
Microsoft 70-412

Configuring Advanced Windows Server 2012 Services


ABOUT THE EXAM
The Microsoft 70-412 is part three of a series of three exams that test the skills and knowledge necessary to administer a Windows Server 2012 infrastructure in an enterprise environment. Passing this exam validates a candidate's ability to perform the advanced configuration tasks required to deploy, manage, and maintain a Windows Server 2012 infrastructure, such as fault tolerance, certificate services, and identity federation. Passing this exam along with the other two exams confirms that a candidate has the skills and knowledge necessary for implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.

Six major topics make up the Microsoft 70-412 certification. The topics are as follows:
Configure and manage high availability
Configure file and storage solutions
Implement business continuity and disaster recovery
Configure network services
Configure the Active Directory infrastructure
Configure identity and access solutions

This guide will walk you through all the skills measured by the exam, as published by Microsoft.

OBJECTIVES

CHAPTER 1: CONFIGURE AND MANAGE HIGH AVAILABILITY
1.1 Configure Network Load Balancing
1.2 Configure failover clustering
1.3 Manage failover clustering roles
1.4 Manage Virtual Machine (VM) movement

CHAPTER 2: CONFIGURE FILE AND STORAGE SOLUTIONS
2.1 Configure advanced file services
2.2 Implement Dynamic Access Control (DAC)
2.3 Configure and optimize storage

CHAPTER 3: IMPLEMENT BUSINESS CONTINUITY AND DISASTER RECOVERY
3.1 Configure and manage backups
3.2 Recover servers
3.3 Configure site-level fault tolerance

CHAPTER 4: CONFIGURE NETWORK SERVICES
4.1 Implement an advanced Dynamic Host Configuration Protocol (DHCP) solution
4.2 Implement an advanced DNS solution
4.3 Deploy and manage IPAM

CHAPTER 5: CONFIGURE THE ACTIVE DIRECTORY INFRASTRUCTURE
5.1 Configure a forest or a domain
5.2 Configure trusts
5.3 Configure sites
5.4 Manage Active Directory and SYSVOL replication

CHAPTER 6: CONFIGURE IDENTITY AND ACCESS SOLUTIONS
6.1 Implement Active Directory Federation Services 2.1 (AD FS v2.1)
6.2 Install and configure Active Directory Certificate Services (AD CS)
6.3 Manage certificates
6.4 Install and configure Active Directory Rights Management Services (AD RMS)

CHAPTER 1: CONFIGURE AND MANAGE HIGH AVAILABILITY

1.1 CONFIGURE NETWORK LOAD BALANCING (NLB)

Install NLB nodes

Round-robin load balancing is a DNS service feature. It works by cycling through the IP addresses that correspond to a server group. Hardware load balancers are dedicated devices for routing TCP/IP packets to the various servers within a cluster. Software load balancers are usually options that ship with expensive server application packages. Software-based solutions usually cost less but are often application-specific.
Windows Server 2012 can balance load requests across the cluster; you can have a maximum of 32 computers in a cluster. To set up such a cluster, all participating hosts must stay in the same subnet.

Configure NLB prerequisites

NLB does not allow multicast and unicast to be mixed within one cluster. To run in unicast mode, the network adapter must allow its MAC address to be changed. Only TCP/IP can be used on the participating adapter, and the IP addresses of the participating servers must NOT be dynamic.

Configure affinity

Affinity is a parameter for the Multiple host filtering mode only. None means multiple connections from the same client can be processed by different cluster hosts. Single means multiple requests from the same client should be directed to the same cluster host only. Class C affinity means multiple requests from the same TCP/IP Class C address range will be directed to the same cluster host. This option is needed if your clients are using multiple proxy servers to access the cluster.

Configure port rules

You use port rules to control how the cluster network traffic is handled. There are 3 different filtering modes, and you can have a maximum of 32 port rules per NLB cluster. Multiple host provides scaled performance and fault tolerance. Single host provides port-specific fault tolerance. Disable blocks all network traffic addressed to a specific range of ports.

Configure cluster operation mode

The cluster operation mode is either unicast or multicast (multicast is not enabled by default). If multicast is turned on, the cluster MAC address will be converted into a multicast address, and you will be allowed to use IGMP. Internet Group Management Protocol (IGMP) support is useful for limiting switch flooding.
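The affinity, port rule and operation mode settings above, applied with the NetworkLoadBalancingClusters module. This is an added example, not code from the guide; the cluster name, virtual IP, adapter name and second host name are assumed values.

```powershell
# Added example: build a two-host NLB cluster in IGMP multicast mode with a single
# HTTPS port rule (Multiple host mode, Single affinity) and block every other port.
Import-Module NetworkLoadBalancingClusters

$ClusterName = 'web-nlb'        # assumed
$ClusterVip  = '192.0.2.50'     # assumed cluster (virtual) IP; must be a static address
$SubnetMask  = '255.255.255.0'
$Interface   = 'Ethernet'       # assumed adapter name; every host must be in this subnet

# Prerequisite check: the adapter that joins the cluster must not be DHCP-assigned.
$nic = Get-NetIPInterface -InterfaceAlias $Interface -AddressFamily IPv4
if ($nic.Dhcp -eq 'Enabled') {
    throw "Interface $Interface uses DHCP; NLB hosts need static IP addresses."
}

# Create the cluster on the local host. IgmpMulticast converts the cluster MAC to a
# multicast address and uses IGMP so switches flood only the ports that joined the group.
$cluster = New-NlbCluster -InterfaceName $Interface -ClusterName $ClusterName `
    -ClusterPrimaryIP $ClusterVip -SubnetMask $SubnetMask -OperationMode IgmpMulticast

# Add a second host (maximum 32 per cluster). Mode cannot be mixed per host.
$cluster | Add-NlbClusterNode -NewNodeName 'web02' -NewNodeInterface $Interface | Out-Null

# Replace the default all-ports rule: HTTPS in Multiple host mode with Single affinity,
# so all requests from one client IP keep landing on the same host (TLS session reuse).
$cluster | Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
$cluster | Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP `
    -Mode Multiple -Affinity Single | Out-Null

# Everything else addressed to the cluster IP is dropped (Disabled filtering mode).
$cluster | Add-NlbClusterPortRule -StartPort 0   -EndPort 442   -Protocol Both -Mode Disabled | Out-Null
$cluster | Add-NlbClusterPortRule -StartPort 444 -EndPort 65535 -Protocol Both -Mode Disabled | Out-Null

# Review the resulting rule set (at most 32 rules per cluster).
$cluster | Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize
```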



Upgrade an NLB cluster

You may upgrade an existing NLB cluster to Windows Server 2012 if you take the entire cluster offline and then upgrade all the hosts. Or you may perform a rolling upgrade, which is all about taking individual cluster hosts offline one by one. Before making the upgrade, you need to first verify that the involved applications and roles/features running on the cluster are compatible with Windows Server 2012. The target node's initial host state should be set to Stopped first. When the upgrade is complete on the host, you should first verify that the applications work fine before adding it back to the cluster.

1.2 CONFIGURE FAILOVER CLUSTERING

Configure Quorum

The quorum configuration determines the maximum number of failures a cluster can sustain; it is always determined by the number of voting elements that are part of the active cluster membership of the cluster. A quorum witness can hold an additional single quorum vote, since one quorum witness can be set up for each cluster (it may be a designated disk resource or a file share resource).
There are several quorum modes. With Node majority (no witness), only nodes can have votes, since there is no quorum witness configured. Node majority with witness means both nodes and the quorum witness can vote (witness vote allowed). No majority (disk witness only) means only the disk witness, and no one else, can have a vote. It is recommended that the voting elements in the cluster be set to an odd number. The use of a disk witness is recommended as long as all nodes can see the disk. A disk-only configuration, however, is never recommended.
Vote weight allows for flexibility: the weight of each vote can be adjusted, and the default is 1.
Cluster configuration can be done via the Failover Cluster Manager GUI. Alternatively, you can use the Set-ClusterQuorum PowerShell cmdlet.
In the case of a failover cluster, whenever it goes online, the first disk that goes online together with it becomes the one to be associated with the quorum. The failover cluster executes a disk arbitration algorithm to determine ownership of that disk (and repeats this on all other disks).
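The quorum rules above turned into a check: count the voting elements, add a witness when the count is even, and report how many failures the cluster can survive. This is an added example, not from the guide; the cluster name, witness share path and DR node name are assumed.

```powershell
# Added example: review a cluster's voting configuration and apply the
# "odd number of votes" recommendation with a file share witness.
Import-Module FailoverClusters

$ClusterName  = 'fc01'                      # assumed
$WitnessShare = '\\fs01\ClusterWitness$'    # assumed; the cluster name object needs Full Control on it

# Every node carries one vote by default (NodeWeight = 1); weight 0 removes its vote.
$nodes = Get-ClusterNode -Cluster $ClusterName
$nodeVotes = @($nodes | Where-Object { $_.NodeWeight -eq 1 }).Count

$quorum = Get-ClusterQuorum -Cluster $ClusterName
Write-Host ("Quorum type: {0}; witness resource: {1}; voting nodes: {2}" -f `
    $quorum.QuorumType, $(if ($quorum.QuorumResource) { $quorum.QuorumResource.Name } else { 'none' }), $nodeVotes)

if (($nodeVotes % 2 -eq 0) -and -not $quorum.QuorumResource) {
    # An even number of voters cannot tolerate losing half of them; the witness adds the
    # tie-breaking vote. A disk witness is preferred when every node can see the disk; the
    # file share witness shown here also suits multi-site clusters with no shared disk.
    Set-ClusterQuorum -Cluster $ClusterName -NodeAndFileShareMajority $WitnessShare | Out-Null
    Write-Host "Configured Node and File Share Majority with witness $WitnessShare"
    $quorum = Get-ClusterQuorum -Cluster $ClusterName
}

# Vote weight: a node at a DR site should not be able to decide quorum on its own.
$drNode = $nodes | Where-Object Name -eq 'node-dr1'     # assumed node name
if ($drNode) { $drNode.NodeWeight = 0; $nodeVotes-- }

# A cluster keeps running while more than half of the votes are online, i.e. it
# tolerates floor((votes - 1) / 2) simultaneous failures. Disk-only mode is the exception
# (the disk is the single vote), which is why the guide never recommends it.
$totalVotes = $nodeVotes + $(if ($quorum.QuorumResource) { 1 } else { 0 })
if ($quorum.QuorumType -eq 'DiskOnly') {
    Write-Warning 'Disk-only quorum: losing the witness disk stops the whole cluster.'
} else {
    Write-Host ("Total votes: {0}; failures tolerated: {1}" -f $totalVotes, [math]::Floor(($totalVotes - 1) / 2))
}
```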

Configure cluster networking

In Windows Server 2012, you use the Server Manager's Network Load Balancing Manager to configure NLB clustering. Through the console you can configure a new cluster and also enable logging.

You use the cluster validation wizard to run focused tests on the planned cluster nodes to seek an accurate assessment of how well failover clustering may be implemented on the proposed configuration. To begin adding hardware to a failover cluster, you first connect the hardware to the failover cluster and then run the cluster validation wizard.
Proper IP address configuration is necessary at both the host and cluster levels, which can all be done via the GUI.

Restore single node or cluster configuration

A cluster without enough quorum votes will not start. However, you can override this by forcing the cluster to start in Force Quorum mode via the Start-ClusterNode cmdlet.
For a backup to be performed, the cluster must be running with a quorum. Only disks that are Online and owned by the involved cluster node can be backed up or restored. When you restore from a backup, you can choose to restore only the cluster configuration, or the disk data, or both.

Configure cluster storage

All components of the storage stack in a cluster setup should be identical across all the nodes inside the cluster. It is particularly important for the multipath I/O (MPIO) software and the Device Specific Module (DSM) software components to be identical. The host bus adapter (HBA), the relevant HBA drivers and the HBA firmware attached to the cluster storage should be identical as well.

Implement Cluster-Aware Updating

Cluster-Aware Updating (CAU) can automate the software updating process on clustered servers. It can put a node into node maintenance mode, then move the clustered roles off the node, and then install the updates prior to performing a restart when needed.
CAU can schedule Updating Runs to take place at regular daily, weekly, or monthly intervals. It does not work for Windows Server 2008/R2 though. You may start CAU via Server Manager, Failover Cluster Manager or the ClusterUpdateUI.exe utility.
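CAU driven from the ClusterAwareUpdating module rather than the UI: check prerequisites, register the self-updating clustered role on a weekly schedule, run one Updating Run on demand, and read the report. This is an added example, not from the guide; the cluster name and schedule values are assumed.

```powershell
# Added example: Cluster-Aware Updating set up in self-updating mode, plus an
# on-demand remote-updating run and the report of what each node installed.
Import-Module ClusterAwareUpdating

$ClusterName = 'fc01'   # assumed

# Readiness test: nodes must allow remote management, firewall rules for remote
# shutdown/restart, the CAU clustered role requirements, and so on.
$setup = Test-CauSetup -ClusterName $ClusterName
$setup | Format-Table -AutoSize
if ($setup | Where-Object { $_.State -eq 'Failed' }) {
    throw 'CAU prerequisites failed on at least one node; fix them before adding the role.'
}

# Self-updating mode: the CAU clustered role lives on the cluster and, on schedule, takes
# each node through maintenance mode -> drain roles -> install -> restart if needed -> resume.
# First Sunday of each month; fail the run as soon as one node fails; require all nodes online.
Add-CauClusterRole -ClusterName $ClusterName -Force -EnableFirewallRules `
    -DaysOfWeek Sunday -WeeksOfMonth @(1) -StartDate (Get-Date '2024-01-07 02:00') `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline

# Remote-updating mode: the same run started right now from an administration host
# (the host must not be a node of the cluster it updates).
Invoke-CauRun -ClusterName $ClusterName -MaxFailedNodes 0 -RequireAllNodesOnline -Force

# Report of the last run: per node, which updates were installed and whether a restart occurred.
Get-CauReport -ClusterName $ClusterName -Last -Detailed | Format-List
```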

Upgrade a cluster

The Migrate a Cluster Wizard makes it easy to migrate services and applications from an earlier cluster to Windows Server 2012. The wizard has a GUI for migrating the configuration settings for clustered roles. Since it does not migrate the settings of the cluster and its storage, you must first ensure that the new cluster is properly configured and ready for the migration process.
Note that the cluster upgrade process is quite similar between Windows Server 2008 and Windows Server 2012.

1.3 MANAGE FAILOVER CLUSTERING ROLES

Configure role-specific settings including continuously available shares

Continuously Available File Shares (CAFS) involves making use of the Windows file sharing capabilities through a cluster to increase the availability of file shares. You configure this via the High Availability Wizard. For this feature to work, SMB 3.0 is required, which supports features like SMB Scale-Out, SMB Direct, and SMB Multichannel.
The CAFS general-use file server implementation can be used to allow a file share to be supported on a failover cluster. On the other hand, the Scale-Out File Server implementation option is for supporting applications such as Hyper-V and Database Server, with the ultimate goal of zero downtime. Do note that the implementation has a limit of max 4 servers. Also, CAFS will not work on the Essentials or Foundation editions.

You may then use the New Share Wizard to determine the type of CAFS to create. SMB Share - Quick is general purpose, while SMB Share - Applications is for supporting applications.

Configure VM monitoring

The Failover Cluster Manager allows you to monitor the health of clustered VMs. You can right-click the clustered VM and then select Configure Monitoring from the More Actions menu item. You may then select the services to monitor. Alternatively, you can use Add-ClusterVMMonitoredItem to enable monitoring via PowerShell. VM monitoring does require that you have Windows Server 2012 for both the host and guest OS.

Configure failover and preference settings

Failover-Clustering is the core Failover Clustering feature without any management tools. RSAT-Clustering-Mgmt has the Failover Cluster Manager snap-in and also the Cluster-Aware Updating interface. RSAT-Clustering-PowerShell has the relevant cmdlets plus the Cluster-Aware Updating module for PowerShell. RSAT-Clustering-AutomationServer has the deprecated Component Object Model programmatic interface, while RSAT-Clustering-CmdInterface offers the deprecated cluster.exe command-line tool. They can all be installed via the Server Manager's Add Roles and Features Wizard.

1.4 MANAGE VIRTUAL MACHINE (VM) MOVEMENT

Perform Live Migration; perform quick migration

With Failover Cluster Manager, cluster migration can be in the form of:
Live migration
Quick migration
Moving the VM to another node
You may not use live migration to move multiple VMs together at the same time. Only one live migration is allowed to take place at a time. For live and quick migration, the hardware and system settings of the involved nodes should be highly similar, if not totally identical.
With Live Migration, Hyper-V connects to the destination host and produces an empty VM. Then it copies the VM's memory to the new VM. The full memory contents are replicated to the destination host through the network. Shared-nothing live migration means changes made during migration are logged for applying to the VM on the destination host later.
With Quick Migration, a VM is first placed in the saved state, then its memory information is transmitted to the target host for starting the VM there; the goal is minimal downtime.

Perform storage migration

To migrate the storage of a running VM you need to perform storage migration. It works assuming that the involved VM is configured to use only virtual hard disks and nothing else for storage. During storage migration the involved VM can still run without downtime.
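The three movement types covered in this section (live migration, quick migration, storage migration) performed from PowerShell, with the two preconditions the text mentions checked first: compatible processors for live migration, and VHD-only storage for storage migration. This is an added example, not from the guide; cluster, VM, node and path names are assumed.

```powershell
# Added example: storage migration of a running clustered VM, followed by a live
# migration of the same VM to another node (quick migration shown as the alternative).
Import-Module FailoverClusters, Hyper-V

$ClusterName = 'hv-cluster'                         # assumed
$VmName      = 'app01'                              # assumed clustered VM (role) name
$TargetNode  = 'hv02'                               # assumed destination node
$NewStorage  = 'C:\ClusterStorage\Volume2\app01'    # assumed CSV path visible to every node

# Storage migration only moves virtual hard disks; a pass-through (physical) disk has a
# DiskNumber instead of a VHD path, so refuse rather than fail half-way.
$passThrough = Get-VMHardDiskDrive -VMName $VmName | Where-Object { $null -ne $_.DiskNumber }
if ($passThrough) { throw "$VmName uses a pass-through disk; storage migration is not possible." }

# Moves VHDs, configuration, checkpoints and smart-paging files while the VM keeps running.
Move-VMStorage -VMName $VmName -DestinationStoragePath $NewStorage

# Live migration needs matching processor families on both nodes, or the VM's
# "migrate to a physical computer with a different processor version" setting.
$cpu = Get-VMProcessor -VMName $VmName
if (-not $cpu.CompatibilityForMigrationEnabled) {
    Write-Warning "CPU compatibility mode is off for $VmName; live migration requires matching CPUs on $TargetNode."
}

# Live: memory is copied over the cluster network and the VM never stops. Only one live
# migration of a given VM runs at a time; the cmdlet returns when the move has completed.
Move-ClusterVirtualMachineRole -Cluster $ClusterName -Name $VmName -Node $TargetNode -MigrationType Live

# Quick: the VM is saved, the saved state moves, and the VM resumes on the target
# (brief downtime, but no processor-compatibility requirement beyond what Saved State needs).
# Move-ClusterVirtualMachineRole -Cluster $ClusterName -Name $VmName -Node $TargetNode -MigrationType Quick

# Confirm the new owner node and the VM state.
Get-ClusterGroup -Cluster $ClusterName -Name $VmName | Format-Table Name, OwnerNode, State -AutoSize
```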

Import, export, and copy VMs

You can import and export VMs between different Windows Server versions. To import a VM into Windows Server 2012 without trouble, it should first be exported from Windows Server 2008 R2 so that the import process can find it. HOWEVER, technically Windows Server 2012 Hyper-V can import a VM that was not previously exported by reading the raw configuration XML file. Note that:

You use Import-VM to import a VM (you must supply an XML configuration file as an argument).
You use Export-VM to export a VM (you do not need to supply the configuration file).
You use Get-VM to retrieve all running VMs.
To start or stop a VM you use Start-VM and Stop-VM respectively.
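The four cmdlets above used together: export a VM, locate the configuration XML that Import-VM requires, and import it as an independent copy with a new VM ID (the PowerShell way of cloning). This is an added example, not from the guide; the VM name and paths are assumed.

```powershell
# Added example: export, then copy-import with a new ID so the clone can run
# next to the original on the same host.
Import-Module Hyper-V

$VmName    = 'template01'                 # assumed
$ExportDir = 'D:\Exports'                 # assumed
$CloneDir  = 'D:\VMs\template01-clone'    # assumed

# Export needs only the VM name; the VM is stopped first so the export is consistent.
if ((Get-VM -Name $VmName).State -ne 'Off') { Stop-VM -Name $VmName }
Export-VM -Name $VmName -Path $ExportDir

# Export writes <ExportDir>\<VM>\Virtual Machines\<GUID>.xml; Import-VM takes that path.
$configXml = Get-ChildItem -Path (Join-Path $ExportDir "$VmName\Virtual Machines") -Filter '*.xml' |
    Select-Object -First 1 -ExpandProperty FullName

# Option 1, register in place: the exported files become the VM's files, same VM ID.
# Import-VM -Path $configXml -Register

# Option 2, copy with a new ID: files are copied to new locations and a fresh GUID is
# generated, so Hyper-V treats it as a distinct VM rather than a duplicate.
$clone = Import-VM -Path $configXml -Copy -GenerateNewId `
    -VirtualMachinePath $CloneDir -VhdDestinationPath (Join-Path $CloneDir 'Virtual Hard Disks')
Rename-VM -VM $clone -NewName "$VmName-clone"

# Get-VM lists every VM; filter on State to see only the running ones.
Get-VM -Name $VmName, "$VmName-clone" | Format-Table Name, Id, State -AutoSize
Start-VM -Name "$VmName-clone"
Get-VM | Where-Object State -eq 'Running' | Select-Object Name, Uptime
```

The clone still carries the original's MAC addresses unless they were set to dynamic; check with Get-VMNetworkAdapter before starting both.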

Through the Virtual Machine Manager Administrator Console you can choose the Clone action to copy a VM via the New Virtual Machine Wizard. You may either place the virtual machine on a host or store the VM in the library. You cannot change the relevant OS settings though.

Migrate from other platforms (P2V and V2V)

V2V means converting a VM to a VMM virtual machine, while P2V means converting a physical server to a VM. Before performing a V2V operation, you need to first add the necessary VMware server-based virtual machine files. The .vmx file describes the properties and structure of a VM. The .vmdk file is the VMware virtual hard disk.
You may use the Convert Virtual Machine Wizard to perform V2V conversion. On the other hand, to perform P2V the Virtual Machine Manager will need to install software on the physical computer for gathering the necessary information. This will be removed upon conversion completion.

CHAPTER 2: CONFIGURE FILE AND STORAGE SOLUTIONS

2.1 CONFIGURE ADVANCED FILE SERVICES

Configure NFS data store

Services for Network File System (NFS) provides support for file sharing between Windows and UNIX:
UNIX-based client computers accessing resources on computers running Windows Server 2012: this is done via Server for NFS
Windows Server-based computers accessing resources on UNIX file servers: this is done via Client for NFS
You use the Services for NFS GUI snap-in to manage each installed component of Services for NFS. To use it, you must be a member of the local Administrators group. You may also use command-line tools to achieve the same:
mapadmin, for administering the service.
nfsadmin, for managing Server for NFS and Client for NFS.
nfsshare, for controlling NFS shared resources.
nfsstat, for showing and resetting counts of calls made to Server for NFS.

Configure BranchCache

You may have BranchCache deployed in a domain-based or non-domain-based environment if a VPN or DirectAccess connection is available between the content servers and the branch office.
There are different BranchCache modes:
With BranchCache in distributed cache mode, the content cache at a branch office is distributed among client computers.
With BranchCache in hosted cache mode, the content cache at a branch office is hosted on one or more server computers known as hosted cache servers.
In any case, only one mode can be used in a branch office.
BranchCache can validate content using block hashes found in the content information. Also, to restrict cache access to the BranchCache service, the local cache is protected by file system permissions. At the end of the day, data stored in the content cache is not encrypted.

Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)

With the File Server Resource Manager (FSRM) it is possible to configure advanced file share settings such as security, encryption and caching.
File Classification Infrastructure (FCI) is a feature that can automate the data classification process so that you may classify files and apply policies more effectively. Keep in mind, FCI is exposed only through FSRM and nowhere else.
Properties in FCI require two pieces of information, which are name and type. The possible types supported include:
Yes/No
Date
Number
Multiple Choice List and Ordered List
String and Multi-String
The Folder Classifier checks files within the scope of a rule. The Content Classifier searches contents for certain text or patterns. You may have multiple classification rules being used together.

Configure file access auditing

There are audit policy settings under Security Settings\Advanced Audit Policy Configuration. In particular, there are "Object Access" policy settings and audit events that allow you to track attempts to access specific objects or types of objects on a network or computer. Through these settings you may audit attempts to access a file, directory, registry key, or any other object (such as files and folders on a shared folder), assuming you have enabled the appropriate Object Access auditing subcategory for success and/or failure events. The resulting Detailed File Share setting will log an event every time a file or folder is accessed. Detailed File Share audit events cover detailed information on permissions and other relevant criteria used to grant or deny access.
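The Detailed File Share subcategory enabled from the command line and its events (Security log, ID 5145) read back into objects, so denied share accesses can be summarised per user. This is an added example, not from the guide; the share name and the folder path in the SACL comment are assumed.

```powershell
# Added example: enable Detailed File Share auditing, then parse the 5145 events it
# produces (share, relative path, client IP, access mask, granted or denied).

# Success and failure auditing for the subcategory; same as ticking both boxes under
# Advanced Audit Policy Configuration > Object Access > Audit Detailed File Share.
auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null

# Detailed File Share audits every access to a share object. File-level audits (ID 4663)
# additionally need a SACL on the folder, e.g. for writes by anyone (assumed path):
#   $acl = Get-Acl 'D:\Finance'
#   $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
#       'Everyone', 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')))
#   Set-Acl 'D:\Finance' $acl

function Get-DetailedFileShareAudit {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$ShareName = '*'          # e.g. '\\*\Finance'; 5145 stores the share as \\*\Name
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event XML carries named fields; more robust than splitting the Message text.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Outcome    = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Denied' } else { 'Granted' }
                User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ClientIP   = $data['IpAddress']
                Share      = $data['ShareName']
                Target     = $data['RelativeTargetName']
                AccessMask = $data['AccessMask']
            }
        } | Where-Object { $_.Share -like $ShareName }
}

# Denied accesses to the Finance share over the last day, grouped by user (assumed share).
Get-DetailedFileShareAudit -Since (Get-Date).AddDays(-1) -ShareName '\\*\Finance' |
    Where-Object Outcome -eq 'Denied' |
    Group-Object User | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```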

2.2 IMPLEMENT DYNAMIC ACCESS CONTROL (DAC)

Configure user and device claim types

Dynamic Access Control (DAC) implements claims-based access control and authentication, which rely on a trusted identity provider to authenticate the user. This identity provider issues a token to the user as proof of identity. AD DS maintains a claims dictionary in each forest to describe how a claim may traverse a trust boundary. All claims are accordingly defined at the forest level. To use user claims, you need to have sufficient Windows Server 2012 domain controllers in place.
You open Group Policy Management to enable support for user claims. A device claim is another thing: it may be sourced from the device object attribute in Active Directory that holds the value of the claim.

Implement policy changes and staging

DAC allows you to implement central access policy. First you tag your data by marking the relevant folders, then configure a Central Access Rule to specify that only specific security groups may access the tagged data in a specific way, and then you apply a Central Access Policy to the corresponding Windows Server 2012 file servers. In fact you can create central access policies for files so as to centrally deploy and manage authorization policies. Note that a staging policy rule can be set up to monitor the effects of a new policy entry before actually enabling it.
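The claim type, Central Access Rule with a staged (proposed) permission set, and Central Access Policy from the two passages above, built with the ActiveDirectory module, plus the staging events to review. This is an added example, not from the guide; the claim and property names, the Finance value and the SDDL strings are assumed, and the conditional-ACE and resource-condition syntax follows the documented form (verify in your forest before relying on it).

```powershell
# Added example: user claim + resource property -> Central Access Rule (current ACL kept,
# proposed ACL staged) -> Central Access Policy -> staging audit events.
Import-Module ActiveDirectory

# 1. User claim sourced from the AD 'department' attribute. Claims are forest-wide objects.
$claim = Get-ADClaimType -Filter { DisplayName -eq 'Department' }
if (-not $claim) {
    $claim = New-ADClaimType -DisplayName 'Department' -SourceAttribute department -PassThru
}

# 2. Resource property with the same name, used to tag folders on file servers. Its
#    internal ID becomes Department_MS and it must be in the Global Resource Property List.
if (-not (Get-ADResourceProperty -Filter { DisplayName -eq 'Department' })) {
    New-ADResourceProperty -DisplayName 'Department' -IsSecured $true -ResourcePropertyValueType MS-DS-Text
    Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'
}

# 3. Central Access Rule scoped to resources tagged Department=Finance.
#    CurrentAcl: what applies today (read/execute 0x1200a9 for all Authenticated Users).
#    ProposedAcl: the staged rule, a conditional ACE (XA) granting read/execute only when the
#    user's Department claim equals "Finance". The claim is referenced by its ID (ad://ext/...).
$claimRef    = "@USER.$($claim.ID)"
$currentAcl  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)'
$proposedAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;($claimRef == `"Finance`"))"
$rule = New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl -PassThru

# 4. Central Access Policy bundling the rule. It is delivered to file servers by GPO
#    (Computer Configuration > Policies > Windows Settings > Security Settings > File System >
#    Central Access Policy); administrators then select it on the folder's Advanced Security tab.
New-ADCentralAccessPolicy -Name 'Finance Policy' | Out-Null
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members $rule.Name

# 5. Staging review on a file server where the policy is applied: with the
#    "Central Access Policy Staging" subcategory audited, event 4818 is written whenever the
#    proposed permissions would have decided an access differently from the current ones.
auditpol.exe /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```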

Perform access-denied remediation

Access-denied Remediation allows those who encountered an Access Denied error to explain why they should be allowed access. The case is sent to the admin defined in FSRM for further review. This feature is available only if you implement SMB 3.0. In other words, it may not work for those using an earlier Windows OS.

Configure file classification

You may use the PowerShell classifier to classify a file automatically. You use the Enhanced content classifier to specify the minimum and maximum occurrences of a string or regular expression. You use dynamic namespaces for classification rules: you do this to specify the type of information that a folder can contain and then configure classification rules based on the type of desired information.

2.3 CONFIGURE AND OPTIMIZE STORAGE

Configure iSCSI Target and Initiator

An initiator is a client, which could be software installed on the client operating system, or a hardware + software combo. A target is a host providing the LUN. The target system must support the iSCSI protocol and allow its local storage resources to be assigned to a LUN so that it can be made accessible through the iSCSI protocol. The LUN will never be in use by more than one initiator at any one time, except in the case of a cluster, where each node must be able to access a LUN. Microsoft has a full-blown Windows-based initiator. To use this initiator the iSCSI service must first be running.

Configure Internet Storage Name Server (iSNS)

Internet Storage Name Service (iSNS) is a protocol for interaction between iSNS servers and clients. The clients are initiators which attempt to discover storage device targets on the network. Port 3205 is the typical iSNS Server port. Keep in mind, the MS implementation of iSNS Server only supports the discovery of iSCSI devices, not Fibre Channel devices.

Implement thin provisioning and trim

Thin provisioning and trim are features enabled by default for just-in-time allocation of storage space as well as reclaiming storage. Assuming the storage array you use complies with the certification requirements for Windows Server 2012, they are appropriate if storage consumption is predictable, the storage volume to use can tolerate a brief outage, and storage monitoring processes are in place to watch for and detect the critical thresholds. To use them properly, you should carefully plan for and predict the corresponding capacity requirements.

Manage server free space using Features on Demand

Features on Demand is available only in Windows Server 2012 and Windows 8. The goal is to be able to remove role and feature files or add roles and features remotely. For this to work there should be a side-by-side feature store available that keeps the feature files.

CHAPTER 3: IMPLEMENT BUSINESS CONTINUITY AND DISASTER RECOVERY

3.1 CONFIGURE AND MANAGE BACKUPS

Configure Windows Server backups

Windows Server Backup is a feature that needs to be added manually. Once added, from Server Manager you can invoke the Server Backup console and its wizard for making backups. You can use it to back up a full server (which means all volumes), selected volumes, or just the system state. In fact you can create and manage backups for the local computer or a remote computer. Do keep in mind this console is not available in a Server Core installation.

Keep in mind that the Windows Server Backup application is for restoring files and folders only. For a complete system recovery, you may want to boot up from the Windows setup disk and then choose System Image Recovery in the Advanced options screen. If your backup media has been attached properly, it should be automatically discovered.

Configure Windows Online backups

Online Backup is for storing backups in Windows Azure. For this to work, in addition to adding the Windows Server Backup feature you must sign up for the service. And you must have a fast and reliable connection for this solution to be practical.

Configure role-specific backups

Features on Demand allows you to add or remove files that are associated with specific roles and features (they are called payload files). When files are removed, they must be added back explicitly, since the removal is not temporary.
To use the feature via DISM for feature removal, this command can be used:
DISM.exe /Online /Disable-Feature /Featurename:
To use the feature via the DISM PowerShell cmdlet, do this:
Disable-WindowsOptionalFeature -Online -FeatureName -Remove
If you use the Server Manager PowerShell cmdlet, follow this:
Remove-WindowsFeature -Remove
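The Features on Demand round trip from the two passages above (here and under 2.3): remove a feature's payload with the ServerManager cmdlets, see it reported as Removed, and add it back from a side-by-side store. This is an added example, not from the guide; the feature name and the store share are assumed.

```powershell
# Added example: reclaim space by removing a feature payload, then restore it from
# the sources\sxs store of the installation media (shared on the network here).
Import-Module ServerManager

$Feature  = 'Web-Server'                # assumed feature name
$SxsStore = '\\fs01\Sources\sxs'        # assumed share containing <install media>\sources\sxs

# Uninstall-WindowsFeature -Remove (Remove-WindowsFeature is its alias) deletes the payload
# files from the component store; the feature's InstallState changes from Available to Removed.
Uninstall-WindowsFeature -Name $Feature -Remove | Out-Null
Write-Host ("{0} is now: {1}" -f $Feature, (Get-WindowsFeature -Name $Feature).InstallState)

# Inventory of everything whose payload has been removed from this server.
Get-WindowsFeature | Where-Object InstallState -eq 'Removed' | Select-Object Name, DisplayName

# Adding it back needs a source for the files: Windows Update by default, or -Source
# pointing at the side-by-side store. (The Group Policy setting "Specify settings for optional
# component installation and component repair" can set an alternate source path centrally.)
$result = Install-WindowsFeature -Name $Feature -Source $SxsStore
if (-not $result.Success) { throw "Install of $Feature failed with exit code $($result.ExitCode)" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the installation.' }
Write-Host ("{0} is now: {1}" -f $Feature, (Get-WindowsFeature -Name $Feature).InstallState)
```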

Manage VSS settings using VSSAdmin

VSS has three major components in addition to the service itself, which are the writer, requester and provider. VSS creates a shadow copy for the entire volume, NOT for an individual file. You use vssadmin add shadowstorage to add a volume shadow copy storage association. You use vssadmin create shadow to create a new volume shadow copy. You use vssadmin delete shadows to delete volume shadow copies. And you use vssadmin delete shadowstorage to delete volume shadow copy storage associations. You use vssadmin list shadows to list the existing volume shadow copies. And you use vssadmin list shadowstorage to list all the shadow copy storage associations on the system.
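The vssadmin commands above strung together in a script: make sure storage is associated with the volume, create a shadow copy, parse its ID and device name from the output, use it for a consistent file copy, and delete it. This is an added example, not from the guide; the volume, link path and copy paths are assumed (vssadmin create shadow is available on server editions only).

```powershell
# Added example: whole-volume shadow copy taken, used through a directory link, and
# removed by ID. Output parsing relies on the "Shadow Copy ID:" / "Shadow Copy Volume Name:"
# lines vssadmin prints on success.
function New-VolumeShadow {
    param([string]$Volume = 'C:')
    $out = vssadmin create shadow /for=$Volume 2>&1 | Out-String
    if (-not ($out -match 'Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})')) { throw "vssadmin failed:`n$out" }
    $id = $Matches[1]
    if (-not ($out -match 'Shadow Copy Volume Name:\s*(\S+)')) { throw "No device name in:`n$out" }
    [pscustomobject]@{ Id = $id; Device = $Matches[1]; Volume = $Volume }
}

# Storage association: shadow copies of C: kept on C: itself, capped at 10% of the volume.
$storage = vssadmin list shadowstorage | Out-String
if ($storage -notmatch 'For volume: \(C:\)') {
    vssadmin add shadowstorage /for=C: /on=C: /maxsize=10% | Out-Null
}

$shadow = New-VolumeShadow -Volume 'C:'
Write-Host "Created shadow $($shadow.Id) at $($shadow.Device)"

# A read-only, point-in-time view of the volume: files that are locked on the live C:
# (logs, databases) can be copied consistently from here. Paths are assumed.
cmd /c mklink /d C:\ShadowView "$($shadow.Device)\" | Out-Null
try {
    Copy-Item -Path 'C:\ShadowView\inetpub\logs' -Destination 'D:\backup\iislogs' -Recurse -Force
} finally {
    cmd /c rmdir C:\ShadowView
    # Delete by ID; /quiet suppresses the confirmation prompt so the script does not hang.
    vssadmin delete shadows /shadow=$($shadow.Id) /quiet | Out-Null
}

# What is left on the system.
vssadmin list shadows | Select-String 'Shadow Copy ID'
```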

Create System Restore snapshots

VSS operates at the block level of the NTFS file system. System Restore snapshots are automatically created on a periodic basis by a Task Scheduler job or when triggered by certain events. The snapshots created allow the production of consistent backups of a volume and avoid potential file locking, since they are read-only. The actual data copy process can be handled by the Windows file system.

3.2 RECOVER SERVERS

Restore from backups

You can restore from a backup using the Recovery Wizard. It can restore from backups stored locally or in a remote folder.

Perform a Bare Metal Restore (BMR)

Bare metal restore (BMR) involves taking a physical machine that has crashed and having it brought up on another physical machine; you are actually restoring to blank disk drives. The problem with this kind of restore is that if the hardware involved is not identical, you may encounter problems. Through the Windows Server Backup GUI, when you choose Backup Once you can pick the Bare Metal Recovery option.
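A Windows Server Backup policy that includes the Bare Metal Recovery and system state selections from the passages above (3.1 and this one), scheduled to a dedicated disk and also run once immediately. This is an added example, not from the guide; the target volume and data volume are assumed.

```powershell
# Added example: WindowsServerBackup policy with BMR + system state + a data volume,
# written to a dedicated backup disk on a daily schedule, plus a one-off run.
Import-Module WindowsServerBackup   # requires: Install-WindowsFeature Windows-Server-Backup

$TargetVolume = 'E:'    # assumed dedicated backup disk; must not be one of the volumes backed up
$DataVolume   = 'D:'    # assumed

$policy = New-WBPolicy

# Bare Metal Recovery adds every volume the OS needs (system, boot, recovery partition), so
# that WinRE > System Image Recovery can rebuild the server on replacement hardware.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState       -Policy $policy

# Data in addition to the critical volumes.
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath $DataVolume)

# Destination: a volume dedicated to backups.
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $TargetVolume)

# VSS full backup tells writers (e.g. Exchange, SQL) that this is the backup of record and
# they may truncate logs; use Set-WBVssBackupOptions -VssCopyBackup when another product
# owns the backup chain.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Daily at 23:00; Set-WBPolicy stores it as the scheduled policy, replacing any existing one.
Set-WBSchedule -Policy $policy -Schedule ([datetime]'23:00')
Set-WBPolicy   -Policy $policy -Force

# Run the same policy now (the Backup Once equivalent) and report the outcome.
Start-WBBackup -Policy $policy
Get-WBJob -Previous 1 | Format-List JobType, JobState, StartTime, EndTime, ErrorDescription
```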

Recover servers using Windows Recovery Environment (WinRE) and safe mode

The default Windows RE image is known as Winre.wim. All the required Windows RE configurations are automatically set after OOBE. In order to manually enter Windows RE you need to boot using a Windows setup disc, or restart the server system and choose Repair Your Computer.
Windows RE gives you the System Image Recovery option, allowing you to restore from a backup created by Windows Server Backup.

At boot-up, if you keep pressing F8 you can reach a menu which allows you to boot into Safe Mode, which gives you access to basic files and drivers. On the other hand, Safe Mode with Networking loads all these drivers plus the essential services and drivers to enable networking. Simply put, Safe Mode aims to help you diagnose problems.

Apply System Restore snapshots

A system restore point is a system snapshot that can be configured to be taken automatically. In PowerShell you can enable the feature via Enable-ComputerRestore. To disable it you use Disable-ComputerRestore. To find out about the available restore points you use Get-ComputerRestorePoint. To add a new one you use Checkpoint-Computer. To go ahead with a restore you use Restore-Computer with the -RestorePoint option.

Configure the Boot Configuration Data (BCD) store

You use BCDboot to set up a system partition or repair the boot environment. On the other hand, you use BCDEdit to manage BCD stores. The Boot Configuration Data Store (BCD Store) is firmware-independent; it is simply a namespace container for boot configuration objects and elements that hold the information required to load Windows. At the physical level it is a binary file following the registry hive format. In fact it is the Windows Deployment Services PXE Provider that creates the BCD store for an image.

3.3 CONFIGURE SITE-LEVEL FAULT TOLERANCE

Configure Hyper-V Replica including Hyper-V Replica Broker and VMs

Hyper-V Replica is a software-based asynchronous replication mechanism; you use it for replicating VMs. It involves replicating VMs to other locations by intercepting writes to VHDs. Once Replica is enabled, a source host will maintain a Hyper-V Replica Log file (HRL) for the VHDs. A write by the VM means a write to the VHD and also a write to the HRL. With the log file replayed to the replica VHD, replication can take place every 5 minutes. There is no need to enable Hyper-V Replica on the source host. However, you will need to enable it on all the replica hosts. The first initial copy may be made using offline media or other means. Do keep in mind all hosts involved must use the same processor type.
Very importantly, Hyper-V Replica will require the Failover Clustering role known as Hyper-V Replica Broker if either the primary or the replica Hyper-V server is part of a Windows Server cluster.
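The Hyper-V Replica setup described above done with the Hyper-V module: the replica host is configured to accept replication (the primary needs nothing), one VM is enabled for replication over Kerberos, the initial copy is sent, and health is checked with a test failover. This is an added example, not from the guide; host names, the VM name and the storage path are assumed.

```powershell
# Added example: Hyper-V Replica for one VM, Kerberos-authenticated, restricted to a
# named primary server, with a test failover on the replica side.
Import-Module Hyper-V

$PrimaryHost = 'hv-primary'     # assumed; for a clustered primary use the Replica Broker name
$ReplicaHost = 'hv-replica'     # assumed; for a clustered replica target the Replica Broker
$VmName      = 'app01'          # assumed
$ReplicaPath = 'D:\Replica'     # assumed location on the replica host for the replica VHDs

# --- Replica host: accept Kerberos replication on port 80, but only from the named primary.
Set-VMReplicationServer -ComputerName $ReplicaHost -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -ComputerName $ReplicaHost -AllowedPrimaryServer $PrimaryHost `
    -ReplicaStorageLocation $ReplicaPath -TrustGroup 'Default'
# The listener is blocked until its firewall rule is enabled on the replica host.
Invoke-Command -ComputerName $ReplicaHost -ScriptBlock {
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# --- Primary host: enable replication for the VM. The HRL is created here and replayed
# to the replica VHDs on the replication interval. Four recovery points are kept.
Enable-VMReplication -ComputerName $PrimaryHost -VMName $VmName -ReplicaServerName $ReplicaHost `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -CompressionEnabled $true -RecoveryHistory 4

# Initial copy over the network. For large VMs over a slow link, export it to offline media
# instead: Start-VMInitialReplication -VMName $VmName -DestinationPath 'F:\seed'  (assumed path)
Start-VMInitialReplication -ComputerName $PrimaryHost -VMName $VmName

# Health: State/Health/Mode on the primary, plus averages and pending size.
Get-VMReplication -ComputerName $PrimaryHost -VMName $VmName |
    Format-List VMName, Mode, State, Health, ReplicaServer, LastReplicationTime
Measure-VMReplication -ComputerName $PrimaryHost -VMName $VmName

# Test failover on the replica: boots a disconnected copy without touching production,
# which is the safe way to verify the replica is usable. Stop it when done.
$testVm = Start-VMFailover -ComputerName $ReplicaHost -VMName $VmName -AsTest
Write-Host "Test VM created: $($testVm.Name)"
Stop-VMFailover -ComputerName $ReplicaHost -VMName $VmName
```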

Configure multi-site clustering including network settings, Quorum, and failover settings

A failover cluster has multiple independent computers working together to improve availability. The clustered server nodes are connected physically via cables and can function in different roles such as file server, print server, mail server, and database server. If one fails, another is supposed to "pick up". All the participating servers in a cluster must be in the same domain. Also, they should have the same domain role (in fact the role of member server is preferred). There is also a common storage unit physically connected to all the participating servers. Normally you should use identical hardware for all the clustered servers. If you are using Serial Attached SCSI or Fibre Channel, all components of the storage stack should be identical in all servers.

CHAPTER 4: CONFIGURE NETWORK SERVICES

4.1 IMPLEMENT AN ADVANCED DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SOLUTION

Create and configure superscopes and multicast scopes

A DHCP scope refers to an administrative grouping of IP addresses. An administrator can first create a scope for each physical subnet, then use the scope to further define the parameters to be used by the clients. Each subnet can only have one single DHCP scope with a single continuous range of IP addresses. If you want to use multiple address ranges within a single scope, then you will have to carefully configure the required exclusion ranges.
With a superscope, you are trying to provide leases from more than one scope to your clients that reside in a single physical network. To create a superscope you must use DHCP Manager to define the scopes that are to be included in the superscope (they are known as member scopes). You will find this useful if you have multiple logical IP networks in a physical network, or if you have clients that are about to be migrated to a new scope. If you have DHCP clients on the other side of a BOOTP relay agent with multiple logical subnets in a physical network, this superscope configuration will also work.
A multicast scope may be used through the Multicast Address Dynamic Client Allocation Protocol (MADCAP). This protocol allows a MADCAP server to dynamically provide IP addresses to the MADCAP clients. You want your MADCAP server to also act as a multicast server (MCS). This MCS is assigned an address. Your multicast clients need to register membership with the MCS in order to receive streams sent to this MCS address. Windows Server has the New Multicast Scope Wizard UI for creating a multicast scope.

Implement DHCPv6

In DHCPv6 stateless mode, clients may use DHCPv6 to obtain network configuration parameters separately from address configuration. IPv6 clients may configure an IPv6 address via a non-DHCPv6-based mechanism (such as IPv6 address autoconfiguration or static configuration).
In contrast, DHCPv6 stateful mode allows clients to acquire both the IPv6 address and the network configuration parameters through DHCPv6 together.

Configure high availability for DHCP including DHCP failover and split scopes

Know the 80/20 rule for scopes. This means you should divide scope addresses between two DHCP servers, one with approximately 80% of the addresses and another with approximately 20% of the addresses. Employing multiple DHCP servers for fault tolerance and redundancy is called split-scope configuration. There is in fact a DHCP Split-Scope Configuration Wizard you can use for IPv4 scopes.
DHCP failover is a feature in Windows Server 2012 that can support the use of 2 DHCP servers in a failover relationship when dealing with IPv4 scopes and subnets. Failover partners can operate in either hot standby or load sharing mode. With the former there is one active primary server and one secondary server, although only one can stay active at a time. With load sharing (the default), you have two servers working simultaneously. Such a setup is most ideal when both servers are in the same physical site.

Configure DHCP Name Protection

DHCP Name Protection is a feature against name squatting, which is said to take place when a non-Windows computer registers itself in DNS with a name already registered to a Windows-based computer (server name squatted by a client / server name squatted by a server / client name squatted by a client / client name squatted by a server). The feature works using the Dynamic Host Configuration Identifier (DHCID) in the DHCP server. For it to work, the DHCID resource record (RR) must be supported in DNS for mapping names and preventing duplicate registration.
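The failover relationship from the high-availability passage (load sharing with an 80/20 split, hot standby as the alternative) and Name Protection from this one, configured with the DhcpServer module. This is an added example, not from the guide; server names, the scope ID and the relationship name are assumed.

```powershell
# Added example: DHCPv4 failover relationship between two servers plus Name Protection
# on the shared scope, with the configuration replicated to the partner.
Import-Module DhcpServer

$Primary = 'dhcp01.corp.example'    # assumed; the server that already owns the scope
$Partner = 'dhcp02.corp.example'    # assumed
$ScopeId = '10.10.0.0'              # assumed existing IPv4 scope on $Primary
$RelName = 'dhcp01-dhcp02'          # assumed relationship name

# The shared secret authenticates failover messages between the partners; prompt for it
# rather than embedding it in the script.
$secret = Read-Host -Prompt 'Shared secret for the failover relationship'

# Load-sharing mode: both servers hand out leases; this server keeps 80% of the pool.
# MaxClientLeadTime bounds how far a server may extend leases while its partner is unreachable;
# AutoStateTransition moves a server to Partner Down after StateSwitchInterval on its own.
Add-DhcpServerv4Failover -ComputerName $Primary -Name $RelName -PartnerServer $Partner `
    -ScopeId $ScopeId -LoadBalancePercent 80 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:10:00 -SharedSecret $secret

# Hot-standby alternative: the partner answers only while this (Active) server is down and
# reserves 5% of the addresses for that period.
# Add-DhcpServerv4Failover -ComputerName $Primary -Name $RelName -PartnerServer $Partner `
#     -ScopeId $ScopeId -ServerRole Active -ReservePercent 5 -MaxClientLeadTime 01:00:00 -SharedSecret $secret

# Name Protection: the server registers a DHCID record alongside the A/PTR records, so a
# different client cannot overwrite (squat) an existing name through dynamic update.
Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId -NameProtection $true

# Push the scope configuration (including the DNS settings) to the partner.
Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name $RelName -Force

# Verify on both sides.
foreach ($server in $Primary, $Partner) {
    Get-DhcpServerv4Failover -ComputerName $server -Name $RelName |
        Format-List Name, Mode, State, PartnerServer, LoadBalancePercent, MaxClientLeadTime
    Get-DhcpServerv4DnsSetting -ComputerName $server -ScopeId $ScopeId | Format-List NameProtection, DynamicUpdates
}
```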

4.2 IMPLEMENT AN ADVANCED DNS SOLUTION

Configure security for DNS including DNSSEC, DNS Socket Pool, and cache locking

DNSSEC refers to the group of extensions for hardening the DNS infrastructure as specified in IETF RFC 4033, 4034 and 4035. It has several new types of record, including DNSKEY, RRSIG, DS, and NSEC/NSEC3. Dynamic DNS updates can be deployed for DNSSEC-signed zones with Active Directory, and the scavenge stale records option can be used for purging old DNSSEC records. You can enable DNSSEC via the Zone Signing Wizard.
A DNS server with a socket pool is capable of deploying source port randomization; this is for protecting against DNS cache poisoning attacks. It simply allows the server to randomly pick a source port when the service starts, so there is no longer a predictable source port when issuing queries. The default size of this socket pool is 2500.
Cache locking means the DNS server disallows the cached records to be overwritten for the duration of the TTL value. This is done to protect against possible cache poisoning attacks. By default it has a value of 100%, meaning the cached entries will not be overwritten at all.

Configure DNS logging

The DNS server log can be viewed via the DNS Manager or the Event Viewer. From the Properties of the DNS Server, inside the Debug Logging tab there is a check box named Log Packets for Debugging. You may also use file-based logs as an advanced tactic. However, this should be treated as a temporary measure only. Keep in mind, the more you log, the more overhead is involved.

Configure delegated administration

You may use the New Delegation Wizard to add a new delegated domain. Zone delegation works like "dividing" your DNS namespace. You want to do this if you find the need to distribute traffic loads among multiple servers and improve DNS name resolution performance/resiliency, or if you prefer to extend the namespace to accommodate the opening of a new remote branch.

Configure recursion

You may have your DNS server designated as a forwarder when the other DNS servers are configured to forward to it the queries that can't be resolved locally. You can use the DNS Manager or the dnscmd command with the /ResetForwarders option to configure such a feature.

You can specify that the DNS server only uses forwarders and makes no further recursion even if the forwarders fail. If you disable recursion for the DNS server, it will never perform recursion on any query.

Configure netmask ordering

Netmask ordering is a feature you can use when returning addresses for type A DNS queries. You do this to prioritize local resources for your DNS clients (you want your clients to receive the query results that are most relevant to their location). You will find this feature particularly useful if you have many type A records for the same DNS name, where each of these type A records has a different address. You may use Dnscmd /Config /LocalNetPriorityNetMask to achieve this.
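The DNS server protections from 4.2 (cache locking, socket pool, DNSSEC signing and verification) together with the netmask ordering setting just described, audited and applied from one script. This is an added example, not from the guide; the server and zone names are assumed, and the dnscmd settings take effect after the DNS service restarts.

```powershell
# Added example: harden a Windows DNS server against cache poisoning, sign a zone,
# and enable netmask ordering for type A answers.
Import-Module DnsServer

$DnsServer = 'dns01'            # assumed
$Zone      = 'corp.example'     # assumed AD-integrated zone hosted on $DnsServer

# Cache locking: percentage of a cached record's TTL during which it cannot be overwritten
# by an unsolicited answer. 100 means never during the TTL (the default).
$cache = Get-DnsServerCache -ComputerName $DnsServer
if ($cache.LockingPercent -lt 100) {
    Write-Host "Raising cache locking from $($cache.LockingPercent)% to 100%"
    Set-DnsServerCache -ComputerName $DnsServer -LockingPercent 100
}

# Socket pool: number of randomized UDP source ports pre-allocated at service start
# (default 2500). A pool of 0 would mean a single predictable port for outbound queries.
dnscmd $DnsServer /Config /SocketPoolSize 2500 | Out-Null
dnscmd $DnsServer /Info /SocketPoolSize

# Netmask ordering: when a name has several A records, put the ones in the client's own
# network first. The mask selects the "local" bits; 0x000000FF (the default) treats
# addresses that share their first three octets with the client as local.
dnscmd $DnsServer /Config /LocalNetPriority 1 | Out-Null
dnscmd $DnsServer /Config /LocalNetPriorityNetMask 0x000000FF | Out-Null

# DNSSEC: sign the zone with the Zone Signing Wizard defaults (KSK + ZSK, NSEC3) if it is not
# signed yet, then show the published DNSKEY records and confirm answers carry RRSIGs.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $Zone).IsSigned) {
    Invoke-DnsServerZoneSign -ComputerName $DnsServer -ZoneName $Zone -SignWithDefault -Force
}
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType DnsKey |
    Select-Object HostName, RecordType

# With the DO bit set, a signed zone returns the RRSIG next to the A record.
$answer = Resolve-DnsName -Name "www.$Zone" -Type A -Server $DnsServer -DnssecOk
$answer | Format-Table Name, Type, TTL -AutoSize
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    Write-Warning "No RRSIG returned for www.$Zone; the zone or the record set is not signed."
}
```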

Configure a GlobalNames zone

A special zone named GlobalNames (GNZ) can be used to provide resolution of single-label names. A GlobalNames zone can be created via the DNS Manager UI or the dnscmd command. Do note that GNZ is for aiding the retirement of WINS only. Also note that single-label name resolution of records is NOT supposed to use dynamic registration.
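The settings covered in this section (cache locking, recursion and forwarders, netmask ordering, GlobalNames) can be audited in one pass with the DnsServer PowerShell module. This is an added example, not from the study guide; the server name and forwarder address are placeholders.

```powershell
# Added example (not from the study guide): report the DNS server settings
# discussed above and flag the ones that weaken the resolver. Requires the
# DnsServer module (RSAT-DNS-Server) and admin rights on each server.
Import-Module DnsServer

function Test-DnsServerHardening {
    param([string[]]$ComputerName = @('dns01.corp.example'))   # placeholder server names

    foreach ($server in $ComputerName) {
        $findings = @()

        # Cache locking: below 100% a later response can overwrite a cached
        # record before its TTL expires, which is the window cache poisoning needs.
        $cache = Get-DnsServerCache -ComputerName $server
        if ($cache.LockingPercent -lt 100) {
            $findings += "Cache locking is $($cache.LockingPercent)% (expected 100%)"
        }

        # Recursion and forwarders: a server that only hosts authoritative
        # zones should not recurse for arbitrary clients, and a server meant
        # to use forwarders only should not fall back to root hints.
        $recursion  = Get-DnsServerRecursion -ComputerName $server
        $forwarders = Get-DnsServerForwarder -ComputerName $server
        if ($recursion.Enable -and -not $forwarders.IPAddress) {
            $findings += 'Recursion enabled with no forwarders (resolves via root hints for any client)'
        }
        if ($forwarders.IPAddress -and $forwarders.UseRootHint) {
            $findings += 'Falls back to root hints when forwarders fail (UseRootHint is true)'
        }

        # Netmask ordering (functional, not a security item): clients should get
        # the A record nearest to them when a name has several addresses.
        $settings = Get-DnsServerSetting -ComputerName $server -All
        if (-not $settings.LocalNetPriority) {
            $findings += 'Netmask ordering (LocalNetPriority) is off'
        }

        # GlobalNames zone: single-label resolution only belongs on a server
        # that is actually retiring WINS.
        $gnz = Get-DnsServerGlobalNameZone -ComputerName $server
        if ($gnz.Enable) {
            $findings += 'GlobalNames zone is enabled'
        }

        [pscustomobject]@{
            Server   = $server
            Findings = $findings
            Clean    = ($findings.Count -eq 0)
        }
    }
}

# Remediation for the findings above, once reviewed (placeholder names/addresses):
#   Set-DnsServerCache      -ComputerName dns01.corp.example -LockingPercent 100
#   Set-DnsServerRecursion  -ComputerName dns01.corp.example -Enable $false
#   Set-DnsServerForwarder  -ComputerName dns01.corp.example -IPAddress 10.0.0.53 -UseRootHint $false
#   dnscmd dns01.corp.example /Config /LocalNetPriorityNetMask 0x0000FFFF
Test-DnsServerHardening | Format-List
```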

4.3 DEPLOY AND MANAGE IPAM

Configure IPAM manually or by using Group Policy

You may have an IPAM server deployed at every site. If your network is reasonably small, you may want to have one IPAM server deployed for the entire network. You should install IPAM on a server that has joined a domain, or you will receive a warning.

FYI, an IPAM server should be set up as a single-purpose server. Do not collocate other network infrastructure roles on the same server! Each IPAM server can support at most 150 DHCP servers and 500 DNS servers. External databases and non-Microsoft implementations are not supported.

Provisioning is the process you must go through before the infrastructure servers can be managed. You choose a provisioning method through the IPAM console overview (this is how you launch the Provision IPAM wizard). The manual provisioning method is usually not preferred because of its complexity. The Group Policy based method is less prone to errors, since the GPOs are automatically applied to the infrastructure servers once they are assigned the status of managed via the IPAM console.

Configure server discovery

Server discovery involves defining the scope of discovery before actually discovering the servers. IPAM uses AD to define the scope of servers that are to be managed. To begin discovering servers you first set a scope by invoking Configure server discovery from within the IPAM client console. You need to choose a domain to discover (this is the scope). To actually discover server roles, you click Start server discovery to call up the IPAM Server Discovery task.

Create and manage IP blocks and ranges

You need to know the basic concepts here. IP address blocks refer to the large chunks of IP addresses for organizing address space at a higher level. IP address ranges are smaller chunks of addresses that correspond to DHCP scopes. Individual IP addresses are the smallest units; they map to a single IP address range. The goal of all these is to allow a more structured way of managing and visualizing the overall address space.

Detailed IP address tracking and utilization data is available, since IPv4 and IPv6 address spaces are organized into IP address blocks, IP address ranges, and individual IP addresses. You may further organize IP address space into hierarchical, logical groups.

Monitor utilization of IP address space

A single IPAM server can support at most 6000 DHCP scopes and 150 DNS zones. Do remember, IP address utilization trends are IPv4 only. IPAM can automatically collect the dynamic address scopes together with their utilization statistics from the DHCP servers being managed. Through IPAM you can even create, duplicate, edit, or delete DHCP scopes directly without going through the DHCP console.

Migrate to IPAM

To be managed and monitored by IPAM, the security settings and firewall ports on a Windows server must be configured to allow the IPAM server to access it. This can be done manually or via GPOs.

Delegate IPAM administration

The IPAM setup creates several local security groups to isolate and restrict the relevant permissions. IPAM Users can view information in server discovery, address space configuration, and server management. They can also view IPAM and DHCP server operational events, but not the address tracking information. IPAM MSM Administrators can additionally perform common management tasks and server management tasks. IPAM ASM Administrators can additionally perform IP address space tasks. IPAM IP Audit Administrators can in particular view and track the important IP address tracking information. IPAM Administrators can do everything in IPAM.

Manage IPAM collections

IPAM has a number of scheduled data collection tasks. They are self-explanatory:
Address Expiry
Address Utilization
Audit
Server Availability
Server Configuration
Server Discovery
Service Monitoring
Keep in mind, the information kept in the IPAM database is regularly updated with inputs from these data collection tasks, although the database can also be manually modified by you, the administrator.


CHAPTER 5 CONFIGURE THE ACTIVE DIRECTORY INFRASTRUCTURE

5.1 CONFIGURE A FOREST OR A DOMAIN

Implement multi-domain and multi-forest Active Directory environments including interoperability with previous versions of Active Directory

When the first Windows Server 2012 based domain controller is introduced, the forest will operate by default at the lowest functional level that is possible, which is Windows Server 2003, so that you may take advantage of the default Active Directory features while accommodating older versions of Windows Server.
Windows Server 2012 requires at the least a Windows Server 2003 forest functional level. Before you can add domain controllers that run Windows Server 2012 to the forest, the existing forest functional level must be at least Windows Server 2003.

Upgrade existing domains and forests including environment preparation and functional levels

You need to install the Active Directory Domain Services (AD DS) role on a server to allow it to act as a domain controller. After this you need to promote the server to a domain controller. You do NOT use the dcpromo command anymore.
When you raise the forest functional level, newer advanced features can become available at the expense of compatibility. After you raise the domain functional level, domain controllers running earlier operating systems will not be able to participate in the domain anymore. Keep in mind, rollback or lowering of a level is highly difficult! Also, you cannot set the domain functional level to a value lower than the forest functional level.

Configure multiple user principal name (UPN) suffixes

You can use the AD Domains and Trusts UI to add new user principal name (UPN) suffixes. By default the UPN suffix for a user account is the DNS domain name that holds the user account. It is possible to add other UPN suffixes to simplify administration and user logons (technically you can provide one single UPN suffix for all users). Do remember, a UPN suffix is only useful in AD; it is not meant to be part of any formal DNS domain name.

5.2 CONFIGURE TRUSTS

Configure external, forest, shortcut, and realm trusts

The tools that you can use to create and manage trusts are Active Directory Domains and Trusts (i.e. Domain.msc) and Netdom.exe. Nltest is for testing your secure channels. Netdiag is for testing the network health. Dcdiag is for testing the domain controller health.
Communication between different domains has to take place through trusts, which are authentication pipelines. The necessary default trusts are created when you use the Active Directory Installation Wizard. You may also use the Netdom command-line tool to create new trusts by hand.
You want to create external trusts for providing access to resources located in a Windows NT 4.0 domain. You also want to make use of forest trusts to share resources between forests. Shortcut trusts are for improving user logon times between two different domains.
A realm trust is for establishing communication between a non-Windows Kerberos V5 realm and a Windows-based domain. Simply put, it provides cross-platform interoperability with security services running other Kerberos V5 versions.

Configure trust authentication

Kerberos is the default in Windows, so there are no prerequisites at all for implementing Kerberos-based authentication. You can set the various Kerberos security policy parameters via the Group Policy snap-in. Keep in mind, with Kerberos authentication transparent transitive trust is used among the domains inside a forest. It does not authenticate between domains in different forests, though. In order to use a resource in another forest, the user has to provide credentials for formally logging on to a domain in that particular forest.
The integrity of communications that take place along inter-forest trusts can be protected via SID filtering and selective authentication. The former can be used to stop a malicious user with admin credentials in a trusted forest from taking control over the trusting forest. The latter can restrict the quantity of authentication requests allowed to pass through an inter-forest trust.

Configure SID filtering

SID filtering may be set on all trusts. You want to know that SID history allows for legitimate uses; the security threat arises when it is used to exploit an unprotected trust: a malicious user who has admin credentials may manipulate the SID history attribute of a security principal in the trusted forest to gain full access to the trusting forest! SID filtering works by verifying the incoming authentication request made by a security principal in the trusted domain to make sure it contains only SIDs of security principals that originated from the trusted domain.
A SID filter quarantine is even stricter when applied to a trusted domain: only those SIDs from the trusted domain itself can traverse the trust relationship.
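The trust protections described in the two sections above (SID filtering, SID filter quarantine, selective authentication) are visible in the trustAttributes flags of each trust object. The following audit is an added example, not from the study guide; it decodes those flags with the bit values documented in MS-ADTS, and the domain names in the remediation comments are placeholders.

```powershell
# Added example (not from the study guide): list every trust of the current
# domain and flag those where SID filtering or selective authentication is off.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS); only the ones the report needs.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filter quarantine on (external trusts)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent/child, tree-root or shortcut trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history enabled

function Get-TrustSecurityReport {
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes, SelectiveAuthentication) {
        $attr   = [int]$t.TrustAttributes
        $issues = @()

        if ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
            # Intra-forest trusts are transitive by design; SID filtering does not apply.
            $kind = 'Intra-forest'
        } elseif ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
            $kind = 'Forest'
            # SID filtering is on for a forest trust unless SID history was enabled
            # with netdom trust ... /EnableSIDHistory:yes, which sets this flag.
            if ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                $issues += 'SID history accepted across the forest trust (sIDHistory from the trusted forest is honoured)'
            }
        } else {
            $kind = if ($t.TrustType -eq 'MIT') { 'Realm' } else { 'External' }
            # External trusts rely on the quarantine flag (netdom trust ... /quarantine:yes).
            if (-not ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
                $issues += 'SID filter quarantine is off'
            }
        }

        # Selective authentication restricts which resources trusted principals
        # may authenticate to; the default, domain/forest-wide, allows all of them.
        if ($kind -ne 'Intra-forest' -and -not $t.SelectiveAuthentication) {
            $issues += 'Domain/forest-wide authentication (selective authentication off)'
        }

        [pscustomobject]@{
            Trust     = $t.Name
            Kind      = $kind
            Direction = $t.Direction
            Issues    = $issues
        }
    }
}

# Remediation, run by a domain admin of the trusting domain (placeholder names):
#   netdom trust corp.example /domain:partner.example /quarantine:yes
#   netdom trust corp.example /domain:partner.example /EnableSIDHistory:no
Get-TrustSecurityReport | Format-Table -AutoSize
```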

Configure name suffix routing

Name suffix routing is for managing the way authentication requests are routed across forests joined by forest trusts. Whenever a forest trust is created, by default all the unique name suffixes are routed. A unique name suffix is not subordinate to any other name suffix. All names that are subordinate to a unique name suffix are implicitly routed. If you have a need to selectively exclude members of a child domain from authenticating in a pre-specified forest, you may consider disabling name suffix routing for the corresponding name. You may even disable routing entirely for the forest name itself!

5.3 CONFIGURE SITES

Configure sites and subnets

A site topology serves as a logical representation of the physical network. Designing a site topology involves planning for domain controller placement as well as designing site links and site link bridges to ensure efficient routing of query and replication traffic. You will also need to plan the creation of subnet objects for representing all IP addresses within a site.
Subnet objects can be created in AD via the AD Sites and Services UI. These objects serve as the logical representation of your physical subnets. You may pick a site object for the subnet object you create; in other words, a site is actually defined by the subnets applied to it. Note that all subnet names in AD take the form network/bits masked.
It makes sense for each physical location to be represented by a site. For every location with a site you need to plan to create site objects and associate subnets with these sites. You should also plan to create subnet objects that represent all IP addresses within the site. In the case that you have several networks connected with fast and reliable WAN links, you may include all of the subnets in one single site.

Create and configure site links

To connect your sites you need to use site links. You should first identify the sites that you want to connect with the site link, then create a site link object in the respective Inter-Site Transports container, and then give the site link a name before setting the site link properties. Each link object represents an actual WAN link, and you may assign cost values to different site links to favor certain connections over the others.

When measuring logon performance requirements over the WAN link, you should consider factors such as link speed and available bandwidth, number of users and patterns of use, and the estimated amount of network traffic. Having too many domain controllers in a location may push up support costs and produce excessive replication traffic.

Manage site coverage

Talking about Automatic Site Coverage: by default each domain controller will perform a check on all sites in the forest and then examine the replication cost matrix. A domain controller will try to advertise itself in sites that do not have a domain controller in them, such that every site can have a domain controller defined by default. Therefore, in theory the domain controllers published in DNS are those that come from the closest site (as judged by examining the replication topology). Automatic site coverage can calculate and determine the way in which a site covers another that has no domain controller in it. Do remember, site coverage is ALWAYS determined by site link costs (domain controllers will register themselves in sites accordingly).

Manage registration of SRV records

Windows-based domain controllers always register DNS records that indicate the site they belong to. Whenever DNS is used, a Locator will first search for a site-specific DNS record before looking for non-site-specific records. The IP/DNS-compatible Locator is used when the domain name is DNS-compatible. The Windows NT 4.0-compatible Locator is used if the domain name is a NetBIOS name.
A client computer may or may not be located physically in the site associated with its address. A domain controller will need to use site information to check the IP address of the client computer against a list of subnets of the same forest. Because the relevant Configuration container is replicated to all domain controllers, any domain controller in the same forest can identify the site where a client resides.
You need to know that during the registration of SRV records in DNS, it is the Site Coverage Algorithm that is used to determine which domain controllers can register site SRV records that designate them as the preferred domain controllers for sites that are not represented by any specific domain controller.

Move domain controllers between sites

Domain controller placement is important as it relies on site information to inform clients about the domain controllers that are present within the site closest to the clients. Generally you should place forest root domain controllers primarily in hub locations or at locations that host use-intensive datacenters. You should also consider placing regional domain controllers for each domain represented in each hub location.

5.4 MANAGE ACTIVE DIRECTORY AND SYSVOL REPLICATION

Configure replication to Read-Only Domain Controllers (RODCs)

A RODC (Read-Only DC) is simply an additional domain controller that hosts read-only partitions of the Active Directory database. It is primarily for use in a branch office with a poor WAN link. Since it can keep cached credentials, faster login can be made possible.
Note that a RODC can only replicate from a writable Windows Server domain controller. You may trigger replication to a RODC via repadmin /replicate or repadmin /syncall. Management of a RODC can be performed remotely via the Remote Server Administration Tools (RSAT) or the Windows Remote Shell (WinRS).

Configure Password Replication Policy (PRP) for RODCs

You may configure the Password Replication Policy (PRP) via the AD Users and Computers MMC snap-in or the repadmin command. You may also view the cached passwords on a RODC via these tools. Keep in mind, RODCs of the same domain in the same site cannot share cached credentials.
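The same PRP information can be reviewed with the ActiveDirectory module, which makes it easy to check that no privileged account has been cached on a branch RODC. This is an added example, not from the study guide; the RODC name is a placeholder.

```powershell
# Added example (not from the study guide): report a RODC's Password
# Replication Policy and the accounts it has actually cached, flagging
# any cached account that belongs to a high-value group.
Import-Module ActiveDirectory

function Get-RodcPrpReport {
    param([string]$Rodc = 'RODC01')   # placeholder RODC name

    # The PRP itself: who the RODC may cache secrets for, and who it must never cache.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

    # What has actually been cached (revealed) on this RODC so far.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

    # A privileged secret cached on a branch-office RODC is recoverable from a
    # stolen box, so flag revealed accounts that sit in high-value groups.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Select-Object -ExpandProperty DistinguishedName -Unique

    $risky = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }

    [pscustomobject]@{
        RODC               = $Rodc
        AllowedPrincipals  = @($allowed | ForEach-Object Name)
        DeniedPrincipals   = @($denied  | ForEach-Object Name)
        RevealedCount      = $revealed.Count
        PrivilegedRevealed = @($risky | ForEach-Object SamAccountName)
    }
}

# A cached secret is only invalidated by resetting that account's password;
# afterwards remove the group from the allowed list so it is not cached again:
#   Remove-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -AllowedList 'BranchUsers'
Get-RodcPrpReport | Format-List
```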

Monitor and manage replication

When you have multiple sites configured, inter-site replication will proceed via DEFAULTIPSITELINK, which uses a mesh topology that is reliable but relatively bandwidth demanding. You may control site link availability by setting a schedule for site links. Do remember, the time settings in the site link schedules conform only to the local time of the site. You also need to set the site link replication interval property to indicate how frequently you want replication to take place during the times when the schedule allows replication. A small interval can reduce latency at the expense of WAN traffic. Generally, low latency is preferred unless your WAN link is slow.

Upgrade SYSVOL replication to Distributed File System Replication (DFSR)

SYSVOL replication relies on the File Replication Service (FRS) or the Distributed File System Replication (DFSR) to replicate changes, and they both replicate according to the schedule created during site topology design.
The DFSR service is a newer and more efficient multi-master replication engine which uses RPC to replicate a folder scope defined by the replicated folder path. It caches configuration information stored in XML files. The possible configuration modes are WMI-based and Active Directory-based. It is said that DFSR is more secure due to the use of Active Directory security and WMI security.

CHAPTER 6 CONFIGURE IDENTITY AND ACCESS SOLUTIONS

6.1 IMPLEMENT ACTIVE DIRECTORY FEDERATION SERVICES 2.1 (AD FS v2.1)

Implement claims-based authentication including Relying Party Trusts

Active Directory Federation Services (AD FS) is the role that provides a Web-based single-sign-on mechanism for authenticating a user to multiple Web applications within a single session. Its Web Agent is a role service that creates an AD FS-enabled Web server. An AD FS-enabled Web server can authenticate and authorize federated access to locally hosted Web applications.
A federation server authenticates and routes requests from user accounts outside of the internal network. A federation server proxy provides intermediary proxy services between an Internet client and a federation server behind the firewall. A federation partner is trusted by the Federation Service to provide security tokens to its users. A resource partner is a federation partner that trusts the Federation Service to issue claims-based security tokens. A resource federation server refers to the federation server that resides in the resource partner organization.
You may set up federation trust relationships between two partner organizations. Do realize that federation trusts do not involve any direct communication over the network between the account Federation Service and the resource Federation Service.

Configure Claims Provider Trust rules

Claims are statements used primarily for authorizing access to claims-based applications, while a claim type provides context for the claim value. A claim rule represents an instance of business logic that takes incoming claims, applies conditions to these claims and accordingly produces outgoing claims. Through AD FS you define the claims that are to be exchanged between federated partners.
You may add a new claims provider trust via the AD FS Management snap-in. With this wizard there are options to use the WS-Federation Passive protocol and the SAML 2.0 WebSSO protocol. Alternatively you may use the AD FS Management snap-in to automatically import configuration data from the federation metadata that your partner has published.

Configure attribute stores including Active Directory Lightweight Directory Services (AD LDS)

An organization may host an AD FS-secured application in a perimeter network that maintains a separate store of customer accounts in the perimeter network. This arrangement allows you to more easily isolate customer accounts and employee accounts. You can accordingly manage the local accounts for customers in the perimeter network via AD DS or AD Lightweight Directory Services as the account store. Note that AD LDS is LDAP-based; it offers flexible support for directory-enabled applications. You can run it on member servers or even standalone server computers. AD LDS has its own server role. However, it can run concurrently with AD DS in the same network.

Manage AD FS certificates

A federation server must possess at least a server authentication certificate and a token-signing certificate before it is allowed to take part in AD FS communications. The trust policy will also require a verification certificate, which is in fact the public key portion of the token-signing certificate.
The server authentication certificate is SSL-based; you use it to secure web services traffic with your clients and proxy. It may be installed via the IIS snap-in. The token-signing certificate is for signing all the security tokens the server produces. The verification certificate is for verifying that a security token was in fact issued by a valid federation server. It is in fact the token-signing certificate of another federation server. On the other hand, a server that runs the Federation Service Proxy role service needs to have an SSL client authentication certificate and also a server authentication certificate.
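On an AD FS 2.1 federation server the certificates just described can be inventoried with the ADFS PowerShell module, and the public half of the token-signing certificate (the partner's verification certificate) exported without the private key. This is an added example, not from the study guide; the output path is a placeholder.

```powershell
# Added example (not from the study guide): list the service-communications,
# token-signing and token-decrypting certificates with their expiry status,
# and export the primary token-signing certificate's public portion for partners.
Import-Module ADFS   # installed with the AD FS role on Windows Server 2012

function Get-AdfsCertificateReport {
    param([int]$WarnDays = 30)
    foreach ($c in Get-AdfsCertificate) {
        $cert     = $c.Certificate                          # X509Certificate2
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $status   = 'OK'
        if ($daysLeft -le 0)              { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'RENEW SOON' }
        [pscustomobject]@{
            Type       = $c.CertificateType   # Service-Communications, Token-Signing, Token-Decrypting
            IsPrimary  = $c.IsPrimary
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

function Export-AdfsVerificationCertificate {
    param([string]$Path = (Join-Path $env:TEMP 'adfs-token-signing.cer'))   # placeholder path
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    # Export only the public portion (DER .cer); the private key stays on the federation server.
    [System.IO.File]::WriteAllBytes($Path, $primary.Certificate.Export('Cert'))
    $Path
}

# With automatic rollover on, AD FS generates a new self-signed token-signing
# certificate before expiry and partners must pick up the new metadata.
"AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"
Get-AdfsCertificateReport | Format-Table -AutoSize
Export-AdfsVerificationCertificate
```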

Configure AD FS proxy

An account federation server is the server located in the corporate network of your partner organization. It is the server that issues security tokens to users. On the other hand, an account federation server proxy is located in the perimeter network of the partner organization. It can collect authentication credentials from web browser clients that log on over the Internet.
Using a federation server proxy can provide an additional security layer to your AD FS deployment since it isolates AD FS from the outside world. When you place a federation server proxy in the perimeter network of the account partner, it collects user credential information. If you place it in the perimeter network of your resource partner, it relays security token requests to the resource federation server and accordingly produces the necessary organizational security tokens. You may create it via the AD FS Federation Server Proxy Configuration Wizard GUI or Fsconfig.exe.

Integrate with cloud services

You want to know that AD FS 2.0 supports Security Assertion Markup Language (SAML) 2.0, which is essential in providing interoperability with cloud services. It is also known that you may use DirSync and AD FS to synchronize your local AD users with the cloud-based Office 365 and then configure AD FS to implement single sign-on accordingly.

6.2 INSTALL AND CONFIGURE ACTIVE DIRECTORY CERTIFICATE SERVICES (AD CS)

Install an Enterprise Certificate Authority (CA)

A Certificate Authority (CA) generates and validates digital certificates. It typically adds its own signature to the public key of the client so as to indicate that the public key is valid if you trust this CA. From Server Manager you need to use the Add Roles Wizard to add Active Directory Certificate Services by hand.
You need to determine the type of CA you prefer. A standalone CA does not require the use of AD. If you choose to use an Enterprise CA, it means the CA is AD-integrated, so all the manual tasks become automatic UNLESS you are serving people who do not belong to AD.

Enterprise CAs can only issue certificates to members of the AD forest. Certificate templates that define the format and content of the certificates can only be used with enterprise CAs.

Configure CRL distribution points

When outstanding certificates issued by this CA are revoked, a Certificate Revocation List (CRL) should be published to reflect the change. You use the Certification Authority MMC snap-in to add or change CRL distribution points, which are paths represented as attributes on an issued certificate. You can also fine-tune the relationship between a full CRL and a delta CRL (which holds a list of all the certificates revoked since the last time a full CRL was made) by specifying an overlap period between them. This overlap period specifies the amount of time at the end of a CRL's lifetime that a certificate client may still use for obtaining a new CRL before the old one stops working.

Install and configure Online Responder

The Online Responder service may be used to implement the Online Certificate Status Protocol (OCSP). This service works by decoding revocation status requests for specific certificates and performing the evaluation accordingly. In fact you may use it as an alternative to or an extension of CRLs for providing certificate revocation data to your clients.
Keep in mind, for an OCSP responder to function correctly there must be a valid Response Signing certificate (even if you are not using a Microsoft OCSP responder). In addition to configuring the certificate templates and issuance properties for the OCSP Response Signing certificates (which may be done via the Certificate Templates snap-in), the location of the OCSP responder must be added to the authority information access extension on the CA. And you must enable the OCSP Response Signing certificate template for this CA.

Implement administrative role separation

Administrator Role Separation (ARS) can be configured for a user who is not a domain admin. The goal is to allow some local admin tasks to be delegated.

Configure CA backup and recovery

You should back up the certification authority database, the CA certificate, and the CA keys on a regular basis, giving consideration to the number of certificates issued. The more certificates you issue, the more frequently the CA should be backed up. When you log in as a CA administrator or a member of the Backup Operators group you can back up a CA via the Certification Authority snap-in. From its Action menu there is a task known as Back Up CA. On the other hand, there is an action known as Restore CA for calling up the Certification Authority Restore Wizard.

6.3 MANAGE CERTIFICATES

Manage certificate templates

Certificate templates have different versions. Since Windows Server 2008 there are new version 3 certificate templates, updated to support new features, encryption and hash algorithms. There are template property options in the Certificate Templates MMC snap-in. The Kerberos Authentication template serves a different purpose: to issue certificates to domain controllers, which in turn present the certificates to client computers during authentication. To create a new template, the best thing to do is to duplicate an existing template and use its properties as the defaults for yours.

Implement and manage certificate deployment, validation, and revocation

Keep in mind, if you are using an Enterprise CA, your certificate templates will be stored in AD.
As previously said, certificate templates have different versions. If you upgrade a CA, you may also need to update the AD schema to support the new certificate template attributes. You may as well upgrade the certificate templates to include the new attributes. You may do so before or after upgrading your CAs to Windows Server 2012.
When configuring new templates there is an option known as Do not store certificates and requests in the CA database. With it, your CA will process certificate requests without adding records to the CA database (so as to save workload and space). On the other hand, the Do not include revocation information in issued certificates option can be used to exclude revocation information from the issued certificates (so as to cut down validation time).
The Enterprise PKI MMC snap-in is a monitoring tool. You need to manually add it (under Active Directory Certificate Services). With it you can view the CA status information. The status may be OK, Warning, Error, or Unable to download.
You may use certificate trust policy to make the necessary certificate path validation settings (so as to facilitate automatic certificate management). With these settings you may manage:
Trusted Root Certificates.
Trusted Publishers.
Network Retrieval and Path Validation.
Revocation Checking Policy.

Manage certificate renewal

When configuring enrollment, you should not assign permissions to domain local groups, since assigning permissions to local groups may result in inconsistency in the application of permissions. If you want to use autoenrollment (which may be configured to work as a background task that requires no user input at all), the user or computer must belong to domain groups with Read, Enroll, and Autoenroll permissions. To enable enrollment via the Certificates snap-in, Web-based enrollment or automatic renewal, make sure the Read and Enroll permissions are properly assigned. For certificate renewal in particular, the Read and Enroll permissions must be present.

Manage certificate enrollment and renewal to computers and users using Group Policies

As previously said, proper permissions are necessary for renewal and enrollment. You may use group policies to assign these permissions as needed.

Configure and manage key archival and recovery

Enterprise CAs have a key recovery agent certificate template with a default configuration that grants permissions to the Domain Admins/Enterprise Admins so they may enroll for key recovery agent certificates. You may also add a key recovery agent certificate template via the Certification Authority MMC snap-in. This UI can also be used to configure key recovery. Remember, key recovery may be performed on a CA only for those certificates issued by that same CA. If there are multiple issuing CAs you will need to configure each CA one by one.
A typical key recovery process involves a number of steps. First you need to identify the archived keys for recovery via Certutil.exe -getkey. Then you need to retrieve the archived keys from the CA database (you may do so using the certificate's serial number). Then you need to decrypt the archived keys via both Certutil.exe -recoverkey and the key recovery agent certificate (you need to have Certificate Management privileges). Once decrypted, store it in a password-protected file and have it transferred to the user who needs it. The user needs to import the certificate and the corresponding recovered keys via Certutil.exe -importPFX into his personal certificate store in order to use it.
You must understand that key recovery agent keys are high-value data assets that must be protected against compromise and loss. A private key must be made available for use prior to archival for as long as the data encrypted with that key is still needed. Auditing of the key recovery events should also be considered (which can also be done via the Certification Authority snap-in).
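The key recovery procedure above, scripted for the key recovery agent's workstation. This is an added example, not from the study guide; the CA configuration string, serial number and paths are placeholders, and the KRA's own certificate and private key are assumed to be in the operator's personal store.

```powershell
# Added example (not from the study guide): run the certutil steps of the key
# recovery process for one archived key. Certificate Manager rights on the CA
# and the KRA certificate (with private key) in the user's store are required.
function Invoke-ArchivedKeyRecovery {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,                  # the user's certificate serial, from the CA database
        [string]$CAConfig = 'ca01.corp.example\Corp-Issuing-CA',     # placeholder CA config string (host\CA name)
        [string]$WorkDir  = (Join-Path $env:TEMP 'keyrecovery')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $blob = Join-Path $WorkDir "$SerialNumber.bin"   # archived key, still encrypted to the KRA
    $pfx  = Join-Path $WorkDir "$SerialNumber.pfx"   # decrypted key, password-protected for the user

    # Step 1: pull the archived (encrypted) key blob out of the CA database by serial number.
    certutil -config $CAConfig -getkey $SerialNumber $blob
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed with exit code $LASTEXITCODE" }

    # Step 2: decrypt the blob with the KRA certificate into a PFX. certutil prompts
    # for the PFX password; deliver it to the user separately from the file.
    certutil -recoverkey $blob $pfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed with exit code $LASTEXITCODE" }

    # The encrypted blob has served its purpose once the PFX exists.
    Remove-Item $blob -Force
    $pfx
}

# Step 3 is performed by the end user on their own workstation, importing the
# certificate and recovered key into the personal (user) store:
#   certutil -user -importPFX C:\path\to\<serial>.pfx
Invoke-ArchivedKeyRecovery -SerialNumber '1a2b3c4d'   # placeholder serial number
```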

6.4 INSTALL AND CONFIGURE ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES (AD RMS)

Install a licensing or certificate AD RMS server

Active Directory Rights Management Services (AD RMS) is for safeguarding digital information and preventing unauthorized use. You should install AD RMS as a server role via Server Manager. The first RMS server is the root cluster in the case of load balancing. You should be a member of the Enterprise Admins group to perform the necessary cluster configuration tasks.

Manage AD RMS Service Connection Point (SCP)

The AD RMS Service Connection Point (SCP) is an AD object. This object holds the web address of your AD RMS certification cluster. All AD RMS-enabled applications will rely on this SCP for discovering the AD RMS service. In other words, it serves as the first connection point for discovering the AD RMS web services. You can have only one single SCP in AD. To add a new SCP the existing one must first be removed.

Manage AD RMS client deployment

There is an AD RMS client included in the default installation of Vista, Windows Server 2008 and later versions. To properly consume rights-protected content the client must add the AD RMS URL to the Local Intranet security zone of the browser.
You may use the Rights Protected Folder Explorer to work with Rights Protected Folders. You can use it to securely store or send files to authorized users. Also, with it you can control which users will be able to access those files.

Manage Trusted User Domains

You need to know that in the world of AD RMS every single entity is represented by a certificate. The AD RMS server cluster is represented by a Server Licensor Certificate (SLC). Client computers have a Security Processor Certificate (SPC). Users are identified by a Rights Account Certificate (RAC) when being authenticated by the RMS server. By default, AD RMS will not process requests from those with RACs issued by another AD RMS cluster UNLESS you add those AD RMS domains to a list of trusted user domains.

Manage Trusted Publishing Domains

The RAC is always used by the server for encrypting licenses being sent to the user. There is also a certificate known as the Client Licensor Certificate (CLC), which is obtained during client activation. Publishing Licenses (PL) are certificates that express rights over a document. You can have a PL stamped into a protected document and encrypted with the SLC's public key, plus signed with the user's CLC. Similarly, you may add trust policies (trusted publishing domain, TPD) so that AD RMS can handle licensing requests for content rights-protected by another AD RMS cluster.

Manage Federated Identity support

Technically speaking, rights can be assigned to users who have a federated trust with AD FS. This allows you to share access to those rights-protected contents with another organization without setting up a separate Active Directory trust. Federated identity support is a feature you can use to allow users to make use of credentials established by a federated trust relationship through AD FS for obtaining a RAC. Do note that when RACs are issued through a federated identity, the standard rights account certificate validity period will be based on those specified in the Federated Identity Support setting.

Manage RMS templates

Rights policy templates in AD RMS are for controlling the rights that a user or group has on a particular rights-protected content item. By default, AD RMS stores rights policy templates in the configuration database and also keeps a copy of all rights policy templates in a shared folder. There is a rights policy template creation wizard you can use for template creation. There is also a rights policy template distribution pipeline that can guide you through the template distribution process.

Configure Exclusion Policies

You may use exclusion policies to disallow certain entities from acquiring certificates and making license requests. This can be done on the basis of user, application, and lockbox version. Use licenses that are created for that entity by servers of the AD RMS cluster will keep a record in the exclusion list. To enable exclusion, from within the AD RMS console you need to find and turn on the Exclusion Policies option Enable Application Exclusion. To set up exclusion, you may use the Exclude User Account wizard or the Exclude Application wizard. To set up lockbox exclusion you will need to turn on the Enable Lockbox Exclusion option separately.
