-
Planning
-
INSTALLATION
-
dism.exe
-
convert GUI to CORE or vice versa
- Convert Server Core back to Server GUI
- Dism /online /enable-feature /featurename:Server-Gui-Mgmt /featurename:Server-Gui-Shell /featurename:ServerCore-FullServer
Y
- Import-Module DISM
Disable-WindowsOptionalFeature -online -Featurename Servercore-Fullserver
y
- Add-WindowsFeature
- Install-WindowsFeature
-
Windows Server 2012 R2 Datacenter
- Can upgrade from:
2012 Datacenter
2008 R2 Enterprise SP1
2012 Standard
-
Windows Server 2012 R2
- can remove DHCP offline VHD
- WMF 4.0 built-in
-
Windows Server 2012
- No Work Folders
-
Windows Server 2008 Core
- Can NOT migrate to 2012 R2
-
Windows Server 2008 R2 Core
- Can Migrate to 2012 R2
- Windows 8 Enterprise
-
Windows 8.1 Pro
- RSAT
- Can remove DHCP offline
-
Windows Server 2008 R2
- To remote manage (higher server) needs WMF 3.0 & .Net Framework 4.0 or plus
- Windows 7
-
Windows Server 2003 Datacenter SP1
- Can migrate to 2012 R2
-
Windows Server 2003 R2 Datacenter
- Can migrate to 2012 R2
-
AD
- Domain services
-
Delegate Control
- Delegation control wizard
-
Subnet
- AD Sites and Services
-
User Accounts
- Attributes
-
Multiple users
- CSV file and use PowerShell
-
disable
- dsmod user CANONICAL NAME -disable yes
-
Computers
-
Offline Domain Join
- 1. Open an elevated command prompt on Server
2. djoin.exe /provision /domain /machine /savefile
3. Copy the provisioning data file to the Client Computer
4. Open an elevated command prompt on Client
5. djoin.exe /requestobj /loadfile /windowspath /localos
6. reboot client computer
-
Logical Components
-
schema
- schema master
- objects that are accessible
-
attributes
- classes
- SIDs
- partition
-
domain
- DNS
-
domain tree
- share space
- forest
-
site
- logging into the right site
-
OU
- folder
- delegate authority
- deploy group policy
-
physical Components
-
Domain Controller
- oprerational master
- unique name
- data store
- global catalog servers
- RODC
-
GPO
-
Software Restriction Policy
- Application
-
Windows 7 Upgrade
- Specify Setting for optional component installation and component repair
-
Group Policy Management Editor
-
Computer Configuration
-
Windows Settings
- Security Settings
- Local Policies
- User Rights Assignment
- Deny Logon Locally
-
User Account RIGHTS
-
access network resources
-
locally
- Local Security Policy
- Assign the "Access this computer from the network" GPO
-
Links
-
To Implement corporate Policies
- parent GPO Link has Precedence over child GPO Link
-
Child Object not being applied
- remove enforcement from the parent GPO link
- force a collection of settings
- linked to OUs
domains
sites
-
Resultant Set of Policy (RSoP)
- from remote computers
-
GPMC
- gathers information
-
Starter GPO
-
Remote Event Log MAnagement
- NP-In
- RPC
- RPC-EPMAP
- WMI-in
-
Dynamic Access Control (DAC) policy
- set attributes for access
- Enforce Settings on accessing Resources
-
Restore
-
dcgpofix /target:both
-
restore Defaults
- Domain Policy GPO
- Domain Controllers GPO
-
ADMX files
- Administrative Templates
-
created manually
- Stored in C:\windows\PolicyDefinitions
- create a central store root folder within PolicyDefinitions Folder
- Create the EN-US subfolder in the PolicyDefinitions Folder
- registry.pol file
-
Security Templates
- apply server configuration to other servers
-
NOTES
- downloads GPO after boot
- in SYSVOL
- first Computer Boots
- second when User Logs on
- refreshes 90min
-
Security
-
Application control policy
-
AppLocker
-
Rule Collections
- Window Installer Files
- .msi
- Packaged App Installers
- .appx
- Scripts
- .VBS
- .ps1
- DLLS
- .ocx
- Executable Files
- .com
- add rules up from parent
-
Rule
- execution of application on clients computers
- Publisher Condition and Path Condition
- under security settings - Application Control policies
- Augmented to support Win 8 packaged apps
- Applied using Applocker Group Policy settings
- Introduced Windows Server 2008 R2
-
Updates and Fixes
- Network Access Protection (NAP)
-
Firewall
-
Rules
-
Inbound
- traffic coming into the device
-
Outbound
- traffic leaving the device
-
Security Connection Rules
- Tunnel
- Authenticate connections between 2 gateway computers
- Isolation
- separate inbound & outbound connections based on credentials
