Microsoft 70-410 General study notes

Exam 70-410: Installing and Configuring Server 2012 (R2)

Preamble and disclaimer

This post consists of a ton of material that I’ve collected during the study process for the Microsoft 70-410 exam (which I’ll be taking in early March, 2016). If you can see any required additions/omissions/corrections, send me an email and I’ll do my best to include them.

I make no guarantees that the information thrown together here is accurate or up to date! I’ll know soon enough when I start taking the exams, so don’t take anything as gospel.

Resources

Official Microsoft 70-410 Website

Quizzes

PowerShell

Microsoft is continuously updating and utilising PowerShell for both desktop and server management. Solid PowerShell knowledge will likely be a big part of the MCSA exams and I have very little PowerShell experience.

PowerShell commands (cmdlets) use a Verb-Noun naming convention. The list of approved verbs can be found on the Microsoft website, or from within PowerShell with Get-Verb.

Get-Command lists every command available in the session. To see which commands exist for a particular noun, use the -Noun parameter (it also accepts wildcards, e.g. -Noun vhd*):

Get-Command -Noun vhd

PowerShell can be used to manage:
- The registry
- Services
- Processes
- Event logs
- Windows Management Instrumentation (WMI)

Independent software vendors can build custom tools and utilities (modules and snap-ins) for PowerShell to administer their environments.

Everything PowerShell passes along the pipeline is a .NET object of some type (class), not a line of text; its properties and methods travel with it, and Get-Member shows them.
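As an added example (not part of the original notes) of what "everything is an object" means in practice: the pipeline below filters services on their properties rather than on text, and Get-Member shows the type behind each object. The services and paths it returns depend on the machine it runs on.

```powershell
# Every cmdlet emits .NET objects; Get-Member reveals the type and its members
Get-Service | Select-Object -First 1 | Get-Member -MemberType Property

# Filter on object properties, not on text: automatic-start services that run
# as LocalSystem from a binary outside the Windows directory (handy when
# auditing a freshly built server for third-party services)
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartMode -eq 'Auto' -and
        $_.StartName -eq 'LocalSystem' -and
        $_.PathName -notmatch [regex]::Escape($env:SystemRoot)
    } |
    Select-Object Name, State, PathName |
    Sort-Object Name |
    Format-Table -AutoSize
```

Because the comparison is against the StartName and PathName properties, the filter keeps working whatever the display formatting of Get-Service or sc query happens to be.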

.NET Integration

.NET is a foundational aspect of the PowerShell environment.

PowerShell Backward Compatibility

You can change the version of PowerShell you’re working with using the command:

powershell -version x.0

When updating PowerShell, check for compatibility issues with installed products first (4.0 should not be installed on an Exchange 2007 environment!).

PowerShell and security

PowerShell runs with the privileges of the user who launched it; under UAC that is the standard (unelevated) token even for an administrator account. You can open an elevated PowerShell console from an existing one with Start-Process powershell -Verb RunAs, which triggers the UAC prompt.
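An added example (not from the original notes) showing how a script can tell whether it already holds the elevated token and, if not, relaunch itself through UAC with the command above rather than failing halfway through an administrative task:

```powershell
# Is the current console running with an elevated (administrator) token?
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Relaunch PowerShell through UAC; the new window gets the full admin token,
    # the current unelevated session is left untouched
    Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit', '-Command', "Set-Location '$PWD'"
    return
}

"Running elevated as $env:USERNAME"
```

From PowerShell 4.0 onwards a script can also declare #Requires -RunAsAdministrator at the top, in which case the engine refuses to start it unelevated instead of the script having to check.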

Installing PowerShell

PowerShell ships as part of the Windows Management Framework (WMF) downloads: WMF 2.0 for PowerShell 2.0, WMF 3.0 for PowerShell 3.0, and so on. Additionally:
- Windows 7 and Server 2008 R2 come with PowerShell 2.0 (WMF 2.0 can be installed on XP SP3, Server 2003 SP2 and Vista SP1)
- Windows 8 and Server 2012 come with PowerShell 3.0 (WMF 3.0 can be installed on Windows 7 SP1, Server 2008 SP2 and Server 2008 R2 SP1)
- Windows 8.1 and Server 2012 R2 come with PowerShell 4.0 (WMF 4.0 can be installed on Windows 7 SP1, Server 2008 R2 SP1 and Server 2012)
- PowerShell 5.0 (WMF 5.0) can be installed on Windows 8.1 and Server 2012 R2

PowerShell 3.0 and 4.0 are the most commonly used PowerShell versions

Post PowerShell installation tasks

  1. Update the PowerShell help files with Update-Help at the PowerShell prompt (from an elevated console). It is worth re-running this from time to time.
  2. By default you can run commands at the PS console but cannot run PowerShell script files (the default policy on client operating systems is Restricted; Server 2012 R2 already ships with RemoteSigned). Check the current policy with Get-ExecutionPolicy and change it with Set-ExecutionPolicy RemoteSigned.
  3. PSRemoting may not be enabled on other machines you wish to run PS commands against. Run the Enable-PSRemoting cmdlet on them to enable it (Server 2012 and later have it enabled by default).
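The three post-installation steps as one script, added here as an example rather than taken from the original notes. The target server name SRV01 is an assumption; Test-WSMan is used to confirm that WinRM is listening before Invoke-Command is attempted.

```powershell
# 1. Refresh local help (needs internet access, or -SourcePath to an offline copy)
Update-Help -ErrorAction SilentlyContinue

# 2. Allow locally written scripts, require a signature on downloaded ones.
#    Set it for the machine rather than just this process so it persists.
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 3. Check remoting on a target (WinRM listener reachable), then run a command there
$target = 'SRV01'   # assumed server name
if (Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue) {
    Invoke-Command -ComputerName $target -ScriptBlock {
        Get-ExecutionPolicy
        $PSVersionTable.PSVersion
    }
} else {
    "WinRM is not reachable on $target; run Enable-PSRemoting -Force there (elevated)."
}
```

The execution policy is a safety catch, not a security boundary: anyone who can run powershell.exe can pass -ExecutionPolicy Bypass. It stops accidental execution of scripts, which is all RemoteSigned is meant to do. Enable-PSRemoting also starts the WinRM service and adds the firewall rule for it, which is why it needs an elevated prompt on the remote machine.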

Customizing the PowerShell console

Click on the PowerShell icon in the top-right of the window and select ‘Properties’.

PowerShell ISE

PowerShell Profiles

Desired State Configuration (DSC)

Set-DscLocalConfigurationManager

Pipelining

PowerShell Providers (Location)

Get-PSDrive

Set-Location HKLM:
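An added example (not part of the original notes) of using the registry provider for something useful: the same item cmdlets that work on C:\ are used to walk the Run keys in both hives, a common persistence location worth checking on a new server. The key list is constructed for the example.

```powershell
# Providers expose the registry as drives, so Get-ChildItem / Get-ItemProperty
# work on HKLM: and HKCU: exactly as they do on a file system
Get-PSDrive -PSProvider Registry

# Enumerate programs that launch at logon across both hives
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the provider's own metadata properties (PSPath, PSParentPath, ...)
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
}

# Navigate a hive like a directory tree, then come back
Set-Location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Get-ChildItem -Name | Select-Object -First 5
Set-Location C:\
```

Registry values are properties of a key item, not child items, which is why Get-ItemProperty is needed to read them while Get-ChildItem only lists subkeys.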

Aliases

dir, ls -> Get-ChildItem
cd ->

PowerShell Modules

Install and configure servers (15-20%)

Resources

Udemy 70-410 Video Course

Big changes around virtualisation and manageability. R2 is a minor update to 2012 that focuses on private cloud features (virtualisation, storage and networking). A role is a primary function of a server; a feature helps a server perform its primary role.

Server 2012 R2 licensing has four options:
- Datacenter
- Standard
- Essentials (smaller companies, 25 users)
- Foundation (OEM only, 15 users)

Datacenter has the same functionality as Standard, but a Datacenter licence covers an unlimited number of virtual machine instances, where Standard covers only two (2). Both editions are licensed per pair of physical processors (sockets), not per core.

Roles (built-in roles) that are not supported on Server Core 2012 R2:
- Federation Services
- Application Server
- Network Policy and Access Services
- Windows Deployment Services

In-Place Upgrades

In-place upgrade to Server 2012 R2 is supported from the following previous Windows versions:

Configuration Levels

In Server 2012 the configuration level can be chosen during installation and changed at any time afterwards. Server Core is the default.

There are now four (4) different configuration levels available (from lowest to highest):
  1. Server-Core
  2. Server-GUI-Mgmt-Infra (Minimal Server Interface)
  3. Server-GUI-Shell (Server with a GUI)
  4. Desktop-Experience

Configuration levels can be changed through Server Manager, PowerShell and DISM, and require a restart.

Example: Changing configuration levels using PowerShell.

Open a PowerShell window and use the Install-WindowsFeature cmdlet to change the server's configuration level:

Install-WindowsFeature server-gui-mgmt-infra
Install-WindowsFeature server-gui-shell
Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart

Additionally, Install-WindowsFeature can take an XML file exported by the Server Manager Add Roles and Features Wizard: Install-WindowsFeature -ConfigurationFilePath <filepath>

You can also install roles and features into an offline VHD file (one containing a Windows Server image) using the -Vhd parameter of Install-WindowsFeature.

Server Manager in 2012 has been updated to manage multiple servers. Remote management is enabled by default on Server 2012. If it has been turned off, it can be re-enabled from an elevated prompt with Configure-SMRemoting.exe -Enable. If your infrastructure includes 2008 or 2008 R2 installations, install the Windows Management Framework 3.0 on them: that gives them PowerShell 3.0 and WinRM 3.0, after which they can be managed remotely from Server Manager.

If you want to manage your servers on a Windows desktop machine you can install the Remote Server Administration Tools (Windows 8+ only).

The GUI features can be removed again with Uninstall-WindowsFeature (Remove-WindowsFeature is an alias for it), as in the third command above.

Since the installation will require a restart anyway, you can use the -Restart argument to restart immediately after installation.

Post Configuration Steps

(Remove-Computer)

Configure Networking Details

Using the netsh interface context

netsh interface ipv4 set address "Ethernet" static 192.168.1.1 255.255.255.0
netsh interface ipv4 set dnsservers "Ethernet" static 192.168.1.1 primary

Using PowerShell cmdlets

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.1 -DefaultGateway 192.168.1.254 -PrefixLength 24

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.1

Note: the interface is identified with -InterfaceAlias (or -InterfaceIndex), and the first address in -ServerAddresses becomes the primary DNS server. You can remove the static DNS settings from an interface completely (reverting it to DHCP-supplied servers) with:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ResetServerAddresses
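The cmdlets above as a complete, repeatable configuration, added here as an example and not taken from the original notes. It assumes the adapter is called Ethernet (check with Get-NetAdapter); the extra steps deal with the two things that make New-NetIPAddress fail on a freshly installed server: an address already present on the interface and DHCP still being enabled.

```powershell
$alias = 'Ethernet'   # assumed interface alias

# New-NetIPAddress fails if an address already exists on the interface, and
# DHCP would keep overwriting the settings, so clear both first
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Static address, gateway and DNS servers (first entry is the primary)
New-NetIPAddress -InterfaceAlias $alias -IPAddress 192.168.1.1 -PrefixLength 24 -DefaultGateway 192.168.1.254
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 192.168.1.1, 192.168.1.2

# Verify: addresses, gateway and DNS servers as the stack now sees them
Get-NetIPConfiguration -InterfaceAlias $alias
```

Run it from the console or over a different interface: the Remove-NetIPAddress step drops any remote session that was using the address being replaced.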

Nic Teaming / LBFO

NIC teams are used where high availability is required (which, in practice, is always). A virtual machine network switch would usually sit on top of a NIC team. In 2012 NIC teaming is native to Windows and supports up to 32 individual network cards in a team.

Note: While the Hyper-V Host/Hypervisor can support up to 32 NICs in an LBFO team, an individual VM will only support two NICs in a team.

Set up Load Balance Fail Over (LBFO)

Shortcut: Typing lbfoadmin from the command line brings up the NIC teaming window.

New-NetLbfoTeam -Name "Name" -TeamMembers nic1,nic2 -TeamingMode SwitchIndependent|Static|Lacp -LoadBalancingAlgorithm Dynamic|TransportPorts|IPAddresses|MacAddresses|HyperVPort

Set-NetLbfoTeam takes the same -TeamingMode and -LoadBalancingAlgorithm parameters to change an existing team.

Microsoft’s recommended teaming mode is Switch Independent and Dynamic (new in 2012 R2).
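An added example (not from the original notes) that builds a team in the recommended mode, shows how to move it to LACP later, verifies member state, and covers the guest-side switch that the two-NIC limit inside a VM depends on. The adapter, team and VM names are assumptions.

```powershell
# Create a two-member team in the recommended mode; Switch Independent needs
# no configuration on the physical switch
New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Move an existing team to LACP once the switch ports have been put in a channel group
Set-NetLbfoTeam -Name 'Team1' -TeamingMode Lacp -LoadBalancingAlgorithm Dynamic

# Verify the team and whether each member is active or standby
Get-NetLbfoTeam -Name 'Team1'
Get-NetLbfoTeamMember -Team 'Team1' | Select-Object Name, AdministrativeMode, OperationalStatus

# Inside a guest, teaming its (at most two) virtual NICs only works if the host
# allows it on each adapter; otherwise the team forms but traffic is dropped
Set-VMNetworkAdapter -VMName 'VM01' -AllowTeaming On
```

The team itself shows up as a new adapter (the team interface); bind the Hyper-V external switch or the host IP configuration to that interface, not to the members.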

Activating windows

Configure server roles and features (15-20%)

Storage Spaces

Create a new Storage Pool

$disks = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName "Pool1" -StorageSubSystemFriendlyName "Storage Spaces*" -PhysicalDisks $disks

Storage Layouts

Simple

Mirror

Parity

Columns
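The four layouts above turned into virtual disks, as an added example that is not part of the original notes. It assumes a pool called Pool1 already exists (as created above) with enough disks: a two-way mirror with two columns stripes each copy over two disks and so needs four, parity needs at least three.

```powershell
$pool = 'Pool1'   # assumed pool name

# Simple: striped across the disks, no redundancy, fastest and cheapest
New-VirtualDisk -StoragePoolFriendlyName $pool -FriendlyName 'Scratch' `
    -ResiliencySettingName Simple -Size 100GB -ProvisioningType Thin

# Two-way mirror: survives one disk failure. NumberOfColumns is how many disks
# each copy is striped across, so 2 copies x 2 columns = 4 disks
New-VirtualDisk -StoragePoolFriendlyName $pool -FriendlyName 'Data' `
    -ResiliencySettingName Mirror -NumberOfDataCopies 2 -NumberOfColumns 2 `
    -Size 200GB -ProvisioningType Fixed

# Parity: survives one disk failure, needs >= 3 disks, best capacity efficiency,
# slowest writes (parity calculation)
New-VirtualDisk -StoragePoolFriendlyName $pool -FriendlyName 'Archive' `
    -ResiliencySettingName Parity -Size 300GB -ProvisioningType Thin

# Bring the mirrored disk online as a formatted volume in one pipeline
Get-VirtualDisk -FriendlyName 'Data' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

Get-VirtualDisk | Select-Object FriendlyName, ResiliencySettingName, NumberOfColumns, HealthStatus
```

Thin provisioning lets a virtual disk be larger than the pool; keep an eye on Get-StoragePool's free space, because a thin disk that runs out of backing capacity goes offline rather than degrading gracefully.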

References

Configure Hyper-V (15-20%)

Hyper-V Details and History

Hyper-V is a Type 1 hypervisor: it runs directly on the server hardware. When the Hyper-V role is installed and the server is restarted, the existing Windows Server installation is moved into the parent (root) partition and from then on runs on top of the hypervisor, like any other partition but with privileged access to the hardware and the job of managing the guests.

Hyper-V first shipped as a post-RTM update to Windows Server 2008.

Server 2008

Server 2008 R2

Server 2008 R2 SP1

Server 2012

Server 2012 R2

References

VHD vs. VHDX

The VHDX virtual disk format was introduced with Server 2012. It raises the maximum disk size from 2040 GB (VHD) to 64 TB, logs metadata updates so the disk survives a power loss without corruption, and supports 4 KB physical sectors.

PowerShell

New-VHD -Path <file.vhdx> -SizeBytes <size> -Dynamic|-Fixed -PhysicalSectorSizeBytes 512|4096
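An added example (not from the original notes) of the New-VHD syntax above in use, together with the conversion from the older format and a check of the result. The paths are assumptions.

```powershell
# Dynamically expanding VHDX with 4K physical sectors
New-VHD -Path 'D:\VMs\data.vhdx' -SizeBytes 40GB -Dynamic -PhysicalSectorSizeBytes 4096

# Convert a legacy VHD (the VM using it must be off); the source file is left in place
Convert-VHD -Path 'D:\VMs\legacy.vhd' -DestinationPath 'D:\VMs\legacy.vhdx' -VHDType Dynamic

# Inspect format, type, on-disk size versus virtual size, and whether it is attached
Get-VHD -Path 'D:\VMs\legacy.vhdx' | Select-Object VhdFormat, VhdType, FileSize, Size, Attached
```

After converting, point the VM's hard drive at the new .vhdx (Set-VMHardDiskDrive) before deleting the .vhd.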

References

Generation 1 vs Generation 2 Virtual Machines

Introduced in Server 2012 R2, Hyper-V supports Generation 2 virtual machines. The generation of a VM determines which hardware and features are presented to the guest operating system: Generation 2 boots from UEFI firmware (with Secure Boot) and a SCSI controller instead of an emulated BIOS and IDE.

Generation 2

Generation 2 virtual machines only support 64-bit guests from Windows 8 / Server 2012 (NT 6.2) onwards.

Note: Linux VMs will not boot unless secure boot is disabled.
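An added example (not part of the original notes) that creates a Generation 2 VM and deals with the Secure Boot caveat: on 2012 R2 the firmware only trusts the Windows boot loader certificate, so a Linux guest needs Secure Boot turned off, while a Windows guest should keep it on. The VM, switch and file names are assumptions.

```powershell
# Generation 2 VM: UEFI firmware, SCSI boot, no emulated legacy devices
New-VM -Name 'LNX01' -Generation 2 -MemoryStartupBytes 2GB `
    -NewVHDPath 'D:\VMs\LNX01.vhdx' -NewVHDSizeBytes 40GB -SwitchName 'External'
Add-VMDvdDrive -VMName 'LNX01' -Path 'D:\ISO\linux.iso'

# Linux boot loaders are not signed by the Windows CA that 2012 R2 firmware
# trusts, so the guest will not boot until Secure Boot is off
Set-VMFirmware -VMName 'LNX01' -EnableSecureBoot Off
Get-VMFirmware -VMName 'LNX01' | Select-Object SecureBoot, BootOrder

# For a Windows guest leave it on; from inside the guest, Confirm-SecureBootUEFI
# returns True when the firmware enforced it during boot
```

Generation is fixed at creation time: there is no converting a Generation 1 VM to Generation 2 later.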

References

VM Resource Metering

Introduced with Hyper-V in Windows Server 2012, resource metering tracks CPU, memory, disk and network usage at the VM level.

Get-VM "VM Name" | Enable-VMResourceMetering
Measure-VM -VMName "VM Name" | Format-List

Get-VMMemory returns a virtual machine's configured memory settings (startup, minimum and maximum), not what the running VM is actually consuming; use Measure-VM (above) or the Hyper-V Dynamic Memory performance counters for that.

Hyper-V Networking

Hyper-V Network Virtualization lets each VM network adapter be placed in a virtual subnet. Virtual subnet IDs can range from 4096 to 16777215; setting the ID to 0 removes the adapter from network virtualization.

Set-VMNetworkAdapter -VMName "VM Name" -VirtualSubnetId 0

Virtual machines only support two (2) virtual network adapters used in a team. You can add more, but only two are supported.

Metering network connections to a specific subnet.

Get-VMNetworkAdapter -VMName Redmond | Add-VMNetworkAdapterAcl -RemoteIPAddress 192.168.0.0/16 -Direction Outbound -Action Meter
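The same port ACL mechanism with Allow/Deny instead of Meter isolates a VM at the virtual switch, independently of whatever firewall runs inside the guest. This is an added example, not from the original notes; it reuses the Redmond VM name from the metering command and assumes the subnets shown.

```powershell
$vm = 'Redmond'   # VM name from the metering example above

# Basic port ACLs (2012): deny everything, then allow the management range.
# The most specific matching prefix wins, so the /16 Allow overrides the /0 Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0      -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 192.168.0.0/16 -Direction Both -Action Allow

# Extended port ACLs (2012 R2): port and protocol aware, ordered by weight
# (higher weight wins), optionally stateful so return traffic is allowed
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Deny  -Direction Inbound `
    -LocalPort 3389 -Protocol TCP -Weight 10
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound `
    -LocalPort 3389 -Protocol TCP -RemoteIPAddress 192.168.10.0/24 -Weight 20 -Stateful $true

Get-VMNetworkAdapterAcl -VMName $vm
Get-VMNetworkAdapterExtendedAcl -VMName $vm
```

Port ACLs are evaluated by the Hyper-V switch, so a compromised guest cannot switch them off the way it could disable its own Windows Firewall.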

Managing Hyper-V Virtual Machines

Using Virtual Machine Connection Enhanced Session Mode

Enhanced session mode allows the sharing of more data between the client and the guest virtual machine. Such as:

These features are only available when the Hyper-V host is Server 2012 R2 and the guest OS is Windows 8.1 Professional/Enterprise or Server 2012 R2.

Enhanced session mode is disabled by default. To enable it:
- On each host, turn on enhanced session mode (Hyper-V Settings, or Set-VMHost -EnableEnhancedSessionMode $true)
- On each VM, enable the Guest Services integration service
- Inside the guest, ensure Remote Desktop Services is running/enabled
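The three enabling steps as commands, added as an example (not the original notes' code). The VM name WS01 is assumed.

```powershell
# Host side: allow enhanced sessions for Virtual Machine Connection on this host
Set-VMHost -EnableEnhancedSessionMode $true

# Per VM: the Guest Service Interface integration component must be on
Enable-VMIntegrationService -VMName 'WS01' -Name 'Guest Service Interface'
Get-VMIntegrationService -VMName 'WS01' | Select-Object Name, Enabled

# Inside the guest: enhanced sessions ride on RDP over the VMBus, so the
# Remote Desktop Services service (TermService) has to be running
Invoke-Command -ComputerName 'WS01' -ScriptBlock { Get-Service -Name TermService }
```

Because the session is an RDP session, the guest's own logon and RDP policies apply, and clipboard and drive redirection inside it can be restricted with the same Group Policy settings used for normal Remote Desktop.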

References

Deploy and configure core network services (15-20%)

DNS

For hosts to resolve single-label names (the bare hostname, without an FQDN), the DNS server should host a primary zone called GlobalNames, which is consulted for single-label queries before falling back to WINS. It should be AD-integrated and replicated forest-wide, and GlobalNames support must also be switched on at each DNS server (Set-DnsServerGlobalNameZone -Enable $true, or dnscmd /config /enableglobalnamessupport 1), otherwise the zone is ignored.

Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Domain
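The complete GlobalNames setup, added as an example that is not part of the original notes: it uses forest-wide replication rather than the domain scope shown above, switches the feature on, adds a record and tests it. The record names are assumptions.

```powershell
# Zone replicated to every DNS server in the forest, so every domain can use it
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Forest

# Creating the zone is not enough: each DNS server must have GlobalNames lookups enabled
Set-DnsServerGlobalNameZone -Enable $true

# Single-label names are CNAMEs to the real FQDN; entries are static (no dynamic updates)
Add-DnsServerResourceRecordCName -ZoneName GlobalNames -Name 'intranet' -HostNameAlias 'web01.corp.example.com'

# A client in any domain of the forest can now resolve the bare name
Resolve-DnsName -Name intranet -Type A
```

Because GlobalNames entries are static and administrator-created, the zone cannot be hijacked through dynamic update the way a spoofed single-label name can be registered in WINS or via LLMNR.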

Printing

Migrating Printers - printbrm tool.

Auditing

IPv4

Subnetting

IPv6

Prefixes:

Autoconfiguration

In IPv4 land, IP addresses are typically configured through a DHCP server. The DHCP server provides IP addresses as well as other subnet-specific options, such as the addresses of the DNS servers, the gateway (router) and Windows Deployment Services (network booting).

In IPv6 land, IP addresses are typically automatically configured. When IPv6 is enabled on an interface, it will (attempt to) create multiple IPv6 addresses.

The first is an EUI-64-derived link-local address. Link-local addresses are scoped to the link (the layer 2 broadcast domain), so routers never forward packets to or from them beyond the subnet.

This address is created by taking the interface's 48-bit MAC address, inserting FFFE right in the middle to make 64 bits, and flipping the 7th bit of the first octet (the universal/local bit, inverted by RFC 4291 so that manually assigned identifiers such as ::1 can be written compactly). The result is used as the host (interface) ID in the FE80::/64 network.

For example, given the MAC address: 68:C2:D4:99:B9:E6, the resultant EUI-64 host ID will be 6AC2:D4FF:FE99:B9E6.

Putting the FE80:: network address at the beginning leaves the full EUI-64 address as:

FE80::6AC2:D4FF:FE99:B9E6/64.

Note the :: which has omitted a series of 0’s from the address. The full address is FE80:0000:0000:0000:6AC2:D4FF:FE99:B9E6/64.

In addition, if your network supports it, devices may attempt to generate a stateless autoconfiguration IPv6 address (see below).

Broadcast Groups

In an IPv4 network you have the notion of a subnet broadcast, used by processes such as ARP requests to find the hardware address for an IP address.

IPv6 has no broadcast address. On connection, the interface automatically joins at least the all-nodes multicast group and a solicited-node multicast group built from the last 24 bits of its IPv6 address (which, for an EUI-64 address, are the last 24 bits of its MAC address). Neighbor Discovery sends to that group instead of broadcasting.

For example, given the same MAC address as above (68:C2:D4:99:B9:E6), the machine will be a member of FF02::1 (all nodes) and FF02::1:FF99:B9E6 (its solicited-node group).
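The EUI-64 derivation and the solicited-node group from the two passages above, implemented as a function. This is an added example, not from the original notes; it uses the same MAC address as the text.

```powershell
function ConvertTo-Ipv6LinkLocal {
    param([Parameter(Mandatory)][string]$MacAddress)

    # Accept 68:C2:D4:99:B9:E6 or 68-C2-D4-99-B9-E6
    [byte[]]$mac = ($MacAddress -split '[:-]') | ForEach-Object { [Convert]::ToByte($_, 16) }
    if ($mac.Count -ne 6) { throw "Expected a 48-bit MAC address, got '$MacAddress'" }

    # EUI-64: split the MAC in half, insert FF FE, then flip the universal/local
    # bit (bit 1 of the first octet): 0x68 -> 0x6A
    [byte[]]$eui = @($mac[0..2]) + @(0xFF, 0xFE) + @($mac[3..5])
    $eui[0] = $eui[0] -bxor 0x02

    # Group into four 16-bit hextets
    $hextets = 0, 2, 4, 6 | ForEach-Object { '{0:X2}{1:X2}' -f $eui[$_], $eui[$_ + 1] }
    $interfaceId = $hextets -join ':'

    [pscustomobject]@{
        MacAddress    = $MacAddress
        InterfaceId   = $interfaceId
        LinkLocal     = "FE80::$interfaceId"
        # Solicited-node group: FF02::1:FF followed by the low 24 bits of the address
        SolicitedNode = 'FF02::1:FF{0:X2}:{1:X2}{2:X2}' -f $mac[3], $mac[4], $mac[5]
    }
}

ConvertTo-Ipv6LinkLocal -MacAddress '68:C2:D4:99:B9:E6'
```

Caveat when comparing the output with Get-NetIPAddress: Windows (Vista and later) generates random interface identifiers by default rather than EUI-64 ones, so the real link-local address will not match unless netsh interface ipv6 set global randomizeidentifiers=disabled has been run. Temporary (privacy) addresses add further randomised identifiers on top.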

Stateless Autoconfiguration

Devices can also attempt to discover the network they are on and generate an address appropriate for it. On connection, the interface sends a Router Solicitation to the all-routers multicast group FF02::2 (routers join it automatically). A router, if present, responds with a Router Advertisement containing the network prefix and flags saying whether other options are available via DHCPv6 (see below).

By default the interface also sets its default gateway to the link-local address of the router that sent the Router Advertisement.

From the advertised prefix the interface generates a host ID (EUI-64 or random) and runs Duplicate Address Detection, sending a Neighbor Solicitation to the address's solicited-node group to check that no other device already has it.

If the Router Advertisement has the O (Other configuration) flag set, the host additionally sends a stateless DHCPv6 request to obtain options such as DNS servers; if the M (Managed) flag is set, it uses stateful DHCPv6 to obtain the address itself.
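The flip side of "the interface sets its gateway to whoever answered" is that any host on the link can send a Router Advertisement. The added example below (not from the original notes; Ethernet is an assumed alias) shows how to see what the stack currently accepts from RAs, what addresses it has produced, and how a server with static IPv6 configuration can stop listening to them.

```powershell
$alias = 'Ethernet'   # assumed interface alias

# What the stack currently accepts from Router Advertisements
Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6 |
    Select-Object InterfaceAlias, RouterDiscovery, ManagedAddressConfiguration, OtherStatefulConfiguration, Dhcp

# Addresses produced so far: link-local, SLAAC/DHCPv6 addresses, temporary ones
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv6 |
    Select-Object IPAddress, PrefixOrigin, SuffixOrigin, AddressState

# A server with a static IPv6 address has no reason to trust unsolicited RAs:
# otherwise any host on the link can hand it a default gateway and prefix
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6 -RouterDiscovery Disabled
```

On the switch side the matching control is RA Guard on access ports; on the host, disabling router discovery is the equivalent for servers that have their gateway set statically anyway.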

References:

Install and administer Active Directory (15-20%)

Domain Controllers

FSMO Roles

Global Catalog Role

A global catalog server lets you search the entire AD DS forest (for a sub set of AD information) without requests to the domain controller in the domain that stores the target of your search.

To promote a domain controller to a global catalog server, you can use either Active Directory Sites and Services (the Global Catalog checkbox on the NTDS Settings object) or Set-ADObject against that object's distinguished name. Note that the server object sits under CN=Servers in the site, not under an OU:

Set-ADObject "CN=NTDS Settings,CN=Server-Name,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM" -Replace @{options='1'}

Replacing options='1' with options='0' disables the global catalog role for that domain controller. The options attribute is a bitmask (bit 1 = global catalog), so -Replace overwrites any other bits that were set; read the current value first if you need to preserve them.
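An added example (not from the original notes) that avoids hand-building the distinguished name and preserves the other bits of the options attribute. The domain controller name DC02 is an assumption.

```powershell
Import-Module ActiveDirectory

$dc = 'DC02'   # assumed domain controller name

# Get-ADDomainController already knows the NTDS Settings DN, so there is no need
# to type "CN=NTDS Settings,CN=DC02,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,..."
$ntds = (Get-ADDomainController -Identity $dc).NTDSSettingsObjectDN

# options is a bitmask: bit 1 (0x1) = global catalog. OR it in rather than
# replacing the whole value, so other flags on the object are untouched
$current = (Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($current -bor 1) }

# To remove the role instead: -Replace @{ options = ($current -band -bnot 1) }

# Verify; the DC advertises as a GC (LDAP 3268/3269) once the partial
# attribute set has replicated in
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
```

In a single-domain forest every DC can be a GC at no extra cost; in multi-domain forests the GC placement decides which sites can still log users on (universal group membership lookups) when the WAN is down.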

References

Offline joining a workstation

Requires at least one domain controller running Server 2008 R2 or later; the domain functional level does not have to be raised.

djoin.exe can provision and join machines running Windows 7, Server 2008 R2, Windows 8, Server 2012 or Server 2012 R2.

djoin /provision /domain <domain> /machine <name> /savefile <file> [/machineou <ou>] [/dcname <dc>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <names>] [/policypaths <paths>]

djoin /requestodj /loadfile <file> /windowspath <path> /localos

The provisioning blob written by /savefile contains the new computer account's password, so treat it as a credential: transfer it securely and delete it once /requestodj has consumed it.

Create and manage group policy (15-20%)

PowerShell commands (Get-Command -Noun GP*):
- New-GPLink
- Set-GPLink
- New-GPO
- New-GPStarterGPO
- Restore-GPO
- Copy-GPO
- Export-GPO
- Import-GPO
- Backup-GPO
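An added example (not from the original notes) that strings the cmdlets above into the usual lifecycle: create a GPO, link and enforce it on an OU, set one registry-backed policy value, then back it up and report on it. The OU, GPO name and backup path are assumptions.

```powershell
Import-Module GroupPolicy

$ou   = 'OU=Servers,DC=corp,DC=example,DC=com'   # assumed target OU
$name = 'Server Baseline'

# Create the GPO (add -StarterGpoName to seed it from a Starter GPO)
New-GPO -Name $name -Comment 'Baseline for member servers' | Out-Null

# Link it, enforce it (child OUs cannot block it) and process it first in the OU
New-GPLink -Name $name -Target $ou -LinkEnabled Yes -Enforced Yes -Order 1

# Registry-backed policy value written straight into the GPO (here: stop storing LM hashes)
Set-GPRegistryValue -Name $name -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1

# Back up before the next change, and keep a readable report next to the backup
New-Item -ItemType Directory -Force -Path 'C:\GPOBackup' | Out-Null
$backup = Backup-GPO -Name $name -Path 'C:\GPOBackup' -Comment 'pre-change'
Get-GPOReport -Name $name -ReportType Html -Path "C:\GPOBackup\$($backup.Id).html"
```

Restore-GPO -BackupId $backup.Id -Path 'C:\GPOBackup' brings the settings back, but not the links; those live on the OU and have to be recreated with New-GPLink.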

Central Store

Supported from Server 2008 and allows

References

TechNet How to implement the central store for GP Admin Templates
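How the central store is created in practice, added as an example (not from the original notes or the TechNet article): the ADMX/ADML templates from a workstation that has the newest set are copied into the SYSVOL path that GPMC checks first. The domain name is an assumption.

```powershell
$domain = 'corp.example.com'   # assumed domain
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Seed from the local template folder of the admin workstation (newest ADMX set,
# e.g. with RSAT installed). /E copies subfolders (the language folders such as
# en-US), /XO leaves files that are already newer on the target alone
if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }
robocopy "$env:SystemRoot\PolicyDefinitions" $store /E /XO

# GPMC now reads templates from SYSVOL instead of each admin's local copy; the
# editor confirms this with "retrieved from the central store" under Administrative Templates
Get-ChildItem $store -Filter *.admx | Measure-Object
Get-ChildItem "$store\en-US" -Filter *.adml | Measure-Object
```

Once the store exists, GPMC ignores the local PolicyDefinitions folder entirely, so a product's ADMX files have to be added to SYSVOL before its settings show up in the editor.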

To Go Over

DHCP and Complex Configuration

- Policies to restrict DHCP scope based on type of machine (VM’s only, or other types of machines).

Certificate and Cert Services

Work Folders

Domains and Trusts
- Group types and PowerShell/cmd utilities and arguments
- Set-ADGroup -GroupScope Universal (to change a group's scope to Universal, for example when it needs to contain user or computer accounts from a different domain in the forest)
- dsmod group can also be used
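An added example (not from the original notes) of the scope change, including the membership check that decides whether AD will accept it. The group name and DN are assumptions.

```powershell
Import-Module ActiveDirectory

$group = 'App-Admins'   # assumed group name

# Scope change rules (AD rejects the conversion otherwise):
#   Global      -> Universal : fails if the group is itself a member of another global group
#   Universal   -> Global    : fails if the group contains universal groups
#   DomainLocal -> Universal : fails if the group contains other domain local groups
$g = Get-ADGroup -Identity $group -Properties MemberOf
$blocking = $g.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
    Where-Object GroupScope -eq 'Global'

if ($blocking) {
    "Cannot convert $group to Universal while it belongs to global groups: $($blocking.Name -join ', ')"
} else {
    Set-ADGroup -Identity $group -GroupScope Universal
    Get-ADGroup -Identity $group | Select-Object Name, GroupScope, GroupCategory
}

# dsmod equivalent (scope l = domain local, g = global, u = universal):
# dsmod group "CN=App-Admins,OU=Groups,DC=corp,DC=example,DC=com" -scope u
```

Universal group membership is stored in the global catalog, so after the change every GC in the forest replicates the member list; that is the cost that makes Global the default scope.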

FlashCards

netsh (used a lot)

netsh firewall is deprecated; use netsh advfirewall instead.
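An added example (not from the original notes) putting netsh advfirewall next to the equivalent NetSecurity cmdlets, which exist on Server 2012 onwards. The management subnet is an assumption.

```powershell
# Profile state, the netsh way and the cmdlet way
netsh advfirewall show allprofiles state
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# The same rule in both tools: allow RDP only from a management subnet, domain profile only
netsh advfirewall firewall add rule name="RDP from mgmt (netsh)" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.10.0/24 profile=domain
New-NetFirewallRule -DisplayName 'RDP from mgmt' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.10.0/24 -Profile Domain

# The cmdlets return objects, so auditing is a query rather than text parsing:
# every enabled inbound allow rule that is open to any remote address
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```

The address, port and application conditions of a rule live in separate filter objects (Get-NetFirewallAddressFilter, Get-NetFirewallPortFilter, Get-NetFirewallApplicationFilter), which is why the audit pipes each rule through the address filter rather than reading a property on the rule itself.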

Important Ports

- 3389 - Remote Desktop
- 1723 - PPTP VPN access
- 80 - Web traffic (HTTP)
- 443 - HTTPS web traffic
- 110 - POP email
- 25 - SMTP email

PowerShell

Firewall Configuration

Measuring Performance

AppLocker

Essentially an updated version of Software Restriction Policies. AppLocker policies can only be applied to machines running Windows 7 / Server 2008 R2 onwards, and are only enforced on the Enterprise and Ultimate editions of the client OS (Professional ignores them).

AppLocker policies are a computer based GPO, found at the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker container.

AppLocker requires the Application Identity service (AppIDSvc) to be running; it is set to Manual start by default, so set it to Automatic on every machine that should enforce rules.

You can merge AppLocker policies using the Set-AppLockerPolicy -Merge PowerShell cmdlet; without -Merge, the supplied policy replaces the existing one.
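An added example (not from the original notes) of the AppLocker cmdlet workflow: start the enforcement service, generate publisher rules from what is installed, test the policy against a download folder for a standard user, and merge it. The user name and paths are assumptions; in a domain the service start type is normally pushed by Group Policy (System Services) rather than set by hand.

```powershell
Import-Module AppLocker

# The enforcement engine; without it, rules are simply not evaluated
sc.exe config AppIDSvc start= auto
Start-Service -Name AppIDSvc

# Build publisher rules (hash fallback for unsigned files) from the installed software
$files  = Get-AppLockerFileInformation -Directory "$env:ProgramFiles" -Recurse -FileType Exe
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
New-Item -ItemType Directory -Force -Path 'C:\AppLocker' | Out-Null
$policy | Out-File -FilePath 'C:\AppLocker\policy.xml' -Encoding utf8

# Dry run before enforcing: which binaries in a download folder would a standard user be denied?
Test-AppLockerPolicy -XmlPolicy 'C:\AppLocker\policy.xml' -Path "$env:USERPROFILE\Downloads\*.exe" -User 'corp\alice' |
    Where-Object PolicyDecision -ne 'Allowed'

# Merge into the local policy (add -Ldap 'LDAP://...' to target a GPO instead)
Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\policy.xml' -Merge
```

Publisher rules survive application updates because they match on the signing certificate, product and (optionally) minimum version, whereas hash rules have to be regenerated after every patch.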

References:

Get-Counter with the standard \Memory counters reports the host (root partition) view; per-VM figures come from the Hyper-V counter sets (for example \Hyper-V Dynamic Memory VM(*)\Physical Memory) or from Measure-VM, not from the host's Memory counters.

Command line tools
- netsh
- net share
- dism
- rsat
- sc
- dnscmd
- secedit
- scwcmd

slmgr.vbs (Activation)

slmgr.vbs /ipk <product-key> must be run first to install the product key. slmgr.vbs /ato activates Windows. slmgr.vbs /act-type <type> sets the activation type for volume licensing (1 = Active Directory-based, 2 = KMS, 3 = token, 0 = all).

Active Directory
- dsamain
- ldifde
- dsadd
- dsmod
- csvde
- djoin
- dsmgmt
- dsacls

PowerShell cmdlets
- Get-ADGroupMember
- Get-ADGroup
- Set-VMNetworkAdapter (VLAN etc.)

Operating System Versions

NT 10 - Windows 10 / Server 2016

NT 6.3 - Windows 8.1 / Server 2012 R2

NT 6.2 - Windows 8 / Server 2012

NT 6.1 - Windows 7 / Server 2008 R2

NT 6.0 - Windows Vista / Server 2008