Microsoft 70-410 General study notes

Exam 70-410: Installing and Configuring Server 2012 (R2)

Preamble and disclaimer

This post consists of a ton of material that I’ve collected during the study process for the Mircosoft 70-410 exam (which I’ll be taking in early March, 2016). If you can see any required additions/omissions/corrections, send me an [email](mailto:[email protected]?subject=70-410 Feedback) and I’ll do my best to include them.

I make not guarantees that the information thrown together here is accurate or up to date! I’ll know soon enough when I start taking the exams, so don’t take anything as gospel.

Resources

Official Microsoft 70-410 Website MS 70-410 eBook

Quizes

PowerShell

Microsoft is continuously updating and utilising PowersShell for both desktop and server management. Solid PowerShell knowledge will likely be a big part of the MCSA exams and I have very little PowerShell experience.

PowerShell commands (cmd-lets) use a Verb-Noun naming convention. Example verbs that are available can be found at the Microsoft website.

Get-Command lists all available commands available to you. A nice shortcut is, if you want to see which commands are availabe for a particular noun, you can use the -Noun argument.

Get-Command -Noun vhd

PowerShell can be used to manage:

  • The registry
  • Services
  • Processes
  • Event logs
  • Windows Management Instrumentation (WMI)

Independent software vendors can build custom tools and utilities for PowerShell to administer their environemnts.

Overall, everything you see running in the background in PowerShell is an object of some type (class).

.NET Integration

.NET is a foundational aspect of the PowerShell environment.

PowerShell Backward Compatibility

  • PowerShell 2.0 is backward compatible with 1.0
  • PowerShell 3.0 and 4.0 are compatible with 2.0

You can change the version of PowerShell you’re working with using the command:

powershell -version x.0

When updating PowerShell check on any potential compatibility issues (4.0 should not be installed on an Exchange 2007 environment!)

PowerShell and security

PowerShell by default runs under normal user access privileges. You can open a PowerShell administrative console using the cmdlet Start-Process powershell -verb runas.

Installing PowerShell

PowerShell comes as part of the Microsoft Windows Management Framework downloads. 2.0 for PowerShell 2.0, 3.0 for PowerShell 3.0 etc… Additionally;

  • Windows 7 and Server 2008 R2 come with PowerShell 2.0 (and can be installed on XP SP2, 2003 SP2 and Vista SP1)
  • Windows 8 and Server 2012 come wtih PowerShell 3.0 (and can be installed on Windows 7 SP1, Server 2008 SP1 and Server 2008 R2 SP1)
  • Windows 8.1 and Server 2012 R2 comes with PowerShell 4.0 (Win 7 SP1, 2008 R2 and Server 2012)
  • PowerShell 5.0 can be installed on Windows 8.1 and Server 2012 R2.

PowerShell 3.0 and 4.0 are the most commonly used PowerShell versions

Post PowerShell installation tasks

  1. Update PowerShell help information. Update-Help in the PowerShell prompt. You may want to run this form time to time.
  2. By default, you can run commands within the PS console, but cannpt run PowerShell scripts. You’ll need to set the Get-Execution policy. Set-ExecutionPolicy RemoteSigned.
  3. PSRemoting may not be enabled on other machines you wish to run PS commands against. You can run the Enable-PSRemoting cmdlet to enable this feature. (Server 2012 machines have this enabled by default)

Customizing the PowerShell console

Click on the PowerShell icon in the top-right of the window and select ‘Properties’.

PowerShell ISE

PowerShell Profiles

  • AllUsersAllHosts

    • %windir%\System32\WindowsPowerShell\v1.0\profile.ps1

  • AllUsersCurrentHost

    • %windir%\System32\WindowsPowerShell\v.10\Microsoft.PowerShell_profile.ps1

  • CurrentUserAllHosts

    • %userprofile%\My Documents\WindowsPowerShell\profile.ps1

  • CurrentUserCurrentHost

    • %userprofile%\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Desired State Configuration (DSC)

Set-DscLocalConfigurationManager

Pipelining

PowerShell Providers (Location)

Get-PSDrive

  • WSMan (wsman:)
  • FileSystem (Default - c: <- function alias)
  • Registry (HKLM:, and HKCU:)
  • Aliases (alias:)
  • Functions (function:)
  • Environment (env:)
  • Certificates (cert:)
Set-Location HKLM:

Aliases

dir, ls -> Get-ChildItems cd ->

PowerShell Modules

Install and configure servers (15-20%)

Udemy 70-410 Video Course

Big changes around virtualisation and managability. R2 is a minor update to 2012 standard which focused on more around private cloud (virtualisation, storage and networking) A role is considered a primary feature of a server - a feature helps a server perform its primary role.

