20412D ENU Companion

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
20412D
Configuring Advanced Windows Server
2012 Services
Companion Content
ii Configuring Advanced Windows Server 2012 Services
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at

http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners
Product Number: 20412D
Released: 04/2014
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Centers training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
b. If you are a Microsoft Learning Competency Member:

User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
iv. you will ensure that each End User attending an Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code tent that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code ntent are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Contents subject

matter is based on a pre-release version of Microsoft technology (Pre-release), then in addition to the
other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is as is, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to

o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence tant distribu au Qubec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en franais.
EXONRATION DE GARANTIE. Le contenu sous licence vis par une licence est offert tel quel . Toute
utilisation de ce contenu sous licence est votre seule risque et pril. Microsoft naccorde aucune autre garantie
expresse. Vous pouvez bnficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualit marchande, dadquation un usage particulier et dabsence de contrefaon sont exclues.
LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES

DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages
directs uniquement hauteur de 5,00 $ US. Vous ne pouvez prtendre aucune indemnisation pour les autres
dommages, y compris les dommages spciaux, indirects ou accessoires et pertes de bnfices.
Cette limitation concerne:
tout ce qui est reli au le contenu sous licence, aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers; et.
les rclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilit
stricte, de ngligence ou dune autre faute dans la limite autorise par la loi en vigueur.
Elle sapplique galement, mme si Microsoft connaissait ou devrait connatre lventualit dun tel dommage. Si
votre pays nautorise pas lexclusion ou la limitation de responsabilit pour les dommages indirects, accessoires
ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas votre
gard.
EFFET JURIDIQUE. Le prsent contrat dcrit certains droits juridiques. Vous pourriez avoir dautres droits
prvus par les lois de votre pays. Le prsent contrat ne modifie pas les droits que vous confrent les lois de votre
pays si celles-ci ne le permettent pas.
Revised July 2013

Implementing Advanced Network Services 1-1
Module 1
Implementing Advanced Network Services
Contents:
Lesson 1: Configuring Advanced DHCP Features 2
Lesson 2: Configuring Advanced DNS Settings 4
Lesson 3: Implementing IPAM 6
Lesson 4: Managing IP Address Spaces with IPAM 9
Module Review and Takeaways 12
Lab Review Questions and Answers 14

1-2 Configuring Advanced Windows Server 2012 Services
Lesson 1
Configuring Advanced DHCP Features
Contents:
Demonstration: Configuring DHCP Failover 3
Demonstration: Configuring DHCP Failover

Demonstration Steps
Configure a DHCP failover relationship
1. Sign in on LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then on the drop-down list, click DHCP. Note that the server is
authorized, but that no scopes are configured.
3. Switch to LON-DC1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.
4. In the DHCP console, expand lon-dc1.adatum.com, select and then right-click IPv4, and then click
Configure Failover.
5. In the Configure Failover Wizard, click Next.
6. On the Specify the partner server to use for failover page, in the Partner Server field, enter
172.16.0.21, and then click Next.
7. On the Create a new failover relationship page, in the Relationship Name field, enter Adatum.
8. In the Maximum Client Lead Time field, set the hours to zero, and then set the minutes to 15.
9. Ensure the Mode field is set to Load balance.
10. Ensure that the Load Balance Percentage is set to 50%.
11. Select the State Switchover Interval check box. Leave the default value of 60 minutes.
12. In the Enable Message Authentication Shared Secret field, type Pa$$w0rd, and then click Next.
13. Click Finish, and then click Close.
14. Switch to LON-SVR1.
15. Refresh the IPv4 node, expand the IPv4 node, and then expand Scope [172.16.0.0] Adatum.com.
16. Click Address Pool, and note that the address pool is configured.
17. Click Scope Options, and note that the scope options are configured.
18. Close the DHCP console on both LON-DC1 and LON-SVR1.
19. Revert LON-SVR1.

Lesson 2
Configuring Advanced DNS Settings
Contents:
Demonstration: Configuring DNSSEC 5
Demonstration: Configuring DNSSEC

Demonstration Steps
Configure DNSSEC
1. Sign in on LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then in the drop-down list, click DNS.
3. In DNS, expand LON-DC1, expand Forward Lookup Zones, and then select and right-click
Adatum.com.
4. On the menu, click DNSSEC>Sign the Zone.
5. In the Zone Signing Wizard, click Next.

6. Click Customize zone signing parameters, and then click Next.
7. On the Key Master page, click The DNS server LON-DC1 is the Key Master. Click Next.
8. On the Key Signing Key (KSK) page, click Next.
9. On the Key Signing Key (KSK) page, click Add.
10. On the New Key Signing Key (KSK) page, click OK.
11. On the Key Signing Key (KSK) page, click Next.
12. On the Zone Signing Key (ZSK) page, click Next.
13. On the Zone Signing Key (ZSK) page, click Add.
14. On the New Zone Signing Key (ZSK) page, click OK.
15. On the Zone Signing Key (ZSK) page, click Next.
16. On the Next Secure (NSEC) page, click Next.
17. On the Trust Anchors (TAs) page, check the Enable the distribution of trust anchors for this
zone check box, and then click Next.
18. On the Signing and Polling Parameters page, click Next.
19. On the DNS Security Extensions page, click Next, and then click Finish.
20. In DNS Manager, expand Trust Points, expand com, and then click Adatum. Ensure that the DNSKEY
resource records exist, and that their status is valid.
21. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.
22. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
23. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, and then click the Name Resolution Policy folder.
24. In the Create Rules section, in the Suffix field, type Adatum.com to apply the rule to the suffix of the
namespace.
25. Select the Enable DNSSEC in this rule check box.
26. Select the Require DNS clients to check that the name and address data has been validated by
the DNS server check box, and then click Create.
27. Scroll down and click Apply.
28. Close all open windows.

Lesson 3
Implementing IPAM
Contents:
Demonstration: Implementing IPAM 7
Demonstration: Implementing IPAM

Demonstration Steps
Install IPAM
1. Sign in on LON-SVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. In the Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, select the IP Address Management (IPAM) Server check box.
8. In the Add features that are required for IP Address Management (IPAM) Server popup, click
Add Features, and then click Next.
9. On the Confirm installation selections page, click Install.
10. When the Add Roles and Features Wizard completes, close the wizard.
Configure IPAM
1. In the Server Manager navigation pane, click IPAM.
2. In the IPAM Overview pane, click Connect to IPAM server. Click LON-SVR2.Adatum.com, and then
click OK.
3. Click Provision the IPAM server.
4. In the Provision IPAM Wizard, click Next.

5. On the Configure database page, click Next.
6. On the Select provisioning method page, ensure that Group Policy Based is selected. In the GPO
name prefix box, type IPAM, and then click Next.
7. On the Confirm the Settings page, click Apply. Provisioning will take a few minutes to complete.
8. When provisioning has completed, click Close.
9. On the IPAM Overview pane, click Configure server discovery.
10. In the Configure Server Discovery dialog box, click Add to add the Adatum.com domain, and then
click OK.
11. On the IPAM Overview pane, click Start server discovery. Discovery may take five to 10 minutes to
run. The yellow bar indicates when discovery is complete.
12. On the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
Notice that the IPAM Access Status is blocked. Scroll down to the Details view, and note the status
report. The IPAM server has not yet been granted permission to manage LON-DC1 via Group Policy.
13. On the taskbar, right-click the Windows PowerShell icon, and then click Run as Administrator.
14. At the Windows PowerShell prompt, type the following command, and then press Enter:
Invoke-IpamGpoProvisioning Domain Adatum.com GpoPrefixName IPAM IpamServerFqdn LON-

SVR2.adatum.com DelegatedGpoUser Administrator
15. When you are prompted to confirm the action, type Y, and then press Enter. The command will take a
few minutes to complete.
16. Close Windows PowerShell.
17. Switch to Server Manager. In the IPv4 details pane, right-click LON-DC1, and then click Edit Server.
18. In the Add or Edit Server dialog box, set the Manageability status field to Managed, and then click
OK.
19. Switch to LON-DC1.
20. From the start screen, start a command prompt.
21. In the command prompt, type Gpupdate /force, and then press Enter.
22. Wait for the Gpupdate process to complete, and then close the command prompt.
23. Return to LON-SVR2, and in Server Manager, right-click LON-DC1, and then click Refresh Server
Access Status. Discovery may take five to 10 minutes to run. The yellow bar indicates when discovery
is complete. After discovery is complete, refresh IPv4 by clicking the Refresh icon. It may take up to
five minutes for the status to change.
24. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take a few
minutes to complete.
Lesson 4
Managing IP Address Spaces with IPAM
Contents:
Demonstration: Using IPAM to Manage IP Addressing 10
Demonstration: Using IPAM Monitoring 11
Demonstration: Using IPAM to Manage IP Addressing

Demonstration Steps
1. On LON-SVR2, in the Server Manager, in the IPAM console tree, click IP Address Blocks.
2. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block.
3. In the Add or Edit IPv4 Address Block dialog box, provide the following values, and then click OK:
o Network ID: 172.16.0.0
o Prefix length: 16
o Description: Head Office
4. In the IPAM console tree, click IP Address Inventory.
5. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address.
6. In the Add IP Address dialog box, under Basic Configurations, provide the following values, and
then click OK:
o IP address: 172.16.0.1
o MAC address: 112233445566
o Device type: Routers
o Description: Head Office Router
7. Click the Tasks drop-down arrow, and then click Add IP Address.
8. In the Add IP Address dialog box, under Basic Configuration, provide the following values:
o IP address: 172.16.0.101
o MAC address: 223344556677
o Device type: Host
9. In the Add IPv4 Address pane, click DHCP Reservation, and then enter the following values:
o Client ID: Check the Associate MAC to Client ID checkbox
o Reservation server name: LON-DC1.Adatum.com
o Reservation name: Webserver
o Reservation type: Both
10. In the Add IPv4 Address pane, click DNS Record, enter the following values, and then click OK:
o Device name: Webserver
o Forward lookup zone: Adatum.com
o Forward lookup primary server: LON-DC1.Adatum.com

o Check the Automatically create DNS records for this IP address checkbox.
11. On LON-DC1, open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then
click Reservations. Ensure that the Webserver reservation for 172.16.0.101 displays.
12. Open the DNS console, expand Forward Lookup Zones, and then click Adatum.com. Ensure that a
host record displays for Webserver.
Demonstration: Using IPAM Monitoring

Demonstration Steps
1. On LON-SVR2, in Server Manager, in the IPAM console tree, click DNS and DHCP Servers.
2. In the Details view, discuss the LON-DC1.Adatum.com Server Properties.
3. Click the Event Catalog tab, and discuss the events shown.
4. In the IPAM console tree, click on DHCP scopes.
5. Select the Adatum scope, and discuss the information in the Scope Properties.
6. Click the Options tab, and discuss the information displayed.
8. In the IPAM console tree, click on DNS Zone Monitoring.
9. Select the adatum.com zone, and discuss the information in the Zone Properties.
10. Click the Authoritative Servers tab, and discuss the information displayed.
11. In the IPAM console tree, click on Server Groups.
12. Select the LON-DC1.adatum.com entry with the DNS server role, and discuss the information in the
Server Properties.
13. Click the DNS Zones tab, and discuss the information displayed.
Module Review and Takeaways

Best Practices
Implement DHCP failover to ensure that client computers can continue to receive IP configuration
information in the event of a server failure.
Ensure that there are at least two DNS servers hosting each zone.
Use IPAM to control IP address distribution and static address assignments.
Review Question(s)
Question: What is one of the drawbacks of using IPAM?
Answer: If you use IPAM, then you cannot manage DHCP-capable network devices, such as
gateways and wireless action protocols (WAPs), from the IPAM management console.
Real-world Issues and Scenarios

Some network clients are receiving incorrect DHCP configuration. What tool should you use to begin the
troubleshooting process?
Answer: The IPConfig /All command will report to you if the client is receiving DHCP
configuration, and if so, the IP address of the DHCP server from which the configuration came.
What are some possible causes of the incorrect configurations?
Answer: There may be a rogue DHCP server on the network. Common things to look for will be
gateway devicessuch as cable modems or Private Branch Exchange (PBX) boxesthat have a
DHCP component enabled. Another possibility is that someone configured the IP address on the
client manually.
Tools
Tool Use Location
Dnscmd Configure all aspects of DNS %systemroot%\System32\dnscmd.exe

management
DHCP console Control all aspects of DHCP %systemroot%\System32\dhcpmgmt.msc

management from a user interface
DNS console Control all aspects of DNS %systemroot%\System32\dnsmgmt.msc

management from a user interface
IPAM Control all aspects of IPAM Server Manager

management management
console
Get-DnsServer Command to display DNS Server Windows PowerShell

information.
Set-DnsServer Command to configure the DNS Windows PowerShell

Server, similar to dnscmd
command.
Export-Clixml Used to write output from a Windows PowerShell

PowerShell command as an xml
file.
Tool Use Location
Import-Clixml Used to import information from Windows PowerShell

an xml file into an object for use
with a PowerShell command.
Common Issues and Troubleshooting Tips

Common Issue Troubleshooting Tip
Users can no longer access a vendors The IP address of the website may have changed, but
website that they have historically been DNS cache locking is not updating the cached IP
able to access. address for that FQDN because the TTL for the record
has not yet expired. You must flush the cache on the
DNS server manually.
Managed servers are unable to connect to Ensure that the Windows Internal Database service
the IPAM server. and the Windows Process Activation service are
running on the IPAM server.
Lab Review Questions and Answers

Lab: Implementing Advanced Network Services
Question and Answers
Question: Will client computers immediately stop communicating on the network if there is no
functioning DHCP server?
Answer: No, the client computers will continue to function normally on the network until the
lease on their IP address expires.
Question: What is the default size of the DNS socket pool?
Answer: The default size of the DNS socket pool is 2,500 ports.
Question: What value does the DNS cache lock use to determine when to update an IP address in the
DNS cache?
Answer: Determination is made based on the Time to Live (TTL) value of the address record from
the start of authority resource record.
Implementing Advanced File Services 2-1
Module 2
Implementing Advanced File Services
Contents:
Lesson 1: Configuring iSCSI Storage 2
Lesson 2: Configuring BranchCache 5
Lesson 3: Optimizing Storage Usage 7

Lesson 1
Configuring iSCSI Storage
Contents:
Question and Answers 3
Demonstration: Configuring an iSCSI Target 3
Demonstration: Connecting to the iSCSI Storage 4
What Is iSCSI?
Question: Can you use your organizations internal TCP/IP network to provide iSCSI?
Answer: Yes, you can. However, as a best practice, you should have a dedicated TCP/IP network
for iSCSI so that other network traffic does not interfere the iSCSI communication, and so the
iSCSI communication does not interfere with the network traffic.
iSCSI Target Server and iSCSI Initiator

Question: When would you consider implementing diskless booting from iSCSI targets?
Answer: Answers will vary based on experience, but generally, you might consider this if you
want to implement virtualization technologies such as a Virtual Desktop Infrastructure (VDI) in
your organization.
Demonstration: Configuring an iSCSI Target

Demonstration Steps
Add the iSCSI target server role service
1. On LON-DC1, in the Server Manager, click Manage, and then click Add roles and features.
2. In the Add Roles and Features Wizard, on the Before You Begin page, click Next.
4. On the Select destination server page, ensure that Select server from the server pool is selected,
and then click Next.
5. On the Select server roles page, expand File And Storage Services (2 of 12 Installed), expand File
and iSCSI Services (1 of 11 Installed), select the iSCSI Target Server check box, and then click
Next.
6. On the Select features page, click Next.
8. When installation completes, click Close.
Create two iSCSI virtual disks and an iSCSI target

1. On LON-DC1, in the Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click drive C, and then click Next.
5. On the Specify iSCSI virtual disk name page, type iSCSIDisk1, and then click Next.
6. On the Specify iSCSI virtual disk size page, in the Size box, type 5, in the drop-down list box, ensure
that GB is selected, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-SVR2, and then click Next.
9. On the Specify access servers page, click Add.

