2640 12299 itu notes windows server 2012 installation and configuration

Copyright © 2013 IT University Online All rights reserved. www.ituniversityonline.com

Course Outline

§  Planning, Installing, and Configuring Windows Server 2012 §  Installing and Configuring an Active Directory Domain Controller §  Administering Active Directory Objects §  Automating Administrative Tasks §  Configuring IPv4 §  Configuring IPv6 §  Installing and Configuring DHCP §  Installing and Configuring DNS §  Configuring Storage Spaces and File and Print Services §  Configuring Group Policy §  Securing Windows Servers §  Installing and Configuring Virtual Servers and Clients

OV 1 - 1


Planning, Installing, and Configuring Windows Server 2012

§  Introduction to Windows Server 2012 §  Describe Windows Server 2012 Management §  Plan and Install Windows Server 2012 §  Configure Windows Server 2012

OV 1 - 2


Networking Environments

§  Local clients and servers §  Cloud services (public, private, or both)

OV 1 - 3


Windows Server 2012 Server Roles

§  Active Directory Certificate Services (AD CS) §  Active Directory Domain Services (AD DS) §  Active Directory Federation Services (AD FS) §  Active Directory Lightweight Directory Services (AD LDS) §  Active Directory Rights Management Services (AD RMS) §  Application Server §  DHCP Server §  DNS Server §  Fax Server §  File and Storage Services

OV 1 - 4


Windows Server 2012 Server Roles (Cont.)

§  Hyper-V §  Network Policy and Access Services §  Print and Document Services §  Remote Access §  Remote Desktop Services §  Volume Activation Services §  Web Server (IIS) §  Windows Deployment Services (WDS) §  Windows Server Update Services (WSUS)

OV 1 - 5


Windows Server 2012 Features

§  Windows BitLocker Drive Encryption §  Failover Clustering §  Group Policy Management §  Ink and Handwriting Services §  Internet Printing Client §  Network Load Balancing (NLB) §  Remote Assistance §  Remote Server Administration Tools §  Simple Mail Transfer Protocol (SMTP) Server §  Telnet Client, Telnet Server §  Windows PowerShell §  Windows Server Backup §  Windows System Resource Manager (WSRM) §  Wireless Local Area Network (LAN) Service §  Windows on Windows (WoW) 64 Support

OV 1 - 6


New Features in Windows Server 2012

§  Command auto-completion §  Enhanced storage §  Features on Demand §  IP Address Management (IPAM) Server §  New cmdlets §  Resilient File System (ReFS) §  Revised Task Manager §  User interface §  Windows BranchCache

OV 1 - 7


Comparing Server Roles and Features

§  Server Roles §  Programs that configure a server to perform a specific function for users and/or

computers on the network. Users typically access servers that are hosting server roles.

§  Examples: The DHCP Server role leases IP addresses to clients and devices; the DNS Server role configures the server to find the IP address for a given FQDN.

§  Features §  Applications that increase the functions the server can perform. In general, users do

not access features. §  Examples: You use Windows Server Backup to back up the server, not clients. The

Wireless LAN Service enables you to connect the server to the network wirelessly.

OV 1 - 8


Windows Server 2012 Editions

§  Windows Server 2012 Datacenter §  Designed for large organizations that need highly virtualized private and hybrid cloud network

environments. §  Designed for use by large organizations. §  Includes all features of Windows Server 2012 and unlimited virtual machine instances.

§  Windows Server 2012 Standard §  Designed for network environments with minimal virtualization needs. §  Includes all features of Windows Server 2012 and two virtual machine instances.

§  Windows Server 2012 Essentials §  Designed for use by small businesses with a maximum of 25 users and 50 network devices. §  Tailored to the needs of a small organization with no more than 25 users. §  Includes a streamlined interface, configuration for connecting to cloud services, and no support for

virtualization.

§  Windows Server 2012 Foundation §  Designed for very small organizations with up to 15 users. §  Includes general-purpose server functionality and no support for virtualization.

OV 1 - 9


Windows Server 2012 Licensing

§  Windows Server 2012 Datacenter §  Processor license for each CPU in the server. §  Client access license (CAL) for each user or device that connects to the server.

§  Windows Server 2012 Standard §  Processor license. §  CAL per user or device.

§  Windows Server 2012 Essentials §  Server license that supports a maximum of two server CPUs. §  Maximum of 25 users.

§  Windows Server 2012 Foundation §  Server license that supports only one CPU in the server. §  Maximum of 15 users.

OV 1 - 10


Administrative Tools and Tasks

§  Server Manager §  Add and configure server roles. §  Examine and configure services. §  Monitor events. §  Configure server and network settings such as name, domain, and IP addresses. §  Evaluate servers and the network (Best Practices Analyzer).

§  Windows PowerShell §  Perform nearly all tasks that can be managed in the GUI. §  Bulk administer objects.

§  Active Directory Users and Computers; Active Directory Administration Center

§  Create and manage Active Directory objects. §  Group Policy Management

§  Create and configure group policies. §  Performance Monitor

§  Monitor server and network performance.

OV 1 - 11


Administrative Tools and Tasks (Cont.)

§  Task Manager §  Monitor server and network functionality, and performance.

§  Resource Monitor §  Monitor server resources.

§  Task Scheduler §  Create and schedule administrative tasks to run automatically.

§  Various MMCs, such as the DNS console §  Perform server-role specific tasks.

§  Remote Desktop §  Perform remote management.

§  WinRM §  Perform remote management from a command-line interface.

OV 1 - 12


Introduction to Server Manager

§  Manage configuration of multiple servers. §  Review server event logs. §  Install and configure additional roles. §  Manage Windows services on each server. §  Launch PowerShell for command-line administration.

OV 1 - 13


The Server Manager Interface

OV 1 - 14


Multi-Server Management

§  Shows all servers running a particular service in the domain §  Gives quick statistics about each server and service §  Can open the management console for each service on each server §  Can open other management tools:

§  RDP §  PowerShell §  Add Roles and Features §  Computer Management §  NIC Teaming §  Performance Counters §  Shut Down

OV 1 - 15


The Dashboard Pane

§  Top section displays a list of steps for configuring a server. §  Bottom section displays “bird’s eye view” thumbnails of servers.

OV 1 - 16


All Servers Pane

§  View a series of sections: §  Servers §  Events §  Services §  Best Practices Analyzer §  Performance §  Roles and Features

OV 1 - 17


The File and Storage Services Pane

§  When selected, displays a second level of options: §  Servers §  Volumes §  Disks §  Storage Pools §  Shares §  iSCSI

OV 1 - 18


The File and Storage Services Pane (Cont.)

OV 1 - 19


Windows Server 2012 System Requirements Hardware Component Minimum Requirement Recommended Hardware

Processor 1.4 GHz 64-bit processor 3.1 GHz or faster

RAM 512 MB 16 GB or more

Disk space 32 GB 128 GB or larger

§  DVD drive §  Super VGA (800x600) or higher resolution monitor §  Keyboard and mouse §  Internet access

Additional hardware needed:

OV 1 - 20


Windows Server 2012 Installation Methods §  Optical media such as a DVD §  USB drive §  Network share §  Mounted ISO image §  Windows Deployment Services (WDS) §  System Center Configuration Manager (SCCM) §  Virtual Machine Manager templates

OV 1 - 21


Installation Types

§  Fresh install §  Upgrade §  Migration

OV 1 - 22


Installation Modes

§  Server Core §  Server with the graphical user interface (GUI) §  Server with the Minimal Server Interface

OV 1 - 23


Upgrade Paths for Windows Server 2012

Current Version of Windows Server Can Upgrade To

Windows Server 2008 Standard with SP2 or Windows Server 2008 Enterprise with SP2

Windows Server 2012 Standard, Windows Server 2012 Datacenter

Windows Server 2008 Datacenter with SP2 or Windows Server 2008 R2 Datacenter with SP1

Windows Server 2012 Datacenter

Windows Web Server 2008 or Windows Web Server 2008 R2

Windows Server 2012 Standard

Windows Server 2008 R2 Standard with SP1 or Windows Server 2008 R2 Enterprise with SP1

Windows Server 2012 Standard, Windows Server 2012 Datacenter

OV 1 - 24


Migrating to Windows Server 2012

You must migrate the following services from an older server to a Windows Server 2012 server: §  Active Directory Federation Services §  Health Registration Authority §  Hyper-V §  IP Configuration §  Network Policy Server §  Print and Document Services §  Remote Access §  Windows Server Update Services

OV 1 - 25


Installation Planning Worksheet

OV 1 - 26


Offline Images

§  Create and deploy server image using DISM §  Create image file §  Create answer file §  Modify image file

OV 1 - 27


Server Core Configuration

§  Assign a static IP address to the server. §  Change the computer name and domain membership. §  Implement network adapter teaming. §  Enable Remote Desktop. §  Activate the server.

OV 1 - 28


The Windows Server GUI Interface

Advantages of the full server with the graphical interface: §  Contains all graphical administrative utilities. §  Supports local and remote installation, configuration, and removal of server roles. §  Provides use of MMC to create additional graphical consoles. Disadvantages of the full server with the graphical interface: §  Is less secure. §  Uses more disk space. §  Consumes more RAM.