Server 2012 R2 Licensing has four options:

  • Datacenter
  • Standard
  • Essentials (Smaller Companies - 25 Users)
  • Foundation (OEM Only - 15 Users)

Datacenter has the same functionality as Standard however DC edition has unlimited number of VMs, where Standard only has two (2). Further, licensing is per two phyical cores.

Roles (built in roles) that are not supported in Server Core 2012 R2:

  • Federated Services
  • Application Server
  • Network Policy and Access Services
  • Windows Deployment Services

Install Servers

In-Place Upgrades

In-place upgrade to Server 2012 R2 is supported from the following previous Windows versions:

  • Server 2008 R2 Datacenter with SP1 -> 2012 R2 Datacenter
  • Server 2008 R2 Enterprise with SP1 -> 2012 R2 Standard or Datacenter
  • Server 2008 R2 Standard with SP1 -> 2012 R2 Standard or Datacenter
  • Web Server 2008 R2 with SP1 -> 2012 R2 Standard
  • Server 2012 Datacenter -> 2012 R2 Datacenter
  • Server 2012 Standard -> 2012 R2 Standard or Datacenter
  • Hyper-V Server 2012 -> 2012 Hyper-V R2
  • Storage Server 2012 Standard -> 2012 Storage Server R2 Standard
  • Storage Server 2012 Workgroup -> 2012 Storage Server R2 Workgroup

Activating Windows

Post Install Configuration Steps

  • Setting the computer name: Rename-Computer -ComputerName “Example” -Restart netdom.exe renamecomputer %ComputerName% /NewName: NewComputerName

  • Joining the domain Add-Computer -DomainName (-ComputerName) netdom.exe %ComputerName% /join /userd /passwordd

(Remove-Computer)

Features on Demand (@Todo)

Role Migration (@Todo)

References

Configure Servers

Configuration Levels

In Server 2012, the configuration level at any time after installation (and during installation). Server core is considered the default.

There are now four (4) different configuration levels available (from lowest to highest):

  1. Server-Core
  2. Server-GUI-Mgmt-Infra
  3. Server-GUI-Shell
  4. Desktop-Experience

Configuration levels can be changed through Server Manager, PowerShell and DISM, and require a restart.

Example: Changing configuration levels using PowerShell.

Open up a PowerShell windows and use the Install-WindowsFeature cmdlet to update the servers configuration levels.

Install-WindowsFeature server-gui-mgmt-infra
Install-WindowsFeature server-gui-shell
Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart

Additional option, Install-WindowsFeature can use an XML file created by Server Manager Add Features Wizard. Install-WindowsFeature -ConfigurationFilePath <filepath>

You can also install the windows role directly to a VHD file using the -VHD argument to Install-WindowsFeature.

Server Manager in 2012 has been updated to allow management of multiple servers. Remote management is enabled by default on Server 2012. If not, it can be enable using the powershell utility Enable-SMRemoting.exe -Enable. If your infrastructure includes 2008 or 2008 R2 installations you can install the Windows Management Framework. PowerShell 3.0 will be available and these machines can be managed remotely using Server Manager.

If you want to manage your servers on a Windows desktop machine you can install the Remote Server Administration Tools (Windows 8+ only).

You could also remove these features by running the Remove-WindowsFeature cmdlet.

Since the installation will require a restart anyway, you can use the -Restart argument to restart immediately after installation.

