Exam Ref 70-743 Upgrading Your Skills To MCSA Windows Server 2016
Charles Pluta
Exam Ref 70-743 Upgrading Your Skills to MCSA: Windows Server 2016
Published with the authorization of Microsoft Corporation by:
Pearson Education, Inc.
Copyright © 2017 by Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearsoned.com/permissions/. No patent liability is assumed with respect to the use of the information contained herein.
Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7356-9743-0
ISBN-10: 0-7356-9743-4
Library of Congress Control Number: 2016959957
First Printing: December 2016
Trademarks
Microsoft and the trademarks listed at https://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or programs accompanying it.
Chapter summary 26
Chapter 3 Implement Hyper-V 51
Skill 3.1: Install and configure Hyper-V 51
Determine hardware and compatibility requirements for installing Hyper-V 52
Install Hyper-V 52
Install management tools 52
Upgrade from existing versions of Hyper-V 54
Delegate virtual machine management 55
Perform remote management of Hyper-V hosts 58
Configure virtual machines using Windows PowerShell Direct 59
Implement nested virtualization 60
Chapter 4 Implement Windows Containers 93
Skill 4.1: Deploy Windows Containers 93
Determine installation requirements and appropriate scenarios for Windows Containers 94
Install and configure containers 94
Install Docker on Windows Server and Nano Server 95
Configure Docker daemon start-up options 96
Install a base operating system 97
Tag an image 98
Uninstall an operating system image 98
Create Windows Server containers 99
Create Hyper-V containers 99
Skill 5.3: Implement Storage Spaces Direct 148
Determine scenario requirements for implementing Storage Spaces Direct 148
Enable Storage Spaces Direct using Windows PowerShell 148
Implement a disaggregated Storage Spaces Direct scenario in a cluster 149
Implement a hyper-converged Storage Spaces Direct scenario in a cluster 150
Chapter 7 Implement IP Address Management 183
Skill 7.1: Install and configure IPAM 183
Provision IPAM manually or by using Group Policy 184
Configure server discovery 191
Create and manage IP blocks and ranges 193
Monitor utilization of IP address space 195
Migrate existing workloads to IPAM 198
Configure IPAM database storage using SQL Server 198
Determine scenarios for using IPAM with System Center Virtual Machine Manager for physical and virtual IP address space management 199
Manage DHCP server properties using IPAM 200
Configure DHCP scopes and options 201
Configure DHCP policies and failover 202
Manage DNS server properties using IPAM 202
Manage DNS zones and records 203
Manage DNS and DHCP servers in multiple Active Directory forests 204
Delegate administration for DNS and DHCP using Role-Based Access Control (RBAC) 204
Determine scenarios for implementation of Software Load Balancer for North-South and East-West load balancing 237
Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their uses 239
Determine requirements and scenarios for distributed firewall policies and network security groups 239
Introduction
With each release of Windows Server, more and more features are added or modified, which makes knowing the product inside and out more and more difficult. The 70-743 exam, “Upgrading your skills to Windows Server 2016,” is for administrators who have previously achieved the MCSA certification for Windows Server 2008 or Windows Server 2012 and plan to achieve the latest certification offering.
Understanding that the exam is geared specifically towards administrators with existing knowledge, this Exam Ref book assumes you remember and know the knowledge that is necessary to pass the previous versions of the exam. Therefore, we focus solely on the skills that are measured in the 70-743 exam, sometimes skipping the basics of the skill. A lot of these skills build on the knowledge you’ve retained from Windows Server 2008 or Windows Server 2012. However, some of the skills are brand new to Windows Server 2016, and are expected to be highlighted on the exam.
The goal of this book is to act as a reference to give you the tools and knowledge that you need to succeed in passing the exam. While we cover every skill that the exam measures and focus on real-world examples of how to use the technologies that are listed, there is no way of guaranteeing that you will pass the exam simply by using this book. As you are well aware as an existing MCSA credential holder, nothing is better than getting hands-on experience with each of the roles and features in Windows Server 2016 before taking the exam. It is recommended that you use the information in this book, combined with a hands-on approach of trying each role or feature discussed by using both graphical and Windows PowerShell (or command-line) tools. This will ensure that you have the best opportunity to succeed when taking the exam.
This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the “Need more review?” links you’ll find in the text to find more information and take the time to research and study the topic. Great information is available on MSDN, TechNet, MVA, and in blogs and forums.
Free ebooks from Microsoft Press
From technical overviews to in-depth information on special topics, the free ebooks from Microsoft Press cover a wide range of topics. These ebooks are available in PDF, EPUB, and Mobi for Kindle formats, ready for you to download at
https://aka.ms/mspressfree
Check back often to see what is new!
Errata, updates, & book support
We’ve made every effort to ensure the accuracy of this book and its companion content. You can access updates to this book—in the form of a list of submitted errata and their related corrections—at
https://aka.ms/examref743/errata
If you discover an error that is not already listed, please submit it to us at the same page.
If you need additional support, email Microsoft Press Book Support at mspinput@microsoft.com.
Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to https://support.microsoft.com.
https://aka.ms/tellpress
We know you’re busy, so we’ve kept it short with just a few questions. Your answers go directly to the editors at Microsoft Press. (No personal information will be requested.) Thanks in advance for your input!
Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress
Important: How to use this book to study for the exam
Certification exams validate your on-the-job experience and product knowledge. To gauge your readiness to take an exam, use this Exam Ref to help you check your understanding of the skills tested by the exam. Determine the topics you know well and the areas in which you need more experience. To help you refresh your skills in specific areas, we have also provided “Need more review?” pointers, which direct you to more in-depth information outside the book.
The Exam Ref is not a substitute for hands-on experience. This book is not designed to teach you new skills.
We recommend that you round out your exam preparation by using a combination of available study materials and courses. Learn more about available classroom training at https://www.microsoft.com/learning. Microsoft Official Practice Tests are available for many exams at https://aka.ms/practicetests. You can also find free online courses and live events from Microsoft Virtual Academy at https://www.microsoftvirtualacademy.com.
This book is organized by the “Skills measured” list published for the exam. The “Skills measured” list for each exam is available on the Microsoft Learning website: https://aka.ms/examlist
Note that this Exam Ref is based on this publicly available information and the author’s experience. To safeguard the integrity of the exam, authors do not have access to the exam questions.
CHAPTER 1
Determine appropriate Windows Server 2016 editions per workload
Microsoft offers several versions of Windows Server 2016. Selecting the appropriate version for your environment depends on the size or functionality that you expect to receive from the server. Table 1-1 lists the Windows Server 2016 editions that are available.
Feature names for the Active Directory roles and role services (fragment of a table):
■ AD-Certificate
■ ADCS-Cert-Authority
■ ADCS-Enroll-Web-Pol
■ ADCS-Enroll-Web-Svc
■ ADCS-Web-Enrollment
■ ADCS-Device-Enrollment
■ ADCS-Online-Cert
■ AD-Domain-Services
■ ADFS-Federation
■ ADLDS
■ ADRMS
■ ADRMS-Server
■ ADRMS-Identity
As Figure 1-2 shows, there is no graphical element to the installation. Unlike some previous versions, you cannot switch from a Server Core installation to an installation with a GUI. The Desktop Experience installation option must be selected during installation to add these specific features.
After changing the password or logging in for the first time, you are simply presented with a blank command prompt. To make any configuration changes locally on the server, run the sconfig.cmd command from the command prompt. Figure 1-3 shows the available configuration options by running sconfig.
Skill 1.1: Install, upgrade, and migrate servers and workloads
Implement Windows PowerShell Desired State Configuration to install and maintain integrity of installed environments
Desired State Configuration (DSC) extends Windows PowerShell and enables you to deploy and configure a server based on a template or baseline. Using DSC you are able to automate the configuration of several settings, including:
■ Server roles and features
■ Registry settings
■ Files and directories
■ Processes and services
■ Groups and user accounts
■ Environment variables
■ PowerShell scripts
In addition to performing the initial configuration, you can also use DSC to identify servers that no longer conform to the desired state. DSC has built-in resources to enable you to determine the actual configuration of a server, and implement changes if necessary. There are three primary components of DSC:
■ Local Configuration Manager (LCM) The LCM runs on every server (or target node) being managed. The LCM configures the target node based on the DSC. The LCM also performs other actions for the target node, including the refresh method, determining how frequently to perform refreshes, and making partial configurations.
■ Resources Used to implement the changing states of a configuration change. Resources are part of the PowerShell modules, and can be written to mimic a file, process, server, or even a VM.
■ Configuration Defined as the scripts that comprise and configure the resources. When running the configuration, DSC and the resources perform the configuration and ensure that the target node is configured as defined.
When building a DSC Script, there are a few components of the syntax to be aware of. The Script is composed of:
■ GetScript This block of code should return the current state of the node being tested. The value must be a String that is returned as the result.
■ TestScript This block of code determines if the node that is being tested needs to be modified based on the returned configuration. If any configuration is found to be out of date, then it is remedied by the SetScript block.
■ SetScript This block of code modifies the node to the desired configuration.
■ Credential The credentials that are needed for the script, if any are required.
■ DependsOn This indicates that another resource must be running before the script can be run and configured.
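An added example (not from the book) of a DSC configuration that combines a built-in WindowsFeature resource with a Script resource using the GetScript, TestScript, SetScript and DependsOn elements described above; the node name Server1, the output path, and the SMB1 setting it enforces are assumptions.

```powershell
# Added example, not from the book. Push-mode DSC configuration for one node.
Configuration HardenedBaseline {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Built-in WindowsFeature resource: the Telnet client must not be installed.
        WindowsFeature NoTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        # Script resource: keep the SMB1 server protocol disabled.
        Script DisableSmb1 {
            # GetScript reports the current state; Result carries it as a string.
            GetScript = {
                $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
                return @{ Result = "EnableSMB1Protocol=$smb1" }
            }
            # TestScript returns $true when the node already matches the desired state.
            TestScript = {
                -not (Get-SmbServerConfiguration).EnableSMB1Protocol
            }
            # SetScript runs only when TestScript returned $false.
            SetScript = {
                Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            }
            # Evaluate this resource only after the feature resource has been applied.
            DependsOn = '[WindowsFeature]NoTelnetClient'
        }
    }
}

# Compile the MOF for the target node (assumed name), push it, then verify compliance.
HardenedBaseline -NodeName 'Server1' -OutputPath 'C:\DSC\HardenedBaseline'
Start-DscConfiguration -Path 'C:\DSC\HardenedBaseline' -Wait -Verbose
Test-DscConfiguration -ComputerName 'Server1' -Detailed
```

Rerunning Test-DscConfiguration later is how the LCM-managed node is checked for drift from this baseline.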
To use AVMA, you must configure the virtualization host with an AVMA key using the slmgr tool and the /ipk switch. For example: slmgr /ipk <key>.
The AVMA activation for a VM is only valid for seven days. As the time period gets closer to expiration, the VM communicates with the virtualization host again to activate and reset the time period. To determine if a VM has been activated by AVMA, or to see the latest status, run the slmgr.vbs /dlv command. Figure 1-4 shows the results of the command.
Note that in Figure 1-4, the description field includes the string VIRTUAL MACHINE ACTIVATION. This indicates that the virtual machine is activated using AVMA.
If you plan to automate the install of a virtualization host, you can also specify the AVMA key in the Unattended Setup file. Once configured, the registry on the virtualization server provides the following tracking and reporting information for the guest operating system:
■ Fully qualified domain name
■ Operating system and service packs installed
■ Processor architecture
■ IPv4 and IPv6 network addresses
■ RDP addresses
The New-NanoServerImage cmdlet has several parameters that are configured when running. For example:
■ Edition Specifies the edition type of the installation, and can be either Standard or Datacenter.
■ DeploymentType Specifies whether Nano Server runs as a virtual machine guest, or as a physical host. The accepted values are Guest or Host.
■ MediaPath Specifies the location of the installation media for Windows Server 2016. This can be a mounted ISO location, or a copied location.
■ BasePath This is the directory to which the packages and Windows image are copied.
■ TargetPath This is the path, filename, and extension where the Nano Server VHD, VHDX, or WIM file is created.
■ ComputerName This is the hostname of the Nano Server after installation has completed.
For example, to create a Standard Nano Server virtual machine named NanoSvr1 that is located in the current folder, run the following command:
New-NanoServerImage -Edition Standard -DeploymentType Guest -MediaPath D:\ -BasePath .\ -TargetPath .\NanoSvr1\NanoSvr.vhdx -ComputerName NanoSvr1
You can optionally include the AdministratorPassword parameter during the command, but the password would be plaintext. Omitting the parameter causes PowerShell to prompt.
Once you have created the image type that you’d like to use, you can mount that image through Hyper-V, or install it on a physical server. For physical servers, it is recommended that you also include the OEMDrivers parameter. After the Nano Server image has been generated, this process is not any different than a normal VM or installation.
The basic networking information for the Nano Server machine can be configured through the Networking screen of the Recovery Console. You can configure the desired network adapter from the screen, and then configure the desired network settings. Both IPv4 and IPv6 can be configured from the recovery console. Figure 1-9 displays the networking configuration of a Nano Server through the Recovery Console.
The firewall settings must be configured to enable remote management. Remote Management Firewall Settings can be found in the Inbound Firewall Rules screen of the Recovery Console. For additional security, you can also configure outbound firewall rules.
The WinRM screen of the recovery console enables you to reset the firewall and remote management settings for the server back to default. This is useful if you can no longer access the server remotely, but are unaware of any network changes that might be preventing you from connecting.
Skill 1.3: Create, manage, and maintain images for deployment
Assess virtualization workloads using the Microsoft Assessment and Planning Toolkit, determine considerations for deploying workloads into virtualized environments
One tool that is available to assess and plan for a migration—whether it is physical or virtual—is the Microsoft Assessment and Planning (MAP) Toolkit. MAP is classified as a solution accelerator that takes an inventory of your organization’s existing infrastructure. Based on the discovered information, MAP provides an assessment and report that you can use for upgrades, migrations, and virtualization workloads. MAP is available for several Microsoft products:
■ Windows Server 2016
■ Windows Server 2012 R2
■ Windows 10
■ Windows 8.1
■ SQL Server 2014
■ Hyper-V
Some of the general tasks that you can use MAP to perform include:
■ Inventory Discover devices on the network and generate a detailed report of the servers that can run Windows Server 2016.
■ Reporting Generate a report or proposal using the Windows Server 2016 Readiness Assessment. The proposal generates an Executive Overview, Assessment Rules, Next Steps, and a summary of overall readiness for Windows Server 2016.
■ Performance metrics Use MAP to capture the performance of the current infrastructure to ensure that the workloads are acceptable for Windows Server 2016.
■ Utilization Estimate server utilization before and after virtualization of workloads. You can also determine which physical hosts are specifically suited to become a VM.
Figure 1-11 shows the MAP Toolkit on the server virtualization overview screen.
Thought Experiment
You are a consultant for a small healthcare provider, which has two offices and about 75 employees. You plan to deploy two new servers to support the following roles:
■ Active Directory Domain Services (AD DS)
■ DNS
■ DHCP
■ Internet Information Services (IIS)
You need to minimize the amount of resources that the servers consume. Which version, edition, and activation method of Windows Server 2016 would you choose?
5. On the Physical Disk page, select the individual disks that make up the pool. Figure 2-2 shows three disks available. Select what you need to allocate to the pool, and then click Next.
6. After selecting the disks, you’ll be prompted to review the information on the Confirmation page. Click Create to confirm the details of the storage pool. The summary is shown in Figure 2-3.
This returns the available disks to pool. To make the disks easier to pass to the New-StoragePool cmdlet, set the disks to a variable. Then you can create a pool by using the following commands:
$Disks = Get-PhysicalDisk -CanPool $True
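An added example (not from the book) that continues from the $Disks variable above: it creates the pool, a mirrored virtual disk and a volume with PowerShell, then checks their health. The pool and disk names, sizes and the drive letter are assumptions.

```powershell
# Added example, not from the book: pool -> mirrored virtual disk -> volume.
$Disks = Get-PhysicalDisk -CanPool $True
if (@($Disks).Count -lt 2) { throw "A two-way mirror needs at least two poolable disks." }

# The pool is created under the local Storage Spaces subsystem.
$SubSystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
$Pool = New-StoragePool -FriendlyName 'Pool1' `
    -StorageSubSystemUniqueId $SubSystem.UniqueId `
    -PhysicalDisks $Disks

# Thin-provisioned two-way mirror: tolerates the loss of one disk (assumed 100 GB).
$VDisk = New-VirtualDisk -StoragePoolFriendlyName $Pool.FriendlyName `
    -FriendlyName 'VDisk1' -ResiliencySettingName Mirror `
    -NumberOfDataCopies 2 -Size 100GB -ProvisioningType Thin

# Initialize, partition and format in one step; ReFS adds integrity streams.
New-Volume -DiskNumber (Get-Disk -VirtualDisk $VDisk).Number `
    -FriendlyName 'Data' -FileSystem ReFS -DriveLetter E

# Verify health before placing data on the new volume.
Get-StoragePool -FriendlyName 'Pool1' |
    Select-Object FriendlyName, HealthStatus, OperationalStatus
Get-VirtualDisk -FriendlyName 'VDisk1' |
    Select-Object FriendlyName, HealthStatus, ResiliencySettingName, NumberOfDataCopies
```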
An alternate step to creating a virtual disk is to create a volume. In addition to the settings that you can configure for a virtual disk, a volume is what is actually presented to the server and used by the operating system, accessed by a drive letter. To create a volume in the GUI,
2. On the iSCSI Virtual Disk Size page, enter a size for the virtual disk. You can also configure whether the disk is fixed, dynamically expanding, or differencing. As shown in
3. On the iSCSI Target page, select either an existing target or a new target, and then click Next.
4. On the Target Name And Access page, enter a name for the target and then click Next.
5. On the Access Servers page, click Add to specify the iSCSI initiators that access the new virtual disk. Figure 2-9 shows adding the iSCSI initiator.
6. On the Enable Authentication page, select whether you want to Enable CHAP or Enable Reverse CHAP for authentication. These are optional protocols to authenticate the initiator connections or target. Figure 2-10 shows the available options to configure CHAP and Reverse CHAP.
Configure iSNS
The Internet Storage Name Service (iSNS) is a protocol, which can be added to a Windows Server installation, and used to communicate between iSNS servers and clients. iSNS clients are computers, or initiators, that search for storage devices, or targets, on a network. iSNS provides automated discovery, management, and configuration of iSCSI and Fibre Channel devices on a network. Figure 2-11 shows the iSNS Server properties page.
By default, when you create an iSNS Server, there are no iSCSI targets listed even if they have been configured already. To ensure that the configured iSCSI targets also appear in the iSNS Server, the iSNS Server must be added to the iSCSI Initiator properties, as shown in Figure 2-12.
In the iSNS properties, you can then see the connected devices, and whether they are an initiator or target. iSNS does not have any specific PowerShell cmdlets, but can be configured from the command-line by using the isnscli.exe utility.
Install-WindowsFeature "data-center-bridging"
After installing the DCB feature, you can manage DCB on a server by importing three different PowerShell modules:
Import-Module netqos
Import-Module dcbqos
Import-Module netadapter
When MPIO is installed on a Nano Server, the disks that are presented are listed as duplicates, with a single disk being available through each path. MPIO must be configured to claim and manage the disks to ensure that only one path is used. A script has been provided by Microsoft to claim and manage the disks, and can be found at https://technet.microsoft.com/en-us/windows-server-docs/compute/nano-server/mpio-on-nano-server.
■ Cluster-to-Cluster Enables replication between two completely separate clusters, where one cluster copies the data to another cluster. This scenario can also use Storage Spaces on JBOD, SAN, or iSCSI-attached disks as the backend storage. A cluster-to-
Import-Module Deduplication
Start-DedupJob E: -Optimization
The DataAccess parameter indicates that data access will be enabled as part of the deduplicated volume. There are three possible options for the UsageType parameter when enabling deduplication:
■ Default This indicates a general purpose volume as the expected workload for the underlying disk.
■ Hyper-V This indicates that the volume stores VHDs for a Hyper-V server.
■ Backup This indicates that the volume is optimized for virtualized backup servers.
There are four types of deduplication jobs that run periodically, or can be run manually:
■ Optimization This manually starts the process of optimizing the volume for deduplication, and ensures that duplicated data does not consume additional storage.
■ GarbageCollection Garbage collection ensures that deleted or modified data is removed from the reference table.
■ Scrubbing This starts the data integrity scrubbing on the deduplicated volume.
■ Unoptimization This removes the deduplication on a specific volume.
After you have installed the data deduplication feature, you can also use the Deduplication Savings Evaluation Tool. The following output is an example of the ddpeval.exe tool:
Data Deduplication Savings Evaluation Tool
Evaluated folder: E:
Based on the percentage returned by the tool, you can decide whether to implement data deduplication in the environment. With Windows Server 2016, data deduplication introduces the following changes:
■ Increased volume sizes NTFS volumes up to 64 TB can have deduplication enabled. This has been enhanced by increasing the number of threads working in parallel for individual volumes.
Monitor deduplication
The built-in deduplication jobs support weekly scheduling for optimization, garbage collection, and scrubbing. Additionally, jobs can be configured by using the Windows Task Scheduler. Remember that the garbage collector reclaims space by removing data that is no longer being used. The default weekly schedule can be viewed by running the Get-DedupSchedule cmdlet:
Get-DedupSchedule
True Optimization
BackgroundOptimization
The Get-DedupStatus cmdlet can be used to see the overall status of a server:
Get-DedupStatus
To force a refresh of the deduplication service and require it to rescan the available volumes, use the Update-DedupStatus cmdlet.
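An added example (not from the book) that ties together the enabling, job and monitoring cmdlets from the deduplication sections above: it enables deduplication on a Hyper-V VHD volume, runs an optimization job, and reports the savings and the scheduled jobs. Volume E: and the function names are assumptions.

```powershell
# Added example, not from the book.
Import-Module Deduplication

# Enable dedup on the volume (skipped if already enabled), tuned for a Hyper-V VHD store.
function Enable-VhdStoreDedup {
    param([string]$Volume = 'E:')
    if (-not (Get-DedupVolume -Volume $Volume -ErrorAction SilentlyContinue)) {
        # The cmdlet's UsageType values are Default, HyperV and Backup; DataAccess keeps
        # the volume usable while files are optimized.
        Enable-DedupVolume -Volume $Volume -UsageType HyperV -DataAccess | Out-Null
    }
    # Run a foreground optimization now instead of waiting for the weekly schedule.
    Start-DedupJob -Volume $Volume -Type Optimization -Priority High -Wait | Out-Null
    # Force a rescan so the status reflects the job that just finished.
    Update-DedupStatus -Volume $Volume | Out-Null
    Get-DedupStatus -Volume $Volume |
        Select-Object Volume, OptimizedFilesCount, InPolicyFilesCount,
            @{ n = 'SavedGB';    e = { [math]::Round($_.SavedSpace / 1GB, 2) } },
            @{ n = 'SavingsPct'; e = { [math]::Round($_.SavingsRate, 1) } },
            LastOptimizationResult   # 0 means the last optimization succeeded
}

# Summarize the jobs on the default weekly schedule (optimization, GC, scrubbing).
function Get-DedupScheduleSummary {
    Get-DedupSchedule | Select-Object Name, Type, Enabled, Days, Start, Priority
}

Enable-VhdStoreDedup -Volume 'E:'
Get-DedupScheduleSummary | Format-Table -AutoSize
```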
Install Hyper-V
The process for installing Hyper-V has not changed much since Windows Server 2008 and Windows Server 2012. Hyper-V is a server role that can be installed by using the Add Roles and Features Wizard from Server Manager, or by using Windows PowerShell:
Install-WindowsFeature -Name Hyper-V -ComputerName Server1 -IncludeManagementTools -Restart
Each configuration represents the VM configuration file, saved state, and snapshots that are associated with the VM on the host. By using a newer virtual machine configuration, you also ensure that the virtual machine supports the latest features. Table 3-2 shows features that are only supported in specific VM configuration versions.
2. Right-click the Authorization Manager, and then click Open Authorization Store.
3. In the Open Authorization Store window, ensure that XML File is selected. Click Browse. Navigate to %systemroot%\ProgramData\Microsoft\Windows\Hyper-V\ and select InitialStore.xml, as shown in Figure 3-3. Click OK.
4. Expand Authorization Manager, InitialStore, Hyper-V services, Role Assignments. Note that by default, the only role assignment is an Administrator, as shown in Figure 3-4.
5. Expand Definitions, and then right-click Task Definitions. Click New Task Definition.
6. Name the task definition “VM Managers.” In the notification prompt, click OK. In the Add Definition screen, click the Operations tab.
7. Select operations that you would want the VM Managers role to do. In this example, select all operations that are associated with a virtual machine, as shown in Figure 3-5, and then click OK twice.
8. Now that you have created a group of tasks, you can create the role that can use these tasks. Right-click Role Definitions, and then click New Role Definition.
9. Name the Role Definition, such as VM Managers Role, and then click Add. Click the Tasks tab, select VM Managers, and then click OK. There are now two role definitions, as shown in Figure 3-6.
The more complicated steps occur on the computer from which you plan to manage the Hyper-V. First, you must trust the Hyper-V server from the remote client. If the Hyper-V host is named Host01, run the following command:
Set-Item "WSMan:\localhost\Client\TrustedHosts" -Value "Host01"
Using Enter-PSSession allows you to interactively manage the virtual machine. You can continue to run commands within the virtual machine until you explicitly exit the session. With Invoke-Command, you are limited to only what is within the ScriptBlock parameter. Once the command is over, you are returned to the local PowerShell session.
In addition to the VMName, you can also use the VMId or the VMGUID to connect to a specific VM. To enter a PowerShell direct session, you must be logged onto the host as a Hyper-V administrator. The VM must be running locally and already booted to the OS.
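An added example (not from the book) of PowerShell Direct from the Hyper-V host, showing both Invoke-Command with a ScriptBlock and Enter-PSSession, addressing the VM by name and by VMId. The VM name 743-01 is the chapter's; the guest credential is prompted for rather than embedded, and the checks before connecting are mine.

```powershell
# Added example, not from the book. Run on the Hyper-V host as a Hyper-V administrator.
$VMName = '743-01'

# PowerShell Direct needs a VM that is running locally and has booted its guest OS.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Running') {
    throw "$VMName is $($vm.State); it must be running."
}
if ($vm.Heartbeat -notlike 'Ok*') {
    throw "$VMName has not reported a guest heartbeat yet (still booting?)."
}

# Guest credential: prompt, never hard-code it in a script.
$guestCred = Get-Credential -Message "Local administrator inside $VMName"

# Invoke-Command: only the ScriptBlock runs in the guest; control then returns here.
$result = Invoke-Command -VMName $VMName -Credential $guestCred -ScriptBlock {
    [pscustomobject]@{
        GuestName          = $env:COMPUTERNAME
        RunningIntegration = (Get-Service -Name VM* | Where-Object Status -eq 'Running').Count
        VssIntegration     = (Get-Service -Name vmicvss).Status
    }
}
$result

# The same VM can be addressed by its GUID instead of its name.
Invoke-Command -VMId $vm.VMId -Credential $guestCred -ScriptBlock { $PSVersionTable.PSVersion }

# Enter-PSSession: interactive session inside the guest until you run Exit-PSSession.
Enter-PSSession -VMName $VMName -Credential $guestCred
```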
Additionally, smart paging can be configured from PowerShell with the Set-VM cmdlet. To set the smart paging file location to E:\VMs\743\03\Paging, run the following command:
Set-VM -VMName 743-03 -SmartPagingFilePath "E:\VMs\743\03\Paging"
Once Resource Metering has been enabled, you can view the data by running the Measure-VM cmdlet. The following example is for a VM named 743-01:
Measure-VM -VMName 743-01 | FL
VMName : 743-01
CimSession : CimSession: .
ComputerName : HOST01
AverageProcessorUsage : 9
AverageMemoryUsage : 2048
MaximumMemoryUsage : 2048
MinimumMemoryUsage : 2048
TotalDiskAllocation : 130048
AggregatedAverageNormalizedIOPS : 2
AggregatedAverageLatency : 240
AggregatedDiskDataRead : 0
AggregatedDiskDataWritten : 2
AggregatedNormalizedIOCount : 301
AvgCPU : 9
AvgRAM : 2048
MinRAM : 2048
MaxRAM : 2048
TotalDisk : 130048
By default, all integration services except for Guest Service Interface are enabled. To enable a specific service, run the Enable-VMIntegrationService cmdlet. For example:
Enable-VMIntegrationService -VMName 743-01 -Name "Guest Service Interface"
You can also manage integration services from within the VM itself. To view the list of services from within the VM, run the Get-Service cmdlet. For example:
Get-Service -Name VM*
The Get-Service cmdlet returns the same list of integration services, but with their service names:
■ vmicguestinterface
■ vmicheartbeat
■ vmickvpexchange
■ vmicrdv
■ vmicshutdown
■ vmictimesync
■ vmicvmsession
■ vmicvss
From within the VM, you can run Start-Service or Stop-Service to manage the integration services.
Similar to the integration services, you should not memorize specific versions of operating systems that are supported with Secure Boot. However, you should be aware of the Linux distributions that are supported with secure boot:
■ Ubuntu
■ SUSE Linux Enterprise
■ Red Hat Enterprise
■ CentOS
An offline method of migration would be to power down the VM and move all of the associated files with the VM, and then import the VM on the new Hyper-V host. We expand on this in the next section.
After the VM has been upgraded, it cannot be downgraded to a previous version of VM.
Using a UNC path ensures that even if you move the VM to a different host, it can still access the storage. If you are using Hyper-V Manager, a shared drive can be created by adding a drive from the controller. Figure 3-15 shows the option to add a shared drive to a VM.
To set the VM to only use production checkpoints, without the ability to fall back to a standard checkpoint, replace the Production option with ProductionOnly. Checkpoints can also be configured from Hyper-V Manager by editing the settings of a VM. Figure 3-20 displays the checkpoint management of a VM.
If you need to specify the WWNs that the VM uses for the adapter, replace the GenerateWwn option with the following:
■ WorldWideNodeNameSetA
■ WorldWideNodeNameSetB
■ WorldWidePortNameSetA
■ WorldWidePortNameSetB
For example, run the following command to create a FC adapter using these WWNs:
Add-VMFibreChannelHba -VMName 743-Nano -SanName vSAN1 -WorldWideNodeNameSetA C003FF0000FFFF00 -WorldWidePortNameSetA C003FF73FD70000C -WorldWideNodeNameSetB C003FF0000FFFF00 -WorldWidePortNameSetB C003FF73FD70000D
After add ng a network adapter to a VM, you can configure the VLAN dent ficat on, f
necessary, for that adapter Referr ng back to F gure 3-22, a synthet c network adapter a so
supports a few add t ona features
■ Bandwidth management You can configure the m n mum and max mum band-
w dth targets for the network adapter
■ Virtual machine queue (VMQ) If supported by the correspond ng phys ca adapter,
VMQ can be enab ed on the v rtua adapter
■ IPsec task offloading If supported by the correspond ng phys ca adapter, IPsec
tasks can be offloaded to hardware
A egacy network adapter does not support these features, and can on y be configured
w th a part cu ar VLAN Regard ess of the adapter type, you can manage the adapter w th
PowerShe by us ng the Set-VMNetworkAdapter cmd et
V rtua sw tches can be added from PowerShe by us ng the New-VMSw tch cmd et For
examp e, to create a new nterna v rtua sw tch, run the fo ow ng command
New-VMSwitch -Name Internal1 -SwitchType Internal
A though s t managed from the V rtua Sw tch Manager, t s configured from PowerShe
by us ng the Set-VMHost cmd et For examp e
Set-VMHost -MacAddressMinimum 00155DA7E700 -MacAddressMaximum 00155DA7E7FF
Configuring the MAC address on an individual network adapter is accomplished from the settings of the VM, as shown in Figure 3-25.
The MAC address settings for a virtual network adapter can be configured with PowerShell by using the Set-VMNetworkAdapter cmdlet. For example, to assign a static MAC address, run the following command:
Set-VMNetworkAdapter -VMName 743-01 -StaticMacAddress 00155DA7E73B
Enabling NIC teaming for a virtual network adapter can also be performed through PowerShell by using the Set-VMNetworkAdapter cmdlet. Note that although the AllowTeaming parameter expects a Boolean-style value, the valid options are On and Off, not $True or $False. For example:
Set-VMNetworkAdapter -VMName 743-01 -AllowTeaming On
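As an added example (not code from the book), the following script applies the adapter features listed above to one VM's synthetic adapter and then reads the settings back, skipping the unsupported features when the adapter turns out to be a legacy adapter. The VM name 743-01 and the MAC address are the book's values; the adapter name, VLAN ID and bandwidth figures are assumptions.

```powershell
# Added example, not from the book. Configures the synthetic adapter features
# described above (VLAN, bandwidth, VMQ, IPsec offload, static MAC, teaming)
# and reads them back. Run on the Hyper-V host in an elevated PowerShell session.
$vmName      = '743-01'            # VM name used in the book's examples
$adapterName = 'Network Adapter'   # assumption: default adapter name of the VM
$vlanId      = 10                  # assumption

$nic = Get-VMNetworkAdapter -VMName $vmName -Name $adapterName

# VLAN identification is the one setting both adapter types support.
Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $vlanId

if ($nic.IsLegacy) {
    Write-Warning "$adapterName is a legacy adapter; only the VLAN ID was applied."
}
else {
    # Splatting keeps each setting documented; a trailing comment after a
    # backtick continuation would otherwise break the command.
    $settings = @{
        MinimumBandwidthAbsolute               = 100MB   # bits/s; the switch must use Absolute bandwidth mode
        MaximumBandwidth                       = 1GB     # bits/s
        VmqWeight                              = 100     # 0 disables VMQ, 1-100 enables it
        IPsecOffloadMaximumSecurityAssociation = 512     # 0 disables IPsec task offload
        StaticMacAddress                       = '00155DA7E73B'
        AllowTeaming                           = 'On'    # OnOffState: On/Off, not $true/$false
    }
    $nic | Set-VMNetworkAdapter @settings
}

# Read the result back so the change can be verified (and audited) from the host.
$nic = Get-VMNetworkAdapter -VMName $vmName -Name $adapterName
$nic | Select-Object Name, IsLegacy, MacAddress, DynamicMacAddressEnabled,
    VmqWeight, IPsecOffloadMaxSA, AllowTeaming,
    @{ n = 'MinBps'; e = { $_.BandwidthSetting.MinimumBandwidthAbsolute } },
    @{ n = 'MaxBps'; e = { $_.BandwidthSetting.MaximumBandwidth } }
Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic | Select-Object OperationMode, AccessVlanId
```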
Figure 4-1 shows installing the Containers feature by using the Install-WindowsFeature cmdlet.
"hosts": ["tcp://0.0.0.0:2375"]
Therefore, if you want to use the ASP.NET image, use the Docker daemon to pull the image:
docker pull microsoft/aspnet
To demonstrate the isolation of a Hyper-V container, assume that a Windows Server container has been deployed. You start a running ping on the container:
docker run -d windowsservercore ping localhost -t
If you use the docker daemon, you can view the task thread that is running the ping:
docker top windowservercore
4369 ping
In this example, the process ID within the container is 4369. Within the container, you can also view the thread:
get-process -Name ping
If you follow the same process when using a Hyper-V container, you receive a different end result. You can create and view the process from the host, using the Docker daemon:
docker run -d --isolation=hyperv nanoserver ping -t localhost
2371 ping
However, the difference is when trying to view the process on the container host:
Get-process -Name ping
Get-Process : Cannot find a process with the name "ping". Verify the process name and
call the cmdlet again.
At line:1 char:1
+ ~~~~~~~~~~~~~~~~~~~~~~
+ FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.
GetProcessCommand
The difference is in the process name. By using a Hyper-V container, the process is run by the vmwp process. The vmwp process is the virtual machine process on the host, and is protecting the process from the host operating system:
Get-Process -Name vmwp
Additionally, Table 4-2 outlines the connections for a multi-host environment.
By default, new data volumes are created in C:\ProgramData\Docker\Volumes on the container host. In the command, the C:\Volume1 indicates that the volume is accessible within the container endpoint at that path.
After you have created a volume, to mount it to a different container, specify the source and destination paths using the same parameters:
docker run -it -v c:\source:c:\destination windowsservercore cmd
You can also pass through a single file from the container host to the endpoint. The syntax is basically the same as specifying an existing volume:
docker run -it -v c:\container-share\config.ini windowsservercore cmd
Similarly, you can also mount a full drive from the container host to the endpoint. Note that when mounting a full drive, a backslash is not included with the drive letter:
docker run -it -v d: windowsservercore cmd
Finally, data volumes can be inherited from other endpoints using the --volumes-from switch in the run parameter. This is useful if the applications in multiple containers are sharing the same data:
docker run -it --volumes-from Volume1 windowsservercore cmd
After downloading the image, it is available when viewing the images through the Docker daemon:
docker images
To upload an image to the Docker Hub, use the push parameter with the Docker daemon. First, you must log in with your Docker ID to access the Hub:
docker login
Username: username
Password:
Thought Experiment
A company is testing containers and images in their development environment. They have installed the Docker engine on a Windows Server host, and deployed a base image connected to the default network. The company would like the images to connect directly to the physical network. They also plan to automate the creation of future images and store them in the Docker Hub.
Using this information, answer the following questions:
1. What should be modified to configure the Docker daemon startup options?
2. Which network is the image that has been deployed connected to?
3. What type of network must the company create to achieve the goal?
4. What type of file does the Dockerfile need to be?
5. Which Docker daemon command is used to store images in the Docker Hub repository?
To perform a live migration, first enable it from the settings of the Hyper-V host. To enable live migrations, the machine must be a domain member. Live migration is not available in a Hyper-V workgroup. Figure 5-1 shows the settings from the Hyper-V Manager.
The first step to perform the migration using Hyper-V Manager is to right-click the VM you plan to migrate, and click Move. The Move Wizard is displayed, as shown in Figure 5-2.
The first option is whether to move the virtual machine, or move the storage of the virtual machine. In this section, we move the virtual machine.
You are then prompted to specify the destination for the move. This can be any other Hyper-V host that you have permission to administer. Figure 5-3 shows specifying the destination host.
Skill 5.1: Implement high availability and disaster recovery options in Hyper-V    CHAPTER 5    117
FIGURE 5-3 Move Wizard specify destination
You are then prompted for additional details of the migration type. The available options during a VM migration are shown in Figure 5-4:
■ Move The Virtual Machine's Data To A Single Location  This option moves all VM files, including disks, snapshots, and configuration information, to a single specified location.
■ Move The Virtual Machine's Data By Selecting Where To Move The Items  This option presents additional options for moving the storage of the VM, which we discuss in a later section.
■ Move Only The Virtual Machine  This option moves only the running configuration of the VM, but not the storage. The storage of the VM must be shared between the source and destination Hyper-V hosts.
If you select to move only the virtual machine, then no additional options are displayed and you complete the wizard. If you plan to move all of the VM files to a single location, one additional screen is displayed, prompting you for the destination directory to store the VM and its files. Figure 5-5 shows specifying the destination directory.
FIGURE 5-5 Move Wizard virtual machine
You must also configure a network to be used by the live migration service, which is accomplished by using the Set-VMHost cmdlet. For example:
Set-VMHost -UseAnyNetworkForMigration $true
FIGURE 5-7 Live Migration advanced settings
You can also enhance the performance of a live migration by configuring additional options. These include:
■ TCP/IP  With this option, the memory of the VM is transferred during the migration by using the available network over a typical TCP/IP connection.
■ Compression  With this option, the memory of the VM is first compressed before being sent to the destination by using a TCP/IP connection.
■ SMB  With this option, the memory of the VM is copied to the destination by using an SMB connection. If both the source and destination network adapters use Remote Direct Memory Access (RDMA), then SMB Direct is used for the copy.
FIGURE 5-9 Move Wizard move type selection
When moving the storage of a virtual machine, there are a few different options in the wizard, as shown in Figure 5-10:
■ Move All Of The Virtual Machine's Data To A Single Location  This option moves all VM data, regardless of its current location, to a single destination.
■ Move the Virtual Machine's Data to Different Locations  This option enables you to first select which items you plan to move, and then specify the destination for each item. Items include the VHD files, configuration files, checkpoints, and smart paging files.
■ Move Only the Virtual Machine's Virtual Hard Disks  This option enables you to move only the VHDs that are being used with the VM.
Depending on the option you select, the wizard automatically prompts for additional information. For example, choosing Move the virtual machine's data to different locations adds a new page in the wizard for each configuration item. Figure 5-5 shows an example of specifying the destination for the VM.
FIGURE 5-11 Move Wizard virtual machine
Moving a VM's storage can also be accomplished by using the Move-VM cmdlet. For example, to move a VM named VM1 to Host02 in the E:\VMs directory, run the following command:
Move-VM "VM1" Host02 -IncludeStorage -DestinationStoragePath E:\VMs
The next step, performing validation, is optional. Validation ensures that the servers you are configuring as part of a failover cluster meet the supported requirements. If you select Yes, then a separate wizard launches above the Create Cluster Wizard and must be completed before returning. The validation warning is shown in Figure 5-13.
Next, set a name for the cluster that is less than 15 characters. This is the name that is used when administering the cluster, as shown in Figure 5-14.
Next, you are able to select the type of quorum witness to configure, as shown in Figure 5-18. Again, focus on creating a cloud witness.
FIGURE 5-18 Configure Cluster Quorum Wizard select quorum witness
FIGURE 5-19 Configure Cluster Quorum Wizard configure quorum witness
The configuration details that are needed are all to be found in the Azure portal where the storage account is configured. Figure 5-20 displays a portion of the Azure portal that contains the storage account name and access key for the container. The service endpoint is populated by default, and does not need to be changed.
In the above example, the storage account name is infxxxstorage1. The access key is the string that begins with the numbers 74. To configure the quorum witness by using PowerShell, use the Set-ClusterQuorum cmdlet. For example, using the same information, run the following command:
Set-ClusterQuorum -CloudWitness -AccountName infxxxstorage1 -AccessKey 74dxzkTUdxWAUbwuHm4gPoVW5XgOeG+6ivP3lthzbVPicp/NEK6ivjGdA1J0oVcUuNRfLtaeYQ6WHZSwzq3/9Q==
Each network can be configured to either allow or prevent cluster network communications. This communication is for cluster operations, and does not include any client traffic. For client connectivity, a network must specifically be granted as client use. Figure 5-23 shows the properties of a cluster network, with both options enabled.
Then, you are prompted to select the disks to use for the storage pool. You need at least three disks to create a storage pool for use with failover clustering. Figure 5-25 shows the available disks for the storage pool.
You cannot apply updates without enabling the CAU self-updating role. To enable the role, configure the self-updating options from the CAU screen. Figure 5-27 shows the first configuration screen of the self-updating options wizard.
After selecting the option to enable the role, you can configure the schedule to perform the self-updating process. Then you can configure advanced options for the cluster. The advanced options enable you to configure time boundaries, retry limits, and pre- and post-update scripts that must also be run when updating. Figure 5-28 shows a portion of the advanced options that are available.
By default, only important updates are installed based on the CAU tool. An additional option is to also include the recommended updates on the cluster. After applying the self-updating options, the cluster can be updated by using CAU.
If the ClusterFunctionalLevel value is set to 8, then the cluster is at Windows Server 2012 R2. If the value is 9, then the cluster is at Windows Server 2016. It is also recommended that you disable Cluster-Aware Updating before attempting to perform a Rolling Operating System Upgrade. While the name implies upgrading the operating system, a best practice is to perform a clean installation of the operating system. An in-place upgrade is not recommended for cluster nodes.
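The checks around a Rolling Operating System Upgrade described above, as an added example that is not from the book: read the functional level, list the build of each node, disable the CAU self-updating role first, and only raise the functional level once every node is on Windows Server 2016. The cluster name Cluster1 is an assumption.

```powershell
# Added example, not from the book. Run from a cluster node with the
# FailoverClusters and ClusterAwareUpdating modules available.
$clusterName = 'Cluster1'   # assumption: the book does not name the cluster

# 1. Record the current functional level: 8 = Windows Server 2012 R2, 9 = Windows Server 2016.
$cluster = Get-Cluster -Name $clusterName
"Cluster functional level before: {0}" -f $cluster.ClusterFunctionalLevel

# 2. List the OS build of every node. A mixed list means the rolling upgrade
#    is still in progress and the level must stay at 8.
$nodes = Get-ClusterNode -Cluster $clusterName |
    Select-Object Name, State, MajorVersion, MinorVersion, BuildNumber
$nodes | Format-Table -AutoSize

# 3. Disable the CAU self-updating role before starting, as recommended above,
#    so CAU does not patch and reboot nodes in the middle of the upgrade.
Disable-CauClusterRole -ClusterName $clusterName -Force

# 4. Raise the level only when every node reports the Windows Server 2016 build
#    (14393) and is Up. The change is one-way, so preview it with -WhatIf first.
$notUpgraded = @($nodes | Where-Object { $_.BuildNumber -lt 14393 -or $_.State -ne 'Up' })
if ($cluster.ClusterFunctionalLevel -eq 8 -and $notUpgraded.Count -eq 0) {
    Update-ClusterFunctionalLevel -Cluster $clusterName -WhatIf
    # Remove -WhatIf to commit:
    # Update-ClusterFunctionalLevel -Cluster $clusterName
}
else {
    Write-Warning ("Not ready: {0} node(s) still below build 14393 or not Up." -f $notUpgraded.Count)
}

"Cluster functional level after: {0}" -f (Get-Cluster -Name $clusterName).ClusterFunctionalLevel
```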
After you have added the available disks, create a CSV by using the Add-ClusterSharedVolume cmdlet:
Add-ClusterSharedVolume -Name "CSV1"
Implement VM resiliency
Windows Server 2016 includes increased resiliency with Hyper-V failover clusters. There are two primary resiliency enhancements:
■ Compute resiliency  There are additional options that can be configured for Hyper-V VMs that help to reduce intra-cluster communication.
■ Storage resiliency  VMs are more resilient to transient storage failures.
New options for compute resiliency include:
■ Resiliency level  Defines how failures are handled.
■ Resiliency period  Defines how long VMs can run when they are isolated.
You can also configure quarantines for nodes that are deemed unhealthy. These nodes cannot join a cluster, which prevents them from affecting other nodes in the cluster.
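The compute resiliency and quarantine settings discussed above are cluster properties. As an added example (not code from the book), the following reads them, sets them explicitly, and shows how a quarantined node is identified and released; the cluster name Cluster1 and VM name VM1 are assumptions.

```powershell
# Added example, not from the book. Run from a cluster node in an elevated session.
$clusterName = 'Cluster1'   # assumption
$vmName      = 'VM1'        # assumption: a clustered VM with its own resiliency period

$cluster = Get-Cluster -Name $clusterName

# Current values of the compute resiliency and quarantine settings.
$cluster | Select-Object Name, ResiliencyLevel, ResiliencyDefaultPeriod,
    QuarantineThreshold, QuarantineDuration

# Resiliency level: 1 = IsolateOnSpecialHeartbeat (default), 2 = AlwaysIsolate.
# Resiliency period: seconds a VM keeps running on an isolated node before failover (default 240).
$cluster.ResiliencyLevel         = 1
$cluster.ResiliencyDefaultPeriod = 240

# A per-VM override of the cluster default (-1 means use ResiliencyDefaultPeriod).
$vmGroup = Get-ClusterGroup -Cluster $clusterName -VMId (Get-VM -Name $vmName).VMId
$vmGroup.ResiliencyPeriod = 300

# Quarantine: a node that is isolated QuarantineThreshold times (default 3) is
# quarantined for QuarantineDuration seconds (default 7200) and cannot rejoin
# the cluster until the duration passes or an administrator clears it.
$cluster.QuarantineThreshold = 3
$cluster.QuarantineDuration  = 7200

# Node State shows whether each node is Up, Isolated, or Quarantined; a
# quarantined node that has been repaired is released with -ClearQuarantine.
Get-ClusterNode -Cluster $clusterName | Select-Object Name, State
Get-ClusterNode -Cluster $clusterName |
    Where-Object { $_.State -eq 'Quarantined' } |
    ForEach-Object { Start-ClusterNode -Name $_.Name -Cluster $clusterName -ClearQuarantine }
```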
The shared storage can be added to multiple virtual machines, enabling you to create a virtualized cluster without exposing any underlying storage.
Configure VM monitoring
VMs that are configured in a failover cluster can have the VM itself as well as applications in the VM monitored by the Hyper-V host. The guest VM and the Hyper-V host must either belong to the same domain, or have a trust relationship configured between domains. The pre-defined Virtual Machine Monitoring rules must also be enabled on the VM. Figure 5-36 shows the rules that must be enabled. These rules include:
■ Virtual Machine Monitoring (DCOM-In)
■ Virtual Machine Monitoring (Echo Request – ICMPv4-In)
■ Virtual Machine Monitoring (Echo Request – ICMPv6-In)
■ Virtual Machine Monitoring (NB-Session-In)
■ Virtual Machine Monitoring (RPC)
After you have modified the firewall, you can configure monitoring for the VM from the Failover Cluster Manager. Right-click a VM, and in the More Actions menu, click Configure Monitoring. You are prompted with a list of services that exist on the VM.
After selecting the service to monitor, you can also configure recovery settings for the service. By default, the first two times a service fails, the failover cluster attempts to restart the service. If the service fails to start, then a failover would be performed. Therefore, if you need to immediately fail over (rather than wait for the service to restart), you need to change the first recovery action to Take No Action. This ensures that the VM fails over, as the monitored service is considered down.
You can also control the number of times that the failover cluster service tries to restart or fail over a role. These settings can be configured from the Failover tab, as shown in Figure 5-38.
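The same configuration from PowerShell, as an added example that is not from the book: enable the Virtual Machine Monitoring firewall rule group inside the guest, register the service with the cluster, and set the Failover tab limits on the VM's cluster group. The VM name VM1 and the monitored service Spooler are assumptions.

```powershell
# Added example, not from the book. Run from a cluster node that owns the VM;
# the guest must be in the same domain or a trusted domain, as stated above.
$vmName  = 'VM1'           # assumption: clustered VM name
$service = 'Spooler'       # assumption: service inside the guest to monitor
$cred    = Get-Credential  # domain account that is a local administrator in the guest

# 1. Enable the five pre-defined rules listed above; they share one display group.
#    This runs inside the guest over PowerShell remoting and echoes the result.
Invoke-Command -ComputerName $vmName -Credential $cred -ScriptBlock {
    Enable-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring'
    Get-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring' |
        Select-Object DisplayName, Enabled
}

# 2. Register the service for monitoring. The cluster queries the guest for its
#    service list, so step 1 must succeed first or this call fails.
Add-ClusterVMMonitoredItem -VirtualMachine $vmName -Service $service
Get-ClusterVMMonitoredItem -VirtualMachine $vmName

# 3. Failover tab equivalents on the VM's cluster group: at most FailoverThreshold
#    failovers within FailoverPeriod hours before the role is left in a failed state.
$group = Get-ClusterGroup -VMId (Get-VM -Name $vmName).VMId
$group.FailoverThreshold = 2
$group.FailoverPeriod    = 6
$group | Select-Object Name, State, FailoverThreshold, FailoverPeriod, AutoFailbackType
```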
Windows Server 2016 also introduces the ability to control the start order of VMs. VMs can be grouped into tiers, which can be used to define dependencies for starting order. This ensures that more important virtual machines are started before others. For example, you can configure all domain controllers to start first.
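Start-order tiers are implemented with cluster group sets. As an added example (not code from the book), the following places the domain controllers in one set, the application VMs in a second set that depends on it, and reads the result back; the cluster role names DC1, DC2, APP1 and APP2 are assumptions.

```powershell
# Added example, not from the book. Run from a cluster node in an elevated session.
# Cluster role (group) names of the VMs; by default these match the VM names.
$dcVMs  = 'DC1', 'DC2'     # assumption: tier 1, started first
$appVMs = 'APP1', 'APP2'   # assumption: tier 2, depends on tier 1

# One set per tier.
New-ClusterGroupSet -Name 'DomainControllers'
New-ClusterGroupSet -Name 'AppServers'

foreach ($vm in $dcVMs)  { Add-ClusterGroupToSet -Name 'DomainControllers' -Group $vm }
foreach ($vm in $appVMs) { Add-ClusterGroupToSet -Name 'AppServers'        -Group $vm }

# AppServers depends on DomainControllers: its members are not started until the
# provider set has satisfied its start-up trigger.
Add-ClusterGroupSetDependency -Name 'AppServers' -Provider 'DomainControllers'

# Trigger "Online" waits for the provider's members to come online, then holds for
# StartupDelay seconds so directory services have time to finish initialising.
Set-ClusterGroupSet -Name 'DomainControllers' -StartupDelayTrigger Online -StartupDelay 60

# Read the tiers back, including which groups belong to each set and what it depends on.
Get-ClusterGroupSet | Format-List Name, GroupNames, ProviderNames, StartupDelayTrigger, StartupDelay
```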
Chapter summary
■ How to use the Hyper-V Manager to perform basic VM management
■ Configure migration and authentication details for Hyper-V servers
■ Install and configure a failover cluster
■ Configure quorum options, including Azure Cloud Witness
■ Use Cluster-Aware Updating to perform Windows Updates
■ Seamlessly upgrade clusters from Windows Server 2012 R2 to Windows Server 2016
■ Optimize clusters using storage technologies like CSVs and Storage Replica
■ Implement Storage Spaces Direct for increased storage performance
■ Manage failover clusters using failover and preference settings
■ Perform basic VM management by using the Failover Cluster Manager
Implement DNS
This chapter covers one skill that is represented on the exam, implementing and configuring DNS servers. There are a few new technologies introduced in Windows Server 2016 for DNS servers:
■ DNS Policies  Policies can be created to specify how DNS servers respond to client requests.
■ Response Rate Limiting  Mitigates denial of service attacks on DNS.
■ DNS-based Authentication of Named Entities  Uses Transport Layer Security Authentication to inform clients to expect a certificate from a Certification Authority for the DNS zone.
■ Unknown record support  Add records that are not explicitly supported by Windows Server DNS.
■ IPv6 root hints  Native IPv6 root hints have been added to DNS.
We discuss these new technologies and review key technologies that already exist for DNS in this chapter.
Determine supported DNS deployment scenarios on Nano Server
DNS can be installed on Nano Server, and offers the same features, security, and functionality as installing it on Server Core or graphical versions of Windows Server. The only difference in using Nano Server is the management of the server role after it has been deployed.
After deploying DNS on a Nano Server, you can manage it by using Windows PowerShell remoting. Create a new session with the Nano Server by running the Enter-PSSession cmdlet:
Enter-PSSession -ComputerName "Nano1"
After connecting remotely to the Nano Server, you can import the PowerShell module for DNS by running the Import-Module cmdlet:
Import-Module DNSServer
You can then run any DNS PowerShell cmdlet on the Nano Server. Alternatively, you can run the DNS Manager from a separate management computer, and connect to the DNS service that is running on the Nano Server. This gives you the ability to manage the DNS service through the DNS Manager console as if it was installed on a server with a graphical interface.
Install DNS
DNS can be installed by using the Add Roles and Features Wizard through Server Manager, or by using Windows PowerShell with the Install-WindowsFeature cmdlet:
Install-WindowsFeature DNS
If adding the package to Nano Server, the package would be installed by using the Install-NanoServerPackage cmdlet:
Install-NanoServerPackage -Package Microsoft-NanoServer-DNS-Package
Configure forwarders
When a DNS server receives a request to translate a domain name that it does not know, a forwarder is used to transfer the request to another DNS server. DNS forwarders use recursive queries as the list of forwarders is processed. A recursive query either accepts a record that is provided, or displays an error if the record cannot be found. Forwarders do not accept referrals to other DNS servers. The next DNS server could be a different DNS server within a corporate network, the ISP, or a public DNS server. Figure 6-1 shows the Forwarders configured for a DNS server, using Verisign and OpenDNS public servers, respectively.
An option shown in Figure 6-1 for forwarders is Use Root Hints If No Forwarders Are Available. This uses any configured root hints if the forwarders that have been configured are not available. By default, this option is disabled. From the GUI, forwarders are managed by modifying the properties of the DNS server. However, using Windows PowerShell, forwarders have separate cmdlets. To configure a forwarder with PowerShell, use the Add-DnsServerForwarder cmdlet:
Add-DnsServerForwarder 8.8.8.8
To configure whether root hints are used if a forwarder is unavailable, run the Set-DnsServerForwarder cmdlet:
Set-DnsServerForwarder -UseRootHint $False
After forwarders have been configured, you can verify DNS is working properly by using nslookup. The nslookup tool is a command-line utility that enables you to query specific record types using DNS. Figure 6-3 shows performing successful queries for Microsoft.com, the local domain contosoforest.com, and the partner domain adatum.com.
If you plan to use PowerShell to create a conditional forwarder, use the Add-DnsServerConditionalForwarderZone cmdlet:
Add-DnsServerConditionalForwarderZone -Name adatum.com -MasterServers 10.0.0.105
Root hints can also be retrieved or configured by using PowerShell. To retrieve the same list that the GUI displays, run the Get-DnsServerRootHint cmdlet. To add additional root hints, use the Add-DnsServerRootHint cmdlet:
Add-DnsServerRootHint -NameServer a.root-servers.net -IPAddress 2001:503:ba3e::2:30
Configure delegation
Zone delegation enables you to divide a DNS namespace into multiple zones. These additional zones can be stored and replicated to other DNS servers. This is useful if you need to delegate management for a portion of a namespace, or want to improve network distribution by dividing larger zones.
Creating a new delegation zone can be performed from DNS Manager by right-clicking the forward lookup zone that you plan to split, then clicking New Delegation. The New Delegation Wizard appears. The first configuration screen prompts for the domain that is delegated. For example, we specify the fully qualified domain name (FQDN) emea.contosoforest.com to be delegated as a separate domain. Figure 6-5 shows the New Delegation Wizard.
You are then prompted to enter the FQDN of the DNS server that is authoritative for the zone. You must also resolve the FQDN to the available IP addresses for that specific server. Figure 6-6 displays configuring the FQDN and associated IP addresses for delegation.
After you complete the wizard, the delegation zone is created in the forward lookup zone. You can also create the zone by using the Add-DnsServerZoneDelegation cmdlet:
Add-DnsServerZoneDelegation -Name contosoforest.com -ChildZoneName emea.contosoforest.com -IPAddress 10.0.0.100 -NameServer DC1
If you need to provide junior administrators the ability to view the DNS contents of the zones, create a new security group and assign the Read permission. You could also have a separate group that can create and update DNS objects, but not delete them.
Modifying the properties of a zone is a similar process. The zone inherits the permissions that have been assigned at the server level. You can also add additional security groups that can manage the zone. Figure 6-9 shows the default properties of a forward lookup zone.
In addition to enabling or disabling recursion, the PowerShell cmdlet also lets you configure specific recursion settings. For example, the RetryInterval setting specifies the amount of time in seconds before a DNS server uses recursion. By default, the RetryInterval is set to three seconds, but can be configured with a value from 1 to 15. Another configurable parameter is the AdditionalTimeout setting. This specifies the number of seconds a DNS server waits after issuing a recursive request to receive a response from the next DNS server. By default, this setting is set to four seconds, but accepts a value from 0 to 15.
Set-DnsServerRecursion -RetryInterval 2
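As an added example (not code from the book), the following script ties together the forwarder, conditional forwarder and recursion settings covered in this section: it configures each one, validates the recursion timers against the ranges stated above, reads every setting back, and resolves a name through the server. The forwarder 8.8.8.8, the adatum.com zone and the master server 10.0.0.105 are the book's values; the name used for the verification lookup is an assumption.

```powershell
# Added example, not from the book. Run on the DNS server in an elevated session
# (or inside an Enter-PSSession to a Nano Server, as shown earlier in the chapter).
Import-Module DnsServer

$forwarders  = '8.8.8.8'             # from the book's Add-DnsServerForwarder example
$partnerZone = 'adatum.com'          # conditional forwarder zone from the book
$partnerDns  = '10.0.0.105'          # master server from the book
$verifyName  = 'www.microsoft.com'   # assumption: a public name to resolve as a check

# Forwarders receive every recursive query first. Turning off the root-hint
# fallback makes a forwarder outage visible as failed lookups instead of
# silently letting the server resolve directly against the Internet roots.
Add-DnsServerForwarder -IPAddress $forwarders -PassThru
Set-DnsServerForwarder -UseRootHint $false -Timeout 3

# Conditional forwarder: only names under adatum.com go to the partner's DNS server.
if (-not (Get-DnsServerZone -Name $partnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerZone -MasterServers $partnerDns
}

# Recursion timers, checked against the ranges given above (1-15 and 0-15 seconds)
# before the server is touched.
function Set-RecursionTimers {
    param([int]$RetryInterval = 3, [int]$AdditionalTimeout = 4)
    if ($RetryInterval -lt 1 -or $RetryInterval -gt 15) {
        throw "RetryInterval must be between 1 and 15 seconds"
    }
    if ($AdditionalTimeout -lt 0 -or $AdditionalTimeout -gt 15) {
        throw "AdditionalTimeout must be between 0 and 15 seconds"
    }
    Set-DnsServerRecursion -RetryInterval $RetryInterval -AdditionalTimeout $AdditionalTimeout
}
Set-RecursionTimers -RetryInterval 2 -AdditionalTimeout 4

# Read everything back, then test a lookup against this server.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerZone -Name $partnerZone | Select-Object ZoneName, ZoneType, MasterServers
Get-DnsServerRecursion | Select-Object Enable, RetryInterval, AdditionalTimeout
Resolve-DnsName -Name $verifyName -Type A -Server localhost
```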
Thought Experiment
A company has a production environment and a test environment. The production environment is in an Active Directory domain with DNS integrated into the domain. The test environment is in a workgroup with a separate DNS server. The company needs to prohibit the test environment from resolving any names in the production environment, but must use the production server as a name server for the Internet. The production servers must be configured to suspend responses to queries in the event of a DNS request flood. The test environment must also wait 10 seconds before using non-authoritative DNS servers. You must also enable a junior administrator to be able to view all objects and settings on the DNS server without enabling them to make changes.
Given the above scenario, answer these questions:
1. What should be used to prohibit resolution between networks?
2. What should be used to suspend queries when flooded?
3. How should the junior administrator be granted permissions?
4. What must be configured in the test environment to wait 10 seconds for non-authoritative responses?
Implement IP Address Management
In this chapter, we will discuss how to install, configure, and use the built-in IP Address Management functionality. In past exams, IPAM was a major component of the exam skills that are tested. You should anticipate and be prepared to understand how to install and configure IPAM on Windows Server 2016.
Windows Server 2016 introduces new features to IPAM, including:
■ Enhanced DNS service management
■ Multiple Active Directory Domain Services forest support
■ Purge Utilization Data
■ Windows PowerShell cmdlets for Role-Based Access Control
IPAM in Windows Server 2016 also improves on the existing IP address management and integrated DNS and DHCP management from the IPAM console.
You can provision the server by using the Invoke-IpamServerProvisioning cmdlet, then provision the GPOs by using the Invoke-IpamGpoProvisioning cmdlet:
Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix "IPAM-"
Invoke-IpamGpoProvisioning -Domain contosoforest.com -GpoPrefixName IPAM -IpamServerFqdn ipam.contosoforest.com
Choosing the manual deployment method requires you to manually create or configure different options on each managed server, including:
■ Network shares
■ Security groups
■ Firewall rules
DHCP servers
A managed DHCP server requires that all three options be configured on the servers. Table 7-1 summarizes the rules that must be configured on a managed DHCP server.
A universal security group must also be created in the domain with the name IPAMUG. The members of the security group must include the computer account objects for each DHCP server. Figure 7-3 shows the correct settings for the group.
Once created, the IPAMUG universal security group must be added to the DHCP Users and Event Log Readers security groups on each managed server. Figure 7-4 shows adding the user group to the local groups on the DHCP server. If the server is also a domain controller, then the Event Log Readers group in the Builtin container should be used.
The permissions of the share must be modified to enable the IPAMUG universal security group to read the contents of the directory. Figure 7-6 shows the share permissions that are applied to the directory.
After making the required group membership changes, you must restart the DHCP service. This ensures that the new permission levels are activated.
DNS Servers
Similar to DHCP servers, DNS servers must have several configuration changes when deploying IPAM manually. These changes include:
■ Inbound firewall rules
■ Security group changes
■ Delegated DNS access
2. Copy the SID value for the IPAM server to the clipboard, as shown in Figure 7-7.
(A;;0x1;;; S-1-5-21-1910878678-1601286290-2698553502-1000)
With Windows Server 2016, you can also manage other Active Directory forests if a two-way forest trust has been configured. After you click Add for the domain, you can configure whether to discover the domain controllers, DHCP servers, and DNS servers for the domain. You can also add the domain to be discovered by using the Add-IpamDiscoveryDomain cmdlet:
Add-IpamDiscoveryDomain -Name "contosoforest.com"
By default, after discovering the servers in the environment, the manageability status is set to Unspecified. To configure a server as being managed, edit the server in the discovery list. Set the Manageability Status to Managed, as shown in Figure 7-11.
Adding a block of IP addresses can also be completed from PowerShell using the Add-IpamBlock cmdlet:
Add-IpamBlock -NetworkId "10.0.0.0/8"
Adding a range of IP addresses is like creating a block. The range expects the network ID and either the subnet prefix or subnet mask. Figure 7-13 shows creating an IPv4 address range.
After locating an available IP address, you can use the same tool to then allocate that IP address as a DHCP reservation, create a DNS record, or provide any other custom configuration with the IP address.
The IP Address Blocks and IP Address Range Groups pages in the IPAM interface also display the utilization rate for each block or range. The three states that a block or range can be in are:
■ Under  If the IP address allocation is less than 20 percent, then the block or range is considered under-utilized.
■ Optimal  If the IP address allocation is between 20 and 80 percent, then the block or range is considered optimal.
■ Over  If the IP address allocation is over 80 percent, then the block or range is considered over-utilized.
Figure 7-15 shows a portion of the IPAM interface that displays the utilization rate.
The under and over utilization rates can also be configured by modifying the utilization threshold for the IPAM configuration. From Server Manager, click Manage, and then click IPAM Settings. On the IPAM Settings screen, click Configure Utilization Threshold. Figure 7-16 shows the configuration screen for the threshold settings.
There are also three PowerShell cmdlets that can be used to identify available IP addresses:
■ Find-IpamFreeAddress  This cmdlet finds one or more available IP addresses that are in a range of addresses defined on the IPAM server.
■ Find-IpamFreeRange  This cmdlet finds free IP ranges that are available on the IPAM server.
■ Find-IpamFreeSubnet  This cmdlet finds free IP subnets that are available on the IPAM server.
Right-clicking a service offers multiple options, including managing the DHCP server properties from IPAM. Figure 7-18 displays the Edit DHCP Server properties configuration screen from the IPAM interface.
The available DNS zone options that can be configured from the IPAM interface include:
■ Add DNS Resource Record  This creates a record type, such as an A record, in the DNS zone.
■ Configure Preferred DNS Server  Select the authoritative DNS server for the DNS zone that is used by IPAM.
■ Reset Zone Status  Reset the status of the DNS zone in the IPAM database. Use the Retrieve Server Data option to collect the latest data from the DNS server.
■ Edit DNS Zone  Enables you to modify the name servers, scavenging, updates, and zone transfer settings for the zone.
■ Delete DNS Zone  Remove the zone from the DNS server.
■ Set Access Scope  Set the access scope on the IPAM server.
After the additional domains have been added to the IPAM database, the management process is the same regardless of which forest the server is in.
Thought Experiment
A company has a single Active Directory forest with multiple child domains. The company has partnered with another organization, and a two-way Active Directory forest trust has been established. The company plans to use IPAM with a Windows Internal Database, but needs to ensure that the database is part of the backup strategy. The following users must be configured to manage the IPAM environment. Each user must not have more permissions than are necessary.
■ User1 must be configured to manage IP address blocks.
■ User2 must be configured to manage DNS and DHCP servers.
■ User3 must be configured to manage IP address allocation in IPAM.
Using the above information, answer the following questions:
1. How many IPAM servers must be deployed to manage both forests?
2. How should the IPAM database be included in the backup strategy?
3. Which role should User1 be added to?
4. Which role should User2 be added to?
5. Which role should User3 be added to?
Implement network connectivity and remote access solutions
This chapter covers one skill that is represented on the exam, which is implementing Virtual Private Networks (VPNs) and DirectAccess. This is a small portion of the exam, and has not changed significantly since Windows Server 2012 R2. The same protocols, authentication options, and DirectAccess requirements that exist in Windows Server 2012 R2 still apply to Windows Server 2016.
When configuring a RAS Gateway, there are a few different VPN options:
■ Site-to-site VPN This connects two networks together, such as a branch office to a corporate office.
■ Point-to-site VPN This enables individual remote connections from client computers to a corporate office.
■ Dynamic routing with Border Gateway Protocol (BGP) BGP provides automatic route reconfiguration based on the routes that are connected from site-to-site VPNs.
■ Network Address Translation (NAT) NAT enables you to share a single IP address to connect multiple devices to a network.
■ DirectAccess server DirectAccess provides a method of seamless VPN services for client computers that are connecting to a corporate network.
The Remote Access server role can be installed by using the Add Roles and Features Wizard, or by using the Install-WindowsFeature cmdlet. After installing the role, use the Routing and Remote Access MMC snap-in to manage the server role. The initial setup requires completing the Routing and Remote Access Server Setup Wizard. Figure 8-1 shows the default configuration of the RAS snap-in. Note that the server icon is showing as down because no configuration has been defined.
To perform the initial configuration on the RAS server, right-click the server and then select Configure And Enable Routing And Remote Access. Figure 8-2 shows the available options to configure the RAS server.
To enable remote access and VPN access for remote clients, use the Remote Access option. The next configuration screen in the wizard prompts to configure the server for the type of connection: VPN or Dial-up. Figure 8-3 shows selecting VPN as the connection type.
For clients to connect to the network, they must have an IP address that is either on the network, or is routable for the network. The RAS server provides the option to assign IP addresses to clients automatically, from either a DHCP server on the network, or act as a DHCP server itself. You can also define a certain range of IP addresses for the RAS server to use specifically for remote clients. Figure 8-5 shows the IP Address Assignment screen of the wizard.
Finally, the last option in the wizard is to configure the authentication method for the remote clients. By default, the RAS server authenticates the clients using Windows Authentication through Extensible Authentication Protocol (EAP) or Microsoft encrypted authentication version 2 (MS-CHAP v2). Optionally, you can configure a RADIUS server to authenticate the clients, or configure the RAS server to act as a RADIUS server. Figure 8-6 shows the authentication configuration during the wizard.
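As an added example (not from the book), the same configuration the wizard walks through above, done from PowerShell: role install, VPN connection type, a static client address pool, and the default EAP/MS-CHAP v2 authentication set. The cmdlets come from the RemoteAccess module; the address range is an assumed value, and the parameter names should be confirmed with Get-Help on the server before use.

```powershell
# Added example, not the book's code. Assumes the RemoteAccess module (installed with
# the role) and an assumed client address range of 192.168.200.10-192.168.200.100.

# Role install (the Add Roles and Features Wizard equivalent). Routing is included
# because the RAS Gateway options above also cover NAT and BGP.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Figure 8-3 step: remote-client VPN (VpnS2S would be the site-to-site choice).
# Figure 8-5 step: hand out client addresses from a static range instead of DHCP.
Install-RemoteAccess -VpnType Vpn -IPAddressRange '192.168.200.10', '192.168.200.100'

# Figure 8-6 step: the wizard default is Windows Authentication accepting EAP or
# MS-CHAP v2. Setting the accepted list explicitly records that decision in the
# script instead of leaving it to whatever the server happened to start with.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2

# Confirm the resulting role state; VpnStatus should read Installed.
Get-RemoteAccess | Select-Object VpnStatus, VpnS2SStatus, DAStatus
```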
Multitenant mode
If there are multiple tenants hosted in the datacenter that are accessed, then the multitenant mode should be used. Multitenancy enables a datacenter to provide a cloud infrastructure to support virtual machine workloads, virtual networks, and storage.
Virtual networks can be created by using Hyper-V Network Virtualization. A RAS gateway can be integrated with the Hyper-V Network Virtualization stack to route network traffic efficiently depending on the tenant that is being accessed.
With Windows Server 2016, a RAS gateway can route traffic to any resource within a private or hybrid cloud network. The RAS gateway can route traffic between physical and virtual networks at any location.
Next, you identify the topology of the DirectAccess implementation. The RAS server can be in one of three configurations:
■ Edge The RAS server is directly connected to the Internet with no physical firewall or NAT device in place.
■ Behind An Edge Device (With Two Network Adapters) The RAS server is behind a network firewall or other device and has two network adapters. One network adapter is on the network with the firewall. The second network adapter is on the corporate internal network.
■ Behind An Edge Device (With A Single Network Adapter) The RAS server is behind a network firewall or edge device. The network adapter on the RAS server is connected to both the firewall and the internal corporate network.
After selecting the network topology, you can configure the DNS Suffix list that is used by DirectAccess clients. This is similar to setting a suffix list from DHCP. Anytime a DirectAccess client uses a single-label name, such as Server1, the server appends a list of DNS suffixes until a response is found for a FQDN. The order that the list is in is also important. If a match is found, then the remaining domains are skipped. If there are two Server1 objects in different lookup zones (or FQDNs), then the first in the list is returned to the DirectAccess client. Figure 8-11 shows configuring DirectAccess with the domain name and an additional domain.
The final step is to configure the Group Policy Objects (GPOs) that are used to apply the DirectAccess policies. Two GPOs are created and linked to the domain:
■ DirectAccess client GPO This contains the client settings for the DirectAccess clients.
■ DirectAccess server GPO This contains the RAS server settings for the DirectAccess server.
Figure 8-12 shows the confirmation to create the two new GPOs in the domain.
Thought Experiment
A company has a corporate office and three branch offices. The corporate office has approximately 10,000 client computers. Each branch office has approximately 1,000 client computers. Each branch office must have connectivity to the corporate office. The company also employs 1,000 sales and field staff that must connect remotely to the corporate network. All mobile clients run Windows 8.1 or Windows 10 Enterprise editions. Executive-level staff must have the ability to connect to the corporate network using their home computers that are not domain joined. IT staff must have the ability to VPN into the corporate network using SSL.
Using the above scenario, answer the following questions:
1. How should the sales and field staff connect to the corporate office?
2. How should executive-level staff connect to the corporate network?
3. How should the branch offices connect to the corporate office?
4. Which VPN protocol should the IT staff use for the VPN connection?
Implement an advanced network infrastructure
In this chapter, we will review the new features and skills that can be used with a network infrastructure in Windows Server 2016. From a networking perspective, the primary change to Windows Server 2016 is in the Software Defined Networking (SDN) components. These updates include the ability to:
■ Mirror and route traffic to new or existing appliances
■ Dynamically segment workloads similar to Microsoft Azure
■ Use a distributed firewall and network security groups
■ Deploy and manage the SDN with System Center Virtual Machine Manager
■ Combine SDN with Docker for container networking
Windows Server 2016 also includes enhancements to the TCP stack; however, these changes are not called out on the exam skills. These improvements include:
■ Increasing the Initial Congestion Window from 4 to 10
■ TCP Fast Open (TFO) has been enabled to reduce the time to establish a TCP connection
■ TCP Tail Loss Probe (TLP) has been implemented to assist in recovering from packet loss
■ Recent Acknowledgement (RACK) has been implemented to reduce the time required to transmit a packet
FIGURE 9-1 NIC Teaming
You can also enable RSS by using the netsh command. Figure 9-3 shows running the full netsh command.
netsh interface tcp set global rss=enabled
If you plan to use RSS in a virtual environment, then the Hyper-V host processor and network adapter must support RSS. Simply configure RSS by using the same methods within the virtual machine.
Server name CA PA
Server1 192.168.1.100 10.0.0.1
Server2 192.168.1.101 10.0.0.2
Server3 192.168.1.102 10.0.0.3
Using the information in the above table, when Server1 communicates with Server2, only the CA addresses are used during the communication. These addresses are on a virtual network that is only used by the virtual machines associated with the network. However, when any of the servers communicate with the Internet, the CA is encapsulated by the Hyper-V host. The Hyper-V host then modifies the source IP address of the packet header as the PA. The PA is used on the physical network to exit the virtual network and onto the Internet. When a response is received, it is sent to the PA address. The Hyper-V hosts then translate the PA back to the CA to deliver to the individual virtual machine.
Skill 9.2: Determine scenarios and requirements for implementing Software Defined Networking, CHAPTER 9
The Southbound API enables you to:
■ Discover network devices
■ Detect network configurations
■ Ascertain network topology details
■ Push configuration changes to the network infrastructure
The Northbound API enables you to obtain information from the Network Controller to monitor and configure a given network. The Northbound API can be used with:
■ Windows PowerShell
■ REST API
■ Management applications, including System Center
The Network Controller features can be used with Software Load Balancing (SLB) to distribute network traffic based on the policies defined in the load balancer. This includes:
■ Layer 4 load balancing for North-South and East-West network traffic
■ Internal and external network traffic
■ Dynamic IP addresses
■ Health probes
An SLB maps virtual IP addresses to the dynamic addresses in an environment. The components of an SLB environment include:
■ Virtual Machine Manager System Center can be used to manage the Network Controller and SLB.
■ Network Controller Deploying the Network Controller feature is a requirement for deploying SLB in an environment.
■ SLB Multiplexer Maps and directs traffic so that it is sent to the correct dynamic IP address.
■ SLB Host Agent Listens for policy updates from the Network Controller and configures virtual switches with the configured policy.
■ BGP-enabled router BGP enables you to route the traffic to and from the SLB Multiplexer.
FIGURE 9-6 Virtual Machine Hardware Acceleration Settings
Thought Experiment
A cloud provider is planning an expansion of their services. Additional Hyper-V hosts, network resources, storage, and other support components are installed. The cloud provider plans to provide new capabilities to their customers as part of the expansion. These capabilities must include:
■ Built-in firewall services for tenant networks
■ Tenant networks must support overlapping IP addresses
■ Enhanced storage performance
The provider also plans to use a Software Load Balancer for their network.
Using the above scenario, answer the following questions:
1. What feature should the provider use to protect tenant networks?
2. How can the provider ensure that tenant networks can overlap using the same IP addresses?
3. What technology should the network equipment support to enhance storage performance?
referred to as the parent domain. Domains joined to the parent domain are referred to as child domains.
■ Forests Make up a complete Active Directory instance. Each forest acts as a security boundary for the information contained within that Active Directory instance. A forest can contain multiple domains and all objects within.
To get started with AD DS, we first need to install a new forest. In the following example, Wingtip Toys has decided to implement AD DS into their environment. They are using Windows Server 2016 for all their domain controllers. For this exam, you should be familiar with installing a forest using Server Manager and PowerShell.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A New Forest. For the Root Domain Name, type WingtipToys.local and click Next.
12. On the Domain Controller Options page, review the default settings for forest and domain functional level. Confirm that Domain Name System (DNS) Server is checked. For the Directory Services Restore Mode (DSRM) Password, type P@ssw0rd in the two fields and click Next.
13. On the DNS Options page, note the DNS warning at the top of the wizard. This is expected as this is a new single-server installation of AD DS and we do not currently have a DNS server. Click Next.
14. On the Additional Options page, review the NetBIOS domain name and click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and sysvol folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure AD DS. Copy the contents of this text file for use in the next section of this objective. Close the text file and click Next.
CHAPTER 10 Install and configure Active Directory Domain Services
17. On the Prerequisites Check page, review any warnings displayed in the results pane and click Install. Once installation completes, the server automatically reboots to finish the AD DS configuration.
After completing these steps, you have a new AD DS forest for WingtipToys.local that consists of a single domain controller. The first time you log into a new forest, use the WINGTIPTOYS\Administrator account. Once logged in you can create additional administrative accounts for managing the objects in the domain.
5. When prompted for the Safe Mode Administrator Password, type P@ssw0rd.
6. Review the status messages in the PowerShell window as AD DS is configured on your server. Once the operation completes, the server automatically reboots.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click the Select option that appears next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Confirm that Domain Name System (DNS) Server and Global Catalog (GC) are checked. For the Directory Services Restore Mode (DSRM) password, type P@ssw0rd in the two fields and click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, note the default option for Replication and click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and sysvol folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure the new domain controller, which is similar to what we saw when we installed a new forest. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the results pane and click Install. Once the installation is complete, the server automatically reboots to complete the installation.
After completing these steps, the new domain controller is now associated as an object in the WingtipToys.local domain. Open Active Directory Users and Computers from an existing domain controller and confirm that the new server is shown in the Domain Controllers organizational unit. As with the installation of a new forest, adding a new domain controller can also be automated using the PowerShell script output seen in Step 16, most notably the Install-ADDSDomainController cmdlet.
3. When prompted, type the local administrator password for the server.
FIGURE 10-2 The Uninstall-ADDSDomainController cmdlet can be used to demote a domain controller from an existing forest.
running Windows Server 2012 R2. Your team has been tasked with upgrading the operating system across all 18 domain controllers to Windows Server 2016, followed by raising the domain functional level to match. There are three approaches to consider when faced with this scenario:
■ In-place upgrade In-place upgrades of the Windows Server operating system are supported. They also tend to be more cost effective, allowing you to reuse the existing hardware. If you plan to do an in-place upgrade of the operating system, be aware of the updated system requirements for the new operating system version. Also, take into consideration any application compatibility concerns if the domain controller is hosting additional roles for your organization.
■ Demote, upgrade, and promote If costs are a concern but a fresh installation is preferred over an in-place upgrade, consider demoting the existing domain controller, formatting it, installing the latest version of Windows Server, and promoting it back into the domain. When taking this approach, you still need to consider the system requirements for the newer version of Windows Server, and the lifecycle of the physical hardware you are reusing.
■ Side-by-side upgrade A side-by-side upgrade is not as cost efficient as the previous two options, but might be mandatory if existing hardware has reached end-of-life or doesn't meet the system requirements for the latest version of Windows Server. In this situation, you would build a new server and promote it as a domain controller. You want to consider the need for new host names, IP addresses, and possibly firewall changes to support the side-by-side upgrade. After a new domain controller is online, you will transition any roles from the existing domain controller, and then demote the existing domain controller.
After reviewing the above options, the best approach for Wide World Importers involves a mixture of side-by-side upgrades and refreshing existing domain controllers. Knowing that a portion of the existing domain controllers are three to four years old, it is safe to assume that the hardware for those domain controllers is reaching end-of-life and should be replaced soon. The servers that are one to two years old, on the other hand, could be demoted, refreshed, and promoted back into the domain.
6. Run the ipconfig /all command and review the IP and DNS settings for your network adapter. Confirm that the values match the assignments set above.
With the network adapter configured, we can now install the AD DS role on this server. To do so, utilize the same PowerShell cmdlets discussed earlier in this chapter.
1. Log in to your server running Windows Server 2016 Server Core.
2. At the command prompt, type powershell.exe to start PowerShell.
3. Run the following command to install the Active Directory Domain Services role and all required features:
Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
4. Run the following command to create the new forest and promote the server to a domain controller:
Install-ADDSForest -DomainName WingtipToys.local
5. When prompted for the Safe Mode Administrator Password, type P@ssw0rd.
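As an added example (not from the book), the Server Core build from steps 3 through 5 run unattended: the DSRM password is read as a SecureString rather than typed at a prompt or hard-coded, and the ADDSDeployment test cmdlet runs the same prerequisite checks the wizard shows before anything is changed. The NetBIOS name is an assumption.

```powershell
# Added example, not the book's code. Assumes the ADDSDeployment module that ships
# with the AD DS management tools; 'WINGTIPTOYS' is the assumed NetBIOS name.
$DomainName  = 'WingtipToys.local'
$NetbiosName = 'WINGTIPTOYS'

# Step 3: install the role and the management tools (which bring the ADDSDeployment module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

# Read the DSRM (Safe Mode Administrator) password as a SecureString so the value
# never lands in the command history, a transcript, or a script file.
$DsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# Dry run: the same checks as the wizard's Prerequisites Check page, without
# promoting the server. Stop here if anything other than Success comes back.
$check = Test-ADDSForestInstallation -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $DsrmPassword `
    -InstallDns
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Forest prerequisite check failed; resolve the reported issues before promoting.'
}

# Step 4: create the forest. -InstallDns matches the wizard's default DNS checkbox,
# -Force suppresses the confirmation prompt, and the server reboots when finished.
Install-ADDSForest -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $DsrmPassword `
    -InstallDns `
    -Force
```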
As a systems administrator for Wide World Importers, you are responsible for deploying new domain controllers when the need arises. You work at the corporate headquarters, located in San Francisco, CA. Your manager has just informed you that a new office is set to open in Dublin, Ireland later this year. This is the company's first office in Dublin, with the expectation of future growth. Initially you are limited to a 10 MB WAN link between the new office and the corporate headquarters. In the following example, we walk through the process of exporting the existing AD database, copying it to a new server, and using the IFM option to promote the server to a domain controller.
1. Log in to a domain controller on your domain.
2. Open an elevated command prompt.
3. At the command prompt, run the ntdsutil command to start the command-line tool for managing AD DS.
4. Run the activate instance ntds command to set NTDS as the active instance.
5. Run the ifm command to start the Install from Media process.
6. Run the following command to begin exporting a copy of your AD database and corresponding files. In this example, we are using the create sysvol full media type.
7. create sysvol full C:\IFM
Several status messages appear in the command prompt; these provide you with a progress report as the export runs. Once the export has completed successfully you receive a status message, as shown in Figure 10-3. At this stage, you can copy the contents of the IFM directory to a removable media source, or to the drive on the new server before you ship it to its future destination.
FIGURE 10-3 The ntdsutil command-line tool is used to manage Active Directory, including the ability to create installation media for new domain controllers.
In this example, we copy the contents of the IFM folder to the root of the system drive on our new server. Upon arrival, the server is powered up and ready to be promoted. The following steps walk through promoting a domain controller using the IFM export.
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, select Active Directory Domain Services. When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click Select next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Confirm that Domain Name System (DNS) Server and Global Catalog (GC) are checked. For the Directory Services Restore Mode (DSRM) password, type P@ssw0rd in the two fields and click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, check the box for Install From Media, as shown in Figure 10-4. In the path field, enter C:\IFM, where we copied the database export, and click Verify to confirm the files can be accessed. Click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and sysvol folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. Note the additional parameter for InstallationMediaPath. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the Results pane and click Install. Once installation completes the server automatically reboots to complete the installation.
18. After your new domain controller is online, log in and open Active Directory Users and Computers. Compare the contents with an existing domain controller. Confirm that the OU structure, objects, and attributes match across both domain controllers.
At this stage in the chapter we have walked through multiple installation scenarios for promoting a new domain controller. IFM adds some additional flexibility in your deployments, enabling you to reliably deploy domain controllers remotely, with limited saturation to your organization's WAN. These same methods can be used to prepare for larger deployments. For example, an organization that specializes in retail might have hundreds of stores across the globe, each with their own domain controller. Using IFM in this situation can be very beneficial in reducing overhead.
Resolve DNS SRV record registration issues
Throughout this chapter, we have deployed a few domain controllers under different circumstances. One common component among those domain controllers has been DNS. For AD DS to function properly, DNS must be installed and configured correctly. Every environment is different when it comes to DNS, and that plays a major role in the overall health of your AD DS forest.
AD DS relies on SRV records—also referred to as service records. Each record performs a different purpose, such as guiding clients to their nearest LDAP server, or allowing servers to communicate with each other. As the administrator for AD DS, you need to be familiar with these SRV records and how to troubleshoot registration issues. When problems do arise, there are a few resources that you can use to find a solution. Let's look at those now.
■ DNS Manager The DNS management console is part of the AD DS management tools. You can explore the SRV records in your domain using DNS Manager. In Figure 10-5, you can see we are looking at the forward lookup zone for WingtipToys.local. In the sites directory, we can confirm that the Ldap and Kerberos SRV records are present for our domain controllers.
FIGURE 10-5 The DNS Manager management console is an important tool for checking on SRV records.
■ Dcdiag The dcdiag utility is a command-line tool that provides tests that can assist in troubleshooting issues in your AD DS forest. A DNS test can be initiated from any of your domain controllers by running the following command from an elevated command prompt: dcdiag /test:dns.
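As an added example (not from the book), a script that checks the SRV records the DC locator depends on for the WingtipToys.local domain, and, when any are missing, restarts Netlogon (which re-registers a domain controller's SRV records) and then runs the dcdiag DNS test named above. The function name and the record list are this example's own; it assumes the DnsClient module's Resolve-DnsName.

```powershell
# Added example, not the book's code. Assumes Resolve-DnsName (DnsClient module)
# and the WingtipToys.local domain; Test-DcSrvRecords is a name chosen here.
function Test-DcSrvRecords {
    param(
        [string]$Domain = 'WingtipToys.local',
        [string]$DnsServer              # optional: query one specific DNS server
    )
    # Records the DC locator uses to find LDAP, Kerberos, password-change (kpasswd),
    # global catalog and PDC emulator services for the domain.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kpasswd._tcp.$Domain",
        "_gc._tcp.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain"
    )
    foreach ($name in $names) {
        $params = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params.Server = $DnsServer }
        # The answer may also carry A records for the targets; keep only the SRV rows.
        $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record  = $name
            Present = [bool]$answers
            Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

$results = Test-DcSrvRecords
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning "Missing SRV records: $($missing.Record -join ', ')"
    # Netlogon registers a DC's SRV records at start-up and refreshes them
    # periodically; restarting it on the DC forces an immediate re-registration.
    Restart-Service -Name Netlogon
    dcdiag /test:dns
}
```

Run the function against each DC's own DNS server (the -DnsServer parameter) as well as the default resolver; a record that resolves on one server but not another points at a replication or zone problem rather than a registration failure.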
FIGURE 10-6 The Active Directory Users and Computers management console displays the DC type for the domain controllers in your domain.
Another location for reviewing the status of a global catalog server is within the Active Directory Sites And Services management console. To reveal these options, you need to expand Sites, followed by the site where your domain controller is assigned. Under the site, expand Servers. With the desired domain controller selected, right-click NTDS Settings and choose Properties. On the General tab of the NTDS Settings properties window, there is a checkbox for designating the global catalog role, as shown in Figure 10-7. If you need to toggle this role on or off, apply the action here and the AD DS topology is updated.
FIGURE 10-7 The Active Directory Users and Computers management console displays the DC type for the domain controllers in your domain.
FIGURE 10-9 The netdom utility can assist in identifying where the FSMO roles are assigned in your domain.
TABLE 10-1 RODC security feature chart
Unidirectional replication: Unlike writable domain controllers, RODCs are designed to replicate changes inbound but not outbound. The other domain controllers in your forest do not replicate changes from an RODC. This improves security by preventing the possibility of a malicious update from replicating outward through your forest.
Special krbtgt account: The krbtgt account prevents a compromised RODC from accessing resources at a remote site.
Password Replication Policy (PRP): The PRP prevents passwords from being cached locally on the RODC. If an RODC is compromised, no account passwords can be obtained.
RODC Filtered attribute set (FAS): The FAS enables the administrator to assign which applications can replicate data to RODCs. This is accomplished by adding the attributes for the application to the RODC FAS and marking them as confidential.
For example, Wingtip Toys has recently expanded into the retail market, with 12 new stores set to open in the next six months. These stores require local domain controllers to support the multiple point-of-sale computers at each location. The physical security of these stores is limited, and in some cases, requires your servers to share some centralized rack space with the adjoining stores. Based on these requirements you have chosen to promote RODCs at each store. Let's walk through the process of promoting a RODC.
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services. When prompted to add additional features, review the list and select Include Management Tools (If Applicable). Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click Select next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Check the box for Read Only Domain Controller (RODC), as shown in Figure 10-10. For the Directory Services Restore Mode (DSRM) password, type P@ssw0rd in the two fields and click Next.
FIGURE 10-10 The Active Directory Domain Services Configuration Wizard includes the option for promoting a RODC on the Domain Controller Options page.
13. On the RODC Options page, review the default accounts and groups that replicate passwords to the RODC and those that are denied, as shown in Figure 10-11. Click Next.
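As an added example (not from the book), the PowerShell equivalent of steps 11 through 13: promoting a store RODC with an explicit Password Replication Policy instead of accepting the defaults shown in Figure 10-11, and afterwards reviewing what the RODC is allowed to cache and has actually cached. It assumes the ADDSDeployment and ActiveDirectory modules and the WingtipToys.local domain; the site, group and host names (Store01, Store01-POS-Users, Store01-Admins, WTT-RODC-01) are assumptions.

```powershell
# Added example, not the book's code. Assumes ADDSDeployment and ActiveDirectory,
# the WingtipToys.local domain, and assumed names: site 'Store01', groups
# 'Store01-POS-Users' and 'Store01-Admins', RODC host name 'WTT-RODC-01'.
$DomainName = 'WingtipToys.local'
$cred = Get-Credential -Message "Domain Admins account in $DomainName"
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# -ReadOnlyReplica is the RODC checkbox from step 12. The PRP (step 13) decides whose
# password secrets may be cached on a server with limited physical security: allow
# only the store's own accounts, and deny the privileged groups so their secrets
# never land on the RODC. -DelegatedAdministratorAccountName gives store staff local
# admin rights on the RODC without making them domain administrators.
Install-ADDSDomainController -DomainName $DomainName `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -ReadOnlyReplica `
    -SiteName 'Store01' `
    -InstallDns `
    -AllowPasswordReplicationAccountName @('WINGTIPTOYS\Store01-POS-Users') `
    -DenyPasswordReplicationAccountName @(
        'WINGTIPTOYS\Domain Admins',
        'WINGTIPTOYS\Enterprise Admins',
        'WINGTIPTOYS\Schema Admins',
        'WINGTIPTOYS\Administrators',
        'WINGTIPTOYS\Account Operators',
        'WINGTIPTOYS\Server Operators',
        'WINGTIPTOYS\Backup Operators'
    ) `
    -DelegatedAdministratorAccountName 'WINGTIPTOYS\Store01-Admins' `
    -Force

# --- After the reboot, from a writable domain controller ---
# Review the policy as stored in the directory ...
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'WTT-RODC-01' -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'WTT-RODC-01' -Denied
# ... and the accounts whose secrets the RODC has actually cached. If the RODC is
# ever stolen or compromised, this is the list of accounts whose passwords to reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'WTT-RODC-01' -RevealedAccounts
```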
4. On the Change Directory Server dialog window, select the RODC in the list and click OK. Before connecting to the RODC you are presented with a warning stating that write operations are not permitted, as shown in Figure 10-12. Click OK.
5. Right-click the Users container. Notice that the option to create new items is not available.
6. Click the Users container. Right-click the Administrator account. Notice the options to update group membership, disable the account, and reset the password are all disabled.
Now that you have deployed an RODC and explored some of the basic functionality, consider the cases where this would make sense in your environment. The RODC is very effective at preventing changes to your existing AD DS forest. However, be cautious in your deployments. I had a customer that insisted on replacing all the writable domain controllers with RODCs at each of their remote offices. This quickly introduced a lot of management overhead. Changes could only be made on the writable domain controllers at the central office. This affected replication when multiple changes needed to be made. Offices were thousands of miles apart and operated in different time zones. These domain controllers were all racked in secure locations, so the RODC topology didn't make sense for this environment.
5. Confirm that the source domain controller does not have any applications or services installed that are not compatible with cloning. To do so, run the following command:
Get-ADDCCloningExcludedApplicationList
6. If any items appear in the application list, they need to be removed from the domain controller or added to a CustomDCCloneAllowList.xml before you can proceed with cloning. To create the CustomDCCloneAllowList.xml, run the following command:
Get-ADDCCloningExcludedApplicationList -GenerateXML
7. Create a new clone configuration file for the source domain controller. To do so, run the following command and review the output for any warnings or errors:
New-ADDCCloneConfigFile -CloneComputerName "WTT-DC-03" -SiteName Default-First-Site-Name -IPv4Address 10.0.0.15 -IPv4DefaultGateway 10.0.0.254 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 10.0.0.1,10.0.0.15 -Static
3. Run the fo ow ng command to mport the new v rtua mach ne
Import-VM -Path “<XMLFile> -Copy -GenerateNewId -VhdDestinationPath D:\WTT-
DC-03
Once the mport has comp eted, power on the new v rtua mach ne Be sure to eave the
source doma n contro er powered off dur ng th s t me When you start the new v rtua mach ne,
t n t a y runs under the context of the source doma n contro er unt the c on ng process has
comp eted, at wh ch po nt you can restore the source doma n contro er to act ve duty
When the new domain controller powers up for the first time, the cloning process triggers automatically. This process utilizes the cloning configuration file that we created earlier in this section. The boot sequence displays a simple percentage to indicate how far along the cloning process is, as shown in Figure 10-13.
Once the cloning process has completed, log in to your new domain controller. Open Active Directory Sites and Services on your new domain controller. Navigate to the Default-First-Site-Name site and look in the Servers directory. Confirm that all three domain controllers are present. At this stage, you can power on your source domain controller that was previously left offline.
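The following script is an added example, not the book's own code: it strings the checks from steps 5 through 7 together on the source domain controller and adds a verification to run once the clone has booted. It assumes a source domain controller named WTT-DC-02 (hypothetical), the clone name and 10.0.0.0/24 addressing used in this section, and the default NTDS path for the generated DCCloneConfig.xml.

```powershell
# Run on the source domain controller; WTT-DC-02 is an assumed name.
Import-Module ActiveDirectory

$SourceDC          = 'WTT-DC-02'
$CloneName         = 'WTT-DC-03'
$AllowListReviewed = $false   # set to $true only after reviewing the excluded list

# Cloning only works for members of Cloneable Domain Controllers; otherwise the
# clone would boot as a duplicate of the source instead of becoming a new DC.
$member = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
          Where-Object { $_.Name -eq $SourceDC }
if (-not $member) { throw "$SourceDC is not a member of Cloneable Domain Controllers" }

# Step 5: list installed applications and services not known to be clone-safe.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Warning
    if (-not $AllowListReviewed) {
        throw 'Remove these applications, or review them before allow-listing.'
    }
    # Step 6: write CustomDCCloneAllowList.xml for the reviewed items only.
    Get-ADDCCloningExcludedApplicationList -GenerateXML
}

# Step 7: generate DCCloneConfig.xml with the clone's identity and addressing.
New-ADDCCloneConfigFile -CloneComputerName $CloneName `
    -SiteName 'Default-First-Site-Name' -Static `
    -IPv4Address 10.0.0.15 -IPv4SubnetMask 255.255.255.0 `
    -IPv4DefaultGateway 10.0.0.254 -IPv4DNSResolver 10.0.0.1,10.0.0.15

# The file is written to the NTDS working directory (default path assumed).
$cfg = Join-Path $env:SystemRoot 'NTDS\DCCloneConfig.xml'
if (-not (Test-Path $cfg)) { throw "DCCloneConfig.xml was not created at $cfg" }

# After exporting, importing and booting the clone, run this from any DC to
# confirm that all three domain controllers are registered in the site, the
# same check as opening Sites and Services and counting the Servers entries.
function Test-CloneRegistered {
    param([string] $CloneName, [string] $Site = 'Default-First-Site-Name')
    $dcs = @(Get-ADDomainController -Filter "Site -eq '$Site'")
    $dcs | Select-Object Name, IPv4Address, Site | Format-Table -AutoSize
    return ($dcs.Count -eq 3 -and $dcs.Name -contains $CloneName)
}
# Test-CloneRegistered -CloneName $CloneName   # run once the clone is up
```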
In preparation for the exam, familiarize yourself with the PowerShell cmdlets used to generate the custom application list XML and cloning configuration XML. Be prepared to answer questions related to prerequisites, such as knowing which versions of Windows Server support domain controller cloning.
Thought experiment answers
1. Implementing RODCs at the retail stores helps restrict potential malicious activities if the local domain controller is compromised.
2. Utilizing IFM for the deployment of these new domain controllers enables the team to rapidly deploy the new servers, as well as greatly reducing the replication overhead across the multiple WAN links.
3. To improve reliability and redundancy, each office should utilize two domain controllers. New servers should be deployed to offices that only contain a single domain controller.
4. For the web portal, utilizing a server core installation to host the domain controller improves security and limits downtime for routine patching, due to the reduced number of security patches.
Implement identity federation and access solutions
In this chapter, we discuss the identity management solutions that are provided with Active Directory Federation Services (AD FS). AD FS can also be combined with the Remote Access server role, which can be used to enable a Web Application Proxy (WAP). AD FS can be used to manage federated environments, and enable multi-factor authentication for organizations. Used together with a WAP, clients can be preauthenticated by an application or service before being directed to the application server.
Windows Server 2016 introduces a few new features to AD FS, not all of which are included on the upgrade exam. New features include:
■ Azure multi-factor authentication (MFA) Use Azure to enable MFA for an application or server in the organization.
■ Password-less access from devices Use Azure AD or Intune MDM policies to enable sign-on and access control based on the compliance status for the device.
■ Sign in using Windows Hello for Business This was previously known as Microsoft Passport for Work.
■ Enable sign-in using third-party LDAP LDAP v3-compliant directories can be used as a source for authenticating users.
■ Customizable sign-in The logon screen for individual applications can be customized for companies or brands.
■ Enhanced auditing Auditing in AD FS in Windows Server 2016 has been streamlined and is less verbose, to reduce administrative complexity.
■ SAML 2.0 support AD FS can be used with InCommon Federations and other SAML 2.0 configurations.
■ Simplified password management When federating with Office 365, password expiration notifications can be sent and managed by AD FS when a user is being authenticated.
FIGURE 11-1 Add Relying Party Trust
The next step of configuring a relying party trust is to specify the source data for the relying party. This information can be provided in one of three ways:
■ From a published source, online or on the network
■ From a federation metadata file
■ Entered manually in the wizard
Figure 11-2 shows the available options for providing the configuration details.
When specifying the details manually, the information that is required includes:
■ Display name
■ Optional certificate
■ Federation URLs
■ Relying party trust identifiers
After specifying the trust details, the next configuration item is whether to set access control policies. These policies can be configured now, or at a later time. A common access method is to permit everyone, but require multi-factor authentication when the request is external. Figure 11-3 shows selecting an access control policy.
FIGURE 11-3 Specifying data source
You can also specify a custom access control policy from the AD FS management snap-in. The available options are to permit:
■ Everyone
■ Users
■ From a specific network
■ From specific security groups
■ From devices that have a specific trust level
■ With specific claims in the request
■ And require multi-factor authentication
You can also permit these users or groups with the following exceptions:
■ Specific networks
■ Specific groups
■ Devices with specific trust levels
■ Specific claims in the request
Figure 11-5 shows defining a custom access control policy.
Implement and configure device registration
AD FS in Windows Server 2016 enhances device registration to enable sign-on and access control based on the compliance status of a device. When users authenticate using a device credential, the device's compliance is re-evaluated to ensure that policies are applied appropriately. This can include:
■ Enable access only from devices that are managed and/or compliant
■ Enable external access for devices that are managed and/or compliant
■ Require MFA for computers that are not managed or compliant
Figure 11-7 illustrates using device registration with AD FS. Users and devices can be enrolled by using Azure AD or Microsoft Intune. Both services use Azure AD with Azure AD Connect device write-back. The devices can connect to on-premises services that might also contain conditional access policies, device authentication, or MFA.
Additionally, you can configure the Web Application Proxy by using the Install-WebApplicationProxy cmdlet. The cmdlet must specify the federation service name and certificate thumbprint to be used:
Install-WebApplicationProxy -CertificateThumbprint 'A142A369FC60C7984A70A56A17E31228546D85D8' `
    -FederationServiceName 'host02.contosoforest.com'
Alternatively, you can use the Add-WebApplicationProxyApplication cmdlet and specify PassThrough for the ExternalPreAuthentication parameter:
Add-WebApplicationProxyApplication -BackendServerURL 'https://app1.contosoforest.com/' `
    -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' `
    -ExternalURL 'https://app1.contosoforest.com/' -Name 'App1 (no preauthentication)' `
    -ExternalPreAuthentication PassThrough
Configure AD FS requirements
The only requirement for using a WAP with AD FS is that a farm is configured with a relying party trust. Without a relying party trust, you are not able to publish an application to be used with the WAP.
Alternatively, you can use the Add-WebApplicationProxyApplication cmdlet to publish an application:
Add-WebApplicationProxyApplication -BackendServerUrl 'https://app1.contosoforest.com' `
    -ExternalCertificateThumbprint '2FC38D0224B0A6412F450A9597271179878708B0' `
    -EnableHTTPRedirect:$true -ExternalUrl 'https://app1.contosoforest.com' `
    -Name 'App1' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName 'AD FS'
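As an added example that is not part of the book, the following script audits the applications already published on a WAP for the two settings discussed above: whether external preauthentication is PassThrough or ADFS, and whether the named relying party trust actually exists on the federation server. It assumes it runs on the WAP server, that the federation server name passed in (host02.contosoforest.com from the section above) accepts PowerShell remoting, and that the AD FS module is installed there.

```powershell
# Added example: inventory WAP publishing rules and flag weak ones.
Import-Module WebApplicationProxy

function Get-WapPublishingFindings {
    param([string] $FederationServer)   # hypothetical parameter; AD FS host name

    $apps   = Get-WebApplicationProxyApplication
    $trusts = @()
    if ($FederationServer) {
        # Relying party trusts are defined on the federation server, not on the WAP.
        $trusts = Invoke-Command -ComputerName $FederationServer -ScriptBlock {
            (Get-AdfsRelyingPartyTrust).Name
        }
    }

    foreach ($app in $apps) {
        $findings = @()
        if ($app.ExternalPreauthentication -eq 'PassThrough') {
            # Pass-through rules forward every external request to the backend
            # without AD FS preauthentication; each one needs a justification.
            $findings += 'PassThrough: no AD FS preauthentication'
        }
        elseif ($FederationServer -and ($trusts -notcontains $app.ADFSRelyingPartyName)) {
            $findings += "relying party trust '$($app.ADFSRelyingPartyName)' not found on $FederationServer"
        }
        if (-not $app.EnableHTTPRedirect) {
            $findings += 'HTTP to HTTPS redirect disabled'
        }
        if ($app.ExternalUrl -notlike 'https://*') {
            $findings += 'external URL is not HTTPS'
        }
        [pscustomobject]@{
            Name        = $app.Name
            ExternalUrl = $app.ExternalUrl
            Preauth     = $app.ExternalPreauthentication
            Findings    = ($findings -join '; ')
        }
    }
}

# Show only the published applications that have at least one finding.
Get-WapPublishingFindings -FederationServer 'host02.contosoforest.com' |
    Where-Object Findings | Format-Table -AutoSize
```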
Thought Experiment
An organization has an existing Windows Server 2012 R2 AD FS farm. They plan to upgrade the farm to Windows Server 2016. After the upgrade, they also plan to implement Azure MFA with their applications. The organization does not currently have any additional configuration software in their environment. The MFA solution must also work with biometric options. After the upgrade, they plan to centralize user requests by using a reverse proxy. All user requests must be secured.
Using the above scenario, answer the following questions:
1. How should the organization complete the upgrade?
2. What additional software should the organization use to integrate Azure MFA?
3. What technology should the organization use to enable biometric MFA?
4. How should the organization ensure that all requests are secure?
I
identity management 273–292
  Web Application Proxy 284–290
IFM. See Install from Media
IKEv2 tunneling protocol 217
images
  base operating system 97
  creating new container 107
  for deployment 20–25
  management of
    using Docker Hub 107–108
    using Microsoft Azure 109
  managing 25
  tagging 98–99
  uninstalling operating system 98
  viewing list of available container 99
image templates. See template images
Import DHCP Policy 202
importing
  virtual machines 71–72
Import-Module cmdlet 165
Import-PackageProvider NanoServerPackage command 17
Import Virtual Machine wizard 72
InfiniBand 231
infrastructure master role 260
Initial Congestion Window 227
in-place upgrades 251
installation
  base operating system 97
  Docker 95–96
  FreeBSD Integration Services 69
  GUI 3
  Hyper-V 51–58
  iSCSI Target Server server role 36
  Install from Media feature 253–256
  types of 253
Install from Media (IFM) 253–256
Install-NanoServerPackage cmdlet 18
Install-PackageProvider NanoServerPackage command 17
Install-RemoteAccess cmdlet 215
Install-WebApplicationProxy cmdlet 286
Install-WindowsFeature cmdlet 94
Install-WindowsFeature cmdlet 184, 211
Install-WindowsFeature cmdlet 6, 40
Institute of Electrical and Electronics Engineers (IEEE) 231
integration services
  management of 67
Internet Assigned Numbers Authority (IANA) 168, 193
Internet Storage Name Service (iSNS)
  configuration 39–40
Internet Wide Area RDMA Protocol (iWARP) 231
Intune 217. See Microsoft Intune
Invoke-Command 60
Invoke-IpamGpoProvisioning cmdlet 186
Invoke-IpamServerProvisioning cmdlet 186
I/O scheduler 23
IP Address Blocks page 196
IP addresses 103
  filtering 171
  for virtual machines 236
  RAS server 213–214
  space utilization 195–197, 199
  virtual 238
  with network virtualization 237
IP address management (IPAM) 183–208
  configuration of database storage using SQL Server 198
  DHCP management using 199–202, 204–205
P
PackageManagement provider 17
parent-child disks 76
parent domains 244
parity storage layout 32–34
pass-through disks
  configuration 77
pass-through mode
  WAP 286–287
Password Replication Policy (PRP) 264
passwords
  Directory Services Restore Mode (DSRM) 249, 265
  management, in AD FS 273
  Safe Mode Administrator Password 247
  unencrypted 216
PDC emulator role 260
performance tuning 179
PFS. See Perfect Forward Secrecy
Physical Functions 233
planned failovers 114
platform as a service. See PaaS
Point-to-Point Tunneling Protocol (PPTP) 215
point-to-site VPNs 211, 239
port 443 215
port mapping 104
PowerShell
  adding disks using 35
  adding FC adapter using 81
  adding network adapters using 84
  container management using 102
  direct running of 1
  DISM in 25
  Docker installation 95
  enabling remoting in 58
  exporting and importing VMs using 72–73
  Hyper-V installation using 52
  importing 15
  MAC address configuration from 87
  management tools installation using 53
  managing virtual hard disks using 78
  NIC teaming in 89
  storage pool creation using 32–33
  Storage Replica module 44
  virtual disk creation using 33–34, 39
  virtual switches from 85
  Windows Container installation using 94
PowerShell Direct
  configuring virtual machines using 59
PPTP. See Point-to-Point Tunneling Protocol
preference settings
  for failover clustering 154–155
PreferredSite property 157
processor compatibility
  VMs and 120–121
production checkpoints 79–80
Protected Network 159
Provider Address (PA) 237
provisioning types 33–35
proxies
  web application 210
Publish New Application Wizard 289
PXE boot 83
PXE TFTP server 23
Q
Quality of Service (QoS) 231
  storage 82
query resolution policy 171
quick migration
  of VMs 158
quorum witnesses
  configuration of 130–134
R
RADIUS authentication 216
RADIUS server 214
RAS Gateway 210–215
  deployment scenarios 217–218
  multitenant edge 218
  single-tenant edge 217, 218
  VPN options 211
  with Hyper-V Network Virtualization 239
RDG. See Remote Desktop Gateway
RDMA. See Remote Direct Memory Access
RDMA-based storage networks 236
RDMA over Converged Ethernet (RoCE) 231
RDS. See Remote Desktop Services
read-only domain controllers (RODCs) 243, 260, 263–267
  security features 264
Receive Side Scaling (RSS) 229–230
  server storage 29–44
  upgrades and migrations to 10–11
  virtualization
    planning for 21–22
Windows Server 2016 Datacenter 4
Windows Server 2016 Essentials 4
Windows Server 2016 MultiPoint Premium Server 4
Windows Server 2016 Standard 4
Windows Server Backup 48
Windows Server Core. See Server Core
Windows Server Gateway 235
  implementation scenarios 239–240
Windows Storage Server 2016 4
Windows Update 67
Windows Updates 138
workgroup clusters 127–130
World Wide Name (WWN) 80
WS-MAN protocol 121