OV 1 - 29


Full Server with GUI Configuration

Perform the same tasks as with configuring Server Core: 1. Assign a static IP address to the server. 2. Change the computer name and domain membership. 3. Implement network card teaming. 4. Enable Remote Desktop. 5. Activate the server.

OV 1 - 30


Configure Server with a Static IP Address

Assign a static IP address,

subnet mask, and default

gateway

Assign at least one DNS server

address

OV 1 - 31


The Computer Name/Domain Changes Dialog Box

OV 1 - 32


Network Card Teaming

OV 1 - 33


Enable Remote Desktop

OV 1 - 34


Reflective Questions

1. In what scenario do you think it’s best to install Windows Server 2012 Server Core?

2. After configuring a server, why should you consider switching it from the GUI version of Windows Server 2012 to the Server Core version?

OV 2- 1 Copyright © 2013 IT University Online All rights reserved. www.ituniversityonline.com

Installing and Configuring an Active Directory Domain Controller

§  Overview of Active Directory §  Install an Active Directory Domain Controller


The Active Directory Physical Hierarchy

Fuller.local domain

Rochester.fuller.local domain

Boston. fuller.local domain

Each domain contains domain controllers, users, computers, printers, and so on


The Active Directory Logical Hierarchy

Fuller.local domain

Rochester.fuller.local domain

Boston. fuller.local domain

OU = Headquarters

OU = Rochester

OU = Boston

OU = Sales

OU = Accounting

OU = Admin

OU = Bookstore

Site = Rochester

Site = Boston


Active Directory Components

§  Domain controllers §  Data store §  Global catalog servers §  Read-only domain controllers (RODCs) §  Domain §  Domain tree §  Forest §  Site §  OU §  Partition §  Schema


Active Directory Containers

§  Forest §  Tree or domain tree §  Domain §  Site §  Organizational unit


Domain Controllers

Domain controllers perform these tasks: §  Store a copy of the AD DS database in the NTDS.dit file. §  Host a copy of the SYSVOL folder. §  Authenticate users for log on purposes and also for access to resources. §  Synchronize the SYSVOL folder using either File Replication Service (FRS)

or Distributed File Service (DFS) replication.


Global Catalog Server

Global catalog servers perform these functions in the forest: §  Contain a copy of the global catalog, which has references to every object

in the forest. §  Enable users and administrators to search for objects such as computers

and printers distributed throughout the forest. §  Support cross-domain searches.


Operations Master Roles

Domain controllers can also host forest-wide or domain-level operations master roles: §  Schema master: Is responsible for updates to the schema. §  Domain naming master:

§  Processes domain name changes. §  Adds or removes domains or application directory partitions to or from the forest. §  Adds replicas of application directory partitions to other domain controllers. §  Adds or removes cross-reference objects to or from external directories.

§  RID master: Allocates blocks of relative identifiers (RIDs) to every domain controller in the domain.

§  Infrastructure master: Updates references to objects in its own domain that point to objects in other domains, and also updates references to its local objects.

§  PDC emulator: §  Supplies the correct time to the domain. §  Stores the most-recent password changes. §  Administers Group Policy and Distributed File System (DFS).



1. What are the advantages of using Active Directory Domain Services? 2. Which types of installations do you expect to perform most often in your

working environment?

OV 3 - 1 Copyright © 2013 IT University Online All rights reserved. www.ituniversityonline.com

Administering Active Directory Objects

§  Design and Create an Active Directory Hierarchy §  Manage Users §  Manage Computers §  Manage Groups §  Delegate Administrative Tasks


Types of Active Directory Design

§  Geographical location §  Organizational chart §  Functional structure §  Hybrid structure


Active Directory Structure: Geographical Design Create domains and organizational units based on geographic locations for your organization.

fuller.local

us.fuller.local eu.fuller.local

paris.eu.fuller.local

london.eu.fuller.local

rochester.us.fuller.local atlanta.us.fuller.local

Root Level Domain

Country Domains

City Domains


Active Directory Structure: Organizational Chart Design Create domains and organizational units based on the organization’s organizational chart.

fuller.local

marketing.fuller.local

production.fuller.local

paris.production.fuller.local

rochester.production

.fuller.local rochester.marketing.

fuller.local atlanta.marketing.

fuller.local

Root Level Domain

Departmental Domains

City Domains


Active Directory Structure: Functional Design

fuller.local

publishing.fuller.local

administrative.fuller.local sales.fuller.local accounting.fuller.local

Root Level Domain

Functional Domains

Create domains and organizational units based on the organizational chart structure.


Active Directory Structure: Hybrid Design

fuller.local

publishing.fuller.local admin.fuller.local sales.fuller.local accounting.fuller.local

Root Level Domain

Functional Domains

Create domains and organizational units based on the organizational chart structure.

Atlanta

Location Domains or Organizational

Units

Rochester Rochester Rochester Rochester Boston Atlanta Boston


The Fuller & Ackerman Wide Area Network


The Active Directory Administrative Tools

§  Graphical Administrative Tools §  Active Directory Users and Computers §  Active Directory Sites and Services §  Active Directory Domains and Trusts §  Active Directory Schema §  Remote Server Administration Tools (RSAT) §  Active Directory Administrative Center

§  Windows PowerShell Commands §  Add-ADGroupMember §  Disable-ADAccount §  Get-ADDomain §  Move-ADObject §  New-ADGroup, New-ADOrganizationalUnit, New-ADUser §  Remove-ADGroup, Remove-ADGroupMember, Remove-ADUser

§  Command-Line Utilities §  Dsadd, Dsget, Dsmod §  Dsmove, Dsquery, Dsrm


Tools for Creating User Accounts

§  Active Directory Users and Computers §  Active Directory Administrative Center §  PowerShell command New-ADUser §  Command-line utility Dsadd.exe


User Profiles

User profiles contain the information necessary to establish the user’s desktop environment: § The Profile Path

§  Location where desktop settings are stored. §  Also referred to as a roaming profile.

§ Logon Scripts §  Batch files that map drive letters to network resources.

§ Home Folder Location §  A folder you create to store the user’s folders and files.


Default Active Directory Objects

§  Builtin §  Computers §  Domain Controllers §  ForeignSecurityPrincipals §  Managed Service Accounts §  Users


User Account Templates

§  Reduces workload of creating users. §  Has all non-user specific configurations including group memberships. §  Best practices:

§  Create the user account with an underscore at the beginning of the name. §  Leave the account disabled. §  Never let anyone use the template to log on. §  Don’t configure template with information that is user-specific.


The Computers Container

§  Default system container in Active Directory. §  New computer accounts are created here by default. §  Cannot have group policy directly applied to it. §  Has a relative distinguished name of “CN=Computers.” §  Redircmp.exe can be used to change the default computer container. §  Best practices:

§  Specify another container as you create the computer account. §  Move computer accounts out of this default container into real OUs.


Location Configuration

§  A best practice is to create OUs specifically to hold computer accounts. §  It is common to create parent OUs by geography or department. §  Child OUs can be for desktops or laptops. §  Other child OUs can be for users, administrators, and resources. §  Separate computers into OUs to delegate control and apply policy.


Permissions Management

§  By default, the following have permissions to create computer objects: §  Enterprise Admins §  Domain Admins §  Administrators §  Account Operators

§  You should restrict membership to administrator groups. §  Delegate control over an OU by using the Delegate Control wizard.


Secure Channels

§  Like users, computers log on to the domain. §  Ordinarily there is no need to manually reset a computer account. §  If for some reason the computer cannot access its own account, you may

have to perform a secure channel reset. §  You can reset a computer account using the following tools:

§  Active Directory Users and Computers §  DSmod §  netdom §  NLTest §  PowerShell


Types of Groups

§  Security §  Distribution


Group Scopes

§  Local §  Domain Local §  Global §  Universal


Default Management Groups

§  Schema Admins §  Enterprise Admins §  Domain Admins §  Administrators §  Server Operators §  Account Operators §  Backup Operators §  Print Operators


Active Directory Domain Services Permissions §  You can assign permissions to Active Directory objects:

§  Users §  Computers §  Groups

§  It is a best practice to delegate control to an entire OU. §  Effective permissions are cumulative from individual permissions and

group membership.



1. Do you foresee using user account templates in your organization? Why or why not?

2. Do you think you will delegate control to OUs in your organization? Why or why not?


Automating Administrative Tasks

§  Introduction to Windows PowerShell §  Use Windows PowerShell to Manage Active Directory Objects §  Use Command-Line Tools to Administer Active Directory §  Use Bulk Operations


Common PowerShell Uses for Administrators §  Add and remove Windows Server roles and features. §  Manage services. §  List processes. §  Create, list, and manage file systems. §  View event logs. §  Manage the Windows registry. §  Manage monitoring tools. §  Add, delete, and manage AD DS objects.


Windows PowerShell Features

§  Simplified syntax §  Updated help §  Enhanced module discovery §  Session recovery §  The show command §  Web access §  Delegated administration §  Safety


PowerShell Get-Help Command


Update Help

§  Download the latest help file. §  If Update Help cannot contact the Microsoft site, you can cancel and

continue.