Configure Networking Details

Using the netsh interface context

netsh interface ipv4 set address "Ethernet" static 192.168.1.1 255.255.255.0 netsh interface ipv4 set dnsservers "Ethernet" static 192.168.1.1 primary

Using PowerShell cmdlets

New-NetIPAddress -NetworkAlias "Ethernet" -IPAddress 192.168.1.1 -DefaultGateway 192.168.1.254 -PrefixLength 24

Set-DNSClientServerAddress -NetworkAlias "Ethernet" -ServerAddresses 192.168.1.1

Note: The first IP Address for DNS servers will be the primary address. You can remove DNS settings from an interface completely using the command:

Set-DNSClientServerAddress -ResetServerAddresses

Nic Teaming / LBFO

NIC Teams are used where high-availability is required. A virtual machine network switch would usually use NIC teaming. In 2012, NIC teaming is native to Windows and supports up to 32 individial network cards in a team.

Note: While the Hyper-V Host/Hypervisor can support up to 32 NICs in an LBFO team, an individual VM will only support two NICs in a team. Shortcut: Typing lbfoadmin from the command line brings up the NIC teaming window.

New-NetLbfoTeam -Name "Name" -TeamMembers nic1,nic2 TeamingMode static/lacp/switchindependent
Set-NetLbfoTeam(As Above)

Microsoft’s recommended teaming mode is Switch Independent and Dynamic (new in 2012 R2).

Delegate Administration (@Todo)

Working with Offline Images (@Todo)

PowerShell Desired State Configuration

PowerShell DSC is Microsoft’s answer to the general trend towards infrastructure as code. Rather than configuring server roles, features files etc.. manually when provisioning (or updating existing) servers, the administrator can define various resources. For example, WindowsFeature (e.g. IIS) or File (e.g. A file or folder). These resources are coded as a PowerShell function which is then compiled to a .mof file.

Once this policy has been applied to a machine, a local service will regularly (depending on the configuration) check the machine against this policy. The policy can be enforced, or the local DSC service will

This configuration be be either a Push or Pull configuration.

Push vs Pull

References

Configure Local Storage

Storage Spaces

Create a new Storage Pool

Storage Spaces uses a specific underlying Operating System storage subsystem. The name can change depending on the operating system. You can use Get-StorageSubSystem to find the appropriate name on your OS. You’ll use this name when creating a new storage spaces Storage Pool.

@Todo: Image of Get-StorageSubSystem result in Windows 10 and Windows Server 2012 R2.

$disks = (Get-PhysicalDisk -CanPool $true)
New-StoragePool -FriendlyName -StorageSubsystemFriendlyName "Storage Spaces*" -PhysicalDisks $disks

Note: Asterisk is required as on Windows the name of the sub system is unique. E.g. Storage Spaces on COMPUTERNAME.

Storage Layouts

Data can be made resilient in three different modes. Simple (no resiliency), Mirror and Parity. These are somewhat analogous to traditional RAID levels 0, 1 and 5 respectively. However, Mirror and Parity can be made resilient to more than one disk failure. Further, performance can be adjusted by adjusting the number of disks a stripe of data is replicated across (think RAID 1+0 etc…). Stripes of data will be split across the number of columns chosen for either Mirror or Parity redundancy.

Simple

  • Requires at least 1 physical disk.
  • No fault tolerance.
  • Data will be stripped across disks (great performance).

Mirror

  • Requires at least 2 physical disks.
  • Great read/good write performance.
  • Required 2 disks for single drive failure tolerance and 5 disks for 2 drive failure tolerance.

Parity

  • Requires at least 3 disks.
  • Parity data is striped across disks.
  • Required 3 disks for single drive failure and 7 disks for 2 drive failure tolerance.
Columns

Each storage layout contains a certain numbers of columns. Columns are a logical unit where-upon stripes of data are written. If I have a 512kb block of data to write to the disk system, and I have two columns, then 256kb will be written to the first column and 256kb to the second column.

Each column will contain one or more disks.

In a simple storage layout, the number of columns matches the number of disks and cannot (no need to be) adjusted. In a Mirror and Parity layout there is some configurability as to how many columns to use. Using Server Manager to create a new virtual disk will by default use the largest number of columns possible.

Columns to disk ratio

  • Two-Way Mirror -> 1:2
  • Three-Way Mirror -> 1:3
  • Single Parity -> 1:1
  • Dial Parity -> 1:1
Example - Critical Data Storage with Fast Access

We need to create a virtual disk that can survive the failure of two disks but also requires fast read and write performance (perhaps this is for an important SQL database). Our enclosure contains 20 10k rpm HDDs.

Best practice recommends using a number of columns 1 less than maximum to allow enough disk space to automatically re-build following the loss of a drive.

