
OFFICIAL MICROSOFT LEARNING PRODUCT

20417C
Upgrading Your Skills to MCSA Windows
Server 2012
Companion Content

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners.



Product Number: 20417C
Released: 01/2014



MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE


These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. "End User" means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. "Microsoft Instructor-Led Courseware" means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. "Microsoft IT Academy Program Member" means an active member of the Microsoft IT Academy
Program.

i. "Microsoft Learning Competency Member" means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. "MOC" means the "Official Microsoft Learning Product" instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. "MPN Member" means an active Microsoft Partner Network program member in good standing.



l. "Personal Device" means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. "Private Training Session" means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. "Trainer" means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. "Trainer Content" means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,


vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.



c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.



ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.



4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
o access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
o alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
o modify or create a derivative work of any Licensed Content,
o publicly display, or make the Licensed Content available for others to access or use,
o copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
o work around any technical limitations in the Licensed Content, or
o reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.



b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

Note: As this licensed content is distributed in Quebec, Canada, some of the clauses
in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is provided "as is". Any
use of this licensed content is at your sole risk. Microsoft gives no other express
warranty. You may have additional rights under local consumer protection law, which this
agreement cannot change. Where permitted by local law, the implied warranties of
merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR
DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages
only, up to US$5.00. You cannot claim any compensation for other
damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the licensed content, services or content (including code)
on third-party Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability,
negligence or other tort, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental
or other damages of any kind, the above limitation or exclusion may not apply to
you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights
under the laws of your country. This agreement does not change the rights granted to you by the laws of your
country if those laws do not permit it to do so.

Revised July 2013
Module 1
Installing and Configuring Windows Server 2012
Contents:
Lesson 1: Installing Windows Server 2012 R2
Lesson 2: Configuring Windows Server 2012 R2 and Windows Server 2012
Lesson 3: Configuring Remote Management for Windows Server 2012 R2 and Windows Server 2012
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Installing Windows Server 2012 R2
Contents:
Resources

Resources
Hardware Requirements for Installing Windows Server 2012 R2
Additional Reading: For more information about the Windows Server Virtualization
Validation Program, see http://go.microsoft.com/fwlink/?LinkId=269652
Migrating Server Roles
Additional Reading: Migrating Roles and Features in Windows Server
http://go.microsoft.com/fwlink/?LinkID=331437

Lesson 2
Configuring Windows Server 2012 R2 and Windows Server 2012
Contents:
Demonstration: Exploring Server Manager in Windows Server 2012 R2
Demonstration: Installing and Optimizing Server Roles in Windows Server 2012

Demonstration: Exploring Server Manager in Windows Server 2012 R2
Demonstration Steps
1. Sign in to server LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Manage, and then click Add Roles and Features. This starts the Add Roles
and Features Wizard.
3. On the Before you begin page of the Add Roles and Features Wizard, click Next.
4. On the Installation Type page of the Add Roles and Features Wizard, select Role-based or
feature-based installation, and then click Next.
5. On the Select destination server page of the Add Roles and Features Wizard, click Select a server
from the server pool. Verify that LON-DC1.Adatum.com is selected, and click Next.
6. On the Select server roles page of the Add Roles and Features Wizard, select Fax Server. In the Add
Roles and Features Wizard dialog box that opens, click Add Features.
7. On the Select server roles page of the Add Roles and Features Wizard, click Next.
8. On the Select features page of the Add Roles and Features Wizard, select BranchCache, and then
click Next.
9. On the Fax Server page of the Add Roles and Features Wizard, click Next.
10. On the Print and Document Services page of the Add Roles and Features Wizard, click Next.
11. On the Select role services page of the Add Roles and Features Wizard, click Next.
12. On the Confirmation page of the Add Roles and Features Wizard, select the Restart the destination
server automatically if required check box. In the Add Roles and Features Wizard dialog box,
click Yes, and then click Install.
13. On the Installation progress page of the Add Roles and Features Wizard, click Close.
14. Click the flag icon next to Server Manager Dashboard and review the messages.
15. On the Server Manager console, click the Dashboard node.
16. In the Roles and Server Groups area, under DNS, click Events.
17. In the DNS - Events Detail View dialog box, change the time period to 12 hours and the Event
Sources to All, and then click OK.
18. In the Roles and Server Groups area, under DNS, click BPA results.
19. On the DNS - BPA Results Detail View dialog box, on the Severity Levels drop-down menu, select
All, and then click OK.
20. In the Server Manager console, on the Tools menu, review the tools that are installed on LON-DC1.
21. Hold down the Start key to start the Microsoft design style Start screen.
22. On the Start screen, click Administrator, and then click Sign Out.
23. Sign in to LON-DC1 by using the Adatum\Administrator account and the password Pa$$w0rd.
24. On the taskbar, click the Windows PowerShell icon.
25. In the Windows PowerShell window, type the following command, and press Enter:
Stop-Computer
Demonstration: Installing and Optimizing Server Roles in Windows Server
2012
Demonstration Steps
1. Sign in to server LON-DC1 by using the Adatum\Administrator account, and the password
Pa$$w0rd.
2. In the already open Server Manager console, click Manage, and then click Add Roles and Features.
3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4. On the Installation Type page, select Role-based or feature-based installation, and then click
Next.
5. On the Server Selection page, click Select a server from the server pool. Verify that LON-DC1.Adatum.com is selected, and click Next.
6. On the Select server roles page, select Application Server, and then click Next.
7. On the Features page, click Next.
8. On the Application Server page, click Next.
9. On the Role Services page, click Next.
10. On the Confirmation page, click Install. To dismiss the Add Roles and Features Wizard, click Close.
11. Click the App Server node of the Server Manager console.
12. Click the Dashboard node, and under App Server, click Performance.
13. Review the console, and click OK.
14. Under the DHCP section, click BPA results. Discuss the BPA results, and click OK.

Installing and Configuring Windows Server 2012 1-7
Lesson 3
Configuring Remote Management for Windows
Server 2012 R2 and Windows Server 2012
Contents:
Resources 8
Demonstration: Configuring Servers for Remote Management 8

1-8 Upgrading Your Skills to MCSA Windows Server 2012
Resources
How Remote Management Works in Windows Server 2012 R2 and
Windows Server 2012
Additional Reading: For more information on Windows Remote Management, visit the
following link: http://go.microsoft.com/fwlink/?LinkId=269663
Additional Reading: For more information on configuring Windows Remote Management,
visit the following Performance Team post: http://go.microsoft.com/fwlink/?LinkId=269664
Additional Reading: For more information on Remote Windows PowerShell, visit the
following link: http://go.microsoft.com/fwlink/?LinkId=269667
Demonstration: Configuring Servers for Remote Management
Demonstration Steps
1. Sign in to LON-DC1 using the Adatum\Administrator account with the password Pa$$w0rd.
2. In the Server Manager console, click Local Server, and next to Remote Management, click
Enabled.
3. On the Configure Remote Management dialog box, clear the check box next to Enable remote
management of this server from other computers, and then click OK.
4. Close the Server Manager console.
5. Open Windows PowerShell from the taskbar.
6. At the Windows PowerShell prompt, run the winrm qc command. When you are prompted, type Y,
and then press Enter.
7. Open the Server Manager console. Click Local Server, and then verify that Remote Management is
now enabled.

Installing and Configuring Windows Server 2012 1-9
Module Review and Takeaways
Best Practices
• Unless you must have a Server with a GUI installation to support roles and features, deploy Server Core.
• Use Windows Remote Management to manage multiple servers from a single server by using the Server Manager console.
• Use Windows PowerShell remoting to run remote Windows PowerShell sessions, rather than logging on locally to perform the same task.
Review Question(s)
Question: Why is the Server Core installation the default installation option for Windows Server 2012 R2
installations?
Answer: The Server Core installation is the default installation option for Windows Server 2012 R2
because it enables you to deploy the most frequently used roles with a minimal hardware
footprint.
Real-world Issues and Scenarios
• Unless a particular role requires it, consider using the Server Core installation option as your default server deployment option. You can always install the GUI later if required.
• Understand which roles and features you must deploy on a server prior to deploying that server, rather than deploying roles and features to servers without planning.
• You should plan to manage many servers from one console, rather than logging on to each server individually.
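The planning advice above can be checked after deployment by comparing the roles that are actually installed with the roles that were planned. This is an added example, not part of the original courseware; the function name Compare-RoleBaseline and the planned role list for LON-DC1 are assumptions made for illustration.

```powershell
# Added example (not from the courseware): report installed roles against a plan.
# Get-WindowsFeature ships with the ServerManager module on Windows Server 2012 and 2012 R2.
Import-Module ServerManager

function Compare-RoleBaseline {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$PlannedRoles,                    # feature names, for example 'DNS'
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Top-level roles only; role services and features are left out to keep
    # the report short.
    $installed = @(Get-WindowsFeature -ComputerName $ComputerName |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' })
    $installedNames = @($installed | ForEach-Object { $_.Name })

    # Every installed role is either in the plan or not.
    foreach ($role in $installed) {
        $status = if ($PlannedRoles -contains $role.Name) { 'Planned' } else { 'Unplanned' }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Role         = $role.Name
            DisplayName  = $role.DisplayName
            Status       = $status
        }
    }

    # Planned roles that were never installed.
    foreach ($name in $PlannedRoles) {
        if ($installedNames -notcontains $name) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                Role         = $name
                DisplayName  = $null
                Status       = 'Missing'
            }
        }
    }
}

# Assumed plan for the lab domain controller LON-DC1 (hypothetical baseline).
$plan = 'AD-Domain-Services', 'DNS', 'DHCP', 'FileAndStorage-Services'

Compare-RoleBaseline -PlannedRoles $plan -ComputerName 'LON-DC1' |
    Sort-Object Status, Role |
    Format-Table -AutoSize
```

Roles added during the demonstrations in this module, such as Fax Server or Application Server, are reported as Unplanned against this baseline.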
Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
Remote management connections fail | Verify firewall settings.
Windows PowerShell commands are not available | Ensure that appropriate Windows PowerShell modules, such as Server Manager, are loaded.
Cannot install GUI features on Server Core deployment | Mount a WIM image that holds all the Windows Server 2012 R2 files, and use the -source option of the Install-WindowsFeature cmdlet.
Unable to restart a computer running Server Core | Use sconfig.cmd or the shutdown /r command.
Unable to join the domain | Verify DNS resolution and network connectivity between the host and the domain controller.


1-10 Upgrading Your Skills to MCSA Windows Server 2012
Lab Review Questions and Answers
Lab: Installing and Configuring Windows Server 2012 R2
Question and Answers
Question: What steps would you have to take to deploy Windows Server 2012 R2 over a virtual network?
Answer: You would have to configure WDS. You also would have to configure virtual machines to use
legacy network adapters.
Question: Which command could you use to configure the network address settings on a computer
running Server Core, other than sconfig.cmd?
Answer: You can use the netsh command prompt utility to configure the network address settings.
Question: After performing Exercise 3, would you be able to make a Remote Desktop connection from
LON-DC1 to LON-SVR5?
Answer: No. Although you do enable Windows Remote Management, Remote Desktop is not enabled
during this exercise.
Managing Windows Server 2012 by Using Windows PowerShell 2-1
Module 2
Managing Windows Server 2012 by Using Windows
PowerShell
Contents:
Lesson 1: Overview of Windows PowerShell 2
Lesson 2: Using Windows PowerShell to Manage AD DS 4
Lesson 3: Managing Servers by Using Windows PowerShell 6
Module Review and Takeaways 8
Lab Review Questions and Answers 10

2-2 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 1
Overview of Windows PowerShell
Contents:
Resources 3
Demonstration: Using the Windows PowerShell Integrated Scripting
Environment (ISE) 3

Managing Windows Server 2012 by Using Windows PowerShell 2-3
Resources
Windows PowerShell Syntax
Additional Reading: Approved Verbs for Windows PowerShell Commands
http://go.microsoft.com/fwlink/?LinkID=331439
Using Windows PowerShell Modules
Additional Reading: Windows PowerShell Modules
http://go.microsoft.com/fwlink/?linkID=270852
What Is New in Windows PowerShell?
Additional Reading: Get Started with Windows PowerShell Desired State Configuration
http://go.microsoft.com/fwlink/?LinkID=331440
Additional Reading: What's New in Windows PowerShell
http://go.microsoft.com/fwlink/?LinkID=331441
Demonstration: Using the Windows PowerShell Integrated Scripting
Environment (ISE)
Demonstration Steps
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$word.
2. Browse to the Start screen, type Windows PowerShell ISE, and then right-click the Windows
PowerShell ISE app tile. In the app bar, click Run as administrator.
3. Click View, and click Show Script Pane.
4. Click File, and click Open. Navigate to the demonstration script at E:\ModXA\Democode\Using
Windows PowerShell ISE.ps1, and then click Open.
5. Follow the instructions within the script to complete the demonstration.
6. Close the Using Windows PowerShell ISE.ps1 tab.

2-4 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 2
Using Windows PowerShell to Manage AD DS
Contents:
Question and Answers 5
Resources 5
Demonstration: Managing AD DS by Using Windows PowerShell 5

Managing Windows Server 2012 by Using Windows PowerShell 2-5
Question and Answers
Using Windows PowerShell Variables
Question: How do you declare variables and assign values to them?
Answer: You can declare a variable and assign it a value by using an equal sign (=) or by using Set-Variable.
Resources
Additional Reading: about_Variables
http://go.microsoft.com/fwlink/?linkID=269668
Demonstration: Managing AD DS by Using Windows PowerShell
Demonstration Steps
1. Sign in to LON-DC1 with the user name Adatum\Administrator and the password Pa$$w0rd.
2. On the Start screen, type Windows PowerShell ISE, and then right-click Windows PowerShell ISE. In
the pop-up window, click Run as administrator.
3. Click File, and click Open. Locate the demonstration script at E:\ModXA\Democode\Managing
Users and Groups.ps1, and click Open.
4. Follow the instructions within the script to complete the demonstration.

2-6 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 3
Managing Servers by Using Windows PowerShell
Contents:
Resources 7
Demonstration: Managing a Server by Using Windows PowerShell 7

Managing Windows Server 2012 by Using Windows PowerShell 2-7
Resources
What Is Windows PowerShell Web Access?
Additional Reading: Install and Use Windows PowerShell Web Access
http://go.microsoft.com/fwlink/?linkID=269669
Introduction to Windows PowerShell Workflow
Additional Reading: Getting Started with Windows PowerShell Workflow
http://go.microsoft.com/fwlink/?LinkID=331442
Demonstration: Managing a Server by Using Windows PowerShell
Demonstration Steps
1. Start virtual machines LON-DC1, LON-SVR1, and LON-SVR2, and then sign in to LON-DC1 with user
name Adatum\Administrator and the password Pa$$w0rd.
2. On LON-DC1, start Internet Explorer.
3. In the address bar, type https://LON-DC1.adatum.com/pswa.
4. Sign in to Windows PowerShell Web Access by using the following information:
o User name: Administrator
o Password: Pa$$w0rd
o Computer: LON-DC1
5. Start a new job by running the following command:
Start-Job -ScriptBlock {Get-ADUser -Filter *}
6. Obtain the status of the job by running Get-Job.
7. Create a new scheduled job by running the following commands, each followed by Enter:
$Trigger = New-JobTrigger -Weekly -DaysOfWeek Monday,Friday -At 9:00AM
Register-ScheduledJob -Name ScheduledJob1 -ScriptBlock {Get-ADUser -Filter *} -Trigger $Trigger
8. Run the scheduled job immediately by running:
Start-Job -DefinitionName ScheduledJob1

2-8 Upgrading Your Skills to MCSA Windows Server 2012
Module Review and Takeaways
Best Practices
• Set a goal to spend time learning how to use Windows PowerShell for your common tasks. This will make you more comfortable when working with Windows PowerShell, and will equip you for using it to perform more complex tasks and resolve certain problems.
• Save the commands that you have used to resolve problems in a script file for later reference.
• Use Windows PowerShell ISE to help you write scripts and ensure that you are using the correct syntax.
Review Question(s)
Question: Which cmdlet will display the content of a text file?
Answer: Get-Content displays the content of a text file. It is also acceptable to use type, which is an alias
for Get-Content.
Question: Which cmdlet will move a file to another directory?
Answer: Move-Item moves a file to another directory. It is also acceptable to use move and mi as aliases
for Move-Item.
Question: Which cmdlet will rename a file?
Answer: Rename-Item renames a file. It is also acceptable to use ren, which is an alias for Rename-Item.
Question: Which cmdlet will create a new directory?
Answer: New-Item creates a new directory. It is also acceptable to use ni, which is an alias for New-Item.
Question: Which cmdlet do you think would retrieve information from the event log?
Answer: Get-EventLog retrieves information from the event log.
Question: Which cmdlet do you think would start a stopped virtual machine?
Answer: Start-VM would start a stopped virtual machine.
Real-world Issues and Scenarios
Many common tools can be replaced with Windows PowerShell cmdlets. The following table shows some
examples of common commands that can be replaced with Windows PowerShell cmdlets in Windows
Server 2012 R2.
Old Command | Windows PowerShell Equivalent
ipconfig /a | Get-NetIPConfiguration
Shutdown.exe | Restart-Computer
Net Start | Start-Service (Restart-Service)
Net Stop | Stop-Service (Restart-Service)
Net Use | New-SmbMapping
Netstat | Get-NetTCPConnection
Netsh advfirewall add | New-NetFirewallRule
Route Print | Get-NetRoute
Tools
You can use the tools in the following table to work with Windows PowerShell.
Tool | Description
Windows PowerShell Integrated Script Editor (ISE) | Windows PowerShell ISE provides a simple, yet powerful interface to create and test scripts, and discover new cmdlets.
Microsoft Visual Studio Workflow Designer | This is a development tool that is used to create Windows PowerShell workflows.
Powershell.exe | This is the Windows PowerShell executable.
Active Directory Administrative Center | This tool enables you to perform common Active Directory management tasks, such as creating and modifying user and computer accounts. All of the changes that you make by using this management tool are logged in the Windows PowerShell History pane.

Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
Administrators cannot find the correct Windows PowerShell cmdlet for a task. | Use the Get-Command cmdlets and Help in Windows PowerShell ISE to search for cmdlets.
Administrator cannot connect to a server by using remote Windows PowerShell. | There are several possible reasons why this could occur. For example, Remote Windows PowerShell connections may be blocked by Windows Advanced Firewall, or the WinRM service may be misconfigured or disabled.
Get-Help does not provide any help for cmdlets. | You may have to download the latest Help files. You can download the latest files by using the Update-Help cmdlet.
An administrator is new to Windows PowerShell, and is uncomfortable with the command-line. | Use Windows PowerShell ISE to become more familiar with the command line. Also, use the Get-Command and Show-Command cmdlets to provide additional help.
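The remote connection failures named in this table and in the Module 1 troubleshooting table (firewall blocking, WinRM misconfigured or disabled) can be separated with a short triage script. This is an added example, not part of the original courseware; the function names are assumptions, and 5985 is the default WinRM HTTP port.

```powershell
# Added example (not from the courseware). Run from an elevated session.

# Run on the management server: tests each layer toward the target in turn.
function Test-RemoteManagementPath {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,
        [int]$Port = 5985,          # default WinRM HTTP listener port
        [int]$TimeoutMs = 3000
    )

    $report = [ordered]@{
        ComputerName  = $ComputerName
        DnsResolves   = $false
        PortReachable = $false
        WsManResponds = $false
        Detail        = 'OK'
    }

    # 1. Name resolution
    try {
        [void][System.Net.Dns]::GetHostAddresses($ComputerName)
        $report.DnsResolves = $true
    } catch {
        $report.Detail = "Name resolution failed: $($_.Exception.Message)"
        return [pscustomobject]$report
    }

    # 2. TCP reachability (TcpClient also works on Windows Server 2012,
    #    where Test-NetConnection is not available)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)
            $report.PortReachable = $true
        }
    } catch {
        # Connection refused or reset: PortReachable stays false.
    } finally {
        $client.Close()
    }
    if (-not $report.PortReachable) {
        $report.Detail = "TCP $Port not reachable: check Windows Firewall on the target and any network filters."
        return [pscustomobject]$report
    }

    # 3. WS-Management responds on that port
    try {
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
        $report.WsManResponds = $true
    } catch {
        $report.Detail = "Port open but WS-Management did not answer: $($_.Exception.Message)"
    }
    [pscustomobject]$report
}

# Run locally on the target server: service, listeners and firewall rules.
function Get-LocalWinRMState {
    $listeners = @()
    try {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction Stop)
    } catch {
        # The WSMan: drive cannot be read when the WinRM service is stopped.
    }
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    [pscustomobject]@{
        ServiceStatus        = (Get-Service -Name WinRM).Status
        ListenerCount        = $listeners.Count
        EnabledInboundAllows = @($rules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" })
    }
}

Test-RemoteManagementPath -ComputerName 'LON-SVR1'   # lab server name from this module
Get-LocalWinRMState
```

The firewall rule output includes the profile each rule applies to, which shows whether remote management is allowed only on the Domain and Private profiles or on Public as well.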

2-10 Upgrading Your Skills to MCSA Windows Server 2012
Lab Review Questions and Answers
Lab: Managing Servers Running Windows Server 2012 by Using Windows
PowerShell
Question and Answers
Question: What happens if you try to run an unsigned script that you have created locally and the
execution policy is set to RemoteSigned?
Answer: When a locally created script is run on a computer with the execution policy set to
RemoteSigned, the script runs successfully without warning. This is the default policy for
Windows Server 2012 R2.
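RemoteSigned separates local scripts from downloaded ones by the Zone.Identifier alternate data stream that browsers and mail clients attach to downloaded files. The following added example, which is not part of the original courseware, reads that mark and the Authenticode signature of a script; the function name and the sample script are constructed for illustration, and scripts run from UNC paths are out of scope.

```powershell
# Added example (not from the courseware). Requires an NTFS volume.
function Get-RemoteSignedDecision {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Read the mark left on downloaded files, if there is one.
    $zoneId = $null
    $mark = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($mark) {
        foreach ($line in $mark) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
    }
    $fromInternet = ($zoneId -ne $null -and $zoneId -ge 3)   # 3 = Internet, 4 = Restricted sites

    $signature = Get-AuthenticodeSignature -FilePath $file.FullName

    if (-not $fromInternet) {
        $decision = 'Runs: treated as local, no signature required'
    } elseif ($signature.Status -eq 'Valid') {
        $decision = 'Runs: remote script with a valid signature (an untrusted publisher still prompts)'
    } else {
        $decision = 'Blocked: remote script without a valid signature'
    }

    [pscustomobject]@{
        Path              = $file.FullName
        EffectivePolicy   = Get-ExecutionPolicy
        ZoneId            = $zoneId
        SignatureStatus   = $signature.Status
        UnderRemoteSigned = $decision
    }
}

# Constructed sample: an unsigned script created locally, as in the lab question.
$sample = Join-Path $env:TEMP 'RemoteSignedDemo.ps1'
Set-Content -LiteralPath $sample -Value 'Get-Date'
Get-RemoteSignedDecision -Path $sample            # ZoneId empty: runs

# The same file with a constructed Internet-zone mark, as a download would carry.
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Get-RemoteSignedDecision -Path $sample            # ZoneId 3, not signed: blocked

Remove-Item -LiteralPath $sample
Get-ExecutionPolicy -List                         # policy at every scope
```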
Question: How can you automate the creation of hundreds of user accounts based on data contained on
an Excel spreadsheet?
Answer: You can save the Excel file as a CSV file, and then use a Windows PowerShell script that uses the
Import-CSV and Add-ADUser cmdlets.
Managing Storage in Windows Server 2012 3-1
Module 3
Managing Storage in Windows Server 2012
Contents:
Lesson 1: Storage Features in Windows Server 2012 2
Lesson 2: Configuring iSCSI Storage 6
Lesson 3: Configuring Storage Spaces in Windows Server 2012 10
Lesson 4: Configuring BranchCache in Windows Server 2012 14
Module Review and Takeaways 17
Lab Review Questions and Answers 18

3-2 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 1
Storage Features in Windows Server 2012
Contents:
Question and Answers 3
Resources 3
Demonstration: Configuring Data Deduplication 4
Demonstration: Managing Virtual Hard Disks 4

Managing Storage in Windows Server 2012 3-3
Question and Answers
What Is Data Deduplication?
Question: On which of your shares can you use data deduplication?
Answer: The answer varies according to the company. In smaller companies, it is very likely that there is
one share that stores all of the software or application files, and in such cases, data deduplication
would be a good way to reduce space. Generally, data deduplication should be used on large
volumes that contain data that does not change frequently. Data deduplication cannot be used
for volumes containing an operating system.
What's New in File Server Resource Manager?
Question: Are you currently using the File Server Resource Manager in Windows Server 2008? If yes, for
what areas do you use it?
Answer: The answer will vary based on the student's experience with the File Server Resource Manager in Windows Server 2008. File Server Resource Manager is used in the following areas:
• File classification infrastructure
• File management tasks
• Quota management
• File screening management
Resources
File and Storage Services in Windows Server 2012
Additional Reading: For more information, see File and Storage Services Overview at
http://go.microsoft.com/fwlink/?linkID=269670
What Is Data Deduplication?
Additional Reading: For more information, see Data Deduplication Overview at
http://go.microsoft.com/fwlink/?linkID=269657
For more information, see Introduction to Data Deduplication in Windows Server 2012 at
http://go.microsoft.com/fwlink/?linkID=269671
What Are Thin Provisioning and Trim Storage?
Additional Reading: For more information, see Thin Provisioning and Trim Storage
Overview at http://go.microsoft.com/fwlink/?linkID=269672
What's New in File Server Resource Manager?
Additional Reading: For more information, see What's New in File Server Resource
Manager in Windows Server 2012 at http://go.microsoft.com/fwlink/?linkID=270039
For more information, see What's New in File Server Resource Manager in Windows Server 2012
R2 at http://go.microsoft.com/fwlink/?LinkID=331422
What Are Basic and Dynamic Disks?
Additional Reading: For more information, see How Basic Disks and Volumes Work at
http://go.microsoft.com/fwlink/?LinkID=199648
For more information, see Dynamic disks and volumes at
http://go.microsoft.com/fwlink/?LinkID=199649
Demonstration: Configuring Data Deduplication
Demonstration Steps
Add the Data Deduplication role service
1. Sign in to LON-DC1 with the user name Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services (Installed), select the Data Deduplication check box, and then click Next.
7. On the Select features page, click Next.
8. On the Confirm installation selections page, click Install.
9. When installation is complete, click Close.
Enable Data Deduplication on E: Drive
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click Volumes.
3. In the Volumes pane, right-click E:, and then in the drop-down list, select Configure Data
Deduplication.
4. In the Allfiles (E:\) Deduplication Settings dialog box, click General purpose file server from the
Data duplication list, and in the Deduplicate files older than (in days) box, type 3, and then click
Set Deduplication Schedule.
5. In the LON-DC1 Deduplication Schedule dialog box, click Enable throughput optimization, in the
Start time drop-down list, select the closest hour to the current time, and then click OK.
6. In the Allfiles (E:\) Deduplication Settings dialog box, click OK.
Demonstration: Managing Virtual Hard Disks
Demonstration Steps
Create a virtual hard disk
1. On LON-SVR1, if required, start Server Manager.
2. Click Tools, and then click Computer Management.
3. In Computer Management, click Disk Management.
4. Wait for the disks to appear, and then right-click Disk Management, and click Create VHD.
5. In the Create and Attach Virtual Hard Disk dialog box, click Browse.
6. Browse to E:\Labfiles, type DiskF as the File name, and then click Save.
7. In the Create and Attach Virtual Hard Disk dialog box, type 10 as the Virtual hard disk size.
8. Click VHDX, click Dynamically expanding, and then click OK.
9. On the taskbar, click File Explorer.
10. Browse to E:\Labfiles and verify that a .vhdx file named DiskE.vhdx was created.
Manage a virtual hard disk
1. In Disk Management, right-click Disk 2, click Initialize disk, and then click OK.
2. Right-click the unallocated space on Disk 2, and click New Simple Volume.
3. On the Welcome to the New Simple Volume Wizard page, click Next.
4. On the Specify Volume Size page, click Next.
5. On the Assign Drive Letter or Path page, click Next.
6. On the Format Partition page, type Data as the Volume label, click Next, and then click Finish.
If the Microsoft Windows dialog box appears, click Cancel.
7. In File Explorer, verify that the Data (F:) drive is now listed.
8. Close all open windows.

3-6 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 2
Configuring iSCSI Storage
Contents:
Question and Answers 7
Resources 7
Demonstration: Configuring iSCSI Target 7
Demonstration: Connecting to the iSCSI Storage 8

Managing Storage in Windows Server 2012 3-7
Question and Answers
What is iSCSI?
Question: Can you use your organization's internal IP network to provide iSCSI?
Answer: Yes, you can. However, we recommend having a dedicated IP network for iSCSI so that other network traffic does not interfere with the iSCSI communication, and the iSCSI communication does not interfere with the network traffic.
iSCSI Target Server and iSCSI Initiator
Question: When would you consider implementing diskless booting from iSCSI targets?
Answer: The answer varies depending on your experience, but primarily you might consider using this
approach if you want to implement virtualization technologies such as a Virtual Desktop
Infrastructure (VDI) in your organization.
Resources
Additional Reading: For more information, see Introduction of iSCSI Target in Windows
Server 2012 at http://go.microsoft.com/fwlink/?linkID=269674
Demonstration: Configuring iSCSI Target
Demonstration Steps
Add the iSCSI Target Server role service
1. On LON-DC1, in Server Manager, click Dashboard.
2. Click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7. On the Select features page, click Next.
8. On the Confirm installation selections page, click Install.
9. When installation is complete, click Close.
Create two iSCSI virtual disks and an iSCSI target on LON-DC1
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, type iSCSIDisk1, and then click Next.
6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, ensure GB is selected in the
drop-down list, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-SVR2, and then click Next.
9. On the Specify access servers page, click Add.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type, in the Type drop-down list select IP Address. In the Value box, type 172.16.0.22, and then
click OK.
11. On the Specify access servers page, click Next.
12. On the Enable Authentication page, click Next.
13. On the Confirm selections page, click Create.
14. On the View results page, wait until the creation is completed, and then click Close.
15. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI
Virtual Disk.
16. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
17. On the Specify iSCSI virtual disk name page, type iSCSIDisk2, and then click Next.
18. On the Specify iSCSI virtual disk size page, in the Size box, type 5, ensure GB is selected in the
drop-down list, and then click Next.
19. On the Assign iSCSI target page, click lon-svr2, and then click Next.
20. On the Confirm selections page, click Create.
21. On the View results page, wait until the creation is completed, and then click Close.
Demonstration: Connecting to the iSCSI Storage
Demonstration Steps
Connect LON-SVR2 to the iSCSI target
1. Sign in to LON-SVR2 with user name Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, on the Tools menu, in the Tools drop-down list, select iSCSI Initiator.
3. In the Microsoft iSCSI message box, click Yes.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, type LON-DC1, and then click
Quick Connect.
5. In the Quick Connect window, in the Discovered targets section, click iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target, and then click Done.
6. In the iSCSI Initiator Properties dialog box, to close the dialog box, click OK.
Verify the presence of the iSCSI drive
1. In Server Manager, on the Tools menu, in the Tools drop-down list, select Computer Management.
2. In the Computer Management console, under Storage, click Disk Management.
Notice that the new disks are added. They are all currently offline and not formatted.
3. Close the Computer Management console.
Note: Keep the computers running. You must have them for the demonstration in the
lesson Configuring Storage Spaces in Windows Server 2012.

3-10 Upgrading Your Skills to MCSA Windows Server 2012
Lesson 3
Configuring Storage Spaces in Windows Server 2012
Contents:
Demonstration: Configuring a Storage Space 11
Demonstration: Implementing Redundant Storage Spaces 12

Managing Storage in Windows Server 2012 3-11
Demonstration: Configuring a Storage Space
Demonstration Steps
Create a storage pool
1. On LON-SVR2, open Server Manager by clicking the icon on the taskbar.
2. In the navigation pane, click File and Storage Services, and in the Servers pane, click Storage Pools.
3. In the STORAGE POOLS pane, click TASKS, and then in the TASKS drop-down list, click New Storage
Pool.
4. In the New Storage Pool Wizard, on the Before you begin page, click Next.
5. On the Specify a storage pool name and subsystem page, in the Name box, type StoragePool1,
and then click Next.
6. On the Select physical disks for the storage pool page, click all available Physical disks, and then
click Next.
7. On the Confirm selections page, click Create.
8. On the View results page, wait until the creation is completed, and then click Close.
Create a simple virtual disk and a volume
1. In the VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New Virtual
Disk. Note: If New Virtual Disk appears dimmed, select StoragePool1 first.
2. In the New Virtual Disk Wizard, on the Before you begin page, click Next.
3. On the Select the storage pool page, click StoragePool1, and then click Next.
4. On the Specify the virtual disk name page, in the Name box, type Simple vDisk, and then click
Next.
5. On the Select the storage layout page, in the Layout list, select Simple, and then click Next.
6. On the Specify the provisioning type page, click Thin, and then click Next. You should mention
that this configures thin provisioning for that volume.
7. On the Specify the size of the virtual disk page in the Specify size box, type 2, and then click Next.
8. On the Confirm selections page, click Create.
9. On the View results page, wait until the creation is completed. Ensure Create a volume when this
wizard closes is selected, and click Close.
10. In the New Volume Wizard, on the Before you begin page, click Next.
11. On the Select the server and disk page, under Disk, click Simple vdisk virtual disk, and then click
Next.
12. On the Specify the size of the volume page, to confirm the default selection, click Next.
13. On the Assign to a drive letter or folder page, to confirm the default selection, click Next.
14. On the Select file system settings page, in the File system drop-down list, select ReFS. In the
Volume label box, type Simple Volume, and then click Next.
15. On the Confirm selections page, click Create.
16. On the Completion page, wait until the creation is completed, and then click Close.
3-12 Upgrading Your Skills to MCSA Windows Server 2012
Demonstration: Implementing Redundant Storage Spaces
Demonstration Steps
Create a redundant virtual disk and a volume
1. On LON-SVR2, in Server Manager, in the VIRTUAL DISKS pane, click TASKS, and then in the TASKS
drop-down list, select New Virtual Disk.
2. In the New Virtual Disk Wizard, on the Before you begin page, click Next.
3. On the Select the storage pool page, click StoragePool1, and then click Next.
4. On the Specify the virtual disk name page, in the Name box, type Mirrored vDisk, and then click
Next.
5. On the Select the storage layout page, in the Layout list, select Mirror, and then click Next.
Note: You should mention that this automatically configures a two-way mirror. You do not
see the Resiliency Settings page because you would require five disks to configure a three-way
mirror.
6. On the Specify the provisioning type page, click Thin, and then click Next.
7. On the Specify the size of the virtual disk page in the Specify size box, type 5, and then click Next.
8. On the Confirm selections page, click Create.
9. On the View results page, wait until the creation is completed, ensure Create a volume when this
wizard closes is selected, and then click Close.
10. In the New Volume Wizard, on the Before you begin page, click Next.
11. On the Select the server and disk page, in the Disk pane, click the Mirrored vDisk virtual disk, and
then click Next.
12. On the Specify the size of the volume page, to confirm the default selection, click Next.
13. On the Assign to a drive letter or folder page, to confirm the default selection, click Next.
14. On the Select file system settings page, in the File system drop-down list, select ReFS. In the
Volume label box, type Mirrored Volume, and then click Next.
15. On the Confirm selections page, click Create.
16. On the Completion page, wait until the creation is completed, and then click Close.
17. On the Start screen, type command prompt, and then press Enter.
18. At the command prompt, type the following command, and then press Enter:
Copy C:\windows\system32\write.exe F:\
19. Close the command prompt.
20. In Server Manager, click the Tools menu, and then in the Tools drop-down list, select Computer
Management.
21. In the Computer Management console, under Storage, click Disk Management.
Note: Notice that the two volumes E: and F: are available.
Simulate a drive failure and test volume access
1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, in the LON-DC1 list, right-click iSCSIDisk1.vhd, and then click
Disable iSCSI Virtual Disk.
4. In the Disable iSCSI Virtual Disk warning message box, click Yes.
5. Switch to LON-SVR2.
6. In the Computer Management console, under Storage, right-click Disk Management and in the
drop-down list, select Rescan Disks.
Note: Notice that the Simple Volume (E:) is not available, and the Mirrored Volume (F:) is
available.
7. On the taskbar, open File Explorer, click Computer, and then click Mirrored Volume (F:). You should
now see write.exe in the file list.
8. Close File Explorer.
9. In Server Manager, in the STORAGE POOLS pane, on the menu bar, click Refresh Storage Pools.
Notice the warning that appears next to Mirrored vDisk.
10. In the VIRTUAL DISKS pane, in the drop-down list, right-click Simple vDisk, and then select
Properties.
11. In the Simple vDisk Properties dialog box, in the navigation pane, click Health.
Note: Notice the Health Status that should indicate Unhealthy. The Operational Status
should indicate Detached. This means that the disk is not available on this computer any longer.
12. To close the dialog box, click OK.
13. In the VIRTUAL DISKS pane, right-click Mirrored vDisk, and then in the drop-down list, select
Properties.
14. In the Mirrored vDisk Properties window, in the navigation pane, click Health.
15. Notice the Health Status should indicate a Warning. The Operational Status should indicate
Incomplete.
16. To close the dialog box, click OK.

Lesson 4
Configuring BranchCache in Windows Server 2012
Contents:
Resources
Demonstration: How to Configure BranchCache

Resources
BranchCache Requirements
Additional Reading: For more information, see BranchCache Overview at
http://go.microsoft.com/fwlink/?linkID=269675
Demonstration: How to Configure BranchCache
Demonstration Steps
Add BranchCache for the Network Files role service
1. Sign in to LON-DC1 with user name Adatum\Administrator and the password Pa$$w0rd.
2. Open Server Manager by clicking the icon on the taskbar.
3. Click Add roles and features.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Next.
6. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
7. On the Select server roles page, expand File And Storage Services (Installed), expand File and
iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
8. On the Select features page, click Next.
9. On the Confirm installation selections page, click Install.
10. When installation is complete, click Close, and then close Server Manager.
Enable BranchCache for the server
1. On the Start screen, type gpedit.msc, and then press Enter. Browse to Computer
Configuration\Administrative Templates\Network\Lanman Server, and double-click Hash
Publication for BranchCache.
2. In the Hash Publication for BranchCache dialog box, click Enabled.
3. In the Options box, under Hash publication actions, select Allow hash publication only for
shared folder on which BranchCache is enabled, and then click OK.
4. Close the Local Group Policy Editor.
Enable BranchCache for a file share
1. On the taskbar, open File Explorer, and then click Local Disk (C:).
2. On the quick access bar located on the upper-left side of the window, click New Folder, type Share,
and then press Enter.
3. Right-click Share, and click Properties.
4. In the Share Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, click Share this folder, and then click Caching.
6. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
7. In the Advanced Sharing dialog box, click OK, and then click Close.
8. Close all open windows.
Module Review and Takeaways
Review Question(s)
Question: How does BranchCache differ from Distributed File System (DFS)?
Answer: BranchCache only caches files that users in a remote location have accessed. DFS replicates files
between head office and a remote location so that all files exist in both locations.
Question: Why would you want to implement BranchCache in Hosted Cache mode instead of the
Distributed Cache mode?
Answer: When you use the Distributed Cache mode, the cache is distributed among all computers
running Windows 7 or newer. However, it is likely that these computers are turned off or that
portable computers are removed from the office. This means that a cached file might not be
available, forcing the file to be downloaded across the WAN link again. However, the Hosted
Cache mode keeps the cached files on a file server that will always be available.
Question: Is the Storage Spaces feature also available on Windows 8?
Answer: Yes, you can use Storage Spaces on both Windows Server 2012 and Windows 8.
Question: Can you configure data deduplication on a boot volume?
Answer: No, you cannot configure data deduplication on a boot volume. You can configure data
deduplication only on volumes that are not system or boot volumes.
Question: Are you currently implementing volumes that are 10 terabytes or larger? What are the
problems with volumes of that size?
Answer: Depending on your situation, you may have very large volumes. However, the larger the volume,
the more difficult and lengthy the process of checking these volumes for errors becomes.
Windows Server 2012 R2 includes an enhanced version of the Chkdsk tool to optimize the
implementation of very large volumes; it also includes the new ReFS file system, which helps to
address the issue of NTFS formatted volumes.
Tools
Tool | Use | Where to find it
iSCSI Target Server | Configure iSCSI targets | In Server Manager, under File and Storage Services
iSCSI Initiator | Configure a client to connect to an iSCSI target virtual disk | In Server Manager, in the Tools drop-down list
Deduplication Evaluation tool (DDPEval.exe) | Analyze a volume for the potential savings from enabling data deduplication | C:\Windows\System32

Lab Review Questions and Answers
Lab A: Managing Storage on Servers Running Windows Server 2012
Question and Answers
Question: Why would you implement MPIO together with iSCSI? What problems would you solve with
this?
Answer: You must have an MPIO to create a second network route to the iSCSI target. This is useful when
you lose a connection to the iSCSI target because of a loss in a network adapter. With MPIO set
up and configured, if a network adapter fails, another network adapter can take over.
Question: What is the purpose of the iSCSI Initiator component?
Answer: The iSCSI Initiator component is the client component for iSCSI to connect to an iSCSI target.
Windows 8 and Windows Server 2012 already have this component preinstalled as a service. You
only have to start it to use it.
Lab B: Implementing BranchCache
Question and Answers
Question: In the lab, you moved LON-SVR1 to its own OU. Why?
Answer: The client configuration settings were configured in the Default Domain Policy that is linked to
the root of the domain. Those Group Policy settings prevent the Hosted cache mode from being
configured on LON-SVR1. By moving LON-SVR1 to its own OU, you were able to block
inheritance of Group Policy to that OU, and thereby prevent those settings from applying to
LON-SVR1.
Question: When would you consider implementing BranchCache into your own organization?
Answer: The answer varies, but BranchCache is only important if you have a branch office or a location
that is connected to your organization's headquarters with a low-bandwidth link.
Module 4
Implementing Network Services
Contents:
Lesson 1: Implementing DNS and DHCP Enhancements
Lesson 2: Implementing IP Address Management (IPAM)
Lesson 3: Managing IP Address Spaces with IPAM
Lesson 5: Implementing NAP
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Implementing DNS and DHCP Enhancements
Contents:
Resources
Demonstration: Configuring DNSSEC
Demonstration: Configuring Failover for DHCP

Resources
What's New in DNS in Windows Server 2012
Reference Links: For detailed information about the improved features of the DNS server role in
Windows Server 2012 R2, see What's New in DNS Server in Windows Server 2012 R2 at
http://go.microsoft.com/fwlink/?LinkID=331423
What's New in DHCP in Windows Server 2012
Reference Links: For a complete list of new and improved Windows PowerShell cmdlets for
DHCP in Windows Server 2012 R2, see Windows PowerShell for DHCP Server at
http://go.microsoft.com/fwlink/?LinkID=331424
Demonstration: Configuring DNSSEC
Demonstration Steps
1. Sign in to LON-DC1 as Adatum\Administrator with a password of Pa$$w0rd.
2. In Server Manager click Tools, and then, in the drop-down list, click DNS.
3. Expand LON-DC1, expand Forward Lookup Zones. Select Adatum.com.
4. On the menu, click Action, and in the drop-down list, click DNSSEC > Sign the Zone.
5. In the Zone Signing Wizard, click Next.
6. On the Signing Options screen, select Customize zone signing parameters, and click Next.
7. On the Key Master screen, ensure that LON-DC1 is the Key Master. Click Next.
8. On the Key Signing Key (KSK) screen, click Next.
9. On the KSK screen, click Add.
10. On the New Key Signing Key (KSK) screen, click OK.
11. On the Key Signing Key screen, click Next.
12. On the Zone Signing Key (ZSK) screen, click Next.
13. On the Zone Signing Key (ZSK) screen, click Add.
14. On the New Zone Signing Key (ZSK) screen, click OK.
15. On the Zone Signing Key screen, click Next.
16. On the Next Secure (NSEC) screen, click Next.
17. On the Trust Anchors (TAs) screen, click Next.
18. On the signing and polling parameters screen, click Next.
19. On the DNS Security Extensions (DNSSEC) screen, click Next, and then click Finish.
20. In Server Manager, click Tools, and then in the drop-down list click Group Policy Management.
21. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click the Default
Domain Policy, and then click Edit.
22. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.
23. In the Create Rules section, in the Suffix field, type Adatum.com.
24. On the DNSSEC tab, select the Enable DNSSEC in this rule check box.
25. Check Require DNS clients to check that name and address data has been validated by the DNS
server, and then click Create.
26. Close all open windows.
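The following check is an added example, not part of the courseware: one way to confirm from Windows PowerShell that the demonstration left the Adatum.com zone signed and that the Name Resolution Policy rule requires validation. Test-DnssecDeployment is a hypothetical helper name, and the probe record lon-svr1.adatum.com is assumed to exist in the zone.

```powershell
# Added example (not from the courseware). Run in an elevated session on a
# domain member that has the DnsServer and DnsClient modules, after
# gpupdate /force. Test-DnssecDeployment is a hypothetical helper name; the
# probe record lon-svr1.adatum.com is assumed to exist in the zone.
function Test-DnssecDeployment {
    param(
        [string]$ZoneName  = 'Adatum.com',
        [string]$DnsServer = 'LON-DC1',
        [string]$ProbeName = 'lon-svr1.adatum.com'
    )

    # 1. The zone should report IsSigned once the Zone Signing Wizard finishes.
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer

    # 2. The wizard added one KSK and one ZSK; both key types must be present.
    $keys = @(Get-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $DnsServer `
                  -ErrorAction SilentlyContinue)
    $hasKsk = @($keys | Where-Object { $_.KeyType -eq 'KeySigningKey' }).Count -gt 0
    $hasZsk = @($keys | Where-Object { $_.KeyType -eq 'ZoneSigningKey' }).Count -gt 0

    # 3. A query sent with the DNSSEC OK bit should come back with RRSIG
    #    records next to the A record. No RRSIG means the answer is unsigned.
    $answer = @(Resolve-DnsName -Name $ProbeName -Type A -Server $DnsServer `
                    -DnssecOk -ErrorAction SilentlyContinue)
    $hasRrsig = @($answer | Where-Object { $_.Type -eq 'RRSIG' }).Count -gt 0

    # 4. The NRPT rule delivered by the Default Domain Policy must be in the
    #    effective policy of this computer and must require validation.
    $rules = @(Get-DnsClientNrptPolicy -Effective |
                   Where-Object { ($_.Namespace -join ',') -like "*$ZoneName" })
    $validationRequired =
        @($rules | Where-Object { $_.DnsSecValidationRequired }).Count -gt 0

    [pscustomobject]@{
        Zone               = $ZoneName
        ZoneIsSigned       = [bool]$zone.IsSigned
        KeySigningKey      = $hasKsk
        ZoneSigningKey     = $hasZsk
        RrsigReturned      = $hasRrsig
        NrptRulePresent    = $rules.Count -gt 0
        ValidationRequired = $validationRequired
    }
}

# Every Boolean column should read True. ValidationRequired = False means the
# client still accepts unvalidated answers for the zone.
Test-DnssecDeployment | Format-List
```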
Demonstration: Configuring Failover for DHCP
Demonstration Steps
1. Sign in to LON-SVR1 as Adatum\Administrator with a password of Pa$$w0rd.
2. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
Note: The server is authorized but no scopes are configured.
3. Switch to LON-DC1.
4. In Server Manager, click Tools, and then in the drop-down list, click DHCP.
5. In the DHCP Management console expand lon-dc1.adatum.com, select and then right-click the IPv4
node, and then click Configure Failover.
6. In the Configuration Failover Wizard, click Next.
7. On the Specify the partner server to use for failover screen, in the Partner Server field, enter
172.16.0.21, and then click Next.
8. On the Create a new failover relationship screen, in the Relationship Name field, enter Adatum.
9. In the Maximum Client Lead Time field, set the hours to 0 and set the minutes to 15.
10. Ensure that the Mode field is set to Load balance.
11. Ensure the Load Balance Percentage is set to 50%.
12. Check State Switchover Interval.
13. In the Enable Message Authentication Shared Secret field, type Pa$$w0rd, and then click Next.
14. In the Configure Failover window, click Finish.
15. Ensure that all five actions have status Successful, and then click Close.
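The same relationship can be created and then audited from Windows PowerShell. This is an added example, not courseware text: it uses a randomly generated shared secret rather than the lab password, and it assumes the scope being protected is 172.16.0.0 on lon-dc1.adatum.com. New-FailoverSecret and Get-FailoverAudit are hypothetical helper names.

```powershell
# Added example (not from the courseware). Requires the DhcpServer module and
# DHCP administrator rights on both partners. The scope ID 172.16.0.0 is an
# assumption about the lab; the other values are the ones used in the steps.

# Hypothetical helper: build a random shared secret for message authentication
# so the relationship does not depend on a password that is used elsewhere.
function New-FailoverSecret {
    param([int]$Bytes = 24)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($buffer) }
    finally { $rng.Dispose() }
    [Convert]::ToBase64String($buffer)
}

# Hypothetical helper: list every IPv4 failover relationship on a server and
# flag the ones that exchange failover messages without authentication.
function Get-FailoverAudit {
    param([string]$ComputerName = 'lon-dc1.adatum.com')
    Get-DhcpServerv4Failover -ComputerName $ComputerName | ForEach-Object {
        [pscustomobject]@{
            Name                = $_.Name
            PartnerServer       = $_.PartnerServer
            Mode                = $_.Mode
            LoadBalancePercent  = $_.LoadBalancePercent
            MaxClientLeadTime   = $_.MaxClientLeadTime
            AutoStateTransition = $_.AutoStateTransition
            Scopes              = ($_.ScopeId -join ', ')
            MessageAuthEnabled  = $_.EnableAuth
            Finding             = if ($_.EnableAuth) { 'OK' }
                                  else { 'Failover messages are not authenticated' }
        }
    }
}

# Create the relationship with the values from the demonstration:
# load balance mode at 50%, 15-minute maximum client lead time, automatic
# state switchover enabled. The switchover interval is left at the server
# default because the steps do not give a value.
$secret = New-FailoverSecret
Add-DhcpServerv4Failover -ComputerName 'lon-dc1.adatum.com' `
    -Name 'Adatum' `
    -PartnerServer '172.16.0.21' `
    -ScopeId 172.16.0.0 `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true `
    -SharedSecret $secret `
    -Force

# Store $secret in your password vault now; it cannot be read back later.
Get-FailoverAudit -ComputerName 'lon-dc1.adatum.com' | Format-List
```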

Lesson 2
Implementing IP Address Management (IPAM)
Contents:
Demonstration: Implementing IPAM

Demonstration: Implementing IPAM
Demonstration Steps
1. Sign in to LON-SVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Server Manager Dashboard, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type screen, click Next.
5. On the Select destination server screen, click Next.
6. On the Select server roles screen, click Next.
7. On the Select features screen, check IP Address Management (IPAM) Server.
8. In the Add features that are required for IP Address Management (IPAM) Server pop-up
window, click Add Features, and then click Next.
9. In Confirm installation selections, click Install.
10. Close the wizard when complete.
11. In the Server Manager navigation pane, click IPAM.
12. In the IPAM Overview pane, click Provision the IPAM server.
13. In the Provision IPAM Wizard, click Next twice.
14. On the Select provisioning method screen, select Group Policy Based and type IPAM in the GPO
name prefix field, and then click Next.
15. On the Confirm the Settings screen, click Apply.
16. When provisioning has completed, click Close.
17. On the IPAM Overview pane, click Configure server discovery.
18. In the Configure Server Discovery dialog box, click Add to add the Adatum.com domain, and then
click OK.
19. In the IPAM Overview pane, click Start server discovery.
20. In the yellow banner, to determine the discovery status, click the More link. The Overview Task
Details window will appear. Discovery will take a few minutes to complete. Wait until the IPAM
ServerDiscovery task in the Overview Task Details window displays Complete in the Stage
column.
21. To return to the IPAM pane, close the Overview Tasks Details dialog box.
Configure managed servers
1. In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
Note: Notice that for LON-SVR1 and LON-DC1, the IPAM Access Status is Blocked. Scroll
down to the Details View and note the status report. This is because the IPAM server has not yet
been granted permission to manage LON-SVR1 or LON-DC1 by using Group Policy.
2. On the taskbar, click the Windows PowerShell icon.
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com
Read the information displayed, type Y, and then press Enter.
4. When you are prompted to confirm the action, press Enter. It will take a few minutes to complete.
5. Return to Server Manager.
6. In the details pane of the IPAM Server Inventory, right-click LON-DC1, and then click Edit Server.
7. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.
8. Repeat Steps 6 and 7 to configure LON-SVR1 to be managed.
9. Switch to LON-DC1.
10. On the taskbar, click Windows PowerShell.
11. Type gpupdate /force, and press Enter.
12. Switch to LON-SVR1.
13. On the taskbar, click Windows PowerShell.
14. Type gpupdate /force, and press Enter.
15. Switch back to LON-SVR2 and right-click LON-DC1, and then click Refresh Server Access Status.
This may take a few minutes to complete.
16. Repeat Step 15 to refresh the status for LON-SVR1.
17. Refresh the page by clicking the Refresh icon on the top menu bar until the IPAM Access
Status shows Unblocked.
18. In the IPAM Overview pane, click retrieve data from managed servers. This action will take several
minutes to complete.

Lesson 3
Managing IP Address Spaces with IPAM
Contents:
Resources
Demonstration: Managing IP Addressing by Using IPAM
Demonstration: Configuring IPAM Reporting and Monitoring

Resources
Using IPAM to Manage IP Addressing
Additional Reading: For more information, see the IPAM Operations Guide at
http://go.microsoft.com/fwlink/?LinkID=331425
Demonstration: Managing IP Addressing by Using IPAM
Demonstration Steps
Add an IP address block
1. On LON-SVR2, in Server Manager, in the navigation pane, click IP Address Blocks.
2. On the upper-right side of the window, click Tasks, and then click Add IP Address Block.
3. In the Add or Edit IPv4 Address Block window, type the following in the boxes, and then click OK:
o Network ID: 172.16.0.0
o Prefix length: 16
o Start IP address: 172.16.0.201
o End IP address: 172.16.0.254
o Description: London subnet
4. In the IPv4 pane, beside Current view:, click IP Address Blocks. Note the newly created address
block for London.
Create an IP address reservation
1. In Server Manager, on the IPAM configuration page, in the navigation pane, click IP Address
Range Groups.
2. In the IPv4 pane, beside Current view:, click IP Address Ranges.
3. Right-click the IP address range with a Network value of 172.16.0.0/16 configured on LON-DC1,
and then click Edit IP Address Range.
4. In the Edit IP Address Range window, click Reservations.
5. In the Reservations box, type 172.16.0.165, click Add, and then click OK.
Deactivate a scope
Click the DHCP Scopes node, and then in the details pane, right-click the first scope listed with a
Scope ID of 172.16.0.0, and then click Deactivate DHCP Scope.
Demonstration: Configuring IPAM Reporting and Monitoring
Demonstration Steps
1. On LON-SVR2, in Server Manager, in the IPAM console tree, click DNS and DHCP Servers.
2. In the Details view, discuss the Server Properties of LON-DC1.Adatum.com.
3. Click the Event Catalog tab, and discuss the events shown.
4. In the IPAM console tree, click DHCP scopes.
5. Select Scope1, and discuss the information in the Scope Properties.
6. Click the Options tab, and discuss the information displayed.
7. Click the Event Catalog tab, and discuss the events shown.
8. In the IPAM console tree, click DNS Zone Monitoring.
9. Select the adatum.com zone, and discuss the information in the Zone Properties.
10. Click the Authoritative Servers tab, and discuss the information displayed.
11. In the IPAM console tree, click Server Groups.
12. Select the LON-DC1.adatum.com entry with the DNS server role, and discuss the information in the
Server Properties.
13. Click the DNS Zones tab, and discuss the information displayed.
14. Click the Event Catalog tab, and discuss the events shown.

Lesson 5
Implementing NAP
Contents:
Demonstration: Implementing NAP with DHCP

Demonstration: Implementing NAP with DHCP
Demonstration Steps
1. On LON-DC1, in Server Manager, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, check Network Policy and Access Services.
6. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Network Policy and Access Services page, click Next.
9. On the Select role services page, select Network Policy Server, and then click Next.
10. On the Confirm installation selections page, click Install. Click Close when the installation
completes.
11. On the Server Manager Tools menu, select Network Policy Server.
12. In the Network Policy Server console, click NPS (Local).
13. In the details pane, click Configure NAP.
14. On the Select Network Connection Method For Use with NAP page in the Network connection
method drop-down list, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
15. On the Specify NAP Enforcement Servers Running DHCP Server page, click Next.
16. On the Specify DHCP Scopes page, click Next.
17. On the Configure Machine Groups page, click Next.
18. On the Specify a NAP Remediation Server Group and URL page, click Next.
19. On the Define NAP Health Policy page, clear the Enable auto-remediation of client computers
check box, and then click Next.
20. Click Finish.
21. In the console tree, expand Network Access Protection, expand System Health Validators, expand
Windows Security Health Validator, click Settings, and in the details pane, double-click Default
Configuration.
22. Clear all check boxes except A firewall is enabled for all network connections, and click OK.
23. Close the Network Policy Server console.
24. Click Tools, and then click DHCP.
25. Expand lon-dc1.adatum.com, select and then right-click IPv4, and then click Properties.
26. Click the Network Access Protection tab, and then click Enable on all scopes.
27. In the DHCP dialog box, click Yes.
28. In the IPv4 Properties dialog box, click OK.

Module Review and Takeaways
Best Practices
Some best practices include the following:
Ensure that IPv6 is enabled on the IPAM server to manage IPv6 address spaces.
Use Group Policy to configure NRPT tables for DNSSEC client computers.
Disable authentication protocols that you are not using.
Document the NPS configuration by using the netsh nps show config > Path\File.txt command to save the
configuration to a text file.
Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
Unable to connect to the IPAM server. | Ensure that the Windows Internal Database (WID) service and the Windows Process Activation service are running.
Noncompliant NAP client computers are being denied network access instead of being sent to the restricted network. | Check that the network policy is configured to Grant Access instead of Deny Access. Access must be granted so that noncompliant computers can receive remediation.


Lab Review Questions and Answers
Lab: Implementing Network Services
Question and Answers
Question: Will client computers still be able to access the network if the DHCP server fails?
Answer: Yes, for the duration of the IP lease. Once the lease expires, the client computers will no longer
be able to renew their IP address and network access will fail.
Question: Is a third-party certification authority required to implement DNSSEC?
Answer: No certification authority is required.
Question: What is the difference between a centralized and a distributed IPAM topology?
Answer: In a centralized topology, there is only one IPAM server in the forest. In a distributed topology,
there is an IPAM server in every site in the forest.
Question: NAP can protect your network from viruses and malware on remote computers that connect to
your network through VPN connections.
( ) True
( ) False
Answer:
( ) True
() False
Module 5
Implementing Remote Access
Contents:
Lesson 1: Remote Access Overview
Lesson 2: Implementing DirectAccess by Using the Getting Started Wizard
Lesson 3: Implementing and Managing an Advanced DirectAccess Infrastructure
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Remote Access Overview
Contents:
Resources
Demonstration: Installing and Managing the Remote Access Role

Resources
Managing Remote Access in Windows Server 2012
Additional Reading: For more information on Remote Access Cmdlets in Windows
PowerShell, visit the following link: http://go.microsoft.com/fwlink/?LinkID=331443
Demonstration: Installing and Managing the Remote Access Role
Demonstration Steps
Install the Remote Access role
1. On LON-SVR1, switch to the Server Manager console, click Manage, and then click Add Roles and
Features.
2. On the Before You Begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Remote Access, and then click Next.
6. On the Select Features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select role services page, click DirectAccess and VPN (RAS), and on the Add Roles and Features
Wizard page, click Add Features.
9. Verify that DirectAccess and VPN (RAS) is selected, and on the Select role services page, click
Next.
10. On the Confirm installation selections page, click Install, and then when the installation finishes,
click Close.
Manage the Remote Access role
1. In the Server Manager console, in the upper-right part of the console, click Tools, and then click
Remote Access Management.
2. In the Remote Access Management Console, review the options for configuring and managing
remote access.
3. In the Server Manager console, in the upper-right part of the console, click Tools, and then click
Routing and Remote Access.
4. In the Routing and Remote Access Console, review the options for configuring and managing remote
access.

Lesson 2
Implementing DirectAccess by Using the Getting
Started Wizard
Contents:
Question and Answers
Resources
Demonstration: Running the Getting Started Wizard
Demonstration: Identifying the Getting Started Wizard Settings

Question and Answers
How DirectAccess Works for Internal Clients
Question: Your organization requires only selected computers to be able to connect from the Internet to
the corporate network resources by using DirectAccess. How will you configure the DirectAccess settings
to meet the organization's requirements?
Answer: If only selected computers need to be provided secure remote access from the Internet to the
corporate network resources, you can create computer groups and then configure appropriate
membership for the clients that need secure remote access. After you configure group
membership, you should configure DirectAccess to allow remote access for the computer group
you created.
How DirectAccess Works for External Clients
Question: If you were using 6to4 instead of Teredo, would you need two IP addresses on the DirectAccess
server?
Answer: No. DirectAccess will first use Teredo, and then will try 6to4. If 6to4 also fails, DirectAccess will try
HTTPS.
Resources
DirectAccess Components
Additional Reading: For more information, visit the following links:
The DNS server does not listen on the ISATAP interface on a computer running Windows Server
2008
http://go.microsoft.com/fwlink/?LinkID=159951
IPv6 - Technology Overview
http://go.microsoft.com/fwlink/?LinkID=269679
Remote Access (DirectAccess, Routing and Remote Access) Overview
http://go.microsoft.com/fwlink/?LinkID=269658
DirectAccess Tunneling Protocol Options
Additional Reading: For more information, visit the following links:
IPv6 Transition Technologies
http://go.microsoft.com/fwlink/?LinkID=154382
Networking and Access Technologies
http://go.microsoft.com/fwlink/?LinkId=169500
[MS-IPHTTPS]: IP over HTTPS (IP-HTTPS) Tunneling Protocol
http://go.microsoft.com/fwlink/?LinkId=169501
Demonstration: Running the Getting Started Wizard
Demonstration Steps
Configure AD DS requirements
1. On LON-DC1, on the taskbar, click the Server Manager console.
2. In the Server Manager console, in the upper-right corner, click Tools, and then click Active Directory
Users and Computers.
3. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and
then click Organizational Unit.
4. In the New Object - Organizational Unit dialog box, in the Name box, type DA_Clients OU, and
then click OK.
5. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
6. In the New Object - Group dialog box, in the Group name box, type DA_Clients.
7. Under Group scope, ensure that Global is selected, and under Group type, ensure that Security is
selected, and then click OK.
8. In the details pane, right-click DA_Clients, and then click Properties.
9. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
11. In the Enter the object names to select (examples) box, type LON-CL1, and then click OK.
12. Verify that LON-CL1 is displayed under Members, and then click OK.
13. Close the Active Directory Users and Computers console.
Configure the DirectAccess server
1. Switch to LON-RTR.
2. In Server Manager, click Tools, and then select Remote Access Management.
3. In the Remote Access Management Console, under Configuration, click DirectAccess and VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to
connect to the Remote Access server box, type 131.107.0.10, and then click Next.
7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two GPOs are created: DirectAccess Server
Settings and DirectAccess Client Settings.
9. Next to Remote Clients, click the Change link.
10. Select Domain Computers (Adatum\Domain Computers), and then click Remove.
11. Click Add, type DA_Clients, and then click OK.
12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
13. On the DirectAccess Client Setup page, click Finish.
14. On the Remote Access Review page, click OK.
15. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard.
16. In the Applying Getting Started Wizard Settings dialog box, click Close.
Validate the DirectAccess deployment
1. When you configured the DirectAccess server, the wizard created two GPOs and linked them to the
domain. To apply them, on LON-CL1, on the Start screen, type cmd and then press Enter to open the
Command Prompt window.
2. At the command prompt, type the following command, and then press Enter.
gpupdate /force
3. At the command prompt, type the following command, and then press Enter.
gpresult /R
4. Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as
Adatum\Administrator with the password Pa$$w0rd, and then repeat steps 3 and 4 on LON-
CL1.
5. At the command prompt, type the following command, and then press Enter.
netsh name show effectivepolicy
6. Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings are inactive when this computer is in a corporate network.
7. Right-click the Start button, and then click Control Panel.
8. In Control Panel, click View Network Status and Tasks.
9. In the Network and Sharing Center window, click Change adapter settings.
10. Right-click Ethernet, and then click Disable.
11. Right-click Ethernet 2, and then in the Networks dialog box, click Enable.
12. In the dialog box, type Yes,
13. Right-click Ethernet 2, and then click Properties.
14. In the Ethernet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
15. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, ensure that the following
details are displayed, and then click OK.
o IP address: 131.107.0.20
o Subnet mask: 255.255.255.0
o Preferred DNS server: 131.107.0.100
16. In the Ethernet 2 Properties dialog box, click OK.
17. Close all open windows.
Verify connectivity to the internal network resources
1. On LON-CL1, on the taskbar, click the Internet Explorer icon.
2. In the Address bar, type http://lon-svr1.adatum.com, and then press Enter. The default IIS 8.0 web
page for LON-SVR1 appears.
3. Leave the Internet Explorer window open.
4. On the Start screen, type \\LON-SVR1\Files, and then press Enter. Note that you are able to access
the folder content.
5. Close all open windows.
6. Click the Start window, on the Start screen type cmd, and then press Enter.
7. At the command prompt, type ipconfig, and then press Enter.
Note: Notice that the IP address for the tunnel adapter IPHTTPSInterface starts with 2002.
This is an IP-HTTPS address.
Verify connectivity to the DirectAccess server
1. At the command prompt, type the following command, and then press Enter.
Netsh name show effectivepolicy
2. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for
adatum.com and Directaccess-NLS.Adatum.com.
3. At the command prompt, type the following command, and then press Enter.
Powershell
4. At the Windows PowerShell command prompt, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration
Note: Notice the DirectAccess client settings.
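The client-side checks from the validation steps above, collected into one function. This is an added example, not part of the courseware: the function name Test-DirectAccessClient is hypothetical, the GPO name, namespaces and adapter name are the ones the steps check by hand, and it assumes English gpresult output and the in-box Windows 8 cmdlets Get-DAConnectionStatus, Get-DnsClientNrptPolicy and Get-NetIPAddress.

```powershell
# Added example, not part of the courseware. Run in an elevated PowerShell
# session on the DirectAccess client (LON-CL1 in the lab).
function Test-DirectAccessClient {
    [CmdletBinding()]
    param(
        # Defaults are the values the lab steps verify manually.
        [string]   $ClientGpoName      = 'DirectAccess Client Settings',
        [string[]] $ExpectedNamespaces = @('adatum.com', 'Directaccess-NLS.Adatum.com'),
        [string]   $IpHttpsAlias       = 'IPHTTPSInterface'
    )

    # gpresult /R lists applied GPOs and, further down, GPOs that were filtered
    # out. Read only the "Applied Group Policy Objects" block (English output
    # assumed) so a filtered-out GPO is not reported as applied.
    $lines   = @(gpresult /R /scope computer 2>&1 | ForEach-Object { "$_".Trim() })
    $start   = [array]::IndexOf($lines, 'Applied Group Policy Objects')
    $applied = @()
    if ($start -ge 0 -and ($start + 2) -lt $lines.Count) {
        # Skip the heading and its underline, then read names up to the blank line.
        foreach ($line in $lines[($start + 2)..($lines.Count - 1)]) {
            if (-not $line) { break }
            $applied += $line
        }
    }

    # ConnectedLocally means the client reached the network location server and
    # considers itself on the intranet; ConnectedRemotely means it is using DirectAccess.
    $status = try   { "$((Get-DAConnectionStatus -ErrorAction Stop).Status)" }
              catch { "Unavailable: $($_.Exception.Message)" }

    # Effective NRPT, the same data as "netsh name show effectivepolicy".
    # Namespaces are stored with a leading dot for suffix rules.
    $effective = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
                   ForEach-Object { "$($_.Namespace)".TrimStart('.') })
    $missing   = @($ExpectedNamespaces | Where-Object { $effective -notcontains $_ })

    # On the corporate network the effective table is expected to be empty;
    # on the Internet both namespaces from the lab must be present.
    $nrptAsExpected = if ($status -eq 'ConnectedLocally') { $effective.Count -eq 0 }
                      else                                { $missing.Count -eq 0 }

    # IP-HTTPS addresses on the tunnel adapter, which ipconfig shows starting with 2002.
    $ipHttps = @(Get-NetIPAddress -InterfaceAlias $IpHttpsAlias -AddressFamily IPv6 `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.IPAddress -like '2002:*' } |
                 Select-Object -ExpandProperty IPAddress)

    [pscustomobject]@{
        ClientGpoApplied  = ($applied -contains $ClientGpoName)
        ConnectionStatus  = $status
        EffectiveNrpt     = $effective
        MissingNamespaces = $missing
        NrptAsExpected    = $nrptAsExpected
        IpHttpsAddresses  = $ipHttps
    }
}

Test-DirectAccessClient | Format-List
```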
Verify client connectivity on the DirectAccess server
1. Switch to LON-RTR.
2. Switch to the Remote Access Management Console.
3. In the console pane, click Remote Client Status.
Note: Notice that the client is connected via IPHTTPS. In the Connection Details pane, in the
bottom-right of the screen, note the use of Kerberos for the machine and the user.
4. Close all open windows.
Demonstration: Identifying the Getting Started Wizard Settings
Demonstration Steps
1. On LON-RTR, switch to the Server Manager console, click Tools, and then click Remote Access
Management.
2. In the Remote Access Management Console, in the left pane, click DirectAccess and VPN.
3. In the Remote Access Setup window, under the image of the client computer labeled as Step 1
Remote Clients, click Edit.
4. In the DirectAccess Client Setup window, click Deployment Scenario, and then review the default
settings; click Select Groups, and review the default settings; click Network Connectivity Assistant,
and then review the default settings.
5. Click Cancel, and click OK.
6. In the Remote Access Setup window, under the image of the client computer labeled as Step 2
Remote Access Servers, click Edit.
7. In the Remote Access Server Setup window, click Network Topology, and review the default settings;
click Network Adapters, and review the default settings; click Authentication, and then review the
default settings.
8. Click Cancel, and click OK.
9. In the Remote Access Setup window, under the image of the client computer labeled as Step 3
Infrastructure Servers, click Edit.
10. In the Infrastructure Server Setup window, click Network Location Server, and then review the
default settings; click DNS, and review the default settings; click DNS Suffix Search List, and review
the default settings; click Management, and then review the default settings.
11. Click Cancel, and click OK.
12. In the Remote Access Setup window, under the image of the client computer labeled as Step 4
Application Servers, click Edit.
13. In the DirectAccess Application Server Setup window, review the default settings, click Cancel, and
then click OK.
14. Close all open windows.

Lesson 3
Implementing and Managing an Advanced
DirectAccess Infrastructure
Contents:
Resources
Demonstration: Modifying the DirectAccess Infrastructure
Demonstration: Monitoring and Troubleshooting DirectAccess Connectivity

Resources
Integrating a PKI with DirectAccess
Additional Reading: Active Directory Certificate Services
http://go.microsoft.com/fwlink/?LinkID=331444
Considerations for Configuring Internal Network Connectivity for
DirectAccess Clients
Additional Reading: For more information, visit the following link:
Step 2: Plan the Remote Access Deployment
http://go.microsoft.com/fwlink/?LinkID=331445
Demonstration: Modifying the DirectAccess Infrastructure
Demonstration Steps
Configure the Remote Access role
1. On LON-RTR, in Server Manager, on the Tools menu, click Remote Access Management.
2. In the Remote Access Management window, click DirectAccess and VPN.
3. Click Edit on Step 1 to select which clients will use DirectAccess.
4. On the Deployment Scenario page, click Next.
5. Under Select Groups, in the details pane, ensure that the Enable DirectAccess for mobile computers
only check box is cleared, and then click Next.
Note: In a real-world scenario, you might choose a security group instead of allowing
DirectAccess for all domain computers.
6. On the Network Connectivity Assistant page, double-click the empty row under the Resource
column.
7. In the Configure Corporate Resources for NCA window, verify that HTTP is selected, and then type
https://lon-svr1.adatum.com. Click Validate, and then click Add.
8. In the Network Connectivity Assistant page, click Finish to close configuration for Step 1.
9. Click Edit on Step 2.
10. On the Network Topology page, verify that Edge is selected, and then type 131.107.0.10.
11. Click Next.
12. On the Network Adapters page, select Use a self-signed certificate created automatically by
DirectAccess, verify that CN=131.107.0.10 is used as a certificate to authenticate IP-HTTPS
connections, and then click Next.
13. On the Authentication page, select Use computer certificates, click Browse, select AdatumCA,
and then click OK.
14. Select Enable Windows 7 client computers to connect via DirectAccess, and then click Finish to
close configuration for Step 2.
15. In the Remote Access Setup pane, under Step 3, click Edit.
16. On the Network Location Server page, select The network location server is deployed on a
remote web server (recommended), type https://lon-svr1.adatum.com, click Validate, and then
click Next.
17. On the DNS page, click Next.
18. In the DNS Suffix Search List page, click Next.
19. On the Management page, click Finish to close configuration for Step 3.
20. Under Step 4, click Edit.
21. On the DirectAccess Application Server Setup page, click Finish.
22. Click Finish to apply the changes.
23. In the Remote Access Review page, click Cancel.
Note: The DirectAccess configuration is not applied, because additional prerequisites need
to be configured, such as AD DS configuration, firewall settings, and certificate deployment. You
will perform complete DirectAccess configuration in Lab A.
Demonstration: Monitoring and Troubleshooting DirectAccess
Connectivity
Demonstration Steps
1. Switch to LON-RTR.
2. On LON-RTR, open the Remote Access Management Console, and then in the left pane, click
Dashboard.
3. Review the information in the central pane, under DirectAccess and VPN Client Status.
4. In the left pane, click Remote Client Status, and then in the central pane, review the information
under the Connected Clients list.
5. In the left pane, click Reporting, and then in the central pane, click Configure Accounting.
6. In the Configure Accounting window, under Select Accounting Method, click Use inbox
accounting, click Apply, and then click Close.
7. In the central pane, under Remote Access Reporting, review the options for monitoring historical
data.

Module Review and Takeaways
Best Practices
Although DirectAccess was present in the previous Windows Server 2008 R2 edition, Windows Server
2012 introduces new features for improved manageability, ease of deployment, and improved
scale and performance.
Monitoring of the environment is now much easier with support for Windows PowerShell,
Windows Management Instrumentation (WMI), and GUI monitoring, along with Network Connectivity
Assistant on the client side.
One of the best enhancements is that DirectAccess can now access IPv4 servers on your network
without needing to implement IPv6, because your DirectAccess server acts as a proxy.
Consider integrating DirectAccess with your existing Remote Access solution because Windows
Server 2012 can implement a DirectAccess server behind a NAT device, which is the most common
RAS solution for organizations.
Review Question(s)
Question: What remote access solutions can you deploy by using Windows Server 2012 R2?
Answer: In the Windows Server 2012 R2 operating system, you can deploy the following remote access
solutions: DirectAccess, VPN, Routing, and Web Application Proxy.
Question: What are the main benefits of using DirectAccess for providing remote connectivity?
Answer: The main benefits of using DirectAccess for providing remote connectivity are as follows:
Always-on connectivity. When the user is connected to the Internet, the user is also connected to
intranet.
Same user experience regardless of whether connected locally or remotely.
Bidirectional access. When the client computer is accessing the intranet, the computer is also
connected and managed.
Improved security. Administrators can set and control the intranet resources that are accessible
through DirectAccess.
Question: How do you configure DirectAccess clients?
Answer: To configure DirectAccess clients, use Group Policy. When you use the Configure Remote Access
Wizard to configure DirectAccess, two GPOs are created and linked to the domain. These two
GPOs define DirectAccess-related settings and are applied on DirectAccess clients.
Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?
Answer: The DirectAccess client computer tries to locate the NLS server. If the DirectAccess client
computer can contact the NLS server, the DirectAccess client computer assumes it is on the
internal network. If the DirectAccess client computer cannot contact the NLS server, the
DirectAccess client computer assumes it is on the Internet. In organizations where DirectAccess is
a business-critical solution, the NLS should be a highly available web server, because NLS server
availability is important for DirectAccess client computers to determine whether they are located on
the internal network or the Internet.
Question: What is the use of an NRPT?
Answer: NRPT stores a list of DNS namespaces and their corresponding configuration settings. These
settings define the DNS server to contact and the DNS client behavior for that namespace.
Question: What types of remote access solutions can you provide by using VPN in Windows Server 2012?
Answer: You can configure the following remote access solutions by using VPN in Windows Server 2012:
Secure remote access to internal network resources for users located on the Internet. The users act as
VPN clients that connect to a Windows Server 2012 server acting as a VPN server.
Secure communication between network resources located at different geographical
sites. This solution is called site-to-site VPN. In each site, Windows Server 2012 acts as a VPN
server that encrypts communication between the sites.
Tools
| Tool | Use for | Where to find it |
| --- | --- | --- |
| Remote Access Management Console | Managing DirectAccess and VPN | Server Manager/Tools |
| Routing and Remote Access Console | Managing VPN and routing | Server Manager/Tools |
| Remote Access Getting Started Wizard | A graphical tool that simplifies the configuration of DirectAccess | Server Manager/Tools/Remote Access Management Console |
| Dnscmd.exe | A command-line tool used for DNS management | Run from command-line |
| Services.msc | Helps in managing Windows services | Server Manager/Tools |
| Gpedit.msc | Helps in editing the Local Group Policy | Run from command-line |
| IPconfig.exe | A command-line tool that displays current TCP/IP network configuration | Run from command-line |
| DNS Manager console | Helps in configuring name resolution | Server Manager/Tools |
| Mmc.exe | Helps in the creation and management of the Management Console | Run from command-line |
| Gpupdate.exe | Helps in managing Group Policy application | Run from command-line |
| Active Directory Users and Computers | Is useful in configuring group membership for client computers that will be configured with DirectAccess | Server Manager/Tools |
Common Issues and Troubleshooting Tips
| Common Issue | Troubleshooting Tip |
| --- | --- |
| You have configured DirectAccess, but users are complaining about connectivity issues. You want to troubleshoot those issues more efficiently. | Basic troubleshooting experience is integrated in Network Connectivity Assistant, so educate users how to access it and to determine what is preventing the client computer from communicating with the DirectAccess server. |
| The DirectAccess client tries to connect to the DirectAccess server by using IPv6 and IPSec with no success. | If you are using Teredo as the IPv6 transition technology, check whether you have two public addresses on the external network adapter of the DirectAccess server, which is needed for establishing two IPSec tunnels. |


Lab Review Questions and Answers
Lab: Implementing DirectAccess
Question and Answers
Question: Why did you make the CRL available on LON-RTR?
Answer: You made the CRL available on LON-RTR so that the DirectAccess clients connecting through the
Internet can access the CRL.
Question: Why did you install a certificate on the client computer?
Answer: Without a certificate, the DirectAccess server cannot identify and authenticate the client.
Module 6
Implementing Failover Clustering
Contents:
Lesson 1: Overview of Failover Clustering
Lesson 2: Implementing a Failover Cluster
Lesson 3: Configuring Highly-Available Applications and Services on a Failover Cluster
Lesson 4: Maintaining a Failover Cluster
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Overview of Failover Clustering
Contents:
Resources

Resources
Failover Cluster Storage
Reference Links: For more information about clustered storage spaces, see Deploy
Clustered Storage Spaces by visiting the following link:
http://go.microsoft.com/fwlink/?LinkID=331426
Reference Links: For more information on failover cluster requirements, see
Understanding Requirements for Failover Clusters by visiting the following link:
http://go.microsoft.com/fwlink/?LinkID=331427
What Are Cluster Shared Volumes?
Additional Reading:
Server Message Block overview http://go.microsoft.com/fwlink/?linkID=269659
Storage Spaces Overview http://go.microsoft.com/fwlink/?linkID=269680

Lesson 2
Implementing a Failover Cluster
Contents:
Demonstration: Validating and Configuring a Failover Cluster

Demonstration: Validating and Configuring a Failover Cluster
Demonstration Steps
1. On LON-SVR3, in Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Failover Cluster Manager, in the console tree, ensure that Failover Cluster Manager is
selected, and under Management, click Validate Configuration, and then click Next.
3. In the Enter name field, type LON-SVR3, and then click Add.
4. In the Enter name field, type LON-SVR4.
5. Click Add, and then click Next.
6. Verify that Run all tests (recommended) is selected, and click Next.
7. In the Confirmation window, click Next.
8. Wait for the validation tests to finish, and in the Summary window, click View Report. Review the
results of validation and discuss warnings, and why they appear.
9. Close the report window, clear the check mark next to Create the cluster now using the validated
nodes, and then click Finish.
10. On LON-SVR3, in Failover Cluster Manager, in the Management section of the center pane, select
Create Cluster.
11. Read the Before You Begin information page.
12. Click Next, type LON-SVR3, and then click Add. Type LON-SVR4, and click Add.
13. Verify the entries, and click Next.
14. In the Access Point for Administering the Cluster section, enter Cluster1 as the Cluster Name.
15. Under Address, type 172.16.0.125 as the IP address, and then click Next.
16. On the Confirmation page, verify the information, and then click Next.
17. On the Summary page, click Finish to return to the Failover Cluster Manager.

Lesson 3
Configuring Highly-Available Applications and
Services on a Failover Cluster
Contents:
Demonstration: Clustering a File Server Role

Demonstration: Clustering a File Server Role
Demonstration Steps
1. On LON-SVR3, open Failover Cluster Manager, and then expand Cluster1.adatum.com.
2. Expand Storage, and click Disks. Verify that three cluster disks are available.
3. Right-click Roles, and select Configure Role.
4. On the Before You Begin page, click Next.
5. On the Select Role page, select File Server, and then click Next.
6. On the File Server Type page, click File Server for general use, and then click Next.
7. On the Client Access Point page, in the Name box, type AdatumFS, and in the Address box, type
172.16.0.130, and then click Next.
8. On the Select Storage page, click Cluster Disk 2, and then click Next.
9. On the Confirmation page, click Next.
10. On the Summary page click Finish.
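A scripted equivalent of the two demonstrations above (validate and create the cluster, then cluster the File Server role), as an added example that is not part of the courseware. Node names, addresses and the disk name are the ones used in the steps; the FS-FileServer pre-check and the closing quorum check are additions made here.

```powershell
# Added example, not part of the courseware. Run elevated on LON-SVR3 with the
# Failover Clustering feature and its PowerShell module installed on both nodes.
Import-Module FailoverClusters
$ErrorActionPreference = 'Stop'

$nodes = 'LON-SVR3', 'LON-SVR4'

# The Windows role behind a clustered role must be installed on every node.
# A node without it is what makes the wizard report that not all nodes
# support the desired clustered role.
foreach ($node in $nodes) {
    $feature = Get-WindowsFeature -Name FS-FileServer -ComputerName $node
    if (-not $feature.Installed) {
        throw "File Server role service is not installed on $node"
    }
}

# Run all validation tests. Test-Cluster returns the report file, so keep the
# path and review the warnings before creating the cluster.
$report = Test-Cluster -Node $nodes
"Validation report: $($report.FullName)"

# Create the cluster with the administrative access point from the demonstration.
New-Cluster -Name Cluster1 -Node $nodes -StaticAddress 172.16.0.125 | Out-Null

# The file server demonstration expects three cluster disks to be available.
$disks = @(Get-ClusterResource -Cluster Cluster1 |
           Where-Object { $_.ResourceType.Name -eq 'Physical Disk' })
"Cluster disks found: $($disks.Count)"
if ($disks.Name -notcontains 'Cluster Disk 2') {
    throw "Cluster Disk 2 is not available to the cluster"
}

# File Server for general use, with the client access point from the demonstration.
Add-ClusterFileServerRole -Cluster Cluster1 -Name AdatumFS `
    -Storage 'Cluster Disk 2' -StaticAddress 172.16.0.130 | Out-Null

# Report the quorum configuration. A disk-only quorum stops the whole cluster
# when the quorum disk fails, so flag it.
$quorum = Get-ClusterQuorum -Cluster Cluster1
"Quorum type: $($quorum.QuorumType)  Witness: $($quorum.QuorumResource)"
if ("$($quorum.QuorumType)" -eq 'DiskOnly') {
    Write-Warning 'Quorum depends only on the disk; choose a majority-based model.'
}
```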

Lesson 4
Maintaining a Failover Cluster
Contents:
Demonstration: Configuring Cluster-Aware Updating

Demonstration: Configuring Cluster-Aware Updating
Demonstration Steps
1. On LON-DC1, in Server Manager, click Add roles and features.
2. In the Add roles and features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, in the list of features, click Failover Clustering. In Add features that
are required for Failover Clustering? dialog box, click Add Features, and then click Next.
7. On the Confirm installation selections page, click Install.
8. When installation is complete, click Close.
9. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
10. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
CLUSTER1, and then click Connect.
11. In the Cluster Actions pane, click Preview updates for this cluster.
12. In the Cluster1-Preview Updates window, click Generate Update Preview List. (Note: Explain that
updates are pulled from WSUS server.)
13. After a few minutes, updates will be shown in the list. Review updates and click Close.
14. In the Cluster Actions pane, click Create or modify Updating Run Profile.
15. Review and explain available options. Do not make any changes, and click Close when you are
finished.
16. Click Apply updates to this cluster.
17. On the Getting Started page, click Next.
18. On the Advanced options page, review options for updating, and then click Next.
19. On the Additional Update Options page, click Next.
20. On the Confirmation page, click Update, and then click Close.
21. In the Cluster nodes pane, you can review progress of updating. (Note: You should emphasize that
one node of the cluster is in Waiting state, while the other node is restarting after it is updated.)
22. Wait until the process is finished. (Note: This may require restart of both nodes, and it can take up to
10 minutes to complete.)
23. Sign in to LON-SVR3 with the user name Adatum\Administrator and the password Pa$$w0rd.
24. On LON-SVR3, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
25. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select
Cluster1, and then click Connect.
26. Click Configure cluster self-updating options.
27. On the Getting Started page, click Next.
28. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.
29. In the Specify self-updating schedule area, click Weekly, select 4:00 AM for Time of day, select
Sunday for Day of the week, and then click Next.
30. On the Advanced Options page, click Next.
31. On the Additional Update Options page, click Next.
32. On the Confirmation page, click Apply.

Module Review and Takeaways
Best Practices
Try to avoid using a quorum model that depends just on the disk for Hyper-V high availability or
Scale-Out File Server.
Perform regular backups of cluster configuration.
Ensure that in case of one node failure, other nodes can handle the load.
Carefully plan multisite clusters.
Review Question(s)
Question: Why is using a disk-only quorum configuration generally not a good idea?
Answer: The failover cluster stops functioning if the LUN that is used as the disk for the quorum fails.
Even if all the other resources, including the disk for the applications, are available, all nodes do
not provide any service when the quorum disk is not available.
Question: What is the purpose of cluster-aware updating?
Answer: CAU enables administrators to automatically update cluster nodes with little or no loss in
availability during the update process.
Question: What is the main difference between synchronous and asynchronous replication in a multisite
cluster scenario?
Answer: When you use synchronous replication, the host receives a write-complete response from the
primary storage after the data is written successfully on both storage systems. If the data is not
written successfully to both storage systems, the application must attempt to write to the disk
again. With synchronous replication, both storage systems are identical.
When you use asynchronous replication, the node receives a write-complete response from the
storage after the data is written successfully on the primary storage. The data is written to the
secondary storage on a different schedule, depending on the hardware or software vendor's
implementation.
Question: What is an enhanced feature in multisite clusters in Windows Server 2012?
Answer: In Windows Server 2012, you can adjust cluster quorum settings so that nodes do or do not have
a vote when the cluster determines whether it has quorum.
Real-world Issues and Scenarios
Your organization is considering the use of a geographically dispersed cluster that includes an alternative
data center. Your organization has only a single physical location, together with an alternative data center.
Can you provide an automatic failover in this configuration?
Answer: No. You cannot provide an automatic failover in this configuration. To provide an automatic
failover, you must have at least three sites.
Tools
The tools for implementing failover clustering include:
Failover Cluster Manager console
Cluster-Aware Updating console
Windows PowerShell
Server Manager
iSCSI initiator
Disk Management
Common Issues and Troubleshooting Tips
| Common Issue | Troubleshooting Tip |
| --- | --- |
| Cluster Validation Wizard reports an error | Review the report that Cluster Validation Wizard provides and determine the problem. |
| Create Cluster Wizard reports that not all nodes support desired clustered role | Review installed roles and features on cluster nodes. Clustered role must be installed on each cluster node. |
| You cannot create Print Server cluster | This is not supported in Windows Server 2012. You should use other technologies to provide a highly-available print server. |

Lab Review Questions and Answers
Lab: Implementing Failover Clustering
Question and Answers
Question: What information do you have to collect as you plan a failover cluster implementation and
choose the quorum mode?
Answer: You have to collect information such as the:
Number of applications or services that will be deployed on the cluster.
Performance requirements and characteristics for each application or service.
Number of servers that must be available to meet the performance requirements.
Location of the users who use the failover cluster.
Type of storage used for the shared cluster storage.
Question: After running the Validate a Configuration Wizard, how can you resolve the network
communication single point of failure?
Answer: You can resolve the network communication single point of failure by adding network adapters
on a separate network. This provides communication redundancy between cluster nodes.
Question: In which situations might it be important to enable failback of a clustered application only
during a specific time?
Answer: Setting the failback to a preferred node at a specific time is important when you have to ensure
that the failback does not interfere with client connections, backup windows, or other
maintenance that a failback would interrupt.
Module 7
Implementing Hyper-V
Contents:
Lesson 1: Configuring Hyper-V Servers
Lesson 2: Configuring Hyper-V Storage
Lesson 3: Configuring Hyper-V Networking
Lesson 4: Configuring Hyper-V Virtual Machines
Module Review and Takeaways

Lesson 1
Configuring Hyper-V Servers
Contents:
Resources
Demonstration: Configuring Hyper-V Settings

Resources
What's New in Windows Server 2012 R2 Hyper-V?
Additional Reading: What's New in Hyper-V in Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkID=331446
Hyper-V Integration Services
Additional Reading: Note that the Hyper-V support for the Windows XP operating system
ends in April 2014, and support for Windows Server 2003 and Windows Server 2003 R2 expires in
July 2015. Visit the following website for a list of supported Hyper-V virtual-machine guest
operating systems on Windows Server 2012:
Hyper-V Overview
http://go.microsoft.com/fwlink/?linkid=272334
Best Practices for Configuring Hyper-V Hosts
Additional Reading: Tip: 6 Best Practices for Physical Servers Hosting Hyper-V Roles
http://go.microsoft.com/fwlink/?linkID=269681
Demonstration: Configuring Hyper-V Settings
Demonstration Steps
1. Sign in to LON-HOST1 with user name Adatum\Administrator and the password Pa$$w0rd.
2. On the Tools menu, click Hyper-V Manager.
3. In the navigation pane, right-click LON-HOST1, and then click Hyper-V Settings.
4. Click Virtual Hard Disks. Show how to change the location of the default virtual hard disks folder.
5. Click Virtual Machines. Show how to change the location of the default virtual machine
configuration files folder.
6. Click Physical GPUs. Explain that the Remote Desktop Virtualization Host role service must be
installed before you can enable RemoteFx and GPU management.
7. Click NUMA Spanning. Explain that when you enable NUMA spanning, servers take advantage of
Non-Uniform Memory Access (NUMA) performance optimizations.
Note: Mention that Live Migrations, Storage Migrations, and Replication Configuration will
be discussed in Module 8: Implementing Failover Clustering with Hyper-V.

Lesson 2
Configuring Hyper-V Storage
Contents:
Resources
Demonstration: Managing Virtual Hard Disks in Hyper-V

Resources
Virtual Hard Disks in Hyper-V
Additional Reading: Hyper-V Virtual Hard Disk Format Overview
http://go.microsoft.com/fwlink/?linkID=269682
Storage on SMB 3.0 File Shares
Additional Reading: Server Message Block overview
http://go.microsoft.com/fwlink/?linkID=269659
Fibre Channel Support in Hyper-V
Additional Reading: Hyper-V Virtual Fibre Channel Overview
http://go.microsoft.com/fwlink/?linkID=269683
Demonstration: Managing Virtual Hard Disks in Hyper-V
Demonstration Steps
1. On the taskbar, click File Explorer.
2. Click Computer, and browse to the following location:
E:\Program Files\Microsoft Learning\Base. (Note: The drive letter may depend upon the number of
drives on the physical host machine.)
3. Verify that the Base14A-WS12R2.vhd hard disk image file is present.
4. Click the Home tab, and click the New Folder icon twice to create two new folders. Right-click each
folder, and rename each folder to the names listed below:
o LON-GUEST1
o LON-GUEST2
5. Close File Explorer.
6. Switch to the Hyper-V Manager.
7. In the Actions pane, click New, and then click Hard Disk.
8. On the Before You Begin page of the New Virtual Hard Disk Wizard, click Next.
9. On the Choose Disk Format page, select VHD, and then click Next.
10. On the Choose Disk Type page, select Differencing, and then click Next.
11. On the Specify Name and Location page, specify the following details, and then click Next:
o Name: LON-GUEST1.vhd
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
12. On the Configure Disk page, type the location: E:\Program Files\Microsoft Learning\Base\
Base14A-WS12R2.vhd, and then click Finish.
13. On the taskbar, click the PowerShell icon.
14. At the PowerShell prompt, type the following command to import the Hyper-V module, and then
press Enter.
Import-Module Hyper-V
15. At the PowerShell prompt, type the following command to create a new differencing disk to be used
with LON-GUEST2, and then press Enter.
New-VHD "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" `
-ParentPath "E:\Program Files\Microsoft Learning\Base\Base14A-WS12R2.vhd"
16. Close the PowerShell window.
17. In the Actions pane of the Hyper-V Manager console, click Inspect Disk.
18. In the Open dialog box, browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST2\, click
LON-GUEST2.vhd, and then click Open.
19. In the Virtual Hard Disk Properties dialog box, verify that LON-GUEST2.vhd is configured as a
differencing virtual hard disk with E:\Program Files\Microsoft Learning\Base\Base14A-
WS12R2.vhd as a parent, and then click Close.

Lesson 3
Configuring Hyper-V Networking
Contents:
Resources
Demonstration: Configuring a Public and a Private Network Switch

Resources
What Is a Hyper-V Virtual Switch?
Additional Reading: Hyper-V Virtual Switch Overview
http://go.microsoft.com/fwlink/?linkID=269684
Virtual Switch Enhancements in Windows Server 2012 R2
Additional Reading: What's New in Hyper-V Virtual Switch for Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkID=331448
What Is Network Virtualization?
Additional Reading: Hyper-V Network Virtualization Overview
http://go.microsoft.com/fwlink/?linkID=269685
Demonstration: Configuring a Public and a Private Network Switch
Demonstration Steps
1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
2. In the Virtual Switch Manager dialog box, select New virtual network switch. Ensure that External
is selected, and click Create Virtual Switch.
3. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the
following information, and then click OK:
o Name: Corporate Network
o External Network: Mapped to the host computer's physical network adapter. Will vary depending
on host computer.
4. In the Apply Networking Changes dialog box, review the warning, and then click Yes.
5. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.
6. Under Virtual Switches, select New virtual network switch.
7. Under Create virtual switch, select Private, and then click Create Virtual Switch.
8. In the Virtual Switch Properties section, configure the following settings, and then click OK:
o Name: Private Network
o Connection type: Private network

Lesson 4
Configuring Hyper-V Virtual Machines
Contents:
Resources
Demonstration: Creating a Virtual Machine

Resources
How Dynamic Memory Works in Hyper-V
Additional Reading: Hyper-V Dynamic Memory Overview
http://go.microsoft.com/fwlink/?linkID=269686
Demonstration: Creating a Virtual Machine
Demonstration Steps
1. In the Hyper-V Manager, on the Actions pane, click New, and then click Virtual Machine.
2. On the Before You Begin page of the New Virtual Machine Wizard, click Next.
3. On the Specify Name and Location page of the New Virtual Machine Wizard, select Store the
virtual machine in a different location, enter the following values, and then click Next:
o Name: LON-GUEST1
o Location: E:\Program Files\Microsoft Learning\Base\LON-GUEST1\
4. On the Specify Generation page, click Next.
5. On the Assign Memory page of the New Virtual Machine Wizard, enter a value of 1024 MB, select
the Use Dynamic Memory for this virtual machine option, and then click Next.
6. On the Configure Networking page of the New Virtual Machine Wizard, select Private Network,
and then click Next.
7. On the Connect Virtual Hard Disk page, choose Use an existing virtual hard disk. Click Browse,
and browse to E:\Program Files\Microsoft Learning\Base\LON-GUEST1\lon-guest1.vhd. Click
Open, and click Finish.
8. On the taskbar, click the PowerShell icon.
9. At the PowerShell prompt, enter the following command to import the Hyper-V module:
Import-Module Hyper-V
10. At the PowerShell prompt, enter the following command to create a new virtual machine named
LON-GUEST2:
New-VM -Name LON-GUEST2 -MemoryStartupBytes 1024MB -VHDPath "E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd" -SwitchName "Private Network"
11. Close the PowerShell window.
12. In the Hyper-V Manager console, click LON-GUEST2. In the Actions pane, under LON-GUEST2, click
Settings.
13. In the Settings for the LON-GUEST2 dialog box, click Automatic Start Action, and then set the
Automatic Start Action setting to Nothing.
14. In the Settings for the LON-GUEST2 dialog box, click Automatic Stop Action, and then set the
Automatic Stop Action setting to Shut down the guest operating system.
15. To close the Settings for the LON-GUEST2 dialog box, click OK.
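The virtual switch demonstration and the LON-GUEST2 steps above can be scripted end to end and then checked. This is an added example, not part of the courseware; the physical adapter name "Ethernet" is an assumption, and all other names and paths are the ones used in the steps.

```powershell
# Added example: scripted equivalent of the switch and virtual machine demonstrations.
# Assumption: the host's physical adapter is named "Ethernet" (list yours with Get-NetAdapter).
Import-Module Hyper-V

$extAdapter = 'Ethernet'   # assumed name, varies per host
$vmName     = 'LON-GUEST2'
$vhdPath    = 'E:\Program Files\Microsoft Learning\Base\LON-GUEST2\LON-GUEST2.vhd'

# External switch: bound to a physical adapter, so guests can reach the physical network.
# Creating it rebinds the adapter, which is what the Apply Networking Changes warning is about.
if (-not (Get-VMSwitch -Name 'Corporate Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Corporate Network' -NetAdapterName $extAdapter -AllowManagementOS $true | Out-Null
}

# Private switch: traffic between virtual machines only, no host adapter and no physical uplink.
if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
}

# Create the virtual machine on the private switch if it does not exist yet.
if (-not (Get-VM -Name $vmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $vmName -MemoryStartupBytes 1024MB -VHDPath $vhdPath -SwitchName 'Private Network' | Out-Null
}

# Steps 13 and 14: do not start with the host, shut the guest down cleanly when the host stops.
Set-VM -Name $vmName -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Read the configuration back instead of trusting that the commands succeeded.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
Get-VM -Name $vmName | Select-Object Name, AutomaticStartAction, AutomaticStopAction, DynamicMemoryEnabled

# Flag any adapter of this virtual machine that is not on the isolated switch.
$offPrivate = Get-VMNetworkAdapter -VMName $vmName | Where-Object SwitchName -ne 'Private Network'
if ($offPrivate) {
    Write-Warning "$vmName has $(@($offPrivate).Count) adapter(s) connected outside 'Private Network'."
}
```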

Module Review and Takeaways
Review Question(s)
Question: In which situations should you use a fixed-memory allocation rather than dynamic memory?
Answer: You should use fixed-memory allocation in the following situations:
• When the guest operating system or application does not support dynamic memory.
• When the host operating system has limited memory resources and you need to ensure that
operating systems receive a fair allocation of memory.
Question: In which situations must you use virtual hard disks in VHDX format as opposed to virtual hard
disks in VHD format?
Answer: You should use the VHDX format rather than the VHD format in the following situations:
• You need to support virtual hard disks larger than 2 TB. VHDX files can be a maximum of 64
terabytes in size.
• You need to protect against data corruption caused by power failures. VHDX format is less
likely to become corrupted in the event of unexpected power failure because of the way the
file format processes updates.
• You need to deploy a virtual hard disk to a large sector disk.
Question: You want to deploy a Windows Server 2012 Hyper-V virtual machine's virtual hard disk on a
file share. What operating system must the file server be running to support this configuration?
Answer: You can only deploy virtual hard disks to file shares that support SMB 3.0. Only the Windows
Server 2012 operating system supports hosting SMB 3.0 file shares.
Real-world Issues and Scenarios
You need to ensure that a virtual machine host is provisioned with adequate RAM. Having multiple virtual
machines paging the hard disk drive because they are provisioned with inadequate memory will decrease
performance for all virtual machines on the Hyper-V host.
In addition, monitor virtual machine performance carefully. One virtual machine that uses a
disproportionate amount of server resources can adversely impact the performance of all other virtual
machines that the Hyper-V server hosts.
Tools
Tool: The Sysinternals disk2vhd tool
Used for: Convert physical hard disks to VHD format
Where to find it: Microsoft TechNet website, Sysinternals Suite
http://go.microsoft.com/fwlink/?linkID=269687

Tool: Virtual Machine Manager 2012
Used for: Manage virtual machines across multiple Hyper-V servers; perform online physical to
virtual conversions
Where to find it: Microsoft TechNet website, Virtual Machine Manager
http://go.microsoft.com/fwlink/?linkID=269688
Common Issues and Troubleshooting Tips
Common Issue: Cannot deploy Hyper-V on x64 processor
Troubleshooting Tip: Processor does not support hardware assisted virtualization.

Common Issue: Virtual machine does not use dynamic memory
Troubleshooting Tip: Operating system may not support dynamic memory. In some cases, applying a
service pack or installing virtual machine Integration Services will resolve this issue.


Module 8
Implementing Failover Clustering with Hyper-V
Contents:
Lesson 1: Overview of the Integration of Hyper-V Server 2012 with Failover Clustering
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters
Lesson 3: Implementing Windows Server 2012 Hyper-V Virtual Machine Movement
Lesson 4: Implementing Hyper-V Replica
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Overview of the Integration of Hyper-V Server 2012 with Failover Clustering
Contents:
Question and Answers

Question and Answers
Options for Making Virtual Machines Highly Available
Question: Do you use any high availability solution for virtual machines in your environment?
Answer: Answers may vary. For example, you can use storage replication, which is one alternative to
Failover Clustering.

Lesson 2
Implementing Hyper-V Virtual Machines on Failover Clusters
Contents:
Question and Answers

Question and Answers
Configuring a Shared Virtual Hard Disk
Question: What is the main benefit of using shared virtual hard disks?
Answer: If you use a shared virtual hard disk as cluster storage, you do not have to provide a Fibre
Channel or iSCSI connection to the virtual machines.
Implementing Scale-Out File Servers for Virtual Machines
Question: Have you considered storing virtual machines on the SMB share? Why or why not?
Answer: Answers may vary. Students will probably emphasize performance issues as a reason for not
deploying VMs on the SMB share.
Maintaining and Monitoring Virtual Machines in Clusters
Question: What are some alternative technologies that you can use for virtual machine and network
monitoring?
Answer: You can use dedicated monitoring software such as System Center Operations Manager.

Lesson 3
Implementing Windows Server 2012 Hyper-V Virtual Machine Movement
Contents:
Question and Answers

Question and Answers
Virtual Machine Migration Options
Question: When will you export and import a virtual machine instead of migrating it?
Answer: If you want to move a virtual machine to a host that does not support a shared-nothing
migration, or you do not have a cluster, you must export and import the virtual machine; for
example, if you want to move a virtual machine from a Windows Server 2012 host to Hyper-V
in Windows 8.

Lesson 4
Implementing Hyper-V Replica
Contents:
Question and Answers

Question and Answers
What's New in Hyper-V Replica in Windows Server 2012 R2
Question: Do you see extended replication as a benefit for your environment?
Answer: Answers will vary.

Module Review and Takeaways
Best Practices
• Develop standard configurations before you implement highly-available virtual machines. The host
computers should be configured as close to identically as possible. To ensure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSV volumes.
• Use new features in Hyper-V Replica to extend your replication to more than one server.
• Consider using Scale-Out File Servers clusters as storage for highly-available virtual machines.
• Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly-available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
Review Question(s)
Question: Do you have to implement CSV in order to provide high availability for virtual machines in
VMM in Windows Server 2008 R2?
Answer: No, you do not have to implement CSV to provide high availability. However, CSV makes it much
easier to implement and manage an environment where you have multiple Hyper-V hosts
accessing multiple LUNs on shared storage.
Tools
The tools for implementing Failover Clustering with Hyper-V include:
• Failover Cluster Manager
• Hyper-V Manager
• VMM console
Common Issues and Troubleshooting Tips
Common Issue: Virtual machine failover fails after I implement CSV and migrate the shared storage
to CSV.
Troubleshooting Tip: The CSV home folder is located on the host-server system drive. You cannot
move it. If the host computers use different system drives, the failovers will fail because the hosts
cannot access the same storage location. All failover cluster nodes should use the same hard-drive
configuration.

Common Issue: A virtual machine fails over to another node in the host cluster, but loses all
network connectivity.
Troubleshooting Tip: All the nodes in a host cluster must have the same networks configured. If they
do not, then the virtual machines cannot connect to a network when they fail over to another node.

Common Issue: Four hours after restarting a Hyper-V host that is a member of a host cluster, there
are still no virtual machines running on the host.
Troubleshooting Tip: By default, virtual machines do not fail back to a host computer after they
have migrated to another host. You can enable failback on the virtual machine properties in
Failover Cluster Management, or you can implement PRO in VMM.

Lab Review Questions and Answers
Lab: Implementing Failover Clustering with Hyper-V
Question and Answers
Lab Review
Question: How can you extend Hyper-V Replica in Windows Server 2012 R2?
Answer: You can use the Extended Replication feature to add a third host machine that can
replicate with passive copy and with configurable replication timeout.
Question: What is the difference between Live Migration and Storage Migration?
Answer: In Live Migration, you move the machine from one host to another; however, in Storage
Migration, you move virtual machine storage and optionally, configuration files to another
location on the same server.
Module 9
Implementing Secure Data Access for Users and Devices
Contents:
Lesson 2: Implementing DAC Components
Lesson 3: Implementing DAC for Access Control
Lesson 4: Implementing Access-Denied Assistance
Lesson 5: Implementing and Managing Work Folders
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 2
Implementing DAC Components
Contents:
Demonstration: Configuring Claims, Resource Properties, and Rules
Demonstration: Configuring Classification Rules

Demonstration: Configuring Claims, Resource Properties, and Rules
Demonstration Steps
1. On LON-DC1, open Active Directory Administrative Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.
3. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, select Department.
5. In the Display name text box, type Company Department.
6. Select both User and Computer check boxes, and then click OK.
7. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.
8. In the Create Claim Type window, in the Source Attribute section, click description.
9. Clear the User check box, select the Computer check box, and then click OK.
10. In the Active Directory Administrative Center, click Dynamic Access Control.
11. In the central pane, double-click Resource Properties.
12. In the Resource Properties list, right-click Department, and then click Enable.
13. In the Resource Properties list, right-click Confidentiality, and then click Enable.
14. Double-click Department.
15. Scroll down to the Suggested Values section, and then click Add.
16. In the Add a suggested value window, in both the Value and Display name text boxes, type
Research, and then click OK two times.
17. Click Dynamic Access Control, and then double-click Resource Property Lists.
18. In the central pane, double-click Global Resource Property List.
19. Ensure that both Department and Confidentiality appear in the Resource Properties list, and then click
Cancel. If they do not appear, click Add, add these two properties, and then click OK.
20. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.
21. In the Tasks pane, click New, and then click Central Access Rule.
22. In the Create Central Access Rule dialog box, in the Name field, type Department Match.
23. In the Target Resources section, click Edit.
24. In the Central Access Rule dialog box, click Add a condition.
25. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
26. In the Permissions section, click Use following permissions as current permissions.
27. In the Permissions section, click Edit.
28. Remove permission for Administrators.
29. In Advanced Security Settings for Permissions, click Add.
30. In Permission Entry for Permissions, click Select a principal.
31. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.
32. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
33. Click Add a condition.
34. Click the Group drop-down list box, and then click Company Department.
35. Click the Value drop-down list box, and then click Resource.
36. In the last drop-down list box, click Department, and then click OK three times.
Note: You should have this expression as a result: User-Company Department-Equals-
Resource-Department.
37. In the Tasks pane, click New, and then click Central Access Rule.
38. For the name of rule, type Access Confidential Docs.
39. In the Target Resources section, click Edit.
40. In the Central Access Rule window, click Add a condition.
41. In the last drop-down list box, click High, and then click OK.
Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.
42. In the Permissions section, click Use following permissions as current permissions.
43. In the Permissions section, click Edit.
44. Remove permission for Administrators.
45. In Advanced Security Settings for Permissions, click Add.
46. In the Permission Entry for Permissions, click Select a principal.
47. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.
48. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.
49. Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a
condition.
Note: If you cannot find Managers in the last drop-down list box, click Add items. Then in
the Select user, Computer, Service Account, or Group window, type Managers, click Check
Names, and then click OK.
50. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS, and then click
OK three times.
Demonstration: Configuring Classification Rules
Demonstration Steps
1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
2. In File Server Resource Manager, expand Classification Management.
3. Select and then right-click Classification Properties, and then click Refresh.
4. Verify that the Confidentiality and Department properties are listed.
5. Click Classification Rules.
6. In the Actions pane, click Create Classification Rule.
7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.
8. Click the Scope tab, and then click Add.
9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click
OK.
10. Click the Classification tab, ensure that following settings are set, and then click Configure:
o Classification method: Content Classifier
o Property: Confidentiality
o Value: High
11. In the Classification Parameters dialog box, click the Regular expression drop-down list box, and
then click String.
12. In the Expression field, which is next to the word String, type secret, and then click OK.
13. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.
14. In File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
15. Click Wait for classification to complete, and then click OK.
16. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in Report Totals section.
17. Close the report.
18. On the taskbar, click the File Explorer icon.
19. In the File Explorer window, expand drive C, and then expand the Docs folder.
20. In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab. Verify
that Confidentiality is set to High.
21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt contain the
word secret.
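The classification rule built in the steps above can also be created with the FileServerResourceManager module and cross-checked against the file contents. This is an added example, not part of the courseware; it assumes that the built-in Confidentiality_MS property stores High as the value 3000, so confirm that with Get-FsrmClassificationPropertyDefinition on your server.

```powershell
# Added example (not from the courseware). Run on LON-SVR1 in an elevated session.
Import-Module FileServerResourceManager

# Step 3 equivalent: pull the resource properties that were enabled in AD DS.
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition |
    Where-Object Name -in 'Confidentiality_MS', 'Department_MS' |
    Select-Object Name, DisplayName, Type

# Steps 6 to 13: content rule that marks files under C:\Docs containing "secret" as High.
# Assumption: High is stored as 3000 in Confidentiality_MS.
$rule = @{
    Name                    = 'Set Confidentiality'
    Property                = 'Confidentiality_MS'
    PropertyValue           = '3000'
    Namespace               = @('C:\Docs')
    ClassificationMechanism = 'Content Classifier'
    Parameters              = @('StringEx=Min=1;Expr=secret')   # plain string match, at least one hit
    ReevaluateProperty      = 'Overwrite'                       # re-evaluate and overwrite existing values
}
if (-not (Get-FsrmClassificationRule -Name $rule.Name -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule @rule | Out-Null
}

# Steps 14 and 15: run all rules now and wait for the job to finish.
Start-FsrmClassification
Wait-FsrmClassification

# Independent cross-check: list the files that really contain the string, so the
# classification report can be compared with ground truth.
$expected = @(
    Get-ChildItem -Path 'C:\Docs' -File -Recurse |
        Select-String -Pattern 'secret' -SimpleMatch -List |
        Select-Object -ExpandProperty Path
)
"Files that contain 'secret' and should be classified High: $($expected.Count)"
$expected
```

With the lab files, the list should contain Doc1.txt and Doc2.txt only, matching the two files in the classification report.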

Lesson 3
Implementing DAC for Access Control
Contents:
Demonstration: Creating and Deploying Central Access Policies
Demonstration: Evaluating and Managing DAC

Demonstration: Creating and Deploying Central Access Policies
Demonstration Steps
1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the Tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
8. Close the Active Directory Administrative Center.
9. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
10. In the Group Policy Management Console, under Domains, expand Adatum.com, right-click Test,
and then click Create a GPO in this domain, and link it here.
11. Type DAC Policy, and then click OK.
12. Right-click DAC Policy, and then click Edit.
13. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
14. Press and hold the Ctrl button and click both Department Match and Protect confidential docs,
click Add, and then click OK.
15. Close the Group Policy Management Editor and the Group Policy Management Console.
16. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
17. At a Windows PowerShell command-line interface command prompt, type gpupdate /force, and
then press Enter.
18. Close Windows PowerShell.
19. On the taskbar, click the File Explorer icon.
20. In File Explorer, browse to drive C, right-click the Docs folder, and then click Properties.
21. In the Properties dialog box, click the Security tab, and then click Advanced.
22. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.
23. In the drop-down list box, select Protect confidential docs, and then click OK twice.
24. Right-click the Research folder, and then click Properties.
25. In the Properties dialog box, click the Security tab, and then click Advanced.
26. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.
27. In the drop-down list box, click Department Match, and then click OK twice.
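The policy assembly and the assignment to C:\Docs from this demonstration can be scripted and read back for review. This is an added example, not part of the courseware; it assumes that the two Central Access Rules from the earlier demonstration (Department Match and Access Confidential Docs) already exist and that the DAC Policy GPO applies to LON-SVR1.

```powershell
# Added example (not from the courseware).

# --- Part 1: run on LON-DC1 ---
Import-Module ActiveDirectory

# Policy name -> rule it contains, as in steps 2 to 7.
$policyMap = [ordered]@{
    'Protect confidential docs' = 'Access Confidential Docs'
    'Department Match'          = 'Department Match'
}
foreach ($entry in $policyMap.GetEnumerator()) {
    if (-not (Get-ADCentralAccessPolicy -Filter "Name -eq '$($entry.Key)'")) {
        New-ADCentralAccessPolicy -Name $entry.Key
    }
    Add-ADCentralAccessPolicyMember -Identity $entry.Key -Members $entry.Value
}

# Read the rules back and compare ResourceCondition and CurrentAcl with the
# expressions that the notes in the rule demonstration say you should see.
Get-ADCentralAccessRule -Filter * |
    Format-List Name, ResourceCondition, CurrentAcl, ProposedAcl
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members

# The Company Department claim is sourced from the department attribute, so an
# empty attribute means no claim value and the Department Match condition fails.
Get-ADUser -Filter * -Properties Department |
    Where-Object { -not $_.Department } |
    Select-Object SamAccountName, DistinguishedName

# --- Part 2: run on LON-SVR1 after the GPO is linked ---
gpupdate /force

# Steps 20 to 23: assign the central access policy to the folder.
$path = 'C:\Docs'
$acl  = Get-Acl -Path $path
Set-Acl -Path $path -AclObject $acl -CentralAccessPolicy 'Protect confidential docs'

# Confirm which policy the folder now carries.
Get-Acl -Path $path | Select-Object Path, CentralAccessPolicyName, CentralAccessPolicyId

# To see the claims a test user actually receives, sign in as that user and run:
#   whoami /claims
```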

Demonstration: Evaluating and Managing DAC
Demonstration Steps
1. On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy Objects.
3. Right-click DAC Policy, and then click Edit.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.
5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
6. Double-click Audit File System, select all three check boxes, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management Console.
8. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Administrative
Center.
9. In the navigation pane, click Dynamic Access Control.
10. Double-click Central Access Rules, right-click Department Match, and then click Properties.
11. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
12. Click Authenticated Users, and then click Edit.
13. Change the condition to User-Company Department-Equals-Value-Marketing, and then click OK.
14. Click OK twice to close all windows.
15. Switch to LON-SVR1.
16. On the taskbar, click the Windows PowerShell icon.
17. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
18. Close Windows PowerShell.

Lesson 4
Implementing Access-Denied Assistance
Contents:
Demonstration: Implementing Access-Denied Assistance

Demonstration: Implementing Access-Denied Assistance
Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Group Policy objects.
3. Right-click DAC Policy, and then click Edit.
4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Access-Denied Assistance.
5. In the details pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box. Review other options, but do not make any
changes, and then click OK.
9. In the details pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types. Click Enabled, and then click OK.
10. Close the Group Policy Management Editor and the Group Policy Management Console.
11. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.
12. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.

Lesson 5
Implementing and Managing Work Folders
Contents:
Demonstration: Implementing Work Folders

Demonstration: Implementing Work Folders
Demonstration Steps
1. On LON-SVR3, in Server Manager, expand File and Storage Services, and then click Work Folders.
2. In the WORK FOLDERS tile, click Tasks, and then click New Sync Share.
3. In the New Sync Share Wizard, on the Before you begin page, click Next.
4. On the Select the server and path page, select Select by file share, ensure that the share you
created in the previous task (WF-Share) is highlighted, and then click Next.
5. On the Specify the structure for user folders page, accept the default selection (user alias), and
then click Next.
6. On the Enter the sync share name page, accept the default, and then click Next.
7. On the Grant sync access to groups page, note the default selection to disable inherited
permissions and grant users exclusive access, and then click Add.
8. In the Select User or Group dialog box, in the Enter the object names to select, type WFsync, click
Check Names, and then click OK.
9. On the Grant sync access to groups page, click Next.
10. On the Specify device policies page, note the selections, accept the default selection, and then click
Next.
11. On the Confirm selections page, click Create.
12. On the View results page, click Close.
13. Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
14. Open Server Manager, click Tools, and then click Group Policy Management.
15. Expand Forest: Adatum.com-Domains-Adatum.com, click Group Policy Objects, right-click the
Group Policy Objects container, and then click New.
16. In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
17. Right-click Work Folders GPO, and then click Edit.
18. In the Group Policy Management Editor, expand User Configuration / Policies / Administrative
Templates / Windows Components, and then click Work Folders.
19. Double-click Specify Work Folders settings in the details pane.
20. In the Specify Work Folders settings dialog box, click Enabled.
21. In the Work Folders URL text box, type https://lon-svr3.adatum.com, and then select Force
automatic setup.
22. To close the Specify Work Folders settings dialog box, click OK, and then close the Group Policy
Management Editor.
23. In the Group Policy Management Console, right-click the Adatum.com domain object, and then
select Link an Existing GPO.
24. In the Select GPO window, select Work Folders GPO, and then click OK.
25. Close the Group Policy Management Console.

Module Review and Takeaways
Best Practices
• Use central access policies instead of configuring conditional expressions on resources.
• Enable access-denied assistance settings.
• Always test changes that you have made to Central Access Rules and central access policies before
implementing them.
• Use file classifications to assign properties to files.
• Use Work Folders to synchronize business data across devices.
• Use Workplace Join in BYOD scenarios.
Review Question(s)
Question: What is a claim?
Answer: A claim is information that AD DS states about an object, which usually is a user or a computer.
Question: What is the purpose of Central Access Policy?
Answer: Central access policies enable administrators to create policies that apply to one or more file
servers in an organization. Central access policies contain one or more Central Access Policy rules.
Each rule contains settings that determine applicability and permissions.
Question: What is the BYOD concept?
Answer: BYOD is the policy of permitting employees to bring personal devices, such as laptops, tablets,
and smart phones, to the workplace, and allowing employees to use those devices to access
privileged company information and applications.
Tools
Tool: Active Directory Administrative Center
Use: Administering and creating claims, resource properties, rules, and policies
Location: Administrative tools

Tool: Group Policy Management Console (GPMC)
Use: Managing Group Policy
Location: Administrative tools

Tool: Group Policy Management Editor
Use: Editing GPOs
Location: GPMC
Common Issues and Troubleshooting Tips
Common Issue: Claims are not populated with the appropriate values.
Troubleshooting Tip: Verify that the correct attribute is selected for the claim. In addition, check
that the attribute value for a specific object is populated.

Common Issue: A conditional expression does not allow access.
Troubleshooting Tip: Verify that the expression is well defined. In addition, try using the Effective
Access tab to troubleshoot the problem.

Lab Review Questions and Answers
Lab: Implementing Secure File Access
Question and Answers
Question: How do file classifications enhance the usage of DAC?
Answer: By using file classifications, you can set attributes on files automatically, and then use these
attributes in conditional expressions when implementing DAC.
Question: Can you implement DAC without Central Access Policy?
Answer: Yes, you can set conditional expressions directly on resources.
Module 10
Implementing Active Directory Domain Services
Contents:
Lesson 1: Deploying AD DS Domain Controllers
Lesson 3: Implementing Service Accounts
Lesson 5: Overview of Windows Azure Active Directory
Lesson 6: Maintaining AD DS
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Deploying AD DS Domain Controllers
Contents:
Resources

Resources
What's New in AD DS in Windows Server 2012 and Windows Server 2012 R2?
Additional Reading: You can see a complete list of new features for AD DS at:
What's New in Active Directory Domain Services (AD DS) at
http://go.microsoft.com/fwlink/?LinkID=331428
What's New in Active Directory in Windows Server 2012 R2 at
http://go.microsoft.com/fwlink/?LinkID=331429
Deploying AD DS Domain Controllers on Server Core
Additional Reading: Guidance for using Windows PowerShell to establish a Windows
Server 2012 AD DS environment can be found at the following link:
http://go.microsoft.com/fwlink/?LinkId=269665

Lesson 3
Implementing Service Accounts
Contents:
Demonstration: Configuring Group Managed Service Accounts

Demonstration: Configuring Group Managed Service Accounts
Demonstration Steps
1. Sign in to LON-DC1 as Administrator with the password Pa$$w0rd.
2. Right-click Windows PowerShell on the Taskbar, and click Run as Administrator.
3. At the prompt, type Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)), and press Enter.
4. Type New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1
-PrincipalsAllowedToRetrieveManagedPassword LON-DC1$, and press Enter.
5. Type Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice, and
press Enter.
6. Type Get-ADServiceAccount -Filter * and press Enter to verify the account. Note the output of the
command.
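The demonstration steps above as a repeatable script, extended with an audit of which principals can retrieve each managed password. This is an added example, not part of the course material; it assumes the ActiveDirectory module on LON-DC1, and the function name Get-GmsaPasswordReader is hypothetical.

```powershell
# Added example (not course code). Run in an elevated session on LON-DC1.
Import-Module ActiveDirectory

# Step 3: create a KDS root key only when the forest has none.
# Backdating -EffectiveTime by 10 hours makes the key usable at once instead of
# after the default 10-hour wait that covers replication to all domain
# controllers, so the backdated form suits a single-DC lab like this one.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Step 4: create the gMSA; only LON-DC1$ may retrieve the managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'Webservice'")) {
    New-ADServiceAccount -Name Webservice -DNSHostName LON-DC1 `
        -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC1$'
}

# Step 5: associate the account with the computer that will run the service.
Add-ADComputerServiceAccount -Identity LON-DC1 -ServiceAccount Webservice

# Step 6, extended: list every managed service account together with the
# principals that can read its password. Review is True for any principal that
# is not a computer account: a group needs its membership checked, and a user
# account should normally not be there at all.
function Get-GmsaPasswordReader {   # hypothetical helper name
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object {
            $account = $_.SamAccountName
            foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPassword) {
                $principal = Get-ADObject -Identity $dn -Properties objectClass
                [pscustomobject]@{
                    Account   = $account
                    Principal = $principal.Name
                    Class     = $principal.ObjectClass
                    Review    = $principal.ObjectClass -ne 'computer'
                }
            }
        }
}

Get-GmsaPasswordReader | Format-Table -AutoSize
```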

Lesson 5
Overview of Windows Azure Active Directory
Contents:
Resources

Resources
Integration with Applications
Additional Reading: Windows Azure partitioning for multitenancy is outside the scope of
this course, but more information can be found at
http://go.microsoft.com/fwlink/?LinkID=331430

Lesson 6
Maintaining AD DS
Contents:
Demonstration: Restoring AD DS Objects Using the Active Directory Recycle Bin

Demonstration: Restoring AD DS Objects Using the Active Directory Recycle Bin
Demonstration Steps
Enable the Active Directory Recycle Bin
1. Sign in to LON-DC1 as Administrator with the password Pa$$w0rd.
2. In Server Manager, on the Tools menu, click Active Directory Administrative Center.
3. In the navigation pane, click Adatum (local).
4. In the Tasks pane, click Enable Recycle Bin.
5. In the Enable Recycle Bin Confirmation dialog box, click OK.
6. In the Active Directory Administrative Center dialog box, click OK.
7. Click the Refresh icon on the menu bar. Notice a Deleted Objects container now appears.
Delete a current user
1. In the center pane, double-click the IT OU.
2. Ensure that the Amr Zaki user account is selected, and in the Tasks pane, click Delete.
3. In the Delete Confirmation dialog box, click Yes.
4. Click Adatum (local) in the navigation pane to return to the main tree.
Restore the user
1. In the center pane, double-click the Deleted Objects folder.
2. In the Tasks pane, click Restore.
3. In the navigation pane, under Adatum (local), click IT.
Note: The Amr Zaki account is restored.
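The same enable, locate and restore sequence from Windows PowerShell, checking the feature state first because enabling is one-way. This is an added example, not part of the course material; it assumes the ActiveDirectory module on LON-DC1 and the Adatum.com forest, and the function name Get-DeletedUser is hypothetical.

```powershell
# Added example (not course code). Run in an elevated session on LON-DC1.
Import-Module ActiveDirectory

# The Recycle Bin cannot be disabled once it is enabled, so read the current
# state before changing the forest. EnabledScopes is empty while it is off.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target 'Adatum.com' -Confirm:$false
}

# Locate deleted user objects by the name they had before deletion.
# msDS-LastKnownRDN keeps that name; the object's own name is rewritten on delete.
function Get-DeletedUser {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name)

    # Escape LDAP filter metacharacters so the name is matched literally.
    $escaped = $Name -replace '\\', '\5c' -replace '\*', '\2a' `
                     -replace '\(', '\28' -replace '\)', '\29'

    Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=$escaped))" `
        -Properties lastKnownParent, whenChanged
}

$deleted = @(Get-DeletedUser -Name 'Amr Zaki')
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore only when the match is unambiguous. Restore-ADObject puts the object
# back under lastKnownParent (the IT OU in the demonstration).
if ($deleted.Count -eq 1) {
    $deleted[0] | Restore-ADObject
    Get-ADUser -Filter "Name -eq 'Amr Zaki'" |
        Select-Object DistinguishedName, Enabled
}
else {
    Write-Warning "Expected one deleted object, found $($deleted.Count); nothing restored."
}
```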

Module Review and Takeaways
Best Practices
When cloning VDCs, delete snapshots before copying or exporting VDCs.
When cloning VDCs, we recommend copying disks manually if there is only one drive. We
recommend Export for VMs with more than one drive or other complex customizations such as
multiple NICs.
At least one global catalog should exist in every site.
AD DS should be at the minimum Windows Server 2008 R2 level to provide fully automatic password
and SPN management for managed service accounts.
GPOs should be backed up after any changes are made.
Do not use volumes that contain backups of GPOs or AD DS data for other uses.
Review Question(s)
Question: You have a mixture of client computers running Windows XP and Windows 8. After you
configure several settings in the Administrative Templates and Preferences of a GPO, Windows XP users
report that some settings are being applied while others are not.
Answer: Not all new settings apply to legacy systems such as Windows XP. In addition, Windows XP
cannot process Group Policy Preferences unless the correct client-side extensions are
downloaded and installed.
Real-world Issues and Scenarios
You have a large company with multiple branch offices. Some branch offices have fast, redundant
connections while others have slow, unreliable connections.
Question: When you have branch offices across WAN links, what solutions are available to facilitate client
logons in the branch offices?
Answer: You could place a domain controller in the branch office.
Question: What if security is a concern?
Answer: The domain controller could be an RODC.
Question: What can you do to help prevent network interruptions from preventing users from logging
on?
Answer: You can create a password replication policy for the RODC that enables the passwords of the
branch users to be cached locally.
Tools
Tool | Use | Location
Server Manager | A central location for all aspects of server management | Open by default on logon or can be accessed from the task bar
Active Directory Administrative Center, Active Directory Sites and Services, Active Directory Domains and Trusts | Control all aspects of Active Directory management | Can be accessed from the Tools drop-down menu in Server Manager
GPMC | Control all aspects of Group Policy management | Can be accessed from the Tools drop-down menu in Server Manager
Active Directory Best Practices Analyzer | Can detect best practices violations and provide help implementing best practices | Server Manager Dashboard
Active Directory Recycle Bin | Restore objects that were deleted in error from AD DS | Can be accessed from the Active Directory Administrative Center
Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
Domain controller promotion fails | Use the logs and troubleshooting diagnostic tools.
Group Policy is not being applied correctly | Use Group Policy troubleshooting tools such as GPResult and GPUpdate to discover the issues.
You have to restore a version of AD DS and do not know from which backup to restore | Take regular snapshots of AD DS, and then you can mount a read-only snapshot to compare to the current AD DS.


Lab Review Questions and Answers
Lab A: Implementing AD DS
Question and Answers
Lab Review
Question: What passwords are cached on the RODC by default?
Answer: Passwords are not cached by default. A password replication policy must be configured.
Question: Assigning a user as the RODC server administrator grants that user the right to create user
accounts in AD DS. True or false?
Answer: False. Granting administrative rights to the RODC enables administrative access to
perform server maintenance duties such as backup, restore, installing applications and devices,
and others. It does not grant any rights in AD DS.
Question: What client-side extensions are applied even across a slow connection?
Answer: Administrative Templates settings and security settings are always applied, even across
slow connections.
Lab B: Troubleshooting and Maintaining Active Directory Domain Services
Question and Answers
Question: Are Group Policy settings still enforced when a client computer, such as a laptop, is
disconnected from the LAN?
Answer: Yes. Group Policy is still being enforced even when disconnected from the LAN. The
client computer cannot receive any changes to Group Policy until the computer connects back to
the LAN.
Question: The Active Directory Recycle Bin can be disabled using a Windows PowerShell script. True or
false?
Answer: False. As soon as it is enabled the Active Directory Recycle Bin cannot be disabled.
Module 11
Implementing AD FS
Contents:
Lesson 2: Deploying AD FS
Lesson 3: Implementing AD FS for a Single Organization
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario
Lesson 5: Implementing Web Application Proxy
Lesson 6: Implementing Workplace Join
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 2
Deploying AD FS
Contents:
Demonstration: Installing the AD FS Server Role

Demonstration: Installing the AD FS Server Role
Demonstration Steps
Install AD FS
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. Wait until installation is complete, and then click Close.
Add a DNS record for AD FS
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.22, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
7. Close DNS Manager.
Configure AD FS
1. On LON-SVR2, in Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
6. On the Specify Service Account page, click Create a Group Managed Service Account.
7. In the Account Name box, type ADFS, and then click Next.
8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
9. On the Review Options page, click Next.
10. On the Pre-requisite Checks page, click Configure.
11. On the Results page, click Close.
Lesson 3
Implementing AD FS for a Single Organization
Contents:
Demonstration: Configuring Claims Provider and Relying Party Trusts

Demonstration: Configuring Claims Provider and Relying Party Trusts
Demonstration Steps
Configure a Claims Provider Trust
1. On LON-SVR2, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider
Trusts.
3. Right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
o E-Mail-Addresses: E-Mail Address
o User-Principal-Name: UPN
9. Click Finish, and then click OK.
Configure a WIF application for AD FS
1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Identity Foundation
Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application configuration
location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the
sample Web.config file.
3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the
path to the sample application that will trust the incoming claims from the federation server, and
then click Next to continue.
4. On the Security Token Service page, click Use an existing STS, in the STS WS-Federation
metadata document location box, type
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.
9. In the Success window, click OK.
Configure a Relying Party Trust
1. On LON-SVR2, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.
3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published online or
on a local network.
5. In the Federation Metadata address (host name or URL) box, type
https://lon-svr1.adatum.com/adatumtestapp, and then click Next. This downloads the metadata configured in
the previous section.
6. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and then
click Next.
7. On the Configure Multi-factor Authentication Now page, click I do not want to configure
multi-factor authentication settings for the relying party trust at this time, and then click Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying
party, and then click Next.
9. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
10. On the Finish page, click Close.
11. Leave the Edit Claim Rules for A. Datum Test App window open for the next demonstration.

Lesson 4
Deploying AD FS in a Business-to-Business Federation Scenario
Contents:
Resources
Demonstration: Configuring Claim Rules

Resources
How Home Realm Discovery Works
Additional Reading: For more information on RelayState, see:
http://go.microsoft.com/fwlink/?LinkId=269666
Demonstration: Configuring Claim Rules
Demonstration Steps
1. On LON-SVR2, in AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the
Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.
3. In the Claim rule name box, type Send Group Name Rule.
4. In the Incoming claim type drop-down list, click Group, and then click Finish.
5. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab,
click the rule named Permit Access to All Users, and then click Remove Rule.
6. Click Yes to confirm.
Note: With no rules, users are not permitted access.
7. On the Issuance Authorization Rules tab, click Add Rule.
8. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
9. On the Configure Rule page, in the Claim rule name box, type Permit Production Group Rule.
10. In the Incoming claim type drop-down list, select Group.
11. In the Incoming claim value box, type Production, click Permit access to users with this
incoming claim, and then click Finish.
12. On the Issuance Authorization Rules tab, click Add Rule.
13. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Allow A. Datum Users.
15. In the Incoming claim type drop-down list, select UPN.
16. In the Incoming claim value box, type @adatum.com, click Permit access to users with this
incoming claim, and then click Finish.
17. Click the Allow A. Datum Users rule, and then click Edit Rule.
18. In the Edit Rule - Allow A. Datum Users dialog box, click View Rule Language.
19. Click OK, and then click Cancel.
20. In the Edit Claim Rules for A. Datum Test App window, click OK.
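The two issuance authorization rules from this demonstration written out in claim rule language, with a check that reports any relying party trust still carrying an unconditional permit rule. This is an added example, not part of the course material; the regular expressions in the rules, the constructed $permitAll sample and the function name Test-UnconditionalPermit are assumptions of the example, not the text the wizard generates.

```powershell
# Added example (not course code). Run elevated on LON-SVR2, the AD FS server.
Import-Module ADFS

# Hand-written equivalents of the two authorization rules from the demonstration.
# Assumed matching: the group must equal "Production", and the UPN must end in
# "@adatum.com" (anchored with $ so "user@adatum.com.example" does not match).
$rules = @'
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleName = "Allow A. Datum Users"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Constructed sample of a permit-all rule: no "c:[...]" condition precedes "=>".
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Returns $true when a rule set contains a rule that issues the permit claim
# without any condition, which is what "Permit Access to All Users" does.
function Test-UnconditionalPermit {     # hypothetical helper name
    param([string]$RuleSet)
    $permitType = 'http://schemas.microsoft.com/authorization/claims/permit'
    foreach ($rule in ($RuleSet -split ';')) {
        # Drop @RuleName / @RuleTemplate annotation lines, keep the rule body.
        $body = ($rule -replace '(?m)^\s*@\w+\s*=\s*".*"\s*$', '').Trim()
        if ($body -match '^=>\s*issue\s*\(' -and
            $body -match [regex]::Escape($permitType)) {
            return $true
        }
    }
    return $false
}

# Offline check against the two rule sets defined above.
"permit-all sample flagged: $(Test-UnconditionalPermit $permitAll)"
"demonstration rules flagged: $(Test-UnconditionalPermit $rules)"

# Replace the rule set on the demonstration's relying party trust, then list
# every trust in the farm that still permits all authenticated users.
Set-AdfsRelyingPartyTrust -TargetName 'A. Datum Test App' `
    -IssuanceAuthorizationRules $rules
Get-AdfsRelyingPartyTrust |
    Where-Object { Test-UnconditionalPermit $_.IssuanceAuthorizationRules } |
    Select-Object Name, Enabled
```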

Lesson 5
Implementing Web Application Proxy
Contents:
Demonstration: Installing and Configuring Web Application Proxy

Demonstration: Installing and Configuring Web Application Proxy
Demonstration Steps
Install Web Application Proxy
1. On LON-SVR3, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR3.Adatum.com, and then click Next.
5. On the Select server roles page, select the Remote Access check box, and then click Next.
6. On the Select features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select role services page, select Web Application Proxy.
9. In the Add Roles and Features Wizard, click Add Features.
10. On the Select role services page, click Next.
11. On the Confirm installation selections page, click Install.
12. On the Installation progress page, click Close.
Export the adfs.adatum.com certificate from LON-SVR2
1. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then, to close the success
message, click OK.
16. Close the Microsoft Management Console, and do not save the changes.
Import the adfs.adatum.com certificate on LON-SVR3
1. On LON-SVR3, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
8. Right-click Personal, point to All Tasks, and then click Import.
9. In the Certificate Import Wizard, click Next.
10. On the File to Import page, in the File name box, type \\LON-SVR2\c$\adfs.pfx, and then click
Next.
11. On the Private key protection page, in the Password box, type Pa$$w0rd.
12. Select the Mark this key as exportable. This will allow you to back up or transport your keys at a
later time check box, and then click Next.
13. On the Certificate Store page, click Place all certificates in the following store.
14. In the Certificate store box, select Personal, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.
16. To clear the success message, click OK.
17. Close the Microsoft Management Console, and do not save the changes.
Configure Web Application Proxy
1. On LON-SVR3, in Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following, and then click Next:
o Federation service name: adfs.adatum.com
o User name: Adatum\Administrator
o Password: Pa$$w0rd
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy
box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.
6. On the Results page, click Close.

Lesson 6
Implementing Workplace Join
Contents:
Demonstration: Performing a Workplace Join

Demonstration: Performing a Workplace Join
Demonstration Steps
Verify that the DNS record for Workplace Join exists
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Verify that the enterpriseregistration record exists.
4. Close DNS Manager.
Enable device registration
1. On LON-SVR2, on the taskbar, click Windows PowerShell.
2. At the Windows PowerShell command prompt, type Initialize-ADDeviceRegistration
-ServiceAccountName Adatum\ADFS$ and then press Enter.
3. Type Y to confirm and press Enter.
4. Type Enable-AdfsDeviceRegistration and press Enter.
5. Close the Windows PowerShell command prompt.
6. In Server Manager, click Tools, and then click AD FS Management.
7. In the AD FS Management console, click Authentication Policies.
8. In the Actions pane, click Edit Global Primary Authentication.
9. In the Edit Global Authentication Policy window, select the Enable device authentication check box,
and then click OK.
10. Close the AD FS Management console.
Perform a Workplace Join
1. On LON-CL3, sign in as Admin with the password Pa$$word.
2. On the Start screen, type workplace, and then click Workplace settings.
3. In the Workplace window, in the Enter your user ID to get workplace access or turn on device
management box, type Brad@adatum.com, and then click Join.
4. When prompted, sign in as Adatum\Brad with a password of Pa$$w0rd.
View the device object in AD DS
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, click View, and then click Advanced Features.
3. Expand Adatum.com and click RegisteredDevices.
4. Right-click the object in the details pane and click Properties.
5. On the Attribute Editor tab, review the list of attributes.
6. Verify that the displayName attribute has a value of LON-CL3, and then click Cancel.
7. Close Active Directory Users and Computers.
Module Review and Takeaways
Review Question(s)
Question: Your organization is planning to implement AD FS. In the short term, only internal clients will
be using AD FS to access internal applications. However, in the end, you will be providing access to web-
based applications that are secured by AD FS to users at home. How many certificates should you obtain
from a third-party CA?
Answer: The only AD FS certificate that needs to be trusted is the service communication certificate. The
token signing and token decrypting certificates can be left as self-signed. Therefore, only a single
certificate from a third-party is required.
Question: Your organization has an application for customers that allows them to view their orders and
invoices. Now, all customers have a user name and password that is managed within the application. To
simplify access to the application and reduce support calls, your organization has rewritten the application
to support AD FS for authentication. What do you need to configure to support the application?
Answer: You need to perform the following tasks:
1. Configure the application to trust incoming claims. Use the WIF Federation Utility to
configure the application.
2. Configure a relying party trust for the application. This configures AD FS to provide claims to
the application for authorized users.
3. Configure claim rules for the relying party trust. This configures which information is
provided to the application.
Question: Your organization has an application for customers that enables them to view their orders and
invoices. Now, all customers have a user name and password that is managed within the application. To
simplify access to the application and reduce support calls, your organization has rewritten the application
to support AD FS for authentication. A Web Application Proxy is being configured to support application
access over the Internet. Internally, your AD FS server uses the host name adfs.contoso.com and resolves
to 10.10.0.99. How will you allow external partners to resolve adfs.contoso.com to the external IP address of
Web Application Proxy?
Answer: Use split DNS to allow the proper resolution of adfs.contoso.com to the correct IP address
internally and externally. The internal DNS server resolves adfs.contoso.com to the internal IP
address of the AD FS server. The external DNS server resolves adfs.contoso.com to the external IP
address of Web Application Proxy.
Question: Your organization has implemented a single AD FS server and a single Web Application Proxy
successfully. Initially, AD FS was used for only a single application, but now it is being used for several
business-critical applications. AD FS must be configured to be highly available.
During the installation of AD FS, you selected to use the Windows Internal Database. Can this database be
used in a highly available configuration?
Answer: Yes, the Windows Internal Database can be used to support up to five AD FS servers. The first
AD FS server is the primary server where all configuration changes take place. Changes in the
primary server are replicated to the other AD FS servers.
Question: Your organization wants to control access to applications that are available from the Internet
by using Workplace Join. What DNS changes need to be performed so that devices can locate the Web
Application Proxy during the Workplace Join process?
Answer: Devices identify the server name based on the UPN name provided during the Workplace Join
process. Assuming that there is only a single UPN name used by your organization, you need to
create a host record for enterpriseregistration.yourdomainname.com that resolves to the IP
address of the Web Application Proxy server.

Lab Review Questions and Answers
Lab: Implementing AD FS
Question and Answers
Question: Why was it important to configure adfs.adatum.com to use as a host name for the AD FS
service?
Answer: If you use the host name of an existing server for the AD FS server, you will not be able to add
additional servers to your server farm. All servers in the server farm must share the same host
name when providing AD FS services. The host name for AD FS also is used by AD FS proxy
servers.
Question: How can you test whether AD FS is functioning properly?
Answer: You can access https://hostname/federationmetadata/2007-06/federationmetadata.xml
on the AD FS server.
Module 12
Monitoring and Maintaining Windows Server 2012
Contents:
Lesson 1: Monitoring Windows Server 2012
Lesson 2: Implementing Windows Server Backup
Lesson 3: Implementing Server and Data Recovery
Module Review and Takeaways
Lab Review Questions and Answers

Lesson 1
Monitoring Windows Server 2012
Contents:
Question and Answers
Demonstration: Creating Data Collector Sets
Demonstration: Configuring Event Subscriptions

Question and Answers
Reasons for Monitoring Servers
Question: List four troubleshooting procedures that would benefit from server monitoring.
Answer: Many troubleshooting procedures benefit from server monitoring. Some are:
Establishing baseline metrics to determine typical operating conditions for servers.
Improving server performance by detecting anomalies.
Simplifying troubleshooting through early identification of malfunctioning components.
Making server management proactive through early identification of potential problems.
Predicting requirements for future server capacity.
Reallocating underused resources.
Demonstration: Creating Data Collector Sets
Demonstration Steps
Enable default performance counters in Server Manager
1. On LON-SVR1, on the taskbar, click the Server Manager icon.
2. In Server Manager, in the left pane, click All Servers, and in the right pane, scroll down to the
Performance area. Right-click LON-SVR1, and then click Start performance counters.
3. In Server Manager, click Tools, and then click Performance Monitor.
4. If the Action pane is not seen on the right side of Performance Monitor, do the following:
a. Click the View drop down menu and click Customize.
b. In the Customized View dialog box, select the Action pane check box, and then click OK.
5. In the navigation pane, expand Data Collector Sets, click User Defined, and then click Server
Manager Performance Monitor.
6. In the details pane, double-click Performance Counters to review the default counters created.
7. In the Performance Counter Properties dialog box, click Cancel.
Create a new data collector set named Windows Server Monitoring
1. In the navigation pane, expand Data Collector Sets, and then click User Defined.
2. Click Action, click More Actions, click New, and then click Data Collector Set.
3. On the How would you like to create this new data collector set? page, in the Create New Data
Collector Set Wizard, in the Name box, type Windows Server Monitoring, select Create manually
(Advanced), and then click Next.
4. On the What type of data do you want to include? page, ensure that the Create data logs option
button is selected, select the Performance Counter check box, and then click Finish.
5. In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User
Defined, click Windows Server Monitoring, click Action, click More Actions, click New, and then
click Data Collector.
6. In the Create New Data Collector Wizard, in the Name box, type Base Windows Server Monitoring,
select Performance counter data collector, click Next, and then click Add.
7. In the Available counters object list, expand Processor, click % Processor Time, and then click Add.
8. In the Available counters object list, expand Memory, click Available MBytes, and then click Add.
9. In the Available counters object list, expand Logical Disk, click % Free Space, click Add, and then
click OK.
10. In the Create New Data Collector Wizard, in the Sample interval box, accept the default values, and
then click Finish.
Verify that the data collector set works correctly
1. In the Performance Monitor, in the navigation pane, click Windows Server Monitoring, click Action,
click More Actions, and then click Start.
2. Wait at least one minute, click Action, click More Actions, and then click Stop.
3. In the navigation pane, expand Reports, expand User Defined, expand Windows Server
Monitoring, click LON-SVR1_DateTime, and then review the report.
Set data collector set scheduling
1. In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User
Defined, and in the details pane, right-click Windows Server Monitoring, and then click Properties.
2. In the Windows Server Monitoring Properties dialog box, click the Schedule tab.
3. On the Schedule tab, click Add.
4. In the Launch area, in the Start time list, select 1:00:00 AM, and then click OK.
5. Select the Stop Condition tab, and on the tab, select the Overall duration check box, and then in
the Units drop-down list, select Hours.
6. Click OK. Now, the Windows Server Monitoring data collector set will run for one hour every night at
1:00 A.M.
7. Close the Performance Monitor.
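One way to turn the log that the collector set wrote into baseline figures (minimum, average, maximum per counter), as an added example that is not part of the courseware. It assumes Windows PowerShell on LON-SVR1 and that the set kept the default root directory, C:\PerfLogs\Admin\<set name>.

```powershell
# Added example, not courseware code. Run on LON-SVR1 after the collector set has run.
# Assumption: the set writes to the default root, C:\PerfLogs\Admin\<set name>.
$root = 'C:\PerfLogs\Admin\Windows Server Monitoring'

# Pick the most recent binary performance log produced by the set.
$blg = Get-ChildItem -Path $root -Recurse -Filter *.blg |
       Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $blg) { throw "No .blg log found under $root" }

# Flatten every sample, group by counter path, and summarize each counter.
Import-Counter -Path $blg.FullName |
    ForEach-Object { $_.CounterSamples } |
    Group-Object Path |
    ForEach-Object {
        $s = $_.Group | Measure-Object CookedValue -Minimum -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Samples = $s.Count
            Min     = [math]::Round($s.Minimum, 2)
            Avg     = [math]::Round($s.Average, 2)
            Max     = [math]::Round($s.Maximum, 2)
        }
    } | Sort-Object Counter | Format-Table -AutoSize
```

Saving this table from a known-good period gives the reference values to compare against when the nightly 1:00 A.M. run shows a change.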
Demonstration: Configuring Event Subscriptions
Demonstration Steps
Configure the source computer
1. Switch to LON-SVR1.
2. Move the mouse pointer to the lower-right corner of the screen, right-click the Windows start icon,
and then click Run.
3. In the Run dialog box, in the Open text box, type cmd, and then click OK.
4. At the command prompt, type winrm quickconfig, and then press Enter.
5. In Server Manager, click Tools, and then click Computer Management.
6. In the Computer Management console, expand Local Users and Groups, and then click Groups.
7. In the details pane, double-click Administrators.
8. Click Add, and in the Select Users, Computers, Service Accounts or Groups dialog box, click
Object Types.
9. In the Object Types dialog box, select the Computers check box, and then click OK.
10. In the Select Users, Computers, Service Accounts or Groups dialog box, in the Enter the object
names to select box, type LON-DC1, and then click OK.
11. In the Administrators Properties dialog box, click OK.
Configure the collector computer
1. Switch to LON-DC1.
2. Move the mouse pointer to the lower-right corner of the screen, right-click the Windows
start icon, and then click Run.
3. In the Run dialog box, in the Open text box, type cmd, and then click OK.
4. At the command prompt, type wecutil qc, and then press Enter.
5. When you are prompted, type Y, and then press Enter.
Create a subscribed log
1. In Server Manager, click Tools, and then click Event Viewer.
2. In the Event Viewer, in the navigation pane, click Subscriptions.
3. Right-click Subscriptions, and click Create Subscription.
4. In the Subscription Properties dialog box, in the Subscription name box, type LON-SVR1 Events.
5. Click Collector Initiated, and click Select Computers.
6. In the Computers dialog box, click Add Domain Computers.
7. In the Select Computer dialog box, in the Enter the object name to select box, type LON-SVR1,
and then click OK.
8. In the Computers dialog box, click OK.
9. In the Subscription Properties LON-SVR1 Events dialog box, click Select Events.
10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.
11. In the Logged drop-down list, click Last 7 days.
12. In the Event logs drop-down list, select Windows Logs. Click inside the Query Filter dialog box, and
click OK.
13. In the Subscription Properties LON-SVR1 Events dialog box, click OK.
Check the subscribed log
1. In Event Viewer, in the navigation pane, expand Windows Logs.
2. Click Forwarded Events, and check for events from LON-SVR1.
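The collector-side procedures above, scripted with wecutil as an added example that is not part of the courseware: it defines the same collector-initiated subscription in XML, creates it, and then checks its runtime status and the Forwarded Events log. The XML file name, the description text and ReadExistingEvents=true (so events already logged in the 7-day window are collected) are assumptions.

```powershell
# Added example, not courseware code. Run elevated on the collector (LON-DC1).
# Assumes 'winrm quickconfig' has already been run on LON-SVR1.
$name    = 'LON-SVR1 Events'
$xmlPath = Join-Path $env:TEMP 'lon-svr1-events.xml'   # hypothetical file name

# Query Filter equivalent: Critical=1, Error=2, Warning=3, Information=4 or 0,
# Verbose=5, logged in the last 7 days (604800000 ms), from the Windows Logs.
$filter  = '*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)' +
           ' and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]'
$selects = 'Application', 'Security', 'Setup', 'System' |
           ForEach-Object { "<Select Path=`"$_`">$filter</Select>" }
$query   = "<QueryList><Query Id=`"0`" Path=`"Application`">$($selects -join '')</Query></QueryList>"

@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Logs from LON-SVR1, all levels</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$($query)]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>LON-SVR1</Address></EventSource>
  </EventSources>
</Subscription>
"@ | Set-Content -Path $xmlPath -Encoding UTF8

wecutil qc /q          # quick-config without the Y/N prompt
wecutil cs $xmlPath    # create-subscription from the XML file
wecutil gr $name       # get-subscriptionruntimestatus: state and last error per source

# "Check the subscribed log": summarize what has arrived from LON-SVR1 so far.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.MachineName -like 'LON-SVR1*' } |
    Group-Object ProviderName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The source-computer steps make LON-DC1 a local administrator of LON-SVR1; where the collector only needs to read event logs, the built-in Event Log Readers group on the source grants that access with far less privilege.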

Lesson 2
Implementing Windows Server Backup
Contents:
Resources
Demonstration: Backing Up Windows Server 2012 by Using Windows Server Backup (Optional)

Resources
What Is Windows Azure Online Backup?
Additional Reading: For more information on Data Management, visit the following link:
http://go.microsoft.com/fwlink/?linkID=270008
Demonstration: Backing Up Windows Server 2012 by Using Windows
Server Backup (Optional)
Demonstration Steps
1. On LON-DC1, on the taskbar click the File Explorer icon.
2. In the console tree of File Explorer, expand This PC and select Local Disk (C:).
3. On the ribbon, click the Share tab, and in the Share ribbon dialog box, click New Folder, type
Backup, and then press Enter.
4. Right-click Backup and click Share with, and then click Specific people.
5. In the File Sharing dialog box, in the drop-down list, select Everyone, and then click Add.
6. In the Name area, beside the Everyone name, click the Read drop-down arrow, and click
Read/Write.
7. Click Share, and then click Done.
8. Switch to LON-SVR1, click Server Manager, click Tools, and then click Windows Server Backup.
9. In the wbadmin [Windows Server Backup (Local)] window, in the navigation pane, click Local
Backup, and then point out the elements of the MMC, such as Status and Actions.
10. In the Actions pane, click Backup Once.
11. On the Backup Options page of the Backup Once Wizard, click Different options, and then click
Next.
12. On the Select Backup Configuration page, click Custom, and then click Next.
13. On the Select Items for Backup page, click Add Items.
14. Expand Local disk (C), select the HR Data check box, click OK, and then click Next.
15. On the Specify Destination Type page, click Remote shared folder, and then click Next.
16. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
17. On the Confirmation page, click Backup.
18. On the Backup Progress page, click Close after the backup is complete.
Lesson 3
Implementing Server and Data Recovery
Contents:
Resources
Demonstration: Restoring with Windows Server Backup (Optional)

Resources
Options for Server Recovery
Additional Reading: For more information on using BCDEdit, visit the following link:
http://go.microsoft.com/fwlink/?LinkID=331449
Considerations for Restoring Virtual Servers
Additional Reading: For more information on Hyper-V Replica, see the Microsoft Official
Courseware (MOC), 20409A, Server Virtualization with Windows Server Hyper-V and System
Center.
Demonstration: Restoring with Windows Server Backup (Optional)
Demonstration Steps
1. On LON-SVR1, locate C:\ and delete the HR Data folder.
2. On the Windows Server Backup page, in the Actions pane, click Recover.
3. On the Getting Started page, click A backup stored on another location, and then click Next.
4. On the Specify Location type page, click Remote shared folder, and then click Next.
5. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
6. On the Select Backup Date page, click Next.
7. On the Select Recovery Type page, click Next.
8. On the Select Items to Recover page, expand LON-SVR1, click the Local Disk (C:) drive, and in the
right pane, select HR Data. Ensure that the HR folder and not the individual HR files is displayed in
the right pane, and then click Next.
9. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
10. On the Confirmation page, click Recover.
11. On the Recovery Progress page, click Close.
12. Locate C:\ and ensure that the HR Data folder is restored to drive C.
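The backup and restore demonstrations, combined into a repeatable restore test with the wbadmin command line, as an added example that is not part of the courseware. It goes beyond the demonstration by restoring into a scratch folder (C:\RestoreTest, a hypothetical name) and comparing SHA-256 hashes with the originals; it assumes PowerShell 4.0 or later and English wbadmin output.

```powershell
# Added example, not courseware code. Run elevated on LON-SVR1 (PowerShell 4.0 or later).
$target  = '\\LON-DC1\Backup'
$source  = 'C:\HR Data'
$scratch = 'C:\RestoreTest'          # hypothetical scratch folder for the test restore

# Relative path and SHA-256 hash for every file under a root folder.
function Get-TreeHash([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($Root.Length)
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$before = @(Get-TreeHash $source)
if ($before.Count -eq 0) { throw "No files found under $source" }

# One-time backup of the folder to the remote shared folder (Backup Once).
wbadmin start backup "-backupTarget:$target" "-include:$source" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin backup failed ($LASTEXITCODE)" }

# Last version identifier listed for this server on the share.
$version = wbadmin get versions "-backupTarget:$target" -machine:LON-SVR1 |
    Select-String 'Version identifier:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Last 1
if (-not $version) { throw "No backup version found on $target" }

# Restore into the scratch folder instead of C:\ so live data is untouched.
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
wbadmin start recovery "-version:$version" -itemType:File "-items:$source" -recursive `
    "-recoveryTarget:$scratch" "-backupTarget:$target" -machine:LON-SVR1 -overwrite:Overwrite -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin recovery failed ($LASTEXITCODE)" }

# The folder is expected under the scratch root; fall back to the root itself.
$restored = Join-Path $scratch (Split-Path $source -Leaf)
if (-not (Test-Path -LiteralPath $restored)) { $restored = $scratch }
$after = @(Get-TreeHash $restored)
if ($after.Count -eq 0) { throw 'Nothing was restored' }
$diff = Compare-Object $before $after -Property Path, Hash
if ($diff) {
    $diff | Format-Table -AutoSize | Out-String | Write-Host
    throw 'Restored files differ from the originals'
}
"Restore test passed: $($before.Count) files match"
```

Because the demonstration shares \\LON-DC1\Backup with Everyone Read/Write, any account can alter or delete the backup set; the hash comparison detects altered content, and restricting the share to the account that runs the backup removes the exposure.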
Module Review and Takeaways
Best Practices
• Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus
on proactively detecting potential failures or performance issues.
• When monitoring, estimate the baseline of system utilization for each server. This will help
you determine whether the system is performing well or is overused.
• Analyze your important infrastructure resources and mission-critical and business-critical
data. Based on that analysis, create a backup strategy that will protect the company's critical
infrastructure resources and business data.
• Identify with the organization's business managers the minimum recovery time for
business-critical data. Based on that information, create an optimal restore strategy.
• Always test backup and restore procedures regularly, even if data loss or system failures
never occur. Perform testing in a non-production and isolated environment.
Review Question(s)
Question: Why is monitoring important?
Answer: Monitoring servers helps in obtaining information about the server-infrastructure health and
performance. Monitoring helps you proactively protect servers from performance bottlenecks,
server failures, or issues related to security, such as denial of service (DoS) attacks or viruses.
Question: You want to create a strategy for how to back up different technologies that are used in your
organization, such as DHCP, DNS, Active Directory, and SQL Server. What should you do?
Answer: Read documentation about the optimal backup strategy for each specific technology, because
every technology has specific best practices on backup and restore. Create documentation and a
checklist for backup and restore procedures.
Question: How frequently should we perform backup on critical data?
Answer: The frequency with which you perform a backup of critical data depends on your organization's
requirements and on how frequently data changes. You should always plan backup strategies
according to risk assessments. If critical data changes significantly during each day, then you
should perform backup at least once daily.
Real-world Issues and Scenarios
Your organization needs information on which data to back up, how frequently to back up different types
of data and technologies, where to store backed up data (onsite or in the cloud), and how fast they can
restore backed up data if a failure were to occur. What is your recommendation for improving your
organization's ability to efficiently restore data when it is necessary?
Answer: Your company should develop backup and restore strategies based on multiple parameters, such
as business-continuity needs, risk-assessment procedures, and resource and critical data identification.
You must develop strategies that should be evaluated and tested. These strategies should suit the
dynamic changes occurring with new technologies and should suit changes that occur with the
organization's growth.
Tools

| Tool | Use for | Where to find it |
| --- | --- | --- |
| Server Manager Dashboard | Monitoring multiple servers | Server Manager |
| Performance Monitor | Monitoring services, and application and hardware performance data | Server Manager/Tools |
| Resource Monitor | Controlling how your system resources are being used by processes and services | Server Manager/Tools |
| Windows Server Backup | Performing on-demand or scheduled backup, and restoring data and servers | Server Manager/Tools |
| Windows Azure Online Backup | Performing on-demand or scheduled backup to the cloud, and restoring data from the backup located in the cloud | Server Manager/Tools |

Common Issues and Troubleshooting Tips

| Common Issue | Troubleshooting Tip |
| --- | --- |
| During monitoring, multiple sources are concurrently reporting different problems. | Collect as much information as possible about each of the reported problems. Although there might be multiple issues, it is likely that you will find a connection between these issues or problems. |
| The server has suffered a major failure on its components. | Perform a bare-metal restore on a new system by using the backup set that you created. Use the documentation and checklist that you created as part of your company's backup and restore strategy and procedures. |
| You must have a way to back up and restore your data quickly at the company's different locations. You do not have backup media or backup hardware in each site. | Install and configure the Windows Azure Online Backup. Using this service, you can back up and restore your data on each location or server, because the backup data is located in the cloud. |
| You must restore your data because of failure of the disk system. However, you find that your backup media is corrupted. | Always retain at least two sets of copies of your backup data. In addition, you might consider keeping one copy onsite and another copy in the cloud. |


Lab Review Questions and Answers
Lab: Monitoring and Maintaining Windows 2012 Servers
Question and Answers
Question: Users are complaining of slow performance when they connect to files that are located on file
server on the network. What should you do?
Answer: You should configure performance monitoring with different performance counters. To start
monitoring, you should first start to monitor with the following performance counters:
• Processor - % Processor Time
• Memory - Available MBytes
• Logical Disk - % Free Space
Question: You are concerned about business-critical data that is located on your company's servers. You
want to perform backups daily, but not during the business hours. What should you do?
Answer: You should perform a scheduled backup that runs every day after the business hours, for
example, at 1:00 A.M.
Question: Users are reporting that they can no longer access data that is located on the server. You
connect to the server, and realize that the shared folder where users were accessing data is missing. What
should you do?
Answer: You should restore the folder by using Windows Server Backup.