Get-Help Service


Common Cmdlet Verbs

§  Add §  Backup §  Clear §  Close §  Disable §  Enable §  Install §  Get

§  New §  Set §  Show §  Stop §  Suspend §  Uninstall §  Rename

Note: some words such as “backup” or “new” are treated as single verbs in PowerShell.


Common Event Viewer Cmdlets

§  Get-EventLog §  Show-EventLog §  Clear-EventLog §  Limit-EventLog


The Get-EventLog Command

§  Get-EventLog retrieves log entries. §  Must include the name of the event log file. §  -Newest <number> gives most recent entries only.


Service Cmdlets

§  Start-Service §  Get-Service §  Stop-Service §  Suspend-Service §  Resume-Service §  Set-Service §  Restart-Service


Process Cmdlets

§  Start-Process §  Get-Process §  Stop-Process §  Wait-Process §  Debug-Process


An Advanced PowerShell Cmdlet

§  Get-Counter –Counter “\Processor(_Total)\% Processor Time” –SampleInterval 10 –MaxSamples 100


The -Whatif Parameter

§  -WhatIf shows what would happen without actually doing it.


The -Confirm Parameter

§  The -Confirm parameter executes a command with confirmation. §  Note: PowerShell will still ask you to confirm if the action will be taken

on more than one object.


PowerShell ISE


PowerShell ISE Scripting Pane

§  The Scripting pane is available on the toolbar.


Execution Policies

§  Restricted – Scripts will not execute. §  RemoteSigned – Locally created scripts will run; downloaded scripts

must be digitally signed. §  AllSigned – Scripts signed by a trusted publisher will run. §  Unrestricted – Any script, signed or unsigned, will run. Set-ExecutionPolicy Unrestricted


User Management PowerShell Cmdlets

§  Get-AdUser §  New-ADUser §  Set-ADUser §  Enable-ADAccount §  DisableADAccount §  Remove-ADUser §  Unlock-ADAccount §  Set-ADAccountPassword §  Set-ADAccountExpiration


Parameters for User Account Management §  AccountExpirationDate<DateTime> §  AccountPassword<securestring> §  CannotChangePassword<Boolean> §  ChangePasswordatlogon<Boolean> §  Department<String> §  DisplayName<String> §  HomeDirectory<String> §  ProfilePath §  EmailAddress


Display All User Accounts

§  Get-ADUser –filter *


View User Properties

§  Get-ADUser “Tracy White” –Properties *


User’s Home Folder Set Up in PowerShell

§  Set-ADUser “Tracy White” –HomeDirectory \\Users\tracywhitehomedir


Inactive and Disabled Accounts

§  Right-click an account in Active Directory Users and Computers to enable or disable it.

§  PowerShell examples: §  Get-ADUser –filter ‘department –eq “Training”’ | Enable-ADAccount §  $90Days = (get-date).adddays(-90) §  Get-ADUser -filter {(lastlogondate -le $90Days) -and (enabled -eq $true)} | Disable-

ADAccount


Group Management Cmdlets

§  Perform individual operations. §  Create scripts to perform bulk operations.

Windows PowerShell Cmdlet Description

Get-ADGroup Displays property values for groups

New-ADGroup Creates new groups

Set-ADGroup Modifies group properties

Remove-ADGroup Deletes groups


Parameters for Group Management

§  Groups have over 40 properties. §  Get-ADGroup –identity “Users” –Property * – Returns all properties

Parameter Description

Name Defines the group name.

GroupScope Defines the group scope as domain local, global, or universal. You must include this parameter.

DisplayName Defines the Lightweight Directory Access Protocol (LDAP) display name.

ManagedBy Defines a user or group that can manage the group.

Path Defines the organizational unit (OU) in which the group is created.

SamAccountName Defines a name that is backward compatible with older operating systems.


Viewing Group Properties in PowerShell

§  Get-ADGroup –identity “Users” – Returns most common properties


Verifying Group Creation

New-ADGroup -Name "BusinessAnalysts" -Path "ou=marketing,dc=Fuller,dc-local" -GroupScope Global -GroupCategory Security


Group Member and Membership Cmdlets

§  Add-ADGroupMember §  Get-ADGroupMember §  Remove-ADGroupMember §  Add-ADPrincipalGroupMembership §  Get-ADPrincipalGroupMembership §  Remove-ADPrincipalGroupMembership

§  Examples: §  Get-Adgroupmember -Identity administrators

§  Get-Adgroupmember -Identity Enterprise Admins –recursive

§  Add-ADGroupMember BusinessAnalysts -Members "TracyWhite"


Computer Account Management

§  Cmdlets §  Get-ADComputer §  New-ADComputer §  Set-ADComputer §  Test-ComputerSecureChannel §  Reset-ComputerMachinePassword §  Remove-ADComputer

§  Parameters §  Name §  Path §  Enabled


OU Management

§  Cmdlets §  Get-ADOrganizationalUnit §  New-ADOrganizationalUnit §  Set-ADOrganizationalUnit §  Remove-ADOrganizationalUnit

§  Parameters §  Name §  Path §  ProtectedFromAccidentalDeletion


Viewing OU Information

§  Get-ADOrganizationalUnit


Creating an OU

New-ADOrganizationalUnit -Name Philanthropy -Path "ou=Marketing,dc=Fuller,dc=Local"


Modifying OU Properties

Set-ADorganizationalunit -Identity "OU=Marketing, DC=Fuller,DC=Local" -Country "US" –StreetAddress "2111 Main Street" -City Seattle -State WA -PostalCode 30022


CSVDE

§  Export basic syntax: §  Csvde –f <filename>

§  Import basic syntax: §  Csvde –i –f <filename>


CSV File

§  Can be .csv or .txt §  First line contains attribute names


LDIFDE

§  Syntax like CSVDE §  Can be used to modify objects in place:

§  Use Changetype line


DS Commands

§  DSadd §  DSget §  DSquery §  DSmod §  DSrm §  DSMove

§  Examples: §  DSadd user “CN=Sally Green,OU=Sales,DC=fuller,DC=local” §  DSmod user “CN=Sally Green,OU=Sales,DC=fuller,DC=local” –dept Marketing


Bulk Operations

§  Three primary ways to perform bulk operations: §  Graphical tools §  Command-line tools §  Scripts


Querying Objects

§  SearchBase – Search path in AD hierarchy §  SearchScope – Depth or at what level search should be performed §  ResultSetSize – Maximum number of objects returned in a query §  ResultPageSize – Maximum number of objects for each page returned §  Properties – Which properties to display


Global Search


Object Configuration

§  Pipe output of Get command to input of Set command §  Get-ADUser | Set-ADUser §  Example:

§  Get-ADUser –Filter ‘lastlogondate –lt “September 1, 2012”’ | Disable-ADAccount



1. In what ways do you think PowerShell can help you to perform daily administrative tasks in your environment?

2. Do you foresee a need to use bulk operations to manage user accounts in your environment? Why or why not?


Configuring IPv4

§  Overview of the TCP/IP Protocol Suite §  Describe IPv4 Addressing §  Implement Subnetting and Supernetting §  Configure and Troubleshoot IPv4


The TCP/IP Protocol Suite


The OSI Model and the TCP/IP Suite

Comparing the OSI and TCP/IP models


IPv4 Packet


TCP/IP Applications

Protocol Description

HTTP HyperText Transfer Protocol. Used for communication between web browsers and web servers.

HTTPS HTTP Secure. Uses encryption for communication between web browsers and web servers.

POP3 Post Office Protocol 3. Retrieves email messages from an email server.

SMTP Simple Mail Transfer Protocol. Transfers mail over the Internet.

FTP File Transfer Protocol. Transfers files between FTP servers and clients.

SMB Server Message Block. Used for file and print sharing between servers and clients.

DNS Domain Name Service. Converts domain names to IP addresses.

RDP Remote Desktop Protocol. Allows remote control of a Windows operating system over a network.

DHCP Dynamic Host Configuration Protocol. Dynamically assigns IP addresses to network clients.


TCP/IP Sockets

§  A Windows TCP/IP socket consists of three components: §  The transport protocol used by the application, either TCP or UDP §  The TCP or UDP port number used by the application §  The IP address (IPv4 or IPv6) of the source and destination host connection

§  Well-known port numbers:

Port Transport Protocol Application Service 80 TCP HTTP 443 TCP HTTPS 110 TCP POP3 25 TCP SMTP 20, 21 TCP FTP 445 TCP SMB 53 UDP DNS name lookups 53 TCP DNS zone transfers


IPv4 Addresses

§  Allow for network layer data routing of IP datagrams from one IP device connection (source) to another (destination).

§  Each networked device must be configured with a unique IP address. §  To make IPv4 addresses easier for humans to manage, IPv4

address formatting expresses binary bit values as dotted decimal notation.

§  Each octet converts to a decimal number between 0 and 255.


Subnet Masks

§  Identifies which part of the IPv4 address is the network ID and which part is the host ID.

§  In its simplest implementation, the default subnet mask is either 255 or 0. §  Octets with a value of 255 identify the network ID part of the address, and a

value of 0 identifies the host part of the address. §  For the IP address 192.168.1.100 and the subnet mask 255.255.255.0, the

network ID is 192.168.1.0 and the host connection ID is 0.0.0.100.


Default Gateway

§  Usually a router, provides a default route used by TCP/IP hosts to forward packets to hosts on remote networks.