Parity layout gives us more usable storage space, and can survive the failure of two disks with a Dual Parity configuration, however the write performance is generally poor. So in this case, we’ll use a Three-Way mirror storage layout. A three way mirror requires 3 disks per column. With 20 disks that leave a maximum of 6 columns (6 * 3 = 18).

Note: Storage Spaces allows the use of a dedicated journaling disk to significantly improve the performance of Parity Storage spaces (hint: you would use an SSD).

New-VirtualDisk -StoragePoolFriendlyName NameOfStoragePool -FriendlyName BusinessCritical -ResiliencySettingName Mirror -PhysicalDiskRedundancy 2 -NumberOfColumns 5

References

Basic vs. Dynamic Disks

MBR vs GPT Disks

Volume Management

VHD and VHDX Management

Storage and Disk Pools with Disk Enclosures

References

Configure server roles and features (15-20%)

Configure File and Share Access

  • Create and Configure Shares
  • Configure Share Permissions
  • Configure Offline Files
  • Configure NTFS Permissions
  • Configure ABE (Access Based Enumeration)
  • Configure VSS (Volume Shadow Copy Service)
  • Configure NTFS Quotas
  • Create and Configure Work Folders

References

Configure Print and Document Services

  • Easy Print Driver
  • Enterprise Print Management
  • Drivers
  • Printer Pooling
  • Print Priorities
  • Printer Permissions

Printing

Migrating Printers

  • printbrm tool.

References

Configure Servers for Remote Management

  • Configure WinRM
  • Down-level server management
  • Multi-server Management
  • Configure Server Code
  • Configure Firewall
  • Manage non-domain joined servers.

References

Preparation Resources

File Server Resiliency with ReFS Using 2012 Server Manager for Remote and Multi-Server Management

Configure Hyper-V (15-20%)

Hyper-V is a Type 1 hypervisor. It runs on the bare-metal of the server. When the Hyper-V role is installed and the server is reinstalled, Window Server itself runs essentially on top of the Hyper-V hypervisor.

Came out as a post RTM update to Windows Server 2008.

Server 2008

  • Limited to 4 vCPUs and 64GB of RAM per VM
  • Limited to 2TB VHD Size
  • Quick Migration (Pausing the VM)
  • Iterative VSS Backup
  • Snapshots
  • Passthu Storage

Server 2008 R2

  • Live Migration (Running VM - no pauses)
  • Clustered Shared Volumes
  • Processor compatibility mode
  • Hot-add SCSI storage
  • Jumbo Frames and VMQ (Virtual Machine Queues)
  • NIC teaming allowed (NIC vendor only, but supported)
  • SLAT support

Server 2008 R2 SP1

Server 2012

  • 64 vCPU and 1TB RAM per VM
  • NUMA support
  • 64TB VHDX
  • 64-node clusters
  • SMB 3.0 support
  • Storage Migration
  • Shared-nothing live migration.
  • Hyper-V Replica
  • Virtual Fibre Channel
  • Network Virtualisation
  • VMQ and SR-IOV
  • Hyper-V Extensible Switch
  • Improved Dynamic Memory (Minimum Memory)
  • Resource Metering
  • First Class Linux Support

Server 2012 R2

  • Generation 2 VM (UEFI)
  • Dynamic SCSI VHDX resize
  • Shared VHDX on CSV/SoFS
  • Storage metering / QoS
  • Live migration compression / SMB
  • Hyper-V replica granularity & extended (multiple replicas)
  • Network virtualisation Gateway
  • Live VM/checkpoint export
  • vRSS (Virtual receive side scaling)
  • Automatic VM activation (AVMA)
  • More Linux features

References

Create and Configure Virtual Machine Settings

Dynamic Memory (@Todo)

Smart Paging (@Todo)

VM Resource Metering

Introducted in Hyper-V for Windows Server 2012, allows tracking of resource usage at the VM level.

Get-VM "VM Name" | Enable-VMResourceMetering
Measure-VM -VMName "VM Name" | Format-List

Get-VMMemory only gets the configured memory settings for the host server, not the actual usage of running virtual machines.

Guest Integration Services

Generation 1 vs Generation 2 Virtual Machines

Introduced in Server 2012 R2, Hyper-V supports Generation 2 virtual machines. The generation of VM determined which hardware and features are presented to the VM guest operating system.