10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected
type. In the Type drop-down list box, click IP Address, in the Value field, type 172.16.0.22, and then
click OK.
11. On the Specify access servers page, click Next.
12. On the Enable Authentication page, click Next.
13. On the Confirm selections page, click Create.

14. On the View results page, wait until creation completes, and then click Close.
15. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New
iSCSI Virtual Disk.
16. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click drive C, and then click Next.
17. On the Specify iSCSI virtual disk name page, type iSCSIDisk2, and then click Next.
18. On the Specify iSCSI virtual disk size page, in the Size box, type 5. In the drop-down list box,
ensure that GB is selected, and then click Next.
19. On the Assign iSCSI target page, click lon-svr2, and then click Next.
21. On the View results page, wait until creation completes, and then click Close.
Note: Keep the computers running, because you will need them for the next
demonstration.
Demonstration: Connecting to the iSCSI Storage

Demonstration Steps
Connect to the iSCSI target
1. On 20412D-LON-SVR2, in Server Manager, click the Tools menu, and then click iSCSI Initiator.
2. In the Microsoft iSCSI message box, click Yes.
3. In the iSCSI Initiator Properties dialog box, on the Targets tab, type LON-DC1, and then click
Quick Connect.
4. In the Quick Connect window, in the Discovered targets section, click iqn.1991-
05.com.microsoft:lon-dc1-lon-svr2-target, and then click Done.
5. In the iSCSI Initiator Properties dialog box, click OK to close the dialog box.
Verify the presence of the iSCSI drive

1. On 20412D-LON-SVR2, in Server Manager, on the Tools menu, click Computer Management.
2. In the Computer Management console, under Storage node, click Disk Management. Notice that
the new disks are added. However, they all are currently offline and not formatted.
3. Close the Computer Management console.
Note: Keep the computers running, because you will need them for the next
demonstration.
Lesson 2
Configuring BranchCache
Contents:
Demonstration: Configuring BranchCache 6
Demonstration: Configuring BranchCache

Demonstration Steps
Add BranchCache for the Network Files role service
1. On LON-DC1, in the Server Manager, click Add roles and features.
5. On the Select server roles page, expand File and Storage Services (3 of 12 Installed), expand File
and iSCSI Services (2 of 11 Installed), select the BranchCache for Network Files check box, and
then click Next.

Enable BranchCache for the server

1. On LON-DC1, click the Start screen.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. Expand Computer Configuration, expand Administrative Templates, expand Network, click

Lanman Server, and then double-click Hash Publication for BranchCache.
4. In the Hash Publication for BranchCache dialog box, click Enabled.
5. In the Options box, under Hash publication actions, select Allow hash publication only for
shared folder on which BranchCache is enabled, and then click OK.
6. Close the Local Group Policy Editor.
Enable BranchCache for a file share

1. On the taskbar, click the File Explorer icon.
2. In the File Explorer window, in the left pane, click Local Disk (C:).
3. On the quick access bar located on the upper-left side of the window, click New Folder, type Share,
and then press Enter.
4. Right-click Share, and click Properties.
5. In the Share Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
6. In the Advanced Sharing dialog box, click Share this folder, and then click Caching.
7. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
8. In the Advanced Sharing dialog box, click OK, and then click Close.
9. Close all open windows.

Lesson 3
Optimizing Storage Usage
Contents:
Demonstration: How to Configure Classification Management 8
Demonstration: Configuring Data Deduplication 9
What Is FSRM?
Question: Are you currently using the FSRM in Windows Server 2008 R2? If yes, for what areas do you use
it?
Answer: Answers will vary based on the students experiences with the FSRM in Windows
Server 2008 R2. FSRM is used in the following areas:
File Classification Infrastructure
File management tasks
Quota management
File screening management
Demonstration: How to Configure Classification Management

Demonstration Steps
Create a classification property
1. On LON-SVR1, on the toolbar, click the Server Manager shortcut.
2. In the Server Manager, click Tools, and then click File Server Resource Manager.
3. In File Server Resource Manager, expand the Classification Management node, and then click
Classification Properties.
4. Right-click Classification Properties, and click Create Local Property.
5. In the Create Local Classification Property window, in the Name field, type Confidential, and in
the Description field, type Assigns a confidentiality value of Yes or No.
6. Under Property type, click the drop-down list box, and then select Yes/No.
7. In the Create Local Classification Property window, click OK.
Create a classification rule

1. In File Server Resource Manager, click the Classification Rules node.
2. Right-click the Classification Rules node, and click Create Classification Rule.
3. In the Rule name field, type Confidential Payroll Documents.
4. In the Description field, type Classify documents containing the word payroll as confidential,
and then click the Scope tab.
5. In the Scope section, click Add.
6. In the Browse for Folder window, expand Allfiles (E:), expand Labfiles, click Data, and then click
OK.
7. In the Create Classification Rule window, click the Classification tab.
8. In the Classification method area, click the drop-down list box, and then click Content Classifier.
9. In the Property section, choose a Property name of Confidential and a Property value of Yes, and
then click Configure.
10. On the Parameters tab, below the Expression Type column, click the drop-down list box, and then
select String.
11. Double-click in the Expression column, type payroll, and then click OK.
12. In the Create Classification Rule window, click OK.
Modify the classification schedule

1. Right-click the Classification Rules node, and click Configure Classification Schedule.
2. In the File Server Resource Manager Options window, ensure that the Automatic Classification
tab is selected.
3. In the Schedule window, click the Enable fixed schedule check box.
4. In the Run at field, type 8:30 AM, select Sunday, and then click OK.
5. Right-click the Classification Rules node, and click Run Classification With All Rules Now.
6. In the Run Classification window, click Wait for classification to complete, and then click OK.
7. View the report, and ensure that File3.txt is listed at the bottom of the report.
8. In a File Explorer window, click drive E, expand Labfiles, expand Data, double-click the file File3.txt,
and then view its contents. Ensure that it contains the word payroll. Open the other files in the
folder and ensure they do not contain the word payroll.
9. Close all open windows on LON-SVR1.
10. Keep the virtual machines running for the next demonstration.
Demonstration: Configuring Data Deduplication

Demonstration Steps
Add the Data Deduplication role service
1. On LON-SVR2, in the Server Manager, click Manage, and then click Add roles and features.
5. On the Select server roles page, expand File And Storage Services (1 of 12 Installed), expand File
and iSCSI Services, and then select the Data Deduplication check box.
6. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
Enable Data Deduplication

1. In Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click Volumes.
3. In the Volumes pane, right-click drive E:, and in the drop-down list box, click Configure Data
Deduplication.
4. In the Allfiles (E:\) Deduplication Settings dialog box, in the Data Deduplication drop-down list
box, select General purpose file server, in the Deduplicate files older than (in days) box, type 3,
and then click Set Deduplication Schedule.
5. In the LON-SVR2 Deduplication Schedule dialog box, click Enable throughput optimization, and
in the Start time drop-down list box, click 2 AM., and then click OK.
6. In the Allfiles (E:\) Deduplication Settings dialog box, click OK.
Test Data Deduplication

1. On LON-SVR2, open a File Explorer window, navigate to drive E, right-click Group Policy
Preferences.docx file, and then click Copy.
2. Paste the Group Policy Preferences.docx file to the LabFiles folder.
3. On LON-SVR2, open the E:\LabFiles folder, right-click Group Policy Preferences.docx, and then
click Properties.
4. In the Properties dialog box, note the values for Size and Size on Disk.
5. Repeat steps five through seven for Group Policy Preferences.docx in the root folder of the E: drive.
6. On LON-SVR2, open the Windows PowerShell window.
7. At the Windows PowerShell prompt, type the following cmdlet, and then press Enter:
Start-DedupJob Type Optimization Volume E:
8. Type Get-DedupJob, then press Enter. Ensure that the process is running.
9. Wait a minute or two, and repeat the Get-Dedupjob command.
10. If you get no result, it means that the deduplication job is complete.
11. In the root folder of the E: drive, right-click Group Policy Preferences.docx, and then click
Properties.
12. In the Properties dialog box, note the values for Size and Size on Disk. Size on disk should be much
smaller than it was previously.

Best Practices
When you consider an iSCSI storage solution for your organization, spend most of the time on the
design process. The design process is crucial because it allows you to optimize the solution for all
technologies that will be using iSCSI storage, such as file services, Exchange Server, and SQL Server.
The design should also accommodate future growth of your organizations business data. Successful
design processes help guarantee a successful deployment of the solution that will meet your
organizations business requirements.
When you plan for BranchCache deployment, ensure that you work closely with your network
administrators so that you can optimize network traffic across the WAN.
When you plan for file classifications, ensure that you start with your organizations business
requirements. Identify the classifications that you will apply to documents, and then define a method
that you will use to identify documents for classification. Before you deploy the File Classification
Infrastructure, create a test environment. Then test the scenarios to ensure that your solution will
result in a successful deployment, and that your organizations business requirements will be met.
Review Question(s)
Question: How does BranchCache differ from the Distributed File System (DFS) to branch offices?
Answer: BranchCache only caches files that users in a remote location have accessed. DFS
replicates all the contents of folders between the head office and a remote location so that all
files exist in both locations.
Question: Why would you choose to implement BranchCache in hosted cache mode instead of
distributed cache mode?
Answer: When you use the distributed cache mode, the cache is hosted on the computers that
requested the file the first time. However, it is likely that computers or laptops that are running
Windows 8.1 may be shut down or removed from the office, or there may be multiple subnets in
the branch. This means that a cached file might not be available, which will force the file to be
downloaded across the WAN link again. However, the hosted cache mode is likely to be used
when a computer that is running the Windows Server 2008 R2 or newer operating system is
available in the branch office.
Question: Can you configure data deduplication on a boot volume?
Answer: No, you cannot configure Data Deduplication on a boot volume. You can configure
Data Deduplication only on volumes that are not system or boot volumes. Data Deduplication is
also not supported on the Resilient File System.
Question: Why would you implement a File Classification Infrastructure?
Answer: The File Classification Infrastructure enables you to manage groups of files based on
various file and folder attributes. Using file classification technology, you can automate file and
folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.

Your organization is considering deploying an iSCSI solution. You are a Windows Server 2012
administrator responsible for designing and deploying the new solution. This new solution will be used by
different types of technologies, such as Windows Server 2012 file server, Exchange Server, and SQL Server.
You face that of designing an optimal iSCSI solution, but at the same time you are not sure whether the
solution you are going to propose to your organization will meet the requirements of all technologies
that will be accessing the iSCSI storage. What should you do?
Answer: You should include on the team that will design and deploy the iSCSI solution experts
from different areas of specialization. Team members who will be involved in the project should
include Windows Server 2012 administrators, network administrators, storage administrators, and
security administrators. This is necessary so that the iSCSI storage solution has optimal
performance and security, and has consistent management and operations procedures.
Your organization is considering deploying a BranchCache solution. You are a Windows Server 2012
administrator in your organization, and you are responsible for designing and deploying the new solution.
The organizations business managers are concerned about security of the data that will be stored in the
branch offices. They are also concerned about how the organization will address security risks such as data
tampering, information disclosure, and denial of service attacks. What should you do?
Answer: You should include a security expert on your design team. You should also consider the
defense-in-depth model of analyzing security risks. BranchCache addresses the security risks as
follows:
Data tampering. The BranchCache technology uses hashes to confirm that during the
communication, the client computer and the server did not alter the data.
Information disclosure. BranchCache sends encrypted content to clients, but they must have the
encryption key to decrypt the content. Because potential malicious users would not have the
encryption key, if an attacker attempts to monitor the network traffic to access the data while it is
in transit between clients, the attempt will not be successful.
Denial of service. If an attacker tries to overload the client with requests for data, BranchCache
technology includes queue management counters and timers to prevent clients from being
overloaded.
Your organization is using large amounts of disk space for data storage and faces the challenge of
organizing and managing the data. Furthermore, your organization must satisfy requirements for security,
compliance, and data leakage prevention for company confidential information. What should you do?
Answer: You should deploy the File Classification Infrastructure. Based on file classification, you
can configure file management tasks that will enable you to manage groups of files based on
various file and folder attributes. You can also automate file and folder maintenance tasks, such
as cleaning up stale data or protecting sensitive information.
Tools
Tool Use Where to find it
iSCSI target server Configure iSCSI targets In Server Manager, under File
and Storage Servers
iSCSI initiator Configure a client to connect In Server Manager, in the Tools

to an iSCSI target virtual disk drop-down list box
Deduplication Evaluation tool Analyze a volume to find out Available from the command
(DDPEval.exe) the potential savings when prompt and stored in
enabling Data deduplication C:\Windows\System32
File Server Resource Manager A set of features that allow In Server Manager, in the Tools
you to manage and classify drop-down list box
data that is stored on file
servers
iSCSI Windows PowerShell Provides cmdlets for Installed automatically with

module configuring iSCSI iSCSI role
BranchCache Windows Provides cmdlets for Installed automatically with

PowerShell module configuring BranchCache BranchCache role
FSRM Windows PowerShell Provides cmdlets for Installed automatically with

module configuring FSRM FSRM role

Lab A: Implementing Advanced File Services
Question: Why would you implement MPIO together with iSCSI? What problems would you solve with
this approach?
Answer: You must have an MPIO to create a second network route to the iSCSI target. This is
useful when you lose a connection to the iSCSI target because of a loss in a network adapter.
With MPIO set up and configured, if a network adapter fails, another network adapter assumes
the failed network adapters traffic.
Question: Why must you have the iSCSI initiator component?
Answer: The iSCSI initiator component is the client component for iSCSI to connect to an iSCSI
target. Windows 8.1 and Windows Server 2012 already have this component preinstalled as a
service. You only have to start it to use it.
Question: Why would you configure file classification for documents located in a folder such as a
Corporate Documentation folder?
Answer: You would configure file classification so that you can perform specific actions only on
documents that are classified as Corporate Documentation. For example, you could configure
the expiration date so that older documents will be archived and later deleted.
Lab B: Implementing BranchCache

Question: When would you consider implementing BranchCache into your own organization?
Answer: Answers will vary, but implementing BranchCache is only important if you have a branch
office or a location that is connected to your organizations headquarters with a low bandwidth
link.
Implementing Dynamic Access Control 03-1
Module 3
Implementing Dynamic Access Control
Contents:
Lesson 2: Implementing DAC Components 2
Lesson 3: Implementing DAC for Access Control 6
Lesson 4: Implementing Access Denied Assistance 9
Lesson 5: Implementing and Managing Work Folders 11

Lesson 2
Implementing DAC Components
Contents:
Demonstration: Configuring Claims, Resource Properties, and Rules 3
Demonstration: Configuring Classification Rules 4
Demonstration: Configuring Claims, Resource Properties, and Rules

Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Claim Types.
3. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
4. In the Create Claim Type window, in the Source Attribute section, select department.
5. In the Display name text box, type Company Department.

6. Select both User and Computer check boxes, and then click OK.
7. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim
Type.
8. In the Create Claim Type window, in the Source Attribute section, click description.
9. Clear the User check box, select the Computer check box, and then click OK.
10. In the Active Directory Administrative Center, click Dynamic Access Control.
11. In the central pane, double-click Resource Properties.
12. In the Resource Properties list, right-click Department, and then click Enable.
13. In the Resource Properties list, right-click Confidentiality, and then click Enable.
14. Double-click Department.
15. Scroll down to the Suggested Values section, and then click Add.
16. In the Add a suggested value window, in both the Value and Display name text boxes, type
Research, and then click OK two times.
17. Click Dynamic Access Control, and then double-click Resource Property Lists.
18. In the central pane, double-click Global Resource Property List, ensure that both Department and
Confidentiality display, and then click Cancel. If they do not display, click Add, add these two
properties, and then click OK.
19. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control,
and then double-click Central Access Rules.
20. In the Tasks pane, click New, and then click Central Access Rule.
21. In the Create Central Access Rule dialog box, in the Name field, type Department Match.
22. In the Target Resources section, click Edit.
23. In the Central Access Rule dialog box, click Add a condition.
24. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
25. In the Permissions section, click Use following permissions as current permissions.
26. In the Permissions section, click Edit.
27. Remove permission for Administrators.
28. In Advanced Security Settings for Permissions, click Add.
29. In Permission Entry for Permissions, click Select a principal.

30. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
Check Names, and then click OK.
31. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check
boxes.
32. Click Add a condition.
33. Click the Group drop-down list box, and then click Company Department.
34. Click the Value drop-down list box, and then click Resource.
35. In the last drop-down list box, click Department, and then click OK three times.
Note: You should have this expression as a result: User-Company Department-Equals-

Resource-Department.
36. In the Tasks pane, click New, and then click Central Access Rule.
37. For the name of the rule, type Access Confidential Docs.
38. In the Target Resources section, click Edit.

39. In the Central Access Rule window, click Add a condition.
40. In the last drop-down list box, click High, and then click OK.
Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.
41. In the Permissions section, click Use following permissions as current permissions.
42. In the Permissions section, click Edit.

43. Remove permission for Administrators.
44. In Advanced Security Settings for Permissions, click Add.
45. In the Permission Entry for Permissions, click Select a principal.
46. In the Select User, Computer, Service Account, or Group window, type Authenticated Users, click
47. In the Basic permissions section, select the Modify, Read and Execute, Read, and Write check boxes.
Click Add a condition.
48. Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a
condition.
Note: If you cannot find Managers in the last drop-down list box, click Add items. Then in the
Select user, Computer, Service Account, or Group window, type Managers, click Check Names, in
Multiple Names Found window click Managers and then click OK.
49. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS, and then click
OK three times.
Demonstration: Configuring Classification Rules

Demonstration Steps
1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
2. In File Server Resource Manager, expand Classification Management.
3. Select and then right-click Classification Properties, and then click Refresh.
4. Verify that the Confidentiality and Department properties are listed.
5. Click Classification Rules.
6. In the Actions pane, click Create Classification Rule.
7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.
8. Click the Scope tab, and then click Add.
9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click
OK.
10. Click the Classification tab, make sure that the following settings are set, and then click Configure:
o Classification method: Content Classifier

o Property: Confidentiality
o Value: High
11. In the Classification Parameters dialog box, click the Regular expression drop-down list box, and
then click String.
12. In the Expression field, which is next to the word String, type secret, and then click OK.
13. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the
existing value, and then click OK.
14. In File Server Resource Manager, in the Actions pane, click Run Classification With All Rules Now.
15. Click Wait for classification to complete, and then click OK.
16. After the classification is complete, you will be presented with a report. Verify that two files were
classified. You can confirm this in the Report Totals section.
17. Close the report.
19. In the File Explorer window, expand Local Disk (C:), and then click the Docs folder.
20. In the Docs folder, right-click Doc1.txt, click Properties, and then click the Classification tab. Verify
that Confidentiality is set to High.
21. Repeat step 20 on files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as
Doc1.txt, while Doc3.txt should have no value. This is because only Doc1.txt and Doc2.txt have the
word secret in their content.
Lesson 3
Implementing DAC for Access Control
Contents:
Demonstration: Creating and Deploying Central Access Policies 7
Demonstration: Evaluating and Managing DAC 8
Demonstration: Creating and Deploying Central Access Policies

Demonstration Steps
1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then
double-click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the Tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
8. Close the Active Directory Administrative Center.
9. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
10. In the Group Policy Management Console, under Domains, expand Adatum.com, right-click DAC-
Protected, and then click Create a GPO in this domain, and link it here.
11. Type DAC Policy, and then click OK.
12. Right-click DAC Policy, and then click Edit.
13. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand File System, right-click Central Access Policy, and then click Manage Central
Access Policies.
14. Press and hold the Ctrl button and click both Department Match and Protect confidential docs,
click Add, and then click OK.
15. Close the Group Policy Management Editor and the Group Policy Management Console.
16. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
17. At a Windows PowerShell command-line interface command prompt, type gpupdate /force, and
then press Enter.
20. In File Explorer, browse to Local Disk (C:), right-click the Docs folder, and then click Properties.
21. In the Properties dialog box, click the Security tab, and then click Advanced.
22. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click
Change.
23. In the drop-down list box, select Protect confidential docs, and then click OK twice.
24. Right-click the Research folder, and then click Properties.
25. In the Properties dialog box, click the Security tab, and then click Advanced.
26. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click
Change.
27. In the drop-down list box, click Department Match, and then click OK twice.
Demonstration: Evaluating and Managing DAC

Demonstration Steps
1. On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.
Adatum.com, and then click Group Policy Objects.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration,
expand Audit Policies, and then click Object Access.
5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
6. Double-click Audit File System, select all three check boxes, and then click OK.
8. On LON-DC1, open Server Manager, click Tools, and then click Active Directory Administrative
Center.
9. In the navigation pane, click Dynamic Access Control.
10. Double-click Central Access Rules, right-click Department Match, and then click Properties.
11. Scroll down to the Proposed Permissions section, click Enable permission staging configuration,
and then click Edit.
12. Click Authenticated Users, and then click Edit.
13. Change the condition to User-Company Department-Equals-Value-Marketing, and then click OK.
14. Click OK twice to close all windows.
16. On the taskbar, click the Windows PowerShell icon.
17. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait
until Group Policy is updated for both user and computer.

Lesson 4
Implementing Access Denied Assistance
Contents:
Demonstration: Implementing Access Denied Assistance 10
Demonstration: Implementing Access Denied Assistance

Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
Adatum.com, and then click Group Policy objects.
4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand

System, and then click Access-Denied Assistance.
5. In the details pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are
denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box. Review other options, but do not make any
changes, and then click OK.
9. In the details pane of the Group Policy Management Editor, double-click Enable access-denied
assistance on client for all file types. Click Enabled, and then click OK.
11. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.
12. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait
until Group Policy is updated for both user and computer.
Lesson 5
Implementing and Managing Work Folders
Contents:
Demonstration: Implementing Work Folders 12
Demonstration: Implementing Work Folders

Demonstration Steps
1. On LON-SVR2, in Server Manager, click File and Storage Services, and then click Work Folders.
2. In the WORK FOLDERS tile, click Tasks, and then click New Sync Share
3. In the New Sync Share Wizard, on the Before you begin page, click Next.
4. On the Select the server and path page, click Select by file share, ensure that WF-Share is
highlighted, and then click Next.
5. On the Specify the structure for user folders, accept the default selection (User alias), and then
click Next.
6. On the Enter the sync share name page, accept the default, and then click Next.
7. On the Grant sync access to groups page, note the default selection to disable inherited
permissions and grant users exclusive access, and then click Add.
8. In the Select User or Group dialog box, in the Enter the object names to select, type WFsync, click
9. On the Grant sync access to groups page, click Next.
10. On the Specify device policies page, note the selections, accept the default selection, and then click
Next.
12. On the View results page, click Close.
13. Switch to LON-DC1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
14. Open Server Manager, click Tools, and then click Group Policy Management.
15. Expand Forest: Adatum.com-Domains-Adatum.com, click Group Policy Objects, right-click the
Group Policy Objects container, and then click New.
16. In the New GPO window, type Work Folders GPO in the Name field, and then click OK.
17. Right-click Work Folders GPO, and then click Edit.
18. In the Group Policy Management Editor, expand User Configuration\ Policies\Administrative
Templates\Windows Components, and then click Work Folders.
19. Double-click Specify Work Folders settings in the details pane.
20. In the Specify Work Folders settings dialog box, click Enabled.
21. In the Work Folders URL text box, type https://lon-svr2.adatum.com, and then select Force
automatic setup.
22. Click OK to close the Specify Work Folders settings dialog box, and then close the Group Policy
Management Editor.
23. In the Group Policy Management Console, right-click the Adatum.com domain object, and then
select Link an Existing GPO
24. In the Select GPO window, select Work Folders GPO, and then click OK.
25. Close the Group Policy Management Console.


Best Practices
Use central access policies instead of configuring conditional expressions on resources.
Enable Access Denied Assistance settings.
Always test changes that you have made to central access rules and central access policies before you
implement them.
Use file classifications to assign properties to files.
Use Work Folders to synchronize business data across devices.
Use Workplace Join in Bring Your Own Device (BYOD) scenarios.
Review Question(s)
Question: What is a claim?
Answer: A claim is information that AD DS states about an object, which usually is a user or a
computer.
Question: What is the purpose of Central Access Policy?
Answer: Central access policies enable administrators to create policies that apply to one or
more file servers in an organization. Central access policies contain one or more central access
policy rules. Each rule contains settings that determine applicability and permissions.
Question: What is the BYOD concept?
Answer: BYOD (Bring Your Own Device) is the policy of permitting employees to bring personal
devices, such as laptops, tablets, and smart phones, to the workplace, and allowing employees to
use those devices to access privileged company information and applications.
Question: How do Work Folders support BYOD concept?
Answer: By using Work Folders, users can access their business data even from non-Windows
and non-domain-joined devices. Additionally, administrators have control over the data in the
event that a device is lost or if a user leaves the company.
Tools
Tool Use Location
Active Directory Administering and creating Administrative tools

Administrative Center claims, resource properties,
rules, and policies
Group Policy Management Managing Group Policy Administrative tools

Console (GPMC)
Group Policy Management Editing GPOs GPMC

Editor
Windows PowerShell Administering DAC and Work Windows PowerShell

module for DAC and Work Folders
folders

Claims are not populated with the Verify that the correct attribute is selected for the claim.
appropriate values. In addition, check that the attribute value for a specific
A conditional expression does not allow object is populated.
access. Verify that the expression is well defined. In addition,
try using the Effective Access tab to troubleshoot the
problem.

Lab: Implementing Secure Data Access
Question: How do file classifications enhance DAC usage?
Answer: By using file classifications, you can set attributes on files automatically, and then use
these attributes in conditional expressions when you implement DAC.
Question: Can you implement DAC without central access policy?
Answer: Yes, you can set conditional expressions directly on resources.

Implementing Distributed Active Directory Domain Services Deployments 4-1
Module 4
Implementing Distributed Active Directory Domain
Services Deployments
Contents:
Lesson 1: Overview of Distributed AD DS Deployments 2
Lesson 2: Deploying a Distributed AD DS Environment 5
Lesson 3: Configuring AD DS Trusts 8

Lesson 1
Overview of Distributed AD DS Deployments
Contents:
Resources 4
Discussion: AD DS Components Overview

Question: What is an AD DS domain?
Answer: An AD DS domain is a logical grouping of user, computer, and group objects for the
purpose of management and security. All of these objects are stored in the AD DS database, and
a copy of this data is stored on every domain controller in the AD DS domain. Because of this, the
AD DS database is fault-tolerant, and clients can access AD DS domain information at any AD DS
domain controller in the AD DS domain. AD DS provides a searchable hierarchical directory, and
provides a framework for applying configuration and security settings for objects in the
enterprise. You can use AD DS and Group Policy Objects (GPOs) to apply configuration and
security settings to user and computer accounts.
Question: What is an AD DS domain tree?
Answer: An AD DS domain tree is a collection of one or more AD DS domains that form a

contiguous namespace. For instance, if the first domain in the forest is adatum.com, you could
create an additional domain as a child domain in that namespace. An example is atl.adatum.com.
Sometimes it is beneficial to have more than one domain in the forest. When you add a domain
to an existing forest, you can add it as a child domain to an existing domain. This adds the
domain to the domain tree. You can also create the domain as a new domain tree in the forest.
An example of this would be if A. Datum Corporation, an established company with an AD DS
forest named adatum.com, acquired a company called Fabrikam, Inc. An additional tree called
fabrikam.com could be created in the adatum.com forest. Although the new domain is a new
domain tree and accompanying new namespace, it still is integrated with the existing forest.
Question: What is an AD DS forest?
Answer: An AD DS forest is a collection of one or more AD DS trees. Each AD DS tree will contain
one or more AD DS domains. The AD DS forest is the outermost boundary for the AD DS security
and administration.
Question: What are trust relationships?
Answer: Trust relationships (trusts) are authentication pipelines between different domains.
Some trusts are generated automatically as part of the domain installation process, and others
are trusts that you create manually for various reasons. Trust relationships form the framework
that allows resource sharing between domains, and they also provide the structure that supports
authentication between domains.
Question: What is the global catalog?
Answer: The global catalog provides a central directory of every object in the forest, and is
unique in each AD DS forest. Unlike the individual domain partitions that store a complete
writeable attribute set for all objects in the domain, the global catalog is a read-only list of some
attributes for every object in the forest. The global catalog makes it easy to locate objects from
different domains in a multidomain forest. For example, Microsoft Exchange Server uses the
global catalog to locate all email recipients in a forest.
Resources
Why Implement Multiple Forests?
Best Practice: As a best practice, choose the simplest design that achieves the required
goal, as it will be less costly to implement and more straightforward to administer.
Lesson 2
Deploying a Distributed AD DS Environment
Contents:
Resources 6
Demonstration: Installing a Domain Controller in a
New Domain in an Existing Forest 6
Resources
AD DS Domain Functional Levels
Additional Reading: To learn more about the AD DS domain functional levels, refer to
Understanding Active Directory Domain Services (AD DS) Functional Levels at
http://go.microsoft.com/fwlink/?LinkId=270028.
Demonstration: Installing a Domain Controller in a New Domain in an

Existing Forest
Demonstration Steps
Install the AD DS binaries on TOR-DC1
1. On TOR-DC1, in the Server Manager, click Add Roles and Features.
2. In the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, ensure that Role-based or feature-based installation is
selected, and then click Next.
4. On the Select destination server page, ensure that Select a server from the pool is selected. In the
Server Pool page, verify that TOR-DC1.Adatum.com is highlighted, and then click Next.
5. On the Select server roles page, select the Active Directory Domain Services check box, click Add
Features, and then click Next.
7. On the Active Directory Domain Services page, review the message, and then click Next.
8. On the Confirm installation selections page, review the message, and then click Install. Installation
will take several minutes.
9. On the Results page, click Promote this server to a domain controller. The wizard continues.
Configure TOR-DC1 as an AD DS domain controller using the AD DS Installation

Wizard
1. On the Deployment Configuration page, select the Add a new domain to an existing forest option,
and then, next to Select domain type, confirm that Child Domain is selected.
2. In the Parent domain name field, verify that Adatum.com is listed.
3. In the New domain name box, type NA, and then click Next.
4. On the Domain Controller Options page, ensure that Windows Server 2012 R2 is selected as the
Domain functional level, that Domain Name System (DNS) server is selected, and that Global
Catalog (GC) is selected.
5. In the Type the Directory Services Restore Mode (DSRM) password text boxes, type Pa$$w0rd in
both boxes, and then click Next.
6. On the DNS Options page, click Next.
7. On the following three windows (Additional Options, Paths, and Review Options), click Next. In
the Prerequisites Check window, click Install.
8. Review the information, and allow TOR-DC1 to reboot as an AD DS domain controller in the new
AD DS domain that you created in the AD DS forest.
9. Sign in to TOR-DC1 as NA\Administrator with the password Pa$$w0rd, and review some of the
AD DS tools to confirm the installation of the new domain.
Lesson 3
Configuring AD DS Trusts
Contents:
Resources 9
Demonstration: Configuring a Forest Trust 9
Resources
Configuring Advanced AD DS Trust Settings

Additional Reading:
For more information on configuring SID filter quarantining on external trusts, see
http://go.microsoft.com/fwlink/?LinkId=270030
For more information on enabling selective authentication over a forest trust, see
http://go.microsoft.com/fwlink/?LinkId=270046
For more information on name-suffix routing, see http://go.microsoft.com/fwlink/?LinkId=270047
Demonstration: Configuring a Forest Trust

Demonstration Steps
Configure DNS name resolution by using a conditional forwarder
1. On LON-DC1, in Server Manager, click the Tools menu, and in the drop-down list, click DNS. The
DNS manager opens.
2. In the DNS Manager, expand LON-DC1, click and then right-click Conditional Forwarders, and then
click New Conditional Forwarder.
3. In the New Conditional Forwarder window, in the DNS Domain: box, type TreyResearch.net.
4. In the IP addresses of the master servers: text box, type 172.16.10.10. Click in the open space, and
then click OK. (If an error displays, ignore it).
5. Close the DNS Manager.
6. Switch to TREY-DC1, and repeat steps 1 through 5. Use the domain name Adatum.com with the IP
address 172.16.0.10.
Configure a two-way selective forest trust

1. In LON-DC1, from the Tools menu, click Active Directory Domains and Trusts.
2. When the Active Directory Domains and Trusts window opens, right-click Adatum.com, and then
click Properties.
3. In the Adatum.com Properties dialog box, on the Trusts tab, click New Trust.
4. In the New Trust Wizard, click Next.
5. On the Trust Name page, in the Name text box, type treyresearch.net, and then click Next.
6. In the New Trust Wizard, click Forest trust, and then click Next.
7. In the Direction of Trust page, click Two-way, and then click Next.
8. In the Sides of Trust page, click Both this domain and the specified domain, and then click Next.
9. In the User name: text box, type Administrator. In the Password text box, type Pa$$w0rd, and then
click Next.
10. In the Outgoing Trust Authentication Level--Local Forest page, click Selective authentication,
11. In the Outgoing Trust Authentication Level-Specified Forest page, click Selective authentication,
12. In the Trust Selections Complete page, click Next.