§  On a local subnet, you configure the local hosts with the IP address of the router, which is the default gateway, to enable local hosts to communicate with hosts on another network.

§  Configure the default gateway: §  In the GUI in the properties of the network adapter §  Command line

§  netsh interface ipv4 set address §  PowerShell

§  For new IP address: new-netipaddress §  Changing an IP address: set-netipaddress


Public and Private IP Addresses

§  Public IP address: §  Public IPv4 addresses, managed by IANA, must be unique §  Distributed by IANA §  ISP distributes to businesses and individuals §  Used to traverse the Internet

§  Private IP address: §  Reserved by IANA §  Can be used internally by businesses and individuals §  Does not route to the Internet §  Must be NATed to allow businesses or users to connect to the Internet

§  Private IPv4 address ranges established by IANA: 10.0.0.0/8 10.0.0.0 - 10.255.255.255 172.16.0.0/12 172.16.0.0 - 172.31.255.255 192.168.0.0/16 192.168.0.0 - 192.168.255.255


Binary Values and Dotted Decimal Notation


Subnetting

§  Provides a means to divide your network into smaller, discrete networks that better serve the needs of your organization.

§  Enables you to divide the 32 bits of an IPv4 address to create the number of subnets you need as well as the number of host addresses you need for that subnet.


Benefits of Subnetting

§  Segment a large network to increase administrative efficiency. §  Reduce network congestion by limiting host broadcasts to smaller

network segments. §  Increase security by isolating some hosts to a specific segment or

limiting internetwork communication using firewall access controls. §  Enable proactive capacity planning based on projected growth of an

organization.


Subnet Address Determination

§  Determine how many subnets you need. §  Use that to determine how many bits to move the subnet mask.

Number of Bits (n)

Number of Subnets (2n)

1 2

2 4

3 8

4 16

5 32

6 64

7 128


Subnet Address Determination (Cont.)

Binary Bits for Network Number

Decimal Value of Network Number

172.16.00000000.00000000 172.16.0.0

172.16.00100000.00000000 172.16.32.0

172.16.01000000.00000000 172.16.64.0

172.16.01100000.00000000 172.16.96.0

172.16.10000000.00000000 172.16.128.0

172.16.10100000.00000000 172.16.160.0

172.16.11000000.00000000 172.16.192.0

172.16.11100000.00000000 172.16.224.0


Host Address Determination

§  To determine the host bits in a subnet mask, you need to know the number of hosts you will support on a subnet.

§  You use the standard formula of 2n-2, in which n represents the number of bits when calculating host bits.

§  In classful addressing two host IDs are reserved, which is why you subtract two from the initial calculation.

Number of Bits (n)

Number of Hosts (2n-2)

2 2

3 6

4 14

5 30

6 62

7 126

8 254


Host Address Range Determination

Network Host Address Range

172.16.0.0/19 172.16.0.1-172.16.31.254

172.16.32.0/19 172.16.31.1-172.16.63.254

172.16.64.0/19 172.16.64.1 - 172.16.64.254

172.16.96.0/19 172.16.96.1 - 172.16.96.254

172.16.128.0/19 172.16.128.1 - 172.16.128.254

172.16.160.0/19 172.16.160.1 - 172.16.160.254

172.16.192.0/19 172.16.192.1 - 172.16.223.254

172.16.224.0/19 172.16.224.1 -172.16.255.254


Supernetting

§  Supernetting performs the opposite operation of subnetting. §  Combine multiple small contiguous networks into a single large network. §  Supernetting, also known as classless interdomain routing (CIDR), allows

you to create a logical network for the number of hosts you require.


Supernetting (Cont.)

Combine the following networks: Network Network Range 192.168.14.0 192.168.14.1 - 192.168.14.255 192.168.15.0 192.168.15.0 - 192.168.15.255 192.168.16.0 192.168.16.0 - 192.168.16.255 192.168.17.0 192.168.17.0 - 192.168.17.254 Here is the resulting supernet: Network Supernet Mask Network Range 192.168.14.0/21 255.255.252.0 192.168.14.1 - 192.168.17.254


IPv4 Manual Configuration

§  Servers need static IPv4 configurations to enable clients to connect to them consistently.

§  You can maintain current and accurate documentation of the IPv4 addresses used for various services on your network.

§  Configure them using TCP/IP properties, netsh, or PowerShell.


IPv4 Automatic Configuration

§  Dynamic Host Configuration Protocol (DHCP) server enables you to configure TCP/IP addresses and other configuration options dynamically for large numbers of hosts on a network.

§  DHCP servers are configured with a scope or range of IPv4 addresses. §  Clients send out a broadcast request to a DHCP server to obtain an IPv4

address automatically. §  DHCP servers also may be configured with additional configuration

settings a client may require. §  Windows Server 2012 and Windows clients use automatic private IP

addressing (APIPA), which is a reserved address range of 169.254.0.0 to 169.254.255.255.


IPv4 Troubleshooting Tools

§  IPconfig §  Ping §  Tracert §  Pathping §  Route §  Telnet §  Netstat §  Resource Monitor §  Network Diagnostics §  Event Viewer


TCP/IP Troubleshooting Process

§  Identify the communication problem §  Does it affect only one or all hosts? §  If one host, it is likely a configuration problem on the host. §  If all hosts, it is likely a server configuration problem. §  Remote connectivity could be server configuration, network configuration, or

network device failure. §  For a local problem

§  Verify that the local host’s TCP/IP information is configured properly. §  Ping the loopback address: 127.0.0.1. §  Ping the local host’s router. §  Ping a remote host – check firewall policies, router configuration.


Best Practices for Implementing IPv4

§  Plan the subnet schema carefully and factor in future growth. §  Configure servers with static IPv4 configuration settings, and document

services running on specific servers as well as IPv4 settings. §  Deploy DHCP servers for dynamic addressing for clients. §  If designing the IPv4 address space for a new network, map out the

address ranges and subnets based on specific purposes and locations.



1. What benefits do you see in using private IP addresses for your corporate network?

2. Do you expect to use subnetting or supernetting at your workplace?


Configuring IPv6

§  Overview of IPv6 §  Implement IPv6 Addressing §  Implement IPv6 and IPv4 §  Transition from IPv4 to IPv6


IPv6 Overview

§  Solves the problem of shrinking IP address pools §  Solves many administrative inefficiencies cause by manual configuration


IPv6 Benefits

§  Extended address space §  Hierarchical addressing and router efficiency §  Stateless and stateful address auto-configuration §  Eliminates broadcasts §  Integrated security (IPSec) §  Integrated QoS §  Eliminates need for NAT


Comparing IPv4 and IPv6

Characteristic IPv4 IPv6

Addresses 32 bit 128 bit

IPSec support Optional Required

QoS Header does not include packet flow info for QoS

Header includes flow label field for QoS

Checksum Included Not included

Packet fragmentation

Both sending and receiving host fragment Sending host determines packet size

IGMP IGMP used to manage multicast membership Multicast Listener Discovery (MLD) determines multicast group membership

Router discovery Optional ICMPv6 Router Solicitation and Router Advertisement messages

Broadcasting Broadcast addresses used to send traffic to all hosts on a subnet

Broadcasting replaced by multicasting

ARP Resolves IP address to MAC address Multicast neighbor solicitation

Configuration Manual or DHCP Auto-configuration

Resource records Host (A) IPv6 Host (AAAA)


IPv6 Address Space

§  IPv4 address bit order, expressed as decimal and binary:

§  IPv6 uses 128-bit addresses – 4 times the length of IPv4. §  Separated into eight 16-bit blocks:


IPv6 Address Space (Cont.)

§  Converting from binary to hexadecimal for IPv6:

1. Take the first 16-bit block and break it into four groups of four bits as shown: 0010 0000 0000 0001 2. Convert each bit in a group from right to left, with 0 converting to 0, and 1 converting to its position value: 2001 3. Separate each converted block with a colon: 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A


The Hexadecimal Numbering System

§  Base 16 numbering system §  0 through 9, A through F

Binary Decimal Hexadecimal 0001 1 1 0010 2 2 0011 3 3 0100 4 4 0101 5 5 0110 6 6 0111 7 7 1000 8 8 1001 9 9 1010 10 A 1011 11 B 1100 12 C 1101 13 D 1110 14 E 1111 15 F


Zero Compression

§  Allows reduction of notation §  Adjacent zeros are compressed §  One or more blocks of zeros can be written as :: §  Only one set of :: in an address §  Single block of zeros can also be written as 0 Example: 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A After dropping lead 0s and using zero compression: 2001:DB8::2AA:FF:FE28:9C5A


IPv6 Prefixes

§  Network part of address §  Can be aggregated for route summarization

Category Prefix Hex Value Prefix Binary Value

Reserved - 0000 0000

Global unicast address 2 or 3 001

Link-local unicast addresses FE8 1111 1110 1000

Unique local unicast addresses

FD 1111 1100

Multicast addresses FF 1111 1111


Unicast Addresses

§  Global unicast address §  Public, routable, from an ISP

§  Link-local unicast addresses §  Automatically generated §  Non-routable §  Similar in function to IPv4 APIPA addresses

§  Unique local unicast addresses §  Routable within an organization §  Not routable on the Internet §  Similar in function to IPv4 private addresses