Generation 2
  • PXE boot with a standard network adapter.
  • Boot from SCSI virtual HDD.
  • Boot from SCSI virtual DVD.
  • Secure Boot (enabled by default).
  • UEFI firmware support.

Generation 2 virtual machines support only Windows version 6.2 (64bit only) and higher.

  • Windows 8 (64bit), Server 2012 (6.2)
  • Windows 8.1 (64bit), Server 2012 R2.
  • Windows 10, Server 2016 (When it’s released).

Note: Linux VMs will not boot unless secure boot is disabled.

References

Virtual Machine Connection Enhanced Session Mode

Enhanced session mode allows the sharing of more data between the client and the guest virtual machine. Such as:

  • Clipboard content (Copy and Paste)
  • Audio
  • Drives
  • Printers
  • Smart cards and USB devices
  • Display configuration

These features are only available when the Hyper-V host is Server 2012 R2 and the guest OS is Windows 8.1 Professional/Enterprise or Server 2012 R2.

Enhanced session mode is disabled by default, to enable:

  • Enable Enhanced Session Mode Policy on the Hyper-V Host
  • Enable Enhanged Session Mode of Hyper-V Host
  • Restart the Hyper-V Service

For each host

  • Enable guest services
  • Ensure Remote Desktop Services is running/enabled.

References

Configuring RemoteFX

References

Create and Configure Virtual Machine Storage

VHD and VHDX Disks

The VHDX virtual disk format was introduced with Server 2012.

  • Support for storage capacities up to 64TB.
  • Protection against corruption during power failures.
  • Improved alignment on newer, large sector, disks (4KB vs. 512B with the older VHD format).
  • TRIM compatibility (on Physically connected disks only)

PowerShell

New-VHD -Path -SizeBytes -PhysicalSectorSizeBytes

References

Differencing Drives

Pass-Through Disks

Checkpoints

Virtual Fibre Channel Adapters

Storage Quality of Service

References

Create and Configure Virtual Networks

Hyper-V Virtual Switches

Optimise Network Performance

Configure MAC Addresses

Network Isolation

Synthetic and Legacy Network Adapters

NIC Teaminig in Virtual Machines

Hyper-V Networking

Hyper-V supports virtual subnetting on a VM network adapter basis. Virtual subnet IDs can range from 4096 to 16777215. Setting the Virtual Subnet ID to 0 disables the virtual subnetting feature.

Set-VMNetworkAdapter -VirtualSubjetId 0

Virtual machines only support two (2) virtual network adapters used in a team. You can add more, but only two are supported.

Metering network connections to a specific subnet.

Get-VMNetworkAdapter -VMName Redmond | Add-VMNetworkAdapterAcl -RemoteIPAddress 192.168.0.0/16 -Direction Outbound -Action Meter

References

Deploy and configure core network services (15-20%)

Configure IPv4 and IPv6 Networking

IPv4

Subnetting

IPv6

Prefixes:

  • 2000/3000 - Global unicast address space. (publically addressable)
  • FE80 - Link Local prefix. Reserved for single (non-public) broadcast domains.

Autoconfiguration

In IPv4 land, IP addresses are typically configured through a DHCP server. The DHCP server will provide IP addresses as well as other subnet specific options, such as the address/es for DNS , gateway (router) and Windows Deployment Services (networking booting).

In IPv6 land, IP addresses are typically automatically configured. When IPv6 is enabled on an interface, it will (attempt to) create multiple IPv6 addresses.

The first is a EUI-64 generated Link-Local address. This address is broadcast domain scoped (It’s a Link-Local address) so routers will not transmit addresses beyond the subnet.

This address is created by taking the interface’s MAC address, flipping the 7th bit (don’t ask me why!) and putting FFFE right bang in the middle of the MAC address - then using the result (a 64 bit address) at the host ID in the FE80:: network.

For example, given the MAC address: 68:C2:D4:99:B9:E6, the resultant EUI-64 host ID will be 6AC2:D4FF:FE99:B9E6.

Putting the FE80:: network address at the beginning leaves the full EUI-64 address as:

FE80::6AC2:D4FF:FE99:B9E6/64.

