
Microsoft 70-410

Installing and Configuring Windows Server 2012


ABOUT THE EXAM
The Microsoft 70-410 exam is part one of a series of three exams that test the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment. Passing this exam validates a candidate's ability to implement and configure Windows Server 2012 core services, such as Active Directory and the networking services. Passing this exam along with the other two exams confirms that a candidate has the skills and knowledge necessary for implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.

Six major topics make up the Microsoft 70-410 Certification. The topics are as follows:
Install and Configure Servers
Configure Server Roles and Features
Configure Hyper-V
Deploy and Configure Core Network Services
Install and Administer Active Directory
Create and Manage Group Policy

This guide will walk you through all the skills measured by the exam, as published by Microsoft.

OBJECTIVES

CHAPTER 1: INSTALL AND CONFIGURE SERVERS
1.1 Install servers
1.2 Configure servers
1.3 Configure local storage

CHAPTER 2: CONFIGURE SERVER ROLES AND FEATURES
2.1 Configure file and share access
2.2 Configure print and document services
2.3 Configure servers for remote management

CHAPTER 3: CONFIGURE HYPER-V
3.1 Create and configure virtual machine settings
3.2 Create and configure virtual machine storage
3.3 Create and configure virtual networks

CHAPTER 4: DEPLOY AND CONFIGURE CORE NETWORK SERVICES
4.1 Configure IPv4 and IPv6 addressing
4.2 Deploy and configure Dynamic Host Configuration Protocol (DHCP) service
4.3 Deploy and configure DNS service

CHAPTER 5: INSTALL AND ADMINISTER ACTIVE DIRECTORY
5.1 Install domain controllers
5.2 Create and manage Active Directory users and computers
5.3 Create and manage Active Directory groups and organizational units (OUs)

CHAPTER 6: CREATE AND MANAGE GROUP POLICY
6.1 Create Group Policy objects
6.2 Configure security policies
6.3 Configure application restriction policies
6.4 Configure Windows Firewall


CHAPTER 1 INSTALL AND CONFIGURE SERVERS

1.1 INSTALL SERVERS

Plan for a server installation

Server operating systems differ from a desktop OS in that they are often optimized for handling processes that run behind the scenes (background processes).
The Foundation version has a limitation of 15 user accounts and is available only for OEMs.
The Essentials version has a limit of 25 user accounts with support for preconfigured connectivity.
The Standard version has full Windows Server functionality with a max of two virtual instances.
The Datacenter version offers unlimited virtual instances.

Plan for server roles

A server can be configured to perform specific roles. The applications that the server runs determine the particular server's role. For a server to undertake a role, additional services and features will have to be installed. This is why the server's role is the single most important factor in determining the hardware that a server requires. Normally you add roles through the Server Manager Dashboard upon setup completion.


Plan for a server upgrade

If you are running Windows Server 2008 Standard with SP2 or Windows Server 2008 Enterprise with SP2, you may upgrade to Windows Server 2012 Standard or Windows Server 2012 Datacenter.
If you are running Windows Server 2008 Datacenter with SP2, you may upgrade to Windows Server 2012 Datacenter only.
If you are running Windows Web Server 2008, you may upgrade to Windows Server 2012 Standard only.

Install Server Core

When you install Server 2012, you may choose between Server Core Installation and Server with a GUI, which is the Full installation option. You can start a Server with a GUI installation and then remove the Graphical Shell so the end result is a Minimal Server Interface.

Optimize resource utilization by using Features on Demand

Features on Demand is available only in Windows Server 2012 and Win8. The goal is to be able to remove or add roles and features remotely. For this to work there should be a side-by-side feature store available that keeps the feature files.

Migrate roles from previous versions of Windows Server

You can use the Windows Server Migration Tools to migrate roles. First you install Windows Server Migration Tools on the destination 2012 servers. Next, you create the deployment folders and copy them from the destination servers to the source servers. Finally, you register Windows Server Migration Tools on the source servers.

1.2 CONFIGURE SERVERS

Configure Server Core

If you are running a Server Core installation, you use sconfig to perform server configuration. It has a number of options for you to choose from. The tool presents a menu with options you can choose by pressing keys. You can set the domain name or workgroup name, set the computer name, add a new local admin and configure remote management. You can also configure Windows Update.

Delegate administration

The Enterprise Admins, Domain Admins, Administrators, and Account Operators groups can create new computer objects in any OU. Delegation of the permission to create computer objects can reduce administrative overhead. This can be done by assigning the permissions to an OU's group so that local members of that OU can create computer objects only in that OU. This is achieved via the Delegate Control Wizard.

Add and remove features in offline images

In DISM you can switch from a Server with a GUI installation to Server Core. From an elevated command prompt you run dism /online /disable-feature /featurename:ServerCore-FullServer.
To switch from Server Core to the Server with a GUI you run dism /online /enable-feature /featurename:ServerCore-FullServer /featurename:Server-Gui-Shell /featurename:Server-Gui-Mgmt.
To reboot the server, run shutdown -r -f.




Deploy roles on remote servers

To install, configure and uninstall server roles locally, use Server Manager or the Windows PowerShell. Remotely you may use Server Manager, Remote Server, RSAT, or the Windows PowerShell. RSAT in particular provides you with Server Manager, MMC snap-ins, consoles and PowerShell cmdlets that run on Windows Server. There are many different versions of RSAT, supporting from Vista to Windows Server 2012.

Convert Server Core to/from full GUI

To convert to a Server Core installation, you run Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart. On the other hand, to convert from a core-only installation to a server with a GUI you run Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart.

Configure services

Windows Server will start the Server Manager automatically upon installation completion and then at every server startup. Server Manager is the primary console for server configuration and management. You can manage both the local server and the networked servers via Server Manager. You can configure whether Server Manager should be invoked every time you start the server. You can also set how often it refreshes the information it displays.

Configure NIC teaming

NIC teaming refers to the process of grouping together multiple physical NICs into a single logical NIC for achieving fault tolerance and load balancing. Link aggregation through LACP in the form of NIC teaming is not the same as MPIO. It cannot improve the throughput of a single I/O flow. It does improve throughput when you have several unique flows. Windows Server 2012 has built-in support for NIC Teaming. It can be enabled via Server Manager. A maximum of 32 physical adapters can be used together. Note that Windows Server 2012 supports teaming as a Hyper-V switch port if your virtual machines are using independent MAC addresses.
Alternatively, a hash can be created based upon components of the packet, and then assignment can be made dynamically to the available network adapters. In the case of a VM, each Hyper-V switch port associated with a virtual machine that is teaming-capable must allow MAC spoofing.
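
The two teaming cases described above, as an added PowerShell example that is not from the original guide: a host-side team that backs a Hyper-V switch, and a VM that teams inside the guest and therefore needs MAC spoofing allowed on its switch port. The adapter, team, switch and VM names are assumptions.

```powershell
# Host side: group two physical adapters into one logical NIC.
# Switch-independent mode needs no LACP configuration on the physical switch.
# Address-hash load balancing spreads distinct flows across the members, but a
# single flow still never exceeds one adapter, as the text says.
New-NetLbfoTeam -Name "Team1" -TeamMembers "NIC1", "NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# A third member can be added later without recreating the team (the limit is 32).
Add-NetLbfoTeamMember -Name "NIC3" -Team "Team1" -Confirm:$false

# Every member should be Active; a Failed member is the fault-tolerance case in action.
Get-NetLbfoTeamMember -Team "Team1" | Select-Object Name, AdministrativeMode, OperationalStatus

# Use the team interface (named after the team by default) as the uplink of an external
# virtual switch, and keep the host's own management traffic off it.
New-VMSwitch -Name "Prod-vSwitch" -NetAdapterName "Team1" -AllowManagementOS $false

# Guest side: a VM that builds its own team from two virtual NICs sends frames whose
# source MAC differs from the MAC Hyper-V assigned to the port. The port must permit
# MAC spoofing for those frames, otherwise the virtual switch drops them.
Add-VMNetworkAdapter -VMName "App01" -SwitchName "Prod-vSwitch" -Name "Team NIC 2"
Set-VMNetworkAdapter -VMName "App01" -MacAddressSpoofing On

# Leave spoofing Off on every other VM: it is what stops a compromised guest from
# impersonating another machine's MAC on the shared switch. List the exceptions.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.MacAddressSpoofing -eq "On" } |
    Select-Object VMName, Name, MacAddressSpoofing
```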

1.3 CONFIGURE LOCAL STORAGE

Design storage spaces

Partitioning refers to the process of creating virtual markers that separate drive letters. A partition table is the list of what partitions have been configured on a drive. A file system, on the other hand, is a data structure that an operating system uses to keep track of files on a disk or partition. One may create folders to organize your data into groups and to store data hierarchically on the hard disk. Keep in mind, disks are physical, whereas storage pools and volumes are logical.
The Storage Services Role is part of the File and Storage Services and is installed by default.

Configure basic and dynamic disks

The 2012 Server Manager has a disk management section. The three things you can manage through the UI are Volumes, Disks and Storage Pools. Right-clicking on a volume will display options such as fixing file errors, extending the volume and assigning drive letters. You can even analyze and optimize (defrag) the drives via the GUI.



Configure MBR and GPT disks

These are the highlights of the differences between the two:
Master Boot Record (MBR) disks support a max of 4 partition table entries.
MBR disk partitions and logical drives are usually created based on the reported cylinder boundaries.
GUID Partition Table (GPT) comes with the Unified Extensible Firmware Interface (UEFI) standard.
GPT disks can have very large sizes.
On Windows you can have a maximum of 128 partitions per GPT disk.
Basic disks and dynamic disks can support MBR as well as GPT disks.

Manage volumes

NTFS 5 is the native file system for Windows 2012. NTFS 5 has many features for security, quota management, disk compression and volume mounting.
Transactional NTFS allows file operations to be performed in a transactional manner, with support for full atomic, consistent, isolated, and durable semantics for transactions. Self-healing NTFS can correct disk file corruptions online without requiring Chkdsk.exe to be run manually.
A storage pool is a collection of volumes. A volume is the basic unit of storage that represents an allocated space on a disk. The key is flexibility; storage can be expanded as needed when you add new drives.


Create and mount virtual hard disks (VHDs)

Virtual Hard Disk (VHD) is a file format for specifying a virtual hard disk to be encapsulated in a single file. It is not the same as Hyper-V. VHD works on almost all CPU types. Hyper-V does not work on incompatible processors.

The virtual hard disk format is either dynamically expanding or fixed. VHD Boot starts Windows from a Virtual Hard Disk file. This VHD file is mounted as a virtual disk but can be used just like a normal hard disk drive.

Configure storage pools and disk pools

A storage pool allows you to mix and match different drives for storage purposes. A pool acts as a container. You can create a storage pool via the GUI. If you prefer using PowerShell for creating the storage pools, you must first use the Get-StorageSubSystem cmdlet.
The pool created can be easily expanded by adding new disks. The pool can also be divided into spaces that are used like physical disks. In fact, within a pool you can create virtual disks which are known as spaces.
Data deduplication is eliminating redundant data in storage pools.
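
The PowerShell path described above (subsystem first, then pool, then a space), carried through to a formatted and deduplicated volume, as an added example that is not part of the original guide. The pool, space and volume names and the drive letter are assumptions.

```powershell
# Step 1: a pool lives inside a storage subsystem, so locate the Storage Spaces one first.
$subsystem = Get-StorageSubSystem -FriendlyName "Storage Spaces*"

# Step 2: only disks that are neither partitioned nor already pooled are eligible.
$eligible = Get-PhysicalDisk -CanPool $true
if ($eligible.Count -lt 2) { throw "Need at least two poolable disks for a mirror space." }

New-StoragePool -FriendlyName "Pool1" `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $eligible

# Step 3: carve a space (virtual disk) out of the pool. Mirror resiliency survives the
# loss of one disk; thin provisioning lets the space be larger than the pool is today.
New-VirtualDisk -StoragePoolFriendlyName "Pool1" -FriendlyName "Space1" `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 500GB

# Step 4: the space shows up as a disk; initialise it as GPT and format one NTFS volume.
Get-VirtualDisk -FriendlyName "Space1" | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data" -Confirm:$false

# Expanding later means adding disks to the pool; the thin space grows into them.
$newDisks = Get-PhysicalDisk -CanPool $true
if ($newDisks) { Add-PhysicalDisk -StoragePoolFriendlyName "Pool1" -PhysicalDisks $newDisks }

# Deduplication is a role feature that is then enabled per volume.
Install-WindowsFeature FS-Data-Deduplication
Enable-DedupVolume -Volume "E:"
Get-DedupStatus -Volume "E:"     # SavedSpace and OptimizedFilesCount fill in once jobs have run
```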




CHAPTER 2 CONFIGURE SERVER ROLES AND FEATURES

2.1 CONFIGURE FILE AND SHARE ACCESS

Create and configure shares

Simple network folder sharing can be managed via the Network and Sharing Center. The Network and Sharing Center is an interface for basic networking setup as well as network discovery, connection status and file sharing.
You can create a folder share simply by right-clicking on the folder and choosing the appropriate sharing option. You can also manage shared folders via Computer Management. Alternatively, from Server Manager's File and Storage section you can right-click on a server and choose New Share to invoke the New Share Wizard.

Configure share permissions

Advanced sharing and offline files can be configured by right-clicking on a file and choosing Share with Advanced sharing. The Server Manager's File and Storage section can also be used to manage storage resources and shares on local or remote servers in real time.
With the File Server Resource Manager installed, you can configure a number of advanced file share settings such as security, encryption and caching. Keep in mind:
Share permissions apply only when a user is accessing a file or folder non-locally. They can be applied on a user or on a group level.
Assigning permissions on a group basis is always recommended.
Individual permissions and group permissions are combined to form the user's effective permissions.

Configure offline files

Offline Files make network files available even when a network connection to the server is either unavailable or very slow. For the sake of performance you should create a root share on the server, let the system create the users' folders and then synchronize files at logoff via Folder Redirection with Offline Files. For security purposes you want to create a security group for those users who have redirected folders on a particular share and accordingly limit access only to those users.


Configure NTFS permissions

NTFS permissions allow you to assign permissions more granularly at the folder and file level. Keep in mind: file permissions always take precedence over folder permissions. You can always set these by right-clicking on a file or folder and configuring the desired permissions from Properties.

Configure access-based enumeration (ABE)

Access-based enumeration (ABE) is a built-in feature that can display only the files and folders that a user has permissions to read. It works only when viewing files and folders in a shared folder. When you use the New Share Wizard, there is an option to enable it.
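
The share points from this section (group-based share permissions, NTFS permissions underneath them, offline caching, a security group limiting the share, and ABE) as one added PowerShell example, not from the original guide. The domain, group names and path are assumptions.

```powershell
$path  = "D:\Shares\Projects"
$admin = "CONTOSO\Projects-Admins"   # assumed security groups; grant to groups, never to individual users
$users = "CONTOSO\Projects-Users"

New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS permissions first, then cut inheritance from the drive root so only these entries
# remain. (OI)(CI) makes an entry flow to files and subfolders; M = Modify, F = Full Control.
icacls $path /grant "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" `
                    "${admin}:(OI)(CI)F" "${users}:(OI)(CI)M"
icacls $path /inheritance:r

# Share permissions apply only to remote access and combine with NTFS: the effective right
# is the more restrictive of the two. Change (not Full) for users means they cannot re-ACL
# the share even if NTFS were ever loosened. FolderEnumerationMode AccessBased is ABE;
# CachingMode Documents is the offline-files setting used with Folder Redirection.
New-SmbShare -Name "Projects" -Path $path `
    -FullAccess $admin -ChangeAccess $users `
    -FolderEnumerationMode AccessBased `
    -CachingMode Documents

# Everyone and Authenticated Users were never added, so nothing needs removing, but verify
# rather than assume.
Get-SmbShareAccess -Name "Projects"
Get-SmbShare -Name "Projects" | Select-Object Name, FolderEnumerationMode, CachingMode

# NTFS side of the effective-permission picture for the two groups.
(Get-Acl $path).Access |
    Where-Object { $_.IdentityReference -like "CONTOSO\Projects-*" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```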

Configure Volume Shadow Copy Service (VSS)

VSS aims to create a consistent shadow copy of the data to be backed up. The VSS service can ensure that all VSS components can communicate with each other properly. You should know these VSS components and terms:
The VSS requester requests the actual creation of shadow copies through a backup application.
The VSS writer ensures there is a consistent data set to back up.
The VSS provider creates and maintains the shadow copies via software or hardware.
Complete copy means making a complete, full and read-only copy of the original volume.
Copy-on-write makes a differential copy.
Redirect-on-write does not make any changes to the original volume.


Configure NTFS quotas

Through Computer Management's Disk Management you can set quota and create custom quota entries. It works even if your server did not join AD.
Quota management is not enabled by default but you can enable it by hand. In fact, the Server Manager's File and Storage section can be used to set soft or hard space limits on a volume or folder tree. You may also create and apply quota templates with standard quota properties.

2.2 CONFIGURE PRINT AND DOCUMENT SERVICES

Configure the Easy Print print driver

Easy Print is for terminal service printing. It allows users to print from a Terminal Services RemoteApp program or a terminal server desktop session using the correct local printer. The "Redirect only the default client printer" policy setting can be used to specify whether the default client printer is the only printer to be redirected in Terminal Services sessions.

Configure Enterprise Print Management

To provide printing service, the print spooler service must be running. Whenever something is wrong with the print queue, problems can often be solved by stopping and restarting the spooler.

Configure Drivers

Printer device configuration is done via the Devices and Printers folder located in the Control Panel. Once a printer is added, you can right-click it to configure sharing and other parameters. Instead of configuring on a per-printer basis, you can manage printer drivers and permissions at the print server level. When there is a printing issue, the log for the PrintService event channel can be very helpful with troubleshooting.

Configure printer pooling

Printer pooling requires that you create a logical printer formed by a group of actual physical printers that use the exact same driver. Print users cannot choose the actual physical printer to use. You can configure pooling via the Windows printer configuration applet of the Control Panel.

Configure print priorities

Setting printing priorities involves changing the order of document printing. You must have the Manage Documents permission to make the changes. From within Printers and Faxes you can go into a specific printer's queue, right-click on the desired document and then change its priority level.

Configure printer permissions

All users can pause, resume, restart, or cancel printing of their own documents. However, the Manage Documents permission will be required to manipulate print jobs of other people. If you have the Manage Printers permission, you can pause or resume printing at the printer level.

2.3 CONFIGURE SERVERS FOR REMOTE MANAGEMENT

Configure WinRM

Windows Remote Management (WinRM) implements the WS-Management protocol, which is a standard Simple Object Access Protocol-based protocol. It facilitates the interoperation of different hardware and operating systems.
Computers that run Windows with WinRM will have management data supplied by Windows Management Instrumentation (WMI). If your remote connection is behind a firewall, make sure connections on port 3389 are allowed.

Configure down-level server management

Managing down-level servers means managing remote servers running Windows Server 2008 R2 SP1 full server, Server Core, or Windows Server 2008 SP2 full server. You must ensure they have Windows Management Framework (WMF) 3.0 properly installed. For a Server Core managed server, there are several features to install using DISM, including:
NetFx2-ServerCore
MicrosoftWindowsPowerShell
NetFx2-ServerCore-WOW64
MicrosoftWindowsPowerShell-WOW64

Configure servers for day-to-day management tasks

The Routing and Remote Access Server has three sub-roles, which are Remote Desktop Services Connection Broker, Licensing and Virtualization. You may add roles through the Server Manager Dashboard upon setup completion.
From Control Panel's System Properties you can enable remote desktop connections to a server. Setting Remote Desktop sessions to run over an encrypted channel is considered best practice as it can prevent viewing of a session. It is recommended to always use strong passwords with any accounts that have access to Remote Desktop.

Configure multi-server management

If you have multiple Administrator accounts in place, try to limit remote access only to those accounts that actually need it. You should use Local Security Policy to set account lockouts for them.
Before creating a subscription to collect events on a computer, configure both the collecting computer and the computer from which events will be collected. Also note the following:
You run the winrm quickconfig command on the source computer.
You use the wecutil qc command on the collector computer.
You add the computer account of the collector computer to the local Administrators group of the source computer.
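
The three setup steps above carried through to a working collector-initiated subscription, as an added PowerShell example that is not from the original guide. The host names, the domain and the Security events chosen are assumptions.

```powershell
# ---- On the SOURCE computer (SRV01): enable WinRM and let the collector read the logs ----
winrm quickconfig -q                        # starts WinRM, creates the listener and firewall exception
net localgroup Administrators 'CONTOSO\COLLECTOR01$' /add
# Least-privilege alternative to the Administrators step in the text: membership in the
# built-in "Event Log Readers" group is sufficient for reading event logs over WinRM.
# net localgroup "Event Log Readers" 'CONTOSO\COLLECTOR01$' /add

# ---- On the COLLECTOR computer (COLLECTOR01): enable the Windows Event Collector service ----
wecutil qc /q                               # sets the service to start automatically

# Subscription definition (constructed for this example): pull logon successes (4624)
# and failures (4625) from SRV01's Security log into the collector's ForwardedEvents log.
# CredentialsType Default means the collector's machine account is used, which is why
# that account had to be granted access on the source.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SRV01-Logons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events from SRV01</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>SRV01.contoso.example</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
$file = Join-Path $env:TEMP "srv01-logons.xml"
Set-Content -Path $file -Value $subscriptionXml -Encoding UTF8

wecutil cs $file                            # create the subscription from the XML
wecutil gr SRV01-Logons                     # runtime status: the source should show Active

# Forwarded events land in the collector's ForwardedEvents log.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, Id, MachineName, Message
```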

Configure Server Core

To install, configure or uninstall server roles remotely you may use Server Manager, Remote Server, RSAT, or the Windows PowerShell. A Server Core installation option allows the installing of Windows Server with a minimal environment for running specific server roles. Everything is done via the command prompt, which cuts down the maintenance and management requirements as well as the attack surface.
Through the RSAT tools you can manage computers running Server 2012, Server 2008 R2, Server 2008, or Server 2003. By default the RSAT tools will only open the ports and enable the services that are required for remote management to function.

Configure Windows Firewall

Windows Firewall can be configured via the Windows Firewall with Advanced Security interface or the netsh advfirewall command. You may also access it via the Control Panel. It works by examining each message and/or packet that passes through it and blocks those that do not meet the specified security criteria.
Network Location and Windows Firewall are in theory mutually independent. The configuration of Windows Firewall would largely be based on the current network category or categories. When connected to a Public network, only Core Networking rules will be enabled.
Within the netsh advfirewall context, the firewall subcommand can be used to change to the proper firewall context so you can view, create, and modify firewall rules.
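
Viewing and creating rules in the netsh advfirewall firewall context, with the Windows Server 2012 NetSecurity cmdlets beside them, as an added example not from the original guide. It scopes the port 3389 (Remote Desktop) exception mentioned earlier to a management subnet and to the Domain profile instead of leaving it open to every address; the subnet is an assumption.

```powershell
# The active profile decides which rules apply. Confirm the firewall is on for all
# profiles and that the default inbound policy is block.
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Enter the firewall context to work with rules: list enabled inbound rules only.
netsh advfirewall firewall show rule name=all dir=in status=enabled

# Weak version (what a quick "just open the port" fix looks like): TCP 3389 inbound from
# any address, on every profile including Public.
#   netsh advfirewall firewall add rule name="RDP open" dir=in action=allow protocol=TCP localport=3389

# Hardened version: same service, but only from the management subnet and only while the
# server is on the domain network.
netsh advfirewall firewall add rule name="RDP from management subnet" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=10.0.10.0/24 profile=domain

# The built-in Remote Desktop rule group, if enabled, still accepts any source address,
# so scope it to the same subnet rather than leaving two overlapping rules.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Set-NetFirewallRule -RemoteAddress "10.0.10.0/24"

# Equivalent of the hardened netsh rule with the NetSecurity cmdlets.
New-NetFirewallRule -DisplayName "RDP from management subnet (PS)" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress "10.0.10.0/24" -Profile Domain

# Review: every enabled inbound allow rule with the port and source addresses it accepts.
# A RemoteAddress of Any on a rule that applies to the Public profile deserves a second look.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Profile = $_.Profile
            Port    = $port.LocalPort
            Remote  = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```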



CHAPTER 3 CONFIGURE HYPER-V

3.1 CREATE AND CONFIGURE VIRTUAL MACHINE SETTINGS

Configure dynamic memory

With Dynamic Memory, there is no need to stop and restart a VM when the memory size is changed. It also distributes memory more efficiently, which could be a performance drawback, thus requiring an increase to the size of the page file in the guest OS. You may also need to increase the memory buffer configured for the VM. Keep in mind: you must have adequate RAM to avoid experiencing performance problems.
Note that by default, the minimum RAM value is the same as that of the Startup RAM.

Configure smart paging

Smart Paging uses the hard disk as an option for providing the memory required by a VM if the physical RAM is insufficient. Using this technique, a failure to load may occur when the memory requests are too high at a given time. This should only be used as a temporary fix because using hard drive space as memory has a noticeable performance impact.

Configure Resource Metering

Resource metering allows you to track system resource usage for your VM. It is not enabled by default, though. You can activate it via Enable-VMResourceMetering. Statistics are collected once every hour by default, or as dictated by the ResourceMeteringSaveInterval option. To display the data, use Measure-VM.
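
Dynamic Memory, Smart Paging and Resource Metering configured for one VM from PowerShell, as an added example not from the original guide. The VM name, sizes and paths are assumptions.

```powershell
$vm = "App01"
Stop-VM -Name $vm -Force   # the memory settings below are applied while the VM is off

# Dynamic Memory: the VM boots with the startup amount, then Hyper-V adjusts between
# minimum and maximum. Minimum defaults to the startup value, so set it if you want it lower.
# Buffer is the percentage of extra memory Hyper-V tries to keep available to the guest;
# raising it is the text's remedy when the guest pages because memory arrives too slowly.
Set-VMMemory -VMName $vm -DynamicMemoryEnabled $true `
    -StartupBytes 2GB -MinimumBytes 1GB -MaximumBytes 8GB -Buffer 25

# Smart Paging: used only while a VM restarts and the host cannot supply its startup
# memory. Put the paging file on a fast local disk; it is a stopgap, not extra RAM.
Set-VM -Name $vm -SmartPagingFilePath "D:\Hyper-V\SmartPaging"

Start-VM -Name $vm

# Resource Metering: off by default; enable it per VM, then read the accumulated counters.
Enable-VMResourceMetering -VMName $vm
# The host saves metering data once an hour by default; the interval is a host-wide setting.
Set-VMHost -ResourceMeteringSaveInterval (New-TimeSpan -Hours 2)

# Average CPU, average/maximum memory, disk allocation and metered network traffic.
Measure-VM -VMName $vm | Format-List *

# Reset the counters when a new accounting period starts.
Reset-VMResourceMetering -VMName $vm
```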

Configure guest integration services

Integration Services aim to optimize the virtual environment drivers. They work by replacing the generic operating system driver files for components such as the mouse, keyboard, display, network and SCSI controller, etc. They also synchronize the system time between the guest and host OS. File interoperability and heartbeat are also implemented. The Data Exchange Service can set, and also get information from, a VM running in a child partition. The Guest Shutdown Service can make a shutdown request from the parent partition to the child partition through WMI calls.

3.2 CREATE AND CONFIGURE VIRTUAL MACHINE STORAGE

Create VHDs and VHDX

With VHD, all the actual data is stored in a single file, of which you can run only one instance at a time. This is because it absorbs almost all of the processing power of the host computer. Note that VHDs have a size limit of 2040 GB. One way to create a VHD is to use diskpart at the command prompt. First you invoke the diskpart command, then you use the create vdisk command.
VHDX is the format to use if you want to go over 2040 GB in size. VHDX is also resilient to power failure. When using the New VM Wizard you can choose which you prefer: VHD or VHDX.

You can set a VHD to a fixed size or make it dynamic. A dynamic VHD is slower and may become more easily fragmented. However, it uses space as needed and is therefore smaller in general.

Configure differencing drives

To create a VHD via the Windows GUI, open Computer Management's Disk Management section. Create VHD can be selected from the Action menu. A dynamically expanding VHD can have a maximum size that is larger than the available free space on the drive.
Note that in the context of VHD, attaching means mounting while detaching means dismounting.

Modify VHDs

You can expand the size of a VHD through diskpart. First make sure that the VHD is detached. Then select it via the select vdisk file= command, then type expand vdisk maximum= to specify the new size.
The Edit Wizard can be used to modify an existing VHD as well.

A differencing configuration is useful when you have an image serving as a parent VHD that you prefer not to modify. All modifications to the image will be made to a separate child VHD. In order to create a differencing VHD, use the parent option with the create vdisk command or via the GUI.
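
The diskpart steps from the three passages above (create a dynamically expanding VHD, expand it while detached, then create a differencing child of it), run as diskpart scripts from PowerShell, as an added example not from the original guide. Paths and sizes are assumptions; the final Get-VHD check needs the Hyper-V PowerShell module.

```powershell
# diskpart reads a script file with /s, so each phase is a small script written to a temp file.
function Invoke-DiskpartScript([string]$Script) {
    $file = Join-Path $env:TEMP ("dp-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $file -Value $Script -Encoding ASCII
    diskpart /s $file
    Remove-Item $file
}

$parent = "D:\VHDs\base.vhd"
$child  = "D:\VHDs\base-child.vhd"
New-Item -Path (Split-Path $parent) -ItemType Directory -Force | Out-Null

# 1. Create a dynamically expanding 40 GB VHD (maximum= is in MB), attach it, put one NTFS
#    partition on it, then detach. type=expandable is the dynamic kind; type=fixed allocates
#    the full size up front. A VHD must stay under the 2040 GB limit, else use VHDX.
Invoke-DiskpartScript @"
create vdisk file="$parent" maximum=40960 type=expandable
select vdisk file="$parent"
attach vdisk
create partition primary
format fs=ntfs label="Base" quick
detach vdisk
"@

# 2. Expand the VHD to 80 GB. expand vdisk works only while the disk is detached, and the
#    partition inside does not grow by itself (extend it afterwards with diskpart's extend
#    or Resize-Partition).
Invoke-DiskpartScript @"
select vdisk file="$parent"
expand vdisk maximum=81920
"@

# 3. Differencing child: every write goes to the child and the parent stays untouched.
#    Once the child exists the parent must not be modified again, or the child becomes unusable.
Invoke-DiskpartScript @"
create vdisk file="$child" parent="$parent"
select vdisk file="$child"
attach vdisk
list volume
detach vdisk
"@

# Inspect the result: both files on disk, and the child's link back to its parent.
Get-ChildItem "D:\VHDs" | Select-Object Name, Length
Get-VHD -Path $child | Select-Object VhdType, ParentPath, Size, FileSize
```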

Configure pass-through disks

Pass-through disks are not virtualized. This is a feature intended to provide the fastest possible disk performance. Due to the restrictive drawbacks it has, its support is minimal in Windows Server 2012. In fact, it is supported during Hyper-V Live Migration if, and only if, the VM being migrated and the pass-through disk are managed by the same Hyper-V cluster. These are becoming obsolete.

Manage snapshots

A Hyper-V snapshot captures the status of a VM at a given time. This snapshot can then be used to restore a VM if necessary. To create one you simply select a VM to capture from within the Hyper-V Manager interface and then select Snapshot from the Actions pane. You may take a maximum of 50 snapshots of a VM. Note that snapshot files are AVHD/AVHDX files. Each VHD file will act as a parent to its AVHD file. Similarly, each VHDX file will act as a parent to its AVHDX file.

Implement a virtual Fibre Channel adapter

Virtual Fibre Channel for Hyper-V allows the guest OS to have direct access to a SAN via a standard World Wide Name (WWN) that is associated with a VM. This allows you to use Fibre Channel SANs to perform virtualization of the workloads accessing the SAN. In particular it uses the existing N_Port ID Virtualization T11 standard for mapping multiple virtual N_Port IDs to a single physical Fibre Channel N_Port. There is a new NPIV port created on the host whenever you start a VM configured with a virtual HBA.

3.3 CREATE AND CONFIGURE VIRTUAL NETWORKS

Implement Hyper-V Network Virtualization

Hyper-V is a server role that provides tools and services one can use to create a virtualized server computing environment. You add this role via Server Manager Add Roles. You may also add features for managing it.

From within the Create Virtual Networks page you can also select the LAN adapters you want to have shared with your guest sessions. A Hyper-V host server MUST run on a 64-bit system. An external network provides communication between a virtual machine and a physical network. An internal network provides communication between the virtualization server and virtual machines within the same server system. A private network provides communication between virtual machines.
A virtual switch can combine both the internal and the external network switch segments. With direct addressing, a guest session can connect directly to the backbone of the network. The virtual server can act as a switch that connects all guest sessions together.

Configure Hyper-V virtual switches

A network virtual switch in the context of Hyper-V runs at the data-link layer. There is a MAC table with the layer 2 addresses of all the VMs connected to it. The two possible switch modes are Trunk Mode and Access Mode.

The possible types of virtual switches are External, Private and Internal. Only External and Internal Virtual Switches can run in Trunk Mode and Access Mode. The number of internal virtual switches that can be created is not limited by default.

Optimize network performance

As said before, with direct addressing a guest session can connect directly to the backbone of the network. For it to work you need to configure an external connection in the Virtual Network Manager. You also must have a valid IP address on that external segment.
To keep the guest session isolated from the network, set up an internal connection using an IP address of a segment that is common to the other guest sessions on the same host system.

Configure MAC addresses

VM MAC addresses can be static or dynamic. By default, the MAC address is set to Dynamic. If you need the MAC address to become static, you must stop the VM first.

Configure network isolation

If there are VLANs connected to your Hyper-V platform, each of your VMs must have a correct VLAN tag for the network interfaces in use. You may want to use the PowerShell to set the necessary VLAN parameters. Use Set-VMNetworkAdapterVlan to set all of the VLAN-related settings.

Configure synthetic and legacy virtual network adapters

If you have an older OS to virtualize, you may want to ensure compatibility via Set-VMProcessor -CompatibilityForOlderOperatingSystemsEnabled $true.
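
The switch types, access and trunk modes, static MAC assignment, VLAN isolation and legacy-adapter points from this section in one added PowerShell example, not from the original guide. Switch, VM and adapter names, the physical NIC and the VLAN IDs are assumptions.

```powershell
# One switch of each type. External binds to a physical NIC (shared with the host here);
# Internal reaches the host only; Private reaches nothing but the other VMs on it.
New-VMSwitch -Name "External-Prod" -NetAdapterName "Ethernet 2" -AllowManagementOS $true
New-VMSwitch -Name "Internal-Mgmt" -SwitchType Internal
New-VMSwitch -Name "Private-Lab"   -SwitchType Private

# A web VM on the external switch, isolated into VLAN 120 (access mode: one untagged VLAN).
Add-VMNetworkAdapter -VMName "Web01" -SwitchName "External-Prod" -Name "Prod NIC"
Set-VMNetworkAdapterVlan -VMName "Web01" -VMNetworkAdapterName "Prod NIC" -Access -VlanId 120

# A firewall VM that must see several VLANs gets a trunk: tagged 100-110 plus an untagged
# native VLAN. Trunk and access modes exist only on External and Internal switches.
Add-VMNetworkAdapter -VMName "Fw01" -SwitchName "External-Prod" -Name "Trunk NIC"
Set-VMNetworkAdapterVlan -VMName "Fw01" -VMNetworkAdapterName "Trunk NIC" `
    -Trunk -AllowedVlanIdList "100-110" -NativeVlanId 100

# Static MAC (for a DHCP reservation, for instance). The VM must be off first;
# 00-15-5D is the Hyper-V locally administered range.
Stop-VM -Name "Web01" -Force
Set-VMNetworkAdapter -VMName "Web01" -Name "Prod NIC" -StaticMacAddress "00155D0A7801"
Start-VM -Name "Web01"

# Legacy (emulated) adapter for a guest without integration services, plus the processor
# compatibility setting for older guest operating systems.
Add-VMNetworkAdapter -VMName "OldOS" -SwitchName "Private-Lab" -IsLegacy $true
Set-VMProcessor -VMName "OldOS" -CompatibilityForOlderOperatingSystemsEnabled $true

# Audit: every adapter, its switch, its VLAN mode and whether the MAC is static.
Get-VM | Get-VMNetworkAdapter | ForEach-Object {
    $vlan = $_ | Get-VMNetworkAdapterVlan
    [pscustomobject]@{
        VM        = $_.VMName
        Adapter   = $_.Name
        Switch    = $_.SwitchName
        Mode      = $vlan.OperationMode
        VlanId    = $vlan.AccessVlanId
        StaticMac = -not $_.DynamicMacAddressEnabled
    }
} | Format-Table -AutoSize
```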


CHAPTER 4 DEPLOY AND CONFIGURE CORE NETWORK SERVICES

4.1 CONFIGURE IPV4 AND IPV6 ADDRESSING

Configure IP address options

In order to configure protocols and addresses for the network interfaces from File Explorer, you right-click on Network and choose Properties.

An IP address is the unique number ID assigned to a network interface. IPv4 is 32-bit, whereas IPv6 is 128-bit. The gateway address is typically a router's address. In a Class A address, the first octet is the network portion. In a Class B address, the first two octets are the network portion. In a Class C address, the first three octets are the network portion. Class D addresses are for multicast, while class E addresses are reserved. Private IP addresses are non-routable and are for private use only.

An IPv6 address space has 128 bits. There are two major 64-bit parts: the network prefix and the interface ID. The exam, however, has limited coverage of IPv6.

Configure subnetting

A subnet mask has four bytes, thus totaling 32 bits. The subnet mask is written using the dotted decimal notation, with the leftmost bits always set to the value of 1. Through applying a subnet mask to an IP address you effectively split the address into two parts.
Variable Length Subnet Masks (VLSM) allow for the use of a long mask on networks with few hosts and a short mask on subnets with relatively more hosts.

Configure supernetting

Classless Interdomain Routing (CIDR) is also known as supernetting. It improves address space utilization by having an IP network represented by a prefix. With CIDR, you specify an IP address range using a combination of an IP address and network mask.
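
The mask-and-prefix arithmetic above carried out in PowerShell, as an added example not from the original guide: applying a mask splits an address into its network and host parts, VLSM hands out differently sized blocks, and one CIDR prefix names a supernet. The addresses are constructed sample values; /31 and /32 point-to-point cases are left out.

```powershell
function ConvertTo-DottedDecimal([long]$Value) {
    # BitConverter yields little-endian bytes on x86/x64; reverse them for network order.
    $bytes = [System.BitConverter]::GetBytes([uint32]$Value)
    [array]::Reverse($bytes)
    return ($bytes -join '.')
}

function Get-SubnetInfo {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][ValidateRange(1, 30)][int]$PrefixLength
    )
    # Dotted decimal -> one 32-bit number, held in a long so the arithmetic never overflows.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long]$ip = ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]

    # /n means the leftmost n bits are 1: mask = 2^32 - 2^(32-n). For /26 that is 255.255.255.192.
    [long]$mask     = [math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength)
    [long]$hostMask = 4294967295 - $mask      # the bits the mask leaves for hosts

    # Applying the mask splits the address: AND keeps the network part. Host bits all zero
    # is the network address, host bits all one is the broadcast address.
    [long]$network   = $ip -band $mask
    [long]$broadcast = $network + $hostMask

    [pscustomobject]@{
        Cidr        = "{0}/{1}" -f (ConvertTo-DottedDecimal $network), $PrefixLength
        SubnetMask  = ConvertTo-DottedDecimal $mask
        Network     = ConvertTo-DottedDecimal $network
        Broadcast   = ConvertTo-DottedDecimal $broadcast
        FirstHost   = ConvertTo-DottedDecimal ($network + 1)
        LastHost    = ConvertTo-DottedDecimal ($broadcast - 1)
        UsableHosts = $hostMask - 1           # network and broadcast addresses are not usable
    }
}

# Subnetting: 192.168.10.77/26 -> network 192.168.10.64, broadcast .127, 62 usable hosts.
Get-SubnetInfo -Address "192.168.10.77" -PrefixLength 26

# VLSM: one Class C carved into blocks sized to need. The long mask (/30) serves a
# two-host router link; the short mask (/25) serves the busy user segment.
@(
    @{ Address = "192.168.10.0";   PrefixLength = 25 }   # 126 hosts: users
    @{ Address = "192.168.10.128"; PrefixLength = 27 }   # 30 hosts: servers
    @{ Address = "192.168.10.160"; PrefixLength = 28 }   # 14 hosts: printers
    @{ Address = "192.168.10.176"; PrefixLength = 30 }   # 2 hosts: router link
) | ForEach-Object { Get-SubnetInfo -Address $_.Address -PrefixLength $_.PrefixLength } |
    Format-Table Cidr, SubnetMask, FirstHost, LastHost, UsableHosts -AutoSize

# Supernetting (CIDR): 192.168.8.0/22 is a single prefix covering the four Class C
# networks 192.168.8.0 through 192.168.11.0, advertised as one route.
Get-SubnetInfo -Address "192.168.8.0" -PrefixLength 22 |
    Format-List Cidr, SubnetMask, Network, Broadcast, UsableHosts
```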

Configure interoperability between IPv4 and IPv6

Windows Server 2012 supports IPv4 and IPv6. Both are installed and enabled by default. You may tunnel IPv6 traffic through an IPv4 network and vice versa.

Configure ISATAP

There are transition technologies you may consider if you are not ready for IPv6. ISATAP allows unicast communication between IPv6/IPv4 hosts across your IPv4 intranet.
Windows Server 2012 can be configured to act as an ISATAP router. Virtual IP addresses (VIPs) allow you to use cluster-based Network Load Balancing. Neighbor Unreachability Detection (NUD) can protect against routing loops.

Configure Teredo

6to4 allows unicast communications to take place between IPv6/IPv4 hosts and IPv6-capable sites through the Internet. Teredo is similar to 6to4 and can work even when there are private IPv4 addresses and NAT devices involved. IP-HTTPS permits IPv6 to be tunneled using HTTP with SSL as a transport.
To use Teredo, you need to have two consecutive static public IPv4 addresses on your outside-facing network interface. You can use the Set-DAServer -TeredoState Enabled cmdlet to turn on Teredo for DirectAccess.

4.2 DEPLOY AND CONFIGURE DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SERVICE

Create and configure scopes

A DHCP scope refers to an administrative grouping of IP addresses. You may first create a scope for each physical subnet, then use the scope to further define the parameters to be used by your clients. Each scope has a range of IP addresses, a subnet mask and a scope name. You use the New Scope Wizard to create one.

Each subnet can have only one DHCP scope with a single continuous range of IP addresses. To use multiple address ranges within a single scope you have to carefully configure the required exclusion ranges, or conflicts will occur.

Configure a DHCP reservation

A client reservation is an IP address reserved for permanent use by a specific DHCP client. When multiple DHCP servers are configured with a scope that covers the range of the reserved IP address, you should manually make the same client reservation at each of the involved DHCP servers. Also, if you try to reserve an address that is already in use, the client using the address must first release it. This can be done via ipconfig /release. When specific DHCP options are configured for a reserved client, the values will override anything distributed via other assignment methods.

Configure DHCP options

DHCP scope options are configured for assignment to DHCP clients, such as a DNS server address, router address, WINS server address, etc. Server options apply to all scopes and clients of a DHCP server. Scope options apply only to clients of a selected applicable scope. Reservation options apply only to a specific reserved DHCP client. Class options apply to member clients of a specified user or vendor class. User classes group clients that have been identified as having a common need for certain options configuration. Vendor classes provide vendor-specific options to clients. Most of the time you should only use scope options to assign most options clients need. Note that when the DHCP service is installed, there are no default DHCP option definitions created so they must be configured manually.
For BOOTP to work there must be a BOOTP table. By default this table is empty. DHCP can provide assignment to BOOTP clients, but these clients can only obtain an IP address lease at boot time. Lease expiration times should be set accordingly so the lease will not expire before the client reboots.

Configure client and server for PXE boot

In order to support PXE Network Boot, there must be a working DHCP server with scope options 066 and 067 configured, plus a TFTP server and an NFS server. The job of DHCP in this scenario is to provide the PXE-enabled host with the correct TFTP host and boot file name.

Configure DHCP relay agent

A DHCP Relay Agent can relay DHCP messages between clients and servers on different subnets. Keep in mind, DHCP is broadcast-based and therefore cannot be routed unless facilitated by RFC 1542-compliant relay agents. You may enable the DHCP Relay Agent feature via RRAS, where it is listed as a routing protocol. Note there is an agent for IPv4 and another for IPv6. However, both of them cannot run simultaneously within the DHCP service on the same computer.

Authorize DHCP server

For a domain-joined DHCP Member Server, you may use the DHCP MMC console to authorize the server. If it is not authorized it will not lease addresses to clients. This is done for the sake of security. If located on a workgroup server, authorization is not necessary. If located on a domain controller, it is typically automatically authorized.
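
A scope with an exclusion range, server-level and scope-level options, the PXE options 066 and 067, a reservation with its own option, and authorization in AD DS, as an added PowerShell example (DhcpServer module) that is not from the original guide. Addresses, names and the boot file path are assumptions.

```powershell
$scope = "10.1.20.0"

# Scope: one contiguous range per subnet. Hold back the first 19 addresses for static
# devices with an exclusion range rather than by shrinking the range, so the scope still
# describes the whole subnet.
Add-DhcpServerv4Scope -Name "Sales LAN" -StartRange "10.1.20.1" -EndRange "10.1.20.254" `
    -SubnetMask "255.255.255.0" -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $scope -StartRange "10.1.20.1" -EndRange "10.1.20.19"

# Server options apply to every scope; scope options override them for this subnet only.
Set-DhcpServerv4OptionValue -DnsDomain "contoso.example" -DnsServer "10.1.1.10", "10.1.1.11"
Set-DhcpServerv4OptionValue -ScopeId $scope -Router "10.1.20.1"

# PXE: option 066 is the TFTP/boot server host name, option 067 the boot file name.
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 66 -Value "10.1.1.50"
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 67 -Value "boot\x64\wdsnbp.com"

# Reservation: the client's MAC pins it to .50. If another client currently holds that
# lease it must run ipconfig /release first. Options set on the reservation win over
# scope and server options, for this client only.
Add-DhcpServerv4Reservation -ScopeId $scope -IPAddress "10.1.20.50" `
    -ClientId "00-15-5D-0A-78-01" -Name "print01" -Description "Sales printer"
Set-DhcpServerv4OptionValue -ReservedIP "10.1.20.50" -Router "10.1.20.2"

# A domain-joined DHCP server leases nothing until it is authorized in AD DS.
Add-DhcpServerInDC -DnsName "dhcp01.contoso.example" -IPAddress "10.1.1.20"
Get-DhcpServerInDC

# Review what clients in this scope will actually receive.
Get-DhcpServerv4OptionValue -ScopeId $scope
Get-DhcpServerv4Reservation -ScopeId $scope
```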

4.3DEPLOYANDCONFIGUREDNSSERVICE

ConfigureActiveDirectoryintegrationofprimaryzones

You use the DNS Manager to invoke the New Zone Wizard. It is always recommended that the DNS zones be
integrated with AD (due to the endless number of benefits offered by AD, such as AD DSintegrated replication of
updates).NotethatonlyprimaryzonescanbestoredinAD.Secondaryzonescanonlybestoredintextfiles.

Configureforwarders

When a new DNS server is not also serving as a domain controller, you may configure it by first creating a forward and (optionally) a reverse lookup zone, then deciding whether queries will be forwarded to other servers. You can choose to designate a DNS server on your local network as a forwarder by configuring the forwarding of queries. A conditional forwarder is one that forwards DNS queries according to the DNS domain name involved (only some, but not all, queries will be forwarded).

Configure Root Hints

Through root hints you may prepare servers that are authoritative for a non-root zone so that it is possible for them to discover authoritative servers at a higher level. This is needed on DNS servers that are authoritative at lower levels of the namespace. You may configure root hints (located in the properties of the DNS server) via the DNS Manager console. The root hints file is in fact the cache hints file. This file is text-based and contains host information for resolving names outside of the authoritative DNS domains.

Manage DNS cache

Caching means the DNS servers can remember the results from earlier resolutions. With proper caching it is possible to reduce WAN traffic since requests can be satisfied via the cache. However, it is sometimes necessary to use ipconfig /flushdns to flush the cache. The DNS Manager GUI also has the Clear Cache option when you right-click on a server.

The advanced option known as Secure cache against pollution is for preventing an attacker from polluting the DNS cache.
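The following PowerShell is an added example and is not part of the study guide. It carries out the forwarder, conditional forwarder, root hint and cache tasks from the three sections above with the DnsServer module of Windows Server 2012. The upstream resolver addresses, the partner zone name and its server address are constructed values.

```powershell
# Added example (not from the study guide): forwarders, a conditional forwarder,
# root hints and cache management on a Windows Server 2012 DNS server.
# Assumes the DnsServer module and the constructed addresses/names below.
Import-Module DnsServer

$Upstream    = '10.0.0.53', '10.0.0.54'   # assumed internal forwarders
$PartnerZone = 'partner.example.net'      # assumed partner domain
$PartnerDns  = '192.0.2.10'               # assumed partner DNS (documentation address)

# 1. Forward every query this server is not authoritative for to the internal
#    resolvers. -UseRootHint $false stops the server from falling back to the
#    root servers when the forwarders do not answer, so internal name lookups
#    never leak straight to the Internet.
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false -Timeout 3

# 2. Conditional forwarder: only queries for partner.example.net go to the
#    partner's server. Storing it in AD gives every DC running DNS the same entry.
Add-DnsServerConditionalForwarderZone -Name $PartnerZone `
    -MasterServers $PartnerDns -ReplicationScope 'Forest'

# 3. Root hints (the cache hints file) are consulted only when no forwarder
#    applies; review them so a stale or tampered entry is noticed.
Get-DnsServerRootHint | Format-Table -AutoSize

# 4. Cache: make sure "Secure cache against pollution" is on (it is the
#    default, so this is a check as much as a setting), then flush.
Set-DnsServerCache -PollutionProtection $true
$cache = Get-DnsServerCache
"Pollution protection enabled: $($cache.PollutionProtection)"
Clear-DnsServerCache -Force

# 5. Show the effective forwarding configuration.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Format-Table ZoneName, MasterServers -AutoSize
```

Pollution protection makes the server discard resource records in a response that are not for the domain that was queried, which is the cache-poisoning case the guide refers to; verifying it with Get-DnsServerCache is cheaper than finding out after the fact.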

Create A and PTR resource records

DNS records can be created via the DNS Manager console. You simply right-click on a zone and then choose from the options available. A host resource record is for associating the DNS domain name of a computer with an IP address. You need to have such a resource record for a computer sharing resources that needs to be identified by its DNS domain name.

When you create a new host record (A or AAAA), you have the option to also create an associated PTR record automatically. PTR resource records created this way will be deleted if the corresponding host record is deleted.



CHAPTER 5 INSTALL AND ADMINISTER ACTIVE DIRECTORY
5.1 INSTALL DOMAIN CONTROLLERS

Add or remove a domain controller from a domain

You need to install the Active Directory Domain Services (AD DS) role on the server to allow it to act as a domain controller. After this you need to promote the server to a domain controller. You use the AD DS Installation Wizard to achieve this.
When the first Windows Server 2012-based domain controller is introduced, the forest will operate by default at the lowest functional level that is possible. When you raise the functional level, newer advanced features become available, but this is at the expense of compatibility. Keep in mind, you cannot have AD DS installed on a server that also runs the Hyper-V Server role.

Upgrade a domain controller

Domain controllers that run Windows 2000 Server must be removed. You should first raise the forest functional level to Windows Server 2003 (or higher), install domain controllers that run Windows Server 2012, and then remove domain controllers that run earlier versions of Windows.
In order to install the first Windows Server 2012 domain controller in an existing domain or forest, this server must have proper connectivity to the existing schema master. To install or remove a domain in a forest there must be connectivity to the domain naming master. On a domain controller that you plan to upgrade to Windows Server 2012, make sure you size the drive properly. The drive that hosts NTDS.DIT must have sufficient free space to allow the upgrade to go through. This is about 20% of the size of the DIT file.

Install Active Directory Domain Services (AD DS) on a Server Core installation

In Windows Server 2012, command-line installation of AD relies on the ADDSDeployment module of Windows PowerShell. Adprep is fully integrated into the AD DS installation so you do not need to run it manually.
The Active Directory Module for Windows PowerShell is installed by default when the AD DS server role is added on a 2012 server; there is no additional step required other than adding the server role. AD DS can be installed on a Server Core installation, and Server Core is often recommended for read-only domain controllers in smaller branch offices.
On a Server Core installation, you add the Active Directory Domain Services role via Install-WindowsFeature AD-Domain-Services -IncludeManagementTools. To promote the Server Core installation, use Install-ADDSDomainController -DomainName mydomain.com -InstallDNS:$True -Credential (Get-Credential). You will be asked to supply a logon credential with domain admin rights.

Install a domain controller from Install from Media (IFM)

You can use the Ntdsutil tool's ifm command to create installation media for installing additional domain controllers. This minimizes data replication over the network. For this to work, you have to log on to a domain controller interactively. You must also be able to make a backup. Since IFM will create a temporary database in the %TMP% folder, make sure you have enough free drive space: approximately 110% of the size of the existing AD DS database.

Resolve DNS SRV record registration issues

Service (SRV) records are resource records. They indicate the resources that perform a particular service. All domain controllers are referenced by SRV records. In fact, through these records the domain controllers advertise the services they provide. An SRV record must be present for the _kerberos and _ldap services. If your DNS server is NOT running Windows, you should verify the SRV locator resource records by examining the Netlogon.dns file.

Configure a global catalog server

A global catalog (GC) is a domain controller. Every AD forest has at least one. It stores a copy of all Active Directory objects in a forest. It enables and facilitates user searches for directory information throughout all domains. It also resolves user principal names when the authenticating domain controller doesn't have knowledge of the involved account. It also helps other domain controllers to validate references to those objects that belong to other domains in the forest. In a single-domain forest all domain controllers can respond to authentication or service requests, so you have less to worry about regarding GC placement. There is no need to have a GC at a location that does not use applications that are GC-dependent. However, roaming users will need to contact a GC whenever they log on for the first time at any location. To add a GC, use the Active Directory Sites and Services console.
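The following PowerShell is an added example and is not part of the study guide. It serves the SRV record section and the global catalog section together: it checks that a given domain controller has published its _ldap and _kerberos locator records, re-registers them with Netlogon if they are missing, compares against Netlogon.dns, and then lists which DCs hold the global catalog and enables it on this one if required. The domain and DC names are constructed values.

```powershell
# Added example (not from the study guide): verify a DC's SRV locator records,
# re-register them if missing, and verify or enable the global catalog role.
# Assumes the ActiveDirectory and DnsClient modules (Windows Server 2012) and
# the constructed domain and DC names below.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # assumed domain
$DcName = 'dc01'               # assumed DC to check

# 1. The two records every DC must publish. The dc._msdcs subdomain is queried
#    because that is what the DC locator itself uses.
$srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    $mine = $records | Where-Object { $_.NameTarget -like "$DcName.*" }
    if ($mine) { "OK       $name -> $($mine.NameTarget):$($mine.Port)" }
    else       { "MISSING  $name for $DcName" }
}

# 2. If a record is missing, force Netlogon to re-register, then compare with
#    netlogon.dns, the file the guide points to for non-Windows DNS servers
#    (its contents are what a BIND administrator would load by hand).
nltest /dsregdns
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" |
    Select-String '_kerberos|_ldap' | Select-Object -First 4

# 3. Global catalog: which DCs hold it, per site.
Get-ADDomainController -Filter * | Format-Table Name, Site, IsGlobalCatalog -AutoSize

# 4. Enable the GC on this DC if it is not one yet. Bit 1 of the 'options'
#    attribute on the NTDS Settings object is what the Sites and Services
#    checkbox sets; OR it in so other option bits are preserved.
$dc = Get-ADDomainController -Identity $DcName
if (-not $dc.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opts -bor 1) }
}
```

A missing _ldap or _kerberos record is the usual reason clients fail to find a DC even though the DC itself is healthy, so this check belongs in any post-promotion verification.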


5.2 CREATE AND MANAGE ACTIVE DIRECTORY USERS AND COMPUTERS

Automate the creation of Active Directory accounts

You can create, edit and delete AD directory objects using ldifde from within an elevated command prompt (i.e. Run as administrator). You can use an import file to automate object creation. In particular you can create user account objects from an .ldf file. The CSVDE command can serve a similar purpose, but you need to supply .CSV files containing the user account data.

Create, copy, configure, and delete users and computers

You use the AD Users and Computers console or the new Active Directory Administrative Center (ADAC) UI to create new resources, AD users, printers, shares and OUs. On the other hand, you use the AD Sites and Services console to create and manage sites. Note that to use the former you must log on as a domain administrator.

Configure templates

To allow objects to be created easily, you can create template objects. You simply create objects as usual with commonly used properties and DISABLE the account. Then whenever you need to use the template for object creation you simply COPY it.

Perform bulk Active Directory operations

Batch operations in AD can be performed using the LDIFDE utility or ADSI/VBScript. The former makes use of the LDAP Data Interchange Format (LDIF) file, which is an Internet draft standard file format for performing batch operations on directories. Active Directory Services Interfaces (ADSI) can be used to write directory-enabled applications. VBScript can be used to write simple scripts using a VB-like language.
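The following PowerShell is an added example and is not part of the study guide. It covers the account automation, template and bulk operation sections together: part (a) writes a constructed LDIF file and imports it with ldifde; part (b) drives New-ADUser from a constructed CSV, copying shared attributes from a disabled template account the way the guide's COPY step does. The OU, the template account name and the user data are constructed values.

```powershell
# Added example (not from the study guide): two ways to bulk-create user accounts,
# (a) an LDIF file imported with ldifde, (b) a CSV fed to New-ADUser using a
# disabled template account. Assumes the ActiveDirectory module and the constructed
# OU, template account 'tpl-staff' and sample users below.
Import-Module ActiveDirectory

$OU   = 'OU=Staff,DC=corp,DC=example,DC=com'   # assumed target OU
$Work = Join-Path $env:TEMP 'bulk-users'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# --- (a) LDIF import. userAccountControl 514 = normal account, disabled, so
#     nobody can log on with it until a password has been set and it is enabled.
$ldif = @"
dn: CN=Ann Lee,$OU
changetype: add
objectClass: user
sAMAccountName: alee
userPrincipalName: alee@corp.example.com
displayName: Ann Lee
userAccountControl: 514

"@
$ldif | Set-Content -Path "$Work\users.ldf" -Encoding ASCII
# -i import, -f input file, -k skip errors such as "object already exists"
ldifde -i -f "$Work\users.ldf" -k

# --- (b) CSV through a template. The template is a disabled account that holds
#     the shared attributes; -Instance copies them and only per-user fields change.
@"
sam,given,surname
bchan,Bob,Chan
cdiaz,Carla,Diaz
"@ | Set-Content -Path "$Work\users.csv" -Encoding ASCII

$template = Get-ADUser -Identity 'tpl-staff' -Properties Department, Company, Office

Import-Csv "$Work\users.csv" | ForEach-Object {
    # Constructed per-user initial password; the user must change it at first logon.
    $initial = ConvertTo-SecureString -AsPlainText -Force `
        ('Init!' + [guid]::NewGuid().ToString('N').Substring(0, 12))
    New-ADUser -Instance $template -Name "$($_.given) $($_.surname)" `
        -SamAccountName $_.sam -GivenName $_.given -Surname $_.surname `
        -UserPrincipalName "$($_.sam)@corp.example.com" -Path $OU `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
}

# Accounts created by either route, for review.
Get-ADUser -Filter * -SearchBase $OU -Properties whenCreated |
    Sort-Object whenCreated -Descending |
    Select-Object -First 5 SamAccountName, Enabled, whenCreated
```

The LDIF route creates the accounts disabled because LDIF cannot carry a password over an unencrypted LDAP connection; the CSV route sets a unique initial password per account instead of one shared value, which is the defect most bulk-creation scripts have.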

Configure user rights

AD user rights can be configured via the AD Users and Computers console by right-clicking the desired user object and then choosing Properties. From the Security tab, click Advanced to view all of the permission entries that exist and make changes accordingly.

Offline domain join

Offline Domain Join is implemented through Djoin.exe. You use it to join a computer to a domain without physically contacting a domain controller. You first run djoin /provision to create the necessary computer account metadata, which is saved in a .txt file. Then you run djoin /requestODJ to insert the computer account metadata into the destination computer's Windows directory. Once you reboot the destination computer, the computer will be joined to AD. DirectAccess offline domain join further allows Windows Server 2012 or Windows 8-based computers to join AD remotely.
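The following PowerShell is an added example and is not part of the study guide. It runs the two djoin steps described above, with the provisioning step on a domain-joined administrative machine and the request step on the new computer, and shows how to handle the provisioning file in between. The domain, computer name, OU and file path are constructed values.

```powershell
# Added example (not from the study guide): offline domain join with djoin.exe.
# Step 1 runs on a domain-joined machine whose user may create computer objects in
# the target OU; step 2 runs on the new computer, which cannot reach a DC yet.
# Assumes the constructed domain, computer, OU and path below.
$Domain   = 'corp.example.com'
$Computer = 'branch-fs02'
$OU       = 'OU=Branch,DC=corp,DC=example,DC=com'
$Blob     = 'C:\ODJ\branch-fs02.txt'    # constructed path for the provisioning file

# --- Step 1 (provisioning side): create the computer account and its metadata.
New-Item -ItemType Directory -Path (Split-Path $Blob) -Force | Out-Null
djoin /provision /domain $Domain /machine $Computer /machineou $OU /savefile $Blob

# The file contains the machine account password. Restrict it to the current
# user before it travels (removable media, a management share) and delete it
# once the join has been requested.
icacls $Blob /inheritance:r /grant:r "${env:USERNAME}:(R)"

# --- Step 2 (destination computer): insert the metadata into the running OS.
#     /windowspath points at the installation to update and /localos says it is
#     the one currently running; the join completes at the next reboot.
djoin /requestODJ /loadfile $Blob /windowspath $env:SystemRoot /localos
Remove-Item -Path $Blob -Force
Restart-Computer -Confirm
```

Because the provisioning file is a credential, treat its lifetime like a password reset: generate it close to when it is needed, move it over a channel you trust, and remove it after use.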

Manage inactive and disabled accounts

To clean up inactive accounts, you should use dsquery. Through dsquery you can query the directory using specific search criteria. For example, you can use dsquery computer with -inactive or -disabled to search for computer accounts that are effectively inactive or disabled. dsquery user can do the same with user accounts.
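The following PowerShell is an added example and is not part of the study guide. It shows the dsquery forms from the section above next to the Active Directory module equivalent, then disables and quarantines the inactive user accounts it finds rather than deleting them. The inactivity window and the holding OU are constructed values.

```powershell
# Added example (not from the study guide): find accounts that have not logged on
# for 90 days, disable them and move them to a holding OU. Assumes the
# ActiveDirectory module and the constructed OU below.
Import-Module ActiveDirectory

$Days      = 90
$HoldingOU = 'OU=Disabled,DC=corp,DC=example,DC=com'   # assumed quarantine OU

# dsquery forms from the guide: -inactive takes a number of weeks,
# -disabled lists accounts that are already disabled; -limit 0 = no cap.
dsquery user -inactive ([int][math]::Ceiling($Days / 7)) -limit 0
dsquery computer -disabled -limit 0

# Module equivalent. Search-ADAccount evaluates lastLogonTimestamp, which is
# replicated with up to 14 days of slack, so the cut-off is approximate.
$window = [timespan]::FromDays($Days)
$inactiveUsers = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly |
    Where-Object { $_.Enabled }

$inactiveUsers | Select-Object Name, SamAccountName, LastLogonDate | Format-Table -AutoSize

# Disable rather than delete: SID, group memberships and audit history survive,
# and the account can be re-enabled if the owner was simply on long leave.
foreach ($u in $inactiveUsers) {
    Disable-ADAccount -Identity $u.DistinguishedName
    Set-ADUser -Identity $u.DistinguishedName `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive more than $Days days"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $HoldingOU
}

# Computers: report only. A stale computer account is often a device that has
# been switched off, not decommissioned, so confirm against the inventory first.
Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly |
    Select-Object Name, LastLogonDate | Format-Table -AutoSize
```

Dormant but enabled accounts are the ones an attacker can reuse without anybody noticing a lockout, which is why the disable step matters more than the tidy-up.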

5.3 CREATE AND MANAGE ACTIVE DIRECTORY GROUPS AND ORGANIZATIONAL UNITS (OUS)

Configure group nesting

Group nesting is adding a group as a member of another group. This is useful for consolidating member accounts. By default, when you nest a group within another, the user rights are automatically inherited. Note that groups with universal scope can contain other groups with universal scope as well as groups with global scope from any domain. Groups with global scope can contain other groups with global scope from the same domain. Groups with domain local scope can contain groups with universal scope as well as groups with global scope from any domain. They can also contain groups with domain local scope from within the same domain.

Convert groups including security, distribution, universal, domain local, and domain global

Distribution groups are for use with e-mail distribution lists, while security groups are for assigning permissions to shared resources. You may use dsmod group to convert between group types. Groups with domain local scope are for managing access to resources within a single domain. Groups with global scope are for managing directory objects that require frequent maintenance. They are never replicated to other domains. Groups with universal scope are for consolidating groups that span multiple domains.

Manage group membership using Group Policy

Group Policy can be used to configure computer and user settings within networks based on the Active Directory Domain Services (AD DS). For Group Policy to work, your network must be based on AD DS and the computers you want to manage must be joined to the domain. You must also have the relevant permissions to create and edit the policy objects.

Enumerate group membership

You may use dsget group to show the properties and members of a group. This task can be automated using a script.

Delegate the creation and management of Active Directory objects

With delegation of administration, the responsibility for specific AD administrative tasks is transferred to those who must perform the respective tasks, and to them only. Simply put, high-level administrators authorize the delegated lower-level staff administrators to perform specific administrative tasks. When you design your OU structure you should consider the factor of delegation.

Manage default Active Directory containers

Every domain contains a standard set of default containers created during AD installation. The domain container is the root container of the hierarchy. The Builtin container keeps the default service administrator accounts. The Users container keeps new user accounts and groups created for the domain. The Computers container keeps the new computer accounts created. The Domain Controllers OU provides a default location for the computer accounts of the domain controllers.
Note there is no way to apply Group Policy settings to the default Users and Computers containers. You must first create new OUs, move the desired user and computer objects to the new OUs and then apply the desired Group Policy.
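The following PowerShell is an added example and is not part of the study guide. It deals with the limitation just described from the other direction: instead of moving objects out of the default Users and Computers containers after the fact, it creates dedicated OUs and uses the built-in redirusr and redircmp tools to make them the default location for new accounts, so a Group Policy linked there applies from the moment an account is created. The OU names are constructed values; the domain DN is read from the domain.

```powershell
# Added example (not from the study guide): create OUs and redirect the default
# Users and Computers containers to them so Group Policy reaches new accounts.
# redirusr/redircmp are built-in tools and need the domain functional level to
# be Windows Server 2003 or higher. Assumes the ActiveDirectory module and the
# constructed OU names below.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com

# 1. The defaults are containers (CN=...), not OUs, which is why no GPO can be
#    linked to them. List them for reference.
Get-ADObject -SearchBase $DomainDN -SearchScope OneLevel -Filter 'objectClass -eq "container"' |
    Format-Table Name, DistinguishedName -AutoSize

# 2. Create the OUs that will take over (idempotent).
foreach ($name in 'NewUsers', 'NewComputers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $DomainDN)) {
        New-ADOrganizationalUnit -Name $name -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 3. Redirect. From now on 'net user /add', ldifde/csvde entries without an
#    explicit DN, and domain joins without /machineou land in these OUs, where
#    a restrictive baseline GPO can be linked.
redirusr "OU=NewUsers,$DomainDN"
redircmp "OU=NewComputers,$DomainDN"

# 4. Verify: the wellKnownObjects attribute on the domain head now points at the OUs.
(Get-ADObject -Identity $DomainDN -Properties wellKnownObjects).wellKnownObjects |
    Where-Object { $_ -match 'OU=New' }
```

Redirection does not move existing objects; accounts already sitting in the Users or Computers container still have to be moved as the guide describes.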

Create, copy, configure, and delete groups and OUs

You use the AD Users and Computers console or the new Active Directory Administrative Center (ADAC) UI to create new resources, AD users, printers, shares and OUs. You may also use net group to create a new group account, but group names are limited to 64 characters.
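The following PowerShell is an added example and is not part of the study guide. It serves the group nesting, group conversion, membership enumeration and group creation sections together: it creates a global and a domain local group, nests them following the scope rules above, converts a group's type and scope with the module equivalent of dsmod group, and enumerates effective membership the way dsget group -members -expand does. The OU and group names are constructed values.

```powershell
# Added example (not from the study guide): create, nest, convert and enumerate
# groups. Assumes the ActiveDirectory module and the constructed OU/group names.
Import-Module ActiveDirectory

$OU = 'OU=Groups,DC=corp,DC=example,DC=com'   # assumed OU

# 1. Create: a global group for the role, a domain local group for the resource.
#    Security groups carry a SID and can appear in ACLs; distribution groups cannot.
New-ADGroup -Name 'Finance-Staff'   -GroupScope Global      -GroupCategory Security -Path $OU
New-ADGroup -Name 'FS01-Finance-RW' -GroupScope DomainLocal -GroupCategory Security -Path $OU

# 2. Nest: global (accounts) -> domain local (resource permission). A domain
#    local group may contain global groups from any domain, as the guide states.
Add-ADGroupMember -Identity 'FS01-Finance-RW' -Members 'Finance-Staff'

# 3. Convert. dsmod from the guide:  dsmod group <DN> -scope u -secgrp yes
#    Module equivalent on a separate list group: distribution -> security, then
#    global -> universal. Global cannot go straight to domain local; it must
#    pass through universal first.
New-ADGroup -Name 'Finance-Announce' -GroupScope Global -GroupCategory Distribution -Path $OU
Set-ADGroup -Identity 'Finance-Announce' -GroupCategory Security
Set-ADGroup -Identity 'Finance-Announce' -GroupScope Universal

# 4. Enumerate. dsget from the guide:  dsget group <DN> -members -expand
#    -Recursive flattens nested groups down to the users and computers that
#    actually receive the permission, which is what an access review needs.
Get-ADGroupMember -Identity 'FS01-Finance-RW' -Recursive |
    Select-Object objectClass, Name, SamAccountName | Format-Table -AutoSize

# 5. Review finding: groups that contain other groups, one level at a time.
Get-ADGroup -Filter * -SearchBase $OU -Properties Members | ForEach-Object {
    $nested = $_.Members | Get-ADObject | Where-Object { $_.objectClass -eq 'group' }
    if ($nested) { "{0} ({1}) contains groups: {2}" -f $_.Name, $_.GroupScope, ($nested.Name -join ', ') }
}
```

The flattened listing in step 4 is the one to keep from an access review: a permission granted to FS01-Finance-RW is effectively granted to every account that listing returns, however deep the nesting.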



CHAPTER 6 CREATE AND MANAGE GROUP POLICY
6.1 CREATE GROUP POLICY OBJECTS (GPOS)

Configure a Central Store

Group Policy can be used to configure computer and user settings on networks based on the Active Directory Domain Services (AD DS). Although you can choose to configure Group Policy settings locally, this should be avoided, since domain-based Group Policy centralizes management while local policy does not.

The ADMX/ADML template files are for keeping administrative templates. In AD, these can be replicated across domain controllers. Rather than replicating them to the SYSVOL folder of all domain controllers (even though the GPOs are by default stored in the SYSVOL folder) inside the domain, creating a Central Store, which serves as a file location that will be checked by the Group Policy tools, is considered best practice. This store can be created via a Windows Vista or later client computer.
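The following PowerShell is an added example and is not part of the study guide. It creates the Central Store by copying the local ADMX files and their language subfolders into the PolicyDefinitions folder under SYSVOL, then compares the two trees so a missing or outdated template is visible. The domain name is a constructed value; the SYSVOL path layout is the standard one.

```powershell
# Added example (not from the study guide): create the Group Policy Central Store
# from the local ADMX/ADML templates. Run on a Windows Server 2012 or Windows 8
# machine whose %SystemRoot%\PolicyDefinitions holds the templates you want every
# GPMC user to see. Assumes the constructed domain corp.example.com.
$Domain  = 'corp.example.com'
$Source  = "$env:SystemRoot\PolicyDefinitions"
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path -Path $Central)) {
    New-Item -ItemType Directory -Path $Central | Out-Null
}

# Copy the .admx files and every language subfolder (en-US, de-DE, ...).
# -Recurse brings the ADML folders along; -Force replaces older template versions.
Copy-Item -Path "$Source\*" -Destination $Central -Recurse -Force

# Compare the two trees by relative path and size: anything listed with '<=' is
# local-only (copy failed), '=>' is central-only (left over from another source).
function Get-RelativeFileList([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($Root.Length).TrimStart('\')
            Length = $_.Length
        }
    }
}
Compare-Object -ReferenceObject (Get-RelativeFileList $Source) `
               -DifferenceObject (Get-RelativeFileList $Central) -Property Path, Length

# From now on the Group Policy Management Editor reports that policy definitions
# were retrieved from the central store instead of the local machine.
```

Because SYSVOL replicates, the copy only has to be made once; later template updates (a new Windows release, an application's ADMX) are copied the same way and reach every domain controller through replication.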

Manage starter GPOs

Starter Group Policy Objects derive from a GPO. These are used to store Administrative Template policy settings. Grouping these settings inside a single object makes imports and exports much easier. These are created and managed via the Group Policy Management Console UI. Selecting New GPO from the Starter GPO option allows these to be used as templates for GPO creation.

Configure GPO links

The settings of a GPO can be applied by adding a link to that GPO. Multiple GPO links can be added to a domain, site, or OU via the GPMC. If you want to apply policy settings based upon physical location only, add a link to the desired site. If the settings do not clearly correspond to any particular site, linking to an OU or a domain is considered best practice.

In order for a GPO to be applied to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions for that GPO. However, you cannot have a GPO linked directly to a user, a computer, or a security group.

Configure multiple local group policies

Multiple Local Group Policy (MLGP) is a collection of local GPOs. These objects include:

Local Computer Policy
Administrators Local Group Policy
Non-Administrators Local Group Policy
User-Specific Local Group Policy

They may be edited via the Group Policy Object Editor. Note that these are available only on computers that are
not domain controllers.

Configure security filtering

Security filtering allows you to fine-tune which users and computers will receive and apply the settings of a GPO. Security filtering is used to apply the GPO to only some of the security principals within a container to which the GPO is linked. You may use the GPMC to add and remove groups, users, and computers that are to be used as security filters for a GPO.
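The following PowerShell is an added example and is not part of the study guide. It serves the starter GPO, GPO link and security filtering sections together: it creates a starter GPO, builds a real GPO from it, links the GPO to an OU, and then narrows the Read plus Apply Group Policy permissions the guide describes to a single group while keeping Read for Authenticated Users. The domain, OU, group and GPO names are constructed values.

```powershell
# Added example (not from the study guide): starter GPO, GPO creation, link and
# security filtering with the GroupPolicy module (Windows Server 2012).
# Assumes the constructed domain, OU, group and GPO names below.
Import-Module GroupPolicy

$Domain   = 'corp.example.com'
$TargetOU = 'OU=Servers,DC=corp,DC=example,DC=com'   # assumed OU
$Group    = 'FileServers'                             # assumed group of computer accounts
$GpoName  = 'File Server Hardening'

# 1. Starter GPO: Administrative Template settings only, reusable as a baseline.
$starter = Get-GPStarterGPO -Name 'Server Baseline' -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name 'Server Baseline' -Comment 'Admin template baseline'
}

# 2. Real GPO created from the starter, then linked to the OU. -Enforced No
#    keeps normal inheritance; -LinkEnabled Yes activates the link at once.
$gpo = New-GPO -Name $GpoName -StarterGpoName $starter.DisplayName -Domain $Domain
New-GPLink -Name $gpo.DisplayName -Target $TargetOU -LinkEnabled Yes -Enforced No

# 3. Security filtering. By default Authenticated Users has Read and Apply.
#    Reduce Authenticated Users to Read only (-Replace swaps the existing entry)
#    and grant Apply to the intended group. Read is kept because the computer
#    account must still be able to read the GPO for processing to work.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply

# 4. Verify who can apply the GPO now.
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table Trustee, TrusteeType, Permission -AutoSize
```

Removing Authenticated Users entirely, rather than reducing it to Read, is the common mistake here: the GPO then silently stops applying even to members of the filtered group.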

6.2 CONFIGURE SECURITY POLICIES

Configure User Rights Assignment

User rights are for defining capabilities at the level of the local computer only. Technically they can be applied to individual user accounts, but they should be administered on a group account basis. User rights assigned to a group are applied to all members within the group.

Configure Security Options settings

It is possible to use Dynamic Access Control (DAC) to dramatically reduce the complexity of amalgamated security groups. You may create central access policies for files to centrally deploy and manage authorization policies that include conditional expressions using a variety of criteria such as user claims, device claims, and resource properties.

The primary goal of security auditing, in the context of DAC, is regulatory compliance. Auditing helps to establish the presence of such policies and also to prove compliance or non-compliance with these standards. Staging allows you to verify proposed policy changes before enforcing them.

Configure Security templates

The Security Configuration Wizard is used to produce security policies using security templates that are in .inf format. This allows for prioritization of templates to ensure the correct settings take the proper precedence.

In AD, it is considered best practice to deploy security templates by importing them into a GPO. This is facilitated by first creating OUs for the computers that are to use the various specific security templates, then adding the computer accounts to the proper OU. Finally, the OU is linked to the desired GPO. To import a security template into a GPO, use the Group Policy Object Editor UI.
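The following PowerShell is an added example and is not part of the study guide. It serves the User Rights Assignment section and the security template section together: it exports the user rights currently in force as an .inf template with secedit, writes a constructed baseline template whose [Privilege Rights] section assigns rights to built-in groups rather than individual users, and compares the host against it without changing anything. The working directory and the baseline contents are constructed values.

```powershell
# Added example (not from the study guide): export the effective user rights as a
# security template, and analyze the host against a constructed baseline .inf with
# secedit. Assumes the constructed working directory below.
$Work = 'C:\SecBaseline'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Export what is currently in force (user rights and security options).
secedit /export /cfg "$Work\current.inf" /areas USER_RIGHTS SECURITYPOLICY

# 2. Constructed baseline. [Privilege Rights] maps each right to SIDs:
#    S-1-5-32-544 = Administrators, S-1-5-32-546 = Guests. Denying Guests
#    network and remote interactive logon and limiting local logon to
#    Administrators are typical server entries; rights go to groups, not users.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
'@ | Set-Content -Path "$Work\baseline.inf" -Encoding Unicode

# 3. Analyze only: nothing is changed, the log lists every mismatch.
secedit /analyze /db "$Work\baseline.sdb" /cfg "$Work\baseline.inf" /log "$Work\analyze.log"
Select-String -Path "$Work\analyze.log" -Pattern 'Mismatch|Not Configured' |
    Select-Object -First 20

# 4. Enforcing locally (outside Group Policy) would be:
#      secedit /configure /db "$Work\baseline.sdb" /cfg "$Work\baseline.inf"
#    In a domain, import baseline.inf into the GPO linked to the servers' OU
#    (Group Policy Object Editor: Security Settings, Import Policy) as the guide
#    recommends, so that the settings are reapplied at every refresh.
```

Keeping the analyze step separate from the configure step is what turns a template into a compliance check: the same .inf that configures a server can be run in analyze mode on a schedule to catch drift.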

Configure Audit Policy

There are many audit policy setting categories contained within Security Settings\Advanced Audit Policy Configuration. These are:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Global Object Access Auditing

Object Access policy settings are used to track attempts to access specific objects or types of objects on a network or computer. This allows for auditing attempts to access a file, directory, registry key, or any other object, such as files and folders within a shared folder. The appropriate Object Access auditing subcategory for success and/or failure events must be enabled, however, and the object itself must carry an audit entry (SACL).
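The following PowerShell is an added example and is not part of the study guide. It carries the Object Access case through end to end: it enables the File System subcategory with auditpol, places a SACL on a folder for the sensitive rights only, and then reads back the resulting 4663 events from the Security log. The folder path is a constructed value.

```powershell
# Added example (not from the study guide): enable Object Access auditing for the
# file system, put a SACL on a folder, and read the resulting events. Assumes the
# constructed path C:\Shares\Finance and a Windows Server 2012 host.
$Folder = 'C:\Shares\Finance'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Current state of the Object Access category, then enable the File System
#    subcategory for success and failure. Without this step a SACL produces nothing.
auditpol /get /category:"Object Access"
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. SACL: audit Everyone for delete and permission/ownership changes, inherited
#    by subfolders and files. Auditing reads on a busy share floods the log, so
#    only the rights that matter for tamper detection are selected.
$acl    = Get-Acl -Path $Folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify the SACL, then look for event 4663 (an attempt was made to access
#    an object) on this folder from the last hour. Properties[1] is the subject
#    account name in that event.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Folder) } |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[1].Value } } |
    Select-Object -First 10
```

The subcategory setting and the SACL are two halves of one control; the most common reason "object access auditing does not work" is that only one of them was configured.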

Configure Local Users and Groups

Local users and groups can be managed through the Server Manager or the Task Manager. You can create, modify or remove users and groups as needed.

Configure User Account Control (UAC)

User Account Control (UAC) is a feature that limits the privileges of users by default. This can be overridden from a given user account session by using the Run as administrator option from a given context menu, and then supplying the admin credentials when prompted.

6.3 CONFIGURE APPLICATION RESTRICTION POLICIES

Configure rule enforcement

Software Restriction Policies rely on four types of rules to identify software. These are Hash, Certificate, Path and Zone. These policies do not prevent restricted processes that run under the name of the System account. Note that each type of rule has its benefits and drawbacks.

A rule may be Unrestricted or Disallowed. Software restriction policies can be applied to allow only a list of trusted applications or to specifically disallow those undesired applications or file types that should be prohibited. By default, there is no rule or policy applied.

Configure AppLocker rules

AppLocker can be used to configure Application Control Policies to block the execution of software as needed. You can have AppLocker rules associated with a specific user or group within an organization. No rules are in place by default. Default rules, if any, should NOT be used for production purposes. Unlike Software Restriction Policies, an AppLocker rule collection only functions as an allowed list of files, which means only those files that are listed are allowed to run.
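The following PowerShell is an added example and is not part of the study guide. It builds an AppLocker policy from the executables in a reference installation using the AppLocker module, prefers publisher and hash rules over path rules, tests a couple of paths against the policy before deployment, and writes it to a GPO in audit-only mode so that the allow-list behaviour described above can be observed before it is enforced. The reference directory is a constructed value and the GPO LDAP path is a placeholder.

```powershell
# Added example (not from the study guide): build, test and deploy an AppLocker
# policy in audit-only mode. Assumes the AppLocker module (Windows Server 2012),
# the constructed reference directory, and a placeholder GPO LDAP path.
Import-Module AppLocker

$RefDir = 'C:\Program Files\LineOfBusiness'   # assumed reference install
# Placeholder: the LDAP path of the GPO that will carry the policy.
$GpoLdap = 'LDAP://corp.example.com/CN={GUID-OF-GPO},CN=Policies,CN=System,DC=corp,DC=example,DC=com'

# 1. The Application Identity service must run on every target, or rules are ignored.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Rules from the reference directory: publisher rules where files are signed,
#    hash rules where they are not. Path rules are avoided on purpose: a rule on
#    a user-writable path allows anything copied into it.
$files  = Get-AppLockerFileInformation -Directory $RefDir -Recurse -FileType Exe, Dll, Script
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix LOB -Optimize

# 3. Audit only to start with: files that would have been blocked are logged as
#    event 8003 under Applications and Services Logs > Microsoft > Windows > AppLocker.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 4. Dry-run decisions for a known-good file and a file outside the allow list.
Test-AppLockerPolicy -PolicyObject $policy -User Everyone `
    -Path "$RefDir\app.exe", "$env:TEMP\dropped.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Write the policy to the GPO, merging with rules already present there.
Set-AppLockerPolicy -PolicyObject $policy -Ldap $GpoLdap -Merge
```

Because an AppLocker collection is an allow list, the first enforced deployment blocks everything not covered by a rule; the audit-only period and the 8003 events are how the gaps are found without an outage.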

Configure Software Restriction Policies

Software restriction policies can be dealt with via the Local Security Policy Editor. Check the left pane and you will see them there. If you add policies through here, the inherited policies will be overridden. This is why you should add new policies through the Action menu instead.

6.4 CONFIGURE WINDOWS FIREWALL

Configure rules for multiple profiles using Group Policy

As a stateful host-based firewall, Windows Firewall can be configured via the Windows Firewall with Advanced Security interface or via the Netsh advfirewall command. You may also access it via the Control Panel. However, configuration via the Control Panel is mostly for typical end-user tasks.

Configuration through Group Policy is possible. To do so, first determine the Group Policy settings in a test environment before formal deployment. Domain profile settings are used when computers are connected to a network that has domain controllers for the domain of which the computer is a member. On the other hand, standard profile settings are used when the network does not contain domain controllers.

Configure connection security rules

Firewall rules are used to allow server computers to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to allow the connection, allow a connection only if it is secured through IPsec, or block the connection entirely. Rules may be for either inbound traffic or outbound traffic and may specify the computers or users, program, service, port (all ports or specified ports), protocol (TCP vs UDP) and the type of network adapter involved.

Connection security rules define authentication using IPsec and enforce Network Access Protection (NAP) policy.

Configure Windows Firewall to allow or deny applications, scopes, ports, and users

The Windows services and third-party programs that require access should be determined initially and then allowed to communicate between different network locations. Inside the netsh advfirewall context there are several subcommands that allow changes, so you can view, create, and modify firewall rules. These include add, delete, set and show. The direction of traffic can be either in or out, while the available actions are allow, block or bypass.

Configure authenticated firewall exceptions

Authenticated bypass rules allow connections that bypass other inbound rules when the traffic is protected with IPsec. Block rules explicitly block particular types of traffic, and can be used to override a matching allow rule. If Windows Firewall is blocking a specific program that should be allowed to communicate, it should be added to the list of allowed programs (also called the exceptions list).

Import and export settings

Under Advanced settings, in the Action pane, you can choose to import or export your firewall policies. Also, from within the netsh advfirewall command prompt you can access these same import and export commands.
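The following PowerShell is an added example and is not part of the study guide. It covers the firewall sections of 6.4 together with the NetSecurity module of Windows Server 2012, noting the netsh advfirewall equivalents the guide refers to: profile-scoped program and port rules, a connection security rule that requires IPsec authentication, an authenticated bypass rule, a review of the inbound allow rules, and an export of the whole policy. The program path, management subnet, backup path and the SDDL machine SID are constructed or placeholder values.

```powershell
# Added example (not from the study guide): Windows Firewall with Advanced Security
# tasks with the NetSecurity module, with netsh advfirewall equivalents in comments.
# Assumes Windows Server 2012 and the constructed/placeholder values below.
Import-Module NetSecurity

$App    = 'C:\Program Files\LineOfBusiness\svc.exe'   # assumed program
$Admins = '10.0.0.0/24'                                 # assumed management subnet
$Backup = 'C:\Backup'                                   # assumed export location

# 1. Profile-scoped rules. The Domain profile is active only when a DC for the
#    computer's domain is reachable; elsewhere the same service is reachable only
#    from the management subnet.  (netsh advfirewall firewall add rule ...)
New-NetFirewallRule -DisplayName 'LOB service (domain)' -Direction Inbound -Profile Domain `
    -Program $App -Protocol TCP -LocalPort 8443 -Action Allow
New-NetFirewallRule -DisplayName 'LOB service (private/public)' -Direction Inbound -Profile Private, Public `
    -Program $App -Protocol TCP -LocalPort 8443 -RemoteAddress $Admins -Action Allow

# 2. Connection security rule: require IPsec authentication for inbound RDP using
#    the computer's Kerberos identity, so no certificates are needed in a domain.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos machine auth' -Proposal $proposal
New-NetIPsecRule -DisplayName 'Require auth for RDP' -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 3389 -Phase1AuthSet $authSet.Name

# 3. Authenticated bypass (netsh action=bypass): overrides block rules, but only
#    for IPsec-authenticated traffic from the computers in the SDDL list.
#    The SID below is a placeholder for the management host's computer account.
New-NetFirewallRule -DisplayName 'Admin bypass' -Direction Inbound -Action Allow `
    -Authentication Required -OverrideBlockRules $true `
    -RemoteMachine 'O:LSD:(A;;CC;;;S-1-5-21-0-0-0-1234)'

# 4. Review the enabled inbound allow rules with their ports.  (netsh advfirewall firewall show rule name=all)
Get-NetFirewallRule -Enabled True -Direction Inbound | Where-Object Action -eq 'Allow' |
    Get-NetFirewallPortFilter | Format-Table InstanceID, Protocol, LocalPort -AutoSize

# 5. Export the complete policy for backup or transfer to another host.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
netsh advfirewall export "$Backup\fw-$(Get-Date -Format yyyyMMdd).wfw"
# Restore with:  netsh advfirewall import "C:\Backup\fw-<date>.wfw"
```

A bypass rule is only as safe as its authentication requirement; without -Authentication Required and the authorized computer list it would simply be an allow rule that beats every block rule.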
