40005B
Official Learning Product
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement by Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement by Microsoft of the site or the products contained
therein.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty
/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to
the Licensed Content named above, which includes the media on which you received it, if any. These license
terms also apply to any updates, supplements, internet based services and support services for the Licensed
Content, unless other terms accompany those items. If so, those terms apply.
BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy
Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only
MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or
exceeds the hardware level specified for the particular MOC Course located at your training facilities or
primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private
Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement.
Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft
Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy
Program.
h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in
good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies.
j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner
Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you
personally own or control that meets or exceeds the hardware level specified for the particular MOC
Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective. These classes are not advertised or
promoted to the general public and class attendance is restricted to individuals employed by or
contracted by the corporate customer.
m. Trainer Content means the trainer version of the MOC Course and additional content designated
solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include
Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta
feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not
include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is
licensed on a one copy per user basis, such that you must acquire a license for each individual that
accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and
servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance
with the applicable classroom set-up guide.
Use of Instructional Components in Trainer Content. You may customize, in accordance with the
most recent version of the MCT Agreement, those portions of the Trainer Content that are logically
associated with instruction of a training session. If you elect to exercise the foregoing rights, you
agree: (a) that any of these customizations will only be used for providing a training session, (b) any
customizations will comply with the terms and conditions for Modified Training Sessions and
Supplemental Materials in the most recent version of the MCT agreement and with this agreement.
For clarity, any use of customize refers only to changing the order of slides and content, and/or
not using all the slides or content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you
may not separate the components and install them on different devices.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These
license terms will apply to your use of those third party programs or services, unless other terms accompany
those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other
provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the
same information and/or work the way a final version of the Licensed Content will. We may change it
for the final version. We also may not release a final version. Microsoft is under no obligation to
provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the
beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for
using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content,
whichever is earliest (beta term). Upon expiration or termination of the beta term, you will
irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content,
which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an
Internet-based wireless network. In some cases, you will not receive a separate notice when they
connect. Using the Licensed Content operates as your consent to the transmission of standard device
information (including but not limited to technical information about your device, system and
application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could
harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access
to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights
to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
install more copies of the Licensed Content on devices than the number of licenses you acquired;
allow more individuals to access the Licensed Content than the number of licenses you acquired;
publicly display, or make the Licensed Content available for others to access or use;
install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend,
make available or distribute the Licensed Content to any third party, except as expressly permitted
by this Agreement.
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation;
access or use any Licensed Content for which you are not providing a training session to End Users
using the Licensed Content;
access or use any Licensed Content that you have not been authorized by Microsoft to access and
use; or
transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in
this agreement. The Licensed Content is protected by copyright and other intellectual property laws and
treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that
appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You
must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, End Users and end use. For additional
information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or
sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you
agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed
Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content.
The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the
contents of any third party sites, any links contained in third party sites, or any changes or updates to third
party sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any third party sites. Microsoft is providing these links to third party sites to you only as a convenience,
and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are
the entire agreement for the Licensed Content.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO
THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS
WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS,
MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR
CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY
LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT
DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING
CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT
CORPORATION AND ITS RESPECTIVE SUPPLIERS.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is provided "as is". Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the licensed content, services or content (including code) on third-party Internet sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it.
Revised December 2011
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a subject matter expert for many of the Windows Server
2012 courses, and the technical lead on a number of other courses. He also has been involved in
developing TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs
his own IT training and education consultancy.
Marcin Policht obtained his Master of Computer Science degree over 15 years ago and has since been
working in the Information Technology field, handling a variety of responsibilities, but focusing
primarily on the areas of directory services, virtualization, system management, and database
management.
He has authored the first book dedicated to Windows Management Instrumentation and co-written
several others dealing with subjects ranging from core operating system features to high-availability
solutions. His articles have been published on such Web sites as ServerWatch.com and
DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded
the title of Microsoft MVP over the last six years.
Contents
Module 1: Server Management in Windows Server 2012
Lesson 1: What's New in Server Manager
Lesson 2: Windows PowerShell and Server Core Enhancements
Lesson 3: What Is New in AD DS?
Lesson 4: Dynamic Access Control
This section provides you with a brief description of the clinic, audience, suggested prerequisites, and
clinic objectives.
Clinic Description
This three-hour clinic introduces you to the key new features in Windows Server 2012. It outlines the
new management and access features such as Server Manager, Active Directory and Windows
PowerShell. It also covers storage and network improvements as well as high availability and Hyper-V
enhancements.
Audience
This clinic is intended for IT Professionals who are interested in learning about the new features and
functionality in Windows Server 2012. People who are key influencers and technology decision makers in
an IT organization will also be interested in attending this clinic and will benefit from gaining early insight
into some of the latest technologies included in Windows Server 2012. In general, early adopters of new
technology or people looking to gain early insight into new functionality in Windows Server 2012 will
benefit from attending this First Look Clinic.
Student Prerequisites
This clinic requires that you meet the following prerequisites:
Hyper-V
Basic understanding of Active Directory, DNS, DHCP, and general networking technologies.
Clinic Objectives
After completing this Clinic, students will be able to:
Explain the Windows PowerShell enhancements, and the enhancements to the Server Core installation
of Windows Server 2012.
Describe the new and improved features in Active Directory Domain Services (AD DS).
Clinic Outline
The clinic consists of three modules, as shown below.
Module 1: Server Management in Windows Server 2012
Module 2: Storage and Networking in Windows Server 2012
Module 3: Hyper-V in Windows Server 2012
Clinic Materials
Clinic Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Clinic evaluation: At the end of the clinic, you will have the opportunity to complete an online
evaluation to provide feedback on the Clinic, training facility, and instructor.
Module 1
Server Management in Windows Server 2012
Module Overview
Windows Server 2012 has many new and improved features to assist you with server management and
administration. In this module, you will see some of the key new features that make management more
functional and more straightforward.
Objectives
After completing this module, you will be able to:
Describe the new and improved features in Active Directory Domain Services (AD DS).
Lesson 1
What Is New in Server Manager?
If your organization is large, you may be required to administer many servers, whether local or remote and physical or virtual. In addition, you might wish to maintain these servers and deploy roles and features from one central console. Windows Server 2012 Server Manager enables you to manage multiple servers from a single location, delivering true multi-server management.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to administer servers from a central location.
Explain how to deploy roles and features to remote servers.
Perform server management using the new Server Manager console.
Administering Servers with Server Manager
Although you can remotely manage servers in Windows Server 2008 R2, you can only attach to one server at a time, and you cannot remotely deploy roles and features. Server Manager in Windows Server 2012 enables you to manage multiple servers, regardless of whether the servers are local or remote and whether they are physical or virtual.
Note: In Windows Server 2008 R2, managing multiple servers from Server Manager requires a separate instance of Server Manager for each server you wish to manage. In Windows Server 2012, you can use one instance of Server Manager to manage many servers.
Windows PowerShell provides a very powerful scripting interface that you can use to manage your servers. In Windows Server 2008 R2, only a few Server Manager actions could be run within Windows PowerShell. Now, you can run all Server Manager commands from within Windows PowerShell.
Furthermore, Server Manager is able to generate XML configuration files when you add a role or feature. You can use these XML configuration files to configure deployment of roles or features to another server from Windows PowerShell.
You can use the Server Manager console to perform the following tasks on both local servers and remote servers:
View events
Perform server configuration tasks
Grouping Servers
Server Manager enables you to manage many servers from one interface. You could, therefore, organize your servers to enable you to view an overall picture of the health of your organization's enterprise and to simplify finding a particular server. Server Manager automatically organizes servers by role, a structure that enables you to see all print servers quickly, for example.
A server with multiple roles will appear in multiple groups. This can be useful in many situations, but you often want servers grouped by location, department, or some other metric. In Server Manager you can group servers however you want, and then view the status of the servers based on your groups.
Centralized Dashboard
The Dashboard in Server Manager provides an essential health report of all of the servers that you manage. You can quickly see which server groups, or roles, have problems and then examine the details to resolve the problems.
The ability to see the status of all of your servers in one dashboard view is a useful feature of Server Manager. After you have viewed the status of your servers, you might wish to take some remedial action.
For example, you might want to stop a service on multiple servers, or you might want to restart a group of servers. If you performed these actions consecutively it would take up more of your time to issue the commands. In Server Manager, you can select multiple servers and perform these actions concurrently, reducing the overall time taken to perform the actions.
Best Practice Analyzers
Server Manager includes a Best Practices Analyzer tool for all Windows Server 2012 roles. With Best Practices Analyzer, you can determine whether roles on your network are functioning efficiently or if there are problems that you need to rectify. Best Practices Analyzer examines how a role functions so you can be aware of health issues associated with specific roles before those health issues cause a failure that impacts the server functionality. This analysis includes querying associated event logs for warning and error events.
Adding and Removing Roles and Features
Managing roles, their associated role services, and features is still a primary function of a server running Windows Server 2012. In Windows Server 2008 R2 Server Manager, you could neither remotely deploy roles and features, nor deploy roles or features to virtual machines from the host. Windows Server 2012 Server Manager enables you to remotely deploy roles and features and facilitate any required server restarts. You can also add roles and features to virtual hard disks (VHDs) even when the associated virtual machine is not running. In addition, you can use Server Manager to remove roles and features.
You cannot add roles or features to multiple servers with a single command, but you can save an XML configuration file of a role or feature deployment. You can then configure a deployment of roles and features from a Windows PowerShell script using this configuration file. You can run this script against another server or modify the script to connect to multiple servers.
Demonstration Steps
1.
2.
If the Server Manager console is open, click the X in the top right corner to close the Server Manager
console.
Note: The shortcut keys described here will work if you have the virtual machine in full-screen mode. You can put the virtual machine in full-screen mode by double-clicking on the top
of the virtual machine window. You can get in and out of full-screen mode by pressing
Ctrl+Alt+Pause.
3.
Pause the mouse pointer over the bottom left hand corner of the Taskbar and click Start.
Alternatively, either hold down the Ctrl and Esc keys, or press the Windows logo key.
4.
In Start, right-click Computer. Notice that the context menu appears in the Taskbar.
5.
6.
In the Start menu, click on the user that is signed in (Administrator), and then click Sign out.
7.
8.
Sign in to LON-DC1 by using the Adatum\Administrator account and the password Pa$$w0rd.
Note: If the virtual machine is in full-screen mode and you cannot access the
Ctrl+Alt+Delete keys, press Ctrl+Alt+Pause to remove the full-screen focus.
The virtual machine can be put into full-screen mode by double-clicking on the top of the virtual
machine window.
9.
When you have logged on, pause the mouse pointer over the bottom right of the desktop, or press
Windows logo key + C. The charms bar appears.
18. Pause the mouse pointer in the bottom right or upper right corner of the desktop, or press Windows
logo key + C.
19. In the charms bar, click Start. Note that the start menu appears.
22. Press Windows Logo + R to launch the search or run dialog. Click Cancel to close the Run dialog.
23. On the taskbar, click Windows PowerShell.
24. Close Windows PowerShell by clicking the red X in the upper right corner of the screen.
25. On the taskbar, click the Server Manager icon.
Remove a role
Demonstration Steps
1.
2.
3.
On the Windows Server 2012 taskbar, click the Server Manager icon to open the Server Manager
console.
4.
In the Server Manager console, click Manage, and then click Add Roles and Features. This action
launches the Add Roles and Features Wizard.
5.
In the Add Roles and Features Wizard, on the Before you begin page, click Next.
6.
On the Select installation type page of the Add Roles and Features Wizard, select Role-based or
feature-based installation, and then click Next.
7.
On the Select destination server page of the Add Roles and Features Wizard, select a server from
the server pool, verify that LON-DC1.Adatum.com is selected, and then click Next.
8.
On the Select server roles page of the Add Roles and Features Wizard, select the Network Policy
and Access Services check box.
9.
In the Add Roles and Features Wizard dialog box, click Add Features and then click Next.
10. On the Select features page, select the Client for NFS check box, and then click Next.
11. On the Network Policy and Access Services page, click Next.
12. On the Select role services page, click Next.
13. On the Confirmation page of the Add Roles and Features Wizard, select the Restart the destination
server automatically if required check box, click Yes and then click Install.
14. On the Installation progress page of the Add Roles and Features Wizard, click Close.
15. Click the flag icon next to Server Manager Dashboard and review the messages.
16. In the Server Manager console, click the Dashboard node on the Left Hand side.
17. In the Roles and Server Groups area in the middle of the screen in the DNS box, click Events.
18. On the DNS - Events Detail View, change the time period to 18 hours and the Event Sources to
All, and then click OK.
19. In the Roles and Server Groups area, under DNS, click BPA results.
20. In the DNS - BPA Results Detail View dialog box, in the Severity Levels drop-down menu, select
the All check box, and then click OK.
21. In the Server Manager console, click on the Tools menu, show and review the tools that are installed
on LON-DC1.
22. Pause the mouse pointer in the lower left of the Taskbar, and then click Start.
23. In the Start menu, click Administrator, and then click Sign out.
24. Sign in to LON-DC1 using the Adatum\Administrator account and the password Pa$$w0rd.
25. In Server Manager, click Manage, and then click Remove Roles and Features.
26. In the Remove Roles and Features Wizard, on the Before you begin page, click Next three times.
27. On the Remove features page, clear the Client for NFS check box and then click Next.
28. Click Remove.
29. Click Close.
Lesson 2
Windows PowerShell and Server Core Enhancements
Windows PowerShell is a command-line shell and task-based scripting technology that is built into Windows Server 2012. Windows PowerShell simplifies the automation of common systems administration tasks. Windows Server 2012 extends Windows PowerShell with a new Integrated Scripting Environment (ISE). In addition, the number of cmdlets has increased from approximately 200 to more than 2000. You can use Windows PowerShell to perform all of the tasks that you can perform in Server Manager.
In Windows Server 2008 R2, there is no way to convert a Server Core deployment on a server on which the graphical interface has been deployed without triggering the need for a new installation. In Windows Server 2012, you can now remove the graphical user interface (GUI) on a standard server, and reinstall it later if necessary.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the functions of Windows PowerShell ISE.
Describe how to remove the graphical shell from Windows Server 2012.
Configure Windows Server using Windows PowerShell ISE.
Using Windows PowerShell in Windows Server 2012
Windows PowerShell is a scripting language designed to assist you in performing day-to-day administrative tasks. Windows PowerShell is made up of cmdlets that you execute at a Windows PowerShell prompt or combine into Windows PowerShell scripts. Other scripting languages in use for system administration tasks were designed for other purposes. Windows PowerShell is designed with system administration tasks in mind.
You can extend Windows PowerShell functionality by adding modules. For example, the Active Directory module includes Windows PowerShell cmdlets that are specifically useful for performing Active Directory management tasks, and the DNS Server module includes Windows PowerShell cmdlets that are specifically useful for performing domain name server (DNS) server management tasks. Windows PowerShell now also includes features such as tab completion. Tab completion allows administrators to complete commands by pressing the tab key rather than having to type the complete command.
Note: You can determine which Windows PowerShell cmdlets are available by executing the Get-Command cmdlet.
Windows PowerShell ISE
Windows PowerShell ISE is an integrated scripting environment that assists you when using Windows PowerShell. It provides command completion functionality, and allows you to see all available commands and the parameters that can be used with those commands.
Windows PowerShell ISE simplifies the process of using Windows PowerShell because you can execute cmdlets from the ISE. You can also use a scripting window within Windows PowerShell ISE to construct and save Windows PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full functionality of each cmdlet, and can create syntactically correct Windows PowerShell commands.
Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. The ISE also provides you with debugging tools that you can use to debug simple and complex Windows PowerShell scripts.
You can use the Windows PowerShell ISE environment to view available cmdlets by module. You can then determine which Windows PowerShell module you need to load to access a particular cmdlet.
Removing and Restoring the Graphical Interface
Server Core is a minimal installation option for Windows Server 2012. With Server Core, you perform management tasks locally from the command line or remotely from another computer. Server Core is the default installation option for Windows Server 2012. Server Core has the following advantages over a traditional deployment of Windows Server 2012:
Reduced update requirements. Because Server Core installs fewer components, Server Core deployments require the application of fewer software updates. This reduces the amount of time required for an administrator to service Server Core.
Reduced hardware footprint. Server Core computers require less random access memory (RAM) and less hard disk space.
Administration of Server Core can be difficult in some instances, such as when configuring third-party device drivers, or where administrators have limited command-line abilities.
Although there are obvious benefits to using Server Core, there were certain tradeoffs in previous versions. Previous versions of Server Core had to be configured using a command line, and conversion backwards and forwards between the Server Core version and the full version was not possible. This caused many deployments of the Full version when Server Core would have been more suitable.
There are two ways of installing a Server Core configuration of Windows Server 2012:
Note: Removing the GUI reduces the disk footprint by around 300 MB, while Server Core is
approximately 4 GB smaller.
You can uninstall the graphical interface either partially or completely by using the Remove Roles and
Features Wizard in Server Manager. This feature enables you to deploy a server and configure remote
administration using the graphical interface and then uninstall the graphical interface and manage the
server remotely.
You can also choose to leave a partial graphical interface so that you can still run administration tools
such as Server Manager locally.
You can switch from Server Core to the graphical version of Windows Server 2012 by running the
following Windows PowerShell cmdlet, where c:\mount is the root directory of a mounted image that
hosts the full version of the Windows Server 2012 installation files:
Import-Module ServerManager
Install-WindowsFeature -IncludeAllSubFeature User-Interfaces-Infra -Source c:\mount\windows\winsxs
Another related installation option is Features on Demand. This is a full installation of Windows Server
2012, but with only the basic required roles and features installed. Additional roles and features may be
installed later as required from a remote source, reducing local storage requirements and footprint.
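As an added example (not part of the course text), the following functions show the partial and complete GUI removal described above and the restore cmdlet, using the ServerManager module. The sub-feature names Server-Gui-Mgmt-Infra, Server-Gui-Shell and Desktop-Experience are the Windows Server 2012 children of User-Interfaces-Infra and are not listed on this page; c:\mount is the lesson's mounted image path.

```powershell
# Added example: inspect and change the interface level of a Windows Server 2012
# installation. Each Set-/Restore- function restarts the server, so run one at a time.
Import-Module ServerManager

function Get-InterfaceLevel {
    # Maps installed features to the three states the lesson describes.
    $installed = @{}
    Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell |
        ForEach-Object { $installed[$_.Name] = $_.Installed }
    if ($installed['Server-Gui-Shell'])      { return 'Full GUI' }
    if ($installed['Server-Gui-Mgmt-Infra']) { return 'Minimal Server Interface' }
    return 'Server Core'
}

function Show-GuiFeatures {
    # Inventory of the GUI feature tree and its current install state.
    Get-WindowsFeature -Name User-Interfaces-Infra, Server-Gui-Mgmt-Infra, Server-Gui-Shell, Desktop-Experience |
        Select-Object Name, DisplayName, InstallState |
        Format-Table -AutoSize
}

function Set-MinimalServerInterface {
    # Partial removal: the Explorer shell goes, the management infrastructure stays,
    # so Server Manager and MMC consoles still run locally.
    Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart
}

function Set-ServerCore {
    # Complete removal. -Remove also deletes the feature payload from the component
    # store, which is where the disk saving comes from; a later reinstall then needs -Source.
    Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Desktop-Experience -Remove -Restart
}

function Restore-FullGui {
    param([string]$Source = 'c:\mount\windows\winsxs')   # lesson's mounted image path
    # The cmdlet quoted in the lesson, with a restart so the shell is ready at next sign-in.
    Install-WindowsFeature -Name User-Interfaces-Infra -IncludeAllSubFeature -Source $Source -Restart
}

Get-InterfaceLevel
```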
Demonstration Steps
1. On LON-DC1, on the Windows taskbar, right-click the Windows PowerShell icon, and then click Windows PowerShell ISE.
2. In the Windows PowerShell ISE command line area, type get-. Cmdlet names appear in an IntelliSense list. This is a list of items that match what you have typed, to help you identify the command you are looking for.
3.
4. Single-click Get-Help in the IntelliSense list and pause the mouse over the cmdlet. Notice the parameter help window that appears, outlining the parameters and switches that can be used with Get-Help.
5. Double-click Get-Help in the IntelliSense list. This puts the Get-Help cmdlet into the Windows PowerShell ISE command line interface.
6.
7. In the Windows PowerShell ISE Commands tab on the right-hand side of the window, type feature. The ISE displays a list of cmdlets that contain feature in the name.
8. Scroll through the list, click Get-WindowsFeature, and then click the Show Details button.
9. Note the Parameters for Get-WindowsFeature: section which appears, and the boxes that are present which allow you to enter values for the parameters listed.
Lesson 3
What Is New in AD DS?
Windows Server 2012 includes important improvements to AD DS, such as security enhancements, extension of the GUI, and simplified domain deployment. This lesson explores these improvements.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the new features for AD DS.
Explain how to use the Active Directory Recycle Bin.
Describe the improved domain deployment capabilities.
Explain how AD DS virtualization is safer.
Important New Features
Windows Server 2012 has several new features for AD DS. The Windows PowerShell command line interface is the underlying component behind installations and configurations. It enables full scripting and automation, and new GUIs for previously command-line-only activities.
Some new features are described in the following table.
Feature: Deployment
Improvement:
Server Manager now enables installation of the AD DS role on both remote and local computers. The Active Directory Domain Services Configuration Wizard replaces the Active Directory Installation Wizard (also called DCPromo).
Deployment now uses Windows PowerShell in the background.
When you install Active Directory on the member server, Windows Server 2012 performs prerequisite checks that validate domain and forest readiness.
Improved support for virtualizing domain controllers.
Feature: Simplified administration
Improvement:
Improvements to configure and monitor AD DS through the Server Manager console include:
A GUI for the Active Directory Recycle Bin.
A GUI to implement fine-grained passwords.
Group Policy health monitoring.
AD DS-specific performance monitoring and best practice analysis.
Active Directory management tools, which you can open from the Server Manager console.
Feature: Support for virtualized domain controllers
Feature: Windows PowerShell history viewer
Improvement: When administrators use the Active Directory Administrative Center, they can now view the underlying Windows PowerShell commands that are executed. This reduces the time required to learn the Windows PowerShell commands.
You can now access the Active Directory Recycle Bin from the Active Directory Administrative Center in Windows Server 2012. This simplifies the recovery of Active Directory objects that were erroneously deleted. The Active Directory Recycle Bin lets administrators enable the Recycle Bin and locate or restore deleted objects in the domain. Use of Windows PowerShell or Ldp.exe to enable the recycle bin or restore objects in domain partitions is no longer required.
Active Directory Recycle Bin Characteristics
The Active Directory Recycle Bin has the following characteristics:
It must be manually enabled. As soon as it is enabled, you cannot disable it.
You must be a member of the Domain Administrators group to recover objects from the Active Directory Recycle Bin.
The recycle bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. Disk space that is used by the recycle bin continues to increase over time as it preserves objects and all attribute data.
Objects are preserved in the recycle bin for a configurable amount of time to match the tombstone lifetime of the forest. This is 180 days by default.
After the Active Directory Recycle Bin is enabled, deleted restorable objects can be viewed in the Active Directory Administrative Center console.
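As an added example (not part of the course text), the ActiveDirectory module equivalents of the characteristics above: checking whether the Recycle Bin is enabled, enabling it (a one-way change), reading the lifetimes that govern how long deleted objects stay restorable, and restoring a deleted user. The forest name Adatum.com is the lab's; the user name is a constructed value.

```powershell
# Added example: Active Directory Recycle Bin status, enablement, lifetimes and restore.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    # EnabledScopes is empty until the feature is enabled; once enabled it cannot be disabled.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    [pscustomobject]@{
        Enabled       = ($feature.EnabledScopes.Count -gt 0)
        EnabledScopes = @($feature.EnabledScopes)
    }
}

function Enable-RecycleBin {
    param([string]$ForestDns = 'Adatum.com')   # lab forest
    # Forest-wide and irreversible, so only do it when it is not already on.
    if (-not (Get-RecycleBinStatus).Enabled) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $ForestDns -Confirm:$false
    }
    Get-RecycleBinStatus
}

function Get-RecycleBinLifetimes {
    # Deleted objects stay restorable for msDS-DeletedObjectLifetime; when that attribute is
    # not set, the tombstone lifetime (180 days by default, per the lesson) applies instead.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        TombstoneLifetimeDays     = $ds.tombstoneLifetime
        DeletedObjectLifetimeDays = $ds.'msDS-DeletedObjectLifetime'
    }
}

function Get-DeletedObjects {
    # Deleted objects sit under CN=Deleted Objects and are hidden unless explicitly requested.
    # lastKnownParent tells you where a restore will put the object back.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN' |
        Select-Object ObjectGUID, 'msDS-LastKnownRDN', ObjectClass, lastKnownParent, whenChanged
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Restore by GUID; the object returns to lastKnownParent with all attributes intact.
    # If the parent OU was deleted as well, restore the OU first with the same cmdlet.
    $obj = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects
    if (-not $obj) { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    Restore-ADObject -Identity $obj.ObjectGUID
    Get-ADUser -Identity $SamAccountName
}

# Usage (constructed lab values):
# Enable-RecycleBin -ForestDns 'Adatum.com'
# Get-RecycleBinLifetimes
# Get-DeletedObjects | Format-Table -AutoSize
# Restore-DeletedUser -SamAccountName 'ABegley'
```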
Deploying Domain Controllers
With Windows Server 2008, you could install the AD DS role to add the binary files and use DCPromo to promote the computer to be a domain controller. In Windows Server 2012, you can promote a domain controller by using Server Manager to add the AD DS role. You use a separate wizard to configure AD DS within Server Manager.
You can add the AD DS role binaries using these methods:
Installs AD DS remotely.
Prepares schema extension and domain preparation automatically in the background.
The ServerManager PowerShell module. You can add AD DS binaries using the AD DS PowerShell module for local or remote installations.
Note: You can also use the command-line tool, Dism.exe, to deploy the AD DS role.
Improvements to Domain Controller Virtualization
Windows Server 2012 introduces virtualized domain controller cloning. Cloning a virtualized domain controller presents certain challenges. For example, two domain controllers cannot coexist in the same forest with the same name, invocation ID, and security identifier. Prior to Windows Server 2012, you could create virtualized domain controllers by deploying a Sysprepped base server image and manually promoting it to be a domain controller. Windows Server 2012 provides specific virtualization capabilities to AD DS Virtualized Domain Controllers (VDCs) to resolve those issues.
Windows Server 2012 VDCs have two new capabilities:
Accidental restoration of domain controller snapshots does not disrupt the AD DS environment.
Safe Cloning
A cloned domain controller automatically syspreps (based on settings in DcCloneConfig.xml) and promotes itself using the existing local AD DS data as installation media.
Rolling back to a previous snapshot of a VDC is problematic because AD DS uses multi-master replication that relies on changes being assigned increasing numeric values called Update Sequence Numbers (USNs). These USNs, together with the database identifier, called InvocationID, uniquely identify updates. Each domain controller keeps track of the USNs of its replication partners. When a VDC restored from a snapshot reassigns existing USNs to new changes, these changes are ignored by the replication partners of the VDC. This mechanism causes inconsistencies in the AD DS database. Windows Server 2012 Hyper-V is capable of detecting that a snapshot restore has been applied to a VDC and forces inbound synchronization with replication partners to ensure that local USNs are current.
Creating a VDC Clone
To create a VDC clone in Windows Server 2012, perform the following high level steps:
1.
2. Run the Get-ADDCCloningExcludedApplicationList cmdlet.
3. Run New-ADDCCloneConfigFile.
4. Export and then import the virtual machine of the source domain controller.
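As an added example (not part of the course text), the cmdlet steps of the procedure above as they would be run on the source domain controller (LON-DC1 from the lab), plus the export step on the Hyper-V host. The clone name, IP settings, site name and export path are constructed values.

```powershell
# Added example: prepare a Windows Server 2012 domain controller for safe cloning.
Import-Module ActiveDirectory

function Test-CloneReadiness {
    # Returns $true when every service and program on this DC is on the clone allow list.
    # Anything listed must be removed or, after review, approved with
    # Get-ADDCCloningExcludedApplicationList -GenerateXml; otherwise the clone refuses
    # to promote and boots into Directory Services Restore Mode instead.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -gt 0) {
        Write-Warning "$($excluded.Count) application(s) are not on the clone allow list:"
        $excluded | Format-Table Name, Type -AutoSize
        return $false
    }
    return $true
}

function New-CloneConfig {
    param(
        [string]$CloneName   = 'LON-DC3',                 # constructed values
        [string]$IPv4Address = '172.16.0.30',
        [string]$SubnetMask  = '255.255.0.0',
        [string]$Gateway     = '172.16.0.1',
        [string]$DnsServer   = '172.16.0.10',
        [string]$SiteName    = 'Default-First-Site-Name'
    )
    # Writes DCCloneConfig.xml next to the AD database. On first boot the copy reads it,
    # takes a new name, SID and InvocationID, and promotes itself from its own database,
    # which is what makes this safer than promoting a Sysprepped image by hand. Run
    # online, the cmdlet also performs the prerequisite checks (PDC emulator on 2012,
    # the source DC permitted to be cloned, no excluded applications).
    if (-not (Test-CloneReadiness)) { throw 'Resolve the excluded applications before cloning' }
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -Static `
        -IPv4Address $IPv4Address -IPv4SubnetMask $SubnetMask `
        -IPv4DefaultGateway $Gateway -IPv4DNSResolver $DnsServer `
        -SiteName $SiteName
}

# Step 4, run on the Hyper-V host (Hyper-V module) once the config file exists:
function Export-SourceDC {
    param([string]$VmName = 'LON-DC1', [string]$Path = 'D:\Clones')   # constructed path
    # The source must be off while it is copied so the two machines never run with the
    # same identity at the same time.
    Stop-VM -Name $VmName
    Export-VM -Name $VmName -Path $Path
    # Import the copy with a new VM ID so it gets its own VM-Generation ID:
    #   Import-VM -Path "$Path\$VmName\Virtual Machines\<vm-id>.xml" -Copy -GenerateNewId
    # then rename and start the copy; the source can be started again once the import finishes.
}
```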
Group Managed Service Accounts
Standalone Managed Service Accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management to single servers. Group Managed Service Accounts provide the same functionality within the domain but also extend that functionality over multiple servers.
When connecting to a service hosted on a server farm, such as a Network Load Balancing cluster, the authentication protocols supporting mutual authentication require that all instances of the services use the same principal. When Group Managed Service Accounts are used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.
Note: Group Managed Service Accounts can only be configured and administered on computers running Windows Server 2012.
Group Managed Service Accounts provide a single identity solution for services running on a server farm or on systems configured as a Network Load Balancing cluster. Administrators do not need to manage password synchronization between service instances when using a Group Managed Service Account.
The Group Managed Service Account supports hosts that are kept offline for an extended time period, and management of member hosts for all instances of a service. This means you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service they are connecting to.
Note: For Windows Server 2012, the Windows PowerShell cmdlets default to managing the Group Managed Service Accounts instead of the original Standalone Managed Service Accounts.
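As an added example (not part of the course text), a Group Managed Service Account for a two-node NLB web farm created with the ActiveDirectory module, then installed and tested on a farm member. The host names LON-SVR1 and LON-SVR2, the account name svc-WebFarm, the group WebFarm-Hosts and the SPNs are constructed lab values.

```powershell
# Added example: create a gMSA whose password only the farm hosts can retrieve.
Import-Module ActiveDirectory

function Initialize-KdsRootKey {
    # gMSA passwords are derived from a KDS root key held by the domain controllers.
    # In production the key becomes usable 10 hours after creation (replication safety);
    # the EffectiveTime trick below is only for single-DC labs.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    }
}

function New-FarmServiceAccount {
    param(
        [string]$Name    = 'svc-WebFarm',
        [string]$DnsName = 'webfarm.adatum.com',
        [string[]]$Hosts = @('LON-SVR1', 'LON-SVR2')
    )
    # The principals allowed to retrieve the managed password are the security boundary:
    # use a group holding exactly the farm hosts, never "Domain Computers".
    $hostGroup = Get-ADGroup -Filter 'Name -eq "WebFarm-Hosts"'
    if (-not $hostGroup) {
        $hostGroup = New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -PassThru
    }
    Add-ADGroupMember -Identity $hostGroup -Members ($Hosts | ForEach-Object { Get-ADComputer $_ })

    # SPNs live on the shared account, not on any single host, which is what lets every
    # farm node present the same principal for mutual authentication.
    New-ADServiceAccount -Name $Name -DNSHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -ServicePrincipalNames "HTTP/$DnsName", "HTTP/$($DnsName.Split('.')[0])" `
        -ManagedPasswordIntervalInDays 30
    Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'
}

# On each farm member (Windows Server 2012 with the AD PowerShell feature installed).
# A host added to WebFarm-Hosts needs a reboot before its ticket carries the new membership.
function Install-FarmServiceAccount {
    param([string]$Name = 'svc-WebFarm')
    Install-ADServiceAccount -Identity $Name
    # $true only if this host is an allowed principal and the KDS key is effective;
    # the service can then be configured to log on as ADATUM\svc-WebFarm$ with no password.
    Test-ADServiceAccount -Identity $Name
}
```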
Lesson 4
Dynamic Access Control
Dynamic Access Control is a new claims-based authorization system in Windows Server 2012. You can configure Dynamic Access Control to reflect your organization's business structure and processes, making it more straightforward to translate business rules into access control rules to enhance, rather than replace, the existing authorization model.
Lesson Objectives
After completing this lesson, you will be able to:
Introduction to Dynamic Access Control
Because much of the data in an organization is stored on file servers, IT administrators must help provide security and access control to file server resources. In previous versions of Windows Server, most access control to file server resources was performed using NTFS file system permissions and access control lists.
Dynamic Access Control in Windows Server 2012 is a new access control mechanism for file system resources that enables administrators to define central file access policies that can apply to every file server in the organization. Dynamic Access Control helps implement security over file servers, in addition to any existing share and NTFS file system permissions. Dynamic Access Control ensures that this central overriding policy is still enforced, regardless of how the share and NTFS file system permissions might change. Dynamic Access Control combines multiple criteria into the access decision. This augments the NTFS Access Control Lists (ACL) so that users must satisfy both the NTFS ACL and the central access policy to gain access to the file.
Dynamic Access Control provides:
Data classification. You can use automatic and manual classification of files to tag data in file servers across the organization.
Access control to files. Central access policies enable organizations to define who can access particular data. For example, these policies can restrict access to personal employee medical health information within the organization.
Optional RMS protection integration. Automatic Rights Management Services (RMS) encryption for sensitive Microsoft Office documents. For example, you can configure RMS to encrypt all documents containing Health Insurance Portability and Accountability Act (HIPAA) information.
Auditing for compliance and analysis. Enable targeted auditing across file servers for compliance reporting and forensic analysis.
Dynamic Access Control provides a flexible way to apply and manage access and auditing to domain-based file servers. Dynamic Access Control uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries. With this combination of features, you can now grant access to files and folders based on AD DS attributes.
What are Identity, Claims, and Central Access Policy?
In order to plan and implement Dynamic Access Control, you must understand some fundamental concepts.
Identity
Identity is information provided from a trusted source about an entity. This identity is considered authoritative because the source is trusted. Older versions of Windows Server used the user and group account security identifiers (SIDs) to represent the identity of a user or computer. Users authenticate to the domain with a specific user name and password. The unique logon name translates into the SID. The domain controller validates the password and provides back a token with the SID of the security principal and the SIDs of all the groups of which the principal is a member. The domain controller "claims" the user's SID is valid and should be used as the identity of the user. Because all domain members trust the domain controller, the response is treated as authoritative.
But identity does not need to be limited to the user's SID. Applications can use any information about the user as a form of identity, provided that the application trusts the source of the information to be authoritative.
Claim
User Claim. A user claim is information provided by a Windows Server 2012 domain controller
about a user. Windows Server 2012 domain controllers can use most AD DS user attributes as claim
information. This provides you with many possibilities to configure and use claims for access control.
Device Claim. A device claim is information provided by a Windows Server 2012 domain controller
about a device represented by a computer account in AD DS. As with a user claim, a device claim,
often called a computer claim, can use most of the AD DS attributes that are applicable to computer
objects.
The Central Access Policy is a feature in Windows Server 2012 that enables you to create a policy that is
applied to one or more file servers. Central Access Policy is created in the Active Directory Administrative
Center, stored in AD DS, and applied by using GPOs. Central Access Policy contains one or more Central
Access Policy rules. Each rule contains settings that determine applicability and permissions.
Note: Before you create Central Access Policy, you must create at least one central access
rule. A central access rule defines all parameters and conditions that control access to specific
resources and has three configurable elements:
Name. For each central access rule you should provide a meaningful name.
Target resources. Define what data the policy applies to. This is defined by specifying an attribute and
its value. For example, a particular central policy might apply to any data classified as Sensitive.
Permissions. A list of one or more access control entries (ACEs) that define which users can access the
data. For example, you can specify Full Control Access to a user with attribute EmployeeType
populated with the value FTE. This is the key component of each central access rule. You can combine
and group conditions that you place in central access rule. You can set permission as proposed (for
staging purposes) or current.
After you have configured one or more central access rules, you then place these rules in Central
Access Policy which is applied to the resources.
Central access policy enhances, but does not replace, the local access policies or discretionary access
control lists (DACL) that are applied to files and folders on a specific server. For example, if a DACL on a
file allows access to a specific user, but a central policy is also applied to the file that restricts access to the
same user, the user cannot obtain access to the file. Likewise, if the central access policy allows access but
the DACL does not allow access, then the user cannot obtain access to the file.
Before you implement Central Access Policy, you must:
1. Use security groups or optionally create claims and connect them with attributes on user or computer objects.
2.
3.
4.
5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a Central Access Policy exists in AD DS.
On the file server, apply that policy to a specific shared folder. You can also use the Data Classification Toolkit to automatically apply central policies across multiple file servers and report on which policies are applied on which shares.
Overview of How to Implement Dynamic Access Control
As you could see in previous topics, there are many required components and configuration steps that must be complete before you actually use Dynamic Access Control features. It is very important that you understand the purpose of each component and each configuration step before you implement Dynamic Access Control.
To successfully implement Dynamic Access Control, you need to do and understand the following:
Configure claims for users and devices. You use claims to identify attributes of user and computer objects that you want to use in the Dynamic Access Control implementation. By using claims, you actually extend the ability of access control to use the value of an attribute as a condition for evaluating access.
Configure resource property definitions. By defining resource property definitions, you identify object properties that you want to use in conditional expressions used for access control.
Demonstration: Implementing Dynamic Access Control
This demonstration shows how to:
Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access Control.
3.
4. In the Tasks pane, click New, and then select Claim Type.
5. In the Create Claim Type dialog box, in the Source attribute section, select attribute department.
6.
7.
8. Click OK.
9. In the Active Directory Administrative Center console, in the navigation pane, click Dynamic Access Control.
12. In the Create Claim Type dialog box, in the Source attribute section, select attribute employeeType.
13. Select both User and Computer check boxes.
14. Click OK.
15. In ADAC console, click Dynamic Access Control.
16. In the central pane double-click Resource Properties.
17. In the Resource Properties list, locate the property Department.
18. Right-click Department, and then click Enable.
19. In the Active Directory Administrative Center console, in navigation pane, click Dynamic Access
Control.
20. Double-click Central Access Rules.
21. In the Tasks pane, click New, and then click Central Access Rule.
22. In the Central Access Rule dialog box, type Department Match for the Name.
23. In the Target Resources section click Edit.
24. In the Central Access Rule dialog box, click Add a condition.
31. In the Select User, Computer, Service Account or Group dialog box, type Authenticated Users,
click Check Names, and then click OK.
32. In the Basic permissions section select Modify, Read and Execute, Read and Write.
33. Click Add a condition.
34. Click the Group drop-down list and select Company Department.
35. In the Value drop-down list, select Resource.
36. In the last drop-down box select Department. Note: As a result, you should have: User-Company
Department-Equals-Resource-Department.
37. Click OK three times.
38. In Active Directory Administrative Center, click Dynamic Access Control, and then double-click
Central Access Policies.
39. In Tasks pane, click New, and then click Central Access Policy.
40. Type Department Match for Name of policy.
41. Click Add.
42. Click Department Match rule, and then click >>.
43. Click OK twice.
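As an added example (not part of the course text), the objects built in the demonstration above (the department and employeeType claim types, the enabled Department resource property, the Department Match central access rule and policy) created with the ActiveDirectory module instead of the Active Directory Administrative Center. The claim IDs, the rule's SDDL, the resource condition and the built-in resource property ID Department_MS are assumptions not stated on this page.

```powershell
# Added example: the Dynamic Access Control configuration from the demonstration,
# scripted. Order matters: claims and resource properties, then the rule, then the policy.
Import-Module ActiveDirectory

function New-DacClaimTypes {
    # Claims are sourced from AD attributes and issued by 2012 DCs into the Kerberos token.
    # employeeType applies to users and computers (device claims), as in steps 12-13.
    New-ADClaimType -DisplayName 'Company Department' -SourceAttribute department `
        -ID 'ad://ext/CompanyDepartment' -AppliesToClasses user
    New-ADClaimType -DisplayName 'Employee Type' -SourceAttribute employeeType `
        -ID 'ad://ext/EmployeeType' -AppliesToClasses user, computer
}

function Enable-DepartmentResourceProperty {
    # Resource properties are the file-side half of a condition: classification stamps them
    # on folders, and they must be enabled before file servers will offer them.
    Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
    Get-ADResourceProperty -Identity 'Department_MS' | Select-Object DisplayName, ID, Enabled
}

function New-DepartmentMatchRule {
    # Grants Modify (0x1301bf) to Authenticated Users (AU) only when the user's department
    # claim equals the Department stamped on the resource, i.e. the
    # User-Company Department-Equals-Resource-Department condition of step 36.
    # The owner (OW) ACE keeps the file owner in control. The share and NTFS DACL still
    # apply in addition; the central rule can only narrow access, never widen it.
    $sddl = 'O:SYG:SYD:AR(A;;FA;;;OW)' +
            '(XA;;0x1301bf;;;AU;(@USER.ad://ext/CompanyDepartment == @RESOURCE.Department_MS))'
    New-ADCentralAccessRule -Name 'Department Match' `
        -ResourceCondition '(Exists @RESOURCE.Department_MS)' `
        -CurrentAcl $sddl
}

function New-DepartmentMatchPolicy {
    # A policy groups one or more rules; the policy, not the rule, is what Group Policy
    # delivers to file servers and what an administrator attaches to a share.
    New-ADCentralAccessPolicy -Name 'Department Match'
    Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'
    Get-ADCentralAccessPolicy -Identity 'Department Match' -Properties Members
}

function Show-DacConfiguration {
    # Review what a file server will be offered once the policy is deployed.
    Get-ADClaimType -Filter * | Select-Object DisplayName, ID, SourceAttribute, Enabled
    Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl
    Get-ADCentralAccessPolicy -Filter * -Properties Members | Select-Object Name, Members
}
```

The policy still has to reach the file servers through Group Policy and be selected in a share's Advanced Security Settings before it affects any access decision.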
Server Manager in Windows Server 2012 enables you to manage multiple servers, regardless of
whether the servers are local or remote and regardless of whether they are physical or virtual.
In Windows Server 2012, Windows PowerShell has been extended and advanced with a new
PowerShell ISE and the number of cmdlets has increased from approximately 200 to more than 2000.
AD DS has been improved in many areas. Security has been enhanced, the functionality of the GUI
has been extended, and domain deployment has been simplified.
Dynamic Access Control is a new claims-based authorization system that enhances, rather than
replaces, the existing authorization model.
Review Question(s)
Question: How many instances of Windows Server 2012 Server Manager are required to manage
eight servers concurrently?
Question: Which feature in Windows PowerShell ISE prompts you as you type cmdlets?
Question: Dynamic Access Control in Windows Server 2012 introduces what two new types of
claims?
Question: In Windows Server 2012, what four functions does IPAM provide?
Module 2
Storage and Networking in Windows Server 2012
Contents:
Module Overview
Module Overview
Planning and implementing efficient and reliable storage helps to ensure the reliability and availability of
applications that rely on the underlying storage. Ensuring that your network infrastructure is efficient and
reliable also helps to ensure the availability of your networked applications.
In this module, we will discuss storage improvements that provide improved scalability both at a disk and
server level, and improvements to Windows BranchCache. We will then discuss DirectAccess
improvements that help to deliver automatic connections to corporate networks, regardless of whether
the user is onsite or remote. Finally, we will examine improvements and additions to networking
technologies, including changes to Domain Name System (DNS), Dynamic Host Configuration Protocol
(DHCP), and the introduction of Internet Protocol Address Management (IPAM) to Windows Server 2012.
Objectives
After completing this module, you will be able to:
Lesson 1
Storage Enhancements
Storage is fundamental to most server computers. Whatever you do with applications and networks, they still access data and must present this data to user applications. Improving the availability, scalability, performance, and disaster recovery of storage will benefit your entire server infrastructure. Windows Server 2012 has many storage improvements to help you to meet these goals.
Lesson Objectives
After completing this lesson, you will be able to:
Describe some of the new storage features in Windows Server 2012.
Explain Storage Spaces.
Explain the benefits of Server Message Block (SMB) 3.0.
Explain the benefits of an Internet Small Computer System Interface (iSCSI) Target Server.
New Storage Features in Windows Server 2012
Windows Server 2012 introduces many storage changes and improvements. The following table describes some of the new storage features and improved functionality.
New feature: Multi-terabyte volumes
Improvement: You can use this feature to deploy multi-terabyte NTFS file system volumes, which supports consolidation scenarios and maximizes storage utilization.
Improvement: The Chkdsk tool introduces a new approach that prioritizes volume availability and enables you to detect file system corruption while the volume remains online with data available.
New feature: Data deduplication
Improvement: You can use this feature to save disk space by storing a single instance of multiple identical data segments on the volume.
Improvement: You can use this feature to virtualize storage by grouping industry-standard disks into Storage Pools, and then create Storage Spaces from the available capacity in the Storage Pools.
New feature
Impro
ovement
2-3
SMB 3.0
iSCSI target se
erver
Scale-Out File
e Server
Windows Pow
werShell cmdlets
for File and Sttorage Service
es
Storage Spaces
A storage space is a storage virtualization capability built into Windows Server 2012 and Windows 8. You
can use storage spaces to add physical disks of any type and size to a storage pool and create highly
available virtual disks from it. The primary advantage of storage spaces is that you no longer manage
single disks, but manage them as one unit instead.
To create a highly available virtual disk, you must have the following:
Virtual disk (or storage space). This is very similar to a physical disk from the perspective of users and
applications. However, virtual disks are more flexible because they include thin provisioning or
just-in-time (JIT) allocation, and they include resiliency to physical disk failures through built-in
functionality such as mirroring.
A minimum of three physical disks is required to create a storage space with resiliency through parity.
Three-way mirroring requires at least five physical disks.
Disks must be blank and unformatted; no volume must exist on them.
Disks can be attached using a variety of bus interfaces including SAS, SATA, SCSI, and USB. If you want to
use failover clustering with storage pools, SAS disks are required.
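The pool-then-virtual-disk workflow described above, as an added example using the Windows Server 2012
Storage module (this is not code from the course; the pool name, virtual disk name, size and label are
assumptions):

```powershell
# Added example (not from the course text): build a mirrored storage space with the
# Windows Server 2012 Storage cmdlets. Pool, disk and volume names are assumptions.

# 1. Only blank, unformatted disks are eligible for pooling (CanPool = True).
$eligible = Get-PhysicalDisk -CanPool $true
if ($eligible.Count -lt 2) { throw "A two-way mirror needs at least two poolable disks" }

# 2. Create the pool on the local Storage Spaces subsystem.
$pool = New-StoragePool -FriendlyName "Pool1" `
    -StorageSubSystemFriendlyName "Storage Spaces*" `
    -PhysicalDisks $eligible

# 3. Carve a thin-provisioned, two-way mirrored virtual disk from the pool.
#    With 3+ disks you can use -ResiliencySettingName Parity instead; with 5+ disks
#    -NumberOfDataCopies 3 gives a three-way mirror.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $pool.FriendlyName `
    -FriendlyName "Data1" -ResiliencySettingName Mirror -NumberOfDataCopies 2 `
    -ProvisioningType Thin -Size 500GB

# 4. Initialize, partition and format the virtual disk exactly like a physical one.
$disk = $vdisk | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data1" -Confirm:$false

# 5. Verify: HealthStatus should be Healthy and OperationalStatus OK for the virtual
#    disk and for every physical disk in the pool.
Get-VirtualDisk -FriendlyName "Data1" |
    Select-Object FriendlyName, ResiliencySettingName, HealthStatus, OperationalStatus
Get-PhysicalDisk | Select-Object FriendlyName, BusType, HealthStatus, OperationalStatus
```

A thin-provisioned mirror is only as resilient as the number of healthy physical disks behind it; the
final Get-PhysicalDisk check is what tells you whether a failed member has silently reduced the space
to a single copy.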
What Is SMB 3.0?
SMB is a network file sharing protocol that provides access to files and services over a network.
Windows Server 2012 introduces SMB 3.0, which has several key improvements over previous versions. The
following sections describe some of these improvements and their implications.
High Speed
Direct Attached Storage (DAS) is storage that is physically installed in or attached to the machine and
provides the fastest possible speeds. SMB 3.0 can deliver performance that is comparable with the
transactional performance of DAS. The near parity with DAS enables network storage with minimal
performance costs.
SMB Multichannel
SMB 3.0 will use multiple TCP connections for each SMB session and will automatically and transparently
fail over to another connection in the event of a network failure. This ability to detect and use multiple
network paths provides improved resiliency. If there is a failure in networking hardware, including
network interface cards (NICs) and routers, SMB 3.0 will automatically use another connection.
Furthermore, through the use of multiple TCP connections, the server can scale up networking based on
demand.
SMB Direct
SMB Direct provides Remote Direct Memory Access (RDMA) functionality on standard RDMA-capable
NICs. SMB Direct enables data to be copied from the memory of one server to the memory of another
server with minimal impact on CPU utilization. Previously the data would have to go through the entire
network stack of both the sending and receiving server. By moving data directly from memory to
memory, SMB Direct reduces processing on the servers and improves performance.
SMB Encryption
SMB encryption provides secure transmission of data from end to end, removing the need for Internet
Protocol security (IPsec) or other such security overhead. It can be configured at a granular level, either
for individual shares or for a full file server.
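Configuring SMB encryption at both of the granularities described above, plus a check of the
multichannel state, as an added example using the Windows Server 2012 SmbShare module (this is not
code from the course; the share name, path and group are assumptions):

```powershell
# Added example (not from the course text): SMB 3.0 encryption per share and server-wide,
# then a look at multichannel. Share name, path and the Finance group are assumptions.

# Per-share: only sessions to this share must be encrypted.
New-SmbShare -Name "Finance" -Path "D:\Shares\Finance" -FullAccess "ADATUM\Finance" -EncryptData $true
# ...or switch it on for an existing share.
Set-SmbShare -Name "Finance" -EncryptData $true -Force

# Server-wide: every share on this file server requires encryption. With
# RejectUnencryptedAccess (the default) clients that cannot do SMB 3.0 encryption
# are refused outright instead of silently falling back to cleartext.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verify what is actually enforced.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
Get-SmbShare | Select-Object Name, Path, EncryptData

# Multichannel: which NIC pairs carry each connection and whether RDMA is in play.
Get-SmbMultichannelConnection |
    Select-Object ServerName, ClientIPAddress, ServerIPAddress, CurrentChannels, ServerRdmaCapable
```

Enabling EncryptData server-wide is the safer default, but plan for it: any Windows 7, Windows Server
2008 R2 or third-party SMB 1.x/2.x client will lose access to every share on that server until it can
negotiate SMB 3.0.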
iSCSI Target
The iSCSI target is a role service in Windows Server 2012. While the iSCSI initiator has been included
with Windows Server operating systems since Windows Server 2008, this was not true for the iSCSI
target. Prior to Windows Server 2012, you had to first download and then install the iSCSI target.
The new features in the iSCSI target in Windows Server 2012 include:
Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.
iSCSI Target Server
The iSCSI target server role service provides a software-based and hardware-independent iSCSI disk
subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can
then use Server Manager to manage these iSCSI targets and virtual disks.
The iSCSI target server included in Windows Server 2012 provides the following functionality:
Server application storage. Some applications, such as Hyper-V and Microsoft Exchange Server, require
block storage. The iSCSI target server can provide these applications with continuously available block
storage. Because the storage is remotely accessible, it can also consolidate block storage for central or
branch office locations.
Heterogeneous storage. The iSCSI target server supports iSCSI initiators from other vendors, so you can
share storage on Windows servers in mixed environments.
Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to act as
network-accessible block storage devices. This is useful in situations such as when you want to test
applications before deployment on storage area network (SAN) storage.
Enabling the iSCSI target server to provide block storage takes advantage of your existing Ethernet
network. No additional hardware is needed. If high availability is an important criterion, consider
setting up a high availability cluster. With a high availability cluster, you will need shared storage for
the cluster, either hardware Fibre Channel storage or a serial attached SCSI (SAS) storage array. The
iSCSI target server is directly integrated into the failover cluster feature as a cluster role.
iSCSI Initiator
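The target-side configuration from the iSCSI Target Server section and the initiator-side connection,
as one added example using the Windows Server 2012 IscsiTarget and iSCSI modules (this is not code
from the course; the server names, paths, IQN, CHAP user and secret are assumptions):

```powershell
# Added example (not from the course text): expose a virtual disk over iSCSI to one named
# initiator, require CHAP, then connect from that initiator. Names, paths, the IQN and the
# CHAP secret are assumptions.

# --- Target side (LON-SVR1) ---
Install-WindowsFeature FS-iSCSITarget-Server

# Virtual disk backing the LUN: a VHD file on a local NTFS volume.
New-IscsiVirtualDisk -Path "D:\iSCSIVirtualDisks\Data1.vhd" -SizeBytes 50GB

# Target restricted to a single initiator IQN. Treat IQN filtering as an access list,
# not authentication: an IQN is a string any host on the network can present.
New-IscsiServerTarget -TargetName "Data1" `
    -InitiatorIds @("IQN:iqn.1991-05.com.microsoft:lon-svr2.adatum.com")
Add-IscsiVirtualDiskTargetMapping -TargetName "Data1" -Path "D:\iSCSIVirtualDisks\Data1.vhd"

# CHAP makes the initiator prove a shared secret (the Microsoft target requires 12-16 chars).
$secret = ConvertTo-SecureString "ChangeMe-1234567" -AsPlainText -Force
$chap   = New-Object System.Management.Automation.PSCredential("Data1User", $secret)
Set-IscsiServerTarget -TargetName "Data1" -EnableChap $true -Chap $chap
Get-IscsiServerTarget -TargetName "Data1" | Select-Object TargetName, EnableChap, InitiatorIds, Status

# --- Initiator side (LON-SVR2) ---
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
New-IscsiTargetPortal -TargetPortalAddress "LON-SVR1.adatum.com"
$target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*data1*" }
Connect-IscsiTarget -NodeAddress $target.NodeAddress -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP -ChapUsername "Data1User" -ChapSecret "ChangeMe-1234567"

# The LUN now shows up as a local disk and is initialized like any other.
Get-Disk | Where-Object BusType -eq "iSCSI" | Select-Object Number, FriendlyName, Size, OperationalStatus
```

Because the course text points out that the target rides on the ordinary Ethernet network, keep iSCSI
on its own VLAN or subnet where you can: CHAP authenticates the session but does not encrypt the block
traffic that follows.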
2-6
Da
ata Dedupllication
Data deduplicatio
on is a role servvice of Window
ws
Servver 2012. Data deduplication
n identifies and
d
rem
moves duplicatiions within datta without
com
mpromising its integrity to acchieve the ultim
mate
goa
al of storing mo
ore data while
e concurrently using
less physical disk space.
s
Whe
en combined with
w BranchCa
ache, the same
e optimization techniques arre applied to d
data that is
tran
nsferred over the wide area network
n
(WAN
N) to a branch office. This ressults in faster ffile download times
and reduced band
dwidth consum
mption.
Wh
hen to Use Data
D
Dedup
plication
Data deduplicatio
on is designed to be installed
d on primary (aand not logicaally extended) data volumes
with
hout adding an
ny additional dedicated
d
hard
dware. The im plementation is designed fo
or low memoryy
and CPU priority. However, if memory
m
use becomes high, d
deduplication b
backs off and w
waits for availaable
reso
ources. You can schedule ded
duplication ba
ased on the typ
pe of data invo
olved and the frequency and
d
volu
ume of change
es that occur to
o the volume or particular fiile types.
Note: By de
efault, only file
es older than 30
3 days are pro
ocessed.
u should consid
der using dedu
uplication for the
t following aareas:
You
File shares. Th
his includes group content publication
p
or sharing, user h
home folders, and profile
redirection (o
offline files). Yo
ou may be able
e to save apprroximately 3050 percent dissk space.
Software dep
ployment share
es. This include
es software bin
naries, images,, and updates. You may be aable
to save appro
oximately 70 to
o 80 percent disk
d space.
Hyper-V hostts
Virtual Deskto
op Infrastructu
ure VHDs
Files approa
aching or larger than 1 terab
byte (TB) in sizze
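The policy knobs described above (file age, scheduling, backing off under load) in the Windows Server
2012 Deduplication module, as an added example (this is not code from the course; the drive letter,
excluded folder, file types and schedule are assumptions):

```powershell
# Added example (not from the course text): enable deduplication on a file-share volume,
# set its policy, run a first optimization job and read back the savings. The drive
# letter, exclusions and schedule are assumptions.

Install-WindowsFeature FS-Data-Deduplication

# Enable on a data volume only (never the system or boot volume).
Enable-DedupVolume -Volume "E:"

# Policy: only files untouched for 3 days, skip scratch folders and already-compressed media.
Set-DedupVolume -Volume "E:" -MinimumFileAgeDays 3 `
    -ExcludeFolder "E:\Shares\Temp" `
    -ExcludeFileType "mp4","zip","jpg"

# Run an optimization job now rather than waiting for the background schedule, with the
# job's memory capped at 25% so it does not compete with the file server's working set.
Start-DedupJob -Volume "E:" -Type Optimization -Memory 25 -Wait

# Did it work? SavedSpace/SavingsRate are the result; comparing InPolicyFilesCount with
# OptimizedFilesCount shows how much the age and exclusion policy is holding back.
Get-DedupStatus -Volume "E:" |
    Select-Object Volume, SavedSpace, SavingsRate, OptimizedFilesCount, InPolicyFilesCount
Get-DedupVolume -Volume "E:" | Select-Object Volume, MinimumFileAgeDays, ExcludeFolder, ExcludeFileType

# Weekly garbage collection reclaims chunks that no file references any more.
New-DedupSchedule -Name "WeeklyGC" -Type GarbageCollection -Days Sunday -Start "02:00" -DurationHours 4
```

Set MinimumFileAgeDays deliberately rather than trusting the default on a given build: a low value on a
share with high churn wastes optimization work, a high value on an archive share leaves savings on the
table.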
BranchCache Improvements
The BranchCache feature caches data from a data center or head office and makes it available in a local
branch office. This feature reduces network bandwidth utilization and speeds up data access for
applications. The caching in BranchCache can either be hosted on a server or distributed amongst
clients. A distributed cache might not be suitable if client computers are often switched off or
disconnected from the network, because the cached data would not be locally available and would have
to be retrieved from head office, but it does not require additional infrastructure in the branch office.
In Windows Server 2012 and Windows 8, BranchCache provides the following performance, management,
security, and scalability improvements.
Performance is improved through chunking improvements, cache preloading, and caching starting
sooner.
Manageability is improved through both more straightforward deployment and PowerShell integration in
addition to Windows Management Instrumentation (WMI), and the inclusion of new Group Policy and
Local Computer Policy settings.
Security improvements include cache encryption.
BranchCache Caching
In BranchCache in Windows Server 2008 R2 and Windows 7, data must be indexed in order to make it
available to more than one user; this indexing takes time. To prevent the indexing overhead and the
resulting slower data access for the first person to download it, Windows Server 2008 R2 and Windows 7
provide the data immediately, but do not provide the hashes from the indexing process. In Windows
Server 2012, the data is still downloaded immediately, but the client computer automatically asks for
the hashes once it has been served with the data; this improves performance.
Note: Cache preloading enables you to preload content from various media and transfer the content
over the network to the hosted cache server.
Chunking
In Windows Server 2008 R2, BranchCache splits the data into large, equally sized blocks of content in a
process known as chunking. These blocks are then indexed and formed into units that clients request.
Windows Server 2012 optimizes this by splitting the data into small, variably sized blocks. By being
smaller, there are fewer changes to transmit if there is a small change to a file. Now only the small
block that has changed needs to be transmitted to the branch, whereas previously the much larger block
Deployment
To deploy BranchCache, you either deploy the BranchCache feature, or deploy it as part of the File
Services server role. If you are using BranchCache to deliver files, you should deploy it as part of the
File Services server role, but if you are deploying it to deliver web server or application server content,
you should deploy the BranchCache feature. If you are deploying a hosted cache server in a branch
office, you should deploy the BranchCache feature and enable the Hosted Cache Server mode. Windows 7
and Windows 8 clients can be configured to use BranchCache by creating a Group Policy.
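The deployment choices above (file server role service versus feature, hosted cache server, client mode)
as an added example using the Windows Server 2012 and Windows 8 BranchCache cmdlets rather than the
Group Policy route the text mentions (this is not code from the course; host names are assumptions):

```powershell
# Added example (not from the course text): deploy BranchCache with the Windows Server 2012 /
# Windows 8 BranchCache cmdlets. Host names are assumptions.

# --- Head-office content server delivering file shares: install the BranchCache for
#     Network Files role service so shares publish content hashes to branch clients.
Install-WindowsFeature FS-BranchCache
# For web or application server content, install the feature instead:
# Install-WindowsFeature BranchCache

# --- Branch-office hosted cache server ---
Install-WindowsFeature BranchCache
# -RegisterSCP publishes a service connection point in Active Directory so Windows 8
# clients in the branch discover this hosted cache server without per-client settings.
Enable-BCHostedServer -RegisterSCP
Get-BCStatus            # HostedCacheServerConfiguration should now show the server enabled

# --- Branch clients (Windows 8 / Windows Server 2012) ---
# Hosted cache mode, naming the server explicitly (or rely on the SCP registered above):
Enable-BCHostedClient -ServerNames "LON-BC1.adatum.com"
# Distributed cache mode for a branch with no server. As the text notes, a client that is
# switched off takes its share of the cache with it:
# Enable-BCDistributed
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
```

Whichever mode you choose, leave the hosted cache server's and clients' BranchCache service on its
default firewall rules only; the cache protocol still relies on the content server's hashes, so a
client cannot be served data it was not authorized to read from the original share.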
Windows Azure Online Backup
Key Features
Simple configuration and management. Integration with the familiar Windows Server Backup tool
provides a seamless backup and recovery experience to a local disk, or to the cloud environment.
Other features include:
Integrated recovery experience to recover files and folders from local disk or from cloud.
Easy recovery of any data that was backed up onto any server of your choice.
Block-level incremental backups. The Windows Azure Backup Agent performs incremental backups by
tracking file and block-level changes, and then only transferring the changed blocks. This results in
reduced storage and bandwidth utilization. Different point-in-time versions of the backups use storage
efficiently by only storing the changed blocks between these versions.
Data integrity verification in the cloud. In addition to the secure backups, the backed up data is also
checked automatically for integrity after the backup is done. As a result, any corruptions that may
arise due to data transfer can be easily identified and they are fixed automatically in next backup.
Configurable retention policies for storing data in the cloud. The Windows Azure Online Backup
Service accepts and implements retention policies to recycle backups that exceed the desired
retention range, thereby meeting business policies and managing backup costs.
Considerations
Windows Azure Online Backup backs up your files and folders, but not your system state. Therefore, you
must consider Windows Azure Online Backup a supplement to, rather than a replacement for, your
existing backup solution. You should also consider that Windows Azure Online Backup will only back up
Windows Server 2012 servers; it will not back up other versions of Windows Server or any version of
Windows client operating systems. You must also have at least 1 gigabyte (GB) of available local storage
for caching purposes.
When planning Windows Azure Online Backup, you should consider your available upload bandwidth and
the quantity of data that you will upload. You can set a throttling limit to prevent Windows Azure Online
Backup from affecting other operations, and adjust the time that it runs for work hours and non-work
hours.
Deployment
Once you install Windows Azure Online Backup, you need to create a Windows Azure Online Backup
Service account. You can then open the Windows Azure Online Backup Service and register a server using
the account credentials, and providing any necessary proxy server settings (if required), and encryption
settings to ensure that data is encrypted before it is sent to the cloud.
When the server is registered, you can open Computer Management, and then navigate to Storage, and
Windows Server Backup. There you will see two nodes: Local Backup and Online Backup. From Online
Backup you can create backup jobs, choose the files, folders, exclusion settings (for example, temporary
files), backup frequency, and how long to keep old backup files.
To recover data, the server that will receive the data must have Windows Azure Online Backup Service
Agent installed. Once you have supplied the Windows Azure Online Backup Service account credentials,
you can then restore the file or folder. If multiple versions of the file are available, you can select which
version of that file (or folder) you wish to restore, whether or not the file (or folder) was originally backed
up from the local server or another server.
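The registration-time encryption setting, throttling and retention policy described in the Considerations
and Deployment sections, as an added example using the agent's MSONLINEBACKUP PowerShell module
(this is not code from the course; paths, schedule and throttling values are assumptions, and the
parameter names follow the agent's cmdlet documentation of the time, so confirm them with
Get-Command -Module MSONLINEBACKUP before use):

```powershell
# Added example (not from the course text): configure the Windows Azure Online Backup agent
# after the server has been registered. Paths, schedule and bandwidth values are assumptions.
Import-Module MSONLINEBACKUP

# Encryption passphrase: data is encrypted with it locally before upload. The service never
# holds it and cannot reset it, so escrow it offline; lose it and the backups are unrecoverable.
$pass = Read-Host -AsSecureString -Prompt "Backup encryption passphrase (16+ characters)"
Set-OBMachineSetting -EncryptionPassphrase $pass

# Throttle uploads during work hours so backups do not starve other traffic
# (bandwidth values are in bytes per second per the agent documentation; assumption).
Set-OBMachineSetting -WorkDay Monday,Tuesday,Wednesday,Thursday,Friday `
    -StartWorkHour "08:00:00" -EndWorkHour "18:00:00" `
    -WorkHourBandwidth 262144 -NonWorkHourBandwidth 2097152

# Policy: files and folders only (system state is not covered), when to run, how long to keep.
$policy = New-OBPolicy
Add-OBFileSpec -Policy $policy -FileSpec (New-OBFileSpec -FileSpec "D:\Shares","D:\Profiles")
Add-OBFileSpec -Policy $policy -FileSpec (New-OBFileSpec -FileSpec "D:\Shares\Temp" -Exclude)
Set-OBSchedule -Policy $policy `
    -Schedule (New-OBSchedule -DaysOfWeek Monday,Wednesday,Friday -TimesOfDay "21:00:00")
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy (New-OBRetentionPolicy -RetentionDays 30)
Set-OBPolicy -Policy $policy -Confirm:$false

# Review the policy, then run one backup now to validate it before relying on the schedule.
Get-OBPolicy | Get-OBFileSpec
Get-OBPolicy | Start-OBBackup
```

Because the agent backs up files and folders only, pair this policy with a local Windows Server Backup
job that captures system state, as the Considerations section advises.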
Lesson 2
DirectAccess Improvements
With an increasingly distributed workforce, users must be able to connect to their organization's
network infrastructure, whether they are at the head office, a branch office, or connecting to the
network remotely. With Windows Server 2012, a remote user benefits from seamless connectivity to
corporate resources, regardless of their location, and improved networking when working at a branch
office.
Lesson Objectives
After completing this lesson, you will be able to:
Describe DirectAccess.
Explain the deployment scenarios supported by DirectAccess in Windows Server 2012.
Explain how to configure a DirectAccess server.
What Is DirectAccess?
The DirectAccess feature in Windows Server 2012 enables seamless remote access to intranet resources
without first establishing a user-initiated virtual private network (VPN) connection. The DirectAccess
feature also ensures seamless connectivity to the application infrastructure for internal users and
remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet,
DirectAccess enables any IPv6-capable application on the client computer to have complete access to
intranet resources. DirectAccess also enables you to specify resources and client-side applications that
are restricted for remote access.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers. Using the same management and update servers, you can ensure they are always up-to-date
and in compliance with security and system health policies. You can also define more detailed access
control policies for remote access when compared with defining access control policies in VPN solutions.
DirectAccess offers the following features:
Supports selected server access and end-to-end IPsec authentication with intranet network servers
Supports end-to-end authentication and encryption with intranet network servers
Supports management of remote client computers
Always-on connectivity. Whenever the user connects the client computer to the Internet, the client
computer is also connected to the intranet. This connectivity enables remote client computers to
access and update applications more easily. It also makes intranet resources always available, and
enables users to connect to the corporate intranet from anywhere and anytime, thereby improving
their productivity and performance.
Seamless connectivity. DirectAccess provides a consistent connectivity experience whether the client
computer is local or remote. This allows users to focus more on productivity and less on connectivity
options and process. This consistency can reduce training costs for users, with fewer support incidents.
Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have access
to intranet resources and you can also have access from the intranet to those DirectAccess clients.
Therefore, DirectAccess can be bidirectional. This ensures that the client computers are always
updated with recent security updates, the domain Group Policy is enforced, and there is no difference
whether the users are on the corporate intranet or on the public network.
Manage-out Support. This feature is new in Windows Server 2012 and provides the ability to enable
only remote management functionality in the DirectAccess client. This new sub-option of the
DirectAccess client configuration wizard automates the deployment of policies that are used for
managing the client computer. Manage-out support does not implement any policy options that
allow users to connect to the network for file or application access. Manage-out support is
unidirectional, incoming only access for administration purposes only.
Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter degree of control allows security architects to precisely control remote
users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so
that users can ensure that their communication is safe.
Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and Network
Access Protection (NAP) solutions, resulting in the seamless integration of security, access, and health
requirement policies between the intranet and remote computers.
In Windows Server 2012, DirectAccess has several enhancements, especially regarding bypassing some
common technology issues, such as requirements for public key infrastructure (PKI) and public IP
addresses:
Improved Management
DirectAccess in Windows Server 2012 has been improved in the following ways:
Windows PowerShell and Server Core support. Windows Server 2012 provides full Windows PowerShell
support for the setup, configuration, management, monitoring, and troubleshooting of the Remote
Access server role.
Unified management wizard and tools. You can use a single console for DirectAccess configuration,
management, and monitoring.
Simplified Deployment
The DirectAccess deployment has been simplified. Windows Server 2012 provides Express Setup for small
and medium deployments. Express Setup includes the following characteristics:
Single factor authentication only; no support for smart card integration or using one-time password
(OTP).
Performance and Scalability Improvements
DirectAccess includes the following improved features in performance and scalability:
Improved support for Receive Side Scaling (RSS). DirectAccess provides support for RSS and supports
running DirectAccess in virtual machines with increased density:
IP-HTTPS interoperability and performance improvements. The Windows Server 2012 DirectAccess
implementation removes double encryption when using IP-HTTPS. Also, it reduces the time for
duplicate address detection, resulting in a significant performance improvement.
Lower bandwidth utilization. Windows Server 2012 reduces the overhead associated with establishing
connectivity methods, and optimizes batched send behavior and receive buffers, which results in
overall lower bandwidth utilization. Additionally, Windows Server 2012 DirectAccess supports receive
side scaling with User Datagram Protocol (UDP).
New Deployment Scenarios
The new DirectAccess deployment scenarios in Windows Server 2012 include:
Deploying multiple endpoints. When you implement DirectAccess on multiple servers in different
network locations, the Windows 8 device automatically chooses the closest endpoint. (For the Windows 7
operating system, you have to specify the endpoint manually.) This also works for Distributed File
System (DFS) shares that are redirected to an appropriate Active Directory site.
Multiple domain support. In Windows Server 2008 R2, you had to manually configure multiple domains.
However, this feature is integrated with Windows Server 2012 by using the Deployment Wizard.
Off-premise provisioning. With the djoin.exe offline domain join tool, which Windows Server 2012
extends to provision DirectAccess settings, you can easily provision a non-domain computer so that the
computer can be joined to a domain without ever needing to be connected to your internal premises.
Demonstration: Configuring the DirectAccess Server
This demonstration shows how to:
Create and configure the required security group.
Configure the DNS suffix on the DirectAccess server.
Configure the network connection properties on the DirectAccess server.
Complete the DirectAccess Setup Wizard.
Demonstration Steps
1. Create a security group for DirectAccess client computers by performing the following steps:
a. Switch to LON-DC1.
d. In the Active Directory Users and Computers console, right-click Adatum.com, click New, and then
click Organizational Unit.
e. In the New Object - Organizational Unit window, in the Name text box, type DA_Clients OU, and
then click OK.
f. In the Active Directory Users and Computers console, expand Adatum.com, right-click DA_Clients OU,
click New, and then click Group.
g. In the New Object - Group dialog box, under Group name, type DA_Clients.
h. Under Group scope, click Global, under Group type, click Security, and then click OK.
j. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
k. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
l. Under Enter the object names to select (examples), type LON-CL1, and then click OK.
m. Verify that LON-CL1 displays below Members, and then click OK.
2. Configure the DNS suffix on the DirectAccess server:
a. Switch to LON-RTR.
b. Move the mouse to the lower right corner of the screen, click Settings, click Control Panel, and
then click View network status and tasks.
c. In the Network and Sharing Center window, click Change adapter settings.
d. In the Network Connections window, right-click Local Area Connection, and then click Properties.
e. In the Local Area Connection Properties window, double-click Internet Protocol Version 4
(TCP/IPv4).
g. On the DNS tab, in the DNS suffix for this connection text box, type Adatum.com, and then click OK.
3. Configure the network connection properties on the DirectAccess server:
a. In the Network Connections window, right-click Local Area Connection 2, and then click Properties.
b. In the Local Area Connection 2 Properties window, double-click Internet Protocol Version 4
(TCP/IPv4).
c. In the Internet Protocol Version 4 (TCP/IPv4) dialog box, in the IP address text box, type
131.107.0.2, and in the Subnet mask text box, type 255.255.0.0.
4. Complete the DirectAccess Setup Wizard:
a. On LON-RTR, in Server Manager, click Tools, and then click Routing and Remote Access. If prompted,
click No to launching the DirectAccess Wizard.
b. In Routing and Remote Access, disable the existing configuration, and close the console.
Note: If you get an error at this point, restart LON-RTR, sign in as Adatum\administrator, and then
restart from step c.
g. In the Network Topology, verify that Edge is selected, and in the Type the public name or IPv4
address used by clients to connect to the Remote Access server box, type 131.107.0.2, and then click
Next.
j. In the Remote Access Management console, under Step 1, click Edit, and then click Next.
k. Under Select Groups, in the details pane, click Domain Computers (ADATUM\Domain Computers) and
click Remove.
l. Clear the Enable DirectAccess for mobile computers only check box.
q. On the Network Topology page, verify that Edge is selected, type 131.107.0.2, and then click Next.
u. On the Network Location Server page, click The network location server is deployed on the Remote
Access server.
v. Click Next, on the DNS page, examine the values, and then click Next.
5. On LON-RTR:
a. Move the mouse pointer to the lower-right corner, on the menu bar, click Search, type cmd, and then
press Enter.
b. At the command prompt, type the following commands, pressing Enter at the end of each line:
gpupdate /force
ipconfig
Note: Verify that LON-RTR has an IPv6 address for Tunnel adapter IPHTTPSInterface starting with 2002.
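The same demonstration carried out with the Windows Server 2012 ActiveDirectory and RemoteAccess
cmdlets instead of the consoles, as an added example (this is not code from the course; host names,
the OU, the group and 131.107.0.2 follow the demonstration, the interface aliases match its dialogs,
and everything else is an assumption):

```powershell
# Added example (not from the course text): the demonstration's configuration done with
# the ActiveDirectory and RemoteAccess modules. Names follow the demonstration; the
# interface aliases and the NLS choice are assumptions matching its dialogs.

# --- On LON-DC1: the security group that scopes which computers become DirectAccess clients ---
New-ADOrganizationalUnit -Name "DA_Clients OU" -Path "DC=Adatum,DC=com"
New-ADGroup -Name "DA_Clients" -GroupScope Global -GroupCategory Security `
    -Path "OU=DA_Clients OU,DC=Adatum,DC=com"
Add-ADGroupMember -Identity "DA_Clients" -Members (Get-ADComputer "LON-CL1")

# --- On LON-RTR: DNS suffix on the internal NIC, public address on the Internet NIC ---
Set-DnsClient -InterfaceAlias "Local Area Connection" -ConnectionSpecificSuffix "Adatum.com"
New-NetIPAddress -InterfaceAlias "Local Area Connection 2" -IPAddress 131.107.0.2 -PrefixLength 16

# --- Install and configure DirectAccess in the Edge topology ---
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -DAInstallType Full -ConnectToAddress 131.107.0.2 `
    -InternalInterface "Local Area Connection" -InternetInterface "Local Area Connection 2" -Force
# The demonstration keeps the network location server on the Remote Access server itself;
# if NLS lives elsewhere, point clients at it with Set-DANetworkLocationServer -Name <url>.

# Replace the wizard's default client group (Domain Computers) with DA_Clients, and allow
# non-mobile computers as well, as steps 4k and 4l do.
Add-DAClient -SecurityGroupNameList "Adatum.com\DA_Clients"
Remove-DAClient -SecurityGroupNameList "Adatum.com\Domain Computers"
Set-DAClient -OnlyRemoteComputers Disabled

# --- Verify, as step 5 does, that the IP-HTTPS interface came up with a 2002: (6to4) address ---
gpupdate /force
Get-RemoteAccess | Select-Object DAStatus, ConnectToAddress, InternalInterface, InternetInterface
Get-NetIPAddress -InterfaceAlias "IPHTTPSInterface" -AddressFamily IPv6 | Select-Object IPAddress
```

Scoping clients to a dedicated group rather than Domain Computers matters beyond tidiness: every member
receives the DirectAccess client Group Policy and its IPsec tunnel rules, so an over-broad group pushes
tunnel configuration to servers and workstations that never leave the intranet.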
Lesson 3
Networking Technologies Improvements
A number of new and improved networking features in Windows Server 2012 seek to improve throughput,
responsiveness, security, and availability of networked applications. In this lesson, you will explore
some of these new and improved features.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Domain Name System Security Extensions (DNSSEC) improvements in Windows Server 2012.
Explain the improvements to DHCP in Windows Server 2012.
Explain how to configure DHCP failover.
Describe data center bridging.
Explain the benefits of NIC teaming.
Overview of Networking Changes
Windows Server 2012 introduces a wide range of significant changes to the network infrastructure and
components. These updates provide a range of improvements in areas such as performance,
manageability, security, and extensibility.
The following table outlines some of the changes to networking infrastructure components in Windows
Server 2012.
Feature / Improvement
DNSSEC: A series of extensions to DNS that help protect and secure it from malicious attacks and ensure
that Internet resolved names are not forged.
DHCP: Improvements include new DHCP failover functionality, together with support for DHCP name
protection.
Explicit Congestion Notification (ECN): Used to estimate the extent of the bandwidth congestion at the
source, and reduce the sending rate only to the extent of the congestion.
NetworkDirect: NetworkDirect is used for HPC applications in which computational workloads are
distributed to large numbers of servers for parallel processing. Windows Server 2012 extends support
for NetworkDirect to non-HPC server versions, and adds new management features such as performance
monitor counters, event tracing, and a new kernel mode interface.
Single Root I/O Virtualization (SR-IOV): This provides remapping of interrupts and DMA and allows
SR-IOV-capable devices to be assigned directly to a virtual machine. Hyper-V enables support for
SR-IOV-capable network devices. This increases network throughput.
Receive Segment Coalescing (RSC): Reduces CPU utilization for network processing on the receive side
by offloading tasks from the CPU to an RSC-capable network adapter.
RSS (Receive Side Scaling)
QoS: Policy-based QoS enables you to specify network bandwidth control based on application type,
users, and computers. Hyper-V QoS enables hosting providers to guarantee specific performance levels
based on service level agreements (SLAs).
DNSSEC Improvements
DNSSEC is available in Windows Server 2008 R2. Windows Server 2012 introduces an enhanced and
simplified implementation of DNSSEC.
DNSSEC allows for the use of cryptography in signing all of the records in a DNS zone. When a request
is received, the server returns the digital signature along with the requested record. Another server
can obtain the public key of the public/private key pair and validate that the response is genuine and
has not been tampered with. Windows Server 2012 includes a DNSSEC wizard to simplify the configuration
and signing process, and enables online signing.
Record / Purpose
DNSKEY: This record publishes the public key for the zone. Validators use it to check the signature on a
response, which was produced with the private key held by the DNS server. These keys require periodic
replacement, which is known as key rollover. Windows Server 2012 supports automated key rollovers.
Note: Every zone has multiple DNS keys, broken down into the zone signing key (ZSK) and the key signing
key (KSK).
DS (Delegation Signer): This is a delegation record that contains the hash of the public key of a child
zone. This record is signed by the parent zone's private key. If a child zone of a signed parent is also
signed, the DS records from the child must be manually added to the parent so a chain of trust can be
created.
RRSIG (Resource Record Signature): This record holds a signature for a set of DNS records. It is used to
check the authenticity of a response.
NSEC and NSEC3 (Next Secure): When the DNS response has no data to provide to the client, this record
authenticates that the data actually does not exist.
Trust Anchors
A trust anchor is an authoritative entity represented by a public key. The TrustAnchors zone stores
preconfigured public keys that are associated with a specific zone. In DNS the trust anchor is the
DNSKEY resource record or the DS resource record hash of the DNSKEY resource record. Clients use these
records to build trust chains. A trust anchor from the zone must be configured on every domain DNS
server in order to validate responses from that signed zone. If the DNS server is a domain controller,
then Active Directory integrated zones can distribute the trust anchors.
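Signing a zone, distributing its trust anchor to a resolver that is not Active Directory integrated,
and making clients actually validate, as an added example using the Windows Server 2012 DnsServer and
DnsClient modules (this is not code from the course; the zone, host names and paths are assumptions):

```powershell
# Added example (not from the course text): sign a zone, hand its trust anchor to a
# validating resolver, and require validation on clients. Zone, hosts, paths are assumptions.

# --- On the authoritative server (LON-DC1): sign adatum.com with default KSK/ZSK settings ---
Invoke-DnsServerZoneSign -ZoneName "adatum.com" -SignWithDefault -Force
Get-DnsServerResourceRecord -ZoneName "adatum.com" -RRType DnsKey       # the KSK and ZSK
Get-DnsServerResourceRecord -ZoneName "adatum.com" -RRType RRSig | Select-Object -First 3

# Export the DS set for the parent zone or for stand-alone resolvers. Deliver it out of
# band: a trust anchor fetched over the same unauthenticated DNS it is meant to protect
# proves nothing.
Export-DnsServerDnsSecPublicKey -ZoneName "adatum.com" -Path "C:\DNSSEC" -DigestType Sha256

# --- On a non-AD-integrated DNS server that should validate adatum.com answers (LON-SVR1) ---
Import-DnsServerTrustAnchor -DSSetFile "C:\DNSSEC\dsset-adatum.com."
Get-DnsServerTrustAnchor -TrustAnchorName "adatum.com"
# (Domain controllers running AD-integrated zones receive the anchor through Active Directory.)

# Ask with the DO bit set: a signed answer carries RRSIG and, from a validating
# resolver, the AD (authenticated data) flag.
Resolve-DnsName -Name "lon-dc1.adatum.com" -Type A -Server "LON-SVR1" -DnssecOk

# --- Clients: signing the zone changes nothing on the client by itself. An NRPT rule makes
# validation mandatory, so an unsigned or badly signed answer for *.adatum.com is rejected
# instead of being used.
Add-DnsClientNrptRule -Namespace ".adatum.com" -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptRule
```

The NRPT rule is normally pushed by Group Policy to every domain member; the cmdlet form above is the
per-machine equivalent and is useful for testing one client before rolling the policy out.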
DHCP Improvements
DHCP failover is a new feature for Windows Server 2012. It addresses the issue of client computers losing
connectivity to the network and all its resources if there is a DHCP server failure.
Another new feature in Windows Server 2012 is policy-based assignment. This feature enables the DHCP
server to evaluate DHCP requests based on policies defined by an administrator. Policies contain a set of
conditions that are evaluated whenever a client request is processed. Policies can be applied at the
server or scope level.
Policies can be defined based on fields in the client request, such as:
Vendor class
User class
MAC address
Client Identifier
The DHCP server can assign different DHCP options and addresses based on the criteria the client request
matches in the policy. For example, you could add a vendor class that matches a particular type of printer
and have DHCP addresses from a specific range assigned when a printer that matches that criteria
requests a DHCP address.
Windows Server 2012 supports DHCP name protection. Names that are registered in DNS by DHCP on
behalf of systems must be protected from being overwritten by non-Microsoft systems that have the
same name. For example, a Unix-based system named Client1 could potentially overwrite the DNS address
that was assigned and registered by DHCP on behalf of a Windows-based system also named Client1.
DHCP name protection addresses this issue.
Note: DHCP name protection was introduced in Windows Server 2008 R2.
DHCP Failover
DHCP client computers renew their lease on their IP address at regular, configurable intervals. If the DHCP
server service fails, then leases time out, and eventually client computers no longer have IP addresses. In
the past, DHCP failover was not possible because DHCP servers were independent and unaware of one
another. Configuring two separate DHCP servers to distribute IP addresses within the same scope could
lead to duplicate address assignment if the administrator incorrectly configured overlapping ranges. The
DHCP server failover feature enables an alternative DHCP server to distribute IP addresses and associated
option configuration to the same subnet or scope. Lease information is replicated between the two DHCP
servers. A partner relationship is established between the DHCP servers. This enables one server to know
if the other has failed. If one of the DHCP servers fails, then the other DHCP server services the client
computers for the whole subnet. In Windows Server 2012 you can configure one alternative DHCP server
for failover. Additionally, only IPv4 scopes and subnets are supported because IPv6 uses a different IP
address assignment scheme.
DHCP Name Protection
Name squatting describes the problem where a DHCP client computer registers a name with DNS, but
that name is actively being used by another computer. The original computer then becomes inaccessible.
This problem typically occurs between non-Windows systems that have duplicate names of Windows
systems. DHCP Name Protection uses a resource record known as a DHCID to keep track of which
computer originally requested the name. This record is provided by the DHCP server and stored in DNS.
When the DHCP server receives a request to update a host record that is currently associated with a
different computer, the DHCP server can verify the DHCID in DNS to check whether the requester is the
original owner of the name. If it is not the same computer, the record in DNS is not updated. To resolve
this issue, either the current host name owner must release the IP address, or the requester must use a
different host name. You can implement name protection for both IPv4 and IPv6. Configuration is set on
the DNS tab of the properties page at the IPv4 or IPv6 node level or at the scope level.
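The three features in this section (failover, policy-based assignment, and name protection) are all configurable from the DhcpServer PowerShell module. The following script configures each of them for one scope. It is an added example, not part of the course text; the servers LON-DC1 and LON-SVR1, the scope 10.0.0.0, the vendor-class string "HP LaserJet" and the address ranges are assumptions.

```powershell
# Added example (not from the course text). Assumed names: DHCP servers LON-DC1 (where the
# scope already exists) and LON-SVR1 (failover partner), scope 10.0.0.0/24, printers that send
# the vendor-class string "HP LaserJet" in DHCP option 60.
Import-Module DhcpServer

$primary = 'LON-DC1'
$partner = 'LON-SVR1'
$scope   = '10.0.0.0'

# --- Failover: load-balanced partner relationship for the scope ---------------------------
# The shared secret authenticates the failover protocol messages between the two partners.
# Generate it from a CSPRNG rather than reusing a lab password such as Pa$$w0rd.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

Add-DhcpServerv4Failover -ComputerName $primary -Name 'LON-DC1-LON-SVR1' -PartnerServer $partner `
    -ScopeId $scope -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 02:00:00 -SharedSecret $secret
Get-DhcpServerv4Failover -ComputerName $primary -Name 'LON-DC1-LON-SVR1' |
    Select-Object Name, PartnerServer, Mode, State, ScopeId

# --- Policy-based assignment: printers get a dedicated range and their own router option ---
# Define the vendor class (the string the printer sends), then a scope-level policy keyed on it.
Add-DhcpServerv4Class  -ComputerName $primary -Name 'HP Printers' -Type Vendor -Data 'HP LaserJet'
Add-DhcpServerv4Policy -ComputerName $primary -ScopeId $scope -Name 'Printers' -Condition OR `
    -VendorClass EQ,'HP Printers'
Add-DhcpServerv4PolicyIPRange -ComputerName $primary -ScopeId $scope -Name 'Printers' `
    -StartRange 10.0.0.200 -EndRange 10.0.0.220
# Option 3 (router) only for clients matching the policy; other clients keep the scope option.
Set-DhcpServerv4OptionValue -ComputerName $primary -ScopeId $scope -PolicyName 'Printers' `
    -OptionId 3 -Value '10.0.0.1'
# Remember: option 60 is client-supplied, so this policy sorts devices, it does not authenticate them.

# --- Name protection: DHCID records guard names the server registers on clients' behalf ------
Set-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $scope `
    -NameProtection $true -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true
Get-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $scope

# --- Push scope configuration (policy, DNS settings) to the failover partner -----------------
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name 'LON-DC1-LON-SVR1' -Force
```

Scope configuration does not replicate automatically after the relationship is created; leases do. Run the replication cmdlet (or the equivalent console action) after any scope change, otherwise the partner serves the scope with stale policies when the primary fails.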
Demonstration Steps
1.
2.
In Server Manager, in the results pane, click Add roles and features.
3.
4.
On the Select server roles page, select the DHCP Server role, and then click Add Features.
5.
6.
7.
In Server Manager, click Notifications, and then click Complete DHCP configuration.
8.
9.
21. In the Enable Message Authentication Shared Secret field, type Pa$$w0rd, and then click Next.
22. Click Finish, and then click Close.
23. Switch to LON-SVR1.
24. In Server Manager, click Tools and then click DHCP.
25. Expand lon-svr1.adatum.com. Note that the IPv4 node is active.
26. Expand the IPv4 node, and then expand Scope.
27. Click Address Pool, and note that the address pool is configured.
28. Click Scope Options, and note that the scope options are configured.
29. Close the DHCP console on both LON-DC1 and LON-SVR1.
Data Center Bridging
Most networks have some traffic which is more important than other traffic. For example, a Hyper-V live
migration might be considered more critical than other network data traffic, or media streaming might
be particularly important for your company.
With Windows Server 2012 you can use Data Center Bridging (DCB) to enforce QoS for mission-critical
workloads. The bandwidth is only reserved while services that are appropriately tagged are using it. At
other times all bandwidth is available to any service.
The packets of data are assigned traffic classes by the DCB-capable NIC. You can then configure the QoS
and priority of the traffic types. The configuration of DCB can be performed from PowerShell.
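A complete DCB configuration for the live-migration scenario mentioned above, using the NetQos cmdlets, is shown next. It is an added example, not from the course text; the adapter name "Ethernet 2" and the percentages are assumptions, and the physical switch port must be configured with matching PFC and ETS settings for the tags to mean anything beyond the host.

```powershell
# Added example (not from the course text). Assumes a DCB-capable NIC named "Ethernet 2" whose
# switch port has PFC and ETS enabled for the same 802.1p priorities used below.
Install-WindowsFeature -Name Data-Center-Bridging

# Classification: tag SMB traffic (TCP/445, used by live migration over SMB and by VM storage
# on SMB shares) with 802.1p priority 3 and live-migration traffic with priority 5.
# Anything without a policy stays at priority 0.
New-NetQosPolicy -Name 'SMB'           -SMB           -PriorityValue8021Action 3
New-NetQosPolicy -Name 'LiveMigration' -LiveMigration -PriorityValue8021Action 5

# Traffic classes: ETS guarantees 40% of the link to priority 3 and 20% to priority 5 only
# while those classes have traffic; otherwise the bandwidth is available to everything else.
New-NetQosTrafficClass -Name 'SMB'           -Priority 3 -BandwidthPercentage 40 -Algorithm ETS
New-NetQosTrafficClass -Name 'LiveMigration' -Priority 5 -BandwidthPercentage 20 -Algorithm ETS

# Priority flow control (lossless delivery) for the SMB class only; everything else stays
# ordinary best-effort Ethernet.
Enable-NetQosFlowControl  -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# Use the local settings rather than letting the switch's DCBX advertisement override them,
# then enable DCB on the adapter.
Set-NetQosDcbxSetting -Willing $false -Confirm:$false
Enable-NetAdapterQos -Name 'Ethernet 2'

# Verify what the adapter actually ended up with (Operational* columns) and the policies.
Get-NetAdapterQos -Name 'Ethernet 2'
Get-NetQosPolicy | Format-Table Name, PriorityValue, Template -AutoSize
```

The Operational values reported by Get-NetAdapterQos are what the NIC negotiated, which may differ from what you configured if the switch disagrees; compare them against the switch-side PFC/ETS configuration before trusting the reservation.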
NIC Improvements
NIC improvements enhance the scalability, availability, and manageability of NICs and include NIC
Teaming and Consistent Device Naming.
NIC Teaming
NIC Teaming enables you to group together up to 32 network cards and then make them appear to
applications, physical servers, or Hyper-V virtual machines as a single NIC. This provides scalability
through additional bandwidth and availability, because the failure of one NIC will just cause traffic to be
routed through the remaining NICs in the team. Network card teaming does not require that the
network cards be the same model or use the same driver.
You can configure NIC teaming in a number of ways:
Setting the Switch Mode. Switch Mode can be set to Switch Dependent or Switch Independent. If a
NIC team is Switch Dependent, you must directly configure the switch, but you will receive traffic on
all active members, rather than just the primary member as in Switch Independent mode.
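Creating and testing a team from PowerShell, as an added example that is not part of the course text. The adapter names NIC1 and NIC2 and the team name are assumptions; run it from the console or over an adapter that is not being placed in the team, because the members lose their IP configuration when the team interface takes over.

```powershell
# Added example (not from the course text). Assumed adapter names NIC1 and NIC2.
Import-Module NetLbfo

# Switch Independent mode needs no switch configuration; the team is identified to the
# network only by the MAC/IP of the team interface, which is what makes it the safe default.
New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC1','NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# Optionally hold one member in standby so it carries traffic only after an active member fails.
Set-NetLbfoTeamMember -Name 'NIC2' -AdministrativeMode Standby

# The team exposes a single interface named after the team; assign the host IP to that.
Get-NetAdapter -Name 'Team1' | Format-Table Name, Status, LinkSpeed -AutoSize

# Failure test: take one member down and confirm the team stays up, then restore it.
Disable-NetAdapter -Name 'NIC1' -Confirm:$false
Start-Sleep -Seconds 5
Get-NetLbfoTeam -Name 'Team1' | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
Get-NetLbfoTeamMember -Team 'Team1' | Format-Table Name, AdministrativeMode, OperationalStatus -AutoSize
Enable-NetAdapter -Name 'NIC1' -Confirm:$false

# Switching to a Switch Dependent mode (LACP) later requires the upstream ports to be in a
# matching port channel first; otherwise the team loses connectivity when the mode changes:
#   Set-NetLbfoTeam -Name 'Team1' -TeamingMode Lacp
```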
Consistent Device Naming (CDN) enables the BIOS to supply the name of a Windows NIC. CDN requires a
CDN-compliant BIOS. The name of a NIC would typically be displayed on the network card and would
then be displayed as the name of the network connection in Windows. This is useful for servers with many
network cards.
Lesson 4
Introducing IP Address Management
Lesson Objectives
After completing this lesson, you will be able to:
Describe IP address management.
Describe IPAM functions in the enterprise.
Describe IP address management concepts.
Explain how to implement IPAM.
What Is IPAM?
IP address management is a difficult task in large networks, because tracking IP address usage is largely
a manual operation. Windows Server 2012 introduces IPAM, which is a framework for discovering,
monitoring utilization, auditing, and managing the IP address space in a network. IPAM enables the
administration and monitoring of DHCP and DNS, and provides a comprehensive view of where IP
addresses are used. IPAM also collects information from domain controllers and Network Policy Servers
(NPSs) and stores that information in the Windows Internal Database.
IPAM assists in the areas of IP administration as shown in the following table.
IP administration area: IPAM capabilities
Plan
Manage
Track: Enables tracking and forecasting of IP address utilization.
Audit
Benefits
IPAM benefits include:
Static IP inventory management, lifetime management, and DHCP and DNS record creation and
deletion
Prerequisites
IPAM Server is deployed as a Windows Server 2012 feature. You must meet the following prerequisites to
deploy IPAM:
The IPAM server must not be a domain controller, but must be domain-joined. Furthermore, if IPAM
is running on a DHCP server it will not be able to discover the DHCP role on that server. The IPAM
server should be a single purpose server. Do not install other network roles such as DHCP or DNS on
the same server.
You must sign in to the IPAM server using a domain account, and this account must be a member of
the relevant IPAM security group or a member of the IPAM Administrators security group if it needs
to perform all IPAM actions. Furthermore, if you are accessing IPAM remotely using Remote Server
Administration Tools (RSAT), you must be a member of the WinRMRemoteWMIUsers security group.
IPAM supports only Microsoft DHCP, DNS, DC, and NPS servers running Windows Server 2008 and
above in a single Active Directory forest.
IPv6 must be enabled on the IPAM server to manage the IPv6 address space.
You must configure domain controllers, and any NPSs that you wish to track, to log account logon
events if you wish to utilize IP Address Tracking in IPAM.
To allow IPAM to perform remote management and file transfers you must ensure that the necessary
firewall ports are open.
When you use the Group Policy-based provisioning of IPAM, you must ensure that users marking
servers as managed or unmanaged are either domain administrators or at least have rights to edit
GPO filter lists.
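The prerequisites above are easy to get wrong one at a time (an IPAM server that is also a DNS server, or an administrator signed in with a local account), so a preflight check is worth having. The following script, an added example and not part of the course text, runs on the prospective IPAM server after the IPAM feature has been installed and reports each prerequisite that can be checked locally. It assumes it is run under the account that will administer IPAM.

```powershell
# Added example (not from the course text). Run on the intended IPAM server, after the IPAM
# feature is installed, under the account that will be used to administer IPAM.
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

$cs = Get-WmiObject -Class Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 0-1 workstation, 2-3 member/standalone server, 4-5 domain controller.
Add-Check 'Domain-joined'           $cs.PartOfDomain       $cs.Domain
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

# IPAM must be the only network role on the box; a co-located DHCP role is not even discoverable.
$roles = @(Get-WindowsFeature -Name DHCP, DNS | Where-Object { $_.Installed })
Add-Check 'No DHCP or DNS role on this server' ($roles.Count -eq 0) (($roles | ForEach-Object { $_.Name }) -join ',')
Add-Check 'IPAM feature installed' ((Get-WindowsFeature -Name IPAM).Installed) ''

# IPv6 must be bound on the server to manage IPv6 address space.
$v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled })
Add-Check 'IPv6 enabled on at least one adapter' ($v6.Count -gt 0) (($v6 | ForEach-Object { $_.Name }) -join ',')

# Remote management of DHCP/DNS/DC/NPS servers goes over WinRM.
Add-Check 'WinRM service running' ((Get-Service -Name WinRM).Status -eq 'Running') ''

# The signed-in account must be a domain account and a member of an IPAM security group.
# IPAM Administrators grants every IPAM action; prefer a narrower IPAM group where one fits.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Add-Check 'Signed in with a domain account' ($env:USERDOMAIN -ne $env:COMPUTERNAME) $id.Name
$groupNames = foreach ($g in $id.Groups) {
    try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
$ipamGroups = @($groupNames | Where-Object { $_ -match '\\IPAM ' })
Add-Check 'Member of an IPAM security group' ($ipamGroups.Count -gt 0) ($ipamGroups -join ',')

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more IPAM prerequisites are not met; see the table above.'
}
```

The firewall and event-log requirements on the managed servers are not checked here because they are applied to those servers by the provisioning GPOs, not to the IPAM server itself.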
IPAM Functions and Architecture
IPAM Functions
IPAM consists of four modules that provide the following functionality:
IPAM discovery. You configure IPAM to use AD DS to discover servers running Windows Server 2008,
Windows Server 2008 R2, and Windows Server 2012 that are domain controllers or have either DNS or
DHCP installed. You can also add servers manually.
IP address space management (ASM). You can use this module to view, monitor, and manage the IP
address space. You can also track address utilization and detect overlapping DHCP scopes.
Multi-server management and monitoring. You can manage and monitor multiple DHCP servers. This
enables tasks to run across multiple servers. For example, you can configure and edit DHCP properties
and scopes and track the status of DHCP and scope utilization. You can also monitor multiple DNS
servers and monitor the health and status of DNS zones across authoritative DNS servers.
Operational auditing and IP address tracking. You can use the auditing tools to track potential
configuration problems. You can also collect, manage, and view details of configuration changes from
managed DHCP servers. You can also collect address lease tracking from DHCP lease logs and collect
logon event information from NPS and domain controllers.
IPAM Architecture
The IPAM server can only manage one AD DS forest. IPAM is deployed in one of three topologies:
Centralized. Only one IPAM server is deployed in the forest.
IPAM server. The IPAM server performs the data collection from the managed servers. It also manages
the Windows Internal Database and provides RBAC.
Address Space Management
IP address space management allows you to manage, track, audit, and report on your organization's IPv4
and IPv6 address spaces. The IPAM IP address space console provides you with IP address utilization
statistics and historical trend data so that you can make informed planning decisions for dynamic, static,
and virtual address spaces. IPAM periodic tasks automatically discover the address space and utilization
data as configured on the DHCP servers that are managed in IPAM. You can also import IP address
information from comma-separated values (.csv) files.
IPAM also enables you to detect overlapping IP address ranges that are defined on different DHCP
servers, find free IP addresses within a range, create DHCP reservations, and create DNS records.
IPAM provides a number of ways to filter the view of the IP address space. You can customize how you
view and manage the IP address space using any of the following views:
IP address blocks
IP address ranges
IP addresses
IP address inventory
IP address range groups
IP Address Blocks
IP address blocks are the highest-level entities within an IP address space organization. Conceptually, an
IP block is an IP supernet marked by a start and an end IP address. You use IP address blocks to create
and allocate IP address ranges to DHCP. You can add, import, edit, and delete IP address blocks. IPAM
automatically maps IP address ranges to the appropriate IP address block based on the boundaries of the
range. You can add and import IP address blocks in the IPAM console.
IP Address Ranges
IP Address Inventory
In this view, you can view a list of all IP addresses in the enterprise along with their device names and
type. IP address inventory is a logical group defined by the Device Type option within the IP addresses
view. These groups allow you to customize the way your address space displays for managing and
tracking IP usage. You can add or import IP addresses from within the IPAM console. For example, you
could add the IP addresses for printers or routers, assign the appropriate device type of printer or router
to each IP address, and then view your IP inventory filtered by the device type you assigned.
IP Address Range Groups
IPAM enables you to organize IP address ranges into logical groups. For example, you might organize IP
address ranges geographically or by business division. Logical groups are defined by selecting the
grouping criteria from built-in or user-defined custom fields.
Monitoring and Managing
IPAM enables automated, periodic service monitoring of DHCP and DNS servers across a forest.
Monitoring and managing is organized into the views listed in the following table.
View: Description
DNS and DHCP Servers: By default, managed DHCP and DNS servers are arranged by their network
interface in /16 subnets for IPv4 and /48 subnets for IPv6. You can select the view to see just DHCP scope
properties, just DNS server properties, or both.
DHCP scopes:
DNS Zone Monitoring: Zone monitoring is enabled for forward and reverse lookup zones. Zone status is
based on events collected by IPAM. The status of each zone is summarized.
Server Groups: You can organize your managed DHCP and DNS servers into logical groups. For example,
you might organize servers by business unit or geography. Groups are defined by selecting the grouping
criteria from built-in fields or user-defined fields.
Configure IPAM.
Demonstration Steps
1.
2.
In Server Manager, in the results pane, click Add roles and features.
3.
4.
5.
6.
7.
On the Select features page, select the IP Address Management (IPAM) Server check box.
8.
In the Add features that are required for IP Address Management (IPAM) Server popup, click
Add Features, and then click Next.
9.
10. When the Add Roles and Features Wizard completes, close the wizard.
11. In the Server Manager navigation pane, click IPAM.
12. In the IPAM Overview pane, click Connect to IPAM server. Select LON-SVR4.Adatum.com and then
click OK.
13. Click Provision the IPAM server.
14. In the Provision IPAM Wizard, click Next.
15. On the Select provisioning method page, ensure that Group Policy Based is selected, in the GPO
name prefix box, type IPAM, and then click Next.
16. On the Confirm the Settings page, click Apply. Provisioning will take a few moments to complete.
17. When provisioning has completed, click Close.
18. In the IPAM Overview pane, click Configure server discovery.
19. In the Configure Server Discovery dialog box, click Add to add the Adatum.com domain, and then
click OK.
20. In the IPAM Overview pane, click Start server discovery. Discovery may take 5 to 10 minutes to run.
The yellow bar indicates when discovery is complete.
21. In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access. Notice
that the IPAM Access Status is blocked for both servers. Scroll down to the Details view, and note the
status report. The IPAM server has not yet been granted permission to manage LON-DC1 through
Group Policy.
22. On the task bar, right-click the Windows PowerShell icon, and then click Run as Administrator.
23. At the Windows PowerShell prompt, type the following command on one line, and then press Enter:
    Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR4.adatum.com -DelegatedGpoUser Administrator
24. When you are prompted to confirm the action, type Y, and then press Enter. The command will take a
few moments to complete.
25. Close Windows PowerShell.
26. Switch to Server Manager. In the IPv4 details pane, right-click LON-DC1, and then click Edit Server.
27. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then
click OK.
28. In the IPv4 details pane, right-click LON-SVR1, and then click Edit Server.
29. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then
click OK.
38. Switch back to LON-SVR4, and in Server Manager, right-click LON-DC1, then click Refresh Server
    Access Status. When completed, right-click LON-SVR1, then click Refresh Server Access Status.
    When completed, refresh IPv4 by clicking the Refresh icon. It may take up to five minutes for the
    status to change.
39. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take a few
moments to complete.
40. On LON-SVR4, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP
Servers.
41. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server
role, and then click Create DHCP Scope.
42. In the Create DHCP Scope dialog box, in the Scope Name box, type TestScope.
43. In the Start IP address box, type 10.0.0.50.
44. In the End IP address box, type 10.0.0.100.
45. Ensure the subnet mask is 255.0.0.0.
46. Click OK.
47. On LON-DC1, in the Server Manager toolbar, click Tools, and then click DHCP.
48. In the DHCP console, expand LON-DC1, expand IPv4, and confirm that the TestScope exists.
49. Minimize the DHCP console.
Multi-terabyte volumes
Data deduplication
Storage Spaces
SMB 3.0
BranchCache
Windows Server 2012 implements several simplifications to DirectAccess to encourage its use as a
remote access solution, especially to bypass some common technology challenges such as
requirements for PKI and public IP addresses.
Windows Server 2012 seeks to improve networking throughput, responsiveness, and availability by
offloading much of the networking workload from the processor, and by teaming network cards to
provide scalability and availability. In addition, improvements to the DHCP server role provide for
more highly available DHCP scopes.
IPAM functionality adds IP address planning, IP address allocation, IP address usage tracking, and
auditing capabilities.
Review Question(s)
Question: Which technology enables disk mirroring, striping, and parity without specialist
hardware?
Question: How can you support Windows Vista, Windows 7, and Windows 8 clients for remote
access?
Question: In Dynamic Host Configuration Protocol (DHCP) failover, can you establish failover
relationships between DHCP servers for IPv6 scopes?
Question: In Windows Server 2012, what four functions does IPAM provide?
Module 3
Hyper-V in Windows Server 2012
Contents:
Module Overview
3-1
Module Overview
The Hyper-V role in Windows Server 2012 enables you to create and manage a virtualized computing
environment by using the virtualization technology that is built in to Windows Server 2012. Hyper-V
virtualizes hardware to provide an environment in which you can run multiple operating systems in their
own virtual machines at the same time on one physical computer.
In this module, you will learn about some of the major enhancements to Hyper-V in Windows Server 2012.
Objectives
After completing this module, you will be able to:
Lesson 1
Storage Enhancements
Windows Server 2012 introduces a number of storage enhancements that improve the performance,
scalability, and availability of your virtual machines. Enhancements to file-based storage increase
flexibility of access and sizing of virtual hard disks (VHDs), and improvements to data transfer
management make migrations smoother and faster.
Lesson Objectives
After completing this lesson, you will be able to:
Features of VHDX File Format
Windows Server 2012 introduces VHDX, a new file format for virtual machines. VHDX offers a number of
advantages when compared with the older VHD format.
Benefits of the VHDX format include:
If you have upgraded a Windows Server 2008 or Windows Server 2008 R2 Hyper-V server to Windows
Server 2012, you can convert an existing VHD file to the VHDX format by using the Edit Disk tool. It also
is possible to convert from VHDX format to VHD.
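The same conversion from PowerShell, with the checks the Edit Disk wizard does not show you, as an added example that is not part of the course text. The VM name LON-SVR1 and the paths under D:\VMs are assumptions.

```powershell
# Added example (not from the course text). Assumed VM LON-SVR1 with its disk under D:\VMs.
Import-Module Hyper-V

$vm  = 'LON-SVR1'
$src = 'D:\VMs\LON-SVR1\disk.vhd'
$dst = 'D:\VMs\LON-SVR1\disk.vhdx'

# Convert-VHD works on a copy of the data, so the VM must be off and the volume needs room
# for a second copy of the disk. Test-VHD also catches a broken differencing chain.
if ((Get-VM -Name $vm).State -ne 'Off') { throw "$vm must be shut down before converting its disk." }
if (-not (Test-VHD -Path $src))         { throw "$src failed validation; fix the chain before converting." }
Get-VHD -Path $src | Select-Object VhdFormat, VhdType, Size, FileSize, Attached

Convert-VHD -Path $src -DestinationPath $dst -VhdType Dynamic

# Re-point the VM's drive at the new file (same controller slot), keeping the original until the
# VM has booted from the VHDX.
$drive = Get-VMHardDiskDrive -VMName $vm | Where-Object { $_.Path -eq $src }
Set-VMHardDiskDrive -VMName $vm -ControllerType $drive.ControllerType `
    -ControllerNumber $drive.ControllerNumber -ControllerLocation $drive.ControllerLocation -Path $dst

Get-VHD -Path $dst | Select-Object VhdFormat, VhdType, Size, BlockSize, LogicalSectorSize, PhysicalSectorSize
```

A VHDX cannot be attached by a Windows Server 2008 R2 host, so convert only once the VM will no longer need to move back to an older host; the reverse conversion exists, but a disk larger than 2 TB cannot go back to VHD at all.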
Hyper-V over SMB
Hyper-V supports storing virtual machine data, such as virtual-machine configuration files, snapshots,
and virtual hard-disk files, on SMB 3.0 file shares. The file share must support SMB 3.0. This limits
placement of VHDs on file shares to those that are hosted on file servers that are running Windows
Server 2012. Earlier Windows Server versions do not support SMB 3.0.
You must ensure that network connectivity to the file share is 1 gigabit per second (Gbps) or more.
An SMB file share provides an alternative to storing virtual-machine files on Internet Small Computer
System Interface (iSCSI) or Fibre Channel storage area network (SAN) devices. When creating a virtual
machine in Hyper-V on Windows Server 2012, you can specify a network share when choosing the virtual
machine location and the virtual hard-disk location. You also can attach disks stored on SMB 3.0 file
shares. You can use both VHD and VHDX disks with SMB file shares.
Offloaded Data Transfer
Offloaded Data Transfer (ODX) is a feature new in Windows Server 2012 that optimizes copying large
amounts of data from one location to another. In Hyper-V, ODX provides support for offloaded data
transfer in the storage stack, and makes these operations faster than was previously possible.
Many source and destination file configurations are possible. The source file and destination file can be
on the same volume, two different volumes hosted by the same machine, a local volume and a remote
volume accessed through SMB 3.0, or on two volumes on two different machines accessed through SMB
3.0. Windows Server 2012 facilitates this accelerated process by enabling the hand-off of operations to a
storage system that can perform actions more quickly.
ODX functionality benefits operations such as:
Secure offload data transfer.
VHD/VHDX merge.
To use ODX with virtual machines hosted by Hyper-V, the virtual machines must access storage from an
ODX-capable storage array. You can achieve this by using any of the following approaches:
Assign ODX-capable Fibre Channel LUNs to the virtual machine's virtual Fibre Channel adapter.
Connect the host or virtual machine to an SMB file share on another computer that is hosted on an
ODX-capable storage array.
Note: There are additional hardware and software requirements for implementing ODX.
Lesson 2
Hyper-V Networking Improvements
Windows Server 2012 adds new networking features and enhancements to many existing features. In this
lesson you will learn about networking features that support Hyper-V.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the changes in networking in Hyper-V.
Describe network virtualization.
Changes in Hyper-V Networking
There are several new networking features in Hyper-V in Windows Server 2012 that improve the
network performance and flexibility of virtual machines in private and public cloud environments. In
most cases, you should use the default settings in small-scale deployments.
The new networking features in Windows Server 2012 Hyper-V include:
Network virtualization. This feature enables IP addresses to be virtualized in hosting environments so
that virtual machines migrated to the host can keep their original IP address rather than receiving an IP
address on the Hyper-V server's network.
IP security (IPsec) task offloading. This feature requires that the guest operating system and network
adapter are supported. This feature enables the host's network adapter to perform calculation-intensive
security-association tasks. If sufficient hardware resources are not available, the guest operating system
performs these tasks. You can configure a maximum number of offloaded security associations in a
range of one to 4,096. This feature is supported only on synthetic network adapters.
Virtual Switches
Virtual switches are virtual devices that you can manage through the Virtual Switch Manager. The Virtual
Switch Manager enables you to create three types of virtual switches. Virtual switches control how
network traffic flows both between virtual machines hosted on the Hyper-V server and between virtual
machines and the rest of your organization's network.
Hyper-V on Windows Server 2012 supports the three types of virtual switches that the following table
details.
Internal. You use internal virtual switches to communicate between the virtual machines on the Hyper-V
host and to communicate between the virtual machines and the Hyper-V host itself.
When configuring a virtual network, you can also configure a virtual local area network (VLAN) identifier
(ID) to be associated with the network. You can use this to extend existing VLANs on the external network
to VLANs within the Hyper-V host's network switch. You use VLANs to partition network traffic. VLANs
function as separate logical networks. Traffic can pass only from one VLAN to another if it passes through
a router.
You can configure the following extensions for each virtual switch type:
Microsoft Windows Filtering Platform. This extension allows filtering of data travelling across the
virtual switch.
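The switch types, VLAN tagging, switch extensions, and the IPsec offload limit from the previous topic can all be set from the Hyper-V module. The script below, an added example and not part of the course text, builds the three switch types, places two tenant VMs and the host's management interface in separate VLANs, and checks the extension state. The adapter name "Ethernet 2", the VM names TENANT-A and TENANT-B and the VLAN IDs are assumptions. The per-port guards at the end are additional Windows Server 2012 settings that the text above does not describe.

```powershell
# Added example (not from the course text). Assumed names: physical NIC "Ethernet 2", VMs TENANT-A
# and TENANT-B already created, VLAN 100 for host management, VLANs 10 and 20 for the tenants.
Import-Module Hyper-V

# External: bound to the physical NIC; the host keeps a management vNIC on it.
# Internal: host <-> VMs only (no physical NIC). Private: VM <-> VM only.
New-VMSwitch -Name 'External' -NetAdapterName 'Ethernet 2' -AllowManagementOS $true
New-VMSwitch -Name 'Internal' -SwitchType Internal
New-VMSwitch -Name 'Private'  -SwitchType Private

# VLAN isolation: the host management vNIC and each tenant get their own VLAN. The physical
# switch port must be a trunk that carries VLANs 100, 10 and 20.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'External' -Access -VlanId 100
$tenants = @{ 'TENANT-A' = 10; 'TENANT-B' = 20 }
foreach ($name in $tenants.Keys) {
    Connect-VMNetworkAdapter  -VMName $name -SwitchName 'External'
    Set-VMNetworkAdapterVlan  -VMName $name -Access -VlanId $tenants[$name]
    # IPsec task offload: allow up to 512 security associations to be offloaded to the NIC
    # (the guest falls back to software when the NIC runs out).
    Set-VMNetworkAdapter      -VMName $name -IPsecOffloadMaximumSecurityAssociation 512
    # Per-port protections not covered in the text above: tenants may not spoof MAC addresses
    # or answer as DHCP servers / routers for the other VLANs' traffic.
    Set-VMNetworkAdapter      -VMName $name -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
}

# Extensions are enabled per switch; the WFP extension is what Windows Firewall-style filtering
# of VM traffic at the switch relies on.
Get-VMSwitchExtension -VMSwitchName 'External' | Format-Table Name, ExtensionType, Enabled -AutoSize
Enable-VMSwitchExtension -VMSwitchName 'External' -Name 'Microsoft Windows Filtering Platform'

# Verify the VLAN assignment and the resulting port settings.
Get-VMNetworkAdapterVlan -VMName 'TENANT-A','TENANT-B' | Format-Table VMName, OperationMode, AccessVlanId -AutoSize
Get-VMNetworkAdapter -VMName 'TENANT-A' | Select-Object VMName, SwitchName, MacAddressSpoofing, DhcpGuard, RouterGuard
```

Remember that VLAN tagging at the virtual switch only isolates traffic if the physical switch enforces the same VLANs; a mis-trunked port lets a tenant reach VLANs it should not see.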
Hyper-V Network Virtualization
You can use network virtualization to isolate virtual machines from different organizations, even if they
share the same Hyper-V host. For example, you might be providing Infrastructure as a Service (IaaS) to
competing businesses. You can use network virtualization to go beyond assigning these virtual machines
to separate VLANs in order to isolate their network traffic. Network virtualization is a technology that
you would deploy primarily in scenarios where you use Hyper-V to host virtual machines for third-party
organizations. Network virtualization has the advantage that you can configure all network isolation on
the Hyper-V host. With VLANs, configuring switches with the appropriate VLAN IDs is also necessary.
When you configure network virtualization, each guest virtual machine has two IP addresses that work
as follows:
You can use network virtualization to host multiple machines that use the same customer address, such
as 192.168.15.101, on the same Hyper-V host. When you do this, the virtual machines are assigned
different IP addresses by the hosting provider, though this address will not be apparent from within the
virtual machine.
You manage network virtualization by using Windows PowerShell cmdlets. All Network Virtualization
cmdlets are in the NetWNV PowerShell module. Tenants gain access to virtual machines that take
advantage of network virtualization through Routing and Remote Access. They make a tunneled
connection from their network through to the virtualized network on the Hyper-V server.
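The two-VMs-same-customer-address scenario from the text, expressed with the NetWNV cmdlets, as an added example that is not part of the course text. It assumes a single Windows Server 2012 host with physical NIC "Ethernet 2", provider addresses 10.1.1.10 and 10.1.1.11, VMs TENANT-A and TENANT-B, and made-up routing-domain GUIDs and MAC addresses.

```powershell
# Added example (not from the course text). Two tenants, each with a VM at customer address
# 192.168.15.101, on one host. Assumed: physical NIC "Ethernet 2", provider addresses 10.1.1.10/11,
# VMs TENANT-A and TENANT-B, routing-domain GUIDs and MAC addresses invented for the example.
Import-Module NetWNV
Import-Module Hyper-V

$nic = Get-NetAdapter -Name 'Ethernet 2'

# 1. Bind the network virtualization filter to the physical NIC (required on Windows Server 2012).
Enable-NetAdapterBinding -Name $nic.Name -ComponentID 'ms_netwnv'

# 2. Provider addresses: what the encapsulated packets carry on the hosting provider's network.
New-NetVirtualizationProviderAddress -ProviderAddress 10.1.1.10 -InterfaceIndex $nic.ifIndex -PrefixLength 24
New-NetVirtualizationProviderAddress -ProviderAddress 10.1.1.11 -InterfaceIndex $nic.ifIndex -PrefixLength 24

# 3. One routing domain (tenant) and one virtual subnet each. VSIDs must be unique and >= 4096;
#    the VSID, not the IP address, is what keeps the two 192.168.15.101 hosts apart.
$tenants = @(
    @{ Name = 'TENANT-A'; Rdid = '{11111111-1111-1111-1111-111111111111}'; Vsid = 5001; Pa = '10.1.1.10'; Mac = '00155D0A0001' },
    @{ Name = 'TENANT-B'; Rdid = '{22222222-2222-2222-2222-222222222222}'; Vsid = 5002; Pa = '10.1.1.11'; Mac = '00155D0A0002' }
)
foreach ($t in $tenants) {
    # Customer route: the tenant's 192.168.15.0/24 is on-link inside its own virtual subnet.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.Rdid -VirtualSubnetID $t.Vsid `
        -DestinationPrefix '192.168.15.0/24' -NextHop '0.0.0.0' -Metric 255

    # Lookup record: (VSID, customer address) -> provider address. Encapsulation keeps the
    # customer address intact inside the packet, so the guest never sees the provider address.
    New-NetVirtualizationLookupRecord -CustomerAddress 192.168.15.101 -ProviderAddress $t.Pa `
        -VirtualSubnetID $t.Vsid -MACAddress $t.Mac -Rule TranslationMethodEncap

    # Tag the VM's vNIC with its VSID and pin the MAC the lookup record expects.
    Set-VMNetworkAdapter -VMName $t.Name -StaticMacAddress $t.Mac -VirtualSubnetId $t.Vsid
}

# 4. Verify: the same customer address appears twice, in different virtual subnets.
Get-NetVirtualizationLookupRecord |
    Format-Table CustomerAddress, VirtualSubnetID, ProviderAddress, MACAddress -AutoSize
```

The policy above lives only on this host. Every host that carries a VM from either tenant needs the same lookup and route records, which is why at scale the records are pushed from a management system rather than typed per host; a missing or stale record on one host silently breaks connectivity for a migrated VM.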
Lesson 3
Failover Clustering and Virtual-Machine Monitoring
In this lesson, you will learn about Windows Server 2012 features that enable your virtual machines to
recover from service failures and react to Event Tracing for Windows (ETW) events.
Lesson Objectives
After completing this lesson, you will be able to:
Select an appropriate clustering model.
Describe new failover clustering features in Hyper-V.
Describe virtual-machine monitoring.
Choosing Between Host and Guest Clustering
Most organizations have some applications that are business critical and must be highly available. To
make an application highly available, you must deploy it in an environment that provides redundancy for
all components that the application requires. For virtual machines to be highly available, you can choose
between several options. You can implement a virtual machine as a clustered role (host clustering), you
can implement clustering inside virtual machines (guest clustering), or you can use Network Load
Balancing (NLB) inside virtual machines.
Host Clustering
Host clustering enables you to configure a failover cluster by using the Hyper-V host servers. When you
configure host clustering for Hyper-V, you configure the virtual machine as a highly available resource.
Failover protection is implemented at the host server level. This means that the guest operating system
and applications that are running within the virtual machine do not have to be cluster-aware. However,
the virtual machine is still highly available. Some examples of non-cluster-aware applications are a print
server, or perhaps a proprietary network-based application, such as an accounting application. Should the
host node that controls the virtual machine unexpectedly become unavailable, the secondary host node
takes control and restarts the virtual machine as quickly as possible. You can also move the virtual
machine from one node in the cluster to another in a controlled manner. For example, you could move
the virtual machine from one node to another while patching the host operating system. The applications
or services that are running in the virtual machine do not have to be compatible with failover clustering,
nor are they aware that the virtual machine is clustered. Because the failover is at the virtual machine
level, there are no dependencies on software that is installed inside the virtual machine.
Guest Clustering
Guest failover clustering is configured very similarly to physical server failover clustering, except that the
cluster nodes must include multiple virtual machines. In this scenario, you create two or more virtual
machines, and enable failover clustering within the guest operating system. The application or service is
then enabled for high availability between the virtual machines by using failover clustering in each virtual
machine. Because failover clustering is implemented within each virtual machine node's guest operating
system, you can locate the virtual machines on a single host. This can be a quick and cost-effective
configuration in a test or staging environment.
For production environments however, you can more robustly protect the application or service if
you deploy the virtual machines on separate failover clustering enabled Hyper-V host computers. With
failover clustering implemented both at the host and virtual machine levels, the resource can be restarted
regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as
a Guest Cluster Across Hosts. This is an optimal high availability configuration for virtual machines
running mission-critical applications in a production environment.
You should consider several factors when you implement guest clustering:
The application or service must be failover cluster-aware. This includes any of the Windows Server 2012 services that are cluster-aware, and any cluster-aware applications, such as clustered Microsoft SQL Server.
Hyper-V virtual machines can use Fibre Channel-based connections to shared storage (virtual Fibre Channel is new to Hyper-V in Windows Server 2012), or you can implement iSCSI connections from the virtual machines to the shared storage.
You should deploy multiple network adapters on the host computers and the virtual machines. As a best practice, you should dedicate a network connection to the network that the client computers use, to the private network between the cluster nodes, and to the iSCSI connection if you use iSCSI to connect to storage.
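The following Windows PowerShell is an added example, not part of the course material, showing how the considerations above translate into configuration for a two-node guest cluster across hosts. The host cluster HostClu1, the guest nodes SQL1 and SQL2, the iSCSI target at 10.0.3.10, the cluster address 10.0.1.50, the subnet names and the assumption that each clustered virtual machine role carries the name of its virtual machine are all hypothetical.

```powershell
# Added example; not part of the course material. Names, addresses, the iSCSI target and the
# assumption that each clustered VM role is named after its virtual machine are hypothetical.
# Run from a management workstation with the Failover Clustering tools, as an account that is
# a local administrator on the guest nodes and on the host cluster.
$GuestNodes  = 'SQL1', 'SQL2'    # virtual machines that will form the guest cluster
$HostCluster = 'HostClu1'        # Hyper-V failover cluster that runs those virtual machines

# 1. Guest side: connect each node to the shared iSCSI LUN and install Failover Clustering.
Invoke-Command -ComputerName $GuestNodes -ScriptBlock {
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    # Persistent so the LUN reconnects after a reboot. The portal is reached over the NIC that
    # is dedicated to storage traffic.
    New-IscsiTargetPortal -TargetPortalAddress '10.0.3.10' | Out-Null
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools | Out-Null
}

# 2. Validate first. Storage, network and OS issues surface here instead of at failover time.
$report = Test-Cluster -Node $GuestNodes
Write-Host "Validation report written to $($report.FullName)"

# 3. Create the guest cluster. Keep the storage network out of cluster and client traffic.
New-Cluster -Name 'GuestClu1' -Node $GuestNodes -StaticAddress '10.0.1.50' | Out-Null
$storageNet = Get-ClusterNetwork -Cluster 'GuestClu1' | Where-Object { $_.Address -eq '10.0.3.0' }
if ($storageNet) { $storageNet.Role = 0 }    # 0 = none, 1 = cluster only, 3 = cluster and client

# 4. Host side: ask the host cluster to keep the two guest nodes on different Hyper-V hosts.
#    Anti-affinity is a placement preference, not a guarantee: if only one host is left, both
#    guests run on it, and a failure of that host then takes down the whole guest cluster.
$antiAffinity = New-Object System.Collections.Specialized.StringCollection
$antiAffinity.Add('GuestClu1') | Out-Null
foreach ($vm in $GuestNodes) {
    $group = Get-ClusterGroup -Cluster $HostCluster -Name $vm
    $group.AntiAffinityClassNames = $antiAffinity
}

# 5. Confirm placement: the two roles should report different OwnerNode values.
$GuestNodes | ForEach-Object { Get-ClusterGroup -Cluster $HostCluster -Name $_ } |
    Select-Object Name, OwnerNode, State
```

Step 4 is what makes this a Guest Cluster Across Hosts in practice: without the anti-affinity setting, the host cluster is free to place both guest nodes on the same Hyper-V host after a failover, which silently recreates the single-host configuration described above for test environments.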
NLB works with virtual machines in the same manner that it works with physical hosts. It distributes IP traffic to multiple instances of a TCP/IP service, such as a web server that is running on a host within the NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to access the cluster by using a virtual host name or a virtual IP address. From the client computer's point of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic increases, you can add another server to the cluster. Examples of NLB-appropriate applications are web-based front ends to database applications or Exchange Server Client Access servers.
When you configure an NLB cluster, you must install and configure the application on all virtual machines. After you configure the application, you install the Network Load Balancing feature in Windows Server 2012 within each virtual machine's guest operating system (not on the Hyper-V hosts), and then configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, so the guest operating system is not limited to Windows Server 2012. Similar to a Guest Cluster Across Hosts, the NLB resource typically benefits from overall increased I/O performance when the virtual machine nodes are located on different Hyper-V hosts.
Note: As with earlier versions of Windows Server, you should not implement NLB and
failover clustering within the same operating system because the two technologies conflict with
one another.
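The following Windows PowerShell is an added example, not part of the course material, that builds the NLB cluster described above inside two guest virtual machines. The host names WEB1 and WEB2, their placement on the Hyper-V hosts HV1 and HV2, the virtual network adapter named NLB, the virtual IP 10.0.1.100 and the cluster name are hypothetical. It also covers a Hyper-V-specific point the text does not mention: in unicast mode NLB changes the adapter's MAC address, which the Hyper-V virtual switch blocks unless MAC address spoofing is enabled on that adapter.

```powershell
# Added example; not part of the course material. Host names, the vNIC name 'NLB', the VIP
# and the assumed VM-to-host placement are hypothetical.
$Placement  = @{ 'WEB1' = 'HV1'; 'WEB2' = 'HV2' }   # guest -> Hyper-V host that runs it
$WebNodes   = @($Placement.Keys)
$ClusterVip = '10.0.1.100'

# 1. Hyper-V host side. In unicast mode NLB replaces the adapter's MAC address with the cluster
#    MAC; the Hyper-V switch drops such frames unless MAC address spoofing is allowed on that
#    vNIC. Allow it only on the NLB-facing adapter: spoofing lets the guest send frames with any
#    source MAC, so the adapters used for management and back-end traffic keep the default (Off).
foreach ($vm in $WebNodes) {
    Get-VMNetworkAdapter -ComputerName $Placement[$vm] -VMName $vm -Name 'NLB' |
        Set-VMNetworkAdapter -MacAddressSpoofing On
}

# 2. Guest side: install the feature in every node's guest operating system, not on the hosts.
Invoke-Command -ComputerName $WebNodes -ScriptBlock {
    Install-WindowsFeature -Name NLB -IncludeManagementTools | Out-Null
}

# 3. Create the cluster on the first node and join the second. The NLB cmdlets manage the
#    named host remotely, so this runs from a management workstation.
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -HostName 'WEB1' -InterfaceName 'NLB' -ClusterName 'web.contoso.com' `
    -ClusterPrimaryIP $ClusterVip -SubnetMask '255.255.255.0' -OperationMode Unicast | Out-Null
Add-NlbClusterNode -HostName 'WEB1' -InterfaceName 'NLB' `
    -NewNodeName 'WEB2' -NewNodeInterface 'NLB' | Out-Null

# 4. The default port rule load-balances every TCP and UDP port, which exposes whatever else
#    listens on the nodes through the VIP. Replace it with rules for the web ports only.
Get-NlbClusterPortRule -HostName 'WEB1' | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName 'WEB1' -StartPort 80  -EndPort 80  -Protocol Tcp -Affinity None   | Out-Null
Add-NlbClusterPortRule -HostName 'WEB1' -StartPort 443 -EndPort 443 -Protocol Tcp -Affinity Single | Out-Null

# 5. Both nodes should show State 'Converged'.
Get-NlbClusterNode -HostName 'WEB1' | Select-Object Name, State, HostPriority
```

Because unicast NLB nodes cannot reach each other through the load-balanced adapter, each guest needs a second virtual network adapter for management and back-end traffic, which is the same multiple-adapter guidance the text gives for guest clusters.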
Hyper-V in Windows Server 2012
What Is New in Failover Clustering?
In Windows Server 2012, failover clustering is much improved with respect to Hyper-V clusters. Some of the most important improvements are:
using BitLocker Drive Encryption and configuring them to make storage visible to only a subset of nodes.
VM Monitoring
In Windows Server 2012, VM Monitoring enables you to monitor the health state of services and applications that are running within a virtual machine. VM Monitoring then reports the health state to the host level so that the host can take recovery actions. You can monitor any Windows service (such as Print Spooler) in the virtual machine or any Event Tracing for Windows (ETW) event occurring in the virtual machine. When the condition you are monitoring is triggered, the Cluster Service logs an event on the host and takes recovery actions.
When VM Monitoring is configured, the cluster service monitors the status of clustered virtual machines through periodic health checks, and communicates issues to the host. When the cluster service determines that a virtual machine is in a critical state (an application or service inside the virtual machine is in an unhealthy state), the cluster service takes recovery actions.
When a monitored service encounters an unexpected failure, the sequence of recovery actions is determined by the recovery actions configured for that service (the Recovery tab of the service's properties in Service Control Manager inside the guest). For example, you can specify that on the first and second service failures, the Service Control Manager restarts the service. On the third failure, the Service Control Manager takes no action and defers recovery to the cluster service running on the host, which can restart the virtual machine or fail it over to another node.
Requirements for VM Monitoring
VM Monitoring has the following requirements:
Windows Server 2012 is required as both the host and the guest operating system.
Windows Server 2012 Hyper-V Integration Services must be installed in the guest.
The Failover Clustering feature must be installed and configured on the Windows Server 2012 Hyper-V hosts.
The Virtual Machine Monitoring firewall rule group must be enabled in the guest operating system.
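The following Windows PowerShell is an added example, not part of the course material, that configures VM Monitoring end to end: the guest-side firewall rule and service recovery chain described above, then the monitored items on the host cluster. The guest name APP1, the event source ContosoApp and event ID 1001 are hypothetical; the Print Spooler service is the one the text uses.

```powershell
# Added example; not part of the course material. The guest name, the event source and the event
# ID are hypothetical. Run on a node of the Hyper-V host cluster that owns the virtual machine,
# as an account that is also a local administrator inside the guest.
$Guest = 'APP1'     # clustered virtual machine whose guest services are monitored

# 1. Inside the guest. The firewall group lets the cluster service on the host query the guest's
#    Service Control Manager. The recovery chain makes the SCM handle the first two failures and
#    defer the third to the cluster: restart after 60 s, restart after 60 s, then no action.
Invoke-Command -ComputerName $Guest -ScriptBlock {
    Enable-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring'
    # reset= is the error-free period (seconds) after which the failure count restarts; the
    # empty third action in actions= means "take no action".
    sc.exe failure spooler reset= 86400 actions= restart/60000/restart/60000//
    # Count a stop with a non-zero exit code as a failure too, not only a crash.
    sc.exe failureflag spooler 1
}

# 2. On the host cluster: monitor the Print Spooler service in the guest...
Add-ClusterVMMonitoredItem -VirtualMachine $Guest -Service 'spooler'

# ...and an application event: Application log, source ContosoApp, event ID 1001 (ETW-based).
Add-ClusterVMMonitoredItem -VirtualMachine $Guest `
    -EventLog 'Application' -EventSource 'ContosoApp' -EventId 1001

# 3. Confirm what is monitored.
Get-ClusterVMMonitoredItem -VirtualMachine $Guest

# Functional check: in the guest, kill spoolsv.exe three times inside the reset window
# (taskkill /f /im spoolsv.exe). The first two are restarted by the SCM; on the third the cluster
# service on the host logs an event and restarts the virtual machine (and fails it over to another
# node if the problem recurs).
```

Note that stopping the service cleanly with Stop-Service is not a failure and does not trigger the chain; only an unexpected exit (or, with failureflag set, a stop with a non-zero exit code) counts.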
Lesson 4
Moving virtual machines from one location to another is a relatively common procedure in the administration of Hyper-V environments. Most of the techniques in previous Windows Server versions required some downtime. Windows Server 2012 introduces new technologies to enable seamless virtual machine movement. In this lesson, you will learn about virtual machine movement, migration options, and options for virtual machine high availability.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to implement Live Migration.
Describe Hyper-V Replica.
Describe how to configure Hyper-V Replica.
Configure a Hyper-V replica.
Options for Virtual Machine Migration
There are several scenarios in which you would want to migrate a virtual machine from one location to another. For example, you might want to move a virtual machine's VHD from one physical drive to another on the same host. Another example is moving a virtual machine from one node in a cluster to another, or moving a virtual machine from one host server to another host server without the hosts being members of a cluster. Compared with Windows Server 2008 R2, Windows Server 2012 provides significant enhancements in addition to simplified procedures for this process.
In Windows Server 2012, you can perform migration of virtual machines by using these methods:
Exporting and importing virtual machines. This is an established method of moving virtual machines without using a cluster. You export a virtual machine on one host, physically move the exported files to another host, and then perform an import operation there. This is a very time-consuming operation. It requires that the virtual machine is turned off during export and import. In Windows Server 2012 this migration method is improved. You can import a virtual machine to a Hyper-V host without exporting it before import. Windows Server 2012 Hyper-V is now capable of configuring all the necessary settings during the import operation.
How Does Virtual Machine and Storage Migration Work?
There are many cases in which you might want to move the virtual machine files to another location. For example, if the disk where a virtual machine hard disk resides runs out of space, you must move the virtual machine to another drive or volume. Also, moving a virtual machine to another host is a very common procedure.
In earlier versions of Windows Server, such as Windows Server 2008 or Windows Server 2008 R2, moving a virtual machine resulted in downtime because it had to be turned off. If you moved a virtual machine between two hosts, then you also had to perform export and import operations for that specific virtual machine. Export operations can be time-consuming, depending on the size of the virtual machine hard disks.
In Windows Server 2012, Virtual Machine and Storage Migration enables you to move a virtual machine to another location on the same host or on another host computer without turning off the virtual machine.
How it works
To copy a VHD, an administrator starts live storage migration by using the Hyper-V console or Windows PowerShell, and completes the wizard (or specifies parameters in Windows PowerShell). A new VHD is created on the destination location and the copy process starts. During the copy process, the virtual machine is fully functional. However, all changes that occur during copying are written to both the source and destination location. Read operations are performed only from the source location. As soon as the disk copy process is complete, Hyper-V switches the virtual machine to run on the destination VHD. Also, if the virtual machine is moved to another host, the computer configuration is copied and the virtual machine is associated with the other host. If a failure were to occur on the destination side, there is always a fail back option to run back again on the source directory. After the virtual machine is migrated successfully and associated to a new location, the process deletes the source VHDs.
The time that is required to move a virtual machine depends on the source and destination location, the speed of hard disks or storage, and the size of the VHDs. The moving process is faster if the source and destination locations are on shared storage that supports Offloaded Data Transfer (ODX), because the storage array then copies the data itself instead of streaming it through the host.
When you move a virtual machine's VHDs or VHDXs to another location, a wizard presents three available options:
Move all the virtual machine's data to a single location: You specify one single destination location for all of the virtual machine's items, such as disk files, configuration, snapshots, and smart paging files.
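The following Windows PowerShell is an added example, not part of the course material, that carries out the two movement methods described in this lesson: the improved import (importing a copied virtual machine without a prior export) and live storage migration, both in the single-location form of the wizard and with items mapped to different locations. It also shows the pre-checks a practitioner would run first. The virtual machine name WEB1 and every path and drive letter are hypothetical.

```powershell
# Added example; not part of the course material. The VM name and every path are hypothetical.
# Run on the Hyper-V host as an administrator.
$VmName = 'WEB1'

# A. Import without a prior export: the VM folder was copied here from another host. -Copy writes
#    the VM to the new paths (leaving the copied files untouched) and -GenerateNewId prevents an
#    ID clash if the original VM still exists elsewhere. Hyper-V fixes up the settings on import.
$config = Get-ChildItem -Path 'D:\Incoming\WEB1\Virtual Machines\*.xml' | Select-Object -First 1
Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\WEB1' -VhdDestinationPath 'D:\VMs\WEB1\Disks' | Out-Null

# B. Live storage migration. The copy runs while the source is still in use, so the destination
#    must have room for the full disks (plus a margin), not just the changes.
$diskBytes = (Get-VMHardDiskDrive -VMName $VmName |
              ForEach-Object { (Get-Item -Path $_.Path).Length } |
              Measure-Object -Sum).Sum
$free = (Get-Volume -DriveLetter 'E').SizeRemaining
if ($free -lt ($diskBytes * 1.1)) {
    throw "E: has $free bytes free but the move needs about $([int64]($diskBytes * 1.1))"
}

# ODX is used automatically when the array supports it and it is not disabled on the host
# (FilterSupportedFeaturesMode: 0 or absent = enabled, 1 = disabled).
$fs = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
Write-Host "ODX disabled on this host: $($fs.FilterSupportedFeaturesMode -eq 1)"

# Wizard option 1: everything (configuration, disks, snapshots, smart paging) to one location.
Move-VMStorage -VMName $VmName -DestinationStoragePath 'E:\VMs\WEB1'

# Per-item variant: configuration and snapshots stay on E:, the first VHDX moves to F:.
$vhd = (Get-VMHardDiskDrive -VMName $VmName | Select-Object -First 1).Path
Move-VMStorage -VMName $VmName `
    -VirtualMachinePath   'E:\VMs\WEB1\Config' `
    -SnapshotFilePath     'E:\VMs\WEB1\Snapshots' `
    -SmartPagingFilePath  'E:\VMs\WEB1\Paging' `
    -Vhds @( @{ SourceFilePath = $vhd; DestinationFilePath = 'F:\Disks\WEB1\web1.vhdx' } )

# C. Verify the VM now runs from the new locations; the source files are deleted automatically.
Get-VMHardDiskDrive -VMName $VmName | Select-Object Path
Get-VM -Name $VmName | Select-Object ConfigurationLocation, SnapshotFileLocation, SmartPagingFilePath
```

Hyper-V grants the virtual machine's own virtual account access to the files at the new location, so no manual ACL work is needed for local volumes. If the destination is an SMB 3.0 share, the Hyper-V host's computer account needs Full Control on both the share and the NTFS folder before the move.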
How Live Migration Works
Live Migration enables you to move running virtual machines from one Hyper-V host to another host. With Live Migration, users who are connected to the virtual machine should experience almost no server outage.
Note: Whereas you can also live migrate a virtual machine by using Virtual Machine and Storage Migration, described in the previous topic, you should be aware that live migration within a failover cluster is based on a different technology: failover clustering. Unlike the storage migration scenario, clustered Live Migration can be performed only if the virtual machine is highly available (configured as a clustered role). Windows Server 2012 also supports live migration between hosts that are not members of a cluster (shared-nothing live migration), in which case the virtual machine's storage is moved together with its running state.
You can start a Live Migration through one of the following:
A Windows Management Instrumentation (WMI) or Windows PowerShell script.
3. State transfer. To actually migrate the virtual machine to the target host, Hyper-V stops the source partition, transfers the state of the virtual machine (including the remaining dirty memory pages) to the target host, and then restores the virtual machine on the target host. The virtual machine has to be paused during the final state transfer.
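The following Windows PowerShell is an added example, not part of the course material, that prepares two hosts for Live Migration and then performs both kinds of move described in this lesson: a shared-nothing migration between stand-alone hosts and a clustered migration. It adds two points the text does not cover but a practitioner needs: Kerberos authentication with constrained delegation (required to start a migration remotely), and confining migration traffic to a dedicated network because the transferred memory pages are not encrypted in Windows Server 2012. The hosts HV1 and HV2, the domain contoso.com, the subnet 10.0.2.0/24, the cluster HostClu1 and the virtual machine WEB1 are hypothetical.

```powershell
# Added example; not part of the course material. Hosts HV1/HV2, the contoso.com domain, the
# 10.0.2.0/24 migration subnet, the cluster name and the VM name are hypothetical.
$Hosts  = 'HV1', 'HV2'
$Domain = 'contoso.com'

# 1. Enable live migration on every host. Kerberos (instead of the default CredSSP) lets an
#    administrator start a move remotely rather than having to sign in to the source host, but
#    it needs constrained delegation (step 2). Confine the traffic to one dedicated subnet:
#    Windows Server 2012 sends the memory pages unencrypted during state transfer.
Invoke-Command -ComputerName $Hosts -ScriptBlock {
    Enable-VMMigration
    Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
               -MaximumVirtualMachineMigrations 2 -MaximumStorageMigrations 2 `
               -UseAnyNetworkForMigration $false
    Add-VMMigrationNetwork -Subnet '10.0.2.0/24'
}

# 2. Constrained delegation, Kerberos only: each host may obtain tickets on the administrator's
#    behalf to the other hosts for the CIFS service (storage) and the Hyper-V migration service.
#    Nothing broader (no "any protocol", no unconstrained delegation). Requires the AD module.
Import-Module ActiveDirectory
foreach ($h in $Hosts) {
    $spns = foreach ($other in ($Hosts | Where-Object { $_ -ne $h })) {
        "cifs/$other"
        "cifs/$other.$Domain"
        "Microsoft Virtual System Migration Service/$other"
        "Microsoft Virtual System Migration Service/$other.$Domain"
    }
    Set-ADComputer -Identity $h -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
}
# The hosts see the new delegation once their Kerberos tickets are refreshed (purge or reboot).

# 3. Shared-nothing live migration between stand-alone hosts: storage and running state travel
#    over the migration network; the VM is paused only for the final state transfer.
Move-VM -ComputerName 'HV1' -Name 'WEB1' -DestinationHost 'HV2' `
        -IncludeStorage -DestinationStoragePath 'D:\VMs\WEB1'

# 4. For a clustered VM the cluster drives the same move between its nodes:
#    Move-ClusterVirtualMachineRole -Cluster 'HostClu1' -Name 'WEB1' -Node 'HV2' -MigrationType Live

# 5. Verify the VM is running on the target host.
Get-VM -ComputerName 'HV2' -Name 'WEB1' | Select-Object Name, State, ComputerName
```

With CredSSP (the default) the move only works when you are signed in interactively to the source host; a remote Move-VM fails at the second hop. Constrained delegation scoped to exactly these two services is the least-privilege way to remove that limitation.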
Demonstration: Implementing Live Migration
There is a recorded demonstration of Hyper-V Live Migration which your instructor will play and discuss with you.
Overview of Hyper-V Replica
Windows Server 2012 introduces Hyper-V Replica, a feature that enables you to replicate virtual machines between hosts, storage systems, clusters, and data centers in different sites. Hyper-V Replica can be used to assist disaster recovery scenarios for your organization. In this lesson, you will learn how Hyper-V makes it easier and less expensive to plan and implement business continuity and disaster recovery solutions for your virtual machines.
When you implement high availability, you have one instance of a virtual machine.
Note: High availability does not prevent corruption of software running inside the virtual machine.
To help protect this single virtual machine against the loss of its host or site, you can implement Hyper-V Replica technology in Windows Server 2012. This technology enables virtual machines running at a primary site, location, or host to be efficiently replicated to a secondary site, location, or host across a wide area network (WAN) or LAN link. Hyper-V Replica enables you to have two instances of a single virtual machine residing on different hosts, one as the primary (live) copy and the other as a replica (offline) copy. These copies are synchronized, and you can fail over at any time. In the event of a failure at a primary site, such as fire, natural disaster, power outage, or server failure, an administrator can use Hyper-V Manager to execute a failover of production workloads to replica servers at a secondary location within minutes, thus incurring minimal downtime. Hyper-V Replica enables an administrator to restore virtualized workloads to a point in time depending on the Recovery History selections for the virtual machine.
Hyper-V Replica technology consists of several components:
Change Tracking. This component tracks changes that are happening on the primary copy of the virtual machine. It is designed to make the scenario work regardless of where the virtual machine VHD file or files reside.
Network Module. The Networking Module provides a secure and efficient way to transfer virtual machine replicas between the primary host and a replica host. Data compression is enabled by default. The default Kerberos authentication (HTTP) authenticates the hosts but does not encrypt the replicated data on the wire; this communication can also be secured by using HTTPS and certificate-based authentication, which encrypts the data in transit.
How to Configure Hyper-V Replica
Before you implement Hyper-V Replica technology, ensure that these prerequisites are met:
The server hardware supports the Hyper-V role on Windows Server 2012.
Network connectivity exists between the locations hosting the primary and replica servers. This can be a WAN or LAN link.
Optionally, an X.509v3 certificate exists to support mutual authentication with certificates.
You do not have to install Hyper-V Replica separately because it is not a Windows Server role or feature. Hyper-V Replica is implemented as part of the Hyper-V role. It can be used on Hyper-V servers that are stand-alone or servers that are part of a failover cluster, in which case you should configure the Hyper-V Replica Broker. Unlike failover clustering, Hyper-V Replica is not dependent on Active Directory Domain Services (AD DS) when you use certificate-based authentication; Kerberos authentication requires the primary and replica servers to be in the same or trusted domains. You can use it with Hyper-V servers that are stand-alone, or that are members of different Active Directory domains, except in cases when servers are part of a failover cluster.
To enable Hyper-V Replica technology, you should first configure Hyper-V server settings. In the Replication Configuration group of options, you should enable the Hyper-V server as a replica server, and you should also select authentication and port options. You should also configure authorization options. You can choose to enable replication from any server that successfully authenticates (which is convenient in scenarios where all servers are part of the same domain), or you can type the fully qualified domain names (FQDNs) of the primary servers from which you accept replication. Also, you must configure the location for replica files. These settings should be configured on each server that will serve as a replica server.
After you configure options at the server level, you should enable replication on a virtual machine. During this configuration, you must specify a replica server name and options for connection. You can select which VHD drives you replicate (in case the virtual machine has more than one VHD), and you can also configure Recovery History and an initial replication method. After you have configured these options, you can start replication.
There is a recorded demonstration of Hyper-V Replica which your instructor will play and discuss with
you.
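The following Windows PowerShell is an added example, not part of the course material, that performs the Hyper-V Replica configuration described above in the order the text gives: replica server settings and authorization first, then replication on a virtual machine, then initial replication and monitoring. The replica host hvdr.contoso.com, the primary host hv1.contoso.com, the storage paths, the trust group ContosoProd, the certificate subject and the excluded swap disk are hypothetical.

```powershell
# Added example; not part of the course material. Host names, paths, the trust group name, the
# certificate subject and the excluded disk are hypothetical. Run each part on the host named
# in its heading.

# ---- Replica server (HVDR) -------------------------------------------------------------
# Kerberos over HTTP (port 80) authenticates the primary host but does not encrypt the replicated
# data; over an untrusted link use certificate authentication (HTTPS, port 443) instead.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false `
    -DefaultStorageLocation 'R:\Replicas'

# Authorize only the named primary. Hosts that share a trust group (for example the nodes of one
# cluster) may move a replicating VM between themselves without breaking replication.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'hv1.contoso.com' `
    -ReplicaStorageLocation 'R:\Replicas\HV1' -TrustGroup 'ContosoProd'

# Enabling the listener does not open the firewall; the inbox rule has to be turned on.
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# Certificate-based alternative (mutual authentication, data encrypted in transit). The
# certificate must be trusted by both sides and allow server and client authentication.
#   $thumb = (Get-ChildItem Cert:\LocalMachine\My |
#             Where-Object { $_.Subject -eq 'CN=hvdr.contoso.com' }).Thumbprint
#   Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
#       -CertificateThumbprint $thumb -CertificateAuthenticationPort 443 `
#       -ReplicationAllowedFromAnyServer $false -DefaultStorageLocation 'R:\Replicas'
#   Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# ---- Primary server (HV1) --------------------------------------------------------------
# Replicate WEB1 with 4 additional hourly recovery points, an application-consistent (VSS)
# point every 4 hours, and the swap disk excluded from replication.
Enable-VMReplication -VMName 'WEB1' -ReplicaServerName 'hvdr.contoso.com' -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -CompressionEnabled $true `
    -RecoveryHistory 4 -VSSSnapshotFrequency 4 `
    -ExcludedVhdPath 'D:\VMs\WEB1\Disks\web1-swap.vhdx'

# Initial replication over the network, starting now. -InitialReplicationStartTime defers it to
# off-hours; -DestinationPath exports the initial copy to removable media instead.
Start-VMInitialReplication -VMName 'WEB1'

# Monitor: State should reach Replicating and Health should be Normal.
Get-VMReplication -VMName 'WEB1'
Measure-VMReplication -VMName 'WEB1'
```

Leaving replication allowed from any authenticated server is convenient inside one domain, as the text says, but it means every domain-joined Hyper-V host can push virtual machines into the replica server's storage; the explicit authorization entry above limits that to the hosts you name. When the replica side is a failover cluster, configure the Hyper-V Replica Broker role first and point the primary at the broker's client access point name rather than at an individual node.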
Windows Server 2012 introduces storage enhancements that are beneficial for Microsoft Hyper-V Server 2012, including:
Virtual Hard Disk X (VHDX), which is a new file format for virtual machines. VHDX offers a number of advantages when compared with virtual hard disk (VHD), including better management for large files and improved alignment of the disk format.
SMB 3.0, which is a storage and access protocol that enables Hyper-V to access virtual machine
configuration files, VHD files, and snapshots when they are stored in shared folders.
Offloaded Data Transfer (ODX), which is a new feature that optimizes copying large amounts of
data from one location to another.
The Hyper-V virtual switch is an extensible virtual switch that can help hosting providers support
multi-tenant environments.
Network Virtualization allows you to isolate virtual machines from different organizations from
each other, even though they share the same Hyper-V host.
Virtual Network Adapters allow the virtual machine guest operating system to communicate
using the virtual switches that you configure using virtual switch manager.
Windows Server 2012 introduces Hyper-V Replica, a feature that enables you to replicate virtual
machines between hosts, storage systems, clusters and data centers in different sites. Hyper-V Replica
can be used to provide disaster recovery for your organization.
Windows Server 2012 introduces new technologies to enable seamless virtual machine movement. Moving virtual machines from one location to another is a relatively common procedure in the administration of Hyper-V environments. Windows Server 2012 enables you to migrate virtual machines with no interruption to service and no downtime.
Review Questions
Question: What are the benefits of the new VHDX format?
Question: What does network virtualization enable you to do?
Question: What are the prerequisites of implementing Hyper-V Replica?
Question: What are the requirements for Live Migration in Windows Server 2012?
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.