MCT USE ONLY. STUDENT USE PROHIBITED

X19-05175
MICROSOFT LICENSE TERMS


MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active silver or gold-level Microsoft Partner Network program member in good
standing.

l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and Pre-release
course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,


vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.


c. If you are an MPN Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer:
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.


ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. The subject matter of this Licensed Content is based on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.


4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.


b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are also provided in French. The French-language clauses, translated into English, read:

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this
licensed content is at your sole risk and peril. Microsoft gives no other express warranty. You may benefit
from additional rights under local consumer protection law, which this contract cannot modify. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft
and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation
for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o everything related to the licensed content, to services or to content (including code) appearing on
third-party Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of
your country. This contract does not modify the rights conferred on you by the laws of your country if
those laws do not permit it.
Revised September 2012


About This Course

This section provides a brief description of the audience, suggested prerequisites, and course objectives
for course 10967A: Fundamentals of a Windows Server Infrastructure.

Course Description

This five-day course covers the basic skills and knowledge that are required in order to build a Windows
Server infrastructure. It covers storage considerations and implementation, networking architecture and
topologies, security considerations and best practices, as well as basic Windows Server administration skills
and specific technologies such as Windows Server 2012 installation, configuration, maintenance and
performance. Within that it will also cover specific areas such as Active Directory Domain Services (AD DS),
Domain Name System (DNS), Group Policy and many others. This course is a first step in preparing for a
job in IT, or prerequisite training before beginning the Microsoft Certified Solutions Associate (MCSA)
training and certification path.

Audience

Candidates for this course are people who are starting their careers or looking to change careers into
Windows Server technologies and need the fundamental knowledge to help them achieve that. It would
be of interest to home computer users, small business owners, academic students, information workers,
developers, technical managers, help desk technicians, or IT professionals who are looking to cross-train
from an alternative technology.

Student Prerequisites
In addition to their professional experience, before attending this course, students must have:
• Knowledge of general computing concepts.
• Knowledge equivalent to the MTA exam 98-349: Windows Operating System Fundamentals.

Course Objectives
After completing this course, students will be able to:
• Perform a local media-based installation of Windows Server 2012.
• Select appropriate storage technologies and configure storage on Windows Server.
• Describe fundamental network components and terminology, thus enabling you to select an
appropriate network component in a particular scenario.
• Implement a network by selecting network hardware components and technologies, and
determine the appropriate network hardware and wiring components for a given situation.
• Describe the protocols and services within the Transmission Control Protocol/Internet Protocol
(TCP/IP) suite of protocols and implement IPv4 within a Windows Server environment.
• Implement and manage Windows Server roles.
• Implement and configure an Active Directory Domain Services (AD DS) forest.
• Describe the concept of defense-in-depth and determine how to implement this approach with
Windows Server.
• Identify the security features in Windows Server that help to provide defense-in-depth.
• Identify the network-related security features in Windows Server that mitigate security threats to
your network.
• Identify and implement additional software components to enhance your organization's security.
• Monitor a server to determine its performance level.
• Identify the Windows Server tools available to maintain and troubleshoot Windows Server.

Course Outline
The course outline is as follows:

Module 1, Installing and Configuring Windows Server 2012

This module explains how the Windows Server 2012 editions, installation options, optimal service and
device configuration and general post-installation configuration all contribute to the functionality and
effectiveness of your Windows Server implementation. After completing this module, you will be able to:
• Describe Windows Server components and architecture.
• Install Windows Server 2012.
• Configure services.
• Configure devices and device drivers.

Module 2, Implementing Storage in Windows Server

This module will introduce you to different storage technologies, discuss how to implement storage
solutions in Windows Server, and finish with a discussion of a resilient storage strategy that tolerates
failures in various ways, helping to avoid unplanned downtime and loss of data. After completing this
module, you will be able to:
• Identify a suitable storage technology.
• Manage storage within Windows Server.
• Implement disk fault tolerance.
Module 3, Understanding Network Infrastructure

In this module, students will learn how to describe fundamental network components and terminology,
thus enabling the student to select an appropriate network component in a particular scenario. After
completing this module, you will be able to:
• Describe physical network topologies and standards.
• Define local area networks (LANs).
• Define wide area networks (WANs).
• Describe wireless networking technologies.
• Explain how to connect a network to the Internet.
• Describe how technologies are used for remote access.
Module 4, Connecting Network Components

This module explores the functionality of low-level networking components, including switches and
routers. In addition, the module provides guidance on how best to connect these and other components
together to provide additional network functionality. After completing this module, you will be able to:
• Describe the industry standard protocol model.
• Describe routing technologies and protocols.
• Describe adapters, hubs, and switches.
• Describe wiring methodologies and standards.

Module 5, Implementing TCP/IP

This module describes the requirements of a protocol stack and then focuses on the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol stack. After completing this module, you will be able to:
Describe the functionality of the TCP/IP suite.
Describe IP version 4 (IPv4) addressing.
Configure an IPv4 network.
Describe IP version 6 (IPv6) addressing and transition.
Describe the various name resolution methods that are used by TCP/IP hosts.

Module 6, Windows Server Roles

This module explains the functional requirements of a server computer and how to select and deploy
appropriate server roles to support these functional requirements. After completing this module, you will
be able to:
Describe role-based deployment.
Deploy role-specific servers.
Describe deployment options for server roles.
Implement best practices for server roles.
Module 7, Implementing Active Directory Domain Services (AD DS)

This module explains how AD DS, as a directory service, stores information about objects on a
network and makes this information available to users and network administrators. After completing this
module, you will be able to:
Describe the fundamental features of AD DS.
Implement AD DS.
Implement organizational units (OUs) for managing groups and objects.
Configure client computers centrally with Group Policy objects (GPOs).
Module 8, Implementing IT Security Layers

This module explains how, in addition to file and share permissions, you can also use data encryption to
restrict data access. After completing this module, you will be able to:
Identify security threats at all levels and reduce those threats.
Describe physical security risks and identify mitigations.
Identify Internet-based security threats and protect against them.
Module 9, Implementing Windows Server Security
This module reviews the tools and concepts available for implementing security within a Microsoft
Windows infrastructure. After completing this module, you will be able to:
Describe the Windows Server features that help improve the network's security.
Explain how to secure files and folders in a Windows Server environment.
Explain how to use Windows Server encryption features to help secure access to resources.
Module 10, Implementing Network Security

This module explains possible threats when you connect your computers to a network, how to identify
them, and how to implement appropriate Windows network security features to help eliminate them.
After completing this module, you will be able to:
Identify network-based security threats and mitigation strategies.
Implement Windows Firewall to secure Windows hosts.
Module 11, Implementing Security Software

This module explains how an information technology (IT) administrator can account for and mitigate the
risks of malicious code, unauthorized use, and data theft. After completing this module, you will be able
to:
Implement Windows Server technologies and features that improve client security.
Describe security threats posed by email and how to reduce these threats.
Explain how to improve server security by using Windows Server security analysis and hardening
tools.
Module 12, Monitoring Server Performance

This module discusses the importance of monitoring the performance of servers, and how you monitor
servers to ensure that they run efficiently and use available server capacity. It also explains performance
monitoring tools to identify components that require additional tuning and troubleshooting, so that you
can improve the efficiency of your servers. After completing this module, you will be able to:
Use the Event Viewer to identify and interpret Windows Logs, and Application and Services
Logs.
Measure system resource usage, identify component bottlenecks, and use monitoring tools such
as Performance Monitor.
Module 13, Maintaining Windows Server

This module explains the importance of system updates, how to troubleshoot the Windows Server boot
process, and how to implement high availability and recovery technologies to improve system availability.
After completing this module, you will be able to:
Troubleshoot the Windows Server startup process.
Implement high availability and recovery technologies to improve system availability.
Explain the importance of system updates.
Implement an appropriate troubleshooting methodology to resolve problems with Windows
Server.

Exam/Course Mapping

This course, 10967A: Fundamentals of a Windows Server Infrastructure, does not have a direct mapping to
any Microsoft exam, and taking this course does not guarantee that you will pass any such exam.

This course does, however, cover some of the required content from the following Microsoft Technology
Associate (MTA) exams, and may be useful study material in preparation for those exams. Further details
are available on http://www.microsoft.com/learning.

98-365: Windows Server Administration Fundamentals

98-366: Networking Fundamentals

98-367: Security Fundamentals

Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.

Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc site:
Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to
supplement the Course Handbook.

Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.

Resources: Include well-categorized additional resources that give you immediate access to the
most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Student Course files on the http://www.microsoft.com/learning/companionmoc site: Includes
the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.

Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail
to mcphelp@microsoft.com.

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration

In this course, you will use Hyper-V in a Windows Server 2012 host to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save
any changes. Labs in each module are independent of each other and require the virtual
machines to be in a clean state at the start of each module in order to function correctly. To
close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
   Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course.

Virtual machine      Role
10967A-LON-DC1       Windows Server 2012 Domain Controller and DNS Server in the Adatum.com domain.
10967A-LON-SVR1      Windows Server 2012 server, member server in the Adatum.com domain.
10967A-LON-SVR2      Windows Server 2012 server. Not domain joined.
10967A-LON-SVR3      Windows Server 2012 Server Core. Domain joined to Adatum.com.
10967A-LON-SVR4      Blank virtual disk used for installation of Windows Server 2012.
10967A-LON-SVR5      Windows Server 2012 server. Not domain joined. Damaged boot sector for use in
                     the troubleshooting lab.
10967A-LON-CL1       Windows 8 client, joined to the Adatum.com domain.
MSL-TMG1             Windows Server 2008 R2 Enterprise with Microsoft Forefront Threat Management
                     Gateway (TMG) installed. Acts as Internet proxy and default gateway for course
                     virtual machines. Required in some labs to allow access to the Internet.

Software Configuration
The following software is installed or available for use in the labs:

Remote Server Administration Toolkit (RSAT) for Windows 8: Available as part of the lab files for
installation and use during the lab.

StressTool.exe: Used to place a simulated load on virtual machine CPUs.

Report Viewer 2008 SP1: Used for Windows Server Update Services reporting
synchronization.

Microsoft System CLR Types for Microsoft SQL Server 2012: Used as an example .msi installer for use
with AppLocker.

Windows Server 2012 Evaluation installation files: Used during the Windows Server 2012
installation lab.

Course Files

There are lab files associated with the labs in this course, which contain the software listed above and
sample files for use during the course labs. These lab files are located on the E:\ drive within the
10967A-LON-DC1 virtual machine.

Classroom Setup
Each classroom computer will have the same virtual machines configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Hardware Level 6

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*

8 GB random access memory (RAM) or higher

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft Mouse or compatible pointing device

Sound card with amplified speakers

Navigation in Windows Server 2012

If you are not familiar with the user interface in Windows Server 2012 or Windows 8, then the following
information will help orient you to the new interface.

Sign in and Sign out replace Log in and Log out.

Administrative tools are found in the Tools menu of Server Manager.

Move your mouse to the lower right corner of the desktop to open a menu with:

Settings: This includes Control Panel and Power

Start menu: This provides access to some applications

Search: This allows you to search applications, settings, and files

You may also find the following shortcut keys useful:

Windows: Opens the Start menu

Windows+C: Opens the same menu as moving the mouse to the lower right corner

Windows+I: Opens Settings

Windows+R: Opens the Run window

Module 1
Installing and Configuring Windows Server
Contents:
Module Overview                                        1-1
Lesson 1: Windows Server Architecture                  1-2
Lesson 2: Installing Windows Server                    1-9
Lesson 3: Configuring Services                         1-21
Lesson 4: Configuring Devices and Device Drivers       1-24
Lab: Installing and Configuring Windows Server 2012    1-29
Module Review and Takeaways                            1-34

Module Overview

In order to have a server that fits the needs of your organization and that operates in an efficient and
consistent manner, specific steps and considerations have to be taken. A critical piece of a Windows
Server operating system's ability to operate successfully and efficiently is the initial installation of the
operating system and the configuration of the services and devices. These areas are covered in this
module.

Objectives
After completing this module, you will be able to:

Describe Windows Server components and architecture.

Install Windows Server 2012.

Configure services.

Configure devices and device drivers.

Lesson 1

Windows Server Architecture


Before you start to install and configure Windows Server, you must have a basic understanding of servers
and operating systems. You must also understand server components and how those components work
together. Understanding these basic concepts will help you make more informed decisions and have a
better understanding of how servers work.

Lesson Objectives
After completing this lesson, you will be able to:

Describe servers and clients.

Describe components that make up Windows Server.

Describe the Windows Server bus technologies.

Describe the Windows Server software architecture.

What Is a Server?
A server is a computer that provides shared resources, such as files, printers, email messages, web
services, and databases, to network users. Unlike a client, whose primary role is performing tasks for the
end-user who is logged on locally to the computer, a server is responsible for serving many resources to
the rest of the network. Which resources the server provides is determined by the assignment of server
roles. Server roles define a server's function, such as Web Server, Application Server, File and Storage
Service server, and Print Server.

Servers also play a key role in maintaining the integrity of a computer network. Servers use authentication
and resource access rules to make sure that information and resources on the network are available only
to those who are authorized to use them. Servers also provide additional network-related services such as
assigning IP addresses, performing name resolution, or routing network traffic.

The main component to supplying these services in an effective manner is the server operating system.
The server operating system communicates with the server's hardware to enable communication to occur
and data to be transferred internally between the various server components and externally to resources
that want to access information. A server operating system provides a centralized environment to manage
the server's functionality and resources. It lets administrators interact with the server in a meaningful and
efficient way. Operating systems control the allocation and usage of hardware resources such as memory,
CPU time, disk space, and peripheral devices. An operating system is the foundation on which programs
and applications are built.
Question: What different functions might a server perform in a network environment?

Fundamentals of a Windows Server Infrastructure

Windows Server Components

Servers consist of multiple components that enable the computer to function. Some of the better-known
elements include the following:

Motherboards
Casing or housing unit
CPU/processors
Memory
Hard disks
Expansion devices
Integrated peripherals
Power supplies
Cooling systems
Keyboards
Mouse devices
Monitors

Generally, servers are a group of individual components. How these components interact and operate
determines the performance of the server. At its most basic level, the server consists of a series of resistors,
capacitors, semiconductors, and transistors, connected through conductive cabling.
The following topics cover some common components, such as the motherboard, CPU (or processor),
hard disk, random access memory, and network access. Understanding how these hardware components
are used by the operating system and how they interact with one another is an important step to
understanding how servers function.
Motherboard

The motherboard is the printed circuit board (PCB) that controls all the other components in a server. It is
typically the largest single physical component on which all other physical components are installed.
Motherboards can be very different from server to server and are built to accommodate particular
technologies or kinds of devices. Server motherboards can be housed in several different ways, such as the
following:

Towers. Server motherboards can be mounted in a stand-alone box. This is known as a tower, much
as you might see in a desktop workstation. Desktop workstations are mainly used in small to medium-sized
businesses and are not usually centrally managed or configured.

Racking or shelving units. Server motherboards can be mounted in single self-contained units.
These units can then be stacked in a rack or shelving unit. Typically racks and shelving units contain
multiple servers and are located in a secure server room. These servers can be managed by using a
single monitor or keyboard present in the racking unit, or remotely managed. Remotely managing
servers is most common in modern data center environments.

Blade servers. Server motherboards can be mounted as blade servers. These are stripped-down
versions (no chassis) with just the motherboard and necessary components. This configuration is
becoming more common in data center environments because there are fewer components and the
blades can be quickly swapped out.

CPU or Processor


The CPU or processor is the computational, mathematical, and control unit of a computer. CPUs are
everywhere in modern devices, such as TVs, telephones, washing machines, cars, and refrigerators. The
processor is the component that executes instructions and, at its most basic level, is a layer of silicon with
millions of transistors, known as a core. Typically, CPUs in modern servers have more than one core or
separate CPUs built in to one device. Having two processors is known as dual core and having four
processors is known as quad core.
CPU performance can be measured in many ways. Factors such as memory cache size, bus width, and
number of transistors all affect CPU performance. Processor speed, or clock speed, measured in Hertz, is
probably the most common measurement used to differentiate CPUs.

CPUs can have either a 32-bit or 64-bit architecture. A 32-bit processor can directly address up to a
maximum limit of approximately 4 gigabytes (GB) of address space. A 64-bit processor can support up to
1,024 GB of both physical and addressable memory. Additionally, 64-bit systems can scale up (increase
processor cores and memory) more than 32-bit systems.
Not all software and operating systems can take advantage of a 64-bit architecture. Legacy applications
might require 32-bit architecture. The Windows Server 2012 operating system is available only in 64-bit
versions.
Note: 64-bit processors can run either a 32-bit or 64-bit operating system. 32-bit processors can only
run a 32-bit operating system.

Processor functionality is continually being updated and improved. New processors may have Second
Level Address Translation (SLAT) technology, for example. SLAT improves performance by providing a
second level of paging at the hardware level; the Client Hyper-V feature in Windows 8 requires SLAT to
be present in order to work. Similarly, Hyper-V in Windows Server 2012 requires hardware-assisted
virtualization support in processors, such as Intel Virtualization Technology (Intel VT) or AMD
Virtualization (AMD-V).
Storage

Windows Server requires a repository into which it can store and retrieve data. Modern servers typically
access some form of shared storage. This shared storage provides redundancy and is typically external to
the physical server. There are two primary competing physical elements that can be used:

Disks. Hard disk drives (HDDs) have been used for a long time. They consist of circular disks and a
head that can read and write to the disks. The disks spin very quickly and the head accesses and
writes data as directed. This is much like an old vinyl record player, except a lot faster and able to
access different areas of the disk as needed. Disks can be stand-alone or attached together in an
array. Disks are categorized with two main metrics, as follows:
    o Capacity. Can be from several hundred megabytes to several terabytes.
    o Speed of access. This is defined by the bus technology, which can have a significant effect on
      disk performance. Bus technologies are discussed in more detail in the next topic.

Solid-state drives (SSD). These, as the name suggests, are based on semiconductors and have no
disks or mechanical components. There are no moving parts. SSDs have the same metrics as HDDs.
    o Capacity. Have smaller capacities than HDDs, generally only up to several hundred megabytes.
      SSDs are not as scalable and are usually more expensive than HDDs. This may change as the
      technology evolves and becomes more common in the industry.
    o Speed of access. SSDs provide faster read and write access to data than HDDs. They require a
      separate controller to control read and write functions. SSDs generally provide faster access to
      data and are fairly new to the industry.

Disk space is also used by the operating system and applications to cache items for quick access. Storage
costs have generally come down in recent times and the technologies implementing them are evolving.
This is transforming storage options for servers and for consumers.
Memory

Data that is stored in a storage device must be transferred into memory before it can be used. So server
memory can have a significant effect on the number of concurrent tasks a server can perform. If multiple
applications or services are operating in parallel, the available memory can determine whether a particular
application will load and how long it will take to execute.
Typically, memory refers to the main memory or random access memory (RAM). This is known as random
because any part of the memory device can be written or accessed. However, there are other kinds of
memory, such as memory dedicated to graphics or CPUs. These devices typically contain read-only
memory (ROM).
There are different kinds of RAM, such as Synchronous Dynamic RAM (SD RAM), Double Data Rate
Synchronous DRAM (DDR SDRAM), and Double Data Rate 2 RAM (DDR2 RAM). Each kind of memory has
its own characteristics. Motherboards have memory slots. This determines the kind of memory supported
and how much memory is supported.
Some features or functionality to be aware of include the following:

Dual inline memory module (DIMM). The slot on the motherboard in which the RAM is inserted.
The connection type has 32 or 72 pin varieties.

Single inline memory module (SIMM). The slot on the motherboard in which the RAM is inserted.
The connection type has 32 or 72 pin varieties.

Error Correction Checking (ECC). Supports verifying integrity of data entering or leaving the storage
area. If the data is corrupted, ECC will correct the error.

Registered memory. Holds the data until it is passed on to the motherboard for transfer. It increases
the speed and reliability of data access.

Buffered memory. Contains a buffer to allow for overspill of data when it is dealing with the memory
controller, that is, when there is more data than the controller can handle or process. Buffered memory is
more reliable and has faster transfers.

Generally, more memory is better. With 64-bit chip architecture, you can have significant values of RAM.

Note: RAM is considered volatile because without power, all memory stored in it will be
lost.
Network

By definition, servers provide resources to clients. Therefore, network access is very important to server
performance. Although there might be some network components integrated into the motherboard,
network support within servers is provided through network adapters which are inserted into the
expansion slots of a server's motherboard.

Many different network adapters are available and most of the network adapter functionality can be
determined by the software that is used to manage the transfer of data. Some features, such as single-root
I/O virtualization (SR-IOV), which allows for the direct transfer of data between network adapters on
different computers, bypassing the need for CPU intervention, require that functionality be supported by
the network adapter itself. NIC teaming, where multiple network adapters can be combined to provide
redundancy, is such a scenario; Multipath I/O (MPIO) for redundancy is another such scenario.
You need to be aware of the network functionality and network adapter functionality and what your
requirements are for transfer rates and feature sets. Ultimately, poor network performance could lead to a
very poor end-user experience.
Power Supply

As with any electrical device, servers require power. They need a regulated power supply and are very
sensitive to power surges or sudden drops in power. Either scenario can result in damaged components.

Therefore, most servers will have an uninterruptible power supply (UPS) as a backup power supply if there
is a sudden power failure, and a surge protector to prevent sudden spikes in electrical power.
Cooling Units/Heat Sinks

Electronic components generate heat. This heat can cause an electronic component to fail and result in
damage or data loss. The heat can be drawn off or dissipated in several ways, such as the following:

Use air or water. Typically, servers have fans that speed up and slow down to blow air across a hot
device to cool it down. You can also use water or other liquid-cooled mechanisms. But these are not
widely used. Liquid cooling systems must be carefully managed.

Provide conduction or radiation. Putting heat sinks over CPUs can move heat away from the
device. Also, not positioning individual components over one another and leaving open space
between devices also helps dissipate heat.

Heat management is a significant consideration in modern data centers. Using fans can be very noisy and
require additional power consumption. This has additional costs.
Question: In what ways can 64-bit computing improve performance?

Windows Server Bus Technologies

Bus technologies are the mechanisms by which components communicate with one another. The term can
be used in the context of either computer-to-computer communication over a network or, as is more
typical, in relation to internal computer components and how parts of the computer communicate with
the processor. Many devices are referred to or named by the kind of bus technology that they use. Bus
technologies can be widely grouped into two functional categories: serial bus and parallel bus.

Serial Bus. Data is broken up and transmitted as packets. The packets are sent one after the other over a
single connection to the destination. At the destination the packets are then reassembled. Common serial
bus technologies include the following:
    o Serial Advanced Technology Attachment (SATA). Connects storage devices such as hard disk
      drives and optical drives to the CPU. Variations exist, such as external SATA (eSATA) and mini-SATA
      (mSATA). SATA version 2 provides speeds of up to 300 megabytes per second (MBps). SATA
      version 3 provides speeds up to 600 MBps.
    o Serial-attached SCSI. Provides for speeds of potentially up to 300 MBps. Supports hot swapping,
      replacing the component without shutting down the system.
    o Peripheral Component Interconnect (PCI) and PCI Express. Typically used to attach peripheral
      devices to a server. PCIe supports speeds up to 200 MBps.
    o Universal serial bus (USB). Several versions are available. USB 3.0 provides speeds of up to 5
      gigabytes per second (GBps), but in practice a good deal less than that, of the order of several
      hundred MBps. Used in many peripheral devices.
    o Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1394. Also known as FireWire,
      i.LINK, and Lynx. Supports speeds of 800 MBps and provides for very fast transfer speeds. Used in
      many peripheral devices, specifically multimedia devices.
    o InfiniBand. InfiniBand has three implementations, each a multiple of a 2.5 GBps transfer rate.
      InfiniBand 1x provides transfer rates of 2.5 GBps. InfiniBand 4x provides transfer rates of 10 GBps.
      InfiniBand 12x provides transfer rates of 30 GBps. InfiniBand is intended for use with high-speed
      storage, clustering, and cloud computing in data centers.

Parallel Bus. Data is broken up into packages and transmitted to its destination over multiple
connections at the same time. At the destination the packets are then reassembled.
    o Parallel ATA (PATA). Generally known as Integrated Drive Electronics (IDE) and in later versions
      as Enhanced IDE (EIDE). Used for HDD connections. This is a legacy technology.
    o Parallel SCSI. Used primarily for data storage with hard disk drives. It provides maximum transfer
      rates of approximately 320 MBps. This legacy technology was replaced by serial-attached SCSI.
    o Industry Standard Architecture (ISA). This is a legacy technology that provided a 16-bit bus.
      Replaced by PCI.
    o Micro Channel. IBM PS/2 replacement for ISA.
    o Extended ISA (EISA). An extension of ISA that was replaced largely by PCI.

Serial buses have generally replaced parallel buses and are currently more widely used in servers.

The internal bus types can be categorized by the type of data that they transmit, such as the following:

Address bus. An internal bus from the CPU to the memory. This is used to transfer the addresses of
data, not the actual data itself. The address bus width is the determining factor in how much
addressable memory is available.

Data bus. An internal bus that connects the CPU and the memory, across which the actual data is
transferred, for example, to and from RAM.

Control bus. A bus that controls the communication between the CPU and memory.

Windows Server Software Architecture

When Windows Server 2012 is installed on a computer, the CPU has two modes in which it can operate:
kernel mode and user mode.

Kernel Mode
Kernel mode provides full and direct access to all installed hardware. Access is provided through a
software layer called the hardware abstraction layer. This layer gives programmers a standard set of calls
that can be used to access any hardware type.

The Windows Server application programming interface (API) is a set of objects and commands that
enables programmers to interact and write code to manipulate the Windows software. Through this layer
programmers can access and customize the Windows code.
Operating system components that require direct access to hardware run in kernel mode. For example,
file system drivers run in kernel mode and can access memory, CPU, bus technologies, and peripheral
devices.

Be aware that code running in kernel mode is not isolated. If a driver running in kernel mode accesses or
writes data to an address space, it could affect other parts of the operating system or other applications
that are running. This can be seen in a fatal error that displays a stop error, more commonly known as a
blue screen.
User Mode

User mode does not have direct access to the hardware; it requests access through kernel mode.

When an application or service is started, it runs in its own process, or private address space, so each application or service runs in isolation. If you open Task Manager and select the Details tab, a list of processes and their associated IDs is displayed. Even where multiple instances of the same application are running, each instance runs in isolation. Running processes in isolation provides a level of protection should an application crash: only that application crashes.

If you right-click a process, you can raise the priority level of the process so that if there are two requests for CPU access, the priority level determines which process gets the CPU. You can also set an affinity for an application so that it runs on a specific processor that you designate.

Lesson 2

Installing Windows Server

The method by which you install Windows Server 2012 can vary, depending on your individual
environment and requirements. This lesson will introduce you to the key installation components and
considerations involved with installing Windows Server 2012.

Lesson Objectives
After completing this lesson, you will be able to:

Identify Windows Server 2012 editions.

Describe the installation methods.

Select an installation type.

Describe what Server Core is.

Describe the process for installing Windows Server 2012.

Describe post-installation configuration steps.

Describe automating the deployment process by using Windows Deployment Services.

Windows Server 2012 Editions


Windows Server 2012 is available in different editions to support various requirements and workload needs. Each edition of Windows Server has different functionality and feature sets. Therefore, it is important to be familiar with the various editions before you deploy Windows Server 2012.

The following table lists the Windows Server 2012 editions.

| Edition | Description |
|---|---|
| Windows Server 2012 Standard | Provides all roles and features that are available on the Windows Server 2012 platform. Supports up to 64 sockets and up to 4 terabytes (TB) of RAM. Includes two virtual machine licenses. Suitable where there are low numbers of virtual servers being run. |
| Windows Server 2012 Datacenter | Provides all roles and features that are available on the Windows Server 2012 platform. Includes unlimited virtual machine licenses for virtual machines that are run on the same hardware. Supports 64 sockets, up to 640 processor cores, and up to 4 TB of RAM. Suitable where there are lots of virtual machines being run. |
| Windows Server 2012 Foundation | Designed for small business owners, allows only 15 users, cannot be joined to a domain, and includes limited server roles. Supports one processor core and up to 32 GB of RAM. Foundation Server is available only through original equipment manufacturers (OEMs). That is, third-party manufacturers ship computers that have this edition, and the edition does not include rights to run virtual machines or to run as a virtual machine in a Standard or Datacenter edition. |
| Windows Server 2012 Essentials | An edition of Windows Small Business Server Essentials. Must be a root server in the domain. Is limited to 25 users and 50 devices. Supports two processor cores and 64 GB of RAM. Does not contain all the features and functionality of the Standard and Datacenter editions. For example, the Hyper-V role is not available. |

Note: Windows Server 2012 has a more simplified edition set than previous Windows Server versions. Unlike earlier versions of Windows Server, there is no difference in features or functionality between the Standard and Datacenter editions. The difference is only in licensing, related to the number of virtual machines that you can run in Hyper-V. There is no Enterprise edition.

Windows Server 2012 is now licensed in two-processor increments. For example, if you are licensing:

A two-processor server that has Windows Server 2012 Datacenter Edition, you buy one license.

A four-processor server that has Windows Server 2012 Datacenter Edition, you buy two licenses.

An eight-processor server that has Windows Server 2012 Datacenter Edition, you buy four licenses.

Most servers now have multiple processor cores, and the two-processor increment is intended to simplify the licensing process. However, if you have cores that do not fill an increment (three processor cores present, for example), you then have to buy the next available increment. This would be two licenses.

The Standard and Datacenter editions are the general-purpose deployments. The only differentiator is whether you want to run many virtualized environments.

There are also other function-specific editions of Windows Server 2012 available, such as the following:

Microsoft Hyper-V Server 2012. Available as a free download that contains just the Hyper-V role
and some other virtualization-related functionality, such as failover clustering and storage features. It
does not contain other features and functionality present in Standard and Datacenter editions.
Therefore, it has a smaller installation footprint, and also does not include any guest licenses. It is very
useful in running Linux virtual machines or in a Virtual Desktop Infrastructure (VDI) environment,
where clients and other operating systems are licensed separately.

Windows Storage Server 2012. This is a storage-specific edition that is available through OEMs only. It is
intended as a storage-specific product that supports complex storage requirements and runs with the
third-party manufacturer's dedicated hardware and drivers.

Note: Windows Server 2012 runs only on x64 processor architecture. Unlike earlier versions
of Windows Server, there is no support for x86 or Itanium-based processor architecture.

More information about the differences between the Windows Server 2012 editions can be
found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=266736

Installation Methods

Various methods exist for installing Windows Server. These methods are determined primarily by the media from which the operating system is installed. Depending on your installation scenario, the availability of specific hardware, and the degree of physical access to the server, several general methods exist to make sure that Windows Server can be installed in any situation.

Local media. The standard and simplest method of installing Windows Server 2012 is by using local media. Windows Server can be installed locally by using an installation DVD inserted into the DVD drive of the server or run from a USB flash drive attached to the computer.

Network share. Windows Server 2012 can also be installed from a shared location on the network.
This allows for installation on servers where only remote access is available or for servers that do not
have a DVD drive or USB ports available to support a local media installation. Network share
installations also allow for multiple servers to use the same copy of the installation files at the same
time. So you do not have to have multiple DVDs or USB flash drives.

Automated deployment. Deployment refers to an advanced, pre-planned installation of Windows Server 2012, typically done over the network and involving multiple servers. Typically, server deployments also include a large degree of configuration and automation, requiring less hands-on administration during the installation process. Deployment is typically configured and executed through a dedicated deployment tool or by using answer files.

The following table summarizes considerations for various installation media.

| Media | Considerations |
|---|---|
| Optical media | Local media or network share. Traditional method; single-install method. Computer requires access to a DVD drive. Typically slower than USB media. Media is not writable, so the installation files cannot be customized. |
| USB | Local media or network share. All computers that have USB drives can start from USB media. Media is writable and can be updated as new software updates and drivers become available. Can include an answer file to automate installation. USB media and host might require additional steps to enable startup from it. |
| Mounted International Organization for Standardization (ISO) file | Local media or network share. ISO is the format in which installation files are typically made available from Microsoft. With virtualization software, you can mount the ISO image directly and install Windows Server 2012 on a virtual machine. Primarily used with virtualized installations. |
| Start in virtual hard disk (VHD) | Can boot directly into a VHD or VHDX file that has the operating system already installed in it. This is known as "native boot" or "boot from VHD." VHD/VHDX files are writable, so the installation files can be updated. |
| Network share | You can start a server from installation files that are hosted on a network share. Slower than Windows Deployment Services. If you already have access to DVD or USB media, it is simpler to use those for operating system deployment. |
| Windows Deployment Services | Windows Deployment Services allows for multiple concurrent installations of Windows Server 2012 with .wim or .vhd files, multicast network transmissions, the Windows Automated Installation Kit (AIK), and client Pre-Boot Execution Environment (PXE) startups. |

There are other automated options to deploy Windows Server 2012, such as Microsoft System Center
Operations Manager and System Center Virtual Machine Manager (VMM). These other options are
dedicated enterprise server management or virtualization management products and are not covered in
this course. These options allow for multiple servers to be deployed across different environments and
allow for customization.

Note: An answer file automates Windows setup. This file enables the configuration of
Windows settings, the addition and removal of components, and many Windows setup tasks,
such as disk configuration.
Question: Why is it important to be able to change the installation files on a writable media
type?

Selecting an Installation Type

New Install

A new install of Windows Server 2012 is typically done when a server is installed to perform a new role on the network or when you do not have to keep any information from the operating system previously installed on the server. A new install involves installing the operating system either onto an empty hard disk or overwriting existing information on a hard disk.

Upgrade

An upgrade installation of Windows Server 2012 involves replacing an existing operating system while preserving the files, settings, and applications that are already installed on the original server. Upgrade installations are typically done when existing system information would be too difficult or time-consuming to re-create or migrate to a new installation of Windows Server 2012.

Note: You can only upgrade to an equivalent or newer edition of Windows Server 2012 from x64 versions of Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, and Windows Server 2003 R2.
Migration

A migration install is characterized by the backing up of data or settings from an existing server
installation and erasing or overwriting that server by using a new installation of Windows Server 2012. The
backed-up data or settings are then restored to the newly installed server. This kind of migration
installation is typically used when the data and settings involved can easily be backed up and you do not
have to maintain the complete configuration of the existing server. Or, a migration can also involve the
installation of Windows Server 2012 on a new physical server and transferring the settings and
applications from the original server to the new one.
This method has the benefit of leaving the old server completely intact should the need arise to roll back
to the old configuration. However, this method also involves a lot of planning to make sure that all
relevant data from the old server is transferred to the new server.

Note: Use migration when you migrate from an x86 version of Windows Server 2008,
Windows Server 2003, or Windows Server 2003 R2 to Windows Server 2012. You can use the
Windows Server Migration Tools feature in Windows Server 2012 to transfer files and settings.

What Is Server Core

IT administrators have several graphical user interface (GUI) options when they deploy a Windows Server 2012 operating system. There are effectively three states that the server can be in from a GUI point of view, each of which can be applied at any time by using the Add Roles and Features or Remove Roles and Features Wizards in Server Manager. The three states are as follows:

Server Core. This is a minimal interface with limited GUI components, such as Notepad and Task Manager. It has the smallest footprint of all the installation options and the fewest GUI components.

Graphical Management Tools and Infrastructure. This also contains a minimal server interface but
has some GUI components to provide some server management UI tools, such as Server Manager and
Administrative Tools.

Server Graphical Shell. Contains the full GUI. This includes Windows Internet Explorer, File Explorer,
and other UI components. This has a larger footprint than the Graphical Management Tools and
Infrastructure option.

Reducing the GUI component down to the minimum required to manage the server serves several
functions, such as the following:

Reduced servicing overhead. Fewer updates are required for installation. This means less downtime
and less administrative overhead testing and deploying updates, in addition to reduced restart
requirements.

Reduced administrative overhead. Fewer updates means that there will be less administrative
overhead testing and deploying updates.

Reduced resource overhead. Disk space and memory requirements are reduced by removing files
that are not needed.

Reduced attack surface. Fewer files are installed. This means a smaller server install footprint is
exposed to potential security threats. Also, without a GUI, a local user's ability to interact with the
server is limited.

When installation is complete in a Windows Server 2012 Server Core installation, you will know it is a
Server Core installation by the presence of a command-line window without a Start menu or other GUI
components visible.

A Windows Server 2012 Server Core installation can be managed locally by using several options, such as
the following:

Command-line tools. Traditional command-line tool commands such as netsh.

Windows PowerShell. By typing PowerShell in the command-line tool, you start Windows
PowerShell mode and can run Windows PowerShell commands.

Sconfig. Specific only to Server Core installations, it is a command-line, menu-driven administrative
tool that lets you perform most common server administrative tasks with a reduced number of
commands.

A Windows Server 2012 Server Core installation can be managed remotely by using the following
methods:


Server Manager. From another Windows Server 2012 server using Server Manager, which allows for
remote and multiple server management.

Remote Server Administrative Tools for Windows 8 (RSAT for Windows 8). By installing the
RSAT for Windows 8 and managing from a Windows 8 client.

Note: Windows Server 2012 can only be managed through RSAT on Windows 8. Similarly,
Windows Server 2008 can only be managed by using the RSAT on Windows 7 clients. RSAT is
version- and operating system-specific.

Windows PowerShell. By using WinRM capabilities, you can remotely manage single or multiple
Windows Server 2012 servers by using Windows PowerShell.

Microsoft Management Console (MMC). By adding the remote server to the individual MMC on
another server.

All GUI elements are removed from a Server Core installation except for those in the following list:

Notepad. Accessed by typing Notepad in the command line.

Task Manager. Accessed by typing Taskmgr.exe in the command line.

Registry Editor. Accessed by typing regedit.exe in the command line.

System information. Accessed by typing Msinfo32.exe in the command line.

Note: In Windows Server 2008, performing a Server Core installation was a one-way event.
That is, you could not install the GUI after a Server Core installation and you could not change
between the GUI and non-GUI environments. Only in Windows Server 2012 is it possible to add
and remove the GUI components as you need.
Adding or removing the GUI components requires a restart of the server.
Question: In what situations might a Server Core installation be used instead of a full
installation of Windows Server 2012?

Demonstration: What Is Server Core

In this demonstration, you will see how to add and remove the graphical components and be introduced
to various administration tools, some of which require a graphical UI. This will help you decide which
administration tools you must have to administer the server, and which installation option is best.

Demonstration Steps

1. Open Server Manager.

2. Open the Remove Roles and Features Wizard.

3. Identify the graphical features that can be added or removed.

4. Access Windows PowerShell.

5. Use Windows PowerShell commands to view the Windows features that install or uninstall the GUI components of the server.

6. Switch to the LON-SVR3 virtual machine and, by using Windows PowerShell, view the list of installed features.

7. Access the Sconfig tool.
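Steps 5 and 6 in Windows PowerShell, as an added example that is not part of the course material: the ServerManager module's Get-WindowsFeature, Install-WindowsFeature and Uninstall-WindowsFeature cmdlets drive the three GUI states through the features Server-Gui-Mgmt-Infra and Server-Gui-Shell, and LON-SVR3 is the lab server named in step 6.

```powershell
# Added example, not part of the course: inspect and change the Windows Server 2012 GUI
# state with the ServerManager module. Server-Gui-Mgmt-Infra and Server-Gui-Shell are the
# features behind the three states described above.
Import-Module ServerManager

function Get-GuiState {
    # Map the install state of the two GUI features onto the three states.
    $mgmt  = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra
    $shell = Get-WindowsFeature -Name Server-Gui-Shell
    if ($shell.Installed)    { return 'Server Graphical Shell' }
    elseif ($mgmt.Installed) { return 'Graphical Management Tools and Infrastructure' }
    else                     { return 'Server Core' }
}

function Set-GuiState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('ServerCore', 'MinShell', 'FullGui')]
        [string]$State,
        [switch]$Restart   # every transition needs a restart to take effect
    )
    switch ($State) {
        'ServerCore' {
            # Removing the management infrastructure also removes the shell that depends on it.
            Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart:$Restart
        }
        'MinShell' {
            # From Server Core, Install-WindowsFeature may need -Source <path to install.wim>
            # if the feature payload has been removed from the local side-by-side store.
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra | Out-Null
            Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart:$Restart
        }
        'FullGui' {
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart:$Restart
        }
    }
}

# Step 5: which features control the GUI on this server, and what is installed right now.
Get-WindowsFeature -Name Server-Gui-* | Format-Table Name, DisplayName, InstallState -AutoSize
"Current state: $(Get-GuiState)"

# Step 6: the same question asked remotely of the Server Core lab host LON-SVR3.
Get-WindowsFeature -ComputerName LON-SVR3 | Where-Object Installed |
    Format-Table Name, DisplayName -AutoSize

# Example transition, commented out so the script is safe to run as a read-only audit:
# Set-GuiState -State ServerCore -Restart
```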

Installing Windows Server

There are several general steps that you must follow to install Windows Server 2012. You might see small variations on the following, depending on your specific scenario. However, these steps are generally what you encounter with most installation methods and types.

1. Make sure that the server hardware meets minimum requirements. Windows Server 2012 requires a minimum level of hardware to run correctly. The following table lists the most common basic hardware requirements for a Windows Server 2012 installation:

| Component | Minimum required |
|---|---|
| Processor | 1.4 gigahertz (GHz) (64-bit processor) |
| Memory | 512 MB RAM |
| Disk space | 32 GB free space |

Note: Minimum requirements are just that; a minimum. In a production environment, the
hardware that is used for a server should always be appropriately scaled to meet the resource
requirements for the server operating system, installed roles, features and applications and,
typically, future growth.

In addition, specific features might have to be configured on the server hardware to support Windows
Server 2012. For example, basic input/output system (BIOS)level virtualization settings must be enabled
for the Hyper-V virtualization role to run.

Also, some hardware that is used during the installation process (typically hard disks) might not have
device driver support built into Windows Server 2012. In these cases, the device driver must be preloaded
before installation or a copy of the media that contains the driver must be available during installation.
Also, make sure that you back up all pertinent data if you are installing Windows Server 2012 in an
upgrade or migration scenario.
2. Connect to the installation source, and then run setup.exe.

3. Confirm regional and language settings, such as installation language and time and currency formats.

4. Select Install Now or Repair Your Computer. Use the repair option if your operating system is corrupted and you can no longer start Windows Server 2012.

5. Select the edition to install. The default option is Server Core.

6. Read and accept the license agreement.

7. Select the installation type, either Upgrade or Custom (new installation).

8. Select the installation location. You can also decide to repartition and reformat the disks at that location.

9. Wait for the installation files to install. The computer will restart several times.

10. Provide a password for the administrator.


After initial setup is complete, Windows Server 2012 starts for the first time and presents options for
additional configuration.

Note: The Windows Server 2012 installation bits you are using in this course are Evaluation,
or Eval, bits. Therefore, you are not required to insert a product key as part of the installation
process. However, for all other bit types, such as Retail or Volume License, you have to insert a
product key during setup and activate the software.
The product key comes in the format of XXXXX-XXXX-XXXX-XXXXX-XXXXX, and will be available
through the mechanism you obtained the software installation bits. If the software is not
activated, there will be reduced functionality and eventually the software will no longer function.

Post-Installation Configuration

After installation, several tasks have to be performed. These include time zone and clock settings, network configuration, setting a unique computer name and domain membership, configuring Windows Update settings, adding server roles and features, changing Remote Desktop settings, and configuring Windows Firewall settings.

You use the Local Server node in the Server Manager console to perform the following tasks:

Activate Windows. You can continue to use Windows Server while it is not activated for a grace period. After this period expires, Windows continues to function. However, the system is then unlicensed.

Set the time zone. It is important to configure the time zone because many network-related services
do not function correctly if the computer clocks of networked computers are too much out of sync.

Configure the network settings. By default, both IPv4 and IPv6 are configured to obtain an IP
address automatically. Most server installations will use static IP address information.

Configure computer name and domain membership. By default, the computer name is
automatically generated. The suggested name might not comply with organizational standards that
your organization requires. By default, the computer is assigned membership of a workgroup. In most
cases, the computer will have to be joined to a domain.


Enable automatic updating and feedback settings. By default, automatic updates are disabled and
Windows error reporting is turned off.

Download and install updates. Make sure that the computer is up to date with urgent and security-related updates.

Add roles. A role refers to the primary function of the server, as enabled by the grouping of features
and services that the server administrator specifies. Examples of a server role include Domain Name
System (DNS) and Web Server. By default, no roles are installed.

Add features. Features are independent components that frequently support role services or support
the server directly. For example, Windows Server Backup is a feature. By default, no features are
installed.

Enable Remote Desktop. By default, Remote Desktop is disabled in Windows Server 2012.

Configure Windows Firewall. By default, the computer is connected to a public network location
and Windows Firewall is enabled, by using the public location profile.

In a deployment situation, many of these tasks are completed during the deployment process by using
answer files.

Note: In a Server Core installation, many GUI elements are removed. Therefore, Server Core
post-installation configuration must be done locally by using the command line, the
sconfig.cmd tool, or remotely by using MMC on another computer. This additional effort
required for configuration makes Server Core installations excellent candidates for using answer
files for automated configuration in a deployment scenario.
More information about Windows Deployment Services can be found at the following
webpage:
http://go.microsoft.com/fwlink/?LinkID=309134
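The post-installation tasks listed above, performed from the command line as the Server Core note describes, as an added example that is not part of the course material. The IP addresses, the domain name and the credential prompt are constructed placeholders; LON-SVR3 is the lab server used in this course, and the registry and cmdlet names are the standard Windows Server 2012 ones.

```powershell
# Added example, not part of the course: post-installation configuration on a Server Core
# host, where Server Manager's Local Server node is not available. Addresses and domain are
# constructed placeholders.
$NewName    = 'LON-SVR3'
$DomainName = 'contoso.example'                        # placeholder domain
$Nic        = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

# Time zone and clock: Kerberos and other network services fail if clocks drift too far apart.
tzutil.exe /s 'UTC'
w32tm.exe /resync | Out-Null

# Network: servers normally use static addressing, so replace the DHCP-assigned IPv4 settings.
Set-NetIPInterface         -InterfaceIndex $Nic.ifIndex -Dhcp Disabled
New-NetIPAddress           -InterfaceIndex $Nic.ifIndex -IPAddress '192.0.2.10' -PrefixLength 24 -DefaultGateway '192.0.2.1'
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses '192.0.2.2'

# Windows Firewall: enabled with the Public profile by default; keep it enabled on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Remote Desktop is disabled by default. Enable it, require Network Level Authentication,
# and open only the Remote Desktop rule group rather than weakening the firewall.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Automatic updates are disabled by default; the Windows Update policy values below turn
# them on (AUOptions 4 = download and install on a schedule).
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0
Set-ItemProperty -Path $au -Name AUOptions    -Value 4

# Roles and features: none are installed by default; add only what this server's role needs.
Install-WindowsFeature -Name Windows-Server-Backup

# Activation (no product key is needed for the evaluation media used in this course).
cscript.exe //Nologo "$env:windir\System32\slmgr.vbs" /ato

# Computer name and domain membership last, because the join requires a restart.
Add-Computer -DomainName $DomainName -NewName $NewName `
    -Credential (Get-Credential -Message "Account allowed to join $DomainName") -Restart
```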

Demonstration: How to Configure a Server after Installation

In this demonstration, you will see how to use Server Manager to configure the following post-installation
settings.

Demonstration Steps

1. Set the time zone.

2. Assign IP addressing details.

3. Enable automatic updating.

4. Join the computer to a domain.

Automating Deployment with Windows Deployment Services


Windows Deployment Services is a set of operating system components that allow for the efficient deployment of several different operating systems, including Windows Server 2012. The Windows Deployment Services components can be divided into the following three categories:

Windows Deployment Services server components. These components reside on a Windows Server 2012 server and are responsible for hosting and sharing the files that you must have for operating system deployment. A Windows Deployment Services server can deploy operating systems to multiple computers at one time.

Windows Deployment Services client components. The client components run on the computers that the operating system is being deployed to. They enable the computer to communicate correctly with the Windows Deployment Services server and determine which operating systems are available for deployment.

Windows Deployment Services management components. The Windows Deployment Services management components give administrators the tools necessary to configure and manage a Windows Deployment Services environment, performing tasks such as adding new operating system images and managing Windows Deployment Services configuration settings.

Windows Deployment Steps

A typical Windows Deployment Services deployment of Windows Server involves the following steps:

1. Build image file(s). Windows Deployment Services in Windows Server 2012 uses Windows Imaging Format (WIM) or VHD file types to package operating system files for deployment. Both file types allow for a single file to contain all the information that you must have to deploy one or several versions of an operating system. These images are copied to deployed computers and unpackaged on the computer's hard disk into a ready-to-run version of the operating system. The operating systems in the following table are supported for deployment with Windows Deployment Services in Windows Server 2012.

| Client | Server |
|---|---|
| Windows XP | Windows Server 2003 |
| Windows Vista SP1 | Windows Server 2008 |
| Windows 7 | Windows Server 2008 R2 |
| Windows 8 | Windows Server 2012 |

2. Build unattended answer file(s). Windows Deployment Services lets you automate operating system installation during deployment by using unattended answer files. These provide information to the deployment process about the various configuration options available. They allow an administrator to deploy the operating system without any intervention or manual entry of information during the deployment process, and they can be reused or customized for multiple deployments.

3. Create a deployment transmission. By creating a transmission, the Windows Deployment Services server advertises to the rest of the network that it has several images ready for deployment.

4. Initiate installation from client. When a computer loads a Windows Deployment Services boot image (typically from DVD or by booting from the network), Windows Deployment Services displays a list of available images for deployment. After an image is selected, the deployment process is initialized and the Windows Deployment Services server begins unpacking the image file onto the new computer.
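Step 1 carried through with the DISM Windows PowerShell module, as an added example that is not part of the course material: it lists the editions inside a single install.wim, mounts one, injects the storage drivers that the installer would otherwise lack (the driver problem described under Installing Windows Server), and commits the change. All paths and the image index are constructed placeholders.

```powershell
# Added example, not part of the course: service a .wim before handing it to Windows
# Deployment Services. Paths and the image index are constructed placeholders; install.wim
# comes from the Windows Server 2012 media (mounted here as drive D:).
$Wim      = 'D:\sources\install.wim'          # placeholder: mounted ISO or DVD
$Work     = 'C:\Images\install.wim'           # writable working copy of the image file
$MountDir = 'C:\Mount'                        # placeholder: empty directory for servicing
$Drivers  = 'C:\Drivers\StorageController'    # placeholder: folder of OEM .inf driver packages

# 1. Work on a copy. Files copied from optical media keep the read-only attribute, and
#    Mount-WindowsImage refuses to mount a read-only .wim for writing.
New-Item -ItemType Directory -Path (Split-Path $Work), $MountDir -Force | Out-Null
Copy-Item -Path $Wim -Destination $Work -Force
Set-ItemProperty -Path $Work -Name IsReadOnly -Value $false

# 2. One image file, several deployable editions: each index is one operating system.
Get-WindowsImage -ImagePath $Work | Format-Table ImageIndex, ImageName -AutoSize

# 3. Mount the edition to deploy (index 4 is a placeholder; take it from the list above) and
#    add the boot-critical drivers so Setup can see the target disks without a driver disk.
Mount-WindowsImage -ImagePath $Work -Index 4 -Path $MountDir
Add-WindowsDriver -Path $MountDir -Driver $Drivers -Recurse

# 4. Review what was injected (out-of-box drivers only), then save the change into the .wim.
Get-WindowsDriver -Path $MountDir |
    Where-Object { -not $_.Inbox } |
    Format-Table Driver, ProviderName, ClassName, BootCritical, Version -AutoSize
Dismount-WindowsImage -Path $MountDir -Save

# 5. Record a hash of the serviced image so the copy imported on the WDS server can be
#    checked against what was built (certutil is present on Windows Server 2012).
certutil.exe -hashfile $Work SHA256
```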

Some general tools that can be used or that you might see as part of the Windows Deployment Services
process are as follows:

WDSUtil.exe. Command-line tool that is used for managing your Windows Deployment Services server.

Sysprep.exe. Command-line tool that reconfigures the installed operating system files so that when the computer is first run, it is displayed as a new installation to end users.

Windows PowerShell. Windows PowerShell cmdlets are available for Windows Deployment Services in Windows Server 2012.

Windows Preinstallation Environment (Windows PE). Provides a basic bootable command-line environment in which you can work.

Deployment Image Servicing and Management (DISM). Allows for creation and manipulation of .wim and .vhd files before deployment.

Windows System Image Manager (WSIM). Allows for creation and management of answer files.

OSCDIMG. Command-line tool for creating an image file (.iso) of a customized 32-bit or 64-bit version of Windows PE.

Volume Activation Management Tool (VAMT). Allows for management of the activation process across multiple image deployments.

Application Compatibility Toolkit (ACT). Allows for identification of applications that are potentially incompatible with Windows Server 2012.
Question: In what situations would a Windows Deployment Services server be used by an
organization? In what situations would a Windows Deployment Services Server not be
efficient to implement?

Lesson 3

Configuring Services

In Windows Server 2012, services provide the functionality for the core of the operating system. Services
provide the framework on which Windows roles and features are built. Effectively managing these services
is critical to the efficient and reliable operation of Windows Server.

Lesson Objectives
After completing this lesson, you will be able to:

Describe a service.

Configure the startup properties for a service.

Troubleshoot service issues.

What Is a Service?

In Windows Server 2012, a service or service application is a long-running executable that performs a specific function and requires no user intervention. Where an application might be started and closed many times by a user over any given time, a service will typically remain running for the whole time that the operating system is running, unless directed to do otherwise by the operating system or associated applications. Services typically consist of an executable file and a directory for storing service components.
Service Examples
Services are responsible for most of Windows Server functionality. Some common services and their
primary functions are as follows:

Print Spooler. Loads files to memory for printing.

Server. Supports file and print sharing over the network.

Task Scheduler. Enables a user to configure and schedule automated tasks.

Windows Error Reporting. Enables errors to be reported when programs stop working or
responding.

Windows Time. Maintains date and time synchronization throughout a network.

Note: As a best practice, you should disable all services except those that are required by
the roles, features, and applications that are installed on the server.
Service Startup

Unlike applications that are executed by the user on an as-needed basis, the execution of services is
controlled by the operating system or related software applications. Each service is initialized at the
startup of the computer according to its startup type. Startup types are as follows:

Automatic. Starts the service at system start.

Automatic (Delayed). Starts the service after a timed delay from system start. This is used in some cases to speed up system startup, or to make the service wait until the services that it depends on have started.

Manual. Starts a service as required or when it is called from an application.

Disabled. Prevents a service and its dependencies from running.

You can manage services through the Services console, which is available in Server Manager on the Tools
menu. Each service can be configured with different recovery options; for example, the first time that the
service fails, just try to restart the service. By default, each service runs as the Local System account. This
logon account can be changed to restrict and control service startup.

Demonstration: How to Configure Service Startup

In this demonstration, you will see how to view and configure service startup options by using the Services
console within Server Manager.

Demonstration Steps

1. Open the Services tool.

2. Change service settings.

3. View service settings options.

Troubleshooting Services
Because of the important nature of Windows
services, service failure or service-related problems
can cause various forms of operating instability.
These issues have to be diagnosed and resolved
quickly in order to maintain consistent system
operation.
Service failures can be caused by several issues.
This includes the following:

Service account restrictions. Services run under the context of a Windows account. This determines the
level of access that the service and its related functions have in relation to the rest of the system. Usually,
the built-in LocalSystem account is used for service execution. This gives a service a high level of access
to the rest of the operating system. However, some services run under a specially configured account
known as a service account. This service account is created for the sole use of running the related service
and might carry specific security restrictions or dependencies, depending on the nature of the service.
Incorrect password settings or too restrictive service account permissions can cause a service to be unable
to start.

Note: It is not uncommon for administrators to forget the passwords associated with service
accounts, which can lead to significant problems when you upgrade or configure specific services or
environments. It is also common for such passwords to be overly simple, reused across different servers
and services, and never changed. Windows Server 2012 introduced Managed Service Accounts: special
accounts for use with services, whose passwords are changed automatically and periodically.

Service dependencies. Many services run as a solitary application, unrelated to any other services. In
other cases, a service might depend on the successful operation of other services to enable it to
correctly start. If one of these dependency services fails, it could also cause the dependent service not
to start.

Corrupted or missing files. If the files that a service needs in order to execute are missing or
corrupted, the service might not start or it might behave unpredictably.
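The three causes above can be checked from Windows PowerShell before reaching for the GUI. The following is an added example, not code from the courseware; it assumes administrator rights, and with -ComputerName it uses WMI/RPC against a remote server (the Test-ServiceHealth name and its output fields are the example's own):

```powershell
# Added example (not part of the courseware): check a service against the failure
# causes listed above (logon account, dependencies, missing binary) and pull the
# Service Control Manager events that record the failure.
function Test-ServiceHealth {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' was not found on $ComputerName" }
    $findings = @()

    # Service account: LocalSystem and the two built-in low-privilege accounts need no
    # stored password; a dedicated service account needs a current password and the
    # "Log on as a service" right, so a logon failure points there first.
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if ($builtIn -notcontains $svc.StartName) {
        $findings += "Runs as '$($svc.StartName)': check the account's password and logon right"
    }

    # Dependencies: each service this one depends on must already be running.
    $ctl = Get-Service -Name $Name -ComputerName $ComputerName
    foreach ($dep in $ctl.ServicesDependedOn) {
        if ($dep.Status -ne 'Running') {
            $findings += "Depends on '$($dep.Name)', which is $($dep.Status)"
        }
    }

    # Missing files: take the executable out of the (possibly quoted) binary path and
    # confirm it exists; a remote path is reached through the administrative share (C$).
    if ($svc.PathName -match '^"?(?<exe>[^"]+?\.exe)') {
        $exe = $Matches['exe']
        $probe = $exe
        if ($ComputerName -ne $env:COMPUTERNAME) {
            $probe = "\\$ComputerName\" + ($exe -replace '^([A-Za-z]):', '${1}$$')
        }
        if (-not (Test-Path -LiteralPath $probe)) {
            $findings += "Service binary '$exe' is missing"
        }
    }

    # SCM events: 7000/7009 start failure or timeout, 7001 a dependency failed,
    # 7023/7034 terminated with an error or unexpectedly. Matched on the display name.
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents 200 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                            Id = 7000, 7001, 7009, 7023, 7034 }
    $recent = $events | Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) } |
        Select-Object -First 3
    foreach ($e in $recent) {
        $findings += "$($e.TimeCreated) event $($e.Id): $($e.Message.Split("`n")[0])"
    }

    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
        ExitCode  = $svc.ExitCode
        Findings  = $findings
    }
}

# Sample run against the Print Spooler service used later in this module's lab.
Test-ServiceHealth -Name Spooler | Format-List
```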

Solving Service-Related Issues


Several different methods and tools exist to help with troubleshooting services in Windows Server:

Safe mode. The safe mode boot feature is available when pressing the F8 key as the operating
system starts. Safe mode loads the minimal set of services that are required for the operating system
to run and could enable the repair, removal, or disabling of failing services that are preventing
Windows from starting correctly.

Last Known Good Configuration. Also accessed by pressing the F8 key as the operating system
starts, Last Known Good Configuration restores operating system settings contained in the registry as
they were the last time that the computer started correctly.

MSConfig.exe. MSConfig, or the Microsoft System Configuration Utility, is a graphically based utility
that can be used to change and troubleshoot the Windows startup process. It gives the user a
detailed level of control over which aspects of the operating system are enabled when the system
starts. It also allows for more specific control over services and the separation of native services from
third-party installed services.

Lesson 4

Configuring Devices and Device Drivers


Many individual components combine to provide the computer hardware on which Windows Server runs.
Disk drives, processors, memory, keyboards, monitors, network adapters, printers, scanners, and many
other components play an important role in providing the functionality that a server must have to
perform its duties.

The correct management and maintenance of these components means that the server components work
cohesively to provide correct functionality.

Lesson Objectives
After completing this lesson, you will be able to:

Describe a device.

Describe typical settings required for a device.

Describe a device driver.

Describe driver signing.

Update a device driver.

Roll back a device driver.

What Is a Device?
A device is a hardware component that performs
a specific function and is installed in or attached
to a computer.
Device functions can be as narrow as that of a computer's memory, or as diverse as a multifunction
printer/copier/scanner. Devices are also connected to the computer in many ways. Many devices attach
directly to the computer's motherboard (for example, processors, memory, and network adapters),
whereas some devices (for example, printers, cameras, flash drives, mouse devices, or keyboards) use
external connection technologies such as USB or FireWire.

Devices work together to provide a computer's complete functionality, and a single malfunctioning device
can affect the performance of other devices or the computer.

Hardware Settings for Devices


For devices to function cooperatively, they must be able to share the computer's resources and establish
methods of communication with other devices. Devices require specific settings that control where and
when they communicate with the rest of the computer. These settings must be unique to the device to
make sure that one device is not interfering with the functionality of another device. Historically, these
settings needed to be configured by the end user by using the BIOS of the computer, physical switches on
the device itself, or special configuration software provided by the device manufacturer. Common device
settings include the following:

Direct memory access (DMA) channel. DMA enables certain devices attached to the computer to
directly access the computer's memory without using the computer's processor. Typically, each device
that uses DMA must have a unique DMA channel assigned to it.

Interrupt request (IRQ) line. IRQ lines are used to send interrupt requests to a computer's processor
when a device requires processor use.

Input/Output range. The input/output range specifies the range of addresses in memory that a device
uses to send and receive information between the device and Windows. A device's input/output
range must be unique to that specific device.

Memory range. The memory range refers to the specific physical memory addresses in the computer that a
device has reserved for its general use. A device's memory range must be unique to that specific
device.

Note: The value of each of these settings for a particular device can be viewed in Device
Manager by clicking the Resources tab of the device's Properties window.
Plug and Play

Although some devices still require manual configuration of hardware settings, most computers and
computer devices use Plug and Play technology for device settings. With Plug and Play, new hardware is
discovered by the computer after it is installed. The computer, together with the computer's operating
system, automatically assigns and tracks the resources necessary for the device to function, avoiding
conflict with other devices already installed in the computer. This functionality eliminates manual device
configuration and avoids the unintended settings conflicts associated with manual configuration.

Windows Server fully supports Plug and Play devices and drivers. To support Plug and Play, a device must
meet the following requirements:

Be uniquely identified.

State the services it provides and the resources it requires.

Identify the driver that supports it.

Allow software to configure it.

Note: Plug and Play technology has existed for many years. Most current devices support
Plug and Play; very few devices still require resource settings to be configured manually.

What Is a Device Driver?


A driver is software that enables your computer to communicate with hardware or devices. Without
drivers, the hardware that you connect to your computer (for example, a video card or a webcam) will
not work correctly. The device driver exposes the capabilities of the device to the operating system so
that it can be effectively managed. A device driver is typically specific to an operating system.

Windows Server 2012 provides driver support for most common devices. The drivers for these devices
come preinstalled and will automatically install when the device is connected to the computer. If a
driver cannot be found among the Windows Server 2012 native drivers, Windows Update can be used to
search for new or updated drivers. Device drivers can also be obtained from the installation media that
was included with the device or from the device manufacturer's website.
Driver Staging

Additionally, device drivers can be installed into Windows Server 2012 and staged for future use. When
a driver is staged, the driver files are stored within Windows and treated as part of the original set of
drivers native to the operating system. This lets devices that use the driver be recognized immediately
and have their driver installed automatically, without user intervention such as specifying a driver
location or checking a manufacturer's website.

Note: Device drivers are built for a specific processor architecture type. 64-bit device
drivers will work only on a 64-bit operating system and 32-bit device drivers will work only on a
32-bit operating system. Because Windows Server 2012 supports 64-bit architectures only, 32-bit
drivers will not work for devices that are installed on a Windows Server 2012 computer.

Driver Signing
A signed driver is a device driver that includes a digital signature provided by a trusted third-party
source. This digital signature acts as an electronic security mark that identifies the publisher of the
software and confirms that the contents of the driver package are the original contents and unchanged.
If a driver is signed by a publisher, you can be confident that the driver comes from that publisher and
has not been altered.
The benefits of using signed drivers include the following:

Improved security

Reduced support costs

Better user experience

When a device is installed and the device driver specified is digitally signed, Windows will install the driver
without requiring user intervention and start the driver after installation. All device drivers that come
preinstalled with Windows are digitally signed.
If you install a Plug and Play device into your computer, Windows Server 2012 will alert you with one of
the following messages if a driver is not signed, if it was signed by a publisher that has not verified its
identity with a certification authority, or if the driver was altered since it was released:

Windows cannot verify the publisher of this driver. This driver either does not have a digital
signature, or it is signed with a digital signature that was not verified by a trusted certification
authority. You should only install this driver if you obtained it from a reliable source.

This driver has been altered. This driver was altered after it was digitally signed by a verified
publisher. The package might have been altered to include malicious software that could harm your
computer or steal information. In rare cases, legitimate publishers do alter driver packages after they
are digitally signed. You should only install an altered driver if you obtained it from a reliable source.

Windows cannot install this driver. A driver that does not have a valid digital signature, or that was
altered after it was signed, cannot be installed on 64-bit versions of Windows.

Note: When staging drivers into the Windows Server 2012 and Windows Server 2008 R2
driver store, all staged drivers must be digitally signed. After a device driver package is in the
driver store, a standard user on the computer can install its device without needing elevated user
permissions.
Windows Server 2012 will not load unsigned drivers.

If you have to disable the driver signature enforcement requirement, you can do so as outlined in the
following list. However, you should be aware that loading and using unsigned drivers might leave the
computer unable to start or to access devices.

1. Restart the computer and press F8.

2. Select Advanced Boot Options.

3. Select Disable Driver Signature Enforcement.

4. Start Windows and uninstall the unsigned driver.

You can add, remove, and enumerate drivers in the driver store by using the PNPUtil.exe utility from
the command line, run as administrator. To list the third-party drivers in the driver store, run the following
command:

Pnputil -e

Generally, before you deploy Windows Server 2012, you should make sure that the hardware that you are
installing on is certified for use with Windows Server 2012 by the manufacturer. It is an all too common
scenario where administrators realize that particular hardware is not supported and there are no drivers
available, or that particular functionality that is required is not available because of lack of support. This
results in increased cost and management overhead. The Windows Server Catalog helps you verify that
specific hardware, or even software, is certified for use with Windows Server 2012.

More information about the Windows Server Catalog can be found at the following
webpage:
http://www.windowsservercatalog.com
Note: When you manage Windows Server 2012 device drivers remotely by using either Server
Manager or RSAT for Windows 8, be aware that remote access to Plug and Play devices was disabled in
Windows 8 and Windows Server 2012. This means that remotely managing hardware drivers through the
Device Manager GUI management tool is not possible.
Remote hardware device driver management has to be done by using Windows Management
Instrumentation (WMI) commands or by using Windows PowerShell and the Get-WmiObject cmdlet. You
can enumerate and obtain some hardware information by using Windows PowerShell remotely.
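Both points above, the signing checks that Windows applies and the WMI route for remote driver management, can be combined in one script. The following is an added example, not code from the courseware; it assumes administrator rights and, for a remote server, DCOM/WMI access plus the administrative share (C$) for reading driver files (the function names are the example's own):

```powershell
# Added example (not part of the courseware): report driver signing status through
# WMI, locally or against a remote Windows Server 2012 computer where Device Manager
# cannot be used, and verify the Authenticode signature of each loaded driver file.

# One row per installed device driver, with the signer recorded when it was installed.
function Get-DriverSignatureReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -Class Win32_PnPSignedDriver -ComputerName $ComputerName |
        Where-Object { $_.InfName } |
        ForEach-Object {
            [pscustomobject]@{
                Device   = $_.DeviceName
                Inf      = $_.InfName
                Provider = $_.DriverProviderName
                Version  = $_.DriverVersion
                Signer   = $_.Signer
                IsSigned = [bool]$_.IsSigned
            }
        }
}

# Authenticode check of the driver files that are currently loaded. HashMismatch means
# the file changed after it was signed (the "This driver has been altered" case above).
# NotSigned on a third-party file is worth investigating; in-box drivers that are signed
# only through a catalog file also report NotSigned here, because Get-AuthenticodeSignature
# in Windows PowerShell 3.0 does not consult catalog files.
function Test-LoadedDriverFiles {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $winDir = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName).WindowsDirectory
    $remote = $ComputerName -ne $env:COMPUTERNAME

    Get-WmiObject -Class Win32_SystemDriver -ComputerName $ComputerName -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName comes in several forms: C:\Windows\system32\drivers\x.sys,
            # \SystemRoot\System32\drivers\x.sys, or \??\C:\...\x.sys
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $winDir
            if ($remote) { $path = "\\$ComputerName\" + ($path -replace '^([A-Za-z]):', '${1}$$') }

            if (Test-Path -LiteralPath $path) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            } else {
                $status = 'FileNotFound'
                $signer = ''
            }
            [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = $status; Signer = $signer }
        } | Where-Object { $_.Status -ne 'Valid' }
}

# Sample runs: drivers installed without a signature, then loaded files that do not verify.
Get-DriverSignatureReport | Where-Object { -not $_.IsSigned } | Format-Table -AutoSize
Test-LoadedDriverFiles | Format-Table -AutoSize
```

Pass -ComputerName LON-SVR4 (or another server name) to either function to run the same checks remotely over WMI.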

Demonstration: How to Update a Device Driver


In this demonstration, you will see how to update a device driver by using Device Manager.

Demonstration Steps

1. Open Device Manager.

2. Update a device driver.

Demonstration: How to Roll Back a Driver


In this demonstration, you will see how to roll back a device driver by using Device Manager.

Demonstration Steps

1. Open Device Manager.

2. Roll back a device driver.


Lab: Installing and Configuring Windows Server 2012


Scenario

The first task in your new job as junior server administrator is to perform the initial installation and
configuration of a new server for the Research and Development (R&D) department. In this instance, the
company decided that a local media-based installation should be performed. After the installation is
complete, you will configure the server's post-installation settings as per the supplied documentation.
Additionally, the startup settings for some services must be configured, and a new device driver must be
tested for correct functionality.
Supporting Documentation
Subject: New Server Installation
From: Jim Hance [Jim@adatum.com]
Sent: May 1
To: Jeff@adatum.com
Jeff,
Please use the following information to install the new server for R&D.
Installation options
Language: English
Time and currency format: English (United States)
Keyboard or input method: English (United States)
Product: Windows Server 2012 Datacenter (Server with a GUI)
Administrator password: Pa$$w0rd

Post-installation configuration options


Time zone: (UTC) Dublin, Edinburgh, Lisbon, London
IP address: 172.16.0.30
Subnet mask: 255.255.0.0
Gateway: 172.16.0.1
DNS Servers: 172.16.0.10
Enable automatic Windows Update
Server name: LON-SVR4
Domain name: Adatum.com (use the ADATUM\Administrator account that has a password of Pa$$w0rd
when you are prompted for credentials)
Please let Lisa from the Sr. Server Admin team know when you are finished. She'll finish the
configuration and get the server to R&D.
Thanks,
Jim

Objectives
After completing this lab, students will be able to:

Perform a local media-based installation.

Configure Windows Server.

Convert to Server Core.

Configure services.

Configure devices.

Lab Setup
Estimated Time: 70 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR4
User Name : ADATUM\Administrator
Password : Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.

2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: ADATUM

Exercise 1: Performing a Local Media-Based Installation


Scenario
You have to install the new server.
The main tasks for this exercise are as follows:
1. Read the server installation instructions

2. Install Windows Server 2012

Task 1: Read the server installation instructions


1. Read the contents of the email message in the lab scenario.

2. Specifically, notice the installation options.

Task 2: Install Windows Server 2012


1. Attach the Windows Server 2012 Installation DVD to LON-SVR4 by using these steps:

   a. Switch to Hyper-V Manager, right-click 10967A-LON-SVR4, and then click Settings.

   b. In the Settings for 10967A-LON-SVR4 dialog box, click DVD Drive in the Hardware pane.

   c. In the DVD Drive pane, select Image file, and then click Browse.

   d. Browse to C:\Program Files\Microsoft Learning\10967\Drives, click WindowsServer2012_Eval.iso,
      and then click Open.

   e. In the Settings for 10967A-LON-SVR4 dialog box, click OK.

2. Start and connect to the 10967A-LON-SVR4 virtual machine.

3. Install the operating system by using the Installation Options section provided in the email message
   from Jim Hance.

Note: Setup will continue by copying and expanding files, installing features and updates, and
then finishing the installation. This phase takes about 20 minutes. Your instructor might continue with
other activities during this phase.

Results: After this exercise, you should have installed a new Windows Server 2012 server.

Exercise 2: Configuring Windows Server


Scenario
You are asked to perform post-installation configuration on the recently installed server for the R&D
department. Jim Hance has provided some installation requirements.
The main tasks for this exercise are as follows:
1. Read the server post-installation configuration instructions

2. Configure post-installation settings

Task 1: Read the server post-installation configuration instructions


1. Read the contents of the email message in the lab scenario.

2. Specifically, notice the post-installation configuration options.

Task 2: Configure post-installation settings


1. If it is necessary, switch to the 10967A-LON-SVR4 virtual machine.

2. Refer to the email message and the post-installation configuration options to:

   a. Configure time zone settings.

   b. Configure networking settings.

   c. Configure automatic updating.

   d. Configure the computer name and domain settings.

Results: After this exercise, you should have configured post-installation settings by using Server
Manager.
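The same post-installation settings from Jim Hance's email can be applied with Windows PowerShell instead of Server Manager, which is also how they would be scripted for an unattended build. The following is an added example, not code from the courseware; it assumes an elevated session on the new server, that the network adapter is named "Ethernet", and that the domain credential is typed in when prompted rather than written into the script (the function name is the example's own):

```powershell
# Added example (not part of the courseware): post-installation configuration for
# LON-SVR4 from the values in the lab's email message, applied with Windows PowerShell.
function Set-PostInstallConfiguration {
    param(
        [string]$InterfaceAlias = 'Ethernet',
        [string]$TimeZoneId     = 'GMT Standard Time',   # "(UTC) Dublin, Edinburgh, Lisbon, London"
        [string]$IPAddress      = '172.16.0.30',
        [int]$PrefixLength      = 16,                    # subnet mask 255.255.0.0
        [string]$Gateway        = '172.16.0.1',
        [string[]]$DnsServers   = @('172.16.0.10'),
        [string]$NewName        = 'LON-SVR4',
        [string]$DomainName     = 'Adatum.com',
        [string]$DomainUser     = 'ADATUM\Administrator'
    )

    # Time zone: tzutil /l lists the valid identifiers.
    tzutil.exe /s $TimeZoneId

    # Networking: switch the adapter from DHCP to the static settings. The existing IPv4
    # address and default route are removed first so that New-NetIPAddress does not fail.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

    # Automatic Windows Update: NotificationLevel 4 = download and install on a schedule.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $au.Settings.NotificationLevel = 4
    $au.Settings.Save()

    # Computer name and domain: Add-Computer renames and joins in one step, and the
    # restart completes both. Prompting keeps the domain password out of the script.
    $cred = Get-Credential -UserName $DomainUser -Message "Credential for joining $DomainName"
    Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Restart
}

Set-PostInstallConfiguration
```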

Exercise 3: Convert to Server Core


Scenario

Now that you have configured your Windows Server 2012 installation, you want to remove the GUI
components. This will save disk space and improve performance. However, after you remove the GUI, you
realize the Devices and Printers interface is not available. This might be needed when you configure the
Print Spooler in the next exercise. Therefore, you decide to reinstall the GUI by using Windows PowerShell.
The main tasks for this exercise are as follows:
1. Remove GUI from Windows Server 2012 installation

2. Install GUI administrative components in Windows Server 2012 Server Core

Task 1: Remove GUI from Windows Server 2012 installation


1. If it is necessary, switch to 10967A-LON-SVR4.

2. Use Server Manager to remove the Server Graphical Shell and Graphical Management Tools and
   Infrastructure features.


Task 2: Install GUI administrative components in Windows Server 2012 Server Core
1. Continue to work on 10967A-LON-SVR4.

2. Using the Windows PowerShell Get-WindowsFeature cmdlet, determine the Name of the Graphical
   Management Tools and Infrastructure component to install.

3. Use the Install-WindowsFeature Windows PowerShell cmdlet to reinstall the GUI administrative
   management components, Server-Gui-Mgmt-Infra.

4. When the installation is complete, restart the computer by using the Windows PowerShell command
   Restart-Computer.

5. Verify that the command prompt and Server Manager both display. Components such as File
   Explorer are still not available.

Results: After this exercise, you should have converted from a Full installation to a Minimal Interface
installation.

Exercise 4: Configuring Services


Scenario

The new server for the R&D department is installed and configured. Additional changes have to be made
to some services to prepare the server for its new role.
In order to prevent printers from being installed and used on the server, the Print Spooler service has to
be stopped and set to Disabled to prevent it from starting when the server is restarted.
There is only one task for this exercise.

Task 1: Configure Print Spooler service settings


1. If it is necessary, switch to the 10967A-LON-SVR4 virtual machine and log in with the user name
   ADATUM\Administrator and password Pa$$w0rd.

2. Use Server Manager to access the Services console.

3. Configure the Print Spooler service startup option to Disabled.

4. Stop the Print Spooler service.

Results: After this exercise, you should have used Server Manager to change service startup options.
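The Service Startup topic in Lesson 3 and this exercise both come down to inspecting and changing a service's startup type, stop state and recovery options. The following is an added example, not code from the courseware; it assumes an elevated session on the server and uses the Print Spooler service from this exercise as its target (the function names are the example's own; sc.exe is used for the recovery setting because Set-Service in Windows PowerShell 3.0 cannot change it):

```powershell
# Added example (not part of the courseware): audit service startup settings and
# change them from Windows PowerShell.

# Every service set to start automatically, with the account it runs as. Automatic
# services running as LocalSystem that no installed role or feature needs are the
# candidates the best-practice note in Lesson 3 says to disable.
function Get-AutoStartServiceReport {
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'" |
        Sort-Object -Property StartName, Name |
        Select-Object -Property Name, DisplayName, State, StartName, PathName
}

# Change the startup type of one service and optionally stop it. Refuses to stop a
# service that other running services depend on unless -Force is given, because
# Stop-Service -Force would stop those dependents as well.
function Set-ServiceStartup {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Automatic', 'Manual', 'Disabled')][string]$StartupType,
        [switch]$Stop,
        [switch]$Force
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    Set-Service -Name $Name -StartupType $StartupType

    if ($Stop -and $svc.Status -ne 'Stopped') {
        $running = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
        if ($running.Count -gt 0 -and -not $Force) {
            $names = ($running | ForEach-Object { $_.Name }) -join ', '
            throw "Not stopping '$Name': running dependents $names. Use -Force to stop them too."
        }
        Stop-Service -Name $Name -Force:$Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    # Read the result back through WMI, which exposes the startup type and account.
    Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" |
        Select-Object -Property Name, State, StartMode, StartName
}

# Recovery option "first failure: restart the service after a delay". The reset= value
# (seconds) is how long the service must run before its failure count returns to zero;
# later failures keep the default action, which is to take no action.
function Set-ServiceRestartOnFirstFailure {
    param([Parameter(Mandatory = $true)][string]$Name, [int]$DelaySeconds = 60)
    $action = "restart/$($DelaySeconds * 1000)"
    sc.exe failure $Name reset= 86400 actions= $action | Out-Null
    sc.exe qfailure $Name
}

# Sample run: audit, then apply the exercise's change to the Print Spooler.
Get-AutoStartServiceReport | Format-Table -AutoSize
Set-ServiceStartup -Name Spooler -StartupType Disabled -Stop
```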

Exercise 5: Configuring Devices


Scenario

A new device driver for the keyboard attached to the R&D server has to be tested for correct functionality
before it is configured for permanent use. The current standard PS/2 keyboard will be replaced by a
PC/AT Enhanced PS/2 Keyboard. You are asked to make sure that the new PC/AT Enhanced PS/2
Keyboard driver will update correctly. After correct operation is confirmed, you are asked to roll back the
driver to the earlier version.
The main tasks for this exercise are as follows:
1. Update the standard PS/2 keyboard driver

2. Roll back the driver to its earlier version

3. Revert the lab machines

Task 1: Update the standard PS/2 keyboard driver


1. If it is necessary, switch to the 10967A-LON-SVR4 virtual machine.

2. Open Device Manager from the Computer Management console, and expand Keyboards.

3. Update the Standard PS/2 Keyboard driver to the new PC/AT Enhanced PS/2 Keyboard driver.

4. Restart the computer when you are prompted.

Task 2: Roll back the driver to its earlier version


1. Log on to the 10967A-LON-SVR4 virtual machine as ADATUM\Administrator with a password of
   Pa$$w0rd.

2. Open Device Manager from the Computer Management console, and expand Keyboards.

3. Roll back the driver to the Standard PS/2 Keyboard driver.

4. Restart when you are prompted, and then log on as ADATUM\Administrator with the password of
   Pa$$w0rd.

5. Verify that you have successfully rolled back the keyboard driver.

Task 3: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 10967A-LON-SVR4.

Results: After this exercise, you should have performed update and rollback operations on a device driver.
Question: How could the steps in this lab be performed remotely without the need for user
intervention?
Question: When would rolling back a driver not be an effective solution to driver-related
problems?

Module Review and Takeaways


Review Question(s)
Question: Why is it potentially more difficult to perform post-installation tasks on a Server
Core installation of Windows Server instead of a Server with a GUI?
Question: If you have to troubleshoot system instability, what tool should you use to disable
a specific set of services from running at startup?
Question: If a newly installed video adapter device driver is preventing Windows from
starting correctly, what tools would you use first to return the system to an operable state?
Question: What factors should be considered when staging drivers in the Windows driver
store?

Tools

Tool                          Use for                                                      Where to find it
Sconfig                       Menu-based administration of Server Core installations.
Windows Deployment Services   Windows Deployment Services for automated deployment of      Server role
                              Windows operating systems.
Registry editor               Editing settings in the Windows registry.                    From the Run prompt: regedit.exe
MSConfig                      Editing Windows Server settings and troubleshooting          Server Manager, System Configuration
                              startup issues.
Device Manager                Managing server devices and settings.                        Server Manager, Computer Management,
                                                                                           Device Manager

Module 2
Implementing Storage in Windows Server

Contents:
Module Overview 2-1
Lesson 1: Identifying Storage Technologies 2-2
Lesson 2: Managing Disks and Volumes 2-10
Lesson 3: Fault Tolerance 2-22
Lab: Implementing Storage in Windows Server 2-29
Module Review and Takeaways 2-34

Module Overview

One of the key components when you plan and deploy Windows Server is storage. Most organizations
require lots of storage because users and applications are constantly working with and creating data. This
data is frequently stored in a central location.
For example, every email message sent or received uses storage. Every time that a user visits a website, a
log is written and storage is consumed. Every time that a user logs on to a server, an audit trail is created
in an event log and storage is used. When files are created, copied, or moved, storage is used.

This module will introduce you to different storage technologies, cover how to implement Windows
Server storage solutions, and cover how to develop a flexible and responsive storage strategy. Developing
a good storage strategy helps avoid unplanned downtime and loss of data. There can also be significant
up-front capital costs and later administrative management costs that you should consider before you
decide what storage option to select.

Objectives
After completing this module, you will be able to:

Identify a suitable storage technology.

Manage storage within Windows Server.

Implement disk fault tolerance.

Lesson 1

Identifying Storage Technologies

Any server deployment will require storage. There are various kinds of storage, from locally attached to
remotely accessed. Remotely accessed storage can be connected in many ways. This includes Ethernet and
fiber-optic cabling. Each storage option has advantages and disadvantages.
As you prepare to deploy storage for the server infrastructure, you will have to make some important
decisions.

How fast should information be written or read from storage?

How much storage will be needed?

How important is it that the storage always be available?

How easy will it be to expand the storage and meet future requirements?

How will you restore data if it is corrupted or lost?

Lesson Objectives
After completing this lesson you will be able to:

Describe direct-attached storage (DAS).

Describe network-attached storage (NAS).

Describe storage area networks (SANs).

Describe Fibre Channel SANs.

Describe Internet Small Computer System Interface (iSCSI) SANs.

What Is Direct-Attached Storage?


Most servers provide built-in storage. This storage
is usually dedicated for use by and directly
attached to the server. This kind of storage is
known as direct-attached storage (DAS). DAS can
be disks that are physically located inside the
server, such as hard disk drives (HDDs) inside a
stand-alone server tower, or external disks that
have cabling connecting them to the server.
External DAS housing units can contain multiple
numbers of HDDs connected directly to a
computer through a host bus adapter (HBA).

What differentiates the various kinds of DAS is the bus technology used in the implementation, each
having different performance characteristics and, of course, different costs. The kinds of DAS are typically
differentiated and named by referring to that bus technology.
The following sections describe some of the more typical DAS implementations.
Enhanced Integrated Drive Electronics


Integrated drive electronics (IDE) is a kind of disk-drive interface in which the controller electronics reside
on the drive itself. This eliminates the need for a separate adapter card. Drives are usually connected by
using a 40-wire or 80-wire cable and only two devices can be chained together at one time. Enhanced
integrated drive electronics (EIDE) improves IDE through faster transfer rates and allows for multiple
channels, each connecting two devices. EIDE is limited to 128 gigabytes (GB) of storage and 133 megabits
per second (Mbps) data rates. EIDE drives are based on standards developed in 1986 and are almost never
used in servers today.
Serial Advanced Technology Attachment

Serial Advanced Technology Attachment (SATA) is a computer bus technology for connecting the
motherboard or device adapters to mass storage devices such as HDDs and optical drives. SATA was
developed to replace EIDE and uses the same low-level EIDE commands. However, SATA host adapters
and devices communicate through a high-speed serial cable over two pairs of conductors.
SATA was introduced in 2003 and has had several revisions to improve performance, as detailed in the
following table.
Revision                Speed

SATA 1.0 (1.5 Gbps)     150 megabytes per second (MBps)

SATA 2.0 (3 Gbps)       300 MBps

SATA 3.0 (6 Gbps)       600 MBps

Organizations select SATA drives when they require large amounts of storage, but not high speed
performance. SATA drives are typically less expensive than other drive options and are a common bus
interface that is used in internal hard disks. External SATA (eSATA) is a variation on SATA, designed to
enable high speed access to externally attached SATA drives.
Small Computer System Interface

Small computer system interface (SCSI) is a set of standards for physically connecting and transferring data between computers and peripheral devices. SCSI was originally introduced in 1978 and became an ANSI standard in 1986. SCSI was developed to take less processing power from the host and to perform transactions at increased speeds. SCSI is available in many interfaces; connector types can have 25, 50, or 68 pins. Over the years, several revisions have been made and SCSI performance has improved. SCSI might also be known by different names. For example, Ultra 640 SCSI, also known as Ultra 5, was introduced in 2003 and can transfer data at speeds up to 640 MBps by using a bus width of 16 bits. SCSI disks can provide better performance than older SATA disks but are also more expensive.
Serial Attached SCSI

Serial-attached SCSI (SAS) is a further improvement on the SCSI standard. SAS uses a point-to-point serial protocol that replaces the parallel SCSI bus. It carries the standard SCSI command set, and SAS controllers and backplanes also accept SATA drives: a SATA drive can be attached to a SAS controller, but a SAS drive cannot be attached to a SATA controller.
Solid State Drives

Solid-state drives (SSDs) are data storage devices that use solid-state memory to store data instead of
using the spinning disks and movable read/write heads that are used in other disks. SSDs use microchips
to store the data and contain no moving parts. Therefore, they are less susceptible to failure from being
dropped. SSDs provide very fast disk access that uses less power. However, they are also more expensive
than other DAS storage options. SSDs typically use the SATA interface. Therefore, you can replace SATA
hard disk drives with SSDs without any modification.

Implementing Storage in Windows Server

Note: Another kind of DAS is universal serial bus (USB)-attached storage.


Advantages of DAS


DAS is connected directly to the server. This makes it easy to deploy and maintain.

Typically the least expensive storage available today.

Available with various bus technologies in various speeds and sizes so that you can customize cost for
your particular requirement.

Usually a Plug and Play device that can easily be recognized by the server.

Disadvantages of DAS

Local server storage is not centralized for users to access.

Can be more difficult to automate backup and restore strategies across many servers.

If server power is disrupted, the storage will also be disrupted.

Can be slower than other storage technologies.

Shares processing power and memory with the server. This means that disk performance might be
slower on a busy server.

Reliant on software to control the transfer of data. This can mean increased latency.

Note: The high-speed transfer rates quoted for individual bus technologies may or may not be achievable in your existing environment. The bus technologies provide for these theoretical transfer rates; however, each component in the path must also support them and not become a limiting factor or bottleneck. For example, disk read and write times, disk controller speeds, and motherboard limitations may not support these speeds, or even the bus technology itself. Before you try to implement a particular bus technology in the server environment and expect a corresponding transfer rate, you should understand all the components involved in reaching that rate.

What Is Network-Attached Storage?


Network-attached storage (NAS) is storage that is attached to a dedicated storage device and then accessed over the network. NAS differs from DAS in that the storage is not directly attached to each server; instead, many servers and clients access it over the network. Each NAS device runs a dedicated operating system that completely controls data access on the device, which removes the overhead of sharing the storage device with other server services. An example of NAS software is Windows Storage Server.

To enable NAS storage, you must have a storage device. Frequently, these devices are appliances with no local console interfaces such as keyboards, mouse devices, and monitors. Instead, you configure the device over the network, typically through a web or remote management interface. Configuring the device includes creating network shares on it. Users then access the shares over the network by using the device name and share name (a UNC path of the form \\server\share), with the file-sharing protocol (SMB or NFS) enforcing the share and file permissions you configured.


Advantages of NAS

A good mid-priced solution for mid-sized businesses.

Provides performance and productivity gains over DAS because the NAS device is dedicated
completely to the distribution of files.

Simple and cost-effective way to achieve fast data access for multiple clients at the file level.

NAS storage capacity is usually much larger than DAS storage capacity.

Offers a single location for all files.

Provides a Plug and Play solution that is easy to install, deploy, and manage, with or without
information technology staff.

In summary, NAS offers centralized storage at an affordable price.

Disadvantages of NAS


NAS is not an enterprise storage solution. This means less reliability, more possibility of data loss, and
slower performance than the enterprise storage solutions discussed in the next topic.

Reliant on software to control the transfer of data. This can mean increased latency.

NAS has traditionally not been supported for data-intensive applications such as Microsoft Exchange Server. Exceptions exist (for example, SQL Server 2012 and later can store database files on SMB 3.0 file shares), but only where the application vendor explicitly supports the NAS protocol and version in use.

More information about Windows Storage Server can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=199647

What Is a Storage Area Network?


A storage area network (SAN) is a specialized high-speed network that connects computer systems, or host servers, to high-performance storage subsystems. A SAN usually includes various components such as HBAs, switches to route traffic, and storage disk arrays with logical unit numbers (LUNs). A LUN is a logical reference to a part of a storage subsystem. For example, in a disk storage subsystem, a LUN can consist of a disk, a section of a disk, a whole disk array, or a section of a disk array in the subsystem.

A SAN enables multiple servers to access a pool of storage in which any server can potentially access any storage unit. The SAN is itself a network, separate from the LAN that carries client traffic (a Fibre Channel fabric, or a dedicated IP network in the case of iSCSI), so you can use it to connect many devices and hosts and give any host access to any storage device. Because any host on the fabric can potentially reach any LUN, access must be restricted deliberately, through switch zoning and LUN masking on the array, so that each server sees only the LUNs assigned to it.
Unlike DAS or NAS, a SAN is controlled by a hardware device and does not rely on software to provide
access to storage.
Advantages of SAN

Block-level read and write access. SAN technologies provide faster data access by reading and writing at the block level. For example, a NAS client must go through the file server and its file-sharing protocol for every read or write of an 8-GB file; a server attached to a SAN addresses the disk blocks directly, in the block size the SAN is configured for, as if the LUN were a local disk.

Centralization of storage into a single pool. This enables storage resources and server resources to
grow independently. It also enables storage to be dynamically assigned from the pool when it is
required. Server storage can be increased or decreased without complex configuration or cabling of
devices.

Common infrastructure for attaching storage. This enables a single common management model for
configuration and deployment of storage.

Storage devices that are shared by multiple systems.

Data transfer directly from device to device without server intervention.

Data access through hardware instead of software.

Can be implemented by using many technologies. The most common options are Fibre Channel and
iSCSI. These technologies are described in the next topics.

A high level of redundancy. Most SANs are deployed with multiple network devices and paths
through the network. Also, each storage device contains redundant components such as power
supplies and hard disks.

Disadvantages of SAN

The main drawback to SAN technology is that it frequently requires management tools and special
knowledge. This is because of the complexity of the configuration.

In order to manage a SAN, not only do you have to understand the command-line utilities, but you
also have to understand the underlying technology. For example, the LUN setup, the Fibre Channel
back-end, and the block sizing.

SANs can be expensive. An entry-level SAN can frequently cost as much as a fully loaded server that has DAS, or even as much as a NAS device. SAN disks and configuration services are usually not included in the price.

Each storage vendor frequently implements SANs with different tools and features. Because of this,
organizations frequently require dedicated personnel to manage the SAN deployment.

What Is a Fibre Channel SAN?


Fibre Channel is a high-speed transport technology that is used primarily with SANs. It can carry several different upper-layer protocols, such as IP and SCSI, which lets it merge the highest-performing bus protocols into a single high-speed technology. Some people incorrectly interpret the name to mean that Fibre Channel is a fiber-optic technology. However, it can be used on either copper or fiber-optic cabling. With copper cabling, it can operate over distances up to approximately 30 meters. With fiber-optic cabling, depending on the light wavelengths used, it can function over distances of 10 kilometers (km).


Fibre Channel is commonly deployed at 1, 2, 4, 8, or 16 gigabits per second (Gbps) and can operate in point-to-point topologies, over switched fabrics, or in arbitrated loops. Fibre Channel SAN components include the following:

Interface cards. Specialized interface cards that connect the servers to the SAN. These devices,
known as Host Bus Adapters (HBAs), enable the server to communicate with the storage device across
the SAN.

Note: iSCSI SANs can also use HBAs. Each kind of HBA is specific to the technology that is
used to access the storage device.

Specialized network switches. These switches forward the Fibre Channel frames that carry SCSI commands between HBAs and storage ports, and they enforce zoning, which defines which HBA may communicate with which storage port.

Dedicated cabling. All connections between the servers and the storage device use cables, either twisted-pair copper or fiber-optic. Alternatively, Fibre Channel over Ethernet (FCoE) carries Fibre Channel frames over 10 Gbps Ethernet that supports Data Center Bridging (lossless Ethernet), so storage traffic can share converged network adapters and switches with ordinary LAN traffic.

Storage device(s). SANs require one or more dedicated storage devices. Frequently, these devices contain hundreds of disks and store multiple terabytes of data.

LUNs. In most cases, servers are given access to only a small part of the storage available on the
storage device. To implement this storage solution, the storage available is divided into smaller pieces
and then exposed to the servers through a LUN. On the server, each LUN is displayed as an attached
drive.

Multipath I/O

SANs are typically implemented because of a high-availability requirement. In most cases, you will deploy
multiple HBAs on each server that is connected to a SAN, and connect the HBAs to two separate Fibre
Channel networks. This means that the storage will still be available if there is a failure of one of the
networks.
To simplify this for storage vendors, Microsoft provides a generic storage driver framework that uses multipath I/O (MPIO). MPIO provides the following:

Dynamic configuration and replacement of devices. In order to support multiple paths to the
same storage device, the operating system must be able to dynamically discover and configure
adapters that are connected to the same storage media.

Generic device specific module. Microsoft supplies a generic device-specific module (DSM) that
interacts with the multipath bus driver on behalf of the storage device.

Dynamic load balancing. The multipath software enables you to distribute input/output (I/O)
transactions across multiple adapters. The DSM is responsible for load-balancing policy for its storage
device.

Fault tolerance. Multipath software can function in a fault-tolerant mode in which only a single
channel is active.
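As an added example, not taken from the courseware, the following PowerShell enables MPIO on Windows Server 2012, claims the array's LUNs for the Microsoft DSM, sets the load-balancing policy, and verifies that each LUN has more than one path. The vendor and product identifiers are placeholders for whatever Get-MPIOAvailableHW reports for your array.

```powershell
# Added example: enable MPIO and claim multipath SAN devices (Windows Server 2012).
# Vendor/product strings are placeholders; a reboot is required after installing the feature.
Install-WindowsFeature -Name Multipath-IO -IncludeManagementTools

# Devices that report multiple paths but are not yet claimed by the Microsoft DSM.
Get-MPIOAvailableHW

# Claim by SCSI inquiry strings: 8-character vendor ID and 16-character product ID,
# space padded exactly as Get-MPIOAvailableHW shows them ('VENDOR  ' / 'LUN             ' are placeholders).
New-MSDSMSupportedHW -VendorId 'VENDOR  ' -ProductId 'LUN             '

# For iSCSI- or SAS-attached storage the claim can be automatic instead.
Enable-MSDSMAutomaticClaim -BusType iSCSI

# Load-balancing policy: RR (round robin) spreads I/O over all active paths;
# FOO (fail-over only) keeps a single active path, which is the fault-tolerant mode described above.
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR

# Path verification every 30 s and a 20 s grace period before a lost path's device object
# is removed, so a failed fabric is detected promptly without flapping on a brief glitch.
Set-MPIOSetting -NewPathVerificationState Enabled -NewPathVerificationPeriod 30 -NewPDORemovePeriod 20

# Check: what the DSM has claimed, and per-disk path counts (each LUN should show two or more paths).
Get-MSDSMSupportedHW
mpclaim -s -d
```

Run the claim step before presenting LUNs to the host, or rescan afterwards; a LUN that was enumerated over two HBAs before MPIO claimed it shows up as two separate disks in Disk Management, and writing to both is a fast way to corrupt the volume.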

There are other implementations of Fibre Channel, such as the following:

Fibre Channel over Ethernet (FCoE). Instead of a dedicated Fibre Channel network, FCoE encapsulates Fibre Channel frames in Ethernet frames and runs the Fibre Channel storage system over a 10 Gbps (or faster) Ethernet network that supports Data Center Bridging, which provides the lossless delivery that Fibre Channel expects.


Fibre Channel over IP (FCIP). Uses an IP tunneling technology to enable geographically dispersed
Fibre Channel storage systems to communicate over IP networks.

Internet Fibre Channel Protocol (iFCP). Uses IP to control the routing and switching requirements
over the Internet to enable geographically dispersed Fibre Channel storage systems to communicate
over the Internet.

The Fibre Channel Industry Association (FCIA) defines and provides future direction for Fibre
Channel technology. More information about FCIA can be found at the following website.
http://www.fibrechannel.org/

What is an iSCSI SAN?


A second option for implementing SANs is to use iSCSI. iSCSI transmits SCSI commands over IP instead of Fibre Channel. It carries standard SCSI commands over IP networks to enable data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over LANs, wide area networks (WANs), or even over the Internet.

iSCSI relies on standard Ethernet networking and requires no specialized hardware such as HBAs or Fibre Channel switches. iSCSI uses TCP/IP (typically TCP port 3260 for the target; port 860 is also reserved for iSCSI). Basically, iSCSI enables two hosts to negotiate and then exchange SCSI commands by using an existing network. By doing this, iSCSI takes a popular high-performance local storage bus and emulates it over IP networks, creating a SAN. Unlike some SAN protocols, iSCSI requires no dedicated cabling; it can run over existing switches and IP infrastructure. However, the performance of an iSCSI deployment can be severely reduced when a dedicated network or subnet is not used, and the security consequences are worse: iSCSI traffic is not encrypted, and a target that neither restricts initiators nor requires CHAP serves its LUNs to any host that can reach port 3260. Place iSCSI on a dedicated, non-routed network or VLAN, restrict each target to the IQNs of its intended initiators, enable CHAP, and use IPsec if the traffic must cross an untrusted segment. iSCSI is frequently seen as a low-cost alternative to Fibre Channel because it does not require dedicated infrastructure.

Note: Although you can use a standard network connection to connect the server to the
iSCSI storage device, you can also use dedicated HBAs or dedicated network adapters.
An iSCSI SAN deployment requires the following components:

IP network. You can use standard network interface adapters and standard network switches to
connect the servers to the storage device. In order to provide sufficient performance, the network
should provide speeds of at least 1 Gbps and should provide multiple paths through the network.

iSCSI targets. iSCSI targets are located on the storage device and enable access to the storage by presenting, or advertising, it. Many storage vendors implement hardware-level iSCSI targets as part of their storage devices. Other devices or appliances, such as Windows Storage Server devices, implement the iSCSI target in software. Windows Server 2012 includes the iSCSI Target Server role service as part of the operating system.

iSCSI initiators. iSCSI initiators run on the servers that want to connect to the storage device. All
versions of Windows Server since Windows Server 2008 provide the iSCSI initiator as a standard
component and can connect to iSCSI targets.


iSCSI qualified name (IQN). IQNs are globally unique identifiers that are used to address initiators and targets on an iSCSI network. When you configure an iSCSI target, you configure the IQNs of the iSCSI initiators that are allowed to connect to the target, and initiators use the target's IQN to connect to it. An IQN is asserted by the initiator itself and is not secret, so restricting a target by IQN is access control, not authentication; combine it with CHAP so that an initiator must also prove knowledge of a shared secret.
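As an added example, not part of the original courseware, the following PowerShell builds a software iSCSI target on Windows Server 2012 that serves one LUN to a single initiator IQN with one-way CHAP, and then connects from the initiator. The host names, the portal address 10.0.50.10, the paths, and the CHAP account are placeholders.

```powershell
# Added example: iSCSI target restricted to one initiator IQN with CHAP, plus the
# initiator-side connection. Names, addresses and paths are placeholders.

### On the target server (storage side) ###
Install-WindowsFeature -Name FS-iSCSITarget-Server

$targetName  = 'sql01-data'
$vdiskPath   = 'D:\iSCSIVirtualDisks\sql01-data.vhdx'   # .vhd on Windows Server 2012 without R2
$initiatorId = 'IQN:iqn.1991-05.com.microsoft:sql01.contoso.com'   # as reported by Get-InitiatorPort on sql01

New-Item -Path (Split-Path $vdiskPath) -ItemType Directory -Force | Out-Null
New-IscsiVirtualDisk -Path $vdiskPath -SizeBytes 200GB

# Only the listed initiator IQN may log on; any other initiator is refused.
# The IQN is self-asserted by the initiator, so this is a filter, not authentication.
New-IscsiServerTarget -TargetName $targetName -InitiatorIds $initiatorId
Add-IscsiVirtualDiskTargetMapping -TargetName $targetName -Path $vdiskPath

# One-way CHAP: the initiator must prove it knows the secret (12 to 16 characters).
$chap = Get-Credential -Message 'CHAP user name and 12-16 character secret for sql01-data'
Set-IscsiServerTarget -TargetName $targetName -EnableChap $true -Chap $chap

Get-IscsiServerTarget -TargetName $targetName | Format-List TargetName, InitiatorIds, EnableChap, Status

### On the initiator (sql01) ###
$targetName = 'sql01-data'
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# The local IQN that the storage administrator needs for the target's InitiatorIds list.
(Get-InitiatorPort).NodeAddress

New-IscsiTargetPortal -TargetPortalAddress '10.0.50.10'

$chap   = Get-Credential -Message 'CHAP user name and secret configured on the target'
$target = Get-IscsiTarget | Where-Object NodeAddress -like "*$targetName*"

Connect-IscsiTarget -NodeAddress $target.NodeAddress -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP `
    -ChapUsername $chap.UserName `
    -ChapSecret   $chap.GetNetworkCredential().Password

# The LUN appears as a new RAW disk and is initialized like any local disk.
Get-Disk | Where-Object BusType -eq 'iSCSI' | Format-Table Number, FriendlyName, PartitionStyle, Size
```

The check worth doing afterwards is from a third host on the same subnet: an initiator whose IQN is not in the list, or that omits CHAP, must be refused at login; if it is not, the target is exposing the LUN to the whole segment.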

Lesson 2

Managing Disks and Volumes


After you identify your storage technology, the next step is to determine how to manage the storage.
Administering storage includes deciding how disks and volumes will be configured, and what kind of file
system that you will use. Ask yourself the following questions:

Will the disk size be fixed or dynamically adjusted to the data amount?

Will all the disks be allocated the same amount of storage space?

Will the kind of file systems be the same for all disks?

Questions such as these will help determine a storage management strategy.

Lesson Objectives
After completing this lesson, you will be able to:

Describe partition tables.

Describe basic and dynamic disks.

Describe and select file systems.

Describe the different kinds of virtual hard disk (VHD) drives.

Describe mount points and links.

Create and manage volumes.

Describe storage quotas.

Create a quota by using a File Server Resource Manager (FSRM).

What Are Partition Tables?


A partition table, also known as a partition style, is a section of a hard disk that describes how the disk is organized: where each partition begins and ends, and how large it is. When the computer reads from or writes to a disk, the partition table allows the data to be read from and written to the correct locations. Disk partitioning is an important part of disk configuration; any corruption of the table can lead to significant data recovery problems. Its structure follows an industry standard and is independent of the operating system. It also records whether a partition is a system partition, which is used for computer startup.

Note: In Windows terminology, the system partition contains the files that are used to start the computer (the boot loader and its configuration data). The boot partition contains the operating system files themselves (%SystemRoot%); it does not contain the boot loader files.


When you add a new, clean hard disk to your Windows Server 2012 server (whether SATA, SCSI, VHD, or something else), the first task before you can use or manage the disk is to initialize it. After you initialize the disk, you can configure it as you need, creating volumes, partitions, and so on. You can initialize the disk by opening Disk Management, right-clicking the disk that has just been attached, and selecting Initialize Disk.
When the Initialize Disk dialog box appears, you have to make two more decisions.

Which disk should be initialized: Disk 1, 2, 3, and so on? This should be a straightforward decision.

What partition style do you want to use with the disk? There are two kinds: master boot record (MBR)
and GUID partition table (GPT). Which option you select depends on several factors. These factors are
explained in the following sections.

MBR
The MBR partition table format is the general standard partitioning model that has been used in
computers for a long time. The MBR partition table format has the following characteristics:

A disk can have no more than four primary partitions. You can create additional divisions on the disk, but this involves creating an extended partition within which logical drives are then created.

A partition can have no more than 2 terabytes (TB).

If you initialize a disk larger than 2 TB by using MBR, the disks are only able to store volumes up to 2
TB and the rest of the storage will not be used.

The partition table is stored only once, in the first sector of the disk. There is no backup copy, so damage to that one sector makes every partition unreachable until the table is rebuilt.

GPT

The GPT is a newer table format that tries to overcome some limitations of MBR, and to address larger
disks. GPT has the following characteristics:

Windows supports up to 128 partitions per GPT disk.

GPT uses 64-bit logical block addresses, so a partition can in theory reach 8 zettabytes (ZB); Windows supports GPT partitions and disks up to 18 exabytes (EB) with 512-byte logical block addressing (LBA).

GPT stores a protective MBR in the first sector (so older tools do not treat the disk as empty), CRC32 checksums over its header and partition entries, and a backup copy of both at the end of the disk, which Windows uses to detect and repair a corrupted primary table.

To start Windows from a GPT disk, the computer's firmware must be UEFI-based; a computer with legacy BIOS firmware can use GPT disks only as data disks.

You can convert from MBR to GPT table types or vice versa. However, this is only enabled on empty disks.
Converting partition table types will result in the loss of all data on the disk.
There are additional ways to view and specify partition tables outside Disk Manager. These include the
following:

Diskpart. This is a Command Prompt utility used to configure disks. The Command Prompt will take
the focus to let you type additional Diskpart commands.

To view the help associated with the convert command, type the following command.
help convert GPT

Or type the following.


help convert MBR

Type Exit to leave the Diskpart utility.


Windows PowerShell. Windows PowerShell provides dedicated commands to view and configure
partition tables that are part of the Storage module.
Windows PowerShell Cmdlet                        Description of Use

Get-Disk | Format-List                           Displays the properties of all disks installed on the host computer and formats the output into a list. The partition table type appears under the PartitionStyle property.

Initialize-Disk -Number 4 -PartitionStyle MBR    Initializes disk number 4 with an MBR partition table.

Get-Command -Module Storage                      Lists all available cmdlets in the Storage module.

More information about MBR can be found at the following webpage.


http://go.microsoft.com/fwlink/?LinkID=309135
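As an added example, not from the courseware, the following PowerShell brings a newly attached disk online as GPT, creates a single partition, and formats it NTFS, refusing to touch a disk that already carries a partition table. The disk number 4 and the volume label are assumptions.

```powershell
# Added example: initialize a new disk as GPT and format it (Windows Server 2012 Storage module).
# Disk number and label are assumptions.
$disk = Get-Disk -Number 4

# Guard: Initialize-Disk on a disk that already has MBR or GPT fails, and Clear-Disk would
# destroy its data, so refuse anything that is not a RAW (uninitialized) disk.
if ($disk.PartitionStyle -ne 'RAW') {
    throw "Disk $($disk.Number) already has a $($disk.PartitionStyle) partition table; refusing to initialize."
}

# New SAN or hot-plugged disks often arrive offline and read-only (SAN policy).
if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline  $false }
if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

# Sector geometry matters for the allocation unit size chosen later.
$disk | Format-List Number, FriendlyName, BusType, Size, LogicalSectorSize, PhysicalSectorSize

$volume = Initialize-Disk -Number $disk.Number -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

# Verify: partition style on the disk, and file system, size and free space on the new volume.
Get-Disk -Number $disk.Number | Format-List Number, PartitionStyle, Size
$volume | Format-List DriveLetter, FileSystemLabel, FileSystem, Size, SizeRemaining
```

The equivalent in diskpart is select disk 4, convert gpt, create partition primary, format fs=ntfs quick, assign; the PowerShell form is preferable in scripts because the PartitionStyle check can be made explicit before anything destructive runs.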

Basic Disks vs. Dynamic Disks


Basic disks are an older, simpler disk format. Dynamic disks provide additional functionality, such as the ability to create volumes that span multiple disks, support for striping, and the ability to create fault-tolerant (mirrored) volumes. Both basic and dynamic disks can use either MBR or GPT partition table types.

By default, when you initialize a disk in Windows Server 2012, it becomes a basic disk. You can view the disk type in the Disk Management console; if you right-click the disk in question, choose Properties, and then open the Volumes tab, the disk type (dynamic or basic) is shown there as well.

There is no performance gain by converting basic disks to dynamic disk and some applications may not
be able to access data stored on dynamic disks. The main difference between basic and dynamic disks is
really the scalability and ability to configure and manipulate the disk volumes to a greater extent on
dynamic disks.
Basic Disk
Most personal computers use basic disks because they are the simplest and easiest to manage. A basic
disk can have up to four primary partitions, or three primary partitions, one extended partition, and
multiple logical drives.

Primary partition. A kind of partition created on basic disks that can host an operating system and
functions as if it were a physically separate disk. A primary partition has a file system with a drive
letter assigned to it.

Extended partition. A kind of partition where you can create one or more logical drives within the
extended partition. Extended partitions are useful if you want to create more than four volumes on a
basic disk.

Logical drive. A disk that you create in an extended partition. You can create an unlimited number of
logical drives per disk. A logical drive can be formatted and assigned a drive letter.

Basic disks also support disk types such as USB disks or VHD files.
Dynamic Disk


A dynamic disk can contain simple volumes, spanned volumes, striped volumes, mirrored volumes, and
redundant array of independent disks (RAID)5 volumes. It is only possible to create a dynamic disk on
fixed disks. However, you can convert USB disks and dynamically expanding VHDs to dynamic disks.

Dynamic disks use a data repository, the dynamic disk database, to track information about the dynamic volumes on the disk. The database also contains information about the other dynamic disks in the computer, and each dynamic disk holds a replica of it. Therefore, a corrupted database on one dynamic disk can be repaired from the replica on another dynamic disk. The location of the database is determined by the partition style of the disk: on an MBR disk, the database occupies the last 1 megabyte (MB) of the disk; on a GPT disk, it is stored in a 1 MB reserved (hidden) partition.

Note: Some IT professionals use the terms partition and volume interchangeably. However,
it is more correct to refer to partitions on basic disks and volumes on dynamic disks. A volume is a
storage unit made from unallocated space on one or more disks. It can be formatted with a file
system and can be assigned a drive letter or configured by using a mount point.

Simple volumes. A simple volume uses unallocated space from a single disk. It can be a single region
on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the
same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a
spanned volume.

Spanned volumes. A spanned volume is created from free disk space that is linked from multiple
disks. You can extend a spanned volume to no more than 32 disks. Windows Server fills the spanned
volume by filling all the space on the first disk and then filling each of the additional disks in turn. This
means if you lose a disk, you lose all the spanned volume.

Striped volumes. A striped volume is a volume whose data is spread across two or more physical disks. Data is written to the disks alternately in equal-sized stripes. This is known as striping, or RAID-0. A striped volume cannot be extended and is not fault-tolerant: if a single physical disk in the striped volume fails, the whole volume is lost.

Mirrored volumes. A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All the data on one volume is copied to another disk to provide data redundancy. If
one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended and is also known as RAID-1.

RAID-5 volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across a
minimum of three or more disks. Parity (a calculated value that can be used to reconstruct data after
a failure) is also striped across the disk array. If a physical disk fails, the part of the RAID-5 volume that
was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume
cannot be mirrored or extended.

Basic disks can easily be converted to dynamic disks without any loss of data. However, to convert a
dynamic disk to a basic disk means all data on the disk will be lost.
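As an added example, not part of the courseware, the following PowerShell converts two empty disks to dynamic and creates a mirrored (RAID-1) NTFS volume on them by generating and running a diskpart script; it refuses disks that already hold partitions or that are the system or boot disk, since convert dynamic is not reversible without data loss. The disk numbers 1 and 2 and the drive letter M are assumptions.

```powershell
# Added example: mirrored dynamic volume via a generated diskpart script.
# Disk numbers and drive letter are assumptions.
$disks = 1, 2

foreach ($n in $disks) {
    $d = Get-Disk -Number $n
    if ($d.IsBoot -or $d.IsSystem) {
        throw "Disk $n is the system or boot disk; not converting it."
    }
    # Both members must be empty: a mirror is built from free space, and converting
    # a disk that already carries data partitions is not what this script is for.
    if (Get-Partition -DiskNumber $n -ErrorAction SilentlyContinue) {
        throw "Disk $n already has partitions; refusing to convert it."
    }
}

# diskpart reads a script from a file; create volume mirror without size= uses all
# free space on the smaller disk and an equal amount on the other.
$script = @"
select disk $($disks[0])
convert dynamic
select disk $($disks[1])
convert dynamic
create volume mirror disk=$($disks[0]),$($disks[1])
format fs=ntfs label="Mirror" quick
assign letter=M
exit
"@

$scriptPath = Join-Path $env:TEMP 'mirror.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath

# Check: the volume should be listed as Mirror with status Healthy; while the second
# half is still being synchronized diskpart reports Resynching, which is normal.
'list volume' | diskpart
```

Mirroring protects against losing one disk, not against deleting a file or a corrupted write, which is faithfully copied to both halves; it is a complement to backups, not a replacement.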
Required Disk Volumes

Regardless of which kind of disk that you use, you must configure a system volume and boot volume on
one of the hard disks in the server.


System volumes. The system volume contains the hardware-specific files that are needed to load
Windows. For example, Bootmgr, BOOTSECT.bak, and Boot Configuration Data (BCD). The system
volume can be, but does not have to be, the same as the boot volume.

Boot volumes. The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to
be, the same as the system volume.

More information about how basic disks and volumes work can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=199648

Selecting a File System


After you have initialized a disk and have decided
to allocate a specific part of the disk to a specific
volume type, you have to decide what file system
that you will use on the volume, or partition. A file
system is used to organize and store data on a
hard disk. Windows Server 2012 has five file
system options:

File Allocation Table (FAT)

FAT32

Extended File Allocation Table (exFAT)

NTFS

Resilient File System (ReFS)

In addition to deciding what file system to use, you can also decide the cluster, or allocation unit, size. This can be configured manually or left to the default, but you should understand the concept and the potential performance and space-efficiency consequences of the choice.
Cluster/Allocation Unit Size

A sector is the smallest unit that can be written to a physical disk. The sector size is set by the manufacturer; it has traditionally been 512 bytes, and newer Advanced Format disks use 4,096 bytes. Allocating disk space to files one sector at a time would impose significant bookkeeping overhead, and increasingly so as disks grow larger. Therefore, the file system allocates space in clusters, or allocation units: groups of contiguous sectors that are allocated together rather than sector by sector.

You should be aware that the allocation unit size has a direct effect on performance and on how efficiently space is used. If, for example, a disk has a sector size of 512 bytes and an allocation unit size of 4,096 bytes (4 KB), sectors are allocated in groups of eight. A 4,100-byte file is allocated two clusters, that is, 16 sectors, and most of the second cluster is unused space (slack).

Also, as files grow, are deleted, and are moved, the allocation units belonging to a single file end up in various parts of the disk. This is known as fragmentation.

Generally, larger allocation unit sizes reduce the potential for fragmentation and suit volumes that hold a small number of large files (database files, virtual hard disks). However, they increase the unused space in the last cluster of every file, which matters on volumes with many small files.
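As an added example, not from the courseware, the following PowerShell function computes how many clusters a set of files would consume, and how much slack they would waste, for several allocation unit sizes; it then shows how to format a volume with a 64 KB allocation unit and how to read back the value a volume actually uses. The sample file sizes are constructed, and drive E: is an assumption.

```powershell
# Added example: cluster usage and slack for a given allocation unit size.
# Sample file sizes are constructed; drive letter E: is an assumption.
function Get-ClusterUsage {
    param(
        [Parameter(Mandatory)] [long[]] $FileSizes,
        [Parameter(Mandatory)] [int]    $AllocationUnitSize
    )
    $clusters = [long]0
    $slack    = [long]0
    foreach ($size in $FileSizes) {
        # Whole clusters needed for this file (a 0-byte file consumes no data cluster).
        $n = [long][math]::Ceiling($size / $AllocationUnitSize)
        $clusters += $n
        $slack    += ($n * $AllocationUnitSize) - $size   # unused bytes in the last cluster
    }
    [pscustomobject]@{
        AllocationUnitSize = $AllocationUnitSize
        Clusters           = $clusters
        BytesAllocated     = $clusters * $AllocationUnitSize
        SlackBytes         = $slack
    }
}

# Constructed sample: the 4,100-byte file from the text plus a mix of small and large files.
# With 4 KB units the 4,100-byte file alone takes 2 clusters and wastes 4,092 bytes.
$sample = 4100, 512, 3000, 70000, 1MB, 65KB

foreach ($au in 4KB, 16KB, 64KB) {
    Get-ClusterUsage -FileSizes $sample -AllocationUnitSize $au
}

# A volume intended for large sequential files (database or VHD files) with 64 KB units.
# Format-Volume -DriveLetter E -FileSystem NTFS -AllocationUnitSize 64KB -NewFileSystemLabel 'SQLData' -Confirm:$false

# Read back what an existing NTFS volume uses: look for "Bytes Per Sector" and "Bytes Per Cluster".
fsutil fsinfo ntfsinfo C:
```

Run the function against a real directory by feeding it (Get-ChildItem -Recurse -File | ForEach-Object Length); the slack totals for 4 KB and 64 KB show concretely whether a large allocation unit is a good fit for that data.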
File Allocation Table


FAT is the simplest of the file systems supported by Windows. There is no organization to the FAT directory structure, and files are given the first open location on the drive. A disk formatted with FAT is allocated in clusters, or allocation units, whose size depends on the size of the volume. When a file is created, the number of the first cluster that holds its data is recorded in the directory entry. Each cluster's entry in the FAT table either points to the next cluster of the file or marks that cluster as the last one.

To protect the volume, two copies of the FAT table are kept in case one becomes damaged. In addition,
the FAT tables and the root directory must be stored in a fixed location so that the system's boot files can
be located.

FAT. Also known as FAT16. Can only access partitions up to 2 GB in size (4 GB with 64 KB clusters).

FAT32. An improvement over FAT. Supports partitions up to 2 TB (Windows itself formats FAT32 volumes only up to 32 GB) and a maximum file size of 4 GB. FAT32 supports smaller cluster sizes than FAT, which results in more efficient space allocation on FAT32 volumes.

exFAT. A Microsoft file system optimized for flash drives. exFAT can be used where NTFS is not an option, or where the FAT32 limits (4 GB per file, 32 GB per volume as formatted by Windows) are unacceptable, for example on removable media used by media players and similar devices.

FAT, FAT32, and exFAT provide no file-level security (no ACLs) and no journaling, so you should not use them as the file system for disks attached to a Windows Server. The primary scenarios for FAT are flash drives and other removable media.
NTFS

NTFS is the standard file system for all Windows operating systems starting with Windows NT Server 4.0.

NTFS has several improvements over FAT, such as improved support for metadata and advanced data
structures to improve performance, reliability, and disk space use. NTFS also provides a much better level
of security than FAT or FAT32. NTFS supports security access control lists (ACLs). This allows for auditing,
file system journaling, and encryption.

NTFS is required for several Windows Server roles and features, such as Active Directory Domain Services,
Volume Shadow Copy Service (VSS), Distributed File System (DFS), and File Replication Service (FRS). You
should always use NTFS for all hard disks connected to Windows Server or Windows client computers.
ReFS

ReFS is a new file system that is built in to Windows Server 2012. ReFS is based on the NTFS file system,
and provides the following advantages:

Metadata integrity with checksums.

Expanded protection against data corruption.

Maximizes reliability, especially during a loss of power (whereas NTFS is known to experience
corruption in similar circumstances).

Supports a maximum file size of 16 EB.

Supports a single volume size of 2^78 bytes.

Supports 2^64 files in a directory.

Storage pooling and virtualization. This makes creating and managing file systems easier.

Data striping for performance (bandwidth can be managed).

Redundancy for fault tolerance.

Disk scrubbing for protection against latent disk errors.

Resiliency to corruptions with recovery for maximum volume availability.

Implementing Storage in Windows Server

Shared storage pools across machines for additional failure tolerance and load balancing.

You cannot run the chkdsk utility on ReFS because error checking and automatic repair are built in to the
file system, so chkdsk is not needed.

ReFS does not support all functionality currently available in NTFS. Some items not supported on ReFS
include the following:

File compression

Disk quotas

Encrypting File System (EFS) encryption

Short file names

ReFS is recommended only for use with large volumes on Windows Server 2012 servers. A ReFS-formatted
drive is not recognized by computers that are running Windows Server operating systems before
Windows Server 2012. Also, it is possible to shrink or extend NTFS volumes, whereas it is only possible to
extend ReFS volumes, not shrink them.
NTFS should still be used as the default file system for general purpose use on Windows Server 2012.
Question: What file system do you currently use on your file server? Will you continue to use it?
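The practical consequence of the FAT/NTFS/ReFS comparison above is an inventory check: which volumes on a server can carry permissions and auditing at all, and which ReFS-only features are missing. The following is an added example and not part of the courseware; it assumes the Storage module that ships with Windows Server 2012 and later (Get-Volume), and the function name Get-VolumeSecurityReport is an assumption.

```powershell
# Added example (not from the courseware): report every fixed volume on this server,
# flag file systems that cannot carry ACLs, and note which NTFS-only features a ReFS
# volume cannot rely on. Assumes the Storage module (Windows Server 2012 or later).

function Get-VolumeSecurityReport {
    [CmdletBinding()]
    param()

    # Only fixed, formatted volumes matter here; skip optical drives and raw space.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem } |
        ForEach-Object {
            $fs = $_.FileSystem

            # Recommendation text follows the courseware's guidance for each file system.
            $recommendation = switch ($fs) {
                'NTFS'  { 'OK: default choice for general-purpose volumes' }
                'ReFS'  { 'OK for large data volumes; no EFS, quotas, or compression' }
                default { 'Reformat as NTFS: FAT/FAT32/exFAT carry no file permissions' }
            }

            [PSCustomObject]@{
                DriveLetter    = $_.DriveLetter
                Label          = $_.FileSystemLabel
                FileSystem     = $fs
                SizeGB         = [math]::Round($_.Size / 1GB, 1)
                # The FAT family keeps no ACLs, so nothing on it can be protected or audited.
                SupportsACLs   = ($fs -eq 'NTFS' -or $fs -eq 'ReFS')
                # ReFS omits disk quotas and EFS; only NTFS supports them.
                SupportsQuota  = ($fs -eq 'NTFS')
                SupportsEFS    = ($fs -eq 'NTFS')
                Recommendation = $recommendation
            }
        }
}

# Show the report with the unprotected volumes first.
Get-VolumeSecurityReport | Sort-Object SupportsACLs, DriveLetter | Format-Table -AutoSize
```

Run it elevated on each file server before placing shares; any volume that reports SupportsACLs as False cannot be secured with NTFS permissions or audited, regardless of what share permissions are set on top of it.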

What Are Virtual Hard Disks?


A virtual hard disk (VHD) is a non-physical disk
type that is presented to and used by the
operating system as if it were a physical disk. It is a
stand-alone file that is portable. Therefore, it can
be moved or copied as needed like any other file
type. However, it acts and behaves as if it were a
physical disk; that is, it can have a partition type
and a disk type, and it can be formatted.
VHDs have traditionally been associated with
virtual machines and Hyper-V, a Microsoft server
virtualization technology. However, they are being
used much more widely. For example, you can
install an operating system onto a VHD and start a computer from it. This is known by many terms but
most frequently as native boot, or boot from VHD. Virtual hard disks can also be used to provide
additional storage, such as in Storage Spaces, or can even be used as part of a high-availability failover
clustering infrastructure.

Windows Server 2012 provides for two VHD file formats: .vhd and .vhdx. The .vhdx file format is a virtual
hard disk format that emerged with the release of Windows Server 2012. Both file formats have the same
basic function. The differences are based on scale and performance, as follows:

Supported file sizes:
  o The .vhd file format can have a maximum size of 2,040 GB.
  o The .vhdx file format can have a maximum size of 64 TB.

Sector size:
  o The .vhd file format uses 512-byte sectors.
  o The .vhdx file format uses 4-KB sectors to gain performance advantages with larger disk sizes.

You can convert from .vhdx to .vhd or from .vhd to .vhdx by using the Edit Virtual Hard Disk Wizard in
Hyper-V Manager. Also, the .vhdx file format is only recognized by Windows Server 2012.

Both .vhd and .vhdx virtual hard disks have three virtual hard disk types available when they are created.
These are described in the following sections.
Dynamically Expanding VHDs

Dynamically expanding VHDs are virtual disks that start very small and then grow as you write data to
them. They are ideal for use in an environment where performance is not your primary consideration.
Organizations typically use dynamically expanding disks in test and development environments. A
dynamically expanding disk grows only to the space that you allocate to it when you create the VHD. The
default maximum size is 127 GB, but dynamically expanding VHDs can be as large as 2 terabytes (TB).
Dynamically expanding disk performance has increased and has almost the same performance levels as
fixed-size disks.
One of the potential issues with using dynamically expanding VHDs is that you must manage storage
usage after deployment. If you have multiple dynamically expanding VHDs located in a single storage
location that is less than the total maximum size of the VHDs, you must monitor the storage location to
make sure that the VHDs do not expand to use up all available space.

Another potential issue with dynamically expanding virtual hard disks is that the .vhd file might become
fragmented on the host computer's physical hard disk. This could affect the virtual disk's performance.
Fixed-Size VHDs

Fixed-size VHDs are disks that use as much physical disk space as you specify when you create the disk.
For example, if you create a 100 GB fixed-size VHD, it will use 100 GB of physical disk space. The primary
benefit with using fixed-size disks is that all the storage required for the disks is committed when you
create the disks. This reduces the possibility that you will over-commit your storage resources.
One reason for selecting fixed-size VHDs is that dynamically expanding VHDs might not support some
applications. For example, Microsoft does not support Exchange Server 2010 or Exchange Server 2007
deployed on dynamically expanding VHDs.

One of the disadvantages of fixed-size disks is that the disks might take longer to move from one server
to another.
Differencing VHDs

A differencing virtual hard disk is a virtual hard disk associated with another virtual hard disk in a
parent/child relationship. The differencing disk is the child and the associated virtual disk is the parent.
The parent disk can be any kind of virtual hard disk. The differencing disk stores a record of all changes
that you make to the parent disk and lets you save changes without altering the parent disk. In other
words, by using differencing disks, you make sure that changes are made to the differencing disks and not
to the original virtual hard disk. When it is required, you can merge changes from the differencing disk to
the original virtual hard disk.

The differencing hard disk expands dynamically as data intended for the parent disk is written to the
differencing disk. You should write-protect or lock the parent disk. If another process changes the
parent disk, and does not recognize the differencing disk's parent/child relationship, then all
differencing disks related to the parent disk become invalid, and any data written to them is lost. By
locking the parent disk, you can mount the disk on more than one virtual machine, similar to a read-only
floppy disk or CD-ROM.

You cannot specify a size for a differencing disk. Differencing disks can grow as large as the parent
disks to which they are associated. However, unlike dynamically expanding disks, differencing disks
cannot be compacted directly. You can compact differencing disks only after merging the disk with a
dynamically expanding parent disk.

If you are using differencing disks, you must have a standardized naming convention for your virtual
hard disks. It is not clear from examining the virtual hard disk in Hyper-V Manager whether it is a
differencing drive or a parent disk.

Virtual hard disks can be created in several ways; one such method is as follows:

In Disk Management, right-click the server being managed, and then select Create VHD. You can
then specify the virtual hard disk format and type, as well as the location and size of the virtual hard
disk file.
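The three VHD types and the two operational cautions above (dynamic disks can exhaust the host volume; a parent disk must never be modified, and Hyper-V Manager does not make a differencing disk obvious) can all be exercised from Windows PowerShell. The following is an added example, not a procedure from the courseware; it assumes the Hyper-V PowerShell module is installed, and the D:\VHD folder, file names, sizes, and the helper names Get-VhdChain and Test-VhdOvercommit are assumptions.

```powershell
# Added example (not the courseware's own steps): create a dynamically expanding, a
# fixed-size, and a differencing .vhdx with the Hyper-V module, lock the parent, then
# identify differencing disks and check for over-commitment on the host volume.
# Assumes the Hyper-V module; D:\VHD and all sizes are assumptions. Run elevated.
Import-Module Hyper-V

$root = 'D:\VHD'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Dynamically expanding: the file starts small and may grow to 64 GB (test/dev use).
New-VHD -Path "$root\dev-dynamic.vhdx" -SizeBytes 64GB -Dynamic | Out-Null

# Fixed-size: all 20 GB is committed now, so it cannot later surprise the host volume.
$parent = "$root\app-fixed.vhdx"
New-VHD -Path $parent -SizeBytes 20GB -Fixed | Out-Null

# Differencing: child of the fixed disk. All writes go to the child; the parent must not change.
New-VHD -Path "$root\app-child1.vhdx" -ParentPath $parent -Differencing | Out-Null

# Lock the parent at the file level so an accidental write cannot invalidate its children.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

# A file name alone does not reveal a differencing disk; Get-VHD reports type and parent.
function Get-VhdChain {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Include *.vhd, *.vhdx -Recurse |
        ForEach-Object { Get-VHD -Path $_.FullName } |
        Select-Object Path, VhdFormat, VhdType, ParentPath,
            @{ n = 'FileSizeGB'; e = { [math]::Round($_.FileSize / 1GB, 2) } },
            @{ n = 'MaxSizeGB';  e = { [math]::Round($_.Size / 1GB, 2) } }
}
Get-VhdChain -Folder $root | Format-Table -AutoSize

# Host-side capacity check: if the sum of maximum sizes exceeds the free space on the
# volume holding the VHDs, dynamic and differencing disks can fill it as they grow.
function Test-VhdOvercommit {
    param([Parameter(Mandatory)][string]$Folder)
    $vhds = Get-ChildItem -Path $Folder -Include *.vhd, *.vhdx -Recurse |
        ForEach-Object { Get-VHD -Path $_.FullName }
    $maxTotal = ($vhds | Measure-Object -Property Size -Sum).Sum
    $driveLetter = (Get-Item -Path $Folder).PSDrive.Name
    $free = (Get-Volume -DriveLetter $driveLetter).SizeRemaining
    [PSCustomObject]@{
        Folder        = $Folder
        MaxTotalGB    = [math]::Round($maxTotal / 1GB, 1)
        HostFreeGB    = [math]::Round($free / 1GB, 1)
        Overcommitted = ($maxTotal -gt $free)
    }
}
Test-VhdOvercommit -Folder $root
```

Convert-VHD -Path <source> -DestinationPath <target> performs the .vhd/.vhdx conversion that the text attributes to the Edit Virtual Hard Disk Wizard, and Get-VHD is the quickest way to tell a parent from a child when the naming convention has not been followed.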

What Are Mount Points and Links?


Mount points and links are used in NTFS and ReFS
file systems in Windows Server 2012 to refer to
files, directories, and volumes to make them
available to users.
Mount Points
Mount points make a disk or part of a disk
available to the operating system. Usually, mount
points are associated with drive letter mappings.
The operating system gains access to the disk
through the drive letter.

Starting with the Windows 2000 Server operating system, you can enable volume mount points. This lets
you mount a hard disk to an empty folder that is located on another drive. For example, if you add a new
hard disk to a server, instead of mounting the drive by using a drive letter, you can assign a folder name
such as c:\datadrive. Then when you access the c:\datadrive folder, you are actually accessing the new
hard disk.
Volume mount points can be useful in the following scenarios:

If you are running out of drive space on a server and you want to add disk space without changing
the folder structure. You can add the hard disk, and configure a folder to point to the hard disk.

Note: You can assign volume mount points only to empty folders on an NTFS partition.
This means that if you want to use an existing folder name, you must first rename the folder,
create and mount the hard disk by using the required folder name, and then copy the data to the
mounted folder.

If you are running out of available letters to assign to partitions or volumes. If you have many hard
disks attached to the server, you might run out of available letters in the alphabet to assign drive
letters. By using a volume mount point, you can add partitions or volumes without using more drive
letters.

If you have to separate disk I/O in a folder structure. For example, if you are using an application that
requires a specific file structure, but which uses the hard disks extensively, you can separate the disk
I/O by creating a volume mount point within the folder structure.

Links

A link is a special kind of file that contains a reference to another file or directory in the form of an
absolute or relative path. Windows supports the following two kinds of links:

A symbolic file link (also known as a soft link)

A symbolic directory link (also known as a directory junction)


A link that is stored on a server share could refer back to a directory on a client that is not available from
the server where the link is stored. Because the link processing is performed by the client, the link would
work correctly to access the client, even though the server cannot access the client.
Links operate transparently. Applications that read or write to files that are named by a link behave as if
they are operating directly on the destination file. For example, you can use a symbolic link to link to a
Hyper-V parent virtual hard disk file (.vhd) from another location. Hyper-V uses the link to work with the
parent virtual hard disk (VHD) as it would the original file. The benefit of using symbolic links is that you
do not need to modify the properties of your differencing VHD.
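Both mechanisms described in this topic, a volume mount point on an empty NTFS folder and the two kinds of links, can be created and audited from Windows PowerShell. The following is an added example and not part of the courseware; it assumes the Storage module (Add-PartitionAccessPath), PowerShell 5.0 or later for New-Item link types, disk 1 / partition 2 as the volume to mount, and the paths and the helper names Add-FolderMountPoint and Get-LinkInventory are assumptions.

```powershell
# Added example (not from the courseware): mount a volume at C:\datadrive, create a
# symbolic file link and a directory junction, and inventory links under a share root.
# Assumes the Storage module and PowerShell 5.0+; disk/partition numbers and paths
# are assumptions. Run elevated (symbolic links need that privilege by default).

function Add-FolderMountPoint {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][int]$PartitionNumber,
        [Parameter(Mandatory)][string]$Folder      # e.g. C:\datadrive
    )
    # Preconditions from the text: the folder must be empty and must sit on an NTFS volume.
    $hostLetter = $Folder.Substring(0, 1)
    $hostVolume = Get-Volume -DriveLetter $hostLetter
    if ($hostVolume.FileSystem -ne 'NTFS') { throw "Mount point folder must be on an NTFS volume" }
    if (-not (Test-Path -Path $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    } elseif (Get-ChildItem -Path $Folder -Force | Select-Object -First 1) {
        throw "$Folder is not empty; rename it first and copy the data in after mounting"
    }

    # The Storage cmdlets expect the access path with a trailing backslash.
    $accessPath = $Folder.TrimEnd('\') + '\'
    Add-PartitionAccessPath -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -AccessPath $accessPath

    # Confirm the folder now resolves to the mounted partition.
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
        Select-Object DiskNumber, PartitionNumber, AccessPaths
}

Add-FolderMountPoint -DiskNumber 1 -PartitionNumber 2 -Folder 'C:\datadrive'

# Symbolic file link (soft link): the target is stored as a path and resolved on access,
# which is how Hyper-V can reach a parent VHD that lives elsewhere.
New-Item -ItemType SymbolicLink -Path 'C:\VHD\parent.vhdx' -Target 'D:\VHD\app-fixed.vhdx' | Out-Null

# Directory junction: the target must be an existing local directory.
New-Item -ItemType Directory -Path 'C:\datadrive\Logs' -Force | Out-Null
New-Item -ItemType Junction -Path 'C:\Shares\Logs' -Target 'C:\datadrive\Logs' | Out-Null

# Defender's check: links are resolved by the client, so list every reparse point under
# a share root with its target to see where a share can actually lead.
function Get-LinkInventory {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -Attributes ReparsePoint |
        Select-Object FullName, LinkType, @{ n = 'Target'; e = { $_.Target -join ';' } }
}
Get-LinkInventory -Root 'C:\Shares' | Format-Table -AutoSize
```

The inventory function is the part worth scheduling: a link created inside a share can point outside the share's folder tree, and share permissions alone say nothing about the destination.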

Demonstration: How to Create and Manage Volumes


In this demonstration, you will see how to create and manage volumes in Windows Server.

This demonstration shows how to configure volumes by using the Disk Management console and Windows
PowerShell.

While not called out explicitly in the demonstration steps, you may also want to show the Diskpart utility if
you have time, as it is still a viable disk management method in Windows Server 2012. If so, you can type
steps similar to the following.

At a Command Prompt, type Diskpart

Type List Disk

Type Select Disk 1 (where 1 is a disk with available space on it)

Type Create Volume Simple size=100

Type Format FS=NTFS Label="DiskPart Vol" (the label must be quoted because it contains a space)

Type Exit

Demonstration Steps
1. Bring a disk online.
2. Initialize a disk.
3. Create a simple volume.
4. Create a volume using File and Storage Services.
5. Convert a basic disk to a dynamic disk.
6. Create a striped volume using Disk Management.
7. Configure a volume mount point.
8. Resize volumes by using Disk Management.
9. Create a volume using Windows PowerShell.

What Are Storage Quotas?


Storage quota management lets you limit the disk
space that is allocated to a volume or folder. The
quota limit applies to the whole folder subtree.
Using quotas, you can manage capacity
restrictions in many ways. For example, you can
use a quota to make sure that individual users do
not consume very large amounts of storage with
their home drives, or to limit how much space is
consumed by multimedia files in a particular
folder.
Quotas can be managed through File Server Resource Manager (FSRM). This can
be installed in Server Manager through the Add
Roles And Features Wizard under File And Storage Services.
Quota Types
You can create two kinds of quotas within quota management:

A hard quota prevents users from saving files after the space limit is reached, and it generates
notifications when the volume of data reaches each configured threshold.

A soft quota does not enforce the quota limit. However, it does provide notifications.

Quota Notifications

To determine what happens when the quota limit approaches, you configure notification thresholds. For
each threshold that you define, you can send email notifications, log an event, run a command or script,
or generate storage reports. For example, you might want to notify the administrator and the user when a
folder reaches 85 percent of its quota limit, and then send another notification when the quota limit is
reached. In some cases, you might want to run a script that raises the quota limit automatically when a
threshold is reached.
Creating Quotas

When you create a quota on a volume or a folder, you can base the quota on a quota template or use
custom properties. Using quota templates has benefits such as being able to reuse a quota template to
create additional quotas while also helping simplify ongoing quota maintenance.

You can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota
template to a parent volume or folder. Then a quota that is based on the template is created for each of
the existing subfolders, and a quota is generated automatically for each new subfolder that is created.

In addition to managing and configuring quotas in the FSRM, you can use Windows PowerShell. Windows
PowerShell provides an extensive number of cmdlets for FSRM parameters. This includes quotas, as part of
the FileServerResourceManager module. The following table includes some cmdlets and commands that
might be useful.

Windows PowerShell Cmdlet                        Description of Use
Get-FSRMQuota                                    Displays FSRM quotas on the server
New-FSRMQuota                                    Creates an FSRM quota
Get-Command -Module FileServerResourceManager    Lists all available cmdlets in the FileServerResourceManager module

There is a Command Prompt utility named Windows File System Utility (fsutil.exe). This utility can
manage file server settings, such as quotas.

Demonstration: How to Create a Quota by Using FSRM


In this demonstration, you will see how to:

Create a 100MB quota limit.

Use a 130MB file to test the quota limit.

Demonstration Steps
1. Verify you can create a 130 MB file successfully.
2. Create a 100 MB quota.
3. Verify creating a 130 MB file is no longer allowed.
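The quota topic above (hard versus soft quotas, notification thresholds, auto-apply quotas) and this demonstration (100 MB limit tested with a 130 MB file) are carried out below with the FileServerResourceManager module. This is an added example, not the courseware's demonstration script; it assumes the FSRM role service is installed, and the folder paths under D:\Shares\Users are assumptions. The template name "100 MB Limit" is one of FSRM's built-in templates.

```powershell
# Added example (not from the courseware): create a 100 MB hard quota with an 85 %
# warning threshold, test it with a 130 MB file, and auto-apply a template to every
# user subfolder. Assumes the FSRM role service; paths are assumptions. Run elevated.
Import-Module FileServerResourceManager

$usersRoot = 'D:\Shares\Users'
$folder    = "$usersRoot\alice"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Step 1: before the quota exists, a 130 MB file is accepted.
fsutil file createnew "$folder\before.bin" (130MB)
Remove-Item -Path "$folder\before.bin"

# Step 2: threshold actions. FSRM expands [Source Io Owner] and [Quota Path] itself.
$warn = New-FsrmAction -Type Event -EventType Warning `
            -Body 'User [Source Io Owner] reached 85 % of the quota on [Quota Path]'
$full = New-FsrmAction -Type Event -EventType Error `
            -Body 'Quota limit reached on [Quota Path]'
$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $warn),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $full)
)

# A hard quota (the default) blocks writes once 100 MB is used and logs at each threshold.
New-FsrmQuota -Path $folder -Size 100MB -Threshold $thresholds -Description 'Home folder limit'

# Soft-quota variant: same thresholds and notifications, but never blocks the write.
# New-FsrmQuota -Path $folder -Size 100MB -SoftLimit -Threshold $thresholds

# Step 3: the same 130 MB write is now refused with a disk-full error from fsutil.
fsutil file createnew "$folder\after.bin" (130MB)

# Auto-apply quota: every existing and future subfolder of the users root gets a quota
# built from the template, so new home folders are covered without manual work.
New-FsrmAutoQuota -Path $usersRoot -Template '100 MB Limit'

# Review: what is enforced, how full each folder is, and whether any limit is soft.
function Get-UserQuotaUsage {
    param([Parameter(Mandatory)][string]$Root)
    Get-FsrmQuota -Path "$Root\*" |
        Select-Object Path,
            @{ n = 'LimitMB';   e = { [math]::Round($_.Size / 1MB, 1) } },
            @{ n = 'UsedMB';    e = { [math]::Round($_.Usage / 1MB, 1) } },
            @{ n = 'PercentUsed'; e = { [math]::Round(100 * $_.Usage / $_.Size, 1) } },
            SoftLimit, Disabled
}
Get-UserQuotaUsage -Root $usersRoot | Format-Table -AutoSize
```

The Event-type action is the safest default for a lab because it needs no SMTP configuration; replace it with New-FsrmAction -Type Email once Set-FsrmSetting has an SMTP server configured.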

Lesson 3

Fault Tolerance

Now that you have learned about the kinds of storage and the methods in which you can address the
storage, the next important thing is to consider reliability and availability. These can be critical elements to
the success of an organization. Windows Server 2012 has several methods for providing for reliability and
availability in the event of hardware failure, such as Storage Spaces and RAID implementations. This lesson
provides details of both those technologies.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Storage Spaces.

Describe how to implement fault tolerance by using Storage Spaces.

Describe RAID.

Explain the value of RAID levels.

Describe how to implement RAID by using Disk Management.

What Are Storage Spaces?


Storage Spaces is a new feature that was
introduced in Windows Server 2012. It enables
combining many physical disk types into a single
entity. This is known as a Storage Pool, from which
you can then create a management unit called a
Storage Space. The Storage Spaces feature
requires no features or roles to be installed. The
functionality is built in to Windows Server 2012
and is available out-of-the-box in File And
Storage Services in Server Manager. Storage
Spaces enable you to:

Combine disks of different types and capacity into a single entity that can be managed as a single unit.

Provide a level of redundancy or resiliency by using either disk mirroring or parity.

Extend the storage capacity by using thin provisioning. Thin provisioning is explained later in this
topic.

Storage Pools

Storage pools are hard disk units combined into a single logical unit. Storage Pools can be managed as a
single entity. To create a Storage Pool, consider the following:

You can use different bus technologies such as SATA, SCSI, serial-attached SCSI, or USB disks even if
they are different capacities. You can also add .vhd and .vhdx virtual hard disk file types.

The drives can be internally or externally connected to the server.

Designate a specific disk as a Hot-Spare, which will automatically replace a disk that has suffered a
failure.

At least one disk is required to create a Storage Pool.

Drives must be blank and unformatted; no volume must exist on them. Any information on disks
being added will be lost.

A Storage Pool can use the whole disk or just a part of the disk.

All disks must have the same sector size.

Storage Spaces

After the Storage Pool is created, you can then create Storage Spaces from the Storage Pool. Storage
Spaces are the effective management entities for the storage pool. You should be aware of the following
in relation to Storage Spaces:

To create a Storage Space, at least one Storage Pool must be created.

Once the Storage Pool exists you then must create a Virtual Disk. This is not a virtual disk in the
sense of a virtual machine file, rather it is a virtual entity which you can then manage as a single
instance, despite having potentially multiple disk or volume types. It is specific to this concept and
should be considered as a drive as you would see it in Disk Management.

Once you create a Virtual Disk you then need to create a volume, which you then format, partition,
and assign drive letters to as you would any other disk.

Storage Spaces are displayed as a drive in File Explorer. For example drive D or E. The underlying
storage configuration is invisible to the user.

Failover clustering is supported in Storage Spaces. However, it is limited to serial-attached SCSI disk
types. SATA, SCSI, or USB are not supported.

Storage Spaces supports both NTFS and ReFS volumes.

Providing Redundancy

Providing a level of redundancy for disk failure can be an expensive and complex process involving
dedicated or specific hardware and software. When you create Storage Spaces in Windows Server 2012,
you can provide a software-based level of redundancy or resiliency without the need for additional
hardware or software. There are three options when you create Storage Spaces, two of which provide
redundancy:

Simple. This requires at least one disk and stripes the data across multiple disks; that is, as
data is written, it is spread out and written across multiple disks. This allows for quicker writing of data
but does not protect the data from a disk failure.

Mirrored. This scenario requires at least two disks. When you write data to one of the disks, a copy of
the data is written to the other disk at the same time. This means if one of the disks fails, there is
another copy of the data available. Mirrored disks reduce capacity and if two disks fail, it provides no
level of redundancy. To provide protection from two disk failures, five disks would be required.

Parity. This scenario requires at least three disks. When you write data, it writes half the data to the
first disk, the rest of the data is written to the second disk, and a checksum value is written to the
third disk. If one of the first two data disks fails, the data can be restored by using half the data and
the checksum value. It increases redundancy should a single disk fail but reduces capacity. It cannot
be used in failover clustering.

Thin Provisioning

There are benefits to using storage pools for providing storage. With thin provisioning, you can allocate
more space than is actually physically available when the drive is created. For example, if you have two
5 TB external SATA drives, giving you a total of 10 TB of available space, you could create a storage pool
based on these two drives, and then create a Storage Space of up to 64 TB, even though you do not have
all that physical capacity available.
With thin provisioning, space or blocks are only allocated from the storage pool as they are needed.
Therefore, you can add capacity as needed. In contrast, fixed (thick) provisioning allocates all the
available space from the storage pool when the Storage Space is created.
Windows PowerShell

Windows PowerShell also provides management and configuration support for Storage Spaces in
Windows Server 2012. The following table includes some cmdlets and commands that might be useful.
Windows PowerShell Cmdlet                    Description of Use
Get-StoragePool                              Displays all storage pools. This is provided as part of the Storage module.
Resize-SpacesVolume                          Resizes Storage Spaces and file system volumes. This is provided as part of
                                             the Storage Spaces module. The module must be separately downloaded.
                                             After you download the module, it must be imported into Windows
                                             PowerShell by using the Import-Module cmdlet.
Get-Command -Module Storage,StorageSpaces    Lists all available cmdlets in the Storage and StorageSpaces modules.

Demonstration: How to Implement and Manage Storage Spaces

In this demonstration, you will see how to create a Storage Pool and a Storage Space Virtual Hard Disk.

Demonstration Steps
1. Create a Storage Pool.
2. Create a Storage Space Virtual Disk.
3. Verify the Virtual Disk is accessible.
4. Add an additional physical disk to the Storage Pool.
5. Remove a physical disk to simulate disk failure.
6. Verify the Virtual Disk is still available.
7. Verify the Virtual Disk status in Server Manager.
8. Repair the Virtual Hard Disk.
9. Verify the Virtual Disk status returns to Healthy.
10. Delete the Virtual Disk.
11. Delete the Storage Pool.
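The pool, virtual disk, hot spare, failure and repair steps of this demonstration, together with the thin provisioning described in the topic, map onto the Storage module cmdlets shown below. This is an added example rather than the courseware's demonstration script; it assumes at least two blank, poolable disks, and the pool name, virtual disk name, 10 TB thin size and the helper name Get-SpaceHealth are assumptions.

```powershell
# Added example (not from the courseware): demonstration steps 1-11 with the Storage
# module. Pool/disk names and sizes are assumptions; needs two or more blank disks.
# Run elevated.
$poolName = 'Pool1'
$vdName   = 'Space1'

# 1. Pool every blank, unformatted disk the subsystem reports as poolable.
$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 2) { throw "Need at least two poolable disks for a mirror" }
$subsystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
New-StoragePool -FriendlyName $poolName -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $candidates | Out-Null

# 2. Thin-provisioned two-way mirror: 10 TB is advertised even if the pool is smaller,
#    because blocks are allocated only as they are written. Monitor pool free space.
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
                -ResiliencySettingName Mirror -ProvisioningType Thin -Size 10TB | Out-Null

# 3. The virtual disk appears as a disk: initialize, partition and format as usual.
$disk = Get-VirtualDisk -FriendlyName $vdName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $vdName -Confirm:$false | Out-Null

# 4. Add another disk later and dedicate it as a hot spare that takes over on failure.
$spare = Get-PhysicalDisk -CanPool $true | Select-Object -First 1
if ($spare) {
    Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks $spare -Usage HotSpare
}

# 5-7. After a disk is pulled, the mirror stays online but reports Degraded/Warning.
function Get-SpaceHealth {
    param([Parameter(Mandatory)][string]$Pool)
    Get-VirtualDisk -StoragePoolFriendlyName $Pool |
        Select-Object FriendlyName, ResiliencySettingName, OperationalStatus, HealthStatus
    Get-StoragePool -FriendlyName $Pool | Get-PhysicalDisk |
        Select-Object FriendlyName, Usage, OperationalStatus, HealthStatus
}
Get-SpaceHealth -Pool $poolName

# 8-9. Repair rebuilds the missing copies onto the remaining or spare disks; re-check
#      until HealthStatus returns to Healthy.
Repair-VirtualDisk -FriendlyName $vdName
Get-SpaceHealth -Pool $poolName

# 10-11. Tear down in reverse order. Both commands destroy data; left commented out.
# Remove-VirtualDisk -FriendlyName $vdName -Confirm:$false
# Remove-StoragePool -FriendlyName $poolName -Confirm:$false
```

For a parity space use -ResiliencySettingName Parity with three or more disks; it cannot be used in a failover cluster, as the topic notes, and the 64 TB thin example in the text is simply a larger -Size on the same cmdlet.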

What Is RAID?
RAID is a technology that has existed for a long
time. It enables you to configure storage systems
to provide high reliability and potentially high
performance. RAID implements these storage
systems by combining multiple disks into a single
logical unit called a RAID array that, depending on
the configuration, can withstand the failure of one
or more of the physical hard disks, or provide
better performance than is available by using a
single disk.

RAID provides an important component in planning and deploying Windows Servers. In most
organizations, servers must always be available. Most servers provide highly redundant components such
as redundant power supplies, and redundant network adapters. The goal of this redundancy is to make
sure that the server remains available even when a single component on the server fails. By implementing
RAID, you can provide the same level of redundancy for the storage system.
How RAID Works

RAID enables fault tolerance by using additional disks to make sure that the disk subsystem can continue
to function even if one or more disks in the subsystem fail. RAID uses two options for enabling fault
tolerance:

Disk mirroring. With disk mirroring, all the information that is written to one disk is also written to
another disk. If one of the disks fails, the other disk is still available.

Parity information. Parity information is used to calculate the information that was stored on a disk
if there is a disk failure. If this option is used, the server or RAID controller calculates the parity
information for each block of data written to the disks, and then stores this information on another
disk or across multiple disks. If one of the disks in the RAID array fails, the server can use the data that
is still available on the functional disks and the parity information to re-create the data that was
stored on the failed disk.

RAID subsystems can also provide potentially better performance than a single disk by distributing disk
reads and writes across multiple disks. For example, when you implement disk striping, the server can read
information from all hard disks in the stripe set. When combined with multiple disk controllers, this can
provide significant improvements in disk performance.
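The parity description above is easiest to understand by working the arithmetic once: the parity block is the byte-wise XOR of all data blocks in a stripe, and XOR is its own inverse, so XOR-ing whatever survives recovers the one block that was lost. The following is an added example with constructed data, not code from the courseware; the "disks" are byte arrays, and the function names are assumptions. It models the arithmetic of RAID 3/4/5 parity only, not a controller.

```powershell
# Added example (not from the courseware): single-parity recovery as used by RAID 3/4/5.
# Three constructed data "disks" hold one 4-byte block each; the parity disk holds their
# XOR. Losing any one block, the others plus parity rebuild it. Constructed data only.

function Get-ParityBlock {
    # $Blocks: byte[] arrays of equal length (data blocks, or survivors plus parity).
    param([Parameter(Mandatory)][object[]]$Blocks)
    $len = ([byte[]]$Blocks[0]).Length
    $parity = New-Object byte[] $len
    foreach ($block in $Blocks) {
        $bytes = [byte[]]$block
        if ($bytes.Length -ne $len) { throw "All blocks in a stripe must have the same length" }
        for ($i = 0; $i -lt $len; $i++) {
            $parity[$i] = $parity[$i] -bxor $bytes[$i]
        }
    }
    return ,$parity          # leading comma returns the byte[] intact instead of unrolling it
}

function Restore-LostBlock {
    # $Survivors: every block of the stripe except the lost one, parity included.
    # Same XOR as parity generation, because XOR undoes itself.
    param([Parameter(Mandatory)][object[]]$Survivors)
    return Get-ParityBlock -Blocks $Survivors
}

function Format-HexBytes {
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

# Constructed stripe: three data disks plus one parity disk.
$disk0 = [byte[]](0x41, 0x42, 0x43, 0x44)   # "ABCD"
$disk1 = [byte[]](0x31, 0x32, 0x33, 0x34)   # "1234"
$disk2 = [byte[]](0x00, 0xFF, 0x0F, 0xF0)
$parityDisk = Get-ParityBlock -Blocks @($disk0, $disk1, $disk2)

# Simulate disk1 failing: rebuild it from disk0, disk2 and the parity disk.
$rebuilt = Restore-LostBlock -Survivors @($disk0, $disk2, $parityDisk)
$same = ($rebuilt -join ',') -eq ($disk1 -join ',')

"disk0        : $(Format-HexBytes $disk0)"
"disk1 (lost) : $(Format-HexBytes $disk1)"
"disk2        : $(Format-HexBytes $disk2)"
"parity       : $(Format-HexBytes $parityDisk)"
"rebuilt disk1: $(Format-HexBytes $rebuilt)   matches original: $same"

# With two blocks missing the XOR has two unknowns and cannot be solved. That is why the
# single-parity levels in the table tolerate exactly one disk failure and RAID 6 adds a
# second, independently computed parity block.
```

The same loop explains the "poor write performance" entries in the RAID level table: every block write must also read and rewrite the parity block, so a single logical write costs several physical operations.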
Hardware RAID vs. Software RAID

Hardware RAID is implemented by installing a RAID controller in the server, and then configuring RAID by
using the RAID controller configuration tool. With this implementation, the RAID configuration is hidden
from the operating system. The RAID arrays are exposed to the operating system as single disks. The only
configuration that you have to perform in the operating system is to create volumes on the disks.
Software RAID is implemented by exposing all the disks that are available on the server to the operating
system, and then configuring RAID from the operating system. Windows Server 2012 supports software
RAID, and you can use Disk Management to configure several different levels of RAID. Given the
significant changes and functionality that is now available in Windows Server 2012 with Storage Spaces,
software RAID can now be a secondary choice.

Note: Although RAID can provide better tolerance for disk failure, you should not use RAID
to replace traditional backup. If all the disks were to fail, then you would still have to rely on
standard backups.

What Are RAID Levels?


When you implement RAID, you have to decide
what level of RAID to implement. The following
table compares the features for each RAID level.

For each level, the table lists its description, performance, space use, redundancy, and comments.

RAID 0
  Description: Striped set without parity or mirroring. Data is written sequentially to each disk.
  Performance: High read and write performance.
  Space use: All space on the disks is available.
  Redundancy: A single disk failure results in the loss of all data.
  Comments: Use only if you must have high performance and can tolerate data loss.

RAID 1
  Description: Mirrored set without parity or striping. Data is written to both disks at the same time.
  Performance: Good performance.
  Space use: Can only use the amount of space that is available on the smallest disk.
  Redundancy: Can tolerate a single disk failure.
  Comments: Frequently used for system and boot volumes with hardware RAID.

RAID 2
  Description: Data is written in bits to each disk, with parity written to a separate disk or disks.
  Performance: Very high performance.
  Space use: One or more disks used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Requires that all disks be synchronized. Currently not used.

RAID 3
  Description: Data is written in bytes to each disk, with parity written to a separate disk or disks.
  Performance: Very high performance.
  Space use: One disk used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Requires that all disks be synchronized. Rarely used.

RAID 4
  Description: Data is written in blocks to each disk, with parity written to a dedicated disk.
  Performance: Good read performance, poor write performance.
  Space use: One disk used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Rarely used.

RAID 5
  Description: Striped set with distributed parity. Data is written in blocks to each disk, with parity
  spread across all disks.
  Performance: Good read performance, poor write performance.
  Space use: The equivalent of one disk used for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Very frequently used for data storage where performance is not important but maximizing
  disk usage is important.

RAID 6
  Description: Striped set with dual distributed parity. Data is written in blocks to each disk, with
  double parity written across all disks.
  Performance: Good read performance, poor write performance.
  Space use: The equivalent of two disks used for parity.
  Redundancy: Can tolerate two disk failures.
  Comments: Frequently used for data storage where performance is not important but maximizing disk
  usage and availability are important.

RAID 0+1
  Description: Striped sets in a mirrored set. A set of drives is striped, and then the stripe set is
  mirrored.
  Performance: Very good read and write performance.
  Space use: Half the disk space is available because of mirroring.
  Redundancy: Can tolerate the failure of two or more disks as long as all failed disks are in the same
  striped set.
  Comments: Not usually used.

RAID 1+0
  Description: Mirrored set in a striped set. Several drives are mirrored to a second set of drives, and
  then one drive from each mirror is striped.
  Performance: Very good read and write performance.
  Space use: Half the disk space is available because of mirroring.
  Redundancy: Can tolerate the failure of two or more disks as long as both disks in a mirror do not fail.
  Comments: Frequently used in scenarios where performance and redundancy are important, and the cost
  of the additional disks required is acceptable.
Selecting a RAID Level

You can configure different levels of RAID. When you configure a RAID level, you have to be aware of the
following implications:

Performance implications. Some RAID levels provide very high performance whereas other RAID
levels provide much worse performance. Some RAID levels provide high read performance, but
reduced write performance. You have to consider these performance characteristics when you select a
RAID level.

Level of redundancy. RAID levels also provide different levels of redundancy. Some RAID levels
cannot support the loss of any disks; some RAID levels can support the loss of one or more disks. You
have to consider your requirements for redundancy when you select a RAID level.

Storage use. RAID levels also have different levels of storage use. With some RAID levels, the storage
capacity for the RAID array is equal to the total amount of disk space for all disks in the array. For
other RAID levels, one or more disks might be used to store parity information. With disk mirroring,
the RAID array storage capacity is half of the storage capacity of the disks.

In most cases, you have to select which of the three options are most important for your RAID
implementation. Each RAID level provides a high level of functionality for one or two options, but no RAID
level provides high functionality for all options. This means that you have to evaluate the required RAID
level for each server or application separately.

Demonstration: How to Implement RAID by Using the Disk Management Console

In this demonstration, you will see how to implement mirroring and create a RAID-5 volume by using Disk
Management.

Demonstration Steps
1. Create a new mirrored volume.
2. Create a new RAID-5 volume.
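The Storage module cmdlets do not create dynamic-disk mirrored or RAID-5 volumes; the scriptable equivalent of the two Disk Management steps above is a script fed to diskpart.exe. The following is an added example, not part of the demonstration: it assumes Disks 1, 2 and 3 are empty, that M: and N: are free, and that converting those disks to dynamic is acceptable (software RAID volumes require dynamic disks, and a dynamic disk cannot later be added to a Storage Spaces pool without being cleaned first).

```powershell
# Added example, not from the demonstration. Creates a 1 GB mirrored volume (M:) on disks 1 and 2 and a
# RAID-5 volume (N:) across disks 1, 2 and 3 with a diskpart script. Disk numbers and letters are
# assumptions for this example; check Get-Disk first, because diskpart will happily destroy data.
$disks = 1, 2, 3
$lines = foreach ($d in $disks) {
    "select disk $d"
    'online disk noerr'                     # no-op if the disk is already online
    'attributes disk clear readonly noerr'
    'convert mbr noerr'                     # initializes a RAW disk; ignored if already MBR
    'convert dynamic noerr'                 # mirrored and RAID-5 volumes require dynamic disks
}
$lines += @(
    'create volume mirror size=1024 disk=1,2'   # the new volume receives focus, so assign/format apply to it
    'assign letter=M'
    'format fs=ntfs label="MirrorVol" quick'
    'create volume raid size=1024 disk=1,2,3'   # for RAID-5, size is per disk: 3 x 1024 MB gives 2 GB usable
    'assign letter=N'
    'format fs=ntfs label="Raid5Vol" quick'
    'list volume'
    'exit'
)
$script = [System.IO.Path]::GetTempFileName()
Set-Content -Path $script -Value $lines -Encoding ASCII
try {
    & diskpart.exe /s $script
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item -Path $script -Force
}
```

Run it from an elevated console. The `noerr` suffix keeps diskpart going when a preparatory step is already satisfied (disk already online, already MBR, already dynamic), so the script can be re-run against disks in either state; the create/format lines deliberately have no `noerr`, so any failure there stops the script before a half-configured volume is assigned a letter.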

Lab: Implementing Storage in Windows Server


Scenario


A. Datum has just procured a new server, and it is your job to add storage to the new infrastructure. You
will add disks of various sizes by using different methodologies.

Objectives
After completing this lab, you will be able to:

Create and mount a VHD drive.

Create and make available new volumes.

Change the sizes of the volumes.

Create a fault-tolerant disk configuration using Storage Spaces

Lab Setup
Estimated Time: 50 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
follow these steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: ADATUM
5. Repeat the previous steps for 10967A-LON-SVR1.

Exercise 1: Creating and Mounting a VHD File

Scenario
A. Datum wants to use Hyper-V virtual hard disks for disk management. You are asked to create and mount a
VHD file. Windows PowerShell should be used to verify the newly created disk drive.
The main tasks for this exercise are as follows:
1. Create and initialize a virtual hard disk
2. Use Windows PowerShell to identify the newly created disk, bring the disk online and initialize it

Task 1: Create and initialize a virtual hard disk
1. Ensure you are signed in to the 10967A-LON-SVR1 virtual machine with user name
   ADATUM\Administrator and password Pa$$w0rd.
2. In Disk Management, create a new .vhd file with the following configuration:
   Location and filename: C:\Temp\LON-SVR1-Disk7
   Virtual hard disk size: 7 GB
   Virtual hard disk format: VHD
   Virtual hard disk type: Dynamically expanding

Task 2: Use Windows PowerShell to identify the newly created disk, bring the disk online and initialize it
1. Open the Windows PowerShell console.
2. Use the Get-Disk cmdlet to list all disks present on the Windows Server 2012 server and identify the
   disk that has just been created.
3. Use the Set-Disk cmdlet with the Number and IsOffline parameters to bring the .vhd-backed disk online.
4. Find a Windows PowerShell cmdlet that can initialize the newly created disk.
5. Use the newly discovered cmdlet with the Number and PartitionStyle parameters to initialize the
   disk with a Master Boot Record (MBR) partition style.

Results: After this exercise, you should have a Hyper-V .vhd file.
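As an added example (not part of the original lab text), the following Windows PowerShell script performs Task 2 end to end. It assumes the .vhd has already been created and attached in Disk Management as described in Task 1, that it is the only file-backed, still uninitialized disk on LON-SVR1, and that the console is elevated; the variable names are my own.

```powershell
# Added example, not part of the original lab. Assumes the .vhd was created and attached in Disk
# Management as in Task 1 and is the only file-backed, still-RAW disk on LON-SVR1. Run elevated.
# (Optional: if the Hyper-V module is installed, the GUI step can be scripted instead with
#   Mount-VHD -Path (New-VHD -Path 'C:\Temp\LON-SVR1-Disk7.vhd' -SizeBytes 7GB -Dynamic).Path )

# Step 2: list every disk, then pick out the VHD-backed one. A disk attached from a .vhd file reports
# BusType 'File Backed Virtual'; a brand-new one has PartitionStyle RAW and is offline.
Get-Disk | Format-Table Number, FriendlyName, BusType, PartitionStyle, OperationalStatus, Size -AutoSize

$vhdDisk = Get-Disk | Where-Object { $_.BusType -eq 'File Backed Virtual' -and $_.PartitionStyle -eq 'RAW' }
if (@($vhdDisk).Count -ne 1) {
    throw "Expected exactly one uninitialized VHD-backed disk, found $(@($vhdDisk).Count)."
}
$n = $vhdDisk.Number

# Step 3: bring the disk online. Offline disks cannot be initialized or partitioned.
Set-Disk -Number $n -IsOffline $false
# A disk attached read-only (for example a VHD opened with the read-only option) must also be made writable.
Set-Disk -Number $n -IsReadOnly $false

# Steps 4 and 5: the cmdlet you are looking for is Initialize-Disk; MBR is what the lab requires.
# (GPT would be the choice for disks over 2 TB or when more than four primary partitions are needed.)
Initialize-Disk -Number $n -PartitionStyle MBR

# Verify the end state: online, writable, MBR, 7 GB.
Get-Disk -Number $n | Select-Object Number, BusType, PartitionStyle, IsOffline, IsReadOnly,
    @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
```

Treat an attached VHD like removable media: Windows mounts whatever file systems the file contains, so only attach .vhd files from trusted locations, and detach the disk (Disk Management's Detach VHD, or Dismount-VHD from the Hyper-V module) when you are finished with it.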

Exercise 2: Creating and Making Available New Volumes

Scenario
You are asked to create a 2 GB NTFS volume and a 10 GB ReFS volume to be used as shared drives. The drives
will initially use the letters J and K respectively.
The main tasks for this exercise are as follows:
1. Create two new simple volumes
2. Change the new disks' drive letters
3. Mount the new volumes

Task 1: Create two new simple volumes
1. Ensure you are signed in to the 10967A-LON-SVR1 virtual machine with user name
   ADATUM\Administrator and password Pa$$w0rd.
2. Locate Disk 1, bring it online and initialize it.
3. On Disk 1, create a New Simple Volume with the following details:
   Simple volume size in MB: 2000
   Assign the following drive letter: J
   File system: NTFS
   Volume label: SimpleVol_NTFS
4. Format the new volume.
5. Verify that the volume is available in File Explorer.
6. On Disk 2 (bringing it online and initializing it first, if necessary), create another New Simple Volume
   with the following details and verify that it is created successfully:
   Simple volume size in MB: 10000
   Assign the following drive letter: K
   File system: ReFS
   Volume label: SimpleVol_ReFS

Task 2: Change the new disks' drive letters
1. On the 10967A-LON-SVR1 virtual machine, open the Disk Management console.
2. Assign the NTFS volume SimpleVol_NTFS the drive letter R.
3. Assign the ReFS volume SimpleVol_ReFS the drive letter S.
4. Verify that the volumes' drive letters have changed in File Explorer.

Task 3: Mount the new volumes
1. On the 10967A-LON-SVR1 virtual machine, open the Disk Management console.
2. Mount the SimpleVol_NTFS volume so that it is also accessible via the folder path
   C:\MountedVolume_NTFS.
3. Mount the SimpleVol_ReFS volume so that it is also accessible via the folder path
   C:\MountedVolume_ReFS.
4. Verify that, once mounted, both are accessible as expected.

Results: After this exercise, you should have a 2 GB NTFS volume and a 10 GB ReFS volume
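The three tasks above, done from Windows PowerShell instead of Disk Management, as an added example that is not part of the original lab. It assumes Disk 1 and Disk 2 are the spare, empty disks on LON-SVR1 (confirm with Get-Disk first) and that the letters J, K, R and S are free; the `$mounts` table and variable names are my own.

```powershell
# Added example, not part of the original lab. Assumes Disk 1 and Disk 2 are the spare, empty disks on
# LON-SVR1 (check with Get-Disk first) and that J:, K:, R: and S: are free. Run elevated.
$ntfsDisk = 1
$refsDisk = 2

# Bring both disks online and initialize them; Disk 2 needs this too, even though Task 1 only mentions Disk 1.
foreach ($n in $ntfsDisk, $refsDisk) {
    $d = Get-Disk -Number $n
    if ($d.IsOffline)  { Set-Disk -Number $n -IsOffline $false }
    if ($d.IsReadOnly) { Set-Disk -Number $n -IsReadOnly $false }
    if ($d.PartitionStyle -eq 'RAW') { Initialize-Disk -Number $n -PartitionStyle GPT }
}

# Task 1: one simple volume per disk. New-Partition emits the partition object, which Format-Volume
# accepts from the pipeline, so create-and-format is a single statement.
New-Partition -DiskNumber $ntfsDisk -Size 2000MB -DriveLetter J |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'SimpleVol_NTFS' -Confirm:$false | Out-Null
New-Partition -DiskNumber $refsDisk -Size 10000MB -DriveLetter K |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'SimpleVol_ReFS' -Confirm:$false | Out-Null

# Task 2: reassign the drive letters (J -> R, K -> S).
Set-Partition -DriveLetter J -NewDriveLetter R
Set-Partition -DriveLetter K -NewDriveLetter S

# Task 3: expose each volume additionally through an NTFS folder mount point. The folder must exist,
# be empty and live on an NTFS volume (C: here).
$mounts = @{ 'R' = 'C:\MountedVolume_NTFS'; 'S' = 'C:\MountedVolume_ReFS' }
foreach ($letter in $mounts.Keys) {
    New-Item -ItemType Directory -Path $mounts[$letter] -Force | Out-Null
    Get-Partition -DriveLetter $letter | Add-PartitionAccessPath -AccessPath $mounts[$letter]
}

# Verify letters, labels, file systems and access paths.
Get-Volume | Where-Object { $_.FileSystemLabel -like 'SimpleVol_*' } |
    Format-Table DriveLetter, FileSystemLabel, FileSystem,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } } -AutoSize
Get-Partition | Where-Object { 'R', 'S' -contains $_.DriveLetter } | Select-Object DriveLetter, AccessPaths
```

Before either volume is shared, review its root ACL (`Get-Acl R:\`): a freshly formatted volume carries Windows' default root permissions, which are broader than most file-share data should have, and a mount point adds a second path (C:\MountedVolume_NTFS) through which the same data is reachable.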

Exercise 3: Vary the Sizes of the NTFS and ReFS Volumes

Scenario
You receive an email from your manager asking you to double the size of the NTFS volume you just
created and to shrink the ReFS volume down to half its original configured size.
The main tasks for this exercise are as follows:
1. Extend the size of the NTFS volume
2. Shrink the size of the ReFS volume

Task 1: Extend the size of the NTFS volume
1. On the 10967A-LON-SVR1 virtual machine, in the Disk Management console, locate the
   SimpleVol_NTFS volume.
2. Extend the volume by 2 GB.
3. Verify that the NTFS volume size has increased from 2 GB to 4 GB and that it is still accessible.

Task 2: Shrink the size of the ReFS volume
1. On the 10967A-LON-SVR1 virtual machine, in the Disk Management console, locate the
   SimpleVol_ReFS volume.
2. Attempt to shrink the volume to approximately 5 GB.
3. Verify that the ReFS volume could not be shrunk (Disk Management does not offer Shrink Volume for a
   ReFS volume).


Results: You have expanded the NTFS volume to 4 GB but have been unable to shrink the ReFS volume, because
shrinking a ReFS volume is not supported. If your manager insists on a ReFS volume of the reduced size, the
volume will need to be re-created.
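The same two resize attempts from Windows PowerShell, as an added example that is not part of the original lab. It assumes the Exercise 2 volumes are now R: (NTFS, 2 GB) and S: (ReFS, 10 GB); `Resize-VolumeSafely` is a helper written for this example, not a built-in cmdlet. The point it adds is the check: Get-PartitionSupportedSize tells you in advance what a partition can be resized to, which is how you find out that ReFS will not shrink without first trying and failing.

```powershell
# Added example, not part of the original lab. Assumes the volumes from Exercise 2 are now R: (NTFS, 2 GB)
# and S: (ReFS, 10 GB). Resize-VolumeSafely is a helper for this example, not a built-in cmdlet.
function Resize-VolumeSafely {
    param(
        [Parameter(Mandatory)] [char]   $DriveLetter,
        [Parameter(Mandatory)] [uint64] $TargetBytes
    )
    # Get-PartitionSupportedSize reports the smallest and largest size the partition can be resized to,
    # taking the file system's ability to shrink and the free space after the partition into account.
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    if ($TargetBytes -lt $limits.SizeMin -or $TargetBytes -gt $limits.SizeMax) {
        Write-Warning ('{0}: target {1:N0} bytes is outside the supported range {2:N0} to {3:N0}; not resizing.' -f
            $DriveLetter, $TargetBytes, $limits.SizeMin, $limits.SizeMax)
        return $false
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $TargetBytes
    return $true
}

# Task 1: double the NTFS volume (2 GB -> 4 GB). SizeMax is only large enough if unallocated space
# follows the partition on its disk; extending never moves data, it only claims adjacent free space.
$ntfsSize = (Get-Partition -DriveLetter 'R').Size
$grew = Resize-VolumeSafely -DriveLetter 'R' -TargetBytes ([uint64]($ntfsSize * 2))

# Task 2: try to halve the ReFS volume (10 GB -> 5 GB). ReFS cannot shrink, so SizeMin should come back
# no smaller than the current size and the helper refuses rather than letting Resize-Partition fail.
$refsSize = (Get-Partition -DriveLetter 'S').Size
$shrank = Resize-VolumeSafely -DriveLetter 'S' -TargetBytes ([uint64]($refsSize / 2))

"NTFS grown: $grew; ReFS shrunk: $shrank"
Get-Volume | Where-Object { $_.FileSystemLabel -like 'SimpleVol_*' } |
    Format-Table DriveLetter, FileSystem,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } } -AutoSize
```

Expected outcome under those assumptions: the first call returns True and R: reports about 3.9 GB; the second returns False with the warning, and S: is unchanged. Because the guard reads the supported range before touching the partition, the helper is safe to run against a production volume where a failed resize would be more than an inconvenience.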

Exercise 4: Creating a Fault-Tolerant Disk Configuration by Using Storage Spaces

Scenario
You now receive an email from your manager asking you to create a storage pool for use with some file
shares that will be created.
The main tasks for this exercise are as follows:
1. Create a storage pool
2. Create a storage space virtual disk
3. Verify the virtual disk is available and functional
4. Add an additional physical disk to the storage pool
5. Remove a physical disk to simulate disk failure
6. Verify storage virtual disk state and data accessibility
7. Repair and verify the health of the virtual disk
8. Revert the lab machines

Task 1: Create a storage pool
1. Ensure you are signed in to 10967A-LON-SVR1 with user name ADATUM\Administrator and password
   Pa$$w0rd.
2. In Server Manager, click File and Storage Services, then Volumes, then Storage Pools.
3. Create a storage pool with the following settings:
   Name: StoragePool1
   Physical disks to add: PhysicalDisk3, PhysicalDisk4

Task 2: Create a storage space virtual disk
1. Create a Storage Spaces virtual disk with the following settings:
   Storage pool: StoragePool1
   Virtual disk name: VirtualDisk1
   Storage layout: Mirror
   Provisioning type: Thin
   Size of the virtual disk: 4 GB
2. Create a volume on the virtual disk with the following settings:
   Server: LON-SVR1
   Virtual disk: VirtualDisk1
   Size of the volume: Default (maximum available capacity)
   Drive letter: T
   File system: NTFS
   Volume label: VirtualDiskMirVol

Task 3: Verify the virtual disk is available and functional
Create a file, Test File.txt, on the volume VirtualDiskMirVol on drive T:.

Task 4: Add an additional physical disk to the storage pool
Add an additional disk, PhysicalDisk5, to the storage pool.

Task 5: Remove a physical disk to simulate disk failure
In Server Manager, in Storage Pools and then the Physical Disks section, remove PhysicalDisk4.

Task 6: Verify storage virtual disk state and data accessibility
1. Open File Explorer and verify that the text file, Test File.txt, that was created earlier is still available
   and accessible.
2. Check the health status of the VirtualDisk1 virtual disk.

Task 7: Repair and verify the health of the virtual disk
1. Repair the VirtualDisk1 virtual disk.
2. Verify the health of the virtual disk, and also that the .txt file created earlier is still available and
   accessible.

Task 8: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this,
follow these steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR1.

Results: You have created a storage pool and a virtual disk, and have verified that the data on the volume
remained intact through a simulated catastrophic disk failure (removing a physical disk from the pool).
Question: What kind of storage is easiest to configure and why?
Question: How would you determine the kind of storage to implement?
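Tasks 1 to 7 of this exercise from Windows PowerShell, as an added example that is not part of the original lab. It assumes PhysicalDisk3, PhysicalDisk4 and PhysicalDisk5 are spare, poolable disks on LON-SVR1 and that T: is free. Where Server Manager lets you remove an in-use disk outright, the supported command-line sequence is retire, repair, remove, so Task 5 is simulated by retiring PhysicalDisk4; the two helper functions are my own names.

```powershell
# Added example, not the lab's own steps. Assumes PhysicalDisk3, PhysicalDisk4 and PhysicalDisk5 are
# spare, poolable disks on LON-SVR1 and that T: is free. Run in an elevated PowerShell console.
$poolName = 'StoragePool1'
$vdName   = 'VirtualDisk1'
$testFile = 'T:\Test File.txt'
$payload  = 'storage spaces mirror test'

function Get-LabVirtualDiskState {
    # Health and operational status of the lab virtual disk, for the checks in Tasks 6 and 7.
    Get-VirtualDisk -FriendlyName $vdName |
        Select-Object FriendlyName, HealthStatus, OperationalStatus, ResiliencySettingName, Size
}

function Wait-LabStorageJobs {
    # Repairs run as background storage jobs; wait (up to 10 minutes) for all of them to finish.
    $deadline = (Get-Date).AddMinutes(10)
    while ((Get-Date) -lt $deadline -and (Get-StorageJob | Where-Object { $_.JobState -ne 'Completed' })) {
        Start-Sleep -Seconds 5
    }
}

# Task 1: create the pool from two poolable disks.
$subsys = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
$disks  = Get-PhysicalDisk -CanPool $true | Where-Object { $_.FriendlyName -in 'PhysicalDisk3', 'PhysicalDisk4' }
New-StoragePool -FriendlyName $poolName -StorageSubSystemUniqueId $subsys.UniqueId -PhysicalDisks $disks | Out-Null

# Task 2: thin-provisioned 4 GB two-way mirror, then a single NTFS volume on it as T:.
$vd = New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
        -ResiliencySettingName Mirror -ProvisioningType Thin -Size 4GB
$disk = $vd | Get-Disk
if ($disk.IsOffline) { Set-Disk -Number $disk.Number -IsOffline $false }
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter T |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'VirtualDiskMirVol' -Confirm:$false | Out-Null

# Task 3: write a test file whose content we can check after the "failure".
Set-Content -Path $testFile -Value $payload -Encoding ASCII

# Task 4: grow the pool with a third disk; this gives the mirror somewhere to rebuild to later.
Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks (Get-PhysicalDisk -FriendlyName 'PhysicalDisk5')

# Task 5: simulate the loss of PhysicalDisk4. Retiring it takes it out of service; the virtual disk
# stays online because its mirror copy lives on PhysicalDisk3.
Set-PhysicalDisk -FriendlyName 'PhysicalDisk4' -Usage Retired

# Task 6: the data must still be readable, and the virtual disk should no longer report Healthy.
if ((Get-Content -Path $testFile) -ne $payload) { throw 'Test file unreadable or changed after disk retirement' }
Get-LabVirtualDiskState

# Task 7: rebuild the mirror onto the remaining disks, then detach the retired disk from the pool.
Repair-VirtualDisk -FriendlyName $vdName
Wait-LabStorageJobs
Remove-PhysicalDisk -StoragePoolFriendlyName $poolName `
    -PhysicalDisks (Get-PhysicalDisk -FriendlyName 'PhysicalDisk4') -Confirm:$false
Get-LabVirtualDiskState
if ((Get-Content -Path $testFile) -ne $payload) { throw 'Test file unreadable or changed after repair' }
```

Two practitioner notes. A two-way mirror survives one disk, not two, and repairs only complete while the pool has enough free capacity on other disks to re-create the lost copy, which is why Task 4 adds PhysicalDisk5 before the failure. And, as with the RAID discussion earlier in the module, the mirror faithfully replicates deletions and ransomware encryption; the resilience shown here is no substitute for a backup of T:.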

Module Review and Takeaways

Common Issues and Troubleshooting Tips
Common Issue                                                                  Troubleshooting Tip
Determining the allocation unit when formatting a drive with a file system
General storage configuration issues

Review Question(s)
Question: What are the different kinds of disks?
Question: What are some different storage technologies?
Question: What are the most important implementations of RAID?
Question: What options are available for fault tolerance in Storage Spaces?

Tools

Tool                  Use for                                     Where to find it
Diskpart              Manipulating disks and volumes.             Command Prompt (run diskpart.exe).
FSUtil                Manipulating files and storage services.    Run fsutil.exe from the command line.
Windows PowerShell    Managing and configuring storage and        The Storage module, which includes the
                      Storage Spaces.                             Storage Spaces cmdlets (New-StoragePool,
                                                                  New-VirtualDisk, Repair-VirtualDisk), is
                                                                  part of the operating system.
Disk Management       Managing disks and volumes.                 Server Manager (Tools > Computer
                                                                  Management), or run diskmgmt.msc.

Module 3
Understanding Network Infrastructure
Contents:
Module Overview                                          3-1
Lesson 1: Network Architecture Standard                  3-2
Lesson 2: Local Area Networking                          3-9
Lesson 3: Wide Area Networking                           3-15
Lesson 4: Wireless Networking                            3-21
Lesson 5: Connecting to the Internet                     3-28
Lesson 6: Remote Access                                  3-32
Lab: Selecting Network Infrastructure Components         3-38
Module Review and Takeaways                              3-41

Module Overview

Networks are a critical component of an effective Windows Server infrastructure. Most computing
systems today are connected in some way to a network. A typical corporate network has many
components and can connect a computer to other computers in the next room, across a city, or on the
other side of the globe.

This module reviews the general characteristics of computer networks and introduces components and
concepts associated with networks, providing you with the basic information required to understand the
fundamentals of a network computing environment.

Objectives
After completing this module, you will be able to:

Describe physical network topologies and standards.

Define local area networks (LANs).

Define wide area networks (WANs).

Describe wireless networking technologies.

Explain how to connect a network to the Internet.

Describe how technologies are used for remote access.

Lesson 1
Network Architecture Standard

A network is created by using several different physical components and logical standards that define the
specific qualities of a network. Network architecture refers to the set of physical components and logical
standards that provide the basis for communication in a network.

In order to troubleshoot a network environment, you must understand the composition and capabilities
of the network's architecture.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802 standards.

Describe fundamental network topology and components.

Describe network architecture.

Describe network access methods.

IEEE 802 Standards

The Institute of Electrical and Electronics Engineers (IEEE) is a not-for-profit organization that, among
other things, manages and defines technical standards in a range of industrial and academic areas, such as
telecommunications, electrical engineering, and aerospace. Generally, these standards define specific
qualities of a technology so that devices such as network adapters, switches, and cables that are
manufactured by different vendors can work together on the same network. This module examines the
standards that define computer networking and how to implement a suitable network infrastructure, based
on these specifications, to meet the requirements of IT professionals. The specifications that the various
devices must meet (for example, frequency ranges, power consumption, and data throughput) can then be
implemented in a physical computer network.

One of the most significant and recognizable computer networking standards is the IEEE 802 family of
standards, which define the functionality of different aspects of a network environment. The IEEE 802
standard has more than 15 sub-standards that apply to specific technologies found in a network
environment. Only some of the standards are discussed in this section; others will be discussed in more
detail later in this module and in the next module. All have different data flows (that is, how the data is
moved around the network) and, as such, might have different physical requirements for implementing
them. They also have varying performance and security capabilities, in addition to different associated
costs. Therefore, some specifications are more widely used than others. Some of the more important IEEE
802 standards you might have seen are listed here. (Notice that some of the 802.x standards have
subcategories within each standard definition.)


IEEE 802.3. The 802.3 working group defines wired Ethernet network standards. This is generally a
local area network (LAN) technology, which you would see in a typical office environment, with some
wide area network (WAN) or metropolitan area network (MAN) applications.

IEEE 802.5. The 802.5 working group defines token ring network standards. Currently this group is
inactive and the information has been archived for historical purposes.

IEEE 802.11. The 802.11 working group defines standards for wireless local area networks (WLANs) in
the 2.4, 3.6, 5 and 60 gigahertz (GHz) frequency bands. This group of standards generally uses radio
frequency spectrum for the sending and receiving of data. The 802.11 networks exist as the most
common form of wireless network and benefit from simple setup, node addition, and fairly low
implementation costs.

IEEE 802.15. The 802.15 working group defines wireless Personal Area Network (PAN) standards.
These wireless PANs address wireless networking of portable and mobile computing devices such as
computers, personal digital assistants (PDAs), peripherals, cell phones, pagers, and consumer
electronics. This group includes Bluetooth certification.

IEEE 802.16. The 802.16 group of standards governs broadband wireless WAN technology. The 802.16
standards are generally known as Worldwide Interoperability for Microwave Access (WiMAX). The 802.16
networks use microwave transmission for the sending and receiving of data and are typically used for
backbone connections for a telecommunications network or a high-capacity corporate WAN. Because of
the line-of-sight requirement for WiMAX devices to communicate, additional infrastructure such as
towers and large antennae are required for an 802.16 implementation. This can make implementation
costly.
More information about the IEEE standards can be found at the following website.
http://www.ieee.org

Network Components and Terminology


A network is a collection of devices connected to
one another to enable communication and the
sharing of resources. Most computer networks
share a common set of components and common
terminology regardless of differences in
implementation or technology that is used.
Some of the key components of a network are as
follows:
Data. This refers to the actual information that is being sent over a network.

Bit. The smallest unit of information handled by a computer. One bit expresses a 1 or a 0 in a binary
number, or a true or false logical condition. Network transmission rates are typically measured or displayed
in bits per second (bps) or in decimal multiples of it:
   Kilobits per second (Kbps) = 1,000 bits/sec
   Megabits per second (Mbps) = 1,000,000 bits/sec
   Gigabits per second (Gbps) = 1,000,000,000 bits/sec

Byte. A group of 8 bits makes up a single byte. This typically holds a single character, such as a letter,
a digit, or a punctuation mark. Some single characters require more than one byte; for example, in
languages such as Chinese, Japanese, and Thai, a character can need two or more bytes, depending on the
encoding used. Various standards outline how bytes translate to specific characters for a language. The
general industry standard is Unicode, which provides mappings for all languages.
More information about Unicode can be found at the following website.
http://www.unicode.org
More information about Unicode can be found at the following website.
http://www.unicode.org

Bytes are more usually used in relation to storage, defining how much data a hard disk can hold or provide.
Storage sizes are conventionally quoted in powers of two, so you need to be careful to interpret the terms
bit and byte, and their prefixes, correctly.

1 KiloByte (KB) = 2^10 = 1,024 bytes
1 MegaByte (MB) = 2^20 = 1,048,576 bytes
1 GigaByte (GB) = 2^30 = 1,073,741,824 bytes
1 TeraByte (TB) = 2^40 = 1,099,511,627,776 bytes

An important distinction between the two is that bits are indicated with a lowercase b, whereas bytes are
indicated with an uppercase B; a 100 Mbps link therefore carries at most 12.5 MB per second. Ultimately,
computers store data as a series of 1s and 0s, which are converted to a format that humans can understand
and interpret.
Node. A network node refers to a device that either sends or receives data on a network. Computers are
typical nodes, but nodes can be other devices that are directly attached to the network, such as printers,
scanners, or handheld devices.
Client. A computer on a network that primarily receives data or uses other resources on the network is
known as a client.

Server. A server is a computer on a network that is primarily responsible for sharing or serving data and
resources to other computers on the network. A server typically provides access to shared files, services, or
devices such as printers for the whole network, and access to the Internet, intranet, or email services, in
addition to many other items.
Peer. A peer performs the functions of a client computer, but also provides shared resources like a server
does. Peers are common in small networks when a dedicated server is not necessary or cost-efficient.

Network Adapter. A network adapter is a device that enables a node to physically connect to a network.
It provides the interface between the hardware of the device connecting to the network and the network
itself. A computer or device could have wired and wireless network adapters.

Media. The physical material used to connect devices on a network is known as that network's media.
Media is typically a cable, but can also be wireless radio frequency, fiber-optic cables carrying light waves,
infrared, or some other less physical medium.
Hubs/switches/routers. These are devices that help direct and move data around and across networks.
Although there is some crossover in functionality, they each have specific uses and attributes. High-level
definitions follow here; they are discussed in more detail in the next module.
Hubs. These are the most basic kind of connecting device. They are used in a wired network to enable
devices to talk to one another by using Ethernet cables. Typically, multiple cables are plugged into a
single hub. No configuration is required or complex functionality supported.

Switches. Similar to hubs, switches are used in a wired network to allow devices to talk to one another by
using Ethernet cables. However, they provide much more control over how data is transferred between
devices than a hub. Switches direct communication only to the nodes that require the information.
Routers. These also allow for connecting devices and networks together and can be used in wired or
wireless networks. Routers provide the greatest amount of functionality and customization, such as


controlling network access, preventing data from accessing networks if it does not meet certain criteria,
and routing traffic to certain networks.

Transport protocol. A transport protocol refers to the set of rules that govern how data is packaged,
sent, and unpackaged when it is transmitted over the network. Different network architectures will have
protocols with different structures to accommodate how the network functions.

Bandwidth. This term can have several different interpretations, depending on the context. Common
usage would be in relation to the throughput or transmission speed at which a network operates, and it
would be rated as a function of data transmitted per second. Bandwidth can be measured in various
denominations but you will typically see it known as the following:

Kilobits per second (Kbps)

Megabits per second (Mbps)

Gigabits per second (Gbps).

An older use of the term is in relation to signal transmission methods. There are two
implementations:

Baseband transmissions, where a single signal is transmitted at a time along a single cable.

Broadband transmissions, where multiple signals are transmitted along a single cable at the same
time. For example, this might be in a home where Internet access and multiple cable television
channels are simultaneously being transferred with the same cable.

Network Architecture
Network architecture refers to both the set of
physical components that work together to
connect computers in a network and the
functional organization and configuration of those
components. Network architecture standards also
govern how data is packaged and transmitted on
a network.

A logical topology refers to how the data flows


between nodes on the network. Logical topology
is largely independent of the physical layout of
the network, known as the physical topology, but
there will be shared terminology between certain
kinds of physical and logical topologies. Logical topology is largely dependent on the network standard
used to implement data flow on the network. Network architecture can be generally discussed for LANs
and WANs.
LANs

LAN standards include the widely used Ethernet architecture and the older Attached Resource Computer
Network (ARCnet) and token ring architectures.
Ethernet
Ethernet's low cost, reliability and simplicity of implementation have made it the main architecture
standard found in modern networks. It is used in both small and large networking environments.


In basic form, an Ethernet network involves several nodes connected with copper wire cables to a hub or
switch. For larger bandwidth requirements, or long-distance connections, fiber-optic cable is frequently
used.

Ethernet has evolved into several specific standards. Over time, changes to network media, computing
technology, and bandwidth requirements have forced changes to the Ethernet standard to accommodate
the evolving network environment.

In a shared-medium Ethernet network (for example, nodes attached to a hub), data transmitted by any node
at any time travels along the media to all other connected nodes. A frame addressed to every node is known
as a broadcast. Every node detects a transmission, but only the nodes for which it was intended accept and
process the incoming data; a switch improves on this by forwarding a frame only to the port on which the
destination node is attached.
The various Ethernet cabling standards are named using a bandwidth value, the term BASE (for baseband
signaling), and then a number or letter designation. A bandwidth value of 100 indicates 100 Mbps. A
number indicates the approximate distance over which a signal can carry: for example, 2 represents
200 meters and 5 represents 500 meters. A descriptor letter or letters identify the cabling type: for
example, T indicates twisted-pair copper wire, and F, L, S and E indicate various kinds of fiber-optic cable.
The following table provides key characteristics of the most frequently implemented Ethernet standards.

Standard          Bandwidth
10BASE2           10 Mbps
10BASE5           10 Mbps
10BASE-T          10 Mbps
100BASE-TX        100 Mbps
100BASE-FX        100 Mbps
1000BASE-T        1 Gbps (1000 Mbps)
1000BASE-LX       1 Gbps
10GBASE-T         10 Gbps
10GBASE-LR/ER     10 Gbps

Ethernet networks that run at 100 Mbps are known as Fast Ethernet. Ethernet networks that run at 1 Gbps
are known as Gigabit Ethernet, and those that run at 10 Gbps as 10 Gigabit Ethernet.
Ethernet over Power Lines

In a scenario where network cabling is not easily available, you can use the existing power lines that carry
electricity to implement an Ethernet network; that is, the electricity and data are transferred over the
same cabling (often called powerline networking). A typical scenario would be in a home environment
where it is not possible to install a network cabling system or where there is poor wireless signal
reception. This approach can extend the network range by using existing power cabling. There are
limitations around power and distances, but it can provide relatively fast networks. Do not confuse this
with Power over Ethernet (PoE, defined in IEEE 802.3af and 802.3at), which does the opposite: it delivers
electrical power to devices such as IP phones, wireless access points and cameras over standard Ethernet
cabling.
Token Ring

The network nodes in token ring networks are arranged in a logical ring so that the data flows in a
circular motion. It relies on the use of a token, which passes around the network. If a node wants to send
data over the network, it takes the token, attaches its message to it, and then sends the data. The data
then travels around the ring until it arrives at its intended destination. Token ring uses primarily copper
wire for data transmission and can transmit at speeds of between 4 Mbps and 16 Mbps. Token ring was
common in early corporate networks as an alternative to Ethernet. However, it has been largely replaced
by Ethernet.

Note: Support for token ring networks was removed in Windows Server 2012.
Attached Resource Computer Network

ARCnet is a form of token bus network architecture for PC-based LANs. It works by transferring data
according to position or sequence numbers assigned to computers in the network (that is, 1, 2, 3, and so
on). This is not the most efficient method for data transfer. ARCnet can support up to 255 nodes but is
typically suitable for small networks. Different versions run at speeds of 2.5 Mbps, 20 Mbps (ARCnet Plus),
and 100 Mbps. ARCnet is now rarely used for new general-purpose networks.
Fiber Distributed Data Interface

Fiber Distributed Data Interface (FDDI) also uses a token-based approach to transmitting data on a
network, as outlined earlier for token ring networks. However, it uses primarily fiber-optic cable as a
medium for transmission and can span distances of 200 km at a speed of 100 Mbps. FDDI was used in the
early to mid-1990s to connect geographically separated networks. It has been largely replaced by
Ethernet; where it survives, it is mainly in mission-critical, high-traffic backbone networks.

All the architecture types discussed to this point are wired networks. There are also many wireless network
architecture types, such as WLAN (Wi-Fi), infrared, and Bluetooth. Ultimately, your requirements and your
ability to implement them (cost, hardware availability, and so on) will dictate which network architecture
you deploy.

Network Media Access Control Methods

When data is transmitted on a network, it travels along that network's media to reach its destination. The
set of rules that define how and when a node sends data along the media is called the network media
access control method.

On a computer network, data seems to move at


the same time from node to node without
interruption. Nodes give the illusion of
concurrent access by taking turns accessing the
network media for very short periods of time. If
two nodes were to transmit data onto the network
media at the same time, the data from each node
would collide along the media and the data would be destroyed. In an environment that has hundreds of
computers sharing the same network media, network media access control methods are critical to
ensuring network data is transmitted correctly to its destination.
There are two basic network media access control methods: contention-based access and deterministic
access. In contention-based access networks, the nodes share or contend for access to the media. In
deterministic access networks, the nodes determine how long data transmission and confirmation will
take for an orderly flow of data.
Contention-Based Access
Carrier Sense Multiple Access with Collision Detection
When Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is used as a network media
access control method, a node first listens on the network media to make sure that there is no existing
data transmission in progress from another node. If no other transmission signal is present, the node will
transmit its data. If a transmission signal exists on the network media, the node will wait for a small
interval of time before checking again, repeating this process until the media is free of other data
transmissions before it sends its own transmission.

When two nodes that want to send data check the network at the same time and find no existing
transmission, they will both transmit their data. This causes a data collision on the network. When this
occurs, both nodes detect the collision, stop transmitting data immediately, and send out a signal that
informs all nodes on the media that a collision has occurred and that they should not transmit. Then, the
nodes that caused the collision will wait for a random time before trying to retransmit their data.

CSMA/CD is the network media access method used for Ethernet networks. It provides the network with a
fast method of data transmission and collision resolution, but because concurrent data transmission and
collisions can occur, it becomes increasingly less efficient as more nodes are added to a specific segment
of network media. This is not as relevant in modern networks because hubs are used less and less: with a
switch, each port is its own collision domain with only two nodes per wire, and a full-duplex link has no
collisions at all.
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)

When CSMA/CA is implemented, nodes advertise their intent to transmit data on the network media
before actually transmitting the data. Nodes on the network media are constantly listening for the
advertisements of other nodes, and if an advertisement is detected, the node will avoid transmitting its
own data.

This method allows for nodes to more efficiently avoid collisions with data transmitted from other nodes
on the network media when you compare it to CSMA/CD. It also allows for more consistent
communication on the network media for data transmission notification, especially if intermittent node
connectivity is an issue or if a node is not always aware of every other node on the network media. This
makes CSMA/CA an excellent candidate for wireless networks. It has been accepted as the network media
access control method for the 802.11 group of wireless networking standards. CSMA/CA's collision
avoidance method does come at the cost of being generally slower than CSMA/CD.
Deterministic Access
Token Passing

Token passing is a method that uses a small piece of data or token to signify the intention to transmit
data. This token, together with the other data being sent, is passed around to all systems in the network.
When the token and data reach the intended destination, the data is passed to the destination system and
the token continues through the rest of the system until it reaches the originating system, confirming
transmission to the whole network. Both FDDI and token ring use the token passing method.
Demand Priority

Demand priority is a method that shifts network access control from the transmitting node to the hub.
Before transmitting data, a node must receive permission from the hub. The hub can provide both
high-priority and regular-priority transmission to the destination node. Demand priority guarantees
bandwidth and increases network traffic. Demand priority is used on 100 Mbps Ethernet networks.

Lesson 2

Local Area Networking

A LAN is the most basic and frequently implemented form of computer network. This lesson introduces
you to the LAN and its associated concepts and technologies.

The LAN is the building block for all major and more complex networks. So, this lesson will also familiarize
you with LAN structure, design, and implementation.

Lesson Objectives
After completing this lesson, you will be able to:

Describe LANs.

Describe how nodes on a LAN communicate.

Describe the physical components of a LAN.

Describe different LAN physical topologies.

Describe virtual LANs.

What Is a LAN?
A LAN is a computer network that typically covers
a specific physical area such as a home, office, or
closely built group of buildings, such as a school
campus or airport. LANs also typically feature a
high bandwidth capacity and can provide equal
bandwidth and network access to all nodes.
However, because of constantly improving
technology and the high bandwidth available in
modern networking technology, LANs are
becoming less dependent on geographic
proximity. Most modern LANs use the Ethernet
standard for network connectivity.

How Nodes on a LAN Communicate


Although communication between nodes on a LAN might seem to be constant, especially when the LAN is
used to offer functionality such as video conferencing, as described earlier, it is not. Rather,
communication on a LAN consists of shared access to the network media by using short transmissions of
relatively small pieces of data, which allows all nodes on the network to have access. In most cases, the
data a user interacts with on a LAN (such as a file, video conference, or print job) is far too large to be
contained in a single transmission from a node. For a LAN to deliver these large amounts of data, the
information must be broken down into units called network frames.

A network frame contains a part of the original data being sent, together with network-specific
information about the frame's sender, the frame's recipient, and information that allows the frame to be
reassembled into readable data at its destination. A frame also contains error-checking information, a
cyclic redundancy check (CRC) value, that allows it to be retransmitted from the sender should it not
arrive at its destination as planned. The actual structure of a frame depends on the kind of network being
used. For example, an Ethernet frame will differ slightly in structure from a token ring frame. Frames are
described in more detail in the next module.
Every node on the LAN has a unique network address and this unique identifier allows each frame to
contain the information about where it is going and where it is coming from. This unique address allows
for simple and precise delivery methods throughout the LAN and also allows for each node to be
distinctly identifiable on the network.

A media access control (MAC) address is the most basic form of unique identifier for a node on a LAN.
MAC addresses are assigned to all network adapters at the time of manufacture and are most frequently
represented in hexadecimal format (for example, 00-22-FB-8A-41-64).
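The frame fields and the MAC address format from the two preceding paragraphs can be made concrete by building and checking a frame in code. The Python below is an added example, not courseware material. It assumes the Ethernet II layout (6-byte destination MAC, 6-byte source MAC, 2-byte EtherType, payload padded to at least 46 bytes, 4-byte frame check sequence), computes the CRC-32 that the Ethernet FCS uses with zlib, and classifies a destination address as broadcast, multicast, or unicast from the low bit of its first octet. The sample frame is constructed for the example and uses the MAC address from the text. One caveat worth keeping in mind: the CRC detects accidental corruption, but it is not keyed, so anyone who can alter a frame can also recompute it; integrity against tampering needs a cryptographic mechanism such as MACsec or IPsec, not the FCS.

```python
"""Build and check a minimal Ethernet II frame: MAC header, payload and CRC-32 FCS.

Added example, not from the courseware. The FCS is the CRC-32 that zlib.crc32
computes (IEEE 802.3 polynomial), transmitted least-significant byte first.
"""
import struct
import zlib

BROADCAST = "FF-FF-FF-FF-FF-FF"
MIN_PAYLOAD = 46  # Ethernet pads short payloads so a frame is at least 64 bytes


def mac_to_bytes(mac: str) -> bytes:
    """Parse '00-22-FB-8A-41-64' (or ':' separated) into 6 raw bytes."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def classify_mac(mac: str) -> str:
    """Broadcast, multicast or unicast, from the I/G bit of the first octet."""
    first = mac_to_bytes(mac)[0]
    if mac.upper().replace(":", "-") == BROADCAST:
        return "broadcast"
    if first & 0x01:      # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble header + padded payload and append the CRC-32 FCS."""
    if len(payload) < MIN_PAYLOAD:
        payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and verify the FCS; raises on a bad CRC."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("frame too short")
    body, fcs_bytes = frame[:-4], frame[-4:]
    expected = zlib.crc32(body) & 0xFFFFFFFF
    (received,) = struct.unpack("<I", fcs_bytes)
    if received != expected:
        raise ValueError(f"FCS mismatch: got {received:08X}, expected {expected:08X}")
    dst, src = bytes_to_mac(body[:6]), bytes_to_mac(body[6:12])
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "payload": body[14:], "dst_kind": classify_mac(dst)}


def fcs_detects_corruption(frame: bytes, byte_index: int) -> bool:
    """Flip one bit at byte_index and report whether parse_frame rejects the frame."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    try:
        parse_frame(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: an ARP request (EtherType 0x0806) to the broadcast address.
    f = build_frame(BROADCAST, "00-22-FB-8A-41-64", 0x0806, b"who-has 192.0.2.1?")
    info = parse_frame(f)
    print(info["dst_kind"], info["src"], hex(info["ethertype"]), len(f))
    print("corruption detected:", fcs_detects_corruption(f, 20))
```

The padded sample frame is exactly 64 bytes, the Ethernet minimum, and a single flipped bit anywhere in it is caught by the FCS, which is what lets a receiver discard a damaged frame so the sender's upper layers can retransmit.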

Physical Components of a LAN


The physical components of a LAN are responsible
for taking network data and transmitting it to its
destination along a physical media that connects
the nodes together. A LAN can vary in complexity
from two or three connected nodes in the same
room to thousands of nodes connected over a
large area. As such, LANs can consist of only a few
components or a large number of interconnected
components.
The most common physical LAN components are:

Network adapters. Network adapters provide the point of contact between a LAN node and the rest of
the network. A network adapter is typically connected to the network through a wire or cable.
Different network architectures (Ethernet, token ring) require different network adapters to interface
with the LAN. For example, an Ethernet network adapter will not function when connected to a token
ring network.

Wiring or cable. A LAN's wiring provides the physical media along which a LAN's data is sent. LAN
cable types vary and are classified into a number of different types according to the physical
qualities of the cable. Common cable types include:

Unshielded twisted pair (UTP). This cable is the most common type found in Ethernet LANs. It
consists of four pairs of copper wire twisted together and is usually terminated with what is called
an RJ-45 connector. The pairs of copper wires are twisted around each other to cancel out
electromagnetic interference, or crosstalk, as data moves along the cable, thus allowing for
better data integrity when received. Most technologies typically use just two of the four twisted
pairs. UTP is by far the most common cabling standard used in LANs.

Coaxial copper. This cable is used in older Ethernet networks. It uses a barrel-type BNC
connector and is typically terminated with a resistor.

Fiber-optic. This cable uses light transmitted along glass or fiber tubes, rather than the electrical
signals sent across copper-based cable. It is capable of transmitting data over longer distances
than copper and is typically used for connections that exceed the length restrictions of copper
cables or in areas where electromagnetic interference would prohibit the use of copper cable.

Hubs. As explained earlier, a hub is a device for connecting multiple nodes on a network. Each node
that is physically connected to the hub can communicate with all other nodes connected to the same
hub. When using a hub, a signal sent from any node on the hub is transmitted to every other node;
therefore, hubs have more collisions and are typically used only in small networks.

Switches. A switch performs the same basic functions as a hub, but it allows for more sophisticated
and efficient interaction with the data. As such, a switch can provide much improved performance
over a hub when any more than a few nodes are connected to the network. Because of the
comparative cost of network switches and hubs, switches have largely replaced hubs, even in small
networks.

Termination points. Termination points or jacks describe the physical termination of a network cable
that allows a node to physically connect to the LAN. Typically, termination points exist as wall plates
with an appropriate receptacle for a short network cable that runs from the jack to the network
adapter of the node device.

Wiring cabinets. Wiring cabinets or wiring closets provide a location where a number of hubs,
switches, or other LAN connectivity devices are located to provide a central point of connection for
LAN nodes located in a specific physical area such as a building or floor of a building. These locations
are typically a small room or closet.

LAN Physical Topology


A LAN's physical topology refers to the actual layout and connection of the physical components of a
LAN. The physical topology of a LAN is determined primarily by the network's size, architecture, and
required functionality.
Physical topology plays a key role in determining a LAN's bandwidth capability and overall
performance. As a result, physical topology is a very important part of LAN design, especially in
larger networks.
There are five main physical topology types:

Bus topology. In a LAN where physical bus topology is used, nodes are connected to each other in a
consecutive line along a segment of network media. The network media is then typically terminated
at each end with a special device or connector that acts as the boundary for that particular segment
or piece of the LAN. Bus topology technology has been largely replaced by star topology in LANs.

Advantages: A LAN using bus topology is easy to set up, it minimizes the amount of actual
cabling required, and the ability to quickly add systems makes it suitable for small LANs or
temporary networks.

Disadvantages: If one section of the network media becomes disconnected or breaks, the entire
network ceases to function. This makes a bus topology-based LAN difficult to troubleshoot. You
must also ensure that the endpoints are terminated correctly, and cable length considerations come
into play in terms of signal attenuation.

Ring topology. In a physical ring topology, nodes are connected in much the same way as with a bus
topology, but rather than each end of the network media being terminated, the ends are connected
together to form a ring. Ring topology technology has been largely replaced by star topology
technology in LANs.

Advantages: Similar to bus topology, a LAN using ring topology is easy to set up, and the ability
to quickly add systems makes it suitable for small LANs.

Disadvantages: Unfortunately, similar disadvantages that a LAN using bus topology faces also
exist in a LAN based on ring topology. The LAN is based on out-of-date technology; if one
section of the network media becomes disconnected or breaks, the entire network ceases to
function. This can make a LAN based on ring topology difficult to troubleshoot.

Star topology. When using star topology, nodes are not connected to each other as they are in a bus
or ring topology, but instead they are connected to a central device such as a hub or switch. Modern
Ethernet-based LANs typically use star topology for their physical configuration.

Advantages: LANs using star topology become more reliable on a node-by-node basis because
of the presence of the switch. With the addition of this device, nodes are dependent only on their
individual connection to the switch for access to the rest of the network. When using star
topology, the break or disconnection of a cable affects only the node using that specific cable,
making the LAN generally more reliable and easier to troubleshoot.

Disadvantages: LANs based on star topology typically require more hardware and planning to
implement, due primarily to the addition of the switch or hub device, in addition to the extra
length of network cable required to connect each node back to the centrally located switch or
hub. They also still contain a single point of failure: the network switch or hub. If this device fails,
the entire network ceases to function. Switches would be used more than hubs in modern
implementations.

Hybrid topology. Hybrid topology does not refer to a specific physical configuration, but rather to
the combination of one or more different topologies used together on the same LAN. The most
common form of hybrid topology consists of multiple star topology-based networks connected
together using bus topology to form a single LAN. LANs based on hybrid topology are very common,
and become necessary when designing large or complex LANs.

Mesh topology. In a LAN based on mesh topology, extra connections are added to provide a level of
fault tolerance to the network. In a mesh topology-based LAN, information has more than one path it
can take between at least two individual nodes. This addition of extra connections, or meshing, is
typically done for critical or high-traffic connections within the LAN. Mesh topology features two
separate forms of meshing.

Fully meshed. In this configuration, a direct link exists between every pair of nodes on the
network. This provides the highest level of fault tolerance available, but also cost and complexity
increase exponentially as more nodes are added to the network.

Partially meshed. Partially meshed LANs are far more common than their fully meshed
counterparts. They do not provide direct connections between every pair of nodes, but rather
introduce a number of redundant connections based on both providing fault tolerance and
maintaining a reasonable cost of implementation.

What Is a Virtual LAN?


A LAN is also known as a broadcast domain. This means that nodes connected to the LAN can
broadcast to communicate with one another, and every node within that LAN will receive the broadcast;
therefore, conceptually, they can be considered as part of a domain in which that broadcast is
received. Generally, routers do not propagate broadcasts, and so another definition of a LAN is a
collection of nodes bounded by routers.

Note: A broadcast is a specially addressed network frame that is processed by all nodes
connected to a LAN segment. Switches pass broadcasts. Routers typically do not. The destination
MAC address of a broadcast frame is FF-FF-FF-FF-FF-FF.

A virtual LAN (VLAN) is a virtual implementation of a LAN that allows you to control which nodes receive
which traffic and to group the nodes accordingly; that is, nodes in a different physical or geographical
location can behave as if they were on the same logical network. This is typically achieved with the use of
switches and software, whereby you can configure a switch, or switches, in such a way that traffic handled
between certain ports on the switch is treated as though it were traffic on a single LAN. Traffic from other
ports outside this VLAN is typically routed.
The advantage of implementing VLANs is that you can:

Exert a fine degree of control over how traffic moves through the network.

Control network bandwidth by configuring nodes that frequently communicate with one another
onto the same VLAN.

Easily reconfigure your VLAN to encompass more or fewer nodes. You might need to rewire the
network to achieve the same ends with a LAN.

Isolate network traffic to a specific VLAN; for example, to isolate computers that do not meet
organizational security requirements.
Question: What topology configuration might you recommend for a new Ethernet LAN
being built to connect computers located in several buildings together on a school campus?
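The broadcast-domain and VLAN behaviour described in this topic, and the MAC table that the earlier description of switches relies on, can be seen in a small switch simulation. The Python below is an added example written for this page, not the courseware's own material. It assumes an access-port model (each switch port belongs to exactly one VLAN and frames arrive untagged), keeps one MAC table per VLAN, learns source addresses as frames arrive, and floods broadcast and unknown-unicast frames only to ports in the same VLAN. The MAC addresses and the traffic sequence are constructed for the example. The isolation it shows holds only as far as the port-to-VLAN assignment is correct and inter-VLAN traffic is forced through a router or firewall that enforces policy; the switch itself does not inspect what it forwards.

```python
"""Simulate a VLAN-aware learning switch to show what a broadcast domain is.

Added example, not from the courseware. Ports map to VLAN IDs (access ports,
untagged frames). The switch learns source MACs per VLAN and floods broadcast
and unknown-unicast frames only within the ingress port's VLAN.
"""
from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


@dataclass
class VlanSwitch:
    port_vlan: dict                       # port number -> VLAN ID
    # per-VLAN MAC table: vlan -> {mac -> port}
    mac_table: dict = field(default_factory=lambda: defaultdict(dict))
    log: list = field(default_factory=list)

    def receive(self, in_port: int, frame: Frame) -> list:
        """Return the egress ports for a frame arriving on in_port."""
        vlan = self.port_vlan[in_port]
        table = self.mac_table[vlan]
        table[frame.src] = in_port        # learn where the sender lives
        members = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
        if frame.dst == BROADCAST or frame.dst not in table:
            egress = members              # flood inside this broadcast domain only
            reason = "broadcast" if frame.dst == BROADCAST else "unknown unicast, flooded"
        else:
            out = table[frame.dst]
            egress = [out] if out != in_port else []
            reason = "known unicast"
        self.log.append((in_port, vlan, frame.dst, reason, egress))
        return egress


def run_demo() -> dict:
    """Replay constructed traffic and return what each step produced."""
    # Ports 1-2 are staff (VLAN 10), ports 3-4 are guest (VLAN 20). Constructed MACs.
    sw = VlanSwitch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    a, b, g = "00-22-FB-8A-41-64", "00-22-FB-8A-41-65", "00-22-FB-00-00-01"
    results = {}
    # A broadcasts (for example an ARP request): only its VLAN 10 neighbour sees it.
    results["broadcast_from_A"] = sw.receive(1, Frame(src=a, dst=BROADCAST))
    # B replies to A: A was learned on port 1, so the frame is switched, not flooded.
    results["reply_B_to_A"] = sw.receive(2, Frame(src=b, dst=a))
    # Guest G addresses A's MAC directly. A is unknown in VLAN 20, so the frame
    # is flooded inside VLAN 20 only and never reaches port 1.
    results["guest_to_A"] = sw.receive(3, Frame(src=g, dst=a))
    results["mac_table"] = {v: dict(t) for v, t in sw.mac_table.items()}
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(step, outcome)
```

The third step is the one to study: knowing a node's MAC address is not enough to reach it across a VLAN boundary, because the switch consults only the MAC table of the ingress VLAN, which is what makes the "isolate computers that do not meet organizational security requirements" use case work.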

Lesson 3

Wide Area Networking

Computer networks are found all across the world. Organizations that operate those networks frequently
have multiple offices or locations in different cities, countries, or continents. These organizations often
require their networks to be connected to each other in order to meet their business needs,
but are unable to connect these locations together with LAN technology because of its high cost to
implement over long distances.
A WAN provides these organizations the ability to connect their networks regardless of geographic
boundaries, transcending the limitations of LAN technologies. WANs are the basis for the global level of
network connectivity that we have in today's computing environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe WANs.

Describe components of a WAN.

Describe WAN standards.

Describe T-Carrier and E-Carrier standards.

Describe Optical Carrier standards.

Describe Integrated Services Digital Network (ISDN).

Describe methods used to connect to the Internet using WAN components.

What Is a WAN?
A WAN is a geographically distributed network
composed of multiple LANs joined into a single
large network typically using leased or third-party
services.

A WAN is used primarily to connect a group of LANs together that belong to the same
organization or have a specific requirement of interconnectivity. Historically, technology used to
implement links that connect multiple LANs together to form a WAN has been relatively slow
and unreliable when compared with LAN capabilities. However, with evolving technology,
modern WAN links are capable of higher bandwidth and can make multiple interconnected LANs appear
as one large LAN to the users of the network in terms of network speed and resource access. In this way,
the lines between LANs and WANs have become somewhat blurred.
In general, LANs and WANs are different in several basic ways.


Speed. LAN cabling is primarily Ethernet with speeds up to 10 Gbps. WANs are typically slower, with
speeds up to 150 Mbps. Latency, the delay between when data is transmitted and when it is received,
is also frequently higher in a WAN.

Cost. LAN components are usually less expensive than WAN components. LANs can be constructed
from inexpensive cabling and network interface cards (NICs). WANs require specialized routing
equipment.

Complexity. LANs are easy to set up and expand. WANs, with a large number of users, require more
sophisticated optimization and communication plans.

Size. LANs are usually confined to a small geographic area like an office or school. WANs cover a
larger geographical area like a city or multi-location business and can even be on a global scale.

Dependency/Reliability. In a LAN, it is expected that everything is well connected and redundant. A
WAN is likely to depend on a single set of wires or connections to the provider running through the
same pipes. It is likely that a whole building could lose connectivity if building construction or some
other cause interferes with or breaks the wires. A site going offline on a WAN is more likely than multiple
nodes on a LAN going offline. Preventing WANs from going offline is more costly.

Physical Components of a WAN


A WAN may be composed of a number of different components, depending on the WAN technology
used and whether an organization's WAN has been self-constructed or consists of leased or rented
services from telecommunications companies.
Common WAN components are:

Bridge. A bridge allows for the connection of two or more network segments or LANs. A bridge
forwards network data between LANs and identifies nodes on the WAN by using the node's MAC
address. A bridge is the most basic way to connect two LAN segments together. Comparatively, it
functions like a two-port switch, the main difference being that it uses a MAC table to decide which
frames to forward to which side of the bridge. MAC addresses are described later in the course.

Router. A router is a device that is responsible for connecting individual networks together and
ensuring that the data traveling outside of any given network reaches its destination. Routers contain
a list of potential destinations, or routes, that they use to send and receive data from other networks. A
router relies on the IP protocol and does not use MAC table addressing. The network and the
router must be configured so that the router knows which IP address segments are where, and so
that the network nodes can distinguish between local and routed communication and send packets
either directly or to the router, requesting that it forward them. IP addressing is described in more detail
later in the course.

Leased line. A leased line refers to a WAN connection that is usually provided by a third party,
typically a telecommunications company. The telecommunications company uses its existing
equipment to connect one or more separate LANs together. This service can be implemented by
using a number of different technologies. The actual technology used is usually transparent to the
connected LANs, which will typically be connected to the leased line through a router that contains
the proper routes to the other connected LANs.

Backbone. A backbone segment of a WAN refers to a high-capacity section of the WAN over which
the bulk of WAN traffic will travel. In contrast to a leased line, many backbone segments are built and
owned by the organization operating the LANs connected by the backbone. This type of connection
allows for multiple LANs to be connected together at a high speed without having to pay ongoing
rental or leasing costs or rely on a third party for consistent WAN connectivity. Backbones do,
however, have the drawback of being relatively costly to implement.

What Are WAN Standards?


Most WAN networks rely on data sent through third-party telecommunications providers and
frequently make use of the provider's existing communications infrastructure to send data
between LANs. In this context, WAN connections use a number of different standards for data
transmission. These standards are typically chosen for bandwidth capability, but available technology
and regional location also play a part in determining what WAN standards are available to
an organization for the implementation of their WAN.
WAN standards typically define the method used to manipulate the data along the connection, in
addition to the bandwidth capability of a WAN connection and the media used.

WAN standards also use multiplexing to allow efficient use of WAN connections. Multiplexing refers to
the process of combining and sending multiple, simultaneous data transmissions over the same media.
This allows for higher bandwidth capability and shared usage of a single WAN connection.
Some of the more commonly known WAN standards are:

T-Carrier standards. T-Carrier standards are a group of standards implemented primarily in North
America and some parts of eastern Asia and Japan that govern digital data transmission.

E-Carrier standards. E-Carrier standards are a group of standards similar to the T-Carrier standards.
The E-Carrier standards were developed in Europe and used globally with the exception of the
regions that have adopted the T-Carrier standard as previously mentioned.

Optical Carrier Standards. Optical Carrier standards contain specifications for transmitting digital
data over fiber-optic networks.

ISDN. ISDN allows simultaneous voice and data transmission over existing public telephone network
infrastructure.

Digital Subscriber Line (DSL). DSL uses existing telephone network infrastructure to transmit data. It
involves the simultaneous transmission of both voice and data over the same physical line by using a
separate higher frequency for data transmission and a filter on the physical line to separate the
frequencies. DSL comes in two main types, both of which use a modem for sending and receiving the
signal along the telephone infrastructure. Companies tend to use it for backup lines or small offices.

Symmetric digital subscriber line (SDSL). SDSL allows equal bandwidth for both sending and
receiving data at the same speed.

Asymmetric DSL (ADSL). ADSL uses different data rates for sending and receiving, with the
sending bandwidth typically considerably lower than the receiving bandwidth. Because it is less
expensive to implement, ADSL is typically provided for residential use.

What Are the T-Carrier and E-Carrier Standards?


T-Carrier and E-Carrier standards are a family of
WAN standards used by telecommunications
companies to deliver digital communications over
long distances. T-Carrier is the standard most
commonly used in North America. The E-Carrier
standard, first developed in Europe, has been
adopted by most of the rest of the world.
The T-Carrier and E-Carrier standards are graded according to bandwidth capability in a T1, T2, T3,
and so on, or E1, E2, E3, and so on, format. However, T1/E1 and T3/E3 are the most common
and comprise the majority of T-Carrier-based or E-Carrier-based network implementations.

T1. A T1 line has a bandwidth capability of 1.544 Mbps. T1 typically uses two pairs of twisted-pair
copper wire as its media.

T3. A T3 line provides a bandwidth capability of 44.736 Mbps. T3 typically uses fiber-optic cable as its
media.

E1. An E1 line has a potential bandwidth of 2.048 Mbps. Similar to T1, E1 is typically carried over
copper wire-based media.

E3. An E3 line has a potential throughput of 34.368 Mbps. Like T3, E3 typically uses fiber-optic cable
as its media.

Optical Carrier Standards


OC-X standards refer to a set of specifications for
digital data over specifically designed fiber-optic
networks, Synchronous Optical Network (SONET)
in North America and Synchronous Digital
Hierarchy in the rest of the world. Designed for
high capacity, long-distance connections, optical
carrier connections are widely used as the
backbone of the Internet. OC-X connections are
also used as private connections and as a carrier
for bandwidth-intensive applications, such as
video conferencing.

The base bandwidth unit for an OC-X connection is 51.84 Mbps. For example, the OC-3 transmission
medium has three times the transmission capacity of OC-1.
Common OC-X classifications are as follows:

OC-1: 51.84 Mbps

OC-3: 155.52 Mbps

OC-12: 622.08 Mbps

OC-24: 1244.16 Mbps

OC-48: 2488.32 Mbps

OC-192: 9953.28 Mbps

OC-768: 39,813.12 Mbps

Optical Carrier standards are used throughout the industry. For example:

OC-12 is commonly used by ISPs for WAN connections at the regional or local level.

OC-48 is commonly used for larger ISP WAN backbones.

OC-768 has been used for transatlantic cabling.

What Is ISDN?
ISDN uses the preexisting public telephone
network to provide digital voice and data services.
In early WANs, ISDN was a very popular method
for connecting LANs together, but has since been
largely replaced by standards built on more
modern technology.
Similar to E-Carrier and T-Carrier networks, an ISDN connection uses individual 64 Kbps channels
to transmit data, although not using the same technology. An ISDN connection is also dial-on-demand
in nature, requiring a call to be placed on the line before a connection is made. However,
digital call placement on ISDN typically takes only one or two seconds.
ISDN has two common types:


Basic Rate Interface (BRI). BRI typically uses two 64 Kbps channels and supports a bandwidth of
128 Kbps.

Primary Rate Interface (PRI). PRI uses 23 64 Kbps channels and supports a bandwidth of 1.536
Mbps, roughly equivalent to the bandwidth of T1 and E1 lines. PRI ISDN connections are commonly
used as backup or alternate route connections for T1 or E1 connections.

Although everyday usage of ISDN is less common than it used to be, ISDN lines are still frequently used in
many parts of the world as low-cost backup connections to more robust WAN links.

Other WAN-Based Connection Technologies


Although private WANs and LANs are critical pieces of an organization's computing environment,
almost all require a connection to the rest of the world for communication outside of the
organization. Typically, this is through the public Internet.

In theory, the Internet exists as a large, global WAN. As a result, WAN-based technologies are used
extensively throughout the Internet to connect private LANs and WANs. These technologies are
typically implemented and operated by telecommunications providers who connect the end user to the
Internet by using their existing infrastructure as an intermediary network. This service is typically
leased or rented to individuals or organizations to give them access to Internet connectivity.
Along with the previously discussed T-Carrier, E-Carrier, and ISDN technologies, other common WAN-based
Internet connection technologies are:

Cable modem. Cable modems provide a service similar to that of DSL, but use the cable TV medium
as an intermediary connection to the Internet.

2G, 3G, and 4G wireless. Historically, mobile communications networks have been typically reserved
for voice communications over the wireless network. With the advent of faster, more robust networks
like 3G and 4G, however, the use of these networks for digital data transmission has become more
prevalent and has become a common method used by mobile computer users to access network
connectivity when not in a LAN environment.

2G is also known as Global System for Mobile Communication (GSM) and is an older technology.

3G is also known as Universal Mobile Telecommunications System (UMTS) in Europe and elsewhere.

LTE (long-term evolution of UMTS) is sometimes referred to in the context of 4G technology. It is seen
as a faster technology and is becoming more popular.

Lesson 4

Wireless Networking

Wireless networking has become an important part of both home and corporate networks. Wireless
networks allow nodes to operate apart from the confines of physically wired connections. The increased
mobility and freedom that a wireless network offers allow organizations to use computing resources in
ways not feasible using wired network components.
Wireless networks come in many configurations using multiple standards and different technology.

Familiarity with wireless networking components, terminology and standards is very important to overall
computer networking knowledge.

Lesson Objectives
After completing this lesson, you will be able to:

Understand the fundamental concepts about how wireless networks work.

Describe the components of a wireless network.

Describe 802.11.

Describe infrared and Bluetooth connectivity.

Describe attenuation and interference problems.

Describe different ways to secure wireless networks.

What Is Wireless Networking?

Humans are surrounded and constantly bombarded by various forms of radiation from the sun, light
waves, radio waves, microwaves, and other sources. The characteristics of these waves, and how they can
be identified, are outlined in what is known as the electromagnetic spectrum. This spectrum is a range of
frequencies and wavelengths that goes from very low to very high values. Each range of values within this
spectrum is bundled, from a naming point of view, according to specific characteristics so that we can
categorize and identify them. All the different wave types carry an electric or magnetic charge, and it is
this which, from a computing point of view, can be converted into 1s and 0s and interpreted by a
computer to allow data transfer.

Wireless networking typically operates in the radio and microwave frequency range. The frequencies and
wavelengths of the waves have characteristics that determine the distance they can travel and the speed at
which data can be transferred. Different types of waves also need different types of hardware to transmit
and receive the various signals, or need different specifications to outline who can use them.
A wireless computer network consists of two or more network devices connected together and able to
exchange information between each other by using some form of wireless technology; that is, no cables.

Wireless Networking Components

A wireless network consists of two or more network devices connected together by using some form of
wireless technology, typically using either radio-frequency or microwave transmission technology.

Although completely wireless networks are common in smaller LANs found in homes or small offices, wireless
networks are typically used to expand or extend a larger, traditionally wired network in corporate settings.
This could be in a LAN environment, providing network access to mobile users in a non-wired location such
as an outdoor area, or in a WAN environment, to connect to locations where physical network media like
copper or fiber are impossible or not cost effective.
The following are common components and terminology found in wireless networks:

Wireless network adapter. Like its wired counterpart, a wireless network adapter connects a node to
the wireless network and is capable of both sending and receiving information on the wireless
network.

Access point. An access point provides a means of connecting to the wireless network. This can be in
the form of another wireless network adapter or, more commonly, a centralized, dedicated access
point. This dedicated access point may or may not be used to connect the wireless network to an
existing wired network or LAN. An access point or multiple access points that are available publicly to
provide connection to Internet access are commonly known as hotspots. You would typically find
hotspots in airports, libraries, cafes, and other places.

Ad-hoc network. An ad-hoc wireless network consists only of wireless nodes connecting to each
other and has no centralized access point. Ad-hoc wireless networks are typically used for temporary,
peer-to-peer connections between two computers.

Infrastructure network. An infrastructure network is a wireless network that provides a centralized
access point for wireless network clients. Infrastructure networks are the most common wireless
network type used in enterprise network environments.

Service set identifier (SSID). An SSID is a string of characters that identifies and advertises a wireless
access point's existence to potential clients. This string is typically configurable to any alphanumeric
value, so it also provides a method of applying naming schemes to SSIDs if necessary.

What Is 802.11?
As previously noted, the IEEE 802.11 working
group of standards defines the aspects of WLANs.
802.11 is one of the most recognizable IEEE
standard categories, because of the widespread
use of the numeric identifier to refer to WLANs
and devices in general. The IEEE 802.11 working
group consists of four commonly used standards.

802.11a. These devices operate in the 5 gigahertz (GHz) radio frequency (RF) band. They offer a
theoretical bandwidth of 54 Mbps, but suffer from a relatively short range because of the technical
limitations of radio waves at 5 GHz.

Note: The 802.11 bandwidth is frequently discussed as theoretical. This is because factors
like distance from the access point, interference from other devices, and physical obstructions can
affect the wireless signal and decrease the actual bandwidth available to a client.

802.11b. These devices operate in the 2.4 GHz RF band and offer a slight improvement in range over
802.11a, especially when located in buildings or around multiple obstructions. However, the
maximum throughput of 802.11b is considerably lower than 802.11a at 11 Mbps.

802.11g. This was developed to combine the data throughput capabilities of 802.11a and the
increased range and reliability of 802.11b. It operates in the 2.4 GHz RF band and offers a theoretical
bandwidth of 54 Mbps.

802.11n. This is the most recently developed and published standard, and improves upon 802.11g in
both bandwidth and range. 802.11n also introduces the concept of multiple-input multiple-output
channels to allow the combining of multiple signals into a single data stream for increased network
throughput. Although the physical maximum throughput on an 802.11n network is 150 Mbps, the
ability to combine the signals of up to four physical antennae allows for a theoretical maximum
throughput of 600 Mbps. 802.11n is quickly becoming the most common form of 802.11 network
deployed.

The following table provides details about the most common 802.11 standards.
Standard   Released   Frequency     Data Rate   Indoor Range   Outdoor Range
802.11a    Sep 1999   5 GHz         54 Mbps     50 feet        100 feet
802.11b    Sep 1999   2.4 GHz       11 Mbps     150 feet       300 feet
802.11g    Jun 2003   2.4 GHz       54 Mbps     150 feet       300 feet
802.11n    Oct 2009   2.4-2.5 GHz   600 Mbps    300 feet       600 feet

Infrared and Bluetooth

Infrared technology uses infrared (IR) electromagnetic radiation to wirelessly connect various devices and
transmit data between them. The term infra comes from the Latin word meaning below; the range of
frequencies and wavelengths at which infrared operates borders the visible spectrum on the red side, hence
the term infrared. The opposite is ultraviolet, with ultra coming from the Latin word for above, and violet
from its bordering the visible spectrum on the opposite, violet, side. Thus neither IR nor ultraviolet is
visible to the human eye.

Infrared connectivity is a direct beam technology; that is, the connecting devices need to have direct line
of sight or an unblocked path between the transmitter and receiver (the signal cannot pass through walls).
It is typically used over relatively short distances and has been widely used on television/home
entertainment remote controls, some older laptops and mobile phones, cameras, and PDAs. Some medical
devices also used it. It would typically operate over ranges of about 1 to 3 meters and offer data transfer
rates up to about 4 Mbps. However, IR specifications are being actively worked upon and researched, and
these values will most likely improve over time.
Where interference or security is a potential issue with wireless radio transmissions, and line of sight or
distance is not an issue, IR could offer a potential solution for wireless device connectivity, but it has
become less and less popular. Most computers today would not have an IR capability built in. Computers
and devices, however, can use infrared ports to send and receive infrared signals.

The Infrared Data Association specifies and develops IR technology. More information about
the Infrared Data Association can be found at the following website.
http://www.irda.org

Bluetooth is a wireless radio frequency technology that is used to connect two or more portable devices
over short distances. You will typically see Bluetooth implementations in consumer devices such as
telephones, headsets, mice, keyboards, and Global Positioning Systems (GPS) in cars. It has an immediate
benefit over IR in that it doesn't require direct line of sight. It operates over a range of approximately
10 meters and can have data transmission speeds of potentially up to 24 Mbps, which allows it to transmit
voice and data successfully. It is also relatively inexpensive to implement and can have low power
requirements, which has helped it see broad adoption by manufacturers in consumer devices.

Bluetooth has had some security concerns in the past because of the ease with which devices using it could
be accessed or controlled. New specifications and changes in its implementation have led to improved
security, but as with all wireless devices, security must be a key part of the process before implementation
in any organization.

The IEEE adopted and defined the Bluetooth specification in the 802.15.1 standard but subsequent
updates have been implemented to the specification by the Bluetooth Special Interest Group (SIG), which
is a private, not-for-profit organization that drives Bluetooth specifications and adoption.

Attenuation and Interference

All the computer wireless technologies outlined previously use electromagnetic radiation, which travels as
waves, and as such these waves are subject to interference and attenuation like all the waves in the
electromagnetic spectrum. There's a complete science dedicated to how waves travel and interact with each
other and their surroundings, but this section describes just two areas of interest that have a direct
bearing on how you implement and manage your wireless networks.

Attenuation is the weakening of a transmitted signal. It can be caused by the medium through which it
passes (for example, air, water, glass, or concrete) simply absorbing the energy of the wave, and as a
result it can reduce the distance over which a signal can travel or the frequency range. This means that
depending on the signal type (infrared, Bluetooth, Wi-Fi radio frequencies), the signal will have maximum
ranges over which it will work successfully. All the wireless standards will say that they operate up to a
maximum of X range, but the maximum range is seldom attained. Variables such as the thickness of walls or
the amount of steel in buildings can have significant effects on signal strength. Having a wireless
transmitter in an area where there are thick concrete walls containing steel rods can significantly reduce
the range of any wireless signal. Other forms of attenuation include the distortion of a digital signal or
the reduction in amplitude of an electrical signal. Attenuation is usually measured in decibels and is
sometimes desirable, as when signal strength is reduced electronically, for example by a radio volume
control, to prevent overloading.
Interference is the interaction of other electromagnetic radiation signals on the wireless signal. This can
result in the signal not being clear enough to be received or interpreted correctly by a receiver. Each day
you are surrounded by electromagnetic noise such as radios, TV, microwaves, GPS, telecommunication
satellites, and mobile phones. There is a lot of competition for access to be able to broadcast on specific
areas of the spectrum. Governments typically license these areas to private companies to raise revenue.
This broadcast competition can cause interference in your wireless signal and reduce the quality of the
data you receive.
Even the weather can have an effect on your wireless signal. Items such as atmospheric pressure or even
sun activity, such as when we get an increased amount of electromagnetic radiation from the sun, can
interfere with or damage some wireless network data or equipment.
Various techniques and technologies have been developed to try to mitigate some of this interference,
but you need to be conscious of where you place your access points and receivers; for example, having
microwave ovens and access points next to each other would only increase the chances of interference
between the two.

If you deploy wireless networks within an organization, you should also be aware of what devices are
operating in that area and at what frequency ranges. Some will be generated by your organization and its
employees, and some will be external (TV, radio masts, and so on). As a result, some locations will prove to
be more suitable for access points than others. The structure of your building also has an impact, such as
rooftop versus basement, stairwells versus lift shafts, or beside support columns or on ceilings. Anywhere
there are large amounts of concrete or steel is typically bad for signal integrity and prone to wireless
signal attenuation and interference.

Securing Wireless Networks

With the ease of implementation and physical availability of wireless networks, security is a major
concern. Unlike a wired network, where a node needs to connect to a physical endpoint (typically inside a
building), a typical wireless network has no inherent physical security and is available as long as the
node trying the connection is within range of the access point.
As the effective range of wireless networks increases, this lack of physical security becomes a greater
concern. Unauthorized access to the network and the potential loss or theft of business data is a
considerable liability in an unsecured wireless network.

There are several different security protocols developed for 802.11 networks. The following provides two
examples:

Wired Equivalent Privacy (WEP). The WEP encryption standard was the original standard for
wireless LANs. It provides 128-bit and 256-bit encryption of data transmitted over the network. WEP
uses a shared passcode or security key for the encryption of data. Users connecting to a WEP-protected
network are asked to enter this key upon initiating connection to the network in order to be granted
access. The overall strength of WEP security lies in the complexity of this key. Short, simple keys that
are easily guessable compromise the overall security of the protocol. Multiple technical flaws were
discovered in the WEP protocol encryption algorithm and were quickly exposed by malicious hackers and
industry watchdogs. WEP is the weakest of all wireless security protocols, is considered to be outdated,
and has been largely superseded by other, more secure protocols.

Wi-Fi Protected Access (WPA). WPA standards provide an increased level of security and stability
over WEP. It is comprised of two different versions:

WPAv1. This was originally designed as a firmware upgrade to WEP. It allows for WEP-based
networks to be upgraded to the newer, more secure standard without the addition or replacement of
any devices. WPAv1 can use a variety of encryption algorithms.

WPAv2. This offers several technical improvements over WPAv1 but retains the same basic structure.
WPAv2 is the most secure and preferred method of encryption over most wireless networks.

Both WPAv1 and WPAv2 allow for two methods of security key configuration. They can use a single,
pre-shared key (PSK) that is used for universal access to the network in much the same way as a WEP key.
This method is known as WPA-Personal. The second method involves the incorporation of a Remote
Authentication Dial-In User Service (RADIUS) server to allow individual nodes to retain their own key.
This implementation is known as WPA-Enterprise and eliminates the security risks of using a single, shared
key for universal network access.

The use of certificates with smart cards also allows for smart cards to be required for authentication when
joining a WPA2 network. In addition to the encryption methods previously listed, several non-encryption
methods exist that, when combined with the use of encryption methods, further enhance wireless network
security. Here are some examples:

MAC filtering. MAC filtering allows a wireless access point to refuse connection to nodes accessing it
unless their MAC address is contained in a specific list stored on the access point. This allows for a
network administrator to enter the MAC addresses of only those nodes that should be allowed to
connect to the wireless access point.

Note: MAC filtering can be easily circumvented by using a process known as MAC
spoofing, whereby a potential client provides a false MAC address with the purpose of obtaining
access to the network.

Universal serial bus (USB) tokens. USB tokens are physical devices that also provide an additional
layer of physical security to wireless networks. These methods require the end-user to have a USB
token to physically attach to their computer before access to the network is granted.

Hidden SSID. Another method for obscuring the identity of a wireless network is hiding the SSID.
Configurable at the access point, hiding the SSID prevents the SSID of the wireless network from
showing up in the list of available networks on a potential client. When a network's SSID is hidden,
clients need to know the SSID of the network and enter it manually to connect, along with satisfying
any other security requirements the network might have. A hidden SSID can add a certain level of
security to the network, but it should not be considered a security measure in itself; numerous
commonly known methods exist for locating and identifying hidden SSIDs.
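As an added example (not part of the course text), the following Python audit encodes this topic's guidance as checks over an access point configuration record: WEP flagged as outdated, WPAv2 preferred, WPA-Enterprise (RADIUS) preferred over a single pre-shared key, and MAC filtering and hidden SSIDs treated as obscurity rather than security. The ApConfig fields, the severity labels, the sample configurations and the 12-character key-length threshold are assumptions made for the example.

```python
"""Wireless access point configuration audit (added example, not course code).

Encodes the lesson's guidance on WEP, WPAv1/WPAv2, WPA-Personal versus
WPA-Enterprise, MAC filtering and hidden SSIDs as checks over a constructed
configuration record. The field names, severity labels and the 12-character
pre-shared-key minimum are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Protocols in order of increasing strength, as the lesson describes them.
PROTOCOLS = ("open", "wep", "wpa", "wpa2")
MIN_PSK_LENGTH = 12  # assumed threshold; the lesson only says short, simple keys are weak


@dataclass(frozen=True)
class ApConfig:
    ssid: str
    security: str            # one of PROTOCOLS
    key_mode: str = "psk"    # "psk" (WPA-Personal) or "radius" (WPA-Enterprise)
    psk: str = ""            # the shared key, only meaningful when key_mode == "psk"
    mac_filtering: bool = False
    hidden_ssid: bool = False


Finding = Tuple[str, str]  # (severity, message); severity is "high", "medium" or "info"


def audit_ap(cfg: ApConfig) -> List[Finding]:
    """Return the findings for one access point; an empty list means no concerns."""
    if cfg.security not in PROTOCOLS:
        raise ValueError(f"unknown security protocol: {cfg.security!r}")
    findings: List[Finding] = []

    # Encryption protocol: WEP is outdated, WPAv2 is the preferred method.
    if cfg.security == "open":
        findings.append(("high", "no encryption: anyone in range can join and read traffic"))
    elif cfg.security == "wep":
        findings.append(("high", "WEP is outdated and has known flaws; replace with WPA2"))
    elif cfg.security == "wpa":
        findings.append(("medium", "WPAv1 in use; WPAv2 is the preferred method"))

    # Key configuration: a single pre-shared key (WPA-Personal) is shared by
    # every node; WPA-Enterprise (RADIUS) lets each node keep its own key.
    if cfg.security in ("wpa", "wpa2"):
        if cfg.key_mode == "psk":
            if len(cfg.psk) < MIN_PSK_LENGTH:
                findings.append(("high", f"pre-shared key shorter than {MIN_PSK_LENGTH} "
                                         "characters is easily guessable"))
            findings.append(("info", "WPA-Personal: one shared key for all nodes; "
                                     "consider WPA-Enterprise with RADIUS"))
        elif cfg.key_mode != "radius":
            raise ValueError(f"unknown key mode: {cfg.key_mode!r}")

    # Non-encryption controls add obscurity only; they do not replace encryption.
    if cfg.mac_filtering and cfg.security in ("open", "wep"):
        findings.append(("medium", "MAC filtering is the main control, but it is "
                                   "circumvented by MAC spoofing"))
    if cfg.hidden_ssid:
        findings.append(("info", "hidden SSID obscures the network but is not a "
                                 "security measure in itself"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a findings list to its worst severity ("ok" when there are none)."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((sev for sev, _ in findings), key=order.get, default="ok")


# Constructed sample configurations: the weak setting beside the corrected ones.
WEAK_AP = ApConfig(ssid="guest", security="wep", psk="abc",
                   mac_filtering=True, hidden_ssid=True)
PERSONAL_AP = ApConfig(ssid="office", security="wpa2", key_mode="psk",
                       psk="sunny-day-2014-lab")
ENTERPRISE_AP = ApConfig(ssid="corp", security="wpa2", key_mode="radius")

if __name__ == "__main__":
    for ap in (WEAK_AP, PERSONAL_AP, ENTERPRISE_AP):
        print(f"{ap.ssid}: {worst_severity(audit_ap(ap))}")
        for sev, msg in audit_ap(ap):
            print(f"  [{sev}] {msg}")
```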

Lesson 5

Connecting to the Internet

Almost every corporate LAN or WAN has a network link that connects it to the rest of the world through
the Internet. The Internet has become the most important medium for global communications, and, as
such, corporate networks need to be connected to this global network to take advantage of what the
Internet has to offer.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Internet.

Describe and contrast intranets and extranets.

Describe a firewall.

Describe proxy and reverse proxy servers.

What Is the Internet?

The Internet is a system of interconnected networks that spans the globe. It is used to connect billions
of users worldwide to a large variety of information, resources, and services. It is comprised of both
hardware and software infrastructure that allows for the communication between any two computers
connected to the Internet.

The Internet has its roots in early WANs implemented by military and educational institutions to
facilitate communications between geographically dispersed computer systems or networks. As more nodes
were added and the network grew and began allowing for public access, the Internet gradually came into
existence. The advent of graphical content and the software that allowed for viewing this content began
the popularization of the Internet as a medium for public information exchange. Some of the first
applications to appear and have common usage on the Internet were email, Gopher, Telnet, Whois, and www.
From these limited first services, many more technologies have been built upon and rely on the Internet
for their function, such as general e-commerce, cloud services, and virtual private networks (VPNs).

The physical structure of the Internet is somewhat ambiguous and constantly changing, but at its core, the
Internet bears many similarities to a vast, global WAN. Although Internet communication appears
straightforward to the end-user, the path that data takes between two communicating nodes can travel
over hundreds of different physical connections and be relayed through numerous intermediary network
nodes before reaching its destination. The Internet uses IP as the basis for communication between nodes.
Individual nodes or networks are typically connected to the Internet by using the methods mentioned in
the last topic of the previous lesson. These methods typically involve connectivity through a
telecommunications provider. Global telecommunication providers provide the bulk of the physical
network infrastructure on which the Internet operates.

The Internet by nature is an open and generally non-secure system. When corporate LANs and WANs
connect to and through the Internet, specific devices, methods, and concepts are applied to ensure the
integrity and private nature of the corporate LAN or WAN architecture.

Note: The phrase World Wide Web pertains to a set of interlinked documents in a
hypertext system, which is made available through Hypertext Transfer Protocol (HTTP). The user
accesses the documents by using a web browser and enters the various document repositories on
the web through a home page.

Intranets and Extranets

Intranet
An intranet refers to a private computer network that uses the IP suite of technologies to securely share
information within the network.
An intranet shares many communication methods with the public Internet and, as such, an intranet
environment functions very much like a small, encapsulated version of the Internet.

Intranets are commonly used to provide privatized versions of Internet communication services, such as
websites, email, or file transfer. They facilitate the same type of easy information sharing as the
Internet, but allow an organization to confine its scope to avoid the loss or theft of corporate data.
In general, a LAN refers to the physical structure that provides network connectivity, whereas the term
intranet refers primarily to a group of services provided on that LAN.
Extranet

In its typical form, an extranet is a piece of a company's intranet that has been exposed to a larger
network, usually the Internet. This is usually done to share specific corporate information with partners or
customers, and requires an extra level of security and network design to ensure that private information
within the intranet is separated from the information on the extranet and not inadvertently exposed to
the public. The information on the extranet itself is usually not left completely exposed to the public
Internet either, but is protected with a security measure such as data encryption or authentication
mechanisms like user names and passwords.

What Is a Firewall?
A firewall is the key component used in
segmenting networks to protect a private network
from security risks inherent to connecting to an
untrusted network. A firewall is a system or device
used as a single point of connection between
separate networks. It interprets network
communication and allows safe or desirable
network traffic to pass through while restricting or
denying unsafe or undesirable traffic.

In a network environment, a firewall typically exists as a separate device or computer on the network that
is designated exclusively to perform the functions of a firewall. For example, a particular server might
have the same function as a firewall and might determine the source address of a piece of data and deny or
allow the data to enter the network.

The term firewall is also used to refer to a piece of software installed on a node computer that performs
traffic filtering similar to that of a dedicated firewall device. When the term is used in this lesson, it is used
to refer exclusively to the dedicated network firewall defined previously, and not the node-based software
type.
Different types of firewalls allow for varying levels of network data inspection. A basic firewall is included
in most Windows operating systems.
The purpose of the perimeter network is to act as a security buffer between the untrusted and private
networks for resources that must be shared by those who are not part of the internal network. A
perimeter network commonly contains any nodes that share information with the public Internet. This
may include items like email servers, web servers, or proxy servers.

Perimeter networks are generally implemented by using firewalls. A firewall is placed at the connection of
the perimeter network to the untrusted network; another firewall typically separates the perimeter
network from the private network. This configuration separates the participating networks into three
zones: the private network, the perimeter network, and the untrusted network. Firewalls can also be used
to secure traffic within a perimeter network; for example, allowing HTTP(S) traffic from the Internet to a
perimeter's web server only, and allowing the web server to access a SQL database.

The main function of a perimeter network is security. A perimeter network is not entirely a public part of
the Internet, an untrusted network, or entirely a private part of the organizations network. The purpose of
the perimeter network is to act as a security buffer between the untrusted and private networks.

Proxy and Reverse Proxy Servers

A proxy server is a variant of a firewall that is used primarily to process client requests for data that
exists outside of the network. Proxy servers are most commonly used to provide and control access to the
World Wide Web to ensure that the information being requested is safe and pertinent. Proxy servers are
also used to temporarily store or cache data, again most commonly from the World Wide Web. This allows the
proxy server to redirect clients that request data from servers outside of the local network to a locally
stored copy for faster and more secure access, optimizing traffic for frequently needed data.

Proxy servers are most commonly used in conjunction with a firewall. In this configuration, a firewall will
allow a specific type of traffic only if the traffic is originating from, or intended for, the proxy server. In this
way, clients wanting to send or receive that specific type of traffic must do so through the proxy server, or
their transmissions will be blocked or denied at the firewall.
Conversely, a reverse proxy server takes some or all data incoming to a network and distributes it to the
appropriate nodes on the network. Reverse proxy servers are commonly used for load balancing, which
allows the reverse proxy server to take large amounts of incoming data and distribute it among similarly
configured nodes, all capable of processing the data. Reverse proxy servers can also provide data security
filtering and caching in the same manner as a proxy server.
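As an added example (not from the course), this Python packet-filter model evaluates flows across the three zones of the firewall topic together with the proxy-plus-firewall configuration just described: HTTP(S) from the Internet only to the perimeter web server, only that web server reaching the SQL database, private clients reaching the web only through the proxy, and outbound web traffic permitted only when it originates from the proxy. The addresses, host roles, the proxy port 8080, the placement of the SQL server in the private zone and the rule format are constructed assumptions.

```python
"""Three-zone perimeter firewall rule evaluation (added example, not course code).

A minimal stateless packet filter over the lesson's three zones (untrusted,
perimeter, private) with default deny. Addresses, host roles, the proxy port
and the rule format are constructed assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed addressing: 192.0.2.0/24 (a documentation range) plays the
# perimeter network and 10.0.0.0/8 the private network; anything else is
# treated as the untrusted Internet.
ZONES = {
    "perimeter": ip_network("192.0.2.0/24"),
    "private": ip_network("10.0.0.0/8"),
}

# Constructed host roles.
WEB_SERVER = "192.0.2.10"    # perimeter: publicly reachable web server
PROXY_SERVER = "192.0.2.20"  # perimeter: forward proxy for internal clients
SQL_SERVER = "10.0.5.30"     # private: database used by the web server
PROXY_PORT = 8080            # assumed listening port of the proxy


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name; unknown addresses are untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: FrozenSet[int]            # permitted TCP destination ports
    src_host: Optional[str] = None   # None means any host in src_zone
    dst_host: Optional[str] = None   # None means any host in dst_zone


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Allow rules; everything not matched is denied by default.
RULES: List[Rule] = [
    # The Internet may reach the perimeter web server, and only it, over HTTP(S).
    Rule("untrusted", "perimeter", frozenset({80, 443}), dst_host=WEB_SERVER),
    # Only the web server may open the SQL port to the private database.
    Rule("perimeter", "private", frozenset({1433}),
         src_host=WEB_SERVER, dst_host=SQL_SERVER),
    # Private clients reach the web only via the proxy ...
    Rule("private", "perimeter", frozenset({PROXY_PORT}), dst_host=PROXY_SERVER),
    # ... and only the proxy may send web traffic out to the Internet.
    Rule("perimeter", "untrusted", frozenset({80, 443}), src_host=PROXY_SERVER),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Return "allow" if any rule permits the flow, otherwise "deny"."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and flow.dport in rule.ports
                and rule.src_host in (None, flow.src)
                and rule.dst_host in (None, flow.dst)):
            return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows: an Internet client (203.0.113.5), a private
    # workstation (10.0.0.7), and the servers talking to each other.
    samples = [
        Flow("203.0.113.5", WEB_SERVER, 443),        # allow
        Flow("203.0.113.5", WEB_SERVER, 22),         # deny: not HTTP(S)
        Flow("203.0.113.5", SQL_SERVER, 1433),       # deny: Internet to private
        Flow(WEB_SERVER, SQL_SERVER, 1433),          # allow
        Flow("192.0.2.11", SQL_SERVER, 1433),        # deny: other perimeter host
        Flow("10.0.0.7", "203.0.113.5", 443),        # deny: must use the proxy
        Flow("10.0.0.7", PROXY_SERVER, PROXY_PORT),  # allow
        Flow(PROXY_SERVER, "203.0.113.5", 443),      # allow
    ]
    for f in samples:
        print(f"{zone_of(f.src):9} {f.src:>13} -> {f.dst:<13}:{f.dport:<5} {evaluate(f)}")
```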

Lesson 6

Remote Access
Direct connections to private networks provide the fastest, most secure method for an organization to
share data and resources.
However, organizations are increasingly finding it necessary for their employees to have access to their
private network in situations where a direct physical connection is not possible.

Lesson Objectives
After completing this lesson, you will be able to:

Describe remote access and branch offices.

Describe encryption and authentication.

Select a suitable VPN protocol.

Explain RADIUS.

Explain Network Access Protection (NAP).

What Is Remote Access?

Although the majority of functionality on a typical corporate network happens within the LAN,
organizations are increasingly looking for ways to allow their employees access to their information
while not directly connected to the private network. In other situations, an organization might be unable
to directly connect one or more remote locations to the private network and require a different, more
indirect approach. In these situations, remote access is required. Remote access methods typically use an
intermediary and possibly untrusted connection method, such as the Internet, to indirectly gain access to
a central private network.
Remote access may be required in any of the following situations:

Geographically dispersed branch offices

An employee working from home or while traveling, such as sales staff

Customers or partners requiring access to information hosted on the organization's private network

In its basic form, a branch office refers to a location where an organization does business or hosts
employees outside of its central location of operations. It could be as large as or larger than the central
location itself, or as small as a single employee working from a home office.
Branch offices are typically located outside of the physical range of an organization's central LAN, in
another section of a large city, or in another city, country, or continent. The term is typically used for a
location where several users (like a sales office) are directly connected to the company but in a separate
physical office, with WANs or VPNs connecting permanently to the corporate network. These branch
offices frequently require the ability to provide some or all the services provided by the central location,
and almost always require access to the same data and resources to operate efficiently. Placing a server in
the branch office is one solution; providing secure remote connectivity is another.
The branch office term is not typically used for home offices or employees working abroad.

An organization like a bank might require each of its branches to have access to financial information
stored in servers at the central office; a real estate agency might have brokers that work from home
offices that require access to updated property and client information; or a member of the sales staff
might require access to customer or product data while traveling.
Question: What other scenarios can you think of that would require remote access?

Encryption and Authentication

When an intermediary or untrusted connection is used to gain access to a private network, the security of
the data traveling between the remote location and the private network, in addition to the security of the
private network itself, becomes a serious concern.
To address this concern and provide a safe means of transmitting private data and preventing
unauthorized access to the private network, encryption and authentication are used when implementing
remote access connections.

Encryption refers to the intentional scrambling of data to prevent a third party from reading the data
should it be intercepted between its sender and its intended destination. When data encryption is used for
transmitting data on a network, its sender uses a specific algorithm to encrypt the data and send it on the
network. The intended receiver, aware of this encryption, uses the same algorithm to unscramble, or
decrypt, the data.

Typically, encryption is combined with a method used to prove that the nodes involved are indeed the
nodes for which the communication is intended. In other words, the identities of these nodes are verified.
This method of verification is known as authentication.

Authentication refers to the process of verifying the identity of a user, computer, process, or other entity
by validating the credentials provided by the entity. It is distinct from authorization, which is the process
of determining the level of access allowed for an already authenticated identity. Authentication is typically
implemented as a password or a combination of user identification and a password, but can also include
physical methods such as digital certificates, smart cards, or USB tokens.

Virtual Private Networks and DirectAccess

At one point, direct dial-up access was the most popular method of providing remote access to a private
network. With the advent of widely available high speed Internet access, dial-up access has been largely
replaced by VPN connections. When encryption and authentication are implemented to protect information
traveling across a remote access connection, a VPN is created.

MCT USE ONLY. STUDENT USE PROHIBITED

3-34

Fundamentally, a VPN exists when a more secure


connection has established between a node and a
private network by using an intermediary and
typically untrusted network. This connection is commonly known as a tunnel, which describes the secure
connections separation from the intermediary network due to the encryption used for the data.

Technically, VPNs are implemented using a variety of methods that govern communication mechanisms,
encryption, and authentication. The technical definition is outside the scope of this topic. Several of the
most common VPN protocols are listed below.

Point-to-Point Tunneling Protocol (PPTP). PPTP has been a very widely used VPN protocol and is
described in RFC 2637. PPTP is supported by most computers, tablets, and smart phones. PPTP has a
low overhead, and is faster and easier to set up than other VPN protocols. PPTP requires its own
ports. More companies appear to be implementing HTTPS-based VPNs.

Layer Two Tunneling Protocol (L2TP). L2TP is frequently used with Internet Protocol security (IPsec)
to provide data encryption and security. L2TP is described in RFC 2661.

Secure Sockets Layer (SSL) tunneling protocol. The SSL tunneling protocol uses 2,048-bit certificates
for authentication, making it the most secure of the VPN protocols. The SSL tunneling protocol lets
users pass through firewalls and proxy servers when other VPN protocols might be blocked. The SSL
tunneling protocol uses HTTPS over the Internet.

IP-HTTPS. This is replacing the SSL tunneling protocol in DirectAccess, which is one of the remote access
solutions from Microsoft. It is discussed further a bit later.

IPsec. A set of industry-standard, cryptography-based services and protocols that help to protect
data over a network.

DirectAccess

DirectAccess was introduced in the Windows 7 and Windows Server 2008 R2 operating systems.
DirectAccess gives users the experience of being connected to their corporate network any time they have
Internet access without having to initiate or configure a connection.
When DirectAccess is enabled, requests for corporate resources (such as email servers, shared folders, or
intranet websites) are securely directed to the corporate network, thus allowing for the same user
experience regardless of whether the computer is connected to the corporate network. The DirectAccess
client is connected to the corporate network before the user even logs on, making the logon and
authentication process identical to the process used when connected directly to the corporate network.
Windows Server 2012 and Windows 8 DirectAccess can be configured to use either IP version 4 (IPv4) or IP version 6 (IPv6) addresses. Windows Server 2008 R2 and Windows 7 can use only IPv6 for communication between clients and servers. Connections between IPv4 and IPv6 networks can be coordinated automatically using a number of different IPv6 translation technologies that are configured at the DirectAccess server. The main benefit of using DirectAccess over VPNs is its lack of required user interaction. In Windows Server 2012, DirectAccess is also a lot easier to deploy than was the case in Windows Server 2008 R2. Furthermore, DirectAccess allows remote management such as software distribution and updates of virus scanning engines.

Windows Server 2012 supports DirectAccess with Windows 7 and Windows 8 clients, whereas Windows
Server 2008 R2 only supports Windows 7 DirectAccess clients. Also, if you have operating systems older
than Windows 8 or Windows 7, DirectAccess is not supported for them and they will need to use an
alternative, such as VPN.

RADIUS

RADIUS is a widely used industry standard authentication protocol that allows the exchange of authentication information between various elements of a remote access solution. It provides for centralized authentication, authorization, and accounting for network connection attempts and nodes that connect to networks through any means, whether it is dial-up, VPN, wireless, or a physical connection through cable. It has been defined by the Internet Engineering Task Force (IETF) under RFC 2865 and RFC 2866 and updated and modified in numerous subsequent RFC standards. RADIUS is a very common protocol available for use in most network environments. It is used to perform the following functions with regard to network access:

Authenticate nodes before allowing them to access the network.

Authorize access for nodes specific to network services or resources.

Account for and track the usage of those services and resources.

The main components that typically go into making a RADIUS infrastructure are as follows:

RADIUS server. Provides centralized authentication, authorization, and accounting for network
access requests. The Network Policy and Access Services role in Windows Server 2012 can be
configured as a RADIUS server.

RADIUS proxy. Can forward and route RADIUS access and accounting messages between RADIUS
clients and RADIUS servers.

RADIUS clients. These are RADIUS access servers, such as wireless access points, dial-up servers,
authentication switches, and VPN servers. These are RADIUS clients because they use the RADIUS
protocol to communicate with RADIUS servers. User devices such as laptops are not RADIUS clients.

A server implementing RADIUS allows an organization to simplify and better manage remote access to its
network, especially when multiple remote access points exist in the environment. RADIUS allows for
strongly securing a WLAN with the use of certificates.
More information about RADIUS can be found at the following website.
http://www.ietf.org
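As an added example (not part of the course text), here is the Access-Request/Access-Accept exchange from RFC 2865 between a RADIUS client such as a VPN server and a RADIUS server, written in Python: the shared secret both hides the User-Password attribute and produces the Response Authenticator that the client checks before trusting the verdict. The shared secret, the user database, and all packet values are constructed; MD5 appears because the RFC specifies it, not as a recommendation.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise (type, value) pairs as Type/Length/Value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(secret, req_auth, password):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; the chaining value is the previous cipher block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def build_access_request(secret, ident, username, password, req_auth=None):
    """RADIUS client side: the access server (VPN server, wireless AP) builds the request."""
    req_auth = req_auth or os.urandom(16)  # fresh, unpredictable Request Authenticator
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def server_handle(packet, secret, users):
    """RADIUS server side: check the credentials and answer Accept or Reject."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    supplied = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    expected = users.get(attrs.get(ATTR_USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return HEADER.pack(code, ident, 20) + response_authenticator(code, ident, req_auth, b"", secret)


def client_verify(response, ident, req_auth, secret):
    """Trust the verdict only if the Response Authenticator proves knowledge of the secret."""
    if len(response) < 20:
        return None
    code, resp_ident, length = HEADER.unpack(response[:4])
    if length != len(response) or resp_ident != ident:
        return None
    expected = response_authenticator(code, ident, req_auth, response[20:], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def run_exchange(secret, users, ident, username, password):
    """Full client/server round trip; returns the verified result code, or None."""
    request, req_auth = build_access_request(secret, ident, username, password)
    return client_verify(server_handle(request, secret, users), ident, req_auth, secret)


if __name__ == "__main__":
    # Constructed sample data: a shared secret and a tiny user database.
    SECRET = b"constructed-shared-secret"
    USERS = {b"alice": b"correct horse battery staple"}
    print(run_exchange(SECRET, USERS, 7, b"alice", b"correct horse battery staple"))  # 2 (Access-Accept)
```

The check in client_verify is what keeps a forged Access-Accept from being accepted by an access server when the sender does not hold the secret; a reply whose Identifier or Length does not match the outstanding request is dropped the same way.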

Network Access Protection


Network Access Protection (NAP) can be implemented as part of a RADIUS infrastructure. It provides components to help you enforce health requirement policies for network access and communication. NAP allows you to create policies for validating devices that connect to the network, and to provide required updates or access to required health update resources while limiting the access or communication of noncompliant devices. You can customize your health maintenance solution to monitor devices accessing the network for health policy compliance. The health policy might include checks for:

Up-to-date antivirus patterns.

Appropriate firewall status.

Up-to-date malware protection.

Windows Update settings.

Update devices with software updates to meet health policy requirements.

Limit access for devices that do not meet health policy requirements, to a restricted network.

Although NAP helps you automatically maintain the health of the network's devices, which in turn helps
maintain the network's overall integrity, NAP does not protect the network from malicious users. For
example, if a device has all the software and configuration settings that the health policy requires, then
that device is compliant and has unlimited network access; however, NAP does not prevent an authorized
user with a compliant device from uploading a malicious program to the network or engaging in other
inappropriate behavior.
NAP Functions
NAP has three important and distinct functions:

Health state validation. When a computer tries to connect to the network, the NAP health policy
server validates the computer's health state against the health-requirement policies that you define.
You also can define what to do if a computer is not compliant. In a monitoring-only environment, the
NAP health policy server validates the health state of all computers, and then logs the compliance
state of each computer for subsequent analysis. In a limited-access environment, computers that
comply with the health-requirement policies have unlimited network access. Computers that do not
comply with health-requirement policies might have their access limited to a restricted network.

Health policy compliance. You can help ensure compliance with health requirement policies by
automatically updating noncompliant computers with missing software updates and configuration
changes. You can do this by using management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers have network access before
they are updated with required updates or configuration changes. In a limited access environment,
noncompliant computers have limited access until the updates and configuration changes are
complete. In both environments, computers that are compatible with NAP can become compliant
automatically, and you can define exceptions for computers that are not NAP-compatible.

Limited access. You can protect the network by limiting noncompliant computers' access. You can base limited network access on a specific time limit, or on what the noncompliant computer can access. In the latter case, you define a restricted network containing health update resources, and the limited access lasts until the noncompliant computer becomes compliant. You also can configure exceptions, so computers that are not compatible with NAP do not have their network access limited.
In Windows Server 2012, NAP is installed as part of the Network Policy and Access Services role. Health
policies, validators, and remediation servers can all be defined and configured within the Network Policy
Server (NPS) management console in Windows Server 2012.

Lab: Selecting Network Infrastructure Components


Scenario

A. Datum Corporation has recently decided to decentralize its marketing department, currently located in
New York. In addition to the New York location, a new marketing office is being built in Seattle to house
the media design staff.
You are responsible for choosing the LAN design and general components for the new office and
ensuring that the two offices are connected in a way that allows staff in the Seattle office to access the
information they need from the New York office.

You have received email messages from the Seattle office manager outlining the duties assigned to the
new office, a list of employees that will be using the Seattle office, and the primary job functions of those
employees.

Objectives
After completing the lab, students will be able to:

Provide guidance on which network components are needed to complete a branch office
deployment.

Estimated Time: 30 minutes


No virtual machines are required for this exercise.

Exercise 1: Determining Appropriate Network Components


Scenario
Email #1
From: Susan Walker
Subject: Seattle Office Building
Hi,

We have been working with the new building contractors and they have come up with a basic design.
No drawings have been drafted yet, so I will try to explain what they have in mind. The space will
basically be split into two parts. We will have six offices in one part of the office for our design team
members, typical office stuff. The other half will be a large, open conference room built for partner
consultation. Basically, it will be a place where our consultants meet with our partners to show them
progress on projects, samples of media, and things like that. It's going to be pretty casual, with most of
the furniture being couches and coffee tables.
I hope that gives you a good enough idea for your side of things.
Thanks,
Susan

Email #2
From: Susan Walker
Subject: Seattle Staff
Hi again,
Here are the details on our Seattle staff and what each of their roles entails.

We will have three video editors that will be in three of the six offices: Frank, Lisa, and Peter. The bulk of
their day is spent editing video for various projects. They work as a collaborative team, so they are
constantly sending material (videos) back and forth to each other. Frank asked me to tell you that the
videos can be really big. They have issues with the videos taking a long time to copy to and from the
server in New York. I'm not sure if there is something you can do to improve that in Seattle.

There are four creative consultants. Nick and Brenda will be in the office and John and Martha will be
working from home offices. Their primary role is to meet with our partners to determine overall needs.
Then they come up with the basic design concept and forward it to the video editors who begin the
video design process. Throughout the process, the creative consultants provide samples of the work
being done and get feedback from the customers. This will be done using the conference room for local
partners. I'm hoping you can come up with something that will allow our out-of-town partners to view
and comment on the development process remotely.
Our internal staff will need to be able to view and update the material, and our home users and
partners will need to be able to view and update it from their locations. This is sensitive information, so
it needs to have some kind of password or security around it so not just anybody can see it. They have
also asked if there would be a way for both the in-office consultants and the two coming from home to
have access to the material located on the server to show clients on their laptops when they meet in the
conference room.
We also need to be able to share files with New York as well. My primary role is to manage the staff
here and provide general updates and material samples to New York. This typically doesn't involve a lot
of files or very big files, but it does need to be secure, and our partner agreement doesn't allow us to
use email to send the files, so they will have to be hosted on some sort of server, I guess. I am not very
technical, sorry.
Oh and one final thing: we're getting new desktops and other devices, all of which will be running
Windows 8 I'm told, in case that helps.
Hopefully that's what you're looking for. Thanks for your time.
Susan

Branch Office Network Infrastructure Plan: Component Needs Assessment


Document Author: You
Date: March 22

Requirements Overview
Recommend basic infrastructure components for the implementation of the network in the new Seattle
location.
Recommend infrastructure to connect the Seattle location to the New York location. Recommend
infrastructure to allow home office users and partners access to the resources they need from the
Seattle location.

Proposals
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
3. What components and technology should be used to connect the New York and Seattle branches?
4. What is the best architecture to allow both partners and home office users to access their
information using only one method of access?

The main tasks for this exercise are as follows:

1. Read the supporting documentation
2. Update the proposal document with your planned course of action

Task 1: Read the supporting documentation

Read the supporting documentation sent to you by the Seattle office manager.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs
Assessment.
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?
2. What infrastructure should be used to connect the conference room portion of the Seattle location?
3. What components and technology would you use to connect the New York and Seattle branches?
4. What is the best architecture to allow both partners and home office users to access their information using only one method of access?

Results: After this exercise, you should have identified the infrastructure and components required to
implement a network in a new location.
Question: What other options exist to connect the home office employees if their role
changes and requires consistent access to information on the Seattle LAN?
Question: What infrastructure should be used to connect the conference room portion of
the Seattle location?

Module Review and Takeaways


Review Question
Question: Why are firewalls so critical when designing and deploying networks?
Question: What makes a wireless network more vulnerable to unauthorized access than a
wired network?

Module 4
Connecting Network Components
Contents:
Module Overview 4-1
Lesson 1: Understanding the Open Systems Interconnection Reference Model 4-2
Lesson 2: Understanding Media Types 4-7
Lesson 3: Understanding Adapters, Hubs, and Switches 4-14
Lesson 4: Understanding Routing 4-20
Lab: Connecting Network Components 4-25
Module Review and Takeaways 4-29

Module Overview

Networks consist of many components; these components fall into various categories based on their
operational characteristics. For example, those components that deal with electrical signaling are known
as low-level network components. However, those components that handle user requests, for example
applications, are known as high-level components.

This module explores the functionality of low-level networking components. This includes cabling,
network adapters, switches, hubs, and routers. In addition, the module provides guidance on how best to
connect these and other components together to provide additional network functionality.

Objectives
After completing this module, you will be able to:

Describe the industry standard protocol model.

Describe routing technologies and protocols.

Describe adapters, hubs, and switches.

Describe wiring methodologies and standards.

Lesson 1
Understanding the Open Systems Interconnection Reference Model

Over the years, many networking protocol stacks were developed by different vendors to support their
own networking products. In order to bring some structure and standardization to this independent
evolution of network protocol stacks, the International Organization for Standardization (ISO) developed
the Open Systems Interconnection (OSI) reference model.

As an aside explanation, the ISO organization would have different abbreviations in different languages.
Because of this, the organization decided to adopt the ISO abbreviation and standardize the name, taken
from the Greek word isos, meaning equal. As a result, this ISO acronym is used regardless of language.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the OSI model.

Describe lower-layer protocols and devices within the model.

Describe network protocols within the model.

Describe the upper layers in the model.

The OSI Model


The OSI model is a networking model that was introduced by the ISO to promote multi-vendor interoperability. The OSI model is a conceptual model that defines the generic tasks that are performed for network communication. You can think of each layer of the OSI model as a piece of software or hardware that performs specific tasks for that layer. Each layer communicates with the layer below and the layer above. Application data that is transmitted over the network must pass through all the layers. These layers are described in the following table.

Layer Number  Layer Name    Description
7             Application   Represents application programming interfaces (APIs) that developers can use to perform network functions when you build applications.
6             Presentation  Translates the data generated by the application layer from its own syntax into common transport syntax suitable for transmission over a network.
5             Session       Enables and controls a communication session between two applications.
4             Transport     Makes sure that packets are delivered in the order in which they are sent and without loss or duplication.
3             Network       Determines the physical path over which data is transmitted based on network conditions, the priority of services, and other factors. This is the only layer of the OSI model that uses logical networking and can move packets between different networks.
2             Data-link     Provides for the transfer of data frames from one computer to another over the physical layer. The media access control (MAC) address of a network adapter exists at this layer and is added to the packet to create a frame. Data is passed from the data-link layer to the physical layer as a stream of 1s and 0s. Some element of error checking is possible at this layer to ensure frame delivery.
1             Physical      Defines the physical mechanisms for sending a raw stream of data bits on the network cabling, such as a network interface card (NIC) and drivers.

Why Use the OSI Model?

The OSI model is used as a common reference point when you compare the function of different
protocols and kinds of network hardware. The OSI model is important for comparing different products
and understanding the functions that a device is performing. The model enables an understanding and
interpretation of various network architectures and network components within those architectures.
For example:

A router is a layer 3 device. Based on this, you know that a router understands logical networks and
can move packets from one network to another.

Hypertext Transfer Protocol (HTTP) is a layer 5-7 protocol. Based on this, you know that applications
use HTTP to communicate over the network.

Ethernet is a standard for layers 1-2. Based on this, you know that Ethernet defines physical
characteristics for media (network cabling), how signals are transmitted over that media, and when
devices can communicate on the media.

More information about the OSI model definition can be found at the following website.
http://www.iso.org

The Lower Layers of the OSI Model

The lower layers of the OSI model are responsible for encapsulating requests from the upper layers into a meaningful structure to be merged onto the media. How you do this varies from one network architecture to another.
The data-link layer is responsible for:

Transferring data between devices.

Managing the MAC addressing scheme.

Encapsulating requests from the middle layers into data-link frames and passing these to the physical layer for merging onto the media.

Passing protocol-specific data up the stack.

Error checking.

The physical layer is responsible for:

Establishing, maintaining, and terminating connections to the media.

Participating in the process of managing media access among multiple hosts.

Converting the data-link frames into a meaningful signal for merging onto the media.

Interpreting and converting signals on the media into data-link frames.

Here are examples of how data transfer occurs on a single local network and also across networks. This
may help give an understanding of how the lower layers of the network stack work.

On a local link, communication is addressed by using MAC addresses. If one device wants to
communicate to another device, even if it knows the IP address and ensures that the device is on the
same network, it needs to resolve the remote MAC address in an Address Resolution Protocol (ARP)
request (MAC-level broadcast), and then send the data to the remote MAC address.

IP and routers are used to extend networks beyond the local subnet. For example, say that IP needs to
reach a host beyond the local network. IP knows the address of its router, that is, its default gateway,
and leaves the target address of the target host in place but resolves the MAC of the local router.
The local router unwraps the IP and data, rewraps the package with the MAC of the next hop, and
then forwards the package.
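As an added example (not from the course text), the two cases above walked through end to end in Python: a host picks either the destination's MAC or the default gateway's MAC, and the router rewraps the frame for the next hop while the IP destination stays the same. All MACs, IP addresses, and ARP entries are constructed, and a lookup table stands in for the real ARP broadcast.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def next_hop(src_ip, prefix_len, gateway, dst_ip):
    """IP whose MAC must be resolved: the destination if it is on the local subnet, otherwise the gateway."""
    local_net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway


def arp_resolve(arp_table, ip):
    """Stand-in for the ARP broadcast: look the IP up in a constructed ARP cache."""
    if ip not in arp_table:
        raise LookupError(f"no ARP entry for {ip}")
    return arp_table[ip]


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words (RFC 791); 0 over a full header means it is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, payload, ttl=64, proto=PROTO_UDP):
    """20-byte IPv4 header (no options) with a valid checksum, followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_frame(src_mac, dst_mac, packet):
    """Ethernet II frame: destination MAC, source MAC, EtherType, then the IP packet."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame):
    """Pull the layer 2 and layer 3 addresses back out so each hop can be inspected."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    return {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ttl": ip[8], "header_ok": ipv4_checksum(ip[:20]) == 0,
            "src_ip": str(ipaddress.ip_address(ip[12:16])),
            "dst_ip": str(ipaddress.ip_address(ip[16:20])), "payload": ip[20:]}


def host_send(host, arp_table, dst_ip, payload):
    """A host: pick the next hop, resolve its MAC, wrap the IP packet in a frame."""
    hop = next_hop(host["ip"], host["prefix"], host["gateway"], dst_ip)
    packet = build_ipv4(host["ip"], dst_ip, payload)
    return build_frame(host["mac"], arp_resolve(arp_table, hop), packet)


def router_forward(frame, out_if, arp_table):
    """A router: strip the frame, decrement TTL, rewrap with the MAC of the next hop on the egress interface."""
    info = parse_frame(frame)
    if not info["header_ok"] or info["ttl"] <= 1:
        return None  # corrupt header or expired TTL: drop (a real router sends ICMP Time Exceeded for TTL)
    ip = bytearray(frame[14:])
    ip[8] -= 1                                # TTL
    ip[10:12] = b"\x00\x00"                   # zero the checksum before recomputing it
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:20])))
    hop = next_hop(out_if["ip"], out_if["prefix"], out_if["gateway"], info["dst_ip"])
    return build_frame(out_if["mac"], arp_resolve(arp_table, hop), bytes(ip))
```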

The Middle Layers of the OSI Model

In the middle of the OSI model sit the transport and network layers. These layers are frequently known as the network protocol layer.
The transport layer is responsible for:

Transferring data between applications on different hosts.

Providing reliable end-to-end transfer of data between these applications.

Encapsulating application requests in datagrams and passing these to the network layer.

Passing incoming datagrams to the appropriate session layer protocol.

The network layer is responsible for:

Implementing a logical addressing scheme to identify hosts on the Internet.

Routing packets to the appropriate logical address as identified by the upper layers.

Encapsulating transport layer datagrams into network packets and passing them to the data-link
layer.

Passing incoming packets up the protocol stack to the appropriate transport layer protocol.

In the early days of networking, different vendors produced their own, proprietary networking protocols.
These included:

Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX). This protocol was developed
to provide transport and network layer services for the Novell NetWare operating system. Although
proprietary, the protocol stack was widely implemented in other networking operating systems. This
includes the Windows Server operating systems. SPX is a transport layer protocol, whereas IPX
provides network layer support.

AppleTalk. This is another proprietary protocol providing transport and network layer functions. The
Apple Corp. implemented this protocol to support their Apple Mac computer systems. Microsoft
Corporation provided some support for this protocol in their Windows platform.

TCP/IP. This was first developed as a suite of protocols to support applications that run on the UNIX
platform. During the 1990s, this protocol began to gain acceptance by network product vendors. This
includes Microsoft, Novell, and Apple. TCP/IP provides a four-layer architecture that offers support for
all layers of the OSI reference model. TCP/IP implements two transport layer protocols: TCP and User
Datagram Protocol (UDP). At the network layer, IP is implemented.

Networking services sit on top of the protocol stack, and pass instructions down the stack to the media. It
is the job of the network protocol stack to interpret service requests and encapsulate them in a form
accessible by lower-level protocols.

The Upper Layers of the OSI Model

The upper layers of the OSI model consist of the application layer, the presentation layer, and the session layer. These upper layers are occupied by network applications, or services.
The application layer is responsible for interacting with network-aware software components. Functions typically include the following:

Identifying network hosts with which applications want to communicate

Determining available resources

Synchronizing communication between network hosts
The presentation layer provides independence from differences in how network data is presented. This
enables applications, which use different syntax, to communicate. The presentation layer:

Formats and encrypts data for transmission on a network.

Provides compatibility between applications that use different syntax.

The session layer is responsible for:

Establishing, maintaining, and terminating connections, known as sessions, between local and remote
applications.

Selecting the appropriate transport layer protocol for communications with remote applications.

Different network operating systems implement different network services. However, they also provide
similar functionality:

Authentication

File and print services

Email messages

Client/server applications, such as a database

Lesson 2
Understanding Media Types
Although you can connect devices to a network that uses wireless components, it is more common to use
wired media. There are many kinds of wired media types, each with different characteristics: cabling
distances, load and resistivity, and the ability to resist external electromagnetic interference. This lesson
explores the cabling characteristics and standards.

Lesson Objectives
After completing this lesson, you will be able to:

Describe coaxial cable.

Describe twisted-pair cable.

Describe fiber-optic cable.

Select a suitable cable type.

Coaxial Cable
Construction
Coaxial cable consists of two copper conductors
separated by insulating materials. The central core
is manufactured from either stranded or solid
copper wire, enclosed by an insulator. Around this
first insulator is a second, stranded copper
conductor. The whole is then protected by a
plastic covering.

Coaxial cable has different electrical characteristics based on its construction. Thin coaxial cable supports shorter cable runs and fewer devices. Thick coaxial cable can span longer distances and supports the connection of more devices. Although thick coaxial cable enables longer cable runs and more devices, it is unwieldy. Therefore, coaxial cable is more typically used to provide backbone connections.
Standards
Two standards define coaxial cable characteristics.

American wire gauge (AWG). This defines the diameter of the central conductor. A numbering system
indicates the diameter used. For example, 14 AWG indicates a thicker cable than 18 AWG cable. Realize
that the electrical characteristics of the cable change with its diameter. Specifically, thicker wire carries
currents further because it has lower resistance over a given distance.

Radio grade or Radio guide (RG). These standards define coaxial cable characteristics from susceptibility
to interference and resistivity. There are many RG coaxial cable standards and networking components
use only a small subset of those. They are primarily grouped according to the cable impedance because it
is important that the impedance of the cable matches the impedance of the transmitter, otherwise there
might be significant data loss. The following lists some examples.

50 ohm impedance:

RG58. Fairly thin and flexible. Ideal for connecting nodes to the network. However, RG58 does
not support long cable runs or lots of connected devices. It uses 20 AWG copper wire. It was used in
early Ethernet networks known as 10Base2 networks (also known as ThinNet). As explained in
Module 3, Understanding Network Infrastructure, the 10 refers to the transmission speed, 10
Mbps; base refers to the transmission type, that is, baseband; and the 2 in this instance refers to
the distance over which it can operate, that is, approximately 200 meters. The actual distance is
less, approximately 165 meters. This network type was very popular before twisted pair cabling.
Today, it would only be found in older networks.

RG8. RG8 is approximately 16 AWG. It is thicker than RG58 and not as flexible. Compared to
RG58, it provides less data loss over longer distances. RG8 was also commonly used in earlier
Ethernet networks, known then as a 10Base5 network, again the 10Base5 name indicating 10
Mbps, baseband transmission, and in this case, over distances of 500 meters. This network type
was commonly known as ThickNet because the cable type was comparatively thicker than the
network type used in 10Base2 networks. Today, RG8 would only be found in older networks. RG8
and RG58 might also be found in laboratory equipment or radio transmitters/receivers.

75 ohm impedance:

RG59. Has an 18 AWG core. It is susceptible to signal loss at higher frequencies over long
distances.

RG11. Thick coaxial cable with 14 AWG cable provides the solid core. It is fairly thick, so it is not
very flexible but has good comparative integrity of signals over length. It is mostly used in
backbones, where more robust cabling is needed.

RG6. Thinner than RG11 with 75 ohm impedance and typically 18 AWG, similar to RG58. It is
more susceptible to attenuation than RG11 but is less expensive. Used mostly in consumer
devices, or over short distances. RG6 and RG59 are used mostly in video applications or cable
TV/TV antennae connections. RG6 would generally have better signal integrity over the distances
needed, so it might be more widely used than RG59. RG6 is typically more expensive than RG59
cable.

Generally, thicker cables mean longer distances with less data loss. But there are other things to consider
such as the shielding used in the cable. The main points to be aware of here are that different cable types
have different capabilities, and even within the previous categories there are sub-categories that will have
slightly different specifications. If you are intending to use coaxial cable, make sure that you know the
correct impedance to use and also the distance over which the data must travel.
Connectors

Coaxial cable connects network devices by using different connector types based on the thickness of the
wire. Connectors can be categorized into two groups as outlined earlier.
Thick coaxial cable (10Base5). RG8 cable types use a piercing tap, or vampire connector, to connect to
thick coaxial cable. The connector surrounds the cable, and conductive spikes penetrate the cable to the
central and outer conductors. The connector is then attached to the network device by using an
attachment unit interface (AUI) connector. This 15-pin connector is also sometimes known as a Digital
Intel Xerox (DIX) connector.
Thin coaxial cable (10Base2). RG58, RG59, and RG6 would typically use BNC or F type connectors.

The BNC connector connects by using a press, twist, and lock mechanism and would usually be seen
with RG59 cable. BNC has different connection types, such as T-connector, Terminator, and barrel
connector types.

Fundamentals of a Windows Server Infrastructure

An F type connector has a sharp pin in its center that acts as the transfer medium. It connects by
using a press or a screw-and-lock mechanism and involves the pin and female receptacle connector
ends.

Note: Coaxial cable must be terminated. In order to prevent signals reflecting back up the
media, a resistor is attached to both ends of the cable. This absorbs the signal and prevents
reflection. You must use a terminator of the correct impedance.

Coaxial cable is not typically used in networking applications today. This is primarily because of the
unstructured nature of the wiring. In addition, coaxial cable is not especially fault-tolerant. A break in the
cable disrupts the whole segment because you now have two non-terminated segments. It is also very
difficult to pinpoint the location of a cable break, although a device such as a Time Domain
Reflectometer can be used to help. It is also useful to ground the cabling system to reduce interference
in the data signal, typically through the devices it is connected to, such as antennae.
When to Use Coaxial Cable

Coaxial cable is resistant to electromagnetic interference and can support long cable runs between hosts.
Although it might have some limited advantages, it is a legacy option that has been replaced with other
cable types such as twisted pair (discussed in the next topic). It is becoming difficult to find modern
network adapters that support it.

Twisted-Pair Cable
The twisted-pair cabling type is common in modern networks; it has generally replaced coaxial cabling in
Ethernet networks as the standard. Although it is still copper based, it's a less expensive option than
coaxial cable, although this wasn't always the case. This is mainly because switches became less expensive
than hubs and, as such, the number of collisions present in hubs could be reduced. This enables the cable
to span larger networks. As it became more popular, the relative cost came down. You can use twisted-pair
cabling to support several applications, including telephony and networking.
Construction

As the name suggests, the cable is constructed from a pair, or sometimes several pairs, of insulated cables,
twisted around one another, all enclosed in a protective outer sheath of plastic.

Note: The nearness of the other cable in the pair can introduce crosstalk, or interference.
The twisting helps eliminate the crosstalk. The more twists per meter, the higher the cable rating.
For example, Category (Cat) 4 cables have fewer twists per meter than Cat 5 cables.

There are two kinds of twisted-pair cable: unshielded twisted pair (UTP) and shielded twisted pair (STP).
The two types have several differences.


UTP is the more typically used twisted-pair type. UTP follows the 10BaseT specification and there are
several categories. The categories range from traditional telephone cable (voice but no data) to high
speed (1000 Mbps/10 Gbps) quality data transmission. UTP has a maximum distance of 100 m.

STP overcomes the main UTP disadvantage (interference) by providing copper shielding. STP provides
faster transmission over longer distances than UTP, but STP is more expensive.

Connectors
You connect devices with STP or UTP to the network by using several different connectors.

RJ11. A four-contact connector supporting two-pair cables, typically used for telephony. However,
there are different connector types in different parts of the world.

RJ45. An eight-contact connector supporting four-pair cables. Typically used for data applications
such as network adapters, but modern telephone lines (Integrated Services Digital Network [ISDN])
also now use RJ45.

When to Use Twisted-Pair

UTP is fairly inexpensive both in terms of the cabling and associated components, and in terms of the cost
to lay the cable. The potential for it to be affected by interference is also addressed by the twisted-pair
technology and by using a different current in each of the two wires. A weakness of UTP is that it is not
shielded. This means that it could influence other appliances and be easier to listen in on (by using a
radio-like device). This could make UTP less secure.
UTP should generally be the preferred choice. Where interference, longer cable runs, or potential security
threats exist, select STP.
Standards
Standards maintained by the Telecommunications Industry Association (TIA)/Electronics Industries
Association (EIA) define the additional characteristics of twisted-pair cable.
These standards are known as the Category standards.
Category  Twisted Pairs  Capacity        Bandwidth (MHz)  Use
1                        1 Mbps                           Voice/modem (rarely used)
2                        4 Mbps                           IBM cabling/token ring (rarely used any longer; might still be found in some Advanced Interactive Executive (AIX) datacenters)
3                        10 Mbps         16               Ethernet (telephone cabling)
4                        16 Mbps         20               Token ring (not used)
5                        100 Mbps        100              High-speed Ethernet
5e                       1000 Mbps       100              Gigabit Ethernet
6                        1000+/10 Gbps   250              10G Ethernet
6a                       10 Gbps         500              10G Ethernet
7         4              10 Gbps         600              10G Ethernet

Note: The term bandwidth is used to describe the transmission speed of a network.
Early networks operated at low bandwidths by today's standards. For example, early
implementations of Ethernet operated at 3 million bits per second (3 Mbps). Modern network
technologies can transmit much faster than this. A typical Ethernet operates at a bandwidth of
between 100 Mbps for desktops and 10 Gbps in server rooms.


Consider that the bandwidth of the network might be 1 Gbps. The actual throughput (or the volume of
data in bits) might be much less. One reason for this is that popular network technologies such as
Ethernet operate on a contention basis. In other words, the nodes or hosts on the network compete for
bandwidth. This contention process leads to loss of throughput.
More information about the TIA/EIA organization can be found at the following website.
http://www.tiaonline.org

Fiber-Optic Cable
Copper cables experience the effects of electromagnetic interference. In addition, they experience loss of
signal, or attenuation, over distance. Fiber-optic cables are less prone to either of these. Because
fiber-optic cables are more reliable, they are used in situations that demand longer cable runs or in areas
where high levels of electromagnetic interference are expected.
Construction
An optical fiber cable is composed of:

Glass or plastic core. This provides the transmission medium.

Cladding. This covers the core. Light signals cannot traverse this layer. The reflective surface of the
cladding layer reflects the light signals back into the core.

Buffer. This protective layer surrounds the core and cladding.

Note: Because each optical fiber supports light signals in only one direction at a time, some
cables implement multiple fibers bundled in a single cable.
There are two kinds of fiber-optic cable:

Multimode fiber. Consists of several fibers. Light signals are generated by light-emitting diodes
(LEDs). Typically, multimode fiber supports bandwidths of around 100 Mbps at distances of up to 2
kilometers and 10 Gbps over 300 meters.


Single-mode fiber. Contains a single, thin fiber that supports higher bandwidths and longer cable
runs than multimode fiber. 40 Gbps is possible over distances of several hundred kilometers. Light
signals are generated by laser diodes. Single-mode fiber is typically more expensive than multimode
fiber.

Connectors
There are different connectors for use with fiber optic cabling, depending on whether you are using
multimode fiber or single-mode fiber, and the particular application of the cable.

Straight Tip. The fiber equivalent of a coaxial BNC connector, by using a push-and-twist locking
system. Typically used with multimode fiber.

Subscriber Connectors. Provide a simple push/pull connection.

Local Connectors. Similar to Subscriber Connectors, but smaller.

Ferrule Connectors. Older single-mode fiber connectors, now replaced by Subscriber Connectors
and Local Connectors.

Mechanical Transfer Registered Jack. Supports multimode fiber cables by using a snap-on
connector.

When to Use Fiber Optic Cabling

Fiber-optic cabling is more expensive than its copper equivalent. It is used where higher bandwidths over
long distances are required and the distance exceeds the capabilities of copper wiring. In areas of extreme
electromagnetic interference, fiber-optic cabling is also better.
Standards

The following table builds upon the table from Module 3 and includes the most frequently implemented
cabling standards and uses.
Standard        Media           Bandwidth             Common Uses
10BASE-T        Twisted copper  10 Mbps               Local networks
100BASE-TX      Twisted copper  100 Mbps              Local networks
100BASE-FX      Fiber-optic     100 Mbps              Distant networks
1000BASE-T      Twisted copper  1 Gbps (1,000 Mbps)   Local networks
1000BASE-LX     Fiber-optic     1 Gbps                Distant networks
10GBASE-T       Twisted copper  10 Gbps               Local networks
10GBASE-LR/ER   Fiber-optic     10 Gbps               Distant networks

Of the standards listed in this table, 100BASE-TX and 1000BASE-T are most frequently found in today's
local area networks (LANs). 1000BASE-LX and 10GBASE-LR/ER are the most frequently found in long
distance Ethernet connections.

Discussion: What Cabling Strategy Would You Use?


Fabrikam, Inc. has purchased a new building to house their Research and Development team. The new
building is just across the parking lot from the headquarters. There are two floors in this new building;
each will support around 100 network nodes. Each workstation is to have a telephone installed. You want
to minimize future disruption, so any cabling solution must provide for emerging standards. Because of
the nature of the work, the R & D team requires a high-bandwidth solution.
Answer the following discussion questions.
Question: For Fabrikam, Inc., what cabling system would you recommend within the new building?
Question: Fabrikam's R & D center is across the private parking lot from the head offices.
You will have to connect the R & D office back to the head office so that research staff has
access to corporate services. What cable would you recommend for this application to link
the two buildings?


Lesson 3

Understanding Adapters, Hubs, and Switches


Operating at the lower levels of the OSI network architecture, switches and hubs are responsible for
connecting physical devices together. The choices that you make about the deployment and
configuration of these components can have far-reaching effects on the behavior of interconnected
devices and overall network functionality and performance. Therefore, make sure that you can
differentiate between devices such as hubs and switches and be able to select a hub or switch based on its
functionality.

Lesson Objectives
After completing this lesson, you will be able to:

Describe a network adapter.

Describe transmission speed.

Describe hubs.

Describe switches.

Describe layer 2 and layer 3 switches.

Describe the capabilities of a virtual local area network (VLAN).

What Is a Network Adapter?


A network adapter is the lowest-level component
installed in your computer. It is responsible for
converting instructions from higher-level
components, specifically the network protocol
stack, into electrical signals and merging these
signals onto the network media.
The network adapter is also responsible for
converting electrical signals received on the wire
into meaningful instructions that it then passes up
to the network protocol stack.

Note: The network media might be physical wiring or a wireless network. For convenience, the
term wire will be used except where an explicit differentiation is required.
Frames and Addressing
The network adapter encapsulates the instructions it receives from the protocol stack into a logical
sequence known as a frame.
Frames contain addressing information to ensure that the protocol stack message reaches the correct
target network adapter on the local network. As discussed in Module 3, each network adapter has a
unique address known as a MAC address. This is usually assigned by the manufacturer of the network
adapter and is in hexadecimal format.

Note: The authority responsible for allocating a unique address is the Institute of Electrical
and Electronics Engineers, Inc. (IEEE).


To determine the MAC address of the destination network adapter, the local network adapter typically
broadcasts a request for the required MAC address. This 48-bit address is stored by the network adapter
in the source MAC address field in the network frame.

Note: Other than these unique MAC addresses, the addressing fields in a frame can also
contain specially formatted addresses; these include broadcasts and multicasts. These special
addresses and the kinds of communications that require them are discussed later in the course.
Ethernet Frame Structure

Frame structures vary according to the architecture. Even within Ethernet, there are variations of frame
structure, depending on the Ethernet standard implemented. Some variations, including older
implementations that you might hear of, are as follows:

Ethernet II. This would have been one of the earliest Ethernet frame types; it supports TCP/IP and
IPX/SPX.

Ethernet 802.3 or Ethernet raw. Only supports Novell's IPX/SPX protocol.

Ethernet 802.2 logical link control (LLC). Contains additional header information compared to
802.3 and allows for managing varying MAC types.

Ethernet Subnetwork Access Protocol. Supports TCP/IP, IPX/SPX, and AppleTalk.

The last two types enable the encapsulation of the data to enable the insertion of other protocols.
Ethernet Subnetwork Access Protocol would be the most widely used and relevant frame type. There are
differences between the frame type structures but generally they can be described as consisting of the
following:

Preamble. A series of bits that enables the transmitter and receiver network adapters to synchronize
and establish a link.

Start frame delimiter. A single byte that signifies the start of the frame.

Destination MAC address. MAC address of the network adapter receiving the data.

Note: The destination MAC address referred to above is present when on the local subnet
only. If the destination MAC address were to be on a different network segment, the destination
MAC address would be the router's interface.

Source MAC address. MAC address of the network adapter sending the data.

Length/type. The length field is present in all frame types except Ethernet II, which had a type field.
The Length field assigns a value to the frame size and the type indicates the protocol type that is
interpreting the frame data. The type information is contained in the data field in the Ethernet
Subnetwork Access Protocol frame type.

Data. This data field contains the actual data. In all standard cases, it is between 46 bytes and 1,500
bytes. For 802.2 LLC and Ethernet SNAP, it encapsulates the data to allow for easier interaction with
other protocols.

Note: Remote Direct Memory Access (RDMA) in Windows Server 2012 allows for the transfer of data
from the memory of one computer to the memory of another computer without any interaction from
either computer's operating system, CPUs, or caches. This is achieved by using NICs that support the
Server Message Block (SMB) Direct protocol. This can have a significant effect on data transfer rates.


Pad. The 802.3 frame type can pad the data field.

Frame check sequence. The last field in a typical frame is the frame check sequence (FCS). This field
is used to calculate a checksum value to determine the integrity of the frame. As outlined previously,
the FCS that is used in Ethernet frames is cyclic redundancy checks (CRCs). Frames that are damaged
in transit are dropped by the network adapter.
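The frame layout and the FCS check described above, as an added example that is not part of the course material. It builds an Ethernet II frame (destination MAC, source MAC, type, data padded to the 46-byte minimum) and appends the CRC-32 frame check sequence, then parses a frame back and rejects it when the FCS does not match, which is what the adapter does with a frame damaged in transit. The preamble and start frame delimiter are omitted because the adapter hardware adds and strips them; the MAC addresses and payload are constructed sample values.

```python
import struct
import zlib

MIN_PAYLOAD = 46       # minimum data field length; shorter payloads are padded
MAX_PAYLOAD = 1500     # maximum data field length
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6-byte wire form."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must have six octets")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame: 14-byte header, padded data, trailing FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    padded = payload + b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + padded
    # The Ethernet FCS is the IEEE 802.3 CRC-32 (same polynomial and conventions
    # as zlib.crc32), transmitted least-significant byte first.
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def parse_frame(frame: bytes):
    """Split a frame into its fields after verifying the FCS.

    Returns a dict of fields, or None when the frame is too short or the FCS
    does not match the recomputed CRC (a real adapter drops such frames)."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        return None
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        return None
    return {
        "dst": bytes_to_mac(body[0:6]),
        "src": bytes_to_mac(body[6:12]),
        "ethertype": struct.unpack("!H", body[12:14])[0],
        # Data still carries any padding; the upper-layer protocol knows its own length.
        "data": body[14:],
    }


def demo():
    """Build a frame from constructed addresses, then damage one bit in transit."""
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, b"hello")
    good = parse_frame(frame)
    damaged = bytearray(frame)
    damaged[20] ^= 0x01          # single-bit error inside the data field
    return good, parse_frame(bytes(damaged)), len(frame)


if __name__ == "__main__":
    good, bad, size = demo()
    print(size, "bytes;", good, "; damaged frame accepted:", bad is not None)
```

The 5-byte payload comes out as a 64-byte frame (the Ethernet minimum) because of the padding, and the damaged copy parses as None even though only one bit changed, which is the property the FCS exists to provide.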

Installing a Network Adapter

Historically, those responsible for installing network adapters into computers had to fit a separate
network adapter into an available expansion slot inside the computer. These days, it is more usual to
find network adapters as integrated components on the computer's motherboard. As soon as the network
adapter is installed, you must connect it to the network. Typically, network adapters have a single
connector for this purpose.

Note: To determine what kind of network connector you have, view the back of the
desktop computer. Depending on what country/region you are in, you may see a Registered
Jack-45 (RJ-45) connector. This resembles a standard telephone jack.

After you have connected the network adapter to the network cabling, depending on your requirements,
you typically attach the other end of the wire to a network switch or hub.
In some instances, a Direct Cable Connection, or direct cabling, between two computers is required, such
as for use with a cluster heartbeat. This requires a cable to connect the two devices. The cabling required
in this scenario requires the cable pairs on one end of an Ethernet cable to be the reverse of the other
end. So either some customization of the cable is required, or a specific crossover cable is needed.

What Is a Hub?
Some early networks used wiring systems in which each node was connected directly in a ring. Other
networks implemented a single cable that was routed to each node in sequence, creating a chain of
networked computers. Both cabling methods have several problems. First, if the cable was damaged,
network integrity was lost and communication was disrupted. Second, because cabling was frequently laid
to limit cable lengths, or to find a convenient path to the next node, it was not always easy to locate the
faulty cable. As networks became more popular, administrators tried to resolve these problems.

Later, network devices that enabled star wiring of network nodes were adopted. These devices were
known as hubs and enabled each network node to be connected back to a central point. This addressed
the problem of unstructured wiring and also of network failure that results from a break in the cable. A
cable fault resulted in a single node being isolated.


Some early hubs supported different kinds of cabling connectors, known as ports, to enable connection of
twisted-pair cabling, coaxial cabling, and other media. Even today's simple consumer hubs support wired,
wireless, and Asymmetric Digital Subscriber Line (ADSL) ports.
You can use hubs to extend the network. Depending on the network topology being used, you can
connect a chain of hubs together potentially over very long distances.

Note: Ethernet has several rules that define how you can extend the network. As defined in
the 5-4-3 rule, you can connect five segments by using four repeaters as long as only three of the
segments have active nodes. In early coaxial implementations of Ethernet, the maximum segment
length with thick coaxial was 500 meters. The maximum end-to-end length of an Ethernet
network is defined as 2.5 kilometers. This does not allow for bridging or routing to extend the
network.
Note: Hubs are generally not used any longer and are considered legacy devices with
limited functionality for modern networks and data transmission requirements. Switches have
replaced hubs.

What Is a Switch?

In contention-based networks, such as Ethernet, all connected nodes share the media and its available
bandwidth. Therefore, if there are 10 nodes on a network that has a 10 Mbps bandwidth, it can be said that
each node has an available bandwidth of a tenth of the total bandwidth, or 1 Mbps. If you add nodes to the
network, the share each has of the total decreases in inverse proportion to the number of connected
nodes. Therefore, when there are 20 nodes, each has a twentieth of the bandwidth. A significant problem
of contention networks with many connected nodes is that throughput degrades. A bigger issue is the
collision that occurs on a link, which results in the further reduction of the available bandwidth. The simple
solution is to reduce the number of nodes in each segment. You can do this by implementing MAC-level
bridging.
A switch is like a hub. It acts as a wiring concentrator to which all network devices are connected. It
performs the same isolation when a cable failure occurs while maintaining the integrity of the network.
However, there are some fundamental differences.
Characteristics of a Switch
Layer 2 Switches

The significant difference between a hub and switch is that the switch can perform MAC-level bridging
between ports. In other words, each node has exclusive use of the bandwidth of the segment during its
transmission. So every device connected to the switch is exclusively talking with the switch. The switch has
a table that shows which MACs are connected to which ports. This means that traffic is only sent to the
wires that require the information.
You can configure each host to have a single port, or you can connect a hub to a switch port. When you
connect a hub to a switch port, the nodes on the hub all share the bandwidth configured for the port on
the switch to which the hub is connected. In this manner, you can determine how much bandwidth is


available to each port and nodes connected to the ports. Switches that provide this function are known as
Layer 2 switches.
With modern switches, you can also program a group of ports to behave like a hub. For example, you
could create a group of ports to enable network load balancing or to provide for network level analysis.
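The MAC-to-port table that gives a switch its advantage over a hub, as an added example that is not part of the course material. The simulated switch learns which port each source MAC arrived on, forwards a frame only to the port where the destination is known, floods it to all other ports when the destination is unknown or a broadcast, and sends nothing when sender and receiver sit behind the same port (the hub-on-a-switch-port case described above). The per-port limit on learned addresses is an assumed hardening feature, not something the course describes; the MAC addresses are constructed sample values.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Layer2Switch:
    """A learning switch: MAC table per port, forward or flood accordingly."""

    def __init__(self, port_count: int, max_macs_per_port: int = 8) -> None:
        self.ports = list(range(1, port_count + 1))
        self.mac_table: dict = {}          # MAC address -> port number
        self.max_macs_per_port = max_macs_per_port
        self.violations = 0                # frames refused by the per-port limit

    def _learn(self, in_port: int, src_mac: str) -> bool:
        """Record src_mac on in_port. Returns False when the port's limit is hit."""
        if self.mac_table.get(src_mac) == in_port:
            return True                    # already known on this port
        learned_here = sum(1 for p in self.mac_table.values() if p == in_port)
        if learned_here >= self.max_macs_per_port:
            self.violations += 1
            return False
        self.mac_table[src_mac] = in_port  # new address, or station moved ports
        return True

    def handle_frame(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Return the ports the frame is sent out of (a hub would return all but in_port)."""
        if in_port not in self.ports:
            raise ValueError(f"no such port {in_port}")
        if not self._learn(in_port, src_mac):
            return []                      # refused: do not learn, do not forward
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast, or destination not yet learned: flood to every other port.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination shares the sender's port (e.g. both hang off one hub).
            return []
        return [out_port]


def demo():
    """Hosts 01 and 02 on ports 1 and 2; hosts 03 and 04 share a hub on port 3."""
    sw = Layer2Switch(4)
    a, b, c, d = ("aa:aa:aa:aa:aa:0" + n for n in "1234")
    results = [
        sw.handle_frame(1, a, b),   # b unknown: flooded to ports 2, 3, 4
        sw.handle_frame(2, b, a),   # a now known on port 1: unicast to port 1
        sw.handle_frame(1, a, b),   # both known: unicast to port 2
        sw.handle_frame(3, c, d),   # d unknown: flooded to ports 1, 2, 4
        sw.handle_frame(3, d, c),   # c and d both on port 3: nothing forwarded
    ]
    return results, dict(sw.mac_table)


if __name__ == "__main__":
    for step, ports in enumerate(demo()[0], 1):
        print(f"frame {step} sent to ports {ports}")
```

After the first reply the switch stops flooding unicast traffic between the two hosts, which is the "traffic is only sent to the wires that require the information" behaviour in the text. Because the table is populated from unauthenticated source addresses, capping what each port may teach the switch is the usual way to keep the table under control.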
Layer 3 Switches

Some switches can provide protocol-specific routing functions at the protocol stack layer. For example,
you can configure the switch to provide routing for IP packets, but not to perform MAC-level bridging for
non-IP-based frames. Switches that provide this routing functionality are known as Layer 3 switches.

Note: Network protocols, such as IP, encapsulate instructions received from higher-level
protocols, such as TCP, into a structure known as a packet.

Layer 3 switches route packets. The switch examines the packet and makes a routing decision based on
the destination packet address. Layer 3 switches also perform additional routing functions. For example,
Layer 3 switches can check packet integrity, respond to Simple Network Management Protocol (SNMP)
management systems, and observe and decrement packet Time-to-Live (TTL) values.
In some ways, a Layer 3 switch can provide several improvements over more traditional routers. For
example, Layer 3 switches:

Divide networks into logical subnets by using the Layer 2 configuration instead of at the port level,
such as a traditional router. This provides a more flexible configuration.

Are generally less expensive than traditional routers.

Provide faster forwarding performance than traditional routers.

Be aware that Layer 3 switches do not provide support for wide area networks (WANs).
Layer 4 Switches
Some more advanced switches are equipped with a firewall service module that enables the switch to
make forwarding decisions based on the type of data in the segment. These kinds of advanced
functionality switches are known as Layer 4 switches.

Also as discussed in Module 3, switches allow for creating a VLAN. A VLAN is a virtual implementation of a
LAN that lets you control what nodes receive what traffic and then group the nodes accordingly. For
example, nodes in a different physical or geographical location can behave as if they were on the same
logical network.

Note: Transport protocols, such as TCP, encapsulate instructions received from applications
into a structure known as a segment.

Switches with a firewall service module examine the content of segments received and determine whether
and how to route the segment based on the specific TCP port being used.

Note: TCP ports are examined in a later module of this course.


In addition to port switching, Layer 4 switches (and some Layer 3 switches) can make switching
decisions based on the priority of network traffic. In this mode, lower-priority traffic is buffered at
the switch, whereas higher-priority traffic is handled.

Note: Quality of Service (QoS) values are a way to indicate the priority of traffic. Some
network transport protocols implement QoS to support application prioritization needs. The
switch can read and interpret these QoS values.


Lesson 4

Understanding Routing


You must understand how routers make routing decisions so that you can plan their deployment and
configuration to support the desired functionality of the network. Different routing protocols are suited to
different network environments. A good understanding of these different protocols will enable you to
manage your LAN and wide area network (WAN) more efficiently.

Lesson Objectives
After completing this lesson, you will be able to:

Describe routers.

Describe a routing table.

Understand routing protocols.

Select a suitable routing configuration.

What Is a Router?
Historically, routers were implemented in
networks in order to extend the LAN into a WAN.
One router interface would be connected to the
LAN, and another to a telephony circuit of some
type. At the destination, a similarly configured
router was deployed. Packets could flow between
the networks as required.
As the cost of routers decreased, network
administrators began to implement routers in a
single geographic location in order to manage
traffic. Routers forward packets based on the
destination network identification (ID) instead of
the MAC address of a host. Routers operate at the network layer and handle transport protocol
instructions encapsulated in packets.

Network nodes determine whether a destination host is a member of another LAN (or VLAN) when they
begin communications. Elements of the network transport protocol make this determination by
comparing the source and destination network addresses in the packet. When a node is determined to be
in a different network, the node tries to route the packet to that network. Usually, this means that the
packet is forwarded to a router on the local network. This behavior is a significant departure from the way
communications occur with Layer 2 switches or bridges. The nodes explicitly address the frame to the
router that will handle the routing process of the encapsulated packet.
In order to perform routing, the router must know what other networks exist and how to reach them.
Routers maintain this information in routing tables. Routing tables are either static or dynamic. Static
routing tables are maintained by a network administrator who must add the required routes manually to
the table. Dynamic routing tables are maintained by the propagation of routing information between
routers themselves using special routing protocols.

How a Router Determines a Destination


A router determines the destination network for a
packet by examining the destination network
address and comparing it to entries in its routing
table. If the destination network is found in the
routing table, and there is a single route to that
network, the router forwards the packet to the
next router in turn. When multiple routes to the
destination network exist, the router must make a
selection as to the best route.


To determine the best path to a remote network, routers use routing algorithms. Most algorithms
support multiple paths between networks. Multiple paths are good because they enable redundancy in
your routing architecture. Some routing algorithms use a hierarchical structure and implement routing
backbones. A hierarchical routing structure helps make sure that you use the routing infrastructure
efficiently by bypassing slower, localized networks in favor of the backbone. Some algorithms implement
distance vectors, in which routing tables are periodically propagated to all neighboring routers. Others use
link-state propagation, in which smaller, more frequent updates are propagated.
Route Selection

The router tries to select which route to use based on factors such as the route with the most reliable link,
the route with the least cost, or perhaps the route with the lowest current network load; these criteria are
known as metrics. Frequently implemented metrics include the following:

Bandwidth

Path cost

Reliability

Shortest path length

Network load over path

Likely end-to-end delay time

Hop count

Note: A hop occurs when a packet passes through a router.

Restrictions, such as maximum transmission packet size

Communications cost of the route

When the router has selected a route, it forwards the packet to the next router in turn.

Note: Each packet on an IP network has a field named the TTL counter. Every time that the
packet transits through a network device, such as a router, the TTL counter is decremented by at
least one. When the TTL reaches zero, the router then holding the packet drops it. This makes
sure that packets do not loop around the network.
Routing Example

For example, in the following scenario, a packet is routed across three networks: network A, network B,
and network C. Two routers connect these networks, each configured by using a routing table. A host in
network A communicates with a host in network C. The following are steps describing how network A
communicates with network C:
1. The originating host creates a packet addressed to C:12. The host determines that network C is not the local network.

2. It has no knowledge of network C and forwards the packet to an adjacent router.

3. The router receives the packet and examines the destination address. It compares the destination network address and determines that it has an appropriate entry for the destination network in its routing table.

4. In this instance, it forwards packets for network C to interface B.254.

5. The second router receives the packet and examines the destination address. It compares the destination network address and determines that it has an appropriate entry for the destination network in its routing table. In fact, the router is locally connected to the destination network.

6. The second router forwards the packet to the appropriate host.

In this example, communication is being performed by every device by using the MAC address of the next
device.
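To make the lookup, metric selection and TTL handling described above concrete, here is an added Python example; it is not code from the course. It models router 1 from the three-network example with a constructed routing table: the lesson's networks A, B and C are mapped to the hypothetical prefixes 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, host C:12 becomes 10.3.0.12, and interface B.254 becomes 10.2.0.254. The lookup prefers the most specific (longest-prefix) entry, breaks ties between equal prefixes on the lowest metric, falls back to the default gateway entry when nothing else matches, and drops packets whose TTL reaches zero.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    network: ipaddress.IPv4Network  # destination network this entry covers
    next_hop: str                   # next router interface, or "direct" for an on-link network
    metric: int                     # cost of the route; lower is preferred


# Constructed routing table for router 1 (prefixes are hypothetical, not from the course).
ROUTER1_TABLE = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "direct", 0),      # network A, locally connected
    Route(ipaddress.ip_network("10.2.0.0/16"), "direct", 0),      # network B, locally connected
    Route(ipaddress.ip_network("10.3.0.0/16"), "10.2.0.254", 1),  # network C via router 2 (interface B.254)
    Route(ipaddress.ip_network("10.3.0.0/16"), "10.2.0.253", 3),  # slower backup path to network C
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.0.1", 10),     # default gateway: everything else
]


def select_route(table, destination):
    """Return the best Route for destination, or None when the table has no matching entry."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    # Longest prefix wins (the /0 default route matches everything but loses to any specific entry);
    # among equal prefixes the lowest metric wins.
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def forward(table, destination, ttl):
    """One router's decision for a packet: decrement TTL, drop at zero, otherwise pick the next hop."""
    ttl -= 1
    if ttl <= 0:
        return {"action": "drop", "reason": "TTL expired", "ttl": 0}
    route = select_route(table, destination)
    if route is None:
        return {"action": "drop", "reason": "no route", "ttl": ttl}
    return {"action": "forward", "next_hop": route.next_hop, "network": str(route.network), "ttl": ttl}


if __name__ == "__main__":
    for dst in ("10.3.0.12", "10.2.0.7", "192.0.2.9"):
        print(dst, forward(ROUTER1_TABLE, dst, ttl=64))
    print("looping packet:", forward(ROUTER1_TABLE, "10.3.0.12", ttl=1))
```

Without the default entry, a packet for an unknown network is dropped rather than forwarded, which is the behaviour the lesson's note on default gateways describes for a host or router that has no specific route.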
Static versus Dynamic Routing

In small networks, you can maintain routing table entries manually. However, for larger networks that
have routers, this is not possible. You can configure routing tables for routers dynamically by installing a
routing protocol.

Note: Hosts and routers can be configured by using a default gateway property in IP
networks. When a host, or router, does not have a specific route to a target network, it forwards
the packet to its configured default gateway. This is the usual configuration for network nodes.
Configure each router to use the other router's local interface as its default gateway. The only
exception where you do not have to configure anything is when you have only one router that
connects you to the Internet.

The main advantage of using dynamic routing, other than the benefit of not having to manually configure
your routers, is that dynamic routing supports changes in the routing infrastructure. If you add or remove
a network, you do not have to update all the routing tables. The routing protocols that you implement
make these changes automatically.

Note: Even with dynamic routing, you still have to configure each router for the LANs you
have to support. Dynamic routing only handles foreign LANs on other routers.

Common Routing Standards


By implementing a routing protocol on your
routers, you enable your routers to learn about
the state of networks, and the routes to those
networks. Additionally, this learned information
can be propagated onwards to other routers in
your organization.
How route propagation occurs varies between
routing protocols. Some route propagation
methods are better suited to large internetworks,
whereas others are more appropriate for small
networks.

Routing protocols fall into one of two categories.


The first is interior routing protocol, used for propagating routing information in an enterprise network.
The second is exterior routing protocol, used for propagating routing information between enterprises,
such as on the Internet.
The following information summarizes the common routing protocols:

Routing Information Protocol (RIP). A popular Interior Gateway Protocol (IGP). RIP uses a distance
vector algorithm to identify remote networks and uses UDP. It supports fairly small internetworks as
destinations, with a hop count greater than 16 considered unreachable.

Open Shortest Path First (OSPF). A popular link-state IGP routing protocol. OSPF uses a link-state
mechanism to propagate routing information. Link-state protocols maintain data about the network
segments to which they are connected and the current state of these networks. Therefore, OSPF
protocols are suitable for larger internal networks than RIP. OSPF does not use TCP/IP.

Border Gateway Protocol (BGP). This widely used External Gateway Protocol (EGP) was designed
specifically to enable interconnection of many enterprises on the Internet.

Discussion: Which Routing Protocol Would You Use?


Scenario 1:
A subsidiary of Fabrikam has a medium-sized
network that consists of around 500 nodes. These
nodes are distributed across several floors in their
headquarters building. Additionally, there are
about a dozen branch offices each with around 10
nodes. Routers are deployed within the network
to interconnect the networks.
Scenario 2:

Tailspin Toys has a small network that consists of around 100 nodes. Recently, network throughput has been affected by network traffic. You decide to install routers to help manage the network traffic. At first, there will be three networks connected by two routers.
Answer the following discussion questions.
Question: For the Fabrikam scenario, would you recommend static or dynamic routing?

Question: For the Fabrikam medium-sized network, is the use of a routing protocol
indicated? If so, which one would you recommend?
Question: For the Tailspin Toys scenario, would you recommend static or dynamic routing?
Question: For the Tailspin Toys small network, are routing tables required?
Question: If Tailspin Toys implements an Internet connection by using a router, how would
this change the configuration that you have selected?


Lab: Connecting Network Components


Scenario


A. Datum Corporation has created a new Research and Development team. As a result, several remote R &
D branch offices are being created.

Objectives
After completing this lab, you will be able to:

Answer the questions in the Branch Office Network Components Deployment Plan document.

Answer the questions in the Branch Office Network Wiring Plan document.

Estimated Time: 30 minutes


No virtual machines are required for this exercise.

Exercise 1: Connecting Network Components


Scenario

You are responsible for planning the installation of new network components for these new branch
offices. Alan Brewer, the national R & D Manager, is communicating with you about his specific
requirements for the regional offices. In addition, Ed Meadows, your boss in information technology (IT),
has visited some of the branch offices.
Supporting Documentation
Email Network Diagrams
From: Ed Meadows [Ed@adatum.com]
Sent: 1 Mar 2013 14:20
To: Charlotte@adatum.com
Attached: A. Datum Branch Network Plan.vsd
Subject: New branch offices

Charlotte,

The network diagrams you suggested are not quite completed yet, but you can update them with the details of
the components you require.
As you can see, there are three branches, and then the R & D function at the head office. We have to connect
the computers together in the branches and then connect the branches to the head offices.
Regards, Ed

Attached: A. Datum Branch Network Plan

Branch Office Network Components Deployment Plan


Document Reference Number: CW010210/1
Document Author: Charlotte Weiss
Date: March 1


Requirements Overview. To determine which components to install to connect nodes at branch offices
and to connect branch offices to the head office.
Additional Information
High-bandwidth applications will be used in the branches.
Devices must provide for virtual local area networks (VLANs) to support project teams that span each
branch.
Traffic should be isolated in the branch except where necessary.
It should be possible to manage traffic in the branch based on its priority.
Questions:

1. What devices are required to connect the branches together and connect the branches to the head office?

2. What issues arise when you implement these devices?

3. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.

The main tasks for this exercise are as follows:

1. Read the supporting deployment plan document.

2. Update the Branch Office Network Components Deployment Plan.

Task 1: Read the supporting deployment plan document.

1. Read the supporting email.

2. Review the Branch Office Network Components Deployment Plan.

Task 2: Update the Branch Office Network Components Deployment Plan.


Update the Branch Office Network Components Deployment Plan, by answering these questions.

1. What devices are required in the branches to support these requirements?

2. What devices are required to connect the branches together and connect the branches to the head office?

3. What issues can arise when you implement these devices?

4. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.

Results: After this exercise, you should have completed both the A. Datum Branch Network Plan diagram
and the Branch Office Network Components Deployment Plan.

Exercise 2: Selecting a Suitable Wiring Infrastructure


Scenario

You are ready to deploy the selected network components. However, first you must determine a wiring
plan for each branch.
Branch Office Network Wiring Plan
Document Reference Number: CW200210/1
Document Author: Charlotte Weiss
Date: March 20
Requirements Overview. Provide a wiring plan for the branch offices.
Additional Information
Very high bandwidths are expected.
High levels of electromagnetic interference are expected in some areas of the branches.
Cost is a limiting factor.
The solution, so far as is possible, should be future-proofed.
Proposals

1. What kind of cable would be suitable here, using the information supplied and the plan you outlined
for network components earlier?
2. How will you address the issue of high levels of electromagnetic interference?
3. What cable standards do you propose?

The main tasks for this exercise are as follows:

1. Read the supporting documentation.

2. Update the proposal document with your planned course of action.

Task 1: Read the supporting documentation

Read the Branch Office Network Wiring Plan.

Task 2: Update the proposal document with your planned course of action
Update the proposal document with your planned course of action, by answering these proposal
questions.
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined for network components earlier?

2. How will you address the issue of high levels of electromagnetic interference?

3. What cable standards do you propose?

Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.
Question: In the lab, you were asked to consider a wiring scheme for branch offices. You
were constrained by budget. Had you not been, how would that have changed your plans, if
at all?

Module Review and Takeaways


Review Questions
Question: How does a switch differ from a hub?
Question: You plan to implement a large, routed internetwork. What routing protocol would
you consider for this completely autonomous network?
Question: Why is coaxial cable generally not a good choice for data networks?

Module 5
Implementing TCP/IP
Contents:
Module Overview 5-1
Lesson 1: Overview of TCP/IP 5-2
Lesson 2: IPv4 Addressing 5-7
Lesson 3: IPv6 Addressing 5-19
Lesson 4: Name Resolution 5-24
Lab: Implementing TCP/IP 5-37
Module Review and Takeaways 5-45

Module Overview

Network protocols are responsible for providing a communications channel between applications running
on separate hosts. Most network protocols are actually a collection of multiple protocols, collectively
known as a protocol stack. Each protocol in the stack provides a different networking function. This
module focuses on the TCP/IP protocol stack.

Objectives
After completing this module, you will be able to:
Describe the functionality of the TCP/IP suite.

Describe IP version 4 (IPv4) addressing.

Configure an IPv4 network.

Describe IP version 6 (IPv6) addressing and transition.

Describe the various name resolution methods that are used by TCP/IP hosts.

Lesson 1

Overview of TCP/IP
TCP/IP is an industry-standard suite of protocols that provides communication in a heterogeneous
network. With TCP/IP, you can connect different operating systems together in a manner that helps
enable cross-platform communications.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the TCP/IP protocol layers.

Describe the TCP/IP protocol suite.

Describe Windows Socket and identify port numbers for specified protocols.

The TCP/IP Protocol Model


A protocol is a set of rules that govern how data is exchanged and transmitted between nodes over a network. If a particular node cannot use or support the protocol that another node is trying to use when communicating with it, the communication will fail. To try to address this, the TCP/IP networking model is designed around the concept of internetworking, that is, the exchange of data between different networks, frequently built on different architectures. The TCP/IP protocol model can be aligned to the Open Systems Interconnection (OSI) model, but there are some differences:

The TCP/IP model has four layers.

The TCP/IP model was developed to take advantage of the Internet, after protocols were developed.

The TCP/IP model takes a horizontal approach to organizing the communication processes.

Another way to think of this is that the OSI model defines distinct layers related to packaging, sending,
and receiving data transmissions over a network. The TCP/IP stack layered protocol suite performs these
functions.
Dividing the network functions into a stack of separate protocols, instead of creating a single protocol,
provides several benefits:

Separate protocols make it easier to support different computing platforms. Creating or modifying
protocols to support new standards does not require changing of the whole protocol stack.

Having multiple protocols operating at the same layer makes it possible for applications to select the
protocols that provide only the level of service required.

Because the stack is split into layers, the development of the protocols can proceed at the same time
by personnel who are uniquely qualified in the operations of the particular layers.

The four layers of the TCP/IP protocol stack are as follows:


Application layer. The application layer of the TCP/IP model corresponds to the application,
presentation, and session layers of the OSI model. The application layer provides services and utilities
that enable applications to access network resources.

Transport layer. The transport layer corresponds to the transport layer of the OSI model and is
responsible for end-to-end communication using TCP or User Datagram Protocol (UDP).

Internet layer. The Internet layer corresponds to the network layer of the OSI model. Protocols in this
layer are used to control packet movement between networks. It is at this layer that source and
destination address details are added to network data. The main protocol that operates at this layer is
IP and the main devices would typically be routers.

Network interface layer. The network interface layer (sometimes known as the link layer or data-link
layer) corresponds to the data-link and physical layers of the OSI model. The network interface layer
specifies the requirements for sending and receiving packets on the network media. This layer is
usually not considered part of the TCP/IP protocol suite because the tasks are performed by network
devices, for example, hubs, some parts of switches, routers, and any device with a network adapter.

The TCP/IP Protocol Suite


Each layer in the TCP/IP protocol model relates to
specific protocols.
Application Layer
This layer contains the applications and protocols
that provide access to network resources. The
following are some of the more prominent
application protocols. New and modified
protocols are continuously being added.

Hypertext Transfer Protocol (HTTP). The Internet protocol that is used to deliver information over the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS). A version of HTTP that is used to encrypt
communication between web browsers and web servers. It is also typically used to ensure general
server and client authentication for more secure intranets or extranets.

File Transfer Protocol (FTP). A protocol to copy files between two computers over the Internet.

Dynamic Host Configuration Protocol (DHCP). Protocol to automate IP address assignment and
some additional options, such as Domain Naming Servers. Used by clients that do not require a static
IP address.

Domain Name System (DNS). Enables locating computer and services by using user-friendly names
instead of IP addresses.

Post Office Protocol version 3 (POP3). An IP that enables a user to download email from a server
to a client computer.

Internet Message Access Protocol (IMAP). Another IP that enables an email client to download
email from an email server. Both IMAP and POP3 have traditionally been widely used for Internet
email.

Simple Mail Transfer Protocol (SMTP). Standard protocol to transfer email messages between
email servers. Also used in combination with POP3 or IMAP to send email messages from clients to
email servers.


Simple Network Management Protocol (SNMP). An IP that is used to provide status information
about a host on a TCP/IP network.

Remote Desktop Protocol (RDP). A proprietary protocol to provide remote display and input
capabilities over network connections for Windows-based applications between two computers.

Network Time Protocol (NTP). An IP that enables computers to synchronize time with one another.
Time synchronization is an important function when dealing with networks and network nodes.

Telnet. A protocol that operates over the Internet. Telnet enables communication between two
computers interactively, such as over a Command Prompt. Although it is not typically required in
Windows networks these days, it might still be encountered and can be useful in troubleshooting and
configuring network devices.

Transport Layer

The transport layer provides software developers the choice of TCP or UDP. The protocol is determined by
the software developer based on the communication requirements of the application.

TCP. Provides connection-oriented reliable communications for applications. Connection-oriented communication confirms that the destination is ready to receive data before it sends the data. TCP confirms that all packets are received to make communication reliable. Reliable communication is desired in most cases and is used by most applications. Web servers, FTP clients, and other applications that move large amounts of data use TCP.

UDP. Provides connectionless and unreliable communication. Reliable delivery is the responsibility of
the application when UDP is used. Applications use UDP for faster communication with less overhead
than TCP. Applications such as streaming audio and video use UDP so that one missing packet will
not delay playback. UDP is also used by applications that send small amounts of data, such as DNS
lookups.

Note: We don't discuss port numbers until the next topic, but you should be aware, as a troubleshooting tip in this context, that since Windows Server 2003, DNS servers might use TCP over port 53 to communicate with their forwarders, depending on the amount of data, so DNS lookups are not exclusively done over UDP. This can potentially cause a network to fail because firewall administrators might assume that DNS is 53 UDP only.
Internet Layer
The Internet layer protocols encapsulate transport-layer data into units called packets, addresses them,
and routes them to their destinations.

IP. Responsible for IP routing and addressing for the Windows operating systems. Implements a dual-layer IP protocol stack. This includes support for both IPv4 and IPv6.

Address Resolution Protocol (ARP). Used by IP to determine the media access control (MAC) address of local network adapters, that is, adapters installed on computers on the local network, from the IP address of a local host. ARP is broadcast-based. This means ARP frames cannot transit a router. The frames are localized and cannot be broadcast across the Internet. Some implementations of TCP/IP provided support for Reverse ARP (RARP), in which the MAC address of a network adapter is used to determine the corresponding IP address. In IPv6, ARP was replaced with IPv6 Network Discovery (ND), which establishes the relationships between neighboring nodes in a network.

Internet Group Management Protocol (IGMP). Provides support for multicast applications over
routers in IPv4 networks. Multicast involves the sending of data from a single source transmission to
multiple recipients. In IPv6, IGMP was replaced with Multicast Listener Discovery (MLD).


Internet Control Message Protocol (ICMP). Used to send error, query, or diagnostic messages in
IPv4 networks. In IPv6, ICMP was updated to provide a framework for ND and MLD to operate.

Network Interface Layer

These protocols define how data from the Internet layer is transmitted on the media and is determined by
the network architecture. Notice how the layer is not considered part of the TCP/IP protocol suite.

Sockets and Ports


To establish communication between an application on one node and another remote node, several things occur.

1. The required transport protocol (UDP or TCP) is identified and a socket is created.

2. The socket identifies the IPv4 or IPv6 address of the source and destination hosts.

3. The socket identifies the TCP or UDP port number that the application is using.

So a socket is the means by which an application and a remote computer communicate with one another. A socket opens a direct channel between the two during communication. For example, a client submits a web request through HTTP, where a connection is established and a webpage is requested, and then TCP makes sure that the webpage is transferred correctly. A socket is not a physical component in a computer or device. Instead, it is a software connection or pipe opened up between the client and server. A socket consists of a:

Protocol

Port number

Source and destination IP addresses
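The three steps above, carried out on one machine in an added Python example that is not code from the course: it creates a TCP socket, binds a throwaway echo server to the loopback address on an OS-chosen port, connects a client socket to it, and reports the tuple (protocol, source address and port, destination address and port) that identifies that socket. The echo server is a constructed stand-in for a real service such as a web server.

```python
import socket
import threading


def _echo_server(srv: socket.socket) -> None:
    """Constructed stand-in for a real service: accept one client and echo its bytes until it disconnects."""
    conn, _ = srv.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:  # an empty read means the client closed its side
                break
            conn.sendall(data)
    srv.close()


def socket_roundtrip(payload: bytes) -> dict:
    """Create a TCP socket, connect it to a loopback echo server and report the tuple that identifies it."""
    # Step 1: the transport protocol is chosen (SOCK_STREAM selects TCP) and a socket is created.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 asks the operating system for any free port
    srv.listen(1)
    server_port = srv.getsockname()[1]
    threading.Thread(target=_echo_server, args=(srv,), daemon=True).start()

    # Steps 2 and 3: the connected client socket carries the source and destination IPv4 addresses and ports.
    with socket.create_connection(("127.0.0.1", server_port)) as cli:
        src_ip, src_port = cli.getsockname()  # ephemeral port chosen by the client's OS
        dst_ip, dst_port = cli.getpeername()  # the service's listening port
        cli.sendall(payload)
        echoed = b""
        while len(echoed) < len(payload):
            chunk = cli.recv(4096)
            if not chunk:
                break
            echoed += chunk
    return {
        "protocol": "TCP",
        "source": (src_ip, src_port),
        "destination": (dst_ip, dst_port),
        "echoed": echoed,
    }


if __name__ == "__main__":
    print(socket_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

The returned source and destination ports differ: the server side is the fixed, well-known style endpoint that a firewall rule would name, while the client side is an ephemeral port that changes with every connection.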

Applications are assigned a port number between 0 and 65,535 through which they communicate. The
first 1,024 ports are well-known ports that are assigned to specific applications, although client/server
applications can communicate with one another as long as both reference the same port number. The
following table identifies some of these well-known ports.
Port    Protocol   Application
21      TCP        FTP
25      TCP        SMTP that email servers and clients use to send email
80      TCP        HTTP used by a web server
53      TCP        DNS for zone transfers
53      UDP        DNS for name resolution
67/68   UDP        DHCP for address assignment communication
110     TCP        POP3 used for email retrieval from email clients
161     UDP        SNMP for general device management
443     TCP        HTTPS for secured web server
520     UDP        Routing Information Protocol (RIP) for routing information communication

Note: A port is an inbound or outbound service endpoint that binds a communication protocol with a network address. Static port numbers are typically used only for inbound requests.

Usually it is not necessary for you to configure your applications to use specific ports. However, you must
be aware of the ports that applications are using to ensure that the required ports are open through any
firewalls in your organization. Typically, a port with a secured service behind it is not a security risk. But an
open port without a service is a security risk, because if a server is hacked, that open port can be used for
unmonitored communication.
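A defender's check that follows from this paragraph, added here and not part of the course: compare the ports a server is actually listening on against the set of services it is expected to provide, so that a listener nobody asked for stands out. The netstat-style output below is constructed sample text, not captured from a real host, and the expected set is a hypothetical allowlist built from the well-known port table above.

```python
# Constructed sample in the style of "netstat -ano" output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:52133         10.0.0.9:443           ESTABLISHED     2210
  UDP    0.0.0.0:53             *:*                                    1640
  UDP    0.0.0.0:161            *:*                                    1788
"""

# Hypothetical allowlist: (protocol, port) pairs this server is meant to serve.
EXPECTED = {("TCP", 80), ("TCP", 443), ("TCP", 3389), ("UDP", 53)}


def parse_listeners(netstat_output: str) -> dict:
    """Return {(proto, port): pid} for sockets that accept inbound traffic: TCP in LISTENING state and any UDP bind."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto, local = fields[0], fields[1]
        _, port = local.rsplit(":", 1)  # rsplit keeps IPv6 literals with embedded colons intact
        pid = int(fields[-1])
        # TCP rows carry a State column; an ESTABLISHED row is a client connection, not a service endpoint.
        if proto == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        listeners[(proto, int(port))] = pid
    return listeners


def audit_listeners(netstat_output: str, expected: set) -> dict:
    """Split observed listeners into those not on the allowlist and allowlisted services that are absent."""
    found = parse_listeners(netstat_output)
    unexpected = {key: pid for key, pid in found.items() if key not in expected}
    missing = expected - set(found)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_NETSTAT, EXPECTED)
    for (proto, port), pid in sorted(report["unexpected"].items()):
        print(f"unexpected listener: {proto}/{port} owned by PID {pid}")
    for proto, port in sorted(report["missing"]):
        print(f"expected service not listening: {proto}/{port}")
```

An unexpected entry is the case the paragraph warns about: a port that is open on the host but that no sanctioned service should own, which is worth tying back to the owning process before the firewall rule for it is written or left in place.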

Lesson 2

IPv4 Addressing

In order to connect network hosts on an IPv4 network, you must know how to configure IPv4 addresses
and related properties. This lesson will cover the general concepts around IPv4 addressing as well as how
to analyze, configure and troubleshoot IPv4 Addresses. Understanding IPv4 is pivotal to any network
administration tasks that administrators need to perform.
More information about IPv4 addressing can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309109

Lesson Objectives
After completing this lesson, you will be able to:

Describe IPv4 concepts and terminology.

Describe IPv4 IP addressing.

Identify network and host IDs.

Determine subnet addressing.

Describe more complex IPv4 addressing schemes.

Describe IPv4 automatic addressing.

IPv4 Concepts and Terminology


The success of TCP/IP as the network protocol of
the Internet is largely because of its ability to
connect networks of different sizes and systems of
different types. To understand what is occurring,
you have to understand several basic concepts.
IP Address
An IP address is a binary number that uniquely
identifies a host (computer) to other hosts, for the
purposes of network communication.
Subnet
A subnet is a subdivision of an IP network. Each
subnet has its own unique subnetted network ID.
Subnetting

Subnetting is a network design strategy that segregates a larger network into smaller components. A virtual local area network (VLAN), as mentioned earlier, lets you use switches to divide a network into virtual subnets, or VLANs; sometimes these terms are used interchangeably.
Subnet Mask

A subnet mask is a 32-bit value that enables the recipient of the IPv4 packet to distinguish the network ID and the host ID parts of the address. Typically, subnet masks use the format 255.x.x.x. The subnet mask that you use determines in which subnet your computer is located. The subnet mask is used by the TCP/IP protocol to determine whether a destination host is on the local subnet or on a remote network.

IPv4 Addresses
To configure network connectivity, you must be familiar with IP addresses and how they work. The TCP/IP Internet layer provides two protocols: IPv4 and IPv6. IPv4 is the older protocol and is still much more widely used.

Note: IPv4 is an IP that uses 32-bit source and destination addresses. RFC 791 defined IPv4 in 1981.

When you assign IPv4 addresses, you use dotted decimal notation. The dotted decimal notation is based on the decimal number system. However, in the background, computers use binary IP addresses. Therefore, you must make sure that you understand decimal and binary numbering.
For example, if you view an IPv4 address in its binary format, it has 32 characters.
11000000101010000000000111001000
IPv4 divides the binary address into four 8-bit chunks, or octets.
11000000.10101000.00000001.11001000

Notice in an 8-bit octet that each bit position has an assigned decimal value, and each bit is set to either 0 or 1. The low-order bit, the rightmost bit in the octet, represents a decimal value of 1. The high-order bit, the leftmost bit in the octet, represents a decimal value of 128. The highest decimal value of an octet is 255, that is, all bits are set to 1.
To make the IP addresses more readable, the address is usually shown in its dotted decimal notation.
192.168.1.200

Note: You can use the Windows calculator for binary-to-decimal and binary-to-hex
conversion.

Network and Host IDs

An IP address has two parts: network ID and host ID. To determine how the IP address is broken down, a subnet mask is used. The subnet mask:

Identifies the subnet on which the computer resides. This is the network ID.

Identifies the unique identity of the computer. This is the host ID.

Enables a networked computer to communicate with other networked computers in a routed environment.

In simple networks, subnet masks are composed of four octets, and each octet has a value of 255 or 0. If the octet is 255, that octet is part of the network ID. If the octet is 0, that octet is part of the host ID. The subnet mask is filled with 1s from the left to the right to identify the network part, and filled up with 0s for the host part. The subnet mask does not have to fill up whole octets. A different notation of the subnet mask that is typically used is IPAddress/number-of-1-bits. For example, 10.10.0.10/16, where 16 represents the number of 1s that are used in the network ID.

The following table outlines the various components that go into making network and host IDs and how
they interact. Lining up the IP address and the subnet mask together, the network and host parts of the
address can be displayed and broken out into their corresponding binary values. This is shown in the first
two rows of this table.
IP Address        192.168.002.181   11000000.10101000.00000010.10110101
Subnet Mask       255.255.255.000   11111111.11111111.11111111.00000000
Network Address   192.168.002.000   11000000.10101000.00000010.00000000
Host Address      000.000.000.181   00000000.00000000.00000000.10110101

The first 24 bits (the number of 1s in the subnet mask) are identified as the network address, with the last
8 bits (the number of remaining 0s in the subnet mask) identified as the host address. This is shown in the
second set of numbers in the previous table.

So in this example, using a 255.255.255.0 subnet mask, the network ID is 192.168.2.0, and the host address
is 0.0.0.181. When a packet arrives on the 192.168.2.0 subnet (from the local subnet or a remote network),
and it has a destination address of 192.168.2.181, your computer will receive it from the network and
process it.
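The binary arithmetic behind this topic and the preceding one, carried out in an added Python example that is not the course's code: the functions render an address as dotted binary octets, derive the network ID and host ID by ANDing with the subnet mask, convert a mask to its /prefix length (rejecting masks whose 1 bits are not contiguous), and decide whether two addresses share a subnet, which is the test a host performs before choosing between local delivery and its default gateway. The addresses used are the lesson's own examples.

```python
def ip_to_int(dotted: str) -> int:
    """Parse dotted decimal into the 32-bit integer the host actually works with."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Render an address as four dotted 8-bit octets, as the lesson's tables do."""
    return ".".join(f"{(ip_to_int(dotted) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Number of leading 1 bits in a subnet mask; a mask such as 255.0.255.0 is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"subnet mask is not contiguous: {mask}")
    return ones


def split_address(address: str, mask: str) -> dict:
    """Separate an address into its network ID and host ID using the mask."""
    a, m = ip_to_int(address), ip_to_int(mask)
    network = a & m                      # bits under the mask's 1s
    host = a & ~m & 0xFFFFFFFF           # bits under the mask's 0s
    return {
        "network_id": int_to_ip(network),
        "host_id": int_to_ip(host),
        "prefix": prefix_length(mask),
        "cidr": f"{int_to_ip(network)}/{prefix_length(mask)}",
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when both addresses have the same network ID under the mask (local delivery, no router needed)."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


if __name__ == "__main__":
    for label, value in (("address", "192.168.2.181"), ("mask", "255.255.255.0")):
        print(f"{label:8} {value:16} {to_binary(value)}")
    print(split_address("192.168.2.181", "255.255.255.0"))
    print("same subnet as 192.168.3.7:", same_subnet("192.168.2.181", "192.168.3.7", "255.255.255.0"))
```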

IPv4 Address Classes


The Internet Assigned Numbers Authority (IANA)
organizes IPv4 addresses into classes. The number
of hosts that a network has determines the class of
addresses that are required. IANA has named the
IPv4 address classes from Class A through Class E.
Classes A, B, and C are IP addresses that you can
assign to host computers as unique IP addresses.
This is known as unicast assignment. Multicast
addresses are Class D addresses and are assigned
directly by IANA. Class E addresses are reserved by
IANA for experimental use.
The following table lists the characteristics of each
IP address class. Notice how the number of hosts per network decreases as the subnet mask increases.
Class   First Octet   Default Subnet Mask   Number of Networks    Number of Hosts per Network
A       1-126         255.0.0.0             2^7 - 2 = 126         2^24 - 2 = 16,777,214
B       128-191       255.255.0.0           2^14 = 16,384         2^16 - 2 = 65,534
C       192-223       255.255.255.0         2^21 = 2,097,152      2^8 - 2 = 254

Note: The IPv4 address 127.0.0.1 is used as a loopback address. You can use this address to
test the local configuration of the IPv4 protocol stack. Therefore, the network address 127 is not
permitted for configuring IPv4 hosts.


5-10 Implementing TCP/IP

Devices and hosts that connect directly to the Internet require a public IPv4 address. Hosts and devices
that do not connect directly to the Internet use a private IPv4 address, which is not directly exposed to or
visible from the Internet.
Public IPv4 Addresses

Public IPv4 addresses must be unique. IANA controls the public IPv4 address space and allocates blocks of
it to the regional Internet registries, which in turn allocate address space to Internet service providers
(ISPs). Usually, your ISP allocates you one or more public addresses from its address pool. The number of
addresses that your ISP allocates to you depends on how many devices and hosts you have to connect to
the Internet. In summary, public IPv4 addresses:

Are required by devices and hosts that connect directly to the Internet.

Must be globally unique.

Are routable on the Internet.

Are allocated from the IANA-managed address space (through registries and ISPs); you cannot simply pick
them yourself.

Private IPv4 Addresses

The pool of unallocated public IPv4 addresses is almost exhausted, so IANA issues very few new public
IPv4 addresses. Technologies such as Network Address Translation (NAT) enable administrators to use a
relatively small number of public IPv4 addresses while still enabling local hosts, which use private
addresses, to connect to remote hosts and services on the Internet.


Fundamentals of a Windows Server Infrastructure

5-11

IANA defines the address ranges in the following table as private. Internet routers do not forward packets
originating from, or destined to, these ranges.

Class  Mask          Range (CIDR)     Range
A      255.0.0.0     10.0.0.0/8       10.0.0.0 - 10.255.255.255
B      255.240.0.0   172.16.0.0/12    172.16.0.0 - 172.31.255.255
C      255.255.0.0   192.168.0.0/16   192.168.0.0 - 192.168.255.255

Note: RFC 1918 defines these private address ranges (RFC 3330, Special-Use IPv4 Addresses, also lists
them). Because they are never valid on the Internet, a packet with a source address in one of these ranges
arriving on an Internet-facing interface indicates spoofing or misconfiguration, and perimeter filters should
drop it.


In summary, private IPv4 addresses:

Are not routable on the Internet.

Can be assigned locally by the organization.

Must be translated to access the Internet.
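The classification rules above (the address classes, the RFC 1918 private ranges, the loopback network and the 169.254.0.0/16 range that Windows uses when no DHCP server answers, covered later in this module) as an added Python example. This is not code from the course; it uses only the standard library's ipaddress module, and the function names classify and only_internet_routable are this example's own. The last function shows the practical use of the distinction: a server that connects to a user-supplied address should refuse anything that is not public unicast.

```python
import ipaddress

# From the module's class table: first-octet range and default mask per class.
# Classes D and E carry no default mask because they are never assigned to hosts.
IPV4_CLASSES = (
    ("A", 1, 126, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),      # multicast
    ("E", 240, 255, None),      # experimental
)

# The RFC 1918 private ranges, the loopback network, and the APIPA range that
# Windows falls back to when no DHCP server answers.
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def address_class(addr):
    """Return (class letter, default mask) for an IPv4Address; (None, None) for 0.x and
    127.x, which are reserved and so are not counted among the 126 Class A networks."""
    first_octet = addr.packed[0]
    if first_octet in (0, 127):
        return None, None
    for letter, low, high, mask in IPV4_CLASSES:
        if low <= first_octet <= high:
            return letter, mask
    return None, None


def classify(ip_text):
    """Describe an IPv4 address the way the module's tables do.

    scope is one of loopback, apipa, private, multicast, reserved or public, and
    internet_routable is True only for public unicast addresses.
    """
    addr = ipaddress.IPv4Address(ip_text)     # strict parser: rejects "1.2.3" or "1.2.3.256"
    letter, mask = address_class(addr)
    if addr in LOOPBACK_NET:
        scope = "loopback"
    elif addr in APIPA_NET:
        scope = "apipa"
    elif any(addr in net for net in PRIVATE_NETS):
        scope = "private"
    elif letter == "D":
        scope = "multicast"
    elif letter == "E" or letter is None:
        scope = "reserved"
    else:
        scope = "public"
    return {"address": str(addr), "class": letter, "default_mask": mask,
            "scope": scope, "internet_routable": scope == "public"}


def only_internet_routable(candidates):
    """Keep only addresses a server may legitimately reach on the Internet: the check to run
    before connecting to a user-supplied host, so that a request cannot be steered at
    127.0.0.1, a 10.x management network or the 169.254.x link-local range."""
    return [c for c in candidates if classify(c)["internet_routable"]]


if __name__ == "__main__":
    for ip in ("192.168.2.181", "10.0.0.5", "172.31.255.255", "172.32.0.1",
               "127.0.0.1", "169.254.10.20", "224.0.0.251", "240.0.0.1", "8.8.8.8"):
        print(classify(ip))
```

Note that 172.32.0.1 is public even though it is a Class B address: the private block 172.16.0.0/12 ends at 172.31.255.255, which is the kind of boundary a hand-written string comparison gets wrong and the ipaddress containment test gets right.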

Determining Subnet Addresses


A Class A, B, or C TCP/IP network can be further
divided, or subnetted, by a system administrator.
Subnetting is necessary for you to reconcile the
logical address scheme of the Internet with the
physical networks that your organization uses. By
using subnets, you can separate networks that
have different security levels, such as a perimeter
network, test environment, manufacturing network,
office network, or classroom network. After those
networks are separated, you can add security
devices, such as firewalls, between them. A firewall
between the networks provides an additional level
of access control.
In order to select an appropriate addressing scheme for your organization, follow these steps:
1. Decide whether to use public or private IPv4 addresses.

2. Determine the number of subnets you need, and then determine the subnet bits. For example, if you
need six subnets, you need three subnet bits (this provides eight subnets). The number of subnets is
calculated by using the formula 2^n, where n is the number of subnet bits. More examples are provided in
the following table.

Subnets  Subnet Bits      Subnets  Subnet Bits
2        1                16       4
4        2                32       5
8        3                64       6

3. To determine the subnet mask, evaluate the binary value of the subnet bits. For example, if you are
using three subnet bits (11100000), then the subnet mask octet is 224. To determine the increment
between subnet addresses, evaluate the lowest-value 1 bit in the subnet mask. For example, the lowest
1 bit in the 224 subnet mask has the value 32, so 32 is the increment between subnet addresses. More
examples are provided in the following table.

Subnets  Subnet Bits  Binary    Subnet Mask  Increment Between Addresses
2        1            10000000  128          128
4        2            11000000  192          64
8        3            11100000  224          32
16       4            11110000  240          16
32       5            11111000  248          8
64       6            11111100  252          4

4. To assign host IP addresses, remember the following:

The first host is one higher than the subnet ID.

The last host is two lower than the next subnet ID (one lower than the broadcast address).

The first and last address in any network or subnet cannot be assigned to an individual host.

The number of hosts depends on the number of host bits. The formula is 2^n - 2, where n is the
number of host bits.

The all-zeros host value is the network address, and the all-ones host value (255 in a /24, or whatever the
last address in the subnet is) is reserved for broadcast communication. More examples are provided in
the following table.

Subnets  Subnet Bits  Binary    Subnet Mask  Increment Between Addresses  Host Bits  Number of Hosts
2        1            10000000  128          128                          7          126
4        2            11000000  192          64                           6          62
8        3            11100000  224          32                           5          30
16       4            11110000  240          16                           4          14
32       5            11111000  248          8                            3          6
64       6            11111100  252          4                            2          2

Note: Notice that you are trading off the number of subnets and the number of hosts.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on
each subnet. Using more bits than you need allows for subnet growth but limits growth for hosts.
Using fewer bits than you need allows for growth in the number of hosts you can have but limits
growth in subnets.


As a practical example, consider that you have seven locations (round up to eight subnets) in the
172.16.0.0 network. Three subnet bits are taken from the third octet, so the subnet mask is 255.255.224.0
and the subnets have the ranges shown in the following table. Always write the mask out as all four
octets rather than as the single subnetted octet (224), because the subnetted octet alone does not say
where in the address it applies.

Subnet  Host address range
1       172.16.0.1 - 172.16.31.254
2       172.16.32.1 - 172.16.63.254
3       172.16.64.1 - 172.16.95.254
4       172.16.96.1 - 172.16.127.254
5       172.16.128.1 - 172.16.159.254
6       172.16.160.1 - 172.16.191.254
7       172.16.192.1 - 172.16.223.254
8       172.16.224.1 - 172.16.255.254
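The four-step procedure above, carried through in code as an added Python example (not code from the course). Given a classful base network and the number of subnets required, plan_subnets (a name chosen for this example) rounds up to a power of two, derives the mask and the increment, applies the 2^n - 2 host rule, and lists the first host, last host and broadcast address of every subnet. Run on 172.16.0.0/16 with seven locations it reproduces the eight-subnet table above; it also works for any other base network and count, which the tables on the page show only for one octet.

```python
import ipaddress
import math


def plan_subnets(base_network, subnets_needed):
    """Work through the module's four steps for a classful base network.

    base_network    the network to divide, e.g. "172.16.0.0/16" (the Class B from the worked example)
    subnets_needed  how many subnets the organization needs; rounded up to the next power of two
    Returns the subnet bits, mask, increment, hosts per subnet and one row per resulting subnet.
    """
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    base = ipaddress.ip_network(base_network, strict=True)

    # Step 2: the smallest n with 2^n >= subnets_needed.
    subnet_bits = math.ceil(math.log2(subnets_needed))
    new_prefix = base.prefixlen + subnet_bits
    host_bits = 32 - new_prefix
    if host_bits < 2:                 # /31 and /32 leave no room for network, broadcast and hosts
        raise ValueError("%d subnets leave too few host bits in %s" % (subnets_needed, base))

    # Step 3: the mask is new_prefix ones followed by host_bits zeros; the increment between
    # subnet IDs is the value of the lowest 1 bit in the octet where the boundary now falls.
    mask = ipaddress.IPv4Address((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    boundary_octet = (new_prefix - 1) // 8            # 0-based octet holding the last mask bit
    bits_in_octet = new_prefix - 8 * boundary_octet
    increment = 2 ** (8 - bits_in_octet)

    # Step 4: hosts per subnet exclude the all-zeros (network) and all-ones (broadcast) values.
    hosts_per_subnet = 2 ** host_bits - 2
    rows = []
    for net in base.subnets(new_prefix=new_prefix):
        # first host = subnet ID + 1; last host = broadcast - 1 = next subnet ID - 2
        rows.append((str(net.network_address), str(net[1]),
                     str(net[-2]), str(net.broadcast_address)))

    return {
        "subnet_bits": subnet_bits,
        "prefix": new_prefix,
        "mask": str(mask),
        "increment": increment,
        "host_bits": host_bits,
        "hosts_per_subnet": hosts_per_subnet,
        "spare_subnets": 2 ** subnet_bits - subnets_needed,
        "subnets": rows,
    }


if __name__ == "__main__":
    plan = plan_subnets("172.16.0.0/16", 7)
    print("mask %s, increment %d, %d hosts per subnet, %d spare subnet(s)" % (
        plan["mask"], plan["increment"], plan["hosts_per_subnet"], plan["spare_subnets"]))
    for number, (network, first, last, broadcast) in enumerate(plan["subnets"], 1):
        print("%d  %s  %s - %s  (broadcast %s)" % (number, network, first, last, broadcast))
```

The spare_subnets value makes the trade-off in the note above visible: seven locations in a Class B leave one unused /19, while asking for 128 subnets of a /24 fails because a /31 has no usable host range.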

More Complex IPv4 Implementations


In complex networks, subnet masks might not be
simple combinations of 255 and 0. Instead, you
might subdivide one octet so that some of its bits
belong to the network ID and some to the host ID.
Classless addressing, or Classless Interdomain
Routing (CIDR), is addressing in which the boundary
between network and host does not have to fall on
an octet boundary: the mask can use more or fewer
bits than a whole octet. This gives you more
granularity, so you can match the number of
subnets or hosts that you require more accurately
and use address space more efficiently.

For example, consider being assigned the address block that contains 172.16.16.1 with four branch offices
to subnet, each of which has two divisions. Using only full subnet mask octets, such as 255.255.255.0, you
would be unable to subnet the offices as required. However, classless addressing provides the capability
that you need.

In the example, the 172.16.17.0/24 branch office has host addresses from 172.16.17.1 to 172.16.17.254.
How does this work?
Breaking down 172.16.17.0/24

In binary: 10101100.00010000.00010001.00000000

Network ID: the first 24 bits (value 172.16.17)
Host ID: the last 8 bits (possible values 0 to 255)
Hosts: 172.16.17.1 to 172.16.17.254 (172.16.17.0 is the network address and 172.16.17.255 is the
broadcast address, so neither can be used as a host address.)


In the previous example, using a network of 172.16.17.0/24, the network address is 172.16.17.0, and the
hosts can use the addresses from 172.16.17.1 to 172.16.17.254.

Note: The /24 is the prefix length: the number of network (subnet) bits in the mask, counted from
the left. This notation is CIDR notation. Using masks of different lengths for different subnets of
one network is called variable length subnet masking (VLSM), and CIDR notation is the usual way of
writing such masks.

You can apply similar logic to the 172.16.16.0/22 subnet.

Breaking down 172.16.16.0/22

In binary: 10101100.00010000.00010000.00000000

Network ID: the first 22 bits (value 172.16.16, with the last two bits of the third octet belonging to the
host ID)
Host ID: the last 2 bits of the third octet and all 8 bits of the fourth octet, that is, the last 10 bits
Possible values of the third octet: 16 to 19
Hosts: 172.16.16.1 to 172.16.19.254 (2^10 - 2 = 1,022 usable addresses)

In this example, using a network of 172.16.16.0/22 (subnet mask 255.255.252.0), the network address is
172.16.16.0, and the hosts can use the addresses from 172.16.16.1 to 172.16.19.254. The broadcast address
is 172.16.19.255, which you cannot use as a host address.
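The bit-level decomposition just shown, as an added Python example that is not from the course. It serves both the 192.168.2.181 / 255.255.255.0 breakdown at the start of this lesson and the 172.16.17.0/24 and 172.16.16.0/22 breakdowns above: split_address (a name chosen here) accepts either a dotted mask or a prefix length, computes the network part (address AND mask), the host part (address AND NOT mask), the first and last host and the broadcast address, and shows each in the dotted binary form the tables use. same_subnet is the test a host applies to decide whether a destination is local or has to go to the default gateway.

```python
import ipaddress


def to_binary(value):
    """Dotted binary form of an IPv4 address or mask, e.g. 11000000.10101000.00000010.10110101."""
    return ".".join(format(octet, "08b") for octet in ipaddress.IPv4Address(str(value)).packed)


def split_address(ip_text, mask_or_prefix):
    """Break an IPv4 address into the parts the module's tables show.

    mask_or_prefix may be a dotted mask ("255.255.255.0") or a prefix length (24 or "24");
    ip_interface accepts either after the slash and rejects non-contiguous masks.
    """
    iface = ipaddress.ip_interface("%s/%s" % (ip_text, mask_or_prefix))
    net = iface.network
    host_value = int(iface.ip) & int(net.hostmask)       # address AND NOT mask
    host_part = ipaddress.IPv4Address(host_value)
    usable = net.num_addresses > 2                        # /31 and /32 have no host range
    return {
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "network": str(net.network_address),              # address AND mask
        "host_part": str(host_part),
        "first_host": str(net[1]) if usable else None,    # network + 1
        "last_host": str(net[-2]) if usable else None,    # broadcast - 1
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2 if usable else 0,
        "binary": {
            "address": to_binary(iface.ip),
            "mask": to_binary(net.netmask),
            "network": to_binary(net.network_address),
            "host": to_binary(host_part),
        },
    }


def same_subnet(a, b, mask_or_prefix):
    """True when two addresses share a network ID under the given mask: the check a host makes
    to decide whether to deliver a packet locally or hand it to the default gateway."""
    net_a = ipaddress.ip_interface("%s/%s" % (a, mask_or_prefix)).network
    net_b = ipaddress.ip_interface("%s/%s" % (b, mask_or_prefix)).network
    return net_a == net_b


if __name__ == "__main__":
    for ip, mask in (("192.168.2.181", "255.255.255.0"), ("172.16.17.0", 24), ("172.16.16.1", 22)):
        parts = split_address(ip, mask)
        print("%s/%s -> network %s, hosts %s-%s, broadcast %s" % (
            ip, mask, parts["network"], parts["first_host"], parts["last_host"], parts["broadcast"]))
        for label, bits in parts["binary"].items():
            print("   %-8s %s" % (label, bits))
```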

Automatic IPv4 Configuration


When you configure networks, you must know
how to assign static IP addresses manually and be
able to support computers that use DHCP to
assign IP addresses dynamically.
Static Configuration
You can configure static IPv4 configuration
manually for each network computer. Typical IPv4
configuration includes the following:

IPv4 address

Subnet mask

Default gateway

DNS server

Static IP address configuration has several disadvantages:

Requires administrators to go to each computer and input the information.

Can be very time-consuming, even if the network only has a few users.

Increases the possibility of making a mistake.

May not be possible if the computers are in another location or are in a secured area.

Requires administrators to make a manual update whenever the configuration changes.

Generally, it is recommended to use static IP configuration only for small networks.


DHCPv4


With DHCPv4 you can assign automatic IPv4 configurations to many computers without having to configure
each one individually. The DHCP service receives requests for IPv4 configuration from computers that you
configure to obtain an IPv4 address automatically, and it assigns IPv4 information from scopes that you
define for each network subnet. The DHCP service identifies the subnet from which the request originated
and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process. But if you use DHCP to assign IPv4 information and the
service is business critical, you must also do the following:
1.

Include resilience into your DHCP service design so that the failure of a single server does not prevent
the service from functioning.

2.

Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network and prevent communication.

IPv4 Alternate Configuration

If you use a laptop to connect to multiple networks, such as at work and at home, each network might
require a different IP configuration. If both networks use DHCP, nothing has to be done; addresses are
assigned automatically in both networks. If you must have a static address in one of the networks,
Windows supports the use of an alternate static IP address.

When you configure Windows operating system computers to obtain an IPv4 address from DHCP, use the
options on the Alternate Configuration tab to control the behavior. Configure the specific IP address,
subnet mask, and other related properties for when the DHCP server is not available.

Note: By default, Windows uses Automatic Private IP Addressing (APIPA) to assign itself an
IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. If the computer
has an address from the APIPA range, it indicates that the computer cannot communicate with a
DHCP server. Be aware that an APIPA address can only be used to communicate with similarly
configured hosts on the local network. APIPA cannot be used with Active Directory services,
Internet connectivity, other subnets, DNS, or Windows Internet Naming Service (WINS).

Demonstration: How to Configure IPv4

You can configure IP settings from the Network and Sharing Center, by using the netsh command-line
tool, or by using Windows PowerShell. You can configure a Windows-based computer to have a manual
IP configuration or to obtain an IP configuration automatically.
In this demonstration, you will see how to configure IPv4 settings manually and automatically.

Demonstration Steps
1.

Create a new DHCP scope with the following parameters.

Start IP Address: 172.16.0.5

End IP Address: 172.16.0.50

Length: 16

Subnet Mask: 255.255.0.0

2.

Configure a client for an automatic IPv4 configuration.

3.

Verify the DHCP has leased a new address.

4.

Use IPConfig to release the issued IP address on the client.

5.

Verify the DHCP server released the address.

6.

Manually assign an IPv4 configuration to the client:

IP address: 172.16.0.20

Subnet mask: 255.255.0.0

Default gateway: 172.16.0.1

Preferred DNS server: 172.16.0.10

IP Configuration Tools
Windows includes several utilities to help you
verify and define the IP configuration. Some of
these tools have been used for a long time. With
the release of Windows PowerShell 3.0 in
Windows Server 2012, there are now new ways of
doing things that allow for more control and
manipulation of operating systems and their
various components.


This section covers some of the older tools because they are still relevant and you will encounter them in
day-to-day tasks. It also outlines some common Windows PowerShell network configuration cmdlets
without going into too much detail about how they work.
Some of these older tools include the following:

IPConfig

Ping

Tracert

Pathping

IPConfig

IPConfig is the primary client-side DHCP troubleshooting tool. If your computer is experiencing
connectivity problems, you can use IPConfig to determine the computer's IP address. If the address is in
the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This usually indicates a
DHCP-related problem: the client asked for a lease and no DHCP server answered.

From the client computer, open an elevated Command Prompt, and then use the IPConfig options in the
following table to diagnose the problem.

/all
    Displays all IP address configuration information. If the computer uses DHCP, verify the DHCP Server
    value in the output; this is the server from which the client obtained (or is attempting to obtain) an
    address. Also verify the Lease Obtained and Lease Expires values to determine when the client last
    obtained an address. Be aware that IPConfig lists the properties per local area network (LAN) adapter
    or virtual adapter, so you must know which adapter is connected to the network.

/release
    Forces the computer to release its DHCP-assigned IP address.

/renew
    Forces the client computer to renew its DHCP lease. This is useful when you think that the
    DHCP-related issue is resolved and you want to obtain a new lease without restarting the computer.
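The checks in the /all row and the APIPA note earlier in this lesson (an address in 169.254.0.0/16 means no DHCP server answered), applied automatically to ipconfig /all output, as an added Python example that is not from the course. The output below is constructed for the example: the host name, adapter names, MAC address, server addresses and lease times are invented, but the layout is the one Windows prints, including the "Autoconfiguration IPv4 Address" label that Windows uses for an APIPA address. parse_ipconfig and diagnose are names chosen here.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output for this example (values are invented).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LON-CL1
   Primary Dns Suffix  . . . . . . . : adatum.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : adatum.com
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.0.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, 3 June 2013 09:12:44
   Lease Expires . . . . . . . . . . : Tuesday, 11 June 2013 09:12:44
   Default Gateway . . . . . . . . . : 172.16.0.1
   DHCP Server . . . . . . . . . . . : 172.16.0.10
   DNS Servers . . . . . . . . . . . : 172.16.0.10

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Management:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 172.16.0.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.16.0.1
"""

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
# "   Field Name . . . . : value" -> field name without the dot leader, value without padding
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 #-]*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {section name: {field: value}}.

    Sections are the unindented header lines (one per adapter, plus the global block);
    fields are the indented dotted lines. The "(Preferred)" address state is dropped.
    """
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # adapter header such as "Ethernet adapter Ethernet:"
            current = line.rstrip(":").strip()
            sections[current] = {}
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            field, value = match.group(1), match.group(2).strip()
            sections[current][field] = value.replace("(Preferred)", "").strip()
    return sections


def diagnose(text):
    """Classify each adapter as dhcp, apipa, static or none, following the /all row above."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        if "adapter" not in name:
            continue                                # skip the global "Windows IP Configuration" block
        address = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
        if not address:
            report[name] = {"status": "none", "detail": "no IPv4 address"}
        elif ipaddress.IPv4Address(address) in APIPA_NET:
            report[name] = {"status": "apipa",
                            "detail": "%s is self-assigned: no DHCP server answered" % address}
        elif fields.get("DHCP Enabled") == "Yes" and fields.get("DHCP Server"):
            report[name] = {"status": "dhcp",
                            "detail": "%s leased by %s, expires %s" % (
                                address, fields["DHCP Server"], fields.get("Lease Expires", "?"))}
        else:
            report[name] = {"status": "static", "detail": "%s configured manually" % address}
    return report


if __name__ == "__main__":
    for adapter, result in diagnose(SAMPLE_IPCONFIG).items():
        print("%-30s %-7s %s" % (adapter, result["status"], result["detail"]))
```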

Ping

Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends and receives ICMP Echo
Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary
TCP/IP command that is used to troubleshoot connectivity to a specific host or router.
Tracert

Tracert determines the path taken to a destination computer by sending ICMP Echo Requests with
increasing Time To Live (TTL) values; each router that decrements the TTL to zero returns an ICMP Time
Exceeded message, which reveals its address. The path that is displayed is the list of router interfaces
between the source and the destination.
Pathping

Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides
detailed statistics on the individual network steps or hops.
Windows PowerShell

Windows Server 2012 also has Windows PowerShell cmdlets that you can use to manage network
configuration. The functionality of the older tools is present, and expanded upon, in Windows PowerShell.
The following table describes some of the available Windows PowerShell cmdlets that you can use to
configure IPv4. This is just a small subset of the available cmdlets.

New-NetIPAddress
    Creates a new IP address and binds it to a network adapter. You cannot change an existing IP address
    with this cmdlet; remove the existing IP address (Remove-NetIPAddress) and then create a new one.

Set-NetIPInterface
    Enables or disables DHCP for an interface.

New-NetRoute
    Creates routing table entries, including the default gateway (destination 0.0.0.0/0). You cannot change
    the next hop of an existing route; instead, remove the existing route and create a new route with the
    correct next hop.

Set-DnsClientServerAddress
    Configures the DNS servers that an interface uses.

To view general Network Adapter configurations such as the IP address, DNS server, default gateway (but
not subnet mask), type the following in the Windows PowerShell console.
Get-NetIPConfiguration

To view more IP address details, type the following:


Get-NetIPAddress


Be aware that Windows PowerShell uses the term PrefixLength instead of the term Subnet Mask, and it is
displayed in number of bits. For example, PrefixLength = 8 is 11111111, and indicates the subnet mask is
255.0.0.0.

A replacement for the ping command is the Test-Connection cmdlet. To run it, type the following:
Test-Connection [Computer Name]

To locate other cmdlets that you can use to configure the network, type the following:
Help *Net*

To read the Help for a particular cmdlet in a separate window, for example Get-NetRoute, which displays
the local routing table, type the following:
Help Get-NetRoute -ShowWindow

Windows PowerShell 3.0 has no direct equivalent of tracert and pathping; continue to use those tools, or,
on Windows Server 2012 R2 and later, use the Test-NetConnection cmdlet with its -TraceRoute parameter.

More information about Windows PowerShell Network TCP/IP cmdlets can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309110

Demonstration: How to Verify IPv4 Configuration


In this demonstration you will see how to use IPConfig to verify the computer's IPv4 configuration.

Demonstration Steps
1.

Use IPConfig or Windows PowerShell cmdlets to determine the client's current IPv4 configuration.

2.

Stop the DHCP service.

3.

Configure the client to obtain an IP address dynamically.

4.

Use IPConfig or Windows PowerShell to verify the IP address.

5.

Verify network communications with ping or the Test-Connection cmdlet.

6.

Start DHCP and renew the IP address on the client.

7.

Verify network communications with ping or the Test-Connection cmdlet.

Lesson 3

IPv6 Addressing


IPv6 is an important technology that will help ensure that the Internet can support a growing user base
and the increasingly large number of IP-enabled devices. IPv4 has served as the underlying Internet
protocol for about 30 years. Its robustness and scalability are now challenged by its limited feature set
and by the growing need for new IP addresses, due in large part to the rapid growth of network-aware
devices. IPv6 is slowly becoming more common. Although adoption might be slow, you should
understand how this technology will affect current networks and how to integrate IPv6 into those
networks.
More information about the IPv6 protocol can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkId=154442

Lesson Objectives
After completing this lesson, you will be able to:

Describe the benefits of using IPv6.

Describe an IPv6 address.

Describe IPv6 transition technologies.

Describe IPv6 automatic configuration.

Benefits of Using IPv6


IPv4 Limitations
When the IPv4 protocol was introduced, many of
today's networking requirements could not be
predicted. Therefore, the IPv4 protocol has several
limitations, including the following:

Limited address space. IPv4 uses only 32 bits to represent addresses. IANA has already allocated most
of these addresses.

Difficult routing management. IANA did not allocate IPv4 addresses in a way that allows efficient route
aggregation. Therefore, Internet backbone routers carry many thousands of routes in their routing tables.

Complex host configuration. Automatic configuration of IPv4 hosts requires you to implement stateful
autoconfiguration, for example a DHCP server or an appropriately configured router acting as a relay.

No built-in security. The base IPv4 protocol includes no method for securing network data. You must
implement IP security (IPsec) and other protocols to help secure data on IPv4 networks, which requires
significant configuration and can be complex to implement.

Limited Quality of Service (QoS). The implementation of QoS in IPv4 relies on the use of TCP and UDP
ports to identify data flows. This might not be appropriate in all circumstances, for example when the
transport header is encrypted.

IPv6 Improvements
IPv6 improvements help enable secure communication on the Internet and over corporate networks.
Some IPv6 features include the following:


Larger address space. IPv6 uses a 128-bit address space. This provides vastly more addresses than the
32-bit IPv4 address space.

More efficient routing. IANA provisions global addresses for the Internet to support hierarchical routing.
This reduces how many routes Internet backbone routers must process and improves routing efficiency.

Simpler host configuration. IPv6 supports dynamic client configuration by using DHCPv6. IPv6-enabled
hosts can also assign themselves addresses automatically by taking the network prefix from the router's
advertisements and appending a host-unique interface identifier (stable for servers, random for clients).

Built-in security. The IPv6 specification includes IPsec as a standard part of the protocol, so every IPv6
stack can authenticate and encrypt traffic without add-on software. This does not mean that IPv6 traffic
is encrypted by default: hosts protect data in transit only where you configure IPsec policy, exactly as
with IPv4.

Better prioritized delivery support. IPv6 includes a Flow Label in the packet header to provide prioritized
delivery support. This enables communication using a priority level instead of relying on application port
numbers, which also makes it possible to prioritize packets whose transport headers IPsec has encrypted.

Redesigned header. The IPv6 header is more efficient to process and easier to extend. IPv6 moves
nonessential and optional fields out of the fixed 40-byte base header into extension headers that follow
it. Extension headers are limited only by the packet size, so they can carry more information than the
40 bytes that IPv4 allows for header options.

The IPv6 Address Space


The IPv6 address space uses 128 bits compared to
the 32 bits that the IPv4 address space uses.
Therefore, a significantly larger number of
addresses is possible with IPv6 than with IPv4.
A typical IPv6 subnet allocates 64 bits for the
network ID (the prefix) and 64 bits for the host ID
(the interface identifier). However, for hierarchical
routing, organizations and ISPs are allocated
prefixes shorter than 64 bits, which they then
subdivide into /64 subnets.
IPv6 Syntax
IPv6 does not use dotted decimal notation. Instead,
IPv6 uses hexadecimal notation: eight groups of
four hexadecimal digits separated by colons. Each hexadecimal digit represents four bits, so each group
represents 16 bits.

To shorten IPv6 addresses, you can drop leading zeros and use zero compression. Within each group of
four digits, drop the leading zeros (a group consisting entirely of zeros becomes a single 0). By using zero
compression, you can represent one contiguous run of all-zero groups as a double colon (::). You can do
this only once per address; otherwise it would be impossible to tell how many zero groups each double
colon stands for. The following table shows how to simplify addresses.
A full IPv6 address:
    2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A/64

The same address with leading zeros dropped:
    2001:DB8:0:0:2AA:FF:FE28:9C5A/64

The same address with the contiguous run of zero groups compressed and leading zeros dropped:
    2001:DB8::2AA:FF:FE28:9C5A/64

An address with two separate runs of zero groups, 2001:0DB8:0000:0000:02AA:0000:FE28:9C5A/64,
cannot be represented as
    2001:DB8::2AA::FE28:9C5A/64
but can be represented either as
    2001:DB8::2AA:0:FE28:9C5A/64
or as
    2001:DB8:0:0:2AA::FE28:9C5A/64

Each IPv6 address uses a prefix to define the network ID. You use this prefix in place of a subnet mask,
similar to using CIDR notation in IPv4. The prefix is a forward slash (/) followed by the number of bits that
the network ID includes. In the previous examples, the prefix defines 64 bits in the network ID.

Transitioning to IPv6
The migration from IPv4 to IPv6 is expected to
take considerable time. This was considered when
IPv6 was designed, and the transition plan for IPv6
is a multistep process that allows for extended
coexistence. To achieve the goal of a pure IPv6
environment, consider the following points:

Applications must be independent of IPv4 and IPv6. Applications must be changed to use the newer
Windows Sockets application programming interfaces (APIs) so that name resolution, socket creation, and
other functions work the same regardless of whether IPv4 or IPv6 is in use.

DNS must support IPv6 record types. You might have to upgrade the DNS infrastructure to support AAAA
(IPv6 host address) records, which are required, and pointer (PTR) records in the IP6.ARPA reverse-lookup
domain, which are optional. Additionally, ensure that the DNS servers support DNS dynamic updates for
AAAA records so that IPv6 hosts can register their names and IPv6 addresses automatically.

Hosts must support both IPv6 and IPv4. You must upgrade hosts to use a dual-IP layer or stack. You
must also add DNS resolver support to process DNS query results that contain both IPv4 and IPv6
addresses. Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) to ensure that IPv6/IPv4
hosts can reach one another over an IPv4-only intranet.

Routing infrastructure must support native IPv6 routing. You must upgrade routers to support native
IPv6 routing and IPv6 routing protocols.

An eventual successful transition to IPv6 requires interim coexistence of IPv6 nodes in today's mainly
IPv4 environment. To support this, IPv6 packets are tunneled automatically over IPv4 routing
infrastructures. This enables IPv6 clients to communicate with one another by using 6to4 addresses or
ISATAP addresses and tunneling IPv6 packets across IPv4 networks. Because tunneled IPv6 traffic is
carried inside IPv4 packets (IP protocol 41), firewalls and intrusion detection systems that inspect only
IPv4 do not see the IPv6 payload; make sure perimeter devices either inspect or block protocol 41 as your
policy requires.

You can upgrade IPv6/IPv4 nodes to be IPv6-only nodes. This should be a long-term goal, because it
will take years for all current IPv4-only network devices to be upgraded to IPv6-only. For those IPv4-only
nodes that cannot be upgraded to IPv6/IPv4 or IPv6-only, use translation gateways as appropriate so that
IPv4-only nodes can communicate with IPv6-only nodes.

IPv6 Automatic Configuration


In addition to IPv4 automatic IP addressing, you
should understand how IPv6 addresses are
dynamically assigned.
IPv6 Address Auto-Configuration
Auto-configuration is a method of assigning an
IPv6 address to an interface automatically. Autoconfiguration can be stateful or stateless. DHCPv6
performs stateful auto-configuration while router
advertisements perform stateless configuration.


A stateful address is so called because it is assigned from a service on a server or other device that
records the assignment. The service that allocated the address to the client manages the stateful address.
Stateless addresses are configured by the client and are not maintained by any service; no record of the
assignment is kept.

The first step in auto-configuration generates a link-local address with which the host communicates with
other hosts on the local link. This communication is necessary to perform the remaining auto-configuration
tasks. The host then performs the following actions to configure IPv6:

1. When the host generates the link-local address, it also performs duplicate address detection to ensure
that the address is unique on the link. Note that, by default, a Windows server uses a link-local address
whose interface identifier is derived from its MAC address, so that the address stays the same, whereas a
Windows client uses a random interface identifier.

2. An IPv6 host sends up to three router solicitations on each interface to obtain IPv6 configuration
information. The configuration process that IPv6 uses varies, depending on the response it receives to
the router solicitations:

If IPv6 does not receive a router advertisement, it uses DHCPv6 to configure the interface.

If IPv6 receives a router advertisement with the autonomous flag on, the client uses stateless
auto-configuration and obtains the network part of the IP address from the router advertisement.

If IPv6 receives a router advertisement with the managed address configuration flag on, it uses DHCPv6
to obtain an IPv6 address.

If IPv6 receives a router advertisement with the managed address configuration flag off and the other
stateful configuration flag on, it obtains additional IPv6 configuration options from DHCPv6. However, it
obtains the IPv6 address by using stateless configuration.
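The two parts of the procedure above, as an added Python example that is not from the course: how the interface identifier of a link-local address is built, and how the router advertisement flags select the configuration source. The identifier derivation follows the modified EUI-64 method of RFC 4291 (insert FF:FE into the MAC and flip the universal/local bit) and the random alternative of RFC 4941, both of which go beyond what the page states; the page's point that a MAC-derived address is stable is shown together with its cost, namely that mac_from_eui64 recovers the hardware address of any such host seen on the link. autoconfig_sources encodes the four cases listed in step 2 as the course describes them. All function names and the sample MAC address are this example's own.

```python
import ipaddress
import os


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC:
    insert FF:FE between the OUI and the device part, and flip the universal/local
    bit (0x02 of the first octet)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def random_interface_id():
    """A random 64-bit interface identifier of the kind Windows clients use by default,
    with the universal/local bit cleared as RFC 4941 requires."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


def link_local_address(interface_id):
    """fe80::/64 followed by the 64-bit interface identifier, printed in compressed form."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + interface_id))


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64-derived address, or None if it is not EUI-64 shaped.
    This is why a MAC-based identifier lets anyone on the link fingerprint the hardware."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join("%02X" % b for b in mac)


def autoconfig_sources(ra_received, a_flag=False, m_flag=False, o_flag=False):
    """Where the host gets its address and its other options after its router solicitations,
    following the four cases in step 2 above.

    Returns (address_source, options_source) drawn from "dhcpv6", "slaac",
    "router-advertisement" and "none".
    """
    if not ra_received:
        return "dhcpv6", "dhcpv6"                 # no router answered: fall back to stateful DHCPv6
    if m_flag:
        return "dhcpv6", "dhcpv6"                 # Managed flag: address and options from DHCPv6
    address = "slaac" if a_flag else "none"       # Autonomous flag on the prefix: build it yourself
    options = "dhcpv6" if o_flag else "router-advertisement"   # Other flag: options only from DHCPv6
    return address, options


if __name__ == "__main__":
    stable = link_local_address(eui64_interface_id("00-15-5D-01-02-03"))   # sample MAC, invented
    print("server-style link-local:", stable, "-> MAC", mac_from_eui64(stable))
    print("client-style link-local:", link_local_address(random_interface_id()))
    print("RA with A+O flags:", autoconfig_sources(True, a_flag=True, o_flag=True))
```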

DHCPv6

DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts
automatically with an IPv6 address and other configuration information such as DNS servers, in the same
way that DHCPv4 does for IPv4 networks. DHCPv6 can also provide options on their own, such as the DNS
servers: while the client configures its own address statelessly, the DHCPv6 server supplies the additional
configuration.
When a host obtains an IPv6 address from a DHCPv6 server, the following steps occur:
1.

The client sends a Solicit message to locate DHCPv6 servers.


2.

The server sends an Advertise message to indicate that it offers IPv6 addresses and configuration
options.

3.

The client sends a Request message to a specific DHCPv6 server to request configuration information.

4.

The selected server sends a Reply message to the client that contains the address and configuration
settings.

When a client requests configuration information only, the following additional steps occur:
5.

The client sends an Information-request message.

6.

A DHCPv6 server sends a Reply message to the client that has the requested configuration settings.

On large networks, you can use DHCPv6 relay agents instead of adding a DHCP server on each subnet.
This is not exclusive to IPv6; DHCPv4 relay agents do the same job, with functionality similar to the
bootstrap protocol (BOOTP) relay.

Lesson 4

Name Resolution


Name resolution is the process of converting the names of computers, devices, services, or other network
nodes to IP addresses so that computers can find what they need when they want to talk to one another.
It is much more intuitive and easier for humans to deal with names than with a series of numbers such as
IP addresses. To bridge the gap between how humans prefer to think and a format that computers can
easily use, you need a process of name resolution.

The main purpose is to resolve host names to IP addresses and to provide a hierarchical structure that
enables name resolution across zones, company locations, and even across businesses and the Internet.

Over the years, the name resolution processes have evolved and morphed to meet changing realities of
networks. Because of this, there are several different name resolution methods in Windows Server 2012
such as WINS, NetBIOS over TCP/IP name resolution and DNS. DNS is the most important in modern
corporate environments. This will be the main focus of this lesson. The other resolution methods are older
technologies that only apply in limited scenarios. However, you should still understand the concepts and
processes behind all the methods because you will occasionally encounter them, whether in networks,
documentation, or even certification. Name resolution is a critical component of any network.

Lesson Objectives
After completing this lesson, you will be able to:

Configure NetBIOS and host names.

Describe Link-Local Multicast Name Resolution (LLMNR).

Describe the NetBIOS name resolution process.

Describe DNS infrastructure components.

Understand how Internet DNS names are resolved.

Understand how the client name resolution process works.

Describe the purpose of the DNS Global Names Zone.

Troubleshoot name resolution.

Configuring a Computer Name


As stated earlier, computers are given individual
names when they are set up. Each computer name
must be unique so that it can be identified on a
network. If the name is not unique, you might be
unable to establish the correct identity of the
computer that you want to communicate with.
Conceptually, the same principles outlined here
apply to other network nodes, services,
applications, and so on. However, this section
focuses specifically on computer names because
they are most relevant at this point.

When Windows Server 2012 is installed, it is given an automatically assigned computer name. This
provides some uniqueness. What makes up a valid name depends on what method you are using to resolve
that name to an IP address. For this discussion, there are two types: NetBIOS names and host names.

NetBIOS Names

A NetBIOS name is an older computer naming format. In smaller computer networks such as a home
network or workgroup you can provide a computer name such as Computer01, Computer02, and so on.
As long as the names are unique, the computers can communicate over the network. NetBIOS names
have the following characteristics:

A single name identifies the computer, such as Computer01. The name does not have a second
identifier associated with it such as Computer01.HomeNetwork. This is a key point to understand.

NetBIOS names are associated with small home networks or workgroups where traffic is not routed to
other subnets or to the Internet. It's possible that they could also be associated with older servers
that are still present on modern networks.

It enables computers to identify one another on small networks where DNS is not available.

Each NetBIOS name on a network must be unique. Otherwise, you will encounter problems when
trying to communicate between computers.

There is a 16-character limit allowed for a NetBIOS name. The first 15 characters are used for the
actual computer name and the final sixteenth character is a hexadecimal number to identify a
resource or service on that computer. For example, Server01 [20h].

Host Name

A host name is typically associated with modern corporate networks that communicate across subnets or
to the Internet. If you open a Command Prompt on your computer and type hostname, the computer
name will be returned. For example, LON-DC1, one of the lab virtual machines. In its simplest form, the
host name can look very similar to a NetBIOS name. However, the host name and the name resolution
process it uses is different. Host names have the following characteristics:

The host name is only the first part of the computer name. The computer name can contain multiple
subnames that enable it to be uniquely identified.

Host names are typically associated with corporate or larger networks that communicate across
subnets or the Internet.

The terminology associated with host names is typically used in relation to DNS.

The host name can be combined with a domain name to create what is called a fully qualified domain
name (FQDN). An example of an FQDN would be webserver.Adatum.com. The host name, WEBSERVER, is the
first part of this FQDN.

Periods are used as separators between the name and identifiers. Applications use this structured
FQDN on the Internet.

A host name cannot have more than 255 characters. This is longer than a NetBIOS name.

A host name can contain alphanumeric characters, periods, and hyphens.

In Windows operating systems, applications can request network services through Windows Sockets,
Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or
Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS
name.
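
As an added example (not from the course text), the two naming formats above modelled in Python: a
NetBIOS name is encoded as its 16-byte form with the service suffix, and a host name or FQDN is checked
against the host-name rules and split into host and domain. The 63-character limit per DNS label is the
general DNS rule, an addition not stated in the text.

```python
import re

# Limits taken from the course text: a NetBIOS name is 16 characters, 15 for the
# name and one service suffix byte; a host name is at most 255 characters and
# uses letters, digits, periods and hyphens. The 63-character limit per label is
# the general DNS rule and is an addition here, not stated in the text.
NETBIOS_NAME_LEN = 15
HOSTNAME_MAX_LEN = 255
LABEL_MAX_LEN = 63
# A label starts and ends with a letter or digit; hyphens are allowed inside.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def netbios_name(computer_name: str, suffix: int = 0x20) -> bytes:
    """Encode a computer name as the 16-byte NetBIOS name.

    The name is upper-cased and space-padded to 15 bytes; the 16th byte is the
    service suffix (0x20, the File Server service, gives the 'Server01 [20h]' form).
    """
    if "." in computer_name:
        raise ValueError("a NetBIOS name is a single label, not a dotted name")
    if not 1 <= len(computer_name) <= NETBIOS_NAME_LEN:
        raise ValueError("a NetBIOS name is 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("the service suffix is a single byte")
    padded = computer_name.upper().ljust(NETBIOS_NAME_LEN).encode("ascii")
    return padded + bytes([suffix])


def netbios_display(encoded: bytes) -> str:
    """Render an encoded name the way nbtstat prints it, e.g. 'SERVER01       <20>'."""
    return encoded[:NETBIOS_NAME_LEN].decode("ascii") + f"<{encoded[NETBIOS_NAME_LEN]:02X}>"


def is_valid_hostname(name: str) -> bool:
    """Check a host name or FQDN against the host-name rules above."""
    name = name.rstrip(".")          # the trailing root dot is not counted
    if not name or len(name) > HOSTNAME_MAX_LEN:
        return False
    return all(len(label) <= LABEL_MAX_LEN and LABEL_RE.match(label)
               for label in name.split("."))


def split_fqdn(fqdn: str) -> tuple:
    """Split 'webserver.Adatum.com' into its host name and domain, lower-cased."""
    host, _, domain = fqdn.strip().rstrip(".").lower().partition(".")
    return host, domain
```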

What Is Link Local Multicast Name Resolution?


Link Local Multicast Name Resolution (LLMNR) is a method to resolve computer host names, such as
Computer01, to IPv6 network addresses in a local subnet where DNS is not available. It was a name
resolution method introduced in Windows Server 2008 and Windows Vista, and is present in Windows
Server 2012 and Windows 8. It is useful in home networks, workgroups, or even in ad hoc networks such
as in coffee shops.
It is enabled by turning on Network Discovery in the Network and Sharing Center in Control Panel. By
default, Network Discovery is turned off on public networks. To enable LLMNR you can use Group Policy
under Computer Configuration\Policies\Administrative Templates\Network\DNS Client. Then in the Turn Off
Multicast Name Resolution setting, specify whether you want it enabled or disabled.

LLMNR is not intended as a direct replacement for NetBIOS name resolution. In Windows Server 2012,
LLMNR queries and NetBIOS queries are sent in parallel to improve performance. Also, LLMNR only works
with Windows Vista, Windows 8, Windows Server 2008, and Windows Server 2012 operating systems. So
where older operating systems exist, LLMNR is not a name resolution solution.
LLMNR does issue queries for IPv4 addresses but only returns values for IPv6. It is also compatible with
IPv6, whereas NetBIOS is not. So as IPv6 becomes more prominent, it could conceivably be a single
non-DNS name resolution method.
One other point to emphasize again: LLMNR is not routable, so it cannot resolve computer names beyond
the local subnet.

The NetBIOS Name Resolution Process


As described earlier, NetBIOS over TCP/IP (NetBT) is a legacy technology but some networks might still
require it to support older operating systems and applications. It is the only mechanism that can
resolve names for IPv4 addresses without DNS. Therefore, administrators must still be familiar with it,
and understand the options and processes behind it.
There are effectively three main methodologies for resolving computer names using the NetBIOS name
resolution process: broadcasts, WINS, and the LMHosts file. Each of them is covered in turn here, in
addition to how they are used.
Broadcasts

Name resolution through broadcasting involves the requesting computer sending out a query to all
computers in a subnet for an owner of a computer name to respond with its IP address. This is broadcast
communication and cannot be passed across subnets. Broadcasting is not very efficient and adds to
network traffic. This can affect network performance.
LMHosts

LMHosts is an actual file list of computer NetBIOS names mapped to IP addresses. It is a static list, which
means that it has to be manually created and maintained. It is stored on the local computer in the
directory %SystemRoot%\System32\Drivers\Etc. If LMHosts is enabled, it applies to all connections for
which TCP/IP is enabled. Because LMHosts requires manual configuration, it has only limited applications,
for example, a remote employee who does not have an alternative name resolution process. An example
of an entry in the LMHosts file would be as follows.

102.54.94.117    localsrv

WINS

WINS requires a WINS server database that has the computer names and associated IP address
mappings. Using a database to resolve NetBIOS names enables computers to look up the IP address of a
computer's NetBIOS name directly. They do not have to broadcast, multicast, or refer to files that have to
be manually configured and maintained. When WINS is enabled, it applies to all connections for which
TCP/IP is enabled.
WINS is built on a protocol that registers, resolves, and releases NetBIOS names by using unicast
communication. For example, when DHCP dynamically assigns a new IPv4 address to a computer that
moves to another subnet, the moving computer automatically registers the new address in the WINS
server database.
The main advantage of WINS over other NetBIOS name resolution methods is that it is dynamic and
routable. This enables computers to obtain the IP addresses of nodes that are not on their subnet.

Also, one final method that can be used is the computer's local cache. As computers resolve NetBIOS
names to IP addresses, they store those mappings in a local cache. This means the computer doesn't have
to look elsewhere for a mapping. Entries in the cache that have not come from the LMHosts file have a
limited lifetime, about 10 minutes. After that time, the cache entries are removed. At a Command Prompt,
type Nbtstat.exe -c to view a computer's local NetBIOS cache. Nbtstat.exe has other capabilities,
including purging the cache and listing the current NetBIOS sessions.

How the broadcast and WINS methods are used to resolve NetBIOS names on a computer is defined by
what is called a NetBIOS node type that is specified on the computer. This node type setting doesn't affect
the computer using the local cache or referring to the LMHosts file; it just affects how broadcast and
WINS operate. These node types can be broken down as follows:

b-node. This uses broadcasts to resolve NetBIOS names to IP addresses. It is not routable and
increases the network traffic.

p-node. This uses point-to-point communication with a WINS server directly.

m-node. This is a mixed approach and uses broadcasts first and then, if that is unsuccessful, uses a
point-to-point approach and queries a WINS server.

h-node. This is also a mixed approach but the reverse of the m-node, that is, it directly queries a
WINS server first and then uses broadcasts.

The node type on a computer can be configured in the registry or when clients are dynamically
configured by DHCP. In most cases, the default node type is not altered. By default, Windows Server 2012
and Windows 8 clients, in addition to earlier versions, are h-node (or hybrid). At the Command Prompt
type ipconfig /all to view the Node Type field value.
When a WINS server is configured on the computer and the node type has not been changed, the
NetBIOS name resolution process is as follows:

1. Windows checks the local NetBIOS name cache.

2. Windows contacts its configured WINS servers.

3. Windows broadcasts as many as three NetBIOS Name Query Request messages on the directly
   attached subnet.

4. Windows searches the LMHosts file.

5. Windows checks whether the NetBIOS name is the same as the local host name.

6. Windows then tries the DNS resolver cache.

7. Windows then tries DNS name resolution.

You can also specify when the LMHosts file is used, that is, if a WINS query fails, the WINS server can
then query the LMHosts file before broadcasting. If all attempts fail, the name resolution process then
attempts to try DNS resolution if it is present. That process is described in more detail in the next topic.
The name resolution process stops when the first IPv4 address is found for the name.

If you ping another computer on a local network and the returned data is in IPv4 format and doesn't
have an FQDN, this indicates that the computer name was resolved by using NetBIOS name resolution. It
can't have been LLMNR, because that returns an IPv6 address, and DNS always returns an FQDN when it
resolves a computer name. If you have DNS configured and enabled on the network, this indicates a
problem with DNS.

DNS Infrastructure Components


DNS is the Microsoft preferred choice for
resolving host names to IP addresses. It is a
hierarchical structure and automates the
mechanisms of registering, identifying, caching,
and resolving host names and IP addresses. It is
routable and operates successfully across different
subnets and the Internet.

The automated nature of this process greatly simplifies and streamlines the maintenance and
management of name resolution. However, incorrectly configuring DNS can result in poor network
performance and increased computer startup times. That is mainly because of two things: the inability to
locate domain controllers, and the replication of database information.
Before you learn how DNS works, you first have to understand some core concepts.
DNS Naming Structure

The naming structure used in DNS is called the DNS namespace. It is hierarchical, which means that it
starts with a root domain. That root domain can itself have any number of subdomains underneath it.
Each subdomain can also in turn have any number of subdomains underneath it.
The domain names themselves can be either public (Internet-Facing) or private. If they are private, you
can decide on your own how to define your namespace. If they are public, you have to work with the
Internet Corporation for Assigned Names and Numbers (ICANN) or other Internet naming registration
authorities who can delegate, or sell, unique names to you. From these names, you can create subnames.

At the very root, DNS has a unique namespace, indicated by an empty string (""). Preceding this is a
single dot ("."). Below this, in the public namespace, is one of several other top-level domain namespaces.
There are three kinds of top-level domains in the public namespace:

Organizational. This domain is based on the function of an organization. For example, .com, .net,
.org, and .edu. There are more than 20 variations, and these are distributed and managed by ICANN.

Geographical. These are designated per country/region. For example, .uk for United Kingdom (co.uk
is the .com equivalent for UK-based businesses), .it for Italy, .de for Germany, and .jp for Japan. There
are more than 200 of these registered. Typically, each country/region has its own domain registration
service.

Reverse domains. These are special domains used in resolving addresses to names, that is, a reverse
lookup. These domains sit under the .arpa top-level domain, such as in-addr.arpa and ip6.arpa.

Typically, underneath these top-level domains, there are sub-domains. For example, microsoft.com,
university.edu, or government.gov. These sub-domains can also have subdomains, such as
unitedstates.microsoft.com or physicsdept.university.edu. Every computer and network node can be
identified by its FQDN. For example, Computer01.unitedstates.microsoft.com.
More information about TLDs and IP addresses can be found at the following website.
http://www.icann.org
Different from the NetBIOS naming convention is the use of multiple identities associated with each
network node. This lets you define the node's location in relation to the root of the DNS namespace.

Note: In everyday usage, the trailing dot (.) at the end of the FQDN that separates the empty string
root is usually not included in the name. For example, web browsers would use university.edu and not
university.edu. (with the trailing dot). However, the DNS client service adds the dot (.) back in when it
is querying.

The main infrastructure components that make up, or are used to build, a DNS infrastructure are as
follows:

DNS server. Contains a database of host names and IP addresses. It responds to client requests and
provides required mapping information. It can cache information for other domains. Where it does
not have the needed mapping information, it can forward DNS client requests to another DNS server.

DNS zones. A DNS infrastructure is broken up into zones, each of which is allocated a DNS server to
own, or potentially be an authoritative server for, and process requests for that particular zone. For
example, one DNS server might be responsible for the paris.europe.microsoft.com DNS zone and
another DNS server might be responsible for berlin.europe.microsoft.com. It's possible to have
variations on the number of servers per zone and across multiple zones, and also different authority
levels. You can also have different kinds of zones. For example:

Forward lookup zones. Resolve host names to IP addresses.

Reverse lookup zones. Resolve IP addresses to host names, that is, the opposite of what
happens in forward lookup zones. An organization typically controls the reverse lookup zones for
its internal network. However, some mappings for external IP addresses obtained from an ISP
might be managed by the ISP.

It is important to understand that the zone is the level of naming delegation. If a DNS server holds a zone,
either authoritative or not, it will not query other servers about names in that zone. The DNS server
considers its information up-to-date and valid (unless a sub-namespace was delegated). Administrative
delegation (who is in charge of doing what with that namespace) is also important. It is also the scope for
replication. In other words, a server cannot contain a part of the zone; either it holds a copy or it does not.

DNS Forwarders/Delegations

DNS forwarders. Forwarded queries are queries that the DNS server sends upstream when it cannot
resolve a request locally. A DNS server only forwards a query when it has not been able to resolve it
from its own authoritative data or from its own cache.

DNS delegation. Delegation is when a DNS server delegates management of part of its namespace to
another DNS server.

How DNS servers forward, delegate, and replicate the name resolution databases can have a significant
effect on query response times. This is something that should be carefully considered before deployment.

DNS resolver. Provides the service to query for host-to-IP address mappings. The DNS client service
in the Windows client operating system, Windows 8 for example, provides this functionality and also
facilitates the caching of resolved mappings in a local client cache for future use, called the DNS
resolver cache.

Windows operating system computers also contain a Hosts file. This is a file that is stored locally in the
%SystemRoot%\System32\Drivers\Etc directory. The file contains mappings for host names to IP
addresses. It can be edited manually and the DNS resolver cache can parse it to add its mapped entries to
the local DNS resolver cache when the DNS client service is started. Its structure resembles what was
shown earlier for an LMHosts file entry.

Resource records. These are the actual entries in the DNS database used to answer queries. Each
entry contains several items, including Name, Record Type, and Record Data. Defining specific record
types allows entries to be classified and provides for faster query responses. Some typical record types
would be as follows:
A. Used for resolving host names into IPv4 addresses

AAAA. Used for resolving host names into IPv6 addresses

CNAME. Used to resolve one name (alias) into another, fully qualified name, such as www into
webserver1.microsoft.com

SRV. Used to find servers providing specific services, such as domain controllers

PTR. Used in reverse lookup zones for resolving IP addresses into fully qualified host names

Note: Details about resource record definitions are also available at the IANA website.

How Internet DNS Names Are Resolved


A name resolution client query can potentially
take many paths, depending on whether it is
public or private and how the DNS infrastructure
is designed. This section examines how the
process operates in relation to Internet domain
names because it is a common scenario that most
people have encountered even though they may
not be aware of how it operates.

When DNS names are resolved on the Internet, a whole system of computers is used instead of just a
single server. There are 13 root servers on the Internet that are responsible for managing the overall
structure of DNS resolution. When you register a domain name on the Internet, you are paying for the
privilege of being part of this system.
The name resolution process for the name www.microsoft.com is as follows:

1. A workstation queries the local preferred DNS server for the IP address of www.microsoft.com.

2. If the local DNS server does not have the information, it queries a root DNS server in the organization
   for the location of the .com DNS servers.

3. The local DNS server queries a .com DNS server for the location of the Microsoft.com DNS servers.

4. The local DNS server queries the Microsoft.com DNS server for the IP address of www.microsoft.com.

5. The local DNS server returns the IP address of www.microsoft.com to the workstation.

The name resolution process can be changed in several ways, but two common options that are used are
as follows:

Caching. After a local DNS server resolves a DNS name, it will cache the results for approximately 24
hours. Later resolution requests for the DNS name are given the cached information.

Forwarding. A DNS server can be configured to forward DNS requests to another DNS server instead
of querying root servers. For example, requests for all Internet names can be forwarded to a DNS
server at an ISP, who performs the rest of the resolving chain on behalf of the requesting DNS server
and returns the answer. This is good because the local DNS server does not have to be able to
communicate with every DNS server on the Internet.
Question: Which computers in your organization should have an A record configured?
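
The five-step lookup and the caching and forwarding options above, as an added Python simulation that is
not part of the course: the server names and the 203.0.113.10 address are constructed placeholders, the
local server follows referrals from the root and caches each answer for the TTL carried on its record, and
a second server configured with a forwarder hands the whole chain to it.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed authoritative data for the three tiers in the walkthrough above.
# Server names and the address are placeholders, not real Internet servers.
# An NS entry is a referral to the next server down; an A entry is the answer.
Record = Tuple[str, str, int]                 # (type, data, ttl in seconds)
AUTHORITATIVE: Dict[str, Dict[str, Record]] = {
    "root-server":      {"com.": ("NS", "com-server", 172800)},
    "com-server":       {"microsoft.com.": ("NS", "microsoft-server", 172800)},
    "microsoft-server": {"www.microsoft.com.": ("A", "203.0.113.10", 3600)},
}


def canonical(name: str) -> str:
    """Lower-case and add the trailing root dot that the DNS client adds when querying."""
    return name.strip().rstrip(".").lower() + "."


def authoritative_answer(server: str, name: str) -> Optional[Record]:
    """How one server in the hierarchy answers: an exact match is the answer, the
    longest enclosing zone it knows is a referral, and anything else is 'no data'."""
    records = AUTHORITATIVE[server]
    if name in records:
        return records[name]
    parents = [owner for owner in records if name.endswith("." + owner)]
    return records[max(parents, key=len)] if parents else None


@dataclass
class Answer:
    address: Optional[str]     # None when no server could answer
    ttl: int                   # seconds the answer may be cached
    path: List[str]            # where the local server went to get it, in order


class LocalDnsServer:
    """The workstation's preferred DNS server: it caches answers by TTL and either
    walks the hierarchy itself (steps 2 to 4) or hands the query to a forwarder."""

    def __init__(self, forwarder: "Optional[LocalDnsServer]" = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.forwarder = forwarder
        self.clock = clock                      # injectable so tests can advance time
        self.cache: Dict[str, Tuple[str, float]] = {}   # name -> (address, expiry)

    def resolve(self, name: str) -> Answer:
        """Step 1 arrives here; step 5 is the returned Answer."""
        name = canonical(name)
        hit = self.cache.get(name)
        if hit is not None and hit[1] > self.clock():
            return Answer(hit[0], int(hit[1] - self.clock()), ["cache"])
        if self.forwarder is not None:
            # Forwarding: the upstream server does the whole chain on our behalf.
            upstream = self.forwarder.resolve(name)
            answer = Answer(upstream.address, upstream.ttl, ["forwarder"] + upstream.path)
        else:
            answer = self._iterate(name)
        if answer.address is not None:
            self.cache[name] = (answer.address, self.clock() + answer.ttl)
        return answer

    def _iterate(self, name: str) -> Answer:
        """Follow referrals from the root down until a server answers or gives up."""
        path, server = [], "root-server"
        while True:
            path.append(server)
            record = authoritative_answer(server, name)
            if record is None:
                return Answer(None, 0, path)
            rtype, data, ttl = record
            if rtype == "A":
                return Answer(data, ttl, path)
            server = data                       # NS referral: ask the next server down
```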

How a Client Resolves a Name


When all the previously outlined name resolution
methods are considered, a client has several
options to locate a computer, service, or network
node. There can be lots of choices, depending on
how the various resolution methods are
configured. This section describes a default
resolution process from start to finish. This
provides an overview of how the pieces fit
together in a modern corporate networked
environment.
How the Host Name Resolution Process Works

When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver
cache and DNS to try to resolve the host name. The hosts file is loaded into the DNS resolver cache. If
NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving
host names.
Windows resolves host names by:

1. Checking whether the host name is the same as the local host name.

2. Searching the DNS resolver cache. The DNS resolver cache is a local cache that contains any DNS
   addresses that were recently requested.

3. Sending a DNS request to its configured DNS servers; the server attempts to resolve the request,
   either on its own or by forwarding it to other DNS servers.

4. Using the LLMNR resolution method to resolve the host name in the local subnet using IPv6, if it is
   enabled.

5. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.

6. Contacting the host's configured WINS servers.

7. Broadcasting as many as three NetBIOS Name Query Request messages on the directly attached
   subnet.

8. Searching the LMHosts file.

Note: You can control the precise order used to resolve names. For example, if you disable
NetBIOS over TCP/IP, the NetBIOS name resolution methods are not tried. Or, you can change
the NetBIOS node type. This causes a change in the order in which the NetBIOS name resolution
methods are tried.
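
The NetBIOS resolution order given earlier and the host-name order just listed, as one added Python model
that is not course material: the order is derived from the client's settings (LLMNR on or off, NetBIOS over
TCP/IP on or off, node type), each source is consulted in turn over constructed data, and the hosts file is
preloaded into the resolver cache as described above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed files in the %SystemRoot%\System32\Drivers\Etc format shown above.
HOSTS_FILE = """\
# constructed sample hosts file
172.16.0.10    lon-dc1.adatum.com
"""
LMHOSTS_FILE = "172.16.0.40    legacysrv\n"

# How the NetBIOS node type orders the two network-based NetBIOS methods.
NETBT_ORDER = {"b": ["broadcast"], "p": ["wins"],
               "m": ["broadcast", "wins"], "h": ["wins", "broadcast"]}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts/LMHosts lines: an address followed by one or more names."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # '#' starts a comment
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


@dataclass
class ClientConfig:
    """Client settings and the (constructed) answers each source would give."""
    local_hostname: str = "lon-cl1"
    local_address: str = "172.16.0.50"
    dns_suffix: str = "adatum.com"                # appended to single-label names for DNS
    hosts_file: str = HOSTS_FILE
    dns_server: Dict[str, str] = field(default_factory=dict)       # FQDN -> IPv4
    llmnr_enabled: bool = True
    llmnr_peers: Dict[str, str] = field(default_factory=dict)      # short name -> IPv6
    netbt_enabled: bool = True
    node_type: str = "h"                          # b, p, m or h; h is the Windows default
    wins_server: Dict[str, str] = field(default_factory=dict)      # NetBIOS name -> IPv4
    broadcast_peers: Dict[str, str] = field(default_factory=dict)  # NetBIOS name -> IPv4
    lmhosts_file: str = LMHOSTS_FILE


def resolution_order(cfg: ClientConfig) -> List[str]:
    """The eight-step order from the text, trimmed and reordered by the settings."""
    steps = ["local_hostname", "dns_cache", "dns_server"]
    if cfg.llmnr_enabled:
        steps.append("llmnr")
    if cfg.netbt_enabled:                         # steps 5 to 8 only run with NetBT on
        steps += ["netbios_cache", *NETBT_ORDER[cfg.node_type], "lmhosts"]
    return steps


def to_netbios(name: str) -> str:
    """Step 5: the first label, upper-cased and cut to 15 characters."""
    return name.split(".")[0].upper()[:15]


def resolve(cfg: ClientConfig, name: str,
            dns_cache: Optional[Dict[str, str]] = None,
            netbios_cache: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], str]:
    """Try each step in order; return (address, step that answered).

    Pass the same cache dicts to repeated calls to see cache hits. The hosts
    file is loaded into the DNS resolver cache first, as the text describes.
    """
    dns_cache = {} if dns_cache is None else dns_cache
    netbios_cache = {} if netbios_cache is None else netbios_cache
    dns_cache.update(parse_hosts(cfg.hosts_file))
    lmhosts = parse_hosts(cfg.lmhosts_file)
    lower = name.strip().rstrip(".").lower()
    fqdn = lower if "." in lower else f"{lower}.{cfg.dns_suffix}"
    nb = to_netbios(lower)
    sources: Dict[str, Callable[[], Optional[str]]] = {
        "local_hostname": lambda: cfg.local_address if lower == cfg.local_hostname.lower() else None,
        "dns_cache": lambda: dns_cache.get(lower) or dns_cache.get(fqdn),
        "dns_server": lambda: cfg.dns_server.get(fqdn),
        "llmnr": lambda: cfg.llmnr_peers.get(lower),        # link-local, IPv6 answers
        "netbios_cache": lambda: netbios_cache.get(nb),
        "wins": lambda: cfg.wins_server.get(nb),
        "broadcast": lambda: cfg.broadcast_peers.get(nb),
        "lmhosts": lambda: lmhosts.get(nb.lower()),
    }
    for step in resolution_order(cfg):
        address = sources[step]()
        if address is not None:
            if step == "dns_server":
                dns_cache[fqdn] = address         # the resolver cache keeps the answer
            elif step in ("wins", "broadcast"):
                netbios_cache[nb] = address       # NetBIOS cache; the 10-minute lifetime is not modelled
            return address, step
    return None, "unresolved"
```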

The GlobalNames Zone


The GlobalNames zone (GNZ) is a DNS name resolution method that was introduced in Windows Server
2008 and is available in all Windows Server releases since then, including Windows Server 2012. It is a
DNS zone named GlobalNames and is not a new or special zone type. It is Active Directory-integrated, and
enables single-label names, such as Fileserver01, to be resolved to IP addresses in large enterprise
networks. The GNZ was introduced so that companies with multiple DNS zones can resolve short names.

You can set the replication scope on the GlobalNames zone to replicate to all DNS servers in the forest
and this then ensures that the zone can provide single label names that are unique in the forest. You can
also do this across an organization that has multiple forests if a particular record type is used, such as
service (SRV) records.

It is designed specifically for static names, and therefore, in a corporate environment for centrally
managed servers (such as web or file servers) that are assigned static IP addresses. It is not for use with IP
addresses that are dynamically registered or for use as part of a peer-to-peer name resolution process.
Instead of using the GNZ, you could choose to configure DNS and WINS integration. You do this by
configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service,
DNS, and still be able to resolve NetBIOS-compliant names.

Note: A short name does not mean NetBIOS. Although a short name can be a compliant
NetBIOS name, the use of short names or non-FQDN does not mean the network requires
NetBIOS for them to function on a network. It can be common for the use of short names and
NetBIOS to be misunderstood.

GNZ is intended to help in the migration from WINS. Companies that want to eliminate WINS should
consider the following approach:

1. Enable WINS integration in DNS.

2. Remove the client WINS configuration.

3. Configure any company applications to use FQDNs and DNS.

4. Names that still have to be available should be created as global names, via short names, in a GNZ.

5. Remove WINS if possible. If there are certain records that still have to be resolved as short names
   across DNS zones/domains, enter them in a GNZ.

6. Determine how to configure applications correctly to remove unnecessary records from the GNZ.

Demonstration: How to Troubleshoot Name Resolution


There are several options available when you have to troubleshoot name resolution in the network
environment.

First, there are the existing command-line tools such as ipconfig.exe, nslookup.exe, and nbtstat.exe, all
outlined earlier in the module. These are present on older Windows operating systems up to and including
Windows Server 2012 and Windows 8.
Second, in Windows Server 2012 and Windows 8, with the improvements made to Windows PowerShell,
the Windows PowerShell cmdlets are also an option to both troubleshoot and configure addressing and
name resolution. This section provides examples of both.

When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. Make sure that you clear the DNS resolver
cache between resolution attempts. If you cannot connect to a remote host and suspect a name
resolution problem, try the following steps:

1. Open an elevated Command Prompt, and then clear the DNS resolver cache by typing the following
   command.

   ipconfig /flushdns

   Alternatively, in a Windows PowerShell console running as Administrator, type the following:

   Clear-DNSClientCache

2. Try to ping the remote host by its IP address, or use the Test-Connection Windows PowerShell
   cmdlet. This helps identify whether the issue is related to name resolution. If the ping succeeds with
   the IP address but fails by its host name, then the problem is related to name resolution.

3. Try to ping the remote host by its host name. For accuracy, use the FQDN with a trailing period. For
   example, at the Command Prompt type the following:

   ping lon-dc1.adatum.com.

   Alternatively, in a Windows PowerShell console, type the following:

   Test-Connection LON-DC1.Adatum.com

4. If the ping is successful, then the problem is probably not related to name resolution. If the ping is
   unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the appropriate entry
   to the end of the file. For example, add the following line and save the file.

   172.16.0.10    lon-dc1.adatum.com

   Or, you could also use the Test-Connection Windows PowerShell command.

5. Now perform the ping or Test-Connection by host name test again. Name resolution should now be
   successful. Verify that the name resolved correctly by examining the DNS resolver cache. For example,
   at the Command Prompt type the following:

   ipconfig /displaydns

   Alternatively, in a Windows PowerShell console, type the following:

   Get-DNSClientCache

6. Remove the entry that you added to the hosts file, and then clear the resolver cache again.

7. At the Command Prompt, type the following command, and then examine the contents of the
   filename.txt file to identify the failed stage in name resolution.

   nslookup.exe -d2 lon-dc1.adatum.com > C:\filename.txt

   Alternatively, in a Windows PowerShell console, type the following:

   Resolve-DnsName -Name LON-DC1.Adatum.com -Verbose

The output from the two commands is very different, but both give you options for troubleshooting
your particular problem. For example, if you examine the Help for Resolve-DnsName, you will find that
you can specify the particular name resolution methods that you want to try (LLMNR, NetBIOS, DNS) and
specific record types such as A or AAAA. This gives you a more targeted approach in your
troubleshooting, whereas the nslookup command performs a series of queries that you then interpret
yourself.

You should understand how to interpret the output from both so that you can identify whether the name
resolution problem is with the client computer's configuration, the name server, or the configuration of
records within the name server zone database.

Demonstration Steps

1. Stop the DNS service.

2. Test name resolution with ping.exe.

3. Restart the DNS service.

4. Test name resolution again.

5. Use Nslookup.exe to test DNS resolution.

Lab: Implementing TCP/IP


Scenario

The A. Datum Corporation has created a new Research and Development team. As a result, computers are
being deployed to new R & D offices.
You are tasked with assigning several client computers appropriate IP configurations, but first you must
choose a suitable IP addressing scheme for the new branches.

Objectives
After completing this lab, you will be able to:

Determine an appropriate IPv4 addressing scheme.

Configure IPv4.

Verify the IPv4 configuration.

Configure and test name resolution.

View the IPv6 configuration.

Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1, 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   User name: Administrator
   Password: Pa$$w0rd
   Domain: ADATUM

5. Repeat steps 2 through 4 for 10967A-LON-SVR1 and 10967A-LON-CL1.

Exercise 1: Determining an Appropriate IPv4 Addressing Scheme


Scenario

You are responsible for planning the installation of new network components for these new branch
offices. Ed Meadows, your boss in Information Technology (IT), has visited some of the branch offices and
has drawn up a network plan. In addition, you have the Branch Office IP Addressing Scheme document to
help you determine an appropriate IP addressing scheme for the branches.
Supporting Documentation
Email thread of correspondence with Ed Meadows

Email thread of correspondence with Ed Meadows


From: Ed Meadows [Ed@adatum.com]
Sent: 28 Jun 2013 08:14
To: Charlotte@adatum.com
Subject: New branch offices IP addressing scheme
Attached: A. Datum Branch IP Addressing.vsd

Charlotte,
I have attached the network diagram for the first three branches. There are around 100 hosts at each
branch, all of which require an IPv4 address. Don't forget those wide area network links; we'll need a
network address for each of them, too.
We'll be putting a DHCP server at each branch to allocate IP addresses to the local hosts, so each
computer must be configured to obtain an IP address dynamically.
Regards,
Ed

A. Datum Branch IP Addressing

Branch Office IP Addressing Scheme

Document Reference Number: CW100310/1
Document Author: Charlotte Weiss
Date: June 28

Requirements Overview
To design an IPv4 addressing scheme for the A. Datum Corporation R & D branch offices.
Additional Information
One router connects the three branches back to the head office.
There are three wide area network (WAN) links.
There are three branches, each of which can be configured as a single subnet.
The network address 172.16.0.0/16 is allocated to the branch offices, whereas the head
office uses 10.10.0.0/16.

Proposal
1. How many network addresses do you need to support these requirements?
2. What class address is 172.16.0.0/16?
3. Is this a private or public address?
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is
   the next logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
6. What would the subnet mask be for hosts in this subnet?
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network
   addresses you will implement in the branches; do not worry about the WAN links.

The main tasks for this exercise are as follows:
1. Read the supporting documentation
2. Update the proposal document with your planned steps

Task 1: Read the supporting documentation
1. Review the supporting email documentation.
2. Review the A. Datum Branch IP Addressing diagram.

Task 2: Update the proposal document with your planned steps
Review the Branch Office IP Addressing Scheme, and update the proposal by answering these
questions.
1. How many network addresses do you need to support these requirements?
2. What class address is 172.16.0.0/16?
3. Is this a private or public address?
4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next
   logical subnet using this initial subnet?
5. What is the first and last host in this subnet?
6. What would the subnet mask be for hosts in this subnet?
7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will
   implement in the branches; do not worry about the WAN links.

Results: After this exercise, you should have completed both the A. Datum Branch IP Addressing.vsd
diagram and the Branch Office IP Addressing Scheme document.


Exercise 2: Configuring IPv4 with Windows Server 2012


Scenario
While your addressing scheme for the branches is being considered, Ed has asked you to configure a new
DHCP server for the head office.
The main tasks for this exercise are as follows:
1. Configure a Dynamic Host Configuration Protocol scope
2. Configure the client computer to obtain an IP address dynamically
3. Verify that the client computer obtained an address
4. Determine the IP address on the client computer

Task 1: Configure a Dynamic Host Configuration Protocol scope
1. Ensure you are logged on to 10967A-LON-SVR1 as ADATUM\Administrator and password
   Pa$$w0rd.
2. Open DHCP from Server Manager.
3. Use the New Scope Wizard to create a new IPv4 address scope with the following parameters. Use the
   default settings for all the other values.
   Scope name: Head Office 1
   Scope description: Client computer addresses
   Start IP address: 172.16.0.20
   End IP address: 172.16.0.30
   Length: 16
   Subnet mask: 255.255.0.0
   Router address: 172.16.0.1
4. Activate the new scope.
5. Complete the New Scope Wizard.
6. Expand the Scope [172.16.0.0] Head Office 1.
7. How many Address Leases have been used?

Task 2: Configure the client computer to obtain an IP address dynamically
1. Switch to the 10967A-LON-CL1 virtual machine and ensure you are logged on as
   ADATUM\Administrator and password Pa$$w0rd.
2. Open the Local Area Connection Properties dialog box.
3. Change the Internet Protocol Version 4 (TCP/IPv4) properties:
   Obtain an IP address automatically.
   Obtain DNS server address automatically.

Task 3: Verify that the client computer obtained an address
1. Switch back to the 10967A-LON-SVR1 virtual machine.
2. Refresh the DHCP settings.
3. Verify that there is a new lease for LON-CL1.
4. What is the IP address for LON-CL1?

Task 4: Determine the IP address on the client computer
1. Switch back to 10967A-LON-CL1.
2. Open a Command Prompt.
3. At the Command Prompt, type the following command, and then press Enter.
   ipconfig /all
4. What is the current IPv4 address?
5. Is DHCP enabled?
6. What is the IP address of the DHCP server?
7. When does the DHCP Lease expire?

Results: After this exercise, you should have created a DHCP scope and allocated a client address.
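The scope that Task 1 builds in the New Scope Wizard can also be created and inspected from Windows PowerShell. The following script is an added example, not part of the course's lab steps; it uses the DhcpServer module cmdlets that install with the DHCP Server role on Windows Server 2012 and the scope values from Task 1. The $DhcpServer variable is an assumption for this example (the cmdlets default to the local computer when it is omitted).

```powershell
# Added example (not part of the course lab steps): create and inspect the
# "Head Office 1" scope from Exercise 2 with the DhcpServer module cmdlets.
# Run on LON-SVR1 as ADATUM\Administrator.
# $DhcpServer is an assumption for this example; the cmdlets default to the local computer.

$DhcpServer = 'LON-SVR1'

# Scope parameters exactly as given in Task 1 of Exercise 2.
$scope = @{
    ComputerName = $DhcpServer
    Name         = 'Head Office 1'
    Description  = 'Client computer addresses'
    StartRange   = '172.16.0.20'
    EndRange     = '172.16.0.30'
    SubnetMask   = '255.255.0.0'
    State        = 'Active'          # same effect as "Activate the new scope"
}
Add-DhcpServerv4Scope @scope

# The scope ID is the network address of the range: 172.16.0.0 for a /16.
$scopeId = '172.16.0.0'

# The router (DHCP option 3) is a scope option, not a property of the scope itself.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scopeId -Router '172.16.0.1'

# Answers "How many Address Leases have been used?" without opening the console.
Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer -ScopeId $scopeId |
    Select-Object ScopeId, InUse, Free, PercentageInUse

# After LON-CL1 is set to obtain an address automatically (Task 2), the lease
# table is the record of which host holds which address. Listing the client
# identifier (MAC) next to each lease makes an unexpected host holding one of
# the eleven addresses in this scope easy to spot.
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scopeId |
    Select-Object IPAddress, HostName, ClientId, AddressState, LeaseExpiryTime |
    Format-Table -AutoSize
```

The eleven-address range (172.16.0.20 to 172.16.0.30) is deliberately small for the lab; the same statistics call shows when a production scope approaches exhaustion, which is also what a rogue client flooding lease requests looks like from the server side.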

Exercise 3: Verifying the IPv4 Configuration


Scenario
Ed has asked you to verify the functionality of the DHCP server.
The main tasks for this exercise are as follows:
1. Stop the DHCP server
2. Try to renew the IPv4 address on the client computer
3. Start the DHCP server
4. Renew the client address and verify IPv4

Task 1: Stop the DHCP server
1. Switch to the LON-SVR1 computer.
2. Stop the DHCP service.
3. Verify that there is now an error shown in the DHCP Management console, stating Cannot find the
   DHCP Server.

Task 2: Try to renew the IPv4 address on the client computer
1. Switch to the 10967A-LON-CL1 computer and switch to the Command Prompt.
2. Release the IP address using ipconfig.
3. Renew the IP address using ipconfig.
4. This might take several minutes while the client computer tries to contact a DHCP server.
5. Notice the time-out error.
6. Use IPConfig to answer the following questions.
7. What IPv4 address was assigned?
8. What does the IP address signify?
9. Use ping to verify a connection to LON-SVR1.
10. You are not successful.

Task 3: Start the DHCP server
1. Switch back to 10967A-LON-SVR1.
2. Start the DHCP service.

Task 4: Renew the client address and verify IPv4
1. Switch back to 10967A-LON-CL1.
2. Renew the IP address using IPConfig.
3. Answer the following questions.
4. What IPv4 address was assigned?
5. What does the IP address signify?
6. Use ping to verify a connection to LON-SVR1.
7. You are successful.


Results: After this exercise, you should have successfully verified the functionality of the DHCP server in
the head office.
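Exercise 3 shows what a client does when no DHCP server answers. As an added example (not part of the course), the following script performs the same checks from Windows PowerShell: one function runs on LON-SVR1 to stop or start the service, and two functions run on LON-CL1 to renew the lease and report what kind of address the client ended up with. The function names are this example's own, and the sample addresses passed at the end are constructed so the classifier can be exercised without a lab VM.

```powershell
# Added example (not part of the course lab): the checks behind Exercise 3, scripted.
# Set-LabDhcpService runs on LON-SVR1; the other two functions run on LON-CL1.
# All three function names are this example's own, not built-in cmdlets.

# --- On LON-SVR1: stop or start the DHCP Server service (Tasks 1 and 3) ---
# The Windows service name is DHCPServer; "DHCP Server" is only its display name.
function Set-LabDhcpService {
    param([Parameter(Mandatory)][ValidateSet('Stopped', 'Running')][string]$State)
    if ($State -eq 'Stopped') { Stop-Service -Name DHCPServer } else { Start-Service -Name DHCPServer }
    (Get-Service -Name DHCPServer).Status
}

# --- On LON-CL1: say what kind of IPv4 address the client holds (Tasks 2 and 4) ---
function Get-Ipv4AddressKind {
    param([Parameter(Mandatory)][string]$IPAddress, [string]$PrefixOrigin = 'Manual')
    # 169.254.0.0/16 is APIPA: the client waited for a DHCP server, got no answer,
    # and picked a link-local address itself. Such a client can reach nothing
    # outside its own segment and no host that has a real 172.16.x.x address,
    # which is why the ping to LON-SVR1 in Task 2 fails.
    if ($IPAddress -like '169.254.*')  { return 'APIPA (no DHCP server answered)' }
    if ($PrefixOrigin -eq 'Dhcp')      { return 'DHCP-assigned' }
    if ($PrefixOrigin -eq 'WellKnown') { return 'Well-known (loopback)' }
    return 'Static'
}

# Release and renew the lease, then report the outcome and whether the server is reachable.
function Test-LabDhcpClient {
    param([string]$ServerToPing = 'LON-SVR1')
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null     # times out after several minutes if no server answers
    $addr = Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
            Select-Object -First 1
    [PSCustomObject]@{
        IPAddress       = $addr.IPAddress
        Kind            = Get-Ipv4AddressKind -IPAddress $addr.IPAddress -PrefixOrigin $addr.PrefixOrigin
        ServerReachable = Test-Connection -ComputerName $ServerToPing -Count 2 -Quiet
    }
}

# Constructed sample values showing the two outcomes the exercise produces:
Get-Ipv4AddressKind -IPAddress '169.254.12.34' -PrefixOrigin 'WellKnown'   # Task 2 outcome
Get-Ipv4AddressKind -IPAddress '172.16.0.20'   -PrefixOrigin 'Dhcp'        # Task 4 outcome
```

PrefixOrigin on a Get-NetIPAddress object is how Windows itself records where an address came from (Manual, WellKnown, Dhcp or RouterAdvertisement), so the function does not have to guess from the address alone; the 169.254 test is kept as a first check because an APIPA address is reported with a WellKnown origin.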

Exercise 4: Configuring and Testing Name Resolution


Scenario
You have also been asked by your manager to verify that DNS is configured correctly and is functioning as
expected, and to create a canonical name (CNAME) record for the World Wide Web service on the domain,
because different services, such as FTP and WWW, are expected to run off the domain name.
The main tasks for this exercise are as follows:
1. View the current DNS records
2. Force a dynamic update
3. Add a new DNS record
4. Verify a record

Task 1: View the current DNS records
1. Switch to 10967A-LON-DC1 and ensure you are signed in as ADATUM\Administrator with
   password Pa$$w0rd.
2. Open DNS Manager from Server Manager.
3. What is the current IP address of the LON-CL1 Host (A) record in the Adatum.com forward lookup
   zone?

Task 2: Force a dynamic update
1. Switch to LON-CL1.
2. Change the Internet Protocol Version 4 (TCP/IPv4) properties:
   IP address: 172.16.0.16
   Subnet mask: 255.255.0.0
   Default gateway: 172.16.0.1
   Preferred DNS server: 172.16.0.10
3. Switch to LON-DC1.
4. Refresh the DNS Manager display.
5. What is the current IP address listed against the LON-CL1 Host (A) record?

Task 3: Add a new DNS record
1. On the 10967A-LON-CL1 virtual machine, open a Command Prompt.
2. Find a switch to use with the IPConfig command-line tool to display DNS information.
3. What records are listed?
4. Switch to 10967A-LON-SVR1 and find a Windows PowerShell cmdlet to display DNS information.
5. Use the Windows PowerShell cmdlet Test-Connection to test the connection to www.adatum.com.
6. Switch to the 10967A-LON-CL1 virtual machine.
7. Use ping to connect to www.adatum.com.
8. Again you are not successful.
9. Switch to 10967A-LON-DC1.
10. In DNS Manager, create a new record:
    Type: New Alias (CNAME)
    Alias name (uses parent domain if left blank): www
    FQDN for target host: lon-dc1.adatum.com

Task 4: Verify a record
1. Switch to 10967A-LON-CL1.
2. Use ping to connect to www.adatum.com.
   Note: Depending on your client cache, you may or may not be successful at this point. If you are
   not successful, continue with the next step, Step 3. If you are successful, you can skip ahead to Step 7.
3. You are not successful.
4. Use IPConfig to flush the DNS cache (flushdns).
5. Use ping to connect to www.adatum.com.
6. You are successful.
7. Use IPConfig to display the DNS cache (displaydns).
8. What record is returned for www.adatum.com?
9. Switch to 10967A-LON-SVR1.
10. Identify a Windows PowerShell cmdlet that will clear the DNS cache and use that cmdlet to clear the
    client DNS cache.
11. Use the Test-Connection cmdlet to verify the connection to www.adatum.com.
12. Run Get-DNSClientCache to verify the www.adatum.com record type.

Results: After this exercise, you should have successfully verified DNS is functioning correctly and also
added a new DNS CNAME record type for www.Adatum.com
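The steps in Exercise 4 can be scripted with the DnsServer and DnsClient module cmdlets. The following is an added example, not part of the course text; it uses the zone, alias and target host named in Task 3, and the $DnsSrv variable and the Test-LabCname function are this example's own assumptions. The comments mark where each command must run.

```powershell
# Added example (not part of the course lab): the name-resolution checks of Exercise 4
# as a script. Lines marked LON-DC1 run on the domain controller; the rest run on LON-CL1.
# $DnsSrv is an assumption for this example (the DnsServer cmdlets default to the local computer).

$Zone   = 'adatum.com'
$Alias  = 'www'
$Target = 'lon-dc1.adatum.com'
$DnsSrv = 'LON-DC1'

# LON-DC1, Task 1 step 3: what address does the LON-CL1 Host (A) record hold right now?
Get-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Zone -Name 'LON-CL1' -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }, Timestamp

# LON-CL1, Task 2: after changing the static address, force the dynamic update
# now instead of waiting for the next registration refresh.
Register-DnsClient

# LON-DC1, Task 3 step 10: the CNAME that maps www.adatum.com to the web host.
Add-DnsServerResourceRecordCName -ComputerName $DnsSrv -ZoneName $Zone -Name $Alias -HostNameAlias $Target

# LON-CL1, Task 4. A lookup that failed before the record existed is negatively
# cached, so the first ping can still fail; flushing the cache is what step 4 does.
function Test-LabCname {
    param([string]$Fqdn = "$Alias.$Zone", [string]$ExpectedTarget = $Target)
    Clear-DnsClientCache                                   # the cmdlet form of ipconfig /flushdns
    $answer = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction SilentlyContinue
    $cname  = $answer | Where-Object Type -eq 'CNAME' | Select-Object -First 1
    [PSCustomObject]@{
        Name        = $Fqdn
        CnameTarget = $cname.NameHost
        # An alias that resolves to a host other than the one it was created for
        # is the first sign of a changed or poisoned record; compare, do not assume.
        TargetOk    = ($cname.NameHost -eq $ExpectedTarget)
        Reachable   = Test-Connection -ComputerName $Fqdn -Count 2 -Quiet
    }
}
Test-LabCname

# Task 4 step 12: the record type now held in the client cache.
Get-DnsClientCache -Entry "$Alias.$Zone"
```

Resolve-DnsName asks the configured DNS server directly and returns each record with its type, so the CNAME target can be checked against the value that was configured rather than against whatever the cache happened to hold when the test started.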

Exercise 5: Viewing the IPv6 Configuration


Scenario
A. Datum is currently not planning to implement IPv6, but Ed wants to know what the current IPv6
addresses are. You will use IPConfig to determine what IPv6 addresses are being used.
The main tasks for this exercise are as follows:
1. Determine the current IPv6 address
2. Revert the lab machines.

Task 1: Determine the current IPv6 address
1. On 10967A-LON-CL1, use IPConfig to view all the IP configuration information.
2. Is there an IPv6 address listed?
3. What kind of IPv6 address is it?
4. Switch to 10967A-LON-SVR1.
5. Find a Windows PowerShell cmdlet that you can use to identify the IPv6 address and determine the
   IPv6 Address.
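As an added example (not part of the course), the following Windows PowerShell script answers the questions in Task 1 for every IPv6 address on the host and classifies each one by its prefix. Get-IPv6AddressKind and Get-LabIPv6Report are helpers written for this example, not built-in cmdlets; the addresses passed to the first function at the end are constructed.

```powershell
# Added example (not part of the course lab): classify the IPv6 addresses that
# "ipconfig /all" lists, using the NetTCPIP cmdlet Task 1 asks you to find.
# Get-IPv6AddressKind and Get-LabIPv6Report are this example's own helpers.

function Get-IPv6AddressKind {
    param([Parameter(Mandatory)][string]$IPAddress)
    # Strip a zone index such as %12 before parsing; it names the interface, not the address.
    $ip = [System.Net.IPAddress]::Parse(($IPAddress -split '%')[0])
    if ($ip.AddressFamily -ne 'InterNetworkV6') { return 'Not IPv6' }
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { return 'Loopback (::1)' }
    if ($ip.IsIPv6LinkLocal) { return 'Link-local (fe80::/10): valid only on this segment, never routed' }
    if ($ip.IsIPv6Multicast) { return 'Multicast (ff00::/8)' }
    $firstByte = $ip.GetAddressBytes()[0]
    if (($firstByte -band 0xFE) -eq 0xFC) { return 'Unique local (fc00::/7): private, routable inside the site' }
    if (($firstByte -band 0xE0) -eq 0x20) { return 'Global unicast (2000::/3): routable on the Internet' }
    return 'Other'
}

# The live configuration, reduced to the columns the exercise asks about.
# PrefixOrigin is worth reading on a network where IPv6 is "not planned": a value
# of RouterAdvertisement means something on the segment is handing out prefixes,
# and hosts will use them whether or not anyone manages them.
function Get-LabIPv6Report {
    Get-NetIPAddress -AddressFamily IPv6 |
        Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin,
            @{ n = 'Kind'; e = { Get-IPv6AddressKind -IPAddress $_.IPAddress } }
}

# Constructed sample values so the classifier can be exercised without a lab VM:
Get-IPv6AddressKind -IPAddress 'fe80::1c2d:3e4f:5a6b:7c8d%12'   # what the lab expects to find
Get-IPv6AddressKind -IPAddress 'fd12:3456:789a::1'               # unique local
Get-IPv6AddressKind -IPAddress '::1'                             # loopback

Get-LabIPv6Report | Format-Table -AutoSize
```

The result the exercise expects is a single link-local address per interface, which Windows assigns itself without any router or DHCPv6 server; anything classified as unique local or global unicast on these VMs would point to IPv6 configuration arriving from somewhere that the lab did not set up.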

Task 2: Revert the lab machines.
When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1, and 10967A-LON-DC1.

Results: After this exercise, you should have determined that the local host has only a link-local IPv6
address.
Question: In the lab, you were tasked with providing an addressing scheme that would
accommodate 100 hosts per subnet. Ed provided the first subnet ID of 172.16.16.0/20. How
many hosts could be accommodated within this subnet?
Question: The subnet might grow. If you had to accommodate 100 addresses, what would
you recommend as the subnet mask?
Question: What would the first subnet address be?
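The Proposal questions in Exercise 1 and the lab questions above are all subnet arithmetic on the same block, 172.16.16.0/20. As an added example (not part of the course), the following Windows PowerShell functions perform that arithmetic for any IPv4 CIDR block and for any required host count; Get-SubnetInfo, Get-PrefixForHosts and ConvertTo-DottedQuad are helpers written for this example, not built-in cmdlets.

```powershell
# Added example (not part of the course): a subnet calculator for the Exercise 1
# proposal questions and the lab questions. All three functions are this example's own.

# 32-bit value back to dotted-quad text.
function ConvertTo-DottedQuad([int64]$Value) {
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                         (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-SubnetInfo {
    param([Parameter(Mandatory)][string]$Cidr)      # for example 172.16.16.0/20
    $ipText, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 30) { throw "Prefix /$prefix has no host range in the classic model" }

    # Dotted quad to a 32-bit number, kept in int64 so no bit is ever read as a sign bit.
    $o    = $ipText.Split('.') | ForEach-Object { [int64]$_ }
    $addr = ($o[0] -shl 24) -bor ($o[1] -shl 16) -bor ($o[2] -shl 8) -bor $o[3]

    $all  = [int64]4294967295                       # 0xFFFFFFFF as a positive number
    $mask = ($all -shl (32 - $prefix)) -band $all   # the top $prefix bits set
    $network   = $addr -band $mask
    $broadcast = $network -bor ($all -bxor $mask)

    # The classful range is decided by the first octet; RFC 1918 decides "private".
    $class = switch ($o[0]) {
        { $_ -lt 128 } { 'A'; break }
        { $_ -lt 192 } { 'B'; break }
        { $_ -lt 224 } { 'C'; break }
        { $_ -lt 240 } { 'D'; break }
        default        { 'E' }
    }
    $private = ($o[0] -eq 10) -or
               ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
               ($o[0] -eq 192 -and $o[1] -eq 168)

    [PSCustomObject]@{
        Network     = "$(ConvertTo-DottedQuad $network)/$prefix"
        SubnetMask  = ConvertTo-DottedQuad $mask
        FirstHost   = ConvertTo-DottedQuad ($network + 1)
        LastHost    = ConvertTo-DottedQuad ($broadcast - 1)
        Broadcast   = ConvertTo-DottedQuad $broadcast
        UsableHosts = [int64][math]::Pow(2, 32 - $prefix) - 2   # network and broadcast are reserved
        NextSubnet  = "$(ConvertTo-DottedQuad ($broadcast + 1))/$prefix"
        Class       = $class
        Private     = $private
    }
}

# Smallest prefix whose subnet holds at least $Hosts usable addresses.
# The +2 accounts for the network and broadcast addresses.
function Get-PrefixForHosts([int]$Hosts) {
    32 - [math]::Ceiling([math]::Log($Hosts + 2, 2))
}

Get-SubnetInfo -Cidr '172.16.16.0/20'   # Ed's first branch block
Get-PrefixForHosts -Hosts 100            # the per-branch host count from Ed's email
```

Working in a 64-bit integer avoids the sign problems that 32-bit arithmetic has with masks such as 255.255.240.0, and NextSubnet is simply the address after the broadcast address, which is how the "next logical subnet" question is answered for any prefix length, not only /20.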

Module Review and Takeaways


Review Questions
Question: NetBIOS operates at which layer of the OSI reference model?
Question: Which transport layer protocol provides for connectionless oriented delivery in IP-based networks?
Question: Your host computer was assigned the following IPv4 configuration: 10.10.16.1/20.
The default gateway is 10.10.8.1. You are experiencing communications problems. Why?
Question: You do not want to implement WINS in the network. However, you do have some
legacy applications that require Short name resolution. How could you manage short names
within your existing DNS infrastructure?
Question: You are troubleshooting DNS name resolution from a client computer. What must
you remember to do before each test?

Tools

Tool (Where to find it): Use
Ipconfig.exe (Command Prompt): Verifying and testing IP configuration.
Nslookup.exe (Command Prompt): Troubleshooting DNS.
Ping.exe (Command Prompt): Verifying basic IP functionality and that another computer is contactable.
Netsh.exe (Command Prompt): Configuring network settings, including IP settings, from the command line.
Test-Connection (Windows PowerShell): Functionality similar to ping. You can ping multiple computers
   concurrently by using Test-Connection.
Resolve DNS-Cache (Windows PowerShell): Type help *DNS* in the Windows PowerShell console to see a list of
   Windows PowerShell commands that might help when troubleshooting or configuring DNS.
Get-NetIPAddress (Windows PowerShell): Similar to a subset of the functionality in the older IPConfig command.
Get-NetIPConfiguration (Windows PowerShell): Similar to a subset of the functionality in the older IPConfig
   command. As described earlier, type help *NET* in the Windows PowerShell console to see a list of Windows
   PowerShell commands that might help when troubleshooting or configuring DNS.


Module 6
Windows Server Roles
Contents:
Module Overview                                    6-1
Lesson 1: Role-Based Deployment                    6-2
Lesson 2: Deploying Role-Specific Servers          6-11
Lesson 3: Considerations for Provisioning Roles    6-19
Lab: Implementing Server Roles                     6-23
Module Review and Takeaways                        6-28

Module Overview

Servers perform many functions. In the past, these functions were combined into a monolithic operating
system. Each server was loaded with all the necessary software to perform all server functions regardless of
the actual functions that it performed. Starting with Windows Server 2008, the operating system server
functions are separated into distinct server roles. By default, a server has no enabled roles. It is more
efficient to select which particular server roles that you want based on the functional requirements of the
server. You must understand the functional requirements of a server and select and deploy appropriate
server roles to support these functional requirements.

Objectives
After completing this module, you will be able to:

Describe role-based deployment.

Deploy role-specific servers.

Describe deployment options for server roles.

Lesson 1

Role-Based Deployment
This lesson will help you understand server roles and features so that you can install and support the
Windows Server components your organization needs.

Lesson Objectives
After completing this lesson, you will be able to:

Describe each server role.

Describe role services and server features.

Describe Server Manager and how it can be used.

What Is a Server Role?


Server roles in Windows Server 2012 describe a
server's primary function. For example, a server
role might be an Active Directory Domain
Services (AD DS) domain controller or a web
server. You can select to install one or many roles
on a Windows Server 2012 environment. You can
use the Add Roles And Features Wizard and
Remove Roles And Features Wizard from the
Manage menu in Server Manager for the
installation and removal of server roles in
Windows Server 2012.
Windows Server 2012 has nineteen roles. These
are listed in the following table.

Role: Function
Active Directory Certificate Services (AD CS): Allows you to deploy certification authorities and related
   role services.
Active Directory Domain Services (AD DS): A centralized store of information about network objects, such as
   user and computer accounts. Used for authentication and authorization.
Active Directory Federation Services (AD FS): Provides web single sign-on (SSO) and secured identity
   federation support.
Active Directory Lightweight Directory Services (AD LDS): Supports storage of application-specific data for
   directory-aware applications that do not require the full infrastructure of AD DS.
Active Directory Rights Management Services (AD RMS): Allows you to apply rights management policies to
   prevent unauthorized access to sensitive documents.
Application Server: Supports centralized management and hosting of high-performance distributed business
   applications, such as those built with Microsoft .NET Framework 4.5.
Dynamic Host Configuration Protocol (DHCP) Server: Provisions client computers on the network with an IP
   address.
Domain Name Service (DNS) Server: Provides name resolution for TCP/IP networks.
Fax Server: Supports sending and receiving of faxes. Also allows you to manage fax resources on the network.
File and Storage Services: Supports the management of shared folder storage, distributed file system (DFS),
   and network storage.
Hyper-V: Enables you to host virtual machines on computers that are running Windows Server 2012.
Network Policy and Access Services: Authorization infrastructure for remote connections. This includes
   Health Registration Authority (HRA) for Network Access Protection (NAP).
Print and Document Services: Supports centralized management of document tasks, including network
   scanners and networked printers.
Remote Access: Supports Seamless Connectivity, Always On, and Always Managed features based on the
   Windows 7 DirectAccess feature. Also supports remote access through virtual private network (VPN) and
   dial-up connections.
Remote Desktop Services (RDS): Supports access to virtual desktops, session-based desktops, and RemoteApp
   programs.
Volume Activation Services: Allows you to automate and simplify the management of volume license keys and
   volume key activation. Allows you to manage a Key Management Server (KMS) host or configure AD DS-based
   activation for computers that are members of the domain.
Web Server (IIS): The Windows Server 2012 web server component.
Windows Deployment Services: Allows you to deploy server operating systems to clients over the network.
Windows Server Update Services (WSUS): Provides a method of deploying updates for Microsoft products to
   network computers.

When you deploy a role, Windows Server 2012 automatically configures aspects of the server's
configuration, such as firewall settings, to support the role. Also, when you deploy a role, Windows Server
2012 automatically deploys role dependencies at the same time. For example, when you install the
Windows Server Update Services role, Windows Server 2012 installs the Web Server (IIS) role components
that are required to support the Web Server (IIS) role.
Many server roles also have role services. Role services are software programs that provide various
functionalities of a role. When you install a role, you can select which role services the role provides for
other users and computers in your enterprise. Some roles, such as Domain Name System (DNS) Server,
have only a single function, and have no role services. Other roles, such as Web Server (IIS), have several
role services, such as File Transfer Protocol (FTP), that can be installed.

Role services let you control which role functionality is installed and enabled. This is useful where you only
require a subset of the functionality of a given server role.
Windows PowerShell can also be used to add and remove roles. The following table lists some
commands that might be useful.
Windows PowerShell Commands: Description
Get-WindowsFeature | Where InstallState -eq Installed: Displays the installed roles.
Get-WindowsFeature | Where InstallState -eq Available: Displays the roles that are not installed but are
   available to install.
Get-WindowsFeature | Where InstallState -eq Removed: Displays the roles that are not available. For example,
   roles that cannot be installed on Server Core.
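The commands in the table above are the building blocks of a role audit. As an added example (not part of the course text), the following Windows PowerShell script lists the installed roles with the ServerManager module, compares them against a baseline of the roles a given server is supposed to run, and previews a role installation so that its dependencies are visible before anything changes. Get-InstalledRole, Compare-RoleBaseline and the $ApprovedRoles list are this example's own; the feature names passed to the cmdlets (UpdateServices, DHCP, DNS, AD-Domain-Services, Telnet-Client) are the names Get-WindowsFeature reports for those roles and features.

```powershell
# Added example (not part of the course text): a role audit built on the
# ServerManager module cmdlets. Get-InstalledRole, Compare-RoleBaseline and
# $ApprovedRoles are this example's own, not part of Windows Server.

Import-Module ServerManager

# Roles only. FeatureType distinguishes 'Role', 'Role Service' and 'Feature'.
function Get-InstalledRole {
    Get-WindowsFeature |
        Where-Object { $_.InstallState -eq 'Installed' -and $_.FeatureType -eq 'Role' }
}

# Compare what is installed with what this server is supposed to run.
# Every row with Approved = False is functionality, listening ports and patch
# surface the server does not need, which the role model lets you remove.
function Compare-RoleBaseline {
    param([Parameter(Mandatory)][string[]]$ApprovedRoles)
    foreach ($role in Get-InstalledRole) {
        [PSCustomObject]@{
            Name     = $role.Name
            Display  = $role.DisplayName
            Approved = ($ApprovedRoles -contains $role.Name)
        }
    }
}

# Preview a role installation. -WhatIf lists what Windows would add, including the
# dependencies described above (Web Server components for WSUS), without changing anything.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools -WhatIf

# A feature whose InstallState is Removed (Features on Demand) needs a source path;
# a mounted installation image works without Internet access. Shown commented out
# because the image path is an assumption for this example.
# Install-WindowsFeature -Name Telnet-Client -Source 'wim:D:\sources\install.wim:4'

# Baseline for a head-office infrastructure server such as LON-SVR1 in the lab.
$ApprovedRoles = 'DHCP', 'DNS', 'AD-Domain-Services'
Compare-RoleBaseline -ApprovedRoles $ApprovedRoles | Format-Table -AutoSize
```

Run against a fleet, the same comparison is what a "no unexpected roles" control looks like in practice: the names Get-WindowsFeature returns are stable across servers, so a baseline can be kept per server type and the output filtered to Approved = False.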

More information about Windows Server 2012 server roles and technologies can be found at
the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309111

What Are Features?


A feature typically does not describe the server's
primary function. Instead, it describes a server's
auxiliary or supporting function. An administrator
typically installs a feature not as the primary
function of the server, but to augment the
functionality of an installed role. For example,
failover clustering is a feature that administrators
can install to make a role like File and Storage
Services more redundant.
Specific Microsoft Windows features are required
for specific roles. For example, if you add the
Application Server role, the Add Roles and Features
Wizard asks for your confirmation to install the .NET Framework and the Windows Process Activation
Service because these features are required to support that role.
Windows Server 2012 features are independent components that frequently support role services or
support the server directly. For example, Windows Server Backup is a feature because it only provides
backup support for the local server. It is not a resource that other servers on the network can use.
Windows Server 2012 includes the features that are listed in the following table.

Feature: Description
.NET Framework 3.5 Features: Installs .NET Framework 3.5 technologies.
.NET Framework 4.5 Features: Installs .NET Framework 4.5 technologies. By default, this feature is installed.
Background Intelligent Transfer Service (BITS): Enables asynchronous transfer of files to make sure that other
   network applications are not adversely affected.
BitLocker Drive Encryption: Supports full-disk and full-volume encryption, and startup environment protection.
BitLocker network unlock: Provides a network-based key protector that can unlock locked BitLocker-protected
   domain-joined operating systems.
Windows BranchCache: Enables the server to function as either a hosted cache server or a BranchCache content
   server for BranchCache clients.
Client for NFS: Provides access to files that are stored on network file system (NFS) servers.
Data Center Bridging: Allows you to enforce bandwidth allocation on Converged Network Adapters.
Enhanced Storage: Provides support for additional functionality available in an Enhanced Storage Access
   (IEEE 1667 protocol) device, including data access restrictions.
Failover Clustering: A high availability feature that enables Windows Server 2012 to participate in failover
   clustering.
Group Policy Management: An administrative management tool for administering Group Policy across an
   enterprise.
Ink and Handwriting Services: Allows use of Ink Support and Handwriting Recognition.
Internet Printing Client: Supports use of Internet Printing Protocol.
IP Address Management (IPAM) Server: Centralized management of IP address and namespace infrastructure.
Internet SCSI (iSCSI) Target Storage Provider: Provides iSCSI target and disk management services to Windows
   Server 2012.
Internet Storage name Service (iSNS) Server service: Supports discovery services of iSCSI storage area
   networks (SANs).
Line Printer Remote (LPR) Port Monitor: Enables a computer to send print jobs to printers that are shared
   using the Line Printer Daemon (LPD) service.
Management Open Data Protocol (OData) IIS Extension: Allows you to expose Windows PowerShell cmdlets through
   an OData-based web service running on the Internet Information Services (IIS) platform.
Media Foundation: Supports media file infrastructure.
Message Queuing: Supports message delivery between applications.
Multipath I/O (MPIO): Supports multiple data paths to storage devices.
Network Load Balancing (NLB): Allows traffic to be distributed in a load-balanced manner across multiple
   servers that host the same stateless application.
Peer Name Resolution Protocol (PNRP): Name resolution protocol that allows applications to resolve names on
   the computer.
Quality Windows Audio Video Experience: Supports audio and video streaming applications on IP home networks.
Remote Access Server (RAS) Connection Manager Administration Kit: Allows you to create connection manager
   profiles that simplify remote access configuration deployment to client computers.
Remote Assistance: Allows remote support through invitations.
Remote Differential Compression (RDC): Transfers the differences between files over a network, minimizing
   bandwidth use.
Remote Server Administration Tools: Collection of consoles and tools for remotely managing roles and
   features on other servers.
Remote Procedure Call (RPC) over HTTP Proxy: Relays RPC traffic over Hypertext Transfer Protocol (HTTP) as
   an alternative to VPN connections.
Simple TCP/IP Services: Supports basic TCP/IP services, including Quote of the Day.
Simple Mail Transfer Protocol (SMTP) Server: Supports transfer of email messages.
Simple Network Management Protocol (SNMP) Service: Includes SNMP agents that are used with the network
   management services.
Subsystem for UNIX-based Applications: Supports Portable Operating System Interface for UNIX (POSIX)
   compliant UNIX-based applications.
Telnet Client: Allows outgoing connections to Telnet servers and other Transmission Control Protocol
   (TCP)-based services.
Telnet Server: Allows clients to connect to the server by using the Telnet protocol.
Trivial File Transfer Protocol (TFTP) Client: Allows you to access TFTP servers.
User Interfaces and Infrastructure: Contains the components that you must have to support the graphical
   interface installation option on Windows Server 2012. By default, on graphical installations, this
   feature is installed.
Windows Biometric Framework (WBF): Allows use of fingerprint devices for authentication.
Windows Feedback Forwarder: Supports sending of feedback to Microsoft when joining a Customer Experience
   Improvement Program (CEIP).
Windows Identity Foundation 3.5: Set of .NET Framework classes that support implementing claims-based
   identity on .NET Framework applications.
Windows Internal Database: Relational data store that can only be used by Windows roles and features such
   as WSUS.
Windows PowerShell: Task-based command-line shell and scripting language that is used to administer
   computers that are running Windows operating systems. By default, this feature is installed.
Windows PowerShell Web Access: Allows remote management of computers by running Windows PowerShell
   sessions in a web browser.
Windows Process Activation service (WAS): Allows applications hosting Windows Communication Foundation
   (WCF) services that do not use HTTP protocols to use features of IIS.
Windows Search service: Allows fast searches of files hosted on a server for clients compatible with the
   Windows Search service.
Windows Server Backup: Backup and recovery software for Windows Server 2012.
Windows Server Migration Tools: Collection of Windows PowerShell cmdlets that help in the migration of
   server roles, operating system settings, files, and shares from computers that are running earlier
   versions of Windows Server operating systems to Windows Server 2012.
Windows Standards-Based Storage Management: Set of application programming interfaces (APIs) that allow
   the discovery, management, and monitoring of storage devices that use standards such as Storage
   Management Initiative Specification (SMI-S).
Windows System Resource Manager (WSRM): Allows you to control the allocation of CPU and memory resources.
Windows TIFF IFilter: Supports Optical Character Recognition on Tagged Image File Format (TIFF)
   6.0-compliant files.
WinRM IIS Extension: Windows Remote Management for IIS.
Windows Internet Naming Service (WINS) Server: Supports name resolution for NetBIOS names.
Wireless local area network (LAN) Service: Allows the server to use a wireless network interface.
Windows on Windows (WOW) 64 Support: Supports running 32-bit applications on Server Core installations. By
   default, this feature is installed.
XPS Viewer: Supports the viewing and signing of documents in XPS formats.

Features on Demand

With Features on Demand, you can add and remove role and feature files, also known as feature payload,
from the Windows Server 2012 operating system to conserve space. You can install roles and features
where the feature payload is not present by using a remote source, such as a mounted image of the full
operating system. If an installation source is not present but an Internet connection is, source files will be
downloaded from Windows Update. The advantage of a Features on Demand installation is that it
requires less hard disk space than a traditional installation. The disadvantage is that if you want to add a
role or feature, you must have access to a mounted installation source. This is something that is not
necessary if you perform an installation of Windows Server 2012 with the graphical features enabled.

What Is Server Manager?


Server Manager is the main graphical tool that
you use to manage computers that are running
Windows Server 2012. You can use the Server
Manager console to manage both the local server
and remote servers. You can also manage servers
as groups. By managing servers as groups, you
can perform the same administrative tasks quickly
across multiple servers that either perform the
same role or are members of the same group.
You can use the Server Manager console to
perform the following tasks on both local servers
and remote servers:

Add and remove roles and features.

Manage and view server and server group status.

Perform various server configuration and management tasks.

Access local configuration settings such as networking, firewall, and remote management.

Access all the available management consoles through the Tools menu, such as DNS, DHCP, and
Services.

Server Manager has three main areas when it is first opened.

MCT USE ONLY. STUDENT USE PROHIBITED

6-8

Dashboard. This gives a quick view of what roles and features are installed locally and also high-level
overviews across other groups and servers. If there are any errors or potential problems, this is
signified by a red banner over the specific role.

Local server. This gives specific data for the local server. From within here you can access the
configuration consoles, by clicking the highlighted blue text links, for some of the main areas you
may need to configure for the local server such as Computer name, Windows Firewall, Local Area
Connection

All Servers. This is a default server group and contains all servers that are added to server Manager
to managethat is, added to the server pool.

When you create customized Server Groups, by clicking Manage and then clicking Create Server Group,
you can then manage a subset of servers as a logical unit based on whatever criteria is required, such as
Accounting, New York, or other criteria. After you create these, you then have the following areas:

Server Status. Allows you to view the status of servers, for example activation status, last updates,
manageability status (online or not), and IP address. You can also filter the view by adding filter
criteria. You can right-click a server and view a whole range of other management tasks, such as
starting specific management consoles for the server, launching Windows PowerShell, or shutting
down the server.

Events. You can view all event types in all logs for a specific server over a particular time period, or be
as fine-grained as required. You should be careful not to monitor too many events, because doing so can
generate a lot of data and as a result potentially affect server performance.

Services. You can start and stop or view the status of services.

Best Practice Analyzer (BPA). Allows you to determine whether roles on the network are
performing efficiently or whether there are problems. You can view the health of a specific role based
on criteria that you specify.

Performance. Allows you to configure Performance Alerts around CPU % Usage and Memory
availability and view as a graph over a period of up to seven days.

Roles and features. Allows you to view roles, role services, and features that are currently installed on
each server and install or remove roles, role services, or features for the whole group concurrently or
for individual servers.

After a role is installed on a local server, it is displayed in the navigation pane of Server Manager. From
this navigation pane you can manage specific roles.

You can manage Windows Server 2008 and Windows Server 2008 R2 servers with Server Manager on
Windows Server 2012, but .NET Framework 4 and Windows Management Framework BITS 4.0 must first be
installed on those servers.
Server Manager uses the Remote Management capability, which is enabled by default in Windows Server
2012. You might also need to enable it on other Windows Server versions, if it is not already enabled, when
you want to manage those versions through Server Manager.

Demonstration: How to Deploy Server Roles and Features


You can add or remove roles and features by using the following management tools.
Server Manager

The Server Manager console uses integrated wizards to step you through adding server roles. You can use
Server Manager to add several roles at the same time, even if they are unrelated. For example, a server
being provisioned for a branch office could have the DNS Server, DHCP Server, and Print Server roles
added at one time. The Server Manager Wizard performs all the necessary dependency checks and
conflict resolution so that the server is stable, reliable, and secure.
In this demonstration, you will see how to add roles and features to a server.

Demonstration Steps
1. Open Server Manager.
2. Access the Add Roles and Features Wizard.
3. Install the DHCP Server role and review the configuration settings in the wizard.
4. Export and view the configuration settings XML.

Lesson 2

Deploying Role-Specific Servers

In smaller organizations, server functions are frequently combined into a single server. In larger
organizations with many server computers, it is more common to dedicate a server to a specific subset of
server functions. This lesson will cover some common kinds of servers: file and print servers, domain
controllers, application servers, web servers, and remote access servers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe a file and print server.

Describe a domain controller.

Describe an application server.

Describe a web server.

Describe a remote access server.

What Are File and Print Servers?


Historically, the term file server was frequently
used as a generic term to describe any server.
Currently, the term is a file-storage device on a
LAN that can be accessed by network users. A file
server deploys the File and Storage Services role
and not only stores files but manages them. A file
server also maintains order as network users
request and change files, and it can define and
manage the storage around the files.
On a Windows Server file server, you must:

Provide sufficient storage for users' files.

Share the folders that contain users' files.

Configure security settings to ensure appropriate levels of access to users' files.

Provide a mechanism that is used to back up and restore shared files.

As discussed in Module 2, Fundamentals of a Windows Server Infrastructure, the storage used to host
users' files does not have to be locally attached to the file server. A range of technologies is
available, depending on your specific requirements and budget.
Deploying a File Server

To deploy a file server, install the File and Storage Services server role. This role includes the following role
services:

File and iSCSI Services. Provides technologies that help manage file servers and storage, reduce
space utilization, replicate and cache files to branch offices, move or fail over a file share to another
cluster node, and share files by using the NFS protocol.
   o File Server. Manages shared folders and enables users to access files on this server.
   o BranchCache for network files. Enables BranchCache computers to cache frequently
     downloaded files, and then provide those files to other computers in the branch office. This
     reduces network bandwidth usage and provides faster access to the files.
   o Data Deduplication. Saves disk space by storing a single copy of identical data on the volume.
   o Distributed File System (DFS) Namespaces and Replication. Enables you to group file shares
     that are located on different servers into one or more logically structured namespaces. Each
     namespace displays to users as a single file share with a series of subfolders. This service also
     replicates data between multiple servers over limited-bandwidth network connections and LAN
     connections.
   o File Server Resource Manager (FSRM). Helps you manage and understand the files and folders
     on a file server by scheduling file management tasks and storage reports, classifying files and
     folders, configuring folder quotas, and defining file screening policies.
   o File Server VSS Agent Service. Enables you to perform volume shadow copying of applications
     that store data on the file server.
   o iSCSI Target Server. Provides services and management tools for iSCSI targets.
   o iSCSI Target Storage Provider. Enables server applications that are connected to an iSCSI Target
     to create volume shadow copies and also allows for management of iSCSI virtual hard disks by
     older applications that use Virtual Disk Service (VDS).
   o Server for Network File System (NFS). Provides compatibility services for UNIX-based
     computers.

Storage Services. Provides storage management functionality that is always installed, including
storage pools and storage spaces.

As you can see from the previous list, a broad range of functionality is available under the File and
Storage Services role, with many different role services providing specific functions. Although you might
not need all these services for your particular scenario, it is wise to research what functionality is
available in case it can help identify and simplify your own particular requirements.

File services are frequently combined in organizations with print server services. The print server services
are available in the Print and Document Services role in Windows Server 2012. The Print and Document
Services role provides the following services and features:

Print Server. Used for managing multiple printers or printer servers and migrating to and from other
Windows print servers.

Distributed Scan Server. Provides a service that receives scanned documents from network scanners and
routes them to the correct destinations. Also contains a scan management snap-in.

Internet Printing. Creates a website where users can manage print jobs and enables users who have
an Internet Printing client installed to use a web browser to connect and print to shared printers.

LPD Service. Enables UNIX-based computers that use LPR to print to shared printers on the server.

The print server can share locally or network-attached printers. By using network-attached printers, you
can reduce the overall number of print devices in your organization because users do not each need a
printer.

In addition to installing the File and Storage Services and Print and Document Services roles through the
Add Roles and Features Wizard, you can also install them by using Windows PowerShell with the following
commands.
Install-WindowsFeature FileAndStorage-Services
Install-WindowsFeature Print-Services

You can verify the installation by using the following command and viewing the output.
Get-WindowsFeature

Note: If you're unsure what the feature name is in Windows PowerShell, you can use the
Get-WindowsFeature command and scroll through the output until you locate the role, role
service, or feature that you need.
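As an added example that is not part of the courseware, the following Windows PowerShell script filters the Get-WindowsFeature output rather than scrolling through it, installs the two roles named above only if they are missing, and verifies the result. The feature names are the ones the text gives; the filter pattern and the use of -IncludeManagementTools are assumptions for the example.

```powershell
# Added example (not from the courseware): locate, install, and verify the
# File and Storage Services and Print and Document Services roles.
# Requires the ServerManager module, present on Windows Server 2012 and later.
Import-Module ServerManager

# Instead of scrolling through Get-WindowsFeature output, filter it.
# DisplayName is what the Add Roles and Features Wizard shows; Name is the
# value that Install-WindowsFeature expects. The pattern is an assumption.
Get-WindowsFeature |
    Where-Object { $_.DisplayName -match 'File and Storage|Print' } |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Feature names as given in the text above.
$features = 'FileAndStorage-Services', 'Print-Services'

foreach ($feature in $features) {
    $state = Get-WindowsFeature -Name $feature
    if ($state.Installed) {
        Write-Output "$feature is already installed."
        continue
    }
    # -IncludeManagementTools also installs the matching management snap-ins.
    $result = Install-WindowsFeature -Name $feature -IncludeManagementTools
    Write-Output ("{0}: Success={1} RestartNeeded={2}" -f
        $feature, $result.Success, $result.RestartNeeded)
}

# Verify: every requested feature should now report InstallState 'Installed'.
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize
```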

What Is an Application Server?


An application server is a computer that hosts the
Application Server role. It provides for centralized
management and hosting of high-performance
distributed business applications such as
client/server or web-based network-aware
application software. Examples of such software
include Microsoft SQL Server, Exchange Server,
IIS, and Terminal Services.
Because an application server runs user
applications, it typically has more processor and
memory requirements than other kinds of servers.
You must consider the system requirements of
each application, including its architecture, when you configure the servers that will host them.
The following provides a description of kinds of application servers.

Client/server applications. Client/server applications are also known as traditional applications. Part
of the application runs on a client computer and part of the application runs on a server. Typically,
the client (front-end) application serves as an end-user interface for processing requests sent to and
receiving responses from the server (back-end). The bulk of data is stored on the server. In some
cases, the server part of the application is just a SQL Server database that all client computers
communicate with. In other cases, there is a middle tier with application logic that the client
computers communicate with and the middle tier communicates with a SQL Server database.

Web-based applications. A web-based application uses a web browser to provide the UI. The
application logic is then performed on a web server and data is stored in a SQL Server database.

Windows Server 2012 includes features to support the application server role, regardless of whether the
application to be hosted has a web-based or a client/server kind of architecture.
Deploying an Application Server

To deploy an application server, install the Application Server role. This role consists of five role services.
These are as follows:

Web Server (IIS) Support. Enables the application server to host internal or external websites and
web services that communicate over HTTP.

Microsoft Component Object Model (COM+) Network Access. Enables the server to host and
allow remote invocation of applications that are built with COM+ and Enterprise Services
components.

TCP Port Sharing. Facilitates the sharing of TCP ports across multiple processes that use Windows
Communication Foundation (WCF) for communications. This enables multiple applications to coexist
on the same server while remaining logically separate.

Windows Process Activation Service Support. Enables the server to start and stop applications
remotely and dynamically using protocols such as HTTP and TCP.

Distributed Transactions. Provides services that ensure reliable and complete transactions across
multiple databases that are hosted on multiple computers on the network.

Note: An application server differs from a web server because it hosts applications that run
natively on the server and the client, instead of preparing and providing content to a browser.

There are no Windows PowerShell cmdlets available for installing and configuring the Application Server
role.

More information about the Application Server role can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309112

What Is a Web Server?


A Microsoft web server hosts the Web Server (IIS)
role. A web server generally is a computer
attached to either the Internet or the corporate
intranet that serves static, dynamic, or streaming
content to client computers that request them
and that are equipped with a web browser.

Although the webpages you display and use daily are most frequently provided using Hypertext
Markup Language (HTML) with the HTTP and HTTPS protocols, web server usage is wide and
varied. Web servers can also handle other functions and protocols, such as FTP to accommodate file
transfers or SMTP to provide email functionality. The underlying functionality across all these is the
ability of the web server to receive requests and respond to them.
Types of Web Service Content
The following paragraphs describe the three kinds of web service content.

Static content. Static content is data that is the same for all users that view it. The data does not change
based on where the users connect from or which user is connected. This is the most common kind of data
on computer networks. Some examples of static content include the following:

Basic HTML webpages

Microsoft Word documents

Microsoft PowerPoint slides

Dynamic content. Dynamic content is data that can be different every time it is accessed by a user. This
content can change depending on variables such as which user is accessing the content or the user's
location. This kind of content is most frequently found in modern websites and web-based applications.
A common way to build dynamic content is by using Active Server Pages (ASP) and ASP.NET. These
methods use scripts in webpages that are processed by the server to generate the webpages that are
delivered to users. Examples of dynamic content include the following:

A webpage that displays a user's name when the user accesses the website.

A webpage that displays the IP address of a user accessing content.

A webpage that changes content depending on the demographics or location of the user.

Streaming content. Streaming content is data that is delivered to users at the speed required for
playback. This differs from non-streaming content that is delivered to users at the fastest possible speed
that the client, servers, and network can support. Streaming content could lead to increases in network
traffic and can cause network congestion. Windows Server and Windows Media Services provide support
for streaming content. Examples of streaming content can include online radio stations and online video
feeds.
Security

Although users frequently connect anonymously to a web server, users frequently require the web server
to verify its identity. This is typically achieved by using a digital certificate installed on the web server and
the use of the Secure Sockets Layer (SSL) protocol.
Although users who connect to an Internet-connected web server do not have to authenticate
themselves, users who connect to a corporate web server through an intranet connection or remotely
from home are frequently required to provide credentials to identify themselves.
Deploying a Web Server
To deploy a web server, install the Web Server (IIS) role. This role consists of the following four role
services and their sub components:

Web Server. Installing the Web Server role in Windows Server 2012 installs IIS 8.0. Provides support
for HTML websites with optional support for ASP.NET, ASP, and web server extensions. You can use
the web server to host an internal or external website or to provide an environment for developers to
create web-based applications.

FTP Server. Enables the transfer of files between a client and server by using the FTP protocol. Users
can establish an FTP connection and transfer files by using an FTP client or FTP-enabled web browser.

IIS Hostable Web Core. Enables you to write custom code that hosts core IIS functions within your
application.

Management Tools. Provides tools to manage your IIS 6.0 or IIS 7.0 deployments, which are earlier
versions than the IIS 8.0 that ships with Windows Server 2012. You can use the IIS UI, command-line tools,
and scripts to manage the web server.

Note: In Windows Server, the Web Server (IIS) role is frequently required to support other
server roles or functions such as Application Server, Active Directory Federation Services (AD FS),
or Internet Printing. You can also install the Web Server (IIS) role on a Windows Server 2012
Server Core.

Windows PowerShell provides an extensive range of cmdlets to help with web server installation and
configuration, as part of the WebAdministration module. Some useful commands are included in the
following table.
Windows PowerShell Commands                Description

Get-WebSite                                Gets configuration information for an IIS website.

Get-WebURL                                 Gets information associated with a URL for a specific website.

Get-Command -Module WebAdministration      Lists all the cmdlets that are present in the WebAdministration
                                           module.

More information about Internet Information Services 8.0 can be found at the following
webpage.
http://www.iis.net
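As an added example that is not part of the courseware, the following script uses the WebAdministration module to list every IIS website with its bindings and to flag started sites that have no https binding, since the Security section above explains that a certificate and SSL are how the web server proves its identity. The function name Get-SiteBindingReport is an assumption; Get-Website, Get-WebBinding and the IIS:\SslBindings drive are part of the module.

```powershell
# Added example (not from the courseware): audit IIS site bindings for https.
# Requires the WebAdministration module, installed with the Web Server (IIS) role.
Import-Module WebAdministration

function Get-SiteBindingReport {
    # One summary object per site; Get-WebBinding returns one object per binding,
    # whose protocol is http or https and whose bindingInformation is IP:port:host.
    foreach ($site in Get-Website) {
        $bindings = @(Get-WebBinding -Name $site.Name)
        $https    = @($bindings | Where-Object { $_.protocol -eq 'https' })
        [PSCustomObject]@{
            Site         = $site.Name
            State        = $site.State
            PhysicalPath = $site.PhysicalPath
            HttpsBinding = ($https.Count -gt 0)
            Bindings     = ($bindings | ForEach-Object {
                               "$($_.protocol) $($_.bindingInformation)" }) -join ', '
        }
    }
}

$report = Get-SiteBindingReport
$report | Format-Table -AutoSize

# A started site with only http bindings cannot prove its identity to clients,
# and any credentials it collects travel unprotected; surface those sites.
$report | Where-Object { -not $_.HttpsBinding -and $_.State -eq 'Started' } |
    ForEach-Object { Write-Warning "Site '$($_.Site)' has no https binding." }

# Certificates actually bound to https endpoints, by IP address and port.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint -AutoSize
```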

What Is a Remote Access Server?


Remote access enables users to access corporate
resources from outside the corporate network.
Users could be accessing corporate network
shares, websites, and applications remotely
through many different devices or locations. In
Windows Server 2012, there are two main options for
providing remote access: DirectAccess or
VPN.
Situations that might require a remote access
server include the following:

Staff working from home in the evenings

Staff telecommuting

Working from hotels during business trips

Wireless clients for accessing data on the road

When you install the Remote Access role, you have two options:

DirectAccess and VPN (RAS).
   o DirectAccess was introduced in Windows Server 2008 R2 and Windows 7, and is present in
     Windows Server 2012 and Windows 8. DirectAccess allows users to securely access their
     corporate network, shares, websites, and applications remotely across the corporate network
     without any configuration or manual intervention on the end-user side. It creates a bi-directional
     link that IT administrators can use to manage the device whenever the computer or device is
     connected to the Internet. It provides a secure, seamless, always-on technology. If DirectAccess
     loses its connection, it automatically reconnects.
   o VPN is an older remote access technology that creates a secure point-to-point connection
     between the remote device or computer and the corporate network. It uses tunneling protocols to
     provide the connection. It can require some manual intervention and troubleshooting on the
     client side.

Routing. Routing provides for the management of data flow between network segments or subnets.
It provides support for network address translation (NAT) routers, LAN routers running Routing
Information Protocol (RIP), and multicast-capable routers. The Routing role service in Windows Server
2012 is a software-based routing solution that is best suited for smaller segmented networks that
carry fairly light network volumes.
Regardless of what kind of data is being accessed, security is a key concern when you allow devices from
outside your own secure corporate environment to gain access to the network. So although the remote
access role allows for external connections to the network, there are additional roles that are installed to
provide security for those devices. To provide that protection, one additional role to install would be
Network Policy and Access Services.
Network Policy and Access Services

The Network Policy and Access Services role provides for a range of different technologies that provide
layers of security when you are deploying a remote access infrastructure in the network. This role consists
of four role services:

Network Policy Server (NPS). Enables you to create and enforce network access policies for network
access connections, health enforcement, and network connection authorization. This controls access
to your corporate network and allows for remediation of clients that do not meet the specific
requirements that you set in your policies, such as the latest updates being installed or antivirus
software being present on the client devices.

Health Registration Authority (HRA). Validates certificate requests that contain health claims; used
in NAP enforcement.

Host Credential Authorization Protocol. Enables you to integrate your NAP solution with Cisco
Network Access Control.

Some of these technologies are described in more detail later in the course. But the main thing to
understand from this topic is that several roles might be necessary to provide for efficient and secure
deployment of a role. You should give full consideration to what your requirements are before you deploy
any server role.
Windows PowerShell provides an extensive range of cmdlets to help with remote access installation and
configuration, as part of the RemoteAccess and NPS modules. Some useful commands might include
those in the following table.
Windows PowerShell Commands                Description

Get-RemoteAccessHealth                     Displays the current health status of a remote access
                                           deployment.

Get-NpsRadiusClient                        Displays NPS RADIUS clients.

Get-Command -Module RemoteAccess           Displays the cmdlets for the RemoteAccess module.

Get-Command -Module NPS                    Displays the cmdlets for the NPS module.

Question: What are some examples of security concerns for data that is accessed remotely?

Remote Server Administration Tools


You can install the complete set of administrative
tools for Windows Server 2012 by installing the
Remote Server Administration Tools (RSAT)
feature. When you install RSAT, you can choose to
install all of the tools, or only the tools to manage
specific roles and features. You can also install
RSAT on computers running the Windows 8
operating system. This allows administrators to
manage servers remotely, without having to log
on directly to each server.

It is a general best practice to run Windows Server 2012 servers as a Server Core installation and
manage them remotely via RSAT for Windows 8 or one of the many other remote management methods.

You can manage Windows Server 2012 servers with RSAT for Windows 8 only; that is, you cannot manage
Windows Server 2012 by using RSAT for Windows 7.
You can download the Remote Server Administration Tools for Windows 8 at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309113

Demonstration: Remotely Manage Windows Server 2012 Servers

In this demonstration, you will see how to manage Windows Server 2012 servers remotely by using the
Remote Server Administration Tools (RSAT) for Windows 8.

Demonstration Steps
1. Install the RSAT for Windows 8.
2. Create a Server Group in Server Manager called Lon Servers.
3. Add LON-DC1 and LON-SVR3 to the Server Group.
4. Install the Web Server (IIS) role on LON-SVR3.
5. Install the Print and Document Services role on LON-DC1.
6. Restart both servers simultaneously via the Server Group.
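The same demonstration carried out from a Windows 8 workstation with RSAT installed, using the ServerManager cmdlets over Remote Management (WinRM) instead of the Server Manager console; this is an added example, not part of the courseware. LON-DC1 and LON-SVR3 are the demonstration's server names; the Server Group is modelled as an array because Server Manager groups have no cmdlet, and the 600-second restart timeout is an assumption.

```powershell
# Added example (not from the courseware): steps 2 to 6 of the demonstration
# performed with PowerShell from a management workstation running RSAT.
Import-Module ServerManager

# "Lon Servers" group, modelled as an array (no cmdlet creates Server Manager groups).
$lonServers = 'LON-DC1', 'LON-SVR3'

# Server Manager relies on Remote Management (WinRM); confirm each server answers
# before attempting any change, so failures are attributed to the right cause.
foreach ($server in $lonServers) {
    try {
        Test-WSMan -ComputerName $server -ErrorAction Stop | Out-Null
        Write-Output "${server}: WinRM reachable"
    } catch {
        Write-Warning "${server}: WinRM not reachable - $($_.Exception.Message)"
    }
}

# Steps 4 and 5: one role per server. Feature names are the ServerManager names
# for Web Server (IIS) and Print and Document Services.
$plan = @{ 'LON-SVR3' = 'Web-Server'; 'LON-DC1' = 'Print-Services' }

foreach ($server in $plan.Keys) {
    $r = Install-WindowsFeature -Name $plan[$server] -ComputerName $server -IncludeManagementTools
    Write-Output ("{0}: {1} Success={2} RestartNeeded={3}" -f
        $server, $plan[$server], $r.Success, $r.RestartNeeded)
}

# Step 6: restart the whole group at once and block until WinRM is back on each,
# so the verification below does not run against a server that is still booting.
Restart-Computer -ComputerName $lonServers -Force -Wait -For WinRM -Timeout 600

# Confirm each role reports as installed on its server.
foreach ($server in $plan.Keys) {
    Get-WindowsFeature -Name $plan[$server] -ComputerName $server |
        Format-Table Name, InstallState -AutoSize
}
```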

Lesson 3

Considerations for Provisioning Roles

This lesson will cover considerations for deploying server roles and also the deployment options that are
available. Organizations are no longer required to provide the IT infrastructure for their business. Instead,
the availability of online cloud services allows IT administrators to take advantage of large data center
functionality while focusing on their core business needs. Although externally hosted services may not be
suitable in all situations, the option is available and IT administrators must be aware of it.

Lesson Objectives
After completing this lesson, students will be able to:

Describe Hyper-V.

Understand the capabilities of Hyper-V.

Configure a virtual machine.

Describe on-premise scenarios.

Describe cloud services.

What Is Hyper-V?
Hyper-V is a virtualization technology that is installed as a role in Windows Server 2012. It provides
the ability to create and manage virtual machines. Virtual machines are virtual instances of operating
systems, which allows multiple operating systems to run concurrently on a single server.

Hyper-V is a hardware virtualization technology that provides virtual machines with direct access to the
server's hardware. It does this by installing what is known as a hypervisor on the operating system
hardware. All access to the hardware traverses the hypervisor. This includes the installed operating
system. This enables multiple isolated operating systems to share a single hardware platform. This
differs from other software virtualization products, such as Microsoft Virtual Server 2005 R2 or Virtual
PC. Those virtualization technologies provide access to the hardware through the server's operating
system, which in turn provides indirect access to the server's hardware.
After installation of the Hyper-V role, the installed operating system becomes the parent partition from
where you can create and manage child partitions. Child partitions do not have direct access to other
hardware resources and are presented with a virtual view of the resources, as virtual devices.
Drivers in the parent partition are used for accessing the server hardware. Child partitions use virtualized
devices through virtualization service client drivers, which communicate through a virtual machine bus
(VMBus) with virtualization service providers in the parent partition. Requests to the virtual devices are
redirected either through the VMBus or through the hypervisor to the devices in the parent partition.

Installation Requirements

The server on which you plan to install the Hyper-V role must meet the following hardware requirements:

The server must have an x64 platform that supports the following:
   o Hardware-assisted virtualization. If you want to run Hyper-V, you must have servers that can
     run AMD Virtualization (AMD-V) or Intel Virtualization Technology (Intel VT).
   o Data Execution Prevention (DEP). You must have hardware-enforced DEP enabled by
     configuring either the Advanced Micro Devices (AMD) no execute bit (NX bit) or the Intel execute
     disable bit (XD bit).

After you change the BIOS to support hardware virtualization and DEP, you must turn off the computer
completely, and then restart it. Performing a restart may not enable the new settings.

The server must have enough CPU capacity to meet the requirements of the guest virtual machines. A
virtual machine hosted on Hyper-V in Windows Server 2012 can support up to 64 virtual processors.

The server must have enough memory to support all the virtual machines that must run concurrently,
plus enough memory to run the host Windows Server 2012 operating system.
   o The server must have at least 4 gigabytes (GB) of RAM.
   o A virtual machine hosted on Hyper-V in Windows Server 2012 can support no more than 2
     terabytes (TB) of RAM.

The storage subsystem performance must meet the input/output (I/O) needs of the guest virtual
machines. Whether deployed locally or on SANs, you might have to put different virtual machines on
separate physical disks, or you might have to deploy high-performance redundant array of
independent disks (RAID), solid-state drives (SSD), hybrid-SSD, or a combination of all three.

The virtualization server's network adapters must be able to support the network throughput needs
of the guest virtual machines. You can improve network performance by installing multiple network
adapters.

Windows PowerShell provides an extensive range of cmdlets to help with Hyper-V implementation. These
cmdlets are part of the Hyper-V module and include those in the following table.
Windows PowerShell Commands                Description

New-VM                                     Creates a new virtual machine.

Test-VHD                                   Verifies the integrity of one or more virtual hard disks.

Get-Command -Module Hyper-V                Displays the cmdlets for the Hyper-V module.

As well as being able to install Hyper-V as a role in Windows Server 2012, it is also possible to obtain
Microsoft Hyper-V Server 2012 as a free download. This version just contains the virtualization technology
and does not contain the rich feature set that comes with Windows Server 2012. Hyper-V Server 2012
would typically be used where organizations are consolidating servers where no new Windows Server
licenses are required or where the servers being consolidated are running an alternative operating system.
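As an added example that is not part of the courseware, the following script uses New-VM and Test-VHD from the table above to provision a virtual machine, size its processors and memory within the limits the text describes, and confirm the integrity of its virtual hard disk. The VM name, the paths, the virtual switch name and the memory sizes are assumptions for the example.

```powershell
# Added example (not from the courseware): create a VM with New-VM, size it, and
# verify its virtual hard disk with Test-VHD. Run on a Hyper-V host.
Import-Module Hyper-V

# Assumed values for this example.
$vmName  = 'LAB-VM1'
$vhdPath = 'D:\VMs\LAB-VM1\LAB-VM1.vhdx'
$switch  = 'External'   # must already exist; list switches with Get-VMSwitch

if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    throw "Virtual switch '$switch' does not exist on this host."
}

# New-VM creates the VM and a new dynamically expanding VHDX for it.
New-VM -Name $vmName -MemoryStartupBytes 2GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 60GB -SwitchName $switch | Out-Null

# Two virtual processors and dynamic memory bounded between 1 GB and 4 GB.
Set-VMProcessor -VMName $vmName -Count 2
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true `
             -MinimumBytes 1GB -MaximumBytes 4GB

# Test-VHD returns $true when the virtual hard disk (and any parent chain) is intact.
if (-not (Test-VHD -Path $vhdPath)) {
    throw "Virtual hard disk '$vhdPath' failed its integrity check."
}

Get-VM -Name $vmName | Format-List Name, State, ProcessorCount, MemoryStartup
```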

Hyper-V Capabilities
Hyper-V is a cornerstone to several Microsoft
virtualization technologies. Microsoft provides
many virtualization solutions that address various
organizational needs. This includes the following:

Server virtualization. This lets you run multiple virtual machines on a single physical server. This
provides more density of resource use (hardware, utilities, storage space) while providing operational
isolation and security.

Desktop virtualization. This lets you run virtual machine guests on client computers. This enables you
to run multiple operating systems on a single workstation, and to run an incompatible legacy or
line-of-business (LOB) application in a more-current desktop operating system.

RDS and Virtual Desktop Infrastructure (VDI). This allows you to provision remote access to
machines and also provision client desktops and applications to end-users. VDI provides for more
centralized control and customization of the desktop environments, maintaining application storage
on centralized servers, while providing users with a familiar application interface on their
workstations.

Application virtualization. This lets you run applications in a virtualized environment on a user's
desktop. With application virtualization, the application is isolated from the underlying operating
system because the application is encapsulated in a virtual environment. When you deploy a
complete application virtualization solution, you can use centralized servers to distribute the virtual
applications.

User-state virtualization. User-state virtualization lets users take advantage of separating their
documents and profile information from a specific computer. This makes it easy to get started again
on a new computer. Profile virtualization also makes it easy for users to move between computers, or
to experience the same desktop environment when using one of the other virtualization technologies.

Each virtualization strategy has specific tools or configurations that it requires in addition to Hyper-V.

One of the critical components in deploying virtualization is to be able to manage both the physical and
virtual components. The System Center suite of tools provides virtualization management. Tools such as
System Center Configuration Manager, System Center Operations Manager, and System Center Virtual
Machine Manager (VMM) provide a familiar set of tools for managing both the virtual environment and
the physical layer that hosts the virtual environment. These Enterprise server tools integrate with Hyper-V
to allow for more scalability and efficiency when you deal with many virtualized environments.

On-Premise Servers
As an IT professional who has worked with locally deployed servers, it would be reasonable to ask why,
if everything is moving to cloud computing (discussed in the next topic), you would still have to learn
about deploying Windows Server 2012 locally. The reality is that not every service and application that is
used daily should be hosted by cloud computing. Locally deployed servers form the backbone of an
organizational network, and provide the following resources to clients:

Infrastructure services. Servers provide clients with infrastructure resources, including
DNS and DHCP services. These services allow clients to connect and communicate with other
resources. Without these services, clients would be unable to connect either to one another or to
remote resources, including resources that are hosted by cloud computing.

Shared files and printers. Servers provide a centralized location that lets users store and share
documents. Servers also host resources such as shared printers that allow groups of users to take
advantage of resources more efficiently. Without these centralized, locally deployed resources,
sharing and backing up files centrally would be a more complex and time-intensive process. You
could host some of this information by using cloud computing. However, it does not always make
sense to send a job to a printer that is in the next room through a server that is hosted at a remote
location.

Hosted applications. Servers host applications such as Exchange Server, SQL Server, Microsoft
Dynamics, and System Center. Clients access these applications to perform different tasks, such as
accessing email or self-service deployment of desktop applications. In some cases, these resources can
be deployed to cloud computing. But frequently, these resources must be hosted locally for
performance, cost, and regulatory reasons. Whether it is best to host these resources locally or with
cloud computing depends on the specifics of the individual organization.

Network access. Servers provide authentication and authorization resources to clients on the
network. By authenticating against a server, a user and client can prove their identity, even when
many of an organization's servers are located in a public or private cloud.

Application, Update, and Operating System deployment. Servers are frequently deployed locally
to help with the deployment of applications, updates, and operating systems to clients on the
organizational network. Because of intensive bandwidth use, these servers must be in proximity to the
clients to which they are providing this service.

Each organization will have its own requirements. An organization in an area that has limited Internet
connectivity will have to rely more on on-premises servers than an organization that has access to
high-speed bandwidth. Make sure that, even in a case of Internet connectivity issues, work in an
organization can continue. Productivity will be adversely affected if the failure of the organization's
Internet connection suddenly means that no one can access their shared files and printers.

Although Windows Server 2012 is ready for integration with cloud computing, it is also still eminently
suited to the traditional tasks that Windows Server operating systems have performed historically.
Therefore, you will still be able to configure and deploy Windows Server 2012 to perform the same or
similar workloads that you configured for servers running Windows Server 2003, and maybe even for
Windows NT Server 4.0.

What Are Cloud Services?

Cloud computing is a general description that covers several different technologies. Although it might
be defined in many ways, it effectively refers to services being provisioned remotely, through Internet
standards and protocols, to both users and administrators. The most common forms of cloud computing
are as follows:

Infrastructure as a service (IaaS). With this form of cloud computing, you run a full virtual machine in
the cloud. The cloud hosting provider manages the hypervisor platform, and you manage the virtual
machine that runs on the cloud provider's infrastructure. Windows Azure Compute is an example of
IaaS. You can run Windows Server 2012 as a virtual machine in an IaaS cloud, but in some cases, the
operating system will host the virtual machines in an IaaS cloud.

Platform as a Service (PaaS). With PaaS, the cloud hosting provider provisions you with a particular
platform. For example, a provider could let you host databases. You manage the database itself, and
the cloud hosting provider hosts the database server. Windows Azure SQL Database (formerly
known as SQL Azure) is an example of PaaS.

Software as a Service (SaaS). The cloud hosting provider hosts your application and the
infrastructure that supports that application. You buy and run a software application from a cloud
hosting provider. Windows Intune and Microsoft Office 365 are examples of SaaS.

Public and Private Clouds

A public cloud is a cloud service that is hosted by a cloud services provider, and is made available for
public use. A public cloud might host a single tenant, or it might host tenants from multiple organizations.
Therefore, public cloud security is not as strong as private cloud security, but public cloud hosting
typically costs less because multiple tenants absorb costs. In contrast, private clouds are cloud
infrastructure that is dedicated to a single organization. Private clouds might be hosted by the
organization itself, or might be hosted by a cloud services provider who makes sure that the cloud
services are not shared with any other organization.
Private clouds are more than large-scale hypervisor deployments. They can use the System Center 2012
management suite, which makes it possible to provide self-service delivery of services and applications.
For example, in an organization that has its own private cloud, it would be possible for users to use a
self-service portal to request multitier applications, including a web server, database server, and storage
components. Windows Server 2012 and the components of the System Center 2012 suite are configured
in such a way that this service request can be processed automatically, without requiring the manual
deployment of virtual machines and database server software.

In general, your organization's requirements will most likely involve some mix of the two scenarios in a
hybrid cloud and on-premise environment. This provides the core services that you must have, allows for
control over data that you do not want to leave your organization, and lets you take advantage of some
benefits of cloud services. These benefits include high availability, business continuity, disaster recovery,
reduced hardware costs, and regular billing for services, which allows for better forecasting and
management of costs.
More information about Windows Azure can be found at the following webpage.

http://www.windowsazure.com

Lab: Implementing Server Roles


Scenario


A. Datum Corporation has deployed client computers to several new R & D branch offices. It has planned
to install new server computers at these branches to enable network infrastructure features, to support
custom applications, and to enable file and print services to support office productivity applications on
the client computers.
Your task is to read the requirements document and determine what server roles are required to support
the needs of users at branch offices.

Objectives
After completing this lab, you will be able to:

Determine the appropriate roles to deploy.

Deploy server roles.

Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR3 and 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd
Exercise 1 can be done as a small group or class discussion.

Exercise 1: Determining the Appropriate Roles to Deploy


Scenario

Ed Meadows has forwarded an email message to you from Alan Brewer, the Research department head.
Also attached to the email is the Branch Office Server Deployment Requirements document. You must
read the supporting documentation and complete the Branch Office Server Deployment
Recommendations document.
Supporting Documentation

Subject: FW: New branch offices Server Deployment
From: Ed Meadows [Ed@adatum.com]
Sent: April 3
To: Charlotte@adatum.com
Attached: Branch Office Server Deployment Requirements.doc

Charlotte,
Please see Alan's comments and review the attached document for more information.
Regards,
Ed

----- Original Message -----
Subject: New branch offices Server Deployment
From: Alan Brewer [Alan@adatum.com]
Sent: April 1
To: Ed@adatum.com

Ed,

I don't understand all the technicalities, but what we want at the branches is the ability to work as usual
even if the link to the head offices is unavailable.
We have a database that we use; the branches synchronize their data with the head office database
periodically.

All workers at the branches are using standard office productivity software: Microsoft Word 2013,
Microsoft Excel 2013, and other Office components. They save their work to a server. Shared printers
are available throughout the branches for all users.

We often have visiting laptops and users moving between branches, so they need to be able to connect
to the network without user or administrator intervention.
Hope this helps,
Alan

Branch Office Server Deployment Requirements.doc


Branch Office Technical Overview
During interviews with staff and following research at each branch, I have determined the following
requirements:

Client computers require automatic IPv4 configuration.

Users share files and store them centrally on shared folders.

Shared printers can be accessed by everyone at the branch.

A database server exists at each branch that contains a subset of the data for the whole Research
department; synchronization occurs automatically with the head office.

Make sure that updates to computers are not obtained directly from the Internet, but instead from a
local server.
Branch Office Server Deployment Recommendations
Document Reference Number: CW040410/1
Document Author: Charlotte Weiss
Date: April 4

Branch Office Server Deployment Recommendations


Requirements Overview
Deploy required server roles to the branch offices to ensure that the needs of the users are met.
Additional Information
None.
Proposals

1. How will you address the requirement that all computers can obtain an IPv4 configuration
   automatically even if the link to the head office is down?

2. How will you address the requirement that users must be able to access shared files?

3. How will you address the requirement that users must be able to use shared printers?

4. What kind of server best supports the needs of the database application?

5. What roles support this kind of server?

6. How will you address the requirement that the computers must obtain updates from a local update
   server?

7. Which roles are required at the branch servers?

The main tasks for this exercise are as follows:

1. Read the supporting documentation.

2. Complete the Branch Office Server Deployment Recommendations document.

Task 1: Read the supporting documentation

1. Read the supporting documentation.

2. Review the server requirements of the branch offices.

Task 2: Complete the Branch Office Server Deployment Recommendations document

1. Complete the Deployment Proposals section of the Branch Office Server Deployment
   Recommendations document.

2. How will you address the requirement that all computers can obtain an IPv4 configuration
   automatically even if the link to the head office is down?

3. How will you address the requirement that users must be able to access shared files?

4. How will you address the requirement that users must be able to use shared printers?

5. What kind of server best supports the needs of the database application?

6. What roles support this kind of server?

7. How will you address the requirement that the computers must obtain updates from a local update
   server?

8. Which roles are required at the branch servers?

Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.

Exercise 2: Deploying and Configuring the Determined Server Roles


Scenario


You have studied the supporting documentation and Ed has asked you to deploy a subset of the required
roles on a test server in the lab environment. Assuming all goes well in the test lab, you will deploy these
roles to production servers at the branch offices. You decided to remotely manage the servers using the
RSAT for Windows 8, so multiple servers can be managed from a single management console and you will
also investigate automating some of the installations.
The main tasks for this exercise are as follows:

1. Deploy infrastructure-related roles.

2. Deploy the remaining roles on a single server.

3. Obtain the configuration settings XML for the infrastructure role installation.

4. Configure event settings in Server Manager for DNS Server.

5. Run the Best Practice Analyzer for the DHCP role.

6. Revert the lab virtual machines.

Task 1: Deploy infrastructure-related roles

1. Install the RSAT for Windows 8 from \\LON-DC1\E$\Mod06\Labfiles on to the Windows 8 client
   computer.

2. Install the DHCP and DNS roles on a single server.

Task 2: Deploy the remaining roles on a single server

1. Ensure you are signed on to 10967A-LON-CL1.

2. Use the Add Roles and Features Wizard to install the following roles:

   Application Server

   File and Storage Services

   Print and Document Services

   Windows Server Update Services

Task 3: Obtain the configuration settings XML for the infrastructure role installation

1. On the Add Roles and Features Wizard Installation progress page, obtain the configuration settings
   and save them to the Documents folder.

2. Review the configuration settings file.

Task 4: Configure event settings in Server Manager for DNS Server

1. On 10967A-LON-CL1, open Server Manager.

2. Configure event data to track the following events that have occurred within the past three days:

   Critical

   Error

   Warning

   Informational

Task 5: Run the Best Practice Analyzer for the DHCP role

1. On 10967A-LON-CL1, open Server Manager.

2. In the DHCP node, go to the Best Practice Analyzer section and start a BPA scan.

3. Review the resultant messages and determine what remains to be configured on the DHCP server.

Task 6: Revert the lab virtual machines

1. When you have completed the lab, revert the virtual machines back to their initial state. To do this,
   complete the following steps:

2. On the host computer, start Hyper-V Manager.

3. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.

4. In the Revert Virtual Machine dialog box, click Revert.

5. Repeat steps 2 and 3 for 10967A-LON-SVR3, and 10967A-LON-DC1.

Results: After this exercise, you should have deployed all required roles and features.
Question: When installing the File Services role during the lab, which role services might
prove especially useful for a branch office?
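The following added script (not from the 10967A lab files) performs Tasks 1 to 6 of Exercise 2 with Windows PowerShell instead of the Server Manager console, which is the automation that the scenario asks you to investigate. It assumes the lab names (LON-SVR3 as the test server and the 10967A virtual machines), that the configuration file exported in Task 3 was saved under the wizard's default name, DeploymentConfigTemplate.xml, in the Documents folder, and that the signed-in account is ADATUM\Administrator. The DHCP BPA model ID is looked up from Get-BpaModel rather than hard-coded.

```powershell
# Added example (not part of the courseware): Exercise 2 from the Windows 8
# management client, which already has RSAT installed (Task 1, step 1).
# Assumed names: LON-SVR3 is the test server; DeploymentConfigTemplate.xml is the
# file exported from the wizard in Task 3 (the wizard's default file name).
Import-Module ServerManager
$server = 'LON-SVR3'

# Task 1, step 2: the infrastructure roles on the single test server.
# -IncludeManagementTools also installs the DHCP and DNS consoles and cmdlets.
Install-WindowsFeature -Name DHCP, DNS -IncludeManagementTools -ComputerName $server

# Task 2: the remaining roles on the same server. Feature names are the ones
# Get-WindowsFeature reports on Windows Server 2012.
Install-WindowsFeature -Name Application-Server, FS-FileServer, Print-Services, UpdateServices `
    -IncludeManagementTools -ComputerName $server

# Task 3: replay the exported configuration file instead of clicking through the
# wizard again. -WhatIf previews which features it would add without changing anything.
$configXml = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'DeploymentConfigTemplate.xml'
if (Test-Path $configXml) {
    Install-WindowsFeature -ConfigurationFilePath $configXml -ComputerName $server -WhatIf
}

# Task 4: DNS Server events of the four severities from the past three days.
# Event level 1 = Critical, 2 = Error, 3 = Warning, 4 = Informational.
$since = (Get-Date).AddDays(-3)
Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'DNS Server'; Level = 1, 2, 3, 4; StartTime = $since } |
    Select-Object TimeCreated, LevelDisplayName, Id, Message |
    Format-Table -AutoSize -Wrap

# Task 5: run the DHCP Best Practice Analyzer on the server and keep only the
# findings that still need attention (Information entries are compliant checks).
Invoke-Command -ComputerName $server -ScriptBlock {
    Import-Module BestPractices
    $model = Get-BpaModel | Where-Object { $_.Id -like '*DHCPServer*' } | Select-Object -First 1
    Invoke-BpaModel -ModelId $model.Id | Out-Null
    Get-BpaResult -ModelId $model.Id |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object Severity, Category, Title, Problem, Resolution
} | Format-List

# Task 6 (run on the Hyper-V host, not on the client): revert each lab VM to its
# oldest snapshot, which is the initial lab state.
foreach ($vm in '10967A-LON-CL1', '10967A-LON-SVR3', '10967A-LON-DC1') {
    Get-VMSnapshot -VMName $vm | Sort-Object CreationTime | Select-Object -First 1 |
        Restore-VMSnapshot -Confirm:$false
}
```

Run the first five sections from 10967A-LON-CL1, where the RSAT cmdlets are available; the last section runs on the Hyper-V host, where the Hyper-V module is installed. Reviewing the BPA output before the roles go to the branch offices is the point of the lab: a role that installs cleanly can still be missing the configuration (for DHCP, authorization and scopes) that the analyzer reports.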

Module Review and Takeaways


Best Practice:
Supplement or modify the following best practices for your own work situations:

Combine multiple roles on a single server when you deploy servers in smaller organizations; scale out
these roles in larger organizations so that you can optimize performance.

Review Question
Question: How is a server role different from a server feature?

Tools

Tool: Server Manager
Use for: Managing server configuration, including adding roles and features.
Where to find it: Start Menu

Tool: Windows PowerShell
Use for: Managing Server Manager; most server roles have cmdlets available to support them.
Where to find it: Windows PowerShell console

Module 7
Implementing Active Directory
Contents:
Module Overview 7-1
Lesson 1: Introducing Active Directory Domain Services 7-2
Lesson 2: Implementing AD DS 7-10
Lesson 3: Managing Users, Groups, and Computers 7-18
Lesson 4: Implementing Group Policy 7-24
Lab: Implementing Active Directory Domain Services 7-30
Module Review and Takeaways 7-35

Module Overview

The Windows Server operating system Active Directory Domain Services (AD DS) is a Windows-based
directory service. As a directory service, AD DS stores information about objects on a network and makes
this information available to users and network administrators.

Objectives
After completing this module you will be able to:

Describe the fundamental features of AD DS.

Implement AD DS.

Implement organizational units (OUs) for managing groups and objects.

Configure client computers centrally with Group Policy objects (GPOs).

Lesson 1

Introducing Active Directory Domain Services

AD DS enables network users to access resources anywhere on the network by using a single logon
process. It also gives network administrators an intuitive, hierarchical view of the network and a single
point of administration for all network objects. By understanding the fundamental building blocks of AD
DS, you can make more informed decisions about how to implement and configure AD DS.
More information about Active Directory Domain Services can be found at the following
webpage:
http://go.microsoft.com/fwlink/?LinkID=309114

Lesson Objectives
After completing this lesson you will be able to:

Describe an Active Directory forest.

Describe an Active Directory domain.

Describe Active Directory trees.

Describe Active Directory trust relationships.

Describe the Active Directory schema.

Describe and implement OUs.

The AD DS Forest
In AD DS, a forest is the highest level in the logical
structure hierarchy. An Active Directory forest
represents a single, self-contained directory, and
within each forest there exists one or more
domains. A forest is a security boundary, a domain
being an administrative boundary. This means
that administrators in a forest have complete
control over all access to information that is
stored inside the forest and to the domain
controllers (DCs) that are used to implement the
forest.

Typically, an organization has a single forest.


There are reasons for multiple forests, such as the following: an organization requires complete data or
service isolation, requires separate test or development networks, is deploying domain controllers in
perimeter networks, or is going through mergers and acquisitions. If an organization requires separate
administrative areas for different parts of the organization, you should create multiple domains to
represent those administrative areas.
By default, if you implement multiple forests within your organization, the forests will operate separately
from one another as if they were the only directory service in your organization.

Note: You can integrate multiple forests by creating security relationships between them
known as external or forest trust relationships.
You can also use technologies such as Microsoft Forefront Identity Manager to synchronize
accounts (as in a resource forest model) or Active Directory Federation Services (AD FS) to enable
accounts from other forests to authenticate against resources in a non-trusted forest.

Forest Wide Operations

AD DS is a multi-master directory service. This means that many changes to the directory can be made at
any writable instance of the directory, that is, any writable domain controller. However, some changes
are single-master. This means that they can only be made on one specific domain controller in the forest
or domain, depending on the particular change. Domain controllers at which you can make these
single-master changes are said to hold operations master roles. There are five operations master roles.
Two of the roles are forest-wide and assigned for the forest. The remaining three roles are domain-wide
and are assigned for the domain.
The two operations master roles assigned for the forest are as follows:

Domain naming master. The job of the domain naming master is to make sure that there are unique
names throughout the forest. That is, it makes sure that the fully qualified domain name (FQDN) of
each computer, among other objects, exists only one time in the forest.

Schema master. The schema master tracks the schema of the forest and maintains changes to the
schema of the forest.

Because these are critical forest-wide roles, each forest must have only one schema master and one
domain naming master.

What Is a Domain?
A domain is an administrative boundary. All
domains host an Administrator user account that
has full administrative capabilities over all objects
within the domain, frequently known as the
domain administrator. Although the administrator
can delegate administration on objects within the
domain, the account maintains full administrative
control of all objects within the domain.
In AD DS, the administrator account in the forest root domain also has full administrative control over
all objects in the forest, rendering any domain-level administrative separation invalid.

A domain is also a replication boundary. AD DS consists of three elements, or partitions. These are the
schema, the configuration partition, and the domain partition. There is one of each per domain. Generally,
it is only the domain partition that frequently changes.

The domain partition contains objects that are likely to be frequently updated. These include users,
computers, groups, and OUs. Therefore, AD DS replication consists primarily of the updates to objects that
are defined within the domain partition. Only domain controllers in the same domain receive domain
partition updates from other domain controllers. Partitioning data enables organizations to replicate data
only to where it is needed. In this manner, the directory can scale globally over a network that has limited
available bandwidth.

A domain is also an authentication boundary. Each user account in a domain can be authenticated by
domain controllers from that domain. Domains in a forest trust one another, and it is these trusts that
enable a user from one domain to access resources held in another domain.
Domain Wide Operations
There are three operations master roles per domain. By default, these roles are assigned to the first
domain controller in each domain and include the following:

Relative identifier (RID) master. When an object is created in AD DS, the domain controller where
the object is created assigns the object a unique identifying number known as a security identifier
(SID). To make sure that no two domain controllers assign the same SID to two objects, the RID
master allocates blocks of SIDs to each domain controller within the domain.

Primary domain controller emulator. This role is the most important because its failure is noticed
far more quickly than any other operations master role. It is responsible for several domain-wide
functions. This includes the following:

Updating account lockout status.

Single operations master for the creation and replication of GPOs.

Time synchronization for the domain.

Maintaining a domain-based Distributed File System (DFS) namespace.

Infrastructure master. This role is responsible for maintaining inter-domain object references. For
example, when a group in one domain contains a member from another domain, the infrastructure
master is responsible for maintaining the integrity of this reference.

These three roles must be unique in each domain. Therefore, each domain can have only one RID master,
one primary domain controller (PDC) emulator, and one infrastructure master.
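As an added example that is not part of the course text, the following Windows PowerShell function lists the holders of the two forest-wide and three domain-wide operations master roles described above and checks that each holder answers LDAP. It assumes the ActiveDirectory module from RSAT and an account that can read the forest and domain objects; the function name Get-OperationsMasterReport is this example's own.

```powershell
# Added example (not from the courseware): report the five operations master roles
# and confirm that each holder is reachable. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest

    # The two forest-wide roles are properties of the forest object.
    $roles = @(
        [pscustomobject]@{ Scope = $forest.Name; Role = 'Schema master';        Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.Name; Role = 'Domain naming master'; Holder = $forest.DomainNamingMaster }
    )

    # The three domain-wide roles are properties of each domain object.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = 'RID master';            Holder = $domain.RIDMaster }
        $roles += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = 'PDC emulator';          Holder = $domain.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = 'Infrastructure master'; Holder = $domain.InfrastructureMaster }
    }

    # A holder that does not answer LDAP cannot service single-master changes; for
    # the PDC emulator that shows up quickly as lockout, time and GPO problems.
    foreach ($r in $roles) {
        $reachable = $false
        try {
            $null = Get-ADDomainController -Identity $r.Holder -Server $r.Holder -ErrorAction Stop
            $reachable = $true
        } catch { }
        $r | Add-Member -NotePropertyName Reachable -NotePropertyValue $reachable -PassThru
    }
}

Get-OperationsMasterReport | Format-Table Scope, Role, Holder, Reachable -AutoSize
```

Because each role is single-master, the report should show exactly one holder per role per scope; an unreachable holder is the first thing to check when lockout status, schema changes or GPO creation stop working.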

AD DS Trees
If your AD DS consists of more than one domain,
you must define the relationship between the
domains. If the domains share a common root
and a contiguous namespace, then they are
logically part of the same Active Directory tree. A
tree serves no administrative purpose. In other
words, there is no tree administrator as there is a
forest or domain administrator. A tree provides a
logical, hierarchical grouping of domains that
have parent/child relationships that are defined
through their names. Your Active Directory tree
maps to your Domain Name System (DNS)
namespace.

Active Directory trees are created by the relationship between the domains within the forest. There is no
specific reason you should, or indeed, should not create multiple trees within your forest. However, be
aware that a single tree, with its contiguous namespace, is easier to manage, and easier for users to
visualize.

Consider using multiple trees in a single forest if you have multiple namespaces to support. For example,
if within your organization there are several distinct operating divisions that have different public
identities, you could create a different tree for each operating division. Consider that with this scenario,
there is no separation of administration because the forest root administrator still has complete control
over all objects in the forest, in whichever tree they reside.

Trust Relationships
A trust relationship enables one security entity to
trust another security entity for the purposes of
authentication. In the Windows Server operating
system, the security entity can be thought of as
the Windows domain.
The main purpose of a trust relationship is to
provide a user in one domain access to a resource
in another domain without having a user account
in both domains.

In any trust relationship, there are two parties involved: the trusting entity and the trusted entity.
The trusting entity is the resource holding entity, whereas the trusted entity is the account holding
entity. For example, if you lend someone your laptop, you trust them. You are the resource holding
entity. They are the account holding entity.

Note: Just because there is a trust between domains that does not necessarily mean that
someone from a different domain has access to resources in other domains. Administrators can
grant the user rights to resources. By default, there are no user rights.
Types of Trusts
Trusts can be one-way or two-way.

A one-way trust means that, although one entity trusts the other, the reciprocal is not true. For example,
just because you lend Steve your laptop does not mean that Steve will lend you his car. In a two-way trust,
both entities trust one another.
Trusts can be transitive or nontransitive. In a transitive trust, A trusts B and B trusts C, and then A also
implicitly trusts C. For example, if you lend Steve your laptop, and Steve lends his car to Mary, then you
might lend your mobile phone to Mary.

Windows Server supports several different trusts for use in different situations. In a single forest, all
domains trust one another with internal, two-way transitive trusts. Basically, this means that all domains
trust all other domains. These trusts extend across trees within the forest. Other than these automatically
created trusts, you can configure additional trusts between domains within your forest, between your
forest and other forests, and between your forest and other security entities, such as Kerberos realms or
an Active Directory domain. The following table provides more information.
Trust type: External
Transitivity: Nontransitive
Direction: One-way or two-way
Description: Use external trusts to provide access to resources that are located on a domain that is
located in a separate forest that is not joined by a forest trust.

Trust type: Realm
Transitivity: Transitive or nontransitive
Direction: One-way or two-way
Description: Use realm trusts to form a trust relationship between platforms other than Windows
utilizing a Kerberos realm and an Active Directory domain.

Trust type: Forest
Transitivity: Transitive
Direction: One-way or two-way
Description: Use forest trusts to share resources between forests. If a forest trust is a two-way trust,
authentication requests that are made in either forest can reach the other forest.

Trust type: Shortcut
Transitivity: Transitive
Direction: One-way or two-way
Description: Use shortcut trusts to improve user logon times between two domains in an Active
Directory forest. This is useful when two domains are separated by two domain trees.
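The following added example (not part of the course text) reads every trust object in the forest and classifies it with the trust types in the table above, using the flags that AD DS stores on the trustedDomain object. It assumes the ActiveDirectory module and read access to the trust objects; the function name Get-TrustReport is this example's own. Direction and transitivity come straight from the object, and the two SID filtering properties are shown so that the defaults for external and forest trusts can be reviewed.

```powershell
# Added example (not from the courseware): classify the trusts in the forest and
# show the settings a defender reviews first. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        # Classification order matters: the later tests override the earlier ones.
        $kind = 'External'                                   # trust to a domain in another forest
        if ($t.ForestTransitive) { $kind = 'Forest' }       # forest-level trust
        if ("$($t.TrustType)" -notin 'Uplevel', 'Downlevel') { $kind = 'Realm' }   # non-Windows Kerberos realm
        if ($t.IntraForest) { $kind = 'Parent/child or shortcut (in-forest)' }

        [pscustomobject]@{
            Kind                 = $kind
            Source               = $t.Source
            Target               = $t.Target
            Direction            = $t.Direction              # Inbound, Outbound or BiDirectional
            Transitive           = -not $t.DisallowTransivity
            # Quarantine = SID filtering on an external trust; it is the default and stops a
            # SID in the other domain's tokens from being treated as one of this domain's SIDs.
            SIDFilterQuarantined = $t.SIDFilteringQuarantined
            SIDFilterForestAware = $t.SIDFilteringForestAware
            SelectiveAuth        = $t.SelectiveAuthentication
        }
    }
}

$trusts = Get-TrustReport
$trusts | Format-Table -AutoSize

# Review list: external trusts where the quarantine (SID filtering) default was switched off.
$trusts | Where-Object { $_.Kind -eq 'External' -and -not $_.SIDFilterQuarantined }
```

The note above still applies: a trust only allows authentication across the boundary; access to resources is granted separately by the resource owners, and selective authentication narrows even that to computers explicitly marked as allowing it.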

The AD DS Schema
The AD DS schema is the definition of all objects
and attributes that AD DS uses to store data.
AD DS stores and retrieves information from many
different applications and services. So that it can
store and replicate data from these various
sources, AD DS standardizes how data is stored in
the directory. By standardizing how data is stored,
AD DS can retrieve, update, and replicate data
while making sure that the integrity of the data is
maintained.
AD DS uses objects as units of storage. All objects
are defined in the schema. Every time that the
directory handles data, the directory queries the schema for an appropriate object definition. Based on
the object definition in the schema, the directory creates the object and stores the data.
The schema defines the following:

Objects (also known as classes) are a collection of attributes

Required and optional attributes for each object

Imagine you are creating a database (or Microsoft Excel spreadsheet) with cars in it. You create a cars
table, which reflects to the objects definition, or class, in AD DS. Then you define that every car has a
license or registration plate, and you define that this is a string with no more than 12 digits and that every
car can only be entered if the license or registration plate exists. Additionally, you define that the car has a
specific number of doors, a specific number of wheels, and a maximum speed. All these attributes are
numbers. Next you define a six-digit color code and a manufactured date.
The definition of this table reflects to the class in the schema, the definition of the attributes, and
attaching the attributes to the class. You haven't added any cars yet. However, you have the definition of
the car. When you enter a car, you are restricted to that definition and you cannot enter other data, such
as the engine size, if it is not defined in the schema.

Object definitions control the types of data that the objects can store and the syntax of the data. Using
this information, the schema makes sure that all objects comply with their standard definitions. Therefore,
AD DS can store, retrieve, and validate the data that it manages, regardless of the application that is the
original source of the data. Only data that has an existing object definition in the schema can be stored in
the directory. If a new kind of data has to be stored, a new object definition for the data must first be
created in the schema.

The schema is a single master element of AD DS. This means that you must change the schema at the
domain controller that holds the schema operations master role.

The schema is replicated among all domain controllers in the forest. Any change that is made to the
schema is replicated to every domain controller in the forest. All domain controllers in the forest share the
same schema, and therefore the same definition of objects and attributes. When a change in the schema
occurs, DCs update the schema before they replicate objects and attributes. This makes sure that they
have the definition before they obtain the data.
Because the schema dictates how information is stored, and because any changes that are made to the
schema affect every domain controller, changes to the schema should only be made when it is necessary.
Changes should follow a tightly controlled process.
Although you might not make any change to the schema directly, some applications change the schema
to support additional features. For example, when you install Microsoft Exchange Server into your AD DS
forest, the installation program extends the schema to support new object types and attributes.

Note: You can view the schema on a domain controller by running regsvr32
schmmgmt.dll in an administrative Command Prompt and then adding the Active Directory
Schema snap-in into the Microsoft Management Console (MMC). You can then scroll through
and view the classes and attributes.

More information about the Active Directory schema can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309115
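The same information that the Active Directory Schema snap-in shows can be read with the ActiveDirectory module. The following script is an added example and not part of the course; it assumes the RSAT ActiveDirectory module, a reachable domain controller, and a user named claus.hansen (the course's sample user). It finds the schema master, reads the definition of the user class and of one attribute (the equivalent of the licence-plate rule in the analogy above), and shows the schema rejecting a write to an attribute that is not defined for the class.

```powershell
# Added example: inspect the AD DS schema. Not from the course; assumes RSAT and a reachable DC.
Import-Module ActiveDirectory

# Every forest has exactly one schema master; schema changes must be made on that DC.
$forest = Get-ADForest
"Schema master: $($forest.SchemaMaster)"

# The schema has its own naming context; rootDSE tells us where it is.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Class definition for 'user' (the equivalent of the Cars table in the analogy).
# Attributes listed here are the ones defined directly on the class; more are inherited
# from the superclass chain (organizationalPerson -> person -> top).
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mustContain, systemMustContain, mayContain, systemMayContain, subClassOf

"Class 'user' derives from: $($userClass.subClassOf)"
"Optional attributes defined on 'user' itself: $(@($userClass.mayContain + $userClass.systemMayContain).Count)"
"Mandatory attributes defined on 'user' itself: $(@($userClass.mustContain + $userClass.systemMustContain).Count)"

# One attribute definition: syntax and length limit (the 'string of at most 12 characters' rule).
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=sAMAccountName))' `
    -Properties attributeSyntax, rangeUpper, isSingleValued
[pscustomobject]@{
    Attribute    = 'sAMAccountName'
    Syntax       = $attr.attributeSyntax   # 2.5.5.12 is the OID for a Unicode string
    MaxLength    = $attr.rangeUpper        # 256 in the default schema
    SingleValued = $attr.isSingleValued
}

# The schema enforces the definition: 'engineSize' is not an attribute of class 'user',
# so this write fails instead of storing the value. (assumption: claus.hansen exists)
try {
    Set-ADUser -Identity 'claus.hansen' -Replace @{ engineSize = '2.0' }
} catch {
    "Schema rejected the write: $($_.Exception.Message)"
}
```

Read-only queries against the schema partition need no special rights; only changes require Schema Admins membership and the schema master.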

Organizational Units
An OU is a container object in a domain that you
can use to consolidate users, groups, computers,
and other objects. You can use OUs to organize
hundreds of thousands of directory objects into
manageable units. OUs are useful in grouping and
organizing objects for administrative purposes,
such as delegating administrative rights and
assigning policies to a collection of objects as a
single unit.
There are two reasons to create OUs:

Delegate administrative control of objects within the OU. You can assign management permissions on an
OU, thereby delegating control of that OU to a user or group in AD DS other than the administrator.

Configure objects that are contained within the OU. You can link GPOs to the OU, and the settings apply
to all user and computer objects within the OU.

Note: An OU is very important for delegation. However, you have a lot of possibilities for
GPOs: you can use security filtering, Windows Management Instrumentation (WMI) filters, sites,
domains, and OUs. An OU is not the smallest scope to apply a GPO. If you want GPOs applied to

a small subset of objects, you usually use security filtering and link the GPO as high as
appropriate.


OUs should match the administrative model in your organization. This is very important because OUs are
the unit on which a delegation model for administrative tasks is implemented. Avoid creating OUs based
on departments, cost centers, or other business-related units that are likely to change.
The OU structure is a technical view for administrators; users do not see it. So although you should avoid
unnecessary OU moves, moving an object between OUs does not change what users see, and administrative
tasks can still be fulfilled after a move.
For example, if you have a central administrator who is creating users, some server administrators who are
installing servers, project managers who grant rights to their project resources, some site administrators
who are maintaining some resource groups, and a telephone administrator who is managing the Voice
over Internet Protocol (VoIP) infrastructure, then these are functional structures that have to be
considered when you design your OU structure.
Every AD DS domain contains a standard set of containers and OUs that are created when you install AD
DS. These include the following:

Domain container. Serves as the root container of the hierarchy.

Builtin container. Holds the default built-in groups, such as Administrators, Account Operators, and
Server Operators.

Users container. The default location for new user accounts and groups that are created in the
domain.

Computers container. The default location for new computer accounts that are created in the
domain.

Domain Controllers OU. The default location for the computer accounts of domain controllers. This is
the only one of the defaults that is an OU; GPOs cannot be linked to the containers above, which is one
reason to move new user and computer accounts into OUs that you create.

Implementing Organizational Units


AD DS OUs are used to create a hierarchical
structure in a domain. An organizational hierarchy
should logically represent an organizational
structure. That organization could be based on
geographic, functional, resource-based, or user
classifications. Whatever the order, the hierarchy
should make it possible to administer AD DS
resources as flexibly and effectively as possible.
For example, if all the computers that are used by
information technology (IT) administrators must
be configured in a certain way, you can group all
the computers in an OU and assign a policy to
manage the computers in the OU.
OU Hierarchical Models
Organizations can deploy OU hierarchies by using several different models, such as the following:

Geographic OUs. If the organization has multiple locations and network management is distributed
geographically, you should use a location-based hierarchy. For example, you might decide to create
OUs for New York, Toronto, and Miami in a single domain.

Departmental OUs. A departmental OU is based only on the organization's business functions, without
regard to geographical location or divisional barriers. You should avoid creating OUs based on
departments, cost centers, or other business-related units that are likely to change or have users
switching departments. However, this approach can work for small organizations that have a single
location.

Resource OUs. Resource OUs are used to manage resource objects (non-users such as client
computers, servers, or printers). This design is most useful when all resources of a given type are
managed in the same manner. Resource-based OUs can simplify software installations or printer
selections based on Group Policies.

Management-based OUs. Management-based OUs reflect the various administrative divisions within
the organization by mirroring its structure in the OU structure. For example, users and groups can be
organized into nested departmental OUs. These OUs can then be delegated to the managers of those
departments.

The main factor for designing OUs must be ease of management. If the OUs are too large and the
management structure does not meet the requirements, consider creating OUs that combine the models.
For example, add geographical (site or country/region administrators), departmental (departmental
administrators), or resource (virtual machine, server, or desktop administrators, project managers, or
Microsoft SharePoint site owners) levels to the hierarchy.

The final OU design should represent how the business will be administered. Delegation of authority,
separation of administrative duties, central versus distributed administration, and design flexibility are
important factors to consider when you design the OU structure and the Group Policy that is linked to it.
Question: Describe a scenario in which you would use a domain to organize a network.
Describe a scenario in which you would use an OU to organize a network.

Demonstration: How to Manage Organizational Units

In this demonstration, you will see how to access Active Directory Administrative Center, locate OUs and
users, and move a user to a different OU.

Demonstration Steps
1. Access the Active Directory Administrative Center.
2. Move Claus Hansen from the Users container to the Sales OU.
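The demonstration is done in the graphical console; the following script is an added example (not part of the course) that does the same thing with the ActiveDirectory module and adds the delegation step that the OU was created for. It assumes the course domain adatum.com with NetBIOS name ADATUM and the user Claus Hansen; the OU names Corp, Accounts, Sales, Servers and the group HelpDesk-Sales are invented for the example.

```powershell
# Added example: build a function-based OU structure, move a user into it, delegate one task,
# and review what is delegated. Not from the course; names below are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=adatum,DC=com

# OUs per administrative function, not per department (departments change, admin teams less so).
$ous = @(
    @{ Name = 'Corp';     Path = $domainDN;                        Description = 'Root of the managed hierarchy' },
    @{ Name = 'Accounts'; Path = "OU=Corp,$domainDN";              Description = 'User accounts, managed by central admins' },
    @{ Name = 'Sales';    Path = "OU=Accounts,OU=Corp,$domainDN";  Description = 'Sales users' },
    @{ Name = 'Servers';  Path = "OU=Corp,$domainDN";              Description = 'Member servers, managed by server admins' }
)
foreach ($ou in $ous) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou.Name))" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        # ProtectedFromAccidentalDeletion defaults to $true for New-ADOrganizationalUnit.
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -Description $ou.Description
    }
}
$salesOU = "OU=Sales,OU=Accounts,OU=Corp,$domainDN"

# Demonstration step 2, scripted: move Claus Hansen from the Users container to the Sales OU.
$user = Get-ADUser -Filter "Name -eq 'Claus Hansen'"
if ($null -eq $user) { throw 'User "Claus Hansen" not found' }
Move-ADObject -Identity $user.DistinguishedName -TargetPath $salesOU

# Delegation: let a help-desk group reset passwords on user objects in the Sales OU only.
# dsacls.exe ships with Windows; /I:S applies the ACE to child objects (here: user objects).
New-ADGroup -Name 'HelpDesk-Sales' -GroupScope Global -GroupCategory Security `
    -Path "OU=Accounts,OU=Corp,$domainDN" -ErrorAction SilentlyContinue
dsacls.exe $salesOU /I:S /G "ADATUM\HelpDesk-Sales:CA;Reset Password;user" | Out-Null

# Review: explicit (non-inherited) ACEs on the OU for trustees other than the defaults.
(Get-Acl -Path "AD:\$salesOU").Access |
    Where-Object { -not $_.IsInherited -and
                   $_.IdentityReference -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|Administrators|Account Operators' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

The review step is the part to keep running periodically: delegation that was granted once and forgotten is how an OU quietly accumulates more privilege than the administrative model intended.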

Lesson 2

Implementing AD DS


To implement AD DS, you must deploy domain controllers. Understanding where and how to create
domain controllers to optimize the network infrastructure is important to make sure that you optimize AD
DS.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the role of a domain controller.

Describe when to use read-only domain controllers (RODCs).

Explain AD DS sites and replication.

Configure DNS to support AD DS functions.

What Is a Domain Controller?


AD DS is provided by one or (preferably) multiple domain controllers per domain. When you promote a
domain controller, you can add it to an existing domain, create a new domain in an existing forest, or
create a new forest.
Domain controllers provide the following functions on the network:

Provide authentication and authorization. Domain controllers store the domain accounts database and
provide authentication and authorization services.

Host operations master roles (optional). These roles were formerly known as flexible single master
operations (FSMO) roles. There are five operations master roles: two forest-wide roles (schema master
and domain naming master) and three domain-wide roles (RID master, PDC emulator, and infrastructure
master). You can transfer these roles to other domain controllers as you need.

Host the Global Catalog (optional). You can designate any domain controller as a Global Catalog
server.

Note: The Global Catalog server is a domain controller that holds, in addition to the
domain information, some partial information about every object in every other domain in the
forest. It is optimized for cross-domain searches.

Support group policies and the System Volume (SYSVOL). By using Group Policies, you can specify
configuration for collections of users, groups, or computers by linking GPOs that contain
configuration instructions to OUs. Group Policies consist of Group Policy containers, stored in AD DS,
and Group Policy templates, stored in the SYSVOL folder in the file system of all domain controllers.

Provide consistent data throughout the organization. AD DS is a distributed directory service.
Objects such as users, computers, OUs, and services are distributed across all domain controllers in
the domain (a partial attribute set of every object is also distributed to all DCs in the forest that are
Global Catalog servers), and can be updated on any writable domain controller in the domain. Objects
in a domain partition can be updated only through a DC of that domain. When an application tries to
change them through a DC of another domain, it receives a referral to a DC of the domain where the
object resides.

Note: Domain controllers in a forest share a common schema, a common Global Catalog,
and a common forest root domain.
Installing a DC in Windows Server 2012 is effectively a two-step process that can be broken down as
follows:
1. Install AD DS in the Add Roles and Features Wizard in Server Manager.

2. Run the Active Directory Domain Services Configuration Wizard in Server Manager to promote the
server to a domain controller.

You can install multiple DCs remotely with the remote multi-server management capabilities present in
Server Manager in Windows Server 2012.
You can also use the Install-ADDSDomainController Windows PowerShell cmdlet to automate the
installation. This cmdlet can be used remotely and across multiple computers.

Finally, before Windows Server 2012, a command-line tool named Active Directory Installation Wizard
(Dcpromo.exe) could be used to install DCs. This tool was deprecated in Windows Server 2012. However,
it can still be used to automate the installation when there are many parameters or an input file is
preferred.

What Is a Read-Only Domain Controller?


A read-only domain controller (RODC) holds a read-only copy of the Active Directory domain. With an
RODC, organizations can deploy a domain controller in locations where physical security cannot be
guaranteed, such as a remote office or a perimeter network, and where IT support services are often
less advanced than in the main corporate data centers. An RODC can also function as a Global Catalog
server.

An organization deploys an RODC to address the combination of limited wide area network (WAN)
bandwidth and poor physical security for computers. If the WAN link is not a constraint, there is no
need for a local DC at all. If good physical security exists, a writable DC can be used and there is no
need for an RODC. Both conditions should therefore be met before you consider an RODC as the
solution.
As a result, users in this situation can benefit from:

Improved security.

Faster logon times.

More efficient access to resources on the network.

Be aware that applications that must run on a DC typically will not be compatible with RODCs.

The main RODC features are as follows:

Read-only Active Directory database. Except for certain secrets, an RODC holds all the Active
Directory objects and attributes that a writable domain controller holds. However, changes cannot be
made to the replica that is stored on the RODC; changes must be made on a writable domain controller
and replicated to the RODC. The RODC does not store account passwords (other than those its password
replication policy allows) or attributes in the RODC filtered attribute set, such as BitLocker recovery
information.

Unidirectional replication. Writable domain controllers never pull changes from an RODC. Even if an
RODC is compromised and its data is altered, the changes do not replicate out; the damage is contained
to the clients that use that RODC.

Credential caching. Credential caching is the storage of user or computer credentials on the RODC. By
default, RODCs do not store or cache user or computer passwords. The exceptions are the RODC's own
computer account password and the RODC's own krbtgt account. Rather than enabling caching
wholesale, you use the password replication policy (PRP) to allow password replication for a defined
subset of accounts, typically the users and computers of that branch; members of the Denied RODC
Password Replication Group, which includes the privileged domain groups, are never cached. In
addition, like any Windows computer, an RODC keeps cached domain credentials for the last 10
interactive logons by default, so it is best practice not to log on locally to an RODC with accounts that
have higher rights.

Administrative role separation. You can delegate the local administrator role of an RODC to any
domain user without granting that user any rights for the domain or other domain controllers. This
enables a local branch user to log on to an RODC and perform maintenance work on the server, such
as upgrading a driver, but does not give the branch user the ability to log on to any other domain
controller or perform any other administrative task in the domain.

Read-only Domain Name System. You can install the DNS Server service on an RODC. An RODC can
replicate all application directory partitions that DNS uses. If the DNS server is installed on an RODC,
clients can query it for name resolution as they would query any other DNS server. An RODC
effectively behaves like a DNS server hosting a secondary zone; that is, it does not accept changes but
instead refers update requests to writable domain controllers that host the DNS zones.

Delegated two-stage promotion of an RODC. Where no domain controllers exist in a remote office, you
can delegate the RODC promotion to any domain user. The first stage requires Domain Admins
privileges to pre-create the RODC account in AD DS and name the delegated user; the second stage is
performed by that delegated user, who does not need Domain Admins privileges. This means a Domain
Admin does not have to log on to a server in the remote office to complete the installation, which
reduces risk.

Question: In your work environment, do you have scenarios where an RODC could be used?
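Two-stage promotion and the password replication policy are where most of the RODC's security value comes from, and both are scriptable. The following is an added example, not part of the course; it assumes the course domain adatum.com, and the site name Branch1, the server name BR1-RODC, the accounts ADATUM\BranchAdmin and the groups Branch1-CacheAllowed and Tier0-Admins are all invented for the example.

```powershell
# Added example: two-stage RODC deployment plus password replication policy (PRP) checks.
# Not from the course; site, server, account and group names are assumptions.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Stage 1 (run by a Domain Admin at the data center): pre-create the RODC account in AD DS
# and name the branch user who is allowed to finish the promotion.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'BR1-RODC' `
    -DomainName 'adatum.com' -SiteName 'Branch1' `
    -DelegatedAdministratorAccountName 'ADATUM\BranchAdmin' `
    -InstallDns:$true

# Stage 2 (run by BranchAdmin on the branch server itself; no Domain Admins rights needed):
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#   Install-ADDSDomainController -DomainName adatum.com -UseExistingAccount `
#       -Credential (Get-Credential 'ADATUM\BranchAdmin') `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# PRP: allow the RODC to cache only the branch's own users and computers.
New-ADGroup -Name 'Branch1-CacheAllowed' -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'BR1-RODC' -AllowedList 'Branch1-CacheAllowed'

# Built-in privileged groups are denied by default via 'Denied RODC Password Replication Group';
# explicitly deny the organization's own admin group as well (assumption: Tier0-Admins exists).
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'BR1-RODC' -DeniedList 'Tier0-Admins'

# Verify the policy as stored in the directory.
"Allowed:"; Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BR1-RODC' -Allowed | Select-Object -ExpandProperty Name
"Denied:";  Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BR1-RODC' -Denied  | Select-Object -ExpandProperty Name

# The real check: which secrets does the RODC actually hold right now? If the RODC is stolen,
# this list is what the attacker gets. Flag anything that looks privileged (naming convention assumed).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'BR1-RODC' -RevealedAccounts
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize
$revealed | Where-Object { $_.Name -like 'adm.*' } |
    ForEach-Object { Write-Warning "Privileged secret cached on RODC: $($_.Name)" }
```

The -AuthenticatedAccounts switch of the same usage cmdlet lists accounts that have authenticated through the RODC without being cached, which is the input for deciding what belongs in the allowed group.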

AD DS Sites and Replication


Sites
In AD DS, sites are used to represent the physical
network in a logical way so that domain
controllers can optimize traffic, depending on the
underlying network infrastructure. Sites usually
align with the parts of the network that have good
connectivity or bandwidth. For example, if a
branch office is connected to the main data center
by an unreliable wide area network (WAN) link, it
would be better to define the data center and the
branch office as separate sites in AD DS. The site
configuration applies to all DCs across all domains
in a forest. AD DS replication is automatically optimized for intra-site and inter-site replication.
Sites can be configured and managed through the Active Directory Sites and Services management
console. This console can be accessed in Server Manager under the Tools menu.

Note: Domain controllers use sites to build the replication topology and to decide which
DCs should serve which clients. Clients use sites to locate services, such as domain controllers
and Global Catalog servers, that are close to them. Additional services, such as DFS, also rely on
the site configuration.
Replication


AD DS replication is how changes to directory data are transferred between domain controllers in the
forest. The AD DS replication model defines the mechanisms that enable directory updates to be
transferred automatically between domain controllers to provide a seamless replication solution for the
AD DS distributed directory service.

AD DS data is divided into partitions. Every forest has a schema partition and a configuration partition,
each domain has a domain partition, and by default there are also the DomainDnsZones application
partition per domain and the ForestDnsZones application partition per forest; administrators can create
further application partitions. It is the domain partition that contains the data that changes most
frequently, and this information makes up the bulk of AD DS replication data.
Active Directory Site Links

A site link describes a WAN connection between sites so that domain controllers can decide the best
replication strategy across site boundaries. Although you can use the default site link
(DEFAULTIPSITELINK) that AD DS creates, in most scenarios we recommend that you create additional site
links as your needs dictate. You can configure the cost, schedule, and replication interval of a site link to
determine the preference and availability of the replication path.
When two sites are connected by a site link, the Knowledge Consistency Checker (KCC) automatically
creates connection objects between specific domain controllers in each site. The domain controllers that
are selected to replicate across the link on behalf of their site are called bridgehead servers.
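The following script is an added example, not part of the course, that models the data center and branch office scenario from this topic: it names the default site, creates a branch site, maps subnets to sites, connects the sites with a site link, and then checks what the KCC built and whether replication is succeeding. It assumes the course domain adatum.com, that the default site still has its default name, and invents the site name Branch1 and the subnets.

```powershell
# Added example: sites, subnets, a site link, and a replication health check.
# Not from the course; site names and subnets are assumptions.
Import-Module ActiveDirectory

# Give the default site a meaningful name (it becomes the data center site).
$defaultSite = Get-ADReplicationSite -Identity 'Default-First-Site-Name'
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName 'Datacenter'

# Branch site behind an unreliable WAN link.
New-ADReplicationSite -Name 'Branch1' -Description 'Branch office, unreliable WAN'

# Subnet-to-site mapping is what lets a client (and a new DC) work out which site it is in.
# A subnet that is mapped to the wrong site sends clients across the WAN for authentication.
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Datacenter'
New-ADReplicationSubnet -Name '10.20.5.0/24' -Site 'Branch1'

# The WAN link: cost steers route selection when several paths exist, the interval is how often
# inter-site replication runs (15 minutes minimum; 60 here to spare the link).
New-ADReplicationSiteLink -Name 'Datacenter-Branch1' -SitesIncluded 'Datacenter', 'Branch1' `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Once every site is on an explicitly named link, the default link only causes confusion.
# Remove it only after confirming no site depends on it.
$default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ErrorAction SilentlyContinue
if ($default -and $default.SitesIncluded.Count -le 1) {
    Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false
}

# What the KCC built: connection objects show which DCs act as bridgeheads across the link.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-Table -AutoSize

# Is replication actually working? Consecutive failures on an inter-site partner usually mean
# the site link schedule, a firewall, or DNS between sites is wrong.
Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

Get-ADReplicationSite, New-ADReplicationSubnet and the other cmdlets above write to the configuration partition, so the result is visible on every DC in the forest after replication, which is the point of the "site configuration applies to all DCs across all domains" statement above.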

Configuring DNS for AD DS


Installing DNS
AD DS requires DNS. By default, the DNS server
role is not installed on Windows Server 2012. Like
other functionality, it is added in a role-based
manner when a server is configured to perform
the role.
You can install the DNS server role by using the
Add Roles and Features link in Server Manager.
The DNS server role can also be added
automatically by the Active Directory Domain
Services Configuration Wizard while you are
creating forests, domains, or domain controllers
on the Domain Controller Options page.
Configuring DNS Zones


After you install a DNS server, you can start adding zones to the server. If the DNS server is a domain
controller, you can choose to store the zone data in AD DS, which creates an Active Directory Integrated
Zone. If you do not select this option, the zone data is stored in a file on the server instead of in AD DS.
The main benefits of configuring DNS zones as Active Directory Integrated Zones are as follows:

Multi-master DNS. Active Directory Integrated Zones can be written to by any DC to which the zone is
replicated, unlike standard primary zones, which can be changed only on a single primary server. This
removes a single point of failure in the DNS infrastructure. Because the records are AD DS objects,
Active Directory Integrated Zones also allow for more fine-grained security, down to permissions on
individual records.

Secure dynamic update. When you create a zone, you are also prompted to specify whether
dynamic updates are supported. Dynamic updates reduce the management overhead of a zone,
because clients can add, delete, and update their own resource records. Dynamic updates leave open
the possibility that a resource record could be spoofed. For example, a computer could register a
record named www, effectively redirecting traffic from your web server to the wrong address.

To eliminate this possibility, the Windows DNS Server service supports secure dynamic updates. A client
must authenticate before updating its resource records, and a record can be changed only by the
computer that created it (the owner of the record object). Secure dynamic updates work in Active
Directory Integrated Zones only; file-based zones can accept either no dynamic updates or nonsecure
ones.

Integrated replication of DNS information. An enterprise should make sure that every zone can be
resolved by at least two DNS servers. If the zone is AD DS integrated, you can add the DNS Server
role to another domain controller in the same domain as the first DNS server, and the DNS data
replicates to the new DNS server automatically, as part of AD DS replication.

If the zone is not AD DS integrated, you must add another DNS server and configure it to host a
secondary zone. Remember that a secondary zone is a read-only copy of the primary zone.

In summary, the main benefits are that you do not need zone transfers, you can secure dynamic updates
and individual records, you can have multiple masters, and the proven AD DS replication engine keeps
the zones across DNS servers in sync.
SRV Records


A Service (SRV) Locator resource record resolves a query for a network service. This enables clients or
servers to locate a host that provides a specific service. SRV records are used in many scenarios. This
includes the following:

When a domain controller has to replicate changes from its partners

When a client computer has to authenticate to AD DS

When a user changes their password

When an Exchange server performs a directory lookup

When an administrator opens the Active Directory Users and Computers console or another
administrative console. (The Active Directory Administrative Center talks to the DC over Active
Directory Web Services rather than LDAP, but it still locates that DC through the same DNS records.)

An SRV record uses the following syntax.

SRV record syntax and example
_service._protocol.name  TTL  class  type  priority  weight  port  target
_ldap._tcp.adatum.com    600  IN     SRV   0         100     389   lon-dc1.adatum.com

The components of the above record are:

The service and protocol name, such as the Lightweight Directory Access Protocol (LDAP) service over
TCP that is offered by a domain controller. Both labels start with an underscore, and the name is the
DNS domain (or a subdomain such as _msdcs.adatum.com) in which the service is registered.

The Time to Live (TTL) value, in seconds.

The class (all records in a Windows DNS server are of class IN, Internet).

The type, which is SRV.

The priority and weight. The client prefers the record with the lowest priority value, and uses the
weight to load-balance between records of equal priority.

The port on which the service is offered by the server. Port 389 is the standard port for LDAP on a
Windows domain controller.

The target, or host of the service, which in this case is the domain controller named lon-dc1.adatum.com.

When a client process is looking for a domain controller, it queries DNS for the LDAP SRV records of the
domain. The query returns both the SRV records and, in the additional section of the response, the A
records of the servers that provide the requested service.
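The following is an added example, not part of the course, that puts the two DNS topics above together: it creates an Active Directory Integrated Zone that accepts only secure dynamic updates, audits the existing zones for the weaker settings, and then issues the SRV queries that a client uses to find a domain controller. It assumes the course domain adatum.com, that the script runs on a domain controller with the DNS Server role and the DnsServer module, and invents the zone name corp.adatum.com.

```powershell
# Added example: AD-integrated zone with secure dynamic update, a zone audit, and DC locator queries.
# Not from the course; runs on a DC that is also a DNS server. corp.adatum.com is an assumption.
Import-Module DnsServer
Import-Module ActiveDirectory

# AD-integrated zone, replicated to every DC in the domain (DomainDnsZones partition).
# DynamicUpdate 'Secure' = only authenticated clients may register, and only the owner may change a record.
Add-DnsServerPrimaryZone -Name 'corp.adatum.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Audit: a primary zone that accepts nonsecure updates lets any host on the network register 'www';
# a file-based zone cannot use secure updates at all.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
    ForEach-Object {
        if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
            Write-Warning "$($_.ZoneName): accepts unauthenticated dynamic updates (spoofable)"
        }
        if (-not $_.IsDsIntegrated) {
            Write-Warning "$($_.ZoneName): file-based zone, secure dynamic update not available"
        }
        $_
    } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope |
    Format-Table -AutoSize

# Remediate a zone that was created with the weak setting.
Set-DnsServerPrimaryZone -Name 'corp.adatum.com' -DynamicUpdate 'Secure'

# DC locator, as a client does it: the generic record, the site-specific record for the client's own
# site, and the Kerberos record. Each answer carries priority, weight, port and target.
$site = (Get-ADDomainController -Discover).Site
$queries = @(
    '_ldap._tcp.dc._msdcs.adatum.com',
    "_ldap._tcp.$site._sites.dc._msdcs.adatum.com",
    '_kerberos._tcp.adatum.com'
)
foreach ($q in $queries) {
    Resolve-DnsName -Name $q -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{ n = 'Query'; e = { $q } }, NameTarget, Port, Priority, Weight |
        Format-Table -AutoSize
}
```

If the site-specific query returns nothing, clients in that site fall back to the generic record and may authenticate against a DC across the WAN; that is usually a missing subnet-to-site mapping rather than a DNS fault.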

Windows PowerShell Support for AD DS


Windows Server 2012 has much more Windows
PowerShell functionality for both deployment and
administration of Active Directory. Windows
PowerShell is very tightly aligned with Windows
Server 2012 and Active Directory. Some of the
main uses and applications are as follows:

Active Directory Administrative Center.


This management console is based on
Windows PowerShell and has a History viewer
at the bottom of the console. The History
Viewer displays equivalent Windows
PowerShell commands for commands that are


executed in the GUI. The commands can then be copied and used to automate daily repetitive tasks.

Active Directory Domain Services Configuration wizard. Within the AD DS Configuration wizard,
you can create a file that contains all the configuration settings that are designated in the wizard. For
example, DC install options, DNS options, and database locations. This lets you run through the
wizard, specify the settings that are required, export the text file that contains the configuration
settings, and then exit the wizard without running it, thus providing a configuration file that can be
used for deployment. The configuration file would have to be tested before it is used in a production
environment. However, this would save time when you try to automate a setup.

Windows PowerShell has more than 10 cmdlets specific to install and uninstall contained within the
ADDSDeployment module. This includes forests and domain controller installation, and a series of Test
cmdlets that let you verify the prerequisites in your environment before you deploy or remove elements
of your infrastructure. This is very useful in remote scenarios.
For administrative tasks, there are well over 50 cmdlets contained within the ActiveDirectory module.
These cmdlets cover a large range of tasks. This includes user, group, computer, and object creation and
management; configuring password policies; site management and replication; and domain and forest
management. For a list of Active Directory Windows PowerShell commands in the Windows PowerShell
console, type Get-Command -Module ActiveDirectory (or get-help *-AD* for the help topics).

The first step is to deploy the Active Directory Domain Services (AD DS) server role, and again you can do
this through the Add Roles and Features Wizard in Server Manager or by using Windows PowerShell with
the following command (-IncludeManagementTools also installs the AD DS consoles and the
ActiveDirectory module).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

After installation, the files that are required to perform the role are available on the server, but the
server is not yet running as a domain controller. The next step is to promote the server to a domain
controller. If you open the notifications in Server Manager, you will find a message asking you to
Promote this server to a domain controller; the AD DS management console in Server Manager shows a
similar message. Clicking the message opens the Active Directory Domain Services Configuration
Wizard. It is here that the information outlined earlier is required.

As mentioned earlier, you can also promote a server to a domain controller by using Windows PowerShell
and the following command, when joining an existing domain. (There are many other parameters that are
not included in the following example.) The SafeModeAdministratorPassword parameter takes a
SecureString; the example converts the course's sample password for readability, but in production read
it with Read-Host -AsSecureString rather than placing it in a script. The server restarts automatically when
the command completes unless you specify -NoRebootOnCompletion.
Install-ADDSDomainController -DomainName adatum.com -SafeModeAdministratorPassword (ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force)
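The two-step procedure described in this lesson (install the role, then promote) can be scripted end to end, including the prerequisite check the ADDSDeployment module provides. The following is an added example, not part of the course, for adding a DC to the existing domain adatum.com; the site name Datacenter and the D: drive paths are assumptions, and secrets are prompted for rather than embedded.

```powershell
# Added example: scripted domain controller deployment for an existing domain.
# Not from the course; site name and paths are assumptions. Run elevated on the future DC.

# Step 1: install the role binaries and the management tools.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw "Role installation failed (exit code $($feature.ExitCode))" }

Import-Module ADDSDeployment

# Never store the DSRM password or admin credentials in the script; ask for them at run time.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$cred = Get-Credential -Message 'Account allowed to add a DC to adatum.com (Domain Admins)'

# One parameter set, used for both the test and the real promotion.
$params = @{
    DomainName                    = 'adatum.com'
    SiteName                      = 'Datacenter'    # assumption: the site exists
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'D:\NTDS'       # assumption: keep the database off the system volume
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
}

# Step 2a: prerequisite check. Status is 'Success' when every check passes; the Message lists
# the findings (unsupported OS, DNS problems, missing permissions, and so on).
$test = Test-ADDSDomainControllerInstallation @params
$test | Select-Object Status, Message | Format-List
if ($test.Status -ne 'Success') {
    throw 'Prerequisite check did not pass; fix the reported issues before promoting.'
}

# Step 2b: promote. -Force suppresses the confirmation prompt; the server reboots on completion.
Install-ADDSDomainController @params -Force
```

Because Install-ADDSDomainController accepts -Credential, the same script can be run against several servers with Invoke-Command, which is the remote multi-server scenario mentioned earlier in this lesson.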

Some other useful Windows PowerShell commands are listed below.

Get-Command -Module ADDSDeployment. Displays the cmdlets for the ADDSDeployment module.

Get-Command -Module ActiveDirectory. Displays the cmdlets for the ActiveDirectory module.

Get-ADDomain. Displays high-level domain information.

More information about Windows PowerShell AD DS deployment cmdlets can be found at


the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309116

More information about Windows PowerShell AD DS administration cmdlets can be found at


the following webpage:

http://go.microsoft.com/fwlink/?LinkID=309117


Lesson 3

Managing Users, Groups, and Computers

MCT USE ONLY. STUDENT USE PROHIBITED

7-18 Implementing Active Directory

One of your functions as an AD DS administrator is to manage user, group, and computer accounts. These
accounts are AD DS objects that people use to log on to the network and access resources. In this lesson,
you will learn about how to change user, group, and computer accounts in an AD DS domain.

Lesson Objectives
After completing this lesson, you will be able to:

Describe user accounts.

Describe groups.

Explain when to nest groups.

List the default built-in groups.

Describe a computer account.

Provide best practices for user, group, and computer management.

What Are User Accounts?


In AD DS, all users that require access to network
resources must be configured to have a user
account. With this user account, users can be
authenticated to the AD DS domain and granted
access to network resources.

A user account is an object that contains all the information that defines a user. The account can be
either a local or a domain account. A user account includes the user name and password and can
contain other organizational or infrastructure information such as department, telephone numbers,
manager (which can be used to browse hierarchically through the organization), home directory, and
where the profile is stored. Users can be members of groups, and typically access to resources is granted
to groups rather than to individuals. A user account also contains many other settings that you can
configure based on your organizational requirements. A user account enables a user to log on to
computers and domains with an identity that can be authenticated by the domain.
With a user account, you can do the following:

Allow or deny users to log on to a computer based on their user account identity.

Grant users access to processes and services for a specific security context.

Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.

The Users container located in Active Directory Users and Computers has two built-in user accounts:
Administrator and Guest. These built-in user accounts are created automatically when you create the
domain.


To maximize security, you should avoid having multiple users share one account. Each user who logs on
to the network should have a unique user account and password, so that actions can be traced to a
person and a compromised password affects only one identity.

When you create a user account, you must provide a user logon name. The pre-Windows 2000 logon
name (sAMAccountName) must be unique in the domain, and the user principal name (UPN) must be
unique in the forest. If you create user accounts for administrative purposes, we recommend that you
keep them separate from the regular user account that is used to read email messages and surf the web;
this does not change the rule that each person needs individual accounts.

What Are Groups?


A group is a collection of user accounts, computer
accounts, contacts, and other groups that you can
manage and use to grant access to resources as a
single unit. There are several common reasons for
creating groups in AD DS. These are as follows:

Granting permissions. Instead of assigning several user accounts the same permissions on the same
resource, you can create a group, add the users as members, and grant the group permissions on the
resource.

Assigning rights. When a user must have administrative control of a resource, such as a server, it is
better to add the user to a management group that you created for that purpose. Then, if the user
changes job functions within your organization, you can remove the user from the group, which
removes the assigned rights on the server without the need to change permissions.

Distributing email. When users want to send email messages to multiple users, you can create
specialized groups to make the process easier.

Delegation. Groups are frequently used to delegate administration. For example, if you allow
someone to grant contributor and owner rights in SharePoint, that user has more rights than
intended, because the user can delegate anything in the site. Therefore, administrators frequently
create groups per SharePoint site, network share, or other application, and grant the site or
application owners only the right to manage the membership of those pre-created groups, instead of
managing permissions in the application itself. The same applies to the self-management of groups
or project groups.

Objects that belong to a particular group are known as group members.


Group Types
There are two kinds of groups in AD DS: security groups and distribution groups.

Security Groups. You create security groups to consolidate objects to which you want to assign
permissions or rights. These groups have associated security identifiers (SIDs). You can also use
security groups for distribution purposes in an email application, such as Exchange Server Distribution
Groups.

Distribution Groups. You can use distribution groups only with email applications, such as Exchange
Server, to send email to multiple users. Distribution groups are not security-enabled. That means
distribution groups cannot be assigned permissions on resources or objects in AD DS. In smaller
organizations, it is usually unnecessary to create distribution groups because security groups can be
email-enabled. However, in larger organizations, the separation of distribution and security groups
enables you to separate the administration of the email system and AD DS.

Group Scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that
identifies the extent to which the group is applied in the domain tree or forest. There are three group
scopes:


Domain local. Domain local groups can contain members from any domain in the forest but can only
be granted permissions and assigned rights on objects in the local domain. In other words, the
group's abilities are localized.

Global. Global groups can contain members only from the local domain, but can be granted
permissions or assigned rights anywhere in the forest. In other words, the group's abilities are global.

Universal. A universal group can contain members from anywhere in the forest and can be granted
permissions and assigned rights anywhere in the forest. In other words, the group's abilities and
membership are universal. Another important characteristic of a universal group is that the
membership list is maintained in the Global Catalog. Therefore, you can only email-enable universal
groups in Exchange Server.
Question: Describe a situation where you would use a distribution group instead of a
security group.

Nesting Groups
When you use nesting, you add a group as a member of another group. You can use nesting to combine
group management. Nesting increases the member accounts that are affected by a single action, and
reduces replication traffic caused by the replication of changes in group membership. The following are
best practices for nesting groups:

1. Add user accounts into global groups.

2. Add the global group to a domain local group.

3. Assign permissions or user rights assignments to the domain local group.

You can remember this process with the AGDLP mnemonic: user accounts are members of global groups,
global groups are members of domain local groups, and domain local groups describe permissions or
user rights assignments. The AGDLP mnemonic stands for account, global, domain local, and permissions.
For organizations where permissions to groups should be assigned across various domains in the same
forest, consider adding global groups to universal groups:
1. Add user accounts into global groups.

2. Add the global group to an appropriate universal group.

3. Add the universal group to the domain local group.

4. Assign permissions or user rights assignments to the domain local group.

You can remember this process with the AGUDLP mnemonic: account, global, universal, domain local,
and permission.
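The AGDLP chain above, carried out with the Active Directory module, as an added example that is not part of the course. It assumes the domain adatum.com, an OU named Sales that holds the groups, a local folder D:\Shares\SalesData that backs a file share, an existing user ChristianK, and RSAT installed on the machine running it; those names are assumptions, not values from the course.

```powershell
# Added example, not part of the course: the AGDLP pattern for one file share.
# Assumptions: domain adatum.com, an OU "OU=Sales,DC=adatum,DC=com" for the groups,
# a folder D:\Shares\SalesData on the server running this, an existing user ChristianK,
# and the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupOu   = "OU=Sales,$($domain.DistinguishedName)"   # assumed OU
$shareRoot = 'D:\Shares\SalesData'                      # assumed folder

# A -> G: accounts go into a global group that names a role ("who").
$role = New-ADGroup -Name 'Sales Users' -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description 'Members of the Sales department' -PassThru

# DL: a domain local group names one access level on one resource ("what").
$access = New-ADGroup -Name 'SalesData Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description 'Modify on D:\Shares\SalesData' -PassThru

# G -> DL: nest the role group in the resource group.
Add-ADGroupMember -Identity $access -Members $role

# P: the permission is granted once, to the domain local group only.
$acl  = Get-Acl -Path $shareRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$($domain.NetBIOSName)\$($access.SamAccountName)",   # DOMAIN\group
    'Modify',                                              # FileSystemRights
    'ContainerInherit, ObjectInherit',                     # apply to subfolders and files
    'None',                                                # PropagationFlags
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $shareRoot -AclObject $acl

# Day-to-day administration touches only the role group; the ACL on the share never changes.
Add-ADGroupMember -Identity $role -Members 'ChristianK'     # assumed existing user
# Remove-ADGroupMember -Identity $role -Members 'ChristianK' -Confirm:$false   # when the job changes

# Verify the chain: -Recursive expands nesting, so this lists who effectively has Modify.
Get-ADGroupMember -Identity $access -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The point of the two groups is that the ACL on the resource is written once and then left alone; membership changes happen in the global group, which is also where the AGUDLP variant would insert a universal group when the role group lives in another domain of the forest.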

Default Built-in Groups


In both domains and stand-alone workgroup-based computers, there are built-in groups. These groups
are defined with domain-local scope. You can use the built-in groups to simplify administration. For
example, adding user accounts to the built-in Domain Admins group enables the member user to
perform administration on all domain computers, or adding a user to the Backup Operators group allows
that user to perform backups on domain controllers in the domain.

Note: Keep in mind that some of these built-in groups have powerful pre-assigned rights and
privileges. Although it can be convenient to add users to built-in groups to achieve an administrative
goal, you may be unintentionally assigning more rights and privileges than you intended.


You can move groups in and out of the Builtin container. However, you cannot move the default groups in
this container to another location or to another domain.

If the built-in and system groups are insufficient for your needs, create additional groups as required. The
built-in groups are visible in the Builtin folder under the domain root.
Built-in groups should only be used after their rights are validated, because many Builtin groups carry
more rights than you might intend to grant.
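Because the built-in groups carry pre-assigned rights, the validation the text asks for is worth scripting. The following is an added example written for this page, not course material; it assumes the Active Directory module (RSAT) on a domain-joined machine, and the list of groups to review is a starting point you would adjust.

```powershell
# Added example, not part of the course: report the effective (nested) membership of the
# built-in and default groups that carry powerful rights, so their use can be validated.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Groups that grant broad rights by default; adjust this review list to your own domain.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins',
              'Schema Admins', 'Backup Operators', 'Account Operators',
              'Server Operators', 'Print Operators'

$report = foreach ($name in $privileged) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root domain
    # -Recursive expands nested groups; that flattened list is the effective membership.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
        ForEach-Object {
            [PSCustomObject]@{
                Group           = $name
                User            = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
            }
        }
}

# Finding 1: disabled or stale accounts that still hold rights through one of these groups.
$report |
    Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
    Format-Table -AutoSize

# Finding 2: accounts that appear in more than one privileged group.
$report | Group-Object User | Where-Object Count -gt 1 |
    Select-Object Name, Count, @{ n = 'Groups'; e = { ($_.Group.Group | Sort-Object -Unique) -join ', ' } }

# The built-in groups themselves live in the Builtin container under the domain root.
Get-ADGroup -Filter * -SearchBase "CN=Builtin,$((Get-ADDomain).DistinguishedName)" |
    Select-Object Name, GroupScope
```

Get-ADGroupMember without -Recursive only shows direct members, which is how a user added to a group that is itself a member of Administrators is overlooked; the recursive listing is the one to review.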

Computer Accounts
In AD DS, computers are security principals, just like users. This means that computers must have
accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and
the user must also log on to the domain from a computer that has a valid computer account. If
administrators want to benefit from managing computers and users in AD DS, administrators must join
them to the domain.

Computers access network resources to perform key tasks such as authenticating user logon, obtaining
an IP address, and receiving security policies. To have full access to these network resources, computers
must have valid accounts in AD DS. The two main functions of a computer account are performing
security and management activities.

By default, if you join a computer to a domain, the computer account is created in the Computers
container. In most organizations, some administrators might move the computer accounts to
department-specific OUs so that specific software and operating system configurations can be applied
to the computers. However, many companies instead use geographical information, such as the sites
where the computers reside or are assigned to. It is also common to differentiate between desktops and
portable computers. Using departmental or other organizational aspects that are likely to change
frequently is not recommended.

Some properties for computer accounts in AD DS that could potentially be used are as follows:


The Description property is a common property that is widely used for computer accounts, which
could be used to differentiate between test, development, or email computers such as laptops,
desktop, workstations, or servers. This is displayed in the details pane of Active Directory Users and
Computers, which makes it easy to view.

The Location property is not as widely used but can be used to document the computer's physical
location in the network.

The Managed By property is also not as widely used, but lists the individual responsible for the
computer. This information can be useful when you have a data center with servers for different
departments and you have to perform maintenance on the server. You can call or send email to the
person who is responsible for the server before you perform maintenance on the server.

Account Management Best Practices


Consider the following best practices to help make sure that you manage accounts within your AD DS
forest efficiently.

User Accounts
When planning and implementing user accounts, consider the following points:

Create a user account for every user that has to access your forest. Do not let users share user
accounts.

Implement a naming convention that yields simple-to-remember, unique user names. Consider that the
more users that you have, the more likely there are to be duplicates within your organization.

Create accounts for temporary or contract staff with the same naming convention that you use for
other users. That is, do not use generic account names such as Temp1.

Plan the accounts policy carefully to make sure that it meets the security needs of your organization.
The accounts policy includes password length, password complexity rules, and the maximum
password age for user accounts.

Group Accounts
When planning and implementing groups, consider the following points:

Use the built-in groups where you can to simplify administration.

Nest groups to more efficiently control access to resources in larger organizations.

Avoid assigning permissions and rights directly to user accounts. Use groups to make ongoing
maintenance easier.

Use a group naming convention that identifies the group's role, or the name of a resource and the kind
of access to that resource that the group grants. For example, the Sales global group obviously identifies
users that are in the Sales department, whereas the Printer Managers local group contains users who
have printer management rights.

Computer Accounts

When planning computers, consider the following points:


Limit who can create computer accounts.

Implement a naming convention that helps you identify the role and location of a computer.

Implement the Description properties of computer accounts so that you can differentiate between
computer types and easily view the computer description in Active Directory Users and Computers.
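The computer-account practices above (limit who can create accounts, a naming convention, and the Description, Location and Managed By properties) as an added example written for this page, not part of the course. The OU OU=Workstations,OU=London, the owner account TonyA and the naming pattern are assumptions; LON-CL1 is the lab client used in this module.

```powershell
# Added example, not part of the course: the computer-account practices above, done with the
# ActiveDirectory module. Assumptions: domain adatum.com, a target OU
# "OU=Workstations,OU=London,DC=adatum,DC=com", the lab computer LON-CL1 and lab user TonyA,
# and a naming pattern modelled on the lab's names (LON-DC1, LON-SVR1, LON-CL1).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOu = "OU=Workstations,OU=London,$($domain.DistinguishedName)"   # assumed OU

# 1. Limit who can create computer accounts. By default any authenticated user can join up to
#    ms-DS-MachineAccountQuota (10) computers; 0 leaves joins to accounts that were delegated
#    the right on an OU.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"
Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Computers still sitting in the default Computers container, or without a Description,
#    have not been filed yet.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -Properties Description |
    Where-Object { -not $_.Description } |
    Select-Object Name, DistinguishedName

# 3. Document and file one computer: Description (type), Location (where), ManagedBy (who).
$computer = Get-ADComputer -Identity 'LON-CL1'
Set-ADComputer -Identity $computer `
    -Description 'Laptop - Sales' `
    -Location    'London, floor 2, room 2.14' `
    -ManagedBy   (Get-ADUser -Identity 'TonyA')
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu

# 4. Naming convention check: site prefix, role, number. Anything that does not match is
#    either mis-named or was joined outside the process.
$pattern = '^(LON|NYC)-(DC|SVR|CL)\d+$'
Get-ADComputer -Filter * -SearchBase $domain.DistinguishedName |
    Where-Object { $_.Name -notmatch $pattern } |
    Select-Object Name, DistinguishedName
```

Setting the quota to 0 is the usual way to make "limit who can create computer accounts" hold: joins then succeed only for accounts that have Create Computer objects on the target OU, which is something you grant deliberately.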

Demonstration: How to Manage Accounts


You can manage user, group, and computer accounts by using either Active Directory Users and
Computers or the Active Directory Administrative Center.

In this demonstration, you will see how to use Active Directory Users and Computers to create an account,
add group membership, and delegate control of an OU.

Demonstration Steps

1. Use Active Directory Users and Computers to create a new user named Jeff Hay with a User
Logon Name of Jeffh.

2. Add Jeff Hay to the Domain Admins group.

3. Delegate control of the Sales OU to Jeff Hay.

Lesson 4

Implementing Group Policy


After you have created AD DS users, groups, computer accounts, and an OU structure, the next step is
usually to implement Group Policy. Group Policy and the AD DS infrastructure in Windows Server enable
IT administrators to automate and simplify user and computer management. Administrators can efficiently
implement security settings, enforce IT policies, and distribute software consistently across a given site,
domain, or range of OUs.

Lesson Objectives
After completing this lesson, you will be able to:

Describe GPOs.

Understand local, site, domain, and organizational unit-linked policies.

Explain how to use GPO management tools.

Describe GPO policies and preferences.

Create a GPO and assign it to an organizational unit.

Core Group Policy Components


Group Policy is a Microsoft technology that supports one-to-many management of computers and users
in an AD DS environment. By editing Group Policy settings and targeting a GPO at the intended users or
computers, you can centrally manage more than 2,400 configuration parameters. In this manner, you can
manage thousands of computers or users by changing a single GPO.

There are many parts that go into building a Group Policy infrastructure, not all of which will be covered
in this lesson, but two fundamental components are at the core of that infrastructure. These are Group
Policy settings and Group Policy objects, which are discussed in the following sections.
Group Policy Setting

This is the most fine-grained component of Group Policy infrastructure. It defines a specific configuration
change to apply to a user or computer. For example, a policy setting exists that prevents a user from
accessing registry-editing tools. If you define that policy setting and apply it to the user, the user will be
unable to run tools such as Registry Editor (Regedit.exe). Another policy setting is available that you can
use to rename the local Administrator account. You can use this policy setting to rename the
Administrator account on all user desktops, laptops or other devices.
A policy setting can have three states: Not Configured, Enabled, and Disabled.

Note: Many policy settings are complex, and the effect of enabling or disabling them
might not be immediately clear. Make sure that you review a policy setting's explanatory text in
the Group Policy Management Editor details pane or on the Explain tab in the policy setting's
Properties dialog box. In addition, always test the effects of a policy setting and its interactions
with other policy settings before you deploy a change in the production environment.
Group Policy Object


Group Policy settings are defined and exist in a GPO. Therefore, a GPO can be defined as an object that
contains one or more policy settings and applies one or more configuration settings for a user or a
computer. After the settings are defined and a GPO is completed, then you must decide where to apply
the GPO. You can do this by linking a GPO to a specific target or audience. One or multiple GPOs can be
linked with one or multiple sites, domains, or OUs.
There are two kinds of Group Policy objects:

Local GPOs. Every Windows operating system computer has a local set of Group Policy objects. They
are present whether the computer is part of an AD DS environment or a networked environment. If a
computer does not belong to an Active Directory domain, the local policy can be used to configure
and enforce configuration on that computer.

Domain Based GPOs. These are created in Active Directory and stored on domain controllers. They
are used to manage configuration centrally for users and computers in the domain. When AD DS is
installed, two default GPOs are created:
o Default Domain Policy. This GPO is linked to the domain and affects all users and computers
within that domain, including computers that are domain controllers. This GPO contains policy
settings that specify password, account lockout, and Kerberos policies. Domain-based GPOs will
override local GPO settings and are easier to manage than GPOs on individual computers.

o Default Domain Controllers Policy. This GPO is linked to the OU of the domain controllers.
Because computer accounts for domain controllers are kept exclusively in the Domain Controllers
OU, and other computer accounts should be kept in other OUs, this GPO affects only domain
controllers. The Default Domain Controllers GPO should be changed to implement your auditing
policies and other settings, such as security settings, because it's important that all DCs behave
the same.

A Group Policy Object has thousands of configurable Group Policy settings. These settings can affect
almost every area of the computing environment. You cannot apply all the settings to all versions of
Windows operating systems. Many new settings available in Windows 8 and Windows Server 2012 only
apply to the Windows 8 and Windows Server 2012 operating systems. If a computer has a setting applied
that it cannot process, it ignores the setting.
GPOs can be managed in Active Directory by using the Group Policy Management Console (GPMC). To
change the policy settings in a GPO, right-click the GPO, and then click Edit. The GPO settings then open
in the Group Policy Management Editor (GPME), which divides them into two sections:

Computer Configuration. Contains settings that are applied to computers, regardless of who logs on
to them.

User Configuration. Contains settings that are applied when a user logs on to the computer. It is
within this section that you configure user-specific GPO settings.

Applying GPOs
Applying Group Policies is really driven by the clients themselves; that is, it is not a push technology.
Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied
to a user or computer, the client interprets the policy, and then makes the appropriate environment
changes. Some changes are written directly into the registry, and some more complex changes are
processed on the client by Group Policy client-side extensions (CSEs).

As GPOs are processed, the client uses Active Directory to compile a list of GPOs that must be processed.
Then, the client pulls the Group Policy objects' settings from the SYSVOL file system structure and passes
them to the appropriate CSEs, which apply them. GPOs are linked to sites, domains, and organizational
units. The hierarchy of those objects, in addition to the order of the links on each object, defines the
order in which the GPOs are applied to a computer or user. Additional mechanisms, such as security
filtering, WMI filtering, and blocking and enforcing policies, can also be used to reduce the set of
computers and users to which the GPO will apply.

GPOs that apply to a user or computer are not all processed at the same point; settings that are applied
later can override settings that are applied earlier. Group Policy settings are processed in the following
order:

Local GPO. Each computer has exactly one GPO that is stored locally. This is processed for both computer
and user Group Policy processing.

Site. Any GPOs that are linked to the site that the computer belongs to are processed next. Processing is
in the order that is specified by the administrator, on the Linked GPOs tab for the site in the GPMC. The
GPO with the lowest link order is processed last, and therefore has the highest precedence.

Domain. Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the
Linked GPOs tab for the domain in the GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.

Organizational units. GPOs that are linked to the organizational unit that is highest in the AD DS
hierarchy are processed first, and then GPOs that are linked to its child organizational unit are
processed, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user
or computer are processed.

The first letters of the items listed above give the acronym LSDOU. It's important to remember this
processing order, especially when troubleshooting. If settings conflict, local policies are overwritten by
GPOs linked to sites, which are overwritten by GPOs linked to the domain, which are overwritten by
policies linked to OUs (from the hierarchical topmost OU to the lowest sub-OU). Enforcing or blocking
GPOs also uses this order. Blocked GPOs will not be applied. Enforced GPOs are moved to the end of the
processing order and are therefore likely to win. Here are several other things to know about GPOs.

GPOs can also be filtered by WMI settings such as hardware or software settings, configurations, or
even applications that are installed.

Policy settings in the Computer Configuration node in the GPME are applied at system startup and
every 90 minutes after that.


Policy settings in the User Configuration node in the GPME are applied when you log on and every 90
minutes after that.

Note: The 90-minute interval previously listed applies to domain members only. Domain
controllers update their GPOs every 5 minutes.

The application of policies is called a Group Policy refresh. You can also force an immediate policy refresh
by using the GPUpdate command from the command line. Or, in a Windows PowerShell console, you can
run the Invoke-GPUpdate cmdlet. The Windows PowerShell Group Policy cmdlets are available in
Windows Server 2012 and Windows 8 with Remote Server Administration Tools (RSAT).

In Windows Server 2012, you can also force a Group Policy Update in the GPMC by right-clicking the
container in question such as Domain Controllers for example, and selecting Group Policy Update. Then in
the resulting Force Group Policy Update dialog box, select Yes. This creates a scheduled job that will run
in 10 minutes.
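An added example, not from the course, that reads the LSDOU order applying to one OU and then triggers the refresh described above with the GroupPolicy module. It assumes domain adatum.com, an OU named Sales and a client named LON-CL1; the Sales OU is an assumption.

```powershell
# Added example, not part of the course: inspect the LSDOU order for one OU and force a
# refresh. Assumptions: the GroupPolicy and ActiveDirectory modules from RSAT, domain
# adatum.com, an OU "OU=Sales,DC=adatum,DC=com", and a client named LON-CL1.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ou     = "OU=Sales,$($domain.DistinguishedName)"   # assumed OU

# D and OU levels: Get-GPInheritance lists the links on the OU and every link inherited from
# the domain and parent OUs, in precedence order. Order 1 is applied last and wins conflicts.
$inh = Get-GPInheritance -Target $ou
"Block Inheritance on $($inh.Name): $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# S level: site links are not part of OU inheritance. They are stored in the gPLink attribute
# of the site object as "[LDAP://<GPO DN>;<options>]" entries; options 1 = link disabled,
# 2 = enforced.
$siteName = (Get-ADDomainController).Site
$siteDn   = "CN=$siteName,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
(Get-ADObject -Identity $siteDn -Properties gPLink).gPLink

# An enforced link higher up overrides a conflicting OU link, so when a setting applies that
# "should not", list the enforced links on the domain itself.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Where-Object Enforced |
    Select-Object DisplayName, Target

# Force a refresh instead of waiting up to 90 minutes for the next background cycle.
# -Force reapplies settings even when no GPO version has changed.
Invoke-GPUpdate -Computer 'LON-CL1' -Target Computer -RandomDelayInMinutes 0 -Force
# Locally on the client the equivalent is: gpupdate /target:computer /force
```

The InheritedGpoLinks list is the same ordering that gpresult shows as "Applied Group Policy Objects" on a computer in that OU, before security and WMI filtering remove entries.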
Question: What would be some advantages and disadvantages to lowering the refresh
interval?

Creating and Managing GPOs


You can create or manage Group Policy objects in many ways. A GPO can be created from a template or
by using a graphical user interface (GUI) tool such as the GPMC. After you have created the GPO, you can
link it to the appropriate site, domain, or OU.
The GPMC also provides what are called starter GPOs. Starter GPOs are templates that help you create
GPOs. When you create new GPOs, you can select to use a starter GPO as the source. This makes it easier
and faster to create multiple GPOs with the same baseline configuration.

The GPMC also provides mechanisms for backing up, restoring, migrating, and copying existing GPOs.
This is very important for maintaining your Group Policy deployments if there is error or disaster. It helps
you avoid manually recreating lost or damaged GPOs, and having to complete the planning, testing, and
deployment phases. Part of your ongoing Group Policy operations and Active Directory Backup and
Recovery plan should include regular backups of all GPOs, by using the GPMC or scripting tools
supported by the GPMC. Recovering a GPO without a GPMC backup, even when you have a system state
backup, can be very tricky.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains.

You can also delegate the administration of GPOs. By default, only Domain Admins, Enterprise Admins,
and Group Policy Creator Owners can create new GPOs. But you can use three methods to grant a group
or user this right:

Add the user to the Group Policy Creator Owners group.

Explicitly grant the group or user permission to create GPOs by using the GPMC.

Grant permissions to link the GPO to certain target objects.


To edit a GPO, the user must have both read and write access to the GPO. You can grant this permission
by using the GPMC.

Note: Delegating GPOs must be considered carefully. If you grant users the right to create new
GPOs, they can create GPOs, but they might be unable to link them. If you grant them the right to
link GPOs to specific sites, domains, or OUs, they can link any GPO, not just the GPOs they created.
In scenarios where you want to control the use of GPOs but enable an administrative group to
adjust certain settings using a GPO, it can be a good idea to create and link the GPO yourself, and
grant the group the rights to change its settings.
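The pattern the note recommends (create and link the GPO yourself, grant only edit rights) together with a GPMC backup before the hand-over, as an added example that is not part of the course. The GPO name Sales Desktop Settings, the group Sales Desktop Admins and the folder D:\GPOBackups are assumptions.

```powershell
# Added example, not part of the course: delegate editing of one GPO without granting the
# right to create or link GPOs, then take a GPMC backup. Assumptions: the GroupPolicy module,
# an existing GPO "Sales Desktop Settings", a group "Sales Desktop Admins", and a backup
# folder D:\GPOBackups.
Import-Module GroupPolicy

$gpoName    = 'Sales Desktop Settings'   # assumed existing GPO, already linked by you
$editors    = 'Sales Desktop Admins'     # assumed group of delegated admins
$backupPath = 'D:\GPOBackups'            # assumed

# Who can do what on this GPO today? GpoApply = the GPO applies to that trustee,
# GpoEdit = may change settings, GpoEditDeleteModifySecurity = full control.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, TrusteeType, Permission

# Back up before handing the GPO over (and on a schedule afterwards): a system state backup
# alone does not give you a clean per-GPO restore.
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
$backup = Backup-GPO -Name $gpoName -Path $backupPath -Comment "Before delegating edit to $editors"
"Backup $($backup.Id) of '$($backup.DisplayName)' taken at $($backup.CreationTime)"

# Grant edit rights on this GPO only. The group still cannot create GPOs (that needs
# Group Policy Creator Owners membership or an explicit grant in the GPMC) and cannot link
# GPOs (that is a permission on the site, domain or OU, not on the GPO).
Set-GPPermission -Name $gpoName -TargetName $editors -TargetType Group -PermissionLevel GpoEdit

# Confirm the result is exactly one GpoEdit entry for the group, nothing broader.
Get-GPPermission -Name $gpoName -TargetName $editors -TargetType Group

# Restore is the mirror operation (shown, not run); with -Name it restores the most recent
# backup of that GPO found under the path. Backup-GPO -All -Path $backupPath backs up every GPO.
# Restore-GPO -Name $gpoName -Path $backupPath
```

Keeping the link under your control while delegating GpoEdit means the group can change what the policy does but not where it applies, which is the split the note describes.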

Group Policy Preferences


Many common configuration settings were traditionally delivered through logon or startup scripts. This
required writing, debugging, and storing the scripts in a central location, and then applying the scripts
by using user settings or Group Policy. Group Policy preferences enable IT professionals to configure,
deploy, and manage many common operating system and application settings that they previously were
not able to manage by using Group Policy settings. With Windows Server 2012 and Windows 8, Group
Policy Preferences includes more than 20 Group Policy extensions that expand the range of configurable
settings in a GPO.
Common Uses for Group Policy Preferences

Group Policy Preferences typically provide another method to configure the operating system
environment and its variables that were mostly done through logon scripts. Preferences effectively replace
the need for logon scripts. Some common configurations that can be applied to computers are as follows:

Map network drives for users.

Configure desktop shortcuts for users or computers.

Set environment variables.

Copy files.

Map printers.

Map network drives.

Set power options.

Configure Start menus.

Configure data sources.

Configure Internet options.

Schedule tasks.

The main approach for deciding whether to use Group Policy settings or Group Policy Preferences is
determined by what configuration setting the administrator wants to set. If you can set your
configuration requirement by using Group Policy settings, then use Group Policy settings. If not, then use
Group Policy Preferences. You may also need to enforce a policy to ensure that users are unable to
change a preference. For example, registry changes; that is, if you create a Group Policy Preference that
changes a registry setting, you can then use a Group Policy setting to disallow registry editing tools. This
will enforce the preference.
Preferences have a built-in scoping mechanism called item-level targeting. You can have multiple
preference items in a single GPO, and each preference item can be targeted or filtered. For example, you
could have a single GPO with a preference that specifies folder options for engineers and another item
that specifies folder options for salespeople. You can target the items by using a security group or OU.
There are more than a dozen other criteria that can be used. This includes hardware and network
characteristics, date and time, LDAP queries, and more.
One of the main benefits to preferences is that you can target multiple preference items in a single GPO
instead of requiring multiple GPOs. With Group Policy settings, you frequently need multiple GPOs
filtered to individual groups to apply variations of settings.
In the Group Policy Management Editor, you can view two nodes: Policies and Preferences. In the
Preferences node are groupings for Windows Settings and Control Panel Settings.

Demonstration: How to Create a GPO and Link It to an Organizational Unit


In this demonstration, you will see how to create a GPO by using the GPMC. After creating the GPO, you
will link the GPO to Production OU and then log on as a production user. You will then see what happens
when the GPO is not applied.

Demonstration Steps

1. Create a new GPO called Disable CAD Task Manager.

2. In the new GPO, restrict users from starting Task Manager when pressing Ctrl+Alt+Del.

3. Link the GPO to the Sales OU.

4. Sign in as Jay Hay to verify that the Task Manager is not a logon option and the GPO was applied.

5. Sign in as the Administrator to show that the Task Manager is a logon option and the GPO was not
applied.
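The demonstration above done from Windows PowerShell instead of the GPMC, as an added example that is not part of the course. It assumes domain adatum.com and that the Sales OU exists; the registry value names are the ones the Remove Task Manager and Prevent access to registry editing tools policy settings write under the user Policies\System key.

```powershell
# Added example, not part of the course: create the demonstration GPO, set the policy
# setting, link it, and read it back. Assumptions: the GroupPolicy and ActiveDirectory
# modules, domain adatum.com, and an OU "OU=Sales,DC=adatum,DC=com".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$targetOu = "OU=Sales,$domainDn"            # assumed, as in the demonstration
$gpoName  = 'Disable CAD Task Manager'

# 1. Create the GPO. A starter GPO can seed it: New-GPO -Name ... -StarterGpoName '...'
$gpo = New-GPO -Name $gpoName -Comment 'Removes Task Manager from Ctrl+Alt+Del for Sales users'

# 2. Configure the policy setting. Administrative Template settings are registry values under
#    the Policies keys, and Set-GPRegistryValue writes them into the GPO as Enabled settings.
#    "Remove Task Manager" (User Configuration > Policies > Administrative Templates > System >
#    Ctrl+Alt+Del Options) is DisableTaskMgr = 1 under the user Policies\System key.
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# The same key holds "Prevent access to registry editing tools", the setting the lesson uses
# to stop users undoing a registry-based preference (shown, not applied here):
# Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'DisableRegistryTools' -Type DWord -Value 1

# 3. Link the GPO to the OU. Link order 1 is the highest precedence among links on that OU.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Order 1 | Out-Null

# 4. Verify: read the setting back from the GPO, and confirm where the GPO is linked.
Get-GPRegistryValue -Name $gpoName -Key $policyKey
(Get-GPInheritance -Target $targetOu).GpoLinks | Select-Object Order, DisplayName, Enabled

# Because the setting is in User Configuration, it applies to users whose accounts are in the
# Sales OU. The Administrator account is not in that OU, so the demonstration's last step shows
# Task Manager still available; on the client, gpresult /r /scope:user lists the applied GPOs.
```

The same steps with a Computer Configuration setting would link the GPO to the OU that holds the computer accounts instead, which is the practical reason the lesson separates the two sections of the GPME.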

Lab: Implementing Active Directory Domain Services


Scenario

The A. Datum Corporation is about to undergo a merger with Contoso Corporation. A new project team is
created that consists of multiple external staff. The team must be able to manage themselves during the
merger. Ed Meadows has asked you to create a new OU in AD DS to support this new project team and
populate it with the users, groups, and computers to support the new staff. You have also been asked to
see if there is a way to automate some of the general manual configuration.

Objectives
After completing this lab, you will be able to:

Add an additional domain controller.

Create an organizational unit structure.

Configure user, group, and computer accounts.

Create and link a GPO to the organizational units.

Lab Setup
Estimated Time: 75 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1, 10967A-LON-CL1
User Name : ADATUM\Administrator
Password : Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: ADATUM

5. Repeat steps 2 through 4 for 10967A-LON-SVR1 and 10967A-LON-CL1.

Exercise 1: Promoting a New Domain Controller


Scenario
Ed thinks that having more users will put an additional load on the existing domain controller in New
York. He has asked you to promote an existing member server as a new domain controller.
This exercise has only one task.

Task 1: Add an additional domain controller

1. Switch to the LON-SVR1 computer.

2. Add the AD DS role and associated features to the server.

3. Promote LON-SVR1 to a domain controller by using the following information (accept the default
settings unless otherwise stated):

4. Select a Deployment Configuration: Add a domain controller to an existing domain

5. Select a domain: Adatum.com

6. DNS Server and Global Catalog Server are not required.

7. Directory Services Restore Mode Administrator Password: Pa$$w0rd

8. Run the Prerequisite Check and make sure that all prerequisites are successful. Warnings are
acceptable.

9. Click Install, and then wait for the installation to complete and the computer to restart.

Results: After this exercise, you will have promoted a new domain controller.

Exercise 2: Creating an Organizational Unit


Scenario
You must now create the required organizational unit for team members.
There is only one task for this exercise.

Task 1: Create an organizational unit

1. After LON-SVR1 has restarted, log on by using the following credentials:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum

2. Use Active Directory Users and Computers to create a new OU called A Datum Merger Team in the
Adatum.com domain.

3. Close the Active Directory Users and Computers console.

Results: After this exercise, you will have created a new organizational unit (OU).

Exercise 3: Configuring Accounts


Scenario

Ed has asked that you create the necessary user accounts and groups, and move the users' computer
accounts into the OU. You need two groups, one for all team members and one for the manager, Tony
Allen. You will then grant Tony Allen the ability to reset user passwords on all user accounts in the A.
Datum Corporation Merger Team OU.
The main tasks for this exercise are as follows:

1. Add user accounts

2. Create groups

3. Add members to groups

4. Move a computer account

5. Delegate control of the OU

Task 1: Add user accounts

1. Ensure you are still logged on to the 10967A-LON-SVR1 virtual machine and open the Active
Directory Administrative Center.

2. In Active Directory Users and Computers, create the following user accounts in the A Datum Merger
Team OU by using the following information to complete the process:

o Configure users' first names and last names.

o User logon name is first name.

o Password is Pa$$w0rd.

o Clear the User must change password at next logon check box.

o Ensure Account expires is set to Never.

o Ensure Password never expires.

3. After creating the first account, see if there is an easy way to automate the creation of the remainder
of the accounts using Windows PowerShell.

4. Users to create are as follows:

o Christian Kemp with logon name of ChristianK

o Tony Allen with logon name of TonyA

o Pia Lund with logon name of PiaL
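Step 3 asks whether the remaining accounts can be created with Windows PowerShell. Here is one way, written as an added example rather than the course's own solution, that also applies the user-account practices from earlier in this lesson (one account per person, a consistent naming convention, a check against the domain's account policy). It assumes the Active Directory module and the A Datum Merger Team OU from Exercise 2; the input list is constructed from the three users in this task.

```powershell
# Added example, not part of the course: create the lab accounts from a list, using the
# task's naming convention (first name + initial of surname) and its account settings.
# Assumptions: the ActiveDirectory module, domain adatum.com, and the OU from Exercise 2.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ou     = "OU=A Datum Merger Team,$($domain.DistinguishedName)"

# Constructed input: the three users from the task. Import-Csv .\users.csv with the same
# two columns would replace this for a larger batch.
$people = @(
    [PSCustomObject]@{ GivenName = 'Christian'; Surname = 'Kemp' }
    [PSCustomObject]@{ GivenName = 'Tony';      Surname = 'Allen' }
    [PSCustomObject]@{ GivenName = 'Pia';       Surname = 'Lund' }
)

# The lab's fixed password, in single quotes: in double quotes PowerShell would expand "$$"
# as an automatic variable and the value would not be what the lab expects.
$plain    = 'Pa$$w0rd'
$password = ConvertTo-SecureString $plain -AsPlainText -Force

# Check the value against the domain's account policy before creating anything.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($plain.Length -lt $policy.MinPasswordLength) {
    throw "Password is shorter than the domain minimum of $($policy.MinPasswordLength) characters"
}

foreach ($p in $people) {
    $sam = '{0}{1}' -f $p.GivenName, $p.Surname.Substring(0, 1)    # ChristianK, TonyA, PiaL
    # sAMAccountName must be unique in the domain: report a clash rather than overwrite.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping"
        continue
    }
    New-ADUser -Name "$($p.GivenName) $($p.Surname)" `
        -GivenName $p.GivenName -Surname $p.Surname `
        -DisplayName "$($p.GivenName) $($p.Surname)" `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$($domain.DNSRoot)" `
        -Path $ou `
        -AccountPassword $password `
        -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true `
        -Enabled $true
    # New-ADUser sets no expiry date, which is the task's "Account expires: Never";
    # Clear-ADAccountExpiration -Identity $sam would remove one that had been set.
}

# Verify the result against the task's requirements.
Get-ADUser -Filter * -SearchBase $ou -Properties PasswordNeverExpires, AccountExpirationDate |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, AccountExpirationDate
```

PasswordNeverExpires is set because the task asks for it; the account policy practice earlier in the lesson would normally leave it off so that the domain's maximum password age applies.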

Task 2: Create groups

1. Locate the A Datum Merger Team OU.

2. Create the following Global Security groups:

o Mergers and Acquisitions

o Merger Team Management

Task 3: Add members to groups

1. Add all new users in the A Datum Merger Team OU to the Mergers and Acquisitions group.

2. Add only Tony Allen to the Merger Team Management group.

Task 4: Move a computer account

In Active Directory Administrative Center, in the Computers folder, move the LON-CL1 computer to
the A Datum Merger Team OU.

Task 5: Delegate control of the OU

1. Still on 10967A-LON-SVR1, in Server Manager, click Tools, and then select Active Directory Users and
Computers.

2. Using the Delegation of Control Wizard, grant the Merger Team Management global security group
the user right to Reset user passwords and force password change at next logon on the A
Datum Merger Team OU.
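What the Delegation of Control Wizard step grants, expressed as the two access control entries it adds to the OU, as an added example that is not part of the course. It assumes the Active Directory module and the OU and group created in this exercise; the object GUIDs are resolved from the schema and configuration partitions at run time rather than typed in.

```powershell
# Added example, not part of the course: the same delegation as the wizard step above,
# written as an ACL so that it can be reviewed and read back. Assumptions: the
# ActiveDirectory module, domain adatum.com, and the lab OU and group from this exercise.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$ouDn    = "OU=A Datum Merger Team,$($domain.DistinguishedName)"
$group   = Get-ADGroup -Identity 'Merger Team Management'
$rootDse = Get-ADRootDSE

# Resolve the GUIDs the ACEs refer to: the user class and pwdLastSet attribute from the
# schema, and the "Reset Password" control access right from the configuration partition.
$schema = $rootDse.schemaNamingContext
$userClassGuid  = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid   = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the "Reset Password" extended right on user objects below the OU only
# (InheritedObjectType = user; InheritanceType = Descendents, so not on the OU itself).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID, 'ExtendedRight', 'Allow', $resetPwdGuid, 'Descendents', $userClassGuid)))

# ACE 2: read and write pwdLastSet, which is what "force password change at next logon" sets.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSetGuid, 'Descendents', $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back what this group now holds on the OU. Expect exactly these two ACEs scoped to user
# objects; anything broader (GenericAll, an all-zero ObjectType) is more than the task asked for.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$($group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Reading the ACL back is the part the wizard does not offer, and it is the check that shows whether a delegation stayed as narrow as intended: the two entries should name the pwdLastSet attribute and the Reset Password right, restricted to user objects, and nothing else.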

Results: After this exercise, you will have created the necessary user accounts and groups, and moved the
users' computer accounts into the OU.

Exercise 4: Creating a GPO

Scenario
You must now create a GPO and link it to the A Datum Merger Team OU. The GPO will launch a logon script for users in the new OU.

The main tasks for this exercise are as follows:
1. Create a GPO
2. Link a GPO
3. Test a GPO
4. Revert the lab machines

Task 1: Create a GPO
1. Make sure that you are logged on to 10967A-LON-DC1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Open Group Policy Management.
3. Create a new GPO called A Datum Merger Team GPO.
4. Open the GPO for editing. Use the following steps to create a logon script for the team:
5. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).
6. In the Results pane, double-click Logon.
7. In the Logon Properties dialog box, click Add.
8. In the Add a Script dialog box, click Browse.
9. In the Browse dialog box, right-click the No items match your search box, click New, and then click Text Document.
10. Highlight the whole file name, including the file name extension, type logon.vbs, and then press Enter.
11. If you are prompted, in the Rename dialog box, click Yes.
12. Right-click logon.vbs, and then click Edit.
13. If you are prompted, in the Open File Security Warning dialog box, click Open.
14. In Notepad, type msgbox "Welcome to the A Datum Merger Team" (the quotation marks are required; without them VBScript treats the words as undefined variables and the script fails).
15. Click File, and then click Save.
16. Close Notepad.
17. In the Browse dialog box, click Open.
18. In the Add a Script dialog box, click OK.
19. In the Logon Properties dialog box, click OK.
20. Close Group Policy Management Editor.

Task 2: Link a GPO
1. Switch to LON-DC1.
2. Link the A Datum Merger Team GPO to the A Datum Merger Team organizational unit.

Task 3: Test a GPO
1. Switch to 10967A-LON-CL1 and log off.
2. Log on by using the following credentials:
   o User name: TonyA
   o Password: Pa$$w0rd
   o Domain: Adatum
3. Make sure that the logon script runs.

Note: By default, the operating system may display the Start screen after logon, and you may have to select Desktop to see the message box that the logon script displays.
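Tasks 1 and 2 done from Windows PowerShell, as an added example that is not part of the course lab, followed by the check a practitioner would want on the result: the logon script that you create in steps 4 to 20 is stored in SYSVOL under the GPO's GUID, and it runs as every user in the OU, so the script checks who can write to that folder. It uses the GroupPolicy and ActiveDirectory modules on LON-DC1; the OU path (directly under the domain root) is an assumption.

```powershell
# Added example, not part of the course lab. Performs Exercise 4, Tasks 1 and 2, then
# audits the permissions on the GPO's SYSVOL folder where the logon script is stored.
# Assumption: the OU is directly under the domain root.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'A Datum Merger Team GPO'
$ouPath  = 'OU=A Datum Merger Team,DC=Adatum,DC=com'   # assumed OU location

# Task 1: create the GPO if it does not already exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Runs the merger team logon script'
}

# Task 2: link it to the OU, once. Get-GPInheritance lists the links already on the OU.
$linked = (Get-GPInheritance -Target $ouPath).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes | Out-Null
}

# The logon script added in the Group Policy Management Editor lands under this folder.
# Every user in the OU runs whatever is there at logon, so anyone who can write to it can
# run code as all of those users: only administrators and SYSTEM should hold write,
# modify or full control. The Scripts\Logon subfolder only exists after a script is added,
# so fall back to the policy root when it is not there yet.
$domain     = (Get-ADDomain).DNSRoot
$policyRoot = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
$scriptDir  = Join-Path $policyRoot 'User\Scripts\Logon'
$checkPath  = if (Test-Path $scriptDir) { $scriptDir } else { $policyRoot }

(Get-Acl $checkPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights

# Task 3, on LON-CL1 after logging on as TonyA: confirm that the GPO applied to the user.
#   gpresult /r /scope:user
```

If the ACL listing shows Authenticated Users or Domain Users with anything beyond read, the script is writable by the people it runs for; fix that before linking the GPO.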

Task 4: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.

Results: After this exercise, you will have created a Group Policy Object (GPO) and linked it to the A Datum Merger Team OU.

Question: In the lab, you used Active Directory Administrative Center to manage accounts. What other tool could you use?

Question: In the lab, you added Tony Allen, a single user, to a management group. Why not grant Tony the required permissions directly?

Module Review and Takeaways


Review Questions
Question: For most organizations, how many AD DS forests are required?
Question: If you are installing an AD DS-compatible email application, what implications does this have for your AD DS schema?
Question: What trusts are implemented between domains in a single forest?
Question: Why create organizational units?

Tools

Tool: Active Directory Users and Computers
  Use for: Managing objects within AD DS such as users, groups, and computers
  Where to find it: Server Manager

Tool: Active Directory Administrative Center
  Use for: Managing objects within AD DS such as users, groups, and computers
  Where to find it: Server Manager

Tool: Group Policy Management Console (GPMC)
  Use for: Creating, managing, and editing Group Policy objects (GPOs)
  Where to find it: Server Manager

Tool: Group Policy Management Editor
  Use for: Editing Group Policy settings and preferences
  Where to find it: By editing a GPO in GPMC, you can access the Group Policy Management Editor

Tool: Windows PowerShell cmdlets
  Use for: Managing Active Directory and Group Policy from the command line (the ActiveDirectory and GroupPolicy modules)
  Where to find it: Available in the Windows PowerShell console

Tool: Command-line tools such as dsget, dsquery, dsmod, ntdsutil, and more
  Use for: Configuration and management of AD DS objects
  Where to find it: Command Prompt

Module 8
Implementing IT Security Layers

Contents:
Module Overview
Lesson 1: Overview of Defense-in-Depth
Lesson 2: Physical Security
Lesson 3: Internet Security
Lab: Implementing IT Security Layers
Module Review and Takeaways

Module Overview

Security is an important part of any computer network and must be considered from many perspectives. Data security for web content and for files accessed on network shares is a common concern. In addition to file and share permissions, you can also use data encryption to restrict data access.

Objectives
After completing this module, you will be able to:

Identify security threats at all levels and reduce those threats.

Describe physical security risks and identify mitigations.

Identify Internet-based security threats and protect against them.

Lesson 1

Overview of Defense-in-Depth


You can approach security design for computers in various ways. Defense-in-depth is one model for
analyzing and implementing security for computer systems. This model uses layers to describe different
areas of security.

Lesson Objectives
After completing this lesson, you will be able to:

Describe defense-in-depth.

Describe how policies, procedures, and awareness can help implement defense-in-depth.

Describe physical security threats and mitigations.

Describe perimeter network security threats and mitigations.

Describe internal network security threats and mitigations.

Describe host-based security threats and mitigations.

Describe application-based security threats and mitigations.

Describe data-based security threats and mitigations.

What Is Defense-In-Depth?

When you park your car in a public location, you consider several factors before walking away from it: for example, where it is parked, whether the doors are locked, and whether you have left anything of value lying on the seat. You understand the risks associated with parking in a public place, and you can reduce those risks. As with your car, you cannot properly implement security features on a computer network without first understanding the security risks posed to that network.

You can lessen risks to your computer network by providing security at different infrastructure layers. The term defense-in-depth is frequently used to describe the use of multiple security technologies at different points throughout your organization.
Policies, Procedures, and Awareness

Physical security measures have to operate within the context of organizational policies about security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down and stick them to their computer screens. When establishing a security foundation for your organization's network, it is a good idea to establish appropriate policies and procedures and to make users aware of them. Then you can progress to the other aspects of the defense-in-depth model.
Physical Security

If any unauthorized person can gain physical access to your computer, then most other security measures
are of little importance. Make sure computers that contain the most sensitive data, such as servers, are
physically secure.
Perimeter

These days, no organization is an isolated enterprise. Organizations operate in a global community, and network resources must be available to serve that global community. This might include building a website to describe your organization's services, or making internal services, such as web conferencing and email applications, available externally so that users can work from home or from satellite offices.

Perimeter networks mark the boundary between public and private networks. By providing specialist servers, such as a reverse proxy, in the perimeter network, you can more securely provide corporate services across the public network.

Note: With a reverse proxy server, you can publish services from the corporate intranet, such as email or web services, without putting the email or web servers in the perimeter. To a client, the reverse proxy appears to be the final destination, regardless of whether the client's requests are forwarded to one or more back-end servers. The reverse proxy is therefore a single system in the perimeter network that must be tightly secured, but it can distinguish between and publish many different services from various back-end systems.
Networks

After you connect computers to a network, they are susceptible to several threats. These threats include
eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when
communication occurs over public networks by users who work from home, or from remote offices.
Host

The next layer of defense is the host computer itself. You must keep computers secure with the latest security updates.

Application

Applications are only as secure as their latest security update. Use Windows Update consistently to keep Microsoft applications up to date. If the network also has third-party software, you must use that software's update mechanisms to make sure that it is up to date.

Data

The final layer of security is data security. To make sure that data is protected, use file permissions, encryption, and backup.
Question: How many layers of the defense-in-depth model should be secured?

Policies, Procedures, and Awareness

Security is not only a technology-based solution. Organizations also implement policies, procedures, and awareness programs to help prevent security incidents. Security relies on staff and users following policies and procedures. For example, rules must be put in place to determine under what circumstances a password can be reset and how that new password is communicated to the user. Without these rules, unauthorized password resets could unknowingly be performed that would enable an attacker to access your system.

Even when you implement rules to help prevent security problems, they can be circumvented. Some ways
that policies and procedures are compromised include the following:

Users unaware of the rules. When users are unaware of the rules, they cannot be expected to follow
them.

Users viewing rules as unnecessary. If the reason for rules is not adequately communicated to users,
then some treat the rules as unnecessary.

Social engineering. Users and computer administrators are vulnerable to social engineering where
they are convinced to break the rules. Sometimes this involves impersonating a legitimate user.

Mitigation
Consider the following to help reduce these threats:

Create specific rules that help prevent social engineering.

Educate users on rules and their relevance.

Implement compliance monitoring.

It is very important that users know the security rules, their relevance to the organization, and the
ramifications or consequences of not abiding by those security rules.

Physical Layer Security

This is one of the most frequently overlooked areas of securing computer systems. Generally, anyone who has physical access to computer systems can do the following:

Damage systems. This can be as simple as a server stored next to a desk that is accidentally knocked over or has coffee spilled on it.

Install unauthorized software. Unauthorized software can be used to attack systems. For example, there are utilities available to reset the administrator password on a Windows-based workstation or member server.

Modify data. After a system is compromised, data can be changed. For example, a disgruntled employee could change their own performance review.

Steal data. Data such as credit card information could be stolen after a system is compromised.

Steal hardware. If devices are left unsecured, they can be stolen. Even incorrectly secured servers can be stolen together with their data. For example, one of the worst scenarios is a server with hot-pluggable, redundant (mirrored) hard disk drives: if it is not physically secured and properly monitored, it is very easy to pull one drive, take it away, and extract valuable business information at leisure, without any security guard to stop you.

Mitigation

You must secure the network infrastructure, including the physical security. The problem is that although
you want to make it difficult for non-authorized people to access your computers and infrastructure, you
want to make it fairly easy for authorized employees.
Consider the following to help mitigate physical security threats:

Restrict physical access by locking doors.

Monitor server room access.

Install fire suppression equipment.

Perimeter Layer Security


Perimeter layer security refers to connectivity between the network and other untrusted networks. The Internet is the most common untrusted network. However, there are other untrusted networks that are a concern:

Remote access clients. These client computers access the network from a remote network over which you have little or no control. However, the clients have access to more data on the network than typical Internet hosts.

Business partners. You do not control the networks of business partners and cannot make sure that they have appropriate security controls. If a business partner is compromised, then the network links between your organization and the business partner pose a risk.

Mitigation

To keep your organization safe, create a private network and a perimeter network by using firewalls, intrusion prevention and detection systems, and other components.

Consider the following to help mitigate perimeter security threats:

Implement firewalls at network boundaries.

Implement network address translation (NAT). NAT is an IP translation process that enables a network that has private addresses to access information on the Internet.

Use virtual private networks (VPNs) or DirectAccess and implement encryption.

Use proxy servers and systems to make sure that no internal service is directly connected to the Internet.

Internal Network Layer Security

Internal network layer security refers to events on the internally controlled network. This includes local area networks (LANs) and wide area networks (WANs). This layer is easier to secure because you have control of the devices on these networks.

The security risks to the internal network layer are as follows:

Unauthorized network communication. Hosts can communicate with servers to which they have no need. This raises the risk of host-level exploits being performed. Restricting network communication to specific servers helps prevent this.

Unauthorized network hosts. Frequently, security risks are introduced to a network by unauthorized hosts connecting to it. Common sources of unauthorized hosts are visitors with portable computers, and employees connecting devices that are not domain-joined and not secured to corporate standards.

Unauthorized packet sniffing. On modern wired networks, switches deliver each packet only to its destination port, which reduces (but does not eliminate) the risk of packet sniffing: an attacker with a connection to the same switch can still redirect traffic with techniques such as ARP spoofing. To packet-sniff wired communication, you must have a physical connection to the specific location where the host that you are monitoring is connected. Wireless networks are more exposed, especially when only basic security measures, such as Wired Equivalent Privacy (WEP), are used to help secure access; packet-sniffing a wireless network can be performed from any physical location that has sufficient signal strength.

Default configurations on network devices. Network devices, such as routers, have a default configuration that includes a default management user name and password; failing to change these compromises network security. Using weak passwords on those devices is a security risk, and using a different password per device increases security.

Note: Packet sniffing occurs when a malicious attacker connects a network data analyzer to the network to capture and examine network packets in transit. This could lead to additional attacks, depending on the data captured. For example, if the attacker can capture user name and password information in transit, they can exploit the information to gain access to the servers and data.
Mitigation

At the heart of many of these risks is the concept of authentication. If two computers can identify one another, then they can communicate more securely. You can provide authentication services in several ways, but one of the most secure is where digital certificates are exchanged during initial communications. How you distribute and manage these certificates depends on your organization, but might include the use of a public key infrastructure (PKI) that you implement within your organization.

Note: You cannot always rely on authentication because some applications, such as network analysis, do not support authentication.

In addition to authentication, consider using encryption to make sure that data is secure while it is in transit. You can encrypt communication from external public networks to your perimeter-based or edge servers by using tunneling technologies; subsequent communication between the edge servers and the internal network can then be protected with Internet Protocol security (IPsec), securing the entire data path. Also, in common Secure Sockets Layer (SSL)/Hypertext Transfer Protocol Secure (HTTPS) scenarios, only the server is authenticated. However, there are services and protocols, some of them HTTPS-based, where the client also has to be authenticated in order to increase security. SSL provides secure and authenticated communications across networks. It is widely used on the Internet, typically in web browsers where payment transactions are performed by using HTTPS.

Consider the following to help reduce these threats:

Do not make it easy to connect to the network. Someone should be unable to plug a laptop into the network and access your intranet.

Encrypt network communication.

Segment the network. You can designate specific subnets for use by guests that have portable computers or devices and need network access. You can do this by using Network Access Protection (NAP), or you could use multiple wireless LANs (WLANs). You could even put the WLAN outside the corporate network and require internal users to use a VPN. So, there are several options, depending on the network requirements.

Require mutual authentication.

Restrict switch ports and internal WLAN access points based on the media access control (MAC) address or client certificates. Note that a MAC address is easily forged by anyone who observes it, so client certificates are the stronger of the two controls. If the WLAN access points provide access only to the Internet, this should be handled differently.
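The two mitigations "Encrypt network communication" and "Require mutual authentication" implemented together with IPsec, as an added example that is not part of the course text. It uses the NetSecurity module that ships with Windows 8 and Windows Server 2012 and later, and assumes domain-joined computers so that Kerberos machine authentication works; the server subnet 10.10.10.0/24 and the CA name in the comment are illustrative assumptions.

```powershell
# Added example, not part of the course text. Requires mutually authenticated, encrypted
# IPsec for traffic between this computer and a server subnet (NetSecurity module,
# Windows 8 / Windows Server 2012 and later). Assumptions: domain-joined computers;
# the subnet 10.10.10.0/24 is illustrative.
Import-Module NetSecurity

$serverSubnet = '10.10.10.0/24'   # assumed server subnet

# Phase 1 (main mode): mutual machine authentication. Each computer proves its identity with
# Kerberos, and both sides must succeed before any data flows. For a PKI instead, use
# New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=A Datum Root CA' -AuthorityType Root
# (the CA name is an assumption).
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $authProposal

# Phase 2 (quick mode): offer only ESP with AES-256 encryption, so a peer cannot negotiate
# integrity-only protection that leaves the payload in cleartext.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 only' -Proposal $qmProposal

# The rule covers traffic to and from the server subnet. Inbound: require protection, so an
# unauthenticated peer is dropped. Outbound: request it, so the rule can be rolled out before
# every peer has it; change -OutboundSecurity to Require once all peers are configured.
New-NetIPsecRule -DisplayName 'Protect traffic to server subnet' `
    -RemoteAddress $serverSubnet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# Checks: the authentication set bound to the rule, and, once traffic flows, the live
# main-mode SAs. A Kerberos machine identity in RemoteFirstId means the peer proved who it is.
Get-NetIPsecRule -DisplayName 'Protect traffic to server subnet' | Get-NetIPsecPhase1AuthSet
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Deploy the same rule through a GPO to both the servers and the clients; a computer that lacks the rule (a visitor's laptop, for example) cannot complete main mode and never reaches the servers, which is the "do not make it easy to connect" point above applied at the network layer.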

Host Layer Security

The host layer refers to the individual computers on the network. This includes the operating system, but not application software. Operating system services, such as a web server, are included in host layer security.

Host layer security can be compromised by:

Operating system vulnerabilities. An operating system is complex. Therefore, there are frequently vulnerabilities that malicious users can exploit. These vulnerabilities enable an attacker to install malicious software or control hosts.

Default operating system configurations. Operating systems and their services include default configurations. In some cases, the default configuration might not include a password or might include sample files that have vulnerabilities. An attacker uses their knowledge of default configurations to compromise systems.

Viruses are one mechanism used to attack hosts. A virus uses operating system flaws or default configurations to replicate itself.

Mitigation

Windows Update and Windows Server Update Services (WSUS) can help keep your computers up to date. In enterprise environments, you could also consider using System Center Configuration Manager (SCCM). In addition, you should consider using antivirus and malware protection. In Windows 8 and Windows RT, you can use Windows Defender to provide protection against viruses, malicious software, and other unwanted third-party software. Microsoft Security Essentials is an antivirus product that is available for free use with Windows XP, Windows Vista, and Windows 7. Microsoft Security Essentials is not supported on Windows 8 because Windows Defender provides the same level of protection.

Windows Server 2012 has several options available. Microsoft Forefront Threat Management Gateway (TMG) is being deprecated, but Forefront Unified Access Gateway (UAG) is available for use as a proxy or firewall server. Some functionality is also integrated with the System Center products.
Consider the following to help you lessen these threats:

Harden operating systems.

Monitor access attempts.

Implement antivirus and antispyware software.

Implement host-based firewalls.

More information about the Malware Defense Guide can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309118
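A quick audit of the four host-layer mitigations listed above, as an added example that is not part of the course text: it checks patch age, the host-based firewall, the Windows Defender service, and failed logon attempts on a Windows 8 or Windows Server 2012 (or later) computer. It assumes an elevated PowerShell session; the 30-day patch threshold and the 24-hour logon window are illustrative assumptions.

```powershell
# Added example, not part of the course text. Audits the host-layer mitigations:
# hardening/patching, host firewall, antimalware, and monitoring of access attempts.
# Assumptions: elevated session on Windows 8 / Server 2012 or later; the 30-day and
# 24-hour thresholds are illustrative.
$report = [ordered]@{}

# Patching: date of the most recent installed update (Get-HotFix reads the installed updates list).
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $report['LastHotfix']      = $lastFix.HotFixID
    $report['LastHotfixDate']  = $lastFix.InstalledOn
    $report['PatchOlderThan30Days'] = ($lastFix.InstalledOn -lt (Get-Date).AddDays(-30))
} else {
    $report['LastHotfix'] = 'none recorded'
}

# Host-based firewall: every profile enabled, and inbound traffic blocked by default.
$fw = Get-NetFirewallProfile
$report['FirewallAllProfilesOn'] = -not ($fw | Where-Object { -not $_.Enabled })
$report['FirewallInboundBlock']  = -not ($fw | Where-Object { $_.DefaultInboundAction -ne 'Block' })

# Antimalware: the Windows Defender service (WinDefend) is present and running. On Windows
# Server 2012 this is absent by design and a third-party product must be checked instead.
$av = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$report['DefenderRunning'] = ($null -ne $av -and $av.Status -eq 'Running')

# Monitoring access attempts: failed logons (Security event 4625) in the last 24 hours,
# and the five most-targeted account names. Property index 5 of 4625 is TargetUserName.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } `
          -ErrorAction SilentlyContinue
$report['FailedLogons24h'] = @($failed).Count
$topTargets = $failed | ForEach-Object { $_.Properties[5].Value } |
              Group-Object | Sort-Object Count -Descending | Select-Object -First 5 Name, Count

[pscustomobject]$report | Format-List
$topTargets | Format-Table -AutoSize
```

A run that shows a patch date months old, a firewall profile turned off, or hundreds of 4625 events against one account is the kind of finding this lesson is about; the script does not fix anything, it only tells you where the host layer is thin.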

Application Layer Security

The application layer refers to applications that are running on the hosts. This includes additional services, such as mail servers, and desktop applications, such as Microsoft Office. The risks to applications resemble the risks to hosts and include the following:

Application vulnerabilities. Applications are complex programs that are likely to have vulnerabilities. An attacker can use these vulnerabilities to install malicious applications or remotely control a computer.

Default application configurations. Applications, such as databases, might have a default password or no password at all. Not securing the default configuration simplifies the work of an attacker trying to access a system.

Viruses introduced by users. In some cases, viruses are introduced by user actions instead of application flaws. In other cases, an application is actually a Trojan horse that has malicious code embedded in what seems to be a useful application.

Programming vulnerabilities. This does not refer exclusively to vendor-provided back-end applications. It also refers to custom websites and other application code that needs to be secured (or designed with security in mind). As more and more apps become available and more widely used, programming vulnerabilities in those apps could potentially become an issue.

Mitigation

Consider the following to help you mitigate these threats:

Run applications with the least privileges possible.

Install security updates.

Enable only required features and functionality.

Data Layer Security

The data layer refers to data that is stored on your computers. This includes data files, application files, databases, and Active Directory Domain Services (AD DS). When the data layer is compromised, the result can be:

Unauthorized access to data files. This might result in unintended users reading data, for example, the salaries of other staff. It might also result in data being changed and becoming inaccurate. This can also result in a denial-of-service (DoS) attack.

Unauthorized access to AD DS. This might result in user passwords being reset and an attacker logging on by using the reset passwords.

Modification of application files. When application files are modified, they might perform unwanted tasks, such as replicating data over the Internet where an attacker can access it.

Mitigation

This can take many forms, and might include using NTFS file system permissions and shared folder permissions to make sure that only authorized users can access files at a defined level of access. You might also be concerned about intellectual property rights and making sure that your data is used appropriately. Finally, for data privacy, you can use both file and disk encryption technologies, such as the Encrypting File System (EFS) or Windows BitLocker Drive Encryption.
Consider the following to help mitigate data layer security threats:

Implement and configure suitable NTFS file system permissions.

Implement encryption.

Implement rights management.

Lesson 2

Physical Security


Physical security provides the first level of defense against a malicious attack. Therefore, make sure that
the network and the attached computers are physically secure. This lesson explores common physical
security threats, their mitigations, and how Windows Server can help provide physical security on the
network.

Lesson Objectives
After completing this lesson, you will be able to:

Describe physical security risks.

Explain the Windows tools that are used to help provide physical security.

Provide best practices for reducing these risks.

What Are the Physical Security Risks?

Other than physical damage to inappropriately located servers and potential resulting data loss, the main physical security risks to the networked computers are as follows:

Data compromise arising from the loss or theft of the server computers or server storage devices.

Data compromise from unmanaged computers that connect to the network.

Data compromise from the introduction of storage devices into the network that can contain malicious or damaging software.

Implementing Physical Security with Windows Server Tools

Windows Server provides several tools and features that can help you implement physical security.

Encrypting File System

EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not have the appropriate cryptographic key cannot read the encrypted data. Encrypted files can be protected even from those who gain physical possession of the computer on which the files reside. Even persons who are otherwise authorized to access the computer and its file system cannot view the data. EFS is not supported on the Resilient File System (ReFS), a new file system in Windows Server 2012.

There are many planning requirements connected to EFS, for example, ensuring that the recovery agent key is safely stored and maintained. You therefore need to carefully examine and assess the impact of rolling out EFS in your organization. Failure to properly plan an EFS deployment could lead to loss of access to data.
BitLocker Drive Encryption

BitLocker provides protection for the computer operating system and data that is stored on the operating
system volume by making sure that data that is stored on a computer remains encrypted, even if the
computer is tampered with when the operating system is not running. For example, if a laptop is lost or
stolen and someone tries to remove the hard disk and mount it in a separate environment to access the
data, that person cannot do so unless they have the appropriate credentials because the drive is
encrypted.
BitLocker provides a closely integrated solution in Windows client and Windows Server operating systems to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers. BitLocker in Windows 8 and Windows Server 2012 provides new functionality:

BitLocker Provisioning. Windows 8 is now deployable to an encrypted state during installation.

Used Disk Space Only encryption. Allows for a much faster encryption experience by only encrypting used blocks on the targeted volume.

Standard User PIN and password change. Enables a standard user to change the BitLocker PIN or
password on operating system volumes and the BitLocker password on data volumes. This reduces
internal help desk call volume.

Network unlock. Enables a BitLocker system on a wired network to automatically unlock the system
volume during startup (on capable Windows Server 2012 networks), reducing internal help desk call
volumes for lost PINs.

Support for Encrypted Hard Disk Drives for Windows. Windows 8 includes BitLocker support for
encrypted hard disk drives.

BitLocker was expanded upon in Windows Server 2012 and is now supported on clusters, including Cluster
Shared Volumes (CSV). It is also supported on both NTFS and ReFS file systems, unlike EFS.
Read-Only Domain Controllers

A read-only domain controller (RODC) is a kind of domain controller introduced in Windows Server 2008.
With an RODC, you can deploy a domain controller in locations where physical security cannot be
guaranteed, such as a branch office. An RODC hosts a read-only replica of the database in AD DS for a
given domain.

When an RODC services a logon request for a user on the network, that user's credentials can be cached at the server; only the accounts that the RODC's password replication policy allows, typically the users at the branch office, are cached in this manner. If the RODC is stolen, only this subset of your domain accounts is compromised, which makes it easier and quicker for you to restore user account security by resetting those passwords.

Note: By default, no user credentials are cached on the RODC. This is more secure because
if the RODC is stolen, no user passwords are compromised. However, if the link between the head
office, where the writable domain controllers exist, and the branch office fails, and caching is not
enabled, users at the branch office cannot log on until the link is reestablished.
Group Policies


If you let users add storage devices, such as universal serial bus (USB) memory sticks or external hard disk
drives, to their network-attached computers, you can potentially introduce additional security risks.
Windows Server can use Group Policy objects (GPOs) to enforce rules on network-attached computers
that control or prohibit the addition of storage devices.
Network Access Protection

When you let computers connect to the network from unmanaged locations, such as users' homes, or you let computers from other organizations connect to the network, you expose the network to security risks.

The network is only as secure as the least secure computer attached to it. Many programs and tools exist
to help you secure the network-attached computers, such as antivirus or malware detection software.
However, if the software on some of the connected computers is not up to date, or worse, not enabled or
configured correctly, then these computers pose a security risk.

Computers that remain within your office environment and are always connected to the same network are fairly easy to keep configured and updated. Computers that connect to different networks, especially unmanaged networks, are more difficult to control; for example, portable computers that are connected to customer networks or to public wireless fidelity (Wi-Fi) hotspots. In addition, unmanaged computers seeking to connect remotely to the network, such as users' home computers, pose a challenge.
As discussed earlier in the course, NAP is a policy enforcement platform that requires NAP infrastructure
servers that are running Windows Server 2008 or later versions and NAP clients that are running Windows
XP with Service Pack 3 (SP3), Windows Vista, or later operating systems. NAP lets you more strongly
protect network assets by enforcing compliance with system health requirements.
NAP provides the necessary software components to help make sure that computers connected or
connecting to the network remain manageable, so they do not become a security risk to the network and
other attached computers. This enables you to more confidently allow computers to connect to the
network.
Access Control

After computers have connected to the network and have access to the server data, you can protect the
integrity of the data by configuring appropriate file permissions. Make sure that you grant permissions
only where they are required, and grant the minimum permissions that are required. This is especially
important if users from outside your organization are connecting to the network.

Physical Security Best Practices

To help reduce the physical security risks, consider the following points:

• Site security. Where you can, make sure that only authorized persons have access to the physical site
  where your computers are located. This is more difficult with branch offices, and also with certain
  commercial markets, such as retail.

• Computer security. Make sure that server computers, or any computer that contains or has access to
  important data, are physically secure. Ideally, put servers and their storage devices in computer rooms
  that are protected by physical security mechanisms such as smart card access or any level of per-user
  authentication. In high-security environments, consider implementing biometric security to make sure
  that only authorized persons can physically access your computers.

• Disable Log On Locally. The ability to log on interactively at a computer is a right that is typically
  granted to all users for all computers in your forest except for domain controllers. Where more
  security is required, consider disabling log on locally. If a user cannot log on, this reduces their ability
  to perform actions on the network. Data centers are typically required to have this level of access. In
  higher level security facilities, this could also be done for each server.

• Mobile device security. Mobile devices, for example portable computers and mobile telephones,
  give users the convenience of being able to access the corporate network from anywhere. However,
  this raises the possibility that these devices might be lost or stolen. Make sure that you implement
  appropriate security on mobile devices so that if they are lost or stolen, data is not compromised.
  Consider implementing remote wipe technologies on mobile devices such as Windows Mobile
  handsets. Consider implementing EFS and BitLocker Drive Encryption on portable computers.

• Removable devices and drives. Carefully consider whether the convenience of users being able to
  copy files to and from removable storage devices outweighs the security risk posed. If you decide that
  users will be able to use removable storage devices, consider implementing BitLocker To Go on
  these devices. This provides data encryption on the device. Another important consideration is
  Active Directory Rights Management Services (AD RMS), which helps secure important data and
  makes sure that it cannot be read on other devices or in the cloud.

More information about Security Content can be found at the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309120

Lesson 3

Internet Security

Internet access has become much more prevalent in recent years, and it seems ever present for work
productivity, personal development, and entertainment. As the demand for more integration of services
and Internet connectivity grows, and users perform increasingly complex tasks on the Internet, there is an
increase in related risks. This lesson explores the technologies and features that are available in Windows
to help protect your Windows-based computers while connected to the Internet.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the risks posed by connecting to the Internet.

• Describe possible mitigations to these risks.

• Describe the Windows Server components and features that can help provide this Internet security.

• Describe Windows Internet Explorer security settings.

• Configure Internet Explorer security settings.

What Are the Risks?

When you connect your computer to any untrusted network, including the Internet, you expose it to many
potential security risks. Consider the security risks posed by the Internet in relation to the applications
that you use when you are connected to the Internet. Common applications, and associated security risks,
include the following:

• Email. An email message can contain a malicious payload. For example, the message might contain:

  o A malicious executable file that is attached to the message.

  o A request for personal information.

  o Inappropriate content.

  o Embedded links to unsafe websites.

  Remember also that most email is sent in clear text; that is, it is not encrypted. This means that if the
  message is intercepted, anyone can read and potentially change the message contents. Additionally, most
  email is transmitted between hosts that have no knowledge of one another. Therefore, most email traffic
  is not authenticated. This makes it more difficult to determine the true originator of a message.

• Web browsing. A website can hide many security risks, including malicious programs. Common risks
  associated with websites include the following:

  o Plug-ins. These are applications that work with your browser to provide additional capabilities. For
    example, you can use plug-ins to enable your browser to view video files. They can expose security
    flaws in your browser.

  o ActiveX controls. These small programs are downloaded by your browser to enable it to perform
    several specialized tasks, such as manipulating data files or viewing specific file types. Malicious
    ActiveX controls can pose a security threat to your computer.

  o Cross-site scripting. By using this, an attacker can inject client-side scripts into webpages that your
    computer is viewing, even when the website you are viewing is considered a safe source.

  o Cookies. Cookies are used for authentication, session tracking, storage of website preferences,
    shopping cart contents, and many other potential uses. Because of the sensitive data that is stored in
    cookies, they can be misused.

  It is also important to make sure that you have navigated to the appropriate site instead of to a bogus
  site masquerading as a legitimate site.

• Instant messaging (IM). This method of communicating with friends and colleagues is very popular.
  However, it has attracted the attention of malicious attackers. IM messages can contain links to unsafe
  websites, and IM can be used to start file transfers, remotely control sessions, or share files and content
  on your computer.

• Social networking. There are many social networking sites. These sites can pose the same security
  risks as any other website. However, remember that these sites exist as a way for you to share
  information, some of which may be personal information. Be careful when you share your personal
  information with other people.

• File download. Any file that you download from the Internet can come from an untrusted source and
  might contain harmful code. Make sure that you only download files from trusted sources and make
  sure that files are digitally signed so that you can easily determine the file's origin. This is especially
  relevant for device drivers because files of this type, if malicious, can have a far more harmful effect
  on your computer.

• Computer updates. It is common for software that is installed on your computer, including the
  operating system, to periodically check for and download updates. This keeps your computer up to
  date, performing optimally, and secured through the application of security updates. However,
  software obtained from an untrusted source could use this update mechanism to download malicious
  code onto your computer. Make sure that you verify that the updates are safe.

In addition, just connecting to the Internet exposes your computer to possible security risks. For example,
if you connect to the Internet from your home or from the office, the chances are that the connection is
reliable and reasonably secure. However, when you connect to the Internet from a location such as a
wireless hot spot, you might expose your computer to additional security risks.
Also, be aware that although the connection provided by the hot spot might itself be secure, other
computers that are connected to that hot spot might be compromised by security flaws that could affect
your computer. In addition, hot spots commonly provide an unsecured connection for easier wireless
Internet access. Under these circumstances, data that your computer sends and receives can be captured
and accessed by third parties.

More information about the Security Risk Management Guide can be found at the following
webpage:
http://go.microsoft.com/fwlink/?LinkID=309119

Mitigating Risks

You can help reduce the chances of your computer's security being compromised if you follow the
defense-in-depth approach when you connect your computer to the Internet. When you perform common
tasks on the Internet, consider the following points to help reduce security risks:

• Email. Implement email software, or use additional software with your email software, that supports
  the following important security features:

  o Anti-spam control. Make sure that junk email is either quarantined or deleted. Anti-spam software
    can identify spam messages by using many different technologies.

  o Antivirus control. Scan incoming and outgoing messages for viruses. Make sure that you keep the
    antivirus software up to date to provide sufficient protection against new and emerging threats.

  o Attachment handling controls. Some email software, such as Microsoft Outlook, enables you to
    configure how attachments of specific types are handled. For example, you can configure the email
    software to block attachments of file types that can contain malicious code, such as executable files.

  o Authentication and encryption of network traffic. As an example, connecting to a Microsoft
    Exchange Server account through Outlook Anywhere (also known as Remote Procedure Call over
    HTTP Protocol [RPC over HTTP]) is secure, as opposed to using Post Office Protocol version 3/Simple
    Mail Transfer Protocol (POP3/SMTP).

• Web browsing. A web browser should let you select appropriate security settings based on the
  trustworthiness of a website. For example, with Internet Explorer, you can define security settings for
  different security zones, such as Internet, local intranet, trusted sites, and restricted sites. Security
  settings within the context of these zones include whether to download and run ActiveX controls,
  scripting behavior, and how to handle signed or unsigned content.

  It is also important to implement security software when you surf the web. Suitable software should
  provide antivirus protection, spyware protection, identity protection, and a link scanner that can help
  identify unsafe websites before you visit them.

  Finally, be cautious when you shop online. Only use sites that you trust, that can provide a digital
  certificate to verify their identity, and that give you redress should something go amiss with your order.

• IM. Many security software packages provide protection against viruses in files that you might
  receive by instant message. However, be careful about the information that you disclose during an
  instant message conversation because these messages are frequently sent and received in clear text.

• Social networking. Make sure that you only disclose information through social networking sites that
  you are happy to see in the public domain. It is a good idea to limit the kind of information that you
  share. For example, disclosing details about your finances, combined with information about your
  address, can give a malicious attacker sufficient information to steal your identity and commit fraud.

• File download. You can limit your exposure to unsafe downloads by implementing antivirus
  software. Additionally, by only downloading files from trusted sources and files that provide a digital
  signature, you can help reduce the security risk posed by downloads. Frequently, downloaded files
  can appear safe but actually contain code that installs additional software that harms your
  computer. Windows implements a security feature known as User Account Control (UAC) that enables
  you to control unintended software installations.

• Computer updates. To make sure that your computer updates are safe, only download updates from
  safe sources. Computers that are running Windows-based operating systems obtain their updates
  from the Microsoft Update website or from a local server within your organization that is running
  Windows Server Update Services (WSUS).

• Connecting to the Internet. When you connect to the Internet, make sure that you have enabled a
  host-based firewall. Computers that are running Windows-based operating systems implement
  Windows Firewall with Advanced Security. When you first connect to a new network, such as a
  wireless hot spot, you must define whether the network is public or private. Windows Firewall with
  Advanced Security then adjusts the security settings based on your selection.

  In addition to a host-based firewall, it is also a good idea to make sure that the router that connects to
  the Internet provides additional protection. Typical home-office Asymmetric Digital Subscriber Line
  (ADSL) routers provide NAT and firewall functionality.

Note: Generally, do not use elevated accounts for surfing the web or accessing email. Use
regular user accounts for those things, and use accounts that have more administrative rights
only for their intended purpose.

Implementing Internet Security with Windows

Windows-based operating systems provide several security features that help make sure that
connectivity to the Internet is secure.

User Account Control

User Account Control (UAC) is a security feature that helps prevent unauthorized changes to a
computer. It does this by asking the user for permission or for administrator credentials before
performing actions that could potentially affect the computer's operation or that could change
settings that would affect multiple users.

By default, both standard users and administrators run applications and access resources in the security
context of a standard user. The UAC prompt provides a way for a user to elevate his or her status from a
standard user account to an administrator account without logging off, switching users, or using Run As.
Because of this, UAC creates a more secure environment in which to run and install applications.

When a change is made to your computer that requires administrator-level permissions, UAC notifies you
as follows:

• If you are an administrator, click Yes to confirm that you want to continue with administrative
  rights.

• If you are not an administrator, someone with an administrator account on the computer will have to
  enter his or her password for you to continue.

Providing administrative credentials for a standard user temporarily gives the user administrative
privileges, but only to complete the current task. After the task is complete, permissions change back to
those of a standard user. This makes sure that even if you are using an administrator account, changes
cannot be made to your computer without your knowledge. This security can help prevent malicious
software and unwanted third-party software from being installed on or making changes to your computer.
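As an added example (not from the course), this PowerShell shows the two tokens UAC gives a member of the Administrators group: run it on a test machine once from a normal window and once from a window started with Run as administrator. It changes no settings and assumes the English output format of whoami.exe.

```powershell
# Added example, not course code. Reports which token this PowerShell process is running with.
function Test-Elevated {
    # True only when this process holds the full administrator token (after a UAC prompt);
    # in a normal window an administrator's filtered token fails this check, which is what
    # "runs in the security context of a standard user" means in practice.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacTokenSummary {
    # whoami.exe ships with Windows; /groups lists the token's groups with their attributes and
    # the integrity label: "Medium Mandatory Level" for the filtered token, "High" after elevation.
    $groups = whoami /groups
    $label  = ($groups | Select-String 'Mandatory Level' | Select-Object -First 1).Line
    $integrity = if ($label) { ($label -split '\s{2,}')[0] } else { 'unknown' }
    [pscustomobject]@{
        User           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Elevated       = Test-Elevated
        IntegrityLevel = $integrity
        # In the filtered token the Administrators group is still listed, but marked
        # "Group used for deny only": it can only match deny permissions, never grant access.
        AdminGroupDenyOnly = [bool]($groups | Select-String 'BUILTIN\\Administrators.*deny only')
    }
}

Get-UacTokenSummary | Format-List
```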
Windows Firewall

Windows Firewall is a host-based, stateful firewall. It drops incoming traffic that does not correspond to
traffic sent in response to a request (solicited traffic) or unsolicited traffic that is specified as allowed
(accepted traffic). Windows Firewall helps provide protection from malicious users and programs that rely
on unsolicited incoming traffic to attack computers. Windows Firewall can also drop outgoing traffic and
is configured by using the Windows Firewall with Advanced Security snap-in, which integrates rules for
both firewall behavior and traffic protection with IPsec.
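The following PowerShell, added here and not part of the course, applies the posture described in both the "Connecting to the Internet" point above and this Windows Firewall section, using the NetSecurity cmdlets of Windows 8 and Windows Server 2012 and later. The interface alias 'Wi-Fi' is an assumed placeholder; run it elevated on a test machine.

```powershell
# Added example, not course code. Requires the NetSecurity module (Windows 8 / Server 2012+); run elevated.
Import-Module NetSecurity

function Set-UntrustedNetworkPosture {
    param([string]$InterfaceAlias = 'Wi-Fi')   # placeholder alias for this example

    # Classify the connection as Public so that the Public profile (the strictest one) applies to it.
    Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Public

    # Stateful default for that profile: replies to the computer's own requests (solicited traffic)
    # still pass; unsolicited inbound traffic is dropped unless an allow rule accepts it.
    # Logging dropped packets leaves evidence of what the firewall is stopping.
    Set-NetFirewallProfile -Profile Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
}

function Get-UnsolicitedInboundAllows {
    # Every enabled inbound allow rule that applies to the Public profile is unsolicited traffic
    # you have chosen to accept on untrusted networks, so review this list after each install.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        Select-Object DisplayName, Profile,
            @{ Name = 'LocalPort'; Expression = { ($_ | Get-NetFirewallPortFilter).LocalPort } }
}

Set-UntrustedNetworkPosture -InterfaceAlias 'Wi-Fi'
Get-UnsolicitedInboundAllows | Format-Table -AutoSize
```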
Windows Defender

Windows Defender on your Windows 8 client helps protect you from spyware and malicious software.
Windows Defender is not antivirus software. Windows Defender offers three ways to help keep spyware
from infecting the computer:

• Real-time protection is the mechanism that actively monitors for malware and alerts you when
  potentially unwanted software tries to install itself or run on the computer. It also alerts you when
  programs try to change important Windows settings.

• The Microsoft SpyNet community helps you see how other people respond to software that has not
  yet been classified for risks. When you participate, your choices are added to the community ratings
  to help other people decide what to do.

• Scanning options are used to scan for unwanted software on the computer, to schedule scans
  regularly, and to automatically remove any malicious software that is detected during a scan.

Internet Explorer Security Settings

Internet Explorer security options help you secure your computer while providing a functional browsing
environment. Internet Explorer has new functionality that helps protect computers against malicious
software, and helps protect users against data theft from fraudulent websites. In addition, Internet
Explorer comes with safe and easy add-on functionality that gives users full control over adding
functionality to their online experiences, while at the same time avoiding unintended, unwanted software
downloads.
Dynamic Security Options
The following table describes some of the most important dynamic security options that you can
configure for Internet Explorer.
Dynamic security options          Use

ActiveX Filtering                 Disables ActiveX controls to prevent potentially vulnerable controls from
                                  being exposed to attack. You can enable or disable ActiveX Filtering by going
                                  to the Tools menu and selecting ActiveX Filtering. If you visit a website that
                                  contains ActiveX controls, you receive a prompt and have the option of turning
                                  on the ActiveX controls for that site.

Security Report                   If you go to a secure website, indicated by the https protocol, a lock appears
                                  in the address bar. By clicking that lock, you can view a security report that
                                  attempts to provide identification information about the website. You can also
                                  view the site's certificate. You can also access the security report option from
                                  the Safety menu.

SmartScreen Filter                Protects you against phishing sites, warns you when you visit potential or known
                                  fraudulent sites, and can block the site. The opt-in filter updates several
                                  times per hour with the latest security information from Microsoft and several
                                  industry partners. SmartScreen Filter is available from the Tools menu.

Delete Browsing History           Allows you to clean up cached pages, passwords, form data, cookies, and history.

Address Bar Protection            Displays an address bar for every window, whether pop-up or standard, to help
                                  block malicious sites from emulating trusted sites.

International Domain Name         Adds support for International Domain Names in Uniform Resource Locators
Anti-Spoofing                     (URLs), and notifies you when visually similar characters in the URL are not
                                  expressed in the same language. Therefore, it protects you against sites that
                                  could otherwise appear as known, trusted sites.

URL Handling Security             Redesigned URL parsing ensures consistent processing and minimizes possible
                                  exploitation. The new URL handler helps centralize critical data parsing and
                                  increases data consistency.

Fix Settings for Me               Warns you with an Information Bar when current security settings might put you
                                  at risk, which can prevent you from browsing with unsafe settings. Within the
                                  Internet Options dialog box, certain items are highlighted in red when they are
                                  not safely configured. In addition, this option issues reminders that the
                                  settings remain unsafe. You can instantly reset Internet security settings to the
                                  Medium-High default level by clicking Fix Settings For Me in the Information Bar.

Manage Add-ons                    Add-ons can potentially have a significant effect on performance. Manage Add-ons
                                  allows you to proactively manage the add-ons that are installed in your browser
                                  and choose to enable, disable, or uninstall them. Manage Add-ons is available
                                  from the Tools menu in Internet Explorer.

Tracking Protection               A feature that blocks third-party web content that could potentially track
                                  someone's web activity. With Tracking Protection Lists, you can select which
                                  third-party sites can receive your information and track you online.

InPrivate Browsing                A feature that prevents Internet Explorer from storing data about your browsing
                                  session. This helps prevent anyone else who might be using your computer from
                                  seeing where you visited and what you looked at on the web.

Compatibility View                Allows you to view websites as if you were viewing them in previous versions of
                                  Internet Explorer. Some websites may have been designed for a previous version
                                  of Internet Explorer and as such do not display well in the version you have on
                                  your operating system. Compatibility View gives you the option to provide
                                  backward compatibility support to address this.

Protected Mode

Protected mode provides Internet Explorer with the rights that you need to browse the web, while at the
same time withholding rights needed to silently install programs or change sensitive system data. In
addition, Protected mode helps protect against malicious downloads by restricting the ability to write to
any local computer zone resources other than temporary Internet files. Web-based software cannot write
to any location other than the Temporary Internet Files folder without explicit user consent.

Running programs that have limited user rights instead of administrator rights offers better protection
against attacks, because Windows can restrict the malicious code from performing damaging actions. This
additional defense helps make sure that scripted actions or automatic processes cannot download data to
locations other than directories with lower rights, such as the Temporary Internet Files folder.
Although Protected mode does not protect against all forms of attack, it significantly reduces the ability
of an attack to write, alter, or destroy data on the user's computer, or to install malicious code.
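Added example, not from the course: the per-user registry values that the Internet Options dialog writes for each security zone, with functions to read a zone's level and Protected Mode state, turn Protected Mode on for a zone, and place a host in the Trusted Sites zone (the same changes that the lab later in this module makes through the GUI). It assumes the zone numbers and level codes documented for Internet Explorer and the lab's lon-dc1 host name; Internet Explorer picks the values up the next time it starts.

```powershell
# Added example, not course code. Internet Explorer keeps per-user zone settings under these keys;
# the Internet Options > Security tab writes the same values.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers: 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites.
$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# CurrentLevel codes written by the security slider.
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Get-IEZoneSetting {
    param([ValidateRange(0, 4)][int]$Zone)
    $p = Get-ItemProperty -Path "$ZonesKey\$Zone"
    $level = $LevelNames[[int]$p.CurrentLevel]
    if (-not $level) { $level = 'Custom' }            # individual settings changed by hand
    $protected = if ($p.'2500' -eq 0) { 'On' } else { 'Off' }   # value 2500: 0 = on, 3 = off
    [pscustomobject]@{ Zone = $ZoneNames[$Zone]; Level = $level; ProtectedMode = $protected }
}

function Enable-IEProtectedMode {
    # Same effect as ticking "Enable Protected Mode" for the zone in Internet Options:
    # web content in that zone runs at low integrity and cannot write outside Temporary Internet Files.
    param([ValidateRange(0, 4)][int]$Zone)
    Set-ItemProperty -Path "$ZonesKey\$Zone" -Name '2500' -Value 0 -Type DWord
}

function Add-IETrustedSite {
    # Maps a host to zone 2 (Trusted Sites). The value name is the scheme ('*' = any scheme).
    param([string]$HostName, [ValidateSet('http', 'https', '*')][string]$Scheme = 'http')
    $key = "$ZoneMapKey\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Report the four configurable zones (the lab's Task 1 asks for the Local Intranet level).
1..4 | ForEach-Object { Get-IEZoneSetting -Zone $_ } | Format-Table -AutoSize

# Lab Task 2: Protected Mode on for Local Intranet; lab Task 4: lon-dc1 into Trusted Sites.
Enable-IEProtectedMode -Zone 1
Add-IETrustedSite -HostName 'lon-dc1'
Get-IEZoneSetting -Zone 1
```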
Parental Controls

To help keep children safer online, parents can control browsing behavior through the Parental Control
settings. In Windows 8, you can specify a child's account type and also turn on Family Safety for reports of
their computer usage. You can apply a restriction to many activities on the computer, such as playing
games or surfing the Internet. You can also examine a child's browsing session. The child lacks the
necessary permissions to remove their session history.

Note: Parental Control settings are available only if the computer is not a member of a domain.
Manage Add-ons
The Internet Explorer Manage Add-ons console is designed to give you more control over Internet
Explorer add-ons. Add-ons are a great way to introduce new functionality to your online experience.
However, add-ons can also affect performance or potentially introduce malicious software to your
computer. You can use the Manage Add-ons console to proactively review what has been installed and
whether it is enabled or disabled. The console breaks add-ons down into the following categories:

• Toolbars and extensions

• Search providers

• Accelerators and Providers

• Tracking Protection

Depending on the type of add-on it is, you can disable or enable it, or remove it entirely. Before you
disable or remove an add-on, keep in mind that some webpages, or Internet Explorer itself, might not
display correctly if certain add-ons are disabled.
SmartScreen Filter

Businesses put lots of effort into protecting computer assets and resources. Phishing attacks, a form of
social engineering attack, can evade those protections and result in users giving up personal
information. Most phishing scams target people in an attempt to extort money or perform identity theft.

SmartScreen Filter helps protect against imposter websites and general malware; it also adds a level of
control around warnings associated with these sites.

Demonstration: How to Secure Internet Explorer


In this demonstration, you will see how to disable an Internet Explorer add-on.

Demonstration Steps

1. Enable the Menu Bar, Command Bar, and Status Bar in Internet Explorer.

2. Turn on ActiveX Filtering.

3. View a webpage that uses an ActiveX control.

4. Turn on ActiveX Control filtering.

5. View Security Report.

6. View certificate errors on secure sites with no certificate or an unrecognized certificate.

7. View Manage Add-ons.

8. Add a website to Trusted Sites.

9. Disable Tabular Data Control.

Lab: Implementing IT Security Layers


Scenario

Alan Brewer has visited various Research department branch offices. On his return to head office, he
produced a list of security concerns and sent them by email to Ed Meadows, your boss. Ed has tasked you
with the resolution of these issues.

Objectives
After completing this lab, you will be able to:

• Suggest steps that an organization could take to provide physical security for a branch office.

• Configure Internet Explorer security settings.

Lab Setup
Estimated Time: 30 minutes
Virtual Machines: 10967A-LON-DC1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

   o User name: Administrator

   o Password: Pa$$w0rd

   o Domain: ADATUM

Exercise 1: Implementing Physical Security


Scenario

The security issues that were identified revolve around the fact that many of the branch offices cannot be
physically secured. After you have completed the incident record, propose how to best address Alan's
physical security concerns.

Supporting Documentation

Subject: RE: Branch offices security concerns
From: Ed Meadows [Ed@adatum.com]
Sent: May 6
To: Charlotte@adatum.com
Attached: Incident Record

Charlotte,
Please look at the attached incident record and review Alan's concerns. Get a plan together for
resolving these security concerns.
Thanks,
Ed

Subject: Branch offices security concerns
From: Alan Brewer [Alan@adatum.com]
Sent: May 5
To: Ed@adatum.com

Ed,

I just got back from the branches. I'm pretty worried that, given the sensitive nature of the data we
handle in Research, physical security is pretty lax compared with the head office. I have listed my main
concerns below:

• Laptops are used by research staff. The staff frequently takes the laptops home.

• In some branches, there is no dedicated room for the servers.

• We let external contract staff connect their own computers to our research networks.

• I notice that some personnel bring music files on USB drives into the offices.

Regards, Alan

A. Datum Network Security Policy - Laptops

Document Reference Number: EM220109/1
Document Author: Ed Meadows
Date: January 22

Overview
This document defines the corporate policy about laptops and other portable computing devices within
A. Datum Corporation.

Policies

1. Any network device that is moved from the office of A. Datum Corporation must be configured in
   such a way that loss of the device does not lead to a compromise of the stored data.

2. Laptops can connect to other networks provided:

3. A suitable firewall is in place.

4. The computer is up to date with security updates.

5. Protection against viruses and malware is installed.

6. Portable storage devices are permitted for use on laptops as long as their loss does not compromise
   the data stored on them.

A. Datum Incident Record

Incident Reference Number: 501285
Call logged by: Ed Meadows
Date of call: May 10
Time of call: 10:50am
User: Alan Brewer
Status: OPEN

Incident Details
Call logged by information technology (IT) manager following inquiries at branch offices about
physical security problems raised by Research department manager, Alan Brewer. Reported
concerns:

1. Laptops are used by research staff. The staff frequently take the laptops home.

2. In some branches, there is no dedicated room for the servers.

3. External contract staff can connect their own computers to the research networks.

4. Staff use personal USB storage devices on work computers.

Questions

1. What security policies apply to the branch office laptops as defined in the A. Datum Network
   Security Policy - Laptops document?

2. What security concerns do you have about the branch offices?

3. How would you address the concerns you might have about laptop use?

4. How would you address the concerns you might have about the lack of dedicated server rooms?

5. How would you address the concerns you might have about contractor computer use?

6. How would you address the concerns you might have about removable storage devices?

7. Complete the following resolution section with a summary of your proposals.

Resolution:

The main tasks for this exercise are as follows:

1. Read the supporting documentation

2. Complete the incident record

Task 1: Read the supporting documentation

1. Read the email and the incident record to determine the possible problem causes.

2. Read the A. Datum Network Security Policy - Laptops document to determine if you must enforce
   any changes at the branch based on corporate policies.

Task 2: Complete the incident record

1. Complete the Resolution section of the Incident Report by answering these questions.

2. What security policies apply to the branch office laptops as defined in the A. Datum Network Security
   Policy - Laptops document?

3. What security concerns do you have about the branch offices?

4. How would you address the concerns you might have about laptop use?

5. How would you address the concerns you might have about the lack of dedicated server rooms?

6. How would you address the concerns you might have about contractor computer use?

7. How would you address the concerns you might have about removable storage devices?

8. Complete the resolution section below with a summary of your proposals.

Results: After this exercise, you should have completed the incident record.

Exercise 2: Configuring Security Settings in Windows Internet Explorer


Scenario

When Alan returned from the branch offices, he had several problems with his laptop. You determined that these problems were related to his laptop's Internet Explorer settings. You must verify that the settings are appropriate.

The main tasks for this exercise are as follows:

1. Verify the current Internet Explorer security settings
2. Change the Intranet Zone security settings
3. Test the security settings
4. Add the website to the Trusted Sites list
5. Test the security zone change
6. View Security Report
7. Revert the lab machines

Task 1: Verify the current Internet Explorer security settings


1. Make sure that you are logged on to the 10967A-LON-DC1 virtual machine with user account ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer.
3. What is the current security level for the local intranet zone?

Task 2: Change the Intranet Zone security settings


1. Change the security settings for the local intranet zone to High.
2. Enable Protected Mode for the local intranet zone.

Task 3: Test the security settings


1. Open Internet Explorer.
2. Enable the Menu, Command and Status bars.
3. Browse to http://lon-dc1/intranet.
4. What is the security zone that this website is listed as being in?
5. Is protected mode turned on or off for this website?
6. On the A. Datum Intranet Home page, click Current Projects.
7. Did the webpage load correctly?
8. In Manage Add-ons, can you see the Tabular Data Control Add-on?
9. What is the default search provider?
10. Close the A. Datum Projects webpage.

Task 4: Add the website to the Trusted Sites list


1. What is the current security level for the trusted sites zone?
2. Add the http://lon-dc1 site to the Trusted sites list.
3. What security zone is this website listed as being in now?

Task 5: Test the security zone change


1. On the A. Datum Intranet home page, click Current Projects.
2. Did the projects list populate?
3. In Manage Add-ons, can you see a Tabular Data Control Add-on?
4. Use the Tools menu to turn off ActiveX Filtering.
5. Close Internet Explorer.

Task 6: View Security Report

1. Go to the website https://www.microsoft.com.
2. Notice the presence of a lock icon now appearing in the address bar.
3. Click the lock icon.
4. A website identification dialog appears, which contains information about the identity of the website and who, if anyone, has identified the site if the site has a certificate. You can also view the certificate.

Task 7: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Results: After this exercise, you should have modified Internet Explorer security settings.
Question: In the lab, you were concerned primarily with physical security concerns. What
potential support issues might arise following implementation of your proposed changes?
Specifically, what issues might arise surrounding the encryption of files and volumes and the
prohibition of USB storage devices?
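The lab above changes Internet Explorer zone settings through the GUI. The following script is an added example, not part of the course or the lab, that reads those settings back for the current user so an administrator can verify the result of Tasks 2 and 4 without clicking through the dialogs. The registry paths, the value names (CurrentLevel and 2500), and the encodings of security levels and zone numbers are the editor's assumptions about how Internet Explorer stores these settings; none of them are given on the page.

```powershell
# Added example, not part of the lab text: read back for the current user the Internet
# Explorer zone settings that the lab changes through the GUI. The registry paths, the
# value names (CurrentLevel, 2500) and the encodings of levels and zone numbers are the
# editor's assumptions about how IE stores these settings; they are not on the page.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Security level and Protected Mode flag for each of the four URL zones (lab tasks 1, 2 and 4).
function Get-IeZoneSecurity {
    foreach ($zone in 1..4) {
        $p = Get-ItemProperty -Path "$zonesKey\$zone" -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $level = $p.CurrentLevel
        $levelText = if ($null -eq $level) { 'Not set' }
                     elseif ($levelNames.ContainsKey([int]$level)) { $levelNames[[int]$level] }
                     else { 'Custom (0x{0:X})' -f $level }
        # Value name 2500 holds the Protected Mode switch: 0 = on, 3 = off.
        $pmText = switch ($p.'2500') { 0 { 'On' } 3 { 'Off' } default { 'Not set' } }
        [pscustomobject]@{
            Zone          = $zoneNames[$zone]
            SecurityLevel = $levelText
            ProtectedMode = $pmText
        }
    }
}

# Sites explicitly assigned to a zone (lab task 4 adds lon-dc1 to Trusted sites). Keys are
# stored with the domain as parent and the host label as subkey, e.g. Domains\contoso.com\www;
# the value name is the scheme (http, https or *) and the data is the zone number.
function Get-IeZoneAssignments {
    foreach ($sub in 'Domains', 'EscDomains') {   # EscDomains: entries made while IE Enhanced Security Configuration is on
        $root = "$zoneMapKey\$sub"
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            $labels = ($key.Name -replace "^.*\\$sub\\", '') -split '\\'
            [array]::Reverse($labels)
            foreach ($scheme in $key.GetValueNames()) {
                [pscustomobject]@{
                    Site   = '{0}://{1}' -f $scheme, ($labels -join '.')
                    Zone   = $zoneNames[[int]$key.GetValue($scheme)]
                    Source = $sub
                }
            }
        }
    }
}

Get-IeZoneSecurity    | Format-Table -AutoSize
Get-IeZoneAssignments | Format-Table -AutoSize
```

After Task 2 the Local intranet row should report High with Protected Mode On, and after Task 4 the assignments list should contain lon-dc1 in the Trusted sites zone. Settings pushed by Group Policy live under the corresponding HKLM and Policies keys rather than the HKCU keys read here, so a value that looks unchanged in this output may still be overridden by policy.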


Module Review and Takeaways


Best Practice:
Best practices for implementing defense-in-depth.
Supplement or change the following best practices for your own work situations:


Create specific rules that help prevent social engineering and educate users on these rules and their
relevance.

Restrict physical access to servers by locking doors and then monitor server room access.

Implement firewalls at network boundaries.

Implement NAT.

Use virtual private networks (VPNs) and implement network encryption.

Segment the network.

Require mutual authentication.

Restrict switch ports and wireless access points based on media access control (MAC) address or client
certificates.

Harden operating systems.

Monitor access attempts.

Implement antivirus and antispyware software.

Implement host-based firewalls.

Run applications that have the least user rights possible.

Install security updates.

Enable only required features and functionality.

Implement and configure suitable NTFS or ReFS file system permissions.

Implement file and volume encryption.

Implement rights management.

Review Questions
Question: Why is it important to educate users about your organization's acceptable use
policy?
Question: How could you help reduce the risk that your wireless network is the target of
unauthorized packet sniffing?
Question: What are the risks associated with allowing your users to connect their laptops to
Wi-Fi hotspots?


Module 9
Implementing Security in Windows Server
Contents:
Module Overview 9-1
Lesson 1: Overview of Windows Security 9-2
Lesson 2: Securing Files and Folders 9-15
Lesson 3: Implementing Encryption 9-27
Lab: Implementing Security in Windows Server 9-35
Module Review and Takeaways 9-40

Module Overview

As organizations expand the availability of network data, applications, and systems, it becomes more
challenging to ensure network infrastructure security. Security technologies in the Windows Server
operating system enable organizations to provide better protection for their network resources and
organizational assets in increasingly complex environments and business scenarios. This module reviews
the tools and concepts available for implementing security in a Windows infrastructure.

Objectives
After completing this module, you will be able to:

Describe the Windows Server features that help improve the network's security.

Explain how to secure files and folders in a Windows Server environment.

Explain how to use Windows Server encryption features to help secure access to resources.

Lesson 1

Overview of Windows Security


Windows Server 2012 includes many features that provide different methods for implementing security.
These features combine to form the core of Windows Server 2012 security functionality. Understanding
the concepts covered in the previous module and combining them with specific Windows Server 2012
features and functionality covered in this module is critical to maintaining a secure environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe authentication and authorization.

Describe User Account Control (UAC).

Describe file and shared folder permissions.

Describe account lockout and password policies.

Describe fine-grained password policies.

Describe security auditing features.

Describe the use of digital certificate encryption.

What Is Authentication and Authorization?


Security in a Windows infrastructure relies on accounts and their passwords, such as a user name and password or computer accounts and their passwords. The user name and password combination allows a user to gain access to network resources as specified by the user account's permissions. As described earlier in the course, this process is typically broken down into two components: authentication and authorization. These concepts are described in a bit more detail in the following sections.

Authentication

Authentication verifies that someone is who they claim to be. Authentication distinguishes legitimate users from uninvited guests, and is the most visible and fundamental concept in security. In private and public computer networks (including the Internet), the most common authentication method that is used to control access to resources involves verification of a user's credentials, that is, a user name and a password.

However, the user name and password combination is only one way of authentication. Other mechanisms and tools can also be used in the Windows Server 2012 environment to add multiple layers to the authentication process. This makes sure that users' identities on the network are legitimate and secure. Some of the other mechanisms available include the following:

Smart cards. A smart card refers to a credit-card shaped device that contains specific digital information, in most cases used to specifically identify a person. A user name and certificate are present on the card, and a password or PIN is required to access that certificate and prove your identity. Smart cards increase security because the user must have possession of the card and know the correct password or PIN that is tied to the certificate. Smart cards can also be used to provide physical security to help in controlling building or room access.

Universal serial bus (USB) tokens. These are similar in principle to smart cards because they can contain a certificate, and a PIN or password is required to access that certificate. One advantage of USB tokens over smart cards is that USB tokens don't require a specialized reader to be able to use them.

Biometrics. The term biometrics refers to the measuring of an unchanging physical or behavioral
characteristic to uniquely identify a given person. Fingerprints are the most common form of
implemented biometrics. Other possibilities include facial recognition, iris scanning, and voice
recognition. Biometric devices are most frequently used to provide an added measure of security in
environments where highly sensitive data is involved. The level of security they provide can vary,
depending on the hardware. That is, how accurate the fingerprint readers are, if they are built in, or if
the signals of the readers can be recorded and replayed.

A range of third-party solutions could also be implemented if you want.


Authorization

Authorization is the process of determining whether a user or computer is permitted access to a resource
and what the appropriate level of access is, usually known as access control. This could include
authorization to read, change, or delete files and folders, or combinations of these. It could also include
authorization to access services such as remote access or other permissions.
Authorization has two main components or phases:
1. The initial definition of permissions for system resources by the owner of a specific resource or a system administrator.
2. The subsequent checking of permission values by the system or application when a user tries to access a system resource.

Note: You can have authorization (access to resources) without first providing
authentication (entering a user name and password). This occurs many times in modern
computing. For example, when you access a webpage on the Internet, you are accessing the
resources on that web server (pages, graphics, and so on) without providing any kind of
authentication to the web server. So when you define authorization, admins can allow any
known user or even any anonymous user to access data.

You can also audit the access to resources by individuals or devices. This additional step of auditing
access to some resources provides another security layer to a defense-in-depth strategy.

What Is User Account Control?


The Administrator account or other administrative accounts (that is, any account that has some administrative rights, such as a delegated administrator, printer operator, or any other group that has elevated rights) carry with them a larger degree of security risk than a normal user account. For example, when the Administrator account, or a member of the Administrators group, is logged in, its privileges allow access to the whole Windows operating system. This includes the registry, system files, and configuration settings. As long as an Administrator account is logged in, the system is vulnerable to attack and can potentially be compromised. The use of other administrative accounts tries to limit the access to specific areas, but these accounts still carry with them a degree of risk if used with malicious intent.

UAC provides a method by which all users can be aware of the way their account privileges are being used on the computer.

UAC in Windows Server 2012
Turning on UAC ensures that both standard users and administrators can access resources and run
applications in the security context of a standard user.

UAC checks for administrative permissions, and prompts the user when an application requires those. The
user can select whether to grant the application the desired permissions. Users do not have to log off,
switch users, or use the Run As Administrator command. In this manner, UAC provides a secure
environment for the running and installing of applications.
When an application requires administrator-level permission, UAC notifies you:

If you are an administrator, you can click Yes to elevate your permission level and continue. This
process of requesting approval is known as Admin Approval Mode.

Note: In Windows Server 2008 R2 and Windows Server 2012, Admin Approval Mode is
disabled on the built-in Administrator account. This results in no UAC prompts when using the
local Administrator account.

If you are not an administrator, the user name and password for an account that has administrative
permissions needs to be entered. Providing administrative credentials temporarily gives you the
administrative privileges required to complete the task. After the task is complete, your permissions
are returned back to those of a standard user.

This process of notification and elevation of privileges makes it so that even if you are using an
administrator account, changes cannot be made to your computer without you knowing about it, which
can help prevent malicious software (malware) and spyware from being installed on or making changes to
your computer.
UAC allows certain system-level changes to occur without prompting, even when logged on as a local
user:

Install updates from Windows Update.

Install drivers from Windows Update or those that are packaged with the operating system.


View Windows settings.

Pair Bluetooth devices with the computer.

Reset the network adapter and perform other network diagnostic and repair tasks.

Modifying UAC Behavior

The UAC notification experience can also be modified in the User Accounts section of User Account
Control Settings in Control Panel to adjust the frequency and behavior of UAC prompts. With the use of a
slider, you can select from four options for level of notification:

Always notify me

Notify me only when apps try to make changes to my computer (default)

Notify me only when apps try to make changes to my computer (do not dim my desktop)

Never notify me

UAC can also be configured using Group Policy. The Group Policy settings can be found in Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. Here, the
following settings can be configured for UAC:

User Account Control: Admin Approval Mode for the built-in Administrator account

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure
desktop

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

User Account Control: Behavior of the elevation prompt for standard users

User Account Control: Detect application installations and prompt for elevation

User Account Control: Only elevate executables that are signed and validated

User Account Control: Only elevate UIAccess applications that are installed in secure locations

User Account Control: Run all administrators in Admin Approval Mode

User Account Control: Switch to the secure desktop when prompting for elevation

User Account Control: Virtualize file and registry write failures to per-user locations

Note: To fully disable the UAC prompts, you need to configure the Group Policy setting
User Account Control: Run all administrators in Admin Approval Mode. You must restart
your computer when you enable or disable UAC. Changing levels of notification does not require
that you restart your computer.

Also, the Group Policy setting User Account Control: Switch to the secure desktop when prompting for elevation is an important setting. When you are prompted for access approval or denial in the UAC dialog box, the computer desktop is dimmed and no other programs can run until approval or denial is selected. After a selection is made, the desktop will no longer be dimmed. The term secure desktop in this context is also known as dimming the desktop.
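The Group Policy settings listed above are stored by Windows as registry values, which makes them easy to audit from a script. The following is an added example, not part of the course text, that reads those values and compares them with a conservative baseline (secure desktop on, Admin Approval Mode on, standard users prompted for credentials rather than silently elevated). The registry value names, their mapping to the policy names above, and the baseline values are the editor's assumptions based on how Windows implements UAC policy; the page itself does not list them.

```powershell
# Added example, not part of the course text: compare the UAC-related Group Policy
# settings with a conservative baseline by reading the registry values that implement
# them. The value names, the mapping to policy names and the baseline values are the
# editor's assumptions (Windows stores these policies under HKLM\...\Policies\System);
# they are not given on the page.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected = $null means "report only": the right value for code-signature validation
# depends on whether every executable that elevates in your environment is signed.
$baseline = @(
    @{ Value = 'EnableLUA';                   Expected = 1;     Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Value = 'FilterAdministratorToken';    Expected = 1;     Policy = 'Admin Approval Mode for the built-in Administrator account' }
    @{ Value = 'ConsentPromptBehaviorAdmin';  Expected = 2;     Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode (2 = prompt for consent on the secure desktop)' }
    @{ Value = 'ConsentPromptBehaviorUser';   Expected = 1;     Policy = 'Behavior of the elevation prompt for standard users (1 = prompt for credentials on the secure desktop)' }
    @{ Value = 'PromptOnSecureDesktop';       Expected = 1;     Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Value = 'EnableInstallerDetection';    Expected = 1;     Policy = 'Detect application installations and prompt for elevation' }
    @{ Value = 'ValidateAdminCodeSignatures'; Expected = $null; Policy = 'Only elevate executables that are signed and validated' }
    @{ Value = 'EnableSecureUIAPaths';        Expected = 1;     Policy = 'Only elevate UIAccess applications that are installed in secure locations' }
    @{ Value = 'EnableUIADesktopToggle';      Expected = 0;     Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop' }
    @{ Value = 'EnableVirtualization';        Expected = 1;     Policy = 'Virtualize file and registry write failures to per-user locations' }
)

function Test-UacBaseline {
    param([string]$Key = $uacKey)
    $current = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($item in $baseline) {
        $actual = $current.($item.Value)      # $null when the value has never been written
        $status = if ($null -eq $item.Expected) { 'INFO' }
                  elseif ($null -eq $actual) { 'UNSET' }   # the Windows built-in default applies
                  elseif ([int]$actual -eq $item.Expected) { 'OK' }
                  else { 'DRIFT' }
        [pscustomobject]@{
            Status   = $status
            Value    = $item.Value
            Actual   = $actual
            Expected = $item.Expected
            Policy   = $item.Policy
        }
    }
}

Test-UacBaseline | Sort-Object Status | Format-Table -AutoSize
```

Run it in an elevated session on the server being checked. A DRIFT on EnableLUA is the case the note above describes: correcting it turns UAC on or off and takes effect only after a restart, whereas the prompt-behavior values change the notification level without one.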
Question: From a system administrator viewpoint, what are some of the advantages and
benefits of UAC?

File and Folder Permissions


The files and folders stored on a server can contain many forms of data. As an administrator, you might not want all users on the network to be able to perform certain operations on specific files and folders. After a user or group is authenticated, they can be granted permissions that authorize them to access files and folders.

There are three main categories of permissions: file, folder, and shared folder permissions.

File and folder permissions

File and folder permissions are available in Windows Server 2012 with the following file system types:

New Technology File System (NTFS)

Resilient File System (ReFS)


From a permissions point of view, both NTFS and ReFS provide this functionality. Permissions are assigned
to files and folders on NTFS or ReFS volumes and govern the access given to users who attempt to access
the files. Permissions are assignable to individual or sets of files and folders. File Allocation Table 32
(FAT32) does not allow for permissions at file and folder level.
Shared folder permissions
Shared folder permissions are available in Windows Server 2012 with the following file system types:

FAT32

NTFS

ReFS

When a local folder is shared or made accessible to the rest of the network, a separate set of permissions is assigned to the folder. Those permissions control users' access to the files from a network location. Shared folder permissions are assignable only to a folder or group of folders, not to individual files.

Note: Shared folder permissions can be combined with the file and folder permissions to
provide a two-level set of permissions for that specific folder when accessed over the network.
Note: Both file and folder permissions and shared folder permissions have a variety of
access levels that can be granted or denied to a specific user or group of users. These levels will
be covered in detail later in this module, along with a discussion of some of the differences
between NTFS and ReFS.
Dynamic Access Control

New in Windows Server 2012, Dynamic Access Control allows for access to files and folders to be
controlled by central policies that are conditional and built around attributes and claims. For example, if a
document has an attribute linking it to a particular department, administrators can create a policy that
allows access to the document only if a user is a member of that department, or possibly if a user has a
Full Time Employee attribute.
Dynamic Access Control is a powerful technology that allows for much more granular control and greater centralized management over file and folder access. It builds upon the existing NTFS and share permissions and combines multiple criteria into the access decision, so users must satisfy the NTFS and share permissions criteria, and the Central Access Policies defined by Dynamic Access Control, to gain access to the file. The central policies are enforced regardless of how the share and NTFS permissions might change.

Implementing Dynamic Access Control allows for reduced security group complexity, more robust adherence to compliance regulations, and protection of sensitive information. Also, with Dynamic Access Control, you can extend the functionality of an existing access control model.

Account Policies
The security provided by a password system depends on keeping the passwords secret at all times and on ensuring that the passwords used have a level of complexity that makes them hard to guess. Brute force attacks occur when a hacker uses tools that try all possible letter/number combinations to guess a user name and password.

Administrators can help protect their system by defining account policies such as password or lockout policies. These policies can require users to change their password regularly, specify a minimum password length, require passwords to meet certain complexity requirements, and define the criteria for when an account becomes locked or inaccessible. A domain's account policy settings are controlled by a number of Group Policy settings related to accounts and passwords.

You can configure account policy settings by accessing the following location from the Group Policy Management Console (GPMC): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies. The following table outlines the various policies that you can define for password policies.

Policy: Password must meet complexity requirements
What it does: Requires that passwords:
- Be at least as long as specified by the Minimum Password Length, with a minimum of three characters if the Minimum Password Length is set to 0.
- Contain a combination of at least three of the following characteristics: uppercase letters, lowercase letters, numbers, alphanumeric combination, symbols (!#% and so on).
- Do not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple letters or numbers. You can instruct users to use pass phrases to create long passwords that are easy to remember.

Policy: Enforce password history
What it does: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
Best practice: Enforcing password history ensures that passwords that have been compromised are not used over and over. If you select too low a number, some users might change their passwords a couple of times to get the old one back, so you should use a big enough value to enforce unique new passwords. For example, some companies might use values of 10 or 20 or greater.

Policy: Maximum password age
What it does: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
Best practice: Set a maximum password age of 30 to 70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.

Policy: Minimum password age
What it does: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least one day. By doing so, you require that the user can change their password only once a day. This will help to enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse their original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing their original password on the same day.

Policy: Minimum password length
What it does: Specifies the fewest number of characters a password can have.
Best practice: Set the length between eight and 12 characters (provided that the characters also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or common phrase. If you change the attribute in the domain object directly, you can use longer passwords. You can also use longer passwords if you use fine-grained password policies.

Policy: Store passwords using reversible encryption
What it does: Stores the password by using encryption that can be reversed in order for specific applications to verify the password.
Best practice: Do not use this setting unless you use a program that requires it. Enabling this setting decreases the security of stored passwords.

Note: Password settings that use Group Policies need to be either in the Default Domain Policy or in a policy linked to the domain. Organizational unit (OU)-level Group Policy Objects (GPOs) would only apply to local accounts of computers to which the GPO applies. This is explained in more detail in Module 6, Windows Server Roles.


The following table outlines the various policies that you can define to govern account lockout policies, for example, controlling what actions to take if a user repeatedly fails to enter a valid password when logging on to the system.

Policy: Account lockout threshold
What it does: Specifies the number of failed logon attempts allowed before the account is locked out. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect logon information three times.
Best practice: A setting from 3 through 5 will allow for reasonable user error and limit repeated logon attempts for malicious purposes.

Policy: Account lockout duration
What it does: Allows you to specify a timeframe, in minutes, after which the account will automatically unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with productivity of legitimate users. In most situations a duration of 30 to 90 minutes should work well.

Policy: Reset account lockout counter after
What it does: Defines a timeframe for counting the incorrect logon attempts. If the policy is set for one hour and the account lockout threshold is set for three attempts, a user can enter the incorrect logon information three times within one hour. If they enter the incorrect information twice but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
Best practice: Using a timeframe of 30 to 60 minutes is sufficient to deter automated attacks and manual attempts by an attacker to guess a password.

Note: Although password lockout settings can be a security option, they can also be seen
as a denial-of-service provider. For example, a malicious user could go to an external-facing
company website, for web mail for example, and enter a known user name and the wrong
password several times, which could render that account useless to its owner for a period of time,
or even require Help Desk interaction. You should be aware of and carefully consider the
password policies before implementing them to ensure that you fully understand the
implications.
Question: What would be the effect on a user's account if the user entered his or her
password incorrectly five times between 10:00 A.M. and 10:25 A.M. with the following
settings applied to the account:
Account lockout threshold: 4
Account lockout duration: 60 minutes
Reset account lockout after: 30 minutes.
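The three lockout settings in the table only make sense together, and the interaction is easiest to see by stepping through a sequence of failed attempts. The following is an added example, not part of the course text: a small model that applies the rules as the table describes them (failures counted from the first bad attempt in the window, the counter cleared once the reset timeframe has elapsed, the account rejected for the lockout duration, and duration 0 meaning locked until an administrator intervenes). The attempt timestamps are constructed sample data, and the function name is the editor's own.

```powershell
# Added example, not from the course text: a model of how Account lockout threshold,
# Reset account lockout counter after, and Account lockout duration interact, following
# the description in the table above. Timestamps below are constructed sample data.

function Test-LockoutSequence {
    param(
        [int]$LockoutThreshold,           # failed attempts before lockout (0 = never lock out)
        [int]$ResetCounterAfterMinutes,   # observation window, measured from the first failure
        [int]$LockoutDurationMinutes,     # 0 = locked until an administrator unlocks
        [datetime[]]$FailedAttempts       # times of bad-password attempts, in order
    )
    $badCount    = 0
    $windowStart = $null
    $lockedUntil = $null

    foreach ($t in $FailedAttempts) {
        if ($lockedUntil -and $t -lt $lockedUntil) {
            [pscustomobject]@{ Time = $t.ToString('HH:mm'); BadCount = $badCount; State = 'Locked out: attempt rejected' }
            continue
        }
        if ($lockedUntil) {                # lockout duration has expired: unlock and start fresh
            $lockedUntil = $null; $badCount = 0; $windowStart = $null
        }
        if ($windowStart -and ($t - $windowStart).TotalMinutes -ge $ResetCounterAfterMinutes) {
            $badCount = 0; $windowStart = $null   # reset timeframe elapsed: counter starts again at one
        }
        if (-not $windowStart) { $windowStart = $t }
        $badCount++
        $state = "Counting ($badCount of $LockoutThreshold)"
        if ($LockoutThreshold -gt 0 -and $badCount -ge $LockoutThreshold) {
            if ($LockoutDurationMinutes -eq 0) {
                $lockedUntil = [datetime]::MaxValue
                $state = 'Locked out until an administrator unlocks the account'
            } else {
                $lockedUntil = $t.AddMinutes($LockoutDurationMinutes)
                $state = "Locked out until $($lockedUntil.ToString('HH:mm'))"
            }
        }
        [pscustomobject]@{ Time = $t.ToString('HH:mm'); BadCount = $badCount; State = $state }
    }
}

# Constructed sample: the table's own example (threshold 3, counter reset after 60 minutes)
# with a 30-minute lockout duration and seven bad-password attempts. The gap between
# 09:10 and 10:15 exceeds the reset timeframe, so the count starts over before the lockout.
$attempts = @('09:00', '09:10', '10:15', '10:20', '10:25', '10:40', '11:00') |
    ForEach-Object { [datetime]"2024-01-01 $_" }

Test-LockoutSequence -LockoutThreshold 3 -ResetCounterAfterMinutes 60 -LockoutDurationMinutes 30 -FailedAttempts $attempts |
    Format-Table -AutoSize
```

Substituting the values from the review question above into the call shows the answer directly. The model also makes the denial-of-service note concrete: any attempt made while the account is locked is rejected regardless of the password, which is the effect a malicious user relies on when deliberately exhausting someone else's threshold.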

Fine-Grained Password Policies

In an Active Directory Domain Services (AD DS) environment, standard password and account lockout policies are applied to the entire domain. This behavior might not be desired by organizations that require different password and account lockout policies for different groups of users.

Fine-grained password policies provide the solution to this issue. Fine-grained password policies allow an administrator to apply multiple, unique password policies to multiple users or groups within the same domain.


To do this, password policy information regarding password and account lockout policy settings is stored within an Active Directory object called a Password Settings object (PSO). All PSOs are stored within a parent container called a Password Settings Container (PSC). By default, the PSC is created under the System container for the domain.

You can create fine-grained password policies by opening the Active Directory Administrative Center, selecting <Domain> Local, clicking System, and then choosing the Password Settings Container. You can then select New and Password Settings from the Actions pane.

You can apply these multiple password policies to a user or to a global security group in a domain, but not to an organizational unit (OU). If you wish to apply the password policies to an OU, you can create a shadow group, which is a global security group that is logically mapped to an OU. Any changes made to the OU must then also be made to the shadow group.
Within the Create Password Settings dialog box in the Active Directory Administrative Center, some of the
settings you can specify are the following:

Name. This is the name of the password setting.

Precedence. This value determines which password policy to use when more than one password
policy applies to a user or group. When there is a conflict, the password policy that has the lower
precedence value has higher priority. Values are typically assigned values in multiples of tens or
hundreds.

Password must meet complexity requirements. Specifies whether password complexity is enabled for the password policy. If enabled, the password must contain three of the following five characteristics:
o Uppercase letters (A, B, C, ... Z)
o Lowercase letters (a, b, c, ... z)
o Numbers (0, 1, 2, ... 9)
o Alphanumeric combination (for example, 3B9ak4L)
o Symbols (~!@#$%^ and others)

Each of the following also has the option to enforce the setting, and the ability to specify a value:

Minimum password length (characters). The minimum number of characters a password must contain.

Number of passwords remembered. The number of passwords that are remembered that cannot be reused.

User cannot change password within (days). Length of time in days during which a user is not able to change their password.

User must change password within (days). Length of time in days within which a user must change their password.

Account lockout policy. Includes the following settings:
o Number of failed logon attempts allowed
o Reset failed logon attempts counter after (mins)
o Account will be locked out: for a duration of (mins), or until an administrator manually unlocks the account

You can then specify which users or groups the particular policy applies.

Alternatively, you can use Windows PowerShell to create and manage fine-grained password policies. For example, to create a fairly standard fine-grained policy using Windows PowerShell, type the following.

New-ADFineGrainedPasswordPolicy -Name TestPasswordPolicy -Precedence 100 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:20:00 -LockoutThreshold 10 -ComplexityEnabled $true -MinPasswordLength 8

To view the newly created policy, type the following.

Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"}

To view a list of the available Windows PowerShell commands for fine-grained password policies, type the following.

help *FineGrained*

More information about Windows PowerShell cmdlets for fine-grained password policies can
be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309139

After a PSO is created, it can be linked to one or more AD DS users or global security groups. After it is
linked, the settings defined within that PSO apply to the linked users and to the members of the linked
groups. If no fine-grained password policy applies to a user, the default domain password policy from the
Default Domain Policy GPO applies. If any fine-grained password policy applies, the domain policy is not
considered at all; PSO settings are never merged with it.

With fine-grained password policies, you can have multiple password policies in a single domain. As a
result, a user might have multiple PSOs assigned to him or her, directly or through group membership.
Only one PSO wins: a PSO linked directly to the user takes precedence over PSOs linked to the user's
groups; among candidates at the same level, the lowest precedence value wins; and if the precedence
values are equal, the PSO with the lowest GUID is used. You can view the resultant winning policy with
the Get-ADUserResultantPasswordPolicy cmdlet, or by reading the msDS-ResultantPSO attribute of the
user in the Attribute Editor. The gpresult.exe tool does not show PSOs, because they are not Group
Policy settings.

Note: A PSO cannot be linked to an Active Directory OU; it can be linked only to AD DS
users and global security groups.
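The following script is an added example, not part of the course text, that puts the PSO rules above
together end to end: two policies with different precedence values, linking to groups, and reading back
which one actually applies. It assumes the ActiveDirectory module, and the PSO names, the groups
ServiceAccounts and Tier0-Admins, and the user svc-backup are hypothetical.

```powershell
# Added example (not from the course text). Assumes the ActiveDirectory module;
# the PSO names, the groups and the user 'svc-backup' are hypothetical.
Import-Module ActiveDirectory

# Two PSOs. A lower Precedence value wins when both apply to the same user.
# The observation window must not exceed the lockout duration.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 100 `
    -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20) -ReversibleEncryptionEnabled $false

New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# PSOs link to users or global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'ServiceAccounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Tier0-Admins'

# What is linked where.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# A user who is in both groups gets PSO-Admins (precedence 10 beats 100);
# the two PSOs are not merged. gpresult.exe cannot show this, PSOs are not GPOs.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# The same answer from the constructed attribute on the user object itself.
Get-ADUser -Identity 'svc-backup' -Properties 'msDS-ResultantPSO' |
    Select-Object -ExpandProperty 'msDS-ResultantPSO'
```

Swap the two precedence values and rerun the last two commands to see the winner change without
touching the group memberships; that is the behaviour to check before deploying a new PSO into a
domain that already has several.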

Auditing Features
Auditing is the process that tracks user activity by
recording selected events in a security log.
Auditing provides a recorded log of access and
activity, allowing an administrator to determine
whether or not resources are being accessed and
used appropriately and according to policy.
Auditing logs the following information regarding
system activity:

• What occurred?
• Who did it?
• When did the event occur?
• What was the result (success or failure)?

It is important to be clear that enabling an audit policy only tells the server which categories of activity
it should be prepared to record. What is actually audited depends on the settings of the individual
components: for object access, the system access control list (SACL) on each file, folder, registry key, or
Active Directory object decides which principals and which access types generate an event. An audit
policy with no SACLs records nothing, and a SACL with no matching audit policy records nothing.

9-12 Implementing Security in Windows Server

You can configure auditing within the Group Policy Management Editor. Within here there are two sets of
auditing policy settings available.

The first set is available under Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Audit Policy. These are the basic settings, applicable to all operating systems since Windows
2000. This set provides nine auditing categories.

The second set includes newer, more granular auditing options that are available under Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies. These apply only to Windows Vista, Windows Server 2008 and later versions, including Windows 8
and Windows Server 2012. This set provides 53 subcategories covering the following areas:

• Account Logon
• Account Management
• Detailed Tracking
• DS Access
• Logon/Logoff
• Object Access
• Policy Change
• Privilege Use
• System
• Global Object Access Auditing

The basic and advanced auditing settings are not compatible with each other. As soon as the advanced
settings are applied, they clear and replace the effective basic auditing policy settings. You should
therefore use one set or the other, not both, because they are stored and applied differently and mixing
them makes it unclear what the effective auditing policy is. If both end up defined, the security option
"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category
settings" ensures that the advanced subcategories win.

You can view the audited events in the Security log within Event Viewer.
You can view the audited events in the respective logs within Event Viewer.

Note: By default, auditing is not enabled; it needs to be configured before it will collect
data.


In Windows Server 2012 there are no dedicated Windows PowerShell cmdlets for setting audit policy.
However, the command-line tool Auditpol.exe allows the setting and querying of audit policy (including
per-user audit settings and backup and restore of the whole policy), and the resulting events can be read
with the Get-WinEvent cmdlet.
More information about Advanced Auditing can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309140
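The three pieces that have to line up for file auditing to produce anything (the advanced audit policy,
the SACL on the object, and reading the Security log) are shown together in this added example, which is
not part of the course text. The folder path D:\Deliverables and the one-hour window are hypothetical;
the auditpol subcategory name, the event IDs and the event fields are real.

```powershell
# Added example (not from the course text). The folder path and the one-hour
# window are hypothetical. Run in an elevated session on the file server.

# 1. Enable the advanced subcategory for file and folder access. Subcategory
#    settings replace the basic "Audit object access" category; if basic settings
#    are also deployed by Group Policy, enable the security option "Audit: Force
#    audit policy subcategory settings (Windows Vista or later) to override audit
#    policy category settings" so they are not overwritten at the next refresh.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"

# 2. The policy alone records nothing. The SACL on the object selects which
#    principals and access types produce events. Here: successful and failed
#    writes, deletes, permission and ownership changes by any authenticated user,
#    plus failed reads, inherited by everything beneath the folder.
$path = 'D:\Deliverables'
$acl  = Get-Acl -Path $path -Audit
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'NT AUTHORITY\Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'NT AUTHORITY\Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Failure)))
Set-Acl -Path $path -AclObject $acl   # needs the "Manage auditing and security log" user right

# Confirm the SACL; Get-Acl only returns it when -Audit is given.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 3. Read back what was recorded under that folder in the last hour.
#    4656 = handle requested (a denied open shows up as a failure here),
#    4663 = an access right was actually exercised, 4670 = permissions changed.
function Get-FolderAuditEvents {
    param([string]$Folder, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663, 4670; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like "$Folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Access  = $d['AccessMask']                       # hex mask, e.g. 0x10000 = DELETE
                Process = $d['ProcessName']
            }
        }
    }
}
Get-FolderAuditEvents -Folder $path -Hours 1 | Format-Table -AutoSize
```

Failed reads are worth auditing on sensitive folders because a user who has no Read permission and
keeps probing anyway is exactly what the permissions cannot tell you about; successful reads on a busy
share, by contrast, generate far more events than anyone will look at, which is why the example audits
them only on failure.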

Digital Certificates
In modern cryptography, data is encrypted and
decrypted by using a key, which is the secret
input the algorithm needs to perform the
encryption or decryption. A key is simply data,
and can be protected by a password, stored on a
smart card, or bound to a Windows user account.
In the simplest form of data encryption, data is
both encrypted and decrypted by using the same
key. This method of using the same key for both
encryption and decryption is known as symmetric
encryption.

Symmetric encryption works well when the same user is both encrypting and decrypting the data.
However, when the user encrypting the data is different from the user who is decrypting the data,
especially if the encryption and decryption take place on different computers or networks, symmetric
encryption becomes more problematic. In this case, the user encrypting the data must find some way to
make the key available to the user decrypting the data. Any time the key is exchanged between users, it
is exposed to interception, and anyone who obtains it can decrypt everything protected with it.

The use of digital certificates addresses this shortcoming of symmetric encryption. Data exchange using
a digital certificate relies on asymmetric encryption. With asymmetric encryption, a pair of
mathematically related keys is used. One of the keys, the private key, is held only by its owner and is
never transmitted. The second key, the public key, is carried in the digital certificate, which anyone can
request at any time. What one key of the pair does, only the other can undo: data encrypted with the
public key can be decrypted only with the private key (confidentiality), and a signature created with the
private key can be verified by anyone holding the public key (authentication and integrity).
Asymmetric encryption is much slower than symmetric encryption, so the two are combined rather than
used as alternatives: the asymmetric keys are used to exchange or wrap a random symmetric key, which is
then used to encrypt and decrypt the bulk of the data stream. This is the pattern that protocols such as
TLS follow.

Note: A digital certificate is a digital document that is commonly used for authentication
and to help secure information on a network. A certificate binds a public key to an entity that
holds the corresponding private key.

A digital certificate makes it possible to verify someone's claim that they have the right to use a given key,
helping to prevent people from using phony keys to impersonate other users. Used in conjunction with
encryption, digital certificates provide a more complete security solution, assuring the identity of all
parties involved in a transaction.

A digital certificate generally contains information about the following:

• The subject: a user, computer, or network device that holds the private key corresponding to the
certificate. The subject is also known as the owner of the certificate.
• The public key of the certificate's associated public and private key pair, and the algorithm it is for.
• The issuer of the certificate, commonly known as a certification authority (CA).
• The validity period: the dates from which and until which the certificate may be used.
• The serial number of the digital certificate, which is unique for that issuer and is what a certificate
revocation list refers to.
• The digital signature of the issuing CA, and the name of the algorithm used to create it.

Also, a digital certificate can contain extensions, such as the acceptable applications or uses for the
certificate (key usage and enhanced key usage), alternative names for the subject, and the location of the
CA's revocation information. The use of digital certificates and encryption technologies will be discussed
in more detail in Lesson 3, Implementing Encryption.
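Added here as an example, not part of the course text: the first command reads the certificate fields
listed above from real certificates in the local machine store; the rest implements the hybrid pattern
described earlier (asymmetric key pair wraps a one-time symmetric key, the symmetric key protects the
data, and a signature authenticates the sender) with .NET classes. The generated RSA key pairs stand in
for the key pairs behind a certificate, and the message is constructed.

```powershell
# Added example (not from the course text). The RSA key pairs generated here
# stand in for the key pairs behind certificates; the message is constructed.

# 1. The fields the text lists, read from certificates in the machine store.
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotBefore, NotAfter,
    SerialNumber, HasPrivateKey,
    @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'PublicKeyAlgorithm'; e = { $_.PublicKey.Oid.FriendlyName } },
    @{ n = 'KeyUsage'; e = { ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages } }

# 2. Hybrid encryption. PROV_RSA_AES (type 24) is needed for SHA-256 signatures.
$csp = New-Object System.Security.Cryptography.CspParameters(24)
$recipient = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)   # has the private key
$sender    = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
$recipient.PersistKeyInCsp = $false; $sender.PersistKeyInCsp = $false

# What a certificate would carry: the public half only.
$recipientPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
$recipientPublic.ImportParameters($recipient.ExportParameters($false)); $recipientPublic.PersistKeyInCsp = $false
$senderPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
$senderPublic.ImportParameters($sender.ExportParameters($false)); $senderPublic.PersistKeyInCsp = $false

function Protect-Message {
    param([byte[]]$Plaintext,
          [System.Security.Cryptography.RSACryptoServiceProvider]$RecipientPublicKey,
          [System.Security.Cryptography.RSACryptoServiceProvider]$SenderPrivateKey)
    $aes = [System.Security.Cryptography.Aes]::Create()       # AES-CBC with PKCS7 padding
    $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()  # fresh key and IV per message
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $msg = [pscustomobject]@{
        WrappedKey = $RecipientPublicKey.Encrypt($aes.Key, $true)   # $true = OAEP padding
        IV         = $aes.IV
        Ciphertext = $ct
        Signature  = $SenderPrivateKey.SignData($ct, 'SHA256')      # private key signs
    }
    $aes.Dispose()
    return $msg
}

function Unprotect-Message {
    param($Message,
          [System.Security.Cryptography.RSACryptoServiceProvider]$RecipientPrivateKey,
          [System.Security.Cryptography.RSACryptoServiceProvider]$SenderPublicKey)
    # Verify before decrypting: a tampered ciphertext is rejected without unwrapping the key.
    if (-not $SenderPublicKey.VerifyData($Message.Ciphertext, 'SHA256', $Message.Signature)) {
        throw 'Signature check failed; the message was altered or did not come from the expected sender.'
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $RecipientPrivateKey.Decrypt($Message.WrappedKey, $true)   # only the private key can do this
    $aes.IV  = $Message.IV
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Message.Ciphertext, 0, $Message.Ciphertext.Length)
    $aes.Dispose()
    return $pt
}

$plain = [Text.Encoding]::UTF8.GetBytes('Q3 deliverables are in \\fs01\Deliverables')   # constructed
$msg   = Protect-Message -Plaintext $plain -RecipientPublicKey $recipientPublic -SenderPrivateKey $sender
[Text.Encoding]::UTF8.GetString((Unprotect-Message $msg $recipient $senderPublic))

# The public key alone cannot unwrap the AES key: this throws.
try { $recipientPublic.Decrypt($msg.WrappedKey, $true) } catch { "Public key cannot decrypt: $($_.Exception.Message)" }
```

The sender only ever needs the recipient's public key, which is what the certificate distributes, and the
symmetric key never travels in the clear; that is the whole point of the hybrid arrangement, and also why
the slow RSA operations are applied to 32 bytes of key material rather than to the data.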

Lesson 2

Securing Files and Folders

Ensuring data integrity and security is a fundamental aspect of a Windows Server infrastructure. The
assignment of proper permissions to users and groups for the resources they require access to is the first
level of data security in a Windows Server environment.

This lesson covers the configuring of permissions, best practices for maintaining permissions functionality,
and auditing file and folder access to ensure that configured permissions are operating effectively.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe access control.
• Describe the available file and folder permissions on NTFS and ReFS volumes.
• Describe permission inheritance.
• Describe shared folder permissions.
• Explain how file and folder permissions and shared folder permissions combine.
• Secure shared files.
• Describe and implement file auditing.

Access Control
The previous lesson explained authentication and
authorization in general terms. This lesson
explains how that process translates into a real-world access control process in Windows Server
2012 and Windows 8.
Access control is effectively the process of
authorizing users, groups, or computers
(collectively known as security principals) to access
objects, which will be files and folders in this
instance, on a network or computer. It involves
permissions, permission inheritance, user rights,
and auditing, each of which are described in this
module.

Before a user can access an object, the user first must identify themselves to the security system in
operation on the domain or network. When a user logs on to a computer, he identifies himself and, if
authentication succeeds, is allowed to log on to the computer. The identity of that user is then placed in
an access token that is re-created every time that user logs on; it holds the user's SID, the SIDs of every
group the user belongs to (including nested groups), and the user's privileges. Objects are described from
the other side: every container or object on a Windows Server network has an associated security
descriptor that contains the owner, the access control information (the DACL) and the auditing
information (the SACL).

The operating system checks to see if the user is authorized to access an object. It does this by comparing
the following two things:

• The security identifiers (SIDs) of the user and the groups to which the user belongs, in the access token
• The access control entries (ACEs) in the object's security descriptor


The access control entries then allow or deny particular functionality on the object for the specific user.
The entire set of access control entries is known as the access control list (ACL). There are two kinds of
ACLs, the discretionary access control list (DACL), which is responsible for permissions, and the system
access control list (SACL), which is responsible for auditing.

When the operating system is determining the authorization to access an object, it walks the DACL from
the first ACE to the last, comparing the SID in each ACE to the SIDs in the token (which contains the user's
SID plus all group SIDs he belongs to). ACEs whose SID is not in the token are skipped. A matching Deny
ACE that covers any of the requested access rights not already granted ends the check with access denied.
A matching Allow ACE grants the rights it lists; as soon as every requested right has been granted, the
check ends with access allowed. If the end of the DACL is reached and some requested right is still not
granted, access is denied. Because explicit ACEs are stored before inherited ones, an explicit Allow on an
object beats a Deny it inherits from its parent. An object with no DACL at all grants everyone full access,
whereas an object with an empty DACL grants no one access.

In Windows Server 2012 and Windows 8, you can view the effective permissions for a user, group, or
computer on the Effective Access tab of the Advanced Security Settings dialog box. This is designed to
help you manage and troubleshoot file and folder permissions more effectively.

You can also use the Windows PowerShell cmdlets Get-Acl and Set-Acl to help manage access control
on objects.
Another command-line tool that can be used to view, change, back up, and restore ACL information and
settings is icacls.exe.
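To make the order of evaluation visible, the following added example (not course material) re-implements
the DACL walk just described for files and folders, reading the real DACL with Get-Acl and the real token
SIDs from the WindowsIdentity class, and then shows the icacls.exe backup mentioned above. The folder
path, the UPN alice@contoso.com and the backup file name are hypothetical. The authoritative check is the
kernel's AccessCheck, which additionally honours privileges such as Backup files and directories and the
owner's implicit Read Permissions and Change Permissions rights; this function does not.

```powershell
# Added example (not from the course text). Path, UPN and backup file are
# hypothetical. Models the DACL walk for files; the kernel's AccessCheck is
# the real thing and also considers privileges and the owner's implicit rights.

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Requested,
        [string] $UserPrincipalName   # omit to evaluate the current user
    )
    # The token side: the user's SID plus every group SID, nested groups included.
    $identity = if ($UserPrincipalName) {
        New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)   # S4U logon; domain-joined only
    } else {
        [System.Security.Principal.WindowsIdentity]::GetCurrent()
    }
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # The object side: ACEs in stored (canonical) order, identities as SIDs.
    $aces = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $remaining = [int]$Requested          # requested bits not yet granted
    $ordinal = 0
    foreach ($ace in $aces) {
        $ordinal++
        # Inherit-only ACEs exist to be copied to children; they do not apply to this object.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $overlap = ([int]$ace.FileSystemRights) -band $remaining
        if ($overlap -eq 0) { continue }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            return [pscustomobject]@{ Path = $Path; Requested = $Requested; Result = 'Denied'
                DecidedBy = "ACE #$ordinal Deny for $($ace.IdentityReference) (inherited: $($ace.IsInherited))" }
        }
        $remaining = $remaining -band (-bnot $overlap)   # Allow: strike the granted bits
        if ($remaining -eq 0) {
            return [pscustomobject]@{ Path = $Path; Requested = $Requested; Result = 'Allowed'
                DecidedBy = "all requested rights granted by ACE #$ordinal" }
        }
    }
    [pscustomobject]@{ Path = $Path; Requested = $Requested; Result = 'Denied'
        DecidedBy = 'end of DACL reached with rights still not granted' }
}

Test-DaclAccess -Path 'D:\Deliverables' -Requested Modify
Test-DaclAccess -Path 'D:\Deliverables' -Requested Delete -UserPrincipalName 'alice@contoso.com'

# Back up ACLs before bulk changes. The saved paths are relative to the folder
# given to /save, so /restore is run against that folder's parent.
icacls.exe 'D:\Deliverables' /save 'C:\Backups\Deliverables-acl.txt' /t /c
# icacls.exe 'D:\' /restore 'C:\Backups\Deliverables-acl.txt'
```

The DecidedBy field is the useful part when troubleshooting: it tells you which entry, explicit or
inherited, settled the question, which is the same information the Effective Access tab hides behind a
single set of check marks.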

File and Folder Permissions


File and folder permissions specify which users,
groups, and computers can access and interact
with files and folders on an NTFS or ReFS volume.
These permissions together make up the DACL of
the file or folder.
As stated earlier, file and folder permissions are
available on NTFS and ReFS file systems. These are
commonly known as NTFS permissions because
they were, up until the release of Windows Server
2012 and the new ReFS file system, only available
on NTFS. File and folder-level permissions are not
available on FAT32 file systems.
There are two views of file/folder-level or NTFS
permissions:

• Standard. Standard permissions are the most commonly used permissions. These can be viewed and
accessed through the Properties of an object, i.e. right-click on a file or folder, select Properties and
then navigate to the Security tab.

• Advanced. Advanced (or special) permissions are the individual rights that the standard permissions
are built from, and provide a finer degree of control for assigning access to files and folders. However,
advanced permissions are more complex to manage than standard permissions.

Standard File and Folder Permissions

The following table lists the standard NTFS file and folder permissions. You can choose whether to allow
or deny each of the permissions.

Permission               Description
-----------------------  ------------------------------------------------------------------------------
Full Control             Complete control of the file or folder, including changing its permissions and
                         taking ownership.
Modify                   Read, execute and write, plus deleting the file or folder itself. Does not allow
                         changing permissions or taking ownership.
Read and Execute         On a file: the file can be read and, if it is a program, started.
                         On a folder: the contents can be seen and traversed, and programs in it started.
List Folder Contents     (Folders only) Allows users to view the contents of a folder. It grants the same
                         rights as Read and Execute but is inherited by subfolders only, not by files.
Read                     Read-only access to the data, attributes and permissions.
Write                    On a file: the content and attributes can be changed.
                         On a folder: files and subfolders can be created in it.
                         Write on its own does not allow deleting; that needs Modify or Full Control.
Special permissions      A custom combination of rights that matches no standard permission, defined
                         through the advanced permissions.

Note: Groups or users granted Full Control on a folder can delete any files in that folder
regardless of the permissions protecting the file, because Full Control on a folder includes the
Delete Subfolders and Files right.

To modify file and folder permissions, you must hold the Change Permissions right on the file or folder,
which is included in Full Control. The one exception is for file and folder owners. The owner of a file or
folder can always modify its NTFS permissions, even if he or she does not have any other NTFS permissions
on it. Administrators can always take ownership of files and folders (through the Take ownership of files or
other objects user right) and, having done so, modify the NTFS permissions.
Advanced File and Folder Permissions

Advanced or special permissions provide a much greater level of control over NTFS files and folders.
Groupings of advanced settings effectively make up the standard permission sets. The following table
defines the special permissions that can be assigned for each file and folder.

Permission                   Description
---------------------------  --------------------------------------------------------------------------
Full Control                 Allows full control of the object: every right listed below.
Traverse Folder /            The Traverse Folder permission applies only to folders. It allows or denies
Execute File                 moving through the folder to reach files or subfolders below it, even when the
                             user has no other permissions on the folder being traversed. Traverse Folder
                             takes effect only when the group or user is not granted the Bypass Traverse
                             Checking user right, which is assigned under User Rights Assignment in Group
                             Policy. By default, the Everyone group is given the Bypass Traverse Checking
                             user right, so this permission rarely matters in practice.
                             The Execute File permission applies only to files and allows or denies running
                             program files.
                             Setting Traverse Folder on a folder does not automatically set Execute File on
                             the files in that folder.
List Folder /                The List Folder permission applies only to folders and allows or denies viewing
Read Data                    the file names and subfolder names in the folder. It affects only the contents of
                             that folder; it does not control whether the folder itself appears in its
                             parent's listing, and it does not prevent opening a file or subfolder whose full
                             path is already known.
                             The Read Data permission applies only to files and allows or denies viewing the
                             data in the file.
Read Attributes              Allows or denies viewing the attributes of a file or folder, such as read-only
                             and hidden. Attributes are defined by NTFS or ReFS.
Read Extended Attributes     Allows or denies viewing the extended attributes of a file or folder. Extended
                             attributes are defined by programs and vary by program.
Create Files /               The Create Files permission applies only to folders and allows or denies
Write Data                   creating files in the folder.
                             The Write Data permission applies only to files and allows or denies changing
                             the file and overwriting its existing content.
Create Folders /             The Create Folders permission applies only to folders and allows or denies
Append Data                  creating subfolders in the folder.
                             The Append Data permission applies only to files and allows or denies adding
                             data to the end of the file without changing, deleting, or overwriting existing
                             data.
Write Attributes             Allows or denies changing the attributes of a file or folder, such as read-only
                             or hidden. It does not allow creating or deleting files or folders; for those,
                             see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and
                             Files, and Delete.
Write Extended Attributes    Allows or denies changing the extended attributes of a file or folder. As with
                             Write Attributes, it does not allow creating or deleting files or folders.
Delete Subfolders            Applies only to folders and allows or denies deleting subfolders and files
and Files                    within the folder, even if the Delete permission is not granted on the subfolder
                             or file.
Delete                       Allows or denies deleting the file or folder. Without Delete on the object
                             itself, you can still delete it if you hold Delete Subfolders and Files on the
                             parent folder.
Read Permissions             Allows or denies reading the permissions (the DACL) of the file or folder.
Change Permissions           Allows or denies changing the permissions of the file or folder.
Take Ownership               Allows or denies taking ownership of the file or folder. The owner of a file or
                             folder can change its permissions regardless of any existing permissions that
                             protect it, unless an OWNER RIGHTS entry restricts what the owner can do.
Synchronize                  Allows or denies different threads to wait on the handle for the file or folder
                             and synchronize with another thread that might signal it. It matters only to
                             multithreaded, multiprocess programs, but it is needed to open the object at
                             all, which is why every standard Allow permission includes it.

Note: When assigning both standard and special NTFS permissions, permissions set to
Deny override permissions set to Allow at the same level; the exception is that an explicit
permission on an object overrides one it inherits, so an explicit Allow beats an inherited Deny. Also,
permissions can be set for various object types, such as printers, registry keys, Active Directory objects
or system objects such as processes. Each object type has its own set of permissions. For example,
printers have permissions for Print, Manage Printers, and Manage Documents, which do not apply to
files and folders, and Active Directory objects have permissions that go down to read and write access on
individual attributes.
To configure NTFS file and folder permissions, follow these steps:

1. Right-click the file or folder to which you want to assign permissions, and then click Properties.
2. Click the Security tab to view existing permissions.
3. To modify standard permissions, click the Edit button.
4. To modify advanced permissions, click the Advanced button.

When Access Based Enumeration is enabled on a folder share, only the files and folders that a user has
permission to access are displayed. If a user does not have Read (or equivalent) permission for a folder,
Windows hides the folder from the user's view. This is a usability feature rather than a security boundary:
a user who knows the path can still try to open the item, and the NTFS permissions decide the outcome.
One final aspect of file and folder permissions that we'll call out here, and that you should be aware of, is
owner rights. By default the owner of an object has implicit rights on it that may be greater than intended,
such as changing its permissions, which could be an issue if an administrator was tasked with creating
specific objects but it had not been the intention to give them further control, or if people have moved
positions but still retain permissions greater than intended. To mitigate this you can add the OWNER
RIGHTS security principal (SID S-1-3-4) to the object's ACL and grant it specific permissions, such as Read
only. When an OWNER RIGHTS entry is present, the owner gets only what that entry grants, instead of the
implicit Read Permissions and Change Permissions rights.

Permissions Inheritance
By default, the permissions granted to a parent
folder are inherited by its subfolders and files.
Each object inherits from its direct parent, and
because that parent in turn inherited from its own
parent, inheritable permissions flow down the
whole tree. Any files and folders contained within
the parent folder receive the same permissions as
the parent folder, and when the parent folder's
permissions are modified, the change is
propagated to them. Permissions received in this
manner are known as inherited permissions.
A folder or file will always inherit its parent folder's
permissions unless inheritance is blocked. When
blocking inheritance, the folder for which you
block permissions inheritance becomes the new top of the tree, and the subfolders and files that are
contained within it inherit the permissions assigned to it. A folder that has had inheritance blocked will
either keep copies of the previously inherited permissions as explicit permissions, or will remove all
inherited permissions.

Permissions assigned to a file or folder directly, overriding that file or folder's inherited permissions, are
called explicit permissions. Explicit permissions behave differently than inherited permissions when the
object is moved within an NTFS volume (see Copying vs. Moving Files, below).
To block inheritance for a file or folder, perform the following steps:

1. Right-click the file or folder for which you want to block inheritance, and then click Properties.
2. Click the Security tab to view existing permissions.
3. Click the Advanced button.
4. On the Permissions tab, click the Disable Inheritance button.
5. You then receive a prompt to either convert the inherited permissions into explicit permissions or to
remove all inherited permissions from the object.
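The same procedure in Windows PowerShell, added here as an example and not part of the course text.
It performs both choices the prompt offers with Set-Acl, and first sets up an inherited Deny and an
explicit Allow on the same principal so the precedence rule from the note above can be observed in the
listing. The paths D:\Projects and D:\Projects\Archive and the group CONTOSO\Contractors are hypothetical.

```powershell
# Added example (not from the course text). Paths and the group name are
# hypothetical. Shows both choices of the "Disable inheritance" prompt, and
# why "Deny overrides Allow" holds only between entries at the same level.
$parent = 'D:\Projects'
$child  = 'D:\Projects\Archive'
New-Item -ItemType Directory -Path $child -Force | Out-Null

function Show-Dacl([string]$Path) {
    (Get-Acl $Path).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
}

# Deny Delete to Contractors on the parent; the child inherits the entry.
$acl = Get-Acl $parent
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Contractors', 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Deny')))
Set-Acl -Path $parent -AclObject $acl
Show-Dacl $child            # the Deny shows IsInherited = True

# An explicit Allow on the child wins over the inherited Deny: explicit ACEs
# come before inherited ones in the canonical DACL order, so the access check
# grants Delete before it ever reaches the Deny.
$acl = Get-Acl $child
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Contractors', 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $child -AclObject $acl
Show-Dacl $child            # explicit Allow listed first, inherited Deny after it

# Prompt option 1: disable inheritance and convert inherited ACEs to explicit.
$acl = Get-Acl $child
$acl.SetAccessRuleProtection($true, $true)    # (isProtected, preserveInheritance)
Set-Acl -Path $child -AclObject $acl
Show-Dacl $child            # same entries, now all IsInherited = False

# Prompt option 2: disable inheritance and remove inherited ACEs. Only the
# explicit entries survive, so add an administrative entry first or nobody but
# the owner can get back in without taking ownership.
$acl = Get-Acl $child
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $child -AclObject $acl
Show-Dacl $child

# Re-enable inheritance; the parent's inheritable ACEs flow down again and are
# merged with whatever explicit entries the child has.
$acl = Get-Acl $child
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $child -AclObject $acl
Show-Dacl $child
```

Option 2 is the one that causes lockouts in practice: after removing the inherited entries the object may
have no Allow entry for any administrator, and Set-Acl itself will still succeed because the caller is the
owner, so review the intended explicit entries before choosing it.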

Copying vs. Moving Files

When you copy or move a file or folder, the permissions might change, depending on where you move
the file or folder.

Copying a File or Folder
When you copy a file or folder from one folder to another folder, or from one partition to another
partition, the following rules apply:

• Within the same NTFS partition, the copy of the folder or file inherits the permissions of the
destination folder. A copy is a new object, so the source's explicit permissions are not carried over.
• To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination
folder.
• To a non-NTFS partition, such as a FAT32 partition, the copy of the folder or file loses its NTFS
permissions, because non-NTFS partitions do not support NTFS permissions.

Note: All of these are also applicable where ReFS is the file system in question. Also, if files are
copied between NTFS and ReFS partitions, the file or folder inherits the permissions of the
destination folder.

Moving a File or Folder
When you move a file or folder, the following rules apply:

• Within the same NTFS partition, the folder or file keeps its explicit permissions: the object itself is not
re-created, so explicitly applied permissions are retained. Permissions previously inherited from the
old parent are lost, and the file or folder inherits the permissions of its new parent folder instead,
including any later changes to that parent's permissions.
• To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When
you move a folder or file between partitions, the Windows Server 2012 operating system copies the
folder or file to the new location and then deletes it from the old location, so the copy rules apply.
• To a non-NTFS partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do
not support NTFS permissions.

Again, all of these are also applicable where ReFS is the file system in question. If files are moved between
NTFS and ReFS partitions, the file or folder inherits the permissions of the destination folder and loses its
explicit permissions.

Shared Folder Permissions

Shared folder permissions apply only to users who
connect to the folder over the network. They do
not restrict access to users who access them
locally on the computer where the folder is stored.
You can grant shared folder permissions to user
accounts, groups, and computer accounts. By
default, a shared folder is already protected by the
NTFS permissions applied to that specific folder,
and shared folder permissions combine with NTFS
permissions to determine the appropriate level of
access allowed on an object.

Before granting permissions to a share, a folder
must first be shared. It is also possible to create different shares (using different names) for the same
folder. This could be useful if, for example, you have a set of users who should have limited permissions,
but a special group of people who should have a greater level of permissions.
The following table lists the options available for shared folder permissions. You can choose whether to
allow or deny each of the permissions.

Share Permission   Description
-----------------  -------------------------------------------------------------------------------------
Read               Allows users to view folder and file names, file data, and file attributes. Users are
                   also able to access the shared folder's subfolders, and run program files and scripts.
Change             Users that are granted the Change permission can perform all the functions granted by
                   the Read permission in addition to creating and deleting files and subfolders. Users
                   are also able to change file attributes, change the data in files, and append data to
                   files.
Full Control       Users that are granted the Full Control permission can perform all the tasks enabled by
                   the Change permission as well as take ownership of files and change file permissions,
                   subject to the NTFS permissions, which still apply.

To access the folder permissions listed in the table, follow these steps:

1. Right-click the folder you want to share, and select Properties.
2. Click the Sharing tab, and then click the Advanced Sharing button.

To access a more simplified set of permissions (Read or Read/Write for each principal, with Remove to
take a principal off the list), follow these steps:

1. Right-click the folder you want to share, and select Properties.
2. Click the Sharing tab, and then click the Share button.

The Sharing tab is only present in folder properties, not file properties.

Note: As with NTFS permissions, when assigning shared folder permissions, permissions set
to Deny override permissions set to Allow.


When creating Windows Server 2012 file server shares, you can make the shares available through the File
and Storage Services role that can be managed in Server Manager. This allows for the centralized creation
and control of shares in an organization.
Administrators can make shares available using the following two protocols:

• Server Message Block (SMB). Allows Windows-based clients to read, write, and access files and
folders on a remote Windows Server 2012 server. Windows Server 2012 released with SMB 3.0, which
comes with additional features and functionality such as the following:
  o Support for network adapters that are Remote Direct Memory Access (RDMA) capable, that is,
    adapters that transfer data directly between each other without using operating system
    resources (SMB Direct).
  o Support for Cluster Shared Volumes (CSV), transparent failover, SMB Multichannel, end-to-end
    SMB encryption, and many more.

• Network File System (NFS). Allows non-Windows-based clients to read, write, and access files and
folders on a remote Windows Server 2012 server.

You can also use Windows PowerShell to configure file shares. Depending on the protocol used for the file
share, you could use the NFS cmdlets (New-NfsShare and related) or the SMB Share cmdlets
(New-SmbShare, Get-SmbShareAccess, Grant-SmbShareAccess and related).
More information about SMB Windows PowerShell cmdlets can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309141
More information about NFS Windows PowerShell cmdlets can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309142

Evaluating Combined, Shared, and Local Permissions


When a shared folder is created on a partition
formatted with the NTFS file system, both the
shared folder permissions and the NTFS file
system permissions are combined to protect file
resources. NTFS file system permissions apply
whether the resource is accessed locally or over a
network, but they are filtered against the share
folder permissions.

When accessing a shared folder over the network,


a user must have the appropriate permissions
granted on a shared folder to gain access to the
files and folders within that folder. After it has
been determined that the user has been granted access through the shared folder permissions, only then
is the users access to the specific NTFS file(s) or folder(s) checked against the users NTFS permissions. If
both the shared folder permissions and the NTFS permissions allow the type of access that the user is
attempting on the files, access is granted.
When you grant shared folder permissions on an NTFS volume, the following rules apply:

By default, the Everyone group is granted the shared folder permission Read.

Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared
folder, in addition to the appropriate shared folder permissions to access those resources.

MCT USE ONLY. STUDENT USE PROHIBITED

Fundamentals of a Windows Server Infrastructure

9-23

When NTFS file system permissions and shared folder permissions are combined, the resulting
permission is the most restrictive one of the effective shared folder permissions or the effective NTFS
file system permissions.

The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders.

Note: Some general best practices would be:

To remove the Everyone group from any permission lists and replace it with the Authenticated Users
group.

Use the most restrictive group that contains the users you want to grant access.

If you want only the users of the domain to access the information but no other users from other
trusted domains, it would be better to use domain users rather than authenticated users.

When dealing with a shared folder, you must always go through the shared folder to access its files over the network. Therefore, you can think of the shared folder permissions as a filter that only allows users to perform actions on its contents that are acceptable to the share permissions. All NTFS permissions that are less restrictive than the share permissions are filtered out so that only the share permission remains.
For example, if the share permission is set to Read, then the most you can do when accessing the share over the network is read the contents, even if the individual NTFS file permission is set to Full Control. If you configure the share permission to Modify, then you are allowed to read or modify the shared folder contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective permission down to just Modify.

You can check the effective permissions that a user, group, or computer device account will have on an object based on the NTFS permissions that have been assigned to that object. This is done on the Security tab of the object's Properties dialog box, by clicking the Advanced button, and then selecting the Effective Access tab. However, share permissions are not included in calculating the effective permissions; only file and folder (NTFS) permissions are taken into account.

Demonstration: How to Secure a Shared Folder

In this demonstration, you will see how to create a folder, secure it by using NTFS permissions, share the folder, and further secure it with shared folder permissions.

Demonstration Steps
1. Create a new folder called Deliverables.
2. Assign NTFS permissions to the new folder.
3. Share the new folder.
4. Validate the permission changes.
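The four demonstration steps carried out in Windows PowerShell, as an added example that is not part of the course material. The path C:\Shares\Deliverables and the group ADATUM\Research are placeholder assumptions, and the effective-access function at the end is a simplified model of the "most restrictive wins" rule, not a Windows API.

```powershell
# Added example (not from the course): create Deliverables, set NTFS permissions,
# share it, and validate. Assumes an elevated session on a domain-joined file server;
# the path and the group name are placeholders.
$FolderPath = 'C:\Shares\Deliverables'
$ShareName  = 'Deliverables'
$Group      = 'ADATUM\Research'            # placeholder: the most restrictive group that fits

# Step 1: create the folder.
New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null

# Step 2: NTFS permissions. Stop inheriting from the parent without copying the inherited
# entries (which usually include BUILTIN\Users), then grant only what is needed.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = $Group;                   Rights = 'Modify' }
)
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
foreach ($entry in $entries) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entry.Identity, $entry.Rights, $inherit, $none, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $FolderPath -AclObject $acl

# Step 3: share the folder. Name the groups explicitly so the default Everyone/Read entry
# is not used; Change at the share level matches the Modify NTFS grant.
New-SmbShare -Name $ShareName -Path $FolderPath -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Group | Out-Null
# Best practice from the text: make sure Everyone is not on the share ACL.
if (Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -eq 'Everyone' }) {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# Step 4: validate. The Effective Access tab ignores share permissions, so check both lists.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $FolderPath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# The "most restrictive wins" rule as a function. Simplification: NTFS rights are mapped
# onto the three share levels (Read, Change, Full) before the two are compared.
function Get-EffectiveNetworkAccess {
    param(
        [ValidateSet('Read', 'Change', 'Full')][string]$ShareRight,
        [string]$NtfsRights    # e.g. 'FullControl', 'Modify, Synchronize', 'ReadAndExecute'
    )
    $rank = @{ Read = 1; Change = 2; Full = 3 }
    $ntfsLevel = 'Read'
    if ($NtfsRights -match 'Modify|Write') { $ntfsLevel = 'Change' }
    if ($NtfsRights -match 'FullControl')  { $ntfsLevel = 'Full' }
    if ($rank[$ShareRight] -le $rank[$ntfsLevel]) { $ShareRight } else { $ntfsLevel }
}
Get-EffectiveNetworkAccess -ShareRight 'Read' -NtfsRights 'FullControl'      # Read: the share filters NTFS down
Get-EffectiveNetworkAccess -ShareRight 'Full' -NtfsRights 'ReadAndExecute'   # Read: NTFS is the tighter one
```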

File and Folder Auditing

Defining object permissions will not tell you who deleted important data or who was trying to access files and folders inappropriately. To track who accessed files and folders and what they did, you must configure auditing for file and folder access. Every comprehensive security strategy should include auditing to provide traceability and to assess compliance with company or data privacy requirements, allowing an administrator to be proactive in protecting data from inappropriate access or deletion.
As discussed in Lesson 1, Overview of Windows Security, there are two kinds of auditing available in Windows Server 2012. One type is basic auditing, which is applicable for legacy operating systems and available for configuration via the Group Policy Management Editor, under the node Computer Configuration\Policies\Windows Settings\Security Settings\Local Policy\Audit Policy.


The other type is advanced auditing, which is new in Windows Server 2012 and contains more granular
and advanced functionality. It is available in the Group Policy Management Editor, under Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Object Access. It is within here that auditing policy should be configured.

Within this Object Access node there are 14 auditing policies that can be applied across a network. These cover a range of areas, including the three listed in the following table.

Audit Policy | Description
Audit Detailed File Share | Audits attempts to access files and folders on a shared folder. It logs an event every time a file or folder is accessed. Event ID 5145 is generated when an event is logged.
Audit File Share | Audits events when a computer accesses a file share. Can generate a range of Event IDs, such as 5140, 5142, 5143, 5144, and 5168, depending on the event type.
Audit File System | Audits user attempts to access file system objects. Can be combined with the Audit File Share policy to track the content, source, and user account attempting to access an object. Can generate a range of Event IDs, including 4664, 4985, and 5051.

The logging of events is based around the use of SACLs. The Audit Detailed File Share and Audit File Share policies do not use SACLs; therefore, after those policies are enabled, access to all shares on the system will be audited. Before enabling these policies, you should ensure that you are aware of the volume of events that will be generated so there are no detrimental effects.

You should understand that there are two components to enabling auditing in this context. The server must be instructed about which areas of the operating system to audit, as is done in Group Policy, and the resource on the server must be configured with the SACL that describes what you want to audit.
You enable auditing on a resource in the same place where you configure its NTFS permissions. For example, right-click the folder, click Properties, select the Security tab, click the Advanced button, and then select the Auditing tab. Within this dialog box, specific users, groups, or computers can be selected to trace access events.

It is also possible to specify a condition to limit the scope of the auditing. For example, security events will
only be logged if specific conditions are met. This allows for more granular configuration and can
significantly reduce the volume of events traced.


When enabling auditing on a specific file or folder, the same inheritance rules used by NTFS permissions and shared folder permissions apply to the auditing properties. By default, files and folders will inherit their parent's audit settings unless inheritance is blocked or explicitly specified.

After auditing is configured, file and folder auditing events will be recorded to the Windows security log.
This log can be viewed in Event Viewer, accessed through the Tools menu in Server Manager.

Demonstration: How to Configure File Auditing

In this demonstration, you will see how to configure the Audit object access security policy to audit file access.

Demonstration Steps
1. Configure the object access auditing policy to audit file access.
2. Enable folder auditing.
3. Test the object access auditing policy.
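The three demonstration steps done from PowerShell, as an added example that is not part of the course: the audit policy is set locally with auditpol.exe (the same Object Access subcategories the text places in Group Policy), a SACL is added to the folder, and the 5140/5145 events from the table above are read back. The folder path, the audited principal, the time window and the event-data field names (taken from the event XML schema, not from the page) are assumptions.

```powershell
# Added example (not from the course): enable Object Access subcategories locally,
# put a SACL on a folder, then read share-access events from the Security log.
# Assumes an elevated session on the file server; path and principal are placeholders.
$FolderPath = 'C:\Shares\Deliverables'
$Principal  = 'ADATUM\Research'   # placeholder; use 'Everyone' to audit all accounts

# 1. Audit policy. Subcategory names are those listed by: auditpol /list /subcategory:*
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /set /subcategory:"File Share"  /success:enable /failure:enable | Out-Null
# "Detailed File Share" logs a 5145 event for every access; size the log before enabling it:
# auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# 2. SACL on the resource: audit successful and failed writes and deletes by $Principal,
#    inherited by subfolders and files (the same inheritance rules as NTFS permissions).
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Principal, $rights, $inherit, $none, $flags
$acl = Get-Acl -Path $FolderPath -Audit       # -Audit reads the SACL (needs SeSecurityPrivilege)
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 3. Read the events. 5140 = a network share object was accessed; 5145 = per-object access
#    check on a share. RelativeTargetName is only populated on 5145 events.
function Get-ShareAccessEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = @(5140, 5145); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Client = $data['IpAddress']
            Share  = $data['ShareName']
            Target = $data['RelativeTargetName']
            Access = $data['AccessList']
        }
    }
}
# Test the policy: access the share from a client, then list what was recorded.
Get-ShareAccessEvents -Hours 24 | Format-Table -AutoSize
```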

Dynamic Access Control

Dynamic Access Control is an access control mechanism in Windows Server 2012 for file system resources. It enables administrators to define central file access policies that can apply to every file server in the organization. Dynamic Access Control implements a safety net over file servers, and over any existing share and NTFS permissions. It also ensures that regardless of how the share and NTFS permissions might change, this central overriding policy is still enforced.
Dynamic Access Control combines multiple criteria into the access decision. This augments the NTFS access control list (ACL) so that users need to satisfy both the NTFS ACL and the central access policy to gain access to the file.
Dynamic Access Control is designed for four scenarios:

• Central access policy for access to files. Enables organizations to set organization-wide policies that reflect business and regulatory compliance.

• Auditing for compliance and analysis. Enables targeted auditing across file servers for compliance reporting and forensic analysis.

• Protecting sensitive information. Identifies and protects sensitive information within a Windows Server 2012 environment, and also when it leaves the Windows Server 2012 environment.

• Access denied remediation. Improves the access-denied experience to reduce helpdesk load and incident time for troubleshooting.

Dynamic Access Control leverages the following technologies:

• Active Directory Domain Services and its dependent technologies for enterprise network management.

• Kerberos version 5 (V5) protocol, including compound identity, for secure authentication.

• Windows security (Local Security Authority (LSA), Net Logon service) for secure logon transactions.

• File classifications for file categorization.

• Auditing for secure monitoring and accountability.

• Active Directory Rights Management Services (AD RMS) for additional protection.


In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and their ACLs, administrators can control access to resources based on user security identifiers (SIDs) or group membership SIDs, and the level of access, such as Read-only, Change, and Full Control. However, once you provide someone with, for example, Read-only access to a document, you cannot prevent that person from copying the content of that document into a new document or printing the document.
By implementing AD RMS, you can establish an additional level of file control. Unlike NTFS permissions, which are not application-aware, AD RMS sets a policy that can control document access inside the application that the user uses to open it. By implementing AD RMS, you enable users to protect documents within applications.

Using Windows client operating systems prior to Windows 8, you cannot set conditional access to files by using NTFS and AD RMS. For example, you cannot set NTFS permissions so that users can access documents if they are members of a specific group, or if their EmployeeType attribute is set to Full Time Employee (FTE). Additionally, you cannot set permissions so that only users who have a department attribute populated with the same value as the department attribute of the resource can access the content. However, you can use conditional expressions to accomplish these tasks. You can use Dynamic Access Control to take attribute values on user or resource objects into account when granting or denying access.
Dynamic Access Control provides access control based on expressions that can include security groups, claims, and resource properties, both in NTFS ACLs and in central access policies.

Lesson 3

Implementing Encryption

In this age of information interconnection, an organization's network might consist of intranets, Internet sites, and extranets, all of which are potentially susceptible to access by unauthorized individuals. Therefore, it is important that you have some means of ensuring that your organization's data and communications are secure. Encrypting data or the volumes on which data resides is one part of that process. This lesson describes these technologies.

Lesson Objectives
After completing this lesson, students will be able to:

• Describe public key infrastructure (PKI) components.

• Describe how Encrypting File System (EFS) helps ensure file security.

• Describe how BitLocker Drive Encryption ensures drive and volume security.

• Compare and contrast EFS and BitLocker encryption technologies.

How Are Digital Certificates Used?

Public key infrastructure (PKI) is a system of components that allow for verifying the authenticity of each party involved in digital communication through the use of public key cryptography.
Some of the key components that make up a PKI are:

• Digital certificates. Digital certificates are the primary items managed in a PKI. Indeed, a PKI exists primarily for the proper management of these certificates. Certificates can be issued for a user, computer, or a service.

• CAs. CAs represent the people, processes, and tools used to create digital certificates. Before issuing a digital certificate, a CA will verify that user's identity and the validity of the user's purpose for obtaining a digital certificate. A CA will place the user's digital signature on a certificate, which both verifies that the certificate has come from a trusted source and acts like a tamper-proof seal on the certificate itself, preventing any attempts to tamper with the digital certificate. CAs also operate in a hierarchical manner, where a CA that issues certificates can use another, more widely trusted CA as its parent to maintain the level of trust necessary within a PKI environment.

• Certificate revocation lists (CRLs). CRLs contain a list of certificates that have been revoked or removed from a CA prior to the certificate's expiry date. Depending on the application that relies on the certificate, it is important that the CRLs are available from all locations where the certificate might be used. Some applications perform CRL checking, and others don't. If all certificates are used internally only, you do not need to publish the CRL outside your organization. If a certificate is used for your Hypertext Transfer Protocol Secure (HTTPS) external website, or for your users accessing the corporate network externally through a virtual private network (VPN), you need to define and manage publishing the CRL to a location available on the Internet.

• Certificate and CA management tools. When a Windows server is configured as a CA, a specific set of tools is available to create and manage certificates, manage CRLs, and perform maintenance on different aspects of the PKI environment. An example of this follows.

Consider the diagram on the slide for this topic. Data at the A. Datum web server is encrypted using A. Datum's private key and SSL encryption. The resultant encrypted data is sent out over the public Internet to the web client who is accessing the information on the server. Because the data has been encrypted using A. Datum's private key, the web client can be assured that the information is coming from A. Datum and is genuine.
Alternatively, data sent from the client to the server, such as personal or financial information, is first encrypted using Secure Sockets Layer (SSL) and A. Datum's public key attached to the digital certificate. The user can be assured that encrypted information is safe in transit because only A. Datum's private key can decrypt the data. It is critical for private keys to be secured in order to maintain the integrity of this exchange.

In Windows Server environments, core PKI components such as digital certificates, CAs, or CRLs are
configured and managed through Active Directory Certificate Services (AD CS). This is installed as a role in
Windows Server 2012.
Digital certificates are used for a wide variety of purposes. Depending on the nature of the issuing CA, certain digital certificates might have a specific level of trust assigned to them. Public, private, and self-signed certificates each have individual characteristics that make them suitable for specific implementations. The following points outline characteristics of public, private, and self-signed certificates:

• Public CAs typically charge a fee for providing a digital certificate, but the certificate is universally trusted. Also, public certificates can be used in almost any situation a private certificate is used. Digital certificates used on the public Internet are most commonly issued by a public CA.

• Private certificates allow an organization to manage its certificate issuing process, and any number of certificates can be generated at no cost. This allows an organization with the requirement to issue many certificates for internal use to use a private CA and not incur the costs associated with a large number of public certificates. This gives an organization a great deal of control over certificate management, but requires additional administrative overhead. Private certificates can be used within an organization to facilitate secure email or the encryption of individuals' data.

• Self-signed certificates do not require the implementation of a stand-alone CA. Rather, the application itself creates and signs the certificate. This decreases the administrative overhead of maintaining a private CA, and the organization incurs no extra costs. The main drawback is that the self-signed certificate has a very limited valid scope; it is strictly within the application itself.

More information about PKI and Active Directory Certificate Services (AD CS) in Windows
Server 2012 can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309143
Question: In what situations would a public certificate signed by a trusted CA be requested
or required?
Question: Why would a private certificate created by its owner be used instead of a public
certificate provided by a third party?
Question: Why would an organization choose to use self-signed certificates over private
certificates?

Encrypting File System

Encrypting File System (EFS) is a file and folder encryption technology in Windows Server 2012 and Windows 8, and is a built-in component of the NTFS file system. EFS was introduced in Windows 2000 and extended in Windows Server 2003 to allow multiple users to have certificates in one file. Most likely, no changes were made to EFS later on. EFS enables transparent encryption and decryption of files by using cryptographic algorithms. It is also possible to encrypt files on a file share.

Encrypted files and folders can be protected from an unauthorized user who gains physical possession of the computer that the files reside on. Even people who are otherwise authorized to access the computer and its file system cannot view the data if they are not authorized to do so. Any individual or program that does not possess the appropriate cryptographic key cannot read the encrypted data; users will receive an access denied message. If a user is authorized, the file or folder will open up with no prompts or interaction required.

Information technology (IT) professionals should be aware that although encryption is a powerful addition
to any defensive plan, it might not be the correct measure for every threat, and if used incorrectly, carries
the potential for harm or loss of data. EFS must be understood, implemented appropriately, and managed
effectively to ensure that your experience, the experience of those to whom you provide support, and the
data you want to protect are not compromised.
Features and Functionality of EFS
The following are some important features and functionality of EFS:

• EFS encryption does not occur at the application level but rather at the file-system level; therefore, the encryption and decryption process is transparent to the user and to the application. Applications do not have to understand EFS or manage EFS-encrypted files any differently than unencrypted files.

• If a folder is marked for encryption, every file created in or moved to the folder will be encrypted.

• EFS uses a combination of public-key and symmetric-key encryption to protect files from attack. EFS uses a symmetric key to encrypt the file, and a public key to protect the symmetric key.

• If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, then the file might be recoverable. If a PKI is used and key archival has been implemented, then the key might be recovered, and the file decrypted; otherwise, the file might be lost. It is important to manage the private key of the recovery agent and store it in a safe location.

• The user's public and private keys are protected by the user's password. Any user who can obtain the user ID and password can log on as that user and decrypt that user's files. Therefore, a strong password policy and strong user education must be a component of each organization's security practices to ensure the protection of EFS-encrypted files. It is also possible to use certificates issued to a user's smart card for EFS.

• IT administrators should ensure that they back up certificates and have a key recovery process in place in the event of lost or damaged keys.

• EFS is only supported on the NTFS file system. EFS is not supported on ReFS, FAT, or any other file system. If a user moves or copies an encrypted file to a non-NTFS file system, such as a floppy disk or USB flash drive formatted with FAT32, the file will no longer be encrypted.

• Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another user's EFS certificate, that user can, in turn, make the file available to other users' EFS certificates. EFS certificates are only issued to individual users, not to groups.


When a file is accessed remotely, it doesn't matter which remote machine an EFS-encrypted file is accessed from; the file is decrypted on the machine where the file is stored, meaning the file itself travels in plaintext over the network. If the file needs to be shared and encrypted for all users who view it remotely, additional encryption mechanisms might be required, such as Internet Protocol security (IPsec) or Web Distributed Authoring and Versioning (WebDAV) with SSL.
EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard (AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.
Configuration

The default configuration of EFS requires no administrative effort to allow users to implement it. Users can
begin encrypting files immediately, and EFS automatically generates a user certificate with a key pair for a
user if one does not already exist and there is no CA in place.
To encrypt a file or folder, a user can right-click the file or folder, and click Properties. In the Properties dialog box, click the Advanced button, and then in the Advanced Attributes dialog box, select the Encrypt Contents To Secure Data check box. You will then be prompted to confirm your action; after you confirm it, Windows encrypts your file, or your folder and all the content within it. In File Explorer, it is then displayed in a different color than the non-encrypted files so it is easily distinguishable.

Note: If EFS, and especially the recovery agent, are not planned, it is recommended that you use Group Policy to prevent users from encrypting files, so that files are not lost. You can disable EFS on client computers by using Group Policy. In the GPMC, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, right-click this policy setting, click Properties, and then click Don't Allow.

After a file has been encrypted, file sharing is enabled through the user interface as usual. Users can be
added either from the local computer or from AD DS and Active Directory if the user has a valid certificate
for EFS.
More information about EFS functionality can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309144
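The same folder encryption done from the command line with cipher.exe, together with the checks a support person would run afterwards (is the Encrypted attribute set, and which certificates can decrypt the file), as an added example that is not part of the course. The folder path and the sample file are constructed; cipher.exe ships with Windows.

```powershell
# Added example (not from the course): encrypt a folder with EFS from the command line,
# confirm the Encrypted attribute, and list the certificates that can decrypt each file.
# Assumes the session runs as the user who owns the data. Path and file are constructed.
$Folder = 'C:\Shares\Research\Classified'   # placeholder path
New-Item -Path $Folder -ItemType Directory -Force | Out-Null
Set-Content -Path (Join-Path $Folder 'design.txt') -Value 'constructed sample content'

# /E marks the folder so new files are encrypted, /A also encrypts the existing files,
# /S: walks subdirectories. Equivalent to the Encrypt Contents To Secure Data check box.
cipher.exe /e /a "/s:$Folder" | Out-Null

function Test-EfsEncrypted {
    # True when the Encrypted attribute is set on the file or folder.
    param([string]$Path)
    $attr = (Get-Item -Path $Path -Force).Attributes
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EfsDecryptors {
    # cipher /C prints the user certificates and recovery certificates that can decrypt
    # the file; an empty recovery section means no recovery agent is in place.
    param([string]$Path)
    cipher.exe /c $Path
}

Get-ChildItem -Path $Folder -File | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; Encrypted = Test-EfsEncrypted -Path $_.FullName }
} | Format-Table -AutoSize

Get-EfsDecryptors -Path (Join-Path $Folder 'design.txt')
# Pure .NET alternative for a single file: [System.IO.File]::Encrypt($path)
```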

BitLocker Drive Encryption

BitLocker Drive Encryption provides for full disk and full volume encryption, in addition to startup environment protection. It is available in Windows Server 2012 and Windows 8, and was present in earlier versions of Windows such as Windows Server 2008 and Windows 7.
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker provides for offline data protection and system integrity verification, both of which are described in the following sections.
Offline Data Protection

Offline data protection encrypts all data stored on the Windows operating system volume (and configured data volumes). This includes user files; Windows operating system, hibernation, and paging files; applications; and data used by applications. BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the applications when they are installed on the encrypted volume.
By default, offline data protection is configured to use a Trusted Platform Module (TPM) to help ensure the integrity of early startup components (components used in the earlier stages of the startup process), and "locks" any BitLocker-protected volumes so that they remain protected even if the computer is tampered with when the operating system is not running.

BitLocker is extended from operating system drives and fixed data drives to include removable storage
devices such as portable hard drives and USB flash drives. These devices are readable only with Windows 8
and Windows Server 2012. It is also possible to encrypt the full disk or, alternatively, just the space that
has been used. As disk space is used the data is encrypted.
BitLocker also supports Windows Clustered Shared Volumes and Windows Failover Clusters to provide
protection for highly available servers and services. It also supports ReFS.
Offline data protection can use existing Active Directory Domain Services (AD DS) infrastructure to
remotely store BitLocker recovery keys.
System Integrity Verification

BitLocker uses a TPM (version 1.2 or 2.0), which is functionality supported within the central processing
unit (CPU) of a computer, to verify the integrity of the operating system startup process. This helps
prevent additional offline attacks, such as attempts to insert malicious code into those components.

System integrity verification provides a method to check that early boot file integrity has been
maintained, and to help ensure that there has been no adverse modification of those files, such as with
boot sector viruses or root kits. This functionality is important because the components in the earliest part
of the startup process must be available unencrypted so that the computer can start.
It also enhances protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for the Windows operating system volume.
System integrity verification also locks the system when tampered with. If any monitored files have been
tampered with, the system does not start. This alerts the user to the tampering because the system fails to
start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.

Note: TPM is not required for BitLocker to be installed and used. However, the startup
integrity check does require TPM. As such, if TPM is not present, the startup integrity checks
cannot be executed.
Using BitLocker To Go with Removable Drives

When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer
asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To
Go provides enhanced protection against data theft and exposure by extending BitLocker Drive
Encryption support to removable storage devices such as USB flash drives, and can be managed through
Group Policy. BitLocker To Go works with FAT16, FAT32, or NTFS.


When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that
the drive is encrypted and prompt you to unlock it.

In Windows Server 2012, BitLocker is enabled by installing the BitLocker Drive Encryption feature in Server
Manager. It is highly configurable through Group Policy in GPMC under Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
It is also possible to enable, disable, and configure BitLocker by using Windows PowerShell. Examples of
some BitLocker cmdlets are included in the following table.
BitLocker cmdlet | Functionality
Enable-BitLocker | Enables BitLocker encryption on a volume
Disable-BitLocker | Disables BitLocker encryption on a volume
Backup-BitLockerKeyProtector | Saves a key protector for an encrypted volume in AD DS
Get-BitLockerVolume | Returns information about volumes that BitLocker can encrypt

To view all the available BitLocker commands in the Windows PowerShell console, type the following in a Windows PowerShell console.
Help *BitL*

To view the Help information for individual cmdlets, type the following example, substituting the cmdlet name.
Help Get-BitLockerVolume -ShowWindow
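The cmdlets from the table combined into one enablement script, as an added example that is not the course's own code: it checks the TPM, adds a recovery password, encrypts used space only with a TPM protector, escrows the recovery password in AD DS, and reports status. It assumes an elevated session on a domain-joined Windows Server 2012 or later host with the BitLocker feature installed; Get-Tpm and Add-BitLockerKeyProtector are standard Windows cmdlets not listed in the table.

```powershell
# Added example (not from the course): enable BitLocker on the operating system volume with
# a TPM protector plus a recovery password, back the password up to AD DS, and report status.
# Assumes an elevated session, the BitLocker feature installed, and a ready TPM.
function Enable-ProtectedVolume {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. C:

    # The startup integrity check described above needs a TPM that is present and ready.
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) {
        throw 'TPM not present or not ready: enable it in firmware, or allow BitLocker without a compatible TPM through Group Policy'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }   # nothing to do

    # Recovery password first, so recovery mode can be satisfied from the first reboot on.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # AES-256, used space only (free space is encrypted as it is consumed), sealed to the TPM.
    # -SkipHardwareTest avoids the extra reboot that tests the TPM before encrypting.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null

    # Escrow the recovery password on the computer object in AD DS (needs the BitLocker
    # schema extensions and write permission on the computer object).
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null

    return (Get-BitLockerVolume -MountPoint $MountPoint)
}

function Get-BitLockerSummary {
    # One line per volume: state, progress, and which protector types are present.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        EncryptionPercentage, @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
}

Enable-ProtectedVolume | Out-Null
Get-BitLockerSummary | Format-Table -AutoSize
```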

More information about BitLocker Drive Encryption can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309145
More information about Windows PowerShell cmdlets for BitLocker can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309146

BitLocker and EFS Comparison

Although BitLocker and EFS might appear at first glance to be similar and two different ways of achieving the same result, each has distinct functionalities and, therefore, applications. Both have specific functionality and requirements, and as a result have different suitability for use. They can be used together to achieve high levels of data and system protection.
EFS

EFS provides core file-level encryption for files and folders stored on NTFS volumes; this is carried out on a per-user basis. EFS supports industry-standard encryption algorithms and smart card-based encryption. By default, users generate self-signed encryption keys, which allow for both the encryption and decryption of files or folders. Other users cannot view the contents of the files unless the key is made available to them.
EFS allows users to quickly and conveniently encrypt files or folders that contain sensitive data, knowing the data will be secure regardless of file or folder permissions granted. It does not require a restart of the system and there are no hardware requirements to enable it.
Although EFS provides for the encryption of file contents, it does not encrypt file metadata such as file name, file size, file extension type, or assigned permissions.
EFS does not support ReFS.
BitLocker

BitLocker is a full disk encryption system built into Windows Server 2012 and Windows 8. It provides for
encryption of the entire operating system volumes and additional data volumes.
BitLocker To Go provides for the encryption of removable data drives like USB flash drives or portable
hard drives.

BitLocker uses keys for encryption in similar fashion to EFS, but provides more options for key
management. Users can store encryption keys on a removable USB drive, store them in Active Directory,
incorporate passkeys or incorporate a special hardware feature called Trusted Platform Module (TPM) to
ensure that an encrypted volume only allows for decryption while attached to a specific system.
Depending on domain policies for Windows 8 computers that do not have TPM functionality, the
administrator must enable the Allow BitLocker Without Compatible TPM option in the Require
Additional Authentication At Startup operating system volumes Group Policy.
Comparing BitLocker and EFS
The following table compares BitLocker and EFS encryption functionality.

BitLocker | EFS
Encrypts all personal and system files on system, data, and removable drives. | Encrypts files and folders individually. Does not encrypt the entire drive.
Is implemented for all users or groups. Does not depend on individual user accounts. | Is implemented at the user level. Individual users can encrypt their own files.
Requires TPM for full functionality; that is, it can encrypt drives and volumes without one, but TPM is needed for the startup integrity check. | Does not require any special hardware.
Administrator credentials are required to turn BitLocker on or off. | Administrator-level intervention is not required for users to implement EFS.
Does not require user certificates. | Requires user certificates.
Supported on ReFS. | Not supported on ReFS.
Can be installed and configured using Windows PowerShell. | No dedicated Windows PowerShell EFS cmdlets are available.

As stated earlier, both EFS and BitLocker have benefits and, depending on your particular requirements,
either one could be preferred.

Note: A number of potential events could cause BitLocker to enter recovery mode when
restarting the computer, such as adding volumes, hard drives, or DVD drives. To avoid that
situation when making significant hardware changes to the computer, it is advisable to suspend
BitLocker before making the changes.
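The note above turned into a script, as an added example that is not part of the course text: it checks for a TPM, makes sure the operating system volume has a recovery password that is backed up to AD DS, and then suspends BitLocker for exactly one restart before a hardware change. It uses the BitLocker and TrustedPlatformModule cmdlets of Windows 8 and Windows Server 2012; the drive letter C: is an assumption.

```powershell
# Added example, not course material. Requires an elevated session with the BitLocker
# and TrustedPlatformModule modules (Windows 8 / Windows Server 2012 or later).
# Assumption: the operating system volume is C:.
$OsDrive = 'C:'

# 1. TPM presence decides whether the pre-startup integrity check is available.
$Tpm = Get-Tpm
if (-not $Tpm.TpmPresent) {
    Write-Warning ('No TPM found. BitLocker on this computer needs the "Allow BitLocker ' +
                   'without a compatible TPM" policy setting and a USB startup key.')
}

# 2. Current state of the volume.
$Vol = Get-BitLockerVolume -MountPoint $OsDrive
'{0} protection={1} status={2} method={3}' -f $Vol.MountPoint, $Vol.ProtectionStatus,
    $Vol.VolumeStatus, $Vol.EncryptionMethod
if ($Vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$OsDrive is not BitLocker-protected; nothing to suspend."
}

# 3. Make sure a recovery password exists and is escrowed in AD DS, so that a
#    recovery prompt after the hardware change is an inconvenience, not a lockout.
#    Backup-BitLockerKeyProtector succeeds only when domain policy allows AD DS backup.
$Recovery = @($Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($Recovery.Count -eq 0) {
    $Vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
    $Recovery = @($Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($Kp in $Recovery) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $Kp.KeyProtectorId | Out-Null
    "Recovery password $($Kp.KeyProtectorId) backed up to AD DS"
}

# 4. Suspend protection for exactly one restart. The TPM measurements change when
#    hardware is added; with protection suspended the volume boots without the
#    integrity check once, then BitLocker resumes on its own (or run Resume-BitLocker).
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
"BitLocker on $OsDrive suspended for one restart; make the hardware change and reboot."
```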


Lab: Implementing Security in Windows Server


Scenario


You have been asked to implement a stricter password policy for the Research group in order to meet the
requirements of new A. Datum company security policies, which are intended to ensure the integrity of the
company's intellectual property.
You have also been asked by your supervisor to create a shared folder structure on LON-SVR1 that
satisfies the Research team's request for access.

Your supervisor has requested that, on LON-SVR1, specific files containing sensitive information
in the Classified subfolder of the new Research shared folder be encrypted to prevent unauthorized
access. You have been asked to test encryption on the Classified folder.

Objectives
After completing this lab, students will be able to:

Create and apply a fine-grained password policy.

Secure NTFS files and folders.

Encrypt files and folders by using EFS.

Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1 and 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 10967A-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: ADATUM
5. Repeat these steps for 10967A-LON-SVR1 and 10967A-LON-CL1.

Exercise 1: Configuring a Fine Grained Password Policy


Scenario

You have been asked to implement a stricter password policy for the Research group in order to meet the
requirements of new A. Datum company security policies, which are intended to ensure the integrity of the
company's intellectual property.
A. Datum already has a password policy in place, based on the following criteria:

Passwords must be at least eight characters long.

Passwords must contain at least three of the four following character types: lowercase letters (a-z),
uppercase letters (A-Z), numbers (0-9), and symbols (for example, ! @ # $).

Passwords must be changed every 60 days.

Users cannot use a password again until five other different passwords have been used.

Users should be locked out of the system after repeated failed logon attempts.


You have been asked to extend the minimum password length to 10 characters for the Research group,
while still maintaining the above criteria for the remainder of the company.
The main tasks for this exercise are as follows:
1. Create a shadow security group for the Research group.
2. Create a fine-grained password policy and apply it to the Research group.
3. Verify new user password policy settings.

Task 1: Create a shadow security group for the Research group

1. Ensure you are logged on to 10967A-LON-DC1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Open Active Directory Administrative Center.
3. Create a shadow group called Research Shadow Group and ensure it is a Global Security group.
4. Add all users from the Research group to the new Research Shadow Group.

Task 2: Create a fine-grained password policy and apply it to the Research group

1. On 10967A-LON-DC1, open the Active Directory Administrative Center.
2. Open the Password Settings Container.
3. Create a new Password Setting with the following parameters:
   Name: Research Password Policy
   Precedence: 1
   Minimum password length (characters): 10
   Number of passwords remembered: 20
   Password must meet complexity requirements: Yes
   User cannot change the password within (days): 1
   Users must change the password after (days): 30
   Protect from accidental deletion: Yes
4. Apply the new password policy to the Research Shadow Group.

Task 3: Verify new user password policy settings

1. Sign in to 10967A-LON-CL1 with username ADATUM\Maxim and password Pa$$w0rd.

Note: ADATUM\Maxim is a member of the Research group.

2. Change Max's password to password.
3. Is Max successful?
4. Change Max's password to Pa$$w0rd1.
5. Is Max successful?
6. Change Max's password to Pa$$w0rd012.
7. Is Max successful? Why?
8. Now log on to 10967A-LON-CL1 with user name ADATUM\Franz and password Pa$$w0rd.
9. Change Franz's password to Pa$$w0rd1.
10. Is Franz successful? Why?

Results: After this exercise, you should have configured Password and Account Lockout settings in
Account Policies.
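Exercise 1 scripted, as an added example that is not part of the lab: the ActiveDirectory module on LON-DC1 creates the shadow group, creates the Password Settings Object with the values from Task 2, and reads back the resultant policy for the two users tested in Task 3. It assumes an existing group named Research; the Get-EffectivePasswordRule helper is this example's own.

```powershell
# Added example, not the lab's own steps. Run on 10967A-LON-DC1 as ADATUM\Administrator.
# Assumption: an existing group named Research whose members should receive the policy.
Import-Module ActiveDirectory

# Task 1: a global security group, because a PSO can be applied only to users and to
# global security groups; copy the Research membership into it (users only).
$Shadow = New-ADGroup -Name 'Research Shadow Group' -GroupScope Global `
    -GroupCategory Security -PassThru
$Members = Get-ADGroupMember -Identity 'Research' -Recursive |
    Where-Object objectClass -eq 'user'
Add-ADGroupMember -Identity $Shadow -Members $Members

# Task 2: the Password Settings Object with the values from the lab. Ages are
# TimeSpans written as days.hours:minutes:seconds. Precedence 1 wins over any other
# PSO that might also apply to these users (lower number = higher priority).
New-ADFineGrainedPasswordPolicy -Name 'Research Password Policy' `
    -Precedence 1 `
    -MinPasswordLength 10 `
    -PasswordHistoryCount 20 `
    -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '30.00:00:00' `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'Research Password Policy' -Subjects $Shadow

# Task 3 without changing anyone's password: the resultant policy for each user shows
# which minimum length applies. Maxim (a Research member) resolves to the PSO; for
# Franz no PSO applies, the cmdlet returns nothing, and the Default Domain Policy is
# in effect. Compare the minimum lengths with the passwords tried in Task 3.
function Get-EffectivePasswordRule {
    param([string]$SamAccountName)
    $Pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($Pso) {
        [pscustomobject]@{
            User = $SamAccountName; Policy = $Pso.Name
            MinLength = $Pso.MinPasswordLength; History = $Pso.PasswordHistoryCount
            MaxAgeDays = $Pso.MaxPasswordAge.Days
        }
    } else {
        $Default = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{
            User = $SamAccountName; Policy = 'Default Domain Policy'
            MinLength = $Default.MinPasswordLength; History = $Default.PasswordHistoryCount
            MaxAgeDays = $Default.MaxPasswordAge.Days
        }
    }
}
'Maxim', 'Franz' | ForEach-Object { Get-EffectivePasswordRule -SamAccountName $_ }
```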

Exercise 2: Securing NTFS Files and Folders


Scenario


The Research team at A. Datum has asked for a new folder to be created on LON-SVR1 to store general
research information, in addition to information regarding the team's projects and special classified
information. The team would like this folder and its contents to be fully accessible to the entire Research
team, with the exception of the classified information, which should be unavailable to all members of the
Research team except Allie Bellew, the Research Manager, who should have full access to
classified information. The Research team will access the files and folders exclusively over the network.
You have been asked by your supervisor to create a shared folder structure that satisfies the Research
team's request.
The main tasks for this exercise are as follows:
1. Create the C:\Research folder structure.
2. Assign appropriate NTFS file and folder permissions to the folder structure.
3. Share the C:\Research folder on the network and set appropriate shared folder permissions.
4. Test access to C:\Research folders.

Task 1: Create the C:\Research folder structure

1. Ensure you are logged on to 10967A-LON-SVR1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Create two subfolders in C:\Research named Classified and Projects.

Task 2: Assign appropriate NTFS file and folder permissions to the folder structure

1. Block inheritance for the C:\Research folder.
2. Assign the ADATUM\Research group Full Control over the C:\Research folder.
3. Block inheritance for the C:\Research\Classified folder.
4. Assign only ADATUM\Allie Full Control over the C:\Research\Classified folder.

Task 3: Share the C:\Research folder on the network and set appropriate shared folder permissions

1. Share the C:\Research folder on the network.
2. Assign Full Control permissions for C:\Research to the ADATUM\Research group.

Task 4: Test access to C:\Research folders

1. Log on to 10967A-LON-CL1 with username ADATUM\Bill and password Pa$$w0rd.

Note: ADATUM\Bill is a member of the Managers group. He is not a member of the Research group.

2. Attempt to connect to the share \\LON-SVR1\Research.
3. Does ADATUM\Bill have access to the Research folder?
4. Log on as ADATUM\Olivier with password Pa$$w0rd.
5. Does ADATUM\Olivier have access to the Research folder?
6. Does ADATUM\Olivier have access to the Research\Classified folder?
7. Log on as ADATUM\Allie with password Pa$$w0rd.
8. Does ADATUM\Allie have access to the Research folder?
9. Does ADATUM\Allie have access to the Research\Classified folder?

Results: After this exercise, you should have secured NTFS and shared folders.
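Exercise 2 scripted, as an added example that is not part of the lab: icacls.exe (listed in this module's tools table) sets the NTFS permissions and the SmbShare module creates the share on LON-SVR1. The example additionally keeps Full Control for BUILTIN\Administrators and SYSTEM, an assumption the lab steps do not state, so that the administrator can still work in Classified in Exercise 3; the Test-ExplicitAccess helper is this example's own.

```powershell
# Added example, not the lab's own steps. Run on 10967A-LON-SVR1 as ADATUM\Administrator.
$Root = 'C:\Research'

# Task 1: the folder structure.
New-Item -ItemType Directory -Path "$Root\Classified", "$Root\Projects" -Force | Out-Null

# Task 2: /inheritance:r removes every inherited ACE (block inheritance), then explicit
# grants follow. (OI)(CI) = object inherit + container inherit, so the ACE flows down to
# files and subfolders; F = Full Control. Administrators and SYSTEM are kept by
# assumption so the folders stay manageable by the administrator.
icacls $Root /inheritance:r `
    /grant 'ADATUM\Research:(OI)(CI)F' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls "$Root\Classified" /inheritance:r `
    /grant 'ADATUM\Allie:(OI)(CI)F' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Task 3: share with Full Control for the Research group. Over the network the effective
# permission is the more restrictive of share and NTFS, so the share can stay permissive
# for Research while NTFS keeps Classified Allie-only.
New-SmbShare -Name 'Research' -Path $Root -FullAccess 'ADATUM\Research' | Out-Null

# Task 4 without logging on as Bill, Olivier and Allie: read the ACLs back and ask
# whether a given account or group holds an explicit Allow ACE on a folder.
function Test-ExplicitAccess {
    param([string]$Path, [string]$Account)
    $Acl = Get-Acl -Path $Path
    [bool]($Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' })
}
# Research group (Olivier) on the root and on Classified; Allie on Classified.
Test-ExplicitAccess -Path $Root -Account 'ADATUM\Research'
Test-ExplicitAccess -Path "$Root\Classified" -Account 'ADATUM\Research'
Test-ExplicitAccess -Path "$Root\Classified" -Account 'ADATUM\Allie'
# Bill (Managers, not Research) holds no ACE anywhere, so the share itself turns him away.
Get-SmbShareAccess -Name 'Research'
```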

Exercise 3: Encrypting Files and Folders


Scenario


It has been requested by your supervisor that, on LON-SVR1, specific files containing sensitive information
in the Classified subfolder of the new Research shared folder be encrypted to prevent unauthorized
access. You have been asked to test encryption on the Classified folder.
The main tasks for this exercise are as follows:
1. Encrypt files and folders by using EFS.
2. Confirm that files are encrypted.
3. Decrypt files and folders.
4. Revert the lab machines.

Task 1: Encrypt files and folders by using EFS

1. Ensure you are logged on to 10967A-LON-SVR1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Create a test file called Personal.txt in the C:\Research\Classified folder.
3. Encrypt the C:\Research\Classified folder and the files within it.
4. Sign out of LON-SVR1.

Task 2: Confirm that files are encrypted

1. Sign in to 10967A-LON-SVR1 with user name ADATUM\Olivier and password Pa$$w0rd.
2. Confirm that the Classified folder and files have been encrypted by attempting to open the
   Personal.txt file in the C:\Research\Classified folder. The encrypted file and folder names should
   also be listed in green text.
3. Sign out of LON-SVR1.

Task 3: Decrypt files and folders

1. Sign in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. Decrypt the contents of C:\Research\Classified.

Task 4: Revert the lab machines


When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-DC1 and 10967A-LON-CL1.

Results: After this exercise, you should have encrypted and decrypted files and folders by using
Encrypting File System (EFS).
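Exercise 3 scripted, as an added example that is not part of the lab: cipher.exe (built into Windows) encrypts and later decrypts the folder, and a small function walks the tree to confirm that nothing under it was left unencrypted. It assumes the C:\Research\Classified folder from Exercise 2 and runs on LON-SVR1 as ADATUM\Administrator; the Get-UnencryptedItem helper is this example's own.

```powershell
# Added example, not the lab's own steps. Run on 10967A-LON-SVR1 as ADATUM\Administrator.
# Assumption: C:\Research\Classified already exists (Exercise 2).
$Classified = 'C:\Research\Classified'

# Task 1: create the test file, then encrypt the folder and everything in it. /s:<dir>
# recurses; because the folder itself gets the encrypted attribute, files created in it
# later are encrypted automatically as well.
Set-Content -Path "$Classified\Personal.txt" -Value 'constructed sample content'
cipher.exe /e "/s:$Classified"

# Task 2 without switching users: report anything under the folder that is NOT
# encrypted. Encrypting at the folder level (a best practice later in this module)
# keeps this list empty, because every file inherits the folder's encrypted attribute.
function Get-UnencryptedItem {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 } |
        Select-Object -ExpandProperty FullName
}
$Plain = @(Get-UnencryptedItem -Path $Classified)
if ($Plain.Count -gt 0) {
    Write-Warning "Unencrypted items under ${Classified}: $($Plain -join ', ')"
} else {
    "Every item under $Classified carries the Encrypted attribute."
}

# Which accounts can decrypt Personal.txt: the users whose EFS certificates were used
# (here the administrator who ran cipher /e) plus any data recovery agent. Olivier in
# Task 2 is on neither list, so even with NTFS read access the file would not open for him.
cipher.exe /c "$Classified\Personal.txt"

# Task 3: decrypt the folder tree again.
cipher.exe /d "/s:$Classified"
```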
Question: What is the most efficient way to give several users who all require the same
permissions access to a shared folder?
Question: What are some of the ways of protecting sensitive data in Windows Server?

Module Review and Takeaways


Best practices for UAC
The following are best practices for UAC users:


UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local
Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be centrally managed and controlled.

Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.

For example, you might require administrative permissions to change the UAC setting to Always
Notify Me or Always Notify Me And Wait For My Response. With this type of configuration, a yellow
notification appears at the bottom of the User Account Control Settings page indicating the
requirement.

Best practices for EFS


The following are best practices for EFS users:

Users should export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted files must be
accessed, the private key can easily be imported from the removable media.

Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the
personal folder, where most documents are stored, is encrypted.

Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level makes sure that files are not unexpectedly decrypted.
Also, when an individual file is encrypted, a temporary unencrypted copy is written to the temp folder,
and that copy could be retrieved by someone with a tool that recovers deleted files.

The private keys that are associated with recovery certificates are extremely sensitive. These keys must
either be generated on a computer that is physically secured, or their certificates must be exported to
a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically
secure location.

You should plan and roll out EFS with some thought, including the proper use of a recovery agent. It
is possible to lose access to all EFS-encrypted files with no way of recovering them; proper planning,
including the use of recovery agents, is therefore essential.
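The first best practice above done with Windows PowerShell, as an added example that is not part of the course: locate the current user's EFS certificate by its enhanced key usage, export certificate and private key to a password-protected .pfx on removable media, and confirm the backup can be read back before the key is removed from the computer. It assumes the PKI module (Windows 8 or Windows Server 2012 or later) and that E:\ is the removable drive.

```powershell
# Added example, not course material. Run as the user whose EFS key is being backed up.
# Assumptions: PKI module available; E:\ is the removable drive.
$BackupPath = 'E:\efs-backup.pfx'
$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'   # Enhanced key usage: Encrypting File System

# The EFS certificate lives in the user's personal store; pick the one with a private
# key and the EFS EKU (the newest if there are several).
$Cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $Cert) {
    throw 'No EFS certificate with a private key in Cert:\CurrentUser\My (encrypt a file first).'
}
"Backing up EFS certificate $($Cert.Thumbprint), valid until $($Cert.NotAfter)"

# Export certificate + private key. The PFX is useless without the password, so the
# password is what protects the key while the media is out of the user's hands.
$PfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath $BackupPath -Password $PfxPassword | Out-Null

# Verify the backup before trusting it: load it with the same password and compare
# thumbprints. Only after this succeeds should the key be removed from the computer
# (Remove-Item on the Cert:\ path with -DeleteKey) and the media stored securely;
# Import-PfxCertificate brings the key back when encrypted files must be accessed.
$Check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $BackupPath, $PfxPassword)
if ($Check.Thumbprint -ne $Cert.Thumbprint -or -not $Check.HasPrivateKey) {
    throw 'Backup verification failed; do not remove the key from this computer.'
}
"Backup verified: $BackupPath"
```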

Best practices for BitLocker


Because BitLocker stores its own encryption and decryption key in a hardware device that is
separate from the hard disk, consider the following:

The most secure implementation of BitLocker takes advantage of the enhanced security capabilities
of TPM version 1.2 or higher.


On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation will require the user to insert a USB
startup key to start the computer or resume from hibernation, and it does not provide the pre-startup
system integrity verification that BitLocker offers when working with a TPM.

If you are making any significant hardware changes, such as adding Hard Drives or optical drives,
suspend BitLocker before doing so; otherwise, the changes might cause BitLocker to start in recovery
mode when it restarts.

Best practices for securing files and folders

Use the most restrictive permissions possible. Do not grant more permissions for a file or folder than
the users legitimately require. For example, if a user only has to read the files in a folder, grant Read
permission for the folder to the user or group to which the user belongs.

Avoid assigning permissions to individual users. Use groups whenever possible. It is very inefficient to
maintain user accounts directly.

Use restrictive shared folder permissions only when necessary. To avoid complicated combined
permissions scenarios, use NTFS file and folder permissions to restrict or grant access as much as
possible. NTFS file and folder permissions offer much more precise control over user access and
always apply to file and folder security, whether being accessed locally or over the network.

Use Deny permissions with caution. Deny permissions always override Allow permissions and can
result in users being mistakenly restricted from access to files or folders.

Remember that Full Control lets users modify permissions. Assign Full Control permissions with
caution, as any change in existing permissions could potentially affect security.

Use the Authenticated Users or the Domain Users group instead of the Everyone group, and remove the
Everyone group (if present) from the shared folder's permissions list. The Everyone group includes guest
users. Using the Authenticated Users or Domain Users group limits file or folder access to only
authenticated users, and prevents users or viruses from accidentally deleting or damaging files.

Be conscious of explicitly set permissions and the effects of blocked inheritance. When assigning
permissions to a parent folder, be aware that some subfolders and files might have inheritance
blocked and explicit permissions specified. In this case, such subfolders and files will not inherit the
parent folder's permissions when changes are made.

You can use the Effective Permissions tool to evaluate the permissions assigned to a user or group for
a specific file or folder. Effective Permissions allows you to select users or groups and then shows you
the effective permissions for those users or groups according to all the permissions set on the specific
file or folder.
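The share and NTFS best practices above turned into a check, as an added example that is not part of the course: a function that lists, for every non-administrative SMB share on the local server, Everyone entries, Deny entries, and NTFS ACEs granted to individual domain users rather than to groups. It assumes the SmbShare and ActiveDirectory modules are available; the function name is this example's own.

```powershell
# Added example, not course material. Run in an elevated session on the file server
# with the SmbShare and ActiveDirectory modules available.
function Get-ShareAclFinding {
    # Emits one object per finding for every non-administrative share on this server.
    $Domain = (Get-ADDomain).NetBIOSName

    foreach ($Share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $Emit = {
            param($Finding, $Principal)
            [pscustomobject]@{
                Share = $Share.Name; Path = $Share.Path
                Finding = $Finding; Principal = $Principal
            }
        }

        # Share-level permissions: Everyone includes guest users; Deny overrides Allow.
        foreach ($Ace in Get-SmbShareAccess -Name $Share.Name) {
            if ($Ace.AccountName -eq 'Everyone') {
                & $Emit 'Share permission granted to Everyone (includes guests)' $Ace.AccountName
            }
            if ($Ace.AccessControlType -eq 'Deny') {
                & $Emit 'Deny share permission' $Ace.AccountName
            }
        }

        # NTFS permissions on the shared folder itself.
        foreach ($Ace in (Get-Acl -Path $Share.Path).Access) {
            $Id = $Ace.IdentityReference.Value
            if ($Ace.AccessControlType -eq 'Deny') {
                & $Emit 'Deny NTFS ACE (always overrides Allow)' $Id
            }
            if ($Id -eq 'Everyone') {
                & $Emit 'NTFS ACE granted to Everyone' $Id
            }
            # Domain principals only: resolve the SID in AD DS to see whether the ACE
            # was assigned to a user instead of a group.
            if ($Id -like "$Domain\*") {
                $Sid = $Ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
                $Obj = Get-ADObject -Filter "objectSid -eq '$Sid'"
                if ($Obj -and $Obj.ObjectClass -eq 'user') {
                    & $Emit 'NTFS ACE assigned to an individual user (prefer a group)' $Id
                }
            }
        }
    }
}

Get-ShareAclFinding | Format-Table -AutoSize
```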

Tools

Tool | Use for | Where to find it
Server Manager | Managing server configuration, including adding roles and features. | Start menu
Windows PowerShell | Managing the server from the command line, including Server Manager tasks. Also, almost all server roles have cmdlets available to support them. | Windows PowerShell console and Windows PowerShell ISE
Auditpol.exe | Viewing and managing audit policy. | Command Prompt
Icacls.exe | Viewing and managing access control list details. | Command Prompt

Module 10
Implementing Network Security
Contents:
Module Overview 10-1
Lesson 1: Overview of Network Security 10-2
Lesson 2: Implementing Firewalls 10-4
Lesson 3: Internet Protocol Security 10-13
Lab: Implementing Network Security 10-20
Module Review and Takeaways 10-25

Module Overview

When you connect your computers to a network, you might expose them to additional security threats. It
is important that you identify possible threats, and implement appropriate Windows network security
features to help eliminate them.

Objectives
After completing this module, you will be able to:

Identify network-based security threats and mitigation strategies.

Implement Windows Firewall to secure Windows hosts.

Lesson 1

Overview of Network Security


There are many network-based security threats. You must understand the nature of these threats and be
able to implement appropriate security measures to lessen them.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the security threats that can appear on networks.

Describe common solutions to these threats.

Network Security Threats


There are many different network security threats, classified into several categories; some threats
overlap one another or are combinations of different types. Common network-based security
threats include the following:

Eavesdropping. An eavesdropping attack occurs when a malicious person captures network packets being
sent and received by workstations connected to the network. Eavesdropping attacks can result in
sensitive data, such as passwords, being compromised. This can lead to other, perhaps more damaging,
attacks.

Note: Eavesdropping is also known as sniffing. Because a switch forwards traffic only to the port of the
destination host (1:1 communication), eavesdropping on a switched network is no longer easy.

Denial-of-service (DoS). This attack is intended to limit the function of a network application, or to
make the application or network resource unavailable. There are many ways in which a malicious
person can start a DoS attack. For example, a person could intentionally enter incorrect passwords on
a publicly addressable site to cause accounts to be locked out.

Port scanning. Applications that are running on a TCP/IP host use TCP or User Datagram Protocol
(UDP) ports to identify themselves. An attacker can scan to identify which ports are open. If a port is
open but no service is using it, the attacker can exploit that port. If the port does have a service
using it, the attacker could potentially exploit a known vulnerability in that service.

Man-in-the-middle. The malicious attacker uses a computer to impersonate a legitimate host on the
network. The attacker intercepts all of the communications intended for the destination host. The
attacker can view, change, or replay the data in transit between the two hosts.

Replay attacks. An attacker re-uses or replays data, which has been captured from your network
during transmission, to establish a session or gain information illegally.

Hacking. This is a generic term that means any kind of network attack.

Mitigating Network Security Threats


One of the most important things to realize is that an attacker looking for access into the network uses
different tools and techniques. After they have found a way in, regardless of how minor and apparently
innocuous, they can exploit that success and continue the attack. Therefore, it is important to implement
a holistic approach to network security to make sure that one loophole or oversight does not result in
another attack. You can use any of the following defense mechanisms to help protect the network from
malicious attacks.


Internet protocol security (IPsec). IPsec lets you authenticate IP-based communications between
two hosts and, where desirable, encrypt that network traffic.

Firewalls. Firewalls allow or block network traffic based on a set of rules. These rules can apply a filter
by using the source, destination, protocol, port, and even validity of the communication.

Perimeter networks. A perimeter network is an isolated area on the network to and from which
there is defined network traffic flow. When you have to make network services available on the
Internet, it is inadvisable to connect the hosting servers directly to the Internet. By adding these
servers in a perimeter network, you can make them available to Internet users without letting those
users gain access to your corporate intranet.

Virtual private networks (VPNs). When users must connect to your corporate intranet from the
Internet, make sure that they do so as securely as possible. The Internet is a public network and data
in transit across it is susceptible to eavesdropping or man-in-the-middle attacks. By authenticating
and encrypting connections between the remote users and your corporate intranet by using a VPN,
you can reduce these risks. Also, you do not want to publish information about your internal
network on the Internet. Tunneling technologies are used where only the endpoints are public-facing.

Server hardening. By only running the services that you need, you can make your servers more
secure. Because it is sometimes difficult to determine precisely which Windows Server services are
required, you can use tools such as the Security Configuration Wizard (SCW) or the Microsoft
Baseline Security Analyzer to help you establish a baseline.

Intrusion detection. Although it is important to implement the previous techniques, it is also sensible to
monitor the network for signs that it was attacked. You can implement intrusion detection systems to
help you perform this task. You can implement intrusion detection systems on devices at the perimeter of
the network, such as Internet-facing routers.

Lesson 2

Implementing Firewalls


A firewall can help protect your computer and network from unauthorized access or from malicious
software that may be attempting to do harm to your organization. Firewalls can function at different
levels and can be specific to private networks or to public networks, such as the Internet. Organizations
and individuals have different requirements and acceptable levels of security, and as such each scenario
and firewall implementation will have its own infrastructure and configuration requirements.

You can implement firewalls by using software, hardware, or a combination of both. Firewalls work on the
principle of filtering network traffic based on the characteristics of that traffic, and then either allowing or
blocking the traffic as determined by your configuration.
While the principles are the same for public or private network firewalls, the products and configurations
will be different. This lesson will focus on private network firewall implementations specific to protecting
the host and the private network.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the different firewall types.

Design a perimeter network and identify common perimeter applications

Describe Windows Firewall and its main features.

Describe network location-aware profiles.

Configure Windows Firewall with Advanced Security rules.

Implement an inbound firewall rule.

Describe IPsec and its benefits.

Describe connection security rules.

Firewall Types
Firewalls can operate on hosts directly, in which case they protect the local computer from malicious
attack regardless of where that attack originated, whether from a public or private source. Firewalls can
also operate in the perimeter network, between two networks, which provides general protection from
attack from the Internet. Firewalls can also be implemented on routers operating between two networks,
or as firewall appliances, which are standalone entities containing hardware and software that perform
the necessary access control functions. Firewall appliances are more specialized and are used more in
large organizations.

So there are different kinds of firewalls available, depending on where the actual communication or
processing of data occurs. Definitions of these are:


Application-layer gateways. Operate at the application layer of the Open Systems Interconnection
(OSI) model. Application-layer gateways proxy requests to or from the network and do not allow
traffic for which you have not defined a proxy. In other words, firewalls that understand applications
can look inside the traffic (for example, HTTP traffic) and decide which applications are allowed and
which to block. Additionally, they can understand dynamic ports, and you could allow specific
applications by using Remote Procedure Call (RPC) through the firewall. This enables applications
such as instant messaging and file transfer to function through your firewall without you having to
open multiple ports.

Circuit-level gateways. Operate at the session layer of the OSI model and monitor datagrams
between communicating hosts to verify that requested sessions are legitimate. Circuit-level gateways
monitor the TCP hand-shaking process that is used to establish TCP sessions between hosts to
determine whether the session is legitimate. Additionally, information passed from the network to
remote hosts appears to originate from the circuit-level gateway. This is useful in hiding information
about the network from remote hosts.

Packet filters. Operate at the network level of the OSI model, and in consumer markets are
frequently implemented as part of a router. Each packet is filtered and compared with an action list to
determine the appropriate action to take with the packet. Actions include allowing or blocking the
packet. Most consumer broadband routers provide this functionality.

Stateful multilayer inspection. These firewalls combine aspects of the other three firewall types
providing a high level of security. A stateful multilayer inspection firewall examines data at all seven
layers of the OSI model. Unlike other firewalls, stateful multilayer inspection firewalls not only inspect
the packet header, but also inspect the packet payload. Each packet is examined and compared with
example packets to determine the probability that the packet contains malicious data.

You can install firewalls on hosts, such as Windows Server, or implement firewalls as software in devices
such as routers. There are also firewall appliances. These are very specialized and preferred by larger
corporations.

What Is a Perimeter Network?

In order to make the network applications available to users connected to the Internet, you must publish
these applications. A common way to publish these applications, while maintaining security, is to use
servers in a perimeter network. There are several different ways that you can configure your perimeter
network. These include the following:

Three-legged firewall. A single device or computer providing firewall services between multiple network
adapters, one of which is Internet-facing, another of which is connected to the perimeter network, and the
remaining one connected to the intranet. Software that is installed on the host is used to create the
separation between the networks. The separation is achieved through filtering on the firewall device so
that only specified traffic is passed between the interfaces designated as public, private, and perimeter.
This solution works well for smaller networks. However, because the firewall device is connected directly
to all three networks, security potentially can be breached if this single point of failure is compromised.

Dual back-to-back firewall. In this scenario, two firewalls are connected in sequence across three
networks: the Internet, your perimeter network, and your corporate intranet. The network to which both
firewalls are connected is the perimeter network. The firewalls are configured to allow only appropriate
traffic to pass between their connected networks. This is a more complex and expensive solution because
it requires additional hardware and software to configure. However, it provides for a more secure
environment and is the configuration of choice for larger networks.
Through the combination of hardware and software, and with appropriate configuration, you should be
able to create a perimeter network that has the network isolation that you need, while allowing
communication between devices located in the three networks. In that perimeter network scenario,
communication from the internal LAN to the outside is usually only allowed across one of the firewalls
which talks to a proxy server, which then relays the data as needed. So internal communication does not
directly talk with the internet, but with a proxy server in the perimeter.
It is rare for an organization to operate without the need to connect its network infrastructure to the
Internet. At the very least, most organizations use email applications to conduct some elements of their
core business.

Conduct an audit of the network services that you have within your organization and determine which
services must be available to users from the Internet. Then consider how you want to make those services
available.

Many companies have a policy not to allow Internet traffic unfiltered to the internal network. That can
typically result in the placement of Microsoft Exchange Servers or other Application servers on the internal
network and proxies, reverse proxies, and mail relays on the perimeter network, in addition to antivirus
and mail screening solutions.
With the use of Exchange Server 2013 and the Outlook Anywhere feature (formerly known as RPC over
HTTP), users can access their Exchange Server accounts over the Internet without using virtual private
network (VPN) connections or having to put Exchange relays in the perimeter network. This lets clients
who use Microsoft Outlook 2013, 2010, or 2007 connect to their Exchange servers from outside the
corporate network or over the Internet by using RPC over HTTP.

Note: Applications can be configured to use specific TCP ports; indeed, many applications
are configurable to use only HTTP or HTTP Secure (HTTPS). This means that you can configure
the Internet-facing firewall to only allow TCP port 80 and port 443 inbound.
Typical Perimeter Applications
Although an incomplete list, the following table identifies some common applications that you might
have to make available in your perimeter network or that you might encounter in some networks.

Applications | Protocols | Comments
Email | Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), Simple Mail Transfer Protocol (SMTP), Microsoft Outlook Web Access (HTTPS), Outlook Anywhere (HTTPS), Microsoft ActiveSync (HTTPS) | Exchange Server supports extensive publishing by using Microsoft Forefront Threat Management Gateway (TMG). In addition, the Exchange Edge Transport server role enables SMTP relay functionality from the perimeter network.
Web server | HTTP, HTTPS | Put the web servers directly in the perimeter network or publish them with Forefront TMG.
Active Directory Domain Services (AD DS) | Lightweight Directory Access Protocol (LDAP) | We do not recommend putting domain controllers in the perimeter network. If your edge application requires access to Active Directory domains, consider deploying Active Directory Lightweight Directory Services (AD LDS) into the perimeter instead.
Web Conferencing | HTTPS, Session Initiation Protocol (SIP), Persistent Shared Object Model (PSOM), Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | Microsoft Office Communications Server supports the use of edge servers to extend conferencing to Internet participants. In addition, a Forefront TMG server or other reverse proxy is required to enable some conferencing features.
Instant Messaging | SIP | SIP is the industry standard protocol that is used for instant messaging.
DirectAccess | IP over HTTPS | Provides connectivity and access to internal corporate networks automatically without using VPNs.
Internet Time Services | Network Time Protocol (NTP) | Used to synchronize time over a network.

What Is Windows Firewall?


Windows Firewall is a host-based, stateful firewall
that is included with Windows Server 2012. It
implements network traffic filtering in both
directions, that is, for inbound and outbound traffic.
Windows Firewall helps provide protection from
malicious users and programs that rely on
unsolicited incoming traffic to attack computers.
Unlike a perimeter firewall, which provides
protection only from threats on the Internet, a
host-based firewall provides protection from
threats wherever they originate. For example,
Windows Firewall protects a host from a threat
within the local area network (LAN).
Windows Firewall offers several important features, such as the following:

MCT USE ONLY. STUDENT USE PROHIBITED

Fundamentals of a Windows Server Infrastructure

Management. You can configure Windows Firewall by using several different management
programs. The choice of which program to use depends on whether you are administering a single
computer or multiple computers. The following configuration options are available:

o Control Panel. On Windows 8 and Windows Server 2012 computers you can manage the firewall
  locally by using Windows Firewall under System and Security in Control Panel.

o Windows Firewall with Advanced Security management console. Available through the Tools
  menu in Server Manager.

o Group Policy. Where Active Directory is implemented, you can enforce Windows Firewall
  settings by configuring Group Policy by using the Group Policy Management Console (GPMC).
  The basic profile settings are under Computer Configuration\Administrative Templates\Network
  \Network Connections\Windows Firewall\Domain Profile or Standard Profile; the full rule set,
  including connection security rules, is under Computer Configuration\Policies\Windows
  Settings\Security Settings\Windows Firewall with Advanced Security.

  Note: When Group Policy is used to configure Windows Firewall, local administrators cannot
  change the settings that Group Policy delivers. Whether rules created locally still apply
  depends on the rule-merging settings of the profile.

o Windows PowerShell. Dedicated cmdlets are available in the NetSecurity module in Windows
  PowerShell. These cmdlets let administrators enable and configure Windows Firewall locally
  or remotely.

Network location-aware profiles. Windows Firewall can adapt to changing network conditions, for
example when a computer moves from a work location to a public wireless hot spot. This capability
provides a dynamic user experience as a computer moves from one location to another.

Fine-grained configuration through inbound and outbound rules. By default, Windows Firewall
blocks all inbound traffic unless it either matches a configured rule, or is in response to a request from
the local computer. By default, Windows Firewall allows all outbound traffic, unless it matches a
configured rule.

Server and domain isolation. Windows Firewall supports creating rules for enforcing server or
domain isolation. For example, isolating a database server so that it only accepts communications
from a specific web server, or making sure that computers that are part of a domain only accept
communications from other computers in the domain.

An example of this controlled flow of data is a web application: an Internet Information Services (IIS)
server accepts traffic on port 80 from all clients in the domain, and the IIS server in turn communicates
over port 1433 with a SQL server that stores the data for the site. The SQL server accepts no other
inbound requests. Both servers can authenticate against the domain controllers, and Remote Desktop to
either server is available only from the administrative subnet.
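The IIS/SQL design above, expressed as Windows Firewall rules with the NetSecurity module that ships with Windows Server 2012. This is an added example, not part of the course material; the addresses (10.10.1.20 for the IIS server, 10.10.99.0/24 for the administrative subnet) and the rule names are assumptions for illustration.

```powershell
# Added example, not from the course text: the IIS/SQL isolation design
# described above as Windows Firewall rules (NetSecurity module, Windows
# Server 2012). The addresses are assumptions:
#   10.10.1.20     the IIS server (web tier)
#   10.10.99.0/24  the administrative subnet allowed to use Remote Desktop
# Run in an elevated PowerShell session on each server, naming its role.
# Outbound traffic to the domain controllers needs no rule: the default
# outbound action is Allow, and the replies are tracked as stateful responses.

$WebServer   = '10.10.1.20'
$AdminSubnet = '10.10.99.0/24'

function Set-TierFirewallRules {
    param([Parameter(Mandatory)][ValidateSet('Web','Sql')][string]$Role)

    # Remote Desktop: reachable from the admin subnet only. The built-in
    # "Remote Desktop" group allows it from any address, so disable that group
    # and add a scoped rule on both tiers instead.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName 'RDP - admin subnet only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AdminSubnet -Action Allow -Profile Domain

    switch ($Role) {
        'Web' {
            # The web tier serves every client in the domain on port 80.
            New-NetFirewallRule -DisplayName 'HTTP - domain clients' `
                -Direction Inbound -Protocol TCP -LocalPort 80 `
                -Action Allow -Profile Domain
        }
        'Sql' {
            # The database tier answers on 1433 to the web tier and nothing else;
            # the Domain profile's default inbound action (Block) drops the rest.
            New-NetFirewallRule -DisplayName 'SQL Server - web tier only' `
                -Direction Inbound -Protocol TCP -LocalPort 1433 `
                -RemoteAddress $WebServer -Action Allow -Profile Domain
        }
    }
}

# Audit: every enabled inbound Allow rule with its ports and remote scope.
# Port and address filters are separate objects, so they are fetched per rule;
# a rule whose RemoteAddress is "Any" is the one to question.
function Get-InboundAllowSummary {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

# Usage on the SQL server:
Set-TierFirewallRules -Role Sql
Get-InboundAllowSummary | Sort-Object RemoteAddress | Format-Table -AutoSize
```

The audit at the end is the check to repeat after any role or feature is installed: setup adds its own predefined rules, and those are scoped to "Any" unless you narrow them.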

IPsec integration. IPsec secures network traffic by using authentication and encryption, and Windows
Firewall is integrated with the IPsec settings. As such, a firewall rule can allow or block traffic based on
whether an IPsec negotiation succeeded, or the firewall can be configured so that IPsec-protected network
traffic from an administrative subnet bypasses all block rules (authenticated bypass). We will discuss IPsec
further in the next lesson.

More information about Windows PowerShell cmdlets that support firewall configuration
can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309121

Network Location-Aware Profiles


When you configure Windows Firewall in Control Panel the first time that your computer connects
to a specific network, you must select a network location or profile. This automatically sets
appropriate firewall and security settings for that kind of network. When you are connecting to
networks in different locations, selecting a network location helps make sure that the computer is
always set to an appropriate security level.

A firewall profile is a way to group settings, including firewall rules and connection security
rules, for related networks at the same security level from the client's point of view. For example,
public networks are rarely related, but they have in common that you consider them unsecure and
need to provide the most protection when using them. Someone might consider a home network as
trusted, and also consider a relative's or friend's home network as trusted, thus requiring a certain
level of protection while still being able to share audio and pictures. Being able to classify
networks like this simplifies management and configuration tasks.
There are three network profiles available within Network and Sharing in Control Panel:

Domain networks. These are networks at a workplace that are attached to a domain. This option is
used automatically for any network that allows communication with a domain controller. By default,
network discovery and file and printer sharing are turned off. These settings can be controlled by
Group Policy.

Private networks. These are networks at home or work where you trust the people and devices on
the network. When Private networks is selected, network discovery is turned on but file and printer
sharing is turned off.

Guest or Public networks. These are networks in public places. This location keeps the computer
from being visible to other computers. When Public networks is the selected network location,
network discovery and file and printer sharing are turned off.

It is also possible to create a Homegroup, which allows the sharing of pictures, audio, video, documents
and printers between multiple computers and devices in your home. The network profile must be set to
Private to be able to view and join a Homegroup. Also, if a domain-joined computer joins a Homegroup it
will be able to view shared files but unable to share its own files. Homegroups are configured in Control
Panel in the Network and Internet category.
You can change the firewall settings for each kind of network location from the main Windows Firewall
page in System and Security in Control Panel. Click Turn Windows Firewall On Or Off, select the network
location, and then make your selection. Each network location shows the following information:

Windows Firewall state. This refers to whether Windows Firewall is turned on or off.

Incoming connections. This shows how incoming connections are handled, for example Block all
connections to apps that are not on the list.

Active networks. This lists which network connections are currently active.

Notification state. This shows whether Windows Firewall will notify the user when an event occurs,
for example when the firewall blocks a new program or app.


The Public networks location blocks certain programs and services from running to help protect the
computer from unauthorized access. If you are connected to a Public network and Windows Firewall is
turned on, some programs or services might ask you to allow them to communicate through the firewall
so that they work correctly.

Configuring Windows Firewall with Advanced Security


On the Windows Firewall page in Control Panel, you can configure basic firewall properties for
domain, private, and guest or public network profiles for the local computer. By clicking the
Advanced Settings link in Windows Firewall, you can access the Windows Firewall with Advanced
Security management console. This management console provides more fine-grained control of
Firewall Rules, Connection Security Rules, and Monitoring.

In the Windows Firewall with Advanced Security management console, in the Overview section in
the middle pane, click Windows Firewall Properties. Within this dialog box there are three tabs, one for
each of the network profiles or locations:

Domain Profile

Private Profile

Public Profile

These profiles provide more configuration options than Control Panel. The options that you
can configure for each of the three network profiles are as follows:

Firewall State. You can turn the firewall On or Off independently for each profile.

Inbound Connections. You can block (default) connections that do not match any active firewall
rule, block all connections regardless of inbound rules, or allow inbound connections
that do not match an active firewall rule.

Outbound Connections. You can allow (default) connections that do not match any
active firewall rule, or block outbound connections that do not match an active firewall rule.

Protected Network Connections. Select the connections that you want Windows Firewall to protect,
for example the Local Area Connection.

Settings. You can configure display notifications, unicast responses, and rule merging. Rule merging
controls whether firewall rules and connection security rules created locally are applied alongside
the rules distributed through Group Policy.

Logging. You can configure and enable logging of dropped packets and successful connections. Logging
is off by default, and the log is the first place to look when a connection that you expect to work is
being blocked.

The final tab in this Properties dialog box is the IPsec Settings tab. This tab lets you configure the default
values for IPsec configuration.
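The per-profile options listed above can be set from Windows PowerShell as well as from the Properties dialog box. The following is an added example, not part of the course text, using the NetSecurity module on Windows Server 2012; the log path is the Windows default, and the baseline values are a reasonable hardening choice rather than anything the course prescribes.

```powershell
# Added example, not from the course text: the per-profile settings described
# above (firewall state, default inbound/outbound action, unicast responses,
# rule merging, logging) set with Set-NetFirewallProfile on Windows Server
# 2012, then read back and checked. The log path is the Windows default.

# Baseline for every profile: firewall on, unsolicited inbound blocked,
# outbound allowed, no unicast replies to multicast/broadcast, notify when a
# program starts listening, and log every dropped packet.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowUnicastResponseToMulticast False `
    -NotifyOnListen True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767 `
    -LogBlocked True

# Rule merging: on an untrusted (Public) network, ignore rules created locally
# or by users, so that only what Group Policy delivers is applied.
Set-NetFirewallProfile -Profile Public `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False `
    -AllowUserApps False `
    -AllowUserPorts False

# Read the settings back and flag any profile that is off or permissive.
function Test-FirewallProfileBaseline {
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile        = $p.Name
            Enabled        = $p.Enabled
            DefaultInbound = $p.DefaultInboundAction
            LogBlocked     = $p.LogBlocked
            Compliant      = ($p.Enabled -eq 'True') -and
                             ($p.DefaultInboundAction -eq 'Block') -and
                             ($p.LogBlocked -eq 'True')
        }
    }
}

Test-FirewallProfileBaseline | Format-Table -AutoSize

# The log records each dropped packet (date, time, action, protocol, source
# and destination addresses and ports); tail it while reproducing a failure.
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20
```

The compliance check reads the same properties that the Properties dialog box shows, so it can be run remotely with -CimSession against every server to find the one where somebody turned the firewall off.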
Windows Firewall with Advanced Security Rules

Rules are a collection of criteria that define which traffic you will allow, block, or secure with the firewall.
You can configure three kinds of rules:

Inbound

Outbound

Connection Security
Inbound Rules


Inbound rules explicitly allow or block traffic that matches criteria in the rule. For example, you can
configure a rule to allow traffic secured by IPsec for Remote Desktop through the firewall, but block the
same traffic if it is not secured by IPsec.

When Windows is first installed, all unsolicited inbound traffic is blocked. To allow a certain kind of
unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For Windows
Server Roles and Features, you will not have to create the rule. For example, enabling IIS will automatically
adjust the Windows Firewall to allow the appropriate traffic.
You can configure the default action that Windows Firewall with Advanced Security takes whether
connections are allowed or blocked when no inbound rule applies.
Outbound Rules

Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from the computer that matches the criteria in the rule. For example, you can
configure a rule to explicitly block outbound traffic to a computer through the firewall, but allow the
same traffic for other computers. This rule could specify an IP address or an IP address range.
Inbound and Outbound Rule Types
There are four kinds of inbound and outbound rules:

Program rules. These rules control connections for a program regardless of the port numbers it
uses. Use this kind of firewall rule to allow a connection based on the program that is trying to
connect. These rules are useful when you are not sure of the port or other required settings, because
you only specify the path of the program executable (.exe) file.

Port rules. These rules control connections for a TCP or UDP port regardless of the application.
Use this kind of firewall rule to allow a connection based on the TCP or UDP port number over which
the computer is trying to connect. You specify the protocol and one or more local ports.

Predefined rules. These rules control connections for a Windows component, for example File
and Printer Sharing or Active Directory. Use this kind of firewall rule to allow a connection by selecting
one of the components from the drop-down list. Windows components typically add
their own entries to this list automatically during setup or configuration. You can enable and disable
the rules of a component as a group.

Custom rules. These rules combine the criteria of the other rule types, such as a program together
with a port, and can additionally be scoped to local and remote addresses.

Whatever the rule type, when an Allow rule and a Block rule both match the same connection, the
Block rule wins, regardless of the order in which the rules were created.
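Each of the four rule types, and an outbound block rule of the kind described under Outbound Rules, maps onto parameters of New-NetFirewallRule. This is an added example rather than course code; the program path, port numbers, and address ranges are assumptions for illustration.

```powershell
# Added example, not from the course text: the four inbound rule types and an
# outbound block rule, created with New-NetFirewallRule (NetSecurity module,
# Windows Server 2012). The program path, ports, and address ranges are
# assumptions for illustration.

$Agent = 'C:\Program Files\Contoso\BackupAgent.exe'

# Program rule: allow the agent to accept connections on whatever ports it uses.
New-NetFirewallRule -DisplayName 'Backup agent (program)' `
    -Direction Inbound -Program $Agent `
    -Action Allow -Profile Domain

# Port rule: allow TCP 8443 for any program, on the domain profile only.
New-NetFirewallRule -DisplayName 'Management console (port)' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -Action Allow -Profile Domain

# Predefined rule: enable a Windows component's own rule group as a unit.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Custom rule: program and port combined, restricted to one remote subnet.
New-NetFirewallRule -DisplayName 'Backup agent control channel (custom)' `
    -Direction Inbound -Program $Agent `
    -Protocol TCP -LocalPort 10000 -RemoteAddress '10.10.50.0/24' `
    -Action Allow -Profile Domain

# Outbound rule: block traffic to one address range while everything else
# stays allowed by the default outbound action. Because Block beats Allow,
# this also overrides the program rule above for that range.
New-NetFirewallRule -DisplayName 'Block outbound to quarantine range' `
    -Direction Outbound -RemoteAddress '192.0.2.0/24' `
    -Action Block -Profile Any

# Check: which rules reference a given program? Application filters are
# separate objects, so look them up and pipe them back to their rules.
function Get-RulesForProgram {
    param([Parameter(Mandatory)][string]$Path)
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -eq $Path } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled, Profile
}

Get-RulesForProgram -Path $Agent | Format-Table -AutoSize
```

The same lookup works for ports (Get-NetFirewallPortFilter) and addresses (Get-NetFirewallAddressFilter), which is how to answer "what opened port 8443?" on a server you did not build.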

Connection Security Rules

Firewall rules and connection security rules are complementary, and both contribute to a defense-in-depth
strategy to help protect your computer. Connection security rules secure traffic by using IPsec while
it crosses the network. Use connection security rules to specify that connections between two computers
must be authenticated or encrypted. Connection security rules specify how and when authentication
occurs. However, they do not allow connections. To allow a connection, create an inbound or outbound
rule. After a connection security rule is created, you can specify that inbound and outbound rules apply
only to specific users or computers.

Note: Connection security rules are discussed in the Connection Security Rules topic later
in the lesson.
Monitoring


Windows Firewall uses the monitoring interface to display information about current firewall rules,
connection security rules, and security associations. The Monitoring overview page displays which profiles
are active (domain, private, or public) and the settings for the active profiles.

Note: When you view the Windows Firewall with Advanced Security snap-in within the
Group Policy Management Editor console, the same rules and configurable options are available
except for the Monitoring node, which does not display.
Also be aware that the Windows Firewall with Advanced Security events are available in Event
Viewer.
You can enable and configure Windows Firewall with Windows PowerShell cmdlets from the
NetSecurity module. This includes the cmdlets described in the following table.

Windows PowerShell cmdlet: New-NetFirewallRule
Description: Creates a new inbound or outbound firewall rule and adds the rule to the destination
computer.

Windows PowerShell cmdlet: Enable-NetFirewallRule
Description: Enables a firewall rule that was previously disabled.

Windows PowerShell cmdlet: Show-NetFirewallRule
Description: Displays all of the existing firewall rules in the policy store, along with the
associated filter objects.

Windows PowerShell cmdlet: Get-Help *Net*
Description: Lists all cmdlets that have Net in their name, which includes all Windows Firewall
cmdlets. Get-Command -Module NetSecurity lists only the firewall and IPsec cmdlets.

Demonstration: How to Use Windows Firewall to Manage Inbound Network Traffic

In this demonstration, you will see how to create and test an inbound firewall rule.

Demonstration Steps
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username
   ADATUM\Administrator and password Pa$$w0rd.

2. Use ping to test the network connectivity from 10967A-LON-DC1 to 10967A-LON-CL1.

   Note: Alternatively, you could use the Windows PowerShell Test-Connection cmdlet.

3. Configure a new firewall rule.

4. Test the firewall rule.

5. Disable the new firewall rule and verify that ping is now available.
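The same five steps carried out from Windows PowerShell on 10967A-LON-DC1. This is an added script, not the course's demonstration: it assumes the client answers to the host name LON-CL1, that it is reachable over WinRM/WS-Man for remote CIM sessions, and that the rule is created on the client (so that the echo requests sent from the DC are what gets blocked).

```powershell
# Added example, not the course's demonstration script: create, test, and
# disable an inbound rule that blocks ICMPv4 echo requests on the client,
# driving it from 10967A-LON-DC1. Assumptions: the client host name is
# LON-CL1 and remote CIM (WS-Man) is enabled on it. NetSecurity module,
# Windows Server 2012.

$Target   = 'LON-CL1'
$RuleName = 'Block inbound ICMPv4 echo (demo)'
$session  = New-CimSession -ComputerName $Target

# Test-Connection emits one object per echo; -Quiet reduces it to $true/$false.
function Test-Ping { Test-Connection -ComputerName $Target -Count 2 -Quiet }

# Step 2: baseline connectivity before any rule exists.
"Before rule: ping $Target = $(Test-Ping)"

# Step 3: inbound block rule on the client for ICMPv4 type 8 (echo request),
# applied to every profile so the test does not depend on the client's
# current network location.
New-NetFirewallRule -CimSession $session -DisplayName $RuleName `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -Action Block -Profile Any | Out-Null

# Step 4: the ping now fails. The client still has the predefined allow rule
# "File and Printer Sharing (Echo Request - ICMPv4-In)"; the new Block rule
# wins over it whatever the order of creation.
"With rule:   ping $Target = $(Test-Ping)"

# Step 5: disable rather than delete the rule, then confirm ping works again.
Disable-NetFirewallRule -CimSession $session -DisplayName $RuleName
"Rule off:    ping $Target = $(Test-Ping)"

# Evidence: if logging of dropped packets is on for the client's active
# profile, the blocked echo requests appear in its firewall log.
Invoke-Command -ComputerName $Target -ScriptBlock {
    Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 5
}

Remove-CimSession $session
```

Disabling instead of removing in step 5 keeps the rule available for the next run and leaves a record of what was changed; Get-NetFirewallRule -DisplayName $RuleName shows it with Enabled set to False.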

Lesson 3

Internet Protocol Security


Internet Protocol security (IPsec) is a framework of open standards that provides for the protection of data
transmitted over a network between hosts. To improve the integrity of data transmitted in your
organization, it is important to be aware of when and how IPsec can be implemented. In this lesson we
will discuss when and where it can be used, and what the benefits and potential hazards of doing so
are.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Internet Protocol security (IPsec)

Describe how to implement IPsec

Create connection security rules

Manage IPsec

Create a Server to Server Connection rule

What Is IPsec?

Internet Protocol security (IPsec) is a method that is used to ensure the security of data sent between
two computers on an IP network. It is not exclusively a Windows technology; rather, it is a framework
of open standards for protecting communications over IP networks by using cryptography. Typically,
IPsec is used to achieve confidentiality, integrity, and authentication for data transported across
non-secure channels. Although its original purpose was to help secure traffic across public networks,
its implementations are frequently used to improve the security of private networks, because
organizations are not always sure whether weaknesses in their own private networks are susceptible
to exploitation.
IPsec has two operation modes: Host-to-Host Transport mode and Network Tunnel mode.

Host-to-Host Transport mode. This is the default mode for IPsec. In transport mode, IPsec protects only
the IP payload; the IP header is not encrypted. Transport mode should be selected for end-to-end
communications, such as between a client and a server. Transport mode is also used in most IPsec-based
VPNs, in which IPsec protects the Layer Two Tunneling Protocol (L2TP) tunnel that carries the traffic
through the public network.

Network Tunnel mode. In tunnel mode, IPsec encrypts the original IP header together with the payload
and adds a new outer IP header. Tunnel mode is most useful for communications between two networks
when that communication occurs over an untrustworthy network, such as the Internet, or when a VPN
gateway is incompatible with L2TP or Point-to-Point Tunneling Protocol (PPTP).

The major benefit of IPsec is that it protects every protocol carried over IP (OSI model layer 3, the
network layer, and higher) without changes to the applications. This includes the following:

Network-level peer authentication. Offers mutual authentication before and during
communications. Forces both parties to identify themselves during the communication process.

Data origin authentication. Each packet carries an integrity check value computed with keys that only
the authenticated peers hold, so the receiver can verify which peer sent it. In tunnel mode, a new outer
IP header carries the source and destination addresses of the tunnel endpoints, and the original header
is protected along with the payload.

Data integrity. Ensures the integrity of IP traffic by rejecting modified traffic. If a packet is changed,
the integrity check value will not match, and the packet is discarded.

Data confidentiality. Enables confidentiality through encryption of the IP payload (Encapsulating
Security Payload, ESP) combined with per-packet authentication.

Protection from replay attacks. IPsec uses sequence numbers to make sure that an attacker cannot reuse
or replay captured packets to establish a session or gain information illegally. The sequence numbers also
protect against attempts to intercept a message and then use the identical message to access resources at
a later date.

More information about IPsec can be found at the following webpage.


http://go.microsoft.com/fwlink/?LinkID=154531

Implementing IPsec
Some network environments are well suited to IPsec as a security solution, while others are not.
The following are situations where implementing IPsec can add value:

Packet filtering: Packet filtering is the allowing or blocking of specific types of IP traffic. You can
permit or block inbound or outbound traffic by using IPsec with the Network Address Translation (NAT)
component of the Remote Access service.

Securing host-to-host traffic on specific paths: You can use IPsec to provide protection for traffic
between servers or other static IP addresses or subnets. For example, IPsec can secure traffic between
domain controllers in different sites, or between web servers and database servers.

Securing traffic to servers: You can require IPsec protection for all client computers that access a
server. Additionally, you can set restrictions on which computers can connect to a server that is
running Windows Server 2012.

Layer 2 Tunneling Protocol (L2TP)/IPsec for VPN connections: You can use the combination of
L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require that you configure and
deploy IPsec policies.

Site-to-site (gateway-to-gateway) tunneling: You can use IPsec in tunnel mode for site-to-site
(gateway-to-gateway) tunnels when you need interoperability with third-party routers, gateways, or end
systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.


Enforcing logical networks (server/domain isolation): In a Microsoft Windows-based network,
you can isolate server and domain resources logically to limit access to authenticated and authorized
computers. For example, you can create a logical network inside the existing physical network where
computers share common requirements for secure communications. To establish connectivity, each
computer in this logically isolated network must provide authentication credentials to other
computers. This isolation prevents unauthorized computers and programs from gaining inappropriate
access to resources. Requests from computers that are not part of the isolated network are ignored.
Server and domain isolation can help protect specific high-value servers and data, and protect
managed computers from unmanaged or rogue computers and users.

You can protect a network with two types of isolation:

Server isolation: To isolate a server, you configure specific servers to require IPsec policy to accept
authenticated communications from other computers. For example, you might configure the
database server to accept connections from the web application server only.

Domain isolation: To isolate a domain, you use Active Directory domain membership to ensure that
computers that are domain members accept only authenticated and secured communications from
other domain-member computers. The isolated network consists only of that domain's member
computers, and domain isolation uses IPsec policy to protect traffic that is sent between domain
members, including all client and server computers.

Note: Because IPsec depends on IP addresses for establishing secure connections, you
cannot specify dynamic IP addresses in IPsec policy filters. It is often necessary for a server to
have a static IP address. In large network deployments, and in some mobile user cases, using
dynamic IP addresses at both ends of the connection increases the complexity of IPsec policy
design.
IPsec uses that need additional consideration

IPsec can reduce processing performance and increase network bandwidth consumption. Additionally,
IPsec policies can be complex to configure and manage. Finally, the use of IPsec can introduce application
compatibility issues. For these reasons, we do not recommend IPsec for the following uses:

Securing communication between domain members and their domain controllers. This reduces
network performance. Additionally, we do not recommend using IPsec for this scenario because the
required IPsec policy configuration and management is complex.

Securing all network traffic. This reduces network performance, and we do not recommend using
IPsec for this scenario for the following reasons:

o IPsec cannot negotiate security for multicast and broadcast traffic.

o Traffic from real-time communications, applications that require Internet Control Message
  Protocol (ICMP), and peer-to-peer applications might be incompatible with IPsec.

o Network management functions that must inspect the TCP, UDP, and protocol headers are less
  effective or cannot function at all because of IPsec encapsulation or IP payload encryption.

Additionally, the IPsec protocol and implementation have characteristics that require special consideration
when you perform the following tasks:

Protect traffic over wireless 802.11 networks: You can use IPsec transport mode to protect traffic
that is sent over 802.11 networks. However, we do not recommend using IPsec to provide security for
corporate 802.11 wireless local area networks (LANs). Instead, use 802.11 WPA2 or WPA encryption and
Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. Support for IPsec,
configuration management, and trusts are required on client computers and servers, and because many
computers on a network do not support IPsec or are not managed, it is not appropriate to use IPsec alone
to protect all 802.11 corporate wireless LAN traffic. Additionally, IPsec tunnel mode policies are not
optimized for mobile clients with dynamic IP addresses, nor does IPsec tunnel mode support dynamic
address assignment or user authentication, which is needed for remote-access virtual private network
(VPN) scenarios.

Use IPsec in tunnel mode for remote access VPN connections: We do not recommend that you
use IPsec in tunnel mode for remote access VPN scenarios for Windows-based VPN clients and
servers. Instead, use L2TP/IPsec or PPTP. Of the two, prefer L2TP/IPsec: PPTP relies on MS-CHAP v2
authentication, which has known weaknesses.

Connection Security Rules


In earlier Windows versions, managing IPsec policies and managing Windows Firewall were two
separate processes achieved by using different management tools. Beginning with Windows Server 2008,
and present in Windows Server 2012, you can manage both IPsec and Windows Firewall policies and rules
through a single interface and set of command-line utilities.

IPsec Integration with Windows Firewall
The advantage of combining IPsec and Windows Firewall is that you can avoid overlapping and possibly
conflicting rules and policies, and you can streamline the process of securing your computer against
unauthorized access.

You can configure IPsec with connection security rules in Windows Firewall with Advanced Security. With
these rules, you can associate IPsec rules with Windows Firewall network profiles.

Firewall rules allow traffic through the firewall, but do not secure that traffic. To help secure traffic with
IPsec, you create connection security rules. However, creating a connection security rule does not by itself
allow the traffic through Windows Firewall. You must create a firewall rule to do this if the traffic is not
allowed by the firewall's default behavior. Connection security rules are not applied to programs and
services. They are applied between the computers that make up the two endpoints.
What Are Connection Security Rules?

A connection security rule forces authentication between two peer computers before they can establish a
connection and transmit secure information. Windows Firewall with Advanced Security uses IPsec to
enforce these rules.
Use connection security rules to configure IPsec settings for specific connections between computers.
Windows Firewall with Advanced Security uses these rules to evaluate network traffic, and then blocks or
allows messages based on the criteria that you establish in the rules. In some circumstances, Windows
Firewall with Advanced Security blocks the communication. If you configure settings that require security
for a connection (in either direction) and the two computers cannot authenticate, then the connection is
blocked.
The configurable connection security rules are as follows:

Isolation. An isolation rule isolates computers by restricting connections based on credentials such as
domain membership or health status. You can use isolation rules to implement an isolation strategy
for servers or domains.


Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by specific IP address, an IP address
range, a subnet, or a predefined group such as a gateway.

Server to Server. A server-to-server rule protects connections between specific computers. This type
of rule usually protects connections between servers. When you create the rule, you specify the
network endpoints between which communications are protected. Then you designate requirements
and the authentication you want to use.

Tunnel. A tunnel rule lets you protect connections between gateway computers. You typically use it
when you connect across the Internet between two security gateways. You must specify the tunnel
endpoints by IP address, and then specify the authentication method that is used.

Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set
up the authentication rules that you need by using the other rules available in the New Connection
Security Rule wizard.

Connection Security Rules Settings

When you enable and configure a connection security rule, you must define the following properties:

Requirements. You can select whether the rule requests authentication for inbound and outbound
connections, requires authentication for inbound connections and requests it for outbound connections,
or requires authentication for both inbound and outbound connections.

Authentication methods. You can select between several authentication methods. The options in
the New Connection Security Rule wizard are as follows:

o Default. Uses the authentication method specified in the IPsec settings.

o Computer and User (Kerberos V5). Restricts communications to connections from domain-joined
  users and computers.

o Computer (Kerberos V5). Restricts communications to connections from domain-joined computers.

o Advanced. Specifies custom authentication methods as first and second authentication methods.

Profile. Associate the rule with the appropriate network profile. You can select one or more of the
following: domain, private, or public.

Exempt computers. For authentication exemption rules only, define the exempt computers by IP
address, IP address range, or IP subnet.

Endpoints. For server-to-server rules only, define the IP addresses affected by the rule.

Tunnel endpoints. For tunnel rules only, define the tunnel endpoints affected by the rule.

Note: Connection security rules and IPsec policies are not identical. An IPsec policy can filter
traffic down to the specific port level, whereas most connection security rule types apply between
computers, to all traffic between those endpoints; only a custom connection security rule lets you
restrict the rule to specific protocols and ports.

Managing IPsec
There are several ways to manage and configure Windows Firewall and IPsec settings and options.

Windows Firewall with Advanced Security
The Windows Firewall with Advanced Security snap-in enables you to configure firewall settings and
connection security (IPsec) settings in one interface. You can also view the currently applied policy,
rules, security associations, and other information in the Monitoring node.

IP Security Policy MMC snap-in

MCT USE ONLY. STUDENT USE PROHIBITED

10-18

This MMC snap-in enables you to configure IPsec


policies that apply to computers that are running
earlier Windows versions and to computers that are running the current version of Windows. This MMC
snap-in is useful for environments where computers that are running these Windows versions coexist. You
cannot use this snap-in to configure Windows Firewall with Advanced Security settings.
Windows PowerShell

You can enable and configure IPsec with Windows PowerShell commands from the NetSecurity module.
This includes the cmdlets described in the following table.

Windows PowerShell cmdlet   Description
Get-NetIPsecRule            Gets IPsec rules from the target computer.
Show-NetIPsecRule           Displays all of the existing IPsec rules and associated objects in a fully
                            expanded view.
New-NetIPsecRule            Creates an IPsec rule to define security requirements for network
                            connections that match specific criteria.
Get-Help *IPsec*            Lists all cmdlets that have IPsec in their name.

Note: The Netsh command-line tool is also available and can configure and manage IPsec.
However, it has largely been replaced by Windows PowerShell in Windows Server 2012.

Demonstration: Create Server to Server Connection Security Rule

In this demonstration, you will see how to create a Server to Server connection security rule.

Demonstration Steps
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username
   ADATUM\Administrator and password Pa$$w0rd.
2. Enable ICMPv4 traffic on 10967A-LON-DC1.
3. Create a Server to Server Connection Security Rule on 10967A-LON-DC1.
4. Create a Server to Server Connection Security Rule on 10967A-LON-SVR1.
5. Verify the Server to Server Connection Security Rule.


Lab: Implementing Network Security

Scenario

Ed Meadows is looking to make the Intranet web site available for project queries. He has asked you to
test the configuration and to create Firewall rules to make sure that access can be granted and blocked if
needed. He has supplied the requirements in an email message. You must read the requirements and then
implement them on a client computer.

Subject: Improving network security
From: Ed Meadows [Ed@adatum.com]
Sent: June 18
To: Charlotte@adatum.com

Charlotte,
We have an urgent need to get the Intranet web site online to staff. I'd like you to test making it
available, but I have some concerns about network security and I'd like to make sure we can block access
quickly and easily whenever we need. Can you test making the web site available and create Firewall
rules to allow and block access to it so we can control it if need be?
Also, we may host the web server content in remote offices and I have some general concerns about
accessing the web site over our network due to the sensitive nature of the data that will be transmitted
over the network. I'd like to check out using IPsec to make sure we have secure connections between
the web servers if we do need to have another server made available. Can you test these scenarios out
and check if we can make the web site and any server to server connections secure?
Thanks
Ed

Objectives
After completing this lab, you will be able to:

• Create a Firewall Rule to allow access to the World Wide Web service.

• Create a Server to Server Connection Security Rule.

Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1 and 10967A-LON-CL1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: ADATUM
5. Repeat these steps for 10967A-LON-SVR1 and 10967A-LON-CL1.

Exercise 1: Configuring Windows Firewall with Advanced Security

Scenario

You must implement a firewall rule that allows access to the World Wide Web Service, then ensure you
can block access to the same World Wide Web Service on the A. Datum network.
The main tasks for this exercise are as follows:
1. Turn off Website caching and verify connectivity to the World Wide Web service
2. Configure a new firewall rule to block access to the World Wide Web service
3. Test World Wide Web service access
4. Allow access to the World Wide Web service
5. Verify World Wide Web access has been restored

Task 1: Turn off Website caching and verify connectivity to the World Wide Web service
1. Ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and
   password Pa$$w0rd.
2. Turn off website caching in Internet Options.
3. Attempt to connect to the web site http://LON-DC1/Intranet
4. Are you able to connect?

Task 2: Configure a new firewall rule to block access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name
   ADATUM\Administrator and password Pa$$w0rd.
2. Open the Windows Firewall with Advanced Security management console.
3. Create a New Inbound Rule.
4. Try to find a predefined rule that determines access to the World Wide Web Service for http and
   block the connection for the rule.
5. Once created, verify the rule settings are as you intended.

Task 3: Test World Wide Web service access
1. Switch virtual machines and ensure you are signed on to 10967A-LON-CL1 with user name
   ADATUM\Administrator and password Pa$$w0rd.
2. Attempt to connect to the web site http://LON-DC1/Intranet
3. Are you able to connect?

Task 4: Allow access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name
   ADATUM\Administrator and password Pa$$w0rd.
2. In Windows Firewall with Advanced Security, locate the World Wide Web Services inbound rule that
   you configured earlier and change the Action to Allow the connection.

Task 5: Verify World Wide Web access has been restored
1. Switch virtual machines again and ensure you are signed on to 10967A-LON-CL1 with user name
   ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer and in the address bar type http://LON-DC1/Intranet
3. Are you able to connect?

Results: After this exercise, you should have created and tested an inbound firewall rule to control access
to the World Wide Web service.
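The same block-then-allow cycle expressed with the NetSecurity module cmdlets instead of the console, as an added example that is not part of the course material. The rule display name and the `Test-NetConnection` check from LON-CL1 are assumptions; the predefined IIS rule on your server may carry a different name.

```powershell
# Added example: Exercise 1 with the NetSecurity cmdlets. Run on LON-DC1 in an
# elevated Windows PowerShell session. The rule name is constructed for this
# example; the predefined IIS rule on your server may use a different DisplayName.
$RuleName = 'World Wide Web Services (HTTP Traffic-In)'

function Set-IntranetHttpAccess {
    # Tasks 2 and 4: create the inbound TCP/80 rule once, then toggle its Action.
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Block')][string]$Action)

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 80 -Profile Any -Action $Action | Out-Null
    }
    else {
        Set-NetFirewallRule -DisplayName $RuleName -Action $Action
    }
    # Task 2 step 5: read the rule back rather than trusting that the call succeeded.
    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action, Profile
}

function Get-InboundHttpRules {
    # Why one Block rule is enough: Windows Firewall evaluates Block rules before
    # Allow rules, so listing every enabled inbound rule that touches TCP/80 shows
    # which Allow rules (for example the IIS predefined rule) the Block overrides.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '80' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Action, Profile
}

# Task 2: block access, inspect the overlapping rules, then Task 4: restore it.
Set-IntranetHttpAccess -Action Block
Get-InboundHttpRules
Set-IntranetHttpAccess -Action Allow

# Tasks 3 and 5, run on LON-CL1 instead of a browser: a plain TCP connect to
# port 80 is not affected by the Internet Explorer cache, which is why the lab
# turns caching off before testing with the browser.
# Test-NetConnection -ComputerName LON-DC1 -Port 80 | Select-Object TcpTestSucceeded
```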

Exercise 2: Create a Server to Server Connection Security Rule

Scenario

As per the email you received from Ed Meadows at the start of the lab, reproduced here, you need to test
creating a server to server connection security rule so as to ensure the integrity of data transmitted
between two web servers.

Charlotte,
We have an urgent need to get the Intranet web site online to staff. I'd like you to test making it available,
but I have some concerns about network security and I'd like to make sure we can block access quickly
and easily whenever we need. Can you test making the web site available and create Firewall rules to
allow and block access to it so we can control it if need be?
Also, we may host the web server content in remote offices and I have some general concerns about
accessing the web site over our network due to the sensitive nature of the data that will be transmitted
over the network. I'd like to check out using IPsec to make sure we have secure connections between the
web servers if we do need to have another server made available. Can you test these scenarios out and
check if we can make the web site and any server to server connections secure?
Thanks
Ed

The main tasks for this exercise are as follows:
1. Enable ICMPv4 traffic
2. Create a Server to Server Connection Security rule
3. Create a Server to Server Connection Security rule on a member server
4. Verify the Server to Server Connection Security rule
5. Revert the lab machines

Task 1: Enable ICMPv4 traffic
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username
   ADATUM\Administrator and password Pa$$w0rd.
2. In Windows Firewall with Advanced Security, create a new Inbound Rule with the following settings:
   o Rule Type: Custom
   o Program: All programs
   o Protocols and Ports: ICMPv4
   o Scope: Any IP Address for local and remote
   o Action: Allow the connection if it is secure
   o Users: Default
   o Computers: Default
   o Profile: Default
   o Name: ICMPv4 allowed

Task 2: Create a Server to Server Connection Security rule
1. Still on 10967A-LON-DC1.
2. In the Windows Firewall with Advanced Security management console, create a Connection Security
   Rule with the following settings:
   o Rule Type: Server-to-server
   o Endpoints: Default
   o Requirements: Request authentication for inbound and outbound connections
   o Authentication Method: Advanced > Customize
   o First Authentication method: Preshared key (not recommended) and type the word secret. Click
     OK and click OK again.
   o Profile: Default
   o Name: A. Datum Server-to-Server

Task 3: Create a Server to Server Connection Security rule on a member server
1. Switch to 10967A-LON-SVR1 and ensure you are logged on as ADATUM\Administrator with
   password Pa$$w0rd.
2. In the Windows Firewall with Advanced Security management console, create a Connection Security
   Rule with the following settings:
   o Rule Type: Server-to-server
   o Endpoints: Default
   o Requirements: Request authentication for inbound and outbound connections
   o Authentication Method: Advanced > Customize
   o First Authentication method: Preshared key (not recommended) and type the word secret. Click
     OK and click OK again.
   o Profile: Default
   o Name: A. Datum Server-to-Server

Task 4: Verify the Server to Server Connection Security rule
1. Still on 10967A-LON-SVR1.
2. Open a Command Prompt with administrative privileges.
3. Ping the LON-DC1 virtual machine.
4. In Windows Firewall with Advanced Security, view the Main Mode and Quick Mode folder content
   in the Monitoring section.
5. Verify the data that is present matches what you configured earlier.
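The NetSecurity cmdlets from the table earlier in this module, applied to Exercise 2's rule: an added example, not part of the course material, that creates the ICMPv4 "allow if secure" rule and the server-to-server connection security rule with the lab's pre-shared key on each server, then reads back the negotiated security associations that the Monitoring node shows. The authentication set's display name is an assumption.

```powershell
# Added example: Exercise 2, Tasks 1 to 4, with the NetSecurity cmdlets.
# Run the first two parts on both LON-DC1 and LON-SVR1 in an elevated session.
# The PSK value 'secret' mirrors the lab; as the wizard's own label says, a
# pre-shared key is not recommended outside a lab, prefer Kerberos V5 or
# computer certificates in production.

# Task 1: inbound ICMPv4 is allowed only when IPsec authenticated the peer
# (the "Allow the connection if it is secure" action in the wizard).
New-NetFirewallRule -DisplayName 'ICMPv4 allowed' -Direction Inbound `
    -Protocol ICMPv4 -Program Any -LocalAddress Any -RemoteAddress Any `
    -Action Allow -Authentication Required -Profile Any

# Tasks 2 and 3: a phase 1 (main mode) authentication set that holds the
# pre-shared key, then the server-to-server rule. InboundSecurity and
# OutboundSecurity set to Request match the lab's Requirements choice:
# authentication is attempted, but unauthenticated peers are not refused.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'secret'
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'A. Datum PSK' -Proposal $pskProposal

New-NetIPsecRule -DisplayName 'A. Datum Server-to-Server' `
    -Mode Transport -Protocol Any -LocalAddress Any -RemoteAddress Any `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Any

# Task 4, on LON-SVR1: generate traffic, then inspect what was negotiated.
# A main mode SA proves the peers authenticated each other; a quick mode SA
# shows the protected traffic. No SA at all means the rule never matched.
Test-Connection -ComputerName LON-DC1 -Count 2
Get-NetIPsecMainModeSA  | Format-List *
Get-NetIPsecQuickModeSA | Format-List *

# Task 4 step 5 equivalent: show the rule exactly as stored, with its
# authentication and cryptographic sets expanded.
Show-NetIPsecRule -DisplayName 'A. Datum Server-to-Server'
```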

Task 5: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.

Results: After completing this exercise you will have created a server to server connection security rule
and validated the secure nature of the communication between the two servers.

Question: If you wanted to make sure that only domain computers could communicate with
other domain computers, how could you easily achieve this with Windows Firewall?

Module Review and Takeaways

Best Practices:

• Implement firewalls.
• Publish services to your perimeter network.
• Secure some network traffic and communication if it is highly sensitive.
• Encrypt network communication.
• Segment the network.
• Require mutual authentication.

Review Question
Question: Why is it important to publish services to the perimeter instead of connecting
servers directly to the Internet?

Tools

Tool: Ping.exe
   Use for: Testing network connectivity
   Where to find it: Command line

Tool: Windows Firewall with Advanced Security
   Use for: Managing inbound, outbound, and IPsec rules
   Where to find it: Server Manager

Tool: Group Policy Management Console
   Use for: Can configure Advanced Firewall settings and apply them across the domain when used with
   Active Directory
   Where to find it: Server Manager

Tool: Windows PowerShell
   Use for: Configuring Advanced Firewall settings, only present in Windows Server 2012
   Where to find it: NetSecurity module

Tool: Netsh
   Use for: Configuring Advanced Firewall settings, present in Windows Server 2012 and pre-Windows
   Server 2012 versions
   Where to find it: Command line tool


Module 11
Implementing Security Software
Contents:
Module Overview                                   11-1
Lesson 1: Client Software Protection Features     11-2
Lesson 2: Email Protection                        11-9
Lesson 3: Server Protection                       11-14
Lab: Implementing Security Software               11-21
Module Review and Takeaways                       11-25

Module Overview

Computers are now, more than ever, interconnected. The Internet can be accessed from almost anywhere
a user has a computer or device, and corporate networks can be accessed from a user's home through
remote access. Communication among networks is continuous. Critical and private information is
routinely sent out in email messages, and the number of email messages that users receive continues to
increase. Private corporate networks are now usually connected in some way to the public Internet, and
much of the available server software requires, or at least recommends, Internet access.
As connectivity increases, the risk of compromise to the computer or connected network also increases.
Malicious code, unauthorized use, and data theft are all risks that have to be considered and reduced by
an information technology (IT) administrator.

Objectives
After completing this module, you will be able to:

• Implement Windows Server technologies and features that improve client security.

• Describe security threats posed by email and how to reduce these threats.

• Explain how to improve server security by using Windows Server security analysis and hardening
tools.

Lesson 1

Client Software Protection Features

As client operating systems become more advanced and security threats increase, more features are being
built into the operating system as a first line of defense. However, building defenses into the operating
system is not meant to be the sole method that is used to help secure the client infrastructure. Client
protection features provide additional methods to protect the client infrastructure.
The Windows Server operating system has several built-in technologies to help you improve the security
of your desktop infrastructure that is in constant communication with the network.

This lesson will introduce software restriction policies (SRPs) and AppLocker, and explain how they can be
used to improve the security and integrity of the client infrastructure.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe SRPs and how the policies are used.

• Describe AppLocker and how it is used.

• Describe the main differences between SRP and AppLocker.

• Configure AppLocker.

What Are Software Restriction Policies?

One of the primary security concerns for client computers is what applications are available on each
computer. Users need applications in order to do their jobs. However, unnecessary or unwanted
applications can be installed, either unintentionally or for malicious or nonbusiness reasons.
Introduced in the Windows Server 2003 and Windows XP operating systems and present in Windows
Server 2012 and Windows 8, SRPs let an administrator identify and specify which applications are
permitted to run on which client computers. The following is a list of operating systems that are
supported:

• Windows Server 2012
• Windows Server 2008 R2
• Windows Server 2008
• Windows Server 2003
• Windows 8
• Windows 7
• Windows Vista
• Windows XP

SRP settings are configured and deployed to clients by using Group Policy. The settings are not
configured or administered through Server Manager. If domain computers are not administered by Group
Policy, they will not receive the SRPs. Because SRP integrates with Group Policy, its configuration can be
targeted very specifically: for example, at specific groups of users or computers, or with different levels of
functionality for each version of an operating system. SRP settings contain two key components, Rules
and Security Levels.
Rules

Rules determine how SRP responds to an application being run or installed. Rules can be based on one of
the following criteria.

• Hash. A cryptographic fingerprint of a file that is generated from the file contents by using a
cryptographic algorithm. With this method, software can be moved or renamed and still be identified.
Hash rules are very effective but best suited for environments where there is not a lot of change. For
example, if there are regular software updates, the amount of work required to maintain the rules
could be significant.

• Certificate. A software publisher certificate that is used to digitally sign a file. This has less
administrative overhead than a Hash rule: you only have to identify the certificate owner, regardless
of version. Therefore, it is easier to configure. However, if the software is not signed, there will be
administrative overhead to manage those scenarios.

• Path. The local or Universal Naming Convention (UNC) path of where the file is stored. It does not
prevent software from being renamed, and administrators must define all the directories for running
software versions.

• Network Zone. Applicable only to Windows Installer packages. It identifies software based on the
Internet Zone from which it is downloaded, such as Internet, Local Computer, Local Intranet,
Restricted Sites, and Trusted Sites.

Security Levels

Each applied SRP is assigned a security level that governs the way the operating system reacts when the
application that is defined in the rule is executed. The three available security levels are as follows:

• Disallowed. The software identified in the rule will not run, regardless of the permissions of the user.

• Basic User. Enables the software identified in the rule to run as a standard, non-administrative user.

• Unrestricted. Enables the software identified in the rule to run unrestricted by SRP.

Default Security Level

The way a system behaves is generally determined by the Default Security Level. This governs how the
operating system reacts to applications without any SRP rules. The following three points outline a
system's default behavior, based on the Default Security Level applied in the SRP.

• Disallowed. No applications will be able to run, regardless of the permissions of the user, unless an
SRP rule is created that lets a specific application or set of applications run.

• Basic User. All applications will run under the context of a basic user, regardless of the permissions of
the user who is logged in, unless an SRP rule is created to change this behavior for a specific
application or set of applications.

• Unrestricted. Software access rights are determined by the access rights of the user. All applications
will run as if SRP was not enabled, unless specifically defined by an SRP rule.

Based on these three components, there are two primary ways to use SRPs.

• If an administrator knows all of the software that should be able to run on clients, the Default Security
Level could be set to Disallowed. All applications that should be able to run can be identified in SRP
rules that would apply either the Basic User or Unrestricted security level to each application,
depending on the security requirements.

• If an administrator does not have a complete list of the software that should be able to run on clients,
the Default Security Level could be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be able to run could then be identified by using SRP
rules that would use a security level setting of Disallowed.

Software Restriction Policy settings can be set and configured in the Group Policy Management Editor
under Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.
Within the Software Restriction Policies settings in Group Policy, you can also configure the following:

• Enforcement: Allows you to set the behavior of file, user, and certificate rules.

• Designated File Types: Allows you to define what is considered to be executable code, such as .exe,
.dll, and .vbs. You can add or remove file types as needed.

• Trusted Publishers: Allows you to configure certificate checks during signature verification and how
Trusted Publishers are managed.

There are no dedicated Windows PowerShell cmdlets available for SRP configuration and management.

Note: By default, software restriction policies are not enabled in Windows Server 2008 R2
or Windows Server 2012.

More information about software restriction policies in Windows Server 2012 can be found at
the following webpage:
http://go.microsoft.com/fwlink/?LinkID=309122

What Is AppLocker?

AppLocker (introduced in the Windows 7 and Windows Server 2008 R2 operating systems and present in
Windows Server 2012 and Windows 8) provides several improvements over SRP. AppLocker gives
administrators many different methods for quickly and concisely determining which applications they
might want to restrict or allow access to.
AppLocker can help organizations prevent unlicensed or malicious software from executing, and can
selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by
making sure that workstations are standardized across the enterprise and that users are running only the
software and applications that are approved by the enterprise.
AppLocker can be used in many ways and for many reasons, such as the following:

• Your organization implements a policy to standardize the applications used within each business
group. Therefore, you have to determine the expected usage compared to the actual usage.

• The security policy for application usage has changed, and you have to evaluate where and when
those deployed applications are being accessed. In this scenario you would not restrict usage but
audit it by using AppLocker rules.

• Your organization's security policy dictates the use of only licensed software. Therefore, you have to
determine which applications are not licensed or prevent unauthorized users from running licensed
software.

• Some computers in your organization are shared by people who have different software usage needs.

With AppLocker, administrators can create a set of rules and then apply those rules to applications. There
are five possible types of rules available, which are as follows:

• Executable Rules: These are applicable to .exe and .com file formats.

• Windows Installer Rules: These are applicable to .msi, .msp and .mst file formats.

• Script Rules: These are applicable to .ps1, .bat, .cmd, .vbs, and .js file formats.

• Packaged app Rules: These are applicable to .appx file formats.

• DLL Rules: These are applicable to .dll and .ocx file formats.

These rules are based on file attributes determined from the digital signature, such as publisher, product
name, file name, and file version.

Note: The packaged app and packaged app installer rules are applicable to applications that
are obtained specifically from the Windows Store. As such, this rule type is only available on
Windows 8 and Windows Server 2012.
The DLL Rule collection is not visible in the Group Policy Management Editor by default. It must be
enabled in the AppLocker properties in the Local Security Policy management console.
Rule Behavior
Rules can be configured to use Allow or Deny actions.

• Allow. You can specify which files can run and for which users or groups. You can also configure
exceptions that are excluded from the rule.

• Deny. You can specify which files are not allowed to run and for which users or groups. Again, you
can also configure exceptions that are excluded from the rule.

Enforcement Modes

• Not Configured. This is the default setting and means the rule will be enforced unless a linked Group
Policy Object (GPO) with a higher precedence has a different value for the setting.

• Enforce. This means the rule will be enforced.

• Audit Only. This means that rules will not be enforced but will be audited, with events written to the
AppLocker event log. This can be used to pre-stage and verify your settings before enforcement.

A general process for applying AppLocker rules should be to implement the rules in audit-only mode,
verify the results, and then enforce them.

Note: By default, AppLocker is not enabled in Windows Server 2008 R2 or Windows Server
2012.

AppLocker can be configured and managed in a domain environment by using the Group Policy
Management Editor: expand Computer Configuration\Policies\Windows Settings\Security
Settings\Application Control Policies\AppLocker.


AppLocker can also be managed in a domain environment, locally or remotely, by using Windows
PowerShell. Here are some of the available Windows PowerShell cmdlets and brief descriptions of their
use.

AppLocker cmdlet                Functionality
Get-AppLockerFileInformation    Displays file information that you need to create AppLocker rules
Set-AppLockerPolicy             Sets AppLocker policy for specified GPOs
Test-AppLockerPolicy            Determines whether files will be able to run for a given user
Get-Command *applocker*         Returns AppLocker cmdlets

More information about Windows PowerShell AppLocker cmdlets can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309123
More information about AppLocker Policies Deployment can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309124

SRP vs. AppLocker

For backward compatibility, SRPs are included in the latest Windows Server operating systems. Starting
with Windows Server 2008 R2 and Windows 7, AppLocker is the recommended tool for providing
application management. AppLocker provides a more simplified and streamlined implementation and
interface than SRP. It enables more control and flexibility when creating and implementing rules, and also
has Windows PowerShell support.

AppLocker Benefits vs. SRP

When you implemented SRPs in older Windows versions, it was especially difficult to create policies that
were secure and remained functional after software updates were applied. This was because of the lack
of specificity of certificate rules and the fragility of hash rules, which became invalid when an application
binary was updated. To address this issue, AppLocker enables you to create a rule that combines a
certificate and a product name, file name, and file version. This simplifies your ability to specify that
anything signed by a particular vendor for a specific product name can run.
By using certificate rules in SRP, you can trust all software signed by a specific publisher. However,
AppLocker gives you much more flexibility. For example, when you create publisher rules, you can trust
the publisher, and then drill down to the product level, the executable level, and even the version.
In SRP, you can create a rule that effectively reads "Trust all content signed by Microsoft." With
AppLocker, you can further refine the rule to specify "Trust the Microsoft Office 2007 Suite if it is signed
by Microsoft and the version is greater than 12.0.0.0."
The new AppLocker features and improvements over SRP can be summarized as follows:

• The ability to define rules based on attributes derived from a file's digital signature. This includes the
publisher, product name, file name, and file version. SRP supports certificate rules, but they are less
specific and more difficult to define.

• A more intuitive enforcement model; only a file that is specified in an AppLocker rule can run.

• A user interface that is accessed through a new Microsoft Management Console (MMC) snap-in
extension to the Group Policy Management Console (GPMC) snap-in.

• An audit-only enforcement mode that lets administrators determine which files would be prevented
from running if the policy were in effect.

The following table outlines other key differences between AppLocker and SRPs.

Feature                                      | SRP                                                         | AppLocker
Rule scope                                   | Specific user or group (per GPO)                            | Specific users or groups (per rule)
Rule conditions provided                     | File hash, path, certificate, registry path, Internet zone  | File hash, path, publisher
Rule types provided                          | Allow and Deny                                              | Allow and Deny
Default rule action                          | Allow and deny                                              | Implicit Deny
Audit-only mode                              | No                                                          | Yes
Wizard to create multiple rules at one time  | No                                                          | Yes
Policy import or export                      | No                                                          | Yes
Rule collection                              | No                                                          | Yes
Windows PowerShell support                   | No                                                          | Yes
Custom error messages                        | No                                                          | Yes

Implementing AppLocker and SRPs

Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems were only able to use SRP
rules. In Windows Server 2008 R2 and Windows 7, you can apply SRP or AppLocker rules, but not both.
This lets you upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules
that are defined in Group Policy.
However, if Windows Server 2008 R2 or Windows 7 have both AppLocker and SRP rules applied in a
Group Policy, only the AppLocker rules are enforced and the SRP rules are ignored.

When you add a single AppLocker rule, all processing of SRP rules stops. Therefore, if you are replacing
SRP rules with AppLocker rules, you must implement all AppLocker rules that you need at one time. If you
implement the AppLocker rules incrementally, you will lose the functionality that is provided by SRP rules
that have not yet been replaced with corresponding AppLocker rules.
Another key capability introduced with AppLocker in Windows Server 2012 and Windows 8 is the ability
to manage policies for Windows Store apps, that is, packaged apps and packaged app installers.

Note: SRP is still the standard method to restrict software usage in versions of Windows
prior to Windows Server 2008 and Windows 7.

Demonstration: Create and Enforce an AppLocker Rule

In this demonstration, you will see how to configure AppLocker and restrict users from running WordPad
on their computers.

Demonstration Steps
1. Create a Group Policy object named Word Pad Restriction Policy.
2. Edit the Word Pad Restriction Policy GPO to create an AppLocker rule to Deny access to
   WordPad.
3. Enforce Executable Rules.
4. Set the Application Identity service to start automatically.
5. Link the Word Pad Restriction Policy GPO to the Adatum.com domain.
6. Test the AppLocker rule.
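The demonstration's WordPad restriction built with the AppLocker cmdlets listed earlier in this lesson, following the audit-only-then-enforce process the lesson recommends: an added example, not the course's own steps. The WordPad path, the rule names and the GPO LDAP path (a placeholder) are assumptions constructed for this example.

```powershell
# Added example: the WordPad Deny rule from the demonstration, built and checked
# with the AppLocker cmdlets. Run in an elevated session on a Windows 8 client.
# Assumptions: the WordPad path, rule names and GPO LDAP placeholder are constructed here.
$wordpad = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'

# Step 2 equivalent: read the signature attributes a publisher rule matches on.
$info = Get-AppLockerFileInformation -Path $wordpad
if ($null -eq $info.Publisher) { throw "$wordpad is not signed; use a hash rule instead." }
$pub = $info.Publisher   # PublisherName, ProductName, BinaryName, BinaryVersion
$esc = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }

# AppLocker is implicit-deny once a collection contains any rule, so a Deny
# rule on its own would block every other .exe. Pair it with the three default
# Allow rules the GPMC wizard creates, and start in AuditOnly as the lesson advises.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny WordPad" Description=""
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $pub.PublisherName)"
            ProductName="$(& $esc $pub.ProductName)" BinaryName="$(& $esc $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Program Files" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Windows folder" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Administrators" Description=""
        UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'WordPadRestriction.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Step 6 equivalent, before applying anything: ask AppLocker what this policy
# would decide for WordPad and for a control binary that should stay allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $wordpad, (Join-Path $env:WINDIR 'notepad.exe') |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Step 4: rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Steps 1, 3 and 5: applied to the local computer here. To write it into the
# GPO instead, pass that GPO's distinguished name (placeholder GUID shown):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://LON-DC1.adatum.com/CN={GPO-GUID},CN=Policies,CN=System,DC=adatum,DC=com'
Set-AppLockerPolicy -XmlPolicy $policyPath

# Audit-only verification: event 8003 records each run that would have been
# blocked. Once the log shows only the intended hits, change EnforcementMode
# to "Enabled" and re-apply; enforced blocks are then logged as event 8004.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```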


Question: How could the AppLocker rule that you created be changed to make sure that
WordPad could not be run from any location on the client computers?

Lesson 2

Email Protection

One of the major threats today is the introduction of malicious code into a corporate network. Malicious
code can be very damaging to the corporate network. Creators of malicious code are becoming
increasingly inventive in finding new ways to introduce this code into an environment.
One of the most common and effective methods of distributing malicious code into an environment is
through email. Because of its widespread use and the intrinsic trust of the delivery mechanism, email
messages carrying some form of malicious code continue to be a problem for IT administrators.

This lesson will introduce you to various methods for reducing the threat of unsafe email activity in several
different areas in a corporate network environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe common email threats.

Describe the possible server solutions to these threats.

Describe possible client-based solutions.

Common Email Security Threats


A large proportion of today's email messages are unwanted or unsolicited. Even as email filtering
systems become more intelligent in the way that they analyze and block these kinds of messages, the
senders of these illegitimate messages keep finding new ways to bypass the protection. The most common
email threats today are described here.

Spam

Spam is unsolicited email that arrives in your Inbox, typically sent as part of a bulk junk email
operation. Email addresses are harvested in various ways, usually by extracting them from Internet
forums and webpages. These addresses are then targeted with offers for goods and services that may or
may not be genuine. Spammers frequently dress up the message to make it look more legitimate than it
actually is, and spam email sometimes carries viruses or links to malicious sites.
Phishing

One form of spam is called phishing. Phishing is an attempt to collect sensitive information from a user.
The most common form of phishing is a message that tries to harvest credentials and bank details from a
user by diverting them to a falsified website that imitates a legitimate one. Over the years, phishing
attacks have increased. Phishing is an easy way to obtain reusable information, such as a password, without
having to repeatedly spam the user in the hope that they buy goods or services. Windows Server, Windows
client, and Windows Internet Explorer include a phishing filter that checks websites against a list of known
falsified sites that are trying to collect information from unsuspecting users.
Spoofing

Spoofing is another common threat, in which the sender disguises their identity to appear to be someone
else. Spoofing can target an email sender address, an IP connection, or a domain. It causes an email
message to seem to originate from a sender other than the actual sender of the message.
Viruses

A virus is malicious code that copies itself and then spreads in some way, shape, or form. Usually, it sends
itself out in a piece of spam or takes control of other computers and tries to infect them as well. The
term virus has become a catch-all term: it originally referred to self-replicating code written for no
purpose other than to spread, but it now includes malware, adware, spyware, and other unwanted
third-party programs that infect devices. Many viruses perform malicious activity on an infected
computer, such as data theft or disabling of required applications.

Within and across these definitions are variations and blended kinds of attacks that ultimately try to take
control of some aspect of the computer environment, and as such there is a range of new and changing
terminology to classify these attacks, such as bot networks, logic bombs, salami attacks, Trojan horses, and
many others.

There are many ways to gain access to your system and network, such as through messages that suggest
that you open an attached PDF or compressed file. Those attachments then take advantage of
vulnerabilities in installed applications, scripting, or the elevated rights of the user to change the system.

Also, in modern computer environments with widespread use of social networking and apps, attackers are
trying to exploit vulnerabilities in apps or social networking sites to gain information about individuals or
their systems. Generally, IT administrators have to be aware of the various channels through which attacks
can come, provide education to end users, and take appropriate precautions.

Server-Side Solutions

To protect from the various levels of threats that exist within the confines of the email infrastructure,
several methods and layers of protection are required to keep the threat of email-based attacks at an
acceptable level. In a server environment, several general methods exist that combine to decrease the
threat of unwanted email or email server activity.

Content Filtering

Content filtering is a method frequently used to identify spam email. Typically, either software that is
installed on a server or a dedicated device is responsible for intercepting email either to (most common)
or from the email server. The contents of the email are then checked against an existing database or
catalog of known spam-related terms or patterns. Email messages that seem to be spam are either
deleted or sent to a quarantine area. This prevents them from reaching their intended destination.
Sender and Recipient Filtering

Similar to content filtering, sender and recipient filtering selectively filters incoming or outgoing email
messages. However, with sender and recipient filtering, the filtering process depends on a fairly static
database of senders and recipients that can be filtered. There are two kinds of sender and recipient
filtering.

Blocklist filtering. Blocklist filtering identifies email addresses that are known to be associated with
unwanted activity. Email messages coming from blocklisted addresses are filtered and removed.

Allowlist filtering. Allowlist filtering works in the reverse of blocklist filtering. When allowlist filtering
is used, email addresses contained in the allowlist database are identified as valid addresses. Allowlist
filtering is most frequently used together with content filtering to prevent messages coming from
valid senders being incorrectly identified as spam.

IP Block/Allow Lists

Using IP addresses is another way to identify the source of email messages. Email servers can be
configured to check the connecting IP address against a database of addresses that are either known to be
valid or flagged as sources of spam-related activity. As with email address filtering, IP-based blocklists and
allowlists are frequently used together with more sophisticated content filtering to decrease the
occurrence of false positives.
DNS Reverse Lookup

Another way email is protected is by using reverse Domain Name System (DNS) lookup rules. When a
message destined for your organization arrives claiming to be from @adatum.com, one of the first things
most email servers do is a reverse DNS lookup on the IP address of the connecting server. The receiving
server checks for a DNS pointer (PTR) record for that address, and typically compares the resulting host
name with the name the sending server announced in its HELO/EHLO greeting. If there is no PTR record for
the connecting address, the message is discarded or given a higher spam score, depending on how the
receiving server is configured. Note that a PTR record only confirms that the sending host is properly
registered in DNS; it does not prove that the host is allowed to send mail for adatum.com.

Sender Policy Framework (SPF) records address that gap and can prevent sender email address forgery.
SPF records put the onus on the sending organization to publish, in a TXT record for its domain, the IP
addresses or host names of all email servers that are allowed to send email from the organization's
domain. Receiving email servers can check the SPF record for the domain in the sender address, and
only accept email from the authorized servers.
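The two checks described above, as an added example that is not part of the course material: a PowerShell function that evaluates a sending IP address against the ip4 and all mechanisms of an SPF record, and a helper that fetches the PTR record of the connecting host and the SPF record of the sender domain with Resolve-DnsName (available on Windows 8 and Windows Server 2012 and later). The SPF record and IP addresses in the sample run are constructed from documentation address ranges, and the function names are my own.

```powershell
# Added example (not part of the course): a minimal SPF evaluator for the
# ip4 and all mechanisms, plus a live PTR/SPF lookup for a sending host.
# The sample record and addresses at the end are constructed (RFC 5737
# documentation ranges); the function names are placeholders, not a Windows API.

function ConvertTo-UInt32Address {
    # Turn a dotted IPv4 address into a number so that network masks can be applied.
    param([Parameter(Mandatory)][string]$IPv4)
    [uint32]$value = 0
    foreach ($octet in ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()) {
        $value = ($value * 256) + $octet
    }
    return $value
}

function Test-SpfRecord {
    # Evaluates $SenderIp against an SPF record and returns the SPF result
    # (Pass, Fail, SoftFail, Neutral or None). Only ip4 and all are handled;
    # include, a, mx and exists need further DNS queries and are skipped here.
    param(
        [Parameter(Mandatory)][string]$SpfRecord,
        [Parameter(Mandatory)][string]$SenderIp
    )
    if ($SpfRecord -notmatch '^v=spf1(\s|$)') { return 'None' }
    $sender = ConvertTo-UInt32Address $SenderIp
    $qualifierResult = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }

    foreach ($term in (($SpfRecord -split '\s+') | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^([+\-~?])(.+)$') { $qualifier = $Matches[1]; $term = $Matches[2] }
        $result = $qualifierResult[$qualifier]

        if ($term -eq 'all') { return $result }          # catch-all, always matches
        if ($term -match '^ip4:(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?$') {
            $network = ConvertTo-UInt32Address $Matches[1]
            $prefix  = if ($Matches[2]) { [int]$Matches[2] } else { 32 }
            $mask    = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
            if (([int64]$sender -band [int64]$mask) -eq ([int64]$network -band [int64]$mask)) {
                return $result
            }
            continue
        }
        Write-Verbose "Mechanism '$term' needs DNS resolution; not evaluated here"
    }
    return 'Neutral'   # no mechanism matched and the record has no explicit 'all'
}

function Get-SenderDnsEvidence {
    # Live lookups for the connecting host: its PTR record and the SPF record
    # of the domain in the sender address, followed by the SPF verdict.
    param(
        [Parameter(Mandatory)][string]$SenderDomain,
        [Parameter(Mandatory)][string]$SenderIp
    )
    $ptr = (Resolve-DnsName -Name $SenderIp -Type PTR -ErrorAction SilentlyContinue).NameHost
    $spf = Resolve-DnsName -Name $SenderDomain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' } |
        Select-Object -First 1
    [pscustomobject]@{
        SenderIp  = $SenderIp
        PtrName   = $ptr
        SpfRecord = $spf
        SpfResult = if ($spf) { Test-SpfRecord -SpfRecord $spf -SenderIp $SenderIp } else { 'None' }
    }
}

# Constructed sample: what adatum.com would publish if its only outbound mail
# hosts were 203.0.113.0/28 and 198.51.100.25.
$sampleSpf = 'v=spf1 ip4:203.0.113.0/28 ip4:198.51.100.25 -all'
foreach ($ip in '203.0.113.9', '198.51.100.25', '192.0.2.77') {
    '{0,-15} {1}' -f $ip, (Test-SpfRecord -SpfRecord $sampleSpf -SenderIp $ip)
}
# Against live DNS (needs network access):
# Get-SenderDnsEvidence -SenderDomain 'adatum.com' -SenderIp '203.0.113.9'
```

With the sample record, 203.0.113.9 matches the first ip4 mechanism and 198.51.100.25 the second, so both take the default + qualifier (Pass); 192.0.2.77 matches neither and falls through to -all, which is Fail. A production evaluator also follows include, a and mx mechanisms, subject to the 10-lookup limit of RFC 7208, which is why real filters such as those in Exchange use a full implementation rather than a parser like this one.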
Forefront Online Protection for Exchange (FOPE)

Microsoft Forefront Online Protection for Exchange (FOPE) is a cloud-based service that protects the
incoming and outgoing email of Microsoft Exchange Server from spam, viruses, phishing scams, and
email policy violations. Although it is a cloud-based service, it can be integrated into on-premises
Exchange deployments or used as part of hybrid or mixed deployments of Exchange.
More information about Forefront Online Protection for Exchange can be found at the
following webpage.
http://go.microsoft.com/fwlink/?LinkID=309125
Microsoft Exchange Online Protection

Microsoft Exchange Online Protection provides cloud-based protection for your on-premise email,
Microsoft Exchange Server 2013, legacy Exchange servers, or any other on-premise Simple Mail Transfer
Protocol (SMTP)based email solutions that you might have. It can operate in a purely cloud environment,
such as with Exchange Online or Office 365, or integrate into a purely on-premise environment or a
hybrid email infrastructure. It helps protect your organization against spam and malware in addition to
helping with management.
More information about Exchange Online Protection can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309126

Client-Side Solutions

Although server-based solutions and tools deployed into an organization's perimeter network provide the
best defense against email-based threats trying to enter the network, no single solution will eliminate
email-based threats. Indeed, many cloud-based services are now becoming more widely available and
popular, because they allow the security and management overhead to be handled by a hosted third party,
such as with Exchange Online, and this can have many benefits for administrators. However, even with a
fully cloud-based service or a hybrid service that mixes on-premises and off-premises solutions, client-side
security is still important. Client-side email security management provides an additional level of
protection from unwanted email for users.
Microsoft Office Outlook Defenses

In addition to antivirus programs and boundary defenses, Microsoft Outlook provides additional layers
of security. Outlook has a built-in junk email filter that restricts potentially harmful attachments and
images from being displayed. This junk filter is based on the concept of trusted senders and on its own
logic. Outlook maintains two lists of sender addresses for filtering received email content. Users can
maintain these lists according to the messages they receive and how they want Outlook to handle them.

Safe senders. Safe senders are addresses that are identified as known and trusted senders of email.
Messages that are received from addresses in the safe senders list are treated in a trusted manner and
can display images and use other functions that might be considered potentially harmful if coming
from an untrusted address.

Blocked senders. In contrast to the safe senders list, the blocked senders list contains addresses that are
known to be unsafe. Messages from these addresses are filtered in order to prevent the potential for
harmful activity.

With Outlook, a user can also maintain a list of country/region top-level domains (TLDs) that are marked as
unsafe or unwanted. Examples of such TLDs are .jp, .de, and .uk. So to block email coming from addresses
that end in a particular country/region code, you would just add that TLD to the Blocked Top-Level Domain
list. Be aware that this only filters on the sender address as it appears in the message, which, as described
under Spoofing, is easily forged.

When an email message comes in, Outlook checks the validity of the message and checks the level of junk
email protection you have set. There are four levels of security:

No filtering. This setting enables all email to be received regardless of the sender and will not use
built-in junk email settings from Outlook.

Low. This performs a basic scan and analyzes email as it comes in. It allows most email to pass
through and end up in the Inbox. It also considers the safe senders, safe recipients, and blocked senders
lists and the international settings, which are configurable in Outlook. The safe senders and safe
recipients lists are lists of people that you trust, regardless of what kind of logic Outlook might apply to
the email. These lists make sure that the email message, provided it passes the front line of defense,
always ends up in your Inbox. The blocked senders list is just that: any email address or domain on the
blocked senders list is immediately treated as junk email. The international setting enables blocking of
top-level domains and specific character encoding sets.

High. High, like Low, filters email, only more aggressively. This lets less email through to your Inbox, at
the cost of more legitimate messages being treated as junk. High also considers all of the previously
mentioned lists.


Safe Lists Only. This is the most extensive filtering possible, but can treat some potential safe email
as junk. Safe Lists Only allows email from the safe senders and safe recipients lists mentioned
previously and treats all remaining email as junk email.

Antivirus Programs

Most antivirus programs integrate with email programs such as Outlook and scan email. They also scan
any attachments included in the email. This provides a second layer of defense in case the perimeter-based
servers have missed a potentially harmful email message.

This second layer of security also allows an end user or an IT department to implement more rigorous
checks on specific devices instead of at the global level. For example, the global policy might be to allow
Microsoft Word, Excel, and PowerPoint files through the perimeter. However, at the second layer, the
antivirus software on the computers of a particular group, such as the company's service staff, could be
configured to block them from receiving any attachments at all.

Lesson 3

Server Protection

An organizations servers represent the core of its network functionality. Servers typically host multiple
business-critical services in an organization. An infected file server can propagate a virus to remote
workstations, further crippling a network, whereas an infected email server could potentially drop external
communications between your organization and the clients. Therefore, security measures implemented on
the server infrastructure represent one of the most important aspects of maintaining overall network
integrity and functionality.
This lesson introduces several ways to make sure that your servers are protected from circumstances that
could leave them vulnerable to attack.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to maintain server security.

Describe the Security Configuration Wizard (SCW).

Describe the Best Practices Analyzer (BPA).

Describe the Security Compliance Manager (SCM).

Maintaining Server Security


Ensuring the security of your Windows Server servers is an ongoing process that requires routine attention
and maintenance to minimize their exposure to potential attacks. Several areas should be considered when
maintaining the security of your servers.

Maintaining Updates

Operating systems are constantly changing and evolving in response to newly identified security risks or
other changes in the computing world. Applications installed on servers experience the same state of
constant change for many of the same reasons. Because of this ever-changing state, operating systems and
the applications that run on them are constantly being updated. Although many update processes, such as
Windows Update and Windows Server Update Services (WSUS), are primarily automated, these automated
processes have to be routinely examined for correct operation.
User Account Security

The state of the server's (and, if applicable, the domain's) account security is critical to ensuring the
integrity of the server environment. Account passwords should be governed by a password complexity
policy and passwords should be regularly updated to prevent unauthorized account access. Unused
accounts should be disabled or removed from the system. Accounts that have elevated permissions, such
as administrative accounts, should be closely monitored and used only for their intended purpose. For
additional security, these accounts could be protected with a smart card or a biometric authentication
device.
Unused Services or Features

Disabling unused services and features within Windows Server reduces the potential vulnerability of the
server to attack and potentially increases performance.
Application Installation and Usage

Like unused services or features, unused applications can expose the server to security vulnerabilities and
potential performance implications. In addition, carefully monitoring installed applications makes sure
that malicious or unauthorized application installations are detected and removed.
Windows Firewall

Leaving Windows Firewall enabled and making sure that it is configured correctly leaves that layer of
protection intact and gives you a manageable and flexible way to protect against network-facing
vulnerabilities that may exist in other applications on the server.

Also, as discussed in Module 1, running Windows Server 2012 as a Server Core installation will help reduce
overall maintenance and management effort, due to the reduced attack surface and the reduced number
of updates that have to be applied to a Server Core installation.
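The maintenance areas above, turned into a read-only check that an administrator can run on a server, as an added example that is not part of the course material. It assumes an elevated PowerShell 3.0 or later session on Windows Server 2012 or later; the domain account checks run only when the ActiveDirectory module is installed (a domain controller or RSAT), the 90-day inactivity threshold is an arbitrary choice, and the function name is my own.

```powershell
# Added example (not part of the course): a read-only check of updates,
# accounts, services and firewall state on the local server. Assumes an
# elevated PowerShell 3.0+ session on Windows Server 2012 or later; the
# domain checks run only if the ActiveDirectory module is present, and the
# 90-day inactivity threshold is an arbitrary value chosen for illustration.

function Get-ServerSecurityHygiene {
    param([int]$InactiveDays = 90)
    $report = [ordered]@{}

    # Updates: date of the most recent installed hotfix. Get-HotFix reports what
    # Win32_QuickFixEngineering knows; the full history lives in WSUS/Windows Update.
    # Some entries carry no InstalledOn date, so drop those before sorting.
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn | Select-Object -Last 1
    $report.LastUpdateInstalled = if ($lastFix) { $lastFix.InstalledOn } else { 'unknown' }
    $report.DaysSinceLastUpdate = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { $null }

    # Accounts: enabled local accounts, and those whose password never expires.
    $localUsers = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE'
    $report.EnabledLocalAccounts = ($localUsers | Where-Object { -not $_.Disabled }).Name
    $report.LocalPasswordNeverExpires = ($localUsers |
        Where-Object { -not $_.Disabled -and -not $_.PasswordExpires }).Name

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        # Enabled domain users that have not logged on for $InactiveDays days are
        # candidates for disabling; Domain Admins membership should be reviewed
        # against the list of people who actually need it.
        $inactive = Search-ADAccount -AccountInactive -UsersOnly `
            -TimeSpan ([timespan]::FromDays($InactiveDays)) | Where-Object { $_.Enabled }
        $report.InactiveDomainUsers = $inactive.SamAccountName
        $report.DomainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
    }

    # Services: automatic services that are not running, and running services
    # whose binary lives outside the Windows and Program Files folders.
    $services = Get-CimInstance Win32_Service
    $report.AutoServicesNotRunning = ($services |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }).Name
    $report.ServicesOutsideSystemPaths = ($services | Where-Object {
        $_.State -eq 'Running' -and $_.PathName -and
        $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' }).Name

    # Firewall: each profile should be enabled and block inbound by default.
    $report.FirewallProfiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    [pscustomobject]$report
}

Get-ServerSecurityHygiene | Format-List
```

Each item in the report maps to one of the areas above: an old LastUpdateInstalled points at a broken update process, InactiveDomainUsers and LocalPasswordNeverExpires are the accounts to disable or fix, AutoServicesNotRunning are services that either failed or should be disabled, ServicesOutsideSystemPaths is where an unauthorized application would usually show up, and any firewall profile with Enabled False or a DefaultInboundAction other than Block deserves attention.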

What Is the Security Configuration Wizard?


The Security Configuration Wizard (SCW) can be used to improve the security of a server by configuring
the ports and services that are required for a particular server role in your organization. It lets
administrators create, edit, apply, or roll back security policies that can be targeted at a specific server
function or role, such as File Server. The security policy can enhance and control the security
configuration of the server as it goes into production. SCW can be accessed from the Server Manager
Tools menu or from the command line by using Scwcmd.exe.

The SCW is a role-based tool and typically runs on a server before that server is deployed in production.
In this manner, the attack surface of the server is reduced before it is deployed into the infrastructure
and exposed to potential threats.

When the SCW is run, it scans the server and identifies the current state of the server relative to potential
changes that might have to be made. SCW scans the following:

Roles that are installed on the server

Roles likely being performed by the server

Services installed on the server but not defined in the security configuration database

IP addresses and subnets configured for the server

The information discovered about the server is saved in an XML file. This server-specific file is called the
configuration database.

The initial settings in the configuration database are called the baseline settings. After the server is
scanned and the configuration database is created, you can change the database. This will then be used
to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The
security policy can then be applied to the server or to other servers playing the same roles. The SCW is a
series of wizard pages that presents these four security policy categories in separate sections:

Role-based service configuration

Network security

Registry settings

Audit policy

The final section of the wizard is Save Security Policy. This allows for the inclusion of security templates
and also when to apply the policy.
Role-Based Service Configuration

The outcome of this section is a set of policies that configure the startup state of services on the server.
Only the services that are required by the server's roles should start, and other services that are not
required should not start. To achieve this outcome, the SCW presents pages that display the server roles,
client features, administration, and other options detected on the scanned server. You can add or remove
roles, features, and options to reflect the desired role configuration.
Network Security

The Network Security section produces the firewall settings of the security policy. Those settings are
applied by Windows Firewall with Advanced Security. Like the Role-Based Service Configuration section,
the Network Security section displays a page of settings derived from the baseline settings in the
configuration database. The settings in the Network Security section are firewall rules instead of service
startup modes.
Registry Settings

The Registry Settings section configures protocols that are used to communicate with other computers.
These wizard pages determine Server Message Block (SMB) packet signing, Lightweight Directory Access
Protocol (LDAP) signing, LAN Manager authentication levels, and whether LAN Manager password hash
values are stored. It also allows for the definition of outbound authentication methods. Each of
these settings is described on the appropriate page, and there is a link to a Security Configuration Wizard
Help page.
Audit Policy

The Audit Policy section generates settings that manage the auditing of success and failure events and the
file system objects that are audited. Additionally, the section enables you to incorporate a security
template called SCWAudit.inf into the security policy.
Security Policies
When the SCW has completed the assessment of the server, it provides the opportunity to capture the
settings in a security policy.
A security policy is the result of the SCW run on a server. A security policy is an XML-based file that
contains the settings obtained from the details provided during the SCW process. The policy contains
potential changes to Windows settings from the following areas:

Services

Network security, including firewall rules

Registry values

Audit policy

The saved policy can then be modified or deployed to servers.


Deploying a Security Policy by Using Group Policy

You can apply a security policy created by the SCW to a server by using the Security Configuration Wizard
itself and selecting Apply An Existing Policy, by using the Scwcmd.exe command from the command line,
or alternatively by transforming the security policy into a Group Policy Object (GPO).

To transform a security policy into a GPO, use Scwcmd.exe from an elevated command prompt, as a user
with rights to create GPOs in the domain:

scwcmd transform /p:"Adatum DC Security.xml" /g:"Adatum DC Security GPO"

This command will create a GPO called Adatum DC Security GPO with settings imported from the
Adatum DC Security.xml security policy file. The resulting GPO is created without any links; you then link
it to an appropriate scope (site, domain, or organizational unit (OU)) by using the Group Policy
Management console. You can use scwcmd transform /? for help and guidance about this process.
There are no Windows PowerShell cmdlets that can work directly with the Security Configuration Wizard.
More information about the Security Configuration Wizard can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309127

What Is the Best Practices Analyzer?


The Best Practices Analyzer (BPA) is a tool that examines an operating system configuration and settings
against a set of predefined rules to generate a list of issues outlining any best practice violations it finds.

The BPA can analyze Windows Server 2012 server roles to determine whether a particular server role is
using best practices. The BPA works by measuring a role's compliance with best practice rules in different
categories of effectiveness, trustworthiness, and reliability. The rule categories include:

Security: Measures a role's risk for exposure against threats such as unauthorized users.

Performance: Measures a role's ability to process requests in an expected time, based on workloads.

Configuration: Identifies setting conflicts that can result in error messages.

Policy: Identifies Group Policy and Windows Registry settings that might require modification.

Operation: Identifies possible failures of a role to perform its prescribed tasks.

PreDeployment: Applied before an installed role is deployed, to allow administrators to evaluate whether
best practices were followed before the role is deployed.

PostDeployment: Applied after all required services for a role have been started and the role is running.

BPA Prerequisites: Explains configuration and policy settings and features that are required for the role
before BPA can apply specific rules from other categories.

After analyzing the role categories, results are reported in different severity levels such as the following:

Noncompliant/Error. The role does not satisfy the conditions of a rule.

Compliant. The role satisfies the conditions of the rule.

Warning. The role satisfies the conditions of the rule, but might not satisfy the rule for certain
configuration or policy settings. For example, when a directory backup has not been completed in a
recommended number of days.

The BPA is updated through Windows Update. To start a BPA scan:
1. Open Server Manager, and select the role of interest.
2. In the center details pane, locate the Best Practices Analyzer area.
3. From the TASKS menu, select Start BPA Scan.
4. In the Select Servers dialog box, select the server(s) of interest, and then click Start Scan.

BPA can also be run and managed by Windows PowerShell. Here are some of the available Windows
PowerShell cmdlets and brief descriptions of their functionality.

BPA cmdlet            Functionality
Get-BpaModel          Lists the BPA models (one per installed role) available on the computer
Get-BpaResult         Displays the results of the most recent BPA scan for a model
Invoke-BpaModel       Starts a BPA scan on a computer for a specific model
Set-BpaResult         Excludes or includes results of a BPA scan
Get-Command *Bpa*     Returns the available BPA cmdlets
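The cmdlets in the table, combined into a scan that runs every BPA model installed on the server, keeps the Error and Warning results and writes them to a CSV file. This is an added example, not part of the course material. It assumes an elevated PowerShell session on Windows Server 2012 or later; the report path is a placeholder, the function name is my own, and the exclusion at the end uses the AD DS model ID with an illustrative title filter.

```powershell
# Added example (not part of the course): scan all installed BPA models and
# report Error/Warning findings. Assumes an elevated PowerShell session on
# Windows Server 2012 or later; the report path and the title filter used in
# the exclusion example are placeholders.

Import-Module BestPractices

function Invoke-AllBpaScans {
    param([string]$ReportPath = (Join-Path $env:TEMP 'bpa-findings.csv'))

    $findings = foreach ($model in Get-BpaModel) {
        # Invoke-BpaModel runs the scan and stores the results for Get-BpaResult.
        # A scan can fail when a role is installed but not running; report it
        # and carry on with the next model instead of aborting the whole run.
        $scan = Invoke-BpaModel -ModelId $model.Id -ErrorAction SilentlyContinue
        if (-not $scan -or -not $scan.Success) {
            Write-Warning "BPA scan did not complete for model $($model.Id)"
            continue
        }
        Get-BpaResult -ModelId $model.Id |
            Where-Object { $_.Severity -in 'Error', 'Warning' -and -not $_.Excluded } |
            Select-Object @{ n = 'Model'; e = { $model.Id } },
                          Severity, Category, Title, Problem, Impact, Resolution
    }

    $findings | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
    $findings
}

$results = Invoke-AllBpaScans

# Summary per model and severity, so that the errors stand out from the warnings.
$results | Group-Object Model, Severity | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# An accepted, documented deviation can be excluded so that it no longer
# appears in later reports (re-include it with -Exclude $false). The AD DS
# model ID is real; the title filter is only an illustration.
# Get-BpaResult -ModelId 'Microsoft/Windows/DirectoryServices' |
#     Where-Object { $_.Severity -eq 'Warning' -and $_.Title -like '*backup*' } |
#     Set-BpaResult -ModelId 'Microsoft/Windows/DirectoryServices' -Exclude $true
```

The Resolution column of each finding is the text Server Manager shows in the BPA tile, so the CSV can be handed to the role owner as a work list. Exclusions are stored per model on the scanned server and survive later scans, which is convenient for accepted deviations but also means an excluded Error stays invisible until someone runs Get-BpaResult with the Excluded property included.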

More information about the Best Practices Analyzer can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309128
More information about Windows PowerShell BPA cmdlets can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309129

What Is the Security Compliance Manager?


The Microsoft Security Compliance Manager (SCM) is a free tool and the latest in a series of Solution
Accelerators. Solution Accelerators are free downloadable tools available for a range of management and
administrative tasks related to Windows Server 2012, such as the Microsoft Deployment Toolkit (MDT) and
the Microsoft Assessment and Planning Toolkit (MAP). With the SCM Solution Accelerator, you can view,
update, customize, and export security baselines to meet the unique requirements of your organization.

A security baseline is a collection of configuration items for a specific Microsoft product. SCM includes a
Baseline Library for various Microsoft products, such as Exchange Server, Internet Explorer, Windows Server,
and Windows Client. The baselines are for specific versions; that is, in SCM 3.0 there are separate baselines
for Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10, and for Windows Server 2008 R2 SP1
and Windows Server 2008 SP2. Baselines are also available for Windows Server 2012 and Windows 8.
Within each product baseline are sub categories for specific roles. For example, under the Windows Server
2012 baseline are specific settings for roles, such as Dynamic Host Configuration Protocol (DHCP), DNS
Server, and Domain Controllers (DC).

Each baseline provides prescribed values to resolve a specific usage case or scenario. For example, running
Internet Explorer 10 with a specific set of search providers and third-party add-ins. Additionally, each
configuration item provides information on Group Policy settings, registry settings, threats, and
countermeasures such as the following:

Vulnerability. What security weaknesses could be exposed by this server, application, or browser
setting? For example, allowing users to enable third-party add-ins could expose the network to a
security risk.

Potential Impact. What effect could changing this configuration item have on users? For example,
disabling third-party add-ins could affect a user's ability to do their job.

Countermeasure. What is the recommended configuration setting? For example, do not let users
enable or disable third-party add-ins that are not within the organizations security policy.

After security baselines are established, they can be exported and applied to other computers in your
organization. This provides an easy way to make sure that all the computers in your organization comply
with the same security standard, especially if they have the same role, such as multiple DNS servers or
DHCP servers.
To summarize the key features of SCM:

Provides baselines for most Microsoft products, and the ability to import baselines from a file. These
baselines are known as third-party baselines.

Combines Microsoft security guide recommendations and industry best practices into one place.

Provides a centralized location to access, configure, and manage all the organizations security
baselines.

Ability to start your baseline by importing your Group Policy settings.

Deploy configurations to non-domain-joined computers.

Analyze your configurations against prebuilt Windows client and server operating system baselines.

SCM v3.0 must be downloaded and installed separately. The installation prerequisites are included with
the installation.
More information about the SCM download can be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309130
More information about Microsoft Solution Accelerators can be found at the following
webpage.
http://go.microsoft.com/fwlink/?LinkID=309131
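The export-and-apply step described above, as an added example that is not part of the course material: a PowerShell function that takes a baseline exported from SCM in its GPO Backup (folder) format, imports it into AD DS as a new GPO with Import-GPO, and links it, still disabled, to the OU that holds the matching role. It assumes the GroupPolicy module (a domain controller or RSAT) and rights to create and link GPOs; the backup folder, GPO name and OU distinguished name are placeholders, and the function name is my own.

```powershell
# Added example (not part of the course): import an SCM "GPO Backup (folder)"
# export into the domain and link it to a role OU with the link disabled.
# Assumes the GroupPolicy module and rights to create and link GPOs; the
# folder, GPO name and OU below are placeholders.

Import-Module GroupPolicy

function Import-ScmBaselineGpo {
    param(
        [Parameter(Mandatory)][string]$BackupPath,   # folder SCM exported into
        [Parameter(Mandatory)][string]$GpoName,      # name of the GPO to create
        [Parameter(Mandatory)][string]$TargetOu      # distinguished name of the OU
    )
    # An SCM export is a standard GPO backup: a folder named with the backup
    # GUID. Find it and import it, creating the GPO if it does not exist yet.
    $backupDir = Get-ChildItem -Path $BackupPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } | Select-Object -First 1
    if (-not $backupDir) { throw "No GPO backup folder found under $BackupPath" }

    $gpo = Import-GPO -BackupId ([guid]$backupDir.Name) -Path $BackupPath `
        -TargetName $GpoName -CreateIfNeeded

    # Link with the link disabled: review the settings report and test on a
    # pilot OU first, then enable with Set-GPLink -LinkEnabled Yes. A role
    # baseline linked to the wrong OU changes services and registry settings
    # on every computer there, so the link target matters as much as the settings.
    New-GPLink -Name $gpo.DisplayName -Target $TargetOu -LinkEnabled No | Out-Null
    Get-GPOReport -Name $gpo.DisplayName -ReportType Html `
        -Path (Join-Path $env:TEMP "$($gpo.DisplayName).html")
    $gpo
}

Import-ScmBaselineGpo -BackupPath 'C:\Baselines\WS2012-DNS' `
    -GpoName 'SCM WS2012 DNS Server Baseline' `
    -TargetOu 'OU=DNS Servers,DC=adatum,DC=com'
```

The HTML report written by Get-GPOReport lists every setting the baseline will enforce, which is the document to review against the Vulnerability, Potential Impact and Countermeasure notes in SCM before the link is enabled. For computers that are not domain joined, SCM ships the LocalGPO tool instead, which applies the same backup folder to the local policy.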

Demonstration: How to Use the Best Practices Analyzer

In this demonstration, you will see how to use the Best Practices Analyzer to scan the Internet Information
Services (IIS) server role.

Demonstration Steps
1. Access the IIS server role in Server Manager.
2. Run the Best Practices Analyzer.
3. Review the compliance results.

Lab: Implementing Security Software

Scenario
A. Datum has recently experienced several security breaches and is taking steps to tighten server security.
You have been asked to prevent the installation of a particular Windows Installer .msi file, which has
caused some performance issues and raised some security concerns for the organization. You are also asked
to use the Security Configuration Wizard to configure security settings on a domain controller, and to use
the Best Practices Analyzer to scan the Active Directory Domain Services (AD DS) server role to ensure that
it is operating efficiently and in line with best practices.

Objectives
After completing this lab, you will be able to:

Use the Security Configuration Wizard.

Use the Best Practices Analyzer.

Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1 and 10967A-LON-CL1
User Name: ADATUM\Administrator and also ADATUM\Allie on 10967A-LON-CL1
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: ADATUM
5. Repeat steps 2 and 3 on 10967A-LON-CL1. Sign in as ADATUM\Allie with password Pa$$w0rd.

Exercise 1: Create and Enforce an AppLocker Rule


Scenario

A. Datum has recently experienced several security breaches and is taking steps to tighten server security.
You have been asked to prevent the installation of a particular Windows Installer .msi file, which has
caused some performance issues on some servers and raised some potential security concerns for the
organization. Before blocking the installation of the file, you first need to ensure that blocking it has no
unexpected consequences, so you will run the rule in Audit only mode for testing purposes. If the
AppLocker rule performs as expected, you then proceed to block the Windows Installer package for real.
The main tasks for this exercise are as follows:

Implementing Security Software

1.

Create a Group Policy Object to apply an AppLocker rule in the domain

2.

Create Windows Installer rule to block the installation of the .msi file

3.

Configure Windows Installer rule enforcement to be audit only

4.

Configure the Application Identity service to automatically start

5.

Apply the AppLocker rule to the domains Group Policy

6.

Run the Windows Installer and verify the audited result in Event Viewer

7.

Enforce the blocking of the Windows Installer

8.

Run the Windows Installer file and verify the application is blocked

Task 1: Create a Group Policy Object to apply an AppLocker rule in the domain

1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Create a Group Policy Object called SQLSysClrTypes Restriction Policy.

Task 2: Create a Windows Installer rule to block the installation of the .msi file

1. Edit the newly created Group Policy Object.
2. Create a Windows Installer AppLocker rule with the following settings:
   Permissions: Deny
   Conditions: Publisher
   Publisher: Browse to E:\Mod11\LabFiles\SQLSysClrTypes.msi and leave the publisher slider at its default position
   Exceptions: Default

Task 3: Configure Windows Installer rule enforcement to be audit only

Configure AppLocker rule enforcement for Windows Installer rules to Audit only.

Task 4: Configure the Application Identity service to start automatically

Using the Group Policy Management Editor, under Computer Configuration\Windows Settings\Security Settings, click System Services, and set the startup mode of the Application Identity service to Automatic. AppLocker rules are not evaluated on a computer where this service is not running.

Task 5: Apply the AppLocker rule to the domain's Group Policy

1. Link the Group Policy Object SQLSysClrTypes Restriction Policy to the Adatum.com domain.
2. Update Group Policy on the local machine.
3. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if necessary, and sign in as ADATUM\Allie with a password of Pa$$w0rd.
4. Update Group Policy.

Task 6: Run the Windows Installer file and verify the audited result in Event Viewer

1. Ensure you are logged on to 10967A-LON-CL1 as ADATUM\Allie with a password of Pa$$w0rd.
2. Run the file \\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi and verify that it installs successfully.
3. Switch to the 10967A-LON-DC1 virtual machine.
4. Open Event Viewer and view the MSI and Script log under Applications and Services Logs\Microsoft\Windows\AppLocker. AppLocker records its events on the computer that evaluated the file, so if the log on LON-DC1 is empty, use Action, Connect to Another Computer to open the log on LON-CL1.
5. Verify that the log details what happened and what would have happened if the rules had been enforced.
6. What is the Event ID for audited blocked installations of Windows Installer files?

Task 7: Enforce the blocking of the Windows Installer file

1. Still on 10967A-LON-DC1, edit the SQLSysClrTypes Restriction Policy and configure rule enforcement for Windows Installer rules to Enforce rules.
2. Update Group Policy.

Task 8: Run the Windows Installer file and verify that the installation is blocked

1. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if necessary, and sign in as ADATUM\Allie with a password of Pa$$w0rd.
2. Update Group Policy.
3. Uninstall \\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi.
4. Install \\LON-DC1\E$\Mod11\Labfiles\SQLSysClrTypes.msi.
5. Verify that you are now unable to install the Windows Installer .msi file.

Results: After this exercise, you will have created an AppLocker rule to block the installation of a particular Windows Installer package. You will have tested the rule in Audit only mode before enforcing it, and you will have applied that AppLocker rule by using Group Policy across the A. Datum domain.
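The same exercise can be scripted with the AppLocker and GroupPolicy modules. The following PowerShell is an added example and is not part of the 10967A lab: it generates the publisher deny rule from the MSI's own signature, puts the Windows Installer collection into Audit only mode, evaluates the rule offline before it reaches Group Policy, writes it into the lab's GPO, and reads back the audit events. The MSI path, GPO name, domain and user names are the lab's; the scratch XML path, the LDAP host name and the assumption that the GPO from Task 1 already exists are mine.

```powershell
# Added example (not from the courseware). Run on LON-DC1 as ADATUM\Administrator.
Import-Module AppLocker, GroupPolicy

$msi     = 'E:\Mod11\LabFiles\SQLSysClrTypes.msi'
$xmlPath = 'C:\LabFiles\SQLSysClrTypes-Deny.xml'          # assumed scratch location
$gpoName = 'SQLSysClrTypes Restriction Policy'            # GPO created in Task 1

# 1. Read the Authenticode publisher information from the MSI and generate a
#    publisher rule from it. New-AppLockerPolicy only emits Allow rules, so flip
#    the action of every generated rule to Deny (Task 2).
$info = Get-AppLockerFileInformation -Path $msi
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
               -User Everyone -RuleNamePrefix 'Deny' -Xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    foreach ($rule in $collection.FilePublisherRule) { $rule.Action = 'Deny' }
    # Task 3: audit first; enforce only after the audit log shows no surprises.
    if ($collection.Type -eq 'Msi') { $collection.EnforcementMode = 'AuditOnly' }
}
$policy.Save($xmlPath)

# 2. Evaluate the policy against the file before it goes anywhere near Group
#    Policy. Expect PolicyDecision = Denied with the Deny rule as MatchingRule.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $msi -User 'ADATUM\Allie' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Write the policy into the GPO. Without -Merge this replaces any AppLocker
#    policy the GPO already contains (Task 5 links the GPO separately).
$gpo = Get-GPO -Name $gpoName
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://LON-DC1.adatum.com/$($gpo.Path)"

# The Application Identity service must run or no rule is evaluated. Task 4 sets
# it through the GPO's System Services node, which has no cmdlet; on a single
# machine the equivalent is:
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force

# 4. On the computer where Allie ran the MSI (Task 6), list the AppLocker events:
#    8006 = Windows Installer or script audited (would have been blocked),
#    8007 = blocked, once enforcement is switched on in Task 7.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
        Id      = 8006, 8007
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'File'; e = { $_.Message.Split("`n")[0] } }
```

Two things the audit run should make you check before Task 7. First, a rule collection that contains only a Deny rule has no Allow rules, so once enforcement is on AppLocker blocks every .msi that is not explicitly allowed, not just SQLSysClrTypes.msi; in Audit only mode this shows up as 8006 events for unrelated installers, which is exactly why the lab audits first. Second, the GPO is linked at the domain root, so the domain controller enforces the same collection; scope the link to an OU of workstations, or add the AppLocker default rules to the Msi collection, before enforcing in a real environment.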

Exercise 2: Use the Security Configuration Wizard

Scenario

You are asked to use the Security Configuration Wizard to create a security policy for domain controllers in the adatum.com domain, based on the configuration of LON-DC1. You will then convert the security policy into a GPO, which could then be deployed to all domain controllers by using Group Policy.

The main tasks for this exercise are as follows:

1. Create a security policy.
2. Transform a security policy into a GPO.

Task 1: Create a security policy

1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. On 10967A-LON-DC1, run the Security Configuration Wizard from Server Manager.
3. Carry through the steps of the wizard, accepting the default settings.
4. Save the resultant security policy as C:\LabFiles\SCW\DC Security Policy.xml.
5. When you are prompted to apply the security policy, select Apply later.

Task 2: Transform a security policy into a GPO

1. On 10967A-LON-DC1, use c:\windows\security\msscw\policies\scwcmd to transform C:\LabFiles\SCW\DC Security Policy.xml into a GPO named DC Security Policy GPO.
2. In the Group Policy Management Console, examine the newly created DC Security Policy GPO.

Results: After this exercise, you will have used the Security Configuration Wizard (SCW) to create a security policy named DC Security Policy, and transformed the security policy into a Group Policy Object (GPO) named DC Security Policy GPO.
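Task 2 is a single scwcmd command, but the part that matters for security is what happens around it: reviewing the generated GPO before it is linked, linking it only where the policy was designed for, and later checking whether servers have drifted from it. The following PowerShell is an added example, not part of the lab; the policy file and GPO name are the lab's, while the report path, results directory, the Domain Controllers OU distinguished name and the SCW stylesheet path are assumptions about the lab environment.

```powershell
# Added example (not from the courseware). Run on LON-DC1 as ADATUM\Administrator.
Import-Module GroupPolicy

$policyFile = 'C:\LabFiles\SCW\DC Security Policy.xml'   # saved in Task 1
$gpoName    = 'DC Security Policy GPO'                     # name used in Task 2

# Task 2, scripted. scwcmd.exe is a native tool, so check its exit code yourself.
scwcmd transform /p:"$policyFile" /g:"$gpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

# Review what was generated before linking it anywhere (assumed report path).
$gpo = Get-GPO -Name $gpoName
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path 'C:\LabFiles\SCW\DC Security Policy GPO.html'

# Scope: the policy was built from a domain controller's role set, so it disables
# services and closes ports that a member server may need. Link it to the Domain
# Controllers OU, never to the domain root.
New-GPLink -Name $gpoName -Target 'OU=Domain Controllers,DC=adatum,DC=com'

# Later, measure drift: compare the live server with the saved policy and render
# the result. scwcmd analyze writes <ComputerName>.xml into the results directory.
$resultDir = 'C:\LabFiles\SCW\Analysis'
New-Item -ItemType Directory -Path $resultDir -Force | Out-Null
scwcmd analyze /m:LON-DC1 /p:"$policyFile" /o:"$resultDir"
scwcmd view /x:"$resultDir\LON-DC1.xml" /s:"$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"
```

The transform step only creates the GPO; it does not apply anything to LON-DC1, which is why Task 1 could safely choose Apply later. The analyze step is the check you want to repeat after the GPO is linked, because a GPO only sets what it contains and a later manual change on a server (a service re-enabled, a firewall rule added) is not reported anywhere else.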

Exercise 3: Use the Best Practices Analyzer

Scenario

You are asked to run the Best Practices Analyzer on the AD DS server role.

The main tasks for this exercise are as follows:

1. Run the BPA on the AD DS server role.
2. Analyze the BPA compliance results.
3. Revert the lab machines.

Task 1: Run the BPA on the AD DS server role

1. Switch to 10967A-LON-DC1.
2. Use Server Manager to run the BPA on the AD DS server role.

Task 2: Analyze the BPA compliance results

1. Review the BPA results.
2. How many results were returned?
3. Select an item and view the additional information that is available.
4. What three additional pieces of information are provided?
5. Click the Severity column heading to sort the findings.
6. What severity categories are shown for this BPA scan?
7. Run the saved Compliant results query.
8. How many compliant (informational) results were found?

Task 3: Revert the lab machines

When you have completed the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 1 to 3 for 10967A-LON-CL1.

Results: After this exercise, you will be able to run the Best Practices Analyzer (BPA) on a server role and determine areas for improved efficiency or performance.

Question: What is the benefit of exporting an SCW security policy to a GPO?
Question: When would you use the Security Policy XML format?
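Exercise 3 can also be done from the BestPractices PowerShell module, which makes it easy to keep the scan results rather than reading them once in Server Manager. The following is an added example, not part of the lab: it runs the AD DS model, counts the results by severity, prints the three detail fields the Server Manager pane shows (Problem, Impact, Resolution) for every non-compliant finding, and reproduces the Compliant results query. The model ID is the one the AD DS role registers on Windows Server 2012; confirm it with Get-BpaModel on the server before relying on it.

```powershell
# Added example (not from the courseware). Run on LON-DC1 as ADATUM\Administrator.
Import-Module BestPractices

# Model IDs follow the Microsoft/Windows/<Role> pattern; Get-BpaModel lists them.
$model = 'Microsoft/Windows/DirectoryServices'   # AD DS model; assumed, verify locally

function Invoke-AdDsBpaScan {
    param([string]$ModelId = $model)
    Invoke-BpaModel -ModelId $ModelId | Out-Null   # Task 1: run the scan
    Get-BpaResult -ModelId $ModelId                # Task 2: read the stored results
}

$results = Invoke-AdDsBpaScan

# How many results came back, and how do they split by severity?
"Total results: $($results.Count)"
$results | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize

# The three extra fields shown when a result is selected: Problem, Impact, Resolution.
$results | Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title, Problem, Impact, Resolution |
    Format-List

# Equivalent of the saved "Compliant results" query.
$compliant = @($results | Where-Object { $_.Severity -eq 'Information' })
"Compliant (informational) results: $($compliant.Count)"

# Keep a copy so the next scan can be diffed against this one rather than re-read.
$results | Export-Clixml -Path "C:\LabFiles\BPA-ADDS-$(Get-Date -Format yyyyMMdd).xml"
```

A finding that has been reviewed and accepted should be excluded with Set-BpaResult rather than simply ignored on each run; an excluded result still appears when the scan is listed with Excluded results included, which keeps the record of the decision.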

Module Review and Takeaways

Review Questions

Question: What are the key differences between AppLocker and legacy Software Restriction Policies?
Question: Why are server-side email security solutions typically more effective and easier to implement than client-side solutions?

Tools

Tool: Software Restriction Policies
Use for: Managing software execution in legacy environments, or in environments where Windows Server 2008 R2 or Windows 7 coexist with legacy Windows operating systems.
Where to find it: Group Policy Management

Tool: AppLocker
Use for: Managing software execution in Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7 environments.
Where to find it: Group Policy Management

Tool: Microsoft Forefront Protection for Exchange Server
Use for: Providing anti-malware protection for an Exchange Server environment.
Where to find it: Separate downloadable product

Tool: Security Configuration Wizard
Use for: Generating and applying security policy templates to reduce the attack surface of Windows Server.
Where to find it: Server Manager

Tool: Microsoft Baseline Security Analyzer
Use for: Analyzing the security state of an environment according to Microsoft security recommendations.
Where to find it: Separate downloadable product

Tool: Best Practices Analyzer
Use for: Reviewing server roles for compliance with best practices.
Where to find it: Server Manager, in the server role summary details

Tool: Security Compliance Manager
Use for: Viewing, updating, customizing, and exporting security baselines.
Where to find it: Solution Accelerator (separate download)

Tool: Windows PowerShell
Use for: Configuring AppLocker and running the Best Practices Analyzer (the AppLocker and BestPractices modules).
Where to find it: Windows PowerShell console

Tool: Scwcmd.exe
Use for: Transforming a Security Configuration Wizard security policy .xml file into a Group Policy Object that can be deployed with Group Policy; also analyzing servers against a saved policy and viewing the results.
Where to find it: Command Prompt

Module 12
Monitoring Server Performance

Contents:
Module Overview  12-1
Lesson 1: Event Logging  12-2
Lesson 2: Performance Monitoring  12-8
Lab: Monitoring Server Performance  12-15
Module Review and Takeaways  12-22

Module Overview

Monitoring the performance of servers is important for all organizations. Businesses require cost-effective
solutions that provide value for the money spent on computer infrastructure. Proactive monitoring is also
important for successful troubleshooting and can be a security component. When you know how your
servers usually perform, it is more likely that you will find services having issues or even someone
attacking your systems. You should monitor servers to make sure that they run efficiently and use all the
available server capacity. Monitoring your servers will require you to review server logs and actively
monitor server performance.

Objectives
After completing this module, you will be able to:

Use the Event Viewer to identify and interpret Windows Logs, and Application and Services Logs.

Measure system resource usage, identify component bottlenecks, and use monitoring tools such as
Performance Monitor.

Lesson 1

Event Logging


As events occur in your Windows Server environment, information about what occurred will be logged.
This information can be used to determine what is working well and what requires or might require
administrator attention or intervention. One of the biggest problems facing IT administrators in relation to
logging is what to log and what not to log. If an administrator logs and tracks too many events, there is a
risk that important information might be missed; if too few events are logged, it is possible that important
information might not be logged. Also, with increases in logging comes an increase in overhead on the
server, whether it is for log size and storage space or CPU overhead in processing the additional data or
potentially network bandwidth in monitoring and transmitting data from remote servers. Getting that
balance right and using the correct functionality built in to Windows Server 2012 can help manage and
provide solutions for those issues.
By default, Windows Server 2012 includes two sets of logs: Windows Logs, and Application and Services
Logs. This lesson will focus on how to use the Event Viewer to identify, review, and interpret the various
log types and also the information that they contain.

Lesson Objectives
After completing this lesson, you will be able to:

Review and interpret Windows Logs.

Review and interpret Application and Services Logs.

Describe Event Types.

Filter logs, create custom views, and create subscriptions.

Windows Logs

Windows Logs can be viewed by using the Event Viewer under the Windows Logs node. The Event Viewer can be accessed in Server Manager from the Tools menu. All logs are stored in the %SystemRoot%\System32\Winevt\Logs\ folder. Windows Logs includes the logs listed in the following table.

Windows Log: Application log
Description and Use: Contains events that relate to the operation of applications such as Windows Internet Explorer and Notepad. Also, as was mentioned earlier, there is an Application and Services Logs section. Generally, for application-specific information, the Application and Services Logs should be checked first.

Windows Log: Security log
Description and Use: Reports the results of auditing. For object-access events to be logged, the relevant audit policy must be enabled and auditing must be configured on the object that you want to audit; that is, on a specific folder or file, for example.

Windows Log: Setup log
Description and Use: Contains events related to the setup of applications on a server.

Windows Log: System log
Description and Use: Logs general events from Windows components and services, such as device driver data or service start failures.

Windows Log: Forwarded Events
Description and Use: Collects events from remote computers. This is useful when centralized viewing of logs across multiple computers is required.

Windows Logs can also be viewed and manipulated by using Windows PowerShell cmdlets. Some of these commands are listed in the following table.

Windows PowerShell Cmdlet: Get-EventLog
Description and Use: Displays events and event logs on local and remote computers.

Windows PowerShell Cmdlet: Show-EventLog
Description and Use: Opens Event Viewer on the local computer and displays the event logs from local or remote computers.

Windows PowerShell Cmdlet: Write-EventLog
Description and Use: Writes an event to an event log.

Windows PowerShell Cmdlet: Get-Help *log*
Description and Use: Displays all the event log cmdlets (together with any other help topic whose name contains "log").

Windows PowerShell Cmdlet: Get-Help <Get-EventLog> -ShowWindow
Description and Use: Displays the detailed help for the Get-EventLog cmdlet in a separate window. The item in the angle brackets (<>) can be substituted with any other cmdlet name.

Note: The Get-EventLog cmdlet works only with the classic Windows Logs (Application, Security, Setup, System, and Forwarded Events). It does not work with Application and Services Logs; use Get-WinEvent for those.

Application and Services Logs

Applications and Services Logs is another kind of log available in the Event Viewer. These logs were introduced in Windows Server 2008. They store events from a single application, such as Internet Explorer, or a single component, such as Audio. When you install a role on Windows Server 2012, typically a corresponding log of the same name is created under this node in Event Viewer, such as DNS Server, Directory Service, or DFS Replication. The number of logs under this node increases as roles are added.

Application and Services Logs have four event types, which are present across all logs under this node:

Administrative. These events are primarily targeted at end users, administrators, and support personnel. Each event describes the problem and contains a suggested solution on how to fix it. For example, if your computer cannot receive an address from the network, there are very specific troubleshooting steps that you can take.

Operational. These events are used for analyzing and diagnosing a problem or occurrence. These events may trigger tools or tasks for that event. For example, operational events are logged when a server starts or stops. They do not provide suggested solutions on how to fix a problem.

Analytic. These events are descriptive, and indicate problems that are generally not easily resolved. By default, analytic events are hidden and disabled. When analytic events are enabled, they can produce large amounts of data and increase system processing and memory demands.

Debug. Debug events are used by developers to troubleshoot their applications. By default, debug events are hidden and disabled. When debug logs are enabled, they can also produce large amounts of data and increase system processing and memory demands.

Note: As a best practice, it is recommended to leave the Analytic and Debug logs disabled. If these logs are required for diagnostic troubleshooting, make sure that you limit the maximum size of the log and disable the logging when it is no longer required. Additionally, many providers can be adjusted from being completely disabled to a very detailed logging level. These log levels should be increased carefully, however.

Application and Services Logs are also stored in %SystemRoot%\System32\Winevt\Logs. The Windows PowerShell cmdlets Get-EventLog and Write-EventLog, which were described in the previous topic, do not work with the Application and Services Logs. These cmdlets work only with the Windows Logs.

To manage the Application and Services Logs, you must use different Windows PowerShell cmdlets. The following table provides some details.

Windows PowerShell Cmdlet: Get-WinEvent
Description and Use: Displays events from Windows Logs and Application and Services Logs from both local and remote computers.

Windows PowerShell Cmdlet: Get-WinEvent -ListLog *
Description and Use: Lists all the logs available.

Windows PowerShell Cmdlet: Get-Help Get-WinEvent
Description and Use: Displays help for the Get-WinEvent cmdlet.

Note: This course does not provide a detailed description of the differences between the two cmdlets, Get-EventLog and Get-WinEvent. When you deal with remote computers, Get-WinEvent provides faster processing, because its filters (-FilterHashtable, -FilterXPath and -FilterXml) are evaluated by the event log service before the events are sent back rather than after all of them have been retrieved. Get-WinEvent also allows for more manipulation of the data returned. However, for simple queries against the classic logs on a local server, Get-EventLog is easy to use and often quicker.

What Are the Event Types and Data Formats?

Both Windows Logs and Applications and Services Logs events can be classified into three primary levels:

Information. Informational messages about the progress and the state of the system. These events are usually very basic. For example, an informational event is logged when Windows PowerShell is ready for user input.

Error. Error events are serious problems that administrators should be notified of and immediately address. Failure to resolve error events can result in poor server performance and possibly other component failures. For example, an Error event would be logged if your Windows Server license has not been activated. Failure to activate the license could result in the server shutting down.

Warning. Warning events indicate a condition that is currently tolerable but could become critical if not addressed. Many warning conditions are automatically resolved by the operating system before administrator intervention is required. For example, a Warning event would be logged if the time service is not synchronized. In this case, the operating system would continue to retry the connection until the problem was resolved.

In addition to the previous three levels, the Security log classifies all its events as the Information level but sub-classifies them by two Keywords:

Audit Failure. Audit failure events are informational and are intended to track logon failures and other permissions-related issues. For example, an audit failure would be logged if a user tries to log on and is not a valid user.

Audit Success. Audit success events are informational and are intended to track successful events, such as a user successfully logging on to the computer.

Within each event when viewed in Event Viewer, there are two tabs: General and Details. The General tab provides information categorized into paragraphs in a single scrollable window. The information is easy to display and includes the following:

The Log Name from which the event came.

An Event ID number to help identify and classify the event.

The component or Source that generated the event.

The event Level, such as Warning, Information, or Error.

The time that the occurrence was logged.

The User account under which the event happened.

The Computer on which the event occurred.

A link to an external Event Log Online Help site where there might be more information about the event.

Depending on the event, additional details might be displayed that let you analyze and troubleshoot the event's cause. The Details tab provides the following information:

A description of the event in Friendly View

A description of the event in XML View

On both tabs, you can scroll through events sequentially by clicking the up and down arrows on the right side. There is also an option to copy the event for pasting into another application, such as Notepad.

Filters, Custom Views, Tasks, and Subscriptions

Event logs can contain large amounts of data, and it can be challenging to narrow the information to just those events that interest you. To help with this process, Event Viewer provides filters, custom views, tasks, and subscriptions.

Filters. Enable you to identify specific events in a single event log on a single computer. Filters are temporary and cannot be saved.

Custom Views. Enable you to identify specific events in multiple event logs on a single computer. You can also save, export, import, and share these custom views.

Tasks. Enable you to send an email message, start a program, or display a message when a specific event is written to a particular log.

Subscriptions. Enable you to identify specific events in multiple event logs on multiple computers.

Filters and Custom Views

Filters and custom views are created by specifying the query parameters. For example:

When the event was logged, such as within the last 12 hours.

The event level, such as Warning or Error.

The event sender, such as Remote Access or Firewall.

The Event ID (can be a range of Event IDs).

Keywords, such as Audit Failure or Response Time.

User context (can be multiple users).

Computer where the event occurred (can be multiple computers).

Filters and custom views can be accessed from the Event Viewer Action pane. Both are stored as the same XML query that Get-WinEvent -FilterXml and event subscriptions accept, so a filter built in the Filter Current Log dialog box can be copied from its XML tab and reused elsewhere.
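The cmdlet tables above and the filter parameters just listed come together in the following PowerShell, an added example that is not part of the course. It queries the Security log for failed logons (Event ID 4625, Keyword Audit Failure) in the last 12 hours three ways: with the classic Get-EventLog, with a Get-WinEvent hash-table filter, and with the same query expressed as the XML that a custom view or subscription uses; it then pulls the account and source address out of each event's XML view and lists the Application and Services Logs that Get-EventLog cannot reach. The 12-hour window, the function name and the field choices are mine; the event ID and its EventData field names are those of the Windows Security log.

```powershell
# Added example (not from the courseware). Run in an elevated PowerShell console;
# the Security log is readable only by administrators.

# Classic cmdlet: Windows Logs only, filtered by EntryType, client-side and slow remotely.
Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddHours(-12) -Newest 20 |
    Select-Object TimeGenerated, EventID, Message

# Get-WinEvent with a hash-table filter: evaluated by the event log service, so only
# matching records are returned. 4625 = an account failed to log on.
$since  = (Get-Date).AddHours(-12)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue    # "no events" is an error, not an empty result

# Pull named EventData fields out of the XML view (what the Details tab shows).
function ConvertFrom-LogonFailure {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']            # 3 = network, 10 = RDP
            SubStatus = $data['SubStatus']            # 0xC000006A bad password, 0xC0000064 no such user
        }
    }
}
$failed | ConvertFrom-LogonFailure | Group-Object Account, Source |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10

# The same filter as Event Viewer's XML query (Filter Current Log, XML tab). Paste it
# into a custom view or a subscription, or pass it to -FilterXml. 43200000 ms = 12 h.
$query = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 43200000]]]
    </Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $query -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id

# Application and Services Logs are reachable only through Get-WinEvent.
Get-WinEvent -ListLog 'Microsoft-Windows-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending | Select-Object LogName, RecordCount -First 10
```

Grouping by account and source address is what turns a list of Audit Failure events into something actionable: one account failing from many addresses and many accounts failing from one address are different problems, and neither is visible from the event count alone.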
Tasks

Tasks enable you to be more proactive when you manage your environment. Instead of waiting until you conduct a weekly review of logs, you can be notified as soon as a particular event occurs. When you create tasks, you should carefully consider which specific events you must be notified about.

Tasks are stored in Task Scheduler and are created by clicking the relevant log and then selecting Attach A Task To This Log in the Action pane of Event Viewer. Tasks are also available in the log properties. In the Create Basic Task Wizard, you can provide the Task Name, and then the Log, Source and Event ID information. Then you have three options:

Start A Program

Send An Email (deprecated)

Display A Message (deprecated)

The Send An Email and Display A Message options are deprecated in Windows Server 2012. This means there will be no additional development investment in these features and they could be removed from future releases. When you are finished, the new task will be added to Task Scheduler, available in Administrative Tools.
Subscriptions

Troubleshooting an issue might require you to examine a set of events that are stored in multiple logs on
multiple computers. For this purpose, Event Viewer lets you collect copies of events from multiple remote
computers, and then store them locally. To specify which events to collect, create an event subscription.
After a subscription is active and events are being collected, you can view and manipulate these
forwarded events as you would any other locally stored events. To create a subscription, you must
configure the collecting computer (the collector) and each computer from which events will be collected
(the source).
Subscriptions are configurable from the Log Properties dialog box, and can be accessed either through
the log or the Event Viewer Action pane. The Windows Event Collector Service must be running.

Note: Subscriptions are not intended for auditing. If a network connection briefly fails, or
the receiving server is very busy, forwarded events might not be received. Therefore,
subscriptions should only be used for troubleshooting.

Demonstration: How to Use the Event Viewer

In this demonstration, you will see how to use the Event Viewer to review Windows Logs, and Application and Services Logs. You will also see how to create a custom view.

Demonstration Steps

1. Access the Event Viewer.
2. Review Windows Logs.
3. Review Application and Services Logs.
4. Create a custom view.
5. Within the Windows PowerShell console, obtain a list of all the available logs by using the Get-WinEvent cmdlet.

Lesson 2

Performance Monitoring

When performance issues are encountered, the first step is usually to identify the servers that are responsible for those performance issues and then the specific roles or services on those servers that are the cause. However, knowing what is not normal performance can be difficult to determine; for example, file servers may have higher disk usage than a web server, or a mail server may have higher network bandwidth requirements than a domain controller. As such, knowing your baseline performance for each server role helps you analyze the data and make informed decisions about bottlenecks and performance issues. Additionally, in today's cloud-enabled world, knowing the base performance and components of the application helps you make decisions about what, if any, services you should consider migrating to the cloud to support your requirements during peak hours. If significant investment in hardware would be required by your organization to address performance issues, this may be something you need to consider.

Windows Server 2012 provides several tools that you can use to collect and analyze performance-related statistics. You must know what data to collect so that you can identify performance problems on your servers before they affect users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe performance monitoring.

View real-time performance data.

Capture performance data for later analysis.

Describe and implement Data Collector Sets.

Identify server bottlenecks by using performance counter alerts.

Performance Bottlenecks
A performance bottleneck is a condition, usually
involving a hardware resource, which causes a
computer to perform poorly. An example of a
hardware bottleneck is when a server cannot
service a request for disk, memory, processor, or
network resources.
There are many scenarios that can cause resource
bottlenecks, such as the following:

Resources are insufficient.

Resources are not sharing workloads evenly.

A resource is malfunctioning.

A program is monopolizing a particular resource.

A resource is configured incorrectly.

As soon as a bottleneck is identified, you can do several things, including the following:

Run fewer applications.

Add or upgrade components.

Replace a malfunctioning resource.

Run programs during periods of low demand.

Distribute users across additional servers.

Balance resource workloads.

Configure resources to perform optimally.


The key to removing bottlenecks is identifying when and where they are occurring. You do this by using
performance monitoring tools and having a baseline to know how servers perform in a typical setting. By
comparing performance results to your baseline and to historical data, you can identify server bottlenecks
before they affect users. Here are several general mitigation strategy best practices.

Make one change at a time.

Repeat monitoring after every change.

Routinely review event logs.

To determine whether network components are playing a part in performance problems, compare
the performance of programs that run over the network with locally run programs.

Note: As a best practice, try to view the server as part of a larger system. Follow the flow of
data around the system to isolate and identify potential performance bottlenecks.

The Process of Performance Monitoring

There are several methods that you can use to collect performance data from servers in your organization. You should select the best methods for your organization's requirements.

Real-time monitoring
Real-time monitoring of computers is useful when you want to determine the effect of performing a specific action or troubleshoot specific events. This kind of monitoring can also help you make sure that you are meeting service level agreements (SLAs).

Historical data
Analyzing historical data can be useful for tracking trends over time, determining when to relocate resources, and deciding when to invest in new hardware to meet the changing requirements of your business. You should use historical performance data to help you when you plan future server requirements.

If you intend to collect data for historical comparison, it is important to establish a performance baseline. To create a baseline, you must collect performance data over the time during which the server is under typical load. When you collect data in the future, you must make sure that you collect statistics about the same resources as those that you analyzed in your baseline. You can then compare resource usage against your baseline and see whether there are sufficient resources to satisfy user demands.
Tools
A range of tools is available to help you in the monitoring of the server environment. These tools are
described in the following table.
Tool

Description

Windows Server Event


Viewer

As discussed in the previous lesson the Event Viewer displays information


that relates to server operations. This data can help you to identify
performance issues on a server. You can search for specific events in the
event log file to locate and identify problems.

Windows System
Resource Manager
(WSRM)

Using WSRM, you can control how CPU resources are allocated to
applications, services, and processes. Managing these resources improves
system performance and reduces the risk that these applications, services,
or processes will interfere with the rest of the system. Although the WSRM
feature is available in Windows Server 2012, it has been deprecated.

Microsoft Network
Monitor/Microsoft
Message Analyzer

Network Monitor is a protocol analyzer. It enables you to capture, view, and


analyze network data. You can use it to help troubleshoot problems with
applications on the network. You can download Network Monitor from the
Microsoft Download Center.
Note: Network Monitor, at the time of development of this course, is
being superseded by Microsoft Message Analyzer, which is currently in Beta
and available for download form the Microsoft Connect website.

Performance Monitor

You can use Performance Monitor to examine how programs that you run
affect your computers performance, both in real-time and by collecting log
data for later analysis. It enables viewing detailed real-time information
about hardware resources such as CPU, disk, network, or memory. You can
also monitor system resources that are used by the operating system, such
as handles. Performance Monitor uses performance counters, event trace
data, and configuration information. This information can be combined into
data collector sets.

Resource Monitor

Resource Monitor enables you to determine and control system resources


such as CPU, memory, disk, network, and memory, which are being used by
processes and services. You can also view handles and modules associated
with threads and processes. Resource Monitor cannot monitor a resource
remotely. However, it can monitor a resource in a virtual machine.

Microsoft System Center


(Operations Manager)

With Operations Manager, you can build a complete picture of the past and
current performance of the server infrastructure. Operations Manager can
also automatically respond to events and address problems before they
become an issue. Operations Manager requires time to configure and
requires additional licenses.

Task Manager

Task Manager in Windows Server 2012 can be accessed by right-clicking the taskbar or by pressing Ctrl+Alt+Delete and selecting it from the menu. Task Manager has several tabs that divide information into the following components: Processes, Performance, Users, Details and Services. Each of these components can be broken down into more fine-grained data. For example, the Performance tab can provide additional data that is specific to the Network, CPU, or Memory usage.
Task Manager is a user-friendly, easy to access troubleshooting tool.
More information about deprecated features and functionality in Windows Server 2012 can
be found at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309133

More information about Microsoft Message Analyzer and when and where it will be available
for download when released is available at the following webpage.
http://go.microsoft.com/fwlink/?LinkID=309132

Performance Counters

Performance counters are used to provide information about how well the operating system or an application, service, or driver is performing. The data captured by the counter can help identify system bottlenecks and fine-tune system and application performance. Windows Server collects data from performance counters in various ways. This includes the following:

• Real-time snapshot value
• Total since the last time that the server restarted
• Average over a specific time interval
• Average of the last x values
• Number per second
• Maximum value
• Minimum value

Primary Processor Counters

CPU counters are a feature of the computer's CPU that stores the count of hardware-related events.

• Processor\% Processor Time. Shows the percentage of elapsed time that this thread used the processor to execute instructions. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Code executed to handle some hardware interrupts and trap conditions is included in this count.
• Processor\Interrupts/sec. Shows the rate, in incidents per second, at which the processor received and serviced hardware interrupts.
• System\Processor Queue Length. This counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, also known as processor queue depth, reported by this counter is an instant value that is representative only of a current snapshot of the processor. Therefore, you have to watch this counter over a long time. Also, the System\Processor Queue Length counter is reporting a total queue length for all processors, not a length per processor.
Primary Memory Counters

The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is how much random access memory (RAM) is installed in the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor disk paging. This is the transfer of pages of code and data between disk and physical memory.

• Memory\Pages/sec. Shows the number of hard page faults per second. A hard page fault occurs when the requested memory page cannot be located in RAM because it currently exists in the paging file. An increase in this counter indicates that more paging is occurring. This suggests a need for more physical memory.

Primary Disk Counters

The Physical Disk performance object consists of counters that monitor hard disk drives. Disk drives are used to store file, program, and paging data. They are read to retrieve these items, and are written to record changes to them. The values of physical disk counters are sums of the values of the logical disks (or partitions) into which they are divided.

• Physical Disk\% Disk Time. This counter shows how busy a particular disk is. A counter approaching 100 percent indicates that the disk is busy most of the time and might suggest a performance bottleneck is imminent.
• Physical Disk\Average Disk Queue Length. This counter shows how many disk requests are waiting to be serviced by the input/output (I/O) manager in Windows Server at a given moment. The longer the queue, the less satisfactory the disk throughput is.

Primary Network Counters

Most workloads require access to production networks to communicate with other applications and services and to communicate with users. Network requirements include elements such as throughput, that is, the total amount of traffic that passes a given point on a network connection per unit of time. Other network requirements include the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for:

• Public network access.
• Networks for performing backups and other maintenance tasks.
• Dedicated remote-management connections.
• Network adapter teaming for performance and failover.
• Connections to the physical host server.
• Connections to network-based storage arrays or cluster heartbeats.

By monitoring the network performance counters, you can evaluate the network's performance.
Performance counters can be managed, imported, and exported by using Windows PowerShell. The following table lists some cmdlets and a brief description of their use.

Windows PowerShell Cmdlet    Description
Get-Counter                  Displays performance counter data from local or remote computers
Import-Counter               Imports counter log files (.blg, .csv, .tsv) and creates the objects that represent each counter in the log
Export-Counter               Takes performance counter sample sets and exports them as counter log files (.blg, .csv, .tsv)
Get-Counter -ListSet *       Displays all the counter sets on the local computer
Get-Command *counter*        Displays commands that contain the word *counter*

All these Windows PowerShell cmdlets are part of the Microsoft.PowerShell.Management module.
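As an added example (not part of the course material), the following Windows PowerShell script uses Get-Counter, Export-Counter and Import-Counter to record the six counters used in this module's lab as a baseline, save them to a .blg log, and compare a later sample against that baseline. The log path C:\PerfLogs\baseline.blg, the 60-second sample window, the two helper function names and the "twice the baseline" flagging rule are assumptions.

```powershell
# Added example, not from the course: baseline the lab's six counters and compare later samples.
# Assumed values: log path C:\PerfLogs\baseline.blg and a 60 x 1-second sample window.
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)
$baselineLog = 'C:\PerfLogs\baseline.blg'

# Reduce a set of Get-Counter/Import-Counter sample sets to one average per counter path.
function Get-CounterAverage {
    param([Parameter(Mandatory)][object[]]$SampleSets)
    $SampleSets |
        ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 2)
            }
        }
}

# Flag counters whose current average is more than $Factor times the baseline average
# (assumed rule of thumb; Pages/sec, % Disk Time and the queue lengths are the counters the
# lesson says to watch for paging, disk and processor bottlenecks).
function Compare-CounterBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current,
        [double]$Factor = 2.0
    )
    foreach ($row in $Current) {
        $base  = ($Baseline | Where-Object { $_.Counter -eq $row.Counter }).Average
        $ratio = if ($base -gt 0) { $row.Average / $base } else { 0 }
        [pscustomobject]@{
            Counter  = $row.Counter
            Baseline = $base
            Current  = $row.Average
            Ratio    = [math]::Round($ratio, 2)
            Flag     = ($base -gt 0 -and $ratio -gt $Factor)
        }
    }
}

# 1. Capture the baseline (as in Exercise 1 of the lab) and keep it as a .blg log.
New-Item -ItemType Directory -Path (Split-Path $baselineLog) -Force | Out-Null
Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 60 |
    Export-Counter -Path $baselineLog -FileFormat BLG -Force

# 2. Later (for example while StressTool.exe 95 is running, as in Exercise 2),
#    sample again and compare with the stored baseline.
$baselineAvg = Get-CounterAverage (Import-Counter -Path $baselineLog)
$currentAvg  = Get-CounterAverage (Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 60)
Compare-CounterBaseline -Baseline $baselineAvg -Current $currentAvg |
    Sort-Object Ratio -Descending | Format-Table -AutoSize
```

Counter paths returned by Get-Counter and Import-Counter include the machine name, so the comparison only lines up when both captures come from the same server.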

Demonstration: How to Capture Current Performance Activity

In this demonstration, you will see how to use Performance Monitor to view real-time performance data.

Demonstration Steps
1. View current activity in System Summary.
2. Use Performance Monitor to view a chart on current activity.
3. View the current activity data in a Histogram.
4. View the current activity data in a Report.

What Are Data Collector Sets?

A Data Collector Set is the foundation of Windows Server performance monitoring and reporting in Performance Monitor. Data Collector Sets enable you to collect performance-related and other system statistics for analysis with other tools within Performance Monitor, or with third-party tools.

Although it is useful to analyze current performance activity on a server, it is perhaps more useful to collect performance data over time for later analysis and comparison with previously collected data. This data comparison enables you to make determinations about resource usage, to plan for growth, and to identify potential performance problems.
Data Collector Sets can contain the following kinds of data collectors:

• Performance counters. Provides data about the server's performance.
• Event trace data. Provides information about system activities and events. This is useful for troubleshooting.
• System configuration information. Enables you to record the current state of registry keys and to record changes to those keys.
• Additional information. As an example, the Directory Services counters provide information about Lightweight Directory Access Protocol (LDAP) queries and how expensive they are in terms of resources.

You can create a Data Collector Set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting each data collector and setting the options in the Data
Collector Set properties. A default set of templates is provided.
Data collectors can also be managed by using Windows PowerShell. The following table lists some cmdlets and a brief description of their use.

Windows PowerShell Cmdlet                 Description
Get-SMPerformanceCollector                Displays the state of a performance data collector set
Start-SMPerformanceCollector              Starts a Data Collector Set
Stop-SMPerformanceCollector               Stops a Data Collector Set
Get-Command -Module ServerManagerTasks    Lists all available cmdlets in the ServerManagerTasks module

All these Windows PowerShell cmdlets are part of the ServerManagerTasks module.

Demonstration: How to Use Data Collector Sets to Capture Performance Data

In this demonstration, you will see how to collect performance data in a Data Collector Set.

Demonstration Steps
1. Create a Data Collector Set.
2. Create a disk load on the server.
3. Analyze the resulting data in a report and different report types.

Demonstration: How to Use Alerts to Identify Performance Bottlenecks

You can use alerts in Performance Monitor to determine when a threshold is exceeded and then take appropriate action. Actions might include the following: run a program, generate an Event Log error, or start a Data Collector Set. In this demonstration, you will see how to create an alert.

Demonstration Steps
1. Create a data collector set with an alert counter.
2. Generate a load on the server to exceed the configured threshold.
3. Examine the event log for the resulting event.

Lab: Monitoring Server Performance

Scenario

You have successfully deployed some new servers at the A. Datum branch offices. Before the system goes live, you decide to establish a performance baseline so that you can compare future workloads to the expected workload. You also want to create and test an Alert that you can use to monitor the volume of data on the Network Interface on the server.

Objectives
After completing this lab, you will be able to:

• Create a performance baseline.
• Introduce a load on the server.
• Collect additional performance data and determine possible bottlenecks.
• Create and test an alert.

Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-SVR1
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: ADATUM
5. Repeat the previous steps for 10967A-LON-SVR1.

Exercise 1: Creating a Performance Baseline

Scenario

You load Performance Monitor on the server and create a baseline by using typical performance counters.
The main tasks for this exercise are as follows:
1. Create a Data Collector Set
2. Start the Data Collector Set
3. Create workloads on the server
4. Analyze collected data

Task 1: Create a Data Collector Set

1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. Open Performance Monitor.
3. Create a new user-defined Data Collector Set by using the following information to complete the process:
   • Name: LON-SVR1 Performance
   • Create: Create manually (Advanced)
   • Type of data: Performance counter
4. Select the following counters:
   • Memory\Pages/sec
   • Network Interface\Bytes Total/sec
   • PhysicalDisk\% Disk Time
   • PhysicalDisk\Avg. Disk Queue Length
   • Processor\% Processor Time
   • System\Processor Queue Length
5. Sample interval: 1 Second
6. Where to store data: default value
7. Save and close the Data Collector Set.

Task 2: Start the Data Collector Set

In Performance Monitor, start the LON-SVR1 Performance Data Collector Set.

Task 3: Create workloads on the server

1. Open a Command Prompt and run the following commands, pressing Enter after each command:
   fsutil file createnew bigfile 104857600
2. Then type:
   copy bigfile \\lon-dc1\c$
3. Then type:
   copy \\lon-dc1\c$\bigfile bigfile2
4. Then type:
   del bigfile*.*
5. Then type:
   del \\lon-dc1\c$\bigfile*.*
6. Do not close the Command Prompt.

Task 4: Analyze collected data

1. In Performance Monitor, stop the LON-SVR1 Performance Data Collector Set.
2. In Performance Monitor, on the toolbar, click View Log Data.
3. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.
4. In the Select Log File dialog box, double-click Admin.
5. Double-click LON-SVR1 Performance, double-click the LON-SVR1_<date-000001> folder, and then double-click DataCollector01.blg.
6. Click the Data tab, and then click Add.
7. Select the following counters:
   • Memory\Pages/sec
   • Network Interface\Bytes Total/sec
   • PhysicalDisk\% Disk Time
   • PhysicalDisk\Avg. Disk Queue Length
   • Processor\% Processor Time
   • System\Processor Queue Length
8. On the toolbar, click the down arrow and then click Report.
9. Record the values listed in the report for analysis later.

Recorded values:
• Memory\Pages/sec
• Network Interface\Bytes Total/sec
• PhysicalDisk\% Disk Time
• PhysicalDisk\Avg. Disk Queue Length
• Processor\% Processor Time
• System\Processor Queue Length

Results: After this exercise, you should have established a performance baseline.

Exercise 2: Simulating a Server Load

Scenario

Having created the baseline, you now simulate a load to represent the system in live usage and start the Data Collector Set.
The main tasks for this exercise are as follows:
1. Load a new program on the server
2. Simulate a load on the server's CPU
3. Start the Data Collector Set again

Task 1: Load a new program on the server

1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. Open a Command Prompt and change to the C:\Labfiles\StressTool\amd64 folder.

Task 2: Simulate a load on the server's CPU

1. Still on 10967A-LON-SVR1.
2. From the Command Prompt window, run the command StressTool.exe 95.
3. Open Task Manager and view the CPU utilization, noticing how it has increased dramatically.

Task 3: Start the Data Collector Set again

1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. Switch to the Performance Monitor.
3. Start the LON-SVR1 Performance Data Collector Set.
4. Wait one minute for data to be captured.

Results: After this exercise, you should have introduced a load on the server and restarted the Data Collector Set.

Exercise 3: Determining Probable Performance Bottlenecks

Scenario

You compare the results achieved under the new load with those collected when you first deployed the server.
The main tasks for this exercise are as follows:
1. Stop the running program
2. View performance data
3. Analyze results and draw a conclusion

Task 1: Stop the running program

1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. Open a Command Prompt if it is not already open.
3. Stop the running program.
4. Open Task Manager and ensure the CPU % Utilization graph indicates the simulated load has been removed from the CPU and it has returned to normal.

Task 2: View performance data

1. Switch to the Performance Monitor.
2. Stop the LON-SVR1 Performance Data Collector Set.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View log data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Remove.
6. Click Add.
7. In the Select Log File dialog box, click Up One Level.
8. Double-click the LON-SVR2_<date-000002> folder, and then double-click DataCollector01.blg.
9. Click the Data tab, and then click OK.
10. If you receive an error or the values in your report are zero, repeat steps 4-9.

Recorded values:
• Memory\Pages/sec
• Network Interface\Bytes Total/sec
• PhysicalDisk\% Disk Time
• PhysicalDisk\Avg. Disk Queue Length
• Processor\% Processor Time
• System\Processor Queue Length

Task 3: Analyze results and draw a conclusion

Answer the following questions.
1. Compared with your previous report, which values have changed?
2. What was the most significant change and why?
3. If you saw a similar trend in your work environment, what would you recommend as a next step?
4. Can you identify any additional counters which could potentially help you narrow down your search to determine what application is placing the greatest load on the CPU?
5. Are there any additional tools which may help identify what process or software is placing the load on the server?

Results: After this exercise, you should have identified a potential bottleneck.

Exercise 4: Create, Test, and Verify an Alert

Scenario

Your manager, Ed Meadows, is concerned about an old network adapter on one of your servers and whether it is able to handle the volume of traffic it may have. Ed asks you to create and test an Alert that you can use to monitor the volume of data on the Network Interface on the server, so that you can monitor the amount of data it sends and receives, and so that, if it exceeds the limit, another collector set will start to monitor other aspects of the server to ensure they are not being overly loaded or performing poorly.
The main tasks for this exercise are as follows:
1. Create and start an alert to trigger an Event ID
2. Simulate a load on the network bandwidth
3. Verify the Event ID is generated and the Data Collector Set starts
4. Revert the lab machines

Task 1: Create and start an alert to trigger an Event ID

1. Ensure you are still signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. Create a new Data Collector Set with the following parameters:
   • Name: LON-SVR1 Network Bandwidth Alert
   • How to create: Create Manually (Advanced)
   • Type: Performance Counter Alert
   • Add the following counter: Network Interface\Bytes Total/sec
   • Alert When: Above
   • Limit: 500
3. Edit the properties of the LON-SVR1 Network Bandwidth Alert data collector as follows:
   • Alert tab:
     o Alert when: Above
     o Limit: 500
     o Sample interval: 10
     o Units: Seconds
   • Alert Action tab:
     o Log an entry in the application event log
     o Start LON-SVR1 Performance data collector set
4. Start the LON-SVR1 Network Bandwidth Alert collector set.

Task 2: Simulate a load on the network bandwidth

1. Open the Command Prompt.
2. Open the Start screen and type cmd.exe, and then press Enter.
3. At the Command Prompt, type the following command, and then press Enter.
   fsutil file createnew bigfile 1048576000
4. At the Command Prompt, type the following command, and then press Enter.
   copy bigfile \\lon-dc1\c$

Task 3: Verify the Event ID is generated and the Data Collector Set starts

1. Open Event Viewer.
2. Go to the log Microsoft-Windows-Diagnosis-PLA/Operational.
3. Verify that an Event ID was generated by the Alert when the threshold was exceeded.
4. What is the Event ID associated with an event generated when an Alert's threshold is exceeded?
5. Return to Performance Monitor.
6. Verify that the LON-SVR1 Performance Data Collector Set has started successfully.

Task 4: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the previous steps for 10967A-LON-DC1.

Results: After completing this exercise you will have created an alert and tested to ensure it generates an Event ID and triggers a Data Collector Set to start.
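As an added example (not the course's own steps), this Windows PowerShell script reproduces the alert from Exercise 4 without the Performance Monitor UI: it samples Network Interface\Bytes Total/sec every 10 seconds, and when a sample exceeds 500 bytes/sec it logs an entry in the Application event log and starts the LON-SVR1 Performance Data Collector Set. The event source name LabNetworkAlert, event ID 1000, the 30-iteration run length and the use of logman start in place of the alert's built-in "start a Data Collector Set" action are assumptions.

```powershell
# Added example, not from the course: a polling alert equivalent to the lab's
# "LON-SVR1 Network Bandwidth Alert" Data Collector Set.
$Threshold     = 500                      # bytes/sec, the lab's Limit
$IntervalSec   = 10                       # the lab's Sample interval
$CollectorName = 'LON-SVR1 Performance'   # the set the lab's alert action starts
$EventSource   = 'LabNetworkAlert'        # assumed source name
$EventId       = 1000                     # assumed event ID

# Decide whether one counter sample breaches the limit ("Alert when: Above").
function Test-CounterAboveLimit {
    param([double]$Value, [double]$Limit)
    return $Value -gt $Limit
}

# Ensure the event source exists; creating one requires an elevated session.
function Register-AlertSource {
    param([string]$Source)
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
}

# Run the alert actions: log an Application event and start the collector set.
function Invoke-AlertActions {
    param([string]$Instance, [double]$Value)
    $msg = "Network Interface '$Instance': Bytes Total/sec was $([math]::Round($Value)) (limit $Threshold)."
    Write-EventLog -LogName Application -Source $EventSource -EventId $EventId `
                   -EntryType Warning -Message $msg
    # logman reports an error if the set is already running; that is harmless here.
    logman start "$CollectorName" 2>$null | Out-Null
}

# Poll the counter $Iterations times and return how many intervals triggered the alert.
function Watch-NetworkInterface {
    param([int]$Iterations = 30)
    $alerts = 0
    for ($i = 0; $i -lt $Iterations; $i++) {
        $set = Get-Counter -Counter '\Network Interface(*)\Bytes Total/sec' -MaxSamples 1
        foreach ($s in $set.CounterSamples) {
            if (Test-CounterAboveLimit -Value $s.CookedValue -Limit $Threshold) {
                Invoke-AlertActions -Instance $s.InstanceName -Value $s.CookedValue
                $alerts++
                break   # one alert per interval, as Performance Monitor does
            }
        }
        Start-Sleep -Seconds $IntervalSec
    }
    return $alerts
}

Register-AlertSource -Source $EventSource
$count = Watch-NetworkInterface -Iterations 30
"Alert fired $count time(s); check the Application log and Performance Monitor."
```

Running the copy from Task 2 while this script polls should trigger the alert; the entry appears under Windows Logs > Application rather than in Microsoft-Windows-Diagnosis-PLA/Operational, because the script, not the Performance Logs and Alerts service, wrote it.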
Question: During the lab, you collected data in a Data Collector Set. What is the advantage
of collecting data in this manner?
Question: What significant counters should you monitor in Windows Server Performance
Monitor?

Module Review and Takeaways

Tools

Tool                  Use for                                                                          Where to find it
Performance Monitor   Monitoring and analyzing real-time and logged performance data.                  Server Manager
Resource Monitor      Monitoring resources in real time.                                               Server Manager
Windows PowerShell    Cmdlets available for event logging, performance counters, and data collectors.  Built in to Windows Server 2012
Event Viewer          Viewing logs and determining what happened.                                      Server Manager

Module 13
Maintaining Windows Server

Contents:
Module Overview                                        13-1
Lesson 1: Troubleshooting Windows Server Startup       13-2
Lesson 2: Business Continuity and Disaster Recovery    13-11
Lesson 3: Applying Updates to Windows Server           13-20
Lesson 4: Troubleshooting Windows Server               13-25
Lab: Maintaining Windows Server                        13-33
Module Review and Takeaways                            13-42

Module Overview

Windows Server roles are critical in an organization's network infrastructure. It is very important to make sure that Windows Servers are performing as efficiently as possible in their roles. To support Windows Server, you must have the skills and knowledge to correctly maintain an efficiently operating and continually available server infrastructure. You must also be able to troubleshoot issues within that infrastructure when they arise.

Objectives
After completing this module, you will be able to:

• Troubleshoot the Windows Server startup process.
• Implement high availability and recovery technologies to improve system availability.
• Explain the importance of system updates.
• Implement an appropriate troubleshooting methodology to resolve problems with Windows Server.

Lesson 1

Troubleshooting Windows Server Startup

The Windows Server startup process makes sure that all aspects of Windows Server functionality are checked and initiated in a way that results in a stable and efficiently running server. Several issues can emerge in the startup process. Understanding the Windows Server startup process will help you troubleshoot or, even better, avoid these issues.
This lesson will explain the Windows Server startup process and give you the tools to identify and correct issues related to Windows Server startup.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the Windows Server startup process.
• Identify the startup troubleshooting tools.
• Apply the considerations for troubleshooting the startup environment.
• Recover the startup environment.

Windows Server Startup

The Windows Server startup process is made up of several steps involving components in the operating system environment. At first glance, startup seems to be a relatively basic feature of an operating system. However, there is nothing simple or basic about startup processes and procedures.
The startup process can be broken down into four main areas. There is some overlap regarding the timing of when particular services start and stop, but the following is the general chronological order:

1. BIOS/EFI or UEFI initialization:
   a. The platform is turned on; it identifies and then initializes hardware.
   b. Power-on self-test (POST).
   c. Detects the system disk, where the operating system resides.
   d. Locates and reads the Master Boot Record (MBR).
   e. Starts the Boot Manager (Bootmgr.exe), which locates and calls WinLoad.exe, which resides on the boot partition, where the boot, or startup, files reside.

2. OS Loader:
   a. WinLoad.exe controls this phase.
   b. Device drivers identified as needing to start are loaded into memory.
   c. The system registry is loaded into memory.

3. Main Startup Cycle:
   a. PreSMSS: Starts when WinLoad.exe passes control over to the kernel. The kernel initializes the data structures and system components.
   b. SMSSInit: Starts when the kernel passes control over to the session management subsystem process (smss.exe). The Service Control Manager starts here.
      • Video drivers are initialized.
      • Subsystem processes are started:
        o Smss.exe (Windows Session Manager: responsible for user sessions)
        o Csrss.exe (Client Server Runtime Process: provides threading control and core graphical capabilities)
        o WinInit.exe (Windows Start-Up Application: responsible for some core services starting up)
        o WinLogon.exe (Windows Logon Application: responsible for the sign-in and sign-out process)
   c. WinLogon: The Service Control Manager continues to operate in this phase. The logon screen appears and the desktop starts.
   d. ExplorerInit: Explorer.exe, which controls file management and user UI functions such as File Explorer, Desktop, Taskbars and more, starts, and services and applications continue to be loaded.

4. Post-Startup: The desktop is available and the user can interact, but services and applications may continue to start. Ends when all services and applications scheduled to start at logon have done so and the system reaches an idle state.

We'll now touch on some of these areas in more depth:


BIOS, EFI, or UEFI Initialization and POST

As outlined earlier, the Windows Server startup process consists of several steps, starting with the initialization of system hardware through the computer's basic input/output system (BIOS), the Unified Extensible Firmware Interface (UEFI), or the Extensible Firmware Interface (EFI). This process is known as power-on self-test (POST). The POST process typically involves quick checks of system hardware components to confirm correct operation and functionality. Additionally, most BIOS or EFI systems provide for more intensive POST procedures if troubleshooting has to be performed on the POST process.
BIOS, UEFI, and EFI are all firmware interface technologies that act as the interface between the hardware and the operating system software. (Firmware is hardware that has software on it that makes it function; that is, it is a middle ground between hardware and software and is read-only, such as CPU.) On startup, these firmware interface technologies effectively bring all the hardware components online for use by the operating system. BIOS, although still widely used, is the oldest technology. BIOS is being replaced by EFI, which is an Intel proprietary technology, and UEFI, which is a unified industry standard. UEFI and EFI allow for faster startup times and the ability to use drives larger than 2 terabytes (TB). EFI and UEFI can also provide more functionality.
Windows Server 2012 and Windows 8 include startup support that works with UEFI and EFI. This helps protect the startup process from potential security exposures.

More information about UEFI industry standards organization can be found at the following
website.
http://www.uefi.org/home/

The Startup Environment, Windows Boot Manager, and Windows Boot Loader

Windows Server 2012 and Windows 8 use Windows Boot Manager to manage the operating system startup process.
The startup environment is in the hardware (BIOS chip) and contains everything that is needed to load the hard disk drive drivers that contain the operating system. Then Windows Boot Loader initializes the loading of the operating system from the disk. So, the startup environment is loaded before the operating system and is independent of the operating system. This way the startup environment can be used to confirm the integrity of the startup process and the operating system.
The Windows Boot Loader is stored in \Windows\System32\winload.exe. When Windows Boot Loader is
started by Windows Boot Manager, it begins the initial load process of the operating system.

Within the startup environment, Windows Boot Manager controls the startup process by using the
information in the Boot Configuration Data (BCD) store. Entries in the BCD store are loaded by Windows
Boot Manager and contain configuration data about the various boot loaders installed on the system. This
includes the following:

Device where the boot loader is stored

Path to the executable file of the boot loader

Descriptive name of the boot loader

Boot loader recovery options

System root of boot loader files

When multiple boot loaders are referenced in the BCD store, Windows Boot Manager will prompt the user at startup to choose which boot loader should be used. For example, a server might have Windows Server 2012 installed on one partition and a different Server edition, or conceivably even a client operating system such as Windows 8, installed on another partition. The computer can start either of the operating systems, depending on the needs of the user. This configuration is known as a multiboot configuration. For example, as alternative startup options, you can have a backup operating system or an older version of the operating system.
You can also start up from a virtual hard disk (VHD) file, where you configure the Boot Configuration Data (BCD) store to mount a VHD and start the operating system.

Multiboot configurations are more complicated to configure and more difficult to maintain. The benefits are more flexibility and the capability to cleanly remove or change an installation.

To edit the Windows Boot Manager settings, you can use a command-line tool named BCDEdit and the
relevant switches at the Command Prompt. There is a wide variety of functionality that can be configured
concerning how the system starts up including system recovery options.
To view the Windows Boot Manager settings, run the following at the Command Prompt.
BCDEdit /enum bootmgr

To view the Windows OS Loader settings, that is, to see what operating systems are loaded into Windows Boot Manager for startup, run the following at the Command Prompt.
BCDEdit /enum osloader

Note: Certain aspects of the BCD store can also be changed on the Startup And Recovery
tab in System Properties. This includes settings for the default operating system, debugging, and
memory dump.

Detecting and Configuring Hardware

After Windows Boot Manager has started the Windows Boot Loader, the Windows Server operating system begins to load. The operating system starts by enumerating drivers and services. There can be different timings for when drivers and services are loaded, and there are dependencies between them. So, the sequencing can vary. After the startup order is determined, the operating system is loaded and starts the drivers and services in their respective order.
Loading the Operating System Kernel

An operating system kernel is the most basic and fundamental part of the operating system. The kernel
controls system hardware and resources, managing them and making them available to applications that
are running on the system. After the operating system kernel loads, the operating system is ready to
interact with the rest of the system software and the user.
Logon and Plug and Play Drivers

When a user logs on to a Windows Server environment, the user's credentials are processed and validated
against the default security database, usually either the local security database or Active
Directory Domain Services (AD DS). After the credentials are validated, the user gains access to the
operating system and applications, and any Plug and Play or user-mode drivers load to complete the
Windows Server startup process.

Note: Windows 8 also includes Sleep and Hibernate functionality. This allows the
computer to save power when it is not in active use and also accommodates quicker startup
times. Windows Server 2012 does not support Sleep or Hibernate functionality. Although it may be
possible to configure sleep in some hardware/firmware environments for servers, in production
environments servers are typically required to be available twenty-four hours a day, seven days a
week to respond to service requests. As such, the additional configuration or management overhead
associated with sleep and hibernation would not be desired.
Securing the Startup

Servers can still be subject to attack by malware during the startup process, even before the operating
system is loaded, and malicious software can potentially run undetected in the kernel. To try to protect
against such threats, Windows Server 2012 and Windows 8 have additional checks around the startup
process, such as:

Secured or Trusted Boot: With UEFI, on startup, the server ensures that the firmware is digitally
signed and has not been altered or tampered with.

Early Launch Anti-Malware (ELAM): Allows an antimalware driver to be loaded and used to
attempt to detect whether the startup drivers are trusted and whether any of them are potential malware
threats.

Measured Boot: With UEFI and Trusted Platform Module (TPM) functionality present, logs can be
taken during startup and sent to a separate trusted server, which can then validate the integrity of the
startup process. This could potentially allow full or limited access to the network, or
placing the server in quarantine until the integrity of the startup can be assessed.
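The following Windows PowerShell function, added here as an example and not taken from the courseware, reports the state of the three protections just described on the local server: whether Secure Boot is on, whether a TPM is present for Measured Boot, how many Measured Boot logs Windows has written, and which ELAM boot-start driver policy is in force. Get-StartupProtectionState is a name chosen for this example; the cmdlets and registry path it reads are standard Windows 8 / Windows Server 2012 components. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the courseware. Reports the state of the startup protections
# discussed above on the local server. Get-StartupProtectionState is a name chosen for
# this example; Confirm-SecureBootUEFI, Get-Tpm and the EarlyLaunch registry key are
# standard in Windows 8 / Windows Server 2012. Run from an elevated session.

function Get-StartupProtectionState {
    $state = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on BIOS/legacy systems, so report
    # that as "not available" rather than failing.
    try   { $state.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBoot = 'Not available (legacy BIOS or unsupported firmware)' }

    # Measured Boot needs a TPM; Get-Tpm reports whether one is present and ready.
    try {
        $tpm = Get-Tpm
        $state.TpmPresent = $tpm.TpmPresent
        $state.TpmReady   = $tpm.TpmReady
    } catch {
        $state.TpmPresent = $false
        $state.TpmReady   = $false
    }

    # Measured Boot logs are written under %SystemRoot%\Logs\MeasuredBoot, one per boot.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $state.MeasuredBootLogs = if (Test-Path $logDir) { @(Get-ChildItem $logDir -Filter *.log).Count } else { 0 }

    # ELAM: DriverLoadPolicy decides which boot-start drivers load based on the
    # antimalware driver's classification. Values: 1 = good only,
    # 3 = good, unknown and bad-but-critical (the default), 7 = good and unknown,
    # 8 = all drivers (ELAM classification ignored). A missing value means the default.
    $elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $policy  = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    $state.ElamDriverLoadPolicy = if ($null -eq $policy) { 3 } else { [int]$policy }
    $state.ElamLoadsAllDrivers  = ($state.ElamDriverLoadPolicy -eq 8)

    [pscustomobject]$state
}

Get-StartupProtectionState | Format-List
```

A server that reports SecureBoot False (or not available), TpmPresent False, or ElamLoadsAllDrivers True is running without one of the checks described above; on a UEFI system with a TPM, MeasuredBootLogs should increase by one on every restart.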

Troubleshooting Tools in the Startup Environment

During the Windows startup process, the failure or malfunction of any component involved can cause the
startup process to fail or behave unpredictably. Events like hard disk failure, missing or corrupted files,
third-party driver bugs, or intentional or accidental damage of system files can interfere with the startup
process. Windows Server 2012 provides several tools and options to help troubleshoot and repair
components involved in the startup process. This enables the operating system to start correctly and
efficiently.

Note: All of these tools are available from the Advanced Boot Options menu. This can be accessed by
pressing the F8 key during startup before the Windows Server startup splash screen.
The Advanced Boot Options menu provides the following 12 options:

Repair Your Computer

Safe Mode

Safe Mode With Networking

Safe Mode With Command Prompt

Enable Boot Logging

Enable Low-Resolution Video

Last Known Good Configuration (Advanced)

Directory Services Restore Mode

Debugging Mode

Disable Automatic Restart On System Failure

Disable Driver Signature Enforcement

Disable Early Launch Anti-Malware Driver

Start Windows Normally

The following topics discuss each of these options in turn.


Repair Your Computer

During the installation process, Windows Server 2012 creates a special hidden partition on the system disk
that contains several useful diagnostic and repair tools known collectively as the Windows Recovery
Environment (WinRE). These tools are accessed from the Advanced Boot Options menu. You can use the
system recovery tools to repair startup problems, run diagnostics, or restore your system.
The Windows Recovery Environment may start automatically if the last system startup did not finish. For
example, if the failure occurs just after logon, the computer may not start, and Last Known Good
Configuration, discussed later in this topic, would be the best troubleshooting option.

When you select Repair Your Computer, you are presented with a Choose An Option screen that
contains three options:

1. Continue. Exit and continue to Windows Server 2012.

2. Troubleshoot. Refresh or reset your computer, or use advanced tools. After you select this option,
you are taken to an Advanced options screen that contains the following options:

a. System Image Recovery. Recover Windows by using a specific system image file. Selecting this
option starts the Re-image Your Computer wizard. This tries to find an already backed up image
to restore.

b. Command Prompt. Use the Command Prompt for advanced troubleshooting. When you select
this option you are prompted for administrator credentials and then provided with a Command
Prompt on a new partition, drive X:\. You can then carry out whatever troubleshooting steps you
need. For example, you can use BCDEdit, Task Manager, the System File Checker (SFC)
command, or other tools or commands. You can type exit to exit the Command Prompt and
return to the Choose An Option screen which was presented earlier.

c. Startup Settings. Change Windows Startup Behavior. With this option, you can change the
various startup options previously listed, such as low resolution video mode, debugging mode,
safe mode, and driver signature settings.

3. Turn off your PC. Turns off the computer.

Note: If a system loses electrical power during the startup process, the Windows Recovery
Environment automatically starts the next time that the system is started. Also, Windows 8 has
more Repair Your Computer options than Windows Server 2012. These include the following:
Refresh Your PC (updates without losing your files), Reset Your PC (all personal settings and files
will be removed), and Advanced Options, which include System Restore and Automatic Recovery.
Finally, if the Windows Recovery Environment does not work for any reason from the local system,
you can use the startup media and access the same recovery options from there.
Safe Mode

In safe mode, the user can run system startup by using a limited set of files, services, and drivers. With this
limited configuration, failure from a malfunctioning driver or service is less likely, and you can
troubleshoot from the Windows graphical user interface (GUI) environment. On the Windows Advanced
Options menu, several options exist for starting Windows in Safe mode.

Safe mode. Starts loading only a basic set of files, drivers, and services. This includes mouse,
keyboard, storage, and basic video drivers. No networking services or drivers are started.

Safe Mode with Networking. Starts the same as safe mode, but adds drivers and services necessary
to provide network functionality.

Safe Mode with Command Prompt. Loads the same service and driver set as safe mode, but starts
you at the Command Prompt instead of in the Windows GUI. That is, the GUI is not started.

Enable Boot Logging

This option starts the boot logging process. This records all startup events to the ntbtlog.txt boot log.
This log lists all the drivers that load during startup and the last file to load before failure. You can retrieve
the boot log by starting the operating system from the install media and selecting recovery options.
Analyzing this file will help identify where the failure occurred.
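As an added example (not part of the courseware), the following Windows PowerShell function summarises a boot log so that the last driver loaded before a failure, the drivers that did not load, and any driver loaded from an unexpected path stand out without reading the whole file. Get-BootLogSummary is a name chosen for this example; the sample lines are constructed in the "Loaded driver" / "Did not load driver" format that Windows writes to ntbtlog.txt.

```powershell
# Added example, not from the courseware. Summarises a boot log (ntbtlog.txt) so the
# last driver that loaded before a failure, drivers that did not load, and drivers
# loaded from unexpected paths are easy to see. Get-BootLogSummary is a name chosen
# for this example; the sample lines are constructed in the format Windows writes.

function Get-BootLogSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $loaded = New-Object System.Collections.Generic.List[string]
    $failed = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^Loaded driver (.+)$'       { $loaded.Add($Matches[1]) }
            '^Did not load driver (.+)$' { $failed.Add($Matches[1]) }
        }
    }
    # Boot-start drivers normally live under \SystemRoot; anything else deserves a look.
    $unusual = $loaded | Where-Object { $_ -notmatch '^\\SystemRoot\\' }
    [pscustomobject]@{
        LoadedCount    = $loaded.Count
        NotLoadedCount = $failed.Count
        LastLoaded     = if ($loaded.Count) { $loaded[$loaded.Count - 1] } else { $null }
        NotLoaded      = @($failed)
        UnusualPaths   = @($unusual)
    }
}

# Constructed sample log; one driver fails to load and one loads from outside \SystemRoot.
$sample = @'
Microsoft (R) Windows (R) Version 6.2 (Build 9200)
 1 15 2013 08:12:44.250
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\System32\drivers\fltmgr.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \??\C:\Temp\vendor-tool.sys
Loaded driver \SystemRoot\System32\drivers\storport.sys
'@ -split "`r?`n"

Get-BootLogSummary -Lines $sample | Format-List

# Live log after booting with Enable Boot Logging; from the Windows Recovery Environment,
# substitute the offline system drive for $env:SystemRoot (for example D:\Windows).
# Get-BootLogSummary -Lines (Get-Content "$env:SystemRoot\ntbtlog.txt")
```

For the constructed sample the summary reports six drivers loaded, one not loaded (vga.sys), storport.sys as the last driver loaded, and \??\C:\Temp\vendor-tool.sys as the one unusual path. When a startup hangs, LastLoaded is the driver that was loading when the log stopped, which is usually where to begin.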
Enable Low-Resolution Video

This option sets the system resolution to 640 x 480 pixels. This lets you reset your display resolution if it
was changed to a setting that rendered the system unusable.
Last Known Good Configuration

Using Last Known Good Configuration restores a system's configuration to the state it was in at the end of
the last successful startup and logon. Last Known Good Configuration makes a copy of the configuration
information that is stored in the registry every time that the operating system startup process is completed
successfully and a user logs on to the system. Last Known Good Configuration stores the values for the
following two registry hives, or groups of values.

HKLM\SYSTEM\CurrentControlSet\Control. This registry hive contains system configuration settings.

HKLM\SYSTEM\CurrentControlSet\Services. This registry hive contains settings that control driver
and service configuration.

When you select Last Known Good Configuration, it marks the values in the previous two registry hives as
failed and replaces them with the copy taken after the last successful startup and logon.
Directory Services Restore Mode

This option, sometimes abbreviated as DSRM, provides a special startup mode for addressing Active
Directory issues. It is only applicable to domain controllers. DSRM starts the Domain Controller without
the domain controller part, working as a member server only. You need to log on by using the default
local administrator account whose password is reset when the domain controller is promoted. DSRM can
be used to perform certain administrative tasks when the domain controller is not functioning correctly or
when it has to be serviced in a way where the Active Directory database cannot be used.
Debugging Mode

This option enables the Windows Kernel debugger and allows for the debugging of the Windows Server
operating system which may involve attaching another computer that has debugging enabled on it to the
computer which has to be debugged by using a serial connection.
Disable Automatic Restart On System Failure
This option prevents Windows from automatically restarting after a crash, such as when a blue screen
appears.
Disable Driver Signature Enforcement
This option enables drivers that do not contain digital signatures or contain untrusted signatures to be
loaded.
Disable Early Launch Anti-Malware Driver

This option enables drivers to initialize without being measured and evaluated by the Early Launch
Anti-Malware driver.
Start Windows Normally
Exit and continue.

Considerations for Troubleshooting Startup

When issues arise with the Windows startup process, resolving those issues and bringing the system back
to a working state as quickly as possible is your highest priority. Before you begin the troubleshooting
process, you must consider which startup tool will best diagnose and resolve the issue.
The following examples of common startup issues list conditions that prevent the startup process from
completing successfully, together with considerations for troubleshooting that specific problem and which
tool or tools will best help in resolving the problem.
Master Boot Record Corruption

Symptoms. When a system's master boot record (MBR) is corrupted or missing, the system will stop
the startup process immediately following BIOS POST and a black screen or one of the following
messages might appear: Invalid partition table, Error loading operating system, or Missing
operating system.

Causes. The MBR can become corrupted because of hard disk errors, disk corruption, or intentional
destruction of MBR data by a virus or malicious user.

Resolution. Select Repair Your Computer on the Advanced Boot Options menu, choose Command
Prompt, and execute bootrec /fixmbr. This command replaces the executable code in the MBR.

Note: Where UEFI or EFI is used instead of BIOS, GUID partition table (GPT) would be used
instead of MBR.
Boot Configuration Database (BCD) Misconfiguration

Symptoms. After BIOS POST, a message states Windows could not start because of a computer disk
hardware configuration problem, Could not read from selected boot disk, or Check boot path and
disk hardware.

Causes. The BCD is deleted, corrupted, or no longer refers to the correct boot volume, possibly
because the addition of a partition has changed the name of the volume.

Resolution. Start the Windows Recovery Environment, select Command Prompt, and then execute the
bootrec /scanos and bootrec /rebuildbcd commands. These commands scan each volume to look
for Windows installations. When they discover an installation, they ask you whether it should be
added to the BCD as a startup option and what name should be displayed for the installation on the
startup options menu. For other kinds of BCD-related damage, you can also use BCDEdit to perform
tasks such as building a new BCD from scratch or cloning an existing good copy.

System File Corruption

Symptoms. System file (dynamic-link libraries [DLLs], drivers, executables) corruption typically causes
a message on a black screen after BIOS POST that says, Windows could not start because the
following file is missing or corrupt, followed by the name of a file and a request to reinstall the file.

Causes. The volume on which a system file is located is corrupted or one or more system files are
deleted or become corrupted.

Resolution. For NTFS volumes, start the Windows Recovery Environment, select Command Prompt, and
then execute the chkdsk command. Chkdsk will try to repair the volume corruption. If Chkdsk does
not report any problems, you could run sfc.exe to scan the system files and replace any that
may be incorrect versions; alternatively, you could obtain a backup copy of the system file in
question and replace the file.

Note: Resilient File System (ReFS) can automatically detect data corruption and perform
repairs without taking the disk offline. If you try to run Chkdsk on ReFS you will receive the
message The ReFS file system does not need to be checked.
Crashing or Hanging After the Splash Screen Appears

Symptoms. Issues that occur after the Windows splash screen appears, after the desktop appears, or
after you log on fall into this category and can manifest as a crash that shows nothing but a blue
screen or as an unresponsive system freeze.

Causes. This problem is usually caused by a device driver or corruption of registry information.

Resolution. The first and most straightforward method for trying to restore the startup process would
be to run the Last Known Good Configuration. This will load the appropriate registry information
from a backup taken when the system last started correctly. This would allow for the review of recent
changes to the operating system to try to discover what caused the crash or freeze. If the problem is
caused by a driver or service that existed on the system before the Last Known Good Configuration
was taken, another solution will be required. In this case, safe mode could enable the system to start
correctly. Then, you can roll back newly installed drivers or disable services to determine the cause of
the problem. A rollback of drivers installs an earlier version of the drivers, for example, the
driver which was previously working.
Question: Which tool would you use to recover a system that does not start correctly
immediately following the installation of a new network adapter?

Demonstration: How to Recover the Startup Environment


In this demonstration, you will see how to recover a system from startup failure.

Demonstration Steps
1. Start the virtual machine and access the Windows Recovery Environment by pressing F8 while
starting up.
2. Scroll through and view the System Recovery Options.
3. Select Repair Your Computer, then choose Troubleshooting, followed by Command Prompt.
4. Assess Boot Manager and OS Loader configuration using the bcdedit command.
5. Determine the options available with the boot recovery command-line tool bootrec.

Lesson 2

Business Continuity and Disaster Recovery

Organizations depend on constant and consistent access to their business information and applications. In
this environment, a server is only useful when it is operating properly and it contains the correct data. A
server that has intermittent failures, is frequently unavailable, contains inconsistent data, or loses data can
cause significant problems for an organization, detrimentally affecting the organization's line of business.
As someone responsible for the operation of your organization's servers, you have to be aware of the
variety of methods that Windows Server offers to allow for high availability, reliability, and consistency.
You also need to understand how to implement these methods.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the need for backup.

Describe the requirement to provide for business continuity.

Differentiate between Business Continuity and Disaster Recovery (BCDR) solutions.

Describe Network Load Balancing (NLB).

Describe failover clustering.

Implement a backup solution.

Why Backup Data?


Data is the most important digital commodity in the business world. Data hosted on an organization's
servers is most often critical to its line of business. Inventories, business contracts, purchase orders, and
manufacturing and engineering data are just some of the important pieces of business information that
are frequently hosted on servers.

The retention or backup of this data is the first line of defense against any event or circumstance that
could put the security, validity, or the existence of that data at risk. Events that could lead to data loss
include hardware or software failures leading to data corruption or corruption of volumes or disks.
Natural disasters like a flood, an earthquake, or a lightning strike could also be factors. Environmental
issues such as fire, plumbing malfunctions, or power surges can also contribute to the loss of data.
Finally, malicious or accidental activity like hacking, file deletion, equipment theft, or intentional damage
may cause data to be lost.

Backing up your company's data in Windows Server 2012 is an important part of maintaining a reliable
server environment. Not only is business data, as just discussed, at risk, but data that is contained in the
operating system and server applications themselves also has to be retained, should the need to restore or
recreate them arise.

User or Business Data

Most user or business-related data that is stored on a server is stored in a specifically allocated drive or
folder structure, dedicated exclusively to storing that data. In this configuration, all of the business data is
in one place, and can be backed up as a whole instead of backing up data from different locations on the
server. The location and structure of this data will depend on the individual organization, and can vary
from implementation to implementation.
System Data

System data, such as operating system and application data, is usually stored in a constant location on
the operating system. Although not always accessed or changed by employees directly like business data,
system data is critical to the operation of a server. Make sure that the Windows Server system volume,
which holds the Windows Server operating system files, is backed up. This makes sure that
the server is recoverable if there is a system failure.
There could also potentially be application configuration data spread across multiple systems, which
adds a level of complexity that you also have to consider.

Discussion: The Importance of Business Continuity


Business continuity planning refers to the ongoing maintenance activity and infrastructure planning and
implementation that enable an organization to carry on its line of business if there is a disaster or system
failure.
The ability of an organization's server infrastructure to ensure business continuity in times of crisis is a
very important aspect of server management and maintenance.
Question: What kinds of events could interfere with business continuity?
Question: What would the cost be to your organization if your server infrastructure was
unavailable for an hour, a day, or a week?

Increased Availability and Data Recovery


Organizations have come to rely more and more on their information technology (IT) infrastructure to
support their business needs. Frequently, an organization's server infrastructure provides applications or
contains data that is critical to business operations. Therefore, the availability of those applications and
the retention and safety of that data must be managed to ensure business continuity through high
availability and data recovery.
Increased Availability

High availability refers to the ability of a server infrastructure to remain available and operable if there are
hardware, application, or service outages within the server infrastructure.

Organizations that are required to meet service level agreements (SLAs) or that run applications important
to an organization's daily business typically use high availability solutions to achieve required server
uptimes. This uptime value is commonly known as the number of nines, referring to the percentage of
that server's total availability. It is common for companies to strive for five nines of uptime (99.999%). This
equates to less than 10 minutes per year of server downtime.
You can also have different uptime requirements for different time periods in SLAs. For example, if a
server is required to run for five days a week for 10 hours a day, on an SLA with a 99.999% uptime
requirement in that time period, the server is allowed 3 minutes downtime. However, during non-core
hours the server may be allowed longer downtimes.

High availability typically involves multiple servers configured to perform the same role or provide similar
services. If one of the servers experiences a hardware or software failure, the remaining servers continue to
provide the services.
Windows Server 2012 contains several features that help you in maintaining availability in the server
infrastructure.

Fault-tolerant Hardware Support. Windows Server 2012 supports fault-tolerant hardware
architecture supplied by many server hardware vendors that allows for the removal, addition, or
replacement of hardware components such as fans, power supplies, memory, hard disks, network
adapters, and processors. This architecture enables a server to remain running and available while
hardware upgrades occur or faulty hardware components are replaced.

Fault-tolerant Applications. Some applications or services provide fault tolerance as part of the
application infrastructure itself, such as Active Directory Domain Services having multiple domain
controllers, or a replicated DFS infrastructure.

Failover Clustering. Failover clustering allows for a group of servers to work together to provide a
set of applications or services. Together, these servers provide a fault-tolerant configuration that
continues to provide its applications and services, even if one of the servers in the cluster fails or
becomes unavailable. You can implement failover clustering for a range of roles and services in
Windows Server 2012, such as File, Dynamic Host Configuration Protocol (DHCP), Hyper-V, or even
application servers such as Microsoft Exchange Server or Microsoft SQL Server.

Network Load Balancing (NLB). NLB provides for the increased availability of TCP/IP-based
network services. The load on the servers is shared and each server is aware of the other servers in its
group. Therefore, when one server fails or becomes unavailable on the network, traffic is redirected
among the other servers. This guarantees continuity of the network services. However, this is not high
availability, because the failover is more passive than in failover clustering, and a failing server could
cause a delay on the clients before the infrastructure recognizes the failure and another server serves
the requests.

Many subcomponents in Windows Server 2012 also contribute to providing a highly available
infrastructure, such as network interface card (NIC) Teaming and Multipath I/O (MPIO).
Data Recovery

Data recovery processes make sure that important data is recoverable, should the data be lost, corrupted,
or destroyed. This typically involves the copying or backing up of data to a device separate from the
server. These devices can be external hard disks or flash drives, optical drives, or network locations.
Frequently, these devices are stored in a different physical location than the server being backed up, in
case the server location is physically destroyed or damaged by a disaster such as a fire or flood.

When data is lost, corrupted, or destroyed, the backed up data can then be restored to the original
location on the server; or to a separate server until the original server is restored or rebuilt.
Windows Server Backup
The built-in tool for backing up data in Windows Server is Windows Server Backup. Windows Server
Backup is a simple and easy to use backup and recovery tool. You can use Windows Server Backup on
both local and remote systems to perform full or incremental backups and to create a copy.

When you use Windows Server Backup, you have to have separate, dedicated media for storing backed
up data. Windows Server Backup can use external and internal disks, DVDs, or shared folders for backup
and restore locations. DVDs can be used only to restore full volumes of data, not individual files, folders,
or application data.

You can use Windows Server Backup for recovery in several ways. Instead of having to manually restore
files from multiple backups if the files were stored in incremental backups, you can recover folders and
files by selecting the date on which you backed up the version of the item(s) you want to restore. You can
recover data to the same server hardware or to new server hardware that has no operating system.
Windows Server Backup no longer supports tape backup.
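The following Windows PowerShell script is an added example, not courseware code, of configuring Windows Server Backup the way the text describes: a scheduled policy that includes the system volume, system state and bare-metal recovery data, written to separate, dedicated media. It uses the WindowsServerBackup module that ships with the feature; the backup volume letter and the schedule time are placeholders to replace for your environment.

```powershell
# Added example, not from the courseware. Builds a scheduled Windows Server Backup
# policy covering the system volume, system state and bare-metal recovery data, and
# points it at dedicated media. Uses the WindowsServerBackup module that ships with the
# Windows Server Backup feature. 'E:' and 21:00 are placeholders.

# The feature must be installed before the module is available.
Install-WindowsFeature Windows-Server-Backup
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# Critical volumes plus system state, so the server can be rebuilt rather than only
# having individual files restored.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState       -Policy $policy
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath 'C:')

# Dedicated backup media: a disk reserved for backups (Get-WBDisk lists candidates).
# A shared folder can be used instead via New-WBBackupTarget -NetworkPath and
# -Credential, but a share keeps only the most recent backup, so no version history.
$target = New-WBBackupTarget -VolumePath 'E:'       # placeholder backup volume
Add-WBBackupTarget -Policy $policy -Target $target

# VSS full backup: applications (for example Exchange) treat the backup as complete
# and truncate their logs; use Set-WBVssBackupOptions -VssCopyBackup if another
# product owns the application backups.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Run nightly at the placeholder time.
Set-WBSchedule -Policy $policy -Schedule 21:00

# Commit the policy; backups now run on the schedule.
Set-WBPolicy -Policy $policy

# Review the committed policy and the results of recent runs.
Get-WBPolicy | Format-List
Get-WBSummary
```

Get-WBSummary is the place to check after the first scheduled run: it reports the last backup time and result, the number of versions retained, and the next scheduled backup, which is what an operator reviews to confirm the policy is actually producing restorable backups.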

Note: Backups taken with Windows Server Backup can also be restored from the Windows
Recovery Environment. This was described earlier in the Troubleshooting Tools in the Startup
Environment topic.
Also available is the cloud-based service Windows Azure Online Backup, which can provide backup
infrastructure and services for your organization.
More information about Windows Azure Online Backup can be found at the following
webpage.
http://www.windowsazure.com/en-us/home/features/online-backup
Question: Why would an organization have to implement both high availability and data
recovery processes to make sure of business continuity?

Network Load Balancing


Network Load Balancing (NLB) provides for increased availability and scalability for TCP/IP-based services,
including web servers, File Transfer Protocol (FTP) servers, and other mission-critical servers and services.
In an NLB configuration, multiple servers run independently and do not share any resources; for example,
IIS websites would be mostly static and any changing data would typically be held on a back-end SQL
Server. This group of servers is known as an NLB cluster. Client requests are distributed among the servers,
and if a server were to fail, NLB detects the problem and distributes the load to another server. With NLB,
you can increase network service performance and availability.

Increased Availability

NLB supports increased availability by redirecting incoming network traffic to working NLB cluster hosts if
a host fails or is offline. Existing connections to an offline host are lost, but the Internet services remain
available. In most cases, for example with web servers, client software automatically retries the failed
connections, and the clients experience a delay for several moments before receiving a response.

In terms of how the NLB servers function, a virtual IP address is created which applies to all NLB hosts in
the NLB cluster. Every NLB host will then receive the traffic addressed to the virtual IP; however, only a
specific host will listen and process it. From a networking standpoint, you must make sure that all hosts
are configured in a hub mode instead of a switch mode. Otherwise, the NLB hosts would not receive the
traffic, as the switch would direct it only to the last host that replied using the virtual IP address.

Many applications work with NLB. Generally, NLB can load-balance any application or service that uses
TCP/IP as its network protocol and is associated with a specific TCP or User Datagram Protocol (UDP) port.
Some examples are listed in the following table.
Protocol                                                    Examples

Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS)  Internet Information Services (IIS): port 80 for HTTP
                                                            and port 443 for HTTPS

FTP                                                         IIS: port 20, port 21, and ports 1024-65535

Simple Mail Transfer Protocol (SMTP)                        Exchange Server: port 25

Remote Desktop Protocol (RDP)                               Terminal Services: port 3389

Point-to-Point Tunneling Protocol (PPTP), L2TP, SSTP, and   Virtual private network (VPN) servers: 1723 for PPTP
IP by using HTTP and Internet Protocol security (IPsec)

Performance

NLB supports server performance scaling by distributing incoming network traffic among one or more
virtual IP addresses assigned to the NLB cluster. The hosts in the cluster concurrently respond to different
client requests, even multiple requests from the same client. For example, a web browser might obtain
multiple images in a single webpage from different hosts in an NLB cluster. This speeds up processing and
shortens the response time to clients.
Scalability

NLB lets administrators scale network services to meet client demand. New servers can be added to a load
balancing cluster without changing the applications or reconfiguring clients. The NLB cluster does not
have to be taken offline to add new capacity, and members of the load balancing cluster do not have to
be based on identical hardware. NLB hosts could even be powered up and powered down as demand
requires.
Windows PowerShell also provides management and configuration support for Network Load Balancing
in Windows Server 2012. The following table includes some of the cmdlets and commands that might be
useful.
Windows PowerShell Cmdlet                          Description of Use

Add-NlbClusterNode                                 Adds a new node to the NLB cluster

New-NlbCluster                                     Creates a new NLB cluster defined by the node and
                                                   network adapter name

Get-Command -Module NetworkLoadBalancingClusters   Lists all available cmdlets in the
                                                   NetworkLoadBalancingClusters module

The Network Load Balancing feature has to be installed through Server Manager, in order to make these
cmdlets available on a Windows Server 2012 server.
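As an added example that is not part of the courseware, the following Windows PowerShell script installs the feature, builds a two-host NLB cluster for a web front end with the cmdlets from the table above, and then replaces the default all-ports rule with rules for only the ports the service listens on, so the virtual IP address does not also front management services on the hosts. Install-WindowsFeature is the PowerShell equivalent of adding the feature through Server Manager. The host names, interface name and addresses are placeholders; run it from an elevated session on the first host.

```powershell
# Added example, not from the courseware. Creates a two-host NLB cluster for a web
# front end and restricts its port rules to the listening ports. Host names ('NLB2'),
# the interface name ('Ethernet') and the addresses are placeholders. Run elevated on
# the first host; the second host needs the NLB feature installed as well.

# Install the feature and its management tools (equivalent to Server Manager).
Install-WindowsFeature NLB, RSAT-NLB
Import-Module NetworkLoadBalancingClusters

# Create the cluster on this host's interface and assign the virtual IP that clients
# will use. Multicast mode leaves the adapter's own MAC address usable for host traffic.
New-NlbCluster -InterfaceName 'Ethernet' -ClusterName 'web-nlb' `
    -ClusterPrimaryIP 192.0.2.10 -SubnetMask 255.255.255.0 -OperationMode Multicast

# The default port rule covers every port (0-65535). Replace it with rules for the
# ports the web service actually uses; Single affinity keeps a client on one host.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80  -EndPort 80  -Protocol TCP -Mode Multiple -Affinity Single
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP -Mode Multiple -Affinity Single

# Add the second host (placeholder name), then confirm both hosts have converged
# and that only the intended port rules remain.
Add-NlbClusterNode -NewNodeName 'NLB2' -NewNodeInterface 'Ethernet'
Get-NlbClusterNode
Get-NlbClusterPortRule
```

Get-NlbClusterNode should list both hosts in the Converged state; a host that stays in another state has not agreed on the cluster configuration, most often because its interface name or port rules differ from the first host.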

Failover Clustering
Failover clustering is a technology in Windows Server 2012 that provides for high availability; it does not
provide for scalability. In a failover cluster, a group of servers, or a cluster, work together to increase the
availability of a set of applications and services. Physical cables and software connect the clustered
servers, known as nodes. If any of the cluster nodes fail, other nodes begin to provide service to clients (a
process known as failover). With this method, system downtime is minimized and a high level of
availability is provided.
Applications that are best suited for configuration in a failover cluster are applications that use a
centralized set of data. Applications such as SQL Server and Exchange Server, and services such as File
Servers and DHCP, use centralized data sets and are therefore ideal for being configured as a failover
cluster.
Failover Clustering Benefits

Failover clustering provides several benefits for mission-critical server and application deployments. These
include the following:

Reduced downtime if there is a hardware failure.

Reduced downtime if there is an operating system failure.

Reduced downtime during periods of planned server maintenance.

Applications or services that are added to a failover cluster must be cluster-aware in order to take
advantage of the benefits that are provided by failover clustering. Cluster-aware refers to the application's
ability to register with the failover cluster in order to communicate with the cluster and take advantage of
the cluster's features. Applications and services that are cluster-aware include the following:

Distributed File System (DFS) Namespace Server

DHCP Server

Exchange Server

File Server

Print Server

SQL Server

Windows Internet Naming Service (WINS) Server


Applications that do not support cluster events are called cluster-unaware. Some cluster-unaware
applications can still be configured as high availability resources and can be failed over. However, the
following provisions apply:

IP-based protocols are used for cluster communications. The application must use an IP-based
protocol for its network communications.

Nodes in the cluster access application data through shared storage devices. If the application is not
able to store its data in a configurable location, the application data is not available on failover.

Client applications experience a temporary loss of network connectivity when failover occurs. If client
applications cannot retry and recover from this, they will no longer function.

Windows PowerShell also provides management and configuration support for failover clustering in
Windows Server 2012. The following table includes some of the cmdlets and commands that might be
useful.
Windows PowerShell Cmdlet              Description of Use
Get-Cluster                            Displays information about one or more failover clusters in a domain
Test-Cluster                           Runs validation tests for failover cluster hardware and settings
Get-Command -Module FailoverClusters   Lists all available cmdlets in the FailoverClusters module

The Failover Cluster Module for Windows PowerShell needs to be installed as part of the Failover
Clustering feature or the Remote Server Administration Tools (RSAT) in Server Manager in order to
make these cmdlets available on a Windows Server 2012 server. RSAT can also be installed on a
Windows 8 client, which makes the cmdlets available on the client.

More information about failover clustering and Network Load Balancing can be found at the
following webpage.
http://technet.microsoft.com/en-us/library/hh831579.aspx
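As an added example that is not part of the course material, the following function uses the FailoverClusters module to summarise the health of an existing cluster: nodes that are not up, clustered roles that are not online, failed resources, and the quorum configuration. The cluster name LON-CLUSTER is an assumed placeholder.

```powershell
# Added example, not from the course: summarise the health of an existing failover
# cluster with the FailoverClusters module. 'LON-CLUSTER' is an assumed cluster name.
Import-Module FailoverClusters

function Get-ClusterHealthSummary {
    param([Parameter(Mandatory = $true)][string] $ClusterName)

    $cluster = Get-Cluster -Name $ClusterName

    # A node that is not Up (Down, Paused, Joining) cannot take over a failed role.
    $downNodes = @(Get-ClusterNode -Cluster $cluster | Where-Object { $_.State -ne 'Up' })

    # Clustered roles (groups) are what clients notice: File Server, DHCP, SQL Server.
    # The built-in 'Available Storage' group is Offline whenever every disk is already
    # assigned to a role, so it is excluded to avoid a false alarm.
    $offlineGroups = @(Get-ClusterGroup -Cluster $cluster |
        Where-Object { $_.Name -ne 'Available Storage' -and $_.State -ne 'Online' })

    # A Failed resource explains why its owning group is not Online.
    $failedResources = @(Get-ClusterResource -Cluster $cluster | Where-Object { $_.State -eq 'Failed' })

    # Quorum is cluster-wide: losing it stops every role, not just one.
    $quorum = Get-ClusterQuorum -Cluster $cluster

    [pscustomobject]@{
        Cluster         = $cluster.Name
        NodesDown       = $downNodes | ForEach-Object { "$($_.Name) [$($_.State)]" }
        GroupsOffline   = $offlineGroups | ForEach-Object { "$($_.Name) [$($_.State)] on $($_.OwnerNode)" }
        ResourcesFailed = $failedResources | ForEach-Object { "$($_.Name) ($($_.ResourceType)) in $($_.OwnerGroup)" }
        QuorumType      = $quorum.QuorumType
        QuorumResource  = $quorum.QuorumResource
        Healthy         = ($downNodes.Count -eq 0 -and $offlineGroups.Count -eq 0 -and $failedResources.Count -eq 0)
    }
}

# Usage: Healthy is $false when any node is down, any role is not Online, or any resource has failed.
Get-ClusterHealthSummary -ClusterName 'LON-CLUSTER' | Format-List
```

Run it on a cluster node or on a machine with the Failover Clustering RSAT tools installed.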

Providing for Data Recovery


Providing for data recovery involves implementing a plan that includes what to back up, how frequently to
back up, what media the backed-up data will be stored on, where that media will be stored, and who can
back up and restore the data.
What to Back Up

Deciding what to back up is one thing to consider when you develop a backup plan. Business information
loss can significantly disrupt business productivity. Usually, a full data backup is desirable. The key
question for the organization is: what data is most important to the company? This data can consist of
customer or client database information, payroll records, and product information.
When to Back Up

Several questions have to be answered when you are considering backup. Ask yourself: When should I back
up data? How frequently should backups be made? How long will my backup take, and what time of day will
the backup occur? When asking how frequently backups occur, the answer depends on your business data
and how frequently it changes. An organization's sales history might only have to be backed up monthly.
However, the current sales database, which is constantly being updated with sales information, might have
to be backed up multiple times per day. The second and third questions, about how long the backup will
take and when the backup should be taken, depend on one another. Frequently, data being backed up
cannot be in use by users and applications during the backup process. A full backup of all servers in a data
center might take 15-20 hours. If your business operates on a 10-hour work day, that only leaves 14 hours
to do your backup. Typically, the longer, full backup is completed during off-hours, perhaps on a weekend.
Then, smaller backups of specific or important information occur more frequently throughout the week.
What Media to Use

After the decision is made about what data to back up, the next step is to determine where you should
store the backup. Options for storage include external or internal hard disk drives, CDs, DVDs, universal
serial bus (USB) flash drives, and third-party backup systems.
Where to Store the Backups

To provide greater security, an organization should store these backups in an off-site location. This helps
in a situation such as a fire, where backup media stored on-site could be destroyed.
Who Should Perform the Backup/Restore Operations
The final fundamental consideration is who should perform the backup, and perhaps more critically,
restore operations. After you have implemented a backup strategy, you could automate the backup
process; indeed, most backup solutions are automated. However, you may sometimes have to perform
unscheduled backup operations. You should carefully consider which users can perform this task.

When you have to restore data, make sure that the correct data is restored, and to the correct location.
Therefore, restore operations, except for user-initiated single file operations, should only be conducted by
skilled administrative personnel.
You can use the Windows Server built-in groups to assign the necessary backup and restore permissions,
or you can create your own groups as needed.
Windows Server Backup

Windows Server Backup is installed as a feature by using Server Manager. It provides a means of
administration, a Microsoft Management Console (MMC) snap-in administrative tool, and the WBAdmin
command (wbadmin.exe), which can be used at the Command Prompt. Both the snap-in and the
command-line tools let you perform manual or automated backups to an internal or external disk volume,
a remote share, or optical media. As stated earlier, backing up to tape is no longer supported by Windows
Server Backup.
Windows Azure Online Backup

This is a cloud-based service to which an IT administrator subscribes. An account is then created for a
particular organization and backups are scheduled. The difference is that the data storage is provided by
the Online Backup Service. This service removes risk and administrative overhead when you manage and
maintain backups. You can access Windows Azure Online Services from the Windows Server Backup
management console.
Windows PowerShell provides cmdlets for both Windows Server Backup and Windows Azure Online
Backup to let administrators manage and configure the service. These cmdlets are provided under the
WindowsServerBackup and MSOnlineBackup modules. The following table includes some of the cmdlets
from each module.
Windows PowerShell Cmdlet                 Description of Use
Get-WBDisk                                Displays a list of internal and external disks that are online for the local computer
Get-WBJob                                 Displays the current Windows Backup job operation
Get-OBPolicy                              Displays the current online backup policy set for the server
Get-OBJob                                 Displays a list of operations from a server as Online Backup Job objects
Get-Command -Module WindowsServerBackup   Lists all available cmdlets in the WindowsServerBackup module
Get-Command -Module MSOnlineBackup        Lists all available cmdlets in the MSOnlineBackup module

The Windows Server Backup feature has to be installed for the WindowsServerBackup module to be
installed and for the cmdlets to become available. Similarly, the Online Backup agent has to be installed to
be able to view the Online Backup cmdlets.
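The backup plan described above (what, where, when, and who) expressed with the WindowsServerBackup module, as an added example that is not part of the course: it registers a scheduled policy that writes a volume, the system state and bare-metal recovery data to a remote share, and reads back the most recent job results. The volume, share path, run time and backup account are assumed placeholders.

```powershell
# Added example, not from the course: register a scheduled Windows Server Backup policy
# (volume + system state + bare-metal recovery data) that writes to a remote share, and
# read back recent job results. The volume, share path, run time and account are assumed
# placeholders; the Windows Server Backup feature must be installed.
Import-Module WindowsServerBackup

function New-NightlyBackupPolicy {
    param(
        [string]       $VolumePath = 'C:',                  # assumed volume to protect
        [string]       $SharePath  = '\\LON-SVR2\Backups',  # assumed remote share
        [datetime[]]   $Schedule   = @('23:00'),            # assumed off-hours run time
        [pscredential] $Credential                          # dedicated backup account for the share
    )

    $policy = New-WBPolicy

    # What to back up: the chosen volume, the system state and bare-metal recovery data.
    $volume = Get-WBVolume -VolumePath $VolumePath
    Add-WBVolume -Policy $policy -Volume $volume
    Add-WBSystemState -Policy $policy
    Add-WBBareMetalRecovery -Policy $policy

    # Where to store it: a remote share, one of the supported targets.
    $target = New-WBBackupTarget -NetworkPath $SharePath -Credential $Credential
    Add-WBBackupTarget -Policy $policy -Target $target

    # A VSS full backup updates each file's backup history; use -VssCopyBackup instead when
    # another product (for example a database backup) must keep ownership of that history.
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup

    # When: off-hours, so the backup window does not overlap the working day.
    Set-WBSchedule -Policy $policy -Schedule $Schedule

    # Registering the policy makes it the scheduled backup for this server.
    Set-WBPolicy -Policy $policy
    return $policy
}

function Get-RecentBackupResults {
    param([int] $Count = 5)
    # Get-WBJob -Previous returns the most recent finished jobs with their outcome.
    Get-WBJob -Previous $Count |
        Select-Object JobType, StartTime, EndTime, JobState, ErrorDescription
}

# Usage (assumed account name); the credential prompt runs interactively.
$backupCred = Get-Credential -UserName 'ADATUM\svc-backup' -Message 'Backup share account'
New-NightlyBackupPolicy -Credential $backupCred | Out-Null
Get-RecentBackupResults
```

Only the account that owns the policy and members of the Backup Operators or Administrators groups should be able to run or change it, which is the "who" part of the plan.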
Question: What would an appropriate backup plan be for your organization or department?

Lesson 3

Applying Updates to Windows Server

Windows Server provides a full-featured framework to maintain itself in a current and secure state
through updates. This lesson will cover how to keep your Windows Server up to date by using Windows
Server Update Services (WSUS).

Lesson Objectives
After completing this lesson, you will be able to:

Describe the need to keep Windows Server up to date.

Describe what has to be kept up to date.

Explain how Windows Server obtains updates by using WSUS.

Implement WSUS.

Why Update Windows?

Globally, computing happens in an ever-changing environment. As technology advances and security
concerns appear, the server infrastructure must be both prepared and protected in order to perform
efficiently.

The following questions can be asked of a static, non-updated server that is running Windows Server.

Does the server have a vulnerability to malicious code that takes advantage of potential weak spots
identified in the server's operating or application configuration?

When a new device is installed, how can you be sure that you have the most recent version of the
driver installed?

How can you make sure that you are running the latest and most compatible versions of your
applications?

You have to update your Windows Servers to make sure that you can avoid the pitfalls associated with the
previous points, but manual configuration of a single server can be a time-consuming and tedious
process, let alone the configuration of hundreds of servers.
The key source of Windows updates is the Windows Update website. Here, a catalog of updates is stored
and available for download and installation to your computer.

Windows Server 2012 contains a robust infrastructure for managing interaction with the Windows Update
process. However, you must make sure that the tools available are customized for your environment and
working in a way that makes sure the infrastructure is secure and regularly updated.

What Must Be Updated?

Updates can be applied to different areas within the Windows Server infrastructure:

Core Operating System. The core files of the server's operating system must be kept up to date in order
to correct possible security vulnerabilities and maintain the most recent set of features and functionality.
New versions of executables, additional features, and updated .dll and data files are several of the aspects
of the core operating system that can be implemented as part of an update.

Drivers. Hardware devices on your servers must have the most recent drivers installed to make sure that
your system functions correctly and that all of the components can work together as a cohesive whole
without conflicts or interruption. The way that Windows interacts with the server and the attached
hardware is governed primarily by the device drivers that Windows loads for the devices. Old, corrupted,
or incompatible drivers can cause a device to stop functioning and cause system instability or even failure.

Applications. Updates also have to be performed on applications. Service packs, feature updates, and
security fixes all make sure that your applications can consistently provide their associated services
within your environment.

In addition to these three core areas, other aspects such as device firmware might also have to be
periodically updated.

Windows Server Update Services


Windows Server Update Services (WSUS) enables network administrators to simplify and gain control over
applying updates to all computers in the network environment.

When WSUS is integrated into the operating system, it is installed as a role on Windows Server 2012. The
integration can be done through Server Manager. As part of the installation, a Windows Internal Database
(WID) is also installed. This is required by WSUS. WSUS downloads all of the latest updates from the
Windows Update servers on the Internet, and then all other computers on the network are configured to
download their updates directly from the WSUS server. You can organize computers into groups to
simplify the approval of updates. For example, you can configure a pilot group to be the first set of
computers that are used for testing updates. WSUS can also generate reports to help with monitoring of
update installation. These reports can identify which computers have not applied recently approved
updates. WSUS in Windows Server 2012 can also allow for client and server separation.
In a typical WSUS implementation, instead of each computer downloading the same update files
independently, only the WSUS server downloads the files from the Windows Update servers. The WSUS
server downloads a copy of each available update and saves it in a local data store. Then it makes the
updates available for access by all of the computers on the network. The bandwidth consumed by the
update process is greatly reduced, because the WSUS server has to download only one copy of each
update. WSUS also gives administrators the opportunity to research, evaluate, and test updates before
deploying them to the network clients.

You can also implement a hierarchical structure in your organization for WSUS, specifying upstream
servers, downstream servers, or replica servers, to streamline the distribution of updates across a
geographically dispersed organization.

A WSUS server has several components and settings that are configurable to suit the needs of your
environment. When WSUS is first set up, the Windows Server Updates Services Configuration Wizard runs
and lets you configure the following settings:

Choose Upstream Server. You can specify a WSUS server from which the server being configured
will receive updates.

Specify Proxy Server. If your organization has a firewall or proxy server, proxy details will be required
for Windows Server Update Services to access and download updates.

Choose Languages. You can specify the update languages to download. By default, WSUS
synchronizes only updates in the language that you specified when installing Windows Server.

Choose Products. This setting controls which products WSUS will download updates for. This
includes Windows Server and client operating systems, in addition to many Microsoft applications
and server products, such as Microsoft Office, SQL Server, and Exchange Server.

Choose Classification. Microsoft updates come in several different classifications that identify the
type and urgency of the update. For example, Critical Updates, Security Updates, and Definition
Updates. This setting lets you select which classifications WSUS will synchronize.

Configure Sync Schedule. This setting controls when WSUS will synchronize with Internet-based
Windows Update servers to download new updates. It can be done manually or automatically at
defined times.

After the wizard is finished, you can perform an initial synchronization based on the settings that you have
just defined. Consider the following when you configure the settings.

Use SSL with WSUS.

Create computer groups.

Assign computers to groups by using Group Policy.

Configure auto-approval.

Within the WSUS management console, there are several options, some of which include the following:

Updates. Here you can classify updates such as Security and Critical. Each update must also be
approved before it can be installed. By default, WSUS automatically approves all security, critical, and
definition updates for servers. For clients, WSUS approves all security, critical, and definition updates,
plus service packs.

Computers. Within here you can create groups of computers on which to apply updates.

DownStream Servers. You can specify other update servers in your WSUS hierarchy that will receive
updates from this server.

Synchronization. Here you can specify how the local server synchronizes with the Windows Server
Update Services. It provides a status on the synchronizations and enables reports to be viewed.

Reports. Many reports are available to generate and view, such as computer status and update status.
Microsoft Report Viewer 2008 Redistributable is required to be able to view the reports.

Options. Different settings that can be configured, such as the following:

o Email message notifications

o Server Cleanup

o Automatic approvals

By default, WSUS downloads only the approved updates and stores them, in Cab format, in the
C:\WSUS\WsusContent folder.
Using Group Policy to Configure Windows Update Settings

You can configure automatic updates for client computers through Group Policy. Group Policy settings
are available in the Group Policy Management Editor under the node Computer
Configuration\Policies\Windows Settings\Administrative Settings\Windows Update. There are 16 different
settings available in this node, some of which are described in the following table.
Group Policy Setting                                   Description
Allow Automatic Updates immediate installation         Specifies whether the Automatic Updates client should install updates
                                                       that do not require a service interruption or system restart immediately
Allow non-administrators to receive update             Enables users without administrative privileges to receive notifications
notifications                                          of impending update downloads or installations from the Automatic
                                                       Updates client
Automatic Updates detection frequency                  Specifies the interval at which Automatic Updates clients check the
                                                       server for new updates
Configure Automatic Updates                            Enables the Automatic Updates client, specifies whether the client
                                                       should download and install updates with or without requiring user
                                                       intervention, and specifies the installation interval and time of day
Reschedule Automatic Updates scheduled installations   Specifies the time interval the Automatic Updates client should wait
                                                       after system startup before starting an update installation that did
                                                       not occur because the computer was offline
Specify intranet Microsoft update service location     Specifies the URL that Automatic Updates clients use to access the
                                                       WSUS server on the local network
Delay Restart for scheduled installations              Specifies the time interval the Automatic Updates client should wait
                                                       before restarting the computer after an update installation
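The Group Policy settings in the table above are written to the client's registry under the WindowsUpdate policy key. As an added example that is not part of the course, the following function reads those values back and flags a machine that is not pointed at an HTTPS WSUS server (the "Use SSL with WSUS" recommendation) or is not set to install approved updates on a schedule; the expected server URL is an assumed placeholder.

```powershell
# Added example, not from the course: read the registry values that the Windows Update
# Group Policy settings above write on a client, and flag a machine that is not pointed at
# an HTTPS WSUS server or not configured to install approved updates. The expected server
# URL is an assumed placeholder; the registry paths are the standard WindowsUpdate policy keys.
function Test-WsusClientPolicy {
    param([string] $ExpectedServer = 'https://LON-WSUS:8531')   # assumed; 8531 is the default SSL port

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $findings = New-Object System.Collections.Generic.List[string]

    # "Specify intranet Microsoft update service location" writes WUServer and WUStatusServer.
    if (-not $wu -or -not $wu.WUServer) {
        $findings.Add('No intranet update service location; the client will go to Windows Update on the Internet.')
    } else {
        if ($wu.WUServer -notlike 'https://*') {
            $findings.Add("WSUS location '$($wu.WUServer)' is not HTTPS; update metadata and reports travel in clear text.")
        }
        if ($wu.WUServer -ne $ExpectedServer) {
            $findings.Add("WSUS location '$($wu.WUServer)' is not the expected '$ExpectedServer'.")
        }
        if ($wu.WUStatusServer -ne $wu.WUServer) {
            $findings.Add('Statistics server differs from the update server; status reports may go elsewhere.')
        }
    }

    # UseWUServer=1 (under the AU key) is what makes the client honour WUServer at all.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1; any WUServer value is ignored.')
    }

    # "Configure Automatic Updates" writes AUOptions (2 notify, 3 auto download, 4 scheduled install,
    # 5 local admin chooses) or NoAutoUpdate=1 when the policy is disabled.
    $modes = @{ 2 = 'notify before download'; 3 = 'auto download, notify to install'
                4 = 'auto download and schedule install'; 5 = 'local admin chooses' }
    $mode = if ($au -and $au.NoAutoUpdate -eq 1) { 'disabled' }
            elseif ($au -and $modes.ContainsKey([int]$au.AUOptions)) { $modes[[int]$au.AUOptions] }
            else { 'not configured' }
    if ($mode -ne 'auto download and schedule install') {
        $findings.Add("Automatic Updates mode is '$mode'; scheduled install (AUOptions=4) is expected on servers.")
    }

    # "Automatic Updates detection frequency" writes DetectionFrequency (hours) when enabled.
    $hours = if ($au -and $au.DetectionFrequencyEnabled -eq 1) { [int]$au.DetectionFrequency } else { $null }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        UpdateServer        = if ($wu) { $wu.WUServer } else { $null }
        Mode                = $mode
        DetectionFrequencyH = $hours
        Compliant           = ($findings.Count -eq 0)
        Findings            = $findings.ToArray()
    }
}

# Usage: run on a client or server; Compliant is $false when any finding is listed.
Test-WsusClientPolicy | Format-List
```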

You can also manage WSUS by using Windows PowerShell. Cmdlets are provided as part of the WSUS
module; some of them are listed in the following table.
Windows PowerShell Cmdlet   Description of Use
Approve-WSUSUpdate          Approves an update to be applied to clients
Get-WSUSProduct             Displays the list of all products currently available on WSUS by category
Get-Command -Module WSUS    Lists all available cmdlets in the WSUS module

More information about Windows Server Update Services can be found at the following
webpage.
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
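The pilot-group workflow described earlier (approve updates for a test group first, then use the reports to find computers that have not applied them), as an added example that is not part of the course. The server name, port and group name are assumed placeholders; the Wsus cmdlets it uses are installed with the WSUS role in the UpdateServices module.

```powershell
# Added example, not from the course: approve unapproved Security and Critical updates for
# a pilot computer group, then list pilot computers that reported a failed install. Server
# name, port and group name are assumed placeholders. Get-WsusServer, Get-WsusUpdate,
# Approve-WsusUpdate and Get-WsusComputer are installed with the WSUS role (module UpdateServices).
Import-Module UpdateServices

function Approve-PilotUpdates {
    param(
        [string] $ServerName = 'LON-WSUS',   # assumed WSUS server
        [int]    $Port       = 8531,         # default WSUS SSL port
        [string] $GroupName  = 'Pilot'       # assumed pilot computer group
    )
    $wsus = Get-WsusServer -Name $ServerName -PortNumber $Port -UseSsl

    foreach ($class in 'Security', 'Critical') {
        # -Approval Unapproved avoids re-approving; -Status Any includes updates no client has reported on yet.
        $pending = Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status Any
        foreach ($u in $pending) {
            # Superseded updates and those needing a licence agreement are left for a human to review.
            if ($u.Update.IsSuperseded -or $u.Update.RequiresLicenseAgreement) { continue }
            $u | Approve-WsusUpdate -Action Install -TargetGroupName $GroupName
            [pscustomobject]@{
                Classification = $class
                Title          = $u.Update.Title
                KB             = ($u.Update.KnowledgebaseArticles -join ', ')
            }
        }
    }
}

function Get-PilotInstallFailures {
    param([string] $ServerName = 'LON-WSUS', [int] $Port = 8531, [string] $GroupName = 'Pilot')
    $wsus = Get-WsusServer -Name $ServerName -PortNumber $Port -UseSsl
    # The report the text mentions: which pilot machines have not applied what was approved.
    Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups $GroupName -ComputerUpdateStatus Failed |
        Select-Object FullDomainName, IPAddress, LastReportedStatusTime
}

# Usage: approve first, let clients run their next detection cycle, then check for failures.
Approve-PilotUpdates | Format-Table -AutoSize
Get-PilotInstallFailures
```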

Demonstration: Review WSUS Group Policy Settings

In this demonstration, you will review the WSUS Group Policy settings.

Demonstration Steps
1. Open the Group Policy Management Console.
2. View Group Policy settings for WSUS.

Lesson 4

Troubleshooting Windows Server

When a system failure or an event that affects system performance occurs, you must be able to repair the
problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern
network environment, the ability to determine the cause quickly often depends on having a logical and
comprehensive troubleshooting methodology. You must also understand the tools available to determine
the cause and make corrections to the environment if applicable.

Lesson Objectives
After completing this lesson, you will be able to:

Develop a troubleshooting methodology.

Describe troubleshooting stages.

Select troubleshooting tools.

Troubleshoot component areas.

Use Windows tools to troubleshoot problems.

Developing a Troubleshooting Methodology


Troubleshooting a problem, especially when you deal with technology, can be a multistep process involving
many potential root causes and several attempts to resolve the issue before the actual cause is determined.
From collecting information to testing possible fixes to making sure that fixes work correctly and can be
maintained, a troubleshooting methodology can help your troubleshooting process remain organized and
efficient.
Key concepts and practices must be understood and observed throughout the troubleshooting process to
make sure that the issue is resolved in the most effective way possible.
Assessment of Impact

Understanding how an issue affects the network environment and the operations of your organization is a
very important part of the troubleshooting process. An issue that affects critical services, such as
point-of-sale operations in a busy retail store, might have to have a temporary partial fix or workaround
implemented until the cause of the issue can be determined and corrected.
As the troubleshooting process continues, the temporary fix might have to be reassessed to make sure
that it is supporting the rest of the environment as effectively as possible. Finally, after the original issue is
determined and corrected, a method for replacing the temporary fix with the permanent solution has to
be determined and implemented in a way that has the least effect on your organization's operations.
Communication

Almost every issue that you troubleshoot will affect at least one person in your organization. Those
affected have to know specifically how the issue will affect them going forward. In addition, they should
be informed about the progress of the troubleshooting process, time estimates for resolution, and process
changes that might be required of them because of a temporary fix. When the issue is corrected and the
environment returned to a completely functioning state, they also have to be notified that the issue is
resolved. All of these items fall under the category of communication.
Communication is one of the most critical components in the troubleshooting process and is frequently
overlooked. Communication might consist of direct conversations, telephone calls, email messages, or the
updating of a Help Desk ticket with troubleshooting progress.

If several people are affected by an issue, your communication methods might have to be adjusted to
make sure that the information is reaching those affected as efficiently as possible. For example, if an issue
affects a department, you might designate one person from that department, such as a manager, to
communicate with directly. Any information about the troubleshooting process is then relayed by the
manager to the other people in the department. This lets you focus on the troubleshooting process, and
assigns responsibility to the manager for making sure that the staff members know the status and
progress of the troubleshooting process.
Documentation

Throughout the troubleshooting process, documentation must be maintained at all levels. Initial
symptoms, affected people and systems, potential causes, and both failed and successful tries to resolve
the issue have to be recorded and appropriately documented to make sure that you make forward
progress in the troubleshooting process.

Failing to document the troubleshooting process could result in overlooked symptoms,
miscommunication or communication breakdown, failed solutions being tried multiple times, or even the
return to seemingly normal operation without knowing the specifics of the resolution or if a permanent fix
was completed. After an issue is resolved, documenting the resolution and the steps taken to achieve that
resolution can help you speed up the troubleshooting process of similar issues.

Stages of a Typical Troubleshooting Methodology


In any troubleshooting methodology, especially one where multiple people might be involved in the
troubleshooting process, you must have an established troubleshooting process. Using this process, the
issue that is raised is taken through several stages, each bringing the issue closer to the final resolution.

1. Define the issue. The first step in the troubleshooting process is to correctly define the issue. This
   means making sure that you have obtained specific information about the symptoms observed by those
   experiencing the issue. This could consist of physical descriptions from end-users ("my screen went
   blank when I clicked the Start button") or your own observation of the issue. Making sure that you
   understand the scope and the facts of the issue is very important. Incorrect or incomplete information
   could lead to incorrect assumptions about how to troubleshoot the issue and could potentially result in
   the elimination of all assumed root causes without an actual resolution.

2. Gather initial information. The next step in the process is to collect appropriate information about
   the issue. Typically, this consists of actions like extended observation of the symptoms, running
   diagnostic tests on affected hardware and software, or obtaining technical information from vendors
   or suppliers of affected items.

3. Determine probable causes of the issue. After the appropriate information is collected, a list of
   probable causes has to be recorded and typically ranked. This makes sure that the most probable
   causes are investigated first. As the troubleshooting process continues, the causes are tested one by
   one. This could lead to the removal of causes other than the cause being tested. It might also lead to
   new causes being added to the list because of more information collected during testing.

4. Develop a plan of action. Next, you should determine a plan of action to test for the most probable
   cause or causes. This plan can involve one or more steps, and should be documented to make sure
   that it is performed correctly and that it can be repeated if it is necessary later in the troubleshooting
   process. Also, your plan should allow for rollback after implementation in case the plan of action does
   not resolve the issue.

5. Implement the plan of action. After a plan is established, the plan should be implemented and the
   process documented.

6. Test the results of the plan of action. After the implementation of the plan is completed, you
   should test the environment to determine whether the issue is corrected. You should also make sure
   that related systems and users are not negatively affected by the results of the plan of action.

7. Document the results of the plan of action and repeat the plan steps if necessary. The results of
   your plan of action should then be documented. If the result of the plan of action corrected the
   matter satisfactorily, you should carry on to the last step of closing the issue and completing the
   documentation. If your plan of action was unsuccessful, you should roll back the plan of action steps.
   Then move on to the next probable cause on the list and begin the plan of action steps for that
   cause, repeating the process until the cause is determined and resolution is achieved.

8. Record the issue as resolved and complete documentation. After you have determined the issue
   as resolved, any temporary fixes or workarounds should be removed and affected users should be
   informed of the resolution. In addition, the documentation of the resolution and steps taken in the
   troubleshooting process should be finished and recorded in a manner that allows for later reference
   or cataloging. This can be through a Help Desk ticketing application, a Microsoft Word document or
   Microsoft Excel spreadsheet, or a written record in a notebook.


Summary

When these steps are observed and performed correctly, your troubleshooting process will follow a logical
and thorough methodology that will help you resolve an issue quickly and efficiently, in addition to
equipping you with the ability to quickly resolve the issue should it occur again in your environment.

Troubleshooting Component Areas

Early in the troubleshooting process, you will try to determine the cause of the problem. Typically, the
problem will be with some component of the computer and its associated hardware, software, and
environment. These elements can be classified into several system component categories. By trying to
determine which system component is causing a problem, you are using the subtractive approach to
troubleshooting. For example, if the computer will not start, you might determine whether the cause could
be hardware related, such as a hard disk failure, or operating system related, such as a missing startup file.
However, you must consider that a combination of components in different categories can cause some
issues. The following sections look more closely at the main system components.
Operating System

Faults or corruptions in the system registry or with system services can result in operating system-related
problems. The operating system controls user and application access to the computer hardware. The
operating system is composed of device drivers, services, security components, applications, network
components, and the configuration that links these components together. However, for troubleshooting,
you should consider the operating system as just the base elements (startup files, startup configuration
components, and operating system services) and not the security, application, or network elements.
Operating system faults frequently manifest during the computer startup process. For example, if a user
accidentally deletes a critical startup file, the operating system will be unable to start. If you install a new
operating system service pack or update, it might introduce unexpected problems. Therefore, it is
important to test all service packs and updates before you deploy them.
Hardware

For the purposes of troubleshooting, hardware-related problems include problems with the physical
computer, attached peripherals and devices, and device drivers related to these components. Computers
are generally very reliable, but certain components are more prone to failure than others. Components
with moving parts, such as disk drives and power supplies, can wear out. These problems can easily be
identified and fixed.

Other hardware-related issues can occur because of incompatible devices or device conflicts. To
communicate with the rest of the computer, the operating system allocates each device a unique
configuration. Occasionally, the operating system cannot provide the device configuration. This can result
in device failure or computer startup failure.
Network Components

You can define any network configuration as a network component. For example, the TCP/IP
configuration is a network component. Therefore, problems related to a computer's IP address, subnet
mask, and default gateway are all network component-related. Many network component problems with
server computers can manifest at client computers, in the form of applications or operating system
components operating in an unexpected way because of a lack of network connectivity. Therefore, it can
be difficult to determine exactly where a network component problem is.
Security

Fundamentals of a Windows Server Infrastructure

When a user cannot access a resource, or when a user can access a resource from which they should be
restricted, there is a security-related issue. Some security-related problems manifest as network
component problems. For example, a firewall misconfiguration might prevent users from reaching
resources to which they should have access. Data encryption and authentication issues can also result in
security problems.

Problems can also occur because users have elevated administrative rights, or more privileges than they
need on important files or folders. For example, a user who has Full Control of the Windows system
folder might accidentally delete sensitive system files, leaving the operating system unstable or unusable.
Granting users only the rights their role requires reduces both the chance of such accidents and the
damage a compromised account can do.
Applications

Application-related problems are those specifically related to the application programs installed and used
by the users. Many of these problems result from misuse of the application by the user, or from the user
trying to do something with the application that the application does not support. User training should
minimize these kinds of problems.
If a user reports a problem with an application and misuse has not caused the problem, the problem's
cause might be a software error or bug. You can read the application's documentation to determine
whether this is a known problem and whether service packs or hotfixes exist that will eliminate the
problem.

Users who report performance problems with applications might have hardware-related problems instead
of an application problem. The computer might require more memory, or the computer's disk might be
fragmented. You can usually tell whether a problem is hardware performance-related because hardware
performance problems typically affect more than one application.
Application incompatibility issues can also cause significant problems. A specific combination of
applications running at the same time could cause operating system failures and data loss. You can avoid
application incompatibility issues by deploying only applications that you have tested in combination,
and by restricting end users from installing additional applications.

Windows Server Troubleshooting Tools


When you are troubleshooting issues in Windows Server 2012, detailed and correct information is your
most valuable asset in determining and resolving the issue. The more information that you have available
about the issue, the more likely you are to be able to determine both the most probable cause and the
most effective solution. Windows Server 2012 contains several built-in tools that help you collect
information about the server environment and identify potential issues. Some of these were discussed in
Module 12, Monitoring Server Performance, but in the context of performance. The following topics
examine some of them again in the context of troubleshooting.
Event Viewer

Windows Event Viewer provides access to the Windows event logs. Event logs provide information about
system events that occur within Windows. These events include information, warning, and error messages
about Windows components and installed applications.

Maintaining Windows Server

Event Viewer provides categorized lists of basic Windows log events (application, security, setup, and
system), in addition to log groupings for individual installed applications and specific Windows
component categories. Individual events provide detailed information about the kind of event that
occurred, when the event occurred, the source of the event, and detailed technical information to help in
troubleshooting the event.

Additionally, Event Viewer lets you combine logs from multiple computers onto a centralized computer by
using subscriptions. Finally, you can configure Event Viewer to perform an action based on a specific event
or events occurring. This can include sending an email message, starting an application, or running a
script or other maintenance action that could notify you or try to resolve a potential issue.

Note: To open Event Viewer, in Server Manager, click Tools, and then select Event Viewer.
Task Manager

Windows Task Manager is the simplest and quickest way to monitor real-time resource usage and
performance information in Windows Server. Task Manager provides information about currently running
applications, processes, and services, in addition to a high-level performance view of three system
resources: CPU, memory, and network. Within Task Manager, you can also see a list of currently logged-on
users.

Note: To open Task Manager, do one of the following:

1. Press Ctrl+Shift+Esc.
2. Press Ctrl+Alt+Del, and then click Task Manager.
3. Right-click the taskbar, and then click Task Manager.

Resource Monitor

Resource Monitor provides features similar to Task Manager, but greatly enhanced. It provides a
comprehensive view of the performance of key system components (CPU, disk, network, and memory) in
both a graphical and a detailed report form. Resource Monitor provides detailed information that lets you
troubleshoot resource or performance-based issues at a very specific level.

Note: To start Resource Monitor, do one of the following:

1. In Server Manager, click Tools, and then select Resource Monitor.
2. Open Task Manager, click the Performance tab, and then click Open Resource Monitor.

Performance Monitor

Windows Performance Monitor is an MMC snap-in that lets you measure and compare the performance
of many system components. This information can be displayed graphically in real time, or collected and
reported on for a given time period. Windows accumulates the data for these components by using
objects called counters. A counter tracks information about a single component or aspect of the system
within Performance Monitor.
In addition to the default counters, applications installed on a Windows Server, such as SQL Server or
Exchange Server, can add their own counters to Performance Monitor. This lets you monitor various
aspects of those application installations.

Performance Monitor can monitor a specific set of counters over time. It can also provide detailed reports
of system performance and configuration.

Note: To start Performance Monitor, in Server Manager, click Tools, and then click
Performance Monitor.
Reliability Monitor

Reliability Monitor provides an overview of system stability and the events and changes that affect the
overall stability of a system. It tracks software installation and uninstallation, Windows failures, application
failures, and hardware failures.

Reliability Monitor calculates a System Stability Index that shows in graph form whether unexpected
problems reduced the system's reliability. It assesses the computer's overall stability on a scale of 1 to 10.
The accompanying System Stability Report provides details to help identify the specific changes that
reduced reliability, and it can be saved in XML format.

Note: To start Reliability Monitor, do one of the following:

1. Open Control Panel. Click System and Security, open Action Center, expand the Maintenance
   section, and then click the View reliability history link.
2. Open a Command Prompt, type perfmon /rel, and then press Enter.

Command-Line Tools and Windows PowerShell

Depending on the component in question, different command-line tools apply. For example, for
network-related issues, tools such as ping, nslookup, nbtstat, and ipconfig are all relevant and important
in narrowing down the cause of a problem.

As roles and features are installed on servers, some of them bring their own command-line tools. Some
of the directory services toolsets can be useful in troubleshooting.

Windows PowerShell functionality has also been greatly extended in Windows Server 2012. There are now
cmdlets for most roles and features. If you are unsure how to obtain information about a specific role or
feature, look for the corresponding Windows PowerShell cmdlets and see whether there is data that can
be obtained by using Windows PowerShell that is not available elsewhere. Using a command in the
format Help *XYZ* (or Get-Command *XYZ*) can help identify relevant cmdlets. This lets you drill down
into the individual cmdlet functionality.
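The following script is an added example and is not part of the original courseware: it gathers, from an elevated Windows PowerShell prompt, the same information the Event Viewer, Task Manager, Resource Monitor and Performance Monitor topics above describe, and ends with the cmdlet discovery the paragraph recommends. The 24-hour window, the counter list and the keyword Wsus are choices made for this example, not values from the course.

```powershell
# Added example, not from the courseware. Run in an elevated Windows PowerShell
# (3.0 or later, as shipped with Windows Server 2012) session on the server.

function Get-RecentProblemEvents {
    # Critical (1) and Error (2) events from the last $Hours hours, grouped by
    # source and event ID. FilterHashtable is applied by the event log service,
    # which is much faster than piping every event through Where-Object.
    param(
        [string[]]$LogName = @('System', 'Application'),   # example default
        [int]$Hours = 24                                    # example default
    )
    $filter = @{ LogName = $LogName; Level = 1, 2; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
            [pscustomobject]@{
                Count    = $_.Count
                Source   = $latest.ProviderName
                EventId  = $latest.Id
                LastSeen = $latest.TimeCreated
                Message  = ("$($latest.Message)" -split "`r?`n")[0]   # first line only
            }
        }
}

function Get-PerformanceSnapshot {
    # The counters behind Task Manager's and Resource Monitor's CPU, memory and
    # disk views, averaged over three one-second samples so a single spike is
    # not mistaken for a sustained problem.
    $counters = '\Processor(_Total)\% Processor Time',
                '\System\Processor Queue Length',
                '\Memory\Available MBytes',
                '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    (Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 3).CounterSamples |
        Group-Object Path |
        ForEach-Object {
            [pscustomobject]@{
                Counter = $_.Name -replace '^\\\\[^\\]+', ''        # drop the machine name
                Average = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2)
            }
        }
}

function Get-StoppedAutomaticServices {
    # Services set to start automatically that are not running: a frequent cause
    # of "the server is up but the role does not answer". WQL is used so the
    # script also works on Windows Server 2012, where Get-Service has no
    # StartType property.
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Find-RoleCmdlet {
    # The "Help *XYZ*" discovery from the text, restricted to cmdlets and functions.
    param([Parameter(Mandatory)][string]$Keyword)
    Get-Command -Name "*$Keyword*" -CommandType Cmdlet, Function |
        Sort-Object ModuleName, Name |
        Select-Object ModuleName, Name
}

# Usage
Get-RecentProblemEvents         | Format-Table -AutoSize
Get-PerformanceSnapshot         | Format-Table -AutoSize
Get-StoppedAutomaticServices    | Format-Table -AutoSize
Find-RoleCmdlet -Keyword 'Wsus' | Format-Table -AutoSize    # example keyword
```

Grouping events by source and ID before reading them is what turns a log of thousands of entries into a short list of distinct problems; read the Security log the same way (Get-WinEvent -LogName Security) when the symptom is an access failure rather than a crash, because a failed logon or audit failure often explains a "network" problem faster than the System log does.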
External Sources

In addition to the troubleshooting tools included with Windows, external sources such as product
manuals, vendor websites, or community forums or discussion groups can be used to provide additional
resources for the troubleshooting process.
Microsoft regularly produces Knowledge Base Articles (KB Articles), which document known issues and
provide workarounds or sometimes fixes for the issues.
General Microsoft support is available at the following website.
http://support.microsoft.com

Demonstration: How to Use Windows Tools to Help Troubleshoot Windows Server Problems

In this demonstration, you will see how to use various Windows troubleshooting tools.

Demonstration Steps
1. Open and view Event Viewer.
2. Open and view Task Manager.
3. Open and view Resource Monitor.


Lab: Maintaining Windows Server


Scenario

Several troubleshooting tickets have been submitted to you to correct. Three separate issues exist in the A.
Datum company network.

Objectives
After completing this lab, you will be able to:

Troubleshoot the startup process.

Install and configure Windows Server Update Services.

Collect information to start the troubleshooting process.

Lab Setup
Estimated Time: 90 minutes
Virtual Machines: 10967A-LON-DC1, 10967A-LON-CL1 and 10967A-LON-SVR5
User Name: ADATUM\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click the Hyper-V Manager icon on the bottom toolbar.
2. In Hyper-V Manager, click 10967A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: ADATUM
5. Repeat the preceding steps to start 10967A-LON-CL1.
6. 10967A-LON-SVR5 is intentionally broken for this troubleshooting exercise. Do not start that
   virtual machine until you are instructed to do so during the lab, and then follow the steps
   outlined there closely.

IMPORTANT: Internet access is also required for Exercise 1. The 10967A-LON-DC1 virtual machine needs
to be able to reach the Windows Update service, so the MSL-TMG server must be up and running to
complete Exercise 1. MSL-TMG is available for download from the MCT Download Center, and the steps
for setting it up are in the MSL-TMG setup guide.

Exercise 1: Installing and Configuring Windows Server Update Services


Scenario

You are forwarded a request to install and configure a WSUS server in A. Datum's London location and
to test the configuration by configuring a client computer to receive automatic updates from the WSUS
server.

Supporting Documentation
A. Datum Add Request
Request Reference Number: 10527
Requested by: Nancy Anderson
Date of request: May 17
Assigned to: You
Status: OPEN
Request Details:
Configure WSUS for local distribution of updates for the London office:
1. Install WSUS on 10967A-LON-DC1.
2. Complete the post-installation configuration.
3. Complete the WSUS Configuration Wizard.
4. Install the Report Viewer prerequisites.
5. Configure the test client LON-CL1 to receive updates from the newly configured WSUS server.
6. Test the configuration by installing updates on LON-CL1.

The main tasks for this exercise are as follows:
1. Install the Windows Server Update Services role and required features.
2. Complete WSUS post-configuration tasks.
3. Complete the Windows Server Update Services Configuration Wizard.
4. Prepare synchronized reporting.
5. Configure Group Policy to enable WSUS across the domain.
6. Perform verification checks on the WSUS client.
7. Create computer groups, and add client computers.
8. Approve a Critical Update for Windows 8 operating system clients.
9. Query the WSUS server for available updates from the Windows 8 client.
10. View WSUS reports.

Task 1: Install the Windows Server Update Services role and required features
1. Ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the
   password Pa$$w0rd.
2. Install the Windows Server Update Services role and the .NET Framework 3.5 feature by using the
   Add Roles and Features Wizard.

Task 2: Complete WSUS post-configuration tasks
1. On 10967A-LON-DC1, in Server Manager, click the Notifications flag and open the task details.
2. Carry out the Post-Deployment Configuration tasks.
3. When they have completed successfully, open the Windows Server Update Services management console.

Task 3: Complete the Windows Server Update Services Configuration Wizard
1. Still on 10967A-LON-DC1, if you have not already done so, in Server Manager click Tools and then
   select Windows Server Update Services to open the Update Services management console.
2. Complete the Windows Server Update Services Configuration Wizard with the following settings:
   Choose Upstream Server: Synchronize from Microsoft Update
   Specify Proxy Server: accept the defaults
   Choose Languages: English only
   Choose Products: Windows 8 only
   Choose Classifications: Critical Updates only
   Set Sync Schedule: Synchronize manually
   Finished page: Begin Initial Synchronization

Task 4: Prepare synchronized reporting
1. On 10967A-LON-DC1, in the Update Services console, attempt to open the Synchronization Report.
2. What is the result?
3. Install Report Viewer 2008 SP1 from E:\Mod13\Labfiles.
4. Once the installation is complete, verify that you can successfully open the Synchronization Report.

Task 5: Configure Group Policy to enable WSUS across the domain
1. Still on 10967A-LON-DC1, open the Group Policy Management Console.
2. Create a new Group Policy Object (GPO) linked to the Adatum.com domain, named WSUS.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand
   Policies, expand Administrative Templates, expand Windows Components, and then click
   Windows Update.
5. Enable Configure Automatic Updates.
6. Enable Specify intranet Microsoft update service location.
7. Set both the intranet update service for detecting updates and the intranet statistics server to
   http://LON-DC1:8530
8. Why is the number 8530 specified in the URL?
9. Enable Automatic Updates detection frequency.
10. Start 10967A-LON-CL1 and sign in as ADATUM\Administrator with the password Pa$$w0rd.
11. On LON-CL1, open a Command Prompt with administrative permissions and update Group Policy
    by running the following command:
    gpupdate /force
12. Update the client with the changes made to the WSUS service by running the following command:
    wuauclt /resetauthorization /detectnow

Task 6: Perform verification checks on the WSUS client
1. Perform these tasks on 10967A-LON-CL1.
2. Ensure that the following services are running and have their Startup type set to Automatic:
   Background Intelligent Transfer Service
   Windows Update

Task 7: Create computer groups, and add client computers
1. On the 10967A-LON-DC1 virtual machine, open the Windows Server Update Services management
   console.
2. Expand All Computers and ensure that two computers are listed:
   lon-dc1.adatum.com
   lon-cl1.adatum.com
   Note: If you do not see them listed immediately, it may take a few minutes for the computers to appear.
3. Create a computer group called WSUS LON Win8 and add lon-cl1.adatum.com to that group.
4. Create a computer group called WSUS LON WS2012 and add lon-dc1.adatum.com to that group.

Task 8: Approve a Critical Update for Windows 8 operating system clients
1. Approve the following critical update:
   Update for Windows 8 for x64-based Systems (KB2768703)
2. Specify a deadline of yesterday's date to force client computers to install it straight away.

Task 9: Query the WSUS server for available updates from the Windows 8 client
1. Ensure you are signed in to 10967A-LON-CL1 with the user name ADATUM\Administrator and the
   password Pa$$w0rd.
2. At the Command Prompt, run the following:
   gpupdate /force
3. After the policy has finished updating, run the following:
   wuauclt /resetauthorization /detectnow
4. Open the Windows Update log file C:\Windows\WindowsUpdate.log in Notepad and verify that the
   client has connected successfully to the WSUS web services.
5. Back on 10967A-LON-DC1, verify that there are events in Event Viewer from WSUS indicating that
   clients have connected successfully.
6. Return to 10967A-LON-CL1.
7. Verify that Update for Microsoft Windows (KB2768703) is listed as installed in Control Panel, under
   Programs.

Note: It may take several minutes for the client to connect and for the update to be installed. Proceed
to the next exercises and complete those while waiting for the client to be updated. Once you have
completed those exercises, return here to verify that the update has been applied successfully.

Task 10: View WSUS reports
1. Switch back to 10967A-LON-DC1.
2. Run a Computer Detailed Status report to view updates for 10967A-LON-DC1.

Results: At the end of this exercise, you will have configured Windows Server Update Services (WSUS) to
manage updates.
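The script below is an added example, not part of the lab: it performs the same Exercise 1 work (Tasks 1 to 3 and 5 to 9) from Windows PowerShell, which is how you would repeat the configuration consistently on more than one server. Names follow the lab (LON-DC1, the WSUS GPO, the two computer groups, KB2768703); the content directory C:\WSUS and the one-hour detection frequency are assumptions the lab leaves open. The Approve step uses the WSUS administration API directly because the Approve-WsusUpdate cmdlet does not take a deadline.

```powershell
# Added example, not from the lab text. Run each function on the machine named in
# its comment, from an elevated Windows PowerShell session (Windows Server 2012+).

function Install-LabWsusServer {                 # LON-DC1: Tasks 1, 2, 3 and 7
    param([string]$ContentDir = 'C:\WSUS')       # assumed path; the lab does not name one
    # Tasks 1 and 2: the role, the .NET 3.5 feature, and the post-deployment step
    # that Server Manager otherwise flags in its notification area.
    Install-WindowsFeature -Name UpdateServices, NET-Framework-Core -IncludeManagementTools
    New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir
    # Task 3: the Configuration Wizard choices.
    $wsus = Get-WsusServer
    Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU
    $config = $wsus.GetConfiguration()
    $config.AllUpdateLanguagesEnabled = $false
    $config.SetEnabledUpdateLanguages([string[]]@('en'))          # English only
    $config.Save()
    Get-WsusProduct -UpdateServer $wsus | Set-WsusProduct -Disable
    Get-WsusProduct -UpdateServer $wsus |
        Where-Object { $_.Product.Title -eq 'Windows 8' } | Set-WsusProduct
    Get-WsusClassification -UpdateServer $wsus | Set-WsusClassification -Disable
    Get-WsusClassification -UpdateServer $wsus |
        Where-Object { $_.Classification.Title -eq 'Critical Updates' } | Set-WsusClassification
    $subscription = $wsus.GetSubscription()
    $subscription.SynchronizeAutomatically = $false               # Synchronize manually
    $subscription.Save()
    $subscription.StartSynchronization()                          # Begin Initial Synchronization
    # Task 7: computer groups; move clients into them once they have reported in.
    foreach ($name in 'WSUS LON Win8', 'WSUS LON WS2012') {
        if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $name })) {
            $wsus.CreateComputerTargetGroup($name) | Out-Null
        }
    }
}

function New-LabWsusPolicy {                     # LON-DC1: Task 5
    param([string]$WsusUrl = 'http://LON-DC1:8530', [string]$Domain = 'DC=Adatum,DC=com')
    $wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    New-GPO -Name 'WSUS' | New-GPLink -Target $Domain | Out-Null
    # Specify intranet Microsoft update service location (update server and statistics server)
    Set-GPRegistryValue -Name WSUS -Key $wu -ValueName WUServer       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name WSUS -Key $wu -ValueName WUStatusServer -Type String -Value $WsusUrl | Out-Null
    # Configure Automatic Updates (AUOptions 4 = auto download and schedule the install)
    Set-GPRegistryValue -Name WSUS -Key "$wu\AU" -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name WSUS -Key "$wu\AU" -ValueName AUOptions    -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name WSUS -Key "$wu\AU" -ValueName UseWUServer  -Type DWord -Value 1 | Out-Null
    # Automatic Updates detection frequency, in hours (assumed value)
    Set-GPRegistryValue -Name WSUS -Key "$wu\AU" -ValueName DetectionFrequencyEnabled -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name WSUS -Key "$wu\AU" -ValueName DetectionFrequency        -Type DWord -Value 1 | Out-Null
}

function Test-LabWsusClient {                    # LON-CL1: Tasks 6 and 9
    param([string]$ExpectedUrl = 'http://LON-DC1:8530')
    gpupdate /force | Out-Null
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $report = [ordered]@{
        WUServer      = $wu.WUServer
        PolicyApplied = ($wu.WUServer -eq $ExpectedUrl -and $au.UseWUServer -eq 1)
    }
    foreach ($svc in 'BITS', 'wuauserv') {       # Task 6: Automatic start type and running
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc
        $report[$svc] = (Get-Service -Name $svc).Status
    }
    wuauclt.exe /resetauthorization /detectnow   # Task 9: re-register with WSUS and scan now
    # Windows 8 keeps a plain-text log; the server the agent actually contacted is recorded there.
    $report.LogSays = (Select-String -Path "$env:windir\WindowsUpdate.log" -Pattern 'WSUS server: ' |
        Select-Object -Last 1).Line
    [pscustomobject]$report
}

function Approve-LabCriticalUpdate {             # LON-DC1: Task 8, after the sync has finished
    param([string]$Kb = 'KB2768703', [string]$GroupName = 'WSUS LON Win8')
    $wsus  = Get-WsusServer
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval Unapproved |
        Where-Object { $_.Update.Title -like "*$Kb*" } |
        ForEach-Object {
            # A deadline in the past makes clients install at their next detection, as the lab asks.
            $_.Update.Approve('Install', $group, (Get-Date).AddDays(-1)) | Out-Null
        }
}

# Usage:  Install-LabWsusServer; New-LabWsusPolicy        (on LON-DC1)
#         Test-LabWsusClient | Format-List                 (on LON-CL1)
#         Approve-LabCriticalUpdate                        (on LON-DC1, once synchronized)
```

Two caveats for anything outside this lab. First, port 8530 is plain HTTP: a client that fetches update metadata over HTTP trusts whatever is on the network path, so in production configure the server with a certificate the clients trust (wsusutil configuressl) and point WUServer and WUStatusServer at https://<server FQDN>:8531. Second, the lab installs WSUS on a domain controller for convenience; in production keep it on a member server so that an IIS or database compromise does not land on the DC.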

Exercise 2: Troubleshooting the Startup Process


Scenario

A Help Desk Incident Record has been forwarded to you for resolution by the A. Datum Help Desk
support team. Users in the London office have reported being unable to access network resources on a
specific server. You have been asked to review the Incident Record, resolve the issue, and complete the
Incident Record.
Supporting documentation
A. Datum Incident Record
Incident Reference Number: 501285
Call logged by: John Peoples
Date of call: May 15
Time of call: 11:45
User: Daniel Roth
Status: OPEN
Incident Details:
Call logged by IT Help Desk. Branch users cannot access shared files on 10967A-LON-SVR5.
1. File shares are not available over the network.
2. Cannot connect to 10967A-LON-SVR5 with Remote Desktop Connection.
3. Cannot ping the 10967A-LON-SVR5 IP address.
4. All other network resources in the branch location are functioning correctly.

Preliminary Questions:
1. Where is the best place to troubleshoot this problem from?
2. What considerations should be made about 10967A-LON-SVR5 and the people and services that
   depend on the services provided by 10967A-LON-SVR5?

Assessment Questions:
1. What is the error message displayed on 10967A-LON-SVR5?
2. What could the possible causes of this error message be?
3. What tool should you use to try to resolve the problem that is causing the error message?
4. How can you access these tools?

Resolution Questions:
1. How did you resolve the problem?
2. What should the next steps in the troubleshooting process be?

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Investigate startup issues on a Windows Server.
3. Resolve the issue on the Windows Server and complete the Incident Record.

Task 1: Read the supporting documentation
1. Read the Incident Record to determine possible troubleshooting methods.
2. Where is the best place to troubleshoot this problem from?
3. What considerations should be made about 10967A-LON-SVR5 and the people and services that
   depend on the services provided by 10967A-LON-SVR5?

Task 2: Investigate startup issues on a Windows Server
1. Connect to the 10967A-LON-SVR5 virtual machine.
2. You will be prompted to Press any key to boot from CD or DVD as the virtual machine starts.
   Do not press anything; allow the virtual machine to start without any intervention.

Note: The virtual machine has the Windows Server 2012 evaluation ISO attached to assist with steps
required later in the lab. As a result, the 10967A-LON-SVR5 virtual machine displays the prompt Press
any key to boot from CD or DVD each time it starts. Do not press a key to boot into the installation
files unless the lab steps explicitly tell you to do so.
3. Observe the error message displayed on 10967A-LON-SVR5 and answer the Assessment Questions
   in the Incident Record.
4. What is the error message displayed on 10967A-LON-SVR5?
5. What could the possible causes of this error message be?
6. What tool should you use to try to resolve the problem that is causing the error message?
7. How can you access these tools?

Task 3: Resolve the issue on the Windows Server and complete the Incident Record
1. Start the 10967A-LON-SVR5 virtual machine.
2. As in the previous task, you will be prompted to Press any key to boot from CD or DVD as the
   virtual machine starts.
3. This time, press Enter and allow the virtual machine to boot into the installation files.
4. At the Install Windows dialog box, click Next, and then click the Repair your computer link.
5. In the System Recovery Options dialog box, select Troubleshoot.
6. Proceed to the Command Prompt.
7. Use bcdedit to view the current BCD store.
8. Use bootrec to scan for the operating system.
9. Use bootrec to rebuild the BCD store with the newly found operating system entry.
10. Restart the server and verify that it now starts successfully.
11. Answer the Resolution Questions on the Incident Record.
12. How did you resolve the problem?
13. What should the next steps in the troubleshooting process be?
14. Revert the 10967A-LON-SVR5 virtual machine.
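As an added illustration (not part of the lab text), the commands behind steps 7 to 9 above, with the safety and verification steps a practitioner adds around them. bcdedit and bootrec are the same executables whichever prompt in WinRE runs them; the explanations are written as PowerShell comments, so type only the commands themselves into the WinRE Command Prompt. The export path X:\bcd-backup and the store path C:\Boot\BCD are assumptions (X: is the WinRE RAM drive; the drive letters of the repaired system differ inside WinRE).

```powershell
# Added example, not from the lab. Commands for the WinRE Command Prompt; the
# comments explain each step and are not typed.

bcdedit /enum                  # 1. Record what the boot manager knows now (lab step 7).
bcdedit /export X:\bcd-backup  # 2. Keep a copy so the rebuild can be undone with bcdedit /import.
                               #    This fails if the store itself is missing or corrupt, which is
                               #    one cause of the startup error you saw in Task 2.
bootrec /scanos                # 3. List Windows installations the store does not reference (step 8).
bootrec /rebuildbcd            # 4. Rebuild the store; answer Y (or A) to add each installation it found (step 9).
bcdedit /enum                  # 5. Confirm a Windows Boot Loader entry now points at the Windows volume.

# If bcdedit reports that the boot configuration data store could not be opened,
# name the store explicitly; C:\Boot\BCD is a BIOS-system example, the letter varies in WinRE:
#   bcdedit /store C:\Boot\BCD /enum
# If bootrec /scanos finds "Total identified Windows installations: 0", check the
# volume before retrying the rebuild:
#   chkdsk C: /f
#   bootrec /fixboot
```

Note that the same recovery prompt that repairs this server gives anyone who can boot it from removable media an offline command prompt over its disks, which is why firmware boot order, firmware passwords and BitLocker on the system volume matter for servers that are not physically secured.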

MCT USE ONLY. STUDENT USE PROHIBITED

Fundamentals of a Windows Server Infrastructure

13-39

Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.

Exercise 3: Gathering Information to Start the Troubleshooting Process


Scenario
You are asked to examine possible performance issues with LON-SVR2.

You know that the server LON-SVR2 experiences low network traffic and has limited disk activity, but the
Help Desk is receiving many reports that the server is slow.
Later that week, the Help Desk receives reports that the server is running slow again. You know that the
server LON-SVR2 is not running processor-intensive applications so you remotely run a System
performance data collector set on LON-SVR2 and now need to analyze those logs to try to identify any
problems that could be affecting performance.
Supporting Documentation
A. Datum Incident Record PART A (Complete for Task 1)
Incident Reference Number: 501289
Call logged by: John Peoples
Date of call: May 19, 12:10 PM
User: Daniel Roth
Status: OPEN
Incident Details:
Call logged by IT Help Desk. Users report LON-SVR2 is running slow. Performance Monitor logs are
stored in E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartA.blg
Resolution Questions:
1. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer to the previous question, what steps (using a troubleshooting
   methodology) would you take to continue the troubleshooting process?

A. Datum Incident Record PART B (Complete for Task 2)
Incident Reference Number: 501290
Call logged by: John Peoples
Date of call: May 19, 1:15 PM
User: Daniel Roth
Status: OPEN
Incident Details:
Call logged by IT Help Desk. Users report LON-SVR2 is running slow. Performance Monitor logs are
stored in E:\Mod13\Labfiles\Captures\10967A-LON-SVR2-LAB13-PerfLog-PartB.blg
Resolution Questions:
1. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
2. Keeping in mind your answer to the previous question, what steps (using a troubleshooting
   methodology) would you take to continue the troubleshooting process?

The main tasks for this exercise are as follows:
1. Examine the Performance Monitor logs for the first issue and answer the resolution questions for
   Part A.
2. Examine the Performance Monitor logs for the second issue and answer the resolution questions for
   Part B.

Task 1: Examine the Performance Monitor logs for the first issue and answer the resolution questions
for Part A
1. Ensure you are signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and the
   password Pa$$w0rd.
2. Use Performance Monitor to open the log file
   E:\Mod13\LabFiles\Captures\ADATUM-LON-SVR2-System-Perf-Data-PartA.blg on the server.
3. Add the following counters and examine them:
   Processor - % Processor Time (Instance 0)
   System - Processor Queue Length
   Process - % Processor Time (All Instances)
4. Complete the resolution questions in Part A of the Incident Record.
5. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
6. Keeping in mind your answer to the previous question, what steps (using a troubleshooting
   methodology) would you take to continue the troubleshooting process?
7. Close Performance Monitor.

Task 2: Examine the Performance Monitor logs for the second issue and answer the resolution
questions for Part B
1. Ensure you are still signed in to 10967A-LON-DC1 with the user name ADATUM\Administrator and
   the password Pa$$w0rd.
2. Use Performance Monitor to open the log file
   E:\Mod13\LabFiles\Captures\ADATUM-LON-SVR2-System-Perf-Data-PartB.blg on the server.
3. Examine the following counters:
   PhysicalDisk - Avg. Disk Queue Length (Instance 0 C:)
   PhysicalDisk - Current Disk Queue Length (Instance 0 C:)
   PhysicalDisk - Disk Transfers/sec (Instance 0 C:)
   Process - IO Data Bytes/sec (All Instances)
4. Complete the resolution questions in Part B of the Incident Record.
5. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?
6. Keeping in mind your answer to the previous question, what steps (using a troubleshooting
   methodology) would you take to continue the troubleshooting process?
7. Close Performance Monitor.
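The following script is an added example and not part of the lab: it performs the Task 1 and Task 2 analysis with Import-Counter instead of the Performance Monitor GUI, which is how you would examine a capture from a server you cannot open a console on. The thresholds are common rules of thumb, not values from the course: a processor queue sustained above 2 per logical CPU, or a disk queue sustained above 2 per spindle, indicates a bottleneck, and % Processor Time above 80 is the usual CPU warning level. The capture file names are taken from Tasks 1 and 2 (the Incident Records spell them differently; use whatever is actually on the E: drive).

```powershell
# Added example, not from the lab. Requires the .blg files named in Tasks 1 and 2.

function Get-CounterSummary {
    # Average, peak and the share of samples above threshold for every non-Process
    # counter in the log. A high share means sustained load; a high peak with a low
    # share means a spike that is unlikely to explain a "server is slow" report.
    param([Parameter(Mandatory)][string]$Path)
    $thresholds = @{                                   # rules of thumb, see lead-in
        '% processor time'          = 80
        'processor queue length'    = 2
        'avg. disk queue length'    = 2
        'current disk queue length' = 2
    }
    (Import-Counter -Path $Path -ErrorAction Stop).CounterSamples |
        Where-Object { $_.Status -eq 0 -and $_.Path -notmatch '\\process\(' } |
        Group-Object Path |
        ForEach-Object {
            $values = @($_.Group.CookedValue)
            $name   = ($_.Name -split '\\')[-1].ToLower()
            $limit  = $thresholds[$name]
            $over   = if ($limit) { @($values | Where-Object { $_ -gt $limit }).Count } else { 0 }
            [pscustomobject]@{
                Counter   = $_.Name -replace '^\\\\[^\\]+', ''     # drop the machine name
                Samples   = $values.Count
                Average   = [math]::Round(($values | Measure-Object -Average).Average, 2)
                Peak      = [math]::Round(($values | Measure-Object -Maximum).Maximum, 2)
                Threshold = $limit
                PctOver   = if ($limit) { [math]::Round(100 * $over / $values.Count, 1) } else { $null }
            }
        } | Sort-Object PctOver -Descending
}

function Get-TopProcess {
    # Which process is responsible: Process(*)\% Processor Time for Part A,
    # Process(*)\IO Data Bytes/sec for Part B. _Total and Idle are excluded.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('% Processor Time', 'IO Data Bytes/sec')][string]$Metric = '% Processor Time',
        [int]$Top = 5
    )
    $pattern = '\\process\([^)]+\)\\' + [regex]::Escape($Metric) + '$'
    (Import-Counter -Path $Path -ErrorAction Stop).CounterSamples |
        Where-Object { $_.Status -eq 0 -and $_.Path -match $pattern -and
                       $_.InstanceName -notin '_total', 'idle' } |
        Group-Object InstanceName |
        ForEach-Object {
            [pscustomobject]@{
                Process = $_.Name
                Average = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2)
                Peak    = [math]::Round(($_.Group.CookedValue | Measure-Object -Maximum).Maximum, 2)
            }
        } | Sort-Object Average -Descending | Select-Object -First $Top
}

# Usage
$captures = 'E:\Mod13\LabFiles\Captures'
Get-CounterSummary -Path "$captures\ADATUM-LON-SVR2-System-Perf-Data-PartA.blg" | Format-Table -AutoSize
Get-TopProcess     -Path "$captures\ADATUM-LON-SVR2-System-Perf-Data-PartA.blg" | Format-Table -AutoSize
Get-CounterSummary -Path "$captures\ADATUM-LON-SVR2-System-Perf-Data-PartB.blg" | Format-Table -AutoSize
Get-TopProcess     -Path "$captures\ADATUM-LON-SVR2-System-Perf-Data-PartB.blg" `
                   -Metric 'IO Data Bytes/sec' | Format-Table -AutoSize
```

Read PctOver before Peak: a counter that spends most of the capture above its threshold is the bottleneck, and Get-TopProcess then names the consumer. On a server that, as the scenario says, should not be running anything processor- or disk-intensive, an unfamiliar process at the top of that list is also worth checking against its binary path and the Security log before you treat it as a mere performance issue.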

Results: After this exercise, you should have collected information to start the troubleshooting process.
Question: If, after a network adapter installation on a server, Windows startup failed while
the splash screen was displayed, which startup based tool would you use to troubleshoot the
issue?
Question: What would be the most efficient way to configure hundreds of clients in a
Windows domain to receive updates from a newly installed WSUS server?

Module Review and Takeaways


Review Questions
Question: What is the key functionality of a boot loader?
Question: How does fault-tolerant hardware provide for high availability, provided the hardware is
supported by Windows Server 2012?
Question: What benefits does Performance Monitor offer over Resource Monitor?

Tools

Tool: BCDEdit
Use for: Editing the Windows Boot Configuration Data (BCD) store.
Where to find it: From the command line, type bcdedit.

Tool: Chkdsk
Use for: Checking the file system and disk for unreadable or corrupted sectors.
Where to find it: From the command line, type chkdsk.

Tool: WSUS
Use for: Managing Windows Updates in the enterprise through centralized control of the Windows
Update process.
Where to find it: In Windows Server 2012, install the Windows Server Update Services server role from
Server Manager. Documentation is available from the Windows Server Update Services home page, and
earlier versions from the Microsoft Download Center.

Tool: Windows Recovery Environment
Use for: Repairing various aspects of a Windows Server.
Where to find it: Select Repair Your Computer from the F8 Advanced Boot Options menu, or select
Repair your computer when booting from Windows installation media.

Tool: Last Known Good Configuration
Use for: Loading the system registry settings saved from the last successful system startup.
Where to find it: Select Last Known Good Configuration from the F8 Advanced Boot Options menu.

Tool: Safe mode
Use for: Loading Windows Server with a minimal set of drivers and services for troubleshooting.
Where to find it: Select one of the Safe Mode options from the F8 Advanced Boot Options menu.

Tool: Windows Server Backup (wbadmin.exe)
Use for: Backing up Windows Server computers.
Where to find it: Click Start, type Windows Server Backup in the Start Search field, and then press
Enter. You can also run wbadmin.exe from the command line.

Tool: Windows Update
Use for: Updating operating system, device driver, and Microsoft application components.
Where to find it: Click Start, type Windows Update in the Start Search field, and then press Enter.

Tool: Event Viewer
Use for: Viewing Windows logs.
Where to find it: Click Start, click Administrative Tools, and then click Event Viewer.

Tool: Task Manager
Use for: Viewing basic real-time information about the Windows environment.
Where to find it: Press Ctrl+Shift+Esc.

Tool: Resource Monitor
Use for: Viewing detailed real-time information about the Windows environment.
Where to find it: From Task Manager, click the Performance tab, and then click Open Resource Monitor.

Tool: Performance Monitor
Use for: Viewing and collecting real-time and historical performance and configuration information
about the Windows environment.
Where to find it: Click Start, click Administrative Tools, and then click Performance Monitor.

Tool: Reliability Monitor
Use for: Viewing an overview of system events and relative system stability.
Where to find it: Click Start, and then in the Start Search box, type perfmon /rel, and then press Enter.

Tool: System File Checker (sfc.exe)
Use for: Scanning the integrity of all protected system files and replacing incorrect versions if
necessary.
Where to find it: From the command line, type sfc /scannow.

Tool: Wuauclt.exe
Use for: Controlling the Windows Update Automatic Updates client from the command line.
Where to find it: From the command line, type wuauclt.
Course Evaluation
Your evaluation of this course will help Microsoft
understand the quality of your learning experience.
Please work with your training provider to access the
course evaluation form.
Microsoft will keep your answers to this survey private
and confidential and will use your responses to improve
your future learning experience. Your open and honest
feedback is valuable and appreciated.

Module 1: Installing and Configuring Windows Server

Lab: Installing and Configuring Windows Server 2012
Exercise 1: Performing a Local Media-Based Installation
Task 1: Read the server installation instructions
1. Read the contents of the email message in the lab scenario.
2. Specifically, notice the installation options.

Task 2: Install Windows Server 2012
1. Attach the Windows Server 2012 installation DVD to LON-SVR4 by using these steps:
   a. Switch to Hyper-V Manager, right-click 10967A-LON-SVR4, and then click Settings.
   b. In the Settings for 10967A-LON-SVR4 dialog box, click DVD Drive in the Hardware pane.
   c. In the DVD Drive pane, select Image file, and then click Browse.
   d. Browse to C:\Program Files\Microsoft Learning\10967\Drives, click WindowsServer2012_Eval.iso,
      and then click Open.
   e. In the Settings for 10967A-LON-SVR4 dialog box, click OK.
2. In Hyper-V Manager, right-click 10967A-LON-SVR4, and then click Connect.
3. In the Virtual Machine Connection window, click the Action menu, and then click Start.
4. In the Windows Setup wizard, choose the following settings, and then click Next:
   Language to install: English (United States)
   Time and currency format: English (United States)
   Keyboard or input method: US
5. Click the Install now button.
6. Select the Windows Server 2012 Datacenter Evaluation (Server with a GUI) operating system, and
   then click Next.
7. Accept the license terms, and then click Next.
8. Click Custom: Install Windows only (advanced).
9. Install Windows Server 2012 on Drive 0, and then click Next.
10. Provide the administrator password, Pa$$w0rd, and then click Finish.

Note: Setup continues by copying and expanding files, installing features and updates, and
finishing the installation. This phase takes about 20 minutes. Your instructor might continue with
other activities during this phase.

Results: After this exercise, you should have installed a new Windows Server 2012 server.

Exercise 2: Configuring Windows Server


Task 1: Read the server post-installation configuration instructions
1. Read the contents of the email message in the lab scenario.
2. Specifically, notice the post-installation configuration options.

Task 2: Configure post-installation settings
1. If necessary, switch to the 10967A-LON-SVR4 virtual machine, and then log on as Administrator with the password Pa$$w0rd.
2. Open Server Manager, and in the navigation pane, click Local Server.
3. Configure time zone settings as specified in the email message:
   a. In the Properties area, scroll to the right side, and then click the Time zone entry.
   b. In the Date and Time dialog box, click the Change time zone button.
   c. Select (UTC) Dublin, Edinburgh, Lisbon, London, make sure that Automatically adjust clock for Daylight Saving Time is selected, and then click OK.
   d. In the Date and Time dialog box, click OK.
4. Configure networking settings as specified in the email message:
   a. In the Properties area, click the Local Area Connection entry.
   b. In the Network Connections window, right-click Local Area Connection, and then select Properties.
   c. Click Internet Protocol Version 4 (TCP/IPv4), and then click the Properties button.
   d. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Use the following IP address.
   e. Enter the following values:
      IP address: 172.16.0.30
      Subnet mask: 255.255.0.0
      Default gateway: 172.16.0.1
   f. Select Use the following DNS server addresses, and then enter the following value:
      Preferred DNS server: 172.16.0.10
   g. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click OK.
   h. In the Local Area Connection Properties window, click Close.
   i. Close the Network Connections window.
5. Configure automatic updating and feedback settings as specified in the email message:
   a. In the Properties area, click the Windows Update entry.
   b. In the Windows Update window, click Turn on automatic updates.
   c. Close the Windows Update window.
6. Configure the computer name and domain settings as specified in the email message:
   a. In the Properties area, click the Computer name value.
   b. In the System Properties window, click the Change button.
   c. In the Computer Name/Domain Changes window, type LON-SVR4 in the Computer name field.
   d. Select Domain in the Member of section, and then type Adatum.com in the Domain field.
   e. Click OK.
   f. When you are prompted for administrative account details, use ADATUM\Administrator with the password Pa$$w0rd.
   g. When the Welcome to the Adatum domain dialog box appears, click OK.
   h. When you are prompted to restart your computer to apply these changes, click OK.
   i. In the System Properties window, click Close.
   j. When you are prompted to restart, click Restart Now.

Results: After this exercise, you should have configured post-installation settings by using Server Manager.
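The same post-installation configuration from an elevated Windows PowerShell 3.0 prompt on the new server, as an added example that is not part of the original lab (the lab's own steps use Server Manager). It assumes the network adapter is named Local Area Connection as in the lab, that the domain-join credential is typed at the prompt, and that tzutil.exe and the Microsoft.Update.AutoUpdate COM object are acceptable stand-ins for the Date and Time and Windows Update dialog boxes. Run it from the Virtual Machine Connection console rather than over Remote Desktop, because changing the IP address drops a remote session.

```powershell
# Added example, not part of the original lab: Exercise 2 (time zone, static
# addressing, automatic updates, rename and domain join) from PowerShell 3.0
# on Windows Server 2012. Assumptions: the NIC is "Local Area Connection"
# as in the lab, and the join credential is entered at the prompt.
$adapter   = 'Local Area Connection'   # confirm with Get-NetAdapter
$ipAddress = '172.16.0.30'
$gateway   = '172.16.0.1'
$dnsServer = '172.16.0.10'
$newName   = 'LON-SVR4'
$domain    = 'Adatum.com'

# Time zone: tzutil.exe is the built-in tool on Windows Server 2012
# (Set-TimeZone only arrived with PowerShell 5.1). "GMT Standard Time" is the
# ID for "(UTC) Dublin, Edinburgh, Lisbon, London"; daylight saving stays on
# unless the "_dstoff" suffix is used.
tzutil.exe /s 'GMT Standard Time'
Write-Host "Time zone now: $(tzutil.exe /g)"

# Networking: drop any DHCP or APIPA configuration, then apply the static values.
Set-NetIPInterface -InterfaceAlias $adapter -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $adapter -IPAddress $ipAddress -PrefixLength 16 `
    -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $dnsServer

# Pre-flight for the domain join: the DNS server (the lab's DC) must answer,
# and DNS must return the domain's LDAP SRV record. A failure here is a
# networking or DNS problem, not a credential problem.
if (-not (Test-Connection -ComputerName $dnsServer -Count 2 -Quiet)) {
    throw "DNS server $dnsServer is not reachable; check the static address and gateway"
}
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
Write-Host "Domain controllers advertised for ${domain}: $($srv.NameTarget -join ', ')"

# Automatic updates: the Windows Update Agent's COM automation object exposes
# the same switch as "Turn on automatic updates" in the Windows Update window.
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$au.EnableService()
Write-Host "Automatic updates notification level: $($au.Settings.NotificationLevel) (4 = scheduled installation)"

# Rename and join in one operation; -Restart performs the reboot the GUI asks for.
$cred = Get-Credential -UserName 'ADATUM\Administrator' -Message "Account allowed to join $domain"
Add-Computer -DomainName $domain -NewName $newName -Credential $cred -Restart -Force
```

The order matters: the static address and DNS server are set before the join so that Add-Computer can locate a domain controller, and the SRV lookup is a cheap way to prove that before a credential is ever sent.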

Exercise 3: Convert to Server Core

Task 1: Remove the GUI from the Windows Server 2012 installation
1. If necessary, switch to 10967A-LON-SVR4, and then log on as ADATUM\Administrator with the password Pa$$w0rd.
2. Click the File Explorer icon on the bottom toolbar to confirm that the graphical user interface (GUI) components are installed.
3. In Server Manager, select the Manage menu, and then click Remove Roles and Features.
4. In the Remove Roles and Features Wizard, click Server Selection, verify that LON-SVR4.Adatum.com is selected, and then click Next.
5. On the Remove Server Roles page, click Next.
6. On the Remove Features page, expand User Interfaces and Infrastructure, and then clear Server Graphical Shell and Graphical Management Tools and Infrastructure. When the wizard prompts you about features that depend on them, click Remove Features, and then click Next.
7. On the Confirm Removal Selections page, select the Restart the destination server automatically if required check box, and then click Yes to confirm your selection.
8. Click the Remove button, and wait for the features to be removed.
9. After the computer restarts, log on as ADATUM\Administrator with the password Pa$$w0rd.
10. Notice that the File Explorer icon is no longer available and Server Manager does not appear. Also, pressing the Windows logo key does not activate the Windows interface.

Task 2: Install GUI administrative components in Windows Server 2012 Server Core
1. Continue to work on 10967A-LON-SVR4.
2. At the command prompt, type the following, and then press Enter:
   powershell
3. At the Windows PowerShell prompt, type the following, and then press Enter:
   Get-WindowsFeature
4. Note the Name associated with the Graphical Management Tools and Infrastructure component.
5. At the Windows PowerShell prompt, type the following, and then press Enter:
   Install-WindowsFeature Server-Gui-Mgmt-Infra
6. Wait for the installation to finish.
7. Notice the warning message that you must restart this computer to finish the installation process.
8. At the prompt, type the following, and then press Enter:
   Restart-Computer
9. After the computer restarts, log on as ADATUM\Administrator with the password Pa$$w0rd.
10. Verify that the command prompt displays and that Server Manager also displays. Components such as File Explorer are still not available.
11. When the Remove Roles and Features Wizard window displays a message that removal succeeded on LON-SVR4.Adatum.com, click Close.

Results: After this exercise, you should have converted from a Full installation to a Minimal Server Interface installation.

Exercise 4: Configuring Services

Task 1: Configure Print Spooler service settings
1. If necessary, switch to the 10967A-LON-SVR4 virtual machine and log on as ADATUM\Administrator with the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Services.
3. Scroll down to Print Spooler. Notice that the Print Spooler status is Running and the startup type is set to Automatic.
4. Right-click Print Spooler, and then click Properties.
5. Click the drop-down box for Startup type, and then select Disabled.
6. Click the Stop button to stop the Print Spooler service, and then click OK.

Results: After this exercise, you should have used Server Manager to change service startup options.
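The same change from PowerShell, with the checks an administrator wants around it, as an added example that is not part of the original lab. The function name Disable-UnneededService and its output object are this example's own; it assumes an elevated Windows PowerShell 3.0 prompt on Windows Server 2012, where the startup type is read from the Win32_Service class because Get-Service did not yet expose it.

```powershell
# Added example, not part of the original lab: Exercise 4 from PowerShell,
# recording the before and after state and warning about dependent services.
# Assumes an elevated PowerShell 3.0 prompt on Windows Server 2012.

function Disable-UnneededService {
    param([Parameter(Mandatory = $true)][string]$Name)

    $svc          = Get-Service -Name $Name -ErrorAction Stop
    $statusBefore = $svc.Status            # read now; ServiceController caches it

    # Stopping a service also stops whatever depends on it; surface that first
    # so the change is a deliberate decision rather than a surprise.
    $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($dependents.Count -gt 0) {
        Write-Warning ("Stopping {0} will also stop: {1}" -f $Name, ($dependents.Name -join ', '))
    }

    # Win32_Service carries the startup type ("Auto", "Manual", "Disabled") in
    # PowerShell 3.0; Get-Service only gained a StartType property later.
    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"

    if ($statusBefore -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction Stop }
    Set-Service -Name $Name -StartupType Disabled

    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Service         = $Name
        StatusBefore    = $statusBefore
        StartModeBefore = $before.StartMode
        StatusAfter     = (Get-Service -Name $Name).Status
        StartModeAfter  = $after.StartMode
        ProcessId       = $after.ProcessId   # 0 once spoolsv.exe has exited
    }
}

# Print Spooler is the lab's target. On a server that never prints it is a
# running network-facing service with no job, so disabling it removes that
# attack surface; the dependency warning above is the check to read first.
Disable-UnneededService -Name Spooler | Format-List

# Undo, for a server that turns out to need printing after all:
# Set-Service -Name Spooler -StartupType Automatic; Start-Service -Name Spooler
```

Setting the startup type to Disabled, not just stopping the service, is what makes the change survive a restart; the output object shows both halves so the result can be pasted into a change record.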


Exercise 5: Configuring Devices

Task 1: Update the standard PS/2 keyboard driver
1. If necessary, switch to the 10967A-LON-SVR4 virtual machine and log on as ADATUM\Administrator with the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Computer Management.
3. In the left column, select Device Manager.
4. In the Device Manager window, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
5. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
6. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
7. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click Next.
8. Click Close.
9. In the System Settings Change dialog box, click Yes to restart the computer.

Task 2: Roll back the driver to its earlier version
1. Log on to the 10967A-LON-SVR4 virtual machine as ADATUM\Administrator with the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Computer Management.
3. In the left column, select Device Manager.
4. In the Device Manager window, expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click Properties.
5. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab.
6. Click Roll Back Driver.
7. In the Driver Package rollback dialog box, click Yes.
8. Click Close, and then in the System Settings Change dialog box, click Yes to restart the computer.
9. Log on to the 10967A-LON-SVR4 virtual machine as ADATUM\Administrator with the password Pa$$w0rd.
10. In Server Manager, click the Tools menu, and then click Computer Management.
11. In the left column, select Device Manager.
12. Expand Keyboards, and then click Standard PS/2 Keyboard.
13. Verify that you have successfully rolled back the keyboard driver.

Results: After this exercise, you should have performed update and rollback operations on a device driver.

Task 3: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR4.


Module 2: Implementing Storage in Windows Server

Lab: Implementing Storage in Windows Server
Exercise 1: Creating and Mounting a VHD File
Task 1: Create and initialize a virtual hard disk
1. Ensure that you are signed in to the 10967A-LON-SVR1 virtual machine as ADATUM\Administrator with the password Pa$$w0rd. (If necessary, open Hyper-V Manager on your host computer to connect to it.)
2. Open Server Manager, click Tools, and then select Computer Management.
3. In the Computer Management console, expand Storage, and then click Disk Management.

Note: Alternatively, you can hover the mouse over the bottom-left corner, right-click, and then select Disk Management from the resultant menu.

4. Right-click Disk Management in the left pane, and then select Create VHD.
5. In the Create and Attach Virtual Hard Disk dialog box, create a .vhd file with the following characteristics, and then click OK:
   Location and filename: C:\Temp\LON-SVR1-Disk7
   Virtual hard disk size: 7 GB
   Virtual hard disk format: VHD
   Virtual hard disk type: Dynamically expanding
6. Open File Explorer and verify that the file exists as you created it.
7. Open Disk Management and verify that the disk is listed with the properties you specified.

Task 2: Use Windows PowerShell to identify the newly created disk, bring the disk online and initialize it
1. Open the Windows PowerShell console by right-clicking the Windows PowerShell icon and selecting Run as Administrator.
2. To view the available disks, type the following, and then press Enter:
   Get-Disk
3. The .vhd file you just created should have a size of approximately 7 GB, be online, and have disk number 7.
4. You can use Windows PowerShell to take a disk offline. Type the following, where <X> is the number of the disk that you just created, and then press Enter:
   Set-Disk -Number <X> -IsOffline $True
5. Use the Get-Disk command to verify that the disk is offline.
6. To bring the disk online, type the following, and then press Enter:
   Set-Disk -Number <X> -IsOffline $False
7. To find a command that may be able to initialize a disk, type the following, and then press Enter:
   Get-Help *Disk*
8. Scroll through the resultant cmdlets and locate the cmdlet Initialize-Disk.
9. To initialize the disk with an MBR partition style, type the following (substituting your disk number if it is not 7), and then press Enter:
   Initialize-Disk -Number 7 -PartitionStyle MBR
10. Use the Get-Disk command to ensure that the disk was initialized successfully.

Results: After this exercise, you should have a Hyper-V .vhd file.


Exercise 2: Creating and Making Available New Volumes

Task 1: Create two new simple volumes
1. Ensure that you are signed in to the 10967A-LON-SVR1 virtual machine as ADATUM\Administrator with the password Pa$$w0rd.
2. Under Computer Management, expand Storage, and then click Disk Management.
3. Right-click Disk 1, and then select Online.
4. Right-click Disk 1, and then select Initialize Disk.
5. In the Initialize Disk dialog box, accept the defaults, and then click OK.
6. On Disk 1, right-click the unallocated area of the disk (the black area), and then select New Simple Volume.
7. Click Next.
8. Change Simple volume size in MB to 2000, and then click Next.
9. Select J in the drop-down box for Assign the following drive letter, and then click Next.
10. On the Format Partition page, ensure that NTFS is selected, enter the volume label SimpleVol_NTFS, and then click Next.
11. Click Finish.
12. Right-click SimpleVol_NTFS, select Format, and then click OK in the Format J: dialog box.
13. In the Format J: dialog box, read the warning, and then click OK.
14. In the Disk Management dialog box, read the warning, and then click Yes.
15. Verify that SimpleVol_NTFS shows Healthy (Primary Partition).
16. Go to File Explorer from the taskbar and notice that a dialog box appears prompting that the newly attached disk needs to be formatted. In this dialog box, click Cancel.
17. Open File Explorer and ensure that the new volume is displayed as a drive with the letter J.
18. Repeat steps 3 to 17 using Disk 2 with the following settings (substitute K for J and SimpleVol_ReFS for SimpleVol_NTFS):
    Simple volume size in MB: 10000
    Assign the following drive letter: K
    File system: ReFS
    Volume label: SimpleVol_ReFS

Task 2: Change the new disks' drive letters
1. On 10967A-LON-SVR1, go to Server Manager, and then click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Change Drive Letter and Paths.
4. Click Change.
5. Change Assign the following drive letter to R, click OK, and then click Yes twice.
6. Repeat steps 3 to 5 for the SimpleVol_ReFS volume, assigning the drive letter S to the volume.
7. Open File Explorer and verify that the drive letters now appear as configured.

Task 3: Mount the new volumes
1. On 10967A-LON-SVR1, go to Server Manager, and then click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Change Drive Letter and Paths.
4. Click Add.
5. Select Mount in the following empty NTFS folder, and then click Browse.
6. With C:\ selected, click New Folder, and name the folder MountedVolume_NTFS.
7. Click OK twice.
8. Repeat steps 3 to 7 for the SimpleVol_ReFS volume, using the folder path C:\MountedVolume_ReFS.
9. In File Explorer, confirm that C:\MountedVolume_NTFS and C:\MountedVolume_ReFS exist and are accessible as expected.

Results: After this exercise, you should have a 2 GB NTFS volume and a 10 GB ReFS volume.
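Exercises 1 and 2 as one script, as an added example that is not part of the original lab. It deliberately uses the Exercise 1 VHD as the target disk rather than Disk 1 (so everything it touches is the file it created), finds that disk through Get-DiskImage instead of assuming disk number 7, and creates the VHD with diskpart because New-VHD requires the Hyper-V management tools, which the lab does not say are on LON-SVR1. The paths are the lab's; the elevated Windows PowerShell 3.0 prompt and the Storage module that Windows Server 2012 ships with are assumed.

```powershell
# Added example, not part of the original lab: VHD creation, offline/online,
# initialisation, a 2000 MB NTFS volume, a drive-letter change, a folder mount
# and an extend, on the Exercise 1 VHD. Assumes an elevated PowerShell 3.0
# prompt on Windows Server 2012 with the Storage module.
$vhdPath   = 'C:\Temp\LON-SVR1-Disk7.vhd'
$mountPath = 'C:\MountedVolume_NTFS'

# 7 GB (7168 MB) dynamically expanding VHD, scripted through diskpart's stdin.
New-Item -ItemType Directory -Path (Split-Path $vhdPath) -Force | Out-Null
@"
create vdisk file="$vhdPath" maximum=7168 type=expandable
"@ | diskpart.exe | Out-Null
if (-not (Test-Path $vhdPath)) { throw "diskpart did not create $vhdPath" }

# Attach it and resolve the Disk object for that exact file, not by number.
Mount-DiskImage -ImagePath $vhdPath | Out-Null
$disk = Get-DiskImage -ImagePath $vhdPath | Get-Disk
"Disk {0}: {1:N1} GB, BusType={2}, PartitionStyle={3}, Offline={4}" -f `
    $disk.Number, ($disk.Size / 1GB), $disk.BusType, $disk.PartitionStyle, $disk.IsOffline

# Task 2 of Exercise 1: offline/online round trip, then initialise as MBR.
Set-Disk -Number $disk.Number -IsOffline $true
Set-Disk -Number $disk.Number -IsOffline $false
if ((Get-Disk -Number $disk.Number).IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }
if ((Get-Disk -Number $disk.Number).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $disk.Number -PartitionStyle MBR
}

# Exercise 2, Task 1: 2000 MB NTFS volume as J: with the lab's label.
$part = New-Partition -DiskNumber $disk.Number -Size 2000MB -DriveLetter J
$part | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'SimpleVol_NTFS' -Confirm:$false | Out-Null

# Task 2: J: becomes R:.
Set-Partition -DriveLetter J -NewDriveLetter R

# Task 3: the same volume is also reachable through an empty NTFS folder on C:.
New-Item -ItemType Directory -Path $mountPath -Force | Out-Null
Add-PartitionAccessPath -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -AccessPath $mountPath

# Preview of Exercise 3: grow the volume by 4000 MB, staying inside the 7 GB VHD.
Resize-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -Size 6000MB

# Verify: one partition, two access paths, roughly 6 GB, healthy.
Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber |
    Select-Object DriveLetter, AccessPaths, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 2) } }
Get-Volume -DriveLetter R | Select-Object FileSystemLabel, FileSystem, HealthStatus
```

Resolving the disk from the image path is the habit worth taking away: disk numbers shift as disks are attached and detached, and a hard-coded number in a script that initialises or formats is how the wrong disk gets wiped.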


Exercise 3: Vary the Sizes of the NTFS and ReFS Volumes

Task 1: Extend the size of the NTFS volume
1. On 10967A-LON-SVR1, go to Server Manager, and then click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_NTFS volume, and then select Extend Volume.
4. On the Welcome to the Extend Volume Wizard page, click Next.
5. On the Select Disks page, in the Select the amount of space in MB text box, enter 4000, and then click Next.
6. On the Completing the Extend Volume Wizard page, click Finish.
7. Verify that the NTFS volume size has increased from 2 GB to 6 GB and that it is still available and accessible.

Task 2: Shrink the size of the ReFS volume
1. On 10967A-LON-SVR1, go to Server Manager, and then click Tools.
2. Select Computer Management, expand Storage, and then click Disk Management.
3. In Disk Management, right-click the SimpleVol_ReFS volume, and then select Shrink Volume.
4. Verify that a message displays that states: The volume cannot be shrunk because the file system does not support it.
5. Click OK to close the Virtual Disk Manager dialog box.

Results: You have expanded the NTFS volume from 2 GB to 6 GB, but you have not been able to shrink the ReFS volume, because shrinking a ReFS volume is not supported. If your manager insists on a ReFS drive of the reduced size, the volume will need to be re-created.


Exercise 4: Creating a Fault-Tolerant Disk Configuration by Using Storage Spaces
Task 1: Create a storage pool
1. Ensure that you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. In Server Manager, click File and Storage Services, click Volumes, and then click Storage Pools.
3. In the Storage Pools section, click Tasks, and then choose New Storage Pool.
4. On the opening page of the New Storage Pool Wizard, click Next.
5. On the Specify a storage pool name and subsystem page, enter StoragePool1 in the Name text box, and then click Next.
6. On the Select physical disks for the storage pool page, select PhysicalDisk 3 and PhysicalDisk 4, and then click Next.
7. On the Confirm selections page, click Create.
8. On the View results page, click Close.

Task 2: Create a storage space virtual disk
1. In Server Manager, in the File and Storage Services section, click Volumes, and then click Storage Pools.
2. Click StoragePool1 under Storage Pools, and then in the Virtual Disks section, click Tasks and choose New Virtual Disk.
3. In the New Virtual Disk Wizard, on the Before You Begin page, click Next.
4. On the Select Storage Pool page, ensure that StoragePool1 is selected, and then click Next.
5. On the Specify the virtual disk name page, enter VirtualDisk1 in the Name field, and then click Next.
6. On the Storage Layout page, select Mirror, and then click Next.
7. On the Specify provisioning type page, select Thin, and then click Next.
8. On the Specify the size of the virtual disk page, enter 4 GB in the virtual disk size text box, and then click Next.
9. On the Confirm selections page, click Create, and then click Close.
10. The New Volume Wizard appears. On the Before you Begin page, click Next.
11. On the Select the server and disk page, click Next.
12. On the Specify the size of the volume page, click Next.
13. On the Assign a drive letter or folder page, select T from the drop-down list, and then click Next.
14. On the Select file system settings page, select NTFS as the file system, enter VirtualDiskMirVol as the volume label, and then click Next.
15. On the Confirm selections page, click Create.
16. On the Completion page, click Close.

Task 3: Verify that the virtual disk is available and functional
1. Open File Explorer by clicking the File Explorer icon on the taskbar.
2. Locate the drive with the volume label VirtualDiskMirVol.
3. Create a .txt file on this drive called Test File.txt.

Task 4: Add an additional physical disk to the storage pool
1. In Server Manager, in the File and Storage Services section, click Volumes, and then click Storage Pools.
2. Right-click StoragePool1 under Storage Pools, and then select Add Physical Disk.
3. In the Add Physical Disk dialog box, select PhysicalDisk 5, and then click OK.
4. Verify that three disks are now listed in the Physical Disks section in Storage Pools.

Task 5: Remove a physical disk to simulate disk failure
1. In Server Manager, in the File and Storage Services section, click Volumes, and then click Storage Pools.
2. In the Physical Disks section, right-click PhysicalDisk 4, and then select Remove Disk.
3. In the resultant Remove Physical Disk prompt, click Yes.
4. Click OK again in the Remove Physical Disk dialog box.

Task 6: Verify the storage virtual disk state and data accessibility
1. Open File Explorer by clicking the File Explorer icon on the taskbar.
2. Verify that Test File.txt is still present and accessible on VirtualDiskMirVol.
3. Return to Server Manager, click File and Storage Services, click Volumes, click Storage Pools, and then go to the Physical Disks section.
4. Notice that only two disks are now listed as part of the virtual disk in the Physical Disks section.
5. In the Virtual Disks section, verify that a warning is shown alongside VirtualDisk1.
6. Right-click VirtualDisk1, select Properties, and then in the Virtual Disk Properties dialog box, click Health.
7. Notice that the status is listed as Warning.
8. Click OK to close the VirtualDisk1 Properties window.

Task 7: Repair and verify the health of the virtual disk
1. In Server Manager, in the Storage Pools pane, in the Virtual Disks section, right-click VirtualDisk1, and then select Repair Virtual Disk.
2. Refresh the view and verify that the virtual disk warning message is no longer present.
3. Right-click VirtualDisk1, select Properties, and then click Health.
4. Verify that the health status now reads Healthy, and then close the VirtualDisk1 Properties window.
5. Open File Explorer and verify that the file you created earlier is still accessible and available.

Results: You have created a storage pool and a virtual disk, and you have verified the integrity of the stored data in the event of a catastrophic hard disk failure by removing a disk from the pool to simulate that failure.

Task 8: Revert the lab machines
When you have completed the lab, revert the virtual machines back to their initial state. To do this, follow these steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 10967A-LON-SVR1.
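Exercise 4 as a script, from pool creation through the simulated failure and repair, as an added example that is not part of the original lab. It assumes an elevated Windows PowerShell 3.0 prompt on LON-SVR1 with at least three spare disks that Storage Spaces reports as poolable; which three it uses is discovered rather than assumed to be PhysicalDisk 3, 4 and 5, and the disk is retired before removal, which is the orderly form of what the Remove Disk command in Server Manager does.

```powershell
# Added example, not part of the original lab: Storage Spaces pool, mirrored
# thin-provisioned space, T: volume, disk add, simulated failure and repair.
# Assumes PowerShell 3.0 on Windows Server 2012 and three poolable spare disks.
$poolName  = 'StoragePool1'
$vdiskName = 'VirtualDisk1'
$testFile  = 'T:\Test File.txt'

$poolable = @(Get-PhysicalDisk -CanPool $true | Sort-Object FriendlyName)
if ($poolable.Count -lt 3) { throw "Need three poolable disks, found $($poolable.Count)" }
$subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'   # "Storage Spaces on LON-SVR1"

# Task 1: pool two disks.
New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $poolable[0..1] | Out-Null

# Task 2: 4 GB thin-provisioned mirror, then an NTFS volume on it as T:.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdiskName `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 4GB
$disk = $vdisk | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter T |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'VirtualDiskMirVol' -Confirm:$false | Out-Null

# Task 3: data that has to survive losing a mirror member.
Set-Content -Path $testFile -Value 'written before the simulated disk failure'

# Task 4: a third disk, so the mirror has somewhere to rebuild its second copy.
Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks $poolable[2]

# Task 5: retire and remove one of the original mirror members.
Set-PhysicalDisk -FriendlyName $poolable[1].FriendlyName -Usage Retired
Remove-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks $poolable[1] -Confirm:$false

# Task 6: the file is still readable from the surviving copy; the space reports
# Warning/Degraded until the rebuild onto the third disk has completed.
Get-Content -Path $testFile
Get-VirtualDisk -FriendlyName $vdiskName | Select-Object FriendlyName, HealthStatus, OperationalStatus
Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk |
    Select-Object FriendlyName, Usage, HealthStatus, OperationalStatus

# Task 7: repair, then poll until the space is Healthy again.
Repair-VirtualDisk -FriendlyName $vdiskName
do {
    Start-Sleep -Seconds 5
    $health = (Get-VirtualDisk -FriendlyName $vdiskName).HealthStatus
    "Repair in progress, HealthStatus=$health"
} until ($health -eq 'Healthy')
Get-Content -Path $testFile
```

If Storage Spaces has already rebuilt the mirror onto the third disk by the time the Task 6 query runs, HealthStatus reads Healthy straight away; the GUI flow in the lab shows Warning because Remove Disk is clicked immediately after the disk is added. The polling loop at the end is the part to keep: a repair is asynchronous, and a script that declares success the moment Repair-VirtualDisk returns is reporting on work that has not happened yet.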


Module 3: Understanding Network Infrastructure

Lab: Selecting Network Infrastructure Components
Exercise 1: Determining Appropriate Network Components
Task 1: Read the supporting documentation
Read the supporting documentation sent to you by the Seattle office manager.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: Component Needs Assessment.
1. What Ethernet infrastructure should be used for the staff offices portion of the Seattle location?

Answer: Because of the large amount of data being sent back and forth on the network, the fastest Ethernet standard that can be deployed in an office LAN environment should be used. 10GBASE-T offers a throughput of 10 Gbps and uses copper cabling as its medium, which can easily be installed in each office as the new building is being constructed.

2. What infrastructure should be used to connect the conference room portion of the Seattle location?

Answer: Based on the conference room's size and the variance in location and mobility of users and their laptops, a wireless infrastructure should be used for the conference room, preferably the fastest available standard, 802.11n. The wireless network should also be secured with WPA2 using 802.1X authentication against a RADIUS server (WPA2-Enterprise), the most current wireless security standard covered in this course, which allows certificates to control who may join the network.

3. What components and technology would you use to connect the New York and Seattle branches?

Answer: T1 would be a good choice. There isn't a lot of data being sent between the two offices, and a leased T1 connection through a telecommunications provider gives the two locations a dedicated private circuit. Note that a leased line keeps the traffic off the public Internet but does not encrypt it; if the data must be confidential in transit, add encryption over the link (for example, IPsec).

4. What is the best architecture to allow both partners and home office users to access their information using only one method of access?

Answer: An extranet could be set up, providing a server available for both partners and remote users to exchange their files. This would provide one point of access, in addition to a centralized place to host the files that these two groups are using.

We know the A. Datum staff will all be running the Windows 8 operating system, so we could set up DirectAccess to allow the remote staff to be always connected to the office network, or we could also consider a VPN connection; however, because they only need access to a few files, an extranet would be a more logical choice. If the office were to expand significantly over the short term, it might be worth investing in a DirectAccess solution now. Perhaps this is one point you can inquire about in your follow-up with Susan.

Results: After this exercise, you should have identified the infrastructure and components required to implement a network in a new location.


Module 4: Connecting Network Components

Lab: Connecting Network Components

Exercise 1: Connecting Network Components
Task 1: Read the supporting deployment plan document
1. Read the supporting email.
2. Review the Branch Office Network Components Deployment Plan.

Task 2: Update the Branch Office Network Components Deployment Plan
Update the Branch Office Network Components Deployment Plan by answering these questions.
1. What devices are required in the branches to support these requirements?

Answer: Switches. These provide a way of connecting the nodes on the network and support virtual local area networks (VLANs), so traffic is isolated to the required VLAN except where it must cross between VLANs. In addition, simple hubs do not support quality of service (QoS).

2. What devices are required to connect the branches together and connect the branches to the head office?

Answer: Routers. Although switches can provide routing functions, wide area network (WAN) routers are needed to connect the branches together and to connect them to the head office.

3. What issues arise when you implement these devices?

Answer: You must select a mechanism to manage the routing tables. You could use static routes, or alternatively implement a routing protocol such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

4. Update the A. Datum Branch Network Plan diagram to show what kinds of devices you will implement.

Answer: See the following diagram.

[Diagram: Proposed A. Datum Branch Network Plan]

Results: After this exercise, you should have completed both the A. Datum Branch Network Plan diagram and the Branch Office Network Components Deployment Plan.


Exercise 2: Selecting a Suitable Wiring Infrastructure

Task 1: Read the supporting documentation
Read the Branch Office Network Wiring Plan.

Task 2: Update the proposal document with your planned course of action
Update the proposal document with your planned course of action by answering these proposal questions.
1. What kind of cable would be suitable here, using the information supplied and the plan you outlined for network components earlier?

Answer: Switches were indicated earlier, which means coaxial cable is not possible, and coaxial cable is generally not a good choice for any new installation. Twisted-pair and fiber cabling is required.

2. How will you address the issue of high levels of electromagnetic interference?

Answer: Where required, install shielded twisted pair. In areas where this is insufficient, use fiber.

3. What cable standards do you propose?

Answer: For copper, Category 5e or higher. Cat 6 supports 10 gigabit per second (Gbps) Ethernet over short runs and better future-proofs the solution. For fiber, multimode fiber is cheaper and should address the bandwidth requirements.

Results: After this exercise, you should have completed the Branch Office Network Wiring Plan.


Module 5: Implementing TCP/IP

Lab: Implementing TCP/IP

Exercise 1: Determining an Appropriate IPv4 Addressing Scheme
Task 1: Read the supporting documentation
1. Review the supporting email documentation.
2. Review the A. Datum Branch IP Addressing diagram.

Task 2: Update the proposal document with your planned steps
Review the Branch Office IP Addressing Scheme, and update the proposal by answering these questions.
1. How many network addresses do you need to support these requirements?

Answer: Six.

2. What class address is 172.16.0.0/16?

Answer: Class B.

3. Is this a private or public address?

Answer: Private.

4. Ed has allocated the first block of addresses to the first branch: 172.16.16.0/20. What is the next logical subnet using this initial subnet?

Answer: 172.16.32.0/20. The next is 172.16.48.0/20.

5. What are the first and last hosts in this subnet?

Answer: The first host is the subnet address plus one, and the last host is the next subnet address minus two, because the address immediately before the next subnet (172.16.31.255) is the broadcast address. Therefore, the first host is 172.16.16.1/20 and the last is 172.16.31.254/20.

6. What would the subnet mask be for hosts in this subnet?

Answer: 255.255.240.0.

7. Update the A. Datum Branch IP Addressing.vsd diagram to show the network addresses you will implement in the branches; do not worry about the WAN links.

Answer: See the following addressing diagram.

[Diagram: Completed A. Datum IP addressing diagram]

Results: After this exercise, you should have completed both the A. Datum Branch IP Addressing.vsd diagram and the Branch Office IP Addressing Scheme document.
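The arithmetic behind questions 4 to 6, written out as PowerShell functions so the answers can be checked for any block, as an added example that is not part of the original answer key. The function names Get-SubnetInfo, Get-SubnetPlan, ConvertTo-DottedQuad and ConvertFrom-DottedQuad are this example's own; it uses plain integer arithmetic rather than bitwise operators so the result does not depend on how a given PowerShell version widens operands.

```powershell
# Added example, not part of the original answer key: subnet arithmetic for
# the Task 2 questions. Get-SubnetInfo describes one CIDR block;
# Get-SubnetPlan hands out consecutive blocks of the same size.

function ConvertTo-DottedQuad {
    param([Parameter(Mandatory = $true)][long]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) {
        [int]([math]::Floor($Value / [math]::Pow(2, $shift)) % 256)
    }
    $octets -join '.'
}

function ConvertFrom-DottedQuad {
    param([Parameter(Mandatory = $true)][string]$Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()   # big-endian
    [long]$bytes[0] * 16777216 + [long]$bytes[1] * 65536 + [long]$bytes[2] * 256 + $bytes[3]
}

function Get-SubnetInfo {
    param([Parameter(Mandatory = $true)][string]$Cidr)
    $address, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -lt 1 -or $prefix -gt 30) { throw "/$prefix leaves no usable host range" }

    $blockSize = [long][math]::Pow(2, 32 - $prefix)       # addresses per subnet
    $network   = ConvertFrom-DottedQuad $address
    $network   = $network - ($network % $blockSize)        # clear the host bits
    $mask      = 4294967295 - ($blockSize - 1)             # all ones minus the host bits

    [pscustomobject]@{
        Network      = ConvertTo-DottedQuad $network
        PrefixLength = $prefix
        SubnetMask   = ConvertTo-DottedQuad $mask
        FirstHost    = ConvertTo-DottedQuad ($network + 1)                # subnet + 1
        LastHost     = ConvertTo-DottedQuad ($network + $blockSize - 2)   # next subnet - 2
        Broadcast    = ConvertTo-DottedQuad ($network + $blockSize - 1)   # next subnet - 1
        NextSubnet   = ConvertTo-DottedQuad (($network + $blockSize) % 4294967296)
        UsableHosts  = $blockSize - 2
    }
}

function Get-SubnetPlan {
    param(
        [Parameter(Mandatory = $true)][string]$FirstSubnet,
        [Parameter(Mandatory = $true)][int]$Count
    )
    $current = $FirstSubnet
    for ($i = 0; $i -lt $Count; $i++) {
        $info = Get-SubnetInfo -Cidr $current
        $info
        $current = '{0}/{1}' -f $info.NextSubnet, $info.PrefixLength
    }
}

# Questions 4 to 6: 172.16.16.0/20 gives mask 255.255.240.0, hosts
# 172.16.16.1 to 172.16.31.254, broadcast 172.16.31.255, next block 172.16.32.0/20.
Get-SubnetInfo -Cidr '172.16.16.0/20' | Format-List

# Question 1 asked for six networks; starting where Ed did, they run from
# 172.16.16.0/20 to 172.16.96.0/20.
Get-SubnetPlan -FirstSubnet '172.16.16.0/20' -Count 6 |
    Format-Table Network, PrefixLength, SubnetMask, FirstHost, LastHost -AutoSize
```

Because the host bits are cleared before anything else is computed, Get-SubnetInfo also accepts an address from inside the block (172.16.20.77/20 gives the same answers), which is the usual way the question arrives from a user reporting a problem.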


Exercise 2: Configuring IPv4 with Windows Server 2012

Task 1: Configure a Dynamic Host Configuration Protocol scope
1. Ensure that you are logged on to 10967A-LON-SVR1 as ADATUM\Administrator with the password Pa$$w0rd.
2. If it is not already open, open Server Manager by clicking the Server Manager icon on the taskbar, point to the Tools menu, and then click DHCP.
3. In the DHCP window, expand lon-svr1.adatum.com, right-click IPv4, and then click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, in the Name box, type Head Office 1.
6. In the Description box, type Client computer addresses, and then click Next.
7. On the IP Address Range page, enter the following information, and then click Next:
   Start IP address: 172.16.0.20
   End IP address: 172.16.0.30
   Length: 16
   Subnet mask: 255.255.0.0
8. On the Add Exclusions and Delay page, click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type 172.16.0.1, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next.
15. On the Completing the New Scope Wizard page, click Finish.
16. In the console, expand IPv4, expand Scope [172.16.0.0] Head Office 1, and then click Address Leases.
17. How many address leases have been used?

Answer: None.

Task 2: Configure the client computer to obtain an IP address dynamically
1. Switch to the 10967A-LON-CL1 virtual machine and ensure that you are logged on as ADATUM\Administrator with the password Pa$$w0rd.
2. On the Start page, type con. When Control Panel appears on the left side, click it to open it.
3. Click Network and Internet, click Network and Sharing Center, and then click Change adapter settings.
4. In the Network Connections window, double-click Ethernet, and then click the Properties button.
5. In the Ethernet Properties dialog box, locate and double-click Internet Protocol Version 4 (TCP/IPv4).
6. Select Obtain an IP address automatically and Obtain DNS server address automatically, and then click OK.
7. In the Ethernet Properties dialog box, click OK, and then click Close to close the Ethernet Status dialog box.

Task 3: Verify that the client computer obtained an address
1. Switch back to the 10967A-LON-SVR1 virtual machine.
2. In DHCP, press F5 to refresh the view, and then verify that there is a new lease for LON-CL1.
3. What is the IP address for LON-CL1?

Answer: 172.16.0.20.

Task 4: Determine the IP address on the client computer


1.

Switch back to 10967A-LON-CL1.

2.

Click the lower-left corner of the virtual machine, open the Start home page, type cmd, and then
press Enter.

3.

At the Command Prompt, type the following command, and then press Enter.
ipconfig /all

4.

What is the current IPv4 address?

Answer: 172.16.0.20.
5.

Is DHCP enabled?

Answer: Yes.
6.

What is the IP address of the DHCP server?

Answer: 172.16.0.15.
7.

When does the DHCP Lease expire? Answer: In 8 days.

Results: After this exercise, you should have created a DHCP scope and allocated a client address.
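The same scope built from the command line, as an added example that is not part of the original courseware. It uses the DhcpServer module that the DHCP Server role installs on Windows Server 2012 and ends with the lease check the lab does in the console. Assumptions: an elevated Windows PowerShell session on LON-SVR1, whose address is 172.16.0.15 as in the answer key; the DNS server address is LON-DC1's 172.16.0.10 from Exercise 4; the function name is this example's own.

```powershell
# Added example, not part of the original courseware: the Head Office 1 scope
# via the DhcpServer module, plus the lease check from Task 3.
Import-Module DhcpServer

$scopeId = '172.16.0.0'

# Steps 5 to 15 of the wizard: name, description, range, mask, default 8-day lease, active.
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Head Office 1' -Description 'Client computer addresses' `
                          -StartRange '172.16.0.20' -EndRange '172.16.0.30' `
                          -SubnetMask '255.255.0.0' `
                          -LeaseDuration (New-TimeSpan -Days 8) -State Active
}

# Option 003 Router from step 11. Option 006 DNS Servers is set as well, because
# a client with no DNS server cannot resolve lon-svr1.adatum.com in Exercise 3.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router '172.16.0.1' -DnsServer '172.16.0.10'

# In an AD DS domain an unauthorized DHCP server does not lease addresses; the
# Module 6 BPA reports this. Authorize the server if it is not already listed.
# (172.16.0.15 is LON-SVR1's address from the answer key.)
$authorized = Get-DhcpServerInDC | Where-Object { $_.IPAddress.ToString() -eq '172.16.0.15' }
if (-not $authorized) {
    Add-DhcpServerInDC -DnsName 'lon-svr1.adatum.com' -IPAddress '172.16.0.15'
}

# Task 3: the lease table. Empty before LON-CL1 renews, one entry afterwards.
function Get-ClientLease {
    param([string]$ClientName = 'LON-CL1')
    Get-DhcpServerv4Lease -ScopeId $scopeId |
        Where-Object { $_.HostName -like "$ClientName*" } |
        Select-Object IPAddress, HostName, ClientId, AddressState, LeaseExpiryTime
}
Get-ClientLease
```

Run Get-ClientLease again after the client completes Task 2 to see the 172.16.0.20 lease and its expiry eight days out. The scope creation is guarded so the script can be re-run without a duplicate-scope error.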


Exercise 3: Verifying the IPv4 Configuration

Task 1: Stop the DHCP server

1. Switch to the 10967A-LON-SVR1 computer.

2. In DHCP, right-click lon-svr1.adatum.com, point to All Tasks, and then click Stop.

3. Verify that the DHCP console now shows an error stating Cannot find the DHCP Server.

Task 2: Try to renew the IPv4 address on the client computer

1. Switch to the 10967A-LON-CL1 computer and switch to the command prompt.

2. At the command prompt, type the following command, and then press Enter.

   ipconfig /release

3. At the command prompt, type the following command, and then press Enter.

   ipconfig /renew

4. This might take several minutes while the client computer tries to contact a DHCP server.

5. Notice the time-out error.

6. At the command prompt, type the following command, and then press Enter.

   ipconfig

7. What IPv4 address was assigned?

   Answer: An address starting with 169.254.

8. What does the IP address signify?

   Answer: The computer is using Automatic Private IP Addressing (APIPA) because it failed to obtain an
   address from a DHCP server. An APIPA address comes with no default gateway and no DNS server, so
   the client can neither resolve lon-svr1.adatum.com nor route to the 172.16.0.0/16 network.

9. At the command prompt, type the following command, and then press Enter.

   ping lon-svr1.adatum.com

10. The ping fails.

Task 3: Start the DHCP server

1. Switch back to 10967A-LON-SVR1.

2. In DHCP, right-click lon-svr1.adatum.com, point to All Tasks, and then click Start.

Task 4: Renew the client address and verify IPv4

1. Switch to 10967A-LON-CL1, and at the command prompt, type the following command, and then
   press Enter.

   ipconfig /renew

2. What IPv4 address is listed?

   Answer: An address starting with 172.16.

3. What does the IP address signify?

   Answer: The computer has successfully obtained an IPv4 address from the DHCP server.

4. At the command prompt, type the following command, and then press Enter.

   ping lon-svr1.adatum.com

5. The ping succeeds.

Results: After this exercise, you should have successfully verified the functionality of the DHCP server in
the head office.
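Exercise 3 scripted from the client, as an added example that is not part of the original courseware. The DHCP Server service on LON-SVR1 is stopped over PowerShell remoting, the client is forced to renew, and the resulting address is classified so the APIPA fallback is detected programmatically instead of read off ipconfig by eye. Assumptions: an elevated session on LON-CL1 as ADATUM\Administrator, an adapter named Ethernet, and remoting enabled on LON-SVR1 (the Windows Server 2012 default); both function names are this example's own.

```powershell
# Added example, not part of the original courseware: the Exercise 3 failure
# test as a script run on the client.

function Get-DhcpState {
    param([string]$InterfaceAlias = 'Ethernet')
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
          Select-Object -First 1
    # A leased address reports PrefixOrigin Dhcp; 169.254.0.0/16 is the APIPA range,
    # which Windows assigns when no DHCP server answers.
    $state = 'Static'
    if ($ip.PrefixOrigin -eq 'Dhcp')     { $state = 'DHCP' }
    if ($ip.IPAddress -like '169.254.*') { $state = 'APIPA' }
    [pscustomobject]@{ Address = $ip.IPAddress; Origin = $ip.PrefixOrigin; State = $state }
}

function Set-RemoteService {
    param([string]$ComputerName, [string]$Name,
          [ValidateSet('Running', 'Stopped')][string]$Status)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($n, $s)
        if ($s -eq 'Stopped') { Stop-Service -Name $n } else { Start-Service -Name $n }
        (Get-Service -Name $n).Status
    } -ArgumentList $Name, $Status
}

# Tasks 1 and 2: with no DHCP server answering, the renew times out and APIPA takes over.
Set-RemoteService -ComputerName LON-SVR1 -Name DHCPServer -Status Stopped
ipconfig /release | Out-Null
ipconfig /renew   | Out-Null          # slow; the time-out is the expected outcome here
Get-DhcpState
Test-Connection lon-svr1.adatum.com -Count 1 -Quiet

# Tasks 3 and 4: bring the service back and renew again.
Set-RemoteService -ComputerName LON-SVR1 -Name DHCPServer -Status Running
ipconfig /renew   | Out-Null
Get-DhcpState
Test-Connection lon-svr1.adatum.com -Count 1 -Quiet
```

The first Get-DhcpState call should report State APIPA and the ping test False; after the service is started the state returns to DHCP with a 172.16.0.x address and the ping test True. Because the APIPA client has no DNS server, the first Test-Connection fails on name resolution before any packet is sent, which is the same failure the lab's ping shows.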


Exercise 4: Configuring and Testing Name Resolution

Task 1: View the current DNS records

1. Switch to 10967A-LON-DC1 and ensure you are signed in as ADATUM\Administrator with the
   password Pa$$w0rd.

2. In Server Manager, point to the Tools menu, and then click DNS.

3. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.

4. What is the current IP address listed against the LON-CL1 Host (A) record in the Adatum.com forward
   lookup zone?

   Answer: 172.16.0.20

Task 2: Force a dynamic update

1. Switch to the LON-CL1 virtual machine.

2. On the Start screen, type con. When Control Panel appears in the results on the left, click it.

3. Click Network and Internet, click Network and Sharing Center, and then click Change adapter
   settings. In Network Connections, right-click Ethernet, and then click Properties.

4. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

5. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP
   address.

6. Use the following information to complete the configuration, and then click OK:

   IP address: 172.16.0.16
   Subnet mask: 255.255.0.0
   Default gateway: 172.16.0.1
   Preferred DNS server: 172.16.0.10

7. In the Ethernet Properties dialog box, click OK.

8. Switch to LON-DC1.

9. In DNS Manager, in Adatum.com, press F5.

10. What is the current IP address listed against the LON-CL1 Host (A) record?

    Answer: 172.16.0.16. Changing the address caused the DNS client to re-register its Host (A) record
    with its preferred DNS server.

Task 3: Add a new DNS record

1. Switch to LON-CL1, and at the command prompt, type the following command, and then press
   Enter.

   ipconfig /?

2. Scroll through the help returned and identify the /displaydns switch.

3. At the command prompt, type the following command, and then press Enter.

   ipconfig /displaydns

4. What records are listed?

   Answer: Answers will vary, but there will be several records for LON-DC1.

5. Switch to 10967A-LON-SVR1.

6. Hover the mouse over the bottom-left corner of the virtual machine, and then click the Start screen
   thumbnail that appears.

7. On the Start screen, type powershell.

8. The Windows PowerShell icon appears.

9. Right-click the icon, and then click Run as administrator.

10. In the Windows PowerShell console, type the following, and then press Enter.

    Get-Help *DNS*

11. Several of the listed cmdlets return information similar to ipconfig. Type the following, and then
    press Enter.

    Get-DnsClientCache

12. Still on 10967A-LON-SVR1, type the following, and then press Enter.

    Test-Connection www.adatum.com

13. You are not successful; there is no www record in the zone yet.

14. Switch to the 10967A-LON-CL1 virtual machine.

15. At the command prompt, type the following command, and then press Enter.

    ping www.adatum.com

16. You are not successful.

17. Switch to 10967A-LON-DC1.

18. In DNS Manager, right-click Adatum.com, and then click New Alias (CNAME).

19. In the New Resource Record dialog box, in the Alias name (uses parent domain if left blank) box, type
    www.

20. In the Fully qualified domain name (FQDN) for target host box, type the following, and then click OK.

    lon-dc1.adatum.com

Task 4: Verify a record

1. Switch to 10967A-LON-CL1.

2. At the command prompt, type the following command, and then press Enter.

   ping www.adatum.com

   Note: Depending on the client's DNS cache, you may or may not be successful at this point. The
   failed lookup in Task 3 may have been cached as a negative response, which is served until it ages
   out. If you are not successful, continue with step 3. If you are successful, skip ahead to step 7.

3. You are not successful.

4. At the command prompt, type the following command, and then press Enter.

   ipconfig /flushdns

5. At the command prompt, type the following command, and then press Enter.

   ping www.adatum.com

6. You are successful.

7. At the command prompt, type the following command, and then press Enter.

   ipconfig /displaydns

8. What record is returned for www.adatum.com?

   Answer:

   www.adatum.com
   ----------------------------------------
   Record Name . . . . . : www.adatum.com
   Record Type . . . . . : 5
   Time To Live  . . . . : 3531
   Data Length . . . . . : 8
   Section . . . . . . . : Answer
   CNAME Record  . . . . : lon-dc1.adatum.com

   (Some fields might vary slightly.)

   Note: ipconfig lists record types by number; 5 corresponds to a CNAME record.

9. Switch to 10967A-LON-SVR1.

10. Type the following to identify the cmdlet you need, and then press Enter.

    Help *DNS*

11. Notice the Clear-DnsClientCache cmdlet. Type the following, and then press Enter.

    Clear-DnsClientCache

12. To test the connection, type the following command, and then press Enter.

    Test-Connection www.adatum.com

13. You are successful.

14. To view the DNS client cache, type the following command, and then press Enter.

    Get-DnsClientCache

15. Verify that the Record Type for www.adatum.com is listed as CNAME.

Results: After this exercise, you should have verified that DNS is functioning correctly and added a new
CNAME record for www.adatum.com.
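Exercise 4 with the DnsServer and DnsClient modules, as an added example that is not part of the original courseware. The CNAME is created on LON-DC1 only if it is absent, then the client-side cache is flushed and the alias resolved and inspected, which is the ipconfig /flushdns, ping and ipconfig /displaydns sequence of Task 4 in cmdlet form. Assumptions: an elevated session on LON-DC1 (add -ComputerName LON-DC1 to the DnsServer cmdlets to run it elsewhere), adatum.com as the zone name, and a function name that is this example's own.

```powershell
# Added example, not part of the original courseware: the A-record check, the
# CNAME creation and the client cache verification of Exercise 4.
Import-Module DnsServer, DnsClient

$zone  = 'adatum.com'
$alias = 'www'

# Task 2 check: the client's Host (A) record after its static address change.
Get-DnsServerResourceRecord -ZoneName $zone -Name 'LON-CL1' -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }, Timestamp

# Task 3: add www -> lon-dc1.adatum.com unless it already exists.
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName `
                                        -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias 'lon-dc1.adatum.com'
}

# Task 4: a negative answer for www may still be cached locally, which is why the
# lab's first ping can fail. Flush, resolve, then read the cache entry back.
function Resolve-AliasWithCache {
    param([Parameter(Mandatory)][string]$Name)
    Clear-DnsClientCache
    $answer = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop
    $cached = Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue | Select-Object -First 1
    [pscustomobject]@{
        Query     = $Name
        Target    = ($answer | Where-Object Type -eq 'CNAME').NameHost
        CacheType = $cached.Type          # numeric record type; 5 is CNAME, as in ipconfig
        CacheTtl  = $cached.TimeToLive
    }
}
Resolve-AliasWithCache -Name "$alias.$zone"
```

Resolve-DnsName is used rather than ping because it reports the record type and target directly, whereas ping only tells you whether the name resolved at all. Clearing the cache before the query is what makes the result deterministic regardless of earlier failed lookups.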

Exercise 5: Viewing the IPv6 Configuration

Task 1: Determine the current IPv6 address

1. On 10967A-LON-CL1, at the command prompt, type the following command, and then press Enter.

   ipconfig /all

2. Is there an IPv6 address listed?

   Answer: Yes.

3. What kind of IPv6 address is it?

   Answer: A link-local IPv6 address, as indicated by the address format (it starts with fe80) and by the
   Link-local IPv6 Address label beside it in the output.

4. Switch to 10967A-LON-SVR1.

5. To identify the cmdlet you need, type the following, and then press Enter.

   Get-Help *address*

6. Notice the Get-NetIPAddress cmdlet, then type the following, and then press Enter.

   Get-NetIPAddress

7. Locate the IPv6 address in the list of returned addresses and compare it to the address returned on the
   10967A-LON-CL1 virtual machine.
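Classifying IPv6 addresses by prefix, as an added example that is not part of the original courseware. Question 3 identifies the link-local address by its leading fe80; the function below applies that test (fe80::/10) and the other prefixes a Windows host commonly carries to every IPv6 address Get-NetIPAddress returns, and to a few constructed sample addresses. The function name and the sample addresses (2001:db8::/32 is the documentation prefix) are this example's own.

```powershell
# Added example, not part of the original courseware: classify IPv6 addresses
# by their well-known prefixes instead of reading the fe80 off ipconfig by eye.
function Get-IPv6AddressKind {
    param([Parameter(Mandatory)][string]$Address)
    # Strip a zone index such as %12 before parsing.
    $ip = [System.Net.IPAddress]::Parse(($Address -split '%')[0])
    if ($ip.AddressFamily -ne 'InterNetworkV6') { return 'Not IPv6' }
    $b = $ip.GetAddressBytes()

    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback))  { return 'Loopback' }        # ::1
    if ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80)    { return 'Link-local' }      # fe80::/10
    if (($b[0] -band 0xFE) -eq 0xFC)                        { return 'Unique local' }    # fc00::/7
    if (($b[0] -band 0xE0) -eq 0x20)                        { return 'Global unicast' }  # 2000::/3
    if ($b[0] -eq 0xFF)                                     { return 'Multicast' }       # ff00::/8
    return 'Other'
}

# Every IPv6 address on this computer, with its kind alongside PrefixOrigin.
Get-NetIPAddress -AddressFamily IPv6 |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin,
                  @{ n = 'Kind'; e = { Get-IPv6AddressKind -Address $_.IPAddress } }

# Constructed samples: the lab's link-local shape plus the kinds it does not show.
'fe80::1c2d:3e4f:5a6b:7c8d%12', '2001:db8::10', 'fd00:adat::1', 'ff02::1', '::1' |
    ForEach-Object { '{0,-32} {1}' -f $_, (Get-IPv6AddressKind -Address $_) }
```

On the lab machines only the link-local entry (and the loopback on the Loopback interface) should appear, which is the result the exercise expects; a unique-local or global entry would indicate an address source, such as a router advertisement, that the lab network does not provide.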

Task 2: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.

Results: After this exercise, you should have determined that the local host has only a link-local IPv6
address.


Module 6: Windows Server Roles

Lab: Implementing Server Roles

Exercise 1: Determining the Appropriate Roles to Deploy

Task 1: Read the supporting documentation

1. Read the supporting documentation.

2. Review the server requirements of the branch offices.

Task 2: Complete the Branch Office Server Deployment Recommendations document

1. Complete the Deployment Proposals section of the Branch Office Server Deployment
   Recommendations document.

2. How will you address the requirement that all computers can obtain an IPv4 configuration
   automatically even if the link to the head office is down?

   Answer: Deploy the Dynamic Host Configuration Protocol (DHCP) server role to each branch and
   configure an appropriate scope for the branch.

3. How will you address the requirement that users must be able to access shared files?

   Answer: Deploy the File Services role.

4. How will you address the requirement that users must be able to use shared printers?

   Answer: Deploy the Print and Document Services role.

5. What kind of server best supports the needs of the database application?

   Answer: An application server.

6. What roles support this kind of server?

   Answer: The Application Server role provides the necessary components.

7. How will you address the requirement that the computers must obtain updates from a local update
   server?

   Answer: Deploy the Windows Server Update Services (WSUS) role.

8. Which roles are required at the branch servers?

   Answer: DHCP Server, DNS Server, File Services, Print and Document Services, Application Server,
   and Windows Server Update Services.

Results: After this exercise, you should have completed the Branch Office Server Deployment
Recommendations document.

Exercise 2: Deploying and Configuring the Determined Server Roles

Task 1: Deploy infrastructure-related roles

1. Ensure you are signed in to 10967A-LON-CL1.

2. Press the Windows logo key, type run, and then press Enter.

3. In the Run box, type the following, and then press Enter.

   \\LON-DC1\E$

4. If prompted, provide the credentials ADATUM\Administrator with the password Pa$$w0rd.

5. Go to the folder mod06\Labfiles, copy the file Windows6.2-KB2693643-x64.msu (the Remote Server
   Administration Tools for Windows 8) to the Desktop, and then double-click it.

6. In the Windows Update Standalone Installer dialog box, click Yes.

7. In the Download and Install Updates license terms window, click I Accept.

8. In the installation complete dialog box, click Restart Now. If you are given only a Close option,
   click Close, hover the mouse in the bottom-right corner of the taskbar, click Settings, click Power,
   and then click Restart.

9. The 10967A-LON-CL1 virtual machine updates and restarts. This takes approximately 5 minutes.

10. After 10967A-LON-CL1 restarts, log on with the credentials ADATUM\Administrator and the password
    Pa$$w0rd.

11.
    Scroll to the right side of the Start screen and notice the presence of the Administrative Tools and
    Server Manager tiles. Click Server Manager.

12. In Server Manager, in the Dashboard section, click the Create a server group link.

13. In the Server group name box, type LON Servers.

14. Click the DNS tab.

15. In the Search box, type LON-DC1, and then click the search icon. LON-DC1.adatum.com should be
    returned; click the arrow to add the server to the Selected box on the right side.

16. In the Search box, type LON-SVR3, and then click the search icon. LON-SVR3.adatum.com should be
    returned; click the arrow to add the server to the Selected box on the right side.

17. Click OK.

18. Click the LON Servers group on the left side.

19. Right-click LON-SVR3, and then click Add Roles and Features.

20. In the Add Roles and Features Wizard, click Next.

21. On the Installation Type page, click Next.

22. On the Server Selection page, click lon-svr3.Adatum.com, and then click Next.

23. On the Server Roles page, select DHCP Server and DNS Server, and then click Next.

24. Click Next through the remaining pages, and then click Install, but do not close the wizard.

25. On the Installation progress page, wait until the Installation succeeded on lon-svr3.adatum.com
    message displays, and then click Close.

26. Click the LON Servers group on the left side.

27. Right-click LON-DC1, and then click Add Roles and Features.

28. In the Add Roles and Features Wizard, click Next.

29. On the Installation Type page, click Next.

30. On the Server Selection page, click lon-dc1.Adatum.com, and then click Next.

31. On the Server Roles page, select Print and Document Services, and then click Next.

32. Click Add Features when prompted.

33. Click Next through the remaining pages, click Install, and then close the wizard as soon as the
    installation begins.

34. Click the notification flag icon in Server Manager and view the status of the role installations.

35. Click the LON Servers group on the left side again.

36. Click LON-DC1, press Ctrl and click LON-SVR3, and then right-click the highlighted servers.

37. In the resulting menu, click Restart Server.

38. In the resulting prompt, ensure LON-DC1 and LON-SVR3 are listed, and then click OK.

39. Switch to the LON-DC1 and LON-SVR3 servers and show students that they are restarting as
    specified.

Notice that a server group can contain many more servers, and that managing them in bulk from one
console reduces administrative overhead.

Task 2: Deploy the remaining roles on a single server

1. Ensure you are signed in to 10967A-LON-CL1 with the credentials ADATUM\Administrator and the
   password Pa$$w0rd.

2. In Server Manager, click the LON Servers group on the left side.

3. Right-click LON-DC1, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, click Next.

5. On the Installation Type page, click Next.

6. On the Server Selection page, click lon-dc1.Adatum.com, and then click Next.

7. On the Server Roles page, select the following roles, and then click Next.

   Application Server
   File and Storage Services
   Print and Document Services
   Windows Server Update Services

8. Click Next until you reach the Content Selection page.

9. On the Content Selection page, clear the Store updates in the following location (choose a valid
   local path on lon-dc1.adatum.com, or a remote path) check box, and then click Next.

10. Click Install, but do not close the wizard.

Task 3: Obtain the configuration settings XML for the role installation

1. On the Installation Progress page, click the Export Configuration Settings link.

2. In the Save As dialog box, in the navigation pane under Libraries, click Documents, in the File
   name box, type LON-DC1 DHCP Server Role Install, and then click Save.

3. On the Installation progress page, click Close.

4. Point out to students that the installation continues running in the background with the wizard
   closed.

5. In Server Manager, click the notification flag icon at the top of the console. Point out to students
   that you can view the progress of the installation here, and that it also tells you when it is complete.

6. On the taskbar, click File Explorer, double-click Documents, right-click LON-DC1 DHCP Server
   Role Install, click Open with, and then click Notepad.

7. Review the XML in the configuration file. It contains the configuration settings generated
   automatically as you ran through the Add Roles and Features Wizard. You can now use or customize
   this file to automate installing the same roles on this server or on multiple servers.

8. Close Notepad, and then close File Explorer.

Task 4: Configure event settings in Server Manager for DNS Server

1. On 10967A-LON-CL1, open Server Manager.

2. In the Server Manager console, click the DNS node on the left.

3. Scroll down to the Events section.

4. Click Tasks, and then click Configure Event Data.

5. In the Configure Event Data dialog box, select the following severity levels:

   Critical
   Error
   Warning
   Informational

6. Select Get events that have occurred within the past 3 days, and then click OK.

Task 5: Run the Best Practices Analyzer for the DHCP role

1. On 10967A-LON-CL1, open Server Manager.

2. In the Server Manager console, click the DHCP node on the left side.

3. Scroll down to the Best Practices Analyzer section.

4. Click Tasks, and then click Start BPA Scan.

5. In the Select Servers dialog box, choose lon-svr3.Adatum.com, and then click Start Scan.

6. The BPA scan runs for approximately a minute, and warnings and errors should display.

7. Scroll through the results and determine what remains to be configured. You should see a message
   about authorizing the DHCP server in Active Directory and another stating that at least one IPv4
   scope should be configured.
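The role deployments of this exercise from the management workstation with the ServerManager module, as an added example that is not part of the original courseware, together with the two checks the lab leaves to the GUI: replaying the exported configuration XML from Task 3 and running the DHCP Best Practices Analyzer from Task 5. Assumptions: the RSAT from Task 1 is installed on LON-CL1, LON-SVR3 and LON-DC1 are reachable over WinRM, the XML path is where Task 3 saved the file (the wizard appends .xml), and the function name is this example's own.

```powershell
# Added example, not part of the original courseware: Tasks 1, 3 and 5 of this
# exercise driven from Windows PowerShell instead of Server Manager.
Import-Module ServerManager

# Task 1: infrastructure roles on LON-SVR3, print services on LON-DC1.
Install-WindowsFeature -Name DHCP, DNS -ComputerName LON-SVR3 -IncludeManagementTools
Install-WindowsFeature -Name Print-Services -ComputerName LON-DC1 -IncludeManagementTools -Restart

# Task 3: replay the wizard's exported configuration. The same file can target
# any server; only -ComputerName changes.
$xml = "$env:USERPROFILE\Documents\LON-DC1 DHCP Server Role Install.xml"
if (Test-Path $xml) {
    Install-WindowsFeature -ConfigurationFilePath $xml -ComputerName LON-DC1
}

# Task 5: run the DHCP BPA model on the target and keep only what needs action.
function Get-DhcpBpaFindings {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module BestPractices
        $model = 'Microsoft/Windows/DHCPServer'
        Invoke-BpaModel -ModelId $model | Out-Null
        Get-BpaResult -ModelId $model |
            Where-Object { $_.Severity -in 'Error', 'Warning' } |
            Select-Object Severity, Category, Title, Problem, Resolution
    }
}
Get-DhcpBpaFindings -ComputerName LON-SVR3
```

On a freshly installed LON-SVR3 the findings include the two the lab calls out: the server is not authorized in AD DS and no IPv4 scope exists. Re-run the function after fixing them to confirm the list is empty before the server goes into service.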

Task 6: Revert the lab virtual machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10967A-LON-SVR3 and 10967A-LON-DC1.

Results: After this exercise, you should have deployed all required roles and features.


Module 7: Implementing Active Directory

Lab: Implementing Active Directory Domain Services

Exercise 1: Promoting a New Domain Controller

Task 1: Add an additional domain controller

1. Ensure you are logged on to the 10967A-LON-SVR1 virtual machine as ADATUM\Administrator with
   the password Pa$$w0rd.

2. In Server Manager, click Manage, and then click Add Roles and Features.

3. Click Server Selection, and then click Next.

4. Select the Active Directory Domain Services check box, click Add Features, and then click Next.

5. Accept the default settings on the remaining pages, and then click Install.

6. Wait while the Active Directory Domain Services (AD DS) role and associated features are installed. It
   should take about two minutes.

7. Click Close to close the Add Roles and Features Wizard.

8. After the role is installed, click the Notifications flag, and then click Promote this server to a
   domain controller.

9. Verify that you are in the Active Directory Domain Services Configuration Wizard.

10. On the Deployment Configuration page, make the following changes, and then click Next.

    Select a deployment configuration: Add a domain controller to an existing domain
    Domain: Adatum.com
    Supply the credentials to perform this operation: accept the defaults

11. On the Domain Controller Options page, make the following changes, and then click Next.

    Clear Domain Name System (DNS) server
    Clear Global Catalog (GC)
    Directory Services Restore Mode (DSRM) password: Pa$$w0rd
    Confirm password: Pa$$w0rd

12. Accept the default settings on the Additional Options, Paths, and Review Options pages, clicking
    Next on each.

13. Wait for the Prerequisites Check to complete and make sure that all prerequisites pass. Warnings are
    acceptable; an error must be resolved before you continue.

14. Click Install, and then wait for the installation to complete and the computer to restart. It should take
    about two minutes before the server restarts.

Results: After this exercise, you will have promoted a new domain controller.
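The same promotion with the ADDSDeployment cmdlets, as an added example that is not part of the original courseware; these are the cmdlets the wizard itself exposes under View script on its Review Options page. Assumptions: an elevated session on LON-SVR1 as ADATUM\Administrator, and a DSRM password entered at a prompt rather than stored in the script; the variable names are this example's own.

```powershell
# Added example, not part of the original courseware: Exercise 1 as a script.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Domain credentials for promotion'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Step 13 equivalent: run the prerequisite check on its own first. Warnings are
# acceptable, as the lab says; an Error status stops the script before anything changes.
$check = Test-ADDSDomainControllerInstallation -DomainName 'Adatum.com' `
             -InstallDns:$false -NoGlobalCatalog `
             -SafeModeAdministratorPassword $dsrm -Credential $cred
$check | Select-Object Status, Message
if ($check.Status -eq 'Error') {
    throw 'Prerequisite check failed; resolve the reported error before promoting.'
}

# Steps 10 to 14: add a DC to Adatum.com with no DNS role and no global catalog,
# keeping the wizard's default database, log and SYSVOL paths.
Install-ADDSDomainController -DomainName 'Adatum.com' `
    -InstallDns:$false -NoGlobalCatalog `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Credential $cred -Force
```

The server restarts when the promotion completes. After logging back on, Get-ADDomainController -Identity LON-SVR1 should list the server with IsGlobalCatalog False, matching the options cleared in step 11, and repadmin /replsummary should show replication with LON-DC1 succeeding.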

Exercise 2: Creating an Organizational Unit

Task 1: Create an organizational unit

1. After LON-SVR1 has restarted, log on by using the following credentials:

   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum

2. In Server Manager, click Tools, and then click Active Directory Users and Computers.

3. In the navigation pane, right-click Adatum.com, point to New, and then click Organizational Unit.

4. In the Name box, type A Datum Merger Team, and then click OK.

5. In the navigation pane, double-click Adatum.com and verify that you have a new OU called A
   Datum Merger Team.

6. Close the Active Directory Users and Computers console by clicking the X in the top-right corner.

Results: After this exercise, you will have created a new organizational unit (OU).


Exercise 3: Configuring Accounts

Task 1: Add user accounts

1. Ensure you are still logged on to the 10967A-LON-SVR1 virtual machine.

2. In Server Manager, click Tools, and then click Active Directory Administrative Center.

3. Click Adatum (local), right-click A Datum Merger Team, point to New, and then click User.

4. In the Create User dialog box, in the First name box, type Christian.

5. In the Last name box, type Kemp.

6. In the User SamAccountName logon boxes, leave the domain as Adatum and type ChristianK as the
   name.

7. In the Password and Confirm password boxes, type Pa$$w0rd.

8. In the Account expires section, ensure that Never is selected.

9. In the Password options section, click Other password options, and then select the Password never
   expires check box.

   Note: Password never expires is a lab convenience. On a production account it switches off the
   password-expiry control that domain policy provides, and is a setting a later audit of the OU would
   flag.

10. Click OK.

11. In Active Directory Administrative Center, in the Windows PowerShell History section at the
    bottom of the console, click the arrow on the right side to display the Windows PowerShell
    commands generated when the user was created.

12. Right-click in the Windows PowerShell commands, click Select All, and then right-click and click
    Copy.

13. Open File Explorer, go to the C:\ drive, right-click, point to New, and then click Text Document.

14. Open the file, paste in the Windows PowerShell commands, and then save the text file.

15. Review the contents of the file to see how the new user was created.

16. Rename the text file Create User Account.ps1.

17. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and
    then click User.

18. As in the earlier steps, create a user with the following details:

    First name: Tony
    Last name: Allen
    User SamAccountName logon: TonyA
    Password: Pa$$w0rd
    Account expires: Never
    Password options: Password never expires

19. Click OK.

20. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and
    then click User.

21. As in the earlier steps, create a user with the following details:

    First name: Pia
    Last name: Lund
    User SamAccountName logon: PiaL
    Password: Pa$$w0rd
    Account expires: Never
    Password options: Password never expires

22. Click OK.

Task 2: Create groups

1. In Active Directory Administrative Center, right-click A Datum Merger Team, point to New, and
   then click Group.

2. In the Create Group dialog box, create a group with the following characteristics:

   Group name: Mergers and Acquisitions
   Group scope: Global
   Group type: Security

3. Click OK.

4. Again in Active Directory Administrative Center, right-click A Datum Merger Team, point to
   New, and then click Group.

5. In the Create Group dialog box, create a group with the following characteristics:

   Group name: Merger Team Management
   Group scope: Global
   Group type: Security

6. Click OK.

Task 3: Add members to groups

1. In Active Directory Administrative Center, double-click the A Datum Merger Team OU.

2. Locate and then click Christian Kemp.

3. While pressing the Ctrl key, click Pia Lund and Tony Allen.

4. Release the Ctrl key, right-click Tony Allen, and then click Add to group.

5. In the Select Groups dialog box, in the Enter the object names to select (examples) box, type
   Mergers and Acquisitions.

6. Click Check Names, and then click OK.

7. In Active Directory Administrative Center, under Adatum (local), in A Datum Merger Team,
   double-click Tony Allen.

8. In the Tony Allen properties dialog box, click the Member Of tab.

9. Click Add, and in the Enter the object names to select (examples) box, type Merger Team
   Management.

10. Click Check Names, and then click OK.

11. In the Tony Allen properties dialog box, click OK.

Task 4: Move a computer account

1. In Active Directory Administrative Center, click Adatum (local), and then locate and double-click
   Computers.

2. In the results pane, right-click LON-CL1, and then click Move.

3. In the Move dialog box, select A Datum Merger Team, and then click OK.

4. In Active Directory Administrative Center, click A Datum Merger Team and notice the presence of
   the LON-CL1 computer.

Task 5: Delegate control of the OU

1. Still on 10967A-LON-SVR1, in Server Manager, click Tools, and then click Active Directory Users
   and Computers.

2. Locate and right-click A Datum Merger Team, and then click Delegate Control.

3. In the Delegation of Control Wizard, on the Welcome to the Delegation of Control Wizard page, click
   Next.

4. On the Users or Groups page, click Add.

5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select
   (examples) box, type Merger Team Management, click Check Names, and then click OK.

6. On the Users or Groups page, click Next.

7. On the Tasks to Delegate page, select the Reset user passwords and force password change at
   next logon check box, and then click Next.

8. Click Finish. This task grants the group only the Reset Password control-access right and write
   access to the pwdLastSet attribute on user objects in the OU, which is all it needs. Delegating to a
   group rather than to an individual keeps the permission in one place as team membership changes.

Results: After this exercise, you will have created the necessary user accounts and groups, and moved the
LON-CL1 computer account into the OU.
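Exercises 2 and 3 with the ActiveDirectory module, as an added example that is not part of the original courseware; these are the same cmdlets Active Directory Administrative Center echoes in its Windows PowerShell History pane. The delegation step uses dsacls.exe to grant the two rights the wizard task grants, and then reads the OU's ACL back so the result is verified rather than assumed. Assumptions: an elevated session on LON-SVR1 (now a domain controller) as ADATUM\Administrator, the lab's OU, group and user names, and a function name that is this example's own.

```powershell
# Added example, not part of the original courseware: OU, users, groups,
# computer move and delegation from Windows PowerShell.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'A Datum Merger Team'
$ouDn     = "OU=$ouName,$domainDn"

# Exercise 2: the OU, protected from accidental deletion as ADAC does by default.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Exercise 3, Task 1: three users with the lab's settings. In production the
# shared password and PasswordNeverExpires would give way to a per-user initial
# password and -ChangePasswordAtLogon $true.
$initial = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$users = @(
    @{ First = 'Christian'; Last = 'Kemp';  Sam = 'ChristianK' },
    @{ First = 'Tony';      Last = 'Allen'; Sam = 'TonyA' },
    @{ First = 'Pia';       Last = 'Lund';  Sam = 'PiaL' }
)
foreach ($u in $users) {
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
               -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@adatum.com" `
               -Path $ouDn -AccountPassword $initial -Enabled $true -PasswordNeverExpires $true
}

# Task 2: two global security groups.
foreach ($g in 'Mergers and Acquisitions', 'Merger Team Management') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDn
}

# Task 3: memberships.
Add-ADGroupMember -Identity 'Mergers and Acquisitions' -Members ChristianK, TonyA, PiaL
Add-ADGroupMember -Identity 'Merger Team Management'   -Members TonyA

# Task 4: move the client's computer account into the OU.
Get-ADComputer -Identity LON-CL1 | Move-ADObject -TargetPath $ouDn

# Task 5: what the wizard's "Reset user passwords and force password change at
# next logon" task grants on user objects under the OU: the Reset Password
# control-access right, and read/write on pwdLastSet. /I:S applies to sub-objects.
$grantee = 'ADATUM\Merger Team Management'
dsacls $ouDn /I:S /G "${grantee}:CA;Reset Password;user"
dsacls $ouDn /I:S /G "${grantee}:RPWP;pwdLastSet;user"

# Read the ACL back through the AD: drive so the grant is verified, not assumed.
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$Dn, [string]$IdentityLike = '*')
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference -like $IdentityLike } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}
Get-OuDelegation -Dn $ouDn -IdentityLike '*Merger Team Management'
```

The final listing should show exactly two access rules for the group, both with InheritanceType Descendents and an InheritedObjectType equal to the user class GUID: one ExtendedRight (Reset Password) and one ReadProperty, WriteProperty on pwdLastSet. Anything broader than that means more was delegated than the task intended.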


Exercise 4: Creating a GPO

Task 1: Create a GPO

1. Make sure that you are logged on to 10967A-LON-DC1 as ADATUM\Administrator with the password
   Pa$$w0rd.

2. In Server Manager, point to Tools, and then click Group Policy Management.

3. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

4. In the navigation pane, right-click Group Policy Objects, and then click New.

5. In the New GPO dialog box, in the Name box, type A Datum Merger Team GPO, and then click OK.

6. Expand Group Policy Objects, right-click A Datum Merger Team GPO, and then click Edit.

7. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
   Windows Settings, and then click Scripts (Logon/Logoff).

8. In the results pane, double-click Logon.

9. In the Logon Properties dialog box, click Add.

10. In the Add a Script dialog box, click Browse.

11. In the Browse dialog box, right-click the No items match your search box, point to New, and then
    click Text Document.

12. Highlight the whole file name, including the file name extension, type logon.vbs, and then press
    Enter.

13. If you are prompted, in the Rename dialog box, click Yes.

14. Right-click logon.vbs, and then click Edit.

15. If you are prompted, in the Open File Security Warning dialog box, click Open.

16. In Notepad, type the following line. The message text must be enclosed in double quotes; without
    them the script fails at logon with a VBScript syntax error and no message box appears.

    msgbox "Welcome to the A Datum Merger Team"

17. Click File, and then click Save.

18. Close Notepad.

19. In the Browse dialog box, click Open.

20. Make sure that the Script Name is logon.vbs.

21. In the Add a Script dialog box, click OK.

22. In the Logon Properties dialog box, click OK.

23. Close the Group Policy Management Editor.

Task 2: Link a GPO

1. In the Group Policy Management console, in the navigation pane, expand Adatum.com, right-click
   A Datum Merger Team, and then click Link an Existing GPO.

2. In the Select GPO dialog box, in the Group Policy objects list, click A Datum Merger Team GPO,
   and then click OK.

Task 3: Test a GPO

1. Switch to 10967A-LON-CL1 and log off.

2. Log on by using the following credentials:

   User name: TonyA
   Password: Pa$$w0rd
   Domain: Adatum

3. Make sure that the logon script runs.

   Note: By default, the Start screen is displayed after logon; you may have to select Desktop to see
   the message box displayed by the logon script.
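Tasks 1 and 2 with the GroupPolicy module, as an added example that is not part of the original courseware. Creating and linking the GPO is cmdlet work; registering the logon script is left to the editor steps above, and the example instead checks the GPO's XML report to confirm the script is actually configured before the client test in Task 3. Assumptions: an elevated session on LON-DC1, the lab's GPO and OU names, and a function name that is this example's own.

```powershell
# Added example, not part of the original courseware: create, link and verify
# the A Datum Merger Team GPO from Windows PowerShell.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'A Datum Merger Team GPO'
$ouDn    = "OU=A Datum Merger Team,$((Get-ADDomain).DistinguishedName)"

# Task 1, steps 4 and 5: the GPO itself (re-runnable).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Merger team logon message' }

# Task 2: link it to the OU unless a link already exists.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

# Verification: parse the GPO report and look for a user logon script named logon.vbs.
# A GPO that is linked but carries no script still applies, but shows nothing at logon.
function Test-GpoHasLogonScript {
    param([Parameter(Mandatory)][string]$Name, [string]$ScriptName = 'logon.vbs')
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $scripts = $report.GPO.User.ExtensionData.Extension.Script
    [bool]($scripts | Where-Object { $_.Type -eq 'Logon' -and $_.Command -like "*$ScriptName" })
}

[pscustomobject]@{
    Gpo         = $gpoName
    LinkedTo    = ((Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }).Target
    LogonScript = Test-GpoHasLogonScript -Name $gpoName
}
```

LogonScript is False until the script has been added in the Group Policy Management Editor (Task 1, steps 6 to 23) and True afterwards. On the client, gpresult /r /scope:user run as TonyA after logon lists the GPO under Applied Group Policy Objects, which is the check to reach for when the message box does not appear.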

Task 4: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.

Results: After this exercise, you will have created a Group Policy Object (GPO) and linked it to the A
Datum Merger Team OU.


Module8: Implementing IT Security Layers

Lab: Implementing IT Security Layers


Exercise 1: Implementing Physical Security
Task 1: Read the supporting documentation
1.

Read email and the Incident Record to determine the possible problem causes.

2.

Read the A. Datum Network Security Policy Laptops document to determine if you must enforce
any changes at the branch based on corporate policies.

Task 2: Complete the incident record

1. Complete the Resolution section of the Incident Report by answering these questions.
2. What security policies apply to the branch office laptops as defined in the A. Datum Network Security Policy Laptops document?
Answer: All the policies apply.
3. What security concerns do you have about the branch offices?
Answer: If users can take their laptops home, this raises several security issues. First, the users are connecting to unmanaged networks (at home or possibly elsewhere) and then reconnecting to the corporate network. Second, the laptops are at risk of being lost or stolen.
Where branches have no dedicated room for servers, the servers are at risk of being physically damaged and possibly stolen.
External contract staff might intentionally or unintentionally introduce malicious code into the corporate network through the research department branch networks.
Use of removable storage devices by users might result in data compromise. Users might introduce, unintentionally or otherwise, malicious code that might damage data.
4. How would you address the concerns you might have about laptop use?
Answer: By implementing Network Access Protection (NAP), users can move their computers between various networks while maintaining the health integrity of the corporate network. Specifically, NAP isolates computers that do not meet health criteria.
Implement Encrypting File System (EFS) and Windows BitLocker Drive Encryption on laptops; in the event that the laptops are lost or stolen, the data on them would not be compromised.
5. How would you address the concerns you might have about the lack of dedicated server rooms?
Answer: Put the servers in a location that is least likely to result in their accidental damage.
If theft is a possibility, first make sure that the servers are physically secure. Then implement BitLocker Drive Encryption on all servers.
Additionally, where domain controllers are placed in branches and are not physically secured, and the branches contain servers that can work with read-only domain controllers (RODCs), such as Microsoft Exchange Server, implement RODCs.
6. How would you address the concerns you might have about contractor computer use?
Answer: Implement NAP to make sure that only computers that meet the network health requirements can connect.
Use access control to make sure that visitors can only access files and folders on which they have been granted permissions; make sure that you assign permissions sparingly.
7. How would you address the concerns you might have about removable storage devices?
Answer: Use a Group Policy Object (GPO) to restrict the kinds of device that users can use. If you can, block all use of external universal serial bus (USB) storage devices.
8. Complete the following resolution section with a summary of your proposals.
Answers:
Enable and configure BitLocker and EFS on portable computers.
Enable and configure BitLocker on servers.
Deploy only RODCs to branches, not writable domain controllers (DCs).
Implement NAP.
Implement a GPO to restrict USB storage device usage.
Configure restrictive file permissions.

Results: After this exercise, you should have completed the incident record.


Exercise 2: Configuring Security Settings in Windows Internet Explorer

Task 1: Verify the current Internet Explorer security settings
1. Make sure that you are logged on to the 10967A-LON-DC1 virtual machine with user account ADATUM\Administrator and password Pa$$w0rd.
2. Go to the Start page and open Internet Explorer.
3. Right-click beside the tabs at the top of the Internet Explorer window, select the Menu bar, click Tools, and then click Internet Options.
4. In the Internet Options dialog box, click the Security tab.
5. In the Select a zone to view or change security settings list, click Local intranet.
6. What is the current security level for this zone?
Answer: Medium-low.

Task 2: Change the Intranet Zone security settings

1. Under Security level for this zone, move the slider to High.
2. Select the Enable Protected Mode (requires restarting Internet Explorer) check box, and then click OK.

Task 3: Test the security settings

1. Open Internet Explorer.
2. Right-click beside the tabs at the top of the Internet Explorer window and select Status bar.
3. Repeat step 2 for the Menu bar and Command bar.
4. In the Address bar, type http://lon-dc1/intranet, and then press Enter.
5. Right-click on the A. Datum Intranet Home Page and choose Properties.
6. What security zone is this website listed as being in?
Answer: Internet.
7. Is protected mode turned on or off for this website?
Answer: Off.
8. Click OK to close the Properties dialog.
9. On the A. Datum Intranet Home page, click Current Projects.
10. If you receive a warning message prompting you to add the web site to your trusted zones, click Close.
11. Read the Information Bar at the bottom of the screen. What is the problem?
Answer: An add-on for this website failed to run.
12. Click Tools, and then click Manage Add-ons.
13. Can you see a Tabular Data Control Add-on?
Answer: No.
14. What is the default search provider?
Answer: Bing.
15. Click on Bing and examine the options that are available.
16. In the Manage Add-ons dialog box, click Close.
17. Close the A. Datum Projects webpage.

Task 4: Add the website to the Trusted Sites list

1. On the A. Datum Intranet Home page, click Tools, and then click Internet Options.
2. In the Internet Options dialog box, click the Security tab.
3. In the Select a zone to view or change security settings list, click Trusted sites.
4. What is the current security level for this zone?
Answer: Medium.
5. Click Sites.
6. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box, click Add, and then click Close.
7. In the Internet Options dialog box, click OK.
8. In the Address bar, type http://lon-dc1/intranet, and then press Enter.
9. Right-click on the A. Datum Intranet Home Page and choose Properties.
10. What security zone is this website listed as being in now?
Answer: Trusted sites.

Task 5: Test the security zone change

1. On the A. Datum Intranet home page, click Current Projects.
2. Did the projects list populate?
Answer: Yes.
3. Click Tools, and then click Manage Add-ons.
4. Can you see a Tabular Data Control Add-on?
Answer: Yes.
5. In the Manage Add-ons dialog box, click Close.
6. Close the A. Datum Projects webpage.
7. Close the A. Datum Intranet home page.
8. Open Internet Explorer, click Tools, and then select ActiveX Filtering.
9. Go to www.microsoft.com.
10. Notice a blue circle with a line through the middle now present in the address bar. Click on this icon.
11. A message appears stating that some content is filtered on this site and you have the option to Turn off ActiveX Filtering.
12. Click the Turn off ActiveX Filtering button.
13. Click on the blue circular icon in the address bar again and notice the message now states No content is filtered on this site.
14. Click Tools, then click Manage Add-ons, examine the various Add-on Types, and then click Close.
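Everything the Internet Options dialog changes in Tasks 1 to 5 (zone level, Protected Mode, the Trusted Sites mapping) is stored under the user's Internet Settings registry key, so the state of a machine can be audited without clicking through the UI. The following is an added example, not from the courseware; the CurrentLevel and 2500 encodings are Internet Explorer's documented zone-setting values, and the lab's expected results (Local intranet at Medium-low with Protected Mode off before Task 2, lon-dc1 mapped to Trusted sites after Task 4) are what it should report at those points.

```powershell
# Added example (not from the courseware): report the per-user Internet
# Explorer zone configuration that Internet Options edits. Assumes the
# standard IE zone registry layout; policy-managed zones live under HKLM
# (or Policies) and override what is read here.
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# CurrentLevel values behind the slider positions.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Get-IeZoneReport {
    foreach ($id in 1..4) {
        $z = Get-ItemProperty -Path "$zonesKey\$id"
        $level = $levelNames[[int]$z.CurrentLevel]
        if (-not $level) { $level = ('Custom (0x{0:X})' -f $z.CurrentLevel) }
        # Value 2500 is "Turn on Protected Mode": 0 = enabled, 3 = disabled.
        $pm = switch ($z.'2500') { 0 { 'On' } 3 { 'Off' } default { 'Unknown' } }
        [pscustomobject]@{ Zone = $zoneNames[$id]; Level = $level; ProtectedMode = $pm }
    }
}

function Get-IeZoneMappings {
    # Each host added via the Sites button becomes a subkey; the value named after
    # the scheme (http, https or *) holds the zone number it was placed in.
    Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            if ($null -ne $p.$scheme) {
                [pscustomobject]@{ Host = $_.PSChildName; Scheme = $scheme; Zone = $zoneNames[[int]$p.$scheme] }
            }
        }
    }
}

Get-IeZoneReport   | Format-Table -AutoSize
Get-IeZoneMappings | Format-Table -AutoSize
```

Reading the mapping explains the lab's result in Task 4: clearing "Require server verification (https:)" is what lets a plain http entry for lon-dc1 be written, and from then on the site is treated with the Trusted sites level (Medium) rather than the High level you set on the intranet zone, so the Tabular Data Control add-on is allowed to load again.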


Task 6: View Security Report

1. Go to the website https://www.microsoft.com.
2. Notice the lock icon that now appears in the address bar.
3. Click the lock icon.
4. A website identification dialog appears that contains information about the identity of the website and, if the site has a certificate, who (if anyone) has identified the site. You can also view the certificate.

Task 7: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Results: After this exercise, you should have modified Internet Explorer security settings.

Module 9: Implementing Security in Windows Server

Lab: Implementing Security in Windows Server

Exercise 1: Configuring a Fine Grained Password Policy
Task 1: Create a shadow security group for the Research group
1. Ensure you are logged on to 10967A-LON-DC1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Open Server Manager, navigate to Tools, and select Active Directory Administrative Center.
3. Right-click Adatum (local), select New, and then select Group.
4. In the Create Group: dialog, enter Research Shadow Group and ensure the following:
Group type: = Security
Group scope: = Global
5. Click OK.
6. Double-click on the Research group and view all the members.
7. Select all the members within the Research group by clicking the first name in the list, pressing the Shift key, then scrolling down and clicking the last name in the list.
8. Ensure all the members are highlighted, then select Add to Group.
9. In the Select Groups dialog, in the Enter the object names to select (examples): section, type Research, and then click Check Names.
10. In the Multiple Names Found dialog, select Research Shadow Group and click OK twice.
11. In the Active Directory Domain Services dialog box, click OK.
12. Open the Research Shadow Group and view the Members to ensure all members have been added successfully.

Task 2: Create a fine-grained password policy and apply it to the Research group
1. Ensure you are logged on to 10967A-LON-DC1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Open Server Manager, go to Tools, and select Active Directory Administrative Center.
3. Click Adatum (local), double-click on System, and then double-click the Password Settings Container.
4. In the Password Settings Container area, right-click, select New, and then select Password Settings.
5. In the Create Password Settings: dialog, enter the following settings:
Name: Research Password Policy
Precedence: 1
Minimum password length (characters): 10
Number of passwords remembered: 20
Password must meet complexity requirements: Yes
User cannot change the password within (days): 1
Users must change the password after (days): 30
Protect from accidental deletion: Yes
6. In the Directly Applies To section, click Add. In the Select Users or Groups dialog, in the Enter the object names to select (examples): section, type Research, then click Check Names. Research Shadow Group should appear; then click OK.
7. Click OK to close the Create Password Settings dialog.

Task 3: Verify new user password policy settings

1. Sign in to 10967A-LON-CL1 with username ADATUM\Maxim and password Pa$$w0rd.

Note: ADATUM\Maxim is a member of the Research group.

2. When logged in, send a Ctrl+Alt+Del to the virtual machine to get the option to change the password.
3. Select Change a password.
4. On the Change a password screen, enter Max's current password = Pa$$w0rd.
5. Now attempt to create a new password = password.
You receive a message saying Unable to update the password/The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
6. Now attempt to create a different new password = Pa$$w0rd1.
Again you receive a message saying Unable to update the password/The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
7. Now attempt to create another, more complex, new password = Pa$$w0rd012.
The password is accepted because it is longer than the 10-character minimum you specified in the fine-grained password policy and meets the complexity requirements.
8. Now log on to 10967A-LON-CL1 with user name ADATUM\Franz and password Pa$$w0rd.

Note: ADATUM\Franz is a member of the Sales group.

9. When logged in, send a Ctrl+Alt+Del to the virtual machine to get the option to change the password.
10. Select Change a password.
11. On the Change a password screen, enter Franz's current password = Pa$$w0rd.
12. Now attempt to create a new password = Pa$$w0rd1.
You are successful and the password is changed. It meets the complexity requirements, and because Franz is not a member of the Research group he is not required to have a minimum password length of 10 characters, so the 9 characters he entered are sufficient.
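Tasks 1 to 3 as one script, as an added example that is not part of the courseware. It uses the ActiveDirectory module on LON-DC1 (assumed available, as on any domain controller) with the lab's names and values, and replaces the two interactive password changes of Task 3 with the resultant-policy query, which is the check an administrator would run to see which password settings object (PSO) a given account is really getting.

```powershell
# Added example (not from the courseware): shadow group + fine-grained password
# policy (PSO) from Tasks 1-2, then the per-user resultant policy from Task 3.
# Assumes: run on LON-DC1 as a Domain Admin; group "Research" and users
# Maxim (Research) and Franz (Sales) exist as in the lab.
Import-Module ActiveDirectory

$shadow = 'Research Shadow Group'
$pso    = 'Research Password Policy'

# Task 1. A PSO can only be applied to users and global security groups, not to an
# OU, which is why the lab mirrors the Research membership into a dedicated group.
# Without -Path the group lands in the default Users container (ADAC's "Adatum (local)").
New-ADGroup -Name $shadow -GroupScope Global -GroupCategory Security `
    -Description 'Mirrors Research membership for the Research Password Policy PSO'
$members = Get-ADGroupMember -Identity 'Research' -Recursive | Where-Object objectClass -eq 'user'
Add-ADGroupMember -Identity $shadow -Members $members

# Task 2. Exactly the values entered in the dialog. Precedence decides which PSO
# wins when a user is covered by several; the lowest number applies.
New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 1 `
    -MinPasswordLength 10 `
    -PasswordHistoryCount 20 `
    -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $shadow

# Task 3 without logging on as each user. A $null result means no PSO applies and
# the Default Domain Policy password settings are in force for that account.
function Get-EffectivePasswordPolicy {
    param([string[]]$User)
    $domainDefault = Get-ADDefaultDomainPasswordPolicy
    foreach ($u in $User) {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $u
        [pscustomobject]@{
            User      = $u
            Policy    = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MinLength = if ($effective) { $effective.MinPasswordLength } else { $domainDefault.MinPasswordLength }
            History   = if ($effective) { $effective.PasswordHistoryCount } else { $domainDefault.PasswordHistoryCount }
        }
    }
}

# Expected: Maxim -> Research Password Policy (MinLength 10); Franz -> Default Domain Policy.
Get-EffectivePasswordPolicy -User 'Maxim', 'Franz' | Format-Table -AutoSize
```

The shadow group is a point-in-time copy: a user added to Research later is not covered by the PSO until the mirroring is repeated, so in production the membership sync is scheduled or the PSO is applied to the real group directly when that group is already a global security group.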

Results: After this exercise, you should have configured Password and Account Lockout settings in
Account Policies.


Exercise 2: Securing NTFS Files and Folders

Task 1: Create the C:\Research folder structure
1. Ensure you are logged on to 10967A-LON-SVR1 with username ADATUM\Administrator and password Pa$$w0rd.
2. Click Computer, double-click Local Disk (C:), and then on the top toolbar, click the New folder icon.
3. Type Research in the folder name box, and then press Enter.
4. Double-click the Research folder.
5. On the toolbar, click New folder.
6. Type Classified in the folder name box, and then press Enter.
7. On the toolbar, click New folder.
8. Type Projects in the folder name box, and then press Enter.

Task 2: Assign appropriate NTFS file and folder permissions to the folder structure
1. Click the Back button. Then right-click the Research folder, and click Properties.
2. In the Research Properties dialog box, click the Security tab, and then click Advanced.
3. Click the Disable inheritance button.
4. In the Block Inheritance window, click Convert inherited permissions into explicit permissions on this object.
5. Click OK to close the Advanced Security Settings for Research window.
6. In the Research Properties dialog box, on the Security tab, click Edit.
7. Select Users (LON-SVR1\Users), and then click Remove.
8. In the Permissions for Research dialog box, click Add.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adatum\Research, and click Check Names.
10. In the Multiple Names Found dialog, select Research, click OK, and then click OK again.
11. In the Group or user names box, click Research (ADATUM\Research).
12. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and then click OK.
13. In the Research Properties window, click OK.
14. Double-click the Research folder, right-click the Classified folder, and then click Properties.
15. In the Classified Properties dialog box, on the Security tab, click Advanced.
16. In the Advanced Security Settings for Classified dialog box, click the Disable inheritance button.
17. In the Block Inheritance dialog box, select Convert inherited permissions into explicit permissions for this object.

Note: Clicking the Remove All Inherited Permissions From This Object selection removes all NTFS permissions for the folder, including your permissions as administrator. This prohibits you from making any changes to the folder, including assigning permissions.

18. In the Advanced Security Settings for Classified dialog box, click OK.
19. In the Classified Properties dialog box, on the Security tab, click Edit.
20. In the Permissions for Classified dialog box, in the Group or user names box, click Research (ADATUM\Research), and then click the Remove button.
21. In the Permissions for Classified dialog box, click Add.
22. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type ADATUM\Allie, click Check Names, and then click OK.
23. In the Group or user names box, click Allie Bellew (ADATUM\Allie).
24. In the Permissions for Allie Bellew section, next to Full Control, select the Allow check box, and then click OK.
25. In the Classified Properties window, click OK.

Task 3: Share the C:\Research folder on the network and set appropriate shared folder permissions
1. Click the Back button. Then right-click the Research folder, and click Properties.
2. In the Research Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
3. Select the Share this folder check box, leave the Share name as Research, and then click the Permissions button.
4. In the Permissions for Research dialog box, in the Group or user names box, click Everyone, and then click the Remove button.
5. In the Permissions for Research dialog box, click Add.
6. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adatum\Research, and click Check Names.
7. In the Multiple Names Found dialog, select Research, click OK, and then click OK again.
8. In the Group or user names box, click Research (ADATUM\Research).
9. In the Permissions for Research dialog box, next to Full Control, select the Allow check box, and then click OK.
10. In the Advanced Sharing dialog box, click OK.
11. In the Research Properties dialog box, click Close.
12. Close File Explorer.
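The folder structure, NTFS permissions and share from Tasks 1 to 3 as a script, added here as an example that is not part of the courseware. It assumes it runs on LON-SVR1 as ADATUM\Administrator and that the ADATUM\Research group and the user ADATUM\Allie exist. The helper does the two-step dance the dialog hides: inheritance has to be disabled and saved before the converted entries become explicit and can be removed, and the Administrators, SYSTEM and CREATOR OWNER entries are deliberately kept, for the reason the lab's note gives.

```powershell
# Added example (not from the courseware): C:\Research structure, NTFS ACLs and
# SMB share from Tasks 1-3. Assumes LON-SVR1, ADATUM\Administrator, and that the
# principals ADATUM\Research and ADATUM\Allie exist (lab names).
$root = 'C:\Research'
New-Item -ItemType Directory -Path "$root\Classified", "$root\Projects" -Force | Out-Null

function Set-FolderAcl {
    param(
        [string]$Path,
        [string[]]$FullControl,            # principals that get Full Control
        [string[]]$Remove = @()            # explicit entries to drop after conversion
    )
    # "Disable inheritance" + "Convert inherited permissions into explicit
    # permissions": isProtected = $true, preserveInheritance = $true. The
    # conversion only happens when the ACL is written, so save and re-read.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path

    # Drop the entries the lab removes (BUILTIN\Users on Research, the inherited
    # Research entry on Classified). Administrators/SYSTEM/CREATOR OWNER stay;
    # removing them would lock the administrator out, as the lab's note warns.
    foreach ($rule in @($acl.Access)) {
        if ($rule.IdentityReference.Value -in $Remove) { [void]$acl.RemoveAccessRuleAll($rule) }
    }
    foreach ($who in $FullControl) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Task 2: Research -> ADATUM\Research; Classified -> only ADATUM\Allie.
Set-FolderAcl -Path $root              -FullControl 'ADATUM\Research' -Remove 'BUILTIN\Users'
Set-FolderAcl -Path "$root\Classified" -FullControl 'ADATUM\Allie'    -Remove 'ADATUM\Research'

# Task 3: share with Full Control for Research only. Share and NTFS permissions
# combine with the more restrictive one winning: Bill (not in Research) is stopped
# at the share, Olivier (Research) passes the share but is stopped by NTFS at Classified.
New-SmbShare -Name 'Research' -Path $root -FullAccess 'ADATUM\Research' | Out-Null
if (Get-SmbShareAccess -Name 'Research' | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name 'Research' -AccountName 'Everyone' -Force | Out-Null
}

# Verification: explicit entries per folder and the share ACL (compare with Task 4).
foreach ($p in $root, "$root\Classified", "$root\Projects") {
    "`n$p"
    (Get-Acl -Path $p).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
Get-SmbShareAccess -Name 'Research' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Projects is left inheriting from Research on purpose, which is why Olivier can open it in Task 4; if a later change grants a group access at the Research level, Projects silently inherits it while Classified does not, so the verification listing is worth re-running after any change to the parent.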

Task 4: Test access to C:\Research folders

1. Log on to 10967A-LON-CL1 with username ADATUM\Bill and password Pa$$w0rd.

Note: ADATUM\Bill is a member of the Manager group. He is not a member of the Research group.

2. Hover the mouse over the lower-left corner; when the Start menu appears, right-click it, and then go to the Run command.
3. Enter \\LON-SVR1 and press Enter.
4. Once connected, double-click on the folder share Research.
5. Does ADATUM\Bill have access to the Research folder?
Answer: No. ADATUM\Bill is not a member of the Research group.
6. Sign out as Bill.
7. Log on as ADATUM\Olivier with password Pa$$w0rd.
8. Does ADATUM\Olivier have access to the Research\Projects folder?
Answer: Yes. ADATUM\Olivier is a member of the Research group.
9. Does ADATUM\Olivier have access to the Research\Classified folder?
Answer: No. The Classified folder is restricted to only allow Allie Bellew access.
10. Sign out as Olivier.
11. Log on as ADATUM\Allie with password Pa$$w0rd.
12. Does ADATUM\Allie have access to the Research\Projects folder?
Answer: Yes.
13. Does ADATUM\Allie have access to the Research\Classified folder?
Answer: Yes.

Results: After this exercise, you should have secured NTFS and shared folders.

Exercise 3: Encrypting Files and Folders

Task 1: Encrypt files and folders by using EFS
1. Ensure you are logged on to 10967A-LON-SVR1 with username ADATUM\Administrator and password Pa$$w0rd.
2. On the desktop, click File Explorer on the bottom toolbar, click Computer, and then double-click Local Disk (C:).
3. In the right pane, double-click the Research folder.
4. In the right pane, double-click the Classified folder.
5. In the right pane, right-click, point to New, and then click Text Document.
6. Rename the New Text Document file as Personal.
7. In the left column, double-click Local Disk (C:), and then click the Research folder.
8. In the right column, right-click the Classified folder, and then click Properties.
9. In the Classified Properties dialog box, on the General tab, click the Advanced button.
10. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.
11. In the Classified Properties dialog box, click OK.
12. In the Confirm Attribute Changes message box, ensure that Apply changes to this folder, subfolders and files is selected, and then click OK.
Note: If you receive an error saying cannot access the file, you can click Ignore and continue.
13. Ensure the Personal.txt filename now displays in green text. This indicates it has been encrypted.
14. Verify you can double-click the Personal.txt file and view the contents successfully.
15. Close File Explorer, and then sign out of 10967A-LON-SVR1.

Task 2: Confirm that files are encrypted

1. Sign in to 10967A-LON-SVR1 with user name ADATUM\Olivier and password Pa$$w0rd.
2. On the desktop, click File Explorer, click Computer, and then double-click Local Disk (C:).
3. In the right pane, double-click the Research folder.
4. In the right pane, double-click the Classified folder, click Continue, and then type the Administrator password Pa$$w0rd in the User Account Control dialog box.
5. In the right pane, notice that the file is green. Double-click Personal, and confirm that a message box appears that informs you that Access is denied. Then click OK.
6. Close Notepad.
7. Close File Explorer and sign out of 10967A-LON-SVR1.

Task 3: Decrypt files and folders

1. Log on to 10967A-LON-SVR1 as ADATUM\Administrator with a password of Pa$$w0rd.
2. On the desktop, click the File Explorer icon, click Computer, and then double-click Local Disk (C:).
3. In the right pane, double-click the Research folder.
4. In the right pane, right-click the Classified folder, and then click Properties.
5. In the Classified Properties dialog box, click the Advanced button.
6. In the Advanced Attributes dialog box, clear the Encrypt contents to secure data check box, and then click OK.
7. In the Classified Properties dialog box, click OK.
8. In the Confirm Attribute Changes message box, ensure that Apply changes to this folder, subfolders and files is selected, and then click OK.
9. Close File Explorer.
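Tasks 1 to 3 driven from the command line, as an added example that is not part of the courseware. It runs on LON-SVR1 as ADATUM\Administrator and assumes the C:\Research\Classified folder from Exercise 2 exists; the file content is constructed sample data. The interesting part is the check in the middle: cipher /c lists which certificates can decrypt the file, which is why Olivier gets Access is denied in Task 2 even after he has passed the UAC prompt.

```powershell
# Added example (not from the courseware): encrypt, inspect and decrypt the
# lab folder with cipher.exe. Assumes LON-SVR1, ADATUM\Administrator, and the
# folder C:\Research\Classified from Exercise 2.
$folder = 'C:\Research\Classified'
$file   = Join-Path $folder 'Personal.txt'
Set-Content -Path $file -Value 'constructed sample content for the EFS lab'   # constructed test data

function Test-EfsEncrypted {
    param([string]$Path)
    # The Encrypted attribute is what File Explorer renders as a green file name.
    ((Get-Item -Path $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
}

# Task 1: "Encrypt contents to secure data" applied to the folder, its
# subfolders (/s) and the files already in them (/a).
cipher.exe /e /a "/s:$folder" | Out-Null
"Encrypted after Task 1: $(Test-EfsEncrypted $file)"      # expected True

# Who can open the file: the users (identified by certificate thumbprint) in the
# file's data decryption field and any data recovery agent. Only those keys can
# unwrap the file encryption key. NTFS Full Control does not add a name here, so
# another account with permissions on the folder still gets Access is denied.
cipher.exe /c $file

# Task 3: clear the attribute on the whole tree again.
cipher.exe /d /a "/s:$folder" | Out-Null
"Encrypted after Task 3: $(Test-EfsEncrypted $file)"      # expected False
```

If the cipher /c output lists no recovery agent, the Administrator's EFS certificate is the only key that can ever open the file; losing that profile (or reverting the VM without exporting the certificate) makes the data unrecoverable, which is the case for configuring a domain data recovery agent before EFS is rolled out to users.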

Task 4: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-DC1 and 10967A-LON-CL1.

Results: After this exercise, you should have encrypted and decrypted files and folders by using Encrypting File System (EFS).

Module 10: Implementing Network Security

Lab: Implementing Network Security


Exercise 1: Configuring Windows Firewall with Advanced Security

Task 1: Turn off website caching and verify connectivity to the World Wide Web service
1. Ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer and click on the wheel icon in the top right side, then select Internet Options.
3. In the Internet Options dialog, on the General tab, go to the Browsing History section, then click on Settings.
4. Go to the Caches and databases tab and uncheck the Allow website caches and databases checkbox, then click OK.
5. On the General tab in Internet Options, check the Delete browsing history on exit checkbox and then click on the Delete button.
6. Check all checkboxes in the Delete Browsing History dialog and click Delete.
Notice the presence of the Internet Explorer has finished deleting the selected browsing history message in the Internet Explorer window.
7. Click OK on the Internet Options dialog.
8. Close Internet Explorer.
9. Open Internet Explorer again and in the address bar type http://LON-DC1/Intranet.
10. Are you able to connect?
Answer: Yes, by default you are able to connect to the URL.
11. Close Internet Explorer.

Task 2: Configure a new firewall rule to block access to the World Wide Web service
1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click on Tools, then select Windows Firewall with Advanced Security.
3. In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
4. Right-click Inbound Rules and then click New Rule.
5. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined:
6. In the drop-down box, select World Wide Web Services (HTTP) and then click Next.
7. On the Predefined Rules page, in the Rules: section, check the World Wide Web Services (HTTP Traffic-In) checkbox, scroll across the rule and understand the settings that are configured, and click Next.
8. On the Action page, click Block the connection and click Finish.
9. In the Windows Firewall with Advanced Security management console, in the Inbound Rules pane, click on the Name column to sort the rules by name, then locate the inbound rule you just configured. It should have a red circle with a line through it.
10. Double-click on the rule and verify that the settings in the tabs represent what you configured. Click OK once you are finished.

Task 3: Test World Wide Web service access

1. Ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer and in the address bar type http://LON-DC1/Intranet.
3. Are you able to connect?
Answer: No, you are unable to connect to the URL and view the company Intranet site. You receive a message stating This page can't be displayed.
4. Close Internet Explorer.

Task 4: Allow access to the World Wide Web service

1. Switch virtual machines and ensure you are signed on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, click on Tools, then select Windows Firewall with Advanced Security.
3. In Windows Firewall with Advanced Security, in the navigation pane, click Inbound Rules.
4. Locate the World Wide Web Services (HTTP Traffic-In) rule that you configured earlier, right-click it, and select Properties.
5. On the General tab, in the Action section, click Allow the connection, then click OK.
Notice that the icon now changes to a green circle with a white tick in the middle.

Task 5: Verify World Wide Web access has been restored

1. Switch virtual machines again and ensure you are signed on to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. Open Internet Explorer and in the address bar type http://LON-DC1/Intranet.
3. Are you able to connect?
Answer: Yes, you are able to connect to the URL as was originally the case.
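Tasks 2 to 5 with the NetSecurity module, as an added example that is not part of the courseware. It assumes the server side runs on LON-DC1 as ADATUM\Administrator; instead of selecting the predefined World Wide Web Services (HTTP) rule it creates an explicitly named rule with the same effect (inbound TCP 80) so that later cmdlets can address it unambiguously. The client-side probe uses Test-NetConnection, which needs Windows 8.1 / Server 2012 R2 or later on LON-CL1 (an assumption; on older clients use the browser as the lab does).

```powershell
# Added example (not from the courseware): block, test, allow, re-test for
# inbound HTTP. Assumes LON-DC1 hosts the intranet site and that the rule
# name 'ADatum-HTTP-In' is free (constructed name).
$ruleName = 'ADatum-HTTP-In'

# Task 2: a Domain-profile block rule for inbound TCP 80 (what the predefined
# "World Wide Web Services (HTTP Traffic-In)" rule matches).
New-NetFirewallRule -Name $ruleName -DisplayName 'World Wide Web Services (HTTP Traffic-In) - lab' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Profile Domain -Action Block | Out-Null

function Get-HttpRuleState {
    # The scripted equivalent of reading the red/green icon in the console.
    Get-NetFirewallRule -Name $ruleName |
        Select-Object DisplayName, Enabled, Direction, Action, Profile
}
Get-HttpRuleState

# Task 3, from LON-CL1: TcpTestSucceeded is $false while the block rule is active.
# A TCP probe avoids the stale-page problem that Task 1 clears the browser cache for.
Test-NetConnection -ComputerName LON-DC1 -Port 80 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Task 4: change the action on the same rule instead of adding a second one.
# Block rules take precedence over allow rules for the same traffic, so an
# extra Allow rule alongside the Block rule would not restore access.
Set-NetFirewallRule -Name $ruleName -Action Allow
Get-HttpRuleState

# Task 5, from LON-CL1 again: TcpTestSucceeded is now $true.
Test-NetConnection -ComputerName LON-DC1 -Port 80 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

A block rule on port 80 at the domain controller also affects every other host that uses the intranet site, not only LON-CL1; narrowing the rule with -RemoteAddress (or -Program for the w3wp worker process) is how the same action is scoped to the traffic the change is really meant for.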

Results: After this exercise, you should have created and tested an inbound firewall rule to control access
to the world wide web service.


Exercise 2: Create a Server to Server Connection Security Rule

Task 1: Enable ICMPv4 traffic
1. Ensure you are logged on to the 10967A-LON-DC1 virtual machine with username ADATUM\Administrator and password Pa$$w0rd.
2. In Server Manager, go to Tools, then select Windows Firewall with Advanced Security.
3. Right-click Inbound Rules and then click New Rule.
4. In the New Inbound Rule Wizard dialog box, click Custom, and then click Next.
5. On the Programs page, click Next.
6. On the Protocols and Ports page, in the Protocol type list, click ICMPv4 and then click Next.
7. On the Scope page, click Next.
8. On the Action page, click Allow the connection if it is secure, and then click Next.
9. On the Users page, click Next.
10. On the Computers page, click Next.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type ICMPv4 allowed and then click Finish.

Task 2: Create a Server to Server Connection Security rule

1. Still on 10967A-LON-DC1.
2. Right-click Connection Security Rules and then click New Rule.
3. In the New Connection Security Rule Wizard, click Server-to-Server and then click Next.
4. On the Endpoints page, click Next.
5. On the Requirements page, click Request authentication for inbound and outbound connections and then click Next.
6. On the Authentication Method page, click Advanced, and then click Customize.
7. In the Customize Advanced Authentication Methods dialog box, under First authentication, click Add.
8. In the Add First Authentication Method dialog box, click Preshared Key, type secret and then click OK.
9. In the Customize Advanced Authentication Methods dialog box, click OK.
10. On the Authentication Method page, click Next.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type A Datum-Server-to-Server and click Finish.

Task 3: Create a Server to Server Connection Security rule on a member server

1. Switch to 10967A-LON-SVR1 and ensure you are logged on as ADATUM\Administrator with password Pa$$w0rd.
2. In Server Manager, go to Tools, then select Windows Firewall with Advanced Security.
3. Right-click Connection Security Rules and then click New Rule.
4. In the New Connection Security Rule Wizard, click Server-to-Server and then click Next.
5. On the Endpoints page, click Next.
6. On the Requirements page, click Require authentication for inbound and outbound connections and then click Next.
7. On the Authentication Method page, click Advanced, and then click Customize.
8. In the Customize Advanced Authentication Methods dialog box, under First authentication, click Add.
9. In the Add First Authentication Method dialog box, click Preshared Key, type secret and then click OK.
10. In the Customize Advanced Authentication Methods dialog box, click OK.
11. On the Authentication Method page, click Next.
12. On the Profile page, click Next.
13. On the Name page, in the Name box, type A Datum-Server-to-Server and click Finish.

Task 4: Verify the Server to Server Connection Security rule

1. Still on 10967A-LON-SVR1.
2. Open a Command Prompt with administrative privileges.
3. At the Command Prompt, type ping LON-DC1 and press Enter.
4. Switch to Windows Firewall with Advanced Security.
5. Expand Monitoring, expand Security Associations, and then click Main Mode.
6. In the right pane, double-click the listed item.
7. View the information in Main Mode, and then click OK.
8. Click Quick Mode.
9. In the right pane, double-click the listed item.
10. View the information in Quick Mode, and then click OK.
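Tasks 1 to 4 as one script to run on each of the two servers, added here as an example that is not part of the courseware. It assumes the NetSecurity module on LON-DC1 and LON-SVR1, ADATUM\Administrator on both, and takes the lab's difference between the two ends as a parameter (Request on the domain controller in Task 2, Require on the member server in Task 3); the rule and auth-set display names are constructed from the lab's names.

```powershell
# Added example (not from the courseware): ICMPv4 "allow if secure" rule, a
# server-to-server IPsec rule with the lab's preshared key, and the SA check
# from Task 4. Run once per server; -Security Request on LON-DC1, Require on LON-SVR1.
param(
    [ValidateSet('Request', 'Require')][string]$Security = 'Request'
)

# Task 1: ICMPv4 is allowed only on an IPsec-authenticated connection
# ("Allow the connection if it is secure" = -Authentication Required).
New-NetFirewallRule -Name 'ADatum-ICMPv4-Secure' -DisplayName 'ICMPv4 allowed' `
    -Direction Inbound -Protocol ICMPv4 -Action Allow -Authentication Required | Out-Null

# Tasks 2/3: phase 1 (main mode) authentication. A preshared key is the weakest
# choice the wizard offers: it is stored in clear text in the policy and is the
# same on every peer. In a domain the computer Kerberos default needs no shared
# secret and is what a production rule would use; the PSK is kept here to match the lab.
$psk     = New-NetIPsecAuthProposal -Machine -PreSharedKey 'secret'
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'A Datum PSK auth' -Proposal $psk

# Request: negotiate IPsec when the peer can, fall back to clear text otherwise.
# Require: drop the connection if the peer will not authenticate.
New-NetIPsecRule -DisplayName 'A Datum-Server-to-Server' `
    -InboundSecurity $Security -OutboundSecurity $Security `
    -Phase1AuthSet $authSet.Name | Out-Null

# Task 4: generate traffic, then read what the console shows under
# Monitoring > Security Associations. An empty Main Mode list after the ping
# means negotiation failed (key mismatch or an unreachable peer).
ping.exe LON-DC1 | Out-Null
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, CipherAlgorithm -AutoSize
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint, EncapsulationMode, IntegrityAlgorithm, CipherAlgorithm -AutoSize
```

Because the domain controller's rule only requests authentication, a third host without any connection security rule can still reach LON-DC1 in clear text; only LON-SVR1 is guaranteed to speak IPsec. That asymmetry is fine for the lab, but it is the reason the Main Mode list on the DC should be checked for the peer you expect rather than just for being non-empty.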

Task 5: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 10967A-LON-SVR1 and 10967A-LON-DC1.

Results: After completing this exercise you will have created a server to server connection security rule and validated the secure nature of the communication between the two servers.

Module 11: Implementing Security Software

Lab: Implementing Security Software


Exercise 1: Create and Enforce an AppLocker Rule
Task 1: Create a Group Policy Object to apply an AppLocker rule in the domain
1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.
2. On LON-DC1, in Server Manager, click Tools, and then select Group Policy Management.
3. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Group Policy Objects, and then click New.
4. Name the new GPO SQLSysClrTypes Restriction Policy, and then click OK.

Task 2: Create a Windows Installer rule to block the installation of the .msi file
1. In the Group Policy Management Console, expand Group Policy Objects, right-click the Group
Policy Object SQLSysClrTypes Restriction Policy, and then click Edit.
2. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Application Control Policies, and then
double-click AppLocker.
3. Click Windows Installer Rules, right-click Windows Installer, and then select Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, select Deny. Notice that the rule could be restricted to a specific user or
group, and then click Next.
6. On the Conditions page, select Publisher, and then click Next.
7. Click Browse, navigate to E:\Mod11\LabFiles\SQLSysClrTypes.msi, and then click Open.
8. Notice the text explaining the slider usage at the top of the page, and then click Next.
9. On the Exceptions page, click Next.
10. On the Name and description page, click Create.
11. Click Yes if you are prompted to create default rules.

Task 3: Configure Windows Installer rule enforcement to be audit only

1. Click AppLocker, and then click Configure rule enforcement.
2. Under Windows Installer Rules, select the Configured check box, click Audit Only, and then click
OK.

Task 4: Configure the Application Identity service to automatically start

Note: Before you can enforce AppLocker policies, you must start the Application Identity
service.
1. In the Group Policy Management Editor, expand Computer Configuration, expand Windows
Settings, expand Security Settings, click System Services, and then double-click Application
Identity.

Fundamentals of a Windows Server Infrastructure


2. In the Application Identity Properties dialog box, select the Define this policy setting check box.
3. Select Automatic under Select service startup mode, and then click OK.
4. Close Group Policy Management Editor.

Task 5: Apply the AppLocker rule to the domain's Group Policy

1. In the Group Policy Management Console window, drag the SQLSysClrTypes Restriction Policy
GPO over the Adatum.com domain container.
2. Click OK to link the GPO to the domain.
3. Close the Group Policy Management console.
4. Open a Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy
to be updated.

Note: Alternatively you can open a Windows PowerShell console, import the GroupPolicy
module by running the command Import-Module GroupPolicy, and then run the cmdlet
Invoke-GPUpdate.
5. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if need be, and sign in as
ADATUM\Allie with a password of Pa$$w0rd.
6. Open a Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy
to be updated.

Task 6: Run the Windows Installer and verify the audited result in Event Viewer
1. Hover the mouse over the lower left corner of the desktop and when the Start menu appears,
right-click and go to Run.
2. In the Run dialog, type \\LON-DC1\E$ and press OK.
3. In the Windows Security dialog box, sign in to the ADATUM domain as Administrator with password
Pa$$w0rd, and then click OK.
4. Go to \\LON-DC1\E$\Mod11\Labfiles\
5. Right-click SQLSysClrTypes.msi and select Install.
6. Complete the installation of the Windows Installer package.
If prompted for credentials during the installation by a User Account Control dialog, enter user name
Administrator and password Pa$$w0rd.
7. Open Control Panel, then select System and Security and Administrative Tools, then double-click
Event Viewer.
8. Go to Applications and Services Logs\Microsoft\Windows\AppLocker\MSI and Script and view the
events that are present.
9. What is the Event ID for audited blocked installations of Windows Installer files?

Answer: The Event ID is 8006.

Note: Notice the presence of the 8006 Event IDs and the descriptive text saying
SQLSysClrTypes.msi was allowed to run but would have been prevented from running if the
AppLocker policy were enforced.


10. Note: Also, if the event does not appear for you in Event Viewer, you should restart the Application
Identity service on 10967A-LON-DC1 and try again.

Task 7: Enforce the blocking of the Windows Installer

1. Switch to the 10967A-LON-DC1 virtual machine.
2. In Server Manager, click Tools, and then select Group Policy Management.
3. In the Group Policy Management Console, expand Domains, then Adatum.com, and underneath
Adatum.com right-click the SQLSysClrTypes Restriction Policy, and then click Edit.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Application Control Policies, and then
double-click AppLocker.
5. Click AppLocker, and then click Configure rule enforcement.
6. Under Windows Installer Rules, ensure the Configured check box is still selected, select Enforce
rules from the drop-down box, and then click OK.
7. Open a Command Prompt window, type gpupdate /force, and then press Enter.
8. Wait for the policy to be updated.

Task 8: Run the Windows Installer file and verify the application is blocked
1. Switch to 10967A-LON-CL1, sign out as ADATUM\Administrator if need be, and sign in as
ADATUM\Allie with a password of Pa$$w0rd.
2. Open a Command Prompt window, type gpupdate /force, then press Enter and wait for the policy
to be updated.
3. Hover the mouse over the lower left corner of the desktop and when the Start menu displays,
right-click and go to Run.
4. In the Run dialog, type \\LON-DC1\E$ and press OK.
5. Go to \\LON-DC1\E$\Mod11\Labfiles\
6. Right-click SQLSysClrTypes.msi, select Uninstall, and remove the software from the system that was
installed as part of the earlier task.
7. When uninstalled, right-click SQLSysClrTypes.msi, and then select Install.
8. Notice the Windows Installer message, The system administrator has set policies to prevent this
installation. Click OK.

Results: After this exercise, you will have created an AppLocker rule to block the installation of a particular
Windows Installer package. You will have tested the rule before implementing the AppLocker rule in your
production environment and you will have applied that AppLocker rule using Group Policy across the
A Datum domain.
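As an added example (not part of the lab files or the course), the same verification from PowerShell on the client where the installer runs: ask the effective AppLocker policy what it would decide for the lab's .msi and the lab user, then read the audit events (8006, as the lab states) and the enforced-block events (8007, the enforced-mode counterpart, which the lab text does not mention) from the MSI and Script log. The cmdlets are from the AppLocker module; the file path and user name are the lab's.

```powershell
# Added example, not from the 10967A lab. Run in an elevated PowerShell session on
# 10967A-LON-CL1 after the GPO has been applied (gpupdate /force).
Import-Module AppLocker

$MsiPath  = 'E:\Mod11\LabFiles\SQLSysClrTypes.msi'   # lab file (map \\LON-DC1\E$ first if needed)
$TestUser = 'ADATUM\Allie'                            # lab user the rule is tested against

# 1. Evaluate the effective policy for this file and user before enforcing it.
#    PolicyDecision is Denied or DeniedByDefault when the Deny rule applies,
#    Allowed when the file would run; MatchingRule names the rule that decided.
$decision = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $MsiPath -User $TestUser
$decision | Format-List FilePath, PolicyDecision, MatchingRule

# 2. Pull the AppLocker events for Windows Installer files.
#    8006 = audit only, "would have been blocked"; 8007 = blocked because rules are enforced.
$LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8006, 8007 } `
    -ErrorAction SilentlyContinue

foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Mode   = if ($e.Id -eq 8006) { 'Audit' } else { 'Enforced' }
        UserId = $e.UserId                       # SID of the account that launched the .msi
        Detail = ($e.Message -split "`r?`n")[0]  # first line names the file and the outcome
    }
}
```

Switching the GPO from Audit Only to Enforce rules (Task 7) changes the same installer attempt from an 8006 event to an 8007 event, so comparing the two counts over time shows whether the rule is still being exercised.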


Exercise 2: Use the Security Configuration Wizard

Task 1: Create a security policy
1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and
password Pa$$w0rd.
2. In Server Manager, click Tools, and then click the Security Configuration Wizard.
3. On the Welcome to the Security Configuration Wizard page, click Next.
4. On the Configuration Action page, select Create a new security policy, and then click Next.
5. On the Select Server page, accept the default server name, LON-DC1, and then click Next.
6. On the Processing Security Configuration Database page, you can click View Configuration
Database and explore the configuration that was discovered on LON-DC1.
If you receive a Windows Security Warning regarding an ActiveX control, click Yes to allow the
interaction.
7. Click Next.
8. On the Role-Based Service Configuration section introduction page, click Next.
9. On the Select Server Roles page, you can explore the settings that were discovered on
10967A-LON-DC1, but do not change any settings. Click Next.


10. On the Select Client Features page, you can explore the settings that were discovered on
10967A-LON-DC1, but do not change any settings. Click Next.
11. On the Select Administration and Other Options page, you can explore the settings that were
discovered on 10967A-LON-DC1, but do not change any settings. Click Next.
12. On the Select Additional Services page, you can explore the settings that were discovered on
10967A-LON-DC1, but do not change any settings. Click Next.

13. On the Handling Unspecified Services page, do not change the default setting: Do not change the
startup mode of the service. Click Next.
14. On the Confirm Service Changes page, in the View list, select All services.

15. Examine the settings in the Current Startup Mode column, which reflect service startup modes on
10967A-LON-DC1, and compare them to the settings specified in the Policy Startup Mode column.
16. In the View list, select Changed services.
17. Click Next.
18. On the Network Security section introduction page, click Next.
19. On the Network Security Rules page, you can examine the firewall rules derived from the
configuration of 10967A-LON-DC1. Do not change any settings. Click Next.
20. On the Registry Settings section introduction page, click Next.

21. On each page of the Registry Settings section, examine the settings, but do not change any of them,
then click Next.
22. Continue to click Next on each page until the Registry Settings Summary page appears,
examine the settings, and then click Next.
23. On the Audit Policy section introduction page, click Next.
24. On the System Audit Policy page, examine but do not change the settings. Click Next.


25. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy
Setting columns. Click Next.
26. On the Save Security Policy section introduction page, click Next.

27. In the Security Policy File Name text box, click Browse and navigate to C:\Labfiles, click New
Folder, name the folder SCW, double-click the SCW folder, type DC Security Policy in the file name:
box, and then click Save.
Ensure the following is listed in the Security policy file name box: C:\Labfiles\SCW\DC Security
Policy
28. Click the View Security Policy button.
29. If you are prompted to confirm the use of ActiveX control, click Yes.
30. Close the window after you have examined the policy.
31. In the Security Configuration Wizard, click Next.

32. On the Apply Security Policy page, accept the Apply later default setting, and then click Next.
33. Click Finish.

Task 2: Transform a security policy into a GPO

1. Ensure you are still signed in on 10967A-LON-DC1.
2. Open the Start screen and type cmd. When the Command Prompt icon appears, right-click it and
choose Run as Administrator.
3. Change to the directory where your new security policy is located by typing:

cd C:\LabFiles\SCW\

4. View the help for the scwcmd file by typing:

scwcmd /?

5. View the help for the scwcmd transform command by typing:

scwcmd transform /?

6. Transform the DC Security Policy.xml file to a GPO called DC Security Policy:

scwcmd transform /p:"DC Security Policy.xml" /g:"DC Security Policy"

7. Verify that the command completed successfully, and then close the Command Prompt window.
8. In Server Manager, click Tools, and then click Group Policy Management.
9. In the console tree, expand Forest: Adatum.com, Domains, Adatum.com, and Group Policy
Objects, and then click DC Security Policy. This is the GPO created by the Scwcmd.exe command.
10. Click the Settings tab to examine the settings of the GPO.
11. Close the Group Policy Management console.

Results: After this exercise, you will have used the Security Configuration Wizard (SCW) to create a
security policy named DC Security Policy, and transformed the security policy to a Group Policy Object
(GPO) named DC Security Policy.


Exercise 3: Use the Best Practices Analyzer

Task 1: Run the BPA on the AD DS server role

1. Ensure you are logged on to 10967A-LON-DC1 with user name ADATUM\Administrator and
password Pa$$w0rd.
2. In Server Manager, click AD DS in the left navigation pane.
3. In the center details pane, locate the Best Practices Analyzer.
4. In the TASKS drop-down list, select Start BPA Scan.
5. In the Select Servers dialog box, make sure that LON-DC1.Adatum.com is selected, and then click
Start Scan.

Task 2: Analyze the BPA compliance results

1. Review the BPA results.

Note: It can take a minute for results to appear. Refresh the results by using the TASKS
menu.
2. How many events were returned?

Answer: 43
3. Select an item and view the additional information that is available.
4. What three additional pieces of information are provided?

Answer: Problem, impact, and resolution.
5. Click the Severity column heading to sort the findings.
6. What severity categories are shown for this BPA scan?

Answer: Error, Information, and Warning.
7. In the Click to display saved search settings drop-down list (icon on the right side of the filter text
box), select the Compliant results report.
8. Notice that only items with Severity equal to Information are now displayed.
9. How many compliant results were found?

Answer: 34

Task 3: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 1 to 3 for 10967A-LON-CL1.

Results: After this exercise, you will be able to run the Best Practices Analyzer (BPA) on a server role and
determine areas for improved efficiency or performance.
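An added example (not from the lab) of the same scan and analysis from PowerShell, which is the form you would script across many domain controllers: run the AD DS BPA model, count results by severity, separate the compliant (Information) results from the findings, and print the Problem, Impact and Resolution fields the lab has you read in the GUI. The model ID is the AD DS model from the BestPractices module; the numbers the lab records (43 and 34) are what the GUI showed on LON-DC1 and will differ on other servers.

```powershell
# Added example, not from the 10967A lab. Run elevated on 10967A-LON-DC1.
Import-Module BestPractices

$ModelId = 'Microsoft/Windows/DirectoryServices'   # the AD DS Best Practices Analyzer model

# Same as TASKS > Start BPA Scan in Server Manager; the scan can take a minute.
Invoke-BpaModel -ModelId $ModelId | Out-Null

$results = @(Get-BpaResult -ModelId $ModelId)

# Total results (the lab records 43) and the breakdown by severity
"Total results: {0}" -f $results.Count
$results | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize

# The "Compliant results" report in the GUI is the Information-severity set (the lab records 34)
$compliant = $results | Where-Object { $_.Severity -eq 'Information' }
"Compliant results: {0}" -f @($compliant).Count

# Findings that need attention, with the three fields the lab calls out
$findings = $results | Where-Object { $_.Severity -ne 'Information' }
$findings |
    Sort-Object Severity, Title |
    Select-Object Severity, Title, Problem, Impact, Resolution |
    Format-List
```

Filtering on `Severity -eq 'Error'` and scheduling the script gives a simple drift check: a new Error result on a domain controller that was clean at baseline is worth a ticket.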


Module 12: Monitoring Server Performance

Lab: Monitoring Server Performance

Exercise 1: Creating a Performance Baseline
Task 1: Create a Data Collector Set
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password
Pa$$w0rd.
2. In Server Manager, select Tools, and then click Performance Monitor.
3. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
4. Right-click User Defined, point to New, and then click Data Collector Set.
5. In the Create new Data Collector Set wizard, in the Name box, type LON-SVR1 Performance.
6. Click the Create manually (Advanced) radio button, and then click Next.
7. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
8. On the Which performance counters would you like to log? page, click Add.
9. In the Available counters list, expand Memory, click Pages/sec, and then click Add >>.
10. In the Available counters list, expand Network Interface, click Bytes Total/sec, and then click
Add >>.
11. In the Available counters list, expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Still within PhysicalDisk, click Avg. Disk Queue Length, and then click Add >>.
13. In the Available counters list, expand Processor, click %Processor Time, and then click Add >>.
14. In the Available counters list, expand System, click Processor Queue Length, and then click
Add >>. Then click OK.
15. On the Which performance counters would you like to log? page, in the Sample interval box,
type 1, ensure Seconds is selected in the Units drop-down box, and then click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set? page, click Save and close, and then click Finish.

Task 2: Start the Data Collector Set

1. Switch to the Performance Monitor.
2. Navigate to Data Collector Sets, and then click User Defined.
3. Right-click LON-SVR1 Performance, and then click Start.

Task 3: Create workloads on the server

1. Open the Start menu, type cmd.exe, and then press Enter.
2. At the Command Prompt, type the following command, and then press Enter. (This creates a file
approx. 100 MB in size.)
fsutil file createnew bigfile 104857600
3. At the Command Prompt, type the following command, and then press Enter. (This copies that file to
LON-DC1.)
copy bigfile \\lon-dc1\c$
4. At the Command Prompt, type the following command, and then press Enter. (This creates a copy of
the file on LON-DC1.)
copy \\lon-dc1\c$\bigfile bigfile2
5. At the Command Prompt, type the following command, and then press Enter. (This deletes all the
created files from LON-SVR1.)
del bigfile*.*
6. At the Command Prompt, type the following command, and then press Enter. (This deletes all the
created files from LON-DC1.)
del \\lon-dc1\c$\bigfile*.*
7. Do not close the Command Prompt.

Task 4: Analyze collected data

1. Switch to Performance Monitor.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View Log Data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Add.
6. In the Select Log File dialog box, double-click Admin.
7. Double-click the LON-SVR1 Performance folder, double-click the LON-SVR1_<date-000001>
folder, and then double-click DataCollector01.blg.
8. Click the Data tab, and then click Add.
9. In the Add Counters dialog box, in the Available counters list, expand Memory, click Pages/sec,
and then click Add >>.
10. Expand Network Interface, click Bytes Total/sec, and then click Add >>.
11. Expand PhysicalDisk, click %Disk Time, and then click Add >>.
12. Click Avg. Disk Queue Length, and then click Add >>.
13. Expand Processor, click %Processor Time, and then click Add >>.
14. Expand System, click Processor Queue Length, click Add >>, and then click OK.
15. In the Performance Monitor Properties dialog box, click OK.
16. On the toolbar, click the down arrow, and then click Report.
17. Record the values listed in the report for analysis later.
Recorded values:
Memory\Pages/sec
Network Interface\Bytes Total/sec
PhysicalDisk\% Disk Time
PhysicalDisk\Avg. Disk Queue Length
Processor\% Processor Time
System\Processor Queue Length

Results: After this exercise, you should have established a performance baseline.


Exercise 2: Simulating a Server Load

Task 1: Load a new program on the server

1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. At the Command Prompt, type the following command, and then press Enter.
cd C:\Labfiles\StressTool\amd64

Task 2: Simulate a load on the server's CPU

1. Still on 10967A-LON-SVR1.
2. At the Command Prompt, type the following, and then press Enter.
StressTool 95
3. Open Task Manager by right-clicking the taskbar at the bottom of the screen and selecting Task
Manager, and then click More details.
4. Go to the Performance tab and click CPU.
5. Notice the CPU % Utilization graph and the change in usage.

Task 3: Start the Data Collector Set again

1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password Pa$$w0rd.
2. Switch to the Performance Monitor.
3. In Performance Monitor, click User Defined. In the results pane, right-click LON-SVR1 Performance,
and then click Start.
4. Wait for one minute for data to be captured.

Results: After this exercise, you should have introduced a load on the server and restarted the Data
Collector Set.


Exercise 3: Determining Probable Performance Bottlenecks

Task 1: Stop the running program
1. Ensure you are signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password
Pa$$w0rd.
2. After one minute, switch to the Command Prompt.
3. Press Ctrl+C.
4. Close the Command Prompt.
5. Open Task Manager by right-clicking the taskbar at the bottom of the screen and selecting Task
Manager.
6. Go to the Performance tab and click CPU.
7. Notice the CPU % Utilization graph has returned to normal now that the simulated load has been
removed.

Task 2: View performance data

1. Switch to the Performance Monitor.
2. In the navigation pane, right-click LON-SVR1 Performance, and then click Stop.
3. In Performance Monitor, in the navigation pane, click Performance Monitor.
4. On the toolbar, click View log data.
5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then
click Remove.
6. Click Add.
7. In the Select Log File dialog box, click Up One Level.
8. Double-click the LON-SVR2_<date-000002> folder, and then double-click DataCollector01.blg.
9. Click the Data tab, click OK, and then click OK to close the Performance Monitor Properties
dialog box.
10. If you receive an error or the values in your report are zero, repeat steps 4-9.
Recorded values:
Memory\Pages/sec
Network Interface\Bytes Total/sec
PhysicalDisk\% Disk Time
PhysicalDisk\Avg. Disk Queue Length
Processor\% Processor Time
System\Processor Queue Length

Task 3: Analyze results and draw a conclusion

1. Question: Compared with your previous report, which values have changed?

Answer: Memory and disk activity are reduced.
2. Question: What was the most significant change and why?

Answer: Processor activity has increased significantly and this is due to the simulated load we placed on
it.
3. Question: If you saw a similar trend in your work environment, what would you recommend as a next
step?

Answer: CPU load has increased without an increase in networking or disk activity. This would indicate a
service local to the machine is putting load on the CPU. You could continue to monitor the server to try to
identify what service or program is placing the load on the server.
4. Question: Can you identify any additional counters which could potentially help you narrow down
your search to determine what application is placing the greatest load on the CPU?

Answer: If you have not encountered this issue before, it may be a process of trial and error to identify
which additional counters, if any, could be of help.
You should start to create a new Data Collector Set and scroll through the available counters. Some
counters which may help in this instance:
Process\Thread Count (to identify if a particular process has a large number of threads running)
Processor Information\% User (to identify a user placing a load on a server if there are multiple
users accessing the server and its services)
Thread\ID Process (to identify the process placing the load on the server)
5. Question: Are there any additional tools which may help identify what process or software is placing
the load on the server?

Answer: You could also open Task Manager, go to the Processes tab, scroll through the processes
that are listed, and try to identify which processes are placing the greatest load on the server.

Results: After this exercise, you should have identified a potential bottleneck.
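An added example (not from the lab) for questions 4 and 5 above: instead of scrolling through Task Manager, sample the per-process counters with Get-Counter on the loaded server and rank processes by CPU, alongside the Process\Thread Count and ID Process counters the answer suggests. Running it on 10967A-LON-SVR1 while StressTool is still active is an assumption; the counter paths are standard Windows Process counters.

```powershell
# Added example, not from the 10967A lab. Run on the server under load.
# Per-process counters: % Processor Time is summed across cores, so a single
# busy multi-threaded process can exceed 100 on a multi-core machine.
$paths = @(
    '\Process(*)\% Processor Time',
    '\Process(*)\Thread Count',
    '\Process(*)\ID Process'
)

# Three samples one second apart. The first % Processor Time sample of a run is
# often 0 (it needs two readings to compute a rate), so averaging several helps.
$samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 3

# Group every sample by process instance name (lowercase, e.g. "stresstool", "svchost#1")
$byInstance = $samples.CounterSamples | Group-Object InstanceName

$report = foreach ($g in $byInstance) {
    # _total is the aggregate and idle is the idle loop; neither is a real culprit
    if ($g.Name -in '_total', 'idle') { continue }

    $cpu     = ($g.Group | Where-Object Path -like '*\% processor time' |
                Measure-Object CookedValue -Average).Average
    $threads = ($g.Group | Where-Object Path -like '*\thread count' |
                Select-Object -Last 1).CookedValue
    $procId  = ($g.Group | Where-Object Path -like '*\id process' |
                Select-Object -Last 1).CookedValue

    [pscustomobject]@{
        Process   = $g.Name
        PID       = [int]$procId
        Threads   = [int]$threads
        AvgCpuPct = [math]::Round($cpu, 1)
    }
}

# Top ten by average CPU; in the lab StressTool should sit at the top with the
# rest of the list close to the baseline from Exercise 1.
$report | Sort-Object AvgCpuPct -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

The PID column is what lets you pivot to `Get-Process -Id` (for the image path and start time) or to a Thread\ID Process counter filter in a new Data Collector Set.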


Exercise 4: Create, Test, and Verify an Alert

Task 1: Create and start an alert to trigger an Event ID
1. Ensure you are still signed in to 10967A-LON-SVR1 as ADATUM\Administrator with password
Pa$$w0rd.
2. In Performance Monitor, in the navigation pane, expand Data Collector Sets, and then click User
Defined.
3. Right-click User Defined, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set wizard, in the Name box, type LON-SVR1 Network
Bandwidth Alert.
5. Click Create manually (Advanced), and then click Next.
6. On the What type of data do you want to include? page, click the Performance Counter Alert
radio button, and then click Next.
7. On the Which performance counters would you like to monitor? page, click Add.
8. In the Available counters list, expand Network Interface, click Bytes Total/sec, click Add >>, and
then click OK.
9. On the Which performance counters would you like to monitor? page, in the Alert when: list,
select Above.
10. In the Limit box, type 500, and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In the navigation pane, expand the User Defined node, and then click LON-SVR1 Network
Bandwidth Alert.
13. In the Results pane, right-click DataCollector01, and then click Properties.
14. In the DataCollector01 Properties dialog box, on the Alert tab, choose the following:
Alert when: Above
Limit: 500
Sample interval: 10
Units: Seconds
15. Click the Alert Action tab.
16. Select the Log an entry in the application event log check box, and then in the Start a Data
Collector set: drop-down box select LON-SVR1 Performance and click OK.
17. In the navigation pane, right-click LON-SVR1 Network Bandwidth Alert, and then click Start.

Task 2: Simulate a load on the network bandwidth

1. Open the Start screen and type cmd.exe, and then press Enter.
2. At the Command Prompt, type the following command, and then press Enter. (This creates a file
approx. 1 GB in size.)
fsutil file createnew bigfile 1048576000
3. At the Command Prompt, type the following command, and then press Enter. (This copies that file to
10967A-LON-DC1 and puts a load on the Network Interface.)
copy bigfile \\lon-dc1\c$

Task 3: Verify the Event ID is generated and the Data Collector Set starts

1. In Server Manager, click Tools, and then click Event Viewer.
2. Expand Applications and Services Logs, and then select the Microsoft-Windows-Diagnosis-PLA/Operational log.
3. Scroll through the list of events. Look for Event ID 2031 and read the details in the General tab, which
should say something like: Performance counter \Network Adapter> [Emulated])\Bytes Total/sec
has tripped its alert threshold. The counter value of < X > is over the limit value of 500.000000.
500.000000 is the alert threshold value.
4. What is the Event ID associated with an Event generated when an Alert's threshold is exceeded?

Answer: Event ID 2031
5. Return to Performance Monitor and navigate to Data Collector Sets, then User Defined.

Note: As you scroll through the Event IDs you may see some errors related to the LON-SVR1 Performance
collector set not being able to start. This will be because it was already started successfully.
6. Ensure the LON-SVR1 Performance collector set has started successfully.

Task 4: Revert the lab machines

When you have completed the lab, revert the virtual machines back to their initial state. To do this,
complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 10967A-LON-SVR1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the previous steps for 10967A-LON-DC1.

Results: After completing this exercise you will have created an alert, and tested to ensure it generates an
Event ID and triggers a Data Collector Set to start.
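An added example (not the lab's own code) covering Exercise 1, Task 1 and Exercise 4, Task 1 together: the baseline counter set and the alert are created with logman from a PowerShell prompt instead of the Performance Monitor wizard, and the Event ID 2031 check from Task 3 is done with Get-WinEvent. The set and alert names are the lab's; the output path under C:\PerfLogs and the use of _Total and * instances in place of the GUI's selections are assumptions.

```powershell
# Added example, not from the 10967A lab. Run elevated on 10967A-LON-SVR1.
$dcsName   = 'LON-SVR1 Performance'               # counter set from Exercise 1
$alertName = 'LON-SVR1 Network Bandwidth Alert'   # alert from Exercise 4
$outPath   = 'C:\PerfLogs\LON-SVR1 Performance\baseline'   # assumed log location

# Exercise 1, Task 1: the six baseline counters, sampled every second.
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Bytes Total/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)
# PowerShell expands the array into one argument per counter path.
logman create counter $dcsName -c $counters -si 00:00:01 -o $outPath

# Exercise 4, Task 1: alert when Bytes Total/sec on any interface goes above 500,
# sampled every 10 seconds. -el logs an event log entry when the alert fires;
# -rdcs starts the named data collector set, as the Alert Action tab does.
logman create alert $alertName -th '\Network Interface(*)\Bytes Total/sec>500' `
    -si 00:00:10 -el -rdcs $dcsName
logman start $alertName

# Generate traffic here (Exercise 4, Task 2: the 1 GB file copy to \\lon-dc1\c$),
# then verify as in Task 3.

# Event ID 2031 in the Diagnosis-PLA operational channel marks each threshold trip.
$trips = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Diagnosis-PLA/Operational'
    Id      = 2031
} -MaxEvents 5 -ErrorAction SilentlyContinue

$trips | Select-Object TimeCreated, Id,
    @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } }

# The alert should have started the baseline set; Status should read Running.
logman query $dcsName
```

Once an alert has started the set, later trips fail to start it again and produce the "not able to start" errors the lab note mentions; that is expected, not a fault in the alert.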


Module 13: Maintaining Windows Server

Lab: Maintaining Windows Server

Exercise 1: Installing and Configuring Windows Server Update Services
Task 1: Install the Windows Server Update Services role and required features
1. Ensure you are signed in to 10967A-LON-DC1 with username ADATUM\Administrator and
password Pa$$w0rd.
2. In Server Manager, click Manage, and then select Add Roles and Features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, accept the defaults and click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select the Windows Server Update Services check box.
7. In the Add Roles and Features Wizard dialog, click Add Features, then click Next.
8. On the Select features page, select .NET Framework 3.5, and then click Next.

Note: .NET Framework 3.5 is required for the reporting function in WSUS in Windows Server 2012.
9. On the Windows Server Update Services page, click Next.
10. On the Select role services page, ensure WID Database and WSUS Service are selected and click
Next.
11. On the Content location selection page, ensure the Store updates in the following location ..
check box is selected, type C:\WSUS in the box, and then click Next.
12. On the Confirm installation selections page, click Install, and then click Close.

Task 2: Complete WSUS post-configuration tasks

1. On 10967A-LON-DC1, in Server Manager, click the Notification icon (the white flag at the top of
the screen).
2. In the resultant dialog, navigate to the Post-Deployment Configuration section and click Launch
Post-Installation tasks.
3. In Server Manager, click the Notification icon again and then select Task Details.
4. In the Task Details dialog, note the Task Name and Stage columns, and wait until the
Post-deployment Configuration Task Name is listed as Complete. When it is complete, close the Task
Details dialog.
5. In Server Manager, click Tools, and then select Windows Server Update Services.
6. Confirm the Update Services management console successfully opens.

Task 3: Complete the Windows Server Update Services Configuration Wizard

1. Still on 10967A-LON-DC1, if not already done so, in Server Manager, click Tools, and then select
Windows Server Update Services to open the Update Services management console.
2. The Windows Server Update Services Configuration Wizard appears. On the Before You
Begin page, click Next.
3. On the Join the Microsoft Update Improvement Program page, click Next.
4. On the Choose Upstream Server page, ensure Synchronize from Microsoft Update is selected and
click Next.
5. On the Specify Proxy Server page, click Next.
6. On the Connect to Upstream Server page, click Start Connecting. When it is finished, click Next.

Note: This may take up to five minutes to complete depending on your connection speed.
7. On the Choose Languages page, select Download updates only in these languages: and choose
English, then click Next.
8. On the Choose Products page, check the All Products check box, then uncheck it again to clear the
default product selections. Scroll down to Windows and select Windows 8, ensure all other options
are unchecked, and then click Next.
9. On the Choose Classifications page, uncheck Definition Updates and Security Updates and select
Critical Updates only, and then click Next.

Note: We are selecting only this option to reduce the amount of time the synchronization takes.
However, at least both security and critical updates would be needed to keep your environment secure.
10. On the Set Sync Schedule page, select Synchronize manually and click Next.
11. On the Finished page, select Begin initial synchronization, and click Next.
12. On the What's Next page, click Finish.
13. Return to the Update Services management console.
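An added example (not from the lab) that makes the same choices as Tasks 1 to 3 from PowerShell, the form you would use to build a second WSUS server identically: install the role with the WID database and .NET Framework 3.5, run the post-installation task against C:\WSUS, then set the upstream server, language, product, classification and schedule that the wizard asks for. The feature names, wsusutil.exe and the UpdateServices cmdlets are what Windows Server 2012 ships; C:\WSUS and the Windows 8 / Critical Updates choices are the lab's.

```powershell
# Added example, not from the 10967A lab. Run elevated on 10967A-LON-DC1.

# Task 1: WSUS role (WID database and WSUS service are the defaults) plus .NET 3.5
# for reporting. If the .NET 3.5 payload is missing, add -Source <drive>:\sources\sxs.
Install-WindowsFeature -Name UpdateServices, NET-Framework-Core -IncludeManagementTools

# Task 2: the post-installation task, storing update content in C:\WSUS
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

# Task 3: the configuration wizard choices
Import-Module UpdateServices
$wsus = Get-WsusServer                        # local server on the default port, 8530

Set-WsusServerSynchronization -SyncFromMU     # Choose Upstream Server: Microsoft Update

$config = $wsus.GetConfiguration()            # Choose Languages: English only
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages([string[]]@('en'))
$config.Save()

# Choose Products: clear the defaults, keep only Windows 8
Get-WsusProduct | Where-Object { $_.Product.Title -ne 'Windows 8' } | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows 8' } | Set-WsusProduct

# Choose Classifications: Critical Updates only, as the lab does to shorten the sync.
# The lab note applies here too: production needs Security Updates as well.
Get-WsusClassification |
    Where-Object { $_.Classification.Title -ne 'Critical Updates' } |
    Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -eq 'Critical Updates' } |
    Set-WsusClassification

# Set Sync Schedule: manual; then begin the initial synchronization
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $false
$subscription.Save()
$subscription.StartSynchronization()

# Progress and result of the last sync (the GUI's Synchronization Report shows the same data)
$subscription.GetSynchronizationStatus()
$subscription.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```

Re-running the classification and product lines is idempotent, so the script doubles as a check that nobody has widened the approved scope since the server was built.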

Task 4: Prepare synchronized reporting

1. On 10967A-LON-DC1, in the Update Services console, in the navigation pane on the left side,
expand LON-DC1, click Synchronizations, and then click Synchronization Report in the Actions
pane.
2. Verify you receive a Feature Unavailable error stating that The Microsoft Report Viewer 2008
Redistributable is required for this feature, and then click OK.
3. Close the Update Services management console.
4. Open File Explorer, navigate to E:\Mod13\Labfiles, right-click ReportViewer.exe and select Run
as Administrator.
5. On the Welcome page, click Next.
6. On the License Terms page, check the I have read and accept the license terms check box, and
then click Install.
7. On the Setup Complete page, click Finish.
8. In Server Manager, go to Tools, then select Windows Server Update Services.
9. In the navigation pane on the left side, click Synchronizations, and then select Synchronization
Report in the Actions pane.
10. Verify the Synchronization Report opens successfully.
11. Close the Synchronization Report for LON-DC1 window, and the Update Services window.

Task 5: Configure Group Policy to enable WSUS across the domain

1. Still on 10967A-LON-DC1, in Server Manager, select Tools, and then click Group Policy Management.

2. In the console pane, expand Forest: Adatum.com, expand Domains, and then click Adatum.com.

3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, type WSUS in the Name field, and then click OK.

5. Expand Adatum.com, right-click WSUS, and then click Edit.

6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

7. In the details pane, double-click Configure Automatic Updates.

8. In the Configure Automatic Updates dialog box, click Enabled, and then click Next Setting.

9. In the Specify intranet Microsoft update service location dialog box, click Enabled.

10. In the Set the intranet update service for detecting updates field, type http://LON-DC1:8530

11. In the Set the intranet statistics server field, type http://LON-DC1:8530

12. Why is the number 8530 specified in the URL?

Answer: The default HTTP connection port is 80. However, WSUS uses port 8530 for HTTP and port 8531 for HTTPS. That is different from the default and so needs to be specified here so the client can connect successfully.

13. Click Next Setting.

14. In the Automatic Updates detection frequency dialog box, click Enabled, set the interval (hours): to 1, and then click OK.

15. Ensure the three Group Policy settings are enabled, then close Group Policy Management Editor, and then close the Group Policy Management Console.

16. Sign in to the 10967A-LON-CL1 virtual machine as ADATUM\Administrator with the password Pa$$w0rd.

17. If you have not already done so, start 10967A-LON-CL1 and then sign in with user name ADATUM\Administrator and password Pa$$w0rd.

18. On 10967A-LON-CL1, open a Command Prompt with administrative privileges, type the following command, and then press Enter. This will force the client to update the Group Policies on the computer.

gpupdate /force

19. To force the client to detect any changes that have been made to the update service, type the following and press Enter.

wuauclt /ResetAuthentication /Detectnow

Task 6: Perform clarification checks on the WSUS Client

1. On 10967A-LON-CL1, hover the mouse over the lower left corner until the Start menu appears, then right-click and select Computer Management.

2. In the Computer Management console, expand Services and Applications, and then select Services.

3. In Services, locate Background Intelligent Transfer Service, open its Properties, set Startup type: to Automatic, and then click OK.

4. In Services, locate Windows Update, open its Properties, set Startup type: to Automatic, click Apply, and then click OK.

Fundamentals of a Windows Server Infrastructure

Task 7: Create computer groups, and add client computers

1. On the 10967A-LON-DC1 virtual machine, in Server Manager, select Tools, then select Windows Server Update Services.

2. In the Update Services console, expand Computers, and then click All Computers.

3. Select Status: Any and click Refresh. Verify there are two computers listed: lon-dc1.adatum.com and lon-cl1.adatum.com.

4. In the Actions pane, click Add Computer Group.

5. In the Add Computer Group dialog box, type WSUS LON Win8, and then click Add.

6. In the Actions pane, click Add Computer Group.

7. In the Add Computer Group dialog box, type WSUS LON WS2012, and then click Add.

8. In the console pane, expand All Computers, and then click Unassigned Computers.

9. In the details pane, in the Status list, click Any, and then click Refresh.

10. Right-click lon-cl1.adatum.com, and then click Change Membership.

11. In the Set Computer Group Membership dialog box, select the WSUS LON Win8 check box, and then click OK.

12. Click the Unassigned Computers group again.

13. In the details pane, in the Status list, click Any, and then click Refresh.

14. Right-click lon-dc1.adatum.com, and then click Change Membership.

15. In the Set Computer Group Membership dialog box, select the WSUS LON WS2012 check box, and then click OK.

Task 8: Approve a Critical Update for Windows 8 operating system clients

1. In the console pane, expand Updates, and then click Critical Updates.

2. In the details pane, in the Approval list, select Any Except Declined.

3. In the Status list, click Any, and then click Refresh.

4. Click the Title column to sort the updates by title.

5. Notice there are several updates available.

6. Locate Update for Windows 8 for x64-based Systems (KB2768703), right-click it, and then click Approve.

7. In the Approve Updates dialog box, expand All Computers, then click the arrow on the WSUS LON Win8 computer group, select Approved for Install, and click OK.

8. In the Approval Progress dialog, click Close when it is complete.

9. Right-click the same update, Update for Windows 8 for x64-based Systems (KB2768703), and again select Approve.

10. In the Approve Updates dialog box, expand All Computers, then click the arrow on the WSUS LON Win8 computer group and select Deadline, and then Custom.

11. In the Choose Deadline dialog, select yesterday's date and then click OK. For example, if it is 2 June when running this lab exercise, select 1 June.

Note: This has the effect of ensuring the update is applied to a client as soon as the client queries the Update Server for available updates.

12. Click OK in the Approve Updates dialog box.

13. Click Close on the Approval Progress dialog when it is complete.

Task 9: Query the WSUS server for available updates from the Windows 8 client

1. Ensure you are signed in to 10967A-LON-CL1 with user name ADATUM\Administrator and password Pa$$w0rd.

2. Open a Command Prompt window with administrative privileges.

3. At the Command Prompt, run the following.

gpupdate /force

4. Wait for the policy to finish updating.

5. At the Command Prompt, run the following.

wuauclt /ResetAuthentication /detectnow

6. Open File Explorer and open the file C:\Windows\WindowsUpdate.log in Notepad.

7. In Notepad, click Format, then select Word Wrap.

8. Scroll down to the end of the log file and locate references to http://lon-dc1:8530; ensure there are no errors listed.

9. Return to 10967A-LON-DC1, go to Server Manager, then Tools, then select Event Viewer.

10. Expand Windows Logs, then click Application.

11. In the Application log details pane, locate events with source equal to Windows Update Services and verify there is an event specifying a client connected successfully.

12. Back on 10967A-LON-CL1, you may receive a Restart prompt. If so, restart 10967A-LON-CL1 and sign in again as ADATUM\Administrator with password Pa$$w0rd.

13. Open the Control Panel, select Programs, and then underneath Programs and Features select View installed updates.

14. Verify that Update for Microsoft Windows (KB2768703) is listed.

Note: It may take several minutes for the client to connect and the update to be installed. You should proceed to the next exercises and complete those while waiting for the client to be updated. Once you have completed those exercises you can then return here to verify the update has been applied successfully.
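The checks that Tasks 5, 6 and 9 perform by hand (policy values, service startup types, and the client log) can be gathered in one pass from an elevated PowerShell prompt on 10967A-LON-CL1. This is an added example and is not part of the 10967A courseware; it assumes the lab's server URL http://lon-dc1:8530 and the plaintext log at C:\Windows\WindowsUpdate.log, uses the registry value names the Windows Update policies write, and the error-pattern regex is an assumption.

```powershell
# Added example (not from the 10967A courseware): read-only check on the WSUS client that the
# policy from Task 5, the services from Task 6 and the log entries from Task 9 look as expected.
# Run in an elevated PowerShell prompt on 10967A-LON-CL1.
$ExpectedServer = 'http://lon-dc1:8530'            # value typed in Task 5, steps 10 and 11
$LogPath        = 'C:\Windows\WindowsUpdate.log'   # plaintext on Windows 8 (Task 9, step 6)

# 1. Policy values written by "Specify intranet Microsoft update service location",
#    "Configure Automatic Updates" and "Automatic Updates detection frequency".
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

$policy = [pscustomobject]@{
    WUServer           = $wu.WUServer
    WUStatusServer     = $wu.WUStatusServer
    UseWUServer        = $au.UseWUServer           # 1 when the intranet server policy is enabled
    AutoUpdatesEnabled = ($au.NoAutoUpdate -eq 0)  # Configure Automatic Updates = Enabled
    DetectionHours     = $au.DetectionFrequency    # the lab sets 1
    ServerMatches      = ($wu.WUServer -eq $ExpectedServer) -and
                         ($wu.WUStatusServer -eq $ExpectedServer)
}
$policy | Format-List

# 2. The two services the lab sets to Automatic (wuauserv = Windows Update,
#    BITS = Background Intelligent Transfer Service). Win32_Service is used because
#    StartMode is available on Windows 8 / PowerShell 3.0, where Get-Service does not
#    yet expose a start type.
Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
    Select-Object Name, State, StartMode |
    Format-Table -AutoSize

# 3. Recent WindowsUpdate.log lines that mention the server. Lines matching the (assumed)
#    error patterns are flagged CHECK; a clean detection pass shows only "ok" lines.
$serverPattern = [regex]::Escape($ExpectedServer)
Get-Content -Path $LogPath -Tail 500 |
    Where-Object { $_ -match $serverPattern } |
    Select-Object -Last 15 |
    ForEach-Object {
        $flag = if ($_ -match 'WARNING:|FATAL:|error 0x|failed') { 'CHECK' } else { 'ok' }
        '[{0,-5}] {1}' -f $flag, $_
    }
```

If ServerMatches is False or UseWUServer is empty, rerun gpupdate /force from Task 9 step 3 before looking at the log, since the client will still be talking to Microsoft Update rather than LON-DC1.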

Task 10: View WSUS reports

1. Switch back to 10967A-LON-DC1; in the Windows Server Update Services console, click Reports.

2. Review the various reports available in WSUS.

3. In the details pane, click Computer Detailed Status.

4. In the Computers Report for LON-DC1 window, click Run Report.

5. On the completed report, note how many updates are listed under lon-cl1.adatum.com.

6. Close the Computers Report for LON-DC1 window.

7. Close Update Services.

Results: At the end of this exercise, you will have configured Windows Server Update Services (WSUS) to manage updates.

Exercise 2: Troubleshooting the Startup Process

Task 1: Read the supporting documentation

1. Read the Incident Record to determine possible troubleshooting methods.

2. Where is the best place to troubleshoot this problem from?

Answer: If file shares, remote desktop, and ping are unavailable, the troubleshooting process for this problem has to be done locally, in the physical location of the computer, or alternatively over the telephone with someone at the physical computer who can help you with the troubleshooting process.

3. What considerations should be made about 10967A-LON-SVR5 and the people and services that require the services that are provided by 10967A-LON-SVR5?

Answer: If 10967A-LON-SVR5 performs critical services, a replacement or spare should be checked for availability, should the troubleshooting process carry on beyond the first one or two most probable causes.

Task 2: Investigate startup issues on a Windows Server

1. Start the 10967A-LON-SVR5 virtual machine.

2. You will be prompted to Press any key to boot from CD or DVD as the virtual machine starts, but do not press anything and allow the virtual machine to start without any intervention.

Note: The virtual machine has been configured with the Windows Server 2012 Eval ISO installation files already attached to the virtual machine to assist with steps required later in the lab. As such, the 10967A-LON-SVR5 virtual machine will give the prompt Press any key to boot from CD or DVD each time it starts up. Do not press any key to boot into the installation files unless explicitly told to do so in the lab steps.

3. View the error message on the screen.

4. Answer the Assessment Questions in the Incident Record.

5. What is the error message displayed on 10967A-LON-SVR5?

Answer: The Boot Configuration Data file doesn't contain valid information for an operating system.

6. What could the possible causes of this error message be?

Answer: The problem is a corrupted or damaged Boot Configuration Data (BCD) store. There is no reference in the BCD to enable the Windows Boot Manager to access the Windows Boot Loader.

7. What tool should you use to try to resolve the problem that is causing the error message?

Answer: BCDEdit will let you view the status of the BCD store. In this case, there is no entry for an operating system in the BCD store for 10967A-LON-SVR5. To correct this, run bootrec.exe with the /scanos switch to find the operating system on the computer, and then run bootrec.exe with the /rebuildbcd switch to create a new BCD store with a pointer to the boot loader for the found operating system.

8. How can you access these tools?

Answer: By starting the computer using the Windows Server installation disc and selecting the Repair Your Computer and Command Prompt options.

9. In Hyper-V Manager, right-click 10967A-LON-SVR5, and select Turn Off.

10. In the Turn Off Machine dialog box, click Turn Off.

Task 3: Resolve the issue on the Windows Server and complete the Incident Record

1. Start the 10967A-LON-SVR5 virtual machine.

2. As stated in the previous exercise, you will be prompted to Press any key to boot from CD or DVD as the virtual machine starts.

3. Press Enter and allow the virtual machine to boot into the installation files.

4. In the Install Windows dialog box, click Next.

5. In the Install Windows dialog box, click the Repair your computer link.

6. In the System Recovery Options dialog box, click Troubleshoot.

7. On the Advanced Options page, click Command Prompt.

8. At the Command Prompt, type the following, and then press Enter.

Bcdedit

9. Observe the lack of an operating system entry in the BCD store.

10. At the Command Prompt, type the following, then press Enter, and from the resulting output determine which are the most appropriate switches to use.

bootrec /?

11. At the Command Prompt, type the following, and then press Enter:

bootrec /scanos

12. At the Command Prompt, type the following, and then press Enter:

bootrec /rebuildbcd

13. At the Add installation to boot list prompt, press Y, and then press Enter.

14. Close the Command Prompt window by typing exit and pressing Enter.

15. In the System Recovery Options screen, click the Continue button.

16. Make sure that 10967A-LON-SVR5 starts and brings you to the sign-in screen.

17. Ensure you can sign in successfully with the local administrator credentials: user name .\Administrator and password Pa$$w0rd.

18. Answer the Resolution Questions on the Incident Report.

19. How did you resolve the problem?

Answer: By using BCDEdit to identify the lack of an operating system entry in the BCD store, and then using bootrec to rebuild the BCD store.

20. What should the next steps in the troubleshooting process be?

Answer: Have a user or users connect to 10967A-LON-SVR5 to make sure that their applications are functioning correctly. Notify the remainder of the users of 10967A-LON-SVR5 that the server is operating correctly and that they can resume their use of 10967A-LON-SVR5. Additionally, the details of the problem, together with the steps used to repair the problem, should be documented and archived for future reference and logging purposes.

21. Revert the 10967A-LON-SVR5 virtual machine and then shut down the virtual machine to free up host resources, as it is not required for any subsequent exercises.

Results: After this exercise, you should have used Windows tools to troubleshoot the startup process.

Exercise 3: Gathering Information to Start the Troubleshooting Process

Task 1: Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part A

1. Ensure you are signed in to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.

2. In Server Manager, point to Tools, and then click Performance Monitor.

3. In the Performance Monitor console, expand Monitoring Tools, and then click Performance Monitor.

4. In the details pane, click the View Log Data button (Ctrl+L).

5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.

6. In the Select Log File dialog box, browse to E:\Mod13\Labfiles\Captures.

7. Click ADATUM-LON-SVR2-System-Perf-Data-PartA.blg, and then click Open.

8. In the Performance Monitor Properties dialog box, click OK.

9. In the Performance Monitor details pane, click Add (Ctrl+I).

10. In the Add Counters dialog box, under Available counters, add the following counters by highlighting them and clicking Add>>:

    Processor: % Processor Time (Instances of selected object = 0)

    System: Processor Queue Length (Instances of selected object = Not Applicable)

11. Click OK.

12. In Performance Monitor, at the bottom of the window, click % Processor Time to view the graph of the CPU usage on LON-SVR2 and notice:

    The minimum value is 0.623 percent.

    The maximum value is 100 percent.

    The average value is 80.126 percent.

13. In the Performance Monitor details pane, click Add (Ctrl+I).

14. In the Add Counters dialog box, under Available counters, add the following counter by highlighting it and clicking Add>>:

    Process: % Processor Time (Instances of selected object = <All Instances>)

15. Click OK.

16. Review the % Processor Time used by each process. It is useful to use the Highlight button (Ctrl+H) to view each instance. Identify the process that is consuming the CPU.

17. Complete the resolution questions in Part A of the Incident Record.

18. What do the Performance Logs for LON-SVR2 indicate could be the source of the problem?

Answer: The StressTool process is consuming most of the CPU time.

19. Keeping in mind your answer from the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?

Answer: A likely first step is to determine what the StressTool process is responsible for doing and if any users are experiencing issues with those processes. If no specific cause can be found, you might restart the StressTool process before ensuring that all users using the services associated with StressTool are prepared for the services to be unavailable. Additional monitoring of the StressTool process might be necessary to determine whether the application needs updating or repair. (Note: The StressTool process is a testing tool which you encountered earlier in the course. In this lab we used it to place a load on the CPU for us to then analyze.)

20. Close Performance Monitor.

Task 2: Examine the Performance Monitor logs for the first issue and answer the resolution questions for Part B

1. Ensure you are still signed in to 10967A-LON-DC1 with user name ADATUM\Administrator and password Pa$$w0rd.

2. In Server Manager, point to Tools, and then click Performance Monitor.

3. In the Performance Monitor console, expand Monitoring Tools, and then click Performance Monitor.

4. In the details pane, click View Log Data (Ctrl+L).

5. In the Performance Monitor Properties dialog box, on the Source tab, click Log files, and then click Add.

6. In the Select Log File dialog box, browse to E:\Mod13\Labfiles\Captures.

7. Click ADATUM-LON-SVR2-System-Perf-Data-PartB.blg, and then click Open.

8. In the Performance Monitor Properties dialog box, click OK.

9. In the Performance Monitor details pane, click Add (Ctrl+I).

10. In the Add Counters dialog box, under Available counters, add the following counters by highlighting them and clicking Add>>:

    Physical Disk: Avg. Disk Queue Length (Instances of selected object = 0 C:)

    Physical Disk: Current Disk Queue Length (Instances of selected object = 0 C:)

    Physical Disk: Disk Transfers/sec (Instances of selected object = 0 C:)

    Process: IO Data Bytes/sec (Instances of selected object = <All Instances>)

11. Click OK.

12. Review the IO Data Bytes/sec values for each process. It is useful to use the Highlight button (Ctrl+H) to view each instance. Identify the process that is using the disk transfer capacity.

13. Complete the resolution questions in Part B of the Incident Record.

14. What do the Performance Logs for LON-SVR2 indicate could possibly be the source of the problem?

Answer: There are a few processes that are intermittently performing a lot of IO, such as the sqlservr and WsusService processes; however, they display peaks and troughs. For example, they have IO and then none, which would be expected. However, the peak values for Avg. Disk Queue Length and Disk Transfers/sec occur when the EatDiskspace process's IO consumption occurs, and this process is continuously consuming IO resources on the computer. The EatDiskspace process is consuming a lot of disk resources and would warrant a closer look.

15. Keeping in mind your answer from the previous question, what steps (using a troubleshooting methodology) would you take to continue the troubleshooting process?

Answer: If EatDiskspace is consuming disk resources, you could view the Disk tab of Resource Monitor, check the box beside the process and click on the Disk Activity or Storage sections to try to determine what aspects of the process are involved, such as file copies. If the process is manipulating files, you could determine whether that is necessary or not, or possibly whether the task could be scheduled during non-business hours. (Note: The EatDiskspace process is a testing tool which we used to perform a large volume of disk IO operations for us to analyze.)

16. Close Performance Monitor.
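The same two captures can be summarised from a PowerShell prompt on 10967A-LON-DC1 with Import-Counter, which ranks instances by average so the culprit in Part A (StressTool) and Part B (EatDiskspace) is read from a table rather than picked out with the Highlight button. This is an added example, not part of the 10967A courseware; it assumes the lab's file paths and uses the standard Windows counter paths for the counters the two tasks add.

```powershell
# Added example (not from the 10967A courseware): summarise the Exercise 3 .blg captures with
# Import-Counter so the process behind each problem can be read from a ranked table.
$Captures = 'E:\Mod13\Labfiles\Captures'   # lab path from Task 1 step 6 / Task 2 step 6

function Get-CounterSummary {
    # Load a .blg file and return min/avg/max per instance for every counter whose path
    # ends with $CounterPattern (wildcards allowed, e.g. '\Process(*)\% Processor Time').
    # Sample paths in a .blg carry the capturing computer's name, so we match on the tail.
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$CounterPattern,
        [string[]]$ExcludeInstances = @('_total', 'idle'),   # skip totals and Idle for Process(*)
        [int]$Top = 5
    )
    Import-Counter -Path $Path -ErrorAction Stop |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*$CounterPattern" -and
                       $_.InstanceName -notin $ExcludeInstances } |
        Group-Object -Property InstanceName |
        ForEach-Object {
            $stats = $_.Group.CookedValue | Measure-Object -Minimum -Average -Maximum
            [pscustomobject]@{
                Instance = $_.Name
                Minimum  = [math]::Round($stats.Minimum, 3)
                Average  = [math]::Round($stats.Average, 3)
                Maximum  = [math]::Round($stats.Maximum, 3)
                Samples  = $stats.Count
            }
        } |
        Sort-Object -Property Average -Descending |
        Select-Object -First $Top
}

$partA = Join-Path $Captures 'ADATUM-LON-SVR2-System-Perf-Data-PartA.blg'
$partB = Join-Path $Captures 'ADATUM-LON-SVR2-System-Perf-Data-PartB.blg'

# Part A, step 12: CPU on processor instance 0. The lab reports min 0.623, max 100,
# average 80.126 for this counter; the row below should agree.
Get-CounterSummary -Path $partA -CounterPattern '\Processor(0)\% Processor Time'

# Part A, step 16: per-process CPU; StressTool should rank first.
Get-CounterSummary -Path $partA -CounterPattern '\Process(*)\% Processor Time'

# Part B, step 12: per-process disk IO. EatDiskspace should rank first on Average, while
# sqlservr and WsusService show a high Maximum but a much lower Average (bursty IO).
Get-CounterSummary -Path $partB -CounterPattern '\Process(*)\IO Data Bytes/sec'

# Part B disk-level counters for instance "0 C:", to confirm the queue and transfer peaks
# that line up with EatDiskspace's activity.
Get-CounterSummary -Path $partB -CounterPattern '\PhysicalDisk(0 C:)\Avg. Disk Queue Length'
Get-CounterSummary -Path $partB -CounterPattern '\PhysicalDisk(0 C:)\Disk Transfers/sec'
```

A process with a high Maximum but low Average and few samples is the "peaks and troughs" pattern the Part B answer describes; sustained load shows a high Average across most samples.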

Results: After this exercise, you should have collected information to start the troubleshooting process.