Zone ID

§  Relative to sending host §  Identifies the interface that is transmitting §  Syntax is address%zone_ID


IPv6 Address Auto-configuration

§  Automatic for IPv6-enabled hosts §  Stateless

§  Host auto-assigns link-local address §  Checks to see if link-local address is a duplicate §  Collects all valid prefixes advertised by adjacent routers §  Creates a global IPv6 address within each advertised /64 IPv6 prefix §  Uses either EUI-64 format or pseudo-random host ID as specified by RFC

§  Stateful §  Obtained from DHCPv6

§  Combination of stateless and stateful


Node Types

§  IPv4 only §  IPv6 only §  IPv6/IPv4 – Uses both IPv4 and IPv6 §  IPv4 – Uses IPv4; can be configured for IPv6 §  IPv6 – Uses IPv6; can be configured for IPv4


IPv6 over IPv4

§  Used in Windows 2008 and Windows 2012 §  Also called “6over4” §  A transition mechanism §  Does translations from IPv4 to IPv6 §  Uses multicast; both nodes and routers


Dual-Layer Architecture

§  Microsoft has dual IP layer §  Not dual IP stack §  Both IPv4 and IPv6 share same information in same TCP/IP stack §  Single shared implementation of TCP and UDP


DNS Requirements

§  Required for both IPv4 and IPv6 §  IPv4 Host record (A) §  IPv6 Host record (AAAA) §  PTR


Tunneling

§  ISATAP §  The 6to4 protocol §  Teredo


ISATAP

§  Transmits packets on top of IPv4 §  Treats IPv4 infrastructure as a non-broadcast multi-access network §  IPv6 address auto-configuration §  Queries DNS for address of ISATAP router §  ISATAP router encapsulates IPv6 into IPv4 packets §  Not “NAT friendly”


The 6to4 Protocol

§  Unicast connectivity between IPv6 across IPv4 §  IPv6 encapsulated in IPv4 §  Address format 2002:WWXX:YYZZ:Subnet_ID:Interface_ID §  Not “NAT friendly”


Teredo

§  A NAT traversal technology §  Full IPv6 connectivity to IPv6 hosts that are on an IPv4 network §  Encapsulates IPv6 in IPv4 UDP messages §  Clients are assigned an IPv6 address that starts with (2001:0::/32) §  Teredo server initially configures Teredo tunnel §  Teredo relay – remote end de-encapsulates Teredo tunnel


PortProxy

§  Transition mechanism §  Application gateway §  Proxies TCP traffic between IPv4 and IPv6 nodes §  Connection can be forwarded using the same or another protocol to the

specified port number §  Allows you to run IPv4 only services (like terminal services) over IPv6 §  The following nodes can access each other:

§  An IPv4-only node can access an IPv4 node. §  An IPv4 node can access an IPv6 node. §  An IPv6 node can access an IPv6 node. §  An IPv6 node can access an IPv4 node.


Migration Considerations

§  Application support §  Current routing infrastructure §  DNS infrastructure needs §  Supporting nodes §  Preparation and baselines §  Monitoring steps



1. Which benefits of IPv6 would be most important to your network? Which ones are not important to your network?

2. Would you run IPv4 and IPv6 concurrently? If so, which technology seems like a good choice for your network?

OV 7 - 1

Installing and Configuring DHCP

§  Install the DHCP Server Role §  Configure DHCP Scopes §  Manage a DHCP Database §  Secure and Monitor a DHCP Server

OV 7 - 2

Benefits of Automatic TCP/IP Configuration

§  Automatic IP addressing and other TCP/IP configuration settings §  The assurance of client configurations §  Flexible leasing durations §  Multiple configuration options §  Optional integration with other technologies such as DNS and Network

Policy Server §  Active Directory Domain Services (AD DS) authorization on AD DS

domains §  Automatic database backup §  Auditing and event monitoring

OV 7 - 3

PXE Boot Clients

§  Client boots from the network. §  Some clients do not yet have an operating system. §  DHCP starts the process of obtaining an operating system by providing

an IP address lease. §  Computers could be thin clients with no hard drive, or bare-metal boxes.

OV 7 - 4

DHCP Lease Process

§  The DHCP client broadcasts a DHCP discover packet. §  A DHCP server responds with a DHCP offer packet or a DHCP relay agent

forwards the packet to a DHCP server. §  The client receives the DHCP offer packet from the DHCP server(s). §  The client accepts the DHCP offer packet from the first DHCP server. §  The DHCP server assigns the client address, stores the client IP

information in its database, and issues the client a DHCP ACK (acknowledgement) message.

§  If the client does not get a response from a DHCP server: §  The client >= Windows 2000, it configures automatic private IP addressing (APIPA) in

the 169.254.0.0./16 range. §  The client is not a Windows client or <= Windows 2000, it will continue to broadcast

the DHCP discover packet until it receives a DHCP offer packet from a DHCP server.

OV 7 - 5

DHCP Relay Agents

§  Allows DHCP services to extend across multi-segmented IP networks. §  Routers block broadcasts, but RFC 1542–compliant routers can be

configured as BOOTP/DHCP relay agents to listen for DHCP requests and relay them to DHCP servers on different subnets.

§  You can configure a DHCP relay agent in Windows Server 2012 in Routing and Remote Access. Add the Remote Access role to any server that is not a DHCP server.

§  You cannot use the relay agent on a server that is running Network Address Translation (NAT) with automatic addressing enabled, or with Internet Connection Sharing (ICS).

OV 7 - 6

DHCP Server Authorization

§  For security, the DHCP Server service is integrated with Active Directory to require authorization for DHCP servers.

§  A DHCP server configured on a domain controller or that is a member of an AD DS domain queries Active Directory for a list of authorized servers identified by IP address.

§  If the server's IP address is not on the list, the DHCP server stops its startup sequence and shuts down.

§  A server that is configured with Windows Server 2012 and hosts a DHCP server, but that is not joined to the Active Directory domain can still be authorized.

§  The DHCP server on the standalone machine queries the Active Directory root domain for the list of authorized servers, and if it is authorized, it starts the DHCP service.

OV 7 - 7

DHCP Scopes

§  IPv4 scope properties: §  The scope name §  The IP addresses available for lease §  The subnet mask §  The lease duration §  Exclusions, which are addresses not offered for lease §  Reservations, which predefine the relationship between an IP address and a

machine's media access control (MAC) address §  Ensures that a DHCP client always receives the same address for which it is reserved §  Options, which may be configured to provide information to specific clients

§  IPv6 scope properties:

§  The scope name and description §  The IPv6 prefix §  Exclusions, which are addresses not offered for lease §  Preferred lifetime, which is the lease duration §  Options, which may be configured to provide information to specific clients

OV 7 - 8

DHCP Reservations

§  Predefines relationship between an IP address lease and the device’s MAC address

§  Ensures the device will always receive the same IP address from DHCP

OV 7 - 9

DHCP Options

§  Server level options apply to all scopes defined on a DHCP server. §  Scope level options apply to all clients that receive a lease from a specific

scope. §  Class level options apply only to those clients identified as a specific user

or vendor class. §  Reservation level options apply to one reserved DHCP client.

Option Code Name

1 Subnet Mask

3 Router

6 DNS Server

15 DNS Name

31 Router Discovery

33 Static Route

44 WINS Server

46 WINS/NetBIOS Node Type

47 NetBIOS Scope ID

OV 7 - 10

Policy Address Assignment

§  Windows Server 2012 includes a new policy-based IP address assignment feature for DHCP server.

§  This feature, which is integrated with Network Policy Server, enables you to group DHCP clients and define them based on a set of attribute criteria to customize IP address leasing and configuration settings to that group.

§  You can use the address assignment policies to differentiate between client types.

§  Address assignment policies are set at the server level and scope level.

OV 7 - 11

The DHCP Database

OV 7 - 12

DHCP Database Backup

§  Two methods: §  Automatic backup runs at 60-minutes intervals (synchronous) §  Manually performed by a network administrator (asynchronous)

§  Both methods back up the entire database: §  All scopes §  Leases §  Reservations

§  Options at all levels: server, scope, reservation, and class §  Registry keys and other pertinent configuration settings such as audit log

settings and folder locations that have been set in DHCP server properties:

§  Settings are stored in the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

OV 7 - 13

DHCP Database Restoration

§  Restore a DHCP backup using the DHCP management console. §  If no backup exists, you’ll have to rebuild the scope, delete any client

leases, and force all clients to reboot.

OV 7 - 14

DHCP Database Reconciliation

§  Reconciling the database can fix scope inconsistencies such as an incorrect configuration for a DHCP client IP address that is stored in scope information.

§  The DHCP Server service stores summary and detailed IP address information in the DHCP database.

§  When the server reconciles scopes it compares the summary and detailed entries to find inconsistencies.

§  After reconciliation of any scope inconsistencies, the DHCP server either restores the IP addresses to the original lease owners, or creates a temporary reservation for those addresses.

§  Reconcile DHCP on a per-scope basis by right-clicking the scope and selecting Reconcile.