13. In the Trust Creation Complete page, click Next.
14. In the Confirm Outgoing Trust page, click Yes, confirm the outgoing trust, and then click Next.
15. In the Confirm Incoming Trust page, click Yes, confirm the incoming trust, and then click Next.
16. On the Completing the New Trust Wizard page, click Finish.
17. In the Adatum.com Properties dialog box, click OK.


You receive error messages such as: DNS Usually, these errors are caused by a DNS record
lookup failure, RPC server unavailable, lookup failure or incorrectly configured firewall.
domain does not exist, or domain Ensure that at least two working DNS servers are
controller could not be found. available on the network. Ensure that every
computer has at least two DNS servers that are
configured in the network configuration.
Verify that DNS servers are able to successfully
resolve queries for DNS records outside of their
DNS domain (for instance, Internet addresses). Use
various troubleshooting tools such as nslookup,
dnslint, DCdiag, netdiag, repadmin, replmon, and
Event Viewer.
User cannot be authenticated to access Use the Active Directory Domains and Trusts
resources on another AD DS domain or console, (Domain.msc), or the command-line tool
Kerberos realm. Netdom to validate trust relationships. If
necessary, reset the trust password. Check to
ensure that trust relationships are configured for
the right direction.
Verify that all AD DS domain controllers have
registered all of the correct SRV records in the
DNS database. (You can restart the netlogon
service on an AD DS domain controller to force it
to reregister the SRV records in the DNS
database.)

Lab: Implementing Distributed AD DS Deployments
Question:
Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child
domain na.adatum.com?
Answer: You did this so that the Domain Name System running on LON-DC1 would be able to
locate a DNS server for the na.adatum.com DNS domain.
Question: What are the alternatives to creating a delegated subdomain record in the previous question?
Answer: On LON-DC1, you could create a stub zone for na.adatum.com to provide an up-to-
date list of the DNS servers for the na.adatum.com DNS domain. You also could configure on
LON-DC1 a secondary DNS zone file for na.adatum.com, but that would entail more DNS
replication traffic.
Question: When you create a forest trust, why would you create a selective trust instead of a complete
trust?
Answer: You would create a selective trust instead of a complete trust if you did not require a
full link-up between two forests, but wanted a strictly controlled amount of interactivity.
Implementing Active Directory Domain Services Sites and Replication 5-1
Module 5
Implementing Active Directory Domain Services Sites and
Replication
Contents:
Lesson 1: AD DS Replication Overview 2
Lesson 2: Configuring AD DS Sites 4
Lesson 3: Configuring and Monitoring AD DS Replication 6

Lesson 1
AD DS Replication Overview
Contents:
How AD DS Replication Works Within a Site

Question: Describe the circumstances that result when you manually create a connection object between
domain controllers within a site.
Answer: Creating a connection object manually is not typically required or recommended

because the KCC does not verify or use the manual connection object for failover. The KCC will
also not remove manual connection objects, which means that you must remember to delete
connection objects that you create manually.
Lesson 2
Configuring AD DS Sites
Contents:
Demonstration: Configuring AD DS Sites 5
Demonstration: Configuring AD DS Sites

Demonstration Steps
1. On LON-DC1, in the Server Manager, click Tools, and then click Active Directory Sites and Services.
2. In Active Directory Sites and Services, expand Sites, and then click Default-First-Site-Name.
3. Right-click Default-First-Site-Name, and then click Rename.
4. Type LondonHQ, and then press Enter.
5. In the navigation pane, right-click Sites, and then click New Site.
6. In the New Object Site dialog box, in the Name text box, type Toronto.
7. Select DEFAULTIPSITELINK, and then click OK.
8. In the Active Directory Domain Services dialog box, click OK.
9. In the navigation pane, right-click Subnets, and then click New Subnet.
10. In the New Object Subnet dialog box, in the Prefix text box, type 172.16.0.0/24.
11. Under Select a site object for this prefix, click LondonHQ, and then click OK.
12. In the navigation pane, right-click Subnets, and then click New Subnet.
13. In the New Object Subnet dialog box, in the Prefix text box, type 172.16.1.0/24.
14. Under Select a site object for this prefix, click Toronto, and then click OK.
15. In the navigation pane, expand LondonHQ, and then expand Servers.
16. Right-click TOR-DC1, and then click Move.
17. In the Move Server dialog box, select Toronto, and then click OK.
18. In the navigation pane, expand Toronto, and then expand Servers.
19. Verify that TOR-DC1 is now located in the Toronto Site.

Lesson 3
Configuring and Monitoring AD DS Replication
Contents:
Demonstration: Configuring AD DS Intersite Replication 7
Demonstration: Configuring Password Replication Policies 7
Demonstration: Configuring AD DS Intersite Replication

Demonstration Steps
1. On TOR-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services.
2. In Active Directory Sites and Services, expand Sites, and then expand Inter-Site Transports.
3. Click IP, right-click DEFAULTIPSITELINK, and then click Rename.
4. Type LON-TOR, and then press Enter.
5. Right-click LON-TOR, and then click Properties. Explain the Cost, Replicate every, and Change
Schedule options.
6. In the LON-TOR Properties dialog box, next to Replicate every, configure the value to be 60
minutes.
7. Click Change Schedule.
8. Highlight the range from Monday 12 PM to Friday 4 PM, as follows:
o Using the mouse, click at the Monday at 12:00 PM tile.
o With the mouse button still pressed down, drag the cursor to the Friday at 4:00 PM tile.
9. Click Replication Not Available and then click OK.
10. Click OK to close the LON-TOR Properties dialog box.
11. In the navigation pane, right-click IP, and then click Properties.
12. In the IP Properties dialog box, point out and explain the Bridge all site links option.
13. Click OK to close the IP Properties dialog box.
Demonstration: Configuring Password Replication Policies

Demonstration Steps
1. On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and
Computers.
2. In the console tree, expand the Adatum.com domain, and then click the Domain Controllers
organizational unit (OU).
3. Right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account.
4. In the Active Directory Domain Services Installation Wizard, on the Welcome page, click Next.
5. On the Network Credentials page, click Next.
6. On the Specify the Computer Name page, type LON-RODC1, and then click Next.
7. On the Select a Site page, click Toronto, and then click Next.
8. On the Additional Domain Controller Options page, click Next.
9. On the Delegation of RODC Installation and Administration page, click Next.
10. Review your selections on the Summary page, and then click Next.
11. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
12. In the console, click the Domain Controllers OU.
13. Right-click LON-RODC1, and then click Properties.
14. Click the Password Replication Policy tab, and then view the default policy.
15. Click Cancel to close LON-RODC1 Properties.
16. In the Active Directory Users and Computers console, click the Users container.
17. Double-click Allowed RODC Password Replication Group, and then click the Members tab.
18. Examine the default membership of Allowed RODC Password Replication Group, and then click OK.
There should be no members by default.
19. Double-click Denied RODC Password Replication Group.
20. Click the Members tab.
21. Click Cancel to close the Denied RODC Password Replication Group properties.

Best Practices
Implement the following best practices when you manage Active Directory sites and replication in
your environment: Always provide at least one or more global catalog servers per site.
Ensure that all sites have appropriate subnets associated.
Do not set up long intervals without replication when you configure replication schedules for intersite
replication.
Avoid using SMTP as a protocol for replication.
Tools
Tool Use Location
Active Directory Sites and Create sites, subnets, site- Server Manager Tools
Services console links, site-link bridging,
force replication, restart
KCC.
Repadmin.exe Report the status of Command line

replication on each domain
controller, create replication
topology and force
replication, view levels of
detail down to the
replication metadata.
Dcdiag.exe Performs a number of tests Command line

and reports on the overall
health of replication and
security for AD DS.
Get-ADReplicationConnection Specific Active Directory Windows PowerShell

replication connection or
set of Active Directory
replication connection
objects based on a specified
filter.
Get-ADReplicationFailure Description of an Active Windows PowerShell

Directory replication failure.
Get- Replication metadata for a Windows PowerShell

ADReplicationPartnerMetadata set of one or more
replication partners.
Get-ADReplicationSite Specific Active Directory Windows PowerShell

replication site or a set of
replication site objects
based on a specified filter.
Get-ADReplicationSiteLink Specific Active Directory Windows PowerShell

site-link or a set of site-links
Tool Use Location
Get- Specific Active Directory Windows PowerShell

ADReplicationSiteLinkBridge site-link bridge or a set of
site-link bridge objects
Get-ADReplicationSubnet Specific Active Directory Windows PowerShell

subnet or a set of Active
Directory subnets based on
a specified filter.
Review Question(s)
Question: Why is it important that all subnets are identified and associated with a site in a multisite
enterprise?
Answer: The process of locating domain controllers and other services can be made more
efficient by referring clients to the correct site based on the clients IP address and the definition
of subnets. If a client has an IP address that does not belong to a site, the client will query for all
domain controllers in the domain. This is not an efficient strategy. In fact, a single client can
perform actions against domain controllers in different sites, which can lead to unexpected
results if those changes have not yet replicated. Therefore, it is crucial that each client knows
what site it is in, which you can achieve by ensuring that domain controllers can identify what a
clients site location.
Question: What are the advantages and disadvantages of reducing the intersite replication interval?
Answer: Reducing the intersite replication interval improves convergence. Changes made in one
site replicate more quickly to other sites. There are actually few, if any, disadvantages. If you
consider that the same changes must replicate whether they wait 15 minutes or three hours to
replicate, it is primarily a matter of replication timing rather than replication quantity. However, in
some extreme situations, it is possible that allowing a smaller number of changes to occur more
frequently might be less preferable than allowing a large number of changes to replicate less
frequently.
Question: What is the purpose of a bridgehead server?
Answer: The bridgehead server is responsible for all replication into and out of the site. Instead
of replicating all domain controllers from one site with all domain controllers in another site, you
can use bridgehead servers to manage intersite replication. However, if a particular bridgehead
server is not specifically needed for performance reasons or other factors, it is considered a best
practice to let the ISTG choose the bridgehead servers from among the available pool of site
domain controllers.

Client cannot locate domain controller in Verify whether all SRV records for the domain
its site. controller are present in DNS.
Verify whether the domain controller has an IP
address from the subnet that is associated with that
site.
Verify that the client is a domain member and has
the correct time.
Replication between sites does not work. Verify whether site-links are configured correctly.
Verify the replication schedule.
Verify whether the firewall between the sites permits
traffic for Active Directory replication. Use repadmin
/bind.
Replication between two domain Verify whether both domain controllers appear in
controllers in the same site does not work. same site.
Verify whether AD DS is operating correctly on the
domain controllers.
Verify network communication, and that the time
on each server is valid.

Lab: Implementing AD DS Sites and Replication
Question: You decide to add a new domain controller to the LondonHQ site named LON-DC2. How can
you ensure that LON-DC2 is used to pass all replication traffic to the Toronto site?
Answer: You would have to configure this new domain controller as the preferred bridgehead
server for the LondonHQ site.
Question: You have added the new domain controller named LON-DC2 to the LondonHQ site. Which
AD DS partitions will be modified as a result?
Answer: It is likely that all of the partitions except the schema partition will be modified. You add
the new domain controller to both the domain partition and the configuration partition to
ensure that AD DS replication is configured correctly. If you are using Active Directoryintegrated
DNS, then the domain controller records also will update in the DNS application partitions.
Question: In the lab, you created a separate site-link for the Toronto and TestSite sites. What might you
also have to do to ensure that LondonHQ does not create a connection object directly with the TestSite
site automatically?
Answer: You may also have to turn off automatic site-link bridging so that you disable site
transitivity among LondonHQ, Toronto, and the TestSite.
Implementing AD CS 6-1
Module 6
Implementing AD CS
Contents:
Lesson 1: Using Certificates in a Business Environment 2
Lesson 2: PKI Overview 4
Lesson 3: Deploying CAs 6
Lesson 4: Deploying and Managing Certificate Templates 9
Lesson 5: Implementing Certificate Distribution and Revocation 11
Lesson 6: Managing Certificate Recovery 15

Lesson 1
Using Certificates in a Business Environment
Contents:
Demonstration: Signing a Document Digitally 3
Demonstration: Signing a Document Digitally

Demonstration Steps
1. On LON-CL1, open Windows PowerShell.
2. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter.
3. Click the File menu, and then select Add/Remove Snap-in.
4. Select Certificates, click Add, select My user account, click Finish, and then click OK.
5. Expand Certificates-Current User, right-click Personal, select All Tasks, and then click Request
New Certificate.
6. In the Certificate Enrollment Wizard, click Next twice.
7. On the Certificate Enrollment page, in the list of available templates, select User, click Enroll, and
then click Finish.
8. Close the Console 1 window without saving changes.
9. Open Microsoft Word 2013.
10. In a blank document, type some text, and then save the file to the desktop.
11. On the toolbar, click INSERT, and then in the Text pane, in the Signature Line drop-down list box,
click Microsoft Office Signature Line.
12. In the Signature setup window, type your name in the Suggested signer text box, type
Administrator in the Suggested signers title text box, type Administrator@adatum.com in the
Suggested signers email address text box, and then click OK.
13. Right-click the signature line in the document, and then click Sign
14. In the Sign window, click Change.
15. On the Certificate list, select the certificate with todays date, and then click OK.
16. In the text box right to the sign X, type your name, click Sign, and then click OK.
Note: Explain to the students that besides typing your name, you also can select an image
instead. This image can be your scanned, handwritten signature.
17. Ensure that the document cannot be edited anymore.
18. Close Word 2013, and save the changes when prompted.
19. Stay signed in for the next demonstration.

Lesson 2
PKI Overview
Contents:
What Is a Cross-Certification Hierarchy?

Question: Your company is currently acquiring another company. Both companies run their own PKI.
What could you do to minimize disruption and continue to provide PKI services seamlessly?
Answer: You could implement a cross-certification hierarchy.
Lesson 3
Deploying CAs
Contents:
Demonstration: Deploying a Root CA 7
Demonstration: Configuring CA Properties 7
Demonstration: Deploying a Root CA

Demonstration Steps
Deploy a root CA
1. On LON-SVR1, in the Server Manager, click Add roles and features.
2. On the Before You Begin page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select Active Directory Certificate Services. In the Add Roles and
Features Wizard, click Add Features, and then click Next.
7. On the Active Directory Certificate Services page, click Next.
8. On the Select role services page, ensure that Certification Authority is selected, and then click
Next.
10. On the Installation progress page, after the installation completes successfully, click the text
Configure Active Directory Certificate Services on the destination server.
11. In the AD CS Configuration Wizard, on the Credentials page, click Next.
12. On the Role Services page, select Certification Authority, and then click Next.
13. On the Setup Type page, select Enterprise CA, and then click Next.
14. On the CA Type page, click the Root CA option, and then click Next.
15. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
16. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider
(CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.
17. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click
Next.
18. On the Validity Period page, click Next.
19. On the CA Database page, click Next.
20. On the Confirmation page, click Configure.
21. On the Results page, click Close.