- Authentication Exemption
- do not require authentication
- Custom
- allow to add IP address & leave other endpoinbt open (authentication req)
-
Ports
- SMTP = 25
- HTTPS = 443
- POP3 = 110
- RDP = 3389
- Telnet = 23
-
DMZ
-
Authentication Exemption
- Exempting from Authentication in and out of firewall
- improve performance
- protects internal network
- Not to expose DNS
- Store in AD
-
Software Restriction
-
Policy for Internal Applications
-
Rule Types Order
- 1. Hash
2. Certificate
3. Path
4. Internet Zone
5. Default
-
Software Restriction policy
- Used to identify software running on a local computer
- Introcuced prior to Windows Server 2008 R2
- Deployed using Domain-wide group policy
-
NTFS
- Configure NTFS Permissions
-
Permissions
-
Full Control
- Delete
- Change Permissions
- Create Files and Write Data
- Take Ownership
- Traverse Folder/Execute File
-
Modify
- Delete
- Create Files and Write Data
- Traverse Folder/Execute File
-
Write
- Create Files and Write Data
- Read
-
Read/Execute
- Traverse Folder/Execute File
- Share permissions
-
UAC
-
accept updates without UAC prompts
- UAC: Detect applications and prompt for elevation
-
TrustedHost list for NTLM authentication
- So processes can run like remote workgroup server
-
policy settings
-
Access Token
- Two generated for an administrative user signing onto a computer
- Generated when a standard user signs on to a computer
-
Consent Prompt
- presented when a user performs a task that requires admin privileges
-
Credential Prompt
- Displays when a standard user attempts to perform an admin function
-
Admin approval Mode
- Required to elevate the security context from standard to admin
-
Auditing
-
collection of settings
- success and or failure settings
-
enabled
- Audtipol.exe
- secedit.msc
-
Documentation
- what when where
- Triggers
-
Policy
- account logon events
- account management
-
directory services
- record access events taking place on AD objects
- logon events
- object access
- policy change
-
priviledge
- record user acces and actions on a system
- process tracking
- sytem events
-
SACL
- system access control list
- Who will be audited
- Auditing inheritance apply
-
Security Templates
- Configure permissions for startup modes using system services
- Define access control permissions for NTFS
- define the users allowed to be members of groups using RESTRICTED GROUPS
-
Merge Predefined security templates to an Existing GPO
- 1. Open GRoup Policy Management
2. Open the target GPO to edit
3. Open the security template
4. Navigate to Security Settings to import a template
5. Confirm merge
-
Hyper-V Manager
-
VMs
- Create and Configure Virtual Machine Settings
-
Backup
-
Checkpoint (earlier version called Snapshots)
- Managing VM Checkpoints
- revert the virtual machine to a previous state
- Checkpoint name
- Revert = Rollback
-
Generation 1
- x86 Architecture
- RemoteFX Enabled
- Backward Compatible
- Subtopic 4
- Server 2008
- Server 2008 R2
-
Generation 2
- Secure Boot
- Boot from SCSI
- PXE boot
- Windows 8.1 64-bit
- Supports 4 SCSI controllers
- Each Controller can support up to 64 = 256 Storage devices MAX
-
Hyper-V Resource Metering
-
Measure-VM
- Average CPU
- max disk space per VM
- IO net traffic per virtual adapter
-
Memory
- Found under Settings
- Dynamic Memory (RAM) max-min
-
Smart paging
- location of temp memory
- used when no physical mem is avail
- Booting VMs need more mem
- Smart Paging File Location
-
Create a VM from ISO
- 1. select Create a virtual hard disk
2. Install OS from Boot CD/DVD
3. Select
-
Join Domain
- offline domain join (faster)
-
guest integration services
- fastest comm for guest & server
- Pass local resources into the OS
- 2012 Server R2 onwards
-
Virtual Machine Connection Tool
-
execute an enhanced session mode connection
- redirecting local resources to VM (display,USB, printers etc)
- in Hyper-V Settings
-
Install Hyper-V Remotely
-
Open a PowerShell Session
-
Get-WindowsFeature
- Get-Help Install-WindowsFeature
- Install-WindowsFeature -Name <Feaure_name> -computername <computer_name> -restart
-
Networking
-
Switches
- Configure Hyper-V Virtual Switches
-
Internal Switch
- Virtual Host Plugs in
-
External Switch
- Connects to a physical Switch