OV 7 - 15

Move a DHCP Database

§  Back up the DHCP database and restore it on the other server. §  Use the netsh dhcp command to export and import the settings:

§  netsh dhcp server export <file_name>.txt all §  netsh dhcp server import <file_name>.txt all

OV 7 - 16

DHCP Security Concerns

§  An unauthorized (rogue) DHCP server could give clients improper leases. §  Unauthorized clients could obtain a DHCP lease from a server and access

the network. §  A DHCP server could run out of available addresses, effectively halting

service availability.

OV 7 - 17

DHCP Activity and Audit Logs

§  Enable DHCP logging for suspicious activities. §  Analyze logs regularly. §  Server logging requires Administrator permissions or membership in the

DHCP Administrators group. §  View logs in %systemroot%\System32\dhcp. §  Logs have the name DhcpSrvLog-<day-of-week>.log.

OV 7 - 18

Audit Log Fields

Audit Log Field Description

ID DHCP server event ID

Date Date of log entry on the DHCP server

Time Time of log entry on the DHCP server

Description Description of the DHCP server event

IP Address IP address of the DHCP client

Host Name Host name of the DHCP client

MAC Address MAC address of client's network adapter

OV 7 - 19

Common Event Codes

DHCP server audit logs are located by default in the %systemroot\System32\dhcp folder.

Event ID Description

00 The log started.

01 The log stopped.

02 The log was temporarily stopped due to low disk space.

10 A new IP address was leased to a client.

11 A lease was renewed by a client.

12 A lease was released by a client.

13 An IP address was found in use on the network.

14 A lease request could not be satisfied because the address pool of the scope was exhausted.

15 A lease was denied.

20 A Bootstrap Protocol (BOOTP) address was leased to a client.

OV 7 - 20

Network Access Protection and DHCP

§  Network Access Protection (NAP) is an infrastructure that requires clients to prove system health before they are permitted to connect to the network.

§  DHCP can be configured to be a NAP enforcement point on a per-scope basis, refusing to grant an IP lease to a non-compliant client.

§  Configure DHCP for NAP enforcement in the scope properties.

OV 7 - 21

Client Configuration Settings for NAP

Setting What’s Important

NAP Agent Service This service must be running in order for a client to be NAP-capable.

IP Address Configuration The client must be configured to obtain an IPv4 address automatically.

DHCP Enforcement Client This is enabled through policy settings, either group policy or the local policy settings. If both settings are configured, group policy settings take precedence.

System Health Agents No configuration is necessary to use Windows System Health Validators (SHVs).

OV 7 - 22

Unauthorized Servers

§  An unauthorized server is considered to be a rogue server that must be located on the network and either be disconnected from the network or have the DHCP service disabled.

§  Ensure the DHCP server is authorized and check its IP address against the list of valid IP addresses.

§  If the IP address used by server is not on the list, decommission the server on the network.

OV 7 - 23

DHCP Administration Delegation

§  Restrict membership of the DHCP Administrators group as much as possible.

§  Any DHCP administrator can manage the DHCP Server service. §  Those who require only read access should be assigned membership in

the DHCP Users group.

OV 7 - 24


1. In your environment, do you envision needing more than one DHCP scope?

2. In your environment, do you envision yourself using DHCP as a NAP enforcement point? Why or why not?


Installing and Configuring DNS

§  Overview of DNS §  Install and Configure the DNS Server Role


Introduction to Name Resolution

§  Converts alphanumeric computer names to IP addresses. §  Clients rely on the Domain Name System (DNS) to locate computers and

services on the network. §  DNS forms a logical tree structure hosted by and distributed across

physical servers. §  On an internal network, DNS integrates with Active Directory. §  Active Directory mirrors the hierarchical DNS logical structure called the

DNS namespace.


Computer Names

§  The term "computer names" is a catchall used to talk about the name you assign to a computer.

§  A NetBIOS name is a 16-character (byte) name that identifies NetBIOS resources on the network:

§  The first 15 characters of the name identify the computer name, such as wkstnsales1.

§  The sixteenth character identifies the resource—such as an application—that is written to work with NetBIOS.

§  NetBIOS names form a flat namespace in which every name must be different. §  The host name is the first label of a fully qualified domain name (FQDN),

which is a DNS name that uniquely identifies a computer in the DNS namespace

§  A valid FQDN must adhere to specific rules: §  Use up to 255 characters. §  Use any combination of letters A-Z, a-z. §  Use any numbers from 0 to 9. §  Use hyphens (-) and periods. §  Use dots (.) to identify domain levels in an FQDN.


What Is DNS?

§  DNS is a hierarchical distributed naming system for computers, services, or any resources connected to the Internet or a private network. DNS forms a logical tree structure hosted by and distributed across physical servers.

§  DNS translates domain names to IP addresses.


Domain Name Levels

Logical structure:

Name Description

Root level The top of the namespace hierarchy, represented on the Internet by a dot (.).

Top level Represents a type of domain name. The Internet uses .com, .gov, .edu, .org, .biz, as well as extensions for other organizational entities and countries.

Second level Represents domain names for organizations (for example, microsoft.com, logicaloperations.com).

Subdomain Represents additional names appended to the second-level domain name to identify an organization's departments or geographic locations.

Host Represents a leaf in the DNS name tree and refers to a specific computer on an organization's network.


DNS Zones

§  A DNS zone is a specific, contiguous portion of the DNS namespace. A DNS database can be partitioned into multiple zones.

§  The zone on a DNS server contains resource records, which contain information about all of the network host names that end with the zone's root domain name.

§  A DNS zone is responsible for responding to queries for resource records in a specific domain.


Forward Lookup Zones


New Zone Wizard


Reverse Lookup Zones


Creating a Reverse Lookup Zone


DNS Resource Records

Resource Record Type Description

Start of Authority (SOA)

Indicates the DNS server that either created the record or that currently is the authoritative server for the zone.

Host (A) Contains the name of the host and its IP address. Used to resolve a host name to an IP address. The most common resource record found in a forward lookup zone.

Name Server (NS) Identifies the name servers listed in the DNS database for a specific zone.

Service (SRV) Specifies which resources perform a service.

Mail Exchanger (MX) Specifies the resources available for Simple Mail Transport Protocol (SMTP). Allows for mail exchange.

Pointer (PTR) Used in reverse lookup operations to map an IP address to a host name.

Canonical (CNAME) Specifies an alias name. These records allow you to use more than one name to point to a single host.

AAAA Maps an IPv4 IP address into a 128-bit address.


DNS Name Resolution Process

1. A network client sends a query to its local DNS server for the IP address of a web server.

2. The local DNS server checks its zone records and then its local cache to see if it has the record.

3. If the local DNS server does not have the record, it checks to see if it is configured to use a forwarder (another DNS server).

4. If it is configured to use a forwarder, it forwards the client query to the forwarder.

5. If it is not configured to use a forwarder, it checks to see if it has root hints (a list of root DNS servers).

6. If it has root hints, it begins an iterative search of the DNS tree, starting at the root, working its way down the tree, until if finds the desired record.

7. Upon finding the record, the DNS server returns the record to the client, caching a copy for future use.


DNS Components

§  DNS server §  A server service that resolves names to IP addresses. §  It responds to resolver queries, providing the record if it has it, or fetching the record

from other DNS servers if it does not.

§  DNS resolver §  A DNS client that needs to resolve a name to an IP address, and so queries a DNS

server for the information. §  A DNS server can also be a resolver, querying other DNS servers on behalf of the

client.


DNS Zone Types

§  Primary zone §  Secondary zone §  Stub zone §  Active Directory–integrated zone


Primary Zones

A primary zone on a DNS server contains a writeable (master) copy of all zone data.


Secondary Zone

§  A secondary zone is a read-only copy of the DNS zone. §  It replicates on a regular interval with either the primary or another

secondary DNS server.


Stub Zone

§  A stub zone is a tiny, non-authoritative representation of a zone. §  It contains records of authoritative nameservers, and refers clients to

those nameservers. §  The stub zone replicates with the authoritative zone, receiving updates

the nameserver records, but no host records.


Active Directory–Integrated Zone

§  A zone hosted on Active Directory domain controllers. §  Each copy of an Active Directory-Integrated zone is writeable (multi-

master). §  Active Directory–Integrated zones can be configured for Secure Dynamic

Updates, requiring hosts to authenticate before they can register their records in DNS.

§  The zone replicates as part of Active Directory replication. §  The zone is stored in the Active Directory database, protecting it from

unauthorized access or tampering.


Dynamic Updates

§  DNS clients can register and update their resource records with a DNS server whenever changes occur.

§  The Dynamic Host Configuration Protocol (DHCP) client service performs registration updates for clients with a leased IP address from a DHCP server and for clients with static IP configurations.

§  Clients register when certain events occur: §  When a client's IP address is added, configured, or changed. §  When the client starts and the DHCP client service starts.


DNS Queries

§  DNS queries are lookup requests for specified DNS resource records §  An authoritative response means that the DNS server returns an answer it

knows to be correct because the DNS server has a copy of the zone §  A non-authoritative response means that the DNS server must query

other DNS servers and cache the response §  DNS servers use forwarders, conditional forwarders and root hints to find

records that they do not already have §  Recursive queries usually are performed by resolvers that need a name

resolved fully in the response. §  Iterative queries require the DNS server either to return the best answer

available based on its zone and cache information or to respond with a referral, which is a pointer to a DNS server that may have the correct data.


