
MCT USE ONLY. STUDENT USE PROHIBITED

OFFICIAL MICROSOFT LEARNING PRODUCT

Configuring Advanced Windows Server 2012 Services

20412A


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20412A Part Number: X18-48644 Released: 09/2012


MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply. BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location.

d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. Licensed Content means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.

f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.

g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy Program.

h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status.

i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies.

j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner Network program member in good standing.

k. Personal Device means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course.

l. Private Training Session means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

m. Trainer Content means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines.

2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are four separate sets of installation and use rights. Only one set of rights apply to you.

a. If you are a Authorized Learning Center:

i. If the Licensed Content is in digital format for each license you acquire you may either:

1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or

2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session.

ii. You agree that:

1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

b. If you are a MPN Member.

i. If the Licensed Content is in digital format for each license you acquire you may either:

1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or

2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session.

ii. You agree that:

1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.


d. If you are a MCT.

i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.

2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplements the terms described in this Agreement.

3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other provisions in this agreement, then these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest ("beta term"). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control.

4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means.

5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

- install more copies of the Licensed Content on devices than the number of licenses you acquired;
- allow more individuals to access the Licensed Content than the number of licenses you acquired;
- publicly display, or make the Licensed Content available for others to access or use;
- install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement;
- reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation;
- access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content;
- access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or
- transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.

6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.


7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting.

8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

9. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to

- anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are also provided in French. The French-language clauses, rendered in English, read as follows.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of this Licensed Content is at your sole risk and peril. Microsoft grants no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and loss of profits. This limitation applies to: anything related to the Licensed Content, to services, or to content (including code) on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights conferred on you by the laws of your country if those laws do not permit it to do so.

Revised December 2011


Acknowledgments

Microsoft Learning wants to acknowledge and thank the following for their contribution toward developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Stan Reimer Content Developer

Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author. Stan has extensive experience consulting on Active Directory and Microsoft Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press. For the last nine years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been a Microsoft Certified Trainer (MCT) for 12 years.

Damir Dizdarevic Subject Matter Expert/Content Developer

Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and Microsoft Certified Information Technology Professional (MCITP). He is a manager and trainer at the Learning Center of Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. Damir has more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server, Exchange Server, security, and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft Official Courses (MOC), and has published more than 400 articles in various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and highly rated speaker at most Microsoft conferences in Eastern Europe. Additionally, Damir is a Microsoft Most Valuable Professional (MVP) for Windows Server Infrastructure Management.

Orin Thomas Content Developer

Orin Thomas is an MVP, an MCT, and holds a string of Microsoft MCSE and MCITP certifications. He has written more than 20 books for Microsoft Press, and is a contributing editor at Windows IT Pro magazine. Orin has been working in IT since the early 1990s. He is a regular speaker at events such as TechEd in Australia, and around the world, on Windows Server, Windows Client, Microsoft System Center, and security topics. Orin founded and runs the Melbourne System Center Users Group.

Vladimir Meloski Content Developer

Vladimir Meloski is an MCT, an MVP on Exchange Server, and consultant providing unified communications and infrastructure solutions based on Microsoft Exchange Server, Microsoft Lync Server, and System Center. Vladimir has 16 years of professional IT experience, and has been involved in Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on labs, and technical expert. He has also been involved as a subject matter expert and technical reviewer for several MOC courses.

Nick Portlock Author

Nick Portlock has been an MCT for 15 years. He is a self-employed IT trainer, consultant and author. Last year, Nick taught in more than 20 countries. He specializes in Active Directory, Group Policy, and Domain Name System, and has consulted with a variety of companies over the last decade. Nick has reviewed more than 100 Microsoft courses, and is a member of the Windows 7 STEP program.


Gary Dunlop Subject Matter Expert


Gary Dunlop is based in Winnipeg, Canada, and is a technical consultant and trainer for Broadview Networks. Gary has authored a number of Microsoft Learning titles, and has been an MCT since 1997.

Ulf B. Simon-Weidner Technical Reviewer

Ulf B. Simon-Weidner is a senior consultant with a European provider of infrastructure solutions in Germany. He is also an independent author, consultant, speaker, and trainer. Ulf has been repeatedly awarded MVP for Windows Server Directory Services over the past decade, and has been an MCT for more than 10 years. Throughout his professional career, Ulf has had several consulting engagements with major European and global corporations. He has also published multiple books and magazine articles about Active Directory, Windows Server, Windows client operating systems, and security. Ulf is a frequent speaker at conferences including Microsoft TechEd North America and Europe, and The Experts Conference. Ulf contributes his technical and from-the-field experience to multiple Windows Server courses as a technical reviewer.


Contents
Module 1: Implementing Advanced Network Services
  Lesson 1: Configuring Advanced DHCP Features  1-2
  Lesson 2: Configuring Advanced DNS Settings  1-11
  Lesson 3: Implementing IPAM  1-21
  Lab: Implementing Advanced Network Services  1-31

Module 2: Implementing Advanced File Services
  Lesson 1: Configuring iSCSI Storage  2-2
  Lesson 2: Configuring BranchCache  2-9
  Lesson 3: Optimizing Storage Usage  2-16
  Lab A: Implementing Advanced File Services  2-22
  Lab B: Implementing BranchCache  2-28

Module 3: Implementing Dynamic Access Control
  Lesson 1: Overview of Dynamic Access Control  3-2
  Lesson 2: Planning for Dynamic Access Control  3-8
  Lesson 3: Deploying Dynamic Access Control  3-13
  Lab: Implementing Dynamic Access Control  3-22

Module 4: Implementing Network Load Balancing
  Lesson 1: Overview of NLB  4-2
  Lesson 2: Configuring an NLB Cluster  4-5
  Lesson 3: Planning an NLB Implementation  4-10
  Lab: Implementing Network Load Balancing  4-16

Module 5: Implementing Failover Clustering
  Lesson 1: Overview of Failover Clustering  5-2
  Lesson 2: Implementing a Failover Cluster  5-14
  Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster  5-20
  Lesson 4: Maintaining a Failover Cluster  5-25
  Lesson 5: Implementing a Multi-Site Failover Cluster  5-30
  Lab: Implementing Failover Clustering  5-36

Module 6: Implementing Failover Clustering with Hyper-V
  Lesson 1: Overview of Integrating Hyper-V with Failover Clustering  6-2
  Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters  6-7
  Lesson 3: Implementing Hyper-V Virtual Machine Movement  6-15
  Lesson 4: Managing Hyper-V Virtual Environments by Using VMM  6-21
  Lab: Implementing Failover Clustering with Hyper-V  6-31

Module 7: Implementing Disaster Recovery
  Lesson 1: Overview of Disaster Recovery  7-2
  Lesson 2: Implementing Windows Server Backup  7-7
  Lesson 3: Implementing Server and Data Recovery  7-16
  Lab: Implementing Windows Server Backup and Restore  7-20

Module 8: Implementing Distributed Active Directory Domain Services Deployments
  Lesson 1: Overview of Distributed AD DS Deployments  8-2
  Lesson 2: Deploying a Distributed AD DS Environment  8-9
  Lesson 3: Configuring AD DS Trusts  8-18
  Lab: Implementing Complex AD DS Deployments  8-23

Module 9: Implementing Active Directory Domain Services Sites and Replication
  Lesson 1: Overview of AD DS Replication  9-2
  Lesson 2: Configuring AD DS Sites  9-10
  Lesson 3: Configuring and Monitoring AD DS Replication  9-16
  Lab: Implementing AD DS Sites and Replication  9-22

Module 10: Implementing Active Directory Certificate Services
  Lesson 1: PKI Overview  10-2
  Lesson 2: Deploying CAs  10-10
  Lesson 3: Deploying and Managing Certificate Templates  10-16
  Lesson 4: Implementing Certificate Distribution and Revocation  10-21
  Lesson 5: Managing Certificate Recovery  10-29
  Lab: Implementing Active Directory Certificate Services  10-33

Module 11: Implementing Active Directory Rights Management Services
  Lesson 1: AD RMS Overview  11-2
  Lesson 2: Deploying and Managing an AD RMS Infrastructure  11-7
  Lesson 3: Configuring AD RMS Content Protection  11-13
  Lesson 4: Configuring External Access to AD RMS  11-19
  Lab: Configuring AD RMS  11-24

Module 12: Implementing Active Directory Federation Services
  Lesson 1: Overview of AD FS  12-2
  Lesson 2: Deploying AD FS  12-11
  Lesson 3: Implementing AD FS for a Single Organization  12-17
  Lesson 4: Deploying AD FS in a B2B Federation Scenario  12-23
  Lab: Implementing AD FS  12-28

Lab Answer Keys
  Module 1 Lab: Implementing Advanced Network Services  L1-1
  Module 2 Lab A: Implementing Advanced File Services  L2-11
  Module 2 Lab B: Implementing BranchCache  L2-18
  Module 3 Lab: Implementing Dynamic Access Control  L3-25
  Module 4 Lab: Implementing Network Load Balancing  L4-35
  Module 5 Lab: Implementing Failover Clustering  L5-41
  Module 6 Lab: Implementing Failover Clustering with Hyper-V  L6-49
  Module 7 Lab: Implementing Windows Server Backup and Restore  L7-55
  Module 8 Lab: Implementing Complex AD DS Deployments  L8-61
  Module 9 Lab: Implementing AD DS Sites and Replication  L9-67
  Module 10 Lab: Implementing Active Directory Certificate Services  L10-71
  Module 11 Lab: Configuring AD RMS  L11-85
  Module 12 Lab: Implementing AD FS  L12-95

About This Course


Course Description

This section provides a brief description of the course, audience, suggested prerequisites, and course objectives.

Note: This first release (A) MOC version of course 20412A has been developed on prerelease software (Release Candidate (RC)). Microsoft Learning will release a B version of this course after the RTM version of the software is available.

This course will provide you with the knowledge and skills you need to provision advanced services in a Windows Server 2012 enterprise environment. This course will teach you how to configure and manage high availability features, file and storage solutions, and network services in Windows Server 2012. You will also learn about configuring the Active Directory Domain Services (AD DS) infrastructure, and implementing backups and disaster recovery.

Audience

This course is intended for IT Professionals who have real-world hands-on experience implementing, managing and maintaining a Windows Server 2012 infrastructure in an existing Enterprise environment, and wish to acquire the skills and knowledge necessary to carry out advanced management and provisioning of services within that Windows Server 2012 environment.

The secondary audience for this course will be candidates aspiring to acquire the Microsoft Certified Systems Administrator (MCSA) credential either in its own right or in order to proceed in acquiring the Microsoft Certified System Engineer (MCSE) credentials, for which this is a prerequisite. IT professionals seeking certification in the 70-412: Configuring Advanced Windows Server 2012 Services exam also may take this course.

Student Prerequisites
This course requires that you meet the following prerequisites:

- At least two years of hands-on experience working in a Windows Server 2008 or Windows Server 2012 environment
- Equivalent knowledge of the 20410A: Installing and Configuring Windows Server 2012 course:
  - Installing and configuring Windows Server 2012 into existing enterprise environments, or as standalone installations
  - Configuring local storage
  - Configuring roles and features
  - Configuring file and print services
  - Configuring Windows Server 2012 servers for local and remote administration
  - Configuring IPv4 and IPv6 addresses
  - Configuring Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services
  - Installing domain controllers
  - Creating and configuring users, groups, computers and organizational units (OUs)
  - Creating and managing group policies
  - Configuring local security policies
  - Configuring Windows Firewall
  - Configuring Windows Server 2012 Hyper-V
- Equivalent knowledge of the 20411A: Administering Windows Server 2012 course:
  - Deploying and managing Windows Server images
  - Installing and configuring Update Services
  - Monitoring the Windows Server 2012 environment
  - Installing and configuring Distributed File System (DFS)
  - Installing and configuring File Server Resource Manager (FSRM)
  - Configuring file and disk access, and audit policies
  - Configuring DNS security and integration with AD DS
  - Maintaining network integrity by configuring Network Access using Network Policy Server (NPS) and Network Access Protection (NAP)
  - Configuring Remote Access using virtual private networks (VPNs) and Windows 7 DirectAccess
  - Configuring Domain Controllers
  - Managing and maintaining the Active Directory environment
  - Managing and maintaining the Windows Server 2012 domain environment using Group Policy

Course Objectives
After completing this course, students will be able to:
- Configure advanced features for DHCP and DNS, and configure IP Address Management (IPAM).
- Configure file services to meet advanced business requirements.
- Configure Dynamic Access Control (DAC) to manage and audit access to shared files.
- Provide high availability and load balancing for web-based applications by implementing Network Load Balancing (NLB).
- Provide high availability for network services and applications by implementing failover clustering.
- Deploy and manage Hyper-V virtual machines in a failover cluster.
- Implement a backup and disaster recovery solution based on business and technical requirements.
- Plan and implement an AD DS deployment that includes multiple domains and forests.
- Plan and implement an AD DS deployment that includes multiple locations.
- Implement an Active Directory Certificate Services (AD CS) deployment.
- Implement an Active Directory Rights Management Services (AD RMS) deployment.
- Implement an Active Directory Federation Services (AD FS) deployment.

Course Outline
The course outline is as follows:

Module 1, "Implementing Advanced Network Services" describes how to configure advanced DHCP features and DNS settings, and implement IPAM, which is a new Windows Server 2012 feature.

Module 2, "Implementing Advanced File Services" describes how to configure Internet Small Computer System Interface (iSCSI) storage and Windows BranchCache. The module also describes how to implement Windows Server 2012 features that optimize storage utilization.

Module 3, "Implementing Dynamic Access Control" describes DAC, which is a new Windows Server 2012 feature. It also explains how to plan for a DAC implementation, and how to configure DAC.

Module 4, "Implementing Network Load Balancing" describes the features and operation of Network Load Balancing (NLB). It also explains how to configure an NLB cluster and plan an NLB implementation.

Module 5, "Implementing Failover Clustering" describes failover clustering features in Windows Server 2012. The module also describes how to implement and maintain failover clusters, and how to configure highly available applications and services on a failover cluster.

Module 6, "Implementing Failover Clustering with Hyper-V" describes options to make virtual machines highly available, and covers the implementation of Hyper-V virtual machines on failover clusters and Hyper-V virtual machine movement.

Module 7, "Implementing Disaster Recovery" describes disaster recovery, server and data recovery, and the planning and implementation of a backup solution for Windows Server 2012.

Module 8, "Implementing Distributed Active Directory Domain Services Deployments" provides an overview of distributed AD DS deployments and the process of implementing them. It also describes how to configure AD DS trusts, and implement complex AD DS deployments.

Module 9, "Implementing Active Directory Domain Services Sites and Replication" describes how replication works in a Windows Server 2012 AD DS environment, and how to configure AD DS sites to optimize AD DS network traffic. It also shows how to configure and monitor AD DS replication.

Module 10, "Implementing Active Directory Certificate Services" provides an overview of Public Key Infrastructure (PKI), and describes how to deploy certification authorities (CAs) and certificate templates. It also covers certificate distribution and revocation, and management of certificate recovery.

Module 11, "Implementing Active Directory Rights Management Services" describes AD RMS and how you can use it to achieve content protection. It also explains how to deploy and manage an AD RMS infrastructure, and configure AD RMS content protection and external access to AD RMS.

Module 12, "Implementing Active Directory Federation Services" describes the identity federation business scenarios, and how you can use AD FS to address the scenarios. It also describes how to deploy AD FS, and how to implement it for a single organization, and in a business-to-business (B2B) scenario.

Exam/Course Mapping
This course, 20412A: Configuring Advanced Windows Server 2012 Services, has a direct mapping of its content to the objective domain for the Microsoft exam 70-412: Configuring Advanced Windows Server 2012 Services.

The table below is provided as a study aid that will assist you in preparation for taking this exam, and to show you how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam, but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination, and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.

Exam 70-412: Configuring Advanced Windows Server 2012 Services

Configure and Manage High Availability (16%)

Configure Network Load Balancing (NLB). This objective may include but is not limited to: Install NLB nodes; configure NLB prerequisites; configure affinity; configure port rules; configure cluster operation mode; upgrade an NLB cluster. Course content: Mod 4 Lesson 1/2/3. Lab: Mod 4 Ex 1/2/3.

Configure failover clustering. This objective may include but is not limited to: Configure Quorum; configure cluster networking; restore single node or cluster configuration; configure cluster storage; implement Cluster Aware Updating; upgrade a cluster. Course content: Mod 5 Lesson 2/5. Lab: Mod 5 Ex 2/4.

Manage failover clustering roles. This objective may include but is not limited to: Configure role-specific settings including continuously available shares; configure VM monitoring; configure failover and preference settings. Course content: Mod 5 Lesson 1/4. Lab: Mod 5 Ex 1.

Manage Virtual Machine (VM) movement. This objective may include but is not limited to: Perform Live Migration; perform quick migration; perform storage migration; import, export, and copy VMs; migrate from other platforms (P2V and V2V). Course content: Mod 5 Lesson 3/4. Lab: Mod 5 Ex 3.

Configure File and Storage Solutions (15%)

Configure advanced file services. This objective may include but is not limited to: Configure NFS data store; configure BranchCache; configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM); configure file access auditing. Course content: Mod 2 Lesson 2/3. Lab: Mod 2 Ex 2/3.

Exam 70-412: Configuring Advanced Windows Server 2012 Services (continued)

Configure File and Storage Solutions (15%)

Implement Dynamic Access Control (DAC). This objective may include but is not limited to: Configure user and device claim types; implement policy changes and staging; perform access-denied remediation; configure file classification. Course content: Mod 3 Lesson 1/2/3. Lab: Mod 3 Ex 1/2/3/4/5/6.

Configure and optimize storage. This objective may include but is not limited to: Configure iSCSI Target and Initiator; configure Internet Storage Name server (iSNS); implement thin provisioning and trim; manage server free space using Features on Demand. Course content: Mod 2 Lesson 1/3. Lab: Mod 2 Ex 1.

Implement Business Continuity and Disaster Recovery (18%)

Configure and manage backups. This objective may include but is not limited to: Configure Windows Server backups; configure Windows Online backups; configure role-specific backups; manage VSS settings using VSSAdmin; create System Restore snapshots. Course content: Mod 7 Lesson 2/3. Lab: Mod 7 Ex 1/2/3/4.

Recover servers. This objective may include but is not limited to: Restore from backups; perform a Bare Metal Restore (BMR); recover servers using Windows Recovery Environment (Win RE) and safe mode; apply System Restore snapshots; configure the Boot Configuration Data (BCD) store. Course content: Mod 7 Lesson 2/3. Lab: Mod 7 Ex 1/2/3/4.

Configure site-level fault tolerance. This objective may include but is not limited to: Configure Hyper-V Replica including Hyper-V Replica Broker and VMs; configure multi-site clustering including network settings, Quorum, and failover settings. Course content: Mod 6 Lessons 1/3; Mod 5 Lesson 1. Lab: Mod 6 Ex 1.

Configure Network Services (17%)

Implement an advanced Dynamic Host Configuration Protocol (DHCP) solution. This objective may include but is not limited to: Create and configure superscopes and multicast scopes; implement DHCPv6; configure high availability for DHCP including DHCP failover and split scopes; configure DHCP Name Protection. Course content: Mod 1 Lesson 1. Lab: Mod 1 Ex 1.

Exam 70-412: Configuring Advanced Windows Server 2012 Services (continued)

Configure Network Services (17%)

Implement an advanced DNS solution. This objective may include but is not limited to: Configure security for DNS including DNSSEC, DNS Socket Pool, and cache locking; configure DNS logging; configure delegated administration; configure recursion; configure netmask ordering; configure a GlobalNames zone. Course content: Mod 1 Lesson 2. Lab: Mod 1 Ex 2.

Deploy and manage IPAM. This objective may include but is not limited to: Configure IPAM manually or by using Group Policy; configure server discovery; create and manage IP blocks and ranges; monitor utilization of IP address space; migrate to IPAM; delegate IPAM administration; manage IPAM collections. Course content: Mod 1 Lesson 3. Lab: Mod 1 Ex 3.

Configure the Active Directory Infrastructure (18%)

Configure a forest or a domain. This objective may include but is not limited to: Implement multi-domain and multi-forest Active Directory environments including interoperability with previous versions of Active Directory; upgrade existing domains and forests including environment preparation and functional levels; configure multiple user principal name (UPN) suffixes. Course content: Mod 8 Lesson 1/2. Lab: Mod 8 Ex 1.

Configure trusts. This objective may include but is not limited to: Configure external, forest, shortcut, and realm trusts; configure trust authentication; configure SID filtering; configure name suffix routing. Course content: Mod 8 Lesson 3. Lab: Mod 8 Ex 2.

Configure sites. This objective may include but is not limited to: Configure sites and subnets; create and configure site links; manage site coverage; manage registration of SRV records; move domain controllers between sites. Course content: Mod 9 Lesson 2/3. Lab: Mod Ex 1/2.

Manage Active Directory and SYSVOL replication. This objective may include but is not limited to: Configure replication to Read-Only Domain Controllers (RODCs); configure Password Replication Policy (PRP) for RODCs; monitor and manage replication; upgrade SYSVOL replication to Distributed File System Replication (DFSR). Course content: Mod 9 Lesson 1/3. Lab: Mod 9 Ex 3.

Exam 70-412: Configuring Advanced Windows Server 2012 Services (continued)

Configure Identity and Access Solutions (15%)

Implement Active Directory Federation Services 2.1 (AD FSv2.1). This objective may include but is not limited to: Implement claims-based authentication including Relying Party Trusts; configure Claims Provider Trust rules; configure attribute stores including Active Directory Lightweight Directory Services (AD LDS); manage AD FS certificates; configure AD FS proxy; integrate with Cloud Services. Course content: Mod 12 Lesson 1/2/3/4. Lab: Mod 12 Ex 1/2/3/4.

Install and configure Active Directory Certificate Services (AD CS). This objective may include but is not limited to: Install an Enterprise Certificate Authority (CA); configure CRL distribution points; install and configure Online Responder; implement administrative role separation; configure CA backup and recovery. Course content: Mod 10 Lesson 1/2/3/4/5/6. Lab: Mod 10 Ex 1/2/3/4/5.

Manage certificates. This objective may include but is not limited to: Manage certificate templates; implement and manage certificate deployment, validation, and revocation; manage certificate renewal; manage certificate enrollment and renewal to computers and users using Group Policies; configure and manage key archival and recovery. Course content: Mod 10 Lesson 3/4/5. Lab: Mod 10 Ex 3/4/5/6.

Install and configure Active Directory Rights Management Services (AD RMS). This objective may include but is not limited to: Install a licensing or certificate AD RMS server; manage AD RMS Service Connection Point (SCP); manage AD RMS client deployment; manage Trusted User Domains; manage Trusted Publishing Domains; manage Federated Identity support; manage RMS templates; configure Exclusion Policies. Course content: Mod 11 Lesson 1/2/3/4. Lab: Mod 11 Ex 1/2/3/4.

Important: Attending this course in itself will not successfully prepare you to pass any associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:

- Real-world, hands-on experience implementing, managing and configuring Active Directory and networking infrastructure, working in a Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 enterprise environment.
- Additional study outside of the content in this handbook.

There may also be additional study and preparation resources, such as practice tests, available for you to prepare for this exam. Details of these are available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab3

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-412&locale=en-us#tab1

The exam/course mapping table outlined above is accurate at the time of printing, however it is subject to change at any time and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.

Course Materials

The following materials are included with your kit:

- Course Handbook: a succinct classroom learning guide that provides the critical technical information in a crisp, tightly-focused format, which is essential for an effective in-class learning experience.
  - Lessons: guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
  - Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
  - Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and skills retention.
  - Lab Answer Keys: provide step-by-step lab solution guidance.
- Course Companion Content: searchable, easy-to-browse digital content with integrated premium online resources that supplement the Course Handbook.
  - Modules: include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
  - Resources: include well-categorized additional resources that give you immediate access to the most current premium content on TechNet, MSDN, or Microsoft Press.

Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.), Companion Content is not available. However, the Companion Content will be published when the next (B) version of this course is released, and students who have taken this course will be able to download the Companion Content at that time from the http://www.microsoft.com/learning/companionmoc site. Please check with your instructor when the B version of this course is scheduled to release to learn when you can access Companion Content for this course.

- Student Course files: includes the Allfiles.exe, a self-extracting executable file that contains all required files for the labs and demonstrations.

Note: For this version of the Courseware on Prerelease Software (specify RC0/Beta etc.), the Allfiles.exe file is not available. However, this file will be published when the next (B) version of this course is released, and students who have taken this course will be able to download the Allfiles.exe at that time from the http://www.microsoft.com/learning/companionmoc site.

- Course evaluation: at the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send an email to support@mscourseware.com. To inquire about the Microsoft Certification Program, send an email to mcphelp@microsoft.com.


Virtual Machine Environment


Virtual Machine Configuration

This section provides the information for setting up the classroom environment to support the business scenario of the course.

In this course, you will use Microsoft Hyper-V to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine (VM) without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine that is used in this course:

Virtual machine / Role
20412A-LON-DC1/-B: Windows Server 2012 domain controller in the Adatum.com domain
20412A-LON-CA1: Windows Server 2012 standalone server
20412A-LON-CL1: Windows 8 client computer, member of the Adatum.com domain
20412A-LON-CL2: Windows 8 client computer, member of the Adatum.com domain
20412A-LON-CORE: Windows Server 2012 member server in the Adatum.com domain
20412A-LON-SVR1/-B: Windows Server 2012 member server in the Adatum.com domain
20412A-LON-SVR2: Windows Server 2012 member server in the Adatum.com domain
20412A-LON-SVR3: Windows Server 2012 member server in the Adatum.com domain
20412A-LON-SVR4: Windows Server 2012 member server in the Adatum.com domain
20412A-MUN-CL1: Windows 8 client computer, member of the Treyresearch.net domain
20412A-MUN-DC1: Windows Server 2012 domain controller in the TreyResearch.net domain
20412A-LON-HOST1: Windows Server 2012 member server in the Adatum.com domain
20412A-LON-HOST2: Windows Server 2012 member server in the Adatum.com domain
20412A-TOR-DC1: Windows Server 2012 member server in the Adatum.com domain

Software Configuration
The following software is installed on the VMs:

- Windows Server 2012 Datacenter Edition, Release Candidate
- Windows 8, Release Preview
- Office 2010, SP1

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught:

- Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
- Dual 120 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*
- 8 GB random access memory (RAM)
- DVD drive
- Network adapter
- Super VGA (SVGA) 17-inch monitor
- Microsoft Mouse or compatible pointing device
- Sound card with amplified speakers

*Striped

In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.


Module 1
Implementing Advanced Network Services
Contents:
Module Overview 1-1
Lesson 1: Configuring Advanced DHCP Features 1-2
Lesson 2: Configuring Advanced DNS Settings 1-11
Lesson 3: Implementing IPAM 1-21
Lab: Implementing Advanced Network Services 1-31
Module Review and Takeaways 1-36

Module Overview

In Windows Server 2012, network services such as Domain Name System (DNS) provide critical support for name resolution of network and Internet resources. Within DNS, DNS Security Extensions (DNSSEC) is an advanced feature that provides a means of securing DNS responses to client queries so that malicious users cannot tamper with them. With Dynamic Host Configuration Protocol (DHCP), you can manage and distribute IP addresses to client computers. DHCP is essential for managing IP-based networks. DHCP failover is an advanced feature that can prevent clients from losing access to the network in case of a DHCP server failure. IP Address Management (IPAM) provides a unified means of controlling IP addressing. This module introduces DNS and DHCP improvements, IP address management, and provides details about how to implement these features.

Objectives
After completing this module you will be able to:
- Configure advanced DHCP features.
- Configure advanced DNS settings.
- Implement IPAM.

Lesson 1

Configuring Advanced DHCP Features

DHCP plays an important role in the Windows Server 2012 operating system infrastructure. It is the primary means of distributing important network configuration information to network clients, and it provides configuration information to other network-enabled services, including Windows Deployment Services (WDS) and Network Access Protection (NAP). To support a Windows Server-based network infrastructure, it is important that you understand the DHCP server role. Windows Server 2012 improves the functionality of DHCP by providing failover capabilities.

Lesson Objectives


After completing this lesson you will be able to:
- Describe DHCP components.
- Explain how to configure DHCP interaction with DNS.
- Describe superscopes and multicast scopes.
- Explain how DHCP works with IPv6.
- Describe DHCP name protection.
- Describe DHCP failover.

Overview of DHCP Components


DHCP is a server role that you can install on Windows Server 2012. With the DHCP server role, you can ensure that all clients have appropriate IP addresses and network configuration information, which can help eliminate human error during configuration. A DHCP client is any device running DHCP client software that can request and retrieve network settings from a DHCP server service. DHCP clients may be computers, mobile devices, printers, or switches. DHCP may also provide IP address information to network boot clients.

When key network configuration information changes in the network, such as the default gateway address, you can update the configuration using the DHCP server role without having to change the information directly on each computer. DHCP is also a key service for mobile users who change networks often. You can install the DHCP server role on a standalone server, a domain member server, or a domain controller.

DHCP consists of the components that are listed in the following table.

Component: DHCP server service
Description: After installing the DHCP role, the DHCP server is implemented as a service. This service can distribute IP addresses and other network configuration information to clients who request it.

Component: DHCP scopes
Description: The DHCP administrator configures the range of IP addresses and related information allotted to the server for distribution to requesting clients. Each scope can only be associated with a single IP subnet. A scope must consist of:
- A name and description
- A range of addresses that can be distributed
- A subnet mask
A scope can also define:
- IP addresses that should be excluded from distribution
- The duration of the IP address lease
- DHCP options
You can configure a single DHCP server with multiple scopes, but the server must be either connected directly to each subnet that it serves, or have a DHCP relay agent in place. Scopes also provide the primary way for the server to manage and distribute any related configuration parameters (DHCP options) to clients on the network.

Component: DHCP options
Description: When you assign the IP address information, you can simultaneously assign many other network configuration parameters. The most common DHCP options include:
- Default Gateway IP address
- DNS server IP address
- DNS domain suffix
- Windows Internet Name Service (WINS) server IP address
You can apply the options at different levels. They can be applied:
- Globally to all scopes
- Specifically to particular scopes
- To specific clients based on a Class ID value
- To clients that have specific IP address reservations configured

Note: IPv6 scopes are slightly different, and will be discussed later in this lesson.

Component: DHCP database
Description: The DHCP database contains configuration data about the DHCP server, and stores information about the IP addresses that have been distributed. By default, the DHCP database files are stored in the %systemroot%\System32\Dhcp folder.

Component: DHCP console
Description: The DHCP console is the main administrative tool for managing all aspects of the DHCP server. This management console is installed automatically on any server that has the DHCP role installed. However, you can also install it on a remote server or Windows 8 client by using the Remote Server Administration Tools (RSAT) and by connecting to the DHCP server for remote management.
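The scope, exclusion, lease and option components described in the table can also be created from Windows PowerShell with the DhcpServer module that ships with the Windows Server 2012 DHCP role. The following script is an added example, not code from the course; the server name LON-SVR1, the 172.16.0.0/24 subnet, the option values and the reservation's MAC address are constructed for illustration and are not taken from the lab environment.

```powershell
# Added example (not from the course). Run on, or remotely against, a server
# that has the DHCP role installed. All names and addresses are constructed.
Import-Module DhcpServer

$dhcpServer = 'LON-SVR1'      # assumed DHCP server name
$scopeId    = '172.16.0.0'    # assumed subnet served by the scope (/24)

# Scope: name, description, distributable range, subnet mask and lease duration.
# Eight days is the default lease for wired clients; it is set explicitly here
# so the value is visible in the configuration.
Add-DhcpServerv4Scope -ComputerName $dhcpServer `
    -Name 'Adatum-LON-Clients' `
    -Description 'London client subnet' `
    -StartRange 172.16.0.50 -EndRange 172.16.0.250 `
    -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) `
    -State Active

# Exclusion: addresses inside the range that are statically assigned
# (for example printers and switches) and must never be leased.
Add-DhcpServerv4ExclusionRange -ComputerName $dhcpServer -ScopeId $scopeId `
    -StartRange 172.16.0.50 -EndRange 172.16.0.59

# Scope-level options: default gateway, DNS servers and DNS domain suffix.
# These apply only to this scope; omit -ScopeId to set them server-wide.
Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scopeId `
    -Router 172.16.0.1 `
    -DnsServer 172.16.0.10, 172.16.0.11 `
    -DnsDomain 'adatum.com'

# Reservation: a fixed address for one client, matched on its MAC address,
# so that client always receives the same lease and option set.
Add-DhcpServerv4Reservation -ComputerName $dhcpServer -ScopeId $scopeId `
    -IPAddress 172.16.0.100 -ClientId '00-15-5D-01-02-03' -Name 'LON-PRINT1'

# Verification: read back what the server now holds for this scope.
Get-DhcpServerv4Scope -ComputerName $dhcpServer -ScopeId $scopeId |
    Format-List Name, StartRange, EndRange, SubnetMask, LeaseDuration, State
Get-DhcpServerv4ExclusionRange -ComputerName $dhcpServer -ScopeId $scopeId
Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scopeId
Get-DhcpServerv4Reservation -ComputerName $dhcpServer -ScopeId $scopeId
```

The verification cmdlets at the end matter more than the configuration ones: reading the scope back is how you confirm that the exclusion actually covers the statically assigned addresses and that the options clients will receive are the ones you intended, before the scope starts handing out leases.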

How Clients Acquire IP Addresses

When you configure a Windows client to use the DHCP service, upon startup the client will use an IP broadcast in its subnet to request IP configuration from any DHCP server that may receive the request. Because DHCP uses IP broadcasts to initiate communications, DHCP servers are limited to communication within their IP subnets. This means that there must either be a DHCP server on each IP subnet, or a DHCP relay agent configured on the remote subnet. The DHCP relay service can relay DHCP broadcast packets as directed messages into other IP subnets across a router. The relay agent acquires an IP address configuration on behalf of the requesting client on the remote subnet, and then forwards that configuration to the client.

DHCP Leases

DHCP allocates IP addresses on a dynamic basis. This is known as a lease. You can configure the duration of the lease. The default lease time for wired clients is eight days. When the DHCP lease has reached 50 percent of the lease time, the client attempts to renew the lease. This automatic process occurs in the background. Computers might have the same IP address for a long period of time if they operate continually on a network without being shut down. Client computers also attempt renewal during the startup process.

DHCP Server Authorization

If the server is a domain member, you must authorize the Windows Server 2012 DHCP server role in Active Directory Domain Services (AD DS) before it can begin leasing IP addresses. You must be an Enterprise Administrator to authorize the DHCP server. Standalone Microsoft servers verify whether there is a DHCP server on the network, and do not start the DHCP service if this is the case.

Configuring DHCP Interaction With DNS

During dynamic IP address allocation, the DHCP server creates resource records automatically for DHCP clients in the DNS database. However, those records may not be deleted automatically when the client DHCP lease expires. You can configure DHCP options to allow the DHCP server to own and fully control the creation and deletion of those DNS resource records.

Configuring DHCP Option 081

You can configure DHCP option 081 to control the way that resource records are updated in the DNS database. This option permits the client to provide its fully qualified domain name (FQDN) and instructions to the DHCP server about how it would like the server to process DNS dynamic updates on its behalf. You configure option 081 on the DNS tab of the Properties window for the protocol node, or per scope in the DHCP console. You can also configure DHCP to perform updates on behalf of its clients to any DNS servers that support dynamic updates. By default, the DHCP server behaves in the following manner:
- The DHCP server dynamically updates DNS address host (A) resource records and pointer (PTR) resource records only if requested by the DHCP clients. By default, the client requests that the DHCP server register the DNS PTR resource record, while the client registers its own DNS A resource record.
- The DHCP server discards the A and PTR resource records when the client's lease is deleted.

You can modify this option so that it instructs the DHCP server to always dynamically update DNS A resource records and PTR resource records no matter what the client requests. In this way, the DHCP server becomes the owner of the resource record because the DHCP server performed the registration of the resource records. Once the DHCP server becomes the owner of the client computer's A and PTR resource records, only that DHCP server can update the DNS resource records for the client computer based on the duration and renewal of the DHCP lease.


Configuring Advanced DHCP Scope Designs

You can configure advanced DHCP scope designs called superscopes. A superscope is a collection of individual scopes that are grouped together for administrative purposes. This allows client computers to receive an IP address from multiple logical subnets even when the clients are located on the same physical subnet. You can only create a superscope if you have two or more IP scopes already created in DHCP. You can use the New Superscope Wizard to select the scopes that you wish to combine together to create a superscope.

Benefits of Superscopes

A superscope is useful in several situations. For example, if a scope runs out of addresses and you cannot add more addresses from the subnet, you can instead add a new subnet to the DHCP server. This scope will lease addresses to clients in the same physical network, but the clients will be in a separate network logically. This is known as multinetting. Once you add a new subnet, you must configure routers to recognize the new subnet so that you ensure local communications in the physical network.

A superscope is also useful when you need to move clients gradually into a new IP numbering scheme. Having both numbering schemes coexist for the original lease's duration means that you can move clients into the new subnet transparently. When you have renewed all client leases in the new subnet, you can retire the old subnet.

Multicast Scopes

A multicast scope is a collection of multicast addresses from the class D IP address range of 224.0.0.0 to 239.255.255.255 (224.0.0.0/3). These addresses are used when applications need to communicate with numerous clients efficiently and simultaneously. This is accomplished with multiple hosts that listen to traffic for the same IP address.

A multicast scope is commonly known as a Multicast Address Dynamic Client Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes need to support the MADCAP application programming interface (API). Windows Deployment Services is an example of an application that supports multicast transmissions. Multicast scopes allow applications to reserve a multicast IP address for data and content delivery.

DHCP Integration With IPv6

IPv6 can configure itself without DHCP. IPv6-enabled clients have a self-assigned link-local IPv6 address. A link-local address is intended only for communications within the local network. It is equivalent to the 169.254.0.0 self-assigned addresses used by IPv4. IPv6-enabled network interfaces can, and often do, have more than one IPv6 address. For example, addresses might include a self-assigned link-local address and a DHCP-assigned global address. By using DHCP for IPv6 (DHCPv6), an IPv6 host can obtain subnet prefixes, global addresses, and other IPv6 configuration settings.

Note: You should obtain a block of IPv6 addresses from a Regional Internet Registry. There are five regional internet registries in the world. They are:
- African Network Information Centre (AfriNIC) for Africa
- Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries
- American Registry for Internet Numbers (ARIN) for Canada, many Caribbean and North Atlantic islands, and the United States
- Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of the Caribbean region
- Réseaux IP Européens Network Coordination Centre (RIPE NCC) for Europe, Russia, the Middle East, and Central Asia

Stateful and Stateless Configuration

Whenever you add the DHCP server role to a Windows Server 2012 computer, you also automatically install a DHCPv6 server. Windows Server 2012 supports both DHCPv6 stateful and stateless configurations:
- Stateful configuration. Occurs when the DHCPv6 server assigns the IPv6 address to the client along with additional DHCP data.
- Stateless configuration. Occurs when the subnet router assigns IPv6 automatically, and the DHCPv6 server only assigns other IPv6 configuration settings.

DHCPv6 Scopes for IPv6

DHCPv6 scopes for IPv6 must be created separately from IPv4 scopes. IPv6 scopes have an enhanced lease mechanism and several different options. When configuring a DHCPv6 scope, you must define the properties listed in the following table.

Property | Use
Name and description | This property identifies the scope.
Prefix | The IPv6 address prefix is analogous to the IPv4 address range. It defines the network portion of the IP address.
Preference | This property informs DHCPv6 clients as to which server to use if you have multiple DHCPv6 servers.
Exclusions | This property defines single addresses or blocks of addresses that fall within the IPv6 prefix but will not be offered for lease.
Valid and Preferred lifetimes | This property defines how long leased addresses are valid.
DHCP options | As with IPv4, there are many available options.

Configuring an IPv6 Scope


You can use the New Scope Wizard to create IPv6 scopes:
1. In the DHCP console, right-click the IPv6 node, and then click New Scope.
2. Configure a scope prefix and preference.
3. Define the starting and ending IP addresses, and any exclusions.
4. Configure the Preferred and Valid lifetime properties.
5. Activate the scope to enable it.
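The same five wizard steps carried out with the DhcpServer PowerShell module, as an added example that is not part of the course. The prefix 2001:db8:a:1::, the exclusion range, the lifetimes and the scope name are constructed sample values for the fictitious Adatum network.

```powershell
# Added example (not course material): create a DHCPv6 scope the way the
# New Scope Wizard does, then verify it. All values are constructed samples.
Import-Module DhcpServer

$Prefix = '2001:db8:a:1::'   # constructed documentation prefix (step 2)

# Steps 2 and 4: prefix, preference and lifetimes. Clients that hear several
# DHCPv6 servers prefer the one advertising the higher preference value.
# The scope is created inactive so nothing is leased before exclusions exist.
Add-DhcpServerv6Scope -Prefix $Prefix -Name 'Adatum IPv6' `
    -Description 'Constructed example scope' -Preference 255 `
    -PreferredLifetime (New-TimeSpan -Days 8) `
    -ValidLifetime (New-TimeSpan -Days 12) `
    -State InActive

# Step 3: exclusions. A DHCPv6 scope leases from the whole prefix, so carve
# out the addresses you assign statically (routers, servers) before activating.
Add-DhcpServerv6ExclusionRange -Prefix $Prefix `
    -StartRange '2001:db8:a:1::1' -EndRange '2001:db8:a:1::ff'

# Step 5: activate the scope
Set-DhcpServerv6Scope -Prefix $Prefix -State Active

# Verify what the server will hand out and what it will withhold
Get-DhcpServerv6Scope -Prefix $Prefix |
    Format-List Prefix, Name, Preference, PreferredLifetime, ValidLifetime, State
Get-DhcpServerv6ExclusionRange -Prefix $Prefix
```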

What Is DHCP Name Protection?

You must protect the names that DHCP registers in DNS on behalf of systems from being overwritten by non-Microsoft systems that use the same names. In addition, you must protect the names from being overwritten by systems that use static addresses that conflict with DHCP-assigned addresses when they use unsecure DNS and DHCP is not configured for conflict detection. For example, a UNIX-based system named Client1 could potentially overwrite the DNS address that was assigned and registered by DHCP on behalf of a Windows-based system also named Client1. A new feature in Windows Server 2012, DHCP Name Protection, addresses this issue.

Name squatting is the term used to describe the conflict that occurs when one client registers a name with DNS but that name is already used by another client. This problem causes the original machine to become inaccessible, and it typically occurs with systems that have the same names as Windows operating systems. DHCP Name Protection addresses this by using a resource record known as a Dynamic Host Configuration Identifier (DHCID) to track which machines originally requested which names. The DHCP server provides the DHCID record, which is stored in DNS. When the DHCP server receives a request by a machine with an existing name for an IP address, the DHCP server can refer to the DHCID in DNS to verify that the machine that is requesting the name is the original machine that used the name. If it is not the same machine, then the DNS resource record is not updated. You can implement name protection for both IPv4 and IPv6. You can configure DHCP Name Protection at the server level and the scope level. Implementation at the server level will only apply for newly created scopes.

To enable DHCP Name Protection for an IPv4 or IPv6 node:
1. Open the DHCP console.
2. Right-click the IPv4 or IPv6 node, and then open the Property page.
3. Click DNS, click Advanced, and then select the Enable Name Protection check box.

To enable DHCP Name Protection for a scope:
1. Open the DHCP Microsoft Management Console (MMC).
2. Expand the IPv4 or IPv6 node, right-click the scope, and then open the Property page.
3. Click DNS, click Advanced, and then select the Enable Name Protection check box.
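Both settings discussed in this lesson, the DNS dynamic-update behavior that option 081 controls and DHCP Name Protection, live on the same DNS settings object of the DHCP server, so one PowerShell example serves both topics. This is an added example, not course material; the scope ID 172.16.0.0 is a constructed value and Get-ScopeDnsSettingDrift is a helper written here.

```powershell
# Added example (not course material): set the DHCP server's DNS registration
# behavior and Name Protection at the server level and per scope, then audit
# existing scopes, since server-level changes only reach newly created scopes.
Import-Module DhcpServer

$ScopeId = '172.16.0.0'   # constructed: the scope to bring in line

# Server level (IPv4 node):
#  DynamicUpdates Always      -> register A and PTR whatever the client asks,
#                                so the DHCP server owns the records
#  DeleteDnsRROnLeaseExpiry   -> discard A/PTR when the lease is deleted
#  NameProtection             -> register a DHCID and refuse to overwrite a
#                                name first registered by another machine
Set-DhcpServerv4DnsSetting -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# Scopes created before the change keep their own settings; apply per scope
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# The IPv6 node offers the same three switches
Set-DhcpServerv6DnsSetting -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# Audit helper (written for this example): list IPv4 scopes whose effective
# DNS settings differ from the server-level settings
function Get-ScopeDnsSettingDrift {
    $server = Get-DhcpServerv4DnsSetting
    foreach ($scope in Get-DhcpServerv4Scope) {
        $s = Get-DhcpServerv4DnsSetting -ScopeId $scope.ScopeId
        if ($s.DynamicUpdates -ne $server.DynamicUpdates -or
            $s.NameProtection -ne $server.NameProtection -or
            $s.DeleteDnsRROnLeaseExpiry -ne $server.DeleteDnsRROnLeaseExpiry) {
            [pscustomobject]@{
                ScopeId        = $scope.ScopeId
                DynamicUpdates = $s.DynamicUpdates
                NameProtection = $s.NameProtection
                DeleteOnExpiry = $s.DeleteDnsRROnLeaseExpiry
            }
        }
    }
}
Get-ScopeDnsSettingDrift | Format-Table -AutoSize
```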


What Is DHCP Failover?

DHCP manages the distribution of IP addresses in TCP/IP networks of all sizes. When this service fails, clients lose connectivity to the network and all of its resources. A new feature in Windows Server 2012, DHCP failover, addresses this issue.

DHCP Failover

DHCP clients renew their leases on their IP addresses at regular, configurable intervals. When the DHCP service fails, the leases time out and clients no longer have IP addresses. In the past, DHCP failover was not possible because DHCP servers were independent and unaware of each other. Therefore, configuring two separate DHCP servers to distribute the same pool of addresses could lead to duplicate addresses. Additionally, providing redundant DHCP services required you to configure clustering, and perform a significant amount of manual configuration and monitoring. The new DHCP failover feature enables two DHCP servers to provide IP addresses and optional configurations to the same subnets or scopes. Therefore, you can now configure two DHCP servers to replicate lease information. If one of the servers fails, the other server services the clients for the entire subnet.

Note: In Windows Server 2012, you can only configure two DHCP servers for failover and only for IPv4 scopes and subnets.

Configuring DHCP Failover

To configure DHCP failover, you need to establish a failover relationship between the two DHCP server services. You must also give this relationship a unique name. The failover partners exchange this name during configuration. This enables a single DHCP server to have multiple failover relationships with other DHCP servers so long as they all have unique names. To configure failover, use the Configuration Failover wizard that you can launch by right-clicking the IP node or the scope node.

Note: DHCP failover is time sensitive. You must synchronize time between the partners in the relationship. If the time difference is greater than one minute, the failover process will halt with a critical error.

You can configure failover in one of the two following modes.

Mode | Characteristics
Hot Standby | In this mode, one server is the primary server and the other is the secondary server. The primary server actively assigns IP configurations for the scope or subnet. The secondary DHCP server only assumes this role if the primary server becomes unavailable. A DHCP server can simultaneously act as the primary for one scope or subnet, and be the secondary for another. Administrators must configure a percentage of the scope addresses to be assigned to the standby server. These addresses are supplied during the Maximum Client Lead Time (MCLT) interval if the primary server is down. The default MCLT value is 5 percent of the scope. The secondary server takes control of the whole IP range after the MCLT interval has passed. Hot Standby mode is best suited to deployments in which a disaster recovery site is located at a different location. That way the DHCP server will not service clients unless there is a main server outage.
Load Sharing | This is the default mode. In this mode both servers simultaneously supply IP configuration to clients. The server that responds to IP configuration requests depends on how the administrator configures the load distribution ratio. The default ratio is 50:50.
MCLT | The administrator configures the MCLT parameter to determine the amount of time a DHCP server should wait when a partner is unavailable, before assuming control of the address range. This value cannot be zero, and the default is one hour.
Auto State Switchover Interval | A communication interrupted state occurs when a server loses contact with its partner. Because the server has no way of knowing what is causing the communication loss, it remains in this state until the administrator manually changes it to a partner down state. The administrator can also enable automatic transition to partner down state by configuring the auto state switchover interval. The default value for this interval is 10 minutes.

Message Authentication

Windows Server 2012 enables you to authenticate the failover message traffic between the replication partners. The administrator can establish a shared secret, much like a password, in the Configuration Failover Wizard for DHCP failover. This validates that the failover message comes from the failover partner.

Firewall Considerations

DHCP uses TCP port 647 to listen for failover traffic. The DHCP installation creates the following inbound and outbound firewall rules:
- Microsoft-Windows-DHCP-Failover-TCP-In
- Microsoft-Windows-DHCP-Failover-TCP-Out

Demonstration: Configuring DHCP Failover


In this demonstration, you will see how to configure a DHCP failover relationship.

Demonstration Steps Configure a DHCP failover relationship


1. Log on to LON-SVR1 as Adatum\Administrator. Note that the server is authorized, but that no scopes are configured.
2. Switch to LON-DC1. In Server Manager, click Tools, and then on the drop-down list, click DHCP.
3. In the DHCP console, launch the Configure Failover Wizard.
4. Configure failover replication with the following settings:
   o Partner server: 172.16.0.21
   o Relationship Name: Adatum
   o Maximum Client Lead Time: 15 minutes
   o Mode: Load balance
   o Load Balance Percentage: 50%
   o State Switchover Interval: 60 minutes
   o Message authentication shared secret: Pa$$w0rd
5. Complete the Configure Failover Wizard.
6. Switch back to LON-SVR1, and note that the IPv4 node is active and the Adatum scope is configured.
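The same relationship built with the DhcpServer module instead of the wizard, preceded by the two checks this lesson calls out (clock skew under one minute, and the TCP 647 firewall rules). This is an added example, not course material: LON-DC1, LON-SVR1, 172.16.0.21, the name Adatum and Pa$$w0rd are the demonstration's lab values, the scope ID 172.16.0.0 is a constructed value, and reading the partner's clock assumes WinRM is enabled. Test-PartnerClockSkew and Get-FailoverFirewallRule are helpers written here.

```powershell
# Added example (not course material): pre-checks and creation of the
# load-balance failover relationship from the demonstration.
Import-Module DhcpServer

$Primary   = 'LON-DC1'
$Partner   = 'LON-SVR1'
$PartnerIp = '172.16.0.21'
$ScopeId   = '172.16.0.0'   # constructed: the Adatum scope
$Secret    = 'Pa$$w0rd'     # lab value; use a long generated secret elsewhere

# Check 1: failover halts with a critical error if the partners' clocks
# differ by more than one minute. Read the partner's UTC time over WinRM.
function Test-PartnerClockSkew {
    param([string]$Computer, [int]$MaxSeconds = 60)
    $remote = Invoke-Command -ComputerName $Computer -ScriptBlock {
        (Get-Date).ToUniversalTime()
    }
    $skew = ((Get-Date).ToUniversalTime() - $remote).Duration()
    [pscustomobject]@{
        Partner     = $Computer
        Skew        = $skew
        WithinLimit = ($skew.TotalSeconds -le $MaxSeconds)
    }
}

# Check 2: the failover rules the DHCP role installs must be enabled on
# both partners, or replication over TCP 647 will never connect.
function Get-FailoverFirewallRule {
    param([string]$Computer)
    Get-NetFirewallRule -CimSession $Computer |
        Where-Object { $_.Name -like '*DHCP*Failover*' -or
                       $_.DisplayName -like '*DHCP*Failover*' } |
        Select-Object @{n = 'Computer'; e = { $Computer }}, Name, Direction, Enabled
}

$clock = Test-PartnerClockSkew -Computer $Partner
if (-not $clock.WithinLimit) {
    throw "Clock skew to $Partner is $($clock.Skew); synchronize time first"
}
Get-FailoverFirewallRule -Computer $Primary
Get-FailoverFirewallRule -Computer $Partner

# Create the relationship on the server that already owns the scope:
# load balance 50:50, MCLT 15 minutes, automatic transition to partner down
# after 60 minutes, and a shared secret so each side validates the other's
# failover messages.
Add-DhcpServerv4Failover -ComputerName $Primary -Name 'Adatum' `
    -PartnerServer $PartnerIp -ScopeId $ScopeId `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -AutoStateTransition $true `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $Secret

# Both partners should now report the relationship and the replicated scope
Get-DhcpServerv4Failover -ComputerName $Primary -Name 'Adatum' |
    Format-List Name, PartnerServer, Mode, State, LoadBalancePercent, MaxClientLeadTime
Get-DhcpServerv4Scope -ComputerName $Partner -ScopeId $ScopeId
```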


Lesson 2

Configuring Advanced DNS Settings

In TCP/IP networks of any size, certain services are essential. DNS is one of the most critical network services for any network, because many other applications and services, including AD DS, rely on DNS to resolve resource names to IP addresses. Without DNS, user authentications fail, and network-based resources and applications may become inaccessible. For this reason, you need to manage and protect DNS. This lesson discusses management techniques and options for optimizing DNS resolution. Windows Server 2012 implements DNSSEC to protect DNS responses. Windows Server 2012 also supports global name zones to provide single-label name resolution.

Lesson Objectives

After completing this lesson you will be able to:
- Manage DNS services.
- Optimize DNS name resolution.
- Describe global name zones.
- Describe options for implementing DNS security.
- Explain how DNSSEC works.
- Describe the new DNSSEC features for Windows Server 2012.

Managing DNS Services

Like other important network services, you must manage DNS. DNS management consists of the following tasks:
- Delegating DNS administration
- Configuring logging for DNS
- Aging and scavenging
- Backing up the DNS database

Delegating Administration of DNS

By default, the Domain Admins group has full permissions to manage all aspects of the DNS server in its home domain, and the Enterprise Admins group has full permissions to manage all aspects of all DNS servers in any domain in the forest. If you need to delegate the administration of a DNS server to a different user or group, then you can add that user or global group to the DNS Admins group for a given domain in the forest. Members of the DNS Admins group can view and modify all DNS data, settings, and configurations of DNS servers in their home domain. The DNS Admins group is a Domain Local security group, and by default has no members in it.

Configuring DNS Logging

By default, DNS maintains a DNS server log, which you can view in the Event Viewer. This event log is located in the Applications and Services Logs folder in Event Viewer. It records common events such as:
- Starting and stopping of the DNS service.
- Background loading and zone signing events.
- Changes to DNS configuration settings.
- Various warnings and error events.

For more verbose logging, you can enable debug logging. Debug logging options are disabled by default, but can be selectively enabled. Debug logging options include the following:
- Direction of packets
- Contents of packets
- Transport protocol
- Type of request
- Filtering based on IP address
- Specifying the name and location of the log file, which is located in the %windir%\System32\DNS directory
- Log file maximum size limit

Debug logging can be resource-intensive. It can affect overall server performance and consume disk space. Therefore, you should only enable it temporarily when you require more detailed information about server performance. To enable debug logging on the DNS server, do the following:
1. Open the DNS console.
2. Right-click the applicable DNS server, and then click Properties.
3. Click the Debug Logging tab.
4. Select Log packets for debugging, and then select the events for which you want the DNS server to record debug logging.

Aging and Scavenging

DNS dynamic updates add resource records to the zone automatically, but in some cases those records are not deleted automatically when they are no longer required. For example, if a computer registers its own A resource record and is improperly disconnected from the network, the A resource record might not be deleted. These records, known as stale records, take up space in the DNS database and may result in an incorrect query response being returned. Windows Server 2012 can search for those stale records and, based on the aging of the record, scavenge them from the DNS database. Aging and scavenging is disabled by default. You can enable aging and scavenging in the Advanced properties of the DNS server, or you can enable it for selected zones in the zone's Properties window.

Aging is determined by using parameters known as the Refresh interval and the No-refresh interval. The Refresh interval is the date and time that the record is eligible to be refreshed by the client. The default is seven days. The No-refresh interval is the period of time that the record is not eligible to be refreshed. By default, this is seven days. In the normal course of events, a client host record cannot be refreshed in the database for seven days after it is first registered or refreshed. However, it then must be refreshed within the next seven days after the No-refresh interval, or the record becomes eligible to be scavenged out of the database. A client will attempt to refresh its DNS record at startup, and every 24 hours while the system is running.

Note: Records that are added dynamically to the database are time stamped. Static records that you entered manually have a time stamp value of zero (0), and will not be affected by aging and therefore will not be scavenged out of the database.
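Aging and scavenging configured from PowerShell, plus a check that applies the two intervals above to find the dynamic records that the next scavenging pass would remove. This is an added example, not course material; the zone name adatum.com is a constructed value and Get-StaleDnsRecord is a helper written here.

```powershell
# Added example (not course material): enable zone aging with the default
# 7-day intervals, enable server scavenging, and list records already past
# both intervals. Zone name is constructed.
Import-Module DnsServer

$Zone = 'adatum.com'   # constructed

# Zone level: a timestamped record cannot be refreshed during the No-refresh
# interval, then must be refreshed within the Refresh interval or it ages out
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) `
    -RefreshInterval   (New-TimeSpan -Days 7)

# Server level: nothing is deleted until scavenging is on and its interval
# elapses; aging alone only marks records as eligible
Set-DnsServerScavenging -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# Helper written for this example: A records whose timestamp is older than
# No-refresh + Refresh are eligible for scavenging. Static records carry no
# timestamp (the console shows 0) and are skipped, matching the note above.
function Get-StaleDnsRecord {
    param([string]$ZoneName)
    $aging  = Get-DnsServerZoneAging -Name $ZoneName
    $cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp,
            @{n = 'IPv4Address'; e = { $_.RecordData.IPv4Address }}
}

# Review this list before the first scavenging pass runs on a zone that has
# just had aging enabled, since stale entries may belong to live hosts that
# never re-registered
Get-StaleDnsRecord -ZoneName $Zone | Format-Table -AutoSize
```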


Backing Up the DNS Database

How you back up the DNS database depends on how DNS was implemented in your organization. If your DNS zone was implemented as an Active Directory integrated zone, then your DNS zone is included in the Active Directory database ntds.dit file. If the DNS zone is a primary zone and is not stored in AD DS, then the file is stored as a .dns file in the %SystemRoot%\System32\Dns folder.

Backing Up Active Directory Integrated Zones

Active Directory integrated zones are stored in AD DS and are backed up as part of a System State or a full server backup. Additionally, you can back up just the Active Directory integrated zone by using the dnscmd command-line tool. To back up an Active Directory integrated zone, perform the following steps:
1. Launch an elevated command prompt.
2. Run the following command:

dnscmd /ZoneExport <zone name> <zone file name>

where <zone name> is the name of your DNS zone, and <zone file name> is the file that you want to create to hold the backup information. The dnscmd tool exports the zone data to the file name that you designate in the command, to the %windir%\System32\DNS directory.

Backing Up Primary Zones

Backing up a primary zone that is not stored in AD DS is simply a matter of copying or backing up the individual zone file, zonename.dns, which is located in the %windir%\System32\DNS directory. For example, if your DNS primary zone is named Adatum.com, then the DNS zone file will be named Adatum.com.dns.

Optimizing DNS Name Resolution

In a typical DNS query event, a client computer attempts to resolve a FQDN to an IP address. For example, if a user tries to go to the FQDN www.microsoft.com, the client computer will perform a recursive query to the DNS server that it is configured to use, to discover the IP address associated with that FQDN. The local DNS server must then respond with an authoritative response. If the local DNS server has a copy of the DNS namespace for which it was queried, it will respond with an authoritative answer to the client computer. If the local DNS server does not have that information, it will perform recursion. Recursion refers to the process of having the local DNS server itself make a recursive query to another DNS server until it finds the authoritative answer and returns that answer to the client that made the original request. By default, this server will be one of the servers on the Internet that is listed as a root hint. When the local DNS server receives a response, it will return that information to the original requesting client computer.


There are a number of options available for optimizing DNS name resolution. They include features such as:
- Forwarding
- Conditional forwarding
- Stub zones
- Netmask ordering

Forwarding
A forwarder is a network DNS server that you configure to forward DNS queries for host names that it cannot resolve to other DNS servers for resolution. In a typical environment, the internal DNS server forwards queries for external DNS host names to DNS servers on the Internet. For example, if the local network DNS server cannot authoritatively resolve a query for www.microsoft.com, then the local DNS server can forward the query to the internet service provider's (ISP's) DNS server for resolution.

Conditional Forwarding

You also can use conditional forwarders to forward queries according to specific domain names. A conditional forwarder is a DNS server on a network that forwards DNS queries according to the query's DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.adatum.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. This can be useful when you have multiple DNS namespaces in a forest. For example, suppose Contoso.com and Adatum.com are merged. Rather than each domain having to host a complete replica of the other domain's DNS database, you could create conditional forwarders so that they point to each other's specific DNS servers for resolution of internal DNS names.

Stub Zones

A stub zone is a copy of a zone that contains only those resource records necessary to identify that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when you want a DNS server that is hosting a parent zone to remain aware of all the authoritative DNS servers for one of its child zones. A stub zone that is hosted on a parent domain DNS server will receive a list of all new DNS servers for the child zone, when it requests an update from the stub zone's master server. By using this method, the DNS server that is hosting the parent zone maintains a current list of the authoritative DNS servers for the child zone as they are added and removed. A stub zone consists of the following:
- The delegated zone's start of authority (SOA) resource record, name server (NS) resource records, and A resource records
- The IP address of one or more master servers that you can use to update the stub zone

Stub zones have the following characteristics:
- Stub zones are created using the New Zone Wizard.
- Stub zones can be stored in AD DS.
- Stub zones can be replicated either in the domain only, or throughout the entire forest.

Stub zone master servers are one or more DNS servers that are responsible for the initial copy of the zone information, and are usually the DNS server that is hosting the primary zone for the delegated domain name.
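The three resolution paths described above (forwarding, a conditional forwarder for the merged Contoso.com namespace, and a stub zone for the child corp.adatum.com) configured with the DnsServer module, followed by a helper that reports which path the server will take for a given name. This is an added example, not course material; every IP address is a constructed value and Get-ResolutionPath is a helper written here.

```powershell
# Added example (not course material): forwarders, a conditional forwarder
# and a stub zone, plus a check of which one answers a given name.
# All addresses are constructed documentation values.
Import-Module DnsServer

# Forwarding: names the server cannot answer go to the ISP resolvers;
# fall back to root hints if the forwarders do not answer within 3 seconds
Set-DnsServerForwarder -IPAddress '203.0.113.53', '203.0.113.54' `
    -UseRootHint $true -Timeout 3

# Conditional forwarding: queries for the merged partner's namespace go
# straight to its DNS servers, and the setting replicates forest-wide
Add-DnsServerConditionalForwarderZone -Name 'contoso.com' `
    -MasterServers '192.0.2.10', '192.0.2.11' -ReplicationScope 'Forest'

# Stub zone: keep a current SOA/NS/A list for the delegated child zone,
# pulled from its master server and replicated to DCs in this domain
Add-DnsServerStubZone -Name 'corp.adatum.com' `
    -MasterServers '172.16.10.5' -ReplicationScope 'Domain'

# Helper written for this example: the zone whose name matches the longest
# suffix of the query (primary, stub or conditional forwarder) answers or
# steers the query; otherwise the server's forwarders or root hints are used
function Get-ResolutionPath {
    param([string]$Name)
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsReverseLookupZone }
    $match = $zones |
        Where-Object { $Name -eq $_.ZoneName -or $Name.EndsWith('.' + $_.ZoneName) } |
        Sort-Object { $_.ZoneName.Length } -Descending |
        Select-Object -First 1
    if ($match) {
        return "$Name -> zone '$($match.ZoneName)' ($($match.ZoneType))"
    }
    $fwd = (Get-DnsServerForwarder).IPAddress -join ', '
    if ($fwd) { return "$Name -> forwarders: $fwd" }
    return "$Name -> recursion via root hints"
}

Get-ResolutionPath 'data.contoso.com'      # conditional forwarder
Get-ResolutionPath 'fs1.corp.adatum.com'   # stub zone
Get-ResolutionPath 'www.microsoft.com'     # forwarders
```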


Netmask Ordering

Netmask ordering returns addresses for type A (address records) DNS queries that prioritize resources on the client computer's local subnet to the client. In other words, addresses of hosts that are on the same subnet as the requesting client will have a higher priority in the DNS response to the client computer.

Localization is based on IP addresses. For example, if there are multiple A records that are associated with the same DNS name, and each of the A records are located on a different IP subnet, netmask ordering returns an A record that is on the same IP subnet as the client computer that made the request.

What Is the GlobalName Zone?

The DNS Server Service in Windows Server 2012 provides the GlobalName zone, which you can use to contain single-label names that are unique across an entire forest. This eliminates the need to use the NetBIOS-based WINS to provide support for single-label names. GlobalName zones provide single-label name resolution for large enterprise networks that do not deploy WINS and that have multiple DNS domain environments. GlobalName zones are created manually and do not support dynamic record registration.

When clients try to resolve short names, they automatically append their DNS domain name. Depending on the configuration, they also try to find the name in the upper-level domain name, or work through their name suffix list. Therefore, short names are resolved in the same domain.

You use a GlobalName zone to maintain a list of DNS search suffixes for resolving names among multiple DNS domain environments. For example, if an organization supports two DNS domains, such as adatum.com and contoso.com, users in the adatum.com DNS domain need to use a FQDN such as data.contoso.com to locate the servers in contoso.com. Otherwise, the domain administrator needs to add a DNS search suffix for contoso.com on all the systems in the adatum.com domain. If the clients just search for the server name data, then the search would fail.

Global names are based on creating alias (CNAME) resource records in a special forward lookup zone that uses single names to point to FQDNs. For example, GlobalName zones would enable clients in both the adatum.com domain and the contoso.com domain to use a single label name, such as data, to locate a server whose FQDN is data.contoso.com without having to use the FQDN.

Creating a GlobalName Zone


To create a GlobalName zone, do the following:

1. Use the dnscmd tool to enable GlobalName zones support.

2. Create a new forward lookup zone named GlobalNames (not case sensitive). Do not allow dynamic updates for this zone.

3. Manually create CNAME records that point to records that already exist in the other zones that are hosted on your DNS servers.

For example, you could create a CNAME record in the GlobalNames zone named Data, that points to Data.contoso.com. This enables clients from any DNS domain in the organization to find this server by the single-label name of Data.
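The same three steps carried out with the DnsServer module, as an added example that is not part of the course text. It assumes an elevated Windows PowerShell session on a Windows Server 2012 DNS server that is also a domain controller (so the zone can be stored in AD DS), and that the host record data.contoso.com already exists in the contoso.com zone. The zone is created with the name GlobalNames, which is the name the DNS Server service looks for.

```powershell
# Added example: create a GlobalNames zone and one single-label alias with PowerShell.
# Assumes the DnsServer module, a DNS server that is a domain controller, and an
# existing host record data.contoso.com in the contoso.com zone.
Import-Module DnsServer

# 1. Enable GlobalNames support on this server
#    (dnscmd equivalent: dnscmd /Config /EnableGlobalNamesSupport 1).
Set-DnsServerGlobalNameZone -Enable $true

# 2. Create the zone. The service looks for a zone named exactly "GlobalNames";
#    dynamic updates are disabled because the zone is maintained by hand.
if (-not (Get-DnsServerZone -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None
}

# 3. Add the single-label alias. Only CNAME records belong in this zone, and each
#    target must already resolve in its own zone, so check that before adding it.
$target = 'data.contoso.com'
if (-not (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)) {
    throw "Target $target does not resolve; fix the contoso.com zone first."
}
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'data' -HostNameAlias $target

# Check: a query for the bare label now returns the CNAME followed by the A record
# from contoso.com, regardless of the client's own DNS suffix.
Resolve-DnsName -Name 'data' -Server localhost
```

Because the zone holds only CNAME records that point into zones the server already hosts, a stale alias fails loudly (the target no longer resolves) rather than silently pointing somewhere else; the pre-check above makes that failure visible at creation time.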


Options for Implementing DNS Security


Because DNS is a critical network service, you must protect it as much as possible. A number of options are available for protecting the DNS server, including:
- DNS cache locking
- DNS socket pool
- DNSSEC

DNS Cache Locking

Cache locking is a security feature available with Windows Server 2012 that allows you to control when information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it caches the results so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server keeps information in its cache is determined by the Time to Live (TTL) value for a resource record. Information in the cache can be overwritten before the TTL expires if updated information about that resource record is received. If an attacker successfully overwrites information in the cache, the attacker might be able to redirect your network traffic to a malicious site. When you enable cache locking, the DNS server prohibits cached records from being overwritten for the duration of the TTL value.

You configure cache locking as a percentage value. For example, if the cache locking value is set to 50, then the DNS server will not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percentage value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL.

You can configure cache locking with the dnscmd tool as follows:

1. Launch an elevated command prompt.

2. Run the following command:

dnscmd /Config /CacheLockingPercent <percent>

3. Restart the DNS service to apply the changes.

DNS Socket Pool

The DNS socket pool enables a DNS server to use source port randomization when issuing DNS queries. When the DNS service starts, the server chooses a source port from a pool of sockets that are available for issuing queries. Instead of using a predictable source port, the DNS server uses a random port number that it selects from the DNS socket pool. The DNS socket pool makes cache-tampering attacks more difficult because an attacker must correctly guess both the source port of a DNS query and a random transaction ID to successfully run the attack. The DNS socket pool is enabled by default in Windows Server 2012.

The default size of the DNS socket pool is 2,500. When you configure the DNS socket pool, you can choose a size value from 0 to 10,000. The larger the value, the greater the protection you will have against DNS spoofing attacks. If the DNS server is running Windows Server 2012, you can also configure a DNS socket pool exclusion list.

You can configure the DNS socket pool size by using the dnscmd tool as follows:

1. Launch an elevated command prompt.

2. Run the following command:

dnscmd /Config /SocketPoolSize <value>

3. Restart the DNS service to apply the changes.
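Both settings above follow the same pattern (write the value with dnscmd, restart the DNS Server service, confirm it took effect), so one added script covers both. This is an added example, not course or Microsoft code; it assumes an elevated Windows PowerShell session on a Windows Server 2012 DNS server with the DnsServer module, and the values 100 and 5000 are choices made for this example (the defaults the text gives are 100 and 2,500). The lock-window function only illustrates the percentage arithmetic the text describes.

```powershell
# Added example: apply cache locking and socket pool size with dnscmd, then verify
# with the DnsServer module. Assumes an elevated session on a Windows Server 2012
# DNS server; 100 and 5000 are example values, not settings the course prescribes.
Import-Module DnsServer

$cacheLockingPercent = 100   # 0-100; at 100 a cached record is never replaced before its TTL expires
$socketPoolSize      = 5000  # 0-10,000; a larger pool leaves more source ports for an attacker to guess

# For a record with the given TTL, the number of seconds the cache refuses to
# overwrite it at the given locking percentage.
function Get-CacheLockWindowSeconds {
    param([int]$TtlSeconds, [int]$LockingPercent)
    if ($LockingPercent -lt 0 -or $LockingPercent -gt 100) { throw 'LockingPercent must be 0-100' }
    [math]::Floor($TtlSeconds * $LockingPercent / 100)
}

# A 3600-second TTL locked at 50 percent is protected for 1800 seconds.
Get-CacheLockWindowSeconds -TtlSeconds 3600 -LockingPercent 50

# Steps 2: write both values with dnscmd exactly as the course steps do.
dnscmd /Config /CacheLockingPercent $cacheLockingPercent
dnscmd /Config /SocketPoolSize $socketPoolSize

# Step 3: neither value is live until the service restarts.
Restart-Service -Name DNS

# Read back the running configuration rather than trusting the registry write:
# LockingPercent is exposed on the cache object, SocketPoolSize on the server settings.
$cache    = Get-DnsServerCache
$settings = Get-DnsServerSetting -All
if ($cache.LockingPercent -ne $cacheLockingPercent) {
    throw "CacheLockingPercent is $($cache.LockingPercent), expected $cacheLockingPercent"
}
if ($settings.SocketPoolSize -ne $socketPoolSize) {
    throw "SocketPoolSize is $($settings.SocketPoolSize), expected $socketPoolSize"
}
"Cache locking: $($cache.LockingPercent)%, socket pool: $($settings.SocketPoolSize) ports"
```

Reading the values back after the restart matters: dnscmd reports success as soon as the registry is written, so a script that stops there can leave a server believed hardened but still running the old configuration until its next restart.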

DNSSEC

DNSSEC enables a DNS zone and all records in the zone to be signed cryptographically such that client computers can validate the DNS response. DNS is often subject to various attacks, such as spoofing and cache-tampering. DNSSEC helps protect against these threats and provides a more secure DNS infrastructure.

How DNSSEC Works


Intercepting and tampering with an organization's DNS query response is a common attack method. If attackers can alter responses from DNS servers, or send spoofed responses to point client computers to their own servers, they can gain access to sensitive information. Any service that relies on DNS for the initial connection, such as e-commerce web servers and email servers, is vulnerable. DNSSEC protects clients that are making DNS queries from accepting false DNS responses.

When a DNS server that is hosting a digitally signed zone receives a query, it returns the digital signatures along with the requested records. A resolver or another server can obtain the public key of the public/private key pair from a trust anchor, and then validate that the responses are authentic and have not been tampered with. To do this, the resolver or server must be configured with a trust anchor for the signed zone or for a parent of the signed zone.

Trust Anchors

A trust anchor is an authoritative entity that is represented by a public key. The TrustAnchors zone stores preconfigured public keys that are associated with a specific zone. In DNS, the trust anchor is the DNSKEY or DS resource record. Client computers use these records to build trust chains. You must configure a trust anchor from the zone on every domain DNS server to validate responses from that signed zone. If the DNS server is a domain controller, then Active Directory-integrated zones can distribute the trust anchors.

Name Resolution Policy Table

The Name Resolution Policy Table (NRPT) contains rules that control the DNS client behavior for sending DNS queries and processing the responses from those queries. For example, a DNSSEC rule prompts the client computer to check for validation of the response for a particular DNS domain suffix. As a best practice, Group Policy is the preferred method of configuring the NRPT. If there is no NRPT present, the client computer accepts responses without validating them.

Deploying DNSSEC

To deploy DNSSEC:

1. Install Windows Server 2012 and assign the DNS role to the server. Typically, a domain controller also acts as the DNS server. However, this is not a requirement.

2. Sign the DNS zone by using the DNSSEC Configuration Wizard, which is located in the DNS console.

3. Configure trust anchor distribution points.

4. Configure the NRPT on the client computers.

Assigning the DNS Server Role

To assign the DNS server role, in the Server Manager Dashboard, use the Add Roles and Features Wizard. You can also add this role when you add the AD DS role. Configure the primary zones on the DNS server. After a zone is signed, any new DNS servers in Windows Server 2012 automatically receive the DNSSEC parameters.

Signing the Zone


The following signing options are available:

- Configure the zone signing parameters. This option guides you through the steps and enables you to set all values for the key signing key (KSK) and the zone signing key (ZSK).
- Sign the zone with parameters of an existing zone. This option enables you to keep the same values and options as another signed zone.
- Use recommended settings. This option signs the zone by using the default values.

Note: Zones can also be unsigned by using the DNSSEC management user interface to remove zone signatures.

Configuring Trust Anchor Distribution Points


If the zone is Active Directory-integrated, you should select to distribute the trust anchors to all the servers in the forest. If trust anchors are required on computers that are not joined to the domain (for example, a DNS server in the perimeter network, also known as DMZ, demilitarized zone, and screened subnet), then you should enable automated key rollover.

Note: A key rollover is the act of replacing one key pair with another at the end of a key's effective period.

Configuring NRPT on Client Computers


The DNS client computer only performs DNSSEC validation on domain names where the DNS client computer is configured to do so by the NRPT. A client computer running Windows 7 is DNSSEC-aware, but it does not perform validation. Instead, it relies on the security-aware DNS server to perform validation on its behalf.


New DNSSEC Features for Windows Server 2012


DNSSEC implementation was simplified for Windows Server 2012. Although DNSSEC was supported in Windows Server 2008 R2, most of the configuration and administration tasks were performed manually, and zones were signed when they were offline.

DNSSEC Zone Signing Wizard

Windows Server 2012 includes a DNSSEC Zone Signing Wizard to simplify the configuration and signing process, and to enable online signing. The wizard allows you to choose the zone signing parameters as indicated in the previous topic. If you choose to configure the zone signing settings rather than using parameters from an existing zone or using default values, you can use the wizard to configure settings such as:
- KSK options
- ZSK options
- Trust anchor distribution options
- Signing and polling parameters

New Resource Records

DNS response validation is achieved by associating a private/public key pair (as generated by the administrator) with a DNS zone, and then defining additional DNS resource records to sign and publish keys. Resource records distribute the public key while the private key remains on the server. When the client requests validation, DNSSEC adds data to the response that enables the client to authenticate the response.

The following table describes the new resource records in Windows Server 2012.

Resource record: DNSKEY
Purpose: This record publishes the public key for the zone. It checks the authority of a response against the private key held by the DNS server. These keys require periodic replacement through key rollovers. Windows Server 2012 supports automated key rollovers.

Resource record: DS
Purpose: This record is a delegation record that contains the hash of the public key of a child zone. This record is signed by the parent zone's private key. If a child zone of a signed parent is also signed, the DS records from the child must be manually added to the parent so that a chain of trust can be created.

Resource record: RRSIG
Purpose: This record holds a signature for a set of DNS records. It is used to check the authority of a response.

Resource record: NSEC
Purpose: When the DNS response has no data to provide to the client, this record authenticates that the host does not exist.

Other New Enhancements


Other enhancements for Windows Server 2012 include:
- Support for DNS dynamic updates in DNSSEC signed zones.
- Automated trust anchor distribution through AD DS.
- Windows PowerShell-based command-line interface for management and scripting.

Demonstration: Configuring DNSSEC

In this demonstration, you will see how to use the Zone Signing Wizard in the DNS console to configure DNSSEC.

Demonstration Steps

Configure DNSSEC

1. Log on to LON-DC1 as Adatum\Administrator.

2. Start the DNS console.

3. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all default settings.

4. Verify that the DNSKEY resource records were created in the Trust Points zone.

5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix and that requires DNS client computers to verify that the name and address data is validated.
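The deployment steps and the demonstration above, carried out from the command line rather than the wizard and the Group Policy Management Console, as an added example that is not part of the course text. It assumes an elevated Windows PowerShell session on LON-DC1 with the DnsServer, DnsClient and GroupPolicy modules, an Active Directory-integrated primary zone adatum.com, and a host record lon-dc1.adatum.com to query; the GPO name DNSSEC-NRPT and the -DistributeTrustAnchor DnsKey setting are choices made for this example.

```powershell
# Added example: sign adatum.com with recommended settings, confirm DNSKEY records and
# the trust anchor, prove that answers now carry RRSIG records, and publish an NRPT
# rule through Group Policy. Assumes LON-DC1 in the course lab; GPO name is an
# example choice.
Import-Module DnsServer, DnsClient, GroupPolicy

$zone     = 'adatum.com'
$domainDn = 'DC=adatum,DC=com'
$gpoName  = 'DNSSEC-NRPT'   # example GPO name, not one the course specifies

# Step 2 / demonstration step 3: online signing with default KSK and ZSK values,
# the wizard's "Use recommended settings" option. Skip if already signed.
if (-not (Get-DnsServerZone -Name $zone).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
}

# Step 3: let AD DS distribute the trust anchor to every DNS server in the forest
# (the Active Directory-integrated option described under trust anchor distribution).
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey

# Demonstration step 4: the zone must now carry DNSKEY records, and the trust points
# store holds the anchor that other servers use to validate.
$dnskeys = Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
if (-not $dnskeys) { throw "No DNSKEY records in $zone; signing did not complete." }
Get-DnsServerTrustAnchor -Name $zone | Format-Table -AutoSize

# A query with the DO bit set returns RRSIG records next to the answer; without the
# bit the same answer looks unsigned, which is why a client needs the NRPT rule.
$answer = Resolve-DnsName -Name "lon-dc1.$zone" -Type A -DnssecOk -Server localhost
$sigs   = $answer | Where-Object { $_.Type -eq 'RRSIG' }
if (-not $sigs) { throw "Response for lon-dc1.$zone carried no RRSIG records." }
"$($sigs.Count) RRSIG record(s) returned for lon-dc1.$zone"

# Step 4 / demonstration step 5: an NRPT rule delivered by Group Policy.
# DnsSecValidationRequired makes clients reject answers that fail validation; with no
# rule present, clients accept unvalidated answers, as the text notes.
$gpo = Get-GPO -All -Domain $zone | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $zone
    New-GPLink -Guid $gpo.Id -Target $domainDn -LinkEnabled Yes | Out-Null
}
Add-DnsClientNrptRule -GpoName $gpoName -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptRule -GpoName $gpoName | Format-List
```

On a domain-joined client, gpupdate /force followed by Get-DnsClientNrptPolicy shows the effective rule; a Windows 7 client lists the rule too but, as the text notes, leaves the actual validation to its DNS server.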


Lesson 3

Implementing IPAM

With the development of IPv6 and more and more devices requiring IP addresses, networks have become complex and difficult to manage. Maintaining an updated list of static IP addresses that have been issued has often been a manual task, which can lead to errors. To help organizations manage IP addresses, Windows Server 2012 provides the IPAM tool.

Lesson Objectives


After completing this lesson you will be able to:
- Describe IPAM.
- Describe IPAM architecture.
- Describe the requirements for IPAM implementations.
- Manage IP addressing using IPAM.
- Install and configure IPAM.
- Describe considerations for implementing IPAM.

What Is IPAM?


IP address management is a difficult task in large networks, because tracking IP address usage is largely a manual operation. Windows Server 2012 introduces IPAM, which is a framework for discovering, monitoring utilization, auditing, and managing the IP address space in a network. IPAM enables the administration and monitoring of DHCP and DNS, and provides a comprehensive view of where IP addresses are used. IPAM collects information from domain controllers and Network Policy Servers (NPSs) and stores that information in the Windows Internal Database.

IPAM assists in the areas of IP administration as shown in the following table.

IP administration area: Planning
IPAM capabilities: Provides a tool set that can reduce the time and expense of the planning process when changes occur in the network.

IP administration area: Managing
IPAM capabilities: Provides a single point of management and assists in optimizing utilization and capacity planning for DHCP and DNS.

IP administration area: Tracking
IPAM capabilities: Enables tracking and forecasting of IP address utilization.

IP administration area: Auditing
IPAM capabilities: Assists with compliance requirements, such as HIPAA and the Sarbanes-Oxley Act of 2002, and provides reporting for forensics and change management.


Characteristics of IPAM


Characteristics of IPAM include:
- A single IPAM server can support up to 150 DHCP servers and 500 DNS servers.
- A single IPAM server can support up to 6,000 DHCP scopes and 150 DNS zones.
- IPAM stores three years of forensics data (IP address leases, host MAC addresses, user login and logoff information) for 100,000 users in a Windows Internal Database. There is no database purge policy provided, and the administrator must purge the data manually as needed.
- IPAM supports only Windows Internal Database. No external database is supported.
- IP address utilization trends are provided only for IPv4.
- IP address reclamation support is provided only for IPv4.
- IPAM does not check for IP address consistency with routers and switches.

Benefits of IPAM


IPAM benefits include:
- IPv4 and IPv6 address space planning and allocation.
- IP address space utilization statistics and trend monitoring.
- Static IP inventory management, lifetime management, and DHCP and DNS record creation and deletion.
- Service and zone monitoring of DNS services.
- IP address lease and logon event tracking.
- Role based access control (RBAC).
- Remote administration support through RSAT.

Note: IPAM does not support management and configuration of non-Microsoft network elements.

IPAM Architecture


IPAM architecture consists of four main modules, which are listed in the following table.

Module: IPAM discovery
Description: You use AD DS to discover servers running Windows Server 2008 and newer that have DNS, DHCP, or AD DS installed. Administrators can define the scope of discovery to a subset of domains in the forest. They can also add servers manually.

Module: IP address space management (ASM)
Description: You can use this module to view, monitor, and manage the IP address space. You can dynamically issue or statically assign addresses. You can also track address utilization and detect overlapping DHCP scopes.

Module: Multi-server management and monitoring
Description: You can manage and monitor multiple DHCP servers. This enables tasks to execute across multiple servers. For example, you can configure and edit DHCP properties and scopes and track the status of DHCP and scope utilization. You can also monitor multiple DNS servers, and monitor the health and status of DNS zones across authoritative DNS servers.

Module: Operational auditing and IP address tracking
Description: You can use the auditing tools to track potential configuration problems. You can also collect, manage, and view details of configuration changes from managed DHCP servers. You can also collect address lease tracking from DHCP lease logs, and collect logon event information from NPS and domain controllers.

The IPAM server can only manage one Active Directory forest. IPAM is deployed in one of three topologies:
- Distributed. An IPAM server is deployed to every site in the forest.
- Centralized. Only one IPAM server is deployed in the forest.
- Hybrid. A central IPAM server is deployed together with a dedicated IPAM server in each site.

Note: IPAM servers do not communicate with one another or share database information. If you deploy multiple IPAM servers, you must customize each server's discovery scope.

IPAM has two main components:
- IPAM server. The IPAM server performs the data collection from the managed servers. It also manages the Windows Internal Database and provides RBAC.
- IPAM client. The IPAM client provides the client computer user interface, interacts with the IPAM server, and invokes Windows PowerShell to perform DHCP configuration tasks, DNS monitoring, and remote management.

IPAM Security Groups

The following table describes the local security groups that are created automatically when you install IPAM.

Group: IPAM Users
Description: Members of this group can view all information that is located in server discovery, IP address space, and server management. They can view IPAM and DHCP server operational events, but they cannot view IP address tracking information.

Group: IPAM MSM Administrators
Description: IPAM multi-server management (MSM) administrators have IPAM Users privileges, and can perform IPAM common management tasks and server management tasks.

Group: IPAM ASM Administrators
Description: IPAM ASM administrators have IPAM Users privileges, and can perform IPAM common management tasks and IP address space tasks.

Group: IPAM IP Audit Administrators
Description: Members of this group have IPAM Users privileges, can perform IPAM common management tasks, and can view IP address tracking information.

Group: IPAM Administrators
Description: IPAM Administrators can view all IPAM data and perform all IPAM tasks.

Requirements for IPAM Implementation


To ensure a successful IPAM implementation, you must meet several prerequisites:
- The IPAM server must be a domain member, but cannot be a domain controller.
- The IPAM server should be a single purpose server. Do not install other network roles such as DHCP or DNS on the same server.
- To manage the IPv6 address space, IPv6 must be enabled on the IPAM server.
- Log on to the IPAM server with a domain account, and not a local account.
- You must be a member of the correct IPAM local security group on the IPAM server.
- Enable logging of account logon events on domain controller and NPS servers for IPAM's IP address tracking and auditing feature.

IPAM Hardware and Software Requirements


The IPAM hardware and software requirements are as follows:
- Dual core processor of 2.0 gigahertz (GHz) or higher
- Windows Server 2012 operating system
- 4 or more gigabytes (GB) of random access memory (RAM)
- 80 GB of free hard disk space

In addition to the previously mentioned requirements, Windows Server 2008 and 2008 R2 require the following:
- Service Pack 2 (SP2) must be installed on Windows Server 2008.
- Microsoft .NET Framework 4.0 full installation must be installed.
- Windows Management Framework 3.0 Beta must be installed (KB2506146).
- For Windows Server 2008 SP2, Windows Management Framework Core (KB968930) is also required.
- Windows Remote Management (WinRM) must be enabled.
- Verify that service principal names (SPNs) are written.
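A script that checks a candidate server against the prerequisites and hardware requirements listed above before the IPAM feature is installed, as an added example that is not part of the course text. It assumes Windows Server 2012 with Windows PowerShell 3.0 and the ServerManager and NetAdapter modules; the thresholds (two cores, 4 GB of RAM, 80 GB free, WinRM enabled, domain member that is not a domain controller, no DNS, DHCP or AD DS role, domain logon) are the ones the text states.

```powershell
# Added example: report pass/fail for each IPAM prerequisite the course lists.
# Assumes Windows Server 2012, PowerShell 3.0, ServerManager and NetAdapter modules.
Import-Module ServerManager, NetAdapter

function Test-IpamPrerequisites {
    $cs    = Get-WmiObject Win32_ComputerSystem
    $os    = Get-WmiObject Win32_OperatingSystem
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $cores = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    # Roles that must not share the box with IPAM.
    $roles = Get-WindowsFeature DNS, DHCP, AD-Domain-Services | Where-Object { $_.Installed }
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc  = $cs.DomainRole -ge 4
    # A local account reports the computer name as USERDOMAIN.
    $domainLogon = $env:USERDOMAIN -ne $env:COMPUTERNAME
    $ipv6Bound   = [bool](Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled })

    $checks = [ordered]@{
        'Domain member'                  = [bool]$cs.PartOfDomain
        'Not a domain controller'        = -not $isDc
        'No DNS, DHCP or AD DS role'     = -not $roles
        'IPv6 bound on an adapter'       = $ipv6Bound
        'Logged on with a domain account'= $domainLogon
        'Windows Server 2012 or later'   = [version]$os.Version -ge [version]'6.2'
        'Two or more cores'              = $cores -ge 2
        '4 GB or more RAM'               = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4
        '80 GB free on system drive'     = $disk.FreeSpace -ge 80GB
        'WinRM responding'               = [bool](Test-WSMan -ErrorAction SilentlyContinue)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

$results = Test-IpamPrerequisites
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more IPAM prerequisites are not met; fix them before installing the feature.'
}
```

The domain-controller and role checks are the ones worth automating: installing IPAM on a DC or DHCP server succeeds technically, so nothing else in the process catches the mistake the text warns about.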


Managing IP Addressing Using IPAM


IP address space management allows administrators to manage, track, audit, and report on an organization's IPv4 and IPv6 address spaces. The IPAM IP address space console provides administrators with IP address utilization statistics and historical trend data so that they can make informed planning decisions for dynamic, static, and virtual address spaces. IPAM periodic tasks automatically discover the address space and utilization data as configured on the DHCP servers that are managed in IPAM. You can also import IP address information from comma separated values (.csv) files.

IPAM also enables administrators to detect overlapping IP address ranges that are defined on different DHCP servers, find free IP addresses within a range, create DHCP reservations, and create DNS records.

IPAM provides a number of ways to filter the view of the IP address space. You can customize how you view and manage the IP address space using any of the following views:
- IP address blocks
- IP address ranges
- IP addresses
- IP address inventory
- IP address range groups

IP Address Blocks

IP address blocks are the highest-level entities within an IP address space organization. Conceptually, an IP block is an IP subnet marked by a start and an end IP address, and it is typically assigned to an organization by various Regional Internet Registries (RIRs). Network administrators use IP address blocks to create and allocate IP address ranges to DHCP. They can add, import, edit, and delete IP address blocks. IPAM automatically maps IP address ranges to the appropriate IP address block based on the boundaries of the range. You can add and import IP address blocks in the IPAM console.

IP Address Ranges

IP address ranges are the next hierarchical level of IP address space entities after IP address blocks. Conceptually, an IP address range is an IP subnet marked by a start and end IP address, and it typically corresponds to a DHCP scope, or a static IPv4 or IPv6 address range or address pool that is used to assign addresses to hosts. An IP address range is uniquely identifiable by the value of the mandatory Managed By Service and Service Instance options, which help IPAM manage and maintain overlapping or duplicate IP address ranges from the same console. You can add or import IP address ranges from within the IPAM console.

IP Addresses

IP addresses are the addresses that make up the IP address range. IPAM enables end-to-end life cycle management of IPv4 and IPv6 addresses, including record synchronization with DHCP and DNS servers. IPAM automatically maps an address to the appropriate range based on the start and end address of the range. An IP address is uniquely identifiable by the value of mandatory Managed By Service and Service Instance options that help IPAM manage and maintain duplicate IP addresses from the same console. You can add or import IP addresses from within the IPAM console.


IP Address Inventory

In this view, you can view a list of all IP addresses in the enterprise along with their device names and type. IP address inventory is a logical group defined by the Device Type option within the IP addresses view. These groups allow you to customize the way your address space displays for managing and tracking IP usage. You can add or import IP addresses from within the IPAM console. For example, you could add the IP addresses for printers or routers, assign those IP addresses the appropriate device type of printer or router, and then view your IP inventory filtered by the device type you assigned.

IP Address Range Groups

IPAM enables you to organize IP address ranges into logical groups. For example, you might organize IP address ranges geographically or by business division. Logical groups are defined by selecting the grouping criteria from built-in or user-defined custom fields.

Monitoring and Managing


IPAM enables automated, periodic service monitoring of DHCP and DNS servers across a forest. Monitoring and managing is organized into the views listed in the following table.

View: DNS and DHCP Servers
Description: By default, managed DHCP and DNS servers are arranged by their network interface in /16 subnets for IPv4 and /48 subnets for IPv6. You can select the view to see just DHCP scope properties, just DNS server properties, or both.

View: DHCP scopes
Description: The DHCP scope view enables scope utilization monitoring. Utilization statistics are collected periodically and automatically from a managed DHCP server. You can track important scope properties such as Name, ID, Prefix Length, and Status.

View: DNS Zone Monitoring
Description: Zone monitoring is enabled for forward and reverse lookup zones. Zone status is based on events collected by IPAM. The status of each zone is summarized.

View: Server Groups
Description: You can organize your managed DHCP and DNS servers into logical groups. For example, you might organize servers by business unit or geography. Groups are defined by selecting the grouping criteria from built-in fields or user-defined fields.

Demonstration: Installing and Configuring IPAM


In this demonstration, you will see how to install and configure IPAM management.

Demonstration Steps

Install and Configure IPAM

1. Log on to LON-SVR2 as Adatum\Administrator.

2. In Server Manager, add the IPAM feature and all required supporting features.

3. In the IPAM Overview pane, provision the IPAM server using Group Policy.

4. Enter IPAM as the Group Policy Object (GPO) name prefix, and provision IPAM.

5. In the IPAM Overview pane, configure server discovery for the Adatum domain.

6. In the IPAM Overview pane, start the server discovery process.

7. In the IPAM Overview pane, add the servers to be managed.

8. Verify that IPAM access is currently blocked.

9. Use Windows PowerShell to grant the IPAM server permission to manage LON-DC1 by using the following command:

Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

10. Set the manageability status to Managed.

11. Switch to LON-DC1.

12. Force the update of Group Policy.

13. Switch back to LON-SVR2 and refresh the IPv4 view.

14. In the IPAM Overview pane, retrieve data from the managed server.
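The scripted equivalent of demonstration steps 2 to 4, 9 and 12, as an added example that is not part of the course text. It assumes an elevated Windows PowerShell session as Adatum\Administrator on LON-SVR2 with the ServerManager, IpamServer and GroupPolicy modules, the lab names used in the demonstration (Adatum.com, LON-SVR2, LON-DC1, GPO prefix IPAM), and that the provisioning GPOs follow the naming pattern <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS.

```powershell
# Added example: install the IPAM feature, run the Group Policy provisioning the
# course quotes, verify the resulting GPOs, and refresh policy on the managed server.
# Assumes LON-SVR2 in the Adatum.com lab; names are the demonstration's own.
Import-Module ServerManager, GroupPolicy

$domain     = 'Adatum.com'
$gpoPrefix  = 'IPAM'
$ipamServer = 'LON-SVR2.adatum.com'
$managedDc  = 'LON-DC1'

# Step 2: the feature pulls in its supporting features (Windows Internal Database,
# Group Policy management tools, PowerShell modules) without extra steps.
$install = Install-WindowsFeature -Name IPAM -IncludeManagementTools
if (-not $install.Success) { throw 'IPAM feature installation failed.' }
Import-Module IpamServer

# Steps 3-4 and 9: create the provisioning GPOs and delegate them to the IPAM server.
# -Force suppresses the confirmation prompt so the script runs unattended.
Invoke-IpamGpoProvisioning -Domain $domain -GpoPrefixName $gpoPrefix `
    -IpamServerFqdn $ipamServer -DelegatedGpoUser Administrator -Force

# Check: one GPO per managed role should now exist and be linked in the domain.
$expected = "${gpoPrefix}_DHCP", "${gpoPrefix}_DNS", "${gpoPrefix}_DC_NPS"
$found    = Get-GPO -All -Domain $domain | Where-Object { $expected -contains $_.DisplayName }
if (@($found).Count -ne $expected.Count) {
    throw "Expected GPOs $($expected -join ', '); found $(@($found).DisplayName -join ', ')"
}
$found | Select-Object DisplayName, GpoStatus, ModificationTime | Format-Table -AutoSize

# Step 12: the managed server only opens its firewall and adds the IPAM server to its
# local groups once it applies the GPOs, so force a refresh there before retrieving data.
Invoke-Command -ComputerName $managedDc -ScriptBlock { gpupdate /force }
```

The GPO check is the useful part: the IPAM console shows a server as blocked (step 8) until these GPOs have been created and applied, so confirming they exist separates a provisioning failure from a Group Policy refresh that simply has not happened yet.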

IPAM Management and Monitoring


The IPAM ASM feature allows you to efficiently view, monitor, and manage the IP address space on the network. ASM supports IPv4 public and private addresses, and IPv6 global and unicast addresses. Using the DNS and DHCP server view, you can view and monitor health and configuration of all the DNS and DHCP servers that are being managed by IPAM. IPAM uses scheduled tasks to periodically collect data from managed servers. You can also retrieve data on demand by using the Retrieve All Server Data option.

Utilization Monitoring

Utilization data is maintained for IP address ranges, IP address blocks, and IP range groups within IPAM. You can configure thresholds for the percentage of the IP address space that is utilized, and then use those thresholds to determine under-utilization and over-utilization. You can perform utilization trend building and reporting for IPv4 address ranges, blocks, and range groups. The utilization trend window allows you to view trends over time periods such as daily, weekly, monthly or annually, or you can view trends over custom date ranges. Utilization data from managed DHCP scopes is auto-discovered, and you can view this data.

Monitoring DHCP and DNS

Using IPAM, you can monitor DHCP and DNS servers from any physical location of the enterprise. One of the primary benefits of IPAM is its ability to simultaneously manage multiple DHCP servers or DHCP scopes that are spread across one or more DHCP servers.

The IPAM monitoring view allows you to view the status and health of selected sets of Microsoft DNS and DHCP servers from a single console. IPAM's monitoring view displays the basic health of servers and recent configuration events that occurred on these servers. The monitoring view also allows you to organize the managed servers into logical server groups.

For DHCP servers, the server view allows you to track various server settings, server options, the number of scopes, and the number of active leases that are configured on the server. For DNS servers, this view allows you to track all zones that are configured on the server, along with details of the zone type. The view also allows you to see the total number of zones that are configured on the server, and the overall zone health status as derived from the zone status of individual zones on the server.

DHCP Server Management


From the IPAM console, you can manage DHCP servers and perform the following actions:
- Edit DHCP server properties
- Edit DHCP server options
- Create DHCP scopes
- Configure predefined options and values
- Configure the user class across multiple servers simultaneously
- Create and edit new and existing user classes across multiple servers simultaneously
- Configure the vendor class across multiple servers simultaneously
- Start the management console for a selected DHCP server
- Retrieve server data from multiple servers

DNS Server Management

You can start the DNS management console for any managed DNS server from a central console in the IPAM server and retrieve server data from the selected set of servers. The DNS Zone Monitoring view displays all the forward lookup and reverse lookup zones on all the DNS servers that IPAM is currently managing. For the forward lookup zones, IPAM also displays all the servers that are hosting the zone, and the aggregate health of the zone across all these servers and the zone properties.

The Event Catalog

The IPAM event catalog provides a centralized repository for auditing all configuration changes that are performed on DHCP servers that are managed from a single IPAM management console. The IPAM configuration events console gathers all of the configuration events. These configuration event catalogs allow you to view, query, and generate reports of the consolidated configuration changes, along with details specific to each record.

Considerations for Implementing IPAM


IPAM is an agentless technology that uses Windows remote management protocols to manage, monitor, and collect data from distributed servers in the environment. As such, you should be aware of some implementation considerations.

Installation Considerations

Although IPAM is relatively simple to install, there are certain considerations:

- IPAM should not be installed on a domain controller, DHCP server, or DNS server.
- The installation wizard in Server Manager automatically installs the features required to support IPAM. There are no extra steps required of the administrator.
- The IPAM client is installed automatically on Windows Server 2012 along with the IPAM server, but you can uninstall the client separately.
- You can uninstall IPAM by using Server Manager. All dependencies, local security groups, and scheduled tasks will be deleted. The IPAM database will be detached from the Windows Internal Database.

Functional Considerations
Consider the following IPAM functional specifications:

- IPAM does not support multiple forest topologies.
- IPAM can only use Windows Internal Database; it cannot use any other type of database.
- The IPAM server must collect DHCP lease information to enable address tracking. Ensure that the DHCP audit log file size is configured so that it is large enough to contain audit events for the entire day.
- For domain controllers and network policy servers, enable the required events for logging. You can use Group Policy security settings to perform this task.

Administrative Considerations

Domain and enterprise administrators have full access to IPAM administration. You can delegate administrative duties to other users or groups by using the IPAM security groups. The installation process creates local security groups (which have no members by default) on the IPAM server. The local security groups provide the permissions that are required for administering and using the multiple services that IPAM employs. IPAM installation automatically creates the local user groups listed in the following table.

Group: IPAM Users
Description: Members of this group can view all information in IPAM server inventory, IP address space, and IPAM server management consoles. They can view IPAM and DHCP server operational events, but they cannot view IP address tracking information.

Group: IPAM MSM Administrators
Description: Members of this group have all the privileges of the IPAM Users group, and they can perform IPAM monitoring and management tasks.

Group: IPAM ASM Administrators
Description: Members of this group have all the privileges of the IPAM Users group, and they can perform IPAM IP address space tasks.

Group: IPAM IP Audit Administrators
Description: Members of this group have all the privileges of the IPAM Users group, and they can view IP address tracking information.

Group: IPAM Administrators
Description: Members of this group can view all IPAM information and perform all IPAM tasks.

Migrating Existing IP Data Into IPAM

Many organizations use Microsoft Office Excel spreadsheets to document the IP address space allocation for static addresses and network devices. Because these spreadsheets must be updated manually, they are prone to error. You can migrate the existing data from these spreadsheets into IPAM by converting the spreadsheets to .csv files, and then importing the information into IPAM.


Lab: Implementing Advanced Network Services


Scenario

A. Datum Corporation has grown rapidly over the last few years. The company has deployed several new branch offices, and it has significantly increased the number of users in the organization. Additionally, it has expanded the number of partner organizations and customers that are accessing A. Datum websites and applications. Because of this expansion, the complexity of the network infrastructure has increased, and the organization now needs to be much more aware of network level security.

As one of the senior network administrators at A. Datum, you are responsible for implementing some of the advanced networking features in Windows Server 2012 to manage the networking infrastructure. You need to implement new features in DHCP and DNS, with the primary goal of providing higher levels of availability while increasing the security of these services. You also need to implement IPAM so that you can simplify and centralize the management of IP address usage and configuration in an increasingly complex network.

Objectives
- Configure advanced DHCP settings.
- Configure advanced DNS settings.
- Configure IP address management.

Lab Setup

Virtual Machine(s): 20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-SVR2, 20412A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2. Do not start 20412A-LON-CL1 until directed to do so.


Exercise 1: Configuring Advanced DHCP Settings


Scenario

With the expansion of the network, and the increased availability and security requirements at A. Datum Corporation, you need to implement some additional DHCP features. Because of the recent business expansion, the main office DHCP scope is almost completely utilized, which means you need to configure a superscope. Additionally, you need to configure DHCP name protection and DHCP failover.

The main tasks for this exercise are as follows:

1. Configure a superscope
2. Configure DHCP name protection
3. Configure and verify DHCP failover

Task 1: Configure a superscope


1. On LON-DC1, configure a scope named Scope1, with a range of 192.168.0.50 to 192.168.0.100, and with the following settings:
   o Subnet mask: 255.255.255.0
   o Router: 192.168.0.1
   o DNS Suffix: Adatum.com
   o Choose to activate the scope later
2. Configure a second scope named Scope2 with a range of 192.168.1.50 to 192.168.1.100, and with the following settings:
   o Subnet mask: 255.255.255.0
   o Router: 192.168.1.1
   o DNS Suffix: Adatum.com
   o Choose to activate the scope later
3. Create a superscope called AdatumSuper that has Scope1 and Scope2 as members.

Task 2: Configure DHCP name protection

Switch to the DHCP console on LON-DC1, and enable DHCP Name Protection for the IPv4 node.

Task 3: Configure and verify DHCP failover


1. On LON-SVR1, start the DHCP console, and observe the current state of DHCP. Note that the server is authorized, but no scopes are configured.
2. On LON-DC1, in the DHCP console, launch the Configure Failover Wizard.
3. Configure failover replication with the following settings:
   o Partner server: 172.16.0.21
   o Relationship Name: Adatum
   o Maximum Client Lead Time: 15 minutes
   o Mode: Load balance
   o Load Balance Percentage: 50%
   o State Switchover Interval: 60 minutes
   o Message authentication shared secret: Pa$$w0rd
4. Complete the Configure Failover Wizard.
5. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active, and that Scope Adatum is configured.
6. Start 20412A-LON-CL1, and log on as Adatum\Administrator.
7. Configure LON-CL1 to obtain an IP address from the DHCP server.
8. Open a command prompt window, and record the IP address.
9. Switch to LON-DC1, and stop the DHCP server service.
10. Switch back to LON-CL1 and renew the IP address.
11. Shut down the LON-SVR1 server.
12. On LON-DC1, in the Services console, start the DHCP server service.
13. Close the Services console.
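The failover relationship that Task 3 builds through the wizard, expressed in Windows PowerShell as an added example (it is not part of the lab guide). It assumes an elevated session on LON-DC1 with the DhcpServer module, and that the scope to protect is 172.16.0.0; the partner address 172.16.0.21 and the other values are the ones listed in the task.

```powershell
# Added example, not from the lab guide: create the load-balance failover
# relationship from Task 3 with the DhcpServer cmdlets, then verify it.
# Assumptions: run elevated on LON-DC1 (Windows Server 2012); the scope to
# replicate to the partner is 172.16.0.0.
Import-Module DhcpServer

$PrimaryServer = 'LON-DC1.adatum.com'
$PartnerServer = '172.16.0.21'      # LON-SVR1, as in the lab
$ScopeId       = '172.16.0.0'

# The message authentication shared secret lets each partner verify that
# failover messages really come from its peer. Prompt for it at run time
# rather than storing it in the script.
$Secret = Read-Host -Prompt 'Failover message authentication shared secret'

Add-DhcpServerv4Failover -ComputerName $PrimaryServer `
    -Name 'Adatum' `
    -PartnerServer $PartnerServer `
    -ScopeId $ScopeId `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Minutes 15) `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $Secret `
    -AutoStateTransition $true `
    -Force

# Confirm the relationship as the primary sees it: mode, MCLT, state
# switchover interval and whether message authentication is enabled.
Get-DhcpServerv4Failover -ComputerName $PrimaryServer -Name 'Adatum' |
    Format-List Name, PartnerServer, Mode, LoadBalancePercent,
                MaxClientLeadTime, StateSwitchInterval, EnableAuth, State

# Confirm the scope was replicated to the partner (the equivalent of
# refreshing the IPv4 node on LON-SVR1 in step 5).
Get-DhcpServerv4Scope -ComputerName $PartnerServer -ScopeId $ScopeId |
    Format-Table ScopeId, Name, State
```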

Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection, and configured and verified DHCP failover.

Exercise 2: Configuring Advanced DNS Settings


Scenario

To increase the level of security for the DNS zones at A. Datum, you need to configure DNS security settings such as DNSSEC, DNS socket pool, and cache locking. A. Datum has a business relationship with Contoso, Ltd, and will host the Contoso.com DNS zone. A. Datum clients use an application that accesses a server named App1 in the Contoso.com zone by using its NetBIOS name. You need to ensure that these applications can resolve the names of the required servers correctly. You will employ a GlobalNames zone to achieve this.

The main tasks for this exercise are as follows:

1. Configure DNSSEC.
2. Configure the DNS socket pool.
3. Configure DNS cache locking.
4. Configure a GlobalName Zone.

Task 1: Configure DNSSEC


1. On LON-DC1, start the DNS Manager.
2. Use the DNSSEC Zone Signing Wizard to sign the Adatum.com zone. Accept all the default settings.
3. Verify that the DNSKEY resource records have been created in the Trust Points zone.
4. Minimize the DNS console.
5. Use the Group Policy Management Console to configure NRPT. Create a rule that enables DNSSEC for the Adatum.com suffix, and that requires DNS clients to verify that the name and address data were validated.

Task 2: Configure the DNS socket pool


1. On LON-DC1, start a command prompt with elevated credentials.
2. Run the following command to view the current size of the socket pool.

   dnscmd /info /socketpoolsize

3. Run the following command to change the socket pool size to 3,000.

   dnscmd /config /socketpoolsize 3000

4. Restart the DNS service.
5. Run dnscmd to confirm the new socket pool size.

Task 3: Configure DNS cache locking


1. Run the following command to view the current cache lock size.

   dnscmd /info /CacheLockingPercent

2. Run the following command to change the cache lock value to 75 percent.

   dnscmd /config /CacheLockingPercent 75

3. Restart the DNS service.
4. Run dnscmd to confirm the new cache lock value.
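The socket pool and cache locking changes from Tasks 2 and 3, applied and verified in one script with the DnsServer module instead of dnscmd; this is an added example and not part of the lab guide. It assumes an elevated PowerShell session on LON-DC1 (Windows Server 2012); setting SocketPoolSize by editing the object returned by Get-DnsServerSetting -All is an assumption about that object, since the lab itself uses dnscmd for this value.

```powershell
# Added example, not from the lab guide: harden the resolver against cache
# poisoning with the two settings from Tasks 2 and 3, then verify both.
# Assumptions: run elevated on LON-DC1 with the DnsServer module loaded.
Import-Module DnsServer

$TargetPoolSize   = 3000   # Task 2 value
$TargetLockingPct = 75     # Task 3 value

# 1. Socket pool. Outbound queries take their UDP source port at random from a
#    pool of this many ports, so a forged response must match the port as well
#    as the 16-bit transaction ID. Assumption: SocketPoolSize is writable on
#    the object that Get-DnsServerSetting -All returns.
$Settings = Get-DnsServerSetting -All
"Socket pool size before: $($Settings.SocketPoolSize)"
$Settings.SocketPoolSize = $TargetPoolSize
Set-DnsServerSetting -InputObject $Settings

# 2. Cache locking. A cached record cannot be overwritten until this percentage
#    of its TTL has elapsed, so an attacker cannot simply push a replacement
#    record into the cache while a valid one is still fresh.
"Cache locking before: $((Get-DnsServerCache).LockingPercent)%"
Set-DnsServerCache -LockingPercent $TargetLockingPct

# Both values are read at service start (the lab restarts DNS for the same
# reason), so restart and then re-read them.
Restart-Service -Name DNS

$After = Get-DnsServerSetting -All
$Cache = Get-DnsServerCache
if ($After.SocketPoolSize -ne $TargetPoolSize -or
    $Cache.LockingPercent -ne $TargetLockingPct) {
    throw "DNS hardening settings were not applied: pool=$($After.SocketPoolSize) lock=$($Cache.LockingPercent)"
}
"Socket pool size: $($After.SocketPoolSize); cache locking: $($Cache.LockingPercent)%"
```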

Task 4: Configure a GlobalName Zone


1. Create an Active Directory integrated forward lookup zone named Contoso.com, by running the following command:

   Dnscmd LON-DC1 /ZoneAdd Contoso.com /DsPrimary /DP /forest

2. Run the following command to enable support for GlobalName zones:

   dnscmd lon-dc1 /config /enableglobalnamessupport 1

3. Create an Active Directory integrated forward lookup zone named GlobalNames by running the following command:

   Dnscmd LON-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest

4. Open the DNS Manager console and add a new host record to the Contoso.com domain named App1 with the IP address of 192.168.1.200.
5. In the GlobalNames zone, create a new alias named App1 using the FQDN of App1.Contoso.com.
6. Close DNS Manager and close the command prompt.

Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS cache locking, and the GlobalName zone.

Exercise 3: Configuring IP Address Management


Scenario
A. Datum Corporation is evaluating solutions for simplifying IP management. Since implementing Windows Server 2012, you have decided to implement IPAM.

The main tasks for this exercise are as follows:

1. Install the IPAM feature.
2. Configure IPAM-related GPOs.
3. Configure IP management server discovery.
4. Configure managed servers.
5. Configure and verify a new DHCP scope with IPAM.
6. Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records.

Task 1: Install the IPAM feature


On LON-SVR2, install the IP Address Management (IPAM) Server feature.

Task 2: Configure IPAM-related GPOs


1. In Server Manager, in the IPAM Overview pane, provision the IPAM server using Group Policy.
2. Enter IPAM as the GPO name prefix, and provision IPAM using the Provision IPAM Wizard.

Task 3: Configure IP management server discovery


1. In the IPAM Overview pane, configure server discovery for the Adatum domain.
2. In the IPAM Overview pane, start the server discovery process.

Task 4: Configure managed servers


1. In the IPAM Overview pane, add the servers that you need to manage.
2. Verify that IPAM access is currently blocked. Use Windows PowerShell to grant the IPAM server permission to manage LON-DC1 by running the following command:

   Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

3. Set the manageability status to Managed.
4. Switch to LON-DC1, and force the update of Group Policy by running gpupdate /force.
5. Return to LON-SVR2 and refresh the server access status for LON-DC1 and the IPv4 console view. It may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks as needed until a green check mark displays next to LON-DC1 and the IPAM Access Status shows Unblocked.
6. In the IPAM Overview pane, retrieve data from the managed server.

Task 5: Configure and verify a new DHCP scope with IPAM


1. On LON-SVR2, use IPAM to create a new DHCP scope with the following parameters:
   o Scope start address: 10.0.0.50
   o Scope end address: 10.0.0.100
   o Subnet mask: 255.0.0.0
   o Default gateway: 10.0.0.1
2. On LON-DC1, verify the scope in the DHCP MMC.


Task 6: Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records
1. On LON-SVR2, add an IP address block in the IPAM console with the following parameters:
   o Network ID: 172.16.0.0
   o Prefix length: 16
   o Description: Head Office
2. Add IP addresses for the network router by adding to the IP Address Inventory with the following parameters:
   o IP address: 172.16.0.1
   o MAC address: 112233445566
   o Device type: Routers
   o Description: Head Office Router
3. Use the IPAM console to create a DHCP reservation as follows:
   o IP address: 172.16.0.10
   o MAC address: 223344556677
   o Device type: Host
   o Reservation server name: LON-DC1.Adatum.com
   o Reservation name: Webserver
   o Reservation type: Both
4. Use the IPAM console to create the DNS host record as follows:
   o Device name: Webserver
   o Forward lookup zone: Adatum.com
   o Forward lookup primary server: LON-DC1.adatum.com
5. Right-click the IPv4 entry and create the DHCP reservation and create the DNS Host record.
6. On LON-DC1, open the DHCP console and confirm that the reservation was created in the 172.16.0.0 scope.
7. On LON-DC1, open the DNS Manager console. Confirm that the DNS host record was created.

Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAM-related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP addresses, DHCP reservations, and DNS records.

To prepare for the next module


1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2 and 20412A-LON-CL1.


Module Review and Takeaways


Question: What is one of the drawbacks to using IPAM?

Common Issues and Troubleshooting Tips


Common Issue: Users can no longer access a vendor's website that they have always been able to access in the past.
Troubleshooting Tip:

Common Issue: Managed servers are unable to connect to the IPAM server.
Troubleshooting Tip:

Real-world Issues and Scenarios


Some network clients are receiving incorrect DHCP configuration. What tool should you use to start troubleshooting?

Answer: The IPConfig /All command will tell you if the client is receiving DHCP configuration and the IP address of the DHCP server from which the configuration came.

What are some possible causes of the incorrect configurations?

Answer: There may be a rogue DHCP server on the network. Common things to look for will be gateway devices, such as cable modems or PBX boxes, that have a DHCP component enabled. Another possibility is that someone has manually configured the IP address on the client.

Best Practice
- Implement DHCP failover to ensure that client computers can continue to receive IP configuration information in the event of a server failure.
- Ensure that there are at least two DNS servers hosting each zone.
- Use IPAM to control IP address distribution and static address assignments.

Tools
Tool: Dnscmd
Use: Configure all aspects of DNS management
Location: %systemroot%\System32\dnscmd.exe

Tool: DHCP console
Use: Control all aspects of DHCP management from a user interface
Location: %systemroot%\System32\dhcpmgmt.msc

Tool: DNS console
Use: Control all aspects of DNS management from a user interface
Location: %systemroot%\System32\dnsmgmt.msc

Tool: IPAM Management console
Use: Control all aspects of IPAM management
Location: Server Manager

Module 2
Implementing Advanced File Services
Contents:
Module Overview 2-1
Lesson 1: Configuring iSCSI Storage 2-2
Lesson 2: Configuring BranchCache 2-9
Lesson 3: Optimizing Storage Usage 2-16
Lab A: Implementing Advanced File Services 2-22
Lab B: Implementing BranchCache 2-28
Module Review and Takeaways 2-33

Module Overview

Storage space requirements have been increasing since the inception of server-based file shares. The Windows Server 2012 and Windows 8 operating systems include two new features to reduce the disk space that is required, and to manage physical disks effectively: Data deduplication, and Storage Spaces. This module provides an overview of these features, and explains the steps required to configure them.

In addition to minimizing disk space, another storage concern is the connection between the storage and the remote disks. Internet SCSI (iSCSI) storage in Windows Server 2012 is a cost-effective feature that helps create a connection between the servers and the storage. To implement iSCSI storage in Windows Server 2012, you must be familiar with the iSCSI architecture and components. In addition, you must be familiar with the tools that are provided in Windows Server to implement iSCSI-based storage.

In organizations with branch offices, you have to consider slow links and how to use these links efficiently when sending data between your offices. The Windows BranchCache feature in Windows Server 2012 helps address the problem of slow connectivity. This module explains the BranchCache feature, and the steps to configure it.

Objectives
After completing this module, you will be able to:

- Configure iSCSI storage.
- Configure BranchCache.
- Optimize storage usage.
- Implement advanced file services.

Lesson 1

Configuring iSCSI Storage

iSCSI storage is an inexpensive and simple way to configure a connection to remote disks. Many application requirements dictate that remote storage connections must be redundant in nature for fault tolerance or high availability. In addition, many companies already have fault tolerant networks, in which the networks are cheap to keep redundant as opposed to using storage area networks (SANs). In this lesson, you will learn how to create a connection between servers and iSCSI storage. You will perform these tasks by using IP-based iSCSI storage. You will also learn how to create both single and redundant connections to an iSCSI target. You will practice this by using the iSCSI initiator software that is available in Windows Server 2012.

Lesson Objectives

After completing this lesson, you will be able to:

- Describe iSCSI and its components.
- Describe the iSCSI target server and the iSCSI initiator.
- Describe options for implementing high availability for iSCSI.
- Describe iSCSI security options.
- Configure the iSCSI target.
- Connect to iSCSI storage.
- Describe considerations for implementing the iSCSI storage solution.

What Is iSCSI?

iSCSI is a protocol that supports access to remote, SCSI-based storage devices over a TCP/IP network. iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets, and to manage storage over long distances. You can use iSCSI to transmit data over local area networks (LANs), wide area networks (WANs), or even over the Internet.

iSCSI relies on standard Ethernet networking architecture. Specialized hardware such as host bus adapters (HBA) or network switches are optional. iSCSI uses TCP/IP (typically, TCP port 3260). This means that iSCSI simply enables two hosts to negotiate tasks (for example, session establishment, flow control, and packet size), and then exchange SCSI commands by using an existing Ethernet network. By doing this, iSCSI uses a popular, high performance, local storage bus subsystem architecture, and emulates it over LANs and WANs, creating a SAN. Unlike some SAN technologies, iSCSI requires no specialized cabling. You can run it over the existing switching and IP infrastructure. However, you can increase the performance of an iSCSI SAN deployment by operating it on a dedicated network or subnet, as best practices recommend.

Note: Although you can use a standard Ethernet network adapter to connect the server to the iSCSI storage device, you can also use dedicated iSCSI HBAs.


An iSCSI SAN deployment includes the following:

- TCP/IP network. You can use standard network interface adapters and standard Ethernet protocol network switches to connect the servers to the storage device. To provide sufficient performance, the network should provide speeds of at least 1 gigabit per second (Gbps), and should provide multiple paths to the iSCSI target. As a best practice, use a dedicated physical and logical network to achieve fast, reliable throughput.
- iSCSI targets. This is another method of gaining access to storage. iSCSI targets present or advertise storage, similar to controllers for hard disk drives of locally attached storage. However, this storage is accessed over a network, instead of locally. Many storage vendors implement hardware-level iSCSI targets as part of their storage devices' hardware. Other devices or appliances, such as Windows Storage Server 2012 devices, implement iSCSI targets by using a software driver together with at least one Ethernet adapter. Windows Server 2012 provides the iSCSI target server, which is effectively a driver for the iSCSI protocol, as a role service.
- iSCSI initiators. The iSCSI target displays storage to the iSCSI initiator (also known as the client), which acts as a local disk controller for the remote disks. All versions of Windows Server starting from Windows Server 2008 include the iSCSI initiator, and can connect to iSCSI targets.
- iSCSI Qualified Name (IQN). IQNs are unique identifiers that are used to address initiators and targets on an iSCSI network. When you configure an iSCSI target, you must configure the IQN for the iSCSI initiators that will be connecting to the target. iSCSI initiators also use IQNs to connect to the iSCSI targets. However, if name resolution on the iSCSI network is a possible issue, iSCSI endpoints (both target and initiator) can always be identified by their IP addresses.

Question: Can you use your organization's internal TCP/IP network to provide iSCSI?

iSCSI Target Server and iSCSI Initiator

The iSCSI target server and the iSCSI initiator are described below.

iSCSI Target Server

The iSCSI target server role service provides for software-based and hardware-independent iSCSI disk subsystems. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You can then use Server Manager to manage these iSCSI targets and virtual disks. The iSCSI target server included in Windows Server 2012 provides the following functionality:

- Network/diskless boot. By using boot-capable network adapters or a software loader, you can use iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to 90 percent of the storage space for the operating system images. This is ideal for large deployments of identical operating system images, such as a Hyper-V server farm, or high-performance computing (HPC) clusters.
- Server application storage. Some applications such as Hyper-V and Microsoft Exchange Server require block storage. The iSCSI target server can provide these applications with continuously available block storage. Because the storage is remotely accessible, it can also combine block storage for central or branch office locations.


- Heterogeneous storage. iSCSI target server supports iSCSI initiators that are not based on the Windows operating system, so you can share storage on Windows servers in mixed environments.
- Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to be network-accessible block storage devices. This is useful in situations in which you want to test applications before deploying them on SAN storage.

iSCSI target servers that provide block storage utilize your existing Ethernet network; no additional hardware is required. If high availability is an important criterion, consider setting up a high availability cluster. With a high availability cluster, you will need shared storage for the cluster, either hardware Fibre Channel storage, or a Serial Attached SCSI (SAS) storage array. The iSCSI target server integrates directly into the failover cluster feature as a cluster role.

iSCSI Initiator

The iSCSI initiator service has been a standard component installed by default since Windows Server 2008 and Windows Vista. To connect your computer to an iSCSI target, you simply start the Microsoft iSCSI Initiator Service and configure it. The new features in Windows Server 2012 include:

- Authentication. You can enable Challenge Handshake Authentication Protocol (CHAP) to authenticate initiator connections, or you can enable reverse CHAP to allow the initiator to authenticate the iSCSI target.
- Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.

Additional Reading: For more information about the introduction of iSCSI targets in Windows Server 2012, refer to: http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012.aspx

Question: When would you consider implementing diskless booting from iSCSI targets?

Options for Implementing High Availability for iSCSI

In addition to configuring the basic iSCSI target server and iSCSI initiator settings, you can integrate these services into more advanced configurations.

Configuring iSCSI for High Availability

Creating a single connection to iSCSI storage makes that storage available. However, it does not make that storage highly available. Losing the connection results in the server losing access to its storage. Therefore, most iSCSI storage connections are made redundant through one of two high availability technologies: Multiple Connection Session (MCS) and Multipath I/O (MPIO).

Although similar in the results they achieve, these two technologies use different approaches to achieve high availability for iSCSI storage connections.


MCS M is a feature e of the iSCSI protocol p that: Enables mu ultiple TCP/IP connections c from the initiato or to the targe et for the same e iSCSI session.

Supports au utomatic failov ver. If a failure e occurs, all ou tstanding iSCS SI commands a are reassigned d to another connection automatically.

Requires ex xplicit support by iSCSI SAN devices, altho ugh the Wind ows Server 2012 iSCSI target server role suppor rts it.

MPIO M provides redundancy differently. MPI IO:

If you have have multiple e network interface cards (N ICs) in your iSC CSI initiator an nd iSCSI target t server, you can use e MPIO to pro ovide failover redundancy du uring network outages. Requires a device-specific c module (DSM M) if you want t to connect to o a third-party SAN device th hat is connected to the iSCSI in cludes a defau nitiator. The Windows operat ting system inc ult MPIO DSM that is installed as the MPIO feature within Server Manager.. Is widely su upported. Man ny SANs can us se the default DSM without any additional software, while others requ uire a specialized DSM from the manufactu urer. Is more com mplex to configure, and is no ot as fully auto omated during g failover as M MCS.

iS SCSI Secur rity Option ns


Be ecause iSCSI is s a protocol that provides ac ccess to st torage devices over a TCP/IP P network, it is crucial th hat you secure your iSCSI sol lution to prote ect it from malicious users or attack ks. You can mitigate ris sks to your iSC CSI solution by y providing sec curity at va arious infrastru ucture layers. The T term defen nse-inde epth is often used to describ be the use of multiple m se ecurity technologies at differ rent points th hroughout you ur organization n. Defense-in-Dep pth security str rategy includes s:

Policies, pro ocedures, and awareness. As sa security bes st practice, sec curity policy measures need n to operat te within the co ontext of orga anizational pol licies. For exam mple, consider enforcing a strong user password p policy throughout the organizati ion, but having g an even stro onger administrat tor password policy p for accessing iSCSI sto orage devices a and computers that have iSC CSI manageme ent software installed.

Physical sec curity. If any unauthorized person p can gain n physical acce ess to iSCSI sto orage devices or a computer on o your netwo ork, then most other security y measures are e not useful. Yo ou must ensure e that iSCSI storag ge devices, the e computers th hat manage th hem, and the servers to which they are con nnected are physically secure, and d that access is s granted to au uthorized pers sonnel only. Perimeter. Perimeter netw works mark the boundary be etween public and private networks. Provi iding firewalls and reverse prox xy servers in th he perimeter n network enable es you to prov vide more secu ure corporate services s across the public net twork, and to prevent possib ble attacks on the iSCSI stora age devices from m the Internet t.

Networks. Once you connect iSCSI storage devices to a network, they are susceptible to a number of threats. These threats include eavesdropping, spoofing, denial of service, and replay attacks. You should use authentication such as CHAP to protect communication between iSCSI initiators and iSCSI targets. You might also consider implementing Internet Protocol security (IPsec) for encrypting the traffic between iSCSI initiators and iSCSI targets. Isolating iSCSI traffic to its own virtual LAN (VLAN) also strengthens security by not allowing malicious users that are connected on the corporate VLAN network to attack iSCSI storage devices that are connected to a different VLAN. You should also protect network equipment such as routers and switches that are used by iSCSI storage devices from unauthorized access.

Host. The next layer of defense is the protection layer for the host computers that are connected to iSCSI storage devices. You must maintain secure computers by using the latest security updates. You should consistently use the Windows Update feature in Windows operating systems to keep your operating system up-to-date. You also have to configure security policies such as password complexity, configure the host firewall, and install antivirus software.

Application. Applications are only as secure as their latest security update. For applications that run on your servers but do not integrate with Windows Update, you should regularly check for security updates issued by the application vendor. You should also update the iSCSI management software according to vendor recommendations and best practices.

Data. This is the final layer of security. To help protect your network, ensure that you are using file user permissions properly. Do this by using BitLocker, Access Control Lists (ACLs), implementing the encryption of confidential data with Encrypting File System (EFS), and performing regular backups of data.

Demonstration: Configuring an iSCSI Target


In this demonstration, you will see how to:

Add the iSCSI target server role service.

Create two iSCSI virtual disks and an iSCSI target.

Demonstration Steps

Add the iSCSI Target Server Role Service

1. On LON-DC1, open Server Manager.

2. In the Add Roles and Features Wizard, install the following roles and features to the local server, and accept the default values:
o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Create two iSCSI virtual disks and an iSCSI target

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.

2. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk. Create a virtual disk with the following settings:
o Name: iSCSIDisk1
o Disk size: 5 GB
o iSCSI target: New
o Target name: LON-SVR2
o Access servers: 172.16.0.22

3. On the View results page, wait until creation completes, and then close the View Results page.


4. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list, click New iSCSI Virtual Disk. Create a virtual disk that has these settings:
o Name: iSCSIDisk2
o Disk size: 5 GB
o iSCSI target: LON-SVR2

5. On the View results page, wait until creation completes, and then close the View Results page.

Demonstration: Connecting to the iSCSI Storage

In this demonstration, you will see how to:

Connect to the iSCSI target

Verify the presence of the iSCSI drive

Demonstration Steps

Connect to the iSCSI target

1. Log on to LON-SVR2 with the user name Adatum\Administrator and the password Pa$$w0rd.

2. Open Server Manager, and on the Tools menu, open iSCSI Initiator.

3. In the iSCSI Initiator Properties dialog box, configure the following:
o Quick Connect: LON-DC1
o Discover targets: iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target

Verify the presence of the iSCSI drive

1. In Server Manager, on the Tools menu, open Computer Management.

2. In the Computer Management console, under the Storage node, access Disk Management. Notice that the new disks are added. However, they are all currently offline and not formatted.

3. Close the Computer Management console.
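The two iSCSI demonstrations above, scripted as an added example with the iSCSITarget, iSCSI and Storage PowerShell modules of Windows Server 2012 (this is not code from the course manual). It also applies the CHAP recommendation from the iSCSI Security Options topic; the host names, initiator address and IQN come from the demonstrations, while the VHD folder and the CHAP user name and secret are constructed placeholders.

```powershell
# Added example (not from the course manual): the two iSCSI demonstrations above,
# scripted with the iSCSITarget, iSCSI and Storage modules that ship with
# Windows Server 2012, plus one-way CHAP from the "iSCSI Security Options" topic.
# From the demonstrations: LON-DC1, LON-SVR2, initiator 172.16.0.22 and the IQN.
# Constructed for this example: the VHD folder and the CHAP user name/secret.

# ---------- Part 1: run on the iSCSI target server (LON-DC1) ----------
function New-DemoIscsiTarget {
    param(
        [string]$TargetName  = 'LON-SVR2',
        [string]$InitiatorIP = '172.16.0.22',
        [string]$VhdFolder   = 'C:\iSCSIVirtualDisks',   # constructed path
        [pscredential]$ChapCredential                    # 12-16 character secret
    )
    # Add the iSCSI Target Server role service (wizard step 2).
    Install-WindowsFeature -Name FS-iSCSITarget-Server | Out-Null
    New-Item -ItemType Directory -Path $VhdFolder -Force | Out-Null

    # "Access servers: 172.16.0.22": only this initiator may see the target.
    New-IscsiServerTarget -TargetName $TargetName `
        -InitiatorIds @("IPAddress:$InitiatorIP") | Out-Null

    # Two 5 GB virtual disks mapped to the target (iSCSIDisk1, iSCSIDisk2).
    # Path and size are passed positionally because the size parameter name
    # differs between Windows Server 2012 and 2012 R2.
    foreach ($name in 'iSCSIDisk1', 'iSCSIDisk2') {
        $path = Join-Path $VhdFolder "$name.vhd"
        New-IscsiVirtualDisk $path 5GB | Out-Null
        Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $path
    }

    # Security topic: an IP-based access list can be spoofed, so also require the
    # initiator to authenticate with CHAP before it can log on to the target.
    if ($ChapCredential) {
        Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $ChapCredential
    }
    Get-IscsiServerTarget -TargetName $TargetName
}

# ---------- Part 2: run on the initiator (LON-SVR2) ----------
function Connect-DemoIscsiTarget {
    param(
        [string]$TargetPortal = 'LON-DC1',
        [string]$Iqn = 'iqn.1991-05.com.microsoft:lon-dc1-lon-svr2-target',
        [pscredential]$ChapCredential
    )
    # The Microsoft iSCSI Initiator service is stopped by default on servers.
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI

    # "Quick Connect: LON-DC1" discovers the targets the portal exposes to us.
    New-IscsiTargetPortal -TargetPortalAddress $TargetPortal | Out-Null

    # Log on; -IsPersistent re-establishes the session after a reboot.
    $connect = @{ NodeAddress = $Iqn; IsPersistent = $true }
    if ($ChapCredential) {
        $connect.AuthenticationType = 'ONEWAYCHAP'
        $connect.ChapUsername       = $ChapCredential.UserName
        $connect.ChapSecret         = $ChapCredential.GetNetworkCredential().Password
    }
    Connect-IscsiTarget @connect | Out-Null

    # "Verify the presence of the iSCSI drive": the new disks arrive offline and
    # uninitialized, exactly as Disk Management shows in the demonstration.
    Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
        Select-Object Number, FriendlyName, Size, OperationalStatus, PartitionStyle
}

# Usage (LON-DC1):  $chap = Get-Credential -Message 'CHAP user and 12-16 char secret'
#                   New-DemoIscsiTarget -ChapCredential $chap
# Usage (LON-SVR2): Connect-DemoIscsiTarget -ChapCredential $chap
```

The same CHAP credential object must be supplied on both sides; the initiator sends the secret to the portal address, so run this over a dedicated iSCSI VLAN or IPsec as the security topic recommends.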

Considerations for Implementing iSCSI Storage

When designing your iSCSI storage solution, consider the following best practices:

Deploy the iSCSI solution on at least 1 Gbps networks.

High availability design for network infrastructure is crucial because data from servers to iSCSI storage is transferred through network devices and components. (High availability considerations were explained earlier in this module.)

Design an appropriate security strategy for the iSCSI storage solution. (Security considerations and recommendations were explained earlier in this module.)


Read the vendor-specific best practices for the different types of deployments and applications that will use the iSCSI storage solution, such as Exchange Server and Microsoft SQL Server.

IT personnel who will be designing, configuring, and administering the iSCSI storage solution must include IT administrators from different areas of specialization, such as Windows Server 2012 administrators, network administrators, storage administrators, and security administrators. This is necessary so that the iSCSI storage solution has optimal performance and security, and has consistent management and operations procedures.

When designing an iSCSI storage solution, the design team should also include application-specific administrators, such as Exchange Server administrators and SQL server administrators, so that you can implement the optimal configuration for the specific technology or solution.


Lesson 2

Configuring BranchCache

Branch offices have unique management challenges. A branch office typically has slow connectivity to the enterprise network and limited infrastructure for securing servers. Also, you need to back up data that you maintain in your remote branch offices, which is why organizations prefer to centralize data where possible. Therefore, the challenge is being able to provide efficient access to network resources for users in branch offices. BranchCache helps you overcome these problems by caching files so they do not have to be transferred repeatedly over the network.

Lesson Objectives

After completing this lesson, you will be able to:

Describe how BranchCache works.

Describe BranchCache requirements.

Explain how to configure BranchCache server settings.

Explain how to configure BranchCache client settings.

Explain how to configure BranchCache.

Explain how to monitor BranchCache.

How Does BranchCache Work?

The BranchCache feature introduced with Windows Server 2008 R2 and Windows 7 reduces the network use on WAN connections between branch offices and headquarters by locally caching frequently used files on computers in the branch office. BranchCache improves the performance of applications that use one of the following protocols:

HTTP or HTTPS protocols. These protocols are used by web browsers and other applications.

Server message block (SMB), including signed SMB traffic. This protocol is used for accessing shared folders.

Background Intelligent Transfer Service (BITS). A Windows component that distributes content from a server to clients by using only idle network bandwidth. BITS is also a component used by System Center Configuration Manager.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a passive cache, it will not increase WAN use. BranchCache only caches the read requests, and will not interfere when a user saves a file.

BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 or Windows 8 to client computers, and by deploying Windows Server 2008 R2 and Windows Server 2012 to servers, and then enabling the BranchCache feature.


BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL), SMB Signing, and end-to-end IPsec. You can use BranchCache to reduce network bandwidth use and to improve application performance, even if the content is encrypted. You can configure BranchCache to use hosted cache mode or distributed cache mode:

Hosted cache. This mode operates by deploying a computer that is running Windows Server 2008 R2 or a newer version as a hosted cache server in the branch office. Client computers locate the hosted cache server so that they can retrieve content from the hosted cache when it is available. If the content is not available in the hosted cache, the content is retrieved from the content server by using a WAN link and then provided to the hosted cache so that successive client requests can get it from there.

Distributed cache. For smaller remote offices, you can configure BranchCache in the distributed cache mode without requiring a server. In this mode, local client computers running Windows 7 or Windows 8 maintain a copy of the content and make it available to other authorized clients that request the same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted Cache mode, this configuration works per subnet only. In addition, clients who hibernate or disconnect from the network cannot provide content to other requesting clients.

Note: When using BranchCache, you may use both modes in your organization, but you can configure only one mode per branch office.

BranchCache functionality in Windows Server 2012 has improved in the following ways:

BranchCache allows for more than one hosted cache server per location to allow for scale.

A new underlying database uses the Extensible Storage Engine (ESE) database technology from Exchange Server. This enables a hosted cache server to store significantly more data (even up to terabytes).

A simpler deployment means that you do not need a Group Policy Object (GPO) for each location. To deploy BranchCache, you only need a single GPO that contains the settings. This also enables clients to switch between hosted cache mode and distributed mode when they are traveling between locations without the need to use site-specific GPOs, which should be avoided in multiple scenarios.

How Client Computers Retrieve Data by Using BranchCache


When BranchCache is enabled on a client computer and a server, the client computer performs the following process to retrieve data when using the HTTP, HTTPS, or SMB protocol:

1. The client computer that is running Windows 8 connects to a content server that is running Windows Server 2012 in the head office, and requests content similar to how it would retrieve content without using BranchCache.

2. The content server in the head office authenticates the user and verifies that the user is authorized to access the data.

3. Instead of sending the content itself, the content server in the head office returns identifiers or hashes of the requested content to the client computer. The content server sends that data over the same connection that the content would have typically been sent.

4. Using the retrieved identifiers, the client computer does the following:
o If you configure it to use distributed cache, the client computer multicasts on the local subnet to find other client computers that have already downloaded the content.
o If you configure it to use hosted cache, the client computer searches for the content on the configured hosted cache.


5. If the content is available in the branch office, either on one or more clients or on the hosted cache, the client computer retrieves the data from the branch office. The client computer also ensures that the data is updated and has not been tampered with or corrupted.

6. If the content is not available in the remote office, then the client computer retrieves the content directly from the server across the WAN link. The client computer then either makes it available on the local network to other requesting client computers (distributed cache mode) or sends it to the hosted cache, where it is made available to other client computers.

BranchCache Requirements

BranchCache optimizes traffic flow between head offices and branch offices. Windows Server 2008 R2, Windows Server 2012, and client computers running Windows 7 and Windows 8 can benefit from using BranchCache. (Earlier versions of Windows operating systems do not benefit from this feature.) You can use BranchCache to cache only the content that is stored on file servers or web servers that are running Windows Server 2008 R2 or Windows Server 2012.

Requirements for Using BranchCache

To use BranchCache for file services, you must perform the following tasks:

Install the BranchCache feature or the BranchCache for Network Files role service on the host server that is running Windows Server 2012.

Configure client computers either by using Group Policy or the netsh branchcache set service command.

If you want to use BranchCache to cache content from the file server, you must perform the following tasks:

Install the BranchCache for Network Files role service on the file server.

Configure hash publication for BranchCache.

Create BranchCache-enabled file shares.

If you want to use BranchCache for caching content from the web server, you must install the BranchCache feature on the web server. You do not need additional configuration.

BranchCache is supported on the full installation and Server Core installation of Windows Server 2012. By default, BranchCache is not installed on Windows Server 2012.

Requirements for Distributed Cache Mode and Hosted Cache Mode

In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can use a multicast protocol called WS-Discovery to search locally for the computer that has already downloaded and cached the content. You should configure the client firewall to enable incoming traffic for HTTP and WS-Discovery.

Clients will, however, also search for a hosted cache server, and if one is discovered, they automatically self-configure as hosted cache mode clients. In the Hosted Cache mode, the client computers automatically self-configure as hosted cache mode clients, and they will search for the host server so that they can retrieve content from the Hosted Cache. Furthermore, you can use Group Policy so that you can use the FQDN of the hosted cache servers or enable automatic Hosted Cache discovery by Service Connection Points (SCPs). You must configure a firewall to enable incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers and the computer that is hosting the cached data.

Configuring BranchCache Server Settings

You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS. You can also use BranchCache to cache shared folder content, which is delivered by the SMB protocol. The following table lists the servers that you can configure for BranchCache.

Server: Web server or BITS server
Description: To configure a Windows Server 2012 web server or an application server that uses the BITS protocol, install the BranchCache feature. Ensure that the BranchCache service has started. Then, configure clients who will use the BranchCache feature. No additional web server configuration is required.

Server: File server
Description: You must install the BranchCache for Network Files role service of the File Services server role before you enable BranchCache for any file shares. After you install the BranchCache for Network Files role service, use Group Policy to enable BranchCache on the server. You must then configure each file share to enable BranchCache.

Server: Hosted cache server
Description: For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2012 server that you are configuring as a Hosted Cache server. To help secure communication, client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. By default, BranchCache allocates five percent of the disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh tool by running the netsh branchcache set cachesize command.


Configuring BranchCache Client Settings

You do not have to install the BranchCache feature on client computers, because BranchCache is already included if the client is running Windows 7 or Windows 8. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you must perform the following steps:

1. Enable BranchCache.

2. Enable the Distributed Cache mode or the Hosted Cache mode. Windows 8 clients can use either mode dynamically.

3. Configure the client firewall to enable BranchCache protocols.

Enabling BranchCache

You can enable the BranchCache feature on client computers by using Group Policy, or by using the netsh branchcache set service command.

To enable BranchCache settings by using Group Policy, perform the following steps for a domain-based GPO:

1. Open the Group Policy Management Console.

2. Create a GPO that will be linked to the organizational unit where client computers are located.

3. In the GPO, browse to Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, Network, and then click BranchCache.

4. Enable the Turn on BranchCache setting in the GPO.

Enabling the Distributed Cache Mode or Hosted Cache Mode

You can configure the BranchCache mode on client computers by using Group Policy, or by using the netsh branchcache set service command.

To configure the BranchCache mode by using Group Policy, perform the following steps for a domain-based GPO:

1. Open the Group Policy Management Console.

2. Create a GPO that will be linked to the organizational unit where client computers are located.

3. In the GPO, browse to Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, Network, and then click BranchCache.

4. Choose either the Distributed Cache or the Hosted Cache mode. You may also enable both the Distributed Cache mode and Automatic Hosted Cache Discovery by Service Connection Point policy settings. The client computers will operate in distributed cache mode unless they find a hosted cache server in the branch office. If they find a hosted cache server in the branch office, they will work in hosted cache mode.


To configure BranchCache settings by using the netsh branchcache set service command, open a command-line interface window, and perform the following steps:

1. Use the following netsh syntax for the Distributed Cache mode:

netsh branchcache set service mode=distributed

2. Use the following netsh syntax for the hosted mode:

netsh branchcache set service mode=hostedclient location=<Hosted Cache server>

Configuring the Client Firewall to Enable BranchCache Protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, and the WS-Discovery protocol for cached content discovery. You should configure the client firewall to enable the following incoming rules:

BranchCache - Content Retrieval (Uses HTTP)

BranchCache - Peer Discovery (Uses WSDiscovery)

In Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but this mode does not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to enable the incoming rule BranchCache - Content Retrieval (Uses HTTP).

Additional Configuration Tasks for BranchCache

After you configure BranchCache, clients can access the cached data in BranchCache-enabled content servers, which are available locally in the branch office. You can modify BranchCache settings and perform additional configuration tasks, such as:

Setting the cache size.

Setting the location of the Hosted Cache server.

Clearing the cache.

Creating and replicating a shared key for use in a server cluster.
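An added example (not code from the course manual) that performs the client-side steps above with the BranchCache and NetSecurity PowerShell modules of Windows 8 and Windows Server 2012 instead of netsh: mode selection, the firewall rules, the cache size, clearing the cache, and the shared key. The hosted cache server name and the 10 percent cache size are constructed placeholders.

```powershell
# Added example (not from the course manual): the client-side configuration in
# the preceding steps (mode selection, firewall rules, cache size, cache clearing
# and the shared key) using the BranchCache and NetSecurity modules of Windows 8
# and Windows Server 2012 instead of netsh. The hosted cache server name and the
# 10 percent cache size are constructed placeholders.

function Set-DemoBranchCacheClient {
    param(
        [Parameter(Mandatory)] [ValidateSet('Distributed', 'HostedClient')] [string]$Mode,
        [string[]]$HostedCacheServers = @('LON-SVR1.adatum.com'),   # placeholder
        [int]$CachePercent = 10                                     # default is 5
    )
    switch ($Mode) {
        # netsh branchcache set service mode=distributed
        'Distributed'  { Enable-BCDistributed }
        # netsh branchcache set service mode=hostedclient location=<server>
        'HostedClient' { Enable-BCHostedClient -ServerNames $HostedCacheServers }
    }
    # Equivalent of netsh branchcache set cachesize (percentage of the active partition).
    Set-BCCache -Percentage $CachePercent

    # Inbound rules from "Configuring the Client Firewall": content retrieval is
    # needed in both modes, WS-Discovery only in distributed mode. Wildcards are
    # used because the display-group suffix differs slightly between builds.
    $groups = @('BranchCache - Content Retrieval*')
    if ($Mode -eq 'Distributed') { $groups += 'BranchCache - Peer Discovery*' }
    foreach ($g in $groups) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound | Enable-NetFirewallRule
    }
    Get-BCStatus
}

function Reset-DemoBranchCacheClient {
    # "Clearing the cache": drop every cached block and its hashes on this client.
    Clear-BCCache -Force
}

function Copy-DemoBranchCacheSecretKey {
    # "Creating and replicating a shared key": content servers behind one load-
    # balanced name must sign hashes with the same key, so export it once and
    # import it on every member. The passphrase protects the exported file.
    param(
        [Parameter(Mandatory)] [string]$KeyFile,
        [Parameter(Mandatory)] [string]$Passphrase,
        [switch]$Import
    )
    if ($Import) { Import-BCSecretKey -Filename $KeyFile -FilePassphrase $Passphrase }
    else         { Export-BCSecretKey -Filename $KeyFile -FilePassphrase $Passphrase }
}

# Usage: Set-DemoBranchCacheClient -Mode Distributed
#        Set-DemoBranchCacheClient -Mode HostedClient -HostedCacheServers 'LON-SVR1.adatum.com'
```

Treat the exported key file like a credential: it is what lets a server publish hashes that clients will accept, so move it over an authenticated channel and delete it after import.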

Demonstration: Configuring BranchCache


In this demonstration, you will see how to:

Add the BranchCache for Network Files role service.

Configure BranchCache in the Local Group Policy Editor.

Enable BranchCache for a file share.

Demonstration Steps

Add the BranchCache for Network Files role service

1. Log on to LON-DC1 and open Server Manager.

2. In the Add Roles and Features Wizard, install the following roles and features to the local server:
o File And Storage Services (Installed)\File and iSCSI Services\BranchCache for Network Files


Enable BranchCache for the server

1. On the Start screen, type gpedit.msc, and then press Enter.

2. Browse to Computer Configuration\Administrative Templates\Network\Lanman Server, and do the following:
o Enable Hash Publication for BranchCache
o Select Allow hash publication only for shared folders on which BranchCache is enabled

Enable BranchCache for a file share

1. Open Windows Explorer, and on drive C, create a folder named Share\.

2. Configure the Share folder properties as follows:
o Enable Share this folder
o Check Enable BranchCache in Offline Settings
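The file-server and hosted-cache-server rows of the server settings table and the demonstration above, as an added example (not the manual's own code) using the ServerManager, SmbShare and BranchCache modules of Windows Server 2012. The share name and path come from the demonstration; the registry value that the Hash Publication policy writes is an assumption called out in the comments.

```powershell
# Added example (not from the course manual): the file-server side of BranchCache
# from the "Configuring BranchCache Server Settings" table and the demonstration
# above, using the ServerManager, SmbShare and BranchCache modules of Windows
# Server 2012. Share name and path come from the demonstration; the registry
# value mapping for hash publication is an assumption noted in the comments.

function Enable-DemoBranchCacheFileServer {
    param(
        [string]$ShareName = 'Share',
        [string]$Path      = 'C:\Share'
    )
    # "BranchCache for Network Files" role service.
    Install-WindowsFeature -Name FS-BranchCache | Out-Null

    # Hash Publication for BranchCache (Computer Configuration\Administrative
    # Templates\Network\Lanman Server). The policy stores a DWORD under the
    # LanmanServer policy key; the value 2 is assumed here to mean "allow hash
    # publication only for shared folders on which BranchCache is enabled".
    # Confirm the mapping against the policy's option list in gpedit.msc on
    # your build before relying on it.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name HashPublicationForPeerCaching -Value 2 -Type DWord

    # Create the share with "Enable BranchCache" in Offline Settings
    # (CachingMode BranchCache is that check box).
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -CachingMode BranchCache | Out-Null
    } else {
        Set-SmbShare -Name $ShareName -CachingMode BranchCache -Force
    }
    Get-SmbShare -Name $ShareName | Select-Object Name, Path, CachingMode
}

function Enable-DemoBranchCacheHostedServer {
    # Hosted cache server row of the table: add the BranchCache feature, then
    # register a Service Connection Point in AD DS so clients in the branch can
    # discover the server automatically instead of needing its FQDN in a GPO.
    Install-WindowsFeature -Name BranchCache | Out-Null
    Enable-BCHostedServer -RegisterSCP
    Get-BCStatus
}
```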

Monitoring BranchCache

After the initial configuration, you want to verify that BranchCache is configured correctly and functioning correctly. You can use the netsh branchcache show status all command to display the BranchCache service status. The client and Hosted Cache servers display additional information, such as the location of the local cache, the size of the local cache, and the status of the firewall rules for the HTTP and WS-Discovery protocols that BranchCache uses. You can also use the following tools to monitor BranchCache:

Event Viewer. Use this tool to monitor BranchCache events reported in the Application log located in the Windows Logs folder, and in the Operational Log located in the Application and Service Logs\Microsoft\Windows\BranchCache folder.

Performance counters. Use this tool to monitor BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use BranchCache performance monitoring to determine the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode.

If you have implemented Microsoft System Center Operations Manager 2012 in the environment, you can use the Windows BranchCache Management Pack for Operations Manager 2012.
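A health check that combines the three monitoring sources named above (service status, the BranchCache Operational event log, and the performance counters), added here as an example that is not from the course manual. It uses the BranchCache module of Windows 8 and Windows Server 2012; the two counter names used for the savings calculation are assumed from the BranchCache counter set.

```powershell
# Added example (not from the course manual): a health check built from the three
# monitoring sources named above - Get-BCStatus (same data as netsh branchcache
# show status all), the BranchCache Operational event log and the BranchCache
# performance counters. The counter names matched below for the savings
# calculation are assumed from the BranchCache counter set.

function Get-DemoBranchCacheHealth {
    param([int]$RecentEvents = 20, [int]$LookbackHours = 24)

    # 1. Service and configuration status.
    $status = Get-BCStatus

    # 2. Operational log: Applications and Services Logs\Microsoft\Windows\BranchCache.
    $events = Get-WinEvent -MaxEvents $RecentEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BranchCache/Operational'
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    $errors = @($events | Where-Object { $_.Level -le 2 })   # 1 = Critical, 2 = Error

    # 3. Performance counters: bandwidth savings = bytes served from the local
    #    cache relative to everything retrieved (cache + server).
    $savings = $null
    $set = Get-Counter -ListSet 'BranchCache' -ErrorAction SilentlyContinue
    if ($set) {
        $samples = (Get-Counter -Counter $set.Paths -ErrorAction SilentlyContinue).CounterSamples
        $fromCache  = [double]($samples | Where-Object { $_.Path -like '*Bytes from cache*' } |
                               Measure-Object -Property CookedValue -Sum).Sum
        $fromServer = [double]($samples | Where-Object { $_.Path -like '*Bytes from server*' } |
                               Measure-Object -Property CookedValue -Sum).Sum
        if (($fromCache + $fromServer) -gt 0) {
            $savings = [math]::Round(100 * $fromCache / ($fromCache + $fromServer), 1)
        }
    }

    [pscustomobject]@{
        ServiceStatus       = $status.BranchCacheServiceStatus
        RecentErrorEvents   = $errors.Count
        LastError           = if ($errors) { $errors[0].Message } else { $null }
        BandwidthSavingsPct = $savings
        RawStatus           = $status     # full object for drill-down (cache path, firewall rules)
    }
}

# Usage: Get-DemoBranchCacheHealth | Format-List
```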


Lesson 3

Optimizing Storage Usage

Every organization stores data on different storage systems. As storage systems process more and more data at higher speeds, the demand for disk space for storing the data has increased. The large amount of files, folders, and information, and the way they are stored, organized, managed, and maintained, becomes a challenge for organizations. Furthermore, organizations must satisfy requirements for security, compliance, and data leakage prevention for company confidential information. Windows Server 2012 introduces many technologies that can help organizations respond to the challenges of managing, maintaining, securing, and optimizing data that is stored on different storage devices. The technologies include the File Server Resource Manager, file classification infrastructure, and Data deduplication, each of which provides new features as compared to Windows Server 2008 R2.

Lesson Objectives

After completing this lesson, you will be able to:

Describe the File Server Resource Manager.

Describe file classification.

Describe classification rules.

Explain how to configure file classification.

Describe storage optimization options in Windows Server 2012.

Explain how to configure Data deduplication.

What Is File Server Resource Manager?

You can use the File Server Resource Manager (FSRM) to manage and classify data that is stored on file servers. FSRM includes the following features:

File classification infrastructure. This feature automates the data classification process. You can dynamically apply access policies to files based on their classification. Example policies include Dynamic Access Control for restricting access to files, file encryption, and file expiration. You can classify files automatically by using file classification rules, or manually by modifying the properties of a selected file or folder. You can modify file properties automatically based on the application, type or content of the file, or by manually setting options on the server that will trigger file classification.

File management tasks. You can use this feature to apply a conditional policy or action to files, based on their classification. The conditions of a file management task include the file location, the classification properties, the date the file was created, the last modified date of the file, and the last time that the file was accessed. The actions that a file management task can take include the ability to expire files, encrypt files, and run a custom command.


Quota management. You can use this feature to limit the space that is allowed for a volume or folder. You can apply quotas automatically to new folders that are created on a volume. You can also define quota templates that you can apply to new volumes or folders.

File screening management. You can use this feature to control the types of files that users can store on a file server. You can limit the extensions that can be stored on your file shares. For example, you can create a file screen that disallows files with an .mp3 extension from being stored in personal shared folders on a file server.

Storage reports. You can use this feature to identify trends in disk usage, and identify how your data is classified. You can also monitor attempts by users to save unauthorized files.

You can configure and manage the FSRM by using the File Server Resource Manager Microsoft Management Console (MMC) snap-in, or by using the Windows PowerShell command-line interface. The following FSRM features are new with Windows Server 2012:

Integration with Dynamic Access Control. Dynamic Access Control can use a file classification infrastructure to help you centrally control and audit access to files on your file servers.

Manual classification. Manual classification enables users to classify files and folders manually without the need to create automatic classification rules.

Access Denied Assistance. You can use Access Denied Assistance to customize the access denied error message that displays for users in Windows 8 Consumer Preview when they do not have access to a file or a folder.

File management tasks. The updates to file management tasks include Active Directory Domain Services (AD DS) and Active Directory Rights Management Services (AD RMS) file management tasks, continuous file management tasks, and dynamic namespace for file management tasks.

Automatic classification. The updates to automatic classification increase the level of control you have over how data is classified on your file servers, including continuous classification, Windows PowerShell for custom classification, updates to the existing content classifier, and dynamic namespace for classification rules.

Additional Reading: For more information about FSRM, see: http://technet.microsoft.com/en-us/library/hh831746.aspx

Question: Are you currently using the FSRM in Windows Server 2008 R2? If yes, for what areas do you use it?


What Is File Classification?

File classifications enable administrators to configure automatic procedures for defining a desired property on a file, based on conditions specified in classification rules. For example, you can set the Confidentiality property to High on all documents whose content contains the word secret.

In Windows Server 2008 R2 and Windows Server 2012, classification management and file management tasks enable administrators to manage groups of files based on various file and folder attributes. You can automate file and folder maintenance tasks, such as cleaning up stale data, or protecting sensitive information. For this reason, file and folder maintenance tasks are more efficient as compared to maintaining the file system by navigating through its hierarchical view. Classification management is designed to ease the burden and management of data that is spread across the organization. You can classify files in a variety of ways. In most scenarios, classification is performed manually. The file classification infrastructure in Windows Server 2012 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification, and apply corporate requirements for managing data based on business value. You can use file classification to perform the following actions:

1. Define classification properties and values, which you can assign to files by running classification rules.

2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory, based on installed classification plug-ins.

3. When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values, or add the value to properties that support multiple values. You can also use classification rules to declassify files that no longer meet the classification criterion.

What Are Classification Rules?


The file classification infrastructure uses classification rules to scan files automatically, and then to classify them according to the contents of a file. You configure file classifications in the File Server Resource Manager console. Classification properties are defined centrally in AD DS so that these definitions can be shared across file servers within the organization. You can create classification rules that scan files for a standard string, or for a string that matches a pattern (regular expression). When a configured classification parameter is found in a file, that file is classified as configured in the classification rule.


When planning for file classifications, you should do the following:

1. Identify which classification or classifications you want to apply to documents.
2. Determine the method you want to use to identify documents for classification.
3. Determine the schedule for automatic classifications.
4. Establish a review of classification success.

After you have defined the classifications, you can plan the Dynamic Access Control implementation by defining conditional expressions that enable you to control access to highly confidential documents based on particular user attributes.

Demonstration: Configuring File Classification


In this demonstration, you will see how to:
o Create a classification property.
o Create a classification rule.

Demonstration Steps

Create a classification property

1. On LON-SVR1, the Server Manager console should open automatically. From Server Manager, start the File Server Resource Manager.
2. In File Server Resource Manager, create a local property with the following settings:
   o Name: Corporate Documentation
   o Property Type: Yes/No

Create a classification rule

3. In File Server Resource Manager, create a classification rule with the following settings:
   o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled.
   o Scope tab: E:\Labfiles\Corporate Documentation
   o Classification tab, Classification method: Folder Classifier
   o Property, Choose a property to assign to files: Corporate Documentation
   o Property, Specify a value: Yes
   o Evaluation type tab, Re-evaluate existing property values, and Aggregate the values.
4. Run the classification with all rules, and select Wait for classification to complete.
5. Review the Automatic classification report that displays in Windows Internet Explorer, and ensure that the report lists the same number of files classified as in the Corporate Documentation folder.
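The same demonstration carried out with the FileServerResourceManager Windows PowerShell module rather than the console, as an added example that is not part of the course material. It uses the property name, rule name and scope folder from the steps above; the closing count is an added check that replaces reading the DHTML report, and the -Description text is an assumption.

```powershell
# Added example: create the demonstration's classification property and rule with
# the FileServerResourceManager module instead of the FSRM console.
Import-Module FileServerResourceManager

$propertyName = "Corporate Documentation"
$scope        = "E:\Labfiles\Corporate Documentation"   # scope folder from the demonstration

# Step 2: a local Yes/No property (description text is an assumption).
New-FsrmClassificationPropertyDefinition -Name $propertyName -Type YesNo `
    -Description "Marks files that are approved corporate documentation"

# Step 3: a Folder Classifier rule that stamps Yes on everything under the scope.
# -ReevaluateProperty Aggregate matches "Re-evaluate existing property values" plus
# "Aggregate the values" on the Evaluation type tab.
New-FsrmClassificationRule -Name "Corporate Documents Rule" `
    -Property $propertyName -PropertyValue "Yes" `
    -Namespace @($scope) `
    -ClassificationMechanism "Folder Classifier" `
    -ReevaluateProperty Aggregate

# Step 4: run all enabled rules now and block until the pass has finished.
Start-FsrmClassification
Wait-FsrmClassification

# Step 5 (added check): count the files that now carry the property and compare the
# figure with the number of files in the folder, which is what the report shows.
$files = Get-ChildItem -Path $scope -File -Recurse
$classified = $files | Where-Object {
    $p = Get-FsrmFileProperty -Path $_.FullName -Name $propertyName -ErrorAction SilentlyContinue
    $p -and $p.Value -eq "Yes"
}
"{0} of {1} files under {2} are classified {3} = Yes" -f @($classified).Count, @($files).Count, $scope, $propertyName
```

Because the rule reads the property definition by name, the property must exist before the rule is created; if the definition is later changed to a global AD DS property, the rule keeps working as long as the name is unchanged.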


Options for Storage Optimization in Windows Server 2012


Windows Server 2012 includes new options for storage optimization that provide you with an efficient way to deploy, administer, and secure your storage solutions. Storage optimization features include:

o File access auditing. File access auditing in Windows Server 2012 creates an audit event whenever files are accessed by users. As compared to previous Windows Server versions, this audit event data contains additional information about the attributes of the file that was accessed.

o Features on Demand. Features on Demand enables you to save on disk space by allowing you to remove role and feature files from the operating system. If these roles and features need to be installed on the server, the installation files will be retrieved from remote locations, installation media, or Windows Update. You can remove feature files from both physical and virtual computers, Windows image (.wim) files, and offline virtual hard disks (VHDs).

o Data deduplication. Data deduplication identifies and removes duplications within data without compromising the integrity of the data. Data deduplication is highly scalable, resource efficient, and nonintrusive. It can run concurrently on large volumes of primary data without affecting other workloads on the server. Low impact on the server workloads is maintained by throttling the CPU and memory resources that are consumed. Using Data deduplication jobs, you can schedule when Data deduplication should run, specify the resources to deduplicate, and fine-tune file selection. When combined with BranchCache, the same optimization techniques are applied to data that is transferred over the WAN to a branch office. This results in faster file download times, and reduced bandwidth consumption.

o NFS Data Store. The Network File System (NFS) Data Store is the NFS server implementation in Windows Server 2012 operating systems. In Windows Server 2012, the NFS server supports high availability, which means that you can deploy the server in a failover clustering configuration. When a client connects to an NFS server in the failover cluster, and if that server fails, the NFS server will fail over to another node in the cluster, so that the client can still connect to the NFS server.
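Features on Demand as it is driven from Windows PowerShell, as an added example that is not part of the course material. The Server Manager cmdlets and the Removed install state are real; Web-Server is chosen only as an illustration of a role the server does not need, and the media path and VHD path are assumed locations.

```powershell
# Added example: Features on Demand with the ServerManager cmdlets.

# Which roles and features have had their payload removed from this server already?
# InstallState is Installed, Available, or Removed.
Get-WindowsFeature | Where-Object { $_.InstallState -eq "Removed" } |
    Select-Object Name, DisplayName

# Remove the installation files of a role the server does not need (Web-Server is an
# illustrative choice). Afterwards the role can no longer be installed from the local image,
# which also removes binaries that would otherwise sit unpatched on a server not using them.
Uninstall-WindowsFeature -Name Web-Server -Remove
(Get-WindowsFeature -Name Web-Server).InstallState     # Removed

# Reinstall later from installation media (assumed path) instead of Windows Update.
Install-WindowsFeature -Name Web-Server -Source "D:\sources\sxs"

# The same removal applied to an offline virtual hard disk (assumed path).
Uninstall-WindowsFeature -Name Web-Server -Remove -Vhd "C:\VMs\Server1.vhdx"
```

Removing a payload is reversible only if a source for it is reachable, so keep installation media or a configured Windows Update path available before removing features from servers in an isolated network.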

Demonstration: Configuring Data Deduplication

In this demonstration, you will see how to:
o Add the Data deduplication role service.
o Enable Data deduplication.

Demonstration Steps

Add the Data deduplication role service

1. Log on to LON-SVR1 as Adatum\Administrator using the password Pa$$w0rd.
2. Open Server Manager.


3. In the Add Roles and Features Wizard, install the following roles and features to the local server, and accept the default values:
   o File And Storage Services (Installed)\File and iSCSI Services\Data Deduplication

Enable Data deduplication

1. In Server Manager, in the navigation pane, click File and Storage Services, and then click Volumes.
2. In the Volumes pane, right-click E:, and select Configure Data Deduplication.
3. Configure Data deduplication with the following settings:
   o Enable Data deduplication: Enabled
   o Deduplicate files older than (in days): 3
   o Set Deduplication Schedule: Enable throughput optimization
   o Start time: current time
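The demonstration's settings expressed with the Deduplication module, as an added example that is not part of the course material. The role service name, the volume and the 3-day file age are the demonstration's; the schedule name and its four-hour duration are assumptions, and the DDPEval.exe call is the evaluation tool this module's Tools table lists, run before deduplication is enabled.

```powershell
# Added example: the data deduplication demonstration with the Deduplication module.

# "Add the Data deduplication role service", step 3.
Install-WindowsFeature -Name FS-Data-Deduplication
Import-Module Deduplication

$volume = "E:"

# Estimate the savings first with the evaluation tool shipped in System32.
& "$env:windir\System32\DDPEval.exe" "$volume\"

# "Enable Data deduplication: Enabled" and "Deduplicate files older than (in days): 3".
Enable-DedupVolume -Volume $volume
Set-DedupVolume -Volume $volume -MinimumFileAgeDays 3

# "Set Deduplication Schedule: Enable throughput optimization, Start time: current time".
# Schedule name and duration are assumptions; type and start time mirror the demonstration.
New-DedupSchedule -Name "ThroughputOptimization" -Type Optimization `
    -Start (Get-Date) -DurationHours 4 `
    -Days Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday

# Run one optimization job now, watch it, and then read the savings.
Start-DedupJob -Volume $volume -Type Optimization
Get-DedupJob -Volume $volume
Get-DedupStatus -Volume $volume |
    Select-Object Volume, SavedSpace, OptimizedFilesCount, InPolicyFilesCount
```

Get-DedupStatus reports nothing useful until the first optimization job has completed, so on a freshly enabled volume expect zero saved space until the job in the list from Get-DedupJob has finished.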


Lab A: Implementing Advanced File Services


Scenario

As A. Datum Corporation has expanded, the requirements for managing storage and shared file access have also expanded. Although the cost of storage has decreased significantly over the last few years, the amount of data produced by the A. Datum business groups has increased even faster. The organization is considering alternate ways to decrease the cost of storing data on the network, and is considering options for optimizing data access in the new branch offices. The organization would also like to ensure that data that is stored on the shared folders is limited to company data, and that it does not include unapproved file types.

As a senior server administrator at A. Datum, you are responsible for implementing the new file storage technologies for the organization. You will implement iSCSI storage to provide a less complicated option for deploying large amounts of storage.

Objectives
o Configure iSCSI storage.
o Configure the file classification infrastructure.

Lab Setup
Estimated Time: 75 minutes

Virtual Machine(s): 20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-SVR2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2.


Exercise 1: Configuring iSCSI Storage


Scenario
To decrease the cost and complexity of configuring centralized storage, A. Datum has decided to use iSCSI to provide storage. To get started, you will install and configure the iSCSI target, and configure access to the target by configuring the iSCSI initiators.

The main tasks for this exercise are as follows:

1. Install the iSCSI target feature.
2. Configure the iSCSI targets.
3. Configure MPIO.
4. Connect to and configure the iSCSI targets.

Task 1: Install the iSCSI target feature


1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. Open Server Manager.
3. In the Add Roles and Features Wizard, install the following roles and features to the local server, and accept the default values:
   o File And Storage Services (Installed)\File and iSCSI Services\iSCSI Target Server

Task 2: Configure the iSCSI targets


1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click iSCSI.
2. Create a virtual disk with the following settings:
   o Storage location: C:
   o Disk name: iSCSIDisk1
   o Size: 5 GB
   o iSCSI target: New
   o Target name: lon-dc1
   o Access servers: 172.16.0.22 and 131.107.0.2
3. On the View results page, wait until the creation completes, and then click Close.
4. Create a New iSCSI virtual disk with these settings:
   o Storage location: C:
   o Disk name: iSCSIDisk2
   o Size: 5 GB
   o iSCSI target: lon-dc1
5. Create a New iSCSI virtual disk with these settings:
   o Storage location: C:
   o Disk name: iSCSIDisk3
   o Size: 5 GB
   o iSCSI target: lon-dc1


6. Create a New iSCSI virtual disk with these settings:
   o Storage location: C:
   o Disk name: iSCSIDisk4
   o Size: 5 GB
   o iSCSI target: lon-dc1
7. Create a New iSCSI virtual disk with these settings:
   o Storage location: C:
   o Disk name: iSCSIDisk5
   o Size: 5 GB
   o iSCSI target: lon-dc1

Task 3: Configure MPIO


1. On LON-SVR2, from Server Manager, open the Routing and Remote Access console.
2. On the Enable DirectAccess Wizard, click Cancel.
3. Right-click LON-SVR2 and then click Disable Routing and Remote Access. Click Yes and then close the Routing and Remote Access console.
4. In Server Manager, start the Add Roles and Features Wizard and install the Multipath I/O feature.
5. In Server Manager, on the Tools menu, open iSCSI Initiator, and configure the following:
   o Enable the iSCSI Initiator service
   o Quick Connect to target: LON-DC1
6. In Server Manager, on the Tools menu, open MPIO, and configure the following:
   o Enable Add support for iSCSI devices on Discover Multi-paths
7. After the computer restarts, log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.
8. In Server Manager, on the Tools menu, click MPIO and verify that Device Hardware ID MSFT2005iSCSIBusType_0x9 is added to the list.

Task 4: Connect to and configure the iSCSI targets


1. On LON-SVR2, in Server Manager, on the Tools menu, open iSCSI Initiator.
2. In the iSCSI Initiator Properties dialog box, perform the following steps:
   o Disconnect all Targets.
   o Connect and Enable multi-path.
   o Set Advanced options as follows:
     o Local Adapter: Microsoft iSCSI Initiator
     o Initiator IP: 172.16.0.22
     o Target Portal IP: 172.16.0.10 / 3260
   o Connect to another target, enable multi-path, and configure the following Advanced settings:
     o Local Adapter: Microsoft iSCSI Initiator
     o Initiator IP: 131.107.0.2
     o Target Portal IP: 131.107.0.1 / 3260
3. In the Targets list, open Devices for iqn.1991-05.com.microsoft:lon-dc1-lon-dc1-target, access the MPIO information, and then verify that in Load balance policy, Round Robin is selected. Verify that two paths are listed by looking at the IP addresses of both network adapters.

Results: After completing this exercise, you will have configured and connected to iSCSI targets.
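Exercise 1 carried out with the IscsiTarget module on LON-DC1 and the iSCSI initiator and MPIO modules on LON-SVR2, as an added example that is not part of the lab. The target name, initiator addresses, portal addresses and disk sizes are the exercise's; the folder for the virtual disk files is an assumed location (the wizard chooses its own default), and the optional CHAP line at the end is an added hardening step the lab does not perform.

```powershell
# Added example: Exercise 1 as Windows PowerShell.

# ---------- LON-DC1: iSCSI target (Tasks 1 and 2) ----------
Install-WindowsFeature -Name FS-iSCSITarget-Server
Import-Module IscsiTarget

# Only the two initiator addresses from the exercise may log on to this target
# (the "Access servers" list); anything else is refused at the target.
$initiators = @("IPAddress:172.16.0.22", "IPAddress:131.107.0.2")
New-IscsiServerTarget -TargetName "lon-dc1" -InitiatorIds $initiators

# Five 5 GB virtual disks, each mapped to the same target (assumed folder).
New-Item -Path "C:\iSCSIVirtualDisks" -ItemType Directory -Force | Out-Null
1..5 | ForEach-Object {
    $path = "C:\iSCSIVirtualDisks\iSCSIDisk$_.vhd"
    New-IscsiVirtualDisk -Path $path -SizeBytes 5GB
    Add-IscsiVirtualDiskTargetMapping -TargetName "lon-dc1" -Path $path
}
Get-IscsiServerTarget -TargetName "lon-dc1" |
    Select-Object TargetName, TargetIqn, InitiatorIds, LunMappings

# Optional hardening not in the lab: require CHAP from the initiator as well as an address match.
# $chap = Get-Credential -Message "CHAP user name and secret"
# Set-IscsiServerTarget -TargetName "lon-dc1" -EnableChap $true -Chap $chap

# ---------- LON-SVR2: MPIO and initiator (Tasks 3 and 4) ----------
Install-WindowsFeature -Name Multipath-IO          # restart before continuing
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI                        # "Enable the iSCSI Initiator service"

Enable-MSDSMAutomaticClaim -BusType iSCSI          # "Add support for iSCSI devices"
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR # Round Robin, as verified in Task 4 step 3
Get-MPIOAvailableHardware                          # expect MSFT2005iSCSIBusType_0x9

# Discover the target through both portals and log on once per path.
New-IscsiTargetPortal -TargetPortalAddress 172.16.0.10
New-IscsiTargetPortal -TargetPortalAddress 131.107.0.1
$iqn = (Get-IscsiTarget | Where-Object NodeAddress -like "*lon-dc1*").NodeAddress

Connect-IscsiTarget -NodeAddress $iqn -IsMultipathEnabled $true -IsPersistent $true `
    -InitiatorPortalAddress 172.16.0.22 -TargetPortalAddress 172.16.0.10
Connect-IscsiTarget -NodeAddress $iqn -IsMultipathEnabled $true -IsPersistent $true `
    -InitiatorPortalAddress 131.107.0.2 -TargetPortalAddress 131.107.0.1

# Verification: one session per path, and both local adapters appear in the connections.
Get-IscsiSession    | Select-Object TargetNodeAddress, IsMultipathEnabled, IsPersistent
Get-IscsiConnection | Select-Object InitiatorAddress, TargetAddress, TargetPortNumber
```

Pinning -InitiatorPortalAddress on each Connect-IscsiTarget call is what produces two distinct paths; without it both sessions can be routed over the same adapter and MPIO has nothing to balance, which is the failure mode the "two paths are listed" check in Task 4 is there to catch.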

Exercise 2: Configuring the File Classification Infrastructure


Scenario

A. Datum has noticed that many users are copying corporate documentation to their mapped drives on the users' or departmental file servers. As a result, there are many different versions of the same documents on the network. To ensure that only the latest version of the documentation is available for most users, you need to configure a file classification system that will delete specific files from user folders.

The main tasks for this exercise are as follows:

1. Create a classification property for corporate documentation.
2. Create a classification rule for corporate documentation.
3. Create a classification rule that applies to a shared folder.
4. Create a file management task to expire corporate documents.
5. Verify that corporate documents are expired.

Task 1: Create a classification property for corporate documentation


1. On LON-SVR1, from Server Manager, start the File Server Resource Manager.
2. In File Server Resource Manager, under Classification Management, create a local property with the following settings:
   o Name: Corporate Documentation
   o Property Type: Yes/No
3. Leave the File Server Resource Manager open.

Task 2: Create a classification rule for corporate documentation


1. In the File Server Resource Manager console, create a classification rule with the following settings:
   o General tab, Rule name: Corporate Documents Rule, and ensure that the rule is enabled.
   o Scope tab: E:\Labfiles\Corporate Documentation folder
   o Classification tab:
     o Classification method: Folder Classifier
     o Property, Choose a property to assign to files: Corporate Documentation
     o Property, Specify a value: Yes
   o Evaluation type tab: Re-evaluate existing property values and Aggregate the values
2. Select both Run the classification with all rules and Wait for classification to complete.
3. Review the Automatic classification report that displays in Internet Explorer, and ensure that the report lists the same number of classified files as in the Corporate Documentation folder.


4. Close Internet Explorer, but leave the File Server Resource Manager open.

Task 3: Create a classification rule that applies to a shared folder


1. In the File Server Resource Manager, create a local property with the following settings:
   o Name: Expiration Date
   o Property Type: Date-Time
2. In the File Server Resource Manager console, create a classification rule with the following settings:
   o General tab, Rule name: Expiration Rule, and ensure that the rule is enabled
   o Scope tab: E:\Labfiles\Corporate Documentation
   o Classification tab, Classification method: Folder Classifier
   o Property, Choose a property to assign to files: Expiration Date
   o Evaluation type tab: Re-evaluate existing property values and Aggregate the values
3. Select both Run the classification with all rules and Wait for classification to complete.
4. Review the Automatic classification report that appears in Internet Explorer, and ensure that the report lists the same number of classified files as the Corporate Documentation folder.
5. Close Internet Explorer, but leave the File Server Resource Manager open.

Task 4: Create a file management task to expire corporate documents


1. In File Server Resource Manager, create a file management task with the following settings:
   o General tab, Task name: Expired Corporate Documents, and ensure that the task is enabled
   o Scope tab: E:\Labfiles\Corporate Documentation
   o Action tab, Type: File expiration is selected, Expiration directory: E:\Labfiles\Expired
   o Notification tab: Event Log and Send warning to event log
   o Condition tab, Days since the file was last modified: 1

   Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or more, depending on each company's policy.

   o Schedule tab: Weekly and Sunday
2. Leave the File Server Resource Manager console open.

Task 5: Verify that corporate documents are expired


1. In File Server Resource Manager, click Run File Management Task Now, and then click Wait for the task to complete.
2. Review the File management task report that displays in Internet Explorer, and ensure that the report lists the same number of classified files as the Corporate Documentation folder.
3. Start Event Viewer, and in the Event Viewer console, open the Application event log.
4. Review events with numbers 908 and 909. Notice that 908 FSRM started a file management job, and 909 FSRM finished a file management job.


Results: After completing this exercise, you will have configured a file classification infrastructure so that the latest version of the documentation is always available to users.
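Tasks 4 and 5 of Exercise 2 expressed with the FileServerResourceManager module, as an added example that is not part of the lab. The task name, scope, expiration directory, 1-day age, Sunday schedule and event IDs 908/909 are the lab's. Three things are assumptions: the time of day for the weekly run (the lab sets none), the -DateOffset form of New-FsrmFmjCondition for a "days since last modified" condition (confirm against Get-Help New-FsrmFmjCondition -Full on your build), and SRMSVC as the event source FSRM writes those events under.

```powershell
# Added example: the expiration file management task and its verification.
Import-Module FileServerResourceManager

$scope   = "E:\Labfiles\Corporate Documentation"
$expired = "E:\Labfiles\Expired"
$task    = "Expired Corporate Documents"

# Condition tab: "Days since the file was last modified: 1" (365 or more in production).
# Assumption: -DateOffset expresses the age in days relative to the run time.
$condition = New-FsrmFmjCondition -Property "File.DateLastModified" -Condition Greater -DateOffset 1

# Action tab: file expiration moves matching files into the expiration directory.
$action = New-FsrmFmjAction -Type Expiration -ExpirationFolder $expired

# Schedule tab: weekly on Sunday (02:00 is an assumed time of day).
$schedule = New-FsrmScheduledTask -Time (Get-Date "02:00") -Weekly @("Sunday")

New-FsrmFileManagementJob -Name $task -Namespace @($scope) `
    -Condition @($condition) -Action $action -Schedule $schedule `
    -ReportFormat @("Dhtml")

# Task 5, steps 1 and 2: run the job now, wait for it, and count what was moved.
Start-FsrmFileManagementJob -Name $task
Wait-FsrmFileManagementJob -Name $task
$moved = Get-ChildItem -Path $expired -File -Recurse -ErrorAction SilentlyContinue
"{0} file(s) moved to {1}" -f @($moved).Count, $expired

# Task 5, steps 3 and 4: the job start (908) and finish (909) events in the Application log
# (assumption: FSRM logs them under the SRMSVC source).
Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "SRMSVC"; Id = 908, 909 } -MaxEvents 2 |
    Select-Object TimeCreated, Id, Message
```

Expiration is a move, not a delete, so the contents of the expiration directory are the audit trail for what the task touched; if the count of moved files does not match the report, compare the directory listing with the report before changing the condition.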

To prepare for the next lab


When you finish the lab, revert 20412A-LON-SVR2. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-SVR2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert. Keep all other virtual machines running for the next lab.


Lab B: Implementing BranchCache


Scenario

A. Datum Corporation has deployed a new branch office, which has a single server. To optimize file access in branch offices, you must configure BranchCache. To reduce WAN use out to the branch office, you must configure BranchCache to retrieve data from the head office. You will also implement FSRM to assist in optimizing file storage at A. Datum.

Objectives
o Configure the main office servers for BranchCache.
o Configure the branch office servers for BranchCache.
o Configure client computers for BranchCache.
o Monitor and verify BranchCache.

Lab Setup
Estimated Time: 30 minutes

Virtual Machine(s): 20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-CL1, 20412A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.

Exercise 1: Configuring the Main Office Servers for BranchCache


Scenario
Before you can configure the BranchCache feature for your branch offices, you must configure the network components.


The main tasks for this exercise are as follows:

1. Configure LON-DC1 to use BranchCache.
2. Simulate a slow link to the branch office.
3. Enable a file share for BranchCache.
4. Configure client firewall rules for BranchCache.

Task 1: Configure LON-DC1 to use BranchCache


1. Switch to LON-DC1.
2. Open Server Manager, and install the BranchCache for network files role service.
3. Open the Local Group Policy Editor (gpedit.msc).
4. Navigate to and open Computer Configuration/Administrative Templates/Network/Lanman Server/Hash Publication for BranchCache.
5. Enable the BranchCache setting, and then select Allow hash publication only for shared folders on which BranchCache is enabled.

Task 2: Simulate a slow link to the branch office


1. In the Local Group Policy Editor console, navigate to Computer Configuration\Windows Settings\Policy-based QoS.
2. Create a new policy with the following settings:
   o Name: Limit to 100 Kbps
   o Specify Outbound Throttle Rate: 100

Task 3: Enable a file share for BranchCache


1. In a Windows Explorer window, create a new folder named C:\Share.
2. Share this folder with the following properties:
   o Share name: Share
   o Permissions: default
   o Caching: Enable BranchCache
3. Copy C:\Windows\System32\write.exe to the C:\Share folder.

Task 4: Configure client firewall rules for BranchCache


1. On LON-DC1, open Group Policy Management.
2. Navigate to Forest: Adatum.com\Domains\Adatum.com\Default Domain Policy, and then open the policy for editing.
3. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
4. Create a new inbound firewall rule with the following properties:
   a. Rule type: predefined
   b. Use BranchCache Content Retrieval (Uses HTTP)
   c. Action: Allow
5. Create a new inbound firewall rule with the following properties:
   d. Rule type: predefined
   e. Use BranchCache Peer Discovery (Uses WSD)
   f. Action: Allow
6. Close the Group Policy Management Editor and Group Policy Management console.

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and enabled BranchCache on a file share.
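Exercise 1 on LON-DC1 done with Windows PowerShell, as an added example that is not part of the lab. The role service, share name, copied file, firewall rule groups and policy name are the exercise's. Two substitutions are assumptions: the firewall rules and the QoS throttle are applied to the local computer with the NetSecurity and NetQos cmdlets instead of through the Group Policy edits the lab makes, and the throttle is given as 100 Kbps because that is what the policy is named (the Group Policy dialog's rate field is in KBps, so enter 800000 if you want exactly the dialog's value). Hash publication stays with the Lanman Server policy setting from Task 1; this example does not change it.

```powershell
# Added example: the content server side of Exercise 1 with PowerShell.

# Task 1: the "BranchCache for network files" role service.
Install-WindowsFeature -Name FS-BranchCache

# Task 3: a share with BranchCache caching enabled, holding the test file.
New-Item -Path "C:\Share" -ItemType Directory -Force | Out-Null
Copy-Item -Path "$env:windir\System32\write.exe" -Destination "C:\Share"
New-SmbShare -Name "Share" -Path "C:\Share" -CachingMode BranchCache
Get-SmbShare -Name "Share" | Select-Object Name, Path, CachingMode   # CachingMode: BranchCache

# Task 4: allow only the two predefined BranchCache rule groups inbound, as the lab does;
# the hosted cache server groups (HTTPS) stay closed on a content server.
Enable-NetFirewallRule -DisplayGroup "BranchCache - Content Retrieval (Uses HTTP)"
Enable-NetFirewallRule -DisplayGroup "BranchCache - Peer Discovery (Uses WSD)"
Get-NetFirewallRule -DisplayGroup "BranchCache*" |
    Select-Object DisplayName, Direction, Enabled, Action

# Task 2: the slow-link simulation as a local QoS policy (assumed 100 Kbps outbound,
# matching the policy name; adjust if you want the dialog's KBps figure instead).
New-NetQosPolicy -Name "Limit to 100 Kbps" -ThrottleRateActionBitsPerSecond 100000

# Content server status after the changes.
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
(Get-BCStatus).ContentServerConfiguration
```

Keeping the QoS throttle in a named policy makes it easy to find and remove with Remove-NetQosPolicy after the lab; a forgotten throttle on a domain controller is hard to diagnose later.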

Exercise 2: Configuring the Branch Office Servers for BranchCache


Scenario
The next step you must perform is to configure a file server for the BranchCache feature. You will install the BranchCache feature, request a certificate, and then link it to BranchCache.

The main tasks for this exercise are as follows:

1. Install the BranchCache feature on LON-SVR1.
2. Start the BranchCache host server.

Task 1: Install the BranchCache feature on LON-SVR1

On LON-SVR1, from Server Manager, add the BranchCache for Network Files role service and the BranchCache feature.

Task 2: Start the BranchCache host server


1. On LON-DC1, open Active Directory Users and Computers, and create a new organizational unit (OU) called BranchCacheHost.
2. Move LON-SVR1 into the BranchCacheHost OU.
3. Open Group Policy Management, and block GPO inheritance on the BranchCacheHost OU.
4. Restart LON-SVR1 and log on as Adatum\Administrator with the password Pa$$w0rd.
5. On LON-SVR1, open Windows PowerShell, and run the following cmdlet:

Enable-BCHostedServer -RegisterSCP

6. On LON-SVR1, in Windows PowerShell, run the following cmdlet:

Get-BCStatus

Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

Exercise 3: Configuring Client Computers for BranchCache


Scenario
After configuring the network components, you must ensure that the client computers are configured correctly. This is a preparatory task for using BranchCache.


The main task for this exercise is as follows: 1. Configure client computers to use BranchCache in Hosted Cache mode

Task 1: Configure client computers to use BranchCache in Hosted Cache mode


1. On LON-DC1, open Server Manager, and then open Group Policy Management.
2. Edit the Default Domain Policy.
3. In the Group Policy Management Editor, browse to Computer Configuration\Policies\Administrative Templates\Network\BranchCache, and configure the following:
   o Turn on BranchCache: Enabled
   o Enable Automatic Hosted Cache Discovery by Service Connection Point: Enabled
   o Configure BranchCache for network files: Enabled
   o Type the maximum round trip network latency (milliseconds) after which caching begins: 0
4. Start 20412A-LON-CL1, open a command prompt window, and refresh the Group Policy settings using the command gpupdate /force.
5. At the command prompt, type netsh branchcache show status all, and then press Enter.
6. Start 20412A-LON-CL2, open the command prompt window, and refresh the Group Policy settings using the command gpupdate /force.
7. At the command prompt, type netsh branchcache show status all, and then press Enter.

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 4: Monitoring BranchCache


Scenario
Finally, you must test and verify that the BranchCache feature is working as expected.

The main tasks for this exercise are as follows:

1. Configure Performance Monitor on LON-SVR1.
2. View performance statistics on LON-CL1.
3. View performance statistics on LON-CL2.
4. Test BranchCache in the Hosted Cache mode.

Task 1: Configure Performance Monitor on LON-SVR1


1. On LON-SVR1, open Performance Monitor.
2. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor.
3. Remove existing counters, change to report view, and then add the BranchCache object counters to the report.


Task 2: View performance statistics on LON-CL1


1. Switch to LON-CL1, and open the Performance Monitor.
2. In the navigation pane of the Performance Monitor console, under Monitoring Tools, click Performance Monitor.
3. In Performance Monitor, remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 3: View performance statistics on LON-CL2


1. Switch to LON-CL2, and open Performance Monitor.
2. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor.
3. In the Performance Monitor, remove existing counters, change to a report view, and then add the BranchCache object to the report.

Task 4: Test BranchCache in the Hosted Cache mode


1. Switch to LON-CL1.
2. Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This could take several minutes because of the simulated slow link.
3. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).
4. Switch to LON-CL2.
5. Open \\LON-DC1.adatum.com\share, and copy the executable file to the local desktop. This should not take as long, because the file is cached.
6. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
7. Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

Results: At the end of this exercise, you will have verified that BranchCache is working as expected.
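Exercise 4 as a script run on each client (LON-CL1 first, then LON-CL2), with the last two lines run on LON-SVR1, as an added example that is not part of the lab. The counter names, share path and copied file are the exercise's; the Get-BCDataCache property names are those of the BranchCache module, and the snapshot helper is an added convenience so the counter deltas for one copy can be read without Performance Monitor.

```powershell
# Added example: read the BranchCache counters around a single file copy.
$counters = @(
    "\BranchCache\Retrieval: Bytes from Server",
    "\BranchCache\Retrieval: Bytes from Cache",
    "\BranchCache\Retrieval: Bytes Served"
)

function Get-BCRetrievalSnapshot {
    # One sample of each retrieval counter, keyed by the sample's full counter path.
    $snap = @{}
    foreach ($s in (Get-Counter -Counter $counters).CounterSamples) {
        $snap[$s.Path] = $s.CookedValue
    }
    return $snap
}

# Client mode and the hosted cache server found through the SCP registered in Exercise 2.
$status = Get-BCStatus
$status.ClientConfiguration | Select-Object CurrentClientMode, HostedCacheServerList

$before = Get-BCRetrievalSnapshot
Copy-Item -Path "\\LON-DC1.adatum.com\share\write.exe" -Destination "$env:USERPROFILE\Desktop"
$after  = Get-BCRetrievalSnapshot

# On the first client "Bytes from Server" grows (slow WAN) and the segments are passed up
# to the hosted cache ("Bytes Served"); on the second client "Bytes from Cache" grows instead.
foreach ($path in $before.Keys) {
    "{0,-55} +{1:N0} bytes" -f $path, ($after[$path] - $before[$path])
}

# On LON-SVR1: offers the hosted cache has made, and what it currently holds.
Get-Counter -Counter "\BranchCache\Hosted Cache: Client file segment offers made"
Get-BCDataCache | Select-Object CurrentActiveCacheSize, CurrentSizeOnDiskAsNumberOfBytes
```

If the second client's "Bytes from Cache" stays at zero, check the client mode reported by Get-BCStatus before anything else: a client that resolved no hosted cache server falls back to fetching from LON-DC1, and the counters then look exactly like the first client's.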

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.


Module Review and Takeaways


Question: How does BranchCache differ from the Distributed File System?

Question: Why would you want to implement BranchCache in Hosted Cache mode instead of Distributed Cache mode?

Question: Can you configure Data deduplication on a boot volume?

Question: Why would you implement a file classification infrastructure?

Real-world Issues and Scenarios

Your organization is considering deploying an iSCSI solution. You are a Windows Server 2012 administrator who is responsible for designing and deploying the new solution. This new solution will be used by different types of technologies, such as Windows Server 2012 file server, Exchange Server, and SQL Server. You are facing a challenge of designing an optimal iSCSI solution, but at the same time you are not sure whether the solution you are going to propose to your organization will meet the requirements of all technologies that will be accessing the iSCSI storage. What should you do?

Answer: You should include on the team that will design and deploy the iSCSI solution experts from different areas of specialization. Team members who will be involved in the project should include Windows Server 2012 administrators, network administrators, storage administrators, and security administrators. This is necessary so that the iSCSI storage solution has optimal performance and security, and has consistent management and operations procedures.

Your organization is considering deploying a BranchCache solution. You are a Windows Server 2012 administrator in your organization, and are responsible for designing and deploying the new solution. The organization's business managers are concerned about security of the data that will be stored in the branch offices. They are also concerned about how the organization will address security risks such as data tampering, information disclosure, and denial of service attacks. What should you do?

Answer: You should include a security expert on your design team. You should also consider the defense-in-depth model of analyzing security risks. BranchCache addresses the security risks as follows:

o Data tampering. The BranchCache technology uses hashes to confirm that during the communication, the client and the server did not alter the data.
o Information disclosure. BranchCache sends encrypted content to clients, but they must have the encryption key to decrypt the content. Because a potential malicious user would not have the encryption key, if an attacker attempts to monitor the network traffic to access the data while it is in transit between clients, the attempt will not be successful.
o Denial of service. If an attacker tries to overload the client with requests for data, BranchCache technology includes queue management counters and timers to prevent clients from being overloaded.

Your organization is using large amounts of disk space for data storage and is facing a challenge of organizing and managing the data. Furthermore, your organization must satisfy requirements for security, compliance, and data leakage prevention for company confidential information. What should you do?

Answer: You should deploy the file classification infrastructure. Based on file classification, you can configure file management tasks that will enable you to manage groups of files based on various file and folder attributes. You can also automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.

Best Practice:

When considering an iSCSI storage solution for your organization, spend most of the time on the design process. The design process is crucial because it allows you to optimize the solution for all technologies that will be using iSCSI storage, such as file services, Exchange Server, and SQL Server. The design should also accommodate future growth of your organization's business data. Successful design processes guarantee a successful deployment of the solution that will meet your organization's business requirements.

When planning for BranchCache deployment, ensure that you work closely with your network administrators so that you can optimize network traffic across the WAN.

When planning for file classifications, ensure that you start with your organization's business requirements. Identify the classifications that you will apply to documents, and then define a method that you will use to identify documents for classification. Before you deploy the file classification infrastructure, create a test environment and test the scenarios to ensure that your solution will result in a successful deployment and that your organization's business requirements will be met.

Tools

Tool: iSCSI target server
Use: Configure iSCSI targets
Where to find it: In Server Manager, under File and Storage Services

Tool: iSCSI initiator
Use: Configure a client to connect to an iSCSI target virtual disk
Where to find it: In Server Manager, in the Tools drop-down list box

Tool: Deduplication Evaluation tool (DDPEval.exe)
Use: Analyze a volume to find out the potential savings when enabling data deduplication
Where to find it: C:\windows\system32

Tool: File Server Resource Manager
Use: A set of features that allow you to manage and classify data that is stored on file servers
Where to find it: Server Manager


Module 3
Implementing Dynamic Access Control
Contents:
Module Overview 3-1
Lesson 1: Overview of Dynamic Access Control 3-2
Lesson 2: Planning for Dynamic Access Control 3-8
Lesson 3: Deploying Dynamic Access Control 3-13
Lab: Implementing Dynamic Access Control 3-22
Module Review and Takeaways 3-30

Module Overview

The Windows Server 2012 operating system introduces a new feature for enhancing access control for file-based and folder-based resources. This feature, called Dynamic Access Control, extends regular NTFS file system-based access control by enabling administrators to use claims, resource properties, policies, and conditional expressions to manage access. In this module, you will learn about Dynamic Access Control, and how to plan for it and implement it.

Objectives
After completing this module, you will be able to:
Describe Dynamic Access Control and its components.
Plan for Dynamic Access Control implementation.
Deploy Dynamic Access Control.


Lesson 1

Overview of Dynamic Access Control

Dynamic Access Control is a new Windows Server 2012 feature that you can use for access management. Dynamic Access Control offers a new way of securing and controlling access to resources. Before you implement this feature, you should understand how it works and which components it uses. This lesson presents an overview of Dynamic Access Control.

Lesson Objectives

After completing this lesson, you will be able to:
Define Dynamic Access Control.
Describe the foundation technologies for Dynamic Access Control.
Compare Dynamic Access Control with alternative and similar technologies such as NTFS permissions and Active Directory Rights Management Services (AD RMS).
Define identity.
Define claim and claim types.
Define a central access policy.

What Is Dynamic Access Control?


Typically, most of an organization's data is stored on file servers. Therefore, IT administrators must provide proper security and access control to file server resources. In previous versions of Windows Server, IT administrators controlled most access to file server resources by using NTFS permissions and access control lists.

Dynamic Access Control in Windows Server 2012 is a new access control mechanism for file system resources. It enables administrators to define central file access policies that can apply to every file server in the organization. Dynamic Access Control implements a safety net over file servers, and over any existing share and NTFS permissions. It also ensures that regardless of how the share and NTFS permissions might change, this central overriding policy is still enforced. Dynamic Access Control combines multiple criteria into the access decision; this is something that NTFS permissions cannot do.

Dynamic Access Control provides a flexible way to apply and manage access and auditing to domain-based file servers. Dynamic Access Control uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries. With this combination of features, you can now grant access to files and folders based on Active Directory Domain Services (AD DS) attributes.

Dynamic Access Control provides:

Data identification. You can use automatic and manual file classification to tag data in file servers across the organization.

Access control to files. Central access policies enable organizations to define, for example, who can access health information within an organization.

Auditing of file access. You can use central audit policies for compliance reporting and forensic analysis. For example, you can identify who accessed highly sensitive information.

Optional RMS protection integration. You can use Rights Management Services (RMS) encryption for sensitive Microsoft Office documents. For example, you can configure RMS to encrypt all documents containing Health Insurance Portability and Accountability Act (HIPAA) information.


Dynamic Access Control is designed for four main end-to-end scenarios:

Central access policy for access to files. Enables organizations to set safety net policies that reflect business and regulatory compliance.

Auditing for compliance and analysis. Enables targeted auditing across file servers for compliance reporting and forensic analysis.

Protecting sensitive information. Identifies and protects sensitive information within a Windows Server 2012 environment, and when it leaves the Windows Server 2012 environment.

Access denied remediation. Improves the access-denied experience to reduce help desk load and incident time for troubleshooting.

Foundation Technologies for Dynamic Access Control


Dynamic Access Control combines many Windows Server 2012 technologies to provide a flexible and granular authorization and auditing experience. Dynamic Access Control uses the following technologies:

Network protocols, such as TCP/IP, Remote Procedure Call (RPC), Server Message Block (SMB), and Lightweight Directory Access Protocol (LDAP), for network communications between hosts, and interaction with file system and directory lookups.
Domain Name System (DNS) for host name resolution.
AD DS and its dependent technologies for enterprise network management.
The Kerberos version 5 protocol, including FAST Search and Compound Identity for secure authentication.
Windows Security (local security authority (LSA), Net Logon service) for secure logon transactions.
File classifications for file categorization.
Auditing for secure monitoring and accountability.

Several components and technologies are updated in Windows Server 2012 to support Dynamic Access Control. The most important updates are:

A new Windows authorization and audit engine that can process conditional expressions and central policies.
Kerberos authentication support for user claims and device claims.


Improvements to the file classification infrastructure.
Optional RMS extensibility support so that partners can provide solutions for encrypting files that are not Microsoft Office files.

Dynamic Access Control vs. Alternative Permissions Technologies


Dynamic Access Control controls access to file-based resources. It does not overlap with older, well-known technologies that provide similar functionality. Instead, Dynamic Access Control extends the functionality of older technologies for controlling file-based resource access.

In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and their access control lists (ACLs), administrators can control access to resources based on user name security identifiers (SIDs) or group membership SIDs, and the level of access such as Read-only, Change, and Full Control. However, once you provide someone with, for example, Read Only access to a document, you cannot prevent that person from copying the content of that document into a new document or printing the document.

By implementing AD RMS, you can establish an additional level of file control. Unlike NTFS permissions, which are not application-aware, AD RMS sets a policy that can control document access inside the application that the user uses to open it. By implementing AD RMS, you enable users to protect documents within applications.

However, you cannot set conditional access to files by using NTFS and AD RMS. For example, you cannot set NTFS permissions so that users can access documents only if they are members of specific groups and have their EmployeeType attributes set to Full Time Employee (FTE). Additionally, you cannot set permissions so that only users who have a department attribute populated with the same value as the department attribute for the resource can access the content. However, you can use conditional expressions to accomplish these tasks. You can use Dynamic Access Control to evaluate attribute values on user or resource objects when providing or denying access.

What Is Identity?


Identity is usually defined as a set of data that uniquely describes a person or a thing (sometimes referred to as subject or entity) and contains information about the subject's relationships to other entities. Identity is usually verified by using a trusted source of information. For example, when you go to the airport, you show your passport. Your passport contains your name, address, date of birth, and photograph. Each item of personal information is a claim that is made about you by the country issuing your passport. Your country ensures that the information that is published in a passport is accurate for the passport owner. Because you usually use the passport outside of your country of residence, other countries must also trust the information in your passport. They must trust the organization that issued your passport and consider it reliable. Based on that trust, other countries grant you access to their territories (which can be considered resources). Therefore, in this example, to access resources in other countries, each person is required to have a document (passport) that is issued by a reliable and trusted source and that contains critical claims that describe the person.

The Windows Server operating system uses a similar concept of identity. An administrator creates a user account in AD DS for a person. The domain controller publishes user account information, such as a security identifier and group membership attributes. When a user accesses a resource, Windows Server creates an authorization token.

To continue the foreign travel analogy, you are the user, and the authorization token is the passport. Each unique piece of information in the authorization token is a claim made about your user account. Domain controllers publish these claims. Domain-joined computers and domain users trust domain controllers to provide authoritative information.

We can then say that identity, with respect to authentication and authorization, is information published about an entity from a trusted source. Furthermore, the information is considered authoritative because the source is trusted.

Earlier versions of Windows Server used the security identifier (SID) to represent the identity of a user or computer. Users authenticate to the domain with a specific user name and password. The unique logon name translates into the SID. The domain controller validates the password and publishes the SID of the security principal and the SIDs of all the groups within which the principal is a member. The domain controller claims the user's SID is valid and should be used as the identity of the user. All domain members trust their domain controller; therefore, the response is treated as authoritative.

Identity is not limited to the user's SID. Applications can use any information about the user as a form of identity, if the application trusts that the source of the information is authoritative. For example, many applications implement role-based access control (RBAC). RBAC limits access to resources based on whether the user is a member of a specific role. Microsoft SharePoint Server is a good example of software that implements role-based security. Windows Server 2012 can also take advantage of these options to extend and enhance the way identity is determined for a security principal.


What Is a Claim?

Windows Server 2008 and Windows Server 2003 use claims in Active Directory Federation Services (AD FS). In this context, claims are statements made about users (for example, name, identity, key, group, privilege, or capability) which are understood by the partners in an AD FS federation. AD FS also provides AD DS-based claims, and the ability to convert the data from these claims into Security Assertions Markup Language (SAML) format. In previous versions of AD FS, the only attribute that could be retrieved from AD DS and incorporated directly into a claim was SID information for user and group accounts. All other claim information was defined within and referenced from a separate database, known as an attribute store. Windows Server 2012 now allows you to read and use any attribute directly from AD DS. You do not need to use a separate AD FS attribute store to hold this type of information for Active Directory-based computer or user accounts.


By definition, a claim is something that AD DS states about a specific object (usually a user or computer). A claim provides information from the trusted source about an entity. Some examples of claims are the SID of a user or computer, the department classification of a file, and the health state of a computer. All these claims state something about a specific object.

An entity normally contains more than one claim. When configuring resource access, any combination of claims can be used to authorize access to resources.

In Windows Server 2012, the authorization mechanism is extended. You can now use user claims and device claims for file and folder authorization in addition to NTFS permissions that are based on user SIDs or group SIDs. By using claims, you can now base your access control decision on SID and other attribute values. Note that Windows Server 2012 still supports using group membership for authorization decisions.

User Claim
A user claim is information that is provided by a Windows Server 2012 domain controller about a user. Windows Server 2012 domain controllers can use most AD DS user attributes as claim information. This provides administrators with a wide range of possibilities for configuring and using claims for access control.

Device Claim

A device claim (which is often called a computer claim) is information that is provided by a Windows Server 2012 domain controller about a device that is represented by a computer account in AD DS. As with user claims, device claims can use most of the AD DS attributes that are applicable to computer objects.

What Is a Central Access Policy?


One of the fundamental components of Dynamic Access Control is the central access policy. This Windows Server 2012 feature enables administrators to create policies that they can apply to one or more file servers. You create policies in the Active Directory Administrative Center, which then stores them in AD DS, and you then apply them by using Group Policy. The central access policy contains one or more central access policy rules. Each rule contains settings that determine applicability and permissions.

Before you create a central access policy, you must create at least one central access rule. Central access rules define all parameters and conditions that control access to specific resources. A central access rule has three configurable parts:

Name. For each central access rule, you should configure a descriptive name.

Target resource. This is a condition that defines to which data the policy applies. You define a condition by specifying an attribute and its value. For example, a particular central policy rule might apply to any data that you classify as sensitive. You can also apply the rule to all resources to which the central access policy applies.


Permissions. This is a list of one or more access control entries (ACEs) that define who can access data. For example, you can specify Full Control Access to a user with attribute EmployeeType set to FTE (full-time employee). This is the key component of each central access rule. You can combine and group conditions that you place in the central access rule. You can set permissions either to proposed (for staging purposes) or current.

After you configure one or more central access rules, you then add these rules to the central access policy, which is then applied to the resources. The central access policy enhances, but does not replace, the local access policies or discretionary access control lists (DACLs) that are applied to files and folders on a specific server. For example, if a DACL on a file allows access to a specific user, but a central access policy that is applied to the file restricts access to the same user, the user will not be able to obtain access to the file. Likewise, if the central access policy allows access but the DACL does not allow access, then the user will not be able to access the file.

Before implementing the central access policy, perform these steps:

1. Create a claim, and then connect it to users or computer objects by using attributes.
2. Create file property definitions.
3. Create one or more central access rules.
4. Create a Central Access Policy object and define its settings.
5. Use Group Policy to deploy the policy to file servers. By doing this, you make file servers aware that a central access policy exists in AD DS.
6. On the file server, apply that policy to a specific shared folder.


Lesson 2

Planning for Dynamic Access Control

Dynamic Access Control requires detailed planning prior to implementation. You should identify reasons for implementing Dynamic Access Control, and plan for central access policy, file classifications, auditing, and access-denied assistance. In this lesson, you will learn about planning Dynamic Access Control.

Lesson Objectives

After completing this lesson, you will be able to:
Describe reasons for implementing Dynamic Access Control.
Plan for central access policy.
Plan for file classifications.
Plan for file access auditing.
Plan for access-denied assistance.

Reasons for Implementing Dynamic Access Control


Before you implement Dynamic Access Control, you should clearly identify the reasons for using this feature. Dynamic Access Control should be well designed before you implement it. An improperly planned implementation can cause some users to be denied access to required data, and other users to be granted access to restricted data.

The most common reason to implement Dynamic Access Control is to extend the functionality of an existing access control model. Most organizations use NTFS and share permissions to implement access control for file and folder resources. In most cases, NTFS is sufficient, but in some scenarios it does not work. For example, you cannot use an NTFS ACL to protect a resource on a file server so that a user must simultaneously be a member of two groups to access the resource. You must use Dynamic Access Control instead of traditional methods for implementing access control when you want to use more specific information for authorization purposes. NTFS and share permissions use only user or group objects.


Planning for Central Access Policy


Implementing central access policy is not mandatory for Dynamic Access Control. However, for consistent configuration of access control on all file servers, you should implement at least one central access policy. By doing so, you enable all file servers within a specific scope to use a central access policy when protecting content in shared folders.

Before you implement a central access policy, create a detailed plan as follows:

1. Identify the resources that you want to protect. If all these resources are on one file server or in just one folder, then you might not have to implement a central access policy. Instead, you can configure conditional access on the folder's ACL. However, if resources are distributed across several servers or folders, then you may benefit from deploying a central access policy. Data that might require additional protection may include payroll records, medical history data, employee personal information, and company customer lists. You can also use targeting within central access rules to identify resources to which you want to apply a central access policy.

2. Define the authorization policies. These policies are usually defined from your business requirements. Some examples are:
   o All documents that have property confidentiality set to high must be available only to managers.
   o Marketing documents from each country should be writable only by marketing people from the same country.
   o Only full time employees should be able to access technical documentation from previous projects.

3. Translate the authorization policies that you require into expressions. In the case of Dynamic Access Control, expressions are attributes that are associated with both the resources (files and folders) and the user or device that seeks access to the resources. These expressions state additional identification requirements that must be met to access protected data. Values that are associated with any expressions on the resource obligate the user or device to produce the same value.

4. Next, you should break down the expressions that you have created, and determine what claim types, resource properties, and device claims you must create to deploy your policies. In other words, you must identify the attributes for access filtering.

Note: You must use user claims to deploy central access policies. You can use security groups to represent user identities.
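The following Windows PowerShell script is an added example, not code from the course; it carries the three sample authorization policies in step 2 through steps 3 and 4 of this plan and through the six deployment steps listed under "What Is a Central Access Policy?", using the ActiveDirectory module cmdlets that ship with Windows Server 2012. Everything environment-specific is an assumption: a Windows Server 2012 domain controller, user attributes department, c and employeeType that are populated, a security group named Managers, and the convention that technical documentation is tagged with the Department resource property set to Engineering. Claim and resource property IDs are generated by AD DS, so the script reads them back rather than hard-coding them.

```powershell
# Added example (not the course's own code): turns the three sample authorization policies
# into claim types, resource properties, central access rules and one central access policy.
# Assumptions: Windows Server 2012 DC, populated department/c/employeeType attributes,
# a "Managers" group, technical documentation tagged Department = Engineering.
Import-Module ActiveDirectory

# Step 1: user claim types sourced from AD DS user attributes
foreach ($claim in @(
    @{ Name = "Department";   Attr = "department"   },
    @{ Name = "Country";      Attr = "c"            },
    @{ Name = "EmployeeType"; Attr = "employeeType" })) {
    New-ADClaimType -DisplayName $claim.Name -SourceAttribute $claim.Attr -Enabled $true -AppliesToClasses @("user")
}

# Step 2: resource properties that files are tagged with (by classification or manually)
$high = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "Highly confidential")
$low  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low",  "Low",  "Not confidential")
New-ADResourceProperty -DisplayName "Confidentiality" -IsSecured $true -Enabled $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $high, $low
New-ADResourceProperty -DisplayName "Department" -IsSecured $true -Enabled $true -ResourcePropertyValueType MS-DS-Text
New-ADResourceProperty -DisplayName "Country"    -IsSecured $true -Enabled $true -ResourcePropertyValueType MS-DS-Text
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Confidentiality", "Department", "Country"

# Step 3: translate each policy into a conditional expression. Conditional ACEs reference
# claims and resource properties by their generated IDs, so read them back from AD DS.
function Get-ClaimId([string]$Name) { (Get-ADClaimType -Filter "DisplayName -eq '$Name'").ID }
function Get-PropId([string]$Name)  { (Get-ADResourceProperty -Filter "DisplayName -eq '$Name'").ID }
$uDept = Get-ClaimId "Department"; $uCountry = Get-ClaimId "Country"; $uType = Get-ClaimId "EmployeeType"
$rConf = Get-PropId "Confidentiality"; $rDept = Get-PropId "Department"; $rCountry = Get-PropId "Country"
$managers = (Get-ADGroup -Identity "Managers").SID.Value   # assumed group

# Every rule keeps Owner, Administrators and SYSTEM in full control so the policy cannot
# lock administrators out; the conditional (XA) ACEs carry the business policy.
$base   = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)"
$read   = "0x1200a9"   # Read and Execute
$modify = "0x1301bf"   # Modify

# Policy 1: Confidentiality = High -> managers only. Nobody else gets an ACE, so the central
# policy denies them even where the NTFS DACL on the file would allow access.
New-ADCentralAccessRule -Name "High confidentiality - managers only" `
    -ResourceCondition "(@RESOURCE.$rConf == `"High`")" `
    -CurrentAcl ($base + "(A;;FA;;;$managers)")

# Policy 2: marketing documents are readable by marketing staff and writable only by
# marketing staff whose Country claim equals the document's Country property.
New-ADCentralAccessRule -Name "Marketing documents by country" `
    -ResourceCondition "(@RESOURCE.$rDept == `"Marketing`")" `
    -CurrentAcl ($base + "(XA;;$read;;;AU;(@USER.$uDept == `"Marketing`"))" +
                 "(XA;;$modify;;;AU;((@USER.$uDept == `"Marketing`") && (@USER.$uCountry == @RESOURCE.$rCountry)))")

# Policy 3: technical documentation only for full-time employees. Staged as a proposed ACL
# first: the effective permissions stay open while "would be denied" events are audited.
New-ADCentralAccessRule -Name "Technical documentation - full-time employees" `
    -ResourceCondition "(@RESOURCE.$rDept == `"Engineering`")" `
    -CurrentAcl  ($base + "(A;;$read;;;AU)") `
    -ProposedAcl ($base + "(XA;;$read;;;AU;(@USER.$uType == `"FTE`"))")

# Step 4: group the rules into one central access policy. Steps 5 and 6 are done in Group
# Policy (Computer Configuration > Policies > Windows Settings > Security Settings >
# File System > Central Access Policy) and on the share's Central Policy tab.
New-ADCentralAccessPolicy -Name "Corporate data protection policy"
Add-ADCentralAccessPolicyMember -Identity "Corporate data protection policy" `
    -Members "High confidentiality - managers only", "Marketing documents by country", "Technical documentation - full-time employees"
```

Two design points: the rules never rely on the NTFS DACL being correct, because a central access policy is evaluated together with the DACL and both must allow access; and the third rule shows the proposed-permissions staging the course describes, which lets you measure who would lose access before you move the ACE into the current permissions.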


Planning File Classifications


When planning your Dynamic Access Control implementation, you should include file classifications. Although file classifications are not mandatory for Dynamic Access Control, they can enhance the automation of the entire process. For example, if you require that all documents that are classified Confidentiality: High be accessible to top management only, regardless of the server on which the documents exist, you should ask yourself how you identify these documents, and how to classify them appropriately.

The file classification infrastructure uses classification rules to scan files automatically, and then classify them according to the contents of the file. Classification and resource properties are defined centrally in AD DS so that these definitions can be shared across file servers in the organization. You can create classification rules that scan files for a standard string or for a string that matches a pattern (regular expression). When a configured classification parameter is found in a file, that file is classified as configured in the classification rule.

When planning for file classifications, do the following:
Identify which classification or classifications you want to apply to documents.
Determine the method that you will use to identify documents for classification.
Define the schedule for automatic classifications.
Establish periodic reviews to determine the success of the classifications.

You configure file classifications in the File Server Resource Manager console.

Once you have defined the classifications, you can plan the implementation of Dynamic Access Control by defining conditional expressions that will enable you to control access to highly confidential documents based on particular user attributes.
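As an added example (not the course's own configuration), the classification plan above expressed with the FileServerResourceManager module on a Windows Server 2012 file server: a content rule that tags files Confidentiality = High, a folder rule that tags an archive folder Low, and the classification schedule. The Confidentiality resource property is assumed to already exist in AD DS; the share path, the marker string and the project-code pattern are constructed for the example.

```powershell
# Added example (not from the course). Assumptions: FSRM installed on the file server,
# a "Confidentiality" resource property (values High/Low) already defined in AD DS,
# D:\Shares\Projects is a constructed example namespace.
Import-Module FileServerResourceManager

# Sync the resource property definitions stored in AD DS to this file server so that the
# local property names match the central ones the central access rules reference.
Update-FsrmClassificationPropertyDefinition
$conf = (Get-FsrmClassificationPropertyDefinition | Where-Object { $_.DisplayName -eq "Confidentiality" }).Name

$share = "D:\Shares\Projects"   # constructed example path

# Rule 1: content classifier. A file whose text contains the constructed marker string, or
# matches the constructed project-code pattern, is tagged Confidentiality = High. Keep the
# regex anchored to a label to limit false positives, and review the results of the first
# run before a central access rule depends on the tag.
New-FsrmClassificationRule -Name "Confidential project documents" `
    -Property $conf -PropertyValue "High" -Namespace @($share) `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("COMPANY CONFIDENTIAL") `
    -ContentRegularExpression @("Project code:\s*PRJ-\d{4}") `
    -ReevaluateProperty Overwrite

# Rule 2: folder classifier. Everything under the archive folder defaults to Low; a value
# already set by the content rule is kept (ReevaluateProperty Never).
New-FsrmClassificationRule -Name "Archive is low confidentiality" `
    -Property $conf -PropertyValue "Low" -Namespace @("$share\Archive") `
    -ClassificationMechanism "Folder Classifier" -ReevaluateProperty Never

# Schedule: a weekly full scan plus continuous classification of new and changed files,
# then an immediate first pass instead of waiting for the schedule.
$weekly = New-FsrmScheduledTask -Time (Get-Date "22:00") -Weekly @("Sunday")
Set-FsrmClassification -Schedule $weekly -Continuous
Start-FsrmClassification
```

The periodic review the plan calls for is a check of the classification report after each scheduled run: documents that were tagged High by the content rule but should not be are the false positives that would wrongly lock users out once a central access rule targets the tag.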

Planning File Access Auditing


In Windows Server 2008 R2 and Windows Server 2012, you can use advanced audit policies to implement detailed and more precise file system auditing. In Windows Server 2012, you can also implement auditing together with Dynamic Access Control to utilize the new Windows security auditing capabilities. By using conditional expressions, you can configure auditing so that it only occurs in specific cases. For example, you may want to audit attempts to open shared folders by users in countries other than the country where the shared folder is located. You achieve this by implementing proposed permissions in the central access rules.

With Global Object Access auditing, administrators can define computer system access control lists (SACLs) according to the object type for either the file system or registry. The specified SACL is then applied automatically to every object of that type. You can use a Global Object Access Audit policy to enforce the Object Access Audit policy for a computer, file share, or registry without configuring and propagating conventional SACLs. Configuring and propagating a SACL is a complex administrative task that is difficult to verify, particularly if you must verify to an auditor that a security policy is being enforced.

Note: Auditors can verify that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy setting.

Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Audit policy to log all activity for a specific user and enabling the Access Failures audit policies in a resource such as a file system or registry can help administrators quickly identify which object in a system is denying a user access.

Before you implement auditing, you should prepare an audit plan. In the auditing plan, you should identify resources, users, and activities that you want to track. You can implement auditing for several scenarios, such as:

Tracking changes to user and machine attributes. As with files, users and machine objects can have attributes, and changes to these can affect whether users can access files. Therefore, tracking changes to user or machine attributes can be valuable. Users and machine objects are stored in AD DS, which means that you can track their attributes using Directory Service Access auditing.

Obtaining more information from user logon events. In Windows Server 2012, a user logon event (4624) contains information about the attributes of the file that was accessed. You can view this additional information by using audit log management tools to correlate user logon events with object access events, and by enabling event filtering based on both file attributes and user attributes.

Providing more information from object access auditing. In Windows Server 2008 R2 and Windows Server 2012, file access events 4656 and 4663 now contain information about the attributes of the file that was accessed. Event log filtering tools can use this additional information to help you identify the most relevant audit events.

Tracking changes to central access policies, central access rules, and claims. Because these objects are stored in AD DS, you can audit them just as you would any other securable object in AD DS by using Directory Service Access auditing.

Tracking changes to file attributes. File attributes determine which central access policy applies to the file. A change to the file attributes can potentially affect the access restrictions on the file. You can track changes to file attributes on any machine by configuring Authorization Policy Change auditing and Object Access auditing for file systems. Event 4911 is introduced in Windows Server 2012 to differentiate this event from other Authorization policy change events.
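The script below is an added example, not part of the course, showing the file-server side of the audit plan: it enables the audit subcategories behind the events named in this topic, applies a Global Object Access SACL for the file system, and then reads events 4656, 4663 and 4911 back out of the Security log with the resource attributes they carry, so that an analyst can filter on the classification of the file rather than on its path. It assumes an elevated session on the Windows Server 2012 file server; the filter value "High" refers to a Confidentiality resource property that is assumed to exist.

```powershell
# Added example (not from the course). Assumptions: run elevated on the Windows Server 2012
# file server; the local audit policy is not overridden by a Group Policy that sets these
# subcategories differently; a "Confidentiality" resource property exists in AD DS.

# Subcategories behind the events in the text: File System (4656/4663),
# Authorization Policy Change (4911, resource attribute changes), Logon (4624).
# Directory Service Access auditing for claim/rule/policy objects is enabled on the DCs.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Global Object Access Auditing for the file system: failed read and write attempts by
# Everyone are audited on every file without a per-folder SACL (/access uses SDDL rights).
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FRFW

# Read the Dynamic Access Control file events back out, flattening the EventData fields.
function Get-DacFileAuditEvent([datetime]$Since) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4911; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time               = $_.TimeCreated
                Id                 = $_.Id
                Outcome            = ($_.KeywordsDisplayNames -join ',')          # Audit Success / Audit Failure
                User               = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object             = $data['ObjectName']
                Access             = $data['AccessList']
                ResourceAttributes = $data['ResourceAttributes']                 # present on 4656/4663 in 2012
            }
        }
}

# Example query for the plan's "who accessed highly sensitive information" case: failed
# attempts in the last day against files whose Confidentiality attribute is High.
Get-DacFileAuditEvent -Since (Get-Date).AddDays(-1) |
    Where-Object { $_.Outcome -like "*Failure*" -and $_.ResourceAttributes -like "*Confidentiality*High*" } |
    Format-Table Time, User, Object, Access -AutoSize
```

The same function returns the 4911 events, which record a change to a file's resource attributes; because the attributes decide which central access rule applies, a 4911 on a file that was tagged High and is now tagged Low is exactly the change the audit plan says to track.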


Planning Access Denied Assistance

Access Denied Assistance helps end users determine why they cannot access a resource. It also allows IT staff to properly diagnose a problem, and then direct the resolution. Windows Server 2012 enables you to customize messages about denied access and provide users with the ability to request access without contacting the help desk or IT team. In combination with Dynamic Access Control, Access Denied Assistance can inform the file administrator of user and resource claims, enabling the administrator to make educated decisions about how to adjust policies or fix user attributes (for example, if the department is listed as HR instead of Human Resources).

When planning for Access Denied Assistance, you should include the following:

Define messages that users will see when they try to access resources for which they do not have access rights. The message should be informal and easy to understand.

Create the email text that users use to request access. If you allow users to request access to resources, you can prepare text that is added to their email messages.

Determine the recipients fo or the Access Request R email messages. You u can choose t to send email t to folder owners s, file server ad dministrators, or o any other sp pecified recipi ent. Messages s should alway ys be tool or monito directed to th he proper pers son. If you have a help desk t oring solution that allows em mail messages, you can also dire ect those mess sages to gener rate user reque ests in your he elp desk solutio on automatically y. Decide on the e target opera ating systems. Access A Denied d Assistance on nly works with Windows 8 o or Windows Serv ver 2012.

Lesson 3

Deploying Dynamic Access Control

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the prerequisites for implementing Dynamic Access Control.
• Enable support in AD DS for Dynamic Access Control.
• Implement claims and resource property objects.
• Implement central access rules and policies.
• Implement file access auditing.
• Implement Access Denied Assistance.
• Implement file classifications.
• Implement Dynamic Access Control.

To deploy Dynamic Access Control, you must perform several steps and configure several objects. In this lesson, you will learn about implementing and configuring Dynamic Access Control.

Prerequisites for Implementing Dynamic Access Control

Before implementing Dynamic Access Control, you must ensure that your servers meet certain prerequisites. Claims-based authorization requires the following infrastructure:

• Windows Server 2012 must be installed on the file server that will host the resources that Dynamic Access Control will be protecting. The file server that will host the share must be a Windows Server 2012 file server so that it can read claims and device authorization data from a Kerberos v5 ticket, translate those SIDs and claims from the ticket into an authentication token, and then compare the authorization data in the token against conditional expressions in the security descriptor.

• At least one Windows Server 2012 domain controller must be accessible by the Windows client computer in the user's domain. The new authorization and auditing mechanism requires extensions to AD DS. These extensions build the Windows claim dictionary, which is where Windows operating systems store claims for an Active Directory forest. Claims authorization also relies on the Kerberos Key Distribution Center (KDC). The Windows Server 2012 KDC contains the Kerberos enhancements that are required to transport claims within a Kerberos ticket and compound identity. The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring. Kerberos armoring is an implementation of Flexible Authentication Secure Tunneling. It provides a protected channel between the Kerberos client and the KDC.

• Windows Server 2012 domain controllers must be in each domain if you are using claims across a forest trust.

• You must have a Windows 8 client if you are using device claims. Older Windows operating systems do not support device claims.

Although a Windows Server 2012 domain controller is required, there is no requirement for having a Windows Server 2012 domain and forest functional level, unless you want to use claims across a forest trust. This means that you can also have domain controllers on Windows Server 2008 and Windows Server 2008 R2 with the forest functional level located on Windows Server 2008.

Note: Implementing Dynamic Access Control in an environment with multiple forests has additional setup requirements.

Enabling Support in AD DS for Dynamic Access Control

After fulfilling the software requirements for enabling Dynamic Access Control support, you must enable claim support for the Windows Server 2012 KDC. Kerberos support for Dynamic Access Control provides a mechanism for including user claim and device authorization information in a Windows authentication token. Access checks performed on resources (such as files or folders) use this authorization information to verify identity.

You should first use Group Policy to enable AD DS for Dynamic Access Control. Because this setting is specific to domain controllers, you can create a new Group Policy Object (GPO) and then link the setting to the Domain Controllers organizational unit (OU), or you can edit the Default Domain Controllers GPO that is already linked to that OU. Whichever method you choose, you should open the Group Policy Object Editor, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then expand KDC. In this node, open a setting called Support Dynamic Access Control and Kerberos armoring. To configure the Support Dynamic Access Control and Kerberos armoring policy setting, choose one of the four listed options:

• Do not support Dynamic Access Control and Kerberos armoring
• Support Dynamic Access Control and Kerberos armoring
• Always provide claims and FAST RFC behavior
• Also fail unarmored authentication requests

Claims and Kerberos armoring support are disabled by default, which is equivalent to this policy setting not being configured, or being configured as Do not support Dynamic Access Control and Kerberos armoring.

The Support Dynamic Access Control and Kerberos armoring policy setting configures Dynamic Access Control and Kerberos armoring in a mixed-mode environment, when there is a mixture of Windows Server 2012 domain controllers and domain controllers running earlier versions of Windows Server. You use the remaining policy settings when all the domain controllers are Windows Server 2012 domain controllers and the domain functional level is configured to Windows Server 2012. The Always provide claims and FAST RFC behavior policy setting and the Also fail unarmored authentication requests policy setting enable Dynamic Access Control and Kerberos armoring for the domain. However, the latter policy setting requires all Kerberos authentication service and ticket-granting service (TGS) communication to use Kerberos armoring. Windows Server 2012 domain controllers read this configuration while other domain controllers ignore this setting.
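The same KDC policy setting can be applied and verified from Windows PowerShell instead of the Group Policy Object Editor. The following is an added example, not part of the course material: it writes the policy into the Default Domain Controllers GPO with the GroupPolicy module and reads it back. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and that the policy is stored as the registry values EnableCbacAndArmor and CbacAndArmorLevel under the Kdc\Parameters policy key (the names used by the KDC administrative template; confirm them against the template on your own domain controller before relying on them).

```powershell
# Added example (not from the course): enable the KDC claims / Kerberos armoring policy
# on the Domain Controllers OU via the GroupPolicy module, then verify what was written.
# Assumption: the policy is backed by EnableCbacAndArmor / CbacAndArmorLevel under the
# Kdc\Parameters policy key. Verify against KDC.admx on your DC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Default Domain Controllers Policy'
$kdcKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'

# Option levels as listed in the lesson (assumed mapping, verify on your DC):
#   1 = Support DAC and Kerberos armoring (mixed-mode safe)
#   2 = Always provide claims and FAST RFC behavior
#   3 = Also fail unarmored authentication requests
# Stay at 1 until every domain controller runs Windows Server 2012; levels 2 and 3
# are only read correctly when the whole domain is Windows Server 2012.
$level = 1

Set-GPRegistryValue -Name $gpoName -Key $kdcKey -ValueName 'EnableCbacAndArmor' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $kdcKey -ValueName 'CbacAndArmorLevel' `
    -Type DWord -Value $level | Out-Null

# Verification: read the values back from the GPO so the change can be reviewed.
Get-GPRegistryValue -Name $gpoName -Key $kdcKey |
    Select-Object ValueName, Value |
    Format-Table -AutoSize

# Before moving to level 3 (reject unarmored requests), confirm that no earlier
# domain controllers remain; older DCs ignore the setting and older clients cannot armor.
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem |
    Format-Table -AutoSize
```

Run `gpupdate /force` on the domain controllers afterwards, as the lab steps do, so the KDC picks up the new level.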

Implementing Claims and Resource Property Objects

After you enable support for Dynamic Access Control in AD DS, you must next create and configure claims and resource property objects.

Creating and Configuring Claim Types

To create and configure claims, you primarily use the Active Directory Administrative Center. You use the Active Directory Administrative Center to create attribute-based claims, which are the most common type of claim. However, you can also use the Active Directory module for Windows PowerShell to create certificate-based claims. All claims are stored within the configuration partition in AD DS. Because this is a forest-wide partition, all domains within the forest share the claim dictionary, and domain controllers from the domains issue claim information during user and computer authentication.

To create attribute-based claims in Active Directory Administrative Center, navigate to the Dynamic Access Control node, and then open the Claim Types container. By default, no claim types are defined here. In the Actions pane, you can click Create Claim Type to view the list of attributes. These attributes are used to source values for claims. When you create a claim, you associate the claim with the specific attribute. The value of that attribute is populated as a claim value. Therefore, it is crucial that the information contained within the Active Directory attributes that are used to source claim types contain accurate information, or remain blank.

When you select the attribute that you want to use to create a claim, you also must provide a name for the claim. The suggested name for the claim is always the same as the selected attribute name. However, you can also provide an alternate or more meaningful name for the claim. Optionally, you can also provide suggested values for a claim. This is not mandatory, but doing this can reduce the possibility of making mistakes.

Note: Claim types are sourced from AD DS attributes. For this reason, you must configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer. Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute for the authenticating principal is empty. Depending on the configuration of the data file's Resource Property Object attributes, a null value in a claim may result in the user being denied access to Dynamic Access Control-protected data.

Creating and Configuring Resource Properties

Although resource properties are at the core of Dynamic Access Control, you should implement them after you have defined user and device claims. Remember that if a claim does not match the specified resource property value, then access to the data might not be allowed. Therefore, reversing the order of implementation would risk inadvertently blocking users from data that they otherwise should be able to access.

When you use claims to control access to files and folders, you must also provide additional information for those resources. You do this by configuring the resource property objects. You manage resource properties in the Resource Properties container, which is located in the Dynamic Access Control node in the Active Directory Administrative Center. You can create your own resource properties, or you can use one of the preconfigured properties, such as Project, Department, and Folder Usage. All predefined resource property objects are disabled by default. If you want to use any of them, you should first enable them. If you want to create your own resource property object, you can specify the property type, and the allowed or suggested values. When you create resource property objects, you can select properties to include in the files and folders. When evaluating file authorization and auditing, the Windows operating system uses the values in these properties along with the values from user and device claims.

After you have configured user and device claims and resource properties, you must then protect the files and folders by using conditional expressions that evaluate user and device claims against constant values, or values within resource properties. You can do this in any of the following three ways:

• If you want to include only specific folders, you can use the Advanced Security Settings Editor to create conditional expressions directly in the security descriptor.

• To include several (or all) file servers, you can create central access policy rules, and then link those rules to the Central Policy objects. You can then use Group Policy to deploy the Central Policy objects to file servers, and then configure the share to use the Central Policy object. Using central access policies is the most efficient and preferred method for securing files and folders. This is discussed further in the next topic.

• You can use file classifications to include certain files with a common set of properties across various folders or files.

You can use claims and resource property objects together in conditional expressions. Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions simply add another applicable layer to the permission entry. The results of all conditional expressions must evaluate to True for Windows to grant the permission entry for authorization. For example, suppose that you define a claim called Department for a user (with a source attribute department), and that you define a resource property object called Dept. You can now define a conditional expression that says that the user can access a folder (with the applied resource property objects) only if the user attribute Department value is equal to the value of property Dept on the folder. Note that if the Dept resource property object has not been applied to the file(s) in question, or if Dept is a null value, then the user will be granted access to the data.

Note: Access is controlled not by the claim, but by the resource property object. The claim must provide the correct value corresponding to the requirements set by the resource property object. If the resource property object does not involve a particular attribute, then additional or extra claim attributes associated with the user or device are ignored.

Implementing Central Access Rules and Policies

Central access policies enable you to manage and deploy consistent authorization throughout the organization by using central access rules and Central Access Policy objects. Central access policies act as security nets that an organization applies across its servers. You use Group Policy to deploy the policies, and you apply the policies to all Windows Server 2012 file servers that will use Dynamic Access Control. A central access policy enables you to deploy a consistent configuration to several file servers.

The main component of a central access policy is the central access rule. Central Access Policy objects represent a collection of central access rules. Before you create a central access policy, you should create a central access rule, because policies are comprised of rules. A central access rule contains multiple criteria that the Windows operating system uses when evaluating access. For example, a central access rule can use conditional expressions to target specific files and folders. Each central access rule has multiple permission entry lists that you use to manage the rule's current or proposed permission entries. You can also return the rule's current permission entry list to its last known list of permission entries. Each central access rule can be a member of one or more Central Access Policy objects.

Configuring Central Access Rules

You typically create and configure central access rules in the Active Directory Administrative Center. However, you can also use Windows PowerShell to perform the same task. To create a new central access rule, do the following:

1. Provide a name and description for the rule. You should also choose to protect the rule against accidental deletion.

2. Configure the target resources. Use the Target Resources section to create a scope for the access rule. You create the scope by using resource properties within one or more conditional expressions. To simplify the process, you can keep the default value (All resources) and apply resource filtering. You can join the conditional expressions by using logical operators, such as AND and OR. Additionally, you can group conditional expressions together to combine the results of two or more joined conditional expressions. The Target Resources section displays the currently configured conditional expression that is being used to control the rule's applicability.

3. Configure permissions with either of the following options:

   o Use following permissions as proposed permissions. Use this option to add the permissions entries in the permissions list to the list of proposed permissions entries for the newly created central access rule. You can combine the proposed permissions list with file system auditing to model the effective access that users have to the resource, without having to change the permissions entries in the current permissions list. Proposed permissions generate a special audit event to the event log that describes the proposed effective access for the users.

   Note: Proposed permissions do not apply to resources; they exist for simulation purposes only.

   o Use following permissions as current permissions. Use this option to add the permissions entries in the permissions list to the list of the current permissions entries for the newly created central access rule. The current permissions list represents the additional permissions that the Windows operating system considers when you deploy the central access rule to a file server. Central access rules do not replace the existing security. When making authorization decisions, Windows evaluates permission entries from the central access rule's current permissions list, NTFS, and share permissions lists.
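The Department/Dept conditional expression described in the previous topic and the central access rule procedure above can both be scripted with the Active Directory module for Windows PowerShell. The following is an added example, not code from the course: it creates the Department claim type, the Dept resource property, a central access rule whose current permissions grant access only when the user's Department claim equals the folder's Dept value, and a central access policy that carries the rule. The rule and policy names, the sample values Finance and Human Resources, the resource property ID Dept_MS, the claim ID ad://ext/Department and the SDDL conditional ACE are constructed for this example; check the SDDL form against a rule created in the Active Directory Administrative Center before deploying it.

```powershell
# Added example (not from the course): claim type, resource property, central access
# rule and central access policy via the ActiveDirectory module.
# All names, IDs and sample values below are constructed for this example.
Import-Module ActiveDirectory

# 1. Attribute-based user claim sourced from the 'department' attribute. Suggested
#    values reduce the "HR" versus "Human Resources" typo problem the lesson mentions.
$suggested = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance department'),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Human Resources', 'Human Resources', 'HR department')
)
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -SuggestedValues $suggested

# 2. Secured resource property 'Dept' sharing the claim's value list, published in the
#    Global Resource Property List so file servers download it.
New-ADResourceProperty -DisplayName 'Dept' -ID 'Dept_MS' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith 'Department'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Dept'

# 3. Central access rule. Target only resources that carry a Dept value (step 2 of the
#    procedure); the empty-Dept case then falls outside the rule instead of matching it.
$resourceCondition = '(@RESOURCE.Dept_MS == "Finance") || (@RESOURCE.Dept_MS == "Human Resources")'

# Current permissions (step 3): Modify (0x1301bf) for Authenticated Users only when the
# user's Department claim equals the folder's Dept property. Owner, Administrators and
# SYSTEM keep full control so a wrong claim value cannot lock everyone out.
# The conditional ACE form is an assumption for this example; verify it in ADAC.
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
              '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == @RESOURCE.Dept_MS))'

New-ADCentralAccessRule -Name 'Department Documents Rule' `
    -Description 'Users may modify departmental folders only for their own department' `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl `
    -ProtectedFromAccidentalDeletion $true

# To stage a change first, pass the same SDDL to -ProposedAcl instead of -CurrentAcl;
# mismatches between current and proposed results are then audited rather than enforced.

# 4. Central access policy that carries the rule; deploy it to file servers with Group
#    Policy afterwards and select it on the share's Central Policy tab.
New-ADCentralAccessPolicy -Name 'Department Documents Policy'
Add-ADCentralAccessPolicyMember -Identity 'Department Documents Policy' -Members 'Department Documents Rule'

# Review what was created.
Get-ADCentralAccessRule -Identity 'Department Documents Rule' |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
```

Note that the rule's current permissions are evaluated together with NTFS and share permissions, so a user who fails the Department condition is not granted access by the rule even if NTFS would allow it, and a user who passes it still needs NTFS and share permissions.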

Implementing File Access Auditing

The Global Object Access Auditing feature in Windows 8 and Windows Server 2012 enables you to configure object access auditing for every file and folder in a computer's file system. You use this feature to centrally manage and configure Windows operating systems to monitor every file and folder on the computer. To enable object access auditing in previous versions of Windows Server, you had to configure this option in basic audit policies (in GPOs), and turn on auditing for a specific security principal in the object's SACL. Sometimes this approach did not easily reconcile with company policies, such as "Log all administrative write activity on servers containing financial information", because you can turn on object access audit logging at the object level, but not at the server level. The new audit category in Windows Server 2008 R2 and Windows Server 2012 enables administrators to manage object access auditing using a much wider scope.

Dynamic Access Control enables you to create targeted audit policies using resource properties, and expressions based on user and computer claims. For example, you could create an audit policy to track all Read and Write operations on High Confidential files performed by employees who do not have a High Security Clearance attribute populated with the appropriate value. You can author expression-based audit policies directly on a file or folder, or centrally via Group Policy using Global Object Access Auditing. By using this approach, you do not prevent unauthorized access; instead, you register attempts to access the content by unauthorized people.

You configure Global Object Access Auditing when you enable object access auditing and global object access auditing. Enabling this feature turns on auditing for the computer that applies the policy setting. However, enabling auditing alone does not always generate auditing events. The resource, in this instance files and folders, must contain audit entries.

You should configure Global Object Access Auditing for your enterprise by using the security policy of a domain-based GPO. The two security policy settings that are required to enable global object access auditing are located in the following locations:

• Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access\Audit File System

• Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policy\Global Object Access Auditing\File System

Global Object Access Auditing includes a subcategory for file system and registry.

Note: If both a file or folder SACL and a Global Object Access Auditing policy (or a single registry setting SACL and a Global Object Access Auditing policy) are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.
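The two settings listed above correspond, on a single server, to the File System audit subcategory and a global resource SACL, both of which auditpol.exe can set and display. The following is an added example, not part of the course: it enables both on the local computer, reads the global SACL back, and then parses the resulting object access events (4656 for refused handle requests, 4663 for rights actually exercised) so that denied attempts can be reviewed. The Everyone principal and the write/append access scope are constructed choices for this example; in production the GPO paths above are the right place to set them.

```powershell
# Added example (not from the course): enable file system object access auditing plus a
# Global Object Access Auditing SACL on this computer, then review the events it produces.
# Run from an elevated prompt. Principal and access scope are constructed for the example.

# 1. Subcategory: without this, no file system audit events are written at all.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Global SACL: every file on the computer, merged with any per-object SACL as the
#    note above describes. FW = write data / append data.
auditpol.exe /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW

# Read the global SACL back so the change is reviewable.
auditpol.exe /resourceSACL /view /type:File

# 3. Detection side: object access events from the last N minutes. 4656 (handle
#    requested) carries the refused attempts; 4663 records rights that were exercised.
function Get-FileAccessAuditEvents {
    param(
        [int]$Minutes = 60,
        [switch]$FailuresOnly
    )
    $filter = @{
        LogName   = 'Security'
        Id        = @(4656, 4663)
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { -not $FailuresOnly -or ($_.KeywordsDisplayNames -contains 'Audit Failure') } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Outcome    = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask
                Process    = $d.ProcessName
            }
        }
}

# Denied attempts in the last hour, most recent first.
Get-FileAccessAuditEvents -Minutes 60 -FailuresOnly |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Because the global SACL applies to every file, the event volume can be large; scope the access mask narrowly (writes rather than reads, for example) and forward the Security log to a collector rather than reading it on the file server.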

Implementing Access Denied Assistance

One of the most common errors that users receive when they try to access a file or folder on a remote file server is an access denied error. Typically, this error occurs when a user tries to access a resource without having proper permissions to do so, or because of incorrectly configured permissions or resource ACLs. Using Dynamic Access Control can create further complications. For example, users with permissions will not be granted access if a relevant attribute in their account is misspelled. When users receive this error, they usually try to contact the administrator to obtain access. However, administrators usually do not approve access to resources, so they redirect the users to someone else for approval.

In Windows Server 2012, there is a new feature to help both users and administrators in such situations. This feature is called Access Denied Assistance. It helps users respond to access denied issues without involving IT staff. It does this by providing information about the problem and directing users to the proper person.

Access Denied Remediation

The Access Denied Assistance feature provides three ways for troubleshooting issues with access denied errors:

• Self-remediation. Administrators can create customized access denied messages that are authored by the server administrator. By using the information in these messages, users can try to self-remediate access denied cases. The message can also include URLs that direct users to self-remediation websites that are provided by the organization. For example, the URL might direct the user to change the password to an application, or to download a refreshed copy of the client-side software.

• Remediation by the data owner. Administrators can define owners for shared folders. This enables users to send email messages to the data owners to request access. For example, if a user is accidentally left off a security group membership, or the user's department attribute is misspelled, the data owner might be able to add the user to the group. If the data owner does not know how to grant access to the user, the data owner can forward this information to the appropriate IT administrator. This is helpful because the number of user support requests escalated to the support desk should be limited to specialized cases, or cases that are difficult to resolve.

• Remediation by the help desk and file server administrators. If users cannot self-remediate issues and data owners cannot resolve the issue either, then administrators can troubleshoot issues by accessing a user interface to view the effective permissions for the user. Examples of when an administrator should be involved are cases where claims attributes or resource object attributes are defined incorrectly or contain incorrect information, or when the data itself seems to be corrupted.

You use Group Policy to enable the Access Denied Assistance feature. Open the Group Policy Object Editor and navigate to Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance. In the Access-Denied Assistance node, you can enable Access Denied Assistance, and you can also provide customized messages for users. Alternatively, you can also use the File Server Resource Manager console to enable Access Denied Assistance. However, if this feature is enabled in Group Policy, the appropriate settings in the File Server Resource Manager console are disabled for configuration.
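The File Server Resource Manager route can also be taken from PowerShell. The following is an added example, not part of the course: it enables Access Denied Assistance on one file server with the FileServerResourceManager module, sets the user-facing message, and turns on access requests that go to the folder owner with the file administrators in copy. The message text, the SMTP server name and the fileadmins@adatum.com address are constructed values; as the paragraph above states, these console-level settings are greyed out when Group Policy configures the feature.

```powershell
# Added example (not from the course): Access Denied Assistance on a single file server
# via the FileServerResourceManager module. Message, SMTP host and addresses are
# constructed for this example.
Import-Module FileServerResourceManager

# Access requests are sent by email, so FSRM needs an SMTP server and sender first.
Set-FsrmSetting -SmtpServer 'smtp.adatum.com' -FromEmailAddress 'fsrm@adatum.com' `
    -AdminEmailAddress 'fileadmins@adatum.com'

# Keep the message informal and action-oriented, as the planning topic recommends.
$message = 'You do not have access to this folder. If you need it for your work, ' +
           'click Request assistance and the folder owner will review your request.'

Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage $message `
    -AllowRequests $true `
    -EmailRequestEnabled $true `
    -MailToOwner $true `
    -MailCCAdmin $true `
    -MailTo 'fileadmins@adatum.com' `
    -IncludeUserClaims $true `
    -IncludeDeviceClaims $true

# Verify the effective settings (also shows whether Group Policy is overriding them).
Get-FsrmAdrSetting -Event AccessDenied
```

Including the user and device claims in the request email is what lets the data owner or administrator spot a misspelled department attribute without opening the user object themselves.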

Implementing File Classifications

To implement Dynamic Access Control effectively, you must have well-defined claims and resource properties. Although claims are defined by attributes for a user or a device, resource properties are most often manually created and defined. File classifications enable administrators to define automatic procedures for defining a desired property on the file, based on conditions specified in a classification rule. For example, you can set the Confidentiality property to High on all documents whose content contains the word secret. You could then use this property in Dynamic Access Control to specify that only employees with their employeeType attributes set to Manager can access those documents.

In Windows Server 2008 R2 and Windows Server 2012, classification management and file management tasks enable administrators to manage groups of files based on various file and folder attributes. With these tasks, you can automate file and folder maintenance tasks, such as cleaning up stale data or protecting sensitive information.

Classification management is designed to ease the burden and management of data that is spread out in the organization. You can classify files in a variety of ways. In most scenarios, you classify files manually. The file classification infrastructure in Windows Server 2008 R2 enables organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification, and then apply corporate requirements for managing data based on a business value. You can use file classification to perform the following actions:

• Define classification properties and values, which you can assign to files by running classification rules.

• Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory based on installed classification plug-ins.

• When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values. You can also use this to declassify files that are no longer in the classification criteria.
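The Confidentiality example above can be expressed as a content classification rule with the FileServerResourceManager module. The following is an added example, not part of the course: it refreshes the resource property definitions from AD DS, creates a rule that sets Confidentiality to High on files under a namespace whose content contains the word secret, and runs classification immediately. The namespace D:\Research, the rule name and the use of the AD DS-sourced property ID Confidentiality_MS are assumptions for this example.

```powershell
# Added example (not from the course): content-based classification rule that tags
# files containing "secret" with Confidentiality = High, then an immediate run.
# D:\Research, the rule name and the property ID Confidentiality_MS are assumptions.
Import-Module FileServerResourceManager

# Download the resource property definitions published in AD DS so the local FSRM
# knows Confidentiality and its allowed values.
Update-FsrmClassificationPropertyDefinition

$ruleName = 'Tag secret documents as High confidentiality'

# ReevaluateProperty Overwrite re-checks already classified files on each run and
# replaces the value, which is what keeps the tag accurate after a document is edited.
New-FsrmClassificationRule -Name $ruleName `
    -Namespace @('D:\Research') `
    -Property 'Confidentiality_MS' `
    -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('secret') `
    -ReevaluateProperty Overwrite

# Run classification now rather than waiting for the scheduled run, then show status.
Start-FsrmClassification
Get-FsrmClassification

# Confirm the rule as stored.
Get-FsrmClassificationRule -Name $ruleName |
    Select-Object Name, Namespace, Property, PropertyValue, ClassificationMechanism, ContentString
```

A central access rule that targets `@RESOURCE.Confidentiality_MS == "High"` and grants access only when the user's employeeType claim equals Manager then completes the scenario the lesson describes; the classification rule is what keeps the resource property populated as new documents arrive.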

Implementing Central Access Policy Changes

After you implement Dynamic Access Control, you might have to make some changes. For example, you might have to update conditional expressions, or you might want to change claims. You must carefully plan any change to Dynamic Access Control components. Changing a central access policy can drastically affect access. For example, a change could potentially grant more access than desired, or it could restrict a policy too much, resulting in an excessive number of help desk calls. As a best practice, you should test changes before implementing a central access policy update.

For this purpose, Windows Server 2012 introduces the concept of staging. Staging enables users to verify their proposed policy updates before enforcing them. To use staging, you deploy the proposed policies along with the enforced policies, but you do not actually grant or deny permissions. Instead, the Windows operating system logs an audit event (4818) any time the result of the access check that is using the staged policy differs from the result of an access check that is using the enforced policy.
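Staging is only useful if someone reads the 4818 events it produces. The following is an added example, not part of the course: it collects the 4818 events from a file server's Security log over a review window and summarises which users and objects would see a different result under the proposed policy, so the change can be judged before it is made current. It assumes the events carry the standard object access fields SubjectUserName, SubjectDomainName and ObjectName; confirm the field names against a real 4818 on your server, since the remaining fields are not parsed here.

```powershell
# Added example (not from the course): summarise staged-policy mismatches (event 4818)
# so a proposed central access policy can be reviewed before it is enforced.
# Assumes the standard object access fields; verify against a real 4818 event.
function Get-StagedPolicyMismatches {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4818
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Message = $e.Message   # full text names the current and proposed results
        }
    }
}

$mismatches = Get-StagedPolicyMismatches -Days 7

# Who would be affected, and how often: a long tail of distinct users usually means the
# proposed condition is too tight; a handful of objects usually means mis-tagged data.
$mismatches | Group-Object User   | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$mismatches | Group-Object Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Zero mismatches over the review window is the signal that the proposed ACL can be
# promoted to the rule's current ACL.
"Mismatches in the last 7 days: $($mismatches.Count)"
```

Because 4818 is written only when the two access checks disagree, an empty result over a period of normal use is meaningful evidence; an empty result after five minutes is not.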

Lab: Implementing Dynamic Access Control


Scenario

The Research team at A. Datum Corporation is involved in confidential work that provides a great deal of value to the business. Additionally, other groups at A. Datum, such as the Executive department, frequently store files containing business-critical information on the company file servers. The security department in the organization wants to ensure that these confidential files are only accessible to properly authorized personnel, and that all access to these files is audited.

As one of the senior network administrators at A. Datum, you are responsible for addressing these security requirements by implementing Dynamic Access Control on the file servers. You will work closely with the business groups and the security department to identify which files need to be secured, and who should have access to these files. You will then implement Dynamic Access Control based on the company requirements.

Objectives

• Plan the Dynamic Access Control implementation.
• Configure user and device claims.
• Configure resource property definitions.
• Configure central access rules and central access policies.
• Validate and remediate Dynamic Access Control.
• Implement new resource policies.

Lab Setup

Virtual Machine(s)    20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-CL1, 20412A-LON-CL2
User Name             Adatum\Administrator
Password              Pa$$w0rd

Estimated time: 90 minutes

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1.
6. Do not start 20412A-LON-CL1 and 20412A-LON-CL2 until directed to do so.

Exercise 1: Planning the Dynamic Access Control Implementation


Scenario

A. Datum Corporation must ensure that documents used by the Research team and the Executive department are secured. Most of the files used by these departments are currently stored in shared folders dedicated to these departments, but confidential documents sometimes appear in other shared folders. Only members of the Research team should be able to access Research team folders, and only Executive department managers should be able to access highly confidential documents.

The security department is also concerned that managers are accessing files using their home computers, which may not be highly secure. Therefore, you must create a plan for securing the documents regardless of where they are located, and ensure that the documents can only be accessed from authorized computers. Authorized computers for managers are members of the security group ManagersWKS.

The support department reports that a high number of calls are generated by users who cannot access resources. You must implement a feature that helps users understand error messages better, and that will enable them to request access automatically.

The main tasks for this exercise are as follows:
1. Plan the Dynamic Access Control deployment.
2. Prepare AD DS to support Dynamic Access Control.

Task 1: Plan the Dynamic Access Control deployment


Based on the scenario, describe how you will design Dynamic Access Control to fulfill the requirements for access control.

Task 2: Prepare AD DS to support Dynamic Access Control


1. On LON-DC1, in Server Manager, open Active Directory Users and Computers.
2. Create a new OU named Test.
3. Move the LON-CL1, LON-CL2, and LON-SVR1 computer objects into the Test OU.
4. On LON-DC1, from Server Manager, open the Group Policy Management Console.
5. Remove the Block Inheritance setting that is applied to the Managers OU. (That setting is used in a later module in the course; while it is in place, domain-linked GPOs do not reach the Managers OU.)
6. Edit the Default Domain Controllers Policy GPO.
7. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click KDC.
8. Enable the KDC support for claims, compound authentication and Kerberos armoring policy setting.
9. In the Options section, click Supported.
10. On LON-DC1, refresh Group Policy.
11. Open Active Directory Users and Computers, and in the Users container, create a security group named ManagersWKS.
12. Add LON-CL1 to the ManagersWKS group.
13. Verify that the user Aidan Delaney is a member of the Managers department, and that Allie Bellew is a member of the Research department. The department name must be present in the Department attribute of each user account, because the user claim created later in this lab is sourced from that attribute.
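The same preparation as a script, added here as an example and not part of the course material. It runs on LON-DC1 as Adatum\Administrator with the ActiveDirectory and GroupPolicy modules. Object names come from the lab; the two registry values that the KDC claims/armoring policy writes (EnableCbacAndArmor and CbacAndArmorLevel under the KDC Parameters policy key) are an assumption to be checked against the KDC.admx template before relying on them.

```powershell
# Added example: scripted equivalent of Exercise 1, Task 2. Runs on LON-DC1 as
# Adatum\Administrator. The KDC registry values below are an assumption about
# what the ADMX policy writes; everything else is taken from the lab.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# Steps 1-3: create the Test OU and move the lab computers into it.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=Test)" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name "Test" -Path $domainDN
}
$testOU = "OU=Test,$domainDN"
foreach ($name in "LON-CL1", "LON-CL2", "LON-SVR1") {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $testOU
}

# Step 5: clear Block Inheritance on the Managers OU so domain-linked GPOs reach it.
$managersOU = Get-ADOrganizationalUnit -LDAPFilter "(ou=Managers)" -SearchBase $domainDN
Set-GPInheritance -Target $managersOU.DistinguishedName -IsBlocked No

# Steps 6-9: "KDC support for claims, compound authentication and Kerberos armoring" = Supported.
# Assumption: the policy is stored as these two DWORDs (1 = Supported).
$kdcKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters"
Set-GPRegistryValue -Name "Default Domain Controllers Policy" -Key $kdcKey `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1
Set-GPRegistryValue -Name "Default Domain Controllers Policy" -Key $kdcKey `
    -ValueName "CbacAndArmorLevel" -Type DWord -Value 1

# Step 10: apply it to this DC now rather than waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# Steps 11-12: the device group that the confidential-documents rule will test.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=ManagersWKS)")) {
    New-ADGroup -Name "ManagersWKS" -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDN"
}
Add-ADGroupMember -Identity "ManagersWKS" -Members (Get-ADComputer -Identity "LON-CL1")

# Step 13: the user claim is sourced from 'department', so an empty attribute
# means an empty claim and a silent deny later on.
foreach ($sam in "Aidan", "Allie") {
    $acct = Get-ADUser -Identity $sam -Properties Department
    "{0,-8} Department = '{1}'" -f $acct.SamAccountName, $acct.Department
}
```

If the last two lines print an empty department, set it with `Set-ADUser <name> -Department <value>` before continuing; nothing in the later exercises reports the missing attribute as an error.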

Results: After completing this exercise, you will have planned for Dynamic Access Control deployment, and you will have prepared AD DS for Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims


Scenario

The first step in implementing Dynamic Access Control is to configure the claims for the users and devices that access the files. In this exercise, you will review the default claims, and then create new claims based on the department and computer description attributes. For users, you will create a claim for the department attribute. For computers, you will create a claim for the description attribute.

The main tasks for this exercise are as follows:
1. Review the default claim types.
2. Configure claims for users.
3. Configure claims for devices.

Task 1: Review the default claim types


1. On LON-DC1, in Server Manager, open the Active Directory Administrative Center.
2. In the Active Directory Administrative Center, click the Dynamic Access Control node.
3. Open the Claim Types container, and verify that there are no default claims defined.
4. Open the Resource Properties container, and note that all properties are disabled by default.
5. Open the Resource Property Lists container, and then open the properties of the Global Resource Property List.
6. In the Resource Properties section, review the available resource properties, and then click Cancel.

Task 2: Configure claims for users


1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.
2. Open the Claim Types container, and create a new claim type for users and computers using the following settings:
   o Source Attribute: Department
   o Display name: Company Department

Task 3: Configure claims for devices


1. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim Type.
2. Create a new claim type for computers using the following settings:
   o Source Attribute: description
   o Display name: description
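The two claim types from this exercise created with the AD module, as an added example that is not part of the course. It runs on LON-DC1 as Adatum\Administrator. The claim IDs (ad://ext/CompanyDepartment, ad://ext/Description) are chosen here so that later rules can refer to a known value; the wizard instead generates an ID with a random suffix, so check Get-ADClaimType if you mix the two methods.

```powershell
# Added example: Exercise 2 in PowerShell. Assumes LON-DC1, Adatum\Administrator.
# The -ID values are our choice (the wizard picks ad://ext/<attribute>:<random>).
Import-Module ActiveDirectory

# User claim sourced from the 'department' attribute, shown as "Company Department".
if (-not (Get-ADClaimType -Filter 'DisplayName -eq "Company Department"')) {
    New-ADClaimType -DisplayName "Company Department" `
        -SourceAttribute "department" `
        -ID "ad://ext/CompanyDepartment" `
        -AppliesToClasses @("user", "computer") `
        -Enabled $true
}

# Device claim sourced from the computer 'description' attribute.
if (-not (Get-ADClaimType -Filter 'DisplayName -eq "description"')) {
    New-ADClaimType -DisplayName "description" `
        -SourceAttribute "description" `
        -ID "ad://ext/Description" `
        -AppliesToClasses @("computer") `
        -Enabled $true
}

# What the KDC will now be able to issue: the ID is the name used in
# conditional ACEs, the source attribute is where the value comes from.
Get-ADClaimType -Filter * |
    Select-Object DisplayName, ID, SourceAttribute, AppliesToClasses, Enabled |
    Format-Table -AutoSize
```

Claims only reach a token after the KDC policy from Exercise 1 is in effect and the user logs on again; on a Windows 8 client, `whoami /claims` shows which claims the current logon actually carries.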


Results: After completing this exercise, you will have reviewed the default claim types, configured claims for users, and configured claims for devices.

Exercise 3: Configuring Resource Property Definitions


Scenario

The second step in implementing Dynamic Access Control is to configure the resource property lists and resource property definitions. After you do this, you should create a new classification rule that classifies all files containing the word "secret". These files should be assigned a value of High for the Confidentiality attribute. You should also assign the Department property to the folder that belongs to the Research team.

The main tasks for this exercise are as follows:
1. Configure resource property definitions.
2. Classify files.
3. Assign properties to a folder.

Task 1: Configure resource property definitions


1. In the Active Directory Administrative Center, click Dynamic Access Control, and then open the Resource Properties container.
2. Enable the Department and Confidentiality resource properties.
3. Open Properties for Department.
4. Add Research as a suggested value.
5. Open the Global Resource Property List, ensure that Department and Confidentiality are included in the list, and then click Cancel.
6. Close the Active Directory Administrative Center.
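Task 1 with the AD module, added as an example that is not part of the course. It runs on LON-DC1 as Adatum\Administrator and assumes the built-in resource properties are addressed by their IDs Department_MS and Confidentiality_MS, and that the Global Resource Property List exposes its members as distinguished names; both are how the objects appear in the Active Directory Administrative Center.

```powershell
# Added example: Exercise 3, Task 1. Assumes LON-DC1 and the _MS resource
# property IDs that the built-in definitions use.
Import-Module ActiveDirectory

# Enable the two built-in resource properties (disabled by default).
foreach ($id in "Department_MS", "Confidentiality_MS") {
    Set-ADResourceProperty -Identity $id -Enabled $true
}

# Add "Research" as a suggested value for Department: value, display name, description.
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "Research", "Research", "Research team folders")
$existing = (Get-ADResourceProperty -Identity Department_MS).SuggestedValues
if (-not ($existing | Where-Object { $_.Value -eq "Research" })) {
    Set-ADResourceProperty -Identity Department_MS -SuggestedValues @{ Add = $research }
}

# File servers download the Global Resource Property List, so a property that
# is enabled but missing from the list never shows up in FSRM.
$globalList = Get-ADResourcePropertyList -Identity "Global Resource Property List"
foreach ($id in "Department_MS", "Confidentiality_MS") {
    $inList = [bool]($globalList.Members -match "^CN=$id,")
    "{0,-20} in Global Resource Property List: {1}" -f $id, $inList
    if (-not $inList) {
        Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $id
    }
}

# Final state: enabled properties and their suggested values.
Get-ADResourceProperty -Filter 'Enabled -eq $true' |
    Select-Object DisplayName, ID,
        @{ n = "SuggestedValues"; e = { ($_.SuggestedValues | ForEach-Object { $_.ValueDisplayName }) -join ", " } } |
    Format-Table -AutoSize
```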

Task 2: Classify files


1. On LON-SVR1, open File Server Resource Manager.
2. Refresh Classification Properties, and verify that the Confidentiality and Department properties are listed.
3. Create a classification rule with the following values:
   o Name: Set Confidentiality
   o Scope: C:\Docs
   o Classification method: Content Classifier
   o Property: Confidentiality
   o Value: High
   o Classification Parameters: String "secret"
   o Evaluation Type: Re-evaluate existing property values, and then click Overwrite the existing value
4. Run the classification rule.
5. Open a Windows Explorer window, browse to the C:\Docs folder, and then open the Properties window for the files Doc1.txt, Doc2.txt, and Doc3.txt.
6. Verify the values for Confidentiality. Doc1.txt and Doc2.txt should have Confidentiality set to High.

Task 3: Assign properties to a folder


1. On LON-SVR1, open Windows Explorer.
2. Browse to C:\Research, and open its properties.
3. On the Classification tab, set the Department value to Research.
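Tasks 2 and 3 from LON-SVR1 with the FileServerResourceManager module, added as an example that is not part of the course. Three things in it are assumptions rather than lab facts: the resource property names inside FSRM carry the _MS suffix (Confidentiality_MS, Department_MS); the Fsrm.FsrmClassificationManager COM object is used to read and set a single file's properties, because the module has no cmdlet for that; and Get-FsrmClassification reports Status "NotRunning" once a classification run has finished.

```powershell
# Added example: Exercise 3, Tasks 2 and 3 on LON-SVR1. Assumptions: _MS property
# names, the Fsrm.FsrmClassificationManager COM object, and the "NotRunning" status.
Import-Module FileServerResourceManager

# Pull the enabled AD resource properties into FSRM (what "Refresh" does in the GUI).
Update-FsrmClassificationPropertyDefinition
$conf = Get-FsrmClassificationPropertyDefinition -Name "Confidentiality_MS"
$dept = Get-FsrmClassificationPropertyDefinition -Name "Department_MS"
"FSRM now knows: $($conf.DisplayName), $($dept.DisplayName)"

# Ordered-list values are stored by name and shown by display name; resolve "High"
# to whatever the definition stores so the rule writes the value the policy expects.
$high = ($conf.PossibleValue |
         Where-Object { $_.DisplayName -eq "High" -or $_.Name -eq "High" } |
         Select-Object -First 1).Name

# Content rule: files under C:\Docs containing "secret" get Confidentiality = High,
# overwriting an existing value when the rule is re-evaluated.
if (-not (Get-FsrmClassificationRule -Name "Set Confidentiality" -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name "Set Confidentiality" `
        -Namespace @("C:\Docs") `
        -ClassificationMechanism "Content Classifier" `
        -ContentString @("secret") `
        -Property $conf.Name -PropertyValue $high `
        -ReevaluateProperty Overwrite
}

# Run classification now and wait for it to finish.
Start-FsrmClassification -Confirm:$false
do { Start-Sleep -Seconds 5 } while ((Get-FsrmClassification).Status -ne "NotRunning")

# Task 2, step 6: read back what each file was tagged with.
$cm = New-Object -ComObject Fsrm.FsrmClassificationManager
foreach ($f in "Doc1.txt", "Doc2.txt", "Doc3.txt") {
    $path = Join-Path "C:\Docs" $f
    try   { $value = $cm.GetFileProperty($path, $conf.Name, 0).Value }
    catch { $value = "(not set)" }
    "{0,-9} {1} = {2}" -f $f, $conf.Name, $value
}

# Task 3: tag the Research folder by hand with Department = Research.
$cm.SetFileProperty("C:\Research", $dept.Name, "Research")
"C:\Research {0} = {1}" -f $dept.Name, $cm.GetFileProperty("C:\Research", $dept.Name, 0).Value
```

Doc3.txt should print "(not set)": the content classifier only writes the property when the string matches, and a file that was never classified has no value rather than a Low value.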

Results: After completing this exercise, you will have configured resource properties for files, classified files, and assigned properties to a folder.

Exercise 4: Configuring Central Access Rules and Central Access Policies


Scenario
Now that you have configured your resource property definitions, you need to configure the central access rules and policies that will link the claims and property definitions.

The main tasks for this exercise are as follows:
1. Configure central access rules.
2. Create a central access policy.
3. Publish a central access policy by using Group Policy.
4. Apply the central access policy to resources.
5. Configure access denied remediation settings.

Task 1: Configure central access rules


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. Click Dynamic Access Control, and then open the Central Access Rules container.
3. Create a new central access rule with the following values:
   o Name: Department Match
   o Target Resource: use the condition Resource-Department-Equals-Value-Research
   o Permissions: remove Administrators, and then add Authenticated Users, Modify, with the condition User-Company Department-Equals-Resource-Department
4. Create another central access rule with the following values:
   o Name: Access Confidential Docs
   o Target Resource: use the condition Resource-Confidentiality-Equals-Value-High
   o Permissions: set the first condition to User-Group-Member of each-Value-Managers
   o Permissions: set the second condition to Device-Group-Member of each-Value-ManagersWKS

Task 2: Create a central access policy


1. On LON-DC1, in the Active Directory Administrative Center, create a new central access policy with the following values:
   o Name: Protect confidential docs
   o Rules included: Access Confidential Docs
2. Create another central access policy with the following values:
   o Name: Department Match
   o Rules included: Department Match
3. Close the Active Directory Administrative Center.

Task 3: Publish a central access policy by using Group Policy


1. On LON-DC1, from Server Manager, open the Group Policy Management Console.
2. Create a new GPO named DAC Policy, and in the Adatum.com domain, link it to the Test OU.
3. Edit the DAC Policy, browse to Computer Configuration\Policies\Windows Settings\Security Settings\File System, and then right-click Central Access Policy.
4. Click Manage Central Access Policies.
5. Click both Department Match and Protect confidential docs, click Add, and then click OK.
6. Close both the Group Policy Management Editor and the Group Policy Management Console.

Task 4: Apply the central access policy to resources


1. On LON-SVR1, start Windows PowerShell.
2. Refresh Group Policy on LON-SVR1.
3. Open Windows Explorer, and browse to the C:\Docs folder.
4. Apply the Protect confidential docs central access policy to the C:\Docs folder.
5. Browse to the C:\Research folder.
6. Apply the Department Match central access policy to the C:\Research folder.
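Tasks 1, 2 and 4 of this exercise as PowerShell, added as an example that is not part of the course. The rules are written as conditional ACEs in SDDL, which is what the Active Directory Administrative Center generates behind its condition editor. It runs on LON-DC1 as Adatum\Administrator and assumes: the user claim ID is ad://ext/CompanyDepartment (the wizard appends a random suffix, so check Get-ADClaimType); the resource property IDs are Department_MS and Confidentiality_MS; a central access policy is bound to a folder by a scoped-policy (SP) ACE in the folder's SACL carrying the policy's SID; and the DAC Policy GPO from Task 3 has already been created in GPMC, since that step has no Group Policy cmdlet and the file server must know the policy before the folder can be tagged with it.

```powershell
# Added example: Exercise 4, Tasks 1, 2 and 4. Assumptions: claim ID
# ad://ext/CompanyDepartment, _MS resource property IDs, SP ACE in the SACL,
# and the DAC Policy GPO (Task 3) already linked to the Test OU.
Import-Module ActiveDirectory

$userDept       = "ad://ext/CompanyDepartment"
$managersSid    = (Get-ADGroup -Identity "Managers").SID.Value
$managersWksSid = (Get-ADGroup -Identity "ManagersWKS").SID.Value
# Confidentiality's suggested values have a display name; the rule must use the stored value.
$high = ((Get-ADResourceProperty -Identity Confidentiality_MS).SuggestedValues |
         Where-Object { $_.ValueDisplayName -eq "High" -or $_.Value -eq "High" } |
         Select-Object -First 1).Value

# Task 1. XA = callback (conditional) allow ACE. Modify = FR FW FX SD (read/write/execute/delete).
$rules = @(
    @{  Name              = "Department Match"
        ResourceCondition = '(@RESOURCE.Department_MS == "Research")'
        CurrentAcl        = "O:SYG:SYD:AR(XA;;FRFWFXSD;;;AU;(@USER.$userDept == @RESOURCE.Department_MS))" },
    @{  Name              = "Access Confidential Docs"
        ResourceCondition = "(@RESOURCE.Confidentiality_MS == `"$high`")"
        CurrentAcl        = "O:SYG:SYD:AR(XA;;FA;;;AU;((Member_of {SID($managersSid)}) && (Device_Member_of {SID($managersWksSid)})))" }
)
foreach ($r in $rules) {
    if (-not (Get-ADCentralAccessRule -Filter "Name -eq '$($r.Name)'")) { New-ADCentralAccessRule @r }
}

# Task 2: one policy per rule.
$policies = @(
    @{ Policy = "Protect confidential docs"; Rule = "Access Confidential Docs" },
    @{ Policy = "Department Match";          Rule = "Department Match" }
)
foreach ($p in $policies) {
    if (-not (Get-ADCentralAccessPolicy -Filter "Name -eq '$($p.Policy)'")) { New-ADCentralAccessPolicy -Name $p.Policy }
    Add-ADCentralAccessPolicyMember -Identity $p.Policy -Members $p.Rule
}

# Task 4: bind each policy to its folder on LON-SVR1 via an SP ACE that names the policy SID.
$assign = @(
    @{ Path = "C:\Docs";     Sid = [string](Get-ADCentralAccessPolicy -Identity "Protect confidential docs").PolicyID },
    @{ Path = "C:\Research"; Sid = [string](Get-ADCentralAccessPolicy -Identity "Department Match").PolicyID }
)
Invoke-Command -ComputerName LON-SVR1 -ArgumentList (,$assign) -ScriptBlock {
    param($assign)
    gpupdate /target:computer /force | Out-Null        # fetch the policies published by the GPO
    foreach ($a in $assign) {
        $acl  = Get-Acl -Path $a.Path -Audit           # -Audit: include the SACL
        $sddl = $acl.GetSecurityDescriptorSddlForm("All")
        if ($sddl -notmatch [regex]::Escape($a.Sid)) {
            $ace  = "(SP;;;;;$($a.Sid))"
            $sddl = if ($sddl -match "S:") { $sddl + $ace } else { $sddl + "S:" + $ace }
            $acl.SetSecurityDescriptorSddlForm($sddl)
            Set-Acl -Path $a.Path -AclObject $acl
        }
        "{0,-12} SACL: {1}" -f $a.Path, (Get-Acl -Path $a.Path -Audit).GetSecurityDescriptorSddlForm("Audit")
    }
}
```

The Advanced Security Settings dialog's Central Policy tab on LON-SVR1 should now show the policy by name; if it shows only a SID, the GPO has not yet delivered that policy to the server.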

Task 5: Configure access denied remediation settings


1. On LON-DC1, open the Group Policy Management Console.
2. In the Group Policy Management Console, browse to Group Policy Objects.
3. Edit the DAC Policy.
4. Under the Computer Configuration node, browse to Policies\Administrative Templates\System, and then click Access-Denied Assistance.
5. In the right pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type: You are denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box, and then click OK.
9. Double-click Enable access-denied assistance on client for all file types, enable it, and then click OK.
10. Close both the Group Policy Management Editor and the Group Policy Management Console.
11. Switch to LON-SVR1, and refresh Group Policy.

Results: After completing this exercise, you will have configured central access rules and central access policies for Dynamic Access Control.


Exercise 5: Validating and Remediating Dynamic Access Control


Scenario

To ensure that the Dynamic Access Control settings are configured correctly, you need to test various access scenarios. You will test both approved users and devices, and unapproved users and devices. You will also validate the access remediation configuration.

The main task for this exercise is as follows:
1. Validate Dynamic Access Control functionality.

Task 1: Validate Dynamic Access Control functionality


1. Start LON-CL1, and then log on as Adatum\April with the password Pa$$w0rd.
2. Click the Desktop tile, and then open Windows Explorer.
3. Browse to \\LON-SVR1\Docs, and verify that you can only open Doc3.
4. Try to access \\LON-SVR1\Research. You should be unable to access it.
5. Log off LON-CL1.
6. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
7. Open Windows Explorer, and try to access \\LON-SVR1\Research. You should be able to access it and open the files in it.
8. Log off LON-CL1.
9. Log on to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
10. Open Windows Explorer, and try to access \\LON-SVR1\Docs. You should be able to open all files in this folder.
11. Log off LON-CL1.
12. Start LON-CL2, and then log on as Adatum\Aidan with the password Pa$$w0rd.
13. Open Windows Explorer, and try to access \\LON-SVR1\Docs. You should be unable to access Doc1 and Doc2: the same user is now on a computer that is not a member of ManagersWKS, so the device condition of the Access Confidential Docs rule is not met.
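The same checks as a script, added as an example that is not part of the course. It is meant to be run in the test user's own desktop session on LON-CL1 or LON-CL2 (as April, Allie or Aidan), not through a remote session: device claims and compound authentication are issued for the interactive logon, and a remote session would carry neither the device's identity nor its group membership. The file names and the expected outcomes are the lab's steps 3 to 13; the folder listing of \\LON-SVR1\Research is used as the "can access" test for that share, which is an assumption about what "access" means there.

```powershell
# Added example: Exercise 5 as a check list for the logged-on user. Run it in the
# user's own session on LON-CL1 / LON-CL2. Expected values come from the lab steps.
function Test-ReadAccess {
    param([string]$Path, [switch]$Directory)
    try {
        if ($Directory) { $null = [System.IO.Directory]::GetFiles($Path) }   # list the folder
        else            { $null = [System.IO.File]::ReadAllBytes($Path) }    # open the file for read
        "Readable"
    }
    catch [System.UnauthorizedAccessException] { "Denied" }
    catch { "Error: " + $_.Exception.GetType().Name }
}

$who    = "$env:USERNAME@$env:COMPUTERNAME"
$checks = @(
    @{ Name = "Doc1";     Path = "\\LON-SVR1\Docs\Doc1.txt" },
    @{ Name = "Doc2";     Path = "\\LON-SVR1\Docs\Doc2.txt" },
    @{ Name = "Doc3";     Path = "\\LON-SVR1\Docs\Doc3.txt" },
    @{ Name = "Research"; Path = "\\LON-SVR1\Research"; Directory = $true }
)
# What the lab says each logon should see; an entry that is missing is not judged.
$expected = @{
    "April@LON-CL1" = @{ Doc1 = "Denied";   Doc2 = "Denied";   Doc3 = "Readable"; Research = "Denied" }
    "Allie@LON-CL1" = @{ Research = "Readable" }
    "Aidan@LON-CL1" = @{ Doc1 = "Readable"; Doc2 = "Readable"; Doc3 = "Readable" }
    "Aidan@LON-CL2" = @{ Doc1 = "Denied";   Doc2 = "Denied";   Doc3 = "Readable" }
}

"Logon: $who"
# Claims actually present in this token. An empty list here means the KDC/client
# Kerberos policy is not in effect yet, and every conditional ACE will evaluate to false.
whoami /claims

foreach ($c in $checks) {
    $got  = Test-ReadAccess -Path $c.Path -Directory:([bool]$c.Directory)
    $want = if ($expected.ContainsKey($who)) { $expected[$who][$c.Name] } else { $null }
    $verdict = if (-not $want) { "" } elseif ($got -eq $want) { "OK" } else { "MISMATCH (expected $want)" }
    "{0,-9} {1,-10} {2}" -f $c.Name, $got, $verdict
}
```

A "Denied" on a document that the lab expects to be readable is almost always a claims problem rather than a rule problem: re-check `whoami /claims`, the device's membership in ManagersWKS, and that the client was rebooted after its Kerberos client policy changed.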

Results: After completing this exercise, you will have validated Dynamic Access Control functionality.

Exercise 6: Implementing New Resource Policies


Scenario
As a final step in implementing Dynamic Access Control, you will test the effect of implementing a new resource policy.

The main tasks for this exercise are as follows:
1. Configure staging for a central access policy.
2. Configure staging permissions.
3. Verify staging.
4. Use effective permissions to test Dynamic Access Control.

Task 1: Configure staging for a central access policy


1. On LON-DC1, open Group Policy Management.
2. Open the Group Policy Management Editor for DAC Policy.
3. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies, and then select Object Access.
4. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
5. Double-click Audit File System, select all three check boxes, and then click OK.
6. Close the Group Policy Management Editor and the Group Policy Management Console.

Task 2: Configure staging permissions


1. On LON-DC1, open the Active Directory Administrative Center, and then open the properties for the Department Match central access rule.
2. In the Proposed permissions section, configure the condition for Authenticated Users as follows: User-Company Department-Equals-Value-Marketing.

Task 3: Verify staging


1. Log on to LON-CL1 as Adatum\Adam with the password Pa$$w0rd.
2. In Windows Explorer, try to access \\LON-SVR1\Research, and the files within it.
3. Switch to LON-SVR1.
4. Open Event Viewer, open the Security log, and then look for events with Event ID 4818.
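Tasks 1 to 3 as commands, added as an example that is not part of the course. The first part runs on LON-DC1 and stages the proposed ACL; the second part runs on LON-SVR1 after Adam has touched the share. The claim ID ad://ext/CompanyDepartment is an assumption (check Get-ADClaimType); the event's field names are read from the event XML rather than guessed, so the function works whatever the exact names are.

```powershell
# Added example: Exercise 6, Tasks 1-3. Assumption: claim ID ad://ext/CompanyDepartment.

# --- LON-DC1: Task 2, stage a proposed ACL that grants Modify only to Marketing ---
Import-Module ActiveDirectory
$userDept = "ad://ext/CompanyDepartment"
Set-ADCentralAccessRule -Identity "Department Match" `
    -ProposedAcl "O:SYG:SYD:AR(XA;;FRFWFXSD;;;AU;(@USER.$userDept == `"Marketing`"))"
Get-ADCentralAccessRule -Identity "Department Match" |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl | Format-List

# --- LON-SVR1: Task 1 check (did the GPO enable the subcategories?), then Task 3 ---
gpupdate /target:computer /force | Out-Null
auditpol /get /subcategory:"Central Access Policy Staging"
auditpol /get /subcategory:"File System"

function Get-CapStagingEvents {
    # Event 4818: the proposed central access policy would grant different access than
    # the current one. Every EventData field is returned as a property.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4818; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $o   = [ordered]@{ Time = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

# After Adam has opened \\LON-SVR1\Research from LON-CL1:
$events = @(Get-CapStagingEvents)
"Staging events in the last hour: $($events.Count)"
$events | Select-Object -First 1 | Format-List *      #  who, which object, current vs proposed result
```

No 4818 at all means one of three things: the audit subcategory did not reach the server (the auditpol output shows it), the proposed ACL grants exactly what the current one does for that user, or the folder has no central access policy bound to it.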

Task 4: Use effective permissions to test Dynamic Access Control


1. On LON-SVR1, open the properties for the C:\Research folder.
2. Open the Advanced options for Security, and then click Effective Access.
3. Click Select a user.
4. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and then click OK.
5. Click View effective access.
6. Review the results. The user should not have access to this folder.
7. Click Include a user claim.
8. In the drop-down list, select Company Department.
9. In the Value text box, type Research.
10. Click View effective access. The user should now have access.
11. Close all open windows.

Results: After completing this exercise, you will have implemented new resource policies.

To prepare for the next module


1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.


Module Review and Takeaways


Question: What is a claim?

Question: What is the purpose of a central access policy?

Question: What is Access Denied Assistance?

Common Issues and Troubleshooting Tips


Common Issue                                             Troubleshooting Tip
Claims are not populated with the appropriate values.
A conditional expression does not allow access.

Best Practices
- Use central access policies instead of configuring conditional expressions on resources.
- Enable Access Denied Assistance settings.
- Always test changes that you have made to central access rules and central access policies before implementing them.
- Use file classifications to assign properties to files.

Tools
Tool                                     Use                                                                          Location
Active Directory Administrative Center   Administering and creating claims, resource properties, rules and policies   Administrative Tools
Group Policy Management Console          Managing Group Policy                                                        Administrative Tools
Group Policy Management Editor           Editing Group Policy Objects                                                 Group Policy Management Console


Module 4
Implementing Network Load Balancing
Contents:
Module Overview                             4-1
Lesson 1: Overview of NLB                   4-2
Lesson 2: Configuring an NLB Cluster        4-5
Lesson 3: Planning an NLB Implementation    4-10
Lab: Implementing Network Load Balancing    4-16
Module Review and Takeaways                 4-21

Module Overview

Network Load Balancing (NLB) is a Windows Server network component. NLB uses a distributed algorithm to balance IP traffic load across multiple hosts. It helps to improve the scalability and availability of business-critical, IP-based services. NLB also provides high availability, because it detects host failures and automatically redistributes traffic to surviving hosts. To deploy NLB effectively, you must understand its functionality and the scenarios where its deployment is appropriate.

The main change to NLB in Windows Server 2012 is the inclusion of a comprehensive set of Windows PowerShell cmdlets. These cmdlets enhance your ability to automate the management of Windows Server 2012 NLB clusters. The Network Load Balancing console, which is also available in Windows Server 2008 and Windows Server 2008 R2, is also present in Windows Server 2012.

This module introduces you to NLB, and shows you how to deploy this technology, the situations for which NLB is appropriate, how to configure and manage NLB clusters, and how to perform maintenance tasks on NLB clusters.

Objectives
After completing this module, you will be able to:
- Describe NLB.
- Explain how to configure an NLB cluster.
- Explain how to plan an NLB implementation.


Lesson 1

Overview of NLB

Before you deploy NLB, you need to have a firm understanding of the types of server workloads for which this high availability technology is appropriate. If you do not understand the functionality of NLB, it is possible that you will deploy it in a manner that does not accomplish your overall objectives. For example, you need to understand why NLB is appropriate for web applications, but not for Microsoft SQL Server databases.

This lesson provides an overview of NLB, and the features new to NLB in Windows Server 2012. It also describes how NLB works normally, and during server failure and server recovery.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe NLB technology.
- Describe how NLB works.
- Explain how NLB accommodates server failures and recovery.
- Describe new NLB features in Windows Server 2012.

What Is NLB?

NLB is a scalable, high availability feature that you can install on all editions of Windows Server 2012. A scalable technology is one where you can add additional components (in this case, additional cluster nodes) to meet increasing demand. A node in a Windows Server 2012 NLB cluster is a computer, either physical or virtual, that is running the Windows Server 2012 operating system.

Windows Server 2012 NLB clusters can have between two and 32 nodes. When you create an NLB cluster, it creates a virtual network address and a virtual network adapter. The virtual network adapter has an IP address and a media access control (MAC) address. Network traffic to this address is distributed across the nodes in the cluster. In a basic NLB configuration, each node in the cluster services an approximately equal share of the requests. NLB spreads new requests across the nodes according to their configured load weight, which is equal by default; by assigning different weights you can configure NLB to prefer some nodes over others.

NLB is failure-aware. This means that if one of the nodes in the NLB cluster goes offline, requests will no longer be forwarded to that node, but the other nodes in the cluster will continue to accept requests. When the failed node returns to service, incoming requests will be redirected to it until traffic is balanced across all nodes in the cluster.


How NLB Works

When you configure an application to use NLB, clients address the application using the NLB cluster address rather than the address of the nodes that participate in the NLB cluster. The NLB cluster address is a virtual address that is shared between the hosts in the NLB cluster. NLB directs traffic in the following manner: all hosts in the NLB cluster receive the incoming traffic, but only one node in the cluster, which is determined through the NLB process, will accept that traffic. All other nodes in the NLB cluster will drop the traffic.

Which node in the NLB cluster accepts the traffic depends on the configuration of port rules and affinity settings. Through these settings, you can determine whether traffic that uses a particular port and protocol will be accepted by a particular node, or whether any node in the cluster will be able to accept and respond.

NLB also keeps the load between nodes balanced. New traffic is directed to the nodes that currently carry the smaller share of it. For example, if you have a four-node cluster where three of the nodes are responding to requests from 10 clients each and one node is responding to requests from 5 clients, the node that has fewer clients will receive more of the incoming traffic until the load is more evenly balanced across the nodes.

How NLB Works with Server Failures and Recovery

NLB is able to detect the failure of cluster nodes. When a cluster node is in a failed state, it is removed from the cluster, and the cluster does not direct new traffic to the node. Failure is detected by using heartbeats. NLB cluster heartbeats are transmitted every second between the nodes in a cluster. A node is automatically removed from an NLB cluster if it misses five consecutive heartbeats. When a node is added to or removed from a cluster, a process known as convergence occurs. Convergence allows the cluster to determine its current configuration. Convergence can only occur if each node is configured with the same port rules.

Nodes can be configured to rejoin a cluster automatically by setting the Initial host state setting in the node's properties using the Network Load Balancing Manager. By default, a host that is a member of a cluster will attempt to rejoin that cluster automatically. For example, if you reboot a server that is a member of an NLB cluster after applying a software update, the server will rejoin the cluster automatically after the reboot process completes. Administrators can manually add or remove nodes from NLB clusters. When an administrator removes a node, they can choose to perform a Stop or a Drainstop action. The Stop action terminates all existing connections to the cluster node and stops the NLB service. The Drainstop action blocks all new connections without terminating existing sessions. Once all current sessions end, the NLB service is stopped.
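The Drainstop sequence for a maintenance window, added as an example that is not part of the course. It assumes the two-node LON-NLB cluster (LON-SVR1, LON-SVR2) that this module's demonstration builds, that Stop-NlbClusterNode's -Timeout is expressed in minutes, and that Get-NlbClusterNode exposes the node state as Converged, Draining or Stopped; the node-state polling is the part to adjust if those names differ on your build.

```powershell
# Added example: take one node out of the NLB cluster with Drainstop, run
# maintenance, and bring it back. Assumptions: LON-NLB cluster from the demo,
# -Timeout in minutes, State values Converged/Draining/Stopped.
Import-Module NetworkLoadBalancingClusters

function Wait-NlbNodeState {
    param([string]$Node, [string[]]$State, [int]$Seconds = 600)
    $deadline = (Get-Date).AddSeconds($Seconds)
    do {
        $n = Get-NlbClusterNode -HostName $Node -NodeName $Node
        if ($n.State -in $State) { return $n }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "$Node did not reach $($State -join '/') within $Seconds s (last state: $($n.State))"
}

function Invoke-NlbNodeMaintenance {
    param([string]$Node, [scriptblock]$Work, [int]$DrainMinutes = 10)
    # Drainstop: refuse new connections, let existing sessions finish, then stop.
    # A plain Stop would cut every session this node is serving.
    Stop-NlbClusterNode -HostName $Node -Drain -Timeout $DrainMinutes
    Wait-NlbNodeState -Node $Node -State "Stopped" -Seconds ($DrainMinutes * 60 + 60) | Out-Null
    try {
        & $Work $Node
    }
    finally {
        # Rejoin; the cluster converges again because the port rules are unchanged.
        Start-NlbClusterNode -HostName $Node | Out-Null
        Wait-NlbNodeState -Node $Node -State "Converged" | Out-Null
    }
}

# Patch LON-SVR2 while LON-SVR1 keeps answering on the cluster IP.
Invoke-NlbNodeMaintenance -Node "LON-SVR2" -Work {
    param($n)
    Invoke-Command -ComputerName $n -ScriptBlock { "Maintenance running on $env:COMPUTERNAME" }
}

Get-NlbClusterNode -HostName "LON-SVR1" | Format-Table Name, State, HostPriority -AutoSize
```

The drain timeout is the trade-off: too short and long-lived sessions are cut anyway, too long and a node with one stuck connection holds the maintenance window open.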


NLB can only detect server failure; it cannot detect application failure. This means that if a web application fails but the server remains operational, the NLB cluster will continue to forward traffic to the cluster node that hosts the failed application. One method of managing this problem is to implement a monitoring solution such as Microsoft System Center 2012 - Operations Manager. With Operations Manager, you can monitor the functionality of applications. You can also configure Operations Manager to generate an alert in the event that an application on a cluster node fails. An alert in turn can trigger a remediation action, such as restarting services, restarting the server, or withdrawing the node from the NLB cluster so that it does not receive further incoming traffic.

NLB Features in Windows Server 2012

The most substantial change to NLB features in Windows Server 2012 is the inclusion of Windows PowerShell support. The NetworkLoadBalancingClusters module contains 35 NLB-related cmdlets. This module becomes available on a server when the NLB Remote Server Administration Tools (RSAT) are installed. The Windows PowerShell cmdlets have the following nouns:
- NlbClusterNode. Lets you manage a cluster node. Includes the Add, Get, Remove, Resume, Set, Start, Stop, and Suspend verbs.
- NlbClusterNodeDip. Lets you configure the cluster node's dedicated management IP. Includes the Add, Get, Remove, and Set verbs.
- NlbClusterPortRule. Lets you manage port rules. Includes the Add, Disable, Enable, Get, Remove, and Set verbs.
- NlbClusterVip. Lets you manage the NLB cluster's virtual IP. Includes the Add, Get, Remove, and Set verbs.
- NlbCluster. Lets you manage the NLB cluster. Includes the Get, New, Remove, Resume, Set, Start, Stop, and Suspend verbs.
- NlbClusterDriverInfo. Provides information about the NLB cluster driver. Includes the Get verb.
- NlbClusterNodeNetworkInterface. Lets you retrieve information about a cluster node's network interface driver. Includes the Get verb.
- NlbClusterIpv6Address. Lets you configure the cluster's IPv6 address. Includes the New verb.
- NlbClusterPortRuleNodeHandlingPriority. Lets you set priority on a per-port rule basis. Supports the Set verb.
- NlbClusterPortRuleNodeWeight. Lets you set node weight on a per-port rule basis. Supports the Set verb.

Note: To see the list of Windows PowerShell cmdlets for NLB, you can use the Get-Command -Module NetworkLoadBalancingClusters command.


Lesson 2

Configuring an NLB Cluster

To deploy NLB successfully, you must first have a firm understanding of its deployment requirements. You must also have planned the manner in which you are going to use port rules and affinity settings to ensure that traffic to the application that is being hosted on the NLB cluster is handled appropriately. This lesson provides you with information about the infrastructure requirements that you must consider prior to deploying NLB. It also provides you with important information on how to configure NLB clusters and nodes to best suit your objectives.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe NLB deployment requirements.
- Describe how to implement NLB.
- Explain configuration options for NLB.
- Explain how to configure NLB affinity and port rules.
- Describe network considerations for NLB.

Deployment Requirements for NLB

NLB requires that all hosts in the NLB cluster reside on the same TCP/IP subnet. Although TCP/IP subnets can be configured to span multiple geographic locations, NLB clusters are unlikely to achieve convergence successfully if the latency between nodes exceeds 250 milliseconds (ms). When you are designing geographically dispersed NLB clusters, you should instead choose to deploy an NLB cluster at each site, and then use Domain Name System (DNS) round robin to distribute traffic between sites.

All network adapters within an NLB cluster must be configured as either unicast or multicast. You cannot configure an NLB cluster where there is a mixture of unicast and multicast adapters. When using unicast mode, the network adapter must support changing its MAC address.

You can only use the TCP/IP protocol with network adapters that participate in NLB clusters. NLB supports IPv4 and IPv6. The IP addresses of servers that participate in an NLB cluster must be static and must not be dynamically allocated. When you install NLB, Dynamic Host Configuration Protocol (DHCP) is disabled on each interface that you configure to participate in the cluster.

All editions of Windows Server 2012 support NLB. Microsoft supports NLB clusters with nodes that are running different editions of Windows Server 2012. However, as a best practice, NLB cluster nodes should be computers with similar hardware specifications that are running the same edition of the Windows Server 2012 operating system.


Demonstration: Deploying NLB

This demonstration shows how to create a Windows Server 2012 NLB cluster.

Demonstration Steps

Create a Windows Server 2012 NLB Cluster

1. Log on to LON-SVR1 using the Adatum\Administrator account.
2. From the Tools menu, open the Windows PowerShell Integrated Scripting Environment (ISE).
3. Enter the following commands, and then press Enter:

   # Install the NLB feature and its management tools on both future nodes.
   Invoke-Command -ComputerName LON-SVR1,LON-SVR2 -ScriptBlock { Install-WindowsFeature NLB,RSAT-NLB }
   # Create the cluster on LON-SVR1's adapter in multicast mode, with the cluster (virtual) IP and name.
   New-NlbCluster -InterfaceName "Local Area Connection" -OperationMode Multicast -ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB
   # Join LON-SVR2 as the second node, using its adapter of the same name.
   Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName "LON-SVR2" -NewNodeInterface "Local Area Connection"

4. Open Network Load Balancing Manager from the Tools menu, and view the cluster.

Configuration Options for NLB

Configuring NLB clusters involves specifying how hosts in the cluster will respond to incoming network traffic. How NLB directs traffic depends on the port and protocol that it is using, and whether the client has an existing network session with a host in the cluster. You can configure these settings by using port rules and affinity settings.

Port Rules

With port rules, you can configure how requests to specific IP addresses and ports are directed by the NLB cluster. You can load balance traffic on Transmission Control Protocol (TCP) port 80 across all nodes in an NLB cluster, while directing all requests to TCP port 25 to a specific host.

To specify how you want to distribute requests across nodes in the cluster, you configure a filtering mode when creating a port rule. You can do this in the Add/Edit Port Rule dialog box, which you can use to configure one of the following filtering modes:
- Multiple hosts. When you configure this mode, all NLB nodes respond according to the load weight assigned to each node. By default, load is distributed equally across the nodes; you can instead assign each node a specific load weight. If a node fails, the other nodes in the cluster continue to respond to incoming requests. Multiple host filtering increases availability and scalability, as you can increase capacity by adding nodes, and the cluster continues to function in the event of node failure.
- Single host. When you configure this mode, the NLB cluster directs traffic to the node that is assigned the highest priority. In the event that the node assigned the highest priority is unavailable, the host assigned the next highest priority handles the incoming traffic. Single host rules increase availability, but do not increase scalability.


Note: Highest priority is the lowest number, with a priority of 1 being higher priority than a priority of 10.

Disable this port range. When you configure this option, all packets for this port range are dropped, without being forwarded to any cluster nodes. If you do not disable a port range and there is no existing port rule, the traffic is forwarded to the host with the lowest priority number.

You can use the following Windows PowerShell cmdlets to manipulate port rules:
Add-NlbClusterPortRule. Use this cmdlet to add a new port rule.
Disable-NlbClusterPortRule. Use this cmdlet to disable an existing port rule.
Enable-NlbClusterPortRule. Use this cmdlet to enable a disabled port rule.
Set-NlbClusterPortRule. Use this cmdlet to modify the properties of an existing port rule.
Remove-NlbClusterPortRule. Use this cmdlet to remove an existing port rule.

Note: Each node in a cluster must have identical port rules. The exception to this is the load weight (in multiple-hosts filter mode) and handling priority (in single-host filter mode). Otherwise, if the port rules are not identical, the cluster will not converge.

Affinity

Affinity determines how the NLB cluster distributes requests from a specific client. Affinity settings only come into effect when you are using the multiple hosts filtering mode. You can select from the following affinity modes:

None. In this mode, any cluster node responds to any client request, even if the client is reconnecting after an interruption. For example, the first webpage on a web application might be retrieved from the third node, the second web page from the first node, and the third web page from the second node. This affinity mode is suitable for stateless applications.

Single. When you use this affinity mode, a single cluster node handles all requests from a single client. For example, if the third node in a cluster handles a client's first request, then all subsequent requests are also handled by that node. This affinity mode is useful for stateful applications.

Class C. When you set this mode, a single node will respond to all requests from a class C network (one that uses the 255.255.255.0 subnet mask). This mode is useful for stateful applications where the client is accessing the NLB cluster through load-balanced proxy servers. These proxy servers will have different IP addresses, but will be within the same class C (24 bit) subnet block.

Host Parameters

You configure the host parameters for a host by clicking the host in the Network Load Balancing Manager console, and then from the Host menu, clicking Properties. You can configure the following host settings for each NLB node:

Priority. Each NLB node is assigned a unique priority value. If no existing port rule matches the traffic that is addressed to the cluster, traffic will be assigned to the NLB node that is assigned the lowest priority value.

Dedicated IP address. You can use this parameter to specify an address the host uses for remote management tasks. When you configure a dedicated IP address, NLB configures port rules so that they do not affect traffic to that address.


Implementing Network Load Balancing

Subnet Mask. When you are selecting a subnet mask, ensure that there are enough host bits to support the number of servers in the NLB cluster, and any routers that connect the NLB cluster to the rest of the organizational network. For example, if you plan to have a cluster that has 32 nodes and supports two routes to the NLB cluster, you will need to set a subnet mask that provides 34 host addresses or more, such as 255.255.255.192.

Initial host state. You can use this parameter to specify the actions the host will take after a reboot. The default Started state will have the host rejoin the NLB cluster automatically. The Suspended state pauses the host, allowing you to perform operations that require multiple reboots without triggering cluster convergence. The Stopped state stops the node.

Demonstration: Configuring NLB Affinity and Port Rules

This demonstration shows how to configure affinity for NLB cluster nodes, and how to configure NLB port rules.

Demonstration Steps

Configure Affinity for NLB Cluster Nodes


1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. In Windows PowerShell, enter each of the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath C:\porttest -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678

Configure NLB Port Rules


1. On LON-SVR1, open the Network Load Balancing Manager.
2. Remove the All port rule.
3. In Network Load Balancing Manager, edit the properties of the LON-NLB cluster.
4. Add a port rule with the following properties:
o Port range: 80 to 80
o Protocols: Both
o Filtering mode: Multiple Host
o Affinity: None
5. Create a port rule with the following properties:
o Port range: 5678 to 5678
o Protocols: Both
o Filtering mode: Single Host
6. Edit the host properties of LON-SVR1.
7. Configure the port rule for port 5678 and set handling priority to 10.


Network Considerations for NLB


You must consider several factors when you are designing a network to support an NLB cluster. The primary decision is whether you want to configure the NLB cluster to use Unicast or Multicast cluster operation mode.

Unicast Mode
When you configure an NLB cluster to use unicast mode, all cluster hosts use the same unicast MAC address. Outgoing traffic uses a modified MAC address that is determined by the cluster host's priority setting. This prevents the switch that handles outbound traffic from having problems with all cluster hosts using the same MAC address.

When you use unicast mode with a single network adapter on each node, only computers that use the same subnet can communicate with the node using the node's assigned IP address. If you have to perform any node management tasks, such as connecting using Remote Desktop to apply software updates, you will need to perform these tasks from a computer that is on the same TCP/IP subnet as the node.

When you use unicast mode with two or more network adapters, one adapter will be used for dedicated cluster communication, and the other adapter or adapters can be used for management tasks. When you use unicast mode with multiple network adapters, you can perform cluster management tasks such as connecting using Remote PowerShell to add or remove roles and features.

Unicast mode can also minimize problems that occur when cluster nodes also host other non-NLB related roles or services. For example, using unicast mode means that a server that participates in a web server cluster on port 80 may also host another service such as DNS or DHCP. Although this is possible, Microsoft recommends that all cluster nodes have the same configuration.

Multicast Mode

When you configure an NLB cluster to use multicast mode, each cluster host keeps its original MAC address, but also is assigned an additional multicast MAC address. Each node in the cluster is assigned the same additional multicast MAC address. Multicast mode requires network switches and routers that support multicast MAC addresses.

Internet Group Management Protocol Multicast

Internet Group Management Protocol (IGMP) multicast mode is a special form of multicast mode that prevents the network switch from being flooded with traffic. When you deploy IGMP multicast mode, traffic is forwarded only through switch ports that participate in the NLB cluster. IGMP multicast mode requires switch hardware that supports this functionality.

Network Considerations

You can improve NLB cluster performance when using unicast mode by using separate virtual local area networks (VLANs) for cluster traffic and management traffic. Using VLANs segments traffic, thereby preventing management traffic from affecting cluster traffic. When you host NLB nodes on virtual machines using Windows Server 2012, you can also use network virtualization to segment management traffic from cluster traffic.


Lesson 3

Planning an NLB Implementation

When you are planning an NLB implementation, you must ensure that the applications that you deploy are appropriate for NLB. Not all applications are suitable for deployment on NLB clusters, and it is important for you to be able to identify which ones can benefit from this technology. You also need to know what steps you can take to secure NLB, and be familiar with the options that you have to scale NLB, should the application hosted on the NLB cluster require greater capacity.

Lesson Objectives


After completing this lesson you will be able to:
Explain how to design application and storage support for NLB.
Describe the special considerations for deploying NLB clusters on virtual machines.
Describe the options that you can implement to secure NLB.
Describe the options for scaling NLB.
Describe the method you can use to upgrade an NLB cluster to Windows Server 2012.

Designing Applications and Storage Support for NLB


Because clients can be redirected to any node in an NLB cluster, each node in the cluster must be able to provide a consistent experience. Therefore, when you are designing applications and storage support for NLB applications, you must ensure that you configure each node in the same way, and that each node has access to the same data. When a highly available application has multiple tiers, such as a web application that includes an SQL Server database tier, the web application tier is hosted on an NLB cluster. SQL Server, as a stateful application, is not made highly available using NLB. Instead, you use technologies such as failover clustering, mirroring, or AlwaysOn Availability Groups, to make the SQL Server database tier highly available.

All hosts in an NLB cluster should run the same applications and be configured in the same way. When you are using web applications, you can use Internet Information Services (IIS) 8.0's shared configuration functionality to ensure that all nodes in the NLB cluster are configured in the same manner.

Reference Links: You can find out more about IIS 8.0's shared configuration with Windows Server 2012 at http://learn.iis.net/page.aspx/264/shared-configuration/

You can also use technologies such as file shares that are hosted on Cluster Shared Volumes (CSV) to host application configuration information. File shares hosted on CSVs allow multiple hosts to have access to application data and configuration information. File shares that are hosted on CSVs are a feature of Windows Server 2012.


Considerations for Deploying an NLB Cluster on Virtual Machines

As organizations transition from physical to virtual deployments, administrators must consider several factors when determining the placement of NLB cluster nodes on Hyper-V hosts. This includes the network configuration of virtual machines, the configuration of the Hyper-V hosts, and the benefits of using Hyper-V's high availability features in conjunction with NLB.

Virtual Machine Placement

You should place NLB cluster nodes on separate hard disks on the Hyper-V host. That way, should a disk or disk array fail, even if one node becomes unavailable, other NLB cluster nodes that are hosted on the same Hyper-V host will remain online. As a best practice, you should configure the Hyper-V host with redundant hardware, including redundant disks, network adapters, and power supplies. This will minimize the chance that hardware failure on the Hyper-V host will lead to all nodes in an NLB cluster becoming unavailable. When you are using multiple network adapters, configure network teaming to ensure that virtual machines are able to maintain access to the network even in the event that individual network adapter hardware suffers a failure.

Where possible, deploy NLB virtual machine nodes on separate Hyper-V hosts. When you are planning this type of configuration, ensure that the virtual machines that participate in the NLB cluster are located on the same TCP/IP subnet. This protects the NLB cluster from other types of server failure, such as the failure of a motherboard or any other single point of failure.

Virtual Machine Network Configuration

Because adding additional virtual network adapters is a straightforward process, you can configure the NLB cluster to use unicast mode, and then deploy each virtual machine with multiple network adapters. You should create separate virtual switches for cluster traffic and node management traffic, because segmenting traffic can improve performance. You can also use network virtualization to partition cluster traffic from node management traffic. You can use VLAN tags as a method of partitioning cluster traffic from node management traffic.

When you are using unicast mode, ensure that you enable MAC address spoofing for the virtual network adapter on the Hyper-V host. You can do this by editing the virtual network adapter settings in the Virtual Machine Settings dialog box, which is available through the Hyper-V Manager. Enabling MAC address spoofing allows unicast mode to configure MAC address assignment on the virtual network adapter.
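The same guest network setup done from the Hyper-V host with Windows PowerShell, as an added example that is not part of the course: a dedicated cluster adapter with MAC address spoofing enabled for unicast mode, a separate management adapter, and a VLAN per traffic type. The VM name LON-SVR1, the virtual switch names "NLB-Cluster" and "Management", and VLAN IDs 100 and 200 are assumptions for the example.

```powershell
# Added example (not from the course). Run on the Hyper-V host as an administrator.
# Assumed: VM LON-SVR1 is stopped (Windows Server 2012 Hyper-V cannot hot-add adapters),
# and the virtual switches "NLB-Cluster" and "Management" already exist.
$vm = "LON-SVR1"

# One adapter per traffic type, each on its own virtual switch.
Add-VMNetworkAdapter -VMName $vm -Name "Cluster"    -SwitchName "NLB-Cluster"
Add-VMNetworkAdapter -VMName $vm -Name "Management" -SwitchName "Management"

# Unicast mode replaces the adapter's MAC address with the shared cluster MAC. Hyper-V drops
# frames sent from a MAC other than the one it assigned unless MAC address spoofing is on,
# so enable it on the cluster adapter only; the management adapter keeps the default (Off).
Set-VMNetworkAdapter -VMName $vm -Name "Cluster" -MacAddressSpoofing On

# Separate VLANs (assumed IDs) keep management traffic from contending with cluster traffic.
Set-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName "Cluster"    -Access -VlanId 100
Set-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName "Management" -Access -VlanId 200

# Review the result before creating the cluster in unicast mode: the cluster adapter must show
# MacAddressSpoofing = On, and the two adapters must sit on different VLANs.
Get-VMNetworkAdapter -VMName $vm | Format-Table Name, SwitchName, MacAddressSpoofing
Get-VMNetworkAdapterVlan -VMName $vm | Format-Table ParentAdapter, OperationMode, AccessVlanId
```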

NLB Cluster vs. Virtual Machine High Availability

Virtual machine high availability is the process of placing virtual machines on failover clusters. When a failover cluster node fails, the virtual machine fails over, so that it is hosted on another node. Though failover clustering and NLB are both high availability technologies, they serve different purposes. Failover clustering supports stateful applications such as SQL Server, whereas NLB is suited to stateless applications such as websites. Highly available virtual machines do not allow an application to scale, because you cannot add nodes to increase capacity. However, it is possible to deploy NLB cluster nodes as highly available virtual machines. In this scenario, the NLB cluster nodes fail over to a new Hyper-V host in the event that the original Hyper-V host fails.


The degree of availability and redundancy required will fluctuate, depending on the application. A business-critical application that costs an organization millions of dollars when it is down requires an availability that differs from that of an application that causes minimal inconvenience if it is offline.

Considerations for Securing NLB


NLB clusters are almost always used to host web applications that are important to the organization. Because of this importance, you should take steps to secure NLB, both by restricting the traffic that can address the cluster, and by ensuring that appropriate permissions are applied.

Configure Port Rules

When securing NLB clusters, you must first ensure that you create port rules to block traffic to all ports other than those used by applications hosted on the NLB cluster. When you do this, all incoming traffic that is not specifically addressed to applications that are running on the NLB cluster will be dropped, before being forwarded to cluster nodes. If you do not do this first step, all incoming traffic that is not managed by a port rule will be forwarded to the cluster node with the lowest cluster priority value.
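The port-rule cmdlets listed under Port Rules, applied to this module's LON-NLB cluster so that only the application ports are forwarded and everything else is dropped, as an added example that is not part of the course. It assumes the node LON-SVR1 and the ports 80 and 5678 from the demonstration; the Disabled rules covering the remaining port ranges are the addition that implements the lockdown described above.

```powershell
# Added example (not from the course). Run on a cluster node as a local administrator.
Import-Module NetworkLoadBalancingClusters

$cluster = Get-NlbCluster -HostName LON-SVR1

# The default "All" rule (0-65535) forwards every port to the cluster, so remove it first.
# -Port names any port inside the rule's range; 0 is inside 0-65535.
Remove-NlbClusterPortRule -HostName LON-SVR1 -Port 0 -Force

# Application ports, as in the demonstration: HTTP load balanced across all nodes with no
# affinity (stateless), and the port 5678 test site handled by a single host.
$cluster | Add-NlbClusterPortRule -StartPort 80   -EndPort 80   -Protocol Both -Mode Multiple -Affinity None
$cluster | Add-NlbClusterPortRule -StartPort 5678 -EndPort 5678 -Protocol Both -Mode Single

# Handling priority for the single-host rule is set per node (lowest number wins); this is the
# "handling priority 10" step of the demonstration expressed in PowerShell.
Set-NlbClusterNodePortRule -HostName LON-SVR1 -Port 5678 -NewPriority 10

# Every port range not covered above gets an explicit Disabled rule. Packets in those ranges are
# dropped instead of being forwarded to the default host (the node with the lowest priority value).
# Port rules must not overlap, so the ranges are carved around 80 and 5678.
$blockedRanges = @(@(0, 79), @(81, 5677), @(5679, 65535))
foreach ($range in $blockedRanges) {
    $cluster | Add-NlbClusterPortRule -StartPort $range[0] -EndPort $range[1] -Protocol Both -Mode Disabled
}

# Show the resulting rule set. Apart from load weight and handling priority, the rules must be
# identical on every node or the cluster will not converge.
$cluster | Get-NlbClusterPortRule | Sort-Object StartPort |
    Format-Table StartPort, EndPort, Protocol, Mode, Affinity
```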

Configure Firewall Rules

You should also ensure that Windows Firewall with Advanced Security is configured on each NLB cluster node. When you enable NLB on a cluster node, the following firewall rules are created and enabled automatically. This allows NLB to function and communicate with other nodes in the cluster:
Network Load Balancing (DCOM-In)
Network Load Balancing (ICMP4-ERQ-In)
Network Load Balancing (ICMP6-ERQ-In)
Network Load Balancing (RPCSS)
Network Load Balancing (WinMgmt-In)
Network Load Balancing (ICMP4-DU-In)
Network Load Balancing (ICMP4-ER-In)
Network Load Balancing (ICMP6-DU-In)
Network Load Balancing (ICMP6-EU-In)

When created, these firewall rules do not include scope settings. In high-security environments, you would configure an appropriate local IP address or IP address range, and a remote IP address for each of these rules. The remote IP address or address range should include the addresses that are used by other hosts in the cluster. When you are configuring additional firewall rules, remember the following:

When you are using multiple network adapters in unicast mode, configure different firewall rules for each network interface. For the interface used for management tasks, you should configure the firewall rules to allow inbound management traffic only, for example, enabling the use of remote Windows PowerShell, Windows Remote Management (WinRM), and Remote Desktop for management tasks. You should configure the firewall rules on the network interface the cluster node uses to provide an application to the cluster, to allow access to that application. For example, allow incoming traffic on TCP ports 80 and 443 on an application that uses the HTTP and HTTPS protocols.

When you are using multiple network adapters in multicast mode, configure firewall rules that allow access to applications that are hosted on the cluster, but block access to other ports.
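The scoping and per-interface rules described above, as an added example that is not part of the course. It assumes the lab's cluster subnet 172.16.0.0/24, a management subnet 10.10.0.0/24, and adapter aliases "Cluster" and "Management" inside the node; the nine rule names come from the list above.

```powershell
# Added example (not from the course). Run on each NLB node as a local administrator.
# Assumed values: cluster subnet, management subnet and adapter aliases.
$clusterSubnet = "172.16.0.0/24"
$mgmtSubnet    = "10.10.0.0/24"

# The NLB rules are created without a scope (any remote address). Restrict them to the other
# cluster hosts and to the cluster adapter. The wildcard matches all nine
# "Network Load Balancing (...)" rules by display name.
Get-NetFirewallRule -DisplayName "Network Load Balancing (*" |
    Set-NetFirewallRule -RemoteAddress $clusterSubnet -InterfaceAlias "Cluster"

# Application ports on the cluster adapter only (HTTP and HTTPS for an IIS site).
New-NetFirewallRule -DisplayName "NLB app HTTP/HTTPS (Cluster)" -Direction Inbound `
    -Protocol TCP -LocalPort 80, 443 -InterfaceAlias "Cluster" -Action Allow

# Management adapter: Remote Desktop (3389) and WinRM / PowerShell remoting (5985, 5986),
# and only from the management subnet.
New-NetFirewallRule -DisplayName "Mgmt RDP (Management)" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -InterfaceAlias "Management" -RemoteAddress $mgmtSubnet -Action Allow
New-NetFirewallRule -DisplayName "Mgmt WinRM (Management)" -Direction Inbound `
    -Protocol TCP -LocalPort 5985, 5986 -InterfaceAlias "Management" -RemoteAddress $mgmtSubnet -Action Allow

# Management ports arriving on the cluster adapter are blocked explicitly; a Block rule takes
# precedence over any Allow rule that might otherwise match the same traffic.
New-NetFirewallRule -DisplayName "Block mgmt ports (Cluster)" -Direction Inbound `
    -Protocol TCP -LocalPort 3389, 5985, 5986 -InterfaceAlias "Cluster" -Action Block

# Verify that the NLB rules now carry the remote-address scope.
Get-NetFirewallRule -DisplayName "Network Load Balancing (*" |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```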

Configure Applications to Respond Only to Traffic Addressed to the Cluster

You should configure applications on each node to respond only to traffic that is addressed to the cluster, and to ignore application traffic that is addressed to the individual node. For example, if you deploy a web application that is designed to respond to traffic addressed to www.adatum.com, there will be a website on each node that will accept traffic on port 80. Depending on the NLB cluster configuration, it is possible that traffic that is addressed to the node on port 80 will generate a direct response. For example, getting the Adatum web application by entering the address http://nlb-node-3.adatum.com in a browser instead of entering the address http://www.adatum.com. You can secure applications from this type of direct traffic by configuring them to respond only to traffic that uses the NLB cluster address. For web applications, you can do this by configuring the website to use a host header. Each application that runs on an NLB cluster will have its own unique method of allowing you to configure the application to respond only to traffic directed at the cluster, rather than at the individual cluster node.

Securing Traffic with SSL

NLB websites must all use the same website name. When you are securing websites that you make highly available using NLB, you need to ensure that each website has an SSL certificate that matches the website name. You can use host headers on each node. In most cases, you will install the same website certificate on each node in the NLB cluster, because this is simpler than procuring separate certificates for each cluster node. In some cases, you will need to procure certificates that support subject alternative names (SANs). Certificates that support SANs allow a server to be identified by multiple names, such as the name used by the clustered application and the name of the cluster node. For example, a certificate with a SAN might support the names www.adatum.com, node1.adatum.com, node2.adatum.com, node3.adatum.com, and node4.adatum.internal.
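The host header and certificate checks from the two sections above, done on one node with the IIS WebAdministration module, as an added example that is not part of the course. It assumes the site is "Default Web Site", the cluster name is www.adatum.com as in the text, and that the site certificate's thumbprint is substituted for the placeholder; the SNI binding (-SslFlags 1) is an IIS 8 feature the text does not mention.

```powershell
# Added example (not from the course). Run on an NLB node as a local administrator.
Import-Module WebAdministration

$site        = "Default Web Site"
$clusterName = "www.adatum.com"
$thumbprint  = "<THUMBPRINT-PLACEHOLDER>"   # certificate in cert:\LocalMachine\My (assumed)

# 1. Replace the catch-all HTTP binding ("*:80:" = any address, port 80, no host header) with
#    one keyed on the cluster name. A request for http://nlb-node-3.adatum.com then matches no
#    binding on this node, so the node no longer answers traffic addressed to itself.
Remove-WebBinding -Name $site -BindingInformation "*:80:"
New-WebBinding -Name $site -Protocol http -Port 80 -HostHeader $clusterName

# 2. Confirm the certificate covers the cluster name before using it. A SAN certificate may
#    list node names too; what matters is that the name clients connect to is present.
$cert  = Get-Item "cert:\LocalMachine\My\$thumbprint"
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $clusterName) {
    throw "Certificate $($cert.Thumbprint) covers [$($names -join ', ')] but not $clusterName"
}

# 3. HTTPS binding for the cluster name using SNI, then attach the certificate to it. The same
#    certificate is installed on every node, as the text recommends.
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $clusterName -SslFlags 1
New-Item "IIS:\SslBindings\!443!$clusterName" -Value $cert -SSLFlags 1 | Out-Null

# Both bindings should now carry the cluster name as host header.
Get-WebBinding -Name $site | Format-Table protocol, bindingInformation, sslFlags
```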

Principle of Least Privilege

Ensure that users are only delegated permissions for tasks that they need to perform on the NLB node. Members of the local Administrators group on any single node are able to add and remove cluster nodes, even if they are not members of the local Administrators group on those nodes. Applications that run on NLB clusters should be configured in such a way that they do not require application administrators to have local Administrator privileges on the servers that host the application. Only users whose job role requires them to be able to make remote management connections to NLB cluster nodes should be able to make those connections.


Considerations for Scaling NLB


Scaling is the process of increasing the capacity of an NLB cluster. For example, if you have a four-node NLB cluster and each node in the cluster is being heavily utilized to the point where the cluster cannot manage more traffic, you can add additional nodes. Adding nodes will spread the same load across more computers, reducing the load on each current cluster node. Capacity increases because a larger number of similarly configured computers can manage a higher workload than a smaller number of similarly configured computers.

An NLB cluster supports up to 32 nodes. This means that you can scale out a single NLB cluster so that 32 separate nodes participate in that cluster. When you consider scaling an application so that it is hosted on a 32-node NLB cluster, remember that each node in the cluster must be on the same TCP/IP subnet. An alternative to building single NLB clusters is to build multiple NLB clusters, and then to use DNS round robin to share traffic between them. DNS round robin is a technology that allows a DNS server to provide requesting clients with different IP addresses to the same hostname in sequential order. For example, if there are three addresses associated with a hostname, the first requesting host receives the first address, the second receives the second address, the third receives the third, and so forth. When you use DNS round robin with NLB, you associate the IP addresses of each cluster with the hostname that is used by the application.

Distributing traffic between NLB clusters using DNS round robin also allows you to deploy NLB clusters across multiple sites. DNS round robin supports netmask ordering. This technology ensures that clients on a subnet are provided with an IP address of a host on the same network, if one is available. For example, you might deploy three four-node NLB clusters in the cities of Sydney, Melbourne, and Canberra, and use DNS round robin to distribute traffic between them. With netmask ordering, a client that is accessing the application in Sydney will be directed to the NLB cluster hosted in Sydney. A client that is not on the same subnet as the NLB cluster nodes, such as a client in the city of Brisbane, would be directed by DNS round robin to the Sydney, Melbourne, or Canberra NLB cluster.
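The three-site round robin just described, set up on a Windows DNS server with PowerShell, as an added example that is not part of the course. The DNS server LON-DC1 and zone adatum.com come from the lab; the host name app and the three cluster VIPs 10.1.0.42, 10.2.0.42 and 10.3.0.42 are constructed for the example, and netmask ordering is switched on with dnscmd because the DnsServer module on Windows Server 2012 does not expose that setting directly.

```powershell
# Added example (not from the course). Run from a machine with the DNS Server tools installed.
$dns  = "LON-DC1"
$zone = "adatum.com"
# Constructed cluster VIPs, one per site (assumed addresses).
$vips = @{ Sydney = "10.1.0.42"; Melbourne = "10.2.0.42"; Canberra = "10.3.0.42" }

# One A record per cluster VIP under a single host name. The server rotates the answer order
# between queries (round robin is enabled by default on Windows DNS Server).
foreach ($city in $vips.Keys) {
    Add-DnsServerResourceRecordA -ComputerName $dns -ZoneName $zone -Name "app" -IPv4Address $vips[$city]
}

# Netmask ordering (LocalNetPriority): an address on the querying client's own subnet is
# returned first, so a Sydney client is steered to the Sydney cluster; clients elsewhere
# (for example Brisbane) still get plain round robin across the three sites.
dnscmd $dns /Config /LocalNetPriority 1

# Verify the records, then resolve the name. Run from a client on the Sydney subnet,
# 10.1.0.42 should be listed first.
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name "app" -RRType A |
    Select-Object HostName, @{ n = "IPv4"; e = { $_.RecordData.IPv4Address } }
Resolve-DnsName -Name "app.$zone" -Server $dns -Type A | Select-Object Name, IPAddress
```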

Considerations for Upgrading NLB Clusters


Upgrading NLB clusters involves moving cluster nodes from one host operating system, for example Windows Server 2003 or Windows Server 2008, to Windows Server 2012. Upgrading the cluster might not involve performing an operating system upgrade on each node, because in some cases the original host operating system might not support a direct upgrade to Windows Server 2012. In cases where the original host operating system does not support a direct upgrade to Windows Server 2012, you can perform a migration.

A key consideration when you are upgrading NLB clusters is to remember that NLB supports having clusters that are running a mixture of operating systems. This means that you can have a cluster running a mixture of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Keep in mind that while mixed operating system NLB clusters are supported, they are not recommended. You should configure the NLB cluster so that all hosts are running the same operating system as soon as possible.

Note: In some situations, it will not be possible to upgrade the operating system of a cluster node.

When you are performing an upgrade, you can use one of the following strategies:

Piecemeal Upgrade. During this type of upgrade, you add new Windows Server 2012 nodes to an existing cluster, and then remove the nodes that are running earlier versions of the Windows Server operating system. This type of upgrade is appropriate when the original hardware and operating system does not support a direct upgrade to Windows Server 2012.

Rolling upgrade. During this type of upgrade, you upgrade one node in the cluster at a time. You do this by taking the node offline, performing the upgrade, and then rejoining the node back to the cluster.

Reference Links: You can learn more about upgrading NLB clusters at the following link: http://technet.microsoft.com/en-us/library/cc731691(WS.10).aspx


Lab: Implementing Network Load Balancing


Scenario

A. Datum Corporation is an engineering and manufacturing company. The organization is based in London, England, and is quickly expanding into Australia. As the company expands, the need for scalable web applications has increased. With this in mind, you are developing a pilot program to test the deployment of Windows NLB on hosts running the Windows Server 2012 operating system. As you intend to automate the process of deploying Windows NLB clusters, you will use Windows PowerShell to perform many of the cluster setup and configuration tasks. You will also configure port rules and affinity, which will allow you to deploy multiple load-balanced web applications on the same Windows NLB clusters.

Objectives
Create a Windows NLB cluster.
Configure and manage an NLB cluster.
Validate high availability for the NLB cluster.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-SVR2
Username: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-LON-SVR2.

Exercise 1: Implementing an NLB Cluster


Scenario

You eventually want to automate the process of deploying Windows Server 2012 NLB clusters. With this in mind, you will be using Windows PowerShell to perform the majority of the NLB cluster deployment tasks.

The main tasks for this exercise are as follows:
1. Verify website functionality for standalone servers.
2. Install the Windows Network Load Balancing feature.
3. Create a new Windows Server 2012 NLB cluster.
4. Add a second host to the cluster.
5. Validate the NLB cluster.

Task 1: Verify website functionality for standalone servers


1. On LON-SVR1, navigate to the folder c:\inetpub\wwwroot.
2. Open iis-8.png in Microsoft Paint, and use the Paint Brush tool and the color red to mark the IIS Logo in a distinctive manner.
3. Close Windows Explorer.
4. Switch to LON-DC1 and then click to the Start screen.
5. Open Internet Explorer.
6. Navigate to http://LON-SVR1. Verify that the web page is marked in a distinctive manner with the color red.
7. Navigate to http://LON-SVR2. Verify that the website is not marked in a distinctive manner.
8. Close Internet Explorer.

Task 2: Install the Windows Network Load Balancing feature


1. On LON-SVR1, open Windows PowerShell ISE.
2. Type the following command, and then press Enter:
Invoke-Command -Computername LON-SVR1,LON-SVR2 -command {Install-WindowsFeature NLB,RSAT-NLB}

Task 3: Create a new Windows Server 2012 NLB cluster


1. On LON-SVR1, in Windows PowerShell ISE, type the following command, and then press Enter:
New-NlbCluster -InterfaceName "Local Area Connection" -OperationMode Multicast -ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB
2. In Windows PowerShell ISE, type the following command, and then press Enter:
Invoke-Command -Computername LON-DC1 -command {Add-DNSServerResourceRecordA -ZoneName adatum.com -Name LON-NLB -IPv4Address 172.16.0.42}

Task 4: Add a second host to the cluster

On LON-SVR1, in the Windows PowerShell ISE window, type the following command, and then press Enter:
Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName "LON-SVR2" -NewNodeInterface "Local Area Connection"

Task 5: Validate the NLB cluster


1. On LON-SVR1, open the Network Load Balancing Manager, and verify that nodes LON-SVR1 and LON-SVR2 display with the status of Converged.
2. View the properties of the LON-NLB cluster, and verify the following:
o The cluster is set to use the Multicast operations mode.
o There is a single port rule named All that starts at port 0 and ends at port 65535 for both TCP and UDP protocols, and that it uses Single affinity.


Results: After this exercise, you should have successfully implemented an NLB cluster.

Exercise 2: Configuring and Managing the NLB Cluster


Scenario

As you will want to deploy multiple separate websites to the NLB cluster and differentiate these websites based on port address, you want to ensure that you are able to configure and validate port rules. You also want to experiment with affinity settings to ensure that requests are distributed evenly across hosts.

The main tasks for this exercise are as follows:
1. Configure port rules and affinity.
2. Validate port rules.
3. Manage host availability in the NLB Cluster.

Task 1: Configure port rules and affinity


1. On LON-SVR2, open Windows PowerShell.
2. In Windows PowerShell, enter the following commands, pressing Enter after each command:
Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath "C:\porttest" -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678

3. Open Windows Explorer and then browse to and open c:\porttest\iis-8.png in Microsoft Paint.
4. Use the Blue paintbrush to mark the IIS Logo in a distinctive manner.
5. Switch to LON-DC1.
6. Open Internet Explorer and navigate to http://LON-SVR2:5678.
7. Verify that the IIS Start page with the image marked with blue displays.
8. Switch to LON-SVR1.
9. On LON-SVR1, open Network Load Balancing Manager, and view the cluster properties of LON-NLB.

10. Remove the All port rule.
11. Add a port rule with the following properties:
o Port range: 80 to 80
o Protocols: Both
o Filtering mode: Multiple Host
o Affinity: None

12. Create a new port rule with the following properties:
o Port range: 5678 to 5678
o Protocols: Both
o Filtering mode: Single Host

13. Click OK to close the Cluster Properties dialog box.


14. Edit the host properties of LON-SVR1.
15. Configure the Handling Priority value of the port rule for port 5678 as 10.

Task 2: Validate port rules


1. Switch to LON-DC1.
2. Using Internet Explorer, navigate to http://lon-nlb, refresh the Web page 20 times, and verify that web pages with and without the distinctive red marking display.
3. On LON-DC1, navigate to address http://LON-NLB:5678, refresh the web page 20 times, and verify that only the web page with the distinctive blue marking displays.

Task 3: Manage host availability in the NLB Cluster


1. Switch to LON-SVR1.
2. Use the Network Load Balancing Manager on LON-SVR1 to suspend LON-SVR1.
3. Verify that node LON-SVR1 displays as Suspended, and that node LON-SVR2 displays as Converged.
4. Resume and then start LON-SVR1.
5. Verify that both node LON-SVR1 and LON-SVR2 now display as Converged.

Results: After this exercise, you should have successfully configured and managed an NLB cluster.

Exercise 3: Validating High Availability for the NLB Cluster


Scenario

As part of preparing for the deployment of NLB in your organization's environment, you want to ensure that it is possible to perform maintenance tasks such as reboot operations without affecting the availability of the websites that are hosted on the cluster. With this in mind, you will verify availability by rebooting one of the hosts while attempting to access the clustered website. You will also explore the Drainstop functionality.

The main tasks for this exercise are as follows:
1. Validate website availability when the host is unavailable.
2. Configure and validate Drainstop.

Task 1: Validate website availability when the host is unavailable


1. Restart LON-SVR1.
2. Switch to LON-DC1.
3. On LON-DC1, open Internet Explorer, and navigate to http://LON-NLB.
4. Refresh the website 20 times. Verify that the website is available, but that it does not display the distinctive red mark on the IIS logo until LON-SVR1 has restarted.

Task 2: Configure and validate Drainstop


1. On LON-SVR1, open Network Load Balancing Manager and initiate a Drainstop on LON-SVR2.
2. On LON-DC1, navigate to http://lon-nlb and verify that only the welcome page with the red IIS logo displays.

Results: After this exercise, you should have successfully validated high availability for the NLB cluster.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412-LON-SVR1 and 20412-LON-SVR2.

Lab Review
Question: How many additional nodes can you add to the LON-NLB cluster?

Question: What steps would you take to ensure that LON-SVR1 always manages requests for web traffic on port 5678, given the port rules that exist at the end of this exercise?

Question: What is the difference between a Stop and a Drainstop action?


Module Review and Takeaways


Question: You have created a four-node Windows Server 2012 NLB cluster. The cluster hosts a website that is hosted on IIS. What happens to the cluster if you shut down the World Wide Web publishing service on one of the nodes?

Question: You want to host the www.contoso.com, www.adatum.com, and www.fabrikam.com websites on a four-node NLB cluster. The cluster IP address will be a public IP address, and each fully qualified domain name (FQDN) is mapped in DNS to the cluster's public IP address. What steps should you take on each node to ensure that traffic is directed to the appropriate site?

Question: You have an eight-node Windows NLB cluster that hosts a web application. You want to ensure that traffic from a client that uses the cluster remains with the same node throughout their session, but that traffic from separate clients is distributed equitably across all nodes. Which option do you configure to accomplish this goal?

Real-world Issues and Scenarios


To become a true high availability solution, use a monitoring solution with NLB that will detect application failure. This is because NLB clusters will continue to direct traffic to nodes with failed applications as long as NLB, which is independent of the application, continues to send heartbeat traffic.

Module 5
Implementing Failover Clustering
Contents:
Module Overview 5-1
Lesson 1: Overview of Failover Clustering 5-2
Lesson 2: Implementing a Failover Cluster 5-14
Lesson 3: Configuring Highly Available Applications and Services on a Failover Cluster 5-20
Lesson 4: Maintaining a Failover Cluster 5-25
Lesson 5: Implementing a Multi-Site Failover Cluster 5-30
Lab: Implementing Failover Clustering 5-36
Module Review and Takeaways 5-41

Module Overview

Providing high availability is important for any organization that wants to provide continuous services to its users. High availability is a term that denotes the capability of a system or device to be usable when it is required. You can express high availability as a percentage, which is calculated by dividing the actual service time by the required service time. High availability does not mean that the system will be free of any downtime. However, a network that has an uptime of 99.999 percent often is considered highly available. Failover clustering is one of the main technologies in Windows Server 2012 that can provide high availability for various applications and services. In this module, you will learn about failover clustering, its components, and implementation techniques.

Objectives
After completing this module, you will be able to:
Describe failover clustering.
Implement a failover cluster.
Configure highly available applications and services.
Maintain a failover cluster.
Implement multi-site failover clustering.


Lesson 1

Overview of Failover Clustering

Failover clustering is a high availability process, wherein an instance of a service or application that is running over one machine can fail over onto a different machine in the failover cluster if the first machine fails. Failover clusters in Windows Server 2012 provide a high availability solution for many server roles and applications. By implementing failover clusters, you can maintain application or service availability if one or more computers in the failover cluster fail.

Before you implement failover clustering, you should be familiar with general high availability concepts. You must also understand clustering terminology, and how failover clusters work. Finally, you must be familiar with new clustering features in Windows Server 2012.

Lesson Objectives


After completing this lesson, you will be able to:
Describe high availability.
Describe failover clustering improvements in Windows Server 2012.
Describe failover cluster components.
Describe Cluster Shared Volumes (CSV).
Define failover and failback.
Describe a quorum.
Describe quorum modes in Windows Server 2012 failover clusters.
Describe failover cluster networks.
Describe failover cluster storage.

What Is High Availability?


Availability refers to a level of service that applications, services, or systems provide. Availability is expressed as the percentage of time that a service or system is available. Highly available systems have minimal downtime, whether planned or unplanned, and are available more than 99 percent of the time, depending on an organization's needs and budget. For example, a system that is unavailable for 8.75 hours per year would have a 99.9 percent availability rating, and would be considered highly available.

To improve availability, you must implement fault-tolerance mechanisms that mask or minimize how failures of the service's components and dependencies affect the system. You can achieve fault tolerance by implementing redundancy to single points of failure.

Miscommunication about service-level expectations between the customer and the IT organization can result in poor business decisions, such as unsuitable investment levels and customer dissatisfaction. Be sure to express availability requirements clearly, so that there are no misunderstandings about the implications.


The availability measurement period can also have a significant effect on the definition of availability. For example, a requirement for 99.9 percent availability over a one-year period allows for 8.75 hours of downtime, whereas a requirement for 99.9 percent availability over a rolling four-week window allows for only 40 minutes of downtime per period.

For high availability, you also should identify and negotiate planned outages, service and support hours, maintenance activities, service pack updates, and software updates. These are scheduled outages, and typically not included as downtime; you typically calculate availability based on unplanned outages only. However, you have to negotiate exactly which planned outages you will consider as downtime.


Failover Clustering in Windows Server 2012


While most of the failover clustering features and administration techniques from Windows Server 2008 R2 are present in Windows Server 2012, some new features and technologies in Windows Server 2012 increase scalability and cluster storage availability, and provide better and easier management and faster failover. The important new features in Windows Server 2012 failover clustering include:

Increased scalability. In Windows Server 2012, a failover cluster can have 64 physical nodes and can run 4,000 virtual machines on each cluster. This is a significant improvement over Windows Server 2008 R2, which supports only 16 physical nodes and 1,000 virtual machines per cluster. Each cluster you create is now available from the Server Manager console. Server Manager in Windows Server 2012 can discover and manage all clusters that are created in an Active Directory Domain Services (AD DS) domain. If you deploy the cluster in a multi-site scenario, the administrator can now control which nodes in a cluster have votes for establishing quorum. Failover clustering scalability is also improved for virtual machines that are running on clusters. This will be discussed in more detail in Module 6: Implementing Hyper-V Availability.

Improved CSVs. This technology was introduced in Windows Server 2008 R2, and it became very popular for providing virtual machine storage. In Windows Server 2012, CSVs appear as CSV file systems, and they support Server Message Block (SMB) version 3.0 storage for Hyper-V and other applications. In addition, CSV can use the SMB Multichannel and SMB Direct features to enable traffic to stream across multiple networks in a cluster. It is also possible to implement a file server on CSVs, in scale-out mode. For additional security, you can use Windows BitLocker Drive Encryption for CSV disks, and you can make CSV storage visible only to a subset of nodes in a cluster. For reliability, you can scan and repair CSV volumes with zero offline time.

Cluster-Aware Updating. In earlier versions of Windows Server, updating cluster nodes to minimize or avoid downtime required significant preparation and planning. In addition, updating cluster nodes was a mostly manual procedure, which caused additional administrative effort. Windows Server 2012 introduces Cluster-Aware Updating, a new technology for this purpose. Cluster-Aware Updating automatically updates cluster nodes with Windows Update hotfixes, while keeping the cluster online and minimizing downtime. This technology will be explained in more detail in Lesson 4: Maintaining a Failover Cluster.


Active Directory integration improvements. In Windows Server 2008, failover clustering is integrated in AD DS. Windows Server 2012 improves on this integration. Administrators can now create cluster computer objects in targeted organizational units (OUs), or by default in the same OUs as the cluster nodes. This aligns failover cluster dependencies on AD DS with the delegated domain administration model that is used in many IT organizations. In addition, you can now deploy failover clusters with access only to read-only domain controllers.

Management improvements. Although failover clustering in Windows Server 2012 still uses almost the same management console and the same administrative techniques, Windows Server 2012 brings some important management improvements. In the Validation Wizard, the validation speed for large failover clusters is improved, and new tests for CSVs, the Hyper-V role, and virtual machines are added. In addition, new Windows PowerShell cmdlets are available for managing clusters, monitoring clustered virtual machine applications, and creating highly available Internet Small Computer System Interface (iSCSI) targets.

Removed and Deprecated Features


In Windows Server 2012 clustering, some of the features from older failover clustering versions are removed or deprecated. If you are upgrading from an older version, you should be aware of these changes:

The Cluster.exe command-line tool is deprecated. However, you can still optionally install it with the failover clustering tools. Failover clustering Windows PowerShell cmdlets provide functionality that is generally the same as cluster.exe commands.

The Cluster Automation Server (MSClus) Component Object Model (COM) interface is deprecated, but you can optionally install it with the failover clustering tools.

Support for 32-bit cluster resource dynamic-link libraries (DLLs) is deprecated, but you can optionally install 32-bit DLLs. Cluster resource DLLs should be updated to 64-bit.

The Print Server role is removed from the High Availability Wizard, and it cannot be configured in Failover Cluster Manager. The Add-ClusterPrintServerRole cmdlet is deprecated, and it is not supported in Windows Server 2012.

Failover Cluster Components


As a failover cluster, a group of independent computers work together to increase the availability of applications and services. Physical cables and software connect the clustered servers. Servers that participate in the cluster are also known as nodes. If one of the cluster nodes fails, another node begins to provide services. This process is known as failover. With failover, users experience minimal to no service disruptions.

A failover clustering solution consists of several components, which include:

Nodes. These are computers that are members of a failover cluster. These computers run the Cluster service, and the resources and applications associated with the cluster.


Network. This is a network across which cluster nodes can communicate with one another, and with clients. There are three types of networks that can be used in a cluster: public, private, and public-and-private. These networks are discussed in more detail in the Failover Cluster Networks topic.

Resource. This is an entity that is hosted by a node. It is managed by the Cluster service, and can be started, stopped, and moved to another node.

Cluster storage. This is a storage system that is usually shared between cluster nodes. In some scenarios, such as clusters of servers running Microsoft Exchange Server, shared storage is not required.

Clients. These are computers (or users) that are using the Cluster service.

Service or application. This is a software entity that is presented to clients and used by clients.


In a failover cluster, each node in the cluster:
Has full connectivity and communication with the other nodes in the cluster.
Is aware when another node joins or leaves the cluster. In addition, each node is aware when a node or resource is failing, and has the ability to take those services over.
Is connected to a network through which client computers can access the cluster.
Is usually connected through a shared bus or iSCSI connection to shared storage.
Is aware of the services or applications that are running locally, and the resources that are running on all other cluster nodes.

Cluster storage usually refers to logical devices, typically hard disk drives or logical unit numbers (LUNs), to which all the cluster nodes attach through a shared bus. This bus is separate from the bus that contains the system and boot disks. The shared disks store resources such as applications and file shares that the cluster will manage. A failover cluster typically defines at least two data communications networks: one network enables the cluster to communicate with clients, and the second isolated network enables the cluster node members to communicate directly with one another. If directly connected shared storage is not being used, then a third network segment (for iSCSI or Fibre Channel) can exist between the cluster nodes and a data storage network.

Most clustered applications and their associated resources are assigned to one cluster node at a time. The node that provides access to those cluster resources is the active node. If the nodes detect the failure of the active node for a clustered application, or if the active node is taken offline for maintenance, the clustered application is started on another cluster node. To minimize the impact of the failure, client requests are immediately and transparently redirected to the new cluster node.


What Are CSVs?


In a classic failover cluster deployment, only a single node at a time controls a LUN on the shared storage. This means that another node cannot see shared storage until it becomes an active node. CSV is a new technology introduced in Windows Server 2008 R2, which enables multiple nodes to share a single LUN concurrently. Each node obtains exclusive access to individual files on the LUN instead of to the entire LUN. In other words, CSV provides a solution so that multiple nodes in the cluster can access the same NTFS file system simultaneously.

In the first version in Windows Server 2008 R2, CSV was designed only for hosting virtual machines that are running on a Hyper-V server in a failover cluster. This enabled administrators to have a single LUN that hosts multiple virtual machines in a failover cluster. Multiple cluster nodes have access to the LUN, but each virtual machine runs only on one node at a time. If the node on which a virtual machine is running fails, CSV enables the virtual machine to restart on a different node in the failover cluster. Additionally, this provides simplified disk management for hosting virtual machines, as compared to each virtual machine requiring a separate LUN.

In Windows Server 2012, CSV has additional improvements. It is now possible to use CSV for other roles, and not just Hyper-V. For example, you can now configure the file server role in failover clustering in the Scale-Out File Server scenario. Scale-Out File Server is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes in the same cluster. In this context, CSV in Windows Server 2012 introduces support for a read cache, which can improve performance in certain scenarios. In addition, a CSV file system (CSVFS) can perform Chkdsk without impacting applications with open handles on the file system.

Other important improvements in CSV in Windows Server 2012 are:

CSV proxy file system (CSVFS): In the Disk Management console, CSV volumes now appear as CSVFS. However, this is not a new file system. The underlying technology is still the NTFS file system, and CSVFS volumes are still formatted with NTFS. However, because volumes appear as CSVFS, applications can discover that they are running on CSVs, which helps improve compatibility. Additionally, because of the single file namespace, all files have the same name and path on any node in a cluster.

Multisubnet support for CSVs: CSVs have been enhanced to integrate with SMB Multichannel to help achieve faster throughput for CSV volumes.

Support for BitLocker volume encryption: Windows Server 2012 supports BitLocker volume encryption for both traditional clustered disks and CSVs. Each node performs decryption by using the computer account for the cluster itself.

Support for SMB 3.0 storage: SMB 3.0 storage is supported for Hyper-V and applications such as Microsoft SQL Server. This means that, for example, you can host Hyper-V virtual machine files on a shared folder.

Integration with SMB Multichannel and SMB Direct: This integration allows CSV traffic to stream across multiple networks in the cluster and to leverage network adapters that support Remote Direct Memory Access (RDMA).


Integration with the Storage Spaces feature in Windows Server 2012: This integration can provide virtualized storage on clusters of inexpensive disks.

Reduced downtime: CSV in Windows Server 2012 lets you scan and repair volumes with zero offline time.


Implementing CSV

You can configure CSV only when you create a failover cluster. After you create the failover cluster, you can enable CSV for the cluster, and then add storage to the CSV.

However, before you can add storage to the CSV, you must make the LUN available as shared storage to the cluster. When you create a failover cluster, all of the shared disks that you configured in Server Manager are added to the cluster, and you can then add them to a CSV. If you add more LUNs to the shared storage, you must first create volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available. However, you can convert from regular disk access to CSV after deployment. The following considerations apply:

When you convert from regular disk access to CSV, this removes the LUN's drive letter or mount point. This means that you must recreate all virtual machines that are stored on the shared storage. If you must retain the same virtual machine settings, consider exporting the virtual machines, switching to CSV, and then importing the virtual machines in Hyper-V.

You cannot add shared storage to CSV if it is in use. If you have a running virtual machine that is using a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.

What Are Failover and Failback?


Failover transfers from one node to another the responsibility for providing access to resources in a cluster. Failover can occur when an administrator intentionally moves resources to another node for maintenance, or due to unplanned downtime of a node due to hardware failure or other reasons. In addition, service failure on an active node can initiate failover to another node. A failover attempt consists of the following steps:

1. The Cluster service takes all the resources in the instance offline, in an order that is determined by the instance's dependency hierarchy. This means that dependent resources are taken offline first, followed by the resources on which they depend. For example, if an application depends on a physical disk resource, the Cluster service takes the application offline first, which enables the application to write changes to the disk before the disk is taken offline.

2. After all the resources are offline, the Cluster service attempts to transfer the instance to the node that is listed next on the instance's list of preferred owners.

3. If the Cluster service successfully moves the instance to another node, it attempts to bring all the resources online. This time, it starts at the lowermost part of the dependency hierarchy. Failover is complete when all the resources are online on the new node.
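The ordering rule in the three steps above (dependents offline first, then the resources they depend on; online in the reverse order) is a topological ordering of the instance's dependency hierarchy. The following is an added worked example, not code from the course or from Windows Server: the resource names, the dependency graph and the preferred-owner list are constructed for illustration.

```python
"""Failover ordering derived from a clustered instance's dependency hierarchy.

Added worked example (not part of the course text). Models how the Cluster
service sequences offline and online operations during a failover: a resource
is taken offline before anything it depends on, and brought online only after
everything it depends on. Resource and node names below are constructed.
"""
from collections import deque

# Constructed example instance: each resource lists the resources it depends on.
# The application depends on a network name and a physical disk; the network
# name depends on an IP address.
EXAMPLE_INSTANCE = {
    "IP Address": [],
    "Physical Disk": [],
    "Network Name": ["IP Address"],
    "App": ["Network Name", "Physical Disk"],
}


def online_order(deps):
    """Order in which to bring resources online: a resource starts only after all
    of its dependencies are online (Kahn's algorithm, lowest level of the
    hierarchy first). Raises ValueError on an unknown dependency or a cycle."""
    indegree = {res: len(d) for res, d in deps.items()}
    dependents = {res: [] for res in deps}
    for res, d in deps.items():
        for dep in d:
            if dep not in deps:
                raise ValueError(f"{res!r} depends on unknown resource {dep!r}")
            dependents[dep].append(res)
    ready = deque(sorted(res for res, n in indegree.items() if n == 0))
    order = []
    while ready:
        res = ready.popleft()
        order.append(res)
        for child in sorted(dependents[res]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        raise ValueError("dependency cycle: the instance can never come online")
    return order


def offline_order(deps):
    """Dependents first, then what they depend on: the reverse of the online order,
    so an application is stopped before the disk it writes to is taken offline."""
    return list(reversed(online_order(deps)))


def failover(deps, preferred_owners, failed_node):
    """Simulate one failover attempt: take the instance offline top-down, move it to
    the next preferred owner that has not failed, then bring it online bottom-up.
    Returns the ordered list of (action, target) events."""
    events = [("offline", res) for res in offline_order(deps)]
    candidates = [n for n in preferred_owners if n != failed_node]
    if not candidates:
        raise RuntimeError("no surviving preferred owner; instance stays offline")
    events.append(("move", candidates[0]))
    events.extend(("online", res) for res in online_order(deps))
    return events


if __name__ == "__main__":
    for action, target in failover(EXAMPLE_INSTANCE, ["NODE1", "NODE2"], "NODE1"):
        print(f"{action:8s} {target}")
```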


Once the offline node becomes active again, the Cluster service can fail back instances that were originally hosted on the offline node. When the Cluster service fails back an instance, it uses the same procedures that it performs during failover. The Cluster service takes all the resources in the instance offline, moves the instance, and then brings all the resources in the instance back online.

What Is a Quorum?

A quorum is the number of elements that must be online for a cluster to continue running. Each cluster node is an element, and in effect, each element can cast one vote to determine whether the cluster continues to run. If there is an even number of nodes, then an additional element, which is known as a witness, is assigned to the cluster. The witness element can be either a disk or a file share. Each voting element contains a copy of the cluster configuration, and the Cluster service works to keep all copies synchronized at all times.

The cluster will stop providing failover protection if most of the nodes fail, or if there is a problem with communication between the cluster nodes. Without a quorum mechanism, each set of nodes could continue to operate as a failover cluster. This results in a partition within the cluster. Quorum prevents two or more nodes from concurrently operating a failover cluster resource. If a clear majority is not achieved between the node members, then the vote of the witness becomes crucial to maintain the validity of the cluster.

Concurrent operation could occur when network problems prevent one set of nodes from communicating with another set of nodes. That is, a situation might occur where more than one node tries to control access to a resource. If that resource is, for example, a database application, damage such as corruption of the database could result. Imagine the consequence if two or more instances of the same database are made available on the network, or if data was accessed and written to a target from more than one source at a time. If the application itself is not damaged, the data could easily become corrupted.

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster can calculate the number of votes that are required for it to continue providing failover protection. If the number of votes drops below the majority, the cluster stops running, which means it will not provide failover protection if there is a node failure. Nodes will still listen for the presence of other nodes, in case another node appears again on the network. However, the nodes will not function as a cluster until a majority consensus or quorum is achieved.

Note: A fully functioning cluster depends not just on quorum, but also on the capacity of each node to support the services and applications that fail over to that node. For example, a cluster that has five nodes could still have quorum after two nodes fail, but each remaining cluster node would continue serving clients only if it has enough capacity (such as disk space, processing power, random access memory (RAM), or network bandwidth) to support the services and applications that failed over to it. An important part of the design process is planning each node's failover capacity. A failover node must be able to run its own load and the load of additional resources that might fail over to it.


The Process of Achieving Quorum

Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster software on each node stores information about how many votes constitute a quorum for that cluster. If the number of votes drops below the majority, the cluster stops providing services. Nodes will continue to listen for incoming connections from other nodes on port 3343, in case they appear again on the network, but the nodes will not begin to function as a cluster until quorum is achieved.

There are several phases a cluster must complete to achieve a quorum. As a given node comes online, it determines whether there are other cluster members with which it can communicate. This process may be in progress on multiple nodes simultaneously. After establishing communication with other members, the members compare their membership views of the cluster until they agree on one view (based on timestamps and other information). A determination is made whether this collection of members has a quorum, or has enough members the total of which creates sufficient votes so that a split scenario cannot exist. A split scenario means that another set of nodes that are in this cluster are running on a part of the network that is inaccessible to these nodes. Therefore, more than one node could be actively trying to provide access to the same clustered resource. If there are not enough votes to achieve quorum, the voters (the currently recognized members of the cluster) wait for more members to appear. After at least the minimum vote total is attained, the Cluster service begins to bring cluster resources and applications into service. With quorum attained, the cluster becomes fully functional.
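The vote arithmetic behind the two topics above (one vote per node, one optional witness vote, strictly more than half required) is small enough to work through in code. This is an added example, not code from the course or from the Windows Server cluster software; the node names and the split scenarios it evaluates are constructed for illustration, and it shows why a witness helps an even node count but not an odd one.

```python
"""Quorum vote arithmetic for a failover cluster.

Added worked example (not part of the course text). Counts votes the way the
lesson describes: one vote per node plus one vote for a disk or file share
witness when one is configured, with a majority meaning strictly more than half
of all voting elements. Node names and partitions below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuorumConfig:
    """Voting elements of one cluster: its nodes and an optional witness."""
    nodes: frozenset
    witness: bool = False  # disk witness or file share witness configured

    @property
    def total_votes(self):
        return len(self.nodes) + (1 if self.witness else 0)

    @property
    def votes_needed(self):
        """Majority: strictly more than half of all voting elements."""
        return self.total_votes // 2 + 1


def has_quorum(cfg, reachable_nodes, witness_reachable=False):
    """True if this partition (the nodes that can still communicate, plus the
    witness if it is configured and reachable from them) holds a majority."""
    reachable = set(reachable_nodes)
    unknown = reachable - cfg.nodes
    if unknown:
        raise ValueError(f"not cluster members: {sorted(unknown)}")
    votes = len(reachable) + (1 if cfg.witness and witness_reachable else 0)
    return votes >= cfg.votes_needed


def max_node_failures(cfg, witness_reachable=True):
    """Largest number of nodes that can fail while the survivors keep quorum."""
    witness_vote = 1 if cfg.witness and witness_reachable else 0
    surviving_needed = max(cfg.votes_needed - witness_vote, 0)
    return len(cfg.nodes) - surviving_needed


def partition_outcome(cfg, partitions, witness_side=None):
    """Evaluate a split scenario: `partitions` are disjoint sets of nodes that can
    no longer reach each other, and the witness (if any) is reachable only from
    the partition at index `witness_side`. Returns the index of the partition
    that keeps quorum, or None when no side does and the cluster stops."""
    seen = set()
    for part in partitions:
        if seen & set(part):
            raise ValueError("partitions must be disjoint")
        seen |= set(part)
    winners = [i for i, part in enumerate(partitions)
               if has_quorum(cfg, part, witness_reachable=(i == witness_side))]
    # Requiring more than half of all votes means at most one side can win.
    assert len(winners) <= 1, winners
    return winners[0] if winners else None


if __name__ == "__main__":
    four = QuorumConfig(frozenset({"NODE1", "NODE2", "NODE3", "NODE4"}))
    four_w = QuorumConfig(four.nodes, witness=True)
    print("4 nodes, no witness: tolerates", max_node_failures(four), "failure(s)")
    print("4 nodes + witness:   tolerates", max_node_failures(four_w), "failure(s)")
    split = [{"NODE1", "NODE2"}, {"NODE3", "NODE4"}]
    print("2-2 split, no witness      -> quorum on side", partition_outcome(four, split))
    print("2-2 split, witness on side 0 -> quorum on side", partition_outcome(four_w, split, 0))
```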

Quorum Modes in Windows Server 2012 Failover Clustering

The quorum modes in Windows Server 2012 failover clustering are the same modes that are present in Windows Server 2008. As before, a majority of votes determines whether a cluster achieves quorum. Nodes can vote, and where appropriate, either a disk in cluster storage (known as a disk witness) or a file share (known as a file share witness) can vote. There is also a quorum mode called No Majority: Disk Only, which functions like the disk-based quorum in Windows Server 2003. Other than the No Majority: Disk Only mode, there is no single point of failure with the quorum modes, because only the number of votes is important and not whether a particular element is available to vote.

The Windows Server 2012 failover clustering quorum mode is flexible. You can choose the mode best suited to your cluster. Be aware that most of the time it is best to use the quorum mode that the cluster software selects. If you run the Quorum Configuration Wizard, the quorum mode that the wizard lists as recommended is the quorum mode that the cluster software will choose. You should change the quorum configuration only if you have determined that the change is appropriate for your cluster. Windows Server 2012 failover clustering has four quorum modes:

Node Majority. Each node that is available and in communication with other nodes can vote. The cluster functions only with a majority (more than half) of the votes. This model is preferred when the cluster consists of an odd number of server nodes, and no witness is needed to maintain or achieve quorum.


Node and Disk Majority. Each node plus the disk witness, which is a designated disk in the cluster storage, can vote when they are available and in communication. The cluster functions only with a majority (more than half) of the votes. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the disk witness.

Node and File Share Majority. Each node plus the file share witness, which is a designated file share created by the administrator, can vote when they are available and in communication. The cluster functions only with a majority (more than half) of the votes. This model is based on an even number of server nodes being able to communicate with one another in the cluster, in addition to the file share witness.

No Majority: Disk Only. The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage. Only the nodes that are also in communication with that disk can join the cluster.

Except for the No Majority: Disk Only mode, all quorum modes in Windows Server 2012 failover clusters are based on a simple majority vote model. As long as a majority of the votes are available, the cluster continues to function. For example, if there are five votes in the cluster, the cluster continues to function as long as there are at least three available votes. The source of the votes is not relevant; the vote could be a node, a disk witness, or a file share witness. The cluster will stop functioning if a majority of votes is not available.

In the No Majority: Disk Only mode, the quorum-shared disk can veto all other possible votes. In this mode, the cluster will continue to function as long as the quorum-shared disk and at least one node are available. This type of quorum also prevents more than one node from assuming the primary role.

Note: If the quorum-shared disk is not available, the cluster will stop functioning, even if all nodes are still available. In the No Majority: Disk Only mode, the quorum-shared disk is a single point of failure, so this mode is not recommended.

When you configure a failover cluster in Windows Server 2012, the Installation Wizard automatically selects one of two default configurations. By default, failover clustering selects:

Node Majority configuration if there is an odd number of nodes in the cluster.

Node and Disk Majority configuration if there is an even number of nodes in the cluster.

Note: You should modify this setting only if you determine that a change is appropriate for your cluster, and only once you understand the implications of making the change.

In addition to planning your quorum mode, you should also consider the capacity of the nodes in your cluster, and their ability to support the services and applications that may fail over to that node. For example, a cluster that has four nodes and a disk witness will still have quorum after two nodes fail. However, if you have several applications or services deployed on the cluster, each remaining cluster node may not have the capacity to provide services.
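The vote arithmetic described above can be checked on a running cluster. The following Windows PowerShell function is an added example, not part of the course text and not a Microsoft tool; it assumes the FailoverClusters module is present on the node where it runs, and the function name and output fields are this example's own.

```powershell
Import-Module FailoverClusters

function Get-QuorumMargin {
    param([string]$Cluster = '.')   # '.' is the local cluster

    $quorum = Get-ClusterQuorum -Cluster $Cluster
    $nodes  = @(Get-ClusterNode -Cluster $Cluster)

    # Only nodes with NodeWeight 1 vote; a disk or file share witness adds one more vote.
    $voters    = @($nodes | Where-Object { $_.NodeWeight -eq 1 })
    $upVoters  = @($voters | Where-Object { "$($_.State)" -eq 'Up' })
    $witness   = $quorum.QuorumResource       # $null in Node Majority mode
    $witnessUp = ($null -ne $witness) -and ("$($witness.State)" -eq 'Online')

    $totalVotes = $voters.Count   + $(if ($null -ne $witness) { 1 } else { 0 })
    $upVotes    = $upVoters.Count + $(if ($witnessUp) { 1 } else { 0 })

    if ("$($quorum.QuorumType)" -eq 'DiskOnly') {
        # No Majority: Disk Only. The quorum disk vetoes every other vote: the cluster
        # runs only while that disk is online and at least one node is up.
        $hasQuorum = $witnessUp -and ($upVoters.Count -ge 1)
        $needed    = 2
        $margin    = if ($hasQuorum) { $upVoters.Count - 1 } else { 0 }
    } else {
        # Majority modes: more than half of all configured votes must be available.
        $needed    = [int][math]::Floor($totalVotes / 2) + 1
        $hasQuorum = $upVotes -ge $needed
        $margin    = [math]::Max($upVotes - $needed, 0)
    }

    $witnessName = if ($null -ne $witness) { $witness.Name } else { '(none)' }
    [pscustomobject]@{
        QuorumType      = $quorum.QuorumType
        Witness         = $witnessName
        TotalVotes      = $totalVotes
        VotesAvailable  = $upVotes
        VotesNeeded     = $needed
        HasQuorum       = $hasQuorum
        VotesYouCanLose = $margin
    }
}

# A four-node cluster with a disk witness has five votes and needs three, so with
# everything online the report shows VotesYouCanLose = 2.
Get-QuorumMargin
```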


Failover Cluster Networks


Networks and network adapters are important parts of each cluster implementation. You cannot configure a cluster without configuring the networks that the cluster will use. A network can perform one of the following roles in a cluster:

Private network. A private network carries internal cluster communication. By using this network, cluster nodes exchange heartbeats and check for another node or nodes. The failover cluster authenticates all internal communication. However, administrators who are especially concerned about security may want to restrict internal communication to physically secure networks.

Public network. A public network provides client systems with access to cluster application services. IP address resources are created on networks that provide clients with access to the Cluster service.

Public-and-private network. A public-and-private network (also known as a mixed network) carries internal cluster communication and connects clients to cluster application services.

When you configure networks in failover clusters, you should also determine which network to connect to the shared storage. If you use iSCSI for the shared storage connection, the network will use an IP-based Ethernet communications network. However, you should not use this network for node or client communication. Sharing the iSCSI network in this manner may result in contention and latency issues for both users and for the resource that is being provided by the cluster.

Although not a best practice, you can use the private and public networks for both client and node communications. Preferably, you should dedicate an isolated network for the private node communication. The reasoning for this is similar to using a separate Ethernet network for iSCSI, which is to avoid resource bottleneck and contention issues. The public network is configured to enable client connections to the failover cluster. Although the public network can provide backup for the private network, a better design practice is to define alternative networks for the primary private and public networks, or at least team the network interfaces that are used for these networks. The networking features in Windows Server 2012-based clusters include the following:

The nodes transmit and receive heartbeats by using User Datagram Protocol (UDP) unicast, instead of UDP broadcast (which was used in legacy clusters). The messages are sent on port 3343.

You can include clustered servers on different IP subnets, which reduces the complexity of setting up multi-site clusters.

The Failover Cluster Virtual Adapter is a hidden device that is added to each node when you install the failover clustering feature. The adapter is assigned a media access control (MAC) address based on the MAC address that is associated with the first enumerated physical network adapter in the node.

Failover clusters fully support IPv6 for both node-to-node and node-to-client communication.

You can use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, or you can assign static IP addresses to all nodes in the cluster. However, if some nodes have static IP addresses and you configure others to use DHCP, the Validate a Configuration Wizard will respond with an error. The cluster IP address resources are obtained based on the configuration of the network interface that is supporting that cluster network.
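The network roles described above (private for heartbeats, public for clients, and the iSCSI network kept out of cluster communication) can be assigned with Windows PowerShell. The script below is an added example, not part of the course and not a Microsoft tool; the subnet addresses and network names in the plan are assumed values, and the FailoverClusters module is assumed to be available on the node where it runs.

```powershell
Import-Module FailoverClusters

# Cluster network roles (the Role property of a cluster network):
#   0 = None: no heartbeats and no client traffic; use this for the iSCSI storage network
#   1 = Cluster only: private network that carries heartbeats and internal communication
#   3 = Cluster and client: public or mixed network that also serves client connections
$plan = @{
    '10.10.0.0'  = @{ Name = 'Private'; Role = 1 }   # assumed heartbeat subnet
    '172.16.0.0' = @{ Name = 'Public';  Role = 3 }   # assumed client-facing subnet
    '10.20.0.0'  = @{ Name = 'iSCSI';   Role = 0 }   # assumed storage subnet
}

function Set-ClusterNetworkPlan {
    param([hashtable]$Plan)

    foreach ($net in Get-ClusterNetwork) {
        $entry = $Plan[$net.Address]           # Address is the network's IPv4 subnet address
        if (-not $entry) {
            Write-Warning "Network '$($net.Name)' ($($net.Address)) is not in the plan; role left at $($net.Role)"
            continue
        }
        $net.Name = $entry.Name
        $net.Role = $entry.Role                # the Cluster service applies this on every node
    }

    # Check that each node really has an interface on the private network, so that
    # heartbeats never have to fall back to the public or storage networks.
    $private = Get-ClusterNetworkInterface | Where-Object { "$($_.Network)" -eq 'Private' }
    foreach ($node in Get-ClusterNode) {
        if (-not ($private | Where-Object { "$($_.Node)" -eq $node.Name })) {
            Write-Warning "Node $($node.Name) has no interface on the Private network"
        }
    }
    Get-ClusterNetwork | Select-Object Name, Address, Role, State
}

Set-ClusterNetworkPlan -Plan $plan
```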


Failover Cluster Storage


Most failover clustering scenarios require shared storage to provide consistent data to a highly available service or application after failover. There are three shared-storage options for a failover cluster:

Shared serial attached SCSI (SAS). Shared SAS is the lowest-cost option. However, shared SAS is not very flexible for deployment because the two cluster nodes must be physically close together. In addition, the shared storage devices that are supporting shared SAS have a limited number of connections for cluster nodes.

iSCSI. iSCSI is a type of storage area network (SAN) that transmits small computer system interface (SCSI) commands over IP networks. Performance is acceptable for most scenarios when the physical medium for data transmission is between 1 gigabit per second (Gbps) and 10 Gbps Ethernet. This type of SAN is fairly inexpensive to implement, because no specialized networking hardware is required. In Windows Server 2012, you can implement iSCSI target software on any server, and present local storage over an iSCSI interface to clients.

Fibre Channel. Fibre Channel SANs typically have better performance than iSCSI SANs, but are more expensive. Specialized knowledge and hardware are required to implement a Fibre Channel SAN.

Note: The Microsoft iSCSI Software Target is now an integrated feature in Windows Server 2012. This feature can provide storage from a server over a TCP/IP network, including shared storage for applications that are hosted in a failover cluster. In addition, in Windows Server 2012, you can configure a highly available iSCSI Target Server as a clustered role by using Failover Cluster Manager or Windows PowerShell.

Storage Requirements


Before choosing the storage solution, you should also be aware of the following storage requirements:

To use the native disk support that is included in failover clustering, use basic disks and not dynamic disks.

You should format the partitions with NTFS. For the disk witness, the partition must be NTFS, because FAT is not supported. For the partition style of the disk, you can use either master boot record (MBR) or globally unique identifier (GUID) partition table (GPT).

Because improvements in failover clustering require that the storage respond correctly to specific SCSI commands, the storage must follow the SCSI Primary Commands-3 (SPC-3) standard. In particular, the storage must support Persistent Reservations, as specified in the SPC-3 standard.

The miniport driver used for the storage must work with the Storport storage driver. Storport offers a higher performance architecture and better Fibre Channel compatibility in Windows operating systems.


You must isolate storage devices (one cluster per device). You should not allow servers that belong to different clusters to access the same storage devices. You can achieve this by using LUN masking or zoning. This prevents LUNs used on one cluster from being seen on another cluster.

Consider using multipath input/output (I/O) software. Cluster nodes commonly use multiple host bus adapters to access storage, and this lets you achieve additional high availability. To be able to use multiple host bus adapters, you must use multipath software. For Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO). Your hardware vendor usually supplies an MPIO device-specific module (DSM) for your hardware, although Windows Server 2012 includes one or more DSMs as part of the operating system.


Lesson 2

Implementing a Failover Cluster

Failover clusters in Windows Server 2012 have specific recommended hardware and software configurations that enable Microsoft to support the cluster. Failover clusters are intended to provide a higher level of service than stand-alone servers. Therefore, cluster hardware requirements are frequently stricter than requirements for stand-alone servers.

This lesson describes how to prepare for cluster implementation. In this lesson, you will also discuss the hardware, network, storage, infrastructure, and software requirements for Windows Server 2012 failover clusters. Finally, this lesson also outlines the steps for using the Validate a Configuration Wizard to ensure correct cluster configuration, and how to migrate failover clusters.

Lesson Objectives


After completing this lesson, you will be able to:
Explain how to prepare for implementing failover clustering.
Describe hardware requirements for failover clustering.
Describe network requirements for failover clustering.
Describe infrastructure requirements for failover clustering.
Describe software requirements for failover clustering.
Explain how to validate and configure a failover cluster.
Explain how to migrate failover clusters.

Preparing for Failover Cluster Implementation

Before you implement failover clustering, you must identify services and applications that you want to make highly available. Failover clustering cannot be applied to all applications, and sometimes, applications have their own redundancy mechanisms. In addition, you should be aware that failover clustering does not provide improved scalability by adding nodes. You can only obtain scalability by scaling up and using more powerful hardware for the individual nodes. Therefore, you should only use failover clustering when your goal is high availability, and not scalability. In Windows Server 2012, there is one exception to this: if you implement File Services on CSVs, you can also achieve a level of scalability.

Failover clustering is best suited for stateful applications that are restricted to a single set of data. One example of such an application is a database. Data is stored in a single location and can only be used by one database instance. You can also use failover clustering for Hyper-V virtual machines. The best results for failover clustering occur when the client can reconnect to the application automatically after failover. If the client does not reconnect automatically, then the user must restart the client application. Failover clustering uses only IP-based protocols and is, therefore, suited only to IP-based applications. Failover clustering now supports both IPv4 and IPv6.


Consider the following guidelines when planning node capacity in a failover cluster:

Spread out the highly available applications from a failed node. When all nodes in a failover cluster are active, the highly available services or applications from a failed node should be spread out among the remaining nodes to prevent a single node from being overloaded.

Ensure that each node has sufficient idle capacity to service the highly available services or applications that are allocated to it when another node fails. This idle capacity should be a sufficient buffer to avoid nodes running at near capacity after a failure event. Failure to plan resource utilization adequately can result in a decrease in performance following node failure.

Use hardware with similar capacity for all nodes in a cluster. This simplifies the planning process for failover, because the failover load will be evenly distributed among the surviving nodes.

Use standby servers to simplify capacity planning. When a passive node is included in the cluster, then all highly available services or applications from a failed node can fail over to the passive node. This avoids the need for complex capacity planning. If this configuration is selected, it is important that the standby server has sufficient capacity to run the load from more than one node failure.

You should also examine all cluster configuration components to identify single points of failure. You can remedy many single points of failure with simple solutions, such as adding storage controllers to separate and stripe disks, or teaming network adapters, and using multipathing software. These solutions reduce the probability that a failure of a single device will cause a failure in the cluster. Typically, server class computer hardware has options for multiple power supplies for power redundancy, and for creating redundant array of independent disk (RAID) sets for disk data redundancy.

Hardware Requirements for Failover Cluster Implementation


It is very important to make good decisions when you select hardware for cluster nodes. Failover clusters have to satisfy the following criteria to meet availability and support requirements:

All hardware that you select for a failover cluster should meet the Certified for Windows Server 2012 logo requirements. Hardware that has this logo has been independently tested to meet the highest technical bar for reliability, availability, stability, security, and platform compatibility. This logo also means that official support options exist in case malfunctions arise.

You should install the same or similar hardware on each failover cluster node. For example, if you choose a specific model of network adapter, you should install this adapter on each of the cluster nodes.

If you are using SAS or Fibre Channel storage connections, the mass storage device controllers that are dedicated to the cluster storage should be identical in all clustered servers. They should also use the same firmware version.

If you are using iSCSI storage connections, each clustered server must have one or more network adapters or host bus adapters dedicated to the cluster storage. The network that you use for iSCSI storage connections should not be used for network communication. In all clustered servers, the network adapters that you use to connect to the iSCSI storage target should be identical, and we recommend that you use 1 Gbps Ethernet or more.


After you configure the servers with the hardware, all tests provided in the Validate a Configuration Wizard must be passed before the cluster is considered a configuration that will be supported by Microsoft.

Network Requirements for Failover Cluster Implementation


One of the network requirements for failover cluster implementation is that failover cluster network components must have the Certified for Windows Server 2012 logo, and must also pass the tests in the Validate a Configuration Wizard. Additionally:

The network adapters in each node should be identical and have the same IP protocol version, speed, duplex, and flow control capabilities that are available.

The networks and network equipment to which you connect the nodes should be redundant so that even a single failure allows for the nodes to continue communicating with one another. You can use network adapter teaming to provide single network redundancy. We recommend multiple networks to provide multiple paths between nodes for inter-node communication. Otherwise, a warning will be generated during the validation process.

The network adapters in a cluster network must have the same IP address assignment method, which means either that they all use static IP addresses, or that they all use DHCP.

Note: If you connect cluster nodes with a single network, the network passes the redundancy requirement in the Validate a Configuration Wizard. However, the report from the wizard will include a warning that the network should not have single points of failure.

Infrastructure Requirements for Failover Cluster Implementation


Failover clusters depend on infrastructure services. Each server node must be in the same Active Directory domain, and if you use Domain Name System (DNS), the nodes should use the same DNS servers for name resolution. We recommend that you install the same Windows Server 2012 features and roles on each node. Inconsistent configuration on cluster nodes can cause instability and performance issues. In addition, you should not install the AD DS role on any of the cluster nodes, because AD DS has its own fault-tolerance mechanism. If you install the AD DS role on one of the nodes, you must install it on all nodes. However, this is not recommended.


You must have the following network infrastructure for a failover cluster:

Network settings and IP addresses. When you use identical network adapters for a network, also use identical communication settings such as speed, duplex mode, flow control, and media type on those adapters. Also, compare the settings between the network adapter and the switch to which it connects, and ensure that no settings are in conflict. Otherwise, network congestion or frame loss might occur, which could adversely affect how the cluster nodes communicate among themselves, with clients or with storage systems.

Unique subnets. If you have private networks that are not routed to the rest of the network infrastructure, ensure that each of these private networks uses a unique subnet. This is necessary even if you give each network adapter a unique IP address. In addition, these private network addresses should not be registered in DNS. For example, if you have a cluster node in a central office that uses one physical network, and another node in a branch office that uses a separate physical network, do not specify 10.0.0.0/24 for both networks, even if you give each adapter a unique IP address. This avoids routing loops and other network communications problems if, for example, the segments are accidentally configured into the same collision domain because of incorrect virtual local area network (VLAN) assignments.

DNS. The servers in the cluster typically use DNS for name resolution. DNS dynamic update protocol is a supported configuration.

Domain role. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server because AD DS inherently includes its own failover protection mechanism.

Account for administering the cluster. To be able to administer the cluster, you must have an account with appropriate permissions. You must have local administrator rights on all nodes that participate in the cluster. In addition, when you create the cluster, you must have the right to create new objects in domains. You can do this with the Domain Admin account, or you can delegate these rights to another domain account.

In Windows Server 2012, there is no cluster service account. Instead, the Cluster service automatically runs in a special context that provides the specific permissions and credentials that are necessary for the service (similar to the local system context, but with reduced credentials). When a failover cluster is created and a corresponding computer object is created in AD DS, that object is configured to prevent accidental deletion. In addition, the cluster Network Name resource has an additional health check logic, which periodically verifies the health and properties of the computer object that represents the Network Name resource.


Software Requirements for Failover Cluster Implementation

Failover clusters require that each cluster node must run the same edition of Windows Server 2012. The edition can be either Windows Server 2012 Standard or Windows Server 2012 Datacenter. The nodes should also have the same software updates and service packs. Depending on the role that will be clustered, a Windows Server 2012 Server Core installation may also meet the software requirements. In Windows Server 2012, Server Core is the default installation option, and therefore you should consider it as a cluster node. However, Failover Clustering can also be installed on a full GUI version. It is also important that the same version of service packs or any operating system updates exist on all nodes that are parts of a cluster.

Note: Windows Server 2012 provides Cluster-Aware Updating technology that can help you maintain updates on cluster nodes. This feature will be discussed in more detail in Lesson 4: Maintaining a Failover Cluster.

Each node must run the same processor architecture. This means that each node must have the same processor family, which might be, for example, the Intel Xeon processor family with Extended Memory 64 Technology, the AMD Opteron AMD64 family, or the Intel Itanium-based processor family.

Demonstration: Validating and Configuring a Failover Cluster

The Validate a Configuration Wizard runs tests that confirm if the hardware and software settings are compatible with failover clustering. Using the wizard, you can run the complete set of configuration tests or a subset of the tests. You should run the tests on servers and storage devices before you configure the failover cluster, and again after you make any major changes to the cluster. You can access the test results in the %windir%\cluster\Reports directory.

Demonstration Steps: Validate and Configure a Cluster


1. Start the Failover Cluster Manager on LON-SVR3.
2. Start the Validate Configuration Wizard.
3. Review the report.
4. Create a new cluster. Add LON-SVR3 and LON-SVR4 as cluster nodes.
5. Name the cluster Cluster1.
6. Use 172.16.0.125 as the IP address.
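The same demonstration driven from Windows PowerShell instead of Failover Cluster Manager, as an added example that is not part of the course: the node names, cluster name and IP address are the demonstration's, and the FailoverClusters module is assumed to be installed on the node where the script runs.

```powershell
Import-Module FailoverClusters

$nodes = 'LON-SVR3', 'LON-SVR4'

# Steps 2 and 3: run the full set of validation tests and open the report. Test-Cluster
# writes an .htm report under %windir%\cluster\Reports and returns that file.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"
Invoke-Item $report.FullName        # review every warning before you build the cluster

# Steps 4 to 6: create the cluster from both nodes with the name and static address
# used in the demonstration. Omit -StaticAddress to let the cluster use DHCP instead.
$cluster = New-Cluster -Name 'Cluster1' -Node $nodes -StaticAddress '172.16.0.125'

# Confirm the result: both nodes up, and the quorum mode the software picked for an
# even node count (Node and Disk Majority when a shared disk was available, otherwise
# Node Majority, which two nodes cannot sustain after losing one of them).
Get-ClusterNode -Cluster $cluster.Name | Select-Object Name, State, NodeWeight
Get-ClusterQuorum -Cluster $cluster.Name | Select-Object QuorumType, QuorumResource

# Core cluster resources: the network name and IP address that clients connect to.
Get-ClusterResource -Cluster $cluster.Name |
    Where-Object { "$($_.OwnerGroup)" -eq 'Cluster Group' } |
    Select-Object Name, ResourceType, State
```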


Migrating Failover Clusters


In some scenarios, such as replacing cluster nodes, or upgrading to a newer version of a Windows operating system, you will need to migrate clustered roles or services from one cluster to another. In Windows Server 2012, it is possible to migrate clustered roles and cluster configuration from clusters running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. You can migrate these roles and configurations in one of two ways:

Migrate from an existing cluster to a new cluster that is running Windows Server 2012: In this scenario, you have two new cluster nodes running Windows Server 2012, and you then perform migration from an existing cluster with nodes running Windows Server 2008 or later.

Perform an in-place migration on a two-node cluster: This is a more complex scenario, where you want to migrate a cluster to a new version of the Windows operating system. In this scenario, you do not have additional computers for new cluster nodes. For example, you may want to upgrade a cluster that is currently running on Windows Server 2008 R2 to a cluster running Windows Server 2012. To achieve this, you must first remove resources from one node, and evict that node from the cluster. Next, you perform a clean installation of Windows Server 2012 on that server. After Windows Server 2012 is installed, you create a one-node failover cluster, migrate the clustered services and applications from the old cluster node to that failover cluster, and then remove the old node from the cluster. The last step is to install Windows Server 2012 on the other cluster node, together with the failover cluster feature, add the server to the failover cluster, and run validation tests to confirm that the overall configuration works correctly.

The Cluster Migration Wizard is a tool that lets you perform the migration of clustered roles. Because the Cluster Migration Wizard does not copy data from one storage location to another, you must copy or move data or folders (including shared folder settings) during a migration. In addition, the Cluster Migration Wizard does not migrate mount-point information (information about hard disk drives that do not use drive letters, and are mounted in a folder on another hard disk drive). However, it can migrate physical disk resource settings to and from disks that use mount points.


Lesson 3

Configuring Highly Available Applications and Services on a Failover Cluster

After you have configured your clustering infrastructure, you should configure specific roles or services to be highly available. Not all roles can be clustered. Therefore, you should first identify the resource that you want to put in a cluster, and then verify whether that resource is supported. In this lesson, you will learn about configuring roles and applications in clusters, and you will learn about configuring cluster settings.

Lesson Objectives


After completing this lesson, you will be able to:
Describe and identify cluster resources and services.
Describe the process for clustering server roles.
Cluster a file server role.
Explain how to configure failover cluster properties.
Explain how to manage cluster nodes.
Explain how to configure application failover settings.

Identifying Cluster Resources and Services


Clustered services are services or applications that are made highly available by installing them on a failover cluster. Clustered services are active on one node, but can be moved to another node. A clustered service that contains an IP address resource and a network name resource (and other resources) is published to a client on the network under a unique server name. Because this group of resources displays as a single logical server to clients, it is called a clustered instance. Users access applications or services on an instance in the same manner as they would if the applications or services were on a non-clustered server. Usually, applications or users do not know that they are connecting to a cluster, or the node to which they are connected.

Resources are physical or logical entities, such as a file share, disk, or IP address, that the failover cluster manages. Resources are the most basic and smallest configurable units that may provide a service to clients, or may be important parts of the cluster. At any time, a resource can run only on a single node in a cluster, and is online on a node when it provides its service to that specific node.

Server Cluster Resources


A cluster resource is any physical or logical component that has the following characteristics:

• It can be brought online and taken offline.
• It can be managed in a server cluster.
• It can be hosted (owned) by only one node at a time.


To manage resources, the Cluster service communicates to a resource DLL through a resource monitor. When the Cluster service makes a request for a resource, the resource monitor calls the appropriate entry point function in the resource DLL to check and control the resource state.

Dependent Resources

A dependent resource is one that requires another resource to operate. For example, because a network name must be associated with an IP address, a network name is considered a dependent resource. Because of this requirement, a network name resource depends on an IP address resource. Dependent resources are taken offline before the resources upon which they depend are taken offline. Similarly, they are brought online after the resources on which they depend are brought online. A resource can specify one or more resources on which it is dependent. Resource dependencies also determine bindings. For example, clients will be bound to the particular IP address on which a network name resource depends.

When you create resource dependencies, consider the fact that although some dependencies are strictly required, others are not required but are recommended. For example, a file share that is not a Distributed File System (DFS) root has no required dependencies. However, if the disk resource that holds the file share fails, the file share will be inaccessible to users. Therefore, it is logical to make the file share dependent on the disk resource. A resource can also specify a list of nodes on which it can run. Possible nodes and dependencies are important considerations when administrators organize resources into groups.

Process for Clustering Server Roles


Failover clustering supports the clustering of several Windows Server roles, such as File Services, DHCP, and Hyper-V. To implement clustering for a server role, or for external applications such as Microsoft SQL Server or Exchange Server, perform the following procedure:

1. Install the failover clustering feature. Use Server Manager, dism.exe, or Windows PowerShell to install the failover clustering feature on all computers that will be cluster members. In Windows Server 2012, you can install roles and features on multiple servers simultaneously from a single Server Manager console.

2. Verify configuration and create a cluster with the appropriate nodes. Use the Failover Cluster Manager snap-in to first validate a configuration, and then create a cluster with selected nodes.

3. Install the role on all cluster nodes. Use Server Manager, dism.exe, or Windows PowerShell to install the server role that you want to use in the cluster.

4. Create a clustered application by using the Failover Cluster Manager snap-in.

5. Configure the application. Configure options on the application that is being used in the cluster.

6. Test failover. Use the Failover Cluster Management snap-in to test failover by intentionally moving the service from one node to another.

After you create the cluster, you can monitor its status by using the Failover Cluster Management console, and manage available options.


Demonstration: Clustering a File Server Role


Demonstration Steps

Cluster a File Server Role

1. On LON-SVR3, add Cluster Disk 2 as cluster storage for Cluster1.
2. Configure File Server as a clustered role. Configure a File Server for general use.
3. For the Client Access Point name, type AdatumFS with the address of 172.16.0.55.
4. Use Cluster Disk 2 for the storage for AdatumFS.
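The six-step procedure from the previous topic and the demonstration steps above, carried out end to end with the FailoverClusters and ServerManager PowerShell modules. This is an added example, not course material; it assumes LON-SVR3 and LON-SVR4 are domain-joined with the shared disk already presented to both, and the cluster management address, the ADATUM group names, the share name and the drive letter of Cluster Disk 2 are constructed placeholders.

```powershell
# Added example, not from the course. Run from a machine with the Failover Clustering
# tools, as a user who is a local administrator on both nodes.

$Nodes       = 'LON-SVR3', 'LON-SVR4'     # names from the course demonstration
$ClusterName = 'Cluster1'
$ClusterIP   = '172.16.0.50'              # PLACEHOLDER: cluster management address
$RoleName    = 'AdatumFS'
$RoleIP      = '172.16.0.55'
$DiskName    = 'Cluster Disk 2'

# Step 1: install the feature (and its management tools) on every future member at once.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
}

# Step 2: validate, then create. Stop on a failed validation rather than build a
# cluster that is not a supported configuration.
Test-Cluster -Node $Nodes -ErrorAction Stop | Out-Null
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null

# Step 3: the File Server role must exist on every node that may own the clustered role.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Install-WindowsFeature -Name FS-FileServer
}

# Demonstration step 1: bring the shared disk under cluster control. Disks are named
# "Cluster Disk N" as they are added, so confirm the expected resource exists.
Get-ClusterAvailableDisk -Cluster $ClusterName | Add-ClusterDisk | Out-Null
if (-not (Get-ClusterResource -Cluster $ClusterName -Name $DiskName -ErrorAction SilentlyContinue)) {
    throw "Clustered disk '$DiskName' was not found after adding the available disks"
}

# Step 4 / demonstration steps 2-4: File Server (general use) role, its client access
# point (network name plus IP address) and its storage in one call.
Add-ClusterFileServerRole -Cluster $ClusterName -Name $RoleName `
    -StaticAddress $RoleIP -Storage $DiskName | Out-Null

# Step 5: configure the application. For a file server that means shares scoped to the
# clustered name, created on the node that currently owns the disk.
$Owner = (Get-ClusterGroup -Cluster $ClusterName -Name $RoleName).OwnerNode.Name
Invoke-Command -ComputerName $Owner -ArgumentList $RoleName -ScriptBlock {
    param($Scope)
    $SharePath = 'F:\Data'   # PLACEHOLDER: letter that Cluster Disk 2 received on this node
    New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
    # A scoped share is published as \\AdatumFS\Data, not under the node's own name.
    New-SmbShare -Name 'Data' -Path $SharePath -ScopeName $Scope `
        -FullAccess 'ADATUM\Domain Admins' -ChangeAccess 'ADATUM\Domain Users'   # assumed groups
}

# Step 6: test failover by moving the role deliberately, then check where it landed.
Move-ClusterGroup -Cluster $ClusterName -Name $RoleName -Node 'LON-SVR4' | Out-Null
Get-ClusterGroup -Cluster $ClusterName -Name $RoleName |
    Select-Object Name, State, @{n = 'OwnerNode'; e = { $_.OwnerNode.Name }}
```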

Configuring Failover Cluster Properties


Once you create a cluster, the newly created cluster has many properties that you can configure. When you open Cluster Properties, you can configure the cluster name or change the name, you can add various types of resources such as IP address and network name to the cluster, and you can also configure cluster permissions. By configuring permissions, you determine who can have full control over that specific cluster and who can just read the cluster configuration. In addition, you can perform some standard management tasks on each cluster periodically, or on demand. These tasks range from adding and removing cluster nodes, to modifying the quorum settings. Some of the most frequently used configuration tasks include:

• Managing cluster nodes: For each node in a cluster, you can stop the cluster service temporarily, pause the service, initiate remote desktop to the node, or evict the node from the cluster.
• Managing cluster networks: You can add or remove cluster networks, and configure networks that will be dedicated to inter-cluster communication.
• Managing permissions: By managing permissions, you can delegate rights to administer a cluster.
• Configuring cluster quorum settings: By configuring quorum settings, you determine the way in which quorum is achieved, as well as who can have a vote in a cluster.
• Migrating services and applications to a cluster: You can implement existing services to the cluster and make them highly available.
• Configuring new services and applications to work in a cluster: You can implement new services to the cluster.
• Removing a cluster: You can remove a cluster if you decide to stop using clustering, or if you want to move the cluster to another set of nodes.

You can perform most of these administrative tasks by using the Failover Cluster Management console, or by using Windows PowerShell. However, Cluster.exe, which was used for some of these tasks in previous Windows Server operating system versions, is no longer supported in Windows Server 2012, and is not part of the default installation.


Managing Cluster Nodes


Cluster nodes are mandatory for each cluster. After you create a cluster and put it into production, you might have to manage cluster nodes occasionally. You can manage cluster nodes by using the Failover Cluster Management console or Windows PowerShell. There are three aspects to managing cluster nodes:

• You can add a node to an established failover cluster by selecting Add Node in the Failover Cluster Management Actions pane in the Failover Cluster Manager console. The Add Node Wizard prompts you for information about the additional node.
• You can pause a node to prevent resources from being failed over or moved to the node. You typically pause a node when it is undergoing maintenance or troubleshooting. When you are pausing a node, you can choose to drain roles from that node.
• You can evict a node, which is an irreversible process for a cluster node. After you evict the node, it must be re-added to the cluster. You evict nodes when a node is damaged beyond repair, or is no longer needed in the cluster. If you evict a damaged node, you can repair or replace it, and then add it back to the cluster by using the Add Node Wizard.
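The three node-management operations above as PowerShell functions, each with the check an operator wants before and after the step. This is an added example, not course material; cluster and node names follow the course demonstration and the FailoverClusters module is assumed to be present.

```powershell
# Added example, not from the course.

# Add: validate the candidate together with the existing members before adding it, so
# the cluster stays in a validated (supported) configuration.
function Add-ValidatedClusterNode {
    param([string]$Cluster, [string]$NewNode)
    $Members = (Get-ClusterNode -Cluster $Cluster).Name
    Test-Cluster -Cluster $Cluster -Node ($Members + $NewNode) -ErrorAction Stop | Out-Null
    Add-ClusterNode -Cluster $Cluster -Name $NewNode
}

# Pause with drain: roles move off the node and nothing fails over onto it while it is
# paused. Returns what is still on the node, so the caller can refuse to start work if
# the drain did not finish (for example a role whose only possible owner is this node).
function Enter-ClusterNodeMaintenance {
    param([string]$Cluster, [string]$Node)
    Suspend-ClusterNode -Cluster $Cluster -Name $Node -Drain -Wait | Out-Null
    $State = Get-ClusterNode -Cluster $Cluster -Name $Node
    $Remaining = Get-ClusterGroup -Cluster $Cluster |
        Where-Object { $_.OwnerNode.Name -eq $Node -and $_.Name -ne 'Cluster Group' }
    [pscustomobject]@{
        Node        = $Node
        NodeState   = $State.State.ToString()        # expected: Paused
        DrainStatus = $State.DrainStatus.ToString()  # expected: Completed
        Remaining   = @($Remaining.Name)
    }
}

# Resume, failing back the roles that prefer this node (see the Failover tab settings).
function Exit-ClusterNodeMaintenance {
    param([string]$Cluster, [string]$Node)
    Resume-ClusterNode -Cluster $Cluster -Name $Node -Failback Immediate
}

# Evict: irreversible, so insist that the node is paused or down and owns nothing, and
# say how many votes are left so the quorum configuration can be reviewed.
function Remove-ClusterNodeSafely {
    param([string]$Cluster, [string]$Node)
    $State = Get-ClusterNode -Cluster $Cluster -Name $Node
    if ($State.State -notin 'Paused', 'Down') {
        throw "Node $Node is $($State.State); pause and drain it before evicting it"
    }
    $Owned = Get-ClusterGroup -Cluster $Cluster | Where-Object { $_.OwnerNode.Name -eq $Node }
    if ($Owned) { throw "Node $Node still owns: $($Owned.Name -join ', ')" }
    $Voters = @(Get-ClusterNode -Cluster $Cluster | Where-Object { $_.NodeWeight -eq 1 }).Count
    Write-Warning "After eviction $Cluster has $($Voters - 1) voting node(s); review Get-ClusterQuorum"
    Remove-ClusterNode -Cluster $Cluster -Name $Node -Force
}

# Usage against the course lab: take LON-SVR4 out for maintenance and bring it back.
Enter-ClusterNodeMaintenance -Cluster 'Cluster1' -Node 'LON-SVR4'
Exit-ClusterNodeMaintenance  -Cluster 'Cluster1' -Node 'LON-SVR4'
```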

Configuring Application Failover Settings


You can adjust failover settings, including preferred owners and failback settings, to control how the cluster responds when the application or service fails. You can configure these settings on the property sheet for the clustered service or application (either on the General tab or on the Failover tab).


The following table provides examples that show how these settings work.

Example 1
  Setting: General tab, Preferred owner: Node1
           Failover tab, Failback setting: Allow failback (Immediately)
  Result:  If the service or application fails over from Node1 to Node2, when Node1 is once again available, the service or application will fail back to Node1.

Example 2
  Setting: Failover tab, Maximum failures in the specified period: 2
           Failover tab, Period (hours): 6
  Result:  In a six-hour period, if the application or service fails no more than two times, it will be restarted or failed over every time. If the application or service fails a third time in the six-hour period, it will be left in the failed state. The default value for the maximum number of failures is n-1, where n is the number of nodes. You can change the value, but we recommend a fairly low value so that if multiple node failures occur, the application or service will not be moved between nodes indefinitely.
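The two table examples applied to the AdatumFS role on Cluster1 through the clustered group's properties, followed by a read-back that reports the effective policy in the table's own terms. This is an added example, not course material; node names follow the course demonstration, with LON-SVR3 standing in for Node1.

```powershell
# Added example, not from the course.

$Cluster = 'Cluster1'
$Role    = 'AdatumFS'

# Example 1: General tab, Preferred owner: Node1 (LON-SVR3 here; list order is preference
# order), and Failover tab, Allow failback (Immediately).
Set-ClusterOwnerNode -Cluster $Cluster -Group $Role -Owners 'LON-SVR3', 'LON-SVR4'
$Group = Get-ClusterGroup -Cluster $Cluster -Name $Role
$Group.AutoFailbackType    = 1    # 0 = prevent failback, 1 = allow failback
$Group.FailbackWindowStart = -1   # -1 for both bounds = fail back immediately instead of
$Group.FailbackWindowEnd   = -1   # only between two hours of the day

# Example 2: Failover tab, Maximum failures in the specified period: 2, Period (hours): 6.
$Group.FailoverThreshold = 2
$Group.FailoverPeriod    = 6

# Read the effective policy back. AboveDefault flags a threshold higher than the n-1
# default the text describes, which is the setting that lets a role bounce between nodes.
function Get-RoleFailoverPolicy {
    param([string]$Cluster, [string]$Role)
    $g = Get-ClusterGroup -Cluster $Cluster -Name $Role
    $n = @(Get-ClusterNode -Cluster $Cluster).Count
    $Owners = (Get-ClusterOwnerNode -Cluster $Cluster -Group $Role).OwnerNodes.Name
    if ($g.AutoFailbackType -ne 1) {
        $Failback = 'Prevented'
    } elseif ($g.FailbackWindowStart -eq -1) {
        $Failback = 'Immediately'
    } else {
        $Failback = "Between $($g.FailbackWindowStart):00 and $($g.FailbackWindowEnd):00"
    }
    [pscustomobject]@{
        Role            = $g.Name
        PreferredOwners = ($Owners -join ' > ')
        Failback        = $Failback
        MaxFailures     = $g.FailoverThreshold
        PeriodHours     = $g.FailoverPeriod
        AboveDefault    = ($g.FailoverThreshold -gt ($n - 1))
    }
}

Get-RoleFailoverPolicy -Cluster $Cluster -Role $Role
```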


Lesson 4

Maintaining a Failover Cluster

Once your cluster infrastructure is running, it is important that you establish monitoring to prevent possible failures. In addition, it is important that you have backup and restore procedures for the cluster configuration. Windows Server 2012 has new technology that allows you to update cluster nodes without downtime. In this lesson, you will learn about monitoring failover clusters, backing up and restoring cluster configurations, and updating cluster nodes.

Lesson Objectives


After completing this lesson, you will be able to:

• Explain how to monitor failover clusters.
• Explain how to back up and restore a failover cluster configuration.
• Explain how to maintain and troubleshoot failover clusters.
• Describe Cluster-Aware Updating.
• Configure Cluster-Aware Updating.

Monitoring Failover Clusters

Many tools are available in Windows Server 2012 to help you monitor failover clusters. You can use standard Windows Server tools such as the Event Viewer and the Performance and Reliability Monitor snap-in to review cluster event logs and performance metrics. You can also use Tracerpt.exe to export data for analysis. Additionally, you can use the Multipurpose Internet Mail Extension Hypertext Markup Language (MHTML)-formatted cluster configuration reports and the Validate a Configuration Wizard to troubleshoot problems with the cluster configuration and hardware changes. Since the cluster.exe command-line tool is deprecated in Windows Server 2012, you can use Windows PowerShell instead to perform similar tasks.

Event Viewer

When problems arise in the cluster, use the Event Viewer to view events with a Critical, Error, or Warning severity level. Additionally, informational-level events are logged to the failover clustering Operations log, which can be found in the Event Viewer in the Applications and Services Logs\Microsoft\Windows folder. Informational-level events are usually common cluster operations, such as cluster nodes leaving and joining the cluster, or resources going offline or coming online.

In previous Windows Server versions, event logs were replicated to each node in the cluster. This simplified cluster troubleshooting, because you could review all event logs on a single cluster node. Windows Server 2012 does not replicate the event logs between nodes. However, the Failover Cluster Management snap-in has a Cluster Events option that enables you to view and filter events across all cluster nodes. This feature is helpful in correlating events across cluster nodes. The Failover Cluster Management snap-in also provides a Recent Cluster Events option that will query all the Error and Warning events from all the cluster nodes in the last 24 hours. You can access additional logs, such as the Analytic and Debug logs, in the Event Viewer. To display these logs, modify the view on the top menu by selecting the Show Analytic and Debug Logs option.

Windows Event Tracing

Windows event tracing is a kernel component that is available early after startup, and late into shutdown. It is designed to allow for fast tracing and delivery of events, to trace files and to consumers. Because it is designed to be fast, Windows event tracing enables only basic in-process filtering of events based on event attributes. The event trace log contains a comprehensive accounting of the failover cluster actions. Depending on how you want to view the data, use Windows PowerShell or Tracerpt.exe to access the information in the event trace log. Tracerpt.exe will parse the event trace logs only on the node on which it is run. All the individual logs are collected in a central location. To transform the XML file into a text file or an HTML file that can be opened in Windows Internet Explorer, you can parse the XML-based file by using the Microsoft XSL parsing command prompt msxsl.exe tool, and an XSL style sheet.
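The Recent Cluster Events query from the Event Viewer topic and the event trace log from this topic, done from PowerShell: because Windows Server 2012 no longer replicates event logs between nodes, each node is queried and the results are merged into one time-ordered, correlated view. This is an added example, not course material; the cluster name comes from the course demonstration and the output folder is an assumption.

```powershell
# Added example, not from the course.

function Get-RecentClusterEvents {
    param(
        [string]$Cluster = 'Cluster1',   # name from the course demonstration
        [int]$Hours = 24,                # same window as the Recent Cluster Events view
        [int[]]$Levels = @(1, 2, 3)      # 1 Critical, 2 Error, 3 Warning
    )
    $Since = (Get-Date).AddHours(-$Hours)
    foreach ($Node in (Get-ClusterNode -Cluster $Cluster).Name) {
        try {
            Get-WinEvent -ComputerName $Node -ErrorAction Stop -FilterHashtable @{
                LogName      = 'Microsoft-Windows-FailoverClustering/Operational', 'System'
                ProviderName = 'Microsoft-Windows-FailoverClustering'
                Level        = $Levels
                StartTime    = $Since
            } | Select-Object @{n = 'Node'; e = { $Node }}, TimeCreated, Id, LevelDisplayName, Message
        } catch {
            # "No events" is reported as an error by Get-WinEvent and is not a problem;
            # a node that cannot be reached is, so surface that one.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "${Node}: $($_.Exception.Message)"
            }
        }
    }
}

# Which event IDs repeat, and on how many nodes. A condition that every node reports
# points at shared infrastructure (storage, network) rather than at one node.
function Get-ClusterEventSummary {
    param([string]$Cluster = 'Cluster1', [int]$Hours = 24)
    Get-RecentClusterEvents -Cluster $Cluster -Hours $Hours |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{n = 'EventId'; e = { [int]$_.Name }},
            @{n = 'Nodes';   e = { ($_.Group.Node | Sort-Object -Unique) -join ',' }},
            @{n = 'Last';    e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum }},
            @{n = 'Message'; e = { $_.Group[0].Message.Split("`n")[0] }}
}

# The event trace log for the last hour from every node, written to one folder, which
# is the PowerShell way to produce the cluster log now that cluster.exe is deprecated.
function Export-ClusterTraceLog {
    param([string]$Cluster = 'Cluster1', [string]$Destination = 'C:\ClusterLogs', [int]$Minutes = 60)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null   # folder is an assumption
    Get-ClusterLog -Cluster $Cluster -Destination $Destination -TimeSpan $Minutes
}

Get-RecentClusterEvents | Sort-Object TimeCreated | Format-Table -AutoSize
Get-ClusterEventSummary | Format-Table -AutoSize
```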

Performance and Reliability Monitor Snap-In


The Performance and Reliability Monitor snap-in lets you:

• Trend application performance on each node. To determine how an application is performing, you can view and trend specific information on system resources that are being used on each node.
• Trend application failures and stability on each node. You can pinpoint when application failures occur, and match the application failures with other events on the node.
• Modify trace log settings. You can start, stop, and adjust trace logs, including their size and location.

Backing Up and Restoring Failover Cluster Configuration


Cluster configuration can be a time-consuming process with many details. Therefore, backing up your cluster configuration is important. You can perform cluster configuration backup and restore using Windows Server Backup or a non-Microsoft backup tool. When you back up the cluster configuration, be aware of the following:

• You must test your backup and recovery process before putting a cluster into production.
• You must first add the Windows Server Backup feature, if you decide to use it. You can do this by using Server Manager, by using the dism.exe utility, or by using Windows PowerShell.

Windows Server Backup is the built-in backup and recovery software for Windows Server 2012. To complete a successful backup, consider the following:

• For a backup to succeed in a failover cluster, the cluster must be running and must have quorum. In other words, enough nodes must be running and communicating (perhaps with a witness disk or witness file share, depending on the quorum configuration) that the cluster has achieved quorum.
• You must back up all clustered applications. If you cluster a SQL Server database, you must have a backup plan for the databases and configuration outside the cluster configuration.
• If application data must be backed up, the disks on which you store the data must be made available to the backup software. You can achieve this by running the backup software from the cluster node that owns the disk resource, or by running a backup against the clustered resource over the network. If you are using CSVs, you can run backup from any node that is attached to the CSV volume.
• The cluster service tracks which cluster configuration is the most recent, and it replicates that configuration to all cluster nodes. If the cluster has a witness disk, the Cluster service also replicates the configuration to the witness disk.

Restoring a Cluster

There are two types of restore:

• Non-authoritative restore. Use a non-authoritative restore when a single node in the cluster is damaged or rebuilt, and the rest of the cluster is operating correctly. Perform a non-authoritative restore by restoring the system recovery (system state) information to the damaged node. When you restart that node, it will join the cluster and receive the latest cluster configuration automatically.
• Authoritative restore. Use an authoritative restore when the cluster configuration must be rolled back to a previous point in time. For example, use an authoritative restore if an administrator accidentally removed clustered resources or modified other cluster settings. Perform the authoritative restore by stopping the cluster resource on each node, and then performing a system recovery (system state) on a single node by using the Windows Server Backup interface. After the restored node restarts the cluster service, the remaining cluster nodes can also start the cluster service.

Maintaining and Troubleshooting Failover Clusters


Cluster validation functionality implemented in Windows Server 2012 failover clustering prevents misconfigurations and non-working clusters. However, in some cases you may still have to perform maintenance or cluster troubleshooting. Some common maintenance tasks can help you prevent problems in cluster configuration:

• Use the Validate a Configuration Wizard to highlight configuration issues that might cause cluster problems.
• Review cluster events and trace logs to identify application or hardware issues that might cause an unstable cluster.
• Review hardware events and logs to help pinpoint specific hardware components that might cause an unstable cluster.
• Review SAN components, switches, adapters, and storage controllers to help identify any potential problems.

When troubleshooting failover clusters:

• Identify the perceived problem by collecting and documenting the symptoms of the problem.
• Identify the scope of the problem so that you can understand what is being affected by the problem, and the impact of that effect on the application and the clients.
• Collect information so that you can accurately understand and pinpoint the possible problem. After you identify a list of possible problems, you can prioritize them by probability, or by the impact of a repair. If you cannot pinpoint the problem, you should attempt to re-create the problem.
• Create a schedule for repairing the problem. For example, if the problem only affects a small subset of users, you can delay the repair to an off-peak time so that you can schedule downtime.
• Complete and test each repair one at a time so that you can identify the fix.

To troubleshoot SAN issues, start by checking physical connections and by checking each of the hardware component logs. Additionally, run the Validate a Configuration Wizard to verify that the current cluster configuration is still supportable.

Note: When you run the Validate a Configuration Wizard, ensure that the storage tests that you select can be run on an online failover cluster. Several of the storage tests cause loss of service on the clustered disk when the tests are run.

Troubleshooting Group and Resource Failures


To troubleshoot group and resource failures:

• Use the Dependency Viewer in the Failover Cluster Management snap-in to identify dependent resources.
• Check the Event Viewer and trace logs for errors from the dependent resources.
• Determine whether the problem only happens on a specific node or nodes, by trying to re-create the problem on different nodes.
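The same three steps from PowerShell: walk a clustered role's dependency tree, separate the resource that failed first from the resources that were taken offline only because they depend on it, and re-create the failure on another node. This is an added example, not course material; cluster, role and node names follow the course demonstration.

```powershell
# Added example, not from the course.

function Get-GroupResourceState {
    param([string]$Cluster = 'Cluster1', [string]$Group = 'AdatumFS')
    Get-ClusterGroup -Cluster $Cluster -Name $Group | Get-ClusterResource | ForEach-Object {
        $Expr = (Get-ClusterResourceDependency -Cluster $Cluster -Resource $_.Name).DependencyExpression
        # Expressions look like "([Cluster Disk 2]) and ([IP Address 172.16.0.55])";
        # the bracketed tokens are the resource names this resource depends on.
        $Deps = [regex]::Matches([string]$Expr, '\[([^\]]+)\]') | ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            Resource  = $_.Name
            Type      = $_.ResourceType.Name
            State     = $_.State.ToString()
            OwnerNode = $_.OwnerNode.Name
            DependsOn = @($Deps)
        }
    }
}

# A failed resource whose dependencies are all healthy failed on its own and is a root
# cause. A failed resource that depends on another failed resource is collateral: the
# cluster took it offline because something it needs went away.
function Get-FailedResourceRoots {
    param([string]$Cluster = 'Cluster1', [string]$Group = 'AdatumFS')
    $All         = Get-GroupResourceState -Cluster $Cluster -Group $Group
    $Failed      = @($All | Where-Object { $_.State -eq 'Failed' })
    $FailedNames = @($Failed.Resource)
    $Failed | Where-Object {
        $Deps = $_.DependsOn
        -not ($Deps | Where-Object { $FailedNames -contains $_ })
    }
}

# Does the failure follow the role to another node (application or cluster
# configuration), or stay behind (that node's hardware, driver or local configuration)?
function Test-FailureOnOtherNode {
    param([string]$Cluster = 'Cluster1', [string]$Group = 'AdatumFS', [string]$Node = 'LON-SVR4')
    Move-ClusterGroup -Cluster $Cluster -Name $Group -Node $Node | Out-Null
    Start-ClusterGroup -Cluster $Cluster -Name $Group -ErrorAction SilentlyContinue | Out-Null
    Get-FailedResourceRoots -Cluster $Cluster -Group $Group
}

Get-GroupResourceState | Format-Table -AutoSize
Get-FailedResourceRoots
```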

What Is Cluster-Aware Updating?


Applying Windows operating system updates to nodes in a cluster requires extra attention. If you want to provide zero downtime for a clustered role, you must update cluster nodes manually one after another, and you must move resources manually from the node that you are updating to another node. This procedure can be very time-consuming. In Windows Server 2012, Microsoft has implemented a new feature for automatic update of cluster nodes. Cluster-Aware Updating (CAU) is a Windows Server 2012 feature that lets administrators update cluster nodes automatically, with little or no loss in availability during the update process. During an update procedure, CAU transparently takes each cluster node offline, installs the updates and any dependent updates, performs a restart if necessary, brings the node back online, and then moves to update the next node in a cluster.

For many clustered roles, this automatic update process triggers a planned failover, and it can cause a transient service interruption for connected clients. However, for continuously available workloads in Windows Server 2012, such as Hyper-V with live migration or file server with SMB Transparent Failover, CAU can orchestrate cluster updates with no effect on service availability.


Cluster Updating Modes


CAU can orchestrate the complete cluster updating operation in two modes:

Remote-updating mode. In this mode, a computer that is running Windows Server 2012 or Windows 8 is called and configured as an orchestrator. To configure a computer as a CAU orchestrator, you must install failover clustering administrative tools on it. The orchestrator computer is not a member of the cluster that is updated during the procedure. From the orchestrator computer, the administrator triggers on-demand updating by using a default or custom Updating Run profile. Remote-updating mode is useful for monitoring real-time progress during the Updating Run, and for clusters that are running on Server Core installations of Windows Server 2012.

Self-updating mode. In this mode, the CAU clustered role is configured as a workload on the failover cluster that is to be updated, and an associated update schedule is defined. In this scenario, CAU does not have a dedicated orchestrator computer. The cluster updates itself at scheduled times by using a default or custom Updating Run profile. During the Updating Run, the CAU orchestrator process starts on the node that currently owns the CAU clustered role, and the process sequentially performs updates on each cluster node. In the self-updating mode, CAU can update the failover cluster by using a fully automated, end-to-end updating process. An administrator can also trigger updates on demand in this mode, or use the remote-updating approach, if desired. In the self-updating mode, an administrator can access summary information about an Updating Run in progress by connecting to the cluster and running the Get-CauRun Windows PowerShell cmdlet.

To use CAU, you must install the failover clustering feature in Windows Server 2012, and you must create a failover cluster. The components that support CAU functionality are installed automatically on each cluster node.

You must also install the CAU tools, which are included in the failover clustering Tools (which are also part of the Remote Server Administration Tools (RSAT)). The CAU tools consist of the CAU user interface (UI) and the CAU Windows PowerShell cmdlets. The failover clustering Tools are installed by default on each cluster node when you install the failover clustering feature. You can also install these tools on a local or a remote computer that is running Windows Server 2012 or Windows 8, and that has network connectivity to the failover cluster.

Demonstration: Configuring CAU


Demonstration Steps

Configure CAU

1. Make sure that the failover cluster is configured and running on LON-SVR3 and LON-SVR4.
2. Add the failover clustering feature to LON-DC1.
3. Run Cluster-Aware Updating on LON-DC1, and configure it to connect to Cluster1.
4. Preview updates that are available for nodes LON-SVR3 and LON-SVR4.
5. Review available options for the Updating Run profile.
6. Apply available updates to Cluster1 from LON-DC1.
7. After updates are applied, configure Add CAU Clustered Role with Self-Updating Enabled on LON-SVR3.
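The demonstration steps above with the ClusterAwareUpdating cmdlets: remote-updating mode from the orchestrator LON-DC1, then the switch to self-updating mode. This is an added example, not course material; it assumes LON-DC1 is not a cluster member and the caller is a cluster administrator, and the schedule and failure limits are choices, not values from the course.

```powershell
# Added example, not from the course. Steps 2-6 run on LON-DC1, the orchestrator.

$Cluster = 'Cluster1'

# Step 2: the CAU tools ship with the Failover Clustering tools (part of RSAT).
Install-WindowsFeature -Name RSAT-Clustering -IncludeAllSubFeature | Out-Null

# Step 3: confirm the orchestrator and the cluster are ready (firewall rules, remote
# management, update source reachable from every node) before touching anything.
Test-CauSetup -ClusterName $Cluster

# Step 4: preview. Nothing is installed; the output lists what each node would get.
Invoke-CauScan -ClusterName $Cluster | Format-Table -AutoSize

# Steps 5-6: an Updating Run with an explicit profile instead of the defaults. The
# limits stop a bad update from walking through every node: abort as soon as one node
# fails, retry a node a bounded number of times, and refuse to start unless all nodes
# are online so the run cannot begin with availability already reduced.
$RunProfile = @{
    ClusterName           = $Cluster
    MaxFailedNodes        = 0
    MaxRetriesPerNode     = 3
    RequireAllNodesOnline = $true
    Force                 = $true   # no interactive confirmation
}
Invoke-CauRun @RunProfile

# Step 7: self-updating mode. The CAU clustered role owns the schedule from now on;
# the node that currently owns the role acts as orchestrator during each run.
# Schedule (second Sunday of the month) is an assumed maintenance window.
Add-CauClusterRole -ClusterName $Cluster -DaysOfWeek Sunday -WeeksOfMonth 2 `
    -StartDate (Get-Date) -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -EnableFirewallRules -Force

# Verify the role and its schedule, and check for a run in progress (works from any
# node or management machine, as the text describes).
Get-CauClusterRole -ClusterName $Cluster
Get-CauRun -ClusterName $Cluster
```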


Lesson 5

Implementing a Multi-Site Failover Cluster

In some scenarios, you may have to deploy cluster nodes on different sites. Usually, you do this when you build disaster recovery solutions. In this lesson, you will learn about multi-site failover clusters, and the prerequisites for implementing them. You will also learn about synchronous and asynchronous replication, and the process of choosing a quorum mode for multi-site clusters.

Lesson Objectives


After completing this lesson, you will be able to:

• Describe a multi-site failover cluster.
• Describe prerequisites for implementing a multi-site cluster.
• Describe synchronous and asynchronous replication.
• Explain how to choose a quorum mode for multi-site clusters.
• Describe the process for deploying multi-site clusters.
• Describe the challenges for implementing multi-site clusters.

What Is a Multi-Site Failover Cluster?


A multi-site failover cluster is a cluster that has been extended so that different nodes in the same cluster reside in separate physical locations. A multi-site failover cluster thereby provides highly available services in more than one location. Multi-site failover clusters can solve several specific problems, but they also present specific challenges. In a multi-site failover cluster, each site usually has a separate storage system with replication between the sites. Multi-site cluster storage replication enables each site to be independent, and provides fast access to the local disk. With separate storage systems, you cannot share a single disk between sites.

A multi-site failover cluster has three main advantages in a failover site, as compared to a remote server:

• When a site fails, a multi-site cluster automatically fails over the clustered service or application to another site.
• Because the cluster configuration is replicated automatically to each cluster node in a multi-site cluster, there is less administrative overhead than a cold standby server, which requires you to replicate changes manually.
• The automated processes in a multi-site cluster reduce the possibility of human error, which is present in manual processes.

Because of the increased cost and complexity of a multi-site failover cluster, it might not be an ideal solution for every application or business. When you are considering whether to deploy a multi-site cluster, you should evaluate the importance of the applications to the business, the type of applications, and any alternative solutions. Some applications can easily provide multi-site redundancy with log shipping or other processes, and can still achieve sufficient availability with only a modest increase in cost and complexity. Examples for this are SQL Server log shipping, Exchange Server continuous replication, and DFS replication.

The complexity of a multi-site cluster requires more architectural and hardware planning. It also requires you to develop business processes to test the cluster functionality routinely.

Prerequisites for Implementing a Multi-Site Failover Cluster


Prerequisites for implementation of a multi-site cluster are different from those for single-site cluster implementation. It is important to understand what you must prepare before you start implementation of a multi-site cluster. Prior to implementing a multi-site failover cluster, you must ensure the following:

• You must have enough nodes and votes on each site, so that the cluster can be online even if one site is down. This setup requires additional hardware, and can come with significant financial costs.
• All nodes must have the same operating system and service pack version.
• You must provide at least one low-latency and reliable network connection between sites. This is important for cluster heartbeats. By default, regardless of subnet configuration, heartbeat frequency (also known as subnet delay) is once every second (1,000 milliseconds). The range for heartbeat frequency is once every 250-2,000 milliseconds on a common subnet, and 250-4,000 milliseconds across subnets. By default, when a node misses a series of 5 heartbeats, another node will initiate failover. The range for this value (also known as subnet threshold) is from 3 through 10.
• You must provide a storage replication mechanism. Failover clustering does not provide any storage replication mechanism, so you must provide another solution. This also requires that you have multiple storage solutions, one for each cluster you create.
• You must ensure that all other necessary services for the cluster, such as AD DS and DNS, are also available on a second site.
• You must ensure that client connections can be redirected to a new cluster node when failover happens.
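The heartbeat delay and threshold settings described in the list above, set on the cluster object with the values checked against the ranges the text gives, and a read-back that shows how long a node may be silent before the other nodes declare it down (delay multiplied by threshold). This is an added example, not course material; the cluster name comes from the course demonstration and the widened cross-subnet values at the end are a choice, not a recommendation from the course.

```powershell
# Added example, not from the course.

function Get-ClusterHeartbeatPolicy {
    param([string]$Cluster = 'Cluster1')
    $c = Get-Cluster -Name $Cluster
    foreach ($Scope in 'SameSubnet', 'CrossSubnet') {
        $Delay     = [int]$c."${Scope}Delay"
        $Threshold = [int]$c."${Scope}Threshold"
        [pscustomobject]@{
            Scope            = $Scope
            DelayMs          = $Delay
            Threshold        = $Threshold
            # Time a node can go unheard before failover starts: with the text's
            # defaults (1,000 ms, 5 missed heartbeats) that is 5 seconds.
            DetectionSeconds = ($Delay * $Threshold) / 1000
        }
    }
}

function Set-ClusterHeartbeatPolicy {
    param(
        [string]$Cluster = 'Cluster1',
        [int]$SameSubnetDelay      = 1000,   # ms, valid range 250-2000
        [int]$SameSubnetThreshold  = 5,      # missed heartbeats, valid range 3-10
        [int]$CrossSubnetDelay     = 1000,   # ms, valid range 250-4000
        [int]$CrossSubnetThreshold = 5       # missed heartbeats, valid range 3-10
    )
    # Reject anything outside the ranges the text documents before touching the cluster.
    if ($SameSubnetDelay -lt 250 -or $SameSubnetDelay -gt 2000) {
        throw "SameSubnetDelay $SameSubnetDelay ms is outside 250-2000"
    }
    if ($CrossSubnetDelay -lt 250 -or $CrossSubnetDelay -gt 4000) {
        throw "CrossSubnetDelay $CrossSubnetDelay ms is outside 250-4000"
    }
    foreach ($t in $SameSubnetThreshold, $CrossSubnetThreshold) {
        if ($t -lt 3 -or $t -gt 10) { throw "Threshold $t is outside 3-10" }
    }

    $c = Get-Cluster -Name $Cluster
    $c.SameSubnetDelay      = $SameSubnetDelay
    $c.SameSubnetThreshold  = $SameSubnetThreshold
    $c.CrossSubnetDelay     = $CrossSubnetDelay
    $c.CrossSubnetThreshold = $CrossSubnetThreshold
    Get-ClusterHeartbeatPolicy -Cluster $Cluster
}

# Current policy, then a cross-site policy that tolerates WAN jitter at the cost of
# slower detection (2,000 ms x 10 = 20 seconds before a remote node is declared down).
Get-ClusterHeartbeatPolicy | Format-Table -AutoSize
Set-ClusterHeartbeatPolicy -CrossSubnetDelay 2000 -CrossSubnetThreshold 10 | Format-Table -AutoSize
```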


Synchronous and Asynchronous Replication


It is not possible for a geographically dispersed failover cluster to use shared storage between physical locations. Wide area network (WAN) links are too slow and have too much latency to support shared storage. This means that you must have separate instances of data. To have exact copies of data on both sides, geographically dispersed failover clusters must synchronize data between locations by using specialized hardware. Multi-site data replication can be either synchronous or asynchronous:

• When you use synchronous replication, the host receives a write complete response from the primary storage after the data is written successfully on both storage systems. If the data is not written successfully to both storage systems, the application must attempt to write to the disk again. With synchronous replication, both storage systems are identical.
• When you use asynchronous replication, the node receives a write complete response from the storage after the data is written successfully on the primary storage. The data is written to the secondary storage on a different schedule, depending on the hardware or software vendor's implementation. Asynchronous replication can be storage-based, host-based, or even application-based. However, not all forms of asynchronous replication are sufficient for a multi-site cluster. For example, DFS Replication provides file-level asynchronous replication. However, it does not support multi-site failover clustering replication. This is because DFS Replication replicates smaller documents that are not held open continuously, and was not designed for high-speed, open-file replication.

When to Use Synchronous or Asynchronous Replication

Use synchronous replication when data loss is not acceptable. Synchronous replication solutions require low disk write latency, because the application waits for both storage systems to acknowledge each write. The requirement for low-latency disk writes also limits the distance between the storage systems, because increased distance causes higher latency. If the disk latency is high, the performance and even the stability of the application can be affected.

Asynchronous replication overcomes the latency and distance limitations by acknowledging local disk writes only, and by reproducing each disk write on the remote storage system in a separate transaction. Because asynchronous replication writes to the remote storage system after it writes to the local storage system, the possibility of data loss during a failure increases: anything written after the last replicated transaction is lost if the primary site fails. Decide how much data loss (the recovery point objective) the workload can tolerate before you choose asynchronous replication.


Selecting a Quorum Mode for Multi-Site Clusters


Each failover cluster must have a quorum mode defined, so that a majority vote can be determined at any time. For a geographically dispersed cluster, you cannot normally use quorum configurations that require a shared disk, because geographically dispersed clusters do not use shared disks. Both the Node and Disk Majority and the No Majority: Disk Only quorum modes require a shared witness disk to provide a vote for determining quorum. You should use these two quorum modes only if the hardware vendor specifically recommends and supports them for multi-site use.

To use the Node and Disk Majority or the No Majority: Disk Only mode in a multi-site cluster, the shared disk requires that:

- You preserve the semantics of the SCSI commands across the sites, even if a complete communication failure occurs between the sites.
- You replicate the witness disk in real-time synchronous mode across all sites.

Because multi-site clusters can have WAN failures in addition to node and local network failures, Node Majority and Node and File Share Majority are better solutions for multi-site clusters. If a WAN failure causes the primary and secondary sites to lose communication, one side must still hold a majority of the votes to continue operations.

If there is an odd number of nodes, use the Node Majority quorum mode. If there is an even number of nodes, which is typical in a geographically dispersed cluster, use the Node and File Share Majority quorum mode.

If you are using Node Majority and the sites lose communication, you need a mechanism to determine which nodes remain in the cluster and which nodes leave the cluster. With an even split, the site that is to survive needs one more vote to obtain quorum after a failure. To obtain that vote, you must either join another node to the cluster or create a file share witness.

The Node and File Share Majority mode can help maintain quorum without adding another node to the cluster. To tolerate the failure of a whole site and still enable automatic failover, the file share witness should exist at a third site. In a multi-site cluster, a single server can host the file share witness. However, you must create a separate file share for each cluster.

You must use three locations to enable automatic failover of a highly available service or application. Locate the node that runs the highly available service or application in the primary location. Locate a second node in a disaster-recovery site, and locate the file share witness in a third location.

There must be direct network connectivity between all three locations. In this manner, if one site becomes unavailable, the two remaining sites can still communicate and have enough votes for a quorum.

Note: In Windows Server 2008 R2, administrators could configure the quorum to include nodes. However, if the quorum configuration included nodes, all nodes were treated equally, with one vote each. In Windows Server 2012, you can adjust the cluster quorum settings so that, when the cluster determines whether it has quorum, some nodes have a vote and some do not. This adjustment can be useful when you implement solutions across multiple sites.
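The following Windows PowerShell example is added here and is not part of the course text. It configures Node and File Share Majority, and then uses the Windows Server 2012 per-node vote, for a hypothetical multi-site cluster named Cluster1 with three nodes in the primary site (LON-SVR3, LON-SVR4, LON-SVR5), two nodes in a disaster-recovery site (DR-SVR1, DR-SVR2), and a witness share on a file server at a third location (WIT-SVR1). The cluster, node and server names and the share path are assumptions for the example; the cmdlets and the NodeWeight property are from the FailoverClusters module.

```powershell
# Added example: Node and File Share Majority with an adjusted node vote.
# Cluster1, LON-SVR3/4/5, DR-SVR1/2, WIT-SVR1 and the share path are assumed names.
Import-Module FailoverClusters

# Current quorum type and witness resource, if any.
Get-ClusterQuorum -Cluster Cluster1

# Witness share at the third location. Use one share per cluster, and give the
# cluster computer account (Cluster1$) Full Control on the share and the folder;
# no other account needs access to it.
Set-ClusterQuorum -Cluster Cluster1 -NodeAndFileShareMajority '\\WIT-SVR1\Cluster1-Witness'

# With five node votes plus the witness (six votes, majority four) the primary
# site survives a WAN outage only while it can reach the witness (3 + 1 = 4),
# and the DR site plus the witness (2 + 1 = 3) can never reach a majority, so
# there is no automatic failover to the DR site. Removing one primary-site vote
# leaves four node votes plus the witness (five votes, majority three): whichever
# site can still reach the witness has three votes and keeps running.
(Get-ClusterNode -Cluster Cluster1 -Name LON-SVR5).NodeWeight = 0

# Show the votes the cluster counts right now.
Get-ClusterNode -Cluster Cluster1 |
    Format-Table Name, State, NodeWeight, DynamicWeight -AutoSize

# Last resort only: if the primary site AND the witness are both lost, the DR
# site holds 2 of 5 votes and must be forced to start. Do this only when you are
# certain the primary site is down, because if only the WAN link failed you
# would create a second, independent copy of the cluster.
# Start-ClusterNode -Name DR-SVR1 -FixQuorum
```

The forced-quorum line is left commented out on purpose; it is the manual recovery path, not part of normal configuration.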


Process for Configuring a Multi-Site Failover Cluster


Configuration of a multi-site cluster is somewhat different from configuring a single-site cluster. Multi-site clusters are more complex to configure and maintain, and require more administrative effort to support. The high-level steps to configure a multi-site cluster are as follows:

1. Ensure that you have enough cluster nodes at each site. In addition, ensure that the cluster nodes have similar hardware configurations, and have the same version of the operating system and service pack.
2. Ensure that networking between the sites is operational, and that the network latency is acceptable for configuring the cluster. (You can validate this by using the Validate a Configuration Wizard in Failover Cluster Manager.)
3. Ensure that you have deployed a reliable storage replication mechanism between the sites, and choose the type of replication to use.
4. Ensure that key infrastructure services, such as AD DS, DNS, and DHCP, are present at each site.
5. Run the Validate a Configuration Wizard on all of the cluster nodes to determine whether your configuration is acceptable for creating a cluster.
6. Determine the role that you will configure in the cluster.
7. Determine the cluster quorum mode that you will use.
8. Create the clustered role.
9. Configure failover and failback settings.
10. Validate failover and failback.

You should be aware that multi-site clusters require more administrative effort during failover and failback. While single-site cluster failover and failback are mostly automatic, with multi-site clusters this is not always the case.

Challenges for Implementing a Multi-Site Cluster


Implementing multi-site clusters is more complex than implementing single-site clusters, and can also present several challenges to the administrator. Storage and network issues are the most challenging aspects of implementing multi-site clusters. In a multi-site cluster, there is no shared storage that the cluster nodes use. This means that every node at each site must have its own storage instance. At the same time, failover clustering does not include any built-in functionality to replicate data between sites. There are three options for replicating data: block-level hardware-based replication, software-based file replication installed on the host, or application-based replication.

Multi-site data replication can be either synchronous or asynchronous. Synchronous replication does not acknowledge data changes that are made in, for example, Site A until the data is successfully written to Site B. With asynchronous replication, data changes that are made in Site A are eventually written to Site B. When you deploy a multi-site cluster and run the Validate a Configuration Wizard, the disk tests will not find any shared storage, and will therefore not run. However, you can still create a failover cluster. If you follow the hardware manufacturer's recommendations for Windows Server failover clustering hardware, Microsoft will support the solution.

Windows Server 2012 enables cluster nodes to exist on different IP subnets, which enables a clustered application or service to change its IP address based on the subnet it fails over to. The cluster updates the clustered application's DNS record so that clients can locate the new IP address. Because clients rely on DNS to find a service or application after a failover, you might have to lower the Time to Live (TTL) of the DNS record and speed up DNS replication; until the old record expires from their caches, clients keep trying the address at the failed site. Additionally, when cluster nodes are in multiple sites, network latency might require you to increase the inter-node communication (heartbeat) delay and threshold, so that a slow WAN link is not mistaken for a failed node.
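The following Windows PowerShell example is added here and is not part of the course text. It shows the two adjustments just described, the cross-subnet heartbeat settings and the DNS behaviour of a clustered Network Name, on a hypothetical cluster Cluster1 whose nodes sit in two IP subnets and that hosts a general-use clustered file server whose Network Name resource is called AdatumFS (the cluster and resource names are assumptions; a Scale-Out File Server uses a distributed name and is not what this example configures). The cluster properties and Network Name private properties used are those of Windows Server 2012 failover clustering.

```powershell
# Added example: tune heartbeat and client redirection for a multi-subnet cluster.
# Cluster1 and the Network Name resource AdatumFS are assumed names.
Import-Module FailoverClusters
$cluster = Get-Cluster -Name Cluster1

# Current heartbeat settings: delay in milliseconds, threshold in missed heartbeats.
# Windows Server 2012 defaults are 1000 ms and 5 for both same- and cross-subnet.
$cluster | Format-List SameSubnetDelay, SameSubnetThreshold, CrossSubnetDelay, CrossSubnetThreshold

# Tolerate WAN latency between the sites: send cross-subnet heartbeats every
# 2 seconds and declare a node down only after 10 missed heartbeats (20 s).
# Same-subnet values are left at their defaults so that local failures are
# still detected quickly.
$cluster.CrossSubnetDelay     = 2000
$cluster.CrossSubnetThreshold = 10

# Client redirection after a cross-site failover:
#  - HostRecordTTL: the TTL of the DNS record the cluster registers for the
#    name. Lower it from the default 1200 s (20 minutes) to 5 minutes.
#  - RegisterAllProvidersIP = 0: register only the IP address that is online,
#    so clients never receive the address of the site that is down.
$netName = Get-ClusterResource -Cluster Cluster1 -Name AdatumFS
$netName | Set-ClusterParameter -Name HostRecordTTL -Value 300
$netName | Set-ClusterParameter -Name RegisterAllProvidersIP -Value 0

# Network Name parameter changes apply when the resource is restarted. This
# also takes the resources that depend on it (the file server) offline for a
# moment, so do it in a maintenance window.
Stop-ClusterResource  -Cluster Cluster1 -Name AdatumFS
Start-ClusterResource -Cluster Cluster1 -Name AdatumFS

# Verify both settings.
$netName | Get-ClusterParameter -Name HostRecordTTL, RegisterAllProvidersIP
```

Heartbeat tuning trades detection time for tolerance of a slow link; raise the cross-subnet values only as far as the measured WAN latency requires, because every extra second of threshold is a second longer that clients wait before failover starts.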


Lab: Implementing Failover Clustering


Scenario
As A. Datum Corporation's business grows, it is becoming increasingly important that many of the applications and services on the network be available at all times. A. Datum has many services and applications that need to be available to its internal and external users, who are working in different time zones around the world. Because many of these applications cannot be made highly available by using Network Load Balancing, you will need to use a different technology.

As one of the senior network administrators at A. Datum Corporation, you are responsible for implementing failover clustering on the Windows Server 2012 servers, to provide high availability for network services and applications. You will be responsible for planning the Failover Cluster configuration, and deploying applications and services on the Failover Cluster.

Objectives
- Configure a failover cluster with CSV storage.
- Deploy and configure a highly available file server on the failover cluster.
- Validate the high availability of the failover cluster and storage.
- Configure Cluster-Aware Updating on the failover cluster.

Lab Setup
Estimated Time: 60 minutes

Virtual machines:
- 20412A-LON-DC1
- 20412A-LON-SVR1
- 20412A-LON-SVR3
- 20412A-LON-SVR4
- MSL-TMG1

User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials: User name: Adatum\Administrator, Password: Pa$$w0rd.
5. Repeat steps 2-4 for 20412A-LON-SVR1, 20412A-LON-SVR3 and 20412A-LON-SVR4.
6. For MSL-TMG1, repeat step 2 only.


Exercise 1: Configuring a Failover Cluster


Scenario

A. Datum Corporation has some critical applications and services that it wants to make highly available. Some of these services cannot use Network Load Balancing. Therefore, you have decided to implement failover clustering with the iSCSI storage that is already in place. To start this process, you need to implement the core components for failover clustering, validate the cluster, and then create the failover cluster.

The main tasks for this exercise are as follows:

1. Connect cluster nodes to the iSCSI targets.
2. Install the failover clustering feature.
3. Validate the servers for failover clustering.
4. Create the failover cluster.
5. Configure Cluster Shared Volumes.

Task 1: Connect cluster nodes to the iSCSI targets


1. On LON-SVR3, start iSCSI Initiator, and configure Discover Portal with the IP address 172.16.0.21.
2. Connect to the discovered target in the Targets list.
3. Repeat steps 1 and 2 on LON-SVR4.
4. Open Disk Management on LON-SVR3.
5. Bring online and initialize the three new disks.
6. Make a simple volume on each disk and format it with NTFS.
7. On LON-SVR4, open Disk Management, refresh the console, and bring online the three new disks.

Task 2: Install the failover clustering feature


1. On LON-SVR3, install the failover clustering feature by using Server Manager.
2. On LON-SVR4, install the failover clustering feature by using Server Manager.

Task 3: Validate the servers for failover clustering


1. On LON-SVR3, open the Failover Cluster Manager console.
2. Start the Validate a Configuration Wizard.
3. Use LON-SVR3 and LON-SVR4 as the nodes to test.
4. Review the report, and then close the report.
5. On the Summary page, clear the check box next to Create the cluster now using the validated nodes, and then click Finish.

Task 4: Create the failover cluster


1. On LON-SVR3, in Failover Cluster Manager, start the Create Cluster Wizard.
2. Use LON-SVR3 and LON-SVR4 as the cluster nodes.
3. Specify Cluster1 as the Access Point name.
4. Specify the IP address as 172.16.0.125.


Task 5: Configure Cluster Shared Volumes


1. In the Failover Cluster Manager console on LON-SVR3, navigate to Storage, and then Disks.
2. Locate a disk that is assigned to Available Storage. (If possible, use Cluster Disk 2.)
3. Add this disk to Cluster Shared Volumes.

Results: After this exercise, you will have installed and configured the failover clustering feature.
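The following Windows PowerShell script is an added example and is not part of the lab; it performs the five tasks of Exercise 1 non-interactively from LON-SVR3, logged on as Adatum\Administrator. It assumes the lab's iSCSI target at 172.16.0.21 exposes three LUNs that appear as RAW disks, that the second eligible disk is named Cluster Disk 2 once the cluster claims it (as the lab expects), and that Windows Remote Management is enabled on LON-SVR4 (the Windows Server 2012 default).

```powershell
# Added example: Exercise 1 in Windows PowerShell, run on LON-SVR3.
# Assumes the lab target 172.16.0.21 with three LUNs and the node names below.
$nodes = 'LON-SVR3', 'LON-SVR4'

# Task 1: discover the portal and connect to its target persistently on both nodes.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Set-Service MSiSCSI -StartupType Automatic
    Start-Service MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress 172.16.0.21 | Out-Null
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true
}

# Initialize and format the new iSCSI disks once, from LON-SVR3 only. The
# other node must only see them; the cluster will own them after creation.
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
    ForEach-Object {
        Set-Disk -Number $_.Number -IsOffline $false
        Set-Disk -Number $_.Number -IsReadOnly $false
        Initialize-Disk -Number $_.Number -PartitionStyle GPT -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel "ClusterDisk$($_.Number)" -Confirm:$false
    }
# Let LON-SVR4 rescan so the disks are visible to the validation tests.
Invoke-Command -ComputerName LON-SVR4 -ScriptBlock { Update-HostStorageCache }

# Task 2: install the feature and its management tools on both nodes.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature Failover-Clustering -IncludeManagementTools
}

# Task 3: validate. Read the report before you continue; a configuration that
# fails validation is not a supported cluster.
$report = Test-Cluster -Node $nodes
Invoke-Item $report.FullName

# Task 4: create the cluster with the lab's static client access point.
# New-Cluster adds all eligible storage by default, as the wizard does.
New-Cluster -Name Cluster1 -Node $nodes -StaticAddress 172.16.0.125

# Task 5: see which disks are in Available Storage, then add Cluster Disk 2 to CSV.
Get-ClusterResource | Where-Object { $_.ResourceType -eq 'Physical Disk' } |
    Format-Table Name, OwnerGroup, State -AutoSize
Add-ClusterSharedVolume -Name 'Cluster Disk 2'
Get-ClusterSharedVolume
```

The smallest disk becomes the disk witness automatically (Cluster Disk 1 in the lab), which is why the quorum check in Exercise 2 expects Node and Disk Majority.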

Exercise 2: Deploying and Configuring a Highly Available File Server


Scenario
In A. Datum Corporation, File Services is one of the important services that must be highly available, because it hosts very important data that is in use all the time. After you have created the cluster infrastructure, you decide to configure a highly available file server and implement settings for failover and failback.

The main tasks for this exercise are as follows:

1. Add the File Server application to the failover cluster.
2. Add a shared folder to the highly available file server.
3. Configure failover and failback settings.
4. Validate the cluster quorum settings.

Task 1: Add the File Server application to the failover cluster


1. Add the File Server role service to LON-SVR3 and LON-SVR4.
2. On LON-SVR3, open the Failover Cluster Manager console.
3. Add File Server as a cluster role.
4. Choose to implement Scale-Out File Server for application data.
5. Specify AdatumFS as the Client Access Name.

Task 2: Add a shared folder to a highly available file server


1. On LON-SVR3, in Failover Cluster Manager, start the New Share Wizard to add a new shared folder to the AdatumFS cluster role.
2. Specify the profile for the share as SMB Share - Quick.
3. Name the shared folder Data.
4. Enable continuous availability.

Task 3: Configure failover and failback settings


1. On LON-SVR3, in Failover Cluster Manager, open the Properties for the AdatumFS cluster role.
2. Enable failback between 4 and 5 hours.
3. Select both LON-SVR3 and LON-SVR4 as the preferred owners.
4. Move LON-SVR4 to be first in the Preferred Owners list.


Task 4: Validate cluster quorum settings

In the Failover Cluster Manager console, review settings for Quorum Configuration. It should be set to Node and Disk Majority.

Results: After this exercise, you will have deployed and configured a highly available file server.
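The following Windows PowerShell script is an added example and is not part of the lab; it performs the four tasks of Exercise 2 from LON-SVR3 after Exercise 1 is complete. It assumes that the CSV created in Exercise 1 is mounted at C:\ClusterStorage\Volume1 (the mount point Windows assigns to the first CSV) and that an Adatum\Domain Users group exists; both are assumptions for the example.

```powershell
# Added example: Exercise 2 in Windows PowerShell, run on LON-SVR3.
# Assumes Cluster1 from Exercise 1 and a CSV at C:\ClusterStorage\Volume1.
$nodes = 'LON-SVR3', 'LON-SVR4'

# Task 1: File Server role service on both nodes, then the Scale-Out File Server role.
Invoke-Command -ComputerName $nodes -ScriptBlock { Install-WindowsFeature FS-FileServer }
Add-ClusterScaleOutFileServerRole -Name AdatumFS

# Task 2: continuously available share on the CSV, scoped to the SOFS name so
# that every node serves it. Grant the accounts that need the data, not Everyone:
# a Scale-Out File Server share is reachable from every node and every site.
$path = 'C:\ClusterStorage\Volume1\Data'
New-Item -Path $path -ItemType Directory -Force | Out-Null
New-SmbShare -Name Data -Path $path -ScopeName AdatumFS -ContinuouslyAvailable $true `
    -FullAccess 'Adatum\Administrator' -ReadAccess 'Adatum\Domain Users'

# Task 3: preferred owners (list order is the preference order) and a failback
# window. AutoFailbackType 1 = allow failback; the window is given in hours of
# the day, so 4 and 5 means failback may only happen between 04:00 and 05:00.
Set-ClusterOwnerNode -Group AdatumFS -Owners LON-SVR4, LON-SVR3
$group = Get-ClusterGroup -Name AdatumFS
$group.AutoFailbackType    = 1
$group.FailbackWindowStart = 4
$group.FailbackWindowEnd   = 5
Get-ClusterOwnerNode -Group AdatumFS
$group | Format-List Name, AutoFailbackType, FailbackWindowStart, FailbackWindowEnd

# Task 4: with two nodes and a witness disk the wizard chose Node and Disk Majority.
Get-ClusterQuorum | Format-List Cluster, QuorumType, QuorumResource
```

Restricting failback to a window matters because failback is a second interruption: the role goes offline, moves, and comes back online, so you want it to happen when the fewest users are connected.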

Exercise 3: Validating the Deployment of the Highly Available File Server


Scenario

In the process of implementing a failover cluster, you want to ensure that the cluster is performing correctly by performing failover and failback tests.

The main tasks for this exercise are as follows:

1. Validate the highly available file server deployment.
2. Validate the failover and quorum configuration for the file server role.

Task 1: Validate the highly available file server deployment


1. On LON-DC1, open Windows Explorer, and attempt to access the \\AdatumFS\ location. Make sure that you can access the Data folder.
2. Create a test text document inside this folder.
3. On LON-SVR3, in Failover Cluster Manager, move AdatumFS to the second node.
4. On LON-DC1, in Windows Explorer, verify that you can still access the \\AdatumFS\ location.

Task 2: Validate the failover and quorum configuration for the file server role
1. On LON-SVR3, determine the current owner of the AdatumFS role.
2. Stop the Cluster service on the node that is the current owner of the AdatumFS role.
3. Verify that AdatumFS has moved to the other node, and that the \\AdatumFS\ location is still available from the LON-DC1 computer.
4. Start the Cluster service on the node on which you stopped it in step 2.
5. From the Disks node, take the disk witness offline.
6. Verify that the \\AdatumFS\ location is still available from LON-DC1.
7. Bring the disk witness back online.

Results: After this exercise, you will have tested the failover and failback scenarios.
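The following Windows PowerShell script is an added example and is not part of the lab; it automates the failover checks of Exercise 3 and is meant to run from LON-DC1, which is a client of the share and not a cluster node (so stopping the cluster service on a node never cuts off the script itself). It assumes the Failover Clustering management tools are installed on LON-DC1, which Exercise 4 does as its first step, and that the witness disk resource is named Cluster Disk 1; both are assumptions for the example.

```powershell
# Added example: automated failover and quorum test for Exercise 3, run on LON-DC1.
# Assumes the FailoverClusters module on LON-DC1 and a witness named 'Cluster Disk 1'.
Import-Module FailoverClusters
$cluster = 'Cluster1'
$share   = '\\AdatumFS\Data'

# Write a uniquely named file and report whether the share accepted it.
function Test-ShareAccess {
    param([string]$Path)
    $file = Join-Path $Path ('failover-test-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    try {
        Set-Content -Path $file -Value "written by $env:COMPUTERNAME at $(Get-Date -Format o)" -ErrorAction Stop
        return (Test-Path $file)
    } catch {
        Write-Warning "Share $Path not writable: $($_.Exception.Message)"
        return $false
    }
}

function Get-RoleOwner { (Get-ClusterGroup -Cluster $cluster -Name AdatumFS).OwnerNode.Name }

# Task 1: planned move to the other node; the share must stay writable.
"Before move: owner $(Get-RoleOwner), writable $(Test-ShareAccess $share)"
$other = (Get-ClusterNode -Cluster $cluster | Where-Object Name -ne (Get-RoleOwner)).Name
Move-ClusterGroup -Cluster $cluster -Name AdatumFS -Node $other | Out-Null
"After move:  owner $(Get-RoleOwner), writable $(Test-ShareAccess $share)"

# Task 2, steps 1-4: unplanned loss of the owning node (its Cluster service stops).
$failed = Get-RoleOwner
Stop-ClusterNode -Cluster $cluster -Name $failed | Out-Null
Start-Sleep -Seconds 10
"After node stop: owner $(Get-RoleOwner) (was $failed), writable $(Test-ShareAccess $share)"
Start-ClusterNode -Cluster $cluster -Name $failed | Out-Null

# Task 2, steps 5-7: lose the disk witness. Two nodes still hold 2 of 3 votes,
# so the cluster, and the share, must stay up. Losing a node as well at this
# point would leave 1 of 3 votes and the cluster would stop.
Stop-ClusterResource -Cluster $cluster -Name 'Cluster Disk 1' | Out-Null
Get-ClusterNode -Cluster $cluster | Format-Table Name, State -AutoSize
"Witness offline: writable $(Test-ShareAccess $share)"
Start-ClusterResource -Cluster $cluster -Name 'Cluster Disk 1' | Out-Null
```

Each step prints the owner and whether a write succeeded, so the transcript doubles as evidence for the change record of the failover test.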

Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster


Scenario

Earlier, implementing updates to servers that host critical services was causing unwanted downtime. To enable seamless, zero-downtime cluster updating, you want to implement the Cluster-Aware Updating feature and test updates for the cluster nodes.

The main tasks for this exercise are as follows:

1. Configure Cluster-Aware Updating.
2. Update the failover cluster and configure self-updating.

Task 1: Configure Cluster-Aware Updating


1. On LON-DC1, install the Failover Clustering feature.
2. From Server Manager, open Cluster-Aware Updating.
3. Connect to Cluster1.
4. Preview the updates available for the nodes in Cluster1.

Task 2: Update the failover cluster and configure self-updating


1. On LON-DC1, start the update process for Cluster1.
2. After the process is complete, log on to LON-SVR3 with the user name Adatum\Administrator and the password Pa$$w0rd.
3. On LON-SVR3, open Cluster-Aware Updating and configure self-updating for Cluster1, to be performed weekly, on Sundays at 4:00 A.M.

Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.
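The following Windows PowerShell script is an added example and is not part of the lab; it performs Exercise 4 from LON-DC1 with the ClusterAwareUpdating module that the Failover Clustering tools install. The weekly-schedule parameters of Add-CauClusterRole (-DaysOfWeek, -IntervalWeeks and -StartDate, with the time of day taken from the start date) are used as I recall them from the cmdlet documentation and should be checked against Get-Help before use; the start date itself is an arbitrary Sunday chosen for the example.

```powershell
# Added example: Exercise 4 in Windows PowerShell, run on LON-DC1.
# Scheduling parameters as recalled from the Add-CauClusterRole documentation.
Import-Module ClusterAwareUpdating

# Task 1: connect to Cluster1 and preview the updates each node would receive.
# A scan makes no changes.
Invoke-CauScan -ClusterName Cluster1 -CauPluginName Microsoft.WindowsUpdatePlugin |
    Format-Table NodeName, UpdateTitle, UpdateId -AutoSize

# Task 2: remote-updating run. Each node is drained (roles moved off it),
# updated, restarted and resumed in turn. -MaxFailedNodes 0 stops the run at the
# first node that fails rather than continuing to take nodes down, and
# -RequireAllNodesOnline refuses to start while any node is already unavailable.
Invoke-CauRun -ClusterName Cluster1 -CauPluginName Microsoft.WindowsUpdatePlugin `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force

# Self-updating: the CAU clustered role runs the same process from inside the
# cluster, weekly on Sunday at 04:00. -EnableFirewallRules opens the remote
# shutdown rule on the nodes so that CAU can restart them.
Add-CauClusterRole -ClusterName Cluster1 -CauPluginName Microsoft.WindowsUpdatePlugin `
    -DaysOfWeek Sunday -IntervalWeeks 1 -StartDate '1/6/2013 4:00 AM' `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -EnableFirewallRules -Force

# Confirm the role and review the last run.
Get-CauClusterRole -ClusterName Cluster1
Get-CauReport -ClusterName Cluster1 -Last -Detailed
```

Keep -MaxFailedNodes at 0 on a two-node cluster: allowing even one failed node would let the run continue with no node left to take the roles.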

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR3, 20412A-LON-SVR4 and MSL-TMG1.

Lab Review
Question: What information will you have to collect as you plan a failover cluster implementation and choose a quorum mode?

Question: After running the Validate a Configuration Wizard, how can you resolve the network communication single point of failure?

Question: In which situations might it be important to enable failback of a clustered application only during a specific time?


Module Review and Takeaways


Question: Why is using a No Majority: Disk Only quorum configuration generally not a good idea?

Question: What is the purpose of CAU?

Question: What is the main difference between synchronous and asynchronous replication in a multi-site cluster scenario?

Question: What is the enhanced feature for multi-site clusters in Windows Server 2012?

Real-world Issues and Scenarios

Question: Your organization is considering the use of a geographically dispersed cluster that includes an alternative data center. Your organization has only a single physical location together with an alternative data center. Can you provide an automatic failover in this configuration?

Tools
The tools for implementing failover clustering include:

- Failover Cluster Manager console
- Cluster-Aware Updating console
- Windows PowerShell
- Server Manager
- iSCSI Initiator
- Disk Management


Module 6
Implementing Failover Clustering with Hyper-V
Contents:
Module Overview 6-1
Lesson 1: Overview of Integrating Hyper-V with Failover Clustering 6-2
Lesson 2: Implementing Hyper-V Virtual Machines on Failover Clusters 6-7
Lesson 3: Implementing Hyper-V Virtual Machine Movement 6-15
Lesson 4: Managing Hyper-V Virtual Environments by Using VMM 6-21
Lab: Implementing Failover Clustering with Hyper-V 6-31
Module Review and Takeaways 6-36

Module Overview

One benefit of implementing server virtualization is that it allows you to provide high availability, both for applications or services that have built-in high availability functionality, and for applications or services that do not provide high availability in any other way. With the Windows Server 2012 Hyper-V technology, failover clustering, and Microsoft System Center 2012 - Virtual Machine Manager (VMM), you can configure high availability by using several different options.

In this module, you will learn about how to implement failover clustering in a Hyper-V scenario to achieve high availability for a virtual environment. You will also learn about basic virtual machine features.

Objectives
After completing this module, you will be able to:

- Describe how Hyper-V integrates with failover clustering.
- Implement Hyper-V virtual machines on failover clusters.
- Implement Hyper-V virtual machine movement.
- Manage a Hyper-V virtual environment by using VMM.


Lesson 1

Overview of Integrating Hyper-V with Failover Clustering


Failover clustering is a Windows Server 2012 feature that enables you to make applications or services highly available. To make virtual machines highly available in a Hyper-V environment, you must implement failover clustering on the Hyper-V host machines.

This lesson summarizes the high availability options for Hyper-V-based virtual machines, and then focuses on how failover clustering works, and how to design and implement failover clustering for Hyper-V.

Lesson Objectives


After completing this lesson, you will be able to:

- Describe options for making virtual machines highly available.
- Explain how failover clustering works with Hyper-V nodes.
- Describe the new failover clustering features for Hyper-V in Windows Server 2012.
- Describe best practices for implementing high availability in a virtual environment.

Options for Making Virtual Machines Highly Available


Most organizations have some applications that are business critical and must be highly available. To make an application highly available, you must deploy it in an environment that provides redundancy for all components that the application requires. For virtual machines to be highly available, you can choose between several options:

- Host clustering, in which the Hyper-V hosts form the failover cluster and each virtual machine is a clustered role
- Guest clustering, in which you implement clustering inside the virtual machines
- Network Load Balancing (NLB) inside the virtual machines

Host Clustering

Host clustering enables you to configure a failover cluster by using the Hyper-V host servers. When you configure host clustering for Hyper-V, you configure the virtual machine as a highly available resource. Failover protection is implemented at the host server level. This means that the guest operating system and the applications that are running within the virtual machine do not have to be cluster-aware, yet the virtual machine is still highly available. Some examples of non-cluster-aware applications are a print server, or proprietary network-based applications such as an accounting application. Should the host node that controls the virtual machine unexpectedly become unavailable, another host node assumes control and restarts the virtual machine as quickly as possible.

You can also move the virtual machine from one node in the cluster to another in a controlled manner. For example, you could move the virtual machine from one node to another while patching the host operating system. The applications or services that are running in the virtual machine do not have to be compatible with failover clustering, and they do not need to be aware that the virtual machine is clustered. Because the failover is at the virtual machine level, there are no dependencies on software that is installed inside the virtual machine. Note, however, that after an unplanned host failure the virtual machine is restarted on the new host, not migrated: its memory state is lost, and the guest experiences the failover as a power loss, so the application inside it must be able to recover from that.

Guest Clustering

You configure guest failover clustering very similarly to physical server failover clustering, except that the cluster nodes are multiple virtual machines. In this scenario, you create two or more virtual machines, and enable failover clustering within the guest operating system. The application or service is then enabled for high availability between the virtual machines by using failover clustering in each virtual machine. Because you implement failover clustering within each virtual machine node's guest operating system, you can locate the virtual machines on a single host. This can be a quick and cost-effective configuration in a test or staging environment, but a single host is then a single point of failure for the whole guest cluster.

For production environments, however, you can more robustly protect the application or service if you deploy the virtual machines on separate failover clusteringenabled Hyper-V host computers. With failover clustering implemented at both the host and virtual machine levels, you can restart the resource regardless of whether the node that fails is a virtual machine or a host. This configuration is also known as a Guest Cluster Across Hosts. It is considered an optimal high availability configuration for virtual machines that are running critical applications in a production environment. You should consider several factors when you implement guest clustering:

- The application or service must be failover cluster-aware. This includes any of the Windows Server 2012 services that are cluster-aware, and applications such as clustered Microsoft SQL Server and Microsoft Exchange Server.

- Hyper-V virtual machines can use Fibre Channel-based connections to shared storage (virtual Fibre Channel for guests is new in Windows Server 2012 Hyper-V), or you can implement Internet Small Computer System Interface (iSCSI) connections from the virtual machines to the shared storage.

- You should deploy multiple network adapters on the host computers and the virtual machines. Ideally, when using an iSCSI connection you should dedicate separate network connections to the iSCSI traffic, to the private network between the hosts, and to the network used by the client computers.

Network Load Balancing

NLB works with virtual machines in the same manner in which it works with physical hosts. It distributes IP traffic to multiple instances of a TCP/IP service, such as a web server, that is running on a host within the NLB cluster. NLB transparently distributes client requests among the hosts, and it enables the clients to access the cluster by using a virtual host name or a virtual IP address. From the client computer's point of view, the cluster seems to be a single server that answers these client requests. As enterprise traffic increases, you can add another server to the cluster. NLB is therefore an appropriate solution for resources that do not have to accommodate exclusive read or write requests. Examples of NLB-appropriate applications are web-based front ends to database applications, or Exchange Server Client Access servers.

When you configure an NLB cluster, you must install and configure the application on all virtual machines. After you configure the application, you install the NLB feature in Windows Server 2012 within each virtual machine's guest operating system (not on the Hyper-V hosts), and then configure an NLB cluster for the application. Earlier versions of Windows Server also support NLB, which means that the guest operating system is not limited to Windows Server 2012. Similar to a Guest Cluster Across Hosts, the NLB resource typically benefits from increased overall input/output (I/O) performance when the virtual machine nodes are located on different Hyper-V hosts.


Note: As with earlier versions of Windows Server, you should not implement NLB and failover clustering within the same guest operating system, because the two technologies conflict with one another.

How Does a Failover Cluster Work with Hyper-V Nodes?


When you implement failover clustering and configure virtual machines as highly available resources, the failover cluster treats the virtual machines like any other application or service. Namely, if a host fails, failover clustering acts to restore access to the virtual machine as quickly as possible on another host within the cluster. Only one node at a time runs the virtual machine. However, you can also move the virtual machine to any other node within the same cluster. The failover process transfers the responsibility of providing access to resources within a cluster from one node to another. Failover can occur when an administrator moves resources to another node for maintenance or other reasons, or when unplanned downtime of one node occurs because of a hardware failure or for other reasons. The failover process consists of the following steps:

1. The node where the virtual machine is running owns the clustered instance of the virtual machine, controls access to the shared bus or iSCSI connection to the cluster storage, and has ownership of any disks, or logical unit numbers (LUNs), assigned to the virtual machine. All the nodes in the cluster use a private network to send regular signals, known as heartbeat signals, to one another. The heartbeat signals that a node is functioning and communicating on the network. The default heartbeat configuration specifies that each node sends a heartbeat over TCP/UDP port 3343 each second (1,000 milliseconds).

2. Failover starts when the node hosting the virtual machine does not send regular heartbeat signals over the network to the other nodes. By default, this corresponds to five consecutively missed heartbeats (5,000 milliseconds). Failover may occur because of a node failure or a network failure.

3. When heartbeat signals stop arriving from the failed node, one of the other nodes in the cluster begins taking over the resources that the virtual machine uses. You define the node or nodes that can take over by configuring the Preferred Owners and Possible Owners properties. The preferred owners specify the order of ownership if there is more than one possible failover node for a resource. By default, all nodes are possible owners. Removing a node as a possible owner therefore absolutely excludes it from taking over the resource in a failure situation. For example, suppose that you implement a failover cluster by using three nodes, but only two nodes are configured as preferred owners. During a failover event, the resource can still be taken over by the third node if neither of the preferred owners is online. Although the third node is not configured as a preferred owner, as long as it is a possible owner, the failover cluster can use it if necessary to restore access to the resource. Resources are brought online in order of dependency. For example, if the virtual machine references an iSCSI LUN, access to the appropriate host bus adapters (HBAs), networks, and LUNs is restored in that order. Failover is complete when all the resources are online on the new node. For clients interacting with the resource, there is a short service interruption, which most users will not notice.

You can also configure the cluster service to fail back to the offline node after it again becomes active. When the cluster service fails back, it uses the same procedures that it performs during failover. This means that the cluster service takes offline all the resources associated with that instance, moves the instance, and then brings all the resources in the instance back online. Because failback is a second move, and therefore a second interruption, restrict it to a failback window outside business hours rather than allowing it immediately.

What Is New in Failover Clustering for Hyper-V in Windows Server 2012

In Windows Server 2012, failover clustering is much improved with respect to Hyper-V clusters. Some of the most important improvements are:

• Scale and management. Failover clustering now supports up to 4,000 virtual machines, and the improved Failover Cluster Manager snap-in simplifies managing many virtual machines. Administrators can now perform multiselect actions to queue live migrations of multiple virtual machines, instead of one by one as in earlier versions.

• Virtual machine priority. Administrators can configure the virtual machine priority attribute to control the order in which virtual machines are started. Priority is also used to ensure that lower-priority virtual machines automatically release resources to higher-priority virtual machines as needed.

• Cluster Shared Volume (CSV) improvements. The CSV feature, which simplifies the configuration and operation of virtual machines, can help improve security and performance. It now supports scalable file-based server application storage, improved backup and restore, and a single consistent file namespace. In addition, you can now protect CSV volumes by using Windows BitLocker Drive Encryption, and you can configure CSV volumes so that the storage is visible to only a subset of nodes.

• Virtual machine application monitoring. You can now monitor services that are running on clustered virtual machines. In clusters running Windows Server 2012, administrators can configure monitoring of services on clustered virtual machines that are also running Windows Server 2012. This functionality extends the high-level monitoring of virtual machines that is implemented in Windows Server 2008 R2 failover clusters.

• Virtual machines on SMB file shares. You can now store virtual machines on Server Message Block (SMB) file shares in a file server cluster. This is a new method for providing highly available virtual machines. Instead of configuring a cluster between Hyper-V nodes, you can now have Hyper-V nodes out of a cluster, but with the virtual machine files on a highly available file share. To make this work, you should deploy a file server cluster in scale-out file server mode. Scale-out file servers can also use CSV for storage.
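The failover behaviour described in the previous topic (heartbeat thresholds, preferred and possible owners, failback) and the Windows Server 2012 additions listed above (priority, application monitoring) can all be set with the FailoverClusters module. The following script is an added example written for this page, not part of the course material. It assumes a cluster named LON-CLUS1 with nodes LON-HOST1, LON-HOST2 and LON-HOST3, a clustered virtual machine role named TestClusterVM whose guest runs Windows Server 2012, and that it runs on a cluster node as a cluster administrator.

```powershell
# Added example (not from the course). Assumed names: cluster LON-CLUS1,
# nodes LON-HOST1/LON-HOST2/LON-HOST3, clustered VM role TestClusterVM.
Import-Module FailoverClusters

$ClusterName = 'LON-CLUS1'
$VmRole      = 'TestClusterVM'
$Cluster     = Get-Cluster -Name $ClusterName

# --- Heartbeat: delay between beats (ms) and how many may be missed before a node is
# declared down. Defaults within one subnet are 1000 ms and 5 (five seconds in total).
$Cluster | Select-Object Name, SameSubnetDelay, SameSubnetThreshold,
                         CrossSubnetDelay, CrossSubnetThreshold

# Tolerate a noisier private network: declare a node down after 10 missed beats instead of 5.
# Raising this delays detection of a real failure, so keep it as low as the network allows.
$Cluster.SameSubnetThreshold = 10

# --- Preferred owners: the ordered list the cluster tries first when the role fails over.
Set-ClusterOwnerNode -Cluster $ClusterName -Group $VmRole -Owners 'LON-HOST1', 'LON-HOST2'
Get-ClusterOwnerNode -Cluster $ClusterName -Group $VmRole

# --- Possible owners are a property of the resources, not of the group. Removing LON-HOST3
# here excludes it completely, even if both preferred owners are down.
$VmResources = Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.OwnerGroup.Name -eq $VmRole }
foreach ($Res in $VmResources) {
    Set-ClusterOwnerNode -Cluster $ClusterName -Resource $Res.Name -Owners 'LON-HOST1', 'LON-HOST2'
    Get-ClusterOwnerNode -Cluster $ClusterName -Resource $Res.Name
}

# --- Failback: 0 = prevent, 1 = allow. Restricting it to a window (hours, 0-23) avoids a
# second interruption during business hours when the failed node returns.
$Group = Get-ClusterGroup -Cluster $ClusterName -Name $VmRole
$Group.AutoFailbackType    = 1
$Group.FailbackWindowStart = 1    # 01:00
$Group.FailbackWindowEnd   = 5    # 05:00

# --- Priority (new in Windows Server 2012): 3000 high, 2000 medium (default), 1000 low,
# 0 = do not start automatically. Higher-priority roles start first and are kept running
# at the expense of lower-priority ones when a node is short of resources.
$Group.Priority = 3000

# --- Application monitoring (new in Windows Server 2012): the cluster watches a service
# inside the guest. Requirements: the guest runs Windows Server 2012, the "Virtual Machine
# Monitoring" firewall rule is enabled in the guest, and the caller is an administrator
# in the guest.
Add-ClusterVMMonitoredItem -Cluster $ClusterName -VirtualMachine $VmRole -Service 'Spooler'
Get-ClusterVMMonitoredItem -Cluster $ClusterName -VirtualMachine $VmRole

# Show where the role runs now and with what priority
Get-ClusterGroup -Cluster $ClusterName -Name $VmRole |
    Select-Object Name, OwnerNode, State, Priority
```

Every setting here is per cluster or per role, so the script has to be repeated (or looped) for each virtual machine role that needs non-default behaviour; the heartbeat change, by contrast, applies to the whole cluster at once.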


Best Practices for Implementing High Availability in a Virtual Environment

After you determine which applications you want to deploy on highly available failover clusters, you can plan and deploy the failover clustering environment. Consider the following recommendations when you implement the failover cluster:

• Use Windows Server 2012 as the Hyper-V host. Windows Server 2012 provides enhancements such as Hyper-V 3.0, improved CSVs, virtual machine migrations, and other features that improve flexibility and performance when you implement host failover clustering.

• Plan for failover scenarios. When you design the hardware requirements for the Hyper-V hosts, make sure that you include the hardware capacity that is required when hosts fail. For example, if you deploy a six-node cluster, you must determine the number of host failures that you want to accommodate. If you decide that the cluster must sustain the failure of two nodes, then the four remaining nodes must have the capacity to run all of the virtual machines in the cluster.

• Plan the network design for failover clustering. To optimize failover cluster performance and failover, you should dedicate a fast network connection to internode communication. As with earlier versions, this network should be logically and physically separate from the network segment(s) used by clients to communicate with the cluster. You can also use this network connection to transfer virtual machine memory during a live migration. Isolating it also matters for security: live migration copies the contents of virtual machine memory across this network, and that traffic is not encrypted. If you are using iSCSI for any virtual machines, also dedicate a network connection to the iSCSI traffic.

• Plan the shared storage for failover clustering. When you implement failover clustering for Hyper-V, the shared storage must be highly available. If the shared storage fails, the virtual machines will all fail, even if the physical nodes are functional. To ensure storage availability, plan for redundant connections to the shared storage and redundant array of independent disks (RAID) redundancy on the storage device.

• Use the recommended failover cluster quorum mode. If you deploy a cluster with an even number of nodes, and shared storage is available to the cluster, the Failover Cluster Manager automatically selects the Node and Disk Majority quorum mode. If you deploy a cluster with an odd number of nodes, the Failover Cluster Manager automatically selects the Node Majority quorum mode. You should not modify the default configuration unless you understand the implications of doing this.

• Deploy standardized Hyper-V hosts. To simplify the deployment and management of the failover cluster and Hyper-V nodes, develop a standard server hardware and software platform for all nodes.

• Develop standard management practices. When you deploy multiple virtual machines in a failover cluster, you increase the risk that a single mistake may shut down a large part of the server deployment. For example, if an administrator accidentally configures the failover cluster incorrectly, and the cluster fails, all virtual machines in the cluster will be offline. To avoid this, develop and thoroughly test standardized instructions for all administrative tasks.


Lesson 2

Implementing Hyper-V Virtual Machines on Failover Clusters

Implementing highly available virtual machines is somewhat different from implementing other roles in a failover cluster. Failover clustering in Windows Server 2012 provides many features for Hyper-V clustering, in addition to tools for virtual machine high availability management. In this lesson, you will learn how to implement highly available virtual machines.

Lesson Objectives

After completing this lesson, you will be able to:
• Describe components of a Hyper-V cluster.
• Describe prerequisites for implementing Hyper-V failover clusters.
• Implement failover clustering for Hyper-V virtual machines.
• Configure CSVs.
• Implement highly available virtual machines on SMB 3.0 file shares.
• Describe considerations for implementing Hyper-V virtual machines in a cluster.

Components of Hyper-V Clusters

Hyper-V as a role has some specific requirements for cluster components. To form a Hyper-V cluster, you must have at least two physical nodes. Whereas other clustered roles (such as Dynamic Host Configuration Protocol (DHCP) or file server) allow nodes to be virtual machines, Hyper-V nodes must be physical hosts. You cannot run Hyper-V inside a virtual machine on a Hyper-V host.

In addition to nodes, you must also have physical and virtual networks. Failover clustering requires a network for internal cluster communication, and also a network for clients. You can also implement a storage network separately, depending on the type of storage that you are using. Again, specific to the Hyper-V role, you should also consider virtual networks for clustered virtual machines. It is important that you create the same virtual networks (virtual switches with identical names) on all physical hosts that participate in one cluster. Failure to do this will cause a virtual machine to lose network connectivity when it is moved from one host to another.

Storage is an important component of virtual machine clustering. You can use any type of storage that is supported by Windows Server 2012 failover clustering. As a best practice, you should configure storage as a CSV. This is discussed further in a following topic within this module.

Virtual machines are components of a Hyper-V cluster. In Failover Cluster Manager, you can create new highly available virtual machines, or you can make existing virtual machines highly available. In both cases, the virtual machine storage location must be on shared storage that all nodes can access. However, you might not want to make all virtual machines highly available. In Failover Cluster Manager, you can select which virtual machines you want to be part of a cluster configuration.


Prerequisites for Implementing Hyper-V Clusters

To deploy Hyper-V on a failover cluster, you must ensure that you meet the hardware, software, account, and network infrastructure requirements as detailed in the following sections.

Hardware Requirements for Failover Clustering with Hyper-V

You must have the following hardware for a two-node failover cluster:

• Server hardware. Hyper-V requires an x64-based processor, hardware-assisted virtualization, and hardware-enforced Data Execution Prevention (DEP). As a best practice, the servers should have similar hardware. If you are using Windows Server 2008, the processors on the servers must be the same version. If you are using Windows Server 2008 R2 or Windows Server 2012, the processors must use the same architecture.

Note: Microsoft supports a failover cluster solution only if all the hardware features are marked as Certified for Windows Server. Additionally, the complete configuration (servers, network, and storage) must pass all tests in the Validate a Configuration Wizard, which is included in the Failover Cluster Manager snap-in.

• Network adapters. As with the other features in the failover cluster solution, the network hardware must be marked as Certified for Windows Server. To provide network redundancy, you can connect cluster nodes to multiple, distinct networks, or you can connect the nodes to one network that uses teamed network adapters, redundant switches, redundant routers, or similar hardware to remove single points of failure. As a best practice, you should configure multiple network adapters on the host computer that you configure as a cluster node. You should connect one network adapter to the private network that the inter-host communications use.

• Storage adapters. If you use Serial Attached SCSI (SAS) or Fibre Channel, the mass-storage device controllers in all clustered servers should be identical and should use the same firmware version. If you are using iSCSI, each clustered server should have one or more network adapters that are dedicated to the cluster storage. The network adapters that you use to connect to the iSCSI storage target should be identical, and you should use a gigabit Ethernet or faster network adapter.

• Storage. You must use shared storage that is compatible with Windows Server 2012. If you deploy a failover cluster that uses a witness disk, the storage must contain at least two separate volumes (or LUNs). One volume functions as the witness disk, and additional volumes contain the virtual machine files that are shared between the cluster nodes. Storage considerations and recommendations include the following:
o Use basic disks, not dynamic disks.
o Format the disks with the NTFS file system.
o Use either master boot record (MBR) or GUID partition table (GPT).
o If you are using a storage area network (SAN), the miniport driver that the storage uses must work with the Microsoft Storport storage driver.
o Consider using multipath I/O software. If your SAN uses a highly available network design with redundant components, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software. This provides the highest level of redundancy and availability. For Windows Server 2008 R2 and Windows Server 2012, your multipath solution must be based on Microsoft Multipath I/O (MPIO).


Software Requirements for Using Hyper-V and Failover Clustering

The following are the software requirements for using Hyper-V and failover clustering:

• All the servers in a failover cluster must run the x64-based version of Windows Server 2012 Standard Edition or Windows Server 2012 Datacenter Edition. The nodes in a single failover cluster cannot run different versions.
• All the servers should have the same software updates and service packs.
• All the servers must use the same installation option: either all Full installations or all Server Core installations.

Network Infrastructure Requirements

The following network infrastructure is required for a failover cluster, together with an administrative account that has the domain permissions described below:

• Network settings and IP addresses. Use identical communication settings on all network adapters, including the speed, duplex mode, flow control, and media type settings. Ensure that all network hardware supports the same settings. If you use private networks that are not routed to your whole network infrastructure for communication between cluster nodes, ensure that each of these private networks uses a unique subnet.

• DNS. The servers in the cluster must use Domain Name System (DNS) for name resolution. You should use the DNS dynamic update protocol.

• Domain role. All servers in the cluster must be in the same Active Directory Domain Services (AD DS) domain. As a best practice, all clustered servers should have the same domain role, either member server or domain controller. The recommended role is member server. You should avoid installing cluster nodes on domain controllers, because AD DS has its own high availability mechanism.

• Account for administering the cluster. When you first create a cluster or add servers to a cluster, you must be logged on to the domain with an account that is an administrator on all the cluster's servers. Additionally, if the account is not a Domain Admins account, the account must have the Create Computer Objects permission in the domain. The least-privilege alternative to using a Domain Admins account is to have an AD DS administrator prestage the cluster computer object in the intended organizational unit and grant only the cluster administrator's account Full Control on that object.

Implementing Failover Clustering for Hyper-V Virtual Machines

To implement failover clustering for Hyper-V virtual machines, you must complete the following high-level steps:

1. Install and configure the required versions of Windows Server 2012. After you complete the installation, configure the network settings, join the computers to an Active Directory domain, and configure the connection to the shared storage.

2. Configure the shared storage. Use Disk Management to create disk partitions on the shared storage.

3. Install the Hyper-V and failover clustering features on the host servers. You can use Server Manager in the Microsoft Management Console (MMC) or Windows PowerShell for this.

4. Validate the cluster configuration. The Validate a Configuration Wizard checks all the prerequisite components that are required to create a cluster, and provides warnings or errors if any components do not meet the cluster requirements. Before you continue, resolve any issues that the wizard identifies.

5. Create the cluster. Once the components pass validation, you can create a cluster. When you configure the cluster, assign a cluster name and an IP address. A computer account for the cluster name is created in the Active Directory domain, and the IP address is registered in DNS.

Note: You can add storage to Cluster Shared Volumes only after you create the cluster. If you want to use CSV, you should configure CSV before you proceed to the next step.

6. Create a virtual machine on one of the cluster nodes. When you create the virtual machine, ensure that all files that are associated with the virtual machine, including both the virtual hard disk and the virtual machine configuration files, are stored on the shared storage. You can create and manage virtual machines in either Hyper-V Manager or Failover Cluster Manager. When you create a virtual machine by using Failover Cluster Manager, the virtual machine is made highly available automatically.

7. Make the virtual machine highly available. To make an existing virtual machine highly available, in Failover Cluster Manager, select Roles, and then use Configure Role (called Configure a Service or Application in Windows Server 2008 R2). Failover Cluster Manager then displays a list of services and applications that you can make highly available. When you select the option to make virtual machines highly available, you can select the virtual machine that you created on shared storage.

Note: When you make a virtual machine highly available, a list displays all virtual machines that are hosted on all cluster nodes, including virtual machines that are not stored on the shared storage. If you make a virtual machine that is not located on shared storage highly available, you receive a warning, but the virtual machine is still added to the list of roles. However, when you try to migrate the virtual machine to a different host, the migration will fail.

8. Test virtual machine failover. After you make the virtual machine highly available, you can migrate the virtual machine to another node in the cluster. If you are running Windows Server 2008 R2 or Windows Server 2012, you can choose to perform a quick migration or a live migration.
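Steps 3 through 8 of this procedure can be performed entirely from Windows PowerShell. The script below is an added example written for this page, not part of the course material. It assumes two domain-joined hosts, LON-HOST1 and LON-HOST2, that already have two shared LUNs presented to both (a small witness disk and a larger data disk, partitioned and formatted as in step 2), a virtual switch named External on both hosts, a cluster name of LON-CLUS1 with the static address 172.16.0.50, and that it runs on a management computer as a domain user who is a local administrator on both hosts and has the Create Computer Objects permission (or Full Control on a prestaged cluster computer object).

```powershell
# Added example (not from the course). Assumed: hosts LON-HOST1 and LON-HOST2, cluster
# LON-CLUS1 at 172.16.0.50, virtual switch 'External', two shared LUNs already formatted.
$Nodes       = 'LON-HOST1', 'LON-HOST2'
$ClusterName = 'LON-CLUS1'
$ClusterIP   = '172.16.0.50'
$VmName      = 'TestClusterVM'

# Step 3: Hyper-V and failover clustering on every node. Hyper-V needs a restart.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Install-WindowsFeature -Name Hyper-V, Failover-Clustering -IncludeManagementTools
}
Restart-Computer -ComputerName $Nodes -Wait -For PowerShell -Force

# Step 4: validation. Fix every error before continuing; a warning is acceptable only if
# you know why it is there. Test-Cluster returns the HTML report it wrote.
$Report = Test-Cluster -Node $Nodes
"Validation report: $($Report.FullName)"

# Step 5: create the cluster. This creates the cluster computer object in AD DS and registers
# the name in DNS, and adds all eligible shared disks; with two nodes and a disk the default
# quorum is Node and Disk Majority with the smallest disk as witness.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null
Get-ClusterQuorum -Cluster $ClusterName | Select-Object QuorumType, QuorumResource

# Note after step 5: make the remaining data disk a CSV before any VM is placed on it.
$DataDisk = Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.ResourceType -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Available Storage' } |
    Select-Object -First 1
Add-ClusterSharedVolume -Cluster $ClusterName -Name $DataDisk.Name | Out-Null
$Csv     = Get-ClusterSharedVolume -Cluster $ClusterName -Name $DataDisk.Name
$CsvPath = ($Csv.SharedVolumeInfo | Select-Object -First 1).FriendlyVolumeName   # C:\ClusterStorage\Volume1

# Step 6: create the VM with every file (configuration and VHDX) on the CSV.
New-VM -Name $VmName -ComputerName 'LON-HOST1' -MemoryStartupBytes 1536MB `
       -Path $CsvPath -NewVHDPath "$CsvPath\$VmName\$VmName.vhdx" -NewVHDSizeBytes 40GB `
       -SwitchName 'External' | Out-Null

# Step 7: make it highly available (a VM created in Failover Cluster Manager gets this
# automatically; one created in Hyper-V Manager or with New-VM does not).
Add-ClusterVirtualMachineRole -Cluster $ClusterName -VirtualMachine $VmName | Out-Null
Start-ClusterGroup -Cluster $ClusterName -Name $VmName | Out-Null

# Step 8: test with a live migration and check that the owner really changed.
Move-ClusterVirtualMachineRole -Cluster $ClusterName -Name $VmName -Node 'LON-HOST2' -MigrationType Live | Out-Null
$Role = Get-ClusterGroup -Cluster $ClusterName -Name $VmName
if ($Role.OwnerNode.Name -ne 'LON-HOST2' -or $Role.State -ne 'Online') {
    throw "Live migration test failed: owner=$($Role.OwnerNode.Name) state=$($Role.State)"
}
$Role | Select-Object Name, OwnerNode, State
```

The check at the end is the part most often skipped: a move that reports success but leaves the role on the original node, or leaves it Online but Failed, is exactly what a misplaced virtual hard disk (see the note under step 7) produces.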


Configuring CSVs

You do not have to configure and use CSV when you implement high availability for virtual machines in Hyper-V. In fact, you can configure a Hyper-V cluster without using CSV. However, as a best practice, you should use CSV because of the following advantages:

• Reduced LUNs for the disks. You can use CSV to reduce the number of LUNs that your virtual machines require. When you configure a CSV, you can store multiple virtual machines on a single LUN, and multiple host computers can access the same LUN concurrently.

• Better use of disk space. Instead of placing each virtual hard disk (.vhdx) file on a separate disk with empty space so that the .vhdx file can expand, you can oversubscribe disk space by storing multiple .vhdx files on the same LUN.

• Virtual machine files stored in a single logical location. You can track the paths of .vhdx files and other files that virtual machines use. Instead of using drive letters or GUIDs to identify disks, you can specify the path names. When you implement CSV, all added storage appears in the \ClusterStorage folder. The \ClusterStorage folder is created on the cluster node's system drive, and you cannot move it. This means that all Hyper-V hosts that are members of the cluster must use the same drive letter for their system drive, or virtual machine failovers will fail.

• No specific hardware requirements. CSV implementation does not have specific hardware requirements. You can implement CSV on any supported disk configuration, and on either Fibre Channel or iSCSI SANs.

• Increased resiliency. CSV increases resiliency because the cluster can respond correctly even if connectivity between one node and the SAN is interrupted, or part of a network is down. The cluster reroutes the traffic to the CSV through an intact part of the SAN or network.

Implementing CSV

After you create the failover cluster, you can add storage to CSV. (In Windows Server 2012, CSV no longer has to be enabled separately, as it did in Windows Server 2008 R2; you simply add a cluster disk to Cluster Shared Volumes.)

Before you can add storage to the CSV, the LUN must be available as shared storage for the cluster. When you create a failover cluster, all the shared disks that are configured in Server Manager are added to the cluster, and you can then add them to a CSV. If you add more LUNs to the shared storage, you must first create volumes on the LUN, add the storage to the cluster, and then add the storage to the CSV.

As a best practice, you should configure CSV before you make any virtual machines highly available. However, you can convert from regular disk access to CSV after deployment. When implementing CSV, the following considerations apply:

• The LUN's drive letter or mount point is removed when you convert from regular disk access to CSV. This means that you must re-create all virtual machines that are stored on the shared storage. If you must keep the same virtual machine settings, consider exporting the virtual machines, switching to CSV, and then importing the virtual machines in Hyper-V. Alternatively, consider using the storage migration option that is available in the Hyper-V role in Windows Server 2012.

• You cannot convert shared storage that is in use to CSV. If any running virtual machine uses a cluster disk, you must shut down the virtual machine, and then add the disk to CSV.
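The storage migration route mentioned in the first consideration avoids both problems above: the virtual machine keeps running, nothing has to be re-created, and the old disk is only converted once no virtual machine uses it. The script below is an added example written for this page, not part of the course material. It assumes a cluster LON-CLUS1, a clustered virtual machine role TestClusterVM whose files currently sit on the non-CSV cluster disk named Cluster Disk 2, and a new LUN already added to the cluster as Cluster Disk 3 in Available Storage; it runs on a cluster node as a cluster administrator.

```powershell
# Added example (not from the course). Assumed: cluster LON-CLUS1, VM role TestClusterVM on
# 'Cluster Disk 2' (mounted with a drive letter), new LUN 'Cluster Disk 3' in Available Storage.
Import-Module FailoverClusters
$ClusterName = 'LON-CLUS1'
$VmName      = 'TestClusterVM'
$NewDisk     = 'Cluster Disk 3'
$OldDisk     = 'Cluster Disk 2'

# 1. Make the new LUN a CSV and find the path it is mounted under on every node.
Add-ClusterSharedVolume -Cluster $ClusterName -Name $NewDisk | Out-Null
$Csv     = Get-ClusterSharedVolume -Cluster $ClusterName -Name $NewDisk
$CsvRoot = ($Csv.SharedVolumeInfo | Select-Object -First 1).FriendlyVolumeName

# 2. Live storage migration to the CSV: the VM keeps running throughout. Hyper-V cmdlets
#    are pointed at whichever node currently owns the role.
$Node = (Get-ClusterGroup -Cluster $ClusterName -Name $VmName).OwnerNode.Name
Move-VMStorage -VMName $VmName -ComputerName $Node -DestinationStoragePath (Join-Path $CsvRoot $VmName)

# Verify that no file of the VM still points at the old disk before touching it.
$Vm    = Get-VM -Name $VmName -ComputerName $Node
$Paths = @($Vm.ConfigurationLocation, $Vm.SnapshotFileLocation, $Vm.SmartPagingFilePath) + @($Vm.HardDrives.Path)
$Left  = $Paths | Where-Object { $_ -and ($_ -notlike "$CsvRoot*") }
if ($Left) { throw "Still on old storage: $($Left -join ', ')" }

# 3. Tell the cluster about the new file locations and drop the dependency on the old disk.
Update-ClusterVirtualMachineConfiguration -Cluster $ClusterName -Name $VmName | Out-Null
$ConfigRes = Get-ClusterResource -Cluster $ClusterName |
    Where-Object { $_.OwnerGroup.Name -eq $VmName -and $_.ResourceType -eq 'Virtual Machine Configuration' }
$Dep = (Get-ClusterResourceDependency -Cluster $ClusterName -Resource $ConfigRes.Name).DependencyExpression
if ($Dep -and $Dep.Contains($OldDisk)) {
    Remove-ClusterResourceDependency -Cluster $ClusterName -Resource $ConfigRes.Name -Provider $OldDisk
}

# 4. Now that nothing uses it, move the old disk out of the role and convert it to CSV too.
Stop-ClusterResource -Cluster $ClusterName -Name $OldDisk | Out-Null
Move-ClusterResource -Cluster $ClusterName -Name $OldDisk -Group 'Available Storage' | Out-Null
Add-ClusterSharedVolume -Cluster $ClusterName -Name $OldDisk | Out-Null

Get-ClusterSharedVolume -Cluster $ClusterName |
    Select-Object Name, State, @{n='Path'; e={ ($_.SharedVolumeInfo | Select-Object -First 1).FriendlyVolumeName }}
```

The path check in step 2 is deliberate: a snapshot or smart paging file left behind on the old disk is enough to make the role fail over incorrectly later, and it would not be caught by looking at the virtual hard disks alone.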

Implementing Highly Available Virtual Machines on an SMB 3.0 File Share

In Windows Server 2012, you can use a new technique to make virtual machines highly available. Instead of using host or guest clustering, you can now store virtual machine files on a highly available SMB 3.0 file share. With this approach, high availability is achieved not by clustering Hyper-V nodes, but by the file servers that host the virtual machine files on their file shares. With this new capability, Hyper-V can store all virtual machine files, including configuration, .vhdx files, and snapshots, on highly available SMB 3.0 file shares. This technology requires the following infrastructure:

• One or more computers that are running Windows Server 2012 with the Hyper-V role installed.
• One or more computers that are running Windows Server 2012 with the File and Storage Services role installed.
• Domain members in the Active Directory infrastructure. The servers running AD DS do not need to run Windows Server 2012.

Before you implement virtual machines on an SMB 3.0 file share, configure a file server cluster. To do this, you should have at least two cluster nodes, both with file services and failover clustering installed on them. In the Failover Cluster Manager console, create a scale-out file server role. After you configure the cluster, deploy the new SMB file share for applications. This share stores virtual machine files. Because Hyper-V accesses the share in the security context of the host's computer account, both the share permissions and the NTFS permissions must grant Full Control to the computer accounts of all Hyper-V hosts (and to the cluster computer object, if the hosts are clustered) and to the administrators who manage the virtual machines; grant nothing broader, because the share contains every virtual machine's disks. When the share is created, you can use Hyper-V Manager to deploy new virtual machines on the SMB 3.0 file share, or you can migrate existing virtual machines to the SMB file share by using the storage migration method.
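The following script performs the file server side of this procedure and then places a virtual machine on the share. It is an added example written for this page, not part of the course material. It assumes a file server cluster LON-FSC1 (nodes LON-SVR1 and LON-SVR2) with a CSV at C:\ClusterStorage\Volume1, Hyper-V hosts LON-HOST1 and LON-HOST2 in the domain ADATUM, and a group ADATUM\Hyper-V Admins for the people who manage the virtual machines; the first four steps run on a node of the file server cluster, and the last step runs logged on locally to LON-HOST1.

```powershell
# Added example (not from the course). Assumed: file server cluster LON-FSC1 with CSV
# C:\ClusterStorage\Volume1, Hyper-V hosts LON-HOST1/LON-HOST2, domain ADATUM,
# group ADATUM\Hyper-V Admins. Steps 1-4 run on a file server cluster node.
Import-Module FailoverClusters

$ClusterName = 'LON-FSC1'
$SofsName    = 'LON-SOFS'                          # client access point of the scale-out file server
$ShareName   = 'VMs'
$SharePath   = 'C:\ClusterStorage\Volume1\Shares\VMs'
$HyperVHosts = 'ADATUM\LON-HOST1$', 'ADATUM\LON-HOST2$'   # Hyper-V reaches the share as the host computer account
$VmAdmins    = 'ADATUM\Hyper-V Admins'

# 1. Scale-Out File Server role: active on every node; SMB transparent failover needs CSV behind it.
Add-ClusterScaleOutFileServerRole -Cluster $ClusterName -Name $SofsName | Out-Null

# 2. Folder with an explicit NTFS ACL. Inheritance is cut so that no 'Users' read entry from the
#    volume root leaks onto a folder that holds every VM's disks and configuration.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$Acl = Get-Acl -Path $SharePath
$Acl.SetAccessRuleProtection($true, $false)        # stop inheriting and drop inherited entries
$Principals = $HyperVHosts + $VmAdmins + 'NT AUTHORITY\SYSTEM' + 'BUILTIN\Administrators'
foreach ($Principal in $Principals) {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $SharePath -AclObject $Acl

# 3. Continuously available share scoped to the SOFS name; the share ACL lists the same principals
#    (no Everyone entry is created because -FullAccess is given explicitly).
New-SmbShare -Name $ShareName -Path $SharePath -ScopeName $SofsName `
             -FullAccess ($HyperVHosts + $VmAdmins) -ContinuouslyAvailable $true | Out-Null

# 4. Checks: the share is continuously available and only the intended principals can reach it.
Get-SmbShare -Name $ShareName -ScopeName $SofsName |
    Select-Object Name, ScopeName, ContinuouslyAvailable, Path
Get-SmbShareAccess -Name $ShareName -ScopeName $SofsName |
    Select-Object AccountName, AccessControlType, AccessRight

# 5. Run this part logged on locally to LON-HOST1. A remote PowerShell session would need
#    Kerberos constrained delegation to open the UNC path on the host's behalf.
New-VM -Name 'WebVM1' -MemoryStartupBytes 1GB -Path "\\$SofsName\$ShareName" `
       -NewVHDPath "\\$SofsName\$ShareName\WebVM1\WebVM1.vhdx" -NewVHDSizeBytes 40GB | Out-Null
Get-VM -Name 'WebVM1' | Select-Object Name, State, Path, @{n='VHD'; e={ $_.HardDrives.Path }}
```

If the Hyper-V hosts are themselves a failover cluster, add the cluster computer object (for example ADATUM\LON-CLUS1$) to both $HyperVHosts lists as well; without it the cluster service cannot validate the storage when it brings the role online.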

Demonstration: Implementing Virtual Machines on Clusters (optional)

In this demonstration, you will see how to implement virtual machines on a failover cluster.

Note: Before starting this demonstration, ensure that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, then move the ClusterVMs resource to LON-HOST1 before doing this procedure.

Demonstration Steps

Move virtual machine storage to the iSCSI target

• On LON-HOST1, open Windows Explorer, browse to E:\Program Files\Microsoft Learning\20412\20412A-LON-CORE\Virtual Hard Disks, and then move 20412A-LON-CORE.vhd to the C:\ClusterStorage\Volume1 location.

Configure the machine as highly available

1. In Failover Cluster Manager, click Roles, and then start the New Virtual Machine Wizard.

2. In the New Virtual Machine Wizard, use the following settings:
o Cluster node: LON-HOST2.
o Computer name: TestClusterVM.
o Store the file at C:\ClusterStorage\Volume1.
o RAM for TestClusterVM: 1536 MB.
o Connect the machine to the existing virtual hard disk drive 20412A-LON-CORE.vhd located at C:\ClusterStorage\Volume1.

3. From the Roles node, start the virtual machine.

Considerations for Implementing Hyper-V Clusters

By implementing host failover clustering, you can make virtual machines highly available. However, implementing host failover clustering also adds significant cost and complexity to a Hyper-V deployment. You must invest in additional server hardware to provide redundancy, and you should implement or have access to a shared storage infrastructure. Consider the following recommendations to ensure that the failover clustering strategy meets the organization's requirements:

• Identify the applications or services that require high availability. Unless you have the option of making all virtual machines highly available, you must develop priorities for which applications you will make highly available.

• Identify the components that must be highly available to make the applications highly available. In some cases, the application might run on a single server, and making that server highly available is all that you have to do. Other applications may require that several servers and components, such as storage or the network, be made highly available. In addition, ensure that the domain controllers are highly available, and that you have at least one domain controller on separate hardware or virtualization infrastructure.

• Identify the application characteristics. You must understand several aspects of the application:
o Is virtualizing the server that is running the application an option? Some applications are not supported in, or not recommended for, a virtual environment.
o What options are available for making the application highly available? You can make some applications highly available through options other than host clustering. If other options are available, evaluate the benefits and disadvantages of each option.
o What are the performance requirements for each application? Collect performance information on the servers currently running the applications to gain an understanding of the hardware requirements when you virtualize the server.

• What capacity is required to make the Hyper-V virtual machines highly available? As soon as you identify all the applications that you must make highly available by using host clustering, you can start to design the actual Hyper-V deployment. By identifying the performance requirements and the network and storage requirements for the applications, you can define the hardware that you have to implement for all the applications in a highly available environment.

Live migration is one of the most important aspects of Hyper-V clustering. You use the Live Migration feature in Windows Server 2012 to perform live migrations of virtual machines. When implementing live migration, consider the following:

• Verify basic requirements. Live migration within a cluster requires that all hosts be part of a Windows Server 2012 failover cluster, and that the host processors have the same architecture. All hosts in the cluster must have access to shared storage that meets the requirements for CSV.

• Configure a dedicated network adapter for the private network. When you implement failover clustering, you should configure a private network for the cluster heartbeat traffic. You also use this network to transfer the virtual machine memory during a live migration. To optimize this configuration, use a network adapter with a capacity of one gigabit per second (Gbps) or higher for this network.

Note: You must enable the Client for Microsoft Networks component, and the File and Printer Sharing for Microsoft Networks component, for the network adapter that you want to use for the private network.

• Use similar host hardware. As a best practice, all failover cluster nodes should use the same hardware for connecting to shared storage, and all cluster nodes must have processors that have the same architecture. Whereas you can enable failover for virtual machines on hosts with different processor versions by configuring processor compatibility settings, the failover experience and performance are more consistent if all servers have similar hardware.

• Verify network configuration. All nodes in the failover cluster must connect through the same IP subnet so that the virtual machine can continue communicating through the same IP address after live migration. In addition, the IP addresses that are assigned to the private network on all nodes must be on the same logical subnet. This means that multisite clusters must use a stretched virtual local area network (VLAN), which is a subnet that spans a wide area network (WAN) connection.

• Manage live migrations. In Windows Server 2008 R2, each node in the failover cluster can perform only one live migration at a time. If you try to start a second live migration before the first migration finishes, the migration fails. In Windows Server 2012, you can run multiple live migrations simultaneously.
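The network and host settings these considerations describe can be applied and checked with PowerShell. The script below is an added example written for this page, not part of the course material. It assumes a cluster LON-CLUS1 whose cluster networks are named Cluster (the private network, 192.168.10.0/24), Client and Storage (iSCSI), and a clustered virtual machine role TestClusterVM; it runs on a cluster node as a cluster administrator.

```powershell
# Added example (not from the course). Assumed: cluster LON-CLUS1; cluster networks named
# 'Cluster' (192.168.10.0/24, private), 'Client' and 'Storage' (iSCSI); VM role TestClusterVM.
Import-Module FailoverClusters
$ClusterName = 'LON-CLUS1'
$Nodes       = (Get-ClusterNode -Cluster $ClusterName).Name
$VmName      = 'TestClusterVM'

# 1. Network roles: 1 = cluster use only (heartbeat, CSV redirection, live migration),
#    3 = cluster and client, 0 = not used by the cluster (keeps iSCSI traffic out of it).
(Get-ClusterNetwork -Cluster $ClusterName -Name 'Cluster').Role = 1
(Get-ClusterNetwork -Cluster $ClusterName -Name 'Client').Role  = 3
(Get-ClusterNetwork -Cluster $ClusterName -Name 'Storage').Role = 0
Get-ClusterNetwork -Cluster $ClusterName | Select-Object Name, Address, AddressMask, Role, Metric

# 2. Live migration inside the cluster follows the cluster's network list. Exclude every
#    network except the private one (cluster network IDs separated by ';'), so memory
#    contents never cross the client or storage networks.
$Exclude = (Get-ClusterNetwork -Cluster $ClusterName | Where-Object { $_.Name -ne 'Cluster' }).ID -join ';'
Get-ClusterResourceType -Cluster $ClusterName -Name 'Virtual Machine' |
    Set-ClusterParameter -Name MigrationExcludeNetworks -Value $Exclude
Get-ClusterResourceType -Cluster $ClusterName -Name 'Virtual Machine' |
    Get-ClusterParameter -Name MigrationExcludeNetworks

# 3. Per node: the adapter on the private subnet must have the Client for Microsoft Networks
#    (ms_msclient) and File and Printer Sharing (ms_server) bindings (see the note above), and
#    the number of simultaneous migrations should match what the link can carry.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    $Nic = Get-NetIPAddress -IPAddress '192.168.10.*' -AddressFamily IPv4 | Select-Object -First 1
    Enable-NetAdapterBinding -Name $Nic.InterfaceAlias -ComponentID ms_msclient, ms_server
    Get-NetAdapterBinding -Name $Nic.InterfaceAlias -ComponentID ms_msclient, ms_server |
        Select-Object @{n='Host'; e={ $env:COMPUTERNAME }}, Name, ComponentID, Enabled
    Set-VMHost -MaximumVirtualMachineMigrations 2      # Windows Server 2008 R2 allowed only one
}

# 4. Hosts with different processor versions: hide the newer CPU features from the guest so it
#    can move between them. The VM must be off to change this; a uniform cluster does not need it.
$Owner = (Get-ClusterGroup -Cluster $ClusterName -Name $VmName).OwnerNode.Name
if ((Get-VM -Name $VmName -ComputerName $Owner).State -eq 'Off') {
    Set-VMProcessor -VMName $VmName -ComputerName $Owner -CompatibilityForMigrationEnabled $true
}
Get-VMProcessor -VMName $VmName -ComputerName $Owner |
    Select-Object VMName, CompatibilityForMigrationEnabled
```

Step 2 is the one to verify after every change to the cluster's networks: a network added later (for example a new iSCSI subnet) is not excluded automatically, and the cluster will happily use it for migrations.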


Lesson 3

Implementing Hyper-V Virtual Machine Movement

Moving virtual machines from one location to another is a common procedure in Hyper-V environments. While moving virtual machines in previous Windows Server versions required downtime, Windows Server 2012 introduces new technologies to enable seamless virtual machine movement. In this lesson, you will learn about virtual machine movement and migration options.

Lesson Objectives

After completing this lesson, you will be able to:
• Describe migration options for virtual machines.
• Describe storage migration.
• Describe live migration.
• Explain how Hyper-V replicas work.
• Configure a Hyper-V replica.

Virtual Machine Migration Options


There are several scenarios in which you would want to migrate virtual machines from one location to another. For example, you might want to move a virtual machine's virtual hard disk from one physical drive to another on the same host. Alternatively, you may need to move a virtual machine from one node in a cluster to another, or simply move a computer from one host server to another host server without the hosts being members of a cluster. Compared with Windows Server 2008 R2, Windows Server 2012 provides significant enhancements for this process in addition to simplified procedures.

In Windows Server 2012, you can perform migration of virtual machines by using the following methods:

Virtual machine and storage migration. With this method, you move a powered-on virtual machine from one location to another (or from one host to another) by using a wizard in Hyper-V Manager. Virtual machine and storage migration do not require failover clustering or any other high availability technology. Additionally, you do not need shared storage when you move just the virtual machine.

Quick Migration. This method is also available in Windows Server 2008. It requires you to have failover clustering installed and configured. The quick migration process saves the state of the virtual machine before the failover, and then restarts the virtual machine after failover completes.

Live Migration. This feature is an improvement over Quick Migration, and is also available in Windows Server 2008 R2. The Live Migration feature enables you to migrate a virtual machine from one host to another without downtime. Unlike the quick migration process, Live Migration does not save the state of the virtual machine; instead, it synchronizes the state during failover.

Hyper-V Replica. This new feature in Windows Server 2012 enables you to replicate rather than move a virtual machine to another host, and to synchronize all virtual machine changes from the primary host to the host that contains the replica.


Implementing Failover Clustering with Hyper-V

Exporting and importing virtual machines. This is an established method of moving virtual machines without using a cluster. You export a virtual machine on one host, and then physically move the exported files to another host by performing an import operation. This is a time-consuming operation that requires you to turn off the virtual machines during export and import. In Windows Server 2012, this migration method is improved. You can import a virtual machine to a Hyper-V host without exporting it before import. The Hyper-V role in Windows Server 2012 is now capable of configuring all the necessary settings during the import operation.

How Does Virtual Machine and Storage Migration Work?


There are many cases in which an administrator might want to move virtual machine files to another location. For example, if the disk on which a virtual machine hard disk resides runs out of space, you must move the virtual machine to another drive or volume. Moving virtual machines to other hosts is a common procedure.

In Windows Server 2008 and Windows Server 2008 R2, moving a virtual machine resulted in downtime because the virtual machine had to be turned off. If you moved a virtual machine between two hosts, then you also had to perform export and import operations for that specific virtual machine. Export operations can be time-consuming, depending on the size of the virtual hard disks.

In Windows Server 2012, virtual machine and storage migration enables you to move a virtual machine and its storage to another location on the same host, or to another host computer, without having to turn off the virtual machine. Virtual machine and storage migration works as follows:

1. To copy a virtual hard disk, start live storage migration by using the Hyper-V console. Optionally, you can use Windows PowerShell cmdlets.

2. The migration process creates a new virtual hard disk in the destination location and starts the copy process.

3. During the copy process, the virtual machine is fully functional. However, all changes that occur during the copy process are written to both the source and destination locations. Read operations are performed only from the source location.

4. As soon as the disk copy process completes, Hyper-V switches the virtual machine to run on the destination virtual hard disk. In addition, if you are moving the virtual machine to another host, the computer configuration is copied and the virtual machine is associated with the host. If a failure occurs on the destination side, there is always a failback option to run back again on the source directory.

5. After the virtual machine completes migration, the process deletes the source virtual hard disks.

The time that is required to move a virtual machine depends on the source and destination locations, the speed of the hard disks, storage, or network, and the size of the virtual hard disks. The move process is faster if the source and destination locations are on storage, and the storage supports .odx files. Instead of using buffered read and buffered write operations, the .odx file starts the copy operation with an offload read command and retrieves a token representing the data from the storage device. It then uses an offload write command with the token to request data movement from the source disk to the destination disk.

When you move a virtual machine's virtual hard disks to another location, the Virtual Machine Move wizard presents three available options:

Move all the virtual machine's data to a single location. Specify a single destination location, such as disk file, configuration, snapshot, and smart paging.

Move the virtual machine's data to a different location. Specify individual locations for each virtual machine item.

Move only the virtual machine's virtual hard disk. Move only the virtual hard disk file.

How Does Live Migration Work?


Live migration enables you to move running virtual machines from one failover cluster node to another node in the same cluster. With live migration, users who are connected to the virtual machine should experience almost no server outage.

Note: Whereas you can also perform live migration of virtual machines by using the virtual machine and storage migration method described in the previous topic, you should be aware that live migration is based on failover clustering. Unlike the storage migration scenario, you can only perform live migration if the virtual machines are highly available.

You can initiate live migration through one of the following methods:

The Failover Cluster Manager console.

The Virtual Machine Manager Administrator Console, if you use VMM to manage your physical hosts.

A Windows Management Instrumentation (WMI) or Windows PowerShell script.

Note: Live migration enables you to significantly reduce the perceived outage of a virtual machine during a planned failover. During a planned failover, you start the failover manually. Live migration does not apply during an unplanned failover, such as when the node hosting the virtual machine fails.

Live Migration Process


The live migration process consists of four steps that occur in the background:

1. Migration setup. When you start the failover of the virtual machine, the source node creates a Transmission Control Protocol (TCP) connection with the target physical host. This connection is used to transfer the virtual machine configuration data to the target physical host. Live migration creates a temporary virtual machine on the target physical host, and allocates memory to the destination virtual machine. The migration preparation also verifies that the virtual machine can be migrated.

2. Guest memory transfer. The guest memory is transferred iteratively to the target host while the virtual machine is still running on the source host. Hyper-V on the source physical host monitors the pages in the working set. As the system modifies memory pages, it tracks and marks them as being modified. During this phase of the migration, the migrating virtual machine continues to run. Hyper-V iterates the memory copy process several times, and each time a smaller number of modified pages are copied to the destination physical computer. A final memory copy process copies the remaining modified memory pages to the destination physical host. Copying stops as soon as the number of pages that have been modified in physical memory but not yet rewritten to disk (often called dirty pages) drops below a threshold, or after 10 iterations are complete.

3. State transfer. To actually migrate the virtual machine to the target host, Hyper-V stops the source partition, transfers the state of the virtual machine (including the remaining dirty memory pages) to the target host, and then restores the virtual machine on the target host. The virtual machine pauses during the final state transfer.

4. Clean up. The cleanup stage finishes the migration by dismantling the virtual machine on the source host, terminating the worker threads, and signaling the completion of the migration.
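The storage migration steps and the three wizard options from the previous topic, together with a clustered live migration as described in this topic, driven from Windows PowerShell. This is an added example and not code from the course; the host names LON-HOST1 and LON-HOST2, the virtual machine 20412A-LON-CORE, the paths under D:\ and E:\, the migration subnet 10.10.50.0/24 and the cluster name CLUSTER1 are assumptions.

```powershell
# Added example (not part of the course text). Assumed names: hosts LON-HOST1 and
# LON-HOST2, VM 20412A-LON-CORE, paths under D:\ and E:\, migration subnet
# 10.10.50.0/24 and cluster CLUSTER1. Run as a Hyper-V administrator on LON-HOST1.
Import-Module Hyper-V
Import-Module FailoverClusters

$VMName = '20412A-LON-CORE'

# Host-level migration settings (repeat on each host). Kerberos authenticates the
# channel without the delegated credentials that CredSSP needs, and a dedicated
# subnet keeps guest memory contents off the management network, because the
# migration stream itself is not encrypted in Windows Server 2012. Windows
# Server 2012 also permits more than one simultaneous migration per host.
function Set-LabMigrationSettings {
    Set-VMHost -VirtualMachineMigrationEnabled $true `
               -VirtualMachineMigrationAuthenticationType Kerberos `
               -MaximumVirtualMachineMigrations 2 `
               -MaximumStorageMigrations 2 `
               -UseAnyNetworkForMigration $false
    Add-VMMigrationNetwork -Subnet '10.10.50.0/24'
}

# The three Virtual Machine Move wizard options as Move-VMStorage calls. The VM
# keeps running: Hyper-V writes changes to both copies until the copy completes,
# then switches the VM to the destination and deletes the source files.
function Move-LabVMStorage {
    param([Parameter(Mandatory)][ValidateSet('All', 'Individual', 'VhdOnly')][string]$Option)

    # Source and destination of the VM's only virtual hard disk (assumed paths).
    $vhds = @(@{ SourceFilePath      = 'D:\VMs\LON-CORE\LON-CORE.vhdx'
                 DestinationFilePath = 'E:\VMs\LON-CORE\LON-CORE.vhdx' })

    switch ($Option) {
        # Move all of the virtual machine's data to a single location.
        'All' {
            Move-VMStorage -VMName $VMName -DestinationStoragePath 'E:\VMs\LON-CORE'
        }
        # Move the virtual machine's data to different locations, item by item.
        'Individual' {
            Move-VMStorage -VMName $VMName `
                -VirtualMachinePath  'E:\VMs\LON-CORE\Config' `
                -SnapshotFilePath    'E:\VMs\LON-CORE\Snapshots' `
                -SmartPagingFilePath 'E:\VMs\LON-CORE\SmartPaging' `
                -Vhds $vhds
        }
        # Move only the virtual machine's virtual hard disk.
        'VhdOnly' {
            Move-VMStorage -VMName $VMName -Vhds $vhds
        }
    }
}

# Virtual machine and storage migration to another host: no cluster or shared
# storage is needed, and the VM keeps running during the move.
function Move-LabVMToHost {
    Move-VM -Name $VMName -DestinationHost 'LON-HOST2' `
            -IncludeStorage -DestinationStoragePath 'E:\VMs\LON-CORE'
}

# Live migration of a highly available VM between two nodes of the same cluster
# (the clustered role is assumed to carry the VM's name).
function Move-LabVMLive {
    Move-ClusterVirtualMachineRole -Cluster 'CLUSTER1' -Name $VMName `
                                   -Node 'LON-HOST2' -MigrationType Live
}

# After any move, confirm the VM is running on the expected host and its disks
# are where you expect; the VMMS admin log records the migration for later audit.
function Test-LabVMPlacement {
    param([string]$HostName = 'LON-HOST2')
    $vm = Get-VM -ComputerName $HostName -Name $VMName
    if ($vm.State -ne 'Running') { throw "$VMName is $($vm.State) on $HostName" }
    Get-VHD -ComputerName $HostName -VMId $vm.VMId | Select-Object Path, VhdType, Size
    Get-WinEvent -ComputerName $HostName -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 |
        Where-Object { $_.Message -match 'migrat' } |
        Select-Object TimeCreated, Id, Message
}

Set-LabMigrationSettings
Move-LabVMStorage -Option 'All'
Test-LabVMPlacement -HostName 'LON-HOST1'
```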

How Does Hyper-V Replica Work?


In some cases, you might want to have a spare copy of one virtual machine that you can run if the original virtual machine fails. However, when you implement high availability, you have only one instance of a virtual machine. High availability does not prevent corruption of software that is running inside the virtual machine. One way to address the issue of corruption is to copy the virtual machine. You can also back up the virtual machine and its storage. Although this solution achieves the desired result, it is resource-intensive and time-consuming.

To resolve this problem and to enable administrators to have an up-to-date copy of a single virtual machine, Microsoft has implemented Hyper-V Replica, a feature in Windows Server 2012. This feature enables virtual machines that are running at a primary site location or host to be replicated to a secondary site location or host across a WAN or LAN link. Hyper-V Replica enables you to have two instances of a single virtual machine residing on different hosts: one as the primary (live) copy, and the other as a replica (offline) copy. These copies are synchronized, and you can perform failover at any time. In the event of a failure at a primary site, you can use Hyper-V Replica to execute a failover of the production workloads to replica servers at a secondary location within minutes, thus incurring minimal downtime. The site configurations do not have to use the same server or storage hardware. Hyper-V Replica enables an administrator to restore virtualized workloads to a point in time depending on the Recovery History selections for the virtual machine.

Hyper-V Replica technology consists of several components:

Replication engine: The replication engine manages the replication configuration details and manages initial replication, delta replication, failover, and test-failover operations. It also tracks virtual machine and storage mobility events, and takes appropriate actions as needed. That is, it pauses replication events until migration events complete, and then resumes where they left off.

Change tracking: This component tracks changes that occur on the primary copy of the virtual machine. It is designed to track the changes regardless of where the virtual machine .vhdx files reside.


Network module: The network module provides a secure and efficient way to transfer virtual machine replicas between primary hosts and replica hosts. It uses data compression, which is enabled by default. The transfer operation is secure because it relies on HTTPS and certificate-based authentication.

Hyper-V Replica Broker server role: This is a new server role that is implemented in Windows Server 2012, and you configure it during failover clustering. This server role enables you to have Hyper-V Replica functionality even when the virtual machine being replicated is highly available and can move from one cluster node to another. The Hyper-V Replica Broker server redirects all virtual machine-specific events to the appropriate node in the replica cluster. The Broker queries the cluster database to determine which node should handle which events. This ensures that all events are redirected to the correct node in the cluster in the event that a quick migration, live migration, or storage migration process was executed.

Configuring Hyper-V Replica


Before you implement Hyper-V Replica, ensure that your infrastructure meets the following prerequisites:

The server hardware supports the Hyper-V role on Windows Server 2012. Also, ensure that the server hardware has sufficient capacity to run all of the virtual machines that you replicate to it.

Sufficient storage exists on both the primary and replica servers to host the files that replicated virtual machines use.

Network connectivity exists between the locations that are hosting the primary and replica servers. Connectivity can be through a WAN or LAN link.

Firewall rules are configured correctly to enable replication between the primary and replica sites. By default, traffic uses TCP port 80 or port 443.

If you want to use certificate-based authentication, ensure that an X.509v3 certificate exists to support mutual authentication with certificates.

You do not have to install Hyper-V Replica separately. Hyper-V Replica is implemented as part of the Hyper-V server role. You can use it on Hyper-V servers that are standalone or servers that are part of a failover cluster (in which case, you should configure the Hyper-V Replica Broker server role). Unlike failover clustering, the Hyper-V role is not dependent on AD DS. You can use it with Hyper-V servers that are standalone, or that are members of different Active Directory domains (except in the case when servers are part of a failover cluster).

To enable Hyper-V Replica, first configure the Hyper-V server settings. In the Replication Configuration group of options, enable the Hyper-V server as a replica server, and select the authentication and port options. You should also configure authorization options. You can choose to enable replication from any server that successfully authenticates, which is convenient in scenarios where all servers are part of the same domain. Alternatively, you can type fully qualified domain names (FQDNs) of servers that you accept as replica servers. In addition, you must configure the location for replica files. You should configure these settings on each server that will serve as a replica server.

After you configure options at the server level, enable replication on a virtual machine. During this configuration, you must specify the replica server name and options for the connection. If the virtual machine has more than one virtual hard disk, you can select which virtual hard disk drives you want to replicate. You can also configure the recovery history and the initial replication method. Start the replication process after you configure these options.

Demonstration: Implementing Hyper-V Replica (optional)


In this demonstration, you will learn how to implement Hyper-V Replica.

Demonstration Steps

Configure a replica


1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server.

   o Authentication: Kerberos (HTTP)
   o Allow replication from any authenticated server
   o Create and use folder E:\VMReplica as a default location to store replica files.

2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.

Configure replication
1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine.

   o Authentication: Kerberos (HTTP)
   o Select to have only the latest recovery point available.
   o Start replication immediately.

2. Wait for initial replication to finish and ensure that the 20412A-LON-CORE virtual machine appears in Hyper-V Manager on LON-HOST2.
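The server-level and virtual-machine-level settings described under Configuring Hyper-V Replica, scripted as the demonstration steps above. This is an added example and not the course's code; the hosts LON-HOST1 and LON-HOST2, the virtual machine 20412A-LON-CORE, the folder E:\VMReplica and the firewall rule name come from the demonstration, while the FQDN LON-HOST1.example.com and the trust group name are assumptions.

```powershell
# Added example (not part of the course text): the demonstration steps as a
# script. Hosts LON-HOST1/LON-HOST2, VM 20412A-LON-CORE, E:\VMReplica and the
# firewall rule name come from the demonstration; the FQDN LON-HOST1.example.com
# and the trust group 'LabPrimary' are assumptions.
Import-Module Hyper-V

$VMName      = '20412A-LON-CORE'
$ReplicaRoot = 'E:\VMReplica'

# Configure a replica, steps 1 and 2 (run on LON-HOST1 and on LON-HOST2).
# Kerberos over HTTP (port 80) authenticates the primary but does not encrypt
# the replication traffic, so it suits hosts in one domain on a trusted
# network; across a WAN or between domains use certificate authentication
# over HTTPS (port 443) instead.
function Enable-LabReplicaServer {
    param([switch]$AnyServer)
    if (-not (Test-Path $ReplicaRoot)) {
        New-Item -ItemType Directory -Path $ReplicaRoot | Out-Null
    }
    $common = @{ ReplicationEnabled = $true; AllowedAuthenticationType = 'Kerberos'; KerberosAuthenticationPort = 80 }
    if ($AnyServer) {
        # The demonstration's choice: accept any server that authenticates,
        # storing every replica under the default location.
        Set-VMReplicationServer @common -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation $ReplicaRoot
    } else {
        # Tighter alternative: accept only the listed primary servers, each
        # with its own storage location (authorization entry by FQDN).
        Set-VMReplicationServer @common -ReplicationAllowedFromAnyServer $false
        New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'LON-HOST1.example.com' `
            -ReplicaStorageLocation $ReplicaRoot -TrustGroup 'LabPrimary'
    }
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# Configure replication, step 1 (run on LON-HOST1): Kerberos on port 80, only
# the latest recovery point (RecoveryHistory 0), then start the initial
# replication over the network immediately.
function Enable-LabVMReplication {
    Enable-VMReplication -VMName $VMName -ReplicaServerName 'LON-HOST2' `
        -ReplicaServerPort 80 -AuthenticationType Kerberos -RecoveryHistory 0
    Start-VMInitialReplication -VMName $VMName
}

# Configure replication, step 2: wait for the initial copy, check replication
# health on the primary and confirm the replica VM exists on LON-HOST2 in
# Replica mode (it stays powered off until a failover is performed).
function Wait-LabInitialReplication {
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $rep = Get-VMReplication -VMName $VMName
    } while ($rep.State -ne 'Replicating' -and (Get-Date) -lt $deadline)
    if ($rep.State -ne 'Replicating') { throw "Initial replication not complete: $($rep.State)" }
    if ($rep.Health -ne 'Normal') { Write-Warning "Replication health for $VMName is $($rep.Health)" }
    $replica = Get-VM -ComputerName 'LON-HOST2' -Name $VMName
    if ($replica.ReplicationMode -ne 'Replica') {
        throw "$VMName on LON-HOST2 is in mode $($replica.ReplicationMode), expected Replica"
    }
    Measure-VMReplication -VMName $VMName
}

# Run Enable-LabReplicaServer -AnyServer on both hosts first, then on LON-HOST1:
Enable-LabReplicaServer -AnyServer
Enable-LabVMReplication
Wait-LabInitialReplication
```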


Lesson 4

Managing Hyper-V Virtual Environments by Using VMM

VMM is a member of the System Center 2012 family of products. It is a successor of System Center Virtual Machine Manager 2008 R2. VMM extends management functionality for Hyper-V hosts and virtual machines, and it provides deployment and provisioning for virtual machines and services. In this lesson, you will learn the basics of VMM.

Lesson Objectives


After completing this lesson, you will be able to:

Describe VMM.

Describe the prerequisites for installing VMM.

Describe private cloud infrastructure components.

Describe how to manage hosts and host groups with VMM.

Describe how to deploy virtual machines with VMM.

Describe services and service templates.

Describe physical-to-virtual (P2V) and virtual-to-virtual (V2V) migrations.

Describe considerations for deploying a highly available VMM server.

What Is System Center 2012 - Virtual Machine Manager?


VMM is a management solution for a virtualized data center. VMM enables you to create and deploy virtual machines and services to private clouds by configuring and managing your virtualization host, networking, and storage resources. You can also use VMM to manage VMware ESX and Citrix XenServer hosts. VMM is a component of System Center 2012 that discovers, captures, and aggregates knowledge of the virtualization infrastructure. VMM also manages policies, processes, and best practices by discovering, capturing, and aggregating knowledge of the virtualization infrastructure.

VMM succeeds VMM 2008 R2, and is a key component in enabling private cloud infrastructures, which helps transition enterprise IT from an infrastructure-focused deployment model into a service-oriented, user-centric environment. The VMM architecture consists of several interrelated components. These components are:

Virtual Machine Manager server. The Virtual Machine Manager server is the computer on which the VMM service runs. The Virtual Machine Manager server processes commands and controls communications with the Virtual Machine Manager database, the library server, and the virtual machine hosts. The Virtual Machine Manager server is the hub of a VMM deployment through which all other VMM components interact and communicate. The Virtual Machine Manager server also connects to a Microsoft SQL Server database that stores all VMM configuration information.


Virtual Machine Manager database. VMM uses a SQL Server database to store the information that you view in the VMM management console, such as managed virtual machines, virtual machine hosts, virtual machine libraries, jobs, and other virtual machine-related data.

VMM management console. The management console is a program that you use to connect to a VMM management server, to view and manage physical and virtual resources, including virtual machine hosts, virtual machines, services, and library resources.

Virtual Machine Manager library. A library is a catalog of resources, such as virtual hard disks, templates, and profiles, which are used to deploy virtual machines and services. A library server also hosts shared folders that store file-based resources. The VMM management server is always the default library server, but you can add additional library servers later.

Command shell. Windows PowerShell is the command-line interface that you use to execute cmdlets that perform all available VMM functions. You can use these VMM-specific cmdlets to manage all the actions in a VMM environment.

Self-Service Portal. The Self-Service Portal is a website that users who are assigned to a self-service user role can use to deploy and manage their own virtual machines.

Prerequisites for Installing VMM 2012


Before you deploy VMM and its components, ensure that your system meets the hardware and software requirements. While software requirements do not change based on the number of hosts that VMM manages, hardware prerequisites may vary. In addition, not all VMM components have the same hardware and software requirements.

Note: Windows Server 2008 R2 and Windows Server 2012 are the only supported operating systems for VMM 2012.

Virtual Machine Manager Server

In addition to having Windows Server 2008 R2 or Windows Server 2012 installed, the following software must be installed on the server that will run the Virtual Machine Manager server:

Microsoft .NET Framework 3.5 Service Pack 1 (SP1) or newer

Windows Automated Installation Kit (AIK)

Windows PowerShell 2.0, if the VMM management console will run on the same server

Windows Remote Management 2.0. Note that this is installed by default in Windows Server 2008 R2, so you should just verify that the service is running.

SQL Server 2008 Service Pack 2 (SP2) (Standard or Enterprise) or SQL Server 2008 R2 SP1 Standard, Enterprise, or Datacenter. This is necessary only when you install the VMM management server and SQL Server on the same computer.

Hardware requirements vary depending on the number of hosts, and have the following limits:

CPU: Single core CPU 2 gigahertz (GHz), Dual core CPU 2.8 GHz

Random access memory (RAM): 4-8 gigabytes (GB)

Disk space: 40 GB to 150 GB, depending on whether you install a SQL Server database on the same server. In addition, if the library is on the same server, then disk space will also depend on library content.

Virtual Machine Manager Database

The Virtual Machine Manager database stores all VMM configuration information, which you can access and modify by using the VMM management console. The Virtual Machine Manager database requires SQL Server 2008 SP2 or newer. Because of this, the base hardware requirements for the Virtual Machine Manager database are equal to the minimum system requirements for installing SQL Server. Additionally, if you are managing more than 150 hosts, you should have at least 4 GB of RAM on the database server. Software requirements for the Virtual Machine Manager database are the same as for SQL Server.

Virtual Machine Manager Library

The Virtual Machine Manager library is the server that hosts resources for building virtual machines, services, and private clouds. In smaller environments, you usually install the Virtual Machine Manager library on the VMM management server. If this is the case, the hardware and software requirements are the same as for the VMM management server. In larger and more complex environments, we recommend that you maintain the Virtual Machine Manager library on a separate server in a highly available configuration. If you want to deploy another Virtual Machine Manager library server, the server should meet the following requirements:

Supported operating system: Windows Server 2008 or Windows Server 2008 R2

Hardware management: Windows Remote Management 2.0

CPU: at least 2.8 GHz

RAM: at least 2 GB

Hard disk space: varies based on the number and size of files that are stored

Private Cloud Infrastructure Components in VMM


The key architectural concept in VMM is the private cloud infrastructure. Similar to public cloud solutions, such as in Windows Azure, the private cloud infrastructure in VMM is an abstraction layer that shields the underlying technical complexities and allows you to manage defined resource pools that consist of servers, networking, and storage, in the enterprise infrastructure. By using the VMM management console user interface (UI), you can create a private cloud from Hyper-V, VMware ESX, and Citrix XenServer hosts. You can also benefit from cloud computing attributes, including self-servicing, resource pooling, and elasticity.

You can configure the following resources from the Fabric workspace in the VMM management console:

Servers. In the Servers node, you can configure and manage several types of servers. Host groups contain virtualization hosts, which are the destinations you can use to deploy virtual machines. Library servers are the repositories of building blocks, such as images, .iso files, and templates, for creating virtual machines.

Networking. The Networking node is where you can define logical networks, assign pools of static IPs and media access control (MAC) addresses, and integrate load balancers. Logical networks are user-defined groupings of IP subnets and virtual local area networks (VLANs) that organize and simplify network assignments. Logical networks provide an abstraction of the underlying physical infrastructure, and they enable you to provision and isolate network traffic based on selected criteria such as connectivity properties and service level agreements (SLAs).

Storage. You can discover, classify, and provision remote storage on supported storage arrays. VMM uses the Microsoft Storage Management Service, which is enabled by default during the installation of VMM, to communicate with external arrays.

Managing Hosts, Host Clusters, and Host Groups with VMM


In addition to virtual machine management, VMM can also help you manage and deploy Hyper-V hosts. In VMM, you can use technologies such as Windows Deployment Services (Windows DS) to deploy Hyper-V hosts on bare-metal machines and then manage them with VMM. When hosts are associated with VMM, you can configure several options, such as host reserves, quotas, permissions, and cloud memberships. VMM can also manage Hyper-V failover clusters. VMM provides two new features that help optimize power and resource usage on hosts that are managed by VMM: dynamic optimization and power optimization. Dynamic optimization balances the virtual machine load within a host cluster, while power optimization enables VMM to evacuate balanced cluster hosts, and then turn them off to save power.

The recommended way to organize hosts in VMM is to create host groups. This simplifies management tasks. A host group enables you to apply settings to multiple hosts or host clusters with a single action. By default, there is a single host group in VMM named All Hosts. However, if necessary, you can create additional groups for your environment. Host groups are hierarchical. When you create a new child host group, it inherits the settings from the parent host group. When a child host group moves to a new parent host group, the child host group maintains its original settings except for Performance and Resource Optimization (PRO) settings, which are managed separately. When the settings in a parent host group change, you can apply those changes to child host groups. You use host groups in the following scenarios:

Provide basic organization when you are managing many hosts and virtual machines. You can create custom views within the Hosts view and the Virtual Machines view to provide easy monitoring and access to a host. For example, you might create a host group for each branch office in your organization.

Reserving resources for use by hosts. Host reserves are useful when placing virtual machines on a host. Host reserves determine the CPU, memory, disk space, disk I/O capacity, and network capacity that are continuously available to the host operating system. Use the Host Group properties action for the root host group All Hosts, to set default host reserves for all hosts that VMM manages. If you want to use more of the resources on some hosts instead of on other hosts, you can set host reserves differently for each host group.

Designating hosts on which users can create and operate their own virtual machines. When a VMM administrator adds self-service user roles, one part of role creation is to identify the hosts on which self-service users or groups in that role can create, operate, and manage their own virtual machines. As a best practice, you should designate a specific host group for this purpose.

Deploying Virtual Machines with VMM


One of the advantages of using VMM to manage a virtualized environment is the flexibility that VMM provides to create and deploy new virtual machines quickly. Using VMM, you can manually create a new virtual machine with new configuration settings and a new hard disk. You can then deploy the new virtual machine from one of the following sources:

An existing .vhd or .vhdx file, either blank or preconfigured

A virtual machine template

A Virtual Machine Manager library

You can create new virtual machines either by converting an existing physical computer, or by cloning an existing virtual machine.

Creating a New Virtual Machine from an Existing VHD

You can create a new virtual machine based on either a blank virtual hard disk (VHD) or a preconfigured VHD that contains a guest operating system. VMM provides two blank VHD templates that you can use to create new disks:
- Blank Disk Small
- Blank Disk Large

You can also use a blank VHD when you want to use an operating system with a preboot execution environment (PXE). Alternatively, you can place an .iso image on a virtual DVD-ROM, and then install an operating system from scratch. This is an effective way to build a virtual machine source image, which you can then use as a future template. To install the operating system on such a virtual machine, you can use an .iso image file from the library or from a local disk, map a physical drive from the host computer, or start the guest operating system setup through a network service boot.

If you have a library of VHDs that you want to use in your VMM environment, you can create a virtual machine from an existing VHD. You can also select existing VHDs when you deploy any operating system from which VMM cannot create a template, such as an operating system that is not Windows-based. When you create a new virtual machine using an existing VHD, you are essentially creating a new virtual machine configuration that is associated with the VHD file. VMM will create a copy of the source VHD so that you do not have to move or modify the original.


In this scenario, the source VHD must meet the following requirements:

- Leave the Administrator password blank on the VHD as part of the System Preparation Tool (Sysprep) process.
- Install the Virtual Machine Additions on the virtual machine.
- Use Sysprep to prepare the operating system for duplication.

Note: VMM 2012 will support the .vhdx virtual hard drive format when VMM 2012 SP1 is released.

Deploying from a Template

You can create a new virtual machine based on a template from the Virtual Machine Manager library. The template is a library resource, which links to a virtual hard disk drive that has a generalized operating system, hardware settings, and guest operating system settings. You use the guest operating system settings to configure operating system settings such as the computer name, local administrator password, and domain membership. The deployment process does not modify the template, which you can reuse multiple times. If you are creating virtual machines in the Self-Service Portal, you must use a template. The following requirements apply if you want to deploy a new virtual machine from a template:
- You must install a supported operating system on the VHD.
- You must leave the Administrator password blank on the VHD as part of the Sysprep process. However, you do not have to leave the Administrator password blank for the guest operating system profile.
- For customized templates, you must prepare the operating system on the VHD by removing the computer identity information. For Windows operating systems, you can prepare the VHD by using the Sysprep tool.

Deploying from the Virtual Machine Manager Library

If you deploy a virtual machine from the Virtual Machine Manager library, the virtual machine is removed from the library, and then placed on the selected host. When you use this method, you must provide the following details in the Deploy Virtual Machine wizard:
- The host for deployment. The template that you use provides a list of potential hosts and their ratings.
- The path of the virtual machine files on the host.
- The virtual networks used for the virtual machine. A list of existing virtual networks on the host will display.


What Are Services and Service Templates?


Services are a new concept in VMM. You must understand services fully before you deploy a private cloud infrastructure.

Traditional Services Scenario


Services usually refer to applications or sets of applications that provide services to end users. For example, you can deploy various types of web-based services, but you can also implement a service such as email. In a non-cloud computing scenario, deployment of any type of service usually requires users, developers, and administrators to work together through the phases of creating a service, deploying a service, testing the service, and maintaining the service.

A service frequently includes several computers that must work together to provide a service to end users. For example, a web-based service is usually an application that deploys on a web server, connects to a database server that might be hosted on another computer, and performs authentication on an Active Directory domain controller. Enabling this application requires three roles, and possibly three computers: a web server, a database server, and a domain controller. Deploying a test environment for a service such as this can be time consuming and resource consuming. Ideally, developers work with IT administrators to create an environment where they can deploy and test their web application.

Concept of a Service in a Private Cloud Scenario

With the concept of a private cloud, how you deal with services can change significantly. You can prepare the environment for a service, and then let developers deploy it by using a self-service application such as System Center 2012 - App Controller. In VMM, a service is a set of one or more virtual machines that you deploy and manage together as a single entity. You configure these machines to run together to provide a service. In Windows Server 2008, users could deploy new virtual machines by using the Self-Service Portal. In VMM, end users can deploy new services. By deploying a service, users are actually deploying the entire infrastructure, including the virtual machines, network connections, and applications that are required to make the service work. However, you can also use services to deploy only a single virtual machine without any specific purpose. Instead of deploying virtual machines in the historic way, you can now create a service that will deploy a virtual machine with, for example, Windows Server 2008 R2, and with several roles and features preinstalled and joined to a domain. This simplifies the process of creating and later updating new virtual machines.

Deploying a new service requires a high level of automation and predefined components, and requires management software support. This is why VMM provides service templates. A service template is a template that encapsulates everything that is required to deploy and run a new instance of an application. Just as a private cloud user can create new virtual machines on demand, the user can also use service templates to install and start new applications on demand.

Process for Deploying a New Service


You use the following procedure when you use VMM service templates to deploy a new service or application:
1. The system administrator creates and configures VMM service templates by using the Service Template Designer.
2. The end-user application owner (for example, a developer who has to deploy the application environment) opens App Controller and requests a new service deployment based on the available service templates that the developer can access. The developer can deploy the service to a private cloud where a user has access. As an alternative to App Controller, the user can also use the VMM Manager console.
3. The Virtual Machine Manager server evaluates the submitted request. VMM searches for available resources in the private cloud, then calculates the user quota and verifies that the private cloud has enough resources for the requested service deployment.
4. Whereas the new service is created automatically, the virtual machines and applications (if any) are deployed on the host that is selected by VMM.
5. The user application owner gains control over service virtual machines through App Controller, or by Remote Desktop Protocol (RDP).
6. If you need manual approval for resource creation, you can use Microsoft System Center 2012 Service Manager to create workflows for this purpose.

Information Included in the Service Template

The service template includes information about the virtual machines that are deployed as part of the service, which applications to install on the virtual machines, and the networking configuration needed for the service (including the use of an NLB). The service template can use existing virtual machine templates. While you can define the service without using any existing virtual machine templates, it is easier to build a template if you have already created virtual machine templates. After you create a service template, you configure it for deployment using the Configure Deployment option.

P2V and V2V Migrations


Many organizations have physical servers that they do not use fully. VMM can convert existing physical computers into virtual machines through a process known as P2V conversion. VMM simplifies P2V by providing a task-based wizard to automate much of the conversion process. Because the P2V process supports scripts, you can start large-scale P2V conversions through the Windows PowerShell command line interface. VMM converts an operating system that is running on physical hardware to an operating system that is running in a Hyper-V virtual machine environment. VMM provides a conversion wizard, which automates much of the conversion process.

During a P2V conversion process, VMM generates disk images of the hard disks on the physical computer. It creates VHD files for the new virtual machine using the disk images as a basis. In addition, it creates a hardware configuration for the virtual machine similar to, or the same as, the hardware in the physical computer. The new virtual machine has the same computer identity as the physical computer on which it is based. Because of this, as a best practice you should not use both a physical computer and its virtual replica concurrently. After the P2V conversion completes, you typically disconnect the physical computer from the network and decommission it.


P2V conversion is finished in either online or offline mode. In online mode, the source operating system runs during the conversion process. In offline mode, the operating system does not run and conversion occurs through the Windows Preinstallation Environment (Windows PE). Later topics in this lesson describe these modes in further detail.

In addition to converting underused physical computers, VMM supports the management, migration, and conversion of other virtual machines that were created in the VMware environment. You can convert these virtual machines to Hyper-V virtual machines, place them on Hyper-V hosts, and then manage them under the Virtual Machine Manager Administrator Console. In addition, VMM and Hyper-V support migrating virtual machines from one host to another with minimal or zero downtime.

VMM allows you to convert existing VMware virtual machines to virtual machines running on the Hyper-V platform. This process is known as a V2V conversion. With V2V conversion, administrators can consolidate a virtual environment that is running various virtual platforms without moving data or rebuilding virtual machines from scratch. VMM allows you to copy existing VMware virtual machines and create Hyper-V virtual machines. You can copy VMware virtual machines that are located on ESX server hosts, in Virtual Machine Manager libraries, or on Windows shares. Although V2V is called a conversion, V2V is a read-only operation that does not delete or affect the original source virtual machine. In addition, the term conversion is dedicated only to the process of converting VMware virtual machines. The term migration is used for virtual server machines.

During the conversion process, VMM converts the VMware .vmdk files to .vhd files, and makes the operating system on the virtual machine compatible with Microsoft virtualization technologies. The virtual machine that the wizard creates matches VMware virtual machine properties, including name, description, memory, and disk-to-bus assignments.

Considerations for Deploying a Highly Available Virtual Machine Manager Server

VMM now supports a highly available Virtual Machine Manager server. You can use failover clustering to achieve high availability for VMM because VMM is now a cluster-aware application. However, you should consider several things before you deploy a VMM cluster. Before installing a highly available VMM management server, ensure that:
- You have installed and configured a failover cluster that is running Windows Server 2008 R2, Windows Server 2008 R2 SP1, or Windows Server 2012.
- All computers on which you install the highly available Virtual Machine Manager server meet the minimum hardware requirements, and all prerequisite software is installed on all computers.
- You have created a domain account to be used by the VMM service. You must use a domain user account for a highly available Virtual Machine Manager server.
- You are prepared to use distributed key management to store encryption keys in AD DS. You must use distributed key management for a highly available Virtual Machine Manager server.
- You have a computer with a supported SQL Server version installed and running. Unlike VMM 2008 R2, VMM will not install a SQL Server Express Edition automatically.

Highly Available Databases and Library Servers

To achieve full redundancy, you should use a highly available SQL Server. Install a highly available SQL Server on a separate failover cluster from the failover cluster on which you are installing the highly available Virtual Machine Manager server. Similarly, you should also use a highly available file server for hosting your library shares.

Self Service Portal and Clustered Virtual Machine Manager Server

As a best practice, do not install the Virtual Machine Manager Self-Service Portal on the same computer as the highly available Virtual Machine Manager server. If your Virtual Machine Manager Self-Service Portal currently resides on the same computer as the Virtual Machine Manager server, we recommend that you uninstall the Virtual Machine Manager Self-Service Portal for VMM 2008 R2 SP1 before upgrading to VMM. We also recommend that you install the Virtual Machine Manager Self-Service Portal on a highly available web server to achieve redundancy and NLB.

Failover Cluster Manager

You cannot perform a planned failover (for example, to install a security update or perform maintenance on a cluster node) by using the Virtual Machine Manager Administrator Console. Instead, to perform a planned failover, use the Failover Cluster Manager.

During a planned failover, ensure that there are no tasks actively running on the Virtual Machine Manager server. Any tasks that are executing during a failover will be stopped and will not restart automatically. Any connections to a highly available Virtual Machine Manager server from the Virtual Machine Manager Administrator Console or the Virtual Machine Manager Self-Service Portal will also be lost during a failover. However, the Virtual Machine Manager Administrator Console can reconnect automatically to the highly available Virtual Machine Manager server after a failover if the console was open before you performed the failover.


Lab: Implementing Failover Clustering with Hyper-V


Scenario

The A. Datum Corporation's initial virtual machine deployment on Hyper-V has been successful. As a next step in the deployment, A. Datum is now considering ways to ensure that the services and applications that are deployed on the virtual machines are highly available. As part of the implementation, A. Datum is also considering options for making the virtual machines that run on Hyper-V highly available.

As one of the senior network administrators at A. Datum, you are responsible for integrating Hyper-V with failover clustering to ensure that the virtual machines that are deployed on Hyper-V are highly available. You are responsible for planning the virtual machine and storage configuration, and for implementing the virtual machines as highly available services on the failover cluster. In addition, you are considering some other techniques for virtual machine high availability, such as Hyper-V Replica.

Objectives
- Configure Hyper-V Replica.
- Configure a failover cluster for Hyper-V.
- Configure a highly available virtual machine.

Lab Setup

Estimated time: 75 minutes
Virtual Machine(s): 20412A-LON-DC1-B, 20412A-LON-SVR1-B, 20412A-LON-HOST1, 20412A-LON-HOST2
User Name: Adatum\Administrator
Password: Pa$$w0rd

You should perform this lab with a partner. To perform this lab, you must boot the host computers to Windows Server 2012. Ensure that you and your partner have booted into different hosts (one should boot to 20412A-LON-HOST1 and the other should boot to 20412A-LON-HOST2) and then log on as Adatum\Administrator with the password of Pa$$w0rd. Once you have booted into the Windows Server 2012 environment, perform the following setup tasks:
1. On the host computer, in Server Manager, click Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, start the following virtual machines based upon your host:
   o For LON-HOST1, start 20412A-LON-DC1-B.
   o For LON-HOST2, start 20412A-LON-SVR1-B.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd

Note: For this lab, verify that the classroom is configured so that only LON-HOST1 and LON-HOST2 can communicate. Each pair of host computers must be isolated from the rest of the classroom.

Exercise 1: Configuring Hyper-V Replicas


Scenario

Before you begin cluster deployment, you need to evaluate the new technology in Hyper-V 3.0 for replicating virtual machines between hosts. You want to be able to mount a copy of a virtual machine on another host manually if the active copy (or host) fails. The main tasks for this exercise are as follows:
1. Boot the physical host machines from VHD.
2. Import the LON-CORE virtual machine on LON-HOST1.
3. Configure a replica on both host machines.
4. Configure replication for the LON-CORE virtual machine.
5. Validate a planned failover to the replica site.

Task 1: Boot the physical host machines from VHD


1. Restart the classroom computer, and in the Windows Boot Manager, select either 20412A-LON-HOST1 or 20412A-LON-HOST2.
   Note: If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server as Adatum\Administrator with password Pa$$w0rd.
3. On LON-HOST1, make sure that virtual machine 20412A-LON-DC1 is running.
4. On LON-HOST2, make sure that virtual machine 20412A-LON-SVR1 is running.

Task 2: Import the LON-CORE virtual machine on LON-HOST1

On LON-HOST1, open Hyper-V Manager, and import the 20412A-LON-CORE virtual machine using the following settings:
   o Path: E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE
   o Accept default values

Note: The drive letter may differ based on the number of drives on the physical host machine.

Task 3: Configure a replica on both host machines


1. On LON-HOST1 and LON-HOST2, configure each server to be a Hyper-V Replica server:
   o Authentication: Kerberos (HTTP)
   o Allow replication from any authenticated server
   o Create and use folder E:\VMReplica as a default location to store replica files
2. Enable the firewall rule named Hyper-V Replica HTTP Listener (TCP-In) on both hosts.


Task 4: Configure replication for the LON-CORE virtual machine


1. On LON-HOST1, enable replication for the 20412A-LON-CORE virtual machine:
   o Replica server: LON-HOST2
   o Authentication: Kerberos authentication (HTTP)
   o Configure Recovery History: Only the latest recovery point
   o Start replication immediately
2. Wait for initial replication to finish, and verify that the 20412A-LON-CORE virtual machine displays in the Hyper-V Manager console on LON-HOST2.

Task 5: Validate a planned failover to the replica site


1. On LON-HOST2, view replication health for 20412A-LON-CORE.
2. On LON-HOST1, perform a planned failover to LON-HOST2. Verify that 20412A-LON-CORE is running on LON-HOST2.
3. On LON-HOST1, remove replication for 20412A-LON-CORE.
4. On LON-HOST2, shut down 20412A-LON-CORE.

Results: After completing this exercise, you will have configured a Hyper-V Replica.
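The same exercise expressed as Windows PowerShell (Hyper-V module, Windows Server 2012), added here as an example and not part of the 20412A courseware. Host and VM names are the lab's; the restricted authorization entry in the comments is an addition the lab does not configure.

```powershell
# Added example, not part of the 20412A courseware: Exercise 1 (Tasks 3 to 5) as Windows
# PowerShell using the Hyper-V module on Windows Server 2012. Host and VM names are the lab's.
$VmName        = '20412A-LON-CORE'
$Primary       = 'LON-HOST1'
$Replica       = 'LON-HOST2'
$ReplicaFolder = 'E:\VMReplica'

# Task 3: run on BOTH hosts, so either can act as a Replica server.
# Kerberos over HTTP (TCP 80) authenticates the two hosts through the domain but sends the
# replication stream unencrypted; Certificate (HTTPS) is the setting for untrusted links.
foreach ($node in $Primary, $Replica) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        if (-not (Test-Path $using:ReplicaFolder)) {
            New-Item -ItemType Directory -Path $using:ReplicaFolder | Out-Null
        }
        Set-VMReplicationServer -ReplicationEnabled $true `
            -AllowedAuthenticationType Kerberos `
            -ReplicationAllowedFromAnyServer $true `
            -DefaultStorageLocation $using:ReplicaFolder
        Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
    }
}
# The lab accepts replication from any authenticated server. Outside the lab, the tighter
# form lists the permitted primaries explicitly (an addition to the lab, shown for contrast):
#   Set-VMReplicationServer -ReplicationAllowedFromAnyServer $false
#   New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'LON-HOST1.adatum.com' `
#       -ReplicaStorageLocation 'E:\VMReplica' -TrustGroup 'Adatum'

# Task 4: on the primary, replicate LON-CORE to LON-HOST2, keep only the latest recovery
# point (RecoveryHistory 0), and start the initial replication immediately.
Enable-VMReplication -VMName $VmName -ComputerName $Primary `
    -ReplicaServerName $Replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -RecoveryHistory 0
Start-VMInitialReplication -VMName $VmName -ComputerName $Primary

# Wait until the replica copy exists on LON-HOST2 and initial replication has completed.
do {
    Start-Sleep -Seconds 10
    $rep = Get-VMReplication -VMName $VmName -ComputerName $Replica -ErrorAction SilentlyContinue
} until ($rep -and $rep.State -eq 'Replicating')

# Task 5: health check on the replica side, then a planned failover.
Measure-VMReplication -VMName $VmName -ComputerName $Replica

# A planned failover needs the primary VM switched off; -Prepare ships the final changes.
Stop-VM -Name $VmName -ComputerName $Primary
Start-VMFailover -VMName $VmName -ComputerName $Primary -Prepare -Confirm:$false
# On the replica: complete the failover and start the VM there.
Start-VMFailover -VMName $VmName -ComputerName $Replica -Confirm:$false
Start-VM -Name $VmName -ComputerName $Replica

# Lab clean-up: remove the replication relationship (each host keeps its own record, so
# remove it on both) and shut the VM down on LON-HOST2.
Remove-VMReplication -VMName $VmName -ComputerName $Primary
Remove-VMReplication -VMName $VmName -ComputerName $Replica
Stop-VM -Name $VmName -ComputerName $Replica
```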

Exercise 2: Configuring a Failover Cluster for Hyper-V


Scenario

A. Datum has several virtual machines that are hosting important services that must be highly available. Because these services are not cluster-aware, A. Datum decided to implement failover clustering at the Hyper-V host level. You plan to use iSCSI drives as storage for these virtual machines. The main tasks for this exercise are as follows:
1. Connect to the iSCSI target from both host machines.
2. Configure failover clustering on both host machines.
3. Configure disks for the failover cluster.

Task 1: Connect to the iSCSI target from both host machines


1. On LON-HOST1, start iSCSI initiator.
2. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target.
3. On LON-HOST2, start iSCSI initiator.
4. Use 172.16.0.21 for the address that will be used to discover and connect to the iSCSI target.
5. On LON-HOST2, navigate to Disk Management, and initialize and bring online all iSCSI drives:
   o Format the first drive, and name it ClusterDisk.
   o Format the second drive, and name it ClusterVMs.
   o Format the third drive, and name it Quorum.
6. On LON-HOST1, navigate to Disk Management, and bring online all three iSCSI drives.


Task 2: Configure failover clustering on both host machines


1. On LON-HOST1 and LON-HOST2, install the failover clustering feature.
2. On LON-HOST1, create a failover cluster:
   o Add LON-HOST1 and LON-HOST2
   o Name the cluster VMCluster
   o Assign the 172.16.0.126 address
   o Deselect the option to Add all eligible storage to the cluster

Task 3: Configure disks for the failover cluster


1. On LON-HOST1, in the Failover Cluster Manager, add all three iSCSI disks to the cluster.
2. Verify that all three iSCSI disks appear available for cluster storage.
3. Add the disk named ClusterVMs to Cluster Shared Volumes.
4. From the VMCluster.adatum.com node, select More Actions, and then configure the Cluster Quorum Settings to use typical settings.

Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.
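Exercise 2 as Windows PowerShell on Windows Server 2012 (iSCSI, Storage and FailoverClusters modules), added as an example and not part of the 20412A courseware. Names and addresses are the lab's; the helper that maps a cluster disk resource back to its volume label is an addition, and which LUN receives which label follows disk-number order, as the lab's "first, second, third drive" wording implies.

```powershell
# Added example, not part of the 20412A courseware: Exercise 2 as Windows PowerShell on
# Windows Server 2012 (iSCSI, Storage and FailoverClusters modules), run from LON-HOST1.
# Names and addresses are the lab's; Get-ClusterDiskLabel is an addition.
$Cluster   = 'VMCluster'
$Nodes     = 'LON-HOST1', 'LON-HOST2'
$TargetIP  = '172.16.0.21'
$ClusterIP = '172.16.0.126'
$Labels    = 'ClusterDisk', 'ClusterVMs', 'Quorum'   # first, second, third LUN

# Task 1: connect both hosts to the iSCSI target (persistent, so it survives a reboot).
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $using:TargetIP | Out-Null
    Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
        Connect-IscsiTarget -IsPersistent $true | Out-Null
}

# Initialize and format the three LUNs from ONE node only, as the lab does on LON-HOST2;
# formatting a shared disk from both nodes would destroy it. MBR is used so the cluster's
# DiskSignature parameter can be matched back to a volume label below.
Invoke-Command -ComputerName 'LON-HOST2' -ScriptBlock {
    $raw = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
           Sort-Object Number
    for ($i = 0; $i -lt $raw.Count; $i++) {
        $raw[$i] | Set-Disk -IsOffline $false
        $raw[$i] | Set-Disk -IsReadOnly $false
        $raw[$i] | Initialize-Disk -PartitionStyle MBR -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $using:Labels[$i] -Confirm:$false
    }
}
# On LON-HOST1 only bring the disks online so the cluster can enumerate them.
Invoke-Command -ComputerName 'LON-HOST1' -ScriptBlock {
    Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } | Set-Disk -IsOffline $false
}

# Task 2: install the feature on both nodes, validate, and create the cluster without
# adding storage (the lab deselects "Add all eligible storage to the cluster").
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
}
Test-Cluster -Node $Nodes        # read the validation report before going further
New-Cluster -Name $Cluster -Node $Nodes -StaticAddress $ClusterIP -NoStorage

# Task 3: add the three disks, then find which resource carries which volume label by
# matching the resource's DiskSignature to Get-Disk on the node that currently owns it.
Get-ClusterAvailableDisk -Cluster $Cluster | Add-ClusterDisk

function Get-ClusterDiskLabel {
    param($Resource)    # a Physical Disk cluster resource (MBR-initialized)
    $sig = ($Resource | Get-ClusterParameter -Name DiskSignature).Value
    Invoke-Command -ComputerName $Resource.OwnerNode.Name -ScriptBlock {
        Get-Disk | Where-Object { $_.Signature -eq $using:sig } |
            Get-Partition | Get-Volume |
            Select-Object -First 1 -ExpandProperty FileSystemLabel
    }
}

$byLabel = @{}
Get-ClusterResource -Cluster $Cluster |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
    ForEach-Object { $byLabel[(Get-ClusterDiskLabel $_)] = $_ }

# ClusterVMs becomes a Cluster Shared Volume (C:\ClusterStorage\Volume1 on every node);
# the "typical settings" quorum for two nodes plus a small disk is Node and Disk Majority.
Add-ClusterSharedVolume -Cluster $Cluster -Name $byLabel['ClusterVMs'].Name
Set-ClusterQuorum -Cluster $Cluster -NodeAndDiskMajority $byLabel['Quorum'].Name
Get-ClusterSharedVolume -Cluster $Cluster
```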

Exercise 3: Configuring a Highly Available Virtual Machine


Scenario
After you configure the Hyper-V failover cluster, you want to add virtual machines as highly available resources. Additionally, you want to evaluate live migration and test storage migration. The main tasks for this exercise are as follows:
1. Move virtual machine storage to the iSCSI target.
2. Configure the virtual machine as highly available.
3. Perform live migration for the virtual machine.
4. Perform storage migration for the virtual machine.

Task 1: Move virtual machine storage to the iSCSI target


1. In the Failover Cluster Manager, verify that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, move the ClusterVMs disk to LON-HOST1.
2. On LON-HOST1, open a Windows Explorer window, and browse to E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks.
3. Move 20412A-LON-CORE.vhd to the C:\ClusterStorage\Volume1 location.

Task 2: Configure the virtual machine as highly available


1. On LON-HOST1, in Failover Cluster Manager, click Roles, and then start the New Virtual Machine Wizard.
2. Configure a virtual machine with the following settings:
   o Cluster node: LON-HOST1
   o Computer name: TestClusterVM
   o Store the file at C:\ClusterStorage\Volume1
   o RAM for TestClusterVM: 1536 MB
   o Connect the machine to the existing virtual hard disk drive 20412A-LON-CORE.vhd, which is located at C:\ClusterStorage\Volume1.
3. From the Roles node, start the virtual machine.

Task 3: Perform live migration for the virtual machine


1. On LON-HOST1, in the Failover Cluster Manager, start Live Migration failover of TestClusterVM from LON-HOST1 to LON-HOST2.
2. Connect to TestClusterVM, and ensure that you can operate the virtual machine while it is migrating to another host.

Task 4: Perform storage migration for the virtual machine


1. On LON-HOST2, open Hyper-V Manager.
2. Move 20412A-LON-SVR1-B from its current location to C:\LON-SVR1.
3. Determine whether the machine is operational during the move process.
4. When the migration completes, shut down all running virtual machines.

Results: After completing this exercise, you will have configured a highly available virtual machine.
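Exercise 3 as Windows PowerShell on Windows Server 2012 (Hyper-V and FailoverClusters modules), added as an example and not part of the 20412A courseware. Names, paths and the memory size are the lab's; the loop that reports owner node and VM state during the live migration is an addition.

```powershell
# Added example, not part of the 20412A courseware: Exercise 3 as Windows PowerShell on
# Windows Server 2012 (Hyper-V and FailoverClusters modules), run from LON-HOST1. Names,
# paths and sizes are the lab's; the migration progress loop is an addition.
$Cluster   = 'VMCluster'
$CsvPath   = 'C:\ClusterStorage\Volume1'
$VhdName   = '20412A-LON-CORE.vhd'
$SourceDir = 'E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks'
$VmName    = 'TestClusterVM'

# Task 1: LON-HOST1 must own the ClusterVMs CSV before files are moved onto it. A CSV is a
# cluster-wide namespace, but the owning node coordinates metadata changes such as a move.
$csv = Get-ClusterSharedVolume -Cluster $Cluster |
       Where-Object { $_.SharedVolumeInfo.FriendlyVolumeName -eq $CsvPath }
if ($csv.OwnerNode.Name -ne 'LON-HOST1') {
    Move-ClusterSharedVolume -Cluster $Cluster -Name $csv.Name -Node 'LON-HOST1' | Out-Null
}
Move-Item -Path (Join-Path $SourceDir $VhdName) -Destination $CsvPath

# Task 2: create the VM with its configuration and disk on the CSV, then make it a clustered
# role and bring the role online (the wizard in Failover Cluster Manager does both steps).
New-VM -Name $VmName -ComputerName 'LON-HOST1' -MemoryStartupBytes 1536MB `
       -Path $CsvPath -VHDPath (Join-Path $CsvPath $VhdName) | Out-Null
Add-ClusterVirtualMachineRole -Cluster $Cluster -VMName $VmName | Out-Null
Start-ClusterGroup -Cluster $Cluster -Name $VmName | Out-Null

# Task 3: live migration to LON-HOST2. -Wait 0 returns at once so the loop can show that the
# VM stays Running while its memory is copied and ownership changes.
Move-ClusterVirtualMachineRole -Cluster $Cluster -Name $VmName -Node 'LON-HOST2' `
    -MigrationType Live -Wait 0 | Out-Null
do {
    Start-Sleep -Seconds 2
    $group = Get-ClusterGroup -Cluster $Cluster -Name $VmName
    $vm    = Get-VM -Name $VmName -ComputerName $group.OwnerNode.Name -ErrorAction SilentlyContinue
    '{0}  owner={1}  state={2}' -f (Get-Date -Format 'T'), $group.OwnerNode.Name, $vm.State
} until ($group.OwnerNode.Name -eq 'LON-HOST2' -and $group.State -eq 'Online')

# Task 4: storage migration of the running, non-clustered LON-SVR1 VM on LON-HOST2.
Move-VMStorage -VMName '20412A-LON-SVR1-B' -ComputerName 'LON-HOST2' `
    -DestinationStoragePath 'C:\LON-SVR1'
Get-VM -Name '20412A-LON-SVR1-B' -ComputerName 'LON-HOST2' | Select-Object Name, State, Path

# End of the exercise: shut down every running VM on both hosts.
Get-VM -ComputerName 'LON-HOST1', 'LON-HOST2' |
    Where-Object { $_.State -eq 'Running' } | Stop-VM
```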

To prepare for the next module

1. Restart LON-HOST1.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
3. Log on to the host machine as directed by your instructor.
4. Repeat steps 1-3 on LON-HOST2.


Module Review and Takeaways


Common Issues and Troubleshooting Tips
Common Issue: Virtual machine failover fails after implementing CSV and migrating the shared storage to CSV.
Troubleshooting Tip:

Common Issue: A virtual machine fails over to another node in the host cluster, but loses all network connectivity.
Troubleshooting Tip:

Common Issue: Four hours after restarting a Hyper-V host that is a member of a host cluster, there are still no virtual machines running on the host.
Troubleshooting Tip:

Question: In Windows Server 2008 R2, do you have to implement CSV in order to provide high availability for virtual machines in VMM?

Best Practice

- Develop standard configurations before you implement highly available virtual machines. The host computers should be configured as close to identical as possible. To ensure that you have a consistent Hyper-V platform, configure standard network names, and use consistent naming standards for CSV volumes.
- Implement VMM. VMM provides a management layer on top of Hyper-V and Failover Cluster Manager that can block you from making mistakes when you manage highly available virtual machines. For example, it blocks you from creating virtual machines on storage that is inaccessible from all nodes in the cluster.


Module 7
Implementing Disaster Recovery
Contents:
Module Overview 7-1
Lesson 1: Overview of Disaster Recovery 7-2
Lesson 2: Implementing Windows Server Backup 7-7
Lesson 3: Implementing Server and Data Recovery 7-16
Lab: Implementing Windows Server Backup and Restore 7-20
Module Review and Takeaways 7-25

Module Overview

Organizations are vulnerable to losing some of their data for reasons such as unintentional deletion of critical data, file system corruption, hardware failures, malicious users, and natural disasters. Because of this, organizations must have well-defined and tested recovery strategies that will help them to bring their servers and data back to a healthy and operational state, and in the fastest time possible. In this module, you will learn how to identify security risks for your organization. You will also learn about disaster recovery, and disaster recovery requirements. You will also learn how to plan backup across your organization, and what steps you can take to recover data.

Objectives
After completing this module, you will be able to:
- Describe disaster recovery concepts.
- Implement Windows Server Backup.
- Implement server and data recovery.


Lesson 1

Overview of Disaster Recovery

Disaster recovery is a methodology that describes all the steps that you need to perform once a disaster has occurred, to bring data, services and servers back to an operational state. An effective disaster recovery plan addresses the organization's needs without providing an unnecessary level of coverage. While absolute protection may seem desirable, it is unlikely to be economically feasible. In creating a disaster recovery plan, you need to balance the cost to the organization of a particular disaster, with the cost to the organization of protection from that disaster.

Lesson Objectives


After completing this lesson, you will be able to:
- Identify disaster recovery requirements.
- Describe service level agreements.
- Describe enterprise disaster recovery strategies.
- Describe disaster mitigation strategies.
- Describe best practices for implementing a disaster recovery.

Identifying Disaster Recovery Requirements


Before developing a disaster recovery strategy, organizations must identify their disaster recovery requirements to ensure that they will provide appropriate protection for critical resources. The following is a high-level list of steps that you can use to identify disaster recovery requirements:
1. Define organization critical resources. These resources include data, services, and the servers upon which the data and services run.
2. Identify risks associated with those critical resources. For example, data can be accidentally or intentionally deleted, and a hard drive or storage controller where data is stored might fail. Additionally, services that use critical data might fail due to many reasons such as network problems, and servers might fail because of hardware failures. Major power outages could also cause entire sites to shut down.
3. Identify the time needed to perform the recovery. Based on their business requirements, organizations should decide how much time is acceptable for recovering critical resources. Scenarios may vary from minutes to hours, or even a day.
4. Develop a recovery strategy. Based on the previous steps, organizations will define a service level agreement that will include information such as service levels and service hours. Organizations should develop a disaster recovery strategy that will help them minimize the risks, and at the same time, recover their critical resources within the minimum time acceptable for their business requirements.

Note: Organizations will have differing disaster recovery requirements based on their business requirements and goals. Disaster recovery requirements should not be static, but they should be evaluated and updated on a regular basis, for example once every few months. It is also important that administrators test the disaster recovery strategies on a regular basis. The testing should be performed in an isolated, non-production environment by using a copy of the production data.

What Are Service Level Agreements?


A service level agreement (SLA) is a document that describes the responsibilities of the IT department or IT service provider with respect to a specific set of objectives. In terms of data protection SLAs, these agreements usually specify precisely which parts of the IT infrastructure and data will be protected, and how quickly they will return to service after a failure.

In some organizations, SLAs are formalized, and the performance of the IT department is measured against the objectives that are spelled out in the SLA. These metrics form part of the IT department's performance evaluation, and have a direct influence on items such as budgets and salaries. For managed services or cloud providers, SLAs are critical for billing purposes. In other organizations, SLAs are guidelines and are less formalized. The key to developing an SLA is that it needs to be realistic and achievable, rather than an unachievable standard which may be impossible to reach. Some of the elements of an SLA include:

• Hours of operation. Hours of operation defines how much time the data and services are available to users, and how much planned downtime there will be due to system maintenance.

• Service availability. Service availability is defined as a percentage of time per year that data and services will be available to users. For example, a service availability of 99.9 percent per year means that data and services will have unplanned downtime of not more than 0.1 percent per year, or 8.75 hours per year on a 24 hours a day, seven days a week basis.

• Recovery point objective (RPO). An RPO sets a limit on how much data can be lost due to failure, measured as a unit of time. For example, if an organization sets an RPO of six hours, it would be necessary to take a backup every six hours, or to create a replication copy in different locations at six-hour intervals. In the event of a failure, it would be necessary to go back to the most recent backup, which, in the worst-case scenario, assuming that the failure occurred just before (or during) the next backup, would be six hours ago.

You can configure backup software to take backups every hour, offering a theoretical RPO of 60 minutes. When calculating RPO, it is also important to take into account the time it takes to perform the backup. For example, suppose it takes 15 minutes to perform a backup and you back up every hour. If a failure occurs during the backup process, your best possible RPO will be 1 hour and 15 minutes. A realistic RPO must always balance the desired recovery time with the realities of the network infrastructure. You should not aim for an RPO of 2 hours when a backup itself takes three hours to complete. The RPO also depends on the backup software technology. For example, when you use the snapshot feature in Windows Server Backup, or other backup software that uses Volume Shadow Copy Service (VSS), you are backing up to the point in time when the backup was started.

• Recovery time objective (RTO). An RTO is the amount of time it takes to recover from failure. The RTO will vary depending on the type of failure. The loss of a motherboard on a critical server will have a different RTO than the loss of a disk on a critical server, because one of these components takes significantly longer to replace than the other.

• Retention objectives. Retention is a measure of the length of time you need to store backed-up data. For example, you may need to recover data quickly from up to a month ago, but need to store data in some form for several years. The speed at which you agree to recover data in your SLA will depend on the age of the data, with some data being quickly recoverable and other data needing to be recovered from the archives.

• System performance. Although not directly related to disaster recovery, system performance is also an important component of SLAs, because applications that are included in an SLA should be available, and they should also have acceptable response times to users' requests. If the system performance is slow, then business requirements will not be met.

Note: Each organization's data protection SLA depends on the components that are important to the organization.

Overview of Enterprise Disaster Recovery Strategies


When planning backup for your enterprise, you need to develop strategies for recovering data, services, servers, and sites, and you need to make some provision for offsite backup.

Data Recovery Strategies


Data is the most commonly recovered category in an enterprise environment. This is because it is more likely that users will delete files accidentally than it is for server hardware to fail or for applications to cause data corruption. Therefore, in developing an enterprise disaster recovery strategy, take into account small disasters, such as data deletion, in addition to big disasters, such as server or site failure.

When considering data recovery strategies, backup is not the only technology for data recovery. You can address many file and folder recovery scenarios by implementing Previous Versions functionality on file shares. You can also replicate data to different physical locations, or to a public or private cloud. You could also use Microsoft System Center 2012 - Data Protection Manager.

Service Recovery Strategies

The functionality of the network depends on the availability of certain critical network services. Although well-designed networks build redundancy into core services such as Domain Name System (DNS) and Active Directory Domain Services (AD DS), even those services might have issues, such as when a major fault is replicated and requires a restore from backup. In addition, an enterprise backup solution must ensure that services such as Dynamic Host Configuration Protocol (DHCP) and Active Directory Certificate Services (AD CS), and important resources such as file shares, can be restored in a timely and up-to-date manner.

Full Server Recovery Strategies

Developing a full-server recovery strategy involves determining which servers you need to be able to recover, the RPO for critical servers, and the RTO for critical servers. Suppose that you have a site with two computers functioning as domain controllers. When developing your backup strategy, should you aim to have both servers capable of full server recovery with a 15 minute RPO? Or is it only necessary for one server to be recovered quickly if it fails, given that either server will be able to provide the same network service and ensure business continuity? In developing the full server recovery component of your organization's enterprise backup plan, determine which servers are required to ensure business continuity, and ensure that they are regularly backed up.


Site Recovery Strategies

Most larger organizations have branch office sites. While it might be desirable to back up all the computers at those locations, it may not be economically feasible to do so. Developing a site recovery strategy involves determining which data, services, and servers at a specific site must be recoverable to ensure business continuity.

Offsite Backup Strategies

Many organizations that do not store offsite backups do not recover from a primary site disaster. If your organization's head office site has a fire, or is subject to a once-in-a-100-year flood, a cyclone, or a tornado, it will not matter what backup strategies you have in place if all those backups are stored at the location that was destroyed by the disaster.

A comprehensive enterprise data protection strategy involves moving backed-up data to a safe offsite location so that you can recover it no matter what kind of disaster occurs. This does not need to happen every day. The RPO for recovery at the offsite location, often called the disaster recovery site, is usually different from the RPO at the primary site.

Disaster Mitigation Strategies


No matter how prepared organizations are, they cannot prevent disasters from occurring. Therefore, organizations must also develop mitigation strategies that will minimize the impact of an unexpected loss of data, servers, services, or sites. To prepare mitigation strategies, organizations must create risk assessments that analyze all possible disaster scenarios and how to mitigate each of those scenarios.

The following table lists some of the risks associated with data or service loss, and the appropriate mitigation strategies.

Risk of disaster: The media where a copy of the backup data is located becomes corrupted.
Mitigation strategy: Have at least two copies of your backup data, and validate your backups on a regular basis.

Risk of disaster: An administrator has accidentally deleted an organizational unit (OU) that contains many user and computer objects.
Mitigation strategy: Protect OUs from accidental deletion, especially after migrations.

Risk of disaster: A file server in a branch office where important files are located has failed.
Mitigation strategy: Use Distributed File System Replication (DFS-R) to replicate files from branch offices to central data centers.

Risk of disaster: The virtualization infrastructure where business servers are located is unavailable.
Mitigation strategy: Avoid deploying all critical servers, such as domain controllers, on the same virtual infrastructure.

Risk of disaster: A major outage in a data center has occurred.
Mitigation strategy: Deploy a secondary data center that will contain replicas of the critical servers in your primary data center.

Best Practices for Implementing a Disaster Recovery


When implementing a disaster recovery strategy, organizations should follow these best practices:

• Perform a risk assessment plan first. This will help you identify all of the risks associated with the availability of your organization's data, servers, services, and sites.

• Discuss the risks you evaluated with your business managers, and together decide which resources should be protected with the disaster recovery plan, which resources should be protected with disaster mitigation, and at which level. The higher the requirements for disaster recovery are, the more expensive they are. You also want to have a low-level disaster recovery plan for resources that are protected with disaster mitigation.

• Each organization should have its own disaster recovery plan.

• Document in detail all of the steps that should be performed in a disaster scenario.

• Test your disaster recovery plan on a regular basis in an isolated, non-production environment.

• Evaluate your disaster recovery plan on a regular basis, and update your disaster recovery plan based on your evaluation.


Lesson 2

Implementing Windows Server Backup

To protect critical data, every organization must perform regular backups. Having a well-defined and tested backup strategy ensures that companies can restore data if unexpected failures or data loss occur. This lesson describes the Windows Server Backup feature in Windows Server 2012 and the Microsoft Online Backup Service for Windows Server 2012.

Lesson Objectives


After completing this lesson, you will be able to:

• Describe data and service information that needs to be backed up in a Windows Server environment.
• Describe the backup types.
• Describe backup technologies.
• Describe backup capacity.
• Describe backup security.
• Describe Windows Server Backup.
• Explain how to configure a scheduled backup using Windows Server Backup.
• Describe the Windows Server 2012 online backup solution.
• Describe the considerations for an enterprise backup solution.
• Summarize the features available with System Center 2012 Data Protection Manager.

What Needs to Be Backed Up?


When planning backups across your organization, ensure that you protect resources that are considered mission critical. Consider the following:

• Critical resources
• Backup verification
• Backup security
• Compliance and regulatory requirements

Determining Critical Resources to Back Up

In an ideal scenario, you would back up everything and instantly restore data as it existed at a particular point in time from any point in the last several years. In reality, such a backup strategy would result in an expensive cost of ownership. Therefore, the first step in planning backup across the enterprise is to determine what exactly needs to be backed up. For example, should you back up every domain controller in the domain, given that Active Directory information will be replicated back to a replacement domain controller as soon as it is promoted? Is it necessary to back up every file server and all file shares if every file is replicated to multiple servers through a distributed file system?


You also need to distinguish between technical reasons and regulatory reasons for backing up data. Due to legal requirements, you may need to be able to provide your business with business-critical data for the past ten years or even longer. To determine what to back up, consider the following:

• If the data is only stored in one place, ensure that it is backed up.
• If data is replicated, it may not be necessary to back up each replica. However, you must back up at least one location to ensure that the backup can be restored.
• Is the server or data a mission-critical component?
• If this server or disk failed, or if this data became corrupted, what steps would need to be taken to recover it?

Many organizations ensure the availability of critical services and data through redundancy. For example, Exchange Server 2010 provides continuous replication of mailbox databases to other servers through a technology called Database Availability Groups (DAGs). While DAGs do not mean that an organization should not back up its Exchange Server 2010 Mailbox servers, it does change how an organization should think about backing up its Mailbox servers or centralizing its backup strategies.

Verifying Your Backups

Performing a backup, and ensuring that the backup contains everything that you need, are two different tasks. You need to have a method for verifying that each backup has completed successfully. You also need to know when backups have failed. At a minimum, this will mean checking the logs on each server to determine whether a failure has occurred. If you have configured backups to occur on each server every six hours, how often should you check the logs? A better solution is to employ an alert mechanism, such as the one available in System Center 2012 - Operations Manager, to alert you in the event that a backup fails. The point is to avoid discovering that your backups for a particular server have failed just when you need those backups to perform a recovery.

One way of verifying backups is to perform regular testing of the recovery procedures, in which you simulate a particular failure. This allows you to verify not only the integrity of the data that you are using to perform a recovery, but also that the recovery procedures that you have in place effectively resolve the failure. It is better to discover that you need to add steps to your recovery procedure during a test, rather than during an actual failure.
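The log check and the RPO reasoning from the SLA topic can be combined into one automated test. The following Windows PowerShell script is an added example, not part of the course material: it reads the state that Windows Server Backup keeps through the WindowsServerBackup module (Get-WBSummary, Get-WBJob) and compares it with the RPO; the six-hour RPO, the daily schedule and the event source name "Backup RPO Check" are assumed values.

```powershell
# Added example (not course material): check this server's Windows Server Backup state
# against the RPO agreed in the SLA. Requires the Windows Server Backup feature.
Import-Module WindowsServerBackup -ErrorAction Stop

function Test-BackupAgainstRpo {
    param(
        # RPO from the SLA, in hours (the lesson text uses a six-hour RPO as its example).
        [Parameter(Mandatory)] [double] $RpoHours,
        # Interval between scheduled backups, in hours. Assumed: one backup per day.
        [double] $ScheduleIntervalHours = 24
    )

    $summary = Get-WBSummary           # last result, last success, next run, versions kept
    $lastJob = Get-WBJob -Previous 1   # most recent finished job, with start and end time
    $findings = @()

    # 1. A failed last run leaves the RPO unprotected until the next good one.
    if ($summary.LastBackupResultHR -ne 0) {
        $findings += ('Last backup failed, HRESULT 0x{0:X8}: {1}' -f `
                      $summary.LastBackupResultHR, $summary.DetailedMessage)
    }

    # 2. Everything written after the newest successful backup is what a failure now would lose.
    if (-not $summary.LastSuccessfulBackupTime) {
        $findings += 'No successful backup has ever completed on this server.'
    }
    else {
        $ageHours = ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours
        if ($ageHours -gt $RpoHours) {
            $findings += ('Newest good backup is {0:N1} h old; the RPO is {1} h.' -f $ageHours, $RpoHours)
        }
    }

    # 3. Realistic RPO = schedule interval + time the backup itself takes (the lesson's
    #    hourly backup that needs 15 minutes gives a 1 h 15 min worst case).
    if ($lastJob -and $lastJob.EndTime -gt $lastJob.StartTime) {
        $durationHours  = ($lastJob.EndTime - $lastJob.StartTime).TotalHours
        $worstCaseHours = $ScheduleIntervalHours + $durationHours
        if ($worstCaseHours -gt $RpoHours) {
            $findings += ('Worst-case loss is {0:N2} h ({1} h interval + {2:N2} h backup run), above the {3} h RPO.' -f `
                          $worstCaseHours, $ScheduleIntervalHours, $durationHours, $RpoHours)
        }
        if ($durationHours -gt $ScheduleIntervalHours) {
            $findings += 'Backup run time exceeds the schedule interval, so runs would overlap.'
        }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LastSuccessfulBackup = $summary.LastSuccessfulBackupTime
        NextScheduledBackup  = $summary.NextBackupTime
        VersionsRetained     = $summary.NumberOfVersions
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Run it for the lesson's six-hour RPO with a daily schedule, and write an Application log
# event when out of compliance, so that a monitoring system (System Center Operations
# Manager or any event-log collector) can alert instead of someone reading logs by hand.
$eventSource = 'Backup RPO Check'   # assumed name; registered once, below
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
    New-EventLog -LogName Application -Source $eventSource
}
$result = Test-BackupAgainstRpo -RpoHours 6 -ScheduleIntervalHours 24
if (-not $result.Compliant) {
    Write-EventLog -LogName Application -Source $eventSource -EventId 1001 -EntryType Warning `
                   -Message ($result.Findings -join [Environment]::NewLine)
}
$result
```

Run it from a scheduled task on each backed-up server; the Warning event it writes is the alert the paragraph above calls for, and the Findings list tells you which SLA term is at risk.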

Confirming That Backups Are Secure

By definition, a good set of backups contains all of your organization's critical data. This data needs to be protected from unauthorized access. Although data might be protected by permissions and access controls while it is hosted on servers in a production environment, anyone who has access to the media that hosts that backup data can restore it. For example, some products, such as Windows Server Backup, do not allow administrators to encrypt backup data. This means that physical security is the only way that you can ensure that critical data does not fall into the hands of unauthorized users. When developing an enterprise backup strategy, ensure that backup data is stored in a secure location.

You might also consider using backup software that allows you to split the backup and restore roles so that users who have permissions to back up data do not have permissions to restore that data, and users who have permissions to restore data do not have permissions to back it up.

Ensuring That Compliance and Regulatory Responsibilities Are Met


Systems administrators should be aware of what the organization's regulatory and compliance responsibilities are with respect to the archiving of data. For example, some jurisdictions require that business-relevant email message data be retained for a period of up to seven years. Unfortunately, regulatory requirements vary from country to country, and even from state to state. When developing your organization's data protection strategy, you should schedule a meeting with your organization's legal team to determine precisely which data needs to be stored, and for how long.


Backup Types


In Windows Server 2012, you can perform the following types of backups:

• Full backup. A full backup is a block-level replica of all blocks on all the server's volumes. Rather than copying files and folders to backup media, the underlying blocks are copied across to the backup media.

• Incremental backup. An incremental backup is a copy of only those blocks that have changed since the last full or incremental backup. During an incremental backup, these blocks are copied across to the backup media. When this process completes, the blocks are then marked as backed up. During recovery, the original set of blocks is restored. Then, each set of incremental blocks is applied, bringing the recovered data back to the appropriate state in a consistent manner.

Backup Technologies


Most backup products in use today use the VSS infrastructure that is present in Windows Server 2012. Some older applications, however, use streaming backup. It may be necessary to support such applications in complex heterogeneous environments.

One of the challenges of performing backups is ensuring the consistency of the data that you are backing up. Backups do not occur instantly; they can take seconds, minutes, or hours. Unfortunately, servers are not static, and the state of a server at the beginning of a backup might not be the same state that the server is in when the backup completes. If you do not take consistency into account, this can cause problems during restoration because the configuration of the server may have changed during the backup.

VSS

VSS, a technology that Microsoft included with Windows Server 2003 R2 and which is present in all newer server operating systems, solves the consistency problem at the disk-block level by creating what is known as a shadow copy. A shadow copy is a collection of blocks on a volume that is frozen at a specific point in time. Changes can still be made to the disk, but when a backup occurs, the collection of frozen blocks is backed up, which means that any changes that might have occurred since the freeze are not backed up.

Creating a shadow copy tells the operating system first to put all files, such as DHCP databases and Active Directory database files, in a consistent state for a moment. Then the current state of the file system is recorded at that specific point in time. After VSS creates the shadow copy, all write accesses that would overwrite data store the previous data blocks first. Therefore, a shadow copy is small in the beginning, and it grows over time as data changes. By default, the operating system is configured to reserve 12 percent of the volume for VSS data, and VSS automatically deletes older snapshots when this limit is reached. You can change this default value, and you can change the default location of the VSS data. This ensures that the backup has a snapshot of the system in a consistent state, no matter how long it actually takes to write the backup data to the backup storage device.

Streaming Backup

Streaming backup is often used by older applications that do not use VSS. You back up applications that are not VSS-aware by using a method known as a streaming backup. In contrast to VSS, where the operating system ensures that data is kept in a consistent state and at a current point in time, when you use streaming backup, the application or the data protection application is responsible for ensuring that the data remains in a consistent state. In addition, after a streaming backup completes, some files have the state they had at the beginning of the backup, while other files have the state of the end of the backup window.

Planning Backup Capacity


When you develop an enterprise recovery strategy, you need to determine how much storage capacity your organization will require for backups. The following factors affect the amount of space that is required to store backup data:

• Space requirements for a full backup
• Space requirements for an incremental backup
• Amount of time required to back up
• Backup frequency
• Backup retention

Full Backup Requirements

To calculate the space required for a full backup, determine how much space from all volumes you will need to back up. If the server has a dedicated drive for backups, you would not perform a backup of that drive.

With products that perform image-based backups, such as Windows Server Backup, this data is not compressed. On some types of servers, notably file servers, the amount of space required for a full backup grows over time. You can lessen this tendency by using file expiration policies such as those found in File Server Resource Manager (FSRM).

Incremental Backup Requirements


An incremental backup on Windows Server Backup stores all of the hard disk blocks that have changed since the last full or incremental backup. Incremental backups are substantially faster than full backups and require less space. The downside of incremental backups is that they can require greater recovery time.


Amount of Time Required to Back Up

The amount of time required to write data from the server being backed up to the backup storage device can have an impact on the projected RPO, because it is not recommended to begin a new backup operation prior to the completion of the current one.

Backup Frequency

Backup frequency is a measure of how often backups are taken. With incremental block-level backups, no substantial difference will exist between the amount of data written over the sum of four 30-minute sessions and one 2-hour incremental session on the same server. This is because over the two hours, the same number of blocks will have changed on the server as over the four 30-minute sessions. However, the four 30-minute sessions have broken it up into smaller parts. When backups occur more frequently, they reduce the time required to perform each backup by splitting the work into smaller parts. The overall total will be about the same.

Backup Retention

When attempting to determine the required backup capacity, you should determine precisely how long you need to retain backup data. For example, if you need to be able to recover to any backup point in the last 28 days, and you have recovery points generated every hour, you will need more space than if you have recovery points generated once a day and you only need to restore from the last 14 days.

Planning Backup Security


When planning your backup security, consider the following:

• Backups contain all organizational data. By nature, backups will contain all the data necessary to ensure your organization's continued ability to function in the event of failure. Because this data is likely to contain sensitive information, you should protect it with the same level of diligence as when it is hosted on the server.

• Access to backup media means access to all data. If feasible, use administrative role separation to ensure that the users who back up the data are not the users who can restore it. In high security environments, ensure that backup and restore operations are properly audited so that you can track backup and restore activity.

• Windows Server Backup does not encrypt backups. Windows Server Backup writes backups in VHD format. This means that anyone who has access to Windows 8 or Windows Server 2012 can mount those backups as volumes, and then extract data from them. An even more sophisticated attack might include booting into the backup VHD to impersonate the backed-up system on the organizational network.

• Keep backup media in a secure location. At a minimum, backups should be kept locked up in a secure location. If your organization is backing up to disk drives that are attached to servers by USB cable, ensure that those disk drives are locked in place, even if they are located in a secure server room, and even if your organization's server room has a security camera.
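Because the VHD files are not encrypted, the ACL on the backup location and the audit trail around it are the controls that stand between the media and the data. The following Windows PowerShell script is an added example, not part of the course: it reports Allow entries for broad principals on a backup folder and adds a SACL so that reads, writes and deletes there are recorded in the Security log. It assumes the \\LON-DC1\Backup share from this module's demonstration; the list of principals treated as too broad is an assumption.

```powershell
# Added example (not course material). Assumes the backup folder from this module's
# demonstration, \\LON-DC1\Backup; the "broad principals" list is an assumption.
function Get-BackupTargetExposure {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        # Groups that should never appear in an Allow ACE on backup media. Read access
        # to an unencrypted Windows Server Backup VHD is read access to everything in it.
        [string[]] $BroadPrincipals = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\NETWORK')
    )

    $acl = Get-Acl -Path $BackupPath

    # Any Allow entry for a broad principal is a finding, whatever the right: read
    # exposes the data, write or delete lets someone tamper with or destroy backups.
    $exposed = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value
    })

    # The VHD files are what would be mounted on another machine; count them so the
    # report shows how much backed-up data sits behind this ACL.
    $vhds = @(Get-ChildItem -Path $BackupPath -Recurse -Include *.vhd, *.vhdx -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Path           = $BackupPath
        Owner          = $acl.Owner
        InheritanceOn  = -not $acl.AreAccessRulesProtected
        VhdFileCount   = $vhds.Count
        BroadAllowAces = @($exposed | ForEach-Object {
                             '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
        Exposed        = ($exposed.Count -gt 0)
    }
}

function Enable-BackupFolderAudit {
    # Adds a SACL entry so that reads, writes, deletes and permission changes under the
    # backup folder by any account are logged to the Security log (event 4663). The
    # "File System" audit subcategory must be enabled for entries to be generated:
    #   auditpol /set /subcategory:"File System" /success:enable /failure:enable
    param([Parameter(Mandatory)] [string] $BackupPath)

    $acl  = Get-Acl -Path $BackupPath -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags] 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $BackupPath -AclObject $acl
}

# Report on the demonstration's backup share, then make sure access to it is audited.
# Correcting the ACL itself is left to the administrator: it should allow only SYSTEM,
# the account the scheduled backup runs as, and the administrators group.
$report = Get-BackupTargetExposure -BackupPath '\\LON-DC1\Backup'
$report
if ($report.Exposed) {
    Write-Warning "Broad principals can access $($report.Path); remove those ACEs before the next backup runs."
}
Enable-BackupFolderAudit -BackupPath '\\LON-DC1\Backup'
```

Reading the SACL over the network requires the Manage auditing and security log right (SeSecurityPrivilege) on the file server, which Domain Admins hold by default.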


What Is Windows Server Backup?


The Windows Server Backup feature in Windows Server 2012 consists of a Microsoft Management Console (MMC) snap-in, the wbadmin command, and Windows PowerShell commands. You can use wizards in the Windows Server Backup feature to guide you through running backups and recoveries.

You can use Windows Server Backup 2012 to back up:

• Full server (all volumes).
• Selected volumes.
• Specific items, such as specific folders or the system state.

In addition, Windows Server Backup 2012 allows you to:

• Perform a bare-metal restore. A bare-metal backup contains at least all critical volumes, and allows you to restore without first installing an operating system. You do this by using the product media on a DVD or USB key, and the Windows Recovery Environment (Windows RE). You can use this backup type together with Windows RE to recover from a hard disk failure, or if you have to recover the whole computer image to new hardware.

• Use system state. The backup contains all information needed to roll back a server to a specific point in time. However, you need an operating system installed prior to recovering the system state.

• Recover individual files and folders or volumes. The Individual files and folders option enables you to select and back up and restore specific files, folders, or volumes, or you can add specific files, folders, or volumes to the backup when you use an option such as critical volume or system state.

• Exclude selected files or file types. For example, you can exclude temporary files from the backup.

• Select from more storage locations. You can store backups on remote shares or non-dedicated volumes.

• Use the Microsoft Online Backup Service. The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 that enables files and folders to be backed up and recovered from the public or private cloud to provide off-site backup.

If there are disasters such as hard disk failures, you can perform system recovery by using a full server backup and Windows RE; this will restore your complete system onto the new hard disk.

Demonstration: Configuring a Scheduled Backup

In this demonstration, you will see how to configure Windows Server 2012 to perform a scheduled backup of specific folders, with a filter to exclude specific file types.

Demonstration Steps


1. On LON-SVR1, start Windows Server Backup.

2. Configure the backup schedule with the following options:
   o Backup Configuration: Custom; the C:\HR Data folder is backed up, with the exception of C:\HR Data\Old HR file.txt
   o Backup Time: Once a day, 1:00 AM
   o Destination Type: Back up to a shared network folder
   o Remote Shared Folder: \\LON-DC1\Backup
   o Register Backup Schedule: Username: Administrator; Password: Pa$$w0rd

3. Run the Backup Once Wizard using the scheduled backup options.

4. Close Windows Server Backup.
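The same configuration driven from Windows PowerShell, as an added example that is not part of the course demonstration: it builds the policy with the WindowsServerBackup module cmdlets that ship with the feature, using the folder, exclusion, time and share from the steps above. The credential is requested at run time rather than written into the script.

```powershell
# Added example (not part of the course demonstration): the demonstration's scheduled
# backup built with the WindowsServerBackup cmdlets on LON-SVR1. Folder, exclusion,
# time and share are the demonstration values; the credential is requested at run time.
Import-Module WindowsServerBackup -ErrorAction Stop

function New-HrDataBackupPolicy {
    param(
        [string]   $SourceFolder = 'C:\HR Data',
        [string[]] $ExcludePaths = @('C:\HR Data\Old HR file.txt'),
        [string]   $TargetShare  = '\\LON-DC1\Backup',
        [datetime] $DailyAt      = '01:00',
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $policy = New-WBPolicy

    # Backup Configuration: Custom. One recursive file specification for the folder ...
    Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec $SourceFolder)
    # ... plus an exclusion specification for each item that must not be backed up.
    foreach ($path in $ExcludePaths) {
        Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec $path -Exclude)
    }

    # Destination Type: shared network folder, written with the supplied account.
    $target = New-WBBackupTarget -NetworkPath $TargetShare -Credential $Credential
    Add-WBBackupTarget -Policy $policy -Target $target

    # Backup Time: once a day at 01:00.
    Set-WBSchedule -Policy $policy -Schedule $DailyAt | Out-Null

    # VSS full backup updates each file's backup history; the normal choice when
    # Windows Server Backup is the only product backing up this server.
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup

    return $policy
}

# Register Backup Schedule: the demonstration uses the Administrator account.
$cred   = Get-Credential -Message 'Account that can write to \\LON-DC1\Backup'
$policy = New-HrDataBackupPolicy -Credential $cred

# A server holds one scheduled policy; Set-WBPolicy replaces the one currently registered.
Set-WBPolicy -Policy $policy -Force

# Backup Once Wizard with the scheduled backup options: run the registered policy now.
Start-WBBackup -Policy (Get-WBPolicy)

# Confirm the result, as the console's Messages pane would show it.
Get-WBJob -Previous 1 | Select-Object JobType, JobState, StartTime, EndTime, HResult, ErrorDescription
Get-WBSummary | Select-Object LastBackupTime, LastBackupResultHR, NextBackupTime
```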

What Is Online Backup?


The Microsoft Online Backup Service is a cloud-based backup solution for Windows Server 2012 that is managed by Microsoft. You can use this service to back up files and folders, and to recover them from the public or private cloud to provide off-site protection against data loss caused by disasters. You can use Microsoft Online Backup Service to back up and protect critical data from any location.

Microsoft Online Backup Service is built on the Windows Azure platform, and uses Windows Azure blob storage for storing customer data. Windows Server 2012 uses the downloadable Microsoft Online Backup Service Agent to transfer file and folder data securely to the Microsoft Online Backup Service. After you install the Microsoft Online Backup Service Agent, the agent integrates its functionality through the Windows Server Backup interface.

Key Features
The key features that Windows Server 2012 provides through the Microsoft Online Backup Service include:

• Simple configuration and management. Integration with the Windows Server Backup tool provides a seamless backup and recovery experience to a local disk, or to a cloud platform. Other features include:
  o Simple user interface to configure and monitor backups.
  o Integrated recovery experience to recover files and folders from local disk or from a cloud platform.
  o Easy data recoverability for data that was backed up onto any server of your choice.
  o Scripting capability that is provided by the Windows PowerShell command-line interface.

• Block-level incremental backups. The Microsoft Online Backup Agent performs incremental backups by tracking file and block-level changes, and only transferring the changed blocks, which reduces the storage and bandwidth usage. Different point-in-time versions of the backups use storage efficiently by only storing the changed blocks between these versions.

• Data compression, encryption, and throttling. The Microsoft Online Backup Service Agent ensures that data is compressed and encrypted on the server before it is sent to the Microsoft Online Backup Service on the network. Therefore, the Microsoft Online Backup Service only stores encrypted data in cloud storage. The encryption passphrase is not available to the Microsoft Online Backup Service, and therefore, the data is never decrypted in the cloud. In addition, users can set up throttling and configure how the Microsoft Online Backup Service uses the network bandwidth when backing up or restoring information.

• Data integrity verified in the cloud. In addition to the secure backups, the backed up data is also checked automatically for integrity after the backup completes. Therefore, any corruptions that may arise because of data transfer can be easily identified. These corruptions are fixed automatically in the next backup.

• Configurable retention policies for storing data in the cloud. The Microsoft Online Backup Service accepts and implements retention policies to recycle backups that exceed the desired retention range, thereby meeting business policies and managing backup costs.

Reference Links: You can find out more about Windows Azure at: http://www.windowsazure.com/en-us/home/features/storage/

Considerations for an Enterprise Backup Solution


Windows Server Backup is a single-server backup solution. When planning backup for an enterprise, consider the following points:

• Maximum amount of data lost. What is the theoretical RPO of the product? Products that offer restoration closer to the point of the failure are likely to cost more than products that offer 15 minute or 30 minute RPOs. You need to determine your organization's needs. Does your organization need to be able to recover to the last SQL Server transaction, or is a 15-minute recovery window an acceptable compromise?

• How quick is RTO recovery? How long does it take to go from failure to restored functionality? Being able to restore to the last SQL Server transaction is the optimal solution, but if it takes two days to recover to that point, the solution is not looking as good.

• Does the solution provide centralized backup? Does the product allow you to centralize your backup solution on one server, or must backups be performed directly on each server in the organization?

• Is the solution supported by vendors? Some vendors use undocumented application programming interfaces (APIs) to back up and recover specific products, or to back up files without ensuring that the service is at a consistent state.

• Is the backup solution compatible with your applications? For example, a new update to a product makes the backup solution incompatible. Check with the application vendor to determine whether the enterprise backup solution is supported.

• Recovery point capacity. Determine what the recovery point capacity of the product is. How many restore points does the enterprise data protection solution offer, and is this adequate for your organization's needs?

What Is Data Protection Manager?


DPM is a Microsoft enterprise data protection and recovery product with the following features:

• Backup centralization. DPM uses a client/server architecture, where the client software is installed on all the computers that are to be backed up. Those clients stream backup data to the DPM server. This allows each DPM server to support entire small to medium-sized organizations. You can also manage multiple DPM servers from one centralized DPM console.

• 15-minute RPO. DPM allows 15-minute snapshots of supported products. This includes most of the Microsoft enterprise suite of products, including Windows Server with its roles and services, Exchange Server, Hyper-V, and SQL Server.

• Supports Microsoft workloads. DPM was designed specifically by Microsoft to support Microsoft applications such as Exchange Server, SQL Server, and Hyper-V. However, DPM has not been specifically designed to support non-Microsoft server applications that do not have consistent states on disk, or that do not support VSS.

• Disk-based backup. DPM can perform scheduled backups to disk arrays and storage area networks (SANs). You can also configure DPM to export specific backup data to tape for retention and compliance-related tasks.

• Remote site backup. DPM uses an architecture that allows it to back up clients that are located in remote sites. This means that a DPM server that is located in a head office site can perform backups of servers and clients that are located across wide area network (WAN) links.

• Supports Backup to Cloud strategies. DPM supports backup of DPM servers. This means that a DPM server at a cloud-based hosting facility can be used to back up the contents of a head office DPM server. For disaster redundancy, you can also configure DPM servers to back up each other.

Lesson 3

Implementing Server and Data Recovery

Recovering servers and data requires well-defined and documented procedures that administrators can follow when failures occur. The recovery process also requires knowledge of the backup and restore hardware and software, such as DPM, and tape library devices. This lesson describes how to restore data and servers by using the Windows Server Backup feature in Windows Server 2012, and Microsoft Online Backup Service in Windows Server 2012.

Options for Server Recovery


Windows Server Backup in Windows Server 2012 provides the following recovery options:

• Files and folders. You can back up individual files or folders as long as the backup is on a separate volume or in a remote shared folder.
• Applications and data. You can recover applications and data if the application has a VSS writer, and is registered with Windows Server Backup.
• Volumes. Restoring a volume always restores all the contents of the volume. When you choose to restore a volume, you cannot restore individual files or folders.
• Operating system. You can recover the operating system through Windows RE, the product DVD, or a USB flash drive.
• Full server. You can recover the full server through Windows RE.
• System state. System state creates a point-in-time backup that you can use to restore a server to a previous working state.

The Recovery Wizard in Windows Server Backup provides several options for managing file and folder recovery. They are:

• Recovery Destination. Under Recovery Destination, you can select any one of the following options:
  o Original location. The original location restores the data to the location from which it was backed up originally.
  o Another location. Another location restores the data to a different location.

• Conflict Resolution. Restoring data from a backup frequently conflicts with existing versions of the data. Conflict resolution allows you to determine how to handle those conflicts. When these conflicts occur, you have the following options:
  o Create copies and retain both versions.
  o Overwrite existing version with recovered version.
  o Do not recover items if they already exist in the recovery location.

• Security Settings. Use this option to restore permissions to the data that is being recovered.


Options for Server Restore


You perform server restore by starting the computer from the Windows Server 2012 installation media, selecting the computer repair option, and then selecting the full server restore option. Alternatively, you can use the installation media on a USB flash drive, or use Windows RE. When you perform full server restore, consider the following:

• Bare-metal restore. Bare-metal restore is the process during which you restore an existing server in its entirety to new or replacement hardware. When you perform a bare-metal restore, the restore proceeds and the server restarts. Later, the server becomes operational. In some cases, you may have to reset the computer's Active Directory account, because these accounts can sometimes become desynchronized.

• Same or larger disk drives. The server hardware to which you are restoring must have disk drives that are the same size or larger than the drives of the original host server. If this is not the case, the restore will fail. It is possible, although not advisable, to successfully restore to hosts that have slower processors and less random access memory (RAM).

• Importing to Hyper-V. Because server backup data is written to the VHD format (which is also the format that is used for virtual machine hard disks), if you are careful it is possible to use full server backup data as the basis for creating a virtual machine. Doing this ensures business continuity while sourcing the appropriate replacement hardware.

Options for Data Recovery


Data is the most frequently recovered component of an IT infrastructure. This is due to users accidentally deleting data, and needing you to recover it. There are several strategies that you can pursue when you are developing a data recovery procedure. You can:

• Allow users to recover their own data.
• Perform a recovery to an alternative location.
• Perform a recovery to the original location.
• Perform a full volume recovery.

Users Recover Their Own Data

The most common form of data recovery performed by IT departments is the recovery of files and folders that users have deleted, lost, or in some way corrupted. The Previous Versions of Files functionality that was introduced in Windows Server 2003 (which you can also enable on all computers running Windows Server 2012) lets users recover their own files using the file or folder properties right from their workstation. After end-users are trained how to do this, the IT department spends less time recovering user data, which allows them to focus on more valuable tasks.


From a planning perspective, you should consider increasing the frequency at which snapshots for previous versions of files are generated. This gives users more options when they try to recover their files.

Recover Data to an Alternative Location

A common recovery problem is the unintentional replacement of important data when recovering from backup. This can occur when recovery is performed to a location with live data, instead of to a separate location where the necessary data can be retrieved and the unnecessary data discarded.

When you perform a recovery to an alternative location, always ensure that permissions are also restored. A common problem is administrators recovering data that includes restricted material, to a location where permissions are not applied, thereby enabling unintended access to data for users that should not have it.

Recover Data to the Original Location

During some types of failures, such as data corruption or deletion, you will have to restore data to the original location. This is the case when applications or users who access the data are preconfigured with information about where the data is located.

Recover a Volume

If a disk fails, the quickest way to recover the data could be to perform a volume recovery, instead of a selective recovery of files and folders. When you perform a volume recovery, you must check whether any shared folders are configured for the disks, and whether the quotas and FSRM management policies are still in effect.

Note: You should copy the event logs before you start the restore process. If you overwrite the event log files (for example, with a system recovery), you will not be able to read event log information from before the restore started. That event log data could lead you to information about what caused the issue.

Demonstration: Using Windows Server Backup to Restore a Folder


In this demonstration, you will see how to use the Recovery Wizard to restore a folder.

Demonstration Steps
1. On LON-SVR1, delete the C:\HR Data folder.
2. In Windows Server Backup, run the Recovery Wizard and specify the following information:
   o Getting Started: A backup stored on another location
   o Specify Location type: Remote Shared Folder
   o Specify Remote Folder: \\LON-DC1\Backup
   o Select Backup Date: Default value, Today
   o Select Recovery Type: Default value, Files and Folders
   o Select Items to Recover: LON-SVR1\Local Disk (C:)\HR Data
   o Specify Recovery Options: Another Location (C:)
3. In Windows Explorer, browse to C:\, and ensure that the HR Data folder is restored.
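The Recovery Wizard options from the earlier topic (recovery destination, conflict resolution, security settings) and the restore just demonstrated, as an added PowerShell example that is not part of the course: it recovers C:\HR Data from the latest version on \\LON-DC1\Backup into C:\Restore (an assumed "another location" path) with the WindowsServerBackup cmdlets. The -Option value names (SkipIfExists, CreateCopyIfExists, OverwriteIfExists) are as documented for Start-WBFileRecovery on Windows Server 2012; confirm them with Get-Help Start-WBFileRecovery -Full on the build you are using.

```powershell
# Added example, not from the course: recover C:\HR Data from the backup on
# \\LON-DC1\Backup to another location, as the Recovery Wizard demonstration does.
# Elevated Windows PowerShell session on LON-SVR1.
Import-Module WindowsServerBackup

# Specify Location type / Specify Remote Folder.
$cred   = Get-Credential -Message 'Account with read access to \\LON-DC1\Backup'
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred

# Select Backup Date: enumerate the versions on the target and take the newest one.
$sets = Get-WBBackupSet -BackupTarget $target
if (-not $sets) { throw 'No backup versions found on \\LON-DC1\Backup' }
$latest = $sets | Sort-Object BackupTime -Descending | Select-Object -First 1
"Using the backup of $($latest.MachineName) taken $($latest.BackupTime)"

# Specify Recovery Options.
#   Recovery Destination: another location (C:\Restore is an assumed path). Recovering
#   beside the live data instead of over it is the safeguard the Data Recovery topic
#   recommends; omit -TargetPath to recover to the original location.
#   Conflict Resolution: CreateCopyIfExists keeps both versions if a file is already
#   there; SkipIfExists and OverwriteIfExists are the other two wizard choices.
#   Security Settings: ACLs are restored by default; -NoRestoreAcl would drop them.
$recoveryRoot = 'C:\Restore'
New-Item -ItemType Directory -Path $recoveryRoot -Force | Out-Null
Start-WBFileRecovery -BackupSet $latest -SourcePath 'C:\HR Data' `
    -TargetPath $recoveryRoot -Recursive -Option CreateCopyIfExists

# Verify: count what arrived and show the permissions that came with it. A restore to
# a new location is where restricted data most often ends up readable by everyone.
$count = (Get-ChildItem -Path $recoveryRoot -Recurse -File | Measure-Object).Count
"Recovered $count file(s) under $recoveryRoot"
foreach ($dir in Get-ChildItem -Path $recoveryRoot -Directory) {
    "ACL on $($dir.FullName):"
    (Get-Acl -Path $dir.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

The ACL listing at the end is the check the "Recover Data to an Alternative Location" topic asks for: compare it with the permissions on the original folder before you let anyone use the recovered copy.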


Restoring with an Online Backup Solution


You can use the Microsoft Online Backup Service to back up only Windows Server 2012 servers. However, you do not have to restore data on to the same server from which you backed it up. You can recover files and folders either by using the Microsoft Online Backup MMC in Server Manager, or by using the Windows PowerShell command-line interface. To use the Microsoft Online Backup MMC, perform the following steps:

1. Select the server on which backup data was created originally. This server could be a local server or another server. If you select the option for another server, you must provide your Microsoft Online Backup Service administrator credentials.
2. Browse for files that have to be restored, or you can search for them in the Microsoft Online Backup Service.
3. After you locate the files, select them for recovery, and select a location to where the files will be restored.
4. When restoring files, select one of the following options:
   o Create copies so that you have both the restored file and original file in the same location. The restored file has its name in the following format: Recovery Date+Copy of+Original File Name.
   o Overwrite the existing versions with the recovered version.
   o Do not recover the items that already exist on the recovery destination.

After you complete the restore procedure, the files will be restored on to the Windows Server 2012 server that is located in your site.


Lab: Implementing Windows Server Backup and Restore


Scenario

Much of the data that is stored on the A. Datum Corporations network is extremely valuable to the organization. Losing this data would be a significant loss to the organization. Additionally, many of the servers that are running on the network provide extremely valuable services for the organization, which means that losing these servers for a significant period of time would also result in losses to the organization. Because of the significance of the data and services, it is critical that they can be restored in the event of disaster.

A. Datum is considering backing up critical data to a cloud-based service. A. Datum is also considering this as an option for small branch offices that do not have a full data center infrastructure. As one of the senior network administrators at A. Datum, you are responsible for planning and implementing a disaster recovery solution that will ensure that critical data and services can be recovered in the event of any type of failure. You need to implement a backup and restore process that can recover lost data and services.

Objectives
• Back up data on a Windows Server 2012 server.
• Restore files using Windows Server Backup.
• Implement Microsoft Online Backup and Restore.

Lab Setup
Virtual Machine(s): 20412A-LON-DC1, 20412A-LON-SVR1, MSL-TMG1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1.
6. Repeat step 2 for MSL-TMG1.


Exercise 1: Backing Up Data on a Windows Server 2012 Server


Scenario

The LON-SVR1 server contains financial data that must be backed up on a regular basis. This data is critical to the organization. You decided to use Windows Server Backup to back up critical data. You will install this feature and configure scheduled backups. The main tasks for this exercise are as follows:

1. Install Windows Server Backup.
2. Configure a scheduled backup.
3. Complete an on-demand backup.

Task 1: Install Windows Server Backup


1. Switch to LON-SVR1.
2. From Server Manager, install the Windows Server Backup feature. Accept the default values on the Add Roles and Features Wizard.

Task 2: Configure a scheduled backup


1. On LON-SVR1, start Windows Server Backup.
2. Configure the backup schedule with the following options:
   o Backup Configuration: Full server (recommended)
   o Backup Time: Once a day, 1:00 AM
   o Destination Type: Back up to a shared network folder
   o Remote Shared Folder: \\LON-DC1\Backup
   o Register Backup Schedule: Username: Administrator; Password: Pa$$w0rd

Task 3: Complete an on-demand backup


1. On LON-SVR1, start Windows Server Backup.
2. Run the Backup Once Wizard to back up the C:\Financial Data folder to the remote folder, \\LON-DC1\Backup.

Results: After completing this exercise, you will have configured the Windows Server Backup feature, scheduled a backup task, and completed an on-demand backup.

Exercise 2: Restoring Files Using Windows Server Backup


Scenario

To ensure that the financial data can be restored, you must validate the procedure for restoring the data to an alternate location. The main tasks for this exercise are as follows:

1. Delete a file from the server.
2. Restore a file from backup.


Task 1: Delete a file from the server


On LON-SVR1, open Windows Explorer and then delete the C:\Financial Data folder.

Task 2: Restore a file from backup


1. In the Windows Server Backup MMC, run the Recovery Wizard and specify the following information:
   o Getting Started: A backup stored on another location
   o Specify Location type: Remote Shared Folder
   o Specify Remote Folder: \\LON-DC1\Backup
   o Select Backup Date: Default value, Today
   o Select Recovery Type: Default value, Files and Folders
   o Select Items to Recover: LON-SVR1\Local Disk (C:)\Financial Data
   o Specify Recovery Options: Another Location (C:)
2. Open drive C:\, and ensure that the Financial Data folder is restored.

Results: After completing this exercise, you will have tested and validated the procedure for restoring a file from backup.

Exercise 3: Implementing Microsoft Online Backup and Restore


Scenario

A. Datum has to protect critical data in small branch offices. These offices do not have backup hardware and full data center infrastructures. Therefore, A. Datum has decided to back up the critical data in branch offices to a cloud-based service by using Microsoft Online Backup Service in Windows Server 2012. The main tasks for this exercise are as follows:

1. Install the Microsoft Online Backup Service component.
2. Register the server with Microsoft Online Backup Service.
3. Configure an online backup and start a backup.
4. Restore files using the online backup.
5. Unregister the server from the Microsoft Online Backup Service.

Task 1: Install the Microsoft Online Backup Service component


1. On LON-SVR1, in drive E, locate the installation file of the Microsoft Online Backup Agent, OBSInstaller.exe.
2. Start installing Microsoft Online Backup Agent by double-clicking the installation file OBSInstaller.exe.
3. Complete the setup by specifying the following information:
   o Installation Folder: C:\Program Files
   o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
   o Microsoft Update Opt-In: I don't want to use Microsoft Update
4. Verify the installation and ensure that you receive the following message: Microsoft Online Backup Service Agent installation has completed successfully.


5. Clear the Check for newer updates check box, and then click Finish.
6. On the Start screen, verify the installation by clicking Microsoft Online Backup Service and Microsoft Online Backup Service Shell.

Task 2: Register the server with Microsoft Online Backup Service

Before you register the server, you must rename LON-SVR1 to YOURCITYNAME-YOURNAME. For example: NEWYORK-ALICE. This is because you will perform this exercise online, and therefore the computer names used in this lab should be unique. If there is more than one student in the classroom with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.

1. In the Server Manager window, rename LON-SVR1 as YOURCITYNAME-YOURNAME, and then restart YOURCITYNAME-YOURNAME.
2. Wait until YOURCITYNAME-YOURNAME has restarted, and then log on as Adatum\Administrator with password Pa$$w0rd.
3. In the Microsoft Online Backup Service console, register LON-SVR1 by specifying the following information:
   o Username: holuser@onlinebackupservice.onmicrosoft.com
   o Password: Pa$$w0rd

   Note: In a real-life scenario, you would type the username and password of your Microsoft Online Backup Service subscription account.

   o Enter passphrase: Pa$$w0rdPa$$w0rd
   o Confirm passphrase: Pa$$w0rdPa$$w0rd
4. Verify that you receive the following message: Microsoft Online Backup Service is now available for this server.

Task 3: Configure an online backup and start a backup


1. Switch to the Microsoft Online Backup Service console.
2. Configure an online backup by using the following options:
   o Select Items to back up: C:\Financial Data
   o Specify Backup Time: Saturday, 1:00AM
   o Specify Retention Setting: Default values
3. In the Microsoft Online Backup Service console, click Backup Now.

Task 4: Restore files using the online backup


1. On LON-SVR1, open Windows Explorer and delete C:\Financial Data.
2. Switch to the Microsoft Online Backup Service console.
3. Restore files and folders by using the Recover Data option, and specify the following information:
   o Identify the server on which the backup was originally created: This server
   o Select Recovery Mode: Browse for files
   o Select Volume and Date: C:\ and date and time of the latest backup
   o Select Items to Recover: C:\Financial Data
   o Specify Recovery Options: Original location and Create copies so that you have both versions
4. In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive C.


Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console.
2. Unregister the server from the Microsoft Online Backup Service using the following credentials:
   o Username: holuser@onlinebackupservice.onmicrosoft.com
   o Password: Pa$$w0rd

Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent, registered the server with Microsoft Online Backup Service, configured a scheduled backup, and performed a restore by using Microsoft Online Backup Service.
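Exercise 3 carried out from the Microsoft Online Backup Service Shell instead of the console, together with the bandwidth throttling described under Key Features earlier in the module. This is an added example and not course material; it uses the MSOnlineBackup module that the agent from Task 1 installs. Registration here takes the subscription credential directly, which is how the Windows Server 2012-era agent worked (later Azure Backup agents register with a vault credentials file instead); the working-hours bandwidth values and the 30-day retention are assumptions chosen for the example, not the service defaults.

```powershell
# Added example, not from the course: Exercise 3's online backup configured from the
# Microsoft Online Backup Service Shell (MSOnlineBackup module). Elevated session, with
# the agent from Task 1 already installed.
Import-Module MSOnlineBackup

# Task 2: register the server. The subscription account is prompted for, not embedded.
$subscription = Get-Credential -Message 'Microsoft Online Backup Service subscription account'
Start-OBRegistration -Credential $subscription

# The passphrase encrypts the data before upload and never leaves the server, so losing
# it means losing the backups: read it as a SecureString and record it in a password
# vault. The lab passphrase is 16 characters long, which is the minimum length.
$passphrase = Read-Host -AsSecureString -Prompt 'Encryption passphrase (16 characters or more)'
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# Throttling (Key Features topic): cap upload bandwidth Monday to Friday, 08:00 to 18:00.
# Values are bytes per second and are assumptions made for this example.
Set-OBMachineSetting -WorkDay Monday, Tuesday, Wednesday, Thursday, Friday `
    -StartWorkHour '08:00:00' -EndWorkHour '18:00:00' `
    -WorkHourBandwidth 512KB -NonWorkHourBandwidth 10MB

# Task 3: C:\Financial Data every Saturday at 01:00, with an assumed 30-day retention.
$policy = New-OBPolicy
Add-OBFileSpec -Policy $policy -FileSpec (New-OBFileSpec -FileSpec 'C:\Financial Data')
Set-OBSchedule -Policy $policy -Schedule (New-OBSchedule -DaysOfWeek Saturday -TimesOfDay '01:00')
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy (New-OBRetentionPolicy -RetentionDays 30)
Set-OBPolicy -Policy $policy -Confirm:$false

# "Backup Now", then show the active policy and the most recent job for checking.
Start-OBBackup -Policy (Get-OBPolicy)
Get-OBPolicy
Get-OBJob -Previous 1
```

Stop-OBRegistration is the module's counterpart of Task 5. Because the passphrase is a machine setting that the service never receives, the recovery in Task 4 only works on a server that has it configured; keeping it in a vault is what makes the "another server" restore path described in the previous lesson possible after the original server is gone.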

To prepare for the next module


1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, and MSL-TMG1.


Module Review and Takeaways


Question: You want to create a strategy that covers how to back up different technologies that are used in your organization, such as DHCP, DNS, AD DS, and SQL Server. What should you do?

Question: How frequently should you perform backup on critical data?

Common Issues and Troubleshooting Tips


Common Issue: The server has suffered a major failure on its components.
Troubleshooting Tip:

Real-world Issues and Scenarios

If a failure were to occur, your organization needs information about which data to back up, how frequently to back up different types of data and technologies, where to store backed up data (onsite or in the cloud), and how fast it can restore backed-up data. How would you improve your organization's ability to restore data efficiently when it is necessary?

Answer: Your company should develop backup and restore strategies based on multiple parameters, such as business continuity needs, risk assessment procedures, and resource and critical data identification. You must develop strategies that should be evaluated and tested. These strategies should take into consideration the dynamic changes occurring with new technologies, and changes that occur with the organization's growth.

Best Practice:

• Analyze your important infrastructure resources and mission-critical and business-critical data. Based on that analysis, create a backup strategy that will protect the company's critical infrastructure resources and business data.
• Identify with the organization's business managers the minimum recovery time for business-critical data. Based on that information, create an optimal restore strategy.
• Always test backup and restore procedures regularly. Perform testing in a non-production and isolated environment.

Tools
Tool: Windows Server Backup
Use: Performing on-demand or scheduled backup, and restoring data and servers
Where to find it: Server Manager - Tools

Tool: Microsoft Online Backup Service
Use: Performing on-demand or scheduled backup to the cloud, and restoring data from the backup located in the cloud
Where to find it: Server Manager - Tools


Module 8
Contents:
Module Overview 8-1
Lesson 1: Overview of Distributed AD DS Deployments 8-2
Lesson 2: Deploying a Distributed AD DS Environment 8-9
Lesson 3: Configuring AD DS Trusts 8-18
Lab: Implementing Complex AD DS Deployments 8-23
Module Review and Takeaways 8-27

Implementing Distributed Active Directory Domain Services Deployments

Module Overview

For most organizations, the Active Directory Domain Services (AD DS) deployment may be the single most important component in the IT infrastructure. When organizations deploy AD DS or any of the other Active Directory-linked services within the Windows Server 2012 operating system, they are deploying a central authentication and authorization service that provides Single Sign On (SSO) access to many other network services in the organization. AD DS provides the primary security mechanism for authentication and authorization within most organizations, and enables policy-based management for user and computer accounts. With other AD DS services, you can extend some of this functionality to users who are external to the organization. This module will describe the key components of a complex AD DS environment, and how to install and configure a highly complex AD DS deployment.

Objectives
After completing this module, you will be able to:

• Describe the components of distributed AD DS deployments.
• Explain how to deploy a distributed AD DS deployment.
• Explain how to configure AD DS trusts.
• Explain how to implement complex AD DS deployments.


Lesson 1

Overview of Distributed AD DS Deployments

Before starting to configure a complex AD DS deployment, it is important to know the components that comprise the AD DS structure, and how they interact with each other to help provide a scalable and more secure IT environment. The lesson starts by examining the various components of an AD DS environment, in particular, domains, trees and forests.

Lesson Objectives


After completing this lesson, you will be able to:

• Describe the components of an AD DS environment.
• Explain how AD DS domains and forests form boundaries for security and administration.
• Explain reasons for having more than one domain in an AD DS environment.
• Explain reasons for having more than one forest in an AD DS environment.
• Explain the importance of Domain Name System (DNS) in a complex AD DS structure.
• Outline the options for upgrade and coexistence with previous AD DS versions.

Discussion: Overview of AD DS Components

An AD DS environment has various components, and it is important for you to understand the purpose of each component, and how they interact with each other. Some of the AD DS environment components are domains, trees, and forests. There is one global catalog in each forest, and there are trust relationships. It is also important to understand the purpose and benefit of these components.

Question: What is an AD DS domain?
Question: What is an AD DS domain tree?
Question: What is an AD DS forest?
Question: What are trust relationships?
Question: What is a global catalog?


Overview of Domain and Forest Boundaries in an AD DS Structure

As already discussed, domains and forests provide boundaries within the AD DS namespace. An understanding of the different types of boundaries is essential to managing a complex AD DS environment.

Boundaries and Limits in AD DS Domains and Forests

The AD DS domain forms boundaries and limits for several items:

• All AD DS objects that exist in a single domain are stored in the AD DS database on each domain controller in the domain. The replication process ensures that all originating updates are replicated to all of the other domain controllers in the same domain. In large organizations where there are a large number of changes, the replication traffic can have a noticeable effect on network bandwidth between the domain controllers. This is one of many factors that you must consider when designing an AD DS domain structure.
• The management of access to resources is usually straightforward within a single AD DS domain. Although you can grant users access to resources throughout the AD DS forest, it is simpler to manage permissions within the AD DS domain boundary. This way, the administrators for the domain have the permission to do this in their own AD DS domain.
• Auditing is centrally managed by using GPOs. The maximum scope of these settings is at the AD DS domain level. It is possible to have the same audit settings in different AD DS domains, but then they must be managed separately in each domain.
• Group Policies can be linked at the following levels: local, site, domain, and organizational unit (OU). Apart from site-level Group Policies, the scope of Group Policies is the AD DS domain; there is no inheritance of Group Policies from one AD DS domain to another, even if one AD DS domain is lower than another in the DNS namespace.
• The DNS services work best to support an AD DS environment when it is Active Directory-integrated. This means that instead of the DNS records being stored locally on each DNS server in text files, they are stored and replicated in the AD DS database. Because it is the database for the AD DS domain, it becomes the limit of replication of those records. The administrator can then decide whether to replicate the DNS information to all domain controllers in the domain (regardless of whether they are DNS servers), to all domain controllers that are DNS servers in the domain, or to all domain controllers that are DNS servers in the forest. For the last two options, separate replication partitions (domainDnsZones and forestDnsZones) exist. Alternatively, it is possible to create a custom partition where the administrator has to select manually which domain controllers participate in its replication, but this method is not often used.

The AD DS forest acts as a boundary for certain replication and management areas:

• The schema partition contains the rules and syntax for the AD DS database. This is replicated to all the domain controllers in the AD DS forest. Because the schema may have to be modified to support certain applications that are integrated with the AD DS database, there will have to be careful control over the schema modifications that are allowed, particularly to make sure that none of the updates adversely affect the operation of other applications or the AD DS database itself.
• The configuration partition contains the details of the AD DS domain layout, including: domains, domain controllers, replication partners, site and subnet information, and Dynamic Host Configuration Protocol (DHCP) authorization or the configuration of Dynamic Access Control. The configuration partition also contains information about applications that are integrated with the AD DS database. An example of one of these applications is Exchange Server 2010.

• The global catalog is the read-only list containing every object in the entire AD DS forest. To keep it to a manageable size, the global catalog contains only some attributes for each object, but it can still grow very large depending on the extent of the organization. The size of the global catalog and the number of ongoing changes to it are important factors in the allocation of which AD DS domain controllers will hold a copy of the global catalog. In addition, network bandwidth is also an important factor to take into account.

• In an AD DS forest with multiple AD DS domains, there is a DNS zone with forest-wide replication. This enables clients to locate records for AD DS domain controllers in other AD DS domains. There will be some DNS records that must be available to clients in every domain, for example, domain controllers that store a copy of the global catalog. When AD DS domain controllers start up, they register several service (SRV) resource records in the DNS database. Some of these records must be replicated to every DNS server in the AD DS forest, not just restricted to the AD DS domain, which would be the case if they were added to a regular Active Directory-integrated DNS zone. For this reason, a special forest-level DNS zone named forestDnsZones is created, and the replication of this is to all DNS servers in the AD DS forest, rather than to every DNS server or AD DS domain controller in the domain.

Why Implement Multiple Domains?

Many organizations can function adequately with a single AD DS domain. However, some entities require multiple domains for several reasons:

• The organization is decentralized and cannot support the numbers of users by using a centralized AD DS model: In this case, AD DS replication over network links may put an undue strain on the network connections. For this reason, it might be better to install a separate AD DS domain for the remote location. In practice, you would not do this unless there were a large number of accounts that needed to access the AD DS domain controllers.
• It may be necessary to divide a large AD DS database into more manageable sections. By doing so, you can also reduce the impact of AD DS replication traffic on the network.
• There is a requirement for different DNS namespaces: Sometimes there is a requirement to have more than one DNS namespace in an AD DS forest. This is typically the case when one company acquires another company, or merges with another organization, and there is a need to preserve the domain names from the existing environment.
• Security: There may exist security or political requirements to have different parts of the AD DS database in different domains. If a company is setting up a facility in a foreign country and there are political or legal reasons why the new organization has to have a very distinct security base, they may need to implement separate AD DS domains.
• Dedicated root domain: It is best practice to separate the AD DS forest root domain from the day-to-day AD DS server usage. This model is sometimes referred to as an empty root domain or a dedicated root domain. Other variants are the peer-root domain, and the designated domain. The AD DS forest root domain has two groups (the Schema Admins group and the Enterprise Admins group) that do not exist in any other domain in the AD DS forest. Because these groups have far-reaching rights in the AD DS forest, you may want to restrict the use of these groups by only using the AD DS forest root domain to store them. In early implementations of Active Directory, this model was often referred to as the empty root domain model.
• Compliance: It may be desirable to have all active domains at the same level in the namespace, so that your organization can utilize the empty root domain model. In certain organizations, it may be unacceptable to have different divisions in the same AD DS domain. The reason for this is that the Domain Admins in any AD DS domain have full control over every object in the domain, and this may violate certain corporate security policies. For example, different departments within an organization may be required for legal compliance reasons to not be in the same AD DS domain. In that case, there is the need to at least create a separate AD DS domain for each department, if not a separate AD DS forest.
• Resource domains: For companies that have made the decision to utilize multiple domains, it might be more appropriate to provide separate resource domains for resources shared across the other domains.


Why Implement Multiple Forests?

Organizations may sometimes require that their AD DS design comprises more than one forest. There are several reasons why one AD DS forest may not be sufficient:

• Security: If your organization requires isolated security, then you should implement a separate AD DS forest. The AD DS forest root domain has the Schema Admins and Enterprise Admins groups, which can affect all the domains in the AD DS forest. Separate AD DS forests are often deployed by government defense contractors and other organizations where the isolation of security is a requirement.
• Schema modifications: Within your enterprise, there may be organizational groups that need separate control of their Active Directory schema. Because the schema is shared between the domains, multiple entities within a common forest must agree to those changes, which might take a large amount of time, or not be possible. Therefore, you may need to deploy different forests for those groups.
• Security boundaries: If two or more independent organizations want to share resources, but are not in a position where they are prepared to trust the domain administrators of the partner organizations, then separate forests are needed. Having an AD DS structure with multiple forests provides security boundaries. Although domains in different forests can share resources, they rely on manually implemented trust relationships and additional administration. Each forest maintains its own isolated security databases and rules.
• Politics: Some countries have strict controls over the ownership of enterprises within the country. Having a separate AD DS forest may provide the administrative isolation to meet that need.


Note: The global catalog is available only within a single forest, so when there is resource sharing between more than one forest, there will be directory lookups in two or more global catalogs.

Best Practice: As a best practice, choose the simplest design that achieves the required goal, as it will be less costly to implement and more straightforward to administer.

DNS Requirements for Complex AD DS Environments

For an AD DS domain to function, it requires DNS. There are many operations that rely on DNS lookups in order to take place. Name resolution is one of the original uses for Domain Name System. With name resolution, clients can connect to service points by using the DNS name, which resolves to an IP address. However, because so many operations involve connecting to an AD DS domain controller that offers a particular service, AD DS also requires service (SRV) resource records. If a user wants to log on to their AD DS user account, then their system uses DNS lookups to find SRV records for a domain controller that is running the Kerberos service. When AD DS domain controllers need to communicate with each other, they use SRV records in DNS. If the AD DS forest contains more than one domain, then it is important to ensure that DNS lookups are successful for resources that are in a different domain from the DNS resolver (the client performing the DNS lookup). There are several important configuration areas that you need to address when deploying a DNS structure to support a complex AD DS environment:

• DNS client configuration: Configure all computers in the AD DS domain with at least two addresses of functional DNS servers. All computers must have good network connectivity with DNS servers. Servers will usually be configured statically, thus you should monitor their network configuration and reconfigure as necessary to meet any changes in the infrastructure.
• IP Address Management (IPAM) monitoring: A recommended option is to use IPAM to monitor the IP addressing, and the correct functioning and availability of DNS and DHCP servers in the AD DS forest. IPAM is new in Windows Server 2012, and it allows the central monitoring, reporting, and administration of decentralized DHCP and DNS services. When you are installing IPAM, you cannot install it on a domain controller, only on a domain member server.
• Event escalation options: If you have a monitoring solution such as Microsoft System Center 2012 Operations Manager, ensure that the events raised by IPAM are escalated in your global monitoring solution. IPAM will not provide the same escalation options as a monitoring infrastructure (for example, notifications).
• Verification: Verify that all of your computers, including domain controllers, are able to perform successful DNS lookups for key resources. Apart from routine name resolution for host-to-IP resolutions, all computers must be able to locate the SRV records for domain controllers in the AD DS domain and the AD DS forest.

Some of the ways to enable successful DNS lookups within a multi-domain AD DS environment are:

CL1, the DNS resolver in the adatum.com DNS domain, can perform successful queries for DNS records in the DNS domain adatum.com by contacting DNS 1. This is because DNS 1 stores the zone file for the adatum.com DNS domain. If DNS 1 receives a DNS query for a node outside of the local DNS domain, and if DNS 1 does not have the answer already cached in memory, it will by default contact a DNS server from the Internet root DNS domain by using the root level hints configured by default on the DNS server.

In order to speed up this process, you can configure DNS 1 to forward any queries that it cannot resolve by itself to one or more specific DNS servers. In this case, it could forward any query that it cannot resolve by itself to the DNS server for the Internet Service Provider (ISP). DNS 1 will utilize the fact that DNS-ISP will have cached a large number of DNS lookup replies and can answer (non-authoritatively) out of memory. In a multi-domain setting, you can configure DNS servers that receive DNS queries that they are unable to resolve themselves to forward these queries to other DNS servers in the network. By using forwarding, DNS servers can forward all their Internet DNS queries through a central DNS server, which streamlines the process and speeds up the resolution time. This can greatly reduce the DNS resolution traffic through the firewall.


If there are one or more separate DNS namespaces within your organization that can only be resolved by internal corporate DNS servers, you can facilitate this process by configuring conditional forwarders. The slide shows a separate DNS namespace for fabrikam.net, with its own DNS server, DNS 4. DNS 1 can be configured with a conditional forwarder so that queries for records in the fabrikam.net DNS namespace are directed to DNS 4, and all other queries are still forwarded to the ISP-DNS server. When there is a DNS domain that is lower in the DNS namespace (for instance the atl.adatum.com domain), you must configure the DNS servers for the parent DNS domain to enable DNS resolution for DNS records in the child domain. By default, DNS 1 has no knowledge of DNS 2. A delegated domain record in DNS creates a special subdomain in the adatum.com DNS domain that lists one or more DNS servers that store DNS records for the atl.adatum.com DNS domain. In this case, it will enable DNS 1 to pass DNS queries for atl.adatum.com to DNS 2.

Another option to allow DNS resolution in a disjointed DNS domain environment is to use a secondary zone. In this example, DNS 1 will store a complete read-only copy of all the records in the unix.net DNS zone. Because the records in the unix.net zone are updated regularly, the secondary zone will contain an up-to-date copy of all of the records in the unix.net DNS zone. In a large organization, this may involve a large amount of replication traffic, and if that traffic has a detrimental effect on network connections, then it may not be the optimum solution. Note that in this scenario, there will be virtually no DNS lookup traffic over the network to DNS 3, but there will be regular zone transfer traffic.

The stub zone is another option for this case. The stub zone is a special type of secondary zone that only stores read-only records for the DNS servers in the remote DNS domain. However, like a standard secondary zone, the records are updated on a regular basis. The stub zone contains only the DNS records for the DNS server names and their IP addresses. This solution will often be the preferred option, because although there will be DNS lookup traffic over the network link, the stub zone update traffic will be low.

Note: Forwarders, conditional forwarders, and delegation are set up by an administrator, and point to IP addresses of one or more DNS servers. These are entered manually, but the DNS servers to which they refer may change, and these changes will not update the DNS records automatically. If you decide to use delegation, forwarding, or conditional forwarding, then there will need to be a system for regularly checking that the IP addresses entered for those server referrals are still valid. This would not be necessary if you use stub zones as the solution, because they are regularly updated with fresh information.
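The forwarder, conditional forwarder, delegation and stub zone configurations described above, together with the referral check from the Note and the SRV lookup check from the Verification bullet, as an added PowerShell example that is not part of the course. It uses the Windows Server 2012 DnsServer cmdlets, assumes it runs on DNS 1 (adatum.com), and every IP address and server name in it is a constructed placeholder.

```powershell
# Added example (not course material). Run on DNS 1, the adatum.com DNS server, with the
# DnsServer module from the DNS Server Tools. All addresses below are constructed placeholders.
Import-Module DnsServer

$IspDns = '203.0.113.53'   # placeholder: ISP resolver (forwarder for everything else)
$Dns4   = '10.2.0.4'       # placeholder: DNS 4, authoritative for fabrikam.net
$Dns2   = '10.1.0.2'       # placeholder: DNS 2, authoritative for atl.adatum.com
$Dns3   = '10.3.0.3'       # placeholder: DNS 3, authoritative for unix.net

# 1. Forwarder: queries DNS 1 cannot answer itself go to the ISP resolver instead of the root hints.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# 2. Conditional forwarder: only fabrikam.net is sent to DNS 4; everything else still goes to the ISP.
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.net' -MasterServers $Dns4 -ReplicationScope 'Forest'

# 3. Delegation: record in the adatum.com zone which server holds the atl.adatum.com child zone.
Add-DnsServerZoneDelegation -Name 'adatum.com' -ChildZoneName 'atl' `
    -NameServer 'dns2.atl.adatum.com' -IPAddress $Dns2

# 4. Stub zone: keep only the NS/SOA/glue records for unix.net, refreshed from DNS 3 on the zone's schedule.
Add-DnsServerStubZone -Name 'unix.net' -MasterServers $Dns3 -ReplicationScope 'Forest'

# Referral check (see the Note above): forwarders, conditional forwarders and delegations are static
# addresses, so verify that each target still answers for the name it is supposed to serve.
function Test-DnsReferral {
    param([string]$Name, [string]$Server, [string]$Type = 'SOA')
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type $Type -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Server = $Server; Type = $Type; Healthy = ($answer.Count -gt 0) }
    } catch {
        [pscustomobject]@{ Name = $Name; Server = $Server; Type = $Type; Healthy = $false }
    }
}

$results = @()

# Conditional forwarders appear as zones of type 'Forwarder' and expose their MasterServers.
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } | ForEach-Object {
    foreach ($ip in $_.MasterServers) { $results += Test-DnsReferral -Name $_.ZoneName -Server $ip }
}

# Delegations of adatum.com: each listed name server must still serve the child zone's SOA.
Get-DnsServerZoneDelegation -Name 'adatum.com' | ForEach-Object {
    foreach ($ip in $_.IPAddress.RecordData.IPv4Address) {
        $results += Test-DnsReferral -Name $_.ChildZoneName -Server $ip
    }
}

# Plain forwarders: the ISP resolver should still answer a recursive query for a public name (placeholder).
foreach ($ip in (Get-DnsServerForwarder).IPAddress) {
    $results += Test-DnsReferral -Name 'www.microsoft.com' -Server $ip -Type 'A'
}

# SRV records (Verification bullet): clients must be able to find the domain's DCs and the forest's GCs.
foreach ($srv in '_ldap._tcp.dc._msdcs.adatum.com', '_gc._tcp.adatum.com') {
    $results += Test-DnsReferral -Name $srv -Server '127.0.0.1' -Type 'SRV'
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Warning "Stale or failing referral: $($_.Type) $($_.Name) via $($_.Server)"
}
```

Schedule the check section as a recurring task so that a referral target that has been re-addressed is reported before clients start failing name resolution.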


Options for Upgrading and Coexistence with Previous AD DS Versions

If your current AD DS environment is running on Windows Server 2003 or Windows Server 2008 level AD DS domain controllers, you may want to consider upgrading to Windows Server 2012. AD DS has new features that are available only in AD DS domains running at Windows Server 2012 level. If you decide to upgrade your existing AD DS domain controllers, you can upgrade them in place if they are running Windows Server 2008 or Windows Server 2008 R2. However, you cannot upgrade previous versions in place. There are three options for upgrading your Active Directory domain controllers:

1. Upgrading the existing AD DS domain controllers to Windows Server 2012. This option involves performing an in-place upgrade. The existing AD DS domain controllers will be upgraded directly to Windows Server 2012. If the AD DS forest functional level is lower than Windows Server 2012 level then some schema upgrades will need to be made before starting the upgrade of the operating systems. The version of Server Manager that comes with Windows Server 2012 is able to detect the schema updates that are necessary, and will update the schema as part of the Server Manager AD DS Installation Wizard.

2. Joining one or more Windows Server 2012 servers to the AD DS domain, and promoting them to be AD DS domain controllers. The Windows Server 2012 servers will be able to join the domain, but before they can be promoted to AD DS domain controllers, there will be some schema updates that need to be performed. Again, the Server Manager AD DS Installation Wizard will perform these automatically. The AD DS domain and forest functional levels must be at least Windows Server 2003 Native mode.

3. This third option does not immediately raise the AD DS domain to Windows Server 2012, but relies on introducing one or more AD DS domains that are running Windows Server 2012. In this scenario, one or more AD DS domains from another part of the forest or even a different forest will be connected to the original domain with trust relationships. This will allow the different AD DS domains to coexist and share resources. At some point in the future, they can be consolidated into one or more AD DS domains running at the Windows Server 2012 level.


Lesson 2

Deploying a Distributed AD DS Environment

This lesson outlines different ways to install an AD DS domain, and describes the different functional levels of AD DS domains and forests. In this lesson, you will learn about some of the important points that you must address when deploying a complex AD DS environment, and you will see how to upgrade from a previous version of AD DS.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how to install a domain controller in a new domain in a forest.
• Describe AD DS domain functional levels.
• Describe AD DS forest functional levels.
• Explain how to upgrade a previous version of AD DS to a Windows Server 2012 version.
• Explain how to migrate to Windows Server 2012 AD DS from a previous version.
• Describe some important considerations for implementing a complex AD DS environment.

Demonstration: Installing a Domain Controller in a New Domain in a Forest


In this demonstration, you will see how to install a domain controller in a new domain in a forest.

Demonstration Steps

Configure LON-SVR1 as an AD DS Domain Controller in atl.adatum.com

1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. On LON-DC1, in Server Manager, use the AD DS Installation Wizard to remotely install AD DS on LON-SVR1.
3. Use the AD DS Installation Wizard to install and configure LON-SVR1 as an AD DS domain controller in a new domain, atl.adatum.com.

Access LON-SVR1 as Adatum\Administrator

1. Select options to install DNS and global catalog, and set the password for the Directory Services Restore Mode administrator account.
2. Reboot and log on as Adatum\Administrator with the password Pa$$w0rd, on the newly created AD DS domain controller LON-SVR1.
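The same promotion as the demonstration, driven from LON-DC1 with the ADDSDeployment cmdlets that ship with Windows Server 2012, as an added example that is not part of the course. It assumes a PowerShell remoting session to LON-SVR1 is permitted and reads both passwords interactively instead of embedding them; the NetBIOS name ATL is an assumption.

```powershell
# Added example (not course material). Run on LON-DC1 as Adatum\Administrator; promotes LON-SVR1
# remotely as the first domain controller of the new child domain atl.adatum.com.
$domainCred = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Enterprise Admins credential'
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password for LON-SVR1'

$session = New-PSSession -ComputerName 'LON-SVR1' -Credential $domainCred
Invoke-Command -Session $session -ArgumentList $domainCred, $dsrmPwd -ScriptBlock {
    param($cred, $dsrm)

    # Install the AD DS binaries and management tools (what the Server Manager role wizard does).
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Child domain atl.adatum.com, DNS server role, global catalog (the default unless -NoGlobalCatalog
    # is given), and a delegation in the parent zone so adatum.com DNS servers can refer queries here.
    $settings = @{
        NewDomainName                 = 'atl'
        ParentDomainName              = 'adatum.com'
        DomainType                    = 'ChildDomain'
        NewDomainNetbiosName          = 'ATL'          # assumption
        Credential                    = $cred
        InstallDns                    = $true
        CreateDnsDelegation           = $true
        SafeModeAdministratorPassword = $dsrm
        DomainMode                    = 'Win2012'
    }

    # Prerequisite check first: reports naming, DNS, schema and credential problems without changing anything.
    $check = Test-ADDSDomainInstallation @settings
    if ($check.Status -eq 'Error') {
        $check.Message | Write-Warning
        throw 'Prerequisite check failed; LON-SVR1 was not promoted.'
    }

    # Promote. -Force suppresses the confirmation prompt; the server reboots on completion.
    Install-ADDSDomain @settings -Force
}
Remove-PSSession $session
```

After the reboot, log on to LON-SVR1 as in the demonstration and confirm that the atl.adatum.com SRV records are registered in DNS before pointing clients at it.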


AD DS Domain Functional Levels

AD DS domains can run at different functional levels. Generally, upgrading the domain to a higher functional level will introduce additional features. Some of the domain functional levels are listed in the following table.

Domain functional level: Windows 2000 Server native
Features:
• Universal groups
• Group nesting
• Security identifier (SID) history

Note: Windows Server 2012 domain controllers cannot be installed in a domain running at Windows 2000 Server native level.

Domain functional level: Windows Server 2003
Features:
• The LastLogonTimestamp attribute remembers the time of the last domain logon for users, and replicates this to other AD DS domain controllers in the AD DS domain.
• Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by using Kerberos-based authentication.
• Selective authentication allows you to specify the users and groups that are allowed to authenticate to specific resource servers in a trusting forest.
• You can store DNS zones in application partitions, which allows them to be replicated on domain controllers that are also DNS servers in the domain, or even across the forest.
• Group attributes and other multi-valued attributes are replicated at the attribute level, instead of the object level. In previous versions of AD DS, group membership was considered part of the object, and the group would be replicated as a single object. This meant that if two administrators changed the membership of the same group in the same replication period, the last write would win. The first changes made would be lost, because the new version of the group would replace the previous one entirely. With multivalued replication, group membership is treated at the attribute level, and therefore all originating updates are merged together. This also greatly reduces the replication traffic that would occur. An additional benefit from this is the removal of the previous group membership restriction that limited the maximum number of members to 5,000.

Domain functional level: Windows Server 2008
Features:
• Distributed File System Replication (DFS-R) is available as a more efficient and robust file replication service for the SYSVOL folders. DFS-R can replace the NT File Replication Service (NTFRS).
• A large amount of interactive logon information is stored for each user, instead of just the last logon time.
• Fine-grained password settings allow account policies to be set for users and groups, which replaces the default domain settings for those users or group members.
• Personal virtual desktops are available for users to connect to, by using RemoteApp and Remote Desktop.
• Advanced Encryption Standard (AES 128 and 256) support for Kerberos is available.
• Read-only domain controllers (RODCs) provide a secure and economic way to provide AD DS logon services in remote sites, without storing confidential information such as passwords in untrusted environments.
• Group and other multivalue attributes are replicated on a per-value level, instead of being replicated together (which removed the limit of 5,000 users per group).

Domain functional level: Windows Server 2008 R2
Features:
• Authentication mechanism assurance, which packages information about a user's logon method, can be used in conjunction with application authentication, for example, with Active Directory Federation Services (AD FS). In another example, a user logging on by using a smart card can be granted access to more resources than when they log on with a username and password.
• Managed service accounts allow account passwords to be managed by the Windows operating system, and provide service principal name (SPN) management.

Domain functional level: Windows Server 2012
Features:
• Instead of the Windows PowerShell command-line interface, you can use Server Manager for setting up and managing the AD DS Recycle Bin.
• In Windows Server 2008, fine-grained password settings were complicated to set up and deploy. In Windows Server 2012, you can use Server Manager to deploy and manage these settings more conveniently.
• Support for Dynamic Access Control and Kerberos armoring.

Install Domain Controllers from Media

Install from Media allows the installation of an AD DS domain controller without impacting the network connection, because most of the new AD DS database is restored locally from an ntdsutil backup on a USB drive or DVD. Install from Media could also be accessed over the network when the network is not busy. Once the new AD DS domain controller is installed and rebooted, it will use the network to retrieve AD DS originating updates that were made since the ntdsutil backup was made. This will be a small amount of replication, unless there have been many originating updates to the AD DS database, which the new AD DS domain controller needs to bring up to date.

Note: Generally, you cannot roll back AD DS domain functional levels. However, in Windows Server 2012 and Windows Server 2008 R2, you are able to roll back to a minimum of Windows Server 2008, as long as you do not have optional features (such as the Recycle Bin) enabled. If you have implemented a feature that is only available in a higher domain functional level, you cannot roll back to an earlier state.


Additional Reading: To learn more about the AD DS domain functional levels, refer to the following link: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

AD D DS Forest Function nal Levels


The AD DS forest can run at diff ferent function nal leve els, and someti imes raising th he AD DS fores st func ctional level makes m additional features avai ilable. The most noticeable additional a feat tures com me with the up pgrade to a Windows Server 2003 fore est functional level. Additional features tha at are mad de available with Windows Server S 2003 inc clude: Forest Trusts: AD DS forests s can have trus sts set up between them, t which en nables resourc ce sharing. There e are full trusts and selective e trusts. Linked-value replication: Th his feature improved Windows 2000 Se erver replicatio on, and impro oved how grou up membership p was handled d.

Improved AD D DS replication n calculation algorithms: a Kno owledge Cons sistency Check ker (KCC) and intersite topo ology generato or (ISTG) use im mproved algor rithms to spee d up the calcu ulation of the A AD DS replication infrastructure, and provide mu uch faster site link calculatio ons. Support for Read R Only Dom main Controlle ers (RODCs). RO ODCs are supp ported at the W Windows Serve er 2003 forest fu unctional level l. The RODC must m be runnin g Windows Se erver 2008 or later. Conversion of inetOrgPerso on objects to user u objects. Yo ou can conver rt an instance o of an inetOrgPerson object, used d for compatibility with certa ain non-Micros soft directory s services, into a an instance of class user. You can c also conve ert a user objec ct to an inetOrgPerson obje ect. Deactivation and redefiniti ion of attribute es and object classes. Althou ugh you canno ot delete an attribute or object o class in the t schema at the Windows Server 2003 fu unctional level, you can deactivate or redefine attrib butes or objec ct classes.

The Windows Server 2008 forest functional level does not add new forest-wide features. The Windows Server 2008 R2 forest functional level adds the Active Directory Recycle Bin feature. This feature allows the ability to restore deleted Active Directory objects. Although the Windows Server 2008 R2 AD DS forest functional level introduced AD DS Recycle Bin, the Recycle Bin had to be managed with Windows PowerShell. However, the version of Remote Server Administration Tools (RSAT) that comes with Windows Server 2012 has the ability to manage the AD DS Recycle Bin by using GUI tools.

When you raise the forest functional level, you limit possible domain functional levels for domains that you add to the forest. For example, if you raise the forest functional level to Windows Server 2012, you cannot add a new domain running at Windows Server 2008 R2 domain functional level.


Upgrading a Previous Version of AD DS to Windows Server 2012


To upgrade a previous version of AD DS to Windows Server 2012 AD DS, you can use either of the following two methods:

- Upgrade the operating system on the existing domain controllers to Windows Server 2012.
- Introduce Windows Server 2012 servers as domain controllers in the existing domain. You can then decommission AD DS domain controllers running earlier versions of AD DS.

Of these two methods, the second is preferred, because there will be no old or disused code and files remaining. Instead, you will have a clean installation of the Windows Server 2012 operating system and AD DS database.

Upgrading to Windows Server 2012

To upgrade an AD DS domain from Windows Server 2008 functional level to Windows Server 2012 functional level, you must first upgrade all the domain controllers from the Windows Server 2008 operating system to the Windows Server 2012 operating system. You can achieve this by upgrading all of the existing domain controllers to Windows Server 2012, or by introducing new domain controllers running Windows Server 2012, and then phasing out the existing domain controllers.

There is no reason to prevent Windows Server 2012 servers from being part of a Windows Server 2008 domain. However, before you can install the first domain controller that is running Windows Server 2012, you must upgrade the schema. In versions of AD DS prior to Windows Server 2012, you would run the adprep.exe tool to perform the schema upgrades. In a Windows Server 2012 environment, the Active Directory Domain Services Installation Wizard that is included in Server Manager incorporates the commands necessary to upgrade the AD DS forest schema.

Note: Windows Server 2012 still provides a 64-bit version of ADPrep, so you can run Adprep.exe separately. For example, if the administrator installing the first Windows Server 2012 domain controller is not a member of the Enterprise Admins group, then you might need to run the command separately. You only have to run adprep.exe if you are planning to do an in-place upgrade for the first Windows Server 2012 domain controller in the domain.

The Upgrade Process


To upgrade the operating system of a Windows Server 2008 domain controller to Windows Server 2012:

1. Insert the installation disk for Windows Server 2012, and run Setup.
2. After the language selection page, select Install now.
3. After the operating system selection window and the license acceptance page, on the Which type of installation do you want? window, choose Upgrade: Install Windows and keep files, settings, and apps.

With this type of upgrade, AD DS on the domain controller is upgraded to Windows Server 2012 AD DS. As a best practice, you should check for hardware and software compatibility before doing an upgrade. Following the operating system upgrade, remember to update your drivers and other services (such as monitoring agents), and check for updates for both Microsoft applications and non-Microsoft software.


The Clean Installation Process


To introduce a clean install of Windows Server 2012 as a domain member:

1. Deploy and configure a new installation of Windows Server 2012, and then join it to the domain.
2. Promote the new server to be a domain controller in the domain by using Server Manager.

Note: You can upgrade directly from Windows Server 2008 and Windows Server 2008 R2 to Windows Server 2012. To upgrade servers that are running a version of Windows Server that is older than Windows Server 2008, you must either perform an interim upgrade to Windows Server 2008 or Windows Server 2008 R2, or perform a clean install. Note that Windows Server 2012 AD DS domain controllers are able to coexist as domain controllers in the same domain as Windows Server 2003 domain controllers or newer.
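Before either upgrade path, a readiness check covering the points above (current forest and domain functional levels, whether the schema has already been extended, which domain controllers still run an older operating system, and whether the Recycle Bin is enabled) is useful. The following is an added example, not part of the course; it assumes the ActiveDirectory PowerShell module and an account that can read every domain in the forest, and it uses 56 as the schema objectVersion written by the Windows Server 2012 forest preparation.

```powershell
# Added example (not from the course): pre-upgrade readiness report for an AD DS
# forest that is about to receive its first Windows Server 2012 domain controller.
Import-Module ActiveDirectory

function Get-ADDSUpgradeReadiness {
    [CmdletBinding()]
    param(
        # Schema objectVersion after the Windows Server 2012 forestprep (adprep or the wizard).
        [int]$TargetSchemaVersion = 56
    )

    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion

    # Every DC in every domain of the forest with its operating system. A functional
    # level can only be raised once no DC runs an OS older than the target level.
    $dcs = foreach ($domainName in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domainName |
            Select-Object Name, Domain, OperatingSystem, IsReadOnly, IsGlobalCatalog
    }

    # DCs whose OS predates Windows Server 2012 block raising the level to 2012.
    $blocking = $dcs | Where-Object {
        $_.OperatingSystem -notmatch 'Windows Server (2012|2016|2019|2022)'
    }

    # Recycle Bin is an optional feature; EnabledScopes is empty until it is enabled.
    $recycleBin = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

    [pscustomobject]@{
        ForestName        = $forest.Name
        ForestMode        = $forest.ForestMode
        SchemaVersion     = $schema.objectVersion
        SchemaReady       = ($schema.objectVersion -ge $TargetSchemaVersion)
        DomainModes       = ($forest.Domains | ForEach-Object {
                                $d = Get-ADDomain -Identity $_
                                '{0}={1}' -f $d.DNSRoot, $d.DomainMode
                            }) -join '; '
        DomainControllers = $dcs.Count
        BlockingDCs       = ($blocking | ForEach-Object {
                                '{0} ({1})' -f $_.Name, $_.OperatingSystem
                            }) -join '; '
        RecycleBinEnabled = ($recycleBin.EnabledScopes.Count -gt 0)
    }
}

Get-ADDSUpgradeReadiness | Format-List
```

An empty BlockingDCs field together with SchemaReady = True means the first Windows Server 2012 domain controller can be introduced and, once the remaining DCs are replaced, the functional levels raised.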

Migrating to Windows Server 2012 AD DS from a Previous Version


As part of deploying AD DS, you might choose to restructure your environment for the following reasons:

- To optimize the arrangement of elements within the logical Active Directory structure.
- To assist in completing a business merger, acquisition, or divestiture.

Restructuring involves the migration of resources between AD DS domains in either the same forest or in different forests. After you deploy AD DS, you might decide to further reduce the complexity of your environment by either restructuring AD DS domains between AD DS forests or restructuring domains within a single AD DS forest. You can use the latest version of the Active Directory Migration Tool to perform object migrations and security translation as necessary, so that users can maintain access to network resources during the migration process.

Pre-Migration Steps


Before performing the migration, you must perform several tasks to prepare the source and target domains. These tasks include:

- For domain member computers that are pre-Windows Vista Service Pack 1 (SP1) or Windows Server 2008 R2, configure a registry setting on the target AD DS domain controller to allow cryptography algorithms that are compatible with the Microsoft Windows NT Server 4.0 operating system.

- Enable firewall rules on source and target AD DS domain controllers to allow file and printer sharing.

- Prepare the source and target AD DS domains to manage how the users, groups and user profiles will be handled.
- Create a rollback plan.
- Establish trust relationships that are required for the migration.
- Configure source and target AD DS domains to enable SID History migration.
- Specify service accounts for the migration.


- Perform a test migration, and fix any errors that are reported.

Migration Steps

When you are confident that all pre-migration steps have been completed, you can complete the migration. During this process, you will migrate user accounts, group accounts and computer accounts to the new domain. You will also assign permissions to network resources using the accounts in the new domain.

Post-Migration Steps

The new accounts (SIDs) will still have access to resources, because they retain an attribute called SID History. For example, a user uses a new user account to attempt to access a resource to which they had access with their old account. Instead of the user being denied because their SID is not referenced in the permissions, they can present their previous SID by using the SID History attribute. The migration tools can re-permit the resources so the new SIDs are entered into the permissions on the resource, and the old SID can be removed.

Once you have tested everything and verified that it is working in the new AD DS domain, you can decommission the old domain controllers.

Note: The entire process may involve running the migration several times. For example, the user accounts would be migrated early in the process, but the user accounts profile migration would be accomplished in another pass of the migration tool.

Additional Reading: Download the Active Directory Migration Tool version 3.2 from http://www.microsoft.com/en-us/download/details.aspx?id=8377. You can download the Active Directory Migration Tool Guide from http://www.microsoft.com/en-us/download/details.aspx?id=19188.
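Because SID History keeps old SIDs authoritative for access, the target domain should be audited after each migration pass: every history value should belong to the declared source domain, and none should carry a privileged well-known RID. The following is an added example, not course or ADMT code; it assumes the ActiveDirectory module, and the source domain SID shown is a placeholder to be replaced with the real value.

```powershell
# Added example (not from the course): audit sIDHistory in the target domain after an
# ADMT migration, so that unexpected values are found before the old SIDs are removed.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    [CmdletBinding()]
    param(
        # Domain SID of the source (old) domain, e.g. (Get-ADDomain -Identity source).DomainSID.Value
        [Parameter(Mandatory)][string]$SourceDomainSid,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    # Well-known RIDs that should never arrive via sIDHistory from another domain:
    # 500 Administrator, 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
    $privilegedRids = 500, 512, 518, 519

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Server $Server `
                 -Properties sIDHistory, objectSid, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($oldSid in $obj.sIDHistory) {
                $sidText    = $oldSid.Value
                $lastDash   = $sidText.LastIndexOf('-')
                $domainPart = $sidText.Substring(0, $lastDash)      # S-1-5-21-x-y-z
                $rid        = [int]$sidText.Substring($lastDash + 1)
                $fromSource = ($domainPart -eq $SourceDomainSid)
                [pscustomobject]@{
                    Name        = $obj.sAMAccountName
                    ObjectClass = $obj.ObjectClass
                    CurrentSid  = $obj.objectSid.Value
                    HistorySid  = $sidText
                    FromSource  = $fromSource
                    # Flag history SIDs from a domain other than the migration source,
                    # and any history SID that is a privileged well-known RID.
                    Suspicious  = (-not $fromSource) -or ($privilegedRids -contains $rid)
                }
            }
        }
}

# Placeholder source domain SID; replace with the real one from the old domain.
$report = Get-SidHistoryReport -SourceDomainSid 'S-1-5-21-1111111111-2222222222-3333333333'
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Once the report shows only expected entries and resources have been re-permissioned with the new SIDs, the old values can be cleared per object with Set-ADObject and the -Remove @{sIDHistory=...} parameter.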

Considerations for Implementing a Complex AD DS Environment


Before implementing a complex AD DS environment, it is important to consider the implications of the design if the deployment is to be successful. With proper planning, you can design an AD DS model to provide the administrative and security requirements for your organization.


Some of the key points for consideration are listed in the following table.

| Scenario | Key Points to Consider |
|---|---|
| More than one AD DS forest? | Security, politics, multiple schemas, administrative separation |
| More than one AD DS tree? | Multiple namespaces, acquisition, merger |
| Number of AD DS domains | Security, politics, administrative separation (for example, different departments in a governmental organization) |
| DNS namespace design | Must support the proposed AD DS domain structure |
| DNS resolution for host records and SRV records | Must support resolution throughout the organization |
| OUs | Structure to support administrative delegation and Group Policy deployment |
| Number and location of AD DS domain controllers | Number of active accounts, network bandwidth, AD DS services availability, AD DS replication traffic |
| Sites and replication topology | AD DS replication requirements, network bandwidth, slow links, application support |

Note: Details are discussed earlier in this module, and more information is available in Module 9.

AD DS Forest Root Domain


Each new AD DS forest starts with an AD DS forest root domain. This root domain has some unique features that do not exist in any other AD DS domain in the AD DS forest, including the following:

- The Schema Operations Master
- The Domain Naming Master
- The Schema Admins group
- The Enterprise Admins group

For this reason, the AD DS forest root domain must be treated with extra caution, particularly as the Enterprise Admins group and the Domain Admins group in the AD DS forest root domain have full control over every AD DS domain and object in the entire AD DS forest.

DNS Services

You should configure DNS services at the beginning of the deployment process, as all subsequent operations will depend on DNS functioning correctly. This also means that all computers should be configured with the IP addresses of at least two DNS servers so that they can successfully perform DNS lookups. In a complex environment, it will be necessary to decide how to make DNS records accessible to DNS resolvers (client computers).

Trust Relationships
You will also need to consider trust relationships for several reasons, such as:

- Enabling authentication between AD DS domains and external domains or realms.


- Enabling authentication between AD DS forests (forest trusts, complete or selective).
- Facilitating fast and reliable authentication traffic between AD DS domains in the same forest (shortcut trusts).

Multiple UPN Suffixes

Multiple User Principal Name (UPN) suffixes may be required to allow users to log on to their user accounts using an email account name from a different DNS namespace. For example, a user named Holly in the adatum.com AD DS domain could log on to that user account by using a UPN such as holly@fabrikam.com.


Lesson 3

Configuring AD DS Trusts

This lesson examines trust relationships and how they provide functionality for accessing resources and logging on to the domain. There are several types of trust relationships, and this lesson describes them in turn.

When an AD DS multi-domain forest is created, trusts are automatically created to link all of the AD DS domains in the AD DS forest. In addition, there are other trusts that you can establish to provide additional functionality. These trusts include shortcut, external, realm, and forest trusts.

Lesson Objectives


After completing this lesson you will be able to:

- Describe the types of trusts that can be configured in a Windows Server 2012 environment.
- Explain how trusts work within an AD DS forest.
- Explain how trusts work between AD DS forests.
- Describe how to configure advanced trust settings.
- Describe how to configure a forest trust.

Overview of Different AD DS Trust Types


In a multi-domain AD DS forest, two-way transitive trust relationships are generated automatically between the AD DS domains, so that there is a path of trust between all of the AD DS domains. These trusts are called parent-child trusts. The trusts that are automatically created in the forest are all transitive trusts. That means that if A trusts B, and B trusts C, then A trusts C. However, this may not be the most efficient way to provide an authentication connection between all of the AD DS domains, and you can improve performance by setting up shortcut trusts.

There are other types of trust that you can deploy. For example, you can set up a realm trust with a non-Microsoft organization that is running Kerberos V5, and Windows NT 4.0 domains can be connected by using an external trust. The following table shows the main trust types.

| Trust type | Transitivity | Direction | Description |
|---|---|---|---|
| Parent and child | Transitive | Two-way | When a new AD DS domain is added to an existing AD DS tree, new parent and child trusts are created. |
| Tree-root | Transitive | Two-way | When a new AD DS tree is created in an existing AD DS forest, a new tree-root trust is created. |
| External | Non-transitive | One-way or two-way | External trusts enable resource access to be granted with a Windows NT 4.0 domain or an AD DS domain in another forest. These may also be set up to provide a framework for a migration. |
| Realm | Transitive or non-transitive | One-way or two-way | Realm trusts establish an authentication path between a Windows Server AD DS domain and a Kerberos V5 realm. |
| Forest (Complete or Selective) | Transitive | One-way or two-way | Trusts between AD DS forests allow two forests to share resources. |
| Shortcut | Transitive | One-way or two-way | Shortcut trusts improve authentication times between AD DS domains that are in different parts of an AD DS forest. |

How Trusts Work Within a Forest


When you set up trusts between domains either within the same forest, across forests, or with an external realm, information about these trusts is stored in AD DS so you can retrieve it when necessary. A trusted domain object stores this information. The trusted domain object stores information about the trust such as the trust transitivity and type. Whenever you create a trust, a new trusted domain object is created and stored in the System container in the trust's domain.

How Trusts Enable Users to Access Resources in a Forest

When a user attempts to access a resource in another domain, the Kerberos authentication protocol must determine whether the trusting domain has a trust relationship with the trusted domain. To determine this relationship, the Kerberos V5 protocol travels the trust path, utilizing trust information and DNS lookups to obtain a referral to the target domain's domain controller. The target domain controller issues a service ticket for the requested service. The trust path is the shortest path in the trust hierarchy.

When the user in the trusted domain attempts to access the resource in the other domain, the user's computer first contacts the domain controller in its domain to get authentication to the resource. If the resource is not in the user's domain, the domain controller uses the trust relationship with its parent, and refers the user's computer to a domain controller in its parent domain. This attempt to locate a resource continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource is located.


How Trusts Work Between Forests


If the AD DS environment contains more than one forest, then it is possible to set up trust relationships between the AD DS forest roots. These forest trusts can be either complete trusts or selective trusts. Forest trusts can be one-way or two-way. A single forest trust relationship allows users who are authenticated by a domain in one forest to access resources that are in the other forest, as long as they have been granted access rights. If the forest trust is one-way, domain controllers in the trusting forest can authenticate users in any domain in the trusted forest. Forest trusts are significantly easier to establish, maintain, and administer than separate trust relationships between each of the domains in the forests.

Forest trusts are particularly useful in scenarios that involve cross-organization collaboration or mergers and acquisitions, or within a single organization that has more than one forest in which to isolate Active Directory data and services. Forest trusts are also useful for application service providers, for collaborative business extranets, and for companies seeking a solution for administrative autonomy.

Forest trusts provide the following benefits:

- Simplified management of resources across two Windows Server 2008 forests by reducing the number of external trusts necessary to share resources.
- Complete two-way trust relationships with every domain in each forest.
- Use of UPN authentication across two forests.
- Use of both the Kerberos V5 protocol and NTLM authentication protocols to improve the trustworthiness of authorization data that is transferred between forests.
- Flexibility of administration. Administrative tasks can be unique to each forest.

In AD DS in Windows Server 2008, you can link two Windows Server 2003 or Windows Server 2008 forests together to form a one-way or two-way trust relationship. You can use a two-way forest trust to form a transitive trust relationship between every domain in both forests.

You can create a forest trust only between two AD DS forests, and you cannot extend the trust implicitly to a third forest. This means that, if you create a forest trust between Forest 1 and Forest 2, and you create a forest trust between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3. Forest trusts are not transitive.

You must address several requirements before you can implement a forest trust, including that the forest functional level must be Windows Server 2003 or newer, and you must have DNS name resolution between the forests.


Configuring Advanced AD DS Trust Settings


In some cases, trusts can present security issues. Additionally, if you do not configure a trust properly, users who belong to another domain can gain unwanted access to some resources. There are several technologies that you can use to help control and manage security in a trust.

SID Filtering

By default, when you establish a forest or domain trust, you enable a domain quarantine, which is also known as SID filtering. When a user authenticates in a trusted domain, the user presents authorization data that includes the SIDs of all of the groups to which the user belongs. Additionally, the user's authorization data includes SIDs from other attributes of the user and the user's groups.

AD DS sets SID filtering by default to prevent malicious users who have access at the domain or enterprise administrator level in a trusted forest or domain from granting (to themselves or to other user accounts in their forest or domain) elevated user rights to a trusting forest or domain. SID filtering prevents misuse of the attributes that contain SIDs on security principals (including InetOrgPerson objects) in the trusted forest or domain. One common example of an attribute that contains a SID is the SID history attribute (SIDHistory) on a user account object. Domain administrators typically use the SID history attribute to seamlessly migrate the user and group accounts that are held by a security principal from one domain to another. All SID filtering activities occur in the background, and administrators do not need to explicitly configure anything unless they want to disable SID filtering.

When security principals are created in a domain, the SID of the principal includes the domain SID, so that you can identify in which domain it was created. The domain SID is important, because the Windows security subsystem uses it to verify the identity of the security principal, which in turn determines which domain resources the user can access.

Authentication

When you create an external trust or a forest trust, you can manage the scope of authentication of trusted security principals. There are two modes of authentication for an external or forest trust:

- Selective authentication
- Domain-wide authentication (for an external trust) or forest-wide authentication (for a forest trust)

If you choose domain-wide or forest-wide authentication, this enables all trusted users to authenticate for services and access on all computers in the trusting domain. Trusted users can, therefore, be given permission to access resources anywhere in the trusting domain. If you use this authentication mode, you must have confidence in your enterprise's security procedures and in the administrators who implement those procedures that trusted users will not receive inappropriate access to services. Remember, for example, that users from a trusted domain or forest are considered Authenticated Users in the trusting domain. Therefore, if you choose domain-wide or forest-wide authentication, any resource that has permissions granted to Authenticated Users is accessible immediately to trusted domain users.

If, however, you choose selective authentication, all users in the trusted domain are trusted identities. However, they are allowed to authenticate only for services on computers that you specify. For example, imagine that you have an external trust with a partner organization's domain. You want to ensure that only users from the partner organization's marketing group can access shared folders on only one of your many file servers. You can configure selective authentication for the trust relationship, and then give the trusted users the right to authenticate only for that one file server.
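The trusted domain objects described earlier, SID filtering and the two authentication modes can all be reviewed from the trustAttributes value stored on each trust. The following is an added example, not course code; it assumes the ActiveDirectory module and read access to the System container, and it uses the trustAttributes bit meanings documented in MS-ADTS.

```powershell
# Added example (not from the course): report every trust of the current domain with
# the settings discussed in this topic and flag configurations that widen exposure.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS). Get-ADTrust also decodes most of them into boolean
# properties, but the raw bits make the SID-filtering logic explicit.
$TA_NON_TRANSITIVE    = 0x01
$TA_QUARANTINED       = 0x04   # SID filtering ("domain quarantine") on an external trust
$TA_FOREST_TRANSITIVE = 0x08
$TA_CROSS_ORG         = 0x10   # selective authentication
$TA_WITHIN_FOREST     = 0x20
$TA_TREAT_AS_EXTERNAL = 0x40   # forest trust filtered only as loosely as an external trust

function Get-TrustSecurityReport {
    [CmdletBinding()]
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    # One trustedDomain object per trust, read from the System container of this domain.
    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $t        = $_
        $attr     = [int]$t.TrustAttributes
        $findings = New-Object System.Collections.Generic.List[string]

        # Outbound = this domain trusts the target, so the target's users authenticate
        # here; that is the side where filtering and selective authentication matter.
        $weTrustThem = ($t.Direction -ne 'Inbound')

        if ($attr -band $TA_WITHIN_FOREST) {
            $kind = 'IntraForest'                      # parent-child, tree-root, shortcut
        } elseif ($attr -band $TA_FOREST_TRANSITIVE) {
            $kind = 'Forest'
            if ($weTrustThem -and ($attr -band $TA_TREAT_AS_EXTERNAL)) {
                $findings.Add('forest trust treated as external: SID history from the trusted forest is accepted')
            }
        } elseif ($t.TrustType -eq 'MIT') {
            $kind = 'Realm'
        } else {
            $kind = 'External'
            if ($weTrustThem -and -not ($attr -band $TA_QUARANTINED)) {
                $findings.Add('SID filtering (quarantine) disabled on external trust')
            }
        }

        if (($kind -in @('Forest', 'External')) -and $weTrustThem -and -not ($attr -band $TA_CROSS_ORG)) {
            $findings.Add("${kind}-wide authentication: trusted users are Authenticated Users in this domain")
        }

        [pscustomobject]@{
            Source                  = $t.Source
            Target                  = $t.Target
            Kind                    = $kind
            Direction               = $t.Direction
            Transitive              = -not ($attr -band $TA_NON_TRANSITIVE)
            SelectiveAuthentication = [bool]($attr -band $TA_CROSS_ORG)
            TrustAttributes         = ('0x{0:X}' -f $attr)
            Findings                = ($findings -join '; ')
        }
    }
}

Get-TrustSecurityReport | Format-Table -AutoSize
```

Intra-forest trusts always show no findings: SID filtering and selective authentication apply only to external and forest trusts, which is why the report classifies each trust first.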


Name Suffix Routing

Name suffix routing is a mechanism for managing how authentication requests are routed across Windows Server 2008 forests and Windows Server 2003 forests that are joined by forest trusts. To simplify the administration of authentication requests, when you create a forest trust, AD DS routes all unique name suffixes by default. A unique name suffix is a name suffix within a forest, such as a UPN suffix, SPN suffix, or DNS forest or domain tree name that is not subordinate to any other name suffix. For example, the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com forest.

AD DS routes all names that are subordinate to unique name suffixes implicitly. For example, if your forest uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com (childdomain.fabrikam.com) are routed, because the child domains are part of the fabrikam.com name suffix. Child names appear in the Active Directory Domains and Trusts snap-in. If you want to exclude members of a child domain from authenticating in the specified forest, you can disable name suffix routing for that name. You also can disable routing for the forest name itself.

Demonstration: Configuring a Forest Trust

In this demonstration, you will see how to configure DNS name resolution by using a conditional forwarder. You will also see how to configure a two-way selective forest trust.

Demonstration Steps

Configure DNS name resolution by using a conditional forwarder

Configure DNS name resolution between adatum.com and treyresearch.net by creating a conditional forwarder so that LON-DC1 has a referral to MUN-DC1 as the DNS server for the DNS domain treyresearch.net.

Configure a two-way selective forest trust

On LON-DC1, in Active Directory Domains and Trusts, create a two-way selective forest trust between adatum.com and treyresearch.net, by supplying the credentials of the treyresearch.net domain Administrator account.


Lab: Implementing Complex AD DS Deployments


Scenario

A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in its London data center. As the company has grown and added branch offices with large numbers of users, it is becoming increasingly apparent that the current AD DS environment is not meeting company requirements. The network team is concerned about the amount of AD DS-related network traffic that is crossing WAN links, which are becoming highly utilized. The company has also become increasingly integrated with partner organizations, some of whom need access to shared resources and applications that are located on the A. Datum internal network. The security department at A. Datum wants to ensure that the access for these external users is as secure as possible.

As one of the senior network administrators at A. Datum, you are responsible for implementing an AD DS infrastructure that will meet the company requirements. You are responsible for planning an AD DS domain and forest deployment that will provide optimal services for both internal and external users, while addressing the security requirements at A. Datum.

Objectives
- Implement child domains in AD DS.
- Implement forest trusts in AD DS.

Lab Setup
Estimated Time: 45 minutes

20412A-LON-DC1
20412A-TOR-DC1
20412A-LON-SVR1
20412A-MUN-DC1

User name: Adatum\Administrator Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2-4 for 20412A-LON-SVR1 and 20412A-TOR-DC1.
6. Start 20412A-MUN-DC1 and log on as Treyresearch\Administrator with the password of Pa$$w0rd.


Exercise 1: Implementing Child Domains in AD DS


Scenario

A. Datum has decided to deploy a new domain in the adatum.com forest for the North American region. The first domain controller will be deployed in Toronto, and the domain name will be na.adatum.com. You need to configure and install the new domain controller.

The main tasks for this exercise are as follows:

1. Configure Domain Name System (DNS) for domain delegation.
2. Install a domain controller in a child domain.
3. Verify the default trust configuration.

Task 1: Configure Domain Name System (DNS) for domain delegation

On LON-DC1, open DNS Manager and configure a delegated zone record for na.adatum.com. Specify TOR-DC1 as the authoritative DNS server.

Task 2: Install a domain controller in a child domain


1. On TOR-DC1, use Server Manager to install AD DS.
2. When the AD DS binaries have installed, use the Active Directory Domain Services Configuration Wizard to install and configure TOR-DC1 as an AD DS domain controller for a new child domain named na.adatum.com.
3. When prompted, use Pa$$w0rd as the Directory Services Restore Mode (DSRM) password.

Task 3: Verify the default trust configuration


1. Log on to TOR-DC1 as NA\Administrator using the password Pa$$w0rd.
2. When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local Area Connection and then click Disable. Right-click Local Area Connection and then click Enable. The Local Area Connection should now show Adatum.com.
3. From Server Manager, launch the Active Directory Domains and Trusts management console and verify the parent child trusts.

Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC) verification has failed, ensure that you have completed step 2 and then wait for at least 10-15 minutes. You can continue with the lab and come back later to verify this step.
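The three tasks of this exercise can also be carried out and verified from PowerShell. The following is an added example, not part of the lab; it uses the lab's names and addresses (na.adatum.com, TOR-DC1 at 172.16.0.25) and assumes the DnsServer, ServerManager, ADDSDeployment and ActiveDirectory modules that ship with Windows Server 2012.

```powershell
# Added example (not from the lab): Exercise 1 as PowerShell, with the same names and
# addresses as the lab. Each part notes the server it is meant to run on.

# Task 1, run on LON-DC1: delegate the "na" child zone to TOR-DC1 (future name
# tor-dc1.na.adatum.com) and create the glue record for its address.
Add-DnsServerZoneDelegation -Name 'adatum.com' -ChildZoneName 'na' `
    -NameServer 'tor-dc1.na.adatum.com' -IPAddress 172.16.0.25 -PassThru

# Task 2, run on TOR-DC1 (a domain-joined Windows Server 2012 member server).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'       # Pa$$w0rd in the lab
Install-ADDSDomain -NewDomainName 'na' -ParentDomainName 'adatum.com' -DomainType ChildDomain `
    -NewDomainNetbiosName 'NA' -Credential (Get-Credential 'ADATUM\Administrator') `
    -SafeModeAdministratorPassword $dsrm -InstallDns `
    -CreateDnsDelegation:$false -Force                             # delegation done in Task 1
# The server reboots as the first DC of na.adatum.com.

# Task 3, run on TOR-DC1 after the reboot as NA\Administrator: confirm that the
# automatic parent-child trust exists on both sides and that netdom can validate it.
function Test-ParentChildTrust {
    param([string]$Parent = 'adatum.com', [string]$Child = 'na.adatum.com')

    $fromChild  = Get-ADTrust -Filter "Target -eq '$Parent'" -Server $Child
    $fromParent = Get-ADTrust -Filter "Target -eq '$Child'"  -Server $Parent

    # Parent-child trusts are intra-forest and two-way; anything else is wrong.
    $childOk  = ($null -ne $fromChild)  -and $fromChild.IntraForest  -and ($fromChild.Direction  -eq 'BiDirectional')
    $parentOk = ($null -ne $fromParent) -and $fromParent.IntraForest -and ($fromParent.Direction -eq 'BiDirectional')

    # netdom trust /verify performs the same secure-channel check as the console's
    # Validate button; exit code 0 means the trust validated.
    & netdom.exe trust $Child /domain:$Parent /verify | Out-Null
    $validated = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        ChildSeesParent = $childOk
        ParentSeesChild = $parentOk
        TrustValidated  = $validated
    }
}

Test-ParentChildTrust
```

If TrustValidated is false immediately after promotion, the same waiting period the note above describes applies; rerun Test-ParentChildTrust once replication has caught up.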

Results: After completing this exercise, you will have implemented child domains in AD DS.

Exercise 2: Implementing Forest Trusts


Scenario

A. Datum is working on several high-priority projects with a partner organization named Trey Research. To simplify the process of enabling access to resources located in the two organizations, they have deployed a dedicated wide area network (WAN) between London and Munich, where Trey Research is located. You now need to implement and validate a forest trust between the two forests, and configure the trust to allow access to only selected servers in London.


The main tasks for this exercise are as follows:

1. Configure stub zones for DNS name resolution.
2. Configure a forest trust with selective authentication.
3. Configure a server for selective authentication.

Task 1: Configure stub zones for DNS name resolution

1. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Using the DNS management console, configure a DNS stub zone for treyresearch.net.
3. Use 172.16.10.10 as the Master DNS server.
4. Close DNS Manager.
5. Log on to MUN-DC1 as TreyResearch\Administrator with the password Pa$$w0rd.
6. Using the DNS management console, configure a DNS stub zone for adatum.com.
7. Use 172.16.0.10 as the Master DNS server.
8. Close DNS Manager.

Task 2: Configure a forest trust with selective authentication

1. On LON-DC1, create a one-way, outgoing trust between the adatum.com forest and the treyresearch.net AD DS forest, so that adatum.com trusts treyresearch.net. Configure the trust to use Selective authentication.
2. Confirm and validate the trust from treyresearch.net.
3. Close Active Directory Domains and Trusts.

Task 3: Configure a server for selective authentication

1. On LON-DC1, from Server Manager open Active Directory Users and Computers.
2. In Active Directory Users and Computers, on the LON-SVR1 computer object, grant the members of the treyresearch.net\it group the Allowed to authenticate permission. If you are prompted for credentials, type Treyresearch\administrator with the password Pa$$w0rd.
3. On LON-SVR1, create a shared folder IT-Data and grant access to members of the treyresearch.net\it group. If you are prompted for credentials, type Treyresearch\administrator with the password Pa$$w0rd.
4. Log off of MUN-DC1.
5. Log on to MUN-DC1 as treyresearch\alice, and access the shared folder on LON-SVR1.

Results: After completing this exercise, you will have implemented forest trusts.
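The same exercise as a script, so that the trust direction, the selective authentication setting and the Allowed to authenticate permission are explicit rather than hidden in wizard pages. This is an added example, not the course's own lab steps. It assumes the lab layout (LON-DC1 in adatum.com at 172.16.0.10, MUN-DC1 in treyresearch.net at 172.16.10.10, a member server LON-SVR1, and the group TREYRESEARCH\it on the partner side), the DnsServer and ActiveDirectory PowerShell modules, and it uses the .NET System.DirectoryServices.ActiveDirectory API to create the trust because the Windows Server 2012 AD module has no cmdlet for that.

```powershell
# Added example, not part of the course lab. Assumes the lab layout for this exercise:
#   LON-DC1 = adatum.com (172.16.0.10), MUN-DC1 = treyresearch.net (172.16.10.10), LON-SVR1 = adatum.com member server.

# ---- Task 1: stub zones, one on each side, so each forest can find the other's DCs ----
# On LON-DC1:
Add-DnsServerStubZone -Name 'treyresearch.net' -MasterServers 172.16.10.10 -ReplicationScope Forest
# On MUN-DC1:
Add-DnsServerStubZone -Name 'adatum.com' -MasterServers 172.16.0.10 -ReplicationScope Forest
# Trust creation cannot succeed until the partner's DC locator records resolve on both sides:
Resolve-DnsName -Type SRV -Name '_ldap._tcp.dc._msdcs.treyresearch.net'

# ---- Task 2, on LON-DC1: one-way outgoing forest trust (adatum.com trusts treyresearch.net) ----
Add-Type -AssemblyName System.DirectoryServices
$partnerCred = Get-Credential 'TREYRESEARCH\Administrator'     # needed because both sides of the trust are created here
$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList `
           ([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest), 'treyresearch.net',
           $partnerCred.UserName, $partnerCred.GetNetworkCredential().Password
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()   # adatum.com
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Outbound is the wizard's "outgoing": adatum.com resources, treyresearch.net identities, nothing the other way.
$outbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
$local.CreateTrustRelationship($remote, $outbound)
$local.SetSelectiveAuthenticationStatus('treyresearch.net', $true)
$local.VerifyTrustRelationship($remote, $outbound)

Import-Module ActiveDirectory
Get-ADTrust -Identity 'treyresearch.net' |
    Select-Object Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware
# Expected: Direction Outbound, ForestTransitive True, SelectiveAuthentication True.
# SIDFilteringForestAware True is the default for forest trusts and blocks injected SID history; leave it on.

# ---- Task 3, on LON-DC1: grant TREYRESEARCH\it "Allowed to authenticate" on the LON-SVR1 computer object ----
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate control access right
$itSid = (New-Object System.Security.Principal.NTAccount('TREYRESEARCH', 'it')).Translate(
             [System.Security.Principal.SecurityIdentifier])
$svrDn = (Get-ADComputer 'LON-SVR1').DistinguishedName
$acl   = Get-Acl -Path "AD:\$svrDn"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $itSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $allowedToAuthenticate)))
Set-Acl -Path "AD:\$svrDn" -AclObject $acl

# On LON-SVR1: the share and NTFS ACLs still decide what the group may do once it is allowed to authenticate.
New-Item -ItemType Directory -Path 'C:\IT-Data' | Out-Null
icacls 'C:\IT-Data' /grant 'TREYRESEARCH\it:(OI)(CI)M'
New-SmbShare -Name 'IT-Data' -Path 'C:\IT-Data' -ChangeAccess 'TREYRESEARCH\it'

# ---- Check from MUN-DC1 as TREYRESEARCH\alice (a member of it) ----
Test-Path '\\LON-SVR1\IT-Data'          # True
# Any adatum.com server that was NOT granted the right rejects the same user with
# "the machine you are logging onto is protected by an authentication firewall": that is the point of selective authentication.
```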

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1, 20412A-MUN-DC1, and 20412A-LON-SVR1.


Lab Review

Question: Why did you configure a delegated subdomain record in DNS on LON-DC1 before adding the child domain na.adatum.com?

Question: What are the alternatives to creating a delegated subdomain record in Q1?

Question: When you are creating a forest trust, why would you create a selective trust instead of a complete trust?


Module Review and Takeaways


To design and implement a reliable and efficient AD DS environment, it is important to understand which components are required and how they interact. This module covered the constituent parts of an AD DS design and also demonstrated the different ways to deploy AD DS in a complex scenario.

The Domain Name System (DNS) is crucial to the satisfactory functioning of an AD DS system, and students saw different ways to provide robust DNS record resolution in a multi-domain situation. The different DNS resolution methods were discussed, including forwarders, conditional forwarders, delegation, secondary zones, and stub zones. Students also saw how trust relationships can provide an effective authentication mechanism in various environments.

Common Issues and Troubleshooting Tips

Common Issue                                                                    Troubleshooting Tip
------------------------------------------------------------------------------  -------------------
You receive error messages such as: DNS lookup failure, RPC server
unavailable, domain does not exist, domain controller could not be found.

User cannot be authenticated to access resources on another AD DS domain
or Kerberos realm.

Module 9
Implementing Active Directory Domain Services Sites and Replication
Contents:
Module Overview  9-1
Lesson 1: Overview of AD DS Replication  9-2
Lesson 2: Configuring AD DS Sites  9-10
Lesson 3: Configuring and Monitoring AD DS Replication  9-16
Lab: Implementing AD DS Sites and Replication  9-22
Module Review and Takeaways  9-26

Module Overview

When you deploy Active Directory Domain Services (AD DS), it is important to provide an efficient logon infrastructure and a highly available directory service. Implementing multiple domain controllers throughout the infrastructure helps you meet both of these goals. However, you must ensure that AD DS replicates Active Directory information between each domain controller in the forest. In this module, you will learn how AD DS replicates information between domain controllers within a single site and throughout multiple sites. You also will learn how to create multiple sites and monitor replication to help optimize AD DS replication and authentication traffic.

Objectives

After completing this module, you will be able to:
- Describe how AD DS replication works.
- Configure AD DS sites to help optimize authentication and replication traffic.
- Configure and monitor AD DS replication.


Lesson 1

Overview of AD DS Replication

Within an AD DS infrastructure, standard domain controllers replicate Active Directory information by using a multimaster replication model. This means that if a change is made on one domain controller, that change then replicates to all other domain controllers in the domain, and potentially to all domain controllers throughout the entire forest. This lesson provides an overview of how AD DS replicates information between both standard and read-only domain controllers (RODCs).

Lesson Objectives

After completing this lesson, you will be able to:
- Describe the AD DS partitions.
- Describe the characteristics of AD DS replication.
- Describe the replication process within a single site.
- Describe how AD DS resolves replication conflicts.
- Describe how you generate the replication topology.
- Describe how read-only domain controller replication works.
- Describe System Volume (SYSVOL) replication.

What Are AD DS Partitions?

The Active Directory data store contains information that AD DS distributes to all domain controllers throughout the forest infrastructure. Much of the information that the data store contains is distributed within a single domain. However, some information may be related to, and replicated throughout, the entire forest, regardless of the domain boundaries. To help provide replication efficiency and scalability between domain controllers, the Active Directory data is separated logically into several partitions. Each partition is a unit of replication, and each partition has its own replication topology. The default partitions include the following:

- Configuration partition. The configuration partition is created automatically when you create the first domain of a forest. The configuration partition contains information about the forest-wide AD DS structure, including which domains and sites exist and which domain controllers exist in each domain. The configuration partition also stores information about forest-wide services such as DHCP authorization and certificate templates. This partition replicates to all domain controllers in the forest.
- Schema partition. The schema partition contains definitions of all the objects and attributes that you can create in the data store, and the rules for creating and manipulating them. Schema information replicates to all domain controllers in the forest. Therefore, all objects must comply with the schema object and attribute definition rules. AD DS contains a default set of classes and attributes that you cannot modify. However, if you have Schema Admins credentials, you can extend the schema by adding new attributes and classes to represent application-specific classes. Many applications such as Microsoft Exchange Server and Microsoft System Center Configuration Manager may extend the schema to provide application-specific configuration enhancements. These changes target the domain controller that holds the forest's schema master role. Only the schema master is permitted to make additions to classes and attributes.
- Domain partition. When you create a new domain, AD DS automatically creates and replicates an instance of the domain partition to all of the domain's domain controllers. The domain partition contains information about all domain-specific objects, including users, groups, computers, organizational units (OUs), and domain-related system settings. All objects in every domain partition in a forest are stored in the global catalog, with only a subset of their attribute values.
- Application partition. The application partition stores nondomain, application-related information that may have a tendency to be updated frequently or have a specified lifetime. An application is typically programmed to determine how it stores, categorizes, and uses application-specific information stored in the Active Directory database. To prevent unnecessary replication of an application partition, you can designate which domain controllers in a forest will host the specific application partition. Unlike a domain partition, an application partition does not store security principal objects, such as user accounts. Additionally, the global catalog does not store data contained in application partitions.

Note: You can use ADSI Edit to connect to and view the partitions.
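An added example (not from the course) that makes the four partition types, the DCs that hold them and the schema master visible from PowerShell. It assumes the ActiveDirectory module on a Windows Server 2012 domain controller in the adatum.com lab forest; nothing else is assumed.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module on a DC in the adatum.com lab forest.
Import-Module ActiveDirectory

# 1. What this DC holds. namingContexts lists every partition replicated here, including DNS application partitions.
$root = Get-ADRootDSE
[PSCustomObject]@{
    Schema        = $root.schemaNamingContext
    Configuration = $root.configurationNamingContext
    Domain        = $root.defaultNamingContext
    HeldByThisDC  = ($root.namingContexts -join '; ')
}

# 2. Per-DC view across the forest: global catalogs carry the partial attribute set of every domain partition,
#    and only the DCs that list an application partition under Partitions replicate it.
Get-ADDomainController -Filter * |
    Select-Object HostName, Domain, IsGlobalCatalog, IsReadOnly, @{ n = 'Partitions'; e = { $_.Partitions -join '; ' } }

# 3. Forest-wide catalogue of partitions (the crossRef objects) with the type decoded from systemFlags:
#    FLAG_CR_NTDS_NC = 1, FLAG_CR_NTDS_DOMAIN = 2, FLAG_CR_NTDS_NOT_GC_REPLICATED = 4.
Get-ADObject -SearchBase "CN=Partitions,$($root.configurationNamingContext)" `
             -LDAPFilter '(objectClass=crossRef)' -Properties nCName, systemFlags |
    Select-Object Name, nCName, @{ n = 'Type'; e = {
        switch ($_.systemFlags -band 7) {
            3       { 'Domain' }
            1       { 'Schema or Configuration' }
            5       { 'Application (not in the global catalog)' }
            default { 'External reference' }
        } } }

# 4. Only the schema master may originate schema changes, and only Schema Admins may ask it to.
(Get-ADForest).SchemaMaster
Get-ADGroupMember -Identity 'Schema Admins' -Server (Get-ADForest).RootDomain | Select-Object Name
# Least privilege: keep this group empty and add an account only for the duration of a schema extension.

# 5. How much of an object the global catalog carries: the attributes flagged into the partial attribute set.
Get-ADObject -SearchBase $root.schemaNamingContext -Properties lDAPDisplayName `
             -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' |
    Measure-Object | Select-Object -ExpandProperty Count
```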

Characteristics of AD DS Replication

An effective AD DS replication design ensures that each partition on a domain controller is consistent with the replicas of that partition hosted on other domain controllers. Typically, not all domain controllers have exactly the same information in their replicas at any one moment because changes are occurring to the directory constantly. However, Active Directory replication ensures that all changes to a partition are transferred to all replicas of the partition. Active Directory replication balances accuracy (or integrity) and consistency (called convergence) with performance (keeping replication traffic to a reasonable level). The key characteristics of Active Directory replication are:

- Multimaster replication. Any domain controller except an RODC can initiate and commit a change to AD DS. This provides fault tolerance, and eliminates dependency on a single domain controller to maintain the operations of the directory store.
- Pull replication. A domain controller requests, or pulls, changes from other domain controllers. Even though a domain controller can notify its replication partners that it has changes to the directory, or poll its partners to see if they have changes to the directory, in the end, the target domain controller requests and pulls the changes itself.
- Store-and-forward replication. A domain controller can pull changes from one partner, and then make those changes available to another partner. For example, domain controller B can pull changes initiated by domain controller A. Then, domain controller C can pull the changes from domain controller B. This helps balance the replication load for domains that contain several domain controllers.
- Data store partitioning. A domain's domain controllers only host the domain naming context for their domain, which helps minimize replication, particularly in multidomain forests. By default, other data, including application directory partitions and the partial attribute set (global catalog), does not replicate to every domain controller in the forest.
- Automatic generation of an efficient and robust replication topology. By default, AD DS configures an effective, two-way replication topology so that the loss of one domain controller does not impede replication. AD DS automatically updates this topology as domain controllers are added, removed, or moved between sites.
- Attribute-level replication. When an attribute of an object changes, only that attribute, and minimal metadata that describes that attribute, replicates. The entire object does not replicate, except upon its initial creation.
- Distinct control of intrasite replication and intersite replication. You can control replication within a single site and between sites.
- Collision detection and management. On rare occasions, an attribute may be modified on two different domain controllers during a single replication window. If this occurs, the two changes must be reconciled. AD DS has resolution algorithms that satisfy almost all scenarios.

How AD DS Replication Works Within a Site

AD DS replication within a single site is called intrasite replication, which takes place automatically. However, you can configure it to occur manually, as necessary. The following concepts are related to intrasite replication:

- Connection objects
- The knowledge consistency checker (KCC)
- Notification
- Polling

Connection Objects

A domain controller that replicates changes from another domain controller is called a replication partner. Replication partners are linked by connection objects. A connection object represents a replication path from one domain controller to another. Connection objects are one-way, representing inbound-only pull replication. To view and configure connection objects, open Active Directory Sites and Services, and then select the NTDS Settings container of a domain controller's server object. You can force replication between two domain controllers by right-clicking the connection object, and then selecting Replicate Now. Note that replication is inbound-only, so if you want to replicate both domain controllers, you need to replicate the inbound connection object of each domain controller.

The Knowledge Consistency Checker

The replication paths built between domain controllers by connection objects create the forest's replication topology. You do not have to create the replication topology manually. By default, AD DS creates a topology that ensures effective replication. The topology is two-way, which means that if any one domain controller fails, replication continues uninterrupted. The topology also ensures that there are no more than three hops between any two domain controllers.

On each domain controller, a component of AD DS called the knowledge consistency checker (KCC) helps generate and optimize the replication automatically between domain controllers within a site. The KCC evaluates the domain controllers in a site, and then creates connection objects to build the two-way, three-hop topology described earlier. If you add or remove a domain controller, or if a domain controller is not responsive, the KCC rearranges the topology dynamically, adding and deleting connection objects to rebuild an effective replication topology. The KCC runs at specified intervals (every 15 minutes by default) and designates replication routes between domain controllers that are the most favorable connections available at the time. You can create connection objects manually to specify replication paths that should persist. However, creating a connection object manually is not typically required or recommended because the KCC does not verify or use the manual connection object for failover. The KCC will also not remove manual connection objects, which means that you must delete connection objects that you create manually.


Notification

When a change is made to an Active Directory partition on a domain controller, the domain controller queues the change for replication to its partners. By default, the source server waits 15 seconds to notify its first replication partner of the change. Notification is the process by which an upstream partner informs its downstream partners that a change is available. By default, the source domain controller then waits three seconds between notifications to additional partners. These delays, called the initial notification delay and the subsequent notification delay, are designed to stagger the network traffic that intrasite replication can cause. Upon receiving the notification, the downstream partner requests the changes from the source domain controller, and the directory replication agent pulls the changes from the source domain controller. For example, suppose domain controller DC01 makes an initial change to AD DS. DC01 is the originating domain controller, and the change it makes is the originating update. When DC02 receives the change from DC01, it makes the change to its directory. DC02 then queues the change for replication to its own downstream partners.

Then, suppose DC03 is a downstream replication partner of DC02. After 15 seconds, DC02 notifies DC03 that it has a change. DC03 makes the replicated change to its directory, and then notifies its downstream partners. The change has made two hops, from DC01 to DC02, and then from DC02 to DC03. The replication topology ensures that no more than three hops occur before all domain controllers in the site receive the change. At approximately 15 seconds per hop, the change fully replicates in the site within one minute.

Polling

At times, a domain controller may not make any changes to its replicas for an extended time, particularly during off hours. Suppose this is the case with DC01. This means that DC02, its downstream replication partner, will not receive notifications from DC01. DC01 also might be offline, which would prevent it from sending notifications to DC02. It is important for DC02 to know that its upstream partner is online and simply does not have any changes. This is achieved through a process called polling. During polling, the downstream replication partner contacts the upstream replication partner with queries as to whether any changes are queued for replication. By default, the polling interval for intrasite replication is once per hour. You can configure the polling frequency from a connection object's properties by clicking Change Schedule, although we do not recommend it. If an upstream partner fails to respond to repeated polling queries, the downstream partner launches the KCC to check the replication topology. If the upstream server is indeed offline, the KCC rearranges the site's replication topology to accommodate the change.
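Connection objects, the KCC, the notification delays and the Replicate Now action described in this topic all have command-line equivalents. The following is an added example (not course content); it assumes the ActiveDirectory module, repadmin, and two adatum.com domain controllers, LON-DC1 from the lab and a hypothetical LON-DC2, plus a constructed test user.

```powershell
# Added example, not from the course. Assumes two adatum.com DCs: LON-DC1 (lab) and a hypothetical LON-DC2.
Import-Module ActiveDirectory

# 1. Connection objects are inbound-only and live under the destination DC's NTDS Settings.
#    AutoGenerated = True means the KCC owns the object and removes it when the topology changes;
#    a manual one (AutoGenerated = False) is never reclaimed, which is why the text warns against them.
Get-ADReplicationConnection -Filter * -Server LON-DC2 |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated

# 2. Run the KCC now instead of waiting for its 15-minute cycle (for example after a DC was removed).
repadmin /kcc LON-DC2

# 3. Per-partner, per-partition state: last successful pull, its result, and consecutive failures.
Get-ADReplicationPartnerMetadata -Target LON-DC2 -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# 4. "Replicate Now" without the console: pull the domain partition into LON-DC2 from LON-DC1.
#    Replication is pull-only, so the reverse direction is a separate command.
repadmin /replicate LON-DC2 LON-DC1 'DC=adatum,DC=com'
repadmin /replicate LON-DC1 LON-DC2 'DC=adatum,DC=com'
# A single object (for example an account that was just disabled) can be pulled on its own,
# the same replicate-single-object mechanism an RODC uses:
Sync-ADObject -Object 'CN=Alice,OU=IT,DC=adatum,DC=com' -Source LON-DC1 -Destination LON-DC2

# 5. The 15 s / 3 s notification delays are per partition, stored on its crossRef object (seconds; unset = defaults).
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Partitions,$cfg" -LDAPFilter '(nCName=DC=adatum,DC=com)' `
    -Properties 'msDS-Replication-Notify-First-DSA-Delay', 'msDS-Replication-Notify-Subsequent-DSA-Delay'

# 6. Domain-wide summary, and partners that have stopped answering (the polling case in the text).
repadmin /replsummary
Get-ADReplicationFailure -Target 'adatum.com' -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
```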


Resolving Replication Conflicts

Because AD DS supports a multimaster replication model, replication conflicts may occur. Typically, there are three types of replication conflicts that may occur in AD DS:

- Simultaneously modifying the same attribute value of the same object on two domain controllers.
- Adding or modifying the same object on one domain controller at the same time that the container object for the object is deleted on another domain controller.
- Adding objects with the same relative distinguished name into the same container.

To help minimize conflicts, all domain controllers in the forest record and replicate object changes at the attribute level rather than at the object level. Therefore, changes to two different attributes of an object, such as the user's password and postal code, do not cause a conflict even if you change them at the same time from different locations.

When an originating update is applied to a domain controller, a stamp is created that travels with the update as it replicates to other domain controllers. The stamp contains the following components:

- Version number. The version number starts at one for each object attribute, and increases by one for each update. When performing an originating update, the version of the updated attribute is one number higher than the version of the attribute that is being overwritten.
- Timestamp. The timestamp is the update's originating time and date according to the system clock of the domain controller where the change is made.
- Server globally unique identifier (GUID). The server GUID identifies the domain controller that performed the originating update.

Resolving Replication Conflicts

The table below outlines several conflicts and how AD DS resolves the issue:

Conflict: Attribute value
Resolution: The update with the higher version number wins. If the version number value is the same, but the attribute value is different, then the timestamp is evaluated. The update operation that has the higher stamp value replaces the attribute value of the update operation with the lower stamp value. If the timestamps are also identical, the update from the domain controller with the higher server GUID wins.

Conflict: Add or move under a deleted container object, or the deletion of a container object
Resolution: After resolution occurs at all replicas, AD DS deletes the container object, and the leaf object is made a child of the domain's special LostAndFound container. Stamps are not involved in this resolution.

Conflict: Adding objects with the same relative distinguished name
Resolution: The object with the larger stamp keeps the relative distinguished name. AD DS assigns the sibling object a unique relative distinguished name. The name assignment is the original relative distinguished name + a reserved character (a line feed, 0x0A) + "CNF:" + the object's GUID. This name assignment ensures that the generated name does not conflict with any other object's name.
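The stamp components above can be read directly from each replica, and an attribute-value conflict can be produced on purpose to watch the resolution happen. This is an added example, not course content; it assumes the ActiveDirectory module, two adatum.com domain controllers (LON-DC1 from the lab and a hypothetical LON-DC2), and a constructed test account CN=Alice,OU=IT,DC=adatum,DC=com. Run the conflict part only in a lab.

```powershell
# Added example, not from the course. Lab only: it deliberately creates a replication conflict.
# Assumes adatum.com DCs LON-DC1 and a hypothetical LON-DC2, and the constructed test user below.
Import-Module ActiveDirectory
$dn  = 'CN=Alice,OU=IT,DC=adatum,DC=com'
$dcs = 'LON-DC1', 'LON-DC2'

function Show-Stamp([string] $Attribute) {
    # The three stamp components as stored on each replica: version, originating time, originating DC.
    foreach ($dc in $dcs) {
        Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties $Attribute |
            Select-Object @{ n = 'Replica'; e = { $dc } }, AttributeName, Version,
                          LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
    }
}
Show-Stamp -Attribute postalCode      # note the current Version, call it n

# Same attribute, same object, two DCs, one replication window: both sides originate version n+1.
Set-ADUser -Identity $dn -Server LON-DC1 -PostalCode '10001'
Start-Sleep -Seconds 2                # make the second write measurably later
Set-ADUser -Identity $dn -Server LON-DC2 -PostalCode '20002'

# Let each side pull the other's change. Equal versions, so the later timestamp wins on both replicas.
Sync-ADObject -Object $dn -Source LON-DC1 -Destination LON-DC2
Sync-ADObject -Object $dn -Source LON-DC2 -Destination LON-DC1
Show-Stamp -Attribute postalCode      # same Version on both; originating DC is LON-DC2 on both
foreach ($dc in $dcs) { (Get-ADUser -Identity $dn -Server $dc -Properties postalCode).postalCode }   # 20002 twice

# Name conflicts: the loser is renamed "<RDN>" + line feed (0x0A) + "CNF:" + GUID. Search for that marker.
Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -Properties whenChanged |
    Select-Object DistinguishedName, ObjectClass, whenChanged

# Orphans from the "container deleted" case land in LostAndFound, with a pointer to where they were.
Get-ADObject -SearchBase "CN=LostAndFound,$((Get-ADDomain).DistinguishedName)" -SearchScope OneLevel `
             -Filter * -Properties lastKnownParent |
    Select-Object Name, ObjectClass, lastKnownParent
```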


How Replication Topology Is Generated

Replication topology is the route by which replication data travels through a network. To create a replication topology, AD DS must determine which domain controllers replicate data with other domain controllers. AD DS creates a replication topology based on the information that AD DS contains. Because each AD DS partition may be replicated to different domain controllers in a site, the replication topology can differ for schema, configuration, domain, and application partitions.

Because all domain controllers within a forest share the schema and configuration partitions, AD DS replicates the schema and configuration partitions to all domain controllers. Domain controllers in the same domain also replicate the domain partition. Additionally, domain controllers that host an application partition also replicate the application partition. To optimize replication traffic, a domain controller may have several replication partners for different partitions. In a single site, the replication topology will be fault tolerant and redundant. This means that if the site contains more than two domain controllers, each domain controller will have at least two replication partners for each AD DS partition.

How the Schema and Configuration Partitions Are Replicated

Replication of the schema and configuration partitions follows the same process as all other directory partitions. However, because these partitions are forest-wide rather than domain-wide, connection objects for these partitions may exist between any two domain controllers regardless of the domain controllers' domain. Furthermore, the replication topology for these partitions includes all domain controllers in the forest.

How the Global Catalog Affects Replication

The configuration partition contains information about the site topology and other global data for all domains that are members of the forest. AD DS replicates the configuration partition to all domain controllers through normal forest-wide replication. Each global catalog server obtains domain information by contacting a domain controller for that domain and obtaining the partial replica information. The configuration partition also provides the domain controllers with a list of the forest's global catalog servers. Global catalog servers register DNS service records in the DNS zone that corresponds to the forest root domain. These records, which are registered only in the forest root DNS zone, help clients and servers locate global catalog servers throughout the forest to provide client logon services.

How RODC Replication Works

As previously mentioned, domain controllers replicate data by pulling changes from other originating domain controllers. An RODC does not allow any non-replicated changes to be written to its database and never replicates any information out to other domain controllers. Since changes are never written to an RODC directly, other domain controllers do not have to pull directory changes from an RODC. Restricting RODCs from originating changes prevents any changes or corruption that a malicious user or application might make from replicating to the rest of the forest.

When a user or application attempts to perform a write request to an RODC, one of the following actions typically occurs:

- The RODC forwards the write request to a writable domain controller, and the result is then replicated back to the RODC. Examples of this type of request include password changes, service principal name (SPN) updates, and computer\domain member attribute changes.
- The RODC responds to the client and provides a referral to a writable domain controller. The application can then communicate directly with a writable domain controller. Lightweight Directory Access Protocol (LDAP) and DNS record updates are examples of acceptable RODC referrals.
- The write operation fails because it is not referred or forwarded to a writable domain controller. Remote procedure call (RPC) writes are an example of communication that may be prohibited from referral or forwarding to another domain controller.

When you implement an RODC, the KCC detects that the domain controller is configured with a read-only replica of all applicable domain partitions. Because of this, the KCC creates one-way only connection objects from one or more source Windows Server 2008 or higher domain controllers to the RODC.

For some tasks, an RODC performs inbound replication using a replicate-single-object (RSO) operation. This is initiated on demand outside of the standard replication schedule. These tasks include:

- Password changes.
- DNS updates when a client is referred to a writable DNS server by the RODC. The RODC then attempts to pull the changes back using an RSO operation. This only occurs for Active Directory-integrated DNS zones.
- Updates for various client attributes including client name, DnsHostName, OsName, OsVersionInfo, supported encryption types, and the LastLogonTimeStamp attribute.
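An added example (not course content) that checks the RODC properties this topic describes: inbound-only connection objects, refusal of local writes, the password replication policy that limits which secrets the RODC may cache, and a manual RSO pull. It assumes the ActiveDirectory module, repadmin, LON-DC1 from the lab, and a hypothetical RODC named LON-RODC1 in adatum.com.

```powershell
# Added example, not from the course. Assumes a hypothetical RODC LON-RODC1 and the writable DC LON-DC1 in adatum.com.
Import-Module ActiveDirectory
$rodc = 'LON-RODC1'

# 1. Find the RODCs and confirm each one's connection objects point *into* it from writable DCs.
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object HostName, Site, OperatingSystem
Get-ADReplicationConnection -Filter * -Server $rodc |
    Select-Object ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated

# 2. Nothing replicates out of an RODC: no writable DC should list it as a replication source.
Get-ADDomainController -Filter { IsReadOnly -eq $false } | ForEach-Object {
    Get-ADReplicationConnection -Filter * -Server $_.HostName |
        Where-Object ReplicateFromDirectoryServer -like "*$rodc*"
}                                        # expected output: nothing

# 3. A directory write aimed at the RODC is not performed locally; the RODC answers with a referral,
#    which the AD module surfaces as an error. A compromised RODC therefore cannot originate changes.
try   { Set-ADUser -Identity 'alice' -Server $rodc -Description 'written via RODC' }
catch { "Write refused by $rodc : $($_.Exception.Message)" }

# 4. Password replication policy: whose secrets may be cached on this RODC, whose never may be,
#    and which accounts it has actually authenticated (the set exposed if the box is stolen).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object Name, ObjectClass

# 5. Pre-populate one user's secret on the RODC: an RSO pull from a writable DC, outside the schedule.
repadmin /rodcpwdrepl $rodc LON-DC1 'CN=Alice,OU=IT,DC=adatum,DC=com'
```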

How SYSVOL Replication Works

The SYSVOL is a collection of files and folders on each domain controller that is linked to the %SystemRoot%\SYSVOL location. SYSVOL contains logon scripts and objects related to Group Policy such as Group Policy templates. The contents of the SYSVOL folder replicate to every domain controller in the domain using the connection object topology and schedule that the KCC creates.

Depending on the domain controller operating system version, the domain's functional level, and the migration status of SYSVOL, either the File Replication Service or Distributed File System Replication replicates SYSVOL changes between domain controllers. The File Replication Service was used primarily in Windows Server 2003 R2 and older domain structures. The File Replication Service has limitations in both capacity and performance, which has led to the adoption of Distributed File System Replication. In Windows Server 2008 and newer domains, you can use Distributed File System Replication to replicate the contents of SYSVOL. Distributed File System Replication supports replication scheduling and bandwidth throttling, and it uses a compression algorithm known as Remote Differential Compression (RDC). Using RDC, Distributed File System Replication replicates only the differences (or changes within files) between the two servers, resulting in lower bandwidth use during replication.


Note: You can use the dfsrmig.exe tool to migrate SYSVOL replication from the File Replication Service to Distributed File System Replication. For the migration to succeed, the domain functional level must be at least Windows Server 2008.
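An added example (not course content) that determines which engine is replicating SYSVOL on a domain controller, checks the functional-level prerequisite in the note, and walks the dfsrmig.exe migration one state at a time. It assumes a Windows Server 2012 domain controller in adatum.com with the ActiveDirectory module.

```powershell
# Added example, not from the course. Assumes a Windows Server 2012 DC in adatum.com with the ActiveDirectory module.
Import-Module ActiveDirectory

# Prerequisite from the note: domain functional level Windows Server 2008 or higher.
(Get-ADDomain).DomainMode

# Global migration state: 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFSR only).
dfsrmig /getglobalstate
dfsrmig /getmigrationstate      # has every DC in the domain reached the global state yet?

# Which service is doing the work right now? NtFrs = File Replication Service, DFSR = DFS Replication.
Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue | Select-Object Name, Status

# Where the SYSVOL share points: SYSVOL\sysvol under FRS, SYSVOL_DFSR\sysvol once redirected to DFSR.
Get-SmbShare -Name SYSVOL | Select-Object Name, Path

# Migrate one state at a time and wait for /getmigrationstate to report all DCs at that state before the next.
# dfsrmig /setglobalstate 1    # Prepared: DFSR builds SYSVOL_DFSR alongside the FRS copy
# dfsrmig /setglobalstate 2    # Redirected: the SYSVOL share is now served from SYSVOL_DFSR
# dfsrmig /setglobalstate 3    # Eliminated: FRS is removed; there is no way back from this state

# Afterwards, DFSR's own view of the SYSVOL replicated folder on this DC (State 4 = Normal, 5 = In Error).
Get-WmiObject -Namespace root\MicrosoftDFS -Class DfsrReplicatedFolderInfo |
    Select-Object ReplicatedFolderName, State
```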


Lesson 2

Configuring AD DS Sites

Within a single site, AD DS replication occurs automatically without regard for network utilization. However, some organizations have multiple locations that are connected by wide area network (WAN) connections. If this is the case, you must ensure that AD DS replication does not impact utilization negatively between locations. You also may need to localize network services to a specific location. For example, you may want users at a branch office to authenticate to a domain controller located in their local office, rather than over the WAN connection to a domain controller located in the main office. You can implement AD DS sites to help manage bandwidth over slow or unreliable network connections, and to assist in service localization for authentication as well as many other site-aware services on the network.

Lesson Objectives

After completing this lesson, you will be able to:
- Describe AD DS sites.
- Explain why organizations might implement additional sites.
- Configure additional AD DS sites.
- Describe how AD DS replication works between sites.
- Describe the Inter-site Topology Generator.
- Describe how Service Locator (SRV) records are used to locate domain controllers.
- Describe how client computers locate domain controllers.

What Are AD DS Sites?


To most administrators, a site is a physical location, an office, or a city, typically separated by a WAN connection. These sites are physically connected by network links that might be as basic as dial-up connections or as sophisticated as fiber links. Together, the physical locations and links make up the physical network infrastructure. AD DS represents the physical network infrastructure with objects called sites. AD DS site objects are stored in the Configuration container (CN=Sites,CN=Configuration,DC=forest root domain) and are used to achieve two primary service management tasks:

• Manage replication traffic. Typically, there are two types of network connections within an enterprise environment: highly connected and less highly connected. Conceptually, a change made to AD DS should replicate immediately to other domain controllers within the highly connected network in which the change was made. However, you might not want the change to replicate immediately over a slower, more expensive, or less reliable link to another site. Instead, to optimize performance, reduce costs, and manage bandwidth, you can manage replication over the less highly connected segments of your enterprise. An Active Directory site represents a highly connected portion of your enterprise. When you define a site, the domain controllers within the site replicate changes almost instantly. However, you can manage and schedule replication between sites as needed.

• Provide service localization. Active Directory sites help you localize services, including those provided by domain controllers. During logon, Windows clients are automatically directed to domain controllers in their sites. If domain controllers are not available in their sites, they are directed to domain controllers in the nearest site that can authenticate the client efficiently. Many other services, such as replicated Distributed File System (DFS) resources, are also site-aware to ensure that users are directed to a local copy of the resource.

What Are Subnet Objects?

Subnet objects identify the network addresses that map computers to AD DS sites. A subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Because the subnet objects map to the physical network, so do the sites. A site can consist of one or more subnets. For example, if your network has three subnets in New York and two in London, you can create a site in New York and one in London, respectively, and then add the subnets to the respective sites.

Note: When designing your AD DS site configuration, it is critical that you correctly map IP subnets to sites. Likewise, if the underlying network configuration changes, you must ensure that these changes are updated to reflect the current IP subnet to site mapping. Domain controllers use the IP subnet information in AD DS to map client computers and servers to the correct AD DS site. If this mapping is not accurate, AD DS operations such as logon traffic and applying Group Policies are likely to happen across WAN links and may be disrupted.

Default First Site

AD DS creates a default site when you install a forest's first domain controller. By default, this site is called Default-First-Site-Name. You can rename this site to a more descriptive name. When you install the forest's first domain controller, AD DS places it in the default site automatically. If you have a single site, it is not necessary to configure subnets or additional sites, since all machines will be covered by the Default-First-Site-Name default site. However, multiple sites need to have subnets associated with them as needed.

Why Implement Additional Sites?


Every Active Directory forest includes at least one site. You should create additional sites when:
• A slow link separates part of the network. As previously mentioned, a site is characterized by a location with fast, reliable, inexpensive connectivity. If two locations are connected by a slow link, you should configure each location as a separate AD DS site. A slow link typically is one that has a connection of less than 512 kilobits per second (Kbps).

• A part of the network has enough users to warrant hosting domain controllers or other services in that location. Concentrations of users can also influence your site design. If a network location has a sufficient number of users for whom the inability to authenticate would be problematic, place a domain controller in the location to support authentication within the location. After you place a domain controller or other distributed service in a location that will support those users, you might want to manage Active Directory replication to the location or localize service use by configuring an Active Directory site to represent the location.
• You want to control service localization. By establishing AD DS sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on WAN connections. In most scenarios, each site will contain a domain controller. However, you might configure sites to localize services other than authentication, such as Distributed File System, BranchCache, and Exchange Server services. In this case, some sites might be configured without a domain controller present in the site.
• You want to control replication between domain controllers. There may be scenarios in which two well-connected domain controllers are allowed to communicate only at certain times of the day. Creating sites allows you to control how and when replication takes place between domain controllers.

Demonstration: Configuring AD DS Sites


In this demonstration, you will see how to configure AD DS sites.

Demonstration Steps


1. From Server Manager, open Active Directory Sites and Services.
2. Rename the Default-First-Site-Name site, as needed.
3. Right-click the Sites node, and then click New Site. Specify a name, and then associate the new site with the default site link.
4. Create additional sites, as needed.
5. In the navigation pane, right-click Subnets, and then click New Subnet.
6. Provide the prefix, and then associate the IP prefix to an available site object.
7. If required, move a domain controller to the new site.
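The same procedure, as an added example that is not part of the course, performed with the ActiveDirectory PowerShell module instead of the Sites and Services console. It also includes the check the Note in the subnet section calls for: finding sites that have no subnet mapped to them. The site names HQ, SEA, AMS and PEK, the IP prefixes and the server name SEA-DC1 are placeholders chosen for this example.

```powershell
# Added example, not part of the course text: the demonstration steps done with
# the ActiveDirectory module. Site names, prefixes and SEA-DC1 are placeholders.
Import-Module ActiveDirectory

# Steps 1-2: rename the default site so its name reflects the physical location.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'HQ' }

# Steps 3-4: create the branch sites. New-ADReplicationSite does not place a
# site on a site link, so attach each one to the default link explicitly.
foreach ($site in 'SEA', 'AMS', 'PEK') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $site }
    }
}

# Steps 5-6: subnet objects. The prefix is the object name and the Site
# property maps it; IPv4 and IPv6 prefixes are both accepted.
$subnets = @{
    '10.10.0.0/16'    = 'HQ'
    '10.20.0.0/24'    = 'SEA'
    '192.168.50.0/24' = 'AMS'
    '2001:db8:1::/64' = 'PEK'
}
foreach ($prefix in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix] -Location $subnets[$prefix]
    }
}

# Step 7: move a domain controller into the site it physically serves.
Move-ADDirectoryServer -Identity 'SEA-DC1' -Site 'SEA'

function Get-UnmappedSite {
    # A site with no subnet can never be matched to a client address, so
    # clients in that location get an arbitrary DC and their logon and Group
    # Policy traffic crosses the WAN.
    $mappedSites = (Get-ADReplicationSubnet -Filter * -Properties Site).Site
    Get-ADReplicationSite -Filter * |
        Where-Object { $_.DistinguishedName -notin $mappedSites } |
        Select-Object Name, DistinguishedName
}

Get-UnmappedSite
# Per-DC view of the result: which site each domain controller now belongs to.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IPv4Address
```

Run Get-UnmappedSite again whenever the network team changes addressing; an unmapped site is the usual cause of branch clients silently authenticating over the WAN.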

How Replication Works Between Sites


The main characteristics or assumptions about replication within sites are:
• The network connections within a site are reliable, cheap, and have sufficient available bandwidth.
• Replication traffic within a site is not compressed, because a site assumes fast, highly reliable network connections. Not compressing replication traffic helps reduce the processing load on the domain controllers. However, uncompressed traffic may increase network bandwidth use.
• A change notification process initiates replication within a site.


The main characteristics or assumptions about replication between sites are:

• The network links between sites have limited available bandwidth, may have a higher cost, and may not be reliable.
• Replication traffic between sites can be designed to optimize bandwidth by compressing all replication traffic. Replication traffic is compressed to 10 to 15 percent of its original size before it is transmitted. Although compression optimizes network bandwidth, it imposes an additional processing load on domain controllers when they compress and decompress replication data.

• Replication between sites occurs automatically after you have defined configurable values, such as a schedule or a replication interval. You can schedule replication for inexpensive or off-peak hours. By default, changes are replicated between sites according to a schedule that you define, and not according to when changes occur. The schedule determines when replication can occur. The interval specifies how often domain controllers check for changes during the time that replication can occur.

What Is the Inter-Site Topology Generator?


When you configure multiple sites, the KCC on one domain controller in each site is designated as the site's Inter-Site Topology Generator (ISTG). There is only one ISTG per site, regardless of how many domains or other directory partitions the site has. The ISTG is responsible for calculating the site's ideal replication topology.

When you add a new site to the forest, each site's ISTG determines which directory partitions are present in the new site. The ISTG then calculates how many new connection objects are necessary to replicate the new site's required information. In some networks, you might want to specify that only certain domain controllers are responsible for intersite replication. You can do this by specifying bridgehead servers. The bridgehead servers are responsible for all replication into, and out of, the site. The ISTG creates the required connection agreement in its directory, and this information is then replicated to the bridgehead server. The bridgehead server then creates a replication connection with the bridgehead server in the remote site, and replication begins. If a replication partner becomes unavailable, the ISTG automatically selects another domain controller, if possible. If bridgehead servers have been manually assigned, and they become unavailable, the ISTG will not automatically select other servers.

The ISTG selects bridgehead servers automatically, and creates the intersite replication topology to ensure that changes replicate effectively between bridgeheads sharing a site link. Bridgeheads are selected per partition, so it is possible that one domain controller in a site might be the bridgehead server for the schema, while another is for the configuration. However, you usually will find that one domain controller is the bridgehead server for all partitions in a site, unless there are domain controllers from other domains or application directory partitions. In this scenario, bridgeheads will be chosen for those partitions.


Overview of SRV Records for Domain Controllers


When you add a domain controller to a domain, the domain controller advertises its services by creating SRV records (also known as locator records) in DNS. Unlike host A records, which map host names to IP addresses, SRV records map services to host names. For example, to publish its ability to provide authentication and directory access, a domain controller registers Kerberos version 5 protocol and LDAP SRV records. These SRV records are added to several folders within the forest's DNS zones.

Under the domain zone, a folder exists that is named _tcp. This folder contains the SRV records for all domain controllers in the domain. Additionally, under the domain zone exists a folder called _sites, which contains subfolders for each site configured in the domain. Each site-specific folder contains SRV records that represent services available in the site. For example, if a domain controller is located in a site, an SRV record will be located at the path _sites\sitename\_tcp, where sitename is the name of the site. A typical SRV record contains the following information:

• The service name and port. This portion of the SRV record indicates a service with a fixed port. It does not have to be a well-known port. SRV records in Windows Server 2012 include LDAP (port 389), Kerberos (port 88), Kerberos Password protocol (KPASSWD, port 464), and global catalog services (port 3268).

• Protocol. TCP or UDP is indicated as the transport protocol for the service. The same service can use both protocols in separate SRV records. Kerberos records, for example, are registered for both TCP and UDP. Microsoft clients use only TCP, but UNIX clients can use both UDP and TCP.
• Host name. The host name corresponds to the A record for the server hosting the service. When a client queries for a service, the DNS server returns the SRV record and the associated A records, so the client does not need to submit a separate query to resolve the IP address of a service.

The service name in an SRV record follows the standard DNS hierarchy with components separated by dots. For example, a domain controller's Kerberos service is registered as _kerberos._tcp.sitename._sites.domainname, where:
• domainname: The domain or zone, for example contoso.com
• _sites: All sites registered with DNS
• sitename: The site of the domain controller registering the service
• _tcp: Any TCP-based services in the site
• _kerberos: A Kerberos Key Distribution Center (KDC) that uses TCP as its transport protocol


How Client Computers Locate Domain Controllers Within Sites


When you join a Windows client to a domain and restart it, it goes through a domain controller location and registration process. The goal of this registration process is to locate the domain controller with the most efficient and closest location to the client's location, based on IP subnet information. The process for locating a domain controller is:
1. The new client queries for all domain controllers in the domain. As the new domain client restarts, it receives an IP address from a DHCP server, and is ready to authenticate to the domain. However, the client does not know where to find a domain controller. Therefore, the client queries for a domain controller by querying the _tcp folder, which contains the SRV records for all domain controllers in the domain.
2. The client attempts an LDAP ping to all domain controllers in sequence. DNS returns a list of all matching domain controllers, and the client attempts to contact all of them on its first startup.
3. The first domain controller responds. The first domain controller that responds to the client examines the client's IP address, cross-references that address with subnet objects, and informs the client of the site to which the client belongs. The client stores the site name in its registry, and then queries for domain controllers in the site-specific _tcp folder.
4. The client queries for all domain controllers in the site. DNS returns a list of all domain controllers in the site.
5. The client attempts an LDAP ping sequentially to all domain controllers in the site. The domain controller that responds first authenticates the client.
6. The client forms an affinity. The client forms an affinity with this domain controller, and then attempts to authenticate with the same domain controller in the future. If the domain controller is unavailable, the client queries the site's _tcp folder again, and again attempts to bind with the first domain controller that responds in the site.

If the client moves to another site, as in the case of a mobile computer, the client attempts to authenticate to its preferred domain controller. The domain controller notices that the client's IP address is associated with a different site, and then refers the client to the new site. The client then queries DNS for domain controllers in the local site.

Automatic Site Coverage

As mentioned previously, you can configure sites to direct users to local copies of replicated resources, such as shared folders replicated within a DFS namespace. There may be scenarios in which you only require service localization, with no need for a domain controller located within the site. In this case, a nearby domain controller will register its SRV records in the site by using a process called site coverage. A site without a domain controller generally is covered by a domain controller in the site with the lowest site-link cost to the site that requires coverage. You also can configure site coverage and SRV record priority manually if you want to control authentication in sites without domain controllers.

Additional Reading: For more information about how site coverage is evaluated, see: http://go.microsoft.com/fwlink/?LinkId=168550.
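The following added example, not part of the course text, ties the three preceding topics together: it reads the SRV records described in the SRV overview, replays the locator steps a client goes through (including the site name the first domain controller hands back), and shows which domain controller is covering a site that has no domain controller of its own. It assumes the DnsClient and ActiveDirectory modules of Windows Server 2012, and uses contoso.com with the sites SEA and AMS as placeholder names.

```powershell
# Added example, not part of the course text. contoso.com, SEA and AMS are placeholders.
Import-Module ActiveDirectory
$domain = 'contoso.com'

# Locator step 1: every DC in the domain, from the domain-wide _tcp folder.
# Resolve-DnsName also returns the associated A records, so keep only the SRV rows.
Resolve-DnsName -Name "_ldap._tcp.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight

# Locator step 4: only the DCs registered under the client's own site.
Resolve-DnsName -Name "_kerberos._tcp.SEA._sites.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port

# The _msdcs zone carries the same hierarchy keyed by role: dc, gc (port 3268), pdc.
Resolve-DnsName -Name "_ldap._tcp.AMS._sites.dc._msdcs.$domain" -Type SRV
Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$domain" -Type SRV

# Locator step 3: the site name the first DC handed back is stored under
# DynamicSiteName; nltest prints the same value and can rerun the whole locator.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $netlogon -Name DynamicSiteName -ErrorAction SilentlyContinue |
    Select-Object DynamicSiteName
nltest /dsgetsite
nltest "/dsgetdc:$domain" /force     # ignore the cached affinity and locate again

function Get-SiteCoverage {
    # Site coverage: if a site has no DC, the DC that registered the site's SRV
    # records sits in another site. Compare the registered targets with the
    # DCs whose Site attribute actually points at this site.
    param([Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)][string]$DomainName)

    $records = Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $resident = @((Get-ADDomainController -Filter "Site -eq '$SiteName'").HostName)
    foreach ($r in $records) {
        [pscustomobject]@{
            Site       = $SiteName
            Registered = $r.NameTarget
            Priority   = $r.Priority
            Covering   = ($r.NameTarget -notin $resident)   # $true: registered from another site
        }
    }
}

Get-SiteCoverage -SiteName 'AMS' -DomainName $domain
```

If Get-SiteCoverage reports a covering DC you did not expect, the site-link costs are steering clients to the wrong hub; fix the costs rather than the records, since the covering DC re-registers them on every Netlogon refresh.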


Lesson 3

Configuring and Monitoring AD DS Replication

After you configure the sites that represent your network infrastructure, the next step is to determine if any additional site links are necessary to help control AD DS replication. AD DS provides several options that you can configure to control how replication occurs over site links. You also need to understand the tools that you can use to monitor and manage replication in an AD DS network environment.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe AD DS site links.
• Explain the concept of site link bridging.
• Describe Universal Group Membership caching.
• Describe how to control intersite replication.
• Configure AD DS intersite replication.
• Describe options for configuring password replication policies for RODCs.
• Configure password replication policies.
• Describe tools used for monitoring and managing replication.

What Are AD DS Site Links?


For two sites to exchange replication data, a site link must connect them. A site link is a logical path that the KCC/ISTG uses to establish replication between sites. When you create additional sites, you must select at least one site link that will connect the new site to an existing site. Unless a site link is in place, the KCC cannot make connections between computers at different sites, nor can replication occur between sites.

The important thing to remember about a site link is that it represents an available path for replication. A single site link does not control the network routes that are used. When you create a site link and add sites to it, you are telling AD DS that it can replicate between any of the sites associated with the site link. The ISTG creates connection objects, and those objects will determine the actual replication path. Although the replication topology that the ISTG builds does replicate AD DS effectively, it might not be efficient, given your network topology.

To better understand this concept, consider the following example. When you create a forest, one site link object is created: DEFAULTIPSITELINK. By default, each new site that you add is associated with the DEFAULTIPSITELINK. Consider an organization with a data center at the headquarters and three branch offices. The three branch offices are each connected to the data center with a dedicated link. You create sites for each branch office: Seattle (SEA), Amsterdam (AMS), and Beijing (PEK). Each of the sites, including headquarters, is associated with the DEFAULTIPSITELINK site link object. Because all four sites are on the same site link, you are instructing AD DS that all four sites can replicate with each other. That means that Seattle may replicate changes from Amsterdam; Amsterdam may replicate changes from Beijing; and Beijing may replicate changes from the headquarters, which in turn replicates changes from Seattle. In several of these replication paths, the replication traffic on the network flows from one branch through the headquarters on its way to another branch. With a single site link, you do not create a hub-and-spoke replication topology even though your network topology is hub-and-spoke.

To align your network topology with Active Directory replication, you must create specific site links. That is, you can manually create site links that reflect your intended replication topology. Continuing the preceding example, you would create three site links as follows:
• HQ-AMS includes the Headquarters and Amsterdam sites.
• HQ-SEA includes the Headquarters and Seattle sites.
• HQ-PEK includes the Headquarters and Beijing sites.

After you create site links, the ISTG will use the topology to build an intersite replication topology that connects each site, and then creates connection objects automatically to configure the replication paths. As a best practice, you should set up your site topology correctly and avoid creating connection objects manually.

What Is Site Link Bridging?


After you have created site links and the ISTG generates connection objects to replicate partitions between domain controllers that share a site link, your work might be complete. In many environments, particularly those with straightforward network topologies, site links might be sufficient to manage intersite replication. In more complex networks, however, you can configure additional components and replication properties.

Automatic Site Link Bridging

By default, all site links are bridged. For example, if the Amsterdam and Headquarters sites are linked, and the Headquarters and Seattle sites are linked, Amsterdam and Seattle are linked with a higher cost. This means, theoretically, that the ISTG could create a connection object directly between a domain controller in Seattle and a domain controller in Amsterdam when a domain controller is not available at the headquarters for replication, again working around the hub-and-spoke network topology.

You can disable automatic site-link bridging by opening the properties of the IP transport in the Inter-Site Transports container, and then clearing the Bridge All Site Links check box. Before you do this in a production environment, read the technical resources about replication in the Windows Server technical libraries on Microsoft TechNet at http://technet.microsoft.com.

Site Link Bridges

A site link bridge connects two or more site links in a way that creates a transitive link. Site link bridges are necessary only when you have cleared the Bridge All Site Links check box for the transport protocol. Remember that automatic site-link bridging is enabled by default, in which case site link bridges are not required.

The figure on the slide illustrates the use of a site link bridge in a forest in which automatic site-link bridging has been disabled. By creating a site link bridge, AMS-HQ-SEA, that includes the HQ-AMS and HQ-SEA site links, those two site links become transitive, so a replication connection can be made between a domain controller in Amsterdam and a domain controller in Seattle.

What Is Universal Group Membership Caching?


One of the issues that you may need to address when configuring AD DS replication is whether to deploy global catalog servers in each site. Because global catalog servers are required when users log on to the domain, deploying a global catalog server in each site optimizes the user experience. However, deploying a global catalog server in a site might result in additional replication traffic, which may be an issue if the network connection between AD DS sites has limited bandwidth. In these scenarios, you can deploy domain controllers running Windows Server 2008 or newer, and then enable universal group membership caching for the site.

How Universal Group Membership Caching Works

A domain controller in a site that has enabled universal group membership caching stores the universal group information locally after a user attempts to log on for the first time. The domain controller obtains the user's universal group membership information from a global catalog server in another site; it then caches the information indefinitely and periodically refreshes it. The next time that the user tries to log on, the domain controller obtains the universal group membership information from its local cache without contacting a global catalog server.

By default, the universal group membership information contained in each domain controller's cache is refreshed every eight hours. To refresh the cache, domain controllers send a universal group membership confirmation request to a designated global catalog server.

You can configure universal group membership caching from the properties of the NTDS Site Settings node.
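The NTDS Site Settings change described above, as an added example that is not part of the course: it enables caching for a branch site and designates the site whose global catalogs answer the refresh requests. The setting lives in the options attribute of the site's NTDS Site Settings object (bit 0x20) and the designated site in msDS-Preferred-GC-Site; the site names SEA and HQ are placeholders, and the ActiveDirectory module is assumed.

```powershell
# Added example, not part of the course text. SEA and HQ are placeholder site names.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$GroupCachingEnabled = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED in the options attribute

function Set-UniversalGroupCaching {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$PreferredGCSite,     # site whose global catalogs serve the 8-hour refresh
        [switch]$Disable
    )
    $dn       = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $settings = Get-ADObject -Identity $dn -Properties options
    $options  = [int]$settings.options          # a missing attribute reads as 0

    # Flip only the caching bit; other option bits on the object are preserved.
    if ($Disable) { $options = $options -band (-bnot $GroupCachingEnabled) }
    else          { $options = $options -bor $GroupCachingEnabled }

    $replace = @{ options = $options }
    if ($PreferredGCSite) {
        $replace['msDS-Preferred-GC-Site'] = "CN=$PreferredGCSite,CN=Sites,$configNC"
    }
    Set-ADObject -Identity $dn -Replace $replace
}

function Get-UniversalGroupCaching {
    param([Parameter(Mandatory)][string]$SiteName)
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $s  = Get-ADObject -Identity $dn -Properties options, 'msDS-Preferred-GC-Site'
    [pscustomobject]@{
        Site            = $SiteName
        CachingEnabled  = (([int]$s.options) -band $GroupCachingEnabled) -ne 0
        PreferredGCSite = $s.'msDS-Preferred-GC-Site'
    }
}

Set-UniversalGroupCaching -SiteName 'SEA' -PreferredGCSite 'HQ'
Get-UniversalGroupCaching -SiteName 'SEA'
```

Keep the refresh interval in mind when you rely on this: a user removed from a universal group keeps that membership at the caching domain controller until the next refresh, so for time-sensitive access changes a global catalog in the site is the safer choice.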

Controlling Intersite Replication


When you create a site link, you have a number of configuration options that you can use to help control intersite replication. These options include:
• Site Link Costs. Site link costs manage the flow of replication traffic when there is more than one route for replication traffic. You can configure site link costs to indicate that a link is faster, more reliable, or is preferred. Higher costs are used for slow links, and lower costs are used for fast links. AD DS replicates by using the connection with the lowest cost. By default, all site links are configured with a cost of 100.
• Replication Frequency. Intersite replication is based only on polling. By default, every three hours a replication partner polls its upstream replication partners to determine whether changes are available. This replication interval may be too long for organizations that want changes to the directory to replicate more quickly. You can change the polling interval by accessing the properties of the site link object. The minimum polling interval is 15 minutes.
• Replication Schedules. By default, replication occurs 24 hours a day. However, you can restrict intersite replication to specific times by changing the schedule attributes of a site link.

Demonstration: Configuring AD DS Intersite Replication


In this demonstration, you will see how to configure AD DS intersite replication.

Demonstration Steps


1. From Server Manager, open Active Directory Sites and Services.
2. Rename the DEFAULTIPSITELINK as needed.
3. Right-click the site link, and then click Properties.
4. Modify the Cost, Replication interval, and Schedule as needed.
5. If necessary, open the properties of the IP node, and then modify the Bridge all site links option.
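The following added example, which is not part of the course, carries the hub-and-spoke scenario from the site-link topic through the demonstration above in one script: it creates the HQ-AMS, HQ-SEA and HQ-PEK site links, sets cost, polling interval and an off-peak replication window, removes the branches from DEFAULTIPSITELINK, turns off automatic site-link bridging on the IP transport, and adds the AMS-HQ-SEA site link bridge from the bridging topic. It assumes the ActiveDirectory module and that the headquarters site is named HQ; the cost and schedule values are chosen for illustration.

```powershell
# Added example, not part of the course text. HQ, AMS, SEA, PEK and the cost and
# schedule values are placeholders chosen for this example.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Replication window 20:00 to 05:59 for the WAN links. The directory stores the
# schedule in UTC; the Sites and Services console shows it in local time.
$offPeak = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$offPeak.ResetSchedule()                                                   # nothing allowed...
$offPeak.SetDailySchedule('Twenty', 'Zero', 'TwentyThree', 'FortyFive')   # ...except 20:00-23:59
$offPeak.SetDailySchedule('Zero', 'Zero', 'Five', 'FortyFive')            # and 00:00-05:59

# Hub-and-spoke links: lower cost wins, so the slowest link gets the highest cost.
$links = @(
    @{ Name = 'HQ-AMS'; Sites = 'HQ', 'AMS'; Cost = 100 }
    @{ Name = 'HQ-SEA'; Sites = 'HQ', 'SEA'; Cost = 100 }
    @{ Name = 'HQ-PEK'; Sites = 'HQ', 'PEK'; Cost = 300 }
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP `
            -ReplicationSchedule $offPeak
    } else {
        Set-ADReplicationSiteLink -Identity $l.Name -Cost $l.Cost `
            -ReplicationFrequencyInMinutes 15 -ReplicationSchedule $offPeak
    }
}

# Take the branches off DEFAULTIPSITELINK so the only replication paths run via HQ.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = @('AMS', 'SEA', 'PEK') }

# Demonstration step 5: clear "Bridge all site links" on the IP transport. That
# check box is bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) of the transport's
# options attribute; keep any other bits that are already set.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }

# With bridging off, make HQ-AMS and HQ-SEA transitive explicitly so AMS and
# SEA can still replicate with each other if HQ is down.
if (-not (Get-ADReplicationSiteLinkBridge -Filter "Name -eq 'AMS-HQ-SEA'")) {
    New-ADReplicationSiteLinkBridge -Name 'AMS-HQ-SEA' -SiteLinksIncluded 'HQ-AMS', 'HQ-SEA'
}

# Review the result, then ask the ISTG to recompute the topology now instead
# of at its next scheduled pass.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ',' } }
repadmin /istg          # which DC is the ISTG for each site
repadmin /kcc           # run on the ISTG to rebuild connection objects immediately
```

Leaving a branch on DEFAULTIPSITELINK as well as on its HQ link silently keeps the branch-to-branch paths alive, which is why the script removes the branches from the default link rather than only adding the new ones.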

Options for Configuring Password Replication Policies for RODCs
RODCs have unique AD DS replication requirements related to cached users' credentials. They use password replication policies to determine which users' credentials might be cached on the server. If a password replication policy allows an RODC to cache a user's credentials, the RODC can process that user's authentication and service-ticket activities. If a user's credentials are not allowed to be cached on the RODC, the RODC refers the authentication and service-ticket activities to a writable domain controller.

To access the password replication policy, open the properties of the RODC in the Domain Controllers OU, and then click the Password Replication Policy tab. An RODC's password replication policy is determined by two multivalued attributes of the RODC's computer account. These attributes are known commonly as the Allowed List and the Denied List. If a user's account is on the Allowed List, the user's credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the RODC does not cache the user's credentials. The Denied List takes precedence.

To facilitate the management of password replication policy, two domain local security groups are created in the Users container of AD DS. The first one, the Allowed RODC Password Replication Group, is added to the Allowed List for each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any users' credentials. If there are users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group. As a best practice, you can create one Allowed List group per site, and configure only the users assigned to that site in that group.


The second group, the Denied RODC Password Replication Group, is added to the Denied List for each new RODC. If you want to ensure that domain RODCs never cache certain users' credentials, you can add those users to the Denied RODC Password Replication Group. By default, this group contains security-sensitive accounts that are members of groups including Domain Admins, Enterprise Admins, Schema Admins, Cert Publishers, and Group Policy Creator Owners.

Demonstration: Configuring Password Replication Policies


In this demonstration, you will see how to configure password replication policies.

Demonstration Steps


1. Run Active Directory Users and Computers.
2. Precreate an RODC computer object named LON-RODC1.
3. In the Domain Controllers OU, open the properties of LON-RODC1.
4. Click the Password Replication Policy tab, and view the default policy.
5. Close the LON-RODC1 Properties.
6. In the Active Directory Users and Computers console tree, click the Users container.
7. Double-click Allowed RODC Password Replication Group, and then go to the Members tab and examine the default membership of Allowed RODC Password Replication Group. There should be no members by default.
8. Click OK.
9. Double-click Denied RODC Password Replication Group, and then go to the Members tab.
10. Click Cancel to close the Denied RODC Password Replication Group properties.

Tools for Monitoring and Managing Replication

After you have implemented your replication configuration, you must be able to monitor replication for ongoing support, optimization, and troubleshooting. Two tools are particularly useful for reporting and analyzing replication: the Replication Diagnostics tool (Repadmin.exe) and the Directory Server Diagnosis (Dcdiag.exe) tool.

The Repadmin.exe Tool

The Replication Diagnostics tool, Repadmin.exe, is a command-line tool that enables you to report the status of replication on each domain controller. The information that Repadmin.exe produces can help you spot a potential problem with replication in the forest. You can view levels of detail down to the replication metadata for specific objects and attributes, enabling you to identify where and when a problematic change was made to AD DS. You can even use Repadmin.exe to create the replication topology and force replication between domain controllers.

Repadmin.exe supports a number of commands that perform specific tasks. You can learn about each command by typing repadmin /?:command. Most commands require arguments. Many commands take a DC_LIST parameter, which is simply a network label (DNS, NetBIOS name, or IP address) of a domain controller. Some of the replication monitoring tasks you can perform by using Repadmin are:

Display the replication partners for a domain controller. To display the replication connections of a domain controller, type repadmin /showrepl DC_LIST. By default, Repadmin.exe shows only intersite connections. Add the /repsto argument to see intersite connections, as well.

Display connection objects for a domain controller. Type repadmin /showconn DC_LIST to show the connection objects for a domain controller.

Display metadata about an object, its attributes, and replication. You can learn a lot about replication by examining an object on two different domain controllers to find out which attributes have or have not replicated. Type repadmin /showobjmeta DC_LIST Object, where DC_LIST indicates the domain controller(s) to query. (You can use an asterisk [*] to indicate all domain controllers.) Object is a unique identifier for the object, its distinguished name or GUID, for example.

You can also make changes to your replication infrastructure by using Repadmin. Some of the management tasks you can perform are:

Launching the KCC. Type repadmin /kcc to force the KCC to recalculate the inbound replication topology for the server.

Forcing replication between two partners. You can use Repadmin to force replication of a partition between a source and a target domain controller. Type repadmin /replicate Destination_DC_LIST Source_DC_Name Naming_Context.

Synchronizing a domain controller with all replication partners. Type repadmin /syncall DC /A /e to synchronize a domain controller with all its partners, including those in other sites.

The Dcdiag.exe Tool

The Directory Service Diagnosis tool, Dcdiag.exe, performs a number of tests and reports on the overall health of replication and security for AD DS. Run by itself, dcdiag.exe performs summary tests and reports the results. On the other extreme, dcdiag.exe /c performs almost every test. The output of tests can be redirected to files of various types, including XML. Type dcdiag /? for full usage information. You can also specify one or more tests to perform using the /test:Test Name parameter. Tests that are directly related to replication include:

FrsEvent. Reports any operation errors in the File Replication System.
DFSREvent. Reports any operation errors in the Distributed File System Replication system.
Intersite. Checks for failures that would prevent or delay intersite replication.
KccEvent. Identifies errors in the knowledge consistency checker.
Replications. Checks for timely replication between domain controllers.
Topology. Checks that the replication topology is connected fully for all domain controllers.
VerifyReplicas. Verifies that all application directory partitions are instantiated fully on all domain controllers hosting replicas.
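The two tools above can be wrapped in a script that runs on a schedule and reports only the partners that are failing or stale. The following is an added example, not part of the course manual: it combines the ActiveDirectory module's replication cmdlets (Windows Server 2012) with Repadmin.exe and Dcdiag.exe. The domain controller names LON-DC1 and TOR-DC1 are those of this module's lab; the function names, the 180-minute staleness threshold and the English-language column names of Repadmin's /csv output are my assumptions.

```powershell
# Added example (not from the course manual): a replication health check that combines the
# ActiveDirectory module's replication cmdlets with Repadmin.exe and Dcdiag.exe.
# Assumptions: run as a domain admin on Windows Server 2012; the domain controller names
# LON-DC1 and TOR-DC1 are those used in this module's lab.
Import-Module ActiveDirectory

function Get-ReplicationPartnerStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        [int]$MaxAgeMinutes = 180    # flag partners that have not replicated in this long
    )
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    foreach ($dc in $DomainController) {
        # Equivalent of repadmin /showrepl: one row per inbound partner and partition,
        # with the last success time and the count of consecutive failures.
        Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Inbound |
            ForEach-Object {
                [pscustomobject]@{
                    Server              = $dc
                    Partner             = (($_.Partner -split ',')[1] -replace '^CN=', '')
                    Partition           = $_.Partition
                    LastSuccess         = $_.LastReplicationSuccess
                    ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                    LastResult          = $_.LastReplicationResult   # 0 means success
                    Stale               = ($_.LastReplicationSuccess -lt $cutoff)
                }
            }
    }
}

function Get-ReplicationFailureSummary {
    param([Parameter(Mandatory = $true)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        # Failures recorded by each DC itself (Win32 error code plus first-failure time).
        Get-ADReplicationFailure -Target $dc -Scope Server |
            Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
    }
}

$dcs = 'LON-DC1', 'TOR-DC1'
Get-ReplicationPartnerStatus -DomainController $dcs |
    Where-Object { $_.Stale -or $_.ConsecutiveFailures -gt 0 } |
    Format-Table -AutoSize
Get-ReplicationFailureSummary -DomainController $dcs | Format-Table -AutoSize

# The same data from Repadmin.exe: /showrepl supports /csv, which ConvertFrom-Csv turns
# into objects (a DC_LIST of * queries every domain controller in the forest).
$rows = repadmin.exe /showrepl * /csv | ConvertFrom-Csv
$rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize

# Dcdiag replication test; /q prints only errors, so empty output and exit code 0 mean a pass.
$dcdiag = dcdiag.exe /test:replications /q 2>&1
if ($LASTEXITCODE -ne 0 -or $dcdiag) {
    Write-Warning ("dcdiag reported problems:`n" + ($dcdiag -join "`n"))
} else {
    Write-Output 'dcdiag /test:replications passed on every domain controller.'
}
```

The cmdlet output is the same metadata Repadmin reads, so the two views should agree; a partner that shows a recent LastSuccess in one and failures in the other usually points at a partition-specific problem rather than a network one, which is why the output is kept per partition.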


Lab: Implementing AD DS Sites and Replication


Scenario

A. Datum has deployed a single AD DS domain with all the domain controllers located in the London data center. As the company has grown and added branch offices with large numbers of users, it has become apparent that the current AD DS environment is not meeting the company requirements. Users in some of the branch offices report that it can take a long time for them to log on to their computers. Access to network resources such as the company's Microsoft Exchange 2010 servers and the Microsoft SharePoint servers can be slow, and they sporadically fail. As one of the senior network administrators, you are responsible for planning and implementing an AD DS infrastructure that will help address the business requirements for the organization. You are responsible for configuring AD DS sites and replication to optimize the user experience and network utilization within the organization.

Objectives
Configure the default site created in AD DS.
Create and configure additional sites in AD DS.
Configure and monitor replication between AD DS sites.

Lab Setup

Virtual machines: 20412A-LON-DC1, 20412A-TOR-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   a. User name: Adatum\Administrator
   b. Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20412A-TOR-DC1.

Exercise 1: Modifying the Default Site


Scenario

A. Datum has decided to implement additional AD DS sites to optimize the network utilization for AD DS network traffic. The first step in implementing the new environment is to install a new domain controller for the Toronto site. You will then reconfigure the default site and assign appropriate IP address subnets to the site. You have been asked to change the name of the default site to LondonHQ and associate it with the IP subnet 172.16.0.0/24, which is the subnet range used for the London head office.

The main tasks for this exercise are as follows:

1. Install the Toronto domain controller
2. Rename the default site
3. Configure IP subnets associated with the default site

Task 1: Install the Toronto domain controller

1. On TOR-DC1, use Server Manager to install Active Directory Domain Services.
2. When the AD DS binaries have installed, use the Active Directory Domain Services Configuration Wizard to install and configure TOR-DC1 as an additional domain controller for Adatum.com.
3. After the server restarts, log on as Adatum\Administrator with the password of Pa$$w0rd.

Task 2: Rename the default site

1. If necessary, on LON-DC1, open the Server Manager console.
2. Open Active Directory Sites and Services, and then rename the Default-First-Site-Name site to LondonHQ.
3. Verify that both LON-DC1 and TOR-DC1 are members of the LondonHQ site.

Task 3: Configure IP subnets associated with the default site

1. If necessary, on LON-DC1, open the Server Manager console, and then open Active Directory Sites and Services.
2. Create a new subnet with the following configuration:
   o Prefix: 172.16.0.0/24
   o Site object: LondonHQ

Results: After completing this exercise, you will have reconfigured the default site and assigned IP address subnets to the site.

Exercise 2: Creating Additional Sites and Subnets


Scenario

The next step in implementing the AD DS site design is to configure the new AD DS site. The first site that you need to implement is the Toronto site for the North American data center. The network team in Toronto would also like to dedicate a site called TestSite in the Toronto data center. You have been instructed that the Toronto IP subnet address is 172.16.1.0/24. The test network IP subnet address is 172.16.100.0/24.

The main tasks for this exercise are as follows:

1. Create the AD DS sites for Toronto
2. Create IP subnets associated with the Toronto sites

Task 1: Create the AD DS sites for Toronto

1. If necessary, on LON-DC1 open the Server Manager console, and then open Active Directory Sites and Services.
2. Create a new site with the following configuration:
   o Name: Toronto
   o Site link object: DEFAULTIPSITELINK
3. Create another new site with the following configuration:
   o Name: TestSite
   o Site link object: DEFAULTIPSITELINK

Task 2: Create IP subnets associated with the Toronto sites

1. If necessary, on LON-DC1 open Active Directory Sites and Services.
2. Create a new subnet with the following configuration:
   o Prefix: 172.16.1.0/24
   o Site object: Toronto
3. Create another new subnet with the following configuration:
   o Prefix: 172.16.100.0/24
   o Site object: TestSite
4. In the navigation pane, click the Subnets folder. Verify that the three subnets were created and associated with their appropriate site as displayed in the details pane.

Results: After this exercise, you will have created two additional sites representing the IP subnet addresses located in Toronto.

Exercise 3: Configuring AD DS Replication


Scenario

Now that the AD DS sites have been configured for Toronto, the next step is to configure the site links to manage replication between the sites, and then to move the TOR-DC1 domain controller to the Toronto site. Currently all sites belong to DEFAULTIPSITELINK. You need to modify site linking so that LondonHQ and Toronto belong to one common site link called LON-TOR. You should configure this link to replicate every hour. Additionally, you should link the TestSite site only to the Toronto site using a site link named TOR-TEST. Replication should not be available from the Toronto site to the TestSite during the working hours of 9 A.M. and 3 P.M. You then will use tools to monitor replication between the sites.

The main tasks for this exercise are as follows:

1. Configure site links between AD DS sites
2. Move TOR-DC1 to the Toronto site
3. Monitor AD DS site replication

Task 1: Configure site links between AD DS sites

1. If necessary, on LON-DC1, open Active Directory Sites and Services.
2. Create a new IP-based site link with the following configuration:
   o Name: TOR-TEST
   o Sites: Toronto, TestSite
   o Modify the schedule to only allow replication from Monday 9am to Friday 3pm
3. Rename DEFAULTIPSITELINK and configure it with the following settings:
   o Name: LON-TOR
   o Sites: LondonHQ, Toronto
   o Replication: Every 60 minutes

Task 2: Move TOR-DC1 to the Toronto site

1. If necessary, on LON-DC1 open Active Directory Sites and Services.
2. Move TOR-DC1 from the LondonHQ site to the Toronto site.
3. Verify that TOR-DC1 is located under the Servers node in the Toronto site.
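Exercises 1 to 3 perform the site configuration through the Active Directory Sites and Services console. As an added example that is not part of the lab, the following Windows PowerShell script produces the same configuration with the ActiveDirectory module cmdlets that ship with Windows Server 2012, using the site names, subnets and site-link settings the lab states. The TOR-TEST schedule follows the wording of Exercise 3, Task 1 (open from Monday 9 A.M. to Friday 3 P.M.); the helper function name and the assumption that the script runs on LON-DC1 as Adatum\Administrator after Exercise 1, Task 1 are mine.

```powershell
# Added example (not part of the lab): the configuration of Exercises 1 to 3 done with the
# ActiveDirectory module instead of Active Directory Sites and Services. Run on LON-DC1 as
# Adatum\Administrator after TOR-DC1 has been promoted. Site names, subnets and link settings
# are those the lab states; the TOR-TEST schedule follows Exercise 3, Task 1.
Import-Module ActiveDirectory
$sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext

function New-SiteLinkSchedule {
    # Builds an ActiveDirectorySchedule that is open continuously from Monday 09:00 to
    # Friday 15:00 and closed at all other times.
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()                 # every 15-minute slot closed
    $raw = $schedule.RawSchedule              # bool[7,24,4]: [day (Sunday = 0), hour, 15-minute slot]
    for ($day = 1; $day -le 5; $day++) {      # Monday (1) through Friday (5)
        for ($hour = 0; $hour -lt 24; $hour++) {
            if ($day -eq 1 -and $hour -lt 9)  { continue }   # Monday opens at 09:00
            if ($day -eq 5 -and $hour -ge 15) { continue }   # Friday closes at 15:00
            for ($slot = 0; $slot -lt 4; $slot++) { $raw[$day, $hour, $slot] = $true }
        }
    }
    $schedule.RawSchedule = $raw
    return $schedule
}

# Exercise 1: rename the default site and attach the London subnet.
Rename-ADObject -Identity "CN=Default-First-Site-Name,$sitesDn" -NewName 'LondonHQ'
New-ADReplicationSubnet -Name '172.16.0.0/24' -Site 'LondonHQ'

# Exercise 2: the Toronto sites, both on DEFAULTIPSITELINK for now, plus their subnets.
New-ADReplicationSite -Name 'Toronto'
New-ADReplicationSite -Name 'TestSite'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'Toronto', 'TestSite' }
New-ADReplicationSubnet -Name '172.16.1.0/24'   -Site 'Toronto'
New-ADReplicationSubnet -Name '172.16.100.0/24' -Site 'TestSite'

# Exercise 3, Task 1: TOR-TEST with the restricted schedule; then DEFAULTIPSITELINK becomes
# LON-TOR, linking only LondonHQ and Toronto and replicating every 60 minutes.
New-ADReplicationSiteLink -Name 'TOR-TEST' -SitesIncluded 'Toronto', 'TestSite' `
    -InterSiteTransportProtocol IP -ReplicationSchedule (New-SiteLinkSchedule)
Rename-ADObject -Identity "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDn" -NewName 'LON-TOR'
Set-ADReplicationSiteLink -Identity 'LON-TOR' -SitesIncluded @{ Remove = 'TestSite' } `
    -ReplicationFrequencyInMinutes 60

# Exercise 3, Task 2: move TOR-DC1 into the Toronto site.
Move-ADDirectoryServer -Identity 'TOR-DC1' -Site 'Toronto'

# Verification: the same facts the lab asks you to confirm in the console.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * | Select-Object Name, SitesIncluded, ReplicationFrequencyInMinutes
Get-ADDomainController -Identity 'TOR-DC1' | Select-Object Name, Site
```

Scripting the site layout has a security benefit beyond repeatability: the verification lines at the end expose a subnet that is mapped to the wrong site or a site link that still includes a site it should not, both of which silently send clients and replication traffic to unintended domain controllers.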

Task 3: Monitor AD DS site replication

1. On LON-DC1, on the taskbar, click the Windows PowerShell button.
2. Use the following commands to monitor site replication:

Repadmin /kcc
This command recalculates the inbound replication topology for the server.

Repadmin /showrepl
Verify that the last replication with TOR-DC1 was successful.

Repadmin /bridgeheads
This command displays the bridgehead servers for the site topology.

Repadmin /replsummary
This command displays a summary of replication tasks. Verify that no errors appear.

DCDiag /test:replications
Verify that all connectivity and replication tests pass successfully.

3. Switch to TOR-DC1, and then repeat the commands to view information from the TOR-DC1 perspective.

Results: After this exercise, you will have configured site links and monitored replication.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1.


Module Review and Takeaways


Question: Why is it important that all subnets are identified and associated with a site in a multisite enterprise?

Question: What are the advantages and disadvantages of reducing the intersite replication interval?

Question: What is the purpose of a bridgehead server?

Common Issues and Troubleshooting Tips

Common Issue: Client cannot locate domain controller in its site.
Troubleshooting Tip:

Common Issue: Replication between sites does not work.
Troubleshooting Tip:

Common Issue: Replication between two domain controllers in the same site does not work.
Troubleshooting Tip:

Best Practice
You should implement the following best practices when you manage Active Directory sites and replication in your environment:

Always provide at least one or more global catalog servers per site.
Ensure that all sites have appropriate subnets associated.
Do not set up long intervals without replication when you configure replication schedules for intersite replication.
Avoid using SMTP as a protocol for replication.


Module 10
Implementing Active Directory Certificate Services
Contents:
Module Overview 10-1
Lesson 1: PKI Overview 10-2
Lesson 2: Deploying CAs 10-10
Lesson 3: Deploying and Managing Certificate Templates 10-16
Lesson 4: Implementing Certificate Distribution and Revocation 10-21
Lesson 5: Managing Certificate Recovery 10-29
Lab: Implementing Active Directory Certificate Services 10-33
Module Review and Takeaways 10-41

Module Overview

Public key infrastructure (PKI) consists of several components that help you secure corporate communications and transactions. One such component is the Certification Authority (CA). You can use CAs to manage, distribute, and validate digital certificates that are used to secure information. You can install Active Directory Certificate Services (AD CS) as a root CA or a subordinate CA in your organization. In this module, you will learn about implementing AD CS server role and certificates.

Objectives
After completing this module, you will be able to:

Describe PKI.
Deploy CAs.
Deploy and manage certificate templates.
Implement certificate distribution and revocation.
Manage certificate recovery.


Lesson 1

PKI Overview

PKI helps you verify and authenticate the identity of each party involved in an electronic transaction. It also helps you establish trust between computers and the corresponding applications that are hosted on application servers. A common example includes the use of PKI technology to secure websites. Digital certificates are key PKI components that contain electronic credentials, which are used to authenticate users or computers. Moreover, certificates can be validated using certificate discovery, path validation, and revocation checking processes. Windows Server 2012 supports building a certificate services infrastructure in your organization using AD CS components.

Lesson Objectives

After completing this lesson, you will be able to:

Describe PKI.
Describe components of a PKI solution.
Describe CAs.
Describe the AD CS server role in Windows Server 2012.
Describe new features in AD CS in Windows Server 2012.
Explain the difference between public and private CAs.
Describe cross-certification hierarchy.

What Is PKI?

PKI is a combination of software, encryption technologies, processes, and services that assist an organization with securing its communications and business transactions. It is a system of digital certificates, certification authorities, and other registration authorities. When an electronic transaction takes place, PKI verifies and authenticates the validity of each party involved. PKI standards are still evolving, but they are widely implemented as an essential component of electronic commerce.

General concepts of PKI

In general, a PKI solution relies on several technologies and components. When you plan to implement PKI, you should consider and understand the following:

Infrastructure: The meaning in this context is the same as in any other context, such as electricity, transportation, or water supply. Each of these elements does a specific job, and has requirements that must be met for it to function efficiently. The sum of these elements allows for the efficient and safe use of PKI. Some of the elements that make up a PKI are the following:
   o A CA
   o A certificate repository
   o A registration authority
   o An ability to revoke certificates
   o An ability to back up, recover, and update keys
   o An ability to regulate and track time
   o Client-side processing

Most of these components will be discussed in later topics and lessons of this module.

Public/Private Keys: In general, there are two methods for encrypting and decrypting data:

   o Symmetric encryption: The methods to encrypt and decrypt data are identical, or mirrors of each other. Data is encrypted by using a particular method or key. To decrypt the data, you must have the same, identical method or key. Therefore, anyone who has the key can decrypt the data. The key must remain private to maintain the integrity of the encryption.

   o Asymmetric encryption: In this case, the methods to encrypt and decrypt data are not identical or mirrors of each other. Data is encrypted by using a particular method or key. However, a different key is used to decrypt data. This is achieved by using a pair of keys. Each person gets a key pair, which consists of a public key and a private key. These keys are unique, and data that the public key encrypts can be decrypted by using the private key, and vice versa. In this situation, the keys are sufficiently different and knowing or possessing one does not allow you to determine the other. Therefore, one of the keys (public) can be made publicly available without reducing the security of the data, as long as the other key (private) remains private, hence the name Public Key Infrastructure.

Algorithms that use symmetric encryption are fast and efficient for large amounts of data. However, because they use a symmetric key, they are not considered secure enough, because you always must transport the key to the other party. Alternatively, algorithms that use asymmetric encryption are secure, but very slow. Because of this, it is common to use a hybrid approach, which means that data is encrypted by using symmetric encryption, while the symmetric encryption key is protected with asymmetric encryption.

When you implement a PKI solution, your entire system, especially the security aspect, can benefit. The benefits of using PKI include:

Confidentiality: A PKI solution enables you to encrypt both stored and transmitted data.

Integrity: You can use PKI to sign data digitally. A digital signature identifies whether any data was modified while information was transmitted.

Authenticity and non-repudiation: Authentication data passes through hash algorithms such as Secure Hash Algorithm 1 (SHA-1) to produce a message digest. The message digest is then digitally signed using the sender's private key to prove that the message digest was produced by the sender. Non-repudiation is digitally signed data in which the digital signature provides both proof of the integrity of signed data, and proof of the origin of data.

Standards-based approach: PKI is standards-based, which means that multiple technology vendors are compelled to support PKI-based security infrastructures. It is based on industry standards defined in RFC 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
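The hybrid approach and the integrity and non-repudiation benefits described above can be seen end to end in a few lines of Windows PowerShell. The following is an added example and not part of the course manual: bulk data is encrypted with a fresh AES-256 key, that key is wrapped with the recipient's RSA public key, and the sender signs a SHA-256 digest of the ciphertext with its private key, which the recipient verifies before decrypting. It uses the .NET cryptography classes that Windows PowerShell on Windows Server 2012 can load; the RSA key pairs, the sample message and the function names are constructed for illustration.

```powershell
# Added example (not from the course manual): the hybrid approach described above, using the
# .NET cryptography classes available in Windows PowerShell. Bulk data is encrypted with a
# fresh AES-256 key, that key is wrapped with the recipient's RSA public key, and the sender
# signs a SHA-256 digest of the ciphertext with its private key. The RSA key pairs, the
# message text and the function names are constructed for illustration.

function Protect-Message {
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSACryptoServiceProvider]$RecipientPublicKey,
        [System.Security.Cryptography.RSACryptoServiceProvider]$SenderPrivateKey
    )
    # 1. Symmetric part: fast, and suitable for large amounts of data.
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $iv = $aes.IV

    # 2. Asymmetric part: only the 32-byte AES key is RSA-encrypted (OAEP padding), so the
    #    symmetric key never travels in the clear and the slow operation stays small.
    $wrappedKey = $RecipientPublicKey.Encrypt($aes.Key, $true)

    # 3. Integrity and non-repudiation: sign the SHA-256 digest of the ciphertext with the
    #    sender's private key; anyone holding the sender's public key can verify it.
    $signature = $SenderPrivateKey.SignData($ciphertext, 'SHA256')
    $aes.Dispose()

    return @{ Ciphertext = $ciphertext; IV = $iv; WrappedKey = $wrappedKey; Signature = $signature }
}

function Unprotect-Message {
    param(
        [hashtable]$Envelope,
        [System.Security.Cryptography.RSACryptoServiceProvider]$RecipientPrivateKey,
        [System.Security.Cryptography.RSACryptoServiceProvider]$SenderPublicKey
    )
    # Verify first: a modified or forged message is rejected before anything is decrypted.
    if (-not $SenderPublicKey.VerifyData($Envelope.Ciphertext, 'SHA256', $Envelope.Signature)) {
        throw 'Signature check failed: the message was altered or did not come from the sender.'
    }
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $RecipientPrivateKey.Decrypt($Envelope.WrappedKey, $true)   # unwrap with the private key
    $aes.IV  = $Envelope.IV
    $plaintext = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    $aes.Dispose()
    return ,$plaintext
}

# Key pairs. In a PKI the public halves are distributed inside certificates issued by a CA;
# here they are simply exported from the freshly generated pairs.
$sender    = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$recipient = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$senderPublic    = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$recipientPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$senderPublic.ImportParameters($sender.ExportParameters($false))        # $false = public key only
$recipientPublic.ImportParameters($recipient.ExportParameters($false))

$message  = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample message for the PKI lesson')
$envelope = Protect-Message -Plaintext $message -RecipientPublicKey $recipientPublic -SenderPrivateKey $sender
$decoded  = Unprotect-Message -Envelope $envelope -RecipientPrivateKey $recipient -SenderPublicKey $senderPublic
[System.Text.Encoding]::UTF8.GetString($decoded)

# Tampering with one byte of the ciphertext is caught by the signature check, not by AES.
$envelope.Ciphertext[0] = $envelope.Ciphertext[0] -bxor 1
try { Unprotect-Message -Envelope $envelope -RecipientPrivateKey $recipient -SenderPublicKey $senderPublic | Out-Null }
catch { Write-Warning $_.Exception.Message }
```

The script has no certificates in it on purpose: what a CA adds to this picture is a trusted binding between a public key and an identity, so that the recipient can be sure the "sender public key" used in the verify step really belongs to the sender. That binding is the subject of the rest of this lesson.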


Components of a PKI Solution

There are many components that are required to work together to provide a complete PKI solution. The PKI components in Windows Server 2012 are:

CA: A CA issues and manages digital certificates for users, services, and computers. By deploying a CA, you establish the PKI in your organization.

Digital certificates: Digital certificates are similar in function to an electronic passport. A digital certificate is used to prove the identity of the user (or other entity). Digital certificates contain the electronic credentials that are associated with a public key and a private key, which are used to authenticate users and other devices such as Web servers and mail servers. Digital certificates also ensure that software or code is run from a trusted source. Digital certificates contain various fields, such as Subject, Issuer, and Common Name. These fields are used to determine the specific use of the certificate. For example, a Web server certificate might contain the Common Name field of web01.contoso.com, which would make that certificate valid only for that web server. If an attempt were made to use that certificate on a web server named web02.contoso.com, the user of that server would receive a warning.

Certificate templates: This component describes the content and purpose of a digital certificate. When requesting a certificate from an AD CS enterprise CA, the certificate requestor will, depending on his or her access rights, be able to select from a variety of certificate types based on certificate templates, such as User and Code Signing. The certificate template saves users from low-level, technical decisions about the type of certificate they need. In addition, they allow administrators to distinguish who might request which certificates.

CRLs and Online Responders:

   o Certificate revocation lists (CRLs) are complete, digitally signed lists of certificates that have been revoked. These lists are published periodically and can be retrieved and cached by clients (based on the configured lifetime of the CRL). The lists are used to verify a certificate's revocation status.

   o Online Responders are part of the Online Certificate Status Protocol (OCSP) role service in Windows Server 2008 and Windows Server 2012. An Online Responder can receive a request to check for revocation of a certificate without requiring the client to download the entire CRL. This speeds up certificate revocation checking, and reduces the network bandwidth. It also increases scalability and fault tolerance, by allowing for array configuration of Online Responders.

Public key-based applications and services: This relates to applications or services that support public key encryption. In other words, the application or services must be able to support public key implementations to gain the benefits from it.

Certificate and CA management tools: Management tools provide command-line and GUI-based tools to:
   o Configure CAs
   o Recover archived private keys
   o Import and export keys and certificates
   o Publish CA certificates and CRLs
   o Manage issued certificates


Authority information access (AIA) and CRL distribution points (CDPs): AIA points determine the location where CA certificates can be found and validated, and CDP locations determine the points where certificate revocation lists can be found during the certificate validation process. Because CRLs can become large (depending on the number of certificates issued and revoked by a CA), you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRLs and more quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data to be published more frequently, because the size of a delta CRL means that it usually does not require as much time to transfer as a full CRL.

Hardware security module (HSM): A hardware security module is an optional secure cryptographic hardware device that accelerates cryptographic processing for managing digital keys. It is a high security, specialized storage that is connected to the CA for managing the certificates. An HSM is typically attached to a computer physically. This is an optional add-on in your PKI, and is most widely used in high security environments where there would be a significant impact if a key were compromised.

Note: The most important component of any security infrastructure is physical security. A security infrastructure is not just the PKI implementation. Other elements, such as physical security and adequate security policies, are also important parts of a holistic security infrastructure.
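The components listed above (certificate fields, CRLs, AIA and CDP locations) are what a client walks through when it validates a certificate. The following Windows PowerShell script is an added example and not part of the course manual: it reads the Subject, Issuer and name fields, the AIA and CDP extensions, builds the chain with revocation checking, and tests the certificate's name against the host it is presented for (the web01/web02.contoso.com case from this lesson). A self-signed test certificate is created and removed so the script runs on any Windows Server 2012 computer from an elevated prompt; for it the chain check reports an untrusted root and no AIA or CDP, which is exactly what a CA-issued certificate adds. The store path, host names and function name are my assumptions, and the "DNS Name=" text parsed from the Subject Alternative Name is the English-language format Windows emits.

```powershell
# Added example (not from the course manual): inspect a server certificate's identity fields,
# its AIA and CDP extensions, build its chain with revocation checking, and compare its names
# with the host it is presented for. Needs an elevated prompt (writes to LocalMachine\My).
function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedHostName
    )

    # Names the certificate is valid for: the CN from Subject plus any DNS entries in the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names = $names | Select-Object -Unique

    # Where a validator fetches the issuer certificate (AIA) and the CRL (CDP).
    $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aiaText = '(none)'; if ($aia) { $aiaText = $aia.Format($false) }
    $cdpText = '(none)'; if ($cdp) { $cdpText = $cdp.Format($false) }

    # Path validation with revocation checking for every certificate in the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Issuer          = $Certificate.Issuer
        ValidNames      = ($names -join ', ')
        HostNameMatches = [bool]($names -contains $ExpectedHostName)
        AIA             = $aiaText
        CDP             = $cdpText
        ChainTrusted    = $trusted
        ChainLength     = $chain.ChainElements.Count
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Constructed test certificate for web01.contoso.com. A real server certificate is issued by
# a CA and carries AIA and CDP URLs, so ChainTrusted becomes True and ChainStatus empty.
$cert = New-SelfSignedCertificate -DnsName 'web01.contoso.com' -CertStoreLocation 'Cert:\LocalMachine\My'
try {
    Test-ServerCertificate -Certificate $cert -ExpectedHostName 'web01.contoso.com'   # name matches
    Test-ServerCertificate -Certificate $cert -ExpectedHostName 'web02.contoso.com'   # name mismatch: warning case
} finally {
    Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
}
```

Two of the output fields matter most when troubleshooting: HostNameMatches is False in the web02 case even though the certificate itself is otherwise fine, and ChainStatus names the exact reason a chain is rejected (for the self-signed test certificate, UntrustedRoot together with revocation-status entries, because there is no CDP to fetch).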

What Are CAs?

A CA is a well-designed and highly trusted service in an enterprise, which provides users and computers with certificates, maintains the CRLs, and optionally responds to OCSP requests. You can install a CA in your environment by deploying the AD CS role on Windows Server 2012. When the first CA is installed, it establishes the PKI in the network, and it provides the highest point in the whole structure. You can have one or more certification authorities in one network, but only one CA can be at the highest point on the CA hierarchy (that CA is called the root CA, which will be discussed later in this module).

One of the main purposes of the CA is to issue certificates, revoke certificates, and publish AIA and CRL information. By doing that, the CA ensures that users, services, and computers are issued certificates that can be validated. A CA performs multiple functions or roles in a PKI. In a large PKI, separation of CA roles among multiple servers is common. A CA provides several management tasks, including:

Verifying the identity of the certificate requestor.
Issuing certificates to requesting users, computers, and services.
Managing certificate revocation.

When you deploy a first CA (root CA) in your network, it issues a certificate for itself. After that, other CAs receive certificates from the first CA. You can also choose to issue a certificate for your CA by using one of the public CAs.


Overview of the AD CS Server Role in Windows Server 2012

All PKI-related components are deployed as role services of the AD CS server role. This role is made up of several components that are known as role services. Each role service is responsible for a specific portion of the certificate infrastructure, while working together to form a complete solution. Role services of the AD CS role are:

CA. This component issues certificates to users, computers, and services. It also manages certificate validity. Multiple CAs can be chained to form a PKI hierarchy.

CA Web enrollment. This component provides a method to issue and renew certificates for users, computers, and devices that are not joined to the domain, are not connected directly to the network, or are for users of non-Windows operating systems.

Online Responder. You can use this component to configure and manage OCSP validation and revocation checking. Online Responder decodes revocation status requests for specific certificates, evaluates the status of those certificates, and returns a signed response containing the requested certificate status information. Unlike in Windows Server 2008 R2, you can install Online Responder on any version of Windows Server 2012. The certificate revocation data can come from a CA on a computer that is running Windows Server 2003, Windows Server 2008, or from a non-Microsoft CA.

Network Device Enrollment Service. With this component, routers, switches, and other network devices can obtain certificates from AD CS. On Windows Server 2008 R2, this component is only available on the Enterprise and Datacenter editions, but on Windows Server 2012, you can install this role service on any version of Windows Server.

Certificate Enrollment Web Service. This component works as a proxy between Windows 7 and Windows 8 client computers and the CA. This component is new to Windows Server 2008 R2 and Windows Server 2012, and requires that the Active Directory forest be at least at the Server 2008 R2 level. It enables users to connect to a CA by means of a web browser to perform the following:
   o Request, renew, and install issued certificates
   o Retrieve CRLs
   o Download a root certificate
   o Enroll over the internet or across forests (new to Windows Server 2008 R2)

Certificate Authority Policy Web Service. This component is new to Windows Server 2008 R2 and Windows Server 2012. It enables users to obtain certificate enrollment policy information. Combined with the Certificate Enrollment Web Service, it enables policy-based certificate enrollment when the client computer is not a member of a domain, or when a domain member is not connected to the domain.
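Each role service above maps to a Windows feature that can be installed and configured from Windows PowerShell, which is the deployment path the next topic mentions. The following script is an added example and not part of the course manual: it installs and configures the CA and Online Responder role services for a single-tier lab, choosing SHA-256 signing and a 4096-bit key rather than the wizard defaults. The CA name Adatum-Root-CA, the ten-year validity and the assumption that it runs as an Enterprise Admin on Windows Server 2012 are mine; a production PKI would keep the root CA offline and issue from an enterprise subordinate CA, which is covered in Lesson 2.

```powershell
# Added example (not from the course manual): install and configure two AD CS role services
# with Windows PowerShell. Assumptions: single-tier lab, enterprise root CA named
# Adatum-Root-CA, run as an Enterprise Admin on Windows Server 2012.
Import-Module ServerManager

# Windows feature names behind the role services (Get-WindowsFeature ADCS* lists all six:
# ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert, ADCS-Device-Enrollment,
# ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol).
$roleServices = 'ADCS-Cert-Authority', 'ADCS-Online-Cert'
Install-WindowsFeature -Name $roleServices -IncludeManagementTools

# Configure the CA: 4096-bit RSA key in the software key storage provider, SHA-256
# signatures, 10-year validity. -Force suppresses the confirmation prompt.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'Adatum-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Configure the Online Responder (OCSP); its revocation configuration is added afterwards
# in the Online Responder Management console.
Install-AdcsOnlineResponder -Force

# Verify: both role services installed, and the new root CA certificate published to this
# computer's Trusted Root Certification Authorities store.
Get-WindowsFeature -Name ADCS* | Where-Object { $_.Installed } | Select-Object Name, DisplayName
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=Adatum-Root-CA*' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Every Install-Adcs* cmdlet supports -WhatIf, so the configuration step can be dry-run first; the hash algorithm and key length chosen here cannot be changed later without renewing the CA certificate, which is why they are set explicitly instead of taken from the wizard.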


What W Is Ne ew in AD CS C in Windows Serve er 2012


Like many other Windows Ser rver roles, AD CS is im mproved and enhanced e in Windows W Server 2012. Th he AD CS role in Windows Server 2012 stil ll has th he same six role services, as described d in th he previous topic. In addition, it now provides multiple m new fe eatures and cap pabilities comp pared to o previous vers sions.

In n Windows Ser rver 2008 R2, some s of the AD D CS ro ole services req quire a specific c Windows Ser rver ve ersion. For exa ample, Network Device Enrollment Se ervice (NDES) does not work k on the Windo ows Se erver 2008 Standard edition, , but only on the t Windows W Server 2008 Enterpr rise edition). In n Windows Ser rver 2012, all r role services ar re available on n all Windows W Server versions.

The AD CS server role, in addition to all related role services, can run on Windows Server 2012 with full GUI, Minimal Server Interface, or on a Server Core installation. You can deploy AD CS role services in Windows Server 2012 using Server Manager, or Windows PowerShell cmdlets, while working locally at the computer or remotely over the network.

From a management perspective, AD CS and its events, and the Best Practices Analyzer tool are now fully integrated into the Server Manager console, which means that you can access all its options directly from Server Manager. AD CS is also fully manageable by using the Windows PowerShell command-line interface.

The Windows Server 2012 version of AD CS also introduces a new certificate template version, version 4, which provides some new capabilities. This will be discussed separately in Lesson 3.

Certificate Enrollment Web Services is also enhanced in Windows Server 2012. This feature, introduced in Windows 7 and Windows Server 2008 R2, allows online certificate requests to come from untrusted Active Directory Domain Services (AD DS) domains or even from computers or devices that are not joined to a domain. AD CS in Windows Server 2012 adds the ability to renew certificates automatically for computers that are part of untrusted AD DS domains, or are not joined to a domain.

From a security perspective, AD CS in Windows Server 2012 provides the ability to require the renewal of a certificate with the same key. Windows Server 2012 also supports generating trusted platform module (TPM)-protected keys using TPM-based key storage providers (KSPs). The benefit of using a TPM-based KSP is true non-exportability of keys that are backed up by the anti-hammering mechanism of TPMs (for example, if a user enters a wrong PIN too many times). To enhance security even further, you can now force encryption of all certificate requests that come to AD CS in Windows Server 2012.

Virtual Smart Cards

Smart cards, as an option for multi-factor authentication, have been used since Windows Server 2000. They provide enhanced security over passwords, as it is much more difficult for an unauthorized user to gain and maintain access to a system. In addition, access to a smart card-protected system requires that a user both have a valid card and know the PIN that provides access to that card. By default, only one copy of the smart card exists, so only one individual can be using their login credentials at a time. In addition, a user will quickly notice if their card has been lost or stolen, especially when their card is combined with access to doors or other functions. This greatly reduces the risk window of credential theft in comparison to passwords.


However, implementation of smart card infrastructure has historically sometimes been too expensive. To implement smart cards, companies had to buy hardware, including smart card readers and smart cards. This cost, in some cases, prevented the deployment of multi-factor authentication.

To address these issues, Windows Server 2012 AD CS introduces a technology that provides the security of smart cards while reducing material and support costs. This is done by providing Virtual Smart Cards. Virtual Smart Cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times.

Virtual Smart Cards in Windows Server 2012 leverage the capabilities of the TPM chip that is present on most of the computer motherboards produced in the past two years. Because the chip is already in the computer, there is no cost for buying smart cards and smart card readers. However, unlike traditional smart cards, where the user was in physical possession of the card, in the Virtual Smart Card scenario, a computer (or to be more specific, the TPM chip on its motherboard) acts like a smart card. By using this approach, two-factor authentication similar to traditional smart cards is achieved. A user must have his or her computer (which has been set up with the Virtual Smart Card), and also know the PIN necessary to use his or her Virtual Smart Card.

It is important to understand how Virtual Smart Cards protect private keys. Traditional smart cards have their own storage and cryptographic mechanism for protecting the private keys. In the Virtual Smart Card scenario, private keys are protected not by isolation of physical memory, but rather by the cryptographic capabilities of the TPM: all sensitive information that is stored on a smart card is encrypted using the TPM, and then stored on the hard drive in its encrypted form. Although private keys are stored on a hard drive (in encrypted form), all cryptographic operations occur in the secure, isolated environment of the TPM. Private keys never leave this environment in unencrypted form. If the hard drive of the machine is compromised in any way, private keys cannot be accessed, because they are protected and encrypted by the TPM. To provide more security, you can also encrypt the drive with Windows BitLocker Drive Encryption.

To deploy Virtual Smart Cards, you need Windows Server 2012 AD CS and a Windows 8 client machine with a TPM chip on the motherboard.

Public vs. Private CAs


When you are planning PKI implementation for your organization, one of the first choices you should make is between private and public CAs. It is possible for you to establish PKI by using either of these approaches. If you decide to use a private CA, then you deploy the AD CS server role, and then establish an internal PKI. If you decide to use an external PKI, you do not have to deploy any service internally. Both approaches have advantages and disadvantages, as specified in the following table.

CA type: External public CA
Advantages:
- Trusted by many external clients (web browsers, operating systems)
- Requires minimal administration
Disadvantages:
- Higher cost as compared to an internal CA
- Cost is based per certificate
- Certificate procurement is slower

CA type: Internal private CA
Advantages:
- Provides greater control over certificate management
- Lower cost as compared to a public CA
- Customized templates
- Autoenrollment
Disadvantages:
- By default, not trusted by external clients (web browsers, operating systems)
- Requires greater administration

Some organizations have started using a hybrid approach to their PKI architecture. A hybrid approach uses an external public CA for the root CA, and a hierarchy of internal CAs for distribution of certificates. This gives organizations the advantage of having their internally issued certificates trusted by external clients, while still providing the advantages of an internal CA. The only disadvantage is cost. A hybrid approach is typically the most expensive approach, because public certificates for CAs are very expensive.

In addition, you can also choose to deploy internal PKI for internal purposes such as Encrypting File System (EFS) and digital signatures. For external purposes, such as protecting web or mail servers with Secure Sockets Layer (SSL), you must buy a public certificate. This approach is not very expensive, and is probably the most cost-effective solution.

What Is a Cross-Certification Hierarchy?


As cross-certification implies, in a cross-certification hierarchy the root CA in each CA hierarchy provides a cross-certification certificate to the root CA in the other CA hierarchy. The other hierarchy root CA then installs the supplied certificate. By doing so, the trust flows down to all the subordinate CAs below the level where the cross-certification certificate was installed.

Cross-Certification Benefits


A cross-certification hierarchy provides the following benefits:
- Provides interoperability between businesses and between PKI products
- Joins disparate PKIs
- Assumes complete trust of a foreign CA hierarchy

Companies usually deploy cross-certifications to establish a mutual trust on the PKI level, and also to implement some other applications that rely on PKI, such as Active Directory Rights Management Services (AD RMS).

Question: Your company is currently acquiring another company. Both companies run their own PKI. What could you do to minimize disruption and continue to provide PKI services seamlessly?


Lesson 2

Deploying CAs

The first CA that you install will be a root CA. After you install the root CA, you can optionally install a subordinate CA to apply policy restrictions and distribute certificates. You can also use a CAPolicy.inf file to automate additional CA installations and provide additional configuration settings that are not available with the standard GUI-based installation. In this lesson, you will learn about deploying CAs in the Windows Server 2012 environment.

Lesson Objectives


After completing this lesson, you will be able to:
- Describe options for implementing CA hierarchies.
- Explain differences between standalone and enterprise CAs.
- Describe considerations for deploying a root CA.
- Deploy a root CA.
- Describe considerations for deploying a subordinate CA.
- Describe how to use the CAPolicy.inf file for installing the CA.

Options for Implementing CA Hierarchies


When you decide to implement PKI in your organization, one of the first decisions you must make is how to design your CA hierarchy. The CA hierarchy determines the core design of your internal PKI, and also determines the purpose of each CA in the hierarchy. Each CA hierarchy includes two or more CAs. Usually, the second CA (and all others after that) is deployed with a specific purpose, because only the root CA is mandatory. The following points describe some scenarios for implementing a CA hierarchy.

- Policy CA: Policy CAs are a type of subordinate CA that are located directly below the root CA in a CA hierarchy. You utilize policy CAs to issue CA certificates to subordinate CAs that are located directly below the policy CA in the hierarchy. Use policy CAs when different divisions, sectors, or locations of your organization require different issuance policies and procedures.
- Cross-certification trust: In this scenario, two independent CA hierarchies interoperate when a CA in one hierarchy issues a CA certificate to a CA in the other hierarchy. Cross-certification trusts are discussed in more detail later in this module.
- Two-tier hierarchy: In a two-tier hierarchy, there is a root CA and at least one subordinate CA. In this scenario, the subordinate CA is responsible for policies, and for issuing certificates to requestors.


Standalone vs. Enterprise CAs


In Windows Server 2012, you can deploy two types of CAs: standalone CA and enterprise CA. These types are not about hierarchy, but about functionality and configuration storage. The most important difference between these two CA types is Active Directory integration and dependency. A standalone CA can work without AD DS, and does not depend on it in any way. An enterprise CA requires AD DS, but it also provides several benefits, such as autoenrollment. The following table details the most significant differences between standalone and enterprise CAs.

Characteristic: Typical usage
Standalone CA: A standalone CA is typically used for offline CAs, but it can be used for a CA that is consistently available on the network.
Enterprise CA: An enterprise CA is typically used to issue certificates to users, computers, and services, and is not typically used as an offline CA.

Characteristic: Active Directory dependencies
Standalone CA: A standalone CA does not depend on AD DS and can be deployed in non-Active Directory environments.
Enterprise CA: An enterprise CA requires AD DS, which can be used as a configuration and registration database. An enterprise CA also provides a publication point for certificates issued to users and computers.

Characteristic: Certificate request methods
Standalone CA: Users can only request certificates from a standalone CA by using a manual procedure or web enrollment.
Enterprise CA: Users can request certificates from an enterprise CA using the following methods: manual enrollment, web enrollment, autoenrollment, and enrollment agent.

Characteristic: Certificate issuance methods
Standalone CA: All requests must be manually approved by a certificate administrator.
Enterprise CA: Requests can be automatically issued or denied, based on the template's discretionary access control list (DACL).

Most commonly, the root CA (which is the first CA deployed) is deployed as a standalone CA, and it is taken offline after it issues a certificate for itself and for a subordinate CA. Alternatively, a subordinate CA is usually deployed as an enterprise CA, and is configured in one of the scenarios described in the previous topic.


Considerations for Deploying a Root CA


Before you deploy a root CA, there are several decisions that you should make. First, you should decide if you will be deploying an offline root CA or not. Based on that decision, you will also decide if you will be deploying a standalone root CA or an enterprise root CA. Usually, if you are deploying a single-layer CA hierarchy (which means that you deploy only a single CA), it is most common to choose an enterprise root CA. However, if you are deploying a two-layer hierarchy, the most common scenario is to deploy a standalone root CA and an enterprise subordinate CA.

The next factor to consider is the operating system installation type. AD CS is supported in both the full installation and the Server Core installation scenarios. Server Core provides a smaller attack surface and less administrative overhead, and therefore should be strongly considered for AD CS in an enterprise environment. In Windows Server 2012, you can also use Windows PowerShell to deploy and manage the AD CS role.

You should also be aware that you cannot change computer names or computer domain memberships after you deploy a CA of any type on that computer, nor can you change the domain name. Therefore, it is important to determine these attributes before installing a CA. The following table details additional considerations.

Consideration: A cryptographic service provider (CSP) that is used to generate a new key
Description: The default CSP is the Microsoft Strong Cryptographic Provider. Any provider whose name starts with a number sign (#) is a Cryptography Next Generation (CNG) provider.

Consideration: The key character length
Description: The default key length for the Microsoft Strong Cryptographic Provider is 2,048 characters. This is the minimum recommended value for a root CA.

Consideration: The hash algorithm that is used to sign certificates issued by a CA
Description: The default value of the hash algorithm is SHA-1.

Consideration: The validity period for certificates issued by a CA
Description: The default value for certificates is five years.

Consideration: The status of the root server (online or offline)
Description: The root server should be deployed as an offline CA. This enhances security and safeguards the root certificate (because it is not available to attack over the network).

Specifically, if you decide to deploy an offline standalone root CA, there are some specific considerations that you should have in mind:

- Before you issue a subordinate certificate from the root CA, make sure that you provide at least one CDP and AIA location that will be available to all clients. This is because, by default, a standalone root CA has the CDP and AIA located on itself. Therefore, when you take the root CA off the network, revocation checking will fail, as the CDP and AIA locations will be inaccessible. When you define these locations, you should manually copy CRL and AIA information to that location.

- Set a validity period for CRLs that the root CA publishes to a long period of time (for example, one year). This means that you will have to turn on the root CA once per year to publish a new CRL, and then copy it to a location that is available to clients. If you fail to do so, after the CRL on the root CA expires, revocation checking for all certificates will also fail.

- Publish the root CA certificate to the Trusted Root Certification Authorities store on all server and client machines by using Group Policy. You must do this manually, because a standalone CA cannot do it automatically, unlike an enterprise CA. You can also publish the root CA certificate to AD DS by using the certutil command-line tool.
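The three offline-root considerations above as a script, added here as an example and not part of the course material: it sets CDP and AIA locations that clients can reach, a one-year CRL period, publishes a fresh CRL, and publishes the root certificate to AD DS with certutil. Assumptions: the standalone root CA role is already installed on this server, http://pki.adatum.com/CertData (the course's sample host name) is a web location every client can reach, and \\pki.adatum.com\CertData is a hypothetical share behind that URL; the final certutil -dspublish step runs on a domain-joined computer, not on the offline root.

```powershell
# Added example (not from the course): post-installation settings for an offline
# standalone root CA. Run in an elevated PowerShell session on the root CA.
$httpBase = 'http://pki.adatum.com/CertData'           # course sample host name
$localDir = "$env:SystemRoot\system32\CertSrv\CertEnroll"

# CDP. Flag 1 = publish the CRL to this location; 2 = include the URL in the CDP
# extension of issued certificates. certutil tokens: %3 = CA name, %8 = CRL name
# suffix, %9 = delta CRL suffix. Entries are separated by a literal "\n", which
# certutil expands into the multi-string registry value.
$cdp = @(
    "1:$localDir\%3%8%9.crl",
    "2:$httpBase/%3%8%9.crl"
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA. Flag 1 = publish the CA certificate to this location; 2 = include the URL
# in the AIA extension of issued certificates. %1 = server DNS name, %4 = suffix.
$aia = @(
    "1:$localDir\%1_%3%4.crt",
    "2:$httpBase/%1_%3%4.crt"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia

# Base CRL valid for one year and no delta CRLs: the root only has to be powered
# on once a year to publish a new CRL before the current one expires.
certutil -setreg CA\CRLPeriod 'Years'
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriodUnits 0

# The CA service reads these values at start; then publish a CRL with the new
# validity period.
Restart-Service -Name CertSvc
certutil -crl

# Copy the CRL and the CA certificate to the location the URLs point at. On a
# truly offline root this copy goes via removable media; the share is assumed.
Copy-Item -Path "$localDir\*.crl", "$localDir\*.crt" `
          -Destination '\\pki.adatum.com\CertData\' -Force

# --- Run the rest on a domain-joined computer as an Enterprise Admin ---------
# Registers the root certificate in AD DS so that domain members receive it in
# their Trusted Root Certification Authorities store without a manual import.
$rootCer = Get-ChildItem -Path '\\pki.adatum.com\CertData\*.crt' |
           Select-Object -First 1
certutil -dspublish -f $rootCer.FullName RootCA
```

After the yearly CRL refresh, repeat only the certutil -crl and Copy-Item steps; the root certificate itself does not change until the CA certificate is renewed.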

Demonstration: Deploying a Root CA


In this demonstration, you will see how to deploy an Enterprise root CA.

Demonstration Steps

Deploy a Root CA


1. In Server Manager, add the Active Directory Certificate Services role.
2. Select the Certification Authority role service.
3. After the installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server.
4. Select to install Enterprise Root CA.
5. Set the Key length to 4096.
6. Name the CA AdatumRootCA.

Considerations for Deploying a Subordinate CA


You can use a subordinate CA to implement policy restrictions for PKI, and to distribute certificates to clients. After installing a root CA for the organization, you can install one or more subordinate CAs.

When you are using a subordinate CA to distribute certificates to users or computers that have an account in an AD DS environment, you can install the subordinate CA as an enterprise CA. Then, you can use the data from the client accounts in AD DS to distribute and manage certificates, and to publish certificates to AD DS. However, to complete this procedure, you must be a member of the local Administrators group, or have equivalent permissions. If the subordinate CA will be an enterprise CA, you also need to be a member of the Domain Admins group or have equivalent permissions.

From a security perspective, a recommended scenario would be to have an offline standalone root CA and an enterprise subordinate CA.


A subordinate CA is usually deployed to achieve some of the following functionalities:

- Usage: You may issue certificates for a number of purposes, such as secure email and network authentication. The issuing policy for these uses may be distinct, and separation provides a basis for administering these policies.
- Organizational divisions: You may have different policies for issuing certificates, depending upon an entity's role in the organization. You can create subordinate CAs to separate and administer these policies.
- Geographic divisions: Organizations often have entities at multiple physical sites. Limited network connectivity between these sites may require individual subordinate CAs for many or all sites.
- Load balancing: If you will be using your PKI to issue and manage a large number of certificates, having only one CA can result in considerable network load for that single CA. Using multiple subordinate CAs to issue the same kind of certificates divides the network load between CAs.
- Backup and fault tolerance: Multiple CAs increase the possibility that your network will always have operational CAs available to respond to user requests.

How to Use the CAPolicy.inf File for Installation


If you want to deploy a root or subordinate CA, and you want to both predefine some values for use during installation and define some additional parameters, you can use the CAPolicy.inf file to complete these steps. The CAPolicy.inf file is a plain text file that contains various settings that are used when installing the AD CS role, or when renewing the CA certificate. The CAPolicy.inf file is not required to install AD CS, but without it, the default settings will be applied, and in many cases, the default settings are insufficient. You can use the CAPolicy.inf file to configure CAs in more complicated deployments.

Each CAPolicy.inf file is divided into sections, and has a simple structure, which can be described as follows:
- A section is an area in the .inf file that contains a logical group of keys. A section always appears in brackets in the .inf file.
- A key is the parameter that is to the left of the equal (=) sign.
- A value is the parameter that is to the right of the equal sign.

For example, if you want to specify an Authority Information Access point in the CAPolicy.inf file, you will use the following syntax:

[AuthorityInformationAccess]
URL=http://pki.adatum.com/CertData/adatumCA.crt

In this example, AuthorityInformationAccess is a section, URL is the key, and http://pki.adatum.com/CertData/adatumCA.crt is the value.


You can also specify some CA server settings in the CAPolicy.inf file. One example of the section that specifies these settings is:

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0

Note: All parameters from the previous examples are optional. You can also use the CAPolicy.inf file when installing AD CS to define the following:

- Certification practice statement (CPS): Describes the practices that the CA uses to issue certificates. This includes the types of certificates issued, information for issuing, renewing, and recovering certificates, and other details about the CA's configuration.
- Object identifier (also known as OID): Identifies a specific object or attribute.
- CRL publication intervals: Defines the interval between publications for the base CRL.
- CA renewal settings: Defines renewal settings as follows:
  o Key size: Defines the length of the key pair used during the root CA renewal.
  o Certificate validity period: Defines the validity period for a root CA certificate.
  o CDP and AIA paths: Provides the path used for root CA installations and renewals.

Once you have created your CAPolicy.inf file, you must copy it into the %systemroot% folder of your server (for example, C:\Windows) before you install the AD CS role, or before you renew the CA certificate.

Note: The CAPolicy.inf file is processed for both the root and subordinate CA installations and renewals.
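The "Deploy a Root CA" demonstration and the CAPolicy.inf topic combined into one Windows PowerShell deployment, added here as an example that is not part of the course material: the script writes a CAPolicy.inf carrying the [AuthorityInformationAccess] and [certsrv_server] settings shown above into %systemroot%, then installs the Enterprise root CA AdatumRootCA with a 4096-bit key using the AD CS deployment cmdlets. Assumptions: a domain-joined Windows Server 2012 computer, an Enterprise Admins session, and pki.adatum.com (the course's sample host name) as the HTTP location for the CA certificate; SHA-256 is chosen here in place of the SHA-1 default described in the root CA considerations.

```powershell
# Added example (not from the course): scripted equivalent of the demonstration,
# with CAPolicy.inf in place before the CA is configured.

# Single-quoted here-string so that the $ signs in "$Windows NT$" stay literal.
# [Version] is the mandatory header of every CAPolicy.inf.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[AuthorityInformationAccess]
URL=http://pki.adatum.com/CertData/adatumCA.crt

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0
'@

# The file is read from %systemroot% (for example C:\Windows) during role
# configuration and again only when the CA certificate is renewed.
$policyPath = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $policyPath -Value $caPolicy -Encoding Ascii

# Demonstration steps 1 and 2: add the AD CS role with the Certification
# Authority role service and its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 3 to 6: configure an Enterprise root CA named AdatumRootCA with a
# 4096-bit key. The provider name uses the CNG "algorithm#provider" form, so a
# CNG key storage provider is used and SHA-256 can be selected for signing.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'AdatumRootCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Confirm that the CRL publication interval from CAPolicy.inf reached the CA
# configuration (2 Days is expected from the file above).
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
```

RenewalKeyLength is raised from the 2048 of the course sample to 4096 so that a renewal keeps the key size chosen at installation; the other [certsrv_server] values are the course's own.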


Lesson 3

Deploying and Managing Certificate Templates

Certificate templates define how a certificate can be requested and for what it can be used. Templates are configured on the CA, and they are stored in the Active Directory database. There are different versions of templates: the Microsoft Windows 2000 Server Enterprise CA supports version 1 certificate templates, the Windows Server 2003 Enterprise Edition supports versions 1 and 2 templates, and Windows Server 2008 Enterprise supports versions 1, 2, and 3 certificate templates. Windows Server 2012 introduces version 4 templates, yet still also supports all three previous template versions. The two types of certificate template categories are users and computers, and each can be used for multiple purposes. You can assign Full Control, Read, Write, Enroll, and Autoenroll permissions to certificate templates. You can update certificate templates by modifying the original certificate template, copying a template, or superseding existing certificate templates. In this lesson, you will learn how to manage and deploy certificate templates.

Lesson Objectives


After completing this lesson, you will be able to:
- Describe certificate templates.
- Describe certificate template versions in Windows Server 2012.
- Configure certificate template permissions.
- Configure certificate template settings.
- Describe options for updating a certificate template.
- Modify and enable a certificate template.

What Are Certificate Templates?


Certificate templates allow administrators to customize the distribution method of certificates, define certificate purposes, and mandate the type of usage allowed by a certificate. Administrators can easily create templates, and can then quickly deploy them to the enterprise by using the built-in GUI or command-line management utilities.

Associated with each certificate template is its DACL, which defines what security principals have permissions to read and configure the template, and to enroll or autoenroll for certificates based on the template. The certificate templates and their permissions are defined in AD DS and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all CAs.

When you define a certificate template, the definition of the certificate template must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context, where CN=Configuration, and DC=ForestRootName. The replication of this information depends on the Active Directory replication schedule, and the certificate template may not be available to all CAs until replication completes. Storage and replication are accomplished automatically.


Note: Prior to Windows Server 2008 R2, only the Enterprise version of Windows Server supported management of certificate templates. In Windows Server 2008 R2 and Windows Server 2012, you can also manage certificate templates in the Standard editions.

Certificate Template Versions in Windows Server 2012


Windows Server 2012 Certification Authority supports four versions of certificate templates. Certificate template versions 1, 2 and 3 are legacy from previous versions of Windows Server, while version 4 is new to Windows Server 2012. Certificate template versions correspond to the Windows Server operating system version. Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2012 correspond to version 1, version 2, version 3, and version 4 respectively.

Aside from corresponding with Windows Server operating system versions, certificate template versions also have some functional differences as follows:

- Windows 2000 Advanced Server operating system provides support for version 1 certificate templates. The only modification allowed to version 1 templates is changing permissions to either allow or disallow enrollment of the certificate template. When you install an enterprise CA, version 1 certificate templates are created by default. As of July 13, 2010, Windows 2000 Server is no longer supported by Microsoft.

- Windows Server 2003 Enterprise Edition operating systems provide support for version 1 and version 2 templates. You can customize several settings in the version 2 templates. The default installation provides several preconfigured version 2 templates. You can add version 2 templates based on the requirements of your organization. Alternatively, you can duplicate a version 1 certificate template to create a new version 2 of the template. You can then modify and secure the newly created version 2 certificate template. When new templates are added to a Windows Server 2003 enterprise CA, they are version 2 by default.

- Windows Server 2008 Enterprise operating systems bring support for new, version 3 certificate templates. Additionally, support for version 1 and version 2 is provided. Version 3 certificate templates support several features of a Windows Server 2008 enterprise CA, such as CNG. CNG provides support for Suite B cryptographic algorithms such as elliptic curve cryptography (ECC). In Windows Server 2008 Enterprise, you can duplicate default version 1 and version 2 templates to bring them up to version 3. Windows Server 2008 provides two new certificate templates by default: Kerberos Authentication and OCSP Response Signing. In Windows Server 2008 R2, the Standard version was also able to support certificate templates. When you use version 3 certificate templates, you can use CNG encryption and hash algorithms for the certificate requests, issued certificates, and protection of private keys for key exchange and key archival scenarios.
- Windows Server 2012 operating systems provide support for version 4 certificate templates, and for all other versions from earlier editions of Windows Server. These certificate templates are available only to Windows Server 2012 and Windows 8. To help administrators separate what features are supported by which operating system version, the Compatibility tab was added to the certificate template properties. It marks options as unavailable in the certificate template properties, depending upon the selected operating system versions of certificate client and CA. Version 4 certificate templates also support both CSPs and KSPs. They can also be configured to require renewal with the same key.

Upgrading certificate templates is a process that applies only in situations where the CA has been upgraded from Windows Server 2008 or 2008 R2 to Windows Server 2012. After the upgrade, you can upgrade the certificate templates by launching the CA Manager console and accepting the upgrade prompt by clicking Yes.

Configuring Certificate Template Permissions


To configure certificate template permissions, you need to define the DACL for each certificate template in the Security tab. The permissions that are assigned to a certificate template will define which users or groups can read, modify, enroll, or autoenroll for that certificate template. You can assign the following permissions to certificate templates:

- Full Control: The Full Control permission allows a security principal to modify all attributes of a certificate template, which includes permissions for the certificate template itself. It also includes permission to modify the security descriptor of the certificate template.

- Read: The Read permission allows a user or computer to view the certificate template when enrolling for certificates. The Read permission is also required by the certificate server to find the certificate templates in AD DS.

- Write: The Write permission allows a user or computer to modify the attributes of a certificate template, which includes permissions assigned to the certificate template itself.

- Enroll: The Enroll permission allows a user or computer to enroll for a certificate based on the certificate template. However, to enroll for a certificate, you must also have Read permissions for the certificate template.

- Autoenroll: The Autoenroll permission allows a user or computer to receive a certificate through the autoenrollment process. However, the Autoenroll permission requires the user or computer to also have both Read and Enroll permissions for a certificate template.

As a best practice, you should assign certificate template permissions to global or universal groups only. This is because the certificate template objects are stored in the configuration naming context in AD DS. You cannot assign permissions by using domain local groups that are found within an Active Directory domain. You should never assign certificate template permissions to individual user or computer accounts. As a best practice, keep the Read permission allocated to the Authenticated Users group. This permission allocation allows all users and computers to view the certificate templates in AD DS. This permission assignment also allows the CA that is running under the System context of a computer account to view the certificate templates when assigning certificates.
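The permissions and best practices above can be audited rather than inspected one Security tab at a time, because the templates are ordinary objects under the Configuration naming context. The following script is an added example and is not part of the course or of any Microsoft tool; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition. It maps each ACE to the permission names shown on the Security tab, reports the template schema version discussed earlier in this lesson, and flags the two conditions the text warns about: Write or Full Control held by a broad principal, and any permission assigned to an individual account instead of a group. It also reports templates where Authenticated Users no longer hold Read.

```powershell
# Added example, not part of the course text: audit certificate template
# permissions in AD DS against the best practices above. Assumes the
# ActiveDirectory module (RSAT) and read access to the Configuration NC.
Import-Module ActiveDirectory

# Well-known GUIDs of the two extended rights used on certificate templates.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-11d1-aa54-00c04fd7d83a'

# Principals that should never be able to modify a template.
$BroadPrincipals = 'Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers'

function Resolve-TemplateRights {
    # Map one ACE to the permission names the template's Security tab shows.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $r = $Ace.ActiveDirectoryRights
    $names = @()
    if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { $names += 'Full Control' }
    elseif ($r -band ([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                      [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                      [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)) { $names += 'Write' }
    if ($r -band ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) { $names += 'Read' }
    if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        # An empty ObjectType grants every extended right, i.e. Enroll and Autoenroll.
        if ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $EnrollGuid)     { $names += 'Enroll' }
        if ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $AutoenrollGuid) { $names += 'Autoenroll' }
    }
    return $names
}

function Test-IsGroup {
    # True when the identity is an AD group or a well-known group such as
    # Authenticated Users (which has no directory object to look up).
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $true }      # unresolvable (deleted) principal: do not flag as a user
    $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass -ErrorAction SilentlyContinue
    if (-not $obj) { return $true }
    return ($obj.objectClass -eq 'group')
}

function Get-TemplateAclReport {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $container -Filter 'objectClass -eq "pKICertificateTemplate"' `
                              -Properties 'msPKI-Template-Schema-Version'
    foreach ($tpl in $templates) {
        $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
        $authUsersRead = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = Resolve-TemplateRights $ace
            if (-not $rights) { continue }
            $who       = $ace.IdentityReference.Value
            $shortName = $who.Split('\')[-1]
            if ($shortName -eq 'Authenticated Users' -and $rights -contains 'Read') { $authUsersRead = $true }
            $findings = @()
            if ($shortName -in $BroadPrincipals -and ($rights -contains 'Write' -or $rights -contains 'Full Control')) {
                $findings += 'broad principal can modify the template'
            }
            if (-not (Test-IsGroup $ace.IdentityReference)) {
                $findings += 'permission assigned to an individual account, not a group'
            }
            [pscustomobject]@{
                Template  = $tpl.Name
                Version   = $tpl.'msPKI-Template-Schema-Version'
                Principal = $who
                Rights    = ($rights -join ', ')
                Finding   = ($findings -join '; ')
            }
        }
        if (-not $authUsersRead) {
            [pscustomobject]@{ Template = $tpl.Name; Version = $tpl.'msPKI-Template-Schema-Version'
                               Principal = 'Authenticated Users'; Rights = '(none)'
                               Finding = 'Read not granted; CA and clients may not find this template' }
        }
    }
}

# Show only rows with a finding; drop the filter to see every ACE.
Get-TemplateAclReport | Where-Object Finding | Format-Table -AutoSize
```

Run it from any domain-joined computer after changing template permissions; an empty result means every template follows the group-only rule and Authenticated Users still hold Read everywhere.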

Configuring Certificate Template Settings

Besides configuring security settings for certificate templates, you can also configure several other settings for each template. Be aware, however, that the number of configurable options depends on the certificate template version. For example, version 1 certificate templates do not allow modification of any settings, except for security, while certificate templates from higher versions allow you to configure most of the available options. Windows Server 2012 provides several default certificate templates for purposes that include code signing (for digitally signing software), EFS (for encrypting data), and the ability for users to log on with a smart card. To customize a template for your company, duplicate the template and then modify the certificate configuration. For example, you can configure the following:

- Format and content of a certificate based on the certificate's intended use

  Note: The intended use of a certificate may relate to users or to computers, based on the types of security implementations that are required to use the PKI.

- Process of creating and submitting a valid certificate request
- CSP supported
- Key length
- Validity period
- Enrollment process or enrollment requirements

You can also define certificate purpose in certificate settings. Certificate templates can have the following purposes:

- Single Purpose: A single purpose certificate serves a single purpose, such as allowing users to log on with a smart card. Organizations utilize single purpose certificates in cases where the certificate configuration differs from other certificates that are being deployed. For example, if all users will receive a certificate for smart card logon but only a couple of groups will receive a certificate for EFS, organizations will generally keep these certificates and templates separate to ensure that users only receive the required certificates.

- Multiple Purposes: A multi-purpose certificate serves more than one purpose (often unrelated) at the same time. While some templates (such as the User template) serve multiple purposes by default, organizations will often modify templates to serve additional purposes. For example, if a company intends on issuing certificates for three purposes, those purposes can be combined into a single certificate template to ease the administrative effort and maintenance.


Options for Updating a Certificate Template


The CA hierarchy in most organizations has one certificate template for each job function. For example, there may be a certificate template for file encryption and another for code signing. Additionally, there may be a few templates that cover functions for most of the common groups of subjects. As an IT administrator, you may need to modify an existing certificate template because of incorrect settings or other issues in the original certificate template. You may also need to merge multiple existing certificate templates into a single template. You can update a certificate template by either modifying the template, or superseding the existing template:

- Modify the original certificate template: To modify a certificate template of version 2, 3, or 4, you need to make changes and then apply them to that template. After this, any certificate issued by a CA based on that certificate template will include the modifications that you made.

- Supersede existing certificate templates: The CA hierarchy of an organization may have multiple certificate templates that provide the same or similar functionality. In such a scenario, you can supersede or replace the multiple certificate templates by using a single certificate template. You can make this replacement in the Certificate Templates console by designating that a new certificate template supersedes, or replaces, the existing certificate templates.

Demonstration: Modifying and Enabling a Certificate Template


In this demonstration, you will see how to modify and enable a certificate template.

Demonstration Steps

Modify and enable a certificate template


1. On LON-SVR1, open the Certificate Templates console.
2. Review the list of available templates.
3. Open Properties of the IPSec certificate template and review available settings.
4. Duplicate the Exchange User certificate template. Name it Exchange User Test1, and then configure it to supersede the Exchange User template.
5. Allow Authenticated Users to enroll for the Exchange User Test1 template.
6. Publish the template on LON-SVR1.


Lesson 4

Implementing Certificate Distribution and Revocation

One step in deploying PKI in your organization will be to define methods for certificate distribution and enrollment. In addition, during the certificate management process, there will be times that you may need to revoke certificates. There may be a number of reasons for revoking certificates, such as if a key becomes compromised, or if someone leaves the organization. You need to ensure that network clients can determine which certificates are revoked before accepting authentication requests. To ensure scalability and high availability, you can deploy the AD CS Online Responder, which can be used to provide certificate revocation status. In this lesson, you will learn about methods for certificate distribution and certificate revocation.

Lesson Objectives


After completing this lesson, you will be able to:

- Describe options for certificate enrollment.
- Describe how autoenrollment works.
- Describe the Restricted Enrollment Agent.
- Explain how to configure the Restricted Enrollment Agent.
- Describe the Network Device Enrollment Service.
- Explain how certificate revocation works.
- Describe considerations for publishing AIAs and CDPs.
- Describe an Online Responder.
- Configure Online Responder.

Options for Certificate Enrollment


In Windows Server 2012, several methods can be used to enroll for a user or computer certificate. The use of these methods depends on specific scenarios. For example, autoenrollment will probably be used to mass-deploy certificates to a large number of users or computers, while manual enrollment will be used for certificates dedicated just to specific security principals. The following list describes the different enrollment methods, and when to use them:

- Autoenrollment: Using this method, the administrator defines the permissions and the configuration of a certificate template. These definitions help the requestor to automatically request, retrieve, and renew certificates without end-user interaction. This method is used for AD DS domain computers. The certificate must be configured for autoenrollment through Group Policy.

- CA Web enrollment: Using this method, you can enable a website CA so that users can obtain certificates. To use CA Web enrollment, you must install Internet Information Server (IIS) and the web enrollment role on the CA of AD CS. To obtain a certificate, the requestor logs on to the website, selects the appropriate certificate template, and then submits a request. The certificate is issued automatically if the user has the appropriate permissions to enroll for the certificate. The CA Web enrollment method should be used to issue certificates when autoenrollment cannot be used. This can happen in the case of an Advanced Certificate request. However, there can also be cases where autoenrollment can be used for certain certificates, but not for all certificates.

- Manual enrollment: Using this method, the private key and a certificate request are generated on a device, such as a web service or a computer. The certificate request is then transported to the CA to generate the certificate that is requested. The certificate is then transported back to the device for installation. Use this method when the requestor cannot communicate directly with the CA, or if the device does not support autoenrollment.

- Enrollment on behalf (Enrollment Agent): Using this method, a CA administrator creates an Enrollment Agent account for a user. The user with Enrollment Agent rights can then enroll for certificates on behalf of other users. For example, use this method if you need to allow a manager to preload logon certificates of new employees on smart cards.

How Does Autoenrollment Work?


One of the most common methods for deploying certificates in an Active Directory environment is to use autoenrollment. This method provides an automated way to deploy certificates to both users and computers within the PKI. You can use autoenrollment in environments that meet specific requirements, such as the use of certificate templates and Group Policy in AD DS. It is important to note, however, that you cannot use autoenrollment with a standalone CA. You must have an enterprise CA available to make use of autoenrollment.

You can use autoenrollment to deploy public key-based certificates automatically to users and computers in an organization. The Certificate Services administrator duplicates a certificate template, and then configures the permissions to allow Enroll and Autoenroll permissions for the users who will receive the certificates. Domain-based Group Policies, such as computer-based and user-based policies, can activate and manage autoenrollment. By default, Group Policy is applied when you restart computers, or at logon for users. Also by default, Group Policy is refreshed every 90 minutes on domain members. This Group Policy setting is named Certificate Services Client - Auto-Enrollment.

An internal timer triggers autoenrollment every eight hours after the last autoenrollment activation. The certificate template might specify user interaction for each request. For such a request, a pop-up window appears approximately 60 seconds after the user logs on. Many certificates can be distributed without the client even being aware that enrollment is taking place. These include most types of certificates that are issued to computers and services, as well as many certificates issued to users. To enroll clients automatically for certificates in a domain environment, you must:

- Have membership in Domain Admins or Enterprise Admins (or equivalent), which is the minimum required to complete this procedure.
- Configure a certificate template with Autoenroll permissions.
- Configure an autoenrollment policy for the domain.
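Once the template and the Group Policy setting above are in place, the client side of both autoenrollment and manual enrollment can be checked from PowerShell on a Windows 8 or Windows Server 2012 domain member. The script below is an added example, not course material or a Microsoft-supplied script. It reads the value the "Certificate Services Client - Auto-Enrollment" policy writes to the user registry hive (the path and the AEPolicy value are the policy's own storage location; the script only reads it), forces the same enrollment pass the eight-hour timer would run, identifies which template each issued certificate came from, and pulls any autoenrollment warnings or errors from the Application log, which is where a denied Enroll/Autoenroll permission surfaces instead of a pop-up. The last function covers the manual enrollment method from the list above using the built-in Get-Certificate cmdlet; the template name User is the default template the text mentions.

```powershell
# Added example, not from the course: verify and exercise user autoenrollment
# on a domain-joined client. Assumes the Auto-Enrollment policy is delivered
# by Group Policy and that an enterprise CA is reachable.

function Get-AutoenrollmentPolicy {
    # Registry location the GPO setting writes to. Bit 0x8000 = Disabled;
    # 7 is the usual value when Enabled with both renew/update options set.
    $key   = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)    { return 'Not configured' }
    if ($value -band 0x8000) { return 'Disabled' }
    return "Enabled (AEPolicy=$value)"
}

function Invoke-Autoenrollment {
    # Refresh policy and trigger the autoenrollment pass immediately instead
    # of waiting for the next logon, 90-minute refresh, or 8-hour timer.
    gpupdate /target:user /force | Out-Null
    certutil -pulse | Out-Null
}

function Get-TemplateName {
    # An enterprise CA records the template in the issued certificate:
    # v1 templates by name (OID 1.3.6.1.4.1.311.20.2), v2+ by OID (1.3.6.1.4.1.311.21.7).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
            return $ext.Format($false)
        }
    }
    return '(not issued from a template)'
}

function Get-EnrolledCertificates {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Template   = Get-TemplateName $_
            Thumbprint = $_.Thumbprint
        }
    }
}

function Get-AutoenrollmentErrors {
    # Autoenrollment logs to the Application log; failures to reach the CA or
    # missing Enroll/Autoenroll permission appear here, not on screen.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Level        = 2, 3            # Error, Warning
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Request-TemplateCertificate {
    # Manual enrollment through the same client stack, for a template that
    # grants Enroll but not Autoenroll. Returns Status (Issued/Pending/Denied).
    param([string]$Template = 'User')
    Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
}

Get-AutoenrollmentPolicy
Invoke-Autoenrollment
Get-EnrolledCertificates | Format-Table -AutoSize
Get-AutoenrollmentErrors  | Format-List
```

If Get-AutoenrollmentPolicy reports "Not configured" after a gpupdate, the policy is not linked to an OU that contains the user; if it is enabled but no certificate appears and the log shows an access-denied event, check the template's Enroll and Autoenroll ACEs against the group memberships of the user.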

What Is Credential Roaming?

Credential Roaming allows organizations to store certificates and private keys in AD DS, separately from application state or configuration information.

Credential Roaming uses existing logon and autoenrollment mechanisms to download certificates and keys to a local computer whenever a user logs on and, if desired, remove them when the user logs off. In addition, the integrity of these credentials is maintained under any conditions, such as when certificates are updated, or when users log on to more than one computer at a time. This avoids the scenario where a user is autoenrolled for a certificate on each new machine to which he or she logs on. Credential Roaming is triggered any time a private key or certificate in the user's local certificate store changes, whenever the user locks or unlocks the computer, and whenever Group Policy is refreshed.

All certificate-related communication between components on the local computer and between the local computer and AD DS is signed and encrypted. Credential Roaming is supported in Windows 7 and newer Windows operating systems.

What Is the Restricted Enrollment Agent?


In earlier versions of Windows Server CA, such as Windows Server 2003, it is not possible to permit an Enrollment Agent to enroll only a certain group of users. As a result, every user with an Enrollment Agent certificate is able to enroll on behalf of any user in an organization. The Restricted Enrollment Agent allows you to limit the permissions for users who are designated as Enrollment Agents, to enroll for smart card certificates on behalf of other users. The Restricted Enrollment Agent is a functionality that was introduced in the Windows Server 2008 Enterprise operating system.

Typically, one or more authorized individuals within an organization are designated as Enrollment Agents. The Enrollment Agent needs to be issued an Enrollment Agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of corporate security, IT security, or help desk teams, because these individuals have already been entrusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an Enrollment Agent is required to enable smart card credentials to be issued from multiple locations. On a Windows Server 2012 CA, the restricted Enrollment Agent features allow an Enrollment Agent to be used for one or many certificate templates. For each certificate template, you can choose on behalf of which users or security groups the Enrollment Agent can enroll. You cannot constrain an Enrollment Agent based on a certain Active Directory organizational unit (OU) or container. Instead, you must use security groups.


Note: Using restricted Enrollment Agents will affect the performance of the CA. To optimize performance, you should minimize the number of accounts that are listed as Enrollment Agents. You should also minimize the number of accounts in the Enrollment Agents permissions list. As a best practice, use group accounts in both lists instead of individual user accounts.

Demonstration: Configuring the Restricted Enrollment Agent


In this demonstration, you will see how to configure the Restricted Enrollment Agent.

Demonstration Steps

Configure the Restricted Enrollment Agent


1. On LON-SVR1, open the Certificate Templates console.
2. Configure Allie Bellew permissions to enroll for an Enrollment Agent certificate.
3. Publish the Enrollment Agent certificate template.
4. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
5. Open an MMC console and add the Certificates snap-in.
6. Request the Enrollment Agent certificate.
7. Switch to LON-SVR1, and open the properties of AdatumRootCA.
8. Configure the Restricted Enrollment Agent so that Allie can only issue certificates based on the User template, and only for the Marketing security group.

What Is Network Device Enrollment Service?


The Network Device Enrollment Service (NDES) is the Microsoft implementation of Simple Certificate Enrollment Protocol (SCEP). SCEP is a communication protocol that makes it possible for software that is running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a CA. You can use NDES as an Internet Server API (ISAPI) filter on IIS to perform the following functions:

- Create and provide one-time enrollment passwords to administrators.
- Retrieve awaiting requests from the CA.
- Collect and process SCEP enrollment requests for the software that runs on network devices.

This feature applies to organizations that have PKIs with one or more Windows Server 2012-based CAs, and that want to enhance the security of their network devices. Port security, based on 802.1x, requires certificates be installed on switches and access points. Secure Shell (SSH), instead of Telnet, requires a certificate on the router, switch, or access point. NDES is the service that allows administrators to install certificates on devices using SCEP.


Adding support for NDES can enhance the flexibility and scalability of an organization's PKI. Therefore, this feature should interest PKI architects, planners, and administrators. Before installing NDES, you must decide:

- Whether to set up a dedicated user account for the service, or use the Network Service account.
- The name of the NDES registration authority and what country/region to use. This information is included in any SCEP certificates that are issued.
- The CSP to use for the signature key that is used to encrypt communication between the CA and the registration authority.
- The CSP to use for the encryption key that is used to encrypt communication between the registration authority and the network device.
- The key length for each of these keys.

In addition, you need to create and configure the certificate templates for the certificates that are used in conjunction with NDES.

Installing NDES on a computer creates a new registration authority and deletes any preexisting registration authority certificates on the computer. Therefore, if you plan to install NDES on a computer where another registration authority has already been configured, any pending certificate requests should be processed and any unclaimed certificates should be claimed before you install NDES.
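Each decision in the list above corresponds to a parameter of the ADCSDeployment module's Install-AdcsNetworkDeviceEnrollmentService cmdlet, so the installation can be recorded as a script rather than clicked through. The following is an added example, not part of the course and not a Microsoft-supplied script. It assumes a Windows Server 2012 member server, the course's lab CA name LON-SVR1\AdatumRootCA, a dedicated service account ADATUM\svc_ndes (constructed name) that has been added to the local IIS_IUSRS group, and a constructed device template name AdatumNDESDevice that you would create as described in the paragraph above. The post-install step reads the NDES registry keys to confirm which templates the registration authority will use and that one-time enrollment passwords are enforced.

```powershell
# Added example, not from the course: unattended NDES installation that
# records the five decisions listed above, followed by a configuration check.
# Assumes: Windows Server 2012, CA "LON-SVR1\AdatumRootCA" (lab name),
# service account ADATUM\svc_ndes and template AdatumNDESDevice (constructed).
Import-Module ServerManager

# Role service; the ADCSDeployment cmdlets are installed with it.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools

# Decision 1: dedicated service account rather than Network Service.
$svcCred = Get-Credential -UserName 'ADATUM\svc_ndes' -Message 'NDES service account'

# Decisions 2-5: RA name and country, the CSP for the signing key (CA <-> RA),
# the CSP for the encryption key (RA <-> device), and the key lengths.
$ndesParams = @{
    CAConfig               = 'LON-SVR1\AdatumRootCA'
    ServiceAccountName     = $svcCred.UserName
    ServiceAccountPassword = $svcCred.Password
    RAName                 = 'Adatum-NDES-RA'
    RACompany              = 'A. Datum Corporation'
    RACountry              = 'US'
    SigningProviderName    = 'Microsoft Strong Cryptographic Provider'
    SigningKeyLength       = 2048
    EncryptionProviderName = 'Microsoft Strong Cryptographic Provider'
    EncryptionKeyLength    = 2048
    Force                  = $true
}
Install-AdcsNetworkDeviceEnrollmentService @ndesParams

# Point the registration authority at the device template created for NDES.
# All three values are read by the service; the CA must be issuing the template
# and the service account must hold Enroll on it.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($name in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    Set-ItemProperty -Path $mscep -Name $name -Value 'AdatumNDESDevice'
}
iisreset | Out-Null      # NDES reads these values at application start

function Get-NdesConfiguration {
    # Summarise what the installed RA will do; EnforcePassword=1 means every
    # SCEP request must carry a one-time password issued via the admin page.
    $tpl = Get-ItemProperty -Path $mscep
    $pw  = Get-ItemProperty -Path "$mscep\EnforcePassword" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EncryptionTemplate     = $tpl.EncryptionTemplate
        SignatureTemplate      = $tpl.SignatureTemplate
        GeneralPurposeTemplate = $tpl.GeneralPurposeTemplate
        OneTimePasswordEnforced = ($pw.EnforcePassword -eq 1)
    }
}

Get-NdesConfiguration
```

Keep OneTimePasswordEnforced true in production: with it disabled, any device that can reach the SCEP URL can request a certificate from the configured template without an administrator first generating a password for it.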

How Does Certificate Revocation Work?


Revocation is the process in which you disable validity of one or more certificates. By initiating the revoke process, you actually publish a certificate thumbprint in the corresponding CRL. An overview of the certificate revocation life cycle is outlined as follows:

- A certificate is revoked from the CA MMC snap-in. During revocation, a reason code and a date and time are specified. This is optional, but recommended to fill.

- The CRL is published using the CA MMC snap-in (or the scheduled revocation list is published automatically based on the configured value). CRLs can be published in AD DS, some shared folder location, or on a website.

- When Windows client computers are presented with a certificate, they use a process to verify revocation status by querying the issuing CA. This process determines whether the certificate is revoked, and then presents the information to the application requesting the verification. The Windows client computer uses one of the CRL locations specified in the certificate to check its validity.

The Windows operating systems include a CryptoAPI, which is responsible for the certificate revocation and status checking processes. The CryptoAPI utilizes the following phases in the certificate checking process:

- Certificate Discovery: Certificate discovery collects CA certificates, AIA information in issued certificates, and details of the certificate enrollment process.

- Path validation: Path validation is the process of verifying the certificate through the CA chain (or path) until the root CA certificate is reached.

- Revocation checking: Each certificate in the certificate chain is verified to ensure that none of the certificates are revoked.

- Network retrieval and caching: Network retrieval is performed by using OCSP. CryptoAPI is responsible for checking the local cache first for revocation information and if there is no match, making a call using OCSP, which is based on the URL provided by the issued certificate.

Considerations for Publishing AIAs and CDPs


When you are managing and issuing certificates, it is very important to properly configure certificate extensions that are used to verify the certificate of the CA, and the certificate that is being used by the user. These extensions, called AIA and CDP, are part of each certificate. They must point to proper locations, or PKI may not function correctly.

What Is AIA?

AIA addresses are the URLs (addresses that uniquely identify each location on the Internet or intranet) in the certificates that a CA issues. These addresses tell the verifier of a certificate where to retrieve the CA's certificate. AIA access URLs can be HTTP, File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), or FILE addresses.

What Is CDP?

CDP is a certificate extension that indicates from where the certificate revocation list for a CA can be retrieved. It can contain none, one, or many HTTP, FILE, or LDAP URLs.

AIA and CDP Publishing

If you use only an online CA, these values are configured by default locally on the CA. However, if you want to deploy an offline root CA or if you want to publish AIA and CDP to an internet facing location, you must reconfigure these values so that they apply to all certificates issued by the root CA. The AIA and CDP extensions define where client applications can locate AIA and CDP information for the root CA. The formatting and publishing of AIA and CDP extension URLs are generally the same for root CAs and subordinate CAs. You can publish the root CA certificate and the CRL to the following locations:

- Active Directory
- Web servers
- File Transfer Protocol (FTP) servers
- File servers

Publication Points

To ensure accessibility to all computers in the forest, publish the offline root CA certificate and the offline root CA's CRL to Active Directory by using the Certutil command. This places the root CA certificate and CRL in the Configuration naming context, which Active Directory replicates to all domain controllers in the forest. For computers that are not members of Active Directory, place the CA certificate and CRL on web servers by using the HTTP protocol. Locate the web servers on the internal network, and also on the external network if external client computers (or internal clients from external networks) require access. This is very important if you are using internally issued certificates outside your company. You can also publish certificates and CRLs to ftp:// and FILE:// URLs, but it is recommended that you use only LDAP and HTTP URLs, because they are the most widely supported URL formats for interoperability purposes. The order in which you list the CDP and AIA extensions is important because the certificate chaining engine searches the URLs sequentially. Place the LDAP URL first in the list if your certificates are mostly used internally.

What Is an Online Responder?


By using OCSP, an Online Responder provides clients with an efficient way to determine the revocation status of a certificate. OCSP submits certificate status requests using HTTP. Clients access CRLs to determine the revocation status of a certificate. CRLs might be large, and clients might utilize a large amount of time to search through these CRLs. An Online Responder can dynamically search these CRLs for the clients and respond only to the requested certificate.

You can use a single Online Responder to determine revocation status information for certificates that are issued by a single CA, or by multiple CAs. However, you can use more than one Online Responder to distribute CA revocation information. You can install an Online Responder on any computer that runs Windows Server 2008 Enterprise or Windows Server 2012. You should install an Online Responder and a CA on different computers. The following operating systems can use Online Responder for validation of certificate status:

- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Vista
- Windows 7
- Windows 8

For scalability and high availability, you can deploy the Online Responder in a load-balanced array using Network Load Balancing (NLB), which processes certificate status requests. You can monitor and manage each member of the array independently. To configure the Online Responder, you must use the Online Responder management console. You must configure the CAs to include the URL of the Online Responder in the AIA extension of issued certificates. The OCSP client uses this URL to validate the certificate status. You must also issue the OCSP Response Signing certificate template, so that the Online Responder can also enroll that certificate.

How to Install and Configure Online Responder

You can install Online Responders on computers that are running Windows Server 2008 R2 or Windows Server 2012. You should install Online Responders after the CAs, but before issuing any client certificates.


The certificate revocation data is derived from a published CRL that can come from a CA on a computer that is running Windows Server 2008 or newer, or Windows Server 2003, or from a non-Microsoft CA. Before configuring a CA to support the Online Responder service, the following must be present:

- IIS must be installed on the computer during the Online Responder installation. The correct configuration of IIS for the Online Responder is installed automatically when you install an Online Responder.

- An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed.

- The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status.

After an Online Responder has been installed, you need to create a revocation configuration for each CA and CA certificate that is served by an Online Responder. A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued using a specific CA key. These configuration settings include:

- CA certificate. This certificate can be located on a domain controller, in the local certificate store, or imported from a file.

- Signing certificate for the Online Responder. This certificate can be selected automatically for you, selected manually (which involves a separate import step after you add the revocation configuration), or you can use the selected CA certificate.

- Revocation provider that will provide the revocation data used by this configuration. This information is entered as one or more URLs where the valid base and delta CRLs can be obtained.

Demonstration: Configuring an Online Responder


In this demonstration, you will see how to configure an Online Responder.

Demonstration Steps

Configure an Online Responder


1. On LON-SVR1, use Server Manager to add an Online Responder role service to the existing AD CS role.
2. Configure a new AIA distribution location on AdatumRootCA to be http://lon-svr1/ocsp.
3. On AdatumRootCA, publish the OCSP Response Signing certificate template, and allow Authenticated Users to enroll.
4. Open the Online Responder Management console.
5. Add a revocation configuration for AdatumRootCA.
6. Enroll for an OCSP Response Signing certificate.
7. Ensure that the revocation configuration status displays as Working.


Lesson 5

Managing Certificate Recovery

Certificate or key recovery is one of the most important management tasks during the certificate life cycle. You use a key archival and recovery agent for data recovery if you lose your public and private keys. You can also use automatic or manual key archival and key recovery methods to ensure that you can gain access to data in the event that your keys are lost. In this lesson, you will learn how to manage key archival and recovery in Windows Server 2012 AD CS.

Lesson Objectives


After completing this lesson, you will be able to:

- Describe the process of key archival and recovery.
- Configure automatic key archival.
- Configure a CA for key archival.
- Explain key recovery.
- Recover a lost key.

Overview of Key Archival and Recovery


If you lose your public and private keys, you will not be able to access any data that is encrypted by using the certificate's public key. This data can include Encrypting File System (EFS) and Secure/Multipurpose Internet Mail Extensions (S/MIME). Therefore, archival and recovery of public and private keys are important.

Conditions for Losing Keys


You may lose key pairs due to the following conditions:

- User profile is deleted or corrupted. A CSP encrypts a private key and stores the encrypted private key in the local file system and registry in the user profile folder. Deletion or corruption of the profile results in the loss of the private key material.

- Operating system is reinstalled. When you reinstall the operating system, the previous installations of the user profiles are lost, including the private key material.

- Disk is corrupted. If the hard disk becomes corrupted and the user profile is unavailable, the private key material is lost automatically.

- Computer is stolen. If a user's computer is stolen, the user profile with the private key material is unavailable.

Key Archival and Recovery Agents

You use key archival and Key Recovery Agents (KRA) for data recovery. You can ensure that CA administrators can recover private keys by archiving them. KRAs are designated users who are able to retrieve the original certificate, private key, and public key that were used to encrypt the data, from the CA database. A specific certificate template is applied to a KRA. When you enable key archival in a version 2 certificate template, the CA encrypts and stores that private key in its database. In situations where the CA has stored the subject's private key in the CA database, you can use key recovery to recover a corrupted or lost key.

During the key recovery process, the certificate manager retrieves the encrypted file that contains the certificate and private key from the CA database. Next, a KRA decrypts the private key from the encrypted file and returns the certificate and private key to the user.

Security for Key Archival

When you have configured a CA to issue a KRA certificate, any user with Read and Enroll permission on the KRA certificate template can enroll and become a KRA. As a result, Domain Admins and Enterprise Admins receive permission by default. However, you must ensure the following:

- Only trusted users are allowed to enroll for this certificate.
- The KRA's recovery key is stored in a secure manner.
- The server where the keys are archived is in a separate physical secure location.

Understanding Key Archival and Recovery

Key recovery implies that the private key portion of a public-private key pair may be archived and recovered. Private key recovery does not recover any data or messages. It merely enables a user to retrieve lost or damaged keys, or an administrator to assume the role of a user for data access or data recovery purposes. In many applications, data recovery cannot occur without first performing key recovery. The key recovery procedure is as follows:

1. The user requests a certificate from a CA and provides a copy of the private key as part of the request. The CA, which is processing the request, archives the encrypted private key in the CA database and issues a certificate to the requesting user. The issued certificate can be used by an application such as EFS to encrypt sensitive files.

2. If, at some point, the private key is lost or damaged, the user can contact the company's Certificate Manager to recover the private key.

3. The Certificate Manager, with the help of the KRA, recovers the private key, stores it in a protected file format, and sends it back to the user.

4. After the user stores the recovered private key in the user's local key store, it once again can be used by an application such as EFS to decrypt previously encrypted files or to encrypt new ones.

Configuring Automatic Key Archival


Before you can use key archival, you must perform several configuration steps. The key archival feature is not enabled by default, and you should configure both the CA and certificate templates for key archival and key recovery. The following steps describe the automatic key archival process:

1. Configure the KRA certificate template. Only Enterprise Administrators or Domain Administrators are allowed to request a KRA certificate. If you want to enroll some other user with a KRA certificate, you must specify it on the template DACL.

2. Configure Certificate Managers:

   a. The CA enforces a person to be a Certificate Manager, if defined. The Certificate Manager usually holds a private key for valid KRA certificates. By default, the CA Administrator is a Certificate Manager for all users, except for cases with another explicit definition. However, as a best practice, you should separate these two roles if possible.

   b. A CA Officer is defined as a Certificate Manager. This user has the security permission to issue and manage certificates. The security permissions are configured on a CA in the Certification Authority MMC snap-in, in the CA Properties dialog box, from the Security tab.

   c. A KRA is not necessarily a CA Officer or a Certificate Manager. These roles may be segmented as separate roles. A KRA is a person who holds a private key for a valid KRA certificate.

3. Enable KRA:

   a. Log on as Administrator of the server, or as CA Administrator if role separation is enabled.

   b. In the CA console, right-click the CA name, and then click Properties.

   c. To enable key archival, on the Recovery Agents tab, click Archive the key.

   d. By default, the CA uses one KRA. However, you must first select the KRA certificate for the CA to begin archival by clicking Add.

   e. The system finds valid KRA certificates, and then displays available KRA certificates. These are generally published to AD DS by an enterprise CA during enrollment. KRA certificates are stored under the KRA container in the Public Key Services branch of the configuration partition in AD DS. Because a CA can issue multiple KRA certificates, each KRA certificate will be added to the multivalued user attribute of the CA object. Select one certificate, and then click OK. Ensure that you have selected the intended certificate.

   f. After you have added one or more KRA certificates, click OK. KRA certificates are only processed at service start.

4. Configure user templates:

   a. In the Certificate Templates MMC, right-click the key archival template, and then click Properties.

   b. To always enforce key archival for the CA, in the Properties dialog box, on the Request Handling tab, select the Archive subject's encryption private key check box. In Windows Server 2008 or later CAs, select the Use advanced symmetric algorithm to send the key to the CA option.

Demonstration: Configuring CA for Key Archival


In this demonstration, you will see how to configure automatic key archival.

Demonstration Steps

Configure automatic key archival


1. Configure AdatumRootCA to issue Key Recovery Agent certificates without approval.
2. Enroll Administrator for a Key Recovery Agent certificate.
3. Configure AdatumRootCA to use the certificate enrolled in step 2 as Key Recovery Agent.
4. Configure the Exchange User Test 1 certificate template to allow key archival.
5. Configure AdatumRootCA to allow key archival.

Recovering a Lost Key


Key recovery consists of several steps, and you must strictly follow the procedure to recover archived keys. The procedure for key recovery is as follows:

1. Find recovery candidates. You will require two pieces of information to perform key recovery. First, the Certificate Manager or the CA Administrator locates the correct certificate entry in the CA database. Then, the Certificate Manager or the CA Administrator obtains the serial number of the correct certificate entry and the KRA certificate required for key recovery.

2. Retrieve the PKCS #7 BLOB from the database. This is the first half of the key recovery step. A Certificate Manager or a CA Administrator retrieves the correct BLOB from the CA database. The certificate and the encrypted private key to be recovered are present in the PKCS #7 BLOB. The private key is encrypted alongside the public key of one or more KRAs.

3. Recover key material and save to PKCS #12 (.pfx). This is the second half of the key recovery step. The holder of one of the KRA private keys decrypts the private key to be recovered. In addition, the holder generates a password-protected .pfx file that contains the certificate and private key.

4. Import recovered keys. The password-protected .pfx file is delivered to the end user. This user imports the .pfx file into the local user certificate store. Alternatively, the KRA or an administrator can perform this part of the procedure on behalf of the user.

Demonstration: Recovering a Lost Private Key (optional)


In this demonstration, you will see how to recover a lost private key.

Demonstration Steps

Recover a lost private key


1. Enroll Administrator for an Exchange User Test1 certificate.
2. Delete the certificate from the Administrator personal store to simulate key loss.
3. On LON-SVR1, in the CA console, retrieve the serial number of the lost certificate.
4. Use the command Certutil -getkey <serialnumber> outputblob to generate the blob file.
5. Use the command Certutil -recoverkey outputblob recover.pfx to recover the private key.
6. Import the private key back to the Administrator personal store.


Lab: Implementing Active Directory Certificate Services


Scenario

As A. Datum Corporation has expanded, its security requirements have also increased, and the security department is particularly interested in enabling secure access to critical web sites, and in providing additional security for features such as EFS, smart cards, and the Windows 7 and Windows 8 DirectAccess feature. To address these and other security requirements, A. Datum Corporation has decided to implement a PKI using the AD CS role in Windows Server 2012.

As one of the senior network administrators at A. Datum Corporation, you are responsible for implementing the AD CS deployment. You will be deploying the CA hierarchy, developing the procedures and process for managing certificate templates, and deploying and revoking certificates.

Objectives
- Deploy a standalone root CA, and an enterprise subordinate CA.
- Configure certificate templates.
- Configure certificate enrollment.
- Configure certificate revocation.
- Configure and perform private key archival and recovery.

Lab Setup
Estimated Time: 120 minutes

Virtual Machines: 20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-SVR2, 20412A-LON-CA1, 20412A-LON-CL1

User Name: Adatum\Administrator Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2, 20412A-LON-CA1 and 20412A-LON-CL1. Do not log on until instructed to do so.

Exercise 1: Deploying a standalone root CA


Scenario

A. Datum Corporation wants to start using certificates for various purposes, and you now need to install the appropriate CA infrastructure. Because they are using Windows Server 2012 AD DS, you decided to implement the AD CS role. When you were reviewing available designs, you decided to implement a standalone root CA. This CA will be taken offline after it issues a certificate for a subordinate CA.

The main tasks for this exercise are as follows:

1. Install the Active Directory Certificate Services (AD CS) server role on a non-domain joined server.
2. Configure a new certificate revocation location.

Task 1: Install the Active Directory Certificate Services (AD CS) server role on a non-domain joined server

1. Log on to LON-CA1 as Administrator using the password Pa$$w0rd.
2. Use the Add Roles and Features Wizard to install the Active Directory Certificate Services role.
3. After installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server.
4. Configure the AD CS role as a standalone root CA. Name it AdatumRootCA.
5. Set the key length to 4096, and accept all other values as default.

Task 2: Configure a new certificate revocation location


1. On LON-CA1, open the Certification Authority console.
2. Open the Properties window for AdatumRootCA.
3. Configure the new location for CDP to be http://lon-svr1.adatum.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
4. Select the options Include in the CDP extensions of issued certificates and Include in CRLs. Clients use this to find Delta CRL locations.
5. Configure the new location for AIA to be http://lon-svr1.adatum.com/CertData/<ServerDNSName>_<CaName><CertificateName>.crt
6. Select the Include in the AIA extension of issued certificates check box.
7. Publish the certificate revocation list on LON-CA1.
8. Export the root CA certificate, and copy the .cer file to \\lon-svr1\C$.
9. Copy the content of the folder C:\Windows\System32\CertSrv\CertEnroll to \\lon-svr1\C$.
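The two tasks of Exercise 1 can also be carried out from an elevated Windows PowerShell prompt on LON-CA1. The following script is an added example and is not part of the course; it assumes the ADCSDeployment module that ships with the AD CS role on Windows Server 2012, and that LON-SVR1 will later serve the http://lon-svr1.adatum.com/CertData/ virtual directory named in the CDP and AIA URLs above. The numeric prefixes on each URL entry are the flag masks that the Extensions tab check boxes map to.

```powershell
# Added example (not from the course): Exercise 1 on LON-CA1 as a script.
# Assumes the ADCSDeployment module (Windows Server 2012 AD CS role).

# Task 1: install the role and configure a standalone root CA named AdatumRootCA with a 4096-bit key.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'AdatumRootCA' -KeyLength 4096 -Force

# Task 2: CDP and AIA locations. certutil -setreg writes a multi-string in which a literal "\n"
# separates entries; the numeric prefix is a flag mask:
#   CRLPublicationURLs    1 = publish CRLs to this location, 2 = include in the CDP extension,
#                         4 = include in CRLs (delta CRL location), 64 = publish delta CRLs here
#   CACertPublicationURLs 1 = publish the CA certificate here, 2 = include in the AIA extension
# Variables: %1 = ServerDNSName, %3 = CaName, %4 = CertificateName,
#            %8 = CRLNameSuffix, %9 = DeltaCRLAllowed
$local = 'C:\Windows\System32\CertSrv\CertEnroll'
$cdp = "65:${local}\%3%8%9.crl\n6:http://lon-svr1.adatum.com/CertData/%3%8%9.crl"
$aia = "1:${local}\%1_%3%4.crt\n2:http://lon-svr1.adatum.com/CertData/%1_%3%4.crt"
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
Restart-Service certsvc          # extension changes are read at service start

# Step 7: publish the CRL. Step 8: export the root CA certificate.
certutil -crl
certutil -ca.cert C:\RootCA.cer

# Steps 8-9: stage the certificate and the CertEnroll content on LON-SVR1.
# LON-CA1 is not domain joined, so this share access prompts for Adatum credentials.
Copy-Item C:\RootCA.cer -Destination '\\lon-svr1\C$\'
Copy-Item "$local\*" -Destination '\\lon-svr1\C$\' -Recurse

# Read back the values the GUI would show on the Extensions tab.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Mask 6 on the HTTP CDP entry is 2 + 4, which is exactly the pair of check boxes selected in step 4; mask 65 on the local file entry (1 + 64) keeps the default behaviour of writing base and delta CRLs into CertEnroll so they can be copied to the web server.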

Results: After completing this exercise, you will have installed and configured a standalone root CA.

Exercise 2: Deploying an Enterprise Subordinate CA


Scenario

After deploying the standalone root CA, the next step is to deploy an enterprise subordinate CA. A. Datum Corporation wants to use an enterprise subordinate CA to utilize AD DS integration. In addition, because the root CA is standalone, you want to publish its certificate to all clients.

The main tasks for this exercise are as follows:

1. Install and configure the AD CS role on LON-SVR1.
2. Install a subordinate Certification Authority (CA) certificate.
3. Publish the RootCA certificate through Group Policy.


Task 1: Install and configure AD CS role on LON-SVR1


1. Log on to LON-SVR1 as Adatum\Administrator with the password of Pa$$w0rd.
2. Install the Active Directory Certificate Services role on LON-SVR1. Include the Certification Authority and Certification Authority Web Enrollment role services.
3. After installation is successful, click Configure Active Directory Certificate Services on the destination server.
4. Select the Certification Authority and Certification Authority Web Enrollment role services.
5. Configure LON-SVR1 to be an Enterprise CA.
6. Configure the CA Type to be a Subordinate CA.
7. For the CA Name, type Adatum-IssuingCA.
8. Save the request file to the local drive.

Task 2: Install a subordinate Certification Authority (CA) certificate


1. On LON-SVR1, install the RootCA.cer certificate in the Trusted Root Certification Authorities store.
2. Navigate to Local Disk (C:) and copy the AdatumRootCA.crl and LON-CA1_AdatumRootCA.crt files to C:\inetpub\wwwroot\CertData.
3. Copy the LON-SVR1.Adatum.com_Adatum-IssuingCA.req request file to \\lon-ca1\C$\.
4. Switch to LON-CA1.
5. From the Certification Authority console on LON-CA1, submit a new certificate request by using the .req file that you copied in step 3.
6. Issue the certificate and export it to .p7b format with the complete chain. Save the file to \\lon-svr1\C$\SubCA.p7b.
7. Switch to LON-SVR1.
8. Install the SubCA certificate on LON-SVR1 using the Certification Authority console.
9. Start the service.

Task 3: Publish the RootCA certificate through Group Policy


1. On LON-DC1, from Server Manager, open the Group Policy Management Console.
2. Edit the Default Domain Policy.
3. Publish the RootCA.cer file from \\lon-svr1\C$ to the Trusted Root Certification Authorities store in Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

Results: After completing this exercise, you will have deployed and configured an enterprise subordinate CA.
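Exercise 2 spans two hosts, so the scripted form below is split by the computer each part runs on. It is an added example, not course material; it assumes that RootCA.cer and the CertEnroll files from Exercise 1 are already in C:\ on LON-SVR1, that the root CA is still online as LON-CA1 while the request is processed, and it uses certutil -dspublish in place of the Default Domain Policy edit of Task 3 (the command publishes the root certificate to the AD DS trust containers, which domain members pick up through autoenrollment; the Group Policy route in the lab remains valid).

```powershell
# Added example (not from the course): Exercise 2 as a script, split by host.
# Assumes the ADCSDeployment module and the files staged by Exercise 1 in C:\ on LON-SVR1.

# --- On LON-SVR1: Task 1, and Task 2 steps 1-3 ---
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Trust the offline root locally, and stage its certificate and CRL under the CertData URL
# that the root CA's CDP and AIA extensions point at.
certutil -addstore -f Root C:\RootCA.cer
New-Item -ItemType Directory -Path C:\inetpub\wwwroot\CertData -Force | Out-Null
Copy-Item C:\AdatumRootCA.crl, C:\LON-CA1_AdatumRootCA.crt -Destination C:\inetpub\wwwroot\CertData

# Enterprise subordinate CA: the request is written to a file rather than submitted to a
# parent, because the root is standalone and will be taken offline.
$req = 'C:\LON-SVR1.Adatum.com_Adatum-IssuingCA.req'
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Adatum-IssuingCA' -OutputCertRequestFile $req -Force
Install-AdcsWebEnrollment -Force
Copy-Item $req -Destination '\\lon-ca1\C$\'

# --- On LON-CA1: Task 2 steps 4-6 ---
# A standalone CA holds submitted requests as pending; -resubmit issues the pending request.
$rootCfg = 'LON-CA1\AdatumRootCA'
$submit  = certreq -submit -config $rootCfg 'C:\LON-SVR1.Adatum.com_Adatum-IssuingCA.req'
$reqId   = [int]([regex]::Match(($submit -join ' '), 'RequestId:\s*"?(\d+)').Groups[1].Value)
certutil -config $rootCfg -resubmit $reqId
certreq -retrieve -config $rootCfg $reqId 'C:\SubCA.cer'
Copy-Item C:\SubCA.cer -Destination '\\lon-svr1\C$\'

# --- On LON-SVR1: Task 2 steps 7-9, then Task 3 ---
# The .cer chains to the root already placed in the Root store above, so a .p7b is not needed.
certutil -installcert C:\SubCA.cer
Start-Service certsvc

# Task 3 alternative: publish the root certificate into AD DS so every domain member trusts it.
certutil -dspublish -f C:\RootCA.cer RootCA

# Confirm the subordinate chains cleanly and its CRL and AIA URLs resolve.
certutil -config 'LON-SVR1\Adatum-IssuingCA' -ca.cert C:\Adatum-IssuingCA.cer
certutil -verify -urlfetch C:\Adatum-IssuingCA.cer
```

The final certutil -verify -urlfetch call is the check worth keeping after the lab: it walks the chain and actually fetches every CDP and AIA URL, so a CertData folder that was not populated, or a root CRL that was never published, shows up here rather than as a browser warning on LON-SVR2 later.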

Exercise 3: Configuring Certificate Templates


Scenario

After deploying the CA infrastructure, the next step is to deploy the certificate templates that are required in the organization. To begin, A. Datum Corporation wants to implement a new Web server certificate and implement smart card certificates for users. They also want to implement new certificates on the LON-SVR2 web server.


The main tasks for this exercise are as follows:

1. Create a new template based on the Web server template.
2. Create a new template for users that includes smart card logon.
3. Configure the templates so they can be issued.
4. Update the Web server certificate on the LON-SVR2 Web Server.

Task 1: Create a new template based on the Web server template


1. On LON-SVR1, from the Certification Authority console, open the Certificate Templates Console.
2. Duplicate the Web Server template.
3. Create a new template and name it Adatum Web Server.
4. Configure validity for 3 years.
5. Configure the private key as exportable.

Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates Console, duplicate the User certificate template.
2. Name the new template Adatum Smart Card User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail name check boxes.
4. Add Smart Card Logon to the Application Policies of the new certificate template.
5. Configure this new template to supersede the User template.
6. Allow Authenticated Users to Read, Enroll, and Autoenroll for this certificate.
7. Close the Certificate Templates Console.

Task 3: Configure the templates so they can be issued

Configure LON-SVR1 to issue certificates based on the Adatum Smart Card User and Adatum Web Server templates.

Task 4: Update the Web server certificate on the LON-SVR2 Web Server
1. Log on to LON-SVR2 as Adatum\Administrator with the password of Pa$$w0rd.
2. Refresh Group Policy, and restart the server if needed.
3. From Server Manager, open the Internet Information Services (IIS) Manager.
4. Enroll for a domain certificate using the following parameters:
   - Common name: lon-svr2.adatum.com
   - Organization: Adatum
   - Organizational Unit: IT
   - City/locality: Seattle
   - State/province: WA
   - Country/region: US
5. Create an HTTPS binding for the Default Web Site, and associate it with the new certificate.


Results: After completing this exercise, you will have created and published new certificate templates.
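Task 4 of this exercise, enrolling the web server certificate and binding it to HTTPS, is shown below as an added PowerShell example that is not part of the course. It runs on LON-SVR2, assumes the PKI and WebAdministration modules of Windows Server 2012, and assumes the Adatum Web Server template created in Task 1 received the internal template name AdatumWebServer (the console derives it from the display name; check the Template name field on the General tab).

```powershell
# Added example (not from the course): Exercise 3 Task 4 on LON-SVR2 as a script.
# Assumes the PKI and WebAdministration modules and an internal template name of
# AdatumWebServer (assumption; verify in the Certificate Templates console).

gpupdate /force | Out-Null          # step 2: pick up the root trust and template changes

# Step 4: enroll a machine certificate from the Adatum Web Server template with the
# subject the lab specifies. The DNS name also goes into the Subject Alternative Name.
$result = Get-Certificate -Template 'AdatumWebServer' `
    -SubjectName 'CN=lon-svr2.adatum.com,O=Adatum,OU=IT,L=Seattle,S=WA,C=US' `
    -DnsName 'lon-svr2.adatum.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
$cert = $result.Certificate

# Chain check before binding: a certificate that does not build to AdatumRootCA would
# produce exactly the browser warning the scenario says clients must not see.
if (-not $cert.Verify()) { throw 'Issued certificate does not chain to a trusted root' }

# Step 5: HTTPS binding on Default Web Site, then attach the certificate to it.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Show what IIS now presents on port 443.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint
```

The `Verify()` call is the step most often skipped in a wizard-driven enrollment; it fails when the root certificate has not yet reached this server through Group Policy, which is also why step 2 refreshes policy first.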

Exercise 4: Configuring Certificate Enrollment


Scenario

The next step in implementing the PKI at A. Datum Corporation is configuring certificate enrollment. A. Datum wants to enable different options for distributing the certificates. Users should be able to enroll automatically, and smart card users should get their smart cards from Enrollment Agents. Adatum has delegated enrollment agent rights for the Marketing department group to Allie Bellew.

The main tasks for this exercise are as follows:

1. Configure autoenrollment for users.
2. Verify autoenrollment.
3. Configure the Enrollment Agent for smart card certificates.

Task 1: Configure autoenrollment for users


1. On LON-DC1, open Group Policy Management.
2. Edit the Default Domain Policy.
3. Navigate to User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies.
4. Enable the Certificate Services Client - Auto-Enrollment option, and enable Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.
5. Enable the Certificate Services Client - Certificate Enrollment Policy.
6. Close the Group Policy Management Editor and the Group Policy Management console.

Task 2: Verify autoenrollment


1. On LON-SVR1, open Windows PowerShell and use gpupdate /force to refresh Group Policy.
2. Open an mmc.exe console and add the Certificates snap-in focused on the user account.
3. Verify that you have been issued a certificate based on the Adatum Smart Card User template.

Task 3: Configure the Enrollment Agent for smart card certificates


1. On LON-SVR1, from the Certification Authority console, open the Certificate Templates console.
2. Allow Allie Bellew to enroll for an Enrollment Agent certificate.
3. Publish the Enrollment Agent certificate template.
4. Log on to LON-CL1 as Allie, and enroll for an Enrollment Agent certificate.
5. On LON-SVR1, open the properties of Adatum-IssuingCA, and configure Restricted Enrollment Agent so that Allie can only issue certificates based on Adatum Smart Card User, for the security group Marketing.

Results: After completing this exercise, you will have configured and verified autoenrollment for users, and configured an enrollment agent for smart cards.


Exercise 5: Configuring Certificate Revocation


Scenario

As part of configuring the certificate infrastructure, A. Datum Corporation wants to configure revocation components on the newly established CAs. You will configure CRL and Online Responder components.

The main tasks for this exercise are as follows:

1. Configure Certificate Revocation List (CRL) distribution.
2. Install and configure an Online Responder.

Task 1: Configure Certificate Revocation List (CRL) distribution


1. On LON-SVR1, in the Certification Authority console, right-click Revoked Certificates, and then click Properties.
2. Set the CRL publication interval to 1 Day, and set the Delta CRL publication interval to 1 hour.
3. Review the CDP locations on Adatum-IssuingCA.

Task 2: Install and configure an Online Responder


1. On LON-SVR1, use Server Manager to add an Online Responder role service to the existing AD CS role.
2. When the message displays that installation succeeded, click Configure Active Directory Certificate Services on the destination server. Configure the Online Responder.
3. On LON-SVR1, open the Certification Authority console.
4. Configure the new AIA distribution location on Adatum-IssuingCA to be http://lon-svr1/ocsp.
5. On Adatum-IssuingCA, publish the OCSP Response Signing certificate template, and allow Authenticated Users to enroll.
6. Open the Online Responder Management console.
7. Add a revocation configuration for Adatum-IssuingCA.
8. Enroll for an OCSP Response Signing certificate.
9. Ensure that the revocation configuration is working.

Results: After completing this exercise, you will have configured certificate revocation settings.
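The CA-side half of this exercise, and of the Lesson 4 demonstration (Configuring an Online Responder), can be scripted; the revocation configuration itself (Task 2 steps 6 to 9) has no cmdlet and is still created in the Online Responder console. The script below is an added example, not course material. It runs on LON-SVR1 against Adatum-IssuingCA and assumes the ADCSDeployment and ADCSAdministration modules of Windows Server 2012; the dsacls line, which grants the Enroll extended right on the template to Authenticated Users, assumes the right's display name is Enroll.

```powershell
# Added example (not from the course): Exercise 5 Task 1 and Task 2 steps 1-5 on LON-SVR1.
# Assumes the ADCSDeployment and ADCSAdministration modules of Windows Server 2012.

$ca = 'LON-SVR1\Adatum-IssuingCA'

# Task 1: base CRL every 1 day, delta CRL every 1 hour; then list the CDP locations.
certutil -config $ca -setreg CA\CRLPeriodUnits 1
certutil -config $ca -setreg CA\CRLPeriod 'Days'
certutil -config $ca -setreg CA\CRLDeltaPeriodUnits 1
certutil -config $ca -setreg CA\CRLDeltaPeriod 'Hours'
certutil -config $ca -getreg CA\CRLPublicationURLs

# Task 2 steps 1-2: add and configure the Online Responder role service (installs IIS as needed).
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# Task 2 step 4: append http://lon-svr1/ocsp to the AIA list with flag 32
# ("include in the online certificate status protocol (OCSP) extension").
# Existing entries are read back first so the CA certificate URLs are not lost.
$entries = foreach ($line in (certutil -config $ca -getreg CA\CACertPublicationURLs)) {
    if ($line -match '^\s*\d+:\s+(\d+:.+?)\s*$') { $matches[1] }
}
if ($entries -notcontains '32:http://lon-svr1/ocsp') { $entries += '32:http://lon-svr1/ocsp' }
certutil -config $ca -setreg CA\CACertPublicationURLs ($entries -join '\n')

# Task 2 step 5: publish the OCSP Response Signing template and let Authenticated Users
# (which includes the Online Responder computer account) enroll for it.
Add-CATemplate -Name 'OCSPResponseSigning' -Force
$cfg = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
dsacls $templateDn /G 'NT AUTHORITY\Authenticated Users:GR'          # Read
dsacls $templateDn /G 'NT AUTHORITY\Authenticated Users:CA;Enroll'   # Enroll (assumed right name)

# Period and extension changes take effect at service start; publish a fresh CRL afterwards.
Restart-Service certsvc
certutil -config $ca -crl
certutil -config $ca -getreg CA\CACertPublicationURLs
```

Once the revocation configuration exists in the console, `certutil -verify -urlfetch <any issued .cer>` is the quickest working-or-not check for step 9: its output lists each OCSP and CRL URL with the response it got, so a responder that has not yet received its signing certificate, or an AIA entry typed with the wrong host name, is visible immediately.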

Exercise 6: Configuring Key Recovery


Scenario

As a part of establishing a PKI, you want to configure and test procedures for recovery of private keys. You want to assign a KRA certificate for an administrator, and configure the CA and specific certificate templates to allow key archiving. In addition, you want to test a procedure for key recovery.

The main tasks for this exercise are as follows:

1. Configure the CA to issue Key Recovery Agent (KRA) certificates.
2. Acquire the KRA certificate.
3. Configure the CA to allow key recovery.
4. Configure a custom template for key archival.
5. Verify key archival functionality.


Task 1: Configure the CA to issue Key Recovery Agent (KRA) certificates


1. On LON-SVR1, in the Certification Authority console, right-click the Certificate Templates folder, and then click Manage.
2. In the Certificate Templates console, open the Key Recovery Agent certificate properties dialog box.
3. On the Issuance Requirements tab, clear the CA certificate manager approval check box.
4. On the Security tab, notice that only the Domain Admins and Enterprise Admins groups have the Enroll permission.
5. Right-click the Certificate Templates folder, and enable the Key Recovery Agent template.

Task 2: Acquire the KRA certificate


1. Create an MMC console window that includes the Certificates snap-in for the current user.
2. Use the Certificate Enrollment Wizard to request a new certificate, and enroll for the KRA certificate.
3. Refresh the console window, and view the KRA certificate in the Personal store.

Task 3: Configure the CA to allow key recovery


1. On LON-SVR1, in the Certification Authority console window, open the Adatum-IssuingCA Properties dialog box.
2. On the Recovery Agents tab, click Archive the key, and then add the certificate by using the Key Recovery Agent Selection dialog box.
3. Restart Certificate Services when prompted.

Task 4: Configure a custom template for key archival


1. On LON-SVR1, open the Certificate Templates console.
2. Duplicate the User template, and name it Archive User.
3. On the Request Handling tab, select the Archive subject's encryption private key option. Using the archive key option, the KRA can obtain the private key from the CA database.
4. Click the Subject Name tab, and clear the E-mail name and Include e-mail name in subject name check boxes.
5. Add the Archive User template as a new certificate template to issue.
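The CA-side steps of Lesson 5's automatic key archival procedure and of Exercise 6 Tasks 1 to 4 are scripted below as an added example that is not part of the course. It runs on LON-SVR1 as Administrator and assumes the ADCSAdministration, PKI and ActiveDirectory modules of Windows Server 2012. Editing the Key Recovery Agent template and duplicating the User template remain console work; the script assumes the duplicated template received the internal name ArchiveUser, and the KRACertHash and KRACertCount names are assumed to be the registry values that the Recovery Agents tab writes. The final query is an audit check: it lists every template in the forest whose private keys the CA would archive, which is the set of templates a compromise of the CA database would expose.

```powershell
# Added example (not from the course): key archival setup on LON-SVR1.
# Assumes the ADCSAdministration, PKI and ActiveDirectory modules; ArchiveUser as the internal
# template name and KRACertHash / KRACertCount as registry value names are assumptions.

# Task 1 step 5: publish the Key Recovery Agent template on the issuing CA.
Add-CATemplate -Name 'KeyRecoveryAgent' -Force

# Task 2: enroll the current user (a Domain Admin) for a KRA certificate. With manager
# approval cleared in Task 1 the status is Issued; otherwise it stays Pending.
$enroll = Get-Certificate -Template 'KeyRecoveryAgent' -CertStoreLocation 'Cert:\CurrentUser\My'
if ($enroll.Status -ne 'Issued') { throw "KRA enrollment returned status $($enroll.Status)" }
$kra = $enroll.Certificate
"KRA certificate thumbprint: $($kra.Thumbprint)"

# Task 3: register the KRA certificate with the CA and enable archival.
# KRA certificates are only processed at service start, hence the restart.
certutil -setreg CA\KRACertHash $kra.Thumbprint
certutil -setreg CA\KRACertCount 1
Restart-Service certsvc
certutil -getreg CA\KRACertHash

# Task 4 step 5: publish the duplicated Archive User template once it exists.
Add-CATemplate -Name 'ArchiveUser' -Force

# Audit: which templates require private key archival (bit 0x1 of msPKI-Private-Key-Flag,
# CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL), and which of them this CA publishes.
# Archived keys are a high-value target, so this list should stay short and deliberate.
$cfg = (Get-ADRootDSE).configurationNamingContext
$published = (Get-CATemplate).Name
Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties 'msPKI-Private-Key-Flag' |
  Where-Object { ($_.'msPKI-Private-Key-Flag' -band 0x1) -ne 0 } |
  Select-Object Name, @{ n = 'PublishedOnThisCA'; e = { $published -contains $_.Name } }
```

Who can enroll for KeyRecoveryAgent is the other half of the Security for Key Archival guidance in Lesson 5: `dsacls "CN=KeyRecoveryAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"` prints the template's ACL, and any principal beyond Domain Admins and Enterprise Admins holding Enroll there should be a deliberate decision.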

Task 5: Verify key archival functionality


1. Log on to LON-CL1 as Adatum\Aidan, using the password Pa$$w0rd.
2. Create an MMC console window that includes the Certificates snap-in.
3. Request and enroll a new certificate based on the Archive User template.
4. From the personal store, locate the Archive User certificate.
5. Delete the certificate for Alan Brewer to simulate a lost key.
6. Switch to LON-SVR1.
7. Open the Certification Authority console, expand Adatum-IssuingCA, and then click the Issued Certificates store.
8. In the Certification Authority console, note the serial number of the certificate that has been issued for Alan Brewer.
9. On LON-SVR1, open a command prompt, and type: certutil -getkey <serial number> outputblob
   Note: Replace <serial number> with the serial number that you wrote down.
10. Verify that the Outputblob file has appeared in the C:\Users\Administrator folder.
11. To convert the Outputblob file into an importable .pfx file, at the command prompt, type certutil -recoverkey outputblob aidan.pfx.
12. Enter the password Pa$$w0rd for the certificate.
13. Verify the creation of the recovered key in the C:\Users\Administrator folder.
14. Cut and paste the aidan.pfx file to the root of drive C on LON-CL1.
15. Switch to LON-CL1, and import the aidan.pfx certificate.
16. Verify that the certificate appears in the Personal store.

Results: After completing this exercise, you will have implemented key archival, and tested private key recovery.
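The recovery half of this task, which is the same procedure as Lesson 5's Recovering a Lost Key steps and the optional demonstration, is scripted below as an added example that is not part of the course. It runs on LON-SVR1 as a user who is both a Certificate Manager on Adatum-IssuingCA and the holder of the KRA private key (Administrator in the lab); the requester name is the lab's, while the working folder C:\Recovery is an assumption.

```powershell
# Added example (not from the course): steps 8-13 of Task 5 on LON-SVR1 as a script.
# C:\Recovery is an assumed working folder; the CA name and requester are the lab's.

$ca        = 'LON-SVR1\Adatum-IssuingCA'
$requester = 'ADATUM\Aidan'          # account whose Archive User certificate was deleted
$workDir   = 'C:\Recovery'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Step 1 (find recovery candidates): query the CA database for issued certificates
# (Disposition 20) of this requester and show the template, so the right one is chosen
# when the user holds several. The serial number is what -getkey needs.
$rows = certutil -config $ca -view -restrict "RequesterName=$requester,Disposition=20" `
                 -out 'RequestId,SerialNumber,CertificateTemplate,NotAfter'
$rows
$serials = $rows | ForEach-Object {
    if ($_ -match 'Serial Number:\s+"?([0-9a-fA-F]+)"?') { $matches[1] }
}
if (-not $serials) { throw "No issued certificates found for $requester" }
$serial = @($serials)[-1]            # last row listed; change after reading the output above

# Step 2 (retrieve the PKCS #7 blob): certificate plus private key encrypted to the KRA.
$blob = Join-Path $workDir 'outputblob'
certutil -config $ca -getkey $serial $blob
if (-not (Test-Path $blob)) { throw 'certutil -getkey did not produce a blob file' }

# Step 3 (recover to PKCS #12): the KRA key holder decrypts the blob into a .pfx.
# certutil prompts for the .pfx password, so it never appears in the command history.
$pfx = Join-Path $workDir 'aidan.pfx'
certutil -recoverkey $blob $pfx
if (-not (Test-Path $pfx)) { throw 'certutil -recoverkey did not produce a .pfx file' }

# The blob is no longer needed once the .pfx exists; do not leave copies of it behind.
Remove-Item $blob -Force
"Recovered key for $requester written to $pfx; deliver it to the user out of band."

# Step 4 (import), run on LON-CL1 as the user after the .pfx has been copied there:
#   Import-PfxCertificate -FilePath C:\aidan.pfx -CertStoreLocation Cert:\CurrentUser\My `
#       -Password (Read-Host -AsSecureString 'PFX password')
#   Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | Format-Table Subject, NotAfter
```

Two points the console walkthrough hides: the `-view -restrict` query is what turns "note the serial number" into something repeatable, and the requester name it filters on comes from the CA database, so the same query run without the `Disposition` restriction also surfaces revoked or denied rows for that user, which is worth a glance before recovering anything.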

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, 20412A-LON-CA1 and 20412A-LON-SVR2.

Lab Review
Question: Why is it not recommended to install just an Enterprise root CA?

Question: What is the main benefit of OCSP over CRL?

Question: What must you do to recover private keys?


Module Review and Takeaways


Question: What are some reasons that an organization would utilize PKI?

Question: What are some reasons that an organization would use an enterprise root CA?

Question: List the requirements to use autoenrollment for certificates.

Question: What are the steps to configure an Online Responder?

Common Issues and Troubleshooting Tips


Common Issue: The location of the CA certificate that is specified in the authority information access extension is not configured to include the certificate name suffix. Clients may not be able to locate the correct version of the issuing CA's certificate to build a certificate chain, and certificate validation may fail.
Troubleshooting Tip:

Common Issue: The CA is not configured to include CRL distribution point locations in the extensions of issued certificates. Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail.
Troubleshooting Tip:

Common Issue: The CA was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled. An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
Troubleshooting Tip:

Real-world Issues and Scenarios

Contoso, Ltd wants to deploy PKI for supporting and securing several services. They have decided to use Windows Server 2012 Certificate Services as a platform for PKI. Certificates will be primarily used for EFS, digital signing, and for Web servers. Because documents that will be encrypted are important, it is crucial to have a disaster recovery strategy in case of key loss. In addition, clients that will access secure parts of the company website must not receive any warning in their browsers.
1. What kind of deployment should Contoso, Ltd choose?
2. What kind of certificates should Contoso use for EFS and digital signing?
3. What kind of certificates should Contoso use for a website?
4. How will Contoso ensure that EFS-encrypted data is not lost if a user loses a certificate?

Best Practice

When deploying CA infrastructure, deploy a standalone (non-domain joined) root CA, and an enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives a certificate from the root CA, take the root CA offline. Issue the root CA certificate with a long validity period, such as 15 or 20 years.


Use autoenrollment for certificates that are widely used.
Use a Restricted Enrollment Agent whenever possible.
Use Virtual Smart Cards for improving logon security.

Tools
Certificate Authority console
Certificate Templates console
Certificates console
Certutil.exe

Module 11
Implementing Active Directory Rights Management Services

Contents:
Module Overview 11-1
Lesson 1: AD RMS Overview 11-2
Lesson 2: Deploying and Managing an AD RMS Infrastructure 11-7
Lesson 3: Configuring AD RMS Content Protection 11-13
Lesson 4: Configuring External Access to AD RMS 11-19
Lab: Implementing AD RMS 11-24
Module Review and Takeaways 11-31

Module Overview

Active Directory Rights Management Services (AD RMS) provides a method for protecting content that goes beyond simply encrypting storage devices using Windows BitLocker Drive Encryption, or individual files using Encrypting File System (EFS). AD RMS provides a method to protect data in transit and at rest, and ensures that it is accessible only to authorized users for a specific duration. This module introduces you to AD RMS, and describes how to deploy it, how to configure content protection, and how to make AD RMS-protected documents available to external users.

Objectives
After completing this module, you will be able to:
Provide an overview of AD RMS.
Deploy and manage an AD RMS infrastructure.
Configure AD RMS content protection.
Configure external access to AD RMS.


Lesson 1

AD RMS Overview

Prior to deploying AD RMS, you need to know how AD RMS works, what components are included in an AD RMS deployment, and how you should deploy AD RMS. You must also understand the concepts behind various AD RMS certificates and licenses. This lesson provides an overview of AD RMS, and the scenarios in which you can use it to protect an organization's confidential data.

Lesson Objectives

After completing this lesson you will be able to:
Describe AD RMS.
Explain the scenarios in which you can use AD RMS.
List the AD RMS components.
List the different AD RMS certificates and licenses.
Explain how AD RMS works.

What Is AD RMS?

AD RMS is an information protection technology that is designed to minimize the possibility of data leakage. Data leakage is the unauthorized transmission of information, either to people within the organization or people outside the organization, who should not be able to access that information. AD RMS integrates with existing Microsoft products and operating systems including Exchange, SharePoint, and the Microsoft Office Suite.

AD RMS can protect data in transit and at rest. For example, AD RMS can protect documents sent as email messages, ensuring that a message cannot be opened even if it is accidentally addressed to the wrong recipient. You can also use AD RMS to protect data stored on devices such as removable USB drives. A drawback of file and folder permissions is that once the file is copied to another location, the original permissions no longer apply. A file that is copied to a USB drive will inherit the permissions on the destination device. Once copied, a file that was read-only can be made editable by altering the file and folder permissions. With AD RMS, the file can be protected in any location, irrespective of file and folder permissions that grant access. With AD RMS, only the users who are authorized to open the file will be able to view the contents of that file.


Usage Scenarios for AD RMS

The primary use for AD RMS is to control the distribution of sensitive information. You can use AD RMS in combination with encryption techniques to secure data when it is in storage or in transit. There can be many reasons to control the distribution of sensitive information, such as needing to ensure that only authorized staff members have access to a file, ensuring that sensitive email messages cannot be forwarded, or ensuring that details of an unreleased project are not made public. Consider the following scenarios.

Scenario 1

The CEO copies a spreadsheet file containing the compensation packages of an organization's executives from a protected folder on a file server to the CEO's personal USB drive. During the commute home, the CEO leaves the USB drive on the train, where someone with no connection to the organization finds it. Without AD RMS, whoever finds the USB drive can open the file. With AD RMS, it is possible to ensure that the file cannot be opened by unauthorized users.

Scenario 2

An internal document should be viewable by a group of authorized people within the organization. These people should not be able to edit or print the document. While it is possible to use the native functionality of Microsoft Office Word to restrict these features, doing so requires each person to have a Windows Live account. With AD RMS, you can configure these permissions based on existing accounts in AD DS.

Scenario 3

People within the organization should not be able to forward sensitive e-mail messages that have been assigned a particular classification. With AD RMS, you can allow a sender to assign a particular classification to a new e-mail message, and that classification will ensure that the recipient cannot forward the message.

Overview of the AD RMS Components

The AD RMS root certification cluster is the first AD RMS server that you deploy in a forest. The AD RMS root certification cluster manages all licensing and certification traffic for the domain in which it is installed. AD RMS stores configuration information either in a Microsoft SQL Server database or in the Windows Internal Database. In large environments, the SQL Server database is hosted on a server that is separate from the server that hosts the AD RMS role.

AD RMS licensing-only clusters are used in distributed environments. Licensing-only clusters do not provide certification, but do allow the distribution of licenses that are used for content consumption and publishing. Licensing-only clusters are often deployed to large branch offices in organizations that use AD RMS.


AD RMS Server

AD RMS servers must be members of an AD DS domain. When you install AD RMS, information about the location of the cluster is published to AD DS to a location known as the service connection point. Computers that are members of the domain query the service connection point to determine the location of AD RMS services.

AD RMS Client

The AD RMS client is built into the Windows Vista, Windows 7, and Windows 8 operating systems. The AD RMS client allows AD RMS-enabled applications to enforce the functionality dictated by the AD RMS template. Without the AD RMS client, AD RMS-enabled applications would be unable to interact with AD RMS-protected content.

AD RMS-Enabled Applications

AD RMS-enabled applications allow users to create and consume AD RMS-protected content. For example, Microsoft Outlook allows users to view and create protected email messages. Microsoft Word allows users to view and create protected word processing documents.

AD RMS Certificates and Licenses

To understand how AD RMS works, you need to be familiar with its different certificates and license types. Each of these certificates and licenses functions in a different way. Some certificates, such as the server licensor certificate (SLC), are critically important and you must back them up on a regular basis.

SLC

The SLC is generated when you create the AD RMS cluster. It has a validity of 250 years. The SLC allows the AD RMS cluster to issue:
SLCs to other servers in the cluster.
Rights Account Certificates to clients.
Client licensor certificates.
Publishing licenses.
Use licenses.
Rights policy templates.

The SLC public key encrypts the content key in a publishing license. This allows the AD RMS server to extract the content key and issue end use licenses (EULs) against the publishing key.

AD RMS Machine Certificate

The AD RMS machine certificate is used to identify a trusted computer or device. The certificate identifies the client computer's lockbox. The machine certificate public key encrypts the Rights Account Certificate private key. The machine certificate private key decrypts the Rights Account Certificates.

Rights Account Certificate

The Rights Account Certificate (RAC) identifies a specific user. The default validity time for a RAC is 365 days. RACs can only be issued to users in AD DS whose user accounts have email addresses that are associated with them. A RAC is issued the first time a user attempts to access AD RMS-protected content. You can adjust the default validity time using the Rights Account Certificate Policies node of the Active Directory Rights Management Services console.

A temporary RAC has a validity time of 15 minutes. Temporary RACs are issued when a user is accessing AD RMS-protected content from a computer that is not a member of the same or trusted forest as the AD RMS cluster. You can adjust the default validity time using the Rights Account Certificate Policies node of the Active Directory Rights Management Services console. AD RMS supports the following additional RACs:
Active Directory Federation Services (AD FS) RACs are issued to federated users. They have a validity of seven days.
Two types of Windows Live ID RAC are supported. Windows Live ID RACs used on private computers have a validity of six months. Windows Live ID RACs used on public computers are valid until the user logs off.

Client Licensor Certificate

A client licensor certificate allows a user to publish AD RMS-protected content when the client computer is not connected to the same network as the AD RMS cluster. The client licensor certificate public key encrypts the symmetric content key and includes it in the publishing license that it issues. The client licensor certificate private key signs any publishing licenses that are issued when the client is not connected to the AD RMS cluster.

Client licensor certificates are tied to a specific user's RAC. If another user who has not been issued a RAC attempts to publish AD RMS-protected content from the same client, they will be unable to until the client is connected to the AD RMS cluster and can issue that user with a RAC.

Publishing License

A publishing license (PL) determines the rights that apply to AD RMS-protected content. For example, the publishing license determines if the user can edit, print, or save a document. The publishing license contains the content key, which is encrypted using the public key of the licensing service. It also contains the URL and the digital signature of the AD RMS server.

End Use License

An EUL is required to consume AD RMS-protected content. The AD RMS server issues one EUL per user per document. EULs are cached by default.

How AD RMS Works

AD RMS works in the following manner:
1. An author receives a client licensor certificate from the AD RMS server the first time he or she configures rights protection for information.
2. The author is able to define a collection of usage rights and conditions for the file. When the author does this, the application encrypts the file with a symmetric key.
3. This symmetric key is encrypted to the public key of the AD RMS server that is used by the author.
4. The recipient of the file opens it using an AD RMS application or browser. It is not possible to open AD RMS-protected content unless the application or browser supports AD RMS. If the recipient does not have an account certificate on the current device, one will be issued to the user at this point. The application or browser transmits a request to the author's AD RMS server for a Use License.
5. The AD RMS server determines if the recipient is authorized. If the recipient is authorized, the AD RMS server issues a Use License.
6. The AD RMS server decrypts the symmetric key that was encrypted in step 3, using its private key.
7. The AD RMS server re-encrypts the symmetric key using the recipient's public key and adds the encrypted session key to the Use License.
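The seven steps above, modelled as an added PowerShell example that is not code from the course or from AD RMS itself: RSACng key pairs stand in for the SLC, client licensor certificate and RAC key pairs, hashtables stand in for the XrML publishing and use licenses, and the document name, user names and the $Authorized lookup are constructed sample data. It shows why only the cluster can turn a publishing license into a use license, and why an unauthorized user never receives the content key.

```powershell
# Added example: a simplified model of the AD RMS licensing flow (steps 1-7).
# Key sizes follow Cryptographic Mode 2 (RSA 2048, SHA-256). Hashtables stand in
# for the real XrML licenses; all names and the $Authorized table are constructed.
using namespace System.Security.Cryptography
using namespace System.Text

$oaep   = [RSAEncryptionPadding]::OaepSHA256
$sha256 = [HashAlgorithmName]::SHA256
$pkcs1  = [RSASignaturePadding]::Pkcs1

# Long-lived key pairs (stand-ins for the SLC, the author's client licensor
# certificate and the recipient's RAC). Only the cluster ever holds $ServerKey.
$ServerKey    = [RSACng]::new(2048)
$AuthorKey    = [RSACng]::new(2048)
$RecipientKey = [RSACng]::new(2048)

# Constructed authorization data; AD RMS resolves this against AD DS (step 5).
$Authorized = @{ 'report.docx' = @('alice@adatum.com') }

function Protect-Content {
    # Steps 2-3: encrypt the content with a fresh symmetric key, then seal that key
    # to the server's public key inside a publishing license (PL) that the author signs.
    param([string]$Name, [string]$PlainText)
    $bytes = [Encoding]::UTF8.GetBytes($PlainText)
    $aes   = [Aes]::Create()                       # random 256-bit key and IV
    $body  = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    $pl = @{
        Name       = $Name
        IV         = $aes.IV
        Rights     = @('View')
        WrappedKey = $ServerKey.Encrypt($aes.Key, $oaep)   # readable only by the cluster
    }
    # The client licensor certificate's private key signs the PL (offline publishing).
    $pl.Signature = $AuthorKey.SignData($pl.WrappedKey, $sha256, $pkcs1)
    return @{ Body = $body; PublishingLicense = $pl }
}

function Request-UseLicense {
    # Steps 5-7, performed by the AD RMS server: verify the PL signature, check that
    # the requesting user is authorized, recover the content key with the SLC private
    # key, and re-encrypt it to the recipient's public key inside a use license (EUL).
    param([hashtable]$PL, [string]$User, [RSA]$RecipientPublicKey)
    if (-not $AuthorKey.VerifyData($PL.WrappedKey, $PL.Signature, $sha256, $pkcs1)) {
        throw "Publishing license signature is invalid"   # VerifyData needs only the public half
    }
    if ($Authorized[$PL.Name] -notcontains $User) { return $null }   # no EUL for this user
    $contentKey = $ServerKey.Decrypt($PL.WrappedKey, $oaep)          # step 6
    return @{
        User         = $User
        IV           = $PL.IV
        Rights       = $PL.Rights
        EncryptedKey = $RecipientPublicKey.Encrypt($contentKey, $oaep)   # step 7
    }
}

function Unprotect-Content {
    # Consumption: only the holder of the RAC private key can unwrap the EUL's key.
    param([byte[]]$Body, [hashtable]$EUL, [RSA]$RacPrivateKey)
    $aes = [Aes]::Create()
    $aes.Key = $RacPrivateKey.Decrypt($EUL.EncryptedKey, $oaep)
    $aes.IV  = $EUL.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Body, 0, $Body.Length)
    return [Encoding]::UTF8.GetString($plain)
}

# Walk-through with constructed data.
$doc = Protect-Content -Name 'report.docx' -PlainText 'Executive compensation (constructed sample)'
$eul = Request-UseLicense -PL $doc.PublishingLicense -User 'alice@adatum.com' -RecipientPublicKey $RecipientKey
Unprotect-Content -Body $doc.Body -EUL $eul -RacPrivateKey $RecipientKey

# An unauthorized user never receives an EUL, so the content key is never released to them.
$denied = Request-UseLicense -PL $doc.PublishingLicense -User 'bob@example.com' -RecipientPublicKey $RecipientKey
"EUL issued to bob: $($null -ne $denied)"
```

Because the content key in the PL is sealed to the server's public key, losing the SLC key pair makes every PL undecryptable, which is the reason the backup guidance later in this module singles out the SLC.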


Lesson 2

Deploying and Managing an AD RMS Infrastructure

Before deploying AD RMS, it is important to have a deployment plan that is appropriate for your organization's environment. AD RMS deployment in a single-domain forest is different from AD RMS deployment in scenarios where you need to support the publication and consumption of content across multiple forests, to trusted partner organizations, or across the public Internet. Before deploying AD RMS, you also need to have an understanding of the client requirements, and an appropriate strategy for backing up and recovering AD RMS. This lesson provides an overview of deploying AD RMS, and the steps you need to take to back up, recover, and decommission an AD RMS infrastructure.

Lesson Objectives

After completing this lesson you will be able to:
Describe AD RMS deployment scenarios.
Configure the AD RMS cluster.
Explain how to install the first server of an AD RMS cluster.
Describe AD RMS client requirements.
Explain how to implement an AD RMS backup and recovery strategy.
Explain how to decommission and remove AD RMS.

AD RMS Deployment Scenarios

An AD RMS deployment consists of one or more servers known as a cluster. An AD RMS cluster is not a high-availability failover cluster. When you are deploying AD RMS, you should host the server so that it is highly available. AD RMS is commonly deployed as a highly available virtual machine. When you deploy AD RMS in a single forest, you have a single AD RMS cluster. This is the most common form of AD RMS deployment. You add servers to the AD RMS cluster as needed, to provide additional capacity.

When you deploy AD RMS across multiple forests, each forest must have its own AD RMS root cluster. It is necessary to configure AD RMS Trusted Publishing Domains to ensure that AD RMS content can be protected and consumed across the multiple forests. You can also deploy AD RMS to extranet locations. In this deployment, the AD RMS licensing server is accessible to hosts on the internet. You use this type of deployment to support collaboration with external users. You can deploy AD RMS with Active Directory Federation Services (AD FS) or the Microsoft Federation Gateway. In this scenario, users leverage federated identity to publish and consume rights-protected content.

As a best practice, you should not deploy AD RMS on a domain controller. You can only deploy AD RMS on a domain controller if the service account is a member of the Domain Admins group.


Configuring the AD RMS Cluster

Once you have deployed the AD RMS server role, you need to configure the AD RMS cluster before it is possible to use AD RMS. Configuring the AD RMS cluster involves performing the following steps:
1. AD RMS cluster: Choose whether to create a new AD RMS root cluster, or join an existing cluster.
2. Configuration database: Select whether to use an existing SQL Server instance in which to store the AD RMS configuration database, or to configure and install the Windows Internal Database locally. You can use SQL Server 2008, SQL Server 2008 R2, or SQL Server 2012 to support an AD RMS deployment in Windows Server 2012. As a best practice, use a SQL Server database that is hosted on a separate server.
3. Service account: Microsoft recommends using a standard domain user account with additional permissions. You can use a managed service account as the AD RMS service account.
4. Cryptographic mode: Choose the strength of the cryptography used with AD RMS.
o Cryptographic Mode 2 uses RSA 2048-bit keys and SHA-256 hashes.
o Cryptographic Mode 1 uses RSA 1024-bit keys and SHA-1 hashes.
5. Cluster key storage: Choose where the cluster key is stored. You can either have it stored within AD RMS, or use a special cryptographic service provider (CSP). If you choose to use a CSP, you need to manually distribute the key if you want to add additional servers.
6. Cluster key password: This password encrypts the cluster key, and is required if you want to join other AD RMS servers to the cluster, or if you want to restore the cluster from backup.
7. Cluster website: Choose which website on the local server will host the AD RMS cluster website.
8. Cluster address: Specify the fully qualified domain name (FQDN) used with the cluster. You have the option of choosing between a Secure Sockets Layer (SSL)-encrypted and a non-SSL-encrypted website. If you choose non-SSL-encrypted, you will be unable to add support for Identity Federation. Once you set the cluster address and port, you cannot change them without completely removing AD RMS.
9. Licensor certificate: Choose the friendly name used by the SLC. It should represent the function of the certificate.
10. Service connection point registration: Choose whether the service connection point is registered in AD DS when the AD RMS cluster is created. The service connection point allows computers that are members of the domain to locate the AD RMS cluster automatically. Only users that are members of the Enterprise Admins group are able to register the service connection point. You can perform this step after the AD RMS cluster is created; you do not have to perform it during the configuration process.


Demonstration: Installing the First Server of an AD RMS Cluster


In this demonstration, you will deploy AD RMS on a computer that is running Windows Server 2012.

Demonstration Steps

Configure Service Account
1. Log on to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Use the Active Directory Administrative Center to create an Organizational Unit (OU) named Service Accounts in the adatum.com domain.
3. Create a new user account in the Service Accounts OU with the following properties:
o First name: ADRMSSVC
o User UPN logon: ADRMSSVC
o Password: Pa$$w0rd
o Password never expires: Enabled
o User cannot change password: Enabled

Prepare DNS
Use the DNS Manager console to create a host (A) resource record in the adatum.com zone with the following properties:
o Name: adrms
o IP Address: 172.16.0.21

Install the AD RMS role
1. Log on to LON-SVR1 with the Adatum\Administrator account using the password Pa$$w0rd.
2. Use the Add Roles and Features Wizard to add the AD RMS role to LON-SVR1 using the following option:
o Role services: Active Directory Rights Management Server

Configure AD RMS
1. In Server Manager, from the AD RMS node, click More to start post deployment configuration of AD RMS.
2. In the AD RMS Configuration Wizard, provide the following information:
o Create a new AD RMS root cluster
o Use Windows Internal Database on this server
o Use Adatum\ADRMSSVC as the service account
o Cryptographic Mode: Cryptographic Mode 2
o Cluster Key Storage: Use AD RMS centrally managed key storage
o Cluster Key Password: Pa$$w0rd
o Cluster Web Site: Default Web Site
o Connection Type: Use an unencrypted connection
o Fully Qualified Domain Name: http://adrms.adatum.com
o Port: 80
o Licensor Certificate: Adatum AD RMS
o Register AD RMS Service Connection Point: Register the SCP Now
3. Log off from LON-SVR1.

Note: You must sign out before you can manage AD RMS.

AD RMS Client Requirements

AD RMS content can only be published and consumed by computers that are running the AD RMS client. All versions of Windows Vista, Windows 7, and Windows 8 client operating systems include AD RMS client software. Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 operating systems also include the AD RMS client. These operating systems do not require additional configuration to consume and publish AD RMS-protected content. AD RMS client software is available for download to computers that are running the Windows XP operating system, and Mac OS X. This client software must be installed before it is possible for users of these operating systems to be able to consume and publish AD RMS-protected content.

AD RMS requires compatible applications. Server applications that support AD RMS include the following:
Microsoft Exchange Server 2007
Exchange Server 2010
Exchange Server 2013
Microsoft Office SharePoint Server 2007
SharePoint Server 2010
SharePoint Server 2013

Client applications, such as those included in Microsoft Office 2007, Office 2010, and Office 2013, can publish and consume AD RMS-protected content. You can use the AD RMS Software Development Kit (SDK) to create applications that can publish and consume AD RMS-protected content. Microsoft XPS viewer and Windows Internet Explorer are also able to view AD RMS-protected content.


Implementing an AD RMS Backup and Recovery Strategy

To prevent data loss, you must ensure that the AD RMS server is backed up in such a way that it can be recovered in the event of file corruption or server failure. If the AD RMS server becomes inaccessible, all AD RMS-protected content also becomes inaccessible.

A simple strategy for implementing AD RMS backup and recovery is to run the AD RMS server as a virtual machine, and then use an enterprise backup product such as Microsoft System Center 2012 - Data Protection Manager to perform regular virtual machine backups. Some of the important components that require backups are the private key, certificates, the AD RMS database, and templates. You can also perform a full server backup, by running the AD RMS server on a virtual machine.

As a best practice, you need to back up the AD RMS private key and all certificates used by AD RMS. The simplest method of doing this is to export the certificates to a safe location. You must also back up the AD RMS database on a regular basis. The method you use to do this depends on whether AD RMS uses SQL Server or the Windows Internal Database. To back up templates, configure the templates to be exported to a shared folder, and then back up these templates.

When you are performing recovery of the AD RMS role, it may be necessary to delete the ServiceConnectionPoint object from AD DS. You need to do this if you are recovering an AD RMS root configuration server, and the server attempts to provision itself as a licensing-only server.

Decommissioning and Removing AD RMS

Prior to removing an AD RMS server, you should decommission that server. Decommissioning AD RMS puts the cluster into a state where consumers of AD RMS-protected content are able to obtain special keys that decrypt that content, irrespective of the existing restrictions that were placed on the use of that content. If you do not have a decommissioning period, and if you simply remove the AD RMS server, then the AD RMS-protected content will become inaccessible.

To decommission AD RMS, perform the following steps:
1. Log on to the server that is hosting AD RMS, and that you wish to decommission.
2. Modify the access control list (ACL) of the file decommissioning.asmx. Grant the Everyone group Read & Execute permission on the file. This file is stored in the %systemdrive%\inetpub\wwwroot\_wmcs\decommission folder.
3. In the Active Directory Rights Management Services console, expand the Security Policies node, and then click the Decommissioning node.
4. In the Actions pane, select Enable Decommissioning.
5. Click Decommission.
6. When prompted to confirm that you want to decommission the server, click Yes.

After the AD RMS decommissioning process is complete, you should export the server licensor certificate prior to uninstalling the AD RMS role.
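Step 2 of the procedure above as an added PowerShell example, not code from the course: it grants the Everyone group Read & Execute on decommissioning.asmx and then reads the ACL back to confirm the change took effect. It assumes the default IIS path under %systemdrive% given in step 2 and an English Windows build where the well-known group is named Everyone.

```powershell
# Added example: grant Everyone Read & Execute on the AD RMS decommissioning page
# (step 2 of the decommissioning procedure) and verify the resulting ACL.
$Asmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\decommission\decommissioning.asmx'

function Grant-DecommissionAccess {
    param([string]$Path = $Asmx)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Decommissioning page not found at $Path. Is the AD RMS role installed on this server?"
    }
    $acl  = Get-Acl -LiteralPath $Path
    # Allow ACE for the well-known Everyone group; name is localized on non-English builds.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-DecommissionAccess {
    # Returns $true when an Allow ACE for Everyone covers at least ReadAndExecute.
    param([string]$Path = $Asmx)
    $required = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'Everyone' -and
            (($ace.FileSystemRights -band $required) -eq $required)) {
            return $true
        }
    }
    return $false
}

Grant-DecommissionAccess
"Everyone can read and execute decommissioning.asmx: $(Test-DecommissionAccess)"
```

Run this from an elevated PowerShell session on the AD RMS server before enabling decommissioning in the console (steps 3 to 6).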


Lesson 3

Configuring AD RMS Content Protection

AD RMS uses rights policy templates to enforce a consistent set of policies when protecting content. When configuring AD RMS, you also need to develop strategies to ensure that users can still access protected content from a computer that is not connected to the AD RMS cluster. You also need to develop strategies for excluding some users from being able to access AD RMS-protected content, and strategies to ensure that protected content can be recovered in the event that it has expired, the template has been deleted, or if the author of the content is no longer available.

Lesson Objectives

After completing this lesson you will be able to:
Describe the function of rights policy templates.
Explain how to create a rights policy template.
Implement strategies to ensure rights policy templates are available for offline use.
Describe exclusion policies.
Explain how to create an exclusion policy to exclude an application.
Implement an AD RMS super users group.

What Are Rights Policy Templates?

Rights policy templates allow you to configure standard methods of implementing AD RMS policies across the organization. For example, you can configure standard templates that grant view-only rights, block the ability to edit, save, and print, or if used with Microsoft Exchange Server, block the ability to forward, reply, and reply all to messages.

Rights policy templates are created using the Active Directory Rights Management Services console. They are stored in the AD RMS database, and can also be stored in XML format. When content is consumed, the client checks with AD RMS to verify that it has the most recent version of the template.

A document author can choose to protect content by applying an existing template. This is done using an AD RMS-aware application. For example, in Office Word, you apply a template by using the Protect Document function. When you do this, Office Word queries AD DS to determine the location of the AD RMS server. Once the location of the AD RMS server is acquired, templates that are available to the content author can be used. AD RMS templates support the following rights:
Full Control. Gives a user full control over an AD RMS-protected document.
View. Gives a user the ability to view an AD RMS-protected document.
Edit. Allows a user to modify an AD RMS-protected document.
Save. Allows a user to use the Save function with an AD RMS-protected document.
Export (Save as). Allows a user to use the Save As function with an AD RMS-protected document.
Print. Allows an AD RMS-protected document to be printed.
Forward. Used with Exchange Server. Allows the recipient of an AD RMS-protected message to forward that message.
Reply. Used with Exchange Server. Allows the recipient of an AD RMS-protected message to reply to that message.
Reply All. Used with Exchange Server. Allows the recipient of an AD RMS-protected message to use the Reply All function to reply to that message.
Extract. Allows the user to copy data from the file. If this right is not granted, the user cannot copy data from the file.
Allow Macros. Allows the user to utilize macros.
View Rights. Allows the user to view assigned rights.
Edit Rights. Allows the user to modify the assigned rights.

Rights can only be granted, and cannot be explicitly denied. For example, to ensure that a user cannot print a document, the template associated with the document must not include the Print right. Administrators are also able to create custom rights that can be used with custom AD RMS-aware applications. AD RMS templates can also be used to configure documents with the following properties:
Content Expiration. Determines when the content expires. The options are:
o Never. The content never expires.
o Expires on a particular date. Content expires at a particular date and time.
o Expires after. The content expires a particular number of days after it is created.
Use license expiration. Determines the time interval in which the use license will expire, and a new one will need to be acquired.
Enable users to view protected content using a browser add-on. Allows content to be viewed using a browser add-on. Does not require the user to have an AD RMS-aware application.
Require a new use license each time content is consumed. When you enable this option, client-side caching is disabled. This means that the document cannot be consumed when the computer is offline.
Revocation policies. Allows the use of a revocation list. This allows an author to revoke permission to consume content. You can specify how often the revocation list is checked, with the default being once every 24 hours.

Once an AD RMS policy template is applied to a document, any updates to that template will also be applied to that document. For example, if you have a template without a content expiration policy that is used to protect documents, and you modify that template to include a content expiration policy, those protected documents will now have an expiration policy. Template changes are reflected when the EUL is acquired. If EULs are configured not to expire and the user who is accessing the document already has a license, then they may not receive the updated template. You should avoid deleting templates, because documents that use those templates will become inaccessible to everyone except for members of the super users group. As a best practice, archive templates instead of deleting them.


You can view the rights associated with a template by selecting the template within the Active Directory Rights Management Services console, and then in the Actions menu, clicking View Rights Summary.

Demonstration: Creating a Rights Policy Template

In this demonstration, you will create a rights policy template that allows users to view a document, but not to perform other actions.

Demonstration Steps

In the Active Directory Rights Management Services console, use the Rights Policy Template node to create a Distributed Rights Policy Template with the following properties:
o Language: English (United States)
o Name: ReadOnly
o Description: Read-only access. No copy or print.
o Users and rights: executives@adatum.com
o Rights for Anyone: View
o Grant owner (author) full control right with no expiration
o Content Expiration: Expires after 7 days
o Use license expiration: Expires after 7 days
o Require a new use license every time content is consumed (disable client-side caching): Enabled

Providing Rights Policy Templates for Offline Use


If users are going to publish AD RMS-protected content by using templates when they are not connected to the network, you need to ensure that they have access to a local copy of the available rights policy templates. You can configure computers to acquire and store published rights policy templates automatically, so that they are available offline. To enable this feature, computers must be running one of the following Windows operating systems:
• Windows Vista SP1 or newer
• Windows 7
• Windows 8
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012

To enable this functionality, in the Task Scheduler, enable the AD RMS Rights Policy Template Management (Automated) scheduled task, and then edit the following registry key:


HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Provide the following location for templates to be stored:

%LocalAppData%\Microsoft\DRM\Templates

When computers that are running these operating systems are connected to the domain, the AD RMS client polls the AD RMS cluster for new templates, or updates to existing templates. You can configure a shared folder for templates by performing the following steps:
1. In the Active Directory Rights Management Services console, right-click the Rights Policy Templates node, and then click Properties.
2. On the Rights Policy Templates Properties dialog box, specify the location of the shared folder to which templates will be published.
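The client-side part of this procedure (the scheduled task and the registry key) can be scripted. The following is an added example, not course material: it enables the task and sets the template cache location on a Windows 7 or Windows 8 client. The course names only the key and the path; the task folder under Task Scheduler and the registry value name AdminTemplatePath are assumptions taken from outside the course, so verify both against TechNet before rolling this out.

```powershell
# Added example (not from the course): enable offline caching of rights policy
# templates on a client, as described in the section above.
# Assumptions (not stated by the course): the task lives in the Task Scheduler
# folder named below, and the Office DRM key uses the value name AdminTemplatePath.
$taskName = 'AD RMS Rights Policy Template Management (Automated)'
$taskPath = '\Microsoft\Windows\Active Directory Rights Management Services Client\'

# Get-/Enable-ScheduledTask ship with Windows 8 and Windows Server 2012;
# on older clients fall back to schtasks.exe.
$task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue
if ($task) {
    Enable-ScheduledTask -TaskName $taskName -TaskPath $taskPath | Out-Null
} else {
    & schtasks.exe /Change /TN "$taskPath$taskName" /ENABLE
}

# Point the Office DRM client at the local template store (key and path from the course).
$key = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'AdminTemplatePath' -PropertyType ExpandString `
    -Value '%LocalAppData%\Microsoft\DRM\Templates' -Force | Out-Null

# Verify: the value is set, and (after the task has run once while domain-connected)
# the cached template XML files are present.
Get-ItemProperty -Path $key -Name 'AdminTemplatePath'
Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates') `
    -Filter '*.xml' -ErrorAction SilentlyContinue
```

Run this in the user's own session, because the key is under HKEY_CURRENT_USER and the cache folder is under that user's local application data; the task only populates the folder the next time the client can reach the cluster.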

What Are Exclusion Policies?


Exclusion policies allow you to prevent specific user accounts, client software, or applications from using AD RMS.

User Exclusion

The User Exclusion policy allows you to configure AD RMS so that specific user accounts, which are identified based on email addresses, are unable to obtain Use Licenses. You do this by adding each user's RAC to the exclusion list. User Exclusion is disabled by default. Once you have enabled User Exclusion, you can exclude specific RACs.

You can use user exclusion in the event that you need to lock a specific user out of AD RMS-protected content. For example, when users leave the organization, you might exclude their RACs to ensure that they are unable to access protected content. You can block the RACs that are assigned to both internal users and external users.

Application Exclusion

Application Exclusion allows you to block specific applications, such as Office PowerPoint, from creating or consuming AD RMS-protected content. You specify applications based on executable names. You also specify a minimum and a maximum version of the application. Application Exclusion is disabled by default.

Note: It is possible to circumvent Application Exclusion by renaming an executable file.

Lockbox Exclusion

Lockbox exclusion allows you to exclude AD RMS clients, such as those used with specific operating systems such as Windows XP and Windows Vista. Lockbox version exclusion is disabled by default. Once you have enabled Lockbox version exclusion, you must specify the minimum lockbox version that can be used with the AD RMS cluster.
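Because Application Exclusion matches on the executable's file name, the note above matters for anyone relying on it. The following added example (not from the course) is one way to check for that condition on a client: it compares each running process's on-disk file name with the OriginalFilename stored in the binary's version resource and reports the mismatches, along with the file version that an exclusion's minimum and maximum version would be compared against. The function name and the Powerpnt.exe filter are this example's own choices.

```powershell
# Added example (not from the course): list running processes whose on-disk name
# differs from the OriginalFilename in their version resource. A renamed Office
# binary shows up here even though its file name no longer matches an exclusion.
function Get-RenamedProcessImage {
    foreach ($p in Get-Process) {
        # No path means we cannot read the image (for example, a protected process).
        if (-not $p.Path) { continue }
        try { $vi = $p.MainModule.FileVersionInfo } catch { continue }
        $onDisk = [System.IO.Path]::GetFileName($p.Path)
        if ($vi.OriginalFilename -and ($vi.OriginalFilename -ine $onDisk)) {
            [PSCustomObject]@{
                ProcessId        = $p.Id
                OnDiskName       = $onDisk
                OriginalFilename = $vi.OriginalFilename
                FileVersion      = $vi.FileVersion   # compare with the exclusion's min/max version
                Path             = $p.Path
            }
        }
    }
}

# Everything that looks renamed:
Get-RenamedProcessImage | Format-Table -AutoSize

# Only images that were built as Powerpnt.exe (the course's exclusion demonstration)
# but are running under another file name:
Get-RenamedProcessImage |
    Where-Object { $_.OriginalFilename -ieq 'Powerpnt.exe' } |
    Format-Table -AutoSize
```

Treat hits as leads rather than verdicts: some installers and bootstrappers legitimately carry an OriginalFilename that differs from the shipped name, and the check only sees processes the current account is allowed to inspect, so run it elevated when you want full coverage.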


Additional Reading: To find out more about enabling exclusion policies, refer to the following TechNet webpage: http://technet.microsoft.com/en-us/library/cc730687.aspx

Demonstration: Creating an Exclusion Policy to Exclude an Application


In this demonstration, you will see how to exclude a specific application from AD RMS.

Demonstration Steps


1. In the Active Directory Rights Management Services console, enable Application exclusion.
2. In the Exclude Application dialog box, enter the following information:
o Application File name: Powerpnt.exe
o Minimum version: 14.0.0.0
o Maximum version: 16.0.0.0

AD RMS Super Users Group


The AD RMS super users group provides a data recovery mechanism for AD RMS-protected content. This mechanism is useful in the event that AD RMS-protected data needs to be recovered, such as when content has expired, when a template has been deleted, or when you do not have access. Members of the super users group are assigned Owner Use Licenses for all content that is protected by the AD RMS cluster on which that particular super users group is enabled. Members of the super users group are able to reset the AD RMS server's private key password.

As members of the super users group can access any AD RMS-protected content, you must be especially careful when you are managing the membership of this group. If you choose to use the AD RMS super users group, you should consider implementing restricted groups policy and auditing to limit group membership, and audit any changes that are made. Super User activity is written to the Application event log.

The super users group is disabled by default. You enable the super users group by performing the following steps:
1. In the Active Directory Rights Management Services console, expand the server node, and then click Security Policies.
2. In the Security Policies area, under Super Users, click Change Super User Settings.
3. In the Actions pane, click Enable Super Users.

To set a particular group as the super users group:
1. In the Security Policies\Super Users area, click Change super user group.
2. Provide the e-mail address associated with the super users group.


Lesson 4

Configuring External Access to AD RMS

It is often necessary to allow users that are not a part of the organization access to AD RMS-protected content. This could be a situation where an external user is a contractor who requires access to sensitive materials, or a partner organization where your users will require access to protected content published by their AD RMS server. AD RMS provides a number of different options for granting external users access to protected content.

Lesson Objectives


After completing this lesson, you will be able to:
• Describe the options available for making AD RMS-protected content accessible to external users.
• Explain how to implement Trusted User Domains.
• List the steps necessary to deploy Trusted Publishing Domains.
• Describe the steps necessary to configure AD RMS to share protected content to users with Windows Live IDs.
• Determine the appropriate solution for sharing AD RMS-protected content with external users.

Options for Enabling External Users to Access AD RMS


Trust policies allow users who are external to the organization the ability to consume AD RMS-protected content. For example, a trust policy can allow users in Bring Your Own Device (BYOD) environments to consume AD RMS-protected content, even though those computers are not members of the organization's AD DS domain. AD RMS trusts are disabled by default, and need to be enabled before being used. AD RMS supports the following trust policies.

Trusted User Domains

Trusted User Domains (TUD) allow an AD RMS cluster to process requests for client licensor certificates, or use licenses, from people who have RACs issued by a different AD RMS cluster. For example, A. Datum Corporation and Trey Research are separate organizations that have each deployed AD RMS. TUD allows each organization to publish and consume AD RMS-protected content to and from the partner organization without having to implement AD DS trusts or AD FS.

Trusted Publishing Domains

Trusted Publishing Domains (TPD) allow one AD RMS cluster to issue EULs to content that uses publishing licenses that are issued by a different AD RMS cluster. TPD consolidates existing AD RMS infrastructure.

Federation Trust

Federation Trust provides Single Sign On (SSO) for partner technologies. Federated partners can consume AD RMS-protected content without deploying their own AD RMS infrastructure. Federation Trust requires deployment of AD FS.


Windows Live ID Trust

You can use Windows Live ID to allow standalone users that have Windows Live IDs to consume AD RMS-protected content generated by users in your organization. However, Windows Live ID users are unable to create content that is protected by the AD RMS cluster.

Microsoft Federation Gateway

Microsoft Federation Gateway allows an AD RMS cluster to process requests to publish and consume AD RMS-protected content from external organizations, by accepting claims-based authentication tokens from the Microsoft Federation Gateway. Rather than configuring a Federation Trust, each organization has a relationship with the Microsoft Federation Gateway. The Microsoft Federation Gateway acts as a trusted broker.

Additional Reading: You can learn more about AD RMS Trust Policies at the following link: http://technet.microsoft.com/en-us/library/cc755156.aspx

Implementing TUD

TUD allows AD RMS to service requests from users who have RACs issued by different AD RMS deployments. You can use exclusions with each TUD to block access to specific users and groups.

To configure AD RMS to support service requests from users who have RACs issued by different AD RMS deployments, you add the organization to the list of TUDs. TUDs can be one-way, where organization A is a TUD of organization B, or bidirectional, where organization A and organization B are TUDs of each other. In one-way deployments, it is possible for the users of the TUD to consume the content of the local AD RMS deployment, but they cannot publish AD RMS-protected content by using the local AD RMS cluster.

You need to enable anonymous access to the AD RMS licensing service in Internet Information Services (IIS) when using TUD, as by default, accessing the service requires authenticating using Integrated Windows Authentication. To add a TUD, perform the following steps:
1. The TUD of the AD RMS deployment that you want to trust must have already been exported, and the file must be available. (TUD files use the .bin extension.)
2. In the AD RMS console, expand Trust Policies, and then click Trusted User Domains.
3. In the Actions pane, click Import Trusted User Domain.
4. In the Trusted User Domain dialog box, enter the path to the exported TUD file with the .bin extension.
5. Provide a name to identify this TUD. If you have configured federation, you can also choose to extend the trust to federated users of the imported server.

You can use the Import-RmsTUD PowerShell cmdlet, which is part of the ADRMSADMIN PowerShell module, to add a TUD.


To export a TUD, perform the following steps:
1. In the Active Directory Rights Management Services console, expand Trust Policies, and then click Trusted User Domains.
2. In the Actions pane, click Export Trusted User Domain.
3. Save the TUD file with a descriptive name.

You can also use the Export-RmsTUD cmdlet to export an AD RMS server TUD.

Implementing TPD

You can use TPD to set up a trust relationship between two AD RMS deployments. An AD RMS TPD, which is a local AD RMS deployment, can grant EULs for content published using the Trusted Publishing domain's AD RMS deployment. For example, Contoso, Ltd and A. Datum Corporation are set up as TPD partners. TPD allows users of the Contoso AD RMS deployment to consume content published using the A. Datum AD RMS deployment, by using EULs that are granted by the Contoso AD RMS deployment.

You can remove a TPD at any time. When you do this, clients of the remote AD RMS deployment will not be able to issue EULs to access content protected by your AD RMS cluster. When you are configuring a TPD, you import the SLC of another AD RMS cluster. TPDs are stored in XML format, and are protected by passwords. To export a TPD, perform the following steps:
1. In the AD RMS console, expand Trust Policies, and then click Trusted Publishing Domains.
2. In the Results pane, choose the certificate for the AD RMS domain that you want to export, and then in the Actions pane, click Export Trusted Publishing Domain.
3. Choose a strong password and a filename for the TPD.

When you are exporting a TPD, it is possible to save it as a V1-compatible trusted publishing domain file. This allows the TPD to be imported into organizations that are using AD RMS clusters on earlier versions of the Windows Server operating system, such as the version available in Windows Server 2003. You can use the Export-RmsTPD cmdlet to export a TPD. To import a TPD, perform the following steps:
1. In the Active Directory Rights Management Services console, expand Trust Policies, and then click Trusted Publishing Domains.
2. In the Actions pane, click Import Trusted Publishing Domain.
3. Specify the path of the Trusted Publishing Domain file that you want to import.
4. Enter the password to open the Trusted Publishing Domain file, and enter a display name that identifies the TPD.

You can also use the Import-RmsTPD cmdlet to import a TPD.


Additional Reading: You can learn more about importing TPDs on the following Microsoft TechNet reference: http://technet.microsoft.com/en-us/library/cc771460.aspx

Sharing AD RMS-Protected Documents by Using Windows Live ID

You can use Windows Live ID as a method of providing RACs to users who are not part of your organization. To trust Windows Live ID-based RACs, perform the following steps:
1. In the Active Directory Rights Management Services console, expand Trust Policies, and then click Trusted User Domains.
2. In the Actions pane, click Trust Windows Live ID.

To exclude specific Windows Live ID email domains, right-click the Windows Live ID certificate, click Properties, and then click the Excluded Windows Live IDs tab. You can then enter the Windows Live IDs that you want to exclude from being able to procure RACs.

To allow users with Windows Live IDs to obtain RACs from your AD RMS cluster, you need to configure IIS to support anonymous access. To do this, perform the following steps:
1. Open the IIS Manager console on the AD RMS server.
2. Navigate to the Sites\Default Web Site\_wmcs node, right-click the Licensing virtual directory, and then click Switch to Content View.
3. Right-click license.asmx, and then click Switch to Content View.
4. Double-click Authentication, and then enable Anonymous Authentication.
5. Repeat this step for the file ServiceLocator.asmx.

Additional Reading: You can learn more about using Windows Live ID to establish RACs for users at the following link: http://technet.microsoft.com/en-us/library/cc753056.aspx


Considerations for Implementing External User Access to AD RMS

The type of external access that you configure depends on the types of external users that need access to your organization's content. When you are determining which method to use, consider the following questions:
• Does the external user belong to an organization that has an existing AD RMS deployment?
• Does the external user's organization have an existing federated trust with the internal organization?
• Has the external user's organization established a relationship with the Microsoft Federation Gateway?
• Does the external user need to publish AD RMS-protected content that is accessible to internal RAC holders?

It is possible that organizations may use one solution before settling on another. For example, during initial stages, only a small number of external users may require access to AD RMS-protected content, in which case, using Windows Live IDs for RACs may be appropriate. When larger numbers of external users from a single organization require access, a different solution may be appropriate. The financial benefit a solution brings to an organization must exceed the cost of implementing that solution.


Lab: Implementing AD RMS


Scenario

Because of the highly confidential nature of the research that is performed at A. Datum Corporation, the security team at A. Datum wants to implement additional security for some of the documents that the Research department creates. The security team is concerned that anyone with Read access to the documents can modify and distribute the documents in any way that they choose. The security team would like to provide an extra level of protection that stays with the document even if it is moved around the network or outside the network. As one of the senior network administrators at A. Datum, you need to plan and implement an AD RMS solution that will provide the level of protection requested by the security team. The AD RMS solution must provide many different options that can be adapted for a wide variety of business and security requirements.

Objectives
• Install and configure AD RMS.
• Configure AD RMS Templates.
• Implement AD RMS Trust Policies.
• Verify AD RMS Deployment.

Lab Setup
Estimated Time: 60 minutes

20412A-LON-DC1
20412A-LON-SVR1
20412A-LON-CL1
20412A-MUN-DC1
20412A-MUN-CL1

User Name: Adatum\Administrator Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat step 2 for 20412A-LON-SVR1, 20412A-MUN-DC1, 20412A-LON-CL1, and 20412A-MUN-CL1. Do not log on until directed to do so.


Exercise 1: Installing and Configuring AD RMS


Scenario

The first step in deploying AD RMS at A. Datum Corporation is to deploy a single server in an AD RMS cluster. You will begin by configuring the appropriate DNS records and the AD RMS service account, and then will continue with installing and configuring the first AD RMS server. You will also enable the AD RMS super users group. The main tasks for this exercise are as follows:
1. Configure Domain Name System (DNS) and the Active Directory Rights Management Services (AD RMS) service account.
2. Install and configure the AD RMS server role.
3. Configure the AD RMS Super Users group.

Task 1: Configure Domain Name System (DNS) and the Active Directory Rights Management Services (AD RMS) service account
1. Log on to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Use Active Directory Administrative Center to create an OU named Service Accounts in the adatum.com domain.
3. Create a new user account in the Service Accounts OU with the following properties:
o First name: ADRMSSVC
o User UPN logon: ADRMSSVC
o Password: Pa$$w0rd
o Password never expires: Enabled
o User cannot change password: Enabled
4. Create a new Global security group in the Users container named ADRMS_SuperUsers. Set the email address of this group as ADRMS_SuperUsers@adatum.com.
5. Create a new global security group in the Users container named Executives. Set the email address of this group as executives@adatum.com.
6. Add the user accounts Aidan Delaney and Bill Malone to the Executives group.
7. Use the DNS Manager console to create a host (A) resource record in the adatum.com zone with the following properties:
o Name: adrms
o IP Address: 172.16.0.21
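The same preparation can be done from an elevated Windows PowerShell prompt on LON-DC1. This is an added example, not part of the course's lab steps; it uses the ActiveDirectory and DnsServer modules that ship with Windows Server 2012 and the names, addresses and e-mail attributes from Task 1. The service account password is prompted for rather than written into the script, and the two executives are looked up by display name because the task gives only their names.

```powershell
# Added example (not the course's lab text): Task 1 of Exercise 1 scripted on LON-DC1.
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDN = 'DC=adatum,DC=com'

# Service account OU and account. The password is prompted, not stored in the script.
New-ADOrganizationalUnit -Name 'Service Accounts' -Path $domainDN
$svcPassword = Read-Host -Prompt 'Password for ADRMSSVC' -AsSecureString
New-ADUser -Name 'ADRMSSVC' -GivenName 'ADRMSSVC' -SamAccountName 'ADRMSSVC' `
    -UserPrincipalName 'ADRMSSVC@adatum.com' `
    -Path "OU=Service Accounts,$domainDN" `
    -AccountPassword $svcPassword -PasswordNeverExpires $true `
    -CannotChangePassword $true -Enabled $true

# Global security groups with e-mail addresses; AD RMS identifies principals by e-mail.
New-ADGroup -Name 'ADRMS_SuperUsers' -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$domainDN" -OtherAttributes @{ mail = 'ADRMS_SuperUsers@adatum.com' }
New-ADGroup -Name 'Executives' -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$domainDN" -OtherAttributes @{ mail = 'executives@adatum.com' }

# Aidan Delaney and Bill Malone, looked up by display name as given in the task.
$members = Get-ADUser -Filter { Name -eq 'Aidan Delaney' -or Name -eq 'Bill Malone' }
Add-ADGroupMember -Identity 'Executives' -Members $members

# Host (A) record for the cluster URL used in Task 2.
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'adrms' -IPv4Address '172.16.0.21'

# Verify the results before moving on to LON-SVR1.
Get-ADGroupMember -Identity 'Executives' | Select-Object Name, SamAccountName
Get-ADGroup -Identity 'ADRMS_SuperUsers' -Properties mail | Select-Object Name, mail
Resolve-DnsName -Name 'adrms.adatum.com' -Type A
```

If either executive is not found, Add-ADGroupMember receives an empty member list; check the output of the verification lines rather than assuming the group was populated.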

Task 2: Install and configure the AD RMS server role


1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Use the Add Roles and Features Wizard to add the Active Directory Rights Management Services role to LON-SVR1 using the following option:
o Role services: Active Directory Rights Management Services
3. From the AD RMS node in Server Manager, click More to start post deployment configuration of AD RMS.
4. On the AD RMS Configuration Wizard, provide the following information:


o Create a new AD RMS root cluster
o Use Windows Internal Database on this server
o Service account: Adatum\ADRMSSVC
o Cryptographic Mode: Cryptographic Mode 2
o Cluster Key Storage: Use AD RMS centrally managed key storage
o Cluster Key Password: Pa$$w0rd
o Cluster Web Site: Default Web Site
o Connection Type: Use an unencrypted connection
o Fully Qualified Domain Name: http://adrms.adatum.com
o Port: 80
o Licensor Certificate: Adatum AD RMS
o Register AD RMS Service Connection Point: Register the SCP Now
5. Log off LON-SVR1.

Note: You must sign out before you can manage AD RMS. This lab uses port 80 for convenience. In production environments, you would protect AD RMS using an encrypted connection.

Task 3: Configure the AD RMS Super Users group


1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. Open the Active Directory Rights Management Services console.
3. From the Active Directory Rights Management Services console, enable Super Users.
4. Set the ADRMS_SuperUsers group as the Super Users group.

Results: After completing this exercise, you should have installed and configured AD RMS.

Exercise 2: Configuring AD RMS Templates


Scenario

After deploying the AD RMS server, the next step is to configure the rights policy templates and exclusion policies for the organization. You will deploy both components. The main tasks for this exercise are as follows:
1. Configure a new rights policy template.
2. Configure the rights policy template distribution.
3. Configure an exclusion policy.

Task 1: Configure a new rights policy template


On LON-SVR1, use the Rights Policy Template node of the Active Directory Rights Management Services console to create a Distributed Rights Policy Template with the following properties:
o Language: English (United States)
o Name: ReadOnly
o Description: Read only access. No copy or print
o Users and rights: executives@adatum.com
o Rights for Anyone: View
o Grant owner (author) full control right with no expiration
o Content Expiration: 7 days
o Use license expiration: 7 days
o Require a new use license every time content is consumed (disable client-side caching)

Task 2: Configure the rights policy template distribution


1. On LON-SVR1, open a Windows PowerShell prompt and issue the following commands, each followed by Enter:

Cmd.exe
mkdir c:\rmstemplates
net share RMSTEMPLATES=C:\rmstemplates /GRANT:ADATUM\ADRMSSVC,FULL
mkdir c:\docshare
net share docshare=c:\docshare /GRANT:Everyone,FULL

2. In the Active Directory Rights Management Services console, set the Rights Policy Templates file location to \\LON-SVR1\RMSTEMPLATES.
3. In Windows Explorer, view the c:\rmstemplates folder. Verify that the ReadOnly.xml template is present.

Task 3: Configure an exclusion policy


1. In the Active Directory Rights Management Services console, enable Application exclusion.
2. In the Exclude Application dialog box, enter the following information:
o Application File name: Powerpnt.exe
o Minimum version: 14.0.0.0
o Maximum version: 16.0.0.0

Results: After completing this exercise, you should have configured AD RMS templates.

Exercise 3: Implementing the AD RMS Trust Policies


Scenario

As part of the deployment, you need to ensure that AD RMS functionality is extended to the Trey Research AD RMS deployment. You will configure the required trust policies, and then validate that you can share protected content between the two organizations. The main tasks for this exercise are as follows:
1. Export the Trusted User Domains policy.
2. Export the Trusted Publishing Domains policy.
3. Import the Trusted User Domain policy from the partner domain.
4. Import the Trusted Publishing Domains policy from the partner domain.
5. Configure anonymous access to the AD RMS licensing server.


Task 1: Export the Trusted User Domains policy


1. On LON-SVR1, open a Windows PowerShell prompt and issue the following commands:

Cmd.exe
mkdir c:\export
net share export=c:\export /GRANT:Everyone,FULL

2. Use the Active Directory Rights Management Services console to export the Trusted User Domains policy to the \\LON-SVR1\export share as ADATUM-TUD.bin.
3. Log on to MUN-DC1 with the TREYRESEARCH\Administrator account and the password Pa$$w0rd.
4. On MUN-DC1, open the Active Directory Rights Management Services console.
5. Export the Trusted User Domains policy to the \\LON-SVR1\export share as TREYRESEARCH-TUD.bin.

Task 2: Export the Trusted Publishing Domains policy


1. Switch to LON-SVR1.
2. Use the Active Directory Rights Management Services console to export the Trusted Publishing Domains policy to the \\LON-SVR1\export share as ADATUM-TPD.xml. Protect this file using the password Pa$$w0rd.
3. Switch to MUN-DC1.
4. Use the Active Directory Rights Management Services console to export the Trusted Publishing Domains policy to the \\LON-SVR1\export share as TREYRESEARCH-TPD.xml. Protect this file using the password Pa$$w0rd.

Task 3: Import the Trusted User Domain policy from the partner domain
1. Switch to LON-SVR1.
2. Import the Trusted User Domain policy for Treyresearch by importing the file \\LON-SVR1\export\treyresearch-tud.bin. Use the display name TreyResearch.
3. Switch to MUN-DC1.
4. Import the Trusted User Domain policy for Trey Research by importing the file \\LON-SVR1\export\adatum-tud.bin. Use the display name Adatum.

Task 4: Import the Trusted Publishing Domains policy from the partner domain
1. Switch to LON-SVR1.
2. Import the Trey Research Trusted Publishing Domain by importing the file \\LON-SVR1\export\treyresearch-tpd.xml using the password Pa$$w0rd and the display name Trey Research.
3. Switch to MUN-DC1.
4. Import the Adatum Trusted Publishing Domain by importing the file \\LON-SVR1\export\adatum-tpd.xml using the password Pa$$w0rd and the display name Adatum.
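The lesson names the Export-RmsTUD, Import-RmsTUD, Export-RmsTPD and Import-RmsTPD cmdlets as the PowerShell route for what Tasks 1 to 4 do in the console. The following added example (not the course's own code) performs the A. Datum side of the exchange with those cmdlets. It assumes the AdRmsAdmin module's PowerShell drive is mounted against the cluster URL from Exercise 1 (http://adrms.adatum.com), that the provider paths TrustPolicy\TrustedUserDomain and TrustPolicy\TrustedPublishingDomain are where the trust policies live on your server, and that the Trey Research files have already been exported to the share; both passwords are prompted for rather than embedded.

```powershell
# Added example (not from the course): Exercise 3, Tasks 1 to 4 on LON-SVR1 using
# the AdRmsAdmin cmdlets named in the lesson. The drive root and the provider
# paths below are assumptions; list the drive with Get-ChildItem to confirm them.
Import-Module AdRmsAdmin
New-PSDrive -Name AdrmsCluster -PSProvider AdrmsAdmin -Root 'http://adrms.adatum.com' | Out-Null

$export  = '\\LON-SVR1\export'
$tudPath = 'AdrmsCluster:\TrustPolicy\TrustedUserDomain'
$tpdPath = 'AdrmsCluster:\TrustPolicy\TrustedPublishingDomain'

# Tasks 1 and 2: export this cluster's TUD (.bin) and its password-protected TPD (.xml).
Export-RmsTUD -Path $tudPath -SavedFile (Join-Path $export 'ADATUM-TUD.bin')

$tpdPassword = Read-Host -Prompt 'Password to protect ADATUM-TPD.xml' -AsSecureString
Export-RmsTPD -Path $tpdPath -SavedFile (Join-Path $export 'ADATUM-TPD.xml') -Password $tpdPassword

# Task 3: trust RACs issued by Trey Research. On its own this is a one-way TUD:
# Trey Research users can consume content licensed here but not publish through it.
Import-RmsTUD -Path $tudPath -SourceFile (Join-Path $export 'treyresearch-tud.bin') -DisplayName 'TreyResearch'

# Task 4: import the partner's TPD so this cluster can issue EULs for content
# published under Trey Research publishing licenses.
$partnerPassword = Read-Host -Prompt 'Password for treyresearch-tpd.xml' -AsSecureString
Import-RmsTPD -Path $tpdPath -SourceFile (Join-Path $export 'treyresearch-tpd.xml') `
    -Password $partnerPassword -DisplayName 'Trey Research'

# Verify what the cluster now trusts.
Get-ChildItem -Path $tudPath
Get-ChildItem -Path $tpdPath
```

The TPD export contains the cluster's server licensor certificate and private key material, which is why the lesson insists on a strong password; keep the exported XML on the share only for as long as the partner needs it, and remember that the trust is not usable until the partner has imported your file in turn.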

Task 5: Configure anonymous access to the AD RMS licensing server

On LON-SVR1, use Internet Information Services (IIS) to enable anonymous authentication on the following two files under Default Web Site\_wmcs\Licensing:
o license.asmx
o ServiceLocator.asmx
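The anonymous-authentication change above is the same one the lesson describes for TUD and Windows Live ID access. The following added example (not from the course) applies it with the WebAdministration module instead of the IIS Manager console, scoping the change to the two files and leaving the rest of the _wmcs application on Windows Authentication; the site, directory and file names are the ones the lab gives.

```powershell
# Added example (not from the course): enable anonymous authentication on
# license.asmx and ServiceLocator.asmx only, under Default Web Site\_wmcs\Licensing.
Import-Module WebAdministration

$site   = 'Default Web Site'
$files  = 'license.asmx', 'ServiceLocator.asmx'
$filter = '/system.webServer/security/authentication/anonymousAuthentication'

foreach ($file in $files) {
    # A location path scoped to the file keeps the setting off the rest of the directory.
    $location = "$site/_wmcs/Licensing/$file"
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name 'enabled' -Value $true
}

# Verify: each file should report True; the Licensing directory itself should not change.
foreach ($target in ($files + '')) {
    $location = ("$site/_wmcs/Licensing/$target").TrimEnd('/')
    $state = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name 'enabled'
    '{0,-40} anonymousAuthentication enabled = {1}' -f $location, $state.Value
}
```

If the last line of the verification (the Licensing directory itself) shows True, anonymous access was set more broadly than the task intends and should be reverted at that level.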

Results: After completing this exercise, you should have implemented the AD RMS trust policies.

Exercise 4: Verifying the AD RMS Deployment


Scenario
As a final step in the deployment, you will validate that the configuration is working correctly. The main tasks for this exercise are as follows:
1. Create a rights-protected document.
2. Verify internal access to protected content.
3. Open the rights-protected document as an unauthorized user.
4. Open and edit the rights-protected document as an authorized user at Trey Research.

Task 1: Create a rights-protected document
1. Log on to LON-CL1 with the Adatum\Aidan account and the password Pa$$w0rd.
2. Open Microsoft Word 2010.
3. Create a document named Executives Only.
4. In the document, type the following text: This document is for executives only, it should not be modified.
5. From the Permissions item, choose Restricted Access, and grant bill@adatum.com permission to read the document.
6. Save the document in the share \\lon-svr1\docshare.
7. Log off from LON-CL1.

Task 2: Verify internal access to protected content
1. Log on to LON-CL1 with the Adatum\Bill account using the password Pa$$w0rd.
2. In the \\lon-svr1\docshare folder, open the Executives Only document.
3. When prompted, provide the credentials Adatum\Bill with the password Pa$$w0rd.
4. Verify that you are unable to modify or save the document.
5. Select a line of text in the document.
6. Right-click the line of text. Verify that you cannot modify this text.
7. View the document permissions.
8. Log off from LON-CL1.

Task 3: Open the rights-protected document as an unauthorized user
1. Log on to LON-CL1 as Adatum\Carol using the password Pa$$w0rd.
2. In the \\lon-svr1\docshare folder, attempt to open the Executives Only document.
3. Verify that Carol does not have permission to open the document.


4. Log off from LON-CL1.

Task 4: Open and edit the rights-protected document as an authorized user at Trey Research
1. Log on to LON-CL1 with the Adatum\Aidan account using the password Pa$$w0rd.
2. Open Microsoft Word 2010.
3. Create a new document named \\LON-SVR1\docshare\TreyResearch-Confidential.docx.
4. In the document, type the following text: This document is for Trey Research only, it should not be modified.
5. Restrict the permission so that april@treyresearch.net is able to open the document.
6. Log on to MUN-CL1 as TREYRESEARCH\April.
7. Use Windows Explorer to navigate to \\LON-SVR1\docshare. Use the credentials Adatum\Administrator and Pa$$w0rd to connect.
8. Copy the TreyResearch-Confidential.docx document to the desktop.
9. Attempt to open the document. When prompted, enter the following credentials, select Remember my credentials, and then click OK:
o Username: April
o Password: Pa$$w0rd
10. Verify that you can open the document, but that you cannot make modifications to this document.
11. View the permissions that the april@treyresearch.net account has for the document.

Results: After completing this exercise, you should have verified that the AD RMS deployment is successful.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-MUN-DC1, 20412A-LON-CL1, and 20412A-MUN-CL1.

Lab Review
Question: What steps can you take to ensure that Information Rights Management can be used with the AD RMS role?


Module Review and Takeaways


Question: What are the benefits of having an SSL certificate installed on the AD RMS server when you are performing AD RMS configuration?

Question: You need to provide access to AD RMS-protected content to five users who are unaffiliated contractors, and are not members of your organization. Which method should you use to provide this access?

Question: You want to block users from protecting Office PowerPoint content using AD RMS templates. What steps should you take to accomplish this goal?

Best Practice

Prior to deploying AD RMS, you must analyze your organization's business requirements and create the necessary templates. You should meet with users to inform them of AD RMS functionality and also ask for feedback on the types of templates that they would like to have available.

Strictly control membership of the Super Users group. Users in this group can access all protected content: granting a user membership of this group gives them complete access to all AD RMS-protected content.


Module 12
Implementing Active Directory Federation Services
Contents:
Module Overview 12-1
Lesson 1: Overview of AD FS 12-2
Lesson 2: Deploying AD FS 12-11
Lesson 3: Implementing AD FS for a Single Organization 12-17
Lesson 4: Deploying AD FS in a B2B Federation Scenario 12-23
Lab: Implementing AD FS 12-28
Module Review and Takeaways 12-36

Module Overview

Active Directory Federation Services (AD FS) in Windows Server 2012 provides flexibility for organizations that want to enable their users to log on to applications that may be located on the local network, at a partner company, or in an online service. With AD FS, an organization can manage its own user accounts, and users only have to remember one set of credentials. However, those credentials can be used to provide access to a variety of applications, which can be located in a variety of places. This module provides an overview of AD FS, and then details how to configure AD FS in both a single organization scenario and in a partner organization scenario.

Objectives
After completing this module, you will be able to:
• Describe AD FS.
• Explain how to configure the AD FS prerequisites, and deploy the AD FS services.
• Describe how to implement AD FS for a single organization.
• Deploy AD FS in a business-to-business federation scenario.


Lesson 1

Overview of AD FS

AD FS is the Microsoft implementation of an identity federation framework that enables organizations to establish federation trusts and share resources across organizational and Active Directory Domain Services (AD DS) boundaries. AD FS is compliant with common web services standards, so as to enable interoperability with identity federation solutions provided by other vendors.

AD FS is designed to address a variety of business scenarios, where the typical authentication mechanisms used in a single organization do not work. This lesson provides an overview of the concepts and standards that are implemented in AD FS, and also the business scenarios that can be addressed with AD FS.

Lesson Objectives

After completing this lesson, you will be able to:
• Describe identity federation.
• Describe claims-based identity.
• Describe web services.
• Describe AD FS.
• Explain how AD FS enables single sign-on (SSO) within a single organization.
• Explain how AD FS enables SSO between business partners.
• Explain how AD FS enables SSO between on-premises and cloud-based services.

What Is Identity Federation?

Identity federation enables the distribution of identification, authentication, and authorization across organizational and platform boundaries. You can implement identity federation within a single organization to enable access to diverse web applications, or between two organizations that have a relationship of trust between them. To establish an identity federation partnership, both partners agree to create a federated trust relationship. This federated trust is based on an ongoing business relationship, and enables the organizations to implement business processes identified in the business relationship.

Note: A federated trust is not the same as a forest trust that organizations can configure between Active Directory Domain Services (AD DS) forests. In a federated trust, the AD FS servers in two organizations never have to communicate directly with each other. In addition, all communication in a federation deployment occurs over HTTPS, so you do not need to open multiple ports on any firewalls to enable federation.

As a part of the federated trust, each partner defines what resources are accessible to the other organization, and how access to the resources is enabled. For example, to update a sales forecast, a sales representative may need to collect information from a supplier's database that is hosted on the supplier's network. The administrator of the domain for the sales representative is responsible for ensuring that the appropriate sales representatives are members of the group requiring access to the supplier's database. The administrator of the organization where the database is located is responsible to ensure that the partner's employees only have access to the data they require.

In an identity federation solution, user identities and their associated credentials are stored, owned, and managed by the organization where the user is located. As part of the identity federation trust, each organization also defines how the user identities are shared securely to restrict access to resources. Each partner must define the services that it makes available to trusted partners and customers, and which other organizations and users it trusts. Each partner must also define what types of credentials and requests it accepts, and its privacy policies to ensure that private information is not accessible across the trust.

Identity federation can also be used within a single organization. For example, an organization may plan to deploy several web-based applications that require authentication. By using AD FS, the organization can implement one authentication solution for all of the applications, making it easy for users in multiple internal domains or forests to access the application. The solution can also be extended to external partners in the future, without changing the application.

What Is Claims-Based Identity?

Claims-based authentication is designed to address issues by extending typical authentication and authorization mechanisms outside the boundaries that are associated with that mechanism. For example, in most organizations, when users log on to the network, they are authenticated by an AD DS domain controller. A user who provides the right credentials to the domain controller is granted a security token. Applications that are running on servers in the same AD DS environment trust the security tokens that are provided by the AD DS domain controllers, because the servers can communicate with the same domain controllers where the users are authenticated.

The problem with this type of authentication is that it does not easily extend outside the boundaries of the AD DS forest. Although it is possible to implement Kerberos or NTLM-based trusts between two AD DS forests, client computers and domain controllers on both sides of the trust must communicate with domain controllers in the other forest to make decisions about authentication and authorization. This communication requires network traffic that is sent on multiple ports, so these ports must be open on all firewalls between the domain controllers and other computers. The problem becomes even more complicated when users have to access resources that are hosted in cloud-based systems, such as Windows Azure or Microsoft Office 365.

Claims-based authentication provides a mechanism for separating user authentication and authorization from individual applications. With claims-based authentication, users can authenticate to a directory service that is located within their organization, and be granted a claim based on that authentication. The claim can then be presented to an application that is running in a different organization. The application is designed to enable user access to the information or features, based on the claims presented. All communication also occurs over HTTPS.


The claim that is used in claims-based authentication is a statement about a user that is defined in one organization or technology, and trusted in another organization or technology. The claim could include a variety of information. For example, the claim could define the user's e-mail address, User Principal Name (UPN), and information about specific groups to which the user belongs. This information is collected from the authentication mechanism when the user successfully authenticates. The organization that manages the application defines what types of claims will be accepted by the application. For example, the application may require the email address of the user to verify the user identity, and it may then use the group membership that is presented inside the claim to determine what level of access the user should have within the application.

Web Services Overview

For claims-based authentication to work, organizations have to agree on the format for exchanging claims. Rather than have each business define this format, a set of specifications broadly identified as web services has been developed. Any organization interested in implementing a federated identity solution can use this set of specifications. Web services are a set of specifications that are used for building connected applications and services, whose functionality and interfaces are exposed to potential users through web technology standards such as Extensible Markup Language (XML), SOAP, Web Services Description Language (WSDL), and HTTP(S). The goal for creating web services is to simplify interoperability for applications across multiple development platforms, technologies, and networks. To enhance interoperability, web services are defined by a set of industry standards. Web services are based on the following standards:

• Most web services use XML to transmit data through HTTP(S). With XML, developers can create their own customized tags, thereby facilitating the definition, transmission, validation, and interpretation of data between applications and between organizations.
• Web services expose useful functionality to web users through a standard web protocol. In most cases, the protocol used is SOAP, which is the communications protocol for XML web services. SOAP is a specification that defines the XML format for messages, and essentially describes what a valid XML document looks like.
• Web services provide a way to describe their interfaces in enough detail to enable a user to build a client application to communicate with the service. This description is usually provided in an XML document called a WSDL document. In other words, a WSDL file is an XML document that describes a set of SOAP messages, and how the messages are exchanged.
• Web services are registered so that potential users can find them easily. This is done with Universal Discovery Description and Integration (UDDI). A UDDI directory entry is an XML file that describes a business and the services it offers.

WS-* Security Specifications

There are many components included in web services specifications (also known as WS-* specifications). However, the most relevant specifications for an AD FS environment are the WS-Security specifications. The specifications that are part of the WS-Security specifications include the following:


• WS-Security - SOAP Message Security and X.509 Certificate Token Profile: WS-Security describes enhancements to SOAP messaging that provide quality of protection through message integrity, message confidentiality, and single message authentication. WS-Security also provides a general-purpose yet extensible mechanism for associating security tokens with messages and a mechanism to encode binary security tokens, specifically X.509 certificates and Kerberos tickets, in SOAP messages.
• WS-Trust: WS-Trust defines extensions that build on WS-Security to request and issue security tokens and to manage trust relationships.
• WS-Federation: WS-Federation defines mechanisms that WS-Security can use to enable attribute-based identity, authentication, and authorization federation across different trust realms.
• WS-Federation Passive Requestor Profile: This WS-Security extension describes how passive clients such as web browsers can be authenticated and authorized, and how the clients can submit claims in a federation scenario. Passive requestors of this profile are limited to the HTTP or HTTPS protocol.
• WS-Federation Active Requestor Profile: This WS-Security extension describes how active clients, such as SOAP-based mobile device applications, can be authenticated and authorized, and how the clients can submit claims in a federation scenario.

Security Assertion Markup Language

The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging claims between an identity provider and a service or application provider. SAML assumes that a user has been authenticated by an identity provider, and that the identity provider has populated the appropriate claim information in the security token. When the user is authenticated, the identity provider passes a SAML assertion to the service provider. On the basis of this assertion, the service provider can make authorization and personalization decisions within an application. The communication between federation servers is based around an XML document that stores the X.509 certificate for token-signing, and the SAML 1.1 or 2.0 token.

What Is AD FS?

AD FS is the Microsoft implementation of an identity federation solution that uses claims-based authentication. AD FS provides the mechanisms to implement both the identity provider and the service provider components in an identity federation deployment. AD FS provides the following features:

• Enterprise claims provider for claims-based applications: You can configure an AD FS server as a claims provider, which means that it can issue claims about authenticated users. This enables an organization to provide its users with access to claims-aware applications in another organization by using SSO.
• Federation Service for identity federation across domains: This service offers federated web SSO across domains, thereby enhancing security and reducing overhead for IT administrators.

Note: The Windows Server 2012 version of AD FS is built on AD FS version 2.0, which is the second generation of AD FS released by Microsoft. The first version, AD FS 1.0, required AD FS web agents to be installed on all web servers that were using AD FS, and provided both claims-aware and NT token-based authentication. AD FS 1.0 did not support active clients or SAML.

AD FS Features
The following are some of the key features of AD FS:

• Web SSO: Many organizations have deployed AD DS. After authenticating to AD DS through Integrated Windows authentication, users can access all other resources that they have permission to access within the AD DS forest boundaries. AD FS extends this capability to intranet or Internet-facing applications, enabling customers, partners, and suppliers to have a similar, streamlined user experience when they access an organization's web-based applications.
• Web services interoperability: AD FS is compatible with the web services specifications. AD FS employs the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for environments that do not use the Windows identity model to federate with Windows environments.
• Passive and smart client support: Because AD FS is based on the WS-* architecture, it supports federated communications between any WS-enabled endpoints, including communications between servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for SOAP-based smart clients, such as servers, mobile phones, personal digital assistants (PDAs), and desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and WS-Federation Active Requestor Profile standards for client support.
• Extensible architecture: AD FS provides an extensible architecture that supports various security token types, including SAML and Kerberos authentication, and the ability to perform custom claims transformations. For example, AD FS can convert from one token type to another, or add custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.
• Enhanced security: AD FS also increases the security of federated solutions by delegating responsibility of account management to the organization closest to the user. Each individual organization in a federation continues to manage its own identities, and is capable of securely sharing and accepting identities and credentials from other members' sources.

Additional Reading: For information on the different identity federation products that can interoperate with AD FS, and for step-by-step guides on how to configure the products, see the AD FS 2.0 Step-by-Step and How To Guides, located at http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28v=ws.10%29.aspx.

New Features in Windows Server 2012 AD FS

The version of AD FS that is shipping with Windows Server 2012 includes several new features:

• Integration with the Windows Server 2012 operating system. In Windows Server 2012, AD FS is included as a server role that you can install using Server Manager. When you install the server role, all required operating system components are installed automatically.
• Integration with Dynamic Access Control (DAC). When you deploy DAC, you can configure user and device claims that are issued by AD DS domain controllers. AD FS can consume the AD DS claims that the domain controllers issue. This means that AD FS can make authorization decisions based on both user accounts and computer accounts.
• Windows PowerShell cmdlets for administering AD FS. Windows Server 2012 provides several new cmdlets that you can use to install and configure the AD FS server role.

How AD FS Enables SSO in a Single Organization

For many organizations, configuring access to applications and services may not require an AD FS deployment. If all users are members of the same AD DS forest, and if all applications are running on servers that are members of the same forest, you can usually just use AD DS authentication to provide access to the application. However, there are several scenarios where you can use AD FS to optimize the user experience by enabling SSO:

• The applications may not be running on Windows servers or on any servers that support AD DS authentication, or on Windows Server servers that are not domain-joined. The applications may require SAML or web services for authentication and authorization.
• Large organizations frequently have multiple domains and forests that may be the results of mergers and acquisitions, or due to security requirements. Users in multiple forests might require access to the same applications.
• Users from outside the office might require access to applications that are running on internal servers. The external users may be logging on to the applications from computers that are not part of the internal domain.

Note: Implementing AD FS does not necessarily mean that users are not prompted for authentication when they access applications. Depending on the scenario, users may be prompted for their credentials. However, users always authenticate using their internal credentials in the trusted account domain, and they never need to remember alternate credentials for the application. In addition, the internal credentials are never presented to the application or to the partner AD FS server.

Organizations can use AD FS to enable SSO in these scenarios. Because all users and the application are in the same AD DS forest, the organization only has to deploy a single federation server. This server can operate as the claims provider so that it authenticates user requests and issues the claims. The same server is also the relying party, or the consumer of the claims to provide authorization for application access.

Note: The slide and the following description use the terms federation server and federation service proxy to describe AD FS server roles. The federation server is responsible for issuing claims, and in this scenario, is also responsible for consuming the claims. The Federation Service Proxy is a proxy component that is recommended for deployments where users outside the network need access to the AD FS environment. These components are covered in more detail in the next lesson.

The following steps describe the communication flow in this scenario.
1. The client computer, which is located outside the network, must access a web-based application on the web server. The client computer sends an HTTPS request to the web server.
2. The web server receives the request, and identifies that the client computer does not have a claim. The web server redirects the client computer to the Federation Service Proxy.
3. The client computer sends an HTTPS request to the Federation Service Proxy. Depending on the scenario, the Federation Service Proxy may prompt the user for authentication, or use Integrated Windows authentication to collect the user credentials.
4. The Federation Service Proxy passes on the request and the credentials to the federation server.
5. The federation server uses AD DS to authenticate the user.
6. If authentication is successful, the federation server collects AD DS information about the user, which is then used to generate the user's claims.
7. If the authentication is successful, the authentication information and other information is collected in a security token and passed back to the client computer, through the Federation Service Proxy.
8. The client then presents the token to the web server. The web resource receives the request, validates the signed tokens, and uses the claims in the user's token to provide access to the application.

How AD FS Enables SSO in a Business-to-Business Federation

One of the most common scenarios for deploying AD FS is to provide SSO in a business-to-business (B2B) federation. In the scenario, the organization that requires access to another organization's application or service can manage their own user accounts and define their own authentication mechanisms. The other organization can define what applications and services are exposed to users outside the organization, and what claims it accepts to provide access to the application. To enable application or service sharing in this scenario, the organizations have to establish a federation trust, and then define the rules for exchanging claims between the two organizations.

The slide for this topic demonstrates the flow of traffic in a federated B2B scenario using a claims-aware web application. In this scenario, users at Trey Research have to access a web-based application at A. Datum Corporation. The AD FS authentication process for this scenario is as follows:
1. A user at Trey Research uses a web browser to establish an HTTPS connection to the web server at A. Datum Corporation.
2. The web application receives the request and verifies that the user does not have a valid token stored in a cookie by the web browser. Because the user is not authenticated, the web application redirects the client to the federation server at A. Datum (by using an HTTP 302 redirect message).
3. The client computer sends an HTTPS request to A. Datum Corporation's federation server. The federation server determines the home realm for the user. In this case, the home realm is Trey Research.
4. The client computer is redirected again to the federation server in the user's home realm, Trey Research.
5. The client computer sends an HTTPS request to the Trey Research federation server.
6. If the user is already logged on to the domain, the federation server can take the user's Kerberos ticket and request authentication from AD DS on the user's behalf, using Integrated Windows authentication. If the user is not logged on to their domain, the user is prompted for credentials.
7. The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that can be used to generate the user's claims.
8. The federation server creates the claim for the user based on the rules defined for the federation partner. The claims data is placed in a digitally-signed security token, and then sent to the client computer, which posts it back to A. Datum Corporation's federation server.
9. A. Datum Corporation's federation server validates that the security token came from a trusted federation partner.
10. A. Datum Corporation's federation server creates and signs a new token, which it sends to the client computer, which then sends the token back to the original URL requested.
11. The application on the web server receives the request and validates the signed tokens. The web server issues the client a session cookie indicating that it has been successfully authenticated, and a file-based persistent cookie is issued by the federation server (good for 30 days by default) to eliminate the home realm discovery step during the cookie lifetime. The server then provides access to the application, based on the claims provided by the user.
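The rules referred to in step 8, and the claim contents described under "What Is Claims-Based Identity?" (e-mail address, UPN, group membership), are expressed in the AD FS claim rule language. The script below is an added example, not course content or the lab's configuration; every identifier, host name and group name in it is an assumption made for illustration. The Trey Research part runs on the account partner's federation server, where A. Datum's federation service is a relying party trust; the A. Datum part runs on the resource partner's federation server, where Trey Research is a claims provider trust (step 9).

```powershell
# Added example (not course content): claim rules for the B2B flow described in
# steps 7-9. All identifiers and the group name "Sales" are assumptions.
Import-Module ADFS

$adatumFs = 'http://fs.adatum.com/adfs/services/trust'        # assumed RP identifier (A. Datum)
$treyFs   = 'http://fs.treyresearch.net/adfs/services/trust'  # assumed CP identifier (Trey Research)

# ---- Trey Research federation server (account partner) ----------------------

# Issue e-mail and UPN for the Windows account that AD DS just authenticated.
$ldapRule = @'
@RuleName = "Issue e-mail and UPN from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Look up group names with add(), not issue(): they stay in the rule pipeline
# and are never placed in the token, so the partner does not learn the
# internal group structure.
$groupRule = @'
@RuleName = "Load group names into the pipeline only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory",
        types = ("http://schemas.xmlsoap.org/claims/Group"),
        query = ";tokenGroups;{0}", param = c.Value);
'@

# Translate one internal group into the role the partner application expects.
$roleRule = @'
@RuleName = "Sales group becomes Sales role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Sales"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Sales");
'@

# Authorization rules run before the transform rules above, so the group is
# looked up again here; only Sales members receive a token for this partner.
$authzRule = @'
@RuleName = "Permit only members of Sales"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"),
        query = ";tokenGroups;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Sales"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetIdentifier $adatumFs `
    -IssuanceTransformRules (($ldapRule, $groupRule, $roleRule) -join "`n") `
    -IssuanceAuthorizationRules $authzRule

# ---- A. Datum federation server (resource partner) --------------------------

# Accept only the claim types the application needs from this partner; anything
# else Trey Research sends is dropped before A. Datum issues its own token (step 10).
$acceptRule = @'
@RuleName = "Accept e-mail, UPN and role from Trey Research"
c:[Type =~ "^http://schemas\.xmlsoap\.org/ws/2005/05/identity/claims/(emailaddress|upn)$"]
 => issue(claim = c);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@

Set-ADFSClaimsProviderTrust -TargetIdentifier $treyFs -AcceptanceTransformRules $acceptRule

# Review the effective rule sets on each side before the partner tests sign-in.
Get-ADFSRelyingPartyTrust   -Identifier $adatumFs | Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules
Get-ADFSClaimsProviderTrust -Identifier $treyFs   | Select-Object Name, AcceptanceTransformRules
```

The design point is that each side filters independently: Trey Research decides what leaves (a role rather than a group list), and A. Datum decides what it will accept, so neither organization has to rely on the other's rule set being correct.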

How AD FS Enables SSO with Online Services

As organizations move services and applications to cloud-based services, it is increasingly important that these organizations have some way to simplify the authentication and authorization experience for their users as they consume the cloud-based services. Cloud-based services add another level of complexity to the IT environment, as they are located outside the direct administrative control of the IT administrators, and may be running on many different platforms. You can use AD FS to provide an SSO experience to users across the various cloud-based platforms available. For example, once users are authenticated with AD DS credentials, they could then access Microsoft Online Services, such as hosted Microsoft Exchange Online or SharePoint Online, by using those domain credentials.

AD FS can also provide SSO to non-Microsoft cloud providers. Because AD FS is based on open standards, it can interoperate with any compliant claims-based system.

The process for accessing a cloud-based application is quite similar to the B2B scenario. One example of a cloud-based service that uses AD FS for authentication is a hybrid Exchange Online deployment. In this type of deployment, an organization deploys some or all of their mailboxes in an Office 365 and Exchange Online environment. However, the organization manages all of their user accounts in their on-premises AD DS environment. The deployment uses the Microsoft Online Services Directory Synchronization Tool to synchronize user account information from the on-premises deployment to the Exchange Online deployment. When users try to log on to their Exchange Online mailbox, the user must be authenticated using their internal AD DS credentials. If users try to log on directly to the Exchange Online environment, they are redirected back to the internal AD FS deployment to authenticate before they are given access.


The following steps describe what happens when a user tries to access their online mailbox using a web browser:

1. The user opens a web browser and sends an HTTPS request to the Exchange Online Microsoft Outlook Web App server.

2. The Outlook Web App server receives the request and verifies whether the user is part of a hybrid Exchange Server deployment. If this is the case, the server redirects the client computer to the Microsoft Online Services federation server.

3. The client computer sends an HTTPS request to the Microsoft Online Services federation server.

4. The client computer is redirected again to the on-premises federation server.

5. The client computer sends an HTTPS request to the on-premises federation server.

6. If the client computer is already logged on to the domain, the on-premises federation server can take the user's Kerberos ticket and request authentication from AD DS on the user's behalf, using Integrated Windows authentication. If the user is logging on from outside the network or from a computer that is not a member of the internal domain, the user is prompted for credentials.

7. The AD DS domain controller authenticates the user, and sends the success message back to the federation server, along with other information about the user that the federation server can use to generate the user's claims.

8. The federation server creates the claim for the user based on the rules defined during the AD FS server setup. The claims data is placed in a digitally-signed security token, and then sent to the client computer, which posts it back to the Microsoft Online Services federation server.

9. The Microsoft Online Services federation server validates that the security token came from a trusted federation partner. This trust is configured when you configure the hybrid Exchange Server environment.

10. The Microsoft Online Services federation server creates and signs a new token, which it sends to the client computer, which then sends the token back to the Outlook Web App server.

11. The Outlook Web App server receives the request and validates the signed tokens. The server issues the client a session cookie indicating that it has authenticated successfully. The user is then granted access to their Exchange Server mailbox.
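Both sequences above (the B2B flow and the Exchange Online flow) are driven by HTTP 302 redirects that a browser follows silently, which makes a broken home realm discovery step hard to see. The following PowerShell function is an added troubleshooting example, not part of the course material: it walks the redirect chain one hop at a time with System.Net.HttpWebRequest and AllowAutoRedirect disabled, so each federation server hop and its status code are listed. The application URL is fictional, and the query parameters it reports (wa, wtrealm, whr) are the standard WS-Federation passive sign-in parameters that AD FS uses, which the course text does not name.

```powershell
# Added example: walk an AD FS (WS-Federation passive) redirect chain one hop at a time.
# https://app.adatum.com/ is a fictional claims-aware application for this example.

function ConvertFrom-QueryString {
    param([string]$Query)
    $table = @{}
    foreach ($pair in ($Query.TrimStart('?') -split '&' | Where-Object { $_ })) {
        $key, $value = $pair -split '=', 2
        $table[[Uri]::UnescapeDataString($key)] = [Uri]::UnescapeDataString("$value")
    }
    return $table
}

function Trace-FederationRedirects {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$MaxHops = 10
    )
    $cookies = New-Object System.Net.CookieContainer   # carry the AD FS cookies between hops
    $current = $Url
    $hops    = @()

    for ($i = 1; $i -le $MaxHops; $i++) {
        $request = [System.Net.HttpWebRequest]::Create($current)
        $request.AllowAutoRedirect     = $false   # surface each 302 instead of following it
        $request.UseDefaultCredentials = $true    # lets the federation server use the Kerberos ticket (step 6)
        $request.CookieContainer       = $cookies

        try {
            $response = $request.GetResponse()
        } catch [System.Net.WebException] {
            $response = $_.Exception.Response     # 4xx/5xx still carry a status code to report
            if (-not $response) { throw }
        }

        $uri      = [Uri]$current
        $query    = ConvertFrom-QueryString $uri.Query
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()

        $hops += [pscustomobject]@{
            Hop     = $i
            Host    = $uri.Host
            Path    = $uri.AbsolutePath
            wa      = $query['wa']       # "wsignin1.0" when the browser is sent to a federation server
            wtrealm = $query['wtrealm']  # identifier of the relying party that started the flow
            whr     = $query['whr']      # home realm hint once home realm discovery is done
            Status  = $status
            Next    = $location
        }

        # Stop at the first non-redirect: the sign-in page or the token POST form.
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }
        $current = (New-Object System.Uri($uri, $location)).AbsoluteUri   # Location may be relative
    }
    return $hops
}

Trace-FederationRedirects -Url 'https://app.adatum.com/' | Format-Table -AutoSize
```

The trace ends at the home-realm federation server (step 5 or 6), because the token in steps 8 and 10 travels back by a browser form POST rather than a redirect. For the Exchange Online case, start the trace at the Outlook Web App URL; the second hop should be the Microsoft Online Services federation server and the third the on-premises one.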


Lesson 2

Deploying AD FS

After you understand how AD FS works, the next step is deploying the service. Before deploying AD FS, you must understand the components that you will need to deploy, and the prerequisites that you must meet, particularly in regard to certificates. This lesson provides an overview of deploying the AD FS server role in Windows Server 2012.

Lesson Objectives

After completing this lesson, you will be able to:

- Describe the components that you can include in an AD FS deployment.
- List the prerequisites for an AD FS deployment.
- Describe the Public Key Infrastructure (PKI) and certificate requirements for the AD FS deployment.
- Describe the AD FS federation server roles.
- Install the AD FS server role.

AD FS Components

AD FS is installed as a server role in Windows Server 2012. However, there are many different components that you install and configure in an AD FS deployment. The following table lists the AD FS components.

Federation server: The federation server issues, manages, and validates requests involving identity claims. All implementations of AD FS require at least one Federation Service for each participating forest.

Federation server proxy: The federation server proxy is an optional component that you usually deploy in a perimeter network. It does not add any functionality to the AD FS deployment, but is deployed just to provide a layer of security for connections from the Internet to the federation server.

Claims: A claim is a statement that is made by a trusted entity about an object such as a user. The claim could include the user's name, job title, or any other factor that might be used in an authentication scenario. With Windows Server 2012, the object can also be a device used in a DAC deployment.

Claim rules: Claim rules determine how claims are processed by the federation servers. For example, a claim rule may state that an email address is accepted as a valid claim, or that a group name from one organization is translated into an application-specific role in the other organization. The rules are usually processed in real time as claims are made.

Attribute store: AD FS uses an attribute store to look up claim values. AD DS is a common attribute store and is available by default if AD FS is installed on a domain-joined server.

Claims providers: The claims provider is the server that issues claims and authenticates users. A claims provider enables one side of the AD FS authentication and authorization process. The claims provider manages the user authentication, and then issues the claims that the user presents to a relying party.

Relying parties: The relying party is where the application is located, and it enables the second side of the AD FS authentication and authorization process. The relying party is a web service that consumes claims from the claims provider. The relying party server must have the Microsoft Windows Identity Foundation installed, or use the AD FS 1.0 claims-aware agent.

Claims provider trust: Configuration data that defines rules under which a client may request claims from a claims provider and subsequently submit them to a relying party. The trust consists of various identifiers such as names, groups, and various rules.

Relying party trust: The AD FS configuration data that is used to provide claims about a user or client to a relying party. It consists of various identifiers, such as names, groups, and various rules.

Certificates: AD FS uses digital certificates when communicating over SSL or as part of the token issuing process, the token receiving process, and the metadata publishing process. Digital certificates are also used for token signing.

Endpoints: Endpoints are mechanisms that enable access to the AD FS technologies, including token issuance and metadata publishing. AD FS comes with built-in endpoints that are responsible for a specific functionality.

Note: Many of these components are described in more detail throughout the remainder of this module.

AD FS Prerequisites

Before deploying AD FS, you must ensure that your internal network meets some basic prerequisites. The configuration of the following network services is critical for a successful AD FS deployment:

- Network connectivity: The following network connectivity is required:
  o The client computer must be able to communicate with the web application, the resource federation server or federation server proxy, and the account federation server or federation proxy using HTTPS.
  o The federation server proxies must be able to communicate with the federation servers in the same organization using HTTPS.
  o Federation servers and internal client computers must be able to communicate with domain controllers for authentication.

- AD DS: AD DS is a critical piece of AD FS. Domain controllers should be running Windows Server 2003 Service Pack 1 (SP1) as a minimum. Federation servers must be joined to an AD DS domain. The Federation Service proxy does not have to be domain-joined. Although you can install AD FS on a domain controller, it is not recommended due to security implications.

- Attribute stores: AD FS uses an attribute store to build claim information. The attribute store contains information about users, which is extracted from the store by the AD FS server after the user has been authenticated. AD FS supports the following attribute stores:
  o Active Directory Application Mode (ADAM) in Windows Server 2003
  o Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012
  o Microsoft SQL Server 2005 (all editions)
  o Microsoft SQL Server 2008 (all editions)
  o A custom attribute store

Note: AD DS can be used both as the authentication provider and as an attribute store. AD FS can also use AD LDS as an attribute store. In AD FS 1.x, AD LDS can be used as an authentication store, but in the current version of AD FS, AD LDS can only be used as an attribute store.

- DNS: Name resolution allows clients to find federation servers. The client computers must resolve the DNS names for all federation servers to which they connect, and the web applications that the client computer is trying to use. If the client computer is external to the network, the client computer must resolve the DNS name for the Federation Service Proxy, not the internal federation server. The Federation Service Proxy must resolve the name of the internal federation server. If internal users have to access the internal federation server directly, and external users have to connect through the federation server proxy, you will need to configure different DNS records in the internal and external DNS zones.

- Operating system prerequisites: You can only deploy the Windows Server 2012 version of AD FS as a server role on a Windows Server 2012 server.
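The prerequisites above can be checked before the role is installed. The following PowerShell script is an added example, not part of the course: run on the prospective federation server or proxy, it tests the operating system version, domain membership, the domain-controller recommendation, DNS resolution for both the internal and the proxy name, and (for a proxy) HTTPS reachability of the internal federation server. The host names are fictional placeholders.

```powershell
# Added example: pre-deployment check of the AD FS prerequisites listed above.
# Run on the server that will become a federation server ($Role = 'FederationServer')
# or a federation server proxy ($Role = 'Proxy'). Host names are fictional placeholders.

$FederationServer = 'adfs.adatum.com'   # internal federation server name
$FederationProxy  = 'sts.adatum.com'    # name external clients resolve to the proxy
$Role             = 'FederationServer'

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# Operating system: the Windows Server 2012 AD FS role needs Windows Server 2012 (version 6.2) or later.
$os = Get-CimInstance Win32_OperatingSystem
Add-Result 'OS is Windows Server 2012 or later' ([Version]$os.Version -ge [Version]'6.2') $os.Caption

$cs = Get-CimInstance Win32_ComputerSystem
if ($Role -eq 'FederationServer') {
    # Federation servers must be domain-joined; a proxy may be in a workgroup.
    Add-Result 'Server is domain-joined' $cs.PartOfDomain $cs.Domain
    # DomainRole 4 or 5 is a domain controller: supported, but the course advises against it.
    Add-Result 'Server is not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

    # Federation servers authenticate users against AD DS, so a DC must be reachable.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        Add-Result 'Domain controller reachable' $true $dc.Name
    } catch {
        Add-Result 'Domain controller reachable' $false $_.Exception.Message
    }
}

# DNS: clients resolve the proxy name externally and the federation server name internally.
foreach ($name in @($FederationServer, $FederationProxy)) {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        Add-Result "DNS resolves $name" $true ($addr -join ', ')
    } catch {
        Add-Result "DNS resolves $name" $false $_.Exception.Message
    }
}

if ($Role -eq 'Proxy') {
    # The proxy talks to the internal federation server over HTTPS only.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($FederationServer, 443)
        Add-Result "TCP 443 reachable on $FederationServer" $tcp.Connected ''
    } catch {
        Add-Result "TCP 443 reachable on $FederationServer" $false $_.Exception.Message
    } finally {
        $tcp.Close()
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { Write-Warning 'One or more AD FS prerequisites are not met.' }
```

If the same host name resolves to different addresses on the proxy and on an internal client, that is the split DNS configuration the DNS bullet describes, not a failure.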

PKI and Certificate Requirements

AD FS is designed to enable computers to communicate securely, even though they may be located in different locations. In this scenario, most of the communications between computers passes through the Internet. To provide security for the network traffic, all communications are protected using Secure Sockets Layer (SSL). This means that it is important to correctly choose and assign SSL certificates to the AD FS servers. AD FS servers use certificates as service communication certificates, token-signing certificates, and token-decrypting certificates.

Service Communication Certificates

You use a service communication certificate to secure SSL communications to the websites running on the AD FS server. This certificate is bound to the default website on the AD FS server. You can choose which certificate to use when you configure the AD FS server role on the server, and can change the assigned certificate after deployment by using the AD FS console. This certificate is also called a server authentication certificate.

Token-Signing Certificates

The token-signing certificate is used to sign every token that a federation server issues. This certificate is critical in an AD FS deployment because the token signature indicates which federation server issued the token. This certificate is used by the claims provider to identify itself, and it is used by the relying party to verify that the token is coming from a trusted federation partner. The relying party also requires a token-signing certificate to sign the tokens that it prepares for other AD FS components, such as web applications and clients. These tokens must be signed by the relying party's token-signing certificate to be validated by the destination applications.

When you configure a federation server, the server assigns a self-signed certificate as the token-signing certificate. Because no other parties trust the self-signed certificate by default, you might choose to replace the self-signed certificate with a trusted certificate. As an alternative, you can configure all federation servers in partner organizations to trust the self-signed certificate. You can have multiple token-signing certificates configured on the federation server, but only the primary certificate is used to sign tokens.

Token-Decrypting Certificates

Token-decrypting certificates are used to encrypt the entire user token before transmitting the token across the network. To provide this functionality, the public key from the relying party federation server certificate must be provided to the claims provider federation server. The certificate is sent without the private key. The claims provider server uses the public key from the certificate to encrypt the user token. When the token is returned to the relying party federation server, it uses the private key from the certificate to decrypt the token. This provides an extra layer of security when transmitting the tokens across the Internet.

When you configure a federation server, the server assigns a self-signed certificate as the token-decrypting certificate. Because no other parties have to trust this certificate, it is possible to continue to use this certificate without replacing it with a trusted certificate.

Note: Federation server proxies only require a service communication certificate. The certificate is used to enable SSL communication for all client connections. Because the federation server proxy does not issue any tokens, it does not need the other two types of certificates. Web servers that are deployed as part of an AD FS deployment should also be configured with SSL server certificates to enable secure communications with client computers.

Choosing a Certification Authority

AD FS federation servers can use self-signed certificates, certificates from an internal, private Certification Authority (CA), or certificates that have been purchased from an external, public CA.

In most AD FS deployments, the most important factor when choosing the certificates is that the certificates be trusted by all parties involved. This means that if you are configuring an AD FS deployment that interacts with other organizations, you are almost certainly going to use a public CA for the SSL certificate on the federation server proxy, because the certificates issued by the public CA are trusted by all partners automatically.

If you are deploying AD FS just for your organization, and all servers and client computers are under your control, consider using a certificate from an internal, private CA. If you deploy an internal Enterprise CA on Windows Server 2012, you can use Group Policy to ensure that all computers in the organization automatically trust the certificates issued by the internal CA. Using an internal CA can significantly decrease the cost of the certificates.

Note: Deploying an internal CA using Active Directory Certificate Services (AD CS) is a straightforward process, but it is critical that the deployment be planned and implemented carefully.
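The three certificate types can be audited against the guidance above once a federation server is configured. The following PowerShell script is an added example, not part of the course: it uses the ADFS module's Get-AdfsCertificate to list each certificate, whether it is self-signed, whether it chains to a CA this server trusts, and how long it remains valid, and it warns where a self-signed certificate is in the one place it breaks clients (service communication). It assumes it runs on a configured AD FS server where the ADFS module is available.

```powershell
# Added example: audit the three certificate types on a configured federation server.
# Requires the ADFS module, present once the AD FS role is installed and configured.
Import-Module ADFS

$today  = Get-Date
$report = foreach ($entry in Get-AdfsCertificate) {
    $cert = $entry.Certificate    # X509Certificate2 behind the AD FS certificate entry
    [pscustomobject]@{
        Type         = $entry.CertificateType   # Service-Communications, Token-Signing or Token-Decrypting
        IsPrimary    = $entry.IsPrimary         # only the primary token-signing certificate signs tokens
        Subject      = $cert.Subject
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $cert.Verify()           # chain builds to a CA this server trusts
        DaysLeft     = [int]($cert.NotAfter - $today).TotalDays
        Thumbprint   = $cert.Thumbprint
    }
}
$report | Sort-Object Type, IsPrimary | Format-Table -AutoSize

foreach ($r in $report) {
    if ($r.DaysLeft -lt 30) {
        Write-Warning "$($r.Type) certificate $($r.Thumbprint) expires in $($r.DaysLeft) days."
    }
    # A self-signed token-signing or token-decrypting certificate is acceptable as long as the
    # partners trust it; a service communication certificate that does not chain to a CA the
    # clients trust breaks every browser and proxy connection.
    if ($r.Type -eq 'Service-Communications' -and -not $r.ChainTrusted) {
        Write-Warning "Service communication certificate $($r.Thumbprint) does not chain to a trusted CA."
    }
}

# Whether AD FS renews its self-signed token-signing/decrypting certificates automatically.
(Get-AdfsProperties).AutoCertificateRollover

# To switch to a CA-issued certificate already installed in the computer's Personal store:
#   Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint '<thumbprint>'
```

The thumbprints of the token-signing certificate are what partners pin when they create a claims provider trust, so a rollover of that certificate must be communicated to every partner before the new certificate becomes primary.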

Federation Server Roles

When you install the AD FS server role, you can configure the server as either a federation server or federation server proxy. After installing the federation server role, you can configure the server as either a Claims Provider, a Relying Party, or both. These server functions are as follows:

- Claims provider: A claims provider is a federation server that provides to users signed tokens that contain claims. Claims provider federation servers are deployed in organizations where user accounts are located. When a user requests a token, the claims provider federation server verifies the user authentication using AD DS, and then collects information from an attribute store, such as AD DS or AD LDS, to populate the user claim with the attributes required by the partner organization. The server issues tokens in SAML format. The claims provider federation server also protects the contents of security tokens in transit, by signing and optionally encrypting them.

- Relying Party: A relying party is a federation server that receives security tokens from a trusted claims provider. The relying party federation servers are deployed in organizations that provide application access to claims provider organizations. The relying party accepts and validates the claim, and then issues new security tokens that the web server can use to provide appropriate access to the application.


Note: A single AD FS server can operate as both a claims provider and a relying party, even with the same partner organizations. The AD FS server functions as a claims provider when it is authenticating users and providing tokens for another organization, but it can also accept tokens from the same or another organization in a relying party role.

- Federation Server Proxy: A federation server proxy provides an extra level of security for AD FS traffic that is coming from the Internet to the internal AD FS federation servers. Federation server proxies can be deployed in both the claims provider and relying party organizations. On the claims provider side, the proxy collects the authentication information from client computers and passes it to the claims provider federation server for processing. The federation server issues a security token to the proxy, which sends it to the relying party proxy. The relying party federation server proxy accepts these tokens, and then passes them on to the internal federation server. The relying party federation server then issues a security token for the web application, and then sends the token to the federation server proxy, which then forwards the token to the client. The federation server proxy does not provide any tokens or create claims; it only forwards requests from clients to internal AD FS servers. All communication between the federation server proxy and the federation server uses HTTPS.

Note: A federation server proxy cannot be configured as a claims provider or a relying party. The claims provider and relying party must be members of an AD DS domain. The federation server proxy can be configured as a member of a workgroup, or as a member of an extranet forest, and deployed in a perimeter network.

Demonstration: Installing the AD FS Server Role

In this demonstration, you will see how to install and complete the initial configuration of the AD FS server role in Windows Server 2012. The instructor will install the server role, and then run the AD FS Federation Server Configuration Wizard to configure the server as a standalone federation server.

Demonstration Steps

Install the AD FS Server Role

- On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.

Configure the AD FS Server Role

1. Run the AD FS Federation Server Configuration Wizard using the following parameters:
   o Create a new federation service
   o Create a stand-alone deployment
   o Use the LON-DC1.Adatum certificate.
   o Choose the service name LON-DC1.Adatum.com

2. Open Internet Explorer and connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.


Lesson 3

Implementing AD FS for a Single Organization

The simplest deployment scenario for AD FS is within a single organization. In this scenario, a single AD FS server can operate both as the claims provider and as the relying party. All users in this scenario are internal to the organization, as is the application that the users are accessing. This lesson provides details on the components that are required to configure AD FS in a single organization deployment of AD FS. These components include configuring claims, claim rules, claims provider trusts, and relying party trusts.

Lesson Objectives

After completing this lesson, you will be able to:

- Describe AD FS claims.
- Describe AD FS claim rules.
- Describe claims provider trusts.
- Describe relying party trusts.
- Configure claims provider and relying party trusts.

What Are AD FS Claims?

AD FS claims provide the link between the claims provider and relying party roles in an AD FS deployment. An AD FS claim is a statement made about a particular subject (such as a user) by a trusted entity (such as a claims provider). The claims provider creates the claims and the relying party consumes the claims. AD FS claims provide a standards-based and flexible way for claims provider organizations to provide specific information about users in their organizations, and a way for relying parties to define exactly what information they require to provide application access. The claim information provides the details required by applications to enable access to claims-aware applications.

Claim Types

Each AD FS claim has a claim type, such as email address, UPN, or last name. Users can be issued claims based on any defined claim type. Therefore, a user might be issued a claim with a type of Last Name and a value of, for example, Weber. AD FS provides several built-in claim types. Optionally, you can create new ones based on the organization requirements.

Note: In AD FS 1.0, you could configure claims as identity claims, group claims, or custom claims. These claim types do not apply to AD FS 2.0 or later. Essentially, all claims are now considered custom claims.

Each AD FS claim type is identified by a Uniform Resource Identifier (URI) that uniquely identifies the claim type. This information is provided as part of the AD FS server metadata. For example, if the claims provider organization and the relying party organization decide to use a claim type of AccountNumber, both organizations must configure a claim type with this name. The claim type is published and the claim type URI must be identical on both AD FS servers.

How Claim Values are Populated

The claims issued by a claims provider contain the information that is required by the relying party to enable appropriate application access. One of the first steps in planning an AD FS deployment is to define exactly what information the applications must have about each user, to provide that user access to the application. Once this information is defined, the claims are then defined on the claims provider federation server. The information required to populate the claim can be obtained in several ways:

- The claim can be retrieved from an attribute store. Frequently, the information required for the claim is already stored in an attribute store that is available to the federation server. For example, an organization might decide that the claim should include the user's UPN, email address, and specific group memberships. This information is already stored in AD DS, so the federation server can just retrieve this information from AD DS when creating the claim. Because AD FS can use AD DS, AD LDS, SQL Server, a non-Microsoft Lightweight Directory Access Protocol (LDAP) directory, or a custom attribute store to populate claims, you can define almost any value within the claim.

- The claim can be calculated based on collected information. Claims provider federation servers can also calculate information based on information that is gathered from an attribute store. For example, you may want to provide information about a person's salary within a claim. This information is likely stored in a Human Resources database, but the actual value may be considered confidential. You can define a claim that categorizes salaries within an organization, and then have the AD FS server calculate to which category a specific user belongs. In this way, the claim only includes the salary category information, not the actual user salary.

- The claim can be transformed from one value to another. In some cases, the information that is stored in an attribute store does not exactly match the information that the application requires when making authorization decisions. For example, the application may have different user roles defined that do not directly match the attributes that are stored in any attribute store. However, the application role may correlate to AD DS group membership. For example, users in the Sales group may correlate to one application role, while users in the Sales Management group may correlate to a different application role. To establish the correlation in AD FS, you can configure a claims transformation that takes the value provided by the claims provider and translates it into a claim that is useful to the application in the relying party. If you have deployed DAC, a DAC device claim can be transformed into an AD FS claim. This can be used to ensure that users can access an AD FS-protected web site only from trusted workstations that have been issued a valid device claim.


What Are AD FS Claim Rules?

Claim rules define how claims are sent and consumed by AD FS servers. Claim rules define the business logic that is applied to claims that are provided by claims providers, and to claims that are accepted by the relying parties. You can use claim rules to:

- Define which incoming claims are accepted from one or more claims providers.
- Define which outbound claims are provided to one or more relying parties.
- Apply authorization rules to enable access to a specific relying party for one or more users or groups of users.

You can define two types of claim rules:

- Claim rules for a claims provider trust. A claims provider trust is the AD FS trust relationship that is configured between an AD FS server and a claims provider. You can configure claim rules to define how the claims provider processes and issues claims.

- Claim rules for a relying party trust. A relying party trust is the AD FS trust relationship that is configured between an AD FS server and a relying party. You can configure claim rules that define how the relying party accepts claims from the claims provider.

Claim rules on an AD FS claims provider trust are all considered acceptance transform rules. These rules determine what claim types are accepted from the claims provider, and then sent to a relying party trust. When configuring AD FS within a single organization, there is a default claims provider trust that is configured with the local AD DS domain. This rule set defines the claims that are accepted from AD DS.

There are three types of claim rules for a relying party trust:

- Issuance Transform Rules: These rules define the claims that are sent to the relying party that has been defined in the relying party trust.

- Issuance Authorization Rules: These rules define which users are permitted or denied access to the relying party defined in the relying party trust. This rule set can include rules that explicitly permit access to a relying party, and/or rules that explicitly deny access to a relying party.

- Delegation Authorization Rules: These rules define the claims that specify which users can act on behalf of other users when accessing the relying party. This rule set can include rules that explicitly permit delegates for a relying party, or rules that explicitly deny delegates to a relying party.

Note: A single claim rule can only be associated with a single federated trust relationship. This means that you cannot create a set of rules for one trust and then re-use those rules for other trusts that you configure on your federation server.

AD FS servers are preconfigured with a set of default rules and several default templates that you can use to create the most common claim rules. You can also create custom claim rules using the AD FS claim rule language.
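The attribute-store lookup and group-to-role transformation described under "How Claim Values are Populated", and the three rule sets of a relying party trust described above, can all be expressed in the AD FS claim rule language and applied with the ADFS PowerShell module. The following script is an added example, not part of the course: the claim type URIs are the standard AD FS claim types, but the relying party trust "Adatum Sales App", its identifier, the group SIDs and the role names are fictional placeholders. It assumes it runs on a configured federation server.

```powershell
# Added example: issuance transform, issuance authorization and delegation authorization
# rules for a fictional relying party trust. The group SIDs, trust name and role values are
# placeholders; the claim type URIs are the standard AD FS ones.
Import-Module ADFS

$trustName = 'Adatum Sales App'
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName -Identifier 'https://sales.adatum.com/' `
        -WSFedEndpoint 'https://sales.adatum.com/'
}

# Issuance transform rules: the claims the relying party receives.
$issuanceTransform = @'
@RuleName = "Attribute store lookup: UPN and email from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleName = "Transform: Sales group SID to application role SalesUser"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "SalesUser");

@RuleName = "Transform: Sales Management group SID to application role SalesManager"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-1111111111-2222222222-3333333333-1106"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "SalesManager");
'@

# Issuance authorization rules: who may obtain a token for this relying party.
# Authorization runs on the incoming claims (the output of the claims provider trust's acceptance
# rules), before the transform rules above, so the test is on the group SID, not on the role claim.
# Anyone without a permit claim is denied.
$issuanceAuthorization = @'
@RuleName = "Permit members of the Sales or Sales Management groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^S-1-5-21-1111111111-2222222222-3333333333-(1105|1106)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Delegation authorization rules: nobody may act on behalf of another user for this application.
$delegationAuthorization = @'
@RuleName = "Deny all delegation"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules       $issuanceTransform `
    -IssuanceAuthorizationRules   $issuanceAuthorization `
    -DelegationAuthorizationRules $delegationAuthorization

# The rule text is stored verbatim on the trust and can be read back for review.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceAuthorizationRules
```

Because the transform rules only issue a role for the two listed SIDs and the authorization rule only permits those same SIDs, a user outside both groups never receives a token for this relying party, which is the intended fail-closed behaviour.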


Wh hat Is a Cla aims Provider Trust? ?


A claims provider trust is config gured on the re elying part ty federation server. s The clai ims provider tr rust iden ntifies the claim ms provider, and describes how h the relying party consumes c the claims that the claim ms provider issues. You mus st configure a claim ms provider trust for each claims provider.

By default, d an AD FS server is co onfigured with ha claim ms provider trust named Act tive Directory. This trus st defines the claim c rules, wh hich are all acce eptance transf form rules that t define how th he AD FS server acce epts AD DS cre edentials. For exam mple, the defa ault claim rules s on the claims s prov vider trust incl lude rules that t pass through the user nam es, security ide entifiers (SIDs) ) and group SIDs to the relying party. In a single org ganization AD FS deploymen nt, where AD D DS authenticat tes all users, th he defa ault claims pro ovider trust ma ay be the only required claim ms provider tru ust.

When you expand the AD FS deployment to include other organizations, you must create additional claims provider trusts for each federated organization. When configuring a claims provider trust, you have three options:

Import data about the claims provider through the federation metadata. If the AD FS federation server or federation proxy server is accessible through the network from your AD FS federation server, you can enter the host name or URL for the partner federation server. Your AD FS federation server connects to the partner server, and downloads the federation metadata from the server. The federation metadata includes all the information that is required to configure the claims provider trust. As part of the federation metadata download, your federation server also downloads the SSL certificate that is used by the partner federation server.

Import data about the claims provider from a file. Use this option if the partner federation server is not directly accessible from your federation server, but the partner organization has exported its configuration and provided you the information in a file. The configuration file must include the configuration information for the partner organization, as well as the SSL certificate that the partner federation server uses.

Manually configure the claims provider trust. Use this option if you want to configure all of the settings for the claims provider trust directly. When you choose this option, you must provide the features that the claims provider supports, the URL used to access the claims provider AD FS servers, and add the SSL certificate that the partner organization uses.


What Is a Relying Party Trust?


A relying party trust is defined on the claims provider federation server. The relying party trust identifies the relying party, and also defines the claims rules that define how the relying party accepts and processes claims from the claims provider.

In a single organization scenario, the relying party trust defines how the AD FS server interacts with the applications deployed within the organization. When you configure the relying party trust in a single organization, you provide the URL for the internal application, and configure settings such as whether the application supports SAML 2.0 or whether it requires AD FS 1.0 tokens, the SSL certificate and URL used by the web server, and the issuance authorization rules for the application. The process for configuring a relying party trust is similar to that for the claims provider trust. When you expand the AD FS deployment to include other organizations, you must create additional relying party trusts for each federated organization. When configuring a relying party trust, you have three options:

Import data about the relying party through the federation metadata. If the AD FS federation server or federation proxy server is accessible through the network from your AD FS federation server, you can enter the host name or URL for the partner federation server. Your AD FS federation server connects to the partner server, and then downloads the federation metadata from the server. The federation metadata includes all the information that is required to configure the relying party trust. As part of the federation metadata download, your federation server also downloads the SSL certificate that the partner federation server uses.

Import data about the relying party from a file. Use this option if the partner federation server is not accessible from your federation server directly. In this case, the partner organization can export its configuration information to a file, and then provide it to you. The configuration file must include the configuration information for the partner organization, and the SSL certificate that the partner federation server uses.

Manually configure the relying party trust. Use this option if you want to configure all of the settings for the relying party trust directly.

Demonstration: Configuring Claims Provider and Relying Party Trusts

In this demonstration, you will see how to configure claims provider trusts and relying party trusts. The instructor will show how to edit the default Active Directory claims provider trust. The instructor will also create a new relying party trust, and demonstrate how to configure the trust.

Demonstration Steps

Configure a Claims Provider Trust


1. In the AD FS console, go to the Claims Provider Trusts, highlight the Active Directory store, and then click Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog box, on the Acceptance Transform Rules tab, start the Add Transform Claim Rule Wizard and complete the wizard with the following settings:
3. Under Claim rule template select Send LDAP Attributes as Claims.
4. Name the claim rule Outbound LDAP Attribute Rule.
5. Choose Active Directory as the Attribute Store.
6. In the Mapping of LDAP attributes to outgoing claim types select the following values:
   o E-Mail-Addresses to E-Mail Address
   o User-Principal-Name to UPN

Configure a Windows Identity Foundation Application for AD FS


1. On LON-SVR1, from the Start screen, start the Windows Identity Foundation Federation Utility.
2. Complete the wizard with the following settings:
   o Point to the web.config file of the sample application by browsing to C:\Inetpub\wwwroot\AdatumTestApp\web.config.
   o Specify an Application URI by typing https://lon-svr1.adatum.com/AdatumTestApp/.
   o Select Use an existing STS, and then enter the path https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
   o Disable certificate chain validation.
   o Select No encryption.

Configure a Relying Party Trust


1. In the AD FS Management console, in the middle pane, click Required: Add a trusted relying party.
2. Complete the Add Relying Party Wizard with the following settings:
   o Select Import data about the relying party published online or on a local network, and type https://lon-svr1.adatum.com/adatumtestapp.
   o Specify a Display name of ADatum Test App.
   o Select Permit all users to access this relying party.
   o Ensure that the Edit Claim Rules for ADatum Test App check box is selected when the wizard is complete.


Lesson 4

Deploying AD FS in a B2B Federation Scenario

A second common scenario for implementing AD FS is in a B2B federation scenario. In this scenario, users in one organization require access to an application in another organization. AD FS in this scenario enables SSO. This way, users always log on to their home AD DS environment, but are granted access to the partner application based on the claims acquired from their local AD FS server. Configuring AD FS in a B2B federation scenario is quite similar to configuring AD FS in a single organization scenario. The primary difference is that now both the claims provider trusts and the relying party trusts refer to external organizations, rather than internal AD DS or applications.

Lesson Objectives


After completing this lesson, you will be able to:
Configure the account partner in a B2B federation scenario.
Configure the resource partner in a B2B federation scenario.
Explain how to configure claims rules for a B2B federation scenario.
Explain how home realm discovery works.
Configure claims rules.

Configuring an Account Partner


In a B2B AD FS scenario, the terminology that you use to describe the two partners involved in the AD FS deployment changes slightly. In this scenario, the claims provider organization is also called the account partner organization. An account partner organization is the organization in which the user accounts are stored in an attribute store. An account partner handles the following tasks:

Gather credentials from users who are using a web-based service, and then authenticate those credentials.

Build up claims for users, and then package the claims into security tokens. The tokens can then be presented across a federation trust to gain access to federation resources that are located at the resource partner organization.

Configuring the account partner organization to prepare for federation involves the following steps:

1. Implement the physical topology for the account partner deployment. This step could include deciding on the number of federation servers and federation server proxies to deploy, the locations to deploy them to, and configuring the required DNS records and certificates.
2. Add an attribute store. Use the AD FS management console to add the attribute store. In most cases, you use the default Active Directory attribute store (which must be used for authentication), but you can also add other attribute stores if required to build the user claims.
3. Connect to a resource partner organization by creating a relying party trust. The easiest way to do this is to use the federation metadata URL that is provided by the resource partner organization. With this option, your AD FS server automatically collects the information required for the relying party trust.
4. Add a claim description. The claim description lists the claims that your organization provides to the relying partner. This information may include user names, email addresses, group membership information, or other identifying information about a user.
5. Prepare client computers for federation. This may involve two steps:
   a. Add the account partner federation server. In the browser of client computers, add the account partner federation server to the Local Intranet list. By adding the account partner federation server to the Local Intranet list on the client computers, you enable Integrated Windows authentication, which means that users are not prompted for authentication if they are already logged into the domain. You can use Group Policy Objects (GPOs) to assign the URL to the Local Intranet site list.
   b. Configure certificate trusts. This is an optional step that is required only if one or more of the servers that clients access do not have trusted certificates. The client computer may have to connect to the account federation servers, resource federation servers, or federation proxy servers, and the destination web servers. If any of these certificates are not from a trusted public CA, you may have to add the appropriate certificate or root certificate to the certificate store on the clients. You can do this by using GPOs.

Configuring a Resource Partner


The resource partner organization is the relying party in a B2B federation scenario. The resource partner organization is where the resources exist and are made accessible to account partner organizations. The resource partner handles the following tasks:

Accepts security tokens that the account partner federation server produces, and validates them.

Consumes the claims from the security tokens, and then provides new claims to its web servers after making an authorization decision.

The web servers must have either Windows Identity Foundation or the AD FS 1.x Claims-Aware Web Agent role services installed to externalize the identity logic and accept claims.

Note: Windows Identity Foundation provides a set of consistent development tools that enable developers to integrate claims-based authentication and authorization into their applications. Windows Identity Foundation also includes a Software Development Kit (SDK) and sample applications. You use a Windows Identity Foundation sample application in the lab for this module.


Configuring the resource partner organization is similar to configuring the account partner organization and consists of the following steps:

1. Implement the physical topology for the resource partner deployment. The planning and implementation steps are the same as for the account partner, with the addition of planning the web server location and configuration.
2. Add an attribute store. On the resource partner, the attribute store is used to populate the claims that are offered to the client to present to the web server.
3. Connect to an account partner organization by creating a claims provider trust.
4. Create claim rule sets for the claims provider trust.
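The trust-creation options described for claims provider and relying party trusts, and step 3 of the account partner and step 3 of the resource partner lists above, done with the AD FS PowerShell module rather than the console. This is an added example, not courseware code; it assumes LON-DC1.adatum.com and MUN-DC1.treyresearch.net are the two organizations' federation servers, that both publish metadata at the standard AD FS path, and the function name and file path are this example's own.

```powershell
# Added example, not part of the courseware. Assumptions: Adatum.com is the
# account partner with federation server LON-DC1, TreyResearch.net is the
# resource partner with federation server MUN-DC1, both publishing metadata
# at the standard AD FS path. Run in an elevated session on the federation
# server of the organization indicated in each section.
Import-Module ADFS

$adatumMetadata = 'https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml'
$treyMetadata   = 'https://mun-dc1.treyresearch.net/federationmetadata/2007-06/federationmetadata.xml'

# Download a partner's federation metadata and report its entityID and every
# token-signing certificate it advertises. The download is protected only by
# the partner's SSL certificate, so compare the thumbprints with values the
# partner communicated out of band before the trust is created.
function Get-FederationMetadataSummary {
    param([Parameter(Mandatory = $true)][string]$MetadataUrl)

    $response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
    $xml = [xml]$response.Content
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    $certs = Select-Xml -Xml $xml -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
        ForEach-Object {
            $raw  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        } | Sort-Object Thumbprint -Unique

    [pscustomobject]@{
        EntityId            = $xml.EntityDescriptor.entityID
        SigningCertificates = $certs
    }
}

# --- Account partner (run on LON-DC1.adatum.com) ------------------------------
# Relying party trust for the resource partner, imported from its metadata URL
# (the first of the three options in the text). Monitoring keeps the trust in
# step with the partner's certificate rollover.
$expectedTreyThumbprint = '<THUMBPRINT-AGREED-WITH-TREY-RESEARCH>'   # placeholder
$trey = Get-FederationMetadataSummary -MetadataUrl $treyMetadata
if ($trey.SigningCertificates.Thumbprint -notcontains $expectedTreyThumbprint) {
    throw "Signing certificate published at $treyMetadata does not match the value agreed with the partner."
}
Add-ADFSRelyingPartyTrust -Name 'Trey Research' -MetadataUrl $treyMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# --- Resource partner (run on MUN-DC1.treyresearch.net) -----------------------
# Claims provider trust for the account partner, again from the metadata URL.
$adatum = Get-FederationMetadataSummary -MetadataUrl $adatumMetadata
$adatum | Format-List
Add-ADFSClaimsProviderTrust -Name 'A. Datum' -MetadataUrl $adatumMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Second option: when LON-DC1 is not reachable from MUN-DC1, import the file
# the partner exported (path is a placeholder).
# Add-ADFSClaimsProviderTrust -Name 'A. Datum' -MetadataFile 'C:\Partners\adatum-federationmetadata.xml'

# Third option: configure the trust manually with the identifier, endpoint and
# signing certificate the partner supplied (values below are assumed, in the
# default AD FS form; the certificate must come from the partner, not the network).
# $partnerCert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT-OF-PARTNER-SIGNING-CERT>'
# Add-ADFSClaimsProviderTrust -Name 'A. Datum' `
#     -Identifier 'http://lon-dc1.adatum.com/adfs/services/trust' `
#     -WSFedEndpoint 'https://lon-dc1.adatum.com/adfs/ls/' `
#     -TokenSigningCertificate $partnerCert

# Confirm what was created.
Get-ADFSClaimsProviderTrust -Name 'A. Datum' | Select-Object Name, Identifier, Enabled
```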

Configuring Claims Rules for B2B Scenarios


In a single organization deployment of AD FS, it may be quite easy to design and implement claims rules. In many cases, you may need to provide only the user name or group name that is collected from the claim and presented to the web server. In a B2B scenario, it is more likely that you will have to configure more complicated claims rules to define user access between widely varying systems. Claim rules define how account partners (claims providers) create claims, and how resource partners (relying parties) consume claims. AD FS provides several templates that you can use when configuring claim rules:

Send LDAP Attributes as Claims rule template. Use this template when you select specific attributes in an LDAP attribute store to populate claims. You can configure multiple LDAP attributes as individual claims in a single claim rule that you create from this template. For example, you can create a rule that extracts the sn (surname) and givenName AD DS attributes from all authenticated users, and then sends these values as outgoing claims to a relying party.

Send Group Membership as a Claim rule template. Use this template to send a particular claim type and associated claim value that is based on the user's AD DS security group membership. For example, you might use this template to create a rule that sends a group claim type with a value of SalesAdmin, if the user is a member of the Sales Manager security group within their AD DS domain. This rule issues only a single claim, based on the AD DS group that you select as part of the template.

Pass Through or Filter an Incoming Claim rule template. Use this template to set additional restrictions on which claims are submitted to relying parties. For example, you might want to use a user email address as a claim, but only forward the email address if the domain suffix on the email address is adatum.com. When using this template, you can either pass through whatever claim you extract from the attribute store, or you can configure rules that filter whether the claim is passed on based on various criteria.

Transform an Incoming Claim rule template. Use this template to map the value of an attribute in the claims provider attribute store to a different value in the relying party attribute store. For example, you may want to provide all members of the Marketing department at A. Datum Corporation limited access to a purchasing application at Trey Research. At Trey Research, the attribute used to define the limited access level may have an attribute of LimitedPurchaser. To address this scenario, you can configure a claims rule that transforms an outgoing claim where the Department value is Marketing, to an incoming claim where the ApplicationAccess attribute is LimitedPurchaser. Rules created from this template must have a one-to-one relationship between the claim at the claims provider and the claim at the relying partner.

Permit or Deny Users Based on an Incoming Claim rule template. This template is available only when you are configuring Issuance Authorization Rules or Delegation Authorization Rules on a relying party trust. Use this template to create rules that enable or deny access by users to a relying party, based on the type and value of an incoming claim. This claim rule template allows you to perform an authorization check on the claims provider before claims are sent to a relying party. For example, you can use this rule template to create a rule that only permits users from the Sales group to access a relying party, while authentication requests from members of other groups are not sent to the relying party.

If none of the built-in claim rule templates provide the functionality that you require, you can create more complex rules using the AD FS claim rule language. By creating a custom rule, you can extract claims information from multiple attribute stores and also combine claim types into a single claim rule.

How Home Realm Discovery Works


Some resource partner organizations that are hosting claims-aware applications may want to enable multiple account partners to access their applications. In this scenario, when users connect to the web application, there must be some mechanism for directing the users to the AD FS federation server in their home domain, rather than to another organization's federation server. The process for directing clients to the appropriate account partner is called home realm discovery. Home realm discovery occurs after the client connects to the relying party's website and the client has been redirected to the relying party's federation server. At this point, the relying party's federation server must redirect the client to the federation server in the client's home realm so that the user can be authenticated. If there are multiple claims providers configured on the relying party federation server, it has to know to which federation server to redirect the client. At a high level, there are three ways in which to implement home realm discovery:

1. Ask users to select their home realm. With this option, when the user is redirected to the relying party's federation server, the federation server can display a web page requesting that the user identify for which company they work. Once the user selects the appropriate company, the federation server can use that information to redirect the client computer to the appropriate home federation server for authentication.
2. Modify the link for the web application to include a WHR string that specifies the user's home realm. The relying party's federation server uses this string to redirect the user to the appropriate home realm automatically. This means that the user does not have to be prompted to select the home realm, because the WHR string in the URL that the user clicks relays the needed information to the relying party's federation server. The modified link might look something like https://www.adatum.com/OrderApp/?whr=urn:federation:TreyResearch.
3. If the remote application is SAML 2.0-compliant, users can use a SAML profile called IdP-Initiated SSO. This SAML profile configures users to access their local claims provider first, which can prepare the user's token with the claims required to access the partner's web application. This process changes the normal process for accessing the web application, by having the users log on to the claims provider federation server first, and then prompting them to select which application they want to access, so that their token can be created with the appropriate information.

Note: The home realm discovery process occurs the first time the user tries to access a web application. After the user authenticates successfully, a home realm discovery cookie is issued to the client so that the user does not have to go through the process the next time. This home realm discovery cookie expires after a month, unless the cookie cache is cleared prior to expiration.

Demonstration: Configuring Claims Rules

In this demonstration, you will see how to configure claims rules on a relying party trust that forwards a group name as part of the claim. You will also see how to configure a claims rule that limits access to the application only to members of a particular group.

Demonstration Steps

Configure Claims Rules


1. On LON-DC1, edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes through or filters an incoming claim. Name the rule Send Group Name Rule, and configure the rule to use an incoming claim type of Group.
2. Delete the Issuance Authorization Rule that grants access to all users.
3. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Permit Production Group Rule, an Incoming claim type of Group, an Incoming claim value of Production, and select the option to Permit access to users with this incoming claim.
4. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Allow A Datum Users, an Incoming claim type of UPN, an Incoming claim value of @adatum.com, and select the option to Permit access to users with this incoming claim, and then click Finish.
5. Open the Allow A Datum Users rule properties, and show the claims rule language to the students.
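The rules from the two demonstrations (the Outbound LDAP Attribute Rule on the Active Directory claims provider trust, and the three rules on the ADatum Test App relying party trust) written out in the AD FS claim rule language that step 5 shows, and applied with the AD FS module instead of the wizards. This is an added example, not courseware code; the claim type URIs are the standard AD FS ones, and the UPN rule uses a suffix match, which is this example's assumption about what the wizard's @adatum.com value is meant to express.

```powershell
# Added example, not part of the courseware. Run on LON-DC1 in an elevated
# session as an AD FS administrator.
Import-Module ADFS

# --- Claims provider trust "Active Directory" ---------------------------------
# Send LDAP Attributes as Claims: look up mail and userPrincipalName for the
# authenticated Windows account and issue them as E-Mail Address and UPN.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attribute Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Append to the existing acceptance rules instead of replacing them: the trust
# ships with rules that pass through the account name, SIDs and group SIDs,
# and Set-ADFSClaimsProviderTrust overwrites the whole rule set it is given.
$adTrust = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + "`r`n" + $ldapRule)

# --- Relying party trust "ADatum Test App" ------------------------------------
$rpName = 'ADatum Test App'

# Issuance transform: Pass Through or Filter an Incoming Claim with no filter,
# so the Group claim reaches the application unchanged (step 1).
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Send Group Name Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# Issuance authorization (steps 3 and 4): a token is issued only if at least
# one permit rule fires and no deny rule does. Setting this rule set also
# replaces the wizard's "Permit all users" rule, which is what step 2 removes.
# The UPN regex uses [.] rather than an escaped dot so no backslash is needed.
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleTemplate = "Authorization"
@RuleName = "Allow A Datum Users"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i)[^@]+@adatum[.]com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Step 5: read the rule language back from the trust.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```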


Lab: Implementing AD FS
Scenario

A. Datum Corporation has set up a variety of business relationships with other companies and customers. Some of these partner companies and customers must access business applications that are running on the A. Datum network. The business groups at A. Datum want to provide a maximum level of functionality and access to these companies. The Security and Operations departments want to ensure that the partners and customers can only access the resources to which they require access, and that implementing the solution does not significantly increase the workload for the Operations team. A. Datum is also working on migrating some parts of their network infrastructure to online services, including Windows Azure and Office 365.

To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the company plans to use AD FS to implement SSO for internal users who access an application on a web server. A. Datum also has entered into a partnership with another company, Trey Research. Trey Research users must be able to access the same application.

As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS solution. As a proof of concept, you plan to deploy a sample claims-aware application, and configure AD FS to enable both internal users and Trey Research users to access the same application.

Objectives
Configure the AD FS prerequisites.
Install and configure AD FS.
Configure AD FS for a single organization.
Configure and validate SSO for a business federation scenario.

Lab Setup
Estimated Time: 90 minutes
Virtual machines: 20412A-LON-DC1, 20412A-LON-SVR1, 20412A-LON-CL1, 20412A-MUN-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20412A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2 to 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-MUN-DC1.
   a. Log on to 20412A-LON-SVR1 as Adatum\Administrator.
   b. Do not log on to 20412A-LON-CL1 at this point.
   c. On 20412A-MUN-DC1, log in as TreyResearch\Administrator with the password Pa$$w0rd.

Exercise 1: Configuring AD FS Prerequisites


Scenario

To deploy AD FS at A. Datum Corporation, you must verify that all required components are configured. You plan to verify that AD CS is deployed in the organization, and then configure the certificates required for AD FS on the AD FS server and on the web servers. You also plan to configure the DNS forwarders to enable communication between Adatum.com and TreyResearch.net.

The main tasks for this exercise are as follows:
1. Configure DNS forwarders.
2. Exchange root certificates to enable certificate trusts.
3. Request and install a certificate for the web server.
4. Bind the certificate to the claims-aware application on the web server, and verify application access.

Task 1: Configure DNS forwarders


1. On LON-DC1, create a new conditional forwarder for the TreyResearch.net domain, using the DNS server IP address of 172.16.10.10.
2. On MUN-DC1, create a new conditional forwarder for the Adatum.com domain, using the DNS server IP address of 172.16.0.10.

Task 2: Exchange root certificates to enable certificate trusts


1. On LON-DC1, copy MUN-DC1.TreyResearch.net_TreyResearchCA.crt from \\MUN-DC1.treyresearch.net\certenroll to the Documents folder.
2. Create a new MMC, and add the Group Policy Management Editor.
3. Edit the Default Domain Policy Group Policy Object and import the copied root certificate to the Trusted Root Certification Authorities folder.
4. On MUN-DC1, copy the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt from \\LON-DC1.Adatum.com\certenroll to the Documents folder.
5. Create a new MMC, and add the Certificates snap-in focused on the Local Computer.
6. Import the copied root certificate to the Trusted Root Certification Authorities folder.

Task 3: Request and install a certificate for the web server


1. On LON-SVR1, open the Internet Information Services (IIS) Manager.
2. Request a new domain certificate for the server using the following parameters:
   o Common name: LON-SVR1.adatum.com
   o Organization: A. Datum
   o Organization unit: IT
   o City/locality: London
   o State/province: England
   o Country/region: GB
3. Request the certificate from Adatum-LON-DC1-CA.


Task 4: Bind the certificate to the claims-aware application on the web server, and verify application access
1. On LON-SVR1, in IIS, create a new HTTPS site binding, and then select the newly created certificate.
2. On LON-DC1, open Internet Explorer and connect to https://lon-svr1.adatum.com/adatumtestapp.
3. Verify that you can connect to the site, but that you receive a 401 access denied error. This is expected, because you have not yet configured AD FS for authentication.
4. Close Internet Explorer.

Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum and Trey Research, and you exchanged root certificates between the two organizations. You also installed and configured a web certificate on the application server.

Exercise 2: Installing and Configuring AD FS


Scenario
To start the AD FS implementation, you plan to install AD FS on the A. Datum Corporation's domain controller, and configure the server as a standalone federation server. You also plan to configure the server to use a CA-signed token signing certificate.

The main tasks for this exercise are as follows:
1. Install and configure AD FS.
2. Create a standalone federation server using the AD FS Federation Server Configuration Wizard.
3. Verify that FederationMetaData.xml is present and contains valid data.

Task 1: Install and configure AD FS


On LON-DC1, in Server Manager, add the Active Directory Federation Services server role.

Task 2: Create a standalone federation server using the AD FS Federation Server Configuration Wizard
On LON-DC1, run the AD FS Federation Server Configuration Wizard using the following parameters:
   o Create a new federation service.
   o Create a standalone deployment.
   o Use the LON-DC1.Adatum.com certificate.
   o Choose a service name of LON-DC1.Adatum.com.

Task 3: Verify that FederationMetaData.xml is present and contains valid data


1. On LON-CL1, log on as Adatum\Brad, using the password Pa$$w0rd.
2. Open Internet Explorer.
3. Open Internet Options, and add https://LON-DC1.Adatum.com and https://LON-SVR1.adatum.com to the Local intranet zone.
4. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
5. Verify that the xml file opens successfully, and then scroll through its contents.
6. Close Internet Explorer.

Results: In this exercise, you installed and configured the AD FS server role, and verified a successful installation by viewing the FederationMetaData.xml contents.

Exercise 3: Configuring AD FS for a Single Organization


Scenario

The first scenario for implementing the proof of concept AD FS application is to ensure that internal users can use SSO to access the web application. You plan to configure the AD FS server and a web application to enable this scenario. You also want to verify that internal users can access the application.

The main tasks for this exercise are as follows:
1. Configure a Token-signing certificate for LON-DC1.Adatum.com.
2. Configure the Active Directory claims provider trust.
3. Configure the claims application to trust incoming claims by running the Windows Identity Foundation Federation Utility.
4. Configure a relying party trust for the claims-aware application.
5. Configure claim rules for the relying party trust.
6. Test access to the claims-aware application.

Task 1: Configure a Token-signing certificate for LON-DC1.Adatum.com


1. On LON-DC1, use the Set-ADFSProperties -AutoCertificateRollover $False command to enable modification of the assigned certificates.
2. In the AD FS Management console, add the LON-DC1.Adatum.com certificate as a new token-signing certificate. Verify that the certificate has a subject of CN=LON-DC1.Adatum.com, and purposes of Proves your identity to a remote computer and Ensures the identity of a remote computer.
3. Make the new certificate the primary certificate, and remove the old certificate.

Task 2: Configure the Active Directory claims provider trust

1. On LON-DC1, in the AD FS Management console, go to Claims Provider Trusts, highlight the Active Directory store, and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog box, on the Acceptance Transform Rules tab, launch the Add Transform Claim Rule Wizard and complete the wizard with the following settings:
   o Select Send LDAP Attributes as Claims under Claim rule template.
   o Name the claim rule Outbound LDAP Attribute Rule.
   o Choose Active Directory as the Attribute Store.
3. In the Mapping of LDAP attributes to outgoing claim types section, select the following values:
   o E-Mail-Addresses to E-Mail Address
   o User-Principal-Name to UPN
   o Display-Name to Name

Task 3: Configure the claims application to trust incoming claims by running the Windows Identity Foundation Federation Utility

1. On LON-SVR1, from the Start screen, launch the Windows Identity Foundation Federation Utility.
2. Complete the wizard with the following settings:
   o Point to the web.config file of the Windows Identity Foundation sample application by pointing to C:\Inetpub\wwwroot\AdatumTestApp\web.config.
   o Specify an Application URI by typing https://lon-svr1.adatum.com/AdatumTestApp/.
   o Select Use an existing STS, and enter the path https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
   o Select No encryption.

Task 4: Configure a relying party trust for the claims-aware application

1. In the AD FS Management console, in the middle pane, click Required: Add a trusted relying party.
2. Complete the Add Relying Party Wizard with the following settings:
   o Choose Import data about the relying party published online or on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.
   o Specify a Display name of ADatum Test App.
   o Choose Permit all users to access this relying party.
   o When the wizard completes, accept the option to open the Edit Claim Rules for ADatum Test App dialog box.

Task 5: Configure claim rules for the relying party trust

1. In the Edit Claim Rules for ADatum Test App properties dialog box, choose to add a rule on the Issuance Transform Rules tab.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
   o In the Claim rule template drop-down list, click Pass through or Filter an Incoming Claim.
   o Name the claim rule Pass through Windows Account name rule.
   o In the Incoming claim type drop-down list, click Windows account name.
3. Create three more rules to pass through the E-Mail Address, UPN, and Name claim types.

Task 6: Test access to the claims-aware application

1. On LON-CL1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/AdatumTestApp/.
2. Verify that you can access the application.

Results: In this exercise, you configured a Token signing certificate and configured a claims provider trust for Adatum.com. You also should have configured the sample application to trust incoming claims, and configured a relying party trust and associated claim rules. You also tested access to the sample Windows Identity Foundation application in a single organization scenario.


Exercise 4: Configuring AD FS for Federated Business Partners


Scenario

The second deployment scenario is to enable TreyResearch users to access the web application. You plan to configure the integration of AD FS at TreyResearch with AD FS at A. Datum Corporation, and then verify that TreyResearch users can access the application. You also want to confirm that you can configure access that is based on user groups. You must ensure that all users at A. Datum, and only users who are in the Production group at TreyResearch, can access the application.

The main tasks for this exercise are as follows:
1. Add a claims provider trust for the TreyResearch.net AD FS server.
2. Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware application.
3. Verify access to the A. Datum test application for Trey Research users.
4. Configure claim rules for the claims provider trust and the relying party trust to allow access only for a specific group.
5. Verify restrictions and accessibility to the claims-aware application.

Task 1: Add a claims provider trust for the TreyResearch.net AD FS server

1. On LON-DC1, in the AD FS Management console, go to Trust Relationships, go to Claims Provider Trusts, and then choose Add Claims Provider Trust.
2. Complete the Add Claims Provider Trust Wizard with the following settings:
   o Choose Import data about the claims provider published online or on a local network, and enter https://mun-dc1.treyresearch.net as the data source.
   o In Display Name, type mun-dc1.treyresearch.net.
   o Complete the wizard.
3. In the Edit Claim Rules for mun-dc1.treyresearch.net properties dialog box, use the following values:
   o Add a Rule to the Acceptance Transform Rules.
   o Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
   o Use Pass through Windows account name rule as the claim rule name.
   o Choose Windows account name as the incoming claim type, and then choose Pass through all claim values.
   o Complete the rule.
4. On LON-DC1, run the following command in Windows PowerShell:
Set-ADFSClaimsProviderTrust -TargetName mun-dc1.treyresearch.net -SigningCertificateRevocationCheck None

Note: You should disable certificate revocation checking only in test environments. In a production environment, certificate revocation checking should be enabled.

Task 2: Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware application

1. On MUN-DC1, in the AD FS Management console, open the Add Relying Party Trust Wizard, and complete it with the following settings:
   o Choose Import data about the relying party published online or on a local network, and type https://lon-dc1.adatum.com.
   o Specify a Display name of Adatum TestApp.
   o Choose Permit all users to access this relying party.
   o Accept the option to open the Edit Claim Rules for Adatum TestApp dialog box when the wizard completes.
2. In the Edit Claim Rules for Adatum TestApp properties dialog box, on the Issuance Transform Rules tab, click to add a rule with the following settings:
   o In the Claim rule template list, choose Pass Through or Filter an Incoming Claim.
   o In the Claim rule name box, type Pass through Windows account name rule.
   o Choose Windows account name in Incoming claim type.
   o Choose Pass through all claim values.
   o Complete the wizard.

Task 3: Verify access to the A. Datum test application for Trey Research users

1. On MUN-DC1, open Internet Explorer and connect to https://lon-svr1.adatum.com/adatumtestapp/.
2. Select mun-dc1.treyresearch.net as the home realm, and log on as TreyResearch\April, with the password Pa$$w0rd.
3. Verify that you can access the application.
4. Close Internet Explorer, and connect to the same web site. Verify that this time you are not prompted for a home realm.

Note: You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party federation server. The default lifetime for the cookie is 30 days. Therefore, to log on multiple times, you should delete that cookie after each logon attempt to return to a clean state.

Task 4: Configure claim rules for the claims provider trust and the relying party trust to allow access only for a specific group

1. On MUN-DC1, open the AD FS Management Console, and access the Adatum TestApp relying party trust.
2. Add a new Issuance Transform Rule that sends the group membership as a claim. Name the rule Permit Production Group Rule, configure the User's group as Production, configure the Outgoing claim type as Group, and the Outgoing claim value as Production.
3. On LON-DC1, in the AD FS Management Console, edit the mun-dc1.treyresearch.net claims provider trust rules to create a new rule that passes through or filters an incoming claim with the rule name Send Production Group Rule. Configure the rule with an incoming claim type of Group.
4. Edit the Adatum Test App relying party trust by creating a new Issuance Transform Rule that passes through or filters an incoming claim. Name the rule Send TreyResearch Group Name Rule, and configure the rule to use an incoming claim type of Group.
5. Delete the Issuance Authorization Rule that grants access to all users.
6. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Permit TreyResearch Production Group Rule, an Incoming claim type of Group, an Incoming claim value of Production, and select the option Permit access to users with this incoming claim.
7. Create a new Issuance Authorization Rule that permits or denies user access based on the incoming claim. Configure the rule with the name Temp, an Incoming claim type of UPN, an Incoming claim value of @adatum.com, and select the option Permit access to users with this incoming claim, and then click Finish.
8. Edit the Temp rule and copy the claim rule language to the clipboard.
9. Delete the Temp rule.
10. Create a new rule that sends claims using a custom rule named ADatum User Access Rule.
11. Click in the Custom rule box, and then press Ctrl+V to paste the clipboard contents into the box. Edit the first URL to match the following text, and then click Finish.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Task 5: Verify restrictions and accessibility to the claims-aware application

1. On MUN-DC1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/.
2. Verify that TreyResearch\April no longer has access to the A. Datum test app.
3. Clear the browsing history in Internet Explorer.
4. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
5. Verify that TreyResearch\Morgan does have access to the A. Datum test app. Morgan is a member of the Production group.
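The rule set that Exercise 3 Task 5 and Exercise 4 Task 4 build click by click, written out in AD FS claim rule language and applied with the AD FS Windows PowerShell module. This is an added example, not part of the lab manual; it assumes the trusts already exist under the display names used in the lab, that the real SID of the TreyResearch Production group replaces the placeholder, and that the first part runs elevated on MUN-DC1 and the second on LON-DC1.

```powershell
# Added example, not from the 20412A lab manual. Claim rules are applied as a
# whole set, so each Set-Adfs* call below replaces every rule of that kind on the trust.

# ---- Part 1: run on MUN-DC1 (TreyResearch federation server) ----
# Issuance transform rules on the "Adatum TestApp" relying party trust: pass the
# Windows account name through, and turn membership of the Production group into a
# Group = Production claim (what the "Send Group Membership as a Claim" template emits).
# Replace the placeholder with the real SID of the Production group.
$treyTransform = @'
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);

@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-PRODUCTION-GROUP-SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Production", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@
Set-AdfsRelyingPartyTrust -TargetName 'Adatum TestApp' -IssuanceTransformRules $treyTransform

# ---- Part 2: run on LON-DC1 (A. Datum federation server) ----
# Acceptance rules on the TreyResearch claims provider trust. Only claims matched
# here cross the trust boundary; anything else TreyResearch sends is dropped.
$cpAcceptance = @'
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);

@RuleName = "Send Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName 'mun-dc1.treyresearch.net' -AcceptanceTransformRules $cpAcceptance

# Issuance transform rules on the relying party: the four pass-through rules from
# Exercise 3 Task 5 plus the Group claim forwarded for TreyResearch users.
$rpTransform = @'
@RuleName = "Pass through Windows Account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);

@RuleName = "Pass through E-Mail Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through Name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleName = "Send TreyResearch Group Name Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# Issuance authorization rules. These replace the wizard's "Permit Access to All
# Users" rule: a user who matches neither rule gets no permit claim and is denied.
# The UPN rule is written with ".+@adatum\.com$" directly, which is why the
# manual's Temp-rule copy/paste is not needed here: the wizard's template would
# only match a UPN that is exactly "@adatum.com".
$rpAuthorization = @'
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleName = "ADatum User Access Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

Set-AdfsRelyingPartyTrust -TargetName 'ADatum Test App' `
    -IssuanceTransformRules $rpTransform `
    -IssuanceAuthorizationRules $rpAuthorization

# Read back what is now in force before repeating the Task 5 access checks.
$rp = Get-AdfsRelyingPartyTrust -TargetName 'ADatum Test App'
$rp.IssuanceAuthorizationRules
```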

Results: In this exercise, you configured a claims provider trust for TreyResearch on Adatum.com, and a relying party trust for Adatum on TreyResearch. You verified access to the A. Datum claims-aware application. Then you configured the application to restrict access from TreyResearch to specific groups, and you verified appropriate access.

To shut down the virtual machines

When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-MUN-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, and 20412A-LON-DC1.

Lab Review

Question: In this lab, you implemented access to a claims-aware application for both internal and external users. What extra steps did you have to take in the relying party to enable access for external users?

Question: How can you identify which claims are used to provide user access to the sample Windows Identity Foundation application that you used in the lab?


Module Review and Takeaways

Question: What are the benefits of deploying AD FS with a cloud-based application or service?

Question: Under what circumstances would you choose to deploy a federation proxy server? Under what circumstances do you not need to deploy a federation proxy server?

Common Issues and Troubleshooting Tips

Common Issue                                            Troubleshooting Tip
Certificate errors on the federation server
Certificate errors on the client
Client application failed to authenticate with AD FS

Real-world Issues and Scenarios

1. Question: Tailspin Toys is deploying a new claims-based web application. The web application needs to be accessible to both Tailspin Toys users and to TreyResearch users. What AD FS components will you need to deploy at Tailspin Toys to enable this level of access?
   Answer:

2. Question: Fabrikam, Inc. is examining the requirements for AD FS. The company wants to use a federation proxy server for maximum security. Fabrikam, Inc. currently has an internal network with internal DNS servers, and their Internet-facing DNS is hosted by a hosting company. The perimeter network uses the hosting company's DNS servers for DNS resolution. What must the company do to prepare for the deployment?
   Answer:

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Implementing Advanced Network Services

Lab: Implementing Advanced Network Services


Exercise 1: Configuring Advanced DHCP Settings
Task 1: Configure a superscope
1. On LON-DC1, in Server Manager, click Tools, and then click DHCP.
2. In the DHCP console, click LON-DC1.adatum.com, select and then right-click IPv4, and then click New Scope.
3. In the New Scope Wizard, click Next.
4. On the Scope Name page, in the Name box, type Scope1, and then click Next.
5. On the IP Address Range page, in the Start IP address box, type 192.168.0.50, and then in the End IP address box, type 192.168.0.100.
6. In the Subnet mask box, ensure that 255.255.255.0 is entered, and then click Next.
7. On the Add Exclusions and Delay page, click Next.
8. On the Lease Duration page, click Next.
9. On the Configure DHCP Options page, select Yes, I want to configure these options now, and then click Next.
10. On the Router (Default Gateway) page, in the IP address box, type 192.168.0.1, click Add, and then click Next.
11. On the Domain Name and DNS Servers page, ensure the parent domain is Adatum.com, and then click Next.
12. On the WINS Servers page, click Next.
13. On the Activate Scope page, click No, I will activate this scope later, and then click Next.
14. On the Completing the New Scope Wizard page, click Finish.
15. Right-click IPv4, and then click New Scope.
16. In the New Scope Wizard, click Next.
17. On the Scope Name page, in the Name box, type Scope2, and then click Next.
18. On the IP Address Range page, in the Start IP address box, type 192.168.1.50, and then in the End IP address box, type 192.168.1.100.
19. In the Subnet mask box, ensure that 255.255.255.0 is entered, and then click Next.
20. On the Add Exclusions and Delay page, click Next.
21. On the Lease Duration page, click Next.
22. On the Configure DHCP Options page, select Yes, I want to configure these options now, and then click Next.
23. On the Router (Default Gateway) page, in the IP address box, type 192.168.1.1, click Add, and then click Next.
24. On the Domain Name and DNS Servers page, ensure the parent domain is Adatum.com, and then click Next.
25. On the WINS Servers page, click Next.
26. On the Activate Scope page, click No, I will activate this scope later, and then click Next.
27. On the Completing the New Scope Wizard page, click Finish.
28. Right-click the IPv4 node, and then click New Superscope.
29. In the New Superscope Wizard, click Next.
30. On the Superscope Name page, in the Name box, type AdatumSuper, and then click Next.
31. On the Select Scopes page, select Scope1, hold down the Ctrl key, select Scope2, and then click Next.
32. On the Completing the New Superscope Wizard page, click Finish.

Task 2: Configure DHCP name protection

1. On LON-DC1, in the DHCP console, expand Lon-DC1.adatum.com.
2. Right-click IPv4, and then click Properties.
3. Click the DNS tab.
4. In the Name Protection pane, click Configure.
5. Select the Enable Name Protection check box, and then click OK.
6. Click OK again.

Task 3: Configure and verify DHCP failover

1. On LON-SVR1, in Server Manager, click Tools, and then from the drop-down list, click DHCP. Note that the server is authorized, but that no scopes are configured.
2. On LON-DC1, in the DHCP console, right-click the IPv4 node, and then click Configure Failover.
3. In the Configure Failover Wizard, click Next.
4. On the Specify a partner server to use for failover page, in the Partner Server box, enter 172.16.0.21, and then click Next.
5. On the Create a new failover relationship page, in the Relationship Name box, enter Adatum.
6. In the Maximum Client Lead Time field, set the hours to 0, and set the minutes to 15.
7. Ensure that the Mode field is set to Load balance, and that the Load Balance Percentage is set to 50%.
8. Select the State Switchover Interval check box. Keep the default value of 60 minutes.
9. In the Enable Message Authentication Shared Secret box, type Pa$$w0rd, and then click Next.
10. Click Finish, and then click Close.
11. On LON-SVR1, refresh the IPv4 node, and then note that the IPv4 node is active.
12. Expand the IPv4 node, expand Scope Adatum, click the Address Pool node, and note that the address pool is configured.
13. Click the Scope Options node, and note that the scope options are configured.
14. Start 20412A-LON-CL1 and log on as Adatum\Administrator with a password of Pa$$w0rd.
15. On the Start screen, type Control Panel.
16. In the Apps Results box, click Control Panel.
17. In Control Panel, click Network and Internet, click Network and Sharing Center, click Change adapter settings, right-click Local Area Connection, and then click Properties.
18. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
19. In the Properties window, select the Obtain an IP address automatically radio button, click Obtain DNS server address automatically, and then click OK.
20. In the Local Area Connection Properties dialog box, click Close.
21. Hover over the bottom right corner to expose the fly-out menu, and then click Search Charm.
22. In the Apps search box, type Cmd, and then press Enter.
23. In the command prompt window, type ipconfig, and then press Enter. Record your IP address.
24. On LON-DC1, on the taskbar, click the Server Manager icon.
25. In Server Manager, click Tools, and then click Services.
26. In the Services window, locate the DHCP Server service, and then click Stop the service.
27. Close the Services window, and close the DHCP console.
28. On LON-CL1, in the command prompt window, type ipconfig /release, and then press Enter.
29. Type ipconfig /renew, and then press Enter.
30. Type ipconfig, and then press Enter. What is your IP address? Answers may vary.
31. Shut down the LON-SVR1 server.
32. On LON-DC1, in the Services console, start the DHCP Server service.
33. Close the Services console.

Results: After completing this exercise, you will have configured a superscope, DHCP Name Protection, and configured and verified DHCP failover.

Exercise 2: Configuring Advanced DNS Settings


Task 1: Configure DNSSEC

1. On LON-DC1, in Server Manager, click Tools, and then in the drop-down list, click DNS.
2. Expand LON-DC1, expand Forward Lookup Zones, click Adatum.com, and then right-click Adatum.com.
3. On the menu, click DNSSEC > Sign the Zone.
4. In the Zone Signing Wizard, click Next.
5. On the Signing options page, click Customize zone signing parameters, and then click Next.
6. On the Key Master page, ensure that LON-DC1 is the Key Master, and then click Next.
7. On the Key Signing Key (KSK) page, click Next.
8. On the Key Signing Key (KSK) page, click Add.
9. On the New Key Signing Key (KSK) page, click OK.
10. On the Key Signing Key (KSK) page, click Next.
11. On the Zone Signing Key (ZSK) page, click Next.
12. On the Zone Signing Key (ZSK) page, click Add.
13. On the New Zone Signing Key (ZSK) page, click OK.
14. On the Zone Signing Key (ZSK) page, click Next.
15. On the Next Secure (NSEC) page, click Next.
16. On the Trust Anchors page, select the Enable the distribution of trust anchors for this zone check box, and then click Next.
17. On the Signing and Polling Parameters page, click Next.
18. On the DNS Security Extensions page, click Next, and then click Finish.
19. In the DNS console, expand Trust Points, expand com, and then click Adatum. Ensure that the DNSKEY resource records display, and that their status is valid.
20. Minimize the DNS Manager.
21. In Server Manager, click Tools, and then on the drop-down list, click Group Policy Management.
22. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
23. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, and then click Name Resolution Policy.
24. In the right pane, under Create Rules, in the Suffix box, type Adatum.com to apply the rule to the suffix of the namespace.
25. Select the Enable DNSSEC in this rule check box, select the Require DNS clients to check that the name and address data has been validated by the DNS server check box, and then click Create.
26. Close the Group Policy Management Editor and Group Policy Management Console.

Task 2: Configure the DNS socket pool

1. On LON-DC1, hover over the bottom right corner to expose the fly-out menu, and then click Search.
2. In the Apps search box, type Cmd, and then press Enter.
3. In the command prompt window, type the following command, and then press Enter to view the current size of the DNS socket pool. Note that the current size is 2,500.
dnscmd /info /socketpoolsize
4. Type the following command, and then press Enter to change the socket pool size to 3,000.
dnscmd /config /socketpoolsize 3000
5. Type the following command, and then press Enter to stop the DNS server.
net stop dns
6. Type the following command, and then press Enter to restart the DNS server.
net start dns
7. Type the following command, and then press Enter to confirm the new socket pool size.
dnscmd /info /socketpoolsize


Task 3: Configure DNS cache locking

1. In the command prompt window, type the following command, and then press Enter to display the current percentage value of the DNS cache lock. Note that the current value is 100 percent.
dnscmd /info /CacheLockingPercent
2. Type the following command, and then press Enter to change the cache lock value to 75 percent.
dnscmd /config /CacheLockingPercent 75
3. Type the following command, and then press Enter to stop the DNS server.
net stop dns
4. Type the following command, and then press Enter to restart the DNS server.
net start dns
5. Type the following command, and then press Enter to display the current percentage value of the DNS cache lock. Note that the new value is 75 percent.
dnscmd /info /CacheLockingPercent
6. Leave the command prompt window open for the next task.
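An added example (not from the lab manual) that applies Tasks 2 and 3 as one checked change: read both values, set them, restart the DNS Server service, and confirm that the new values are in force. It assumes it runs elevated on the DNS server itself and that dnscmd /info reports the value on a line of the form Dword:  2500  (000009c4), which the regular expression relies on.

```powershell
# Added example, not from the 20412A lab manual.
# Assumption: dnscmd /info prints a DWORD setting as "Dword:  <value>  (<hex>)".

function Get-DnsCmdDword {
    # Query one DWORD server setting with dnscmd and return it as an integer.
    param([string]$Server, [string]$Setting)
    $output = & dnscmd $Server /info "/$Setting" 2>&1 | Out-String
    $match  = [regex]::Match($output, 'Dword:\s+(\d+)')
    if (-not $match.Success) { throw "dnscmd returned no DWORD for /$Setting on $Server`n$output" }
    return [int]$match.Groups[1].Value
}

function Set-DnsResolverHardening {
    # Socket pool: the number of randomized UDP source ports the server pre-allocates
    # for outbound queries; a larger pool makes a forged response harder to land.
    # Cache locking: a cached record cannot be overwritten until this percentage of its
    # TTL has elapsed, so an unsolicited answer cannot replace a live entry early.
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$SocketPoolSize = 3000,
        [int]$CacheLockingPercent = 75
    )
    $before = [ordered]@{
        SocketPoolSize      = Get-DnsCmdDword -Server $Server -Setting 'SocketPoolSize'
        CacheLockingPercent = Get-DnsCmdDword -Server $Server -Setting 'CacheLockingPercent'
    }

    & dnscmd $Server /config /SocketPoolSize $SocketPoolSize | Out-Null
    & dnscmd $Server /config /CacheLockingPercent $CacheLockingPercent | Out-Null

    # Both settings are read when the DNS Server service starts (the lab's
    # "net stop dns" / "net start dns"), so restart the local service.
    Restart-Service -Name DNS -ErrorAction Stop

    $after = [ordered]@{
        SocketPoolSize      = Get-DnsCmdDword -Server $Server -Setting 'SocketPoolSize'
        CacheLockingPercent = Get-DnsCmdDword -Server $Server -Setting 'CacheLockingPercent'
    }
    if ($after.SocketPoolSize -ne $SocketPoolSize -or $after.CacheLockingPercent -ne $CacheLockingPercent) {
        throw "Settings did not persist: socket pool $($after.SocketPoolSize), cache locking $($after.CacheLockingPercent)%"
    }
    [pscustomobject]@{
        Server               = $Server
        SocketPoolSizeBefore = $before.SocketPoolSize
        SocketPoolSizeAfter  = $after.SocketPoolSize
        CacheLockingBefore   = $before.CacheLockingPercent
        CacheLockingAfter    = $after.CacheLockingPercent
    }
}

# Lab values: socket pool 2,500 -> 3,000; cache locking 100 -> 75 percent.
Set-DnsResolverHardening -Server 'LON-DC1'
```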

Task 4: Configure a GlobalName Zone

1. Create an Active Directory integrated forward lookup zone named Contoso.com by running the following command:
Dnscmd LON-DC1 /ZoneAdd Contoso.com /DsPrimary /DP /forest
2. In the command prompt window, type the following command, and then press Enter to enable support for GlobalName zones:
dnscmd lon-dc1 /config /enableglobalnamessupport 1
3. Create an Active Directory integrated forward lookup zone named GlobalNames by running the following command:
Dnscmd LON-DC1 /ZoneAdd GlobalNames /DsPrimary /DP /forest
4. Minimize the command prompt window.
5. Restore the DNS console from the taskbar.
6. In the DNS console, click Action, and then click Refresh to refresh the view.
7. In the DNS console, expand Forward Lookup Zones, click the Contoso.com zone, right-click Contoso.com, and then click New Host (A or AAAA).
8. In the New Host dialog box, in the Name box, type App1.
Note: The Name box uses the parent domain name if it is left blank.
9. In the IP address box, type 192.168.1.200, and then click Add Host.
10. Click OK, and then click Done.
11. Right-click the GlobalNames zone, and then click New Alias (CNAME).
12. In the New Resource Record dialog box, in the Alias name box, type App1.
13. In the Fully qualified domain name (FQDN) for target host box, type App1.Contoso.com, and then click OK.
14. Close DNS Manager and close the command prompt.

Results: After completing this exercise, you will have configured DNSSEC, the DNS socket pool, DNS cache locking, and the GlobalName zone.

Exercise 3: Configuring IP Address Management


Task 1: Install the IPAM feature

1. On LON-SVR2, in the Server Manager Dashboard, click Add roles and features.
2. In the Add Roles and Features Wizard, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, select the IP Address Management (IPAM) Server check box.
7. In the Add features that are required for IP Address Management (IPAM) Server popup, click Add Features, and then click Next.
8. On the Confirm installation selections page, click Install.
9. Close the Add Roles and Features Wizard when complete.

Task 2: Configure IPAM-related GPOs

1. In the Server Manager navigation pane, click IPAM.
2. In the IPAM Overview pane, click Connect to IPAM server, select LON-SVR2.Adatum.com, and then click OK.
3. Click Provision the IPAM server.
4. In the Provision IPAM Wizard, click Next.
5. On the Select provisioning method page, ensure that the Group Policy Based method is selected, in the GPO name prefix box, type IPAM, and then click Next.
6. On the Confirm the Settings page, click Apply. Provisioning will take a few moments to complete.
7. When provisioning completes, click Close.

Task 3: Configure IP management server discovery

1. In the IPAM Overview pane, click Configure server discovery.
2. In the Configure Server Discovery settings dialog box, click Add, and then click OK.
3. In the IPAM Overview pane, click Start server discovery. Discovery may take 5-10 minutes to run. The yellow bar will indicate when discovery is complete.

Task 4: Configure managed servers

1. In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
2. Notice that the IPAM Access Status is blocked.
3. Scroll down to the Details view, and note the status report, which is that the IPAM server has not yet been granted permission to manage LON-DC1 via Group Policy.
4. On the taskbar, right-click the Windows PowerShell icon, right-click Windows PowerShell, and then click Run as Administrator. At the command prompt, type the following command, and then press Enter:
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator
5. When you are prompted to confirm the action, type Y, and then press Enter. The command will take a few moments to complete.
6. Close Windows PowerShell.
7. In Server Manager, in the details pane, right-click LON-DC1, and then click Edit Server.
8. In the Add or Edit Server dialog box, set the Manageability status to Managed, and then click OK.
9. Switch to LON-DC1, and open the PowerShell prompt from the taskbar.
10. Type Gpupdate /force, and then press Enter.
11. Close the command prompt window.
12. Switch to LON-SVR2. In Server Manager, in the IPAM console, right-click the LON-DC1 entry, and then click Refresh Server Access Status. After the refresh completes, click the IPv4 console refresh button. It may take up to 10 minutes for the status to change. If necessary, repeat both refresh tasks until a green check mark displays next to LON-DC1 and the IPAM Access Status shows Unblocked.
13. In the IPAM Overview pane, click Retrieve data from managed servers. This action will take a few moments to complete.

Task 5: Configure and verify a new DHCP scope with IPAM

1. On LON-SVR2, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers.
2. In the details pane, right-click the instance of LON-DC1.Adatum.com that holds the DHCP server role, and then click Create DHCP Scope.
3. In the Create DHCP Scope dialog box, in the Scope Name box, type TestScope.
4. In the Start IP address box, type 10.0.0.50.
5. In the End IP address box, type 10.0.0.100.
6. Ensure the subnet mask is 255.0.0.0.
7. In the Create scope pane, click Options.
8. In the Configure options pane, click the Option drop-down arrow, and then select 003 Router.
9. Under Values, in the IP Address box, type 10.0.0.1, click Add to list, and then click OK.
10. On LON-DC1, in the Server Manager toolbar, click Tools, and then click DHCP.
11. In the DHCP console, expand LON-DC1, expand IPv4, and confirm that the TestScope exists.
12. Minimize the DHCP console.

Task 6: Configure IP address blocks, record IP addresses, and create DHCP reservations and DNS records
1. 2. 3. On LON-SVR2, in Server Manager, in the IPAM console tree, click IP Address Blocks. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address Block.

In the Add or Edit IPv4 Address Block dialog box, provide the following values, and then click OK: o o o Network ID: 172.16.0.0 Prefix length: 16 Description: Head Office

4. 5. 6.

In the IPAM console tree, click IP Address Inventory. In the right pane, click the Tasks drop-down arrow, and then click Add IP Address. In the Add IP Address dialog box, under Basic Configurations, provide the following values, and then click OK: o o o o IP address: 172.16.0.1 MAC address: 112233445566 Device type: Routers Description: Head Office Router

7. 8.

Click the Tasks drop-down arrow, and then click Add IP Address. In the Add IP Address dialog box, under Basic Configuration, provide the following values: o o o IP address: 172.16.0.10 MAC address: 223344556677 Device type: Host

9.

In the Add IPv4 Address pane, click DHCP Reservation, and then enter the following values: o o o Reservation server name: LON-DC1.Adatum.com Reservation name: Webserver Reservation type: Both

10. In the Add IPv4 Address pane, click DNS Record, enter the following values, and then click OK: o o o Device name: Webserver Forward lookup zone: Adatum.com Forward lookup primary server: LON-DC1.adatum.com

11. When the entry displays in the IPv4 details pane, right-click the entry, and then click Create DHCP Reservation. 12. Right-click the entry again, and then click Create DNS Host Record.

13. On LON-DC1, open the DHCP console, expand IPv4, expand Scope (172.16.0.0) Adatum, and then click Reservations. Ensure that the 172.16.0.10 Webserver reservation displays. 14. Open the DNS console, expand Forward Lookup Zones, and then click Adatum.com. Ensure that a host record displays for Webserver.


Results: After completing this exercise, you will have installed IPAM and configured IPAM with IPAM-related GPOs, IP management server discovery, managed servers, a new DHCP scope, IP address blocks, IP addresses, DHCP reservations, and DNS records.

To prepare for the next module

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR2, and 20412A-LON-CL1.


Module 2: Implementing Advanced File Services


Lab A: Implementing Advanced File Services

Exercise 1: Configuring iSCSI Storage

Task 1: Install the iSCSI target feature

1. Log on to LON-DC1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, select the iSCSI Target Server check box, and then click Next.
7. On the Select features page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation completes, click Close.

Task 2: Configure the iSCSI targets

1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services.
2. In the File and Storage Services pane, click iSCSI.
3. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk.
4. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
5. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk1, and then click Next.
6. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, ensure that GB is selected in the drop-down list box, and then click Next.
7. On the Assign iSCSI target page, click New iSCSI target, and then click Next.
8. On the Specify target name page, in the Name box, type LON-DC1, and then click Next.
9. On the Specify access servers page, click Add.
10. In the Select a method to identify the initiator dialog box, click Enter a value for the selected type, in the Type drop-down list box, click IP Address, in the Value text box, type 172.16.0.22, and then click OK.
11. On the Specify access servers page, click Add.
12. In the Select a method to identify the initiator dialog box, click Enter a value for the selected type, in the Type drop-down list box, click IP Address, in the Value text box, type 131.107.0.2, and then click OK.
13. On the Specify access servers page, click Next.
14. On the Enable Authentication page, click Next.
15. On the Confirm selections page, click Create.
16. On the View results page, wait until creation completes, and then click Close.
17. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk.
18. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage location, click C:, and then click Next.
19. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk2, and then click Next.
20. On the Specify iSCSI virtual disk size page, in the Size box, type 5, in the drop-down list box, ensure that GB is selected, and then click Next.
21. On the Assign iSCSI target page, click lon-dc1, and then click Next.
22. On the Confirm selection page, click Create.
23. On the View results page, wait until creation completes, and then click Close.
24. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk.
25. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage, click C:, and then click Next.
26. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk3, and then click Next.
27. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box, ensure that GB is selected, and then click Next.
28. On the Assign iSCSI target page, click lon-dc1, and then click Next.
29. On the Confirm selection page, click Create.
30. On the View results page, wait until creation completes, and then click Close.
31. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk.
32. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage, click C:, and then click Next.
33. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk4, and then click Next.
34. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box, ensure that GB is selected, and then click Next.
35. On the Assign iSCSI target page, click lon-dc1, and then click Next.
36. On the Confirm selection page, click Create.
37. On the View results page, wait until creation completes, and then click Close.
38. In the iSCSI VIRTUAL DISKS pane, click TASKS, and then in the TASKS drop-down list box, click New iSCSI Virtual Disk.
39. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage, click C:, and then click Next.
40. On the Specify iSCSI virtual disk name page, in the Name text box, type iSCSIDisk5, and then click Next.
41. On the Specify iSCSI virtual disk size page, in the Size text box, type 5, in the drop-down list box, ensure that GB is selected, and then click Next.
42. On the Assign iSCSI target page, click lon-dc1, and then click Next.
43. On the Confirm selection page, click Create.
44. On the View results page, wait until creation completes, and then click Close.
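The same target and five virtual disks can be built with the iSCSITarget module instead of the wizard. This added example is not part of the lab; it assumes the lab's target name, initiator addresses and disk names, and a disk folder of C:\iSCSIVirtualDisks (the wizard picks its own folder when you click C:). The commented Set-IscsiServerTarget line shows the CHAP setting that step 14 skips.

```powershell
# Added example (not part of the lab): Task 2 done with the iSCSITarget module
# on LON-DC1. The disk folder is an assumption; names and addresses are the lab's.

Import-Module IscsiTarget

$TargetName = 'LON-DC1'
$DiskFolder = 'C:\iSCSIVirtualDisks'                                  # assumed
$Initiators = @('IPAddress:172.16.0.22', 'IPAddress:131.107.0.2')    # steps 10 and 12

New-Item -Path $DiskFolder -ItemType Directory -Force | Out-Null

# One target (steps 7-13), restricted to the two initiator addresses the lab
# allows. Without -InitiatorIds the target would accept any initiator that
# can reach port 3260.
if (-not (Get-IscsiServerTarget -TargetName $TargetName -ErrorAction SilentlyContinue)) {
    New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $Initiators | Out-Null
}

# Five 5 GB disks, iSCSIDisk1 to iSCSIDisk5, each mapped to the target
# (steps 3-6 and 15-44 repeated for each disk).
1..5 | ForEach-Object {
    $path = Join-Path $DiskFolder ("iSCSIDisk{0}.vhd" -f $_)
    if (-not (Test-Path $path)) {
        New-IscsiVirtualDisk -Path $path -SizeBytes 5GB | Out-Null
    }
    Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $path
}

# Step 14 clicks through the Enable Authentication page, so the lab target
# relies on IP-based initiator filtering alone. Outside the lab, require CHAP
# as well, so a host that merely holds an allowed address cannot log on:
#   Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap (Get-Credential)

# Read back what was created: the IQN the initiator will see in Task 4,
# the allowed initiators and the five LUN mappings.
Get-IscsiServerTarget -TargetName $TargetName |
    Select-Object TargetName, TargetIqn, Status, InitiatorIds, LunMappings
```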

Task 3: Configure MPIO

1. Log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select Routing and Remote Access.
3. In the Enable DirectAccess Wizard, click Cancel, and then click OK in the Confirmation dialog box.
4. Right-click LON-SVR2, and then click Disable Routing and Remote Access.
5. Click Yes, and then close the Routing and Remote Access console.
6. In Server Manager, click Add roles and features.
7. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
8. On the Select installation type page, click Next.
9. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next. On the Select server roles page, click Next.
10. On the Select features page, click Multipath I/O, and then click Next.
11. On the Confirm installation selections page, click Install.
12. When installation is complete, click Close.
13. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select iSCSI Initiator.
14. In the Microsoft iSCSI dialog box, click Yes.
15. In the iSCSI Initiator Properties dialog box, on the Targets tab, in the Target box, type LON-DC1, and then click Quick Connect. In the Quick Connect box, click Done.
16. Click OK to close the iSCSI Initiator Properties dialog box.
17. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
18. In the MPIO Properties dialog box, click the Discover Multi-Paths tab.
19. Select the Add support for iSCSI devices check box, and then click Add. When you are prompted to reboot the computer, click Yes.
20. After the computer restarts, log on to LON-SVR2 with the username Adatum\Administrator and the password Pa$$w0rd.
21. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select MPIO.
22. In the MPIO Properties dialog box, on the MPIO Devices tab, notice that the additional Device Hardware ID MSFT2005iSCSIBusType_0x9 has been added to the list.
23. Click OK to close the MPIO Properties dialog box.


Task 4: Connect to and configure the iSCSI targets

1. On LON-SVR2, in Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select iSCSI Initiator.
2. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Disconnect.
3. In the Disconnect From All Sessions dialog box, click Yes.
4. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
5. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to the list of Favorite Targets check box is selected, and then click the Advanced button.
6. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, click 172.16.0.22, and in the Target Portal IP drop-down list, click 172.16.0.10 / 3260.
7. In the Advanced Settings dialog box, click OK.
8. In the Connect to Target window, click OK.
9. In the iSCSI Initiator Properties dialog box, on the Targets tab, click Connect.
10. In the Connect to Target window, click Enable multi-path, verify that the Add this connection to the list of Favorite Targets check box is selected, and then click the Advanced button.
11. In the Advanced Settings dialog box, on the General tab, change the Local Adapter from Default to Microsoft iSCSI Initiator. In the Initiator IP drop-down list, select 131.107.0.2, and in the Target Portal IP drop-down list, select 131.107.0.1 / 3260.
12. In the Advanced Settings dialog box, click OK.
13. In the Connect to Target window, click OK.
14. In the iSCSI Initiator Properties dialog box, click the Volumes and Devices tab.
15. In the iSCSI Initiator Properties dialog box, on the Volumes and Devices tab, click Auto Configure.
16. In the iSCSI Initiator Properties dialog box, click the Targets tab.
17. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-dc1-target, and then click Devices.
18. In the Devices dialog box, click the MPIO button.
19. Verify that in Load balance policy, Round Robin is selected. Under This device has the following paths, notice that two paths are listed. Select the first path, and then click the Details button.
20. Note the IP addresses of the Source and Target portals, and then click OK.
21. Select the second path, and then click the Details button.
22. Verify that the Source IP address is that of the second network adapter, and then click OK.
23. Click OK to close the Device Details dialog box.
24. Click OK to close the Devices dialog box.
25. Click OK to close the iSCSI Initiator Properties dialog box.
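The MPIO claim from Task 3 and the two multipath sessions from Task 4 can be set up and checked from Windows PowerShell on LON-SVR2. This is an added example, not part of the lab; it assumes the lab's initiator and portal addresses and the target IQN from step 17, and it assumes that Get-MSDSMAutomaticClaimSettings exposes an iSCSI value.

```powershell
# Added example (not part of the lab): Task 3 steps 13-22 and Task 4 from
# Windows PowerShell on LON-SVR2, using the lab's addresses and target IQN.
# The shape of the Get-MSDSMAutomaticClaimSettings output is an assumption.

Import-Module MPIO, iSCSI

$Iqn   = 'iqn.1991-05.com.microsoft:lon-dc1-lon-dc1-target'
$Paths = @(
    @{ Initiator = '172.16.0.22'; Portal = '172.16.0.10' }   # Task 4, step 6
    @{ Initiator = '131.107.0.2'; Portal = '131.107.0.1' }   # Task 4, step 11
)

# Task 3, step 19: let MSDSM claim iSCSI devices (this is what adds the
# hardware ID MSFT2005iSCSIBusType_0x9 seen in step 22). Needs a restart once.
if (-not (Get-MSDSMAutomaticClaimSettings).iSCSI) {
    Enable-MSDSMAutomaticClaim -BusType iSCSI
    Write-Warning 'MPIO now claims iSCSI devices; restart LON-SVR2, then run this again.'
    return
}

# Task 4, steps 2-3: drop the single-path session that Quick Connect created.
Get-IscsiSession | Where-Object { $_.TargetNodeAddress -eq $Iqn } | ForEach-Object {
    Disconnect-IscsiTarget -NodeAddress $_.TargetNodeAddress -Confirm:$false
}

# Task 4, steps 4-13: one multipath session per portal, persistent so it is
# restored at boot (the "Add this connection to the list of Favorite Targets" box).
foreach ($p in $Paths) {
    New-IscsiTargetPortal -TargetPortalAddress $p.Portal `
        -InitiatorPortalAddress $p.Initiator | Out-Null
    Connect-IscsiTarget -NodeAddress $Iqn -IsMultipathEnabled $true -IsPersistent $true `
        -InitiatorPortalAddress $p.Initiator -TargetPortalAddress $p.Portal | Out-Null
}

# Task 4, steps 17-22: there must be one session per path, and each
# connection's source address must be the adapter that path was built on.
$sessions = @(Get-IscsiSession | Where-Object { $_.TargetNodeAddress -eq $Iqn })
if ($sessions.Count -ne $Paths.Count) {
    throw "Expected $($Paths.Count) sessions to $Iqn, found $($sessions.Count)."
}
$connections = $sessions | Get-IscsiConnection
foreach ($p in $Paths) {
    $match = $connections | Where-Object {
        $_.InitiatorAddress -eq $p.Initiator -and $_.TargetAddress -eq $p.Portal
    }
    if (-not $match) { throw "No connection from $($p.Initiator) to $($p.Portal)." }
}
$connections | Select-Object InitiatorAddress, TargetAddress, TargetPortNumber

# Step 19: the MSDSM default for iSCSI-claimed devices is Round Robin. A value
# of None here means no global override is set, so the DSM default applies.
Get-MSDSMGlobalDefaultLoadBalancePolicy
```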

Results: After completing this exercise, you will have configured and connected to iSCSI targets.


Exercise 2: Configuring the File Classification Infrastructure

Task 1: Create a classification property for corporate documentation

1. On LON-SVR1, in Server Manager, in the upper-right corner, click Tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager window, expand Classification Management, select and then right-click Classification Properties, and then click Create Local Property.
3. In the Create Local Classification Property window, in the Name text box, type Corporate Documentation, in the Property Type drop-down list box, ensure that Yes/No is selected, and then click OK.
4. Leave the File Server Resource Manager console open.

Task 2: Create a classification rule for corporate documentation

1. In File Server Resource Manager, expand Classification Management, click Classification Rules, and then in the Actions pane, click Create Classification Rule.
2. In the Create Classification Rule window, on the General tab, in the Rule name text box, type Corporate Documents Rule, and then ensure that the Enable check box is selected.
3. Click the Scope tab, and then click Add.
4. In the Browse For Folder window, expand Allfiles (E:\), expand Labfiles, click Corporate Documentation, and then click OK.
5. In the Create Classification Rule window, on the Classification tab, in the Classification method drop-down list box, click Folder Classifier, in the Property-Choose a property to assign to files drop-down list box, click Corporate Documentation, and then in the Property-Specify a value drop-down list box, click Yes.
6. Click the Evaluation type tab, click Re-evaluate existing property values, ensure that the Aggregate the values radio button is selected, and then click OK.
7. In File Server Resource Manager, in the Actions pane, click Run classification with all rules now.
8. In the Run classification window, select the Wait for classification to complete radio button, and then click OK.
9. Review the Automatic classification report that displays in Windows Internet Explorer, and ensure that the report lists the same number of classified files as in the Corporate Documentation folder.
10. Close Internet Explorer, but leave the File Server Resource Manager open.

Task 3: Create a classification rule that applies to a shared folder

1. In File Server Resource Manager, expand Classification Management, right-click Classification Properties, and then click Create Local Property.
2. In the Create Local Classification Property window, in the Name text box, type Expiration Date, in the Property Type drop-down list box, ensure that Date-Time is selected, and then click OK.
3. In File Server Resource Manager, expand Classification Management, click Classification Rules, and then in the Actions pane, click Create Classification Rule.
4. In the Create Classification Rule window, on the General tab, in the Rule name text box, type Expiration Rule, and ensure that the Enable check box is selected.
5. Click the Scope tab, and then click Add.
6. In the Browse For Folder window, expand Allfiles (E:\), expand Labfiles, click Corporate Documentation, and then click OK.
7. Click the Classification tab, in the Classification method drop-down list box, click Folder Classifier, and then in the Property-Choose a property to assign to files drop-down list box, click Expiration Date.
8. Click the Evaluation type tab, click Re-evaluate existing property values, ensure that the Aggregate the values radio button is selected, and then click OK.
9. In File Server Resource Manager, in the Actions pane, click Run classification with all rules now.
10. In the Run classification window, select the Wait for classification to complete radio button, and then click OK.
11. Review the Automatic classification report that displays in Internet Explorer, and ensure that the report lists the same number of classified files as in the Corporate Documentation folder.
12. Close Internet Explorer, but leave the File Server Resource Manager open.

Task 4: Create a file management task to expire corporate documents

1. In File Server Resource Manager, select and then right-click File Management Tasks, and then click Create File Management Task.
2. In the Create File Management Task window, on the General tab, in the Task name text box, type Expired Corporate Documents, and then ensure that the Enable check box is selected.
3. Click the Scope tab, and then click Add.
4. In the Browse For Folder window, select E:\Labfiles\Corporate Documentation, and then click OK.
5. In the Create File Management Task window, on the Action tab, in the Type drop-down list box, ensure that File expiration is selected, and then in the Expiration directory box, type E:\Labfiles\Expired.
6. Click the Notification tab, and then click Add.
7. In the Add Notification window, on the Event Log tab, select the Send warning to event log check box, and then click OK.
8. Click the Condition tab, select the Days since the file was last modified check box, and then in the same row, replace the default value of 0 with 1.

Note: This value is for lab purposes only. In a real scenario, the value would be 365 days or more, depending on the company's policy.

9. Click the Schedule tab, ensure that the Weekly radio button is selected, select the Sunday check box, and then click OK.
10. Leave the File Server Resource Manager open.

Task 5: Verify that corporate documents are expired

1. In File Server Resource Manager, click File Management Tasks, right-click Expired Corporate Documents, and then click Run File Management Task Now.
2. In the Run File Management Task window, click Wait for the task to complete, and then click OK.
3. Review the File management task report that displays in Internet Explorer, and ensure that the report lists the same number of classified files as in the Corporate Documentation folder.
4. In Server Manager, click Tools, and then click Event Viewer.
5. In the Event Viewer console, expand Windows Logs, and then click Application.
6. Review the events with IDs 908 and 909. Notice that 908 means FSRM started a file management job, and 909 means FSRM finished a file management job.
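The classification property and rule from Tasks 1 and 2, the Expiration Date property from Task 3, and the expiration job from Tasks 4 and 5 can be built and run with the FileServerResourceManager module on LON-SVR1. This added example is not the lab's own procedure; it uses the lab's paths and names. Two details are my reading of the cmdlet help rather than anything the lab states: the New-FsrmFmjCondition form for "days since the file was last modified", and SRMSVC as the provider of events 908 and 909.

```powershell
# Added example (not part of the lab): Exercise 2 Tasks 1-5 from Windows
# PowerShell on LON-SVR1. Paths and names are the lab's. The condition syntax
# and the SRMSVC provider name are assumptions; confirm with Get-Help and
# Event Viewer on your own server.

Import-Module FileServerResourceManager

$Scope   = 'E:\Labfiles\Corporate Documentation'
$Expired = 'E:\Labfiles\Expired'
$JobName = 'Expired Corporate Documents'

# Task 1 and Task 3 steps 1-2: the two local classification properties.
foreach ($prop in @(@{ Name = 'Corporate Documentation'; Type = 'YesNo' },
                    @{ Name = 'Expiration Date';         Type = 'DateTime' })) {
    if (-not (Get-FsrmClassificationPropertyDefinition -Name $prop.Name -ErrorAction SilentlyContinue)) {
        New-FsrmClassificationPropertyDefinition -Name $prop.Name -Type $prop.Type | Out-Null
    }
}

# Task 2: a folder classifier that stamps every file under the scope with
# Corporate Documentation = Yes, aggregating with any value already present.
if (-not (Get-FsrmClassificationRule -Name 'Corporate Documents Rule' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name 'Corporate Documents Rule' -Namespace @($Scope) `
        -ClassificationMechanism 'Folder Classifier' -Property 'Corporate Documentation' `
        -PropertyValue 'Yes' -ReevaluateProperty Aggregate | Out-Null
}

# Task 2 steps 7-8: "Run classification with all rules now" and wait for it.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# Task 4: move files not modified for 1 day (the lab value; 365 or more in
# production) into E:\Labfiles\Expired, warn in the event log, run on Sundays.
$action    = New-FsrmFmjAction -Type Expiration -ExpirationFolder $Expired
$condition = New-FsrmFmjCondition -Property 'File.DateLastModified' -Condition LessThan `
                 -Value 'Date.Now' -DateOffset -1                 # assumed form
$notifyAct = New-FsrmFmjNotificationAction -Type Event -EventType Warning `
                 -Body 'Corporate documents are about to expire.'
$notify    = New-FsrmFmjNotification -Days 1 -Action $notifyAct
$schedule  = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday

if (-not (Get-FsrmFileManagementJob -Name $JobName -ErrorAction SilentlyContinue)) {
    New-FsrmFileManagementJob -Name $JobName -Namespace @($Scope) -Action $action `
        -Condition $condition -Notification $notify -Schedule $schedule | Out-Null
}

# Task 5: run the job now, wait, compare file counts, and read events 908/909.
$before = @(Get-ChildItem -Path $Scope -File -Recurse).Count
Start-FsrmFileManagementJob -Name $JobName
Wait-FsrmFileManagementJob -Name $JobName
$moved = @(Get-ChildItem -Path $Expired -File -Recurse -ErrorAction SilentlyContinue).Count
"Files in scope before the run: $before; files now under ${Expired}: $moved"

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 908, 909 } `
    -MaxEvents 2 | Select-Object TimeCreated, Id, Message
```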

Results: After completing this exercise, you will have configured a file classification infrastructure so that the latest version of the documentation is always available to users.

To prepare for the next lab

When you finish the lab, revert 20417A-LON-SVR2. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20417A-LON-SVR2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert. Keep all other virtual machines running for the next lab.


Lab B: Implementing BranchCache

Exercise 1: Configuring the Main Office Servers for BranchCache

Task 1: Configure LON-DC1 to use BranchCache

1. On LON-DC1, on the taskbar, click the Server Manager icon.
2. In Server Manager, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, select the BranchCache for Network Files check box, and then click Next.
7. On the Select features page, click Next.
8. On the Confirm installation selections page, click Install.
9. Click Close, and then close Server Manager.
10. Point to the lower-right corner of the screen, click Search, in the Search text box, type gpedit.msc, and then press Enter.
11. In the Local Group Policy Editor console, in the navigation pane, under Computer Configuration, expand Administrative Templates, expand Network, and then click Lanman Server.
12. In the Lanman Server result pane, in the Setting list, right-click Hash Publication for BranchCache, and then click Edit.
13. In the Hash Publication for BranchCache dialog box, click Enabled, in the Hash publication actions list, select the Allow hash publication only for shared folders on which BranchCache is enabled check box, and then click OK.

Task 2: Simulate a slow link to the branch office

1. In the Local Group Policy Editor console, in the navigation pane, under Computer Configuration, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
2. In the Policy-based QoS Wizard, on the Create a QoS policy page, in the Policy name text box, type Limit to 100 Kbps, select the Specify Outbound Throttle Rate check box, in the Specify Outbound Throttle Rate text box, type 100, and then click Next.
3. On the This QoS policy applies to page, click Next.
4. On the Specify the source and destination IP addresses page, click Next.
5. On the Specify the protocol and port numbers page, click Finish.
6. Close the Local Group Policy Editor.

Task 3: Enable a file share for BranchCache

1. On the taskbar, click the Windows Explorer icon.
2. In the Windows Explorer window, browse to Local Disk (C:).
3. In the Local Disk (C:) window, on the menu, click the Home tab, and then click New Folder.
4. Type Share, and then press Enter.
5. Right-click Share, and then click Properties.
6. In the Share Properties dialog box, on the Sharing tab, click Advanced Sharing.
7. Select the Share this folder check box, and then click Caching.
8. In the Offline Settings dialog box, select the Enable BranchCache check box, and then click OK.
9. In the Advanced Sharing dialog box, click OK.
10. In the Share Properties dialog box, click Close.
11. Point to the lower-right corner of the screen, click Search, in the Search text box, type cmd, and then press Enter.
12. At the command prompt, type the following command, and then press Enter:
Copy C:\windows\system32\write.exe c:\share
13. Close the command prompt.
14. Close Windows Explorer.

Task 4: Configure client firewall rules for BranchCache

1. On LON-DC1, on the taskbar, click the Server Manager icon.
2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list box, click Group Policy Management.
3. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.
5. In Windows Firewall with Advanced Security, in the navigation pane, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
6. In the Group Policy Management Editor, on the Action menu, click New Rule.
7. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined, click BranchCache Content Retrieval (Uses HTTP), and then click Next.
8. On the Predefined Rules page, click Next.
9. On the Action page, click Finish to create the firewall inbound rule.
10. In the Group Policy Management Editor, in the navigation pane, click Inbound Rules, and then in the Group Policy Management Editor console, on the Action menu, click New Rule.
11. On the Rule Type page, click Predefined, click BranchCache Peer Discovery (Uses WSD), and then click Next.
12. On the Predefined Rules page, click Next.
13. On the Action page, click Finish.
14. Close the Group Policy Management Editor and the Group Policy Management console.
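Tasks 1 through 3 of this exercise, plus a local equivalent of the firewall rules Task 4 pushes by Group Policy, can be done from Windows PowerShell on LON-DC1. This added example is not part of the lab; it assumes the lab's C:\Share path and 100 Kbps throttle, and the BranchCache firewall display group names are an assumption. The Hash Publication for BranchCache policy from Task 1, steps 10 through 13, is left to the Local Group Policy Editor because the lab does not give its registry value.

```powershell
# Added example (not part of the lab): Exercise 1 Tasks 1-3 on LON-DC1 from
# Windows PowerShell, with a local check of the two firewall rule groups that
# Task 4 enables through the Default Domain Policy. Firewall display group
# names are assumed; the hash publication policy is left to Group Policy.

Import-Module ServerManager, SmbShare, NetQos, BranchCache

# Task 1, steps 1-9: the BranchCache for Network Files role service.
if (-not (Get-WindowsFeature -Name FS-BranchCache).Installed) {
    Install-WindowsFeature -Name FS-BranchCache | Out-Null
}

# Task 3: folder, write.exe copy, and a share with BranchCache caching mode
# (the "Enable BranchCache" box in Offline Settings).
New-Item -Path 'C:\Share' -ItemType Directory -Force | Out-Null
Copy-Item -Path "$env:SystemRoot\System32\write.exe" -Destination 'C:\Share' -Force
if (Get-SmbShare -Name 'Share' -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name 'Share' -CachingMode BranchCache -Force
} else {
    New-SmbShare -Name 'Share' -Path 'C:\Share' -CachingMode BranchCache | Out-Null
}

# Optional: compute content hashes now so the first branch-office request
# does not wait for hash generation. Needs the hash publication policy applied.
Publish-BCFileContent -Path 'C:\Share' -Recurse

# Task 2: an outbound throttle of 100 Kbps (100000 bits per second) with no
# match condition, which is what clicking Next through the wizard produces.
if (-not (Get-NetQosPolicy -Name 'Limit to 100 Kbps' -ErrorAction SilentlyContinue)) {
    New-NetQosPolicy -Name 'Limit to 100 Kbps' -ThrottleRateActionBitsPerSecond 100000 | Out-Null
}

# Task 4 delivers these predefined rules to every domain member via GPO; this
# is the single-machine equivalent, useful when checking one client.
foreach ($group in @('BranchCache - Content Retrieval (Uses HTTP)',
                     'BranchCache - Peer Discovery (Uses WSD)')) {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Enable-NetFirewallRule
}

# Read back what the exercise's Results line describes.
Get-WindowsFeature -Name FS-BranchCache | Select-Object Name, InstallState
Get-SmbShare -Name 'Share' | Select-Object Name, Path, CachingMode
Get-NetQosPolicy -Name 'Limit to 100 Kbps'
```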

Results: At the end of this exercise, you will have deployed BranchCache, configured a slow link, and enabled BranchCache on a file share.


Exercise 2: Configuring the Branch Office Servers for BranchCache

Task 1: Install the BranchCache feature on LON-SVR1

1. On LON-SVR1, in Server Manager, click Add roles and features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, ensure that Select server from the server pool is selected, and then click Next.
5. On the Select server roles page, expand File And Storage Services (Installed), expand File and iSCSI Services, and then select the BranchCache for Network Files check box.
6. On the Select server roles page, click Next.
7. On the Select features page, click BranchCache, and then click Next.
8. On the Confirm installation selections page, click Install.
9. Click Close.

Task 2: Start the BranchCache host server

1. Switch to LON-DC1.
2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list, click Active Directory Users and Computers.
3. In Active Directory Users and Computers, right-click Adatum.com, point to New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, type BranchCacheHost, and then click OK.
5. Click the Computers container.
6. Click LON-SVR1, and then drag it to BranchCacheHost.
7. Click Yes to clear the warning about moving objects.
8. Close Active Directory Users and Computers.
9. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list, click Group Policy Management.
10. In Group Policy Management, under Domains, expand Adatum.com, right-click BranchCacheHost, and then click Block Inheritance.
11. On LON-DC1, close all open windows.
12. Restart LON-SVR1, and log on as Adatum\Administrator with the password Pa$$w0rd.
13. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
14. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Enable-BCHostedServer -RegisterSCP
15. In the Windows PowerShell window, type the following cmdlet, and then press Enter:
Get-BCStatus
16. Close Windows PowerShell.


Results: At the end of this exercise, you will have enabled the BranchCache server in the branch office.

Exercise 3: Configuring Client Computers for BranchCache

Task 1: Configure client computers to use BranchCache in Hosted Cache mode

1. On LON-DC1, on the taskbar, click Server Manager.
2. In Server Manager, on the menu bar, click Tools, and then in the Tools drop-down list, select Group Policy Management.
3. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, in the navigation pane, under Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
5. In the BranchCache results pane, in the Setting list, right-click Turn on BranchCache, and then click Edit.
6. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
7. In the BranchCache results pane, in the Setting list, right-click Enable Automatic Hosted Cache Discovery by Service Connection Point, and then click Edit.
8. In the Enable Automatic Hosted Cache Discovery by Service Connection Point dialog box, click Enabled, and then click OK.
9. In the BranchCache results pane, in the Setting list, right-click Configure BranchCache for network files, and then click Edit.
10. In the Configure BranchCache for network files dialog box, click Enabled, in the Type the maximum round trip network latency (milliseconds) after which caching begins text box, type 0, and then click OK. This setting is required to simulate access from a branch office and is not typically required.
11. Close the Group Policy Management Editor.
12. Close the Group Policy Management Console.
13. Start 20412A-LON-CL1, and log on as Adatum\Administrator with the password Pa$$w0rd.
14. On the Start screen, in the lower-right corner of the screen, click Search, in the Search text box, type cmd, and then press Enter.
15. At the command prompt, type the following command, and then press Enter:
gpupdate /force
16. At the command prompt, type the following command, and then press Enter:
netsh branchcache show status all
17. Start 20412A-LON-CL2, and log on as Adatum\Administrator with the password Pa$$w0rd.
18. On the Start screen, in the lower-right corner of the screen, click Search, in the Search text box, type cmd, and then press Enter.
19. At the command prompt, type the following command, and then press Enter:
gpupdate /force
20. At the command prompt, type the following command, and then press Enter:
netsh branchcache show status all

Results: At the end of this exercise, you will have configured the client computers for BranchCache.

Exercise 4: Monitoring BranchCache

Task 1: Configure Performance Monitor on LON-SVR1

1. Switch to LON-SVR1.
2. In Server Manager, on the menu bar, click Tools, and then from the Tools drop-down list box, click Performance Monitor.
3. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor.
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.
7. On the Change Graph type button, select Report.

Task 2: View performance statistics on LON-CL1

1. Switch to LON-CL1.
2. Point to the lower-right corner of the screen, click Search, in the Search text box, type perfmon, and then press Enter.
3. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor.
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.
7. Change the graph type to Report. Notice that the value of all performance statistics is zero.

Task 3: View performance statistics on LON-CL2

1. Switch to LON-CL2.
2. Point to the lower-right corner of the screen, click Search, in the Search text box, type perfmon, and then press Enter.
3. In the Performance Monitor console, in the navigation pane, under Monitoring Tools, click Performance Monitor.
4. In the Performance Monitor results pane, click the Delete (Delete Key) icon.
5. In the Performance Monitor results pane, click the Add (Ctrl+N) icon.
6. In the Add Counters dialog box, under Select counters from computer, click BranchCache, click Add, and then click OK.
7. Change the graph type to Report. Notice that the value for all performance statistics is zero.

Task 4: Test BranchCache in the Hosted Cache mode

1. Switch to LON-CL1.
2. On the taskbar, click the Windows Explorer icon.
3. In Windows Explorer, navigate to \\LON-DC1.adatum.com\Share, and then press Enter.
4. In the Share window, in the Name list, right-click write.exe, and then click Copy.
5. In the Share window, click Minimize.
6. On the desktop, right-click anywhere, and then click Paste.
7. Read the performance statistics on LON-CL1. This file was retrieved from LON-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).
8. Switch to LON-CL2.
9. On the taskbar, click the Windows Explorer icon.
10. In the Windows Explorer address bar, type \\LON-DC1.adatum.com\Share, and then press Enter.
11. In the Share window, in the Name list, right-click write.exe, and then click Copy.
12. In the Share window, click Minimize.
13. On the desktop, right-click anywhere, and then click Paste.
14. Read the performance statistics on LON-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
15. Read the performance statistics on LON-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).
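The same measurement can be taken with Get-Counter instead of Performance Monitor: snapshot the BranchCache counters, copy write.exe from the share as in steps 3 through 6, and see which counters moved. This is an added example, not part of the lab; it uses the lab's share path and the counter names named in steps 7, 14 and 15, and assumes Exercise 3 has put the client into Hosted Cache mode. Run it on LON-CL1 first and then on LON-CL2.

```powershell
# Added example (not part of the lab): Exercise 4 done with Get-Counter.
# Share path and counter names are the lab's; the rest is assumed.

Import-Module BranchCache

$SharePath = '\\LON-DC1.adatum.com\Share\write.exe'
$Counters  = @(
    '\BranchCache\Retrieval: Bytes from Server',
    '\BranchCache\Retrieval: Bytes from Cache',
    '\BranchCache\Retrieval: Bytes Served',
    '\BranchCache\Hosted Cache: Client file segment offers made'
)

function Get-BCCounterSnapshot {
    # Reads each counter on its own so one that is absent on this machine
    # (the Hosted Cache counter on a client, for instance) does not spoil the rest.
    $snap = @{}
    foreach ($name in $Counters) {
        try {
            $sample = Get-Counter -Counter $name -ErrorAction Stop
            $snap[$name] = [int64]$sample.CounterSamples[0].CookedValue
        } catch {
            $snap[$name] = $null
        }
    }
    return $snap
}

function Test-BCRetrieval {
    param([string]$Path = $SharePath)

    # Exercise 3 should have left the client in HostedCache mode pointing at
    # LON-SVR1; if not, the counter deltas below say nothing about BranchCache.
    $cfg = Get-BCClientConfiguration
    "Client mode: $($cfg.CurrentClientMode); hosted cache: $($cfg.HostedCacheServerList -join ', ')"

    $before = Get-BCCounterSnapshot
    Copy-Item -Path $Path -Destination "$env:USERPROFILE\Desktop" -Force   # steps 3-6
    Start-Sleep -Seconds 5     # give the client time to offer segments to the hosted cache
    $after  = Get-BCCounterSnapshot

    $delta = @{}
    foreach ($name in $Counters) {
        if ($null -ne $before[$name] -and $null -ne $after[$name]) {
            $delta[$name] = $after[$name] - $before[$name]
        }
    }
    $delta.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-62} {1,12}' -f $_.Name, $_.Value }

    # Same reading as steps 7 and 14: the first client pulls from LON-DC1 and
    # feeds the hosted cache; the next client is served from the cache.
    if ($delta['\BranchCache\Retrieval: Bytes from Cache'] -gt 0) {
        'Served from the hosted cache (what step 14 expects on LON-CL2).'
    } elseif ($delta['\BranchCache\Retrieval: Bytes from Server'] -gt 0) {
        'Fetched from LON-DC1 and then offered to the hosted cache (what step 7 expects on LON-CL1).'
    } else {
        'No BranchCache retrieval counted; check Get-BCStatus and the Lab B Exercise 1 firewall rules.'
    }
    return $delta
}

Test-BCRetrieval
```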

Results: At the end of this exercise, you will have verified that BranchCache is working as expected.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.


Module 3: Implementing Dynamic Access Control

Lab: Implementing Dynamic Access Control

Exercise 1: Planning the Dynamic Access Control Implementation

Task 1: Plan the Dynamic Access Control deployment

The scenario requires the following:

1. Folders that belong to the Research team should be accessible and modifiable only by employees who belong to the Research team.
2. Files classified with classification High should be accessible only to managers.
3. Managers should access confidential files only from workstations that belong to the ManagersWKS security group.

You can meet these requirements by implementing claims, resource properties, and file classifications, as follows:

1. Create the appropriate claims for users and devices. The user claim uses department as the source attribute, and the device claim uses description as the source attribute.
2. Configure the resource property for the research department.
3. Configure central access rules and central access policies to protect the resources. At the same time, configure file classification for confidential documents.
4. Apply a central access policy to the folders in which the files for the research department and the managers are located.
5. As a solution for users who receive error messages, implement Access Denied Assistance.

Task 2: Prepare AD DS to support Dynamic Access Control

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, right-click Adatum.com, click New, and then click Organizational Unit.
3. In the New Object - Organizational Unit dialog box, in the Name field, type Test, and then click OK.
4. Click the Computers container.
5. Press and hold the Ctrl key, click the LON-SVR1, LON-CL1, and LON-CL2 computers, right-click, and then select Move.
6. In the Move window, click Test, and then click OK.
7. Close the Active Directory Users and Computers console.
8. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
9. Expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
10. Right-click the Managers OU, and then click Block Inheritance. This is to remove the block inheritance setting used in a later module in the course.
11. Click the Group Policy Objects container.
12. In the results pane, right-click Default Domain Controllers Policy, and then click Edit.


13. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click KDC.
14. In the right pane, double-click KDC support for claims, compound authentication and Kerberos armoring.
15. In the KDC support for claims, compound authentication and Kerberos armoring window, select Enabled, in the Options section, click the drop-down list, select Supported, and then click OK.
16. Close the Group Policy Management Editor console and the Group Policy Management Console.
17. On the taskbar, click the Windows PowerShell icon.
18. At the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter. After Group Policy updates, close the Windows PowerShell window.
19. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
20. Expand Adatum.com, right-click Users, click New, and then click Group.
21. In the Group name field, type ManagersWKS, and then click OK.
22. Click the Test OU.
23. Right-click LON-CL1, and then click Properties.
24. Click the Member Of tab, and then click Add.
25. In the Select Groups window, type ManagersWKS, click Check Names, click OK, and then click OK again.
26. Click the Managers organizational unit (OU).
27. Right-click Aidan Delaney, and then select Properties.
28. Click the Organization tab. Ensure that the Department field is populated with the value Managers, and then click Cancel.
29. Click the Research OU.
30. Right-click Allie Bellew, and then select Properties.
31. Click the Organization tab. Ensure that the Department field is populated with the value Research, and then click Cancel.

Results: After completing this exercise, you will have planned for Dynamic Access Control deployment, and you will have prepared AD DS for Dynamic Access Control implementation.

Exercise 2: Configuring User and Device Claims

Task 1: Review the default claim types

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control.
3. In the central pane, double-click Claim Types.
4. Verify that there are no default claims defined.
5. In the navigation pane, click Dynamic Access Control, and then double-click Resource Properties.
6. Review the default resource properties. Note that all properties are disabled by default.


7. In the navigation pane, click Dynamic Access Control, and then double-click Resource Property Lists.
8. In the central pane, right-click Global Resource Property List, and then click Properties.
9. In the Global Resource Property List, in the Resource Properties section, review the available resource properties, and then click Cancel.

Task 2: Configure claims for users

1. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control, and then double-click Claim Types.
2. In the Claim Types container, in the Tasks pane, click New, and then click Claim Type.
3. In the Create Claim Type window, in the Source Attribute section, select department.
4. In the Display name text box, type Company Department.
5. Select both the User and Computer check boxes, and then click OK.

Task 3: Configure claims for devices

1. In the Active Directory Administrative Center, in the Tasks pane, click New, and then select Claim Type.
2. In the Create Claim Type window, in the Source Attribute section, click description.
3. Clear the User check box, select the Computer check box, and then click OK.

Results: After completing this exercise, you will have reviewed the default claim types, configured claims for users, and configured claims for devices.

Exercise 3: Configuring Resource Property Definitions

Task 1: Configure resource property definitions

1. In the Active Directory Administrative Center, click Dynamic Access Control.
2. In the central pane, double-click Resource Properties.
3. In the Resource Properties list, right-click Department, and then click Enable.
4. In the Resource Properties list, right-click Confidentiality, and then click Enable.
5. In the Global Resource Property List, ensure that both the Department and Confidentiality properties are enabled.
6. Double-click Department.
7. Scroll down to the Suggested Values section, and then click Add.
8. In the Add a suggested value window, in both the Value and Display name text boxes, type Research, and then click OK two times.
9. Click Dynamic Access Control, and then double-click Resource Property Lists.
10. In the central pane, double-click Global Resource Property List, ensure that both Department and Confidentiality display, and then click Cancel. If they do not display, click Add, add these two properties, and then click OK.
11. Close the Active Directory Administrative Center.


Task 2: Classify files

1. On LON-SVR1, in Server Manager, click Tools, and then click File Server Resource Manager.
2. In the File Server Resource Manager console, expand Classification Management.
3. Select and then right-click Classification Properties, and then click Refresh.
4. Verify that the Confidentiality and Department properties are listed.
5. Click Classification Rules.
6. In the Actions pane, click Create Classification Rule.
7. In the Create Classification Rule window, for the Rule name, type Set Confidentiality.
8. Click the Scope tab, and then click Add.
9. In the Browse For Folder dialog box, expand Local Disk (C:), click the Docs folder, and then click OK.
10. Click the Classification tab.
11. Make sure that the following settings are set, and then click Configure:
   o Classification method: Content Classifier
   o Property: Confidentiality
   o Value: High
12. In the Classification Parameters dialog box, click the Regular expression drop-down list, and then click String.
13. In the Expression field (next to the word String), type secret, and then click OK.
14. Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the existing value, and then click OK.
15. In the File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
16. Click Wait for classification to complete, and then click OK.
17. After the classification is complete, you will be presented with a report. Verify that two files were classified. You can confirm this in the Report Totals section.
18. Close the report.
19. Open a Windows Explorer window, and browse to the C:\Docs folder.
20. Right-click Doc1.txt, click Properties, and then click the Classification tab. Verify that Confidentiality is set to High.
21. Repeat step 20 on the files Doc2.txt and Doc3.txt. Doc2.txt should have the same Confidentiality as Doc1.txt, while Doc3.txt should have no value. This is because only Doc1 and Doc2 have the word secret in their content.

Task 3: Assign properties to a folder

1. On LON-SVR1, open Windows Explorer, and browse to drive C.
2. In drive C, right-click the Research folder, and then click Properties.
3. Click the Classification tab, and then click Department. In the Value section, click Research, click Apply, and then click OK.


Results: After completing this exercise, you will have configured resource properties for files, classified files, and assigned properties to a folder.

Exercise 4: Configuring Central Access Rules and Central Access Policies

Task 1: Configure central access rules

1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Dynamic Access Control, and then double-click Central Access Rules.
3. In the Tasks pane, click New, and then click Central Access Rule.
4. In the Central Access Rule dialog box, in the Name field, type Department Match.
5. In the Target Resources section, click Edit.
6. In the Central Access Rule dialog box, click Add a condition.
7. Set a condition as follows: Resource-Department-Equals-Value-Research, and then click OK.
8. In the Permissions section, click Use following permissions as current permissions.
9. In the Permissions section, click Edit.
10. Remove the permission for Administrators.
11. In Advanced Security Settings for Permissions, click Add.
12. In Permission Entry for Permissions, click Select a principal.
13. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click Check Names, and then click OK.
14. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check boxes.
15. Click Add a condition.
16. Click the Group drop-down list, and then click Company Department.
17. Click the Value drop-down list, and then select Resource.
18. In the last drop-down list, select Department.
   Note: You should have this expression as a result: User-Company Department-Equals-Resource-Department.
19. Click OK three times.
20. In the Tasks pane, click New, and then click Central Access Rule.
21. For the name of the rule, type Access Confidential Docs.
22. In the Target Resources section, click Edit.
23. In the Central Access Rule window, click Add a condition.
24. In the last drop-down list, click High.
   Note: You should have this expression as a result: Resource-Confidentiality-Equals-Value-High.


25. Click OK.
26. In the Permissions section, click Use following permissions as current permissions.
27. In the Permissions section, click Edit.
28. Remove the permission for Administrators.
29. In Advanced Security Settings for Permissions, click Add.
30. In the Permission Entry for Permissions, click Select a principal.
31. In the Select User, Computer, Service Account or Group window, type Authenticated Users, click Check Names, and then click OK.
32. In the Basic permissions section, select the Modify, Read and Execute, Read and Write check boxes.
33. Click Add a condition.
34. Set the first condition to: User-Group-Member of each-Value-Managers, and then click Add a condition.
   Note: If you cannot find Managers in the last drop-down list, click Add items. Then, in the Select User, Computer, Service Account or Group window, type Managers, click Check Names, and then click OK.
35. Set the second condition to: Device-Group-Member of each-Value-ManagersWKS.
   Note: If you cannot find ManagersWKS in the last drop-down list, click Add items. Then, in the Select User, Computer, Service Account or Group window, type ManagersWKS, click Check Names, and then click OK.
36. Click OK three times.

Task 2: Create a central access policy

1. On LON-DC1, in the Active Directory Administrative Center, click Dynamic Access Control, and then double-click Central Access Policies.
2. In the Tasks pane, click New, and then click Central Access Policy.
3. In the Name field, type Protect confidential docs, and then click Add.
4. Click the Access Confidential Docs rule, click >>, and then click OK twice.
5. In the Tasks pane, click New, and then click Central Access Policy.
6. In the Name field, type Department Match, and then click Add.
7. Click the Department Match rule, click >>, and then click OK twice.
8. Close the Active Directory Administrative Center.

Task 3: Publish a central access policy by using Group Policy

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, under Domains, expand Adatum.com, right-click Test, and then click Create a GPO in this domain, and link it here.
3. Type DAC Policy, and then click OK.


4. Right-click DAC Policy, and then click Edit.
5. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand File System, right-click Central Access Policy, and then click Manage Central Access Policies.
6. Click both Department Match and Protect confidential docs, click Add, and then click OK.
7. Close the Group Policy Management Editor.
8. Close the Group Policy Management Console.

Task 4: Apply the central access policy to resources

1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. Type gpupdate /force, and then press Enter.
3. Close the command prompt window.
4. Open Windows Explorer, browse to drive C, right-click the Docs folder, and then click Properties.
5. In the Properties dialog box, click the Security tab, and then click Advanced.
6. In the Advanced Security Settings for Docs window, click the Central Policy tab, and then click Change.
7. On the drop-down list, select Protect confidential docs, and then click OK two times.
8. Right-click the Research folder, and then click Properties.
9. In the Properties dialog box, click the Security tab, and then click Advanced.
10. In the Advanced Security Settings for Research window, click the Central Policy tab, and then click Change.
11. In the drop-down list, select Department Match, and then click OK two times.

Task 5: Configure access denied remediation settings

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. Right-click DAC Policy, and then select Edit.
4. Under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click Access-Denied Assistance.
5. In the right pane, double-click Customize Message for Access Denied errors.
6. In the Customize Message for Access Denied errors window, click Enabled.
7. In the Display the following message to users who are denied access text box, type You are denied access because of permission policy. Please request access.
8. Select the Enable users to request assistance check box.
9. Review the other options but do not make any changes, and then click OK.
10. In the right pane of the Group Policy Management Editor, double-click Enable access-denied assistance on client for all file types.
11. Click Enabled, and then click OK.
12. Close both the Group Policy Management Editor and the Group Policy Management Console.


13. Switch to LON-SVR1, and on the taskbar, click the Windows PowerShell icon.
14. At the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter.

Results: After completing this exercise, you will have configured central access rules and central access policies for Dynamic Access Control.

Exercise 5: Validating and Remediating Dynamic Access Control

Task 1: Validate Dynamic Access Control functionality

1. Start and then log on to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
3. In the Windows Explorer address bar, type \\LON-SVR1\Docs, and then press Enter.
4. In the Docs folder, try to open Doc3. You should be able to open that document. Close Notepad.
5. In the Windows Explorer address bar, type \\LON-SVR1\Research, and then press Enter. You should be unable to access the folder.
6. Click Request assistance. Review the options for sending messages, and then click Close.
7. Log off LON-CL1.
8. Log on to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.
9. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
10. In the Windows Explorer address bar, type \\LON-SVR1\Research, and then press Enter.
11. Verify that you can access this folder and open the documents inside, because Allie is a member of the Research team.
12. Log off LON-CL1.
13. Log on to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
14. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
15. In the Windows Explorer address bar, type \\LON-SVR1\Docs.
16. Verify that you can access this folder and open all files inside.
17. Log off LON-CL1.
18. Start and then log on to LON-CL2 as Adatum\Aidan with the password Pa$$w0rd.
19. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon. In the Windows Explorer address bar, type \\LON-SVR1\Docs. You should be unable to view Doc1 or Doc2, because LON-CL2 is not permitted to view secret documents.

Results: After completing this exercise, you will have validated Dynamic Access Control functionality.

Exercise 6: Implementing new resource policies


Task 1: Configure staging for a central access policy
1. On LON-DC1, open Server Manager, click Tools, and then select Group Policy Management.


2. In the Group Policy Management Console, expand Forest: adatum.com, expand Domains, expand Adatum.com, and then click Group Policy Objects.
3. Right-click DAC Policy, and then select Edit.
4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Advanced Audit Policy Configuration, expand Audit Policies, and then click Object Access.
5. Double-click Audit Central Access Policy Staging, select all three check boxes, and then click OK.
6. Double-click Audit File System, select all three check boxes, and then click OK.
7. Close the Group Policy Management Editor and the Group Policy Management Console.

Task 2: Configure staging permissions

1. On LON-DC1, open Server Manager, and then open Active Directory Administrative Center.
2. In the navigation pane, click Dynamic Access Control.
3. Double-click Central Access Rules.
4. Right-click Department Match, and then select Properties.
5. Scroll down to the Proposed Permissions section, click Enable permission staging configuration, and then click Edit.
6. Click Authenticated Users, and then click Edit.
7. Change the condition to: User-Company Department-Equals-Value-Marketing, and then click OK.
8. Click OK two more times to close all windows.
9. Switch to LON-SVR1, and open Windows PowerShell.
10. Type gpupdate /force, and then press Enter.
11. Close the Windows PowerShell window.

Task 3: Verify staging

1. Log on to LON-CL1 as Adatum\Adam with the password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click the Windows Explorer icon.
3. In the Windows Explorer address bar, click the yellow icon, and then type \\LON-SVR1\Research.
4. Try to open the Research folder and its files. You will not be able to open them.
5. Switch to LON-SVR1.
6. Open Server Manager, click Tools, and then select Event Viewer.
7. Expand Windows Logs, and then navigate to the Security log.
8. Look for events with ID 4818. Read the content of these events.
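As an added example (not part of the course lab), the following Windows PowerShell on LON-SVR1 retrieves the same Event ID 4818 staging events that step 8 has you read in Event Viewer, and summarizes them per user and object so you can see who would gain or lose access before promoting the proposed permissions. It assumes an elevated session, that the Audit Central Access Policy Staging subcategory was enabled as in Task 1, and that the SubjectUserName, SubjectDomainName and ObjectName fields are present in the event data, as they are in other object-access audit events.

```powershell
# Added example, not from the course lab: collect and summarize central access
# policy staging audit events (Event ID 4818) from the Security log on a file server.
# Assumes Windows PowerShell 3.0 and an elevated session (the Security log is protected).

function Get-CapStagingEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 200
    )
    # 4818 is raised when the proposed (staged) permissions of a central access policy
    # would have produced a different result than the permissions currently in force.
    $filter = @{ LogName = 'Security'; Id = 4818; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the structured EventData rather than parsing the rendered message text.
        $xml  = [xml]$e.ToXml()
        $data = [ordered]@{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            # Assumed field names (standard for object-access audit events).
            User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object = $data['ObjectName']
            Fields = $data   # every field of the event, including current vs. proposed results
        }
    }
}

function Get-CapStagingSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    # One row per (user, object) pair: how many access checks would change outcome under
    # the proposed permissions. Any row here means the staged rule changes real access
    # and should be reviewed before it is promoted to the current permissions.
    $Events | Group-Object User, Object | ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            User   = $ordered[0].User
            Object = $ordered[0].Object
            Hits   = $_.Count
            First  = $ordered[0].Time
            Last   = $ordered[-1].Time
        }
    } | Sort-Object Hits -Descending
}

# Usage on LON-SVR1 after Adam's attempt to open \\LON-SVR1\Research (steps 1-4 above):
$staging = @(Get-CapStagingEvents -Since (Get-Date).AddMinutes(-30))
if ($staging.Count -eq 0) {
    Write-Host 'No 4818 events found: confirm the staging audit subcategory is enabled and gpupdate ran.'
} else {
    Get-CapStagingSummary -Events $staging | Format-Table -AutoSize
    # Drill into the full field set of the most recent event.
    $staging[0].Fields.GetEnumerator() | Format-Table Name, Value -AutoSize
}
```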

Task 4: Use effective permissions to test Dynamic Access Control

1. On LON-SVR1, open Windows Explorer.
2. In the Windows Explorer window, navigate to C:\Research, right-click Research, and then click Properties.
3. In the Properties dialog box, click the Security tab, click Advanced, and then click Effective Access.


4. Click Select a user.
5. In the Select User, Computer, Service Account, or Group window, type April, click Check Names, and then click OK.
6. Click View effective access.
7. Review the results. The user April should not have access to this folder.
8. Click Include a user claim.
9. On the drop-down list, click Company Department.
10. In the Value text box, type Research.
11. Click View effective access. The user should now have access.
12. Close all open windows.

Results: After completing this exercise, you will have implemented new resource policies.

To prepare for the next module

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-CL1, and 20412A-LON-CL2.


Module 4: Implementing Network Load Balancing

Lab: Implementing Network Load Balancing

Exercise 1: Implementing an NLB Cluster

Task 1: Verify website functionality for standalone servers

1. On LON-SVR1, on the taskbar, click the Windows Explorer icon.
2. Navigate to the folder c:\inetpub\wwwroot.
3. Double-click the file iis-8.png. This will open the file in Microsoft Paint.
4. Ensure that the Paint Brush tool is selected, and then in the palette, click the color Red.
5. Use the mouse to mark the IIS logo distinctively, using the color red.
6. Save the changes that you made to iis-8.png, and then close Microsoft Paint.
7. Close Windows Explorer.
8. Switch to LON-DC1.
9. Click to the Start screen.
10. Click the Internet Explorer icon.
11. In the Internet Explorer address bar, type the address http://LON-SVR1, and then press Enter. Verify that the web page displays the IIS logo with the distinctive red mark that you added.
12. In the Internet Explorer address bar, type the address http://LON-SVR2, and then press Enter. Verify that the web page does not display the marked IIS logo.
13. Close Internet Explorer.

Task 2: Install the Windows Network Load Balancing feature

1. Switch to LON-SVR1.
2. In the Server Manager console, click the Tools menu, and then click Windows PowerShell ISE.
3. In the blue Windows PowerShell ISE window, type the following command, and then press Enter:

Invoke-Command -ComputerName LON-SVR1,LON-SVR2 -ScriptBlock {Install-WindowsFeature NLB,RSAT-NLB}

Task 3: Create a new Windows Server 2012 NLB cluster

1. On LON-SVR1, in the Windows PowerShell ISE window, type the following command, and then press Enter:

New-NlbCluster -InterfaceName "Local Area Connection" -OperationMode Multicast -ClusterPrimaryIP 172.16.0.42 -ClusterName LON-NLB

2. In the Windows PowerShell ISE window, type the following command, and then press Enter:

Invoke-Command -ComputerName LON-DC1 -ScriptBlock {Add-DnsServerResourceRecordA -ZoneName adatum.com -Name LON-NLB -IPv4Address 172.16.0.42}


Task 4: Add a second host to the cluster

On LON-SVR1, in the Windows PowerShell ISE window, type the following command, and then press Enter:

Add-NlbClusterNode -InterfaceName "Local Area Connection" -NewNodeName "LON-SVR2" -NewNodeInterface "Local Area Connection"

Task 5: Validate the NLB cluster

1. On LON-SVR1, in the Server Manager console, click the Tools menu, and then click Network Load Balancing Manager.
2. In the Network Load Balancing Manager, verify that nodes LON-SVR1 and LON-SVR2 display with the status of Converged for the LON-NLB cluster.
3. Right-click the LON-NLB cluster, and then click Cluster properties.
4. On the Cluster Parameters tab, verify that the cluster is set to use the Multicast operations mode.
5. On the Port Rules tab, verify that there is a single port rule named All that starts at port 0 and ends at port 65535 for both TCP and UDP protocols, and that it uses Single affinity.
6. Click OK to close the Cluster Properties dialog box.

Results: After this exercise, you should have successfully implemented an NLB cluster.


Exercise 2: Configuring and Managing the NLB Cluster

Task 1: Configure port rules and affinity

1. On LON-SVR2, on the taskbar, click the Windows PowerShell icon.
2. In Windows PowerShell, type each of the following commands, pressing Enter after each command:

Cmd.exe
Mkdir c:\porttest
Xcopy /s c:\inetpub\wwwroot c:\porttest
Exit
New-Website -Name PortTest -PhysicalPath C:\porttest -Port 5678
New-NetFirewallRule -DisplayName PortTest -Protocol TCP -LocalPort 5678

3. On the taskbar, click the Windows Explorer icon.
4. Click drive C, double-click the porttest folder, and then double-click iis-8.png. This will open Microsoft Paint.
5. Select the color blue from the palette.
6. Use the blue paintbrush to mark the IIS logo in a distinctive manner.
7. Save the changes to iis-8.png, and then close Microsoft Paint.
8. Switch to LON-DC1.
9. Click to the Start screen.
10. On the Start screen, click the Internet Explorer icon.
11. In the Internet Explorer address bar, type http://LON-SVR2:5678, and then press Enter.
12. Verify that the IIS Start page with the IIS logo distinctively marked with blue displays in Internet Explorer.
13. Switch to LON-SVR1.
14. On LON-SVR1, switch to Network Load Balancing Manager.
15. In the Network Load Balancing Manager, right-click LON-NLB, and then click Cluster Properties.
16. In the Cluster Properties dialog box, on the Port Rules tab, select the All port rule, and then click Remove.
17. On the Port Rules tab, click Add.
18. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
   o Port range: 80 to 80
   o Protocols: Both
   o Filtering mode: Multiple Host
   o Affinity: None
19. Click OK.
20. On the Port Rules tab, click Add.
21. In the Add/Edit Port Rule dialog box, enter the following information, and then click OK:
   o Port range: 5678 to 5678
   o Protocols: Both
   o Filtering mode: Single Host


22. Click OK to close the Cluster Properties dialog box.
23. In the Network Load Balancing Manager, right-click LON-SVR1, and then click Host Properties.
24. On the Port Rules tab, click the port rule that has 5678 as the Start and End value, and then click Edit.
25. Click the Handling priority value, and change it to 10.
26. Click OK twice to close both the Add/Edit Port Rule dialog box and the Host Properties dialog box.

Task 2: Validate port rules

1. Switch to LON-DC1.
2. Switch to the Start screen.
3. On the Start screen, click the Internet Explorer icon.
4. In the Internet Explorer address bar, type http://lon-nlb, and then press Enter.
5. Click the Refresh icon 20 times. Verify that you see web pages with and without the distinctive red marking.
6. On LON-DC1, verify that you have Internet Explorer open.
7. In the address bar, type the address http://LON-NLB:5678, and then press Enter.
8. In the address bar, click the Refresh icon 20 times. Verify that you are able to view only the web page with the distinctive blue marking.

Task 3: Manage host availability in the NLB cluster

1. Switch to LON-SVR1.
2. Select the Network Load Balancing Manager.
3. Right-click LON-SVR1, click Control Host, and then click Suspend.
4. Click the LON-NLB node. Verify that node LON-SVR1 displays as Suspended, and that node LON-SVR2 displays as Converged.
5. Right-click LON-SVR1, click Control Host, and then click Resume.
6. Right-click LON-SVR1, click Control Host, and then click Start.
7. Click the LON-NLB node. Verify that both nodes LON-SVR1 and LON-SVR2 now display as Converged. You may have to refresh the view.

Results: After this exercise, you should have successfully configured and managed an NLB cluster.

Exercise 3: Validating High Availability for the NLB Cluster

Task 1: Validate website availability when the host is unavailable

1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. Type the following command, and then press Enter:

Shutdown /r /t 5

3. Switch to LON-DC1.
4. On LON-DC1, open Internet Explorer.
5. In the Internet Explorer address bar, type the address http://LON-NLB, and then press Enter.


6. Refresh the website 20 times. Verify that the website is available while LON-SVR1 reboots, but that it does not display the distinctive red mark on the IIS logo until LON-SVR1 has completed the reboot cycle.

Task 2: Configure and validate Drainstop

1. Log on to LON-SVR1 with the username Adatum\Administrator and the password Pa$$w0rd.
2. In Server Manager, click the Tools menu, and then click Network Load Balancing Manager.
3. In the Network Load Balancing Manager console, right-click LON-SVR2, click Control Host, and then click Drainstop.
4. Switch to LON-DC1.
5. In Internet Explorer, in the address bar, type http://lon-nlb, and then press Enter.
6. Refresh the site 20 times, and verify that only the welcome page with the red IIS logo displays.
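As an added example (not part of the course lab), the "refresh 20 times" checks in Exercise 2, Task 2 and in the Drainstop task above can be scripted from LON-DC1: the script requests the IIS logo through the cluster name and counts how many distinct copies of the image come back, which tells you how many nodes are actually answering. It assumes the cluster name and ports from the lab and that each node serves its own differently marked iis-8.png, as set up in Exercise 1 and Exercise 2.

```powershell
# Added example, not from the course lab: probe an NLB cluster name repeatedly and count
# distinct response bodies. Two distinct hashes on port 80 means both nodes are serving
# (Multiple Host, no affinity); one hash means a single node is answering (Single Host
# rule, a drainstopped node, or a node that is rebooting). Assumes Windows PowerShell 3.0.

function Measure-NlbDistribution {
    param(
        [string]$Url = 'http://LON-NLB/iis-8.png',
        [int]$Requests = 20
    )
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $hits   = @{}    # short content hash -> number of responses with that body
    $failed = 0
    for ($i = 0; $i -lt $Requests; $i++) {
        try {
            # -UseBasicParsing avoids the Internet Explorer parsing engine; for an image the
            # Content property is a byte array, for a text page it is a string.
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
            if ($resp.Content -is [string]) {
                $bytes = [System.Text.Encoding]::UTF8.GetBytes($resp.Content)
            } else {
                $bytes = [byte[]]$resp.Content
            }
            $hash = [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '').Substring(0, 12)
            if ($hits.ContainsKey($hash)) { $hits[$hash]++ } else { $hits[$hash] = 1 }
        } catch {
            # A failed request while a node reboots or is drainstopped is itself a data point.
            $failed++
        }
    }
    [pscustomobject]@{
        Url             = $Url
        Requests        = $Requests
        Failed          = $failed
        DistinctContent = $hits.Count
        HitsPerVersion  = $hits
    }
}

# Exercise 2, Task 2: port 80 is Multiple Host with no affinity, so the lab expects both
# logo versions (DistinctContent = 2); port 5678 is Single Host, so only one version.
Measure-NlbDistribution -Url 'http://LON-NLB/iis-8.png'
Measure-NlbDistribution -Url 'http://LON-NLB:5678/iis-8.png'

# Exercise 3, Task 2: after Drainstop on LON-SVR2, port 80 should again return one version,
# the red-marked copy from LON-SVR1, with no failed requests.
Measure-NlbDistribution -Url 'http://LON-NLB/iis-8.png'
```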

Results: After this exercise, you should have successfully validated high availability for the NLB cluster.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1 and 20412A-LON-SVR2.


Module 5: Implementing Failover Clustering

Lab: Implementing Failover Clustering


Exercise 1: Configuring a Failover Cluster
Task 1: Connect cluster nodes to the iSCSI targets
1. On LON-SVR3, in Server Manager, click Tools, and then click iSCSI Initiator.
2. In the Microsoft iSCSI dialog box, click Yes.
3. Click the Discovery tab.
4. Click Discover Portal.
5. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
6. Click the Targets tab.
7. Click Refresh.
8. In the Targets list, select iqn.1991-05.com.microsoft:LON-SVR1-target1-target, and then click Connect.
9. Select Add this connection to the list of Favorite Targets, and then click OK two times.
10. On LON-SVR4, in Server Manager, click Tools, and then click iSCSI Initiator.
11. In the Microsoft iSCSI dialog box, click Yes.
12. Click the Discovery tab.
13. Click Discover Portal.
14. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
15. Click the Targets tab.
16. Click Refresh.
17. In the Targets list, select iqn.1991-05.com.microsoft:LON-SVR1-target1-target, and then click Connect.
18. Select Add this connection to the list of Favorite Targets, and then click OK two times.
19. On LON-SVR3, in Server Manager, click Tools, and then click Computer Management.
20. Expand Storage, and then click Disk Management.
21. Right-click Disk 1, and then click Online.
22. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
23. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
24. On the Welcome page, click Next.
25. On the Specify Volume Size page, click Next.
26. On the Assign Drive Letter or Path page, click Next.
27. On the Format Partition page, in the Volume Label box, type Data. Select the Perform a quick format check box, and then click Next.
28. Click Finish. (Note: If the Microsoft Windows window pops up with a prompt to format the disk, click Cancel.)


29. Repeat steps 21 through 28 for Disk 2 and Disk 3. (Note: Use Data2 and Data3 for the volume labels.)
30. Close the Computer Management window.
31. On LON-SVR4, in Server Manager, click Tools, and then click Computer Management.
32. Expand Storage, and then click Disk Management.
33. Right-click Disk Management, and then click Refresh.
34. Right-click Disk 1, and then click Online.
35. Right-click Disk 2, and then click Online.
36. Right-click Disk 3, and then click Online.
37. Close the Computer Management window.

Task 2: Install the failover clustering feature


1. On LON-SVR3, in Server Manager, click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, in the Features list, click Failover Clustering. In the Add features that are required for Failover Clustering? window, click Add Features. Click Next.
7. On the Confirm installation selections page, click Install.
8. When installation is complete, click Close.
9. Repeat steps 1 through 8 on LON-SVR4.

Task 3: Validate the servers for failover clustering


1. On LON-SVR3, in Server Manager, click Tools, and then click Failover Cluster Manager.
2. In the Actions pane of the Failover Cluster Manager, click Validate Configuration.
3. In the Validate a Configuration Wizard, click Next.
4. In the Enter Name box, type LON-SVR3, and then click Add.
5. In the Enter Name box, type LON-SVR4.
6. Click Add, and then click Next.
7. Verify that Run all tests (recommended) is selected, and then click Next.
8. On the Confirmation page, click Next.
9. Wait for the validation tests to finish (it might take up to 5 minutes), and then on the Summary page, click View Report.
10. Verify that all tests completed without errors. Some warnings are expected.
11. Close Internet Explorer.
12. On the Summary page, remove the check mark next to Create the cluster now using the validated nodes, and then click Finish.


Task 4: Create the failover cluster


1. On LON-SVR3, in Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
2. In the Create Cluster Wizard, on the Before You Begin page, read the information.
3. Click Next, in the Enter server name box, type LON-SVR3, and then click Add.
4. Type LON-SVR4, and then click Add.
5. Verify the entries, and then click Next.
6. In Access Point for Administering the Cluster, in the Cluster Name box, type Cluster1. Under Address, type 172.16.0.125, and then click Next.
7. In the Confirmation dialog box, verify the information, and then click Next.
8. On the Summary page, click Finish to return to the Failover Cluster Manager.

Task 5: Configure Cluster Shared Volumes


1. On LON-SVR3, in the Failover Cluster Manager console, expand cluster1.Adatum.com, expand Storage, and then click Disk.
2. In the right pane, locate a disk that is assigned to Available Storage (you can see this in the Assigned To column). Right-click that disk, and then select the Add to Cluster Shared Volumes option. (If possible, use Cluster Disk 2.)
3. Make sure that the disk is assigned to Cluster Shared Volume.

Results: After this exercise, you will have installed and configured the failover clustering feature.
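The five tasks of this exercise map onto a short script. The following is an added example, not code from the lab guide: it runs on LON-SVR3 as Adatum\Administrator, reuses the lab's values (portal 172.16.0.21, the target IQN, Cluster1 at 172.16.0.125) and assumes WinRM to LON-SVR4 is enabled, which is the Windows Server 2012 default.

```powershell
# Added example (not part of the lab guide). Exercise 1, Tasks 1 to 5, from LON-SVR3.
$nodes  = 'LON-SVR3', 'LON-SVR4'
$portal = '172.16.0.21'
$iqn    = 'iqn.1991-05.com.microsoft:LON-SVR1-target1-target'

# Task 1: connect both nodes to the target. -IsPersistent is the "Favorite
# Targets" check box: the session is re-established after a reboot, which a
# cluster disk resource depends on.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Set-Service MSiSCSI -StartupType Automatic
    Start-Service MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $using:portal | Out-Null
    Connect-IscsiTarget -NodeAddress $using:iqn -IsPersistent $true | Out-Null
}

# Task 1, continued: initialise and format the raw iSCSI LUNs from ONE node only
# (LON-SVR3). Never format shared LUNs from both nodes; the second node just
# brings them online, which is what steps 31 to 37 of the lab do.
$n = 1
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
    Sort-Object Number | ForEach-Object {
        Set-Disk -Number $_.Number -IsOffline $false
        Set-Disk -Number $_.Number -IsReadOnly $false
        Initialize-Disk -Number $_.Number -PartitionStyle MBR
        $label = if ($n -eq 1) { 'Data' } else { "Data$n" }     # Data, Data2, Data3
        New-Partition -DiskNumber $_.Number -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $label -Confirm:$false | Out-Null
        $n++
    }
Invoke-Command -ComputerName LON-SVR4 -ScriptBlock {
    Update-HostStorageCache                                      # the "Refresh" in Disk Management
    Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } | Set-Disk -IsOffline $false
}

# Task 2: the feature on both nodes
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature Failover-Clustering -IncludeManagementTools
}

# Task 3: run every validation test. Warnings are normal in the lab, errors are
# not, so read the report before creating the cluster.
$report = Test-Cluster -Node $nodes
Invoke-Item $report.FullName

# Task 4: create the cluster. Eligible storage is added automatically and the
# smallest disk becomes the witness, which gives the Node and Disk Majority
# quorum that Exercise 2 expects.
New-Cluster -Name Cluster1 -Node $nodes -StaticAddress 172.16.0.125

# Task 5: turn a disk that is still in Available Storage into a CSV (prefer Cluster Disk 2)
$avail = Get-ClusterResource -Cluster Cluster1 | Where-Object {
    $_.ResourceType.Name -eq 'Physical Disk' -and $_.OwnerGroup.Name -eq 'Available Storage' }
$pick = if ($avail.Name -contains 'Cluster Disk 2') { 'Cluster Disk 2' } else { @($avail)[0].Name }
Add-ClusterSharedVolume -Cluster Cluster1 -Name $pick
Get-ClusterSharedVolume -Cluster Cluster1       # the chosen disk should now be listed
```

Test-Cluster returns the path of the HTML report; Invoke-Item opens it just as View Report does in the wizard. Keeping validation as a separate step, rather than letting New-Cluster run it implicitly, leaves a report you can file with the change record.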

Exercise 2: Deploying and Configuring a Highly Available File Server


Task 1: Add the File Server application to the failover cluster
1. On LON-SVR3, in Server Manager, click Dashboard, and then click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, expand File and Storage Services (Installed), expand File and iSCSI Services, and then select File Server.
6. Click Next two times.
7. On the Confirmation page, click Install.
8. When the installation succeeded message appears, click Close.
9. Repeat steps 1-8 on LON-SVR4.
10. On LON-SVR3, open the Failover Cluster Manager, and then expand Cluster1.Adatum.com.
11. Right-click Roles, and then click Configure Role.
12. On the Before You Begin page, click Next.
13. On the Select Role page, select File Server, and then click Next.
14. On the File Server Type page, click Scale-Out File Server for application data, and then click Next.


15. On the Client Access Point page, in the Client Access Name box, type AdatumFS, and then click Next.
16. On the Confirmation page, click Next.
17. On the Summary page, click Finish.

Task 2: Add a shared folder to a highly available file server


1. On LON-SVR3, in the Failover Cluster Manager, click Roles, right-click AdatumFS, and then click Add File Share.
2. In the New Share Wizard, on the Select the profile for this share page, click SMB Share Quick, and then click Next.
3. On the Select the server and the path for this share page, click Select by volume, and then click Next.
4. On the Specify share name page, in the Share name box, type Data, and then click Next.
5. On the Configure share settings page, verify that Enable continuous availability is selected, and then click Next.
6. On the Specify permissions to control access page, click Next.
7. On the Confirmation page, click Create.
8. On the View results page, click Close.

Task 3: Configure failover and failback settings


1. On LON-SVR3, in the Failover Cluster Manager, click Roles, right-click AdatumFS, and then click Properties.
2. Click the Failover tab, and then click Allow failback.
3. Click Failback between, and set the values to 4 and 5 hours.
4. Click the General tab.
5. Select both LON-SVR3 and LON-SVR4 as preferred owners.
6. Move LON-SVR4 up.
7. Click OK.

Task 4: Validate cluster quorum settings


1. Open the Failover Cluster Manager console.
2. In the Failover Cluster Manager console, click Cluster1.Adatum.com.
3. In the central pane, review the value for Quorum Configuration. It should be set to Node and Disk Majority.

Results: After this exercise, you will have deployed and configured a highly available file server.
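The same four tasks expressed with the FailoverClusters and SmbShare modules, as an added example that is not code from the lab guide. It runs on LON-SVR3, assumes Cluster1 and the CSV from Exercise 1 (mounted at C:\ClusterStorage\Volume1), and the Shares\Data folder beneath it is my choice of path where the lab lets the wizard pick one.

```powershell
# Added example (not part of the lab guide). Exercise 2, Tasks 1 to 4, from LON-SVR3.
$nodes = 'LON-SVR3', 'LON-SVR4'

# Task 1: File Server role service on both nodes, then the Scale-Out File Server
# clustered role with the client access name AdatumFS
Invoke-Command -ComputerName $nodes -ScriptBlock { Install-WindowsFeature FS-FileServer }
Add-ClusterScaleOutFileServerRole -Cluster Cluster1 -Name AdatumFS

# Task 2: a continuously available share. Two things must both hold for SMB
# Transparent Failover to work: the CA flag is set AND the path is on cluster
# storage (a CSV here). Scoping the share to the role's name publishes it as
# \\AdatumFS\Data rather than under a node name, so clients never follow a node.
$path = 'C:\ClusterStorage\Volume1\Shares\Data'      # assumed path, my choice
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name Data -Path $path -ScopeName AdatumFS -ContinuouslyAvailable $true
Get-SmbShare -Name Data -ScopeName AdatumFS |
    Format-List Name, Path, ScopeName, ContinuouslyAvailable

# Task 3: allow failback, but only between 04:00 and 05:00, and prefer LON-SVR4.
# A restricted failback window stops a flapping node from bouncing the role
# back and forth during business hours.
$group = Get-ClusterGroup -Cluster Cluster1 -Name AdatumFS
$group | Set-ClusterOwnerNode -Owners LON-SVR4, LON-SVR3   # list order is the preference order
$group.AutoFailbackType    = 1      # 1 = allow failback, 0 = prevent failback
$group.FailbackWindowStart = 4      # hour of day (0-23) the window opens
$group.FailbackWindowEnd   = 5      # hour of day the window closes
Get-ClusterOwnerNode -Cluster Cluster1 -Group AdatumFS

# Task 4: two nodes plus a disk witness give NodeAndDiskMajority
Get-ClusterQuorum -Cluster Cluster1 | Format-List QuorumType, QuorumResource
```

The property names on the group object (AutoFailbackType, FailbackWindowStart, FailbackWindowEnd) are the same values the Failover tab of the role's Properties dialog writes, so the result can be cross-checked in Failover Cluster Manager.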

Exercise 3: Validating the Deployment of the Highly Available File Server


Task 1: Validate the highly available file server deployment
1. On LON-DC1, open Windows Explorer, and in the Address bar, type \\AdatumFS\, and then press Enter.


2. Verify that you can access the location and that you can open the Data folder.
3. Create a test text document inside this folder.
4. On LON-SVR3, open the Failover Cluster Manager. Expand Cluster1.adatum.com, and then click Roles. Note the current owner of AdatumFS.
Note: You can view the owner in the Owner node column. It will be either LON-SVR3 or LON-SVR4.
5. Right-click AdatumFS, click Move, and then click Select Node.
6. In the Move Clustered Role dialog box, click OK.
7. Verify that AdatumFS has moved to a new owner.
8. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.

Task 2: Validate the failover and quorum configuration for the file server role
1. On LON-SVR3, in the Failover Cluster Manager, click Roles.
2. Verify the current owner for the AdatumFS role.
Note: You can view the owner in the Owner node column, which will be either LON-SVR3 or LON-SVR4.
3. Expand Nodes, and then select the node that is the current owner of the AdatumFS role.
4. Right-click the node, click More Actions, and then click Stop Cluster Service.
5. In the Stop Cluster Service dialog box, click Yes.
6. Verify that AdatumFS has moved to another node. To do this, click the other node, and verify that AdatumFS is running.
7. Switch to the LON-DC1 computer and verify that you can still access the \\AdatumFS\ location.
8. Switch to the LON-SVR3 computer. In the Failover Cluster Manager, right-click the stopped node, click More Actions, and then click Start Cluster Service. Expand Storage, and then click Disks. In the center pane, right-click the disk that is assigned to Disk Witness in.
Note: You can view this in the Assigned to column.
9. Click Take Offline, and then click Yes.
10. Switch to LON-DC1, and verify that you can still access the \\AdatumFS\ location. By doing this, you verify that the cluster is still running, even if the witness disk is offline.
11. Switch to LON-SVR3, and in the Failover Cluster Manager console, click Storage, right-click the disk that is in Offline status, and then click Bring Online.

Results: After this exercise, you will have tested the failover and failback scenarios.
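Both validation tasks can be scripted so that the share is actually exercised after each event rather than only browsed. The following is an added example, not code from the lab guide: it assumes Cluster1 and the AdatumFS role from Exercise 2 and is meant to run on LON-DC1 (the client in the lab, with the failover clustering management tools installed) so that the share check really crosses the network instead of hitting a local node.

```powershell
# Added example (not part of the lab guide). Exercise 3, Tasks 1 and 2, from LON-DC1.
Import-Module FailoverClusters

function Test-SharePath {
    param([string]$Path = '\\AdatumFS\Data')
    # Write, read back and delete a marker file. This proves the share is usable
    # through a failover, not merely listed from a cached SMB session.
    $file = Join-Path $Path ("probe-{0:yyyyMMddHHmmssfff}.txt" -f (Get-Date))
    try {
        Set-Content -Path $file -Value 'ok'
        $result = (Get-Content -Path $file) -eq 'ok'
        Remove-Item -Path $file -ErrorAction SilentlyContinue
        return $result
    } catch {
        return $false
    }
}

function Get-RoleOwner {
    (Get-ClusterGroup -Cluster Cluster1 -Name AdatumFS).OwnerNode.Name
}

# Task 1: planned move of the role to the other node
$owner = Get-RoleOwner
$other = (Get-ClusterNode -Cluster Cluster1 | Where-Object { $_.Name -ne $owner }).Name
Move-ClusterGroup -Cluster Cluster1 -Name AdatumFS -Node $other | Out-Null
"Moved {0} -> {1}; share usable: {2}" -f $owner, (Get-RoleOwner), (Test-SharePath)

# Task 2: unplanned failover, stop the cluster service on whichever node owns the role
$owner = Get-RoleOwner
Stop-ClusterNode -Cluster Cluster1 -Name $owner
Start-Sleep -Seconds 15                         # let the role come online on the survivor
"Node {0} stopped; owner now {1}; share usable: {2}" -f $owner, (Get-RoleOwner), (Test-SharePath)
Start-ClusterNode -Cluster Cluster1 -Name $owner

# Task 2, continued: lose the witness disk. Two voting nodes are still a
# majority of three votes, so the cluster, and with it the share, stays up.
$witness = (Get-ClusterQuorum -Cluster Cluster1).QuorumResource
$witness | Stop-ClusterResource | Out-Null
"Witness {0} offline; share usable: {1}" -f $witness.Name, (Test-SharePath)
$witness | Start-ClusterResource | Out-Null
```

Each line of output records who owned the role and whether a write succeeded at that moment, which is the evidence a resilience test should leave behind; a `False` after the node stop would point at the role's possible-owner list or at the share not being on cluster storage.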


Exercise 4: Configuring Cluster-Aware Updating on the Failover Cluster


Task 1: Configure Cluster-Aware Updating
1. On LON-DC1, in Server Manager, click Add roles and features.
2. In the Add roles and features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, make sure that Select server from the server pool is selected, and then click Next.
5. On the Select server roles page, click Next.
6. On the Select features page, in the list of features, click Failover Clustering. In the Add features that are required for Failover Clustering? dialog box, click Add Features. Click Next.
7. On the Confirm installation selections page, click Install.
8. When installation is complete, click Close.
9. On LON-DC1, in the Server Manager dashboard, click Tools, and then click Cluster-Aware Updating.
10. In the Cluster-Aware Updating window, in the Connect to a failover cluster drop-down list, select Cluster1. Click Connect.
11. In the Cluster Actions pane, click Preview updates for this cluster.
12. In the Cluster1-Preview Updates window, click Generate Update Preview List. After several minutes, updates will be shown in the list. Review the updates, and then click Close.
Note: An Internet connection is required for this step to complete successfully. Make sure that the MSL-TMG1 server is up and running and that you can access the Internet from LON-DC1.

Task 2: Update the failover cluster and configure self-updating


1. On LON-DC1, in the Cluster-Aware Updating console, click Apply updates to this cluster.
2. On the Getting Started page, click Next.
3. On the Advanced options page, review the options for updating, and then click Next.
4. On the Additional Update Options page, click Next.
5. On the Confirmation page, click Update, and then click Close.
6. In the Cluster nodes pane, you can review the progress of updating.
Note: Remember that one node of the cluster is in the Waiting state while the other node is restarting after it is updated.
7. Wait until the process is finished. The process is finished when both nodes show Succeeded in the Last Run status column.
Note: This may require a restart of both nodes.
8. Log on to LON-SVR3 with the username Adatum\Administrator and the password Pa$$w0rd.


9. On LON-SVR3, in Server Manager, click Tools, and then click Cluster-Aware Updating.

10. In the Cluster-Aware Updating dialog box, in the Connect to a failover cluster drop-down list, select Cluster1. Click Connect.
11. In the Cluster Actions pane, click Configure cluster self-updating options.
12. On the Getting Started page, click Next.
13. On the Add CAU Clustered Role with Self-Updating Enabled page, click Add the CAU clustered role, with self-updating mode enabled, to this cluster, and then click Next.
14. On the Specify self-updating schedule page, click Weekly, in the Time of day box, select 4:00 AM, and then in the Day of the week box, select Sunday. Click Next.
15. On the Advanced Options page, click Next.
16. On the Additional Update Options page, click Next.
17. On the Confirmation page, click Apply.
18. After the clustered role is added successfully, click Close.

Results: After this exercise, you will have configured Cluster-Aware Updating on the Failover Cluster.
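The scan, the one-off updating run and the self-updating schedule of this exercise are all exposed by the ClusterAwareUpdating module. The following is an added example, not code from the lab guide: it runs on LON-DC1, assumes Cluster1 from the earlier exercises and an update source the nodes can reach, as the lab note requires. The 4:00 AM schedule is passed as the time component of -StartDate, which is how I read the cmdlet; confirm the resulting schedule with Get-CauClusterRole.

```powershell
# Added example (not part of the lab guide). Exercise 4, Tasks 1 and 2, from LON-DC1.
Install-WindowsFeature Failover-Clustering -IncludeManagementTools   # brings the CAU tools

# Task 1: preview only. Nothing is installed; this is the "Generate Update
# Preview List" button and is what to run before a change window is booked.
Invoke-CauScan -ClusterName Cluster1

# Task 2: one updating run now. Each node is drained (its roles moved off),
# patched, rebooted and brought back before the next node starts, so AdatumFS
# keeps running on the other node throughout. -MaxFailedNodes 0 aborts the run
# on the first failure instead of carrying on and risking the last healthy node.
Invoke-CauRun -ClusterName Cluster1 -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -EnableFirewallRules -Force -Wait
Get-CauReport -ClusterName Cluster1 -Last -Detailed    # both nodes should show Succeeded

# Task 2, continued: self-updating mode adds a CAU clustered role that repeats
# the same procedure on a schedule, here every Sunday at 04:00 (assumed to be
# taken from the time part of -StartDate).
Add-CauClusterRole -ClusterName Cluster1 -DaysOfWeek Sunday -IntervalWeeks 1 `
    -StartDate ((Get-Date).Date.AddHours(4)) `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -EnableFirewallRules -Force
Get-CauClusterRole -ClusterName Cluster1
```

-EnableFirewallRules opens only the Remote Shutdown rule group that CAU needs to restart nodes; review the resulting inbound rules on each node afterwards, since they stay enabled between runs.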

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-LON-SVR3, 20412A-LON-SVR4 and MSL-TMG1.


Module 6: Implementing Failover Clustering with Hyper-V

Lab: Implementing Failover Clustering with Hyper-V


Exercise 1: Configuring Hyper-V Replicas
Task 1: Boot the physical host machines from VHD
1. Restart the classroom computer, and in the Windows Boot Manager, select either 20412A-LON-HOST1 or 20412A-LON-HOST2.
Note: If you start LON-HOST1, your partner must start LON-HOST2.
2. Log on to the server as Adatum\Administrator with the password Pa$$w0rd.
3. On LON-HOST1, from Server Manager, click Tools, and then click Hyper-V Manager.
4. Ensure that virtual machine 20412A-LON-DC1 is running.
5. Repeat steps 3 and 4 on LON-HOST2, and ensure that virtual machine 20412A-LON-SVR1 is running.


Task 2: Import the LON-CORE virtual machine on LON-HOST1


1. On LON-HOST1, open the Hyper-V Manager console.
2. In the Actions pane, click Import Virtual Machine.
3. In the Import Virtual Machine Wizard, on the Before You Begin page, click Next.
4. On the Locate Folder page, click Browse.
5. Browse to the folder E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE, click Select Folder, and then click Next.
Note: The drive letter may differ based on the number of drives on the physical host machine.
6. On the Select Virtual Machine page, click 20412A-LON-CORE, and then click Next.
7. On the Choose Import Type page, click Next.
8. On the Summary page, click Finish.

Task 3: Configure a replica on both host machines


1. On LON-HOST2, open the Microsoft Hyper-V Manager console.
2. In Hyper-V Manager, right-click LON-HOST2, and then click Hyper-V Settings.
3. In Hyper-V Settings for LON-HOST2, click Replication Configuration.
4. In the Replication Configuration pane, click Enable this computer as a Replica server.
5. In the Authentication and ports section, select Use Kerberos (HTTP).
6. In the Authorization and storage section, click Allow replication from any authenticated server, and then click Browse.


7. Click Computer, double-click Local Disk (E), click New folder, in the Name text box, type VMReplica, and then press Enter.
8. Select the E:\VMReplica\ folder, and then click Select Folder.
9. In Hyper-V Settings for LON-HOST2, click OK.
10. In the Settings dialog box, read the notice, and then click OK.
11. Point to the lower left-hand corner of the desktop, and then click Settings.
12. Click Control Panel, click System and Security, and then click Windows Firewall.
13. Click Advanced settings.
14. In Windows Firewall with Advanced Security, click Inbound Rules.
15. In the right pane, in the rule list, find the rule named Hyper-V Replica HTTP Listener (TCP-In). Right-click the rule, and then click Enable Rule.
16. Close the Windows Firewall with Advanced Security console, and then close Windows Firewall.
17. Repeat steps 1-16 on LON-HOST1.

Task 4: Configure replication for the LON-CORE virtual machine


1. On LON-HOST1, open Hyper-V Manager, click LON-HOST1, right-click 20412A-LON-CORE, and then click Enable Replication.
2. On the Before You Begin page, click Next.
3. On the Specify Replica Server page, click Browse.
4. In the Select Computer window, type LON-HOST2, click Check Names, click OK, and then click Next.
5. On the Specify Connection Parameters page, review the settings, ensure that Use Kerberos authentication (HTTP) is selected, and then click Next.
6. On the Choose Replication VHDs page, ensure that 20412A-LON-CORE.vhd is selected, and then click Next.
7. On the Configure Recovery History page, select Only the latest recovery point, and then click Next.
8. On the Choose Initial Replication Method page, click Send initial copy over the network, select Start replication immediately, and then click Next.
9. On the Completing the Enable Replication Wizard page, click Finish.
10. Wait 10-15 minutes. In the Hyper-V Manager console, you can monitor the progress of the initial replication in the Status column.
11. When replication completes, ensure that 20412A-LON-CORE appears on LON-HOST2 in Hyper-V Manager.

Task 5: Validate a planned failover to the replica site


1. On LON-HOST2, in Hyper-V Manager, right-click 20412A-LON-CORE, select Replication, and then click View Replication Health.
2. Review the content in the window that appears, ensure that there are no errors, and then click Close.
3. On LON-HOST1, open Hyper-V Manager, and verify that 20412A-LON-CORE is turned off.
4. Right-click 20412A-LON-CORE, select Replication, and then click Planned Failover.


5. In the Planned Failover window, ensure that Start the Replica virtual machine after failover is selected, and then click Fail Over.
6. In the Planned Failover window, click Close.
7. On LON-HOST2, in Hyper-V Manager, ensure that 20412A-LON-CORE is running.
8. On LON-HOST1, right-click 20412A-LON-CORE, point to Replication, and then click Remove replication.
9. In the Remove replication dialog box, click Remove Replication.
10. On LON-HOST2, right-click 20412A-LON-CORE, and then click Shut Down.
11. In the Shut Down Machine dialog box, click Shut Down.

Results: After completing this exercise, you will have configured a Hyper-V Replica.
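Tasks 3 to 5 of this exercise correspond to a handful of Hyper-V module cmdlets, and seeing them together makes the security-relevant settings (authentication type, listener port, which servers may replicate, the firewall rule) explicit. The following is an added example, not code from the lab guide: it uses the lab's names (20412A-LON-CORE, E:\VMReplica, LON-HOST1 as primary and LON-HOST2 as replica, Kerberos over HTTP) and marks which host each part runs on.

```powershell
# Added example (not part of the lab guide). Exercise 1, Tasks 3 to 5.

# --- Task 3, run on EACH host: accept replication from any authenticated server ---
# Kerberos over HTTP authenticates the hosts but does not encrypt the replica
# traffic; that is acceptable inside one domain on a trusted network, and the
# reason the other option is certificate-based HTTPS.
New-Item -ItemType Directory -Path E:\VMReplica -Force | Out-Null
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation E:\VMReplica
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
Get-VMReplicationServer          # confirm the listener, auth type and storage location

# --- Task 4, run on LON-HOST1: enable replication and send the initial copy ---
# -RecoveryHistory 0 is "Only the latest recovery point".
Enable-VMReplication -VMName 20412A-LON-CORE -ReplicaServerName LON-HOST2 `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -RecoveryHistory 0
Start-VMInitialReplication -VMName 20412A-LON-CORE
# Poll until the initial copy is done (the lab allows 10 to 15 minutes)
do {
    Start-Sleep -Seconds 30
    $m = Measure-VMReplication -VMName 20412A-LON-CORE
} while ($m.State -eq 'InitialReplicationInProgress')
$m | Format-List State, Health, ReplicaServer, LastReplicationTime

# --- Task 5: planned failover, primary side first, then the replica ---
# On LON-HOST1 (primary): the VM must be off, then send the last delta
Stop-VM -Name 20412A-LON-CORE
Start-VMFailover -VMName 20412A-LON-CORE -Prepare -Confirm:$false
# On LON-HOST2 (replica): complete the failover, swap roles and start the VM
Start-VMFailover -VMName 20412A-LON-CORE -Confirm:$false
Set-VMReplication -VMName 20412A-LON-CORE -Reverse
Start-VM -Name 20412A-LON-CORE
# Lab cleanup (steps 8 and 9): drop the replication relationship on both hosts
Remove-VMReplication -VMName 20412A-LON-CORE
```

Leaving -ReplicationAllowedFromAnyServer at $true matches the lab; in production, the alternative is an explicit authorization list per primary server, which limits who can push a VM image onto the replica host.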

Exercise 2: Configuring a Failover Cluster for Hyper-V


Task 1: Connect to the iSCSI target from both host machines
1. On LON-HOST1, from the taskbar, click the Server Manager icon to open Server Manager, click Tools, click iSCSI Initiator, and then at the Microsoft iSCSI prompt, click Yes.
2. Click the Discovery tab.
3. Click Discover Portal.
4. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
5. Click the Targets tab, and then click Refresh.
6. In the Targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click Connect.
7. Select Add this connection to the list of Favorite Targets, and then click OK twice.
8. On LON-HOST2, from the taskbar, click the Server Manager icon to open Server Manager, click Tools, and then click iSCSI Initiator.
9. In the Microsoft iSCSI dialog box, click Yes.
10. Click the Discovery tab, and then click Discover Portal.
11. In the IP address or DNS name box, type 172.16.0.21, and then click OK.
12. Click the Targets tab, and then click Refresh.
13. In the Discovered targets list, select iqn.1991-05.com.microsoft:lon-svr1-target1-target, and then click Connect.
14. Select Add this connection to the list of Favorite Targets, and then click OK twice.
15. On LON-HOST2, in Server Manager, click Tools, and then click Computer Management.
16. Expand Storage, click Disk Management, right-click Disk 2, and then click Online.
17. Right-click Disk 2 again, and then click Initialize Disk.
18. In the Initialize Disk dialog box, click OK.
19. Right-click the unallocated space next to Disk 2, and then click New Simple Volume.
20. On the Welcome page, click Next.


21. On the Specify Volume Size page, click Next.
22. On the Assign Drive Letter or Path page, click Next.
23. On the Format Partition page, in the Volume label box, type ClusterDisk, select the Perform a quick format check box, and then click Next.
24. Click Finish.
25. Repeat steps 17 through 24 for Disk 3 and Disk 4. In step 23, provide the name ClusterVMs for Disk 3, and the name Quorum for Disk 4.
26. On LON-HOST1, in Server Manager, click Tools, and then click Computer Management.
27. Expand Storage, and then click Disk Management.
28. Right-click Disk Management, and then click Refresh.
29. Right-click Disk 2, and then click Online.
30. Right-click Disk 3, and then click Online.
31. Right-click Disk 4, and then click Online.

Task 2: Configure failover clustering on both host machines


1. On LON-HOST1, on the taskbar, click the Server Manager icon to open Server Manager.
2. From the Dashboard, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, ensure that Select server from the server pool is selected, and then click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, in the Features list, click Failover Clustering.
8. At the Add features that are required for failover clustering prompt, click Add Features, and then click Next.
9. On the Confirm installation selections page, click Install.
10. When installation completes, click Close.
11. Repeat steps 1 through 10 on LON-HOST2.
12. On LON-HOST1, in Server Manager, click Tools, and then click Failover Cluster Manager.
13. In the Failover Cluster Manager, in the center pane, under Management, click Create Cluster.
14. In the Create Cluster Wizard, on the Before You Begin page, read the information, and then click Next.
15. On the Select Servers page, in the Enter server name box, type LON-HOST1, and then click Add.
16. In the Enter server name box, type LON-HOST2, and then click Add.
17. Verify the entries, and then click Next.
18. On the Validation Warning page, click No. I don't require support from Microsoft for this cluster, and then click Next.
19. On the Access Point for Administering the Cluster page, in the Cluster Name box, type VMCluster.
20. In the IP address name box, under Address, type 172.16.0.126, and then click Next.


21. In the Confirmation dialog box, verify the information, clear the Add all eligible storage to the cluster check box, and then click Next.
22. On the Summary page, click Finish.

Task 3: Configure disks for the failover cluster


1. On LON-HOST1, in the Failover Cluster Manager, expand VMCluster.Adatum.com, expand Storage, right-click Disks, and then click Add Disk.
2. In the Add Disks to a Cluster dialog box, verify that all disks are selected, and then click OK.
3. In the Failover Cluster Manager, verify that all disks appear available for cluster storage.
4. Select the ClusterVMs disk, right-click ClusterVMs, and then select Add to Cluster Shared Volumes.
5. Right-click VMCluster.adatum.com, select More Actions, click Configure Cluster Quorum Settings, and then click Next.
6. On the Select Quorum Configuration Option page, click Use typical settings, and then click Next.
7. On the Confirmation page, click Next.
8. On the Summary page, click Finish.

Results: After completing this exercise, you will have configured a failover cluster for Hyper-V.

Exercise 3: Configuring a Highly Available Virtual Machine


Task 1: Move virtual machine storage to the iSCSI target
1. In the Failover Cluster Manager, verify that LON-HOST1 is the owner of the ClusterVMs disk. If it is not, move the ClusterVMs disk to LON-HOST1.
2. On LON-HOST1, open a Windows Explorer window, and browse to E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks.
3. Move the 20412A-LON-CORE.vhd virtual hard drive file to the C:\ClusterStorage\Volume1 location.

Task 2: Configure the virtual machine as highly available


1. On LON-HOST1, in the Failover Cluster Manager, click Roles, and then in the Actions pane, click Virtual Machines.
2. Click New Virtual Machine.
3. Select LON-HOST1, and then click OK.
4. In the New Virtual Machine Wizard, click Next.
5. On the Specify Name and Location page, in the Name text box, type TestClusterVM, click Store the virtual machine in a different location, and then click Browse.
6. Browse to and select C:\ClusterStorage\Volume1, click Select Folder, and then click Next.
7. On the Assign Memory page, type 1536, and then click Next.
8. On the Configure Networking page, select External Network, and then click Next.
9. On the Connect Virtual Hard Disk page, click Use an existing virtual hard disk, and then click Browse.


10. Browse to C:\ClusterStorage\Volume1, click 20412A-LON-CORE.vhd, and then click Open.
11. Click Next, and then click Finish.
12. In the High Availability Wizard, on the Summary page, click Finish.
13. In Failover Cluster Manager, from the Roles node, right-click TestClusterVM, and then click Start.
14. Ensure that the machine starts successfully.

Task 3: Perform live migration for the virtual machine


1. On LON-HOST1, open the Failover Cluster Manager, expand VMCluster.Adatum.com, and then click Roles.
2. Right-click TestClusterVM, click Move, click Live Migration, and then click Select Node.
3. Click LON-HOST2, and then click OK.
4. Right-click TestClusterVM, and then click Connect.
5. Ensure that you can access and operate the virtual machine while it is migrating to another host.
6. Wait until the migration completes.

Task 4: Perform storage migration for the virtual machine


1. On LON-HOST2, open Hyper-V Manager.
2. In the central pane, click 20412A-LON-SVR1-B.
3. In the Actions pane, click Move.
4. On the Before You Begin page, click Next.
5. On the Choose Move Type page, click Move the virtual machine's storage, and then click Next.
6. On the Choose Options for Moving Storage page, click Move all of the virtual machine's data to a single location, and then click Next.
7. On the Choose a new location for virtual machine page, click Browse.
8. Browse to C:\, create a new folder called LON-SVR1, click Select Folder, and then click Next.
9. On the Summary page, click Finish. While the virtual machine is migrating, connect to it and verify that it is fully operational.
10. After the move process completes, click Close.
11. Shut down all running virtual machines.

Results: After completing this exercise, you will have configured a highly available virtual machine.
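The four tasks of this exercise (moving the VHD onto the CSV, creating the VM as a clustered role, live migration, and storage migration of a non-clustered VM) can be run from LON-HOST1 with the FailoverClusters and Hyper-V modules. The following is an added example, not code from the lab guide: it assumes VMCluster and its single CSV from Exercise 2 (mounted at C:\ClusterStorage\Volume1), the lab's VHD path, and a virtual switch named External Network.

```powershell
# Added example (not part of the lab guide). Exercise 3, Tasks 1 to 4, from LON-HOST1.
$csv = 'C:\ClusterStorage\Volume1'
$src = 'E:\Program Files\Microsoft Learning\20412\Drives\20412A-LON-CORE\Virtual Hard Disks\20412A-LON-CORE.vhd'

# Task 1: a CSV is visible on every node, but copy from the node that owns the
# CSV disk (the lab has exactly one CSV) so the write is not redirected I/O.
$csvRes = Get-ClusterSharedVolume -Cluster VMCluster | Select-Object -First 1
if ($csvRes.OwnerNode.Name -ne $env:COMPUTERNAME) {
    Move-ClusterSharedVolume -Cluster VMCluster -Name $csvRes.Name -Node $env:COMPUTERNAME | Out-Null
}
Move-Item -Path $src -Destination $csv

# Task 2: create the VM with its configuration and disk on the CSV, then make it
# a clustered role. Anything left on a local path would not fail over.
New-VM -Name TestClusterVM -MemoryStartupBytes 1536MB -Path $csv `
    -VHDPath (Join-Path $csv '20412A-LON-CORE.vhd') -SwitchName 'External Network'
Add-ClusterVirtualMachineRole -Cluster VMCluster -VMName TestClusterVM
Start-ClusterGroup -Cluster VMCluster -Name TestClusterVM
Get-ClusterGroup -Cluster VMCluster -Name TestClusterVM      # State should be Online

# Task 3: live migration to LON-HOST2; the guest stays running throughout
Move-ClusterVirtualMachineRole -Cluster VMCluster -Name TestClusterVM `
    -Node LON-HOST2 -MigrationType Live
(Get-ClusterGroup -Cluster VMCluster -Name TestClusterVM).OwnerNode   # now LON-HOST2

# Task 4: storage migration of the non-clustered 20412A-LON-SVR1-B on LON-HOST2.
# Only the files move; the VM keeps running on the same host.
Invoke-Command -ComputerName LON-HOST2 -ScriptBlock {
    New-Item -ItemType Directory -Path C:\LON-SVR1 -Force | Out-Null
    Move-VMStorage -VMName 20412A-LON-SVR1-B -DestinationStoragePath C:\LON-SVR1
    Get-VM -Name 20412A-LON-SVR1-B | Select-Object Name, State, Path
}
```

Live migration and storage migration are different operations: the first moves a running VM between cluster nodes over the cluster network, the second relocates a VM's files while it stays on one host, which is why the lab uses a non-clustered VM for Task 4.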

To prepare for the next module


1. Restart LON-HOST1.
2. When you are prompted with the boot menu, select Windows Server 2008 R2, and then press Enter.
3. Log on to the host machine as directed by your instructor.
4. Repeat steps 1-3 on LON-HOST2.


Module 7: Implementing Disaster Recovery

Lab: Implementing Windows Server Backup and Restore


Exercise 1: Backing Up Data on a Windows Server 2012 Server
Task 1: Install Windows Server Backup
1. Switch to LON-SVR1.
2. In Server Manager, in the Welcome pane, click Add roles and features.
3. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, click Next.
7. On the Select features page, select Windows Server Backup, and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Installation progress page, wait until the Installation succeeded on LON-SVR1.adatum.com message displays, and then click Close.

Task 2: Configure a scheduled backup


1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2. In the navigation pane, click Local Backup.
3. Click Backup Schedule.
4. In the Backup Schedule Wizard, on the Getting Started page, click Next.
5. On the Select Backup Configuration page, click Full server (recommended), and then click Next.
6. On the Specify Backup Time page, next to Select time of day, select 1:00 AM, and then click Next.
7. On the Specify Destination Type page, click Backup to a shared network folder, and then click Next. Review the warning, and then click OK.
8. On the Specify Remote Shared Folder page, in the Location text box, type \\LON-DC1\Backup, and then click Next.
9. In the Register Backup Schedule dialog box, in the Username text box, type Administrator, in the Password text box, type Pa$$w0rd, and then click OK.
10. Click Finish, and then click Close.

Task 3: Complete an on-demand backup


1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Server Backup.
2. In the Actions pane, click Backup Once.
3. In the Backup Once Wizard, on the Backup Options page, click Different options, and then click Next.
4. On the Select Backup Configuration page, click Custom, and then click Next.
5. On the Select Items for Backup page, click Add Items.


6. Expand Local disk (C:), select the Financial Data check box, click OK, and then click Next.
7. On the Specify Destination Type page, click Remote shared folder, and then click Next.
8. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
9. On the Confirmation page, click Backup.
10. On the Backup Progress page, after the backup is complete, click Close.

Results: After completing this exercise, you will have configured the Windows Server Backup feature, scheduled a backup task, and completed an on-demand backup.

Exercise 2: Restoring Files Using Windows Server Backup


Task 1: Delete a file from the server
1. On LON-SVR1, on the taskbar, click Windows Explorer.
2. In Windows Explorer, browse to Local Disk (C:), right-click Financial Data, and then click Delete.

Task 2: Restore a file from backup


1. In the Windows Server Backup console, in the Actions pane, click Recover.
2. On the Getting Started page, click A backup stored on another location, and then click Next.
3. On the Specify Location Type page, click Remote shared folder, and then click Next.
4. On the Specify Remote Folder page, type \\LON-DC1\Backup, and then click Next.
5. On the Select Backup Date page, click Next.
6. On the Select Recovery Type page, click Next.
7. On the Select Items to Recover page, expand LON-SVR1, click Local Disk (C:), and in the right pane, select Financial Data, and then click Next.
8. On the Specify Recovery Options page, under Another Location, type C:\, and then click Next.
9. On the Confirmation page, click Recover.
10. On the Recovery Progress page, click Close.
11. Open drive C:\, and ensure that the Financial Data folder is restored.

Results: After completing this exercise, you will have tested and validated the procedure for restoring a file from backup.
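The scheduled backup, the on-demand backup and the file restore from Exercises 1 and 2, scripted with the Windows Server Backup PowerShell module. This is an added example and not part of the course lab; it assumes the Windows Server Backup feature is installed on LON-SVR1 and that \\LON-DC1\Backup already exists and is writable by the account you supply.

```powershell
# Added example, not part of the course lab. Run in an elevated PowerShell on LON-SVR1.
Import-Module WindowsServerBackup

# Prompt for the share credential instead of embedding Pa$$w0rd in a script; WSB stores
# it with the registered policy, exactly as the Register Backup Schedule dialog does.
$cred   = Get-Credential -Message 'Account with write access to \\LON-DC1\Backup'
$target = New-WBBackupTarget -NetworkPath '\\LON-DC1\Backup' -Credential $cred

# Exercise 1, Task 2: scheduled "Full server" backup at 01:00.
# "Full server" = bare metal recovery + system state + every local volume.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState       -Policy $policy
Get-WBVolume -AllVolumes | ForEach-Object { Add-WBVolume -Policy $policy -Volume $_ }
Add-WBBackupTarget      -Policy $policy -Target $target
Set-WBSchedule          -Policy $policy -Schedule '01:00'
Set-WBPolicy            -Policy $policy -Force    # registers the schedule (-Force skips the prompt)

# Exercise 1, Task 3: one-off backup of only C:\Financial Data to the same share.
# Caveat: a network share target keeps only the most recent backup; each run overwrites the last.
$once = New-WBPolicy
Add-WBFileSpec     -Policy $once -FileSpec (New-WBFileSpec -FileSpec 'C:\Financial Data')
Add-WBBackupTarget -Policy $once -Target $target
Start-WBBackup     -Policy $once
Get-WBJob -Previous 1 | Select-Object JobType, JobState, StartTime, EndTime, HResult

# Exercise 2, Task 2: restore the folder from the newest backup set on the share.
$set = Get-WBBackupSet -BackupTarget $target |
       Sort-Object BackupTime -Descending | Select-Object -First 1
Start-WBFileRecovery -BackupSet $set -SourcePath 'C:\Financial Data' -TargetPath 'C:\' `
                     -Recursive -Option CreateCopyIfExists -Force
Test-Path 'C:\Financial Data'    # $true once the recovery job has finished
```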

Exercise 3: Implementing Microsoft Online Backup and Restore


Task 1: Install the Microsoft Online Backup Service component
1. On LON-SVR1, on the taskbar, click the Windows Explorer icon.
2. In Allfiles (E:), in the details pane, double-click OBSInstaller.exe, and then click Run.
3. In the Microsoft Online Service Pre-Release Agreement dialog box, select I accept the Service Agreement terms and conditions, and then click OK.
4. On the Prerequisites Check page, click Next.


5. On the Installation Settings page, specify the following settings (if they are not the defaults), and then click Next:
   o Installation Folder: C:\Program Files
   o Cache Location: C:\Program Files\Microsoft Online Backup Service Agent
6. On the Microsoft Update Opt-In page, select I don't want to use Microsoft Update, and then click Install.
7. On the Installation page, ensure that the Microsoft Online Backup Service Agent installation has completed successfully message displays, clear the Check for newer updates check box, and then click Finish.
8. On LON-SVR1, click Start, and then click Microsoft Online Backup Service.
9. On LON-SVR1, click Start, and then click Microsoft Online Backup Service Shell.

Task 2: Register the server with Microsoft Online Backup Service

Before you register the server, you must rename LON-SVR1 to YOURCITYNAME-YOURNAME. For example, NEWYORK-ALICE. This is because you will perform this exercise online, and therefore the computer names used in this lab must be unique. If there is more than one student in the classroom with the same name, add a number at the end of the computer name, such as NEWYORK-ALICE-1.
1. In the Server Manager window, on the Welcome to Server Manager page, click 1. Configure this local server.
2. In the Server Manager window, on the Local Server page, click LON-SVR1.
3. In the System Properties window, click Change, in the Computer Name box, type YOURCITYNAME-YOURNAME, click OK twice, and then click Close.
4. In the window that displays the message that you should restart your computer, click Restart Now.
5. Wait until YOURCITYNAME-YOURNAME has restarted, and then log on as Adatum\Administrator with the password Pa$$w0rd.
6. Start the Microsoft Online Backup Service console, and then click Register Server.
7. In the Register Server Wizard, on the Account Credentials page, in the Username box, type holuser@onlinebackupservice.onmicrosoft.com, in the Password box, type Pa$$w0rd, and then click Next.
Note: In a real-life scenario, you would type the username and password of your Microsoft Online Backup Service subscription account.
8. On the Proxy Configuration page, click Next.
9. On the Encryption Settings page, in the Enter passphrase and Confirm passphrase boxes, type Pa$$w0rdPa$$w0rd, and then click Register.
10. On the Server Registration page, ensure that the Microsoft Online Backup Service is now available for this server message displays, and then click Close.

Task 3: Configure an online backup and start a backup


1. Switch to the Microsoft Online Backup Service console, and then click Schedule Backup.
2. On the Getting started page, click Next.
3. On the Select Items to back up page, click Add Items.
4. In the Select Items dialog box, expand C:, select Financial Data, click OK, and then click Next.


5. On the Specify Backup Time page, select Saturday, click 1:00 AM, click Add, and then click Next.
6. On the Specify Retention Setting page, accept the default settings, and then click Next.
7. On the Confirmation page, click Finish.
8. On the Modify Backup Progress page, click Close.
9. In the Microsoft Online Backup Service console, click Back Up Now.

10. In the Back Up Now Wizard, on the Confirmation page, click Back Up.

11. On the Backup progress page, wait until the Backup is successfully completed message displays, and then click Close.

Task 4: Restore files using the online backup


1. On LON-SVR1, on the taskbar, click the Windows Explorer icon, and then in the Windows Explorer navigation pane, click Local Disk (C:).
2. In the Local Disk (C:) window, right-click Financial Data, and then click Delete.
3. Switch to the Microsoft Online Backup Service console, and then click Recover Data.
4. In the Recover Data Wizard, on the Getting Started page, select This server, and then click Next.
5. On the Select Recovery Mode page, select Browse for files, and then click Next.
6. On the Select Volume and Date page, in the Select the volume drop-down list box, select C:\. In the calendar, click the date when you performed the backup, in the Time drop-down list, click the time when you performed the backup, and then click Next.
7. On the Select Items to Recover page, expand C:\, click the Financial Data folder, and then click Next.
8. On the Specify Recovery Options page, select Original location and Create copies so that you have both versions, and then click Next.
9. On the Confirmation page, click Recover.

10. On the Recovery Progress page, ensure that File(s) recovery job succeeded status message displays, and then click Close.

11. In Windows Explorer, expand drive C:\, and ensure that the Financial Data folder is restored to drive C.

Task 5: Unregister the server from the Microsoft Online Backup Service
1. Switch to the Microsoft Online Backup Service console, and then click Unregister Server.
2. On the Getting started page, click Unregister this server, and then click Next.
3. On the Account Credentials page, provide the following credentials:
   o Username: holuser@onlinebackupservice.onmicrosoft.com
   o Password: Pa$$w0rd
4. Click Unregister.
5. On the Server Unregistration page, click Close.


Results: After completing this exercise, you will have installed the Microsoft Online Backup Service agent, registered the server with Microsoft Online Backup Service, configured a scheduled backup, and performed a restore by using Microsoft Online Backup Service.

To prepare for the next module


1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, and MSL-TMG1.


Module 8: Implementing Distributed Active Directory Domain Services Deployments

Lab: Implementing Complex AD DS Deployments


Exercise 1: Implementing Child Domains in AD DS
Task 1: Configure Domain Name System (DNS) for domain delegation
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, select and then right-click Adatum.com, and then click New Delegation.
3. In the New Delegation Wizard, click Next, in the Delegated domain text box, type na, and then click Next.
4. In the Name Servers box, click Add.
5. In the Server fully qualified domain name (FQDN) text box, type TOR-DC1.adatum.com, clear <Click here to add an IP Address>, type 172.16.0.25, and then click OK.
6. In the Name Servers window, click Next.
7. In the Complete the New Delegation Wizard window, click Finish.

Task 2: Install a domain controller in a child domain


1. On TOR-DC1, in Server Manager, click Manage, and from the drop-down list box, click Add Roles and Features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, confirm that Role-based or feature-based installation is selected, and then click Next.
4. On the Select destination server page, ensure that Select a server from the server pool is selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Domain Services.
6. On the Add features that are required for Active Directory Domain Services? page, click Add Features.
7. On the Select server roles page, click Next.
8. On the Select features page, click Next.
9. On the Active Directory Domain Services page, click Next.

10. On the Confirm installation selections page, click Install. (This may take a few minutes to complete.)

11. When the Active Directory Domain Services (AD DS) binaries have installed, click the blue Promote this server to a domain controller link.
12. In the Deployment Configuration window, click Add a new domain to an existing forest.
13. Verify that Select domain type is set to Child Domain, and that Parent domain name is set to Adatum.com. In the New domain name text box, type na.


14. Confirm that Supply the credentials to perform this operation is set to ADATUM\Administrator (Current user), and then click Next. (If this is not the case, then use the Change button to enter the credentials Adatum\Administrator, and the password Pa$$w0rd.)
15. In the Domain Controller Options window, ensure that Domain functional level is set to Windows Server 2012 Release Candidate.

16. Ensure that both the Domain Name system (DNS) server and Global Catalog (GC) check boxes are selected.
17. Confirm that Site name: is set to Default-First-Site-Name.

18. Under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in both text boxes, and then click Next.
19. On the DNS Options page, click Next.
20. On the Additional Options page, click Next.
21. On the Paths window, click Next.
22. On the Review Options window, click Next.
23. On the Prerequisites Check window, confirm that there are no issues, and then click Install.

Task 3: Verify the default trust configuration


1. Log on to TOR-DC1 as NA\Administrator using the password Pa$$w0rd.
2. When Server Manager opens, click Local Server. Verify that Windows Firewall shows Domain: On. If it does not, then next to Local Area Connection click 172.16.0.25, IPv6 enabled. Right-click Local Area Connection, and then click Disable. Right-click Local Area Connection, and then click Enable. The Local Area Connection should now show Adatum.com.
3. In Server Manager, from the Tools menu, click Active Directory Domains and Trusts.
4. In the Active Directory Domains and Trusts console, expand Adatum.com, right-click na.adatum.com, and then click Properties.
5. Select the Trusts tab.
6. In the Domain trusted by this domain (outgoing trusts) box, click Adatum.com, and then click Properties.
7. In the Adatum.com Properties window, click Validate, and then select Yes, validate the incoming trust.
8. In the User name text box, type administrator, in the Password text box, type Pa$$w0rd, and then click OK.
9. A message will display: The trust has been validated. It is in place and active.
Note: If you receive a message that the trust cannot be validated, or that the secure channel (SC) verification has failed, ensure that you have completed step 2, and then wait for at least 10-15 minutes. You can continue with the lab and come back later to verify this step.
10. Click OK.
11. Click OK twice to close the Adatum.com Properties dialog box.

Results: After completing this exercise, you will have implemented child domains in AD DS.
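The delegation, the child-domain promotion and the trust check from this exercise, scripted. This is an added example and not part of the course lab; it assumes the DnsServer and ADDSDeployment modules that ship with Windows Server 2012, and it uses the released domain mode name Win2012 in place of the pre-release level named in step 15.

```powershell
# Added example, not part of the course lab.
# --- On LON-DC1 (Task 1): delegate "na" to TOR-DC1 and confirm the NS record is served ---
Add-DnsServerZoneDelegation -Name 'adatum.com' -ChildZoneName 'na' `
    -NameServer 'TOR-DC1.adatum.com' -IPAddress 172.16.0.25
Resolve-DnsName -Name 'na.adatum.com' -Type NS -Server 'LON-DC1'

# --- On TOR-DC1 (Task 2): install the role and promote the first DC of na.adatum.com ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString   # never store this in a script
Install-ADDSDomain -NewDomainName 'na' -ParentDomainName 'adatum.com' -DomainType ChildDomain `
    -DomainMode Win2012 -InstallDns -CreateDnsDelegation:$false `
    -SiteName 'Default-First-Site-Name' -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential -UserName 'ADATUM\Administrator' -Message 'Enterprise Admins member') `
    -Force
# -CreateDnsDelegation:$false because the delegation was created by hand in Task 1;
# DNS server and global catalog are installed by default, matching step 16.

# --- On TOR-DC1 after the restart (Task 3): the parent-child trust is created automatically ---
Get-ADTrust -Filter * | Format-Table Name, Direction, IntraForest, TrustType, SIDFilteringQuarantined
nltest /sc_verify:adatum.com      # verifies the secure channel to the parent domain
```

If nltest reports a failed secure channel right after promotion, wait as the Note in Task 3 says and re-run the last line.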


Exercise 2: Implementing Forest Trusts


Task 1: Configure stub zones for DNS name resolution
1. On LON-DC1, in Server Manager, click the Tools menu, and then from the drop-down menu, click DNS.
2. In the DNS tree pane, expand LON-DC1, right-click Forward Lookup Zones, and then click New Zone.
3. In the New Zone Wizard, click Next.
4. On the Zone Type window, click Stub zone, and then click Next.
5. On the Active Directory Zone Replication Scope window, click To all DNS servers running on domain controllers in this forest: adatum.com, and then click Next.
6. In the Zone name: text box, type treyresearch.net, and then click Next.
7. On the Master DNS Servers window, click <Click here to add an IP Address or DNS Name>, type 172.16.10.10, click on the free space, and then click Next.
8. On the Completing the New Zone Wizard window, click Next, and then click Finish.
9. Select and then right-click the new stub zone treyresearch.net, and then click Transfer from Master.
10. Right-click treyresearch.net, and then click Refresh.
11. Confirm that the treyresearch.net stub zone has some records.
12. Switch to MUN-DC1.
13. In Server Manager, click the Tools menu, and from the drop-down menu, click DNS.
14. In the tree pane, expand MUN-DC1, select and then right-click Forward Lookup Zones, and then click New Zone.
15. In the New Zone Wizard, click Next.
16. On the Zone Type window, click Stub zone, and then click Next.
17. In the Active Directory Zone Replication Scope window, select To all DNS servers running on domain controllers in this forest: Treyresearch.net, and then click Next.
18. In the Zone name: text box, type adatum.com, and then click Next.
19. In the Master DNS Servers window, click <Click here to add an IP Address or DNS Name>, type 172.16.0.10, click on the free space, and then click Next.
20. In the Completing the New Zone Wizard window, click Next, and then click Finish.
21. Select and then right-click the new stub zone adatum.com, and then click Transfer from Master.
22. Right-click adatum.com, and then click Refresh.
23. Confirm that the adatum.com stub zone has some records.
24. Close DNS Manager.

Task 2: Configure a forest trust with selective authentication


1. On LON-DC1, from the Tools menu, click Active Directory Domains and Trusts.
2. In the Active Directory Domains and Trusts management console window, right-click Adatum.com, and then click Properties.
3. In the Adatum.com Properties window, click the Trusts tab, and then click New Trust.


4. On the New Trust Wizard window, click Next.
5. In the Name text box, type treyresearch.net, and then click Next.
6. In the Trust Type window, select Forest trust, and then click Next.
7. In the Direction of Trust window, select One-way: outgoing, and then click Next.
8. In the Sides of Trust window, select Both this domain and the specified domain, and then click Next.
9. In the User Name and Password window, type Administrator as the user name and Pa$$w0rd as the password in the appropriate boxes, and then click Next.
10. In the Outgoing Trust Authentication Level-Local Forest window, select Selective authentication, and then click Next.
11. In the Trust Selections Complete page, click Next.
12. On the Trust Creation Complete page, click Next.
13. On the Confirm Outgoing Trust page, click Next.
14. Click Finish.
15. In the Adatum.com Properties window, click the Trusts tab.
16. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), select treyresearch.net, and then click Properties.
17. In the treyresearch.net Properties window, click Validate.
18. Review the message that appears: The trust has been validated. It is in place and active.
19. Click OK, and then click No at the prompt.
20. Click OK twice.
21. Close Active Directory Domains and Trusts.

Task 3: Configure a server for selective authentication


1. On LON-DC1, in Server Manager, from the Tools menu, click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, from the View menu, click Advanced Features.
3. Expand Adatum.com, and then click Computers.
4. Right-click LON-SVR1, and then click Properties.
5. Click the Security tab, and then click Add.
6. On the Select Users, Computers, Service Accounts, or Groups window, click Locations.
7. Click treyresearch.net, and then click OK.
8. In the Enter the object name to select (examples:) text box, type treyresearch\it, and then click Check Names. When prompted for credentials, type treyresearch\administrator with the password Pa$$w0rd. Click OK.
9. On the Select Users, Computers, Service Accounts, or Groups window, click OK.
10. In the LON-SVR1 Properties window, ensure that treyresearch\it is highlighted, and then select the Allow check box that is in line with Allowed to authenticate.
11. Click OK.


12. Switch to LON-SVR1.
13. On the taskbar, click Windows Explorer.
14. Click Local Disk (C).
15. Right-click in the details pane, click New, and then click Folder.
16. In the Name text box, type IT-Data, and then press Enter.
17. Right-click IT-Data, and then click Properties.
18. In the IT-Data Properties window, click the Security tab, and then click Edit.
19. On the Permission for IT-Data window, click Add.
20. In the Enter the object names to select (examples:) text box, type treyresearch\it, and then click Check Names. When the name resolves, click OK. If you are prompted for credentials, type Treyresearch\administrator with the password Pa$$w0rd. Click OK twice.
21. In the Permissions for IT-Data window, select treyresearch\it, click the Allow check box that is opposite the Modify permission, and then click OK.
22. Click the Sharing tab, select Advanced Sharing, and then click Share this folder.
23. Click Permissions, confirm that Everyone is highlighted, and then click Full Control.
24. Click OK twice, and then click Close.
25. Log off of MUN-DC1.
26. Log on to MUN-DC1 as treyresearch\Alice with the password Pa$$w0rd.
27. Hover your pointer in the lower-right corner of the desktop, and when the sidebar displays, click Search.
28. In the Search text box, type \\LON-SVR1\IT-Data. The folder will open.

Results: After completing this exercise, you will have implemented forest trusts.
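The stub zone, the trust verification and the selective-authentication grant from this exercise, scripted. This is an added example and not part of the course lab; it assumes the forest trust itself was created in the New Trust Wizard (there is no cmdlet for that in the Windows Server 2012 ActiveDirectory module) and that the DnsServer, ActiveDirectory and SmbShare modules are available; the GUID is the schema's rightsGuid for the Allowed-To-Authenticate control access right.

```powershell
# Added example, not part of the course lab.
# --- Task 1, on LON-DC1: stub zone for treyresearch.net (repeat on MUN-DC1 with adatum.com / 172.16.0.10) ---
Add-DnsServerStubZone -Name 'treyresearch.net' -MasterServers 172.16.10.10 -ReplicationScope Forest
Resolve-DnsName -Name 'treyresearch.net' -Type NS -Server 'LON-DC1'   # records appear after the transfer

# --- Task 2: the trust is created in the wizard; confirm it really is one-way, forest-wide and selective ---
Get-ADTrust -Identity 'treyresearch.net' |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware
# Expect Direction = Outbound, ForestTransitive = True, SelectiveAuthentication = True.
# With selective authentication, no treyresearch.net account can authenticate to any computer in
# adatum.com until it holds the Allowed-To-Authenticate right on that computer object.

# --- Task 3, steps 1-11: grant TREYRESEARCH\IT "Allowed to authenticate" on LON-SVR1's computer object ---
Import-Module ActiveDirectory
$allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # rightsGuid of Allowed-To-Authenticate
# The SID is resolved across the trust, the same lookup the object picker does in step 8.
$itGroup = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'TREYRESEARCH', 'IT').Translate([System.Security.Principal.SecurityIdentifier])
$dn  = (Get-ADComputer -Identity 'LON-SVR1').DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $itGroup,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuth)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Check: which principals now hold the right on this computer (should list only TREYRESEARCH\IT)
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuth } |
    Select-Object IdentityReference, AccessControlType

# --- Task 3, steps 12-24, on LON-SVR1: folder, NTFS Modify for the group, then the share ---
New-Item -Path 'C:\IT-Data' -ItemType Directory | Out-Null
icacls 'C:\IT-Data' /grant 'TREYRESEARCH\IT:(OI)(CI)M'
# The lab shares with Everyone = Full Control; NTFS Modify is then the effective ceiling for the group,
# and selective authentication still blocks every other treyresearch.net principal at the server.
New-SmbShare -Name 'IT-Data' -Path 'C:\IT-Data' -FullAccess 'Everyone'
```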

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1, 20412-MUN-DC1, and 20412-LON-SVR1.


Module 9: Implementing Active Directory Domain Services Sites and Replication


Lab: Implementing AD DS Sites and Replication


Exercise 1: Modifying the Default Site
Task 1: Install the Toronto domain controller
1. On TOR-DC1, click Manage, and from the drop-down list box, click Add Roles and Features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, confirm that Role-based or feature-based installation is selected, and then click Next.
4. On the Select destination server page, ensure that Select a server from the server pool is selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.
5. On the Select server roles page, click Active Directory Domain Services.
6. On the Add features that are required for Active Directory Domain Services? page, click Add Features. Click Next.
7. On the Select features page, click Next.
8. On the Active Directory Domain Services page, click Next.
9. On the Confirm installation selections page, click Install. (This may take a few minutes to complete.)
10. When the AD DS binaries have installed, click the blue Promote this server to a domain controller link.
11. In the Deployment Configuration window, click Add a domain controller to an existing domain. Click Next.
12. In the Domain Controller Options window, ensure that both the Domain Name system (DNS) server and Global Catalog (GC) check boxes are selected.
13. Confirm that Site name: is set to Default-First-Site-Name, and then under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in both the Password and Confirm password boxes. Click Next.
14. On the DNS Options page, click Next.
15. On the Additional Options page, click Next.
16. On the Paths window, click Next.
17. On the Review Options window, click Next.
18. On the Prerequisites Check window, confirm that there are no issues, and then click Install. The server will automatically restart.
19. After TOR-DC1 restarts, log on as Adatum\Administrator with the password Pa$$w0rd.


Task 2: Rename the default site


1. If necessary, on LON-DC1, open the Server Manager console.
2. In Server Manager, click Tools, and then click Active Directory Sites and Services.
3. In the Active Directory Sites and Services console, in the navigation pane, expand Sites.
4. Right-click Default-First-Site-Name, and then click Rename.
5. Type LondonHQ, and then press Enter.
6. Expand LondonHQ, expand the Servers folder, and then verify that both LON-DC1 and TOR-DC1 belong to the LondonHQ site.

Task 3: Configure IP subnets associated with the default site


1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, expand Sites, and then click the Subnets folder.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, under Prefix, type 172.16.0.0/24.
4. Under Select a site object for this prefix, select LondonHQ, and then click OK.

Results: After completing this exercise, you will have reconfigured the default site and assigned IP address subnets to the site.

Exercise 2: Creating Additional Sites and Subnets


Task 1: Create the AD DS sites for Toronto
1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then click New Site.
2. In the New Object - Site dialog box, next to Name, type Toronto.
3. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK.
4. In the Active Directory Domain Services dialog box, click OK. The Toronto site displays in the navigation pane.
5. In the Active Directory Sites and Services console, in the navigation pane, right-click Sites, and then click New Site.
6. In the New Object - Site dialog box, next to Name, type TestSite.
7. Under Select a site link object for this site, select DEFAULTIPSITELINK, and then click OK. The TestSite site displays in the navigation pane.

Task 2: Create IP subnets associated with the Toronto sites


1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, expand Sites, and then click the Subnets folder.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, under Prefix, type 172.16.1.0/24.
4. Under Select a site object for this prefix, select Toronto, and then click OK.
5. Right-click Subnets, and then click New Subnet.


6. In the New Object - Subnet dialog box, under Prefix, type 172.16.100.0/24.
7. Under Select a site object for this prefix, select TestSite, and then click OK.
8. In the navigation pane, click the Subnets folder. Verify that the three subnets were created and associated with their appropriate sites, as displayed in the details pane.

Results: After this exercise, you will have created two additional sites representing the IP subnet addresses located in Toronto.

Exercise 3: Configuring AD DS Replication


Task 1: Configure site links between AD DS sites
1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand Inter-Site Transports, and then click the IP folder.
2. Right-click IP, and then click New Site Link.
3. In the New Object - Site Link dialog box, next to Name, type TOR-TEST.
4. Under Sites not in this site link, select Toronto, select TestSite, click Add, and then click OK.
5. Right-click TOR-TEST, and then click Properties.
6. In the TOR-TEST Properties dialog box, click Change Schedule.
7. In the Schedule for TOR-TEST dialog box, highlight the range from Monday 9am to Friday 3pm.
8. Select Replication Not Available, and then click OK.
9. Click OK to close TOR-TEST Properties.
10. Right-click DEFAULTIPSITELINK, and then click Rename.
11. Type LON-TOR, and then press Enter.
12. Right-click LON-TOR, and then click Properties.
13. Under Sites in this link, click TestSite, and then click Remove.
14. Next to Replicate Every, change the value to 60 minutes, and then click OK.

Task 2: Move TOR-DC1 to the Toronto site


1. On LON-DC1, in the Active Directory Sites and Services console, in the navigation pane, expand Sites, expand LondonHQ, and then expand the Servers folder.
2. Right-click TOR-DC1, and then click Move.
3. In the Move Server dialog box, click Toronto, and then click OK.
4. In the navigation pane, expand the Toronto site, expand Servers, and then click TOR-DC1.

Task 3: Monitor AD DS site replication


1. On LON-DC1, on the taskbar, click the Windows PowerShell button.
2. At the command prompt, type the following, and then press Enter:
Repadmin /kcc
This command recalculates the inbound replication topology for the server.


3. At the command prompt, type the following, and then press Enter:
Repadmin /showrepl
Verify that the last replication with TOR-DC1 was successful.
4. At the command prompt, type the following, and then press Enter:
Repadmin /bridgeheads
This command displays the bridgehead servers for the site topology.
5. At the command prompt, type the following, and then press Enter:
Repadmin /replsummary
This command displays a summary of replication tasks. Verify that no errors appear.
6. At the command prompt, type the following, and then press Enter:
DCDiag /test:replications
Verify that all connectivity and replication tests pass successfully.
7. Switch to TOR-DC1, and then repeat steps 1 through 6 to view information from the TOR-DC1 perspective.

Results: After this exercise, you will have configured site links and monitored replication.
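The site, subnet and site-link changes from all three exercises, followed by the replication checks from Exercise 3 Task 3, scripted with the ActiveDirectory module. This is an added example and not part of the course lab; it assumes it is run on LON-DC1 as a domain administrator, and the blocked replication window from the Change Schedule dialog is left to the GUI.

```powershell
# Added example, not part of the course lab. Run on LON-DC1.
Import-Module ActiveDirectory

# Exercise 1: rename the default site and map the London subnet to it
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'LondonHQ'
New-ADReplicationSubnet -Name '172.16.0.0/24' -Site 'LondonHQ'

# Exercise 2: Toronto sites and their subnets
New-ADReplicationSite -Name 'Toronto'
New-ADReplicationSite -Name 'TestSite'
New-ADReplicationSubnet -Name '172.16.1.0/24'   -Site 'Toronto'
New-ADReplicationSubnet -Name '172.16.100.0/24' -Site 'TestSite'
Get-ADReplicationSubnet -Filter * | Format-Table Name, Site     # expect the three subnets

# Exercise 3, Task 1: site links. Final state as in the lab:
#   LON-TOR  = LondonHQ + Toronto, every 60 minutes
#   TOR-TEST = Toronto + TestSite (the Mon 9am - Fri 3pm blackout is applied in the GUI)
New-ADReplicationSiteLink -Name 'TOR-TEST' -SitesIncluded 'Toronto', 'TestSite' -InterSiteTransportProtocol IP
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' | Rename-ADObject -NewName 'LON-TOR'
Set-ADReplicationSiteLink -Identity 'LON-TOR' -SitesIncluded @{Add = 'Toronto'} -ReplicationFrequencyInMinutes 60

# Exercise 3, Task 2: move TOR-DC1 into its site and confirm the move
Move-ADDirectoryServer -Identity 'TOR-DC1' -Site 'Toronto'
Get-ADDomainController -Identity 'TOR-DC1' | Select-Object Name, Site

# Exercise 3, Task 3: rebuild the topology, then flag any partner that reports failures.
# repadmin /showrepl /csv emits a header row, so ConvertFrom-Csv gives named columns.
repadmin /kcc | Out-Null
$showrepl = repadmin /showrepl * /csv | ConvertFrom-Csv
$showrepl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Time', 'Last Failure Status'

# The same data through the module; an empty result from Get-ADReplicationFailure means no failures recorded
Get-ADReplicationFailure -Target 'adatum.com' -Scope Domain
Get-ADReplicationPartnerMetadata -Target 'LON-DC1', 'TOR-DC1' |
    Format-Table Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```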

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-TOR-DC1.


Module 10: Implementing Active Directory Certificate Services

Lab: Implementing Active Directory Certificate Services


Exercise 1: Deploying a standalone root CA
Task 1: Install the Active Directory Certificate Services (AD CS) server role on non-domain joined server
1. Log on to LON-CA1 as Administrator with the password Pa$$w0rd.
2. In the Server Manager console, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select Active Directory Certificate Services. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, ensure that Certification Authority is selected, and then click Next.

10. On the Confirm installation selections page, click Install.

11. On the Installation progress page, after installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server.
12. In the AD CS Configuration Wizard, on the Credentials page, click Next.
13. On the Role Services page, select Certification Authority. Click Next.
14. On the Setup Type page, select Standalone CA, and then click Next.
15. On the CA Type page, ensure that Root CA is selected, and then click Next.

16. On the Private Key page, ensure that Create a new private key is selected, and then click Next.

17. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.

18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click Next.
19. On the Validity Period page, click Next.
20. On the CA Database page, click Next.
21. On the Confirmation page, click Configure.
22. On the Results page, click Close.
23. On the Installation progress page, click Close.


Task 2: Configure a new certificate revocation location


1. On LON-CA1, in the Server Manager console, click Tools, and then click Certification Authority.
2. In the certsrv [Certification Authority (Local)] console, right-click AdatumRootCA, and then click Properties.
3. In the AdatumRootCA Properties window, click the Extensions tab.
4. On the Extensions tab, in the Select extension: drop-down list, select CRL Distribution Point (CDP), and then click Add.
5. In the Location text box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down list box, click <CaName>, and then click Insert.
6. In the Variable drop-down list box, click <CRLNameSuffix>, and then click Insert.
7. In the Variable drop-down list box, click <DeltaCRLAllowed>, and then click Insert.
8. In the Location text box, position the cursor at the end of the URL, type .crl, and then click OK. Select the options Include in the CDP extensions of issued certificates and Include in CRLs. Clients use this to find Delta CRL locations. Click Apply. In the Certification Authority pop-up window, click No.
9. In the Select extension: drop-down list box, click Authority Information Access (AIA), and then click Add.
10. In the Location text box, type http://lon-svr1.adatum.com/CertData/, then in the Variable drop-down list box, click <ServerDNSName>, and then click Insert.
11. In the Location text box, type an underscore (_), in the Variable drop-down list box, click <CaName>, and then click Insert.
12. In the Variable drop-down list box, click <CertificateName>, and then click Insert.
13. In the Location text box, position the cursor at the end of the URL, type .crt, and then click OK.
14. Select the Include in the AIA extension of issued certificates check box, and then click OK.
15. Click Yes to restart the Certification Authority service.

16. In the Certification Authority console, expand AdatumRootCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.
17. In the Publish CRL window, click OK.
18. Right-click AdatumRootCA, and then click Properties.
19. In the AdatumRootCA Properties dialog box, click View Certificate.
20. In the Certificate window, click the Details tab.
21. On the Details tab, click Copy to File.
22. On the Certificate Export Wizard Welcome page, click Next.
23. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

24. On the File to Export page, click Browse. In the File name text box, type \\lon-svr1\C$, and then press Enter.
25. In the File name text box, type RootCA, click Save, and then click Next.
26. Click Finish, and then click OK three times.
27. Open a Windows Explorer window, and browse to C:\Windows\System32\CertSrv\CertEnroll.


28. In the CertEnroll folder, select both files, right-click the highlighted files, and then click Copy.
29. In the Windows Explorer address bar, type \\lon-svr1\C$, and then press Enter.
30. Right-click the empty space, and then click Paste.
31. Close Windows Explorer.

Results: After completing this exercise, you will have installed and configured a standalone root CA.

Exercise 2: Deploying an Enterprise Subordinate CA


Task 1: Install and configure AD CS role on LON-SVR1
1. Log on to LON-SVR1 as Adatum\Administrator with the password of Pa$$w0rd.
2. In the Server Manager console, click Add roles and features.
3. On the Before you begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select Active Directory Certificate Services.
7. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
8. On the Select features page, click Next.
9. On the Active Directory Certificate Services page, click Next.

10. On the Select role services page, ensure that Certification Authority is already selected, and then select Certificate Authority Web Enrollment.
11. When the Add Roles and Features Wizard window displays, click Add Features, and then click Next.
12. On the Confirm installation selections page, click Install.
13. On the Installation progress page, after installation is successful, click the text Configure Active Directory Certificate Services on the destination server.
14. In the AD CS Configuration Wizard, on the Credentials page, click Next.
15. On the Role Services page, select both Certification Authority and Certification Authority Web Enrollment, and then click Next.
16. On the Setup Type page, select Enterprise CA, and then click Next.
17. On the CA Type page, click Subordinate CA, and then click Next.
18. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
19. On the Cryptography for CA page, keep the default selections, and then click Next.
20. On the CA Name page, in the Common name for this CA text box, type Adatum-IssuingCA, and then click Next.
21. On the Certificate Request page, ensure that Save a certificate request to file on the target machine is selected, and then click Next.
22. On the CA Database page, click Next.
23. On the Confirmation page, click Configure.
24. On the Results page, click Close.


25. On the Installation progress page, click Close.

Task 2: Install a subordinate Certification Authority (CA) certificate


1. On LON-SVR1, open a Windows Explorer window, and navigate to Local Disk (C:).
2. Right-click RootCA.cer, and then click Install Certificate.
3. In the Certificate Import Wizard, click Local Machine, and then click Next.
4. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.
5. Select Trusted Root Certification Authorities, and then click OK.
6. Click Next, and then click Finish.
7. Click OK.
8. In the Windows Explorer window, select the adatumRootCA.crl and LON-CA1_AdatumRootCA.crt files, right-click the files, and then click Copy.
9. Double-click inetpub, and then double-click wwwroot.

10. Create a new folder, and name it CertData.
11. Paste the two copied files into that folder.
12. Switch to Local Disk (C:).
13. Right-click the file LON-SVR1.Adatum.com_Adatum-IssuingCA.req, and then click Copy.
14. In the Windows Explorer address bar, type \\LON-CA1\C$, and then press Enter.
15. In the Windows Explorer window, right-click an empty space, and then click Paste. Make sure that the request file is copied to LON-CA1.
16. Switch to the LON-CA1 server.
17. In the Certification Authority console, right-click AdatumRootCA, point to All Tasks, and then click Submit new request.
18. In the Open Request File window, navigate to Local Disk (C:), select the file LON-SVR1.Adatum.com_Adatum-IssuingCA.req, and then click Open.
19. In the Certification Authority console, click the Pending Requests container. Right-click the Pending Requests item, and then click Refresh.
20. In the right pane, right-click the request (with ID 2), point to All Tasks, and then click Issue.
21. Click the Issued Certificates container.
22. In the right pane, double-click the certificate, and then click the Details tab.
23. Click Copy to File.
24. On the Certificate Export Wizard Welcome page, click Next.
25. On the Export File Format page, select Cryptographic Message Syntax Standard PKCS #7 Certificates (.P7B), select Include all certificates in the certification path if possible, and then click Next.
26. On the File to Export page, click Browse.
27. In the File name text box, type \\lon-svr1\C$, and then press Enter.
28. In the File name text box, type SubCA, click Save, and then click Next.


29. Click Finish, and then click OK twice.
30. Switch to LON-SVR1.
31. In Server Manager, click Tools, and then click Certification Authority.
32. In the Certification Authority console, right-click Adatum-IssuingCA, point to All Tasks, and then click Install CA Certificate.
33. Navigate to Local Disk (C:), click the SubCA.p7b file, and then click Open.
34. Wait for 15-20 seconds, and then on the toolbar, click the green icon to start the CA service.
35. Ensure that the CA starts successfully.

Task 3: Publish the RootCA certificate through Group Policy


1. On LON-DC1, open Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
3. In the Computer Configuration node, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
4. Click Next.
5. On the File to Import page, click Browse.
6. In the file name text field, type \\lon-svr1\C$, and then press Enter.
7. Select the file RootCA.cer, and then click Open.
8. Click Next two times, and then click Finish.
9. Click OK.
10. Close the Group Policy Management Editor.
11. Close the Group Policy Management Console.

Results: After completing this exercise, you will have deployed and configured an enterprise subordinate CA.

Exercise 3: Configuring Certificate Templates


Task 1: Create a new template based on the Web server template
1. On LON-SVR1, in the Certification Authority console, expand Adatum-IssuingCA, right-click Certificate Templates, and then select Manage.
2. In the Certificate Templates Console, locate the Web Server template in the list, right-click it, and then select Duplicate Template.
3. Click the General tab.
4. In the Template display name field, type Adatum Web Server, and set the Validity period to 3 years.
5. Click the Request Handling tab, select Allow private key to be exported, and then click OK.


Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates Console, right-click the User certificate template, and then click Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and in the Template display name text box, type Adatum Smart Card User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-mail name check boxes.
4. On the Extensions tab, click Application Policies, and then click Edit.
5. In the Edit Application Policies Extension dialog box, click Add.
6. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
7. Click the Superseded Templates tab, and then click Add.
8. Click the User template, and then click OK.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select the Allow check box for Read, Enroll and Autoenroll, and then click OK.
10. Close the Certificate Templates Console.

Task 3: Configure the templates so they can be issued


1. On LON-SVR1, in the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates window, select Adatum Smart Card User and Adatum Web Server, and then click OK.

Task 4: Update the Web server certificate on the LON-SVR2 Web Server
1. Log on to LON-SVR2 as Adatum\Administrator with the password of Pa$$w0rd.
2. Open a Windows PowerShell window from the taskbar, type gpupdate /force, and then press Enter.
3. If prompted to do so, restart the server, and then log on with the same credentials as in step 1.
4. From Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
5. In the IIS console, click LON-SVR2, click No at the Internet Information Services (IIS) Manager prompt, and then in the central pane, double-click Server Certificates.
6. In the Actions pane, click Create Domain Certificate. On the Distinguished Name Properties page, complete the following fields, and then click Next:
   o Common name: lon-svr2.adatum.com
   o Organization: Adatum
   o Organizational Unit: IT
   o City/locality: Seattle
   o State/province: WA
   o Country/region: US
7. On the Online Certification Authority page, click Select.
8. Click Adatum-IssuingCA, and then click OK.
9. In the friendly name text box, type lon-svr2, and then click Finish.


10. Ensure that the certificate displays in the Server Certificates console.
11. In the IIS console, expand LON-SVR2, expand Sites, and then click Default Web Site.
12. In the Actions pane, click Bindings.
13. In the Site Bindings window, click Add.
14. In the Type drop-down list box, click https.
15. In the SSL certificate drop-down list box, click lon-svr2, click OK, and then click Close.
16. Close the IIS console.

Results: After completing this exercise, you will have created and published new certificate templates.

Exercise 4: Configuring Certificate Enrollment


Task 1: Configure autoenrollment for users
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click Default Domain Policy, and then click Edit.
3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies.
4. In the right pane, double-click Certificate Services Client Auto-Enrollment.
5. In the Configuration Model drop-down list box, click Enabled.
6. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option.
7. Select the Update certificates that use certificate templates option.
8. Click OK to close the properties window.
9. In the right pane, double-click the Certificate Services Client Certificate Enrollment Policy object.
10. On the Enrollment Policy tab, set the Configuration Model to Enabled, and ensure that the certificate enrollment policy list displays the Active Directory Enrollment Policy (it should have a checkmark next to it, and a status of Enabled).
11. Click OK to close the window.
12. Close both the Group Policy Management Editor and the Group Policy Management console.

Task 2: Verify autoenrollment


1. On LON-SVR1, open Windows PowerShell from the taskbar.
2. Type gpupdate /force, and then press Enter.
3. After the policy is refreshed, type mmc.exe, and then press Enter.
4. In Console1, click File, and then in the File menu, click Add/Remove Snap-in.
5. Click Certificates, and then click Add>.
6. Click Finish, and then click OK.
7. Expand Certificates - Current User, expand Personal, and then click Certificates.
8. Verify that a certificate based on the Adatum Smart Card User template is issued for the administrator.
9. Close Console1.
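The check in step 8 can be done from PowerShell instead of by eye in the snap-in, and it can also confirm that the certificate carries the Smart Card Logon application policy added to the template in Exercise 3. This is an added example, not part of the lab: it assumes Windows PowerShell 3.0 on a domain-joined machine, the function names are my own, and the template name is the lab's.

```powershell
# Added example (not from the 20412A lab): verify autoenrollment from PowerShell.
# Assumes Windows PowerShell 3.0 on a domain-joined machine. The OIDs are fixed
# Microsoft/PKIX values: v1 template name, v2 template info, the EKU extension
# and the Smart Card Logon application policy.
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$EkuOid       = '2.5.29.37'
$SmartCardEku = '1.3.6.1.4.1.311.20.2.2'

function Get-CertificateTemplateName {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if (-not $ext) { return $null }
    # Format() yields "Template=<name>(<oid>), Major Version Number=..." for
    # v2 templates and just the name for v1 templates; keep the name only.
    $text = $ext.Format($false)
    if ($text -match '^Template=([^(]+)') { return $Matches[1].Trim() }
    return $text.Trim()
}

function Get-AutoenrolledCertificate {
    # One record per certificate in the store, with the template it came from
    # and whether its EKU list includes Smart Card Logon.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem $StorePath | ForEach-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
        $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
        [PSCustomObject]@{
            Subject        = $cert.Subject
            Template       = Get-CertificateTemplateName $cert
            SmartCardLogon = ($ekuOids -contains $SmartCardEku)
            HasPrivateKey  = $cert.HasPrivateKey
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
        }
    }
}

function Test-Autoenrollment {
    # Equivalent of gpupdate /force followed by a look in the snap-in:
    # certutil -pulse triggers the autoenrollment task immediately.
    param([string]$TemplateName = 'Adatum Smart Card User')
    certutil -pulse | Out-Null
    $hits = @(Get-AutoenrolledCertificate |
        Where-Object { $_.Template -eq $TemplateName -and $_.HasPrivateKey -and $_.SmartCardLogon })
    return ($hits.Count -gt 0)
}

# Usage on LON-SVR1 as Administrator after the policy refresh:
# Get-AutoenrolledCertificate | Format-Table Subject, Template, SmartCardLogon, NotAfter
# Test-Autoenrollment
```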

Task 3: Configure the Enrollment Agent for smart card certificates


1. On LON-SVR1, in the Server Manager console, click Tools, and then open Certification Authority.
2. In the certsrv console, expand Adatum-IssuingCA, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates console, double-click Enrollment Agent.
4. Click the Security tab, and then click Add.
5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names, and then click OK.
6. On the Security tab, click Allie Bellew, select Allow for the Read and Enroll permissions, and then click OK.
7. Close the Certificate Templates Console.
8. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.
10. Switch to LON-CL1, and log on as Adatum\Allie with the password Pa$$w0rd.
11. Open a command prompt window, and at the command prompt, type mmc.exe, and then press Enter.
12. In Console1, click File, and then click Add/Remove Snap-in.
13. Click Certificates, and then click Add>.
14. Click OK.
15. Expand Certificates - Current User, expand Personal, click Certificates, right-click Certificates, point to All Tasks, and then click Request New Certificate.
16. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
17. On the Select Certificate Enrollment Policy page, click Next.
18. On the Request Certificates page, select Enrollment Agent, and then click Enroll.
19. Click Finish.
20. Switch to LON-SVR1.
21. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
22. Click the Enrollment Agents tab.
23. Click Restrict Enrollment agents.
24. On the pop-up window that displays, click OK.
25. In the Enrollment agents section, click Add.
26. In the Select User, Computer or Group field, type Allie, click Check Names, and then click OK.
27. Click Everyone, and then click Remove.
28. In the Certificate Templates section, click Add.
29. In the list of templates, select Adatum Smart Card User, and then click OK.


30. In the Certificate Templates section, click <All>, and then click Remove.
31. In the Permission section, click Add.
32. In the Select User, Computer or Group field, type Marketing, click Check Names, and then click OK.
33. In the Permission section, click Everyone, and then click Remove.
34. Click OK.

Results: After completing this exercise, you will have configured and verified autoenrollment for users, and configured an enrollment agent for smart cards.

Exercise 5: Configuring Certificate Revocation


Task 1: Configure Certificate Revocation List (CRL) distribution
1. On LON-SVR1, in the Certification Authority console, right-click Revoked Certificates, and then click Properties.
2. In the Revoked Certificates Properties window, set the CRL publication interval to 1 Day and the Delta CRL publication interval to 1 hour, and then click OK.
3. Right-click Adatum-IssuingCA, and then click Properties.
4. In the Properties window, click the Extensions tab.
5. On the Extensions tab, review the values for CDP.
6. Click Cancel.

Task 2: Install and configure an Online Responder


1. On LON-SVR1, open Server Manager.
2. In Server Manager, click Add roles and features.
3. Click Next three times.
4. On the Select server roles page, expand Active Directory Certificate Services (Installed), and then select Online Responder.
5. Click Add Features.
6. Click Next two times, and then click Install.
7. When the message displays that installation succeeded, click Configure Active Directory Certificate Services on the destination server.
8. In the AD CS Configuration Wizard, click Next.
9. Select Online Responder, and then click Next.
10. Click Configure, and then click Close two times.
11. On LON-SVR1, open the Certification Authority console.
12. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
13. In the Adatum-IssuingCA Properties dialog box, on the Extensions tab, in the Select extension list, click Authority Information Access (AIA), and then click Add.
14. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK.


15. Select the Include in the AIA extension of issued certificates check box.

16. Select the Include in the online certificate status protocol (OCSP) extension check box, and then click OK.
17. In the Certificate Authority dialog box, restart AD CS by clicking Yes.
18. In the certsrv console, expand Adatum-IssuingCA, right-click the Certificate Templates folder, and then click Manage.
19. In the Certificate Templates console, double-click the OCSP Response Signing template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab, under Permissions for Authenticated Users, select the Allow for Enroll check box, and then click OK.
21. Close the Certificate Templates console.
22. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and then click OK.
24. On LON-SVR1, in Server Manager, click Tools, and then click Online Responder Management.
25. In the ocsp Management console, right-click Revocation Configuration, and then click Add Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name box, type AdatumCA Online Responder, and then click Next.
28. On the Select CA Certificate Location page, click Next.
29. On the Choose CA Certificate page, click Browse, click the Adatum-IssuingCA certificate, click OK, and then click Next.
30. On the Select Signing Certificate page, verify that both Automatically select a signing certificate and Auto-Enroll for an OCSP signing certificate are selected, and then click Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status will appear as Working.
32. Close the Online Responder console.
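The CDP and AIA locations entered through the Extensions tab in Exercise 1 (root CA) and the OCSP location added in this task can also be set from PowerShell and then checked end to end, which is the check a practitioner wants before relying on the lab's URLs. This is an added example, not part of the lab: it assumes the ADCSAdministration module that ships with the AD CS role on Windows Server 2012, an elevated session on the CA being configured, and the lab's URLs; the Set-Lab*/Get-Lab*/Test-Lab* function names are my own, and C:\issued.cer is a placeholder for any certificate issued by the CA.

```powershell
# Added example (not from the 20412A lab): script the CDP/AIA/OCSP extension
# changes made in the Certification Authority console, then verify that a
# client can build and revocation-check a chain through those URLs.
# Assumes the ADCSAdministration module (AD CS role, Windows Server 2012),
# an elevated session on the CA itself, and the lab's URLs.
Import-Module ADCSAdministration

# The <CaName>-style tokens are the same variables the console's Variable
# drop-down inserts; the CA expands them when it publishes.
$CdpUrl  = 'http://lon-svr1.adatum.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$AiaUrl  = 'http://lon-svr1.adatum.com/CertData/<ServerDNSName>_<CaName><CertificateName>.crt'
$OcspUrl = 'http://LON-SVR1/ocsp'

function Set-LabRevocationUrls {
    # Exercise 1: publish the HTTP CRL location in issued certificates and in
    # the CRL itself (the "Include in CRLs" box maps to the freshest-CRL
    # extension), plus the HTTP location of the CA certificate.
    Add-CACrlDistributionPoint -Uri $CdpUrl -AddToCertificateCdp -AddToFreshestCrl -Force
    Add-CAAuthorityInformationAccess -Uri $AiaUrl -AddToCertificateAia -Force
    # Exercise 5, Task 2: advertise the Online Responder in the AIA extension.
    Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force
    # As with clicking Yes in the console, the CA service must restart before
    # new issuances carry the extensions; then publish a fresh CRL to the CDP.
    Restart-Service certsvc
    certutil -crl | Out-Null
}

function Get-LabRevocationUrls {
    # Same information as reviewing the Extensions tab in Exercise 5, Task 1.
    Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer
    Get-CAAuthorityInformationAccess | Select-Object Uri, AddToCertificateAia, AddToCertificateOcsp
}

function Test-LabCertificateChain {
    # Build a chain for a certificate issued by the CA with online revocation
    # checking for every link. An unreachable or wrong CDP/AIA/OCSP URL shows
    # up here as RevocationStatusUnknown or OfflineRevocation, which is what
    # clients will hit when the extensions are misconfigured.
    param([Parameter(Mandatory = $true)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid  = $chain.Build($cert)
    $status = $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    [PSCustomObject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Valid   = $valid
        Status  = ($status -join '; ')
    }
}

# Usage on the CA; C:\issued.cer is a placeholder for an exported certificate
# issued by Adatum-IssuingCA (for example the LON-SVR2 web server certificate).
# Set-LabRevocationUrls
# Get-LabRevocationUrls
# Test-LabCertificateChain -CertPath C:\issued.cer
```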

Results: After completing this exercise, you will have configured certificate revocation settings.

Exercise 6: Configuring Key Recovery


Task 1: Configure the CA to issue Key Recovery Agent (KRA) certificates
1. On LON-SVR1, open the Certification Authority console.
2. In the Certification Authority console, expand the Adatum-IssuingCA node, right-click the Certificate Templates folder, and then click Manage.
3. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.
4. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab.
5. Clear the CA certificate manager approval check box.

6. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that have the Enroll permission, and then click OK.
7. Close the Certificate Templates Console.
8. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then click OK.

10. Close the Certification Authority console.

Task 2: Acquire the KRA certificate


1. On LON-SVR1, open a Windows PowerShell window.
2. At the command prompt, type MMC.exe, and then press Enter.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
6. Expand the Certificates - Current User node, and right-click Personal. Point to All Tasks, and then click Request New Certificate.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
8. On the Select Certificate Enrollment Policy page, click Next.
9. On the Request Certificates page, select the Key Recovery Agent check box. Click Enroll, and then click Finish.
10. Refresh the console, and view the KRA in the personal store; that is, scroll across the certificate properties and verify that the Certificate Template Key Recovery Agent is present.
11. Close Console1 without saving changes.

Task 3: Configure the CA to allow key recovery


1. On LON-SVR1, in the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
2. In the Adatum-IssuingCA Properties dialog box, click the Recovery Agents tab, and then select Archive the key.
3. Under Key recovery agent certificates, click Add.
4. In the Key Recovery Agent Selection dialog box, click the certificate that is for the Key Recovery Agent purpose (it will most likely be last on the list), and then click OK twice.
5. When prompted to restart the CA, click Yes.

Task 4: Configure a custom template for key archival


1. On LON-SVR1, in the Certification Authority console, right-click the Certificate Templates folder, and then click Manage.
2. In the Certificate Templates console, right-click the User certificate, and then click Duplicate Template.
3. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Archive User.
4. On the Request Handling tab, select the Archive subject's encryption private key check box. Click OK on the popup window.
5. Click the Subject Name tab, clear the E-mail name and Include e-mail name in subject name check boxes, and then click OK.
6. Close the Certificate Templates Console.
7. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, select the Archive User template, and then click OK.
9. Close the Certification Authority console.

Task 5: Verify key archival functionality


1. Log on to the LON-CL1 virtual computer as Adatum\Aidan, using the password Pa$$w0rd.
2. On the Start screen, type mmc.exe, and then press Enter.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
5. Click OK.
6. Expand the Certificates - Current User node, right-click Personal, click All Tasks, and then click Request New Certificate.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next. Click Next.
8. On the Request Certificate page, select the Archive User check box, click Enroll, and then click Finish.
9. Refresh the console, and verify that a certificate is issued to Aidan, based on the Archive User certificate template.

10. Simulate the loss of a private key by deleting the certificate. In the central pane, right-click the certificate that you just enrolled, select Delete, and then click Yes to confirm.
11. Switch to LON-SVR1.
12. Open the Certification Authority console, expand Adatum-IssuingCA, and then click the Issued Certificates store.
13. In the details pane, double-click a certificate with the Requestor Name Adatum\Aidan and the Certificate Template name Archive User.
14. Click the Details tab, copy the Serial Number, and then click OK. (You may either copy the number to Notepad (select it and press CTRL+C), or write it down on paper.)
15. Open the Windows PowerShell console from the taskbar.
16. In the command prompt window that appears, type the following command (where <serial number> is the serial number that you copied), and then press Enter:
certutil -getkey <serial number> outputblob

Note: If you paste the serial number from Notepad, remove the spaces between the numbers.
17. Verify that the outputblob file now displays in the C:\Users\Administrator.Adatum folder.


18. To convert the outputblob file into a .pfx file, in the command prompt window, type the following command, and then press Enter:
certutil -recoverkey outputblob aidan.pfx

19. When prompted, type Pa$$w0rd as the new password, and then confirm the password.
20. After the command executes, close the Windows PowerShell window.
21. Browse to C:\Users\Administrator.ADATUM, and then verify that aidan.pfx (the recovered key) is created.
22. Copy the aidan.pfx file to \\lon-cl1\C$.
23. Switch to LON-CL1, and ensure that you are still logged on as Aidan.
24. Browse to drive C, and double-click the aidan.pfx file.
25. On the Welcome to the Certificate Import Wizard page, click Next.
26. On the File to Import page, click Next.
27. On the Password page, enter Pa$$w0rd as the password, and then click Next.
28. On the Certificate Store page, click Next, click Finish, and then click OK.
29. Expand the Certificates - Current User node, expand Personal, and then click Certificates.
30. Refresh the console, and verify that the certificate for Aidan is restored.
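The two certutil commands in steps 16 and 18 are easy to get wrong (spaces left in the serial number, a blob written to an unexpected directory, a PFX that turns out to contain no key). The following is an added example, not part of the lab, that wraps them in a PowerShell function which normalizes the serial number, checks each step before the next, and verifies the resulting PFX; it assumes an elevated session on LON-SVR1 as the KRA holder (Administrator in the lab) and certutil's own -getkey, -recoverkey and -p switches. The function names are my own.

```powershell
# Added example (not from the 20412A lab): wrap the certutil key-recovery
# steps (Exercise 6, Task 5, steps 16-18) with input checks and verification.
# Assumes an elevated session on the issuing CA as a user who holds the KRA
# certificate; -getkey, -recoverkey and -p are certutil's own switches.

function Get-NormalizedSerialNumber {
    param([Parameter(Mandatory = $true)][string]$SerialNumber)
    # The Details tab shows the serial number as space-separated hex pairs;
    # certutil expects one contiguous hex string (the lab's note on step 16).
    $hex = ($SerialNumber -replace '[\s:]', '').ToLowerInvariant()
    if ($hex -notmatch '^[0-9a-f]+$' -or ($hex.Length % 2) -ne 0) {
        throw "Not a hexadecimal serial number: '$SerialNumber'"
    }
    return $hex
}

function Invoke-KeyRecovery {
    param(
        [Parameter(Mandatory = $true)][string]$SerialNumber,
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$PfxPassword,
        [string]$BlobPath = (Join-Path $env:TEMP 'outputblob')
    )
    $serial = Get-NormalizedSerialNumber $SerialNumber

    # Step 16: extract the archived key, still encrypted to the KRA, from the
    # CA database into a recovery blob. Requires certificate manager rights.
    certutil -getkey $serial $BlobPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BlobPath)) {
        throw "certutil -getkey failed for serial $serial (exit code $LASTEXITCODE)"
    }

    # Step 18: decrypt the blob with the KRA private key and write a PFX.
    # -p supplies the PFX password instead of the interactive prompt; command
    # line arguments are visible to other local administrators, so use a
    # one-time password here and let the user change it on import.
    certutil -p $PfxPassword -recoverkey $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PfxPath)) {
        throw "certutil -recoverkey failed (exit code $LASTEXITCODE)"
    }
    # The blob is not needed once the PFX exists; do not leave it behind.
    Remove-Item $BlobPath -Force

    # Confirm the PFX holds the expected certificate and a private key before
    # handing it to the user (it is not imported into any store here).
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    if ($pfx.SerialNumber.ToLowerInvariant() -ne $serial) {
        throw "Recovered PFX serial $($pfx.SerialNumber) does not match $serial"
    }
    if (-not $pfx.HasPrivateKey) { throw 'Recovered PFX contains no private key' }
    [PSCustomObject]@{
        Subject      = $pfx.Subject
        SerialNumber = $pfx.SerialNumber
        NotAfter     = $pfx.NotAfter
        PfxPath      = $PfxPath
    }
}

# Lab values: the serial copied from the Details tab (spaces allowed), the PFX
# written where the lab expects aidan.pfx, protected with the lab password.
# Invoke-KeyRecovery -SerialNumber '<serial number>' `
#     -PfxPath C:\Users\Administrator.ADATUM\aidan.pfx -PfxPassword 'Pa$$w0rd'
```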

Results: After completing this exercise, you will have implemented key archival, and tested private key recovery.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, 20412A-LON-CA1, and 20412A-LON-SVR2.


Module 11: Implementing Active Directory Rights Management Services

Lab: Implementing AD RMS


Exercise 1: Installing and Configuring AD RMS
Task 1: Configure Domain Name System (DNS) and the Active Directory Rights Management Services (AD RMS) service account
1. Log on to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Active Directory Administrative Center.
3. Select and then right-click Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit dialog box, in the Name field, type Service Accounts, and then click OK.
5. Right-click the Service Accounts OU, click New, and then click User.
6. On the Create User dialog box, enter the following details, and then click OK:
   o First name: ADRMSSVC
   o User UPN logon: ADRMSSVC
   o Password: Pa$$w0rd
   o Password never expires: Enabled
   o User cannot change password: Enabled

7. Right-click the Users container, click New, and then click Group.
8. In the Create Group dialog box, enter the following details, and then click OK:
   o Group name: ADRMS_SuperUsers
   o E-mail: ADRMS_SuperUsers@adatum.com

9. Right-click the Users container, click New, and then click Group.

10. In the Create Group dialog box, enter the following details, and then click OK:
   o Group name: Executives
   o E-mail: executives@adatum.com

11. Double-click the Managers OU.
12. Hold down the Ctrl key, and click the following users:
   o Aidan Delaney
   o Bill Malone

13. In the Tasks pane, click Add to group.
14. In the Select Groups dialog box, type Executives, and then click OK.
15. Close the Active Directory Administrative Center.
16. In Server Manager, click Tools, and then click DNS.
17. In the DNS Manager console, expand LON-DC1, and then expand Forward Lookup Zones.


18. Select and then right-click Adatum.com, and then click New Host (A or AAAA).
19. In the New Host dialog box, enter the following information, and then click Add Host:
   o Name: adrms
   o IP address: 172.16.0.21

20. Click OK, and then click Done, and close the DNS Manager console.

Task 2: Install and configure the AD RMS server role


1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next three times.
4. On the Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles and Features dialog box, click Add Features, and then click Next four times.
6. Click Install, and then click Close.
7. In Server Manager, click the AD RMS node.
8. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1, click More.
9. On the All Servers Task Details page, click Perform Additional Configuration.

10. In the AD RMS Configuration: LON-SVR1.adatum.com dialog box, click Next.
11. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.
12. On the Configuration Database page, click Use Windows Internal Database on this server, and then click Next.
13. On the Service Account page, click Specify.
14. In the Windows Security dialog box, enter the following details, click OK, and then click Next:
   o Username: ADRMSSVC
   o Password: Pa$$w0rd
15. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.
16. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then click Next.
17. On the Cluster Key Password page, enter the password Pa$$w0rd twice, and then click Next.
18. On the Cluster Web Site page, verify that Default Web Site is selected, and then click Next.
19. On the Cluster Address page, provide the following information, and then click Next:
   o Connection Type: Use an unencrypted connection (http://)
   o Fully Qualified Domain Name: adrms.adatum.com
   o Port: 80
20. On the Licensor Certificate page, type Adatum AD RMS, and then click Next.
21. On the SCP Registration page, click Register the SCP now, and then click Next.
22. Click Install, and then click Close.
23. Go to the Start screen, click Administrator, and then click Sign Out.


Note: You must sign out before you can manage AD RMS.

Task 3: Configure the AD RMS Super Users group


1. Log on to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Active Directory Rights Management Services.
3. In the Active Directory Rights Management Services console, expand the LON-SVR1 node, and then click Security Policies.
4. In the Security Policies area, under Super Users, click Change super user settings.
5. In the Actions pane, click Enable Super Users.
6. In the Super Users area, click Change super user group.
7. In the Super Users dialog box, in the Super user group text box, type ADRMS_Superusers@adatum.com, and then click OK.

Results: After completing this exercise, you should have installed and configured AD RMS.

Exercise 2: Configuring AD RMS Templates


Task 1: Configure a new rights policy template
1. Ensure that you are logged on to LON-SVR1.
2. In the Active Directory Rights Management Services console, click the LON-SVR1\Rights Policy Templates node.
3. In the Actions pane, click Create Distributed Rights Policy Template.
4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification information page, click Add.
5. On the Add New Template Identification Information page, enter the following information, and then click Add:
   o Language: English (United States)
   o Name: ReadOnly
   o Description: Read only access. No copy or print

6. 7. 8. 9.

Click Next. On the Add User Rights page, click Add. On the Add User or Group page enter executives@adatum.com, and then click OK. When executives@adatum.com is selected, under Rights, click View. Verify that Grant owner (author) full control right with no expiration is selected, and then click Next.

10. On the Specify Expiration Policy page, choose the following settings and then click Next: o o Content Expiration: Expires after the following duration (days): 7 Use license expiration: Expires after the following duration (days): 7

11. On the Specify Extended Policy page, click Require a new use license every time content is consumed (disable client-side caching), click Next, and then click Finish.

Task 2: Configure the rights policy template distribution


1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. In the Windows PowerShell window, issue the following commands, each followed by Enter:
   Cmd.exe
   mkdir c:\rmstemplates
   net share RMSTEMPLATES=C:\rmstemplates /GRANT:ADATUM\ADRMSSVC,FULL
   mkdir c:\docshare
   net share docshare=c:\docshare /GRANT:Everyone,FULL
3. To exit the Windows PowerShell window, type exit twice.
4. Switch to the Active Directory Rights Management Services console.
5. Click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click Change distributed rights policy templates file location.
6. In the Rights Policy Templates dialog box, click Enable Export.
7. In the Specify Templates File Location (UNC), type \\LON-SVR1\RMSTEMPLATES, and then click OK.
8. On the taskbar, click the Windows Explorer icon.
9. Navigate to the C:\rmstemplates folder, and verify that ReadOnly.xml is present.
10. Close the Windows Explorer window.

Task 3: Configure an exclusion policy


1. Switch to the Active Directory Rights Management Services console.
2. Click the Exclusion Policies node, and then click Manage application exclusion list.
3. In the Actions pane, click Enable Application Exclusion.
4. In the Actions pane, click Exclude Application.
5. In the Exclude Application dialog box, enter the following information, and then click Finish:
   o Application File name: Powerpnt.exe
   o Minimum version: 14.0.0.0
   o Maximum version: 16.0.0.0

Results: After completing this exercise, you should have configured AD RMS templates.

Exercise 3: Implementing the AD RMS Trust Policies


Task 1: Export the Trusted User Domains policy
1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. In the Windows PowerShell window, issue the following commands, each followed by Enter:
   Cmd.exe
   mkdir c:\export
   net share export=c:\export /GRANT:Everyone,FULL
3. To close the Windows PowerShell window, type exit twice.
4. In the Active Directory Rights Management Services console, expand the Trust Policies node, and then click the Trusted User Domains node.
5. In the Actions pane, click Export Trusted User Domains.
6. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file name to ADATUM-TUD.bin, and then click Save.
7. Log on to MUN-DC1 with the TREYRESEARCH\Administrator account and the password Pa$$w0rd.
8. In Server Manager, click Tools, and then click Active Directory Rights Management Services.
9. In the Active Directory Rights Management Services console, expand MUN-DC1, expand the Trust Policies node, and then click the Trusted User Domains node.
10. In the Actions pane, click Export Trusted User Domains.
11. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file name to TREYRESEARCH-TUD.bin, and then click Save.

Task 2: Export the Trusted Publishing Domains policy


1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
3. In the Actions pane, click Export Trusted Publishing Domains.
4. In the Export Trusted Publishing Domain dialog box, click Save As.
5. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set the file name to ADATUM-TPD.xml, and then click Save.
6. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and then click Finish.
7. Switch to MUN-DC1.
8. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
9. In the Actions pane, click Export Trusted Publishing Domains.
10. In the Export Trusted Publishing Domain dialog box, click Save As.
11. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set the file name to TREYRESEARCH-TPD.xml, and then click Save.
12. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and then click Finish.

Task 3: Import the Trusted User Domain policy from the partner domain
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted User Domains node.
3. In the Actions pane, click Import Trusted User Domain.
4. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
   o Trusted user domain file: \\LON-SVR1\Export\TREYRESEARCH-TUD.bin
   o Display Name: Trey Research
5. Switch to MUN-DC1.
6. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted User Domains node.
7. In the Actions pane, click Import Trusted User Domain.
8. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
   o Trusted user domain file: \\LON-SVR1\Export\ADATUM-TUD.bin
   o Display Name: Adatum

Task 4: Import the Trusted Publishing Domains policy from the partner domain
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
3. In the Actions pane, click Import Trusted Publishing Domain.
4. In the Import Trusted Publishing Domain dialog box, enter the following information, and then click Finish:
   o Trusted publishing domain file: \\LON-SVR1\export\TREYRESEARCH-TPD.xml
   o Password: Pa$$w0rd
   o Display Name: Trey Research
5. Switch to MUN-DC1.
6. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
7. In the Actions pane, click Import Trusted Publishing Domain.
8. In the Import Trusted Publishing Domain dialog box, provide the following information, and then click Finish:
   o Trusted publishing domain file: \\LON-SVR1\export\adatum-tpd.xml
   o Password: Pa$$w0rd
   o Display Name: Adatum

Task 5: Configure anonymous access to the AD RMS licensing server


1. Switch to LON-SVR1.
2. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
3. In Internet Information Services (IIS) Manager, expand LON-SVR1\Sites\Default Web Site\_wmcs.
4. Right-click licensing, and then click Switch to Content View.
5. Right-click license.asmx, and then click Switch to Features View.
6. Double-click Authentication, click Anonymous Authentication, and in the Actions pane, click Enable.
7. Right-click licensing, and then click Switch to Content View.
8. Right-click ServiceLocator.asmx, and then click Switch to Features View.
9. Double-click Authentication, click Anonymous Authentication, and in the Actions pane, click Enable.
10. Close Internet Information Services (IIS) Manager.

Results: After completing this exercise, you should have implemented the AD RMS trust policies.

Exercise 4: Verifying the AD RMS Deployment


Task 1: Create a rights-protected document
1. Log on to LON-CL1 as Adatum\Aidan using the password Pa$$w0rd.
2. On the Start screen, type Word.
3. In the Results area, click Microsoft Word 2010.
4. In the User Name dialog box, click OK.
5. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click OK. In the document, type the following text: This document is for executives only, it should not be modified.
6. Click File, click Protect Document, click Restrict Permission by People, and then click Manage Credentials.
7. In the Windows Security dialog box, enter the following credentials:
   o User name: Aidan
   o Password: Pa$$w0rd
8. Enable Remember My Credentials, and then click OK.
9. In the Select User dialog box, click OK.
10. In the Permission dialog box, enable Restrict Permission to this document.
11. In the Read text box, type bill@adatum.com, and then click OK.
12. Click Save.
13. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as Executives Only.docx.
14. Go to the Start screen, click the Aidan Delaney icon, and then click Sign out.

Task 2: Verify internal access to protected content


1. Log on to LON-CL1 as Adatum\Bill using the password Pa$$w0rd.
2. On the Start screen, click Desktop.
3. On the taskbar, click the Windows Explorer icon.
4. In the Windows Explorer window, navigate to \\lon-svr1\docshare.
5. Double-click the Executives Only document.
6. In the User Name dialog box, click OK.
7. In the Microsoft Word dialog box, click Yes.
8. In the Windows Security dialog box, enter the following credentials, select Remember my credentials, and then click OK:
   o Username: Bill
   o Password: Pa$$w0rd
9. In the Select User dialog box, ensure that bill@adatum.com is selected, and then click OK.
10. In the Microsoft Office dialog box, click OK.
11. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click OK.
12. When the document opens, verify that you are unable to modify or save the document.
13. Select a line of text in the document.
14. Right-click the text, and verify that you cannot make changes.
15. Click View Permission, review the permissions, and then click OK.
16. Go to the Start screen, click the Bill Malone icon, and then click Sign out.

Task 3: Open the rights-protected document as an unauthorized user


1. Log on to LON-CL1 as Adatum\Carol using the password Pa$$w0rd.
2. On the Start screen, click Desktop.
3. On the taskbar, click the Windows Explorer icon.
4. In the Windows Explorer window, navigate to \\lon-svr1\docshare.
5. Double-click the Executives Only document.
6. Verify that Carol is unable to open the document.
7. Go to the Start screen, click the Carol Troup icon, and then click Sign out.

Task 4: Open and edit the rights-protected document as an authorized user at Trey Research
1. Log on to LON-CL1 as Adatum\Aidan using the password Pa$$w0rd.
2. On the Start screen, type Word.
3. In the Results area, click Microsoft Word 2010. In the document, type the following text: This document is for Trey Research only, it should not be modified.
4. Click File, click Protect Document, click Restrict Permission by People, and then click Manage Credentials.
5. In the Select User dialog box, click OK.
6. In the Permission dialog box, enable Restrict Permission to this document.
7. In the Read text box, enter april@treyresearch.net, click OK, and then click Save.
8. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as TreyResearch-Confidential.docx.
9. Go to the Start screen, click the Aidan Delaney icon, and then click Sign Out.
10. Log on to MUN-CL1 as TREYRESEARCH\APRIL.
11. On the Start screen, click Desktop.
12. On the taskbar, click the Windows Explorer icon.
13. In the Windows Explorer window, navigate to \\lon-svr1\docshare.
14. In the Windows Security dialog box, enter the following credentials, and then click OK:
   o Username: Adatum\Administrator
   o Password: Pa$$w0rd
15. Copy the file TreyResearch-Confidential.docx to the desktop.
16. Double-click the file.
17. In the User Name dialog box, click OK.
18. In the Microsoft Word dialog box, click Yes.
19. In the Windows Security dialog box, enter the following credentials, select Remember my credentials, and then click OK:
   o Username: April
   o Password: Pa$$w0rd
20. In the Select User dialog box, ensure that april@treyresearch.net is selected, and then click OK.
21. In the Microsoft Office dialog box, click OK.
22. In the Welcome to Microsoft Office 2010 dialog box, click Don't make changes, and then click OK.
23. When the document opens, verify that you are unable to modify or save the document.
24. Select a line of text in the document.
25. Right-click the text, and verify that you cannot make changes.
26. Click View Permission, review the permissions, and then click OK.

Results: After completing this exercise, you should have verified that the AD RMS deployment is successful.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-SVR1, 20412A-MUN-DC1, 20412A-LON-CL1, and 20412A-MUN-CL1.

Module 12: Implementing Active Directory Federation Services

Lab: Implementing AD FS
Exercise 1: Configuring AD FS Prerequisites
Task 1: Configure DNS forwarders
1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. Expand LON-DC1, and then click Conditional Forwarders.
3. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
4. In the DNS Domain dialog box, type TreyResearch.net.
5. Click in the IP address column, and type 172.16.10.10. Press Enter, and then click OK.
6. Close the DNS Manager.
7. On MUN-DC1, in Server Manager, click Tools, and then click DNS.
8. Expand MUN-DC1, and then click Conditional Forwarders.
9. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
10. In the DNS Domain box, type Adatum.com.
11. Click in the IP address column, and type 172.16.0.10. Press Enter, and then click OK.
12. Close the DNS Manager.

Task 2: Exchange root certificates to enable certificate trusts


1. On LON-DC1, access the Search page.
2. In the Search box, type \\MUN-DC1.treyresearch.net\certenroll, and then press Enter.
3. In the CertEnroll window, right-click the MUN-DC1.TreyResearch.net_TreyResearchCA.crt file, and then click Copy.
4. In the left pane, click Documents, and then paste the file into the Documents folder.
5. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
6. In the Console1 window, click File, and then click Add/Remove Snap-in.
7. Click Group Policy Management Editor, and then click Add.
8. In Group Policy Object, click Browse.
9. Click Default Domain Policy, and then click OK.
10. Click Finish, and then click OK.
11. Double-click Default Domain Policy. In the console tree, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
12. Right-click Trusted Root Certification Authorities, and then click Import.
13. On the Welcome to the Certificate Import Wizard page, click Next.
14. On the File to Import page, click Browse.
15. In the Open window, click MUN-DC1.TreyResearch.net_TreyResearchCA.crt, click Open, and then click Next.
16. On the Certificate Store page, verify that Place all certificates in the following store is selected, verify that the Trusted Root Certification Authorities store is listed, and then click Next.
17. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
18. Close the Group Policy Management Editor without saving changes.
19. On MUN-DC1, access the Search page.
20. In the Search box, type \\LON-DC1.adatum.com\certenroll, and then press Enter.
21. In the CertEnroll window, right-click the LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt file, and then click Copy.
22. In the left pane, click Documents, and paste the file into the Documents folder.
23. Open a Windows PowerShell command prompt, type MMC, and then press Enter.
24. In the Console1 window, click File, and then click Add/Remove Snap-in.
25. Click Certificates, and then click Add.
26. Click Computer Account, and then click Next.
27. Verify that Local computer is selected, click Finish, and then click OK.
28. Expand Certificates, and then click Trusted Root Certification Authorities.
29. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.
30. On the Welcome to the Certificate Import Wizard page, click Next.
31. On the File to Import page, click Browse.
32. In the Open window, click LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt, click Open, and then click Next.
33. On the Certificate Store page, verify that Place all certificates in the following store is selected, verify that the Trusted Root Certification Authorities store is listed, and then click Next.
34. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
35. Close Console1 without saving changes.
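The same import that steps 19 through 35 perform in the MMC on MUN-DC1, done from Windows PowerShell with the checks a practitioner would want before placing anything in the computer's Trusted Root store. This is an added example, not part of the lab; it assumes the .crt file was copied to the Documents folder as in steps 21 and 22, and that the CA's subject name matches the file name (labelled as an assumption in the code).

```powershell
# Added example (not part of the lab): import the A. Datum root CA certificate
# on MUN-DC1 into the computer's Trusted Root store, after checking that the
# file really is a self-signed CA certificate. Assumes the .crt was copied to
# the Documents folder as in steps 21-22 above.
$certPath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) `
                      'LON-DC1.Adatum.com_Adatum-LON-DC1-CA.crt'

# Load the certificate without touching any store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# A root certificate must be self-signed (subject == issuer) and carry the
# Basic Constraints extension with CA=TRUE. Refuse anything else: everything
# placed in LocalMachine\Root is trusted for every purpose on this machine.
$basic = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($cert.Subject -ne $cert.Issuer -or -not $basic -or -not $basic.CertificateAuthority) {
    throw "'$certPath' is not a self-signed CA certificate; not importing it as a root."
}

# Assumption: the partner CA's subject contains the CA name used in the file
# name. Comparing the name before import catches a copied-in wrong file.
if ($cert.Subject -notmatch 'Adatum-LON-DC1-CA') {
    throw "Unexpected subject '$($cert.Subject)'; expected the Adatum-LON-DC1-CA root."
}

Write-Host "Importing $($cert.Subject) (thumbprint $($cert.Thumbprint))"
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify the import by thumbprint rather than by display name.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) {
    throw 'Import failed: certificate not found in Cert:\LocalMachine\Root.'
}
Write-Host "Trusted root installed: $($installed.Subject), valid until $($installed.NotAfter)"
```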

Task 3: Request and install a certificate for the web server


1. On LON-SVR1, in Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, click LON-SVR1 (Adatum\Administrator). Click No to dismiss the message that displays.
3. In the middle pane, double-click Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. On the Distinguished Name Properties page, enter the settings as listed below, and then click Next.
   o Common name: LON-SVR1.adatum.com
   o Organization: A. Datum
   o Organization unit: IT
   o City/locality: London
   o State/province: England
   o Country/region: GB
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.
7. Select Adatum-LON-DC1-CA, and then click OK.
8. In Friendly name, type LON-SVR1.adatum.com, and then click Finish.

Task 4: Bind the certificate to the claims-aware application on the web server, and verify application access
1. On LON-SVR1, in Internet Information Services (IIS) Manager, expand Sites, click Default Web Site, and then in the Actions pane, click Bindings.
2. In the Site Bindings dialog box, click Add.
3. In the Add Site Binding dialog box, under Type, select https, and under Port, verify that 443 is selected.
4. In the SSL Certificate drop-down list, click LON-SVR1.adatum.com, and then click OK.
5. Click Close, and then close Internet Information Services (IIS) Manager.
6. On LON-DC1, open Windows Internet Explorer.
7. Connect to https://lon-svr1.adatum.com/adatumtestapp. Verify that you can connect to the site, but that you receive a 401 access denied error. This is expected because you have not yet configured AD FS for authentication.
8. Close Internet Explorer.

Results: In this exercise, you configured DNS forwarding to enable name resolution between A. Datum and Trey Research, and you exchanged root certificates between the two organizations. You also installed and configured a web certificate on the application server.

Exercise 2: Installing and Configuring AD FS


Task 1: Install and configure AD FS
1. On LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box, click Add Features, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Select role services page, click Next.
9. On the Confirm installation selections page, click Install, and wait for the installation to finish. Do not close the window.

Task 2: Create a standalone federation server using the AD FS Federation Server Configuration Wizard
1. On the Installation progress page, click Run the AD FS Management snap-in.
2. In the Overview pane, click the AD FS Federation Server Configuration Wizard link.
3. On the Welcome page, ensure that Create a new Federation Service is selected, and then click Next.
4. On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and then click Next.
5. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is LON-DC1.Adatum.com, the Port is 443, and the Federation Service name is LON-DC1.Adatum.com, and then click Next.
6. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and then click Next.
7. Wait for the configuration to finish, and then click Close.

Task 3: Verify that FederationMetaData.xml is present and contains valid data


1. Log on to the LON-CL1 virtual machine as Adatum\Brad using the password Pa$$w0rd.
2. Click the Desktop tile, and then open Internet Explorer.
3. Click the Tools icon at the top right corner, and then click Internet options.
4. On the Security tab, click Local intranet.
5. Click Sites, and clear the Automatically detect intranet network check box.
6. Click Advanced, and in the Add this website to the zone box, type https://lon-dc1.adatum.com, and then click Add.
7. Type https://lon-svr1.adatum.com, click Add, and then click Close.
8. Click OK twice.
9. Connect to https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
10. Verify that the XML file opens successfully, and scroll through its contents.
11. Close Internet Explorer.

Results: In this exercise, you installed and configured the AD FS server role, and verified a successful installation by viewing the contents of FederationMetaData.xml.

Exercise 3: Configuring AD FS for a Single Organization


Task 1: Configure a Token-signing certificate for LON-DC1.Adatum.com
1. On the LON-DC1 virtual machine, in Server Manager, click Tools, and then click Windows PowerShell.
2. At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press Enter. This step is required so that you can modify the certificates that AD FS uses.
3. Close the Windows PowerShell window.
4. In Server Manager, click Tools, and then click AD FS Management.
5. In the AD FS console, in the left pane, expand Service, and then click Certificates.
6. Right-click Certificates, and then click Add Token-Signing Certificate.
7. In the Select a token signing certificate dialog box, click the first certificate with the name LON-DC1.Adatum.com, and then click Click here to view certificate properties.
8. Verify that the certificate purposes include Proves your identity to a remote computer and Ensures the identity of a remote computer, and click OK. The certificate may also have other purposes, but these two are required. If the certificate does not have the intended purposes, view the properties of the other certificates until you find one with the intended purposes. Click OK.
9. When the AD FS Management warning dialog box displays, click OK.

Note: Verify that the certificate has a subject of CN=LON-DC1.Adatum.com. If no name displays under the Subject when you add the certificate, delete the certificate, and add the next certificate in the list.

10. Right-click the newly-added certificate, and then click Set as Primary. Review the warning message, and then click Yes.
11. Select the certificate that has just been superseded, right-click the certificate, and then click Delete. Click Yes to confirm the deletion.

Task 2: Configure the Active Directory claims provider trust


1. On LON-DC1, in the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts.
2. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
3. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule.
4. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.
5. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
6. In the Attribute Store drop-down list, select Active Directory.
7. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for the LDAP Attribute and the Outgoing Claim Type:
   o E-Mail-Addresses = E-Mail Address
   o User-Principal-Name = UPN
   o Display-Name = Name
8. Click Finish, and then click OK.

Task 3: Configure the claims application to trust incoming claims by running the Windows Identity Foundation Federation Utility
1. On LON-SVR1, go to the Start screen, and then click Windows Identity Foundation Federation Utility.
2. On the Welcome to the Federation Utility wizard page, in Application configuration location, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the web.config file of the Windows Identity Foundation sample application.
3. In Application URI, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path to the sample application that will trust the incoming claims from the federation server.
4. Click Next to continue.
5. On the Security Token Service page, select Use an existing STS, type https://lon-dc1.adatum.com/federationmetadata/2007-06/federationmetadata.xml for the STS WS-Federation metadata document location, and then click Next to continue.
6. On the Security token encryption page, select No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.
8. On the Summary page, review the changes that will be made to the sample application by the Federation Utility wizard, scroll through the items to understand what each item is doing, and then click Finish. Click OK.

Task 4: Configure a relying party trust for the claims-aware application


1. On LON-DC1, in the AD FS Management console, click AD FS.
2. In the middle pane, click Required: Add a trusted relying party.
3. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or on a local network, and then type https://lon-svr1.adatum.com/adatumtestapp.
5. Click Next to continue. This action prompts the wizard to check for the metadata of the application that the web server role hosts.
6. On the Specify Display Name page, in the Display name box, type ADatum Test App, and then click Next.
7. On the Choose Issuance Authorization Rules page, ensure that Permit all users to access this relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. The Edit Claim Rules for ADatum Test App window opens.

Task 5: Configure claim rules for the relying party trust


1. In the Edit Claim Rules for ADatum Test App properties dialog box, on the Issuance Transform Rules tab, click Add Rule.
2. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next. This action passes an incoming claim through to the user by means of Integrated Windows authentication.
3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name rule. In the Incoming claim type drop-down list, select Windows account name, and then click Finish.
4. Click Add Rule.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule, in the Incoming claim type drop-down list, select E-mail Address, and then click Finish.
7. Click Add Rule.
8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule, in the Incoming claim type drop-down list, select UPN, and then click Finish.
10. Click Add Rule.
11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule, in the Incoming claim type drop-down list, select Name, and then click Finish.
13. Click Apply, and then click OK.
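The rules that Task 2 (the Send LDAP Attributes as Claims acceptance rule on the Active Directory claims provider trust) and Task 5 (the four pass-through issuance rules on the relying party trust) create through the wizard, written out in AD FS claim rule language and applied with the AD FS cmdlets. This is an added example, not part of the lab; it assumes the display names used above and the Windows Server 2012 AD FS cmdlets (Set-ADFSClaimsProviderTrust and Set-ADFSRelyingPartyTrust), and the rule text is the standard form those two templates produce. Seeing the rules as text makes clear what the wizard is granting: a directory lookup keyed on the authenticated Windows account, and an explicit list of claim types that are forwarded, with anything else dropped.

```powershell
# Added example (not part of the lab): the Task 2 and Task 5 claim rules in
# claim rule language, applied with the Server 2012 AD FS cmdlets.
# Assumes the AD FS snap-in is loaded (Add-PSSnapin Microsoft.Adfs.PowerShell).

# Claim type URIs used by the built-in templates.
$WinAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Email   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Upn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Name    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Task 2: acceptance transform rule on the "Active Directory" claims provider
# trust. For the authenticated Windows account it reads mail, userPrincipalName
# and displayName from the directory and issues them as E-Mail Address, UPN and
# Name claims. The Issuer == "AD AUTHORITY" condition limits the lookup to
# accounts this farm authenticated itself, not to claims received from a partner.
$acceptanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("$Email", "$Upn", "$Name"),
          query = ";mail,userPrincipalName,displayName;{0}",
          param = c.Value);
"@

Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
                            -AcceptanceTransformRules $acceptanceRules

# Task 5: issuance transform rules on the relying party trust. A pass-through
# rule copies an incoming claim of exactly one type into the token unchanged.
# Because the types are listed explicitly, any other incoming claim type is
# not forwarded to the application.
$passThrough = foreach ($pair in @(
        @{ Name = 'Pass through Windows Account name rule'; Type = $WinAcct },
        @{ Name = 'Pass through E-mail Address rule';       Type = $Email },
        @{ Name = 'Pass through UPN rule';                  Type = $Upn },
        @{ Name = 'Pass through Name rule';                 Type = $Name })) {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "$($pair.Name)"
c:[Type == "$($pair.Type)"]
 => issue(claim = c);
"@
}

Set-ADFSRelyingPartyTrust -TargetName 'ADatum Test App' `
                          -IssuanceTransformRules ($passThrough -join "`n")

# Read back what is now configured, to compare with the GUI's rule editor.
(Get-ADFSClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name 'ADatum Test App').IssuanceTransformRules
```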

Task 6: Test access to the claims-aware application


1. On LON-CL1, open Internet Explorer.
2. Connect to https://lon-svr1.adatum.com/AdatumTestApp/

Note: Ensure that you type the trailing forward slash (/).

3. If you are prompted for credentials, type Adatum\Brad with password Pa$$w0rd, and then press Enter. The page renders, and you see the claims that were processed to allow access to the web site.

Results: In this exercise, you configured a Token signing certificate and configured a claims provider trust for Adatum.com. You also should have configured the sample application to trust incoming claims, and configured a relying party trust and associated claim rules. You also tested access to the sample Windows Identity Foundation application in a single organization scenario.

Exercise 4: Configuring AD FS for Federated Business Partners


Task 1: Add a claims provider trust for the TreyResearch.net AD FS server
1. 2. 3. 4. 5. 6. 7. 8. On LON-DC1, if required, in Server Manager, click Tools, and then click AD FS Management. In the AD FS console, expand Trust Relationships, and then click Claims Provider Trusts. In the Actions pane, click Add Claims Provider Trust. On the Welcome page, click Start.

On the Select Data Source page, select Import data about the claims provider published online or on a local network, type https://mun-dc1.treyresearch.net, and then click Next. On the Specify Display Name page, click Next.

On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to save the configuration. On the Finish page, click Close.

MCT USE ONLY. STUDENT USE PROHIBITED

L12-102

Module 12: Implementing Active Directory Federation Services

9.

In the Edit Claim Rules for mun-dc1.treyresearch.net properties dialog box, on the Acceptance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next. 11. In the Claim rule name text box, type Pass through Windows account name rule. 12. In the Incoming claim type drop-down list, select Windows account name. 13. Select Pass through all claim values, and then click Finish. Click Yes. 14. Click OK, and then close the AD FS console. 15. On LON-DC1, in Server Manager, click Tools, and then click Windows PowerShell. 16. At the command prompt, type the following command, and then press Enter:
Set-ADFSClaimsProviderTrust -TargetName mun-dc1.treyresearch.net -SigningCertificateRevocationCheck None

17. Close the Windows PowerShell window.

Task 2: Configure a relying party trust on MUN-DC1 for the A. Datum claims-aware application
1. On MUN-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS console, on the Overview page, click Required: Add a trusted relying party.
3. On the Welcome page, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or on a local network, type https://lon-dc1.adatum.com, and then click Next.
5. On the Specify Display Name page, in the Display name text box, type Adatum TestApp, and then click Next.
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.
7. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.
8. On the Finish page, click Close. The Edit Claim Rules for Adatum TestApp window opens.
9. In the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click Add Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.
11. In the Claim rule name box, type Pass through Windows account name rule, and in the Incoming claim type drop-down list, select Windows account name.
12. Select Pass through all claim values, and then click Finish.
13. Click OK, and then close the AD FS console.

Task 3: Verify access to the A. Datum test application for Trey Research users
1. On MUN-DC1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/.


Note: The logon process has changed, and you must now select an authority that can authorize and validate the access request. The Home Realm Discovery page (the Sign In page) appears, and you must select an authority.

2. On the Sign In page, select mun-dc1.treyresearch.net, and then click Continue to Sign in.
3. When prompted for credentials, type TreyResearch\April with the password Pa$$w0rd, and then press Enter.
4. You should be able to access the application.
5. Close Internet Explorer.
6. Open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/ again.
7. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press Enter. You should be able to access the application. Close Internet Explorer.

Note: You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party federation server. The default lifetime for the cookie is 30 days. Therefore, to log on multiple times, you should delete that cookie after each logon attempt to return to a clean state.

Task 4: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a specific group
1. On MUN-DC1, open the AD FS console, expand Trust Relationships, and then click Relying Party Trusts.
2. Select Adatum TestApp, and in the Actions pane, click Edit Claim Rules.
3. In the Edit Claim Rules for Adatum TestApp window, on the Issuance Transform Rules tab, click Add Rule.
4. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim, and then click Next.
5. On the Configure Rule page, in the Claim rule name field, type Permit Production Group Rule.
6. Next to Users Group, click Browse, type Production, and then click OK.
7. Under Outgoing claim type, click Group.
8. Under Outgoing claim value, type Production, and then click Finish. Click OK.
9. On LON-DC1, if required, open the AD FS Management console.
10. In the AD FS console, expand Trust Relationships, and then click Claim Provider Trusts.
11. Select mun-dc1.treyresearch.net, and in the Actions pane, click Edit Claim Rules.
12. On the Acceptance Transform Rules tab, click Add Rule.
13. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
14. On the Configure Rule page, in Claim rule name, type Send Production Group Rule.
15. In the Incoming claim type drop-down list, click Group, and then click Finish. Click Yes, and then click OK.
16. In the AD FS console, under Trust Relationships, click Relying Party Trusts.


17. Select the Adatum Test App, and in the Actions pane, click Edit Claim Rules.
18. On the Issuance Transform Rules tab, click Add Rule.
19. Under Claim rule template, click Pass Through or Filter an Incoming Claim, and then click Next.
20. Under Claim rule name, type Send TreyResearch Group Name Rule.
21. In the Incoming claim type drop-down list, click Group, and then click Finish.
22. In the Edit Claim Rules for Adatum Test App window, on the Issuance Authorization Rules tab, select the rule named Permit Access to All Users, and then click Remove Rule. Click Yes to confirm. With no rules, no users are permitted access.
23. On the Issuance Authorization Rules tab, click Add Rule.
24. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
25. On the Configure Rule page, in Claim rule name, type Permit TreyResearch Production Group Rule, in the Incoming claim type drop-down list, select Group, in Incoming claim value, type Production, select the option to Permit access to users with this incoming claim, and then click Finish.
26. On the Issuance Authorization Rules tab, click Add Rule.
27. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
28. On the Configure Rule page, in the Claim rule name field, type Temp, in the Incoming claim type drop-down list, select UPN, in the Incoming claim value field, type @adatum.com, select the option to Permit access to users with this incoming claim, and then click Finish.
29. Click the Temp rule, and click Edit Rule.
30. In the Edit Rule Temp dialog box, click View Rule Language.
31. Press Ctrl + C to copy the rule language to the clipboard, and then click OK.
32. Click Cancel.
33. Click the Temp rule, click Remove Rule, and then click Yes.
34. On the Issuance Authorization Rules tab, click Add Rule.
35. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
36. On the Configure Rule page, in the Claim rule name field, type ADatum User Access Rule.
37. Click in the Custom rule box, and then press Ctrl + V to paste the clipboard contents into the box. Edit the first URL to match the following text, and then click Finish.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Note: This rule enables access to anyone who presents a claim that includes a User Principal Name (UPN) with the suffix @adatum.com. The Value expression in the first URL defines the attribute that must be matched in the claim. In this expression, ^ indicates the beginning of the string to match, (?i) means that the match is case insensitive, .+ matches one or more characters, and $ marks the end of the string.


38. Click OK to close the property page, and save the changes to the relying party trust.
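The Task 1 and Task 4 configuration as an added PowerShell example (not part of the lab or the course materials): the same trusts and claim rules set with the ADFS module cmdlets instead of the console. The lab's trust names are assumed, and the Production group SID is a placeholder.

```powershell
# Added example, not part of the lab: the Task 1 and Task 4 settings expressed
# with the ADFS PowerShell module instead of the AD FS console. Assumes the
# lab's trust names; the Production group SID is a placeholder. Each -*Rules
# parameter replaces the trust's whole rule set, so earlier rules must be kept in it.
Import-Module ADFS

# --- MUN-DC1 (Trey Research, claims provider side) ---
# Issuance transform rule: membership in Production becomes a Group claim.
$treyTransformRules = @'
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-PRODUCTION-SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Production", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@
Set-AdfsRelyingPartyTrust -TargetName "Adatum TestApp" -IssuanceTransformRules $treyTransformRules

# --- LON-DC1 (A. Datum, relying party side) ---
# Task 1 lab shortcut: revocation checking of the partner's token-signing
# certificate is switched off. Leave the default (checking on) in production.
Set-AdfsClaimsProviderTrust -TargetName "mun-dc1.treyresearch.net" -SigningCertificateRevocationCheck None

# Acceptance rules: pass the partner's Windows account name and Group claims through.
$acceptanceRules = @'
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
@RuleName = "Send Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "mun-dc1.treyresearch.net" -AcceptanceTransformRules $acceptanceRules

# Relying party trust for the test app: forward the Group claim, and, with
# "Permit Access to All Users" removed, permit only a Production Group claim
# or an adatum.com UPN. A token carrying neither is denied.
$adatumTransformRules = @'
@RuleName = "Send TreyResearch Group Name Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
$authorizationRules = @'
@RuleName = "Permit TreyResearch Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Production"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
@RuleName = "ADatum User Access Rule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
Set-AdfsRelyingPartyTrust -TargetName "Adatum Test App" -IssuanceTransformRules $adatumTransformRules `
    -IssuanceAuthorizationRules $authorizationRules
```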

Task 5: Verify restrictions and accessibility to the claims-aware application


1. On MUN-DC1, open Internet Explorer, and connect to https://lon-svr1.adatum.com/adatumtestapp/.
2. When prompted for credentials, type TreyResearch\April with password Pa$$w0rd, and then press Enter.
3. April is not a member of the Production group, so she should not be able to access the application.
4. Close Internet Explorer.
5. Re-open Internet Explorer, click the Tools icon in the top right corner, and then click Internet options.
6. Under Browsing history, click Delete, click Delete again, and then click OK.
7. Connect to https://lon-svr1.adatum.com/adatumtestapp/.
8. On the Sign In page, click mun-dc1.treyresearch.net, and then click Continue to Sign in.
9. When prompted for credentials, type TreyResearch\Morgan with password Pa$$w0rd, and then press Enter. Morgan is a member of the Production group, and should be able to access the application. Close Internet Explorer.

Results: In this exercise, you configured a claims provider trust for TreyResearch on Adatum.com, and a relying party trust for Adatum on TreyResearch. You verified access to the A. Datum claims-aware application. Then you configured the application to restrict access from TreyResearch to specific groups, and you verified appropriate access.

To shut down the virtual machines


When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20412A-MUN-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412A-LON-CL1, 20412A-LON-SVR1, and 20412A-LON-DC1.
