
Microsoft 70-410

Installing and Configuring Windows Server 2012


ABOUT THE EXAM
The Microsoft 70-410 exam is part one of a series of three exams that test the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment. Passing this exam validates a candidate's ability to implement and configure Windows Server 2012 core services, such as Active Directory and the networking services. Passing this exam along with the other two exams confirms that a candidate has the skills and knowledge necessary for implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.

Six major topics make up the Microsoft 70-410 Certification. The topics are as follows:
Install and Configure Servers
Configure Server Roles and Features
Configure Hyper-V
Deploy and Configure Core Network Services
Install and Administer Active Directory
Create and Manage Group Policy

This guide will walk you through all the skills measured by the exam, as published by Microsoft.
OBJECTIVES

CHAPTER 1: INSTALL AND CONFIGURE SERVERS
1.1 Install servers
1.2 Configure servers
1.3 Configure local storage

CHAPTER 2: CONFIGURE SERVER ROLES AND FEATURES
2.1 Configure file and share access
2.2 Configure print and document services
2.3 Configure servers for remote management

CHAPTER 3: CONFIGURE HYPER-V
3.1 Create and configure virtual machine settings
3.2 Create and configure virtual machine storage
3.3 Create and configure virtual networks

CHAPTER 4: DEPLOY AND CONFIGURE CORE NETWORK SERVICES
4.1 Configure IPv4 and IPv6 addressing
4.2 Deploy and configure Dynamic Host Configuration Protocol (DHCP) service
4.3 Deploy and configure DNS service

CHAPTER 5: INSTALL AND ADMINISTER ACTIVE DIRECTORY
5.1 Install domain controllers
5.2 Create and manage Active Directory users and computers
5.3 Create and manage Active Directory groups and organizational units (OUs)

CHAPTER 6: CREATE AND MANAGE GROUP POLICY
6.1 Create Group Policy objects
6.2 Configure security policies
6.3 Configure application restriction policies
6.4 Configure Windows Firewall

CHAPTER 1 INSTALL AND CONFIGURE SERVERS

1.1 INSTALL SERVERS

Plan for a server installation

Server operating systems differ from a desktop OS in that they are often optimized for handling processes that run behind the scenes (background processes).

The Foundation version has a limitation of 15 user accounts and is available only for OEMs.

The Essentials version has a limit of 25 user accounts with support for preconfigured connectivity.

The Standard version has full Windows Server functionality with a max of two virtual instances.

The Datacenter version offers unlimited virtual instances.

Plan for server roles

A server can be configured to perform specific roles. The applications that the server runs determine the particular server's role. For a server to undertake a role, additional services and features will have to be installed. This is why the server's role is the single most important factor in determining the hardware that a server requires. Normally you add roles through the Server Manager Dashboard upon setup completion.

Plan for a server upgrade

If you are running Windows Server 2008 Standard with SP2 or Windows Server 2008 Enterprise with SP2, you may upgrade to Windows Server 2012 Standard and Windows Server 2012 Datacenter.

If you are running Windows Server 2008 Datacenter with SP2, you may upgrade to Windows Server 2012 Datacenter only.

If you are running Windows Web Server 2008, you may upgrade to Windows Server 2012 Standard only.

Install Server Core

When you install Server 2012, you may choose between Server Core Installation and Server with a GUI, which is the Full installation option. You can start a Server with a GUI installation and then remove the Graphical Shell so the end result is a Minimal Server Interface.

Optimize resource utilization by using Features on Demand

Features on Demand is available only in Windows Server 2012 and Windows 8. The goal is to be able to remove or add roles and features remotely. For this to work there should be a side-by-side feature store available that keeps the feature files.

Migrate roles from previous versions of Windows Server

You can use the Windows Server Migration Tools to migrate roles. First you install Windows Server Migration Tools on the destination 2012 servers. Next, you create the deployment folders and copy them from the destination servers to the source servers. Finally, you register Windows Server Migration Tools on the source servers.

1.2 CONFIGURE SERVERS

Configure Server Core

If you are running a Server Core installation, you use sconfig to perform server configuration. It has a number of options for you to choose from. The tool presents a menu with options you can choose by pressing keys. You can set the domain name or workgroup name, set the computer name, add a new local admin and configure remote management. You can also configure Windows Update.

Delegate administration

The Enterprise Admins, Domain Admins, Administrators, and Account Operators groups can create new computer objects in any OU. Delegating the permission to create computer objects can reduce administrative overhead. This can be done by assigning the permission to an OU's group so that local members of that OU can create computer objects only in that OU. This is achieved via the Delegate Control Wizard.
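The same delegation done from the command line, as an added example that is not part of the guide: dsacls.exe (shipped with Windows Server) grants exactly one right, create-child of class computer, on one OU subtree. The OU, domain and group names are assumed placeholders.

```powershell
# Added example (not from the guide): delegate "create computer objects" on a single OU
# with dsacls.exe, then read the resulting ACE back. Names below are assumed placeholders.
$ou    = "OU=Workstations,DC=contoso,DC=local"
$group = "CONTOSO\Workstation-Joiners"

# CC = Create Child; ";computer" limits the right to objects of the computer class.
# /I:T applies the ACE to this object and all sub-objects (the whole OU subtree).
# Nothing else (delete, write to other classes, other OUs) is granted, which is the
# least-privilege shape the Delegate Control Wizard produces for this task.
dsacls $ou /I:T /G "${group}:CC;computer"

# Verify: list the OU's ACL and keep only the lines that mention the delegated group.
dsacls $ou | Select-String -Pattern ([regex]::Escape($group))

# To take the delegation away again, revoke every ACE held by the group on the OU:
# dsacls $ou /R $group
```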

Add and remove features in offline images

In DISM you can switch from a Server with a GUI installation to Server Core. From an elevated command prompt you run dism /online /disable-feature /featurename:ServerCore-FullServer.

To switch from Server Core to the Server with GUI you run dism /online /enable-feature /featurename:ServerCore-FullServer /featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt.

To reboot the server, run shutdown -r -f.
Deploy roles on remote servers

To install, configure and uninstall server roles locally, use Server Manager or the Windows PowerShell. Remotely you may use Server Manager, Remote Server, RSAT, or the Windows PowerShell. RSAT in particular provides you with Server Manager, MMC snap-ins, consoles and PowerShell cmdlets that run on Windows Server. There are many different versions of RSAT, supporting from Vista to Windows Server 2012.

Convert Server Core to/from full GUI

To convert to a Server Core installation, you run Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart. On the other hand, to convert from a core-only installation to a server with GUI you run Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart.
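An added example, not from the guide, covering both the Features on Demand section and the conversion cmdlets just named: it reads the install state of the GUI features to tell Server Core, Minimal Server Interface and Server with a GUI apart, then converts with -WhatIf so the plan can be reviewed. The feature names are the real Windows Server 2012 names; the -Source path is an assumed placeholder for a side-by-side feature store.

```powershell
# Added example (not from the guide): report the install level, then convert between
# levels with the ServerManager cmdlets. The -Source path is an assumed placeholder.
Import-Module ServerManager

function Get-InstallLevel {
    $infra = Get-WindowsFeature Server-Gui-Mgmt-Infra
    $shell = Get-WindowsFeature Server-Gui-Shell
    if ($shell.Installed)     { return "Server with a GUI" }
    elseif ($infra.Installed) { return "Minimal Server Interface" }
    else                      { return "Server Core" }
}

"Current install level: $(Get-InstallLevel)"

# Features on Demand: a feature whose payload was removed with -Remove shows
# InstallState 'Removed' rather than 'Available', and Install-WindowsFeature then
# needs -Source to find the files in a side-by-side store.
Get-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra |
    Select-Object Name, InstallState

# Reduce to the Minimal Server Interface: drop only the shell, keep Server Manager/MMC.
# -WhatIf prints the plan; replace it with -Restart to actually convert.
Uninstall-WindowsFeature Server-Gui-Shell -WhatIf

# Return to a full GUI later, supplying the feature store in case the payload is gone.
Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell `
    -Source "\\fileserver\fod\sxs" -WhatIf
```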

Configure services

Windows Server will start the Server Manager automatically upon installation completion and then at every server startup. Server Manager is the primary console for server configuration and management. You can manage both the local server and the networked servers via Server Manager. You can configure whether Server Manager should be invoked every time you start the server. You can also set how often it refreshes the information it displays.

Configure NIC teaming

NIC teaming refers to the process of grouping together multiple physical NICs into a single logical NIC for achieving fault tolerance and load balancing. Link aggregation through LACP in the form of NIC teaming is not the same as MPIO. It cannot improve the throughput of a single I/O flow. It does improve throughput when you have several unique flows.

Windows Server 2012 has built-in support for NIC Teaming. It can be enabled via Server Manager. A maximum of 32 physical adaptors can be used together. Note that Windows Server 2012 supports teaming as a Hyper-V switch port if your virtual machines are using independent MAC addresses.

Alternatively, a hash can be created based upon components of the packet, and then assignment can be made dynamically to the available network adapters. In the case of a VM, each Hyper-V switch port associated with a virtual machine that is teaming-capable must allow MAC spoofing.
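The two distribution modes and the MAC spoofing requirement above, as an added example that is not part of the guide, using the NetLbfo and Hyper-V cmdlets that ship with Windows Server 2012. Adapter, team and VM names are assumed placeholders.

```powershell
# Added example (not from the guide): build a host NIC team, switch between the hash-based
# and Hyper-V-port distribution modes, and set the per-VM spoofing flag the guide mentions.

# Hash-based distribution: a hash over packet fields (here the TCP/UDP ports) picks the
# member NIC. Switch-independent mode needs no LACP configuration on the physical switch.
New-NetLbfoTeam -Name "Team1" -TeamMembers "NIC1", "NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# Alternatively, pin each Hyper-V switch port to one member NIC.
Set-NetLbfoTeam -Name "Team1" -LoadBalancingAlgorithm HyperVPort

# Membership and health: a member whose OperationalStatus is not Active has lost its link.
Get-NetLbfoTeamMember -Team "Team1" |
    Select-Object Name, AdministrativeMode, OperationalStatus

# Teaming inside a guest: its switch port must permit MAC spoofing, otherwise the frames
# sent after a failover carry a MAC the port does not own and are dropped. Leave it Off on
# every VM that does not team, since an allowed port can send frames as any MAC.
Set-VMNetworkAdapter -VMName "GuestTeamVM" -MacAddressSpoofing On

# Audit: list every VM adapter that currently allows spoofing.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.MacAddressSpoofing -eq "On" } |
    Select-Object VMName, Name, SwitchName, MacAddressSpoofing
```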
1.3 CONFIGURE LOCAL STORAGE

Design storage spaces

Partitioning refers to the process of creating virtual markers that separate drive letters. A partition table is the list of what partitions have been configured on a drive. A file system, on the other hand, is a data structure that an operating system uses to keep track of files on a disk or partition. One may create folders to organize data into groups and to store data hierarchically on the hard disk. Keep in mind, disks are physical, whereas storage pools and volumes are logical.

The Storage Services Role is part of the File and Storage Services and is installed by default.

Configure basic and dynamic disks

The 2012 Server Manager has a disk management section. The three things you can manage through the UI are Volumes, Disks and Storage Pools. Right-clicking on a volume will display options such as fixing file errors, extending the volume and assigning drive letters. You can even analyze and optimize (defrag) the drives via the GUI.
Configure MBR and GPT disks

These are the highlights of the differences between the two:

Master Boot Record (MBR) disks support a max of 4 partition table entries.

MBR disk partitions and logical drives are usually created based on the reported cylinder boundaries.

GUID Partition Table (GPT) comes with the Unified Extensible Firmware Interface (UEFI) standard.

GPT disks can have very large sizes.

On Windows you can have a maximum of 128 partitions per GPT disk.

Basic disks and dynamic disks can support MBR as well as GPT disks.

Manage volumes

NTFS 5 is the native file system for Windows 2012. NTFS 5 has many features for security, quota management, disk compression and volume mounting.

Transactional NTFS allows file operations to be performed in a transactional manner, with support for full atomic, consistent, isolated, and durable semantics for transactions. Self-healing NTFS can correct disk file corruptions online without requiring Chkdsk.exe to be run manually.

A storage pool is a collection of volumes. A volume is the basic unit of storage that represents an allocated space on a disk. The key is flexibility; storage can be expanded as needed when you add new drives.

Create and mount virtual hard disks (VHDs)

Virtual Hard Disk (VHD) is a file format for specifying a virtual hard disk to be encapsulated in a single file. It is not the same as Hyper-V. VHD works on almost all CPU types. Hyper-V does not work on incompatible processors.

The virtual hard disk format is either dynamically expanding or fixed. VHD Boot starts Windows from a Virtual Hard Disk file. This VHD file is mounted as a virtual disk but can be used just like a normal hard disk drive.

Configure storage pools and disk pools

A storage pool allows you to mix and match different drives for storage purposes. A pool acts as a container. You can create a storage pool via the GUI. If you prefer using PowerShell for creating the storage pools, you must first use the Get-StorageSubSystem cmdlet.

The pool created can be easily expanded by adding new disks. The pool can also be divided into spaces that are used like physical disks. In fact, within a pool you can create virtual disks which are known as spaces.

Data deduplication is eliminating redundant data in storage pools.
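The PowerShell path described above, as an added example that is not part of the guide: it starts from Get-StorageSubSystem, pools the eligible disks, carves a mirrored space out of the pool and brings it online like a physical disk. Pool, space and label names are assumed placeholders; the subsystem wildcard matches the Windows Server 2012 friendly name.

```powershell
# Added example (not from the guide): pool -> space -> volume with the Storage module.
# Names are assumed placeholders.
$subsystem = Get-StorageSubSystem -FriendlyName "Storage Spaces*"

# Only disks that are not already pooled and not the OS disk report CanPool = True.
$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 2) { throw "A mirror needs at least two poolable disks." }

New-StoragePool -FriendlyName "Pool1" -PhysicalDisks $candidates `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName

# A "space" is a virtual disk carved from the pool. Thin provisioning lets the space be
# larger than the disks present today; the pool is grown later with Add-PhysicalDisk.
New-VirtualDisk -StoragePoolFriendlyName "Pool1" -FriendlyName "Space1" `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 500GB

# Initialize, partition and format the space exactly as you would a physical disk.
$disk = Get-VirtualDisk -FriendlyName "Space1" | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data" -Confirm:$false

# Expanding the pool later: add whatever new disk is poolable.
# Add-PhysicalDisk -StoragePoolFriendlyName "Pool1" -PhysicalDisks (Get-PhysicalDisk -CanPool $true)

# Health check: a thin space keeps working until the pool's real capacity is exhausted,
# so watch AllocatedSize against Size.
Get-StoragePool -FriendlyName "Pool1" |
    Select-Object FriendlyName, HealthStatus, Size, AllocatedSize
```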

CHAPTER 2 CONFIGURE SERVER ROLES AND FEATURES

2.1 CONFIGURE FILE AND SHARE ACCESS

Create and configure shares

Simple network folder sharing can be managed via the Network and Sharing Center. The Network and Sharing Center is an interface for basic networking setup as well as network discovery, connection status and file sharing.

You can create a folder share simply by right-clicking on the folder and choosing the appropriate sharing option. You can also manage shared folders via Computer Management. Alternatively, from Server Manager's File and Storage section you can right-click on a server and choose New Share to invoke the New Share Wizard.

Configure share permissions

Advanced sharing and offline files can be configured by right-clicking on a file and choosing Share with, then Advanced sharing. The Server Manager's File and Storage section can also be used to manage storage resources and shares on local or remote servers in real time.

With the File Server Resource Manager installed, you can configure a number of advanced file share settings such as security, encryption and caching. Keep in mind:

Share permissions apply only when a user is accessing a file or folder non-locally. They can be applied on a user or on a group level.

Assigning permissions on a group basis is always recommended.

Individual permissions and group permissions are combined to form the user's effective permissions.

Configure offline files

Offline Files make network files available even when a network connection to the server is either unavailable or very slow. For the sake of performance you should create a root share on the server, let the system create the users' folders and then synchronize files at logoff via Folder Redirection with Offline Files. For security purposes you want to create a security group for those users who have redirected folders on a particular share and accordingly limit access only to those users.

Configure NTFS permissions

NTFS permissions allow you to assign permissions more granularly at the folder and file level. Keep in mind; file permissions always take precedence over folder permissions. You can always set these by right-clicking on a file or folder and configuring the desired permissions from Properties.

Configure access-based enumeration (ABE)

Access-based enumeration (ABE) is a built-in feature that can display only the files and folders that a user has permissions to read. It works only when viewing files and folders in a shared folder. When you use the New Share Wizard, there is an option to enable it.
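The share, NTFS and ABE settings from the three sections above done in one script, as an added example that is not part of the guide: permissions go to groups only, ABE is enabled on the share, and inheritance is cut at the share root before NTFS ACEs are set. Path, share name and group names are assumed placeholders.

```powershell
# Added example (not from the guide): create a share with group-based share permissions,
# access-based enumeration and explicit NTFS ACEs. Names and paths are assumed placeholders.
$path  = "D:\Shares\Projects"
$share = "Projects"
$rw    = "CONTOSO\Projects-RW"
$ro    = "CONTOSO\Projects-RO"

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share-level permissions apply only to network access; grant them to groups, never users.
# FolderEnumerationMode AccessBased is the "enable ABE" checkbox of the New Share Wizard.
New-SmbShare -Name $share -Path $path -FullAccess "BUILTIN\Administrators" `
    -ChangeAccess $rw -ReadAccess $ro -FolderEnumerationMode AccessBased

# NTFS permissions: stop inheriting from D:\Shares, then grant per group. Share and NTFS
# permissions combine and the more restrictive one wins, so the RO group stays read-only
# even if someone later loosens the share permission.
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
$inherit = "ContainerInherit,ObjectInherit"    # apply to subfolders and files
foreach ($entry in @(
        @{ id = "BUILTIN\Administrators"; rights = "FullControl" },
        @{ id = "NT AUTHORITY\SYSTEM";    rights = "FullControl" },
        @{ id = $rw;                      rights = "Modify" },
        @{ id = $ro;                      rights = "ReadAndExecute" })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.id, $entry.rights, $inherit, "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Verify what was actually applied at both layers.
Get-SmbShareAccess -Name $share
Get-SmbShare -Name $share | Select-Object Name, Path, FolderEnumerationMode
(Get-Acl $path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```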

Configure Volume Shadow Copy Service (VSS)

VSS aims to create a consistent shadow copy of the data to be backed up. The VSS service can ensure that all VSS components can communicate with each other properly. You should know these VSS components and terms:

The VSS requester requests the actual creation of shadow copies through a backup application.

The VSS writer ensures there is a consistent data set to back up.

The VSS provider creates and maintains the shadow copies via software or hardware.

Complete copy means making a complete, full and read-only copy of the original volume.

Copy-on-write makes a differential copy.

Redirect-on-write does not make any changes to the original volume.

Configure NTFS quotas

Through Computer Management's Disk Management you can set quotas and create custom quota entries. It works even if your server did not join AD.

Quota management is not enabled by default but you can enable it by hand. In fact, the Server Manager's File and Storage section can be used to set soft or hard space limits on a volume or folder tree. You may also create and apply quota templates with standard quota properties.

2.2 CONFIGURE PRINT AND DOCUMENT SERVICES

Configure the Easy Print print driver

Easy Print is for terminal service printing. It allows users to print from a Terminal Services RemoteApp program or a terminal server desktop session using the correct local printer. The "Redirect only the default client printer" policy setting can be used to specify whether the default client printer is the only printer to be redirected in Terminal Services sessions.
Configure Enterprise Print Management

To provide a printing service, the print spooler service must be running. Whenever something is wrong with the print queue, problems can often be solved by stopping and restarting the spooler.

Configure Drivers

Printer device configuration is done via the Devices and Printers folder located in the Control Panel. Once a printer is added, you can right-click it to configure sharing and other parameters. Instead of configuring on a per-printer basis, you can manage printer drivers and permissions at the print server level. When there is a printing issue, the log for the PrintService event channel can be very helpful with troubleshooting.

Configure printer pooling

Printer pooling requires that you create a logical printer formed by a group of actual physical printers that use the exact same driver. Print users cannot choose the actual physical printer to use. You can configure pooling via the Windows printer configuration applet of the Control Panel.

Configure print priorities

Setting printing priorities involves changing the order of document printing. You must have the Manage Documents permission to make the changes. From within Printers and Faxes you can go into a specific printer's queue, right-click on the desired document and then change its priority level.

Configure printer permissions

All users can pause, resume, restart, or cancel printing of their own documents. However, the Manage Documents permission will be required to manipulate print jobs of other people. If you have the Manage Printers permission, you can pause or resume printing at the printer level.

2.3 CONFIGURE SERVERS FOR REMOTE MANAGEMENT

Configure WinRM

Windows Remote Management (WinRM) implements the WS-Management protocol, which is a standard Simple Object Access Protocol-based protocol. It facilitates the interoperation of different hardware and operating systems.

Computers that run Windows with WinRM will have management data supplied by Windows Management Instrumentation (WMI). If your remote connection is behind a firewall, make sure connections on port 3389 are allowed.

Configure down-level server management

Managing down-level servers means managing remote servers running Windows Server 2008 R2 SP1 full server, Server Core, or Windows Server 2008 SP2 full server. You must ensure they have Windows Management Framework (WMF) 3.0 properly installed. For a Server Core managed server, there are several features to install using DISM, including:

NetFx2-ServerCore

MicrosoftWindowsPowerShell

NetFx2-ServerCore-WOW64

MicrosoftWindowsPowerShell-WOW64
Configure servers for day-to-day management tasks

The Routing and Remote Access Server has three sub-roles, which are Remote Desktop Services Connection Broker, Licensing and Virtualization. You may add roles through the Server Manager Dashboard upon setup completion.

From Control Panel's System Properties you can enable remote desktop connections to a server. Setting Remote Desktop sessions to run over an encrypted channel is considered best practice as it can prevent viewing of a session. It is recommended to always use strong passwords with any accounts that have access to Remote Desktop.

Configure multi-server management

If you have multiple Administrator accounts in place, try to limit remote access only to those accounts that actually need it. You should use Local Security Policy to set account lockouts for them.

Before creating a subscription to collect events on a computer, configure both the collecting computer and the computer from which events will be collected. Also note the following:

You run the winrm quickconfig command on the source computer.

You use the wecutil qc command on the collector computer.

You add the computer account of the collector computer to the local Administrators group of the source computer.
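The WinRM setup from the "Configure WinRM" section and the three event-collection steps just listed, scripted as an added example that is not part of the guide. Host names are assumed placeholders. It also lists the WinRM listener and its firewall rule group, so the port the listener actually uses (the WinRM defaults are TCP 5985 for HTTP and 5986 for HTTPS) can be matched against what the firewall permits.

```powershell
# Added example (not from the guide): prepare an event source and an event collector.
# Run the marked parts on the respective hosts. Names are assumed placeholders.
$collector = "LOG-COLLECTOR"   # collector computer (runs the Windows Event Collector service)

# --- On the source computer ---
# winrm quickconfig starts the service, creates an HTTP listener and adds the firewall
# exception for it; -q suppresses the confirmation prompts.
winrm quickconfig -q

# Show the listener(s) and the port each one is bound to.
winrm enumerate winrm/config/listener | Select-String "Address|Transport|Port"

# The firewall rules that go with the listener, per profile.
Get-NetFirewallRule -DisplayGroup "Windows Remote Management" |
    Select-Object DisplayName, Enabled, Profile

# Let the collector's machine account read the logs. The guide's method is membership of
# local Administrators; note this is a high-privilege grant for a machine account, so keep
# the collector itself well protected.
net localgroup Administrators "CONTOSO\$collector`$" /add

# --- On the collector computer ---
# wecutil qc configures the Windows Event Collector service and starts it automatically.
wecutil qc /q

# Confirm the collector can reach the source's WinRM endpoint before creating subscriptions.
Test-WSMan -ComputerName "APP-SRV01"

# Subscriptions created later show up here.
wecutil es
```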

Configure Server Core

To install, configure or uninstall server roles remotely you may use Server Manager, Remote Server, RSAT, or the Windows PowerShell. A Server Core installation option allows the installing of Windows Server with a minimal environment for running specific server roles. Everything is done via the command prompt, which cuts down the maintenance and management requirements as well as the attack surface.

Through the RSAT tools you can manage computers running Server 2012, Server 2008 R2, Server 2008, or Server 2003. By default the RSAT tools will only open the ports and enable the services that are required for remote management to function.

Configure Windows Firewall

Windows Firewall can be configured via the Windows Firewall with Advanced Security interface or the netsh advfirewall command. You may also access it via the Control Panel. It works by examining each message and/or packet that passes through it and blocks those that do not meet the specified security criteria.

Network Location and Windows Firewall are in theory mutually independent. The configuration of Windows Firewall would largely be based on the current network category or categories. When connected to a Public network, only Core Networking rules will be enabled.

Within the netsh advfirewall context, the firewall subcommand can be used to change to the proper firewall context so you can view, create, and modify firewall rules.
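An added example, not from the guide, of the per-profile behaviour and the netsh advfirewall firewall context described above: it shows which profile is active and which rule groups are enabled for it, then adds one inbound rule scoped to a single profile and a single remote subnet. The management subnet is an assumed placeholder.

```powershell
# Added example (not from the guide): inspect firewall state per network profile and add
# one tightly scoped inbound rule with netsh advfirewall. The subnet is a placeholder.
$mgmtSubnet = "10.0.50.0/24"

# Which network category is the host on, and is the firewall enabled for that profile?
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Enabled inbound rules grouped by the profiles they apply to. On a Public connection the
# expectation from the guide is that only the Core Networking group is active.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Group-Object -Property Profile | Select-Object Name, Count
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -match "Public|Any" } |
    Select-Object -ExpandProperty DisplayGroup -Unique

# The netsh advfirewall firewall context: allow Remote Desktop inbound, but only from the
# management subnet and only while on the Domain profile.
netsh advfirewall firewall add rule name="RDP from management subnet" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$mgmtSubnet profile=domain

# Read the rule back both ways; the address filter confirms the remote scope stuck.
netsh advfirewall firewall show rule name="RDP from management subnet"
Get-NetFirewallRule -DisplayName "RDP from management subnet" |
    Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress

# Remove it again when it is no longer needed:
# netsh advfirewall firewall delete rule name="RDP from management subnet"
```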

CHAPTER 3 CONFIGURE HYPER-V

3.1 CREATE AND CONFIGURE VIRTUAL MACHINE SETTINGS

Configure dynamic memory

With Dynamic Memory, there is no need to stop and restart a VM when the memory size is changed. It also distributes memory more efficiently, which could be a performance drawback, thus requiring an increase to the size of the pagefile in the guest OS. You may also need to increase the memory buffer configured for the VM. Keep in mind; you must have adequate RAM to avoid experiencing performance problems.

Note that by default, the minimum RAM value is the same as that of the Startup RAM.

Configure smart paging

Smart Paging uses the hard disk as an option for providing the memory required by a VM if the physical RAM is insufficient. Using this technique a failure to load may occur when the memory requests are too high at a given time. This should only be used as a temporary fix because using hard drive space as memory has a noticeable performance impact.

Configure Resource Metering

Resource metering allows you to track system resource usage for your VM. It is not enabled by default, though. You can activate it via Enable-VMResourceMetering. Statistics are collected once every hour by default, or as dictated by the ResourceMeteringSaveInterval option. To display the data, use Measure-VM.
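The Dynamic Memory, smart paging and resource metering settings from the three sections above, as an added example that is not part of the guide, using the Hyper-V module cmdlets. The VM name and the smart paging path are assumed placeholders.

```powershell
# Added example (not from the guide): Dynamic Memory, smart paging file location and
# resource metering for one VM. Name and path are assumed placeholders.
$vm = "WEB01"

# Dynamic Memory: startup, floor (minimum), ceiling (maximum) and the buffer percentage
# the guide mentions. Minimum defaults to the startup value unless set explicitly.
Set-VMMemory -VMName $vm -DynamicMemoryEnabled $true `
    -StartupBytes 1GB -MinimumBytes 512MB -MaximumBytes 4GB -Buffer 25
Get-VMMemory -VMName $vm |
    Select-Object DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer

# Smart paging file: only used while a VM restarts under memory pressure, but put it on a
# volume other than the system disk so that a paging burst cannot fill C:.
Set-VM -Name $vm -SmartPagingFilePath "E:\Hyper-V\SmartPaging\$vm"
Get-VM -Name $vm | Select-Object Name, SmartPagingFilePath, SmartPagingFileInUse

# Resource metering is off by default. The save interval is a host-wide setting whose
# default is one hour; here it is shortened to 15 minutes.
Enable-VMResourceMetering -VMName $vm
Set-VMHost -ResourceMeteringSaveInterval (New-TimeSpan -Minutes 15)
Get-VMHost | Select-Object ResourceMeteringSaveInterval

# Read the accumulated figures for the VM (CPU in MHz, memory in MB, disk in MB).
Measure-VM -VMName $vm |
    Select-Object VMName, AvgCPU, AvgRAM, MinRAM, MaxRAM, TotalDisk, MeteringDuration

# Start a fresh measurement window without disabling metering.
Reset-VMResourceMetering -VMName $vm
```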

Configure guest integration services

Integration Services aim to optimize the virtual environment drivers. They work by replacing the generic operating system driver files for components such as the mouse, keyboard, display, network and SCSI controller, etc. They also synchronize the system time between the guest and host OS. File interoperability and heartbeat are also implemented. The Data Exchange Service can set, and also get information from, a VM running in a child partition. The Guest Shutdown Service can make a shutdown request from the parent partition to the child partition through WMI calls.

3.2 CREATE AND CONFIGURE VIRTUAL MACHINE STORAGE

Create VHDs and VHDX

With VHD, all the actual data is stored in a single file, of which you can run only one instance at a time. This is because it absorbs almost all of the processing power of the host computer. Note that VHDs have a size limit of 2040 GB. One way to create a VHD is to use diskpart at the command prompt. First you invoke the diskpart command, then you use the create vdisk command.

VHDX is the format to use if you want to go over 2040 GB in size. VHDX is also resilient to power failure. When using the New VM Wizard you can choose which you prefer; VHD or VHDX.

You can set a VHD to a fixed size or make it dynamic. A dynamic VHD is slower and may become more easily fragmented. However, it uses space as needed and is therefore smaller in general.

Configure differencing drives

To create a VHD via the Windows GUI, open Computer Management's Disk Management section. Create VHD can be selected from the Action menu. A dynamically expanding VHD can have a maximum size that is larger than the available free space on the drive.

Note that in the context of VHD, attaching means mounting while detaching means dismounting.

Modify VHDs

You can expand the size of a VHD through diskpart. First make sure that the VHD is detached. Then select it via the select vdisk file= command, then type expand vdisk maximum= for specifying the new size.

The Edit Wizard can be used to modify an existing VHD as well.

A differencing configuration is useful when you have an image serving as a parent VHD that you prefer not to modify. All modifications to the image will be made to a separate child VHD. In order to create a differencing VHD, use the parent option with the create vdisk command or via the GUI.
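The create, attach/detach, expand and differencing steps from the VHD sections above as one diskpart script, added here as an example that is not part of the guide. It is run non-interactively with diskpart /s; the paths and the sizes (in MB, as diskpart expects) are assumed placeholders, and the final check uses Get-VHD from the Hyper-V module.

```powershell
# Added example (not from the guide): create a dynamically expanding parent, expand it while
# detached, and create a differencing child on top of it. Paths and sizes are placeholders.
$parent = "E:\VHDs\base.vhdx"
$child  = "E:\VHDs\base-diff.vhdx"

$steps = @"
rem 1. dynamically expanding parent; maximum may exceed the free space on E:
create vdisk file="$parent" maximum=40960 type=expandable
rem 2. attach (mount) it, then lay down a GPT partition and an NTFS volume
select vdisk file="$parent"
attach vdisk
convert gpt
create partition primary
format fs=ntfs quick label="Base"
assign
rem 3. detach (dismount): expand vdisk only works on a detached disk
detach vdisk
expand vdisk maximum=81920
rem 4. differencing child: all writes land here, the parent stays untouched
create vdisk file="$child" parent="$parent"
"@

$scriptFile = Join-Path $env:TEMP "vhd-steps.txt"
Set-Content -Path $scriptFile -Value $steps -Encoding ASCII
diskpart /s $scriptFile

# Confirm the child references the parent, then mark the parent read-only: any later change
# to a parent invalidates every differencing disk built on it.
Get-VHD -Path $child | Select-Object VhdType, ParentPath, Size, FileSize
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true
```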

Configure pass-through disks

Pass-through disks are not virtualized. This is a feature intended to provide the fastest possible disk performance. Due to the restrictive drawbacks it has, its support is minimal in Windows Server 2012. In fact, it is supported during Hyper-V Live Migration if, and only if, the VM being migrated and the pass-through disk are managed by the same Hyper-V cluster. These are becoming obsolete.

Manage snapshots

A Hyper-V snapshot captures the status of a VM at a given time. This snapshot can then be used to restore a VM if necessary. To create one you simply select a VM to capture from within the Hyper-V Manager interface and then select Snapshot from the Actions pane. You may take a maximum of 50 snapshots of a VM. Note that snapshot files are AVHD/AVHDX files. Each VHD file will act as a parent to its AVHD file. Similarly, each VHDX file will act as a parent to its AVHDX file.

Implement a virtual Fibre Channel adapter

Virtual Fibre Channel for Hyper-V allows the guest OS to have direct access to a SAN via a standard World Wide Name (WWN) that is associated with a VM. This allows you to use Fibre Channel SANs to perform virtualization of the workloads accessing the SAN. In particular it uses the existing N_Port ID Virtualization T11 standard for mapping multiple virtual N_Port IDs to a single physical Fibre Channel N_Port. There is a new NPIV port created on the host whenever you start a VM configured with a virtual HBA.

3.3 CREATE AND CONFIGURE VIRTUAL NETWORKS

Implement Hyper-V Network Virtualization

Hyper-V is a server role that provides tools and services one can use to create a virtualized server computing environment. You add this role via Server Manager, Add Roles. You may also add features for managing it.

From within the Create Virtual Networks page you can also select the LAN adapters you want to have shared with your guest sessions. A Hyper-V host server MUST run on a 64-bit system. An external network provides communication between a virtual machine and a physical network. An internal network provides communication between the virtualization server and virtual machines within the same server system. A private network provides communication between virtual machines.

A virtual switch can combine both the internal and the external network switch segments. With direct addressing, a guest session can connect directly to the backbone of the network. The virtual server can act as a switch that connects all guest sessions together.

Configure Hyper-V virtual switches

A network virtual switch in the context of Hyper-V runs at the data link layer. There is a MAC table with the layer 2 addresses of all the VMs connected to it. The two possible switch modes are Trunk Mode and Access Mode.

The possible types of virtual switches are External, Private and Internal. Only External and Internal Virtual Switches can run in Trunk Mode and Access Mode. The number of internal virtual switches that can be created is not limited by default.

Optimize network performance

As said before, with direct addressing a guest session can connect directly to the backbone of the network. For it to work you need to configure an external connection in the Virtual Network Manager. You also must have a valid IP address on that external segment.

To keep the guest session isolated from the network, set up an internal connection using an IP address of a segment that is common to the other guest sessions on the same host system.

Configure MAC addresses

VM MAC addresses can be static or dynamic. By default, the MAC address is set to Dynamic. If you need the MAC address to become static, you must stop the VM first.

Configure network isolation

If there are VLANs connected to your Hyper-V platform, each of your VMs must have a correct VLAN tag for the network interfaces in use. You may want to use the PowerShell to set the necessary VLAN parameters. Use Set-VMNetworkAdapterVlan to set all of the VLAN-related settings.

Configure synthetic and legacy virtual network adapters

If you have an older OS to virtualize, you may want to ensure compatibility via Set-VMProcessor -CompatibilityForOlderOperatingSystemsEnabled $true.
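The switch types, static MAC, VLAN access/trunk modes and processor compatibility setting from the sections above, as an added example that is not part of the guide. Switch, adapter and VM names, the MAC and the VLAN IDs are assumed placeholders.

```powershell
# Added example (not from the guide): create the three switch types, then isolate one VM's
# adapter with a static MAC, an access-mode VLAN tag and MAC spoofing left off.
New-VMSwitch -Name "External-LAN" -NetAdapterName "NIC1" -AllowManagementOS $true
New-VMSwitch -Name "Internal-Mgmt" -SwitchType Internal   # host <-> VMs only
New-VMSwitch -Name "Private-Lab"   -SwitchType Private    # VMs <-> VMs only

$vm = "DB01"
# A static MAC can only be assigned while the VM is off, as the guide notes.
if ((Get-VM -Name $vm).State -ne "Off") { Stop-VM -Name $vm }

Connect-VMNetworkAdapter -VMName $vm -SwitchName "External-LAN"
# 00-15-5D is the Hyper-V OUI; the remaining bytes are a constructed sample value.
Set-VMNetworkAdapter -VMName $vm -StaticMacAddress "00155D0A0B0C" -MacAddressSpoofing Off

# Access mode: the guest sees untagged frames; the switch tags them with VLAN 120.
Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId 120

# Trunk mode (for a guest that routes between VLANs): native VLAN plus an allowed list.
# Set-VMNetworkAdapterVlan -VMName $vm -Trunk -NativeVlanId 120 -AllowedVlanIdList "120,121-125"

# Legacy guest OS: the processor compatibility switch from the guide.
Set-VMProcessor -VMName $vm -CompatibilityForOlderOperatingSystemsEnabled $true
Start-VM -Name $vm

# Review every VM adapter: switch, MAC type, VLAN mode/ID and spoofing state.
Get-VM | Get-VMNetworkAdapter | ForEach-Object {
    $vlan = $_ | Get-VMNetworkAdapterVlan
    [pscustomobject]@{
        VM       = $_.VMName
        Switch   = $_.SwitchName
        MAC      = $_.MacAddress
        Static   = -not $_.DynamicMacAddressEnabled
        VlanMode = $vlan.OperationMode
        VlanId   = $vlan.AccessVlanId
        Spoofing = $_.MacAddressSpoofing
    }
} | Format-Table -AutoSize
```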

CHAPTER 4 DEPLOY AND CONFIGURE CORE NETWORK SERVICES

4.1 CONFIGURE IPV4 AND IPV6 ADDRESSING

Configure IP address options

In order to configure protocols and addresses for the network interfaces from File Explorer, you right-click on Network and choose Properties.

An IP address is the unique number ID assigned to a network interface. IPv4 is 32-bit, whereas IPv6 is 128-bit. The gateway address is typically a router's address. In a Class A address, the first octet is the network portion. In a Class B address, the first two octets are the network portion. In a Class C address, the first three octets are the network portion. Class D addresses are for multicast, while Class E addresses are reserved. Private IP addresses are non-routable and are for private use only.

An IPv6 address space has 128 bits. There are two major 64-bit parts: the network prefix and the interface ID. The exam, however, has limited coverage of IPv6.

Configure subnetting

A subnet mask has four bytes, thus totaling 32 bits. The subnet mask is written using the dotted decimal notation, with the leftmost bits always set to the value of 1. Through applying a subnet mask to an IP address you effectively split the address into two parts.

Variable Length Subnet Masks (VLSM) allow for the use of a long mask on networks with few hosts and a short mask on subnets with relatively more hosts.

Configure supernetting

Classless Interdomain Routing (CIDR) is also known as supernetting. It improves address space utilization by having an IP network represented by a prefix. With CIDR, you specify an IP address range using a combination of an IP address and network mask.
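The mask arithmetic behind the subnetting, VLSM and CIDR sections above, as an added example that is not part of the guide: a /n prefix becomes n leading one-bits, AND-ing clears the host bits (network), OR-ing with the inverted mask sets them (broadcast). The addresses are constructed sample values.

```powershell
# Added example (not from the guide): split an address into network and host parts with a
# mask, and show a VLSM plan that cuts one CIDR block into subnets of different lengths.
function ConvertTo-IpNumber([string]$Dotted) {
    # Dotted quad -> 32-bit number, kept in a [long] so shifts never overflow.
    $o = $Dotted.Split(".") | ForEach-Object { [long]$_ }
    return ($o[0] -shl 24) -bor ($o[1] -shl 16) -bor ($o[2] -shl 8) -bor $o[3]
}
function ConvertFrom-IpNumber([long]$N) {
    "{0}.{1}.{2}.{3}" -f (($N -shr 24) -band 255), (($N -shr 16) -band 255),
                         (($N -shr 8) -band 255), ($N -band 255)
}
function Get-SubnetInfo([string]$Cidr) {
    $address, $prefixText = $Cidr.Split("/")
    $prefix = [int]$prefixText
    $all32  = [long]4294967295                            # 32 one-bits
    $mask   = ($all32 -shl (32 - $prefix)) -band $all32   # /n = n leading ones
    $addr   = ConvertTo-IpNumber $address
    $network   = $addr -band $mask                        # host bits cleared
    $broadcast = $network -bor ($all32 - $mask)           # host bits set
    # /31 and /32 have no room for a network+broadcast pair and ordinary hosts.
    $usable = if ($prefix -ge 31) { 0 } else { [long][math]::Pow(2, 32 - $prefix) - 2 }
    [pscustomobject]@{
        Input       = $Cidr
        Mask        = ConvertFrom-IpNumber $mask
        Network     = ConvertFrom-IpNumber $network
        Broadcast   = ConvertFrom-IpNumber $broadcast
        FirstHost   = ConvertFrom-IpNumber ($network + 1)
        LastHost    = ConvertFrom-IpNumber ($broadcast - 1)
        UsableHosts = $usable
    }
}

# Applying a mask splits the same host address differently: /24 vs /26.
Get-SubnetInfo "192.168.10.77/24"    # network 192.168.10.0,  broadcast .255, 254 hosts
Get-SubnetInfo "192.168.10.77/26"    # network 192.168.10.64, broadcast .127, 62 hosts

# VLSM: 10.1.0.0/22 (a supernet of four /24s) carved into a /23 for a busy LAN,
# a /25 for a small office and a /30 for a router-to-router link.
"10.1.0.0/23", "10.1.2.0/25", "10.1.2.128/30" |
    ForEach-Object { Get-SubnetInfo $_ } |
    Format-Table Input, Mask, Network, Broadcast, UsableHosts -AutoSize
```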

Configure interoperability between IPv4 and IPv6

Windows Server 2012 supports IPv4 and IPv6. Both are installed and enabled by default. You may tunnel IPv6 traffic through an IPv4 network and vice versa.

Configure ISATAP

There are transition technologies you may consider if you are not ready for IPv6. ISATAP allows unicast communication between IPv6/IPv4 hosts across your IPv4 intranet.

Windows Server 2012 can be configured to act as an ISATAP router. Virtual IP addresses (VIPs) allow you to use cluster-based Network Load Balancing. Neighbor Unreachability Detection (NUD) can protect against routing loops.

Configure Teredo

6to4 allows unicast communications to take place between IPv6/IPv4 hosts and IPv6-capable sites through the Internet. Teredo is similar to 6to4 and can work even when there are private IPv4 addresses and NAT devices involved. IP-HTTPS permits IPv6 to be tunneled using HTTP with SSL as a transport.

To use Teredo, you need to have two consecutive static public IPv4 addresses on your outside-facing network interface. You can use the Set-DAServer -Teredo Enabled cmdlet to turn on Teredo for DirectAccess.
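An added example, not from the guide, that inspects the four transition technologies named above with the NetworkTransition module cmdlets of Windows Server 2012, points ISATAP at an intranet router, and turns off the Internet-facing tunnels on a host that does not use them. The ISATAP router name is an assumed placeholder.

```powershell
# Added example (not from the guide): audit and set IPv6 transition technologies.
# The router name is an assumed placeholder.
Import-Module NetworkTransition

# Current state of each technology on this host.
Get-NetIsatapConfiguration  | Select-Object State, Router, ResolutionState
Get-NetTeredoConfiguration  | Select-Object Type, ServerName, ClientPort
Get-Net6to4Configuration    | Select-Object State, RelayName
Get-NetIPHttpsConfiguration | Select-Object State, ServerURL

# ISATAP inside the intranet: pin the router explicitly instead of relying on the
# client-side name lookup, and enable the interface.
Set-NetIsatapConfiguration -State Enabled -Router "isatap-rtr.contoso.local"

# Teredo and 6to4 tunnel IPv6 across the Internet. On a server that only needs the ISATAP
# intranet path, disable them so no IPv6 reachability exists that the host's IPv4-centric
# firewall rules were not written for.
Set-NetTeredoConfiguration -Type Disabled
Set-Net6to4Configuration -State Disabled

# Confirm: which tunnel interfaces are left and whether they are connected.
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -match "isatap|Teredo|6to4" } |
    Select-Object InterfaceAlias, ConnectionState
```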

4.2 DEPLOY AND CONFIGURE DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SERVICE

Create and configure scopes

A DHCP scope refers to an administrative grouping of IP addresses. You may first create a scope for each physical subnet, then use the scope to further define the parameters to be used by your clients. Each scope has a range of IP addresses, a subnet mask and a scope name. You use the New Scope Wizard to create one.

Each subnet can have only one DHCP scope with a single continuous range of IP addresses. To use multiple address ranges within a single scope you have to carefully configure the required exclusion ranges, or conflicts will occur.

Configure a DHCP reservation

A client reservation is an IP address reserved for permanent use by a specific DHCP client. When multiple DHCP servers are configured with a scope that covers the range of the reserved IP address, you should manually make the same client reservation at each of the involved DHCP servers. Also, if you try to reserve an address that is already in use, the client using the address must first release it. This can be done via ipconfig /release. When specific DHCP options are configured for a reserved client, the values will override anything distributed via other assignment methods.

Configure DHCP options

DHCP scope options are configured for assignment to DHCP clients, such as a DNS server address, router address, WINS server address, etc. Server options apply to all scopes and clients of a DHCP server. Scope options apply only to clients of a selected applicable scope. Reservation options apply only to a specific reserved DHCP client. Class options apply to member clients of a specified user or vendor class. User classes group clients that have been identified as having a common need for certain options configuration. Vendor classes provide vendor-specific options to clients. Most of the time, scope options alone should be used to assign the options that clients need. Note that when the DHCP service is installed, there are no default DHCP option definitions created, so they must be configured manually.

For BOOTP to work there must be a BOOTP table. By default this table is empty. DHCP can provide assignment to BOOTP clients, but these clients can only obtain an IP address lease at boot time. Lease expiration times should be set accordingly so the lease will not expire before the client reboots.

Configure client and server for PXE boot

In order to support PXE Network Boot, there must be a working DHCP server with scope options 066 and 067 configured, plus a TFTP server and an NFS server. The job of DHCP in this scenario is to provide the PXE-enabled host with the correct TFTP host and boot file name.

Configure DHCP relay agent

A DHCP Relay Agent can relay DHCP messages between clients and servers on different subnets. Keep in mind, DHCP is broadcast-based and therefore cannot be routed unless facilitated by RFC 1542 compliant relay agents. You may enable the DHCP Relay Agent feature via RRAS, where it is listed as a routing protocol. Note there is an agent for IPv4 and another for IPv6. However, both of them cannot run simultaneously within the DHCP service on the same computer.

Authorize DHCP server

For a domain-joined DHCP Member Server, you may use the DHCP MMC console to authorize the server. If it is not authorized it will not lease addresses to clients. This is done for the sake of security. If located on a workgroup server, authorization is not necessary. If located on a domain controller, it is typically automatically authorized.
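The scope, exclusion, reservation, option (including PXE options 066/067) and authorization steps from the DHCP sections above, as one added example that is not part of the guide, using the DhcpServer module that ships with the Windows Server 2012 DHCP role. Server name, addresses and the client MAC are assumed placeholders.

```powershell
# Added example (not from the guide): build one scope end to end with the DhcpServer cmdlets.
# All names and addresses are assumed placeholders.
Import-Module DhcpServer
$dhcp = "DHCP01.contoso.local"

# One scope per physical subnet: a single continuous range, a subnet mask and a name.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name "Office LAN" -Description "10.1.2.0/24" `
    -StartRange 10.1.2.20 -EndRange 10.1.2.250 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Static devices live inside the range, so exclude their block instead of adding a scope.
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId 10.1.2.0 `
    -StartRange 10.1.2.200 -EndRange 10.1.2.250

# Scope options apply only to clients of this scope.
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.1.2.0 `
    -Router 10.1.2.1 -DnsServer 10.1.1.10, 10.1.1.11 -DnsDomain "contoso.local"

# PXE: option 066 (boot server host name) and 067 (boot file name), as the guide states.
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.1.2.0 -OptionId 66 -Value "wds01.contoso.local"
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.1.2.0 -OptionId 67 -Value "boot\x64\wdsnbp.com"

# Reservation keyed on the client MAC; an option set on the reservation overrides the scope value.
Add-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId 10.1.2.0 -IPAddress 10.1.2.50 `
    -ClientId "00-15-5D-01-02-03" -Name "PRINTER01" -Description "Lobby printer"
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ReservedIPAddress 10.1.2.50 -DnsServer 10.1.1.10

# Authorize in AD DS: until this is done a domain-joined DHCP server hands out no leases.
Add-DhcpServerInDC -DnsName $dhcp -IPAddress 10.1.1.20
Get-DhcpServerInDC

# Review what is now in effect for the scope.
Get-DhcpServerv4Scope -ComputerName $dhcp -ScopeId 10.1.2.0
Get-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId 10.1.2.0
Get-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.1.2.0
Get-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId 10.1.2.0
```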

4.3 DEPLOY AND CONFIGURE DNS SERVICE

Configure Active Directory integration of primary zones

You use the DNS Manager to invoke the New Zone Wizard. It is always recommended that the DNS zones be integrated with AD (due to the endless number of benefits offered by AD, such as AD DS-integrated replication of updates). Note that only primary zones can be stored in AD. Secondary zones can only be stored in text files.

Configure forwarders

When a new DNS server is not also serving as a domain controller, you may configure it by first creating a forward and reverse (optional) lookup zone, then decide whether queries will be forwarded to other servers. You can choose to designate a DNS server on your local network as a forwarder by configuring the forwarding of queries. A conditional forwarder is one that forwards DNS queries according to the DNS domain name involved (only some but not all queries will be forwarded).

Configure Root Hints

Through root hints you may prepare servers that are authoritative for a non-root zone so that it is possible for them to discover authoritative servers at a higher level. This is needed on DNS servers that are authoritative at lower levels of the namespace. You may configure root hints (located in the properties of the DNS server) via the DNS Manager console. The root hints file is in fact the cache hints file. This file is text-based and contains host information for resolving names outside of the authoritative DNS domains.

Manage DNS cache

Caching means the DNS servers can remember the results from earlier resolutions. With proper caching it is possible to reduce WAN traffic since requests can be satisfied via the cache. However, it is sometimes necessary to use ipconfig /flushdns to flush the cache. The DNS Manager GUI also has the Clear Cache option when you right-click on a server.

The advanced option known as Secure cache against pollution is for preventing an attacker from polluting the DNS cache.

Create A and PTR resource records

DNS records can be created via the DNS Manager console. You simply right-click a zone and then choose from the options available. A host resource record associates the DNS domain name of a computer with an IP address. You need such a resource record for a computer sharing resources that needs to be identified by its DNS domain name.

When you create a new host record (A or AAAA), you have the option to also create an associated PTR record automatically. PTR resource records created this way will be deleted if the corresponding host record is deleted.
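
The forwarder, root hint, cache and A/PTR tasks from the sections above, done with the DnsServer PowerShell module instead of DNS Manager. This is an added example and not code from the study guide; mydomain.com is the guide's placeholder domain, while the reverse zone, partner domain, addresses and host name are constructed.

```powershell
# Added example (not from the study guide): forwarding, root hints, cache
# protection and host/PTR records on a Windows Server 2012 DNS server.
# Zone names and addresses are constructed placeholders.
Import-Module DnsServer

$zone    = 'mydomain.com'              # assumed AD-integrated forward zone
$revZone = '1.168.192.in-addr.arpa'    # assumed reverse zone for 192.168.1.0/24

# Forwarders: unresolved queries go to these upstream resolvers instead of the
# root servers. -UseRootHint $false makes the server fail the query rather than
# fall back to root hints when every forwarder is unreachable.
Set-DnsServerForwarder -IPAddress 192.168.1.53, 192.168.1.54 -UseRootHint $false

# Conditional forwarder: only queries for partner.example.net go to that
# partner's servers; everything else still uses the forwarders above.
Add-DnsServerConditionalForwarderZone -Name 'partner.example.net' `
    -MasterServers 10.10.0.53 -ReplicationScope 'Forest'

# Root hints (the cache.dns file) are consulted when no forwarder is used.
# Inspect them here instead of editing the file by hand.
Get-DnsServerRootHint | ForEach-Object {
    [pscustomobject]@{
        NameServer = $_.NameServer.RecordData.NameServer
        Address    = ($_.IPAddress.RecordData | ForEach-Object { $_.IPv4Address; $_.IPv6Address }) -join ' '
    }
}

# "Secure cache against pollution" (the advanced option in DNS Manager):
# discard records in a response that are not for the name tree that was queried.
Set-DnsServerCache -PollutionProtection $true

# The reverse zone must exist before -CreatePtr has somewhere to write the PTR.
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $revZone -ReplicationScope 'Domain'
}

# Host (A) record with its PTR created in the same operation.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'fs01' `
    -IPv4Address 192.168.1.25 -CreatePtr

# Verify both records.
Get-DnsServerResourceRecord -ZoneName $zone    -Name 'fs01' -RRType A
Get-DnsServerResourceRecord -ZoneName $revZone -Name '25'   -RRType Ptr

# Flush the server cache after changing forwarders so stale answers are not
# served (the equivalent of the Clear Cache action in DNS Manager).
Clear-DnsServerCache -Force
```

Deleting the A record with Remove-DnsServerResourceRecord does not remove a PTR that was created separately; the automatic deletion described above applies to the PTR created with -CreatePtr or the matching checkbox.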

CHAPTER 5: INSTALL AND ADMINISTER ACTIVE DIRECTORY
5.1 INSTALL DOMAIN CONTROLLERS

Add or remove a domain controller from a domain

You need to install the Active Directory Domain Services (AD DS) role on the server to allow it to act as a domain controller. After this you need to promote the server to a domain controller. You use the AD DS Installation Wizard to achieve this.

When the first Windows Server 2012-based domain controller is introduced, the forest will operate by default at the lowest functional level that is possible. When you raise the functional level, newer advanced features become available, but this is at the expense of compatibility. Keep in mind that you cannot have AD DS installed on a server that also runs the Hyper-V Server role.

Upgrade a domain controller

Domain controllers that run Windows 2000 Server must be removed. You should first raise the forest functional level to Windows Server 2003 (or higher), install domain controllers that run Windows Server 2012, and then remove domain controllers that run earlier versions of Windows.

In order to install the first Windows Server 2012 domain controller in an existing domain or forest, this server must have proper connectivity to the existing schema master. To install or remove a domain in a forest there must be connectivity to the domain naming master. On a domain controller that you plan to upgrade to Windows Server 2012, make sure you size the drive properly. The drive that hosts NTDS.DIT must have sufficient free space to allow the upgrade to go through; this is about 20% of the size of the DIT file.

Install Active Directory Domain Services (AD DS) on a Server Core installation

In Windows Server 2012, command-line installation of AD relies on the ADDSDeployment module of Windows PowerShell. Adprep is fully integrated into the AD DS installation, so you do not need to run it manually.

The Active Directory Module for Windows PowerShell is installed by default when the AD DS server role is added on a 2012 server; there is no additional step required other than adding the server role. AD DS can be installed on a Server Core installation, and this is often recommended for read-only domain controllers in smaller branch offices.

On a Server Core installation, you add the Active Directory Domain Services role via Install-WindowsFeature AD-Domain-Services -IncludeManagementTools. To promote the Server Core installation, use Install-ADDSDomainController -DomainName mydomain.com -InstallDNS:$True -Credential (Get-Credential). You will be asked to supply a logon credential with domain admin rights.

Install a domain controller from Install from Media (IFM)

You can use the Ntdsutil tool's ifm command to create installation media for installing additional domain controllers. This minimizes data replication over the network. For this to work, you have to log on to a domain controller interactively. You must also be able to make a backup. Since IFM will create a temporary database in the %TMP% folder, make sure you have enough free drive space: approximately 110% of the size of the existing AD DS database.

Resolve DNS SRV record registration issues

Service (SRV) records are resource records. They indicate the resources that perform a particular service. All domain controllers are referenced by SRV records. In fact, through these records the domain controllers can advertise the services they provide. An SRV record must be ready for the _kerberos and _ldap services. If your DNS server is NOT running Windows, you should verify the SRV locator resource records by examining the Netlogon.dns file.
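
A check for the _ldap and _kerberos locator records mentioned above, with the re-registration step for when they are missing. This is an added example, not code from the guide; mydomain.com is the guide's placeholder and the list of record names is the minimum set a DC publishes, not the full contents of Netlogon.dns.

```powershell
# Added example (not from the study guide): verify a domain's SRV locator
# records are registered and re-register them if not.
$domain = 'mydomain.com'

# A minimal set every DC must publish; Netlogon.dns on the DC lists them all.
$srvNames = @(
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain"
)

# Query each name and report which DCs (NameTarget:Port) answer for it.
function Test-DcSrvRecords {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $rr = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record  = $n
            Found   = [bool]$rr
            Targets = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ' '
        }
    }
}

$results = Test-DcSrvRecords -Names $srvNames
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Found }
if ($missing) {
    Write-Warning "Missing SRV records: $($missing.Record -join ', ')"

    # Ask Netlogon on this DC to re-register its records through dynamic update.
    nltest /dsregdns

    # dcdiag checks the same registrations from the DC's own point of view.
    dcdiag /test:dns /DnsRecordRegistration

    # On a non-Windows DNS server that does not accept dynamic updates, the
    # entries have to be copied by hand from:
    #   $env:SystemRoot\System32\config\netlogon.dns
}
```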

Configure a global catalog server

A global catalog (GC) is a domain controller. Every AD forest has at least one. It stores a copy of all Active Directory objects in a forest. It enables and facilitates user searches for directory information throughout all domains. It also resolves user principal names when the authenticating domain controller doesn't have knowledge of the involved account. It also helps other domain controllers to validate references to objects that belong to other domains in the forest. In a single-domain forest all domain controllers can respond to authentication or service requests, so you have less worry regarding GC placement. There is no need to have a GC at a location that does not use applications that are GC-dependent. However, roaming users will need to contact a GC whenever they log on for the first time at any location. To add a GC, use the Active Directory Sites and Services console.

5.2 CREATE AND MANAGE ACTIVE DIRECTORY USERS AND COMPUTERS

Automate the creation of Active Directory accounts

You can create, edit and delete AD directory objects using ldifde from within an elevated command prompt (i.e. Run as administrator). You can use an import file to automate object creation. In particular, you can create user account objects from an .ldf file. The CSVDE command can serve a similar purpose, but you need to supply .csv files containing the user account data.

Create, copy, configure, and delete users and computers

You use the AD Users and Computers console or the new Active Directory Administrative Center (ADAC) UI to create new resources: AD users, printers, shares and OUs. On the other hand, you use the AD Sites and Services console to create and manage sites. Note that to use the former you must log on as a domain administrator.

Configure templates

To allow objects to be created easily, you can create template objects. You simply create objects as usual with commonly used properties and DISABLE the account. Then, whenever you need to use the template for object creation, you simply COPY it.

Perform bulk Active Directory operations

Batch operations in AD can be performed using the LDIFDE utility or ADSI/VBScript. The former makes use of the LDAP Data Interchange Format (LDIF) file, which is an Internet draft standard file format for performing batch operations on directories. Active Directory Services Interfaces (ADSI) can be used to write directory-enabled applications. VBScript can be used to write simple scripts using a VB-like language.
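
The ldifde and csvde imports described under "Automate the creation of Active Directory accounts" and "Perform bulk Active Directory operations", as one added example that is not from the study guide. The import files are constructed inline; the Staff OU, the three users and the C:\Import path are assumptions, and the domain components come from the guide's mydomain.com.

```powershell
# Added example (not from the study guide): create user accounts in bulk with
# ldifde and csvde from constructed import files, then set passwords.
# Run from an elevated prompt on a domain-joined admin workstation or DC.
New-Item -ItemType Directory -Path C:\Import -Force | Out-Null

# --- LDIF: one "changetype: add" record per object, blank line between records.
# A password cannot be set through ldifde without LDAPS, so the accounts are
# created disabled (userAccountControl 514 = normal account + disabled) and
# enabled only after a password has been set.
$ldif = @'
dn: CN=Alice Example,OU=Staff,DC=mydomain,DC=com
changetype: add
objectClass: user
sAMAccountName: aexample
userPrincipalName: aexample@mydomain.com
givenName: Alice
sn: Example
displayName: Alice Example
userAccountControl: 514

dn: CN=Bob Example,OU=Staff,DC=mydomain,DC=com
changetype: add
objectClass: user
sAMAccountName: bexample
userPrincipalName: bexample@mydomain.com
givenName: Bob
sn: Example
displayName: Bob Example
userAccountControl: 514
'@
Set-Content -Path C:\Import\users.ldf -Value $ldif -Encoding ASCII

# -i import, -f file, -k continue past "already exists" errors, -j log folder.
ldifde -i -f C:\Import\users.ldf -k -j C:\Import

# --- CSV: header row names the attributes, one object per row. Same result.
$csv = @'
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,userAccountControl
"CN=Carol Example,OU=Staff,DC=mydomain,DC=com",user,cexample,cexample@mydomain.com,Carol,Example,Carol Example,514
'@
Set-Content -Path C:\Import\users.csv -Value $csv -Encoding ASCII
csvde -i -f C:\Import\users.csv -k -j C:\Import

# --- Set an initial password, force a change at first logon, then enable.
Import-Module ActiveDirectory
foreach ($sam in 'aexample', 'bexample', 'cexample') {
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $sam"
    Set-ADAccountPassword -Identity $sam -NewPassword $pw -Reset
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
}

# --- Export the OU back to LDIF for review: -d base DN, -r LDAP filter,
#     -l attribute list (keeps the export small and free of binary attributes).
ldifde -f C:\Import\staff-export.ldf -d "OU=Staff,DC=mydomain,DC=com" -r "(objectClass=user)" -l sAMAccountName,userPrincipalName,userAccountControl
```

ldifde and csvde write a log in the -j folder (ldif.log or csv.log) that names the record that failed; -k keeps the import going past constraint violations such as a duplicate sAMAccountName, so read the log rather than assuming every record was created.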

Configure user rights

AD user rights can be configured via the AD Users and Computers console by right-clicking the desired user object and then choosing Properties. From the Security tab, click Advanced to view all of the permission entries that exist and make changes accordingly.

Offline domain join

Offline Domain Join is implemented through Djoin.exe. You use it to join a computer to a domain without physically contacting a domain controller. You first run djoin /provision to create the necessary computer account metadata, which is saved in a .txt file. Then you run djoin /requestODJ to insert the computer account metadata into the directory. Once you reboot the destination computer, the computer will be joined to AD. DirectAccess offline domain join further allows Windows Server 2012 or Windows 8-based computers to join AD remotely.
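
The two djoin steps as they are typed, plus a post-reboot check, as an added example that is not from the study guide. mydomain.com is the guide's placeholder; the machine name, OU and C:\ODJ path are constructed. The comments describe what each djoin step does on the machine where it runs.

```powershell
# Added example (not from the study guide): offline domain join with djoin.exe.

# --- Step 1, on a machine that can reach a domain controller (the account
#     used needs rights to create computer objects in the target OU):
#     /provision creates the computer object and writes the join metadata
#     (including the machine password) to the blob file. Treat that file as a
#     secret: it lets whoever holds it join a machine under this identity.
djoin /provision /domain mydomain.com /machine BRANCH-PC01 `
      /machineou "OU=Branch,DC=mydomain,DC=com" /savefile C:\ODJ\BRANCH-PC01.txt /reuse
# /reuse allows an existing BRANCH-PC01 object to be reused instead of failing.

# --- Step 2, on the destination computer, with no DC connectivity required:
#     /requestODJ injects the metadata into the local OS. /windowspath is the
#     Windows directory of the installation being joined; /localos is required
#     when that installation is the one currently running.
djoin /requestODJ /loadfile C:\ODJ\BRANCH-PC01.txt /windowspath $env:SystemRoot /localos

# Remove the blob once consumed, then reboot: the join completes at startup.
Remove-Item -Path C:\ODJ\BRANCH-PC01.txt -Force
Restart-Computer

# --- After the reboot, once the machine can reach a DC, confirm the secure
#     channel works (both commands fail clearly if the join did not take).
nltest /sc_query:mydomain.com
Test-ComputerSecureChannel -Verbose
```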

Manage inactive and disabled accounts

To clean up inactive accounts, you should use dsquery. Through dsquery you can query the directory using specific search criteria. For example, you can use dsquery computer with -inactive or -disabled to search for computer accounts that are effectively inactive or disabled. dsquery user can do the same with user accounts.
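
The dsquery clean-up described above, taken through review, disable and move, as an added example that is not from the guide. mydomain.com is the guide's placeholder; the 12-week threshold and the Disabled OU are constructed choices. Deletion is deliberately left out: disabling and moving are reversible, deleting is not.

```powershell
# Added example (not from the study guide): find accounts that have not logged
# on for 12 weeks, disable them and move them to a holding OU.
$weeks  = 12
$holdOu = 'OU=Disabled,DC=mydomain,DC=com'

# -inactive takes a number of weeks and relies on lastLogonTimestamp, which
# exists only at Windows Server 2003 forest functional level or higher.
# -disabled lists accounts that are already disabled. -limit 0 lifts the
# default 100-object cap on results.
$inactiveUsers     = @(dsquery user     -inactive $weeks -limit 0)
$inactiveComputers = @(dsquery computer -inactive $weeks -limit 0)
$alreadyDisabled   = @(dsquery user     -disabled        -limit 0)

"Inactive users:          $($inactiveUsers.Count)"
"Inactive computers:      $($inactiveComputers.Count)"
"Already disabled users:  $($alreadyDisabled.Count)"

# Review before acting. dsquery prints one quoted DN per line, which is
# exactly what dsmod and dsmove accept on standard input.
$inactiveUsers
$inactiveComputers

# Disable first (reversible), then move to the holding OU so the objects are
# out of their original OUs and GPO scope. Delete only after a retention period.
if ($inactiveUsers.Count -gt 0) {
    $inactiveUsers | dsmod user -disabled yes
    $inactiveUsers | dsmove -newparent $holdOu
}
if ($inactiveComputers.Count -gt 0) {
    $inactiveComputers | dsmod computer -disabled yes
    $inactiveComputers | dsmove -newparent $holdOu
}

# Equivalent query with the Active Directory module, which also reports the
# last logon date so the list can be sanity-checked.
Import-Module ActiveDirectory
Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays(7 * $weeks)) -UsersOnly |
    Select-Object Name, LastLogonDate, Enabled
```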

5.3 CREATE AND MANAGE ACTIVE DIRECTORY GROUPS AND ORGANIZATIONAL UNITS (OUS)

Configure group nesting

Group nesting is adding a group as a member of another group. This is useful for consolidating member accounts. By default, when you nest a group within another, the user rights are automatically inherited. Note that groups with universal scope can contain other groups with universal scope as well as groups with global scope from any domain. Groups with global scope can contain other groups with global scope from the same domain. Groups with domain local scope can contain groups with universal scope as well as groups with global scope from any domain. They can also contain groups with domain local scope from within the same domain.

Convert groups including security, distribution, universal, domain local, and domain global

Distribution groups are for use with e-mail distribution lists, while security groups are for assigning permissions to shared resources. You may use dsmod group to convert between group types. Groups with domain local scope are for managing access to resources within a single domain. Groups with global scope are for managing directory objects that require frequent maintenance. They are never replicated to other domains. Groups with universal scope are for consolidating groups that span multiple domains.

Manage group membership using Group Policy

Group Policy can be used to configure computer and user settings within networks based on the Active Directory Domain Services (AD DS). For Group Policy to work, your network must be based on AD DS and the computers you want to manage must be joined to the domain. You must also have the relevant permissions to create and edit the policy objects.

Enumerate group membership

You may use dsget group to show the properties and members of a group. This task can be automated using a script.
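
Nesting, scope and type conversion with dsmod, and enumeration with dsget, as one added example covering "Configure group nesting", "Convert groups ..." and "Enumerate group membership" above. It is not code from the study guide; the Groups OU, the two group names and the share they protect are constructed under the guide's mydomain.com.

```powershell
# Added example (not from the study guide): create, nest, convert and
# enumerate groups with the ds* tools, then cross-check with the AD module.
$ou     = 'OU=Groups,DC=mydomain,DC=com'
$global = "CN=Sales-Staff,$ou"               # role group: holds user accounts
$dlocal = "CN=FS01-SalesShare-Modify,$ou"   # resource group: granted on the ACL

# A global security group and a domain local security group.
dsadd group $global -secgrp yes -scope g -desc "All sales staff (role group)"
dsadd group $dlocal -secgrp yes -scope l -desc "Modify on the FS01 Sales share (resource group)"

# Nesting: accounts -> global -> domain local -> permission on the resource.
dsmod group $dlocal -addmbr $global

# Conversions. Security <-> distribution is always allowed, but converting a
# security group to distribution drops it from effective ACL evaluation, so
# every permission granted to it silently stops applying.
dsmod group $global -secgrp no       # security -> distribution
dsmod group $global -secgrp yes      # back to security

# Scope changes follow the nesting rules: global -> universal is refused if
# the group is a member of another global group; universal -> global is
# refused if it contains universal groups. Sales-Staff is only a member of a
# domain local group and has no universal members, so both succeed.
dsmod group $global -scope u         # global -> universal
dsmod group $global -scope g         # universal -> global

# Enumerate: -members lists direct members, -expand follows nested groups so
# the accounts that actually receive the resource permission are visible.
dsget group $dlocal -members
dsget group $dlocal -members -expand

# Same view through the Active Directory module, with scope and category.
Import-Module ActiveDirectory
Get-ADGroup -Identity 'FS01-SalesShare-Modify' |
    Select-Object Name, GroupScope, GroupCategory
Get-ADGroupMember -Identity 'FS01-SalesShare-Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```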

Delegate the creation and management of Active Directory objects

With delegation of administration, the responsibility for specific AD administrative tasks is transferred to those who must perform the respective tasks only. Simply put, high-level administrators authorize the delegated lower-level staff administrators to perform specific administrative tasks. When you design your OU structure you should consider the factor of delegation.
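
A concrete delegation on one OU, scripted with dsacls so it can be reviewed and repeated, as an added example that is not from the guide. The Staff OU and the HelpDesk group are constructed under the guide's mydomain.com; the rights granted are the ones the Delegation of Control Wizard assigns for its "Reset user passwords and force password change at next logon" task.

```powershell
# Added example (not from the study guide): delegate password reset on one OU
# to a help-desk group, verify the ACEs, and show how to revoke them.
$ou  = 'OU=Staff,DC=mydomain,DC=com'
$grp = 'MYDOMAIN\HelpDesk'

# dsacls permission string: Trustee:Rights;ObjectType;InheritedObjectType
#   CA   = control access right (here "Reset Password")
#   RPWP = read property + write property (for the named attribute)
# ";user" limits the ACE to user objects; /I:S applies it to sub-objects of
# the OU rather than to the OU itself. Nothing here grants rights outside $ou.
dsacls $ou /I:S /G "${grp}:CA;Reset Password;user"
dsacls $ou /I:S /G "${grp}:RPWP;lockoutTime;user"
dsacls $ou /I:S /G "${grp}:RPWP;pwdLastSet;user"

# Verify: print only the ACL lines that mention the delegated group.
dsacls $ou | Select-String -Pattern 'HelpDesk'

# Members of HelpDesk can now run this against users under the OU, and nothing
# else (no group membership changes, no account creation):
#   dsmod user "CN=Alice Example,OU=Staff,DC=mydomain,DC=com" -pwd * -mustchpwd yes

# Revoke the delegation when the role is retired. /R removes every ACE for
# the trustee on the object, so re-run the /G lines if only part should go.
# dsacls $ou /R $grp
```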

Manage default Active Directory containers

Every domain contains a standard set of default containers created during AD installation. The domain container is the root container of the hierarchy. The Builtin container keeps the default service administrator accounts. The Users container keeps new user accounts and groups created for the domain. The Computers container keeps the new computer accounts created. The Domain Controllers OU provides a default location for the computer accounts of the domain controllers.

Note that there is no way to apply Group Policy settings to the default Users and Computers containers. You must first create new OUs, move the desired user and computer objects to the new OUs and then apply the desired group policy.

Create, copy, configure, and delete groups and OUs

You use the AD Users and Computers console or the new Active Directory Administrative Center (ADAC) UI to create new resources: AD users, printers, shares and OUs. You may also use net group to create a new group account, but group names are limited to 64 characters.

CHAPTER 6: CREATE AND MANAGE GROUP POLICY
6.1 CREATE GROUP POLICY OBJECTS (GPOS)

Configure a Central Store

Group Policy can be used to configure computer and user settings on networks based on the Active Directory Domain Services (AD DS). Although you can choose to configure Group Policy settings locally, it should be avoided, since domain-based Group Policy centralizes management while local policy does not.

The ADMX/ADML template files are for keeping administrative templates. In AD, these can be replicated across domain controllers. Rather than replicating them to the SYSVOL folder of every domain controller inside the domain individually (even though the GPOs are by default stored in the SYSVOL folder), creating a Central Store, which serves as a single file location that will be checked by the Group Policy tools, is considered best practice. This store can be created from a Windows Vista or later client computer.
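
Creating the Central Store and checking that it replicated, as an added example that is not from the study guide. mydomain.com is the guide's placeholder; the example assumes it is run from a Windows 8 or Windows Server 2012 machine with RSAT, so the local PolicyDefinitions folder holds the current template set.

```powershell
# Added example (not from the study guide): create the ADMX/ADML Central
# Store in SYSVOL and verify it is present on every domain controller.
Import-Module ActiveDirectory
$domain  = 'mydomain.com'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = "$env:SystemRoot\PolicyDefinitions"

# Create the folder once; SYSVOL replication (FRS or DFS-R) carries it to
# the other domain controllers.
if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# Copy the .admx files plus every language folder (for example en-US) with its
# .adml files. -Force overwrites older copies when the store is updated.
Copy-Item -Path "$local\*" -Destination $central -Recurse -Force

# Any .admx present locally but not in the store means the copy was incomplete.
$onlyLocal = Compare-Object `
    (Get-ChildItem -Path $local   -Filter *.admx | Select-Object -ExpandProperty Name) `
    (Get-ChildItem -Path $central -Filter *.admx | Select-Object -ExpandProperty Name) |
    Where-Object SideIndicator -eq '<='
if ($onlyLocal) {
    Write-Warning "Not in Central Store: $($onlyLocal.InputObject -join ', ')"
}

# Check each DC's own SYSVOL copy before assuming all administrators see the
# store. The Group Policy Management Editor shows "Policy definitions (ADMX
# files) retrieved from the central store" once it is found.
Get-ADDomainController -Filter * | ForEach-Object {
    $p = "\\$($_.HostName)\SYSVOL\$domain\Policies\PolicyDefinitions"
    [pscustomobject]@{ DC = $_.HostName; HasCentralStore = (Test-Path $p) }
}
```

Once the Central Store exists, the local PolicyDefinitions folder is ignored by the Group Policy tools, so a template that is missing from the store is missing for every administrator; update the store when a new Windows version or application template set is introduced.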

Manage starter GPOs

Starter Group Policy Objects derive from a GPO. These are used to store Administrative Template policy settings. Grouping these settings inside a single object makes imports and exports much easier. These are created and managed via the Group Policy Management Console UI. Selecting New GPO from the Starter GPO option allows these to be used as templates for GPO creation.

Configure GPO links

The settings of a GPO can be applied by adding a link to that GPO. Multiple GPO links can be added to a domain, site, or OU via the GPMC. If you want to apply policy settings based upon physical location only, add a link to the desired site. If the settings do not clearly correspond to any particular site, linking to an OU or a domain is considered best practice.

In order for a GPO to be applied to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions for that GPO. However, you cannot have a GPO linked directly to a user, a computer, or a security group.

Configure multiple local group policies

Multiple Local Group Policy (MLGP) is a collection of local GPOs. These objects include:

Local Computer Policy
Administrators Local Group Policy
Non-Administrators Local Group Policy
User-Specific Local Group Policy

They may be edited via the Group Policy Object Editor. Note that these are available only on computers that are not domain controllers.

Configure security filtering

Security filtering allows you to fine-tune which users and computers will receive and apply the settings of a GPO. Security filtering is used to apply the GPO to only some of the security principals within a container to which the GPO is linked. You may use the GPMC to add and remove groups, users, and computers that are to be used as security filters for a GPO.
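
Starter GPO, link and security filtering together, as one added example for "Manage starter GPOs", "Configure GPO links" and "Configure security filtering" above. It is not code from the guide and uses the GroupPolicy module that ships with 2012; the Workstations OU, the GPO names and the Hardened-Workstations group are constructed under the guide's mydomain.com.

```powershell
# Added example (not from the study guide): create a GPO from a starter GPO,
# link it to an OU, and replace the default Authenticated Users apply filter
# with a specific group.
Import-Module GroupPolicy
$ou = 'OU=Workstations,DC=mydomain,DC=com'

# Starter GPO: an Administrative Templates baseline that new GPOs are cloned from.
$starter = New-GPStarterGPO -Name 'Baseline-AdminTemplates' -Comment 'Constructed example baseline'

# New GPO seeded from the starter, then linked (enabled, first in order) to the OU.
$gpo = New-GPO -Name 'Workstation-Hardening' -StarterGpoName $starter.DisplayName
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes -Order 1

# Security filtering. A principal needs both Read and Apply Group Policy.
# Grant both to the intended group (GpoApply includes Read), then reduce
# Authenticated Users to Read only. Keep that Read: the computer account must
# still be able to read the GPO for user-side settings to be processed.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Hardened-Workstations' `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# What GPMC shows under Scope > Security Filtering and Delegation.
Get-GPPermission -Name $gpo.DisplayName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Every GPO linked to this OU, in precedence order (lowest Order wins last).
(Get-GPInheritance -Target $ou).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Because the GPO is linked to an OU, only objects under that OU are candidates; the filter then narrows those candidates to members of Hardened-Workstations. The link and the filter are independent, so removing the group from the filter without removing the link leaves a GPO that is linked but applies to nobody, which gpresult /r reports as "Filtering: Denied (Security)".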

6.2 CONFIGURE SECURITY POLICIES

Configure User Rights Assignment

User rights are for defining capabilities at the level of the local computer only. Technically they can be applied to individual user accounts, but should be administered on a group account basis. User rights assigned to a group are applied to all members within the group.

Configure Security Options settings

It is possible to use Dynamic Access Control (DAC) to dramatically reduce the complexity of amalgamated security groups. You may create central access policies for files to centrally deploy and manage authorization policies that include conditional expressions using a variety of criteria such as user claims, device claims, and resource properties.

The primary goal of Security Auditing, in the context of DAC, is regulatory compliance. This helps to establish the presence of such policies and also prove compliance or non-compliance with these standards. Staging allows you to verify proposed policy changes before enforcing them.

Configure Security templates

The Security Configuration Wizard is used to produce security policies using security templates that are in .inf format. This allows for prioritization of templates to ensure the correct settings take the proper precedence.

In AD, it is considered best practice to deploy security templates by importing them into a GPO. This is facilitated by first creating OUs for the computers that are to use the various specific security templates, then adding the computer accounts to the proper OU. Finally, the OU is linked to the desired GPO. To import a security template into a GPO, use the Group Policy Object Editor UI.
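
The .inf template life cycle from the command line with secedit, as an added example that is not from the study guide: export a reference machine's settings, compare another machine against them, and only then apply. The C:\SecTemplates paths are constructed; the log line patterns are the ones secedit writes in its analysis log.

```powershell
# Added example (not from the study guide): export, analyze and apply a
# security template with secedit. Run elevated.
$dir  = 'C:\SecTemplates'
$tmpl = "$dir\baseline.inf"
$db   = "$dir\baseline.sdb"
$log  = "$dir\analyze.log"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# On the reference server: capture account policy, audit policy, security
# options and user rights into the template. /areas limits which sections
# are written so unrelated settings (services, registry ACLs) are left out.
secedit /export /cfg $tmpl /areas SECURITYPOLICY USER_RIGHTS

# Sanity-check the template: a well-formed .inf has these bracketed sections.
Get-Content -Path $tmpl | Where-Object { $_ -match '^\[' }

# On the machine to check: load the template into a database and analyze.
# secedit prints nothing useful to the console; differences go to the log.
secedit /import  /db $db /cfg $tmpl /overwrite /quiet
secedit /analyze /db $db /log $log
Select-String -Path $log -Pattern 'Mismatch|Not Configured' | Select-Object -First 20

# Apply locally only after the mismatches have been reviewed:
#   secedit /configure /db $db /cfg $tmpl /log $log
# In a domain, import the same .inf into a GPO instead (Computer Configuration
# > Windows Settings > Security Settings, right-click > Import Policy) and link
# the GPO to the OU that holds those computers, as the section above describes.
```

Analyze against the same database later to detect drift: any setting that was changed by hand since the template was applied shows up as a Mismatch line without having to re-apply anything.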

Configure Audit Policy

There are many audit policy setting categories contained within Security Settings\Advanced Audit Policy Configuration. These are:

Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Global Object Access Auditing

Object Access policy settings are used to track attempts to access specific objects or types of objects on a network or computer. This allows for auditing attempts to access a file, directory, registry key, or any other object, such as files and folders within a shared folder. The appropriate Object Access auditing subcategory for success and/or failure events must be enabled, however.
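
The Object Access requirement stated above has two halves: the subcategory must be enabled and the object must carry a SACL. This added example (not code from the guide) does both with auditpol and the .NET audit-rule classes, and also shows the Global Object Access Auditing form. The D:\Finance folder is a constructed path; "--%" makes PowerShell hand the quoted subcategory names to auditpol unchanged.

```powershell
# Added example (not from the study guide): enable file-system auditing,
# put a SACL on a folder, and confirm events are recorded. Run elevated.

# Advanced audit policy subcategories take precedence over the nine legacy
# categories. Enable file and removable-storage access for both outcomes;
# Handle Manipulation is left off because it is extremely noisy.
auditpol --% /set /subcategory:"File System" /success:enable /failure:enable
auditpol --% /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol --% /set /subcategory:"Handle Manipulation" /success:disable /failure:disable

# Effective Object Access settings.
auditpol --% /get /category:"Object Access"

# The subcategory alone logs nothing: the object needs a SACL. Audit successful
# and failed modify/delete attempts by Everyone, inherited by everything below.
$folder = 'D:\Finance'
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Modify, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Global Object Access Auditing: one SACL applied to every file on the system
# without touching each object (the last entry in the category list above).
# Here: audit failed write attempts by anyone.
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FW

# Verify after a test access: 4663 = an attempt was made to access an object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Success auditing on a busy share produces a large volume of 4663 events; failure-only on most objects, with success reserved for the few folders whose reads must be accountable, keeps the Security log usable.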

Configure Local Users and Groups

Local users and groups can be managed through the Server Manager or the Task Manager. You can create, modify or remove users and groups as needed.

Configure User Account Control (UAC)

User Account Control (UAC) is a feature that limits the privileges of users by default. This can be overridden from a given user account session by using the Run as administrator option from a given context menu, and then supplying the admin credentials when prompted.

6.3 CONFIGURE APPLICATION RESTRICTION POLICIES

Configure rule enforcement

Software Restriction Policies rely on four types of rules to identify software. These are Hash, Certificate, Path and Zone. These policies do not prevent restricted processes that run under the name of the System account. Note that each type of rule has its benefits and drawbacks.

A rule may be Unrestricted or Disallowed. Software restriction policies can be applied to allow only a list of trusted applications or to specifically disallow those undesired applications or file types that should be prohibited. By default, there is no rule or policy applied.

Configure AppLocker rules

AppLocker can be used to configure Application Control Policies to block the execution of software as needed. You can have AppLocker rules associated with a specific user or group within an organization. No rules are in place by default. Default rules, if any, should NOT be used for production purposes. Unlike Software Restriction Policies, an AppLocker rule collection only functions as an allowed list of files, which means only those files that are listed will be allowed to run.
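
An AppLocker executable rule collection built from a reference installation, tested before it is enforced, as an added example that is not from the study guide. It uses the AppLocker module that ships with Windows Server 2012; the C:\AppLocker path, the MYDOMAIN\jdoe user and the two sample file paths are constructed. Because a collection is an allow list, rules are generated for the Windows folder too, instead of relying on the default rules the section above warns against.

```powershell
# Added example (not from the study guide): build, test and apply an AppLocker
# executable rule collection on the local computer. Run elevated.
Import-Module AppLocker
$policyXml = 'C:\AppLocker\exe-policy.xml'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Collect publisher, hash and path information for the binaries that are
# expected to run. Recursing C:\Windows takes a while on a full server.
$fileInfo = @()
foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    if (Test-Path $dir) {
        $fileInfo += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
}

# Publisher rules survive patching, so they come first; hash rules are the
# fallback for unsigned files. -Optimize merges rules that share a publisher.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Approved' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# Dry run: PolicyDecision is Allowed or Denied and MatchingRule names the rule
# that decided. A file matched by no rule is Denied, because the collection is
# an allow list; nothing is blocked on the machine by this step.
Test-AppLockerPolicy -XmlPolicy $policyXml -User 'MYDOMAIN\jdoe' `
    -Path 'C:\Users\jdoe\Downloads\tool.exe', 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally; -Merge keeps rules already present in other collections.
# In a domain, import the same XML into a GPO under Computer Configuration >
# Windows Settings > Security Settings > Application Control Policies.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Review decisions: 8004 = blocked; 8003 = would have been blocked (audit only).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running the collection in audit-only mode first (the enforcement mode setting on the collection) and reviewing the 8003 events for a few weeks catches legitimate software the reference installation did not contain before any user is blocked.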

Configure Software Restriction Policies

Software restriction policies can be dealt with via the Local Security Policy editor. Check the left pane and you will see them there. If you add policies through here, those inherited policies will be overridden. This is why you should add new policies through the Action menu instead.

6.4 CONFIGURE WINDOWS FIREWALL

Configure rules for multiple profiles using Group Policy

As a stateful host-based firewall, Windows Firewall can be configured via the Windows Firewall with Advanced Security interface or via the netsh advfirewall command. You may also access it via the Control Panel. However, configuration via the Control Panel is mostly for typical end-user tasks.

Configuration through Group Policy is possible. To do so, first determine the Group Policy settings in a test environment before formal deployment. Domain profile settings are used when computers are connected to a network that has domain controllers for the domain of which the computer is a member. On the other hand, standard profile settings are used when the network does not contain domain controllers.

Configure connection security rules

Firewall rules are used to allow server computers to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to allow the connection, allow a connection only if it is secured through IPsec, or block the connection entirely. Rules may be for either inbound traffic or outbound traffic and may specify the computers or users, program, service, port (all ports or specified ports), protocol (TCP vs UDP) and the type of network adapter involved.

Connection security rules define authentication using IPsec and enforce Network Access Protection (NAP) policy.

Configure Windows Firewall to allow or deny applications, scopes, ports, and users

The Windows services and third-party programs that require access should be determined initially and then allowed to communicate between different network locations. Inside the netsh advfirewall context there are several subcommands that allow changes, so you can view, create, and modify firewall rules. These include add, delete, set and show. The direction of traffic can be either in or out, while the available actions are allow, block or bypass.

Configure authenticated firewall exceptions

Authenticated bypass rules allow connections that bypass other inbound rules when the traffic is protected with IPsec. Block rules explicitly block particular types of traffic, and can be used to override a matching allow rule. If Windows Firewall is blocking a specific program that should be allowed to communicate, it should be added to the list of allowed programs (also called the exceptions list).

Import and export settings

Under Advanced settings, in the Action pane, you can choose to import or export your firewall policies. Also, from within the netsh advfirewall command prompt you can access these same import and export commands.
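
The netsh advfirewall operations covered by section 6.4 (profile-scoped allow and block rules, a connection security rule, an authenticated bypass rule, and export/import) in one added example that is not from the study guide. Rule names, the agent program path, the management subnet and the group SID in the bypass rule are constructed placeholders. "--%" tells PowerShell to pass the rest of the line to netsh verbatim so that netsh's own key="value" quoting is preserved.

```powershell
# Added example (not from the study guide): Windows Firewall with Advanced
# Security from the command line. Run elevated.

# Inbound allow for one service, limited to the domain profile and a management subnet.
netsh --% advfirewall firewall add rule name="RDP from mgmt subnet" dir=in action=allow protocol=TCP localport=3389 profile=domain remoteip=10.0.100.0/24

# An explicit block overrides a matching allow: stop one program from talking out.
netsh --% advfirewall firewall add rule name="Block legacy agent outbound" dir=out action=block program="C:\Program Files\LegacyAgent\agent.exe" enable=yes

# Connection security rule: require IPsec authentication for inbound traffic and
# request it for outbound, using the computer's Kerberos identity.
netsh --% advfirewall consec add rule name="Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# Authenticated bypass: IPsec-authenticated traffic from computers in the named
# group skips other inbound block rules. action=bypass requires
# security=authenticate (or authenc) and a remotecomputer or remoteuser SDDL
# string that names the permitted group; the SID below is a placeholder.
netsh --% advfirewall firewall add rule name="Scanner bypass" dir=in action=bypass security=authenticate remotecomputer="O:LSD:(A;;CC;;;S-1-5-21-PLACEHOLDER-GROUP-SID)" profile=domain

# Inspect what was created.
netsh --% advfirewall firewall show rule name="RDP from mgmt subnet"
netsh --% advfirewall consec show rule name="Domain isolation"

# Export every profile, rule and IPsec setting to a .wfw file, for backup or
# for import on another server or into a GPO through the Windows Firewall with
# Advanced Security node in GPMC. No spaces in the path, so no --% needed.
$export = "C:\Backup\firewall-$(Get-Date -Format yyyyMMdd).wfw"
New-Item -ItemType Directory -Path (Split-Path $export) -Force | Out-Null
netsh advfirewall export $export
# Restore later with: netsh advfirewall import C:\Backup\firewall-YYYYMMDD.wfw

# The same inbound rule through the NetSecurity module that ships with 2012.
Import-Module NetSecurity
New-NetFirewallRule -DisplayName 'RDP from mgmt subnet (PS)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -Profile Domain -RemoteAddress 10.0.100.0/24
Get-NetFirewallRule -Profile Domain -Enabled True |
    Select-Object DisplayName, Direction, Action
```

Import replaces the whole local policy with the file's contents, so export the current policy first; rules delivered by Group Policy are not touched by either command and continue to merge with the local ones.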