Root Hints

§  Root hints is a file that contains the names and IP addresses of the DNS root servers.

§  If you choose to simulate the Internet in a lab, you should designate one DNS server to be the root, and then on all the other DNS servers remove all the root hints and add your own.

§  On the designated root, create only a single standard primary zone with the name "."

§  Any DNS server configured to be a root will automatically have its Root Hints tab disabled.

§  The safest way to modify the original root hints file, cache.dns, is in the DNS server Properties on the Root Hints tab.


DNS Forwarding

§  If a resolver sends a query that a DNS server cannot resolve locally, the DNS server can send the query to a DNS server configured as a forwarder.

§  A DNS server configured to use a conditional forwarder forwards DNS queries according to the query's DNS domain name.


DNS Caching

§  When a DNS server resolves a DNS name query successfully, it caches the name and IP information for future use.


The DNS Server Role

§  Windows Server 2012 does not install the DNS Server role as part of the operating system's initial configuration setup.

§  It is a simple procedure to install the DNS service via the Server Manager console using the Add Roles and Features Wizard.

§  You can add the DNS Server role when you install AD DS and promote the server to a domain controller, or you can install the DNS Server role using the following PowerShell command:

§  Install-WindowsFeature DNS



1. In your environment, do you foresee the need to use stub zones? Why or why not?

2. In your environment, will you configure your DNS server to use a forwarder? Why or why not?


Configuring Storage Spaces and File and Print Services

§  Design and Implement Storage Spaces §  Secure Files and Folders §  Configure Offline Files and Shadow Copies §  Implement Network Printing


Disk Types

§  IDE §  EIDE §  SATA §  SCSI §  SAS §  SSD


Network Storage Devices

§  Direct attached storage (DAS) §  Network attached storage (NAS) §  Storage area networks (SANs)


RAID Types

§  RAID 0: Striping §  RAID 1: Mirroring §  RAID 3 and 4: Striping with dedicated parity §  RAID 5: Striping with distributed parity §  RAID 6: Striping with dual parity §  RAID 0+1: Striping and mirroring disk sets §  RAID 1+0 (or RAID 10): Mirroring and striping


Partition Table Formats

§  Master Boot Record (MBR) partition tables §  GUID partition table (GPT)


Basic and Dynamic Disks

§  Basic disks support traditional partitions: §  Up to four primary partitions §  One extended partition with logical drives

§  Dynamic disks can host volumes that span or are striped across multiple disks:

§  Simple volume §  Spanned volume §  Striped volume (RAID 0) §  Mirrored volume (RAID 1) §  Striped volume with parity (RAID 5)


Required Volumes for Server 2012

§  System volume – contains the Windows operating system §  Boot volume – stores files necessary to begin the boot process


Partition Types

§  Primary §  Extended §  Active §  Logical


File Systems

§  FAT §  FAT32 §  NTFS §  ReFS


What Is ReFS?

§  Resilient File System §  New for Windows Server 2012 §  Advantages include:

§  Metadata integrity with checksums §  Integrity streams with user data integrity §  Allocation on write transactional model §  Large volume, file, and directory sizes (278 bytes with 16-KB cluster size)

§  Storage pooling and virtualization §  Data striping for performance and redundancy §  Disk scrubbing for protection against latent disk errors §  Resiliency to corruptions with recovery §  Shared storage pools across machines


Mount Points

§  A physical location in the directory structure on which you graft—or mount—the root directory of another volume.

§  A mount point is an empty folder that is used as a link to another volume. §  It has its own file system, permissions, and quotas. §  Mount points are useful when:

§  You’re running out of disk space and you would like to add space without modifying the folder structure or the disk structure, so you configure a folder to point to another hard disk.

§  You are running out of available letters to assign partitions or volumes, so instead you use a directory name.

§  You need to separate disk I/O within a folder structure. Perhaps you have an application that needs to be within a particular directory structure but requires an intensive amount of disk I/O.


Links

§  Another name for a file or directory §  Similar to, but not exactly the same as, a shortcut §  Can be understood by applications that do not understand shortcuts §  Can be created using the mklink command


Volume Size Management

§  Extend or shrink NTFS volumes §  Extend, but not shrink, ReFS volumes §  Can modify the volume using these tools:

§  Disk Manager §  Diskpart.exe §  Resize-Partition cmdlet


Storage Management and Advanced Options

§  Virtualize storage using Storage Spaces. §  Select any type of available physical disks and add them to a storage

pool. §  Create virtual disks from storage pools. §  Storage can be allocated dynamically.


Storage Spaces


NTFS Permissions

§  For files: §  Read §  Write §  Read & execute §  Modify §  Full control §  Special permissions

§  For folders: §  Read §  Write §  Read & execute §  Modify §  Full control §  List folder content §  Special permissions


Permissions Inheritance

§  NTFS permissions flow down from parent to child. §  To block inheritance, select “This folder only” on the parent. §  Top level permissions are set at the volume level. §  If “Allow” or “Deny” check boxes are shaded, the permissions have been

inherited.


Effective Permissions

§  Permissions are cumulative: §  Adds all permissions from all of a

user’s group memberships §  Deny overrides all.


Shared Folders

§  Allows users and groups to have access to a folder and its contents, or to an entire drive.

§  SMB or NFS. §  Share a folder or an entire drive. §  Has an access control list. §  Share permissions are generally broader and more permissive. §  NTFS permissions refine and narrow the share permissions.


Access-Based Enumeration

§  First available as a downloadable package for Windows Server 2003 §  Now included with Windows Server 2012 §  Displays only the files and folders that a user has permissions to access §  Only active when viewing files in a shared folder, not on the local file

system


Configuring Access-Based Enumeration


Offline Files

§  Enables users to access network files even when a network connection is not available, or is slow or inconsistent

§  Creates a local copy of the network file §  Offline Mode is activated when:

§  Always Offline Mode is enabled. §  The server is unavailable. §  The network connection is slower than a configurable threshold. §  The user selects the Work Offline button in Windows Explorer.


Shadow Copies

§  Provides a copy of a shared folder or file at a specific point in time §  Can have multiple shadow copies of the same folder or file §  Enables users to:

§  Recover accidentally deleted files. §  Recover accidentally overwritten files. §  Compare versions of a file to view the changes that have been made.


Easy Print

§  Proxy for every print job §  Redirects all printing-related jobs back to the user’s local machine §  No need to install any print drivers on the RDP server §  Converts legacy GDI print jobs to XPS §  Can be configured in client printer properties §  Can also be configured using Group Policy


Network Printing

§  Local print device – physically attached to a computer §  Network print device – set up for remote access over the network


Printer Pooling

§  Combines multiple physical printers into a single logical unit §  Increases availability and scalability §  Requires that all printers use the same driver §  Requires that all printers are in the same location §  Works best when all printers are like models and have like configurations


Branch Office Direct Printing

§  Enables clients to print directly to network printers shared on a centralized print server

§  Print job is sent directly to branch office printer §  Requires Windows Server 2012 and Windows 8



1. Do you expect to use shadow copies in your work environment? Why or why not?

2. How will Windows Server 2012 printing options help your network? What is more useful to you: Branch Office Direct Printing or printer pooling?


Configuring Group Policy

§  Create Group Policy Objects §  Group Policy Processing §  Implement a Central Store


What Is Group Policy?

§  Configuration settings that enable you to modify registry settings on computers in an Active Directory domain.

§  Settings are combined into Group Policy Objects (GPOs). §  Applied to users, groups, and computers by linking the GPO to an OU.


Group Policy Management Console


Group Policy Management Editor


Group Policy Management from Active Directory Management


Group Policy Storage

§  Group Policy templates §  Group Policy containers


Creating a New GPO


GPO Scope


Configure GPO Settings


Windows Registry Key Permissions


GPO Context Menu


GPO Linking

§  A GPO must be linked to an Active Directory container to take effect. §  You can use the GPMC or PowerShell to link GPOs. §  Child containers and objects inherit Group Policy settings from the parent

container.


Detecting GPO Status


Group Policy Preferences

§  Extensions that expand configurable settings §  Are not enforced §  Can be used to create and manage items on the targeted computer


Default Domain Controllers Policy


Starter GPOs


GPO Delegation


GPO Processing

§  GPO settings are applied to a computer at startup. §  GPO settings are applied to a user at logon. §  Most GPO settings are refreshed in the background:

§  Every 90 minutes on clients §  Every 5 minutes on domain controllers

§  Policies are applied in order: §  Local Policy §  Site §  Domain §  OU §  Child OU

§  Conflicting settings are overwritten as policies are processed.


Group Policy Filtering

§  GPO requires two permissions to apply: §  Allow Read §  Allow Apply Group Policy

§  You can set permission to “Deny Apply” to exempt a user, group, or computer from receiving the permissions.


Group Policy Modeling Wizard


Group Policy Modeling Wizard Report


The Central Store

§  A single location to keep GPO templates §  Simplifies GPO management for administrators who edit from their own

workstations


Central Store Creation

§  Physically copy the PolicyDefinitions folder and all its contents from C:\Windows\PolicyDefinitions on a client.

§  Copy the templates to C:\Windows\SYSVOL\sysvol\<domain_name>\Policies on the domain controller.