Note the :: which has omitted a series of 0’s from the address. The full address is FE80:0000:0000:0000:6AC2:D4FF:FE99:B9E6/64.

In addition, if your network supports it, devices may attempt to generate a stateless autoconfiguration IPv6 address (see below).

Broadcast Groups

In an IPv4 network, you have the notion of a network broadcast. This is restricted to the subnet and was used by processes such as ARP requests to try and find the hardware address from an IP address.

IPv6 no longer has a notion of broadcast address. On network connection, the interface on the device will automatically join itself to at least the all devices multicast group an to an additional multicast group that corresponds to the last 24 bits of it’s MAC address.

For example, given the same MAC address as above (68:C2:D4:99:B9:E6), the machine will be a member of the FF02::1 multicast group (all devices), and the FF02::1:FF99:B9E6 multicast group.

Stateless Autoconfiguration

Devices can also attempt to discover the network they are located on and automatically generate an appropriate address for the network. On connection to the network, the interface will send out a Router Solicitation message to the FF02::2 multicast group (Routers are configured to be a part of this group automatically). If found, a router will respond with a Router Advertisement message. This message will contain the networks prefix and whether or not other options are available from the router (I’ll get to this in a second).

Further, the interface will by default set the gateway address to the router that responding to the Router Solicitation address.

From the network prefix provided by the router, the interface will attempt to generate a unique host ID, and will then send out a neighbor discovery to find out if any other devices have already taken the generated host address.

If the router advertisment message included the -o option (aka: options), then an additional DHCPv6 message will be sent to the router which may respond with additona important network options (DNS servers, etc…).

References:

Configure ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)

Configure Teredo

References

Deploy and Configure DHCP

Reservations and Options

Client/Server PXE Boot

DHCP Relay Agent

Authorising a DHCP Server

References

Deploy and Configure DNS

Configure AD Integration of Primary Zones

Configure Forwarders

Configure Root Hints

Manage DNS Cache

Create A/AAAA and PTR Records.

IPv6 AAAA Records (Quad-A Records) translate a domain name in to a IPv6 address. A Records translate a DNS domain name to an IPv4 address. Cache.dns contains designated root hints for the DNS server. ISATAP

For hosts to resolve address without the FQDN (i.e. only from the base hostname), the DNS server should be set to have a new Primary Zone called GlobalNames. It’s recommended it be AD integrated.

Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Domain

References

d### Network Load Balancer

Reference: http://myitforum.com/myitforumwp/2012/08/16/how-to-configure-an-nlb-in-hyper-v-part-1/

Install and administer Active Directory (15-20%)

Install Domain Controllers

  • Add/Remove Domain Controllers
  • Upgrade Domain Controllers
  • Install ADDS (Active Directory Domain Services)
  • Install Domain Controllers from IFM (Install from Media)
  • Resolve DNS SRV record integration issues
  • Configure a GC (Global Catalog) server
  • Deploy AD Infrastructure as a Service (IAAS) in Microsoft Azure s####

Create and manage Active Directory users and computers

  • Automate the create of account
  • Create/Copy/Configure and Delete Users and Computers
  • Configure Templates
  • Perform bulk AD operations
  • Configure User rights

Offline joining a workstation

Supported from the Server 2008 R2 domain functional level.

djoin.exe Machines running Windows 7, Server 2008 R2, Windows 8, Server 2012 or Server 2012 R2 only.

djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos

Manage inactive and disabled accounts

Create and manage Active Directory groups and OUs

  • Group nesting
  • Converting groups between security, distribution, universal, domain local and domain global
  • Group members using Group Policy
  • Enumerate group membership
  • Delegate creation/management of AD objects.
  • Manage default AD containers
  • Create/Copy/Configure and Delete groups and OUs

Domain Controllers

FSMO Roles

Global Catalog Role

A global catalog server lets you search the entire AD DS forest (for a sub set of AD information) without requests to the domain controller in the domain that stores the target of your search.

To promote a domain controller to a global catalog server for the forest, you can use either *Active Directory Sites and Services or the Set-ADObject command:

Set-ADObject "CN=NTDS Settings,CN=Server-Name,CN=OU-Name,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace@{options='1'}

Replacing options='1' with options="0" will disable the global catalog role for that domain controller.

