided for residential use.
What Are the T-Carrier and E-Carrier Standards?
T-Carrier and E-Carrier standards are a family of WAN standards used by telecommunications companies to deliver digital communications over long distances. T-Carrier is the standard most commonly used in North America. The E-Carrier standard, first developed in Europe, has been adopted by most of the rest of the world. The T-Carrier and E-Carrier standards are graded according to bandwidth capability as T1, T2, T3, and so on, and E1, E2, E3, and so on. However, T1/E1 and T3/E3 are the most common and make up the majority of T-Carrier–based or E-Carrier–based network implementations.
• T1. A T1 line has a bandwidth capability of 1.544 Mbps. T1 typically uses two pairs of twisted-pair copper wire as its media.
• T3. A T3 line provides a bandwidth capability of 44.736 Mbps. T3 typically uses fiber-optic cable as its media.
• E1. An E1 line has a potential bandwidth of 2.048 Mbps. Similar to T1, E1 is typically carried over copper wire–based media.
• E3. An E3 line has a potential throughput of 34.368 Mbps. Like T3, E3 typically uses fiber-optic cable as its media.
Optical Carrier Standards
OC-X standards refer to a set of specifications for digital data over specifically designed fiber-optic networks: Synchronous Optical Network (SONET) in North America and Synchronous Digital Hierarchy (SDH) in the rest of the world. Designed for high-capacity, long-distance connections, optical carrier connections are widely used as the backbone of the Internet. OC-X connections are also used as private connections and as a carrier for bandwidth-intensive applications, such as video conferencing.
The base bandwidth unit for an OC-X connection is 51.84 Mbps, and each OC-X level is that multiple of the base unit. For example, the OC-3 transmission medium has three times the transmission capacity of OC-1. Common OC-X classifications are as follows:
• OC-1: 51.84 Mbps
• OC-3: 155.52 Mbps
• OC-12: 622.08 Mbps
• OC-24: 1244.16 Mbps
• OC-48: 2488.32 Mbps
• OC-192: 9953.28 Mbps
• OC-768: 39,813.12 Mbps
Optical Carrier standards are used throughout the industry. For example:
• OC-12 is commonly used by ISPs for WAN connections at the regional or local level.
• OC-48 is commonly used for larger ISP WAN backbones.
• OC-768 has been used for transatlantic cabling.
What Is ISDN?
ISDN uses the preexisting public telephone network to provide digital voice and data services. In early WANs, ISDN was a very popular method for connecting LANs together, but it has since been largely replaced by standards built on more modern technology. Similar to E-Carrier and T-Carrier networks, an ISDN connection uses individual 64 Kbps channels to transmit data, although not using the same technology. An ISDN connection is also dial-on-demand in nature, requiring a call to be placed on the line before a connection is made. However, digital call placement on ISDN typically takes only one or two seconds. ISDN has two common types:
• Basic Rate Interface (BRI). BRI typically uses two 64 Kbps channels and supports a bandwidth of 128 Kbps.
• Primary Rate Interface (PRI). PRI uses twenty-three 64 Kbps channels and supports a bandwidth of 1.536 Mbps, roughly equivalent to the bandwidth of T1 and E1 lines. PRI ISDN connections are commonly used as backup or alternate route connections for T1 or E1 connections.
Although everyday usage of ISDN is less common than it used to be, ISDN lines are still frequently used in many parts of the world as low-cost backup connections to more robust WAN links.
Other WAN-Based Connection Technologies
Although private WANs and LANs are critical pieces of an organization’s computing environment, almost all require a connection to the rest of the world for communication outside of the organization. Typically, this is through the public Internet.
In theory, the Internet exists as a large, global WAN. As a result, WAN-based technologies are used extensively throughout the Internet to connect private LANs and WANs. These technologies are typically implemented and operated by telecommunications providers, who connect the end user to the Internet by using their existing infrastructure as an intermediary network. This service is typically leased or rented to individuals or organizations to give them access to Internet connectivity. Along with the previously discussed T-Carrier, E-Carrier, and ISDN technologies, other common WAN-based Internet connection technologies are:
• Cable modem. Cable modems provide a service similar to that of DSL, but use the cable TV medium as an intermediary connection to the Internet.
• 2G, 3G, and 4G wireless. Historically, mobile communications networks were typically reserved for voice communications. With the advent of faster, more robust networks like 3G and 4G, however, the use of these networks for digital data transmission has become more prevalent and a common method for mobile computer users to access network connectivity when not in a LAN environment.
o 2G is also known as Global System for Mobile Communication (GSM) and is an older technology.
o 3G is also known as Universal Mobile Telecommunications System (UMTS) in Europe and elsewhere.
o LTE (Long-Term Evolution of UMTS) is sometimes referred to in the context of 4G technology. It is seen as a faster technology and is becoming more popular.
Lesson 4
Wireless Networking
Wireless networking has become an important part of both home and corporate networks. Wireless networks allow nodes to operate apart from the confines of physically wired connections. The increased mobility and freedom that a wireless network offers allow organizations to use computing resources in ways not feasible using wired network components. Wireless networks come in many configurations using multiple standards and different technology.
Familiarity with wireless networking components, terminology and standards is very important to overall computer networking knowledge.
Lesson Objectives
After completing this lesson, you will be able to:
• Understand the fundamental concepts of how wireless networks work.
• Describe the components of a wireless network.
• Describe 802.11.
• Describe infrared and Bluetooth connectivity.
• Describe attenuation and interference problems.
• Describe different ways to secure wireless networks.
What Is Wireless Networking?
Humans are surrounded by and constantly bombarded with various forms of radiation from the sun, light waves, radio waves, microwaves, and other sources. The characteristics of these waves, and how they can be identified, are outlined in what is known as the electromagnetic spectrum. This spectrum is a range of frequencies and wavelengths that runs from very low to very high values. Each range of values within this spectrum is bundled, from a naming point of view, according to specific characteristics so that we can categorize and identify it. All the different wave types carry electric and magnetic energy, and it is this energy which, from a computing point of view, can be converted into 1s and 0s and interpreted by a computer to allow data transfer.
Wireless networking typically operates in the radio and microwave frequency ranges. A wave’s frequency and wavelength determine characteristics such as the distance it can travel and the speed at which data can be transferred. Different types of waves also need different types of hardware to transmit and receive the signals, or are subject to different regulations that define who can use them. A wireless computer network consists of two or more network devices connected together and able to exchange information with each other by using some form of wireless technology—that is, no cables.
Wireless Networking Components
A wireless network consists of two or more network devices connected together by using some form of wireless technology, typically radio-frequency or microwave transmission.
Although completely wireless networks are common in smaller LANs found in homes or small offices, in corporate settings wireless networks are typically used to expand or extend a larger, traditionally wired network. This could be in a LAN environment, providing network access to mobile users in a non-wired location such as an outdoor area, or in a WAN environment, to connect to locations where physical network media like copper or fiber is impossible or not cost effective. The following are common components and terminology found in wireless networks:
• Wireless network adapter. Like its wired counterpart, a wireless network adapter connects a node to the wireless network and is capable of both sending and receiving information on the wireless network.
• Access point. An access point provides a means of connecting to the wireless network. This can be in the form of another wireless network adapter or, more commonly, a centralized, dedicated access point. This dedicated access point may or may not be used to connect the wireless network to an existing wired network or LAN. One or more access points that are made publicly available to provide Internet access are commonly known as hotspots. You would typically find hotspots in airports, libraries, cafes, and other public places.
• Ad-hoc network. An ad-hoc wireless network consists only of wireless nodes connecting to each other and has no centralized access point. Ad-hoc wireless networks are typically used for temporary, peer-to-peer connections between two computers.
• Infrastructure network. An infrastructure network is a wireless network that provides a centralized access point for wireless network clients. Infrastructure networks are the most common wireless network type used in enterprise network environments.
• Service set identifier (SSID). An SSID is a string of characters that identifies and advertises a wireless access point’s existence to potential clients. This string is typically configurable to any alphanumeric value, so it also provides a method of applying naming schemes to wireless networks if necessary.
What Is 802.11?
As previously noted, the IEEE 802.11 working group of standards defines the aspects of WLANs. 802.11 is one of the most recognizable IEEE standard categories, because the numeric identifier is widely used to refer to WLANs and devices in general. The IEEE 802.11 working group consists of four commonly used standards.
• 802.11a. These devices operate in the 5 gigahertz (GHz) radio frequency (RF) band. 802.11a offers a theoretical bandwidth of 54 Mbps, but suffers from a relatively short range because of the technical limitations of radio waves at 5 GHz.
Note: The 802.11 bandwidth is frequently discussed as theoretical. This is because factors such as distance from the access point, interference from other devices, and physical obstructions can affect the wireless signal and decrease the actual bandwidth available to a client.
Fundamentals of a Windows Server Infrastructure
• 802.11b. These devices operate in the 2.4 GHz RF band and offer a slight improvement in range over 802.11a, especially when located in buildings or around multiple obstructions. However, the maximum throughput of 802.11b, at 11 Mbps, is considerably lower than that of 802.11a.
• 802.11g. This was developed to combine the data throughput of 802.11a with the increased range and reliability of 802.11b. It operates in the 2.4 GHz RF band and offers a theoretical bandwidth of 54 Mbps.
• 802.11n. This is the most recently developed and published standard, and improves upon 802.11g in both bandwidth and range. 802.11n also introduces the concept of multiple-input multiple-output (MIMO) channels, which combine multiple signals into a single data stream for increased network throughput. Although the physical maximum throughput of a single 802.11n stream is 150 Mbps, combining the signals of up to four physical antennas allows for a theoretical maximum throughput of 600 Mbps. 802.11n is quickly becoming the most common form of 802.11 network deployed.
The following table provides details about the most common 802.11 standards.

Standard   Released   Frequency     Data Rate   Indoor Range   Outdoor Range
802.11a    Sep 1999   5 GHz         54 Mbps     50 feet        100 feet
802.11b    Sep 1999   2.4 GHz       11 Mbps     150 feet       300 feet
802.11g    Jun 2003   2.4 GHz       54 Mbps     150 feet       300 feet
802.11n    Oct 2009   2.4–2.5 GHz   600 Mbps    300 feet       600 feet
Infrared and Bluetooth
Infrared technology uses infrared (IR) electromagnetic radiation to wirelessly connect various devices and transmit data between them. The term infra comes from the Latin word meaning below; the range of frequencies and wavelengths at which infrared operates borders the visible spectrum on the red side, hence the term infrared. The opposite is ultraviolet—ultra coming from the Latin word for above, and violet from its bordering the visible spectrum on the opposite, violet, side. Neither IR nor ultraviolet is visible to the human eye.
Infrared connectivity is a direct beam technology—that is, the connecting devices need to have a direct line of sight or an unblocked path between the transmitter and receiver (the signal cannot pass through walls). It is typically used over relatively short distances and has been widely used in television and home entertainment remote controls, some older laptops and mobile phones, cameras, and PDAs. Some medical devices have also used it. It typically operates over ranges of about 1 to 3 meters and offers data transfer rates up to about 4 Mbps. However, IR specifications are being actively developed and researched, and these values will most likely improve over time. Where interference or security is a potential issue with wireless radio transmissions, and line of sight or distance is not an issue, IR could offer a potential solution for wireless device connectivity, but it has become less and less popular. Most computers today do not have IR capability built in. Computers and devices can, however, use infrared ports to send and receive infrared signals.
The Infrared Data Association specifies and develops IR technology. More information about the Infrared Data Association can be found at the following website. http://www.irda.org
Bluetooth is a wireless radio frequency technology that is used to connect two or more portable devices over short distances. You will typically see Bluetooth implemented in consumer devices such as telephones, headsets, mice, keyboards, and Global Positioning Systems (GPS) in cars. It has an immediate benefit over IR in that it doesn’t require direct line of sight. It operates over a range of approximately 10 meters and can have data transmission speeds of potentially up to 24 Mbps, which allows it to transmit voice and data successfully. It is also relatively inexpensive to implement and can have low power requirements, which has helped broad adoption by manufacturers in consumer devices.
Bluetooth has had some security concerns in the past because of the ease at which devices using it could be accessed or controlled. New specifications and changes in its implementation have led to improved security, but like all wireless devices, security must be a key part of the process before implementation in any organization.
The IEEE adopted and defined the Bluetooth specification in the 802.15.1 standard but subsequent updates have been implemented to the specification by the Bluetooth Special Interest Group (SIG), which is a private, not-for-profit organization that drives Bluetooth specifications and adoption.
Attenuation and Interference
All the computer wireless technologies outlined previously use electromagnetic radiation, which travels as waves and as such, these waves are subject to interference and attenuation like all the waves in the electromagnetic spectrum. There’s a complete science dedicated to how waves travel and interact with each other and their surroundings, but this section describes just two areas of interest that have a direct bearing on how you implement and manage your wireless networks.
Attenuation is the weakening of a transmitted signal. It can be caused by the medium through which the signal passes—for example, air, water, glass, or concrete—simply absorbing the energy of the wave, and as a result can reduce the distance over which a signal can travel or the usable frequency range. This means that depending on the signal type (infrared, Bluetooth, Wi-Fi radio frequencies), the signal will have a maximum range over which it will work successfully. All the wireless standards state that they operate up to a maximum range of X, but the maximum range is seldom attained. Variables such as the thickness of walls or the amount of steel in buildings can have significant effects on signal strength. Placing a wireless transmitter in an area with thick concrete walls containing steel rods can significantly reduce the range of any wireless signal. The term attenuation also covers the distortion of a digital signal or the reduction in amplitude of an electrical signal. Attenuation is usually measured in decibels and is sometimes desirable, as when signal strength is reduced electronically, for example, by a radio volume control, to prevent overloading.

Interference is the interaction of other electromagnetic radiation signals with the wireless signal. This can result in the signal not being clear enough to be received or interpreted correctly by a receiver. Each day you are surrounded by electromagnetic “noise” from radios, TV, microwaves, GPS, telecommunication satellites, and mobile phones. There is a lot of competition for the right to broadcast on specific areas of the spectrum; governments typically license these areas to private companies to raise revenue. This broadcast competition can cause interference in your wireless signal and reduce the quality of the data you receive. Even the weather can have an effect on your wireless signal.
Items such as atmospheric pressure or even sun activity, such as when we get an increased amount of electromagnetic radiation from the sun, can interfere with or damage some wireless network data or equipment. Various techniques and technologies have been developed to try to mitigate some of this interference, but you need to be conscious of where you place your access points and receivers; for example, having microwave ovens and access points next to each other would only increase the chances of interference between the two.
If you deploy wireless networks within an organization, you should also be aware of which devices are operating in that area and in which frequency ranges. Some will be generated by your organization and employees and some will be external (TV, radio masts, and so on). As a result, some locations will prove more suitable for access points than others. The structure of your building also has an impact: rooftop versus basement, stairwells versus lift shafts, or beside support columns versus on ceilings. Anywhere with large amounts of concrete or steel is typically bad for signal integrity and prone to wireless signal attenuation and interference.
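The following added example, which is not part of the course material, works the decibel and path-loss arithmetic behind the attenuation discussion above in Python. It uses the free-space path loss formula (a standard radio-engineering result) to show why, for the same transmit power, a 5 GHz signal such as 802.11a reaches less far than a 2.4 GHz signal, and how an extra attenuation figure for a wall shortens the range further. The transmit power (20 dBm), receiver sensitivity (-70 dBm) and wall loss (10 dB) are assumed illustrative values, not figures from the course.

```python
import math

C = 299_792_458.0  # speed of light in metres per second


def wavelength_m(frequency_hz: float) -> float:
    """Wavelength of a wave from its frequency (c = f * lambda)."""
    return C / frequency_hz


def ratio_to_db(power_ratio: float) -> float:
    """Express a power ratio (for example received / transmitted) in decibels."""
    return 10.0 * math.log10(power_ratio)


def db_to_ratio(db: float) -> float:
    """Inverse of ratio_to_db."""
    return 10.0 ** (db / 10.0)


def free_space_path_loss_db(distance_m: float, frequency_hz: float) -> float:
    """Friis free-space path loss: 20 * log10(4 * pi * d * f / c).

    This models only the spreading of the wave through open air.  Walls, steel,
    rain and interference add further loss on top of this figure.
    """
    return 20.0 * math.log10(4.0 * math.pi * distance_m * frequency_hz / C)


def received_power_dbm(tx_power_dbm: float, distance_m: float,
                       frequency_hz: float, extra_loss_db: float = 0.0) -> float:
    """Link budget: transmit power minus path loss minus any extra attenuation
    (for example a concrete wall).  All terms are in dB, so they simply subtract."""
    return tx_power_dbm - free_space_path_loss_db(distance_m, frequency_hz) - extra_loss_db


def max_range_m(tx_power_dbm: float, rx_sensitivity_dbm: float,
                frequency_hz: float, extra_loss_db: float = 0.0) -> float:
    """Largest distance at which the received power still meets the receiver's
    sensitivity, obtained by inverting the path-loss formula:
    d = c * 10^(budget / 20) / (4 * pi * f)."""
    budget_db = tx_power_dbm - rx_sensitivity_dbm - extra_loss_db
    return C * 10.0 ** (budget_db / 20.0) / (4.0 * math.pi * frequency_hz)


def compare_bands(tx_power_dbm: float = 20.0, rx_sensitivity_dbm: float = -70.0,
                  wall_loss_db: float = 0.0) -> dict:
    """Constructed scenario (assumed values, not from the course): the same radio
    budget on 2.4 GHz and 5 GHz, optionally through one attenuating wall."""
    bands = {"2.4 GHz": 2.4e9, "5 GHz": 5.0e9}
    return {name: round(max_range_m(tx_power_dbm, rx_sensitivity_dbm, f, wall_loss_db), 1)
            for name, f in bands.items()}


if __name__ == "__main__":
    print("Wavelength at 2.4 GHz: %.3f m" % wavelength_m(2.4e9))
    print("Half power is %.2f dB" % ratio_to_db(0.5))
    for dist in (1, 10, 30):
        print("%3d m: loss 2.4 GHz %.1f dB, 5 GHz %.1f dB" % (
            dist, free_space_path_loss_db(dist, 2.4e9), free_space_path_loss_db(dist, 5.0e9)))
    print("Open air:", compare_bands())
    print("Through a 10 dB wall:", compare_bands(wall_loss_db=10.0))
```

Because every term is in decibels, the link budget is a simple subtraction: each additional 6 dB of attenuation halves the usable range, which is why steel-reinforced concrete has such a marked effect, and doubling the frequency costs the same 6 dB, which is the reason behind the shorter range of 802.11a in the table above.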
Securing Wireless Networks
With the ease of implementation and physical availability of wireless networks, security is a major concern. Unlike a wired network where a node needs to connect to a physical endpoint (typically inside a building), a typical wireless network has no inherent physical security and is available as long as the node trying the connection is within range of the access point. As the effective range of wireless networks increases, this lack of physical security becomes a greater concern. Unauthorized access to the network and the potential loss or theft of business data is a considerable liability in an unsecured wireless network.
There are several different security protocols developed for 802.11 networks. The following are two examples:
• Wired Equivalent Privacy (WEP). The WEP encryption standard was the original standard for wireless LANs. It provides 128-bit and 256-bit encryption of data transmitted over the network. WEP uses a shared passcode or security key for the encryption of data. Users connecting to a WEP-protected network are asked to enter this key when initiating a connection to the network in order to be granted access. The overall strength of WEP security lies in the complexity of this key; short, simple keys that are easily guessable compromise the overall security of the protocol. Multiple technical flaws were discovered in the WEP encryption algorithm and were quickly exposed by malicious hackers and industry watchdogs. WEP is the weakest of all wireless security protocols, is considered outdated, and has been largely superseded by other, more secure protocols.
• Wi-Fi Protected Access (WPA). WPA standards provide an increased level of security and stability over WEP. WPA comprises two versions:
  • WPAv1. This was originally designed as a firmware upgrade to WEP. It allows WEP-based networks to be upgraded to the newer, more secure standard without the addition or replacement of any devices. WPAv1 can use a variety of encryption algorithms.
  • WPAv2. This offers several technical improvements over WPAv1 but retains the same basic structure. WPAv2 is the most secure and preferred method of encryption for most wireless networks.
Both WPAv1 and WPAv2 allow for two methods of security key configuration. They can use a single, preshared key (PSK) for universal access to the network, in much the same way as a WEP key. This method is known as WPA-Personal. The second method incorporates a Remote Authentication Dial-In User Service (RADIUS) server to allow individual nodes to retain their own keys. This implementation is known as WPA-Enterprise and eliminates the security risks of using a single, shared key for universal network access.
The use of certificates with smart cards also allows smart cards to be required for authentication when joining a WPA2 network.
In addition to the encryption methods previously listed, several non-encryption methods exist that, when combined with encryption methods, further enhance wireless network security. Here are some examples:
• MAC filtering. MAC filtering allows a wireless access point to refuse connections from nodes unless their MAC address is contained in a specific list stored on the access point. This allows a network administrator to enter the MAC addresses of only those nodes that should be allowed to connect to the wireless access point.
Note: MAC filtering can be easily circumvented by a process known as MAC spoofing, whereby a potential client provides a false MAC address with the purpose of obtaining access to the network.
• Universal serial bus (USB) tokens. USB tokens are physical devices that provide an additional layer of physical security to wireless networks. These methods require the end user to physically attach a USB token to their computer before access to the network is granted.
• Hidden SSID. Another method for obscuring the identity of a wireless network is hiding the SSID. Configurable at the access point, hiding the SSID prevents the SSID of the wireless network from showing up in the list of available networks on a potential client. When a network’s SSID is hidden, clients need to know the SSID of the network and enter it manually to connect, along with satisfying any other security requirements the network might have. A hidden SSID can add a certain level of security to the network, but it should not be considered a security measure in itself; numerous commonly known methods exist for locating and identifying hidden SSIDs.
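The following added Python example is not part of the course; it illustrates the remark above that the strength of a WPA-Personal preshared key lies in its complexity. It derives the pairwise master key exactly as IEEE 802.11i specifies for WPA and WPA2-Personal (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output), which is why the SSID affects the derived key, and adds a simple passphrase policy check. The entropy threshold and the SSID "Contoso" are assumptions made for the demonstration; the "password"/"IEEE" pair is the test vector published with the 802.11i standard.

```python
import hashlib
import math
import secrets
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LENGTH = 32            # 256-bit pairwise master key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation (IEEE 802.11i): the PMK is
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every client and the access point compute exactly this value."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough strength estimate: log2 of the character-set size per character,
    counting only the character classes that actually appear in the passphrase."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation)))
    alphabet = sum(size for chars, size in classes if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def assess_psk_policy(passphrase: str, min_entropy_bits: float = 64.0) -> dict:
    """Constructed policy check (the 64-bit threshold is an assumption, not a
    course figure): the standard's length limits plus a minimum entropy."""
    length_ok = 8 <= len(passphrase) <= 63
    bits = passphrase_entropy_bits(passphrase)
    return {"length_ok": length_ok, "entropy_bits": round(bits, 1),
            "meets_policy": length_ok and bits >= min_entropy_bits}


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the OS CSPRNG, suitable as a WPA2-Personal PSK."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # The SSID acts as a salt: the same passphrase on another SSID gives another PMK
    print(derive_pmk("password", "IEEE") == derive_pmk("password", "Contoso"))
    print(assess_psk_policy("password"))
    strong = generate_passphrase()
    print(strong, assess_psk_policy(strong))
```

The SSID is only a salt: it is broadcast, so it adds no secrecy, but it does stop one precomputed table of keys from serving many networks, which is one reason to avoid default SSIDs. The passphrase is the single secret on which WPA-Personal rests, and 4096 PBKDF2 iterations slow guessing only by a constant factor, so its length and randomness decide how long a guessable key survives; WPA-Enterprise avoids the shared secret altogether, as the text notes.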
Lesson 5
Connecting to the Internet
Almost every corporate LAN or WAN has a network link that connects it to the rest of the world through the Internet. The Internet has become the most important medium for global communications, and, as such, corporate networks need to be connected to this global network to take advantage of what the Internet has to offer.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Internet.
• Describe and contrast intranets and extranets.
• Describe a firewall.
• Describe proxy and reverse proxy servers.
What Is the Internet?
The Internet is a system of interconnected networks that spans the globe. It is used to connect billions of users worldwide to a large variety of information, resources, and services. It is comprised of both hardware and software infrastructure that allows for the communication between any two computers connected to the Internet.
The Internet has its roots in early WANs implemented by military and educational institutions to facilitate communications between geographically dispersed computer systems or networks. As more nodes were added and the network grew and began allowing public access, the Internet gradually came into existence. The advent of graphical content and the software that allowed for viewing this content began the popularization of the Internet as a medium for public information exchange. Some of the first applications to appear and find common usage on the Internet were email, Gopher, Telnet, Whois, and www. From these limited early services, many more technologies have been built upon, and rely on, the Internet for their function, such as general e-commerce, cloud services, and virtual private networks (VPNs).
The physical structure of the Internet is somewhat ambiguous and constantly changing, but at its core, the Internet bears many similarities to a vast, global WAN. Although Internet communication appears straightforward to the end user, the path that data takes between two communicating nodes can pass over hundreds of different physical connections and be relayed through numerous intermediary network nodes before reaching its destination. The Internet uses IP as the basis for communication between nodes. Individual nodes or networks are typically connected to the Internet by using the methods mentioned in the last topic of the previous lesson. These methods typically involve connectivity through a telecommunications provider. Global telecommunication providers provide the bulk of the physical network infrastructure on which the Internet operates.
The Internet by nature is an open and generally non-secure system. When corporate LANs and WANs connect to and through the Internet, specific devices, methods, and concepts are applied to ensure the integrity and private nature of the corporate LAN or WAN architecture.
Note: The phrase World Wide Web pertains to a set of interlinked “documents” in a hypertext system, which is made available through Hypertext Transfer Protocol (HTTP). The user accesses the documents by using a web browser and enters the various document repositories on the web through a home page.
Intranets and Extranets
Intranet
An intranet refers to a private computer network that uses the IP suite of technologies to securely share information within the network. An intranet shares many communication methods with the public Internet and, as such, an intranet environment functions very much like a small, encapsulated version of the Internet.
Intranets are commonly used to provide privatized versions of Internet communication services, such as websites, email, or file transfer. They facilitate the same kind of easy information sharing as the Internet, but allow an organization to confine its scope to avoid the loss or theft of corporate data. In general, a LAN refers to the physical structure that provides network connectivity, whereas the term intranet refers primarily to a group of services provided on that LAN.
Extranet
In its typical form, an extranet is a piece of a company’s intranet that has been exposed to a larger network, usually the Internet. This is usually done to share specific corporate information with partners or customers, and it requires an extra level of security and network design to ensure that private information within the intranet is separated from the information on the extranet and not inadvertently exposed to the public. The information on the extranet itself is usually not left completely exposed to the public Internet either, but is protected by security measures such as data encryption or authentication mechanisms like user names and passwords.
What Is a Firewall?
A firewall is the key component used in segmenting networks to protect a private network from security risks inherent to connecting to an untrusted network. A firewall is a system or device used as a single point of connection between separate networks. It interprets network communication and allows safe or desirable network traffic to pass through while restricting or denying unsafe or undesirable traffic.
In a network environment, a firewall typically exists as a separate device or computer on the network that is designated exclusively to perform the functions of a firewall. For example, a particular server might have the same function as a firewall and might determine the source address of a piece of data and deny or allow the data to enter the network.
The term firewall is also used to refer to a piece of software installed on a node computer that performs traffic filtering similar to that of a dedicated firewall device. When the term is used in this lesson, it refers exclusively to the dedicated network firewall defined previously, and not the node-based software type. Different types of firewalls allow for varying levels of network data inspection. A basic firewall is included in most Windows® operating systems.
The purpose of the perimeter network is to act as a security buffer between the untrusted and private networks for resources that must be shared with those who are not part of the internal network. A perimeter network commonly contains any nodes that share information with the public Internet. This may include items such as email servers, web servers, or proxy servers.
Perimeter networks are generally implemented by using firewalls. A firewall is placed at the connection of the perimeter network to the untrusted network; another firewall typically separates the perimeter network from the private network. This configuration separates the participating networks into three zones: the private network, the perimeter network, and the untrusted network. Firewalls can also be used to secure traffic within a perimeter network; for example, allowing HTTP(S) traffic from the Internet to the perimeter’s web server only, and allowing the web server to access a SQL database.
The main function of a perimeter network is security. A perimeter network is not entirely a public part of the Internet, an untrusted network, or entirely a private part of the organization’s network. The purpose of the perimeter network is to act as a security buffer between the untrusted and private networks.
Proxy and Reverse Proxy Servers
A proxy server is a variant of a firewall that is used primarily to process client requests for data that exists outside of the network. Proxy servers are most commonly used to provide and control access to the World Wide Web to ensure that the information being requested is safe and pertinent. Proxy servers are also used to temporarily store or “cache” data, again, most commonly from the World Wide Web. This allows the proxy server to redirect clients that request data from servers outside of the local network to a locally stored copy for faster and more secure access, optimizing traffic for frequently needed data.
Proxy servers are most commonly used in conjunction with a firewall. In this configuration, a firewall will allow a specific type of traffic only if the traffic is originating from, or intended for, the proxy server. In this way, clients wanting to send or receive that specific type of traffic must do so through the proxy server, or their transmissions will be blocked or denied at the firewall. Conversely, a reverse proxy server takes some or all data incoming to a network and distributes it to the appropriate nodes on the network. Reverse proxy servers are commonly used for load balancing, which allows the reverse proxy server to take large amounts of incoming data and distribute it among similarly configured nodes, all capable of processing the data. Reverse proxy servers can also provide data security filtering and caching in the same manner as a proxy server.
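The following added example is not part of the course; it models the three-zone design from the firewall topic (private, perimeter, untrusted) as a small first-match rule base in Python, including the rules given there (HTTP(S) from the Internet to the perimeter web server only, and the web server to the SQL database) together with the proxy arrangement described above (web traffic may leave only from the proxy server, so clients must go through it). The addresses, host roles and port numbers are constructed values, and the evaluator is a teaching model of first-match filtering with a default deny, not any vendor's firewall engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed address plan for the three zones (assumed values, not from the course).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges; 10.0.0.0/8 stands in
# for the private network.
ZONES = {
    "private": ip_network("10.0.0.0/8"),
    "perimeter": ip_network("192.0.2.0/24"),
    "internet": ip_network("0.0.0.0/0"),   # everything that is not ours
}
WEB_SERVER = "192.0.2.10"   # perimeter web server
PROXY = "192.0.2.20"        # perimeter proxy server
SQL_SERVER = "10.0.5.15"    # database on the private network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dports: FrozenSet[int]
    src_hosts: Optional[FrozenSet[str]] = None   # None means any host in the zone
    dst_hosts: Optional[FrozenSet[str]] = None


def zone_of(addr: str) -> str:
    """Most specific zone first; 0.0.0.0/0 catches everything else."""
    ip = ip_address(addr)
    for name in ("private", "perimeter", "internet"):
        if ip in ZONES[name]:
            return name
    raise ValueError(addr)


# Rule base for the two firewalls around the perimeter network.  Anything not
# listed is denied by the implicit default rule at the end of evaluate().
RULES = (
    Rule("inbound-web", "internet", "perimeter", "tcp", frozenset({80, 443}),
         dst_hosts=frozenset({WEB_SERVER})),
    Rule("web-to-sql", "perimeter", "private", "tcp", frozenset({1433}),
         src_hosts=frozenset({WEB_SERVER}), dst_hosts=frozenset({SQL_SERVER})),
    Rule("clients-to-proxy", "private", "perimeter", "tcp", frozenset({8080}),
         dst_hosts=frozenset({PROXY})),
    Rule("proxy-egress", "perimeter", "internet", "tcp", frozenset({80, 443}),
         src_hosts=frozenset({PROXY})),
)


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == zone_of(flow.src)
            and rule.dst_zone == zone_of(flow.dst)
            and rule.proto == flow.proto
            and flow.dport in rule.dports
            and (rule.src_hosts is None or flow.src in rule.src_hosts)
            and (rule.dst_hosts is None or flow.dst in rule.dst_hosts))


def evaluate(flow: Flow, rules=RULES) -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the deciding rule)."""
    for rule in rules:
        if matches(rule, flow):
            return "allow", rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    samples = [
        Flow("198.51.100.7", WEB_SERVER, "tcp", 443),   # Internet user to web server
        Flow("198.51.100.7", WEB_SERVER, "tcp", 22),    # Internet to SSH on web server
        Flow("198.51.100.7", SQL_SERVER, "tcp", 1433),  # Internet straight to the database
        Flow(WEB_SERVER, SQL_SERVER, "tcp", 1433),      # web server to its database
        Flow(WEB_SERVER, "10.0.0.1", "tcp", 445),       # web server to a file server
        Flow("10.0.1.5", "198.51.100.7", "tcp", 443),   # client bypassing the proxy
        Flow("10.0.1.5", PROXY, "tcp", 8080),           # client to the proxy
        Flow(PROXY, "198.51.100.7", "tcp", 443),        # proxy fetching on its behalf
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {evaluate(f)}")
```

The sample output shows the two properties the design is meant to deliver: an Internet host reaches nothing on the private network, a compromised web server can reach only port 1433 on one database host rather than the whole private network, and a private client that tries to bypass the proxy is denied at the firewall instead of being silently allowed out.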
Lesson 6
Remote Access
Direct connections to private networks provide the fastest, most secure method for an organization to share data and resources. However, organizations are increasingly finding it necessary for their employees to have access to their private network in situations where a direct physical connection is not possible.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe remote access and branch offices.
• Describe encryption and authentication.
• Select a suitable VPN protocol.
• Explain RADIUS.
• Explain Network Access Protection (NAP).
What Is Remote Access?
Although the majority of functionality on a typical corporate network happens within the LAN, organizations are increasingly looking for ways to allow their employees access to their information while not directly connected to the private network. In other situations, an organization might be unable to directly connect one or more remote locations to the private network and require a different, more indirect approach. In these situations, remote access is required. Remote access methods typically use an intermediary and possibly untrusted connection method, such as the Internet, to indirectly gain access to a central private network. Remote access may be required in any of the following situations:
• Geographically dispersed branch offices
• An employee working from home or while traveling, such as sales staff
• Customers or partners requiring access to information hosted on the organization’s private network
In its basic form, a branch office refers to a location where an organization does business or hosts employees outside of its central location of operations. It could be as large as or larger than the central location itself, or as small as a single employee working from a home office. Branch offices are typically located outside of the physical range of an organization’s central LAN, in another section of a large city, or in another city, country, or continent. The term is typically used for a location where several users (such as a sales office) are directly connected to the company but in a separate physical office, with WANs or VPNs connecting permanently to the corporate network. These branch offices frequently require the ability to provide some or all of the services provided by the central location, and almost always require access to the same data and resources to operate efficiently. Placing a server in the branch office is one solution; providing secure remote connectivity is another. The term branch office is not typically used for home offices or employees working abroad.
An organization like a bank might require each of its branches to have access to financial information stored in servers at the central office; a real estate agency might have brokers that work from home offices that require access to updated property and client information; or a member of the sales staff might require access to customer or product data while traveling.
Question: What other scenarios can you think of that would require remote access?
Encryption and Authentication
When an intermediary or untrusted connection is used to gain access to a private network, the security of the data traveling between the remote location and the private network, in addition to the security of the private network itself, becomes a serious concern. To address this concern and provide a safe means of transmitting private data and preventing unauthorized access to the private network, encryption and authentication are used when implementing remote access connections.
Encryption refers to the intentional scrambling of data to prevent a third party from reading it should it be intercepted between its sender and its intended destination. When encryption is used for transmitting data on a network, the sender uses a specific algorithm to encrypt the data before sending it on the network. The intended receiver, aware of this encryption, uses the same algorithm to unscramble, or decrypt, the data.
Typically, encryption is combined with a method used to prove that the nodes involved are indeed the nodes for which the communication is intended. In other words, the identities of these nodes are verified. This method of verification is known as authentication.
Authentication refers to the process of verifying the identity of a user, computer, process, or other entity by validating the credentials provided by the entity. It is distinct from authorization, which is the process of determining the level of access allowed for an already authenticated identity. Authentication is typically implemented as a password or a combination of user identification and a password, but can also include physical methods such as digital certificates, smart cards, or USB tokens.
Virtual Private Networks and DirectAccess
At one point, direct dial-up access was the most popular method of providing remote access to a private network. With the advent of widely available high-speed Internet access, dial-up access has been largely replaced by VPN connections. When encryption and authentication are implemented to protect information traveling across a remote access connection, a VPN is created.
Fundamentally, a VPN exists when a more secure connection has been established between a node and a private network by using an intermediary and typically untrusted network. This connection is commonly known as a tunnel, a term that describes the secure connection’s separation from the intermediary network due to the encryption used for the data.
Technically, VPNs are implemented using a variety of methods that govern communication mechanisms, encryption, and authentication. The technical definition is outside the scope of this topic. Several of the most common VPN protocols are listed below.
• Point-to-Point Tunneling Protocol (PPTP). PPTP has been a very widely used VPN protocol and is described in RFC 2637. PPTP is supported by most computers, tablets, and smart phones. PPTP has low overhead, and is faster and easier to set up than other VPN protocols. PPTP requires its own ports. More companies appear to be implementing HTTPS-based VPNs.
• Layer Two Tunneling Protocol (L2TP). L2TP is frequently used with Internet Protocol security (IPsec) to provide data encryption and security. L2TP is described in RFC 2661.
• Secure Sockets Layer (SSL) tunneling protocol. The SSL tunneling protocol uses 2,048-bit certificates for authentication, making it the most secure of the VPN protocols. The SSL tunneling protocol lets users pass through firewalls and proxy servers when other VPN protocols might be blocked. The SSL tunneling protocol uses HTTPS over the Internet.
• IP-HTTPS. This is replacing the SSL tunneling protocol in DirectAccess, which is one of the remote access solutions from Microsoft®. It is discussed further later in this topic.
• IPsec. A set of industry-standard, cryptography-based services and protocols that help to protect data over a network.
DirectAccess
DirectAccess was introduced in the Windows 7 and Windows Server 2008 R2 operating systems. DirectAccess gives users the experience of being connected to their corporate network any time they have Internet access, without having to initiate or configure a connection. When DirectAccess is enabled, requests for corporate resources (such as email servers, shared folders, or intranet websites) are securely directed to the corporate network, allowing for the same user experience regardless of whether the computer is connected to the corporate network. The DirectAccess client is connected to the corporate network before the user even logs on, making the logon and authentication process identical to the process used when connected directly to the corporate network.
Windows Server 2012 and Windows 8 DirectAccess can be configured to use either IP version 4 (IPv4) or IP version 6 (IPv6) addresses. Windows Server 2008 R2 and Windows 7 can use only IPv6 for communication between clients and servers. Connections between IPv4 and IPv6 networks can be coordinated automatically by using a number of different IPv6 translation technologies that are configured at the DirectAccess server.
The main benefit of using DirectAccess over VPNs is its lack of required user interaction. In Windows Server 2012, DirectAccess is also much easier to deploy than was the case in Windows Server 2008 R2. Furthermore, DirectAccess allows remote management tasks such as software distribution and updates of virus scanning engines.
Windows Server 2012 supports DirectAccess with Windows 7 and Windows 8 clients, whereas Windows Server 2008 R2 only supports Windows 7 DirectAccess clients. Operating systems older than Windows 7 are not supported as DirectAccess clients at all; they will need to use an alternative, such as VPN.
RADIUS
RADIUS is a widely used industry standard authentication protocol that allows the exchange of authentication information between various elements of a remote access solution. It provides for centralized authentication, authorization, and accounting for network connection attempts and nodes that connect to networks through any means, whether that is dial-up, VPN, wireless, or a physical connection through cable. It has been defined by the Internet Engineering Task Force (IETF) under RFC 2865 and RFC 2866 and updated and modified in numerous subsequent RFC standards. RADIUS is a very common protocol available for use in most network environments. It is used to perform the following functions with regard to network access:
• Authenticate nodes before allowing them to access the network.
• Authorize access for nodes specific to network services or resources.
• Account for and track the usage of those services and resources.
The main components that typically go into making a RADIUS infrastructure are as follows:
• RADIUS server. Provides centralized authentication, authorization, and accounting for network access requests. The Network Policy and Access Services role in Windows Server 2012 can be configured as a RADIUS server.
• RADIUS proxy. Can forward and route RADIUS access and accounting messages between RADIUS clients and RADIUS servers.
• RADIUS clients. These are RADIUS access servers, such as wireless access points, dial-up servers, authentication switches, and VPN servers. These are RADIUS clients because they use the RADIUS protocol to communicate with RADIUS servers. User devices such as laptops are not RADIUS clients.
A server implementing RADIUS allows an organization to simplify and better manage remote access to its network, especially when multiple remote access points exist in the environment. RADIUS allows for strongly securing a WLAN with the use of certificates. More information about RADIUS can be found at the following website. http://www.ietf.org
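The RFC 2865 exchange between a RADIUS client (the access server) and a RADIUS server, as an added example that is not part of the course: the client builds an Access-Request with the User-Password obfuscated under the shared secret, and checks the Response Authenticator before acting on the reply. The shared secret, NAS address and credentials are constructed sample values.

```python
"""Added example (not course or Microsoft code): build an RFC 2865 RADIUS
Access-Request as a RADIUS client (NAS) would, and verify the Response
Authenticator on the server's reply. The shared secret, NAS address,
user name and password used with it are constructed sample values."""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def hide_password(password, secret, request_authenticator):
    """Obfuscate User-Password (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes and each block is
    XORed with b1 = MD5(secret + RA), b2 = MD5(secret + c1), and so on.
    This is keyed by the shared secret but is not strong encryption, which
    is why RADIUS traffic should be confined to a protected network path.
    """
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: what the RADIUS server does on receipt."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, offset = {}, HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[offset + 2:offset + length]
        offset += length
    return attrs


def build_access_request(identifier, secret, username, password, nas_ip,
                         request_authenticator=None):
    """Assemble Code | Identifier | Length | Request Authenticator | Attributes."""
    ra = request_authenticator or os.urandom(16)  # must be unpredictable
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + ra + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def response_is_authentic(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator before trusting an Access-Accept."""
    if len(response) < HEADER_LEN or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```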
Network Access Protection
Network Access Protection (NAP) can be implemented as part of a RADIUS infrastructure. It provides components to help you enforce health requirement policies for network access and communication. NAP allows you to create policies for validating devices that connect to the network, and to provide required updates or access to required health update resources while limiting the access or communication of noncompliant devices. You can customize your health maintenance solution to monitor devices accessing the network for health policy compliance. The health policy might include checks for:
• Up-to-date antivirus patterns.
• Appropriate firewall status.
• Up-to-date malware protection.
• Windows Update settings.
In addition, NAP can:
• Update devices with software updates to meet health policy requirements.
• Limit access for devices that do not meet health policy requirements to a restricted network.
Although NAP helps you automatically maintain the health of the network’s devices, which in turn helps maintain the network’s overall integrity, NAP does not protect the network from malicious users. For example, if a device has all the software and configuration settings that the health policy requires, then that device is compliant and has unlimited network access; however, NAP does not prevent an authorized user with a compliant device from uploading a malicious program to the network or engaging in other inappropriate behavior.
NAP Functions
NAP has three important and distinct functions:
• Health state validation. When a computer tries to connect to the network, the NAP health policy server validates the computer’s health state against the health-requirement policies that you define. You also can define what to do if a computer is not compliant. In a monitoring-only environment, the NAP health policy server validates the health state of all computers, and then logs the compliance state of each computer for subsequent analysis. In a limited-access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies might have their access limited to a restricted network.
• Health policy compliance. You can help ensure compliance with health requirement policies by automatically updating noncompliant computers with missing software updates and configuration changes. You can do this by using management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers have network access before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are complete. In both environments, computers that are compatible with NAP can become compliant automatically, and you can define exceptions for computers that are not NAP-compatible.
• Limited access. You can protect the network by limiting noncompliant computers’ access. You can base limited network access on a specific time limit, or on what the noncompliant computer can access. In the latter case, you define a restricted network containing health update resources, and the limited access lasts until the noncompliant computer becomes compliant. You also can configure exceptions, so computers that are not compatible with NAP do not have their network access limited.
In Windows Server 2012, NAP is installed as part of the Network Policy and Access Services role. Health policies, validators, and remediation servers can all be defined and configured within the Network Policy Server (NPS) management console in Windows Server 2012.
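The three NAP functions above, worked through as an added example that is neither the course's code nor Microsoft's NPS implementation: health state validation, remediation toward compliance, and the limited-access decision, in both a monitoring-only and a limited-access environment. The health checks, device records and remediation actions are constructed sample data.

```python
"""Added example (not the course's code and not Microsoft NPS): a small model
of the three NAP functions, health state validation, health policy compliance
(remediation) and limited access. POLICY, the HealthState fields and the
remediation actions are constructed; remediation here just flips the flags."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Mode(Enum):
    MONITORING_ONLY = "monitoring-only"   # validate and log, never restrict
    LIMITED_ACCESS = "limited-access"     # restrict noncompliant NAP-capable clients


class Access(Enum):
    FULL = "unlimited network access"
    RESTRICTED = "restricted network (health update resources only)"


@dataclass
class HealthState:
    """Statement of health reported by a client (constructed fields)."""
    name: str
    nap_capable: bool = True
    antivirus_current: bool = False
    firewall_enabled: bool = False
    malware_protection_current: bool = False
    windows_update_enabled: bool = False


# Health-requirement policy: each required check and the remediation that fixes it.
POLICY: Dict[str, str] = {
    "antivirus_current": "push current antivirus signatures",
    "firewall_enabled": "enable the host firewall",
    "malware_protection_current": "update the malware protection engine",
    "windows_update_enabled": "turn on Windows Update",
}


def validate(device: HealthState) -> List[str]:
    """Health state validation: names of the checks the device fails."""
    return [check for check in POLICY if not getattr(device, check)]


def decide_access(device: HealthState, failures: List[str], mode: Mode) -> Access:
    """Limited access: only a noncompliant, NAP-capable device in a
    limited-access environment goes to the restricted network. A device that
    is not NAP-capable is the configured exception and keeps full access."""
    if not failures or not device.nap_capable or mode is Mode.MONITORING_ONLY:
        return Access.FULL
    return Access.RESTRICTED


def remediate(device: HealthState, failures: List[str]) -> List[str]:
    """Health policy compliance: apply the update for each failed check."""
    actions = []
    for check in failures:
        setattr(device, check, True)  # stand-in for the real software update
        actions.append(POLICY[check])
    return actions


def enforce(device: HealthState, mode: Mode, log: List[str]) -> dict:
    """Validate, decide access, remediate, then re-validate, logging each step.
    Restricted access lasts only until re-validation shows compliance."""
    failures = validate(device)
    initial = decide_access(device, failures, mode)
    state = "compliant" if not failures else "noncompliant (" + ", ".join(failures) + ")"
    log.append(f"{device.name}: {state}; {initial.value}")
    actions = remediate(device, failures) if device.nap_capable else []
    final = decide_access(device, validate(device), mode)
    if actions:
        log.append(f"{device.name}: remediated; {final.value}")
    return {"initial": initial, "actions": actions, "final": final}
```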
Lab: Selecting Network Infrastructure Components
Scenario
A. Datum Corporation has recently decided to decentralize its marketing department, currently located in New York. In addition to the New York location, a new marketing office is being built in Seattle to house the media design staff. You are responsible for choosing the LAN design and general components for the new office and ensuring that the two offices are connected in a way that allows staff in the Seattle office to access the information they need from the New York office.
You have received email messages from the Seattle office manager outlining the duties assigned to the new office, a list of employees that will be using the Seattle office, and the primary job functions of those employees.
Objectives
After completing the lab, students will be able to:
• Provide guidance on which network components are needed to complete a branch office deployment.
Estimated Time: 30 minutes
No virtual machines are required for this exercise.
Exercise 1: Determining Appropriate Network Components
Scenario
Email #1
From: Susan Walker
Subject: Seattle Office Building
Hi,
We have been working with the new building contractors and they have come up with a basic design. No drawings have been drafted yet, so I will try to explain what they have in mind. The space will basically be split into two parts. We will have six offices in one part of the office for our design team members, typical office stuff. The other half will be a large, open conference room built for partner consultation. Basically, it will be a place where our consultants meet with our partners to show them progress on projects, samples of media, and things like that. It’s going to be pretty casual, with most of the furniture being couches and coffee tables. I hope that gives you a good enough idea for your side of things. Thanks, Susan
Email #2
From: Susan Walker
Subject: Seattle Staff
Hi again,
Here are the details on our Seattle staff and what each of their roles entails.
We will have three video editors that will be in three of the six offices: Frank, Lisa, and Peter. The bulk of their day is spent editing video for various projects. They work as a collaborative team, so they are constantly sending material (videos) back and forth to each other. Frank asked me to tell you that the videos can be really big. They have issues with the videos taking a long time to copy to and from the server in New York. I’m not sure if there is something you can do to improve that in Seattle.
There are four creative consultants. Nick and Brenda will be in the office and John and Martha will be working from home offices. Their primary role is to meet with our partners to determine overall needs. Then they come up with the basic design concept and forward it to the video editors who begin the video design process. Throughout the process, the creative consultants provide samples of the work being done and get feedback from the customers. This will be done using the conference room for local partners. I’m hoping you can come up with something that will allow our out-of-town partners to view and comment on the development process remotely. Our internal staff will need to be able to view and update the material, and our home users and partners will need to be able to view and update it from their locations. This is sensitive information, so it needs to have some kind of password or security around it so not just anybody can see it. They have also asked if there would be a way for both the in-office consultants and the two coming from home to have access to the material located on the server to show clients on their laptops when they meet in the conference room. We also need to be able to share files with New York as well.
My primary role is to manage the staff here and provide general updates and material samples to New York. This typically doesn’t involve a lot of files or very big files, but it does need to be secure, and our partner agreement doesn’t allow us to use email to send the files, so they will have to be hosted on some sort of server, I guess. I am not very technical, sorry.
Oh and one final thing: we’re getting new desktops and other devices, all of which will be running Windows 8 I’m told, in case that helps.
Hopefully that’s what you’re looking for. Thanks for your time.
Susan
Branch Office Network Infrastructure Plan: Component Needs Assessment
Document Author: You
Date: March 22
Requirements Overview
Recommend basic infrastructure components for the implementation of the network in the new Seattle location.
Recommend infrastructure to connect the Seattle location to the New York location.
Recommend infrastructure to allow home office users and partners access to the resources they need from the Seattle location.
Proposals
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
3. What components and technology should be used to connect the New York and Seattle branches?
4. What is the best architecture to allow both partners and home office users to access their information using only one method of access?
The main tasks for this exercise are as follows:
1. Read the supporting documentation
2. Update the proposal document with your planned course of action
Task 1: Read the supporting documentation
• Read the supporting documentation sent to you by the Seattle office manager.
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs Assessment.
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
3. What components and technology would you use to connect the New York and Seattle branches?
4. What is the best architecture to allow both partners and home office users to access their information using only one method of access?
Results: After this exercise, you should have identified the infrastructure and components required to implement a network in a new location.
Question: What other options exist to connect the home office employees if their role changes and requires consistent access to information on the Seattle LAN?
Question: What infrastructure should be used to connect the conference room portion of the Seattle location?
Module Review and Takeaways
Review Questions
Question: Why are firewalls so critical when designing and deploying networks?
Question: What makes a wireless network more vulnerable to unauthorized access than a wired network?
Module 4
Connecting Network Components
Contents:
Module Overview 4-1
Lesson 1: Understanding the Open Systems Interconnection Reference Model 4-2
Lesson 2: Understanding Media Types 4-7
Lesson 3: Understanding Adapters, Hubs, and Switches 4-14
Lesson 4: Understanding Routing 4-20
Lab: Connecting Network Components 4-25
Module Review and Takeaways 4-29
Module Overview
Networks consist of many components; these components fall into various categories based on their operational characteristics. For example, those components that deal with electrical signaling are known as low-level network components. However, those components that handle user requests—for example applications—are known as high-level components.
This module explores the functionality of low-level networking components. This includes cabling, network adapters, switches, hubs, and routers. In addition, the module provides guidance on how best to connect these and other components together to provide additional network functionality.
Objectives
After completing this module, you will be able to:
• Describe the industry standard protocol model.
• Describe routing technologies and protocols.
• Describe adapters, hubs, and switches.
• Describe wiring methodologies and standards.
Lesson 1
Understanding the Open Systems Interconnection Reference Model
Over the years, many networking protocol stacks were developed by different vendors to support their own networking products. In order to bring some structure and standardization to this independent evolution of network protocol stacks, the International Organization for Standardization (ISO) developed the Open Systems Interconnection (OSI) reference model.
As an aside, the name of the ISO organization would have different abbreviations in different languages. Because of this, the organization decided to adopt the abbreviation ISO and standardize the name, taken from the Greek word isos, meaning equal. As a result, the ISO acronym is used regardless of language.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the OSI model.
• Describe lower-layer protocols and devices within the model.
• Describe network protocols within the model.
• Describe the upper layers in the model.
The OSI Model
The OSI model is a networking model that was introduced by the ISO to promote multi-vendor interoperability. The OSI model is a conceptual model that defines the generic tasks that are performed for network communication. You can think of each layer of the OSI model as a piece of software or hardware that performs specific tasks for that layer. Each layer communicates with the layer below and the layer above. Application data that is transmitted over the network must pass through all the layers. These layers are described in the following table (layer number, layer name, and description).
Layer 7 (Application): Represents application programming interfaces (APIs) that developers can use to perform network functions when you build applications.
Layer 6 (Presentation): Translates the data generated by the application layer from its own syntax into common transport syntax suitable for transmission over a network.
Layer 5 (Session): Enables and controls a communication session between two applications.
Layer 4 (Transport): Makes sure that packets are delivered in the order in which they are sent and without loss or duplication.
Layer 3 (Network): Determines the physical path over which data is transmitted based on network conditions, the priority of services, and other factors. This is the only layer of the OSI model that uses logical networking and can move packets between different networks.
Layer 2 (Data-link): Provides for the transfer of data frames from one computer to another over the physical layer. The media access control (MAC) address of a network adapter exists at this layer and is added to the packet to create a frame. Data is passed from the data-link layer to the physical layer as a stream of 1s and 0s. Some element of error checking is possible at this layer to ensure frame delivery.
Layer 1 (Physical): Defines the physical mechanisms for sending a raw stream of data bits on the network cabling, such as a network interface card (NIC) and drivers.
Why Use the OSI Model?
The OSI model is used as a common reference point when you compare the function of different protocols and kinds of network hardware. The OSI model is important for comparing different products and understanding the functions that a device is performing. The model enables an understanding and interpretation of various network architectures and network components within those architectures. For example:
• A router is a layer 3 device. Based on this, you know that a router understands logical networks and can move packets from one network to another.
• Hypertext Transfer Protocol (HTTP) is a layer 5-7 protocol. Based on this, you know that applications use HTTP to communicate over the network.
• Ethernet is a standard for layers 1-2. Based on this, you know that Ethernet defines physical characteristics for media (network cabling), how signals are transmitted over that media, and when devices can communicate on the media.
More information about the OSI model definition can found at the following website. http://www.iso.org
The Lower Layers of the OSI Model
The lower layers of the OSI model are responsible for encapsulating requests from the upper layers into a meaningful structure to be merged onto the media. How you do this varies from one network architecture to another. The data-link layer is responsible for:
• Transferring data between devices.
• Managing the MAC addressing scheme.
• Encapsulating requests from the middle layers into data-link frames and passing these to the physical layer for merging onto the media.
• Passing protocol-specific data up the stack.
• Error checking.
The physical layer is responsible for:
• Establishing, maintaining, and terminating connections to the media.
• Participating in the process of managing media access among multiple hosts.
• Converting the data-link frames into a meaningful signal for merging onto the media.
• Interpreting and converting signals on the media into data-link frames.
Here are examples of how data transfer occurs on a single local network and across networks. These examples help explain how the lower layers of the network stack work.
• On a local link, communication is addressed by using MAC addresses. Even if a device knows the IP address of the device it wants to communicate with and has determined that the device is on the same network, it must first resolve the remote MAC address by sending an Address Resolution Protocol (ARP) request (a MAC-level broadcast), and then send the data to that MAC address.
• IP and routers are used to extend networks beyond the local subnet. For example, suppose a host needs to send data to a destination beyond the local network. The host knows the IP address of its router (its default gateway); it keeps the IP address of the target host as the packet’s destination, but resolves the MAC address of the local router and sends the frame there. The local router unwraps the frame to get the IP packet and data, rewraps the packet in a new frame addressed to the MAC of the next hop, and then forwards it.
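The two cases above, ARP on the local link and a router rewrapping a packet for the next hop, implemented as an added example that is not part of the course. The IP and MAC addresses are constructed, and a dictionary stands in for the ARP cache a real host fills from ARP replies.

```python
"""Added example (not from the course): how a sender decides which MAC address
to resolve with ARP (the destination itself or the default gateway), and how a
router unwraps an IP packet and rewraps it in a new frame for the next hop.
Addresses are constructed sample values; a dict stands in for the ARP cache."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14   # destination MAC (6) + source MAC (6) + EtherType (2)
IP_HDR_LEN = 20    # minimal IPv4 header, no options


def next_hop(src_ip, netmask, dst_ip, gateway):
    """Return the IP whose MAC must be resolved: the destination if it is on
    the local subnet, otherwise the router (default gateway)."""
    local_net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway


def ip_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, payload, ttl=64, protocol=17):
    """Network layer: wrap the payload in a minimal IPv4 header (protocol 17 = UDP)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), 0, 0,
                         ttl, protocol, 0, ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_frame(dst_mac, src_mac, packet):
    """Data-link layer: add the MAC addresses and EtherType to make a frame."""
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def parse_frame(frame):
    """Split a frame into (destination MAC, source MAC, encapsulated packet)."""
    return frame[0:6].hex(":"), frame[6:12].hex(":"), frame[ETH_HDR_LEN:]


def send(host, dst_ip, payload, arp_cache):
    """Host side: pick the next hop, look up its MAC, and emit the frame.
    Returns the next-hop IP and the frame placed on the media."""
    hop = next_hop(host["ip"], host["mask"], dst_ip, host["gateway"])
    packet = build_ipv4(host["ip"], dst_ip, payload)
    return hop, build_frame(arp_cache[hop], host["mac"], packet)


def router_forward(frame, router_mac, next_hop_mac):
    """Router side: strip the old frame header, decrement TTL and fix the
    checksum, then rewrap the packet (IP addresses untouched) for the next hop."""
    _, _, packet = parse_frame(frame)
    header = bytearray(packet[:IP_HDR_LEN])
    if header[8] <= 1:
        raise ValueError("TTL expired; packet must be dropped, not forwarded")
    header[8] -= 1
    header[10:12] = b"\x00\x00"  # checksum field is zero while recomputing
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return build_frame(next_hop_mac, router_mac, bytes(header) + packet[IP_HDR_LEN:])
```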
The Middle Layers of the OSI Model
In the middle of the OSI model sit the transport and network layers. Together, these layers are frequently known as the network protocol layer. The transport layer is responsible for:
• Transferring data between applications on different hosts.
• Providing reliable end-to-end transfer of data between these applications.
• Encapsulating application requests in datagrams and passing these to the network layer.
• Passing incoming datagrams to the appropriate session layer protocol.
The network layer is responsible for:
• Implementing a logical addressing scheme to identify hosts on the Internet.
• Routing packets to the appropriate logical address as identified by the upper layers.
• Encapsulating transport layer datagrams into network packets and passing them to the data-link layer.
• Passing incoming packets up the protocol stack to the appropriate transport layer protocol.
In the early days of networking, different vendors produced their own, proprietary networking protocols. These included:
• Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX). This protocol was developed to provide transport and network layer services for the Novell NetWare operating system. Although proprietary, the protocol stack was widely implemented in other networking operating systems. This includes the Windows Server® operating systems. SPX is a transport layer protocol, whereas IPX provides network layer support.
• AppleTalk. This is another proprietary protocol providing transport and network layer functions. Apple Corp. implemented this protocol to support their Apple Mac computer systems. Microsoft Corporation provided some support for this protocol in their Windows® platform.
• TCP/IP. This was first developed as a suite of protocols to support applications that run on the UNIX platform. During the 1990s, this protocol began to gain acceptance by network product vendors, including Microsoft, Novell, and Apple. TCP/IP provides a four-layer architecture that offers support for all layers of the OSI reference model. TCP/IP implements two transport layer protocols: TCP and User Datagram Protocol (UDP). At the network layer, IP is implemented.
Networking services sit on top of the protocol stack, and pass instructions down the stack to the media. It is the job of the network protocol stack to interpret service requests and encapsulate them in a form accessible by lower-level protocols.
The Upper Layers of the OSI Model
The upper layers of the OSI model consist of the application layer, the presentation layer, and the session layer. These upper layers are occupied by network applications, or services. The application layer is responsible for interacting with network-aware software components. Functions typically include the following:
• Identifying network hosts with which applications want to communicate
• Determining available resources
• Synchronizing communication between network hosts
The presentation layer provides independence from differences in how network data is presented. This enables applications that use different syntax to communicate. The presentation layer:
• Formats and encrypts data for transmission on a network.
• Provides compatibility between applications that use different syntax.
The session layer is responsible for:
• Establishing, maintaining, and terminating connections, known as sessions, between local and remote applications.
• Selecting the appropriate transport layer protocol for communications with remote applications.
Different network operating systems implement different network services. However, they also provide similar functionality:
• Authentication
• File and print services
• Email messages
• Client/server applications, such as a database
Lesson 2
Understanding Media Types
Although you can connect devices to a network that uses wireless components, it is more common to use wired media. There are many kinds of wired media types, each with different characteristics: cabling distances, load and resistivity, and the ability to resist external electromagnetic interference. This lesson explores the cabling characteristics and standards.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe coaxial cable.
• Describe twisted-pair cable.
• Describe fiber-optic cable.
• Select a suitable cable type.
Coaxial Cable
Construction
Coaxial cable consists of two copper conductors separated by insulating materials. The central core is manufactured from either stranded or solid copper wire, enclosed by an insulator. Around this first insulator is a second, stranded copper conductor. The whole is then protected by a plastic covering.
Coaxial cable has different electrical characteristics based on its construction. Thin coaxial cable supports shorter cable runs and fewer devices. Thick coaxial cable can span longer distances and supports the connection of more devices. Although thick coaxial cable enables longer cable runs and more devices, it is unwieldy. Therefore coaxial cable is more typically used to provide backbone connections.
Standards
Two standards define coaxial cable characteristics.
• American wire gauge (AWG). This defines the diameter of the central conductor. A numbering system indicates the diameter used. For example, 14 AWG indicates a thicker cable than 18 AWG cable. Realize that the electrical characteristics of the cable change with its diameter. Specifically, thicker wire carries current further because it has lower resistance over a given distance.
• Radio grade or Radio guide (RG). These standards define coaxial cable characteristics such as susceptibility to interference and resistivity. There are many RG coaxial cable standards, and networking components use only a small subset of those. They are primarily grouped according to the cable impedance, because it is important that the impedance of the cable matches the impedance of the transmitter; otherwise there might be significant data loss. The following lists some examples.
• 50 ohm impedance:
  o RG58. Fairly thin and flexible, and ideal for connecting nodes to the network. However, RG58 does not support long cable runs or many connected devices. It uses 20 AWG copper wire. It was used in early Ethernet networks known as 10Base2 networks (also known as ThinNet). As explained in Module 3, “Understanding Network Infrastructure,” the 10 refers to the transmission speed, 10 Mbps; base refers to the transmission type, that is, baseband; and the 2 in this instance refers to the distance over which it can operate, approximately 200 meters. The actual distance is less, approximately 165 meters. This network type was very popular before twisted-pair cabling. Today, it would only be found in older networks.
  o RG8. RG8 is approximately 16 AWG. It is thicker than RG58 and not as flexible. Compared to RG58, it provides less data loss over longer distances. RG8 was also commonly used in earlier Ethernet networks, known then as 10Base5 networks; again the 10Base5 name indicates 10 Mbps, baseband transmission, and in this case, distances of 500 meters. This network type was commonly known as ThickNet because the cable was comparatively thicker than the cable used in 10Base2 networks. Today, RG8 would only be found in older networks. RG8 and RG58 might also be found in laboratory equipment or radio transmitters/receivers.
• 75 ohm impedance:
  o RG59. Has an 18 AWG core. It is susceptible to signal loss at higher frequencies over long distances.
  o RG11. Thick coaxial cable in which 14 AWG cable provides the solid core. It is fairly thick, so it is not very flexible, but it has good comparative integrity of signals over length. It is mostly used in backbones, where more robust cabling is needed.
  o RG6. Thinner than RG11, with 75 ohm impedance and typically 18 AWG, similar to RG58. It is more susceptible to attenuation than RG11 but is less expensive. Used mostly in consumer devices, or over short distances. RG6 and RG59 are used mostly in video applications or cable TV/TV antenna connections. RG6 would generally have better signal integrity over the distances needed, so it might be more widely used than RG59. RG6 is typically more expensive than RG59 cable.
Generally, thicker cables mean longer distances with less data loss. But there are other things to consider, such as the shielding used in the cable. The main points to be aware of here are that different cable types have different capabilities, and even within the previous categories there are sub-categories that will have slightly different specifications. If you are intending to use coaxial cable, make sure that you know the correct impedance to use and also the distance over which the data must travel.
Connectors
Coaxial cable connects network devices by using different connector types based on the thickness of the wire. Connectors can be categorized into two groups, as outlined earlier.
Thick coaxial cable (10Base5). RG8 cable types use a piercing tap, or vampire connector, to connect to thick coaxial cable. The connector surrounds the cable, and conductive spikes penetrate the cable to the central and outer conductors. The connector is then attached to the network device by using an attachment unit interface (AUI) connector. This 15-pin connector is also sometimes known as a Digital Intel Xerox (DIX) connector.
Thin coaxial cable (10Base2). RG58, RG59, and RG6 would typically use BNC or F type connectors.
• The BNC connector connects by using a press, twist, and lock mechanism and would usually be seen with RG59 cable. BNC has different connection types, such as T-connector, terminator, and barrel connector types.
• An F type connector has a sharp pin in its center that acts as the transfer medium. It connects by using a press or a screw-and-lock mechanism and involves the pin and female receptacle connector ends.
Note: Coaxial cable must be terminated. In order to prevent signals reflecting back up the media, a resistor is attached to both ends of the cable. This absorbs the signal and prevents reflection. You must use a terminator of the correct impedance.
Coaxial cable is not typically used in networking applications today. This is primarily because of the unstructured nature of the wiring. In addition, coaxial cable is not especially fault-tolerant. A break in the cable disrupts the whole segment, because you now have two non-terminated segments. It is also very difficult to find the exact location of a cable break, although a device such as a Time Domain Reflectometer can be used to help. It is also useful to “ground” the cabling system to reduce interference in the data signal, typically through devices it is connected to, such as antennae.
When to Use Coaxial Cable
Coaxial cable is resistant to electromagnetic interference and can support long cable runs between hosts. Although it might have some limited advantages it is a legacy option that has been replaced with other cable types such as twisted pair (discussed in the next topic). It is becoming difficult to find modern network adapters that support it.
Twisted-Pair Cable The twisted-pair cabling type is common in modern networks; it has generally replaced coaxial cabling in Ethernet networks as the standard. Although it is still copper based, it’s a less expensive option than coaxial cable, although this wasn’t always the case. This is mainly because switches became less expensive than hubs and as such, the number of collisions present in hubs could be reduced. This enables the cable to span larger networks. As it became more popular, the relative cost came down. You can use twisted-pair cabling to support several applications, including telephony and networking. Construction
As the name suggests, the cable is constructed from a pair, or sometimes several pairs, of insulated cables, twisted around one another, all enclosed in a protective outer sheath of plastic.
Note: The nearness of the other cable in the pair can introduce crosstalk, or interference. The twisting helps eliminate the crosstalk. The more twists per meter, the higher the cable rating. For example, Category (Cat) 4 cables have fewer twists per meter than Cat 5 cables.
There are two kinds of twisted-pair cable: unshielded twisted pair (UTP) and shielded twisted pair (STP). The two types have several differences.
4-10 Connecting Network Components
• UTP is the more typically used twisted-pair type. UTP follows the 10BaseT specification, and there are several categories. The categories range from traditional telephone cable (voice but no data) to high-speed (1000 Mbps/10 Gbps) quality data transmission. UTP has a maximum distance of 100 m.
• STP overcomes the main UTP disadvantage (interference) by providing copper shielding. STP provides faster transmission over longer distances than UTP, but STP is more expensive.
Connectors
You connect devices with STP or UTP to the network by using several different connectors.
• RJ11. A four-contact connector supporting two-pair cables, typically used for telephony. However, there are different connector types in different parts of the world.
• RJ45. An eight-contact connector supporting four-pair cables. Typically used for data applications such as network adapters, but modern telephone lines (Integrated Services Digital Network [ISDN]) now also use RJ45.
When to Use Twisted-Pair
UTP is fairly inexpensive, both in terms of the cabling and associated components and in terms of the cost to lay the cable. Its susceptibility to interference is addressed by the twisted-pair technology and by using a different current between the two wires. A weakness of UTP is that it is not shielded. This means that it could influence other appliances and be easier to “listen in” on (by using a radio-like device). This could make UTP less secure. UTP should generally be the preferred choice. Where interference, longer cable runs, or potential security threats exist, select STP.
Standards
Standards maintained by the Telecommunications Industry Association (TIA)/Electronics Industries Association (EIA) define the additional characteristics of twisted-pair cable. These standards are known as the Category standards.
Category | Twisted Pairs | Capacity | Bandwidth (MHz) | Use
1 | 2 | 1 Mbps | 1 | Voice/modem (rarely used)
2 | 2 | 4 Mbps | - | IBM cabling/token ring (rarely used any longer; might still be found in some Advanced Interactive Executive (AIX) datacenters)
3 | 4 | 10 Mbps | 16 | Ethernet (telephone cabling)
4 | 4 | 16 Mbps | 20 | Token ring (not used)
5 | 4 | 100 Mbps | 100 | High-speed Ethernet
5e | 4 | 1000 Mbps | 100 | Gigabit Ethernet
6 | 4 | 1000+/10 Gbps | 250 | 10G Ethernet
6a | 4 | 10 Gbps | 500 | 10G Ethernet
7 | 4 | 10 Gbps | 600 | 10G Ethernet
Note: The term bandwidth is used to describe the transmission speed of a network. Early networks operated at low bandwidths by today’s standards. For example, early implementations of Ethernet operated at 3 million bits per second (3 Mbps). Modern network technologies can transmit much faster than this. A typical Ethernet operates at a bandwidth of between 100 Mbps for desktops to 10 Gbps in server rooms.
Consider that the bandwidth of the network might be 1 Gbps. The actual throughput (or the volume of data in bits) might be much less. One reason for this is that popular network technologies such as Ethernet operate on a contention basis. In other words, the nodes or hosts on the network compete for bandwidth. This contention process leads to loss of throughput. More information about the TIA/EIA organization can be found at the following website: http://www.tiaonline.org
Fiber-Optic Cable
Copper cables experience the effects of electromagnetic interference. In addition, they experience loss of signal, or attenuation, over distance. Fiber-optic cables are less prone to either of these. Because fiber-optic cables are more reliable, they are used in situations that demand longer cable runs or in areas where high levels of electromagnetic interference are expected.
Construction
An optical fiber cable is composed of:
• Glass or plastic core. This provides the transmission medium.
• Cladding. This covers the core. Light signals cannot traverse this layer. The reflective surface of the cladding layer reflects the light signals back into the core.
• Buffer. This protective layer surrounds the core and cladding.
Note: Because each optical fiber supports light signals in only one direction at a time, some cables implement multiple fibers bundled in a single cable.
There are two kinds of fiber-optic cable:
• Multimode fiber. Consists of several fibers. Light signals are generated by light-emitting diodes (LEDs). Typically, multimode fiber supports bandwidths of around 100 Mbps at distances of up to 2 kilometers and 10 Gbps over 300 meters.
• Single-mode fiber. Contains a single, thin fiber that supports higher bandwidths and longer cable runs than multimode fiber. 40 Gbps is possible over distances of several hundred kilometers. Light signals are generated by laser diodes. Single-mode fiber is typically more expensive than multimode fiber.
Connectors
There are different connectors for use with fiber-optic cabling, depending on whether you are using multimode fiber or single-mode fiber, and on the particular application of the cable.
• Straight Tip. The fiber equivalent of a coaxial BNC connector, using a push-and-twist locking system. Typically used with multimode fiber.
• Subscriber Connectors. Provide a simple push/pull connection.
• Local Connectors. Similar to Subscriber Connectors, but smaller.
• Ferrule Connectors. Older single-mode fiber connectors, now replaced by Subscriber Connectors and Local Connectors.
• Mechanical Transfer Registered Jack. Supports multimode fiber cables by using a snap-on connector.
When to Use Fiber Optic Cabling
Fiber-optic cabling is more expensive than its copper equivalent. It is used where higher bandwidths over long distances are required and the distance exceeds the capabilities of copper wiring. In areas of extreme electromagnetic interference, fiber-optic cabling is also the better choice.
Standards
The following table builds upon the table from Module 3 and includes the most frequently implemented cabling standards and uses.
Standard | Media | Bandwidth | Common Uses
10BASE-T | Twisted copper | 10 Mbps | Local networks
100BASE-TX | Twisted copper | 100 Mbps | Local networks
100BASE-FX | Fiber-optic | 100 Mbps | Distant networks
1000BASE-T | Twisted copper | 1 Gbps (1,000 Mbps) | Local networks
1000BASE-LX | Fiber-optic | 1 Gbps | Distant networks
10GBASE-T | Twisted copper | 10 Gbps | Local networks
10GBASE-LR/ER | Fiber-optic | 10 Gbps | Distant networks
Of the standards listed in this table, 100BASE-TX and 1000BASE-T are most frequently found in today’s local area networks (LANs). 1000BASE-LX and 10GBASE-LR/ER are the most frequently found in long distance Ethernet connections.
Discussion: What Cabling Strategy Would You Use?
Fabrikam, Inc. has purchased a new building to house their Research and Development team. The new building is just across the parking lot from the headquarters. There are two floors in this new building; each will support around 100 network nodes. Each workstation is to have a telephone installed. You want to minimize future disruption, so any cabling solution must provide for emerging standards. Because of the nature of the work, the R & D team requires a high-bandwidth solution. Answer the following discussion questions.
Question: For Fabrikam, Inc., what cabling system would you recommend within the new building?
Question: Fabrikam’s R & D center is across the private parking lot from the head offices. You will have to connect the R & D office back to the head office so that research staff has access to corporate services. What cable would you recommend for this application to link the two buildings?
Lesson 3
Understanding Adapters, Hubs, and Switches
Operating at the lower levels of the OSI network architecture, switches and hubs are responsible for connecting physical devices together. The choices that you make about the deployment and configuration of these components can have far-reaching effects on the behavior of interconnected devices and overall network functionality and performance. Therefore, make sure that you can differentiate between devices such as hubs and switches and be able to select a hub or switch based on its functionality.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a network adapter.
• Describe transmission speed.
• Describe hubs.
• Describe switches.
• Describe layer 2 and layer 3 switches.
• Describe the capabilities of a virtual local area network (VLAN).
What Is a Network Adapter?
A network adapter is the lowest-level component installed in your computer. It is responsible for converting instructions from higher-level components, specifically the network protocol stack, into electrical signals and merging these signals onto the network media. The network adapter is also responsible for converting electrical signals received on the wire into meaningful instructions that it then passes up to the network protocol stack.
Note: The network media might be physical wiring or a wireless network. For convenience, the term wire will be used except where an explicit differentiation is required.
Frames and Addressing
The network adapter encapsulates the instructions it receives from the protocol stack into a logical sequence known as a frame. Frames contain addressing information to ensure that the protocol stack message reaches the correct target network adapter on the local network. As discussed in Module 3, each network adapter has a unique address known as a MAC address. This is usually assigned by the manufacturer of the network adapter and is in hexadecimal format.
Note: The authority responsible for allocating a unique address is the Institute of Electrical and Electronics Engineers, Inc. (IEEE).
To determine the MAC address of the destination network adapter, the local network adapter typically broadcasts a request for the required MAC address. This 48-bit address is stored by the network adapter in the source MAC address field in the network frame.
Note: Other than these unique MAC addresses, the addressing fields in a frame can also contain specially formatted addresses; these include broadcasts and multicasts. These special addresses and the kinds of communications that require them are discussed later in the course.
Ethernet Frame Structure
Frame structures vary according to the architecture. Even within Ethernet, there are variations of frame structure, depending on the Ethernet standard implemented. The variations, including some older implementations that you might hear of, are as follows:
• Ethernet II. One of the earliest Ethernet frame types; it supports TCP/IP and IPX/SPX.
• Ethernet 802.3 or Ethernet “raw”. Only supports Novell’s IPX/SPX protocol.
• Ethernet 802.2 logical link control (LLC). Contains additional header information compared to 802.3 and allows for managing varying MAC types.
• Ethernet Subnetwork Access Protocol (SNAP). Supports TCP/IP, IPX/SPX, and AppleTalk.
The last two types enable the encapsulation of the data to enable the insertion of other protocols. Ethernet SNAP would be the most widely used and relevant frame type. There are differences between the frame type structures, but generally they can be described as consisting of the following fields:
• Preamble. A series of bits that enables the transmitting and receiving network adapters to synchronize and establish a link.
• Start frame delimiter. A single byte that signifies the start of the frame.
• Destination MAC address. MAC address of the network adapter receiving the data.
Note: The destination MAC address referred to above is present only when the destination is on the local subnet. If the destination were on a different network segment, the destination MAC address would be that of the router’s interface.
• Source MAC address. MAC address of the network adapter sending the data.
• Length/type. The length field is present in all frame types except Ethernet II, which has a type field instead. The length field gives the frame size, and the type field indicates the protocol that interprets the frame data. In the Ethernet SNAP frame type, the type information is contained in the data field.
• Data. This field contains the actual data. In all standard cases, it is between 46 bytes and 1,500 bytes. For 802.2 LLC and Ethernet SNAP, it encapsulates the data to allow for easier interaction with other protocols.
Note: Remote Direct Memory Access (RDMA) in Windows Server® 2012 allows for the transfer of data from the memory of one computer to the memory of another computer without any interaction from either computer’s operating system, CPUs, or caches. This is achieved by using NICs that support the Server Message Block (SMB) Direct protocol. This can have a significant effect on data transfer rates.
• Pad. The 802.3 frame type can pad the data field.
• Frame check sequence. The last field in a typical frame is the frame check sequence (FCS). This field holds a checksum value that is used to determine the integrity of the frame. As outlined previously, the FCS used in Ethernet frames is a cyclic redundancy check (CRC). Frames that are damaged in transit are dropped by the network adapter.
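The field layout above can be checked in code. The following Python block is an added example, not code from the courseware: it builds an Ethernet II frame from constructed sample MAC addresses, pads the data field to the 46-byte minimum, appends a CRC-32 FCS, and then parses the frame back, classifying the destination address as unicast, multicast, or broadcast and dropping the frame when the FCS does not match, as a receiving adapter would. The MAC addresses and payload are made up; the preamble and start frame delimiter are omitted because the adapter strips them before the frame reaches software.

```python
"""Build and parse an Ethernet II frame and verify its frame check sequence.

Added example (not from the courseware). The frame bytes are constructed
inline; the MAC addresses and payload are made-up sample values.
"""
import struct
import zlib

# Field sizes from the frame layout above (preamble and start frame
# delimiter are stripped by the adapter, so they are not parsed here).
MIN_PAYLOAD = 46    # minimum data field; shorter data is padded to this size
MAX_PAYLOAD = 1500
HEADER_LEN = 14     # destination MAC (6) + source MAC (6) + type/length (2)
FCS_LEN = 4

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet II frame with padding and a CRC-32 FCS.

    Ethernet transmits the 32-bit CRC least-significant byte first, so the
    FCS is packed little-endian.
    """
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1,500-byte maximum")
    padded = payload.ljust(MIN_PAYLOAD, b"\x00")   # pad field, 802.3 style
    body = dst + src + struct.pack("!H", ethertype) + padded
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def classify_destination(mac):
    """Unicast, multicast or broadcast, judged from the destination MAC.

    The least-significant bit of the first octet marks a group address;
    all ones is the broadcast address.
    """
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_frame(frame):
    """Return a dict of frame fields, or None when the frame must be dropped.

    A receiver discards a frame whose CRC does not match, which is how a
    frame damaged in transit is dropped by the adapter.
    """
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        return None  # runt frame
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        return None  # FCS mismatch: damaged in transit, drop it
    dst, src = body[:6], body[6:12]
    type_or_len = struct.unpack("!H", body[12:14])[0]
    # Values of 0x0600 and above are EtherTypes (Ethernet II); smaller
    # values are an 802.3 length field, as the Length/type bullet describes.
    kind = "type" if type_or_len >= 0x0600 else "length"
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "dst_kind": classify_destination(dst),
        kind: type_or_len,
        "data": body[HEADER_LEN:],
    }


# Constructed sample: an ARP-typed frame sent to the broadcast address.
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("020000aabbcc")   # locally administered, made up
SAMPLE_FRAME = build_frame(SAMPLE_DST, SAMPLE_SRC, ETHERTYPE_ARP, b"who-has?")

# The same frame with one bit flipped inside the data field.
DAMAGED_FRAME = bytearray(SAMPLE_FRAME)
DAMAGED_FRAME[20] ^= 0x01
DAMAGED_FRAME = bytes(DAMAGED_FRAME)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
    print(parse_frame(DAMAGED_FRAME))   # None: FCS mismatch, frame dropped
```

The CRC catches accidental damage only; it is not a security control, because anyone who can alter a frame can recompute the FCS. Integrity against a deliberate change has to come from a higher layer.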
Installing a Network Adapter
Historically, those responsible for installing network adapters had to fit a separate network adapter card into an available expansion slot inside the computer. These days, it is more usual to find network adapters as integrated components on the computer’s motherboard. After the network adapter is installed, you must connect it to the network. Typically, network adapters have a single connector for this purpose.
Note: To determine what kind of network connector you have, view the back of the desktop computer. Depending on what country/region you are in, you may see a Registered Jack-45 (RJ-45) connector. This resembles a standard telephone jack.
After you have connected the network adapter to the network cabling, depending on your requirements, you typically attach the other end of the wire to a network switch or hub. In some instances, a Direct Cable Connection, or direct cabling, between two computers is required, such as for use with a cluster heartbeat. This requires a cable to connect the two devices. The cabling required in this scenario requires the cable pairs on one end of an Ethernet cable to be the reverse of the other end. So either some customization of the cable is required, or a specific crossover cable is needed.
What Is a Hub? Some early networks used wiring systems in which each node was connected directly in a ring. Other networks implemented a single cable that was routed to each node in sequence, creating a chain of networked computers. Both cabling methods have several problems. First, if the cable was damaged, network integrity was lost and communication was disrupted. Second, because cabling was frequently laid to limit cable lengths, or finding a convenient path to the next node, it was not always easy to locate the faulty cable. As networks became more popular, administrators have tried to resolve these problems.
Later, network devices that enabled star wiring of network nodes were adopted. These devices were known as hubs and enabled each network node to be connected back to a central point. This addressed the problem of unstructured wiring and also of network failure that results from a break in the cable. A cable fault resulted in a single node being isolated.
Some early hubs supported different kinds of cabling connectors, known as ports, to enable connection of twisted-pair cabling, coaxial cabling, and other media. Even today’s simple consumer hubs support wired, wireless, and Asymmetric Digital Subscriber Line (ADSL) ports. You can use hubs to extend the network. Depending on the network topology being used, you can connect a chain of hubs together potentially over very long distances.
Note: Ethernet has several rules that define how you can extend the network. As defined in the 5-4-3 rule, you can connect five segments by using four repeaters as long as only three of the segments have active nodes. In early coaxial implementations of Ethernet, the maximum segment length with thick coaxial was 500 meters. The maximum end-to-end length of an Ethernet network is defined as 2.5 kilometers. This does not allow for bridging or routing to extend the network.
Note: Hubs are generally not used any longer and are considered legacy devices with limited functionality for modern networks and data transmission requirements. Switches have replaced hubs.
What Is a Switch?
In contention-based networks, such as Ethernet, all connected nodes share the media and its available bandwidth. Therefore, if there are 10 nodes on a network that has a 10 Mbps bandwidth, it can be said that each node has an available bandwidth of a tenth of the total bandwidth, or 1 Mbps. If you add nodes to the network, the share each has of the total decreases in inverse proportion to the number of connected nodes. Therefore, when there are 20 nodes, each has a twentieth of the bandwidth. A significant problem of contention networks with many connected nodes is that throughput degrades. A bigger issue is the collision that occurs on a link, which results in the further reduction of the available bandwidth. The simple solution is to reduce the number of nodes in each segment. You can do this by implementing MAC-level bridging. A switch is like a hub. It acts as a wiring concentrator to which all network devices are connected. It performs the same isolation when a cable failure occurs while maintaining the integrity of the network. However, there are some fundamental differences.
Characteristics of a Switch
Layer 2 Switches
The significant difference between a hub and switch is that the switch can perform MAC-level bridging between ports. In other words, each node has exclusive use of the bandwidth of the segment during its transmission. So every device connected to the switch is exclusively talking with the switch. The switch has a table that shows which MACs are connected to which ports. This means that traffic is only sent to the wires that require the information. You can configure each host to have a single port, or you can connect a hub to a switch port. When you connect a hub to a switch port, the nodes on the hub all share the bandwidth configured for the port on the switch to which the hub is connected. In this manner, you can determine how much bandwidth is available to each port and nodes connected to the ports. Switches that provide this function are known as Layer 2 switches. With modern switches, you can also program a group of ports to behave like a hub. For example, you could create a group of ports to enable network load balancing or to provide for network-level analysis.
Layer 3 Switches
Some switches can provide protocol-specific routing functions at the protocol stack layer. For example, you can configure the switch to provide routing for IP packets, but not to perform MAC-level bridging for non-IP-based frames. Switches that provide this routing functionality are known as Layer 3 switches.
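To make the difference between a hub and a Layer 2 switch concrete, here is an added Python simulation (not from the courseware) of the MAC-to-port table described under Layer 2 Switches above. The hub repeats every frame to every other port; the learning switch records the port on which each source MAC arrived and, once it knows the destination, sends the frame only to that port. Unknown destinations and broadcast or multicast addresses are still flooded to every port, which is the traffic a node can see on a switch without any special configuration. Host MAC addresses and port numbers are constructed sample values.

```python
"""A hub beside a Layer 2 learning switch, to show where frames go.

Added example (not from the courseware); the MAC addresses and port numbers
are made-up sample values.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast destinations must reach every port."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 1


class Hub:
    """A hub repeats every frame to every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, src, dst):
        return sorted(p for p in self.ports if p != in_port)


class LearningSwitch:
    """Keeps the MAC-to-port table the text describes and forwards by it."""

    def __init__(self, ports):
        self.ports = ports
        self.mac_table = {}   # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        # Learn: the source MAC is reachable through the ingress port.
        self.mac_table[src] = in_port
        if is_group_address(dst) or dst not in self.mac_table:
            # Unknown unicast or group address: flood, as a hub would.
            return sorted(p for p in self.ports if p != in_port)
        out_port = self.mac_table[dst]
        if out_port == in_port:
            # Source and destination share a port (for example, a hub hangs
            # off it): the frame already reached its destination.
            return []
        return [out_port]


# Constructed scenario: hosts A, B and C on ports 1, 2 and 3; port 4 is empty.
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
HOST_C = "02:00:00:00:00:0c"


def run_scenario(device):
    """Send four frames through a device and record which ports see each."""
    return [
        device.forward(1, HOST_A, HOST_B),      # B not learned yet: flooded
        device.forward(2, HOST_B, HOST_A),      # A is known: only port 1
        device.forward(1, HOST_A, HOST_B),      # B now known: only port 2
        device.forward(3, HOST_C, BROADCAST),   # broadcast: every other port
    ]


if __name__ == "__main__":
    print("hub:   ", run_scenario(Hub([1, 2, 3, 4])))
    print("switch:", run_scenario(LearningSwitch([1, 2, 3, 4])))
```

On the hub every frame reaches port 4 even though nothing is connected there; on the switch only the first (unknown destination) frame and the broadcast do. That is the whole reason a switch limits what a node on one port can observe of traffic between other ports.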
Note: Network protocols, such as IP, encapsulate instructions received from higher-level protocols, such as TCP, into a structure known as a packet.
Layer 3 switches route packets. The switch examines the packet and makes a routing decision based on the destination packet address. Layer 3 switches also perform additional routing functions. For example, Layer 3 switches can check packet integrity, respond to Simple Network Management Protocol (SNMP) management systems, and observe and decrement packet Time-to-Live (TTL) values. In some ways, a Layer 3 switch can provide several improvements over more traditional routers. For example, Layer 3 switches:
• Divide networks into logical subnets by using the Layer 2 configuration instead of at the port level, as a traditional router does. This provides a more flexible configuration.
• Are generally less expensive than traditional routers.
• Provide faster forwarding performance than traditional routers.
Be aware that Layer 3 switches do not provide support for wide area networks (WANs).
Layer 4 Switches
Some more advanced switches are equipped with a firewall service module that enables the switch to make forwarding decisions based on the type of data in the segment. These kinds of advanced functionality switches are known as Layer 4 switches.
Also as discussed in Module 3, switches allow for creating a VLAN. A VLAN is a virtual implementation of a LAN that lets you control what nodes receive what traffic and then group the nodes accordingly. For example, nodes in a different physical or geographical location can behave as if they were on the same logical network.
Note: Transport protocols, such as TCP, encapsulate instructions received from applications into a structure known as a segment.
Switches with a firewall service module examine the content of segments received and determine whether and how to route the segment based on the specific TCP port being used.
Note: TCP ports are examined in a later module of this course.
In addition to port switching, Layer 4 switches (and some Layer 3 switches) can make switching decisions based on the priority of network traffic. In this mode, lower-priority traffic is buffered at the switch while higher-priority traffic is handled.
Note: Quality of Service (QoS) values are a way to indicate the priority of traffic. Some network transport protocols implement QoS to support application prioritization needs. The switch can read and interpret these QoS values.
Lesson 4
Understanding Routing
You must understand how routers make routing decisions so that you can plan their deployment and configuration to support the desired functionality of the network. Different routing protocols are suited to different network environments. A good understanding of these different protocols will enable you to manage your LAN and wide area network (WAN) more efficiently.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe routers.
• Describe a routing table.
• Understand routing protocols.
• Select a suitable routing configuration.
What Is a Router?
Historically, routers were implemented in networks in order to extend the LAN into a WAN. One router interface would be connected to the LAN, and another to a telephony circuit of some type. At the destination, a similarly configured router was deployed. Packets could flow between the networks as required. As the cost of routers decreased, network administrators began to implement routers in a single geographic location in order to manage traffic. Routers forward packets based on the destination network identification (ID) instead of the MAC address of a host. Routers operate at the network layer and handle transport protocol instructions encapsulated in packets.
Network nodes determine whether a destination host is a member of another LAN (or VLAN) when they begin communications. Elements of the network transport protocol make this determination by comparing the source and destination network addresses in the packet. When a node is determined to be in a different network, the node tries to route the packet to that network. Usually, this means that the packet is forwarded to a router on the local network. This behavior is a significant departure from the way communications occur with Layer 2 switches or bridges. The nodes explicitly address the frame to the router that will handle the routing process of the encapsulated packet. In order to perform routing, the router must know what other networks exist and how to reach them. Routers maintain this information in routing tables. Routing tables are either static or dynamic. Static routing tables are maintained by a network administrator who must add the required routes manually to the table. Dynamic routing tables are maintained by the propagation of routing information between routers themselves using special routing protocols.
How a Router Determines a Destination
A router determines the destination network for a packet by examining the destination network address and comparing it to entries in its routing table. If the destination network is found in the routing table, and there is a single route to that network, the router forwards the packet to the next router in turn. When multiple routes to the destination network exist, the router must make a selection as to the best route.
To determine the best path to a remote network, routers use routing algorithms. Most algorithms support multiple paths between networks. Multiple paths are good because they enable redundancy in your routing architecture. Some routing algorithms use a hierarchical structure and implement routing backbones. A hierarchical routing structure helps make sure that you use the routing infrastructure efficiently by bypassing slower, localized networks in favor of the backbone. Some algorithms implement distance vectors, in which routing tables are periodically propagated to all neighboring routers. Others use link-state propagation, in which smaller, more frequent updates are propagated.
Route Selection
The router tries to select which route to use based on factors such as the route with the most reliable link, the route with the least cost, or perhaps the route with the lowest current network load; these criteria are known as metrics. Frequently implemented metrics include the following:
• Bandwidth
• Path cost
• Reliability
• Shortest path length
• Network load over path
• Likely end-to-end delay time
• Hop count
• Restrictions, such as maximum transmission packet size
• Communications cost of the route
Note: A hop occurs when a packet passes through a router.
When the router has selected a route, it forwards the packet to the next router in turn.
Note: Each packet on an IP network has a field named the TTL counter. Every time that the packet transits through a network device, such as a router, the TTL counter is decremented by at least one. When the TTL reaches zero, the router then holding the packet drops it. This makes sure that packets do not loop around the network.
Routing Example
For example, in the following scenario, a packet is routed across three networks: network A, network B, and network C. Two routers connect these networks, each configured by using a routing table. A host in network A communicates with a host in network C. The following steps describe how network A communicates with network C:
1. The originating host creates a packet addressed to C:12. The host determines that network C is not the local network.
2. It has no knowledge of network C and forwards the packet to an adjacent router.
3. The router receives the packet and examines the destination address. It compares the destination network address and determines that it has an appropriate entry for the destination network in its routing table.
4. In this instance, it forwards packets for network C to interface B.254.
5. The second router receives the packet and examines the destination address. It compares the destination network address and determines that it has an appropriate entry for the destination network in its routing table. In fact, the router is locally connected to the destination network.
6. The second router forwards the packet to the appropriate host.
In this example, each device communicates with the next by using the MAC address of the next device.
Static versus Dynamic Routing
In small networks, you can maintain routing table entries manually. However, for larger networks that have routers, this is not possible. You can configure routing tables for routers dynamically by installing a routing protocol.
Note: Hosts and routers can be configured by using a default gateway property in IP networks. When a host, or router, does not have a specific route to a target network, it forwards the packet to its configured default gateway. This is the usual configuration for network nodes. Configure each router to use the other router’s local interface as its default gateway. The only exception where you do not have to configure anything is when you have only one router that connects you to the Internet.
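The six-step routing example and the default gateway note above can be run as a small simulation. The following Python block is an added example, not from the courseware; it assumes a constructed address plan in which network A is 10.1.0.0/16, network B is 10.2.0.0/16 and network C is 10.3.0.0/16, so host C:12 becomes 10.3.0.12 and interface B.254 becomes 10.2.0.254. Each router does a longest-prefix match on its routing table, falls back to its default gateway when no entry matches, and decrements the TTL on every transit. The second scenario shows why the TTL rule matters: when two routers are each other's default gateway, a packet for a network neither of them knows bounces between them until the TTL expires.

```python
"""Route a packet across the three-network example with longest-prefix
matching, a default gateway and the TTL rule.

Added example (not from the courseware). The address plan is constructed:
network A = 10.1.0.0/16, B = 10.2.0.0/16, C = 10.3.0.0/16, so host C:12 is
10.3.0.12 and interface B.254 is 10.2.0.254.
"""
import ipaddress


class Router:
    def __init__(self, name, routes, default_gateway=None):
        """routes: list of (network, next_hop); a next_hop of None means the
        network is directly connected. default_gateway: next hop used when
        no route matches (None means the packet is dropped)."""
        self.name = name
        self.routes = [(ipaddress.ip_network(net), nh) for net, nh in routes]
        self.default_gateway = default_gateway

    def lookup(self, dst):
        """Longest-prefix match, then the default gateway, then None."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if matches:
            net, nh = max(matches, key=lambda m: m[0].prefixlen)
            return "direct" if nh is None else nh
        return self.default_gateway


def forward(routers, owner, first_hop, dst, ttl):
    """Walk a packet router by router; returns (path, outcome).

    routers: {router name: Router}; owner: {interface address: router name},
    so that a next-hop address can be resolved to the router that holds it.
    """
    path, here = [], first_hop
    while True:
        ttl -= 1  # every router the packet transits decrements the TTL
        if ttl <= 0:
            return path + [here], "dropped: TTL expired"
        nh = routers[here].lookup(dst)
        if nh is None:
            return path + [here], "dropped: no route"
        path.append(here)
        if nh == "direct":
            return path, "delivered"  # the router hands the packet to the host
        here = owner[nh]


# Constructed topology from the six steps: R1 joins A and B, R2 joins B and C.
# As the note suggests, each router uses the other's interface in network B
# as its default gateway.
ROUTERS = {
    "R1": Router("R1", [("10.1.0.0/16", None), ("10.2.0.0/16", None),
                        ("10.3.0.0/16", "10.2.0.254")],
                 default_gateway="10.2.0.254"),
    "R2": Router("R2", [("10.2.0.0/16", None), ("10.3.0.0/16", None)],
                 default_gateway="10.2.0.1"),
}
OWNER = {"10.2.0.1": "R1", "10.2.0.254": "R2"}


def route_to_c():
    """Steps 1 to 6: a host in network A sends to C:12 via its router R1."""
    return forward(ROUTERS, OWNER, "R1", "10.3.0.12", ttl=64)


def route_to_unknown():
    """A packet for a network neither router knows ping-pongs between the
    two default gateways until the TTL expires."""
    return forward(ROUTERS, OWNER, "R1", "192.0.2.9", ttl=5)


if __name__ == "__main__":
    print(route_to_c())
    print(route_to_unknown())
```

Without the TTL rule the second packet would circulate for ever and consume bandwidth on the link between the two routers; a single router with only an Internet connection, the exception named in the note, has no second gateway to bounce the packet back.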
The main advantage of using dynamic routing, other than the benefit of not having to manually configure your routers, is that dynamic routing supports changes in the routing infrastructure. If you add or remove a network, you do not have to update all the routing tables. The routing protocols that you implement make these changes automatically.
Note: Even with dynamic routing, you still have to configure each router for the LANs you have to support. Dynamic routing only handles foreign LANs on other routers.
Common Routing Standards
By implementing a routing protocol on your routers, you enable your routers to learn about the state of networks, and the routes to those networks. Additionally, this learned information can be propagated onwards to other routers in your organization. How route propagation occurs varies between routing protocols. Some route propagation methods are better suited to large internetworks, whereas others are more appropriate for small networks.
Routing protocols fall into one of two categories. The first is interior routing protocol, used for propagating routing information in an enterprise network. The second is exterior routing protocol, used for propagating routing information between enterprises, such as on the Internet. The following information summarizes the common routing protocols:
• Routing Information Protocol (RIP). A popular Interior Gateway Protocol (IGP). RIP uses a distance vector algorithm to identify remote networks and uses UDP. It supports fairly small internetworks, with a hop count greater than 16 considered unreachable.
• Open Shortest Path First (OSPF). A popular link-state IGP. OSPF uses a link-state mechanism to propagate routing information. Link-state protocols maintain data about the network segments to which they are connected and the current state of those networks. Therefore, OSPF is suitable for larger internal networks than RIP. OSPF does not use TCP/IP.
• Border Gateway Protocol (BGP). This widely used Exterior Gateway Protocol (EGP) was designed specifically to enable interconnection of many enterprises on the Internet.
Discussion: Which Routing Protocol Would You Use?
Scenario 1: A subsidiary of Fabrikam has a medium-sized network that consists of around 500 nodes. These nodes are distributed across several floors in their headquarters building. Additionally, there are about a dozen branch offices, each with around 10 nodes. Routers are deployed within the network to interconnect the networks.
Scenario 2: Tailspin Toys has a small network that consists of around 100 nodes. Recently, network throughput has been affected by network traffic. You decide to install routers to help manage the network traffic. At first, there will be three networks connected by two routers.
Answer the following discussion questions.
Question: For the Fabrikam scenario, would you recommend static or dynamic routing?
Question: For the Fabrikam medium-sized network, is the use of a routing protocol indicated? If so, which one would you recommend?
Question: For the Tailspin Toys scenario, would you recommend static or dynamic routing?
Question: For the Tailspin Toys small network, are routing tables required?
Question: If Tailspin Toys implements an Internet connection by using a router, how would this change the configuration that you have selected?
Lab: Connecting Network Components
Scenario
A. Datum Corporation has created a new Research and Development team. As a result, several remote R & D branch offices are being created.
Objectives
After completing this lab, you will be able to:
• Answer the questions in the Branch Office Network Components Deployment Plan document.
• Answer the questions in the Branch Office Network Wiring Plan document.
Estimated Time: 30 minutes
No virtual machines are required for this exercise.
Exercise 1: Connecting Network Components
Scenario
You are responsible for planning the installation of new network components for these new branch offices. Alan Brewer, the national R & D Manager, is communicating with you about his specific requirements for the regional offices. In addition, Ed Meadows, your boss in information technology (IT), has visited some of the branch offices.
Supporting Documentation
Email
Network Diagrams
From: Ed Meadows [[email protected]]
Sent: 1 Mar 2013 14:20
To: [email protected]
Attached: A. Datum Branch Network Plan.vsd
Subject: New branch offices
Charlotte,
The network diagrams you suggested are not quite completed yet, but you can update them with the details of the components you require. As you can see, there are three branches, and then the R & D function at the head office. We have to connect the computers together in the branches and then connect the branches to the head offices.
Regards,
Ed
Attached: A. Datum Branch Network Plan
Branch Office Network Components Deployment Plan
Document Reference Number: CW010210/1
Document Author: Charlotte Weiss
Date: March 1
Requirements Overview
To determine which components to install to connect nodes at branch offices and to connect branch offices to the head office.
Additional Information
High-bandwidth applications will be used in the branches. Devices must provide for virtual local area networks (VLANs) to support project teams that span each branch. Traffic should be isolated in the branch except where necessary. It should be possible to manage traffic in the branch based on its priority.
Questions:
1. What devices are required to connect the branches together and connect the branches to the head office?
2. What issues arise when you implement these devices?
3. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.
The main tasks for this exercise are as follows:
1. Read the supporting deployment plan document.
2. Update the Branch Office Network Components Deployment Plan.
Task 1: Read the supporting deployment plan document.
1. Read the supporting email.
2. Review the Branch Office Network Components Deployment Plan.
Task 2: Update the Branch Office Network Components Deployment Plan.
Update the Branch Office Network Components Deployment Plan by answering these questions.
1. What devices are required in the branches to support these requirements?
2. What devices are required to connect the branches together and connect the branches to the head office?
3. What issues can arise when you implement these devices?
4. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.
Results: After this exercise, you should have completed both the A. Datum Branch Network Plan diagram and the Branch Office Network Components Deployment Plan.
Exercise 2: Selecting a Suitable Wiring Infrastructure
Scenario
You are ready to deploy the selected network components. However, first you must determine a wiring plan for each branch.
Branch Office Network Wiring Plan
Document Reference Number: CW200210/1
Document Author: Charlotte Weiss
Date: March 20
Requirements Overview
Provide a wiring plan for the branch offices.
Additional Information
Very high bandwidths are expected. High levels of electromagnetic interference are expected in some areas of the branches. Cost is a limiting factor. The solution, so far as is possible, should be future-proofed.
Proposals
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined for network components earlier?
2. How will you address the issue of high levels of electromagnetic interference?
3. What cable standards do you propose?
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the proposal document with your planned course of action.
Task 1: Read the supporting documentation
• Read the Branch Office Network Wiring Plan.
Task 2: Update the proposal document with your planned course of action
Update the proposal document with your planned course of action by answering these proposal questions.
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined for network components earlier?
2. How will you address the issue of high levels of electromagnetic interference?
3. What cable standards do you propose?
Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
Question: In the lab, you were asked to consider a wiring scheme for branch offices. You were constrained by budget. Had you not been, how would that have changed your plans, if at all?
Module Review and Takeaways
Review Questions
Question: How does a switch differ from a hub?
Question: You plan to implement a large, routed internetwork. What routing protocol would you consider for this completely autonomous network?
Question: Why is coaxial cable generally not a good choice for data networks?
Module 5
Implementing TCP/IP
Contents:
Module Overview                     5-1
Lesson 1: Overview of TCP/IP        5-2
Lesson 2: IPv4 Addressing           5-7
Lesson 3: IPv6 Addressing           5-19
Lesson 4: Name Resolution           5-24
Lab: Implementing TCP/IP            5-37
Module Review and Takeaways         5-45
Module Overview
Network protocols are responsible for providing a communications channel between applications running on separate hosts. Most network protocols are actually a collection of multiple protocols, collectively known as a protocol stack. Each protocol in the stack provides a different networking function. This module focuses on the TCP/IP protocol stack.
Objectives
After completing this module, you will be able to:
• Describe the functionality of the TCP/IP suite.
• Describe IP version 4 (IPv4) addressing.
• Configure an IPv4 network.
• Describe IP version 6 (IPv6) addressing and transition.
• Describe the various name resolution methods that are used by TCP/IP hosts.
Lesson 1
Overview of TCP/IP
TCP/IP is an industry-standard suite of protocols that provides communication in a heterogeneous network. With TCP/IP, you can connect different operating systems together in a manner that helps enable cross-platform communications.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the TCP/IP protocol layers.
• Describe the TCP/IP protocol suite.
• Describe Windows® Sockets and identify port numbers for specified protocols.
The TCP/IP Protocol Model
A protocol is a set of rules that govern how data is exchanged and transmitted between nodes over a network. If a particular node cannot use or support the protocol that another node is trying to use when communicating with it, the communication will fail. To try to address this, the TCP/IP networking model is designed around the concept of internetworking, that is, the exchange of data between different networks, frequently built on different architectures. The TCP/IP protocol model can be aligned to the Open Systems Interconnection (OSI) model, but there are some differences:
• The TCP/IP model has four layers.
• The TCP/IP model was developed to take advantage of the Internet, after protocols were developed.
• The TCP/IP model takes a horizontal approach to organizing the communication processes.
Another way to think of this is that the OSI model defines distinct layers related to packaging, sending, and receiving data transmissions over a network. The TCP/IP stack layered protocol suite performs these functions. Dividing the network functions into a stack of separate protocols, instead of creating a single protocol, provides several benefits:
• Separate protocols make it easier to support different computing platforms. Creating or modifying protocols to support new standards does not require changing the whole protocol stack.
• Having multiple protocols operating at the same layer makes it possible for applications to select the protocols that provide only the level of service required.
• Because the stack is split into layers, the development of the protocols can proceed at the same time by personnel who are uniquely qualified in the operations of the particular layers.
The four layers of the TCP/IP protocol stack are as follows:
• Application layer. The application layer of the TCP/IP model corresponds to the application, presentation, and session layers of the OSI model. The application layer provides services and utilities that enable applications to access network resources.
• Transport layer. The transport layer corresponds to the transport layer of the OSI model and is responsible for end-to-end communication using TCP or User Datagram Protocol (UDP).
• Internet layer. The Internet layer corresponds to the network layer of the OSI model. Protocols in this layer are used to control packet movement between networks. It is at this layer that source and destination address details are added to network data. The main protocol that operates at this layer is IP, and the main devices would typically be routers.
• Network interface layer. The network interface layer (sometimes known as the link layer or data-link layer) corresponds to the data-link and physical layers of the OSI model. The network interface layer specifies the requirements for sending and receiving packets on the network media. This layer is usually not considered part of the TCP/IP protocol suite because its tasks are performed by network devices, for example hubs, some parts of switches, routers, and any device with a network adapter.
The TCP/IP Protocol Suite
Each layer in the TCP/IP protocol model relates to specific protocols.
Application Layer
This layer contains the applications and protocols that provide access to network resources. The following are some of the more prominent application protocols. New and modified protocols are continuously being added.
• Hypertext Transfer Protocol (HTTP). The Internet protocol that is used to deliver information over the World Wide Web.
• Hypertext Transfer Protocol Secure (HTTPS). A version of HTTP that is used to encrypt communication between web browsers and web servers. It is also typically used to provide server and client authentication for more secure intranets or extranets.
• File Transfer Protocol (FTP). A protocol to copy files between two computers over the Internet.
• Dynamic Host Configuration Protocol (DHCP). Protocol to automate IP address assignment and some additional options, such as the addresses of DNS servers. Used by clients that do not require a static IP address.
• Domain Name System (DNS). Enables locating computers and services by using user-friendly names instead of IP addresses.
• Post Office Protocol version 3 (POP3). An IP that enables a user to download email from a server to a client computer.
• Internet Message Access Protocol (IMAP). Another IP that enables an email client to download email from an email server. Both IMAP and POP3 have traditionally been widely used for Internet email.
• Simple Mail Transfer Protocol (SMTP). Standard protocol to transfer email messages between email servers. Also used in combination with POP3 or IMAP to send email messages from clients to email servers.
• Simple Network Management Protocol (SNMP). An IP that is used to provide status information about a host on a TCP/IP network.
• Remote Desktop Protocol (RDP). A proprietary protocol to provide remote display and input capabilities over network connections for Windows-based applications between two computers.
• Network Time Protocol (NTP). An IP that enables computers to synchronize time with one another. Time synchronization is an important function when dealing with networks and network nodes.
• Telnet. A protocol that operates over the Internet. Telnet enables interactive communication between two computers, such as over a Command Prompt. Although it is not typically required in Windows networks these days, it might still be encountered and can be useful in troubleshooting and configuring network devices.
Transport Layer
The transport layer provides software developers the choice of TCP or UDP. The protocol is determined by the software developer based on the communication requirements of the application.
• TCP. Provides connection-oriented reliable communications for applications. Connection-oriented communication confirms that the destination is ready to receive data before it sends the data. TCP confirms that all packets are received to make communication reliable. Reliable communication is desired in most cases and is used by most applications. Web servers, FTP clients, and other applications that move large amounts of data use TCP.
• UDP. Provides connectionless and unreliable communication. Reliable delivery is the responsibility of the application when UDP is used. Applications use UDP for faster communication with less overhead than TCP. Applications such as streaming audio and video use UDP so that one missing packet will not delay playback. UDP is also used by applications that send small amounts of data, such as DNS lookups.
Note: Port numbers are not discussed until the next topic, but as a troubleshooting tip in this context be aware that, since Windows Server® 2003, DNS servers might use TCP over port 53 to communicate with their forwarders, depending on the amount of data, so DNS lookups are not done exclusively over UDP. This can potentially cause name resolution across a firewall to fail, because firewall administrators might assume that DNS uses UDP port 53 only.
Internet Layer
The Internet layer protocols encapsulate transport-layer data into units called packets, address them, and route them to their destinations.
• IP. Responsible for IP routing and addressing for the Windows operating systems. Implements a dual-layer IP protocol stack. This includes support for both IPv4 and IPv6.
• Address Resolution Protocol (ARP). Used by IP to determine the media access control (MAC) address of local network adapters, that is, adapters installed on computers on the local network, from the IP address of a local host. ARP is broadcast-based. This means ARP frames cannot transit a router. The frames are localized and cannot be broadcast across the Internet. Some implementations of TCP/IP provided support for Reverse ARP (RARP), in which the MAC address of a network adapter is used to determine the corresponding IP address. In IPv6, ARP was replaced with IPv6 Neighbor Discovery (ND), which establishes the relationships between neighboring nodes in a network.
• Internet Group Management Protocol (IGMP). Provides support for multicast applications over routers in IPv4 networks. Multicast involves the sending of data from a single source transmission to multiple recipients. In IPv6, IGMP was replaced with Multicast Listener Discovery (MLD).
• Internet Control Message Protocol (ICMP). Used to send error, query, or diagnostic messages in IPv4 networks. In IPv6, ICMP was updated to provide a framework for ND and MLD to operate.
Network Interface Layer
These protocols define how data from the Internet layer is transmitted on the media; they are determined by the network architecture. Note that this layer is not considered part of the TCP/IP protocol suite.
Sockets and Ports
To establish communication between an application on one node and another remote node, several things occur.
1. The required transport protocol (UDP or TCP) is identified and a “socket” is created.
2. The socket identifies the IPv4 or IPv6 address of the source and destination hosts.
3. The socket identifies the TCP or UDP port number that the application is using.
So a socket is the means by which an application and a remote computer communicate with one another. A socket opens a direct channel between the two during communication. For example, a client submits a web request through HTTP, where a connection is established and a webpage is requested, and then TCP makes sure that the webpage is transferred correctly. A socket is not a physical component in a computer or device. Instead, it is a software connection or “pipe” opened up between the client and server. A socket consists of a:
• Protocol
• Port number
• Source and destination IP addresses
Applications are assigned a port number between 0 and 65,535 through which they communicate. The first 1,024 ports are “well-known ports” that are assigned to specific applications, although client/server applications can communicate with one another as long as both reference the same port number. The following table identifies some of these well-known ports.

Port    Protocol  Application
21      TCP       FTP
25      TCP       SMTP that email servers and clients use to send email
80      TCP       HTTP used by a web server
53      TCP       DNS for zone transfers
53      UDP       DNS for name resolution
67/68   UDP       DHCP for address assignment communication
110     TCP       POP3 used for email retrieval from email clients
161     UDP       SNMP for general device management
443     TCP       HTTPS for secured web server
520     UDP       Routing Information Protocol (RIP) for routing information communication
Note: A port is an inbound or outbound service endpoint that binds a communication protocol with a network address. Static port numbers are typically used only for inbound requests.
Usually it is not necessary for you to configure your applications to use specific ports. However, you must be aware of the ports that applications are using to ensure that the required ports are open through any firewalls in your organization. Typically, a port with a secured service behind it is not a security risk. But an open port without a service is a security risk, because if a server is hacked, that open port can be used for unmonitored communication.
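As an added example that is not part of the course, the following Python script applies this advice to a constructed listing in the layout of `netstat -an` on Windows: it maps each listening endpoint to the well-known ports table above and separates listeners into those the administrator expects, well-known services that were not expected, and ports no listed service accounts for. The sample listing and the set of expected services are both assumptions made for the example.

```python
"""Audit listening ports against the well-known ports table in this lesson.

Added example; the netstat listing below is constructed, not captured output.
"""

# Well-known ports from the table above, keyed by (protocol, port).
WELL_KNOWN_PORTS = {
    ("TCP", 21): "FTP",
    ("TCP", 25): "SMTP",
    ("TCP", 80): "HTTP",
    ("TCP", 53): "DNS (zone transfers)",
    ("UDP", 53): "DNS (name resolution)",
    ("UDP", 67): "DHCP",
    ("UDP", 68): "DHCP",
    ("TCP", 110): "POP3",
    ("UDP", 161): "SNMP",
    ("TCP", 443): "HTTPS",
    ("UDP", 520): "RIP",
}

# Constructed sample in the layout of `netstat -an` on Windows (not real output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.2.181:49712    192.168.2.10:443       ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:161            *:*
"""


def listening_endpoints(netstat_text: str) -> list[tuple[str, int]]:
    """Return (protocol, port) pairs that are accepting inbound traffic.

    TCP sockets count only in the LISTENING state; UDP has no state column,
    so every bound UDP socket is treated as a listener.
    """
    endpoints = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header line or something we do not understand
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established or closing connections are not listeners
        port = int(local.rsplit(":", 1)[1])  # works for IPv4 and [IPv6] forms
        endpoints.append((proto, port))
    return sorted(set(endpoints))


def audit_listeners(netstat_text: str, expected_services: set[tuple[str, int]]) -> dict:
    """Classify each listener as expected, well-known-but-unexpected, or unknown.

    'expected_services' is the administrator's list of (protocol, port) pairs
    that should be open on this host; anything else deserves a firewall or
    service review, because an open port with no intended service behind it
    can be used for unmonitored communication.
    """
    report = {"expected": [], "unexpected_well_known": [], "unknown": []}
    for proto, port in listening_endpoints(netstat_text):
        if (proto, port) in expected_services:
            report["expected"].append((proto, port, WELL_KNOWN_PORTS.get((proto, port), "?")))
        elif (proto, port) in WELL_KNOWN_PORTS:
            report["unexpected_well_known"].append((proto, port, WELL_KNOWN_PORTS[(proto, port)]))
        else:
            report["unknown"].append((proto, port))
    return report


if __name__ == "__main__":
    # Constructed expectation: this host is meant to be a web server and DNS server.
    expected = {("TCP", 80), ("TCP", 443), ("UDP", 53), ("TCP", 53)}
    for category, items in audit_listeners(SAMPLE_NETSTAT, expected).items():
        print(f"{category}: {items}")
```

With the sample listing, the unrelated TCP 8080 listener and the unexpected SNMP listener are the two entries an administrator would follow up on, while the established outbound connection is ignored.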
Lesson 2
IPv4 Addressing
In order to connect network hosts on an IPv4 network, you must know how to configure IPv4 addresses and related properties. This lesson covers the general concepts of IPv4 addressing as well as how to analyze, configure, and troubleshoot IPv4 addresses. Understanding IPv4 is pivotal to the network administration tasks that administrators need to perform. More information about IPv4 addressing can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309109
Lesson Objectives
After completing this lesson, you will be able to:
• Describe IPv4 concepts and terminology.
• Describe IPv4 IP addressing.
• Identify network and host IDs.
• Determine subnet addressing.
• Describe more complex IPv4 addressing schemes.
• Describe IPv4 automatic addressing.
IPv4 Concepts and Terminology
The success of TCP/IP as the network protocol of the Internet is largely because of its ability to connect networks of different sizes and systems of different types. To understand what is occurring, you have to understand several basic concepts.
IP Address
An IP address is a binary number that uniquely identifies a host (computer) to other hosts, for the purposes of network communication.
Subnet
A subnet is a subdivision of an IP network. Each subnet has its own unique subnetted network ID.
Subnetting
Subnetting is a network design strategy that segregates a larger network into smaller components. A virtual local area network (VLAN), as mentioned earlier, lets you use switches to divide a network into virtual subnets, or VLANs; sometimes these terms are used interchangeably.
Subnet Mask
A subnet mask is a 32-bit value that enables the recipient of an IPv4 packet to distinguish the network ID and the host ID parts of the address. Typically, subnet masks use the format 255.x.x.x. The subnet mask that you use determines in which subnet your computer is located. The TCP/IP protocol uses the subnet mask to determine whether a host is on the local subnet or on a remote network.
IPv4 Addresses To configure network connectivity, you must be familiar with IP addresses and how they work. The TCP/IP Internet layer provides two protocols: IPv4 and IPv6. IPv4 is the older protocol and is still much more widely used.
Note: IPv4 is an IP that uses 32-bit source and destination addresses. RFC 791 defined IPv4 in 1981.
When you assign IPv4 addresses, you use dotted decimal notation. The dotted decimal notation is based on the decimal number system. However, in the background, computers use binary IP addresses. Therefore, you must make sure that you understand decimal and binary numbering. For example, if you view an IPv4 address in its binary format, it has 32 characters.
11000000101010000000000111001000
IPv4 divides the binary address into four 8-bit chunks, or octets.
11000000.10101000.00000001.11001000
Within an 8-bit octet, each bit is either 0 or 1, and each bit position has an assigned decimal value. The low-order bit, the rightmost bit in the octet, represents a decimal value of 1. The high-order bit, the leftmost bit in the octet, represents a decimal value of 128. The highest decimal value of an octet is 255, that is, all bits are set to 1. To make IP addresses more readable, the address is usually shown in its dotted decimal notation.
192.168.1.200
Note: You can use the Windows® calculator for binary-to-decimal and binary-to-hex conversion.
Network and Host IDs
An IP address has two parts: network ID and host ID. To determine how the IP address is broken down, a subnet mask is used. The subnet mask:
• Identifies the subnet on which the computer resides. This is the network ID.
• Identifies the unique identity of the computer. This is the host ID.
• Enables a networked computer to communicate with other networked computers in a routed environment.
In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0. If the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID. The subnet mask is filled with 1s from the left to the right to identify the network part, and filled up with 0s for the host part. The subnet mask does not have to fill up whole octets. A different notation of the subnet mask that is typically used is IPAddress/number-of-1-bits. For example, 10.10.0.10/16, where 16 represents the number of 1s that are used in the network ID.
The following table outlines the various components that go into making network and host IDs and how they interact. Lining up the IP address and the subnet mask together, the network and host parts of the address can be displayed and broken out into their corresponding binary values. This is shown in the first two rows of this table.

                  Dotted decimal     Binary
IP Address        192.168.002.181    11000000.10101000.00000010.10110101
Subnet Mask       255.255.255.000    11111111.11111111.11111111.00000000
Network Address   192.168.002.000    11000000.10101000.00000010.00000000
Host Address      000.000.000.181    00000000.00000000.00000000.10110101

The first 24 bits (the number of 1s in the subnet mask) are identified as the network address, with the last 8 bits (the number of remaining 0s in the subnet mask) identified as the host address. This is shown in the last two rows of the previous table.
So in this example, using a 255.255.255.0 subnet mask, the network ID is 192.168.2.0, and the host address is 0.0.0.181. When a packet arrives on the 192.168.2.0 subnet (from the local subnet or a remote network), and it has a destination address of 192.168.2.181, your computer will receive it from the network and process it.
IPv4 Address Classes
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes. The number of hosts that a network has determines the class of addresses that are required. IANA has named the IPv4 address classes from Class A through Class E. Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses. This is known as unicast assignment. Multicast addresses are Class D addresses and are assigned directly by IANA. Class E addresses are reserved by IANA for experimental use. The following table lists the characteristics of each IP address class. Notice how the number of hosts per network decreases as the subnet mask increases.

Class  First Octet  Default Subnet Mask  Number of Networks      Number of Hosts per Network
A      1–126        255.0.0.0            2^7 − 2 = 126           2^24 − 2 = 16,777,214
B      128–191      255.255.0.0          2^14 = 16,384           2^16 − 2 = 65,534
C      192–223      255.255.255.0        2^21 = 2,097,152        2^8 − 2 = 254
Note: The IPv4 address 127.0.0.1 is used as a loopback address. You can use this address to test the local configuration of the IPv4 protocol stack. Therefore, the network address 127 is not permitted for configuring IPv4 hosts.
Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices that do not connect directly to the Internet use a private IPv4 address. This means that the host is not directly exposed or visible.
Public IPv4 Addresses
Public IPv4 addresses must be unique. IANA assigns public IPv4 addresses. Usually, your Internet service provider (ISP) allocates you one or more public addresses from its address pool. The number of addresses that your ISP allocates to you depends on how many devices and hosts you have to connect to the Internet. In summary, public IPv4 addresses:
• Are required by devices and hosts that connect directly to the Internet.
• Must be globally unique.
• Are routable on the Internet.
• Must be assigned by IANA.
Private IPv4 Addresses
The pool of IPv4 addresses is becoming smaller, so IANA issues very few public IPv4 addresses. Technologies such as Network Address Translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and services on the Internet.
IANA defines the address ranges in the following table as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.

Class  Mask            Range
A      10.0.0.0/8      10.0.0.0–10.255.255.255
B      172.16.0.0/12   172.16.0.0–172.31.255.255
C      192.168.0.0/16  192.168.0.0–192.168.255.255

Note: RFC 3330 defines these private address ranges.
In summary, private IPv4 addresses:
• Are not routable on the Internet.
• Can be locally assigned by an organization.
• Must be translated to access the Internet.
Determining Subnet Addresses
A Class A, B, or C TCP/IP network can be further divided, or subnetted, by a system administrator. Subnetting is necessary for you to reconcile the logical address scheme of the Internet with the physical networks that are used by your organization. By using subnets, you can separate networks that have different security levels, such as perimeter network, test environment, manufacturing network, office network, or classroom network. After those networks are separated, you can add security devices, such as firewalls. A firewall between the networks will provide additional levels of access control. In order to select an appropriate addressing scheme for your organization, follow these steps:
1. Decide whether to use public or private IPv4 addresses.
2. Determine the number of subnets you need and then determine the subnet bits. For example, if you need six subnets, then you need three subnet bits (this provides eight subnets). The number of subnets is calculated by using the formula 2^n, where n is the number of subnet bits. More examples are provided in the following table.

Subnets  Subnet Bits
2        1
4        2
8        3
16       4
32       5
64       6
3. To determine the subnet mask, evaluate the binary number of subnet bits. For example, if you are using three subnet bits (11100000), then the subnet mask is 224. To determine the number of increments, evaluate the lowest value bit in the subnet mask. For example, the lowest value bit in the 224 subnet mask is 32, and that would be the increment between addresses. More examples are provided in the following table.

Subnets  Subnet Bits  Binary    Subnet Mask  Increment Between Addresses
2        1            10000000  128          128
4        2            11000000  192          64
8        3            11100000  224          32
16       4            11110000  240          16
32       5            11111000  248          8
64       6            11111100  252          4
4. To assign host IP addresses, remember the following:
   • The first host is one binary digit higher than the current subnet ID.
   • The last host is two binary digits lower than the next subnet ID.
   • The first and last address in any network or subnet cannot be assigned to any individual host.
   • The number of hosts depends on the number of bits. The formula is 2^n-2, where n is the number of bits.
   • 0 is the network address, and the value of 255 (or whatever the last address is) is reserved for broadcast communication. More examples are provided in the following table.
   Subnets   Subnet Bits   Binary     Subnet Mask   Increment Between Addresses   Host Bits   Number of Hosts
   2         1             10000000   128           128                           7           126
   4         2             11000000   192           64                            6           62
   8         3             11100000   224           32                            5           30
   16        4             11110000   240           16                            4           14
   32        5             11111000   248           8                             3           6
   64        6             11111100   252           4                             2           2
Note: Notice that you are trading off the number of subnets and the number of hosts. When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each subnet. Using more bits than you need allows for subnet growth but limits growth for hosts. Using fewer bits than you need allows for growth in the number of hosts you can have but limits growth in subnets.
As a practical example, consider that you have seven locations (round up to eight subnets) in the 172.16.0.0 network. This means the subnet mask is 224 with the ranges shown in the following table. Generally, if you have a full four octet IP, we would recommend that you use a four octet subnet mask.

Subnets   Subnet ranges
8         172.16.0.1–172.16.31.254
          172.16.32.1–172.16.63.254
          172.16.64.1–172.16.95.254
          172.16.96.1–172.16.127.254
          172.16.128.1–172.16.159.254
          172.16.160.1–172.16.191.254
          172.16.192.1–172.16.223.254
More Complex IPv4 Implementations

In complex networks, subnet masks might not be simple combinations of 255 and 0. Instead, you might subdivide one octet with some bits that are for the network ID and some for the host ID. Classless addressing, or Classless Interdomain Routing (CIDR), is when you do not use a whole octet for subnetting. You use either more of the octet or less of the octet. This allows you more granularity and to more accurately match the number of subnets or hosts that you require, thus being more efficient.
For example, consider being assigned an IP address of 172.16.16.1 with four branch offices to subnet. Each branch office has two divisions. Using full subnet mask octets, such as 255.255.255.0, you would be unable to subnet the offices. However, classless addressing will provide the capability that you need. On the slide, notice the 172.16.17.0/24 branch office that results in host addresses from 172.16.17.1 to 172.16.17.254. How does this work?

Breaking down 172.16.17.0/24

In binary: 10101100.00010000.00010001.00000000
Network ID is the first 24 bits
Host ID is the last 8 bits
Value: 172.16.17
Possible values: 0 to 255
Hosts: 1 to 254 (The broadcast address is 172.16.18.255. Therefore, you cannot use that as a host address.)
In the previous example, using a network of 172.16.17.0/24, the network address is 172.16.17.0, and the hosts can use the addresses from 172.16.17.1 to 172.16.17.254.
Note: The /24 represents how many subnet bits are in the mask. This notation style is called variable length subnet masking.
You can apply a similar logic to the 172.16.16.0/22 subnet.

Breaking down 172.16.16.0/22

In binary: 10101100.00010000.00010000.00000000
Network ID is the first 22 bits
Host ID is the last 2 bits of the third octet and all the bits of the fourth octet, that is, the last 10 bits.
Value: 172.16.16
Possible values: 16–18
Hosts: 17 and 18
In the previous example, using a network of 172.16.16.0/22, the network address is 172.16.16.0, and the hosts can use the addresses from 172.16.16.1 to 172.16.18.254. The broadcast address is 172.16.18.255, which you cannot use as a host address.
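The subnetting steps above (subnet bits, mask, increment, host count, per-subnet ranges) and the two CIDR breakdowns can be checked with the following Python, an added example that is not part of the course material. It uses the 172.16.0.0 network and the /24 and /22 prefixes from the text; the function names are this example's own.

```python
# Added example (not from the course material): the subnetting arithmetic the
# text walks through, done on 32-bit integers. The networks and counts used
# below are the ones from the text; nothing here touches a live network.
from typing import Dict, List, Tuple


def ip_to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 address."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix_len: int) -> int:
    """PrefixLength /n -> 32-bit mask; /8 is 11111111 then zeros, i.e. 255.0.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def subnet_bits_needed(subnets: int) -> int:
    """Smallest n with 2**n >= subnets: six subnets need 3 bits (eight subnets)."""
    n = 0
    while (1 << n) < subnets:
        n += 1
    return n


def octet_subnet_row(n: int) -> Tuple[int, int, str, int, int, int, int]:
    """One row of the text's table for n subnet bits taken from one octet:
    (subnets, subnet bits, binary, subnet mask, increment, host bits, hosts)."""
    if not 1 <= n <= 6:
        raise ValueError("the table covers 1 to 6 subnet bits")
    mask_octet = (0xFF << (8 - n)) & 0xFF       # n=3 -> 11100000 = 224
    increment = mask_octet & -mask_octet         # lowest set bit: 224 -> 32
    host_bits = 8 - n
    return (2 ** n, n, format(mask_octet, "08b"), mask_octet, increment,
            host_bits, 2 ** host_bits - 2)


def cidr_breakdown(cidr: str) -> Dict[str, object]:
    """Network, broadcast, usable host range and host count for a.b.c.d/n."""
    addr_str, prefix_str = cidr.split("/")
    prefix_len = int(prefix_str)
    mask = mask_from_prefix(prefix_len)
    network = ip_to_int(addr_str) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix_len
    hosts = 2 ** host_bits - 2 if host_bits >= 2 else 0   # 2^n - 2, as in the text
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if hosts else None,
        "last_host": int_to_ip(broadcast - 1) if hosts else None,
        "host_bits": host_bits,
        "hosts": hosts,
    }


def subnet_plan(network_cidr: str, subnets_needed: int) -> Dict[str, object]:
    """Steps 2 to 4 of the text: subnet bits, new mask, increment, host count,
    and the usable host range of every subnet carved out of the base network."""
    base_prefix = int(network_cidr.split("/")[1])
    n = subnet_bits_needed(subnets_needed)
    new_prefix = base_prefix + n
    if new_prefix > 30:
        raise ValueError("not enough bits left for usable hosts")
    mask = mask_from_prefix(new_prefix)
    # Increment = lowest set bit of the mask, read within the octet being
    # subnetted: 255.255.224.0 -> 32 in the third octet.
    increment = mask & -mask
    while increment > 255:
        increment >>= 8
    start = ip_to_int(str(cidr_breakdown(network_cidr)["network"]))
    block = 1 << (32 - new_prefix)               # addresses per subnet
    ranges: List[Tuple[object, object]] = []
    for i in range(2 ** n):
        sub = cidr_breakdown(f"{int_to_ip(start + i * block)}/{new_prefix}")
        ranges.append((sub["first_host"], sub["last_host"]))
    return {
        "subnet_bits": n,
        "subnets": 2 ** n,
        "mask": int_to_ip(mask),
        "increment": increment,
        "host_bits": 32 - new_prefix,
        "hosts_per_subnet": 2 ** (32 - new_prefix) - 2,
        "ranges": ranges,
    }
```

Running `subnet_plan("172.16.0.0/16", 7)` reproduces the eight 32-wide ranges of the practical example, and `cidr_breakdown` returns the network, broadcast and host range for any prefix, so the broadcast addresses quoted in the two breakdowns can be verified directly.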
Automatic IPv4 Configuration

When you configure networks, you must know how to assign static IP addresses manually and be able to support computers that use DHCP to assign IP addresses dynamically.

Static Configuration

You can configure static IPv4 configuration manually for each network computer. Typical IPv4 configuration includes the following:
• IPv4 address
• Subnet mask
• Default gateway
• DNS server
Static IP address configuration has several disadvantages:
• Requires administrators to go to each computer and input the information.
• Can be very time-consuming, even if the network only has a few users.
• Increases the possibility of making a mistake.
• May not be possible if the computers are in another location or are in a secured area.
• Requires administrators to make a manual update whenever the configuration changes.

Generally, it is recommended to use static IP configuration only for small networks.

DHCPv4
With DHCPv4 you can assign automatic IPv4 configurations for many computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you define for each network subnet. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope. DHCP helps simplify the IP configuration process. But if you use DHCP to assign IPv4 information and the service is business critical, you must also do the following:

1. Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.
2. Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole network and prevent communication.
IPv4 Alternate Configuration
If you use a laptop to connect to multiple networks, such as at work and at home, each network might require a different IP configuration. If both networks use DHCP, nothing has to be done; addresses are assigned automatically in both networks. If you must have a static address in one of the networks, Windows supports the use of an alternate static IP address.
When you configure Windows operating system computers to obtain an IPv4 address from DHCP, use the options on the Alternate Configuration tab to control the behavior. Configure the specific IP address, subnet mask, and other related properties for when the DHCP server is not available.
Note: By default, Windows uses Automatic Private IP Addressing (APIPA) to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. If the computer has an address from the APIPA range, it indicates that the computer cannot communicate with a DHCP server. Be aware that an APIPA address can only be used to communicate with similarly configured hosts on the local network. APIPA cannot be used with Active Directory® services, Internet connectivity, other subnets, DNS, or Windows Internet Naming Service (WINS).
Demonstration: How to Configure IPv4
You can configure IP settings from the Network and Sharing Center, by using the netsh command-line tool, or by using Windows PowerShell®. You can configure a Windows-based computer to have a manual IP configuration or to obtain an IP configuration automatically. In this demonstration, you will see how to configure IPv4 settings manually and automatically.
Demonstration Steps

1. Create a new DHCP scope with the following parameters.
   • Start IP Address: 172.16.0.5
   • End IP Address: 172.16.0.50
   • Length: 16
   • Subnet Mask: 255.255.0.0
2. Configure a client for an automatic IPv4 configuration.
3. Verify the DHCP has leased a new address.
4. Use IPConfig to release the issued IP address on the client.
5. Verify the DHCP server released the address.
6. Manually assign an IPv4 configuration to the client:
   o IP address: 172.16.0.20
   o Subnet mask: 255.255.0.0
   o Default gateway: 172.16.0.1
   o Preferred DNS server: 172.16.0.10
IP Configuration Tools

Windows includes several utilities to help you verify and define the IP configuration. Some of these tools have been used for a long time. With the release of Windows PowerShell 3.0 in Windows Server 2012, there are now new ways of doing things that allow for more control and manipulation of operating systems and their various components.
This section covers some of the older tools because they will still be relevant and you will experience them in day-to-day tasks. This section will also outline some common Windows PowerShell network configuration commands without going into too much detail about how they work. Some of these older tools include the following:
• IPConfig
• Ping
• Tracert
• Pathping
IPConfig
IPConfig is the primary client-side DHCP troubleshooting tool. If your computer is experiencing connectivity problems, you can use IPConfig to determine the computer’s IP address. If the address is in the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a DHCP-related problem.
From the client computer, open an elevated Command Prompt, and then use the IPConfig options in the following table to diagnose the problem.
Option     Description
/all       Displays all IP address configuration information. If the computer uses DHCP, you should verify the DHCP Server option in the output. This indicates the server from which the client is attempting to obtain an address. Also, verify the Lease Obtained and Lease Expires values to determine when the client last obtained an address. Be aware that IPConfig is listing the properties per local area network (LAN) adapter or virtual adapter. Therefore, you must know which adapter is connected to the network.
/release   Forces the computer to release an IP address.
/renew     Forces the client computer to renew its DHCP lease. This is useful when you think that the DHCP-related issue is resolved, and you want to obtain a new lease without restarting the computer.
Ping

Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends and receives ICMP Echo Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary TCP/IP command that is used to troubleshoot connectivity to a specific host or router.

Tracert

Tracert determines the path taken to a destination computer by sending ICMP Echo Requests. The path that is displayed is the list of router interfaces between a source and a destination.

Pathping

Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides detailed statistics on the individual network steps or hops.

Windows PowerShell

Windows Server 2012 also has Windows PowerShell cmdlets that you can use to manage network configuration. The functionality in these older tools is now present and expanded upon in Windows PowerShell. The following table describes some of the available Windows PowerShell cmdlets that can be used for configuring IPv4. This is just a small subset of the available cmdlets.

Cmdlet                       Description of IPv4 configuration uses
New-NetIPAddress             Creates a new IP address and binds it to a network adapter. You cannot change an existing IP address. You must remove the existing IP address and then create a new one.
Set-NetIPInterface           Enables or disables DHCP for an interface.
New-NetRoute                 Creates routing table entries, including the default gateway (0.0.0.0). You cannot change the next hop of an existing route; instead, you must remove an existing route and create a new route with the correct next hop.
Set-DnsClientServerAddress   Configures the DNS server that is used for an interface.
To view general network adapter configurations such as the IP address, DNS server, and default gateway (but not the subnet mask), type the following in the Windows PowerShell console.

Get-NetIPConfiguration

To view more IP address details, type the following:

Get-NetIPAddress
Be aware that Windows PowerShell uses the term PrefixLength instead of the term Subnet Mask, and it is displayed in number of bits. For example, PrefixLength = ‘8’ is 11111111, and indicates the subnet mask is 255.0.0.0.
A replacement for the ping command is the Test-Connection cmdlet. To run it, type the following:

Test-Connection [Computer Name]

To locate other cmdlets that can be used to configure the network, type the following:

Help *Net*

You can browse the Help file for the Get-NetRoute cmdlet, which is a close equivalent for tracert and pathping.

Help Get-NetRoute -showwindow
More information about Windows PowerShell Network TCP/IP cmdlets can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309110
Demonstration: How to Verify IPv4 Configuration

In this demonstration, you will see how to use IPConfig to verify the computer's IPv4 configuration.
Demonstration Steps

1. Use IPConfig or Windows PowerShell cmdlets to determine the client's current IPv4 configuration.
2. Stop the DHCP service.
3. Configure the client to obtain an IP address dynamically.
4. Use IPConfig or Windows PowerShell to verify the IP address.
5. Verify network communications with ping or the Test-Connection cmdlet.
6. Start DHCP and renew the IP address on the client.
7. Verify network communications with ping or the Test-Connection cmdlet.
Lesson 3
IPv6 Addressing
IPv6 is an important technology that will help ensure that the Internet can support a growing user base and the increasingly large number of IP-enabled devices. The current IPv4 has served as the underlying Internet protocol for almost 30 years. Its robustness, scalability, and limited feature set are now challenged by the growing need for new IP addresses, due in large part to the rapid growth of new network-aware devices. IPv6 is slowly becoming more common. Although adoption might be slow, you should understand how this technology will affect current networks and how to integrate IPv6 into those networks. More information about the IPv6 protocol can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkId=154442
Lesson Objectives

After completing this lesson, you will be able to:
• Describe the benefits of using IPv6.
• Describe an IPv6 address.
• Describe IPv6 transition technologies.
• Describe IPv6 automatic configuration.
Benefits of Using IPv6

IPv4 Limitations

When the IPv4 protocol was introduced, many of today's networking requirements could not be predicted. Therefore, the IPv4 protocol has several limitations, including the following:
• Limited address space. IPv4 uses only 32 bits to represent addresses. IANA has already allocated most of these addresses.
• Difficult routing management. IANA has not provisioned allocated IPv4 addresses for efficient route management. Therefore, Internet backbone routers have thousands of routes in their routing tables.
• Complex host configuration. Automatic configuration of IPv4 hosts requires you to implement stateful autoconfiguration, for example, a DHCP server or an appropriately configured router.
• No built-in security. IPv4 does not include any method for securing network data. You must implement IP security (IPsec) and other protocols to help secure data on IPv4 networks. However, this requires significant configuration and can be complex to implement.
• Limited Quality of Service (QoS). The implementation of QoS in IPv4 relies on the use of TCP and UDP ports to identify data. This might not be appropriate in all circumstances.
IPv6 Improvements

IPv6 improvements help enable secure communication on the Internet and over corporate networks. Some IPv6 features include the following:
• Larger address space. IPv6 uses a 128-bit address space. This provides significantly more addresses than IPv4.
• More efficient routing. IANA provisions global addresses for the Internet to support hierarchical routing. This reduces how many routes Internet backbone routers must process and improves routing efficiency.
• Simpler host configuration. IPv6 supports dynamic client configuration by using DHCPv6. IPv6-enabled hosts can assign themselves addresses automatically by taking the router's address into account. The router's network part of the address is extended with a host-unique part (static for servers, random for clients).
• Built-in security. IPv6 includes native IPsec support. This means that all hosts encrypt data in transit.
• Better prioritized delivery support. IPv6 includes a Flow Label in the packet header to provide prioritized delivery support. This enables communication using a priority level, instead of relying on application port numbers. It also assigns a priority to the packets in which IPsec encrypts the data.
• Redesigned header. The design of the header for IPv6 packets is more efficient in processing and extensibility. IPv6 moves nonessential and optional fields to extension headers for more efficient processing. Extension headers are not larger than the full size of the IPv6 packet. This holds more information than possible in the 40 bytes that the IPv4 packet header allocates.
The IPv6 Address Space

The IPv6 address space uses 128 bits compared to the 32 bits that the IPv4 address space uses. Therefore, a significantly larger number of addresses are possible with IPv6 than with IPv4. An IPv6 address allocates 64 bits for the network ID and 64 bits for the host ID. However, for hierarchical routing, IPv6 can allocate less than 64 bits to the network ID.

IPv6 Syntax

IPv6 does not use a dotted decimal notation to compress the addresses. Instead, IPv6 uses hexadecimal notation, with a colon between each set of four digits. Each hexadecimal digit represents four bits.
To shorten IPv6 addresses further, you can drop leading zeros and use zero compression. Within each group of four digits, drop leading zeros and write a group of four zeros as a single zero. By using zero compression, you can represent one contiguous group of zeros as a set of double colons. You should ensure that this is done once per address only, as shown in the following table, which shows how to simplify addresses.

Description                                       Example
A full IPv6 address                               2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A/64
An IPv6 address with leading zeros dropped        2001:DB8:0:0:2AA:FF:FE28:9C5A/64
An IPv6 address that has contiguous groupings     The address cannot be represented as 2001:0D88::2AA::FE28:9C5A/64, but can be
of zeros and leading zeros dropped                represented either as 2001:0D88::2AA:0:FE28:9C5A/64 or 2001:0D88:0:0:2AA::FE28:9C5A/64
Each IPv6 address uses a prefix to define the network ID. You use this prefix in place of a subnet mask similar to using CIDR in IPv4. The prefix is a forward slash (/) followed by the number of bits that the network ID includes. In the previous examples, the prefix defines 64 bits in the network ID.
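The shortening rules above (drop leading zeros, one run of zeros as "::", never two "::" in one address) and the /prefix that defines the network ID, as an added Python example that is not part of the course material. It works on the address from the table; the function names are this example's own.

```python
# Added example (not from the course material): IPv6 text forms as code.
# The address used in the comments is the one from the table above.
import re
from typing import List, Optional, Tuple

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _split_prefix(text: str) -> Tuple[str, Optional[int]]:
    """'2001:DB8::1/64' -> ('2001:DB8::1', 64); the prefix is optional."""
    if "/" in text:
        addr, prefix = text.split("/", 1)
        return addr, int(prefix)
    return text, None


def expand_ipv6(text: str) -> List[int]:
    """Return the eight 16-bit groups of an address written in any accepted form."""
    addr, _ = _split_prefix(text)
    if addr.count("::") > 1:
        # The rule from the text: zero compression may be used only once.
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' does not stand for any zero group: {addr}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return [int(g, 16) for g in groups]


def is_valid_ipv6(text: str) -> bool:
    """True for the two valid forms in the table, False for the double '::' one."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def _with_prefix(addr: str, prefix: Optional[int]) -> str:
    return addr if prefix is None else f"{addr}/{prefix}"


def drop_leading_zeros(text: str) -> str:
    """Second row of the table: every group without leading zeros, no '::'."""
    addr, prefix = _split_prefix(text)
    return _with_prefix(":".join(format(g, "X") for g in expand_ipv6(addr)), prefix)


def compress_ipv6(text: str) -> str:
    """Leading zeros dropped and the longest run of two or more zero groups
    replaced by one '::' (the first such run wins a tie)."""
    addr, prefix = _split_prefix(text)
    groups = expand_ipv6(addr)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):           # sentinel closes a trailing run
        if g == 0:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexg = [format(g, "X") for g in groups]
    if best_len >= 2:
        head = ":".join(hexg[:best_start])
        tail = ":".join(hexg[best_start + best_len:])
        return _with_prefix(f"{head}::{tail}", prefix)
    return _with_prefix(":".join(hexg), prefix)


def ipv6_network(text: str) -> str:
    """Apply the /prefix the way CIDR does in IPv4: keep only the first n bits."""
    addr, prefix = _split_prefix(text)
    if prefix is None or not 0 <= prefix <= 128:
        raise ValueError("a /prefix between 0 and 128 is required")
    value = 0
    for g in expand_ipv6(addr):
        value = (value << 16) | g
    network = value & (((1 << 128) - 1) ^ ((1 << (128 - prefix)) - 1))
    groups = [(network >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    return compress_ipv6(":".join(format(g, "x") for g in groups)) + f"/{prefix}"
```

The output uses uppercase hex to match the table; RFC 5952 recommends lowercase for the canonical form, which is a one-character change in the two `format` calls.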
Transitioning to IPv6

The migration from IPv4 to IPv6 is expected to take considerable time. This was considered when IPv6 was designed, and the transition plan for IPv6 is a multistep process that allows for extended coexistence. To achieve the goal of a pure IPv6 environment, consider the following points:
• Applications must be independent of IPv4 and IPv6. Applications must be changed to use new Windows sockets application programming interfaces (APIs) so that name resolution, socket creation, and other functions are independent regardless of whether you are using IPv4 or IPv6.
• DNS must support IPv6 record types. You might have to upgrade the DNS infrastructure to support the new AAAA records (required) and pointer records in the IP6.ARPA reverse domain (optional). Additionally, ensure that the DNS servers support DNS dynamic updates for AAAA records so that IPv6 hosts can register their names and IPv6 addresses automatically.
• Hosts must support both IPv6 and IPv4. You must upgrade hosts to use a dual-IP layer or stack. You must also add DNS resolver support to process DNS query results that contain both IPv4 and IPv6 addresses. Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) to ensure that IPv6/IPv4 hosts can reach one another over the IPv4-only intranet.
• Routing infrastructure must support native IPv6 routing. You must upgrade routers to support native IPv6 routing and IPv6 routing protocols.
• An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today's mainly IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4 routing infrastructures. This enables IPv6 clients to communicate with one another by using 6to4 addresses or ISATAP addresses and tunneling IPv6 packets across IPv4 networks.
• You can upgrade IPv6/IPv4 nodes to be IPv6-only nodes. This should be a long-term goal, because it will take years for all current IPv4-only network devices to be upgraded to IPv6-only. For those IPv4-only nodes that cannot be upgraded to IPv6/IPv4 or IPv6-only, use translation gateways as appropriate so that IPv4-only nodes can communicate with IPv6-only nodes.
IPv6 Automatic Configuration

In addition to IPv4 automatic IP addressing, you should understand how IPv6 addresses are dynamically assigned.

IPv6 Address Auto-Configuration

Auto-configuration is a method of assigning an IPv6 address to an interface automatically. Auto-configuration can be stateful or stateless. DHCPv6 performs stateful auto-configuration while router advertisements perform stateless configuration.
A stateful address is so called because this address is assigned from a service on a server or other device, which records the assigned address. The service that allocated the address to the client manages the stateful address. Stateless addresses are configured by the client and are not maintained by a service. The record of the address assignment is not maintained.
The first step in auto-configuration generates a link-local address with which the host communicates with other hosts on the local network. This communication is necessary to perform additional auto-configuration tasks. The host then performs the following actions in order to configure IPv6:

1. When the host generates the link-local address, the host also performs duplicate address detection to ensure that it is unique. Note as well that, by default, a server uses a link-local address that embeds its MAC address, so that it always uses the same address, while a client uses a random address.
2. An IPv6 host will send up to three router solicitations on each interface to obtain IPv6 configuration information. The configuration process that IPv6 uses varies, depending on the response it receives to router solicitations:
   • If IPv6 does not receive a router advertisement, it uses DHCPv6 to configure the interface.
   • If IPv6 receives a router advertisement with the autonomous flag on, then the client uses stateless auto-configuration and obtains the network part of the IP address from the router.
   • If IPv6 receives a router advertisement with the managed address configuration flag on, then it uses DHCPv6 to obtain an IPv6 address.
   • If IPv6 receives a router advertisement with the managed address configuration flag off and the other stateful configuration flag on, it obtains additional IPv6 configuration options from DHCPv6. However, it obtains the IPv6 address by using stateless configuration.
DHCPv6
DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts automatically with an IPv6 address and other configuration information such as DNS servers. This is the same as DHCPv4 for IPv4 networks. DHCPv6 also provides additional standalone options, such as the DNS servers, so while the client may be “autoconfiguring” its own address, the DHCP server is providing additional configuration. When a host obtains an IPv6 address from a DHCPv6 server, the following steps occur:

1. The client sends a Solicit message to locate DHCPv6 servers.
2. The server sends an Advertise message to indicate that it offers IPv6 addresses and configuration options.
3. The client sends a Request message to a specific DHCPv6 server to request configuration information.
4. The selected server sends a Reply message to the client that contains the address and configuration settings.

When a client requests configuration information only, the following additional steps occur:

5. The client sends an Information-request message.
6. A DHCPv6 server sends a Reply message to the client that has the requested configuration settings.

On large networks, you can use DHCPv6 relay agents instead of adding a DHCP server on each subnet.
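The decision the host makes in step 2 of the auto-configuration procedure (no router advertisement, A flag, M flag, or O flag only) and the two DHCPv6 exchanges listed above, simulated in an added Python example that is not part of the course material. The RA prefix, address pool, DNS server and interface identifier are constructed values; the message names are those used in the text and the type numbers are those assigned in RFC 8415.

```python
# Added example (not from the course material): router advertisement flags ->
# configuration mode, followed by the DHCPv6 message exchange that results.
# All addresses below are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# DHCPv6 message types (RFC 8415).
SOLICIT, ADVERTISE, REQUEST, REPLY, INFORMATION_REQUEST = 1, 2, 3, 7, 11
MSG_NAME = {SOLICIT: "Solicit", ADVERTISE: "Advertise", REQUEST: "Request",
            REPLY: "Reply", INFORMATION_REQUEST: "Information-request"}


@dataclass
class RouterAdvertisement:
    autonomous: bool               # A flag: host may form its own address from the prefix
    managed: bool                  # M flag: get the address from DHCPv6
    other: bool                    # O flag: get other options (such as DNS) from DHCPv6
    prefix: str = "2001:db8:1::"   # constructed /64 prefix carried in the RA


def choose_configuration(ra: Optional[RouterAdvertisement]) -> str:
    """The four cases in the text, checked in the order the text gives them."""
    if ra is None:
        return "dhcpv6_stateful"            # no RA at all: fall back to DHCPv6
    if ra.managed:
        return "dhcpv6_stateful"            # M flag on: address comes from DHCPv6
    if ra.other:
        return "stateless+dhcpv6_options"   # M off, O on: own address, options from DHCPv6
    if ra.autonomous:
        return "stateless"                  # A flag on: own address, nothing from DHCPv6
    return "link_local_only"                # not covered by the text: no global address


@dataclass
class DHCPv6Server:
    """A stateful server: it records every address it hands out."""
    pool: List[str]
    dns_servers: List[str]
    leases: Dict[str, str] = field(default_factory=dict)   # client DUID -> address

    def handle(self, msg: Dict[str, object]) -> Dict[str, object]:
        kind = msg["type"]
        if kind == SOLICIT:
            return {"type": ADVERTISE}
        if kind == REQUEST:
            address = self.pool.pop(0)
            self.leases[str(msg["client"])] = address        # the "state" in stateful
            return {"type": REPLY, "address": address, "dns": list(self.dns_servers)}
        if kind == INFORMATION_REQUEST:
            return {"type": REPLY, "dns": list(self.dns_servers)}   # options only
        raise ValueError(f"unexpected DHCPv6 message type {kind}")


def autoconfigure(ra: Optional[RouterAdvertisement], server: DHCPv6Server,
                  duid: str = "client-1",
                  interface_id: str = "2aa:ff:fe28:9c5a") -> Dict[str, object]:
    """Step 2 of the text: act on the router advertisement (or its absence)."""
    mode = choose_configuration(ra)
    transcript: List[Tuple[str, str]] = []

    def exchange(msg: Dict[str, object]) -> Dict[str, object]:
        transcript.append(("client", MSG_NAME[int(str(msg["type"]))]))
        reply = server.handle(msg)
        transcript.append(("server", MSG_NAME[int(str(reply["type"]))]))
        return reply

    result: Dict[str, object] = {"mode": mode, "address": None, "dns": [],
                                 "transcript": transcript}
    if mode == "dhcpv6_stateful":
        exchange({"type": SOLICIT, "client": duid})           # answered by Advertise
        reply = exchange({"type": REQUEST, "client": duid})   # answered by Reply
        result["address"], result["dns"] = reply["address"], reply["dns"]
    elif mode in ("stateless", "stateless+dhcpv6_options"):
        assert ra is not None
        # Stateless: network part from the RA, host part chosen by the client.
        result["address"] = ra.prefix + interface_id
        if mode == "stateless+dhcpv6_options":
            reply = exchange({"type": INFORMATION_REQUEST, "client": duid})
            result["dns"] = reply["dns"]
    return result


def run_scenario(ra: Optional[RouterAdvertisement]) -> Dict[str, object]:
    """Run one host against a fresh constructed server and report what the
    server recorded, which is what makes a DHCPv6 address 'stateful'."""
    server = DHCPv6Server(pool=["2001:db8:1::100", "2001:db8:1::101"],
                          dns_servers=["2001:db8:1::53"])
    result = autoconfigure(ra, server)
    result["server_leases"] = dict(server.leases)
    return result
```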
Lesson 4
Name Resolution
Name resolution is the process of converting computer, device names, services or network nodes to IP addresses so that when computers want to talk to one another, they can find what they need. It’s much more intuitive and easier for humans to deal with names instead of a series of numbers like IP Addresses. In order to make that transition from how humans prefer to operate and think into a format that computers can easily understand, you need a process of name resolution.
The main purpose is to resolve host names to IP addresses and to provide a hierarchical structure to enable name resolution across zones, company locations, and even across businesses and within the Internet. On large networks, you can have DHCPv6 relay agents instead of putting a DHCP server on each subnet. This is not exclusive to IPv6; it also applies to IPv4 and has similar functionality to bootstrap protocol (BOOTP).
Over the years, the name resolution processes have evolved and morphed to meet changing realities of networks. Because of this, there are several different name resolution methods in Windows Server 2012 such as WINS, NetBIOS over TCP/IP name resolution and DNS. DNS is the most important in modern corporate environments. This will be the main focus of this lesson. The other resolution methods are older technologies that only apply in limited scenarios. However, you should still understand the concepts and processes behind all the methods because you will occasionally encounter them, whether in networks, documentation, or even certification. Name resolution is a critical component of any network.
Lesson Objectives

After completing this lesson, you will be able to:
• Configure NetBIOS and host names.
• Describe Link Local Multicast Name Resolution (LLMNR).
• Describe the NetBIOS name resolution process.
• Describe DNS infrastructure components.
• Understand how Internet DNS names are resolved.
• Understand how the client name resolution process works.
• Describe the purpose of the DNS Global Names Zone.
• Troubleshoot name resolution.
Configuring a Computer Name

As stated earlier, computers are given individual names when they are set up. Each computer name must be unique so that it can be identified on a network. If the name is not unique, you might be unable to establish the correct identity for the computer that you want to communicate with. Conceptually, the same principles outlined here apply to other network nodes, services, applications, and so on. However, this section will focus specifically on computer names because it is most relevant at this point.
When Windows Server 2012 is installed, it is given an automatically assigned computer name. This provides some uniqueness. What makes up a valid name depends on what method you are using to resolve that name to an IP address. For this discussion, there are two types: NetBIOS names and host names.

NetBIOS Names
A NetBIOS name is an older computer naming format. In smaller computer networks such as a home network or workgroup you can provide a computer name such as Computer01, Computer02, and so on. As long as the names are unique, the computers can communicate over the network. NetBIOS names have the following characteristics:
• A single name identifies the computer, such as Computer01. The name does not have a second identifier associated with it such as Computer01.HomeNetwork. This is a key point to understand.
• NetBIOS names are associated with small home networks or workgroups where traffic is not routed to other subnets or to the Internet. It's possible it could also be associated with older servers still present on modern networks.
• It enables computers to identify one another on small networks where DNS is not available.
• Each NetBIOS name on a network must be unique. Otherwise, you will encounter problems when trying to communicate between computers.
• There is a 16-character limit allowed for a NetBIOS name. The first 15 characters are used for the actual computer name and the final sixteenth character is a hexadecimal number to identify a resource or service on that computer. For example, Server01 [20h].
Host Name
A host name is typically associated with modern corporate networks that communicate across subnets or to the Internet. If you open a Command Prompt on your computer and type hostname, the computer name will be returned. For example, LON-DC1, one of the lab virtual machines. In its simplest form, the host name can look very similar to a NetBIOS name. However, the host name and the name resolution process it uses is different. Host names have the following characteristics:
• The host name is only the first part of the computer name. The computer name can contain multiple subnames that enable it to be uniquely identified.
• Host names are typically associated with corporate or larger networks that communicate across subnets or the Internet.
• The terminology associated with host names is typically used in relation to DNS.
• The host name can be combined with a domain name to create what is called a fully qualified domain name (FQDN). An example of an FQDN would be webserver.Adatum.com. The host name, WEBSERVER, is the first part of this FQDN.
• Periods are used as separators between the name and identifiers. Applications use this structured FQDN on the Internet.
• A host name cannot have more than 255 characters. This is longer than a NetBIOS name.
• A host name can contain alphanumeric characters, periods, and hyphens.
In Windows operating systems, applications can request network services through Windows Sockets, Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS name.
What Is Link Local Multicast Name Resolution?

Link Local Multicast Name Resolution (LLMNR) is a method to resolve computer host names, such as Computer01, to IPv6 network addresses in a local subnet where DNS is not available. It was a name resolution method introduced in Windows Server 2008 and Windows Vista®, and is present in Windows Server 2012 and Windows 8. It is useful in home networks, workgroups, or even in ad hoc networks such as in coffee shops. It is enabled by turning on Network Discovery in the Network and Sharing Center in Control Panel. By default, Network Discovery is turned off on public networks. To enable LLMNR you can use Group Policy under Computer Configuration\Policies\Administrative Templates\Network\DNS Client. Then in the Turn Off Multicast Name Resolution setting, specify whether you want it enabled or disabled.
LLMNR is not intended as a direct replacement for NetBIOS name resolution. In Windows Server 2012, LLMNR queries and NetBIOS queries are sent in parallel to improve performance. Also, LLMNR only works with the Windows Vista, Windows 8, Windows Server 2008, and Windows Server 2012 operating systems, so where older operating systems exist, LLMNR is not a name resolution solution. LLMNR does issue queries for IPv4 addresses but only returns values for IPv6. It is also compatible with IPv6, whereas NetBIOS is not. So, as IPv6 becomes more prominent, it could conceivably become a single non-DNS name resolution method. One other point to emphasize again: LLMNR is not routable. For example, it cannot resolve computer names beyond the local subnet.
The NetBIOS Name Resolution Process
As described earlier, NetBIOS over TCP/IP (NetBT) is a legacy technology, but some networks might still require it to support older operating systems and applications. It is the only mechanism that can resolve names for IPv4 addresses without DNS. Therefore, administrators must still be familiar with it, and understand the options and processes behind it. There are effectively three main methods for resolving computer names using the NetBIOS name resolution process: broadcasts, WINS, and the LMHosts file. Each of them is covered in turn here, in addition to how they are used.
Broadcasts
Name resolution through broadcasting involves the requesting computer sending out a query to all computers in a subnet, asking the owner of a computer name to respond with its IP address. This is broadcast communication and cannot be passed across subnets. Broadcasting is not very efficient and adds to network traffic, which can affect network performance.
LMHosts
LMHosts is an actual file list of computer NetBIOS names mapped to IP addresses. It is a static list, which means that it has to be manually created and maintained. It is stored on the local computer in the directory %SystemRoot%\System32\Drivers\Etc. If LMHosts is enabled, it applies to all connections for which TCP/IP is enabled. Because LMHosts requires manual configuration, it has only limited applications, for example, a remote employee who has no other name resolution process available. An example of an entry in the LMHosts file would be as follows.
102.54.94.117    localsrv
WINS
WINS requires a WINS server database that has the computer names and associated IP addresses mappings. Using a database to resolve NetBIOS names enables computers to look up the IP address of a computer’s NetBIOS name directly. They do not have to broadcast, multicast, or refer to files that have to be manually configured and maintained. When WINS is enabled, it applies to all connections for which TCP/IP is enabled. WINS is built on a protocol that registers, resolves, and releases NetBIOS names by using unicast communication. For example, when DHCP dynamically assigns new IPv4 addresses to a computer that moves to another subnet, the moving computer automatically registers the new address in the WINS server database. The main advantage of WINS over other NetBIOS name resolution methods is that it is dynamic and routable. This enables computers to obtain the IP addresses of nodes that are not on its subnet.
Also, one final method that can be used is the computer's local cache. As computers resolve NetBIOS names to IP addresses, they store those mappings in a local cache. This means the computer doesn't have to look elsewhere for a mapping. Entries in the cache that have not come from the LMHosts file have a limited lifetime, about 10 minutes. After that time, the cache entries are removed. At a Command Prompt, type Nbtstat.exe -c to view a computer's local NetBIOS cache. Nbtstat.exe has other capabilities, including purging the cache and listing the current NetBIOS sessions.
How the broadcast and WINS methods are used to resolve NetBIOS names on a computer is defined by what is called a NetBIOS node type, which is specified on the computer. This node type setting doesn't affect the computer using the local cache or referring to the LMHosts file; it just affects how broadcast and WINS operate. These node types can be broken down as follows:
• b-node. This uses broadcasts to resolve NetBIOS names to IP addresses. It is not routable and increases the network traffic.
• p-node. This uses point-to-point communication with a WINS server directly.
• m-node. This is a mixed approach and uses broadcasts first and then, if that is unsuccessful, uses a point-to-point approach and queries a WINS server.
• h-node. This is also a mixed approach but the reverse of the m-node: it directly queries a WINS server first and then uses broadcasts.
The node type on a computer can be configured in the registry or when clients are dynamically configured by DHCP. In most cases, the default node type is not altered. By default, Windows Server 2012 and Windows 8 clients, in addition to earlier versions, are h-node (or hybrid). At the Command Prompt, type ipconfig /all to view the Node Type field value. When a WINS server is configured on the computer and the node type has not been changed, the NetBIOS name resolution process is as follows:
1. Windows checks the local NetBIOS name cache.
2. Windows contacts its configured WINS servers.
3. Windows broadcasts as many as three NetBIOS Name Query Request messages on the directly attached subnet.
4. Windows searches the LMHosts file.
5. Windows checks whether the NetBIOS name is the same as the local host name.
6. Windows then tries the DNS resolver cache.
7. Windows then tries DNS name resolution.
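As an added example that is not part of the course, the following Windows PowerShell function reads the client-side settings the two preceding topics describe: the NetBIOS node type that ipconfig /all reports, whether NetBIOS over TCP/IP is enabled on each adapter, and whether the Turn Off Multicast Name Resolution policy for LLMNR is in effect. The registry paths and the Win32_NetworkAdapterConfiguration class are standard Windows locations; the function name is assumed for the example.

```powershell
# Added example, not part of the course. Reports the client-side name resolution
# settings discussed above, read from their standard Windows locations.
function Get-NameResolutionClientConfig {
    [CmdletBinding()]
    param()

    # NetBIOS node type. NodeType is the registry override (1 = b, 2 = p, 4 = m,
    # 8 = h); DhcpNodeType is the value handed out through DHCP option 046.
    # ipconfig /all shows the one in effect; with neither set, Windows is hybrid.
    $nodeNames = @{ 1 = 'b-node (broadcast)'; 2 = 'p-node (WINS only)'; 4 = 'm-node (mixed)'; 8 = 'h-node (hybrid)' }
    $netbt     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $nodeValue = if ($null -ne $netbt.NodeType) { [int]$netbt.NodeType } elseif ($null -ne $netbt.DhcpNodeType) { [int]$netbt.DhcpNodeType } else { 8 }
    $nodeType  = if ($nodeNames.ContainsKey($nodeValue)) { $nodeNames[$nodeValue] } else { "unknown value $nodeValue" }

    # LLMNR: the "Turn Off Multicast Name Resolution" policy writes EnableMulticast
    # under the DNSClient policy key; 0 means LLMNR is turned off.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrState = if ($null -eq $llmnr) { 'Not configured (LLMNR allowed by default)' } elseif ($llmnr.EnableMulticast -eq 0) { 'Turned off by policy' } else { 'Turned on by policy' }

    # NetBIOS over TCP/IP is a per-adapter setting: TcpipNetbiosOptions 0 = take
    # the DHCP server's setting, 1 = enabled, 2 = disabled.
    $netbiosNames = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
    $adapters = foreach ($adapter in (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        [pscustomobject]@{
            Adapter        = $adapter.Description
            IPv4Address    = ($adapter.IPAddress | Where-Object { $_ -notlike '*:*' }) -join ', '
            NetBiosOverTcp = $netbiosNames[[int]$adapter.TcpipNetbiosOptions]
            WinsServer     = $adapter.WINSPrimaryServer
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        NodeType     = $nodeType
        LlmnrPolicy  = $llmnrState
        Adapters     = $adapters
    }
}

$config = Get-NameResolutionClientConfig
$config | Format-List ComputerName, NodeType, LlmnrPolicy
$config.Adapters | Format-Table -AutoSize
```

Run it in an ordinary (non-elevated) console; the keys are readable by any user. Comparing its output between a computer that resolves a name and one that does not is a quick way to see whether the two are even trying the same methods.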
You can also specify when the LMHosts file is used; that is, if a WINS query fails, the WINS server can then query the LMHosts file before broadcasting. If all attempts fail, the name resolution process then attempts DNS resolution if it is present. That process is described in more detail in the next topic. The name resolution process stops when the first IPv4 address is found for the name.
If you ping another computer on a local network and the returned data is in IPv4 format and doesn't have an FQDN, this indicates that the computer name was resolved by using NetBIOS name resolution. It can't have been LLMNR, because that appears in IPv6 format, and DNS always returns an FQDN when it resolves a computer name. If you have DNS configured and enabled on the network, this indicates a problem with DNS.
DNS Infrastructure Components
DNS is the Microsoft preferred choice for resolving host names to IP addresses. It is a hierarchical structure and automates the mechanisms of registering, identifying, caching, and resolving host names and IP addresses. It is routable and operates successfully across different subnets and the Internet.
The automated nature of this process greatly simplifies and streamlines the maintenance and management of name resolution. However, incorrectly configuring DNS can result in poor network performance and increased computer startup times. That is mainly because of two things: the inability to locate domain controllers, and the replication of database information. Before you learn how DNS works, you first have to understand some core concepts.
DNS Naming Structure
The naming structure used in DNS is called the DNS namespace. It is hierarchical, which means that it starts with a “root” domain. That root domain can itself have any number of subdomains underneath it. Each subdomain can also in turn have any number of subdomains underneath it. The domain names themselves can be either public (Internet-facing) or private. If they are private, you can decide on your own how to define your namespace. If they are public, you have to work with the Internet Corporation for Assigned Names and Numbers (ICANN) or other Internet naming registration authorities, who can delegate, or sell, unique names to you. From these names, you can create subnames.
At the very root, DNS has a unique namespace, indicated by an empty string “ ”. Preceding this is a single dot ‘.’. Below this, in the public namespace, is one of several other top-level domain namespaces. There are three kinds of top-level domains in the public namespace:
• Organizational. This domain is based on the function of an organization. For example, .com, .net, .org, and .edu. There are more than 20 variations, and these are distributed and managed by ICANN.
• Geographical. These are designated per country/region. For example, .uk for United Kingdom (co.uk is the .com equivalent for UK-based businesses), .it for Italy, .de for Germany, and .jp for Japan. There are more than 200 of these registered. Typically, each country/region has its own domain registration service.
• Reverse domains. These are special domains used in resolving addresses to names; that is, a reverse lookup. Examples are in-addr.arpa and ip6.arpa.
Typically, underneath these top-level domains, there are subdomains. For example, microsoft.com, university.edu, or government.gov. These subdomains can also have subdomains, such as unitedstates.microsoft.com or physicsdept.university.edu. Every computer and network node can be identified by its FQDN. For example, Computer01.unitedstates.microsoft.com. More information about TLDs and IP addresses can be found at the following website.
http://www.icann.org
Different from the NetBIOS naming convention is the use of multiple identifiers associated with each network node. This lets you define the node's location in relation to the root of the DNS namespace.
Reference Links: In everyday usage, the trailing dot (.) at the end of the FQDN, which separates the empty string root “ ”, is usually not included in the name. For example, web browsers would use “university.edu” and not “university.edu.” However, the DNS Client service adds the dot ‘.’ back in when it is querying.
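As an added example that is not part of the course, the following function splits a name into its labels from the root down, restores the trailing root dot that the DNS Client service adds, and checks the host name rules given at the start of this lesson (255 characters at most; letters, digits, periods, and hyphens only). The 63-character limit per label comes from the DNS specification rather than from the text; the names tested are the ones used as examples above, and the function name is assumed.

```powershell
# Added example, not part of the course. Breaks an FQDN into labels and applies
# the host name rules from the lesson.
function Get-DnsNameParts {
    param([Parameter(Mandatory)][string]$Name)

    # Everyday usage drops the trailing dot that separates the empty root label;
    # put it back, as the resolver does when it sends the query.
    $queryName = if ($Name.EndsWith('.')) { $Name } else { "$Name." }

    # Labels, leftmost (the host name) first. Each label is one level below the
    # label to its right, so reading the list backwards walks from the root down.
    $labels = @($queryName.TrimEnd('.') -split '\.')

    $problems = @()
    if ($queryName.Length -gt 255) { $problems += 'longer than 255 characters' }
    if ($queryName -notmatch '^[A-Za-z0-9.\-]+$') { $problems += 'contains characters other than letters, digits, periods and hyphens' }
    if ($labels | Where-Object { $_.Length -eq 0 -or $_.Length -gt 63 }) { $problems += 'has an empty label or a label longer than 63 characters (DNS specification limit)' }

    $domain    = if ($labels.Count -gt 1) { $labels[1..($labels.Count - 1)] -join '.' } else { '' }
    $rootFirst = @($labels[($labels.Count - 1)..0])

    [pscustomobject]@{
        Name       = $Name
        QueryName  = $queryName                        # what the DNS Client service actually sends
        HostName   = $labels[0]                        # e.g. WEBSERVER in webserver.Adatum.com
        DomainName = $domain
        TopLevel   = $labels[-1]
        RootToHost = (@('<root>') + $rootFirst) -join ' > '
        IsValid    = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-DnsNameParts -Name 'webserver.Adatum.com'
Get-DnsNameParts -Name 'Computer01.unitedstates.microsoft.com'
Get-DnsNameParts -Name 'Computer01'                 # a single-label name sits directly under the root
Get-DnsNameParts -Name 'file_server.adatum.com'     # the underscore fails the host name character rule
```

The RootToHost column shows the hierarchy the text describes: the root, then the top-level domain, then each subdomain, with the host name last.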
Some of the main infrastructure components that span a DNS infrastructure, or that are used to build one, are as follows:
• DNS server. Contains a database of host names and IP addresses. It responds to client requests and provides the required mapping information. It can cache information for other domains. Where it does not have the needed mapping information, it can forward DNS client requests to another DNS server.
• DNS zones. A DNS infrastructure is broken up into zones, each of which is allocated a DNS server to own, or potentially be an authoritative server for, and to process requests for that particular zone. For example, one DNS server might be responsible for the paris.europe.microsoft.com DNS zone and another DNS server might be responsible for berlin.europe.microsoft.com. It's possible to have variations on the number of servers per zone and across multiple zones, and also different authority levels. You can also have different kinds of zones. For example:
o Forward lookup zones. Resolve host names to IP addresses.
o Reverse lookup zones. Resolve IP addresses to host names; that is, the opposite of what happens in forward lookup zones. An organization typically controls the reverse lookup zones for its internal network. However, some mappings for external IP addresses obtained from an ISP might be managed by the ISP.
It is important to understand that the zone is the level of naming delegation. If a DNS server holds a zone, either authoritative or not, it will not query other servers about names in that zone. The DNS server considers its information up-to-date and valid (unless a sub-namespace was delegated). Administrative delegation (who is in charge of doing what with that namespace) is also important. The zone is also the scope for replication. In other words, a server cannot contain a part of the zone: either it holds a copy or it does not.
• DNS Forwarders/Delegations
o DNS forwarders. Forwarding is when the DNS server sends a query upstream because it cannot resolve the request locally. A DNS server only forwards a query when it has not been able to resolve it from its own authoritative data or from its own cache.
o DNS delegation is when a DNS server delegates management of part of its namespace to another DNS server.
How DNS servers forward, delegate, and replicate the name resolution databases can have a significant effect on query response times. This is something that should be carefully considered before deployment.
• DNS resolver. Provides the service to query for host-to-IP address mappings. The DNS Client service in the Windows client operating system, Windows 8 for example, provides this functionality and also caches resolved mappings in a local client cache for future use, called the DNS resolver cache.
Windows operating system computers also contain a Hosts file. This file is stored locally in the %SystemRoot%\System32\Drivers\Etc directory. The file contains mappings of host names to IP addresses. It can be edited manually, and when the DNS Client service starts it parses the file and adds the mapped entries to the local DNS resolver cache. Its structure resembles what was shown earlier for an LMHosts file entry.
• Resource records. These are the actual entries in the DNS database used to answer queries. Each entry contains several items, including Name, Record Type, and Record Data. Defining specific record types allows entries to be classified and provides for faster query responses. Some typical record types are as follows:
o A. Used for resolving host names into IPv4 addresses
o AAAA. Used for resolving host names into IPv6 addresses
o CNAME. Used to resolve one name (alias) into another, fully qualified name, such as www into webserver1.microsoft.com
o SRV. Used to find servers providing specific services, such as domain controllers
o PTR. Used in reverse lookup zones for resolving IP addresses into fully qualified host names
Note: Details about resource record definitions are also available at the IANA website.
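The Hosts file described above and the LMHosts file from the NetBIOS topic share one line format: an address, whitespace, a name, optional aliases, and an optional comment introduced by "#". As an added example that is not part of the course, the following parser reads that format from a constructed sample (not a real file) and looks a name up the way the resolver would. The #PRE keyword it recognizes is the LMHosts preload tag; the function names are assumed.

```powershell
# Added example, not part of the course. Parses Hosts/LMHosts-format text and
# resolves a name against the parsed entries.
function ConvertFrom-HostsText {
    param([Parameter(Mandatory)][string]$Text)

    foreach ($line in ($Text -split "`r?`n")) {
        # Everything after the first "#" is a comment. In LMHosts, some comments
        # are keywords: #PRE marks an entry to preload into the NetBIOS cache.
        $comment = ''
        $code    = $line
        $hash    = $line.IndexOf('#')
        if ($hash -ge 0) {
            $code    = $line.Substring(0, $hash)
            $comment = $line.Substring($hash + 1).Trim()
        }

        $fields = @($code.Trim() -split '\s+')
        if ($fields.Count -lt 2 -or $fields[0] -eq '') { continue }   # blank or comment-only line

        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) { continue }   # malformed address: skip

        $aliases = if ($fields.Count -gt 2) { $fields[2..($fields.Count - 1)] } else { @() }
        $family  = if ($ip.AddressFamily -eq 'InterNetworkV6') { 'IPv6' } else { 'IPv4' }

        [pscustomobject]@{
            Address = $fields[0]
            Name    = $fields[1]
            Aliases = $aliases
            Family  = $family
            Preload = ($comment -match '^PRE\b')   # LMHosts #PRE keyword
        }
    }
}

function Find-HostsEntry {
    param([Parameter(Mandatory)][object[]]$Entries, [Parameter(Mandatory)][string]$Name)
    # Host name matching is case-insensitive, which is what -eq and -contains do in PowerShell.
    $Entries | Where-Object { $_.Name -eq $Name -or $_.Aliases -contains $Name } | Select-Object -First 1
}

# Constructed sample in Hosts/LMHosts format; the real files live in %SystemRoot%\System32\Drivers\Etc.
$sampleHosts = @'
# constructed sample, not a real file
127.0.0.1       localhost
::1             localhost
172.16.0.10     lon-dc1.adatum.com   lon-dc1   # entry added while troubleshooting
102.54.94.117   localsrv             #PRE      # LMHosts-style entry, preloaded into the NetBIOS cache
'@

$entries = ConvertFrom-HostsText -Text $sampleHosts
$entries | Format-Table -AutoSize
Find-HostsEntry -Entries $entries -Name 'LON-DC1'   # matches the alias, case-insensitively: 172.16.0.10
```

Because Hosts entries are loaded straight into the DNS resolver cache, an unexpected entry in that file changes the answer for every application on the computer; reviewing the file with a parser like this is part of checking a client's name resolution configuration.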
How Internet DNS Names Are Resolved
A name resolution client query can potentially take many paths, depending on whether it is public or private and how the DNS infrastructure is designed. This section examines how the process operates in relation to Internet domain names, because it is a common scenario that most people have encountered even though they may not be aware of how it operates.
When DNS names are resolved on the Internet, a whole system of computers is used instead of just a single server. There are 13 root servers on the Internet that are responsible for managing the overall structure of DNS resolution. When you register a domain name on the Internet, you are paying for the privilege of being part of this system. The name resolution process for the name www.microsoft.com is as follows:
1. A workstation queries the local preferred DNS server for the IP address of www.microsoft.com.
2. If the local DNS server does not have the information, it queries a root DNS server in the organization for the location of the .com DNS servers.
3. The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.
4. The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.
5. The local DNS server returns the IP address of www.microsoft.com to the workstation.
The name resolution process can be changed in several ways, but two common options that are used are as follows:
• Caching. After a local DNS server resolves a DNS name, it will cache the results for approximately 24 hours. Later resolution requests for the DNS name are given the cached information.
• Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead of querying root servers. For example, requests for all Internet names can be forwarded to a DNS server at an ISP, which performs the rest of the resolving chain on behalf of the requesting DNS server and returns the answer. This is good because the local DNS server does not have to be able to communicate with every DNS server on the Internet.
Question: Which computers in your organization should have an A record configured?
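As an added example that is not part of the course, the following script models the five-step walk above in memory: a set of authoritative servers, each holding one zone with the record types listed in the previous topic (NS for delegation; A, AAAA, and CNAME for answers), and a local DNS server that starts at the root, follows referrals, and keeps the 24-hour cache the text mentions. Every server, zone, and record is constructed for the example (addresses are taken from the documentation ranges 203.0.113.0/24 and 2001:db8::/32); nothing here sends real DNS traffic, and the function names are assumed.

```powershell
# Added example, not part of the course. In-memory model of iterative resolution
# with caching; all servers and records below are constructed.

# Each authoritative server holds exactly one zone. NS records delegate a
# sub-namespace to another server; A, AAAA and CNAME records are answer data.
$Servers = @{
    'root-server'    = @{ Zone = '.';              Records = @(
        @{ Name = 'com.';                      Type = 'NS';    Data = 'com-tld-server' }) }
    'com-tld-server' = @{ Zone = 'com.';           Records = @(
        @{ Name = 'microsoft.com.';            Type = 'NS';    Data = 'microsoft-dns' }) }
    'microsoft-dns'  = @{ Zone = 'microsoft.com.'; Records = @(
        @{ Name = 'www.microsoft.com.';        Type = 'CNAME'; Data = 'webserver1.microsoft.com.' },
        @{ Name = 'webserver1.microsoft.com.'; Type = 'A';     Data = '203.0.113.10' },
        @{ Name = 'webserver1.microsoft.com.'; Type = 'AAAA';  Data = '2001:db8::10' }) }
}

# The local (preferred) DNS server's cache: "name|type" -> answer and expiry time.
$Cache = @{}

function Get-AuthoritativeRecord {
    param([string]$Server, [string]$Name, [string]$Type)
    $Servers[$Server].Records | Where-Object { $_.Name -eq $Name -and $_.Type -eq $Type } | Select-Object -First 1
}

function Resolve-Iteratively {
    # Plays the local DNS server: receives the workstation's query (step 1), walks
    # the hierarchy (steps 2 to 4) and returns the address (step 5).
    param([Parameter(Mandatory)][string]$Name, [string]$Type = 'A')

    $fqdn = $Name.ToLower()
    if (-not $fqdn.EndsWith('.')) { $fqdn += '.' }   # the resolver appends the root dot
    $key = "$fqdn|$Type"

    # Caching option: a fresh cached answer short-circuits the whole walk.
    if ($Cache.ContainsKey($key) -and $Cache[$key].Expires -gt (Get-Date)) {
        return [pscustomobject]@{ Name = $Name; Type = $Type; Data = $Cache[$key].Data; Path = 'cache' }
    }

    $server = 'root-server'   # step 2: begin at a root server
    $path   = @()
    for ($hop = 0; $hop -lt 10; $hop++) {   # hop limit guards against a delegation loop
        if ($path.Count -eq 0 -or $path[-1] -ne $server) { $path += $server }

        $answer = Get-AuthoritativeRecord -Server $server -Name $fqdn -Type $Type
        if ($answer) {
            # Cache for 24 hours, as the text describes, then answer the workstation.
            $Cache[$key] = @{ Data = $answer.Data; Expires = (Get-Date).AddHours(24) }
            return [pscustomobject]@{ Name = $Name; Type = $Type; Data = $answer.Data; Path = ($path -join ' -> ') }
        }

        # An alias: carry on with the canonical name on the same server.
        $alias = Get-AuthoritativeRecord -Server $server -Name $fqdn -Type 'CNAME'
        if ($alias) { $fqdn = $alias.Data; continue }

        # No answer here: follow the most specific delegation (NS) whose zone
        # name is a suffix of the queried name.
        $referral = $Servers[$server].Records |
            Where-Object { $_.Type -eq 'NS' -and $fqdn.EndsWith($_.Name) } |
            Sort-Object { $_.Name.Length } -Descending |
            Select-Object -First 1
        if (-not $referral) { throw "$server holds zone '$($Servers[$server].Zone)' but has no record or delegation for $fqdn" }
        $server = $referral.Data
    }
    throw "Gave up after $hop referrals while resolving $fqdn"
}

Resolve-Iteratively -Name 'www.microsoft.com'                     # root-server -> com-tld-server -> microsoft-dns
Resolve-Iteratively -Name 'www.microsoft.com'                     # second query is answered from the cache
Resolve-Iteratively -Name 'webserver1.microsoft.com' -Type 'AAAA'
```

The Path column of the first call shows the same three referrals the numbered steps describe; the second call shows why caching matters, since no server is contacted at all until the entry expires.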
How a Client Resolves a Name
When all the previously outlined name resolution methods are considered, a client has several options to locate a computer, service, or network node. There can be lots of choices, depending on how the various resolution methods are configured. This section describes a default resolution process from start to finish. This provides an overview of how the pieces fit together in a modern corporate networked environment.
How the Host Name Resolution Process Works
When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver cache and DNS to try to resolve the host name. The Hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving host names. Windows resolves host names by:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache. The DNS resolver cache is a local cache that contains any DNS addresses that were recently requested.
3. Sending a DNS request to its configured DNS servers; the server then attempts to resolve that request, either on its own or by forwarding it to other DNS servers.
4. Using the LLMNR resolution method to resolve the host name in the local subnet using IPv6, if it is enabled.
5. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
6. Contacting the host's configured WINS servers.
7. Broadcasting as many as three NetBIOS Name Query Request messages on the directly attached subnet.
8. Searching the LMHosts file.
Note: You can control the precise order used to resolve names. For example, if you disable NetBIOS over TCP/IP, the NetBIOS name resolution methods are not tried. Or, you can change the NetBIOS node type. This causes a change in the order in which the NetBIOS name resolution methods are tried.
The GlobalNames Zone
The GlobalNames zone (GNZ) is a DNS name resolution method that was introduced in Windows Server 2008 and is available in all Windows Server releases since then, including Windows Server 2012. It is a zone named GlobalNames; it is not a new or special zone type. It is Active Directory-integrated, and enables single-label names, such as Fileserver01, to be resolved to IP addresses in large enterprise networks. The GNZ was introduced so that companies with multiple DNS zones can resolve short names.
You can set the replication scope on the GlobalNames zone to replicate to all DNS servers in the forest and this then ensures that the zone can provide single label names that are unique in the forest. You can also do this across an organization that has multiple forests if a particular record type is used, such as service (SRV) records.
It is designed specifically for static names, and therefore, in a corporate environment for centrally managed servers (such as web or file servers) that are assigned static IP addresses. It is not for use with IP addresses that are dynamically registered or for use as part of a peer-to-peer name resolution process. Instead of using the GNZ, you could choose to configure DNS and WINS integration. You do this by configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The advantage of this approach is that you can configure client computers to only use a single name service, DNS, and still be able to resolve NetBIOS-compliant names.
Note: A short name does not mean NetBIOS. Although a short name can be a compliant NetBIOS name, the use of short names or non-FQDN does not mean the network requires NetBIOS for them to function on a network. It can be common for the use of short names and NetBIOS to be misunderstood.
GNZ is intended to help in the migration from WINS. Companies who want to eliminate WINS should consider the following approach:
1. Enable WINS integration in DNS.
2. Remove the client WINS configuration.
3. Configure any company applications to use FQDNs and DNS.
4. Names that are still required to be available should be created as global names via short names in a GNZ.
5. Remove WINS if possible. If there are certain records that still have to be resolved as short names across DNS zones/domains, enter them in a GNZ.
6. Determine how to configure applications correctly to remove unnecessary records in the GNZ.
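As an added example that is not part of the course, the following script performs the GNZ part of the migration above with the DnsServer module on Windows Server 2012: it turns on GlobalNames support, creates the forest-replicated zone if it is missing, adds one static single-label name, and verifies the result with a client lookup. The server name and domain (LON-DC1, adatum.com) are the course lab's; the Fileserver01 name and its target lon-svr1.adatum.com are assumed for the example.

```powershell
# Added example, not part of the course. Requires the DnsServer module (DNS
# Server Tools) and a DNS administrator account.
Import-Module DnsServer

$dnsServer = 'LON-DC1'

# 1. Turn on GlobalNames zone support on the DNS server.
Set-DnsServerGlobalNameZone -ComputerName $dnsServer -Enable $true

# 2. Create the zone if it does not exist yet. It must be named exactly GlobalNames.
#    Forest replication scope is what makes a single-label name unique across the
#    forest, as described above. Dynamic updates are refused: the GNZ is for
#    static names only.
if (-not (Get-DnsServerZone -ComputerName $dnsServer -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $dnsServer -Name 'GlobalNames' -ReplicationScope 'Forest' -DynamicUpdate 'None'
}

# 3. A GNZ entry is a CNAME record that points the short name at the FQDN of a
#    centrally managed server with a static address (assumed target).
Add-DnsServerResourceRecordCName -ComputerName $dnsServer -ZoneName 'GlobalNames' `
    -Name 'Fileserver01' -HostNameAlias 'lon-svr1.adatum.com'

# 4. Verify: server-side settings and records, then a client-side lookup of the
#    short name against that server. The answer arrives as the CNAME plus the
#    target's A record, resolved through DNS alone, with no WINS or NetBIOS.
Get-DnsServerGlobalNameZone -ComputerName $dnsServer
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName 'GlobalNames' -RRType CName
Resolve-DnsName -Name 'Fileserver01' -Type A -Server $dnsServer
```

Step 6 of the migration list is the ongoing part: each CNAME left in the zone is a name some application still asks for as a short name, so the record list from step 4 doubles as the list of applications still to be reconfigured.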
Demonstration: How to Troubleshoot Name Resolution
There are several options available when you have to troubleshoot name resolution in the network environment.
First, there are the existing command-line tools, such as ipconfig.exe, nslookup.exe, and nbtstat.exe, all outlined earlier in the module. These are present on older Windows operating systems up to and including Windows Server 2012 and Windows 8. Second, in Windows Server 2012 and Windows 8, with the improvements made to Windows PowerShell, the Windows PowerShell cmdlets are also an option to both troubleshoot and configure addressing and name resolution issues. This section provides examples of both.
When you troubleshoot name resolution, you must understand what name resolution methods the computer is using, and in what order the computer uses them. Make sure that you clear the DNS resolver cache between resolution attempts. If you cannot connect to a remote host and suspect a name resolution problem, try the following steps:
1. Open an elevated Command Prompt, and then clear the DNS resolver cache by typing the following command.
ipconfig /flushdns
Alternatively, in a Windows PowerShell console running as Administrator, type the following:
Clear-DNSClientCache
2. Try to ping the remote host by its IP address, or use the Test-Connection Windows PowerShell cmdlet. This helps identify whether the issue is related to name resolution. If the ping succeeds with the IP address but fails with the host name, then the problem is related to name resolution.
3. Try to ping the remote host by its host name. For accuracy, use the FQDN with a trailing period. For example, at the Command Prompt, type the following:
ping lon-dc1.adatum.com
Alternatively, in a Windows PowerShell console, type the following:
Test-Connection LON-DC1.Adatum.com
4. If the ping is successful, then the problem is probably not related to name resolution. If the ping is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry to the end of the file. For example, add the following line and save the file.
172.16.0.10    lon-dc1.adatum.com
Or, you could also use the Test-Connection Windows PowerShell command.
5. Now perform the ping or Test-Connection by host name test again. Name resolution should now be successful. Verify that the name resolved correctly by examining the DNS resolver cache. For example, at the Command Prompt, type the following:
ipconfig /displaydns
Alternatively, in a Windows PowerShell console, type the following:
Get-DNSClientCache
6. Remove the entry that you added to the hosts file, and then clear the resolver cache again.
7. At the Command Prompt, type the following command, and then examine the contents of the filename.txt file to identify the failed stage in name resolution.
nslookup.exe -d2 lon-dc1.adatum.com > C:\filename.txt
Alternatively, in a Windows PowerShell console, type the following:
Resolve-DNSClientName -Name LON-DC1.Adatum.com -verbose
The output from the two commands is very different, but both will give you options for troubleshooting your particular problem. For example, if you examine the Help file for Resolve-DNSClientName, you will find that you can specify the particular name resolution methods that you want to try (LLMNR, NetBIOS, DNS) and specific record types such as A or AAAA. This gives you a more targeted approach in your troubleshooting, whereas the nslookup command performs a series of queries that you then interpret in your troubleshooting approach.
You should understand how to interpret the output from both so that you can identify whether the name resolution problem is with the client computer's configuration, the name server, or the configuration of records within the name server zone database.
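As an added example that is not part of the course, the following function runs the troubleshooting sequence above from Windows PowerShell and then tries each client resolution method on its own, in the order given in the host name resolution process earlier in this lesson. The per-method switches (-CacheOnly, -DnsOnly, -LlmnrOnly, -NetbiosOnly) belong to Resolve-DnsName, the DnsClient module cmdlet on Windows 8 and Windows Server 2012; the name and address are the ones used in the steps above, and the function name is assumed. Run it in a console started as Administrator, because clearing the resolver cache requires elevation.

```powershell
# Added example, not part of the course. Troubleshoots one name: clears the cache,
# pings by address and by name, then isolates each resolution method.
function Test-NameResolution {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$RecordType = 'A'
    )

    # Step 1: clear the DNS resolver cache so a stale entry cannot mask the result.
    Clear-DnsClientCache

    # Steps 2 and 3: reachability by address first, then by name (-Quiet returns a Boolean).
    $byAddress = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet
    $byName    = Test-Connection -ComputerName $Name -Count 2 -Quiet

    # Each method alone, in the order the client tries them. The first one that
    # answers is the one the client would normally have used.
    $methods = [ordered]@{
        'DNS resolver cache' = { Resolve-DnsName -Name $Name -Type $RecordType -CacheOnly   -ErrorAction Stop }
        'DNS server'         = { Resolve-DnsName -Name $Name -Type $RecordType -DnsOnly     -ErrorAction Stop }
        'LLMNR'              = { Resolve-DnsName -Name $Name -Type $RecordType -LlmnrOnly   -ErrorAction Stop }
        'NetBIOS'            = { Resolve-DnsName -Name $Name -Type $RecordType -NetbiosOnly -ErrorAction Stop }
    }

    $results = foreach ($method in $methods.Keys) {
        try {
            $answer    = & $methods[$method]
            $addresses = ($answer | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', '
            [pscustomobject]@{ Method = $method; Result = 'Answered';  Detail = $addresses }
        } catch {
            [pscustomobject]@{ Method = $method; Result = 'No answer'; Detail = $_.Exception.Message }
        }
    }

    $firstHit = $results | Where-Object { $_.Result -eq 'Answered' } | Select-Object -First 1 -ExpandProperty Method

    if ($byName)        { $diagnosis = 'Name resolves and the host is reachable' }
    elseif ($byAddress) { $diagnosis = 'Reachable by address but not by name: a name resolution problem' }
    else                { $diagnosis = 'Not reachable even by address: check connectivity before name resolution' }

    [pscustomobject]@{
        Name            = $Name
        PingByAddress   = $byAddress
        PingByName      = $byName
        AnsweredFirstBy = $firstHit
        Diagnosis       = $diagnosis
        MethodResults   = $results
    }
}

$report = Test-NameResolution -Name 'lon-dc1.adatum.com' -IPAddress '172.16.0.10'
$report | Format-List Name, PingByAddress, PingByName, AnsweredFirstBy, Diagnosis
$report.MethodResults | Format-Table -AutoSize
```

Reading the MethodResults table tells you where to look next: an answer from "DNS server" but none from "DNS resolver cache" is normal right after a flush; an answer only from "NetBIOS" for an FQDN means DNS itself is not answering, which points at the server or its zone data rather than the client.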
Demonstration Steps
1. Stop the DNS service.
2. Test name resolution with ping.exe.
3. Restart the DNS service.
4. Test name resolution again.
5. Use Nslookup.exe to test DNS resolution.
Lab: Implementing TCP/IP
Scenario
The A. Datum Corporation has created a new Research and Development team. As a result, computers are being deployed to new R & D offices. You are tasked with assigning several client computers appropriate IP configurations, but first you must choose a suitable IP addressing scheme for the new branches.
Objectives
After completing this lab, you will be able to:
• Determine an appropriate IPv4 addressing scheme.
• Configure IPv4.
• Verify the IPv4 configuration.
• Configure and test name resolution.
• View the IPv6 configuration.
Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1, 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: ADATUM
5. Repeat steps 2 through 4 for 10967A-LON-SVR1 and 10967A-LON-CL1.
Exercise 1: Determining an Appropriate IPv4 Addressing Scheme
Scenario
You are responsible for planning the installation of new network components for these new branch offices. Ed Meadows, your boss in Information Technology (IT), has visited some of the branch offices and has drawn up a network plan. In addition, you have the Branch Office IP Addressing Scheme document to help you determine an appropriate IP addressing scheme for the branches.
Supporting Documentation
Email thread of correspondence with Ed Meadows
From: Ed Meadows [[email protected]]
Sent: 28 Jun 2013 08:14
To: [email protected]
Subject: New branch offices – IP addressing scheme
Attached: A. Datum Branch IP Addressing.vsd
Charlotte,
I have attached the network diagram for the first three branches. There are around 100 hosts at each branch, all require an IPv4 address. Don’t forget those wide area network links; we’ll need a network address for each of them, too. We’ll be putting a DHCP server at each branch to allocate IP addresses to the local hosts, so each computer must be configured to obtain an IP address dynamically.
Regards,
Ed
A. Datum Branch IP Addressing
Branch Office IP Addressing Scheme
Document Reference Number: CW100310/1
Document Author: Charlotte Weiss
Date: June 28
Requirements Overview
To design an IPv4 addressing scheme for the A. Datum Corporation R & D branch offices.
Additional Information
• One router connects the three branches back to the head office.
• There are three wide area network (WAN) links.
Branch Office IP Addressing Scheme
• There are three branches, each of which can be configured as a single subnet.
• The network address 172.16.0.0/16 is allocated to the branch offices, whereas the head office uses 10.10.0.0/16.
Proposal
1. How many network addresses do you need to support these requirements?
2. What class address is 172.16.0.0/16?
3. Is this a private or public address?
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
6. What would the subnet mask be for hosts in this subnet?
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will implement in the branches; do not worry about the WAN links.
The main tasks for this exercise are as follows:
1. Read the supporting documentation
2. Update the proposal document with your planned steps
Task 1: Read the supporting documentation
1. Review the supporting email documentation.
2. Review the A. Datum Branch IP Addressing diagram.
Task 2: Update the proposal document with your planned steps
Review the Branch Office IP Addressing Scheme, and update the proposal by answering these questions.
1. How many network addresses do you need to support these requirements?
2. What class address is 172.16.0.0/16?
3. Is this a private or public address?
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
6. What would the subnet mask be for hosts in this subnet?
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will implement in the branches; do not worry about the WAN links.
Results: After this exercise, you should have completed both the A. Datum Branch IP Addressing.vsd diagram and the Branch Office IP Addressing Scheme document.
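As an added example that is not part of the course, the following is a general IPv4 subnet calculator for the kind of questions the proposal asks: address class, whether the range is private, subnet mask, first and last host, broadcast, and the next subnet of the same size. It is applied to the block Ed allocated, 172.16.16.0/20, and then walks forward to produce blocks for the remaining branches. The function names are assumed; the arithmetic is plain prefix-length math and works for any /1 to /30 block.

```powershell
# Added example, not part of the course. IPv4 subnet arithmetic on 64-bit
# integers so the calculation is explicit rather than hidden in a library.
function ConvertFrom-DottedQuad {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long]$value = 0
    foreach ($b in $bytes) { $value = ($value * 256) + $b }   # big-endian: first octet is most significant
    $value
}

function ConvertTo-DottedQuad {
    param([long]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { [int](($Value -shr $shift) -band 255) }
    $octets -join '.'
}

function Get-SubnetPlan {
    param([Parameter(Mandatory)][string]$Cidr)   # e.g. 172.16.16.0/20

    $addressText, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 1 -or $prefix -gt 30) { throw "Prefix length /$prefix leaves no usable host range" }

    $address   = ConvertFrom-DottedQuad $addressText
    $blockSize = [long][math]::Pow(2, 32 - $prefix)   # addresses per subnet; usable hosts = blockSize - 2
    $mask      = 4294967296 - $blockSize               # the top $prefix bits set
    $network   = $address - ($address % $blockSize)    # clear the host bits
    $broadcast = $network + $blockSize - 1

    # Class is decided by the leading bits of the first octet.
    $firstOctet  = [int](($network -shr 24) -band 255)
    $secondOctet = [int](($network -shr 16) -band 255)
    $class = if ($firstOctet -lt 128) { 'A' } elseif ($firstOctet -lt 192) { 'B' } elseif ($firstOctet -lt 224) { 'C' } elseif ($firstOctet -lt 240) { 'D' } else { 'E' }

    # RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
    $isPrivate = ($firstOctet -eq 10) -or
                 ($firstOctet -eq 172 -and $secondOctet -ge 16 -and $secondOctet -le 31) -or
                 ($firstOctet -eq 192 -and $secondOctet -eq 168)

    [pscustomobject]@{
        Network     = "$(ConvertTo-DottedQuad $network)/$prefix"
        Class       = $class
        IsPrivate   = $isPrivate
        SubnetMask  = ConvertTo-DottedQuad $mask
        FirstHost   = ConvertTo-DottedQuad ($network + 1)
        LastHost    = ConvertTo-DottedQuad ($broadcast - 1)
        Broadcast   = ConvertTo-DottedQuad $broadcast
        UsableHosts = $blockSize - 2
        NextSubnet  = "$(ConvertTo-DottedQuad ($network + $blockSize))/$prefix"
    }
}

# The first branch block from the scenario, then consecutive blocks of the same size.
$branch = Get-SubnetPlan -Cidr '172.16.16.0/20'
$branch
for ($i = 2; $i -le 3; $i++) {
    $branch = Get-SubnetPlan -Cidr $branch.NextSubnet
    "Branch ${i}: $($branch.Network)"
}
```

Checking the UsableHosts value against the roughly 100 hosts per branch from Ed's email shows how much room a /20 leaves; the same function run on a /25 or /26 shows the smallest block that would still fit.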
Exercise 2: Configuring IPv4 with Windows Server 2012
Scenario
While your addressing scheme for the branches is being considered, Ed has asked you to configure a new DHCP server for the head office. The main tasks for this exercise are as follows:
1. Configure a Dynamic Host Configuration Protocol scope
2. Configure the client computer to obtain an IP address dynamically
3. Verify that the client computer obtained an address
4. Determine the IP address on the client computer
Task 1: Configure a Dynamic Host Configuration Protocol scope
1. Ensure you are logged on to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Open DHCP from Server Manager.
3. Use the New Scope Wizard to create a new IPv4 address scope with the following parameters. Use the default settings for all the other values.
o Scope name: Head Office 1
o Scope description: Client computer addresses
o Start IP address: 172.16.0.20
o End IP address: 172.16.0.30
o Length: 16
o Subnet mask: 255.255.0.0
o Router address: 172.16.0.1
4. Activate the new scope.
5. Complete the New Scope Wizard.
6. Expand the Scope [172.16.0.0] Head Office 1.
7. How many Address Leases have been used?
Task 2: Configure the client computer to obtain an IP address dynamically
1. Switch to the 10967A-LON-CL1 virtual machine and ensure you are logged on as ADATUM\Administrator with the password Pa$$w0rd.
2. Open the Local Area Connection Properties dialog box.
3. Change the Internet Protocol Version 4 (TCP/IPv4) properties:
o Obtain an IP address automatically.
o Obtain DNS server address automatically.
Task 3: Verify that the client computer obtained an address
1. Switch back to the 10967A-LON-SVR1 virtual machine.
2. Refresh the DHCP settings.
3. Verify that there is a new lease for LON-CL1.
4. What is the IP address for LON-CL1?
Task 4: Determine the IP address on the client computer 1.
Switch back to 10967A-LON-CL1.
2.
Open a Command Prompt.
3.
At the Command Prompt, type the following command, and then press Enter. ipconfig /all
4.
What is the current IPv4 address?
5.
Is DHCP enabled?
6.
What is the IP address of the DHCP server?
7.
When does the DHCP Lease expire?
Results: After this exercise, you should have created a DHCP scope and allocated a client address.
Exercise 3: Verifying the IPv4 Configuration
Scenario
Ed has asked you to verify the functionality of the DHCP server. The main tasks for this exercise are as follows:
1. Stop the DHCP server
2. Try to renew the IPv4 address on the client computer
3. Start the DHCP server
4. Renew the client address and verify IPv4
Task 1: Stop the DHCP server
1. Switch to the LON-SVR1 computer.
2. Stop the DHCP service.
3. Verify that there is now an error shown in the DHCP Management console, stating Cannot find the DHCP Server.
Task 2: Try to renew the IPv4 address on the client computer
1. Switch to the 10967A-LON-CL1 computer and switch to the Command Prompt.
2. Release the IP address using ipconfig.
3. Renew the IP address using ipconfig.
4. This might take several minutes while the client computer tries to contact a DHCP server.
5. Notice the time-out error.
6. Use IPConfig to answer the following questions.
7. What IPv4 address was assigned?
8. What does the IP address signify?
9. Use ping to verify a connection to LON-SVR1.
10. You are not successful.
Task 3: Start the DHCP server
1. Switch back to 10967A-LON-SVR1.
2. Start the DHCP service.
Task 4: Renew the client address and verify IPv4
1. Switch back to 10967A-LON-CL1.
2. Renew the IP address using IPConfig.
3. Answer the following questions.
4. What IPv4 address was assigned?
5. What does the IP address signify?
6. Use ping to verify a connection to LON-SVR1.
7. You are successful.
Results: After this exercise, you should have successfully verified the functionality of the DHCP server in the head office.
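The scope creation in Exercise 2 and the lease and fallback checks in Exercises 2 and 3 can also be done from Windows PowerShell. The script below is an added example, not part of the course lab. It assumes the DhcpServer module that ships with the DHCP Server role on Windows Server 2012 (server part run on LON-SVR1) and a Windows Server 2012 or Windows 8 client for the client part (run on LON-CL1). The Head Office 1 values are the lab's; the DNS server address 172.16.0.10 is taken from Exercise 4.

```powershell
# Added example (not part of the course lab). Server side: create and verify the
# Head Office 1 scope from Exercise 2 with the DhcpServer module (installed with the
# DHCP Server role on Windows Server 2012). Run on LON-SVR1 as a DHCP administrator.
Import-Module DhcpServer

$scopeId = '172.16.0.0'

# Create the scope with the lab's parameters; keep it inactive until its options are set,
# so no client can obtain a lease that lacks a router or DNS server.
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Head Office 1' `
                          -Description 'Client computer addresses' `
                          -StartRange 172.16.0.20 -EndRange 172.16.0.30 `
                          -SubnetMask 255.255.0.0 -State InActive
}
# Option 3 (router) from the lab; option 6 (DNS server) is LON-DC1's address from Exercise 4.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 172.16.0.1 -DnsServer 172.16.0.10
Set-DhcpServerv4Scope -ScopeId $scopeId -State Active

# Lease usage for any scope: answers the "How many Address Leases" question and lists each lease.
function Get-ScopeLeaseReport {
    param([string]$ScopeId)
    $stats = Get-DhcpServerv4ScopeStatistics -ScopeId $ScopeId
    [pscustomobject]@{
        ScopeId = $ScopeId
        InUse   = $stats.InUse
        Free    = $stats.Free
        Leases  = Get-DhcpServerv4Lease -ScopeId $ScopeId |
                  Select-Object IPAddress, HostName, ClientId, AddressState, LeaseExpiryTime
    }
}
Get-ScopeLeaseReport -ScopeId $scopeId | Format-List

# Client side (run on LON-CL1): the same facts ipconfig /all shows in Exercise 2 Task 4,
# plus a verdict that separates a real DHCP lease from the 169.254.0.0/16 APIPA fallback
# seen in Exercise 3 when no DHCP server answers.
function Get-DhcpClientState {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $ipv4 = @($_.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
        $state = if (-not $_.DHCPEnabled)         { 'Static' }
                 elseif ($ipv4 -like '169.254.*') { 'APIPA (no DHCP server reachable)' }
                 elseif ($_.DHCPServer)           { 'DHCP lease' }
                 else                             { 'DHCP enabled, no lease' }
        [pscustomobject]@{
            Adapter      = $_.Description
            IPv4Address  = $ipv4
            DhcpEnabled  = $_.DHCPEnabled
            DhcpServer   = $_.DHCPServer
            LeaseExpires = $_.DHCPLeaseExpires
            State        = $state
        }
    }
}
Get-DhcpClientState | Format-List
```

The APIPA check is the useful part for troubleshooting: a client showing 169.254.x.x with DHCP enabled has given up waiting for a server, which is exactly the state Exercise 3 produces by stopping the DHCP service.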
Exercise 4: Configuring and Testing Name Resolution
Scenario
Your manager has also asked you to verify that DNS is configured correctly and is functioning as expected, and to create a canonical name (CNAME) record for the World Wide Web service on the domain, because different services, such as FTP and WWW, are expected to run under the domain name. The main tasks for this exercise are as follows:
1. View the current DNS records
2. Force a dynamic update
3. Add a new DNS record
4. Verify a record
Task 1: View the current DNS records
1. Switch to 10967A-LON-DC1 and ensure you are signed in as ADATUM\Administrator with the password Pa$$w0rd.
2. Open DNS Manager from Server Manager.
3. What is the current IP address of the LON-CL1 Host (A) record in the Adatum.com forward lookup zone?
Task 2: Force a dynamic update
1. Switch to LON-CL1.
2. Change the Internet Protocol Version 4 (TCP/IPv4) properties:
   • IP address: 172.16.0.16
   • Subnet mask: 255.255.0.0
   • Default gateway: 172.16.0.1
   • Preferred DNS server: 172.16.0.10
3. Switch to LON-DC1.
4. Refresh the DNS Manager display.
5. What is the current IP address listed against the LON-CL1 Host (A) record?
Task 3: Add a new DNS record
1. On the 10967A-LON-CL1 virtual machine, open a Command Prompt.
2. Find a switch to use with the IPConfig command-line tool to display DNS information.
3. What records are listed?
4. Switch to 10967A-LON-SVR1 and find a Windows PowerShell cmdlet to display DNS information.
5. Use the Windows PowerShell cmdlet Test-Connection to test the connection to www.adatum.com.
6. Switch to the 10967A-LON-CL1 virtual machine.
7. Use ping to connect to www.adatum.com.
8. Again, you are not successful.
9. Switch to 10967A-LON-DC1.
10. In DNS Manager, create a new record:
   • Type: New Alias (CNAME)
   • Alias name (uses parent domain if left blank): www
   • FQDN for target host: lon-dc1.adatum.com
Task 4: Verify a record
1. Switch to 10967A-LON-CL1.
2. Use ping to connect to www.adatum.com.
   Note: Depending on your client cache, you may or may not be successful at this point. If you are not successful, continue with the next step, Step 3. If you are successful, you can skip ahead to Step 7.
3. You are not successful.
4. Use IPConfig to flush the DNS cache (flushdns).
5. Use ping to connect to www.adatum.com.
6. You are successful.
7. Use IPConfig to display DNS information (displaydns).
8. What record is returned for www.adatum.com?
9. Switch to 10967A-LON-SVR1.
10. Identify a Windows PowerShell cmdlet that will clear the DNS cache, and use that cmdlet to clear the client DNS cache.
11. Use the Test-Connection cmdlet to verify the connection to www.adatum.com.
12. Run Get-DNSClientCache to verify the www.adatum.com record type.
Results: After this exercise, you should have successfully verified that DNS is functioning correctly and added a new DNS CNAME record for www.Adatum.com.
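Tasks 3 and 4 above add the www alias in DNS Manager and then flush and inspect the client resolver cache. The following is an added example, not the course's own steps, doing the same with the DnsServer and DnsClient cmdlets of Windows Server 2012. It assumes the DnsServer module on LON-DC1, the Adatum.com zone and the www to lon-dc1.adatum.com alias from Task 3, and that the verification function runs on a domain client such as LON-CL1 or LON-SVR1.

```powershell
# Added example (not the course's own steps). Server side, run on LON-DC1 with the DNS Server role:
# add the www CNAME from Exercise 4 Task 3, refusing to create it next to a record of another type
# (a CNAME must be the only record for its name, so such a clash would be a configuration error).
Import-Module DnsServer

$zone   = 'Adatum.com'
$alias  = 'www'
$target = 'lon-dc1.adatum.com'

$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $target
} elseif ($existing.RecordType -ne 'CNAME') {
    throw "A $($existing.RecordType) record named '$alias' already exists in $zone; a CNAME cannot coexist with it."
}

# Client side, run on LON-CL1 or LON-SVR1: the Task 4 sequence (flush cache, resolve, ping, inspect
# cache) with DnsClient cmdlets. Clearing the cache first is the point the lab's note makes: a stale
# negative answer would otherwise make a correct record look broken.
function Test-CNameResolution {
    param([string]$Name, [string]$ExpectedTarget)
    Clear-DnsClientCache
    $answers = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop
    $cname   = $answers | Where-Object { $_.Type -eq 'CNAME' }
    [pscustomobject]@{
        Name         = $Name
        Resolved     = [bool]$cname
        Target       = $cname.NameHost
        Expected     = $ExpectedTarget
        Matches      = [bool]($cname -and ($cname.NameHost -ieq $ExpectedTarget))
        Reachable    = Test-Connection -ComputerName $Name -Count 1 -Quiet
        CacheEntries = @(Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue).Count
    }
}
Test-CNameResolution -Name 'www.adatum.com' -ExpectedTarget 'lon-dc1.adatum.com' | Format-List
```

A Matches value of False with Resolved True means the alias exists but points somewhere other than the planned host, which is worth checking whenever a CNAME is changed: clients follow the alias wherever it points.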
Exercise 5: Viewing the IPv6 Configuration
Scenario
A. Datum is currently not planning to implement IPv6, but Ed wants to know what the current IPv6 addresses are. You will use IPConfig to determine what IPv6 addresses are being used. The main tasks for this exercise are as follows:
1. Determine the current IPv6 address
2. Revert the lab machines
Task 1: Determine the current IPv6 address
1. On 10967A-LON-CL1, use IPConfig to view all the IP configuration information.
2. Is there an IPv6 address listed?
3. What kind of IPv6 address is it?
4. Switch to 10967A-LON-SVR1.
5. Find a Windows PowerShell cmdlet that you can use to identify the IPv6 address, and determine the IPv6 address.
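Step 5 asks you to find the cmdlet that lists the IPv6 address; the following is an added example, not part of the course, that uses Get-NetIPAddress (available on Windows Server 2012 and Windows 8) and classifies each IPv6 address by its prefix, so that "What kind of IPv6 address is it?" is answered for every address on the host. The classification function is this example's own and goes beyond the lab's single link-local case: on a network that has not deployed IPv6, a global, Teredo or 6to4 address appearing on a server is a sign of an unplanned path that should be investigated.

```powershell
# Added example (not from the course): classify every IPv6 address on the host, as Exercise 5 asks,
# using the NetTCPIP cmdlet Get-NetIPAddress. Prefix checks follow the well-known IPv6 ranges.
function Get-IPv6AddressKind {
    param([Parameter(Mandatory)][string]$Address)
    # Drop any zone index (fe80::1%12) and parse, so the checks run on the raw 16 bytes.
    $ip = [System.Net.IPAddress]::Parse(($Address -split '%')[0])
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $b = $ip.GetAddressBytes()
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback))     { return 'Loopback (::1)' }
    if ($ip.Equals([System.Net.IPAddress]::IPv6Any))          { return 'Unspecified (::)' }
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80)      { return 'Link-local (fe80::/10)' }
    if (($b[0] -band 0xfe) -eq 0xfc)                          { return 'Unique local (fc00::/7)' }
    if ($b[0] -eq 0xff)                                       { return 'Multicast (ff00::/8)' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { return 'Teredo (2001::/32)' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02)                   { return '6to4 (2002::/16)' }
    if (($b[0] -band 0xe0) -eq 0x20)                          { return 'Global unicast (2000::/3)' }
    return 'Other'
}

function Get-HostIPv6Summary {
    Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object {
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Address   = $_.IPAddress
            Prefix    = $_.PrefixLength
            Kind      = Get-IPv6AddressKind -Address $_.IPAddress
            Origin    = "$($_.PrefixOrigin)/$($_.SuffixOrigin)"   # e.g. WellKnown/Link for a link-local address
        }
    }
}

Get-HostIPv6Summary | Format-Table -AutoSize
# A host whose only entries are Link-local (plus loopback) has no routable IPv6 configuration.
```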
Task 2: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.
Results: After this exercise, you should have determined that the local host has only a link-local IPv6 address.
Question: In the lab, you were tasked with providing an addressing scheme that would accommodate 100 hosts per subnet. Ed provided the first subnet ID of 172.16.16.0/20. How many hosts could be accommodated within this subnet?
Question: The subnet might grow. If you had to accommodate 100 addresses, what would you recommend as the subnet mask?
Question: What would the first subnet address be?
Module Review and Takeaways
Review Questions
Question: NetBIOS operates at which layer of the OSI reference model?
Question: Which transport layer protocol provides for connectionless delivery in IP-based networks?
Question: Your host computer was assigned the following IPv4 configuration: 10.10.16.1/20. The default gateway is 10.10.8.1. You are experiencing communications problems. Why?
Question: You do not want to implement WINS in the network. However, you do have some legacy applications that require short name resolution. How could you manage short names within your existing DNS infrastructure?
Question: You are troubleshooting DNS name resolution from a client computer. What must you remember to do before each test?
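The lab questions and the review question about a default gateway all come down to the same subnet arithmetic: mask the address with the prefix, count host bits, and compare network parts. The following is an added example, not from the course, that carries that arithmetic out in Windows PowerShell. The 172.16.16.0/20 subnet and the 100-host requirement are the lab's; the host and gateway used in the last call (192.0.2.130/25 and 192.0.2.1) are constructed values, chosen so that the gateway is off-subnet, which is the misconfiguration the review question describes.

```powershell
# Added example (not from the course): IPv4 subnet arithmetic in plain PowerShell, using [long]
# throughout so that masks and broadcast addresses never overflow a signed 32-bit integer.
function ConvertTo-AddressInt {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$Address is not an IPv4 address" }
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}
function ConvertFrom-AddressInt {
    param([long]$Value)
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}
function Get-SubnetInfo {
    param([string]$Network, [int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw 'PrefixLength must be between 0 and 32' }
    $all   = [long]4294967295                                    # 0xFFFFFFFF as a positive long
    $mask  = if ($PrefixLength -eq 0) { [long]0 } else { ($all -shl (32 - $PrefixLength)) -band $all }
    $net   = (ConvertTo-AddressInt $Network) -band $mask        # zero the host bits
    $bcast = $net -bor ($all -bxor $mask)                       # set the host bits
    $hostBits = 32 - $PrefixLength
    # Network and broadcast addresses are not assignable, hence the minus 2; /31 and /32 have no host range here.
    $usable = if ($hostBits -ge 2) { [long][math]::Pow(2, $hostBits) - 2 } else { [long]0 }
    [pscustomobject]@{
        Network      = ConvertFrom-AddressInt $net
        PrefixLength = $PrefixLength
        SubnetMask   = ConvertFrom-AddressInt $mask
        FirstHost    = ConvertFrom-AddressInt ($net + 1)
        LastHost     = ConvertFrom-AddressInt ($bcast - 1)
        Broadcast    = ConvertFrom-AddressInt $bcast
        UsableHosts  = $usable
        NextSubnet   = ConvertFrom-AddressInt (($bcast + 1) -band $all)
    }
}
# A gateway must share the host's network part; otherwise the host has no route to it.
function Test-SameSubnet {
    param([string]$HostAddress, [int]$PrefixLength, [string]$Gateway)
    $mask = ConvertTo-AddressInt (Get-SubnetInfo -Network $HostAddress -PrefixLength $PrefixLength).SubnetMask
    ((ConvertTo-AddressInt $HostAddress) -band $mask) -eq ((ConvertTo-AddressInt $Gateway) -band $mask)
}
# Largest prefix (smallest subnet) whose usable host count still fits the requirement.
function Get-SmallestPrefixForHosts {
    param([int]$Hosts)
    for ($p = 30; $p -ge 0; $p--) { if ([math]::Pow(2, 32 - $p) - 2 -ge $Hosts) { return $p } }
}

Get-SubnetInfo -Network 172.16.16.0 -PrefixLength 20                               # the lab's first subnet
Get-SmallestPrefixForHosts -Hosts 100                                               # prefix that fits 100 hosts
Test-SameSubnet -HostAddress 192.0.2.130 -PrefixLength 25 -Gateway 192.0.2.1        # constructed values: False
```

Run Test-SameSubnet against a host's actual address, prefix and gateway (Get-NetIPConfiguration shows all three) to confirm or rule out the off-subnet-gateway cause before looking elsewhere.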
Tools
Tool | Use | Where to find it
Ipconfig.exe | Verifying and testing IP configuration. | Command Prompt
Nslookup.exe | Troubleshooting DNS. | Command Prompt
Ping.exe | Verifying basic IP functionality and that another computer is contactable. | Command Prompt
Netsh.exe | Configuring network settings, including IP settings, from the command line. | Command Prompt
Test-Connection | Functionality similar to ping. You can ping multiple computers concurrently by using Test-Connection. | Windows PowerShell
Resolve DNS-Cache | Type help *DNS* in the Windows PowerShell console to see a list of Windows PowerShell commands that might help when troubleshooting or configuring DNS. | Windows PowerShell
Get-NetIPAddress | Similar to a subset of the functionality in the older IPConfig command. | Windows PowerShell
Get-NetIPConfiguration | Similar to a subset of the functionality in the older IPConfig command. As described earlier, type help *NET* in the Windows PowerShell console to see a list of Windows PowerShell commands that might help when troubleshooting or configuring DNS. | Windows PowerShell
Module 6
Windows Server Roles
Contents:
Module Overview 6-1
Lesson 1: Role-Based Deployment 6-2
Lesson 2: Deploying Role-Specific Servers 6-11
Lesson 3: Considerations for Provisioning Roles 6-19
Lab: Implementing Server Roles 6-23
Module Review and Takeaways 6-28
Module Overview
Servers perform many functions. In the past, these functions were combined into a monolithic operating system: each server was loaded with all the software necessary to perform every server function, regardless of the functions it actually performed. Starting with Windows Server® 2008, the operating system's server functions are separated into distinct server roles. By default, a server has no enabled roles. It is more efficient to select the particular server roles you want based on the functional requirements of the server. You must understand the functional requirements of a server, and then select and deploy the appropriate server roles to support them.
Objectives
After completing this module, you will be able to:
• Describe role-based deployment.
• Deploy role-specific servers.
• Describe deployment options for server roles.
Lesson 1
Role-Based Deployment
This lesson will help you understand server roles and features so that you can install and support the Windows Server components your organization needs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe each server role.
• Describe role services and server features.
• Describe Server Manager and how it can be used.
What Is a Server Role?
Server roles in Windows Server 2012 describe a server's primary function. For example, a server role might be an Active Directory® Domain Services (AD DS) domain controller or a web server. You can choose to install one or many roles in a Windows Server 2012 environment. You can use the Add Roles And Features Wizard and the Remove Roles And Features Wizard from the Manage menu in Server Manager to install and remove server roles in Windows Server 2012. Windows Server 2012 has nineteen roles. These are listed in the following table.
Role | Function
Active Directory Certificate Services (AD CS) | Allows you to deploy certification authorities and related role services.
Active Directory Domain Services (AD DS) | A centralized store of information about network objects, such as user and computer accounts. Used for authentication and authorization.
Active Directory Federation Services (AD FS) | Provides web single sign-on (SSO) and secured identity federation support.
Active Directory Lightweight Directory Services (AD LDS) | Supports storage of application-specific data for directory-aware applications that do not require the full infrastructure of AD DS.
Active Directory Rights Management Services (AD RMS) | Allows you to apply rights management policies to prevent unauthorized access to sensitive documents.
Application Server | Supports centralized management and hosting of high-performance distributed business applications, such as those built with Microsoft® .NET Framework 4.5.
Dynamic Host Configuration Protocol (DHCP) Server | Provisions client computers on the network with an IP address.
Domain Name Service (DNS) Server | Provides name resolution for TCP/IP networks.
Fax Server | Supports sending and receiving of faxes. Also allows you to manage fax resources on the network.
File and Storage Services | Supports the management of shared folder storage, distributed file system (DFS), and network storage.
Hyper-V® | Enables you to host virtual machines on computers that are running Windows Server 2012.
Network Policy and Access Services | Authorization infrastructure for remote connections. This includes Health Registration Authority (HRA) for Network Access Protection (NAP).
Print and Document Services | Supports centralized management of document tasks, including network scanners and networked printers.
Remote Access | Supports Seamless Connectivity, Always On, and Always Managed features based on the Windows® 7 DirectAccess feature. Also supports remote access through virtual private network (VPN) and dial-up connections.
Remote Desktop Services (RDS) | Supports access to virtual desktops, session-based desktops, and RemoteApp programs.
Volume Activation Services | Allows you to automate and simplify the management of volume license keys and volume key activation. Allows you to manage a Key Management Server (KMS) host or configure AD DS–based activation for computers that are members of the domain.
Web Server (IIS) | The Windows Server 2012 web server component.
Windows Deployment Services | Allows you to deploy server operating systems to clients over the network.
Windows Server Update Services (WSUS) | Provides a method of deploying updates for Microsoft products to network computers.
When you deploy a role, Windows Server 2012 automatically configures aspects of the server's configuration, such as firewall settings, to support the role. Also, when you deploy a role, Windows Server 2012 automatically deploys role dependencies at the same time. For example, when you install the Windows Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components that are required to support it. Many server roles also have role services. Role services are software programs that provide various functionalities of a role. When you install a role, you can select which role services the role provides for other users and computers in your enterprise. Some roles, such as Domain Name System (DNS) Server, have only a single function, and have no role services. Other roles, such as Web Server (IIS), have several role services, such as File Transfer Protocol (FTP), that can be installed.
Role services let you control which role functionality is installed and enabled. This is useful where you only require a subset of the functionality of a given server role. Windows PowerShell® can also be used to add and remove roles. The following table lists some commands that might be useful.
Windows PowerShell Command / Description
Get-WindowsFeature | Where InstallState -eq Installed
    Displays the installed roles.
Get-WindowsFeature | Where InstallState -eq Available
    Displays the roles that are not installed but are available to install.
Get-WindowsFeature | Where InstallState -eq Removed
    Displays the roles that are not available, for example, roles that cannot be installed on Server Core.
More information about Windows Server 2012 server roles and technologies can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309111
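The Get-WindowsFeature filters above are the starting point for checking that a server carries only the roles its function requires. The script below is an added example, not from the course, that builds an audit on them with the ServerManager module of Windows Server 2012: it lists installed roles, role services and features, flags entries on a watch list of network-facing or legacy components, shows what removing them would do with -WhatIf, and writes a dated baseline for comparison on later runs. The watch list and its reasons are this example's own choices; the feature Names in it are the ones used by Get-WindowsFeature on Windows Server 2012 as far as the author knows and should be confirmed on your build.

```powershell
# Added example (not from the course): audit installed roles and features with Get-WindowsFeature
# so that a server carries only what its function requires. Run in an elevated session.
Import-Module ServerManager

# Watch list (assumed Get-WindowsFeature Names; verify with Get-WindowsFeature on your build).
# The reasons are this example's, not Microsoft's guidance.
$watchList = @{
    'Telnet-Server'  = 'cleartext remote shell; prefer Windows PowerShell remoting'
    'Telnet-Client'  = 'cleartext client; rarely needed on a server'
    'TFTP-Client'    = 'unauthenticated file transfer client'
    'SMTP-Server'    = 'mail relay surface; verify relay restrictions'
    'SNMP-Service'   = 'legacy management protocol; verify community strings and allowed managers'
    'Simple-TCPIP'   = 'Echo, Chargen and Quote of the Day listeners; rarely needed'
    'Web-Ftp-Server' = 'FTP role service; confirm it is required and uses FTPS'
    'PNRP'           = 'peer name resolution; unusual on a server'
}

function Get-InstalledFeatureAudit {
    $installed = Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Installed' }
    foreach ($f in $installed) {
        [pscustomobject]@{
            Name        = $f.Name
            DisplayName = $f.DisplayName
            Type        = $f.FeatureType        # Role, Role Service or Feature
            Parent      = $f.Parent
            Flag        = if ($watchList.ContainsKey($f.Name)) { $watchList[$f.Name] } else { '' }
        }
    }
}

$audit   = @(Get-InstalledFeatureAudit)
$flagged = @($audit | Where-Object { $_.Flag })
"Installed components: $($audit.Count); on the watch list: $($flagged.Count)"
$flagged | Format-Table Name, Type, Flag -AutoSize

# Preview only: show what removing the flagged components would do, without changing the server.
if ($flagged.Count -gt 0) {
    Uninstall-WindowsFeature -Name ($flagged | Select-Object -ExpandProperty Name) -WhatIf
}

# Dated baseline so that drift (a role installed since the last audit) shows up on a later run.
$baseline = Join-Path $env:TEMP ("feature-baseline-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
$audit | Export-Csv -Path $baseline -NoTypeInformation
"Baseline written to $baseline"
```

Compare two baselines with Compare-Object on the Name column to see what changed between audits; a role that appears without a change record is the kind of drift this audit is meant to surface.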
What Are Features?
A feature typically does not describe the server's primary function. Instead, it describes a server's auxiliary or supporting function. An administrator typically installs a feature not as the primary function of the server, but to augment the functionality of an installed role. For example, failover clustering is a feature that administrators can install to make a role like File and Storage Services more redundant. Specific Microsoft Windows features are required for specific roles. For example, if you add the Application Server role, the Add Roles and Features Wizard asks for your confirmation to install the .NET Framework and the Windows Process Activation Service, because these features are required to support that role. Windows Server 2012 features are independent components that frequently support role services or support the server directly. For example, Windows Server Backup is a feature because it only provides backup support for the local server. It is not a resource that other servers on the network can use. Windows Server 2012 includes the features that are listed in the following table.
Feature | Description
.NET Framework 3.5 Features | Installs .NET Framework 3.5 technologies.
.NET Framework 4.5 Features | Installs .NET Framework 4.5 technologies. By default, this feature is installed.
Background Intelligent Transfer Service (BITS) | Enables asynchronous transfer of files to make sure that other network applications are not adversely affected.
BitLocker® Drive Encryption | Supports full-disk and full-volume encryption, and startup environment protection.
BitLocker Network Unlock | Provides a network-based key protector that can unlock locked BitLocker-protected domain-joined operating systems.
Windows BranchCache® | Enables the server to function as either a hosted cache server or a BranchCache content server for BranchCache clients.
Client for NFS | Provides access to files that are stored on network file system (NFS) servers.
Data Center Bridging | Allows you to enforce bandwidth allocation on Converged Network Adapters.
Enhanced Storage | Provides support for additional functionality available in an Enhanced Storage Access (IEEE 1667 protocol) device, including data access restrictions.
Failover Clustering | A high availability feature that enables Windows Server 2012 to participate in failover clustering.
Group Policy Management | An administrative management tool for administering Group Policy across an enterprise.
Ink and Handwriting Services | Allows use of Ink Support and Handwriting Recognition.
Internet Printing Client | Supports use of Internet Printing Protocol.
IP Address Management (IPAM) Server | Centralized management of IP address and namespace infrastructure.
Internet SCSI (iSCSI) Target Storage Provider | Provides iSCSI target and disk management services to Windows Server 2012.
Internet Storage Name Service (iSNS) Server service | Supports discovery services of iSCSI storage area networks (SANs).
Line Printer Remote (LPR) Port Monitor | Enables a computer to send print jobs to printers that are shared using the Line Printer Daemon (LPD) service.
Management Open Data Protocol (OData) IIS Extension | Allows you to expose Windows PowerShell cmdlets through an OData-based web service running on the Internet Information Services (IIS) platform.
Media Foundation | Supports media file infrastructure.
Message Queuing | Supports message delivery between applications.
Multipath I/O (MPIO) | Supports multiple data paths to storage devices.
Network Load Balancing (NLB) | Allows traffic to be distributed in a load-balanced manner across multiple servers that host the same stateless application.
Peer Name Resolution Protocol (PNRP) | Name resolution protocol that allows applications to resolve names on the computer.
Quality Windows Audio Video Experience | Supports audio and video streaming applications on IP home networks.
Remote Access Server (RAS) Connection Manager Administration Kit | Allows you to create connection manager profiles that simplify remote access configuration deployment to client computers.
Remote Assistance | Allows remote support through invitations.
Remote Differential Compression (RDC) | Transfers the differences between files over a network, minimizing bandwidth use.
Remote Server Administration Tools | Collection of consoles and tools for remotely managing roles and features on other servers.
Remote Procedure Call (RPC) over HTTP Proxy | Relays RPC traffic over Hypertext Transfer Protocol (HTTP) as an alternative to VPN connections.
Simple TCP/IP Services | Supports basic TCP/IP services, including Quote of the Day.
Simple Mail Transfer Protocol (SMTP) Server | Supports transfer of email messages.
Simple Network Management Protocol (SNMP) Service | Includes SNMP agents that are used with the network management services.
Subsystem for UNIX-based Applications | Supports Portable Operating System Interface for UNIX (POSIX)–compliant UNIX-based applications.
Telnet Client | Allows outgoing connections to Telnet servers and other Transmission Control Protocol (TCP)–based services.
Telnet Server | Allows clients to connect to the server by using the Telnet protocol.
Trivial File Transfer Protocol (TFTP) Client | Allows you to access TFTP servers.
User Interfaces and Infrastructure | Contains the components that you must have to support the graphical interface installation option on Windows Server 2012. By default, on graphical installations, this feature is installed.
Windows Biometric Framework (WBF) | Allows use of fingerprint devices for authentication.
Windows Feedback Forwarder | Supports sending of feedback to Microsoft when joining a Customer Experience Improvement Program (CEIP).
Windows Identity Foundation 3.5 | Set of .NET Framework classes that support implementing claims-based identity on .NET Framework applications.
Windows Internal Database | Relational data store that can only be used by Windows roles and features such as WSUS.
Windows PowerShell | Task-based command-line shell and scripting language that is used to administer computers that are running Windows operating systems. By default, this feature is installed.
Windows PowerShell Web Access | Allows remote management of computers by running Windows PowerShell sessions in a web browser.
Windows Process Activation Service (WAS) | Allows applications hosting Windows Communication Foundation (WCF) services that do not use HTTP protocols to use features of IIS.
Windows Search Service | Allows fast searches of files hosted on a server for clients compatible with the Windows Search service.
Windows Server Backup | Backup and recovery software for Windows Server 2012.
Windows Server Migration Tools | Collection of Windows PowerShell cmdlets that help in the migration of server roles, operating system settings, files, and shares from computers that are running earlier versions of Windows Server operating systems to Windows Server 2012.
Windows Standards-Based Storage Management | Set of application programming interfaces (APIs) that allow the discovery, management, and monitoring of storage devices that use standards such as Storage Management Initiative Specification (SMI-S).
Windows System Resource Manager (WSRM) | Allows you to control the allocation of CPU and memory resources.
Windows TIFF IFilter | Supports Optical Character Recognition on Tagged Image File Format (TIFF) 6.0-compliant files.
WinRM IIS Extension | Windows Remote Management for IIS.
Windows Internet Naming Service (WINS) Server | Supports name resolution for NetBIOS names.
Wireless Local Area Network (LAN) Service | Allows the server to use a wireless network interface.
Windows on Windows (WOW) 64 Support | Supports running 32-bit applications on Server Core installations. By default, this feature is installed.
XPS Viewer | Supports the viewing and signing of documents in XPS formats.
Features on Demand
With Features on Demand, you can add and remove role and feature files, also known as the feature payload, from the Windows Server 2012 operating system to conserve space. You can install roles and features whose feature payload is not present by using a remote source, such as a mounted image of the full operating system. If an installation source is not present but an Internet connection is, the source files will be downloaded from Windows Update. The advantage of a “Features on Demand” installation is that it requires less hard disk space than a traditional installation. The disadvantage is that if you want to add a role or feature, you must have access to a mounted installation source. This is not necessary if you perform an installation of Windows Server 2012 with the graphical features enabled.
What Is Server Manager?
Server Manager is the main graphical tool that you use to manage computers that are running Windows Server 2012. You can use the Server Manager console to manage both the local server and remote servers. You can also manage servers as groups. By managing servers as groups, you can perform the same administrative tasks quickly across multiple servers that either perform the same role or are members of the same group. You can use the Server Manager console to perform the following tasks on both local servers and remote servers:
• Add and remove roles and features.
• Manage and view server and server group status.
• Perform various server configuration and management tasks.
• Access local configuration settings such as networking, firewall, and remote management.
• Access all the available management consoles through the Tools menu, such as DNS, DHCP, and Services.
Server Manager has three main areas when it is first opened.
• Dashboard. This gives a quick view of which roles and features are installed locally, and also high-level overviews across other groups and servers. If there are any errors or potential problems, this is signified by a red banner over the specific role.
• Local Server. This gives specific data for the local server. From here you can access the configuration consoles, by clicking the highlighted blue text links, for some of the main areas you may need to configure for the local server, such as Computer name, Windows Firewall, and Local Area Connection.
• All Servers. This is a default server group and contains all servers that are added to Server Manager to manage, that is, added to the server pool.
When you create customized Server Groups, by clicking Manage and then clicking Create Server Group, you can then manage a subset of servers as a logical unit based on whatever criteria is required, such as Accounting, New York, or other criteria. After you create these, you then have the following areas:
• Server Status. Allows you to view the status of servers, for example activation status, last updates, manageability status (online or not), and IP address. You can also filter the view by adding filter criteria. You can right-click a server and view a whole range of other management tasks, such as starting specific management consoles for the server, launching Windows PowerShell, or shutting down the server.
• Events. You can view all event types in all logs for a specific server over a particular time period, or be as fine-grained as required. You should be careful not to monitor too many events, because it can generate a lot of data and, as a result, potentially affect server performance.
• Services. You can start and stop or view the status of services.
• Best Practice Analyzer (BPA). Allows you to determine whether roles on the network are performing efficiently or whether there are problems. You can view the health of a specific role based on criteria that you specify.
• Performance. Allows you to configure Performance Alerts around CPU % Usage and Memory availability and view them as a graph over a period of up to seven days.
• Roles and Features. Allows you to view roles, role services, and features that are currently installed on each server, and install or remove roles, role services, or features for the whole group concurrently or for individual servers.
After a role is installed on a local server, it is displayed in the navigation pane of Server Manager. From this navigation pane you can manage specific roles.
You can manage Windows Server 2008 and Windows Server 2008 R2 servers with Server Manager on Windows Server 2012, but .NET Framework 4 and Windows Management Framework BITS 4.0 are required to be installed. Server Manager uses the Remote Management capability, which is enabled by default in Windows Server 2012. This might also need to be enabled on other Windows Server versions if it is not already and you want to manage those versions through Server Manager.
Demonstration: How to Deploy Server Roles and Features
You can add or remove roles and features by using the following management tools.
Server Manager
The Server Manager console uses integrated wizards to step you through adding server roles. You can use Server Manager to add several roles at the same time, even if they are unrelated. For example, a server being provisioned for a branch office could have the DNS Server, DHCP Server, and Print Server roles added at one time. The Server Manager Wizard performs all the necessary dependency checks and conflict resolution so that the server is stable, reliable, and secure. In this demonstration, you will see how to add roles and features to a server.
Demonstration Steps
1. Open Server Manager.
2. Access the Add Roles and Features Wizard.
3. Install the DHCP Server role and review the configuration settings in the wizard.
4. Export and view the configuration settings XML.
Lesson 2
Deploying Role-Specific Servers
In smaller organizations, server functions are frequently combined into a single server. In larger organizations with many server computers, it is more common to dedicate a server to a specific subset of server functions. This lesson will cover some common kinds of servers: file and print servers, domain controllers, application servers, web servers, and remote access servers.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe a file and print server.
• Describe a domain controller.
• Describe an application server.
• Describe a web server.
• Describe a remote access server.
What Are File and Print Servers? Historically, the term file server was frequently used as a generic term to describe any server. Currently, the term is a file-storage device on a LAN that can be accessed by network users. A file server deploys the File and Storage Services role and not only stores files but manages them. A file server also maintains order as network users request and change files, and it can define and manage the storage around the files. On a Windows Server file server, you must: •
Provide sufficient storage for users’ files.
•
Share the folders that contain users’ files.
•
Configure security settings to make sure appropriate levels of access to users’ files.
•
Provide a mechanism that is used to back up and restore shared files.
As discussed in Module 2, “Fundamentals of a Windows Server Infrastructure,” the storage used to host users’ files does not have to be locally attached to the file server. There are a range of technologies available depending on your specific requirements and budget. Deploying a File Server
To deploy a file server, install the File and Storage Services server role. This role includes the following role services:
• File and iSCSI Services. Provides technologies that help manage file servers and storage, reduce space utilization, replicate and cache files to branch offices, move or fail over a file share to another cluster node, and share files by using the NFS protocol.
  o File Server. Manages shared folders and enables users to access files on this server.
  o BranchCache for network files. Enables BranchCache computers to cache frequently downloaded files, and then provide those files to other computers in the branch office. This reduces network bandwidth usage and provides faster access to the files.
  o Data Deduplication. Saves disk space by storing a single copy of identical data on the volume.
  o Distributed File System (DFS) Namespaces and Replication. Enables you to group file shares that are located on different servers into one or more logically structured namespaces. Each namespace displays to users as a single file share with a series of subfolders. This service also replicates data between multiple servers over limited-bandwidth network connections and LAN connections.
  o File Server Resource Manager (FSRM). Helps you manage and understand the files and folders on a file server by scheduling file management tasks and storage reports, classifying files and folders, configuring folder quotas, and defining file screening policies.
  o File Server VSS Agent Service. Enables you to perform volume shadow copying of applications that store data on the file server.
  o iSCSI Target Server. Provides services and management tools for iSCSI targets.
  o iSCSI Target Storage Provider. Enables server applications that are connected to an iSCSI Target to create volume shadow copies and also allows for management of iSCSI virtual hard disks by older applications that use Virtual Disk Service (VDS).
  o Server for Network File System (NFS). Provides compatibility services for UNIX-based computers.
• Storage Services. Provides storage management functionality that is always installed, including storage pools and storage spaces.
As you can see from the previous list, a broad range of functionality is available under the File and Storage Services role, with many different role services providing specific functions. Although you might not need all these services for your particular scenario, it is wise to research what functionality is available in case it can help identify and simplify your own particular requirements.
File services are frequently combined in organizations with print server services. The print server services are available in the Print and Document Services role in Windows Server 2012. The Print and Document Services role provides the following services and features:
• Print Server. Used for managing multiple printers or print servers and migrating to and from other Windows print servers.
• Distributed Scan Server. Provides a service that receives scanned documents from network scanners and routes them to the correct destinations. Also contains a scan management snap-in.
• Internet Printing. Creates a website where users can manage print jobs and enables users who have an Internet Printing client installed to use a web browser to connect and print to shared printers.
• LPD Service. Enables UNIX-based computers that use LPR (Line Printer Remote) to print to shared printers on the server.
The print server can share locally or network-attached printers. By using network-attached printers, you can reduce the overall number of print devices in your organization because users do not each need a printer.
In addition to installing the File and Storage Services and Print and Document Services roles through the Add Roles And Features wizard, you can also install them by using Windows PowerShell with the following commands.

    Install-WindowsFeature FileAndStorage-Services
    Install-WindowsFeature Print-Services

You can verify the installation by using the following command and viewing the output.

    Get-WindowsFeature
Note: If you’re unsure what the feature name is in Windows PowerShell, you can use the Get-WindowsFeature command and scroll through the output until you locate the role, role service, or feature that you need.
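The following script is an added example, not part of the courseware, that carries the file server checklist above (install the roles, share a folder, configure security settings) through in Windows PowerShell. The group name ADATUM\Research, the path D:\Shares\Research and the share name Research$ are assumed for illustration; the cmdlets are the ServerManager and SmbShare cmdlets that ship with Windows Server 2012.

```powershell
# Added example (not from the courseware): deploy the file and print roles and publish
# one share whose share-level and NTFS permissions follow least privilege.
# Assumed names: the domain group ADATUM\Research and the local path D:\Shares\Research.
Import-Module ServerManager

# Install both roles plus their management tools (FSRM console, Print Management, and so on).
Install-WindowsFeature -Name FileAndStorage-Services, Print-Services -IncludeManagementTools

# Verify that the role services this lesson relies on actually reached the Installed state.
Get-WindowsFeature -Name FS-FileServer, FS-Resource-Manager, Print-Server |
    Format-Table Name, InstallState -AutoSize

$path  = 'D:\Shares\Research'   # assumed local path
$group = 'ADATUM\Research'      # assumed domain group

New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS permissions: remove inherited entries, then grant only what each principal needs.
# (OI)(CI) = inherit to files and subfolders; M = Modify; F = Full Control.
icacls $path /inheritance:r /grant:r "${group}:(OI)(CI)M" `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Share permissions: Change for the group, Full only for administrators, no Everyone entry.
# Access-based enumeration hides folders a user cannot open; EncryptData turns on SMB 3 encryption.
New-SmbShare -Name 'Research$' -Path $path `
    -ChangeAccess $group -FullAccess 'BUILTIN\Administrators' `
    -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null

# Review the resulting share-level ACL.
Get-SmbShareAccess -Name 'Research$' |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

# Audit check: list any non-administrative share on this server that still grants
# Everyone more than Read, which is the usual sign of a share created with default settings.
Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess |
    Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -ne 'Read' } |
    Format-Table Name, AccountName, AccessRight -AutoSize
```

The NTFS and share ACLs are set separately because the effective permission for a network user is the more restrictive of the two; granting Change at the share level and Modify on NTFS keeps administrators as the only principals able to change permissions on the folder.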
What Is an Application Server?
An application server is a computer that hosts the Application Server role. It provides for centralized management and hosting of high-performance distributed business applications such as client/server or web-based network-aware application software. Examples of such software include Microsoft SQL Server®, Exchange Server, IIS, and Terminal Services. Because an application server runs user applications, it typically has greater processor and memory requirements than other kinds of servers. You must consider the system requirements of each application, including its architecture, when you configure the servers that will host them. The following describes the kinds of application servers.
• Client/server applications. Client/server applications are also known as traditional applications. Part of the application runs on a client computer and part of the application runs on a server. Typically, the client (front-end) application serves as an end-user interface for processing requests sent to and receiving responses from the server (back-end). The bulk of data is stored on the server. In some cases, the server part of the application is just a SQL Server database that all client computers communicate with. In other cases, there is a middle tier with application logic that the client computers communicate with, and the middle tier communicates with a SQL Server database.
• Web-based applications. A web-based application uses a web browser to provide the UI. The application logic is then performed on a web server and data is stored in a SQL Server database.
Windows Server 2012 includes features to support the application server role, regardless of whether the application to be hosted has a web-based or a client/server kind of architecture.
Deploying an Application Server
To deploy an application server, install the Application Server role. This role consists of five role services. These are as follows:
• Web Server (IIS) Support. Enables the application server to host internal or external websites and web services that communicate over HTTP.
• Microsoft Component Object Model (COM+) Network Access. Enables the server to host and allow remote invocation of applications that are built with COM+ and Enterprise Services components.
• TCP Port Sharing. Facilitates the sharing of TCP ports across multiple processes that use Windows Communication Foundation (WCF) for communications. This enables multiple applications to coexist on the same server while remaining logically separate.
• Windows Process Activation Service Support. Enables the server to start and stop applications remotely and dynamically using protocols such as HTTP and TCP.
• Distributed Transactions. Provides services that ensure reliable and complete transactions over multiple databases that are hosted on multiple computers on the network.
Note: An application server differs from a web server because it hosts applications that run natively on the server and the client, instead of preparing and providing content to a browser.
There are no Windows PowerShell cmdlets available for installing and configuring the Application Server role.
More information about the Application Server role can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309112
What Is a Web Server?
A Microsoft web server hosts the Web Server (IIS) role. A web server generally is a computer attached to either the Internet or the corporate intranet that serves static, dynamic, or streaming content to client computers that are equipped with a web browser and request it.
Although the webpages you display and use daily are most frequently provided using Hypertext Markup Language (HTML) with the HTTP and HTTPS protocols, web server usage is wide and varied. Web servers can also handle other functions and protocols, such as FTP to accommodate file transfers or SMTP to provide email functionality. The underlying functionality across all these is the ability of the web server to receive requests and respond to them.
Types of Web Service Content
The following paragraphs describe the three kinds of web service content.
Static content. Static content is data that is the same for all users that view it. The data does not change based on where the users connect from or which user is connected. This is the most common kind of data on computer networks. Some examples of static content include the following:
• Basic HTML webpages
• Microsoft Word documents
• Microsoft PowerPoint® slides
Dynamic content. Dynamic content is data that can be different every time it is accessed by a user. This content can change depending on variables such as which user is accessing the content or the user’s location. This kind of content is most frequently found in modern websites and web-based applications. A common way to build dynamic content is by using Active Server Pages (ASP) and ASP.NET. These methods use scripts in webpages that are processed by the server to generate the webpages that are delivered to users. Examples of dynamic content include the following:
• A webpage that displays a user’s name when the user accesses the website.
• A webpage that displays the IP address of a user accessing content.
• A webpage that changes content depending on the demographics or location of the user.
Streaming content. Streaming content is data that is delivered to users at the speed required for playback. This differs from non-streaming content, which is delivered to users at the fastest possible speed that the client, servers, and network can support. Streaming content could lead to increases in network traffic and can cause network congestion. Windows Server and Windows Media® Services provide support for streaming content. Examples of streaming content can include online radio stations and online video feeds.
Security
Although users frequently connect anonymously to a web server, they frequently require the web server to verify its identity. This is typically achieved by using a digital certificate installed on the web server and the use of the Secure Sockets Layer (SSL) protocol. Although users who connect to an Internet-connected web server do not have to authenticate themselves, users who connect to a corporate web server through an intranet connection or remotely from home are frequently required to provide credentials to identify themselves.
Deploying a Web Server
To deploy a web server, install the Web Server (IIS) role. This role consists of the following four role services and their sub components:
• Web Server. Installing the Web Server role in Windows Server 2012 installs IIS 8.0. Provides support for HTML websites with optional support for ASP.NET, ASP, and web server extensions. You can use the web server to host an internal or external website or to provide an environment for developers to create web-based applications.
• FTP Server. Enables the transfer of files between a client and server by using the FTP protocol. Users can establish an FTP connection and transfer files by using an FTP client or FTP-enabled web browser.
• IIS Hostable Web Core. Enables you to write custom code that hosts core IIS functions within your application.
• Management Tools. Provides tools to manage your IIS deployments, including the earlier IIS 6.0 and IIS 7.0 versions that preceded the IIS 8.0 installed by Windows Server 2012. You can use the IIS UI, command-line tools, and scripts to manage the web server.
Note: In Windows Server, the Web Server (IIS) role is frequently required to support other server roles or functions such as Application Server, Active Directory Federation Services (AD FS), or Internet Printing. You can also install the Web Server (IIS) role on a Windows Server 2012 Server Core,
Windows PowerShell provides an extensive range of cmdlets to help with web server installation and configuration, as part of the WebAdministration module. Some useful commands are included in the following table.

Windows PowerShell Commands               Description
Get-WebSite                               Gets configuration information for an IIS web site
Get-WebURL                                Gets information associated with a URL for a specific website
Get-Command -Module WebAdministration     Lists all the cmdlets that are present in the WebAdministration module

More information about Internet Information Services (IIS) 8.0 can be found at the following webpage. http://www.iis.net
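The following script is an added example, not from the courseware, that uses the WebAdministration module to build the intranet scenario the Security paragraph describes: the server proves its identity with a certificate over HTTPS, and intranet users must present credentials rather than connecting anonymously. The site name Intranet, the host name intranet.adatum.com and the path C:\inetpub\intranet are assumed; the self-signed certificate is a lab stand-in for one issued by the enterprise CA.

```powershell
# Added example (not from the courseware): create an intranet site, bind it to HTTPS with a
# server certificate, require SSL, and replace anonymous access with Windows authentication.
# Assumed names: site "Intranet", host name intranet.adatum.com, path C:\inetpub\intranet.
Import-Module WebAdministration

$siteName = 'Intranet'
$hostName = 'intranet.adatum.com'
$sitePath = 'C:\inetpub\intranet'
New-Item -Path $sitePath -ItemType Directory -Force | Out-Null

# Server certificate: reuse one already in the machine store for this host name, otherwise
# create a self-signed one. In production this comes from the enterprise CA, not from here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" } | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation Cert:\LocalMachine\My
}

# Site in its own application pool so a compromise of another site does not share its worker process.
New-WebAppPool -Name $siteName | Out-Null
New-WebSite -Name $siteName -PhysicalPath $sitePath -ApplicationPool $siteName `
    -HostHeader $hostName -Port 80 | Out-Null

# HTTPS binding, then attach the certificate to it.
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
$binding = Get-WebBinding -Name $siteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Require SSL for the whole site, disable anonymous access, enable Windows authentication.
$appHost = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled' -Value $true

# Verify: both bindings exist and the authentication settings are what was intended.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Get-WebConfiguration -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' |
    Select-Object @{n='Setting';e={'anonymousAuthentication'}}, enabled
Get-WebConfiguration -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' |
    Select-Object @{n='Setting';e={'windowsAuthentication'}}, enabled
```

The HTTP binding on port 80 is kept only so the site can be reached during setup; once sslFlags is set to Ssl, IIS rejects plain HTTP requests to the site with a 403 error, so clients must use the HTTPS binding.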
What Is a Remote Access Server?
Remote access enables users to access corporate resources from outside the corporate network. Users could be accessing corporate network shares, websites, and applications remotely through many different devices or locations. In Windows Server 2012, there are two main options for providing remote access: DirectAccess or VPN. Situations that might require a remote access server include the following:
• Staff working from home in the evenings
• Staff telecommuting
• Working from hotels during business trips
• Wireless clients accessing data on the road
When you install the Remote Access role, you have two options:
• DirectAccess and VPN (RAS).
  o DirectAccess was introduced in Windows Server 2008 R2 and Windows 7, and is present in Windows Server 2012 and Windows 8. DirectAccess allows users to securely access their corporate network, shares, websites, and applications remotely across the corporate network without any configuration or manual intervention on the end-user side. It creates a bi-directional link that IT administrators can use to manage the device when the computer or device is connected to the Internet. It provides a secure, seamless, always-on technology. If DirectAccess loses connection, it will automatically reconnect.
  o VPN is an older remote access technology that creates a secure point-to-point connection between the remote device or computer and the corporate network. It uses tunneling protocols to provide the connection. It can require some manual intervention and troubleshooting on the client side.
• Routing. Routing provides for the management of data flow between network segments or subnets. It provides support for network address translation (NAT) routers, LAN routers running Routing Information Protocol (RIP), and multicast-capable routers. The Routing role service in Windows Server 2012 is a software-based routing solution that is best suited for smaller segmented networks that carry fairly light network volumes.
Regardless of what kind of data is being accessed, security is a key concern when you allow devices from outside your own secure corporate environment to gain access to the network. So although the Remote Access role allows for external connections to the network, there are additional roles that are installed to provide security for those devices. To provide that protection, one additional role to install would be Network Policy and Access Services.
Network Policy and Access Services
The Network Policy and Access Services role provides for a range of different technologies that provide layers of security when you are deploying a remote access infrastructure in the network. This role consists of four role services:
• Network Policy Server (NPS). Enables you to create and enforce network access policies for network access connections, health enforcement, and network connection authorization. This controls access to your corporate network and allows for remediation of clients who do not meet the specific requirements that you set in your policies, such as the latest updates being installed or antivirus software being present on the client devices.
• Health Registration Authority (HRA). Validates certificate requests that contain health claims; used in NAP enforcement.
• Host Credential Authorization Protocol. Enables you to integrate your NAP solution with Cisco Network Access Control.
Some of these technologies are described in more detail later in the course. But the main thing to understand from this topic is that several roles might be necessary to provide for efficient and secure deployment of a role. You should give full consideration to what your requirements are before you deploy any server role. Windows PowerShell provides an extensive range of cmdlets to help with remote access installation and configuration, as part of the RemoteAccess and NPS modules. Some useful commands might include those in the following table.

Windows PowerShell Commands          Description
Get-RemoteAccessHealth               Displays the current health status of a remote access deployment
Get-NpsRadiusClient                  Displays NPS RADIUS clients
Get-Command -Module RemoteAccess     Displays the cmdlets for the RemoteAccess module
Get-Command -Module NPS              Displays the cmdlets for the NPS module
Question: What are some examples of security concerns for data that is accessed remotely?
Remote Server Administration Tools You can install the complete set of administrative tools for Windows Server 2012 by installing the Remote Server Administration Tools (RSAT) feature. When you install RSAT, you can choose to install all of the tools, or only the tools to manage specific roles and features. You can also install RSAT on computers running the Windows 8 operating system. This allows administrators to manage servers remotely, without having to log on directly to each server.
It is a general best practice to run Windows Server 2012 servers as a Server Core installation and manage them remotely via RSAT for Windows 8 or one of the many other remote management methods.
You can manage Windows Server 2012 servers with RSAT for Windows 8 only; that is, you cannot manage Windows Server 2012 by using RSAT for Windows 7. You can download the Remote Server Administration Tools for Windows 8 at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309113
Demonstration: Remotely Manage Windows Server 2012 Servers
In this demonstration, you will see how to manage Windows Server 2012 servers remotely by using the Remote Server Administration Tools (RSAT) for Windows 8.
Demonstration Steps
1. Install the RSAT for Windows 8.
2. Create a Server Group in Server Manager called Lon Servers.
3. Add LON-DC1 and LON-SVR3 to the Server Group.
4. Install the Web Server (IIS) role on LON-SVR3.
5. Install the Print and Document Services role on LON-DC1.
6. Restart both servers simultaneously via the Server Group.
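The following script is an added example, not part of the demonstration, that performs steps 3 to 6 from a Windows 8 workstation with RSAT installed, using the ServerManager cmdlets over WinRM instead of the Server Manager console. The server names are the lab's LON-DC1 and LON-SVR3. A Server Group is a console feature with no cmdlet, so the script keeps the list of servers in a variable instead.

```powershell
# Added example (not from the courseware): remote role installation and restart from an
# RSAT for Windows 8 workstation. Assumes the lab servers LON-DC1 and LON-SVR3 and that
# the current user is an administrator on both.
Import-Module ServerManager

$lonServers = 'LON-DC1', 'LON-SVR3'

# Every cmdlet below rides on WinRM, so confirm reachability first and report clearly.
foreach ($s in $lonServers) {
    try {
        Test-WSMan -ComputerName $s -ErrorAction Stop | Out-Null
        "$s : WinRM reachable"
    } catch {
        "$s : WinRM not reachable ($($_.Exception.Message))"
    }
}

# Step 4: Web Server (IIS) on LON-SVR3. Step 5: Print and Document Services on LON-DC1.
# Install-WindowsFeature returns a result object per call; keep them for review.
$results = @(
    Install-WindowsFeature -Name Web-Server -ComputerName 'LON-SVR3' -IncludeManagementTools
    Install-WindowsFeature -Name Print-Services -ComputerName 'LON-DC1' -IncludeManagementTools
)
$results | Format-Table Success, RestartNeeded, ExitCode,
    @{n='Features'; e={ $_.FeatureResult.Name -join ', ' }} -AutoSize

# Confirm the install state on each server before restarting anything.
foreach ($s in $lonServers) {
    Get-WindowsFeature -ComputerName $s -Name Web-Server, Print-Services |
        Select-Object @{n='Server'; e={ $s }}, Name, InstallState
}

# Step 6: restart both servers at once and wait until WinRM answers again on each,
# so the script ends only when the servers are manageable again.
Restart-Computer -ComputerName $lonServers -Force -Wait -For WinRM -Timeout 600
```

Because the roles are installed remotely, nothing here requires an interactive logon to either server, which is the point of managing Server Core installations through RSAT.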
Lesson 3
Considerations for Provisioning Roles
This lesson will cover considerations for deploying server roles and also the deployment options that are available. Organizations are no longer required to provide the IT infrastructure for their business themselves. Instead, the availability of online cloud services allows IT administrators to take advantage of large data center functionality while focusing on their core business needs. Although externally hosted services may not be suitable in all situations, the option is available and IT administrators must be aware of it.
Lesson Objectives
After completing this lesson, students will be able to:
• Describe Hyper-V.
• Understand the capabilities of Hyper-V.
• Configure a virtual machine.
• Describe on-premise scenarios.
• Describe cloud services.
What Is Hyper-V?
Hyper-V is a virtualization technology that is installed as a role in Windows Server 2012. It provides the ability to create and manage virtual machines. Virtual machines are virtual instances of operating systems, which allow multiple operating systems to run concurrently on a single server.
Hyper-V is a hardware virtualization technology that provides virtual machines with direct access to the server's hardware. It does this by installing what is known as a hypervisor between the server hardware and the operating system. All access to the hardware traverses the hypervisor. This includes the installed operating system. This enables multiple isolated operating systems to share a single hardware platform. This differs from other software virtualization products, such as Microsoft Virtual Server 2005 R2, or Virtual PC. These virtualization technologies provide access to the hardware through the server's operating system, which in turn provides indirect access to the server's hardware. After installation of the Hyper-V role, the installed operating system becomes the “parent partition” from where you can create and manage “child partitions.” Child partitions do not have direct access to other hardware resources and are presented with a virtual view of the resources, as virtual devices. Drivers in the parent partition are used for accessing the server hardware. Child partitions use virtualized devices through virtualization service client drivers, which communicate through a virtual machine bus (VMBus) with virtualization service providers in the parent partition. Requests to the virtual devices are redirected either through the VMBus or through the hypervisor to the devices in the parent partition.
Installation Requirements
The server on which you plan to install the Hyper-V role must meet the following hardware requirements:
• The server must have an x64 platform that supports the following:
  o Hardware-assisted virtualization. If you want to run Hyper-V, you must have servers that can run AMD Virtualization (AMD-V) or Intel Virtualization Technology (Intel VT).
  o Data Execution Prevention (DEP). You must have hardware-enforced DEP enabled by configuring either the Advanced Micro Devices (AMD) no execute bit (NX bit) or the Intel execute disable bit (XD bit).
  After you change the BIOS to support hardware virtualization and DEP you must turn off the computer completely, and then restart it. Performing a restart may not enable the new settings.
• The server must have enough CPU capacity to meet the requirements of the guest virtual machines. A virtual machine hosted on Hyper-V in Windows Server 2012 can support up to 64 virtual processors.
• The server must have enough memory to support all the virtual machines that must run concurrently, plus enough memory to run the host Windows Server 2012 operating system.
  o The server must have at least 4 gigabytes (GB) of RAM.
  o A virtual machine hosted on Hyper-V in Windows Server 2012 can support no more than 2 terabytes (TB) of RAM.
• The storage subsystem performance must meet the input/output (I/O) needs of the guest virtual machines. Whether deployed locally or on SANs, you might have to put different virtual machines on separate physical disks, or you might have to deploy high-performance redundant array of independent disks (RAID), solid-state drives (SSD), hybrid-SSD, or a combination of all three.
• The virtualization server's network adapters must be able to support the network throughput needs of the guest virtual machines. You can improve network performance by installing multiple network adapters.
Windows PowerShell provides an extensive range of cmdlets to help with Hyper-V implementation. These cmdlets are part of the Hyper-V module and include those in the following table.

Windows PowerShell Commands      Description
New-VM                           Creates a new virtual machine
Test-VHD                         Verifies the integrity of one or more virtual hard disks
Get-Command -Module Hyper-V      Displays the cmdlets for the Hyper-V module
As well as being able to install Hyper-V as a role in Windows Server 2012, it is also possible to obtain Microsoft Hyper-V Server 2012 as a free download. This version just contains the virtualization technology and does not contain the rich feature set that comes with Windows Server 2012. Hyper-V Server 2012 would typically be used where organizations are consolidating servers where no new Windows Server licenses are required or where the servers being consolidated are running an alternative operating system.
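The following script is an added example, not from the courseware, that checks the hardware prerequisites listed above from WMI, installs the role, and then creates one virtual machine with the Hyper-V module cmdlets (New-VM and Test-VHD from the table, plus the processor and memory cmdlets). The switch name LabSwitch, the VM name LON-TEST1 and the path D:\VMs are assumed for illustration.

```powershell
# Added example (not from the courseware): prerequisite check, role install and one VM.
# Assumed names: switch "LabSwitch", VM "LON-TEST1", VHD path D:\VMs\LON-TEST1.vhdx.

# 1. Hardware-assisted virtualization and DEP, as reported by WMI on Windows 8 / Server 2012.
$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
$os  = Get-WmiObject Win32_OperatingSystem
[PSCustomObject]@{
    VirtualizationEnabledInFirmware = $cpu.VirtualizationFirmwareEnabled           # AMD-V / Intel VT on in BIOS
    SecondLevelAddressTranslation   = $cpu.SecondLevelAddressTranslationExtensions # SLAT (EPT / RVI)
    DEPAvailable                    = $os.DataExecutionPrevention_Available        # NX / XD bit
    TotalMemoryGB                   = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)  # value is in KB
}

# 2. Role install. RestartNeeded in the result tells you a reboot is required before step 3.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools

# 3. After the restart: an external switch on the first connected adapter, then the VM.
Import-Module Hyper-V
if (-not (Get-VMSwitch -Name 'LabSwitch' -ErrorAction SilentlyContinue)) {
    $nic = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
    New-VMSwitch -Name 'LabSwitch' -NetAdapterName $nic.Name | Out-Null
}

$vmName  = 'LON-TEST1'
$vhdPath = 'D:\VMs\LON-TEST1.vhdx'
New-VM -Name $vmName -MemoryStartupBytes 2GB -NewVHDPath $vhdPath `
    -NewVHDSizeBytes 60GB -SwitchName 'LabSwitch' | Out-Null

# Two virtual processors; dynamic memory capped so one guest cannot starve the host.
Set-VMProcessor -VMName $vmName -Count 2
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 4GB

# 4. Integrity check of the new disk and a summary of the resulting configuration.
Test-VHD -Path $vhdPath
Get-VM -Name $vmName | Format-List Name, State, ProcessorCount, MemoryStartup, DynamicMemoryEnabled
```

Run the prerequisite block before installing the role: if VirtualizationEnabledInFirmware or DEPAvailable is false, the role installs but the hypervisor will not start, which is the symptom of the BIOS settings not having been applied by a full power-off.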
Hyper-V Capabilities
Hyper-V is a cornerstone to several Microsoft virtualization technologies. Microsoft provides many virtualization solutions that address various organizational needs. This includes the following:
• Server virtualization. This lets you run multiple virtual machines on a single physical server. This provides more density of resource use (hardware, utilities, storage space) while providing operational isolation and security.
• Desktop virtualization. This lets you run virtual machine guests on client computers. This enables you to run multiple operating systems on a single workstation, and to run an incompatible legacy or line-of-business (LOB) application in a more-current desktop operating system.
• RDS and Virtual Desktop Infrastructure (VDI). This allows you to provision remote access to machines and also provision client desktops and applications to end-users. VDI provides for more centralized control and customization of the desktop environments, maintaining application storage on centralized servers, while providing users with a familiar application interface on their workstations.
• Application virtualization. This lets you run applications in a virtualized environment on a user’s desktop. With application virtualization, the application is isolated from the underlying operating system because the application is encapsulated in a virtual environment. When you deploy a complete application virtualization solution, you can use centralized servers to distribute the virtual applications.
• User-state virtualization. User-state virtualization lets users take advantage of separating their documents and profile information from a specific computer. This makes it easy to get started again on a new computer. Profile virtualization also makes it easy for users to move between computers, or to experience the same desktop environment when using one of the other virtualization technologies.
Each virtualization strategy has specific tools or configurations that it requires in addition to Hyper-V.
One of the critical components in deploying virtualization is to be able to manage both the physical and virtual components. The System Center suite of tools provides virtualization management. Tools such as System Center Configuration Manager, System Center Operations Manager, and System Center Virtual Machine Manager (VMM) provide a familiar set of tools for managing both the virtual environment and the physical layer that hosts the virtual environment. These Enterprise server tools integrate with Hyper-V to allow for more scalability and efficiency when you deal with many virtualized environments.
On-Premise Servers
As an IT professional who has worked with locally deployed servers, it would be reasonable to ask why, if everything is moving to cloud computing (discussed in the next topic), you would have to learn about deploying Windows Server 2012 locally. The reality is that not every service and application that is used daily should be hosted by cloud computing. Locally deployed servers form the backbone of an organizational network, and provide the following resources to clients:
• Infrastructure services. Servers provide clients with infrastructure resources, including DNS and DHCP services. These services allow clients to connect and communicate with other resources. Without these services, clients would be unable to connect either to one another or to remote resources, including resources that are hosted by cloud computing.
• Shared files and printers. Servers provide a centralized location that lets users store and share documents. Servers also host resources such as shared printers that allow groups of users to take advantage of resources more efficiently. Without these centralized, locally deployed resources, sharing and backing up files centrally would be a more complex and time-intensive process. You could host some of this information by using cloud computing. However, it does not always make sense to send a job to a printer that is in the next room through a server that is hosted at a remote location.
• Hosted applications. Servers host applications such as Exchange Server, SQL Server, Microsoft Dynamics®, and System Center. Clients access these applications to perform different tasks, such as accessing email or self-service deployment of desktop applications. In some cases, these resources can be deployed to cloud computing. But frequently, these resources must be hosted locally for performance, cost, and regulatory reasons. Whether it is best to host these resources locally or with cloud computing depends on the specifics of the individual organization.
• Network access. Servers provide authentication and authorization resources to clients on the network. By authenticating against a server, a user and client can prove their identity, even when many of an organization’s servers are located in a public or private cloud.
• Application, Update, and Operating System deployment. Servers are frequently deployed locally to help with the deployment of applications, updates, and operating systems to clients on the organizational network. Because of intensive bandwidth use, these servers must be in proximity to the clients to which they are providing this service.
Each organization will have its own requirements. An organization in an area that has limited Internet connectivity will have to rely more on on-premises servers than an organization that has access to high-speed bandwidth. Make sure that, even in a case of Internet connectivity issues, work in an organization can continue. Productivity will be adversely affected if the failure of the organization’s Internet connection suddenly means that no one can access their shared files and printers. Although Windows Server 2012 is ready for integration with cloud computing, it is also still eminently suited to the traditional tasks that Windows Server operating systems have performed historically. Therefore, you will still be able to configure and deploy Windows Server 2012 to perform the same or similar workloads that you configured for servers running Windows Server 2003, and maybe even for Windows NT Server 4.0.
What Are Cloud Services?
Cloud computing is a general description that consists of several different technologies. Although it might be defined in many ways, it effectively refers to services being provisioned remotely through Internet standards and protocols to both users and administrators. The most common forms of cloud computing are as follows:
• Infrastructure as a service (IaaS). With this form of cloud computing, you run a full virtual machine in the cloud. The cloud hosting provider manages the hypervisor platform, and you manage the virtual machine that runs on the cloud provider’s infrastructure. Windows Azure™ Compute is an example of IaaS. You can run Windows Server 2012 as a virtual machine in an IaaS cloud, but in some cases, the operating system will host the virtual machines in an IaaS cloud.
• Platform as a Service (PaaS). With PaaS, the cloud hosting provider provisions you with a particular platform. For example, a provider could let you host databases. You manage the database itself, and the cloud hosting provider hosts the database server. Windows Azure™ SQL Database (formerly known as SQL Azure) is an example of PaaS.
• Software as a Service (SaaS). The cloud hosting provider hosts your application and the infrastructure that supports that application. You buy and run a software application from a cloud hosting provider. Windows Intune™ and Microsoft Office 365™ are examples of SaaS.
Public and Private Clouds
A public cloud is a cloud service that is hosted by a cloud services provider, and is made available for public use. A public cloud might host a single tenant, or it might host tenants from multiple organizations. Therefore, public cloud security is not as strong as private cloud security, but public cloud hosting typically costs less because multiple tenants absorb costs.
In contrast, private clouds are cloud infrastructure that is dedicated to a single organization. Private clouds might be hosted by the organization itself, or might be hosted by a cloud services provider who makes sure that the cloud services are not shared with any other organization. Private clouds are more than large-scale hypervisor deployments. They can use the System Center 2012 management suite, which makes it possible to provide self-service delivery of services and applications. For example, in an organization that has its own private cloud, it would be possible for users to use a self-service portal to request multitier applications including a web server, database server, and storage components. Windows Server 2012 and the components of the System Center 2012 suite are configured in such a way that this service request can be processed automatically, without requiring the manual deployment of virtual machines and database server software.
In general, your organization’s requirements will most likely involve some mix of the two scenarios in a hybrid cloud and on-premise environment. This provides the core services that you must have, allows for control over data that you do not want to leave your organization, and lets you take advantage of some benefits of cloud services. These benefits include high availability, business continuity, disaster recovery, reduced hardware costs, and regular billing for services, allowing for better forecasting and management of costs. More information about Windows Azure can be found at the following webpage.
http://www.windowsazure.com
Lab: Implementing Server Roles
Scenario
A. Datum Corporation has deployed client computers to several new R&D branch offices. It plans to install new server computers at these branches to enable network infrastructure features, to support custom applications, and to provide file and print services for the office productivity applications on the client computers. Your task is to read the requirements document and determine which server roles are required to support the needs of users at the branch offices.
Objectives
After completing this lab, you will be able to:
• Determine the appropriate roles to deploy.
• Deploy server roles.
Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR3 and 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
Exercise 1 can be done as a small group or class discussion.
Exercise 1: Determining the Appropriate Roles to Deploy
Scenario
Ed Meadows has forwarded an email message to you from Alan Brewer, the Research department head. Attached to the email is the Branch Office Server Deployment Requirements document. You must read the supporting documentation and complete the Branch Office Server Deployment Recommendations document.
Supporting Documentation
Subject: FW: New branch offices – Server Deployment
From: Ed Meadows [[email protected]]
Sent: April 3
To: [email protected]
Attached: Branch Office Server Deployment Requirements.doc
Charlotte,
Please see Alan's comments and review the attached document for more information.
Regards,
Ed
----- Original Message -----
Subject: New branch offices – Server Deployment
From: Alan Brewer [[email protected]]
Sent: April 1
To: [email protected]
Ed,
I don't understand all the technicalities, but what we want at the branches is the ability to work as usual even if the link to the head office is unavailable. We have a database that we use; the branches synchronize their data with the head office database periodically.
All workers at the branches are using standard office productivity software: Microsoft Word 2013, Microsoft Excel® 2013, and other Office components. They save their work to a server. Shared printers are available throughout the branches for all users.
We often have visiting laptops and users moving between branches, so they need to be able to connect to the network without user or administrator intervention.
Hope this helps,
Alan
Branch Office Server Deployment Requirements.doc
Branch Office Technical Overview
During interviews with staff and following research at each branch, I have determined the following requirements:
• Client computers require automatic IPv4 configuration.
• Users share files and store them centrally on shared folders.
• Shared printers can be accessed by everyone at the branch.
• A database server exists at each branch that contains a subset of the data for the whole Research department; synchronization occurs automatically with the head office.
• Make sure that updates to computers are not obtained directly from the Internet, but instead from a local server.
Branch Office Server Deployment Recommendations
Document Reference Number: CW040410/1
Document Author: Charlotte Weiss
Date: April 4
Requirements Overview
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
Additional Information
None.
Proposals
1. How will you address the requirement that all computers can obtain an IPv4 configuration automatically even if the link to the head office is down?
2. How will you address the requirement that users must be able to access shared files?
3. How will you address the requirement that users must be able to use shared printers?
4. What kind of server best supports the needs of the database application?
5. What roles support this kind of server?
6. How will you address the requirement that the computers must obtain updates from a local update server?
7. Which roles are required at the branch servers?
The main tasks for this exercise are as follows:
1. Read the supporting documentation
2. Complete the Branch Office Server Deployment Recommendations document
Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. Review the server requirements of the branch offices.
Task 2: Complete the Branch Office Server Deployment Recommendations document
1. Complete the Deployment Proposals section of the Branch Office Server Deployment Recommendations document.
2. Answer proposal questions 1 through 7 above.
Results: After this exercise, you should have completed the Branch Office Server Deployment Recommendations document.
Exercise 2: Deploying and Configuring the Determined Server Roles
Scenario
You have studied the supporting documentation, and Ed has asked you to deploy a subset of the required roles on a test server in the lab environment. Assuming all goes well in the test lab, you will deploy these roles to production servers at the branch offices. You have decided to manage the servers remotely by using the Remote Server Administration Tools (RSAT) for Windows 8, so that multiple servers can be managed from a single management console, and you will also investigate automating some of the installations.
The main tasks for this exercise are as follows:
1. Deploy infrastructure-related roles
2. Deploy the remaining roles on a single server
3. Obtain the configuration settings XML for the infrastructure role installation
4. Configure event settings in Server Manager for DNS Server
5. Run the Best Practices Analyzer for the DHCP role
6. Revert the lab virtual machines
Task 1: Deploy infrastructure-related roles
1. Install the RSAT for Windows 8 from \\LON-DC1\E$\Mod06\Labfiles on to the Windows 8 client computer.
2. Install the DHCP and DNS roles on a single server.
Task 2: Deploy the remaining roles on a single server
1. Ensure you are signed in to 10967A-LON-CL1.
2. Use the Add Roles and Features Wizard to install the following roles:
o Application Server
o File and Storage Services
o Print and Document Services
o Windows Server Update Services
Task 3: Obtain the configuration settings XML for the infrastructure role installation
1. On the Installation progress page of the Add Roles and Features Wizard, export the configuration settings and save them to the Documents folder.
2. Review the configuration settings file.
Task 4: Configure event settings in Server Manager for DNS Server
1. On 10967A-LON-CL1, open Server Manager.
2. Configure the event data to show the following events that have occurred within the past three days:
• Critical
• Error
• Warning
• Informational
Task 5: Run the Best Practices Analyzer for the DHCP role
1. On 10967A-LON-CL1, open Server Manager.
2. In the DHCP node, go to the Best Practices Analyzer section and start a BPA scan.
3. Review the resulting messages and determine what remains to be configured on the DHCP server.
Task 6: Revert the lab virtual machines
When you have completed the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR3 and 10967A-LON-DC1.
Results: After this exercise, you should have deployed all required roles and features.
Question: When installing the File Services role during the lab, which role services might prove especially useful for a branch office?
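The scenario says you will investigate automating the installations. The following script is an added example, not part of the course lab, that performs Tasks 1 to 5 from the Windows 8 management station with the ServerManager and BestPractices modules (installed with RSAT). It assumes the test server is LON-SVR3, that the wizard exported its configuration to Documents\DeploymentConfigTemplate.xml (the wizard's default name), and that the second branch server name and the DHCP DNS name are illustrative.

```powershell
# Added example (not part of the course lab): Exercise 2, Tasks 1 to 5, scripted
# from the Windows 8 client after RSAT is installed (Task 1, step 1).
# Assumptions: test server LON-SVR3; exported file Documents\DeploymentConfigTemplate.xml;
# LON-SVR4 and the DHCP DNS name are placeholders, not lab machines.
Import-Module ServerManager, BestPractices

$target     = 'LON-SVR3'
$nextServer = 'LON-SVR4'   # hypothetical next branch server

# Task 1, step 2: the infrastructure roles on one server, with their management tools.
Install-WindowsFeature -Name DHCP, DNS -IncludeManagementTools -ComputerName $target

# Task 2: the remaining roles on the same server.
Install-WindowsFeature -Name Application-Server, FS-FileServer, Print-Services, UpdateServices `
    -IncludeManagementTools -ComputerName $target

# Task 3: the file the wizard exports is a ServerManager answer file. Review it,
# then replay it unattended against the next server (-WhatIf shows the plan only).
$config = "$env:USERPROFILE\Documents\DeploymentConfigTemplate.xml"
Get-Content -Path $config
Install-WindowsFeature -ConfigurationFilePath $config -ComputerName $nextServer -WhatIf

# Task 4: DNS Server events of all four severities from the past three days.
# Level 1 = Critical, 2 = Error, 3 = Warning, 4 = Informational.
Get-WinEvent -ComputerName $target -FilterHashtable @{
    LogName   = 'DNS Server'
    Level     = 1, 2, 3, 4
    StartTime = (Get-Date).AddDays(-3)
} | Select-Object TimeCreated, LevelDisplayName, Id, Message | Format-Table -Wrap

# Task 5: run the DHCP Best Practices Analyzer on the target and keep only the
# results that need action. A fresh DHCP install typically reports that the server
# is not authorized in AD DS and that no scopes exist.
Invoke-Command -ComputerName $target -ScriptBlock {
    Import-Module BestPractices
    Invoke-BpaModel -ModelId 'Microsoft/Windows/DHCPServer' | Out-Null
    Get-BpaResult -ModelId 'Microsoft/Windows/DHCPServer' |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object Severity, Title, Problem, Resolution
}

# The fix the BPA usually asks for first: authorize the server. An unauthorized
# DHCP server in an AD DS domain does not lease addresses, which is the control
# that stops a rogue DHCP server on a domain-joined machine.
# Add-DhcpServerInDC -DnsName "$target.adatum.com"
```

Run the script as a domain administrator; Install-WindowsFeature with -ComputerName uses the Server Manager remoting that RSAT configures, so no separate PowerShell remoting session is needed for Tasks 1 to 3, while the BPA step uses Invoke-Command because the BPA cmdlets run on the server being scanned.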
Module Review and Takeaways
Best Practice: Supplement or modify the following best practices for your own work situations:
• Combine multiple roles on a single server when you deploy servers in smaller organizations; scale out these roles across several servers in larger organizations so that you can optimize performance.
Review Question
Question: How is a server role different from a server feature?
Tools
Tool | Use for | Where to find it
Server Manager | Managing server configuration, including adding roles and features. | Start Menu
Windows PowerShell | Managing Server Manager tasks from the command line; most server roles have cmdlets available to support them. | Windows PowerShell console
Module 7
Implementing Active Directory
Contents:
Module Overview 7-1
Lesson 1: Introducing Active Directory Domain Services 7-2
Lesson 2: Implementing AD DS 7-10
Lesson 3: Managing Users, Groups, and Computers 7-18
Lesson 4: Implementing Group Policy 7-24
Lab: Implementing Active Directory Domain Services 7-30
Module Review and Takeaways 7-35
Module Overview
The Windows Server® operating system Active Directory® Domain Services (AD DS) is a Windows®–based directory service. As a directory service, AD DS stores information about objects on a network and makes this information available to users and network administrators.
Objectives
After completing this module you will be able to:
• Describe the fundamental features of AD DS.
• Implement AD DS.
• Implement organizational units (OUs) for managing groups and objects.
• Configure client computers centrally with Group Policy objects (GPOs).
Lesson 1
Introducing Active Directory Domain Services
AD DS enables network users to access resources anywhere on the network by using a single logon process. It also gives network administrators an intuitive, hierarchical view of the network and a single point of administration for all network objects. By understanding the fundamental building blocks of AD DS, you can make more informed decisions about how to implement and configure AD DS.
More information about Active Directory Domain Services can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309114
Lesson Objectives
After completing this lesson you will be able to:
• Describe an Active Directory forest.
• Describe an Active Directory domain.
• Describe Active Directory trees.
• Describe Active Directory trust relationships.
• Describe the Active Directory schema.
• Describe and implement OUs.
The AD DS Forest
In AD DS, a forest is the highest level in the logical structure hierarchy. An Active Directory forest represents a single, self-contained directory, and within each forest there exists one or more domains. The forest is the security boundary; a domain is only an administrative boundary. This means that administrators in a forest have complete control over all access to information that is stored inside the forest and to the domain controllers (DCs) that are used to implement the forest. Conversely, anything that must be isolated from a forest's administrators has to live in a separate forest, because a domain in the same forest cannot provide that isolation.
Typically, an organization has a single forest. There are reasons for multiple forests, such as the following: an organization requires complete data or service isolation, requires separate test or development networks, is deploying domain controllers in perimeter networks, or is undergoing mergers and acquisitions. If an organization requires separate administrative areas for different parts of the organization, you should create multiple domains to represent those administrative areas. By default, if you implement multiple forests within your organization, the forests operate separately from one another, as if each were the only directory service in your organization.
Note: You can integrate multiple forests by creating security relationships between them known as external or forest trust relationships. You can also use technologies such as Microsoft® Forefront® Identity Manager to synchronize accounts (as in a resource forest model) or Active Directory Federation Services (AD FS) to enable accounts from other forests to authenticate to resources in a non-trusted forest.
Forest Wide Operations
AD DS is a multi-master directory service. This means that most changes to the directory can be made at any writable instance of the directory, that is, at any writable domain controller. However, some changes are single-master. This means that they can only be made on one specific domain controller in the forest or domain, depending on the particular change. Domain controllers at which you can make these single-master changes are said to hold operations master roles. There are five operations master roles. Two of the roles are forest-wide and assigned for the forest. The remaining three roles are domain-wide and are assigned for each domain. The two operations master roles assigned for the forest are as follows:
• Domain naming master. The domain naming master makes sure that domain names are unique throughout the forest. It is the only domain controller that can add a domain to the forest or remove one from it, and it is also consulted when application directory partitions are added or removed.
• Schema master. The schema master holds the only writable copy of the forest schema; every change to the schema is made on it and replicated from it to the other domain controllers.
Because these are critical forest-wide roles, each forest has exactly one schema master and one domain naming master.
What Is a Domain?
A domain is an administrative boundary. Every domain has an Administrator user account with full administrative capabilities over all objects within the domain, frequently known as the domain administrator. Although the administrator can delegate administration of objects within the domain, the account retains full administrative control of all objects within the domain. In AD DS, the forest root domain also holds the Enterprise Admins and Schema Admins groups, and its Administrator account is a member of them by default, so it has full administrative control over every object in the forest. The separation also fails in the other direction: an administrator of any domain in the forest controls that domain's domain controllers, and from a domain controller can affect the whole forest. This is why a domain is an administrative boundary and not a security boundary.
A domain is also a replication boundary. The AD DS database is divided into partitions, also called naming contexts. The schema partition and the configuration partition exist once per forest and are replicated to every domain controller in the forest. The domain partition exists once per domain and is replicated only to the domain controllers of that domain. (Application partitions, such as the DNS zone partitions, are replicated to whichever domain controllers are configured to hold them.) Generally, it is only the domain partition that changes frequently.
The domain partition contains the objects that are likely to be updated frequently: users, computers, groups, and OUs. Therefore, AD DS replication consists primarily of updates to objects in the domain partition. Only domain controllers in the same domain receive domain partition updates from one another. Partitioning the data lets an organization replicate data only to where it is needed, so the directory can scale globally over a network that has limited available bandwidth.
A domain is also an authentication boundary. Each user account in a domain is authenticated by domain controllers from that domain. Domains in a forest trust one another, and it is these trusts that enable a user from one domain to access resources held in another domain.
Domain Wide Operations
There are three operations master roles per domain. By default, these roles are assigned to the first domain controller in each domain, and they are as follows:
• Relative identifier (RID) master. When a security principal (a user, group, or computer) is created in AD DS, the domain controller that creates it assigns a security identifier (SID). The SID is the domain's SID followed by a relative identifier (RID) that must be unique within the domain. To make sure that no two domain controllers issue the same RID, the RID master allocates a pool of RIDs to each domain controller in the domain; a domain controller that has exhausted its pool cannot create new security principals until it obtains another one.
• Primary domain controller (PDC) emulator. This is the role whose failure is noticed most quickly, because it is responsible for several domain-wide functions:
o Receiving password changes and account lockouts from the other domain controllers with urgent replication, and being consulted by a domain controller when a logon fails with a bad password, so that a recently changed password is accepted everywhere.
o Acting as the default domain controller on which the Group Policy tools create and edit GPOs, so that two administrators do not edit different copies of the same GPO.
o Acting as the time source for the domain; the PDC emulator of the forest root domain is the time source for the forest.
o Maintaining a domain-based Distributed File System (DFS) namespace.
• Infrastructure master. This role is responsible for maintaining inter-domain object references. For example, when a group in one domain contains a member from another domain, the infrastructure master keeps that reference up to date. In a forest with more than one domain, do not place the infrastructure master on a global catalog server unless every domain controller in the domain is a global catalog; otherwise it never sees stale references and stops updating them.
These three roles must be unique in each domain. Therefore, each domain has exactly one RID master, one PDC emulator, and one infrastructure master.
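The following script is an added example, not part of the course, that shows the forest-wide and domain-wide operations master placement described above together with the partitions a domain controller holds, and applies the two checks a practitioner makes before trusting that placement. It assumes the ActiveDirectory module from RSAT and a user who can read the directory; LON-DC1 in the final comment is the lab's domain controller name.

```powershell
# Added example (not from the course): operations master inventory and checks.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles: exactly one of each per forest.
$forest | Select-Object Name, SchemaMaster, DomainNamingMaster

# Domain-wide roles: exactly one of each per domain.
$domain | Select-Object DNSRoot, RIDMaster, PDCEmulator, InfrastructureMaster

# Partitions (naming contexts) held by the DC we are talking to: the schema and
# configuration partitions (one per forest), the domain partition, and any
# application partitions such as DomainDnsZones and ForestDnsZones.
(Get-ADRootDSE).namingContexts

# Check 1: is every role holder reachable? The PDC emulator is the one whose
# outage users notice first (password changes, lockouts, time).
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster) |
           Select-Object -Unique
foreach ($dc in $holders) {
    $reachable = Test-Connection -ComputerName $dc -Count 1 -Quiet
    '{0,-40} reachable: {1}' -f $dc, $reachable
}

# Check 2: in a multi-domain forest the infrastructure master must not be a
# global catalog unless every DC in the domain is one; otherwise it stops
# updating cross-domain group membership references.
$dcs = Get-ADDomainController -Filter *
$gcs = $dcs | Where-Object { $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName
if ($forest.Domains.Count -gt 1 -and
    $gcs -contains $domain.InfrastructureMaster -and
    $gcs.Count -ne $dcs.Count) {
    Write-Warning "Infrastructure master $($domain.InfrastructureMaster) is a GC but not every DC is."
}

# Planned transfer of a role; the current holder must be online. Add -Force only to
# seize a role from a DC that will never return, and never bring that DC back online
# afterwards, or two DCs will believe they hold the same single-master role.
# Move-ADDirectoryServerOperationMasterRole -Identity LON-DC1 -OperationMasterRole PDCEmulator
```

Because the role holders are named by fully qualified host name in both Get-ADForest and Get-ADDomain, the comparison against Get-ADDomainController's HostName property works without any name normalization.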
AD DS Trees
If your AD DS consists of more than one domain, you must define the relationship between the domains. If the domains share a common root and a contiguous namespace, then they are logically part of the same Active Directory tree. A tree serves no administrative purpose. In other words, there is no tree administrator as there is a forest or domain administrator. A tree provides a logical, hierarchical grouping of domains that have parent/child relationships that are defined through their names. Your Active Directory tree maps to your Domain Name System (DNS) namespace.
Active Directory trees are created by the relationship between the domains within the forest. There is no specific reason you should, or indeed should not, create multiple trees within your forest. However, be aware that a single tree, with its contiguous namespace, is easier to manage and easier for users to visualize.
Consider using multiple trees in a single forest if you have multiple namespaces to support. For example, if within your organization there are several distinct operating divisions that have different public identities, you could create a different tree for each operating division. Be aware that in this scenario there is still no separation of administration, because the forest root administrator has complete control over all objects in the forest, in whichever tree they reside.
Trust Relationships
A trust relationship enables one security entity to trust another security entity for the purposes of authentication. In the Windows Server operating system, the security entity can be thought of as the Windows domain. The main purpose of a trust relationship is to give a user in one domain access to a resource in another domain without the user needing an account in both domains.
In any trust relationship, there are two parties involved: the trusting entity and the trusted entity. The trusting entity is the resource-holding entity, whereas the trusted entity is the account-holding entity. For example, if you lend someone your laptop, you trust them. You are the resource-holding entity. They are the account-holding entity.
Note: A trust between domains does not by itself give anyone from the trusted domain access to resources in the trusting domain. The trust only lets the trusting domain accept the trusted domain's authentication; access still depends on the permissions and user rights that administrators grant. Be aware, however, that permissions granted to broad groups such as Authenticated Users or Everyone in the trusting domain also apply to authenticated users from the trusted domain, unless the trust is configured for selective authentication (available on external and forest trusts).
Types of Trusts
Trusts can be one-way or two-way. A one-way trust means that, although one entity trusts the other, the reverse is not true. For example, just because you lend Steve your laptop does not mean that Steve will lend you his car. In a two-way trust, both entities trust one another.
Trusts can be transitive or nontransitive. In a transitive trust, if A trusts B and B trusts C, then A also implicitly trusts C. For example, if you lend Steve your laptop, and Steve lends his car to Mary, then you might lend your mobile phone to Mary.
Windows Server supports several different trusts for use in different situations. In a single forest, all domains trust one another with internal, two-way transitive trusts. Basically, this means that all domains trust all other domains. These trusts extend across trees within the forest. Other than these automatically created trusts, you can configure additional trusts between domains within your forest, between your forest and other forests, and between your forest and other security entities, such as Kerberos realms or an Active Directory domain in another forest. The following table provides more information.
Trust type | Transitivity | Direction | Description
External | Nontransitive | One-way or two-way | Use external trusts to provide access to resources in a domain that is in a separate forest that is not joined by a forest trust.
Realm | Transitive or nontransitive | One-way or two-way | Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.
Forest | Transitive | One-way or two-way | Use forest trusts to share resources between forests. If a forest trust is two-way, authentication requests made in either forest can reach the other forest.
Shortcut | Transitive | One-way or two-way | Use shortcut trusts to improve user logon times between two domains in an Active Directory forest. This is useful when the two domains are far apart in the hierarchy, for example in two different trees, so that the default trust path through the forest root is long.
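As an added example that is not part of the course, the script below lists every trust of the current domain with the attributes from the table above, and flags the two settings on trusts that leave the forest which decide how much the trusting side exposes: selective authentication (the Authenticated Users point from the note above) and SID filtering. It assumes the ActiveDirectory module from RSAT and a user who can read the domain; the domain names in the final comment are illustrative.

```powershell
# Added example (not from the course): audit the trusts of the current domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# The warnings are this example's interpretation, not output of the cmdlets.
Import-Module ActiveDirectory

$trusts = Get-ADTrust -Filter *

# Direction is seen from this domain: Outbound = this domain trusts the other
# (we hold the resources), Inbound = the other domain trusts us (we hold the
# accounts), BiDirectional = both. TrustType MIT is a Kerberos realm trust.
$trusts |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined, UsesAESKeys |
    Format-Table -AutoSize

foreach ($t in $trusts) {
    # Trusts inside the forest are created automatically, two-way and transitive;
    # only trusts that leave the forest need a review.
    if ($t.IntraForest) { continue }

    $weTrustThem = $t.Direction -in @('Outbound', 'BiDirectional')

    # Without selective authentication, every account on the trusted side is an
    # Authenticated User on this side, so anything granted to Authenticated Users
    # (default share and NTFS permissions included) is granted to them.
    if ($weTrustThem -and -not $t.SelectiveAuthentication) {
        $msg = '{0}: domain- or forest-wide authentication; accounts from the trusted side are Authenticated Users here.' -f $t.Name
        Write-Warning $msg
    }

    # SID filtering (quarantine) drops SIDs in a token that do not belong to the
    # trusted domain, so the other side cannot present, for example, a Domain
    # Admins SID of this domain through sIDHistory. It is on by default for
    # external trusts; treat it being off as a finding.
    if ($weTrustThem -and -not $t.ForestTransitive -and $t.TrustType -ne 'MIT' -and -not $t.SIDFilteringQuarantined) {
        $msg = '{0}: SID filtering is disabled on an external trust.' -f $t.Name
        Write-Warning $msg
    }
}

# The same trust can be validated end to end from the command line (names illustrative):
# netdom trust adatum.com /domain:contoso.com /verify
```

Run it from a member of the domain being audited; Get-ADTrust reads the trustedDomain objects in the System container, so every authenticated user can list the trusts, but the values only describe this domain's view of each trust, and the partner domain should be queried separately for the other direction.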
The AD DS Schema
The AD DS schema is the definition of all objects and attributes that AD DS uses to store data. AD DS stores and retrieves information for many different applications and services. So that it can store and replicate data from these various sources, AD DS standardizes how data is stored in the directory. By standardizing how data is stored, AD DS can retrieve, update, and replicate data while making sure that the integrity of the data is maintained. AD DS uses objects as units of storage. All objects are defined in the schema. Every time the directory handles data, it queries the schema for the appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data. The schema defines the following:
• Objects (also known as classes), each of which is a collection of attributes
• The required and optional attributes for each object
Imagine you are creating a database (or Microsoft Excel® spreadsheet) of cars. You create a cars table, which corresponds to an object definition, or class, in AD DS. Then you define that every car has a license or registration plate, that this is a string of no more than 12 characters, and that a car can only be entered if the license or registration plate is present. Additionally, you define that the car has a specific number of doors, a specific number of wheels, and a maximum speed. All these attributes are numbers. Next you define a six-digit color code and a manufacture date. The definition of this table corresponds to the class in the schema, the definition of the attributes, and the attachment of the attributes to the class. You haven't added any cars yet. However, you have the definition of a car. When you enter a car, you are restricted to that definition and you cannot enter other data, such as the engine size, if it is not defined in the schema.
Object definitions control the types of data that the objects can store and the syntax of the data. Using this information, the schema makes sure that all objects comply with their standard definitions. Therefore, AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the original source of the data. Only data that has an existing object definition in the schema can be stored in the directory. If a new kind of data has to be stored, a new object definition for the data must first be created in the schema.
The schema is a single-master element of AD DS. This means that you must change the schema at the domain controller that holds the schema operations master role, and you must be a member of the Schema Admins group to do so.
The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest, so all domain controllers in the forest share the same schema and therefore the same definition of objects and attributes. When a change in the schema occurs, DCs update the schema before they replicate objects and attributes. This makes sure that they have the definition before they obtain the data. Because the schema dictates how information is stored, and because any changes that are made to the schema affect every domain controller, changes to the schema should only be made when necessary and should follow a tightly controlled process. Schema changes are also effectively permanent: a class or attribute can be deactivated (made defunct) but never deleted. Although you might not make any change to the schema directly, some applications change the schema to support additional features. For example, when you install Microsoft Exchange Server into your AD DS forest, the installation program extends the schema to support new object types and attributes.
Note: You can view the schema on a domain controller by running regsvr32 schmmgmt.dll in an administrative Command Prompt and then adding the Active Directory Schema snap-in to the Microsoft Management Console (MMC). You can then scroll through and view the classes and attributes.
More information about the Active Directory schema can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309115
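The following script is an added example, not from the course, that reads the same class and attribute definitions the snap-in shows, but through the ActiveDirectory module, and then checks the two controls the text asks for around schema change: who is in Schema Admins, and whether a change has reached the domain controller you are talking to. It assumes RSAT and a user who can read the directory (every authenticated user can read the schema partition).

```powershell
# Added example (not from the course): read the schema and check schema-change controls.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# The single schema master for the forest: every schema change is made here.
(Get-ADForest).SchemaMaster

# Class definition (the "cars table" of the analogy) for user: required and
# optional attributes. mustContain/mayContain are the administrator-defined parts,
# the system* variants are Microsoft's own, and more attributes are inherited from
# the parent classes named in subClassOf.
Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'user' } `
    -Properties subClassOf, mustContain, systemMustContain, mayContain, systemMayContain |
    Select-Object Name, subClassOf, systemMustContain, mayContain

# Attribute definition (a "column"): its syntax OID, whether it is single-valued,
# and whether it is copied to the global catalog. unicodePwd never is.
Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'unicodePwd' } `
    -Properties attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet |
    Select-Object Name, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet

# Control check: Schema Admins should be empty outside a planned extension
# (for example, the hours around an Exchange setup run). A standing member can
# change the definition of every object on every DC in the forest, permanently.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning ('Schema Admins has {0} member(s): {1}' -f $schemaAdmins.Count,
                   ($schemaAdmins.SamAccountName -join ', '))
}

# The schema container carries a version number that rises with each Windows
# Server forest schema upgrade; compare it between DCs (for example with
# -Server) to confirm that an upgrade has replicated before you depend on it.
(Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
```

The two Get-ADObject queries use lDAPDisplayName rather than the object's common name because that is the name applications use on the wire, and it is the one you will see in LDAP filters and in the attribute lists the class definition returns.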
Organizational Units
An OU is a container object in a domain that you can use to consolidate users, groups, computers, and other objects. You can use OUs to organize hundreds of thousands of directory objects into manageable units. OUs are useful in grouping and organizing objects for administrative purposes, such as delegating administrative rights and assigning policies to a collection of objects as a single unit. There are two reasons to create OUs:
• Delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to a user or group within AD DS other than the administrator.
• Configure objects that are contained within the OU. You can link GPOs to the OU, and the settings apply to all objects within the OU.
Note: An OU is very important for delegation. For GPOs, however, you have more options: you can use security filtering, Windows Management Instrumentation (WMI) filters, sites, domains, and OUs. An OU is not the smallest scope at which a GPO can be applied. If you want GPOs applied to a small subset of objects, you usually use security filtering and link the GPO as high as appropriate.
OUs should match the administrative model in your organization. This is very important because OUs are the only way to implement a delegation model for administrative tasks. You should avoid creating OUs based on departments, cost centers, or other business-related units that are likely to change. OUs are a technical view for administrators, and users do not see the OU structure. Therefore, although unnecessary OU moves should be avoided, administrative tasks can still be fulfilled if moves are made. For example, if you have a central administrator who creates users, some server administrators who install servers, project managers who grant rights to their project resources, some site administrators who maintain some resource groups, and a telephone administrator who manages the Voice over Internet Protocol (VoIP) infrastructure, then these are functional structures that have to be considered when you design your OU structure.
Every AD DS domain contains a standard set of containers and OUs that are created when you install AD DS. These include the following:
• Domain container. Serves as the root container of the hierarchy.
• Builtin container. Holds the built-in domain local groups, such as Administrators, Account Operators, and Server Operators.
• Users container. The default location for new user accounts and groups that are created in the domain.
• Computers container. The default location for new computer accounts that are created in the domain.
• Domain Controllers OU. The default location for the computer accounts of domain controllers; the Default Domain Controllers Policy GPO is linked here.
Note: Builtin, Users, and Computers are containers, not OUs, so you cannot link a GPO to them or delegate them in the same way; objects left in them receive only site- and domain-linked GPOs. You can redirect the default locations for new users and computers to OUs of your own with the redirusr and redircmp command-line tools.
Implementing Organizational Units
AD DS OUs are used to create a hierarchical structure in a domain. An organizational hierarchy should logically represent an organizational structure. That organization could be based on geographic, functional, resource-based, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as flexibly and effectively as possible. For example, if all the computers that are used by information technology (IT) administrators must be configured in a certain way, you can group all the computers in an OU and assign a policy to manage the computers in the OU.
OU Hierarchical Models
Organizations can deploy OU hierarchies by using several different models, such as the following:
• Geographic OUs. If the organization has multiple locations and network management is distributed geographically, you should use a location-based hierarchy. For example, you might decide to create OUs for New York, Toronto, and Miami in a single domain.
• Departmental OUs. A departmental OU is based only on the organization's business functions, without regard to geographical location or divisional barriers. You should avoid creating OUs based on departments, cost centers, or other business-related units that are likely to change or to have users switching departments. However, this approach could work for small organizations that have a single location.
• Resource OUs. Resource OUs are used to manage resource objects (non-user objects such as client computers, servers, or printers). This design is most useful when all resources of a given type are managed in the same manner. Resource-based OUs can simplify software installations or printer selections based on Group Policy.
• Management-based OUs. Management-based OUs reflect the various administrative divisions within the organization by mirroring its structure in the OU structure. For example, users and groups can be organized into nested departmental OUs. These OUs can then be delegated to the managers of those departments.
The main factor for designing OUs must be ease of management. If the OUs are too large and the management structure does not meet the requirements, consider creating OUs that combine the models. For example, add geographical (site or country/region administrators), departmental (departmental administrators), or resource (virtual machine, server, or desktop administrators, project managers, or Microsoft SharePoint® site owners) information.
The final OU design should represent how the business will be administered. Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you should consider when you design Group Policy and select the scenarios to use for your organization.
Question: Describe a scenario in which you would use a domain to organize a network. Describe a scenario in which you would use an OU to organize a network.
Demonstration: How to Manage Organizational Units
In this demonstration, you will see how to access Active Directory Administrative Center, locate OUs and users, and move a user to a different OU.
Demonstration Steps
1. Access the Active Directory Administrative Center.
2. Move Claus Hansen from the Domain Users group to the Sales OU.
Lesson 2
Implementing AD DS
To implement AD DS, you must deploy domain controllers. Understanding where and how to create domain controllers to optimize the network infrastructure is important to make sure that you optimize AD DS.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the role of a domain controller.
• Describe when to use read-only domain controllers (RODCs).
• Explain AD DS sites and replication.
• Configure DNS to support AD DS functions.
What Is a Domain Controller?
AD DS is provided by one or (preferably) multiple domain controllers per domain. When you promote a domain controller, you can add it to an existing domain, create a new domain in an existing forest, or create a new forest. Domain controllers provide the following functions on the network:
• Provide authentication and authorization. Domain controllers store the domain accounts database, and provide authentication and authorization services.
• Host operations master roles (optional). These roles were formerly known as flexible single master operations (FSMO) roles. There are five operations master roles: two forest-wide roles and three domain roles. You can transfer these roles to other domain controllers as you need.
• Host the Global Catalog (optional). You can designate any domain controller as a Global Catalog server.
Note: The Global Catalog server is a domain controller that holds, in addition to the domain information, some partial information about every object in every other domain in the forest. It is optimized for cross-domain searches.
• Support group policies and the System Volume (SYSVOL). By using Group Policies, you can specify configuration for collections of users, groups, or computers by linking GPOs that contain configuration instructions to OUs. Group Policies consist of Group Policy containers, stored in AD DS, and Group Policy templates, stored in the SYSVOL folder in the file system of all domain controllers.
• Provide for consistent data throughout the organization. AD DS is a distributed directory service. Objects such as users, computers, OUs, and services are distributed across all domain controllers in the domain (a partial set is distributed across all DCs that are GCs in the forest), and can be updated on any domain controller in the domain. Objects in the domain partition can only be updated in the domain. When an application tries to change them in another domain, it receives a write referral to a DC of the domain where the object resides.
Note: Domain controllers in a forest share a common schema, a common Global Catalog, and a common forest root domain.
Installing a DC in Windows Server 2012 is effectively a two-step process that can be broken down as follows:
1. Install AD DS in the Add Roles And Features Wizard in Server Manager.
2. Run the Active Directory Domain Services Configuration Wizard in Server Manager to promote the server to a domain controller.
You can install multiple DCs remotely with the remote multi-server management capabilities present in Server Manager in Windows Server 2012. You can also use the Install-ADDSDomainController Windows PowerShell® cmdlet to automate the installation. This cmdlet can be used remotely and across multiple computers.
Finally, before Windows Server 2012, a command-line tool named Active Directory Installation Wizard (Dcpromo.exe) could be used to install DCs. This tool was deprecated in Windows Server 2012. However, it can still be used to automate the installation when there are many parameters or an input file is preferred.
What Is a Read-Only Domain Controller?
A read-only domain controller (RODC) contains a read-only copy of the Active Directory domain. With an RODC, organizations can deploy a domain controller in locations where physical security cannot be guaranteed, such as a remote office or perimeter network, and where IT support services can often be less advanced than in the main corporate centers. The RODC can also function as a Global Catalog server.
An organization can deploy an RODC to address scenarios with limited wide area network (WAN) bandwidth and poor physical security for computers. If WAN bandwidth is not limited, there is no need for a local DC. If good physical security exists, there is no need for an RODC. So both conditions should be met to consider an RODC as an alternative solution. As a result, users in this situation can benefit from:
• Improved security.
• Faster logon times.
• More efficient access to resources on the network.
Be aware that applications that must run on a DC typically will not be compatible with RODCs.

RODC Feature: Explanation

Read-only Active Directory database: Except for certain “secrets,” an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the replica that is stored on the RODC. Changes must be made on a writable domain controller and replicated back to the RODC. The RODC does not store multiple passwords or Microsoft BitLocker® information.

Unidirectional replication: Even if an RODC is hacked and its data is compromised, the changes would not replicate out and would affect only the island around the RODC.

Credential caching: Credential caching is the storage of user or computer credentials. By default, RODCs do not store or cache user or computer passwords. The exceptions to this are the RODC's own computer account password and the krbtgt account of the RODC. There are also 10 default user profiles that are cached on an RODC. Therefore, it is considered best practice not to log on to an RODC locally by using accounts that have higher rights. You do not allow credential caching on an RODC in general, but you allow password replication to a defined subset of accounts.

Administrative role separation: You can delegate the local administrator role of an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This enables a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, this does not give the branch user the ability to log on to any other domain controller or perform any other administrative task in the domain.

Read-only Domain Name System: You can install the DNS Server service on an RODC. An RODC can replicate all application directory partitions that DNS uses. If the DNS server is installed on an RODC, clients can query it for name resolution as they would query any other DNS server. An RODC effectively behaves like a DNS server hosting a secondary zone: it will not accept changes but instead will redirect update requests to full domain controllers hosting the DNS zones.

Delegated Two-Stage Promotion of an RODC: Where no domain controllers exist in a remote office, you can delegate the RODC promotion to any domain user. The first stage requires Domain Admin privileges to create the relevant information in AD DS, and the second stage is performed by the domain user who does not have those privileges but can be delegated the permissions for this scenario. This means a Domain Admin does not have to log on to the remote office to complete the installation. This reduces risk.
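The "defined subset of accounts" in the credential caching row is the RODC's Password Replication Policy. The following added example (not part of the courseware) audits that policy and the accounts an RODC has actually cached, and flags any protected (adminCount = 1) account that was cached, which is the situation the best-practice advice above is meant to prevent. It assumes the ActiveDirectory module and a hypothetical RODC named LON-RODC1 in the course's adatum.com domain.

```powershell
# Added example, not from the courseware: audit which accounts an RODC may cache,
# which it has actually cached, and whether any of those are privileged.
# Assumptions: the ActiveDirectory module is available, and LON-RODC1 is a
# hypothetical RODC name in the course's adatum.com domain.
Import-Module ActiveDirectory

function Get-RodcCredentialExposure {
    param([Parameter(Mandatory)][string] $RodcName)

    # The Password Replication Policy is the "defined subset of accounts": only
    # members of the Allowed list that are not also on the Denied list may be cached.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied)

    # Accounts whose secrets are currently stored on this branch DC. Someone who
    # steals the server can recover only these, not the whole domain's secrets.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts)

    # Members of protected groups (Domain Admins, Account Operators, ...) carry
    # adminCount = 1 via AdminSDHolder. Such an account logging on to the RODC is
    # exactly what the course advises against; if one was cached, report it.
    $privileged = foreach ($acct in $revealed) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount, sAMAccountName
        if ($obj.adminCount -eq 1) { $obj.sAMAccountName }
    }

    [pscustomobject]@{
        Rodc               = $RodcName
        Allowed            = $allowed | Select-Object -ExpandProperty Name
        Denied             = $denied  | Select-Object -ExpandProperty Name
        RevealedCount      = $revealed.Count
        PrivilegedRevealed = @($privileged)
    }
}

function Block-RodcPrivilegedCaching {
    # Remediation: add every privileged account that was cached to the Denied
    # list so it cannot be cached again. The Denied entry does not invalidate
    # the copy already on the RODC; only a password reset does that, so the
    # warning tells the operator to reset it.
    param([Parameter(Mandatory)][string] $RodcName)

    $report = Get-RodcCredentialExposure -RodcName $RodcName
    foreach ($sam in $report.PrivilegedRevealed) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -DeniedList $sam
        Write-Warning "$sam was cached on $RodcName and is now denied; reset its password."
    }
    $report
}

Get-RodcCredentialExposure -RodcName 'LON-RODC1' | Format-List
```

Run it against each branch RODC on a schedule; a non-empty PrivilegedRevealed list means an administrator logged on at a site whose physical security the RODC design does not trust.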
Question: In your work environment, do you have scenarios where an RODC could be used?
AD DS Sites and Replication
Sites
In AD DS, sites are used to represent the physical network in a logical way so that domain controllers can optimize traffic, depending on the underlying network infrastructure. Sites usually align with the parts of the network that have good connectivity or bandwidth. For example, if a branch office is connected to the main data center by an unreliable wide area network (WAN) link, it would be better to define the data center and the branch office as separate sites in AD DS. The site configuration applies to all DCs across all domains in a forest. AD DS replication is automatically optimized for intra-site and inter-site replication. Sites can be configured and managed through the Active Directory Sites and Services management console. This console can be accessed in Server Manager under the Tools menu.
Note: Sites are used by domain controllers to build the replication infrastructure and to decide which DCs should serve which clients. Clients use sites to locate services, such as domain controllers and Global Catalog servers. Additional services, such as DFS, also rely on the site configuration.
Replication
AD DS replication is how changes to directory data are transferred between domain controllers in the forest. The AD DS replication model defines the mechanisms that enable directory updates to be transferred automatically between domain controllers to provide a seamless replication solution for the AD DS distributed directory service.
There are multiple partitions in AD DS. By default, there are additional DomainDnsZones per domain and ForestDnsZones per forest, and administrators are also able to build their own. It is the domain partition that contains the data that changes most frequently. This information makes up the bulk of AD DS replication data.
Active Directory Site Links
A site link is used to describe the WAN connections between sites so that domain controllers can decide the best replication strategy across site boundaries. Although you could use the default site link provided in AD DS, we recommend that in most scenarios you create additional site links as your needs dictate. You can configure settings on site links to determine the schedule and availability of the replication path. When two sites are connected by a site link, the replication system automatically creates connections between specific domain controllers in each site. These connections are called bridgehead servers.
Configuring DNS for AD DS
Installing DNS
AD DS requires DNS. By default, the DNS server role is not installed on Windows Server 2012. Like other functionality, it is added in a role-based manner when a server is configured to perform the role. You can install the DNS server role by using the Add Roles and Features link in Server Manager. The DNS server role can also be added automatically by the Active Directory Domain Services Configuration Wizard while you are creating forests, domains, or domain controllers, on the Domain Controller Options page.
Configuring DNS Zones
After you install a DNS server, you can start adding zones to the server. You can select to store the zone data in AD DS if the DNS server is a domain controller. This creates an Active Directory Integrated Zone. If you don’t select this option, the zone data is stored in a separate file, instead of in AD DS. The main benefits of configuring DNS zones as Active Directory Integrated Zones are as follows:
• Multi-Master DNS, where every DNS server can write updates to DNS records. Active Directory Integrated Zones can be written to by any DC to which the zone is replicated, unlike standard primary zones, which can only be changed by a single primary server. This removes a single point of failure in the DNS infrastructure. Using Active Directory Integrated Zones can also allow for more fine-grained security.
• Secure Dynamic Update. When you create a zone, you are also prompted to specify whether dynamic updates are supported. Dynamic updates reduce the management overhead of a zone, because clients can add, delete, and update their own resource records. Dynamic updates leave open the possibility that a resource record could be spoofed. For example, a computer could register a record named www, effectively redirecting traffic from your web server to the incorrect address.
To eliminate the possibility of spoofing, the Windows DNS Server service supports secure dynamic updates. A client must authenticate before updating its resource records, so the DNS server knows whether the client is the same computer that has the permission to change the resource record. Secure dynamic updates work in Active Directory integrated DNS only. Nonsecure dynamic updates are possible in file-based zones.
• Integrated Replication of DNS Information. An enterprise should try to make sure that a zone can be resolved by at least two DNS servers. If the zone is AD DS integrated, you can add the DNS server role to another domain controller in the same domain as the first DNS server, and DNS data will automatically replicate to the new DNS server.
If the zone is not AD DS integrated, you must add another DNS server and configure it to host a secondary zone. Remember that a secondary zone is a read-only copy of the primary zone.
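The following added example (not part of the courseware) puts the Secure Dynamic Update point into practice: it lists zones on a Windows DNS server that still accept nonsecure updates, tightens them, and shows how an AD-integrated zone records which principal registered a record such as www, which is what lets the server refuse a spoofed update. It assumes the DnsServer and ActiveDirectory modules on a Windows Server 2012 or later DNS server, and uses the course's adatum.com zone.

```powershell
# Added example, not from the courseware: find zones that accept nonsecure
# dynamic updates, tighten them, and show who owns a registered record.
# Assumptions: DnsServer module (DNS Server role, Windows Server 2012+) and the
# ActiveDirectory module, run on the DNS server; adatum.com is the course's zone.
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-WeakDynamicUpdateZone {
    # 'NonsecureAndSecure' is the weak setting: any host on the network can
    # add or overwrite records without authenticating. Reverse zones are
    # included on purpose; a forged PTR record is still a spoofed record.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

function Set-SecureDynamicUpdate {
    param([Parameter(Mandatory)][string[]] $ZoneName)
    foreach ($name in $ZoneName) {
        $zone = Get-DnsServerZone -Name $name
        if ($zone.IsDsIntegrated) {
            # AD-integrated: the client must authenticate (Kerberos) and may
            # only change records it owns.
            Set-DnsServerPrimaryZone -Name $name -DynamicUpdate Secure
        } else {
            # File-backed zones cannot do secure updates. Convert the zone to
            # AD-integrated first, or stop accepting updates altogether.
            Write-Warning "$name is file-based; disabling dynamic updates instead"
            Set-DnsServerPrimaryZone -Name $name -DynamicUpdate None
        }
    }
}

function Get-DnsRecordOwner {
    # In an AD-integrated zone each record is a dnsNode object, and its owner
    # is the principal that registered it. A different computer trying to
    # overwrite 'www' fails the ACL check because it does not own the node.
    param(
        [Parameter(Mandatory)][string] $ZoneName,
        [Parameter(Mandatory)][string] $RecordName
    )
    $zone     = Get-DnsServerZone -Name $ZoneName
    $domainDn = (Get-ADDomain).DistinguishedName
    $forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
    # The DN depends on which partition the zone replicates in.
    $partition = switch ($zone.ReplicationScope) {
        'Forest' { "DC=ForestDnsZones,$forestDn" }
        'Domain' { "DC=DomainDnsZones,$domainDn" }
        'Legacy' { "CN=System,$domainDn" }
        default  { throw "Custom partition $($zone.DirectoryPartitionName) is not handled here" }
    }
    $nodeDn = "DC=$RecordName,DC=$ZoneName,CN=MicrosoftDNS,$partition"
    $node   = Get-ADObject -Identity $nodeDn -Properties nTSecurityDescriptor, whenCreated
    [pscustomobject]@{
        Record  = "$RecordName.$ZoneName"
        Owner   = $node.nTSecurityDescriptor.Owner
        Created = $node.whenCreated
    }
}

Get-WeakDynamicUpdateZone
Get-DnsRecordOwner -ZoneName 'adatum.com' -RecordName 'www'
```

If the owner of www is a workstation account rather than the web server or an administrator, the record was registered by the wrong host, which is the spoofing case the text describes.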
In summary, the main benefits are that you don’t need large zone transfers, you can add security, you can enable multiple masters, and the mature replication engine keeps the zones across DNS servers in sync.
SRV Records
A Service (SRV) Locator resource record resolves a query for a network service. This enables clients or servers to locate a host that provides a specific service. SRV records are used in many scenarios, including the following:
• When a domain controller has to replicate changes from its partners
• When a client computer has to authenticate to AD DS
• When a user changes their password
• When an Exchange server performs a directory lookup
• When an administrator opens the Active Directory Users and Computers console or other administrative consoles, apart from the Active Directory Administrative Center console, which uses other protocols.
An SRV record uses the following syntax.
SRV record syntax and example:
protocol.service.name TTL class type priority weight port target
_ldap._tcp.adatum.com 600 IN SRV 0 100 389 lon-dc1.adatum.com
The components of the above record are:
• The protocol and service name, such as the Lightweight Directory Access Protocol (LDAP) service that is offered by a domain controller.
• The Time to Live (TTL) value, in seconds.
• The class (all records in a Windows DNS server will be IN (Internet)).
• The type, which is SRV.
• The priority and weight. These help a client determine which host should be preferred.
• The port on which the service is offered by the server. Port 389 is the standard port for LDAP on a Windows domain controller.
• The target, or host of the service, which in this case is the domain controller named lon-dc1.adatum.com.
When a client process is looking for a domain controller, it can query DNS for an LDAP service. The query returns both the SRV record and the A record for the server(s) that provide the requested service.
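The following added example (not part of the courseware) performs the lookup just described with Resolve-DnsName, orders the answers the way a client would (lowest priority first, then higher weight), and flags SRV targets that come back without an A record, which usually means a decommissioned DC whose record was never cleaned up. It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later) and the course's adatum.com domain.

```powershell
# Added example, not from the courseware: query DC locator SRV records as a
# client does, order them by priority and weight, and flag stale targets.
# Assumptions: DnsClient module (Windows 8 / Windows Server 2012 or later);
# adatum.com is the course's sample domain.
function Get-DcLocatorRecord {
    param(
        [Parameter(Mandatory)][string] $DomainName,
        [string] $SiteName,                      # when given, ask for the site-specific set
        [ValidateSet('ldap','kerberos','gc')][string] $Service = 'ldap'
    )
    # Site-specific names live under _sites.<site>; GC records live under
    # _msdcs of the forest root (assumed equal to $DomainName here).
    # Plain _ldap._tcp.<domain> is the domain-wide record set clients fall back to.
    $name = switch ($Service) {
        'gc'    { "_ldap._tcp.gc._msdcs.$DomainName" }
        default {
            if ($SiteName) { "_$Service._tcp.$SiteName._sites.$DomainName" }
            else           { "_$Service._tcp.$DomainName" }
        }
    }

    # The answer carries the SRV records plus the A records the server adds
    # for each target, exactly as the text describes.
    $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
    $srv = $answers | Where-Object Type -eq 'SRV'
    $a   = $answers | Where-Object Type -eq 'A'

    # Client rule: lowest Priority wins; equal priorities are spread by Weight.
    $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } | ForEach-Object {
        $target = $_.NameTarget
        $addr   = ($a | Where-Object Name -eq $target).IPAddress
        [pscustomobject]@{
            Query    = $name
            Priority = $_.Priority
            Weight   = $_.Weight
            Port     = $_.Port      # 389 for LDAP, 88 for Kerberos, 3268 for GC
            Target   = $target
            Address  = $addr
            TTL      = $_.TTL
            # No A record for the target: clients will waste time on a host
            # that no longer exists, and the record should be removed.
            Stale    = [string]::IsNullOrEmpty($addr)
        }
    }
}

Get-DcLocatorRecord -DomainName 'adatum.com' | Format-Table -AutoSize
```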
Windows PowerShell Support for AD DS
Windows Server 2012 has much more Windows PowerShell functionality for both deployment and administration of Active Directory. Windows PowerShell is very tightly aligned with Windows Server 2012 and Active Directory. Some of the main uses and applications are as follows:
• Active Directory Administrative Center. This management console is based on Windows PowerShell and has a History Viewer at the bottom of the console. The History Viewer displays the equivalent Windows PowerShell commands for actions that are executed in the GUI. The commands can then be copied and used to automate daily repetitive tasks.
• Active Directory Domain Services Configuration Wizard. Within the AD DS Configuration Wizard, you can create a file that contains all the configuration settings that are designated in the wizard, for example, DC install options, DNS options, and database locations. This lets you run through the wizard, specify the settings that are required, export the text file that contains the configuration settings, and then exit the wizard without running it, thus providing a configuration file that can be used for deployment. The configuration file would have to be tested before it is used in a production environment. However, this saves time when you automate a setup.
Windows PowerShell has more than 10 cmdlets specific to install and uninstall contained within the ADDSDeployment module. This includes forest and domain controller installation, and a series of Test cmdlets that let you verify the prerequisites in your environment before you deploy or remove elements of your infrastructure. This is very useful in remote scenarios. For administrative tasks, there are well over 50 cmdlets contained within the ActiveDirectory module. These cmdlets cover a large range of tasks. This includes user, group, computer, and object creation and management; configuring password policies; site management and replication; and domain and forest management. For a list of Active Directory Windows PowerShell commands in the Windows PowerShell console, type get-help *-AD*.
The first step is to deploy the Active Directory Domain Services (AD DS) server role, and again you can do this through the Add Roles And Features Wizard in Server Manager or by using Windows PowerShell with the following command.
Install-WindowsFeature AD-Domain-Services
After installation, the files that are required to perform the role are now available on the server, but the server is not yet running as a domain controller. The next step is to promote the server to a domain controller. If you open the notifications in Server Manager, you will find a message asking you to “Promote this server to a domain controller”, or you can open the AD DS management console in Server Manager and see similar messages. Clicking the messages opens the Active Directory Domain Services Configuration Wizard. It is here that the information outlined earlier is required.
As mentioned earlier, you can also promote a server to a domain controller by using Windows PowerShell and the following command, when joining an existing domain. (There are many other parameters that are not included in the following example.) A restart is required after the following command. The -SafeModeAdministratorPassword parameter takes a SecureString, and the password is single-quoted so that Windows PowerShell does not expand the $$ sequence inside it.
Install-ADDSDomainController -DomainName adatum.com -SafeModeAdministratorPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force)
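The following added example (not part of the courseware) scripts the delegated two-stage RODC promotion described in the RODC topic with the ADDSDeployment cmdlets mentioned above, running the matching Test cmdlet before each stage so that a bad site or account name is caught before anything is written. It assumes the course's adatum.com domain; the RODC name LON-RODC1, the Branch site, the ADATUM\BranchAdmin user and the 'Branch Users' group are hypothetical.

```powershell
# Added example, not from the courseware: two-stage RODC promotion with the
# ADDSDeployment module. Assumptions: adatum.com is the course's domain;
# LON-RODC1, the Branch site, ADATUM\BranchAdmin and 'Branch Users' are hypothetical.

function New-StagedRodcAccount {
    # Stage 1, run by a Domain Admin from any machine with the AD DS tools:
    # pre-create the RODC's computer account, pin its site, name the user who
    # may finish the promotion, and seed the Password Replication Policy.
    param(
        [string]   $Name            = 'LON-RODC1',
        [string]   $Domain          = 'adatum.com',
        [string]   $Site            = 'Branch',
        [string]   $Delegate        = 'ADATUM\BranchAdmin',
        [string[]] $AllowedAccounts = @('ADATUM\Branch Users')
    )
    Import-Module ADDSDeployment
    $params = @{
        DomainControllerAccountName         = $Name
        DomainName                          = $Domain
        SiteName                            = $Site
        DelegatedAdministratorAccountName   = $Delegate
        # Only branch users' secrets may be cached; the default Denied list
        # already covers Domain Admins and the other privileged groups.
        AllowPasswordReplicationAccountName = $AllowedAccounts
        InstallDns                          = $true
        Credential                          = (Get-Credential -Message 'Domain Admin account')
    }
    # Same parameters, prerequisites only: nothing is written if this fails.
    $check = Test-ADDSReadOnlyDomainControllerAccountCreation @params
    if ($check.Status -ne 'Success') { throw "Stage 1 precheck failed: $($check.Message)" }
    Add-ADDSReadOnlyDomainControllerAccount @params
}

function Complete-StagedRodc {
    # Stage 2, run on the branch server by the delegated user. No Domain Admin
    # credential ever travels to the branch: the account already exists, so
    # -UseExistingAccount attaches this server to it and makes it the RODC.
    param([string] $Domain = 'adatum.com')
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    $params = @{
        DomainName                    = $Domain
        UseExistingAccount            = $true
        Credential                    = (Get-Credential -Message 'Delegated branch admin')
        # DSRM password: prompted for, never stored in the script or history.
        SafeModeAdministratorPassword = (Read-Host 'DSRM password' -AsSecureString)
        InstallDns                    = $true
        NoRebootOnCompletion          = $true   # a restart is still required afterwards
        Force                         = $true
    }
    $check = Test-ADDSDomainControllerInstallation @params
    if ($check.Status -ne 'Success') { throw "Stage 2 precheck failed: $($check.Message)" }
    Install-ADDSDomainController @params
}
```

Stage 1 is run once at headquarters; stage 2 is run on the branch server by the delegated user, who then becomes that RODC's local administrator without gaining rights on any other domain controller.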
Some other useful Windows PowerShell commands can be viewed in the table below.
Windows PowerShell Command: Description
Get-Command -Module ADDSDeployment: Displays the cmdlets for the ADDSDeployment module
Get-Command -Module ActiveDirectory: Displays the cmdlets for the ActiveDirectory module
Get-ADDomain: Displays high-level domain information
More information about Windows PowerShell AD DS deployment cmdlets can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309116
More information about Windows PowerShell AD DS administration cmdlets can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309117
Lesson 3
Managing Users, Groups, and Computers
One of your functions as an AD DS administrator is to manage user, group, and computer accounts. These accounts are AD DS objects that people use to log on to the network and access resources. In this lesson, you will learn about how to change user, group, and computer accounts in an AD DS domain.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe user accounts.
• Describe groups.
• Explain when to nest groups.
• List the default built-in groups.
• Describe a computer account.
• Provide best practices for user, group, and computer management.
What Are User Accounts?
In AD DS, all users that require access to network resources must have a user account. With this user account, users can be authenticated to the AD DS domain and granted access to network resources.
A user account is an object that contains all the information that defines a user. The account can be either a local or a domain account. A user account includes the user name and password and can contain other organizational or infrastructure information such as department, telephone numbers, manager (which can be used to browse hierarchically through the organization), home directory, and where the user's profile is stored. Users can be members of groups, and typically access to resources is granted to groups rather than to individuals. A user account also contains many other settings that you can configure based on your organizational requirements. A user account enables a user to log on to computers and domains with an identity that can be authenticated by the domain. With a user account, you can do the following:
• Allow or deny users to log on to a computer based on their user account identity.
• Grant users access to processes and services for a specific security context.
• Manage users' access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.
The Users container located in Active Directory Users and Computers has two built-in user accounts: Administrator and Guest. These built-in user accounts are created automatically when you create the domain.
To maximize security, you should avoid having multiple users share one account. Instead, each user who logs on to the network should have a unique user account and password.
When you create a user account, you must provide a user logon name. User logon names must be unique in the domain/forest in which the user account is created. If you create user accounts for administrative purposes, we recommend that you separate them from the “regular” user account that is used to read email messages and surf the web. However, it is still recommended to create individual accounts per user.
What Are Groups?
A group is a collection of user accounts, computer accounts, contacts, and other groups that you can manage and use to grant access to resources as a single unit. There are several common reasons for creating groups in AD DS. These are as follows:
• Granting permissions. Instead of assigning several user accounts the same permissions on the same resource, you could create a group, add the users as members, and grant the group permissions on the resource.
• Assigning rights. When a user must have administrative control of a resource, such as a server, it is better to add the user to a management group that you created for that purpose. Then, if the user changes job functions within your organization, you can remove them from the group. You can remove their assigned rights on the server without the need to change permissions.
• Distributing email. When users want to send email messages to multiple users, you can create specialized groups to make the process easier.
• Delegation. Groups are frequently used to delegate administration. For example, if you allow someone to grant contributor and owner rights in SharePoint, that user has more rights than intended because the user can delegate anything in his site. Therefore, administrators frequently create groups by SharePoint site, network share, or for other applications, and grant the site or application owners only the rights to manage those pre-created groups instead of managing permissions in the application itself. The same applies to the self-management of groups or project groups.
Objects that belong to a particular group are known as group members.
Group Types
There are two kinds of groups in AD DS: security groups and distribution groups.
• Security Groups. You create security groups to consolidate objects to which you want to assign permissions or rights. These groups have associated security identifiers (SIDs). You can also use security groups for distribution purposes in an email application, such as Exchange Server Distribution Groups.
• Distribution Groups. You can use distribution groups only with email applications, such as Exchange Server, to send email to multiple users. Distribution groups are not security-enabled. That means distribution groups cannot be assigned permissions on resources or objects in AD DS. In smaller organizations, it is usually unnecessary to create distribution groups because security groups can be email-enabled. However, in larger organizations, the separation of distribution and security groups enables you to separate the administration of the email system and AD DS.
Group Scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three group scopes:
• Domain local. Domain local groups can contain members from any domain in the forest but can only be granted permissions and assigned rights on objects in the local domain. In other words, the group’s abilities are localized.
• Global. Global groups can contain members only from the local domain, but can be granted permissions or assigned rights anywhere in the forest. In other words, the group’s abilities are global.
• Universal. A universal group can contain members from anywhere in the forest and can be granted permissions and assigned rights anywhere in the forest. In other words, the group’s abilities and membership are universal. Another important characteristic of a universal group is that the membership list is maintained in the Global Catalog. Therefore, you can only email-enable universal groups in Exchange Server.
Question: Describe a situation where you would use a distribution group instead of a security group.
Nesting Groups
When you use nesting, you add a group as a member of another group. You can use nesting to combine group management. Nesting increases the number of member accounts that are affected by a single action, and reduces the replication traffic caused by changes in group membership. The following are best practices for nesting groups:
1. Add user accounts into global groups.
2. Add the global group to a domain local group.
3. Assign permissions or user rights assignments to the domain local group.
You can remember this process with the AGDLP mnemonic: user accounts are members of global groups, global groups are members of domain local groups, and domain local groups describe permissions or user rights assignments. The AGDLP mnemonic stands for account, global, domain local, and permissions. For organizations where permissions to groups should be assigned across various domains in the same forest, consider adding global groups to universal groups:
1. Add user accounts into global groups.
2. Add the global group to an appropriate universal group.
3. Add the universal group to the domain local group.
4. Assign permissions or user rights assignments to the domain local group.
You can remember this process with the AGUDLP mnemonic: account, global, universal, domain local, and permission.
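The following added example (not part of the courseware) carries AGDLP through for a Sales file share with the ActiveDirectory module: accounts into a global group, the global group into a domain local group, and the permission granted to the domain local group only. A second function lists ACEs granted directly to user accounts, the practice the account management guidance later in this lesson says to avoid. It assumes the course's adatum.com domain and the user Jeffh from the demonstration; the OU=Groups container, the group names and the folder D:\Shares\Sales are hypothetical.

```powershell
# Added example, not from the courseware: AGDLP applied to a Sales file share,
# plus a check for permissions granted directly to user accounts.
# Assumptions: ActiveDirectory module; adatum.com is the course's domain; the
# OU=Groups container, group names and D:\Shares\Sales folder are hypothetical.
Import-Module ActiveDirectory

function New-AgdlpAccess {
    param(
        [Parameter(Mandatory)][string]   $RoleGroup,      # G: the role, e.g. Sales
        [Parameter(Mandatory)][string[]] $Accounts,       # A: sAMAccountNames
        [Parameter(Mandatory)][string]   $ResourceGroup,  # DL: resource and access level
        [Parameter(Mandatory)][string]   $FolderPath,     # P: where the permission lands
        [string] $GroupOu = 'OU=Groups,DC=adatum,DC=com',
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )
    # A into G: a global group describes a role and takes members from this domain only.
    if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'")) {
        New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path $GroupOu
    }
    Add-ADGroupMember -Identity $RoleGroup -Members $Accounts

    # DL: a domain local group named for the resource and the access it grants,
    # so the ACE is self-explanatory to whoever reads the ACL later.
    if (-not (Get-ADGroup -Filter "Name -eq '$ResourceGroup'")) {
        New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu
    }
    # G into DL: giving another role access later is one membership change,
    # not an ACL edit on every folder.
    Add-ADGroupMember -Identity $ResourceGroup -Members $RoleGroup

    # P: the ACE is written for the domain local group, never for a user.
    $netbios = (Get-ADDomain).NetBIOSName
    $acl  = Get-Acl -Path $FolderPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$ResourceGroup", $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Effective members: the users reach the resource through the two hops.
    Get-ADGroupMember -Identity $ResourceGroup -Recursive | Select-Object -ExpandProperty SamAccountName
}

function Get-DirectUserAce {
    # Lists ACEs whose trustee is a user account rather than a group. These are
    # the entries that become orphaned SIDs and forgotten access when people
    # change jobs, which is why permissions belong on groups.
    param([Parameter(Mandatory)][string] $FolderPath)
    $netbios = (Get-ADDomain).NetBIOSName
    (Get-Acl -Path $FolderPath).Access | ForEach-Object {
        $id = $_.IdentityReference.Value
        if ($id -like "$netbios\*") {
            $sam = $id.Split('\')[1]
            if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
                [pscustomobject]@{ Folder = $FolderPath; User = $id; Rights = $_.FileSystemRights }
            }
        }
    }
}

New-AgdlpAccess -RoleGroup 'Sales' -Accounts @('Jeffh') -ResourceGroup 'Sales_Share_Modify' -FolderPath 'D:\Shares\Sales'
Get-DirectUserAce -FolderPath 'D:\Shares\Sales'
```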
Default Built-in Groups
In both domains and stand-alone workgroup-based computers, there are built-in groups. These groups are defined with domain-local scope. You can use the built-in groups to simplify administration. For example, adding user accounts to the built-in Domain Admins group enables the member user to perform administration on all domain computers, or adding a user to the Backup Operators group allows that user to perform backups on domain controllers in the domain.
Note: Keep in mind that some of these built-in groups have powerful pre-assigned rights and privileges. Although it can be convenient to add users to built-in groups to achieve an administrative goal, you may unintentionally assign more rights and privileges than you intended.
You can move groups in and out of this container. However, you cannot move the default groups in this container to another location or to another domain.
If the built-in and system groups are insufficient for your needs, create additional groups as required. The built-in groups are visible in the Builtin folder under the domain root. Built-in groups should only be used after their rights are validated, because many Builtin groups can potentially be granted more rights than is intended.
Computer Accounts
In AD DS, computers are security principals, just like users. This means that computers must have accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the user must also log on to the domain from a computer that has a valid computer account. If administrators want to benefit from managing computers and users in AD DS, administrators must join them to the domain.
Computers access network resources to perform key tasks such as authenticating user logon, obtaining an IP address, and receiving security policies. To have full access to these network resources, computers must have valid accounts in AD DS. The two main functions of a computer account are performing security and management activities.
By default, when you join a computer to a domain, the computer account is created in the Computers container. In most organizations, administrators move the computer accounts to department-specific OUs so that specific software and operating system configurations can be applied to the computers. However, many companies instead use geographical information such as the sites where the computers reside or are assigned to. It is also common to differentiate between desktops and portable computers. Using departmental or any other organizational aspects that are likely to change frequently is not recommended.
Some properties for computer accounts in AD DS that could potentially be used are as follows:
• The Description property is a common property that is widely used for computer accounts, which could be used to differentiate between test, development, or email computers such as laptops, desktop, workstations, or servers. This is displayed in the details pane of Active Directory Users and Computers, which makes it easy to view.
• The Location property is not as widely used but can be used to document the computer’s physical location in the network.
• The Managed By property is also not as widely used, but lists the individual responsible for the computer. This information can be useful when you have a data center with servers for different departments and you have to perform maintenance on the server. You can call or send email to the person who is responsible for the server before you perform maintenance on the server.
Account Management Best Practices
Consider the following best practices to help make sure that you manage accounts within your AD DS forest efficiently.
User Accounts
When planning and implementing user accounts, consider the following points:
• Create a user account for every user that has to access your forest. Do not let users share user accounts.
• Implement a naming convention that yields simple-to-remember, unique user names. Consider that the more users you have, the more likely duplicates are within your organization.
• Create accounts for temporary or contract staff with the same naming convention that you use for other users. That is, do not use generic account names such as Temp1.
• Plan the accounts policy carefully to make sure that it meets the security needs of your organization. The accounts policy includes password length, password complexity rules, and the maximum password age for user accounts.
Group Accounts
When planning and implementing groups, consider the following points:
• Use the built-in groups where you can to simplify administration.
• Nest groups to control access to resources more efficiently in larger organizations.
• Avoid assigning permissions and rights directly to user accounts. Use groups to make ongoing maintenance easier.
• Use a group naming convention that identifies the group's role, or the name of a resource and the kind of access that the group grants to it. For example, the Sales global group obviously identifies users who are in the Sales department, whereas the Printer Managers local group contains users who have printer management rights.
Computer Accounts
When planning computer accounts, consider the following points:
• Limit who can create computer accounts.
• Implement a naming convention that helps you identify the role and location of a computer.
• Fill in the Description property of computer accounts so that you can differentiate between computer types and easily view the computer description in Active Directory Users and Computers.
Demonstration: How to Manage Accounts
You can manage user, group, and computer accounts by using either Active Directory Users and Computers or the Active Directory Administrative Center.
In this demonstration, you will see how to use Active Directory Users and Computers to create an account, add group membership, and delegate control of an OU.
Demonstration Steps
1. Use Active Directory Users and Computers to create a new user named Jeff Hay with a User Logon Name of Jeffh.
2. Add Jeff Hay to the Domain Admins group.
3. Delegate control of the Sales OU to Jeff Hay.
Lesson 4
Implementing Group Policy
After you have created AD DS users, groups, computer accounts, and an OU structure, the next step is usually to implement Group Policy. Group Policy and the AD DS infrastructure in Windows Server enable IT administrators to automate and simplify user and computer management. Administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of OUs.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe GPOs.
• Understand local, site, domain, and organizational unit-linked policies.
• Explain how to use GPO management tools.
• Describe GPO policies and preferences.
• Create a GPO and assign it to an organizational unit.
Core Group Policy Components
Group Policy is a Microsoft technology that supports one-to-many management of computers and users in an AD DS environment. By editing Group Policy settings and targeting a GPO at the intended users or computers, you can centrally manage more than 2,400 configuration parameters. In this manner, you can manage thousands of computers or users by changing a single GPO.
Many parts go into building a Group Policy infrastructure, and not all of them are covered in this lesson, but two fundamental components are at the core of that infrastructure: Group Policy settings and Group Policy objects. These are discussed in the following sections.
Group Policy Setting
This is the most fine-grained component of the Group Policy infrastructure. It defines a specific configuration change to apply to a user or computer. For example, a policy setting exists that prevents a user from accessing registry-editing tools. If you define that policy setting and apply it to the user, the user will be unable to run tools such as Registry Editor (Regedit.exe). Another policy setting is available that you can use to rename the local Administrator account. You can use this policy setting to rename the Administrator account on all user desktops, laptops, or other devices. A policy setting can have three states: Not Configured, Enabled, and Disabled.
Note: Many policy settings are complex, and the effect of enabling or disabling them might not be immediately clear. Make sure that you review a policy setting's explanatory text in the Group Policy Management Editor details pane or on the Explain tab in the policy setting's Properties dialog box. In addition, always test the effects of a policy setting and its interactions with other policy settings before you deploy a change in the production environment.
Group Policy Object
Group Policy settings are defined in and exist within a GPO. Therefore, a GPO can be defined as an object that contains one or more policy settings and applies one or more configuration settings to a user or a computer. After the settings are defined and a GPO is complete, you must decide where to apply the GPO. You do this by "linking" the GPO to a specific target or audience. One or multiple GPOs can be linked to one or multiple sites, domains, or OUs. There are two kinds of Group Policy objects:
• Local GPOs. Every computer running a Windows operating system has a local set of Group Policy objects. They are present whether or not the computer is part of an AD DS environment or a networked environment. If a computer does not belong to an Active Directory domain, the local policy can be used to configure and enforce configuration on that computer.
• Domain-based GPOs. These are created in Active Directory and stored on domain controllers. They are used to manage configuration centrally for users and computers in the domain. When AD DS is installed, two default GPOs are created:
o Default Domain Policy. This GPO is linked to the domain and affects all users and computers within that domain, including computers that are domain controllers. This GPO contains policy settings that specify password, account lockout, and Kerberos policies. Domain-based GPOs override local GPO settings and are easier to manage than GPOs on individual computers.
o Default Domain Controllers Policy. This GPO is linked to the Domain Controllers OU. Because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU, and other computer accounts should be kept in other OUs, this GPO affects only domain controllers. The Default Domain Controllers GPO should be changed to implement your auditing policies and other settings, such as security settings, because it is important that all DCs behave the same.
A Group Policy Object has thousands of configurable Group Policy settings. These settings can affect almost every area of the computing environment. You cannot apply all the settings to all versions of Windows operating systems. Many new settings available in Windows 8 and Windows Server 2012 apply only to the Windows 8 and Windows Server 2012 operating systems. If a computer has a setting applied that it cannot process, it ignores the setting. GPOs can be managed in Active Directory by using the Group Policy Management Console (GPMC). To change the policy settings in a GPO, right-click the GPO, and then click Edit. The GPO settings then open in the Group Policy Management Editor (GPME), which divides them into two sections:
• Computer Configuration. Contains settings that are applied to computers, regardless of who logs on to them.
• User Configuration. Contains settings that are applied when a user logs on to the computer. Within these two sections you configure the specific GPO settings.
Applying GPOs
Applying Group Policy is driven by the clients themselves; that is, it is not a push technology. Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to a user or computer, the client interprets the policy and then makes the appropriate environment changes. Some changes are written directly to the registry, and more complex changes are processed by components of the client known as Group Policy client-side extensions (CSEs).
As GPOs are processed, the client uses Active Directory to compile a list of GPOs that must be processed. Then the client pulls the Group Policy object settings from the SYSVOL file system structure and passes them to the appropriate CSEs, which apply them. GPOs are linked to sites, domains, and organizational units. The hierarchy of those objects, in addition to the order of the links on each object, defines the order in which the GPOs are applied to a computer or user. Additional mechanisms, such as security filtering, WMI filtering, and blocking and enforcing policies, can also be used to reduce the set of computers and users to which a GPO applies.
GPOs that apply to a user or computer are not all processed in the same order. Settings that are applied later can override settings that are applied earlier. Group Policy settings are processed in the following order:
• Local GPO. Each computer has exactly one GPO that is stored locally. It is processed for both computer and user Group Policy processing.
• Site. Any GPOs that are linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked GPOs tab for the site in the GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
• Domain. Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked GPOs tab for the domain in the GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
• Organizational Units. GPOs that are linked to the organizational unit that is highest in the AD DS hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
The first letters of the items listed above (Local, Site, Domain, Organizational Unit) give the acronym LSDOU. It is important to remember this processing order, especially when troubleshooting. If settings conflict, local policies are overwritten by GPOs linked to sites, which are overwritten by GPOs linked to the domain, which are overwritten by policies linked to OUs (from the topmost OU in the hierarchy down to the lowest sub-OU). Enforcing or blocking GPOs also uses this order. Blocked GPOs are not applied. Enforced GPOs are put at the end of the list and are therefore likely to win. Here are several other things to know about GPOs:
• GPOs can also be filtered by WMI settings such as hardware or software settings, configurations, or even the applications that are installed.
• Policy settings in the Computer Configuration node in the GPME are applied at system startup and every 90 minutes after that.
• Policy settings in the User Configuration node in the GPME are applied when you log on and every 90 minutes after that.
Note: The 90-minute interval previously listed applies to domain members only. Domain controllers update their GPOs every 5 minutes.
The application of policies is called a Group Policy refresh. You can also force an immediate policy refresh by using the GPUpdate command from the command line. Or, in a Windows PowerShell console, you can run the Invoke-GPUpdate cmdlet. The Windows PowerShell Group Policy cmdlets are available in Windows Server 2012 and Windows 8 with Remote Server Administration Tools (RSAT).
In Windows Server 2012, you can also force a Group Policy update in the GPMC by right-clicking the container in question (for example, Domain Controllers) and selecting Group Policy Update. Then, in the resulting Force Group Policy Update dialog box, select Yes. This creates a scheduled job that will run in 10 minutes.
Question: What would be some advantages and disadvantages of lowering the refresh interval?
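The processing order and the refresh behavior described above can be inspected from Windows PowerShell. The following is an added example, not part of the course text, that uses the GroupPolicy module cmdlets (Get-GPInheritance and the Invoke-GPUpdate cmdlet mentioned above). The Sales OU and LON-CL1 are names used in this module; the Adatum.com distinguished names are assumed.

```powershell
# Added example, not from the course: list the GPOs that apply to an OU in
# precedence order, then force an immediate Group Policy refresh on a client.
Import-Module GroupPolicy

$domainDn = 'DC=Adatum,DC=com'            # assumed lab domain
$ouDn     = "OU=Sales,$domainDn"          # OU used in this module's demonstrations

# Get-GPInheritance reports the links directly on a container (GpoLinks) and,
# for an OU, the full set of links it receives from the site, domain and parent
# OUs (InheritedGpoLinks), sorted by precedence: the first entry wins conflicts.
$inheritance = Get-GPInheritance -Target $ouDn

"Block Inheritance set on ${ouDn}: $($inheritance.GpoInheritanceBlocked)"
''
'Links directly on the OU (lowest link order = highest precedence):'
$inheritance.GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

'Effective precedence for objects in this OU (1 = processed last, wins conflicts):'
$rank = 0
$inheritance.InheritedGpoLinks | ForEach-Object {
    $rank++
    # Target shows which LSDOU level the link comes from. An enforced link from
    # the domain outranks the OU links even though OU links normally win.
    '{0,2}. {1,-35} linked at {2}{3}' -f $rank, $_.DisplayName, $_.Target,
        $(if ($_.Enforced) { '  [ENFORCED]' } else { '' })
}

# Force a refresh on LON-CL1 now instead of waiting for the 90-minute interval.
# Invoke-GPUpdate schedules gpupdate on the remote computer; -Force reapplies
# all settings, not only changed ones, and a delay of 0 runs it immediately
# (the GPMC's Group Policy Update action uses the default delay of 10 minutes).
Invoke-GPUpdate -Computer 'LON-CL1' -Force -RandomDelayInMinutes 0
```

Run the first part before and after changing a link order or an Enforced flag when troubleshooting: the InheritedGpoLinks list is the order the client will actually use, which is easier to read than reasoning through LSDOU by hand.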
Creating and Managing GPOs
You can create or manage Group Policy objects in many ways. A GPO can be created from a template or by using a graphical user interface (GUI) tool such as the GPMC. After you have created the GPO, you can link it to the appropriate site, domain, or OU. The GPMC also provides what are called starter GPOs. Starter GPOs are templates that help you create GPOs. When you create new GPOs, you can select a starter GPO as the source. This makes it easier and faster to create multiple GPOs with the same baseline configuration.
The GPMC also provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in the event of an error or disaster. It helps you avoid manually recreating lost or damaged GPOs and having to repeat the planning, testing, and deployment phases. Part of your ongoing Group Policy operations and Active Directory backup and recovery plan should include regular backups of all GPOs, by using the GPMC or scripting tools supported by the GPMC. Recovering a GPO without a GPMC backup, even when you have a system state backup, can be very tricky. The GPMC also provides for copying and importing GPOs, both within the same domain and across domains.
You can also delegate the administration of GPOs. By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. But you can use three methods to grant a group or user this right:
• Add the user to the Group Policy Creator Owners group.
• Explicitly grant the group or user permission to create GPOs by using the GPMC.
• Grant permissions to link the GPO to certain target objects.
To edit a GPO, the user must have both read and write access to the GPO. You can grant this permission by using the GPMC.
Note: Delegating GPOs must be considered carefully. If you grant the user rights to create new GPOs, those users can create GPOs, but they might be unable to link them. If you grant the rights to link GPOs to specific sites/domains/OUs, they can link any GPO and not just the GPOs they created. In scenarios where you want to control the use of GPOs but enable an administrative group to adjust certain settings using a GPO, it can be a good idea to create and link the GPO, and grant the group the rights to change its settings.
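As an added example of the approach the note recommends (not from the course), the following Windows PowerShell script creates and links a GPO as an administrator and then grants a group only the right to edit that GPO's settings, not to create or link GPOs. The GPO name "Sales Desktop Settings" and the group "Sales Policy Editors" are assumed for illustration; the Sales OU is used in this module, and the Adatum.com distinguished name is the lab's.

```powershell
# Added example, not from the course: delegate editing of one GPO without
# granting the right to create or link GPOs.
Import-Module GroupPolicy

$gpoName = 'Sales Desktop Settings'          # assumed GPO name
$ouDn    = 'OU=Sales,DC=Adatum,DC=com'       # Sales OU in the assumed lab domain
$editors = 'Sales Policy Editors'            # assumed global security group

# 1. The administrator creates the GPO and links it. The link decides who the
#    settings reach, so it stays under administrative control.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Settings maintained by the Sales IT team'
}
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 2. Grant the group edit rights on this GPO only. GpoEdit allows changing the
#    settings but not deleting the GPO or changing its permissions; that level
#    (GpoEditDeleteModifySecurity) should remain with the domain administrators.
Set-GPPermission -Name $gpoName -TargetName $editors -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 3. Verify the resulting permissions. Review this after any delegation change:
#    nobody outside the administrative groups should hold more than GpoEdit.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } },
                  TrusteeType, Permission |
    Format-Table -AutoSize
```

Because the group receives permissions on the GPO object rather than on the OU, it cannot widen the scope of the settings by linking the GPO elsewhere, which is the failure mode the note warns about.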
Group Policy Preferences
Many common configuration settings were traditionally delivered through logon or startup scripts. This required writing, debugging, and storing the scripts in a central location, and then applying the scripts by using user settings or Group Policy. Group Policy preferences enable IT professionals to configure, deploy, and manage many common operating system and application settings that they previously could not manage by using Group Policy settings. With Windows Server 2012 and Windows 8, Group Policy Preferences includes more than 20 Group Policy extensions that expand the range of configurable settings in a GPO.
Common Uses for Group Policy Preferences
Group Policy Preferences typically provide another method of configuring the operating system environment and its variables, which was previously done mostly through logon scripts. Preferences effectively remove the need for logon scripts. Some common configurations that can be applied to computers are as follows:
• Map network drives for users.
• Configure desktop shortcuts for users or computers.
• Set environment variables.
• Copy files.
• Map printers.
• Map network drives.
• Set power options.
• Configure Start menus.
• Configure data sources.
• Configure Internet options.
• Schedule tasks.
The main approach for deciding whether to use Group Policy settings or Group Policy Preferences is determined by what the administrator wants to configure. If you can meet your configuration requirement by using Group Policy settings, then use Group Policy settings. If not, then use Group Policy Preferences. You may also need to enforce a policy to ensure that users are unable to change a preference. For example, if you create a Group Policy Preference that changes a registry setting, you can then use a Group Policy setting to disallow registry-editing tools. This enforces the preference.
Preferences have a built-in scoping mechanism called item-level targeting. You can have multiple preference items in a single GPO, and each preference item can be targeted or filtered. For example, you could have a single GPO with a preference that specifies folder options for engineers and another item that specifies folder options for salespeople. You can target the items by using a security group or OU. There are more than a dozen other criteria that can be used, including hardware and network characteristics, date and time, LDAP queries, and more. One of the main benefits of preferences is that you can target multiple preference items in a single GPO instead of requiring multiple GPOs. With Group Policy settings, you frequently need multiple GPOs filtered to individual groups to apply variations of settings. In the Group Policy Management Editor, you can view two nodes: Policies and Preferences. In the Preferences node are groupings for Windows Settings and Control Panel Settings.
Demonstration: How to Create a GPO and Link It to an Organizational Unit
In this demonstration, you will see how to create a GPO by using the GPMC. After creating the GPO, you will link the GPO to the Production OU and then log on as a production user. You will then see what happens when the GPO is not applied.
Demonstration Steps
1. Create a new GPO called Disable CAD Task Manager.
2. In the new GPO, restrict users from starting Task Manager when they press Ctrl+Alt+Del.
3. Link the GPO to the Sales OU.
4. Sign in as Jeff Hay to verify that Task Manager is not a logon option and that the GPO was applied.
5. Sign in as the Administrator to show that Task Manager is a logon option and that the GPO was not applied.
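The same demonstration can be scripted. Below is an added example, not part of the course, that uses the GroupPolicy module to create the GPO, write the "Remove Task Manager" policy setting, and link the GPO to the Sales OU. The registry location is the one that policy setting uses (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, value DisableTaskMgr); the Adatum.com distinguished name of the Sales OU is assumed from the lab.

```powershell
# Added example, not from the course: create, configure and link the
# "Disable CAD Task Manager" GPO from the demonstration with PowerShell.
Import-Module GroupPolicy

$gpoName = 'Disable CAD Task Manager'
$ouDn    = 'OU=Sales,DC=Adatum,DC=com'   # assumed distinguished name of the Sales OU

# 1. Create the GPO, or reuse it if the script is run twice.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# 2. The "Remove Task Manager" administrative template setting (User
#    Configuration > Administrative Templates > System > Ctrl+Alt+Del Options)
#    is stored as this registry value. Writing it under a Policies key makes it
#    a managed policy: the value is removed again when the GPO stops applying,
#    which a preference item would not do.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the Sales OU. It is a user setting, so it affects users
#    whose accounts are in that OU, whichever computer they log on to.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. Verify without logging on: the HTML report shows the configured setting,
#    and Get-GPRegistryValue reads the value back directly from the GPO.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\DisableCadTaskManager.html"
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
```

After Jeff Hay signs in on a client, gpresult /r /scope:user on that client lists the GPO under the applied user policy objects. The Administrator account is not in the Sales OU, so the GPO does not appear for it, which is what step 5 of the demonstration shows.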
Lab: Implementing Active Directory Domain Services
Scenario
The A. Datum Corporation is about to undergo a merger with Contoso Corporation. A new project team is created that consists of multiple external staff. The team must be able to manage themselves during the merger. Ed Meadows has asked you to create a new OU in AD DS to support this new project team and populate it with the users, groups, and computers to support the new staff. You have also been asked to see if there is a way to automate some of the general manual configuration.
Objectives
After completing this lab, you will be able to:
• Add an additional domain controller.
• Create an organizational unit structure.
• Configure user, group, and computer accounts.
• Create and link a GPO to the organizational units.
Lab Setup
Estimated Time: 75 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1, 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: ADATUM
5. Repeat steps 2 through 4 for 10967A-LON-SVR1 and 10967A-LON-CL1.
Exercise 1: Promoting a New Domain Controller
Scenario
Ed thinks that having more users will put an additional load on the existing domain controller in New York. He has asked you to promote an existing member server as a new domain controller. This exercise has only one task.
Task 1: Add an additional domain controller
1. Switch to the LON-SVR1 computer.
2. Add the AD DS role and associated features to the server.
3. Promote LON-SVR1 to a domain controller by using the following information (accept the default settings unless otherwise stated):
4. Select a Deployment Configuration: Add a domain controller to an existing domain
5. Select a domain: Adatum.com
6. DNS Server and Global Catalog Server are not required.
7. Directory Services Restore Mode Administrator Password: Pa$$w0rd
8. Run the Prerequisite Check and make sure that all prerequisites are successful. Warnings are acceptable.
9. Click Install, and then wait for the installation to complete and the computer to restart.
Results: After this exercise, you will have promoted a new domain controller.
Exercise 2: Creating an Organizational Unit
Scenario
You must now create the required organizational unit for team members. There is only one task for this exercise.
Task 1: Create an organizational unit
1. After LON-SVR1 has restarted, log on by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
2. Use Active Directory Users and Computers to create a new OU called A Datum Merger Team in the Adatum.com domain.
3. Close the Active Directory Users and Computers console.
Results: After this exercise, you will have created a new organizational unit (OU).
Exercise 3: Configuring Accounts
Scenario
Ed has asked you to create the necessary user accounts and groups, and to move the users' computer accounts into the OU. You need two groups: one for all team members and one for the manager, Tony Allen. You will then grant Tony Allen the ability to reset user passwords on all user accounts in the A. Datum Corporation Merger Team OU. The main tasks for this exercise are as follows:
1. Add user accounts
2. Create groups
3. Add members to groups
4. Move a computer account
5. Delegate control of the OU
Task 1: Add user accounts
1. Ensure you are still logged on to the 10967A-LON-SVR1 virtual machine, and open the Active Directory Administrative Center.
2. In Active Directory Users and Computers, create the following user accounts in the A Datum Merger Team OU by using the following information to complete the process:
o Configure users' first names and last names.
o User logon name is the first name.
o Password is Pa$$w0rd.
o Clear the User must change password at next logon check box.
o Ensure Account expires is set to Never.
o Ensure Password never expires is selected.
3. After creating the first account, see if there is an easy way to automate the creation of the remainder of the accounts by using Windows PowerShell.
4. Users to create are as follows:
o Christian Kemp with logon name of ChristianK
o Tony Allen with logon name of TonyA
o Pia Lund with logon name of PiaL
Task 2: Create groups
1. Locate the A Datum Merger Team OU.
2. Create the following Global Security groups:
o Mergers and Acquisitions
o Merger Team Management
Task 3: Add members to groups
1. Add all new users in the A Datum Merger Team OU to the Mergers and Acquisitions group.
2. Add only Tony Allen to the Merger Team Management group.
Task 4: Move a computer account
• In Active Directory Administrative Center, in the Computers folder, move the LON-CL1 computer to the A Datum Merger Team OU.
Task 5: Delegate control of the OU
1. Still on 10967A-LON-SVR1, in Server Manager, click Tools, and then select Active Directory Users and Computers.
2. Using the Delegation of Control Wizard, grant the Merger Team Management global security group the user right to Reset user passwords and force password change at next logon on the A Datum Merger Team OU.
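Task 1 asks whether the remaining accounts can be created with Windows PowerShell. The following is an added example, not part of the lab or its answer key, that scripts all five tasks of this exercise with the ActiveDirectory module; the delegation in Task 5 is done with the dsacls command-line tool instead of the wizard. The user names, group names, OU name, password and LON-CL1 come from the lab; the Adatum.com distinguished names and the UPN suffix are assumed.

```powershell
# Added example, not from the course: Exercise 3 scripted end to end.
Import-Module ActiveDirectory

$ouDn     = 'OU=A Datum Merger Team,DC=Adatum,DC=com'   # assumed DN of the lab OU
$password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Task 1: create the three users with the account options the lab specifies.
# No -AccountExpirationDate is given, so "Account expires" stays at Never.
$users = @(
    @{ First = 'Christian'; Last = 'Kemp';  Logon = 'ChristianK' },
    @{ First = 'Tony';      Last = 'Allen'; Logon = 'TonyA' },
    @{ First = 'Pia';       Last = 'Lund';  Logon = 'PiaL' }
)
foreach ($u in $users) {
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@Adatum.com" `
        -Path $ouDn -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# Task 2: two global security groups in the same OU.
foreach ($groupName in 'Mergers and Acquisitions', 'Merger Team Management') {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}

# Task 3: every user in the OU joins the team group; only Tony joins management.
$teamMembers = Get-ADUser -Filter * -SearchBase $ouDn
Add-ADGroupMember -Identity 'Mergers and Acquisitions' -Members $teamMembers
Add-ADGroupMember -Identity 'Merger Team Management'   -Members 'TonyA'

# Task 4: move LON-CL1 from the default Computers container into the OU.
Get-ADComputer -Identity 'LON-CL1' | Move-ADObject -TargetPath $ouDn

# Task 5: the two rights the Delegation of Control Wizard grants for "Reset
# user passwords and force password change at next logon", written with dsacls:
#   /I:S  apply to child objects only (the user objects in the OU)
#   CA    grant a control access right, here "Reset Password"
#   RPWP  read and write the pwdLastSet attribute, which holds the
#         "must change password at next logon" flag
dsacls $ouDn /I:S /G 'ADATUM\Merger Team Management:CA;Reset Password;user'
dsacls $ouDn /I:S /G 'ADATUM\Merger Team Management:RPWP;pwdLastSet;user'

# Verify membership and the delegated entries on the OU.
Get-ADGroupMember -Identity 'Merger Team Management' | Select-Object Name, SamAccountName
(dsacls $ouDn) -match 'Merger Team Management'
```

Granting the rights to the Merger Team Management group rather than to Tony Allen's account is the point of the lab's closing question: when the manager changes, you change one group membership instead of editing the OU's permissions.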
Results: After this exercise, you will have created the necessary user accounts and groups, and moved the users’ computer accounts into the OU.
Exercise 4: Creating a GPO
Scenario
You must now create a GPO and link it to the A Datum Merger Team OU. The GPO will launch a logon script for users in the new OU. The main tasks for this exercise are as follows:
1. Create a GPO
2. Link a GPO
3. Test a GPO
4. Revert the lab machines
Task 1: Create a GPO
1. Make sure that you are logged on to 10967A-LON-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Open Group Policy Management.
3. Create a new GPO called A Datum Merger Team GPO.
4. Open the GPO for editing. Use the following steps to create a logon script for the team:
5. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
6. In the Results pane, double-click Logon.
7. In the Logon Properties dialog box, click Add.
8. In the Add a Script dialog box, click Browse.
9. In the Browse dialog box, right-click the No items match your search box, click New, and then click Text Document.
10. Highlight the whole file name, including the file name extension, and type logon.vbs. Then press Enter.
11. If you are prompted, in the Rename dialog box, click Yes.
12. Right-click logon.vbs, and then click Edit.
13. If you are prompted, in the Open File – Security Warning dialog box, click Open.
14. In Notepad, type msgbox "Welcome to the A Datum Merger Team".
15. Click File, and then click Save.
16. Close Notepad.
17. In the Browse dialog box, click Open.
18. In the Add a Script box, click OK.
19. In the Logon Properties dialog box, click OK.
20. Close Group Policy Management Editor.
Task 2: Link a GPO
1. Switch to LON-DC1.
2. Link the A Datum Merger Team GPO to the A Datum Merger Team organizational unit.
Task 3: Test a GPO
1. Switch to 10967A-LON-CL1 and log off.
2. Log on by using the following credentials:
• User name: Tonya
• Password: Pa$$w0rd
• Domain: Adatum
3. Make sure that the logon script runs.
Note: By default, the operating system may display the Start menu items after logon, and you may have to select Desktop to be able to view the logon script's message.
Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.
Results: After this exercise, you will have created a Group Policy Object (GPO) and linked it to the A Datum Merger Team OU.
Question: In the lab, you used Active Directory Administrative Center to manage accounts. What other tool could you use?
Question: In the lab, you added Tony Allen, a single user, to a management group. Why not grant Tony the required permissions directly?
Module Review and Takeaways
Review Questions
Question: For most organizations, how many AD DS forests are required?
Question: If you are installing an AD DS–compatible email application, what implications does this have for your AD DS schema?
Question: What trusts are implemented between domains in a single forest?
Question: Why create organizational units?
Tools
Tool: Active Directory Users and Computers
Use for: Managing objects within AD DS such as users, groups, and computers
Where to find it: Server Manager

Tool: Active Directory Administrative Center
Use for: Managing objects within AD DS such as users, groups, and computers
Where to find it: Server Manager

Tool: Group Policy Management Console (GPMC)
Use for: Creating, managing, and editing Group Policy objects (GPOs)
Where to find it: Server Manager

Tool: Group Policy Management Editor
Use for: Editing Group Policy settings and preferences
Where to find it: By editing a GPO in the GPMC, you can access the Group Policy Management Editor

Tool: Windows PowerShell cmdlets
Use for: Available for Active Directory and Group Policy
Where to find it: Available in the Windows PowerShell console

Tool: Command-line tools such as dsget, dsquery, dsmod, ntdsutil, and more
Use for: Configuration and management of objects
Where to find it: Command Prompt
Module 8
Implementing IT Security Layers
Contents:
Module Overview 8-1
Lesson 1: Overview of Defense-in-Depth 8-2
Lesson 2: Physical Security 8-10
Lesson 3: Internet Security 8-14
Lab: Implementing IT Security Layers 8-22
Module Review and Takeaways 8-28
Module Overview
Security is an important part of any computer network and must be considered from many perspectives. Data security for web content and for files accessed on network shares is a common concern. In addition to file and share permissions, you can also use data encryption to restrict data access.
Objectives
After completing this module, you will be able to:
• Identify security threats at all levels and reduce those threats.
• Describe physical security risks and identify mitigations.
• Identify Internet-based security threats and protect against them.
Lesson 1
Overview of Defense-in-Depth
You can approach security design for computers in various ways. Defense-in-depth is one model for analyzing and implementing security for computer systems. This model uses layers to describe different areas of security.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe defense-in-depth.
• Describe how policies, procedures, and awareness can help implement defense-in-depth.
• Describe physical security threats and mitigations.
• Describe perimeter network security threats and mitigations.
• Describe internal network security threats and mitigations.
• Describe host-based security threats and mitigations.
• Describe application-based security threats and mitigations.
• Describe data-based security threats and mitigations.
What Is Defense-In-Depth?
When you park your car in a public location, you consider several factors before walking away from it: for example, where it is parked, whether the doors are locked, and whether you have left anything of value lying on the seat. You understand the risks associated with parking in a public place, and you can reduce those risks. As with your car, you cannot properly implement security features on a computer network without first understanding the security risks posed to that network. You can lessen risks to your computer network by providing security at different infrastructure layers. The term defense-in-depth is frequently used to describe the use of multiple security technologies at different points throughout your organization.
Policies, Procedures, and Awareness
Physical security measures have to operate within the context of organizational policies about security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down and stick them to their computer screens. When establishing a security foundation for your organization's network, it is a good idea to establish appropriate policies and procedures and to make users aware of them. Then you can progress to the other aspects of the defense-in-depth model.
Physical Security
If any unauthorized person can gain physical access to your computer, then most other security measures are of little importance. Make sure computers that contain the most sensitive data, such as servers, are physically secure. Perimeter
These days, no organization is an isolated enterprise. Organizations operate in a global community, and network resources must be available to service that global community. This might include building a website to describe your organization’s services, or making internal services such as web conferencing and email applications, available externally so that users can work from home or from satellite offices. Perimeter networks mark the boundary between public and private networks. By providing specialist servers, such as a reverse proxy, in the perimeter network, you can more securely provide corporate services across the public network.
Note: With a reverse proxy server, you can publish services from the corporate intranet, such as email or web services, without putting the email or web servers in the perimeter. To a client, the reverse proxy appears to be the final destination, regardless of whether the client’s requests are forwarded to one or more back-end servers. A reverse proxy is one system that has to be tightly secured in the perimeter network. However, it can successfully distinguish and publish multiple different services from various systems in the back end.
Networks
After you connect computers to a network, they are susceptible to several threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when communication occurs over public networks by users who work from home, or from remote offices.
Host
The next layer of defense is that used for the host computer. You must keep computers secure with the latest security updates.
Application
Applications are only as secure as your latest security update. You should consistently use Windows® Update to keep your applications up to date. If the network also has third-party software, you must use update mechanisms to make sure that they are up to date.
Data
The final layer of security is data security. To make sure that the network is protected, use file permissions, encryption, and backup.
Question: How many layers of the defense-in-depth model should be secured?
Implementing IT Security Layers
Policies, Procedures, and Awareness
Security is not only a technology-based solution. Organizations also implement policies, procedures, and awareness programs to help prevent security incidents. Security relies on staff and users following policies and procedures. For example, rules must be put in place to determine under what circumstances a password can be reset and how that new password is communicated to the user. Without these rules, unauthorized password resets could unknowingly be performed that would enable an attacker to access your system.
Even when you implement rules to help prevent security problems, they can be circumvented. Some ways that policies and procedures are compromised include the following:
• Users unaware of the rules. When users are unaware of the rules, they cannot be expected to follow them.
• Users viewing rules as unnecessary. If the reason for rules is not adequately communicated to users, then some treat the rules as unnecessary.
• Social engineering. Users and computer administrators are vulnerable to social engineering, where they are convinced to break the rules. Sometimes this involves impersonating a legitimate user.
Mitigation
Consider the following to help reduce these threats:
• Create specific rules that help prevent social engineering.
• Educate users on rules and their relevance.
• Implement compliance monitoring.
It is very important that users know the security rules, their relevance to the organization, and the ramifications or consequences of not abiding by those security rules.
Physical Layer Security
This is one of the most frequently overlooked areas of securing computer systems. Generally, anyone who has physical access to computer systems can do the following:
• Damage systems. This can be as simple as a server stored next to a desk that is accidentally knocked over or has coffee spilled on it.
• Install unauthorized software. Unauthorized software can be used to attack systems. For example, there are utilities available to reset the administrator password on a Windows-based workstation or member server.
• Modify data. After a system is compromised, data can be changed. For example, a disgruntled employee could do this to change their own performance review.
• Steal data. Data such as credit card information could be stolen after a system is compromised.
• Steal hardware. If devices are left unsecured, they can be stolen. Even servers that are incorrectly secured can be stolen together with their data. For example, one of the worst scenarios is servers that have hot-pluggable and redundant (mirrored) hard disk drives. If they are not physically secured and properly monitored, it is very easy to pull one drive, take it away, and extract valuable business information at leisure, without any security guards to intervene.
Mitigation
You must secure the network infrastructure, including the physical security. The problem is that although you want to make it difficult for non-authorized people to access your computers and infrastructure, you want to make it fairly easy for authorized employees. Consider the following to help mitigate physical security threats:
• Restrict physical access by locking doors.
• Monitor server room access.
• Install fire suppression equipment.
Perimeter Layer Security
Perimeter layer security refers to connectivity between the network and other untrusted networks. The Internet is the most common untrusted network. However, there are other untrusted networks that are a concern:
• Remote access clients. The client computers are accessing the network from a remote network over which you have little or no control. However, the clients have access to more data on the network than typical Internet hosts.
• Business partners. You do not control the networks of business partners and cannot make sure that they have appropriate security controls. If a business partner is compromised, then the network links between your organization and the business partner pose a risk.
Mitigation
To keep your organization safe, create a private network and a perimeter network by using firewalls, intrusion prevention and detection systems, and other components. Consider the following to help mitigate perimeter security threats:
• Implement firewalls at network boundaries.
• Implement network address translation (NAT). NAT is an IP translation process that enables a network that has private addresses to access information on the Internet.
• Use virtual private networks (VPNs) or DirectAccess and implement encryption.
• Use proxy servers and systems to make sure that no service is directly connected to the Internet.
Internal Network Layer Security
Internal network layer security refers to events on the internally controlled network. This includes local area networks (LANs) and wide area networks (WANs). This layer is easier to secure because you have control of the devices on these networks. The security risks to the internal network layer are as follows:
• Unauthorized network communication. Hosts can communicate with servers to which they have no need. This raises the risk of host-level exploits being performed. Restricting network communication to specific servers helps prevent this.
• Unauthorized network hosts. Frequently, security risks are introduced to a network by unauthorized hosts connecting to it. A common source of unauthorized hosts is visitors with portable computers, or employees with devices that are not domain-joined or secured to corporate standards but that can still be connected to the network.
• Unauthorized packet sniffing. The risk of unauthorized packet sniffing on modern wired networks is minimal because switches control packet delivery and make sure that packets are sent only to the specific destination. However, wireless networks are vulnerable, especially when only basic security measures, such as Wired Equivalent Privacy (WEP), are used to help secure access. To packet-sniff wired communication, you must have a physical connection to the specific location where the host that you are monitoring is connected. Packet-sniffing a wireless network can be performed from any physical location that has sufficient signal strength.
• Default configurations on network devices. Network devices, such as routers, have a default configuration that includes a default management user name and password; failure to change these compromises the network security. Using weak passwords on those devices is a security risk, and using a different password for each device increases security.
Note: Packet sniffing occurs when a malicious attacker connects a network data analyzer to the network to capture and examine network packets in transit. This could lead to additional attacks, depending on the data captured. For example, if the attacker can capture user name and password information in transit, they can exploit the information to gain access to the servers and data.
Mitigation
At the heart of many of these risks is the concept of authentication. If two computers can identify one another, then they can communicate more securely. You can provide authentication services in several ways, but one of the most secure is where digital certificates are exchanged during initial communications. How you distribute and manage these certificates depends on your organization, but might include the use of a public key infrastructure (PKI) that you implement within your organization.
Note: You cannot always rely on authentication, because some applications, such as network analysis tools, do not support authentication.
In addition to authentication, consider using encryption to make sure that data is secure while it is in transit. You can encrypt communication from external public networks to your perimeter-based or edge servers by using tunneling technologies. Subsequent communication between the edge servers and the internal network can then be protected with Internet Protocol security (IPsec), securing the entire data path. Also, in common Secure Sockets Layer (SSL)/Hypertext Transfer Protocol Secure (HTTPS) scenarios, only the server is authenticated. However, there are services and protocols (some even with HTTPS) where the client also has to be authenticated in order to increase security. SSL can provide secure and authenticated communications across networks. It is widely used on the Internet, typically in web browsers where payment transactions are performed by using HTTPS. Consider the following to help reduce these threats:
• Do not make it easy to connect to the network. Someone should be unable to plug a laptop into the network and access your intranet.
• Encrypt network communication.
• Segment the network. You can designate specific subnets for use by guests that have portable computers or devices and need network access. You can do this by using Network Access Protection (NAP). Or you could use multiple wireless LANs (WLANs). You could even put the WLAN outside the corporate network and require internal users to use a VPN. So, there are several options, depending on the network requirements.
• Require mutual authentication.
• Restrict switch ports and internal WLAN access points based on the media access control (MAC) address or client certificates. If the WLAN access points provide only access to the Internet, this should be handled differently.
Host Layer Security
The host layer refers to the individual computers on the network. This includes the operating system, but not application software. Operating system services, such as a web server, are included in host layer security. Host layer security can be compromised by:
• Operating system vulnerabilities. An operating system is complex. Therefore, there are frequently vulnerabilities that malicious users can exploit. These vulnerabilities enable an attacker to install malicious software or control hosts.
• Default operating system configurations. Operating systems and their services include default configurations. In some cases, the default configuration might not include a password or might include sample files that have vulnerabilities. An attacker uses their knowledge of default configurations to compromise systems.
• Viruses are one mechanism used to attack hosts. The virus uses operating system flaws or default configurations to replicate itself.
Mitigation
Windows Update and Windows Server® Update Services (WSUS) can help keep your computers up to date. In enterprise environments, you could also consider using System Center Configuration Manager (SCCM). In addition, you should consider using antivirus and malware protection. In Windows 8 and Windows RT, you can use Windows Defender to provide protection against viruses, malicious software, or other unwanted third-party software. Microsoft Security Essentials is an antivirus product that is available for free use with Windows XP, Windows Vista®, and Windows 7. Microsoft Security Essentials is not supported on Windows 8 because Windows Defender provides the same level of protection. Windows Server 2012 has several options available. Microsoft Forefront® Threat Management Gateway (TMG) is being deprecated, but Forefront Unified Access Gateway (UAG) is available for use as a proxy or firewall server. Some functionality is also integrated with the System Center products. Consider the following to help you lessen these threats:
• Harden operating systems.
• Monitor access attempts.
• Implement antivirus and antispyware software.
• Implement host-based firewalls.
More information about the Malware Defense Guide can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309118
Application Layer Security
The application layer refers to applications that are running on the hosts. This includes additional services, such as mail servers, and desktop applications, such as Microsoft Office. The risks to applications resemble the risks to hosts and include the following:
• Application vulnerabilities. Applications are complex programs that are likely to have vulnerabilities. An attacker can use these vulnerabilities to install malicious applications or remotely control a computer.
• Default application configurations. Applications, such as databases, might have a default password or no password at all. Not securing the default configuration simplifies the work of an attacker trying to access a system.
• Viruses introduced by users. In some cases, viruses are introduced by user actions instead of application flaws. In other cases, an application is actually a Trojan horse that has malicious code embedded in what seems to be a useful application.
• Programming vulnerabilities. This does not exclusively refer to industry-provided back-end applications. It also refers to custom websites and other application code that needs to be secured (or designed with security in mind). As more and more apps become available and more widely used, programming vulnerabilities in those apps could potentially become an issue.
Mitigation
Consider the following to help you mitigate these threats:
• Run applications with the least privileges possible.
• Install security updates.
• Enable only required features and functionality.
Data Layer Security
The data layer refers to data that is stored on your computers. This includes data files, application files, databases, and Active Directory® Domain Services (AD DS). When the data layer is compromised it can result in:
• Unauthorized access to data files. This might result in unintended users reading data, for example, the salaries of other staff. It might also result in data being changed and becoming inaccurate. This can also result in a denial-of-service (DoS) attack.
• Unauthorized access to AD DS. This might result in user passwords being reset and an attacker logging on by using the reset passwords.
• Modification of application files. When application files are modified, they might perform unwanted tasks, such as replicating data over the Internet where an attacker can access it.
Mitigation
This can take many forms, and might include using NTFS file system permissions and shared folder permissions to make sure that only authorized users can access files at a defined level of access. You might also be concerned about intellectual property rights and making sure that your data is used appropriately. Finally, for data privacy, you can use both file and disk encryption technologies, such as the Encrypting File System (EFS) or Windows BitLocker® Drive Encryption. Consider the following to help mitigate data layer security threats:
• Implement and configure suitable NTFS file system permissions.
• Implement encryption.
• Implement rights management.
Lesson 2
Physical Security
Physical security provides the first level of defense against a malicious attack. Therefore, make sure that the network and the attached computers are physically secure. This lesson explores common physical security threats, their mitigations, and how Windows Server can help provide physical security on the network.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe physical security risks.
• Explain the Windows tools that are used to help provide physical security.
• Provide best practices for reducing these risks.
What Are the Physical Security Risks?
Other than physical damage to inappropriately located servers and potential resulting data loss, the main physical security risks to the networked computers are as follows:
• Data compromise arising from the loss or theft of the server computers or server storage devices.
• Data compromise from unmanaged computers that connect to the network.
• Data compromise from the introduction of storage devices into the network that can contain malicious or damaging software.
Implementing Physical Security with Windows Server Tools
Windows Server provides several tools and features that can help you implement physical security.
Encrypting File System
The EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not have the appropriate cryptographic key cannot read the encrypted data. Encrypted files can be protected even from those who gain physical possession of the computer that the files reside on. Even persons who are otherwise authorized to access the computer and its file system cannot view the data. EFS is not supported on Resilient File System (ReFS). ReFS is a new file system in Windows Server 2012.
There are many planning requirements connected to EFS. For example, you must ensure that the recovery agent key is safely stored and maintained, so you need to carefully examine and assess the impact of rolling out EFS in your organization. Failure to properly plan EFS deployment could lead to loss of access to data.
BitLocker Drive Encryption
BitLocker provides protection for the computer operating system and data that is stored on the operating system volume by making sure that data that is stored on a computer remains encrypted, even if the computer is tampered with when the operating system is not running. For example, if a laptop is lost or stolen and someone tries to remove the hard disk and mount it in a separate environment to access the data, that person cannot do so unless they have the appropriate credentials, because the drive is encrypted. BitLocker provides a closely integrated solution in Windows client and Windows Server operating systems to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers. BitLocker for Windows 8 and Windows Server 2012 provides new functionality:
• BitLocker provisioning. Windows 8 is now deployable to an encrypted state during installation.
• Disk Space–Only encryption. Allows for a much faster encryption experience by only encrypting used blocks on the targeted volume.
• Standard user PIN and password change. Enables a standard user to change the BitLocker PIN or password on operating system volumes and the BitLocker password on data volumes. This reduces internal help desk call volume.
• Network unlock. Enables a BitLocker system on a wired network to automatically unlock the system volume during startup (on capable Windows Server 2012 networks), reducing internal help desk call volumes for lost PINs.
• Support for Encrypted Hard Disk Drives for Windows. Windows 8 includes BitLocker support for encrypted hard disk drives.
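As an added example (not from the course material), the following PowerShell function uses the Get-BitLockerVolume cmdlet from the BitLocker module that ships with Windows 8 and Windows Server 2012 to report volumes whose protection is incomplete. The policy it checks (every volume fully encrypted with protection on, a recovery password protector present, and the operating system volume bound to the TPM) is an assumption for illustration, not a requirement the course states.

```powershell
# Added example, not part of the course material. Requires the BitLocker
# PowerShell module (Windows 8 / Windows Server 2012 or later) in an elevated
# session. The compliance policy encoded below is an assumption for illustration.

function Get-BitLockerGap {
    [CmdletBinding()]
    param(
        # Key protector types that seal the volume to this computer's TPM; a disk
        # protected only by these is useless when moved to another machine.
        [string[]]$TpmProtectorTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $issues = New-Object System.Collections.Generic.List[string]
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Suspended protection or an unfinished encryption pass leaves the data
        # readable by anyone who removes the disk, the lost-laptop case above.
        if ($vol.ProtectionStatus -ne 'On') {
            $issues.Add("protection is $($vol.ProtectionStatus)")
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $issues.Add("volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)")
        }

        # Without a recovery password, a TPM change or a forgotten PIN locks the
        # data out for good; the course warns that poor key planning loses data.
        if ($types -notcontains 'RecoveryPassword') {
            $issues.Add('no recovery password protector')
        }

        # The operating system volume should be bound to the TPM.
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $hasTpm = $false
            foreach ($t in $types) {
                if ($TpmProtectorTypes -contains $t) { $hasTpm = $true }
            }
            if (-not $hasTpm) { $issues.Add('operating system volume is not bound to the TPM') }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protectors = ($types -join ',')
            Issues     = ($issues -join '; ')
            Compliant  = ($issues.Count -eq 0)
        }
    }
}

# Usage: show only the volumes that need attention. A missing recovery password
# can be added with Add-BitLockerKeyProtector -MountPoint <drive> -RecoveryPasswordProtector.
Get-BitLockerGap | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```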
BitLocker was expanded upon in Windows Server 2012 and is now supported on clusters, including Cluster Shared Volumes (CSV). It is also supported on both NTFS and ReFS file systems, unlike EFS.
Read-Only Domain Controllers
A read-only domain controller (RODC) is a kind of domain controller introduced in Windows Server 2008. With an RODC, you can deploy a domain controller in locations where physical security cannot be guaranteed, such as a branch office. An RODC hosts a read-only replica of the database in AD DS for a given domain.
When an RODC services a logon request for a user on the network, that user’s credentials are cached at the server; only users’ accounts at the branch office are cached in this manner. If the RODC is stolen, only this subset of your domain accounts is compromised. This makes it easier and quicker for you to maintain user account security.
Note: By default, no user credentials are cached on the RODC. This is more secure because if the RODC is stolen, no user passwords are compromised. However, if the link between the head office, where the writable domain controllers exist, and the branch office fails, and caching is not enabled, users at the branch office cannot log on until the link is reestablished.
Group Policies
If you let users add storage devices, such as universal serial bus (USB) memory sticks or external hard disk drives, to their network-attached computers, you can potentially introduce additional security risks. Windows Server can use Group Policy objects (GPOs) to enforce rules on network-attached computers that control or prohibit the addition of storage devices.
Network Access Protection
When you let computers connect to the network from unmanaged locations, such as users’ homes, or you let computers from other organizations connect to the network, you expose the network to security risks.
The network is only as secure as the least secure computer attached to it. Many programs and tools exist to help you secure the network-attached computers, such as antivirus or malware detection software. However, if the software on some of the connected computers is not up to date, or worse, not enabled or configured correctly, then these computers pose a security risk.
Computers that remain within your office environment and are always connected to the same network are fairly easy to keep configured and updated. Computers that connect to different networks, especially unmanaged networks, are more difficult to control; for example, portable computers that are connected to customer networks, or to public wireless fidelity (Wi-Fi) hotspots. In addition, unmanaged computers seeking to connect remotely to the network, such as users’ home computers, pose a challenge. As discussed earlier in the course, NAP is a policy enforcement platform that requires NAP infrastructure servers that are running Windows Server 2008 or later versions and NAP clients that are running Windows XP with Service Pack 3 (SP3), Windows Vista, or later operating systems. NAP lets you more strongly protect network assets by enforcing compliance with system health requirements. NAP provides the necessary software components to help make sure that computers connected or connecting to the network remain manageable, so they do not become a security risk to the network and other attached computers. This enables you to more confidently allow computers to connect to the network.
Access Control
After computers have connected to the network and have access to the server data, you can protect the integrity of the data by configuring appropriate file permissions. Make sure that you only grant permissions where it is required and grant the minimum permissions that are required. This is especially important if users from outside your organization are connecting to the network.
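The data-layer mitigations earlier in the module and the access control guidance above both come down to granting only the minimum NTFS permissions required. As an added example (not from the course material), this PowerShell audit walks a folder tree and lists access control entries that give broad built-in groups more than read access, and a second function tightens one such entry on a folder. The share path, the list of "broad" principals, and ReadAndExecute as the target level are assumptions for illustration.

```powershell
# Added example, not part of the course material. Run in an elevated session on
# the file server; the share path and the principal lists are assumptions.

function Get-BroadNtfsGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Well-known groups that should normally get no more than Read on sensitive data.
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'),

        # Rights that break least privilege when granted to such a group. Modify and
        # FullControl include these bits, so they are caught as well.
        [System.Security.AccessControl.FileSystemRights]$RiskyRights = 'Write, Delete, ChangePermissions, TakeOwnership'
    )

    # Audit the root folder and every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test on the flags enum; non-zero means at least one risky right is set.
            if (([int]$ace.FileSystemRights -band [int]$RiskyRights) -eq 0) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries must be fixed on the parent
            }
        }
    }
}

function Set-PrincipalReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Folder,
        [Parameter(Mandatory)] [string]$Principal
    )

    $acl = Get-Acl -LiteralPath $Folder

    # Drop every explicit Allow entry for the principal on this folder. Inherited
    # entries are left alone; they have to be changed where they are defined.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and $ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Principal) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # Re-grant read-only access that flows down to subfolders and files.
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($readOnly)

    if ($PSCmdlet.ShouldProcess($Folder, "Limit $Principal to ReadAndExecute")) {
        Set-Acl -LiteralPath $Folder -AclObject $acl
    }
}

# Usage: list the findings first, then preview one change with -WhatIf before applying it.
Get-BroadNtfsGrant -Path 'D:\Shares\Finance' | Format-Table -AutoSize
Set-PrincipalReadOnly -Folder 'D:\Shares\Finance' -Principal 'BUILTIN\Users' -WhatIf
```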
Physical Security Best Practices
To help reduce the physical security risks, consider the following points:
• Site security. Where you can, make sure that only authorized persons have access to the physical site where your computers are located. This is more difficult with branch offices, and also with certain commercial markets, such as retail.
• Computer security. Make sure that server computers, or any computer that contains or has access to important data, are physically secure. Ideally, put servers and their storage devices in computer rooms that are protected by physical security mechanisms such as smart card access or any level of per-user authentication. In high-security environments, consider implementing biometric security to make sure that only authorized persons can physically access your computers.
• Disable Log On Locally. The ability to log on interactively at a computer is a right that is typically granted to all users for all computers in your forest except for domain controllers. Where more security is required, consider disabling log on locally. If a user cannot log on, this reduces their ability to perform actions on the network. Data centers are typically required to have this level of access. In higher level security facilities, this could also be done for each server.
• Mobile device security. Mobile devices, for example portable computers and mobile telephones, give users the convenience of being able to access the corporate network from anywhere. However, this raises the possibility that these devices might be lost or stolen. Make sure that you implement appropriate security on mobile devices so that if they are lost or stolen, data is not compromised. Consider implementing remote wipe technologies on mobile devices such as Windows Mobile handsets. Consider implementing EFS and BitLocker Drive Encryption on portable computers.
• Removable devices and drives. Carefully consider whether the convenience of users being able to copy files to and from removable storage devices outweighs the security risk posed. If you decide that users will be able to use removable storage devices, consider implementing BitLocker To Go® on these devices. This provides data encryption on the device. Another important consideration is Active Directory Rights Management Service (AD RMS), which helps secure important data and makes sure that it cannot be read on any devices or in the cloud.
More information about Security Content can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309120
Lesson 3
Internet Security
Internet access has become much more prevalent in recent years, and it seems ever present for work productivity, personal development, and entertainment. As the demand for more integration of services and Internet connectivity grows, and users perform increasingly complex tasks on the Internet, there is an increase in related risks. This lesson explores the technologies and features that are available in Windows to help protect your Windows-based computers while connected to the Internet.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the risks posed by connecting to the Internet.
• Describe possible mitigations to these risks.
• Describe the Windows Server components and features that can help provide this Internet security.
• Describe Windows Internet Explorer® security settings.
• Configure Internet Explorer security settings.
What Are the Risks?
When you connect your computer to any untrusted network, including the Internet, you expose it to many potential security risks. Consider the security risks posed by the Internet in relation to the applications that you use when you are connected to the Internet. Common applications, and associated security risks, include the following:
• Email. An email message can contain a malicious payload. For example, the message might contain:
  o A malicious executable file that is attached to the message.
  o A request for personal information.
  o Inappropriate content.
  o Embedded links to unsafe websites.
Remember also that most email is sent in clear text, that is, not encrypted. This means that if the message is intercepted, anyone can read and potentially change the message contents. Additionally, most email is transmitted between hosts that have no knowledge of one another. Therefore, most email traffic is not authenticated. This makes it more difficult to determine the true originator of a message.
• Web browsing. A website can hide many security risks, including malicious programs. Common risks associated with websites include the following:
  o Plug-ins. These are applications that work with your browser to provide additional capabilities. For example, you can use plug-ins to enable your browser to view video files. They can expose security flaws in your browser.
  o ActiveX® controls. These small programs are downloaded by your browser to enable it to perform several specialized tasks. This includes manipulating data files or viewing specific file types. Malicious ActiveX controls can pose a security threat to your computer.
  o Cross-site scripting. By using this technique, an attacker can inject client-side scripts into webpages that your computer is viewing, even when the website you are viewing is considered a safe source.
  o Cookies. Cookies are used for authentication, session tracking, storage of website preferences, shopping cart contents, and many other potential uses. Because of the sensitive data that is stored in cookies, they can be misused.
It is also important to make sure that you have navigated to the appropriate site instead of to a bogus site masquerading as a legitimate site.
• Instant messaging (IM). This method of communicating with friends and colleagues is very popular. However, it has attracted the attention of malicious attackers. IM messages can contain links to unsafe websites, be used to start file transfers, remotely control sessions, or share files and content on your computer.
• Social networking. There are many social networking sites. These sites can pose the same security risks as any other website. However, remember that these sites exist as a way for you to share information, some of which may be personal information. Be careful when you share your personal information with other people.
• File download. Any file that you download from the Internet can come from an untrusted source and might contain harmful code. Make sure that you only download files from trusted sources and make sure that files are digitally signed so that you can easily determine the files’ origin. This is especially relevant for device drivers because files of this type, if malicious, can have a far more harmful effect on your computer.
• Computer updates. It is common for software that is installed on your computer, including the operating system, to periodically check for and download updates. This means that your computer is up to date, performs optimally, and remains secured through the application of security updates. However, software obtained from an untrusted source could use this update mechanism to download malicious code onto your computer. Make sure that you verify that the updates are safe.
In addition, just connecting to the Internet exposes your computer to possible security risks. For example, if you connect to the Internet from your home or from the office, the chances are that the connection is reliable and reasonably secure. However, when you connect to the Internet from a location such as a wireless hot spot, you might expose your computer to additional security risks. Also, be aware that the connection provided by the hot spot might in itself be secure; however, other computers that are connected to that hot spot might be compromised by security flaws that could then affect your computer. In addition, hot spots commonly provide an unsecured connection for easier wireless Internet access. Under these circumstances, data that your computer sends and receives can be captured and accessed by third parties. More information about the Security Risk Management Guide can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309119
Mitigating Risks
You can help reduce the chances of your computer’s security being compromised if you follow the defense-in-depth approach when you connect your computer to the Internet. When you perform common tasks on the Internet, consider the following points to help reduce security risks:
• Email. Implement email software, or use additional software with your email software, that supports the following important security features:
o Anti-spam control. Make sure that junk email is either quarantined or deleted. Anti-spam software can identify spam messages by using many different technologies.
o Antivirus control. Scan incoming and outgoing messages for viruses. Make sure that you keep the antivirus software up to date to provide sufficient protection against new and emerging threats.
o Attachment handling controls. Some email software, such as Microsoft Outlook®, enables you to configure how attachments of specific types are handled. For example, you can configure the email software to block attachments of file types that can contain malicious code, such as executable files.
o Authentication and encryption of network traffic. For example, connecting to a Microsoft Exchange Server account through Outlook Anywhere (also known as Remote Procedure Call over HTTP [RPC over HTTP]) is more secure than using Post Office Protocol version 3/Simple Mail Transfer Protocol (POP3/SMTP).
• Web browsing. A web browser should let you select appropriate security settings based on the trustworthiness of a website. For example, with Internet Explorer, you can define security settings for different security zones, such as Internet, Local intranet, Trusted sites, and Restricted sites. Security settings within the context of these zones include whether to download and run ActiveX controls, scripting behavior, and how to handle signed or unsigned content.
It is also important to implement security software when you browse the web. Suitable software should provide antivirus protection, spyware protection, identity protection, and a link scanner that can help identify unsafe websites before you visit them.
Finally, be cautious when you shop online. Only use sites that you trust, that can provide a digital certificate to verify their identity, and that give you redress should something go amiss with your order.
• IM. Many security software packages provide protection against viruses in files that you might receive by instant message. However, be careful about the information that you disclose during an instant message conversation, because these messages are frequently sent and received in clear text.
• Social networking. Make sure that you only disclose information through social networking sites that you are happy to see in the public domain. It is a good idea to limit the kind of information that you share. For example, disclosing details about your finances, combined with information about your address, can give an attacker sufficient information to steal your identity and commit fraud.
• File download. You can limit your exposure to unsafe downloads by implementing antivirus software. Additionally, by only downloading files from trusted sources and files that carry a digital signature, you can help reduce the security risk posed by downloads. Frequently, downloaded files
can appear safe but actually contain code that installs additional software that harms your computer. Windows implements a security feature known as User Account Control (UAC) that helps you control unintended software installations.
• Computer updates. To make sure that your computer updates are safe, only download updates from safe sources. Computers that are running Windows-based operating systems obtain their updates from the Microsoft Update website or from a local server within your organization that is running Windows Server Update Services (WSUS).
• Connecting to the Internet. When you connect to the Internet, make sure that you have enabled a host-based firewall. Computers that are running Windows-based operating systems implement Windows Firewall with Advanced Security. When you first connect to a new network, such as a wireless hot spot, you must specify whether the network is public or private. Windows Firewall with Advanced Security then adjusts the firewall settings based on your selection.
In addition to a host-based firewall, it is also a good idea to make sure that the router that connects to the Internet provides additional protection. Typical home-office Asymmetric Digital Subscriber Line (ADSL) routers provide Network Address Translation (NAT) and firewall functionality.
Note: Generally, do not use elevated accounts for surfing the web or accessing email. Use regular user accounts for those things, and use accounts that have more administrative rights only for their intended purpose.
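The host-firewall and least-privilege checks from the Connecting to the Internet point and the note above, as an added PowerShell example that is not part of the courseware: it reads the UAC policy values (UAC itself is described under User Account Control later in this lesson), flags any Windows Firewall profile that is not enforcing a default inbound block, and classifies an assumed Wi-Fi interface as a Public network. It assumes Windows 8 or Windows Server 2012 with the NetSecurity cmdlets and an elevated session for the final call.

```powershell
# Added example (not courseware code): audit the host-based protections the
# lesson describes on a Windows 8 / Windows Server 2012 computer.
# Assumes the NetSecurity cmdlets (Get-NetFirewallProfile, Get-NetConnectionProfile)
# and an elevated session for the Set-NetConnectionProfile call at the end.

function Get-UacState {
    # UAC policy is stored under this key; EnableLUA = 1 means UAC is on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled = ($p.EnableLUA -eq 1)
        # 0 = elevate silently (weak), 2 = prompt for consent on the secure
        # desktop, 5 = prompt for consent for non-Windows binaries (default).
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin
        # 0 = automatically deny, 1 or 3 = prompt a standard user for
        # administrator credentials, as the UAC section of this lesson describes.
        StandardUserPromptBehavior = $p.ConsentPromptBehaviorUser
        SecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Get-WeakFirewallProfile {
    # Every profile (Domain, Private, Public) should be enabled and should drop
    # unsolicited inbound traffic by default; explicit rules then allow exceptions.
    Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    } | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

Get-UacState

$weak = Get-WeakFirewallProfile
if ($weak) {
    Write-Warning 'Firewall profile(s) not enforcing a default inbound block:'
    $weak | Format-Table -AutoSize
} else {
    'All firewall profiles are enabled with a default inbound action of Block.'
}

# Which profile applies to a connection depends on how Windows classified the
# network when you first connected. List the current classification...
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# ...and, for an untrusted network such as a wireless hot spot, make sure the
# most restrictive (Public) profile applies. 'Wi-Fi' is an assumed interface alias.
Get-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -ErrorAction SilentlyContinue |
    Set-NetConnectionProfile -NetworkCategory Public
```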
Implementing Internet Security with Windows
Windows-based operating systems provide several security features that help make sure that connectivity to the Internet is secure.
User Account Control
User Account Control (UAC) is a security feature that helps prevent unauthorized changes to a computer. It does this by asking the user for permission or for administrator credentials before performing actions that could potentially affect the computer’s operation or that could change settings that affect multiple users.
By default, both standard users and administrators run applications and access resources in the security context of a standard user. The UAC prompt provides a way for a user to elevate his or her status from a standard user account to an administrator account without logging off, switching users, or using Run As. Because of this, UAC creates a more secure environment in which to run and install applications.
When a change is made to your computer that requires administrator-level permissions, UAC notifies you as follows:
• If you are an administrator, click Yes to confirm that you want to continue with administrative rights.
• If you are not an administrator, someone with an administrator account on the computer will have to enter his or her password for you to continue.
Providing administrative credentials for a standard user temporarily gives the user administrative privileges, but only to complete the current task. After the task is complete, permissions change back to those of a standard user. This makes sure that even if you are using an administrator account, changes cannot be made to your computer without your knowledge. This security can help prevent malicious software and unwanted third-party software from being installed on or making changes to your computer.
Windows Firewall
Windows Firewall is a host-based, stateful firewall. It drops incoming traffic that does not correspond to traffic sent in response to a request (solicited traffic) or to unsolicited traffic that is specified as allowed (accepted traffic). Windows Firewall helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Windows Firewall can also drop outgoing traffic and is configured by using the Windows Firewall with Advanced Security snap-in, which integrates rules for both firewall behavior and traffic protection with IPsec.
Windows Defender
Windows Defender on your Windows 8 client helps protect you from spyware and malicious software. Windows Defender is not antivirus software. Windows Defender offers three ways to help keep spyware from infecting the computer:
• Real-time protection is the mechanism that actively monitors for malware and alerts you when potentially unwanted software tries to install itself or run on the computer. It also alerts you when programs try to change important Windows settings.
• The Microsoft SpyNet® community helps you see how other people respond to software that has not yet been classified for risks. When you participate, your choices are added to the community ratings to help other people decide what to do.
• Scanning options are used to scan for unwanted software on the computer, to schedule scans regularly, and to automatically remove any malicious software that is detected during a scan.
Internet Explorer Security Settings
Internet Explorer security options help you secure your computer while providing a functional browsing environment. Internet Explorer has new functionality that helps protect computers against malicious software, and helps protect users against data theft from fraudulent websites. In addition, Internet Explorer comes with safe and easy add-on functionality that gives users full control over adding functionality to their online experiences, while at the same time avoiding unintended, unwanted software downloads.
Dynamic Security Options
The following table describes some of the most important dynamic security options that you can configure for Internet Explorer. Each option is listed together with its use.
ActiveX Filtering
Disables ActiveX controls to prevent potentially vulnerable controls from being exposed to attack. You can enable or disable ActiveX Filtering by going to the Tools menu and selecting ActiveX Filtering. If you visit a website that contains ActiveX controls, you receive a prompt and have the option of turning on the ActiveX controls for that site.
Security Report
If you go to a secure website, indicated by the https protocol, a lock appears in the address bar. By clicking that lock, you can view a security report that attempts to provide identification information about the website. You can also view the site’s certificate. You can also access the security report option from the Safety menu.
SmartScreen® Filter
Protects you against phishing sites, warns you when you visit potential or known fraudulent sites, and can block the site. The opt-in filter updates several times per hour with the latest security information from Microsoft and several industry partners. SmartScreen Filter is available from the Tools menu.
Delete Browsing History
Allows you to clean up cached pages, passwords, form data, cookies, and history.
Address Bar Protection
Displays an Address bar for every window, whether pop-up or standard, to help block malicious sites from emulating trusted sites.
International Domain Name Anti-Spoofing
Adds support for International Domain Names in Uniform Resource Locators (URLs), and notifies you when visually similar characters in the URL are not expressed in the same language. Therefore, it protects you against sites that could otherwise appear to be known, trusted sites.
URL Handling Security
Redesigned URL parsing ensures consistent processing and minimizes possible exploitation. The new URL handler helps centralize critical data parsing and increases data consistency.
Fix Settings for Me
Warns you with an Information Bar when current security settings might put you at risk, which can prevent you from browsing with unsafe settings. Within the Internet Options dialog box, certain items are highlighted in red when they are not safely configured. In addition, this option issues reminders that the settings remain unsafe. You can instantly reset Internet security settings to the Medium-High default level by clicking Fix Settings For Me in the Information Bar.
Manage Add-ons
Add-ons can potentially have a significant effect on performance. Manage Add-ons allows you to proactively manage the add-ons that are installed in your browser and choose to enable, disable, or uninstall them. Manage Add-ons is available from the Tools menu in Internet Explorer.
Tracking Protection
A feature that blocks third-party web content that could potentially track someone’s web activity. With Tracking Protection Lists, you can select which third-party sites can receive your information and track you online.
InPrivate Browsing
A feature that prevents Internet Explorer from storing data about your browsing session. This helps prevent anyone else who might be using your computer from seeing where you visited and what you looked at on the web.
Compatibility View
Allows you to view websites as if you were viewing them in previous versions of Windows. Some websites may have been designed for previous versions of Internet Explorer and as such do not display well in the version on your operating system. Compatibility View gives you the option to provide backward compatibility support to address this.
Protected Mode
Protected Mode provides Internet Explorer with the rights that you need to browse the web, while withholding the rights needed to silently install programs or change sensitive system data. In addition, Protected Mode helps protect against malicious downloads by restricting the ability to write to any local computer zone resources other than temporary Internet files. Web-based software cannot write to any location other than the Temporary Internet Files folder without explicit user consent.
Running programs with limited user rights instead of administrator rights offers better protection against attacks, because Windows can restrict malicious code from performing damaging actions. This additional defense helps make sure that scripted actions or automatic processes cannot download data to locations other than directories with lower rights, such as the Temporary Internet Files folder. Although Protected Mode does not protect against all forms of attack, it significantly reduces the ability of an attack to write, alter, or destroy data on the user’s computer, or to install malicious code.
Parental Controls
To help keep children safer online, parents can control browsing behavior through the Parental Control settings. In Windows 8, you can specify a child’s account type and also turn on Family Safety for reports of their computer usage. You can apply restrictions to many activities on the computer, such as playing games or surfing the Internet. You can also examine a child’s browsing session. The child lacks the necessary permissions to remove their session history.
Note: Parental Control settings are available only if the computer is not a member of a domain.
Manage Add-ons
The Internet Explorer Manage Add-ons console is designed to give you more control over Internet Explorer add-ons. Add-ons are a great way to introduce new functionality to your online experience. However, add-ons can also affect performance or potentially introduce malicious software to your computer. You can use the Manage Add-ons console to proactively review what has been installed and whether it is enabled or disabled. The console is broken down into the following categories:
• Toolbars and extensions
• Search providers
• Accelerators and Providers
• Tracking Protection
Depending on the type of add-on, you can disable or enable it, or remove it entirely. Before you disable or remove an add-on, keep in mind that some webpages, or Internet Explorer itself, might not display correctly if certain add-ons are disabled.
SmartScreen Filter
Businesses put a lot of effort into protecting computer assets and resources. Phishing attacks, a form of social engineering attack, can evade those protections and result in users giving up personal information. Most phishing scams target people in an attempt to extort money or commit identity theft.
SmartScreen Filter helps protect against impostor websites and general malware; it also adds a level of control around the warnings associated with these sites.
Demonstration: How to Secure Internet Explorer
In this demonstration, you will see how to disable an Internet Explorer add-on.
Demonstration Steps
1. Enable the Menu Bar, Command Bar, and Status Bar in Internet Explorer.
2. Turn on ActiveX Filtering.
3. View a webpage that uses an ActiveX control.
4. Turn on ActiveX Control filtering.
5. View Security Report.
6. View certificate errors on secure sites with no certificate or an unrecognized certificate.
7. View Manage Add-ons.
8. Add a website to Trusted Sites.
9. Disable Tabular Data Control.
Lab: Implementing IT Security Layers
Scenario
Alan Brewer has visited various Research department branch offices. On his return to head office, he produced a list of security concerns and sent them by email to Ed Meadows, your boss. Ed has tasked you with the resolution of these issues.
Objectives
After completing this lab, you will be able to:
• Suggest steps that an organization could take to provide physical security for a branch office.
• Configure Internet Explorer security settings.
Lab Setup
Estimated Time: 30 minutes
Virtual Machines: 10967A-LON-DC1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: ADATUM
Exercise 1: Implementing Physical Security
Scenario
The security issues that were identified revolve around the fact that many of the branch offices cannot be physically secured. After you have completed the incident record, propose how to best address Alan’s physical security concerns.
Supporting Documentation

Subject: RE: Branch offices security concerns
From: Ed Meadows [[email protected]]
Sent: May 6
To: [email protected]
Attached: Incident Record

Charlotte,
Please look at the attached incident record and review Alan’s concerns. Get a plan together for resolving these security concerns.
Thanks,
Ed

Subject: Branch offices security concerns
From: Alan Brewer [[email protected]]
Sent: May 5
To: [email protected]

Ed,
I just got back from the branches. I’m pretty worried that, given the sensitive nature of the data we handle in Research, physical security is pretty lax compared with the head office. I have listed my main concerns below:
• Laptops are used by research staff. The staff frequently takes the laptops home.
• In some branches, there is no dedicated room for the servers.
• We let external contract staff connect their own computers to our research networks.
• I notice that some personnel bring music files on USB drives into the offices.
Regards,
Alan
A. Datum Network Security Policy – Laptops
Document Reference Number: EM220109/1
Document Author: Ed Meadows
Date: January 22
Overview
This document defines the corporate policy about laptops and other portable computing devices within A. Datum Corporation.
Policies
1. Any network device that is moved from the offices of A. Datum Corporation must be configured in such a way that loss of the device does not lead to a compromise of the stored data.
2. Laptops can connect to other networks provided:
3. A suitable firewall is in place.
4. The computer is up to date with security updates.
5. Protection against viruses and malware is installed.
6. Portable storage devices are permitted for use on laptops as long as their loss does not compromise the data stored on them.
A. Datum Incident Record
Incident Reference Number: 501285
Call logged by: Ed Meadows
Date of call: May 10
Time of call: 10:50am
User: Alan Brewer
Status: OPEN
Incident Details
Call logged by information technology (IT) manager following inquiries at branch offices about physical security problems raised by Research department manager, Alan Brewer. Reported concerns:
1. Laptops are used by research staff. The staff frequently take the laptops home.
2. In some branches, there is no dedicated room for the servers.
3. External contract staff can connect their own computers to the research networks.
4. Staff use personal USB storage devices on work computers.
Questions
1. What security policies apply to the branch office laptops as defined in the A. Datum Network Security Policy – Laptops document?
2. What security concerns do you have about the branch offices?
3. How would you address the concerns you might have about laptop use?
4. How would you address the concerns you might have about the lack of dedicated server rooms?
5. How would you address the concerns you might have about contractor computer use?
6. How would you address the concerns you might have about removable storage devices?
7. Complete the following resolution section with a summary of your proposals.
Resolution:
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Complete the incident record.
Task 1: Read the supporting documentation
1. Read the email and the incident record to determine the possible problem causes.
2. Read the A. Datum Network Security Policy – Laptops document to determine whether you must enforce any changes at the branch based on corporate policies.
Task 2: Complete the incident record
1. Complete the Resolution section of the Incident Report by answering these questions.
2. What security policies apply to the branch office laptops as defined in the A. Datum Network Security Policy – Laptops document?
3. What security concerns do you have about the branch offices?
4. How would you address the concerns you might have about laptop use?
5. How would you address the concerns you might have about the lack of dedicated server rooms?
6. How would you address the concerns you might have about contractor computer use?
7. How would you address the concerns you might have about removable storage devices?
8. Complete the resolution section below with a summary of your proposals.
Results: After this exercise, you should have completed the incident record.
Exercise 2: Configuring Security Settings in Windows® Internet Explorer®
Scenario
When Alan returned from the branch offices, he had several problems with his laptop. You determined that these problems were related to his laptop’s Internet Explorer settings. You must verify that the settings are appropriate.
The main tasks for this exercise are as follows:
1. Verify the current Internet Explorer security settings.
2. Change the Intranet Zone security settings.
3. Test the security settings.
4. Add the website to the Trusted Sites list.
5. Test the security zone change.
6. View Security Report.
7. Revert the lab machines.
Task 1: Verify the current Internet Explorer security settings
1. Make sure that you are logged on to the 10967A-LON-DC1 virtual machine with user account ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer.
3. What is the current security level for the local intranet zone?
Task 2: Change the Intranet Zone security settings
1. Change the security settings for the local intranet zone to High.
2. Enable Protected Mode for the local intranet zone.
Task 3: Test the security settings
1. Open Internet Explorer.
2. Enable the Menu, Command, and Status bars.
3. Browse to http://lon-dc1/intranet.
4. Which security zone is this website listed as being in?
5. Is Protected Mode turned on or off for this website?
6. On the A. Datum Intranet Home page, click Current Projects.
7. Did the webpage load correctly?
8. In Manage Add-ons, can you see the Tabular Data Control add-on?
9. What is the default search provider?
10. Close the A. Datum Projects webpage.
Task 4: Add the website to the Trusted Sites list
1. What is the current security level for the trusted sites zone?
2. Add the http://lon-dc1 site to the Trusted sites list.
3. Which security zone is this website listed as being in now?
Task 5: Test the security zone change
1. On the A. Datum Intranet home page, click Current Projects.
2. Did the projects list populate?
3. In Manage Add-ons, can you see a Tabular Data Control add-on?
4. Use the Tools menu to turn off ActiveX Filtering.
5. Close Internet Explorer.
Task 6: View Security Report
1. Go to the website https://www.microsoft.com.
2. Notice the lock icon that now appears in the address bar.
3. Click the lock icon.
4. A website identification dialog box appears. It contains information about the identity of the website and, if the site has a certificate, who (if anyone) has verified the site. You can also view the certificate.
Task 7: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After this exercise, you should have modified Internet Explorer security settings.
Question: In the lab, you were concerned primarily with physical security concerns. What potential support issues might arise following implementation of your proposed changes? Specifically, what issues might arise surrounding the encryption of files and volumes and the prohibition of USB storage devices?
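To verify the same zone settings outside the Internet Options dialog box, here is an added PowerShell example (not part of the lab) that reads the per-user registry values behind the Local intranet and Trusted sites zones: the security level, Protected Mode, the ActiveX run setting, and whether http://lon-dc1 has been mapped to a zone. It assumes the standard Internet Settings key layout and checks both the Domains and EscDomains ZoneMap keys, because IE Enhanced Security Configuration on Windows Server records sites under the latter.

```powershell
# Added example (not part of the lab): read the Internet Explorer zone settings
# that Tasks 1 to 5 ask you to verify, straight from the current user's registry.
# Assumes the standard Internet Settings key layout; 'lon-dc1' is the lab web server.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Zone numbers, and the CurrentLevel values behind the slider in Internet Options.
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$levelNames = @{ 0x13000 = 'Low'; 0x10500 = 'Medium-low'; 0x10000 = 'Medium'; 0x11000 = 'Medium-high'; 0x12000 = 'High' }

function Get-IEZoneState {
    param([int]$Zone)
    $p = Get-ItemProperty -Path "$zonesKey\$Zone"

    # Value 2500 = Protected Mode (0 enabled, 3 disabled).
    # Value 1200 = Run ActiveX controls and plug-ins (0 enable, 1 prompt, 3 disable).
    $activeX = if ($null -eq $p.'1200') { 'not set' } else {
        switch ([int]$p.'1200') { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown ($_)" } }
    }
    $level = if ($null -ne $p.CurrentLevel -and $levelNames.ContainsKey([int]$p.CurrentLevel)) {
        $levelNames[[int]$p.CurrentLevel]
    } else { 'Custom' }

    [pscustomobject]@{
        Zone          = $zoneNames[$Zone]
        Level         = $level
        ProtectedMode = ($p.'2500' -eq 0)
        RunActiveX    = $activeX
    }
}

function Get-IEZoneMapping {
    param([string]$HostName)
    # A site added to Trusted sites is recorded as ZoneMap\Domains\<host>, with a
    # value named after the scheme (http, https or *) holding the zone number.
    # With IE Enhanced Security Configuration on, EscDomains is used instead.
    foreach ($sub in 'Domains', 'EscDomains') {
        $key = "$zoneMapKey\$sub\$HostName"
        if (-not (Test-Path $key)) { continue }
        $v = Get-ItemProperty -Path $key
        foreach ($scheme in 'http', 'https', '*') {
            $prop = $v.PSObject.Properties[$scheme]
            if ($prop) {
                [pscustomobject]@{ Key = $sub; Host = $HostName; Scheme = $scheme; Zone = $zoneNames[[int]$prop.Value] }
            }
        }
    }
}

# Tasks 1 to 3: level, Protected Mode and ActiveX setting for each zone (zone 1 is Local intranet).
0..4 | ForEach-Object { Get-IEZoneState -Zone $_ } | Format-Table -AutoSize

# Task 4: has http://lon-dc1 been assigned to Trusted sites (zone 2) for this user?
$mapping = Get-IEZoneMapping -HostName 'lon-dc1'
if ($mapping) { $mapping | Format-Table -AutoSize } else { 'lon-dc1 is not explicitly assigned to a zone.' }
```

Run it as the same user who changed the settings in Internet Explorer, since the values are per user (HKCU).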
Module Review and Takeaways
Best Practice: Best practices for implementing defense-in-depth. Supplement or change the following best practices for your own work situations:
• Create specific rules that help prevent social engineering, and educate users on these rules and their relevance.
• Restrict physical access to servers by locking doors, and then monitor server room access.
• Implement firewalls at network boundaries.
• Implement NAT.
• Use virtual private networks (VPNs) and implement network encryption.
• Segment the network.
• Require mutual authentication.
• Restrict switch ports and wireless access points based on media access control (MAC) address or client certificates.
• Harden operating systems.
• Monitor access attempts.
• Implement antivirus and antispyware software.
• Implement host-based firewalls.
• Run applications with the least user rights possible.
• Install security updates.
• Enable only required features and functionality.
• Implement and configure suitable NTFS or ReFS file system permissions.
• Implement file and volume encryption.
• Implement rights management.
Review Questions
Question: Why is it important to educate users about your organization’s acceptable use policy?
Question: How could you help reduce the risk that your wireless network is the target of unauthorized packet sniffing?
Question: What are the risks associated with allowing your users to connect their laptops to Wi-Fi hotspots?
Module 9
Implementing Security in Windows Server
Contents:
Module Overview 9-1
Lesson 1: Overview of Windows Security 9-2
Lesson 2: Securing Files and Folders 9-15
Lesson 3: Implementing Encryption 9-27
Lab: Implementing Security in Windows Server 9-35
Module Review and Takeaways 9-40
Module Overview
As organizations expand the availability of network data, applications, and systems, it becomes more challenging to ensure network infrastructure security. Security technologies in the Windows Server® operating system enable organizations to provide better protection for their network resources and organizational assets in increasingly complex environments and business scenarios. This module reviews the tools and concepts available for implementing security in a Windows® infrastructure.
Objectives
After completing this module, you will be able to:
• Describe the Windows Server features that help improve the network’s security.
• Explain how to secure files and folders in a Windows Server environment.
• Explain how to use Windows Server encryption features to help secure access to resources.
Lesson 1
Overview of Windows Security
Windows Server 2012 includes many features that provide different methods for implementing security. These features combine to form the core of Windows Server 2012 security functionality. Understanding the concepts covered in the previous module and combining them with specific Windows Server 2012 features and functionality covered in this module is critical to maintaining a secure environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe authentication and authorization.
• Describe User Account Control (UAC).
• Describe file and shared folder permissions.
• Describe account lockout and password policies.
• Describe fine-grained password policies.
• Describe security auditing features.
• Describe the use of digital certificate encryption.
What Is Authentication and Authorization?
Security in a Windows infrastructure relies on accounts and their passwords, such as a user name and password or computer accounts and their passwords. The user name and password combination allows a user to gain access to network resources as specified by the user account’s permissions. As described earlier in the course, this process is typically broken down into two components: authentication and authorization. These concepts are described in a bit more detail in the following sections.
Authentication
Authentication verifies that someone is who they claim to be. Authentication distinguishes legitimate users from uninvited guests, and is the most visible and fundamental concept in security. In private and public computer networks (including the Internet), the most common authentication method that is used to control access to resources involves verification of a user’s credentials—that is, a user name and a password.
However, the user name and password combination is only one way of authentication. Other mechanisms and tools can also be used in the Windows Server 2012 environment to add multiple layers to the authentication process. This makes sure that users’ identities on the network are legitimate and secure. Some of the other mechanisms available include the following:
• Smart cards. A smart card refers to a credit-card shaped device that contains specific digital information, in most cases used to specifically identify a person. A user name and certificate is present
MCT USE ONLY. STUDENT USE PROHIBITED
Fundamentals of a Windows Server Infrastructure
9-3
on the card and a password or pin is required to access that certificate and prove your identity. Smart cards increase security because the user must have possession of the card know the correct password or pin that is tied to the certificate. Smart cards can also be used to provide physical security to help in controlling building or room access. •
Universal serial bus (USB) tokens. These are similar in principal to smart cards because they can contain a certificate, and a pin or password is required to access that certificate. One advantage of USB tokens over smart cards is that USB tokens don’t require a specialized reader to be able to use them.
•
Biometrics. The term biometrics refers to the measuring of an unchanging physical or behavioral characteristic to uniquely identify a given person. Fingerprints are the most common form of implemented biometrics. Other possibilities include facial recognition, iris scanning, and voice recognition. Biometric devices are most frequently used to provide an added measure of security in environments where highly sensitive data is involved. The level of security they provide can vary, depending on the hardware. That is, how accurate the fingerprint readers are, if they are built in, or if the signals of the readers can be recorded and replayed.
A range of third-party solutions could also be implemented if you want.
Authorization
Authorization is the process of determining whether a user or computer is permitted access to a resource and what the appropriate level of access is, usually known as access control. This could include authorization to read, change, or delete files and folders, or combinations of these. It could also include authorization to access services such as remote access or other permissions. Authorization has two main components or phases:
1. The initial definition of permissions for system resources by the owner of a specific resource or a system administrator.
2. The subsequent checking of permission values by the system or application when a user tries to access a system resource.
Note: You can have authorization (access to resources) without first providing authentication (entering a user name and password). This occurs many times in modern computing. For example, when you access a webpage on the Internet, you are accessing the resources on that web server (pages, graphics, and so on) without providing any kind of authentication to the web server. So when defining authorization, an administrator can allow any known user, or even any anonymous user, to access data.
You can also “audit” the access to resources by individuals or devices. This additional step of auditing access to some resources provides another security layer to a defense-in-depth strategy.
Implementing Security in Windows Server
What Is User Account Control?
The Administrator account or other administrative accounts—that is, any account that has some administrative rights, such as a delegated administrator, printer operator, or any other group that has elevated rights—carry with them a larger degree of security risk than a normal user account. For example, when the Administrator account, or a member of the Administrators group, is logged in, its privileges allow access to the whole Windows operating system. This includes the registry, system files, and configuration settings. As long as an Administrator account is logged in, the system is vulnerable to attack and can potentially be compromised. The use of other administrative accounts tries to limit the access to specific areas, but these accounts still carry with them a degree of risk if used with malicious intent. UAC provides a method by which all users can be aware of the way their account privileges are being used on the computer.
UAC in Windows Server 2012
Turning on UAC ensures that both standard users and administrators can access resources and run applications in the security context of a standard user.
UAC checks for administrative permissions, and prompts the user when an application requires them. The user can select whether to grant the application the desired permissions. Users do not have to log off, switch users, or use the Run As Administrator command. In this manner, UAC provides a secure environment for running and installing applications. When an application requires administrator-level permission, UAC notifies you:
• If you are an administrator, you can click Yes to elevate your permission level and continue. This process of requesting approval is known as Admin Approval Mode.
Note: In Windows Server 2008 R2 and Windows Server 2012, Admin Approval Mode is disabled on the built-in Administrator account. This results in no UAC prompts when using the local Administrator account.
• If you are not an administrator, the user name and password for an account that has administrative permissions must be entered. Providing administrative credentials temporarily gives you the administrative privileges required to complete the task. After the task is complete, your permissions are returned to those of a standard user.
This process of notification and elevation of privileges means that even if you are using an administrator account, changes cannot be made to your computer without you knowing about it, which can help prevent malicious software (malware) and spyware from being installed on or making changes to your computer. UAC allows certain system-level changes to occur without prompting, even when logged on as a local user:
• Install updates from Windows Update.
• Install drivers from Windows Update or those that are packaged with the operating system.
• View Windows settings.
• Pair Bluetooth devices with the computer.
• Reset the network adapter and perform other network diagnostic and repair tasks.
Modifying UAC Behavior
The UAC notification experience can also be modified in the User Accounts section of User Account Control Settings in Control Panel to adjust the frequency and behavior of UAC prompts. With the use of a slider, you can select from four options for the level of notification:
• Always notify me
• Notify me only when apps try to make changes to my computer (default)
• Notify me only when apps try to make changes to my computer (do not dim my desktop)
• Never notify me
UAC can also be configured using Group Policy. The Group Policy settings can be found in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. Here, the following settings can be configured for UAC:
• User Account Control: Admin Approval Mode for the built-in Administrator account
• User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
• User Account Control: Behavior of the elevation prompt for standard users
• User Account Control: Detect application installations and prompt for elevation
• User Account Control: Only elevate executables that are signed and validated
• User Account Control: Only elevate UIAccess applications that are installed in secure locations
• User Account Control: Run all administrators in Admin Approval Mode
• User Account Control: Switch to the secure desktop when prompting for elevation
• User Account Control: Virtualize file and registry write failures to per-user locations
Note: To fully disable the UAC prompts, you need to configure the Group Policy setting User Account Control: Run all administrators in Admin Approval Mode. You must restart your computer when you enable or disable UAC. Changing the level of notification does not require that you restart your computer.
Also, the Group Policy setting User Account Control: Switch to the secure desktop when prompting for elevation is an important setting. When you are prompted for approval or denial in the UAC dialog box, the computer desktop is “dimmed” and no other programs can run until approval or denial is selected. After a selection is made, the desktop will no longer be dimmed. The term secure desktop in this context is also known as dimming the desktop.
Question: From a system administrator viewpoint, what are some of the advantages and benefits of UAC?
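As an added example (not part of the courseware), the following Windows PowerShell function reads the registry values that back the UAC Group Policy settings listed above and flags weak configurations. The mapping from registry value names to policy names is an assumption taken from Microsoft's UAC documentation rather than from this page, and the script assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example: report UAC posture from the registry values under
# HKLM\...\Policies\System. The value-name-to-policy mapping is an assumption
# based on Microsoft's UAC documentation, not on the courseware text.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value -> (Group Policy setting name, expected value on a hardened server)
$expected = [ordered]@{
    EnableLUA                = @('Run all administrators in Admin Approval Mode', 1)
    FilterAdministratorToken = @('Admin Approval Mode for the built-in Administrator account', 1)
    PromptOnSecureDesktop    = @('Switch to the secure desktop when prompting for elevation', 1)
    EnableInstallerDetection = @('Detect application installations and prompt for elevation', 1)
    EnableSecureUIAPaths     = @('Only elevate UIAccess applications that are installed in secure locations', 1)
    EnableUIADesktopToggle   = @('Allow UIAccess applications to prompt for elevation without using the secure desktop', 0)
    EnableVirtualization     = @('Virtualize file and registry write failures to per-user locations', 1)
}

# ConsentPromptBehaviorAdmin: 0 = elevate without prompting (no UAC protection),
# 1 = credentials on secure desktop, 2 = consent on secure desktop, 3 = credentials,
# 4 = consent, 5 = consent for non-Windows binaries (the default).
$adminPromptText = @{ 0 = 'Elevate without prompting'; 1 = 'Credentials (secure desktop)';
                      2 = 'Consent (secure desktop)';  3 = 'Credentials';
                      4 = 'Consent';                   5 = 'Consent for non-Windows binaries' }

function Get-UacPosture {
    $props = Get-ItemProperty -Path $uacKey

    foreach ($name in $expected.Keys) {
        $policy, $want = $expected[$name]
        $actual = $props.$name
        # A missing value means the built-in default applies; report it rather than guess.
        if ($null -eq $actual)      { $status = 'NotSet' }
        elseif ($actual -eq $want)  { $status = 'OK' }
        else                        { $status = 'WEAK' }
        [pscustomobject]@{
            Setting  = $policy
            Registry = $name
            Actual   = $actual
            Expected = $want
            Status   = $status
        }
    }

    # The elevation prompt behavior is a multi-valued setting: only 0 removes the prompt.
    $cpba = $props.ConsentPromptBehaviorAdmin
    if ($null -eq $cpba)  { $text = 'NotSet'; $status = 'NotSet' }
    elseif ($cpba -eq 0)  { $text = $adminPromptText[[int]$cpba]; $status = 'WEAK' }
    else                  { $text = $adminPromptText[[int]$cpba]; $status = 'OK' }
    [pscustomobject]@{
        Setting  = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
        Registry = 'ConsentPromptBehaviorAdmin'
        Actual   = $text
        Expected = 'Any prompting value (1-5)'
        Status   = $status
    }
}

# Any WEAK row maps back to the Group Policy setting of the same name in Security Options.
# As the note above says, a change to EnableLUA only takes effect after a restart.
Get-UacPosture | Format-Table -AutoSize -Wrap
```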
File and Folder Permissions
The files and folders stored on a server can contain many forms of data. As an administrator, you might not want all users on the network to be able to perform certain operations on specific files and folders. After a user or group is authenticated, they can be granted permissions to access files and folders. There are three main categories of permissions: file, folder, and shared folder permissions.
File and folder permissions
File and folder permissions are available in Windows Server 2012 with the following file system types:
• New Technology File System (NTFS)
• Resilient File System (ReFS)
From a permissions point of view, both NTFS and ReFS provide this functionality. Permissions are assigned to files and folders on NTFS or ReFS volumes and govern the access given to users who attempt to access the files. Permissions are assignable to individual files and folders or to sets of them. File Allocation Table 32 (FAT32) does not allow for permissions at the file and folder level.
Shared folder permissions
Shared folder permissions are available in Windows Server 2012 with the following file system types:
• FAT32
• NTFS
• ReFS
When a local folder is shared or made accessible to the rest of the network, a separate set of permissions is assigned to the folder. Those permissions control users’ access to the files from a network location. Shared folder permissions are assignable only to a folder or group of folders, not to individual files.
Note: Shared folder permissions can be combined with the file and folder permissions to provide a two-level set of permissions for that specific folder when accessed over the network.
Note: Both file and folder permissions and shared folder permissions have a variety of access levels that can be granted or denied to a specific user or group of users. These levels will be covered in detail later in this module, along with a discussion of some of the differences between NTFS and ReFS.
Dynamic Access Control
New in Windows Server 2012, Dynamic Access Control allows access to files and folders to be controlled by central policies that are conditional and built around attributes and claims. For example, if a document has an attribute linking it to a particular department, administrators can create a policy that allows access to the document only if a user is a member of that department, or possibly if a user has a Full Time Employee attribute. Dynamic Access Control is a powerful technology that allows for much more granular control and greater centralized management over file and folder access. It builds upon the existing NTFS and share permissions and combines multiple criteria into the access decision, so users must satisfy the NTFS permissions, the share permissions, and the Central Access Policies defined by Dynamic Access Control to gain access to the file. The central policies are enforced regardless of how the share and NTFS permissions might change. Implementing Dynamic Access Control reduces security group complexity, supports more robust adherence to compliance regulations, and protects sensitive information. Also, with Dynamic Access Control, you can extend the functionality of an existing access control model.
Account Policies
The security provided by a password system depends on keeping the passwords secret at all times and on ensuring that the passwords used have a level of complexity that makes them hard to guess. Brute force attacks occur when a hacker uses tools that try all possible letter and number combinations to guess a user name and password.
Administrators can help protect their systems by defining account policies such as password or lockout policies. These policies can require users to change their password regularly, specify a minimum password length, require passwords to meet certain complexity requirements, and define the criteria for when an account becomes locked or inaccessible. A domain’s account policy settings are controlled by a number of Group Policy settings related to accounts and passwords. You can configure account policy settings by accessing the following location from the Group Policy Management Console (GPMC): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies. The following table outlines the various policies that you can define for password policies.

Policy: Password must meet complexity requirements
What it does: Requires that passwords:
• Be at least as long as specified by the Minimum Password Length, with a minimum of three characters if the Minimum Password Length is set to 0.
• Contain a combination of at least three of the following characteristics: uppercase letters, lowercase letters, numbers, an alphanumeric combination, and symbols (!#% and so on).
• Do not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple letters or numbers. You can instruct users to use pass phrases to create long passwords that are easy to remember.

Policy: Enforce password history
What it does: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
Best practice: Enforcing password history ensures that passwords that have been compromised are not used over and over. If you select too low a number, some users might change their passwords a couple of times to get the old one back, so you should use a large enough value to enforce unique new passwords. For example, some companies might use values of 10 or 20 or greater.

Policy: Maximum password age
What it does: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
Best practice: Set a maximum password age of 30–70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.

Policy: Minimum password age
What it does: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least one day. By doing so, you require that the user can change their password only once a day. This will help to enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse their original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing their original password on the same day.

Policy: Minimum password length
What it does: Specifies the fewest number of characters a password can have.
Best practice: Set the length between eight and 12 characters (provided that the characters also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or common phrase. If you change the attribute in the domain object directly, you can use longer passwords. You can also use longer passwords if you use fine-grained password policies.

Policy: Store passwords using reversible encryption
What it does: Stores the password by using encryption that can be reversed in order for specific applications to verify the password.
Best practice: Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.
Note: Password settings that use Group Policy need to be either in the default domain policy or in a policy linked to the domain. Organizational unit (OU)–level Group Policy Objects (GPOs) would only apply to local accounts of computers to which the GPO applies. This is explained in more detail in Module 6, “Windows Server Roles.”
The following table outlines the various policies that you can define to govern account lockout policies, for example, controlling what actions to take if a user repeatedly fails to enter a valid password when logging on to the system.

Policy: Account lockout threshold
What it does: Specifies the number of failed logon attempts allowed before the account is locked out. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect logon information three times.
Best practice: A setting from 3 through 5 will allow for reasonable user error and limit repeated logon attempts for malicious purposes.

Policy: Account lockout duration
What it does: Allows you to specify a timeframe, in minutes, after which the account will automatically unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. In most situations a duration of 30 to 90 minutes should work well.

Policy: Reset account lockout counter after
What it does: Defines a timeframe for counting the incorrect logon attempts. If the policy is set for one hour and the account lockout threshold is set for three attempts, a user can enter the incorrect logon information three times within one hour. If they enter the incorrect information twice but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
Best practice: Using a timeframe of 30 to 60 minutes is sufficient to deter automated attacks and manual attempts by an attacker to guess a password.

Note: Although account lockout settings are a security option, they can also become a denial-of-service vector. For example, a malicious user could go to an external-facing company website, such as web mail, and enter a known user name and the wrong password several times, which could render that account unusable to its owner for a period of time, or even require Help Desk interaction. You should be aware of and carefully consider the account lockout policies before implementing them to ensure that you fully understand the implications.
Question: What would be the effect on a user’s account if the user entered his or her password incorrectly five times between 10:00 A.M. and 10:25 A.M. with the following settings applied to the account?
• Account lockout threshold: 4
• Account lockout duration: 60 minutes
• Reset account lockout counter after: 30 minutes
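The following Windows PowerShell function is an added example, not part of the courseware: it reads the effective default domain policy with Get-ADDefaultDomainPasswordPolicy and compares each setting with the best-practice ranges given in the two tables above. It assumes the ActiveDirectory module (RSAT) is installed and that the session runs as a domain user on a domain-joined computer.

```powershell
# Added example: check the default domain password and lockout policy against the
# best-practice ranges from the tables above. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # "Never expires" and "locked until an administrator unlocks" come back as very
    # large or zero TimeSpans, so they fall outside the ranges and get flagged.
    $maxAgeDays  = $p.MaxPasswordAge.TotalDays
    $minAgeDays  = $p.MinPasswordAge.TotalDays
    $lockoutMins = $p.LockoutDuration.TotalMinutes
    $windowMins  = $p.LockoutObservationWindow.TotalMinutes

    $checks = @(
        @{ Policy = 'Password must meet complexity requirements'; Actual = $p.ComplexityEnabled
           Recommended = 'Enabled';         Ok = ($p.ComplexityEnabled -eq $true) }
        @{ Policy = 'Enforce password history';                  Actual = $p.PasswordHistoryCount
           Recommended = '10 or more';      Ok = ($p.PasswordHistoryCount -ge 10) }
        @{ Policy = 'Maximum password age';                      Actual = "$maxAgeDays days"
           Recommended = '30-70 days';      Ok = ($maxAgeDays -ge 30 -and $maxAgeDays -le 70) }
        @{ Policy = 'Minimum password age';                      Actual = "$minAgeDays days"
           Recommended = '1 day or more';   Ok = ($minAgeDays -ge 1) }
        @{ Policy = 'Minimum password length';                   Actual = $p.MinPasswordLength
           Recommended = '8-12 characters'; Ok = ($p.MinPasswordLength -ge 8) }
        @{ Policy = 'Store passwords using reversible encryption'; Actual = $p.ReversibleEncryptionEnabled
           Recommended = 'Disabled';        Ok = ($p.ReversibleEncryptionEnabled -eq $false) }
        @{ Policy = 'Account lockout threshold';                 Actual = $p.LockoutThreshold
           Recommended = '3-5 attempts';    Ok = ($p.LockoutThreshold -ge 3 -and $p.LockoutThreshold -le 5) }
        @{ Policy = 'Account lockout duration';                  Actual = "$lockoutMins minutes"
           Recommended = '30-90 minutes';   Ok = ($lockoutMins -ge 30 -and $lockoutMins -le 90) }
        @{ Policy = 'Reset account lockout counter after';       Actual = "$windowMins minutes"
           Recommended = '30-60 minutes';   Ok = ($windowMins -ge 30 -and $windowMins -le 60) }
    )

    foreach ($c in $checks) {
        if ($c.Ok) { $status = 'OK' } else { $status = 'REVIEW' }
        [pscustomobject]@{
            Policy      = $c.Policy
            Actual      = $c.Actual
            Recommended = $c.Recommended
            Status      = $status
        }
    }
}

# REVIEW means "decide deliberately": as the note above explains, a lockout threshold
# also lets someone lock legitimate users out, so the values are a trade-off.
Test-DomainAccountPolicy | Format-Table -AutoSize
```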
Fine-Grained Password Policies
In an Active Directory® Domain Services (AD DS) environment, standard password and account lockout policies are applied to the entire domain. This behavior might not be desired by organizations that require different password and account lockout policies for different groups of users. Fine-grained password policies provide the solution to this issue. Fine-grained password policies allow an administrator to apply multiple, unique password policies to multiple users or groups within the same domain.
To do this, the password and account lockout policy settings are stored within an Active Directory object called a Password Settings object (PSO). All PSOs are stored within a parent container called the Password Settings Container (PSC). By default, the PSC is created under the System container for the domain. You can create fine-grained password policies by opening the Active Directory Administrative Center, selecting Local, clicking System, and then choosing the Password Settings Container. You can then select New and Password Settings from the Actions pane.
You can apply these multiple password policies to a user or to a global security group in a domain, but not to an organizational unit (OU). If you wish to apply the password policies to an OU, you can create a shadow group, which is a global security group that is logically mapped to an OU. Any changes made to the OU must then also be made to the shadow group.
Within the Create Password Settings dialog box in the Active Directory Administrative Center, some of the settings you can specify are the following:
• Name. This is the name of the password setting.
• Precedence. This value determines which password policy to use when more than one password policy applies to a user or group. When there is a conflict, the password policy that has the lower precedence value has higher priority. Values are typically assigned in multiples of ten or one hundred.
• Password must meet complexity requirements. Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain three of the following five characteristics:
  o Uppercase letters (A, B, C,…Z)
  o Lowercase letters (a, b, c…z)
  o Numbers (0, 1, 2,…9)
  o Alphanumeric combination (for example, 3B9ak4L)
  o Symbols (~!@#$%^ and others)
Each of the following also has the option to enforce the setting, and the ability to specify a value:
• Minimum password length (characters). The minimum number of characters a password must contain.
• Number of passwords remembered. The number of passwords that are remembered and cannot be reused.
• User cannot change password within (days). Length of time in days during which a user is not able to change their password.
• User must change password within (days). Length of time in days within which a user must change their password.
• Account lockout policy. Includes the following settings:
  o Number of failed logon attempts allowed
  o Reset failed logon attempts counter after (mins)
  o Account will be locked out: either for a duration of (mins), or until an administrator manually unlocks the account
You can then specify which users or groups the particular policy applies to.
Alternatively, you can use Windows PowerShell® to create and manage fine-grained password policies. For example, to create a fairly standard fine-grained policy using Windows PowerShell, type the following (the cmdlets are provided by the ActiveDirectory module).
# Create a PSO with a 30-minute lockout, a 20-minute observation window, 10 allowed failures, complexity on and 8-character minimum
New-ADFineGrainedPasswordPolicy -Name TestPasswordPolicy -Precedence 100 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:20:00 -LockoutThreshold 10 -ComplexityEnabled $true -MinPasswordLength 8
To view the newly created policy, type the following.
Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"}
To view a list of the available Windows PowerShell commands for fine-grained password policies, type the following.
help *FineGrained*
More information about Windows PowerShell cmdlets for fine-grained password policies can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309139
After a PSO is created, it can be linked to one or more AD DS users or global security groups. After it is linked, the settings defined within that PSO will apply to the linked users or groups. If no fine-grained password policy applies to a user, the default domain password policy from Group Policy applies. If any fine-grained password policy applies, the domain policy is not considered.
With fine-grained password policies, you can have multiple password policies in a single domain. As a result, a user might have multiple PSOs assigned to him or her. If a user has multiple PSOs applied, you can view the resultant “winning” policy by using the gpresult.exe tool from the Command Prompt or the Get-ADUserResultantPasswordPolicy cmdlet.
Note: A PSO cannot be linked to an Active Directory OU; it can be linked only to AD DS users and groups.
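The following is an added example (not the courseware's own procedure) that ties together the shadow-group technique, the PSO creation and linking, and the resultant-policy check described above. The OU distinguished name, group name, PSO name and user name are placeholders; it assumes the ActiveDirectory module and rights to create groups and PSOs.

```powershell
# Added example: apply a fine-grained password policy to an OU via a shadow group,
# then show which policy actually wins for a user. Names below are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    # Create (if needed) a global security group whose membership mirrors the
    # users in an OU. Re-run after OU changes, as the text above requires.
    param([string]$OU, [string]$GroupName)

    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $OU -PassThru
    }
    $ouUsers = @(Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter * |
                 Select-Object -ExpandProperty DistinguishedName)
    $members = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user' |
                 Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
    $toRemove = @($members | Where-Object { $_ -notin $ouUsers })
    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    return $group
}

function Get-EffectivePasswordPolicy {
    # Lowest precedence PSO wins; with no PSO linked, the domain policy applies.
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { return $pso }
    return Get-ADDefaultDomainPasswordPolicy
}

$ou    = 'OU=ServiceDesk,DC=contoso,DC=com'        # placeholder OU
$group = Sync-ShadowGroup -OU $ou -GroupName 'ServiceDesk-Shadow'

# Stricter policy than the domain default; precedence 100 leaves room for
# more specific PSOs (lower numbers) to override it later.
$pso = New-ADFineGrainedPasswordPolicy -Name 'ServiceDesk-PSO' -Precedence 100 `
    -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -Description 'Service Desk policy, applied through the ServiceDesk-Shadow group' -PassThru

# Link the PSO to the shadow group (a PSO cannot be linked to the OU itself).
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# Verify what a user in the OU actually gets.
Get-EffectivePasswordPolicy -User 'jdoe' |     # placeholder user
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold
```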
Auditing Features
Auditing is the process that tracks user activity by recording selected events in a security log. Auditing provides a recorded log of access and activity, allowing an administrator to determine whether or not resources are being accessed and used appropriately and according to policy. Auditing logs the following information regarding system activity:
• What occurred?
• Who did it?
• When did the event occur?
• What was the result?
It is important to be clear that enabling auditing only tells the server that it needs to track whether someone is making changes in that area. What is audited depends on the settings of the individual components, such as files, folders, registry keys, or Active Directory security settings.
You can configure auditing within the Group Policy Management Editor. Here, there are two sets of auditing policy settings available. The first set is available under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These are basic settings that are applicable to all operating systems since Windows 2000. This set provides nine different auditing options. The second set includes newer, more advanced auditing options that are available under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies. These are only applicable in Windows Server 2008, Windows Vista®, Windows 8, and Windows Server 2012. This set provides 53 different auditing options covering the following areas:
• Account Logon
• Account Management
• Detailed Tracking
• DS Access
• Logon/Logoff
• Object Access
• Policy Change
• Privilege Use
• System
• Global Object Access Auditing
Basic and advanced auditing settings are not compatible with each other. As soon as the advanced settings are applied, they clear all the existing basic auditing policy settings. You therefore need to be careful when applying and using both sets of auditing options, because they are applied differently and can cause confusion about what the effective auditing policy is. You can view the audited events in the respective logs within Event Viewer.
Note: By default, auditing is not enabled; it needs to be configured before it will collect data.
There are no dedicated auditing cmdlets available in Windows PowerShell. However, the command-line tool Auditpol.exe is a powerful tool that allows for the setting and querying of audit policy. More information about Advanced Auditing can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309140
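As an added example (not from the courseware), the following script walks through what the text above describes: Auditpol.exe turns on the Object Access > File System subcategory, a SACL on the folder says what to record, and the resulting events are read back from the Security log. The folder path is a placeholder, and the script assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example: end-to-end file-system auditing with auditpol.exe, a folder SACL,
# and a Security-log query. $folder is a placeholder; run elevated.
$folder = 'D:\Finance'

# 1. Enable the advanced subcategory. As the text warns, once an advanced setting is
#    applied the basic Audit Policy settings no longer determine the effective policy.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"

# 2. Add the audit entry (SACL) on the folder: Everyone, Write and Delete, success and
#    failure, inherited by subfolders and files. Step 1 alone records nothing.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read the results. Event 4663 = an attempt was made to access an object;
#    4656 = a handle to an object was requested (denied attempts appear here).
function Get-FileAuditSummary {
    param([string]$Path, [int]$Hours = 1)

    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields are easiest to read from the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Access  = $data.AccessMask
                Process = $data.ProcessName
            }
        }
    }
}

# Who touched the audited folder in the last day, and how often, by outcome.
Get-FileAuditSummary -Path $folder -Hours 24 |
    Group-Object User, Outcome |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```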
Digital Certificates
In modern cryptography, data is encrypted and decrypted by using a key that contains the information necessary for performing the encryption or decryption. A key is a piece of physical data, and can be protected by a password or attached to a smart card or even a Windows user account. In the simplest form of data encryption, data is both encrypted and decrypted by using the same key. This method of using the same key for both encryption and decryption is known as symmetric encryption.
Symmetric encryption works well when the same user is both encrypting and decrypting the data. However, when the user encrypting the data is different from the user who is decrypting the data, especially if the encryption and decryption process is on different computers or networks, symmetric encryption becomes more problematic. In this case, the user encrypting the data must find some way to make the key available to the user decrypting the data. Any time the key is exchanged between users, it becomes vulnerable to being intercepted and compromised.
The use of digital certificates introduces an alternative to the shortcomings of symmetric encryption. Data exchange using a digital certificate uses asymmetric encryption. When using asymmetric encryption, a pair of mathematically related keys is used to encrypt or decrypt data. One of the keys, commonly known as the private key, is held by an individual. A second key, the public key, is attached to the digital certificate, which can be digitally requested at any time. With this form of encryption, either the private or public key can be used to encrypt the data. Then, the opposite key is used to decrypt the data. In general, symmetric encryption is faster but less secure than asymmetric, whereas asymmetric encryption is slower but more secure. In many communication scenarios, the two are combined: asymmetric keys are used to exchange the symmetric key, which is then used to encrypt and decrypt the data stream.
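The combination just described, as an added example that is not part of the courseware: an RSA key pair stands in for the key pair behind a recipient's digital certificate, the RSA public key wraps a fresh AES key, and the AES key encrypts the data. It uses .NET classes available in Windows PowerShell 5.1 on .NET Framework 4.6 or later; the message and key sizes are constructed sample values.

```powershell
# Added example: hybrid encryption, the pattern the text describes. Only the small
# AES key goes through the slow RSA operation; the data stream uses AES.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ (RSA.Create returns RSACng,
# which supports OAEP with SHA-256).

function Protect-Hybrid {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA]$RecipientPublicKey)

    # A fresh symmetric key and IV for this message only.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $key = $aes.Key; $iv = $aes.IV            # copies; Dispose() wipes the originals

    $encryptor  = $aes.CreateEncryptor()
    $ciphertext = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()

    # Wrap the AES key with the recipient's public key (the key a certificate carries).
    $padding    = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $wrappedKey = $RecipientPublicKey.Encrypt($key, $padding)

    [pscustomobject]@{ WrappedKey = $wrappedKey; IV = $iv; Ciphertext = $ciphertext }
}

function Unprotect-Hybrid {
    param($Envelope, [System.Security.Cryptography.RSA]$RecipientPrivateKey)

    # Only the holder of the private key can recover the AES key.
    $padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $key     = $RecipientPrivateKey.Decrypt($Envelope.WrappedKey, $padding)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key; $aes.IV = $Envelope.IV
    $decryptor = $aes.CreateDecryptor()
    $plain = $decryptor.TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    $aes.Dispose()
    return $plain
}

# Constructed demo: the recipient generates a key pair and publishes only the public half.
$recipient  = [System.Security.Cryptography.RSA]::Create(2048)
$publicHalf = [System.Security.Cryptography.RSA]::Create()
$publicHalf.ImportParameters($recipient.ExportParameters($false))   # public part only

$message   = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample: Q3 payroll export')
$envelope  = Protect-Hybrid -Plaintext $message -RecipientPublicKey $publicHalf
$recovered = Unprotect-Hybrid -Envelope $envelope -RecipientPrivateKey $recipient

"Wrapped key: $($envelope.WrappedKey.Length) bytes; ciphertext: $($envelope.Ciphertext.Length) bytes"
[System.Text.Encoding]::UTF8.GetString($recovered)
# $publicHalf cannot unwrap the key: it holds no private key, which is the whole point.
```

The sample uses AES in its default CBC mode without an integrity check; in a real exchange the envelope would also be signed or use an authenticated mode so that tampering is detected.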
Note: A digital certificate is a digital document that is commonly used for authentication and to help secure information on a network. A certificate binds a public key to an entity that holds the corresponding private key.
A digital certificate makes it possible to verify someone's claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, digital certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.
A digital certificate generally contains information about the following:
• A user, computer, or network device that holds the private key corresponding to the issued certificate. The user, computer, or network device is known as the owner or subject of the certificate.
• A public key of the certificate's associated public and private key pair.
• The issuer of the certificate, commonly known as a certification authority (CA).
• The issue and expiry dates of the public key associated with the certificate.
• The serial number of the digital certificate.
• The digital signature of the issuing CA.
• The names of the encryption and digital signing algorithms supported by the certificate.
Also, a digital certificate can contain additional information, such as the encryption algorithms supported, the acceptable applications or uses for the certificate, or other applicable information. The use of digital certificates and encryption technologies will be discussed in more detail in Lesson 3, “Implementing Encryption.”
Lesson 2
Securing Files and Folders
Ensuring data integrity and security is a fundamental aspect of a Windows Server infrastructure. The assignment of proper permissions to users and groups for the resources they require access to is the first level of data security in a Windows Server environment.
This lesson covers the configuring of permissions, best practices for maintaining permissions functionality, and auditing file and folder access to ensure that configured permissions are operating effectively.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe access control.
• Describe the available file and folder permissions on NTFS and ReFS volumes.
• Describe permission inheritance.
• Describe shared folder permissions.
• Explain how file and folder permissions and shared folder permissions combine.
• Secure shared files.
• Describe and implement file auditing.
Access Control
The previous lesson explained authentication and authorization in general terms. This lesson explains how that process translates into a real-world access control process in Windows Server 2012 and Windows 8. Access control is the process of authorizing users, groups, or computers (collectively known as principals) to access objects, which in this instance are files and folders, on a network or computer. It involves permissions, permission inheritance, user rights, and auditing, each of which is described in this module.
Before a user can access an object, the user must first identify themselves to the security system in operation on the domain or network. When a user logs on to a computer, the user identifies themselves and, if successful, is allowed to log on to the computer. The identity of that user is then contained within an access token that is re-created every time that user logs on. Every container or object on a Windows Server network has an associated security descriptor that contains access control information.
The operating system checks to see if the user is authorized to access an object. It does this by comparing the following two things:
• The security identifier of the user and the groups to which the user belongs in the access token
• Access control entries (ACE) for the object
The access control entries then allow or deny particular functionality on the object for the specific user. The entire set of access control entries is known as the access control list (ACL). There are two kinds of ACLs, the discretionary access control list (DACL), which is responsible for permissions, and the system access control list (SACL), which is responsible for auditing.
When the operating system is determining the authorization to access an object, each ACE is evaluated by comparing the security identifiers (SIDs) in the ACE to the SIDs in the token (which contains the user's SID plus the SIDs of all groups the user belongs to). If a match is found, the permissions specified in the matching ACE are granted or denied. If the end of the ACL is reached and the desired access is still not explicitly allowed or denied, the user is denied access to the object. In Windows Server 2012 and Windows 8, you can view the effective permissions for a user, group, or computer on the Effective Permissions tab of the Advanced Permission Settings dialog box. This is designed to help you manage and troubleshoot file and folder permissions more effectively.
You can also use the Windows PowerShell cmdlets Get-ACL and Set-ACL to help manage access control on objects. Another command-line tool that can be used to view, change, back up, and restore ACL information and settings is icacls.exe.
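The ACE walk described above is easiest to understand when traced step by step. The following Windows PowerShell function is an added example, not part of the courseware: it models the evaluation over a constructed token and a constructed DACL, showing why a Deny ACE placed before an Allow wins, why an Allow that covers every requested right ends the walk, and why reaching the end of the list means denial. The SIDs, group and ACEs are sample values; only the FileSystemRights flag values come from the .NET enumeration.

```powershell
# Added example, not from the courseware: a model of the DACL walk. SIDs, ACEs and
# the requested access are constructed sample values.
using namespace System.Security.AccessControl

function Test-AccessModel {
    param(
        [Parameter(Mandatory)] [string[]] $TokenSids,   # user SID plus every group SID in the token
        [Parameter(Mandatory)] [object[]] $Dacl,        # ACEs in list order: @{ Sid; Type = 'Allow'|'Deny'; Rights }
        [Parameter(Mandatory)] [FileSystemRights] $Desired
    )
    $remaining = [int]$Desired                          # rights still to be satisfied
    foreach ($ace in $Dacl) {
        # ACEs whose SID is not in the token are skipped entirely
        if ($TokenSids -notcontains $ace.Sid) { continue }
        if ($ace.Type -eq 'Deny') {
            # a matching Deny that covers any still-outstanding right ends the check
            if (([int]$ace.Rights -band $remaining) -ne 0) {
                return "Denied: explicit Deny ACE for $($ace.Sid)"
            }
        }
        else {
            # a matching Allow satisfies the rights it carries; stop once nothing is outstanding
            $remaining = $remaining -band (-bnot [int]$ace.Rights)
            if ($remaining -eq 0) { return 'Granted' }
        }
    }
    # end of list with rights still outstanding: implicit deny
    return 'Denied: end of ACL reached, access never explicitly allowed'
}

# Constructed token: a user plus two group memberships (sample SIDs)
$userSid = 'S-1-5-21-1000000000-2000000000-3000000000-1105'
$finance = 'S-1-5-21-1000000000-2000000000-3000000000-1201'
$token   = @($userSid, $finance, 'S-1-1-0')           # S-1-1-0 is the well-known Everyone SID

# Constructed DACL in canonical order: explicit Deny ACEs before Allow ACEs
$dacl = @(
    @{ Sid = $finance;       Type = 'Deny';  Rights = [FileSystemRights]::Delete }
    @{ Sid = $finance;       Type = 'Allow'; Rights = [FileSystemRights]::Modify }
    @{ Sid = 'S-1-5-32-544'; Type = 'Allow'; Rights = [FileSystemRights]::FullControl }  # BUILTIN\Administrators
)

# ReadData and WriteData are covered by Modify -> Granted; Delete hits the Deny ACE first
# even though Modify also contains Delete; ChangePermissions is only in the Administrators
# ACE, which does not match the token, so the walk falls off the end -> Denied.
foreach ($want in 'ReadData', 'WriteData', 'Delete', 'ChangePermissions') {
    '{0,-18} -> {1}' -f $want, (Test-AccessModel -TokenSids $token -Dacl $dacl -Desired $want)
}
```

Feeding the same function the rules from a real folder (Get-Acl on the path, then its Access collection mapped to the Sid/Type/Rights shape above) reproduces what the Effective Permissions tab shows for NTFS permissions.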
File and Folder Permissions
File and folder permissions specify which users, groups, and computers can access and interact with files and folders on an NTFS or ReFS volume. These permissions combine to create the ACL. As stated earlier, file and folder permissions are available on NTFS and ReFS file systems. They are commonly known as NTFS permissions because, until the release of Windows Server 2012 and the new ReFS file system, they were available only on NTFS. File and folder-level permissions are not available on FAT32 file systems. There are two kinds of file/folder-level or NTFS permissions:
• Standard. Standard permissions are the most commonly used permissions. They can be viewed and accessed through the Properties of an object: right-click a file or folder, select Properties, and then navigate to the Security tab.
• Advanced. Advanced permissions provide a finer degree of control for assigning access to files and folders. However, advanced permissions are more complex to manage than standard permissions.
Standard File and Folder Permissions
The following table lists the standard NTFS file and folder permissions. You can choose whether to allow or deny each of the permissions.
Permission: Description
Full Control: Gives complete control of the file or folder, including control of its permissions.
Modify: Gives read and write access.
Read and Execute: Allows a file to be read and programs to be started. Allows folder contents to be seen and programs to be started.
List Folder Contents (folders only): Allows users to view the contents of a folder.
Read: Gives read-only access.
Write: Allows file content to be changed and files to be deleted. Allows folder content to be changed and files to be deleted.
Special permissions: Allows custom permissions configuration, defined by advanced permissions.
Note: Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file.
To modify file and folder permissions, you must be given the Full Control permission for the folder or file. The one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions even if he or she does not have any other current NTFS permissions. Administrators can always take ownership of files and folders to make modifications to NTFS permissions.
Advanced File and Folder Permissions
Advanced or special permissions provide a much greater level of control over NTFS files and folders. Groupings of advanced settings effectively make up the standard permission sets. The following table defines the special permissions that can be assigned for each file and folder.
Permission: Description
Full Control: Allows full control over the object.
Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. It allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right, which is configured in the Group Policy snap-in; by default, the Everyone group is given this user right. The Execute File permission allows or denies the execution of program files. Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on the files in that folder.
List Folder/Read Data: The List Folder permission allows or denies viewing file names and subfolder names in the folder. It applies only to folders and affects only the contents of that folder; it is not affected by whether the folder on which you set the permission is itself listed in a folder list, and it has no effect on viewing the file structure from the command-line interface. The Read Data permission applies only to files and allows or denies viewing data in files.
Read Attributes: Allows or denies viewing the attributes of a file or folder, such as the read-only and hidden attributes. Attributes are defined by NTFS or ReFS.
Read Extended Attributes: Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program.
Create Files/Write Data: The Create Files permission applies only to folders and allows or denies creating files in the folder. The Write Data permission applies only to files and allows or denies making changes to the file and overwriting existing content.
Create Folders/Append Data: The Create Folders permission applies only to folders and allows or denies creating folders in the folder. The Append Data permission applies only to files and allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data.
Write Attributes: Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS or ReFS. The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To allow or deny Create or Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes: Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the extended attributes of a file or folder. To allow or deny Create or Delete operations, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.
Delete Subfolders and Files: Applies only to folders and allows or denies deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.
Delete: Allows or denies deleting the file or folder. If you have not been assigned the Delete permission on a file or folder, you can still delete it if you are granted the Delete Subfolders and Files permission on the parent folder.
Read Permissions: Allows or denies reading the permissions on the file or folder, such as Full Control, Read, and Write.
Change Permissions: Allows or denies changing the permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership: Allows or denies taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.
Synchronize: Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that might signal it. This permission applies only to multithreaded, multiprocess programs.
Note: When assigning both standard and special NTFS permissions, permissions set to Deny typically override permissions set to Allow. Also, permissions can be set for various object types, such as printers, registry keys, Active Directory objects, or system objects such as processes. Depending on the object type, each might have a different set of permissions available. For example, printers have permissions for Print, Manage Printers, and Manage Documents, which are not applicable to files and folders, and in Active Directory permissions extend down to read/write access on individual attributes.
To configure NTFS file and folder permissions, follow these steps:
1. Right-click the file or folder to which you want to assign permissions, and then click Properties.
2. Click the Security tab to view existing permissions.
3. To modify standard permissions, click the Edit button.
4. To modify advanced permissions, click the Advanced button.
When access-based enumeration is applied to a folder share, only the files and folders that a user has permission to access are displayed. If a user does not have Read (or equivalent) permission for a folder, Windows hides the folder from the user's view.
One final aspect of file and folder permissions worth calling out here is owner rights. By default, the owner of an object has permissions on it that may be greater than intended, such as the ability to delete it. This can be an issue if an administrator was tasked with creating specific objects but was not meant to retain further control over them, or if people have moved positions but still hold permissions greater than intended. To mitigate this, you can add the OWNER RIGHTS security principal to the object and then assign it specific permissions, such as Read only. This limits the permissions the owner has on the object.
Permissions Inheritance
By default, the permissions granted to a parent folder are inherited by its subfolders and files. Permissions can be inherited only from a direct parent, and any files and folders contained within the parent folder are assigned the same permissions as the parent folder, even if the parent folder's permissions are later modified. Permissions inherited in this manner are known as inherited permissions. A folder or file always inherits its parent folder's permissions unless inheritance is blocked. When you block inheritance, the folder for which you block permissions inheritance becomes the new parent folder, and the subfolders and files contained within it inherit the permissions assigned to it. A folder that has had inheritance blocked will either copy the inherited permissions as explicit permissions or remove all inherited permissions. Permissions inherited in this manner are also frequently known as implicit permissions.
Permissions assigned to a file or folder directly, overriding that file or folder's inherited permissions, are called explicit permissions. Explicit permissions behave differently than inherited permissions when being moved within an NTFS volume.
To block inheritance for a file or folder, perform the following steps:
1. Right-click the file or folder for which you want to block inheritance, and then click Properties.
2. Click the Security tab to view existing permissions.
3. Click the Advanced button.
4. In the Permissions window, click the Disable Inheritance button.
5. You then receive a prompt to either convert the inherited permissions into explicit permissions or to remove all inherited permissions from the object.
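The same five steps, together with the OWNER RIGHTS mitigation described earlier, can be scripted with the Get-ACL and Set-ACL cmdlets mentioned above. The script below is an added example, not part of the courseware: it blocks inheritance while converting the inherited entries to explicit ones (the first choice offered by the prompt in step 5), replaces the converted Everyone entry with an explicit Modify entry for a group, limits the owner to read access, and then verifies the result. The folder path D:\Shares\Deliverables and the group CONTOSO\Finance-Editors are assumptions; the OWNER RIGHTS principal is identified by its well-known SID S-1-3-4.

```powershell
# Added example, not from the courseware: block inheritance and set explicit permissions.
# Path and group are assumptions; run from an elevated session with rights on the folder.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$path  = 'D:\Shares\Deliverables'     # assumed folder (create it first if needed)
$group = 'CONTOSO\Finance-Editors'    # assumed domain group

$acl = Get-Acl -Path $path

# Equivalent of "Disable Inheritance": the first $true protects the DACL from inheritance,
# the second $true keeps the inherited ACEs as explicit copies. Use $false as the second
# argument to remove them instead, which leaves only the entries added below.
$acl.SetAccessRuleProtection($true, $true)

# Drop the converted Everyone entry so access is no longer broader than intended
$acl.Access | Where-Object { $_.IdentityReference -eq 'Everyone' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Explicit Allow for the group: Modify on this folder, flowing to subfolders and files
$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $group, [FileSystemRights]::Modify, $inherit, [PropagationFlags]::None, [AccessControlType]::Allow))

# OWNER RIGHTS (S-1-3-4): whoever owns an object here gets read access only, so creating
# an object does not silently hand out delete or change-permissions rights
$ownerRights = [SecurityIdentifier]::new('S-1-3-4')
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $ownerRights, [FileSystemRights]::ReadAndExecute, $inherit, [PropagationFlags]::None, [AccessControlType]::Allow))

Set-Acl -Path $path -AclObject $acl

# Verify: inheritance is blocked and every remaining entry is explicit (IsInherited = False)
$after = Get-Acl -Path $path
"Inheritance blocked: $($after.AreAccessRulesProtected)"
$after.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The verification step matters: after Set-Acl, AreAccessRulesProtected should be True and no entry should show IsInherited = True, which is exactly what the Advanced Security Settings dialog reports after step 5.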
Copying vs. Moving Files
When you copy or move a file or folder, the permissions might change, depending on where you copy or move the file or folder.
Copying a File or Folder
When you copy a file or folder from one folder to another folder, or from one partition to another partition, the following rules apply:
• Within the same NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
• To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
• To a non-NTFS partition, such as a FAT32 partition, the copy of the folder or file loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.
Note: All these are also applicable where ReFS is the file system in question. Also, if files are copied between NTFS and ReFS partitions, the file or folder inherits the permissions of the destination folder.
Moving a File or Folder
When you move a file or folder, the following rules apply:
• Within the same NTFS partition, the folder or file keeps its original permissions. If the permissions of the new parent folder are changed later, the file or folder inherits the new permissions. Permissions explicitly applied to the folder are retained; permissions previously inherited are lost.
• To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When you move a folder or file between partitions, the Windows Server 2012 operating system copies the folder or file to the new location and then deletes it from the old location.
• To a non-NTFS partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.
Again, all these are also applicable where ReFS is the file system in question. If files are moved between NTFS and ReFS partitions, the file or folder inherits the permissions of the destination folder and loses its explicit permissions.
Shared Folder Permissions
Shared folder permissions apply only to users who connect to the folder over the network. They do not restrict access to users who access the folder locally on the computer where it is stored. You can grant shared folder permissions to user accounts, groups, and computer accounts. By default, a shared folder is already protected by the NTFS permissions applied to that specific folder, and shared folder permissions combine with NTFS permissions to determine the appropriate level of access allowed on an object.
Before granting permissions to a share, a folder must first be shared. It is also possible to create different shares (using different names) for the same folder. This could be useful if, for example, you have a set of users who should have limited permissions and a special group of people who should have a greater level of permissions. The following table lists the options available for shared folder permissions. You can choose whether to allow or deny each of the permissions.
Share Permission: Description
Read: Allows users to view folder and file names, file data, and file attributes. Users can also access the shared folder's subfolders and run program files and scripts.
Change: Users granted the Change permission can perform all the functions granted by the Read permission, in addition to creating and deleting files and subfolders. Users can also change file attributes, change the data in files, and append data to files.
Full Control: Users granted the Full Control permission can perform all the tasks enabled by the Change permission, as well as take ownership of files and change file permissions.
To access the folder permissions listed in the table, follow these steps:
1. Right-click the folder you want to share, and select Properties.
2. Click the Sharing tab, and then click the Advanced Sharing button.
To access a more simplified set of permissions (Read, Read/Write, and Remove), follow these steps:
1. Right-click the folder you want to share, and select Properties.
2. Click the Sharing tab, and then click the Share button.
The Sharing tab is only present in folder properties, not file properties.
Note: As with NTFS permissions, when assigning shared folder permissions, permissions set to Deny typically override permissions set to Allow.
When creating Windows Server 2012 file server shares, you can make the shares available through the File and Storage Services role, which can be installed in Server Manager. This allows for the centralized creation and control of shares in an organization. Administrators can make shares available using the following two protocols:
• Server Message Block (SMB). Allows Windows-based clients to read, write, and access files and folders on a remote Windows Server 2012 server. Windows Server 2012 released with SMB 3.0, which comes with additional features and functionality such as the following:
o Support for network adapters that are Remote Direct Memory Access (RDMA) capable, that is, adapters that can transfer data directly between network adapters without using operating system resources.
o Support for Cluster Shared Volumes (CSV), and many more.
• Network File System (NFS). Allows non-Windows-based clients to read, write, and access files and folders on a remote Windows Server 2012 server.
You can also use Windows PowerShell to configure file shares. Depending on the protocol used for the file share, you could use a series of NFS cmdlets or SMB Share cmdlets.
More information about SMB Windows PowerShell cmdlets can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309141
More information about NFS Windows PowerShell cmdlets can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309142
Evaluating Combined, Shared, and Local Permissions
When a shared folder is created on a partition formatted with the NTFS file system, both the shared folder permissions and the NTFS file system permissions are combined to protect file resources. NTFS file system permissions apply whether the resource is accessed locally or over a network, but they are filtered against the shared folder permissions.
When accessing a shared folder over the network, a user must have the appropriate permissions granted on the shared folder to gain access to the files and folders within it. Only after it has been determined that the user has been granted access through the shared folder permissions is the user's access to the specific NTFS file(s) or folder(s) checked against the user's NTFS permissions. If both the shared folder permissions and the NTFS permissions allow the type of access that the user is attempting on the files, access is granted. When you grant shared folder permissions on an NTFS volume, the following rules apply:
• By default, the Everyone group is granted the shared folder permission Read.
• Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared folder, in addition to the appropriate shared folder permissions, to access those resources.
• When NTFS file system permissions and shared folder permissions are combined, the resulting permission is the most restrictive of the effective shared folder permissions and the effective NTFS file system permissions.
• The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to all files in those subfolders.
Note: Some general best practices are:
• Remove the Everyone group from any permission lists and replace it with the Authenticated Users group.
• Use the most restrictive group that contains the users you want to grant access to. If you want only the users of the domain to access the information, but no users from other trusted domains, it is better to use Domain Users rather than Authenticated Users.
When dealing with a shared folder, you must always go through the shared folder to access its files over the network. Therefore, you can think of the shared folder permissions as a filter that only allows users to perform actions on its contents that are acceptable to the share permissions. All NTFS permissions that are less restrictive than the share permissions are filtered out so that only the share permission remains. For example, if the share permission is set to Read, then the most you can do when accessing the share over the network is read the contents, even if the individual NTFS file permission is set to Full Control. If the share permission is set to Change, you can read or modify the shared folder contents; if the NTFS permission is set to Full Control, the share permission filters the effective permission down to the equivalent of Modify.
You can check the effective permissions that a user, group, or computer “device account” will have on an object based on the NTFS permissions that have been assigned to an object. This is done on the Security tab of the object’s Properties dialog box, by clicking the Advanced button, and then selecting the Effective Access tab. However, share permissions are not included in calculating the effective permissions; only file and folder or NTFS permissions are taken into account.
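Because the Effective Access tab leaves share permissions out of its calculation, it helps to be able to work the combination out independently. The script below is an added example, not part of the courseware. It first creates a share with the SMB Share cmdlets referred to above, replacing the default Everyone Read entry with explicit group entries and enabling access-based enumeration, and then models the "most restrictive wins" rule as a bitwise intersection of the share level and the NTFS rights. The share name, path and group names are assumptions, and the mapping of each share level to an NTFS rights mask (Read to ReadAndExecute, Change to Modify, Full Control to FullControl) is a modelling choice made here, not something the courseware states.

```powershell
# Added example, not from the courseware. Share name, path and groups are assumptions.
using namespace System.Security.AccessControl

# 1. Create the share with explicit share permissions instead of the default Everyone/Read,
#    and with access-based enumeration so users only see what they are allowed to open.
$share = New-SmbShare -Name 'Deliverables' -Path 'D:\Shares\Deliverables' `
    -ReadAccess 'CONTOSO\Finance-Readers' -ChangeAccess 'CONTOSO\Finance-Editors' `
    -FolderEnumerationMode AccessBased
Get-SmbShareAccess -Name $share.Name |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Model of the combination rule. Mapping each share level to an NTFS rights mask is a
#    modelling assumption: Read ~ ReadAndExecute, Change ~ Modify, Full ~ FullControl.
$shareMask = @{
    Read   = [int][FileSystemRights]::ReadAndExecute
    Change = [int][FileSystemRights]::Modify
    Full   = [int][FileSystemRights]::FullControl
}

function Get-EffectiveNetworkRights {
    param(
        [Parameter(Mandatory)] [ValidateSet('Read', 'Change', 'Full')] [string] $SharePermission,
        [Parameter(Mandatory)] [FileSystemRights] $NtfsRights
    )
    # Only rights allowed by both layers survive: the share acts as a filter on the NTFS ACL
    [FileSystemRights]($shareMask[$SharePermission] -band [int]$NtfsRights)
}

# Cases from the text: a Read or Change share filters NTFS Full Control down to
# ReadAndExecute or Modify, and a Full Control share cannot add anything the NTFS ACL
# does not already grant.
foreach ($c in @(
        @{ Share = 'Read';   Ntfs = 'FullControl' },
        @{ Share = 'Change'; Ntfs = 'FullControl' },
        @{ Share = 'Full';   Ntfs = 'ReadAndExecute' })) {
    '{0,-6} share + {1,-14} NTFS -> {2}' -f $c.Share, $c.Ntfs,
        (Get-EffectiveNetworkRights -SharePermission $c.Share -NtfsRights $c.Ntfs)
}
```

Get-SmbShareAccess shows the share-level ACL that the Effective Access tab ignores; combining its output with Get-Acl on the folder through Get-EffectiveNetworkRights gives the answer the tab cannot.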
Demonstration: How to Secure a Shared Folder
In this demonstration, you will see how to create a folder, secure it by using NTFS permissions, share the folder, and further secure it with shared folder permissions.
Demonstration Steps
1. Create a new folder called Deliverables.
2. Assign NTFS permissions to the new folder.
3. Share the new folder.
4. Validate the permission changes.
File and Folder Auditing
Defining object permissions will not tell you who deleted important data or who was trying to access files and folders inappropriately. To track who accessed files and folders and what they did, you must configure auditing for file and folder access. Every comprehensive security strategy should include auditing to provide traceability and to assess compliance with company or data privacy requirements, allowing an administrator to be proactive in protecting data from inappropriate access or deletion. As discussed in Lesson 1, “Overview of Windows Security,” there are two kinds of auditing available in Windows Server 2012. One type is basic auditing, which is applicable for legacy operating systems and available for configuration via the Group Policy Management Editor, under the node Computer Configuration\Policies\Windows Settings\Security Settings\Local Policy\Audit Policy.
The other type is advanced auditing, which is new in Windows Server 2012 and contains more granular and advanced functionality. It is available in the Group Policy Management Editor, under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access. It is within here that auditing policy should be configured.
Within this Object Access node there are 14 auditing policies that can be applied across a network. These cover a range of areas, including the three listed in the following table.
Audit Policy: Description
Audit Detailed File Share: Audits attempts to access files and folders on a shared folder. It logs an event every time a file or folder is accessed. Event ID 5145 is generated when an event is logged.
Audit File Share: Audits events when a computer accesses a file share. Can generate a range of Event IDs, such as 5140, 5142, 5143, 5144, and 5168, depending on the event type.
Audit File System: Audits user attempts to access file system objects. Can be combined with the Audit File Share policy to track the content, source, and user account attempting to access an object. Can generate a range of Event IDs, including 4664, 4985, and 5051.
The logging of events is based on the use of SACLs. For the Audit Detailed File Share and Audit File Share policies, however, no SACLs exist; therefore, after those policies are enabled, access to all shares on the system is audited. Before enabling these policies, you should make sure you are aware of the volume of events that will be generated so there are no detrimental effects.
You should understand that there are two components to enabling auditing in this context. The server must be instructed about which areas of the operating system to audit, which is done in Group Policy, and the resource on the server must be configured with the SACL describing what you want to audit. You enable auditing on a resource in the same place you configure its NTFS permissions: right-click the folder, click Properties, select the Security tab, click the Advanced button, and then select the Auditing tab. Within this dialog box, specific users, groups, or computers can be selected to trace access events.
It is also possible to specify a condition to limit the scope of the auditing, so that security events are logged only if specific conditions are met. This allows for more granular configuration and can significantly reduce the volume of events traced.
When enabling auditing on a specific file or folder, the same inheritance rules used by NTFS permissions and shared folder permissions apply to the auditing properties. By default, files and folders will inherit their parent’s audit settings unless inheritance is blocked or explicitly specified.
After auditing is configured, file and folder auditing events will be recorded to the Windows security log. This log can be viewed in Event Viewer, accessed through the Tools menu in Server Manager.
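Both halves of the auditing configuration described above, the SACL on the resource and the events that end up in the Security log, can be handled from Windows PowerShell. The script below is an added example, not part of the courseware: it adds an audit entry to a folder for the write, delete and permission-changing rights that most often matter when investigating who removed or altered data, confirms the entry, and then pulls the share-access events (IDs 5140 and 5145 from the table above) from the last day, expanding the fields that identify the account, client address, share and target. The folder path is an assumption; the Group Policy side (the Object Access audit subcategories) must already be enabled, and reading the Security log and writing a SACL both require an elevated session.

```powershell
# Added example, not from the courseware: SACL entry on a folder plus a Security log query.
# Path is an assumption. Run elevated; audit policy must already be enabled via Group Policy.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$path = 'D:\Shares\Deliverables'     # assumed folder

# 1. The SACL: audit both successful and failed attempts by anyone (Everyone, S-1-1-0) to
#    delete, write, change permissions on, or take ownership of anything under the folder.
$acl = Get-Acl -Path $path -Audit
$auditRule = [FileSystemAuditRule]::new(
    [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null),
    [FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership',
    [InheritanceFlags]'ContainerInherit, ObjectInherit',
    [PropagationFlags]::None,
    [AuditFlags]'Success, Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $path -AclObject $acl

# Confirm the entry landed (this is what the Auditing tab displays)
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 2. Share-access events from the last day. 5140 = share accessed, 5145 = file or folder
#    on a share checked (Audit File Share / Audit Detailed File Share policies).
$filter = @{ LogName = 'Security'; Id = 5140, 5145; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a lookup table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            User     = $data['SubjectUserName']
            ClientIP = $data['IpAddress']
            Share    = $data['ShareName']
            Target   = $data['RelativeTargetName']   # populated for 5145 only
            Access   = $data['AccessMask']
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Restricting the SACL to the rights that indicate change rather than every read keeps the volume manageable, which is the concern the text raises about the share policies that audit every access.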
Demonstration: How to Configure File Auditing
In this demonstration, you will see how to configure the Audit object access security policy to audit file access.
Demonstration Steps
1. Configure the object access auditing policy to audit file access.
2. Enable folder auditing.
3. Test the object access auditing policy.
Dynamic Access Control
Dynamic Access Control is an access control mechanism in Windows Server 2012 for file system resources. It enables administrators to define central file access policies that can apply to every file server in the organization. Dynamic Access Control implements a safety net over file servers, and over any existing share and NTFS permissions. It also ensures that regardless of how the share and NTFS permissions might change, this central overriding policy is still enforced. Dynamic Access Control combines multiple criteria into the access decision. This augments the NTFS access control list (ACL) so that users need to satisfy both the NTFS ACL and the central access policy to gain access to the file. Dynamic Access Control is designed for four scenarios:
• Central access policy for access to files. Enables organizations to set organization-wide policies that reflect business and regulatory compliance.
• Auditing for compliance and analysis. Enables targeted auditing across file servers for compliance reporting and forensic analysis.
• Protecting sensitive information. Identifies and protects sensitive information within a Windows Server 2012 environment, and also when it leaves the Windows Server 2012 environment.
• Access denied remediation. Improves the access-denied experience to reduce helpdesk load and incident time for troubleshooting.
Dynamic Access Control leverages the following technologies:
• Active Directory Domain Services and its dependent technologies for enterprise network management.
• Kerberos version 5 (V5) protocol, including compound identity for secure authentication.
• Windows security (local security authority (LSA), Net Logon service) for secure logon transactions.
• File classifications for file categorization.
• Auditing for secure monitoring and accountability.
• Active Directory Rights Management Services (AD RMS) for additional protection.
In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and their ACLs, administrators can control access to resources based on user name security identifiers (SIDs) or group membership SIDs, and the level of access such as Read-only, Change, and Full Control. However, once you provide someone with, for example, Read-only access to a document, you cannot prevent that person from copying the content of that document into a new document or printing the document. By implementing AD RMS, you can establish an additional level of file control. Unlike, NTFS permissions, which are not application-aware, AD RMS sets a policy that can control document access inside the application that the user uses to open it. By implementing AD RMS, you enable users to protect documents within applications.
Using Windows client operating systems prior to Windows® 8, you cannot set conditional access to files by using NTFS and AD RMS. For example, you cannot set NTFS permissions so that users can access documents only if they are members of a specific group, or only if their EmployeeType attribute is set to Full Time Employee (FTE). Additionally, you cannot set permissions so that only users whose department attribute holds the same value as the department attribute of the resource can access the content. However, you can use conditional expressions to accomplish these tasks. Dynamic Access Control takes attribute values on user or resource objects into account when granting or denying access. It provides access control based on expressions that can include security groups, claims, and resource properties, both in NTFS ACLs and in central access policies.
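The department-matching rule described above, expressed as a central access rule whose conditional ACE compares a user claim with a resource property. This is an added example, not courseware content; it assumes the RSAT AD DS module on a Windows Server 2012 domain controller with Dynamic Access Control enabled, and the claim type, rule, policy names and the "Research" department value are constructed for the illustration.

```powershell
# Added example (not from the courseware): define a user claim, enable a
# resource property, and build a central access rule whose condition grants
# access only when the two match. Names marked "constructed" are placeholders.
Import-Module ActiveDirectory

# 1. A user claim sourced from the 'department' attribute of user objects.
$claim = Get-ADClaimType -Filter 'DisplayName -eq "Department"'
if (-not $claim) {
    $claim = New-ADClaimType -DisplayName 'Department' `
        -SourceAttribute 'department' -AppliesToClasses user -PassThru
}
# The claim ID (of the form ad://ext/Department:<suffix>) is assigned by
# AD DS at creation time, so it is read back rather than hard-coded.
$claimId = $claim.ID

# 2. The built-in 'Department' resource property (ID Department_MS) is used
# to tag folders; it must be enabled before a condition can reference it.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# 3. The DACL in SDDL. XA = access-allowed callback (conditional) ACE. It
# grants read/execute (0x1200a9) to Authenticated Users (AU) only when the
# user's Department claim equals the folder's Department resource property.
# SY (SYSTEM) and BA (Administrators) keep full control unconditionally.
$dacl = 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)' +
        "(XA;;0x1200a9;;;AU;(@USER.$claimId == @RESOURCE.Department_MS))"

# The resource condition limits which folders the rule targets: here, those
# classified with the constructed department value "Research".
$rule = New-ADCentralAccessRule -Name 'Department match (constructed)' `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Research"})' `
    -CurrentAcl $dacl -PassThru

# 4. Wrap the rule in a central access policy. The policy is then deployed to
# file servers through Group Policy and selected on a folder's Classification
# tab; this script covers the directory side only.
$policy = New-ADCentralAccessPolicy -Name 'Research data policy (constructed)' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# Show the resulting rule so the conditional ACE can be reviewed.
Get-ADCentralAccessRule -Identity $rule | Select-Object Name, ResourceCondition, CurrentAcl
```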
Lesson 3
Implementing Encryption
Fundamentals of a Windows Server Infrastructure
9-27
In this age of information interconnection, an organization’s network might consist of intranets, Internet sites, and extranets, all of which are potentially susceptible to access by unauthorized individuals. Therefore, it is important that you have some means of ensuring that your organization’s data and communications are secure. Encrypting data, or the volumes on which data resides, is one part of that process. This lesson describes these technologies.
Lesson Objectives
After completing this lesson, students will be able to:
• Describe public key infrastructure (PKI) components.
• Describe how Encrypting File System (EFS) helps ensure file security.
• Describe how BitLocker® Drive Encryption ensures drive and volume security.
• Compare and contrast EFS and BitLocker encryption technologies.
How Are Digital Certificates Used?
Public key infrastructure (PKI) is a system of components that allow for verifying the authenticity of each party involved in digital communication through the use of public key cryptography. Some of the key components that make up a PKI are:
• Digital certificates. Digital certificates are the primary items managed in a PKI. Indeed, a PKI exists primarily for the proper management of these certificates. Certificates can be issued for a user, computer, or service.
• CAs. CAs represent the people, processes, and tools used to create digital certificates. Before issuing a digital certificate, a CA verifies the requester’s identity and the validity of the requester’s purpose for obtaining a digital certificate. A CA places its digital signature on a certificate, which both verifies that the certificate has come from a trusted source and acts like a tamper-proof seal on the certificate itself, so that any attempt to modify the certificate can be detected. CAs also operate in a hierarchical manner, where CAs that issue certificates can use another, more widely trusted CA as their parent to maintain the level of trust necessary within a PKI environment.
• Certificate revocation lists (CRLs). CRLs contain a list of certificates that have been revoked or removed from a CA prior to the certificate’s expiry date. Depending on the application that relies on the certificate, it is important that the CRLs are available from all locations where the certificate might be used. Some applications perform CRL checking, and others don’t. If all certificates are used internally only, you do not need to publish the CRL outside your organization. If a certificate is used for your Hypertext Transfer Protocol Secure (HTTPS) external website, or for your users accessing the corporate network externally through a virtual private network (VPN), you need to define and manage publishing the CRL to a location available on the Internet.
• Certificate and CA management tools. When a Windows server is configured as a CA, a specific set of tools are available to create and manage certificates, manage CRLs, and perform maintenance on different aspects of the PKI environment. An example of this follows.
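One way to check the CRL publishing requirement described above from the defender’s side, as an added example that is not part of the courseware: it reads the CRL Distribution Points from a certificate, confirms each HTTP(S) location answers, and then builds the chain with online revocation checking, which is what an external TLS or VPN client would do. The thumbprint value is a placeholder.

```powershell
# Added example (not from the courseware): are this server certificate's
# CRLs reachable, and does its chain validate with revocation checking?
function Test-CrlReachability {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # OID 2.5.29.31 is the CRL Distribution Points (CDP) extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) {
        return [pscustomobject]@{ Url = $null; Reachable = $false; Note = 'No CDP extension' }
    }
    # Format() renders the extension as text; pull the http(s) URLs out of it.
    $urls = [regex]::Matches($ext.Format($true), 'https?://[^\s]+') |
            ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $reachable = ($resp.StatusCode -eq 200)
            $note = "$($resp.RawContentLength) bytes"
        } catch {
            # An unreachable CDP is what breaks clients that enforce CRL checking.
            $reachable = $false
            $note = $_.Exception.Message
        }
        [pscustomobject]@{ Url = $url; Reachable = $reachable; Note = $note }
    }
}

function Test-ChainWithRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch CRLs; EntireChain: check every CA in the path, not just the leaf.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        ChainOk = $ok
        # Empty when the chain is good; otherwise e.g. RevocationStatusUnknown, OfflineRevocation.
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage: substitute the thumbprint of your HTTPS or VPN server certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<THUMBPRINT>'
Test-CrlReachability -Certificate $cert | Format-Table -AutoSize
Test-ChainWithRevocation -Certificate $cert
```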
Consider the diagram on the slide for this topic. Data at the A. Datum web server is encrypted using A. Datum’s private key and Secure Sockets Layer (SSL) encryption. The resultant encrypted data is sent out over the public Internet to the web client that is accessing the information on the server. Because the data has been encrypted using A. Datum’s private key, the web client can be assured that the information is coming from A. Datum and is genuine. Conversely, data sent from the client to the server, such as personal or financial information, is first encrypted using SSL and A. Datum’s public key, which is attached to the digital certificate. The user can be assured that encrypted information is safe in transit because only A. Datum’s private key can decrypt the data. It is critical for private keys to be secured in order to maintain the integrity of this exchange.
In Windows Server environments, core PKI components such as digital certificates, CAs, and CRLs are configured and managed through Active Directory Certificate Services (AD CS). This is installed as a role in Windows Server 2012. Digital certificates are used for a wide variety of purposes. Depending on the nature of the issuing CA, certain digital certificates might have a specific level of trust assigned to them. Public, private, and self-signed certificates each have individual characteristics that make them suitable for specific implementations. The following points outline characteristics of public, private, and self-signed certificates:
• Public CAs typically charge a fee for providing a digital certificate, but the certificate is universally trusted. Also, public certificates can be used in almost any situation a private certificate is used. Digital certificates used on the public Internet are most commonly issued by a public CA.
• Private certificates allow an organization to manage its own certificate issuing process, and any number of certificates can be generated at no cost. This allows an organization that needs to issue many certificates for internal use to run a private CA and not incur the costs associated with a large number of public certificates. This gives an organization a great deal of control over certificate management, but requires additional administrative overhead. Private certificates can be used within an organization to facilitate secure email or the encryption of individuals’ data.
• Self-signed certificates do not require the implementation of a stand-alone CA. Rather, the application itself creates and signs the certificate. This decreases the administrative overhead of maintaining a private CA, and the organization incurs no extra costs. The main drawback is that the self-signed certificate has a very limited valid scope; it is trusted strictly within the application itself.
More information about PKI and Active Directory Certificate Services (AD CS) in Windows Server 2012 can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309143
Question: In what situations would a public certificate signed by a trusted CA be requested or required?
Question: Why would a private certificate created by its owner be used instead of a public certificate provided by a third party?
Question: Why would an organization choose to use self-signed certificates over private certificates?
Encrypting File System
Encrypting File System (EFS) is a file and folder encryption technology in Windows Server 2012 and Windows 8, and is a built-in component of the NTFS file system. EFS was introduced in Windows 2000 and extended in Windows Server 2003 to allow multiple users to have certificates on one file. Few, if any, changes have been made to EFS since then. EFS enables transparent encryption and decryption of files by using cryptographic algorithms. It is also possible to encrypt files on a file share.
Encrypted files and folders can be protected from an unauthorized user who gains physical possession of the computer that the files reside on. Even people who are otherwise authorized to access the computer and its file system cannot view the data if they are not authorized to do so. Any individual or program that does not possess the appropriate cryptographic key cannot read the encrypted data; users will receive an access denied message. If a user is authorized, the file or folder will open up with no prompts or interaction required.
Information technology (IT) professionals should be aware that although encryption is a powerful addition to any defensive plan, it might not be the correct measure for every threat, and if used incorrectly, carries the potential for harm or loss of data. EFS must be understood, implemented appropriately, and managed effectively to ensure that your experience, the experience of those to whom you provide support, and the data you want to protect are not compromised.
Features and Functionality of EFS
The following are some important features and functionality of EFS:
• EFS encryption does not occur at the application level but rather at the file-system level; therefore, the encryption and decryption process is transparent to the user and to the application. Applications do not have to understand EFS or manage EFS-encrypted files any differently than unencrypted files.
• If a folder is marked for encryption, every file created in or moved to the folder will be encrypted.
• EFS uses a combination of public-key and symmetric-key encryption to protect files from attack. EFS uses a symmetric key to encrypt the file, and a public key to protect the symmetric key.
• If the private key is damaged or missing, even the user who encrypted the file cannot decrypt it. If a recovery agent exists, then the file might be recoverable. If a PKI is used and key archival has been implemented, then the key might be recovered and the file decrypted; otherwise, the file might be lost. It is important to manage the private key of the recovery agent and store it in a safe location.
• The user’s public and private keys are protected by the user's password. Any user who can obtain the user ID and password can log on as that user and decrypt that user's files. Therefore, a strong password policy and strong user education must be a component of each organization's security practices to ensure the protection of EFS-encrypted files. It is also possible to use certificates issued to a user’s smart card for EFS.
• IT administrators should ensure that they back up certificates and have a key recovery process in place in the event of lost or damaged keys.
• EFS is only supported on the NTFS file system. EFS is not supported on ReFS, FAT, or any other file system. If a user moves or copies an encrypted file to a non-NTFS file system, such as a floppy disk or USB flash drive formatted with FAT32, the file will no longer be encrypted.
Users can make encrypted files accessible to other users’ EFS certificates. If you grant access to another user’s EFS certificate, that user can, in turn, make the file available to other users’ EFS certificates. EFS certificates are only issued to individual users, not to groups.
When an EFS-encrypted file is accessed remotely, it does not matter which remote machine it is accessed from: the file is decrypted on the computer where it is stored, which means the file contents travel over the network in plaintext. If the file needs to be shared and remain encrypted for all users who view it remotely, additional encryption mechanisms might be required, such as Internet Protocol security (IPsec) or Web Distributed Authoring and Versioning (WebDAV) with SSL. EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard (AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.
Configuration
The default configuration of EFS requires no administrative effort to allow users to implement it. Users can begin encrypting files immediately, and EFS automatically generates a user certificate with a key pair for a user if one does not already exist and there is no CA in place. To encrypt a file or folder, a user can right-click the file or folder, and click Properties. In the Properties dialog box, click the Advanced button, and then in the Advanced Attributes dialog box, select the Encrypt Contents To Secure Data check box. You will then be prompted to confirm your action; after you confirm it, the file, or the folder and all the content within it, is encrypted. In File Explorer, it will then display in a different color than the non-encrypted files so it is easily distinguishable.
Note: If EFS, and especially the recovery agent, have not been planned, it is recommended that you use Group Policy to prevent users from encrypting files, so that files are not lost. You can disable EFS on client computers by using Group Policy. In the GPMC, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, right-click this policy setting, click Properties, and then click Don’t Allow.
After a file has been encrypted, file sharing is enabled through the user interface as usual. Users can be added either from the local computer or from AD DS, provided the user has a valid certificate for EFS. More information about EFS functionality can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309144
BitLocker Drive Encryption
BitLocker Drive Encryption provides for full disk and full volume encryption, in addition to startup environment protection. It is available in Windows Server 2012 and Windows 8, and was present in earlier versions of Windows such as Windows Server 2008 and Windows 7. Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. BitLocker provides for offline data protection and system integrity verification, both of which are described in the following sections.
Offline Data Protection
Offline data protection encrypts all data stored on the Windows operating system volume (and configured data volumes). This includes user files; Windows operating system, hibernation, and paging files; applications; and data used by applications. BitLocker also provides umbrella protection for non-Microsoft® applications, which benefit when they are installed on the encrypted volume. By default, offline data protection is configured to use a Trusted Platform Module (TPM) to help ensure the integrity of early startup components (components used in the earlier stages of the startup process), and "locks" any BitLocker-protected volumes so that they remain protected even if the computer is tampered with when the operating system is not running.
BitLocker is extended from operating system drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. These devices are readable only with Windows 8 and Windows Server 2012. It is also possible to encrypt the full disk or, alternatively, just the space that has been used; as further disk space is used, the new data is encrypted. BitLocker also supports Windows Cluster Shared Volumes and Windows Failover Clusters to provide protection for highly available servers and services. It also supports ReFS. Offline data protection can use the existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.
System Integrity Verification
BitLocker uses a TPM (version 1.2 or 2.0), which is functionality supported within the central processing unit (CPU) of a computer, to verify the integrity of the operating system startup process. This helps prevent additional offline attacks, such as attempts to insert malicious code into those components.
System integrity verification provides a method to check that early boot file integrity has been maintained, and to help ensure that there has been no adverse modification of those files, such as by boot sector viruses or rootkits. This functionality is important because the components in the earliest part of the startup process must be available unencrypted so that the computer can start. It also enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume. System integrity verification also locks the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering because the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
Note: TPM is not required for BitLocker to be installed and used. However, the startup integrity check does require TPM. As such, if TPM is not present, the startup integrity checks cannot be executed.
Using BitLocker To Go with Removable Drives
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To Go® provides enhanced protection against data theft and exposure by extending BitLocker Drive Encryption support to removable storage devices such as USB flash drives, and can be managed through Group Policy. BitLocker To Go works with FAT16, FAT32, or NTFS.
When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that the drive is encrypted and prompt you to unlock it.
In Windows Server 2012, BitLocker is enabled by installing the BitLocker Drive Encryption feature in Server Manager. It is highly configurable through Group Policy in GPMC under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. It is also possible to enable, disable, and configure BitLocker by using Windows PowerShell. Examples of some BitLocker cmdlets are included in the following table.
BitLocker cmdlet | Functionality
Enable-BitLocker | Enables BitLocker encryption on a volume
Disable-BitLocker | Disables BitLocker encryption on a volume
Backup-BitLockerKeyProtector | Saves a key protector for an encrypted volume in AD DS
Get-BitLockerVolume | Returns information about volumes that BitLocker can encrypt
To view all the available BitLocker commands in the Windows PowerShell console, type the following in a Windows PowerShell console.
Help *BitL*
To view the Help information for individual cmdlets, type the following example, substituting the cmdlet name.
Help Get-BitLockerVolume -ShowWindow
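The cmdlets in the table put to work on a data volume, as an added example that is not part of the courseware: inventory the volumes, check for a TPM, encrypt used space with a recovery password, escrow that password in AD DS, and suspend protection ahead of a hardware change (the situation the note at the end of this lesson warns about). It assumes the BitLocker feature is installed on Windows Server 2012; the drive letter D: is a placeholder.

```powershell
# Added example (not from the courseware): BitLocker on a data volume,
# end to end, with the recovery password escrowed in AD DS.
Import-Module BitLocker

$mount = 'D:'   # placeholder: the data volume to protect

# Inventory: what BitLocker sees and the current protection state.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod

# A TPM is needed for the startup integrity check on the OS volume; a data
# volume can be protected without one (TrustedPlatformModule module, Windows 8/2012).
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"

# Encrypt only used space (fast on a fresh volume; new writes are encrypted
# as space is consumed) and add a recovery password protector, the 48-digit
# key used when the volume must be unlocked manually.
Enable-BitLocker -MountPoint $mount -RecoveryPasswordProtector -UsedSpaceOnly -SkipHardwareTest

# Escrow the recovery password in AD DS so the helpdesk can retrieve it
# (stored on the computer object as msFVE-RecoveryInformation). The matching
# Group Policy setting under BitLocker Drive Encryption must allow backup.
$vol      = Get-BitLockerVolume -MountPoint $mount
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery.KeyProtectorId

# Before adding a disk, DVD drive or firmware update, suspend protection on
# the OS volume for one reboot so the integrity check does not force recovery.
# Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
# Resume-BitLocker  -MountPoint 'C:'

# Progress check: encryption continues in the background after Enable-BitLocker.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```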
More information about BitLocker Drive Encryption can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309145
More information about Windows PowerShell cmdlets for BitLocker can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309146
BitLocker and EFS Comparison
Although BitLocker and EFS might appear at first glance to be similar, two different ways of achieving the same result, each has distinct functionality and, therefore, distinct applications. Both have specific features and requirements, and as a result have different suitability for use. They can be used together to achieve high levels of data and system protection.
EFS
EFS provides core file-level encryption for files and folders stored on NTFS volumes; this is carried out on a per-user basis. EFS supports industry-standard encryption algorithms and smart card–based encryption. By default, users generate self-signed encryption keys, which allow for both the encryption and decryption of files or folders. Other users cannot view the contents of the files unless the key is made available to them. EFS allows users to quickly and conveniently encrypt files or folders that contain sensitive data, knowing the data will be secure regardless of the file or folder permissions granted. It does not require a restart of the system, and there are no hardware requirements to enable it. Although EFS provides for the encryption of file contents, it does not encrypt file metadata such as file name, file size, file extension type, or assigned permissions. EFS does not support ReFS.
BitLocker
BitLocker is a full disk encryption system built into Windows Server 2012 and Windows 8. It provides for encryption of the entire operating system volumes and additional data volumes. BitLocker To Go provides for the encryption of removable data drives like USB flash drives or portable hard drives.
BitLocker uses keys for encryption in similar fashion to EFS, but provides more options for key management. Users can store encryption keys on a removable USB drive, store them in Active Directory, incorporate passkeys, or incorporate a special hardware feature called Trusted Platform Module (TPM) to ensure that an encrypted volume can only be decrypted while attached to a specific system. For Windows 8 computers that do not have TPM functionality, depending on domain policies, the administrator must enable the Allow BitLocker Without Compatible TPM option in the Require Additional Authentication At Startup Group Policy setting for operating system volumes.
Comparing BitLocker and EFS
The following table compares BitLocker and EFS encryption functionality.
BitLocker | EFS
Encrypts all personal and system files on system, data, and removable drives. | Encrypts files and folders individually. Does not encrypt the entire drive.
Is implemented for all users or groups. Does not depend on individual user accounts. | Is implemented at the user level. Individual users can encrypt their own files.
Requires TPM for full functionality; that is, it can encrypt drives and volumes without it, but TPM is needed for the startup integrity check. | Does not require any special hardware.
Administrator credentials are required to turn BitLocker on or off. | Administrator-level intervention is not required for users to implement EFS.
Does not require user certificates. | Requires user certificates.
Supported on ReFS. | Not supported on ReFS.
Can be installed and configured using Windows PowerShell. | No dedicated Windows PowerShell EFS cmdlets are available.
As stated earlier, both EFS and BitLocker have benefits and, depending on your particular requirements, either one could be preferred.
Note: A number of potential events could cause BitLocker to enter recovery mode when restarting the computer, such as adding volumes, hard drives, or DVD drives. To avoid that situation when making significant hardware changes to the computer, it is advisable to suspend BitLocker before making the changes.
Lab: Implementing Security in Windows Server
Scenario
You have been asked to implement a stricter password policy for the Research group in order to meet the requirements of new A. Datum company security policies, which are intended to ensure the integrity of the company’s intellectual property. You have also been asked by your supervisor to create a shared folder structure on LON-SVR1 that satisfies the Research team’s request for access.
It has been requested by your supervisor that, on LON-SVR1, specific files containing sensitive information in the Classified subfolder of the new Research shared folder be encrypted to prevent unauthorized access. You have been asked to test encryption on the Classified folder.
Objectives
After completing this lab, students will be able to:
• Create and apply a fine-grained password policy.
• Secure NTFS files and folders.
• Encrypt files and folders by using EFS.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1 and 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: ADATUM
5. Repeat these steps for 10967A-LON-SVR1 and 10967A-LON-CL1.
Exercise 1: Configuring a Fine-Grained Password Policy
Scenario
You have been asked to implement a stricter password policy for the Research group in order to meet the requirements of new A. Datum company security policies, which are intended to ensure the integrity of the company’s intellectual property. A. Datum already has a password policy in place, based on the following criteria:
• Passwords must be at least eight characters long.
• Passwords must contain at least three of the four following character types: lowercase letters (a–z), uppercase letters (A–Z), numbers (0–9), and symbols (for example, ! @ # $).
• Passwords must be changed every 60 days.
• Users cannot use a password again until five other different passwords have been used.
• Users should be locked out of the system after repeated failed logon attempts.
You have been asked to extend the minimum password length to 10 characters for the Research group, while still maintaining the above criteria for the remainder of the company. The main tasks for this exercise are as follows:
1. Create a shadow security group for the Research group.
2. Create a fine-grained password policy and apply it to the Research group.
3. Verify the new user password policy settings.
Task 1: Create a shadow security group for the Research group
1. Ensure you are logged on to 10967A-LON-DC1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Open Active Directory Administrative Center.
3. Create a shadow group called Research Shadow Group and ensure it is a global security group.
4. Add all users from the Research group to the new Research Shadow Group.
Task 2: Create a fine-grained password policy and apply it to the Research group
1. On 10967A-LON-DC1, open the Active Directory Administrative Center.
2. Open the Password Settings Container.
3. Create a new Password Settings object with the following parameters:
   • Name: Research Password Policy
   • Precedence: 1
   • Minimum password length (characters): 10
   • Number of passwords remembered: 20
   • Password must meet complexity requirements: Yes
   • User cannot change the password within (days): 1
   • Users must change the password after (days): 30
   • Protect from accidental deletion: Yes
4. Apply the new password policy to the Research Shadow Group.
Task 3: Verify new user password policy settings
1. Sign in to 10967A-LON-CL1 with username ADATUM\Maxim and password Pa$$w0rd.
   Note: ADATUM\Maxim is a member of the Research group.
2. Change Max’s password to password.
3. Is Max successful?
4. Change Max’s password to Pa$$w0rd1.
5. Is Max successful?
6. Change Max’s password to Pa$$w0rd012.
7. Is Max successful? Why?
8. Now log on to 10967A-LON-CL1 with user name ADATUM\Franz and password Pa$$w0rd.
9. Change Franz’s password to Pa$$w0rd1.
10. Is Franz successful? Why?
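The three tasks of this exercise scripted with the AD DS cmdlets, as an added example that is not part of the courseware. It uses the values from Task 2 and finishes with the resultant-policy query that explains the different outcomes for Maxim and Franz in Task 3; it assumes the ActiveDirectory module on LON-DC1 and that Maxim is in the Research group and Franz is not, as the lab states.

```powershell
# Added example (not from the courseware): Exercise 1 as a script.
# Run on LON-DC1 as ADATUM\Administrator.
Import-Module ActiveDirectory

# Task 1: a global security group that shadows the Research group.
# Fine-grained password policies can only be applied to users and global
# security groups, which is why a shadow group is used rather than an OU.
$shadow = New-ADGroup -Name 'Research Shadow Group' -GroupScope Global `
    -GroupCategory Security -PassThru
Get-ADGroupMember -Identity 'Research' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Add-ADGroupMember -Identity $shadow -Members $_ }

# Task 2: the Password Settings object with the lab's values. Precedence 1
# means it wins over any other PSO that might also apply to a user.
$pso = New-ADFineGrainedPasswordPolicy -Name 'Research Password Policy' `
    -Precedence 1 `
    -MinPasswordLength 10 `
    -PasswordHistoryCount 20 `
    -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $shadow

# Task 3: which policy does each user actually get? Maxim (Research) resolves
# to the PSO, so the nine-character Pa$$w0rd1 is rejected for him; Franz has
# no PSO, falls back to the domain policy (eight characters) and succeeds.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $rp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($rp) {
        $name = $rp.Name; $min = $rp.MinPasswordLength
    } else {
        $name = 'Default Domain Policy'
        $min  = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
    }
    [pscustomobject]@{ User = $SamAccountName; Policy = $name; MinLength = $min }
}

'Maxim', 'Franz' | ForEach-Object { Get-EffectivePasswordPolicy -SamAccountName $_ }
```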
Results: After this exercise, you should have configured Password and Account Lockout settings in Account Policies.
Exercise 2: Securing NTFS Files and Folders
Scenario
The Research team at A. Datum has asked for a new folder to be created on LON-SVR1 to store general research information, in addition to information regarding the team’s projects and special classified information. The team would like this folder and its contents to be fully accessible to the entire Research team, with the exception of the classified information, which should be unavailable to all members of the Research team except Allie Bellew, the Research Manager, who should have full access to classified information. The Research team will access the files and folders exclusively over the network. You have been asked by your supervisor to create a shared folder structure that satisfies the Research team’s request. The main tasks for this exercise are as follows:
1. Create the C:\Research folder structure.
2. Assign appropriate NTFS file and folder permissions to the folder structure.
3. Share the C:\Research folder on the network and set appropriate shared folder permissions.
4. Test access to the C:\Research folders.
Task 1: Create the C:\Research folder structure
1. Ensure you are logged on to 10967A-LON-SVR1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Create two subfolders in C:\Research named Classified and Projects.
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1. Block inheritance for the C:\Research folder.
2. Assign the ADATUM\Research group Full Control over the C:\Research folder.
3. Block inheritance for the C:\Research\Classified folder.
4. Assign only ADATUM\Allie Full Control over the C:\Research\Classified folder.
Task 3: Share the C:\Research folder on the network and set appropriate shared folder permissions
1. Share the C:\Research folder on the network.
2. Assign Full Control permissions for C:\Research to the ADATUM\Research group.
Task 4: Test access to C:\Research folders
1. Log on to 10967A-LON-CL1 with username ADATUM\Bill and password Pa$$w0rd.
   Note: ADATUM\Bill is a member of the Managers group. He is not a member of the Research group.
2. Attempt to connect to the share \\LON-SVR1\Research.
3. Does ADATUM\Bill have access to the Research folder?
4. Log on as ADATUM\Olivier with password Pa$$w0rd.
5. Does ADATUM\Olivier have access to the Research folder?
6. Does ADATUM\Olivier have access to the Research\Classified folder?
7. Log on as ADATUM\Allie with password Pa$$w0rd.
8. Does ADATUM\Allie have access to the Research folder?
9. Does ADATUM\Allie have access to the Research\Classified folder?
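The four tasks of this exercise scripted with icacls and the SMB cmdlets, as an added example that is not part of the courseware, ending with a check that predicts each test user’s access from the ACLs instead of logging on three times. It assumes the ActiveDirectory module is available on LON-SVR1 and that Allie is a member of the Research group; one deliberate departure from the lab is that SYSTEM and Administrators keep access to Classified so backups and administrators are not locked out.

```powershell
# Added example (not from the courseware): Exercise 2 as a script.
# Run on LON-SVR1 as ADATUM\Administrator.
Import-Module ActiveDirectory

$root       = 'C:\Research'
$classified = Join-Path $root 'Classified'
$projects   = Join-Path $root 'Projects'

# Task 1: folder structure.
New-Item -ItemType Directory -Path $classified, $projects -Force | Out-Null

# Task 2: NTFS permissions. /inheritance:r strips inherited ACEs so only the
# explicit grants remain; (OI)(CI) propagate the ACE to child files and
# folders; F = Full Control. Research gets the tree, only Allie gets Classified.
icacls.exe $root /inheritance:r /grant 'ADATUM\Research:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls.exe $classified /inheritance:r /grant 'ADATUM\Allie:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Task 3: the share. Share and NTFS permissions are both evaluated and the more
# restrictive result wins, so Full Control on the share still leaves Olivier
# unable to open Classified over \\LON-SVR1\Research.
New-SmbShare -Name 'Research' -Path $root -FullAccess 'ADATUM\Research' | Out-Null

# Task 4: predict access from the explicit Allow ACEs and the user's direct
# group memberships (nested groups are not expanded; enough for this lab).
function Test-ExplicitAccess {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$SamAccountName)
    $ids = @("ADATUM\$SamAccountName") +
           @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
             ForEach-Object { "ADATUM\$($_.SamAccountName)" })
    $acl  = Get-Acl -Path $Path
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $ids -contains $_.IdentityReference.Value
    }
    [pscustomobject]@{ User = $SamAccountName; Path = $Path; Allowed = [bool]$hits }
}

# Expected: Bill no/no (Managers only), Olivier yes/no, Allie yes/yes.
foreach ($u in 'Bill', 'Olivier', 'Allie') {
    Test-ExplicitAccess -Path $root       -SamAccountName $u
    Test-ExplicitAccess -Path $classified -SamAccountName $u
}
Get-SmbShareAccess -Name 'Research'
```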
Results: After this exercise, you should have secured NTFS and shared folders.
Exercise 3: Encrypting Files and Folders
Scenario
It has been requested by your supervisor that, on LON-SVR1, specific files containing sensitive information in the Classified subfolder of the new Research shared folder be encrypted to prevent unauthorized access. You have been asked to test encryption on the Classified folder. The main tasks for this exercise are as follows:
1. Encrypt files and folders by using EFS.
2. Confirm that files are encrypted.
3. Decrypt files and folders.
4. Revert the lab machines.
Task 1: Encrypt files and folders by using EFS
1. Ensure you are logged on to 10967A-LON-SVR1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Create a test file called Personal.txt in the C:\Research\Classified folder.
3. Encrypt the C:\Research\Classified folder and the files within it.
4. Sign out of LON-SVR3.
Task 2: Confirm that files are encrypted
1. Sign in to 10967A-LON-SVR1 with user name ADATUM\Olivier and password Pa$$w0rd.
2. Confirm that the Classified folder and its files have been encrypted by attempting to open the Personal.txt file in the C:\Research\Classified folder. The encrypted file and folder names should also be listed in green text.
3. Sign out from LON-SVR3.
Task 3: Decrypt files and folders
1. Sign in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Decrypt the contents of C:\Research\Classified.
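Tasks 1 to 3 above carried out from Windows PowerShell with the built-in cipher.exe tool, as an added example that is not part of the courseware; it assumes you run it on LON-SVR1 with an account that can write to C:\Research, and the content of Personal.txt is constructed sample data.

```powershell
# Added example (not part of the 10967A courseware): Tasks 1 to 3 of Exercise 3 driven
# from Windows PowerShell on LON-SVR1, using the built-in cipher.exe EFS tool.
# Assumes C:\Research exists and the current user may write to it.

$folder = 'C:\Research\Classified'
$file   = Join-Path -Path $folder -ChildPath 'Personal.txt'

# Returns $true when the Encrypted attribute is set on a file or folder.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# Reports the encryption state of a folder tree, one object per item, so an
# administrator can confirm that nothing in Classified was left in clear text.
function Get-EfsState {
    param([Parameter(Mandatory)][string]$Root)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        [pscustomobject]@{
            Path      = $item.FullName
            Encrypted = Test-EfsEncrypted -Path $item.FullName
        }
    }
}

# Task 1: create the test file, then encrypt the folder and everything in it.
# /E encrypts, /A applies to files as well as directories, /S:<dir> walks the tree.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -LiteralPath $file -Value 'Constructed sample content for the EFS lab.'
& cipher.exe /E /A "/S:$folder" | Out-Null

# Task 2: confirm the Encrypted attribute is set (Explorer shows these names in green).
Get-EfsState -Root $folder | Format-Table -AutoSize
if (-not (Test-EfsEncrypted -Path $file)) {
    throw "EFS encryption of $file did not take effect"
}

# Task 3: decrypt the contents again as the user who encrypted them (or a recovery agent).
& cipher.exe /D /A "/S:$folder" | Out-Null
Get-EfsState -Root $folder | Where-Object Encrypted | ForEach-Object {
    Write-Warning "Still encrypted after cipher /D: $($_.Path)"
}
```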
Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 10967A-LON-DC1 and 10967A-LON-CL1.
Results: After this exercise, you should have encrypted and decrypted files and folders by using Encrypting File System (EFS).
Question: What is the most efficient way to give several users who all require the same permissions access to a shared folder?
Question: What are some of the ways of protecting sensitive data in Windows Server?
Module Review and Takeaways
Best practices for UAC
The following are best practices for UAC users:
• UAC security settings are configurable in the local Security Policy Manager (secpol.msc) or the Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred because it can be centrally managed and controlled.
• Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.
• For example, you might require administrative permissions to change the UAC setting to Always Notify Me or Always Notify Me And Wait For My Response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page indicating the requirement.
Best practices for EFS
The following are best practices for EFS users:
• Users should export their certificates and private keys to removable media and store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When the encrypted files must be accessed, the private key can easily be imported from the removable media.
• Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted.
• Users should encrypt folders rather than individual files. Programs work on files in various ways. Encrypting consistently at the folder level makes sure that files are not unexpectedly decrypted. Also, programs write temporary copies of files to the temp folder while working on them; if that folder is not encrypted, anyone with a tool to recover deleted files could access the unencrypted copy.
• The private keys that are associated with recovery certificates are extremely sensitive. These keys must be generated on a computer that is physically secured, or their certificates must be exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure location.
• Plan and roll out EFS with care, including the proper use of a recovery agent. It is possible to lose access to all EFS-encrypted files with no way of recovering them, so proper planning, including the use of recovery agents, is essential.
Best practices for BitLocker
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, consider the following:
• The most secure implementation of BitLocker takes advantage of the enhanced security capabilities of TPM version 1.2 or higher.
• On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification that BitLocker offers when it works with a TPM.
• If you are making any significant hardware changes, such as adding hard drives or optical drives, suspend BitLocker before doing so; otherwise, the changes might cause BitLocker to start in recovery mode when the computer restarts.
Best practices for securing files and folders
• Use the most restrictive permissions possible. Do not grant more permissions for a file or folder than the users legitimately require. For example, if a user only has to read the files in a folder, grant Read permission for the folder to the user or to the group to which the user belongs.
• Avoid assigning permissions to individual users. Use groups whenever possible. It is very inefficient to maintain permissions for user accounts directly.
• Use restrictive shared folder permissions only when necessary. To avoid complicated combined permissions scenarios, use NTFS file and folder permissions to restrict or grant access as much as possible. NTFS file and folder permissions offer much more precise control over user access and always apply, whether the file or folder is accessed locally or over the network.
• Use Deny permissions with caution. Deny permissions always override Allow permissions and can result in users being mistakenly restricted from access to files or folders.
• Remember that Full Control lets users modify permissions. Assign Full Control permissions with caution, because any change to existing permissions could potentially affect security.
• Remove the Everyone group (if present) from the shared folder’s permissions list and use the Authenticated Users or Domain Users group instead. The Everyone group includes guest users. Using the Authenticated Users or Domain Users group limits file or folder access to authenticated users only, and prevents users or viruses from accidentally deleting or damaging files.
• Be conscious of explicitly set permissions and the effects of blocked inheritance. When assigning permissions to a parent folder, be aware that some subfolders and files might have inheritance blocked and explicit permissions specified. In this case, such subfolders and files will not inherit the parent folder’s permissions when changes are made.
• You can use the Effective Permissions tool to evaluate the permissions assigned to a user or group for a specific file or folder. Effective Permissions lets you select users or groups and then shows you the effective permissions for those users or groups according to all the permissions set on the specific file or folder.
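An added example, not from the courseware, that checks a folder tree against the best practices above (Everyone ACEs, Deny ACEs, Full Control, blocked inheritance and explicit ACEs below the root) by using Get-Acl; the root path C:\Research from the lab is an assumption.

```powershell
# Added example (not from the 10967A courseware): audit a folder tree against the best
# practices above by using Get-Acl. The root path is an assumption; on LON-SVR1 you
# would point it at the C:\Research folder from the lab.
using namespace System.Security.AccessControl

function New-Finding([string]$Path, [string]$Identity, [string]$Finding) {
    [pscustomobject]@{ Path = $Path; Identity = $Identity; Finding = $Finding }
}

function Get-AclFindings {
    param([Parameter(Mandatory)][string]$Root)

    $rootPath = (Get-Item -LiteralPath $Root -Force).FullName
    $items = @(Get-Item -LiteralPath $rootPath -Force) +
             @(Get-ChildItem -LiteralPath $rootPath -Recurse -Force)

    foreach ($item in $items) {
        $acl     = Get-Acl -LiteralPath $item.FullName
        $isChild = $item.FullName -ne $rootPath

        # Blocked inheritance: this item will not pick up permission changes made on the parent.
        if ($isChild -and $acl.AreAccessRulesProtected) {
            New-Finding $item.FullName '' 'Inheritance blocked'
        }

        foreach ($ace in $acl.Access) {
            $id      = $ace.IdentityReference.Value
            $rights  = $ace.FileSystemRights
            $isAllow = $ace.AccessControlType -eq [AccessControlType]::Allow

            # Everyone includes guest users; Authenticated Users or Domain Users is preferred.
            if ($id -eq 'Everyone') { New-Finding $item.FullName $id "Everyone granted $rights" }

            # Deny always overrides Allow and is a common cause of accidental lock-outs.
            if (-not $isAllow) { New-Finding $item.FullName $id "Deny ACE ($rights)" }

            # Full Control lets the principal change the permissions themselves.
            $full = [FileSystemRights]::FullControl
            if ($isAllow -and (($rights -band $full) -eq $full)) {
                New-Finding $item.FullName $id 'Full Control allowed'
            }

            # Explicit (non-inherited) ACEs below the root are where surprises hide,
            # including permissions assigned directly to individual user accounts.
            if ($isChild -and -not $ace.IsInherited) {
                New-Finding $item.FullName $id "Explicit ACE ($rights)"
            }
        }
    }
}

# Usage: list every finding under the lab's Research folder.
Get-AclFindings -Root 'C:\Research' | Format-Table -AutoSize
```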
Tools
Tool | Use for | Where to find it
Server Manager | Managing server configuration, including adding roles and features. | Start menu
Windows PowerShell | Managing Server Manager. Also, almost all server roles have cmdlets available to support them. | Windows PowerShell console and Windows PowerShell ISE
Auditpol.exe | Viewing and managing audit policy. | Command Prompt
Icacls.exe | Viewing and managing access control list details. | Command Prompt
Module 10
Implementing Network Security
Contents:
Module Overview 10-1
Lesson 1: Overview of Network Security 10-2
Lesson 2: Implementing Firewalls 10-4
Lesson 3: Internet Protocol Security 10-13
Lab: Implementing Network Security 10-20
Module Review and Takeaways 10-25
Module Overview
When you connect your computers to a network, you might expose them to additional security threats. It is important that you identify possible threats, and implement appropriate Windows® network security features to help eliminate them.
Objectives
After completing this module, you will be able to:
• Identify network-based security threats and mitigation strategies.
• Implement Windows Firewall to secure Windows hosts.
Lesson 1
Overview of Network Security
There are many network-based security threats. You must understand the nature of these threats and be able to implement appropriate security measures to lessen them.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the security threats that can appear on networks.
• Describe common solutions to these threats.
Network Security Threats
There are many different network security threats, classified into several categories; some threats overlap each other and are combinations of different types. Common network-based security threats include the following:
• Eavesdropping. An eavesdropping attack occurs when a malicious person captures network packets being sent and received by workstations connected to the network. Eavesdropping attacks can result in sensitive data, such as passwords, being compromised. This can lead to other, perhaps more damaging, attacks.
Note: Eavesdropping is also known as sniffing. Because a switch forwards traffic only between the two communicating ports (1:1), eavesdropping is no longer easy.
• Denial-of-service (DoS). This attack is intended to limit the function of a network application, or to make the application or network resource unavailable. There are many ways in which a malicious person can start a DoS attack. For example, a person could intentionally enter incorrect passwords on a publicly addressable site to cause accounts to be locked out.
• Port scanning. Applications that are running on a TCP/IP host use TCP or User Datagram Protocol (UDP) ports to identify themselves. An attacker can scan to identify which ports are in use. If a port is open, the attacker can attempt to exploit it; if a service is using the port, the attacker could potentially exploit a known vulnerability in that service.
• Man-in-the-middle. The malicious attacker uses a computer to impersonate a legitimate host on the network. The attacker intercepts all of the communications intended for the destination host. The attacker can view, change, or replay the data in transit between the two hosts.
• Replay attacks. An attacker re-uses or replays data that was captured from your network during transmission, to establish a session or gain information illegally.
• Hacking. This is a generic term that means any kind of network attack.
Mitigating Network Security Threats
One of the most important things to realize is that an attacker looking for access into the network uses different tools and techniques. After they have found a way in, regardless of how minor and apparently innocuous, they can exploit that success and continue the attack. Therefore, it is important to implement a holistic approach to network security to make sure that one loophole or oversight does not result in another attack. You can use any of the following defense mechanisms to help protect the network from malicious attacks.
• Internet protocol security (IPsec). IPsec lets you authenticate IP-based communications between two hosts and, where desirable, encrypt that network traffic.
• Firewalls. Firewalls allow or block network traffic based on a set of rules. These rules can filter by using the source, destination, protocol, port, and even the validity of the communication.
• Perimeter networks. A perimeter network is an isolated area on the network to and from which there is a defined network traffic flow. When you have to make network services available on the Internet, it is inadvisable to connect the hosting servers directly to the Internet. By placing these servers in a perimeter network, you can make them available to Internet users without letting those users gain access to your corporate intranet.
• Virtual private networks (VPNs). When users must connect to your corporate intranet from the Internet, make sure that they do so as securely as possible. The Internet is a public network, and data in transit across it is susceptible to eavesdropping or man-in-the-middle attacks. By authenticating and encrypting connections between the remote users and your corporate intranet by using a VPN, you can reduce these risks. Also, you do not want to “publish” information about your internal network on the Internet. Tunneling technologies are used so that only the endpoints are public-facing.
• Server hardening. By only running the services that you need, you can make your servers more secure. Because it is sometimes difficult to determine precisely which Windows Server® services are required, you can use tools such as the Security Configuration Wizard (SCW) or the Microsoft® Baseline Security Analyzer to help you establish a baseline.
• Intrusion detection. Although it is important to implement the previous techniques, it is also sensible to monitor the network for signs that it has been attacked. You can implement intrusion detection systems to help you perform this task. You can implement intrusion detection systems on devices at the perimeter of the network, such as Internet-facing routers.
Lesson 2
Implementing Firewalls
A firewall can help protect your computer and network from unauthorized access or from malicious software that may be attempting to do harm to your organization. Firewalls can function on different levels and can be specific to private networks or to public networks, such as the Internet. Organizations and individuals have different requirements and acceptable levels of security, and as such each scenario and firewall implementation will have its own infrastructure and configuration requirements.
You can implement firewalls by using software, hardware, or a combination of both. Firewalls work on the principle of filtering network traffic based on the characteristics of that traffic, and then either allowing or blocking the traffic as determined by your configuration. While the principles are the same for public or private network firewalls, the products and configurations will be different. This lesson focuses on private network firewall implementations specific to protecting the host and the private network.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the different firewall types.
• Design a perimeter network and identify common perimeter applications.
• Describe Windows Firewall and its main features.
• Describe network location-aware profiles.
• Configure Windows Firewall with Advanced Security rules.
• Implement an inbound firewall rule.
• Describe IPsec and its benefits.
• Describe connection security rules.
Firewall Types
Firewalls can operate on hosts directly, in which case they protect the local computer from malicious attack regardless of where that attack originated, whether from a public or a private source. Firewalls can also operate in the perimeter network, between two networks, where they provide general protection from attack from the Internet. Firewalls can be implemented on routers, operating between two networks, or as firewall appliances, which are standalone entities containing the hardware and software that perform the necessary access control functions. Firewall appliances are more specialized and are used more in large organizations.
So there are different kinds of firewalls available, depending on where the actual communication or processing of data occurs. Definitions of these are:
• Application-layer gateways. Operate at the application layer of the Open Systems Interconnection (OSI) model. Application-layer gateways proxy requests to or from the network and do not allow traffic for which you have not defined a proxy. In other words, firewalls that understand applications can look inside the traffic (for example, HTTP traffic) and decide which applications are allowed and which to block. Additionally, they can understand dynamic ports, and you could allow specific applications by using Remote Procedure Call (RPC) through the firewall. This enables applications such as instant messaging and file transfer to function through your firewall without you having to open multiple ports.
• Circuit-level gateways. Operate at the session layer of the OSI model and monitor datagrams between communicating hosts to verify that requested sessions are legitimate. Circuit-level gateways monitor the TCP handshaking process that is used to establish TCP sessions between hosts to determine whether the session is legitimate. Additionally, information passed from the network to remote hosts appears to originate from the circuit-level gateway. This is useful in hiding information about the network from remote hosts.
• Packet filters. Operate at the network layer of the OSI model, and in consumer markets are frequently implemented as part of a router. Each packet is filtered and compared with an action list to determine the appropriate action to take with the packet. Actions include allowing or blocking the packet. Most consumer broadband routers provide this functionality.
• Stateful multilayer inspection. These firewalls combine aspects of the other three firewall types, providing a high level of security. A stateful multilayer inspection firewall examines data at all seven layers of the OSI model. Unlike other firewalls, stateful multilayer inspection firewalls not only inspect the packet header, but also inspect the packet payload. Each packet is examined and compared with example packets to determine the probability that the packet contains malicious data.
You can install firewalls on hosts, such as Windows Server, or implement firewalls as software in devices such as routers. There are also firewall appliances. These are very specialized and preferred by larger corporations.
What Is a Perimeter Network?
In order to make network applications available to users connected to the Internet, you must publish these applications. A common way to publish these applications, while maintaining security, is to use servers in a perimeter network. There are several different ways that you can configure your perimeter network. These include the following:
• Three-legged firewall. A single device or computer providing firewall services between multiple network adapters, one of which is Internet-facing, another of which is connected to the perimeter network, and the remaining one is connected to the intranet. Software that is installed on the host is used to create the separation between the networks. The separation is achieved through filtering on the firewall device so that only specified traffic is passed between the interfaces designated as public, private, and perimeter. This solution works well for smaller networks. However, because the firewall device is connected directly to all three networks, security can potentially be breached if this single point of failure is compromised.
• Dual back-to-back firewall. In this scenario, two firewalls are connected in sequence across three networks: the Internet, your perimeter network, and your corporate intranet. The network to which both firewalls are connected is the perimeter network. The firewalls are configured to allow only appropriate traffic to pass between their connected networks. This is a more complex and expensive solution because it requires additional hardware and software to configure. However, it provides a more secure environment and is the configuration of choice for larger networks. Through the combination of hardware and software, and with appropriate configuration, you should be able to create a perimeter network that has the network isolation that you need, while allowing communication between devices located in the three networks. In that perimeter network scenario, communication from the internal LAN to the outside is usually allowed only across one of the firewalls, which talks to a proxy server that then relays the data as needed. So internal hosts do not communicate directly with the Internet, but with a proxy server in the perimeter.
It is rare for an organization to operate without the need to connect its network infrastructure to the Internet. At the very least, most organizations use email applications to conduct some elements of their core business.
Conduct an audit of the network services that you have within your organization and determine which services must be available to users from the Internet. Then consider how you want to make those services available.
Many companies have a policy not to allow unfiltered Internet traffic to the internal network. That typically results in the placement of Microsoft Exchange Servers or other application servers on the internal network, and proxies, reverse proxies, and mail relays on the perimeter network, in addition to antivirus and mail screening solutions. With Exchange Server 2013 and the Outlook® Anywhere feature (formerly known as RPC over HTTP), users can access their Exchange Server accounts over the Internet without using virtual private network (VPN) connections or having to put Exchange relays in the perimeter network. This lets clients who use Microsoft Outlook 2013, 2010, or 2007 connect to their Exchange servers from outside the corporate network or over the Internet by using RPC over HTTP.
Note: Applications can be configured to use specific TCP ports; indeed, many applications are configurable to use only HTTP or HTTP Secure (HTTPS). This means that you can configure the Internet-facing firewall to allow only TCP port 80 and port 443 inbound.
Typical Perimeter Applications
Although an incomplete list, the following table identifies some common applications that you might have to make available in your perimeter network or that you might encounter in some networks.
Applications | Protocols | Comments
Email | Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), Simple Mail Transfer Protocol (SMTP), Microsoft Outlook Web Access (HTTPS), Outlook Anywhere (HTTPS), Microsoft ActiveSync® (HTTPS) | Exchange Server supports extensive publishing by using Microsoft Forefront® Threat Management Gateway (TMG). In addition, the Exchange Edge Transport server role enables SMTP relay functionality from the perimeter network.
Web server | HTTP, HTTPS | Put the web servers directly in the perimeter network or publish them with Forefront TMG.
Active Directory® Domain Services (AD DS) | Lightweight Directory Access Protocol (LDAP) | We do not recommend putting domain controllers in the perimeter network. If your edge application requires access to Active Directory domains, consider deploying Active Directory Lightweight Directory Services (AD LDS) into the perimeter instead.
Web Conferencing | HTTPS, Session Initiation Protocol (SIP), Persistent Shared Object Model (PSOM), Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | Microsoft Office Communications Server supports the use of edge servers to extend conferencing to Internet participants. In addition, a Forefront TMG server or other reverse proxy is required to enable some conferencing features.
Instant Messaging | SIP | SIP is the industry standard protocol that is used for instant messaging.
DirectAccess | IP over HTTPS | Provides connectivity and access to internal corporate networks automatically without using VPNs.
Internet Time Services | Network Time Protocol (NTP) | Used to synchronize time over a network.
What Is Windows Firewall?
Windows Firewall is a host-based, stateful firewall that is included with Windows Server 2012. It implements network traffic filtering in both directions, that is, inbound and outbound traffic. Windows Firewall helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Unlike a perimeter firewall, which provides protection only from threats on the Internet, a host-based firewall provides protection from threats wherever they originate. For example, Windows Firewall protects a host from a threat within the local area network (LAN). Windows Firewall offers several important features, such as the following:
• Management. You can configure Windows Firewall by using several different management programs. The choice of which program to use depends on whether you are administering a single computer or multiple computers. The following configuration options are available:
  o Control Panel. Firewalls can be managed locally on Windows 8 and Windows Server 2012 computers by using Windows Firewall under System and Security.
  o Windows Firewall with Advanced Security management console. Available through the Tools menu in Server Manager.
  o Group Policy. Where Active Directory is implemented, you can enforce Windows Firewall settings by configuring Group Policy by using the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile or Standard Profile.
  Note: When Group Policy is used to configure Windows Firewall, local system administrators cannot locally configure Windows Firewall.
  o Windows PowerShell®. Dedicated cmdlets are available in the NetSecurity module in Windows PowerShell. These cmdlets give administrators the ability to enable and configure Windows Firewall locally or remotely.
• Network location-aware profiles. Windows Firewall can adapt to changing network conditions, for example, when a computer moves from a work location to a public wireless hot spot. This capability provides a dynamic user experience as a computer moves from one location to another.
• Fine-grained configuration through inbound and outbound rules. By default, Windows Firewall blocks all inbound traffic unless it either matches a configured rule or is in response to a request from the local computer. By default, Windows Firewall allows all outbound traffic unless it matches a configured rule.
• Server and domain isolation. Windows Firewall supports creating rules for enforcing server or domain isolation. For example, isolating a database server so that it only accepts communications from a specific web server, or making sure that computers that are part of a domain only accept communications from other computers in the domain.
An interesting example of this controlled flow of data is an application in which an Internet Information Services (IIS) server can receive traffic through port 80 from all clients in the domain. The server running IIS additionally can communicate through port 1433 to a SQL server, which stores information for the IIS site. The SQL server is not allowed to respond to any other requests. Both servers can authenticate against the domain controllers, and Remote Desktop to those servers is available only from the administrative subnet.
• IPsec integration. IPsec secures network traffic by using encryption, and Windows Firewall is integrated with IPsec settings. As such, it can be used to allow or block traffic based on an IPsec negotiation, or configured so that IPsec-encrypted network traffic from an administrative subnet can bypass all firewall rules. We will discuss IPsec further in the next lesson.
More information about Windows PowerShell cmdlets that support firewall configuration can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309121
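The isolation scenario above (IIS on port 80 from the domain, SQL on port 1433 only from the web server, Remote Desktop only from the administrative subnet) expressed with the NetSecurity cmdlets, as an added example that is not code from the courseware; the addresses, subnet and rule names are constructed assumptions.

```powershell
# Added example (not from the 10967A courseware): the server isolation pattern described
# above, built with the NetSecurity module cmdlets. Addresses, subnet and rule names are
# constructed assumptions. Run the IIS rule on the web server and the SQL rule on the
# SQL server; the Remote Desktop rule goes on both.

$webServerIp = '172.16.0.21'      # constructed: IIS server address
$adminSubnet = '172.16.100.0/24'  # constructed: administrative subnet

# On the IIS server: HTTP from any client, but only while the Domain profile is active,
# that is, while the host can reach a domain controller.
New-NetFirewallRule -DisplayName 'IIS: allow HTTP from domain' -Direction Inbound `
    -Protocol TCP -LocalPort 80 -Profile Domain -Action Allow | Out-Null

# On the SQL server: TCP 1433 only from the web server. Because the default inbound
# action is Block, no other host can reach the database port.
New-NetFirewallRule -DisplayName 'SQL: allow 1433 from web server only' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $webServerIp -Profile Domain -Action Allow | Out-Null

# On both servers: Remote Desktop only from the administrative subnet.
New-NetFirewallRule -DisplayName 'RDP: allow from admin subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminSubnet -Profile Domain -Action Allow | Out-Null

# Verification: list every enabled inbound Allow rule for the ports of interest together
# with the remote addresses it accepts, so an "Any" scope on a sensitive port stands out.
function Get-InboundAllowScope {
    param([int[]]$Ports = @(80, 1433, 3389))
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            foreach ($p in $Ports) {
                if (@($port.LocalPort) -contains "$p") {
                    [pscustomobject]@{
                        Rule          = $rule.DisplayName
                        Profile       = $rule.Profile
                        LocalPort     = $p
                        RemoteAddress = (@($addr.RemoteAddress) -join ',')
                    }
                }
            }
        }
}

Get-InboundAllowScope | Format-Table -AutoSize
```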
Network Location-Aware Profiles
When you configure Windows Firewall in Control Panel the first time that your computer connects to a specific network, you must select a network location or profile. This automatically sets appropriate firewall and security settings for that kind of network. When you are connecting to networks in different locations, selecting a network location can help make sure that the computer is always set to an appropriate security level.
A firewall profile is a way to group settings, including firewall rules and connection security rules, for related networks at the same security level from the client point of view. For example, public networks are rarely related, but they have in common that you consider them unsecure and need to provide the most protection when using them. Someone might consider a “Home Network” as trusted, but also consider a relative’s home network as trusted, such as that of parents, siblings or friends, thus requiring a certain level of protection but also being able to share audio and pictures. Being able to classify the networks like this simplifies and eases management and configuration tasks. There are three network profiles available within Network and Sharing in Control Panel:
• Domain networks. These are networks at a workplace that are attached to a domain. This option is used automatically for any network that allows communication with a domain controller. By default, network discovery and file and printer sharing are turned off. These can be determined by Group Policy.
• Private networks. These are networks at home or work where you trust the people and devices on the network. When Private networks is selected, network discovery is turned on but file and printer sharing is turned off.
• Guest or Public networks. These are networks in public places. This location keeps the computer from being visible to other computers. When Public networks is the selected network location, network discovery and file and printer sharing are turned off.
It is also possible to create a Homegroup, which allows the sharing of pictures, audio, video, documents and printers between multiple computers and devices in your home. The network profile must be set to Private to be able to view and join a Homegroup. Also, if a domain-joined computer joins a Homegroup, it will be able to view shared files but will be unable to share its own files. Homegroups are configured in Control Panel in the Network and Internet category.
You can change the firewall settings for each kind of network location from the main Windows Firewall page in System and Security in Control Panel. Click Turn Windows Firewall On Or Off, select the network location, and then make your selection. Each network location has the following information:
• Windows Firewall state. This refers to whether Windows Firewall is turned on or off.
• Incoming connections. This provides the status of what is happening to incoming connections, such as “Block all connections to apps that are not on the list.”
• Active networks. This lists which network connections are currently active.
• Notification state. This lets you know when Windows Firewall will notify the user if an event occurs, for example, if the firewall blocks a new program or app.
The Public networks location blocks certain programs and services from running to help protect the computer from unauthorized access. If you are connected to a Public network and Windows Firewall is turned on, some programs or services might ask you to allow them to communicate through the firewall so that they work correctly.
Configuring Windows Firewall with Advanced Security
On the Windows Firewall page in Control Panel, you can configure basic firewall properties for the domain, private, and guest or public network profiles of the local computer. By clicking the Advanced Settings link in Windows Firewall, you open the Windows Firewall with Advanced Security management console. This console provides finer-grained control of firewall rules, connection security rules, and monitoring. In the Windows Firewall with Advanced Security management console, in the Overview section of the middle pane, click Windows Firewall Properties. The resulting dialog box has one tab for each of the network profiles, or locations:
• Domain Profile
• Private Profile
• Public Profile
These profiles and locations provide more configuration options than Control Panel. The options that you can configure for each of the three network profiles are as follows:
• Firewall State. You can turn the firewall On or Off independently for each profile.
• Inbound Connections. You can block (the default) connections that do not match any active firewall rule, block all connections regardless of any inbound rule, or allow inbound connections that do not match an active firewall rule.
• Outbound Connections. You can allow (the default) connections that do not match any active firewall rule, or block outbound connections that do not match an active firewall rule.
• Protected Network Connections. Select the connections that you want Windows Firewall to protect, for example, the Local Area Connection.
• Settings. You can configure display notifications, unicast responses to multicast or broadcast traffic, and how rules distributed through Group Policy are merged with local rules. When merging with Group Policy, you can choose whether local firewall rules and local connection security rules are applied.
• Logging. You can configure and enable logging of dropped packets and successful connections, and set the log file name and maximum size.
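The same per-profile options are exposed by the NetSecurity module, which is how you would apply them consistently across many servers. The following is an added example, not part of the course; the log path and size limit are illustrative values, and the Public-profile lockdown is shown only to illustrate the "block all connections" option.

```powershell
# Added example (not from the course): the per-profile options above, set and
# read back from Windows PowerShell. Log path and size are illustrative values.
Import-Module NetSecurity

$all = 'Domain', 'Private', 'Public'

# Firewall state, inbound/outbound defaults and notification for every profile.
Set-NetFirewallProfile -Profile $all `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True

# Public is the untrusted location: ignore allow rules for inbound traffic (the
# "block all connections" option) and drop outbound traffic that no rule allows.
# Do this only on a host you do not manage remotely over a public-profile interface.
Set-NetFirewallProfile -Profile Public `
    -AllowInboundRules False `
    -DefaultOutboundAction Block

# Settings: Group Policy merge behaviour and unicast responses to multicast/broadcast.
Set-NetFirewallProfile -Profile Domain `
    -AllowLocalFirewallRules True `
    -AllowLocalIPsecRules True `
    -AllowUnicastResponseToMulticast False

# Logging: record dropped packets; logging allowed packets would flood the file.
Set-NetFirewallProfile -Profile $all `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767 `
    -LogBlocked True `
    -LogAllowed False

# "Protected network connections" is expressed in reverse here: list the adapters
# the firewall should NOT protect, for example -DisabledInterfaceAliases 'Ethernet 2'.

# Read the result back.
Get-NetFirewallProfile -Profile $all |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                 AllowInboundRules, LogBlocked, LogFileName -AutoSize
```

Run it in an elevated session. The same cmdlets write to a Group Policy object instead of the local store when given -PolicyStore with the GPO name, so the script doubles as the domain baseline.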
The final tab in this Properties dialog box is the IPsec Settings tab. This tab lets you configure the IPsec defaults, that is, the key exchange, data protection, and authentication methods used when a connection security rule does not specify its own.
Windows Firewall with Advanced Security Rules
Rules are collections of criteria that define which traffic the firewall allows, blocks, or secures. You can configure three kinds of rules:
• Inbound
• Outbound
• Connection Security
Inbound Rules
Fundamentals of a Windows Server Infrastructure
Inbound rules explicitly allow or block traffic that matches the criteria in the rule. For example, you can configure a rule to allow IPsec-secured Remote Desktop traffic through the firewall, but block the same traffic if it is not secured by IPsec.
When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain kind of unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For Windows Server roles and features, you do not have to create the rule yourself; for example, installing IIS automatically adds firewall rules that allow the appropriate traffic. You can also configure the default action, allow or block, that Windows Firewall with Advanced Security takes when no inbound rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or block traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to block outbound traffic to one computer, but allow the same traffic to other computers; such a rule could specify an IP address or an IP address range.
Inbound and Outbound Rule Types
There are four kinds of inbound and outbound rules:
• Program rules. These rules control connections for a program regardless of the port numbers it uses. Use this kind of rule to allow a connection based on the program that is trying to connect. Program rules are useful when you are not sure of the port or other required settings, because you specify only the path of the program's executable (.exe) file.
• Port rules. These rules control connections for a TCP or UDP port regardless of the application. Use this kind of rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You specify the protocol and one or more local ports.
• Predefined rules. These rules control connections for a Windows component, for example File and Printer Sharing or Active Directory. Use this kind of rule to allow a connection by selecting one of the components from the drop-down list. Windows components typically add their own entries to this list automatically during setup or configuration. You can enable and disable the rules for a component as a group.
• Custom rules. These rules combine the criteria of the other rule types, such as a program together with a port, and can additionally be scoped to local and remote addresses.
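One rule of each of the four kinds, created with New-NetFirewallRule rather than the wizard. This is an added example and not course material; the executable path, ports, subnet and display names are illustrative assumptions, while the File and Printer Sharing group name is the one Windows registers.

```powershell
# Added example (not from the course): one rule of each of the four kinds, created
# with New-NetFirewallRule. The program path, ports, addresses and display names
# are illustrative assumptions.
Import-Module NetSecurity

$agent = 'C:\Program Files\Contoso\Agent\agent.exe'   # assumed executable

# 1. Program rule: whatever port the agent listens on, inbound connections to it
#    are allowed, so you need not know its port.
New-NetFirewallRule -DisplayName 'Contoso Agent (program)' `
    -Direction Inbound -Action Allow -Program $agent `
    -Profile Domain, Private | Out-Null

# 2. Port rule: TCP 80 and 443 inbound, whichever process owns the socket.
New-NetFirewallRule -DisplayName 'Web (port)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80, 443 `
    -Profile Domain | Out-Null

# 3. Predefined rules: the component registered the group; enable or disable
#    the whole group rather than editing its individual rules.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Format-Table DisplayName, Enabled, Profile -AutoSize

# 4. Custom rule: program, protocol/port and address scope combined. The agent
#    may not send to TCP 8443 on the guest subnet (assumed 192.168.100.0/24).
New-NetFirewallRule -DisplayName 'Contoso Agent guest subnet (custom)' `
    -Direction Outbound -Action Block -Program $agent `
    -Protocol TCP -RemotePort 8443 -RemoteAddress 192.168.100.0/24 `
    -Profile Any | Out-Null

# Confirm what was written: the rule itself and the port filter attached to it.
Get-NetFirewallRule -DisplayName '*(program)', '*(port)', '*(custom)' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
Get-NetFirewallRule -DisplayName 'Web (port)' | Get-NetFirewallPortFilter
```

Each rule object carries its port, address, application and security filters as separate objects, which is why the last line pipes the rule into Get-NetFirewallPortFilter to see the ports; Get-NetFirewallApplicationFilter and Get-NetFirewallAddressFilter show the other criteria the same way.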
Connection Security Rules
Firewall rules and connection security rules are complementary, and both contribute to a defense-in-depth strategy to help protect your computer. Connection security rules secure traffic by using IPsec while it crosses the network. Use connection security rules to specify that connections between two computers must be authenticated or encrypted. Connection security rules specify how and when authentication occurs; however, they do not by themselves allow connections. To allow a connection, create an inbound or outbound firewall rule. After a connection security rule is in place, you can specify that inbound and outbound firewall rules apply only to specific users or computers.
Note: Connection security rules are discussed in the “Connection Security Rules” topic later in the lesson.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules, connection security rules, and security associations. The Monitoring overview page displays which profiles are active (domain, private, or public) and the settings for the active profiles.
Note: When you view the Windows Firewall with Advanced Security snap-in within the Group Policy Management Editor console, the same rules and configurable options are available except for the Monitoring node, which is not displayed. Also be aware that Windows Firewall with Advanced Security events are available in Event Viewer.
You can enable and configure Windows Firewall with Windows PowerShell cmdlets from the NetSecurity module. These include the cmdlets described in the following list:
• New-NetFirewallRule. Creates a new inbound or outbound firewall rule and adds the rule to the target computer.
• Enable-NetFirewallRule. Enables a firewall rule that was previously disabled.
• Show-NetFirewallRule. Displays all of the existing firewall rules in the policy store, along with their associated filter objects.
• Get-Help *Net*. Lists all cmdlets that have Net in their name, which includes every Windows Firewall cmdlet (Get-Command -Module NetSecurity lists only the firewall and IPsec cmdlets).
Demonstration: How to Use Windows Firewall to Manage Inbound Network Traffic
In this demonstration, you will see how to create and test an inbound firewall rule.
Demonstration Steps
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username ADATUM\Administrator and password Pa$$w0rd.
2. Use ping to test the network connectivity from 10967A-LON-DC1 to 10967A-LON-CL1.
Note: Alternatively, you could use the Windows PowerShell Test-Connection cmdlet.
3. Configure a new firewall rule.
4. Test the firewall rule.
5. Disable the new firewall rule and verify that ping works again.
Lesson 3
Internet Protocol Security
Internet Protocol security (IPsec) is a framework of open standards that protects data transmitted over a network between hosts. To improve the integrity and confidentiality of data transmitted in your organization, it is important to know when and how IPsec can be implemented. This lesson discusses when and where it can be used, and the benefits and potential hazards of doing so.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe Internet Protocol security (IPsec)
• Describe how to implement IPsec
• Create connection security rules
• Manage IPsec
• Create a server-to-server connection security rule
What Is IPsec?
Internet Protocol security (IPsec) is a method used to secure data sent between two computers on an IP network. It is not exclusively a Windows technology; rather, it is a framework of open standards for protecting communications over IP networks by using cryptography. Typically, IPsec is used to achieve confidentiality, integrity, and authentication for data transported across insecure channels. Although its original purpose was to help secure traffic across public networks, IPsec implementations are frequently used to improve the security of private networks, because organizations are not always sure whether weaknesses in their own private networks are susceptible to exploitation. IPsec has two operation modes: host-to-host transport mode and network tunnel mode.
• Host-to-Host Transport mode. This is the default mode for IPsec. In transport mode, IPsec protects only the IP payload; the original IP header is not encrypted. Select transport mode for end-to-end communications, such as between a client and a server. Transport mode is also used in most IPsec-based VPNs, in which Layer Two Tunneling Protocol (L2TP) carries the tunneled traffic and IPsec protects the L2TP packets across the public network.
• Network Tunnel mode. In tunnel mode, IPsec protects the entire original packet, header and payload, and adds a new outer IP header. Tunnel mode is most useful for communication between two networks over an untrusted network, such as the Internet, or when a VPN gateway is incompatible with L2TP or Point-to-Point Tunneling Protocol (PPTP).
The major benefit of IPsec is that it protects any protocol carried over IP, that is, everything at OSI layer 3 (the network layer) and above, without the applications themselves needing to be changed. IPsec provides the following:
• Network-level peer authentication. Provides mutual authentication before and during communication: both parties must prove their identity before a security association is established.
• Data origin authentication. Each protected packet carries an integrity check value computed with the negotiated key, so the receiver can verify that the packet was sent by the authenticated peer. In tunnel mode, a new outer IP header carrying the addresses of the tunnel endpoints is added, and the original packet is protected as a whole.
• Data integrity. Ensures the integrity of IP traffic by rejecting modified packets. If a packet is changed in transit, the integrity check value no longer matches and the packet is discarded.
• Data confidentiality. Provides confidentiality by encrypting the IP payload (with ESP), combined with the per-packet authentication described above.
• Protection from replay attacks. IPsec uses sequence numbers to ensure that an attacker cannot reuse or replay captured packets to establish a session or gain information. The sequence numbers also protect against an attacker who intercepts a message and then resends the identical message later in an attempt to access resources.
More information about IPsec can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=154531
Implementing IPsec
Some network environments are well suited to IPsec as a security solution, while others are not. The following are situations where implementing IPsec can add value:
• Packet filtering: Packet filtering is the allowing or blocking of specific types of IP traffic. You can permit or block inbound or outbound traffic by using IPsec together with the Network Address Translation (NAT) component of the Remote Access Service.
• Securing host-to-host traffic on specific paths: You can use IPsec to protect traffic between servers or other static IP addresses or subnets. For example, IPsec can secure traffic between domain controllers in different sites, or between web servers and database servers.
• Securing traffic to servers: You can require IPsec protection for all client computers that access a server. Additionally, you can restrict which computers can connect to a server that is running Windows Server 2012.
• Layer 2 Tunneling Protocol (L2TP)/IPsec for VPN connections: You can use the combination of L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require that you configure and deploy IPsec policies, because the VPN components negotiate IPsec themselves.
• Site-to-site (gateway-to-gateway) tunneling: You can use IPsec in tunnel mode for site-to-site (gateway-to-gateway) tunnels when you need interoperability with third-party routers, gateways, or end systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.
• Enforcing logical networks (server/domain isolation): In a Microsoft Windows-based network, you can isolate server and domain resources logically to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network in which computers share common requirements for secure communications. To establish connectivity, each computer in this logically isolated network must provide authentication credentials to the other computers. This isolation prevents unauthorized computers and programs from gaining inappropriate access to resources; requests from computers that are not part of the isolated network are ignored. Server and domain isolation can help protect specific high-value servers and data, and protect managed computers from unmanaged or rogue computers and users.
You can protect a network with two types of isolation:
• Server isolation: To isolate a server, you configure specific servers to require, through IPsec policy, that communications from other computers be authenticated. For example, you might configure the database server to accept connections from the web application server only.
• Domain isolation: To isolate a domain, you use Active Directory domain membership to ensure that computers that are domain members accept only authenticated and secured communications from other domain-member computers. The isolated network consists only of that domain's member computers, and domain isolation uses IPsec policy to protect traffic that is sent between domain members, including all client and server computers.
Note: IPsec policy filters identify the endpoints of a secured connection by IP address, so a server referenced in an IPsec policy filter usually needs a static IP address. In large deployments, and in some mobile-user scenarios, dynamic IP addresses at both ends of the connection increase the complexity of IPsec policy design.
IPsec Uses That Need Additional Consideration
IPsec can reduce processing performance and increase network bandwidth consumption. Additionally, IPsec policies can be complex to configure and manage. Finally, the use of IPsec can introduce application compatibility issues. For these reasons, we do not recommend IPsec for the following uses:
• Securing communication between domain members and their domain controllers. This reduces network performance. Additionally, we do not recommend IPsec for this scenario because the required IPsec policy configuration and management is complex.
• Securing all network traffic. This reduces network performance, and we do not recommend IPsec for this scenario for the following reasons:
o IPsec cannot negotiate security for multicast and broadcast traffic.
o Traffic from real-time communications, applications that require Internet Control Message Protocol (ICMP), and peer-to-peer applications might be incompatible with IPsec.
o Network management functions that must inspect the TCP, UDP, and other protocol headers are less effective or cannot function at all because of IPsec encapsulation or IP payload encryption.
Additionally, the IPsec protocol and its implementation have characteristics that require special consideration when you perform the following tasks:
• Protecting traffic over wireless 802.11 networks: You can use IPsec transport mode to protect traffic that is sent over 802.11 networks. However, IPsec is not recommended as the means of securing corporate 802.11 wireless local area networks (LANs). Instead, use 802.11 WPA2 or WPA encryption with Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. IPsec support, configuration management, and trust relationships are required on client computers and servers, and because many computers on a network do not support IPsec or are not managed, it is not appropriate to use IPsec alone to protect all 802.11 corporate wireless LAN traffic. Additionally, IPsec tunnel mode policies are not optimized for mobile clients with dynamic IP addresses, and IPsec tunnel mode does not support dynamic address assignment or user authentication, both of which are needed for remote-access virtual private network (VPN) scenarios.
• Using IPsec in tunnel mode for remote access VPN connections: We do not recommend that you use IPsec in tunnel mode for remote access VPN scenarios with Windows-based VPN clients and servers. Instead, use L2TP/IPsec or PPTP. Be aware that PPTP's MS-CHAP v2 authentication and MPPE encryption are considered weak; where the clients support it, prefer L2TP/IPsec, SSTP, or IKEv2, all of which Windows Server 2012 Routing and Remote Access supports.
Connection Security Rules
In earlier Windows versions, managing IPsec policies and managing Windows Firewall were two separate processes that used different management tools. Beginning with Windows Server 2008, and still the case in Windows Server 2012, you can manage both IPsec and Windows Firewall policies and rules through a single interface and a single set of command-line utilities.
IPsec Integration with Windows Firewall
The advantage of combining IPsec and Windows Firewall is that you avoid overlapping and possibly conflicting rules and policies, and you streamline the process of securing your computer against unauthorized access.
You can configure IPsec with connection security rules in Windows Firewall with Advanced Security. With these rules, you can associate IPsec rules with Windows Firewall network profiles.
Firewall rules allow traffic through the firewall, but do not secure that traffic. To help secure traffic with IPsec, you create connection security rules. However, creating a connection security rule does not by itself allow the traffic through Windows Firewall; you must also create a firewall rule if the traffic is not allowed by the firewall's default behavior. Connection security rules are not applied to programs and services. They are applied between the computers that make up the two endpoints.
What Are Connection Security Rules?
A connection security rule forces authentication between two peer computers before they can establish a connection and exchange data. Windows Firewall with Advanced Security uses IPsec to enforce these rules. Use connection security rules to configure IPsec settings for specific connections between computers. Windows Firewall with Advanced Security uses these rules to evaluate network traffic, and then blocks or allows messages based on the criteria that you establish in the rules. In some circumstances, Windows Firewall with Advanced Security blocks the communication: if you configure settings that require security for a connection (in either direction) and the two computers cannot authenticate, the connection is blocked. The configurable connection security rule types are as follows:
• Isolation. An isolation rule isolates computers by restricting connections based on credentials such as domain membership or health status. You can use isolation rules to implement an isolation strategy for servers or domains.
• Authentication exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group such as the default gateway.
• Server to Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected, and then you designate the requirements and the authentication method you want to use.
• Tunnel. A tunnel rule lets you protect connections between gateway computers. You typically use it when you connect across the Internet between two security gateways. You must specify the tunnel endpoints by IP address, and then specify the authentication method that is used.
• Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rule types available in the New Connection Security Rule wizard.
Connection Security Rules Settings
When you enable and configure a connection security rule, you must define the following properties:
• Requirements. You can select whether the rule requests authentication for inbound and outbound connections, requires authentication for inbound connections and requests it for outbound connections, or requires authentication for both inbound and outbound connections.
• Authentication methods. You can select between several authentication methods. The options in the New Connection Security Rule wizard are as follows:
o Default. Uses the authentication method specified in the IPsec settings.
o Computer and User (Kerberos V5). Restricts communications to connections from domain-joined users and computers.
o Computer (Kerberos V5). Restricts communications to connections from domain-joined computers.
o Advanced. Specifies custom first and second authentication methods, such as computer certificates or a preshared key.
• Profile. Associate the rule with the appropriate network profile. You can select one or more of the following: domain, private, or public.
• Exempt computers. For authentication exemption rules only, define the exempt computers by IP address, IP address range, or IP subnet.
• Endpoints. For server-to-server rules only, define the IP addresses affected by the rule.
• Tunnel endpoints. For tunnel rules only, define the tunnel endpoints affected by the rule.
Note: Connection security rules and IP Security policies (the older IPsec policy model) are different. An IPsec policy filter can match traffic down to a specific port. Isolation, authentication exemption, server-to-server, and tunnel connection security rules apply between the two computers for all traffic between them, not for specific kinds of traffic; only a custom connection security rule (or New-NetIPsecRule with its -Protocol, -LocalPort, and -RemotePort parameters) can be limited to a particular protocol or port.
Managing IPsec
There are several ways to manage and configure Windows Firewall and IPsec settings and options.
Windows Firewall with Advanced Security
The Windows Firewall with Advanced Security snap-in enables you to configure firewall settings and connection security (IPsec) settings in one interface. You also can view the currently applied policy, rules, and other information in the Monitoring node.
IP Security Policy MMC snap-in
This MMC snap-in enables you to configure IPsec policies that apply to computers running earlier Windows versions as well as to computers running the current version of Windows. It is useful in environments where computers running these Windows versions coexist. You cannot use this snap-in to configure Windows Firewall with Advanced Security settings.
Windows PowerShell
You can enable and configure IPsec with Windows PowerShell cmdlets from the NetSecurity module. These include the cmdlets described in the following list:
• Get-NetIPsecRule. Gets IPsec rules from the target computer.
• Show-NetIPsecRule. Displays all of the existing IPsec rules and their associated objects in a fully expanded view.
• New-NetIPsecRule. Creates an IPsec rule that defines security requirements for network connections matching specific criteria.
• Get-Help *IPsec*. Lists all cmdlets that have IPsec in their name.
Note: The Netsh command-line tool (netsh advfirewall) can also configure and manage IPsec. However, it has largely been replaced by Windows PowerShell in Windows Server 2012.
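The connection security rule settings described earlier (Requirements, Authentication method, Profile, Exempt computers) map directly onto the NetSecurity cmdlets above. The following added example, which is not part of the course, builds a small domain-isolation policy on a member server: an authentication exemption for the domain controllers, an isolation rule that authenticates computers with Kerberos, and a firewall rule that admits Remote Desktop only over an authenticated connection. The domain controller addresses are an assumption.

```powershell
# Added example (not from the course): a domain-isolation policy built from the
# connection security rule settings above. The domain controller addresses are
# assumed; run this on a domain member, not on a domain controller.
Import-Module NetSecurity

$dcAddresses = '10.0.0.10', '10.0.0.11'   # assumption: the domain controllers

# Authentication method "Computer (Kerberos V5)": a phase 1 authentication set
# holding one Kerberos machine proposal.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation Phase1 (Kerberos)' -Proposal $kerb

# 1. Authentication exemption for the domain controllers. Kerberos tickets come
#    from the DC, so a member must be able to reach it before it can authenticate.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -RemoteAddress $dcAddresses `
    -InboundSecurity None -OutboundSecurity None `
    -Profile Domain | Out-Null

# 2. Isolation rule. Requirements: require inbound authentication, request it
#    outbound, so the member still reaches hosts that have no IPsec policy while
#    refusing unauthenticated peers that try to reach it.
New-NetIPsecRule -DisplayName 'Domain Isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name `
    -Mode Transport -Profile Domain | Out-Null

# 3. Firewall rules still decide what is allowed: RDP only over a connection the
#    isolation rule authenticated ("Allow the connection if it is secure").
New-NetFirewallRule -DisplayName 'RDP from authenticated domain computers' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Allow -Authentication Required -Profile Domain | Out-Null

# Read the policy back, then (once a peer has connected) the negotiated SAs.
Get-NetIPsecRule -DisplayName 'Exempt domain controllers', 'Domain Isolation' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Mode, Enabled -AutoSize
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
```

Roll this out in two stages: deploy the isolation rule with -InboundSecurity Request first, confirm that Get-NetIPsecMainModeSA shows associations with the peers you expect, and only then raise it to Require. The exemption must exist before the Require setting takes effect, or the member loses the path to its domain controller that Kerberos needs. For the whole domain, give the same cmdlets -PolicyStore with the GPO name instead of writing to the local store.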
Demonstration: Create a Server to Server Connection Security Rule
In this demonstration, you will see how to create a server-to-server connection security rule.
Demonstration Steps
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username ADATUM\Administrator and password Pa$$w0rd.
2. Enable ICMPv4 traffic on 10967A-LON-DC1.
3. Create a Server to Server Connection Security Rule on 10967A-LON-DC1.
4. Create a Server to Server Connection Security Rule on 10967A-LON-SVR1.
5. Verify the Server to Server Connection Security Rule.
Lab: Implementing Network Security
Scenario
Ed Meadows wants to make the Intranet web site available for project queries. He has asked you to test the configuration and to create firewall rules so that access can be granted and blocked when needed. He has supplied the requirements in an email message. You must read the requirements and then implement them on a client computer.

Subject: Improving network security
From: Ed Meadows [[email protected]]
Sent: June 18
To: [email protected]

Charlotte,
We have an urgent need to get the Intranet web site online to staff. I’d like you to test making it available, but I have some concerns about network security and I’d like to make sure we can block access quickly and easily whenever we need. Can you test making the web site available and create firewall rules to allow and block access to it so we can control it if need be? Also, we may host the web server content in remote offices, and I have some general concerns about accessing the web site over our network due to the sensitive nature of the data that will be transmitted over the network. I’d like to check out using IPsec to make sure we have secure connections between the web servers if we do need to have another server made available. Can you test these scenarios out and check if we can make the web site and any server-to-server connections secure?
Thanks
Ed
Objectives
After completing this lab, you will be able to:
• Create a firewall rule to allow access to the World Wide Web service
• Create a server-to-server connection security rule
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1 and 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: ADATUM
5. Repeat these steps for 10967A-LON-SVR1 and 10967A-LON-CL1.
Exercise 1: Configuring Windows Firewall with Advanced Security
Scenario
You must implement a firewall rule that allows access to the World Wide Web Service, and then ensure that you can block access to the same World Wide Web Service on the A. Datum network. The main tasks for this exercise are as follows:
1. Turn off website caching and verify connectivity to the World Wide Web service
2. Configure a new firewall rule to block access to the World Wide Web service
3. Test World Wide Web service access
4. Allow access to the World Wide Web service
5. Verify that World Wide Web access has been restored
Task 1: Turn off website caching and verify connectivity to the World Wide Web service
1. Ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Turn off website caching in Internet Options.
3. Attempt to connect to the web site http://LON-DC1/Intranet
4. Are you able to connect?
Task 2: Configure a new firewall rule to block access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Open the Windows Firewall with Advanced Security management console.
3. Create a new Inbound Rule.
4. Find the predefined rule group that controls access to the World Wide Web Services for HTTP, and select Block the connection as the action for the rule.
5. Once the rule is created, verify that its settings are as you intended.
Task 3: Test World Wide Web service access
1. Switch virtual machines and ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Attempt to connect to the web site http://LON-DC1/Intranet
3. Are you able to connect?
Task 4: Allow access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Windows Firewall with Advanced Security, locate the World Wide Web Services inbound rule that you configured earlier and change the Action to Allow the connection.
Task 5: Verify that World Wide Web access has been restored
1. Switch virtual machines again and ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer and in the address bar type http://LON-DC1/Intranet
3. Are you able to connect?
Results: After this exercise, you should have created and tested an inbound firewall rule to control access to the world wide web service.
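The workflow of Exercise 1 and of the inbound-traffic demonstration earlier in the module (create a rule, test, change or disable it, test again) can be scripted. The following is an added example, not part of the course: it runs on LON-CL1, manages the firewall on LON-DC1 over a CIM session (WinRM, enabled by default on Windows Server 2012) and performs the tests from the client, where the lab performs them. Instead of a predefined-type rule it creates an explicit block rule for the W3SVC service, which has the same effect because block rules take precedence over allow rules, and then flips that rule to Allow as Task 4 does. Computer names and the URL are the lab's; the rule names are assumptions.

```powershell
# Added example (not from the course): Exercise 1 and the inbound-traffic
# demonstration as one script run from LON-CL1. Rules on LON-DC1 are managed
# over a CIM session; the HTTP and ping tests are made from the client.
Import-Module NetSecurity

$server = 'LON-DC1'
$url    = "http://$server/Intranet"
$dc     = New-CimSession -ComputerName $server

function Test-Http([string]$Uri) {
    # $true when the site answers; a blocked port times out or is refused.
    try   { (Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 5).StatusCode -eq 200 }
    catch { $false }
}

$results = [ordered]@{}
$results['HTTP before any rule'] = Test-Http $url

# Exercise 1, task 2: a Block rule for the World Wide Web service. A block rule
# always wins over the allow rule IIS registered, so the site goes dark.
New-NetFirewallRule -CimSession $dc -DisplayName 'Intranet HTTP (lab)' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Service W3SVC `
    -Action Block -Profile Any | Out-Null
$results['HTTP with block rule'] = Test-Http $url

# Task 4: flip the same rule to Allow rather than deleting it, so access can be
# cut again later by flipping it back.
Set-NetFirewallRule -CimSession $dc -DisplayName 'Intranet HTTP (lab)' -Action Allow
$results['HTTP after Allow'] = Test-Http $url

# The lesson demonstration: block ICMPv4 echo requests, test, then disable the rule.
New-NetFirewallRule -CimSession $dc -DisplayName 'Block ICMPv4 (demo)' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Block -Profile Any | Out-Null
$results['Ping with block rule'] = Test-Connection -ComputerName $server -Count 2 -Quiet
Disable-NetFirewallRule -CimSession $dc -DisplayName 'Block ICMPv4 (demo)'
$results['Ping after disable'] = Test-Connection -ComputerName $server -Count 2 -Quiet

# Confirm the rules read back as intended (task 2, step 5).
Get-NetFirewallRule -CimSession $dc -DisplayName '*(lab)', '*(demo)' |
    Format-Table DisplayName, Enabled, Action, Direction -AutoSize
$results
```

Invoke-WebRequest with -UseBasicParsing does not depend on Internet Explorer, so the caching step of Task 1 is unnecessary here; each call opens a new TCP connection and is therefore subject to the rule in force at that moment.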
Exercise 2: Create a Server to Server Connection Security Rule
Scenario
As per the email you received from Ed Meadows at the start of the lab, reproduced here, you need to test creating a server-to-server connection security rule to ensure the integrity of data transmitted between two web servers.

Charlotte,
We have an urgent need to get the Intranet web site online to staff. I’d like you to test making it available, but I have some concerns about network security and I’d like to make sure we can block access quickly and easily whenever we need. Can you test making the web site available and create firewall rules to allow and block access to it so we can control it if need be? Also, we may host the web server content in remote offices, and I have some general concerns about accessing the web site over our network due to the sensitive nature of the data that will be transmitted over the network. I’d like to check out using IPsec to make sure we have secure connections between the web servers if we do need to have another server made available. Can you test these scenarios out and check if we can make the web site and any server-to-server connections secure?
Thanks
Ed

The main tasks for this exercise are as follows:
1. Enable ICMPv4 traffic
2. Create a Server to Server Connection Security rule
3. Create a Server to Server Connection Security rule on a member server
4. Verify the Server to Server Connection Security rule
5. Revert the lab machines
Task 1: Enable ICMPv4 traffic
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username ADATUM\Administrator and password Pa$$w0rd.
2. In Windows Firewall with Advanced Security, create a new Inbound Rule with the following settings:
• Rule Type: Custom
• Program: All programs
• Protocols and Ports: ICMPv4
• Scope: Any IP Address for local and remote
• Action: Allow the connection if it is secure
• Users: Default
• Computers: Default
• Profile: Default
• Name: ICMPv4 allowed
Task 2: Create a Server to Server Connection Security rule
1. Still on 10967A-LON-DC1.
2. In the Windows Firewall with Advanced Security management console, create a Connection Security Rule with the following settings:
• Rule Type: Server-to-server
• Endpoints: Default
• Requirements: Request authentication for inbound and outbound connections
• Authentication Method: Advanced > Customize…
• First Authentication method: Preshared key (not recommended) and type the word secret. Click OK, and then click OK again.
• Profile: Default
• Name: A. Datum Server-to-Server
Task 3: Create a Server to Server Connection Security rule on a member server
1. Switch to 10967A-LON-SVR1 and ensure you are logged on as ADATUM\Administrator with password Pa$$w0rd.
2. In the Windows Firewall with Advanced Security management console, create a Connection Security Rule with the following settings:
• Rule Type: Server-to-server
• Endpoints: Default
• Requirements: Request authentication for inbound and outbound connections
• Authentication Method: Advanced > Customize…
• First Authentication method: Preshared key (not recommended) and type the word secret. Click OK, and then click OK again.
• Profile: Default
• Name: A. Datum Server-to-Server
Task 4: Verify the Server to Server Connection Security rule
1. Still on 10967A-LON-SVR1
2. Open a Command Prompt with administrative privileges
3. Ping the LON-DC1 virtual machine
4. In Windows Firewall with Advanced Security, under Monitoring, view the contents of the Security Associations\Main Mode and Quick Mode folders
5. Verify that the data present (remote address, authentication method, rule name) matches what you configured earlier.
Task 5: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.

Results: After completing this exercise you will have created a server to server connection security rule and validated the secure nature of the communication between the two servers.

Question: If you wanted to make sure that only domain computers could communicate with other domain computers, how could you easily achieve this with Windows Firewall?
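The same lab (Tasks 1 to 4) can be driven from the NetSecurity module instead of the MMC console. The following script is an added example and is not part of the 10967A courseware; it uses the lab's rule names and pre-shared key, and the variable $PeerName is an assumption of the example. Run it in an elevated PowerShell session on each of the two servers.

```powershell
# Added example, not part of the 10967A courseware: Lab Tasks 1 to 4 done with the
# NetSecurity module instead of the MMC console. Run elevated on LON-DC1 and on
# LON-SVR1. Rule names and the pre-shared key 'secret' are the lab's values;
# $PeerName is an assumed variable.
$PeerName = 'LON-DC1'   # set to 'LON-SVR1' when running on LON-DC1

# Task 1: inbound ICMPv4, allowed only over an IPsec-protected connection.
# -Authentication Required is the cmdlet form of "Allow the connection if it is secure".
New-NetFirewallRule -DisplayName 'ICMPv4 allowed' -Direction Inbound `
    -Protocol ICMPv4 -Action Allow -Authentication Required -Profile Any

# Tasks 2 and 3: server-to-server connection security rule that requests (does
# not require) authentication in both directions, using a pre-shared key.
# The console flags PSK as "not recommended": the key sits in clear text in the
# policy and anyone holding it can pose as a peer, so it is for a lab only.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'secret'
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'A. Datum PSK' -Proposal $proposal

New-NetIPsecRule -DisplayName 'A. Datum Server-to-Server' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Any

# For the question above (only domain computers may talk to each other), swap
# the proposal for Kerberos machine authentication and use Require instead of
# Request, so unauthenticated peers are dropped rather than tolerated:
#   $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
#   New-NetIPsecRule ... -InboundSecurity Require -OutboundSecurity Require ...

# Task 4: generate traffic, then inspect the negotiated security associations.
# FirstAuthenticationMethod on the main mode SA should read PreSharedKey.
Test-Connection -ComputerName $PeerName -Count 2 | Out-Null
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint

# Roll back before reverting the VMs, if you want the rules gone:
#   Remove-NetIPsecRule   -DisplayName 'A. Datum Server-to-Server'
#   Remove-NetFirewallRule -DisplayName 'ICMPv4 allowed'
```

Because the ICMPv4 rule is "allow if secure", the ping in Task 4 succeeds only once main mode and quick mode SAs exist; an empty Get-NetIPsecMainModeSA after the ping means the two sides did not agree on the pre-shared key or the rule was created on one server only.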
Module Review and Takeaways

Best Practices:
• Implement firewalls.
• Publish services to your perimeter network.
• Secure network traffic and communication that is highly sensitive.
• Encrypt network communication.
• Segment the network.
• Require mutual authentication.

Review Question
Question: Why is it important to publish services to the perimeter instead of connecting servers directly to the Internet?
Tools

Tool: Ping.exe
Use for: Testing network connectivity
Where to find it: Command line

Tool: Windows Firewall with Advanced Security
Use for: Managing inbound, outbound, and IPsec rules
Where to find it: Server Manager

Tool: Group Policy Management Console
Use for: Configuring Advanced Firewall settings and applying them across the domain when used with Active Directory
Where to find it: Server Manager

Tool: Windows PowerShell
Use for: Configuring Advanced Firewall settings; only present in Windows Server 2012
Where to find it: NetSecurity module

Tool: Netsh
Use for: Configuring Advanced Firewall settings; present in Windows Server 2012 and pre-Windows Server 2012 versions
Where to find it: Command line tool
Module 11
Implementing Security Software

Contents:
Module Overview 11-1
Lesson 1: Client Software Protection Features 11-2
Lesson 2: Email Protection 11-9
Lesson 3: Server Protection 11-14
Lab: Implementing Security Software 11-21
Module Review and Takeaways 11-25
Module Overview
Computers are now more interconnected than ever. The Internet can be accessed from almost anywhere a user has a computer or device, and corporate networks can be reached from a user’s home through remote access. Communication among networks is continuous. Critical and private information is routinely sent by email, and the number of email messages that users receive continues to increase. Private corporate networks are now usually connected in some way to the public Internet, and much of the available server software requires, or at least recommends, Internet access. As connectivity increases, so does the risk of compromise to the computer or the connected network. Malicious code, unauthorized use, and data theft are all risks that an information technology (IT) administrator has to consider and reduce.

Objectives
After completing this module, you will be able to:
• Implement Windows Server® technologies and features that improve client security.
• Describe security threats posed by email and how to reduce these threats.
• Explain how to improve server security by using Windows Server security analysis and hardening tools.
Lesson 1
Client Software Protection Features
As client operating systems become more advanced and security threats increase, more features are being built into the operating system as a first line of defense. However, building defenses into the operating system is not meant to be the sole method that is used to help secure the client infrastructure. Client protection features provide additional methods to protect the client infrastructure. The Windows Server operating system has several built-in technologies to help you improve the security of your desktop infrastructure that is in constant communication with the network.
This lesson will introduce software restriction policies (SRPs) and AppLocker®, and explain how they can be used to improve the security and integrity of the client infrastructure.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe SRPs and how the policies are used.
• Describe AppLocker and how it is used.
• Describe the main differences between SRP and AppLocker.
• Configure AppLocker.
What Are Software Restriction Policies?

One of the primary security concerns for client computers is what applications are available on each computer. Users need applications in order to do their jobs. However, unnecessary or unwanted applications can be installed, either unintentionally or for malicious or non-business reasons. Introduced in the Windows Server 2003 and Windows® XP operating systems and still present in Windows Server 2012 and Windows 8, SRPs let an administrator identify and specify which applications are permitted to run on which client computers. The following operating systems are supported:
• Windows Server 2012
• Windows Server 2008 R2
• Windows Server 2008
• Windows Server 2003
• Windows 8
• Windows 7
• Windows Vista®
• Windows XP
SRP settings are configured and deployed to clients by using Group Policy; they are not configured or administered through Server Manager. If domain computers are not managed by Group Policy, they will not receive SRPs. Because SRP is integrated with Group Policy, its configuration can be targeted precisely, for example at specific groups of users or computers, or with different levels of functionality for each version of an operating system. SRP settings have two key components: Rules and Security Levels.

Rules
Rules determine how SRP responds to an application being run or installed. A rule can be based on one of the following criteria:
• Hash. A cryptographic fingerprint of a file, generated from the file contents by using a cryptographic hash algorithm. With this method software can be moved or renamed and still be identified. Hash rules are very effective but best suited to environments where there is not a lot of change: every updated binary has a new hash, so if there are regular software updates the effort required to maintain the rules can be significant.
• Certificate. A software publisher certificate that is used to digitally sign a file. This has less administrative overhead than a hash rule because you identify the signing certificate once, regardless of file version, so it is easier to configure. However, if software is not signed, handling those cases adds administrative overhead.
• Path. The local or Universal Naming Convention (UNC) path where the file is stored. A path rule does not prevent software from being renamed or copied elsewhere, and administrators must define all the directories from which software is run.
• Network Zone. Applicable only to Windows Installer packages. It identifies software based on the Internet zone from which it is downloaded, such as Internet, Local Computer, Local Intranet, Restricted Sites, and Trusted Sites.
Security Levels
Each SRP rule is assigned a security level that governs the way the operating system reacts when the application defined in the rule is executed. The three available security levels are as follows:
• Disallowed. The software identified in the rule will not run, regardless of the permissions of the user.
• Basic User. Enables the software identified in the rule to run as a standard, non-administrative user.
• Unrestricted. Enables the software identified in the rule to run unrestricted by SRP.
Default Security Level
A system’s behavior is generally determined by the Default Security Level, which governs how the operating system reacts to applications that no SRP rule matches. The following three points outline the default behavior for each Default Security Level:
• Disallowed. No applications will be able to run, regardless of the permissions of the user, unless an SRP rule is created that lets a specific application or set of applications run.
• Basic User. All applications will run under the context of a basic user, regardless of the permissions of the user who is logged on, unless an SRP rule is created to change this behavior for a specific application or set of applications.
• Unrestricted. Software access rights are determined by the access rights of the user. All applications will run as if SRP were not enabled, unless specifically defined by an SRP rule.

Based on these three components, there are two primary ways to use SRPs.
• If an administrator knows all of the software that should be able to run on clients, the Default Security Level can be set to Disallowed. Every application that should be able to run is then identified in an SRP rule that applies either the Basic User or Unrestricted security level to it, depending on the security requirements.
• If an administrator does not have a complete list of the software that should be able to run on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security requirements. Any applications that should not be able to run are then identified by SRP rules with a security level of Disallowed.
Software Restriction Policy settings are configured in the Group Policy Management Editor under Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies. Within the Software Restriction Policies settings you can also configure the following:
• Enforcement: sets whether rules apply to all software files or to all files except libraries (DLLs), whether they apply to all users or to all users except local administrators, and whether certificate rules are enforced.
• Designated File Types: defines what is considered executable code, such as .exe, .dll, and .vbs. You can add or remove file types as needed.
• Trusted Publishers: controls which users can select trusted publishers and which certificate revocation checks are performed during signature verification.
There are no dedicated Windows PowerShell® cmdlets available for SRP configuration and management.
Note: By default, software restriction policies are not enabled in Windows Server 2008 R2 or Windows Server 2012.
More information about software restriction policies in Windows Server 2012 can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309122
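Since SRP has no cmdlets, the practical way to verify what a client actually received is to read the policy that Group Policy writes to the registry. The script below is an added example and not part of the courseware; the key path, value names and level numbers follow the Safer API (the SAFER_LEVELID_* constants) and are an assumption of this script rather than something the course states.

```powershell
# Added example, not part of the 10967A courseware. Reads the SRP policy that
# Group Policy writes under the Safer registry key and reports the default level,
# designated file types and rules. Key path, value names and level numbers follow
# the Safer API and are this script's assumption.
$SaferKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }  # 0x0, 0x20000, 0x40000

function Get-SrpStatus {
    if (-not (Test-Path -Path $SaferKey)) {
        # No Safer key at all: SRP has never been configured here, which is the
        # default state the note above describes.
        return [pscustomobject]@{ Enabled = $false; DefaultLevel = 'Not configured'; ExecutableTypes = @(); Rules = @() }
    }
    $cfg   = Get-ItemProperty -Path $SaferKey
    $rules = foreach ($levelKey in Get-ChildItem -Path $SaferKey) {
        $levelId = $levelKey.PSChildName -as [int]
        if ($null -eq $levelId) { continue }            # not a security-level subkey
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
            if (-not (Test-Path -Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $kindPath) {
                $p    = Get-ItemProperty -Path $ruleKey.PSPath
                $item = $p.ItemData                        # path rules: the path string
                if ($kind -eq 'Hashes') {                  # hash rules: raw digest bytes, shown as hex
                    $item = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                [pscustomobject]@{
                    Level       = $LevelName[$levelId]
                    Type        = $kind.TrimEnd('s')
                    Item        = $item
                    Description = $p.Description
                }
            }
        }
    }
    $default = 'Not configured'
    if ($null -ne $cfg.DefaultLevel) { $default = $LevelName[[int]$cfg.DefaultLevel] }
    [pscustomobject]@{
        Enabled         = $null -ne $cfg.DefaultLevel
        DefaultLevel    = $default
        ExecutableTypes = @($cfg.ExecutableTypes)
        Rules           = @($rules)
    }
}

$status = Get-SrpStatus
$status | Select-Object Enabled, DefaultLevel, @{ n = 'FileTypes'; e = { $_.ExecutableTypes -join ',' } }
$status.Rules | Format-Table Level, Type, Item, Description -AutoSize
```

Run it on a client after gpupdate to confirm that the Default Security Level and the rule set you authored in the GPO are what the client enforces; a Disallowed default with an empty Rules list is the classic misconfiguration that locks users out of everything.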
What Is AppLocker?

AppLocker (introduced in the Windows 7 and Windows Server 2008 R2 operating systems and present in Windows Server 2012 and Windows 8) provides several improvements over SRP. AppLocker gives administrators many different methods for quickly and concisely determining which applications they want to restrict or allow. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX® controls from being installed. It can also reduce the total cost of ownership by making sure that workstations are standardized across the enterprise and that users are running only the software and applications that the enterprise approves. AppLocker can be used in many ways and for many reasons, such as the following:
• Your organization implements a policy to standardize the applications used within each business group. Therefore, you have to determine the expected usage compared to the actual usage.
• The security policy for application usage has changed, and you have to evaluate where and when those deployed applications are being accessed. In this scenario you would not restrict usage but audit it by using AppLocker rules.
• Your organization's security policy dictates the use of only licensed software. Therefore, you have to determine which applications are not licensed or prevent unauthorized users from running licensed software.
• Some computers in your organization are shared by people who have different software usage needs.
With AppLocker, administrators create a set of rules and then apply those rules to applications. There are five rule collections:
• Executable Rules: apply to .exe and .com files
• Windows Installer Rules: apply to .msi, .msp and .mst files
• Script Rules: apply to .ps1, .bat, .cmd, .vbs, and .js files
• Packaged app Rules: apply to .appx files
• DLL Rules: apply to .dll and .ocx files
Each rule identifies files by publisher, path, or file hash. Publisher rules are based on attributes taken from the file’s digital signature: publisher, product name, file name, and file version.
Note: Packaged app and packaged app installer rules apply to applications obtained from the Windows Store, so this rule collection is available only on Windows 8 and Windows Server 2012. The DLL rule collection is not visible in the Group Policy Management Editor by default; it must be enabled on the Advanced tab of the AppLocker Properties dialog.

Rule Behavior
Rules can be configured with an Allow or Deny action:
• Allow. You specify which files can run and for which users or groups. You can also configure exceptions that are excluded from the rule.
• Deny. You specify which files are not allowed to run and for which users or groups. Again, you can also configure exceptions that are excluded from the rule.
Enforcement Modes
• Not Configured. This is the default setting and means the rules will be enforced unless a linked Group Policy Object (GPO) with higher precedence has a different value for the setting.
• Enforce. The rules will be enforced.
• Audit Only. The rules will not be enforced, but they will be audited and events written to the AppLocker event log. This can be used to pre-stage and verify your settings before enforcement.
A general process for applying AppLocker rules should be to Implement the rules in audit-only mode, verify the results, and then enforce them.
Note: By default, AppLocker is not enabled in Windows Server 2008 R2 or Windows Server 2012.
AppLocker can be configured and managed in a domain environment by using the Group Policy Management Editor: expand Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
AppLocker can also be managed in a domain environment, locally or remotely, by using Windows PowerShell. Here are some of the available Windows PowerShell cmdlets and brief descriptions of their use.

Cmdlet: Get-AppLockerFileInformation
Functionality: Displays the file information that you need to create AppLocker rules

Cmdlet: Set-AppLockerPolicy
Functionality: Sets the AppLocker policy for specified GPOs

Cmdlet: Test-AppLockerPolicy
Functionality: Determines whether files will be able to run for a given user

Cmdlet: Get-Command *applocker*
Functionality: Returns the AppLocker cmdlets

More information about Windows PowerShell AppLocker cmdlets can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309123
More information about AppLocker policy deployment can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309124
SRP vs. AppLocker

For backward compatibility, SRPs are included in the latest Windows Server operating systems. Starting with Windows Server 2008 R2 and Windows 7, AppLocker is the recommended tool for application control. AppLocker provides a simpler and more streamlined implementation and interface than SRP. It gives more control and flexibility when creating and implementing rules, and it has Windows PowerShell support.

AppLocker Benefits vs. SRP
When SRPs were implemented on older Windows versions, it was especially difficult to create policies that were secure and remained functional after software updates were applied. This was due to the lack of specificity of certificate rules and the fragility of hash rules, which became invalid as soon as an application binary was updated. To address this, AppLocker lets you create a rule that combines a certificate with a product name, file name, and file version. This makes it simple to specify that anything signed by a particular vendor for a specific product can run. With certificate rules in SRP you can trust all software signed by a specific publisher; AppLocker gives you much more flexibility, because a publisher rule can trust the publisher and then drill down to the product level, the executable level, and even the version.
In SRP, you can create a rule that effectively reads “Trust all content signed by Microsoft.” With AppLocker, you can refine the rule to specify “Trust the Microsoft® Office 2007 Suite if it is signed by Microsoft and the version is greater than 12.0.0.0.” The new features and improvements of AppLocker over SRP can be summarized as follows:
• The ability to define rules based on attributes derived from a file’s digital signature: publisher, product name, file name, and file version. SRP supports certificate rules, but they are less specific and more difficult to define.
• A more intuitive enforcement model: only a file that is allowed by an AppLocker rule can run.
• A user interface that is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Group Policy Management Console (GPMC) snap-in.
• An audit-only enforcement mode that lets administrators determine which files would be prevented from running if the policy were in effect.
The following table outlines other key differences between AppLocker and SRPs.

Feature | SRP | AppLocker
Rule scope | Specific user or group (per GPO) | Specific users or groups (per rule)
Rule conditions provided | File hash, path, certificate, registry path, Internet zone | File hash, path, publisher
Rule types provided | Allow and Deny | Allow and Deny
Default rule action | Unrestricted | Implicit Deny
Audit-only mode | No | Yes
Wizard to create multiple rules at one time | No | Yes
Policy import or export | No | Yes
Rule collection | No | Yes
Windows PowerShell support | No | Yes
Custom error messages | No | Yes
Implementing AppLocker and SRPs
Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems could only use SRP rules. Windows Server 2008 R2 and Windows 7 can apply SRP or AppLocker rules, but not both at the same time, which lets you upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules that are defined in Group Policy. However, if a computer running Windows Server 2008 R2 or Windows 7 has both AppLocker and SRP rules applied through Group Policy, only the AppLocker rules are enforced and the SRP rules are ignored.

When you add a single AppLocker rule, all processing of SRP rules stops. Therefore, if you are replacing SRP rules with AppLocker rules, you must implement all the AppLocker rules that you need at one time. If you implement the AppLocker rules incrementally, you will lose the functionality provided by SRP rules that have not yet been replaced with corresponding AppLocker rules. Another key capability introduced with AppLocker in Windows Server 2012 and Windows 8 is the ability to manage policies for Windows Store apps, that is, packaged apps and packaged app installers.

Note: SRP remains the standard method to restrict software usage in versions of Windows prior to Windows Server 2008 R2 and Windows 7.
Demonstration: Create and Enforce an AppLocker Rule

In this demonstration, you will see how to configure AppLocker and restrict users from running WordPad on their computers.

Demonstration Steps
1. Create a Group Policy Object named Word Pad Restriction Policy
2. Edit the Word Pad Restriction Policy GPO to create an AppLocker rule that denies access to WordPad.
3. Enforce Executable Rules
4. Set the Application Identity service to start automatically
5. Link the Word Pad Restriction Policy GPO to the Adatum.com domain.
6. Test the AppLocker rule.

Question: How could the AppLocker rule that you created be changed to make sure that WordPad could not be run from any location on the client computers?
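The demonstration steps above, and the cmdlet table before them, can be combined into one script. This is an added example and not part of the 10967A courseware. It assumes WordPad's usual location, a C:\Temp working folder, that the Publisher object returned by Get-AppLockerFileInformation exposes PublisherName, ProductName and BinaryName, and that the GPO LDAP path is taken from Get-GPO; run it elevated on LON-DC1. Because New-AppLockerPolicy only generates Allow rules, the Deny rule is written in AppLocker's XML schema directly, which also answers the question above: a publisher rule with a wildcard version range follows the signed binary wherever it is copied, unlike a path rule.

```powershell
# Added example, not part of the 10967A courseware: the WordPad demonstration
# done with the AppLocker cmdlets. Assumptions: WordPad at the path below, the
# policy file under C:\Temp, Publisher property names on the
# Get-AppLockerFileInformation result, and a GPO path taken from Get-GPO.
$WordPad    = "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"   # assumed location
$PolicyFile = 'C:\Temp\WordPadRestriction.xml'

# Builds an Exe rule collection: one Deny publisher rule for $FilePath plus the
# three default Allow rules, so the collection's implicit deny does not block
# everything else. Deny beats Allow in AppLocker, so WordPad stays blocked even
# though %PROGRAMFILES%\* is allowed. -Mode is AuditOnly or Enabled.
function New-DenyPublisherPolicy {
    param([string]$FilePath, [string]$RuleName, [string]$Mode = 'AuditOnly')
    $pub = (Get-AppLockerFileInformation -Path $FilePath).Publisher
    if (-not $pub) { throw "$FilePath is not signed; a publisher rule needs a signed file." }
    $x = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }   # XML attribute escaping
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$RuleName" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $x $pub.PublisherName)" ProductName="$(& $x $pub.ProductName)" BinaryName="$(& $x $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

New-Item -ItemType Directory -Path (Split-Path -Path $PolicyFile) -Force | Out-Null

# Steps 2 and 3: author the rule in audit mode first; switch -Mode to 'Enabled' to enforce.
New-DenyPublisherPolicy -FilePath $WordPad -RuleName 'Deny WordPad' -Mode 'AuditOnly' |
    Set-Content -Path $PolicyFile -Encoding UTF8

# Step 6 as a dry run: WordPad should report Denied, Notepad Allowed (Windows folder rule).
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $WordPad, "$env:windir\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Step 4: nothing is enforced until the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Step 5: apply. Without -Ldap this sets the local policy; for the GPO add
#   -Ldap "LDAP://LON-DC1.adatum.com/$((Get-GPO -Name 'Word Pad Restriction Policy').Path)"
Set-AppLockerPolicy -XmlPolicy $PolicyFile
```

Leave the collection in AuditOnly until the AppLocker event log on a test client shows only the expected 8003 (would have been blocked) entries, then regenerate with -Mode 'Enabled'; a Deny publisher rule authored this way is the answer to the review question, because it matches the signed WordPad binary regardless of the folder it is launched from.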
Lesson 2
Email Protection
One of the major threats today is the introduction of malicious code into a corporate network. Malicious code can be very damaging to the corporate network. Creators of malicious code are becoming increasingly inventive in finding new ways to introduce this code into an environment. One of the most common and effective methods of distributing malicious code into an environment is through email. Because of its widespread use and the intrinsic trust of the delivery mechanism, email messages carrying some form of malicious code continue to be a problem for IT administrators.
This lesson will introduce you to various methods for reducing the threat of unsafe email activity in several different areas in a corporate network environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe common email threats.
• Describe the possible server solutions to these threats.
• Describe possible client-based solutions.
Common Email Security Threats

A large proportion of today’s email is unwanted or unsolicited. Even as email filtering systems become more intelligent in the way they analyze and block these messages, the senders of illegitimate email keep finding new ways to bypass the protection. The most common email threats are described here.

Spam
Spam is unsolicited email that arrives in your Inbox, typically sent as part of a bulk junk email operation. Email addresses are harvested in various ways, usually by extracting them from Internet forums and webpages. The addresses are then used to push goods and services that may or may not be legitimate. Spammers frequently dress the message up to look more legitimate than it actually is, and viruses are sometimes carried in spam email.

Phishing
One form of spam is phishing, an attempt to collect sensitive information from a user. The most common form of phishing diverts the user to a falsified website that harvests security credentials and bank details. Phishing attacks have increased over the years, because phishing yields reusable information without having to keep spamming the user to buy goods or services. Windows Server, Windows client, and Windows Internet Explorer® include a phishing filter that checks against known falsified websites that try to collect information from unsuspecting users.
Spoofing
Spoofing is another common threat in which the sender masks or hides their identity to appear as someone else. Spoofing can impersonate an email sender, an IP connection, or a domain. In email, spoofing makes a message seem to originate from a sender other than the actual sender of the message.

Viruses
A virus is malicious code that copies itself and spreads in some way, shape, or form. Usually it sends itself out in spam or takes control of other computers and tries to infect them too. The term virus has become a catch-all: originally it referred to code written for no reason other than to exploit other code, but it now covers malware, adware, spyware, and any third-party program that infects devices. Many viruses perform malicious activity on an infected computer, such as data theft or disabling required applications.

Within and across these definitions are variations and blended attacks that ultimately try to take control of some aspect of the computer environment, and a range of new and changing terminology classifies them, such as bot networks, logic bombs, salami attacks, Trojan horses, and many others. There are many ways to gain access to your system and network, such as messages that suggest that you open an attached PDF or compressed file. Those attachments then take advantage of vulnerabilities in installed applications, scripting, or the user’s elevated rights to change the system.

Also, in modern environments with widespread use of social networking and apps, attackers try to exploit vulnerabilities in apps or social networking sites to gather and exploit information about individuals or their systems. Generally, IT administrators have to be aware of the various channels through which attacks can come, educate end users, and take appropriate precautions.
Server-Side Solutions

To protect against the various levels of threat that exist within an email infrastructure, several methods and layers of protection are required to keep email-based attacks at an acceptable level. In a server environment, several general methods combine to decrease the threat of unwanted email or email server activity.

Content Filtering
Content filtering is a method frequently used to identify spam. Typically, either software installed on a server or a dedicated device intercepts email going to (most commonly) or from the email server. The contents of each message are checked against an existing database or catalog of known spam-related terms or patterns. Messages that appear to be spam are either deleted or sent to a quarantine area, which prevents them from reaching their intended destination.

Sender and Recipient Filtering
Similar to content filtering, sender and recipient filtering selectively filters incoming or outgoing email messages. However, with sender and recipient filtering, the filtering process depends on a fairly static database of senders and recipients that can be filtered. There are two kinds of sender and recipient filtering.
• Blocklist filtering. Blocklist filtering identifies email addresses that are known to be associated with unwanted activity. Email messages coming from blocklisted addresses are filtered and removed.
• Allowlist filtering. Allowlist filtering works in reverse: email addresses contained in the allowlist database are identified as valid addresses. Allowlist filtering is most frequently used together with content filtering to prevent messages from valid senders being incorrectly identified as spam.

IP Block/Allow Lists
Using IP addresses is another way to identify the source of email messages. Email servers can be configured to check against a database of IP addresses that are either known to be valid or flagged as sources of spam-related activity. As with email address filtering, IP-based blocklists and allowlists are frequently used together with more sophisticated content filtering to decrease the occurrence of false positives.

DNS Reverse Lookup
Another protection is reverse Domain Name System (DNS) lookup. When a message claiming to be from @adatum.com arrives, one of the first things most email servers do is a reverse DNS lookup on the IP address of the server that delivered it, checking for a DNS pointer (PTR) record that maps the address back to a host name. This helps confirm that the message comes from a properly registered mail server rather than an arbitrary host. If the sending address has no PTR record, the message is discarded.

Sender Policy Framework (SPF) records help prevent sender address forgery. SPF puts the onus on the sending organization to publish in DNS the IP addresses or host names of all mail servers that may send email for the organization’s domain. Receiving email servers check the SPF record of the sender’s domain and accept email only from the authorized servers.

Forefront Online Protection for Exchange (FOPE)
Microsoft Forefront® Online Protection for Exchange (FOPE) is a cloud-based service that protects Microsoft Exchange Server servers’ incoming and outgoing email from spam, viruses, phishing scams, and email policy violations. Although it is a cloud-based service, it can be integrated into on-premises Exchange deployments or used as part of hybrid or mixed deployments of Exchange. More information about Forefront Online Protection for Exchange can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309125

Microsoft Exchange Online Protection
Microsoft Exchange Online Protection provides cloud-based protection for your on-premises email, whether Microsoft Exchange Server 2013, legacy Exchange servers, or any other on-premises Simple Mail Transfer Protocol (SMTP)–based email solution. It can operate in a purely cloud environment, such as with Exchange Online or Office 365™, or integrate into a purely on-premises environment or a hybrid email infrastructure. It helps protect your organization against spam and malware in addition to helping with management. More information about Exchange Online Protection can be found at the following webpage: http://go.microsoft.com/fwlink/?LinkID=309126
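The reverse-lookup and SPF checks described above can be scripted on a mail gateway. The following script is an added example and is not part of the 10967A courseware. The SPF evaluator runs offline against constructed records (the adatum.com record and the IP addresses are made up for the example), and the two Resolve-DnsName calls at the end are optional and need network access. It goes a little beyond the text by handling CIDR ranges and the qualifier prefixes that SPF allows, and it deliberately reports include: as unresolved rather than guessing.

```powershell
# Added example, not part of the 10967A courseware: PTR and SPF checks as a mail
# gateway would run them. The SPF records and IP addresses below are constructed
# for the example; only the functions with Resolve-DnsName touch the network.

# IPv4 dotted quad to a 32-bit integer held in an Int64 so shifts stay positive.
function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

# True when $Ip falls inside $Cidr ('203.0.113.0/24' or a bare address).
function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $shift = 32 - [int]$bits
    ((ConvertTo-IPv4Int $Ip) -shr $shift) -eq ((ConvertTo-IPv4Int $net) -shr $shift)
}

# Evaluates the ip4: and all mechanisms of an SPF record for a sending IP.
# Qualifiers: + Pass, - Fail, ~ SoftFail, ? Neutral. Mechanisms that need more
# DNS (include:, a, mx, exists:, ptr) return 'Unresolved' instead of a guess.
function Test-SpfIp4 {
    param([string]$Record, [string]$SenderIp)
    if ($Record -notmatch '^v=spf1(\s|$)') { return 'PermError' }
    $result = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    foreach ($term in ($Record -split '\s+' | Select-Object -Skip 1)) {
        $q = '+'
        if ($term -match '^[+\-~?]') { $q = $term.Substring(0, 1); $term = $term.Substring(1) }
        switch -Regex ($term) {
            '^ip4:(.+)$' { if (Test-IPv4InCidr -Ip $SenderIp -Cidr $Matches[1]) { return $result[$q] } }
            '^all$'      { return $result[$q] }
            '^(include:|a$|a:|mx$|mx:|exists:|ptr)' { return 'Unresolved' }
            '^(ip6:|redirect=|exp=)' { }   # IPv6 and modifiers are outside this example
        }
    }
    'Neutral'   # nothing matched and no 'all' term: RFC 7208 default result
}

# Forward-confirmed reverse DNS: the connecting address must have a PTR record
# and the name it points to must resolve back to the same address. Needs network.
function Test-ReverseDns {
    param([string]$Ip)
    try {
        $ptr = (Resolve-DnsName -Name $Ip -Type PTR -ErrorAction Stop | Where-Object Type -eq 'PTR').NameHost
        if (-not $ptr) { return 'NoPTR' }
        $fwd = (Resolve-DnsName -Name $ptr -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
        if ($fwd -contains $Ip) { "Confirmed ($ptr)" } else { "Mismatch ($ptr)" }
    } catch { 'NoPTR' }
}

# Constructed records for adatum.com (not real DNS data).
$SpfWithInclude = 'v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 include:spf.protection.outlook.com -all'
$SpfStrict      = 'v=spf1 ip4:203.0.113.0/24 -all'
foreach ($ip in '203.0.113.77', '198.51.100.25', '192.0.2.9') {
    '{0,-15} include-record: {1,-10} strict-record: {2}' -f $ip,
        (Test-SpfIp4 -Record $SpfWithInclude -SenderIp $ip),
        (Test-SpfIp4 -Record $SpfStrict -SenderIp $ip)
}
# Expected: 203.0.113.77 Pass/Pass, 198.51.100.25 Pass/Fail, 192.0.2.9 Unresolved/Fail.
# The Unresolved line is the point: a gateway must expand include: (and the
# SPF lookup limit) before it can reach -all and reject the forged sender.

# Live checks, run only when the gateway has DNS access. The SPF record is read
# with:  (Resolve-DnsName -Name adatum.com -Type TXT).Strings -match '^v=spf1'
# Test-ReverseDns -Ip '203.0.113.77'
```

SPF is evaluated against the envelope sender (MAIL FROM) domain, not the From: header the user sees, which is why it is combined with content filtering and, in practice, with DKIM and DMARC, rather than relied on alone.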
Client-Side Solutions

Although server-based solutions and tools deployed in an organization’s perimeter network provide the best defense against email-based threats trying to enter the network, no single solution will eliminate them. Cloud-based services are becoming more widely available and popular, because they let a hosted third party carry the security and management overhead, as with Exchange Online, and this can have many benefits for administrators. However, even with a fully cloud-based service, or a hybrid service that mixes on-premises and off-premises solutions, client-side security is still important. Client-side email security management provides an additional level of protection from unwanted email for users.

Microsoft Office Outlook Defenses
In addition to antivirus programs and boundary defenses, Microsoft Outlook® provides additional layers of security. Outlook has a built-in junk email filter that prevents potentially harmful attachments and images from being displayed. The filter is based on the concept of trusted senders together with its own logic. Outlook maintains two lists of sender addresses for filtering received email. Users can maintain these lists according to the messages they receive and how they want Outlook to handle them.
• Safe senders. Addresses identified as known and trusted senders of email. Messages received from addresses on the safe senders list are treated as trusted and can display images and use other functions that might be considered potentially harmful if they came from an untrusted address.
• Blocked senders. Addresses known to be unsafe. Messages from these addresses are filtered in order to prevent potentially harmful activity.
With Outlook, a user can also maintain a list of top-level domains (TLDs) that are marked as unsafe or unwanted. Examples of TLDs are .jp, .de, and .uk. To block email coming from addresses with a particular country/region code, you add that TLD to the Blocked Top-Level Domain list.
When an email message comes in, Outlook checks the validity of the message and checks the level of junk email protection you have set. There are four levels of security:
• No filtering. This setting enables all email to be received regardless of the sender and does not use the built-in junk email settings in Outlook.
• Low. This performs a basic scan and analyzes email as it comes in. It allows most email to pass through and end up in the Inbox. It also considers the safe senders, safe recipients, and blocked senders lists and the international settings, which are configurable in Outlook. The safe senders and safe recipients lists are lists of people that you trust, regardless of what kind of logic Outlook might apply to the email. These lists make sure that the email message, provided it passes the front line of defense, always ends up in your Inbox. The blocked senders list is just that: any email address or domain on the blocked senders list is immediately treated as junk email. The international setting enables blocking of top-level domains and specific character encoding sets.
• High. High, similar to Low, filters email, only on a more aggressive scale. This lets less email through to your Inbox. High also considers all of the previously mentioned lists.
• Safe Lists Only. This is the most extensive filtering possible, but it can treat some potentially “safe” email as junk. Safe Lists Only allows email from the safe senders and safe recipients lists mentioned previously and treats all remaining email as junk email.
Antivirus Programs
Most antivirus programs integrate with email programs such as Outlook and scan email. They also scan any attachments included in the email. This provides a second layer of defense in case the perimeter-based servers have missed a potentially harmful email message.
This second layer of security also allows an end user or an IT department to implement more rigorous checks on specific devices instead of at the global level. For example, the global policy might be to allow Microsoft Word, Excel®, and PowerPoint® files through the firewall, whereas at the second layer, the antivirus software can block the service staff of the company from receiving any attachments at all.
Lesson 3
Server Protection
An organization’s servers represent the core of its network functionality. Servers typically host multiple business-critical services in an organization. An infected file server can propagate a virus to remote workstations, further crippling a network, whereas an infected email server could potentially drop external communications between your organization and the clients. Therefore, security measures implemented on the server infrastructure represent one of the most important aspects of maintaining overall network integrity and functionality. This lesson introduces several ways to make sure that your servers are protected from circumstances that could leave them vulnerable to attack.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to maintain server security.
• Describe the Security Configuration Wizard (SCW).
• Describe the Best Practices Analyzer (BPA).
• Describe the Security Compliance Manager (SCM).
Maintaining Server Security
Ensuring the security of your Windows Server servers is an ongoing process that requires routine attention and maintenance to minimize their exposure to potential attacks. Several areas should be considered when maintaining the security of your servers.
Maintaining Updates
Operating systems are constantly changing and evolving in response to newly identified security risks or other changes in the computing world. Applications installed on servers experience the same state of constant change for many of the same reasons. Because of this ever-changing state, operating systems and the applications that run on them are constantly being updated. Although many update processes, such as Windows Update and Windows Server Update Services (WSUS), are primarily automated, these automated processes have to be routinely examined for correct operation.
User Account Security
The state of the server’s (and, if applicable, domain’s) account security is critical to ensuring the integrity of the server environment. Account passwords should be enforced by a password complexity policy, and passwords should be regularly updated to prevent unauthorized account access. Unused accounts should be disabled or removed from the system. Accounts that have elevated permissions, such as administrative accounts, should be closely monitored and used only for their intended purpose. For additional security, these accounts could be protected with a smart card or a biometric authentication device.
Unused Services or Features
Disabling unused services and features within Windows Server reduces the potential vulnerability of the server to attack and potentially increases performance.
Application Installation and Usage
Like unused services or features, unused applications can expose the server to security vulnerabilities and potential performance implications. In addition, carefully monitoring installed applications makes sure that malicious or unauthorized application installations are detected and removed.
Windows Firewall
Leaving Windows Firewall enabled and making sure that it is configured correctly leaves that layer of protection intact and gives you a manageable and flexible way to protect against potential network vulnerabilities that may exist in other applications on the server.
Also, as discussed in Module 1, running Windows Server 2012 as Server Core helps reduce overall maintenance and management because of the reduced attack surface and the reduced number of updates that have to be applied to a Server Core installation.
What Is the Security Configuration Wizard?
The Security Configuration Wizard (SCW) can be used to improve the security of a server by configuring the ports and services that are required for a particular server role in your organization. It lets administrators create, edit, apply, or roll back security policies that can be targeted at a specific server function or role, such as File Server. The security policy can enhance and control the security configuration of the server as it goes into production. SCW can be accessed from the Server Manager Tools menu or from the command line by using Scwcmd.exe. The SCW is a role-based tool and typically runs on a server before that server is deployed in production. In this manner, the attack surface of the server is reduced before it is deployed into the infrastructure and exposed to potential threats.
When the SCW is run, it scans the server and identifies the current state of the server relative to potential changes that might have to be made. SCW scans the following:
• Roles that are installed on the server
• Roles likely being performed by the server
• Services installed on the server but not defined in the security configuration database
• IP addresses and subnets configured for the server
The information discovered about the server is saved in an XML file. This server-specific file is called the configuration database.
The initial settings in the configuration database are called the baseline settings. After the server is scanned and the configuration database is created, you can change the database. This will then be used to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The security policy can then be applied to the server or to other servers playing the same roles. The SCW is a series of wizard pages that present these four security policy categories in separate sections:
• Role-based service configuration
• Network security
• Registry settings
• Audit policy
The final section of the wizard is Save Security Policy. This allows for the inclusion of security templates and also lets you choose when to apply the policy.
Role-Based Service Configuration
The outcome of this section is a set of policies that configure the startup state of services on the server. Only the services that are required by the server’s roles should start, and other services that are not required should not start. To achieve this outcome, the SCW presents pages that display the server roles, client features, administration, and other options detected on the scanned server. You can add or remove roles, features, and options to reflect the desired role configuration.
Network Security
The Network Security section produces the firewall settings of the security policy. Those settings are applied by Windows Firewall with Advanced Security. Like the Role-Based Service Configuration section, the Network Security section displays a page of settings derived from the baseline settings in the configuration database. The settings in the Network Security section are firewall rules instead of service startup modes.
Registry Settings
The Registry Settings section configures protocols that are used to communicate with other computers. These wizard pages determine Server Message Block (SMB) packet signing, Lightweight Directory Access Protocol (LDAP) signing, local area network (LAN) Manager authentication levels, and storage of LAN Manager password hash values. It also allows for the definition of Outbound Authentication methods. Each of these settings is described on the appropriate page, and there is a link to a Security Configuration Wizard Help page.
Audit Policy
The Audit Policy section generates settings that manage the auditing of success and failure events and the file system objects that are audited. Additionally, the section enables you to incorporate a security template called SCWAudit.inf into the security policy.
Security Policies
When the SCW has completed the assessment of the server, it provides the opportunity to capture the settings in a security policy. A security policy is the result of the SCW run on a server. A security policy is an XML-based file that contains the settings obtained from the details provided during the SCW process. The policy contains potential changes to Windows settings from the following areas:
• Services
• Network security, including firewall rules
• Registry values
• Audit policy
The saved policy can then be modified or deployed to servers.
Deploying a Security Policy by Using Group Policy
You can apply a security policy created by the SCW to a server by using the Security Configuration Wizard itself and selecting Apply An Existing Policy, by using the Scwcmd.exe command from the command line, or alternatively by transforming the security policy into a Group Policy Object (GPO). To transform a security policy into a GPO, use Scwcmd.exe:
scwcmd transform /p:"Adatum DC Security.xml" /g:"Adatum DC Security GPO"
This command creates a GPO called “Adatum DC Security GPO” with settings imported from the Adatum DC Security.xml security policy file. The resulting GPO can then be linked to an appropriate scope (site, domain, or organizational unit (OU)) by using the Group Policy Management console. You can use scwcmd transform /? for help and guidance about this process. There are no Windows PowerShell cmdlets that work directly with the Security Configuration Wizard. More information about the Security Configuration Wizard can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309127
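As an added example (not the course's own material), the transform step above scripted together with the link and review steps that the text leaves to the Group Policy Management console; the policy file path, GPO name and link target are assumptions for the A. Datum scenario.

```powershell
# Added example, not part of the course text. Automates the transform step and the
# link step that the text leaves to the Group Policy Management console. The policy
# path, GPO name and link target are assumptions for the A. Datum scenario.
$PolicyFile = 'C:\Windows\security\msscw\Policies\Adatum DC Security.xml'   # assumed
$GpoName    = 'Adatum DC Security GPO'
$LinkTarget = 'OU=Domain Controllers,DC=adatum,DC=com'                        # assumed

if (-not (Test-Path -LiteralPath $PolicyFile)) { throw "SCW policy not found: $PolicyFile" }

# 1. scwcmd.exe has no Windows PowerShell cmdlet equivalent, so it is run as an
#    external command; the quoted arguments survive the spaces in the names.
& scwcmd.exe transform /p:"$PolicyFile" /g:"$GpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed (exit code $LASTEXITCODE)" }

# 2. The GPO is created unlinked, so it applies to nothing yet. Review it first:
#    an HTML report shows the service, firewall, registry and audit settings it carries.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")

# 3. Link it to the scope that holds the servers playing the same role. The link
#    starts disabled so it can be switched on once the report has been checked.
New-GPLink -Guid $gpo.Id -Target $LinkTarget -LinkEnabled No
Get-GPInheritance -Target $LinkTarget | Select-Object -ExpandProperty GpoLinks
```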
What Is the Best Practices Analyzer?
The Best Practices Analyzer (BPA) is a tool that examines an operating system configuration and settings against a set of predefined rules to generate a list of issues outlining any best practice violations it finds. The BPA can analyze Windows Server 2012 server roles to determine whether a particular server role is using best practices. The BPA works by measuring a role’s compliance with best practice rules in different categories of effectiveness, trustworthiness, and reliability. Some of the rule categories include:
• Security: Measures a role’s risk for exposure against threats such as unauthorized users.
• Performance: Measures a role’s ability to process requests in an expected time, based on workloads.
• Configuration: Identifies setting conflicts that can result in error messages.
• Policy: Identifies Group Policy and Windows Registry settings that might require modification.
• Operation: Identifies possible failures of a role to perform its prescribed tasks.
• PreDeployment: Applied before an installed role is deployed, to allow administrators to evaluate whether best practices were followed before the role is deployed.
• PostDeployment: Applied after all required services for a role have been started and the role is running.
• BPA Prerequisites: Explains configuration and policy settings and features that are required for the role before BPA can apply specific rules from other categories.
After analyzing the role categories, results are reported in different severity levels such as the following:
• Noncompliant/Error. The role does not satisfy the conditions of a rule.
• Compliant. The role satisfies the conditions of the rule.
• Warning. The role satisfies the conditions of the rule, but might not satisfy the rule for certain configuration or policy settings. For example, when a directory backup has not been completed in a recommended number of days.
The BPA is updated through Windows Update. To start a BPA scan:
1. Open Server Manager, and select the role of interest.
2. In the center details pane, locate the Best Practices Analyzer area.
3. From the TASKS menu, select Start BPA Scan.
4. In the Select Servers dialog box, select the server(s) of interest, and then click Start Scan.
BPA can also be run and managed by Windows PowerShell. Here are some of the available Windows PowerShell cmdlets and brief descriptions of their functionality.
BPA cmdlets | Functionality
Get-BpaResult | Displays the results of the most recent BPA scan
Invoke-BpaModel | Starts a BPA scan on a computer for a specific model
Set-BpaResult | Excludes or includes results of a BPA scan
Get-Command *BPA* | Returns available BPA cmdlets
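As an added example (not the course's own code), the cmdlets in the table combined into one scan of the AD DS role, the role the lab scans through Server Manager, with its findings summarised; it assumes the server holds AD DS so that the Microsoft/Windows/DirectoryServices model is installed, and the exclusion filter at the end is a placeholder.

```powershell
# Added example, not part of the course text. Runs the AD DS BPA model and
# summarises the findings that need attention. Assumes the server holds the
# AD DS role so that the model 'Microsoft/Windows/DirectoryServices' is installed.
Import-Module BestPractices

# Every installed role brings its own model; list them with their last scan time.
$models = Get-BpaModel
$models | Select-Object Id, LastScanTime

$modelId = 'Microsoft/Windows/DirectoryServices'   # AD DS model ID
if (-not ($models.Id -contains $modelId)) { throw "BPA model $modelId is not installed" }

# Start a fresh scan, then read its results (Get-BpaResult alone returns the last scan).
Invoke-BpaModel -ModelId $modelId | Out-Null
$results = Get-BpaResult -ModelId $modelId

# Errors and warnings are the ones worth acting on; Information means compliant.
$findings = $results | Where-Object { $_.Severity -in 'Error', 'Warning' }
$findings | Sort-Object Severity, Category |
    Format-Table Severity, Category, Title -AutoSize

# Each result carries Problem, Impact and Resolution text; print them for the errors.
$findings | Where-Object Severity -eq 'Error' | ForEach-Object {
    "{0}`n  Problem:    {1}`n  Impact:     {2}`n  Resolution: {3}" -f
        $_.Title, $_.Problem, $_.Impact, $_.Resolution
}

# A finding accepted as a known exception can be hidden from future reports with
# Set-BpaResult: pipe the result objects back in with -Exclude $true.
$accepted = $findings | Where-Object { $_.Title -like '*PLACEHOLDER*' }   # placeholder filter
if ($accepted) { $accepted | Set-BpaResult -ModelId $modelId -Exclude $true }
```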
More information about the Best Practices Analyzer can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309128 More information about Windows PowerShell BPA cmdlets can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309129
What Is the Security Compliance Manager?
The Microsoft Security Compliance Manager (SCM) is a free tool and the latest in a series of Solution Accelerators. Solution Accelerators are free downloadable tools available for a range of management and administrative tasks related to Windows Server 2012, such as Microsoft Deployment Toolkit (MDT) and Microsoft Assessment and Planning Toolkit (MAP). With the SCM Solution Accelerator, you can view, update, customize, and export security baselines to meet the unique requirements of your organization.
A security baseline is a collection of configuration items for a specific Microsoft product. SCM includes a Baseline Library for various Microsoft products, such as Exchange Server, Internet Explorer, Windows Server, and Windows Client. The baselines are for specific versions; that is, there are separate baselines for Internet Explorer 9 and Internet Explorer 10, or for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2, in SCM 3.0. Baselines are also available for Windows Server 2012 and Windows 8. Within each product baseline are subcategories for specific roles. For example, under the Windows Server 2012 baseline are specific settings for roles such as Dynamic Host Configuration Protocol (DHCP), DNS Server, and Domain Controllers (DC).
Each baseline provides prescribed values to resolve a specific usage case or scenario, for example, running Internet Explorer 10 with a specific set of search providers and third-party add-ins. Additionally, each configuration item provides information on Group Policy settings, registry settings, threats, and countermeasures such as the following:
• Vulnerability. What security weaknesses could be exposed by this server, application, or browser setting? For example, allowing users to enable third-party add-ins could expose the network to a security risk.
• Potential Impact. What effect could changing this configuration item have on users? For example, disabling third-party add-ins could affect a user’s ability to do their job.
• Countermeasure. What is the recommended configuration setting? For example, do not let users enable or disable third-party add-ins that are not within the organization’s security policy.
After security baselines are established, they can be exported and applied to other computers in your organization. This provides an easy way to make sure that all the computers in your organization comply with the same security standard, especially if they have the same role, such as multiple DNS servers or DHCP servers. To summarize the key features of SCM:
• Provides baselines for most Microsoft products, and the ability to import baselines from a file. These imported baselines are known as third-party baselines.
• Combines Microsoft security guide recommendations and industry best practices into one place.
• Provides a centralized location to access, configure, and manage all the organization’s security baselines.
• Ability to start your baseline by importing your Group Policy settings.
• Deploy configurations to non-domain-joined computers.
• Analyze your configurations against prebuilt Windows client and server operating system baselines.
SCM v3.0 must be downloaded and installed separately. The installation prerequisites are included with the installation. More information about the SCM download can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309130 More information about Microsoft Solution Accelerators can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309131
Demonstration: How to Use the Best Practices Analyzer
In this demonstration, you will see how to use the Best Practices Analyzer to scan the Internet Information Services (IIS) server role.
Demonstration Steps
1. Access the IIS server role in Server Manager.
2. Run the Best Practices Analyzer.
3. Review the compliance results.
Lab: Implementing Security Software
Scenario
A. Datum has recently experienced several security breaches and is taking steps to tighten server security. You have been asked to prevent the installation of a particular Windows Installer .msi file which has caused some performance issues and raised some security issues for the organization. You are also asked to use the Security Configuration Wizard to configure security settings on a domain controller, and to use the Best Practices Analyzer to scan the Active Directory Domain Services (AD DS) server role to ensure it is operating efficiently and according to best practices.
Objectives
After completing this lab, you will be able to:
• Use the Security Configuration Wizard.
• Use the Best Practices Analyzer.
Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1 and 10967A-LON-CL1
User Name: ADATUM\Administrator, and also ADATUM\Allie on 10967A-LON-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: ADATUM
5. Repeat steps 2 and 3 on 10967A-LON-CL1. Sign in as Adatum\Allie with password Pa$$w0rd.
Exercise 1: Create and Enforce an AppLocker Rule
Scenario
A. Datum has recently experienced several security breaches and is taking steps to tighten server security. You have been asked to prevent the installation of a particular Windows Installer .msi file which has caused some performance issues on some servers and raised some potential security issues for the organization. Before blocking the installation of the file, you first need to ensure that blocking it has no unexpected consequences, so you need to run the rule in Audit Only mode for testing purposes. If the AppLocker rule performs as expected, you then proceed to block the Windows Installer package properly. The main tasks for this exercise are as follows:
1. Create a Group Policy Object to apply an AppLocker rule in the domain
2. Create a Windows Installer rule to block the installation of the .msi file
3. Configure Windows Installer rule enforcement to be audit only
4. Configure the Application Identity service to automatically start
5. Apply the AppLocker rule to the domain’s Group Policy
6. Run the Windows Installer and verify the audited result in Event Viewer
7. Enforce the blocking of the Windows Installer
8. Run the Windows Installer file and verify the application is blocked
Task 1: Create a Group Policy Object to apply an AppLocker rule in the domain
1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Create a Group Policy Object called SQLSysClrTypes Restriction Policy.
Task 2: Create a Windows Installer rule to block the installation of the .msi file
1. Edit the newly created Group Policy Object.
2. Create a Windows Installer AppLocker rule with the following settings:
   • Permissions: Deny
   • Conditions: Publisher
   • Publisher: Browse to E:\Mod11\LabFiles\SQLSysClrTypes.msi and leave the slider rules as default
   • Exceptions: Default
Task 3: Configure Windows Installer rule enforcement to be audit only
• Configure AppLocker Rule Enforcement for Windows Installer Rules for Auditing Only.
Task 4: Configure the Application Identity service to automatically start
• Using the Group Policy Management Editor, under Computer Configuration\Windows Settings\Security Settings, click System Services, and set the Application Identity service to start automatically.
Task 5: Apply the AppLocker rule to the domain’s Group Policy
1. Link the Group Policy Object SQLSysClrTypes Restriction Policy to the Adatum.com domain.
2. Update Group Policy on the local machine.
3. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if need be, and sign in as ADATUM\Allie with a password of Pa$$w0rd.
4. Update Group Policy.
Task 6: Run the Windows Installer and verify the audited result in Event Viewer
1. Ensure you are logged on to 10967A-LON-CL1 as ADATUM\Allie with a password of Pa$$w0rd.
2. Run the file \\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi and verify that it installs successfully.
3. Switch to the 10967A-LON-DC1 virtual machine.
4. Open Event Viewer and view the MSI and Script logs in the AppLocker logs.
5. Verify that the logs detail what happened and what would have happened if the rules had been enforced.
6. What is the Event ID for audited blocked installations of Windows Installer files?
Task 7: Enforce the blocking of the Windows Installer
1. Still on 10967A-LON-DC1.
2. Edit the SQLSysClrTypes Restriction Policy and configure the Rule Enforcement to Enforce Rules for Windows Installer Rules.
3. Update Group Policy.
Task 8: Run the Windows Installer file and verify the application is blocked
1. Switch to 10967A-LON-CL1, sign off as ADATUM\Administrator if need be, and sign in as ADATUM\Allie with a password of Pa$$w0rd.
2. Update Group Policy.
3. Uninstall the \\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi.
4. Install the \\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi.
5. Verify that you are now unable to install the Windows Installer .msi file.
Results: After this exercise, you will have created an AppLocker rule to block the installation of a particular Windows Installer package. You will have tested the rule before implementing the AppLocker rule in your production environment and you will have applied that AppLocker rule using Group Policy across the A Datum domain.
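As an added example (not the lab's own material), the same Publisher Deny rule in Audit Only mode built as AppLocker policy XML, tested against the file before it is deployed, and merged into the lab GPO. The lab paths, GPO name and ADATUM account names come from the exercise; the publisher fields are read from the file's signature rather than typed in; LON-CL1 as the client host name and the LDAP path are assumptions.

```powershell
# Added example, not part of the course text. Reproduces what Exercise 1 does in the
# GUI as a script you can review: a Publisher Deny rule for one Windows Installer file,
# created in Audit Only mode, tested against the file, and only then pushed into the
# lab GPO. Paths, the GPO name and the ADATUM names come from the lab; the publisher
# values are read from the file's signature rather than typed in.
$MsiPath  = 'E:\Mod11\LabFiles\SQLSysClrTypes.msi'
$GpoName  = 'SQLSysClrTypes Restriction Policy'
$TestUser = 'ADATUM\Allie'

# Publisher information AppLocker derives from the file's Authenticode signature.
$info = Get-AppLockerFileInformation -Path $MsiPath
$pub  = $info.Publisher
if (-not $pub) { throw "$MsiPath is not signed, so a Publisher condition cannot be built for it" }

# Attribute values go into XML, so escape any characters that would break it.
$esc = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }

# AppLocker policy: one Msi rule collection in AuditOnly mode holding a single Deny
# rule for Everyone (S-1-1-0) that matches every version of this publisher/product/file.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())"
                       Name="Deny $(& $esc $pub.BinaryName)"
                       Description="Blocks installation of $(& $esc $pub.BinaryName)"
                       UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $pub.PublisherName)"
                                ProductName="$(& $esc $pub.ProductName)"
                                BinaryName="$(& $esc $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'SQLSysClrTypes-AuditOnly.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run before anything is deployed: what would this policy decide for the file
# when Allie tries to install it? Expect PolicyDecision = Denied, matched by the rule above.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $MsiPath -User $TestUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Publish the policy into the lab GPO (-Merge keeps any rules already in the GPO).
# The GPO GUID is looked up, not hard-coded; LON-DC1 and adatum.com are the lab names.
Import-Module GroupPolicy
$gpo  = Get-GPO -Name $GpoName
$ldap = "LDAP://LON-DC1/CN={$($gpo.Id)},CN=Policies,CN=System,DC=adatum,DC=com"
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $ldap -Merge

# Rules are only evaluated where the Application Identity service is running (the lab
# sets it to Automatic through the same GPO); this checks the state on the client.
$client = 'LON-CL1'   # assumed client host name
Get-WmiObject Win32_Service -ComputerName $client -Filter "Name='AppIDSvc'" |
    Select-Object State, StartMode

# After the .msi has been run on the client, the audit entries land in its AppLocker
# "MSI and Script" log; the warnings are the installs that would have been blocked
# had the collection been in Enforce mode.
Get-WinEvent -ComputerName $client -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 20 |
    Where-Object { $_.LevelDisplayName -eq 'Warning' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```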
Exercise 2: Use the Security Configuration Wizard
Scenario
You are asked to use the Security Configuration Wizard to create a security policy for domain controllers in the adatum.com domain, based on the configuration of LON-DC1. You will then convert the security policy into a GPO, which could then be deployed to all domain controllers by using Group Policy. The main tasks for this exercise are as follows:
1. Create a security policy
2. Transform a security policy into a GPO
Task 1: Create a security policy
1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. On 10967A-LON-DC1, run the Security Configuration Wizard from Server Manager.
3. Carry through the steps of the wizard, accepting the default settings.
4. Save the resultant security policy as C:\LabFiles\SCW\DC Security Policy.xml.
5. When you are prompted to apply the security policy, select Apply later.
Task 2: Transform a security policy into a GPO
1. On 10967A-LON-DC1, use c:\windows\security\msscw\policies\scwcmd to transform C:\LabFiles\SCW\DC Security Policy.xml into a GPO named DC Security Policy GPO.
2. In the Group Policy Management Editor, examine the newly created DC Security Policy GPO.
Results: After this exercise, you will have used the Security Configuration Wizard (SCW) to create a security policy named DC Security Policy, and transformed the security policy into a Group Policy Object (GPO) named DC Security Policy GPO.
Exercise 3: Use the Best Practices Analyzer
Scenario
You are asked to run the Best Practices Analyzer on the AD DS server role. The main tasks for this exercise are as follows:
1. Run the BPA on the AD DS server role
2. Analyze the BPA compliance results
3. Revert the lab machines
Task 1: Run the BPA on the AD DS server role
1. Switch to 10967A-LON-DC1.
2. Use Server Manager to run the BPA on the AD DS server role.
Task 2: Analyze the BPA compliance results
1. Review the BPA results.
2. How many events were returned?
3. Select an item and view the additional information that is available.
4. What three additional pieces of information are provided?
5. Click the Severity column heading to sort the findings.
6. What severity categories are shown for this BPA scan?
7. Run the saved Compliant results query.
8. How many compliant (informational) results were found?
Task 3: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 1 to 3 for 10967A-LON-CL1.
Results: After this exercise, you will be able to run the Best Practices Analyzer (BPA) on a server role and determine areas for improved efficiency or performance.
Question: What is the benefit of exporting a SCW security policy to a GPO?
Question: When would you use the Security Policy XML format?
Module Review and Takeaways
Review Questions
Question: What are the key differences between AppLocker and legacy Software Restriction Policies?
Question: Why are server-side email security solutions typically more effective and easy to implement than client-side solutions?
Tools
Tool | Use for | Where to find it
Software Restriction Policies | Managing software execution in legacy environments or in environments where Windows Server 2008 R2 or Windows 7 coexist with legacy Windows operating systems | Group Policy Management
AppLocker | Managing software execution in Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7 environments | Group Policy Management
Microsoft Forefront Protection for Exchange Server | Providing anti-malware protection for an Exchange Server environment | Separate downloadable product
Security Configuration Wizard | Generating and applying security policy templates to decrease the vulnerability of Windows Server | Server Manager
Microsoft Baseline Security Analyzer | Analyzing the security state of an environment according to Microsoft security recommendations | Server Manager
Best Practices Analyzer | Reviewing server roles for compliance with best practices | Server Roles Summary Details
Security Compliance Manager | Viewing, updating, customizing, and exporting security baselines | Solution Accelerator
Windows PowerShell | Configuring AppLocker and Best Practices Analyzer | Windows PowerShell console
Scwcmd.exe | Transforming an SCW security policy XML file into a Group Policy Object that can be deployed with Group Policy | Command Prompt
Module 12
Monitoring Server Performance
Contents:
Module Overview 12-1
Lesson 1: Event Logging 12-2
Lesson 2: Performance Monitoring 12-8
Lab: Monitoring Server Performance 12-15
Module Review and Takeaways 12-22
Module Overview
Monitoring the performance of servers is important for all organizations. Businesses require cost-effective solutions that provide value for the money spent on computer infrastructure. Proactive monitoring is also important for successful troubleshooting and can be a security component. When you know how your servers usually perform, it is more likely that you will find services having issues or even someone attacking your systems. You should monitor servers to make sure that they run efficiently and use all the available server capacity. Monitoring your servers will require you to review server logs and actively monitor server performance.
Objectives
After completing this module, you will be able to:
• Use the Event Viewer to identify and interpret Windows® Logs, and Application and Services Logs.
• Measure system resource usage, identify component bottlenecks, and use monitoring tools such as Performance Monitor.
Lesson 1
Event Logging
As events occur in your Windows Server environment, information about what occurred will be logged. This information can be used to determine what is working well and what requires or might require administrator attention or intervention. One of the biggest problems facing IT administrators in relation to logging is what to log and what not to log. If an administrator logs and tracks too many events, there is a risk that important information might be missed; if too few events are logged, it is possible that important information might not be logged. Also, with increases in logging comes an increase in overhead on the server, whether it is for log size and storage space or CPU overhead in processing the additional data or potentially network bandwidth in monitoring and transmitting data from remote servers. Getting that balance right and using the correct functionality built in to Windows Server® 2012 can help manage and provide solutions for those issues. By default, Windows Server 2012 includes two sets of logs: Windows Logs, and Application and Services Logs. This lesson will focus on how to use the Event Viewer to identify, review, and interpret the various log types and also the information that they contain.
Lesson Objectives
After completing this lesson, you will be able to:
• Review and interpret Windows Logs.
• Review and interpret Application and Services Logs.
• Describe event types.
• Filter logs, create custom views, and create subscriptions.
Windows Logs
Windows Logs can be viewed by using the Event Viewer under the Windows Logs node. The Event Viewer can be accessed in Server Manager from the Tools menu. All logs are stored as .evtx files in the %SystemRoot%\System32\Winevt\Logs\ folder. Windows Logs includes the logs listed in the following table.

Windows Log        Description and Use
Application log    Contains events that relate to the operation of applications such as Windows Internet Explorer® and Notepad. As was mentioned earlier, there is also an Application and Services Logs section; for application-specific information, the Application and Services Logs should generally be checked first.
Security log       Reports the results of auditing: successful and failed logons, privilege use, object access and similar events. For these events to be logged, the relevant audit policy category must be enabled (through Local Security Policy, Group Policy, or auditpol.exe), and for file and folder access a system access control list (SACL) must additionally be configured on the specific folder or file that you want to be audited.
Setup log          Contains events related to the setup of applications on a server.
System log         Logs general events from Windows components and services, such as device driver data or service start failures.
Forwarded Events   Collects events from remote computers. This is useful when centralized viewing of logs across multiple computers is required.
Windows Logs can also be viewed and manipulated by using Windows PowerShell® cmdlets. Some of these commands are listed in the following table.

Windows PowerShell Cmdlet          Description and Use
Get-EventLog                       Displays events and event logs on local and remote computers.
Show-EventLog                      Opens Event Viewer on the local computer and displays the event logs from local or remote computers.
Write-EventLog                     Writes an event to an event log.
Get-Help *log*                     Lists the help topics whose names contain "log", which includes the event log cmdlets.
Get-Help Get-EventLog -ShowWindow  Displays the detailed help for the Get-EventLog cmdlet in a separate window. Any other cmdlet name can be substituted for Get-EventLog.

Note: The Get-EventLog cmdlet only works with the classic Windows Logs. It will not work with Application and Services Logs.
Application and Services Logs
Application and Services Logs are another kind of log available in the Event Viewer. These logs were introduced with Windows Server 2008. They store events from a single application, such as Internet Explorer, or a single component, such as Audio. When you install a role on Windows Server 2012, typically a corresponding log of the same name is created under this node in Event Viewer, such as DNS Server, Directory Service, or DFS Replication. The number of logs under this node increases as roles are added. Each provider under this node can expose up to four log types (Event Viewer calls them channels), and the same four types appear across the logs here:
• Admin (Administrative). These events are primarily targeted at end users, administrators, and support personnel. Each event describes the problem and contains a suggested solution on how to fix it. For example, if your computer cannot receive an address from the network, there are very specific troubleshooting steps that you can take.
• Operational. These events are used for analyzing and diagnosing a problem or occurrence. They may trigger tools or tasks for that event. For example, operational events are logged when a service starts or stops. They do not provide suggested solutions on how to fix a problem.
• Analytic. These events are descriptive, and indicate problems that are generally not easily resolved. By default, analytic logs are hidden and disabled. When analytic logging is enabled it can produce a lot of data and increase processing and memory demands.
• Debug. Debug events are used by developers to troubleshoot their applications. By default, debug logs are hidden and disabled. When debug logging is enabled it can also produce a lot of data and increase processing and memory demands.
Note: As a best practice it is recommended to leave the Analytic and Debug events disabled. If these logs are required for diagnostic troubleshooting make sure that you limit the maximum size of the log and disable the logging when it is no longer required. Additionally, many events can be adjusted from being completely disabled to providing a very detailed logging level. These log levels should be increased carefully however.
Application and Services Logs are also stored in the %SystemRoot%\System32\Winevt\Logs folder. The Windows PowerShell cmdlets Get-EventLog and Write-EventLog, which were described earlier in this lesson, do not work with the Application and Services Logs; they work only with the classic Windows Logs.
To manage the Application and Services Logs, you must use different Windows PowerShell cmdlets. The following table provides some details.

Windows PowerShell Cmdlet   Description and Use
Get-WinEvent                Displays events from Windows Logs and Application and Services Logs from both local and remote computers
Get-WinEvent -ListLog *     Lists all the logs available
Get-Help Get-WinEvent       Displays help for the Get-WinEvent cmdlet

Note: This course does not provide a detailed description of the differences between the two cmdlets, Get-EventLog and Get-WinEvent. When you deal with remote computers, Get-WinEvent provides faster processing. Get-WinEvent also allows more manipulation of the data returned. However, for local server use, Get-EventLog is easy to use and quicker.
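The following script is an added example, not code from the course, that shows the difference the note describes: Get-WinEvent can enumerate every channel, including the Application and Services Logs, and read from them, while Get-EventLog can reach only the classic Windows Logs. It assumes an elevated Windows PowerShell console on Windows Server 2012 or later; the channel Microsoft-Windows-PowerShell/Operational exists there by default, and LON-DC1 is a placeholder computer name.

```powershell
# Added example; not part of the course text. Run in an elevated Windows PowerShell
# console on Windows Server 2012 or later. Assumes the channel
# Microsoft-Windows-PowerShell/Operational exists (it does by default); 'LON-DC1' is
# a placeholder computer name.

# 1. Enumerate every channel, including Application and Services Logs, and keep only
#    the enabled ones that hold records. Get-EventLog -List would show only the
#    classic Windows Logs.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, LogType, RecordCount, MaximumSizeInBytes -First 15 |
    Format-Table -AutoSize

# 2. Read the last week of events from an Application and Services Log. A hashtable
#    filter is evaluated by the Windows Event Log service, so far fewer events are
#    handed to PowerShell than with "Get-WinEvent -LogName ... | Where-Object".
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    StartTime = $since
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# 3. The limitation the note describes: Get-EventLog cannot open this channel.
try {
    Get-EventLog -LogName 'Microsoft-Windows-PowerShell/Operational' -Newest 1 -ErrorAction Stop
}
catch {
    Write-Warning "Get-EventLog cannot read this channel: $($_.Exception.Message)"
}

# 4. The same kind of query against a remote computer, which is where the note says
#    Get-WinEvent is the faster of the two. Level 2 = Error.
Get-WinEvent -ComputerName 'LON-DC1' -FilterHashtable @{
    LogName   = 'System'
    Level     = 2
    StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object MachineName, TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap
```

The remote query in step 4 uses the RPC-based event log interface rather than WinRM, so it needs the Remote Event Log Management firewall rule group enabled on the target; if it returns nothing, check that before assuming the log is empty.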
What Are the Event Types and Data Formats?
Both Windows Logs and Application and Services Logs events can be classified into three primary levels (Event Viewer also defines Critical, for failures the component cannot recover from, and Verbose, both of which are seen less often):
• Information. Informational messages about the progress and the state of the system. These events are usually very basic. For example, an informational event is logged when Windows PowerShell is ready for user input.
• Error. Error events are serious problems that administrators should be notified of and address immediately. Failure to resolve them can result in poor server performance and possibly other component failures. For example, an Error event is logged if your Windows Server license has not been activated; failure to activate the license could result in the server shutting down.
• Warning. Warning events indicate a condition that is currently tolerable but could become critical if not addressed. Many warnings are resolved automatically by the operating system before administrator intervention is required. For example, a Warning event is logged if the time service is not synchronized; in this case, the operating system continues to retry the connection until the problem is resolved.

In addition to these three levels, the Security log classifies all of its events at the Information level but sub-classifies them by two Keywords:
• Audit Failure. Audit failure events are informational and are intended to track logon failures and other permission-related issues. For example, an audit failure is logged if a user tries to log on with an account that does not exist or a wrong password.
• Audit Success. Audit success events are informational and are intended to track successful events, such as a user successfully logging on to the computer.
Within each event when viewed in Event Viewer, there are two tabs: General and Details. The General tab provides information categorized into paragraphs in a single scrollable window. The information is easy to display and includes the following:
• The Log Name from which the event came.
• An Event ID number to help identify and classify the event.
• The component or Source that generated the event.
• The event Level, such as Warning, Information, or Error.
• The time that the occurrence was logged.
• The User account under which the event happened.
• The Computer on which the event occurred.
• A link to an external Event Log Online Help site where there might be more information about the event.

Depending on the event, additional details might be displayed that let you analyze and troubleshoot the event's cause. The Details tab provides the following information:
• A description of the event in Friendly View
• A description of the event in XML View
On both tabs, you can scroll through events sequentially by clicking the up and down arrows on the right side. There is also an option to copy the event for pasting into another application, such as Notepad.
Filters, Custom Views, Tasks, and Subscriptions
Event logs can contain large amounts of data, and it can be challenging to narrow the information to just those events that interest you. To help with this process, Event Viewer provides filters, custom views, tasks, and subscriptions.
• Filters. Enable you to identify specific events in a single event log on a single computer. A filter applies only to the current session; if you want to keep it, use Save Filter to Custom View in the Action pane, which turns the filter into a custom view.
• Custom Views. Enable you to identify specific events in multiple event logs on a single computer. You can also save, export, import, and share custom views; they are stored as XML queries.
• Tasks. Enable you to send an email message, start a program, or display a message when a specific event is written to a particular log.
• Subscriptions. Enable you to identify specific events in multiple event logs on multiple computers.
Filters and Custom Views
Filters and custom views are created by specifying the query parameters. For example:
• When the event was logged, such as within the last 12 hours.
• The event level, such as Warning or Error.
• The event source, such as Remote Access or Firewall.
• The Event ID (can be a range of Event IDs).
• Keywords, such as Audit Failure or Response Time.
• User context (can be multiple users).
• Computer where the event occurred (can be multiple computers).
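As an added example that is not part of the course, here is a custom view expressed as the XML query that Event Viewer itself stores. It uses two of the parameters listed above, a Keyword (Audit Failure) and a time window, and feeds the same query to Get-WinEvent -FilterXml so that the results can be summarized from PowerShell. The 12-hour window, the grouping, and the use of Event ID 4625 (the Security log's "An account failed to log on" event, not an ID the course lists) are choices made for this example.

```powershell
# Added example; not course code. Requires an elevated console (the Security log is
# readable only by administrators and members of Event Log Readers).
# The XML below is what Event Viewer stores for a custom view, so it can be pasted
# into the XML tab of "Create Custom View" or given to Get-WinEvent -FilterXml.
# Keyword 4503599627370496 (0x10000000000000) is "Audit Failure";
# 9007199254740992 (0x20000000000000) is "Audit Success". timediff() is in milliseconds.
$hoursBack = 12
[xml]$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[band(Keywords,4503599627370496) and
        TimeCreated[timediff(@SystemTime) &lt;= $($hoursBack * 3600 * 1000)]]]
    </Select>
  </Query>
</QueryList>
"@

$failures = @(Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue)

if ($failures.Count -eq 0) {
    Write-Host "No Audit Failure events in the last $hoursBack hours (or auditing is not enabled)."
    return
}

# Which kinds of failure dominate? Group by Event ID.
$failures | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventId'; e = { $_.Name } },
                  @{ n = 'Task'; e = { $_.Group[0].TaskDisplayName } } |
    Format-Table -AutoSize

# For failed logons (Event ID 4625) pull the account, source address and NTSTATUS
# code out of the event XML. Many failures for one account from one address is the
# pattern of password guessing; many accounts from one address is password spraying.
$failures | Where-Object Id -eq 4625 | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
        Status  = ($data | Where-Object Name -eq 'Status').'#text'
    }
} | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize
```

Because the XML is evaluated by the event log service, the time window and keyword test cost almost nothing even on a large Security log; parsing the per-event XML in the last step is the expensive part, which is why it is applied only to the already-filtered 4625 events.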
Filters and custom views can be accessed from the Event Viewer Action pane.

Tasks
Tasks enable you to be more proactive when you manage your environment. Instead of waiting until you conduct a weekly review of logs, you can be notified as soon as a particular event occurs. When you create tasks, you should carefully consider which specific events you must be notified about. Tasks are stored in Task Scheduler and are created by clicking the relevant log and then selecting Attach A Task To This Log in the Action pane of Event Viewer. Tasks are also available in the log properties. In the Create Basic Task Wizard, you provide the Task Name, and then the Log, Source and Event ID information. Then you have three options:
• Start A Program
• Send An Email (deprecated)
• Display A Message (deprecated)
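The following is an added example, not part of the course, showing the command-line equivalent of the wizard with the Start A Program action, the only one of the three that is not deprecated. The script path C:\Scripts\On-AuditFailure.ps1 is a placeholder for whatever notification you want to run (for example Send-MailMessage, which replaces the deprecated Send An Email action), and Event ID 4625 (failed logon) is chosen for the example.

```powershell
# Added example; not from the course. Command-line equivalent of "Attach a Task To
# This Log" with the "Start a program" action. Run in an elevated console.
# C:\Scripts\On-AuditFailure.ps1 is a placeholder path for the notification script.
$taskName = 'Notify-On-AuditFailure'
# /MO carries the same XPath query syntax Event Viewer uses for filters and custom views.
$xpath    = '*[System[(EventID=4625)]]'
$action   = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\On-AuditFailure.ps1'

# /SC ONEVENT: event trigger; /EC: the channel to watch; /RU SYSTEM: run without an
# interactive logon; /F: overwrite an existing task of the same name.
schtasks.exe /Create /TN $taskName /SC ONEVENT /EC Security /MO $xpath /TR $action /RU SYSTEM /F

# Confirm that the trigger was stored as an event trigger against the Security log.
Get-ScheduledTask -TaskName $taskName |
    Select-Object -ExpandProperty Triggers |
    Select-Object Subscription, Enabled

# Remove the task when it is no longer needed:
# Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

Keep the XPath narrow: a task attached to a busy log with a broad filter can itself become a performance problem, because Task Scheduler starts one instance of the program per matching event.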
The Send An Email and Display A Message options are deprecated in Windows Server 2012. This means there will be no additional development investment in these features and they could be removed from future releases. When you are finished, the new task will be added to Task Scheduler, available in Administrative Tools.

Subscriptions
Troubleshooting an issue might require you to examine a set of events that are stored in multiple logs on multiple computers. For this purpose, Event Viewer lets you collect copies of events from multiple remote computers, and then store them locally. To specify which events to collect, create an event subscription. After a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. To create a subscription, you must configure the collecting computer (the collector) and each computer from which events will be collected (the source). Subscriptions are configurable from the Log Properties dialog box, and can be accessed either through the log or the Event Viewer Action pane. The Windows Event Collector Service must be running.
Note: Subscriptions are not intended for auditing. If a network connection briefly fails, or the receiving server is very busy, forwarded events might not be received. Therefore, subscriptions should only be used for troubleshooting.
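The following is an added example, not course material, of configuring the collector and the sources for a source-initiated subscription (each source pushes its events to the collector). The collector name LON-DC1, the subscription ID, the query (Audit Failure events) and the file path are placeholders chosen for the example.

```powershell
# Added example; not from the course. A source-initiated subscription, in which each
# source pushes events to the collector. LON-DC1 (the collector), the subscription ID
# and the path are placeholders.
#
# On each SOURCE computer, normally through Group Policy:
#   winrm quickconfig -q
#       enables the WinRM listener and firewall rule that event forwarding uses
#   net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
#       lets the forwarding service read the Security log on the source
#   Computer Configuration > Administrative Templates > Windows Components >
#   Event Forwarding > Configure target Subscription Manager:
#       Server=http://LON-DC1:5985/wsman/SubscriptionManager/WEC,Refresh=60
#
# On the COLLECTOR (LON-DC1), run the rest of this script in an elevated console.
wecutil qc /q     # configures and starts the Windows Event Collector service

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityAuditFailures</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Audit Failure events from domain member computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting the Domain Computers group (DC) permission to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP 'SecurityAuditFailures.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path                    # create the subscription from the XML
wecutil gs SecurityAuditFailures    # show the stored configuration
wecutil gr SecurityAuditFailures    # runtime status: which sources are connected

# On the collector, forwarded events then appear in the Forwarded Events log:
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents' } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object MachineName, TimeCreated, Id | Format-Table -AutoSize
```

The HTTP transport here is Kerberos-authenticated and encrypted at the WinRM layer, so it does not send events in clear text; HTTPS is needed mainly for non-domain sources. The note above about lost events still applies: treat the ForwardedEvents copy as a convenience for triage and keep each source's own Security log, with adequate retention, as the authoritative record.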
Demonstration: How to Use the Event Viewer
In this demonstration, you will see how to use the Event Viewer to review Windows Logs, and Application and Services Logs. You will also see how to create a custom view.

Demonstration Steps
1. Access the Event Viewer.
2. Review Windows Logs.
3. Review Application and Services Logs.
4. Create a custom view.
5. Within the Windows PowerShell console, obtain a list of all the available logs by using the Get-WinEvent cmdlet.
Lesson 2
Performance Monitoring
When performance issues are encountered, the first step is usually to identify the servers that are responsible for those issues and then the specific roles or services on each server that are the cause. However, knowing what is not normal performance can be difficult to determine: for example, file servers may have higher disk usage than a web server, and a mail server may have higher network bandwidth requirements than a domain controller. Knowing your baseline performance for each server role therefore helps you analyze the data and make informed decisions about bottlenecks and performance issues. Additionally, in today's cloud-enabled world, knowing the baseline performance and the components of an application helps you decide which services, if any, you should consider migrating to the cloud to support your requirements during peak hours. If your organization would otherwise need to make a significant investment in hardware to address performance issues, this may be something you need to consider.
Windows Server 2012 provides several tools that you can use to collect and analyze performance-related statistics. You must know what data to collect so that you can identify performance problems on your servers before they affect users.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe performance monitoring.
• View real-time performance data.
• Capture performance data for later analysis.
• Describe and implement Data Collector Sets.
• Identify server bottlenecks by using performance counter alerts.
Performance Bottlenecks
A performance bottleneck is a condition, usually involving a hardware resource, which causes a computer to perform poorly. An example of a hardware bottleneck is when a server cannot service a request for disk, memory, processor, or network resources. There are many scenarios that can cause resource bottlenecks, such as the following:
• Resources are insufficient.
• Resources are not sharing workloads evenly.
• A resource is malfunctioning.
• A program is monopolizing a particular resource.
• A resource is configured incorrectly.
As soon as a bottleneck is identified, you can do several things, including the following:
• Run fewer applications.
• Add or upgrade components.
• Replace a malfunctioning resource.
• Run programs during periods of low demand.
• Distribute users across additional servers.
• Balance resource workloads.
• Configure resources to perform optimally.
The key to removing bottlenecks is identifying when and where they are occurring. You do this by using performance monitoring tools and having a baseline to know how servers perform in a typical setting. By comparing performance results to your baseline and to historical data, you can identify server bottlenecks before they affect users. Here are several general mitigation best practices:
• Make one change at a time.
• Repeat monitoring after every change.
• Routinely review event logs.
• To determine whether network components are playing a part in performance problems, compare the performance of programs that run over the network with locally run programs.
Note: As a best practice, try to view the server as part of a larger system. Follow the flow of data around the system to isolate and identify potential performance bottlenecks.
The Process of Performance Monitoring
There are several methods that you can use to collect performance data from servers in your organization. You should select the best methods for your organization's requirements.

Real-time monitoring
Real-time monitoring of computers is useful when you want to determine the effect of performing a specific action or troubleshoot specific events. This kind of monitoring can also help you make sure that you are meeting service level agreements (SLAs).

Historical data
Analyzing historical data can be useful for tracking trends over time, determining when to relocate resources, and deciding when to invest in new hardware to meet the changing requirements of your business. You should use historical performance data to help you when you plan future server requirements.
If you intend to collect data for historical comparison, it is important to establish a performance baseline. To create a baseline, you must collect performance data over a period during which the server is under typical load. When you collect data in the future, you must make sure that you collect statistics about the same resources as those that you analyzed in your baseline. You can then compare resource usage against your baseline and see whether there are sufficient resources to satisfy user demands.

Tools
A range of tools is available to help you monitor the server environment. These tools are described in the following table.

Tool                                                  Description
Windows Server Event Viewer                           As discussed in the previous lesson, the Event Viewer displays information that relates to server operations. This data can help you to identify performance issues on a server. You can search for specific events in the event log file to locate and identify problems.
Windows System Resource Manager (WSRM)                Using WSRM, you can control how CPU resources are allocated to applications, services, and processes. Managing these resources improves system performance and reduces the risk that these applications, services, or processes will interfere with the rest of the system. Although the WSRM feature is available in Windows Server 2012, it has been deprecated.
Microsoft Network Monitor/Microsoft Message Analyzer  Network Monitor is a protocol analyzer. It enables you to capture, view, and analyze network data. You can use it to help troubleshoot problems with applications on the network. You can download Network Monitor from the Microsoft Download Center. Note: At the time of development of this course, Network Monitor is being superseded by Microsoft Message Analyzer, which is currently in Beta and available for download from the Microsoft Connect website.
Performance Monitor                                   You can use Performance Monitor to examine how the programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. It enables viewing detailed real-time information about hardware resources such as CPU, disk, network, or memory. You can also monitor system resources that are used by the operating system, such as handles. Performance Monitor uses performance counters, event trace data, and configuration information. This information can be combined into Data Collector Sets.
Resource Monitor                                      Resource Monitor enables you to determine and control the CPU, memory, disk, and network resources that are being used by processes and services. You can also view handles and modules associated with threads and processes. Resource Monitor cannot monitor a resource remotely. However, it can monitor a resource in a virtual machine.
Microsoft System Center (Operations Manager)          With Operations Manager, you can build a complete picture of the past and current performance of the server infrastructure. Operations Manager can also automatically respond to events and address problems before they become an issue. Operations Manager requires time to configure and requires additional licenses.
Task Manager                                          Task Manager in Windows Server 2012 can be accessed by right-clicking the taskbar or by pressing Ctrl+Alt+Delete and selecting it from the menu. Task Manager has several tabs that divide information into the following components: Processes, Performance, Users, Details and Services. Each of these components can be broken down into more fine-grained data. For example, the Performance tab can provide additional data that is specific to Network, CPU, or Memory usage. Task Manager is a user-friendly, easy-to-access troubleshooting tool.

More information about deprecated features and functionality in Windows Server 2012 can be found at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309133

More information about Microsoft Message Analyzer and when and where it will be available for download when released is available at the following webpage. http://go.microsoft.com/fwlink/?LinkID=309132
Performance Counters
Performance counters provide information about how well the operating system or an application, service, or driver is performing. The data captured by a counter can help identify system bottlenecks and fine-tune system and application performance. Windows Server collects data from performance counters in various ways, including the following:
• Real-time snapshot value
• Total since the last time that the server restarted
• Average over a specific time interval
• Average of the last x values
• Number per second
• Maximum value
• Minimum value
Primary Processor Counters
Processor counters come from the Processor and System performance objects and describe how busy the processors are and how much work is waiting for them. (They are distinct from the hardware performance counters built into the CPU itself, which count low-level events such as cache misses.)
• Processor\% Processor Time. Shows the percentage of elapsed time that the processor spent executing non-idle threads. It is calculated by measuring how long the idle thread runs and subtracting that from 100 percent, so time spent handling hardware interrupts and deferred procedure calls is included. Watch the _Total instance for the server as a whole and the individual instances to spot a single saturated processor.
• Processor\Interrupts/sec. Shows the rate, in incidents per second, at which the processor received and serviced hardware interrupts. A sustained rise without a matching rise in workload can point to a faulty device or driver.
• System\Processor Queue Length. A rough indicator of the number of threads that are ready to run and waiting for processor time. The value reported is an instantaneous snapshot, so you have to watch this counter over a long period rather than react to a single sample. Also note that the counter reports a single queue length for the whole system, not one per processor, so divide it by the number of logical processors when you compare it against a per-processor rule of thumb.

Primary Memory Counters
The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the random access memory (RAM) installed in the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor disk paging, that is, the transfer of pages of code and data between disk and physical memory.
• Memory\Pages/sec. Shows the rate at which pages are read from or written to disk to resolve hard page faults. A hard page fault occurs when the requested page is not in RAM and has to be read from disk, either from the paging file or from a memory-mapped file. A sustained increase in this counter indicates that more paging is occurring, which suggests a need for more physical memory.
Primary Disk Counters
The PhysicalDisk performance object consists of counters that monitor hard disk drives. Disk drives are used to store file, program, and paging data. They are read to retrieve these items, and are written to record changes to them. The values of physical disk counters are sums of the values of the logical disks (or partitions) into which they are divided.
• PhysicalDisk\% Disk Time. Shows how busy a particular disk is. A value approaching 100 percent indicates that the disk is busy most of the time and suggests that a disk bottleneck is imminent. On storage that services many requests in parallel, such as RAID sets and SAN volumes, this counter can exceed 100 percent and the queue length is the more meaningful figure.
• PhysicalDisk\Avg. Disk Queue Length. Shows the average number of read and write requests that were queued for the disk during the sample interval; requests that cannot be serviced immediately wait in this queue. The longer the queue, the less satisfactory the disk throughput. A common rule of thumb is that a sustained value of more than two per physical spindle indicates a bottleneck.
Primary Network Counters
Most workloads require access to production networks to communicate with other applications and services and to communicate with users. Network requirements include elements such as throughput, that is, the total amount of traffic that passes a given point on a network connection per unit of time. Other network requirements include the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for:
• Public network access.
• Networks for performing backups and other maintenance tasks.
• Dedicated remote-management connections.
• Network adapter teaming for performance and failover.
• Connections to the physical host server.
• Connections to network-based storage arrays or cluster heartbeats.
By monitoring the network performance counters, you can evaluate the network's performance. Performance counters can be collected, imported, and exported by using Windows PowerShell. The following table lists some cmdlets and a brief description of their use.

Windows PowerShell Cmdlet    Description
Get-Counter                  Displays performance counter data from local or remote computers
Import-Counter               Imports counter log files (.blg, .csv, .tsv) and creates the objects that represent each counter in the log
Export-Counter               Takes performance counter sample sets and exports them as counter log files (.blg, .csv, .tsv)
Get-Counter -ListSet *       Displays all the counter sets on the local computer
Get-Command *counter*        Displays the commands whose names contain the word "counter"

Get-Counter, Import-Counter, and Export-Counter are part of the Microsoft.PowerShell.Diagnostics module (the same module that contains Get-WinEvent); you can confirm this with Get-Command Get-Counter | Select-Object ModuleName.
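The following script is an added example, not from the course, that samples the primary processor, memory, disk, and network counters described above with Get-Counter, summarizes them, and flags values above a limit; it also shows Export-Counter writing a baseline that Import-Counter can read back later. The limits are common rule-of-thumb values chosen for the example, not course figures, and should be replaced by your own baseline; LON-SVR1 is a placeholder name.

```powershell
# Added example; not from the course. Samples the counters named in this topic with
# Get-Counter, summarizes them, and flags values above rule-of-thumb limits.
# The limits are illustrative assumptions, not course figures: compare against your
# own baseline. 'LON-SVR1' is a placeholder computer name.
$counters = @(
    '\Processor(_Total)\% Processor Time'
    '\Processor(_Total)\Interrupts/sec'
    '\System\Processor Queue Length'
    '\Memory\Pages/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Network Interface(*)\Bytes Total/sec'
)
$limits = @{
    '\Processor(_Total)\% Processor Time'          = 85
    '\System\Processor Queue Length'               = 2 * [Environment]::ProcessorCount
    '\Memory\Pages/sec'                            = 1000
    '\PhysicalDisk(_Total)\% Disk Time'            = 90
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
}

function Get-PerformanceSnapshot {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Samples = 10,
        [int]$IntervalSeconds = 1,
        [string]$SaveTo            # optional .blg path to keep this run as a baseline
    )
    $sets = Get-Counter -Counter $counters -ComputerName $ComputerName `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue
    if ($SaveTo) {
        # Export-Counter writes the same .blg format that Performance Monitor and Data
        # Collector Sets use; Import-Counter reads it back for later comparison.
        $sets | Export-Counter -Path $SaveTo -FileFormat BLG -Force
    }
    $sets.CounterSamples | Group-Object Path | ForEach-Object {
        $name  = $_.Name -replace '^\\\\[^\\]+', ''       # strip the \\COMPUTER prefix
        $stats = $_.Group.CookedValue | Measure-Object -Average -Maximum
        $limit = $null
        foreach ($key in $limits.Keys) { if ($key -eq $name) { $limit = $limits[$key] } }
        [pscustomobject]@{
            Counter  = $name
            Average  = [math]::Round($stats.Average, 2)
            Maximum  = [math]::Round($stats.Maximum, 2)
            Limit    = $limit
            Exceeded = ($null -ne $limit -and $stats.Average -gt $limit)
        }
    } | Sort-Object Exceeded -Descending
}

# Ten one-second samples of the local server, saved as a baseline.
Get-PerformanceSnapshot -SaveTo 'C:\PerfLogs\LON-SVR1-baseline.blg' | Format-Table -AutoSize

# Later, the stored baseline can be read back with the same counter paths:
# (Import-Counter -Path 'C:\PerfLogs\LON-SVR1-baseline.blg').CounterSamples |
#     Group-Object Path | Select-Object Name, Count
```

Ten samples are enough to try the script, but a baseline that is meant to be compared against later runs should cover a full business cycle at a sample interval matched to how the data will be used; a 1-second interval over a day produces a file that is large and slow to chart.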
Demonstration: How to Capture Current Performance Activity
In this demonstration, you will see how to use Performance Monitor to view real-time performance data.

Demonstration Steps
1. View current activity in System Summary.
2. Use Performance Monitor to view a chart of current activity.
3. View the current activity data in a Histogram.
4. View the current activity data in a Report.
What Are Data Collector Sets?
A Data Collector Set is the foundation of Windows Server performance monitoring and reporting in Performance Monitor. Data Collector Sets enable you to collect performance-related and other system statistics for analysis with other tools within Performance Monitor, or with third-party tools.

Although it is useful to analyze current performance activity on a server, it is perhaps more useful to collect performance data over time for later analysis and comparison with previously collected data. This comparison enables you to make determinations about resource usage, to plan for growth, and to identify potential performance problems. Data Collector Sets can contain the following kinds of data collectors:
• Performance counters. Provide data about the server's performance.
• Event trace data. Provides information about system activities and events. This is useful for troubleshooting.
• System configuration information. Enables you to record the current state of registry keys and to record changes to those keys.
• Additional information. For example, the Directory Services counters provide information about Lightweight Directory Access Protocol (LDAP) queries and how expensive they are in terms of resources.

You can create a Data Collector Set from a template, from an existing set of data collectors in a Performance Monitor view, or by selecting each data collector and setting the options in the Data Collector Set properties. A default set of templates is provided. Data collectors can also be managed by using Windows PowerShell. The following table lists some cmdlets and a brief description of their use.

Windows PowerShell Cmdlet                 Description
Get-SMPerformanceCollector                Displays the state of a performance Data Collector Set
Start-SMPerformanceCollector              Starts a Data Collector Set
Stop-SMPerformanceCollector               Stops a Data Collector Set
Get-Command -Module ServerManagerTasks    Lists all available cmdlets in the ServerManagerTasks module

All these Windows PowerShell cmdlets are part of the ServerManagerTasks module.
Demonstration: How to Use Data Collector Sets to Capture Performance Data
In this demonstration, you will see how to collect performance data in a Data Collector Set.

Demonstration Steps
1. Create a Data Collector Set.
2. Create a disk load on the server.
3. Analyze the resulting data in a report and in different report types.

Demonstration: How to Use Alerts to Identify Performance Bottlenecks
You can use alerts in Performance Monitor to determine when a threshold is exceeded and then take appropriate action. Actions might include the following: run a program, generate an Event Log entry, or start a Data Collector Set. In this demonstration, you will see how to create an alert.

Demonstration Steps
1. Create a Data Collector Set with an alert counter.
2. Generate a load on the server to exceed the configured threshold.
3. Examine the event log for the resulting event.
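As an added example that is not the course's own demonstration steps, the following script carries out both demonstrations above from the command line with logman.exe, which manages the same Data Collector Sets that Performance Monitor shows under User Defined: it creates a counter set with the module's baseline counters, then an alert set that logs an event and starts the counter set when the threshold is exceeded. The names, the output folder, and the 85 percent threshold are placeholders.

```powershell
# Added example; not the course's demonstration steps. logman.exe manages the same Data
# Collector Sets that Performance Monitor shows under Data Collector Sets > User Defined.
# The names, the output folder and the 85 percent threshold are placeholders.
$dcsName   = 'LON-SVR1 Performance'
$alertName = 'LON-SVR1 CPU Alert'
$outDir    = 'C:\PerfLogs\Baseline'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Bytes Total/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)

# 1. A performance-counter Data Collector Set: one-second sample interval, binary
#    .blg output that Performance Monitor (View Log Data) and Import-Counter can read.
logman create counter $dcsName -c $counters -si 00:00:01 -f bin -o "$outDir\LON-SVR1"
logman query $dcsName

logman start $dcsName
# Generate load here, for example the fsutil/copy steps from the lab, then stop.
Start-Sleep -Seconds 60
logman stop $dcsName

# 2. An alert Data Collector Set: when % Processor Time is above 85 it writes an event
#    to the Microsoft-Windows-Diagnosis-PLA/Operational log (-el) and starts the set
#    above (-rdcs), so detailed data is captured while the bottleneck is happening.
logman create alert $alertName -th '\Processor(_Total)\% Processor Time>85' -si 00:00:05 -el -rdcs $dcsName
logman start $alertName

# 3. Check for the alert's event from PowerShell instead of Event Viewer.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Diagnosis-PLA/Operational' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Clean up when finished:
# logman stop $alertName; logman delete $alertName; logman delete $dcsName
```

Starting a Data Collector Set from an alert is the practical answer to the snapshot problem described for System\Processor Queue Length: rather than staring at a live counter, you let the alert capture a full sample set only while the condition is actually present.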
Lab: Monitoring Server Performance
Scenario
You have successfully deployed some new servers at the A. Datum branch offices. Before the system goes live, you decide to establish a performance baseline so that you can compare future workloads to the expected workload. You also want to create and test an alert that you can use to monitor the volume of data on the network interface of the server.

Objectives
After completing this lab, you will be able to:
• Create a performance baseline.
• Introduce a load on the server.
• Collect additional performance data and determine possible bottlenecks.
• Create and test an alert.

Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: ADATUM
5. Repeat the previous steps for 10967A-LON-SVR1.
Exercise 1: Creating a Performance Baseline
Scenario
You load Performance Monitor on the server and create a baseline by using typical performance counters. The main tasks for this exercise are as follows:
1. Create a Data Collector Set
2. Start the Data Collector Set
3. Create workloads on the server
4. Analyze collected data

Task 1: Create a Data Collector Set
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Open Performance Monitor.
3. Create a new user-defined Data Collector Set by using the following information to complete the process:
   • Name: LON-SVR1 Performance
   • Create: Create manually (Advanced)
   • Type of data: Performance counter
4. Select the following counters:
   • Memory\Pages/sec
   • Network Interface\Bytes Total/sec
   • PhysicalDisk\% Disk Time
   • PhysicalDisk\Avg. Disk Queue Length
   • Processor\% Processor Time
   • System\Processor Queue Length
5. Sample interval: 1 second
6. Where to store data: default value
7. Save and close the Data Collector Set.
Task 2: Start the Data Collector Set
• In Performance Monitor, start the LON-SVR1 Performance Data Collector Set.
Task 3: Create workloads on the server
1. Open a Command Prompt and run the following commands, pressing Enter after each command:
   fsutil file createnew bigfile 104857600
2. Then type copy bigfile \\lon-dc1\c$
3. Then type copy \\lon-dc1\c$\bigfile bigfile2
4. Then type del bigfile*.*
5. Then type del \\lon-dc1\c$\bigfile*.*
6. Do not close the Command Prompt.
Task 4: Analyze collected data
1. In Performance Monitor, stop the LON-SVR1 Performance Data Collector Set.
2. In Performance Monitor, on the toolbar, click View Log Data.
3. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
4. In the Select Log File dialog box, double-click Admin.
5. Double-click LON-SVR1 Performance, double-click the LON-SVR1_ folder, and then double-click DataCollector01.blg.
6. Click the Data tab, and then click Add.
7. Select the following counters:
   • Memory\Pages/sec
   • Network Interface\Bytes Total/sec
   • PhysicalDisk\% Disk Time
   • PhysicalDisk\Avg. Disk Queue Length
   • Processor\% Processor Time
   • System\Processor Queue Length
8. On the toolbar, click the down arrow and then click Report.
9. Record the values listed in the report for analysis later.
   Recorded values:
   • Memory\Pages/sec
   • Network Interface\Bytes Total/sec
   • PhysicalDisk\% Disk Time
   • PhysicalDisk\Avg. Disk Queue Length
   • Processor\% Processor Time
   • System\Processor Queue Length
Results: After this exercise, you should have established a performance baseline.
Exercise 2: Simulating a Server Load
Scenario
Having created the baseline, you now simulate a load to represent the system in live usage and start the Data Collector Set. The main tasks for this exercise are as follows:
1. Load a new program on the server
2. Simulate a load on the server's CPU
3. Start the Data Collector Set again
Task 1: Load a new program on the server
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Open a Command Prompt and change to the C:\Labfiles\StressTool\amd64 folder.
Task 2: Simulate a load on the server's CPU
1. Still on 10967A-LON-SVR1:
2. From the Command Prompt window, run the command StressTool.exe 95
3. Open Task Manager and view the CPU utilization, noticing how it has increased dramatically.
Task 3: Start the Data Collector Set again
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Switch to Performance Monitor.
3. Start the LON-SVR1 Performance Data Collector Set.
4. Wait one minute for data to be captured.
Results: After this exercise, you should have introduced a load on the server and restarted the Data Collector Set.
Exercise 3: Determining Probable Performance Bottlenecks
Scenario
You compare the results achieved under the new load with those collected when you first deployed the server. The main tasks for this exercise are as follows:
1. Stop the running program
2. View performance data
3. Analyze results and draw a conclusion
Task 1: Stop the running program
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Open a Command Prompt if it is not already open.
3. Stop the running program.
4. Open Task Manager and ensure that the CPU % Utilization graph indicates the simulated load has been removed from the CPU and it has returned to normal.
Task 2: View performance data
1. Switch to Performance Monitor.
2. Stop the LON-SVR1 Performance Data Collector Set.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View log data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.
6. Click Add.
7. In the Select Log File dialog box, click Up One Level.
8. Double-click the LON-SVR2_ folder, and then double-click DataCollector01.blg.
9. Click the Data tab, and then click OK.
10. If you receive an error or the values in your report are zero, repeat steps 4-9.
   Recorded values:
   • Memory\Pages/sec
   • Network Interface\Bytes Total/sec
   • PhysicalDisk\% Disk Time
   • PhysicalDisk\Avg. Disk Queue Length
   • Processor\% Processor Time
   • System\Processor Queue Length
Task 3: Analyze results and draw a conclusion
Answer the following questions.
1. Compared with your previous report, which values have changed?
2. What was the most significant change, and why?
3. If you saw a similar trend in your work environment, what would you recommend as a next step?
4. Can you identify any additional counters that could potentially help you narrow down your search to determine which application is placing the greatest load on the CPU?
5. Are there any additional tools that may help identify which process or software is placing the load on the server?
Results: After this exercise, you should have identified a potential bottleneck.
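The baseline-and-compare workflow of Exercises 1 and 3 can also be driven from Windows PowerShell. The following is an added example, not part of the courseware: it creates the LON-SVR1 Performance set with logman using the lab's six counters, summarises a .blg log the way the Performance Monitor Report view does, and flags which counters moved between the baseline log and the log taken under load. The .blg paths and the 25 percent flag threshold are assumptions.

```powershell
# Added example, not part of the 10967A courseware. Run in an elevated Windows PowerShell
# session on LON-SVR1. Set and counter names mirror the lab; the .blg paths passed to
# Compare-CounterSummary are placeholders (by default logman writes under C:\PerfLogs\Admin).

$DcsName  = 'LON-SVR1 Performance'
$Counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function New-LabCollectorSet {
    # Equivalent of Exercise 1, Task 1: user-defined counter set, binary log, 1-second samples.
    param([string]$Name = $DcsName, [string[]]$CounterPaths = $Counters, [int]$SampleSeconds = 1)
    & logman.exe create counter $Name -c $CounterPaths -si $SampleSeconds -f bin
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Start-LabCollectorSet { param([string]$Name = $DcsName); & logman.exe start $Name }
function Stop-LabCollectorSet  { param([string]$Name = $DcsName); & logman.exe stop  $Name }

function Get-CounterSummary {
    # Average and maximum per counter instance, like the Report view used in Exercise 1, Task 4.
    param([Parameter(Mandatory)][string]$LogPath)
    $samples = (Import-Counter -Path $LogPath).CounterSamples
    foreach ($group in ($samples | Group-Object -Property Path)) {
        $stats = $group.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $group.Name
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    }
}

function Compare-CounterSummary {
    # Exercise 3, Task 3: which counters moved between the baseline log and the log under load.
    param(
        [Parameter(Mandatory)][string]$BaselineLog,
        [Parameter(Mandatory)][string]$LoadLog,
        [double]$FlagAbovePercent = 25   # constructed threshold; derive a real one from your baseline
    )
    $baseline = @{}
    foreach ($row in Get-CounterSummary -LogPath $BaselineLog) { $baseline[$row.Counter] = $row }

    foreach ($row in Get-CounterSummary -LogPath $LoadLog) {
        $base = $baseline[$row.Counter]
        if (-not $base) { continue }     # counter present in only one of the logs
        $changePct = if ($base.Average -eq 0) {
            if ($row.Average -eq 0) { 0 } else { [double]::PositiveInfinity }
        } else {
            ($row.Average - $base.Average) / $base.Average * 100
        }
        [pscustomobject]@{
            Counter   = $row.Counter
            Baseline  = $base.Average
            UnderLoad = $row.Average
            ChangePct = [math]::Round($changePct, 1)
            Flag      = [math]::Abs($changePct) -ge $FlagAbovePercent
        }
    }
}

# Typical use (paths are placeholders for the two DataCollector01.blg files the lab produced):
# New-LabCollectorSet; Start-LabCollectorSet; <generate load>; Stop-LabCollectorSet
# Compare-CounterSummary -BaselineLog 'C:\PerfLogs\Admin\<baseline folder>\DataCollector01.blg' `
#                        -LoadLog     'C:\PerfLogs\Admin\<load folder>\DataCollector01.blg' |
#     Sort-Object ChangePct -Descending | Format-Table -AutoSize
```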
Exercise 4: Create, Test, and Verify an Alert
Scenario
Your manager, Ed Meadows, is concerned about an old network adapter on one of your servers and whether it is able to handle the volume of traffic it may have. Ed asks you to create and test an alert that you can use to monitor the volume of data on the Network Interface on the server, so that you can monitor the amount of data that it sends and receives. He also wants another collector set to start if the volume exceeds the limit, to monitor other aspects of the server and ensure they are not being overly loaded or performing poorly. The main tasks for this exercise are as follows:
1. Create and start an alert to trigger an Event ID
2. Simulate a load on the network bandwidth
3. Verify the Event ID is generated and the Data Collector Set starts
4. Revert the lab machines
Task 1: Create and start an alert to trigger an Event ID
1. Ensure you are still signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Create a new Data Collector Set with the following parameters:
   • Name: LON-SVR1 Network Bandwidth Alert
   • How to create: Create Manually (Advanced)
   • Type: Performance Counter Alert
   • Add the following counter: Network Interface\Bytes Total/sec
   • Alert When: Above
   • Limit: 500
3. Edit the properties of the LON-SVR1 Network Bandwidth Alert data collector as follows:
   • Alert tab:
     o Alert when: Above
     o Limit: 500
     o Sample interval: 10
     o Units: Seconds
   • Alert Action tab:
     o Log an entry in the application event log
     o Start LON-SVR1 Performance data collector set
4. Start the LON-SVR1 Network Bandwidth Alert collector set.
Task 2: Simulate a load on the network bandwidth
1. Open the Command Prompt.
2. Open the Start screen and type cmd.exe, and then press Enter.
3. At the Command Prompt, type the following command, and then press Enter:
   fsutil file createnew bigfile 1048576000
4. At the Command Prompt, type the following command, and then press Enter:
   copy bigfile \\lon-dc1\c$
Task 3: Verify the Event ID is generated and the Data Collector Set starts
1. Open Event Viewer.
2. Go to the log Microsoft-Windows-Diagnosis-PLA/Operational.
3. Verify that an Event ID was generated by the Alert when the threshold was exceeded.
4. What is the Event ID associated with an event generated when an alert's threshold is exceeded?
5. Return to Performance Monitor.
6. Verify that the LON-SVR1 Performance Data Collector Set has started successfully.
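The Exercise 4 alert can be created and verified from Windows PowerShell as well. The following is an added example, not part of the courseware: it builds the same alert with logman (Bytes Total/sec above 500, 10-second samples, event log entry, start the LON-SVR1 Performance set) and then checks the Microsoft-Windows-Diagnosis-PLA/Operational log and the target set's status. The 15-minute lookback window is an assumption.

```powershell
# Added example, not part of the 10967A courseware. Run elevated on LON-SVR1 after Task 2
# has generated traffic. Names and the 500 bytes/sec limit are the lab's; the lookback window
# used when reading the event log is an assumption.

$AlertName = 'LON-SVR1 Network Bandwidth Alert'
$TargetDcs = 'LON-SVR1 Performance'
$PlaLog    = 'Microsoft-Windows-Diagnosis-PLA/Operational'

function New-BandwidthAlert {
    param(
        [string]$Name = $AlertName,
        [string]$DataCollectorSet = $TargetDcs,
        [long]$BytesPerSecLimit = 500,   # the lab's deliberately low limit; a real limit comes from the baseline
        [int]$SampleSeconds = 10
    )
    # -th counter>limit   -si sample interval   -el write an event log entry when the alert fires
    # -rdcs name of the data collector set to start when the alert fires
    $threshold = "\Network Interface(*)\Bytes Total/sec>$BytesPerSecLimit"
    & logman.exe create alert $Name -th $threshold -si $SampleSeconds -el -rdcs $DataCollectorSet
    if ($LASTEXITCODE -ne 0) { throw "logman create alert failed with exit code $LASTEXITCODE" }
    & logman.exe start $Name
}

function Get-CollectorSetStatus {
    # Reads the 'Status:' line of 'logman query <name>' (Running or Stopped).
    param([Parameter(Mandatory)][string]$Name)
    $line = & logman.exe query $Name | Select-String -Pattern '^Status:\s+(\S+)'
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'Unknown' }
}

function Get-RecentAlertEvents {
    # Task 3, steps 2-4: events the alert wrote to the PLA Operational log; the Id column
    # holds the Event ID the task asks about.
    param([datetime]$Since = (Get-Date).AddMinutes(-15), [string]$LogName = $PlaLog)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-AlertOutcome {
    # Passes when at least one PLA event was logged and the target set is now running (Task 3, step 6).
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    $events  = @(Get-RecentAlertEvents -Since $Since)
    $status  = Get-CollectorSetStatus -Name $TargetDcs
    [pscustomobject]@{
        EventsLogged = $events.Count
        TargetStatus = $status
        Passed       = ($events.Count -gt 0) -and ($status -eq 'Running')
    }
}

# Typical use:
# New-BandwidthAlert            # once, instead of the Task 1 wizard
# <copy bigfile to \\lon-dc1\c$ as in Task 2>
# Test-AlertOutcome | Format-List
# Get-RecentAlertEvents | Format-List
```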
Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the previous steps for 10967A-LON-DC1.
Results: After completing this exercise, you will have created an alert and tested it to ensure that it generates an Event ID and triggers a Data Collector Set to start.
Question: During the lab, you collected data in a Data Collector Set. What is the advantage of collecting data in this manner?
Question: What significant counters should you monitor in Windows Server Performance Monitor?
Module Review and Takeaways
Tools
| Tool | Use for | Where to find it |
| --- | --- | --- |
| Performance Monitor | Monitoring and analyzing real-time and logged performance data. | Server Manager |
| Resource Monitor | Monitoring resources in real time. | Server Manager |
| Windows PowerShell | Cmdlets available for event logging, performance counters, and data collectors. | Built in to Windows Server 2012 |
| Event Viewer | Viewing logs and determining what happened. | Server Manager |
Module 13
Maintaining Windows Server
Contents:
Module Overview 13-1
Lesson 1: Troubleshooting Windows Server Startup 13-2
Lesson 2: Business Continuity and Disaster Recovery 13-11
Lesson 3: Applying Updates to Windows Server 13-20
Lesson 4: Troubleshooting Windows Server 13-25
Lab: Maintaining Windows Server 13-33
Module Review and Takeaways 13-42
Module Overview
Windows Server® roles are critical in an organization's network infrastructure. It is very important to make sure that Windows Servers are performing as efficiently as possible in their roles. To support Windows Server, you must have the skills and knowledge to correctly maintain an efficiently operating and continually available server infrastructure. You must also be able to troubleshoot issues within that infrastructure when they arise.
Objectives
After completing this module, you will be able to:
• Troubleshoot the Windows Server startup process.
• Implement high availability and recovery technologies to improve system availability.
• Explain the importance of system updates.
• Implement an appropriate troubleshooting methodology to resolve problems with Windows Server.
Lesson 1
Troubleshooting Windows Server Startup
The Windows Server startup process makes sure that all aspects of Windows Server functionality are checked and initiated in a way that results in a stable and efficiently running server. Several issues can emerge in the startup process. Understanding the Windows Server startup process will help you troubleshoot or, even better, avoid these issues.
This lesson will explain the Windows Server startup process and give you the tools to identify and correct issues related to Windows Server startup.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Windows Server startup process.
• Identify the startup troubleshooting tools.
• Apply the considerations for troubleshooting the startup environment.
• Recover the startup environment.
Windows Server Startup
The Windows Server startup process is made up of several steps involving components in the operating system environment. At first glance, startup seems to be a relatively basic feature of an operating system. However, there is nothing simple or basic about startup processes and procedures. The startup process can be broken down into four main areas. There is some overlap in the timing of when particular services start and stop, but the following is the general chronological order:
1. BIOS/EFI or UEFI initialization:
   a. The platform is turned on; it identifies and then initializes hardware.
   b. Power-on self-test (POST).
   c. Detects the system disk, where the operating system resides.
   d. Locates and reads the Master Boot Record (MBR).
   e. Starts the Boot Manager (Bootmgr.exe), which locates and calls WinLoad.exe, which resides on the boot partition, where the boot, or startup, files reside.
2. OS Loader:
   a. WinLoad.exe controls this phase.
   b. Device drivers identified as needing to start are loaded into memory.
   c. The system registry is loaded into memory.
3. Main Startup Cycle:
   a. PreSMSS: Starts when WinLoad.exe passes control over to the kernel. The kernel initializes the data structures and system components.
   b. SMSSInit: Starts when the kernel passes control over to the session management subsystem process (smss.exe). The Service Control Manager starts here.
      • Video drivers are initialized.
      • Subsystem processes are started:
        o Smss.exe (Windows Session Manager: responsible for user sessions)
        o Csrss.exe (Client Server Runtime Process: provides threading control and core graphical capabilities)
        o WinInit.exe (Windows Start-Up Application: responsible for starting some core services)
        o WinLogon.exe (Windows Logon Application: responsible for the sign-in and sign-out process)
   c. WinLogon: The Service Control Manager continues to operate in this phase. The logon screen appears and the desktop starts.
   d. ExplorerInit: Explorer.exe, which controls file management and user interface functions such as File Explorer, the desktop, taskbars and more, starts, and services and applications continue to be loaded.
4. Post-Startup: The desktop is available and the user can interact with it, but services and applications may continue to start. This phase ends when all services and applications scheduled to start on logon have done so and the system reaches an idle state.
We'll now touch on some of these areas in more depth.

BIOS, EFI, or UEFI Initialization and POST
As outlined earlier, the Windows Server startup process consists of several steps, starting with the initialization of system hardware through the computer's basic input/output system (BIOS), the Unified Extensible Firmware Interface (UEFI), or the Extensible Firmware Interface (EFI). This process is known as power-on self-test (POST). The POST process typically involves quick checks of system hardware components to confirm correct operation and functionality. Additionally, most BIOS or EFI systems provide for more intensive POST procedures if troubleshooting has to be performed on the POST process.

BIOS, UEFI, and EFI are all firmware interface technologies that act as the interface between the hardware and the operating system software. (Firmware is hardware that has software embedded on it that makes it function; that is, it is a middle ground between hardware and software, and it is usually read-only.) On startup, these firmware interface technologies effectively bring all the hardware components online for use by the operating system.

BIOS, although still widely used, is the oldest technology. BIOS is being replaced by EFI, which is an Intel proprietary technology, and UEFI, which is a unified industry standard. UEFI and EFI allow for faster startup times and the ability to use drives larger than 2 terabytes (TB). EFI and UEFI can also provide more functionality. Windows Server 2012 and Windows® 8 include startup support that works with UEFI and EFI. This helps protect the startup process from potential security exposures.

More information about the UEFI industry standards organization can be found at the following website: http://www.uefi.org/home/
The Startup Environment, Windows Boot Manager, and Windows Boot Loader
Windows Server 2012 and Windows 8 use Windows Boot Manager to manage the operating system startup process.
The startup environment is in the hardware (the BIOS chip) and contains everything that is needed to load the hard disk drive drivers that contain the operating system. Then Windows Boot Loader initializes the loading of the operating system from the disk. So, the startup environment is loaded before the operating system and is independent of it. In this way, the startup environment can be used to confirm the integrity of the startup process and the operating system. The Windows Boot Loader is stored in \Windows\System32\winload.exe. When Windows Boot Loader is started by Windows Boot Manager, it begins the initial load process of the operating system.
Within the startup environment, Windows Boot Manager controls the startup process by using the information in the Boot Configuration Data (BCD) store. Entries in the BCD store are loaded by Windows Boot Manager and contain configuration data about the various boot loaders installed on the system. This includes the following:
• Device where the boot loader is stored
• Path to the executable file of the boot loader
• Descriptive name of the boot loader
• Boot loader recovery options
• System root of boot loader files
When multiple boot loaders are referenced in the BCD store, Windows Boot Manager will prompt the user at startup to choose which boot loader should be used. For example, a server might have Windows Server 2012 installed on one partition and a different Server edition, or conceivably even a client operating system such as Windows 8, installed on another partition. The computer can start either of the operating systems, depending on the needs of the user. This configuration is known as a multiboot configuration. For example, as alternative startup options, you can have a backup operating system or an older version of the operating system. You can also start up from a virtual hard disk (VHD) file, where you configure the boot configuration database (BCD) store to mount a VHD and start the operating system.
Multiboot configurations are more complicated to configure and more difficult to maintain. The benefits are more flexibility and the capability to cleanly remove or change an installation.
To edit the Windows Boot Manager settings, you can use a command-line tool named BCDEdit with the relevant switches at the Command Prompt. A wide variety of functionality concerning how the system starts up, including system recovery options, can be configured. To view the Windows Boot Manager settings, run the following at the Command Prompt:
BCDEdit /enum bootmgr
To view the Windows OS Loader settings (that is, to see what operating systems are loaded into Windows Boot Manager for startup), run the following at the Command Prompt:
BCDEdit /enum osloader
Note: Certain aspects of the BCD store can also be changed on the Startup And Recovery tab in System Properties. This includes settings for the default operating system, debugging, and memory dump.
Detecting and Configuring Hardware
After Windows Boot Manager has started the Windows Boot Loader, the Windows Server operating system begins to load. The operating system starts by enumerating drivers and services. There can be different timings for when drivers and services are loaded, and there are dependencies between them, so the sequencing can vary. After the startup order is determined, the operating system is loaded and starts the drivers and services in their respective order.

Loading the Operating System Kernel
An operating system kernel is the most basic and fundamental part of the operating system. The kernel controls system hardware and resources, managing them and making them available to applications that are running on the system. After the operating system kernel loads, the operating system is ready to interact with the rest of the system software and the user.

Logon and Plug and Play Drivers
When a user logs on to a Windows Server environment, the user's credentials are processed and validated against the default security database, usually either the local security database or possibly Active Directory® Domain Services (AD DS). After the credentials are validated, the user gains access to the operating system and applications, and any Plug and Play or user-mode drivers load to complete the Windows Server startup process.

Note: Windows 8 also includes Sleep and Hibernate functionality. This allows the computer to save power when it is not in active use and also accommodates quicker startup times. Windows Server 2012 does not support Sleep or Hibernate functionality, although it may be possible to configure sleep in some hardware/firmware environments for servers. In production environments, servers are typically required to be available twenty-four hours a day, seven days a week to respond to service requests. As such, the additional configuration or management overhead associated with sleep and hibernation would not be desired.

Securing the Startup
Servers can still be subject to attack by malware during the startup process, even before the operating system is loaded, and malicious software can potentially run undetected in the kernel. To try to protect against such threats, Windows Server 2012 and Windows 8 have additional checks around the startup process, such as:
• Secure Boot or Trusted Boot: With UEFI, on startup, the server ensures that the firmware is digitally signed and has not been altered or tampered with.
• Early Launch Anti-Malware (ELAM): Allows an antimalware driver to be loaded and used to attempt to detect whether the startup drivers are trusted or not and whether any of them are potential malware threats.
• Measured Boot: With UEFI and Trusted Platform Module (TPM) functionality present, measurements of the startup components can be logged during startup and sent to a separate trusted server, which can then validate the integrity of the startup process. This could potentially allow full or limited access to the network, or placing the server in quarantine until the integrity of the startup can be assessed.
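To see what the BCD store holds for each boot loader and whether the platform prerequisites for the protections just listed are in place, the following added example (not the courseware's own code) parses bcdedit /enum osloader output into the BCD fields described above and queries Secure Boot and the TPM. The testsigning and nointegritychecks fields are existing BCD options not listed on this page, and the sample output at the end is constructed.

```powershell
# Added example, not part of the 10967A courseware. Run in an elevated Windows PowerShell session:
# bcdedit, Confirm-SecureBootUEFI and Get-Tpm all need administrator rights.

function ConvertFrom-BcdEnum {
    # Parses the text produced by 'bcdedit /enum osloader' (or bootmgr) into one object per entry.
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}$') { $current = [ordered]@{}; continue }   # dashed rule opens an entry
        if ([string]::IsNullOrWhiteSpace($line)) {
            if ($null -ne $current -and $current.Count -gt 0) { $entries += [pscustomobject]$current }
            $current = $null
            continue
        }
        if ($null -ne $current -and $line -match '^(\S+)\s+(.*\S)\s*$') { $current[$Matches[1]] = $Matches[2] }
    }
    if ($null -ne $current -and $current.Count -gt 0) { $entries += [pscustomobject]$current }
    $entries
}

function Get-OsLoaderEntries {
    # Maps each Windows Boot Loader entry onto the fields the BCD store keeps for a boot loader.
    param([string[]]$Lines = (& bcdedit.exe /enum osloader))
    ConvertFrom-BcdEnum -Lines $Lines | ForEach-Object {
        [pscustomobject]@{
            Identifier        = $_.identifier
            Device            = $_.device             # device where the boot loader is stored
            Path              = $_.path               # path to the loader executable
            Description       = $_.description        # name shown on the startup menu
            RecoveryEnabled   = $_.recoveryenabled    # boot loader recovery options
            SystemRoot        = $_.systemroot         # system root of the loaded operating system
            # Options that weaken code-integrity checks when set; absent means the default (enforced).
            TestSigning       = ($_.testsigning -eq 'Yes')
            NoIntegrityChecks = ($_.nointegritychecks -eq 'Yes')
        }
    }
}

function Get-StartupSecurityPosture {
    # Secure Boot needs UEFI (the cmdlet throws on legacy BIOS); Measured Boot needs a ready TPM.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
    $tpm        = try { Get-Tpm -ErrorAction Stop } catch { $null }
    $weakened   = @(Get-OsLoaderEntries | Where-Object { $_.TestSigning -or $_.NoIntegrityChecks })
    [pscustomobject]@{
        FirmwareIsUefi    = ($null -ne $secureBoot)
        SecureBootEnabled = [bool]$secureBoot
        TpmPresent        = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady          = [bool]($tpm -and $tpm.TpmReady)
        WeakenedLoaders   = $weakened.Count
    }
}

# Constructed sample (not captured from a real system) so the parser can be tried without elevation:
$Sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2012
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
testsigning             Yes
'@ -split "`r?`n"
Get-OsLoaderEntries -Lines $Sample | Format-List   # shows TestSigning = True for this entry
# Get-StartupSecurityPosture                        # live check on the server itself
```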
Troubleshooting Tools in the Startup Environment
During the Windows startup process, the failure or malfunction of any component involved can cause the startup process to fail or behave unpredictably. Events like hard disk failure, missing or corrupted files, third-party driver bugs, or intentional or accidental damage of system files can interfere with the startup process. Windows Server 2012 provides several tools and options to help troubleshoot and repair components involved in the startup process. This enables the operating system to start correctly and efficiently.
Note: All of these tools are available from the Advanced Boot Options menu. This can be accessed by pressing the F8 key during startup, before the Windows Server startup splash screen. The Advanced Boot Options menu provides the following 12 options:
• Repair Your Computer
• Safe Mode
• Safe Mode With Networking
• Safe Mode With Command Prompt
• Enable Boot Logging
• Enable Low-Resolution Video
• Last Known Good Configuration (Advanced)
• Directory Services Restore Mode
• Debugging Mode
• Disable Automatic Restart On System Failure
• Disable Driver Signature Enforcement
• Disable Early Launch Anti-Malware Driver
• Start Windows Normally
The following topics discuss each of these options in turn.

Repair Your Computer
During the installation process, Windows Server 2012 creates a special hidden partition on the system disk that contains several useful diagnostic and repair tools, known collectively as the Windows Recovery Environment (WinRE). These tools are accessed from the Advanced Boot Options menu. You can use the system recovery tools to repair startup problems, run diagnostics, or restore your system. The Windows Recovery Environment may start automatically if the last system startup did not finish. For example, if the failure occurs just after logon, the computer may not start, and Last Known Good Configuration, discussed later in this topic, would be the best troubleshooting option.
When you select Repair Your Computer, you are presented with a Choose An Option screen that contains three options:
1. Continue. Exit and continue to Windows Server 2012.
2. Troubleshoot. Refresh or reset your computer, or use advanced tools. After you select this option, you are taken to an Advanced options screen that contains the following options:
   a. System Image Recovery. Recover Windows by using a specific system image file. Selecting this option starts the Re-image Your Computer wizard. This tries to find an already backed up image to restore.
   b. Command Prompt. Use the Command Prompt for advanced troubleshooting. When you select this option, you are prompted for administrator credentials and then provided with a Command Prompt on a new partition, drive X:\. You can then carry out whatever troubleshooting steps you need. For example, you can use BCDEdit, Task Manager, the System File Checker (SFC) command, or other tools or commands. You can type exit to exit the Command Prompt and return to the Choose An Option screen that was presented earlier.
   c. Startup Settings. Change Windows startup behavior. With this option, you can change the various startup options previously listed, such as low-resolution video mode, debugging mode, safe mode, and driver signature settings.
3. Turn off your PC. Turns off the computer.
Note: If a system loses electrical power during the startup process, the Windows Recovery Environment automatically starts the next time that the system is started. Also, Windows 8 has more Repair Your Computer options than Windows Server 2012. This includes the following: Refresh Your PC (updates without losing your files), Reset Your PC (all personal settings and files will be removed), and Advanced Options that include System Restore and Automatic Recovery. Finally, if the Windows Recovery Environment does not work for any reason from the local system, you can use the startup media and access the same recovery options from there.

Safe Mode
In safe mode, the user can run system startup by using a limited set of files, services, and drivers. With this limited configuration, failure from a malfunctioning driver or service is less likely, and you can troubleshoot from the Windows graphical user interface (GUI) environment. On the Windows Advanced Options menu, several options exist for starting Windows in safe mode.
• Safe mode. Starts loading only a basic set of files, drivers, and services. This includes mouse, keyboard, storage, and basic video drivers. No networking services or drivers are started.
• Safe Mode with Networking. Starts the same as safe mode, but adds the drivers and services necessary to provide network functionality.
• Safe Mode with Command Prompt. Loads the same service and driver set as safe mode, but starts you at the Command Prompt instead of in the Windows GUI. That is, the GUI is not started.

Enable Boot Logging
This option starts the boot logging process. This records all startup events to the ntbtlog.txt boot log. This log lists all the drivers that load during startup and the last file to load before failure. You can retrieve the boot log by starting the operating system from the install media and selecting the recovery options. Analyzing this file will help identify where the failure occurred.

Enable Low-Resolution Video
This option sets the system resolution to 640 x 480 pixels. This lets you reset your display resolution if it was changed to a setting that rendered the system unusable.

Last Known Good Configuration
Using Last Known Good Configuration restores a system's configuration to the state it was in at the end of the last successful startup and logon. Last Known Good Configuration makes a copy of the configuration information that is stored in the registry every time that the operating system startup process is completed successfully and a user logs on to the system. Last Known Good Configuration stores the values for the following two registry hives, or groups of values:
• HKLM\SYSTEM\CurrentControlSet\Control. This registry hive contains system configuration settings.
• HKLM\SYSTEM\CurrentControlSet\Services. This registry hive contains settings that control driver and service configuration.
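The copy that Last Known Good Configuration falls back to lives in a separate ControlSet00N key, and HKLM\SYSTEM\Select records which one it is. As an added example (not part of the courseware), the following read-only script resolves those control sets and lists the Services keys the current control set has gained or lost relative to the Last Known Good copy, which is what selecting the option would roll back.

```powershell
# Added example, not part of the 10967A courseware. Read-only; run in an elevated Windows
# PowerShell session. It only reads HKLM\SYSTEM\Select and the Services subkey of two control sets.

function Get-ControlSetMap {
    # HKLM\SYSTEM\Select holds the numbers of the Current, Default, LastKnownGood and Failed sets.
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    $failed = if ($select.Failed) { 'ControlSet{0:D3}' -f $select.Failed } else { 'none' }
    [pscustomobject]@{
        Current       = 'ControlSet{0:D3}' -f $select.Current
        Default       = 'ControlSet{0:D3}' -f $select.Default
        LastKnownGood = 'ControlSet{0:D3}' -f $select.LastKnownGood
        Failed        = $failed     # 0 (shown as 'none') until a control set has been marked failed
    }
}

function Compare-LkgServices {
    # Service and driver keys (the ...\Services hive described above) that differ between the
    # current control set and the Last Known Good copy. AddedSinceLkg is what LKGC would discard.
    param([pscustomobject]$Map = (Get-ControlSetMap))
    if ($Map.Current -eq $Map.LastKnownGood) {
        return [pscustomobject]@{ SameSet = $true; AddedSinceLkg = @(); RemovedSinceLkg = @() }
    }
    $cur = Get-ChildItem "HKLM:\SYSTEM\$($Map.Current)\Services" -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty PSChildName
    $lkg = Get-ChildItem "HKLM:\SYSTEM\$($Map.LastKnownGood)\Services" -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty PSChildName
    $diff = Compare-Object -ReferenceObject @($lkg) -DifferenceObject @($cur)
    [pscustomobject]@{
        SameSet         = $false
        AddedSinceLkg   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        RemovedSinceLkg = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

Get-ControlSetMap | Format-List
Compare-LkgServices | Format-List
```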
When you select Last Known Good Configuration, it marks the values in the previous two registry hives as failed and replaces them with the copy taken after the last successful startup and logon.

Directory Services Restore Mode
This option, sometimes abbreviated as DSRM, provides a special startup mode for addressing Active Directory issues. It is only applicable to domain controllers. DSRM starts the domain controller without its domain controller role, working as a member server only. You need to log on by using the default local administrator account, whose password is reset when the domain controller is promoted. DSRM can be used to perform certain administrative tasks when the domain controller is not functioning correctly or when it has to be serviced in a way where the Active Directory database cannot be used.

Debugging Mode
This option enables the Windows kernel debugger and allows for the debugging of the Windows Server operating system, which may involve attaching another computer that has debugging enabled on it to the computer that has to be debugged by using a serial connection.

Disable Automatic Restart On System Failure
This option prevents Windows from automatically restarting after a crash, such as when a blue screen appears.

Disable Driver Signature Enforcement
This option enables drivers that do not contain digital signatures or contain untrusted signatures to be loaded.

Disable Early Launch Anti-Malware Driver
This option enables drivers to initialize without being measured and evaluated by the Early Launch Anti-Malware driver.

Start Windows Normally
Exit and continue.
Considerations for Troubleshooting Startup
When issues arise with the Windows startup process, resolving those issues and bringing the system back to a working state as quickly as possible is your highest priority. Before you begin the troubleshooting process, you must consider which startup tool will best diagnose and resolve the issue. The following examples of common startup issues list conditions that prevent the startup process from completing successfully, together with considerations for troubleshooting that specific problem and which tool or tools will best help in resolving the problem.

Master Boot Record Corruption
•
Symptoms. When a system’s master boot record (MBR) is corrupted or missing, the system will stop the startup process immediately following BIOS POST and a black screen or one of the following messages might appear: “Invalid partition table,” “Error loading operating system,” or “Missing operating system.”
•
Causes. The MBR can become corrupted because of hard disk errors, disk corruption, or intentional destruction of MBR data by a virus or malicious user.
•
Resolution. Select Repair Your Computer on the Advanced Boot Options menu, choose Command Prompt, and execute bootrec /fixmbr. This command replaces the executable code in the MBR.
Note: Where UEFI or EFI is used instead of BIOS, GUID partition table (GPT) would be used instead of MBR. Boot Configuration Database (BCD) Misconfiguration •
• Symptoms. After BIOS POST, a message states “Windows could not start because of a computer disk hardware configuration problem,” “Could not read from selected boot disk,” or “Check boot path and disk hardware.”
• Causes. The BCD store is deleted, corrupted, or no longer refers to the correct boot volume, possibly because adding a partition changed the identifier of the volume.
• Resolution. Start the Windows Recovery Environment, select Command Prompt, and then run the bootrec /scanos and bootrec /rebuildbcd commands. These commands scan each volume for Windows installations. When they find one, they ask whether it should be added to the BCD as a startup option and what name should be displayed for it on the startup options menu. For other kinds of BCD damage you can also use BCDEdit, for example to export a copy of the store before changing it (bcdedit /export), to build a new store from scratch, or to clone a known-good copy.

System File Corruption
• Symptoms. System file (dynamic-link library [DLL], driver, or executable) corruption typically produces a message on a black screen after BIOS POST that says, “Windows could not start because the following file is missing or corrupt,” followed by the name of the file and a request to reinstall it.
• Causes. The volume on which a system file is located is corrupted, or one or more system files are deleted or become corrupted.
• Resolution. For NTFS volumes, start into the Windows Recovery Environment, select Command Prompt, and run chkdsk against the volume; chkdsk attempts to repair the volume corruption. If chkdsk reports no problems, run sfc.exe to scan the system files and replace any that are incorrect versions, or restore a known-good copy of the file in question from backup. A system file that is the wrong version but otherwise intact can be a sign of tampering rather than corruption, so verify the digital signature of any replacement before you trust it.
Note: Resilient File System (ReFS) can automatically detect data corruption and perform repairs without taking the disk offline. If you try to run chkdsk on ReFS you will receive the message “The ReFS file system does not need to be checked.”

Crashing or Hanging After the Splash Screen Appears
• Symptoms. Issues that occur after the Windows splash screen appears, after the desktop appears, or after you log on fall into this category. They can manifest as a crash that shows nothing but a blue screen, or as an unresponsive system freeze.
• Causes. This problem is usually caused by a device driver or by corrupted registry information.
• Resolution. The first and most straightforward method for restoring the startup process is the Last Known Good Configuration. This loads the registry control set that was saved when the system last started correctly, which lets you review recent changes to the operating system to discover what caused the crash or freeze. If the problem is caused by a driver or service that already existed on the system before the Last Known Good Configuration was saved, another solution is required. In this case, safe mode may enable the system to start correctly. Then you can roll back newly installed drivers or disable services to determine the cause of the problem. Rolling back a driver installs the earlier version of the driver, for example the version that was working previously.
Question: Which tool would you use to recover a system that does not start correctly immediately following the installation of a new network adapter?
Demonstration: How to Recover the Startup Environment
In this demonstration, you will see how to recover a system from startup failure.
Demonstration Steps
1. Start the virtual machine and access the Windows Recovery Environment by pressing F8 during startup.
2. Scroll through and view the System Recovery Options.
3. Select Repair Your Computer, then choose Troubleshoot, followed by Command Prompt.
4. Assess the Boot Manager and OS Loader configuration by using the bcdedit command.
5. Determine the options available with the boot recovery command-line tool, bootrec.
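The demonstration steps above, carried out as a script. This is an added example and is not part of the course material. It assumes that powershell.exe is available where it runs (a full Windows session, or the recovery environment's Command Prompt; if only the Command Prompt is available, the same bcdedit, bootrec, chkdsk, and sfc commands run there unchanged), that the offline Windows installation is on the drive letter passed as $WinDrive, and that the -BiosMbr switch is supplied only when the disk is a BIOS/MBR disk. The parameter names and the backup folder are the example's own choices.

```powershell
# Added example (not part of the course): bcdedit/bootrec recovery steps from
# the demonstration, run in a deliberate order with a BCD backup taken first.
# Assumptions (all example choices): powershell.exe is available where this runs;
# $WinDrive is the letter the recovery environment assigned to the offline Windows
# installation (often not C: inside WinRE; check with diskpart or Get-PSDrive);
# -BiosMbr is passed only for a BIOS/MBR disk.
param(
    [string]$WinDrive  = 'C:',
    [string]$BackupDir = 'X:\bcd-backup',   # X: is the WinRE RAM disk; use removable media to keep the copy
    [switch]$BiosMbr
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 4: assess the Boot Manager and OS Loader entries, after exporting the
# store so the rebuild can be reversed with bcdedit /import.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& bcdedit /export "$BackupDir\bcd-$stamp.bak"
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /export failed; not continuing without a backup of the store.' }

$store = & bcdedit /enum all
$store | Out-Host

# 'device' and 'osdevice' must resolve to the volume that holds \Windows; bcdedit
# prints 'unknown' when an entry no longer points at an existing volume.
$store | Select-String -Pattern '^(device|osdevice)\s+(\S.*)$' | ForEach-Object {
    $field = $_.Matches[0].Groups[1].Value
    $value = $_.Matches[0].Groups[2].Value
    if ($value -match 'unknown') {
        Write-Warning "BCD field '$field' is '$value': the entry does not resolve to a volume."
    }
}

# Sanity check before rebuilding: the drive we intend to register must really hold Windows.
if (-not (Test-Path "$WinDrive\Windows\System32\winload.exe")) {
    throw "No Windows installation found under $WinDrive\Windows; fix the drive letter first."
}

# Step 5: bootrec options. Only the MBR and boot-sector rewrites are BIOS-specific;
# /scanos and /rebuildbcd apply to BIOS and UEFI systems alike.
if ($BiosMbr) {
    & bootrec /fixmbr      # rewrites MBR boot code only; the partition table is not touched
    & bootrec /fixboot     # writes a fresh boot sector to the system partition
}
& bootrec /scanos          # lists Windows installations missing from the BCD
& bootrec /rebuildbcd      # interactive: answer Y to register the installation it found

# Volume and system-file integrity of the offline installation (see System File Corruption above).
& chkdsk $WinDrive /f
& sfc /scannow /offbootdir=$WinDrive\ /offwindir=$WinDrive\Windows
```

The export comes first because bootrec /rebuildbcd replaces the store; with the exported copy you can undo a bad rebuild with bcdedit /import. The winload.exe check guards against registering the wrong volume when WinRE has shuffled drive letters.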
Lesson 2
Business Continuity and Disaster Recovery
Organizations depend on constant and consistent access to their business information and applications. In this environment, a server is only useful when it is operating properly and it contains the correct data. A server that has intermittent failures, is frequently unavailable, contains inconsistent data, or loses data can cause significant problems for an organization; detrimentally affecting the organization’s line of business. As someone responsible for the operation of your organization’s servers, you have to be aware of the variety of methods that Windows Server offers to allow for high availability, reliability, and consistency. You also need to understand how to implement these methods.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the need for backup.
• Describe the requirement to provide for business continuity.
• Differentiate between Business Continuity and Disaster Recovery (BCDR) solutions.
• Describe Network Load Balancing (NLB).
• Describe failover clustering.
• Implement a backup solution.
Why Backup Data?
Data is the most important digital commodity in the business world. Data hosted on an organization’s servers is most often critical to its line of business. Inventories, business contracts, purchase orders, and manufacturing and engineering data are just some of the important business information that is frequently hosted on servers.
The retention or backup of this data is the first line of defense against any event or circumstance that could put the security, validity, or existence of that data at risk. Events that can lead to data loss include hardware or software failures that corrupt data, volumes, or disks, and natural disasters such as a flood, an earthquake, or a lightning strike. Environmental problems such as fire, plumbing malfunctions, or power surges can also destroy data. Finally, malicious or accidental activity such as hacking, file deletion, equipment theft, or intentional damage may cause data to be lost. Because a backup that an attacker can reach is a backup the attacker can delete, keep at least one copy offline or otherwise out of reach of the credentials used on the production servers.
Backing up your company’s data in Windows Server 2012 is an important part of maintaining a reliable server environment. Not only the business data just discussed is at risk; the data contained in the operating system and server applications themselves also has to be retained in case the need to restore or recreate them arises.
User or Business Data
Most user or business-related data stored on a server is stored in a specifically allocated drive or folder structure dedicated exclusively to that data. In this configuration all of the business data is in one place and can be backed up as a whole instead of from different locations on the server. The location and structure of this data depends on the individual organization and varies from implementation to implementation.
System Data
System data, such as operating system and application data, is usually stored in a fixed location on the operating system volume. Although employees do not usually access or change it directly as they do business data, system data is critical to the operation of a server. Make sure that the Windows Server system volume, which holds the Windows Server operating system files, is backed up. This ensures that the server is recoverable if there is a system failure. There may also be application configuration data spread across multiple systems, which adds a level of complexity that you also have to consider.
Discussion: The Importance of Business Continuity
Business continuity planning refers to the ongoing maintenance activity and infrastructure planning and implementation that enable an organization to carry on its line of business if there is a disaster or system failure. The ability of an organization’s server infrastructure to ensure business continuity in times of crisis is a very important aspect of server management and maintenance.
Question: What kinds of events could interfere with business continuity?
Question: What would the cost be to your organization if your server infrastructure was unavailable for an hour, a day, or a week?
Increased Availability and Data Recovery
Organizations have come to rely more and more on their information technology (IT) infrastructure to support their business needs. Frequently, an organization’s server infrastructure provides applications or contains data that is critical to business operations. Therefore, the availability of those applications and the retention and safety of that data must be managed to ensure business continuity through high availability and data recovery.
Increased Availability
High availability refers to the ability of a server infrastructure to remain available and operable when there are hardware, application, or service outages within the server infrastructure.
Organizations that are required to meet service level agreements (SLAs), or that run applications important to their daily business, typically use high availability solutions to achieve the required server uptime. This uptime value is commonly expressed as a number of nines, referring to the percentage of the server’s total availability. It is common for companies to strive for five nines of uptime (99.999%). Over a full year (8,760 hours) this allows about 0.09 hours, or roughly five minutes, of downtime. SLAs can also specify different uptime requirements for different time windows. For example, if a server is required to run for five days a week for 10 hours a day (2,600 hours per year), a 99.999% uptime requirement for that window allows about 0.026 hours, or roughly a minute and a half, of downtime per year. During non-core hours the server may be allowed longer downtimes.
High availability typically involves multiple servers configured to perform the same role or provide similar services. If one of the servers experiences a hardware or software failure, the remaining servers continue to provide the services. Windows Server 2012 contains several features that help you maintain availability in the server infrastructure.
• Fault-tolerant Hardware Support. Windows Server 2012 supports fault-tolerant hardware architectures supplied by many server hardware vendors that allow the removal, addition, or replacement of hardware components such as fans, power supplies, memory, hard disks, network adapters, and processors. This architecture enables a server to remain running and available while hardware upgrades occur or faulty hardware components are replaced.
• Fault-tolerant Applications. Some applications or services provide fault tolerance as part of their own infrastructure, such as Active Directory Domain Services with multiple domain controllers, or a replicated DFS infrastructure.
• Failover Clustering. Failover clustering allows a group of servers to work together to provide a set of applications or services. Together, these servers provide a fault-tolerant configuration that continues to provide its applications and services even if one of the servers in the cluster fails or becomes unavailable. You can implement failover clustering for a range of roles and services in Windows Server 2012, such as File, Dynamic Host Configuration Protocol (DHCP), Hyper-V®, or even application servers such as Microsoft® Exchange Server or Microsoft SQL Server®.
• Network Load Balancing (NLB). NLB provides increased availability for TCP/IP-based network services. The load is shared among the servers, and each server is aware of the other servers in its group. When one server fails or becomes unavailable on the network, traffic is redistributed among the remaining servers, so the network service remains available. However, this is not high availability in the failover clustering sense: the failover is more passive, and a failing server can cause a delay for clients before the remaining hosts detect the failure and start serving the requests.
Many subcomponents in Windows Server 2012 also contribute to a highly available infrastructure, such as network interface card (NIC) Teaming and Multipath I/O (MPIO).
Data Recovery
Data recovery processes ensure that important data is recoverable should it be lost, corrupted, or destroyed. This typically involves copying or backing up data to a device separate from the server. These devices can be external hard disks, flash drives, optical media, or network locations. Frequently these devices are stored in a different physical location from the server being backed up, in case the server location is destroyed or damaged by a disaster such as a fire or flood.
When data is lost, corrupted, or destroyed, the backed-up data can then be restored to the original location on the server, or to a separate server until the original server is restored or rebuilt.
Windows Server Backup
The built-in tool for backing up data in Windows Server is Windows Server Backup, a simple and easy-to-use backup and recovery tool. You can use Windows Server Backup on both local and remote systems to perform full or incremental backups and to create a copy.
When you use Windows Server Backup, you have to have separate, dedicated media for storing backed-up data. Windows Server Backup can use external and internal disks, DVDs, or shared folders as backup and restore locations. DVDs can be used only to restore full volumes of data, not individual files, folders, or application data.
You can use Windows Server Backup for recovery in several ways. Instead of having to restore files manually from multiple backups when the files were stored in incremental backups, you can recover folders and files by selecting the date on which you backed up the version of the item(s) you want to restore. You can recover data to the same server hardware or to new server hardware that has no operating system. Windows Server Backup no longer supports tape backup.
Note: Backups taken with Windows Server Backup can also be restored from the Windows Recovery Environment. This was described earlier in the “Troubleshooting Tools in the Startup Environment” topic. Also available is the cloud-based service Windows Azure™ Online Backup, which can provide backup infrastructure and services for your organization. More information about Windows Azure Online Backup can be found at the following webpage.
http://www.windowsazure.com/en-us/home/features/online-backup
Question: Why would an organization have to implement both high availability and data recovery processes to ensure business continuity?
Network Load Balancing
Network Load Balancing (NLB) provides increased availability and scalability for TCP/IP-based services, including web servers, File Transfer Protocol (FTP) servers, and other mission-critical servers and services. In an NLB configuration, multiple servers run independently and do not share any resources; for example, IIS websites would be mostly static, and any changing data would typically be kept on a back-end SQL Server. This group of servers is known as an NLB cluster. Client requests are distributed among the servers, and if a server fails, NLB detects the problem and distributes the load to the remaining servers. With NLB, you can increase network service performance and availability.
Increased Availability
NLB supports increased availability by redirecting incoming network traffic to working NLB cluster hosts if a host fails or is offline. Existing connections to an offline host are lost, but the Internet services remain available. In most cases, for example with web servers, client software automatically retries the failed connections, and the clients experience a delay of several moments before receiving a response.
In terms of how the NLB hosts function, a virtual IP address (the cluster IP address) is shared by all hosts in the NLB cluster. Every host receives the traffic addressed to the virtual IP, but the NLB driver on each host runs the same filtering algorithm, so exactly one host accepts and processes any given packet. From a networking standpoint, the switch must therefore deliver each inbound frame to every host’s port. In unicast mode all hosts share one cluster MAC address, so the switch cannot learn which port that address belongs to and floods the traffic to every port in the VLAN, which is why NLB is sometimes described as requiring the switch to behave like a hub. Multicast or IGMP multicast mode keeps each host’s own MAC address and allows the switch to limit the flooding. In either mode, place the NLB hosts in their own VLAN so that the flooded cluster traffic does not reach unrelated systems.
Many applications work with NLB. Generally, NLB can load-balance any application or service that uses TCP/IP as its network protocol and is associated with a specific TCP or User Datagram Protocol (UDP) port. Some examples are listed in the following table.

Protocol: Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS)
  Examples: Internet Information Services (IIS): port 80 for HTTP and port 443 for HTTPS
Protocol: FTP
  Examples: IIS: port 20, port 21, and ports 1024-65535
Protocol: Simple Mail Transfer Protocol (SMTP)
  Examples: Exchange Server: port 25
Protocol: Remote Desktop Protocol (RDP)
  Examples: Terminal Services: port 3389
Protocol: Point-to-Point Tunneling Protocol (PPTP), L2TP, SSTP, and IP over HTTP with Internet Protocol security (IPsec)
  Examples: Virtual private network (VPN) servers: port 1723 for PPTP
Performance
NLB supports server performance scaling by distributing incoming network traffic among one or more virtual IP addresses assigned to the NLB cluster. The hosts in the cluster concurrently respond to different client requests, even multiple requests from the same client. For example, a web browser might obtain multiple images in a single webpage from different hosts in an NLB cluster. This speeds up processing and shortens the response time to clients.
Scalability
NLB lets administrators scale network services to meet client demand. New servers can be added to a load-balancing cluster without changing the applications or reconfiguring clients. The NLB cluster does not have to be taken offline to add new capacity, and members of the cluster do not have to be based on identical hardware. NLB hosts can even be powered up and down as demand requires.
Windows PowerShell® also provides management and configuration support for Network Load Balancing in Windows Server 2012. The following table includes some of the cmdlets and commands that might be useful.

Windows PowerShell Cmdlet                           Description of Use
Add-NlbClusterNode                                  Adds a new node to the NLB cluster
New-NlbCluster                                      Creates a new NLB cluster defined by the node and network adapter name
Get-Command -Module NetworkLoadBalancingClusters    Lists all available cmdlets in the NetworkLoadBalancingClusters module

The Network Load Balancing feature has to be installed through Server Manager in order to make these cmdlets available on a Windows Server 2012 server.
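The cmdlets in the table, used to build the kind of NLB cluster the section describes and to check that a host can be taken out of it. This is an added example and not course material. The host names WEB1 and WEB2, the adapter name, the 10.0.0.0/24 addresses, and the cluster name are the example's assumptions; both hosts are assumed to already have the NLB feature installed.

```powershell
# Added example (not part of the course): a two-node NLB cluster for an HTTPS
# site, with explicit port rules and a drain test.
# Assumptions (all example choices): WEB1 and WEB2 run Windows Server 2012 with the
# NLB feature installed, each has an adapter named 'Ethernet' on 10.0.0.0/24, and
# 10.0.0.100 is free to use as the cluster (virtual) IP. Run as a local
# administrator on WEB1.
Import-Module NetworkLoadBalancingClusters

$ClusterIP   = '10.0.0.100'
$Mask        = '255.255.255.0'
$ClusterName = 'web.contoso.com'   # assumed DNS name that resolves to $ClusterIP

# Multicast (or IgmpMulticast) keeps each host's own MAC address, so the switch
# can still learn ports; Unicast makes all hosts share one MAC and the switch
# floods every frame to every port. Prefer multicast unless the switch cannot handle it.
$cluster = New-NlbCluster -InterfaceName 'Ethernet' -ClusterName $ClusterName `
    -ClusterPrimaryIP $ClusterIP -SubnetMask $Mask -OperationMode Multicast

# The default rule balances every port. Replace it with rules for the published
# services only, so nothing else on the hosts is reachable through the cluster IP.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol Tcp -Mode Multiple -Affinity None | Out-Null
Add-NlbClusterPortRule -StartPort 80  -EndPort 80  -Protocol Tcp -Mode Multiple -Affinity None | Out-Null

# Add the second host; the port rules are replicated to it.
Add-NlbClusterNode -NewNodeName 'WEB2' -NewNodeInterface 'Ethernet' | Out-Null

# Check: both hosts converged.
Get-NlbClusterNode | Format-Table Name, State, HostPriority

# Planned-maintenance test: drain WEB2 (existing connections finish, no new ones
# are accepted) and confirm WEB1 is the only host still converged.
Stop-NlbClusterNode -HostName 'WEB2' -Drain -Timeout 60
$converged = @(Get-NlbClusterNode | Where-Object { $_.State -eq 'Converged' })
if ($converged.Count -ne 1 -or $converged[0].Name -ne 'WEB1') {
    Write-Warning 'Expected only WEB1 to be converged after draining WEB2.'
}
Start-NlbClusterNode -HostName 'WEB2' | Out-Null
```

Removing the default port rule is the security-relevant step: with it in place, every port on every host is answered through the cluster IP, not just the site you meant to publish.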
Failover Clustering
Failover clustering is a technology in Windows Server 2012 that provides high availability; it does not provide scalability. In a failover cluster, a group of servers (the cluster) works together to increase the availability of a set of applications and services. Physical cables and software connect the clustered servers, known as nodes. If any cluster node fails, other nodes begin to provide service to clients (a process known as failover). With this method system downtime is minimized and a high level of availability is provided. Applications best suited to a failover cluster are those that use a centralized set of data. Applications such as SQL Server and Exchange Server, and services such as File Server and DHCP, use centralized data sets and are therefore ideal candidates for a failover cluster.
Failover Clustering Benefits
Failover clustering provides several benefits for mission-critical server and application deployments, including the following:
• Reduced downtime if there is a hardware failure.
• Reduced downtime if there is an operating system failure.
• Reduced downtime during periods of planned server maintenance.
Applications or services that are added to a failover cluster must be cluster-aware in order to take advantage of the benefits that failover clustering provides. Cluster-aware refers to the application’s ability to register with the failover cluster in order to communicate with the cluster and use its features. Applications and services that are cluster-aware include the following:
• Distributed File System (DFS) Namespace Server
• DHCP Server
• Exchange Server
• File Server
• Print Server
• SQL Server
• Windows Internet Naming Service (WINS) Server
Applications that do not support cluster events are called cluster-unaware. Some cluster-unaware applications can still be configured as high availability resources and can be failed over. However, the following provisions apply:
• IP-based protocols are used for cluster communications. The application must use an IP-based protocol for its network communications.
• Nodes in the cluster access application data through shared storage devices. If the application cannot store its data in a configurable location, the application data is not available after failover.
• Client applications experience a temporary loss of network connectivity when failover occurs. If client applications cannot retry and recover from this, they will no longer function.
Windows PowerShell also provides management and configuration support for failover clustering in Windows Server 2012. The following table includes some of the cmdlets and commands that might be useful.

Windows PowerShell Cmdlet               Description of Use
Get-Cluster                             Displays information about one or more failover clusters in a domain
Test-Cluster                            Runs validation tests for failover cluster hardware and settings
Get-Command -Module FailoverClusters    Lists all available cmdlets in the FailoverClusters module

The Failover Cluster Module for Windows PowerShell must be installed as part of the Failover Clustering feature or the Remote Server Administration Tools (RSAT) in Server Manager in order to make these cmdlets available on a Windows Server 2012 server. RSAT can also be installed on a Windows 8 client, which makes the cmdlets available on the client.
More information about failover clustering and Network Load Balancing can be found at the following webpage.
http://technet.microsoft.com/en-us/library/hh831579.aspx
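The Test-Cluster and New-Cluster workflow from the table, followed by a clustered file server and a deliberate failover to prove the role moves. This is an added example and not course material. The node names FS1 and FS2, the cluster and role names, and the 10.0.0.110/111 addresses are the example's assumptions; the nodes are assumed to be domain-joined with the Failover Clustering feature installed and shared storage presented to both.

```powershell
# Added example (not part of the course): validate, create, and exercise a
# two-node failover cluster hosting a file server role.
# Assumptions (all example choices): FS1 and FS2 run Windows Server 2012 with the
# Failover Clustering feature installed, both are domain-joined and see the same
# shared storage, 10.0.0.110 and 10.0.0.111 are free, and the account running
# this has local administrator rights on both nodes.
Import-Module FailoverClusters

$Nodes = 'FS1', 'FS2'

# Validate first. A cluster built on a report with errors is not supported, and
# storage errors in particular mean data may not be reachable after failover.
$report = Test-Cluster -Node $Nodes -Include 'Inventory', 'Network', 'Storage', 'System Configuration'
Write-Host "Validation report: $($report.FullName)"

$cluster = New-Cluster -Name 'FSCLUSTER' -Node $Nodes -StaticAddress '10.0.0.110'

# A file server role needs a client access point (name and IP) plus a disk that
# the cluster already owns but has not yet assigned to a role.
$disk = Get-ClusterResource -Cluster $cluster | Where-Object {
    $_.ResourceType.Name -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Available Storage'
} | Select-Object -First 1
if (-not $disk) { throw 'No shared disk in Available Storage; add storage before creating the role.' }

Add-ClusterFileServerRole -Cluster $cluster -Name 'FILES' -Storage $disk.Name -StaticAddress '10.0.0.111' | Out-Null

# Planned failover check: move the role and confirm it came online on the other node.
$role   = Get-ClusterGroup -Cluster $cluster -Name 'FILES'
$before = $role.OwnerNode.Name
$moved  = Move-ClusterGroup -Cluster $cluster -Name 'FILES'
if ($moved.State -ne 'Online' -or $moved.OwnerNode.Name -eq $before) {
    Write-Warning "Role FILES did not fail over cleanly (state $($moved.State), owner $($moved.OwnerNode.Name))."
} else {
    Write-Host "FILES moved from $before to $($moved.OwnerNode.Name) and is online."
}
```

Move-ClusterGroup is the cheapest way to verify that what you built actually fails over; run it before the cluster carries production data, and again after patching a node.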
Providing for Data Recovery
Providing for data recovery involves implementing a plan that covers what to back up, how frequently to back up, what media the backed-up data will be stored on, where that media will be stored, and who can back up and restore the data.
What to Back Up
Deciding what to back up is the first consideration when you develop a backup plan. Loss of business information can significantly disrupt business productivity. Usually, a full data backup is desirable. The key question for the organization is: which data is most important to the company? This data can consist of customer or client database information, payroll records, and product information.
When to Back Up
Several questions have to be answered when you are considering backup: “When should I back up data?”, “How frequently should backups be made?”, and “How long will my backup take and at what time of day will it occur?” How frequently backups occur depends on your business data and how often it changes. An organization’s sales history might only have to be backed up monthly, whereas the current sales database, which is constantly being updated, might have to be backed up multiple times per day. The second and third questions, about how long the backup takes and when it should run, depend on each other. Frequently, data being backed up cannot be in use by users and applications during the backup process. A full backup of all servers in a data center might take 15–20 hours. If your business operates on a 10-hour work day, that leaves only 14 hours for the backup. Typically, the longer full backup is completed during off-hours, perhaps on a weekend, and smaller backups of specific or important information occur more frequently throughout the week.
What Media to Use
After you decide what data to back up, the next step is to determine where to store the backup. Options include external or internal hard disk drives, CDs, DVDs, universal serial bus (USB) flash drives, and third-party backup systems.
Where to Store the Backups
To provide greater security, an organization should store these backups in an off-site location. This protects against a situation such as a fire in which backup media stored on site could be destroyed. Off-site media also leaves your physical control, so encrypt backups that travel off site and keep a record of where each copy is.
Who Should Perform the Backup/Restore Operations
The final fundamental consideration is who should perform the backup and, perhaps more critically, the restore operations. After you have implemented a backup strategy you can automate the backup process; indeed, most backup solutions are automated. However, you may sometimes have to perform unscheduled backup operations, and you should carefully consider which users can perform this task.
When you have to restore data, make sure that the correct data is restored, and to the correct location. Therefore, restore operations, except for user-initiated single-file operations, should only be conducted by skilled administrative personnel. You can use the Windows Server built-in groups, such as Backup Operators, to assign the necessary backup and restore rights, or you can create your own groups as needed. Keep in mind that a member of Backup Operators can read and write every file on the server regardless of its permissions, so membership of that group should be as restricted and as regularly reviewed as membership of Administrators.
Windows Server Backup
Windows Server Backup is installed as a feature by using Server Manager. It provides a Microsoft Management Console (MMC) snap-in administrative tool and the WBAdmin command (wbadmin.exe), which can be used at the Command Prompt. Both the snap-in and the command-line tool let you perform manual or automated backups to an internal or external disk volume, a remote share, or optical media. As stated earlier, backing up to tape is no longer supported by Windows Server Backup.
Windows Azure Online Backup
This is a cloud-based service to which an IT administrator subscribes. An account is created for the organization and backups are scheduled. The difference is that the data storage is provided by the Online Backup service. This service removes risk and administrative overhead from managing and maintaining backups. You can access Windows Azure Online Backup from the Windows Server Backup management console.
Windows PowerShell provides cmdlets for both Windows Server Backup and Windows Azure Online Backup to let administrators manage and configure the service. These cmdlets are provided in the WindowsServerBackup and MSOnlineBackup modules. The following table includes some of the cmdlets from each module.

Windows PowerShell Cmdlet                 Description of Use
Get-WBDisk                                Displays a list of internal and external disks that are online for the local computer
Get-WBJob                                 Displays the current Windows Server Backup job operation
Get-OBPolicy                              Displays the current online backup policy set for the server
Get-OBJob                                 Displays a list of operations from a server as Online Backup Job objects
Get-Command -Module WindowsServerBackup   Lists all available cmdlets in the WindowsServerBackup module
Get-Command -Module MSOnlineBackup        Lists all available cmdlets in the MSOnlineBackup module

The Windows Server Backup feature has to be installed for the WindowsServerBackup module to be installed and its cmdlets to become available. Similarly, the Online Backup agent has to be installed before the Online Backup cmdlets are available.
Question: What would an appropriate backup plan be for your organization or department?
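The what, when, where, and who decisions from the data recovery topic above, expressed as a Windows Server Backup policy with the WindowsServerBackup cmdlets. This is an added example and not course material. The data volume D:, the share \\BACKUP1\WSB, the schedule times, and the group CONTOSO\Backup Admins are the example's assumptions; the Windows Server Backup feature is assumed to be installed.

```powershell
# Added example (not part of the course): a scheduled Windows Server Backup
# policy covering the system and a data volume, written to an off-host share,
# plus delegation of the backup right to a reviewed group.
# Assumptions (all example choices): the Windows Server Backup feature is
# installed, D: holds the business data, \\BACKUP1\WSB is a share the supplied
# credential can write to, and CONTOSO\Backup Admins is the group allowed to
# run backups.
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# What: bare-metal recovery (system volume, system state, recovery environment)
# plus the data volume, so both system data and business data are covered.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy
$dataVol = Get-WBVolume -VolumePath 'D:'
Add-WBVolume -Policy $policy -Volume $dataVol

# Where: an off-host share. A network target keeps only the most recent backup,
# so pair it with a rotated copy elsewhere if older versions must be retained.
$cred   = Get-Credential -Message 'Account allowed to write to \\BACKUP1\WSB'
$target = New-WBBackupTarget -NetworkPath '\\BACKUP1\WSB' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# When: twice daily, outside an assumed 08:00-18:00 working day.
Set-WBSchedule -Policy $policy -Schedule 06:00, 20:00

# Full VSS backups let VSS-aware applications truncate their logs after the backup.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

Set-WBPolicy -Policy $policy -Force

# Who: only Administrators and Backup Operators may run wbadmin and the WB
# cmdlets. Delegate to one group, then list the membership so it can be reviewed;
# Backup Operators bypass file permissions, so keep this group small.
$grp = [ADSI]'WinNT://./Backup Operators,group'
$grp.Add('WinNT://CONTOSO/Backup Admins,group')
Write-Host 'Backup Operators members:'
$grp.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Confirm the policy took.
Get-WBPolicy | Format-List Schedule, VolumesToBackup, BMR, SystemState
```

The credential for the share should be an account that can write to \\BACKUP1\WSB and nothing else; if it were a domain administrator, anyone who compromises the backup server could reuse it, and the share should not be writable by the accounts normally used on the production server so that a compromised server cannot wipe its own backups.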
Lesson 3
Applying Updates to Windows Server
Windows Server provides a full-featured framework to maintain itself in a current and secure state through updates. This lesson will cover how to keep your Windows Server up to date by using Windows Server Update Services (WSUS).
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the need to keep Windows Server up to date.
• Describe what has to be kept up to date.
• Explain how Windows Server obtains updates by using WSUS.
• Implement WSUS.
Why Update Windows?
Globally, computing happens in an ever-changing environment. As technology advances and new security concerns appear, the server infrastructure must be both prepared and protected in order to perform efficiently. The following questions can be asked of a static, non-updated server that is running Windows Server.
• Is the server vulnerable to malicious code that exploits known weaknesses in the server’s operating system or application configuration?
• When a new device is installed, how can you be sure that you have the most recent version of the driver installed?
• How can you make sure that you are running the latest and most compatible versions of your applications?
You have to update your Windows Servers to make sure that you can avoid the pitfalls associated with the previous points, but manual configuration of a single server can be a time-consuming and tedious process, let alone the configuration of hundreds of servers. The key source of Windows updates is the Windows Update website. Here, a catalog of updates is stored and available for download and installation to your computer.
Windows Server 2012 contains a robust infrastructure for managing interaction with the Windows Update process. However, you must make sure that the tools available are customized for your environment and working in a way that makes sure the infrastructure is secure and regularly updated.
What Must Be Updated?
Updates can be applied to different areas within the Windows Server infrastructure:
• Core Operating System. The core files of the server’s operating system must be kept up to date in order to correct security vulnerabilities and maintain the most recent set of features and functionality. New versions of executables, additional features, and updated .dll and data files are several of the aspects of the core operating system that can be delivered as part of an update.
• Drivers. Hardware devices on your servers must have the most recent drivers installed to make sure that the system functions correctly and that all of the components can work together without conflicts or interruption. The way that Windows interacts with the server and the attached hardware is governed primarily by the device drivers that Windows loads for the devices. Old, corrupted, or incompatible drivers can cause a device to stop functioning and cause system instability or even failure.
• Applications. Updates also have to be applied to applications. Service packs, feature updates, and security fixes all ensure that your applications can consistently provide their associated services within your environment.
In addition to these three core areas, other components such as device firmware might also have to be updated periodically.
Windows Server Update Services Windows Server Update Services (WSUS) enables network administrators to simplify and gain control over applying updates to all computers in the network environment.
When WSUS is integrated into the operating system, it is installed as a role on Windows Server 2012 through Server Manager. As part of the installation, a Windows Internal Database (WID) is also installed; WSUS requires a database, and WID is the default. WSUS downloads the latest updates from the Windows Update servers on the Internet, and all other computers on the network are configured to download their updates from the WSUS server instead. You can organize computers into groups to simplify the approval of updates. For example, you can configure a pilot group to be the first set of computers used for testing updates. WSUS can also generate reports to help with monitoring of update installation; these reports can identify which computers have not applied recently approved updates. WSUS in Windows Server 2012 also lets you target client and server computers separately. In a typical WSUS implementation, instead of each computer downloading the same update files independently, only the WSUS server downloads the files from the Windows Update servers. The WSUS server downloads a copy of each available update and saves it in a local data store, then makes the updates available to all of the computers on the network. The bandwidth consumed by the update process is greatly reduced, because the WSUS server has to download only one copy of each update. WSUS also gives administrators the opportunity to research, evaluate, and test updates before deploying them to the network clients. Because clients install whatever the WSUS server offers them, the WSUS server is itself a high-value target: protect the client-to-server channel with SSL and limit who can approve updates on it.
You can also implement a hierarchical structure for WSUS in your organization, specifying upstream servers, downstream servers, or replica servers to streamline the distribution of updates across a geographically dispersed organization.
A WSUS server has several components and settings that are configurable to suit the needs of your environment. When WSUS is first set up, the Windows Server Update Services Configuration Wizard runs and lets you configure the following settings:
• Choose Upstream Server. You can specify a WSUS server from which the server being configured will receive updates.
• Specify Proxy Server. If your organization has a firewall or proxy server, proxy details are required so that WSUS can reach the Windows Update servers to access and download updates.
• Choose Languages. You can specify the update languages to download. By default, WSUS synchronizes only updates in the language that you specified when installing Windows Server.
• Choose Products. This setting controls which products WSUS will download updates for. This includes Windows Server and client operating systems, in addition to many Microsoft applications and server products, such as Microsoft Office, SQL Server, and Exchange Server.
• Choose Classification. Microsoft updates come in several different classifications that identify the type and urgency of the update, for example, Critical Updates, Security Updates, and Definition Updates. This setting lets you select which classifications WSUS will synchronize.
• Configure Sync Schedule. This setting controls when WSUS will synchronize with Internet-based Windows Update servers to download new updates. Synchronization can be started manually or run automatically at defined times.
After the wizard is finished, you can perform an initial synchronization based on the settings that you have just defined. Consider the following when you configure the settings:
• Use SSL with WSUS.
• Create computer groups.
• Assign computers to groups by using Group Policy.
• Configure auto-approval.
Within the WSUS management console, there are several options, some of which include the following:
• Updates. Here you can view updates by classification, such as Security and Critical. Each update must also be approved before it can be installed. By default, WSUS automatically approves all security, critical, and definition updates for servers. For clients, WSUS approves all security, critical, and definition updates, plus service packs.
• Computers. Here you can create groups of computers on which to apply updates.
• DownStream Servers. You can specify other update servers in your WSUS hierarchy that will receive updates from this server.
• Synchronization. Here you can specify how the local server synchronizes with Windows Server Update Services. It provides a status on the synchronizations and enables reports to be viewed. The Microsoft Report Viewer 2008 Redistributable is required to be able to view the reports.
Fundamentals of a Windows Server Infrastructure
• Reports. Many reports are available to generate and view, such as computer status and update status.
• Options. Different settings that can be configured, such as the following:
  o Email message notifications
  o Server Cleanup
  o Automatic approvals
By default, WSUS downloads only the approved updates and stores them, in .cab format, in the C:\WSUS\WsusContent folder.
Using Group Policy to Configure Windows Update Settings
You can configure automatic updates for client computers through Group Policy. Group Policy settings are available in the Group Policy Management Editor under the node Computer Configuration\Policies\Windows Settings\Administrative Settings\Windows Update. There are 16 different settings available in this node, some of which are described in the following list.
• Allow Automatic Updates immediate installation. Specifies whether the Automatic Updates client should immediately install updates that do not require a service interruption or system restart.
• Allow non-administrators to receive update notifications. Enables users without administrative privileges to receive notifications of impending update downloads or installations from the Automatic Updates client.
• Automatic Updates detection frequency. Specifies the interval at which Automatic Updates clients check the server for new updates.
• Configure Automatic Updates. Enables the Automatic Updates client, specifies whether the client should download and install updates with or without requiring user intervention, and specifies the installation interval and time of day.
• Reschedule Automatic Updates scheduled installations. Specifies the time interval the Automatic Updates client should wait after system startup before starting an update installation that did not occur because the computer was offline.
• Specify intranet Microsoft update service location. Specifies the URL that Automatic Updates clients use to access the WSUS server on the local network.
• Delay Restart for scheduled installations. Specifies the time interval the Automatic Updates client should wait before restarting the computer after an update installation.
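As an added example (not part of the course text), the following Windows PowerShell script reads the registry values that the Group Policy settings above write on a client computer and reports anything that does not match what the administrator expects, including a WSUS URL that is not protected with SSL. The expected URL is a placeholder to replace with your own WSUS server.

```powershell
# Added example, not from the course: verify the Windows Update policy that
# Group Policy has applied to this client. Run it in an elevated session.
# $Expected is a constructed placeholder; replace it with your WSUS server URL.
$Expected = 'https://wsus.example.internal:8531'

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusClientPolicy {
    # Returns the policy values; a property is $null when the setting is not configured.
    $p  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $p.WUServer            # "Specify intranet Microsoft update service location"
        WUStatusServer     = $p.WUStatusServer      # statistics server from the same setting
        UseWUServer        = $au.UseWUServer        # 1 = clients use the intranet server above
        AUOptions          = $au.AUOptions          # 2 to 5 = modes of "Configure Automatic Updates"
        NoAutoUpdate       = $au.NoAutoUpdate       # 1 = Automatic Updates disabled by policy
        DetectionFrequency = $au.DetectionFrequency # hours, from "Automatic Updates detection frequency"
    }
}

$cfg      = Get-WsusClientPolicy
$findings = @()

if (-not $cfg.WUServer) {
    $findings += 'No intranet update server is set; the client will use Windows Update on the Internet.'
} elseif ($cfg.WUServer -ne $Expected) {
    $findings += "WUServer is '$($cfg.WUServer)', expected '$Expected'."
}
if ($cfg.WUServer -and $cfg.WUServer -notlike 'https://*') {
    $findings += 'The WSUS URL is not HTTPS; updates and status reports travel unprotected (see "Use SSL with WSUS").'
}
if ($cfg.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1, so the WUServer value is ignored by the client.'
}
if ($cfg.NoAutoUpdate -eq 1) {
    $findings += 'Automatic Updates is disabled by policy.'
}
if ($cfg.AUOptions -notin 2..5) {
    $findings += "AUOptions is '$($cfg.AUOptions)'; expected a value from 2 to 5."
}

$cfg | Format-List
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Client WSUS policy is consistent with the expected configuration.'
}

# Ask the Automatic Updates client to run a detection cycle now so that the
# computer reports to the WSUS server without waiting for the next scheduled check.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```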
You can also manage WSUS by using Windows PowerShell. Cmdlets are provided as part of the WSUS module; some of them are listed below.
• Approve-WSUSUpdate. Approves an update to be applied to clients.
• Get-WSUSProduct. Displays the list of all products currently available on WSUS by category.
• Get-Command –module WSUS. Lists all available cmdlets in the WSUS module.
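The following script is an added example, not course material, showing how the cmdlets listed above (from the UpdateServices module that ships with the WSUS role) can approve pending critical updates for a pilot computer group first, as recommended earlier in this lesson. It assumes the WSUS role is installed on the local server and that a computer group named Pilot already exists; both names are assumptions.

```powershell
# Added example, not from the course: approve unapproved Critical Updates for
# a pilot computer group only, so they are tested before a wider rollout.
# Assumes the WSUS role is installed locally and the group named in $PilotGroup exists.
Import-Module UpdateServices

$PilotGroup = 'Pilot'   # assumed group name; create it in the WSUS console first

# Connect to the local WSUS server (use -Name, -PortNumber and -UseSsl for a remote one).
$wsus = Get-WsusServer

# Make sure the 'Critical Updates' classification is part of synchronization;
# otherwise Get-WsusUpdate -Classification Critical has nothing to return.
Get-WsusClassification |
    Where-Object { $_.Classification.Title -eq 'Critical Updates' } |
    Set-WsusClassification

# Refuse to approve anything if the target group is missing, rather than failing per update.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $PilotGroup }
if (-not $group) {
    throw "Computer group '$PilotGroup' does not exist on $($wsus.Name)."
}

# Critical updates that are not yet approved and are still needed by (or failed on) a client.
$pending = Get-WsusUpdate -Classification Critical -Approval Unapproved -Status FailedOrNeeded

if (-not $pending) {
    Write-Output 'No unapproved critical updates are pending.'
    return
}

foreach ($u in $pending) {
    # Approve for installation in the pilot group only; approving for
    # 'All Computers' is a separate decision taken after the pilot succeeds.
    $u | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
    Write-Output ("Approved for {0}: {1}" -f $PilotGroup, $u.Update.Title)
}

# Record what was approved so the change is documented with the ticket.
$pending | Select-Object @{ n = 'Title'; e = { $_.Update.Title } },
                         @{ n = 'ApprovedFor'; e = { $PilotGroup } },
                         @{ n = 'ApprovedOn'; e = { Get-Date } } |
    Export-Csv -Path "$env:TEMP\wsus-pilot-approvals.csv" -NoTypeInformation   # placeholder path
```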
More information about Windows Server Update Services can be found at the following webpage. http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
Demonstration: Review WSUS Group Policy Settings
In this demonstration, you will review the WSUS Group Policy settings.
Demonstration Steps
1. Open the Group Policy Management Console.
2. View Group Policy settings for WSUS.
Lesson 4
Troubleshooting Windows Server
When a system failure or an event that affects system performance occurs, you must be able to repair the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern network environment, the ability to determine the cause quickly often depends on having a logical and comprehensive troubleshooting methodology. You must also understand the tools available to determine the cause and make corrections to the environment if applicable.
Lesson Objectives
After completing this lesson, you will be able to:
• Develop a troubleshooting methodology.
• Describe troubleshooting stages.
• Select troubleshooting tools.
• Troubleshoot component areas.
• Use Windows tools to troubleshoot problems.
Developing a Troubleshooting Methodology
Troubleshooting a problem, especially when you deal with technology, can be a multistep process involving many potential root causes and several attempts to resolve the issue before the actual cause is determined. From collecting information to testing possible fixes to making sure that fixes work correctly and can be maintained, a troubleshooting methodology can help your troubleshooting process remain organized and efficient. Key concepts and practices must be understood and observed throughout the troubleshooting process to make sure that the issue is resolved in the most effective way possible.
Assessment of Impact
Understanding how an issue affects the network environment and the operations of your organization is a very important part of the troubleshooting process. An issue that affects critical services, such as point-of-sale operations in a busy retail store, might have to have a temporary partial fix or workaround implemented until the cause of the issue can be determined and corrected. As the troubleshooting process continues, the temporary fix might have to be reassessed to make sure that it is supporting the rest of the environment as effectively as possible. Finally, after the original issue is determined and corrected, a method for replacing the temporary fix with the permanent solution has to be determined and implemented in a way that has the least effect on your organization’s operations.
Communication
Almost every issue that you troubleshoot will affect at least one person in your organization. Those affected have to know specifically how the issue will affect them going forward. In addition, they should be informed about the progress of the troubleshooting process, time estimates for resolution, and process changes that might be required of them because of a temporary fix. When the issue is corrected and the environment returned to a completely functioning state, they also have to be notified that the issue is resolved. All of these items fall under the category of communication. Communication is one of the most critical components in the troubleshooting process and is frequently overlooked. Communication might consist of direct conversations, telephone calls, email messages, or the updating of a Help Desk ticket with troubleshooting progress.
If several people are affected by an issue, your communication methods might have to be adjusted to make sure that the information is reaching those affected as efficiently as possible. For example, if an issue affects a department, you might designate one person from that department, a manager, to communicate directly with. Any information about the troubleshooting process is then relayed by the manager to the other people in the department. This makes sure that you can focus on the troubleshooting process, and assigns responsibility to the manager for making sure that the staff members know the status and progress of the troubleshooting process.
Documentation
Throughout the troubleshooting process, documentation must be maintained at all levels. Initial symptoms, affected people and systems, potential causes, and both failed and successful tries to resolve the issue have to be recorded and appropriately documented to make sure that you make forward progress in the troubleshooting process.
Failing to document the troubleshooting process could result in overlooked symptoms, miscommunication or communication breakdown, failed solutions being tried multiple times, or even the return to seemingly normal operation without knowing the specifics of the resolution or if a permanent fix was completed. After an issue is resolved, documenting the resolution and the steps taken to achieve that resolution can help you speed up the troubleshooting process of similar issues.
Stages of a Typical Troubleshooting Methodology
In any troubleshooting methodology, especially one where multiple people might be involved in the troubleshooting process, you must have an established troubleshooting process. Using this process, the issue that is raised is taken through several stages, each bringing the issue closer to the final resolution.
1. Define the issue. The first step in the troubleshooting process is to correctly define the issue. This means making sure that you have obtained specific information about the symptoms observed by those experiencing the issue. This could consist of descriptions from end users ("my screen went blank when I clicked the Start button") or your own observation of the issue. Making sure that you understand the scope and the facts of the issue is very important. Incorrect or incomplete information could lead to incorrect assumptions about how to troubleshoot the issue, and could potentially result in the elimination of all assumed root causes without an actual resolution.
2. Gather initial information. The next step in the process is to collect appropriate information about the issue. Typically, this consists of actions like extended observation of the symptoms, running diagnostic tests on affected hardware and software, or obtaining technical information from vendors or suppliers of affected items.
3. Determine probable causes of the issue. After the appropriate information is collected, a list of probable causes has to be recorded and typically ranked. This makes sure that the most probable causes are investigated first. As the troubleshooting process continues, the causes are tested one by one. This could lead to the removal of causes other than the cause being tested. It might also lead to new causes being added to the list because of more information collected during testing.
4. Develop a plan of action. Next, you should determine a plan of action to test for the most probable cause or causes. This plan can involve one or more steps, and should be documented to make sure that it is performed correctly and that it can be repeated if it is necessary later in the troubleshooting process. Also, your plan should allow for rollback after implementation in case the plan of action does not resolve the issue.
5. Implement the plan of action. After a plan is established, the plan should be implemented and the process documented.
6. Test the results of the plan of action. After the implementation of the plan is completed, you should test the environment to determine whether the issue is corrected. You should also make sure that related systems and users are not negatively affected by the results of the plan of action.
7. Document the results of the plan of action and repeat the plan steps if it is necessary. The results of your plan of action should then be documented. If the result of the plan of action corrected the matter satisfactorily, you should carry on to the last step of closing the issue and completing the documentation. If your plan of action was unsuccessful, you should roll back the plan of action steps. Then move on to the next probable cause on the list and begin the plan of action steps for that cause, repeating the process until the cause is determined and resolution is achieved.
8. Record the issue as resolved and complete documentation. After you have determined the issue as resolved, any temporary fixes or workarounds should be removed and affected users should be informed of the resolution. In addition, the documentation of the resolution and steps taken in the troubleshooting process should be finished and recorded in a manner that allows for later reference or cataloging. This can be through a Help Desk ticketing application, a Microsoft Word document or Microsoft Excel® spreadsheet, or a written record in a notebook.
Summary
When these steps are observed and performed correctly, your troubleshooting process will follow a logical and thorough methodology that will help you resolve an issue quickly and efficiently, in addition to equipping you with the ability to quickly resolve the issue should it occur again in your environment.
Troubleshooting Component Areas
Early in the troubleshooting process, you will try to determine the cause of the problem. Typically, the problem will be with some component of the computer and its associated hardware, software, and environment. These elements can be classified into several system component categories. By trying to determine which system component is causing a problem, you are using the subtractive approach to troubleshooting. For example, if the computer will not start, you might determine whether the cause could be hardware related, such as a hard disk failure, or operating system related, such as a missing startup file. However, you must consider that a combination of components in different categories can cause some issues. The following sections look more closely at the main system components.
Operating System
Faults or corruptions in the system registry or with system services can result in operating system–related problems. The operating system controls user and application access to the computer hardware. The operating system is composed of device drivers, services, security components, applications, network components, and the configuration that links these components together. However, for troubleshooting, you should consider the operating system as just the base elements—startup files, startup configuration components, and operating system services—and not the security, application, or network elements. Operating system faults frequently manifest during the computer startup process. For example, if a user accidentally deletes a critical startup file, the operating system will be unable to start. If you install a new operating system service pack or update, it might introduce unexpected problems. Therefore, it is important to test all service packs and updates before you deploy them.
Hardware
For the purposes of troubleshooting, hardware-related problems include problems with the physical computer, attached peripherals and devices, and device drivers related to these components. Computers are generally very reliable, but certain components are more prone to failure than others. Components with moving parts, such as disk drives and power supplies, can wear out. These problems can easily be identified and fixed.
Other hardware-related issues can occur because of incompatible devices or device conflicts. To communicate with the rest of the computer, the operating system allocates each device a unique configuration. Occasionally, the operating system cannot provide the device configuration. This can result in device failure or computer startup failure.
Network Components
You can define any network configuration as a network component. For example, the TCP/IP configuration is a network component. Therefore, problems related to a computer’s IP address, subnet mask, and default gateway are all network component–related. Many network component problems with server computers can manifest at client computers, in the form of applications or operating system components operating in an unexpected way because of a lack of network connectivity. Therefore, it can be difficult to determine exactly where a network component problem is.
Security
When a user cannot access a resource or when a user can access a resource that they should be restricted from, there is a security-related issue. Some security-related problems can manifest as network component problems. For example, problems with the firewall configuration might result in users being unable to access resources to which they should have access. Data encryption and authentication issues can also result in security problems.
Problems can also occur because of users having elevated administrative rights, or too many privileges on important files or folders. For example, a user who has Full Control of the Windows system folder might accidentally delete sensitive system files. This results in an unstable or unusable operating system.
Applications
Application-related problems are those specifically related to the application programs installed and used by the users. Many of these problems result from misuse of the application by the user or from the user who is trying to do something with the application that the application does not support. User training should minimize these kinds of problems. If a user reports a problem with an application and misuse has not caused the problem, the problem’s cause might be a software error or bug. You can read the application’s documentation to determine whether this is a known problem and whether service packs or hot fixes exist that will eliminate the problem.
Users who report performance problems with applications might have hardware-related problems instead of an application problem. The computer might require more memory, or the computer’s disk might be fragmented. You can determine whether a problem is hardware performance–related because hardware performance problems typically affect more than one application. Application incompatibility issues can also cause significant problems. A specific combination of applications that are running at the same time could cause operating system failures and data loss. You can avoid application incompatibility issues by deploying only applications that you have tested in combination together, and by restricting end-users from installing additional applications.
Windows Server Troubleshooting Tools
When you are troubleshooting issues in Windows Server 2012, detailed and correct information is your most valuable asset in determining and resolving the issue. The more information that you have available about the issue, the more likely you are to be able to determine both the most probable cause and the most effective solution. Windows Server 2012 contains several built-in tools that help you collect information about the server environment and identify potential issues. Some of these were discussed in Module 12, “Monitoring Server Performance,” but in the context of performance. The following topics examine some of them again in the context of troubleshooting.
Event Viewer
Windows Event Viewer provides access to the Windows event logs. Event logs provide information about system events that occur within Windows. These events include information, warning, and error messages about Windows components and installed applications.
Event Viewer provides categorized lists of basic Windows log events (application, security, setup, and system), in addition to log groupings for individual installed applications and specific Windows component categories. Individual events provide detailed information about the kind of event that occurred, when the event occurred, the source of the event, and detailed technical information to help in troubleshooting the event.
Additionally, Event Viewer lets you combine logs from multiple computers onto a centralized computer by using subscriptions. Finally, you can configure Event Viewer to perform an action based on a specific event or events occurring. This can include sending an email message, starting an application, or running a script or other maintenance action that could notify you or try to resolve a potential issue.
Note: To open Event Viewer, in Server Manager, click Tools, and then select Event Viewer.
Task Manager
Windows Task Manager is the simplest and quickest way to monitor real-time resource usage and performance information in Windows Server. Task Manager provides information about currently running applications, processes, and services, in addition to a high-level performance view of three system resources: CPU, memory, and network. Within Task Manager, you can also see a list of currently logged-on users.
Note: To open Task Manager, do one of the following:
1. Press Ctrl+Shift+Esc.
2. Press Ctrl+Alt+Del, and then click Task Manager.
3. Right-click the taskbar, and then click Task Manager.
Resource Monitor
Resource Monitor provides features similar to Task Manager, but greatly enhanced. It provides a comprehensive view of the performance of key system components (CPU, disk, network, and memory) in both a graphical and a detailed report form. Resource Monitor provides detailed information that lets you troubleshoot resource or performance-based issues at a very specific level.
Note: To start Resource Monitor, do one of the following:
1. In Server Manager, click Tools, and then select Resource Monitor.
2. Open Task Manager, click the Performance tab, and then click Open Resource Monitor.
Performance Monitor
Windows Performance Monitor is an MMC snap-in that lets you measure and compare the performance of many system components. This information can be displayed graphically in real time or collected and reported on for a given time period. Windows accumulates the data for these components by using objects called counters. A counter can track the information about a single component or aspect of the system within Performance Monitor. In addition to the default counters, applications installed on a Windows Server, such as SQL Server or Exchange Server, can add their own counters to Performance Monitor. This lets you monitor various aspects of those application installations.
Performance Monitor can monitor a specific set of counters over time. It can also provide detailed reports of system performance and configuration.
Note: To start Performance Monitor, in Server Manager, click Tools, and then click Performance Monitor.
Reliability Monitor
Reliability Monitor provides an overview of system stability and the events and changes that affect the overall stability of a system. It tracks software installation and uninstallation, Windows failures, application failures, and hardware failures.
Reliability Monitor calculates a System Stability Index that reflects in graph form whether unexpected problems reduced the system's reliability. It assesses the computer's overall stability on a scale of 1 to 10. The accompanying System Stability Report provides details to help identify the specific changes that reduced reliability, and it can be saved in XML format.
Note: To start Reliability Monitor, do one of the following:
1. Open Control Panel. Then click System and Security, open Action Center, expand the Maintenance section within it, and then click the View reliability history link.
2. Open a Command Prompt, type perfmon /rel, and then press Enter.
Command-Line Tools and Windows PowerShell
Depending on the component in question, different command-line tools can troubleshoot issues. For example, for network-related issues, tools such as ping, nslookup, nbtstat, and ipconfig are all relevant and important in narrowing the cause of a problem.
As roles and features are installed on servers, some of those functions have their own command-line tool. Some of the directory services toolsets can be useful in troubleshooting.
Windows PowerShell functionality has also been greatly extended in Windows Server 2012. There are now cmdlets for most roles and features. If you are unsure how to obtain information about a specific role or feature, look for the corresponding Windows PowerShell cmdlets and see whether there is data that can be obtained by using Windows PowerShell that is not available elsewhere. Using a command in the format of Help *XYZ* can help identify relevant cmdlets that might be useful. This lets you drill down into the individual cmdlet functionality.
External Sources
In addition to the troubleshooting tools included with Windows, external sources such as product manuals, vendor websites, or community forums or discussion groups can be used to provide additional resources for the troubleshooting process. Microsoft regularly produces Knowledge Base Articles (KB Articles), which document known issues and provide workarounds or sometimes fixes for the issues. General Microsoft support is available at the following website. http://support.microsoft.com
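As an added example that is not part of the course, the following Windows PowerShell script collects the same kinds of information the tools above present (recent Critical, Error and Warning events from Event Viewer, the records behind Reliability Monitor's System Stability Report, and a sample of Performance Monitor counters) into one text report that can be attached to a Help Desk ticket as the documentation the methodology in this lesson calls for. It assumes an elevated session on the server under investigation; the output path is a placeholder.

```powershell
# Added example, not from the course: gather troubleshooting information from
# the event logs, Reliability Monitor data and performance counters into one file.
# Assumptions: run elevated on the affected server; $OutFile is a placeholder path.
param(
    [int]    $Hours   = 24,
    [string] $OutFile = "$env:TEMP\triage-$env:COMPUTERNAME.txt"
)
$since = (Get-Date).AddHours(-$Hours)

# Event Viewer: Critical (1), Error (2) and Warning (3) events from the System
# and Application logs since $since. Get-WinEvent reports "no events found" as an
# error, so it is silenced and an empty result is handled below.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, LevelDisplayName, ProviderName, Id, Message

# Reliability Monitor: the records that feed the System Stability Report
# (application and Windows failures, installs and uninstalls). On Windows Server
# these records exist only when the RacTask scheduled task is enabled.
$reliability = Get-CimInstance -ClassName Win32_ReliabilityRecords -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeGenerated -ge $since } |
    Select-Object TimeGenerated, SourceName, EventIdentifier, Message

# Performance Monitor: a one-off sample of CPU, free memory and disk queue length.
$counters = Get-Counter -Counter @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
) -ErrorAction SilentlyContinue

# Assemble the report; @() around each collection makes .Count safe when it is empty.
$report = @(
    "Triage report for $env:COMPUTERNAME generated $(Get-Date) (last $Hours hours)"
    ''
    "== Events (Critical/Error/Warning): $(@($events).Count) =="
    ($events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap | Out-String)
    "== Reliability records: $(@($reliability).Count) =="
    ($reliability | Sort-Object TimeGenerated -Descending | Format-Table -AutoSize -Wrap | Out-String)
    '== Performance counters (single sample) =='
    ($counters.CounterSamples | Select-Object Path, CookedValue | Format-Table -AutoSize | Out-String)
)

$report | Out-File -FilePath $OutFile -Encoding UTF8
Write-Output "Report written to $OutFile"
```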
Demonstration: How to Use Windows Tools to Help Troubleshoot Windows Server Problems
In this demonstration, you will see how to use various Windows troubleshooting tools.
Demonstration Steps
1. Open and view Event Viewer.
2. Open and view Task Manager.
3. Open and view Resource Monitor.
Lab: Maintaining Windows Server
Scenario
Several troubleshooting tickets have been submitted to you to correct. Three separate issues exist in the A. Datum company network.
Objectives
After completing this lab, you will be able to:
• Troubleshoot the startup process.
• Install and configure Windows Server Update Services.
• Collect information to start the troubleshooting process.
Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-CL1 and 10967A-LON-SVR5
User Name: ADATUM\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V® Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: ADATUM
5. Repeat the preceding steps to start 10967A-LON-CL1.
6. 10967A-LON-SVR5 is intentionally broken for this troubleshooting exercise. Do not start this virtual machine until you are instructed to do so during the lab, and follow the steps outlined there closely.
IMPORTANT: Internet access is also required for Exercise 1. The 10967A-LON-DC1 virtual machine needs to be able to reach the Windows Update service, so the MSL-TMG server must be up and running to complete Exercise 1. MSL-TMG is available for download from the MCT Download Center, and the steps for setting it up successfully are in the MSL-TMG setup guide.
Exercise 1: Installing and Configuring Windows Server Update Services
Scenario
You are forwarded a request to install and configure a WSUS server in A. Datum’s London location and test the configuration by configuring a client computer to use the WSUS server to receive automatic updates.
Supporting Documentation
A. Datum Add Request
Request Reference Number: 10527
Requested by: Nancy Anderson
Date of request: May 17
Assigned to: You
Status: OPEN
Request Details: Configure WSUS for local distribution of updates for the London office:
1. Install WSUS on 10967A-LON-DC1.
2. Complete post-installation configuration.
3. Complete the WSUS Configuration Wizard.
4. Install the Report Viewer prerequisites.
5. Configure the test client LON-CL1 to receive updates from the newly configured WSUS server.
6. Test the configuration by installing updates on LON-CL1.
The main tasks for this exercise are as follows:
1. Install the Windows Server Update Services role and required features.
2. Complete WSUS post-configuration tasks.
3. Complete the Windows Server Update Services Configuration Wizard.
4. Prepare synchronized reporting.
5. Configure Group Policy to enable WSUS across the domain.
6. Perform clarification checks on the WSUS client.
7. Create computer groups, and add client computers.
8. Approve a Critical Update for Windows® 8 operating system clients.
9. Query the WSUS server for available updates from a Windows 8 client.
10. View WSUS reports.
Task 1: Install the Windows Server Update Services role and required features
1. Ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. Install the Windows Server Update Services role and the .NET Framework 3.5 feature by using the Add Roles and Features Wizard.
Task 2: Complete WSUS post-configuration tasks
1. On 10967A-LON-DC1, in the Server Manager notification area, open the task details.
2. Carry out the Post-Deployment Configuration tasks.
3. When they complete successfully, open the Windows Server Update Services management console.
Task 3: Complete the Windows Server Update Services Configuration Wizard
1. Still on 10967A-LON-DC1, if you have not already done so, in Server Manager click Tools and then select Windows Server Update Services to open the Update Services management console.
2. Complete the Windows Server Update Services Configuration Wizard with the following settings:
• Choose Upstream Server: Synchronize from Microsoft Update
• Specify Proxy Server: accept the defaults
• Choose Languages: English only
• Choose Products: Windows 8 only
• Choose Classifications: Critical Updates only
• Set Sync Schedule: Synchronize manually
• Finished page: Begin initial synchronization
Task 4: Prepare synchronization reporting
1. On 10967A-LON-DC1, in the Update Services console, attempt to open the Synchronization Report.
2. What is the result?
3. Install Report Viewer 2008 SP1 from E:\Mod13\Labfiles.
4. Once the installation is complete, verify that you can now open the Synchronization Report successfully.
Task 5: Configure Group Policy to enable WSUS across the domain
1. Still on 10967A-LON-DC1, open the Group Policy Management Console.
2. Create a new Group Policy Object (GPO) named WSUS, linked to the Adatum.com domain.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.
6. Enable Specify intranet Microsoft update service location.
7. Set both the intranet update service for detecting updates and the intranet statistics server to http://LON-DC1:8530
8. Why is the number 8530 specified in the URL?
9. Enable Automatic Updates detection frequency.
10. Start 10967A-LON-CL1 and sign in as ADATUM\Administrator with the password Pa$$w0rd.
11. On LON-CL1, open a Command Prompt with administrative permissions and refresh Group Policy by running the following command:
gpupdate /force
12. Make the client pick up the new WSUS settings and check in immediately by running the following command:
wuauclt /resetauthorization /detectnow
Task 6: Perform verification checks on the WSUS client
1. Perform these tasks on 10967A-LON-CL1.
2. Ensure that the following services are running and have their Startup type set to Automatic:
• Background Intelligent Transfer Service
• Windows Update
Task 7: Create computer groups and add client computers
1. On the 10967A-LON-DC1 virtual machine, open the Windows Server Update Services management console.
2. Expand All Computers and ensure that two computers are listed:
• lon-dc1.adatum.com
• lon-cl1.adatum.com
Note: It may take a few minutes for the computers to appear if you do not see them listed immediately.
3. Create a computer group called WSUS LON Win8 and add lon-cl1.adatum.com to that group.
4. Create a computer group called WSUS LON WS2012 and add lon-dc1.adatum.com to that group.
Task 8: Approve a critical update for Windows® 8 operating system clients
1. Approve the following critical update:
• Update for Windows 8 for x64-based Systems (KB2768703)
2. Specify a deadline of yesterday's date so that client computers install it straight away.
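The server-side work of Tasks 1 to 8, as Windows PowerShell run on 10967A-LON-DC1. This is an added example, not part of the 10967A lab; the UpdateServices module installs with the role and the GroupPolicy module is already on the domain controller. The content folder C:\WSUS, the Get-WsusServer port, and the AUOptions value 4 are this example's own choices. The lab's URL uses plain HTTP on 8530; in production configure SSL and connect with -UseSsl on 8531, so clients accept update metadata only from a server they can authenticate.

```powershell
# Added example, not lab code: Tasks 1-8 of Exercise 1 from PowerShell on LON-DC1.
# Assumptions: content folder C:\WSUS; UpdateServices and GroupPolicy modules present.

# Task 1: the role plus the .NET Framework 3.5 feature the wizard asks for.
Install-WindowsFeature -Name UpdateServices, NET-Framework-Core -IncludeManagementTools

# Task 2: the post-deployment task that the Server Manager notification runs.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

# Task 3: the Configuration Wizard choices. Lab port 8530 is plain HTTP;
# production: configure SSL, then Get-WsusServer -Name LON-DC1 -UseSsl -PortNumber 8531.
$wsus = Get-WsusServer -Name LON-DC1 -PortNumber 8530
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU

$config = $wsus.GetConfiguration()                   # Languages: English only
$config.AllUpdateLanguagesEnabled = $false
$langs = New-Object System.Collections.Specialized.StringCollection
[void]$langs.Add('en')
$config.SetEnabledUpdateLanguages($langs)
$config.Save()

Get-WsusProduct -UpdateServer $wsus | Set-WsusProduct -Disable             # Products: Windows 8 only
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq 'Windows 8' } | Set-WsusProduct
Get-WsusClassification -UpdateServer $wsus | Set-WsusClassification -Disable   # Classifications: Critical only
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -eq 'Critical Updates' } | Set-WsusClassification

$subscription = $wsus.GetSubscription()              # Synchronize manually, then run the first sync
$subscription.SynchronizeAutomatically = $false
$subscription.Save()
$subscription.StartSynchronization()

# Task 5: the WSUS GPO. These registry values are what the three policy settings write.
$url = 'http://LON-DC1:8530'
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-GPO -Name WSUS | New-GPLink -Target 'DC=Adatum,DC=com' | Out-Null
Set-GPRegistryValue -Name WSUS -Key $key -ValueName WUServer       -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name WSUS -Key $key -ValueName WUStatusServer -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name WSUS -Key "$key\AU" -ValueName UseWUServer  -Type DWord -Value 1 | Out-Null  # Specify intranet location
Set-GPRegistryValue -Name WSUS -Key "$key\AU" -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null  # Configure Automatic Updates
Set-GPRegistryValue -Name WSUS -Key "$key\AU" -ValueName AUOptions    -Type DWord -Value 4 | Out-Null  # 4 = auto download, scheduled install
Set-GPRegistryValue -Name WSUS -Key "$key\AU" -ValueName DetectionFrequencyEnabled -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name WSUS -Key "$key\AU" -ValueName DetectionFrequency        -Type DWord -Value 22 | Out-Null

# Task 7: computer groups. Clients are listed only after they check in (Task 5, steps 11-12).
foreach ($name in 'WSUS LON Win8', 'WSUS LON WS2012') { [void]$wsus.CreateComputerTargetGroup($name) }
Get-WsusComputer -UpdateServer $wsus -NameIncludes 'lon-cl1' | Add-WsusComputer -TargetGroupName 'WSUS LON Win8'
Get-WsusComputer -UpdateServer $wsus -NameIncludes 'lon-dc1' | Add-WsusComputer -TargetGroupName 'WSUS LON WS2012'

# Task 8: approve the Windows 8 x64 critical updates for the Win8 group with a deadline
# already in the past, which is what makes the client install at its next detection.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'WSUS LON Win8' }
Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval Unapproved |
    Where-Object { $_.Update.Title -like 'Update for Windows 8 for x64-based Systems*' } |
    ForEach-Object {
        [void]$_.Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
                                $group, (Get-Date).AddDays(-1))
    }
```

Approve-WsusUpdate has no deadline parameter, which is why the last step drops to the IUpdate.Approve overload that takes one; everything else uses the module cmdlets.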
Task 9: Query the WSUS server for available updates from the Windows 8 client
1. Ensure you are signed in to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. At the Command Prompt, run the following:
gpupdate /force
3. After the policy has finished updating, run the following:
wuauclt /resetauthorization /detectnow
4. Open the Windows Update log file C:\Windows\WindowsUpdate.log in Notepad and verify that the client has connected successfully to the WSUS web services.
5. Back on 10967A-LON-DC1, verify that Event Viewer contains events from WSUS indicating that clients have connected successfully.
6. Return to 10967A-LON-CL1.
7. Verify that Update for Microsoft Windows (KB2768703) is listed as installed under Control Panel, Programs, View installed updates.
Note: It may take several minutes for the client to connect and the update to be installed. Proceed to the next exercises and complete those while waiting for the client to be updated. Once you have completed those exercises, return here to verify that the update has been applied successfully.
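The checks behind Task 6 and Task 9 steps 3 to 7, as one script run in an elevated Windows PowerShell on 10967A-LON-CL1. This is an added example, not part of the lab. It reads the same registry keys the WSUS GPO writes, so a FAIL on those rows means Group Policy has not reached the client yet; the URL and KB number are the ones the lab uses.

```powershell
# Added example, not lab code: verify the WSUS client configuration on LON-CL1.
# Assumes the Task 5 URL and the Task 8 KB number.
$expectedUrl = 'http://LON-DC1:8530'
$expectedKb  = 'KB2768703'
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'WUServer is the WSUS URL'       = ($wu.WUServer -eq $expectedUrl)
    'WUStatusServer is the WSUS URL' = ($wu.WUStatusServer -eq $expectedUrl)
    'UseWUServer = 1'                = ($au.UseWUServer -eq 1)
    'Automatic Updates enabled'      = ($au.NoAutoUpdate -eq 0)
}

# Task 6: both services running and set to Automatic. StartMode comes from WMI
# because Get-Service on Windows 8 does not expose the startup type.
foreach ($svc in 'wuauserv', 'BITS') {
    $checks["$svc running"]   = ((Get-Service -Name $svc).Status -eq 'Running')
    $checks["$svc automatic"] = ((Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode -eq 'Auto')
}

# Task 9 step 4: on Windows 8 the agent log is plain text and records the server
# it talked to, so a match on the configured URL shows the client reached WSUS.
$logHits = Select-String -Path "$env:windir\WindowsUpdate.log" -SimpleMatch $expectedUrl -ErrorAction SilentlyContinue
$checks['WSUS URL appears in WindowsUpdate.log'] = ($null -ne $logHits)

# Task 9 step 7: the approved update shows in the installed hotfix list once applied.
$checks["$expectedKb installed"] = [bool](Get-HotFix -Id $expectedKb -ErrorAction SilentlyContinue)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# Policy present but no contact logged yet: force a fresh check-in and re-run the script.
if ($checks['UseWUServer = 1'] -and -not $checks['WSUS URL appears in WindowsUpdate.log']) {
    wuauclt.exe /resetauthorization /detectnow
}
```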
Task 10: View WSUS reports
1. Switch back to 10967A-LON-DC1.
2. Run a Computer Detailed Status report to view the updates for 10967A-LON-DC1.
Results: At the end of this exercise, you will have configured Windows Server Update Services (WSUS) to manage updates.
Exercise 2: Troubleshooting the Startup Process
Scenario
A Help Desk Incident Record has been forwarded to you for resolution by the A. Datum Help Desk support team. Users in the London office have reported being unable to access network resources on a specific server. You have been asked to review the Incident Record, resolve the issue, and complete the Incident Record.
Supporting Documentation
A. Datum Incident Record
Incident Reference Number: 501285
Call logged by: John Peoples
Date of call: May 15
Time of call: 11:45
User: Daniel Roth
Status: OPEN
Incident Details: Call logged by IT Help Desk. Branch users cannot access shared files on 10967A-LON-SVR5.
1. File shares not available over the network.
2. Cannot connect to 10967A-LON-SVR5 with Remote Desktop Connection.
3. Cannot ping the 10967A-LON-SVR5 IP address.
4. All other network resources in the branch location are functioning correctly.
Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
2. What considerations should be made about 10967A-LON-SVR5 and the people and services that depend on the services provided by 10967A-LON-SVR5?
Assessment Questions:
1. What is the error message displayed on 10967A-LON-SVR5?
2. What could the possible causes of this error message be?
3. What tool should you use to try to resolve the problem that is causing the error message?
4. How can you access these tools?
Resolution Questions:
1. How did you resolve the problem?
2. What should the next steps in the troubleshooting process be?
The main tasks for this exercise are as follows:
1. Read the supporting documentation
2. Investigate startup issues on a Windows Server
3. Resolve the issue on the Windows Server and complete the Incident Record
Task 1: Read the supporting documentation
1. Read the Incident Record to determine possible troubleshooting methods.
2. Where is the best place to troubleshoot this problem from?
3. What considerations should be made about 10967A-LON-SVR5 and the people and services that depend on the services provided by 10967A-LON-SVR5?
Task 2: Investigate startup issues on a Windows Server
1. Connect to the 10967A-LON-SVR5 virtual machine.
2. You will be prompted to “Press any key to boot from CD or DVD…” as the virtual machine starts. Do not press anything; allow the virtual machine to start without any intervention.
Note: The virtual machine has been configured with the Windows Server 2012 evaluation ISO installation files already attached, to assist with steps required later in the lab. As a result, the 10967A-LON-SVR5 virtual machine will give the prompt “Press any key to boot from CD or DVD…” each time it starts up. Do not press any key to boot into the installation files unless explicitly told to do so in the lab steps.
3. Observe the error message displayed on 10967A-LON-SVR5 and answer the Assessment Questions in the Incident Record.
4. What is the error message displayed on 10967A-LON-SVR5?
5. What could the possible causes of this error message be?
6. What tool should you use to try to resolve the problem that is causing the error message?
7. How can you access these tools?
Task 3: Resolve the issue on the Windows Server and complete the Incident Record
1. Start the 10967A-LON-SVR5 virtual machine.
2. As stated in the previous task, you will be prompted to “Press any key to boot from CD or DVD…” as the virtual machine starts.
3. Press Enter and allow the virtual machine to boot into the installation files.
4. At the Install Windows dialog box, click Next, and then click the Repair your computer link.
5. In the System Recovery Options dialog box, select Troubleshoot.
6. Proceed to the Command Prompt.
7. Use bcdedit to view the current BCD store.
8. Use bootrec to scan for the operating system.
9. Use bootrec to rebuild the BCD store with the newly found operating system entry.
10. Restart the server and verify that the server now starts successfully.
11. Answer the Resolution Questions on the Incident Record.
12. How did you resolve the problem?
13. What should the next steps in the troubleshooting process be?
14. Revert the 10967A-LON-SVR5 virtual machine.
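The command sequence behind steps 7 to 10, typed at the Windows RE Command Prompt, as an added example that is not part of the lab. It adds the one step the lab omits: bootrec /rebuildbcd replaces the store, so export a copy first and restore it with bcdedit /import if the rebuild makes things worse. The backup path assumes the server's system volume appears as C: inside WinRE (check with diskpart and list volume if the export fails). Note what this exercise also demonstrates: anyone who can boot installation media on the console gets this prompt, and with it full access to the offline disk, unless the volume is protected by BitLocker or the firmware is locked against booting from removable media.

```powershell
# Added example, not lab code: the WinRE commands for Task 3 steps 7-10.
# Typed into cmd.exe at the WinRE prompt; shown in a powershell fence for
# consistency with the other examples on this page. Assumes C: is the system volume.
bcdedit /export C:\bcd-backup       # back up the current store before touching it (restore: bcdedit /import C:\bcd-backup)
bcdedit /enum all                   # step 7: view the store; a missing or bad {default} entry is the symptom
bootrec /scanos                     # step 8: list Windows installations that are not in the store
bootrec /rebuildbcd                 # step 9: answer Y to add the installation that scanos found
bcdedit /enum "{default}"           # confirm the default entry now has device and osdevice values
wpeutil reboot                      # step 10: restart; do not press a key at the "boot from CD or DVD" prompt
```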
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
Exercise 3: Gathering Information to Start the Troubleshooting Process
Scenario
You are asked to examine possible performance issues with LON-SVR2.
You know that the server LON-SVR2 experiences low network traffic and has limited disk activity, but the Help Desk is receiving many reports that the server is slow. Later that week, the Help Desk receives reports that the server is running slow again. You know that LON-SVR2 is not running processor-intensive applications, so you remotely run a System Performance data collector set on LON-SVR2 and now need to analyze those logs to try to identify any problems that could be affecting performance.
Supporting Documentation
A. Datum Incident Record PART A (Complete for Task 1)
Incident Reference Number: 501289
Call logged by: John Peoples
Date of call: May 19, 12:10 PM
User: Daniel Roth
Incident Details: Call logged by IT Help Desk. Users report LON-SVR2 is running slow. Performance Monitor logs are stored in E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartA.blg
Resolution Questions:
1. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer to the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?
A. Datum Incident Record PART B (Complete for Task 2)
Incident Reference Number: 501290
Call logged by: John Peoples
Date of call: May 19, 1:15 PM
User: Daniel Roth
Status: OPEN
Incident Details: Call logged by IT Help Desk. Users report LON-SVR2 is running slow. Performance Monitor logs are stored in E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartB.blg
Resolution Questions:
1. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer to the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?
The main tasks for this exercise are as follows:
1. Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part A
2. Examine the Performance Monitor logs for the second issue and answer the resolution questions for Part B
Task 1: Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part A
1. Ensure you are signed in to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Use Performance Monitor to open the log file E:\Mod13\LabFiles\Captures\ADATUM-LON-SVR2System-Perf-Data-PartA.blg on the server.
3. Add the following counters and examine them:
• Processor - % Processor Time (Instance 0)
• System - Processor Queue Length
• Process - % Processor Time (All Instances)
4. Complete the resolution questions in Part A of the Incident Record.
5. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
6. Keeping in mind your answer from the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?
7. Close Performance Monitor.
Task 2: Examine the Performance Monitor logs for the second issue and answer the resolution questions for Part B
1. Ensure you are still signed in to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Use Performance Monitor to open the log file E:\Mod13\LabFiles\Captures\ADATUM-LON-SVR2System-Perf-Data-PartB.blg on the server.
3. Examine the following counters:
• PhysicalDisk - Avg. Disk Queue Length (Instance 0 C:)
• PhysicalDisk - Current Disk Queue Length (Instance 0 C:)
• PhysicalDisk - Disk Transfers/sec (Instance 0 C:)
• Process - IO Data Bytes/sec (All Instances)
4. Complete the resolution questions in Part B of the Incident Record.
5. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
6. Keeping in mind your answer from the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?
7. Close Performance Monitor.
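The same two captures read from Windows PowerShell instead of the Performance Monitor window, as an added example that is not part of the lab. Import-Counter (Windows PowerShell 3.0, the version on LON-DC1) loads a .blg and returns every sample; the function below keeps only the counters each task asks you to examine and reports their average and peak, so the answer to resolution question 1 comes from numbers rather than from eyeballing a graph. The paths are the ones the task steps give; Get-CounterSummary, its parameters and the row limit are this example's own.

```powershell
# Added example, not lab code: summarise the Task 1 and Task 2 captures with Import-Counter.
function Get-CounterSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Like,   # wildcard patterns matched against each counter path
        [int]$Top = 8                            # rows to show; _Total instances are always dropped
    )
    Import-Counter -Path $Path -ErrorAction Stop |
        ForEach-Object { $_.CounterSamples } |
        Where-Object {
            $p = $_.Path
            $_.Status -eq 0 -and $p -notlike '*(_Total)*' -and ($Like | Where-Object { $p -like $_ })
        } |
        Group-Object -Property Path |
        ForEach-Object {
            $m = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = ($_.Name -replace '^\\\\[^\\]+', '')   # drop the \\MACHINE prefix
                Average = [math]::Round($m.Average, 1)
                Maximum = [math]::Round($m.Maximum, 1)
                Samples = $_.Count
            }
        } |
        Sort-Object -Property Average -Descending |
        Select-Object -First $Top
}

$captures = 'E:\Mod13\LabFiles\Captures'

# Part A: is it the CPU? A Processor Queue Length that stays above roughly 2 per logical
# processor while % Processor Time is pinned, with one process at the top, answers question 1.
Get-CounterSummary -Path "$captures\ADATUM-LON-SVR2System-Perf-Data-PartA.blg" -Like @(
    '*\Processor(0)\% Processor Time',
    '*\System\Processor Queue Length',
    '*\Process(*)\% Processor Time'
) | Format-Table -AutoSize

# Part B: is it the disk? A sustained queue on C: with Disk Transfers/sec flat at the disk's
# limit, plus the process generating the I/O bytes, answers question 1.
Get-CounterSummary -Path "$captures\ADATUM-LON-SVR2System-Perf-Data-PartB.blg" -Like @(
    '*\PhysicalDisk(0 C:)\Avg. Disk Queue Length',
    '*\PhysicalDisk(0 C:)\Current Disk Queue Length',
    '*\PhysicalDisk(0 C:)\Disk Transfers/sec',
    '*\Process(*)\IO Data Bytes/sec'
) | Format-Table -AutoSize
```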
Results: After this exercise, you should have collected information to start the troubleshooting process.
Question: If, after a network adapter installation on a server, Windows startup failed while the splash screen was displayed, which startup-based tool would you use to troubleshoot the issue?
Question: What would be the most efficient way to configure hundreds of clients in a Windows domain to receive updates from a newly installed WSUS server?
Module Review and Takeaways
Review Questions
Question: What is the key functionality of a boot loader?
Question: How does fault-tolerant hardware provide for high availability, provided the hardware is supported by Windows Server 2012?
Question: What benefits does Performance Monitor offer over Resource Monitor?
Tools

BCDEdit
Use for: Editing the Windows Boot Configuration Data (BCD) store.
Where to find it: From the command line, type bcdedit.

Chkdsk
Use for: Checking a volume's file system and disk for unreadable or corrupted sectors.
Where to find it: From the command line, type chkdsk.

WSUS
Use for: Managing Windows updates in the enterprise; allows centralized management of the Windows Update process.
Where to find it: Installed as the Windows Server Update Services role in Windows Server 2012; otherwise available from the Microsoft Download Center and the Windows Server Update Services home page.

Windows Recovery Environment
Use for: Repairing various aspects of a Windows Server.
Where to find it: Select Repair Your Computer from the F8 Windows Advanced Options boot menu, or select Repair your computer when booting from Windows installation media.

Last Known Good Configuration
Use for: Loading system registry settings saved from the last successful system startup.
Where to find it: Select Last Known Good Configuration from the F8 Windows Advanced Options boot menu.

Safe mode
Use for: Loading Windows Server with a minimal set of drivers and services for troubleshooting.
Where to find it: Select one of the Safe Mode options from the F8 Windows Advanced Options boot menu.

Windows Server Backup (wbadmin.exe)
Use for: Backing up Windows Server computers.
Where to find it: Click Start, type Windows Server Backup in the Start Search field, and then press Enter. Can also be run as wbadmin.exe from the command line.

Windows Update
Use for: Updating operating system, device driver, and Microsoft application components.
Where to find it: Click Start, type Windows Update in the Start Search field, and then press Enter.

Event Viewer
Use for: Viewing Windows logs.
Where to find it: Click Start, click Administrative Tools, and then click Event Viewer.

Task Manager
Use for: Viewing basic real-time information about the Windows environment.
Where to find it: Press Ctrl+Shift+Esc.

Resource Monitor
Use for: Viewing detailed real-time information about the Windows environment.
Where to find it: From Task Manager, click the Performance tab, and then click the Open Resource Monitor link.

Performance Monitor
Use for: Viewing and collecting real-time and historical performance and configuration information about the Windows environment.
Where to find it: Click Start, click Administrative Tools, and then click Performance Monitor.

Reliability Monitor
Use for: Viewing an overview of system events and relative system stability.
Where to find it: Click Start, and then in the Start Search box, type perfmon /rel, and then press Enter.

System File Checker (sfc.exe)
Use for: Scanning the integrity of all protected system files and replacing incorrect versions if needed.
Where to find it: From the command line, type sfc /scannow.

Wuauclt.exe
Use for: Windows Update Automatic Updates client command-line tool.
Where to find it: From the command line, type wuauclt.
Course Evaluation Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Module 1: Installing and Configuring Windows Server
Lab: Installing and Configuring Windows Server 2012
Exercise 1: Performing a Local Media-Based Installation
Task 1: Read the server installation instructions
1. Read the contents of the email message in the lab scenario.
2. Specifically, notice the installation options.
Task 2: Install Windows Server 2012
1. Attach the Windows Server 2012 installation DVD to LON-SVR4 by using these steps:
a. Switch to Hyper-V® Manager, right-click 10967A-LON-SVR4, and then click Settings.
b. In the Settings for 10967A-LON-SVR4 dialog box, click DVD Drive in the Hardware pane.
c. In the DVD Drive pane, select Image file, and then click Browse.
d. Browse to C:\Program Files\Microsoft Learning\10967\Drives, click WindowsServer2012_Eval.iso, and then click Open.
e. In the Settings for 10967A-LON-SVR4 dialog box, click OK.
2. In Hyper-V Manager, right-click 10967A-LON-SVR4, and then click Connect.
3. In the Virtual Machine Connection window, click the Action menu, and then click Start.
4. In the Windows Setup wizard, choose the following settings, and then click Next:
• Language to install: English (United States)
• Time and currency format: English (United States)
• Keyboard or input method: US
5. Click the Install now button.
6. Select the Windows Server 2012 Datacenter Evaluation (Server with a GUI) operating system, and then click Next.
7. Accept the license terms, and then click Next.
8. Click Custom: Install Windows only (advanced).
9. Install Windows Server 2012 on Drive 0, and then click Next.
10. Provide the administrator password, Pa$$w0rd, and then click Finish.
Note: Setup will continue by copying and expanding files, installing features and updates, and finishing the installation. This phase takes about 20 minutes. Your instructor might continue with other activities during this phase.
Results: After this exercise, you should have installed a new Windows Server® 2012 server.
Exercise 2: Configuring Windows Server
Task 1: Read the server post-installation configuration instructions
1. Read the contents of the email message in the lab scenario.
2. Specifically, notice the post-installation configuration options.
Task 2: Configure post-installation settings
1. If necessary, switch to the 10967A-LON-SVR4 virtual machine, and then log in as Administrator with Pa$$w0rd.
2. Open Server Manager, and in the navigation pane, click Local Server.
3. Configure time zone settings as specified in the email message:
a. In the Properties area, scroll to the right side, and then click the Time zone entry.
b. In the Date and Time dialog box, click the Change time zone button.
c. Select (UTC) Dublin, Edinburgh, Lisbon, London, make sure that Automatically adjust clock for Daylight Saving Time is selected, and then click OK.
d. In the Date and Time dialog box, click OK.
4. Configure networking settings as specified in the email message:
a. In the Properties area, click the Local Area Connection entry.
b. In the Network Connections window, right-click Local Area Connection, and then select Properties.
c. Click Internet Protocol Version 4 (TCP/IPv4), and then click the Properties button.
d. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Use the following IP address.
e. Enter the following values:
• IP address: 172.16.0.30
• Subnet mask: 255.255.0.0
• Default gateway: 172.16.0.1
f. Select Use the following DNS server addresses, and then enter the following value:
• Preferred DNS server: 172.16.0.10
g. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click OK.
h. In the Local Area Connection Properties window, click Close.
i. Close the Network Connections window.
5. Configure automatic updating and feedback settings as specified in the email message:
a. In the Properties area, click the Windows Update entry.
b. In the Windows Update window, click Turn on automatic updates.
c. Close the Windows Update window.
6. Configure the computer name and domain settings as specified in the email message:
a. In the Properties area, click the Computer Name value.
b. In the System Properties window, click the Change button.
c. In the Computer Name/Domain Changes window, type LON-SVR4 in the Computer name field.
d. Select Domain in the Member of section, and then type Adatum.com in the Domain field.
e. Click OK.
f. When you are prompted to provide administrative account details, use ADATUM\Administrator and a password of Pa$$w0rd.
g. When the Welcome to the Adatum domain dialog box appears, click OK.
h. When you are prompted to restart your computer to apply these changes, click OK.
i. In the System Properties window, click Close.
j. When you are prompted to restart, click Restart Now.
Results: After this exercise, you should have configured post-installation settings by using Server Manager.
Exercise 3: Convert to Server Core
Task 1: Remove the GUI from the Windows Server 2012 installation
1. If necessary, switch to 10967A-LON-SVR4, and then log in as Adatum\Administrator with Pa$$w0rd.
2. Click the File Explorer icon on the taskbar to confirm that the graphical user interface (GUI) components are installed.
3. In Server Manager, select the Manage menu, and then click Remove Roles and Features.
4. In the Remove Roles and Features Wizard, click Server Selection, verify that LON-SVR4.Adatum.com is selected, and then click Next.
5. On the Remove Server Roles page, click Next.
6. On the Remove Features page, expand User Interfaces and Infrastructure, clear Server Graphical Shell and Graphical Management Tools and Infrastructure, click Remove Features when the dependency dialog box opens, and then click Next.
7. On the Confirm Removal Selections page, select the Restart the destination server automatically if required check box, and then click Yes to confirm your selection.
8. Click the Remove button, and wait for the features to be removed.
9. After the computer restarts, log on as ADATUM\Administrator with password Pa$$w0rd.
10. Notice that the File Explorer icon is no longer available and Server Manager does not appear. Also, pressing the Windows logo key does not activate the Windows interface.
Task 2: Install GUI administrative components in Windows Server 2012 Server Core
1. Continue to work on 10967A-LON-SVR4.
2. At the command prompt, type the following, and then press Enter:
powershell
3. At the Windows PowerShell prompt, type the following, and then press Enter:
Get-WindowsFeature
4. Note the Name associated with the Graphical Management Tools and Infrastructure component.
5. At the Windows PowerShell prompt, type the following, and then press Enter:
Install-WindowsFeature Server-Gui-Mgmt-Infra
6. Wait for the installation to finish.
7. Notice the warning message that you must restart this computer to finish the installation process.
8. At the prompt, type the following, and then press Enter:
Restart-Computer
9. After the computer restarts, log on as ADATUM\Administrator with password Pa$$w0rd.
10. Verify that the command prompt displays and that Server Manager also displays. Components such as File Explorer are still not available.
11. When the Remove Roles and Features Wizard window reports that removal succeeded on LON-SVR4.Adatum.com, click Close.
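The end state of Exercise 3 reached directly from Windows PowerShell on 10967A-LON-SVR4, with a check of what is installed before and after. This is an added example, not lab code. The two feature names come from the lab's own Get-WindowsFeature step; Desktop-Experience is added here as the third GUI feature a hardened server usually has removed.

```powershell
# Added example, not lab code: Exercise 3 in one removal, plus before/after checks.
$guiFeatures = 'Server-Gui-Shell', 'Server-Gui-Mgmt-Infra', 'Desktop-Experience'
Get-WindowsFeature -Name $guiFeatures | Format-Table -Property Name, InstallState -AutoSize

# Tasks 1 and 2 remove both GUI features and then put Server-Gui-Mgmt-Infra back.
# Removing only the shell reaches the same Minimal Server Interface in a single restart.
# Every feature left off a server is code that cannot be attacked and need not be patched.
Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart

# After the restart: Server Manager and the MMC tools remain, File Explorer does not.
# To go all the way to Server Core, remove Server-Gui-Mgmt-Infra as well.
Get-WindowsFeature -Name $guiFeatures | Where-Object { $_.Installed } |
    Select-Object -ExpandProperty Name
```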
Results: After this exercise, you should have converted from a Full installation to a Minimal Interface installation.
Exercise 4: Configuring Services
Task 1: Configure Print Spooler service settings
1. If necessary, switch to the 10967A-LON-SVR4 virtual machine and log in with the user name ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Services.
3. Scroll down to Print Spooler. Notice that the Print Spooler status is Running and its startup type is set to Automatic.
4. Right-click Print Spooler, and then click Properties.
5. Click the drop-down box for Startup type, and then select Disabled.
6. Click the Stop button to stop the Print Spooler service, and then click OK.
Results: After this exercise, you should have used Server Manager to change service startup options.
Exercise 5: Configuring Devices
Task 1: Update the standard PS/2 keyboard driver
1. If necessary, switch to the 10967A-LON-SVR4 virtual machine and log in with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Computer Management.
3. In the left column, select Device Manager.
4. In the Device Manager window, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
5. In the Update Driver Software – Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
6. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
7. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102-Key), and then click Next.
8. Click Close.
9. In the System Settings Change dialog box, click Yes to restart the computer.
Task 2: Roll back the driver to its earlier version
1. Log on to the 10967A-LON-SVR4 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Computer Management.
3. In the left column, select Device Manager.
4. In the Device Manager window, expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102-Key), and then click Properties.
5. In the PC/AT Enhanced PS/2 Keyboard (101/102-Key) Properties dialog box, click the Driver tab.
6. Click Roll Back Driver.
7. In the Driver Package rollback dialog box, click Yes.
8. Click Close, and then in the System Settings Change dialog box, click Yes to restart the computer.
9. Log on to the 10967A-LON-SVR4 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.
10. In Server Manager, click the Tools menu, and then click Computer Management.
11. In the left column, select Device Manager.
12. Expand Keyboards, and then click Standard PS/2 Keyboard.
13. Verify that you have successfully rolled back the keyboard driver.
Task 3: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR4.
Results: After this exercise, you should have performed update and rollback operations on a device driver.
Module 2: Implementing Storage in Windows Server
Lab: Implementing Storage in Windows Server
Exercise 1: Creating and Mounting a VHD File
Task 1: Create and initialize a virtual hard disk
1. On your host computer, open Hyper-V Manager, and ensure you are signed on to the 10967A-LON-SVR1 virtual machine with user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Server Manager, click Tools, and then select Computer Management.
3. In the Computer Management console, expand Storage, and then click Disk Management.
Note: Alternatively, you can hover the mouse over the bottom-left corner and right-click. In the resulting menu, select Disk Management.
4. Right-click Disk Management in the left pane and select Create VHD.
5. In the Create and Attach Virtual Hard Disk dialog box, create a .vhd file with the following characteristics, and then click OK:
• Location and file name: C:\Temp\LON-SVR1-Disk7
• Virtual hard disk size: 7 GB
• Virtual hard disk format: VHD
• Virtual hard disk type: Dynamically expanding
6. Open File Explorer and verify that the file exists as you created it.
7. Return to Disk Management and verify that the disk is listed with the properties you specified.
Task 2: Use Windows PowerShell to identify the newly created disk, bring the disk online, and initialize it
1. Open the Windows PowerShell console by right-clicking the Windows PowerShell icon and selecting Run as Administrator.
2. To view the available disks, type the following and press Enter:
Get-Disk
3. The .vhd file just created should have a size of approximately 7 GB, be online, and have disk number 7.
4. You can use Windows PowerShell to take a disk offline. Type the following, where <disk number> is the number of the disk that has just been created, and then press Enter:
Set-Disk -Number <disk number> -IsOffline $True
5. Use the Get-Disk command to verify that the disk is offline.
6. To bring the disk online, type the following and press Enter:
Set-Disk -Number <disk number> -IsOffline $False
7. To find a command that may be able to initialize a disk, type the following and press Enter:
Get-Help *Disk*
8. Scroll through the resulting cmdlets and locate the cmdlet Initialize-Disk.
9. To initialize the disk with an MBR partition style, type the following and press Enter:
Initialize-Disk -Number 7 -PartitionStyle MBR
10. Use the Get-Disk command to ensure that the disk was initialized successfully.
Results: After this exercise, you should have a Hyper-V® .vhd file.
Exercise 2: Creating and Making Available New Volumes
Task 1: Create two new simple volumes
1. Ensure you are signed on to the 10967A-LON-SVR1 virtual machine with user name ADATUM\Administrator and password Pa$$w0rd.
2. Under Computer Management, expand Storage, and then click Disk Management.
3. Right-click Disk 1 and select Online.
4. Right-click Disk 1 and select Initialize Disk.
5. In the Initialize Disk dialog box, accept the defaults and click OK.
6. On Disk 1, right-click the unallocated area of the disk (the black area), and then select New Simple Volume.
7. Click Next.
8. Change Simple volume size in MB to 2000. Click Next.
9. Select J in the drop-down box for Assign the following drive letter. Click Next.
10. On the Format Partition page, ensure that NTFS is selected, enter the volume label SimpleVol_NTFS, and click Next.
11. Click Finish.
12. Right-click SimpleVol_NTFS and select Format, and then click OK in the Format J: dialog box.
13. In the Format J: dialog box, read the warning and click OK.
14. In the Disk Management dialog box, read the warning and click Yes.
15. Verify that SimpleVol_NTFS shows Healthy (Primary Partition).
16. Go to File Explorer from the taskbar and notice that a dialog box appears prompting that the newly attached disk needs to be formatted. In this dialog box, click Cancel.
17. In File Explorer, ensure that the new volume is displayed as a drive with letter J.
18. Repeat steps 3 to 17 using Disk 2 with the following settings (substitute K for J and SimpleVol_ReFS for SimpleVol_NTFS):
• Simple volume size in MB: 10000
• Assign the following drive letter: K
• File system: ReFS
• Volume label: SimpleVol_ReFS
Task 2: Change the new disks' drive letters
1. On 10967A-LON-SVR1, go to Server Manager and click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_NTFS volume and then select Change Drive Letter and Paths.
4. Click Change.
5. Change Assign the following drive letter to R:, click OK, and then click Yes twice.
6. Repeat steps 3 to 5 for the SimpleVol_ReFS volume, assigning the drive letter S to the volume.
7. Open File Explorer and verify that the drive letters now appear as configured.
Task 3: Mount the new volume
1. On 10967A-LON-SVR1, go to Server Manager and click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Change Drive Letter and Paths.
4. Click Add.
5. Select Mount in the following empty NTFS folder, and then click Browse.
6. With C:\ selected, click New Folder and call the folder MountedVolume_NTFS.
7. Click OK twice.
8. Repeat steps 3 to 7 for the SimpleVol_ReFS volume using the folder path C:\MountedVolume_ReFS.
9. In File Explorer, show that C:\MountedVolume_NTFS and C:\MountedVolume_ReFS exist and are accessible as expected.
Results: After this exercise, you should have a 2 GB NTFS volume and a 10 GB ReFS volume.
Exercise 3: Vary the Sizes of the NTFS and ReFS Volumes
Task 1: Extend the size of the NTFS volume
1. On 10967A-LON-SVR1, go to Server Manager and click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Extend Volume.
4. On the Welcome to the Extend Volume Wizard page, click Next.
5. On the Select Disks page, in the Select the amount of space in MB textbox, enter 4000 and click Next.
6. On the Completing the Extend Volume Wizard page, click Finish.
7. Verify that the NTFS volume has increased from 2 GB to 6 GB in size and is still available and accessible.
Task 2: Shrink the size of the ReFS volume
1. On 10967A-LON-SVR1, go to Server Manager and click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_ReFS volume, and then select Shrink Volume.
4. Verify that a message displays stating The volume cannot be shrunk because the file system does not support it.
5. Click OK to close the Virtual Disk Manager dialog box.
Results: You have expanded the NTFS volume to 4 GB in size but have failed to shrink the ReFS volume, because shrinking a ReFS volume is not supported. If your manager insists on having a ReFS drive of the reduced size, the volume will need to be re-created.
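Exercises 2 and 3 carried out with the Storage module cmdlets rather than Disk Management, as an added example that is not courseware code. It assumes disks 1 and 2 are already online and initialized (Exercise 2 Task 1, steps 3 to 5), that drive letters J, K, R and S are free, and it uses the lab's sizes, labels and folder paths; the `New-LabVolume` helper is the example's own.

```powershell
# Added example (not courseware code): Exercises 2 and 3 with the Storage
# module (Windows Server 2012+). Assumes disks 1 and 2 are online and
# initialized and that drive letters J, K, R and S are free.

function New-LabVolume {
    # Hypothetical helper: carve a partition of the given size and format it.
    param(
        [int]$DiskNumber,
        [int]$SizeMB,
        [char]$DriveLetter,
        [ValidateSet('NTFS', 'ReFS')][string]$FileSystem,
        [string]$Label
    )
    $part = New-Partition -DiskNumber $DiskNumber -Size ($SizeMB * 1MB) -DriveLetter $DriveLetter
    $part | Format-Volume -FileSystem $FileSystem -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    return $part
}

# Exercise 2 Task 1: the two simple volumes.
$ntfs = New-LabVolume -DiskNumber 1 -SizeMB 2000  -DriveLetter J -FileSystem NTFS -Label SimpleVol_NTFS
$refs = New-LabVolume -DiskNumber 2 -SizeMB 10000 -DriveLetter K -FileSystem ReFS -Label SimpleVol_ReFS

# Exercise 2 Task 2: change the drive letters.
$ntfs | Set-Partition -NewDriveLetter R
$refs | Set-Partition -NewDriveLetter S

# Exercise 2 Task 3: also mount each volume in an empty NTFS folder on C:.
foreach ($pair in @(@($ntfs, 'C:\MountedVolume_NTFS'), @($refs, 'C:\MountedVolume_ReFS'))) {
    $partition, $path = $pair
    New-Item -ItemType Directory -Path $path -Force | Out-Null   # the folder must exist and be empty
    Add-PartitionAccessPath -DiskNumber $partition.DiskNumber -PartitionNumber $partition.PartitionNumber -AccessPath $path
}

# Exercise 3 Task 1: extend NTFS by 4000 MB. Get-PartitionSupportedSize returns
# the range Resize-Partition will accept; SizeMax includes only free space that
# directly follows the partition on the disk, so check it before resizing.
$limits = $ntfs | Get-PartitionSupportedSize
$target = $ntfs.Size + 4000MB
if ($target -gt $limits.SizeMax) {
    throw "Only $([math]::Floor($limits.SizeMax / 1MB)) MB available after the NTFS partition; cannot extend to $($target / 1MB) MB"
}
$ntfs | Resize-Partition -Size $target
$grown = Get-Partition -DiskNumber $ntfs.DiskNumber -PartitionNumber $ntfs.PartitionNumber
'NTFS volume is now {0:N0} MB' -f ($grown.Size / 1MB)

# Exercise 3 Task 2: ReFS cannot be shrunk. Resize-Partition rejects the
# smaller size, so catch the error and report it instead of retrying.
try {
    $refs | Resize-Partition -Size ($refs.Size - 1000MB) -ErrorAction Stop
    'ReFS volume shrunk (not expected on Windows Server 2012)'
} catch {
    "ReFS volume could not be shrunk: $($_.Exception.Message) Re-create it at the smaller size instead."
}
```

The SizeMax check before `Resize-Partition` is the scripted equivalent of the wizard only offering the contiguous free space; running the extend blindly would fail at the end rather than up front.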
Exercise 4: Creating a Fault-Tolerant Disk Configuration by Using Storage Spaces
Task 1: Create a storage pool
1. Ensure you are signed in to 10967A-LON-SVR1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click File and Storage Services, then Volumes, then Storage Pools.
3. In the Storage Pools section, click Tasks and choose New Storage Pool….
4. On the opening page of the New Storage Pool Wizard, click Next.
5. On the Specify a storage pool name and subsystem page, enter StoragePool1 into the Name textbox, and then click Next.
6. On the Select physical disks for the storage pool page, select physical disks 3 and 4, and then click Next.
7. On the Confirm selections page, click Create.
8. On the View results page, click Close.
Task 2: Create a storage space virtual disk
1. In Server Manager, in the File and Storage Services section, click Volumes and then Storage Pools.
2. Click StoragePool1 under Storage Pools, and then in the Virtual Disks section click Tasks and choose New Virtual Disk….
3. In the New Virtual Disk Wizard, on the Before You Begin page, click Next.
4. On the Select Storage Pool page, ensure StoragePool1 is selected and click Next.
5. On the Specify the virtual disk name page, enter VirtualDisk1 into the Name field and click Next.
6. On the Storage Layout page, select Mirror and click Next.
7. On the Specify provisioning type page, select Thin and click Next.
8. On the Specify the size of the virtual disk page, enter 4 GB into the virtual disk size textbox and click Next.
9. On the Confirm selections page, click Create and then click Close.
10. The New Volume Wizard appears; on the Before You Begin page, click Next.
11. On the Select the server and disk page, click Next.
12. On the Specify the size of the volume page, click Next.
13. On the Assign a drive letter or folder page, select T from the drop-down list, and then click Next.
14. On the Select file system settings page, select NTFS as the file system, enter VirtualDiskMirVol as the Volume Label, and click Next.
15. On the Confirm selections page, click Create.
16. On the Completion page, click Close.
Task 3: Verify the virtual disk is available and functional
1. Open File Explorer by clicking the File Explorer icon in the taskbar.
2. Locate the drive with the volume label VirtualDiskMirVol.
3. Create a .txt file in this drive called Test File.txt.
Task 4: Add an additional physical disk to the storage pool
1. In Server Manager, in the File and Storage Services section, click Volumes and then Storage Pools.
2. Right-click StoragePool1 under Storage Pools, and select Add Physical Disk….
3. In the Add Physical Disk dialog, select PhysicalDisk 5 and click OK.
4. Verify that three disks are now listed in the Physical Disks section in Storage Pools.
Task 5: Remove a physical disk to simulate disk failure
1. In Server Manager, in the File and Storage Services section, click Volumes and then Storage Pools.
2. In the Physical Disks section, right-click PhysicalDisk 4 and select Remove Disk.
3. In the resultant Remove Physical Disk prompt, click Yes.
4. Click OK again in the Remove Physical Disk dialog.
Task 6: Verify storage virtual disk state and data accessibility
1. Open File Explorer by clicking the File Explorer icon in the taskbar.
2. Verify that Test File.txt is still present and accessible on VirtualDiskMirVol.
3. Return to Server Manager, click File and Storage Services, then Volumes, then Storage Pools, and go to the Physical Disks section.
4. Notice that only two disks are now listed as part of the virtual disk in the Physical Disks section.
5. In the Virtual Disks section, verify that a warning appears alongside VirtualDisk1.
6. Right-click the virtual disk VirtualDisk1, select Properties, and in the Virtual Disk Properties dialog click Health.
7. Notice that the status is listed as Warning.
8. Click OK to close the VirtualDisk1 Properties window.
Task 7: Repair and verify the health of the virtual disk
1. In Server Manager, in the Storage Pools pane, in the Virtual Disks section, right-click VirtualDisk1 and select Repair Virtual Disk.
2. Refresh the view and verify that the virtual disk warning message is no longer present.
3. Right-click the virtual disk VirtualDisk1, select Properties, and click Health.
4. Verify that the health status now reads Healthy, and then close the VirtualDisk1 Properties window.
5. Open File Explorer and verify that the file you created earlier is still accessible and available.
Task 8: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, follow these steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR1.
Results: You have created a storage pool and a virtual disk, and have verified the integrity of the shared data in the event of catastrophic hard disk failure by simulating the removal of a disk to represent that failure.
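The same pool, mirror, simulated failure and repair done with the Storage module cmdlets, added here as an example; it is not the courseware's own code. It assumes Windows Server 2012 or later, that the physical disks carry the friendly names PhysicalDisk3, PhysicalDisk4 and PhysicalDisk5 (the lab shows them with a space, so adjust if Get-PhysicalDisk reports otherwise), and that drive letter T is free; `Get-LabSpaceHealth` is the example's own helper.

```powershell
# Added example (not courseware code): Exercise 4 with the Storage module.
# Assumes Windows Server 2012+, the physical disk names below, and a free T: letter.

# Task 1: pool the two disks the lab uses. The subsystem name contains
# "Spaces" on Windows Server 2012; fall back to the first subsystem otherwise.
$subsystem = Get-StorageSubSystem | Where-Object FriendlyName -like '*Spaces*' | Select-Object -First 1
if (-not $subsystem) { $subsystem = Get-StorageSubSystem | Select-Object -First 1 }
$poolDisks = Get-PhysicalDisk -CanPool $true | Where-Object FriendlyName -in 'PhysicalDisk3', 'PhysicalDisk4'
if (@($poolDisks).Count -lt 2) { throw 'A two-way mirror needs at least two poolable disks' }
New-StoragePool -FriendlyName StoragePool1 -StorageSubSystemUniqueId $subsystem.UniqueId -PhysicalDisks $poolDisks | Out-Null

# Task 2: thin-provisioned mirror, then an NTFS volume on it as T:.
New-VirtualDisk -StoragePoolFriendlyName StoragePool1 -FriendlyName VirtualDisk1 `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 4GB | Out-Null
$disk = Get-VirtualDisk -FriendlyName VirtualDisk1 | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter T |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel VirtualDiskMirVol -Confirm:$false | Out-Null

# Task 3: a file to check against after the "failure".
Set-Content -Path 'T:\Test File.txt' -Value 'written before the simulated disk failure'

# Task 4: a third disk gives the pool somewhere to rebuild the mirror.
Add-PhysicalDisk -StoragePoolFriendlyName StoragePool1 -PhysicalDisks (Get-PhysicalDisk -FriendlyName PhysicalDisk5)

# Task 5: simulate the failure of one mirror member by removing it from the pool.
Remove-PhysicalDisk -StoragePoolFriendlyName StoragePool1 -PhysicalDisks (Get-PhysicalDisk -FriendlyName PhysicalDisk4)

function Get-LabSpaceHealth {
    # Hypothetical helper: one object with the facts Tasks 6 and 7 ask you to check.
    $vd = Get-VirtualDisk -FriendlyName VirtualDisk1
    [pscustomobject]@{
        HealthStatus      = $vd.HealthStatus        # Warning while degraded, Healthy after repair
        OperationalStatus = $vd.OperationalStatus
        MemberDisks       = @($vd | Get-PhysicalDisk).Count
        FileReadable      = Test-Path 'T:\Test File.txt'
    }
}

# Task 6: the data stays readable on the surviving copy while health is degraded.
Get-LabSpaceHealth

# Task 7: repair, wait for the rebuild job, and confirm the space is healthy again.
Repair-VirtualDisk -FriendlyName VirtualDisk1
while (Get-StorageJob | Where-Object { $_.JobState -eq 'Running' }) { Start-Sleep -Seconds 5 }
Get-LabSpaceHealth
```

The `Get-StorageJob` loop matters in practice: the GUI's Repair Virtual Disk action returns immediately, and the health status stays at Warning until the background rebuild onto the spare disk has finished.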
Module 3: Understanding Network Infrastructure
Lab: Selecting Network Infrastructure Components
Exercise 1: Determining Appropriate Network Components
Task 1: Read the supporting documentation
Read the supporting documentation sent to you by the Seattle office manager.
Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs Assessment.
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
Answer: Because of the large amount of data being sent back and forth on the network, the fastest Ethernet standard that can be deployed in an office LAN environment should be used. 10GBASE-T offers a throughput of 10 Gbps and uses copper cabling as its medium, which can easily be installed in each office while the new building is being constructed.
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
Answer: Based on the conference room's size and the variance in location and mobility of users and their laptops, a wireless infrastructure should be used for the conference room, preferably the fastest available, 802.11n. Encryption should also be added to the wireless network, preferably WPA2 with RADIUS, the most secure and current wireless encryption protocol, with the ability to use certificates to control access.
3. What components and technology would you use to connect the New York and Seattle branches?
Answer: T1 would be a good choice. There isn't a lot of data being sent between the two offices, and a leased T1 connection through a telecommunications provider would allow data to be sent between locations in a secure fashion.
4. What is the best architecture to allow both partners and home office users to access their information using only one method of access?
Answer: An extranet could be set up, providing a server available for both partners and remote users to exchange their files. This would provide one point of access, in addition to a centralized place to host the files that these two groups are using. We know the A. Datum staff will all be running the Windows 8 operating system, so we could set up DirectAccess to allow the remote staff to be always connected to the office network, or we could also consider a VPN connection; however, because they only need access to a few files, an extranet would be the more logical choice. If the office were to expand significantly over the short term, it might be worth investing in a DirectAccess solution now. Perhaps this is one point you can inquire about in your follow-up with Susan.
Results: After this exercise, you should have identified the infrastructure and components required to implement a network in a new location.
Module 4: Connecting Network Components
Lab: Connecting Network Components
Exercise 1: Connecting Network Components
Task 1: Read the supporting deployment plan document
1. Read the supporting email.
2. Review the Branch Office Network Components Deployment Plan.
Task 2: Update the Branch Office Network Components Deployment Plan
Update the Branch Office Network Components Deployment Plan by answering these questions.
1. What devices are required in the branches to support these requirements?
Answer: Switches. These provide a way of connecting the nodes on the network and support virtual local area networks (VLANs). Traffic is isolated to the required VLAN except where necessary. In addition, simple hubs do not support quality of service (QoS).
2. What devices are required to connect the branches together and connect the branches to the head office?
Answer: Routers. Although switches can provide routing functions, wide area network (WAN) routers are needed to connect the branches together and to connect to the head office.
3. What issues arise when you implement these devices?
Answer: You must select a mechanism to manage the routing tables. You could use static routes, or alternatively implement a routing protocol such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).
4. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.
Answer: See the following diagram. [Figure: Proposed A. Datum Branch Network Plan]
Results: After this exercise, you should have completed both the A. Datum Branch Network Plan diagram and the Branch Office Network Components Deployment Plan.
Exercise 2: Selecting a Suitable Wiring Infrastructure
Task 1: Read the supporting documentation
• Read the Branch Office Network Wiring Plan.
Task 2: Update the proposal document with your planned course of action
Update the proposal document with your planned course of action by answering these proposal questions.
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined for network components earlier?
Answer: Switches were indicated earlier, which means coaxial cable is not possible, and in general coaxial cable is not a good choice in any new installation. Twisted-pair and fiber cabling is required.
2. How will you address the issue of high levels of electromagnetic interference?
Answer: Where required, install shielded twisted pair. In areas where this is insufficient, use fiber.
3. What cable standards do you propose?
Answer: For copper, Category 5e or higher. Cat 6 supports 10 gigabits per second (Gbps) Ethernet and better future-proofs the solution. For fiber, multimode fiber is cheaper and should address the bandwidth requirements.
Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
Module 5: Implementing TCP/IP
Lab: Implementing TCP/IP
Exercise 1: Determining an Appropriate IPv4 Addressing Scheme
Task 1: Read the supporting documentation
1. Review the supporting email documentation.
2. Review the A. Datum Branch IP Addressing diagram.
Task 2: Update the proposal document with your planned steps
Review the Branch Office IP Addressing Scheme, and update the proposal by answering these questions.
1. How many network addresses do you need to support these requirements?
Answer: Six.
2. What class address is 172.16.0.0/16?
Answer: Class B.
3. Is this a private or public address?
Answer: Private.
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next logical subnet after this initial subnet?
Answer: 172.16.32.0/20. The next is 172.16.48.0/20.
5. What are the first and last hosts in this subnet?
Answer: The first host is one address above the subnet ID, and the last host is two addresses below the next subnet ID (the address immediately below the next subnet ID is the broadcast address). Therefore, the first host is 172.16.16.1/20 and the last is 172.16.31.254.
6. What would the subnet mask be for hosts in this subnet?
Answer: 255.255.240.0.
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will implement in the branches; do not worry about the WAN links.
Answer: See the following addressing diagram. [Figure: Completed A. Datum IP addressing diagram]
Results: After this exercise, you should have completed both the A. Datum Branch IP Addressing.vsd diagram and the Branch Office IP Addressing Scheme document.
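The arithmetic behind answers 2 to 6, written out as a function so it can be checked for any block, not only 172.16.16.0/20. This is an added example, not part of the courseware; it needs no modules, and `Get-SubnetFacts` and its two nested converters are the example's own names.

```powershell
# Added example (not courseware code): compute subnet ID, mask, first/last host,
# broadcast, next subnet, address class and RFC 1918 status for any IPv4 CIDR.
function Get-SubnetFacts {
    param([Parameter(Mandatory)][string]$Cidr)

    $ipText, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 1 -or $prefix -gt 30) { throw "Prefix /$prefix leaves no usable host addresses" }

    # Dotted quad <-> integer. Int64 keeps the shifts from overflowing a signed Int32.
    function ConvertTo-Int([string]$a) {
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
    }
    function ConvertTo-Dotted([int64]$n) {
        return '{0}.{1}.{2}.{3}' -f (($n -shr 24) -band 0xFF), (($n -shr 16) -band 0xFF), (($n -shr 8) -band 0xFF), ($n -band 0xFF)
    }

    $mask    = ([int64]0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF   # /20 -> 255.255.240.0
    $address = ConvertTo-Int $ipText
    $network = $address -band $mask                                         # the subnet ID
    $size    = [int64]1 -shl (32 - $prefix)                                 # addresses in the block

    # Classful rules: the leading bits of the first octet decide (0xxx A, 10xx B, 110x C).
    $first = $address -shr 24
    $class = if ($first -lt 128) { 'A' } elseif ($first -lt 192) { 'B' } elseif ($first -lt 224) { 'C' } elseif ($first -lt 240) { 'D' } else { 'E' }

    # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
    $private = (($network -band 0xFF000000) -eq (ConvertTo-Int '10.0.0.0')) -or
               (($network -band 0xFFF00000) -eq (ConvertTo-Int '172.16.0.0')) -or
               (($network -band 0xFFFF0000) -eq (ConvertTo-Int '192.168.0.0'))

    [pscustomobject]@{
        Network    = "$(ConvertTo-Dotted $network)/$prefix"
        SubnetMask = ConvertTo-Dotted $mask
        FirstHost  = ConvertTo-Dotted ($network + 1)          # one above the subnet ID
        Broadcast  = ConvertTo-Dotted ($network + $size - 1)  # one below the next subnet ID
        LastHost   = ConvertTo-Dotted ($network + $size - 2)  # two below the next subnet ID
        NextSubnet = "$(ConvertTo-Dotted ($network + $size))/$prefix"
        Class      = $class
        Private    = $private
    }
}

# The lab's block: mask 255.255.240.0, hosts 172.16.16.1 to 172.16.31.254,
# broadcast 172.16.31.255, next subnet 172.16.32.0/20, class B, private.
Get-SubnetFacts -Cidr '172.16.16.0/20'
```

Feeding it `172.16.32.0/20` in turn gives the following block, 172.16.48.0/20, which is how the answer to question 4 was reached.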
Exercise 2: Configuring IPv4 with Windows Server 2012
Task 1: Configure a Dynamic Host Configuration Protocol scope
1. Ensure you are logged on to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. If it is not already open, open Server Manager by clicking the Server Manager icon on the taskbar, point to the Tools menu, and then click DHCP.
3. In the DHCP window, expand lon-svr1.adatum.com, click IPv4, right-click IPv4, and then click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, in the Name box, type Head Office 1.
6. In the Description box, type Client computer addresses, and then click Next.
7. On the IP Address Range page, enter the following information and then click Next.
    • Start IP address: 172.16.0.20
    • End IP address: 172.16.0.30
    • Length: 16
    • Subnet mask: 255.255.0.0
8. On the Add Exclusions and Delay page, click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
16. In the console, expand IPv4, expand Scope [172.16.0.0] Head Office 1, and then click Address Leases.
17. How many address leases have been used?
Answer: None.
Task 2: Configure the client computer to obtain an IP address dynamically
1. Switch to the 10967A-LON-CL1 virtual machine and ensure you are logged on as ADATUM\Administrator with password Pa$$w0rd.
2. On the Start page, type con. When Control Panel appears on the left side, click it to open it.
3. Click Network and Internet, click Network and Sharing Center, and then click Change adapter settings.
4. In the Network Connections window, double-click Ethernet, and then click the Properties button.
5. In the Ethernet Properties dialog box, locate and double-click Internet Protocol Version 4 (TCP/IPv4).
6. Select Obtain an IP address automatically and Obtain DNS server address automatically, and then click OK.
7. In the Ethernet Properties dialog box, click OK, and then click Close to close the Ethernet Status dialog box.
Task 3: Verify that the client computer obtained an address
1. Switch back to the 10967A-LON-SVR1 virtual machine.
2. In DHCP, press F5 to refresh the view. Verify that there is a new lease for LON-CL1.
3. What is the IP address for LON-CL1?
Answer: 172.16.0.20.
Task 4: Determine the IP address on the client computer
1. Switch back to 10967A-LON-CL1.
2. Click the lower-left corner of the virtual machine, open the Start home page, type cmd, and then press Enter.
3. At the Command Prompt, type the following command, and then press Enter.
    ipconfig /all
4. What is the current IPv4 address?
Answer: 172.16.0.20.
5. Is DHCP enabled?
Answer: Yes.
6. What is the IP address of the DHCP server?
Answer: 172.16.0.15.
7. When does the DHCP lease expire?
Answer: In 8 days.
Results: After this exercise, you should have created a DHCP scope and allocated a client address.
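Exercise 2 scripted with the DhcpServer and NetTCPIP modules, as an added example that is not courseware code. Scope values, addresses and computer names are the lab's; the script assumes Windows Server 2012 / Windows 8, that the client's adapter is named Ethernet, and it decides which part to run from the local computer name so the same file can be run on LON-SVR1 and on LON-CL1. `Get-LabLease` is the example's own helper.

```powershell
# Added example (not courseware code): Exercise 2 with DhcpServer/NetTCPIP cmdlets.
# Runs the server part on LON-SVR1 and the client part on LON-CL1, chosen by
# computer name. Assumes the client adapter alias is 'Ethernet'.

function Get-LabLease {
    # Hypothetical helper: the Task 3 lease check for one client host name.
    param([string]$HostName = 'LON-CL1')
    Get-DhcpServerv4Lease -ScopeId 172.16.0.0 |
        Where-Object { $_.HostName -like "$HostName*" } |
        Select-Object IPAddress, HostName, ClientId, AddressState, LeaseExpiryTime
}

switch ($env:COMPUTERNAME) {
    'LON-SVR1' {
        # Task 1: create and activate the scope, then option 3 (router) on it.
        $scope = @{
            Name        = 'Head Office 1'
            Description = 'Client computer addresses'
            StartRange  = '172.16.0.20'
            EndRange    = '172.16.0.30'
            SubnetMask  = '255.255.0.0'
            State       = 'Active'
        }
        Add-DhcpServerv4Scope @scope
        Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1

        # Task 3: no leases until a client asks; afterwards LON-CL1 holds
        # the first free address in the range, 172.16.0.20.
        Get-LabLease

        # Scope facts worth verifying with the lease: state, lease duration
        # (the 8-day default is the Task 4 answer) and any exclusions.
        Get-DhcpServerv4Scope -ScopeId 172.16.0.0 | Select-Object ScopeId, Name, State, LeaseDuration
        Get-DhcpServerv4ExclusionRange -ScopeId 172.16.0.0
    }
    'LON-CL1' {
        # Task 2: move the adapter from a static address to DHCP for both the
        # IPv4 address and the DNS server list, then show what was leased.
        Set-NetIPInterface -InterfaceAlias 'Ethernet' -AddressFamily IPv4 -Dhcp Enabled
        Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ResetServerAddresses
        Get-NetIPAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4 |
            Select-Object IPAddress, PrefixLength, PrefixOrigin   # PrefixOrigin Dhcp once leased
    }
    default { Write-Warning "Run this on LON-SVR1 or LON-CL1 (this is $env:COMPUTERNAME)." }
}
```

`PrefixOrigin` on the client side is the scripted answer to Task 4's "Is DHCP enabled?": it reads `Dhcp` for a leased address and `Manual` for one that was typed into the adapter properties.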
Exercise 3: Verifying the IPv4 Configuration
Task 1: Stop the DHCP server
1. Switch to the LON-SVR1 computer.
2. In DHCP, right-click lon-svr1.adatum.com, point to All Tasks, and then click Stop.
3. Verify that an error is now shown in the DHCP management console, stating Cannot find the DHCP Server.
Task 2: Try to renew the IPv4 address on the client computer
1. Switch to the 10967A-LON-CL1 computer and switch to the Command Prompt.
2. At the Command Prompt, type the following command, and then press Enter.
    ipconfig /release
3. At the Command Prompt, type the following command, and then press Enter.
    ipconfig /renew
4. This might take several minutes while the client computer tries to contact a DHCP server.
5. Notice the time-out error.
6. At the Command Prompt, type the following command, and then press Enter.
    ipconfig
7. What IPv4 address was assigned?
Answer: An address starting with 169.254.
8. What does the IP address signify?
Answer: The computer is using Automatic Private IP Addressing (APIPA) because it failed to obtain an address from a DHCP server.
9. At the Command Prompt, type the following command, and then press Enter.
    ping lon-svr1.adatum.com
10. You are not successful.
Task 3: Start the DHCP server
1. Switch back to 10967A-LON-SVR1.
2. In DHCP, right-click lon-svr1.adatum.com, point to All Tasks, and then click Start.
Task 4: Renew the client address and verify IPv4
1. Switch to 10967A-LON-CL1, and at the Command Prompt, type the following command, and then press Enter.
    ipconfig /renew
2. What IPv4 address is listed?
Answer: The IP address starts with 172.16.
3. What does the IP address signify?
Answer: The computer has successfully obtained an IPv4 address from the DHCP server.
4. At the Command Prompt, type the following command, and then press Enter.
    ping lon-svr1.adatum.com
5. You are successful.
Results: After this exercise, you should have successfully verified the functionality of the DHCP server in the head office.
Exercise 4: Configuring and Testing Name Resolution
Task 1: View the current DNS records
1. Switch to 10967A-LON-DC1 and ensure you are signed in as ADATUM\Administrator with password Pa$$w0rd.
2. In Server Manager, point to the Tools menu, and then click DNS.
3. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
4. What is the current IP address listed against the LON-CL1 Host (A) record in the Adatum.com forward lookup zone?
Answer: 172.16.0.20
Task 2: Force a dynamic update
1. Switch to the LON-CL1 virtual machine.
2. On the Start page, type con. When Control Panel appears on the left side, click it to open it.
3. Click Network and Internet, click Network and Sharing Center, and then click Change adapter settings. In Network Connections, right-click Ethernet, and then click Properties.
4. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
5. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.
6. Use the following information to complete the configuration, and then click OK:
    • IP address: 172.16.0.16
    • Subnet mask: 255.255.0.0
    • Default gateway: 172.16.0.1
    • Preferred DNS server: 172.16.0.10
7. In the Ethernet Properties dialog box, click OK.
8. Switch to LON-DC1.
9. In DNS Manager, in Adatum.com, press F5.
10. What is the current IP address listed against the LON-CL1 Host (A) record?
Answer: 172.16.0.16
Task 3: Add a new DNS record
1. Switch to LON-CL1, and at the Command Prompt, type the following command, and then press Enter.
    ipconfig /?
2. Scroll through the help returned and identify the /displaydns switch.
3. Now, in the Command Prompt, type the following and press Enter.
    ipconfig /displaydns
4. What records are listed?
Answer: Answers will vary, but there will be several records for LON-DC1.
5. Switch to 10967A-LON-SVR1.
6. Hover the mouse over the bottom-left corner of the virtual machine and click the resultant Start menu.
7. Once the Start menu appears, type powershell.
8. The Windows PowerShell icon appears.
9. Right-click the icon and select Run as Administrator from the options.
10. In the Windows PowerShell console, type the following and press Enter.
    Get-Help *DNS*
11. There are several commands that could get you information similar to that obtained using ipconfig, but type the following and press Enter.
    Get-DnsClientCache
12. Still on 10967A-LON-SVR1, type the following and press Enter.
    Test-Connection www.adatum.com
13. You are not successful.
14. Switch to the 10967A-LON-CL1 virtual machine.
15. At the Command Prompt, type the following command, and then press Enter.
    ping www.adatum.com
16. You are not successful.
17. Switch to 10967A-LON-DC1.
18. In DNS Manager, right-click Adatum.com, and then click New Alias (CNAME).
19. In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box, type www.
20. Enter the following in the Fully qualified domain name (FQDN) for target host box, and then click OK.
    lon-dc1.adatum.com
Task 4: Verify a record
1. Switch to 10967A-LON-CL1.
2. At the Command Prompt, type the following command, and then press Enter.
    ping www.adatum.com
Note: Depending on your client cache, you may or may not be successful at this point. If you are not successful, continue with the next step, step 3. If you are successful, you can skip ahead to step 7.
3. You are not successful.
4. At the Command Prompt, type the following command, and then press Enter.
    ipconfig /flushdns
5. At the Command Prompt, type the following command, and then press Enter.
    ping www.adatum.com
6. You are successful.
7. At the Command Prompt, type the following command, and then press Enter.
    ipconfig /displaydns
8. What record is returned for www.adatum.com?
Answer:
    www.adatum.com
    ----------------------------------------
    Record Name . . . . . : www.adatum.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 3531
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : lon-dc1.adatum.com
(Some fields might vary slightly.)
Note: Record types are listed by number in ipconfig, and 5 corresponds to a CNAME record type.
9. Switch to 10967A-LON-SVR1.
10. Type the following to identify the cmdlet you need, and then press Enter.
    Help *DNS*
11. Notice the Clear-DnsClientCache cmdlet; type the following, and then press Enter.
    Clear-DnsClientCache
12. To test the connection, type the following command, and then press Enter.
    Test-Connection www.adatum.com
13. You are successful.
14. To view information on the DNS client cache, type the following command, and then press Enter.
    Get-DnsClientCache
15. Verify that the Record Type for www.adatum.com is listed as CNAME.
Results: After this exercise, you should have successfully verified that DNS is functioning correctly and also added a new DNS CNAME record for www.adatum.com.
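Exercise 4 with cmdlets instead of DNS Manager and ipconfig, added as an example that is not courseware code. The record is created on LON-DC1 with the DnsServer module; the cache inspection runs on any domain member with the DnsClient module (Windows Server 2012 / Windows 8). Zone, alias and target are the lab's; `Show-CachedRecord` and `Resolve-LabName` are the example's own helpers, and the script assumes it is run on LON-DC1 for the server part and on LON-CL1 or LON-SVR1 for the client part.

```powershell
# Added example (not courseware code): Exercise 4 with DnsServer/DnsClient cmdlets.

# --- Task 3 steps 18 to 20, on LON-DC1: www becomes an alias for the DC.
if ($env:COMPUTERNAME -eq 'LON-DC1') {
    Add-DnsServerResourceRecordCName -ZoneName 'adatum.com' -Name 'www' -HostNameAlias 'lon-dc1.adatum.com'
    Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'www' -RRType CName
}

function Show-CachedRecord {
    # Hypothetical helper: what the local resolver cache holds for a name.
    # Status other than Success means a negative answer was cached.
    param([string]$Name = 'www.adatum.com')
    Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue |
        Select-Object Entry, Name, Type, TimeToLive, Status, Data
}

function Resolve-LabName {
    # Hypothetical helper: Task 4 as a script. Explains why the first ping
    # after adding the record can still fail: the failed lookup from Task 3
    # left a negative entry that is served until it expires or is flushed.
    param([string]$Name = 'www.adatum.com')

    $stale = Show-CachedRecord -Name $Name | Where-Object { $_.Status -ne 'Success' }
    if ($stale) {
        "Negative cache entry for $Name (status $($stale.Status)); flushing, as ipconfig /flushdns does."
        Clear-DnsClientCache
    }

    # Ask the server directly, bypassing the cache, so the answer reflects the zone.
    Resolve-DnsName -Name $Name -Type CNAME -DnsOnly | Select-Object Name, Type, TTL, NameHost

    # Reachability test, then the cache entry the lookup left behind
    # (Type CNAME here; ipconfig /displaydns shows the same record as type 5).
    $reachable = Test-Connection -ComputerName $Name -Count 2 -Quiet
    "Test-Connection to $Name succeeded: $reachable"
    Show-CachedRecord -Name $Name
}

if ($env:COMPUTERNAME -in 'LON-CL1', 'LON-SVR1') { Resolve-LabName }
```

The `-DnsOnly` switch on `Resolve-DnsName` is the key difference from `ping`: it skips the hosts file and the local cache, so it tells you what the zone actually contains even while a stale negative entry is still being served to other programs.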
Exercise 5: Viewing the IPv6 Configuration
Task 1: Determine the current IPv6 address
1. On 10967A-LON-CL1, at the Command Prompt, type the following command, and then press Enter.
    ipconfig /all
2. Is there an IPv6 address listed?
Answer: Yes.
3. What kind of IPv6 address is it?
Answer: A link-local IPv6 address, as indicated by the address format (the leading fe80) and by the label beside the address in the ipconfig output.
4. Switch to 10967A-LON-SVR1.
5. To identify the cmdlet you need, type the following, and then press Enter.
    Get-Help *address*
6. Notice the Get-NetIPAddress cmdlet, then type the following and press Enter.
    Get-NetIPAddress
7. Locate the IPv6 address in the list of returned addresses and compare it to the address returned on the 10967A-LON-CL1 virtual machine.
Task 2: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.
Results: After this exercise, you should have determined that the local host has only a link-local IPv6 address.
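Exercises 3 and 5 both turn on recognising what kind of address an adapter holds (a 169.254.x.x APIPA address after DHCP fails; an fe80:: link-local address for IPv6). The function below answers both questions from the address itself, and the report function applies it to the local adapters with `Get-NetIPAddress`. This is an added example, not courseware code; it assumes the NetTCPIP module (Windows 8 / Server 2012 and later), and `Get-AddressKind` and `Test-LabAddressing` are the example's own names.

```powershell
# Added example (not courseware code): classify IPv4/IPv6 addresses and flag the
# APIPA condition Exercise 3 produces. Needs only .NET plus the NetTCPIP module.
function Get-AddressKind {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)   # accepts fe80::1%12 scope ids too

    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        if ($ip.IsIPv6LinkLocal)                               { return 'IPv6 link-local (fe80::/10)' }
        if ([System.Net.IPAddress]::IPv6Loopback.Equals($ip))  { return 'IPv6 loopback' }
        if (($ip.GetAddressBytes()[0] -band 0xFE) -eq 0xFC)    { return 'IPv6 unique local (fc00::/7)' }
        return 'IPv6 global'
    }

    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'IPv4 APIPA (no DHCP answer)' }
    if ($b[0] -eq 127)                     { return 'IPv4 loopback' }
    if ($b[0] -eq 10 -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)) { return 'IPv4 private (RFC 1918)' }
    return 'IPv4 public'
}

function Test-LabAddressing {
    # One row per non-loopback address: what it is and how it was obtained.
    $addresses = Get-NetIPAddress | Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
    $report = foreach ($a in $addresses) {
        [pscustomobject]@{
            Interface    = $a.InterfaceAlias
            Address      = $a.IPAddress
            Kind         = Get-AddressKind -Address $a.IPAddress
            PrefixOrigin = $a.PrefixOrigin   # Dhcp, Manual, WellKnown, RouterAdvertisement
        }
    }
    $report | Format-Table -AutoSize

    # The Exercise 3 symptom: an APIPA address means the client asked for a
    # lease and nothing answered, so lon-svr1.adatum.com cannot be reached
    # until the DHCP service is running again and ipconfig /renew succeeds.
    if ($report | Where-Object { $_.Kind -like '*APIPA*' }) {
        Write-Warning 'APIPA address present: DHCP did not answer. Check the DHCP server service, then run ipconfig /renew.'
    }
}

# Constructed sample values matching the lab, so the classifier can be checked
# without an adapter: APIPA, the leased address, and a link-local IPv6 address.
Get-AddressKind -Address '169.254.10.5'    # IPv4 APIPA (no DHCP answer)
Get-AddressKind -Address '172.16.0.20'     # IPv4 private (RFC 1918)
Get-AddressKind -Address 'fe80::1%12'      # IPv6 link-local (fe80::/10)
Test-LabAddressing
```

Checking the address bytes rather than the text is deliberate: `169.254.` as a string prefix would also match addresses such as 169.2540.x if the input were malformed, whereas `[IPAddress]::Parse` rejects anything that is not a valid address before the classification runs.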
Module 6: Windows Server Roles
Lab: Implementing Server Roles
Exercise 1: Determining the Appropriate Roles to Deploy
Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. Review the server requirements of the branch offices.
Task 2: Complete the Branch Office Server Deployment Recommendations document
1. Complete the Deployment Proposals section of the Branch Office Server Deployment Recommendations document.
2. How will you address the requirement that all computers can obtain an IPv4 configuration automatically even if the link to the head office is down?
Answer: Deploy the Dynamic Host Configuration Protocol (DHCP) Server role to each branch and configure an appropriate scope for the branch.
3. How will you address the requirement that users must be able to access shared files?
Answer: Deploy the File Services role.
4. How will you address the requirement that users must be able to use shared printers?
Answer: Deploy the Print and Document Services role.
5. What kind of server best supports the needs of the database application?
Answer: An application server.
6. What roles support this kind of server?
Answer: The Application Server role provides the necessary components.
7. How will you address the requirement that the computers must obtain updates from a local update server?
Answer: Deploy the Windows Server® Update Services (WSUS) role.
8. Which roles are required at the branch servers?
Answer: DHCP Server, DNS Server, File Services, Print and Document Services, Application Server, Windows Server Update Services.
Results: After this exercise, you should have completed the Branch Office Server Deployment Recommendations document.
Exercise 2: Deploying and Configuring the Determined Server Roles
Task 1: Deploy infrastructure-related roles
1. Ensure you are signed on to 10967A-LON-CL1.
2. Press the Windows logo key, type run, and then press Enter.
3. In the Run textbox, type the following and press Enter.
    \\LON-DC1\E$
4. If prompted, provide the credentials ADATUM\Administrator and password Pa$$w0rd.
5. Go to the folder …mod06\Labfiles, copy the file Windows6.2-KB2693643-x64.msu to the Desktop, and then double-click it.
6. In the Windows Update Standalone Installer dialog, click Yes.
7. In the Download and Install Updates license terms window, click I Accept.
8. In the installation complete dialog, click Restart Now. If you are not given a restart option, only a Close option, click Close, then hover the mouse in the bottom-right corner of the taskbar, select Settings, then Power, then Restart.
9. The 10967A-LON-CL1 virtual machine will update and restart. This will take approximately 5 minutes.
10. After 10967A-LON-CL1 restarts, log on with the credentials ADATUM\Administrator and password Pa$$w0rd.
11. Scroll across to the right side of the Start menu and notice the presence of the Administrative Tools and Server Manager icons. Click Server Manager.
12. In Server Manager, within the Dashboard section, click the Create a server group link.
13. In the Server group name box, type LON Servers.
14. Click the DNS tab.
15. In the Search: box, type LON-DC1 and press the search icon. LON-DC1.adatum.com should be returned; click the arrow to add the server to the Selected box on the right side.
16. In the Search: box, type LON-SVR3 and press the search icon. LON-SVR3.adatum.com should be returned; click the arrow to add the server to the Selected box on the right side.
17. Click OK.
18. Click the LON Servers group on the left side.
19. Right-click LON-SVR3 and select Add Roles and Features.
20. In the Add Roles and Features Wizard, click Next.
21. On the Installation Type page, click Next.
22. On the Server Selection page, click lon-svr3.Adatum.com and click Next.
23. On the Server Roles page, select DHCP Server and DNS Server, and then click Next.
24. Click Next through the remaining pages and install, but do not close the wizard.
25. On the Installation progress page, wait until the Installation succeeded on lon-svr3.adatum.com message displays, and then click Close.
26. Click the LON Servers group on the left side.
27. Right-click LON-DC1 and select Add Roles and Features.
28. In the Add Roles and Features Wizard, click Next.
29. On the Installation Type page, click Next.
30. On the Server Selection page, click lon-dc1.Adatum.com and click Next.
31. On the Server Roles page, select Print and Document Services and click Next.
32. Click the Add Features button when prompted.
33. Click Next through the remaining pages, click Install, and then close the wizard as soon as the installation begins.
34. Click the notification flag icon in Server Manager and view the status of the role installations.
35. Click the LON Servers group on the left side again.
36. Click LON-DC1, press CTRL and click LON-SVR3, then right-click the highlighted servers.
37. In the resultant menu, select Restart Server.
38. In the resultant prompt, ensure LON-DC1 and LON-SVR3 are listed and click OK.
39. Switch to the LON-DC1 and LON-SVR3 servers and show students that they are restarting as specified.
Notice that you can have many more servers as members of a server group, and managing them in bulk can reduce administrative overhead.
Task 2: Deploy the remaining roles on a single server
1. Ensure that you are signed in to 10967A-LON-CL1 with the credentials ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click the LON Servers group on the left side.
3. Right-click LON-DC1, and then select Add Roles and Features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Installation Type page, click Next.
6. On the Server Selection page, click lon-dc1.Adatum.com, and then click Next.
7. On the Server Roles page, select the following roles, and then click Next:
• Application Server
• File and Storage Services
• Print and Document Services
• Windows Server Update Services
8. Click Next until you reach the Content Selection page.
9. On the Content Selection page, clear the Store updates in the following location (choose a valid local path on lon-dc1.adatum.com, or a remote path): check box, and then click Next.
10. Click Install, but do not close the wizard.
Task 3: Obtain the configuration settings XML for an infrastructure role installation
1. On the Installation progress page, click the Export configuration settings link.
2. In the Save As dialog box, in the navigation pane under Libraries, click Documents; in the File name box, type LON-DC1 DHCP Server Role Install, and then click Save.
3. On the Installation progress page, click Close.
4. Point out to students that the installation continues to run in the background with the wizard closed.
5. In Server Manager, click the Notifications flag icon at the top of the console. Point out to students that you can view the progress of the installation here and that it also tells you when the installation is complete.
6. On the taskbar, click File Explorer, double-click Documents, right-click LON-DC1 DHCP Server Role Install, click Open with, and then click Notepad.
7. Review the XML in the configuration file. It contains the configuration settings that were generated automatically as you ran through the Add Roles and Features Wizard. You can now use or customize this file to automate installation of the same roles on this or multiple servers.
8. Close Notepad, and then close File Explorer.
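The same deployment from Windows PowerShell, as an added example rather than part of the courseware. It assumes the Server Manager cmdlets are available on LON-CL1 (they ship with the Remote Server Administration Tools), that you are signed in as ADATUM\Administrator, and that the configuration file saved in Task 3 received the .xml extension that the Save As dialog box appends.

```powershell
# Added example, not part of the courseware. Assumes RSAT on LON-CL1 and
# an ADATUM\Administrator session; server and file names are the lab's.
Import-Module ServerManager

# Task 1 equivalent: DHCP and DNS on LON-SVR3, Print and Document Services
# on LON-DC1. No -Restart here, so both servers can be restarted once at
# the end, as the lab does from the server group.
$results = @(
    Install-WindowsFeature -Name DHCP, DNS -ComputerName LON-SVR3.adatum.com -IncludeManagementTools
    Install-WindowsFeature -Name Print-Services -ComputerName LON-DC1.adatum.com -IncludeManagementTools
)
$results | Select-Object Success, RestartNeeded, ExitCode,
    @{ n = 'Features'; e = { ($_.FeatureResult | ForEach-Object Name) -join ', ' } }

# Task 3 equivalent: replay the wizard's exported configuration file
# against any server. This is the automation the exported XML exists for.
$xml = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'LON-DC1 DHCP Server Role Install.xml'
Install-WindowsFeature -ConfigurationFilePath $xml -ComputerName LON-DC1.adatum.com

# Verify from the client, then restart both servers and wait until
# PowerShell remoting answers again before moving on.
Get-WindowsFeature -Name DHCP, DNS -ComputerName LON-SVR3.adatum.com | Select-Object Name, InstallState
Get-WindowsFeature -Name Print-Services -ComputerName LON-DC1.adatum.com | Select-Object Name, InstallState
Restart-Computer -ComputerName LON-DC1.adatum.com, LON-SVR3.adatum.com -Force -Wait -For PowerShell -Timeout 600
```

Install-WindowsFeature accepts one target per call, so a server group is simply a loop over names; the same exported file can be applied to every member that should carry identical roles.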
Task 4: Configure event settings in Server Manager for DNS Server
1. On 10967A-LON-CL1, open Server Manager.
2. In the Server Manager console, click the DNS node on the left.
3. Scroll down to the Events section.
4. Click Tasks, and then select Configure Event Data.
5. In the Configure Event Data dialog box, select:
• Critical
• Error
• Warning
• Informational
6. Select Get events that have occurred within the past 3 days, and then click OK.
Task 5: Run the Best Practices Analyzer for the DHCP role
1. On 10967A-LON-CL1, open Server Manager.
2. In the Server Manager console, click the DHCP node on the left side.
3. Scroll down to the Best Practices Analyzer section.
4. Click Tasks, and then select Start BPA Scan.
5. In the Select Servers dialog box, choose lon-svr3.Adatum.com, and then click Start Scan.
6. The BPA scan runs for approximately a minute, and Warnings and Errors should display.
7. Scroll through the results and determine what remains to be configured: you should see a message about authorizing the DHCP server in Active Directory and another stating that at least one IPv4 scope should be configured.
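The Server Manager views used in Tasks 4 and 5 wrap cmdlets you can call directly; the following is an added example, not part of the courseware. It assumes RSAT on LON-CL1, an ADATUM\Administrator session, PowerShell remoting to LON-SVR3, and that the DHCP role is installed there as in Exercise 1 (the BestPractices module ships with Windows Server 2012).

```powershell
# Added example, not part of the courseware. Assumes RSAT on LON-CL1,
# remoting to LON-SVR3 and an ADATUM\Administrator session.
$since = (Get-Date).AddDays(-3)

# Task 4 equivalent: Critical (1), Error (2), Warning (3) and
# Informational (4) entries from the DNS Server log on LON-DC1 for the
# past 3 days. Verbose (5) is left out, as in the lab's dialog box.
$dnsEvents = Get-WinEvent -ComputerName LON-DC1.adatum.com -FilterHashtable @{
    LogName   = 'DNS Server'
    Level     = 1, 2, 3, 4
    StartTime = $since
} -ErrorAction SilentlyContinue        # no matching events is not an error here

$dnsEvents | Group-Object LevelDisplayName | Select-Object Name, Count
$dnsEvents | Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message

# Task 5 equivalent: the BPA model runs on the server being scanned, so
# it is invoked remotely. Only non-compliant results are kept, which is
# what the Server Manager tile shows; expect the "authorize the DHCP
# server" and "configure at least one IPv4 scope" items from the lab.
Invoke-Command -ComputerName LON-SVR3.adatum.com -ScriptBlock {
    Import-Module BestPractices
    Invoke-BpaModel -ModelId Microsoft/Windows/DHCPServer | Out-Null
    Get-BpaResult -ModelId Microsoft/Windows/DHCPServer |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object Severity, Category, Title, Problem, Resolution
}
```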
Task 6: Revert the lab virtual machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR3 and 10967A-LON-DC1.
Results: After this exercise, you should have deployed all required roles and features.
Module 7: Implementing Active Directory
Lab: Implementing Active Directory Domain Services
Exercise 1: Promoting a New Domain Controller
Task 1: Add an additional domain controller
1. Ensure that you are logged on to the 10967A-LON-SVR1 virtual machine as ADATUM\Administrator with password Pa$$w0rd.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. Click Server Selection, and then click Next.
4. Select the Active Directory Domain Services check box, click Add Features, and then click Next.
5. Accept the default settings for the remaining selections, and then click Install.
6. Wait while the Active Directory® Domain Services (AD DS) role and associated features are installed. It should take about two minutes.
7. Click Close to close the Add Roles and Features Wizard.
8. After the role is installed, click the Notifications flag, and then click Promote this server to a domain controller.
9. Verify that you are in the Active Directory Domain Services Configuration Wizard.
10. On the Deployment Configuration page, make the following changes, and then click Next:
• Select a Deployment Configuration: Add a domain controller to an existing domain
• Domain: Adatum.com
• Supply the credentials to perform this operation: accept the defaults
11. On the Domain Controller Options page, make the following changes, and then click Next:
• Clear Domain Name System (DNS) server
• Clear Global Catalog (GC)
• Password: Pa$$w0rd
• Confirm password: Pa$$w0rd
12. Accept the default settings on the Additional Options, Paths, and Review Options pages, and then click Next.
13. Run the prerequisites check and make sure that all prerequisites are successful. Warnings are acceptable.
14. Click Install, and then wait for the installation to complete and the computer to restart. It should take about two minutes before the server restarts.
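Exercise 1 from the command line, as an added example that is not part of the courseware. It assumes you run it on LON-SVR1 as ADATUM\Administrator, and it reads the Directory Services Restore Mode password from the console rather than hard-coding the lab password.

```powershell
# Added example, not part of the courseware. Run on LON-SVR1 as
# ADATUM\Administrator; mirrors the wizard choices made in Task 1.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$params = @{
    DomainName                    = 'Adatum.com'
    InstallDns                    = $false     # lab clears the DNS server option
    NoGlobalCatalog               = $true      # lab clears the Global Catalog option
    SafeModeAdministratorPassword = $dsrm
    Credential                    = (Get-Credential -UserName 'ADATUM\Administrator' -Message 'Domain credentials')
}

# Same checks as the wizard's Prerequisites Check page. Warnings are
# acceptable, an Error status is not.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; see the messages above.' }

# -NoRebootOnCompletion keeps the restart explicit so you can watch it,
# as step 14 does; -Force suppresses the confirmation prompt.
Install-ADDSDomainController @params -NoRebootOnCompletion -Force
Restart-Computer -Force
```

Unlike the wizard, the script leaves a record of exactly which options were chosen, which matters when the question later is why a branch DC is not a global catalog or does not host DNS.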
Results: After this exercise, you will have promoted a new domain controller.
Exercise 2: Creating an Organizational Unit
Task 1: Create an organizational unit
1. After LON-SVR1 has restarted, log on by using the following credentials:
• User name: Administrator
• Password: Pa$$w0rd
• Domain: Adatum
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the navigation pane, right-click Adatum.com, click New, and then click Organizational Unit.
4. In the Name text box, type A Datum Merger Team, and then click OK.
5. In the navigation pane, double-click Adatum.com and verify that you have a new OU called A Datum Merger Team.
6. Close the Active Directory Users and Computers console by clicking the X in the top right corner.
Results: After this exercise, you will have created a new organizational unit (OU).
Exercise 3: Configuring Accounts
Task 1: Add user accounts
1. Ensure that you are still logged on to the 10967A-LON-SVR1 virtual machine.
2. In Server Manager, click Tools, and then select Active Directory Administrative Center.
3. Click Adatum (local), right-click A Datum Merger Team, point to New, and then click User.
4. In the Create User dialog box, in the First name box, type Christian.
5. In the Last name box, type Kemp.
6. In the User SamAccountName logon box, type Adatum\Christiank.
7. In the Password and Confirm password boxes, type Pa$$w0rd.
8. In the Account expires section, ensure that the Never option is selected.
9. In the Password options section, click Other password options, and then select the Password never expires check box.
10. Click OK.
11. In Active Directory Administrative Center, in the Windows PowerShell History section at the bottom of the console, click the arrow on the right side to display the Windows PowerShell commands that were generated when you created the user.
12. Right-click in the Windows PowerShell commands, choose Select All, then right-click again and select Copy.
13. Open File Explorer, go to the C:\ drive, right-click, select New, and then click Text Document.
14. Open the file, paste in the Windows PowerShell commands, and save the text file.
15. Review the contents of the file to see how the new user was created.
16. Rename the text file Create User Account.ps1.
17. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and then click User.
18. As in the earlier steps, create a user with the following details:
• First name: Tony
• Last name: Allen
• User SamAccountName logon: TonyA
• Password: Pa$$w0rd
• Account expires: Never
• Password options: Password never expires
19. Click OK.
20. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and then click User.
21. As in the earlier steps, create a user with the following details:
• First name: Pia
• Last name: Lund
• User SamAccountName logon: PiaL
• Password: Pa$$w0rd
• Account expires: Never
• Password options: Password never expires
22. Click OK.
Task 2: Create groups
1. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and then click Group.
2. In the Create Group dialog box, create a group with the following characteristics:
• Group name: Mergers and Acquisitions
• Group scope: Global
• Group type: Security
3. Click OK.
4. Again in Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and then click Group.
5. In the Create Group dialog box, create a group with the following characteristics:
• Group name: Merger Team Management
• Group scope: Global
• Group type: Security
6. Click OK.
Task 3: Add members to groups
1. In Active Directory Administrative Center, double-click the A Datum Merger Team OU.
2. Locate and then click Christian Kemp.
3. While pressing the Ctrl key, click Pia Lund and Tony Allen.
4. Release the Ctrl key, right-click Tony Allen, and then click Add to group...
5. In the Select Groups dialog box, in the Enter the object names to select (examples) text box, type Mergers and Acquisitions.
6. Click Check Names, and then click OK.
7. In Active Directory Administrative Center, under Adatum (local), in A Datum Merger Team, double-click Tony Allen.
8. In the Tony Allen properties dialog box, click the Member Of tab.
9. Click Add, and in the Select Groups dialog box, in the Enter the object names to select (examples) text box, type Merger Team Management.
10. Click Check Names, and then click OK.
11. In the Tony Allen properties dialog box, click OK.
Task 4: Move a computer account
1. In Active Directory Administrative Center, click Adatum (local), and then locate and double-click Computers.
2. In the results pane, right-click LON-CL1, and then click Move.
3. In the Move dialog box, select A Datum Merger Team, and then click OK.
4. In Active Directory Administrative Center, click A Datum Merger Team and notice the presence of the LON-CL1 computer.
Task 5: Delegate control of the OU
1. Still on 10967A-LON-SVR1, in Server Manager, click Tools, and then select Active Directory Users and Computers.
2. Locate and right-click A Datum Merger Team, and then click Delegate Control…
3. In the Delegation of Control Wizard, on the Welcome to the Delegation of Control Wizard page, click Next.
4. On the Users or Groups page, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (examples) box, type Merger Team Management, click Check Names, and then click OK.
6. On the Users or Groups page, click Next.
7. On the Tasks to Delegate page, select the Reset user passwords and force password change at next logon check box, and then click Next.
8. Click Finish.
Results: After this exercise, you will have created the necessary user accounts and groups, and moved the users’ computer accounts into the OU.
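Exercise 3 as a script, added here as an example and not part of the courseware. It assumes the ActiveDirectory module on LON-SVR1, an ADATUM\Administrator session, and a UPN suffix of adatum.com for the new accounts (the lab does not set one). The delegation part shows what the wizard's Reset user passwords and force password change at next logon task actually writes to the OU's ACL, which is also how you audit such delegations later; the three GUIDs are the well-known schema identifiers of the user class, the Reset Password control access right, and the pwdLastSet attribute.

```powershell
# Added example, not part of the courseware. Assumes the ActiveDirectory
# module on LON-SVR1 and an ADATUM\Administrator session.
Import-Module ActiveDirectory
$ou = 'OU=A Datum Merger Team,DC=Adatum,DC=com'
$pw = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString

# Task 1: the three users. PasswordNeverExpires is kept only because the
# lab sets it; it is not a setting to carry into production.
$people = @(
    @{ Given = 'Christian'; Surname = 'Kemp';  Sam = 'ChristianK' },
    @{ Given = 'Tony';      Surname = 'Allen'; Sam = 'TonyA' },
    @{ Given = 'Pia';       Surname = 'Lund';  Sam = 'PiaL' }
)
foreach ($p in $people) {
    New-ADUser -Name "$($p.Given) $($p.Surname)" -GivenName $p.Given -Surname $p.Surname `
        -SamAccountName $p.Sam -UserPrincipalName "$($p.Sam)@adatum.com" -Path $ou `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true
}

# Tasks 2 and 3: two global security groups and their members
New-ADGroup -Name 'Mergers and Acquisitions' -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'Merger Team Management'   -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Mergers and Acquisitions' -Members ChristianK, TonyA, PiaL
Add-ADGroupMember -Identity 'Merger Team Management'   -Members TonyA

# Task 4: move the workstation into the OU
Get-ADComputer -Identity LON-CL1 | Move-ADObject -TargetPath $ou

# Task 5: the wizard task grants two things, both scoped to descendant
# user objects: the Reset Password control access right, and read/write
# on pwdLastSet (setting it to 0 forces a change at next logon).
$sid        = (Get-ADGroup -Identity 'Merger Team Management').SID
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class user
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of Reset Password
$pwdLastSet = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of pwdLastSet
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rwProp     = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$desc       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $extRight, $allow, $resetPwd, $desc, $userClass))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rwProp, $allow, $pwdLastSet, $desc, $userClass))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: every ACE on the OU held by the delegated group. Run this
# periodically; delegations accumulate and are rarely removed.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\Merger Team Management' } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

The audit query at the end is the useful half: the wizard shows you nothing after it finishes, whereas the ACEs it wrote are what an attacker who compromises a Merger Team Management member will use, so they should be enumerated and reviewed like any other privilege grant.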
Exercise 4: Creating a GPO
Task 1: Create a GPO
1. Make sure that you are logged on to 10967A-LON-DC1 as ADATUM\Administrator with password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Group Policy Management.
3. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
4. In the navigation pane, right-click Group Policy Objects, and then click New.
5. In the New GPO dialog box, in the Name box, type A Datum Merger Team GPO, and then click OK.
6. Expand Group Policy Objects, right-click A Datum Merger Team GPO, and then click Edit.
7. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
8. In the results pane, double-click Logon.
9. In the Logon Properties dialog box, click Add.
10. In the Add a Script dialog box, click Browse.
11. In the Browse dialog box, right-click in the empty file list (No items match your search), click New, and then click Text Document.
12. Highlight the whole file name, including the file name extension, type logon.vbs, and then press Enter.
13. If you are prompted, in the Rename dialog box, click Yes.
14. Right-click logon.vbs, and then click Edit.
15. If you are prompted, in the Open File – Security Warning dialog box, click Open.
16. In Notepad, type msgbox "Welcome to the A Datum Merger Team" (with straight double quotes).
17. Click File, and then click Save.
18. Close Notepad.
19. In the Browse dialog box, click Open.
20. Make sure that the Script Name is logon.vbs.
21. In the Add a Script dialog box, click OK.
22. In the Logon Properties dialog box, click OK.
23. Close the Group Policy Management Editor.
Task 2: Link a GPO
1. In the Group Policy Management console, in the navigation pane, expand Adatum.com, right-click A Datum Merger Team, and then select Link an Existing GPO.
2. In the Select GPO dialog box, in the Group Policy objects list, click A Datum Merger Team GPO, and then click OK.
Task 3: Test a GPO
1. Switch to 10967A-LON-CL1 and log off.
2. Log on by using the following credentials:
• User name: TonyA
• Password: Pa$$w0rd
• Domain: Adatum
3. Make sure that the logon script runs.
Note: By default the Start screen is displayed after logon, so you may have to switch to the desktop to see the logon script's message box.
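Tasks 1 and 2 from Windows PowerShell, plus a check the lab does not include, as an added example that is not part of the courseware. It assumes the GroupPolicy module on LON-DC1 and an ADATUM\Administrator session; the list of principals expected to hold write access to the script folder is an assumption for illustration and should be adapted to your domain. Every user in the OU runs logon.vbs at logon, so write access to that SYSVOL folder is code execution as each of them, and the script enumerates who has it.

```powershell
# Added example, not part of the courseware. Assumes the GroupPolicy
# module on LON-DC1 and an ADATUM\Administrator session.
Import-Module GroupPolicy
$ou = 'OU=A Datum Merger Team,DC=Adatum,DC=com'

# Task 1 (the GPO) and Task 2 (the link to the OU)
$gpo = New-GPO -Name 'A Datum Merger Team GPO'
New-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes | Out-Null
(Get-GPInheritance -Target $ou).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# The Browse button in the Logon Properties dialog box opens this folder
# in the GPO's own SYSVOL tree; that is where logon.vbs is saved.
$scriptDir = "\\adatum.com\SYSVOL\adatum.com\Policies\{$($gpo.Id)}\User\Scripts\Logon"
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# Who can write there? The allowed list is an assumption for this example.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
             'ADATUM\Domain Admins', 'ADATUM\Enterprise Admins')
function Get-UnexpectedWriters {
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl') -and
        $Allowed -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}
Get-UnexpectedWriters -Path $scriptDir -Allowed $allowed    # no output is the good answer

# Task 3 equivalent: resultant policy for TonyA on LON-CL1. Logging mode
# needs the user to have logged on to that computer at least once.
Get-GPResultantSetOfPolicy -User 'ADATUM\TonyA' -Computer 'LON-CL1' -ReportType Html -Path "$env:TEMP\tonya-rsop.html"
```

The script body itself is still added through the editor as in Task 1; what the PowerShell side adds is a repeatable record of the GPO, the link, and an explicit review of who can alter the script that every team member executes.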
Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.
Results: After this exercise, you will have created a Group Policy Object (GPO) and linked it to the A Datum Merger Team OU.
Module 8: Implementing IT Security Layers
Lab: Implementing IT Security Layers
Exercise 1: Implementing Physical Security
Task 1: Read the supporting documentation
1. Read the email and the Incident Record to determine the possible problem causes.
2. Read the A. Datum Network Security Policy – Laptops document to determine whether you must enforce any changes at the branch based on corporate policies.
Task 2: Complete the incident record
1. Complete the Resolution section of the Incident Report by answering these questions.
2. What security policies apply to the branch office laptops as defined in the A. Datum Network Security Policy – Laptops document?
Answer: All the policies apply.
3. What security concerns do you have about the branch offices?
Answer: If users can take their laptops home, this raises several security issues. First, the users connect to unmanaged networks (at home or possibly elsewhere) and then reconnect to the corporate network. Second, the laptops are at risk of being lost or stolen. Where branches have no dedicated room for servers, the servers are at risk of being physically damaged and possibly stolen. External contract staff might intentionally or unintentionally introduce malicious code into the corporate network through the research department branch networks. Use of removable storage devices by users might result in data compromise. Users might introduce, unintentionally or otherwise, malicious code that might damage data.
4. How would you address the concerns you might have about laptop use?
Answer: By implementing Network Access Protection (NAP), users can move their computers between various networks while the health integrity of the corporate network is maintained; specifically, NAP isolates computers that do not meet the health criteria. Implement Encrypting File System (EFS) and Windows® BitLocker® Drive Encryption on the laptops so that, if a laptop is lost or stolen, the data on it is not compromised.
5. How would you address the concerns you might have about the lack of dedicated server rooms?
Answer: Put the servers in a location that is least likely to result in their accidental damage. If theft is a possibility, first make sure that the servers are physically secure, and then implement BitLocker Drive Encryption on all servers. Additionally, where domain controllers are placed in branches that are not physically secure, and the applications used in the branch can work with read-only domain controllers (RODCs), deploy an RODC rather than a writable domain controller.
6. How would you address the concerns you might have about contractor computer use?
Answer: Implement NAP to make sure that only computers that meet the network health requirements can connect. Use access control to make sure that visitors can access only the files and folders on which they have been granted permissions; assign permissions sparingly.
7. How would you address the concerns you might have about removable storage devices?
Answer: Use a Group Policy Object (GPO) to restrict the kinds of device that users can use. If possible, block all use of external universal serial bus (USB) storage devices.
8. Complete the Resolution section with a summary of your proposals.
Answers:
• Enable and configure BitLocker and EFS on portable computers.
• Enable and configure BitLocker on servers.
• Deploy only RODCs to branches, not writable domain controllers (DCs).
• Implement NAP.
• Implement a GPO to restrict USB storage device usage.
• Configure restrictive file permissions.
Results: After this exercise, you should have completed the incident record.
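The resolution item "Implement a GPO to restrict USB storage device usage" expressed as a scripted GPO, added here as an example and not part of the courseware. It assumes the GroupPolicy module on LON-DC1; the GPO name, the target OU (OU=Branch Laptops) and the choice of Deny all access rather than Deny write access are assumptions for illustration.

```powershell
# Added example, not part of the courseware. Assumes the GroupPolicy
# module on LON-DC1 and an ADATUM\Administrator session; GPO name and
# target OU are placeholders.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'Branch - Block Removable Storage'

# Computer Configuration > Policies > Administrative Templates > System >
# Removable Storage Access > "Removable Disks: Deny all access" is stored
# under this key; the GUID is the Removable Disks device setup class.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
# Less disruptive alternative: allow reading but block copying out.
#   Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'Deny_Write' -Type DWord -Value 1

# Link it where the branch laptops' computer accounts live (placeholder OU)
New-GPLink -Guid $gpo.Id -Target 'OU=Branch Laptops,DC=Adatum,DC=com' -LinkEnabled Yes | Out-Null

# Verify what the GPO now carries before anyone runs gpupdate
Get-GPRegistryValue -Name $gpo.DisplayName -Key $key | Select-Object ValueName, Type, Value
```

Deny_All blocks the device class entirely; if the requirement is only to stop data leaving, Deny_Write keeps removable disks readable and is easier to get accepted by users.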
Exercise 2: Configuring Security Settings in Windows® Internet Explorer®
Task 1: Verify the current Internet Explorer security settings
1. Make sure that you are logged on to the 10967A-LON-DC1 virtual machine with the user account ADATUM\Administrator and password Pa$$w0rd.
2. Go to the Start screen and open Internet Explorer.
3. Right-click beside the tabs at the top of the Internet Explorer window, select Menu bar, click Tools, and then click Internet Options.
4. In the Internet Options dialog box, click the Security tab.
5. In the Select a zone to view or change security settings list, click Local intranet.
6. What is the current security level for this zone?
Answer: Medium-low.
Task 2: Change the Local intranet zone security settings
1. Under Security level for this zone, move the slider to High.
2. Select the Enable Protected Mode (requires restarting Internet Explorer) check box, and then click OK.
Task 3: Test the security settings
1. Open Internet Explorer.
2. Right-click beside the tabs at the top of the Internet Explorer window, and then select Status bar.
3. Repeat step 2 for the Menu bar and the Command bar.
4. In the Address bar, type http://lon-dc1/intranet, and then press Enter.
5. Right-click the A. Datum Intranet Home Page, and then choose Properties.
6. What security zone is this website listed as being in?
Answer: Internet.
7. Is Protected Mode turned on or off for this website?
Answer: Off.
8. Click OK to close the Properties dialog box.
9. On the A. Datum Intranet Home page, click Current Projects.
10. If you receive a warning message prompting you to add the website to your trusted zones, click Close.
11. Read the Information Bar at the bottom of the screen. What is the problem?
Answer: An add-on for this website failed to run.
12. Click Tools, and then click Manage Add-ons.
13. Can you see a Tabular Data Control add-on?
Answer: No.
14. What is the default search provider?
Answer: Bing.
15. Click Bing and examine the options that are available.
16. In the Manage Add-ons dialog box, click Close.
17. Close the A. Datum Projects webpage.
Task 4: Add the website to the Trusted sites list
1. On the A. Datum Intranet Home page, click Tools, and then click Internet Options.
2. In the Internet Options dialog box, click the Security tab.
3. In the Select a zone to view or change security settings list, click Trusted sites.
4. What is the current security level for this zone?
Answer: Medium.
5. Click Sites.
6. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box, click Add, and then click Close.
7. In the Internet Options dialog box, click OK.
8. In the Address bar, type http://lon-dc1/intranet, and then press Enter.
9. Right-click the A. Datum Intranet Home Page, and then choose Properties.
10. What security zone is this website listed as being in now?
Answer: Trusted sites.
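The settings inspected and changed in Tasks 1 to 4 live in the current user's registry; the following added example (not part of the courseware) reads and changes them from Windows PowerShell. Zone numbers are fixed by Internet Explorer (1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). It assumes Internet Explorer Enhanced Security Configuration is off on LON-DC1, as in the lab image; with it on, site-to-zone entries live under EscDomains rather than Domains. Internet Explorer must be restarted to pick up the changes.

```powershell
# Added example, not part of the courseware. Per-user settings: run it as
# the user whose Internet Explorer you are inspecting.
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$levels = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$names  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneState {
    foreach ($z in 1..4) {
        $p   = Get-ItemProperty -Path "$base\Zones\$z"
        $lvl = [int]$p.CurrentLevel
        [pscustomobject]@{
            Zone          = $names[$z]
            Level         = if ($levels.ContainsKey($lvl)) { $levels[$lvl] } else { 'Custom' }
            # value "2500" is Protected Mode for the zone: 0 = on, 3 = off
            ProtectedMode = if ($p.'2500' -eq 0) { 'On' } else { 'Off' }
        }
    }
}
Get-IEZoneState   # Task 1 and Task 4 answers: Local intranet Medium-low, Trusted sites Medium

# Task 2 equivalent: Local intranet to High with Protected Mode on
Set-ItemProperty -Path "$base\Zones\1" -Name 'CurrentLevel' -Value 0x12000 -Type DWord
Set-ItemProperty -Path "$base\Zones\1" -Name '2500' -Value 0 -Type DWord

# Task 4 equivalent: put http://lon-dc1 in Trusted sites (zone 2). The
# value name is the scheme; 'https' or '*' are the alternatives.
$siteKey = "$base\ZoneMap\Domains\lon-dc1"
New-Item -Path $siteKey -Force | Out-Null
Set-ItemProperty -Path $siteKey -Name 'http' -Value 2 -Type DWord

Get-IEZoneState
Get-ItemProperty -Path $siteKey | Select-Object http
```

Putting a plain http:// site in Trusted sites (which the lab does by clearing the https requirement) means anything that can answer for that name on the network gets the relaxed zone, which is why the more restrictive zone broke the ActiveX control in the first place; a per-site exception is the narrow fix, lowering the whole zone is not.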
Task 5: Test the security zone change
1. On the A. Datum Intranet home page, click Current Projects.
2. Did the projects list populate?
Answer: Yes.
3. Click Tools, and then click Manage Add-ons.
4. Can you see a Tabular Data Control add-on?
Answer: Yes.
5. In the Manage Add-ons dialog box, click Close.
6. Close the A. Datum Projects webpage.
7. Close the A. Datum Intranet home page.
8. Open Internet Explorer, click Tools, and then select ActiveX Filtering.
9. Go to www.microsoft.com.
10. Notice the blue circle with a line through the middle that is now present in the Address bar. Click this icon.
11. A message appears stating that some content is filtered on this site, with the option to turn off ActiveX Filtering.
12. Click the Turn off ActiveX Filtering button.
13. Click the blue circular icon in the Address bar again and notice that the message now states that no content is filtered on this site.
14. Click Tools, click Manage Add-ons, examine the various add-on types, and then click Close.
MCT USE ONLY. STUDENT USE PROHIBITED L8-5
Task 6: View Security Report 1.
Go to the Website https://www.microsoft.com
2.
Notice the presence of a lock icon now appearing in the address bar
3.
Click the lock icon
4.
A website identification dialog appears which contains information about the identity of the website and who if anyone has identified the site if the site has a certificate. You can also view the certificate
Task 7: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Results: After this exercise, you should have modified Internet Explorer security settings.
Module 9: Implementing Security in Windows Server
Lab: Implementing Security in Windows Server
Exercise 1: Configuring a Fine-Grained Password Policy
Task 1: Create a shadow security group for the Research group
1. Ensure that you are logged on to 10967A-LON-DC1 with the user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Server Manager, click Tools, and then select Active Directory Administrative Center.
3. Right-click Adatum (local), point to New, and then select Group.
4. In the Create Group dialog box, in the Group name box, type Research Shadow Group, and ensure that:
• Group type: Security
• Group scope: Global
5. Click OK.
6. Double-click the Research group and view all the members.
7. Select all the members of the Research group by clicking the first name in the list, holding down Shift, and then scrolling down and clicking the last name in the list.
8. Ensure that all the members are highlighted, and then select Add to group.
9. In the Select Groups dialog box, in the Enter the object names to select (examples) box, type Research, and then click Check Names.
10. In the Multiple Names Found dialog box, select Research Shadow Group, and then click OK twice.
11. In the Active Directory Domain Services dialog box, click OK.
12. Open the Research Shadow Group and view the Members section to ensure that all members have been added successfully.
Task 2: Create a fine-grained password policy and apply it to the Research group
1. Ensure that you are logged on to 10967A-LON-DC1 with the user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Server Manager, click Tools, and then select Active Directory Administrative Center.
3. Click Adatum (local), double-click System, and then double-click Password Settings Container.
4. In the Password Settings Container area, right-click, point to New, and then select Password Settings.
5. In the Create Password Settings dialog box, enter the following settings:
• Name: Research Password Policy
• Precedence: 1
• Minimum password length (characters): 10
• Number of passwords remembered: 20
• Password must meet complexity requirements: selected
• User cannot change the password within (days): 1
• User must change the password after (days): 30
• Protect from accidental deletion: selected
6. In the Directly Applies To section, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Research, and then click Check Names; if you are asked to choose between multiple matching names, select Research Shadow Group. Click OK.
7. Click OK to close the Create Password Settings dialog box.
Task 3: Verify the new user password policy settings
1. Sign in to 10967A-LON-CL1 with the user name ADATUM\Maxim and password Pa$$w0rd.
Note: ADATUM\Maxim is a member of the Research group.
2. When you are logged on, send Ctrl+Alt+Del to the virtual machine to get the option to change the password.
3. Select Change a password.
4. On the Change a password screen, enter Maxim's current password, Pa$$w0rd.
5. Now attempt to set the new password to: password
You receive the message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
6. Now attempt to set a different new password: Pa$$w0rd1
Again you receive the message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
7. Now attempt a longer new password: Pa$$w0rd012
This password is accepted: at 11 characters it meets the 10-character minimum you specified in the fine-grained password policy, and it meets the complexity requirements.
8. Now log on to 10967A-LON-CL1 with the user name ADATUM\Franz and password Pa$$w0rd.
Note: ADATUM\Franz is a member of the Sales group.
9. When you are logged on, send Ctrl+Alt+Del to the virtual machine to get the option to change the password.
10. Select Change a password.
11. On the Change a password screen, enter Franz's current password, Pa$$w0rd.
12. Now attempt to set the new password to: Pa$$w0rd1
The change succeeds. The password meets the complexity requirements, and because Franz is not a member of the Research group the 10-character minimum does not apply to him, so the 9 characters he entered are sufficient.
Results: After this exercise, you should have created a fine-grained password policy and verified that it applies only to members of the Research group.
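Exercise 1 as a script, added here as an example and not part of the courseware; it assumes the ActiveDirectory module on LON-DC1 and an ADATUM\Administrator session. A password settings object can be applied only to users and global security groups, never to an OU, which is why the lab creates the shadow group; the Sync-ShadowGroup function is the piece you would schedule so that the shadow group keeps tracking the Research group as people join and leave it. The last part resolves the policy each user actually gets, which is the check behind Task 3.

```powershell
# Added example, not part of the courseware. Assumes the ActiveDirectory
# module on LON-DC1 and an ADATUM\Administrator session.
Import-Module ActiveDirectory

# Task 1: the shadow group, populated from (and kept equal to) Research
if (-not (Get-ADGroup -Filter "Name -eq 'Research Shadow Group'")) {
    New-ADGroup -Name 'Research Shadow Group' -GroupScope Global -GroupCategory Security -Path 'DC=Adatum,DC=com'
}
function Sync-ShadowGroup {
    param([string]$Source = 'Research', [string]$Shadow = 'Research Shadow Group')
    # Recursive so nested groups in Research still end up covered by the PSO
    $want = @(Get-ADGroupMember -Identity $Source -Recursive | Where-Object objectClass -eq 'user')
    $have = @(Get-ADGroupMember -Identity $Shadow)
    $add    = @($want | Where-Object { $have.distinguishedName -notcontains $_.distinguishedName })
    $remove = @($have | Where-Object { $want.distinguishedName -notcontains $_.distinguishedName })
    if ($add)    { Add-ADGroupMember    -Identity $Shadow -Members $add }
    if ($remove) { Remove-ADGroupMember -Identity $Shadow -Members $remove -Confirm:$false }
    [pscustomobject]@{ Added = $add.Count; Removed = $remove.Count }
}
Sync-ShadowGroup

# Task 2: the PSO with the lab's values, applied to the shadow group
New-ADFineGrainedPasswordPolicy -Name 'Research Password Policy' -Precedence 1 `
    -MinPasswordLength 10 -PasswordHistoryCount 20 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'Research Password Policy' -Subjects 'Research Shadow Group'

# Task 3: which policy wins for each user. Maxim (Research) should resolve
# to the PSO; Franz (Sales) to nothing, i.e. the domain default applies.
foreach ($u in 'Maxim', 'Franz') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        User   = $u
        Policy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLen = if ($pso) { $pso.MinPasswordLength } else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
    }
}
```

Get-ADUserResultantPasswordPolicy is the authoritative answer to "which policy applies to this account": it resolves precedence across every PSO the user is a direct or group subject of, so it is the query to run when a password change is rejected and nobody can say why.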
Exercise 2: Securing NTFS Files and Folders
Task 1: Create the C:\Research folder structure
1. Ensure that you are logged on to 10967A-LON-SVR1 with the user name ADATUM\Administrator and password Pa$$w0rd.
2. In File Explorer, click Computer, double-click Local Disk (C:), and then on the toolbar, click the New folder icon.
3. Type Research in the folder name box, and then press Enter.
4. Double-click the Research folder.
5. On the toolbar, click New folder.
6. Type Classified in the folder name box, and then press Enter.
7. On the toolbar, click New folder.
8. Type Projects in the folder name box, and then press Enter.
Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1. Click the Back button. Then right-click the Research folder, and click Properties.
2. In the Research Properties dialog box, click the Security tab, and then click Advanced.
3. Click the Disable inheritance button.
4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.
5. Click OK to close the Advanced Security Settings for Research window.
6. In the Research Properties dialog box, on the Security tab, click Edit.
7. Select Users (LON-SVR1\Users), and then click Remove.
8. In the Permissions for Research dialog box, click Add.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adatum\Research, and then click Check Names.
10. In the Multiple Names Found dialog box, select Research, click OK, and then click OK again.
11. In the Group or user names box, click Research (ADATUM\Research).
12. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and then click OK.
13. In the Research Properties window, click OK.
14. Double-click the Research folder, right-click the Classified folder, and then click Properties.
15. In the Classified Properties dialog box, on the Security tab, click Advanced.
16. In the Advanced Security Settings for Classified dialog box, click the Disable inheritance button.
17. In the Block Inheritance dialog box, select Convert inherited permissions into explicit permissions for this object.
Note: Clicking the Remove All Inherited Permissions From This Object selection removes all NTFS permissions for the folder, including your permissions as administrator. This prevents you from making any further changes to the folder, including assigning permissions.
18. In the Advanced Security Settings for Classified dialog box, click OK.
19. In the Classified Properties dialog box, on the Security tab, click Edit.
20. In the Permissions for Classified dialog box, in the Group or user names box, click Research (ADATUM\Research), and then click the Remove button.
21. In the Permissions for Classified dialog box, click Add.
22. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type ADATUM\Allie, click Check Names, and then click OK.
23. In the Group or user names box, click Allie Bellew (ADATUM\Allie).
24. In the Permissions for Allie Bellew section, next to Full Control, select the Allow check box, and then click OK.
25. In the Classified Properties window, click OK.
Task 3: Share the C:\Research folder on the network and set appropriate shared folder permissions
1. Click the Back button. Then right-click the Research folder, and click Properties.
2. In the Research Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
3. Select the Share this folder check box, leave the Share name as Research, and then click the Permissions button.
4. In the Permissions for Research dialog box, in the Group or user names box, click Everyone, and then click the Remove button.
5. In the Permissions for Research dialog box, click Add.
6. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adatum\Research, and then click Check Names.
7. In the Multiple Names Found dialog box, select Research, click OK, and then click OK again.
8. In the Group or user names box, click Research (ADATUM\Research).
9. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and then click OK.
10. In the Advanced Sharing dialog box, click OK.
11. In the Research Properties dialog box, click Close.
12. Close File Explorer.
Task 4: Test access to C:\Research folders
1. Log on to 10967A-LON-CL1 with the user name ADATUM\Bill and the password Pa$$w0rd.
Note: ADATUM\Bill is a member of the Manager group. He is not a member of the Research group.
2. Hover the mouse over the lower left corner, and when the Start menu appears, right-click, and then click Run.
3. Type \\LON-SVR1, and then press Enter.
4. Once connected, double-click the Research shared folder.
5. Does ADATUM\Bill have access to the Research folder?
Answer: No. ADATUM\Bill is not a member of the Research group.
6. Sign out as Bill.
7. Log on as ADATUM\Olivier with the password Pa$$w0rd.
8. Does ADATUM\Olivier have access to the Research\Projects folder?
Answer: Yes. ADATUM\Olivier is a member of the Research group.
9. Does ADATUM\Olivier have access to the Research\Classified folder?
Answer: No. The Classified folder is restricted to allow only Allie Bellew access.
10. Sign out as Olivier.
11. Log on as ADATUM\Allie with the password Pa$$w0rd.
12. Does ADATUM\Allie have access to the Research\Projects folder?
Answer: Yes.
13. Does ADATUM\Allie have access to the Research\Classified folder?
Answer: Yes.
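The following is an added example, not part of the 10967A courseware: it performs Tasks 2 and 3 of this exercise from Windows PowerShell on LON-SVR1 and then prints a combined NTFS and share ACL report, so the answers in Task 4 can be predicted from the ACLs rather than discovered by logging on as each user. Folder paths, the Research group and the Allie and Bill accounts are the lab's own; the function names, the "broad principal" list used for the review check and the report layout are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the 10967A courseware): Tasks 2-3 of this exercise
# scripted on LON-SVR1, followed by an ACL report that makes the Task 4 results
# predictable. Paths, groups and users are the lab's own; the function names
# and the "broad principal" list are assumptions made for this example.

function Set-ExplicitAcl {
    # Disable inheritance while converting inherited entries to explicit ones
    # (the "Convert inherited permissions" choice), remove the entries for the
    # identities in -Remove, and grant -Rights to -Grant with inheritance to
    # subfolders and files. Identities use ACL naming, so the GUI's
    # "Users (LON-SVR1\Users)" is BUILTIN\Users here.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Remove = @(),
        [Parameter(Mandatory)] [string] $Grant,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl'
    )
    # Pass 1: protect the DACL, keeping copies of the inherited ACEs. Persisting
    # first mirrors clicking OK in Advanced Security Settings before Edit.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: every ACE is explicit now and can be removed or replaced.
    $acl = Get-Acl -Path $Path
    foreach ($id in $Remove) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount] $id)
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Grant, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Publish-LabShare {
    # Task 3: share the folder with only ADATUM\Research at Full Control and no
    # Everyone entry. The share ACL is the outer gate; NTFS still decides per
    # subfolder, which is why Olivier reaches Projects but not Classified.
    param([string] $Path = 'C:\Research', [string] $Name = 'Research')
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'ADATUM\Research' | Out-Null
    }
    # Belt and braces: drop the default Everyone entry if a pre-existing share had it.
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
}

function Get-FolderAccessReport {
    # One table of NTFS and share ACEs; Broad flags principals that should not
    # appear on a restricted folder (the review check a defender wants).
    param([Parameter(Mandatory)] [string] $Path, [string] $ShareName)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $rows = @(foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Scope = 'NTFS'; Identity = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
            Inherited = $ace.IsInherited; Broad = $ace.IdentityReference.Value -in $broad
        }
    })
    if ($ShareName) {
        $rows += @(foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
            [pscustomobject]@{
                Scope = 'Share'; Identity = $ace.AccountName
                Rights = $ace.AccessRight; Type = $ace.AccessControlType
                Inherited = $false; Broad = $ace.AccountName -in $broad
            }
        })
    }
    $rows
}

# Task 2: Research is for the Research group only; Classified is for Allie only.
Set-ExplicitAcl -Path 'C:\Research'            -Remove 'BUILTIN\Users'   -Grant 'ADATUM\Research'
Set-ExplicitAcl -Path 'C:\Research\Classified' -Remove 'ADATUM\Research' -Grant 'ADATUM\Allie'
# Task 3
Publish-LabShare
# Review: any row with Broad = True is a finding. Bill (Manager group) appears in
# neither table, Olivier only through Research, Allie on Classified directly.
Get-FolderAccessReport -Path 'C:\Research' -ShareName 'Research' | Format-Table -AutoSize
Get-FolderAccessReport -Path 'C:\Research\Classified'             | Format-Table -AutoSize
```

The two-pass Set-Acl matters: an inherited ACE cannot be purged from the in-memory object until the protection change has been written back, which is exactly the order the GUI imposes (OK on Advanced Security Settings, then Edit). The report is also the artefact to keep after the lab; re-running it later shows whether anyone re-introduced a broad principal.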
Results: After this exercise, you should have secured NTFS and shared folders.
Exercise 3: Encrypting Files and Folders
Task 1: Encrypt files and folders by using EFS
1. Ensure you are logged on to 10967A-LON-SVR1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. On the desktop, click File Explorer on the bottom toolbar, click Computer, and then double-click Local Disk (C:).
3. In the right pane, double-click the Research folder.
4. In the right pane, double-click the Classified folder.
5. In the right pane, right-click, point to New, and then click Text Document.
6. Rename the New Text Document file as Personal.
7. In the left column, double-click Local Disk (C:), and then click the Research folder.
8. In the right column, right-click the Classified folder, and then click Properties.
9. In the Classified Properties dialog box, on the General tab, click the Advanced button.
10. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.
11. In the Classified Properties dialog box, click OK.
12. In the Confirm Attribute Changes message box, ensure that Apply changes to this folder, subfolders and files is selected, and then click OK.
Note: If you receive an error saying that a file cannot be accessed, you can click Ignore and continue.
13. Ensure that the Personal.txt file name now displays in green text. This indicates that it has been encrypted.
14. Verify that you can double-click the Personal.txt file and view the contents successfully.
15. Close File Explorer, and then sign out of 10967A-LON-SVR1.
Task 2: Confirm that files are encrypted
1. Sign in to 10967A-LON-SVR1 with the user name ADATUM\Olivier and the password Pa$$w0rd.
2. On the desktop, click File Explorer, click Computer, and then double-click Local Disk (C:).
3. In the right pane, double-click the Research folder.
4. In the right pane, double-click the Classified folder, click Continue, and then type the Administrator password Pa$$w0rd in the User Account Control dialog box.
5. In the right pane, notice that the file is green. Double-click Personal, and confirm that a message box appears informing you that access is denied. Then click OK.
6. Close Notepad.
7. Close File Explorer and sign out of 10967A-LON-SVR1.
Task 3: Decrypt files and folders
1. Log on to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. On the desktop, click the File Explorer icon, click Computer, and then double-click Local Disk (C:).
3. In the right pane, double-click the Research folder.
4. In the right pane, right-click the Classified folder, and then click Properties.
5. In the Classified Properties dialog box, click the Advanced button.
6. In the Advanced Attributes dialog box, clear the Encrypt contents to secure data check box, and then click OK.
7. In the Classified Properties dialog box, click OK.
8. In the Confirm Attribute Changes message box, ensure that Apply changes to this folder, subfolders and files is selected, and then click OK.
9. Close File Explorer.
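The following is an added example, not part of the 10967A courseware: it performs Tasks 1 to 3 of this exercise with cipher.exe and the Encrypted file attribute, so the "green file name" check of Task 1 and the "access is denied" check of Task 2 become scripted tests rather than things to eyeball. The folder and file names are the lab's; the function names and the constructed file content are assumptions made for this example.

```powershell
# Added example (not part of the 10967A courseware): Tasks 1-3 of this exercise
# with cipher.exe and the Encrypted file attribute, so the green-file-name check
# becomes a scripted test. Paths are the lab's; function names are assumptions.
$folder = 'C:\Research\Classified'
$file   = Join-Path $folder 'Personal.txt'

function Test-EfsEncrypted {
    # True when the Encrypted attribute is set: the same bit that makes File
    # Explorer show the name in green.
    param([Parameter(Mandatory)] [string] $Path)
    $attr = (Get-Item -Path $Path -Force).Attributes
    ($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Protect-EfsFolder {
    # Task 1: equivalent of "Encrypt contents to secure data" with "Apply
    # changes to this folder, subfolders and files". /e encrypts, /s:<dir>
    # recurses. Files created in the folder later are encrypted automatically.
    param([Parameter(Mandatory)] [string] $Path)
    & cipher.exe /e /s:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }
}

function Unprotect-EfsFolder {
    # Task 3: clear the attribute and decrypt everything under the folder.
    param([Parameter(Mandatory)] [string] $Path)
    & cipher.exe /d /s:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /d failed with exit code $LASTEXITCODE" }
}

function Test-EfsReadable {
    # Task 2, as a test: reading an EFS file succeeds only for a user whose
    # certificate is in the file's key list (or a configured recovery agent).
    # NTFS Full Control is not enough; that separation is the point of EFS.
    param([Parameter(Mandatory)] [string] $Path)
    try   { Get-Content -Path $Path -ErrorAction Stop | Out-Null; $true }
    catch { Write-Warning "$Path`: $($_.Exception.Message)"; $false }
}

# --- Task 1 (run as the user who should own the data, here ADATUM\Administrator)
New-Item -Path $file -ItemType File -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content'   # constructed test data
Protect-EfsFolder -Path $folder
"Encrypted: $(Test-EfsEncrypted $file)"   # expected True
"Readable : $(Test-EfsReadable $file)"    # expected True for the encrypting user
# Who can decrypt it? /c lists the certificates (user and recovery agent) with access.
& cipher.exe /c "$file"

# --- Task 2 (run the two checks as ADATUM\Olivier): Encrypted stays True, but
# Readable becomes False and the warning carries the "Access is denied" text.

# --- Task 3 (run as the encrypting user again)
Unprotect-EfsFolder -Path $folder
"Encrypted: $(Test-EfsEncrypted $file)"   # expected False

# Inventory check worth keeping: list every EFS-encrypted file on local drives
# (/u touches the keys on encrypted files; /n suppresses the update and only lists).
& cipher.exe /u /n
```

The Task 2 result is worth pausing on: the attribute test and the read test disagree for Olivier, which is the behaviour to expect from EFS. Access control decides who may open the file; the user's EFS certificate decides who can make sense of it, and the cipher /c listing is where a reviewer confirms that only the intended certificate (plus any recovery agent) is present.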
Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 10967A-LON-DC1 and 10967A-LON-CL1.
Results: After this exercise, you should have encrypted and decrypted files and folders by using Encrypting File System (EFS).
Module 10: Implementing Network Security
Lab: Implementing Network Security
Exercise 1: Configuring Windows Firewall with Advanced Security
Task 1: Turn off website caching and verify connectivity to the World Wide Web service
1. Ensure you are signed in to 10967A-LON-CL1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. Open Internet Explorer, click the gear icon in the top right corner, and then select Internet Options.
3. In the Internet Options dialog box, on the General tab, in the Browsing history section, click Settings.
4. On the Caches and databases tab, clear the Allow website caches and databases check box, and then click OK.
5. On the General tab of Internet Options, select the Delete browsing history on exit check box, and then click the Delete… button.
6. Select all check boxes in the Delete Browsing History dialog box, and then click Delete.
Notice the “Internet Explorer has finished deleting the selected browsing history” message in the Internet Explorer window.
7. Click OK in the Internet Options dialog box.
8. Close Internet Explorer.
9. Open Internet Explorer again, and in the address bar type http://LON-DC1/Intranet.
10. Are you able to connect?
Answer: Yes, by default you are able to connect to the URL.
11. Close Internet Explorer.
Task 2: Configure a new firewall rule to block access to the World Wide Web service
1. Switch virtual machines and ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
3. In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
4. Right-click Inbound Rules, and then click New Rule.
5. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined.
6. In the drop-down box, select World Wide Web Services (HTTP), and then click Next.
7. On the Predefined Rules page, in the Rules section, select the World Wide Web Services (HTTP Traffic-In) check box, scroll across the rule to review the settings that are configured, and then click Next.
8. On the Action page, click Block the connection, and then click Finish.
9. In the Windows Firewall with Advanced Security management console, in the Inbound Rules pane, click the Name column to sort the rules by name, and then locate the inbound rule you just configured. It should have a red circle with a line through it.
10. Double-click the rule and verify that the settings on the tabs represent what you configured. Click OK when you are finished.
Task 3: Test World Wide Web service access
1. Ensure you are signed in to 10967A-LON-CL1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. Open Internet Explorer, and in the address bar type http://LON-DC1/Intranet.
3. Are you able to connect?
Answer: No, you are unable to connect to the URL and view the company intranet site. You receive a message stating “This page can’t be displayed”.
4. Close Internet Explorer.
Task 4: Allow access to the World Wide Web service
1. Switch virtual machines and ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
3. In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
4. Locate the World Wide Web Services (HTTP Traffic-In) rule that you configured earlier, right-click it, and then select Properties.
5. On the General tab, in the Action section, click Allow the connection, and then click OK.
Notice that the icon now changes to a green circle with a white tick in the middle.
Task 5: Verify that World Wide Web access has been restored
1. Switch virtual machines again and ensure you are signed in to 10967A-LON-CL1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. Open Internet Explorer, and in the address bar type http://LON-DC1/Intranet.
3. Are you able to connect?
Answer: Yes, you are able to connect to the URL as was originally the case.
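The following is an added example, not part of the 10967A courseware: it reproduces Tasks 2 to 5 of this exercise with the NetSecurity module, creating the block rule on LON-DC1, checking what the rule actually contains, and testing the intranet site from LON-CL1 before and after the action is flipped to Allow. The rule name is the one the wizard gives the predefined rule and the URL is the lab's; the rule description, the function names and the shape of the test output are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the 10967A courseware): Tasks 2-5 of this exercise
# with the NetSecurity module. The rule name is the one the wizard gives the
# predefined rule; the description text and the function names are assumptions
# for this example. Run the rule functions on LON-DC1 and the test from LON-CL1.
$ruleName = 'World Wide Web Services (HTTP Traffic-In)'

function New-HttpBlockRule {
    # Task 2: an inbound rule for TCP/80 with Action Block. The IIS allow rule
    # can stay in place: Windows Firewall evaluates explicit block rules ahead
    # of allow rules, so this one wins while it is enabled.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 80 -Action Block -Profile Any `
        -Description 'Lab: block inbound HTTP to the intranet site' | Out-Null
}

function Set-HttpRuleAction {
    # Task 4: flip the same rule to Allow (or back to Block) instead of deleting it,
    # so the change history stays in one rule.
    param([Parameter(Mandatory)] [ValidateSet('Allow', 'Block')] [string] $Action)
    Set-NetFirewallRule -DisplayName $ruleName -Action $Action
}

function Get-HttpRuleState {
    # Task 2 step 10 / Task 4: confirm what is actually configured, not what the
    # icon suggests. Port and protocol live in the rule's port filter object.
    Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName; Enabled = $_.Enabled; Direction = $_.Direction
            Action = $_.Action; Profile = $_.Profile; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort
        }
    }
}

function Test-IntranetAccess {
    # Tasks 3 and 5, run from LON-CL1. A blocked port shows up as a failed TCP
    # handshake; an allowed port returns the HTTP status of the page.
    param([string] $Server = 'LON-DC1', [string] $Url = 'http://LON-DC1/Intranet')
    $tcp = Test-NetConnection -ComputerName $Server -Port 80 -WarningAction SilentlyContinue
    try   { $http = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10).StatusCode }
    catch { $http = $_.Exception.Message }
    [pscustomobject]@{ Server = $Server; TcpPort80Open = $tcp.TcpTestSucceeded; Http = $http }
}

# On LON-DC1 (Task 2)
New-HttpBlockRule
Get-HttpRuleState            # Action = Block
# On LON-CL1 (Task 3): TcpPort80Open = False, Http = a connection error
Test-IntranetAccess
# On LON-DC1 (Task 4)
Set-HttpRuleAction -Action Allow
Get-HttpRuleState            # Action = Allow
# On LON-CL1 (Task 5): TcpPort80Open = True, Http = 200
Test-IntranetAccess
```

Two points from the defender's side. First, the block rule does not need the IIS allow rule removed; explicit blocks take precedence, which is why a stray block rule is the first thing to look for when a service is unreachable despite an allow rule being present. Second, the firewall does not log dropped packets by default; Set-NetFirewallProfile with -LogBlocked True turns that on per profile and writes to the pfirewall.log under %SystemRoot%\System32\LogFiles\Firewall, which is where the Task 3 failure would be visible on the server.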
Results: After this exercise, you should have created and tested an inbound firewall rule to control access to the world wide web service.
Exercise 2: Create a Server to Server Connection Security Rule
Task 1: Enable ICMPv4 traffic
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
3. Right-click Inbound Rules, and then click New Rule.
4. In the New Inbound Rule Wizard dialog box, click Custom, and then click Next.
5. On the Programs page, click Next.
6. On the Protocols and Ports page, in the Protocol type list, click ICMPv4, and then click Next.
7. On the Scope page, click Next.
8. On the Action page, click Allow the connection if it is secure, and then click Next.
9. On the Users page, click Next.
10. On the Computers page, click Next.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type ICMPv4 allowed, and then click Finish.
Task 2: Create a Server to Server Connection Security rule
1. Remain on 10967A-LON-DC1.
2. Right-click Connection Security Rules, and then click New Rule.
3. In the New Connection Security Rule Wizard, click Server-to-Server, and then click Next.
4. On the Endpoints page, click Next.
5. On the Requirements page, click Request authentication for inbound and outbound connections, and then click Next.
6. On the Authentication Method page, click Advanced, and then click Customize.
7. In the Customize Advanced Authentication Methods dialog box, under First authentication, click Add.
8. In the Add First Authentication Method dialog box, click Preshared Key, type secret, and then click OK.
9. In the Customize Advanced Authentication Methods dialog box, click OK.
10. On the Authentication Method page, click Next.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type A Datum-Server-to-Server, and then click Finish.
Task 3: Create a Server to Server Connection Security rule on a member server
1. Switch to 10967A-LON-SVR1 and ensure you are logged on as ADATUM\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then select Windows Firewall with Advanced Security.
3. Right-click Connection Security Rules, and then click New Rule.
4. In the New Connection Security Rule Wizard, click Server-to-Server, and then click Next.
5. On the Endpoints page, click Next.
6. On the Requirements page, click Require authentication for inbound and outbound connections, and then click Next.
7. On the Authentication Method page, click Advanced, and then click Customize.
8. In the Customize Advanced Authentication Methods dialog box, under First authentication, click Add.
9. In the Add First Authentication Method dialog box, click Preshared Key, type secret, and then click OK.
10. In the Customize Advanced Authentication Methods dialog box, click OK.
11. On the Authentication Method page, click Next.
12. On the Profile page, click Next.
13. On the Name page, in the Name box, type A Datum-Server-to-Server, and then click Finish.
Task 4: Verify the Server to Server Connection Security rule
1. Remain on 10967A-LON-SVR1.
2. Open a Command Prompt with administrative privileges.
3. At the Command Prompt, type ping LON-DC1, and then press Enter.
4. Switch to Windows Firewall with Advanced Security.
5. Expand Monitoring, expand Security Associations, and then click Main Mode.
6. In the right pane, double-click the listed item.
7. View the information in Main Mode, and then click OK.
8. Click Quick Mode.
9. In the right pane, double-click the listed item.
10. View the information in Quick Mode, and then click OK.
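The following is an added example, not part of the 10967A courseware: it builds the ICMPv4 rule and the server-to-server connection security rule of Tasks 1 to 3 with the NetSecurity module and then performs the Task 4 verification by counting the main mode and quick mode security associations after a ping. The rule names, the Request/Require settings and the pre-shared key secret are the lab's; the display name of the authentication set, the binding of the rule to that set by its Name property, and the function names are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the 10967A courseware): Tasks 1-4 of this exercise
# with the NetSecurity module. Run New-LabIpsecRule once on LON-DC1 with
# -Security Request and once on LON-SVR1 with -Security Require, the two
# settings the lab's wizards use; the pre-shared key 'secret' is the lab's.
# The auth set display name and binding it by Name are assumptions for this example.

function Enable-SecuredIcmp {
    # Task 1: "Allow the connection if it is secure" is -Authentication Required
    # on an ordinary firewall rule; ping only passes once IPsec protects it.
    New-NetFirewallRule -DisplayName 'ICMPv4 allowed' -Direction Inbound `
        -Protocol ICMPv4 -Action Allow -Authentication Required | Out-Null
}

function New-LabIpsecRule {
    param(
        [Parameter(Mandatory)] [ValidateSet('Request', 'Require')] [string] $Security,
        [Parameter(Mandatory)] [string] $PreSharedKey
    )
    # Phase 1 (main mode) authentication: the wizard's "Preshared Key" choice
    # under First authentication, at machine level.
    $proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'A Datum PSK' -Proposal $proposal
    # Server-to-Server rule: any endpoint to any endpoint, transport mode (the
    # default), the chosen security level applied to both directions.
    New-NetIPsecRule -DisplayName 'A Datum-Server-to-Server' `
        -InboundSecurity $Security -OutboundSecurity $Security `
        -Phase1AuthSet $authSet.Name
}

function Test-LabIpsec {
    # Task 4: generate traffic, then look at the SAs the negotiation produced.
    # No main mode SA after a ping means the peers never authenticated; a main
    # mode SA without a quick mode SA means phase 2 (the traffic policy) failed.
    param([string] $Peer = 'LON-DC1')
    Test-Connection -ComputerName $Peer -Count 2 -ErrorAction SilentlyContinue | Out-Null
    $mm = @(Get-NetIPsecMainModeSA)
    $qm = @(Get-NetIPsecQuickModeSA)
    [pscustomobject]@{ Peer = $Peer; MainModeSAs = $mm.Count; QuickModeSAs = $qm.Count }
    $mm | Format-List   # the detail shown in the console's Main Mode pane
    $qm | Format-List   # the detail shown in the Quick Mode pane
}

# On LON-DC1 (Tasks 1-2)
Enable-SecuredIcmp
New-LabIpsecRule -Security Request -PreSharedKey 'secret'
# On LON-SVR1 (Task 3), then verify (Task 4)
New-LabIpsecRule -Security Require -PreSharedKey 'secret'
Test-LabIpsec -Peer 'LON-DC1'
```

Note the asymmetry the lab builds: LON-SVR1 requires protection while LON-DC1 only requests it, so LON-DC1 still talks in the clear to hosts that have no rule at all, but every exchange between the two servers must be authenticated and protected or it does not happen. The pre-shared key is the lab's choice for simplicity; in a domain the machine Kerberos proposal (New-NetIPsecAuthProposal -Machine -Kerberos) gives the same result without a shared secret that has to be typed into every peer.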
Task 5: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.
Results: After completing this exercise, you will have created a server-to-server connection security rule and validated the secure nature of the communication between the two servers.
Module 11: Implementing Security Software
Lab: Implementing Security Software
Exercise 1: Create and Enforce an AppLocker Rule
Task 1: Create a Group Policy Object to apply an AppLocker rule in the domain
1. Ensure you are logged on to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. On LON-DC1, in Server Manager, click Tools, and then select Group Policy Management.
3. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
4. Name the new GPO SQLSysClrTypes Restriction Policy, and then click OK.
Task 2: Create a Windows Installer rule to block the installation of the .msi file
1. In the Group Policy Management Console, expand Group Policy Objects, right-click the SQLSysClrTypes Restriction Policy Group Policy Object, and then click Edit.
2. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
3. Click Windows Installer Rules, right-click it, and then select Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, select Deny. Notice that the rule could be restricted to a specific user or group. Click Next.
6. On the Conditions page, select Publisher, and then click Next.
7. Click Browse, navigate to E:\Mod11\LabFiles\SQLSysClrTypes.msi, and then click Open.
8. Notice the text explaining the slider usage at the top of the page, and then click Next.
9. On the Exceptions page, click Next.
10. On the Name and Description page, click Create.
11. Click Yes if you are prompted to create default rules.
Task 3: Configure Windows Installer rule enforcement to be audit only
1. Click AppLocker, and then click Configure rule enforcement.
2. Under Windows Installer Rules, select the Configured check box, click Audit only, and then click OK.
Task 4: Configure the Application Identity service to start automatically
Note: Before you can enforce AppLocker policies, you must start the Application Identity service.
1. In the Group Policy Management Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, click System Services, and then double-click Application Identity.
2. In the Application Identity Properties dialog box, select the Define this policy setting check box.
3. Under Select service startup mode, select Automatic, and then click OK.
4. Close the Group Policy Management Editor.
Task 5: Apply the AppLocker rule to the domain’s Group Policy
1. In the Group Policy Management Console window, drag the SQLSysClrTypes Restriction Policy GPO onto the Adatum.com domain container.
2. Click OK to link the GPO to the domain.
3. Close the Group Policy Management console.
4. Open a Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.
Note: Alternatively, you can open a Windows PowerShell console, import the GroupPolicy module by running the command Import-Module GroupPolicy, and then run the cmdlet Invoke-GPUpdate.
5. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if need be, and sign in as ADATUM\Allie with the password Pa$$w0rd.
6. Open a Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.
Task 6: Run the Windows Installer and verify the audited result in Event Viewer
1. Hover the mouse over the lower left corner of the desktop, and when the Start menu appears, right-click, and then click Run.
2. In the Run dialog box, type \\LON-DC1\E$, and then click OK.
3. In the Windows Security dialog box, sign in to the ADATUM domain as Administrator with the password Pa$$w0rd, and then click OK.
4. Go to \\LON-DC1\E$\Mod11\Labfiles\.
5. Right-click SQLSysClrTypes.msi, and then select Install.
6. Complete the installation of the Windows Installer package.
If you are prompted for credentials during the installation by a User Account Control dialog box, enter the user name Administrator and the password Pa$$w0rd.
7. Open Control Panel, select System and Security, select Administrative Tools, and then double-click Event Viewer.
8. Go to Applications and Services Logs\Microsoft\Windows\AppLocker\MSI and Script and view the events that are present.
9. What is the Event ID for audited blocked installations of Windows Installer files?
Answer: The Event ID is 8006.
Note: Notice the presence of the 8006 Event IDs and the descriptive text saying “…SQLSYSSLRTypes.msi was allowed to run but would have been prevented from running if the AppLocker policy were enforced.”
10. Note: If the event does not appear for you in Event Viewer, restart the Application Identity service on 10967A-LON-DC1 and try again.
Task 7: Enforce the blocking of the Windows Installer
1. Switch to the 10967A-LON-DC1 virtual machine.
2. In Server Manager, click Tools, and then select Group Policy Management.
3. In the Group Policy Management Console, expand Domains, then Adatum.com, and underneath Adatum.com right-click the SQLSysClrTypes Restriction Policy, and then click Edit.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
5. Click AppLocker, and then click Configure rule enforcement.
6. Under Windows Installer Rules, ensure that the Configured check box is still selected, select Enforce rules from the drop-down box, and then click OK.
7. Open a Command Prompt window, type gpupdate /force, and then press Enter.
8. Wait for the policy to be updated.
Task 8: Run the Windows Installer file and verify that the application is blocked
1. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if need be, and sign in as ADATUM\Allie with the password Pa$$w0rd.
2. Open a Command Prompt window, type gpupdate /force, press Enter, and then wait for the policy to be updated.
3. Hover the mouse over the lower left corner of the desktop, and when the Start menu displays, right-click, and then click Run.
4. In the Run dialog box, type \\LON-DC1\E$, and then click OK.
5. Go to \\LON-DC1\E$\Mod11\Labfiles\.
6. Right-click SQLSysClrTypes.msi, select Uninstall, and remove the software from the system that was installed as part of the earlier task.
7. When uninstalled, right-click SQLSysClrTypes.msi, and then select Install.
8. Notice the Windows Installer message “The system administrator has set policies to prevent this installation.” Click OK.
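The following is an added example, not part of the 10967A courseware: it drives the whole audit-then-enforce cycle of Tasks 2 to 8 from PowerShell on LON-DC1, building the deny-by-publisher rule from the signature of the .msi, writing it into the lab's GPO in Audit only mode, reading the 8006 events from the client, and only then switching the collection to enforcement. The .msi path, the GPO name, the event ID and the user Allie are the lab's. Assumptions made for this example: the LDAP path format passed to Set-AppLockerPolicy, the allow rules bundled alongside the deny rule (standing in for the wizard's "create default rules" prompt), and the function names.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the 10967A courseware): the deny-by-publisher
# Windows Installer rule of this exercise, applied to the lab's GPO in audit
# mode, checked against the AppLocker events, then switched to enforcement.
# The .msi path and GPO name are the lab's. Assumptions for this example: the
# LDAP path format for Set-AppLockerPolicy, the allow rules bundled with the
# deny rule (the equivalent of the "create default rules" prompt), and the
# function names.
Import-Module AppLocker, GroupPolicy

$msi     = 'E:\Mod11\LabFiles\SQLSysClrTypes.msi'
$gpoName = 'SQLSysClrTypes Restriction Policy'
$ldap    = "LDAP://LON-DC1.Adatum.com/$((Get-GPO -Name $gpoName).Path)"   # assumed format

function New-MsiDenyPolicyXml {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('AuditOnly', 'Enabled')] [string] $Mode
    )
    # Read the signature the wizard reads when you Browse to the file.
    $info = Get-AppLockerFileInformation -Path $Path
    if (-not $info.Publisher) { throw "$Path is not signed; a publisher rule cannot be built" }
    $p   = $info.Publisher
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    # Deny beats Allow in AppLocker, so the deny rule works alongside the allow
    # rules. Without any allow rule an enforced Msi collection blocks every
    # .msi for everyone, which is why the wizard offers default rules.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Msi" EnforcementMode="$Mode">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $(& $esc $p.ProductName)" Description="Lab deny rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $p.PublisherName)" ProductName="$(& $esc $p.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow all signed Windows Installer files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators all Windows Installer files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Set-LabAppLockerPolicy {
    param([Parameter(Mandatory)] [string] $Xml, [Parameter(Mandatory)] [string] $LdapPath)
    $tmp = Join-Path $env:TEMP 'applocker-lab.xml'
    Set-Content -Path $tmp -Value $Xml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $tmp -Ldap $LdapPath   # replaces the GPO's AppLocker settings
    # Dry run before touching a client: what do the rules decide for Allie?
    Test-AppLockerPolicy -XmlPolicy $tmp -Path $msi -User 'ADATUM\Allie' |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerAuditEvents {
    # Task 6 step 9: the audit events (ID 8006) in the MSI and Script log on the
    # client. Query remotely from the DC or run locally on LON-CL1.
    param([string] $ComputerName = 'LON-CL1')
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } |
        Select-Object TimeCreated, MachineName, Message
}

# Task 4 equivalent, local form: AppLocker does nothing unless AppIDSvc runs.
# Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service -Name AppIDSvc

# Tasks 2-3 and 5: audit first ...
Set-LabAppLockerPolicy -Xml (New-MsiDenyPolicyXml -Path $msi -Mode AuditOnly) -LdapPath $ldap
Invoke-GPUpdate -Computer 'LON-CL1' -Force -ErrorAction SilentlyContinue
# ... run the installer on LON-CL1 as Allie (Task 6), then read the evidence:
Get-AppLockerAuditEvents -ComputerName 'LON-CL1'
# Task 7: only after the audit shows the expected hits, enforce.
Set-LabAppLockerPolicy -Xml (New-MsiDenyPolicyXml -Path $msi -Mode Enabled) -LdapPath $ldap
Invoke-GPUpdate -Computer 'LON-CL1' -Force -ErrorAction SilentlyContinue
```

Test-AppLockerPolicy is the cheap check between Task 6 and Task 7: it reports Denied together with the matching rule for Allie before any client is touched, and it is also how to confirm that a later edit to the GPO has not accidentally widened or narrowed the rule. Keep the audit window long enough to see 8006 events from real installs, since the same deny rule enforced without a surrounding allow rule is what turns a targeted block into a blanket one.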
Results: After this exercise, you will have created an AppLocker rule to block the installation of a particular Windows Installer package. You will have tested the rule before implementing the AppLocker rule in your production environment and you will have applied that AppLocker rule using Group Policy across the A Datum domain.
Exercise 2: Use the Security Configuration Wizard
Task 1: Create a security policy
1. Ensure you are logged on to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Security Configuration Wizard.
3. On the Welcome to the Security Configuration Wizard page, click Next.
4. On the Configuration Action page, select Create a new security policy, and then click Next.
5. On the Select Server page, accept the default server name, LON-DC1, and then click Next.
6. On the Processing Security Configuration Database page, you can click View Configuration Database and explore the configuration that was discovered on LON-DC1.
If you receive a Windows Security Warning regarding an ActiveX control, click Yes to allow the interaction.
7. Click Next.
8. On the Role-Based Service Configuration section introduction page, click Next.
9. On the Select Server Roles page, you can explore the settings that were discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
10. On the Select Client Features page, you can explore the settings that were discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
11. On the Select Administration and Other Options page, you can explore the settings that were discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
12. On the Select Additional Services page, you can explore the settings that were discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
13. On the Handling Unspecified Services page, do not change the default setting, Do not change the startup mode of the service. Click Next.
14. On the Confirm Service Changes page, in the View list, select All services.
15. Examine the settings in the Current Startup Mode column, which reflect service startup modes on 10967A-LON-DC1, and compare them to the settings specified in the Policy Startup Mode column.
16. In the View list, select Changed services.
17. Click Next.
18. On the Network Security section introduction page, click Next.
19. On the Network Security Rules page, you can examine the firewall rules derived from the configuration of 10967A-LON-DC1. Do not change any settings. Click Next.
20. On the Registry Settings section introduction page, click Next.
21. On each page of the Registry Settings section, examine the settings, but do not change any of them, and then click Next.
22. Continue to click Next on each page until the Registry Settings Summary page appears. Examine the settings, and then click Next.
23. On the Audit Policy section introduction page, click Next.
24. On the System Audit Policy page, examine but do not change the settings. Click Next.
25. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy Setting columns. Click Next.
26. On the Save Security Policy section introduction page, click Next.
27. In the Security Policy File Name text box, click Browse and navigate to C:\Labfiles, click New Folder, name the folder SCW, double-click the SCW folder, type DC Security Policy in the File name box, and then click Save. Ensure that the following is listed in the Security policy file name box: C:\Labfiles\SCW\DC Security Policy
28. Click the View Security Policy button.
29. If you are prompted to confirm the use of an ActiveX® control, click Yes.
30. Close the window after you have examined the policy.
31. In the Security Configuration Wizard, click Next.
32. On the Apply Security Policy page, accept the Apply later default setting, and then click Next.
33. Click Finish.
Task 2: Transform a security policy into a GPO
1. Ensure you are still signed in on 10967A-LON-DC1.
2. Open the Start screen and type cmd. When the Command Prompt icon appears, right-click it and choose Run as administrator.
3. Change to the directory where your new security policy is located: cd C:\LabFiles\SCW\
4. View the help for the scwcmd command by typing scwcmd /?
5. View the help for the scwcmd transform command by typing scwcmd transform /?
6. Transform the DC Security Policy.xml file to a GPO called DC Security Policy: scwcmd transform /p:"DC Security Policy.xml" /g:"DC Security Policy"
7. Verify that the command completed successfully, and then close the Command Prompt window.
8. In Server Manager, click Tools, and then click Group Policy Management.
9. In the console tree, expand Forest: Adatum.com, Domains, Adatum.com, and Group Policy Objects, and then click DC Security Policy. This is the GPO created by the Scwcmd.exe command.
10. Click the Settings tab to examine the settings of the GPO.
11. Close the Group Policy Management console.
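The following is an added example, not part of the 10967A courseware: it wraps the scwcmd steps of Task 2 so that a failed transform stops the script, saves the settings report that step 10 shows in the console, and adds the check this exercise leads up to but does not perform, an scwcmd analyze run that compares the live LON-DC1 configuration with the saved policy. The policy file and GPO name are the lab's; the results folder, the report file location and the function names are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the 10967A courseware): Task 2 wrapped so that
# each scwcmd step is checked, plus an analysis run that compares the live
# LON-DC1 configuration with the saved policy. The policy file and GPO name
# are the lab's; the results folder, the report file and the function names
# are assumptions for this example.
Import-Module GroupPolicy
$policy  = 'C:\Labfiles\SCW\DC Security Policy.xml'
$gpoName = 'DC Security Policy'
$results = 'C:\Labfiles\SCW\Results'   # assumed output folder

function Invoke-Scwcmd {
    # Run one scwcmd verb and stop on a non-zero exit code so a failed step is
    # not silently followed by the next one (the scripted form of step 7).
    param([Parameter(Mandatory)] [string[]] $Arguments)
    & scwcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "scwcmd $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

function ConvertTo-GpoFromScwPolicy {
    # Task 2 steps 6-10. The transform creates the GPO under Group Policy Objects
    # but does not link it anywhere, so the settings can be reviewed before
    # New-GPLink puts them in force.
    param([Parameter(Mandatory)] [string] $PolicyPath, [Parameter(Mandatory)] [string] $GpoName)
    if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
        throw "A GPO named '$GpoName' already exists; remove or rename it before transforming"
    }
    Invoke-Scwcmd -Arguments @('transform', "/p:$PolicyPath", "/g:$GpoName")
    $gpo = Get-GPO -Name $GpoName
    # Step 10 as a file you can diff or archive: the GPO's settings report.
    $report = Join-Path (Split-Path $PolicyPath) "$GpoName.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
    [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Linked = $false; Report = $report }
}

function Compare-ServerToScwPolicy {
    # Not in the lab's click path, but the check a reviewer wants afterwards:
    # does the server still match the policy it was baselined against?
    # scwcmd analyze writes one <server>.xml result per machine into -OutDir.
    param([Parameter(Mandatory)] [string] $PolicyPath, [string] $Server = 'LON-DC1',
          [Parameter(Mandatory)] [string] $OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Invoke-Scwcmd -Arguments @('analyze', "/m:$Server", "/p:$PolicyPath", "/o:$OutDir")
    Get-ChildItem -Path $OutDir -Filter '*.xml'
}

ConvertTo-GpoFromScwPolicy -PolicyPath $policy -GpoName $gpoName
Compare-ServerToScwPolicy -PolicyPath $policy -Server 'LON-DC1' -OutDir $results
```

The Linked = $false field in the output is deliberate: the GPO that scwcmd transform creates is unlinked, which is why the lab finds it under Group Policy Objects rather than under the domain. Linking it is a separate, reviewable decision, and the saved HTML report is what a second person reviews before that link is made.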
Results: After this exercise, you will have used the Security Configuration Wizard (SCW) to create a security policy named DC Security Policy, and transformed the security policy to a Group Policy Object (GPO) named DC Security Policy.
Exercise 3: Use the Best Practices Analyzer
Task 1: Run the BPA on the AD DS server role
1. Ensure you are logged on to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, click AD DS in the left navigation pane.
3. In the center details pane, locate the Best Practices Analyzer.
4. In the TASKS drop-down list, select Start BPA Scan.
5. In the Select Servers dialog box, make sure that LON-DC1.Adatum.com is selected, and then click Start Scan.
Task 2: Analyze the BPA compliance results
1. Review the BPA results.
Note: It can take a minute for results to appear. Refresh the results by using the TASKS menu.
2. How many events were returned?
Answer: 43
3. Select an item and view the additional information that is available.
4. What three additional pieces of information are provided?
Answer: Problem, impact, and resolution.
5. Click the Severity column heading to sort the findings.
6. What severity categories are shown for this BPA scan?
Answer: Error, Information, and Warning.
7. In the Click to display saved search settings drop-down list (the icon on the right side of the filter text box), select the Compliant results report.
8. Notice that only items with a Severity of Information are now displayed.
9. How many compliant results were found?
Answer: 34
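The following is an added example, not part of the 10967A courseware: it runs the same AD DS scan as Task 1 with the BestPractices module and computes the Task 2 figures (total results, compliant results, the severity breakdown) rather than reading them from the console, then lists the non-compliant findings with the Problem, Impact and Resolution fields the lab points at. The model ID Microsoft/Windows/DirectoryServices is the standard one for the AD DS role (Get-BpaModel lists the IDs installed on a server); the function name and the output shape are assumptions made for this example.

```powershell
# Added example (not part of the 10967A courseware): Tasks 1-2 of this exercise
# with the BestPractices module on LON-DC1. The AD DS model ID is the standard
# one for the role (confirm with Get-BpaModel); the function name and the
# output shape are assumptions for this example.
Import-Module BestPractices

function Invoke-LabBpa {
    param([string] $ModelId = 'Microsoft/Windows/DirectoryServices')
    # Task 1: run the scan (the "Start BPA Scan" task), then read its results.
    Invoke-BestPracticesAnalyzer -ModelId $ModelId | Out-Null
    $all = @(Get-BpaResult -ModelId $ModelId)

    # Task 2: the numbers the lab asks for, computed rather than read off the
    # console. The console's "Compliant results" view is Severity = Information.
    $compliant = @($all | Where-Object { $_.Severity -eq 'Information' })
    $summary = [pscustomobject]@{
        Model        = $ModelId
        Total        = $all.Count
        Compliant    = $compliant.Count
        NonCompliant = $all.Count - $compliant.Count
        BySeverity   = ($all | Group-Object Severity |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
    # Every finding carries Problem, Impact and Resolution; that is what an
    # analyst actions, so keep the non-compliant ones as their own list.
    $findings = $all | Where-Object { $_.Severity -ne 'Information' } |
        Sort-Object Severity, Title |
        Select-Object Severity, Category, Title, Problem, Impact, Resolution
    [pscustomobject]@{ Summary = $summary; Findings = $findings }
}

$r = Invoke-LabBpa
$r.Summary  | Format-List
$r.Findings | Format-Table Severity, Title -AutoSize
# Drill into one finding the way the console's detail pane does:
$r.Findings | Select-Object -First 1 | Format-List Problem, Impact, Resolution
```

Running this after every change to the domain controller and keeping the Summary objects side by side turns the BPA from a one-off check into a trend: a rising NonCompliant count, or a new Error entry in BySeverity, is what to investigate first.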
Task 3: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V® Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 1 to 3 for 10967A-LON-CL1.
Results: After this exercise, you will be able to run the Best Practices Analyzer (BPA) on a server role and determine areas for improved efficiency or performance.
Module 12: Monitoring Server Performance
Lab: Monitoring Server Performance
Exercise 1: Creating a Performance Baseline
Task 1: Create a Data Collector Set
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. In Server Manager, select Tools, and then click Performance Monitor.
3. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.
4. Right-click User Defined, point to New, and then click Data Collector Set.
5. In the Create new Data Collector Set wizard, in the Name box, type LON-SVR1 Performance.
6. Click the Create manually (Advanced) radio button, and then click Next.
7. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
8. On the Which performance counters would you like to log? page, click Add.
9. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
10. In the Available counters list, expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Still within PhysicalDisk, click Avg. Disk Queue Length, and then click Add >>.
13. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.
14. In the Available counters list, expand System, click Processor Queue Length, and then click Add >>. Then click OK.
15. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, ensure that Seconds is selected in the Units drop-down box, and then click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set? page, click Save and close, and then click Finish.
Task 2: Start the Data Collector Set
1. Switch to Performance Monitor.
2. Navigate to Data Collector Sets, and then click User Defined.
3. Right-click LON-SVR1 Performance, and then click Start.
Task 3: Create workloads on the server
1. Open the Start menu, type cmd.exe, and then press Enter.
2. At the Command Prompt, type the following command, and then press Enter. (This creates a file approximately 100 MB in size.) fsutil file createnew bigfile 104857600
3. At the Command Prompt, type the following command, and then press Enter. (This copies the file to LON-DC1.) copy bigfile \\lon-dc1\c$
4. At the Command Prompt, type the following command, and then press Enter. (This creates a copy of the file on LON-DC1.) copy \\lon-dc1\c$\bigfile bigfile2
5. At the Command Prompt, type the following command, and then press Enter. (This deletes all the created files from LON-SVR1.) del bigfile*.*
6. At the Command Prompt, type the following command, and then press Enter. (This deletes all the created files from LON-DC1.) del \\lon-dc1\c$\bigfile*.*
7. Do not close the Command Prompt.
Task 4: Analyze collected data
1. Switch to Performance Monitor.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View Log Data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
6. In the Select Log File dialog box, double-click Admin.
7. Double-click the LON-SVR1 Performance folder, double-click the LON-SVR1_ folder, and then double-click DataCollector01.blg.
8. Click the Data tab, and then click Add.
9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click % Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length, and then click Add >>.
13. Expand Processor, click % Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
15. In the Performance Monitor Properties dialog box, click OK.
16. On the toolbar, click the down arrow, and then click Report.
17. Record the values listed in the report for analysis later.
Recorded values:
• Memory\Pages/sec
• Network Interface\Bytes Total/sec
• PhysicalDisk\% Disk Time
• PhysicalDisk\Avg. Disk Queue Length
• Processor\% Processor Time
• System\Processor Queue Length
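Scripted equivalent of Tasks 1 to 4, added here as an example and not part of the course lab: it builds the same six-counter collector with logman, runs a local version of the file-copy workload, and then summarises the captured .blg with Import-Counter the way the Report view does. The collector name and counter list are the lab's; the output folder, scratch folder and ten-second settle time are assumptions, and the copy is kept local rather than going to \\lon-dc1\c$.

```powershell
# Added example, not from the course lab. Run elevated on the server being baselined.
# Assumed values: $OutDir, $WorkDir and the settle time; the collector name and
# the counter list are the lab's.
$SetName  = 'LON-SVR1 Performance'
$OutDir   = 'C:\PerfLogs\Baseline'           # assumed output folder
$WorkDir  = Join-Path $env:TEMP 'perfload'   # assumed scratch folder for the workload
$Counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)
New-Item -ItemType Directory -Path $OutDir, $WorkDir -Force | Out-Null

# logman is the command-line front end to Data Collector Sets. -si 1 is the
# one-second sample interval from step 15; -f bin writes a .blg that Performance
# Monitor can open. Remove any stale set of the same name first so create succeeds.
logman delete $SetName 2>$null | Out-Null
logman create counter $SetName -c $Counters -si 1 -f bin -o (Join-Path $OutDir 'DataCollector01') | Out-Null
logman start $SetName | Out-Null

# Workload from Task 3: a 100 MB file created, copied and deleted.
$Big = Join-Path $WorkDir 'bigfile'
fsutil file createnew $Big 104857600 | Out-Null
Copy-Item -Path $Big -Destination "$Big.copy"
Remove-Item -Path "$Big*" -Force
Start-Sleep -Seconds 10            # let a few more samples land before stopping

logman stop $SetName | Out-Null

# Task 4: summarise the newest .blg. Import-Counter yields one object per sample
# interval; each carries a CounterSamples collection with Path and CookedValue.
$Blg = Get-ChildItem -Path $OutDir -Filter '*.blg' -Recurse |
    Sort-Object LastWriteTime | Select-Object -Last 1

function Get-CounterSummary {
    param([string]$Path)
    (Import-Counter -Path $Path).CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $m = $_.Group | Measure-Object -Property CookedValue -Minimum -Maximum -Average
            [pscustomobject]@{
                Counter = $_.Name
                Minimum = [math]::Round($m.Minimum, 3)
                Maximum = [math]::Round($m.Maximum, 3)
                Average = [math]::Round($m.Average, 3)
            }
        }
}

# These are the "recorded values" of step 17. Keep them with the date and a note
# of the workload so later captures can be compared against a known-good state.
Get-CounterSummary -Path $Blg.FullName | Format-Table -AutoSize
```

The point of keeping the summary rather than a screenshot is that the numbers are what make a later deviation (sustained CPU with no matching disk or network activity, as Exercise 3 goes on to show) recognisable as abnormal instead of merely busy.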
Results: After this exercise, you should have established a performance baseline.
Exercise 2: Simulating a Server Load
Task 1: Load a new program on the server
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. At the Command Prompt, type the following command, and then press Enter.
cd C:\Labfiles\StressTool\amd64
Task 2: Simulate a load on the server's CPU
1. Ensure you are still on 10967A-LON-SVR1.
2. At the Command Prompt, type the following, and then press Enter.
StressTool 95
3. Open Task Manager by right-clicking the taskbar at the bottom of the screen and selecting Task Manager, and then click More details.
4. Go to the Performance tab, and then click CPU.
5. Notice the CPU % Utilization graph and the change in usage.
Task 3: Start the Data Collector Set again
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Switch to Performance Monitor.
3. In Performance Monitor, click User Defined. In the results pane, right-click LON-SVR1 Performance, and then click Start.
4. Wait one minute for data to be captured.
Results: After this exercise, you should have introduced a load on the server and restarted the Data Collector Set.
Exercise 3: Determining Probable Performance Bottlenecks
Task 1: Stop the running program
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. After one minute, switch to the Command Prompt.
3. Press Ctrl+C.
4. Close the Command Prompt.
5. Open Task Manager by right-clicking the taskbar at the bottom of the screen and selecting Task Manager.
6. Go to the Performance tab, and then click CPU.
7. Notice that the CPU % Utilization graph has returned to normal now that the simulated load has been removed.
Task 2: View performance data
1. Switch to Performance Monitor.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View Log Data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.
6. Click Add.
7. In the Select Log File dialog box, click Up One Level.
8. Double-click the LON-SVR2_ folder, and then double-click DataCollector01.blg.
9. Click the Data tab, click OK, and then click OK to close the Performance Monitor Properties dialog box.
10. If you receive an error or the values in your report are zero, repeat steps 4-9.
Recorded values:
• Memory\Pages/sec
• Network Interface\Bytes Total/sec
• PhysicalDisk\% Disk Time
• PhysicalDisk\Avg. Disk Queue Length
• Processor\% Processor Time
• System\Processor Queue Length
Task 3: Analyze results and draw a conclusion
1. Question: Compared with your previous report, which values have changed?
Answer: Memory and disk activity are reduced.
2. Question: What was the most significant change, and why?
Answer: Processor activity has increased significantly, and this is due to the simulated load we placed on it.
3. Question: If you saw a similar trend in your work environment, what would you recommend as a next step?
Answer: CPU load has increased without an increase in networking or disk activity. This would indicate that a service local to the machine is putting load on the CPU. You could continue to monitor the server to try to identify which service or program is placing the load on the server.
4. Question: Can you identify any additional counters which could potentially help you narrow down your search to determine what application is placing the greatest load on the CPU?
Answer: If you have not encountered this issue before, it may be a process of trial and error to identify which additional counters, if any, could be of help. You should start by creating a new Data Collector Set and scrolling through the available counters. Some counters which may help in this instance:
• Process\Thread Count (to identify whether a particular process has a large number of threads running)
• Processor Information\% User (to identify a user placing a load on a server if there are multiple users accessing the server and its services)
• Thread\ID Process (to identify the process placing the load on the server)
5. Question: Are there any additional tools which may help identify what process or software is placing the load on the server?
Answer: You could also open Task Manager, go to the Processes tab, scroll through the processes that are listed, and try to identify which processes are placing the greatest load on the server.
Results: After this exercise, you should have identified a potential bottleneck.
Exercise 4: Create, Test, and Verify an Alert
Task 1: Create and start an alert to trigger an Event ID
1. Ensure you are still signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User Defined.
3. Right-click User Defined, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set wizard, in the Name box, type LON-SVR1 Network Bandwidth Alert.
5. Click Create manually (Advanced), and then click Next.
6. On the What type of data do you want to include? page, click the Performance Counter Alert radio button, and then click Next.
7. On the Which performance counters would you like to monitor? page, click Add.
8. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and then click OK.
9. On the Which performance counters would you like to monitor? page, in the Alert when list, select Above.
10. In the Limit box, type 500, and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In the navigation pane, expand the User Defined node, and then click LON-SVR1 Network Bandwidth Alert.
13. In the results pane, right-click DataCollector01, and then click Properties.
14. In the DataCollector01 Properties dialog box, on the Alert tab, choose the following:
• Alert when: Above
• Limit: 500
• Sample interval: 10
• Units: Seconds
15. Click the Alert Action tab.
16. Select the Log an entry in the application event log check box, in the Start a Data Collector set drop-down box select LON-SVR1 Performance, and then click OK.
17. In the navigation pane, right-click LON-SVR1 Network Bandwidth Alert, and then click Start.
Task 2: Simulate a load on the network bandwidth
1. Open the Start screen, type cmd.exe, and then press Enter.
2. At the Command Prompt, type the following command, and then press Enter. (This creates a file approximately 1 GB in size.)
fsutil file createnew bigfile 1048576000
3. At the Command Prompt, type the following command, and then press Enter. (This copies that file to 10967A-LON-DC1 and puts a load on the Network Interface.)
copy bigfile \\lon-dc1\c$
Task 3: Verify the Event ID is generated and the Data Collector Set starts
1. In Server Manager, click Tools, and then click Event Viewer.
2. Expand Applications and Services Logs, and then select the Microsoft-Windows-Diagnosis-PLA/Operational log.
3. Scroll through the list of events. Look for Event ID 2031 and read the details on the General tab, which should say something like "….Performance counter \Network Adapter> [Emulated])\Bytes Total/sec has tripped its alert threshold. The counter value of < X > is over the limit value of 500.000000. 500.000000 is the alert threshold value."
4. Question: What is the Event ID associated with an event generated when an alert threshold is exceeded?
Answer: Event ID 2031
5. Return to Performance Monitor and navigate to Data Collector Sets, and then User Defined.
Note: As you scroll through the Event IDs you may see some errors related to the LON-SVR1 Performance collector set not being able to start. This is because it was already started successfully.
6. Ensure the LON-SVR1 Performance collector set has started successfully.
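The same alert built from the command line, with the Task 3 verification done by querying the event log rather than scrolling it; this is an added example and not part of the course lab. The alert name, the 500 bytes/sec limit, the ten-second interval and the collector set it starts are the lab's; the NIC instance is resolved from the live counter list instead of being hard-coded, and the thirty-minute look-back in the event query is an assumption.

```powershell
# Added example, not from the course lab. Run elevated on the monitored server;
# assumes the 'LON-SVR1 Performance' set from Exercise 1 already exists.
$AlertName = 'LON-SVR1 Network Bandwidth Alert'
$StartSet  = 'LON-SVR1 Performance'
$Limit     = 500     # Bytes Total/sec, the lab's demonstration threshold
$Interval  = 10      # seconds, as set on the Alert tab in step 14

# An alert needs a concrete counter instance. Take the first NIC path that is not
# a tunnel or loopback adapter rather than hard-coding the emulated adapter name.
$NicPath = (Get-Counter -ListSet 'Network Interface').PathsWithInstances |
    Where-Object { $_ -like '*\Bytes Total/sec' -and $_ -notmatch 'isatap|Loopback|Teredo' } |
    Select-Object -First 1
if (-not $NicPath) { throw 'No Network Interface instance found' }

# logman create alert: -th "<counter><op><value>" is the condition from steps 9-10,
# -el writes the alert to the Diagnosis-PLA event log (step 16), and -rdcs names
# the Data Collector Set to start when the alert fires (step 16).
logman delete $AlertName 2>$null | Out-Null
logman create alert $AlertName -th "$NicPath>$Limit" -si $Interval -el -rdcs $StartSet | Out-Null
logman start $AlertName | Out-Null

# Task 3 check: a tripped alert is recorded as Event ID 2031 in this channel.
function Get-PlaAlertEvent {
    param([datetime]$Since = (Get-Date).AddMinutes(-30))   # assumed look-back window
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Diagnosis-PLA/Operational'
        Id        = 2031
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# After generating the Task 2 load, confirm both halves of the chain: the event
# was written, and the collector set the alert should start is now Running.
Get-PlaAlertEvent | Format-List
logman query $StartSet        # the Status line should read Running once the alert has fired
```

A limit of 500 bytes per second trips on almost any traffic, which is exactly why the lab uses it; for a real alert, set the threshold from the Exercise 1 baseline so that the collector set is only started, and the event only logged, when traffic is genuinely outside what the server normally does.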
Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the previous steps for 10967A-LON-DC1.
Results: After completing this exercise, you will have created an alert and tested that it generates an Event ID and triggers a Data Collector Set to start.
Module 13: Maintaining Windows Server
Lab: Maintaining Windows Server
Exercise 1: Installing and Configuring Windows Server Update Services
Task 1: Install the Windows Server Update Services role and required features
1. Ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Manage, and then select Add Roles and Features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, accept the defaults, and then click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the Windows Server Update Services check box.
7. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
8. On the Select features page, select .NET Framework 3.5, and then click Next.
Note: .NET Framework 3.5 is required for the reporting function in WSUS in Windows Server 2012.
9. On the Windows Server Update Services page, click Next.
10. On the Select role services page, ensure WID Database and WSUS Service are selected, and then click Next.
11. On the Content location selection page, ensure the "Store updates in the following location ….." check box is selected, type C:\WSUS in the box, and then click Next.
12. On the Confirm installation selections page, click Install, and then click Close.
Task 2: Complete WSUS post-configuration tasks
1. On 10967A-LON-DC1, in Server Manager, click the Notifications icon (the white flag at the top of the screen).
2. In the resulting dialog box, navigate to the Post-Deployment Configuration section, and then click Launch Post-Installation tasks.
3. In Server Manager, click the Notifications icon again, and then select Task Details.
4. In the Task Details dialog box, note the Task Name and Stage columns, and wait until the Post-deployment Configuration task is listed as Complete. When it is complete, close the Task Details dialog box.
5. In Server Manager, click Tools, and then select Windows Server Update Services.
6. Confirm that the Update Services management console opens successfully.
Task 3: Complete the Windows Server Update Services Configuration Wizard
1. Still on 10967A-LON-DC1, if you have not already done so, in Server Manager, click Tools, and then select Windows Server Update Services to open the Update Services management console.
2. The Windows Server Update Services Configuration Wizard appears. On the Before You Begin page, click Next.
3. On the Join the Microsoft Update Improvement Program page, click Next.
4. On the Choose Upstream Server page, ensure Synchronize from Microsoft Update is selected, and then click Next.
5. On the Specify Proxy Server page, click Next.
6. On the Connect to Upstream Server page, click Start Connecting. When it is finished, click Next.
Note: This may take up to five minutes to complete, depending on your connection speed.
7. On the Choose Languages page, select Download updates only in these languages:, choose English, and then click Next.
8. On the Choose Products page, check the All Products check box and then uncheck it again to clear the default product selections. Scroll down to Windows and select Windows 8, ensure all other options are unchecked, and then click Next.
9. On the Choose Classifications page, uncheck Definition Updates and Security Updates, select Critical Updates only, and then click Next.
Note: We are selecting only this option to reduce the amount of time it takes to synchronize. However, at least both security and critical updates would be needed to keep your environment secure.
10. On the Set Sync Schedule page, select Synchronize manually, and then click Next.
11. On the Finished page, select Begin initial synchronization, and then click Next.
12. On the What's Next page, click Finish.
13. Return to the Update Services management console.
Task 4: Prepare synchronized reporting
1. On 10967A-LON-DC1, in the Update Services console, in the navigation pane on the left side, expand LON-DC1, click Synchronizations, and then click Synchronization Report in the Actions pane.
2. Verify that you receive a Feature Unavailable error stating that "The Microsoft Report Viewer 2008 Redistributable is required for this feature…", and then click OK.
3. Close the Update Services management console.
4. Open File Explorer, navigate to E:\Mod13\Labfiles, right-click ReportViewer.exe, and then select Run as administrator.
5. On the Welcome page, click Next.
6. On the License Terms page, check the I have read and accept the license terms check box, and then click Install.
7. On the Setup Complete page, click Finish.
8. In Server Manager, go to Tools, and then select Windows Server Update Services.
9. In the navigation pane on the left side, click Synchronizations, and then select Synchronization Report in the Actions pane.
10. Verify that the Synchronization Report opens successfully.
11. Close the Synchronization Report for LON-DC1 window, and then close the Update Services window.
Task 5: Configure Group Policy to enable WSUS across the domain
1. Still on 10967A-LON-DC1, in Server Manager, select Tools, and then click Group Policy Management.
2. In the console pane, expand Forest: Adatum.com, expand Domains, and then click Adatum.com.
3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, type WSUS in the Name field, and then click OK.
5. Expand Adatum.com, right-click WSUS, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
7. In the details pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates dialog box, click Enabled, and then click Next Setting.
9. In the Specify intranet Microsoft update service location dialog box, click Enabled.
10. In the Set the intranet update service for detecting updates field, type http://LON-DC1:8530.
11. In the Set the intranet statistics server field, type http://LON-DC1:8530.
12. Question: Why is the number 8530 specified in the URL?
Answer: The default HTTP connection port is 80. However, WSUS uses port 8530 for HTTP and port 8531 for HTTPS. That is different from the default and so needs to be specified here so that the client can connect successfully.
13. Click Next Setting.
14. In the Automatic Updates detection frequency dialog box, click Enabled, set the interval (hours) to 1, and then click OK.
15. Ensure the three Group Policy settings are enabled, close Group Policy Management Editor, and then close the Group Policy Management Console.
16. Sign in to the 10967A-LON-CL1 virtual machine as ADATUM\Administrator with the password Pa$$w0rd.
17. If you have not already done so, start and then sign in to 10967A-LON-CL1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
18. On 10967A-LON-CL1, open a Command Prompt with administrative privileges, type the following command, and then press Enter. This forces the client to update the Group Policies on the computer.
gpupdate /force
19. To force the client to detect any changes that have been made to the update service, type the following, and then press Enter.
wuauclt /resetauthorization /detectnow
Task 6: Perform verification checks on the WSUS client
1. On 10967A-LON-CL1, hover the mouse over the lower-left corner until the Start menu appears, then right-click and select Computer Management.
2. In the Computer Management console, expand Services and Applications, and then select Services.
3. In Services, locate Background Intelligent Transfer Service, open its Properties, specify a Startup type of Automatic, and then click OK.
4. In Services, locate Windows Update, open its Properties, specify a Startup type of Automatic, click Apply, and then click OK.
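A client-side check that covers both Task 5 and Task 6 at once, added here as an example and not part of the course lab: it reads the registry values that the three Group Policy settings write, compares them with what the lab configured, and confirms the two services are set to start automatically. The expected URL is the lab's; the registry paths and value names are the ones the Windows Update policy settings use. Run it elevated on 10967A-LON-CL1 after gpupdate /force.

```powershell
# Added example, not from the course lab. Assumes it runs elevated on the WSUS
# client after Group Policy has refreshed; $Expected is the lab's server URL.
$Expected  = 'http://LON-DC1:8530'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# "Specify intranet Microsoft update service location" writes WUServer, WUStatusServer
# and AU\UseWUServer; "Configure Automatic Updates" writes AU\NoAutoUpdate and
# AU\AUOptions; "Automatic Updates detection frequency" writes the two Detection* values.
function Get-WsusClientPolicy {
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                  = $wu.WUServer
        WUStatusServer            = $wu.WUStatusServer
        UseWUServer               = $au.UseWUServer
        NoAutoUpdate              = $au.NoAutoUpdate
        AUOptions                 = $au.AUOptions
        DetectionFrequencyEnabled = $au.DetectionFrequencyEnabled
        DetectionFrequency        = $au.DetectionFrequency
    }
}

# Returns a list of findings; an empty list means the client matches the lab policy.
function Test-WsusClientConfig {
    param([string]$ExpectedServer)
    $p = Get-WsusClientPolicy
    $findings = @()
    if ($p.WUServer -ne $ExpectedServer)       { $findings += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'" }
    if ($p.WUStatusServer -ne $ExpectedServer) { $findings += "WUStatusServer is '$($p.WUStatusServer)', expected '$ExpectedServer'" }
    if ($p.UseWUServer -ne 1)                  { $findings += 'UseWUServer is not 1: the client will ignore WUServer and use Microsoft Update' }
    if ($p.NoAutoUpdate -eq 1)                 { $findings += 'Automatic Updates is disabled by policy' }
    if ($p.DetectionFrequencyEnabled -ne 1 -or $p.DetectionFrequency -ne 1) {
        $findings += "Detection frequency is $($p.DetectionFrequency) h (enabled=$($p.DetectionFrequencyEnabled)); the lab sets 1 h"
    }
    # Task 5 notes that WSUS listens on 8531 for HTTPS; flag a plain-HTTP URL so it is a
    # conscious choice rather than an oversight once the server has a certificate.
    if ($p.WUServer -and $p.WUServer -notmatch '^https://') {
        $findings += 'WUServer uses plain http (port 8530); https on 8531 is the hardened setting'
    }
    # Task 6: both services must be set to start automatically.
    foreach ($svc in 'BITS', 'wuauserv') {
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        if (-not $s)                       { $findings += "$svc service not found" }
        elseif ($s.StartMode -ne 'Auto')   { $findings += "$svc start mode is $($s.StartMode), expected Auto" }
    }
    return $findings
}

$issues = Test-WsusClientConfig -ExpectedServer $Expected
if ($issues.Count -eq 0) { 'WSUS client configuration matches the lab policy' } else { $issues }
```

If the registry values are missing altogether, the GPO has not applied yet; re-run gpupdate /force and check the WindowsUpdate.log references to http://lon-dc1:8530 that Task 9 looks for before assuming a WSUS-side problem.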
Task 7: Create computer groups, and add client computers
1. On the 10967A-LON-DC1 virtual machine, in Server Manager, select Tools, and then select Windows Server Update Services.
2. In the Update Services console, expand Computers, and then click All Computers.
3. Select Status: Any, and then click Refresh. Verify there are two computers listed: lon-dc1.adatum.com and lon-cl1.adatum.com.
4. In the Actions pane, click Add Computer Group.
5. In the Add Computer Group dialog box, type WSUS LON Win8, and then click Add.
6. In the Actions pane, click Add Computer Group.
7. In the Add Computer Group dialog box, type WSUS LON WS2012, and then click Add.
8. In the console pane, expand All Computers, and then click Unassigned Computers.
9. In the details pane, in the Status list, click Any, and then click Refresh.
10. Right-click lon-cl1.adatum.com, and then click Change Membership.
11. In the Set Computer Group Membership dialog box, select the WSUS LON Win8 check box, and then click OK.
12. Click the Unassigned Computers group again.
13. In the details pane, in the Status list, click Any, and then click Refresh.
14. Right-click lon-dc1.adatum.com, and then click Change Membership.
15. In the Set Computer Group Membership dialog box, select the WSUS LON WS2012 check box, and then click OK.
Task 8: Approve a Critical Update for Windows® 8 operating system clients
1. In the console pane, expand Updates, and then click Critical Updates.
2. In the details pane, in the Approval list, select Any Except Declined.
3. In the Status list, click Any, and then click Refresh.
4. Click the Title column to sort the updates by title.
5. Notice that there are several updates available.
6. Locate "Update for Windows 8 for x64-based Systems (KB2768703)", right-click it, and then click Approve…
7. In the Approve Updates dialog box, expand All Computers, click the arrow on the WSUS LON Win8 computer group, select Approved for Install, and then click OK.
8. In the Approval Progress dialog box, click Close when it is complete.
9. Right-click the same update, "Update for Windows 8 for x64-based Systems (KB2768703)", and again select Approve…
10. In the Approve Updates dialog box, expand All Computers, click the arrow on the WSUS LON Win8 computer group, select Deadline, and then select Custom…
11. In the Choose Deadline dialog box, select yesterday's date, and then click OK. For example, if it is 2 June when running this lab exercise, select 1 June.
Note: This has the effect of ensuring the update is applied to a client as soon as the client queries the update server for available updates.
12. Click OK to approve the updates.
13. Click Close on the Approval Progress dialog box when it is complete.
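Tasks 7 and 8 done with the UpdateServices PowerShell module that ships with the WSUS role, added here as an example and not part of the course lab, so that the group layout and the approval are a reviewable script rather than a sequence of clicks. The group names, client names and KB number are the lab's; no cmdlet creates a target group or sets a deadline, so those two steps go through the IUpdateServer and IUpdate API objects behind Get-WsusServer and Get-WsusUpdate.

```powershell
# Added example, not from the course lab. Run on 10967A-LON-DC1 as a WSUS
# administrator. Group names and the KB number are the lab's.
Import-Module UpdateServices
$Wsus = Get-WsusServer               # the local WSUS server on its default port

# Task 7 steps 4-7: make sure both target groups exist (created via the API).
$Groups = $Wsus.GetComputerTargetGroups()
foreach ($Name in 'WSUS LON Win8', 'WSUS LON WS2012') {
    if (-not ($Groups | Where-Object { $_.Name -eq $Name })) {
        $Wsus.CreateComputerTargetGroup($Name) | Out-Null
    }
}

# Task 7 steps 10-15: assign the two clients by name.
Get-WsusComputer -NameIncludes 'lon-cl1' | Add-WsusComputer -TargetGroupName 'WSUS LON Win8'
Get-WsusComputer -NameIncludes 'lon-dc1' | Add-WsusComputer -TargetGroupName 'WSUS LON WS2012'

# Task 8 steps 1-7: find the critical update by KB number and approve it for install.
$Update = Get-WsusUpdate -Classification Critical -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.KnowledgebaseArticles -contains '2768703' } |
    Select-Object -First 1
if (-not $Update) { throw 'KB2768703 is not in the catalogue yet; synchronise first' }
$Update | Approve-WsusUpdate -Action Install -TargetGroupName 'WSUS LON Win8'

# Task 8 steps 9-12: a deadline in the past makes the client install on its next
# detection cycle. IUpdate.Approve(action, group, deadline) is the API call behind
# the Deadline > Custom... dialog.
$Win8Group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'WSUS LON Win8' }
$Action    = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$Update.Update.Approve($Action, $Win8Group, (Get-Date).AddDays(-1)) | Out-Null

# What the console shows after step 13: the approval on record for the group.
$Update.Update.GetUpdateApprovals($Win8Group) |
    Select-Object Action, Deadline, CreationDate
```

Approving by KB number rather than by position in a sorted list is the point of scripting this: the approval is tied to a specific, reviewable identifier, and the same script can be re-run against a test group before the deadline is applied to production groups.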
Task 9: Query the WSUS server for available updates from the Windows 8 client
1. Ensure you are signed in to 10967A-LON-CL1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. Open a Command Prompt window with administrative privileges.
3. At the Command Prompt, run the following.
gpupdate /force
4. Wait for the policy to finish updating.
5. At the Command Prompt, run the following.
wuauclt /resetauthorization /detectnow
6. Open File Explorer, and then open the file C:\Windows\WindowsUpdate.log in Notepad.
7. In Notepad, click Format, and then select Word Wrap.
8. Scroll down to the end of the log file and locate references to http://lon-dc1:8530; ensure there are no errors listed.
9. Return to 10967A-LON-DC1, go to Server Manager, click Tools, and then select Event Viewer.
10. Expand Windows Logs, and then click Application.
11. In the Application log details pane, locate events with a source of Windows Update Services, and verify there is an event specifying that a client connected successfully.
12. Back on 10967A-LON-CL1, you may receive a Restart prompt. If so, restart 10967A-LON-CL1 and sign in again as ADATUM\Administrator with the password Pa$$w0rd.
13. Open Control Panel, select Programs, and then, underneath Programs and Features, select View installed updates.
14. Verify that Update for Microsoft Windows (KB2768703) is listed.
Note: It may take several minutes for the client to connect and the update to be installed. You should proceed to the next exercises and complete those while waiting for the client to be updated. Once you have completed those exercises, you can then return here to verify that the update has been applied successfully.
Task 10: View WSUS reports
1. Switch back to 10967A-LON-DC1, and in the Windows Server Update Services console, click Reports.
2. Review the various reports available in WSUS.
3. In the details pane, click Computer Detailed Status.
4. In the Computers Report for LON-DC1 window, click Run Report.
5. On the completed report, note how many updates are listed under lon-cl1.adatum.com.
6. Close the Computers Report for LON-DC1 window.
7. Close Update Services.
Results: At the end of this exercise, you will have configured Windows Server Update Services (WSUS) to manage updates.
Exercise 2: Troubleshooting the Startup Process
Task 1: Read the supporting documentation
1. Read the Incident Record to determine possible troubleshooting methods.
2. Question: Where is the best place to troubleshoot this problem from?
Answer: If file shares, Remote Desktop, and ping are unavailable, the troubleshooting process for this problem has to be done locally, at the physical location of the computer, or alternatively over the telephone with someone at the physical computer who can help you with the troubleshooting process.
3. Question: What considerations should be made about 10967A-LON-SVR5 and the people and services that require the services provided by 10967A-LON-SVR5?
Answer: If 10967A-LON-SVR5 performs critical services, a replacement or spare should be checked for availability, should the troubleshooting process carry on beyond the first one or two most probable causes.
Task 2: Investigate startup issues on a Windows Server
1. Start the 10967A-LON-SVR5 virtual machine.
2. You will be prompted to "Press any key to boot from CD or DVD…" as the virtual machine starts, but do not press anything; allow the virtual machine to start without any intervention.
Note: The virtual machine has been configured with the Windows Server 2012 evaluation ISO installation files already attached, to assist with steps required later in the lab. As such, the 10967A-LON-SVR5 virtual machine will give the prompt "Press any key to boot from CD or DVD…" each time it starts up. Do not press any key to boot into the installation files unless explicitly told to do so in the lab steps.
3. View the error message on the screen.
4. Answer the Assessment Questions in the Incident Record.
5. Question: What is the error message displayed on 10967A-LON-SVR5?
Answer: "The Boot Configuration Data file doesn't contain valid information for an operating system".
6. Question: What could the possible causes of this error message be?
Answer: The problem is a corrupted or damaged Boot Configuration Data (BCD) store. There is no reference in the BCD to enable the Windows Boot Manager to access the Windows Boot Loader.
7. Question: What tool should you use to try to resolve the problem that is causing the error message?
Answer: BCDEdit will let you view the status of the BCD store. In this case, there is no entry for an operating system in the BCD store for 10967A-LON-SVR5. To correct this, run bootrec.exe with the /scanos switch to find the operating system on the computer, and then run bootrec.exe with the /rebuildbcd switch to create a new BCD store with a pointer to the boot loader for the found operating system.
8. Question: How can you access these tools?
Answer: By starting the computer using the Windows Server installation disc and selecting the Repair your computer and Command Prompt options.
9. In Hyper-V Manager, right-click 10967A-LON-SVR5, and then select Turn Off.
10. In the Turn Off Machine dialog box, click Turn Off.
Task 3: Resolve the issue on the Windows Server and complete the Incident Record
1. Start the 10967A-LON-SVR5 virtual machine.
2. As stated in the previous task, you will be prompted to "Press any key to boot from CD or DVD…" as the virtual machine starts.
3. Press Enter, and allow the virtual machine to boot into the installation files.
4. In the Install Windows dialog box, click Next.
5. In the Install Windows dialog box, click the Repair your computer link.
6. In the System Recovery Options dialog box, click Troubleshoot.
7. On the Advanced Options page, click Command Prompt.
8. At the Command Prompt, type the following, and then press Enter.
bcdedit
9. Observe the lack of an operating system entry in the BCD store.
10. At the Command Prompt, type the following, press Enter, and from the resulting output determine which are the most appropriate switches to use.
bootrec /?
11. At the Command Prompt, type the following, and then press Enter:
bootrec /scanos
12. At the Command Prompt, type the following, and then press Enter:
bootrec /rebuildbcd
13. At the Add installation to boot list prompt, press Y, and then press Enter.
14. Close the Command Prompt window by typing exit and pressing Enter.
15. On the System Recovery Options screen, click Continue.
16. Make sure that 10967A-LON-SVR5 starts and brings you to the sign-in screen.
17. Ensure you can sign in successfully with the local administrator credentials: user name .\Administrator and password Pa$$w0rd.
18. Answer the Resolution Questions on the Incident Report.
19. Question: How did you resolve the problem?
Answer: By using BCDEdit to identify the lack of an operating system entry in the BCD store, and then using bootrec to rebuild the BCD store.
20. Question: What should the next steps in the troubleshooting process be?
Answer: Have a user or users connect to 10967A-LON-SVR5 to make sure that their applications are functioning correctly. Notify the remainder of the users of 10967A-LON-SVR5 that the server is operating correctly and that they can resume their use of 10967A-LON-SVR5. Additionally, the details of the problem, together with the steps used to repair it, should be documented and archived for future reference and logging purposes.
21. Revert the 10967A-LON-SVR5 virtual machine, and then shut down the virtual machine to free up host resources, as it is not required for any subsequent exercises.
Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.
Exercise 3: Gathering Information to Start the Troubleshooting Process
Task 1: Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part A
1. Ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the password Pa$$w0rd.
2. In Server Manager, point to Tools, and then click Performance Monitor.
3. In the Performance Monitor console, expand Monitoring Tools, and then click Performance Monitor.
4. In the details pane, click the View Log Data button (Ctrl+L).
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
6. In the Select Log File dialog box, browse to E:\Mod13\Labfiles\Captures.
7. Click ADATUM-LON-SVR2-System-Perf-Data-PartA.blg, and then click Open.
8. In the Performance Monitor Properties dialog box, click OK.
9. In the Performance Monitor details pane, click Add (Ctrl+I).
10. In the Add Counters dialog box, under Available counters, add the following counters by highlighting them and clicking Add >>:
• Processor
o % Processor Time
o Instances of selected object = 0
• System
o Processor Queue Length
o Instances of selected object = Not Applicable
11. Click OK.
12. In Performance Monitor, at the bottom of the window, click % Processor Time to view the graph of the CPU usage on LON-SVR2, and notice:
• The minimum value is 0.623 percent.
• The maximum value is 100 percent.
• The average value is 80.126 percent.
13. In the Performance Monitor details pane, click Add (Ctrl+I).
14. In the Add Counters dialog box, under Available counters, add the following counters by highlighting them and clicking Add >>:
• Process
o % Processor Time
o Instances of selected object=
15. Click OK.
16. Review the % Processor Time used by each process. It is useful to use the Highlight button (Ctrl+H) to view each instance. Identify the process that is consuming the CPU.
17. Complete the resolution questions in Part A of the Incident Record.
18. Question: What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
Answer: The StressTool process is consuming most of the CPU time.
19. Question: Keeping in mind your answer from the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?
Answer: A likely first step is to determine what the StressTool process is responsible for doing and whether any users are experiencing issues with those processes. If no specific cause can be found, you might restart the StressTool process before ensuring that all users using the services associated with StressTool are prepared for the services to be unavailable. Additional monitoring of the StressTool process might be necessary to determine whether the application needs updating or repair. (Note: The "StressTool" process is a testing tool which you encountered earlier in the course. In this lab we used it to place a load on the CPU for us to then analyze.)
20. Close Performance Monitor.
Task 2: Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part B
1. Ensure you are still signed in to 10967A-LON-DC1, with user name ADATUM\Administrator and password pa$$w0rd.
2. In Server Manager, point to Tools, and then click Performance Monitor.
3. In the Performance Monitor console, expand Monitoring Tools, and then click Performance Monitor.
4. In the details pane, click View Log Data (Ctrl+L).
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
6. In the Select Log File dialog box, browse to E:\Mod13\Labfiles\Captures.
7. Click ADATUM-LON-SVR2-System-Perf-Data-PartB.blg, and then click Open.
8. In the Performance Monitor Properties dialog box, click OK.
9. In the Performance Monitor details pane, click Add (Ctrl+I).
10. In the Add Counters dialog box, under Available counters, add the following counters by highlighting them and clicking Add>>:
  • Physical Disk
    o Avg. Disk Queue Length
    o Instances of selected object= 0 C:
  • Physical Disk
    o Current Disk Queue Length
    o Instances of selected object= 0 C:
  • Physical Disk
    o Disk Transfers/sec
    o Instances of selected object= 0 C:
  • Process
    o IO Data Bytes/sec
    o Instances of selected object=
11. Click OK.
12. Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button (Ctrl+H) to view each instance. Identify the process that is using the disk transfer capacity.
13. Complete the resolution questions in Part B of the Incident Record.
14. What do the Performance Logs for LON-SVR2 indicate could possibly be the source of the problem?
Answer: There are a few processes that are intermittently performing a lot of IO, such as the sqlservr and Wsusservice processes; however, they display peaks and troughs. For example, they have IO and then none, which would be expected. However, the peak values for Avg. Disk Queue Length and Disk Transfers/sec occur when the EatDiskspace process is performing IO, and this process is continuously consuming IO resources on the computer. The EatDiskspace process is consuming a lot of disk resources and would warrant a closer look.
15. Keeping in mind your answer from the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?
Answer: If EatDiskspace is consuming disk resources, you could view the Disk tab of Resource Monitor, check the box beside the process, and click the Disk Activity or Storage sections to try to determine what aspects of the process are involved, such as file copies. If the process is manipulating files, you could determine whether that is necessary, or whether the task could be scheduled during non-business hours. (Note: The “EatDiskspace” process is a testing tool which we used to perform a large volume of disk IO operations for us to analyze.)
16. Close Performance Monitor.
Results: After this exercise, you should have collected information to start the troubleshooting process.
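Both tasks above find the offending process by highlighting one instance at a time in Performance Monitor. As an added example that is not part of the course materials, the following PowerShell script reads the same .blg capture with Import-Counter and ranks processes by average and peak counter value, plus the share of samples in which the process was busy, which separates a continuous consumer such as EatDiskspace from intermittent ones that show peaks and troughs. It assumes the Part B capture path from Task 2; the counter name and the Top value are parameters of this example, not of the lab.

```powershell
# Added example, not part of the courseware: rank the processes in a saved
# Performance Monitor capture (.blg) by a per-process counter, so the culprit
# from Task 1 (% Processor Time) or Task 2 (IO Data Bytes/sec) is found without
# highlighting each instance by hand.
param(
    # Part B capture from Task 2; point this at the Part A capture for Task 1.
    [string]$LogPath = 'E:\Mod13\Labfiles\Captures\ADATUM-LON-SVR2-System-Perf-Data-PartB.blg',
    # '\Process(*)\% Processor Time' for Task 1, '\Process(*)\IO Data Bytes/sec' for Task 2.
    [string]$Counter = '\Process(*)\IO Data Bytes/sec',
    [int]$Top = 5
)

# Import-Counter reads the same .blg that Performance Monitor opens with View Log Data;
# -Counter limits the import to the one counter path of interest.
$sampleSets = Import-Counter -Path $LogPath -Counter $Counter

# Flatten every sample set into individual (instance, value) samples. The _Total
# instance is the sum over all processes and Idle is the unused CPU, so both are
# dropped; neither names a process to investigate.
$byProcess = $sampleSets |
    ForEach-Object { $_.CounterSamples } |
    Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
    Group-Object -Property InstanceName

$ranked = foreach ($group in $byProcess) {
    $stats = $group.Group | Measure-Object -Property CookedValue -Average -Maximum
    # Share of samples with a non-zero value: near 100 means continuous
    # consumption (the EatDiskspace pattern in Part B); a low share with a high
    # peak means intermittent bursts, the peaks-and-troughs pattern of sqlservr.
    $busy = @($group.Group | Where-Object { $_.CookedValue -gt 0 }).Count
    [pscustomobject]@{
        Process = $group.Name
        Average = [math]::Round($stats.Average, 3)
        Peak    = [math]::Round($stats.Maximum, 3)
        BusyPct = [math]::Round(100 * $busy / $group.Count, 1)
        Samples = $group.Count
    }
}

$ranked | Sort-Object -Property Average -Descending |
    Select-Object -First $Top |
    Format-Table -AutoSize
```

Run it once per capture and counter; the top row by Average answers the "which process" question, and BusyPct tells you whether the load is continuous or bursty before you open Resource Monitor.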