- Access to a physical network
- Private Switch
-
NIC
-
NIC Teaming
- Set-VMNetworkAdapter
- under Advanced Features
- ADV
- Enhance Throughput and Availability
- Run from VM
- lbfoadmin.exe
- Process
- 1. Open Server Manager
2. Access NIC Teaming for the Server
3. Select both NICs, right-click and select Add to New Team
4. Enter the Team Name
-
Virtual Switch Manager
-
Configure range of MAC addresses
- assigned to VMs
- Under Global Network Settings
-
Network Isolation
- Port Access Control Lists (ACLs)
-
network performance
-
Virtual Receive-side scaling (vRSS)
- avoid bottlenecks network traffic to VMs
-
IP REwrite
- increase Throughput
-
Storage
-
Volume
-
list volume
- display volume label, number, letter, file system, size and status
-
Share
- net share TeamLeaders=e:\TeamLeaders
-
Quotas
-
Hard
- Enforce Quotas
-
Soft
- Send Threshold Notifications
-
Shared Folders
- Configure Shared Folders
- Ends with a $ is a hidden share
- Default Read-Only Access
-
VHD
-
Virtual Hard Disk Wizard (edit Existing)
- Convert
- Expand
- Compact
- Shrink
- Create & Modify VHDs and VHDx
-
Offline
-
Adding a Role to an Offline VHD
- 1. Configure a role-based installation
2. Locate a VHD
3. Locate a Server to mount VHD
4. Add the VHD File
-
Disk Formats
-
VHD
- 2TB
-
VHDX
- 64TB
- Not Supported earlier than Win Server 2012
-
Disk Type
- Fixed Size
- Dynamically expanding
-
Differencing
- dependent on a parent drive
- pass-through disk
-
SAN
- Fibre Channel Storage Area Network
- vSAN
- Virtual SAN Manager
- Virtual Fibre Channel Adapter
-
DFS
-
Distributed File System
-
access-based enumeration (abe)
- view of files and folders
- dfsutil property abe enable \\server\path\share
-
Work Folders
- Needs Windows Server 2012 R2
- NTFS
-
Installation
- 1. Launch the Add Roles and Features Wizard
2. Select Role-based or feature-based deployment
3. Select the destination server
4. Select the Work Folders role service and OK
-
DISKs
-
Basic
- Configure
- Convert to Dynamic Disk
- Format Partition
- MBR
-
Dynamic
- Configure
- Can convert back to Basic
-
GPT Format
- partitions > 2TB need to convert to GPT
-
Disk Pool (storage pool)
-
Configure Disk Pools
- Create Virtual Disk after Pool
- collection of heterogeneous disks
- Select the physical disks for the storage pool
- Hot Spare (redundency)
-
Virtual Disks
-
Storage Layout
- Simple
- Striped for max capacity and increased throughput
- Mirror
- Parity
-
Provision type
- Thin
- Volume uses space from Storage Pool as needed
- Fixed
- Volume uses space from Storage Pool = volume size
-
New Volumes
- 1. Select Server & Disk
2. Size
3. Drive Letter
4. Select File System & Volume Label
-
Failover Clustering
- Install & configure Failover Clustering
- fault tolerance in assuring network service availability
-
iSCSI initiator
- access servers
- installed iSCSI target services on two servers to simulate a shared storage that can be used by members of a server cluster
- nodes of the server cluster acts as iSCSI initiators which are clients that connect to a shared volume
- Add-WindowsFeature -Name Failover-Clustering -IncludeAllSubFeature –IncludeManagementTools
- Set DNS name and point to A or AAAA record host
-
Failover Cluster Manager
- Validate Configuration
- Create Cluster
- added functionality to a failover cluster by creating a storage pool
-
in-place Upgrade each node
- 1. Remove one of the Servers from the cluster and upgrade to 2012 R2
2. Create a new Cluster
3. Run the Copy Cluster Roles wizard
4. Disband the old cluster
5. upgrade all remaining servers to 2012 R2
-
Migrate Clustered Roles
- 1. Connect to the new Cluster
2. Run the Copy Cluster Roles Wizard
3. Take the Roles on the old Cluster Offline
4. Bring the Roles on the new Closter Online
-
Offline Files
- Configure Offline Files
- Sync of Files and Folders
- Files not cached policy enabled in GPO
- 1. Configure Sync Options Using GPO
2. Go to OU -> Create GPO & Link
3. Name GPO
4. Edit -> Go to Computer Configuration-> Policies-> Administrative Templates-> Network-> select Offline Files
5. Options : Configure Background Sync -> Enable
6. Options : Enable Transparent Caching -> Enable
- GPO Setup ->User Configuration-> Policies-> Administrative Templates-> Network-> select Offline Files.
