
Exam Preparation:
70-741: Networking with Windows Server 2016 (In development)
George Dobrea
MCT, MVP
> whoami
George Dobrea
XEduco
gdobrea@xeduco.net | @gdobrea

Microsoft Certified Trainer (since 1998)


MVP – Enterprise Security (since 2005)
EC-Council Instructor of the Year (2016)
> Get-Content

Session Objective(s):
• Certification Overview
• Exam preparation per section
• Describe key 70-741 exam objectives
• Prepare more effectively using the available study material
• Relate practical Windows Server 2016 experience to the exam
• Identify areas that may require extra studying
• Action plan for exam preparation and success

Why certify?
MCSA Windows Server 2016 certification path
MCSA: Windows Server 2016 requires the three exams below, or the single upgrade exam:
• Exam 70-740: Installation, Storage and Compute with Windows Server 2016 (Course 20740A)
• Exam 70-741: Networking with Windows Server 2016 (Course 20741A)
• Exam 70-742: Identity with Windows Server 2016 (Course 20742A)
OR
• Exam 70-743: Upgrading Your Skills to MCSA: Windows Server 2016 (Course 20743A)
Cloud Platform & Infrastructure Cert Path
MCSA Windows Server 2012:
• 410: Installing and Configuring Windows Server 2012
• 411: Administering Windows Server 2012
• 412: Configuring Advanced Windows Server 2012 Services
MCSA Windows Server 2016:
• 740: Installation, Storage, and Compute with Windows Server 2016
• 741: Networking with Windows Server 2016
• 742: Identity with Windows Server 2016
MCSA Linux on Azure:
• 533: Managing Microsoft Azure Infrastructure Solutions
• LFCS: Linux Foundation Certified System Administrator
MCSA Cloud Platform, choose two from:
• 532: Developing Microsoft Azure Solutions
• 533: Managing Microsoft Azure Infrastructure Solutions
• 534: Architecting Microsoft Azure Solutions
• 473: Designing and Implementing Cloud Data Platform Solutions
• 475: Designing and Implementing Big Data Analytics Solutions
MCSE: Cloud Platform & Infrastructure (earned: 2016) = one of the MCSAs above + one elective exam
ELECTIVE EXAM POOL (SEPTEMBER 2016):
• 532: Developing Microsoft Azure Solutions
• 533: Managing Microsoft Azure Infrastructure Solutions
• 534: Architecting Microsoft Azure Solutions
• 473: Designing and Implementing Cloud Data Platform Solutions
• 475: Designing and Implementing Big Data Analytics Solutions
• 744: Securing Windows Server 2016
• 413: Designing and Implementing a Server Infrastructure
• 414: Implementing an Advanced Server Infrastructure
• 246: Monitoring and Operating a Private Cloud
• 247: Configuring and Deploying a Private Cloud
My first advice to you…
70-741 Exam Objectives
1. Implement Domain Name System (DNS)
2. Implement DHCP
3. Implement IP Address Management (IPAM)
4. Implement Network Connectivity and Remote Access Solutions
5. Implement Core and Distributed Network Solutions
6. Implement an Advanced Network Infrastructure
01 | Implement Domain Name System (DNS) (15-20%)
• Install and configure DNS servers
• Determine DNS installation requirements
• Determine supported DNS deployment scenarios on Nano Server
• Install DNS
• Configure forwarders, configure Root Hints, configure delegation
• Implement DNS policies
• Implement DNS global settings using Windows PowerShell
• Configure Domain Name System Security Extensions (DNSSEC)
• Configure DNS Socket Pool, configure cache locking
• Enable Response Rate Limiting
• Configure DNS-based Authentication of Named Entities (DANE)
• Configure DNS logging
• Configure delegated administration
• Configure recursion settings
• Implement DNS performance tuning
• Configure global settings using Windows PowerShell
DNS on Nano Server
To use Nano Server as a DNS Server:
• Install the NanoServer Package
• Create a VHD with the Microsoft-NanoServer-DNS-Package
• Import the VHD into Hyper-V as a virtual machine
• Configure networking settings and enable the remote management firewall ports
• Connect remotely to the server running Nano Server by using Windows PowerShell 5.0 on a Windows client or a server
• Run the command Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role
• Manage DNS remotely by using the Windows PowerShell 5.0 DNS commands
Implementing DNS security
DNS security feature: Description
• DNS cache locking: Prevents entries in the cache from being overwritten until a percentage of the TTL has expired
• DNS socket pool: Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012.
• DANE (DNS-based Authentication of Named Entities): Uses TLSA records that state the CA from which clients should expect a certificate
• DNSSEC: Enables cryptographically signing DNS records so that client computers can validate responses
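The settings in the table above, applied and read back with the DnsServer module, as an added example that is not part of the original slides. It assumes an elevated session on a Windows Server 2016 DNS server; the zone name is a placeholder.

```powershell
# Added example (not from the original slides): apply the DNS security settings
# the table describes, then read them back. Assumes an elevated session on the
# DNS server; "corp.example.test" is a placeholder zone name.
Import-Module DnsServer

$Zone = "corp.example.test"   # placeholder zone name

# 1. Cache locking: a cached entry cannot be overwritten until 100% of its TTL
#    has expired, so an injected answer cannot replace a still-valid one.
Set-DnsServerCache -LockingPercent 100
Get-DnsServerCache | Format-List LockingPercent

# 2. Socket pool: the pool of randomized source ports used for outbound queries.
#    Default is 2500; the maximum of 10000 makes source-port guessing harder.
#    dnscmd sets it; Get-DnsServerSetting -All shows the value.
dnscmd /Config /SocketPoolSize 10000 | Out-Null
"Socket pool size: $((Get-DnsServerSetting -All).SocketPoolSize)"

# 3. Response Rate Limiting (new in Windows Server 2016): throttles repeated
#    identical responses to one client subnet, which blunts the server's use
#    as an amplifier. Start in LogOnly mode and watch the event log before
#    switching to -Mode Enable.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force
Get-DnsServerResponseRateLimiting | Format-List Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec

# 4. Recursion: only for an Internet-facing authoritative server. An open
#    recursive resolver is abused for amplification; an internal resolver or a
#    domain controller must keep recursion on or clients stop resolving.
Set-DnsServerRecursion -Enable $false

# 5. DNSSEC: sign the zone with the default KSK/ZSK settings so validating
#    clients (NRPT rules requiring validation) can detect tampered answers.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force
Get-DnsServerSigningKey -ZoneName $Zone | Format-Table KeyType, CryptoAlgorithm, KeyLength

# 6. Logging: audit events are on by default in Windows Server 2016; the
#    analytical (per-query) channel must be enabled explicitly and is the
#    source for troubleshooting and forensics. It is high volume on busy servers.
wevtutil sl "Microsoft-Windows-DNSServer/Analytical" /e:true

# The socket pool change takes effect only after the DNS service restarts.
Restart-Service -Name DNS
```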
• Create and configure DNS zones and records
• Create primary zones; configure Active Directory integration of primary zones
• Create and configure secondary zones
• Create and configure stub zones
• Configure a GlobalNames zone
• Analyze zone-level statistics
• Create and configure DNS Resource Records (RR), including A, AAAA, PTR, SOA, NS, SRV, CNAME,
and MX records
• Configure zone scavenging
• Configure record options, including Time To Live (TTL) and weight
• Configure round robin
• Configure secure dynamic updates
• Configure unknown record support
• Use DNS audit events and analytical (query) events for auditing and troubleshooting; configure Zone Scopes
• Configure records in Zone Scopes
• Configure policies for zones
Install & Configure DNS
DNS Terminology that you should know…
• DNS = Host Name Resolution
• Forward and reverse lookups
• Types of DNS zones
• Primary, secondary, Active Directory-Integrated, and stub zones
• For AD-Integrated, what is the domain partition, forestDNSZone, and domainDNSZone?
• Records = SOA, NS, A, CNAME, PTR, SRV, and MX
Configure DNS zones
Configure stub zones
• Stub zone used to identify authoritative DNS servers for a zone – useful in a merger/acquisition
• Watch for scenarios that offer stub zone and conditional forwarding as potential solutions
• Stub zones best when needing to dynamically maintain authoritative DNS servers for child zone
Configure conditional forwarders
• Forwards to specific DNS servers which can then build up a cache for efficient resolution
• Often the best solution for merger/acquisition but can also speed up internal name resolution
Configure zone and conditional forward storage in Active Directory
• DNS must be a domain controller, zone must be primary/stub/conditional
• Replication – all DNS + DCs in forest, all DNS + DCs in domain, all DCs in domain, all DCs in partition
Configure zone delegation
• Key scenarios – delegate management, distribute load/improve perf/fault tolerance
Configure DNS records
Create and configure Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
• Know that AAAA is the IPv6 equivalent of the A record
• Use dnscmd /recordadd for mass record creation (or PowerShell)
• Add-DnsServerResourceRecord -A -Name "test" -ZoneName "woodgrovebank.com" -IPv4Address 172.16.1.200
Configure zone scavenging
• Must enable at server level and at zone level (watch for troubleshooting scenarios or choose all)
• Must also be enabled at resource record level (by default it is, but watch for troubleshooting)
• Cleans up dynamic records only (not static)
Configure record options including TTL and weight
• TTL default is 1 hour – can be updated at zone level or individual resource record level
DNS policies – new in Windows Server 2016
• You create DNS policies to control how a DNS Server handles queries based on different parameters
DNS policy scenarios:
• Application high availability
• Traffic management
• Split brain DNS
• Filtering
• Forensics
DNS policy objects:
• Client subnet
• Recursion scope
• Zone scope
Use Windows PowerShell to create and manage DNS policies
https://technet.microsoft.com/en-us/windows-server-docs/networking/dns/deploy/dns-policies-overview
Split-Brain DNS Deployment Using Windows DNS Server Policies
# Create a zone scope named "internal" in contoso.com; the default scope keeps the public records
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "internal"

# Same name, public address in the default zone scope ...
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "65.55.39.10"

# ... and the internal address in the "internal" zone scope
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "10.0.0.39" -ZoneScope "internal"

# Queries that arrive on the internal interface 10.0.0.56 are answered from the "internal" scope
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterface "eq,10.0.0.56" -ZoneScope "internal,1" -ZoneName contoso.com
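Two further scenarios from the DNS policy list above, filtering and split-brain recursion, as an added example that is not part of the original slides. It keeps the slide's internal interface 10.0.0.56; the client subnet 203.0.113.0/24 and the blocked name are constructed placeholders.

```powershell
# Added example (not from the original slides): DNS policy objects for the
# "Filtering" scenario and a recursion scope for split-brain recursion.
# Assumptions: 10.0.0.56 is the internal-facing interface as on the slide;
# 203.0.113.0/24 (documentation range) stands in for a known-abusive subnet;
# *.malware.example.test is a placeholder name to block.
Import-Module DnsServer

# Filtering by source: queries from the subnet are silently dropped (IGNORE).
# Dropping, rather than refusing, also gives a spoofed-source amplification
# attempt nothing to reflect. ProcessingOrder 1 puts it ahead of other policies.
Add-DnsServerClientSubnet -Name "AbusiveClients" -IPv4Subnet "203.0.113.0/24"
Add-DnsServerQueryResolutionPolicy -Name "DropAbusiveClients" -Action IGNORE `
    -ClientSubnet "EQ,AbusiveClients" -ProcessingOrder 1

# Filtering by name: refuse resolution of a known-bad domain for all clients.
# DENY returns a refusal so client-side troubleshooting shows why it failed.
Add-DnsServerQueryResolutionPolicy -Name "BlockKnownBadName" -Action DENY `
    -Fqdn "EQ,*.malware.example.test"

# Split-brain recursion: recurse only for internal clients. The default
# recursion scope is named "."; turn recursion off there, create a scope that
# allows it, and bind that scope to queries arriving on the internal NIC.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $true
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursion" -Action ALLOW `
    -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,10.0.0.56"

# Review: policies are evaluated in ProcessingOrder and the first match wins,
# so the drop rule must sit above any ALLOW rule.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action, IsEnabled
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion
```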
Key Tips to Remember
• Always use host names instead of NetBIOS names.
• Use forwarders rather than root hints.
• Be aware of potential caching issues when you troubleshoot name resolution.
• Use Active Directory–integrated zones instead of primary and secondary zones.
• Use GlobalNames zone when you must have single-name entities.
• Use DNS policies to fine-tune client name resolution and zone transfers.
Example question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoys.com. The record points to 10.10.5.254. Forward name resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to www2.tailspintoys.com.

What should you do?

A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
D. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.
02 | Implement DHCP (15-20%)
• Install and configure DHCP
• Install and configure DHCP servers, authorize a DHCP server
• Create and configure scopes, create and configure superscopes and multicast scopes
• Configure a DHCP reservation, configure DHCP options
• Configure DNS options from within DHCP
• Configure policies
• Configure client and server for PXE boot
• Configure DHCP Relay Agent, Implement IPv6 addressing using DHCPv6
• Perform export and import of a DHCP server
• Perform DHCP server migration
Install and Configure DHCP Service
• Understand the DHCP options available
Implement an advanced DHCP solution
Create and configure superscopes
• Handles multiple networks
• Add-DhcpServerv4Superscope
Create and configure multicast scopes
• Stream packets
DHCPv6
• Stateful and stateless configurations
• Add-DhcpServerv6Scope -Name "Name" -Prefix <Address>
Windows Server 2016 DHCP Server role no longer supports NAP!
• Manage and maintain DHCP
• Configure a lease period
• Back up and restore the DHCP database
• Configure high availability using DHCP failover
• Configure DHCP name protection
• Troubleshoot DHCP
What is DHCP failover?
DHCP failover:
• Enables two DHCP servers to provide IP addresses and optional configurations to the same subnets or scopes
• Requires failover relationships to have unique names
• Supports the hot standby mode and the load sharing mode
When you use DHCP failover:
• The MCLT determines when a failover partner assumes control of the subnet or scope
• The auto state switchover interval determines when a failover partner is considered to be down
• Message authentication can validate the failover messages
• Firewall rules are auto-configured during DHCP installation
What are DHCP security options?
Limit physical access to the network by:
• Disconnecting unused LAN drops
• Requiring authenticated layer 2 connections
Enable DHCP auditing to track DHCP usage
DHCP name protection:
• Prevents Windows operating systems from having their DNS name registration overwritten by non-Windows operating systems using the same name
• Uses a DHCID resource record to track the devices that originally requested the DNS name registration
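A hot-standby failover relationship plus the name-protection and audit settings described above, as an added example that is not part of the original slides. Server names, the scope and the audit path are placeholders; the shared secret is read at run time.

```powershell
# Added example (not from the original slides): hot-standby DHCP failover with
# message authentication, DHCP name protection and audit logging.
# Assumptions: DHCP1/DHCP2 are placeholder server names, scope 10.10.0.0 already
# exists on DHCP1, and both servers are authorized in AD DS.
Import-Module DhcpServer

$Primary = "DHCP1.corp.example.test"   # placeholder
$Partner = "DHCP2.corp.example.test"   # placeholder
$ScopeId = "10.10.0.0"
$Secret  = Read-Host -Prompt "Failover shared secret"   # never hard-code it

# Hot standby: DHCP1 stays active, DHCP2 holds 10% of the range in reserve.
# MaxClientLeadTime is the MCLT: the longest lease a partner may hand out for
# the other server's addresses before it takes control. AutoStateTransition
# plus StateSwitchInterval is the auto state switchover: after 30 minutes
# without contact the partner is treated as down. The shared secret turns on
# message authentication so a rogue host cannot inject failover messages.
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner `
    -Name "HQ-HotStandby" -ScopeId $ScopeId -ServerRole Active -ReservePercent 10 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true `
    -StateSwitchInterval 00:30:00 -SharedSecret $Secret

# Scope settings are not kept in sync automatically after later edits;
# push them to the partner explicitly.
Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name "HQ-HotStandby" -Force

# Name protection: the server registers a DHCID record with the A record, so a
# non-Windows client reusing the host name cannot overwrite the registration.
Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId -NameProtection $true

# Audit log: lease and server events for troubleshooting and forensics.
Set-DhcpServerAuditLog -ComputerName $Primary -Enable $true -Path "C:\DHCPAudit"   # placeholder path

# Verify from both sides: Mode should read HotStandby, State Normal on each.
Get-DhcpServerv4Failover -ComputerName $Primary | Format-List Name, Mode, State, ServerRole, MaxClientLeadTime
Get-DhcpServerv4Failover -ComputerName $Partner | Format-List Name, State, ServerRole
```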
Example question
You are the system administrator for Fabrikam, Inc. You have a main office, a single DHCP server, and a single DHCP scope. You need to configure DHCP for high availability.

What should you do? (Choose all that apply.)

A. Add the Failover Cluster feature.
B. Add the Network Load Balancing feature.
C. Add the DHCP Server to the failover cluster.
D. Configure NLB for network affinity.
E. Deploy a new server.
F. Add the DHCP role.
03 | Implement IP Address Management (IPAM) (15-20%)
• Install and configure IP Address Management (IPAM)
• Provision IPAM manually or by using Group Policy
• Configure server discovery
• Create and manage IP blocks and ranges
• Monitor utilization of IP address space
• Migrate existing workloads to IPAM
• Configure IPAM database storage using SQL Server
• Determine scenarios for using IPAM with System Center Virtual Machine Manager
for physical and virtual IP address space management
• Manage DNS and DHCP using IPAM
• Manage DHCP server properties using IPAM
• Configure DHCP scopes and options
• Configure DHCP policies and failover
• Manage DNS server properties using IPAM
• Manage DNS zones and records
• Manage DNS and DHCP servers in multiple Active Directory forests
• Delegate administration for DNS and DHCP using role-based access control (RBAC)
• Audit IPAM
• Audit the changes performed on the DNS and DHCP servers
• Audit the IPAM address usage trail
• Audit DHCP lease events and user logon events
IP Address Management (IPAM)
• Inbox feature for integrated management of IP addresses, domain names, and device identities
• Tightly integrates with Microsoft DNS and DHCP servers
• Provides custom IP address space display, reporting, and management
• Audits server configuration changes and tracks IP address use
• Migrates IP address data from spreadsheets or other tools
• Monitors and manages specific scenario-based DHCP and DNS services
Figure: IPAM distributed architecture. Domains corp.woodbridge.com, europe.corp.woodbridge.com and fareast.corp.woodbridge.com; an IPAM server at each site (Redmond head office; UK, Hyderabad and Bangalore branch offices), each managing that site's DHCP, DNS, DC and NPS servers.
Windows Server 2016 IPAM
Unified IP address management:
• IP addressing management of physical and virtual networks (SCVMM integration)
• IP utilization & trend
• Integrated IP addressing, DNS and DHCP management
Delegated admin, audit & visibility:
• Tracking activity of IP address/user/mc
• Audit config
• Granular RBAC to manage IP address space, DHCP & DNS
• Delegated administration within and across datacenters
Scale, robustness & automation:
• Disaster Recovery
• Multiple instance deployment
• SQL Server database
• Extensive PS support
• Cross AD Support
Network services management:
• Automatic server discovery
• Single console DHCP and DNS management across datacenters
• Management of granular DNS properties
IP Address Management
Configure IPAM
• Requirements: IPAM server must be a member server, cannot be a DC
• Trivia: if you install IPAM on a DHCP server, then IPAM won't discover any DHCP servers
• Distributed, Centralized, and Hybrid
• Database not shared between servers
Server discovery
• What can be discovered? DCs, DNS servers, DHCP servers, NPS servers
• Manage or not
• Windows Internal Database and external database (SQL) supported
• Windows Server 2016: IPAM supports multiple Active Directory forests when there is a two-way trust relationship between the forest where IPAM is installed and each of the remote forests
04 | Implement Network Connectivity and Remote Access Solutions (25-30%)
• Implement network connectivity solutions
• Implement Network Address Translation (NAT)
• Configure routing
• Implement virtual private network (VPN) and DirectAccess solutions
• Implement remote access and site-to-site (S2S) VPN solutions using remote access gateway
• Configure different VPN protocol options
• Configure authentication options
• Configure VPN reconnect
• Create and configure connection profiles
• Determine when to use remote access VPN and site-to-site VPN and configure appropriate protocols
• Install and configure DirectAccess
• Implement server requirements
• Implement client configuration
• Troubleshoot DirectAccess
VPN and Routing
Install and configure the Remote Access role
1. Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
2. Run the Configure and Enable Routing and Remote Access wizard
Implement Network Address Translation (NAT)
• Need two interfaces prior to enabling via the wizard
Configure VPN settings
• For SSTP, need to select the proper SSL certificate post install
Configure remote dial-in settings for users
• Default in AD is "Control access through NPS Network Policy"
• Need to adjust the policy or create a new policy in order to allow users in
Configure Web Application Proxy
• Configure Web Application Proxy in pass-through mode
What is Web Application Proxy?
Web Application Proxy:
• Was introduced in Windows Server 2012 R2
• Is a reverse web proxy functionality
• Uses AD FS proxy functionality
• Is located in a perimeter network
Figure: client devices on the Internet reach the Web Application Proxy in the perimeter network through the outer firewall; behind the inner firewall, on the corporate network, are AD FS, AD DS, LOB applications and Microsoft applications.
Example question
You are configuring a web application proxy (WAP) to provide external access to corporate
applications. Users will typically be using untrusted internet connections outside the corporate
firewall.
You need to configure Active Directory Federation Services ( AD FS) to protect applications
from unauthorized access. The configuration must meet the following requirements:
User credentials cannot be sent as part of the authentication request.
All users will access the applications by using a private computer secured by the user's local
credentials.
The most secure authentication method should be chosen.
Which type of authentication should you use?

A. Windows
B. Username
C. Basic
D. Certificate
How DirectAccess works for internal clients
Figure: components shown are the internal client computer with its NRPT and connection security rules, the DirectAccess server, the network location server, the Active Directory domain controller, the DNS server, the CRL distribution point, Internet websites, and internal network resources.
How DirectAccess works for external clients
Figure: components shown are the external client computers with their NRPT and connection security rules, the DirectAccess server, Internet websites, and behind it the intranet infrastructure: Active Directory domain controller, DNS server, and internal network resources.
DirectAccess
Implement server requirements
• No longer requires PKI (can use Kerberos proxy over HTTPS instead along with port 443)
• New simplified deployment but then won’t get force tunneling, Network Access Protection (NAP) integration, or two-factor authentication
• Can use a single NIC card behind NAT (Windows Server 2012 required)
• Remote access servers and all client computers must be domain members
• IPv6 not required and IPv6 transition technologies are used (however, IPv6 = best performance)
• If using internal CA or self-signed certificate, CRL distribution point must be available externally
Implement client configuration
• Need to have security groups in place and then create GPOs
DirectAccess offline domain join
• Join a domain without physical or VPN connection
• Implement Network Policy Server (NPS)
• Configure a RADIUS server including RADIUS proxy
• Configure RADIUS clients
• Configure NPS templates
• Configure RADIUS accounting
• Configure certificates
• Configure Connection Request Policies
• Configure network policies for VPN and wireless and wired clients, import and export NPS policies
Configure NPS
Configure multiple RADIUS server infrastructures
• 5 parts: access clients, access servers, NPS servers, NPS proxies, user account DBs
Configure RADIUS clients
• Required: shared secret, friendly name, FQDN or IP; optional is vendor info (e.g. Cisco)
Manage RADIUS templates
• Watch for questions involving administrative overhead as that may indicate the creation of a template or use of an existing template.
Configure RADIUS accounting
• Can log to SQL DB, text file on local computer, both simultaneously, or SQL with text file logging for failover (if SQL logging fails, continue to log via text file)
• If logging stops (out of disk, SQL down), users can’t get in (watch for situations that call out default install and sudden loss of functionality: could be out of disk space, consider moving logging to non-system disk)
Network Policy Server policies
Policy evaluation flow (from the flowchart):
1. START: Are there policies to process? No: reject the connection attempt. Yes: go to step 2.
2. Does the connection attempt match the policy conditions? No: go to the next policy (step 1). Yes: go to step 3.
3. Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt. No: go to step 4.
4. Is the remote access permission for the user account set to Allow Access? Yes: go to step 6. No: go to step 5.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt. No: go to step 6.
6. Does the connection attempt match the user object and profile settings? Yes: accept the connection attempt. No: reject the connection attempt.
Configure NPS policies
Configure connection request policies
• Policies have conditions such as connection type, day/time, network, computer
• Useful to authenticate an untrusted domain (proxy policy first in the policy order) while still authenticating locally via NPS (to AD DS)
• If no local processing by NPS, then the server is a proxy (can forward to one place or multiple)
Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
• Watch for default installation questions
• Can use IP filters to enhance security, limit traffic type (IPv4 and IPv6)
Manage NPS templates
• Can use templates for shared secrets, RADIUS clients, RADIUS servers, IP filter, health policies, and remediation server groups (minimize administrative overhead, speed up deployment)
• Can export templates to .XML file and import to another server
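RADIUS client registration, the accounting-log disk check the slides warn about, and NPS configuration export, as an added example that is not part of the original slides. Client names, addresses and the output path are constructed placeholders; the shared secret is read at run time.

```powershell
# Added example (not from the original slides): register RADIUS clients with the
# required attributes, check the accounting log volume, export the NPS config.
# Assumptions: elevated session on the NPS server; names/addresses/path are
# placeholders; the vendor value only affects vendor-specific attributes.
Import-Module NPS

# Constructed list of access servers (a VPN gateway and a wireless controller).
$Clients = @(
    @{ Name = "VPN-GW1"; Address = "10.0.0.20"; Vendor = "RADIUS Standard" },
    @{ Name = "WLC-01";  Address = "10.0.0.30"; Vendor = "Cisco" }
)
$Secret = Read-Host -Prompt "RADIUS shared secret"   # required; never hard-code

foreach ($c in $Clients) {
    # Required per the slide: shared secret, friendly name, FQDN or IP address.
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $Secret -VendorName $c.Vendor
}
Get-NpsRadiusClient | Format-Table Name, Address, VendorName, Enabled

# Accounting failure mode from the slide: with the default text-file logging,
# NPS rejects connections once it can no longer write the log. The default log
# folder is under %SystemRoot%\System32\LogFiles, so watch the system drive.
function Test-NpsLogDiskSpace {
    param([int]$MinFreeMB = 1024)
    $drive  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeMB = [math]::Round($drive.FreeSpace / 1MB)
    if ($freeMB -lt $MinFreeMB) {
        Write-Warning ("Only {0} MB free on {1}: move RADIUS accounting to a non-system disk " +
                       "or use SQL logging with text-file failover.") -f $freeMB, $env:SystemDrive
        return $false
    }
    return $true
}
Test-NpsLogDiskSpace

# Export/import of the NPS configuration (policies, templates, clients). The
# XML holds the shared secrets in clear text: restrict the file's ACL and
# delete it once it has been imported on the target server.
$Export = "C:\Temp\nps-config.xml"   # placeholder path
Export-NpsConfiguration -Path $Export
# On the target server: Import-NpsConfiguration -Path $Export
```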
05 | Implement Core and Distributed Network Solutions (10-15%)
• Implement IPv4 and IPv6 addressing
• Configure IPv4 addresses and options
• Determine and configure appropriate IPv6 addresses
• Configure IPv4 or IPv6 subnetting
• Implement IPv6 stateless addressing
• Configure interoperability between IPv4 and IPv6 by using ISATAP, 6to4, and Teredo scenarios
• Configure Border Gateway Protocol (BGP)
• Configure IPv4 and IPv6 routing
Configure IPv4 and IPv6 Addressing
Important factors to know about Addressing…
• Understand IPv4 Subnetting & Supernetting
• Understand IPv6 Addressing
• Assign an IPv6 address and check the route (route print)

Tunneling
• Automatic or Manual Configuration
• 6to4
• ISATAP
• Teredo
• PortProxy
• Implement Distributed File System (DFS) and Branch Office solutions
• Install and configure DFS namespaces
• Configure DFS replication targets
• Configure replication scheduling
• Configure Remote Differential Compression (RDC) settings
• Configure staging
• Configure fault tolerance
• Clone a Distributed File System Replication (DFSR) database
• Recover DFSR databases
• Optimize DFS Replication
• Install and configure BranchCache
• Implement distributed and hosted cache modes
• Implement BranchCache for web, file, and application servers
• Troubleshoot BranchCache
Planning for DFS
Figure: namespace \\Contoso.com\Marketing with two folder targets, \\NYC-SRV-01\ProjectDocs (server in New York) and \\LON-SRV-01\ProjectDocs (server in London), kept in sync by DFS Replication; a user in New York and a user in London are each referred to their local server.
1. User enters: \\contoso.com\marketing. Client computers contact a namespace server and receive a referral
2. Client computers cache the referral and then contact the first server in the referral
Optimizing namespaces and replication
You can optimize DFS by:
• Disabling referrals to a folder
• Specifying referral cache duration
• Configuring namespace polling
• Configuring replication groups
• Creating multiple replicated folders
• Modifying replication topology
• Cloning a DFSR database for initial replication: preseeding the files (Robocopy, Windows Backup)
Monitoring and troubleshooting DFS
Tool: Use
• Health Report: Report replication statistics and general health of the topology
• Propagation Test: Generate a test file to verify replication
• Propagation Report: Report on the propagation test and provide replication statistics
• Verify Topology: Report on the current status of the members of the topology
• Dfsrdiag.exe: Monitor replication state of the DFS replication service
• Windows PowerShell: Configure, monitor, and
Understanding BranchCache modes
Figure: a head office serving two branch offices, one running Hosted Cache Mode and one running Distributed Cache Mode.
Example question
You are a system administrator for Contoso, Ltd. You have a main office and a branch office. The main office has a single file server. The branch office does not have a secure facility to house servers and has a high latency connection to the main office. You need to improve the performance when branch office users access documents from the file server.

What should you do?

A. Implement BranchCache using the Hosted Cache mode.
B. Implement BranchCache using the Distributed Cache mode.
C. Implement DirectAccess for all branch office users.
D. Implement universal group membership caching for all branch office users.
06 | Implement an Advanced Network Infrastructure (10-15%)
• Implement high performance network solutions
• Implement NIC Teaming or the Switch Embedded Teaming (SET) solution, and identify when to use each
• Enable and configure Receive Side Scaling (RSS)
• Enable and configure network Quality of Service (QoS) with Data Center Bridging (DCB)
• Enable and configure SMB Direct on Remote Direct Memory Access (RDMA) enabled network adapters; enable and configure SMB Multichannel
• Enable and configure virtual Receive Side Scaling (vRSS) on a Virtual Machine Queue (VMQ) capable network adapter
• Enable and configure Virtual Machine Multi-Queue (VMMQ)
• Enable and configure Single-Root I/O Virtualization (SR-IOV) on a supported network adapter
Converged Networking
Figure: Windows Server 2012 R2 host versus Windows Server 2016 host. In 2012 R2 the management OS and the VMs share a Hyper-V vSwitch over a NIC Team of two 10G NICs, with a separate pair of RDMA NICs for host RDMA traffic. In 2016 a single Hyper-V vSwitch with SET spans two RDMA NICs; host vNIC 0, vNIC 1 and vNIC 2 (host RDMA) and the VM vNICs all share it.
• DCB policies configured for Mgmt, Storage, Migration & Clustering traffic
• Utilizes SMB Multichannel & SMB Direct
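The Windows Server 2016 side of the diagram built in PowerShell, as an added example that is not part of the original slides: one vSwitch with SET over two RDMA NICs, host vNICs per traffic class, and DCB so SMB Direct is lossless. Physical adapter names are placeholders; the physical switches are assumed to honour PFC on priority 3.

```powershell
# Added example (not from the original slides): converged networking on Windows
# Server 2016 with Switch Embedded Teaming, host vNICs and DCB for SMB Direct.
# Assumptions: NIC1 and NIC2 are placeholder names of RDMA-capable 10G adapters;
# the top-of-rack switches are set up for PFC on priority 3.

# DCB cmdlets need the Data Center Bridging feature.
Install-WindowsFeature -Name Data-Center-Bridging

# SET: teaming happens inside the vSwitch. The 2012 R2 design needed a separate
# LBFO team (New-NetLbfoTeam), which does not pass RDMA through to host vNICs;
# SET does, which is why one pair of NICs can now carry everything.
New-VMSwitch -Name "ConvergedSwitch" -NetAdapterName "NIC1","NIC2" `
    -EnableEmbeddedTeaming $true -AllowManagementOS $false

# One host vNIC per traffic class named on the slide.
foreach ($name in "Mgmt","Storage1","Storage2","LiveMigration") {
    Add-VMNetworkAdapter -ManagementOS -Name $name -SwitchName "ConvergedSwitch"
}

# Enable RDMA on the storage vNICs so SMB Direct and SMB Multichannel use them.
Enable-NetAdapterRdma -Name "vEthernet (Storage1)","vEthernet (Storage2)"

# DCB: classify SMB Direct (port 445) as priority 3, enable PFC only for that
# priority, reserve half the bandwidth with ETS, and let the host, not the
# switch (DCBX willing = false), own the policy.
New-NetQosPolicy -Name "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3
Enable-NetQosFlowControl -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7
New-NetQosTrafficClass -Name "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS
Set-NetQosDcbxSetting -Willing $false
Enable-NetAdapterQos -Name "NIC1","NIC2"

# Verify: SET members, RDMA state per adapter, and what the SMB client can use.
Get-VMSwitchTeam -Name "ConvergedSwitch"
Get-NetAdapterRdma | Format-Table Name, Enabled
Get-SmbClientNetworkInterface | Format-Table InterfaceIndex, RSSCapable, RdmaCapable, Speed
```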


Virtual switch expanded functionality
The virtual switch improvements in Windows Server 2016 include:
• Extended port ACLs
• Dynamic load balancing
• Coexistence with third-party forwarding extensions
• RSS support on the virtual machine network path
• Network tracing enhancements
• Router guarding
• DHCP guarding
• Trunk mode for virtual machine
• Port mirroring
• VLAN isolation through a Private VLAN
• Extended bandwidth management
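Several of the switch features listed above applied to one tenant VM, as an added example that is not part of the original slides: DHCP guard, router guard, extended port ACLs, and port mirroring to a monitoring VM. VM names are placeholders and the tenant VM is assumed to use a static address.

```powershell
# Added example (not from the original slides): Hyper-V virtual switch
# protections for a tenant VM. Assumptions: "Web01" (the workload) and
# "Monitor01" (a capture VM on the same switch) are placeholder VM names;
# Web01 has a static IP, so no DHCP client traffic needs to be allowed.
Import-Module Hyper-V

$Vm = "Web01"   # placeholder tenant VM

# DHCP guard drops DHCP server replies sent by the VM; router guard drops its
# router advertisements and redirects. Both stop a compromised VM from posing
# as network infrastructure to other VMs on the same switch.
Set-VMNetworkAdapter -VMName $Vm -DhcpGuard On -RouterGuard On

# Extended port ACLs are protocol/port aware and can be stateful. Higher Weight
# takes precedence, so the catch-all deny rules carry the lowest weight and the
# specific allows override them.
Add-VMNetworkAdapterExtendedAcl -VMName $Vm -Action Deny  -Direction Inbound  -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $Vm -Action Deny  -Direction Outbound -Weight 1
# Inbound HTTPS to the web server; stateful, so the replies flow without an
# outbound rule.
Add-VMNetworkAdapterExtendedAcl -VMName $Vm -Action Allow -Direction Inbound  -Weight 10 `
    -Protocol TCP -LocalPort 443 -Stateful $true
# Outbound DNS only; anything else the VM initiates is dropped by the weight-1 rule.
Add-VMNetworkAdapterExtendedAcl -VMName $Vm -Action Allow -Direction Outbound -Weight 10 `
    -Protocol UDP -RemotePort 53 -Stateful $true

# Port mirroring: copy the VM's traffic to the monitoring VM for packet capture
# without installing anything in the workload.
Set-VMNetworkAdapter -VMName $Vm -PortMirroring Source
Set-VMNetworkAdapter -VMName "Monitor01" -PortMirroring Destination

# Review the resulting state.
Get-VMNetworkAdapter -VMName $Vm | Format-List VMName, DhcpGuard, RouterGuard, PortMirroringMode
Get-VMNetworkAdapterExtendedAcl -VMName $Vm |
    Format-Table Direction, Action, Protocol, LocalPort, RemotePort, Weight, Stateful
```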
Network adapter advanced features
Hardware acceleration:
• VMQ
• IPsec task offloading
• SR-IOV
• Determine scenarios and requirements for implementing software-defined networking (SDN)
• Determine deployment scenarios and network requirements for deploying SDN
• Determine requirements and scenarios for implementing Hyper-V Network Virtualization (HNV) using Network Virtualization Generic Route Encapsulation (NVGRE) encapsulation or Virtual Extensible LAN (VXLAN) encapsulation
• Determine scenarios for implementation of Software Load Balancer (SLB) for North-South and East-West load balancing
• Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their use
• Determine requirements and scenarios for distributed firewall policies and network security groups
What is Software Defined Networking?
• Software Defined Networking enables you to:
• Virtualize the network layer in a datacenter
• Define policies for the physical and virtual networks
• Manage the virtualized network infrastructure
• The Microsoft Software Defined Networking solution includes:
• Network Controller
• Hyper-V Network Virtualization
• Hyper-V Virtual Switch
• RRAS Multitenant Gateway
• NIC Teaming
• System Center Operations Manager
• System Center Virtual Machine Manager
• Windows Server Gateway
What is network virtualization?
Figure: server virtualization places a test virtual machine and a production virtual machine on one physical server; network virtualization places a test network and a production network on one physical network.
Server virtualization:
• Multiple virtual machines on the same physical server
• Each virtual machine is isolated from others
Network virtualization:
• Multiple virtual networks on the same physical network
• Each virtual network is isolated from others
What is Generic Route Encapsulation?
Figure: two tenants both use customer addresses (CA) 10.1.1.11 and 10.1.1.12. Each tenant's packet is encapsulated in GRE between provider addresses (PA) 192.168.2.22 and 192.168.5.55; the GRE key (Key=5001 for one tenant, Key=6001 for the other) keeps the two virtual networks apart even though the CAs overlap.
• Customer address space based on virtual machine configuration
• Provider address space based on physical network and is not visible to the virtual machines
What are network virtualization policies?
• Define CA-PA mappings:
• Specify the Hyper-V server on which the virtual machines are running
• Hyper-V implements policies by translating incoming and outgoing packets
• If a virtual machine is moved, policies are modified, but the virtual machine configuration stays the same
Policy settings (CA spaces to PA space):
• Blue Yonder Airlines, VSID 5001: SQL CA 10.1.1.1 -> PA 192.168.1.10; WEB CA 10.1.1.2 -> PA 192.168.1.12
• Woodgrove Bank, VSID 6001: SQL CA 10.1.1.1 -> PA 192.168.1.10; WEB CA 10.1.1.2 -> PA 192.168.1.12
Figure: datacenter network with Hyper-V Host 1 (PA 192.168.1.10) running both tenants' SQL VMs and Hyper-V Host 2 (PA 192.168.1.12) running both tenants' WEB VMs.
Network Controller Overview
• Highly available and scalable server role
• Southbound API for NC to communicate with the network
• Northbound API allows you to communicate with the NC
• Southbound API:
• Network Controller can discover network devices, detect service configurations, and gather all of the information you need about the network
• Provides pathway to send information to the network infrastructure, such as configuration changes that you have made
• Northbound API (REST interface):
• Provides you with the ability to gather network information from Network Controller and use it to monitor and configure the network infrastructure
• Configure, monitor, troubleshoot, and deploy new devices on the network by using Windows PowerShell, REST, SCVMM, SCOM etc.
• Can manage:
• Hyper-V VMs & vSwitches, Physical Network Switches, Physical
Figure: management applications and network-aware applications talk to the Network Controller over the northbound API; the Network Controller talks over the southbound API to the virtual network infrastructure and the physical network, down to the NIC.
Network Controller features
Fabric Network Management:
• IP subnets, VLANs, L2 and L3 switches, host NICs
Firewall Management:
• Allow/Deny rules, East/West & North/South
• Firewall rules plumbed into vSwitch port of VMs
• Rules for incoming/outgoing traffic
• Log traffic allowed/denied
Network Topology:
• Automatic discovery of network elements & relationships
Service Chaining:
• Rules for redirecting traffic to one or more virtual appliances
Software Load Balancer:
• Centralized configuration of SLB policies
Network Monitoring (physical & virtual):
• Active network data: network loss, latency, baselines, deviations
• Fault localization
• Element data: SNMP polling & traps
• Limited set of critical data via public management information bases (MIB), i.e. link state, system restarts, BGP peer status
• Device (switch, router) and device group (racks, subnets etc.) health
• Gathers network loss, latency, device CPU/memory usage, link utilization, and packet drops
• Impact analysis: overlay networks affected by underlying faulty physical networks, using topology information to determine vNet footprint & health
• System Center Operations Manager integration for health & statistics
Virtual Network Management:
• Deploy Hyper-V Network Virtualization
• Deploy Hyper-V Virtual Switch
• Deploy virtual network adapters to VMs
• Store and distribute virtual network policies
• Supports NVGRE and VXLAN
Windows Server Gateway Management:
• Deploy, configure & manage WSGs -> host & VMs
• S2S VPN with IPsec, S2S VPN with GRE
• P2S VPN, L3 forwarding, BGP routing
• Load balancing of S2S and P2S connections across gateway VMs + logging config/state changes
Datacenter Firewall
• Highly scalable, manageable, and diagnosable software-based firewall
• Freedom to move tenant virtual machines to different compute hosts without breaking tenant firewall policies
• Deployed as a vSwitch port host agent firewall
• Tenant virtual machines get the policies assigned to their vSwitch host agent firewall
• Firewall rules are configured in each vSwitch port, independent of the actual host running the virtual machine
• Guest OS agnostic
• Protect traffic between VMs on
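Because the rules live on the vSwitch port rather than on the host, a Datacenter Firewall policy is expressed as an ACL resource on the Network Controller and then attached to a virtual subnet or network interface. The block below is an added example, not code from the slides or Microsoft's own samples: it builds a three-rule tenant ACL with the NetworkController module's object model (allow 443 to the web VM from anywhere, allow 1433 to the SQL VM only from the web VM, deny and log everything else inbound) and attaches it to the first subnet of a virtual network. The REST URI, the virtual network resource id "BlueYonder", and the ACL id are assumptions; the CA addresses 10.1.1.1 (SQL) and 10.1.1.2 (WEB) are the ones from the policy slide.

```powershell
# Added example (not from the slides or Microsoft docs). Assumed: REST endpoint
# https://nc.contoso.com, a virtual network resource "BlueYonder" whose first
# subnet holds the 10.1.1.0/24 CA space (SQL = 10.1.1.1, WEB = 10.1.1.2).
Import-Module NetworkController

function New-AclRule {
    param(
        [string]$Id, [string]$Protocol, [string]$SrcPrefix, [string]$DstPrefix,
        [string]$DstPorts, [string]$Action, [int]$Priority, [string]$Logging = 'Disabled'
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol     # TCP, UDP or All
    $p.SourcePortRange          = '0-65535'
    $p.DestinationPortRange     = $DstPorts
    $p.Action                   = $Action       # Allow or Deny
    $p.SourceAddressPrefix      = $SrcPrefix    # '*', a CIDR or a single IP
    $p.DestinationAddressPrefix = $DstPrefix
    $p.Priority                 = "$Priority"   # lower number is evaluated first
    $p.Type                     = 'Inbound'
    $p.Logging                  = $Logging      # Enabled logs hits on this rule
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = $p
    $rule
}

function New-TenantAcl {
    param([Parameter(Mandatory)][string]$ConnectionUri,
          [Parameter(Mandatory)][string]$ResourceId)
    $rules = @(
        # North/South: clients anywhere may reach the web VM on 443 only
        New-AclRule -Id 'allow-https-to-web' -Protocol TCP -SrcPrefix '*' -DstPrefix '10.1.1.2' -DstPorts '443' -Action Allow -Priority 100
        # East/West: only the web VM may reach SQL on 1433
        New-AclRule -Id 'allow-web-to-sql' -Protocol TCP -SrcPrefix '10.1.1.2' -DstPrefix '10.1.1.1' -DstPorts '1433' -Action Allow -Priority 110
        # Everything else inbound is dropped and logged
        New-AclRule -Id 'deny-all-inbound' -Protocol All -SrcPrefix '*' -DstPrefix '*' -DstPorts '0-65535' -Action Deny -Priority 4000 -Logging Enabled
    )
    $aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
    $aclProps.AclRules = $rules
    # New-* on Network Controller resources is a PUT: it creates or replaces the resource
    New-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $ResourceId -Properties $aclProps -Force
}

function Set-SubnetAcl {
    param([string]$ConnectionUri, [string]$VirtualNetworkId, [string]$AclId)
    $acl  = Get-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $AclId
    $vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $ConnectionUri -ResourceId $VirtualNetworkId
    # The ACL is bound to the subnet, so VMs keep the policy when they move between hosts
    $vnet.Properties.Subnets[0].Properties.AccessControlList = $acl
    New-NetworkControllerVirtualNetwork -ConnectionUri $ConnectionUri -ResourceId $VirtualNetworkId -Properties $vnet.Properties -Force
}

$uri = 'https://nc.contoso.com'
New-TenantAcl -ConnectionUri $uri -ResourceId 'blueyonder-acl'
Set-SubnetAcl -ConnectionUri $uri -VirtualNetworkId 'BlueYonder' -AclId 'blueyonder-acl'
```

The explicit deny with logging at the lowest priority is what gives the "log traffic allowed/denied" data the feature slide mentions; without it, traffic that matches no rule is handled by the default behaviour and leaves no record you control.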
Software Load Balancing
Layer 4 load balancing for both “North-South” and “East-West” Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic
RAS Gateway
Software-based, multitenant, BGP-capable router

RAS Gateway features:
• Addition and removal of gateway VMs
• Site-to-site VPN gateway connectivity by using IPsec
• Site-to-site VPN gateway connectivity by using GRE
• Point-to-site VPN gateway connectivity
• Layer 3 forwarding capability
• BGP routing
Network Controller Deployment Requirements
• You can only deploy Network Controller to the Windows Server 2016 Datacenter edition.
• The management client you use must be installed on a computer or virtual machine running Windows 10, Windows 8.1, or Windows 8.
• You must configure dynamic DNS registration to enable registration of required DNS records for Network Controller.
• If the computers or virtual machines running Network Controller or the management client for Network Controller are joined to a domain, you must:
  o Create a security group that holds all the users that have permission to configure Network Controller.
  o Create a security group that holds all of the users that have permission to configure and manage the network by using Network Controller.
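The two security groups map directly onto the two layers of the deployment: the cluster layer (who may configure the controller itself) and the application layer (who may manage the network through it). The following is an added example, not from the slides or Microsoft's deployment guide: it checks the requirements listed above on the target node and then installs a single-node Network Controller with Kerberos on both layers. The node name NC01.contoso.com, the groups CONTOSO\NC-Management and CONTOSO\NC-Clients, the REST IP 10.0.0.50/24, the fault domain string and the certificate subject are constructed values for the example.

```powershell
# Added example (not from the slides or Microsoft docs). Constructed names:
# node NC01.contoso.com, CONTOSO\NC-Management (may configure the controller),
# CONTOSO\NC-Clients (may manage the network through the Northbound API),
# REST IP 10.0.0.50/24, REST certificate subject CN=NC01.contoso.com.

function Test-NcPrerequisite {
    # Mirrors the requirements on the slide; each property is $true when satisfied.
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        DatacenterEdition      = $os.Caption -match 'Datacenter'
        DomainJoined           = $cs.PartOfDomain
        # at least one adapter registers its address so the NC DNS records are created
        DynamicDnsRegistration = @(Get-DnsClient | Where-Object RegisterThisConnectionsAddress).Count -gt 0
        RoleInstalled          = (Get-WindowsFeature -Name NetworkController).Installed
    }
}

function Install-SingleNodeNc {
    $check = Test-NcPrerequisite
    if (-not ($check.DatacenterEdition -and $check.DomainJoined -and $check.DynamicDnsRegistration)) {
        throw "Prerequisites not met:`n$($check | Out-String)"
    }
    if (-not $check.RoleInstalled) {
        Install-WindowsFeature -Name NetworkController -IncludeManagementTools | Out-Null
    }

    # Certificate the REST endpoint presents to clients (assumed already enrolled on the node)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object Subject -eq 'CN=NC01.contoso.com' | Select-Object -First 1
    if (-not $cert) { throw 'REST server certificate CN=NC01.contoso.com not found' }

    $node = New-NetworkControllerNodeObject -Name 'NC01' -Server 'NC01.contoso.com' `
                                            -FaultDomain 'fd:/rack1/host1' -RestInterface 'Ethernet'

    # Cluster layer: ManagementSecurityGroup holds the users allowed to configure Network Controller
    Install-NetworkControllerCluster -Node $node -ClusterAuthentication Kerberos `
                                     -ManagementSecurityGroup 'CONTOSO\NC-Management' -Force

    # Application layer: ClientSecurityGroup holds the users allowed to manage the network via NC
    Install-NetworkController -Node $node -ClientAuthentication Kerberos `
                              -ClientSecurityGroup 'CONTOSO\NC-Clients' `
                              -ServerCertificate $cert -RestIpAddress '10.0.0.50/24' -Force

    # Shows the REST address and the client security group that is now enforced
    Get-NetworkController
}

Install-SingleNodeNc
```

Keeping the two groups separate is the least-privilege point of the slide: a network operator in NC-Clients can push ACLs and virtual networks but cannot change the controller's own cluster configuration, which stays with NC-Management.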
Learning Resources
Course 20741 outline
Module 1: Planning and implementing an IPv4 network
Module 2: Implementing DHCP
Module 3: Implementing IPv6
Module 4: Implementing DNS
Module 5: Implementing and managing IPAM
Module 6: Remote access in Windows Server 2016
Module 7: Implementing DirectAccess
Module 8: Implementing VPNs
Module 9: Implementing networking for branch offices
Module 10: Configuring advanced networking features
Module 11: Implementing software-defined networking
Born To Learn Site: http://borntolearn.mslearn.net/
TechNet: https://technet.microsoft.com/
TechNet Virtual Labs: https://technet.microsoft.com/en-us/virtuallabs/default
Microsoft Virtual Academy: https://mva.microsoft.com/en-US/training-courses/whats-new-in-windows-server-2016