22. On the Installation progress page, click Close.
Demonstration: Configuring CA Properties

Demonstration Steps
1. On LON-SVR1, open the Server Manager, click Tools, and then click Certification Authority.
2. In the certsrv console, right-click AdatumRootCA, and then select Properties.
3. On the General tab, click View Certificate. When the Certificate window opens, review the data on
the General, Details, and Certification Path tabs, and then click OK.
4. On the Policy Module tab, click Properties. Review the settings available for the Default policy
module, and then click OK.
5. On the Exit Module tab, click Properties. Show the Publication Settings available in the default Exit
module, and then click OK.
6. On the Extensions tab, review the options available for the certificate revocation list distribution
point (CDP) and authority information access (AIA) locations.
7. On the Security tab, review the available options on the access control list (ACL), and then review the
default permissions.
8. On the Certificate Managers tab, review the options and explain how to restrict security principals to
specific certificate templates, and then click Cancel.
9. Close the certsrv console

Lesson 4
Deploying and Managing Certificate Templates
Contents:
Demonstration: Modifying and Enabling a Certificate Template 10
Demonstration: Modifying and Enabling a Certificate Template

Demonstration Steps
Modify and enable a certificate template
1. On LON-SVR1, on the taskbar, click the Server Manager icon.
2. In the Server Manager, click Tools, and then click Certification Authority.
3. In the Certification Authority console, expand AdatumRootCA, right-click Certificate Templates,

and then click Manage.
4. Review the list of default templates. Examine the templates and their properties.
5. In the Details pane, double-click IPsec.
6. In the IPsec Properties dialog box, scroll through the tabs, and note what you can modify on each
tab. Note that on the Security tab, you can define permissions for enrollment. Click Cancel to close
the template.
7. In the Certificate Templates console, in the Details pane, right-click the Exchange User certificate
template, and then click Duplicate Template.
8. In the Properties of New Template dialog box, review options on the Compatibility tab.
9. Click the General tab, and then in the Template display name text box, type Exchange User Test1.
10. Click the Superseded Templates tab, and then click Add.
11. Click the Exchange User template, and then click OK.
12. Click the Security tab, and then click Authenticated Users.
13. Under the Permissions for Authenticated Users node, select the Allow check boxes for Read,
Enroll, and Autoenroll, and then click OK.
14. Close the Certificate Templates console.
15. In the Certification Authority console, right-click Certificate Templates, point to New, and then click
Certificate Template to Issue.
16. In the Enable Certificate Templates dialog box, select the Exchange User Test1 certificate, and
then click OK.
Lesson 5
Implementing Certificate Distribution and Revocation
Contents:
Demonstration: Configuring the Restricted Enrollment Agent 12
Demonstration: Configuring an Online Responder 13
Demonstration: Configuring the Restricted Enrollment Agent

Demonstration Steps
Configure the Restricted Enrollment Agent
2. In the Server Manager console, click Tools, and then open the Certification Authority.
3. In the certsrv console, expand AdatumRootCA, right-click Certificate Templates, and then click
Manage.
4. In the Certificate Templates console, double-click Enrollment Agent, click the Security tab, and then
click Add.
5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names,
and then click OK.
6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions, and then click
OK.
8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate
Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.
10. Switch to LON-CL1, and sign in as Adatum\Allie with the password Pa$$w0rd.
11. On the Start screen, type mmc.exe, and then press Enter.
12. In Console1, open the File menu, and then click Add/Remove Snap-in.
13. Click Certificates, click Add, and then click OK.
14. Expand Certificates Current User, and then click Personal.
15. Right-click Personal, point to All Tasks, and then click Request New Certificate.
16. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
17. On the Select Certificate Enrollment Policy page, click Next.
18. On the Request Certificates page, select Enrollment Agent, click Enroll, and then click Finish.
20. In the Certification Authority console, right-click AdatumRootCA, and then click Properties.
21. In the AdatumRootCA Properties dialog box, click the Enrollment Agents tab.
22. On the Enrollment Agents tab, click Restrict Enrollment agents.
23. In the pop-up window, click OK.
24. On the Enrollment Agents tab, under Enrollment Agents, click Add.
25. In the Select User, Computer, or Group window, type Allie, click Check Names, and then click OK.
26. Click Everyone, and then click Remove.
27. In the certificate templates section, click Add.
28. In the list of templates, select User, and then click OK.
29. In the Certificate Templates section, click <All>, and then click Remove.
30. In the permission section, click Add.
31. In the Select User, Computer, or Group window, type Marketing, click Check Names, and then click
OK.
32. In the Permission section, click Everyone, click Remove, and then click OK.
Demonstration: Configuring an Online Responder

Demonstration Steps
Configure an Online Responder
2. In the Server Manager, click Add roles and features.
3. Click Next three times.
4. On the Select server roles page, expand Active Directory Certificate Services (1 of 6 installed),
and then select Online Responder.
5. Click Add Features.
6. Click Next two times, and then click Install.
7. When the message displays that installation is successful, click Configure Active Directory
Certificate Services on the destination server.
8. In the AD CS Configuration Wizard, click Next.
9. Select Online Responder, and then click Next.
10. Click Configure, and then click Close two times.
11. In the Server Manager console, click Tools, and then click the Certification Authority console on
LON-SVR1.
12. In the Certification Authority console, right-click AdatumRootCA, and then click Properties.
13. In the AdatumRootCA Properties dialog box, on the Extensions tab, in the Select extension list,
click Authority Information Access (AIA), and then click Add.
14. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK.
15. Select the Include in the AIA extension of issued certificates check box.
16. Select the Include in the online certificate status protocol (OCSP) extension check box, and then
click OK.
17. In the Certificate Authority box, restart Active Directory Certificate Services by clicking Yes.
18. In the certsrv console, expand AdatumRootCA, right-click the Certificate Templates folder, and
then click Manage.
19. In the Certificate Templates console, double-click the OCSP Response Signing template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab. Under Permissions for
Authenticated Users, select the Allow for Enroll check box, and then click OK.
22. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and
then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and
then click OK.
24. On LON-SVR1, in Server Manager, click Tools, and then click Online Responder Management.
25. In the Online Responder Management console, right-click Revocation Configuration, and then click
Add Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name text box, type AdatumCA Online
Responder, and then click Next.
28. On the Select CA Certificate Location page, click Next.
29. On the Choose CA Certificate page, click Browse, click the AdatumRootCA certificate, click OK, and
then click Next.
30. On the Select Signing Certificate page, verify that both Automatically select a signing certificate
is selected and Auto-Enroll for an OCSP signing certificate are selected, and then click Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status will display as
Working.
32. Close the Online Responder console.

Lesson 6
Managing Certificate Recovery
Contents:
Demonstration: Configuring a CA for Key Archival 16
Demonstration: Recovering a Lost Private Key 17
Demonstration: Configuring a CA for Key Archival

Demonstration Steps
Configure automatic key archival
1. On LON-SVR1, open the Certification Authority console.
2. In the Certificate Authority console, expand the AdatumRootCA node, right-click the Certificate
Templates folder, and then click Manage.
3. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.
4. In the Key Recovery Agent Properties dialog box, on the Issuance Requirements tab, clear the CA
certificate manager approval check box.
Note: This is for test purposes only. In a production environment, you should not change
this value.
5. On the Security tab, notice that Domain Admins and Enterprise Admins are the only groups that
have the Enroll permission, and then click OK. Make no changes here.
6. Close the Certificates Templates console.
7. In the Certificate Authority console, right-click Certificate Templates, click New, click Certificate
Template to issue, click Key Recovery Agent, and then click OK. This process configures a CA to
issue certificates based on the Key Recovery Agent template.
8. Click the Start screen, type mmc.exe, and then press Enter.
9. In the Console 1 window, click File, and then click Add/remove Snap-In.
10. On the Add/Remove Snap-ins page, select Certificates, and then click Add.
11. Select My user account, click Finish, and then click OK.
12. Expand Certificates - Current User, and then click Personal. Right-click Personal, select All tasks,
and then click Request New Certificate.
13. In the Certificate Enrollment Wizard, click Next twice.

14. On the Request Certificates page, select Key Recovery Agent, and then click Enroll.
15. Click Finish.
16. Confirm that the new certificate displays in the Certificates store. If it displays, then you have enrolled
the Administrator as the KRA. Minimize the Certificates console.
17. Open the properties of AdatumRootCA.
18. On the Recovery Agents tab, click Archive the Key, click Add, and then select the Administrator
certificate. Click OK.
19. Click OK, and then click Yes to restart AD CS.
20. Right-click Certificate Templates, and then click Manage.
21. Double-click the Exchange User Test1 certificate to open the Properties dialog box. On the
Request Handling tab, click both Archive subjects encryption private key and Include
symmetric algorithms allowed by the subject. If a popup window displays, click OK.
22. Click OK to close the template.

Demonstration: Recovering a Lost Private Key

Demonstration Steps
Recover a lost private key
1. On LON-SVR1, click to the Start screen, type mmc.exe, and then press Enter.
2. Click File, and then click Add/Remove Snap-in.
3. Select Certificates, and then click Add.
4. Click My user account, click Finish, and then click OK.
5. Expand Certificates - Current User, expand Personal, and right-click Certificates. Select All tasks,
and then click Request New Certificate. Click Next twice.
6. Enroll for the Exchange User Test1 certificate by using the wizard. When you select the Exchange
User Test1 template in the wizard, click to open settings to enter Subject name. In the Type list, click
Email, in the value field, type administrator@adatum.com, click Add, click OK, and then click
Enroll. Click Finish.
7. Verify that the certificate displays in the Personal->Certificates store.
8. Simulate a lost private key by deleting the administrator@adatum.com certificate from the Personal
certificate store. Right-click administrator@adatum.com, click Delete, and then click Yes. Minimize
the Certificates (Console1) console.
9. In the Certification Authority console, in the Issued Certificates folder, double-click the certificate
with Exchange User Test1 as the template name. This is the certificate that you issued in an earlier
step. From the Details tab, record the serial number. (You can copy and paste it to Notepad, and
then remove spaces between numbers.)
10. Open a command-prompt window with elevated privileges. (On the Start menu, type cmd, right-click
Command Prompt, and then click Run as Administrator.)
11. In the command-prompt window, switch to the root of drive C by typing cd.., and then press Enter.
(You might have to do this twice.)
12. Select the certificate serial number from Notepad, right-click it, and then select Copy.
13. Switch back to the command-prompt window, and type the following command, where
<serialnumber> is a number that you paste from Notepad:
Certutil -getkey <serialnumber > outputblob
Press Enter.
Note: If a question mark appears at the beginning of the number after you paste it in,
delete it. Also, ensure that you remove all spaces from the serial number, or enclose the serial
number in quotation marks.
14. After the command completes successfully, open drive C and verify that the Outputblob file displays.
15. Switch back to the command-prompt window. At a command prompt, type the following, and then
press Enter:
Certutil -recoverkey outputblob recover.pfx
16. When prompted, type Pa$$w0rd as the new password, and then confirm the password.
17. Browse to drive C, and then verify that the Recover.pfx filethe recovered keyis created.
18. Right-click the file recover.pfx, and then click Install PFX. (Note: If Install PFX option is not available,
select Open with, and then click Crypto Shell Extensions.)
19. Click Next two times.
20. Enter the password Pa$$w0rd, click Next twice, click Finish, and then click OK.
21. Restore the Certificates console (Console 1). Refresh the Certificates store.
22. Verify that the administrator@adatum.com certificate now displays.


Best Practices
When you deploy CA infrastructure, deploy a stand-alone (non-domain-joined) root CA, and an
enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives a certificate from
the root CA, take the root CA offline.
Issue a certificate for the root CA for a long period of time, such as 15 or 20 years.
Use autoenrollment for certificates that are widely used.
Use a Restricted Enrollment Agent whenever possible.
Use Virtual Smart Cards to improve logon security.
Review Question(s)
Question: What are some reasons that an organization would utilize PKI?
Answer: An organization would utilize PKI to improve security, identity control, and digital
signing of code.
Question: What are some reasons that an organization would use an enterprise root CA?
Answer: If an organization wants to use only one CA, and wants to use certificate templates and
autoenrollment, then an enterprise root CA will be the only choice.
Question: List the requirements to use autoenrollment for certificates.
Answer: To use autoenrollment for certificates, you must have an enterprise CA, and you must
configure Group Policy options. In addition, you must enable autoenrollment for the desired
certificates, and you must configure Group Policy Objects.
Question: What are the steps to configure an Online Responder?
Answer: To configure an Online Responder, you must create Responder Configuration, and you
must enroll for an OCSP Signing certificate. You must also add a Responder URL to AIA.

Contoso, Ltd. wants to deploy PKI to support and secure several services. They have decided to use
Windows Server 2012 Certificate Services as a platform for PKI. Certificates will be primarily used for EFS,
digital signing, and for web servers. Because documents that will be encrypted are important, it is crucial
to have a disaster recovery strategy in case of key loss. In addition, clients that will access secure parts of
the company website must not receive any warning in their browsers.
What kind of deployment should Contoso select?
What kind of certificates should Contoso use for EFS and digital signing?
What kind of certificates should Contoso use for a website?
How will Contoso ensure that EFS-encrypted data is not lost if a user loses a certificate?
Tools
Certificate Authority console
Certificate Templates console
Certificates console
Certutil.exe

The location of the CA certificate that the Use the Certification Authority snap-in to
AIA extension specifies is not configured to configure the AIA extension to include the
include the certificate name suffix. Clients certificate name suffix in each location.
may not be able to locate the correct
version of the issuing CA's certificate to
build a certificate chain, and certificate
validation may fail.
CA is not configured to include CRL Use the CA snap-in to configure the CRL
distribution point locations in the distribution point extension and to specify the
extensions of issued certificates. Clients network location of the CRL.
may not be able to locate a CRL to check The default locations of the CRL are added to
the revocation status of a certificate, and the CRL distribution point extension settings
certificate validation may fail. during CA installation, and the CA is
configured to include the default locations in
the extensions of all issued certificates.
CA was installed as an enterprise CA, but Use the Group Policy Management Console to
Group Policy settings for user configure user autoenrollment policy settings,
autoenrollment have not been enabled. An and use the Certificate Templates snap-in to
enterprise CA can use autoenrollment to configure autoenrollment settings on the
simplify certificate issuance and renewal. If certificate template.
autoenrollment is not enabled, certificate
issuance and renewal may not occur as
expected.

