Microsoft 70-410 General study notes
Exam 70-410: Installing and Configuring Server 2012 (R2)
Preamble and disclaimer
This post consists of a ton of material that I’ve collected during the study process for the Microsoft 70-410 exam (which I’ll be taking in early March, 2016). If you can see any required additions/omissions/corrections, send me an [email](mailto:[email protected]?subject=70-410 Feedback) and I’ll do my best to include them.
I make no guarantees that the information thrown together here is accurate or up to date! I’ll know soon enough when I start taking the exams, so don’t take anything as gospel.
Resources
- Official Microsoft 70-410 Website
- MS 70-410 eBook
Quizzes
PowerShell
Microsoft is continuously updating and utilising PowerShell for both desktop and server management. Solid PowerShell knowledge will likely be a big part of the MCSA exams, and I have very little PowerShell experience.
PowerShell commands (cmdlets) use a Verb-Noun naming convention. The verbs that are available can be found on the Microsoft website.
Get-Command lists all the commands available to you. A handy shortcut: to see which commands are available for a particular noun, use the -Noun argument:
Get-Command -Noun vhd
PowerShell can be used to manage:
- The registry
- Services
- Processes
- Event logs
- Windows Management Instrumentation (WMI)
Independent software vendors can build custom tools and utilities for PowerShell to administer their environments.
Overall, everything you see running in the background in PowerShell is an object of some type (class).
.NET Integration
.NET is a foundational aspect of the PowerShell environment.
PowerShell Backward Compatibility
- PowerShell 2.0 is backward compatible with 1.0
- PowerShell 3.0 and 4.0 are compatible with 2.0
You can change the version of PowerShell you’re working with using the command:
powershell -version x.0
When updating PowerShell check on any potential compatibility issues (4.0 should not be installed on an Exchange 2007 environment!)
PowerShell and security
PowerShell by default runs with the privileges of the logged-on user (no elevation).
You can open an administrative (elevated) PowerShell console with: Start-Process powershell -Verb RunAs
Installing PowerShell
PowerShell comes as part of the Microsoft Windows Management Framework (WMF) downloads: WMF 2.0 for PowerShell 2.0, WMF 3.0 for PowerShell 3.0, and so on. Additionally:
- Windows 7 and Server 2008 R2 come with PowerShell 2.0 (and can be installed on XP SP2, 2003 SP2 and Vista SP1)
- Windows 8 and Server 2012 come with PowerShell 3.0 (and can be installed on Windows 7 SP1, Server 2008 SP1 and Server 2008 R2 SP1)
- Windows 8.1 and Server 2012 R2 come with PowerShell 4.0 (and can be installed on Win 7 SP1, 2008 R2 and Server 2012)
- PowerShell 5.0 can be installed on Windows 8.1 and Server 2012 R2.
PowerShell 3.0 and 4.0 are the most commonly used PowerShell versions
Post PowerShell installation tasks
- Update PowerShell help information by running Update-Help at the PowerShell prompt. You may want to run this from time to time.
- By default you can run commands within the PS console but cannot run PowerShell scripts. You’ll need to set the execution policy: Set-ExecutionPolicy RemoteSigned
- PSRemoting may not be enabled on other machines you wish to run PS commands against. Run the Enable-PSRemoting cmdlet to enable this feature (Server 2012 machines have it enabled by default).
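The three post-install items above as one script, added here as an example (it is not from the original notes). It checks before it changes: the execution policy per scope, whether WinRM is already listening (via Test-WSMan), and only then calls Enable-PSRemoting. Run it from an elevated prompt; Set-ExecutionPolicy at LocalMachine scope and Update-Help both need it.

```powershell
# Added example, not from the original notes: audit-then-fix the post-install items.

# 1. Execution policy, per scope. The effective policy is the first non-Undefined
#    entry reading top to bottom (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
Get-ExecutionPolicy -List

# RemoteSigned: scripts written locally run; scripts downloaded from the internet
# must carry a valid signature. LocalMachine scope persists across sessions.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 2. Is the WinRM service already answering? Test-WSMan returns an identity object
#    on success and throws on failure, so use that as the probe.
try {
    $null = Test-WSMan -ComputerName localhost -ErrorAction Stop
    $remotingEnabled = $true
} catch {
    $remotingEnabled = $false
}

if (-not $remotingEnabled) {
    # Enable-PSRemoting starts WinRM, sets it to start automatically, registers the
    # default session configuration and adds the firewall exception.
    Enable-PSRemoting -Force
}

# 3. Refresh local help. -ErrorAction Continue so a module without online help
#    (common) reports the error but does not abort the rest of the update.
Update-Help -ErrorAction Continue
```

A common trap with the first step: Set-ExecutionPolicy reports success even when a Group Policy (MachinePolicy or UserPolicy scope) overrides it, so the -List view is the one to trust.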
Customizing the PowerShell console
Click on the PowerShell icon in the top-right of the window and select ‘Properties’.
PowerShell ISE
PowerShell Profiles
- AllUsersAllHosts: %windir%\System32\WindowsPowerShell\v1.0\profile.ps1
- AllUsersCurrentHost: %windir%\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
- CurrentUserAllHosts: %userprofile%\My Documents\WindowsPowerShell\profile.ps1
- CurrentUserCurrentHost: %userprofile%\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
Desired State Configuration (DSC)
Set-DscLocalConfigurationManager
Pipelining
PowerShell Providers (Location)
Get-PSDrive
- WSMan (wsman:)
- FileSystem (Default - c: <- function alias)
- Registry (HKLM:, and HKCU:)
- Aliases (alias:)
- Functions (function:)
- Environment (env:)
- Certificates (cert:)
Set-Location HKLM:
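Added example (not from the original notes) of the provider model in use: every provider answers to the same Item/ChildItem verbs, so a registry key, a certificate store or the environment can be read with the commands you already use for files. The registry path and the 30-day certificate window are just illustrative choices.

```powershell
# Added example, not from the original notes: one set of verbs across providers.

Get-PSDrive | Select-Object Name, Provider, Root        # what is mounted right now

# Registry: the machine-wide Run key, read like a directory listing. The key's
# values come back as properties of the returned object.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Certificates: machine certificates that expire within the next 30 days.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object Subject, NotAfter, Thumbprint

# Environment variables and aliases are drives too.
Get-ChildItem -Path Env:\   | Where-Object { $_.Name -like 'PS*' }
Get-ChildItem -Path Alias:\ | Where-Object { $_.Definition -eq 'Get-ChildItem' }

# Set-Location switches the current provider; relative paths then resolve against
# the registry until you change back to a file-system drive.
Set-Location -Path HKLM:\SOFTWARE
Get-ChildItem -Path .\Microsoft | Select-Object -First 5 Name
Set-Location -Path C:\
```

The Cert: drive is the quickest way to spot an expiring certificate on a host without opening the MMC snap-in, and the Run key listing is the same check you would make when looking for unexpected auto-start entries.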
Aliases
dir, ls -> Get-ChildItem; cd, chdir -> Set-Location
PowerShell Modules
Install and configure servers (15-20%)
Big changes around virtualisation and manageability. R2 is a minor update to 2012 which focused more on private cloud (virtualisation, storage and networking). A role is considered a primary feature of a server; a feature helps a server perform its primary role.
Server 2012 R2 Licensing has four options:
- Datacenter
- Standard
- Essentials (Smaller Companies - 25 Users)
- Foundation (OEM Only - 15 Users)
Datacenter has the same functionality as Standard; however, the DC edition allows an unlimited number of VMs, where Standard only allows two (2). Further, licensing is per two physical cores.
Roles (built in roles) that are not supported in Server Core 2012 R2:
- Federated Services
- Application Server
- Network Policy and Access Services
- Windows Deployment Services
Install Servers
In-Place Upgrades
In-place upgrade to Server 2012 R2 is supported from the following previous Windows versions:
- Server 2008 R2 Datacenter with SP1 -> 2012 R2 Datacenter
- Server 2008 R2 Enterprise with SP1 -> 2012 R2 Standard or Datacenter
- Server 2008 R2 Standard with SP1 -> 2012 R2 Standard or Datacenter
- Web Server 2008 R2 with SP1 -> 2012 R2 Standard
- Server 2012 Datacenter -> 2012 R2 Datacenter
- Server 2012 Standard -> 2012 R2 Standard or Datacenter
- Hyper-V Server 2012 -> 2012 Hyper-V R2
- Storage Server 2012 Standard -> 2012 Storage Server R2 Standard
- Storage Server 2012 Workgroup -> 2012 Storage Server R2 Workgroup
Activating Windows
Post Install Configuration Steps
- Setting the computer name: Rename-Computer -NewName "Example" -Restart, or netdom.exe renamecomputer %COMPUTERNAME% /NewName:NewComputerName /Reboot
- Joining the domain: Add-Computer -DomainName <domain> -Credential <domain\user> -Restart (add -ComputerName to join a remote machine), or netdom.exe join %COMPUTERNAME% /domain:<domain> /userd:<domain\user> /passwordd:*
- Leaving the domain: Remove-Computer
Features on Demand (@Todo)
Role Migration (@Todo)
References
Configure Servers
Configuration Levels
In Server 2012, the configuration level can be changed at any time after installation (and chosen during installation). Server Core is considered the default.
There are now four (4) different configuration levels available (from lowest to highest):
- Server-Core
- Server-GUI-Mgmt-Infra
- Server-GUI-Shell
- Desktop-Experience
Configuration levels can be changed through Server Manager, PowerShell and DISM, and require a restart.
Example: Changing configuration levels using PowerShell.
Open a PowerShell window and use the Install-WindowsFeature cmdlet to update the server’s configuration level:
Install-WindowsFeature Server-Gui-Mgmt-Infra
Install-WindowsFeature Server-Gui-Shell
Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart
Additionally, Install-WindowsFeature can use an XML file created by the Server Manager Add Roles and Features Wizard:
Install-WindowsFeature -ConfigurationFilePath <filepath>
You can also install a Windows role directly into an offline VHD file using the -Vhd argument to Install-WindowsFeature.
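Added example (not from the original notes): work out which configuration level a host is currently at from the feature install states, then step it towards Server Core with a dry run first. The template VHD path at the end is a placeholder.

```powershell
# Added example, not from the original notes: detect the level, then reduce it.
$gui = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell, Desktop-Experience
$installed = @($gui | Where-Object { $_.Installed } | ForEach-Object { $_.Name })

# Highest installed layer wins; nothing installed means Server Core.
$level = if ('Desktop-Experience' -in $installed)       { 'Desktop-Experience' }
         elseif ('Server-Gui-Shell' -in $installed)      { 'Server-GUI-Shell' }
         elseif ('Server-Gui-Mgmt-Infra' -in $installed) { 'Server-GUI-Mgmt-Infra' }
         else                                            { 'Server-Core' }
"Current configuration level: $level"

# Dry run: -WhatIf lists what would be removed (including dependent features)
# without touching the host.
Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -WhatIf

# -Remove also deletes the payload from the side-by-side store (Features on Demand),
# so a later reinstall needs -Source pointing at install media or a share.
# Uncomment once the host no longer needs a GUI:
# Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Remove -Restart

# The same cmdlet targets an offline disk, e.g. pre-installing IIS into a
# template VHDX (placeholder path):
# Install-WindowsFeature -Name Web-Server -Vhd 'D:\Templates\web.vhdx'
```

Fewer installed features means fewer binaries to patch and a smaller attack surface, which is the usual reason to run Server Core on anything that does not need a local console.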
Server Manager in 2012 has been updated to allow management of multiple servers. Remote management is enabled by default on Server 2012. If not, it can be enabled by running Configure-SMRemoting.exe -Enable.
If your infrastructure includes 2008 or 2008 R2 installations you can install the Windows Management Framework. PowerShell 3.0 will be available and these machines can be managed remotely using Server Manager.
If you want to manage your servers on a Windows desktop machine you can install the Remote Server Administration Tools (Windows 8+ only).
You could also remove these features by running the Remove-WindowsFeature cmdlet.
Since the installation will require a restart anyway, you can use the -Restart argument to restart immediately after installation.
Configure Networking Details
Using the netsh interface context
netsh interface ipv4 set address "Ethernet" static 192.168.1.1 255.255.255.0
netsh interface ipv4 set dnsservers "Ethernet" static 192.168.1.1 primary
Using PowerShell cmdlets
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.1 -DefaultGateway 192.168.1.254 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.1
Note: The first IP address in the DNS server list will be the primary address. You can remove the DNS settings from an interface completely (reverting it to DHCP-assigned servers) using the command:
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ResetServerAddresses
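The static configuration above written so it can be re-run, as an added example that is not part of the original notes. Interface name and addresses are placeholders. The point it makes is the failure mode you hit the second time you run the raw cmdlets: New-NetIPAddress errors if the address already exists, and -DefaultGateway errors if the interface already has a default route.

```powershell
# Added example, not from the original notes: idempotent static IPv4 + DNS setup.
$alias = 'Ethernet'   # placeholder; check Get-NetAdapter for the real name

# Clear any existing IPv4 address and default route on this interface first,
# otherwise New-NetIPAddress / -DefaultGateway fail with "already exists".
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Turn DHCP off on the interface, then assign the static address and gateway.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $alias -IPAddress 192.168.1.10 -PrefixLength 24 -DefaultGateway 192.168.1.254

# First server listed becomes the primary. -Validate asks the cmdlet to check the
# servers actually respond before committing the change.
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 192.168.1.1, 192.168.1.2 -Validate

# What the stack ended up with: address, gateway and DNS servers in one view.
Get-NetIPConfiguration -InterfaceAlias $alias
```

Doing the removal with -Confirm:$false is deliberate: without it Remove-NetIPAddress prompts, which stalls a script run over a remote session.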
Nic Teaming / LBFO
NIC Teams are used where high availability is required. A virtual machine network switch would usually use NIC teaming. In 2012, NIC teaming is native to Windows and supports up to 32 individual network cards in a team.
Note: While the Hyper-V host/hypervisor can support up to 32 NICs in an LBFO team, an individual VM will only support two NICs in a team. Shortcut: typing lbfoadmin at the command line brings up the NIC Teaming window.
New-NetLbfoTeam -Name "Name" -TeamMembers nic1,nic2 -TeamingMode SwitchIndependent   # -TeamingMode: Static, LACP or SwitchIndependent
Set-NetLbfoTeam -Name "Name" -TeamingMode Lacp   # same arguments as above, for an existing team
Microsoft’s recommended teaming mode is Switch Independent and Dynamic (new in 2012 R2).
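Added example (not from the original notes): build a team with the recommended mode and then confirm every member is actually carrying traffic, plus the host-side switch that a VM needs before its two vNICs can be teamed. Adapter, team and VM names are placeholders.

```powershell
# Added example, not from the original notes: create, verify, and allow in-VM teaming.
$members = 'NIC1', 'NIC2'   # placeholder adapter names; see Get-NetAdapter

New-NetLbfoTeam -Name 'Team1' -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# A member showing Failed or Disconnected silently reduces the team to a single
# NIC, which is exactly the single point of failure the team was meant to remove.
Get-NetLbfoTeamMember -Team 'Team1' |
    Select-Object Name, AdministrativeMode, OperationalStatus

# Inside a VM (two vNICs max) teaming must be allowed per virtual adapter from
# the host side first; run this on the Hyper-V host.
Set-VMNetworkAdapter -VMName 'VM1' -AllowTeaming On
```

Switch Independent needs nothing configured on the physical switch, which is why it is the default recommendation; LACP and Static both require matching port-channel configuration on the switch side, and a mismatch there shows up as members stuck in a non-Active state in the output above.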
Delegate Administration (@Todo)
Working with Offline Images (@Todo)
PowerShell Desired State Configuration
PowerShell DSC is Microsoft’s answer to the general trend towards infrastructure as code. Rather than configuring server roles, features, files etc. manually when provisioning (or updating existing) servers, the administrator can define various resources. For example, WindowsFeature (e.g. IIS) or File (e.g. a file or folder). These resources are coded as a PowerShell function (a Configuration block) which is then compiled to a .mof file.
Once this policy has been applied to a machine, a local service will regularly (depending on the configuration) check the machine against this policy. The policy can be enforced, or the local DSC service will
This configuration can be either a Push or Pull configuration.
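A push-mode DSC configuration using the two resource types named above, compiled to .mof and applied locally, as an added example that is not part of the original notes. Output path, the page content and the 30-minute consistency interval are assumptions; the Local Configuration Manager block is what Set-DscLocalConfigurationManager (mentioned earlier) consumes.

```powershell
# Added example, not from the original notes: declare -> compile -> apply -> verify.
Configuration WebServerBaseline {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        File DefaultPage {
            DestinationPath = 'C:\inetpub\wwwroot\default.htm'   # assumed path
            Contents        = '<h1>Managed by DSC</h1>'
            Type            = 'File'
            Ensure          = 'Present'
            DependsOn       = '[WindowsFeature]IIS'              # order: feature before file
        }
        # LCM settings compile to a separate <node>.meta.mof. ApplyAndAutoCorrect
        # re-applies the policy whenever the periodic check finds drift.
        LocalConfigurationManager {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

$out = 'C:\DSC\WebServerBaseline'                    # assumed output folder
WebServerBaseline -NodeName 'localhost' -OutputPath $out   # writes localhost.mof + localhost.meta.mof

Set-DscLocalConfigurationManager -Path $out -Verbose   # apply the LCM settings first
Start-DscConfiguration -Path $out -Wait -Verbose       # push the configuration
Test-DscConfiguration                                  # True once the node matches the policy
```

ApplyAndMonitor is the other useful ConfigurationMode: it logs drift without correcting it, which is what you want while still deciding whether a manual change on a box was legitimate. For a Pull setup the RefreshMode becomes Pull and the LCM is pointed at a pull server instead of having Start-DscConfiguration push the .mof to it.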
Push vs Pull
References
Configure Local Storage
Storage Spaces
Create a new Storage Pool
Storage Spaces uses a specific underlying operating system storage subsystem. The name can change depending on the operating system. You can use Get-StorageSubSystem to find the appropriate name on your OS. You’ll use this name when creating a new Storage Spaces storage pool.
@Todo: Image of the Get-StorageSubSystem result in Windows 10 and Windows Server 2012 R2.
$disks = (Get-PhysicalDisk -CanPool $true)
New-StoragePool -FriendlyName "Pool1" -StorageSubsystemFriendlyName "Storage Spaces*" -PhysicalDisks $disks
Note: The asterisk is required as the name of the subsystem is unique to each machine, e.g. "Storage Spaces on COMPUTERNAME".
Storage Layouts
Data can be made resilient in three different modes. Simple (no resiliency), Mirror and Parity. These are somewhat analogous to traditional RAID levels 0, 1 and 5 respectively. However, Mirror and Parity can be made resilient to more than one disk failure. Further, performance can be adjusted by adjusting the number of disks a stripe of data is replicated across (think RAID 1+0 etc…). Stripes of data will be split across the number of columns chosen for either Mirror or Parity redundancy.
Simple
- Requires at least 1 physical disk.
- No fault tolerance.
- Data will be striped across disks (great performance).
Mirror
- Requires at least 2 physical disks.
- Great read/good write performance.
- Requires 2 disks for single drive failure tolerance and 5 disks for 2 drive failure tolerance.
Parity
- Requires at least 3 disks.
- Parity data is striped across disks.
- Requires 3 disks for single drive failure tolerance and 7 disks for 2 drive failure tolerance.
Columns
Each storage layout contains a certain number of columns. Columns are the logical unit onto which stripes of data are written. If I have a 512 KB block of data to write to the disk system and I have two columns, then 256 KB will be written to the first column and 256 KB to the second column.
Each column will contain one or more disks.
In a Simple storage layout the number of columns matches the number of disks and cannot (and need not) be adjusted. In Mirror and Parity layouts there is some configurability as to how many columns to use. Using Server Manager to create a new virtual disk will by default use the largest number of columns possible.
Columns to disk ratio
- Two-Way Mirror -> 1:2
- Three-Way Mirror -> 1:3
- Single Parity -> 1:1
- Dual Parity -> 1:1
Example - Critical Data Storage with Fast Access
We need to create a virtual disk that can survive the failure of two disks but also requires fast read and write performance (perhaps this is for an important SQL database). Our enclosure contains 20 10k rpm HDDs.
Best practice recommends using a number of columns 1 less than maximum to allow enough disk space to automatically re-build following the loss of a drive.
Parity layout gives us more usable storage space, and can survive the failure of two disks with a Dual Parity configuration; however, the write performance is generally poor. So in this case, we’ll use a Three-Way Mirror storage layout. A three-way mirror requires 3 disks per column. With 20 disks that leaves a maximum of 6 columns (6 * 3 = 18).
Note: Storage Spaces allows the use of a dedicated journaling disk to significantly improve the performance of Parity Storage spaces (hint: you would use an SSD).
New-VirtualDisk -StoragePoolFriendlyName NameOfStoragePool -FriendlyName BusinessCritical -ResiliencySettingName Mirror -PhysicalDiskRedundancy 2 -NumberOfColumns 5
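The worked example above carried end to end, as an added example (not from the original notes): pool, virtual disk, partition and volume, with the column count derived from the number of poolable disks rather than typed in, so the same script gives 5 columns for 20 disks and scales for other enclosure sizes. Pool and disk names are placeholders and the volume is formatted ReFS; both are my choices, not the notes’.

```powershell
# Added example, not from the original notes: three-way mirror with one spare column.
$poolName = 'Pool1'              # placeholder
$vdName   = 'BusinessCritical'   # placeholder
$copies   = 3                    # three-way mirror: every stripe is written to 3 disks

$disks = @(Get-PhysicalDisk -CanPool $true)
if ($disks.Count -lt 5) {
    throw "A three-way mirror needs at least 5 poolable disks; found $($disks.Count)."
}

New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName 'Storage Spaces*' `
    -PhysicalDisks $disks | Out-Null

# Max columns = floor(disks / copies). Hold one column back so a failed disk can
# be rebuilt into free pool space instead of waiting for a replacement.
$maxColumns = [math]::Floor($disks.Count / $copies)
$columns    = [math]::Max(1, $maxColumns - 1)

# PhysicalDiskRedundancy is "disks that may fail", i.e. copies - 1.
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
    -ResiliencySettingName Mirror -PhysicalDiskRedundancy ($copies - 1) `
    -NumberOfColumns $columns -ProvisioningType Fixed -UseMaximumSize | Out-Null

# Bring the new virtual disk online as a GPT disk with a single volume.
$disk = Get-VirtualDisk -FriendlyName $vdName | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel $vdName -Confirm:$false | Out-Null

# Verify the layout that was actually created matches what was asked for.
Get-VirtualDisk -FriendlyName $vdName |
    Select-Object FriendlyName, ResiliencySettingName, PhysicalDiskRedundancy,
                  NumberOfColumns, HealthStatus, OperationalStatus
```

The final Select-Object is worth keeping in any provisioning script: a virtual disk that silently came up with fewer columns than intended (because the pool had fewer usable disks than you assumed) looks identical from the file-system side but performs very differently.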
References
Basic vs. Dynamic Disks
MBR vs GPT Disks
Volume Management
VHD and VHDX Management
Storage and Disk Pools with Disk Enclosures
References
Configure server roles and features (15-20%)
Configure File and Share Access
- Create and Configure Shares
- Configure Share Permissions
- Configure Offline Files
- Configure NTFS Permissions
- Configure ABE (Access Based Enumeration)
- Configure VSS (Volume Shadow Copy Service)
- Configure NTFS Quotas
- Create and Configure Work Folders
References
Configure Print and Document Services
- Easy Print Driver
- Enterprise Print Management
- Drivers
- Printer Pooling
- Print Priorities
- Printer Permissions
Printing
Migrating Printers
- printbrm tool.
References
Configure Servers for Remote Management
- Configure WinRM
- Down-level server management
- Multi-server Management
- Configure Server Code
- Configure Firewall
- Manage non-domain joined servers.
References
Preparation Resources
- File Server Resiliency with ReFS
- Using 2012 Server Manager for Remote and Multi-Server Management
Configure Hyper-V (15-20%)
Hyper-V is a Type 1 hypervisor: it runs on the bare metal of the server. When the Hyper-V role is installed and the server is restarted, Windows Server itself essentially runs on top of the Hyper-V hypervisor.
Came out as a post RTM update to Windows Server 2008.
Server 2008
- Limited to 4 vCPUs and 64GB of RAM per VM
- Limited to 2TB VHD Size
- Quick Migration (Pausing the VM)
- Iterative VSS Backup
- Snapshots
- Passthrough Storage
Server 2008 R2
- Live Migration (Running VM - no pauses)
- Clustered Shared Volumes
- Processor compatibility mode
- Hot-add SCSI storage
- Jumbo Frames and VMQ (Virtual Machine Queues)
- NIC teaming allowed (NIC vendor only, but supported)
- SLAT support
Server 2008 R2 SP1
Server 2012
- 64 vCPU and 1TB RAM per VM
- NUMA support
- 64TB VHDX
- 64-node clusters
- SMB 3.0 support
- Storage Migration
- Shared-nothing live migration.
- Hyper-V Replica
- Virtual Fibre Channel
- Network Virtualisation
- VMQ and SR-IOV
- Hyper-V Extensible Switch
- Improved Dynamic Memory (Minimum Memory)
- Resource Metering
- First Class Linux Support
Server 2012 R2
- Generation 2 VM (UEFI)
- Dynamic SCSI VHDX resize
- Shared VHDX on CSV/SoFS
- Storage metering / QoS
- Live migration compression / SMB
- Hyper-V replica granularity & extended (multiple replicas)
- Network virtualisation Gateway
- Live VM/checkpoint export
- vRSS (Virtual receive side scaling)
- Automatic VM activation (AVMA)
- More Linux features
References
- John Savill YouTube History of Hyper-V Features
Create and Configure Virtual Machine Settings
Dynamic Memory (@Todo)
Smart Paging (@Todo)
VM Resource Metering
Introduced in Hyper-V for Windows Server 2012, resource metering allows tracking of resource usage at the VM level.
Get-VM "VM Name" | Enable-VMResourceMetering
Measure-VM -VMName "VM Name" | Format-List
Get-VMMemory only gets the configured memory settings for the host server, not the actual usage of running virtual machines.
Guest Integration Services
Generation 1 vs Generation 2 Virtual Machines
Introduced in Server 2012 R2, Hyper-V supports Generation 2 virtual machines. The generation of a VM determines which hardware and features are presented to the guest operating system.
Generation 2
- PXE boot with a standard network adapter.
- Boot from SCSI virtual HDD.
- Boot from SCSI virtual DVD.
- Secure Boot (enabled by default).
- UEFI firmware support.
Generation 2 virtual machines support only Windows version 6.2 (64bit only) and higher.
- Windows 8 (64bit), Server 2012 (6.2)
- Windows 8.1 (64bit), Server 2012 R2.
- Windows 10, Server 2016 (When it’s released).
Note: Linux VMs will not boot unless secure boot is disabled.
References
- TechNet Generation 2 Virtual Machine Overview
- John Savill Generation 1 vs Generation 2 VMs
Virtual Machine Connection Enhanced Session Mode
Enhanced session mode allows the sharing of more data between the client and the guest virtual machine. Such as:
- Clipboard content (Copy and Paste)
- Audio
- Drives
- Printers
- Smart cards and USB devices
- Display configuration
These features are only available when the Hyper-V host is Server 2012 R2 and the guest OS is Windows 8.1 Professional/Enterprise or Server 2012 R2.
Enhanced session mode is disabled by default, to enable:
- Enable Enhanced Session Mode Policy on the Hyper-V Host
- Enable Enhanced Session Mode on the Hyper-V Host
- Restart the Hyper-V Service
For each host
- Enable guest services
- Ensure Remote Desktop Services is running/enabled.
References
- Virtualization Admin Using VMConnect
Configuring RemoteFX
References
Create and Configure Virtual Machine Storage
VHD and VHDX Disks
The VHDX virtual disk format was introduced with Server 2012.
- Support for storage capacities up to 64TB.
- Protection against corruption during power failures.
- Improved alignment on newer, large sector, disks (4KB vs. 512B with the older VHD format).
- TRIM compatibility (on Physically connected disks only)
PowerShell
New-VHD -Path C:\VHDs\Example.vhdx -SizeBytes 40GB -PhysicalSectorSizeBytes 4096   # example values; the physical sector size must be 512 or 4096
References
- TechNet Virtual Hard Disk Formats
- TechNet Network Virtualisation Overview
Differencing Drives
Pass-Through Disks
Checkpoints
Virtual Fibre Channel Adapters
Storage Quality of Service
References
Create and Configure Virtual Networks
Hyper-V Virtual Switches
Optimise Network Performance
Configure MAC Addresses
Network Isolation
Synthetic and Legacy Network Adapters
NIC Teaming in Virtual Machines
Hyper-V Networking
Hyper-V supports virtual subnetting on a per-VM-network-adapter basis. Virtual subnet IDs can range from 4096 to 16777215. Setting the Virtual Subnet ID to 0 disables the virtual subnetting feature.
Set-VMNetworkAdapter -VMName "VM Name" -VirtualSubnetId 0
Virtual machines only support two (2) virtual network adapters used in a team. You can add more, but only two are supported.
Metering network connections to a specific subnet.
Get-VMNetworkAdapter -VMName Redmond | Add-VMNetworkAdapterAcl -RemoteIPAddress 192.168.0.0/16 -Direction Outbound -Action Meter
References
Deploy and configure core network services (15-20%)
Configure IPv4 and IPv6 Networking
IPv4
Subnetting
IPv6
Prefixes:
- 2000/3000 - Global unicast address space (publicly addressable).
- FE80 - Link Local prefix. Reserved for single (non-public) broadcast domains.
Autoconfiguration
In IPv4 land, IP addresses are typically configured through a DHCP server. The DHCP server provides IP addresses as well as other subnet-specific options, such as the address(es) of the DNS servers, the gateway (router) and Windows Deployment Services (network booting).
In IPv6 land, IP addresses are typically automatically configured. When IPv6 is enabled on an interface, it will (attempt to) create multiple IPv6 addresses.
The first is an EUI-64 generated Link-Local address. This address is broadcast-domain scoped (it’s a Link-Local address), so routers will not forward it beyond the subnet.
This address is created by taking the interface’s MAC address, flipping the 7th bit (don’t ask me why!) and putting FFFE right bang in the middle of the MAC address, then using the result (a 64-bit value) as the host ID in the FE80:: network.
For example, given the MAC address 68:C2:D4:99:B9:E6, the resultant EUI-64 host ID will be 6AC2:D4FF:FE99:B9E6.
Putting the FE80:: network address at the beginning gives the full link-local address: FE80::6AC2:D4FF:FE99:B9E6/64.
Note the ::, which stands in for a run of zeros in the address. The full address is FE80:0000:0000:0000:6AC2:D4FF:FE99:B9E6/64.
In addition, if your network supports it, devices may attempt to generate a stateless autoconfiguration IPv6 address (see below).
Broadcast Groups
In an IPv4 network, you have the notion of a network broadcast. This is restricted to the subnet and was used by processes such as ARP requests to try and find the hardware address from an IP address.
IPv6 no longer has a notion of a broadcast address. On network connection, the interface on the device will automatically join at least the all-devices multicast group and an additional multicast group that corresponds to the last 24 bits of its MAC address.
For example, given the same MAC address as above (68:C2:D4:99:B9:E6), the machine will be a member of the FF02::1 multicast group (all devices) and the FF02::1:FF99:B9E6 multicast group.
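The two derivations above (EUI-64 link-local address, and the solicited-node multicast group) as working code, added here as an example that is not part of the original notes. It uses the notes’ own sample MAC as input; the function names are mine. It generalises slightly: it accepts colon- or hyphen-separated MACs and rejects anything that is not 48 bits.

```powershell
# Added example, not from the original notes: MAC -> EUI-64 link-local and solicited-node.

function Get-MacOctets {
    param([Parameter(Mandatory)][string]$MacAddress)
    $octets = @($MacAddress -split '[:\-]' | ForEach-Object { [Convert]::ToInt32($_, 16) })
    if ($octets.Count -ne 6) { throw "Expected a 48-bit MAC address, got '$MacAddress'" }
    return $octets
}

function ConvertTo-Eui64LinkLocal {
    param([Parameter(Mandatory)][string]$MacAddress)
    $o = Get-MacOctets -MacAddress $MacAddress
    # Bit 7 of the first octet (value 0x02) is the universal/local flag; EUI-64 inverts it.
    $o[0] = $o[0] -bxor 0x02
    # FF FE goes between the OUI (first 3 octets) and the device part (last 3).
    $bytes  = @($o[0..2]) + @(0xFF, 0xFE) + @($o[3..5])
    $groups = for ($i = 0; $i -lt 8; $i += 2) { '{0:X2}{1:X2}' -f $bytes[$i], $bytes[$i + 1] }
    $interfaceId = $groups -join ':'     # groups are left zero-padded, not compressed
    [pscustomobject]@{
        MacAddress  = $MacAddress
        InterfaceId = $interfaceId
        LinkLocal   = "FE80::$interfaceId/64"
    }
}

function Get-SolicitedNodeAddress {
    param([Parameter(Mandatory)][string]$MacAddress)
    $o = Get-MacOctets -MacAddress $MacAddress
    # FF02::1:FF00:0/104 plus the low 24 bits of the address. For an EUI-64 address
    # those 24 bits are exactly the last three MAC octets (the U/L flip does not touch them).
    'FF02::1:FF{0:X2}:{1:X2}{2:X2}' -f $o[3], $o[4], $o[5]
}

# Sample input from the notes above.
ConvertTo-Eui64LinkLocal -MacAddress '68:C2:D4:99:B9:E6'
Get-SolicitedNodeAddress -MacAddress '68:C2:D4:99:B9:E6'
```

Run against the notes’ MAC it reproduces the 6AC2:D4FF:FE99:B9E6 interface ID, the FE80::6AC2:D4FF:FE99:B9E6/64 address and the FF02::1:FF99:B9E6 group. One caveat when comparing with a real Windows host: since Vista, Windows randomises IPv6 interface identifiers by default, so the link-local address shown by Get-NetIPAddress -AddressFamily IPv6 will usually not be the EUI-64 form unless that has been turned off with netsh interface ipv6 set global randomizeidentifiers=disabled.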
Stateless Autoconfiguration
Devices can also attempt to discover the network they are located on and automatically generate an appropriate address for the network. On connection to the network, the interface will send out a Router Solicitation message to the FF02::2 multicast group (Routers are configured to be a part of this group automatically). If found, a router will respond with a Router Advertisement message. This message will contain the networks prefix and whether or not other options are available from the router (I’ll get to this in a second).
Further, the interface will by default set its gateway address to the router that responded to the Router Solicitation message.
From the network prefix provided by the router, the interface will attempt to generate a unique host ID, and will then send out a neighbor discovery to find out if any other devices have already taken the generated host address.
If the Router Advertisement message included the O (“other configuration” options) flag, then an additional DHCPv6 message will be sent to the router, which may respond with additional important network options (DNS servers, etc.).
References:
Configure ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
Configure Teredo
References
- IPv6 Addressing At-A-Glance
- Best Current Operational Practices on IPv6 Subnetting
- [Intra-Site Automatic Tunnel Ad]
Deploy and Configure DHCP
Reservations and Options
Client/Server PXE Boot
DHCP Relay Agent
Authorising a DHCP Server
References
Deploy and Configure DNS
Configure AD Integration of Primary Zones
Configure Forwarders
Configure Root Hints
Manage DNS Cache
Create A/AAAA and PTR Records.
IPv6 AAAA records (quad-A records) translate a domain name into an IPv6 address. A records translate a DNS domain name to an IPv4 address. Cache.dns contains the designated root hints for the DNS server.
ISATAP
For hosts to resolve address without the FQDN (i.e. only from the base hostname), the DNS server should be set to have a new Primary Zone called GlobalNames. It’s recommended it be AD integrated.
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Domain
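Added example (not from the original notes): creating the zone is only half the job. GlobalNames support must also be switched on for each DNS server, and the zone is populated with CNAME records pointing at existing FQDNs rather than with A records. The names are placeholders; I have used forest-wide replication here so every DNS server in the forest holds the zone.

```powershell
# Added example, not from the original notes: GlobalNames zone end to end.
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Forest

# Without this the zone exists but is never consulted. Run on each DNS server
# (or pass -ComputerName).
Set-DnsServerGlobalNameZone -Enable $true
Get-DnsServerGlobalNameZone | Select-Object Enable, GlobalOverLocal, AlwaysQueryServer

# One single-label name -> an existing FQDN (placeholders).
Add-DnsServerResourceRecordCName -ZoneName GlobalNames -Name intranet `
    -HostNameAlias 'web01.corp.example.com'

# A client asks for the bare label; the server answers from GlobalNames when the
# name is not found in the zone it was actually queried for.
Resolve-DnsName -Name intranet -Type CNAME
```

GlobalNames is a static zone by design: dynamic updates are not accepted, which is what makes it safe to use for a handful of well-known names and unsuitable as a general WINS replacement.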
References
Network Load Balancer
Reference: http://myitforum.com/myitforumwp/2012/08/16/how-to-configure-an-nlb-in-hyper-v-part-1/
Install and administer Active Directory (15-20%)
Install Domain Controllers
- Add/Remove Domain Controllers
- Upgrade Domain Controllers
- Install ADDS (Active Directory Domain Services)
- Install Domain Controllers from IFM (Install from Media)
- Resolve DNS SRV record integration issues
- Configure a GC (Global Catalog) server
- Deploy AD Infrastructure as a Service (IAAS) in Microsoft Azure
Create and manage Active Directory users and computers
- Automate the creation of accounts
- Create/Copy/Configure and Delete Users and Computers
- Configure Templates
- Perform bulk AD operations
- Configure User rights
Offline joining a workstation
Supported from the Server 2008 R2 domain functional level.
djoin.exe: machines running Windows 7, Server 2008 R2, Windows 8, Server 2012 or Server 2012 R2 only.
djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos
Manage inactive and disabled accounts
Create and manage Active Directory groups and OUs
- Group nesting
- Converting groups between security, distribution, universal, domain local and domain global
- Group members using Group Policy
- Enumerate group membership
- Delegate creation/management of AD objects.
- Manage default AD containers
- Create/Copy/Configure and Delete groups and OUs
Domain Controllers
FSMO Roles
Global Catalog Role
A global catalog server lets you search the entire AD DS forest (for a sub set of AD information) without requests to the domain controller in the domain that stores the target of your search.
To promote a domain controller to a global catalog server for the forest, you can use either Active Directory Sites and Services or the Set-ADObject command:
Set-ADObject "CN=NTDS Settings,CN=Server-Name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace @{options='1'}
Replacing options='1' with options='0' will disable the global catalog role for that domain controller.
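Added example (not from the original notes) that does the same thing without hand-building the distinguished name, and treats options as the bit field it is. The DC name is a placeholder.

```powershell
# Added example, not from the original notes: toggle the GC bit on NTDS Settings.
Import-Module ActiveDirectory

$dc   = Get-ADDomainController -Identity 'DC01'                       # placeholder name
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options

# options is a bit mask; 0x1 = "is a global catalog". Using -bor / -band leaves
# any other bits in place instead of overwriting the whole value with 1 or 0.
$enableGc   = $true
$newOptions = if ($enableGc) { ([int]$ntds.options) -bor 0x1 }
              else           { ([int]$ntds.options) -band (-bnot 0x1) }
Set-ADObject -Identity $ntds -Replace @{ options = $newOptions }

# Confirm, and see which DCs in the forest currently hold the role.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
```

Get-ADDomainController exposes the NTDS Settings DN as the NTDSSettingsObjectDN property, so the site and server container names never have to be typed by hand. The role change takes effect after the DC has finished replicating in the partial attribute set, so IsGlobalCatalog may lag behind the attribute write.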
References
References
Create and manage group policy (15-20%)
PowerShell Commands
Get-Command -Noun GP*
- New-GPLink
- Set-GPLink
- New-GPO
- New-GPStarterGPO
- Restore-GPO
- Copy-GPO
- Export-GPO
- Import-GPO
- Backup-GPO
Supported from Server 2008 and allows
Create GPOs (Group Policy Objects)
Central Store
Starter GPOs
GPO Links
Multiple Local Group Policies
Configure Security Policies
User Rights Assignment
Security Options Settings
Security Templates
Auditing
- @Todo: Auditing file system access
- @Todo: Auditing system changes (time?)
- @Todo: Auditing AD and GP Access
References
TechNet How to implement the central store for GP Admin Templates
Local Users and Groups
User Account Control (UAC)
Configure Application Restriction Policies
Rule Enforcement
Software Restriction Policies
SRP configuration can be found in a GPO under Windows Settings\Security Settings, as either a user or computer policy.
When you enable Software Restriction Policies on a GPO, two folders are created:
- Security Levels -> The default behaviour before additional rules are considered.
- Additional Rules
Security Levels
- Unrestricted: all applications can run except those specified.
- Disallowed: no applications can run except those specified.
- Basic User: prevents applications from running that require administrator access (think UAC prompt). All other applications are allowed.
(Additional) Rules
- Hash
- Certificate
- Path
- Network Zone (Network Zone rules apply only to Windows Installer packages)
AppLocker Rules
AppLocker can be considered an updated version of Software Restriction Policies. It is available only on Windows 7 and Server 2008 R2 onwards.
Note: To use AppLocker, the Application Identity service must be running. This service is set to Manual by default.
Configure Windows Firewall
Rules for Multiple Profiles using Group Policy
Configure Connection Security Rules
Configure Windows Firewall
Configure Windows Firewall to allow or deny applications, scopes, ports and users
Configure Authenticated Firewall Exceptions
Import and Export Settings
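The rule shapes that list names (program, scope, port, profile, authenticated exception, import/export and writing rules into a GPO) as an added example using the NetSecurity cmdlets; it is not from the original notes. Addresses, program paths and the GPO name are placeholders.

```powershell
# Added example, not from the original notes: one rule per shape the list names.

# Port + scope + profile: RDP only from the management subnet, Domain profile only.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.10.0.0/24 -Profile Domain -Action Allow

# Program rule: allow one binary rather than a port, so nothing else can reuse the port.
New-NetFirewallRule -DisplayName 'Backup agent inbound' -Direction Inbound `
    -Program 'C:\Program Files\BackupAgent\agent.exe' -Action Allow

# Authenticated exception: a connection security rule requires IPsec on 445 (default
# computer Kerberos authentication), and the firewall rule only matches authenticated peers.
New-NetIPsecRule -DisplayName 'Require IPsec for SMB' -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Request
New-NetFirewallRule -DisplayName 'SMB authenticated only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Authentication Required -Action Allow

# Explicit block rules win over allow rules: deny a program outbound.
New-NetFirewallRule -DisplayName 'Block legacy tool outbound' -Direction Outbound `
    -Program 'C:\Tools\legacy.exe' -Action Block

# Same rule written into a GPO instead of the local store (placeholder GPO name).
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.10.0.0/24 -Profile Domain -Action Allow `
    -PolicyStore 'corp.example.com\Server Firewall Baseline'

# Review what a rule resolved to: scope and port live on separate filter objects.
Get-NetFirewallRule -DisplayName 'RDP from management subnet' -PolicyStore PersistentStore |
    Get-NetFirewallAddressFilter

# Export / import the whole local policy.
netsh advfirewall export 'C:\Backup\firewall.wfw'
netsh advfirewall import 'C:\Backup\firewall.wfw'
```

The -PolicyStore form is what the “rules for multiple profiles using Group Policy” objective is really about: the rule is authored once in the GPO and every machine in scope merges it with its local rules, which an import on a single host never does.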
References
To Go Over
DHCP and Complex Configuration
- Policies to restrict DHCP scope based on type of machine (VM’s only, or other types of machines).
Certificate and Cert Services
Work Folders
Domains and Trusts
- Group types and PowerShell/Cmd utilities and arguments
- Set-ADGroup (To change group type to universal for example if it needs to contain user or computer accounts from a different domain in the forest)
- Dsmod can also be used.
FlashCards
netsh (used a lot)
netsh firewall <- is deprecated; use netsh advfirewall.
Important Ports
- 3389 - Remote Desktop
- 1723 - PPTP VPN Access
- 80 - Web Traffic
- 443 - HTTPS Web Traffic
- 110 - POP Email
- 25 - SMTP Email
PowerShell
Firewall Configuration
Measuring Performance
AppLocker
Essentially an updated version of Software Restriction Policies. AppLocker policies can only be applied to machines running Windows 7 and Server 2008 R2 onwards.
AppLocker policies are a computer based GPO, found at the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker container.
AppLocker requires the Application Identity Service to be running, which is set to manual by default on machines.
- @Todo: Local policies
You can merge AppLocker policies using the Set-AppLockerPolicy PowerShell cmdlet.
References:
- TechNet Merge AppLocker Policies
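Added example (not from the original notes) covering both AppLocker passages on this page: start the Application Identity service, build an allow-list from what is already installed, test a file against it before it is enforced, and merge it into the local policy with Set-AppLockerPolicy. Paths and the user name are placeholders.

```powershell
# Added example, not from the original notes: inventory -> policy -> test -> merge.

# AppLocker enforces nothing until the Application Identity service runs;
# it is Manual by default, so make it Automatic and start it.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Collect publisher and hash information for the executables already installed.
$info = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# Publisher rules where files are signed, hash rules otherwise; -Optimize collapses
# rules that share a publisher. -Xml returns the policy document as a string.
$policyXml = 'C:\Policies\AppLocker-Baseline.xml'   # placeholder path
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# Would this file run for this user under the proposed policy? (placeholders)
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\alice\Downloads\setup.exe' -User 'CORP\alice'

# Merge into the existing local policy rather than replacing it.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# What is actually in force on this machine (local policy merged with GPOs)?
Get-AppLockerPolicy -Effective -Xml
```

New-AppLockerPolicy does not set the rule collection’s enforcement mode, so the usual sequence is to run the merged policy in Audit only mode first (set on the collection in the GPO editor), read the AppLocker event log for what would have been blocked, and only then switch to Enforce rules.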
Get-Counter will only get memory usage for the host server, not the memory allocated by Hyper-V
Command Line Tools
- netsh
- net share
- dism
- rsat
- sc
- dnscmd
- secedit
- scwcmd
slmgr.vbs (Activation)
- slmgr.vbs /ipk <product key> must be run first to set the product key.
- slmgr.vbs /ato activates Windows.
- slmgr.vbs /act-type <type> sets the specific activation type for volume licensing (AD or KMS).
Active Directory
- dsamain
- ldifde
- dsadd
- dsmod
- csvde
- djoin
- dsmgmt
- dsacls
PowerShell Cmdlets
- Get-ADGroupMember
- Get-ADGroup
- Set-VMNetworkAdapter (VLan etc…)
Operating System Versions
NT 10
- Windows 10
- Windows Server 2016
NT 6.3
- Windows 8.1
- Windows Server 2012 R2
NT 6.2
- Windows 8
- Windows Server 2012
NT 6.1
- Windows 7
- Windows Server 2008 R2
NT 6.0
- Windows Vista
- Windows Server 2008