-
Folder Redirection
- 1. Create a Folder Redirection Security Group
2. Create a File Share for the redirected folder
3. Create a GPO for Folder Redirection
4. Configure Folder Redirection with Offline Files
5. Enable the Folder Redirection GPO
-
Volume Shadow Copy Service (VSS)
- Configure Volume Shadow Copy Service
-
NTFS Quotas
- Configure NTFS Quotas
-
Networking
-
DHCP
-
Server
-
DHCP Relay agent
- Fwd client request to another subnet
- DHCP/Bootstrap Protocol (BOOTP)
-
Configure to issue IP addresses
- 1. Install DHCP service
2. Create DHCP scope
3. Activate Scope
4. Authorize the DHCP Server
-
Authorize in AD
- Add-DhcpServerInDC
- may have 1 or more scopes
-
Reservations
-
allocation of addresses
- ie. printers
- servers
- network devices
-
Scope Options
- Default Gateway Addresses
- DNS Server
- 1st and Last IP addresses
-
Lease Duration
- Low lease for wireless
- Activate the scope
-
Backup
- Reservation
- Leases
- Scopes
- Binds IP Addresses to MAC addresses
- database
- PXE boot can be defined if using WDS
- Remote Desktop Services
-
DNS
-
DNS MAnager
-
Resource Records
- Mail Exchanger (MX)
- identify mail servers
- Canonical name (CNAME)
- multiple names are needed for a single host record
- Service Location (SRV)
- used to locate domain controllers
- Created automatically from AD DS
- have a priority
- Host (A)
- not for a DHCP Client
- nslookup
-
Powershell
- New-NetIPAddress
- Set-DnsClientServerAddress
-
404 errors
-
Flush DNS client resolver Cache
- ipconfig /flushdns
- Restart each user's computer
- Allows computers to establish a connection to a name associated to an IP address
-
Process
- 1. Goes to a root server
2. delegate authority ie. a .com server
3. authorative delegate to second level dns server
4. provides an IP address
5. Client will cache the information
-
Primary Zone
- read and write replicate to a secondary zone
- read/write copy
-
Zone transfer Process
-
Secondary
- read only
- Checks with master every x min
-
Stub
- Copy to find Primary (redirection)
-
notify
- Push info if received info straight away
- keeps servers up-to-date
-
Dynamic Updates
- Best security is not to have it
- Inserts records into the DNS
- NS (name server) and SOA records already created
-
KMS Activation Infrastructure
- Manually create the _vlmcs._TCP SRV record and point it to KMS host
-
Active Directory
-
AD integrated DNS
- encrypted
- mulitmaster topology
- Branch offices RO copy
- All DNS servers jost the same info
-
Non-AD integrated DNS
- zone transfers are not secured
- DNS data is stored locally
- Uses Cache only option
-
AD needs DNS
- AD replicates data automatically
- Store in AD for security
- multimaster
-
root hints
- provides a list of IP addresses of DNS servers that are considered to be authoritative at the root level of the DNS hierarchy
- (also known as root name server).