Lab A: Deploying and Configuring a CA Hierarchy
Question: Why is it not recommended to install just an enterprise root CA?
Answer: For security reasons, root CAs should be offline, without any network access. A root
enterprise CA cannot be offline, so there is no maximum protection for its key.
Lab B: Deploying and Managing Certificates

Question: What is the main benefit of OCSP over CRL?
Answer: OCSP provides status for a single certificate that clients request, instead of downloading
the entire CRL and delta CRLs. In addition, responses are much faster and more reliable, because
clients do not cache them.
Question: What must you do to recover private keys?
Answer: To recover private keys, you must configure CA to archive private keys for specific
templates, and you must issue a Key Recovery Agent (KRA) certificate.
Implementing Active Directory Rights Management Services 07-1
Module 7
Implementing Active Directory Rights Management Services
Contents:
Lesson 2: Deploying and Managing an AD RMS Infrastructure 2
Lesson 3: Configuring AD RMS Content Protection 5
Lesson 4: Configuring External Access to AD RMS 8

Lesson 2
Deploying and Managing an AD RMS Infrastructure
Contents:
Demonstration: Installing the First Server of an AD RMS Cluster 3
Demonstration: Installing the First Server of an AD RMS Cluster

Demonstration Steps
Configure Service Account
1. On LON-DC1, in the Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. Select and then right-click Adatum (local), click New, and then click Organizational Unit.
3. In the Create Organizational Unit dialog box, in the Name text box, type Service Accounts, and
then click OK.
4. Right-click the Service Accounts organizational unit (OU), click New, and then click User.
5. In the Create User dialog box, enter the following details, and then click OK:
o First name: ADRMSSVC
o User UPN logon: ADRMSSVC
o Password: Pa$$w0rd
o Confirm Password: Pa$$w0rd
o Password never expires: Enabled
o User cannot change password: Enabled
6. Close the Active Directory Administrative Center.
Prepare DNS
1. In the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, and then expand Forward Lookup Zones.
3. Select and then right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host dialog box, enter the following information, and then click Add Host:
o Name: adrms
o IP address: 172.16.0.21
5. Click OK, and then click Done.
6. Close the DNS Manager console.
Install the AD RMS role

1. Sign in to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In the Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next three times.
4. On the Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next four
times.
6. Click Install, and when it finishes, click Close.
Configure AD RMS
1. In Server Manager, click the AD RMS node.
2. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1,
click More.
3. On the All Servers Task Details and Notifications page, click Perform additional configuration.
4. In the AD RMS Configuration: LON-SVR1.Adatum.com dialog box, click Next.
5. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.
6. On the Configuration Database page, click Use Windows Internal Database on this server, and
then click Next.
7. On the Service Account page, click Specify.
8. In the Windows Security dialog box, enter the following details, click OK, and then click Next:
o Username: ADRMSSVC
9. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.
10. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then
click Next.
11. On the Cluster Key Password page, enter the password Pa$$w0rd twice, and then click Next.
12. On the Cluster Web Site page, verify that the Default Web Site is selected, and then click Next.
13. On the Cluster Address page, provide the following information, and then click Next:
o Connection Type: Use an unencrypted connection (http://)
o Fully-Qualified Domain Name: adrms.adatum.com
o Port: 80
14. On the Licensor Certificate page, type Adatum AD RMS, and then click Next.
15. On the SCP Registration page, click Register the SCP now, and then click Next.
16. Click Install, and then click Close. The installation might take several minutes.
17. Click to the Start screen, click Administrator, and then click Sign Out.
Note: You must sign out before you can manage AD RMS.
Lesson 3
Configuring AD RMS Content Protection
Contents:
Resources 6
Demonstration: Creating a Rights policy Template 6
Demonstration: Creating an Exclusion Policy to Exclude an Application 6
Resources
What Are Exclusion Policies?
Additional Reading: To find out more about enabling exclusion policies, see Enabling
Exclusion Policies at http://go.microsoft.com/fwlink/?LinkId=270031.
Demonstration: Creating a Rights policy Template

Demonstration Steps
1. In the Server Manager, click Tools, and then click Active Directory Rights Management Services.
2. In the Active Directory Rights Management Services console, click the lon-svr1 (Local)\Rights Policy
Templates node.
3. In the Actions pane, click Create Distributed Rights Policy Template.
4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification
Information page, click Add.
5. On the Add New Template Identification Information page, enter the following information, then
click Add, and then click Next:
o Language: English (United States)

o Name: ReadOnly
o Description: Read-only access. No copy or print.
6. On the Add User Rights page, click Add.
7. On the Add User or Group page, type executives@adatum.com, and then click OK.
8. When executives@adatum.com is selected, under Rights, click View. Verify that Grant owner
(author) full control right with no expiration is selected, and then click Next.
9. On the Specify Expiration Policy page, choose the following settings, and then click Next:
o Content Expiration: Expires after the following duration (days): 7
o Use license expiration: Expires after the following duration (days): 7
10. On the Specify Extended Policy page, click Require a new use license every time content is
consumed (disable client-side caching), click Next, and then click Finish.
Demonstration: Creating an Exclusion Policy to Exclude an Application

Demonstration Steps
1. On LON-SVR1, switch to the Active Directory Rights Management Services console.
2. Click the Exclusion Policies node, and then click Manage application exclusion list.
3. In the Actions pane, click Enable Application Exclusion.
4. In the Actions pane, click Exclude Application.
5. In the Exclude Application dialog box, enter the following information, and then click Finish:
o Application File name: Powerpnt.exe
o Minimum version: 14.0.0.0

o Maximum version: 16.0.0.0

Lesson 4
Configuring External Access to AD RMS
Contents:
Resources 9
Resources
Options for Enabling External Users with AD RMS Access
Additional Reading: To learn more about AD RMS Trust Policies, see

http://go.microsoft.com/fwlink/?LinkId=270032.
Implementing TPD
Additional Reading: To learn more about importing TPDs, see Add a Trusted Publishing
Domain at http://go.microsoft.com/fwlink/?LinkId=270033.
Sharing AD RMSProtected Documents by Using a Microsoft Account
Additional Reading: To can learn more about using Windows Live ID to establish RACs for
users, see http://go.microsoft.com/fwlink/?LinkId=270034.

Best Practices
Before you deploy AD RMS, you must analyze your organizations business requirements and create
the necessary templates. You should meet with users to inform them of AD RMS functionality, and ask
for feedback on the types of templates that they would like to have available.
Strictly control membership of the Super Users group. Users in this group can access all protected
content. Granting a user membership of this group gives them complete access to all AD RMS
protected content.
Tools
Tool Where is it?
Active Directory Rights Management Service Server Manager, Tools

Administration Console
Active Directory Administrative Center Server Manager, Tools
Windows PowerShell Start Screen, Desktop Task Bar
File Services Resource Manager Server Manager, Tools
Regedit.exe Type in Run text box or command prompt

If you enable the Super Users Group, you also enable success and failure auditing for Audit account
management and Audit directory services access.
Review Question(s)
Question: What are the benefits of having an SSL certificate installed on the AD RMS server when you are
performing AD RMS configuration?
Answer: You can protect the connection between clients and the AD RMS server with SSL.
Question: You need to provide access to AD RMSprotected content to five users who are unaffiliated
contractors, and who are not members of your organization. Which method should you use to provide
this access?
Answer:
Use Microsoft account to provide RAC to the unaffiliated contractors.
Question: You want to block users from protecting Microsoft PowerPoint content by using AD RMS
templates. What steps should you take to accomplish this goal?
Answer: You should configure an application exclusion for the PowerPoint application.

Lab: Implementing AD RMS
Question: What considerations should you make and steps you can take when you use the AD RMS role?
Answer: Answers may include:
Whether to install a full version of the SQL Server database server or use the internal
database when configuring the initial AD RMS install.
Use the default HTTPS or HTTP web server configuration.
Thoroughly review Windows Azure Rights Management, which may be used instead of
a local deployment of an AD RMS infrastructure.
Implementing and Administering AD FS 08-1
Module 8
Implementing and Administering AD FS
Contents:
Lesson 2: Deploying AD FS 2
Lesson 3: Implementing AD FS for a Single Organization 4
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario 8
Lesson 5: Extending AD FS to External Clients 10

Lesson 2
Deploying AD FS
Contents:
Demonstration: Installing the AD FS Server Role 3
Demonstration: Installing the AD FS Server Role

Demonstration Steps
Install Active Directory Federation Services (AD FS)
1. On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-DC1.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box, and
then click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
9. Wait until installation is complete, and then click Close.
Add a Domain Name System (DNS) record for AD FS

1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.10, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
7. Close DNS Manager.
Configure AD FS
1. In the Server Manager, click the Notifications icon, and then click Configure the federation service
on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
6. On the Specify Service Account page, click Create a Group Managed Service Account.
7. In the Account Name box, type ADFS, and then click Next.
8. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
9. On the Review Options page, click Next.
10. On the Pre-requisite Checks page, click Configure.

Lesson 3
Implementing AD FS for a Single Organization
Contents:
Demonstration: Configuring Claims Provider and Relying Party Trusts 5
Demonstration: Configuring Claims Provider and Relying Party Trusts

Demonstration Steps
Configure a Claims Provider Trust
1. On LON-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider
Trusts.
3. Right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click
Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type:
o E-Mail-Addresses: E-Mail Address
o User-Principal-Name: UPN
9. Click Finish, and then click OK.
Configure a certificate for a web-based app

1. On LON-SVR1, in Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select the Do not
show this message check box, and then click No.
3. In IIS Manager, click LON-SVR1 (ADATUM\Administrator), double-click Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the following and
then click Next.
o Common name: lon-svr1.adatum.com
o Organization: A. Datum
o Organizational unit: IT
o City/locality: London
o State/Province: England
o Country/region: GB
6. On the Online Certification Authority page, and then click Select.
7. In the Select Certification Authority window, click AdatumCA, and then click OK.
8. On the Online Certification Authority page, in the Friendly name box, type AdatumTestApp
Certificate, and then click Finish.
9. In IIS Manager, expand LON-SVR1 (ADATUM\Administrator), expand Sites, click Default Web
Site, and then in the Actions Pane, click Bindings.
10. In the Site Bindings window, click Add.
11. In the Add Site Binding window, in the Type box, select https.
12. In the SSL certificate box, select AdatumTestApp Certificate, and then click OK.
13. In the Site Bindings window, click Close.
14. Close Internet Information Services (IIS) Manager.
Configure a Windows Identity Foundation (WIF) application for AD FS

1. On LON-SVR1, in the Server Manager, click Tools, and then click Windows Identity Foundation
Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application configuration
location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the
sample web.config file.
3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the

path to the sample application that will trust the incoming claims from the federation server, and
then click Next to continue.
4. On the Security Token Service page, click Use an existing STS, and in the STS WS-Federation
metadata document location box, type https://adfs.adatum.com/federationmetadata/2007-
06/federationmetadata.xml, and then click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then
click Next.
8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and then
click Finish.
9. In the Success window, click OK.
Configure a Relying Party Trust

1. On LON-DC1, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.
3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published online or
on a local network.
5. In the Federation Metadata address (host name or URL) box, type https://lon-
svr1.adatum.com/adatumtestapp/, and then click Next. This downloads the metadata configured
in the previous section.
6. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and then
click Next.
7. On the Configure Multi-factor Authentication Now page, click I do not want to configure multi-
factor authentication settings for this relying party trust at this time, and then click Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying
party, and then click Next.
9. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next.
10. On the Finish page, click Close.
11. Leave the Edit Claim Rules for A. Datum Test App window open for the next demonstration.
Lesson 4
Deploying AD FS in a Business-to-Business Federation
Scenario
Contents:
Demonstration: Configuring Claim Rules 9
Demonstration: Configuring Claim Rules

Demonstration Steps
1. On LON-DC1, in the AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the
Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click
Next.
3. In the Claim rule name box, type Send Group Name Rule.
4. In the Incoming claim type drop-down list, click Group, and then click Finish.
5. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab,
click the rule named Permit Access to All Users, and then click Remove Rule.
6. Click Yes to confirm.
Note: If you do not configure rules, users are not permitted access.
7. On the Issuance Authorization Rules tab, click Add Rule.
8. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
9. On the Configure Rule page, in the Claim rule name box, type Permit Production Group Rule.
10. In the Incoming claim type drop-down list, select Group.
11. In the Incoming claim value box, type Production, click Permit access to users with this
incoming claim, and then click Finish.
12. On the Issuance Authorization Rules tab, click Add Rule.
13. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users
Based on an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Allow A. Datum Users.
15. In the Incoming claim type drop-down list, select UPN.
16. In the Incoming claim value box, type @adatum.com, click Permit access to users with this
incoming claim, and then click Finish.
17. Click the Allow A. Datum Users rule, and then click Edit Rule.
18. In the Edit Rule Allow Adatum Users dialog box, click View Rule Language.
19. Click OK, and then click Cancel.
20. In the Edit Claim Rules for A. Datum Test App window, click OK.
Lesson 5
Extending AD FS to External Clients
Contents:
Demonstration: Installing and Configuring Web Application Proxy 11
Demonstration: Installing and Configuring Web Application Proxy

Demonstration Steps
Install the Web Application Proxy
1. On LON-SVR2, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, expand Remote Access (1 of 3 installed), select the Web
Application Proxy check box, and then click Next.
8. On the Installation progress page, click Close.
Export the adfs.adatum.com certificate from LON-DC1

1. On LON-DC1, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.
16. Close the Microsoft Management Console and do not save the changes.
Import the adfs.adatum.com certificate on LON-SVR2

1. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on),
and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
8. Right-click Personal, point to All Tasks, and then click Import.
9. In the Certificate Import Wizard, click Next.
10. On the File to Import page, in the File name box, type \\LON-DC1\c$\adfs.pfx, and then click
Next.
11. On the Private key protection page, in the Password box, type Pa$$w0rd.
12. Select the Mark this key as exportable check box, and then click Next.
13. On the Certificate Store page, click Place all certificates in the following store.
14. In the Certificate store box, select Personal, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.
16. Click OK to clear the success message.
17. Close the Microsoft Management Console and do not save the changes.
Configure the Web Application Proxy

1. On LON-SVR2, in the Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following information, and then click Next:
o Federation service name: adfs.adatum.com
o User name: Adatum\Administrator
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy
box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.
7. Leave the Remote Access Management Console open for the next task.
Configure an Application
1. On LON-SVR2, in the remote Access Management Console, click Web Application Proxy, and then
click Publish.
2. In the Publish New Application Wizard, on the Welcome page, click Next.
3. On the Preauthentication page, click Pass-through, and then click Next.
4. On the Publishing Settings page, in the Name box, type External App.
5. In the External URL and Backend server URL boxes, type https://adfs.adatum.com/externalapp/.
6. In the External certificate box, select adfs.adatum.com, and then click Next.
7. On the Confirmation page, click Publish.


Question: Your organization is planning to implement AD FS. In the short term, only internal clients will
be using AD FS to access internal applications. However, in the long run, you will be providing access to
web-based applications that are secured by AD FS to users at home. How many certificates should you
obtain from a third party CA?
Answer: The only AD FS certificate that needs to be trusted is the service-communication

certificate. The token-signing and token-decrypting certificates can be left as self-signed.
Therefore, only a single certificate from a third party is required.
Question: Your organization has an application for customers that enables them to view their orders and
invoices. Currently, all customers have a user name and password that is managed within the application.
To simplify access to the application and reduce support calls, your organization has rewritten the
application to support AD FS for authentication. What do you need to configure to support the
application?
Answer: You need to perform the following tasks:
1. Configure the application to trust incoming claims. Use the WIF Federation Utility to
configure the application.
2. Configure a relying-party trust for the application. This configures AD FS to provide

claims to the application for authorized users.
3. Configure claim rules for the relying-party trust. This configures which information is
provided to the application.
Question: Your organization has an application for customers that enables them to view their orders and
invoices. Currently, all customers have a user name and password that is managed within the application.
To simplify access to the application and reduce support calls, your organization has rewritten the
application to support AD FS for authentication. A Web Application Proxy is being configured to support
application access over the Internet. Internally, your AD FS server uses the host name adfs.contoso.com
and resolves to 10.10.0.99. How will you allow external partners to resolve adfs.contso.com to the external
IP address of Web Application Proxy?
Answer: Use split DNS to allow the proper resolution of adfs.contoso.com to the correct IP
address internally and externally. The internal DNS server resolves adfs.contoso.com to the
internal IP address of the AD FS server. The external DNS server resolves adfs.contoso.com to the
external IP address of Web Application Proxy.
Question: Your organization has implemented a single AD FS server and a single Web Application Proxy
successfully. Initially, AD FS was used for only a single application, but now it is being used for several
business-critical applications. However, you must configure AD FS to be highly available.
During the installation of AD FS, you selected to use the Windows Internal Database. Can you use this
database in a highly available configuration?
Answer: Yes, you can use the Windows Internal Database to support up to five AD FS servers.
The first AD FS server is the primary server where all configuration changes take place. Changes
in the primary server replicate to the other AD FS servers.
Question: Your organization wants to control access to applications that are available from the Internet
by using Workplace Join. Web Application Proxy is in place to protect internal applications and AD FS.
What DNS changes do you need to perform so that devices can locate the Web Application Proxy during
the Workplace Join process?
Answer: Devices identify the server name based on the UPN name provided during the
workplace-join process. Assuming that your organization uses only a single UPN name, you need
to create a host record for enterpriseregistration.yourdomainname.com that resolves to the IP

address of the Web Application Proxy server.