References

References

Create and manage group policy (15-20%)

PowerShell Commands

Get-Command -Noun GP*)

  • New-GPLink
  • Set-GPLink
  • New-GPO
  • New-GPStarterGPO
  • Restore-GPO
  • Copy-GPO
  • Export-GPO
  • Import-GPO
  • Backup-GPO

Supported from Server 2008 and allows

Create GPOs (Group Policy Objects)

Central Store

Starter GPOs

Multiple Local Group Policies

Configure Security Policies

User Rights Assignment

Security Options Settings

Security Templates

Auditing

  • @Todo: Auditing file system access
  • @Todo: Auditing system changes (time?)
  • @Todo: Auditing AD and GP Access

References

TechNet How to implement the central store for GP Admin Templates

Local Users and Groups

User Account Control (UAC)

Configure Application Restriction Policies

Rule Enforcement

Software Restriction Policies

SRP configuration can be found in a GPO under Windows Settings\Security Settings. As either a user or computer policy.

When you enable Software Restriction Policies on a GPO, two folders are created:

  • Security Levels -> The default behaviour before additional rules are considered.
  • Additional Rules
Security Levels

Unrestricted All applications can be run except those specified.

Disallowed No applications can run except those specified.

Basic User Prevent applications from running that require administrator access (think UAC prompt). All other applications are allowed.

(Additional) Rules

Hash Certificate Path Network Zone Network Zone rules apply only to Windows installation packages.

AppLocker Rules

AppLocker can be considered an updated version of Software Restriction Policies. It is available only on Windows 7 and Server 2008 R2 onwards.

Note: To use AppLocker, the Application Identity service must be running. This service is set to Manual by default.

Configure Windows Firewall

Rules for Multiple Profiles using Group Policy

Configure Connection Security Rules

Configure Windows Firewall

Configure Windows Firewall to allow or deny applications, scopes, ports and users
Configure Authenticated Firewall Exceptions
Import and Export Settings

References

To Go Over

DHCP and Complex Configuration

  • Policies to restrict DHCP scope based on type of machine (VM’s only, or other types of machines).

Certificate and Cert Services

Work Folders

Domains and Trusts

  • Group types and PowerShell/Cmd utilities and arguemnts
    • Set-ADGroup (To change group type to universal for example if it needs to contain user or computer accounts from a different domain in the forest)
    • Dsmod can also be used.

FlashCards

netsh (used a lot)

netsh firewall <- is depreciated. netsh advfirewall

Important Ports

3389 - Remote Desktop 1723 - PPTP VPN Access 80 - Web Traffic 443 - HTTPS Web Traffic 110 - POP Email 25 - SMTP Email

PowerShell

Firewall Configuration

Measuring Performance

AppLocker

Essentially an updated version of Software Restriction Policies. Can only only AppLocker policies to machines running Windows 7 and Server 2008 R2 onwards.

AppLocker policies are a computer based GPO, found at the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker container.

AppLocker requires the Application Identity Service to be running, which is set to manual by default on machines.

  • @Todo: Local policies

You can merge AppLocker policies using the Set-AppLockerPolicy PowerShell cmdlet.

References:

Get-Counter will only get memory usage for the host server, not the memory allocated by Hyper-V

Command Lins Tools

  • netsh
  • net share
  • dism
  • rsat
  • sc
  • dnscmd
  • secedt
  • scwcmd

slmgr.vbs (Activation)

slmgr.vbs /ipk must be run first to set the product key. slmgr.vbs /ato Activate Windows. slmgr.vbs /act-type will set the specific activation type for volume licensing (AD or KMS)

Active Directory

  • dsamain
  • ldifde
  • dsadd
  • dsmod
  • csvde
  • djoin
  • dsmgmt
  • dsacls

PowerShell Cmdlets

  • Get-ADGroupMember
  • Get-ADGroup
  • Set-VMNetworkAdapter (VLan etc…)

Operating System Versions

NT 10

  • Windows 10
  • Windows Server 2016

NT 6.3

  • Windows 8.1
  • Windows Server 2012 R2

NT 6.2

  • Windows 8
  • Windows Server 2012

NT 6.1

  • Windows 7
  • Windows Server 2008 R2

NT 6.0

  • Windows Vista
  • Windows Server 2008