-
cache.dns
- checks its own cache first
- Populated to root hints
- list of root servers
-
NOTES
- Finds Authoratative servers
- delegate authority
-
levels
- root-level
- first-level
- .org , .com, .eu
- second-level
- .microsoft, google
- third-level
- mail.microsoft
-
resource records
- information and IP address associated
- registration records of DHCP clients
-
DNS recursion
- look up itself
-
SOA
- Start of Authority
- version number (increments)
- primary server
- email
- refresh time
- in each zone
-
Forwarders
- if no answer, indtead of root hints try this server
- capitalize on cache
- add manually
- ISP may use this
-
reverse lookups
- IP to name
- used for security
- verification usage
- PTR
-
Cache lookups
- shown in advances view of DNS manager
-
IPv6
-
Link-Lcal Unicat Address
- FE80::/8
- Local connectivity
- auto address config
- router discovery
-
neighbour discovery
- AnyCast
-
Unique Local Unicast Address
- FC00::/7
- local comms
- assign DA clients
- Not desireable to configure a long time
-
Global Unicast Address
- 2000::/3
- publicaly routable addresses
- IPsec built in
- 128bit
- avoidance of Broadcast
- AAAA records DNS
- No NAT
- Multicast
-
Router
-
Stateless
- client assigns itself and IP address
-
Statefull
- Binds Addresses
-
Technologies
-
ISATAP
- Tunneling Protocol
- transmit IPv6 packets between dual-stack nodes on top of an IPv4 network
- using Group Policy
- Can Implement Using DirectAccess
-
6to4
- Public Tunneling
- Remote hosts
- Site-to-site connections
- Not NAT
- Starts with 2002
- Uses Relay Routers to forward IPv6 Through IPv4 environment
-
Teredo
- Tunneling 6to4
- Supports NAT
- Client
- Server
- direct traffic
- configuration point
- Ipv4 & IPv6 address
- Encapsulated in a UDP packet
-
NAT64
- Acts as a network device between IPv4 and IPv6 network
-
DirectAccess
-
IPv6
- ISATAP
-
IP Address Management (IPAM)
- Best deployed on a member server in each site
- Can Not be installed in AD DC
-
Server Manager
-
Feature on Demand
-
data Deduplication
- locate and remove duplication of data without issues
- File and Storage Services
- IIS Web Server
- Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools
-
Remote Server Manage
-
2008 R2
-
Install .NET Framework 4 or newer
- Install Windows Management Framework (WMF) 3.0
- Install hotfix KB2682001
-
Server Core
- Configure-SMRemoting.exe -enable
- Not able to connect unless WinRM
-
PowerShell
-
Desired State Configuration (DSC)
- Need Windows Management Framwork (WMF) 4.0
- Install or remove server roles and features
Manage registry settings
Manage files and directories
Start, stop, and manage processes and services
Manage local groups and user accounts
Install and manage packages such as .msi and .exe
Manage environment variables
Run Windows PowerShell scripts
Fix a configuration that has drifted away from the desired state
Discover the actual configuration state on a given node
-
setup a central configuration pull server
- Stores computer configurations
- Can be checked for updates of the pull server
-
Not on a Core Server
- Need to convert the server to a "Server with a GUI" installation
- Install-WindowsFeature DSC-Service
-
Cloud Services
-
windows Azure
-
VMs
-
Server Applications
- AD
-
Services
- Infrastructure as a Service (IaaS)
-
Printing
-
Policy
-
Use Remote Desktop Easy Print Print Driver First
- local machine
- no need to install prin drivers
- deploy by gpo
-
Drivers
-
Install
- Add-PrinterDriver -Name "Some printer"
-
Version 4
- discover drivers over the network
- no architure dependent
- delivered from WSUS
-
Type 3
- Backwards comaptible
- Class drivers
-
NOTES
- Branch
- adrvertise in listing of printers
-
Printing Priority
- higher has precedence
-
driver isolation
- troubleshooting
- protecting from crashing
- enabled by default
- Print Pooling
- Distributed Scan Server
-
Services
- Role
-
Domain Controller
- replication traffic
-
install from media (IFM)
-
NTDSUTIL.EXE
-
Create Full NoDefrag %s
- Creates an IFM store w/o Defrag
- space is limited and as fast as possible
-
NTDS.DIT
- database
-
Global Catalog Server
-
if unavailable - Configure universal group membership caching at sites
- eliminates the need to contact DC for authentication
-
Deploy a domain controller (Slow Connection)
- 1. Create an IFM installation Run Ntdsutil.exe on main domain controller
2. Install a server in the branch office and install AD DS role
3. Promote the server to a Controller
4. Configure the server to perform an install from Media (IFM) (using previous created media)