Lab A: Implementing AD FS
Question: Why was it important to configure adfs.adatum.com to use as a host name for the AD FS
service?
Answer: If you use the host name of an existing server for the AD FS server, you will not be able
to add additional servers to your server farm. All servers in the server farm must share the same
host name when they provide AD FS services. The AD FS proxy servers also use the host name for
AD FS.
Question: How can you test whether AD FS is functioning properly?
Answer: You can access https://hostname/federationmetadata/2007-06/federationmetadata.xml

on the AD FS server.
Lab B: Implementing AD FS for External Partners and Users

Question: Why does using certificate from a trusted provider on the Internet negate the need to
configure certificate trusts between organizations?
Answer: In this lab, you need to configure certificate trusts because the certificates were
internally generated by each organization. The CA certificate for each organization was
configured as trusted in the other organization so that the certificates issued by each
organization would be trusted.
If you use certificates from a trusted provider on the Internet, that provider is already trusted by
the other organization. Consequently, certificates are automatically trusted.
Note that on rare occasions, high-security environments may have chosen to remove trusted root
certification authorities that are installed by default. Additionally, if updates to trusted root
certification authorities are not applied, certificates issued by some public certification authorities
may not be trusted.
Question: Could you have created authorization rules in Adatum.com and achieved the same result if you
had instead created authorization rules in TreyResearch.net?
Answer: Yes. However, to allow the authorization rules to be configured at Adatum.com, the
implementation of AD FS at TreyResearch.net must pass through the group membership claims
to AD FS at Adatum.com.
Implementing Network Load Balancing 9-1
Module 9
Implementing Network Load Balancing
Contents:
Lesson 2: Configuring an NLB Cluster 2

Lesson 2
Configuring an NLB Cluster
Contents:
Demonstration: Deploying NLB 3
Demonstration: Configuring NLB Affinity and Port Rules 3
Demonstration: Deploying NLB

Demonstration Steps
Create a Windows Server 2012 R2 NLB cluster
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd, and on the taskbar,
click the Server Manager icon.
2. In the Server Manager console, click the Tools menu, and then click Windows PowerShell ISE.
3. In the Windows PowerShell ISE window, enter the following command, and then press Enter:
Invoke-Command -Computername LON-SVR1,LON-SVR2 -command {Install-WindowsFeature

NLB,RSAT-NLB}
4. Enter the following command, and then press Enter:
New-NlbCluster -InterfaceName "Ethernet" -OperationMode Multicast -ClusterPrimaryIP

172.16.0.42 -ClusterName LON-NLB
5. Enter the following command, and then press Enter:
Add-NlbClusterNode -InterfaceName "Ethernet" -NewNodeName "LON-SVR2" -

NewNodeInterface "Ethernet"
6. In the Server Manager console, click the Tools menu, and then click Network Load Balancing
Manager.
7. Verify that nodes LON-SVR1 and LON-SVR2 display with the status of Converged for the LON-NLB
cluster.
8. Right-click the LON-NLB cluster, and then click Cluster properties.
9. In the LON-NLB(172.16.0.42) dialog box, on the Cluster Parameters tab, verify that the cluster is
set to use the Multicast operations mode.
10. On the Port Rules tab, verify that there is a single port rule named All that starts at port 0 and ends
at port 65535 for both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), and
uses Single affinity.
11. Click OK to close the dialog box.
Demonstration: Configuring NLB Affinity and Port Rules

Demonstration Steps
Configure affinity for NLB cluster nodes
1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type the following commands, and press Enter after each
command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath "C:\porttest" -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678
Configure NLB port rules

1. On LON-SVR1, in Server Manager, click Tools, and then click Network Load Balancing Manager.
2. In the Network Load Balancing Manager console, right-click LON-NLB, and then click Cluster
Properties.
3. In the LON-NLB(172.16.0.42), on the Port Rules tab, select the All port rule, click Remove, and
then click OK to close the LON-NLB(172.16.0.42).
Properties.
5. In the LON-NLB(172.16.0.42), on the Port Rules tab, click Add.
6. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Port range: 80 to 80
o Protocols: Both
o Filtering mode: Multiple Host
o Affinity: None
7. Click OK to close the LON-NLB(172.16.0.42).
Properties.
9. On the Port Rules tab, click Add.
10. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
o Port range: 5678 to 5678
o Protocols: Both
o Filtering mode: Single Host
11. Click OK to close the LON-NLB(172.16.0.42).
12. In the Network Load Balancing Manager console, right-click LON-SVR1, and then click Host
Properties.
13. On the Port Rules tab, click the port rule that has 5678 as the Start and End value, and then click
Edit.
14. Click the Handling priority value, and change it to 10.


Question: You have created a four-node Windows Server 2012 NLB cluster. The cluster hosts a website
that is hosted on IIS. What happens to the cluster if you shut down the World Wide Web publishing
service on one of the nodes?
Answer: Nothing will happen, because NLB only detects server failure and not the failure of a
particular application. In addition, approximately every fourth request to the application from
clients will not be served.
Question: You want to host the www.contoso.com, www.adatum.com, and www.fabrikam.com websites
on a four-node NLB cluster. The cluster IP address will be a public IP address, and each fully qualified
domain name is mapped in DNS to the cluster's public IP address. What steps should you take on each
node to ensure that traffic is directed to the appropriate site?
Answer: You must configure host headers for each site on each node. In addition, you must
ensure that host header configuration is identical.
Question: You have an eight-node Windows NLB cluster that hosts a web application. You want to ensure
that traffic from a client that uses the cluster remains with the same node throughout their session, but
that traffic from separate clients is distributed equitably across all nodes. Which option do you configure
to accomplish this goal?
Answer: You must configure affinity settings to accomplish this.

To become a true high-availability solution, use a monitoring solution with NLB that will detect
application failure. This is because NLB clusters will continue to direct traffic to nodes with failed
applications as long as NLB, which is independent of the application, continues to send heartbeat traffic.

Lab: Implementing NLB
Question: How many additional nodes can you add to the LON-NLB cluster?
Answer: The LON-NLB cluster can scale to 32 nodes.
Question: What steps would you take to ensure that LON-SVR1 always manages requests for web traffic
on port 5678, given the port rules established by the end of this exercise?
Answer: You configure the host priority. You also set the rule to use single-host filtering mode.
Question: What is the difference between a Stop and a Drainstop command?
Answer: Stop terminates all active connections immediately. Drainstop blocks new connections,
but allows existing connections to complete normally.
Implementing Failover Clustering 10-1
Module 10
Implementing Failover Clustering
Contents:
Lesson 2: Implementing a Failover Cluster 2
Lesson 3: Configuring Highly Available Applications and

Services on a Failover Cluster 4
Lesson 4: Maintaining a Failover Cluster 6

Lesson 2
Implementing a Failover Cluster
Contents:
Demonstration: Validating and Configuring a Failover Cluster 3
Demonstration: Validating and Configuring a Failover Cluster

Demonstration Steps
1. On LON-SVR3, in Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Failover Cluster Manager, in the console tree, ensure that Failover Cluster Manager is
selected, and then, under Management, click Validate Configuration, and then click Next.
3. In the Enter name field, type LON-SVR3, and then click Add.
4. In the Enter name field, type LON-SVR4, click Add, and then click Next.
5. Verify that Run all tests (recommended) is selected, and then click Next.
6. In the Confirmation window, click Next.
7. Wait for the validation tests to finish, and then in the Summary window, click View Report.
8. Close the report window, remove the check mark next to Create the cluster now using the
validated nodes, and then click Finish.
9. On LON-SVR3, in the Failover Cluster Manager, in the Management section of the center pane,
select Create Cluster.
10. Read the Before You Begin information page.

11. Click Next, type LON-SVR3, and then click Add. Type LON-SVR4, and then click Add.
12. Verify the entries, and then click Next.
13. In the Access Point for Administering the Cluster section, enter Cluster1 as the Cluster Name.
14. Under Address, type 172.16.0.125 as the IP address, and then click Next.
15. On the Confirmation page, verify the information, and then click Next.
16. On the Summary page, click Finish to return to the Failover Cluster Manager.
Lesson 3
Configuring Highly Available Applications and
Services on a Failover Cluster
Contents:
Demonstration: Clustering a File Server Role 5
Demonstration: Clustering a File Server Role

Demonstration Steps
1. On LON-SVR3, open the Failover Cluster Manager, and then expand Cluster1.adatum.com.
2. Expand Storage, and then click Disks. Verify that three cluster disks are available.
3. Right-click Roles, and then select Configure Role.
5. On the Select Role page, select File Server, and then click Next.
6. On the File Server Type page, click File Server for general use, and then click Next.
7. On the Client Access Point page, in the Name box, type AdatumFS, in the Address box, type
172.16.0.130, and then click Next.
8. On the Select Storage page, click Cluster Disk 2, and then click Next.
9. On the Confirmation page, click Next.

10. On the Summary page, click Finish.
Lesson 4
Maintaining a Failover Cluster
Contents:
Demonstration: Configuring CAU 7
Demonstration: Configuring CAU

Demonstration Steps
1. On LON-DC1, in Server Manager, click Add roles and features.
4. On the Select destination server page, make sure that Select server from the server pool is
selected, and then click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, in the list of features, click Failover Clustering. In the Add features
that are required for Failover Clustering? dialog box, click Add Features. Click Next.
8. When installation is complete, click Close.
9. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
10. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list box,
select CLUSTER1, and then click Connect.
11. In the Cluster Actions pane, click Preview updates for this cluster.
12. In the Cluster1-Preview Updates window, click Generate Update Preview List.
Note: You must have an Internet connection for this step.
13. After several minutes, updates will be shown in the list. Review updates, and then click Close.
14. In the Cluster Actions pane, click Create or modify Updating Run Profile.
15. Review and explain the available options. Do not make any changes, and then click Close when you
are finished.
16. Click Apply updates to this cluster.
17. On the Getting Started page, click Next.
18. On the Advanced options page, review options for updating clustered nodes, and then click Next.
19. On the Additional Update Options page, click Next.

20. On the Confirmation page, click Update, and then click Close.
21. In the Cluster nodes pane, you can review the updating progress.
Note: You should emphasize that one node of the cluster is in Waiting state, while the
other node is restarting after it is updated.
22. Wait until the process is finished.
Note: This may require a restart of both nodes.

23. Sign in to LON-SVR3 with the username Adatum\Administrator and the password Pa$$w0rd.
24. On LON-SVR3, in the Server Manager dashboard, click Tools, and then click Cluster-Aware
Updating.
25. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list box,
select CLUSTER1. Click Connect.
26. Click Configure cluster self-updating options.
27. On the Getting Started page, click Next.
28. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered
role, with self-updating mode enabled, to this cluster, and then click Next.
29. In the Specify self-updating schedule area, click Weekly, select 4:00 AM for Time of day, and then
select Sunday for Day of the week. Click Next.
30. On the Advanced Options page, click Next.
31. On the Additional Update Options page, click Next.

32. On the Confirmation page, click Apply.

Best Practice
Try to avoid using a quorum model that depends just on the disk for Hyper-V failover cluster or a
Scale-Out File Server cluster.
Perform regular backups of the cluster configuration.
Ensure that other nodes can handle the load if one node fails.
Plan multisite clusters carefully.
Review Question(s)
Question: Why is using a disk-only quorum configuration generally not a good idea?
Answer: The failover cluster stops functioning if the logical unit number (LUN) that is used as the
disk for the quorum fails. Even if all the other resources, including the disk for the applications,
are available, no nodes provide any service when the quorum disk is not available.
Question: What is the purpose of Cluster-Aware Updating (CAU)?
Answer: CAU enables administrators to automatically update cluster nodes with little or no loss
in availability during the update process. Also, administrators should not manage an update
process across all nodes of the cluster.
Question: What is the main difference between synchronous and asynchronous replication in a multisite
cluster scenario?
Answer: When you use synchronous replication, the host receives a write-complete response
from the primary storage after the data is written successfully on both storage systems. If the
data is not written successfully to both storage systems, the application must attempt to write to
the disk again. With synchronous replication, both storage systems are identical.
When you use asynchronous replication, the node receives a write-complete response from the storage
after the data is written successfully on the primary storage. The data is written to the secondary
storage on a different schedule, depending on the hardware or software vendors
implementation.
Question: What is an enhanced feature in multisite clusters in the Windows Server 2012 operating
system?
Answer: In Windows Server 2012, you can adjust cluster quorum settings so that nodes do or do
not have a vote when the cluster determines whether it has quorum.

Your organization is considering the use of a geographically dispersed cluster that includes an alternative
data center. Your organization has only a single physical location, together with an alternative data center.
Can you provide an automatic failover in this configuration?
Answer: No, you cannot provide an automatic failover in this configuration. To provide an
automatic failover, you must have at least three sites.
Tools
The tools for implementing failover clustering include the following.
Tool Use for Where to find it

Tool Use for Where to find it
Failover Cluster Manager Cluster management Administrative Tools

console
Cluster-Aware Updating Cluster update Administrative Tools

console management
Windows PowerShell Cmdlet-based Administrative Tools

management
Server Manager General server mangement Taskbar
Internet SCSI (iSCSI) initiator Establishing a connection Administrative Tools

with an iSCSI target
Disk Management Disk and volume Computer Management

managment

Cluster Validation Wizard reports an error Review the report that the Cluster Validation Wizard
provides and determine the problem.
Create Cluster Wizard reports that not all Review installed roles and features on cluster nodes. A
nodes support the desired clustered role clustered role must be installed on each cluster node.
You cannot create a print server cluster This is not supported in Windows Server 2012. You
should use other technologies, such as configuring a
print server in the virtual machine that is highly
available, to provide a highly available print server.

Lab: Implementing Failover Clustering
Question: What information do you have to collect as you plan a failover cluster implementation and
choose the quorum mode?
Answer: You have to collect information such as the:
Number of applications or services that will be deployed on the cluster.
Performance requirements and characteristics for each application or service.
Number of servers that must be available to meet the performance requirements.
Location of the users who use the failover cluster.
Type of storage used for the shared cluster storage.
Question: After running the Validate a Configuration Wizard, how can you resolve the network
communication single point of failure?
Answer: You can resolve the network communication single point of failure by adding network
adapters on a separate network. This provides communication redundancy between cluster
nodes.
Question: In what situations might it be important to enable failback of a clustered application only
during a specific time?
Answer: Setting the failback to a preferred node at a specific time is important when you have to
ensure that the failback does not interfere with client connections, backup windows, or other
maintenance that a failback would interrupt.
Implementing Failover Clustering with Hyper-V 11-1
Module 11
Implementing Failover Clustering with Hyper-V
Contents:
Lesson 1: Overview of Integrating Hyper-V with Failover Clustering 2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 4
Lesson 3: Implementing Hyper-V Virtual Machine Movement 7

Lesson 1
Overview of Integrating Hyper-V with Failover
Clustering
Contents:
Options for Making Applications and Services Highly Available

Question: Do you use any high availability solution for virtual machines in your environment?
Answer: Answers might vary. For example, you can use storage replication, which is one
alternative for failover clustering.
Whats New in Failover Clustering for Hyper-V in Windows Server 2012

R2?
Question: Do you think that these new features will be useful for your environment? If yes, which one(s)?
Answer: Answers might vary.