§  The central store will be automatically detected and used by clients.


Administrative Templates

§  Composed of ADMX and ADML files. §  Contain the registry settings to be modified by Group Policy. §  Each new version of a Microsoft operating system introduced its own

administrative templates.


Managed and Unmanaged Policy Settings

§  Managed policy settings: §  Controlled by Group Policy service §  Removed if out of scope §  Have a locked UI §  Shown by default in the GPME

§  Unmanaged policy settings: §  Not controlled by Group Policy service §  Not removed if out of scope §  Do not have a locked UI §  Hidden by default in the GPME



1. How do you think using GPOs for firewall settings would improve security in your network?

2. Will creating and filtering GPOs to refine who they are applied to help you as a network administrator? Why?


Securing Windows Servers

§  Analyze Security §  Configure Windows Server User Security §  Configure Windows Server Software Security §  Configure Windows Firewall


Security Risks

§  Confidentiality – an unauthorized person might access data. §  Integrity – unauthorized changes might be made to the data. §  Availability – data might not be available when needed.


Security Measures

§  Individual firewalls §  Access control lists §  Backup and restore procedures in place §  Physical security §  Training


Best Practices

§  Apply patches in a timely manner. §  Use the principle of least privileges. §  Restrict console logon. §  Restrict physical access.


User Rights

§  Determine the actions a user can perform within the operating system. §  Use secpol.msc to set user rights locally. §  Use Group Policy to set user rights in a domain. §  Common user rights:

§  Add workstation to domain §  Allow log on locally §  Allow log on through Remote Desktop Services §  Back up files and directories §  Change the system time §  Force shutdown from a remote system §  Shut down the system


Security Tools

§  secpol.msc §  secedit.exe §  GPMC §  Security Templates §  Security Configuration and Analysis §  Security Configuration Wizard (SCW) §  Security Compliance Manager (SCM)


UAC

§  UAC prompts the user for administrator credentials. §  By default, both standard users and administrators run applications as a

standard user. §  There is no UAC prompt if you are logged in as the built-in administrator.


User Account Control Settings


Account Policies

§  Password policy §  Account lockout policy §  Kerberos policy


Local Security Policy


Restricted Groups

§  Manages group membership automatically. §  You define who should and should not be a member of the group. §  If someone else changes the membership, it gets changed back on policy

refresh.


Security Templates

§  Three default security templates in Windows Server 2012: §  Defltbase.inf §  Defltsvc.inf §  Defltdc.inf

§  You can create a blank template and configure: §  Account policies §  Local policies §  Event Log §  Restricted Groups §  System Services §  Registry §  File System


Security Template Distribution

§  secedit.exe §  Security Template snap-in §  Security Configuration Wizard §  Group Policy §  Security Compliance Manager


Auditing

§  Log security-related events. §  View events in the Security log of Event Viewer.


Dynamic Access Control

§  Automatically or manually classify files. §  Tag data in file servers across the organization. §  Control access to files by deploying Central Access Policies. §  Apply Rights Management Services (RMS) to automatically encrypt

sensitive Microsoft Office documents.


Software Restriction Policies


Software Restriction Policy Configuration


AppLocker

§  Applies Application Control Policies §  New capabilities to control how users can access and use executables §  AppLocker rules are defined based on:

§  Publisher name §  Product name §  File name §  File version


Defining AppLocker Settings


AppLocker Enforcement


Windows Firewall with Advanced Security

§  Stateful, host-based firewall that allows or blocks network traffic §  Provides enhancements to the original Windows Firewall:

§  Separate inbound and outbound rules that the administrator can configure §  Integrated firewall filtering and IPSec protection settings §  Network location–aware profiles §  The ability to import and export policies

§  Can be configured using a number of tools: §  Windows Firewall with Advanced Security console in Server Manager Tools §  Windows Firewall with Advanced Security MMC snap-in §  secpol.msc §  Group Policy §  netsh advfirewall command §  PowerShell *-NetFirewall* cmdlets


Windows Firewall with Advanced Security Console


Inbound and Outbound Rules


New Connection Security Rule Wizard


Firewall Profiles

§  Domain §  Public §  Private



1. In what ways do you think User Account Control enhances security? 2. Will AppLocker benefit your network's security, and if so, how?


Installing and Configuring Virtual Servers and Clients

§  Identify Virtualization Solutions §  Implement Hyper-V §  Configure Hyper-V §  Manage Virtual Networking


Hyper-V Benefits

§  Invisible to users §  Different operating systems for guest machines §  More efficient use of hardware §  Simplified server deployment §  Virtual machine templates


MED-V and Compatibility Mode


VDI

§  Runs desktop in a server-based virtual machine §  Makes it easy to deploy new desktops, complete with software §  Offers the following benefits:

§  Includes a scenario deployment tool that you can use to automate the configuration and deployment of virtual machines and sessions

§  Standardizes and helps you automate common VDI maintenance tasks such as updates and patching

§  Provides simplified single sign-on that reduces the number of password prompts for each user

§  Creates a historic view of resources assigned to users, along with the ability to change or edit properties of published resources

§  Includes Windows PowerShell scripts that you can use to automate deployment and configuration tasks


VDI and Remote Desktop


Presentation Virtualization

§  Allows you to keep data in a central location, not on the PCs §  Many technologies available:

§  Remote Desktop Services §  Full Desktop with RDC §  Application using RemoteApp §  Remote Access through Remote Desktop Gateway §  Terminal Services


Application Virtualization

§  Very similar to desktop virtualization. §  Only a single application is virtualized. §  Offers the following benefits:

§  Application isolation §  Application portability §  Application versions on one computer


Hyper-V Overview

§  Hardware virtualization role in Windows Server 2012. §  Can run on full GUI or Server Core. §  Guest virtual machines run as child partitions on the host. §  Requires x64 platform that supports virtualization. §  Provides the following virtual hardware:

§  BIOS §  RAM §  Processor §  IDE Controller 0 §  IDE Controller 1 §  SCSI Controller §  Network Adapter §  COM 1 §  COM 2 §  Diskette drive


Dynamic Memory

§  Hyper-V allows memory needed by VMs to be allocated and de-allocated dynamically.

§  Smart Paging uses disk space when there isn’t enough physical RAM for a guest VM restart.


Start and Stop Actions

§  You can configure the following Hyper-V start actions: §  Do nothing. §  Automatically start if it was running when the VM service stopped. §  Always start the VM.

§  You can configure the following Hyper-V stop actions: §  Save the state of the VM. §  Turn off the VM. §  Shut down the virtual operating system.


Integration of VMs and Hosts

§  Install integration services in the guest OS. §  Installed already in Windows Server 2012 and Windows 8. §  The following can be integrated:

§  Operating system shutdown §  Time synchronization §  Date exchange §  Heartbeat §  Backup (volume snapshot)


Hyper-V Memory Management


Virtual Hard Disks

§  New VHDX format §  Can still use VHDs §  Can convert VHDs to VHDX


Differencing Disks

§  Stores changes only from original disk. §  Saves space. §  Base disk (aka master or parent) provides a read-only, sysprepped OS. §  Have a differencing disk for every different VM on top of the base. §  Changes to the parent will change all the children.


VM Snapshots

§  Point-in-time copy of a virtual machine §  Used to roll a VM back to a previous state §  Can be exported from one VM and imported to another VM


Pass-Through Disks

§  Physical disk the guest VM can directly access §  Can be directly attached or a SAN LUN §  Must be placed in an offline state from the host server’s perspective §  Cannot be dynamically expanded §  Cannot have snapshots §  Cannot use differencing disks


Resource Metering

§  Monitor Hyper-V resources. §  Create cost-effective, usage-based billing solutions. §  You can monitor:

§  Average GPU use §  Memory use (average, minimum, and maximum) §  Maximum disk space allocation §  Incoming network traffic for a network adapter §  Outgoing network traffic for a network adapter


Network Virtualization

§  Isolate VMs that share the same host. §  Each VM has two addresses:

§  Customer IP address assigned to the VM by customer §  Provider IP address assigned to VM by provider for management

§  Virtualization can be configured as: §  Virtual switches, connecting different VM adapters to the switches §  VLANs to extend segmentation to hardware switches that support VLANs


Types of Virtual Switches

§  External – shares a physical network adapter §  Internal – communicate between the VMs and the host §  Private – communicate between the VMs, but not with the host


MAC Addresses

§  Uniquely identify the network card §  Must not be duplicated §  Are automatically generated §  Can easily be changed manually on a VM interface


Virtual Network Adapters

§  Network adapter: §  Formerly known as a synthetic network adapter §  Specifically designed for VMs to significantly reduce CPU overhead during network

I/O §  Uses shared memory on the VM bus for more efficient data transfer §  Has significantly better performance than the legacy adapter

§  Legacy adapter: §  Formerly known as an emulated network adapter §  Simulates a hardware network interface card §  May be required to boot VM from network



1. Consider how MED-V would improve your network’s security and administrative efficiency. Would your end users benefit from virtual desktops they could access from anywhere within the network?

2. Consider your network needs. Is a cloud solution like Azure

best for your network? If so, how would you implement the cloud? What things would you want to virtualize in the cloud?

2640 12299 itu notes windows server 2012 installation and configuration

Documents