Lesson 2
Implementing Hyper-V Virtual Machines on Failover
Clusters
Contents:
Demonstration: Implementing Virtual Machines on Clusters (optional) 5
Configuring a Shared Virtual Hard Disk

Question: What is the main benefit of using shared hard virtual disks?
Answer: If you use a shared hard virtual disk as cluster storage, you do not have to provide Fibre
Channel or an iSCSI connection to the virtual machines.
Using Scale-Out File Servers Over SMB 3 for Virtual Machines

Question: Have you considered storing virtual machines on the SMB share? Why or why not?
Answer: Answers might vary. The students probably will emphasize performance issues as a
reason for not deploying virtual machines on the SMB share.
Maintaining and Monitoring Virtual Machines in Clusters

Question: What are some alternative technologies that you can use for virtual machine and network
monitoring?
Answer: You can use dedicated monitoring software such as Microsoft System Center 2012
Operations Manager.
Demonstration: Implementing Virtual Machines on Clusters (optional)

Demonstration Steps
1. Ensure that LON-HOST1 is the owner of the ClusterVMs disk in Failover Cluster Manager. You can
verify this by reading the value in the Owner column. If it is not, then move the ClusterVMs resource
to LON-HOST1 before you do this procedure.
2. On LON-HOST1, open File Explorer, browse to E:\Program Files\Microsoft

Learning\20412\Drives\20412D-LON-CORE\Virtual Hard Disks, and then copy the 20412D-LON-
CORE.vhd virtual hard disk file to the C:\ClusterStorage\Volume1 location. (Note: The drive letter
might be different based upon the number of drives on the physical host machine)
3. In the Failover Cluster Manager console, click Roles, and then in the Actions pane, click Virtual
Machines.
4. Click New Virtual Machine.
5. Select LON-HOST1 as the cluster node, and click OK.
6. In the New Virtual Machine Wizard, click Next.
7. On the Specify Name and Location page, type TestClusterVM for the Name, click Store the virtual
machine in a different location, and then click Browse.
8. Browse to and select C:\ClusterStorage\Volume1, click Select Folder, and then click Next.
9. On the Specify Generation page, select Next.
10. On the Assign Memory page, type 1536, and then click Next.
11. On the Configure Networking page, click External Network, and then click Next.
12. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click
Browse.
13. Locate C:\ClusterStorage\Volume1, select 20412D-LON-CORE.vhd, and then click Open.
14. Click Next, and click Finish.
15. On the Summary page of the High Availability Wizard, click Finish.
16. Right-click the TestClusterVM, and click Settings.
17. In the Settings for TestClusterVM on LON-Host1, expand Processor in the left navigation pane, and
then click Compatibility.
18. In the right pane, select the check box before the Migrate to a physical computer with a different
processor version option.
19. Click OK.
20. Right-click TestClusterVM, and click Start.
21. Ensure that the machine starts successfully.
22. Open Failover Cluster Manager on LON-HOST2.
23. Expand VMCluster.Adatum.com, and click Roles.
24. Right-click TestClusterVM, select Move, select Live Migration, and then click Select Node.
25. Click LON-HOST2, and click OK.
26. Right-click TestClusterVM, and click Connect.
27. Ensure that you can access and operate the virtual machine while it is migrating to another host.
28. Wait until the migration is finished.

Lesson 3
Implementing Hyper-V Virtual Machine Movement
Contents:
Demonstration: Implementing Hyper-V Replica (optional) 8
Virtual Machine Migration Options

Question: When would you export and import a virtual machine instead of migrating it?
Answer: If you want to move a virtual machine to the host that does not support a shared-
nothing migration, or you do not have a cluster, you must export and import the virtual machine.
For example, you use this method if you want to move a virtual machine from a Windows
Server 2012 host to the Hyper-V in Windows 8.
New Features of Hyper-V Replica in Windows Server 2012 R2

Question: Do you see extended replication as a benefit for your environment?
Answer: Answers will vary.
Demonstration: Implementing Hyper-V Replica (optional)

Demonstration Steps
1. On LON-HOST2, open the Hyper-V Manager console.
2. In Hyper-V Manager, right-click LON-HOST2, and then select Hyper-V Settings.
3. In Hyper-V Settings for LON-HOST2, click Replication Configuration.
4. In the Replication Configuration pane, click Enable this computer as a Replica server.
5. In the Authentication and ports section, select Use Kerberos (HTTP).
6. In the Authorization and storage section, click Allow replication from any authenticated server,
and then click Browse.
7. Click Computer, double-click Local Disk (E), and then click New folder. Type VMReplica for folder
name, and press Enter. Select the E:\VMReplica\ folder, and click Select Folder.
8. In the Hyper-V Settings for LON-HOST2, click OK.
9. In the Settings window, read the notice, and then click OK.
10. Click the Start screen, and click the Control Panel.
11. In the Control Panel, click System and Security, and then click Windows Firewall. Click Advanced
settings, and then click Inbound Rules.
12. In the right pane, in the rule list, find and right-click the Hyper-V Replica HTTP Listener (TCP-In)
rule, and then click Enable Rule.
13. Close the Windows Firewall with Advanced Security console, and close Windows Firewall.
14. Repeat Steps 1 through 13 on LON-HOST1.
15. On LON-HOST1, open Hyper-V Manager. Click LON-HOST1, and right-click 20412D-LON-CORE.
16. Click Enable Replication.
18. On the Specify Replica Server page, click Browse.
19. In the Select Computer window, type LON-HOST2, and click Check Names, and click OK. Then click
Next.
20. On the Specify Connection Parameters page, review the settings, and ensure that Use Kerberos
authentication (HTTP) is selected, and then click Next.
21. On the Choose Replication VHDs page, ensure that 20412D-LON-CORE.vhd is selected, and then
click Next.
22. On the Configure Replication Frequency page, select 30 seconds from the drop-down list box, and
click Next.
23. On the Configure Additional Recovery Points page, select Maintain only the latest recovery
point, and then click Next.
24. On the Choose Initial Replication Method page, click Send initial copy over the network, select
Start replication immediately, and then click Next.
25. On the Completing the Enable Replication Wizard page, click Finish.
26. Wait five to 10 minutes. You can monitor the progress of initial replication in the Status column in the
Hyper-V Manager console. When it completes (progress reaches 100 percent), ensure that 20412D-
LON-CORE has appeared on LON-HOST2 in Hyper-V Manager.
27. On LON-HOST2 in Hyper-V Manager, right-click 20412D-LON-CORE.
28. Select Replication, and then click View Replication Health.
29. Review the content of the window that appears, ensure that there are no errors, and then click Close.
30. On LON-HOST1, open Hyper-V Manager, and verify that 20412D-LON-CORE is turned off.
31. Right-click 20412D-LON-CORE, select Replication, and then click Planned Failover.
32. In the Planned Failover window, ensure that the option Start the Replica virtual machine after
failover is selected, and then click Fail Over.
33. On LON-HOST2, in Hyper-V Manager, ensure that 20412D-LON-CORE is running.
34. On LON-HOST1, right-click 20412D-LON-CORE, point to Replication, and then click Remove
Replication.
35. In the Remove Replication dialog box, click Remove Replication.
36. On LON-HOST2, right-click 20412D-LON-CORE, and then select Shut Down. In the Shut Down
Machine dialog box, click Shut Down.

Best Practices
Develop standard configurations before you implement highly available virtual machines. The host
computers should be configured as close to identically as possible. To ensure that you have a
consistent Hyper-V platform, you should configure standard network names, and use consistent
naming standards for CSVs.
Use new features in Hyper-V Replica to extend your replication to more than one server.
Consider using Scale-Out File Server clusters as storage for highly available virtual machines.
Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster
Management that can block you from making mistakes when you manage highly available virtual
machines. For example, it blocks you from creating virtual machines on storage that is inaccessible
from all nodes in the cluster.
Review Question(s)
Question: Do you have to implement CSV in order to provide high availability for virtual machines in
VMM in Windows Server 2012?
Answer: No, you do not have to implement CSV to provide high availability. However, CSV
makes it much easier to implement and manage an environment where you have multiple
Hyper-V hosts that access multiple LUNs on shared storage.
Tools
The tools for implementing failover clustering with Hyper-V include:
Tools Where to Find Use
Failover Cluster Manager Administrative Tools Failover clustering management
Hyper-V Manager Administrative Tools Virtual machine management
VMM Console Start menu Hyper-V hosts and virtual

machine management

Virtual machine failover fails after you The CSV home folder is located on the host-
implement CSV and migrate the shared server system drive. You cannot move it. If the
storage to CSV. host computers use different system drives, the
failovers will fail because the hosts cannot access
the same storage location. All failover cluster
nodes should use the same hard-drive
configuration.
A virtual machine fails over to another All the nodes in a host cluster must have the
node in the host cluster, but loses all same networks configured. If they do not, then
network connectivity. the virtual machines cannot connect to a
network when they failover to another node.
Four hours after restarting a Hyper-V host By default, virtual machines do not fail back to a
that is a member of a host cluster, there host computer after they have migrated to
are still no virtual machines running on the another host. You can enable failback on the
host. virtual machine properties in Failover Cluster
Management, or you can implement
Performance and Resource Optimization in
VMM.

Lab: Implementing Failover Clustering with Hyper-V
Question: How can you extend Hyper-V Replica in Windows Server 2012 R2?
Answer: You can use the Extended Replication feature to add a third host machine that can
replicate with passive copy and with configurable replication timeout.
Question: What is the difference between Live Migration and Storage Migration?
Answer: In Live Migration, you move the machine from one host to another. In Storage
Migration, you move virtual machine storage and, optionally, configuration files to another
location on the same server.
Implementing Business Continuity and Disaster Recovery 12-1
Module 12
Implementing Business Continuity and Disaster Recovery
Contents:
Lesson 2: Implementing Windows Server Backup 2
Lesson 3: Implementing Server and Data Recovery 4

Lesson 2
Implementing Windows Server Backup
Contents:
Demonstration: Configuring a Scheduled Backup 3
Demonstration: Configuring a Scheduled Backup

Demonstration Steps
2. On LON-SVR1, in the Server Manager, click Tools, and then click Windows Server Backup.
3. Click Local Backup, and then in the Actions pane, click Backup Schedule.
4. In the Backup Schedule Wizard, on the Getting Started page, click Next.
5. On the Select Backup Configuration page, click Custom, and then click Next.
6. On the Select Items for Backup page, click Add Items.
7. Expand Local disk (C:), select the HR Data check box, and then click OK.
8. Click Advanced Settings.
9. Click Add Exclusion, click C:\HR Data\Old HR file.txt, and then click OK.
10. Click OK to close the Advanced Settings dialog box.
11. Click Next.
12. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
13. On the Specify Destination Type page, click Backup to a shared network folder, and then click
Next. Review the warning, and then click OK.
14. On the Specify Remote Shared Folder page, in the Path text box, type \\LON-DC1\Backup, and then
click Next.
15. In the Register Backup Schedule dialog box, in the Username text box, type Administrator, in the
Password text box, type Pa$$w0rd, and then click OK.
16. Click Finish, and then click Close.
17. In the Actions pane, click Backup Once.
18. In the Backup Once Wizard, select Scheduled backup options, and then click Next.
19. On the Confirmation page, click Backup.
20. On the Backup Progress page, click Close.
21. Close Windows Server Backup.

Lesson 3
Implementing Server and Data Recovery
Contents:
Demonstration: Using Windows Server Backup to Restore a Folder 5
Demonstration: Using Windows Server Backup to Restore a Folder

Demonstration Steps
1. On LON-SVR1, open Windows Explorer, browse to drive C, and then delete the HR Data folder.
2. From the Server Manager, start Windows Server Backup, and then click Recover.
3. In the Recovery Wizard, on the Getting Started page, click A backup stored on another location,
4. On the Specify Location Type page, click Remote shared folder, and then click Next.
5. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
6. On the Select Backup Date page, click Next.
7. On the Select Recovery Type page, click Next.
8. On the Select Items to Recover page, expand LON-SVR1, click Local disk (C:) drive, and in the right
pane, click HR Data, and then click Next.
9. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
10. On the Confirmation page, click Recover.
11. On the Recovery Progress page, click Close.
12. In Windows Explorer, browse to drive C, and ensure that the HR Data folder is restored.

Best Practices
Analyze your important infrastructure resources and mission-critical and business-critical data. Based
on that analysis, create a backup strategy that will protect the company's critical infrastructure
resources and business data.
Work with the organizations business managers to identify the minimum recovery time for business-
critical data. Based on that information, create an optimal restore strategy.
Always test backup-and-restore procedures regularly. Perform testing in a non-production and

isolated environment.
Review Question(s)
Question: You want to create a strategy that includes guidance on how to back up different technologies
that are used in your organization such as DHCP, DNS, AD DS, and SQL Server. What should you do?
Answer: Read documentation about the optimal backup strategy for each technology, because
every technology has specific best practices concerning backup and restore. Then, based on this
information, create documentation and a checklist for backup-and-restore procedures.
Question: How frequently should you perform backups on critical data?
Answer: The frequency at which you perform a backup of critical data depends on your
organizations requirements, and on how frequently data changes. You should always plan
backup strategies according to risk assessments. If your critical data changes significantly during
the day, then you should perform backup at least once per day, and you should consider
performing multiple VSS snapshots during the day.

Your organization needs information about which data to back up, how frequently to back up different
types of data and technologies, where to store backed up data (onsite or in the cloud), and how fast it can
restore backed-up data. How would you improve your organizations ability to restore data efficiently
when it is necessary?
Answer: Your company should develop backup-and-restore strategies based on multiple

parameters, such as business-continuity needs, risk-assessment procedures, and critical resource
and data identification. You must develop strategies that should then be evaluated and tested.
These strategies should take into consideration the dynamic changes that are occurring with new
technologies, and the changes that may occur with your organizations growth.
Tools
Windows Server Backup Perform on-demand or Server Manager Tools
scheduled backup and restore of
data and servers.
Windows Azure Backup Perform on-demand or Server Manager Tools

scheduled backup to the cloud,
and restore data from the backup
located in the cloud.

The server has suffered a major failure on Perform a bare-metal restore on a new system by
its components. using the backup set that you created. Use the
documentation and checklist that you created as
part of your company's backup-and-restore strategy
and procedures.

Lab: Implementing Windows Server Backup and Restore
Question: You are concerned about business-critical data that is located on your company's servers. You
want to perform backups every day, but not during business hours. What should you do?
Answer: You should perform a scheduled backup that runs every day after business hours, for
example at 1 a.m.
Question: Users report that they can no longer access data that is located on the server. You connect to
the server, and you realize that the shared folder where users were accessing data is missing. What should
you do?
Answer: You should restore the folder by using Windows Server Backup.

20412D ENU Companion

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

20412D ENU Companion

Transféré par

Droits d'auteur :

Formats disponibles

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T

2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at

Product Number: 20412D

a. If you are a Microsoft IT Academy Program Member:

b. If you are a Microsoft Learning Competency Member:

d. If you are an End User:

e. If you are a Trainer.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Contents subject

11. APPLICABLE LAW.

This limitation applies to

LIMITATION DES DOMMAGES-INTRTS ET EXCLUSION DE RESPONSABILIT POUR LES

Revised July 2013

Lesson 2: Configuring Advanced DNS Settings 4

Lesson 3: Implementing IPAM 6

Lesson 4: Managing IP Address Spaces with IPAM 9

Module Review and Takeaways 12

Lab Review Questions and Answers 14

Demonstration: Configuring DHCP Failover

5. In the Configure Failover Wizard, click Next.

9. Ensure the Mode field is set to Load balance.

10. Ensure that the Load Balance Percentage is set to 50%.

13. Click Finish, and then click Close.

14. Switch to LON-SVR1.

18. Close the DHCP console on both LON-DC1 and LON-SVR1.

19. Revert LON-SVR1.

Demonstration: Configuring DNSSEC

4. On the menu, click DNSSEC>Sign the Zone.

5. In the Zone Signing Wizard, click Next.

8. On the Key Signing Key (KSK) page, click Next.

9. On the Key Signing Key (KSK) page, click Add.

11. On the Key Signing Key (KSK) page, click Next.

12. On the Zone Signing Key (ZSK) page, click Next.

13. On the Zone Signing Key (ZSK) page, click Add.

15. On the Zone Signing Key (ZSK) page, click Next.

16. On the Next Secure (NSEC) page, click Next.

18. On the Signing and Polling Parameters page, click Next.

25. Select the Enable DNSSEC in this rule check box.

27. Scroll down and click Apply.

28. Close all open windows.

Demonstration: Implementing IPAM

2. In the Server Manager, click Add roles and features.

3. In the Add Roles and Features Wizard, click Next.

4. On the Select installation type page, click Next.

5. On the Select destination server page, click Next.

6. On the Select server roles page, click Next.

9. On the Confirm installation selections page, click Install.

3. Click Provision the IPAM server.

4. In the Provision IPAM Wizard, click Next.

8. When provisioning has completed, click Close.

9. On the IPAM Overview pane, click Configure server discovery.

Invoke-IpamGpoProvisioning Domain Adatum.com GpoPrefixName IPAM IpamServerFqdn LON-

16. Close Windows PowerShell.

19. Switch to LON-DC1.

20. From the start screen, start a command prompt.

Demonstration: Using IPAM to Manage IP Addressing

o Network ID: 172.16.0.0

o Description: Head Office

4. In the IPAM console tree, click IP Address Inventory.

o MAC address: 112233445566

o Device type: Routers

o Description: Head Office Router

o MAC address: 223344556677

o Device type: Host