7/21/2019 Microsoft 70-411 Study Guide
Microsoft 70-411: Administering Windows Server 2012
ABOUT THE EXAM
The Microsoft 70-411 exam is part two of a series of three exams that test the skills and knowledge necessary to administer a Windows Server 2012 infrastructure in an enterprise environment. Passing this exam validates a candidate's ability to administer the tasks required to maintain a Windows Server 2012 infrastructure, such as user and group management, network access, and data security. Passing this exam along with the other two exams confirms that a candidate has the skills and knowledge necessary for implementing, managing, maintaining, and provisioning services and infrastructure in a Windows Server 2012 environment.
Six major topics make up the Microsoft 70-411 certification. The topics are as follows:
Deploy, Manage, and Maintain Servers
Configure File and Print Services
Configure Network Services and Access
Configure a Network Policy Server Infrastructure
Configure and Manage Active Directory
Configure and Manage Group Policy
This guide will walk you through all the skills measured by the exam, as published by Microsoft.
OBJECTIVES
CHAPTER 1: DEPLOY, MANAGE, AND MAINTAIN SERVERS
1.1 Deploy and manage server images
1.2 Implement patch management
1.3 Monitor servers
CHAPTER 2: CONFIGURE FILE AND PRINT SERVICES
2.1 Configure Distributed File System (DFS)
2.2 Configure File Server Resource Manager (FSRM)
2.3 Configure file and disk encryption
2.4 Configure advanced audit policies
CHAPTER 3: CONFIGURE NETWORK SERVICES AND ACCESS
3.1 Configure DNS zones
3.2 Configure DNS records
3.3 Configure VPN and routing
3.4 Configure DirectAccess
CHAPTER 4: CONFIGURE A NETWORK POLICY SERVER INFRASTRUCTURE
4.1 Configure Network Policy Server (NPS)
4.2 Configure NPS policies
4.3 Configure Network Access Protection (NAP)
CHAPTER 5: CONFIGURE AND MANAGE ACTIVE DIRECTORY
5.1 Configure service authentication
5.2 Configure Domain Controllers
5.3 Maintain Active Directory
5.4 Configure account policies
CHAPTER 1 DEPLOY, MANAGE, AND MAINTAIN SERVERS
1.1 DEPLOY AND MANAGE SERVER IMAGES
Install the Windows Deployment Services (WDS) role
Windows Deployment Services (WDS) is used to facilitate OS deployment. The WDS role is the updated and redesigned version of Remote Installation Services (RIS). Through it you may deploy Windows operating systems over a network.
To use WDS, an existing server must be configured as the Deployment Server and the Transport Server. These must be members of, or join, a domain that has DHCP and DNS running and properly configured.
Configure and manage boot, install, and discover images
At least one boot image and one install image must be created and made available in order to boot to the WDS server and subsequently install from an image. Note that the client computer must be capable of performing a PXE boot and meet the minimum hardware requirements for the operating system of the install image. The client must have a minimum of 512 MB of RAM.
Update images with patches, hotfixes, and drivers
OCSetup is a command-line tool used for applying updates to an online Windows image. This allows installation of *.msi files via MSIExec.exe. It can also install and remove Component-Based Servicing (CBS) packages online by passing them to DISM.
In order to install the system MSI packages via OCSetup, they must first be staged. Additionally, the paths to the packages must be specified in an answer file. Staging an installer file involves placing it in the location specified in the CustomSetup registry key.
If the installation package requires a custom installer, it must first be registered. This is accomplished by adding the name of the package to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\
Install features for offline images
Oscdimg is used to create an image in the *.iso format for customized Windows PE. You use Expand.exe to decompress the update files. Intlcfg.exe is used to change the language and locale, fonts, input settings, etc., for a given installation.
Through the Deployment Image Servicing and Management (DISM) tool you can build and deploy offline Windows images. It is a scriptable command-line utility used to mount/unmount system images as well as update operating system components.
For DISM to work properly, the Windows image must be local. If the answer file for an image is named unattend.xml, only the settings specified in the offlineServicing configuration pass can be applied.
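As an added example that is not part of the study guide, the following PowerShell script walks through the offline servicing cycle DISM is used for: mount a local WIM, add an update package, verify it, and commit (or discard on failure). The image, mount and package paths are assumptions.

```powershell
# Added example (not from the study guide): apply an update package to an
# offline Windows image with DISM and commit only if every step succeeded.
# All paths below are assumptions; the package name is a placeholder.
$ImageFile   = 'D:\Images\install.wim'            # assumed WIM to service (must be local)
$MountDir    = 'D:\Mount'                          # assumed empty mount folder
$PackagePath = 'D:\Updates\example-update.msu'     # assumed update package (placeholder)
$LogFile     = 'D:\Logs\dism-servicing.log'

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

# 1. List the images inside the WIM so the correct index is serviced.
dism.exe /Get-ImageInfo "/ImageFile:$ImageFile"

# 2. Mount index 1 read/write.
dism.exe /Mount-Image "/ImageFile:$ImageFile" /Index:1 "/MountDir:$MountDir" "/LogPath:$LogFile"
if ($LASTEXITCODE -ne 0) { throw "Mount failed, see $LogFile" }

try {
    # 3. Add the update package to the offline image.
    dism.exe "/Image:$MountDir" /Add-Package "/PackagePath:$PackagePath" "/LogPath:$LogFile"
    if ($LASTEXITCODE -ne 0) { throw "Add-Package failed, see $LogFile" }

    # 4. Confirm the package is now part of the image before committing.
    dism.exe "/Image:$MountDir" /Get-Packages /Format:Table

    # 5. Commit the change and unmount.
    dism.exe /Unmount-Image "/MountDir:$MountDir" /Commit "/LogPath:$LogFile"
}
catch {
    # On any failure discard the changes so a half-serviced image is never committed.
    Write-Warning $_
    dism.exe /Unmount-Image "/MountDir:$MountDir" /Discard "/LogPath:$LogFile"
}
```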
1.2 IMPLEMENT PATCH MANAGEMENT
Install and configure the Windows Server Update Services (WSUS) role
Windows Server Update Services (WSUS) is a server role configured via the WSUS Configuration Wizard.
For proper operation, ensure the server's firewall allows client access to the server so that updates can be retrieved. The server itself must be able to connect to the upstream server if it is designated to download updates from elsewhere. If there is a proxy server, its name and user credentials must be known and provided when prompted.
Configure group policies for updates
The WSUS Setup program can configure IIS to automatically distribute the latest version of Automatic Updates to clients that contact WSUS. This can also be done via a domain-based GPO to configure updates. Without AD DS, only the Local Group Policy Editor can be used to configure Automatic Updates.
Note that the Default Domain or Default Domain Controller GPOs should not be altered for configuring WSUS settings. Also, prior to setting any Group Policy options for WSUS, the latest administrative template should be applied to the computer used to manage Group Policy. The administrative template that contains the relevant WSUS settings is called Wuau.adm. The following Automatic Updates options can be made available to the clients:
Notify for download and notify for install.
Auto download and notify for install.
Auto download and schedule the install.
Allow local admin to choose setting.
Configure client-side targeting
When computers are assigned to computer groups you have two options to choose from: server-side targeting and client-side targeting. The former involves adding each computer to its group manually. The latter involves automatically assigning the computers via Group Policy or registry settings.
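As an added example that is not part of the study guide, this PowerShell script writes the registry values behind the Windows Update policy settings so that a client uses an intranet WSUS server and reports its own target group (client-side targeting). The WSUS URL and the group name are assumptions.

```powershell
# Added example (not from the study guide): configure a client for WSUS with
# client-side targeting via the policy registry keys that the Windows Update
# Group Policy settings write. Server URL and group name are assumptions.
$WsusServer  = 'http://wsus.example.internal:8530'   # assumed WSUS URL (HTTP port 8530)
$TargetGroup = 'Pilot-Servers'                       # assumed WSUS computer group name

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'
foreach ($k in $PolicyKey, $AuKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Intranet update server and statistics (reporting) server.
Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $WsusServer -Type String
Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $WsusServer -Type String
# Client-side targeting: the client tells WSUS which group it belongs to.
Set-ItemProperty -Path $PolicyKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name TargetGroup        -Value $TargetGroup -Type String
# Use the intranet server; AUOptions 4 = auto download and schedule the install.
Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 1 -Type DWord
Set-ItemProperty -Path $AuKey -Name AUOptions   -Value 4 -Type DWord

# Verify what was written, then make the client re-register and check in with WSUS.
Get-ItemProperty -Path $PolicyKey | Select-Object WUServer, TargetGroupEnabled, TargetGroup
wuauclt.exe /resetauthorization /detectnow
```

On a domain member these values are normally delivered by the GPO described above and any GPO setting overrides what is written here; writing them directly is for workgroup machines or lab testing.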
Configure WSUS synchronization
WSUS must first be synchronized before attempting to migrate content. Note that by default WSUS is configured to use Microsoft Update to retrieve updates. Synchronization means the WSUS server contacts Microsoft Update to determine if new updates have been made ready for download since the last time synchronization was performed. This can be done via the WSUS console.
Configure WSUS groups
WSUS allows you to target updates to specific groups of client computers. By default, each client-side targeted computer is assigned to the All Computers group. Server-side targeted computers are assigned to the Unassigned Computers group unless manually added elsewhere. Remember, computers can be assigned to groups by either server-side targeting or client-side targeting (manual or automatic).
1.3 MONITOR SERVERS
Configure Data Collector Sets (DCS)
The Data Collector Set is an XML object that works by grouping data collectors into reusable elements to fit into different performance monitoring scenarios. The default Data Collector Set templates can collect performance data immediately without the need for complicated configuration. Additional counters can be added to the various log files. These can be scheduled to start, stop, and define the duration of the collection as needed. To create a Data Collector Set a given user must be logged on as a member of the Local Administrators or Performance Log Users group.
Configure alerts
Alerts can be configured to give notice when particular events take place or predefined performance thresholds are reached. Alerts can be sent as messages or logged as events in the Application event log. To configure an alert, start the Create New Data Collector Set Wizard and choose the Create Manually option. On the subsequent What Type of Data Do You Want to Include page, select the desired Performance Counter Alert option.
Monitor real-time performance
Resource Monitor is a tool that provides real-time information regarding CPU, disk, network, and memory usage. It is very useful for identifying files that are causing process lockups. In order to use Resource Monitor, the user must be a member of the Local Administrators group or have an equivalent privilege level. Constantly high utilization in a particular area indicates further investigation may be necessary.
Monitor virtual machines (VMs)
Resource metering can track system resource usage for a single VM or for a group of VMs. By default it is not enabled, but you can enable it via Enable-VMResourceMetering. Resource metering statistics are collected once every hour by default, but the interval can be changed via Set-VMHost with the -ResourceMeteringSaveInterval option. To display the measurement data, simply use Measure-VM.
Monitor events; configure event subscriptions
It is possible to collect copies of events from multiple remote computers. To precisely specify the remote events to collect, create an event subscription. However, before a subscription can be used to collect events on a remote computer, both the collector and the source computer must be properly configured.
In a workgroup-only environment, only Normal mode (pull subscriptions) can be used. A Windows Firewall exception for Remote Event Log Management must be created on the source computer. An account with admin privileges, or one added to the Event Log Readers group, is also required on the source machine.
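As an added example that is not part of the study guide, the following PowerShell commands prepare a source computer and a collector for a collector-initiated (pull) subscription in a domain, using the collector's computer account for access; the host names, domain names and event IDs chosen are assumptions.

```powershell
# Added example (not from the study guide): set up a domain event subscription.
# Host names, domain names and the events selected are assumptions.
$Collector = 'LOGCOLLECTOR'               # assumed collector host name
$Domain    = 'CORP'                       # assumed NetBIOS domain name
$DnsDomain = 'corp.example.internal'      # assumed DNS domain name
$Source    = 'FILESRV01'                  # assumed source host name
$SourceFqdn = "$Source.$DnsDomain"

# --- On each SOURCE computer --------------------------------------------------
# WinRM listener through which the collector pulls events.
winrm.cmd quickconfig -q
# Firewall exception the guide mentions (Remote Event Log Management rule group).
netsh.exe advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
# Let the collector's computer account read the Security log without admin rights.
net.exe localgroup "Event Log Readers" "$Domain\$Collector`$" /add

# --- On the COLLECTOR -----------------------------------------------------------
# Start the Windows Event Collector service and apply its default configuration.
wecutil.exe qc /q:true

# Pull (Normal mode) subscription for logon, failed logon and lockout events,
# delivered to the collector's ForwardedEvents log.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon and lockout events from member servers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4740)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>$SourceFqdn</Address></EventSource>
  </EventSources>
</Subscription>
"@
$XmlPath = Join-Path $env:TEMP 'SecurityLogons.xml'
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8

wecutil.exe cs $XmlPath           # create the subscription from the XML file
wecutil.exe gr SecurityLogons     # runtime status per source: confirm it shows Active
```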
Configure network monitoring
Network Monitor 3.4 is a protocol analyzer utility that can capture and view network traffic. This tool is available for x86, ia64 and x64. It requires at least 1 GB RAM and 60 MB free hard disk space.
A network trace can also be performed without using a protocol analyzer. This can be done by starting a trace via the command line using the command netsh trace start capture=yes. To stop the trace, enter the command netsh trace stop. This will create a *.etl file, which can then be converted to XML format for further analysis.
CHAPTER 2 CONFIGURE FILE AND PRINT SERVICES
2.1 CONFIGURE DISTRIBUTED FILE SYSTEM (DFS)
Install and configure DFS namespaces
DFS Namespaces allows grouping of shared folders that are located on different servers into one or more logically structured namespaces. When you create a namespace you may choose to use either a stand-alone namespace or a domain-based namespace. If you go ahead with a domain-based namespace, you must choose a namespace mode, which is Windows Server version dependent. You should pick a stand-alone namespace only if you do not use AD DS, or if you want to create a single namespace that has over 5000 DFS folders in a domain.
If you want to use the Windows Server 2008 mode, the forest must be at the Windows Server 2003 or higher forest functional level, and the domain must be at the Windows Server 2008 or higher domain functional level. All namespace servers must be at least Windows Server 2008.
You may use the Set-DfsnRoot -GrantAdminAccounts and Set-DfsnRoot -RevokeAdminAccounts Windows PowerShell cmdlet options to delegate administration of the DFS namespace, as long as the users belong to the local admin group of the namespace server.
Configure DFS Replication Targets
DFS Replication allows you to keep folders synchronized between servers across very slow and weak network connections. You use DFS Replication to keep folder contents in sync. To replicate folder targets you need to use DFS Management to invoke the Replicate Folder Wizard.
Technically speaking, a folder target is simply the UNC path of a shared folder. You may add multiple folder targets to increase folder availability. You may add a folder target via DFS Management or the New-DfsnFolderTarget cmdlet.
Configure Replication Scheduling
The Distributed File System Replication (DFSR) service can replicate changes according to the schedule created during site topology design. It has an efficient multi-master replication engine which uses RPC for replicating a folder scope. The possible configuration modes for this service are WMI-based and Active Directory-based.
You may edit the replication schedule or bandwidth via the Set-DfsrConnectionSchedule cmdlet and the Set-DfsrGroupSchedule cmdlet. You may also force replication via the Sync-DfsReplicationGroup cmdlet. To immediately suspend replication, use Suspend-DfsReplicationGroup.
Configure Remote Differential Compression settings
Remote Differential Compression (RDC) is a feature with APIs for determining and detecting if a set of files have changed. There are functions to detect insertions, removals, and rearrangements of data in files. The goal is to allow an application to replicate only the changed parts of a file. To install RDC, use Servermanagercmd -install Rdc.
Configure staging; configure fault tolerance
DFS Replication makes use of staging folders for each replicated folder as caches for the new and changed files that are ready to be replicated. By default the cached files are saved in the local path of the replicated folder. This folder resides in the DfsrPrivate\Staging folder. The quota size of each staging folder is 4096 MB. On the other hand, each Conflict and Deleted folder occupies 660 MB. DFS Replication may create multiple staging and Conflict and Deleted folders, each maintaining its very own quota. Do keep in mind, you can change their sizes. In fact, if you have a staging folder quota configured to be way too small, additional CPU and disk resources will be necessary for regenerating the staged files.
2.2 CONFIGURE FILE SERVER RESOURCE MANAGER (FSRM)
Install the FSRM role
In a pre-2012 R2 setup, you may rely on the File Server Resource Manager (FSRM) to control and manage the quantity and type of data being stored on a server. This role can be added via the Server Manager. In fact, when you install FSRM you can also configure Storage Usage Monitoring (you select disk volumes for monitoring and specify a volume usage threshold for report generation) and the Report Options page (this is where you pick a save location for usage reports or have reports sent to you by email; you will be asked to specify recipient email addresses as well as the SMTP server to use).
Configure quotas
To create a quota, you need to choose a quota path, which is a volume or folder with a storage limit applied. Then you may use a template to create a single quota that limits space usage on an entire volume or folder, or an auto apply quota which allows quotas to be automatically generated and applied to subfolders. A quota template has a space limit, quota type (hard vs. soft) and notifications defined. You may use the Dirquota.exe tool to define and manage quotas, auto apply quotas and quota templates.
Configure file screens
File Screening Management allows you to create file screens for controlling the types of files that users can save and use. File screening templates can be applied to new volumes or folders, while file screening exceptions are for use with file screening rules. Active screening disallows users from saving unauthorized files, while passive screening would only send configured notifications but does not stop anything. A file group defines a namespace for a file screen. It has a set of file name patterns grouped as either Files to include or Files to exclude. You may use the Filescrn.exe tool to create and manage file screens, templates, exceptions and file groups.
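As an added example that is not part of the study guide, this PowerShell script builds the objects described above with the FSRM module instead of Filescrn.exe: a file group of patterns, an active screen with an event-log notification, and an exception folder. The share path, group name and pattern list are assumptions.

```powershell
# Added example (not from the study guide): active file screen that stops
# executable files being written to a user share and logs each attempt.
# Share path, file group name and patterns are assumptions.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Users'   # assumed path of the user home share

# A file group is the set of patterns a screen matches on (Files to include).
if (-not (Get-FsrmFileGroup -Name 'Blocked Executables' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Blocked Executables' `
        -IncludePattern @('*.exe', '*.com', '*.scr', '*.bat', '*.cmd', '*.vbs') `
        -ExcludePattern @() | Out-Null
}

# Notification action: write a warning event so operators see blocked attempts.
# [Source Io Owner], [Source File Path] and [File Screen Path] are FSRM message variables.
$LogAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path] under [File Screen Path]'

# Active screening blocks the write; leaving out -Active makes it passive (notify only).
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Blocked Executables' `
    -Active -Notification $LogAction -Description 'Block executables in home folders'

# Exceptions are separate objects: allow the same patterns in one scripts folder.
New-FsrmFileScreenException -Path (Join-Path $SharePath 'Scripts') -IncludeGroup 'Blocked Executables'

# Review what is now enforced on the share.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```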
Configure reports
Storage Reports Management allows you to schedule periodic storage reports, monitor attempts to save unauthorized files, and generate storage reports accordingly. If you want to generate a set of reports based on a regular schedule, you should schedule a report task. In any case you may use storrept.exe to further configure report parameters and produce storage reports on demand (which means Generate Reports Now).
2.3 CONFIGURE FILE AND DISK ENCRYPTION
Configure BitLocker encryption
BitLocker is a disk encryption tool with features for protecting against unauthorized access to local drive data. It supports fixed data drives when the drive is formatted with exFAT, FAT16, FAT32, or NTFS and there is 64 MB of available disk space. To allow the drive to be unlocked automatically, the OS drive itself must be protected by BitLocker.
Configure the Network Unlock feature
Network Unlock provides automatic unlock of volumes upon system reboot at the time it is connected to a wired network. For this feature to work the client hardware must have a DHCP driver working from within its UEFI firmware. Simply put, with this feature enabled the volumes protected by TPM+PIN protectors will not require the input of a PIN when the machine reboots.
Configure BitLocker policies
BitLocker Group Policy settings are in either the Local Group Policy Editor or the GPMC (you can find them under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption). Most settings are applied at the time BitLocker is initially turned on for a drive. Note that you can have policy settings applied to:
all BitLocker-protected drives.
drives on the local computer on which the OS is installed.
drives permanently installed on the local computer.
removable data drives.
Configure the EFS recovery agent
You should ensure that the private key for the data recovery agent is not always kept online, for the sake of security. To be precise, the data recovery agent's key should be kept offline (as a .pfx file) at all times unless it is needed for use by a recovery process.
You may add data recovery agents to the EFS policy. However, it has no effect on the existing encrypted files. Any user who can decrypt an EFS file can add other users' public keys to it. Also, you cannot assign keys from a group of users; each user's public key has to be accessed on an individual basis.
Manage EFS and BitLocker certificates including backup and restore
By default the data recovery agent is contained in the personal certificate store of the administrator account of the first domain controller. However, on standalone/workgroup machines it would be contained in the personal certificate store of the local administrator.
Encrypting File System (EFS) certificates allow the certificate holder to encrypt and decrypt data. Ordinary EFS users should be granted this type of certificate. File Recovery certificates are for recovering encrypted files. Domain admins and/or designated data recovery agents should be granted this type of certificate instead. In any case you should use the Certificates MMC snap-in to back up the default recovery keys.
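As an added example that is not part of the study guide, and covering both the recovery agent and the backup passages above, this PowerShell script generates a data recovery agent certificate with cipher.exe, keeps its .pfx on an offline location as the guide recommends, and backs up the current user's own EFS certificate and key. The offline folder and file names are assumptions.

```powershell
# Added example (not from the study guide): create an EFS data recovery agent
# (DRA) certificate, keep the private key offline, and back up a user's EFS key.
# Folder and file names are assumptions.
$OfflineStore = 'E:\EFS-Recovery'                 # assumed removable/offline location
$DraBase      = Join-Path $OfflineStore 'CorpEfsDra'

New-Item -ItemType Directory -Path $OfflineStore -Force | Out-Null

# cipher /r writes CorpEfsDra.cer (public certificate, goes into the EFS policy)
# and CorpEfsDra.pfx (private key, protected by the password cipher prompts for).
cipher.exe "/r:$DraBase"
if ($LASTEXITCODE -ne 0) { throw 'cipher /r failed' }

# The .cer is what you add as a data recovery agent under
# Computer Configuration\Windows Settings\Security Settings\Public Key Policies\
# Encrypting File System in the GPO; the .pfx stays offline until a recovery is needed.
Get-ChildItem -Path $OfflineStore -Filter 'CorpEfsDra.*' | Select-Object Name, Length

# Back up the current user's EFS certificate and private key to <name>.pfx
# (cipher /x prompts for a password to protect the file).
$UserBackup = Join-Path $OfflineStore "$env:USERNAME-efs-backup"
cipher.exe /x $UserBackup

# Check who can read the DRA private key file: only the recovery operators should.
(Get-Acl -Path "$DraBase.pfx").Access | Select-Object IdentityReference, FileSystemRights
```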
2.4 CONFIGURE ADVANCED AUDIT POLICIES
Implement auditing using Group Policy and AuditPol.exe
You may implement audit policy using a GPO. You need to first specify the categories of events that are to be audited (it is the event categories that constitute your audit policy). You then specify the size and behavior of the Security log.
Basic audit policy is never compatible with the advanced audit policy settings applied via Group Policy. When the advanced audit policy settings are applied through Group Policy, the current computer's local audit policy settings are cleared.
At the command line, you use auditpol /get to show the current audit policy. You use auditpol /set to set the audit policy. You use auditpol /clear to clear a policy. You use auditpol /backup to save the policy to a file, or use /restore to restore the policy from the backup file.
Create expression-based audit policies
Expression-based audit policy allows the use of complex logic for filtering auditing to specific criteria. In particular you can specify the use of the boolean AND and OR operators. You may further group together criteria to make script-like complex expressions.
Create removable device audit policies
You may want to monitor attempts to use removable storage devices for accessing network resources. Under Advanced Audit Policy Configuration, Object Access, there is an item known as Audit Removable Storage. Once enabled, from the Event Viewer Security log you should see event 4663 for successful attempts and event 4656 for failure attempts.
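As an added example that is not part of the study guide, and serving both the AuditPol.exe passage and the removable storage passage above, this PowerShell script backs up the audit policy, enables the Removable Storage subcategory, and then parses the resulting 4663/4656 Security events into fields an analyst can review. The backup path is an assumption.

```powershell
# Added example (not from the study guide): enable removable storage auditing
# with auditpol and review the resulting events. The backup path is an assumption.
$BackupFile = 'C:\Audit\auditpol-before.csv'
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null

# 1. Save the existing policy so it can be put back with: auditpol /restore /file:<file>
auditpol.exe /backup "/file:$BackupFile"

# 2. Show the subcategory's current state, then enable success and failure auditing.
auditpol.exe /get /subcategory:"Removable Storage"
auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable

# 3. Pull the events the guide names (4663 access attempted, 4656 handle requested)
#    from the Security log, keeping only those in the Removable Storage task category.
function Get-RemovableStorageEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object {
            # The event XML carries named EventData fields; extract the useful ones.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Access  = $d['AccessMask']
                Process = $d['ProcessName']
            }
        }
}

Get-RemovableStorageEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```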
CHAPTER 3 CONFIGURE NETWORK SERVICES AND ACCESS
3.1 CONFIGURE DNS ZONES
Configure primary and secondary zones
You use the New Zone Wizard to create the zones. In particular you need to have a primary zone for your domain. Other zones can also be created through it. You want to create a secondary zone for load sharing and fault tolerance. Only primary zones can be stored in AD. A secondary zone is simply a secondary source for information of a zone. It must be obtained from a remote DNS server and can be stored in a text file only. Because AD implements a multi-master replication model, secondary zones become quite unnecessary.
Configure stub zones
With a stub zone the DNS server serves as a source only for information about the authoritative name servers for the zone, which must also be obtained from a remote DNS server. You can use stub zones to keep delegated zone information current, to enable a DNS server to perform recursion via the stub zone's list of name servers without querying somewhere else, and to simplify administration.
Configure conditional forwards
You may have your DNS server designated as a forwarder. You can use the DNS Manager or the dnscmd command with the /ResetForwarders option to configure this. DNS Manager also has a section for configuring the so-called conditional forwarder.
Configure zone and conditional forward storage in Active Directory
You can specify that the DNS server only uses forwarders and does not attempt any further recursion if the forwarders fail by checking the Do not use recursion for this domain check box. You can also disable recursion for the DNS server so that it will never perform recursion on any query. By doing so you will not be able to use forwarders on the same server anymore. Keep in mind, you are not allowed to use a domain name in a conditional forwarder if this DNS server is hosting a primary zone, secondary zone, or stub zone for that domain name.
Configure zone delegation
You use the New Delegation Wizard to add a new delegated domain. Zone delegation works like "dividing" your DNS namespace. You do this to distribute traffic loads among multiple servers and improve DNS name resolution performance/resiliency. You also do this to extend the namespace to accommodate the opening of a new branch office or remote site.
Configure zone transfer settings
You use the DNS Manager to perform zone transfer. You should allow zone transfers only for DNS servers in the NS resource records for a zone or for the specified DNS servers and nothing else. In the command line you use dnscmd. /NonSecure means transfer can be made to any server. /SecureNs means transfers can be made only to those listed in the zone's NS resource records. /SecureList means to a specific server only.
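As an added example that is not part of the study guide, the following PowerShell commands apply the zone transfer restrictions just described, first with dnscmd and then with the equivalent DnsServer module cmdlet, and read the setting back. The zone name and secondary server addresses are assumptions.

```powershell
# Added example (not from the study guide): restrict zone transfers on a primary
# zone and verify. Zone name and secondary addresses are assumptions.
$Zone        = 'corp.example.internal'          # assumed zone
$Secondaries = @('10.10.0.12', '10.10.0.13')    # assumed secondary DNS servers

# dnscmd on the local server ("."): each call replaces the previous transfer setting.
# /SecureNs limits transfers to the servers in the zone's NS records.
dnscmd.exe . /ZoneResetSecondaries $Zone /SecureNs
# /SecureList limits transfers to the explicit addresses that follow.
dnscmd.exe . /ZoneResetSecondaries $Zone /SecureList $Secondaries

# The same two settings through the DnsServer PowerShell module.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToZoneNameServer
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries

# Send DNS Notify only to the listed secondaries.
Set-DnsServerPrimaryZone -Name $Zone -Notify NotifyServers -NotifyServers $Secondaries

# Verify: TransferAnyServer here would let any host copy the whole zone.
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify
dnscmd.exe . /ZoneInfo $Zone
```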
Configure notify settings
DNS Notify means the master server for a zone would first notify some secondary servers in that zone of changes. Those secondary servers then check to determine whether they should initiate a zone transfer. This is done to improve consistency of zone data among the secondary servers.
3.2 CONFIGURE DNS RECORDS
Create and configure DNS Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
With a DNS zone ready you can right-click on it and add records as necessary. Except for important servers that use static addresses, records should not need to be manually created. When Active Directory is configured, the Wizard will automatically configure DNS on a new domain controller and will create resource records necessary for the proper operation of the DNS server.
Configure zone scavenging
Both aging and scavenging are for performing cleanup and removal of stale resource records so they don't accumulate in zone data. The DNS Manager UI can be used to configure these. Or, if you use dnscmd, /Aging is for enabling aging for zones, while /RefreshInterval is for specifying the refresh interval for a scavenging-enabled zone. /ScavengingInterval is for fine-tuning the scavenging interval.
Configure record options including Time To Live (TTL) and weight
Time to Live (TTL) is used by name servers for determining the length of time a name can be cached. By default the TTL is 60 minutes. You can modify the TTL values via the DNS Manager UI. On the client side, registry editing would become necessary (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters).
It is also possible to cut down the workload on the PDC emulator operations master by adjusting the weight for DNS service SRV resource records by editing the registry under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The valid value is between 0 and 65535, with a default of 100. A higher value always indicates a lower priority.
Configure round robin
Round Robin Load Balancing is primarily for DNS service. You have a built-in round robin feature of the BIND DNS server which works by cycling through the IP addresses corresponding to a server group. Hardware load balancers, in contrast, are dedicated for routing TCP/IP packets to various servers in a cluster.
From inside the DNS Manager there is a Server options section which provides you with the Enable round robin check box. dnscmd also has a /RoundRobin option. 1 means on while 0 means off.
Configure secure dynamic updates
DNSSEC includes extensions for hardening the DNS infrastructure as specified in several IETF RFC standards, including 4033, 4034 and 4035. With it, there are several new types of record, which are DNSKEY, RRSIG, DS, and NSEC/NSEC3. Dynamic DNS updates can be enabled for DNSSEC-signed zones as long as Active Directory is there, and the scavenging stale record option can be used for purging old DNSSEC records. For the setup to work, a primary server must be in place to serve key management and key generation service to the network environment.
3.3 CONFIGURE VPN AND ROUTING
Install and configure the Remote Access role
The Routing and Remote Access Server has three sub-roles, which are Remote Desktop Services Connection Broker; Licensing; and Virtualization. You do not configure any of these server roles during server installation. Instead, you add roles through the Server Manager Dashboard upon setup completion.
Implement Network Address Translation (NAT)
Through RRAS it is possible to implement Network Address Translation (NAT). Since NAT already includes addressing and name resolution features that provide DHCP and DNS services to clients, you are advised not to run the DHCP service or DHCP Relay Agent with NAT addressing enabled. You should also NOT run the DNS service unless NAT TCP/IP networking name resolution is currently disabled.
Configure VPN settings
The Set up a new connection or network link can be used for starting up the Set Up a Connection or Network wizard, which is a helpful UI to all of the network connection types you can create. The first option is for configuring internet connectivity, while the second is for setting up a VPN. VPN can be through either the internet or via direct dial-up (through a phone line).
Configure remote dial-in settings for users
When RRAS has been added via the Server Manager, you may invoke the Routing and Remote Access Server Setup Wizard via the Routing and Remote Access snap-in. From there you may click Configure and Enable Routing and Remote Access. In the Remote Access page you may enable dial-up support for end users. You may set up an IPv4 remote access server or an IPv6 remote access server. Both IPv4 Forwarding and IPv6 Forwarding are supported.
Configure routing
To allow RRAS to be operated as an IPv4 router, you should also enable and configure RIP. You can do so by first clicking on IPv4 General and then clicking on the Action menu.
For IPv4, RIP Version 2 for Internet Protocol is the most popular choice. You may add it, then right-click RIP and choose New Interface. You will need to pick the interface that is connected to a subnet on which the remote router is connected so your interface can communicate using RIP. You can also right-click on RIP and choose Show neighbors to find out about the routing partners on the network. Static routes can be manually added by right-clicking on the Static Routes item.
3.4 CONFIGURE DIRECTACCESS
Implement server requirements
You need to install the DirectAccess and VPN role and the corresponding role services. In fact we would recommend that you also install routing.
After role installation you may call up the wizard for further configuration. Your server must be a member of a domain or configuration will fail.
A complete DirectAccess solution for mobile access would require a DirectAccess server running Windows Server 2012 with dual network adapters. You need one facing the internet and another facing the intranet. The former needs to have two consecutive public IPv4 addresses assigned. There must also be a domain controller and DNS server running Windows Server 2012, as well as a public key infrastructure issuing computer certificates.
Implement client configuration
DirectAccess aims to allow connectivity to the corporate network without the need for using traditional VPN connections. It supports domain-joined Windows 7 Enterprise and Ultimate edition clients as well as Windows 8 clients. Earlier clients, however, are not supported.
Configure DNS for DirectAccess
Split-brain DNS refers to the use of the same DNS domain for both Internet and intranet resources. For this kind of setup to work, you need to list the FQDNs that are duplicated on the Internet and intranet. You can then accordingly decide which resources your DirectAccess client may reach. In a non-split-brain setup the Internet namespace is not the same as the intranet namespace, so you would not need to make such a decision.
If you are using ISATAP for IPv6 connectivity to support your DirectAccess clients, you had better use DNS servers that run Windows Server 2008 R2 or later, since their DNS Server service can support the processing of DNS traffic on the ISATAP interfaces. If your IPv6-capable non-Windows-based DNS servers do not support DNS dynamic update for IPv6 addresses, you will need to manually add AAAA records for your servers.
The DirectAccess Setup Wizard allows you to configure local name resolution behavior. The possible options are: Use local name resolution only if the internal network DNS servers determined that the name does not exist; Use local name resolution if the internal network DNS servers determined that the name does not exist or if the internal network DNS servers are not reachable and the DirectAccess client computer is on a private network; and Use local name resolution if there is any type of error when attempting to resolve the name using internal network DNS servers. The first option is the most secure.
Configure certificates for DirectAccess
There should be one certificate per client and one per DirectAccess server. You may use certutil to display information on the digital certificates that have been installed on a DirectAccess client, DirectAccess server, or any other intranet resources.
CHAPTER 4 CONFIGURE A NETWORK POLICY SERVER INFRASTRUCTURE
4.1 CONFIGURE NETWORK POLICY SERVER (NPS)
Configure multiple RADIUS server infrastructures
A RADIUS server group refers to a group of multiple RADIUS servers. The setup allows network access requests to be load balanced dynamically by a RADIUS proxy. Do note that each RADIUS server group represents one uniquely distinct set of remote access policies. You may in fact have separate RADIUS server groups defined for separate forests or untrusted domains, while allowing the connection request policies to stay at the RADIUS proxy.
Configure RADIUS clients
When NPS is used as a RADIUS server or proxy, the corresponding network access servers are called RADIUS clients. Types of clients may include Windows-based network access servers that provide remote access connectivity, wireless APs, switches and RADIUS proxies that forward connection requests.
NPS sends and receives RADIUS traffic via UDP ports 1812, 1813, 1645, and 1646. Windows Firewall on the NPS server will allow this RADIUS traffic to get through by default. Should you change these ports by hand, Windows Firewall must be modified accordingly.
Manage RADIUS templates
The template type known as RADIUS Clients is for configuring RADIUS client settings that can be reused through selecting the template in the proper location of the NPS console. Remote RADIUS Servers is another template type which can help you configure the various remote RADIUS server settings.
Configure RADIUS accounting
From inside the NPS console you can invoke the Accounting Configuration wizard, which provides these accounting settings:
SQL logging only: you need to configure a data link to a SQL Server for this to work.
Text logging only: this is simple as it simply logs accounting data to a text file.
Parallel logging: you log both to SQL Server and to a text file.
SQL logging with backup: you log first to SQL, and use a text file as backup if SQL fails.
Configure certificates
For client authentication to take place a digital certificate must be installed on the RADIUS server for providing authentication, encryption, and validation. This can be done via the Certificate Console.
4.2CONFIGURENPSPOLICIES
Configureconnectionrequestpolicies
Networkpolicies refer to conditions, constraints, and settings thatdesignatewho is authorized to connect to the
networkandtherevelantcircumstances.Youmayviewyournetworkpoliciesasruleswithconditionsandsettings.
NPSwill
compare
the
conditions
of
the
rule
to
the
properties
of
the
connection
requests.
ConnectionrequestpoliciesaretheconditionsandsettingsthatallowyoutoindicatetheRADIUSserversthatperform
the authentication and authorization of connection requests. If you use NPS as the RADIUS server, the default
connection requestpolicywillbe theonlyconfiguredpolicy.However, ifNPS servesasaproxyonly,NPSwillnot
processanyconnectionrequestslocally.
ConfigurenetworkpoliciesforVPNclients(multilinkandbandwidthallocation,IPfilters,encryption,
IPaddressing)
Youcanconfiguretheseparametersintheclientsidenetworkpolicies:
MultilinkandBandwidthAllocationProtocolBAPdealswithusingmultipledialupconnectionsfromonecomputer.
IPFiltersareforcreatingIPv4andIPv6filtersforcontrollingtheIPtrafficthattheclientscansendorreceive.
Encryptionisforspecifyingtheencryptionlevelrequired.
IPSettingsareforspecifyingtheclientIPaddressassignmentrulesthatareforuseinthenetworkpolicy.
IdleTimeoutisforspecifyingthemaxtimeinminutesthatthenetworkaccessservercanstayidlebeforecutting
offtheconnection.
SessionTimeoutisforspecifyingthemaxtimeinminutesthatausermaystayconnected.
Manage NPS templates
You can use NPS templates to configure NPS on servers. There are many templates available, which include:
Shared Secrets
RADIUS Clients
Remote RADIUS Servers
IP Filters
Health Policies
Remediation Server Groups
To create a template, you need to use the NPS Console (you simply right-click on a template type and click New). To use a template, from within the RADIUS client properties you choose the option known as Select an existing Shared Secrets template.
Import and export NPS policies
You may export NPS configuration and policies via Netsh (you need to use netsh nps export) or Windows PowerShell (via Export-NpsConfiguration). With the latter, an XML file will be created for import later. Do realize that the exported NPS server configuration is never encrypted in the XML file, so you must be careful in protecting it.
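An added example (not from the study guide) of exporting the NPS configuration and then protecting the clear-text XML: the backup path, the hash log name and the use of Get-FileHash (PowerShell 4.0 and later) are assumptions.

```powershell
# Added example, not from the study guide: export the NPS configuration and
# lock down the resulting file, which carries RADIUS shared secrets in clear text.
# D:\NpsBackup and the exports.sha256 log are assumed names.
Import-Module NPS

$backupDir = 'D:\NpsBackup'                      # assumed: a volume only admins can read
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$xmlPath   = Join-Path $backupDir "nps-config-$stamp.xml"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Export-NpsConfiguration writes the whole server configuration, RADIUS
# client shared secrets included, to XML with no encryption at all.
Export-NpsConfiguration -Path $xmlPath

# The netsh equivalent must be told explicitly to include the secrets;
# without exportPSK=YES the file cannot be used for a full restore:
#   netsh nps export filename="$xmlPath" exportPSK=YES

# Replace the inherited ACL with one that only SYSTEM and Administrators can read.
$acl = Get-Acl -Path $xmlPath
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting and drop inherited ACEs
foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $xmlPath -AclObject $acl

# Record a hash so a tampered export is noticed before it is imported elsewhere.
$hash = (Get-FileHash -Path $xmlPath -Algorithm SHA256).Hash
"$stamp  $hash  $xmlPath" | Add-Content -Path (Join-Path $backupDir 'exports.sha256')

# On the target server, verify the hash first; the import replaces that server's
# entire NPS configuration:
#   Import-NpsConfiguration -Path $xmlPath
```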
4.3 CONFIGURE NETWORK ACCESS PROTECTION (NAP)
Configure System Health Validators (SHVs)
When you need NPS to be configured to block certain clients or traffic (in other words, to perform validation), the steps involved are:
Creating a System Health Validator (SHV) (you can do so via the Network Policy snap-in).
Creating a health policy for the compliant clients and also the noncompliant clients.
Creating a network policy for the compliant clients and also the noncompliant clients.
Configure health policies
You use the NAP Client Configuration console to configure NAP user interface settings, NAP enforcement client settings, as well as Health Registration Authority (HRA) settings on the client computers. If you configure NAP client settings via Group Policy, the settings will be automatically configured when the Group Policy is refreshed.
Configure NAP enforcement using DHCP and VPN
NAP has different enforcement mechanisms. The DHCP enforcement mechanism makes use of the DHCP server as its gatekeeper. Clients that connect to your network will request an IP address from DHCP. This is when the NAP-enabled DHCP server will perform enforcement: the client must give a correct response in order to receive an IP address with full network access. VPN enforcement is similar: a VPN server can enforce health policy when a client attempts to connect via a VPN connection.
Configure isolation and remediation of noncompliant computers using DHCP and VPN
Noncompliant client computers are those that fail to meet your NAP health requirements. Strictly speaking, only NAP client computers are either compliant or noncompliant. A NAP remediation server is for providing services to the noncompliant clients. In fact, the number and type of remediation servers to be made available determines the level of access restriction for the noncompliant clients. Without help from a remediation server the noncompliant computers will fail to perform properly in the network. For the sake of security you may even have the noncompliant computers further isolated in a separate remediation network.
With VPN enforcement, you may want to place your remediation servers on either the corporate network or a perimeter network. Limited access to corporate resources may be made available via IP packet filters applied to the VPN connection. With DHCP enforcement, your remediation servers may be placed inside the corporate network, but access is limited to the DHCP NAP enforcement server and any other remediation servers that you explicitly allow.
Configure NAP client settings
If you want to use NAP to enforce health policies on the client computers, you will have to first configure NAP settings on them. You may do so via the NAP Client Configuration console (NAPCLCFG.MSC) or the Netsh nap client command line (you may also use the NAP client configuration settings from within the GPMC). The client components compile health status statements on client computers for analysis by the server. The NAP enforcement client enforces network access restrictions. Generally, you should make use of the NAP Client Configuration through Group Policy in AD when there are a lot of client computers to manage.
CHAPTER 5 CONFIGURE AND MANAGE ACTIVE DIRECTORY
5.1 CONFIGURE SERVICE AUTHENTICATION
Create and configure Service Accounts
A service account is a user account, just that it is created for providing a security context for services. You may create and manage service accounts individually via Active Directory Users and Computers.
On a computer not joined to a domain, you may configure an application to run as Local Service, Network Service, or Local System. The problem with these accounts is that they are shared among many services and there is no way to have them managed at the domain level. If you use a domain account instead of a local one, you can isolate its privileges, just that you must manually manage the passwords.
Create and configure Group Managed Service Accounts
When a group Managed Service Account (gMSA) is used as the service principal, Windows will manage the password for the account. A gMSA is like a Managed Service Account (MSA) but with functionality extended across multiple servers. With it you can tie a group of servers to one single service account, which is particularly useful for a multi-instance server cluster.
Do note that this is a feature that requires a Windows Server 2012 R2 Domain Controller with the Active Directory PowerShell Module imported into it.
Create and configure Managed Service Accounts
A managed service account (MSA) allows services to have isolation of their own domain accounts and at the same time avoids the need for manually administering the account credentials. The goal is to create a class of domain accounts for managing and maintaining services on the local computers. The client computer must be running at least Windows Server 2008 R2 or Windows 7 to enjoy the feature. The domain must be at least Windows Server 2008 R2, or you will need to prepare the schema using adprep /forestprep and adprep /domainprep respectively. In any case, an MSA can only be used on one domain server.
Configure Kerberos delegation
Constrained delegation is a feature of Kerberos V5. It allows a service to obtain service tickets using the delegated user's identity. These service tickets allow access to only a restricted list of services running on specific servers. You may accordingly limit the network resources that a service trusted for delegation may reach.
Unconstrained delegation is slightly different: it is supported only when a user initially renders credentials for obtaining a ticket-granting ticket that can be forwarded to any service trusted for delegation.
Manage Service Principal Names (SPNs)
A service principal name (SPN) is associated with the security principal, which is either a user or a group. It is used to support mutual authentication between the client application and the service. An SPN can be associated with only one account, but an account can have more than one SPN. It may be formed either using information that a client learned about a service, or as supplied by Active Directory.
You don't normally need to create an SPN by hand. A client can and should create the SPN for a service. It is a must-have. When a client uses Kerberos to authenticate itself, it will request a session ticket for the SPN. With certificate-based authentication, this SPN will have to be validated against the certificate of the server.
An SPN is formed like this: service_class/host_name:port. Note that Windows provides many built-in service classes but you can also define your own. The host name is the name of the computer host. By registering the SPN in Active Directory the SPN is mapped to the Windows account under which the specified service is running.
Automatic SPN management can make your life much easier. When a Windows Server that belongs to a gMSA changes its host name, the corresponding SPN will be automatically updated as well. Still, you can use Setspn.exe to manually register, edit and verify SPNs.
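The gMSA creation described in "Create and configure Group Managed Service Accounts" together with the Setspn.exe checks from this section, as an added example that is not part of the study guide. The domain corp.example, the group, the host names WEB01/WEB02 and the HTTP SPN are assumptions.

```powershell
# Added example, not from the study guide: create a gMSA bound to a group of
# hosts, register its SPN, and verify the SPN is unique. All names are assumed.
Import-Module ActiveDirectory

# 1. A KDS root key must exist once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately is for a lab; in production wait the documented
    # 10 hours for the key to replicate before creating accounts against it.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Only members of this group may retrieve the managed password from AD.
$hostGroup = 'gMSA-Web-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the svc-web gMSA password'
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. Create the gMSA with its SPN registered up front; AD rotates the
#    password every 30 days and the hosts pick it up automatically.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames 'HTTP/web.corp.example' `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# 4. An SPN may map to one account only; a duplicate breaks Kerberos for that
#    service, so report forest-wide collisions and list what the gMSA holds.
setspn -X
setspn -L 'svc-web$'

# 5. On each member server, after a reboot so the new group membership is in
#    the computer's token:
#   Install-ADServiceAccount -Identity 'svc-web'
#   Test-ADServiceAccount -Identity 'svc-web'   # True when the host can fetch the password
```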
5.2 CONFIGURE DOMAIN CONTROLLERS
Configure Universal Group Membership Caching (UGMC)
Universal group membership caching (UGMC) is a feature which can locally cache a user's membership in universal groups on the domain controller authenticating the user. It is mostly useful for deployment in a branch office without a global catalog due to concern about WAN traffic. Since UGMC is site-specific, you may enable it via Active Directory Sites And Services (under NTDS Site Settings).
Transfer and seize operations masters
You use Ntdsutil.exe to transfer and seize operations master roles. The tool will first try to make a transfer from the current role owner. It will go ahead and seize the role if the current role owner is unavailable. You may view the current operations master role holders via the roles option of Ntdsutil. To actually seize a role, at the fsmo maintenance prompt you use the seize command.
Install and configure a read-only domain controller (RODC)
A Read-Only DC (RODC) is an additional domain controller that hosts read-only partitions of the Active Directory database. It is mostly for use in a branch office with a poor WAN link. It can keep cached credentials so that faster login becomes possible. However, the first domain controller in a forest must NOT be an RODC. Unless you have a mix of different Windows Server versions running as domain controllers, you should not need to run adprep /rodcprep before installing an RODC.
Configure Domain Controller cloning
Cloning virtualized domain controllers makes things easy when deploying multiple domain controllers. As long as both the source and target servers are running the Hyper-V server role, cloning is possible without the need to use sysprep and the like. You may use the Active Directory Administrative Center (ADAC) UI to locate the virtualized domain controller object and accordingly grant permissions to be cloned. Then you run the Get-ADDCCloningExcludedApplicationList cmdlet to identify programs or services that are not really clonable. And then you run New-ADDCCloneConfigFile to produce the necessary configuration file (which is DCCloneConfig.xml) for facilitating the export and import of VMs. Normally the clone domain controller will be placed in the same site as the source unless there is a different site explicitly specified in DCCloneConfig.xml.
5.3 MAINTAIN ACTIVE DIRECTORY
Backup Active Directory and SYSVOL
It is the system volume (SYSVOL) on the domain controller that provides a default Active Directory location for files being shared for access throughout a domain. The SYSVOL folder has a bunch of NETLOGON shared folders, user logon scripts for earlier Windows clients, file system junctions and FRS staging directories and files. On the other hand, AD itself has the Ntds.dit file which is the AD database, the Edb.chk checkpoint file, the Edb*.log transaction log files, as well as the Res1.log and Res2.log files. They are all considered as system state data.
A good backup should include at least the system state together with the contents of the system disk. You must back up at least 2 domain controllers in each domain, with one being an operations master role holder excluding the RID master. Do note that you cannot use a backup from one domain controller to restore another one. Also note that a backup older than the tombstone lifetime set in AD should not be considered as a good backup. At least 2 backups should be made within the tombstone lifetime (keep in mind, the default value for the tombstone lifetime is 60 days).
Manage Active Directory offline
You use net stop ntds to stop AD locally. This cannot be done via any GUI. If you start the system and press F8 to enter the Directory Services Restore Mode, you are also working offline (you need to log on locally as a local admin).
Optimize an Active Directory database
Active Directory (AD) can automatically perform online defragmentation of the database at the default interval of every 12 hours during Garbage Collection. Online defragmentation can optimize the database without reducing its size. It can reclaim space in the directory for new objects though. In fact, the process will create a new and compacted version of Ntds.dit.
Another option is to defrag the database offline, which is a more thorough defrag also capable of compacting the database. Before attempting offline defragmentation, you are strongly recommended to make a full system state backup of the domain controller. Do make sure there is enough free space on the drive. When you perform offline defragmentation Windows is not going to change the original Active Directory database. Instead it will produce a defragmented copy. This is why the process needs to use a large amount of free space on the drive as the workspace plus space for storing the copy (which should be at least 115% of the original size).
As said before, you use net stop ntds to stop AD locally. From within ntdsutil you need to use activate instance ntds and then files to reach the file maintenance prompt, then start the defrag process via compact to. When done you need to quit ntdsutil entirely and manually copy the new database to the original directory database location.
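The offline compaction sequence above carried through as a script, added here as an example that is not part of the study guide. It assumes a fresh system state backup already exists, the default database path C:\Windows\NTDS, D:\NtdsCompact as the scratch location, and the success strings that ntdsutil prints; run it from an elevated PowerShell session on the domain controller.

```powershell
# Added example, not from the study guide: offline defragmentation of Ntds.dit.
# Paths are assumed; the 115% free-space rule and the ntdsutil command
# sequence are the ones the section above describes.
$dbDir   = 'C:\Windows\NTDS'
$dbPath  = Join-Path $dbDir 'ntds.dit'
$workDir = 'D:\NtdsCompact'

# Space check: the compacted copy needs room on top of the working set.
$dbSize = (Get-Item -Path $dbPath).Length
$free   = (Get-PSDrive -Name $workDir.Substring(0, 1)).Free
if ($free -lt [int64]($dbSize * 1.15)) {
    throw ('Need at least {0:N0} MB free on {1}' -f ($dbSize * 1.15 / 1MB), $workDir)
}
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Take AD DS offline (same effect as net stop ntds); dependent services stop too.
Stop-Service -Name NTDS -Force

# ntdsutil accepts its interactive commands as arguments, one per prompt level.
$out = ntdsutil "activate instance ntds" files "compact to $workDir" quit quit 2>&1 | Out-String
if ($out -notmatch 'Operation completed successfully') {
    Start-Service -Name NTDS
    throw "Compaction failed; original database untouched:`n$out"
}

# Swap in the compacted file but keep the original until it is verified, and
# remove the transaction logs so stale log records are not replayed into it.
Rename-Item -Path $dbPath -NewName 'ntds.dit.precompact'
Copy-Item -Path (Join-Path $workDir 'ntds.dit') -Destination $dbPath
Remove-Item -Path (Join-Path $dbDir '*.log')

# Integrity check runs against the database now at the instance path.
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1 | Out-String
if ($check -notmatch 'Integrity check successful') {
    Remove-Item -Path $dbPath
    Rename-Item -Path (Join-Path $dbDir 'ntds.dit.precompact') -NewName 'ntds.dit'
    Start-Service -Name NTDS
    throw "Integrity check failed; original database restored:`n$check"
}
Start-Service -Name NTDS
Remove-Item -Path (Join-Path $dbDir 'ntds.dit.precompact')
```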
Cleanup metadata
Metadata cleanup is a process you need to perform on a domain controller after AD DS removal. The process primarily removes those data items that identify a domain controller to the AD DS replication system as well as all FRS/DFS Replication connections. The process will also try to transfer or seize any remaining operations master roles.
You use Active Directory Users and Computers or Active Directory Sites and Services to delete a domain controller permanently. You may also use ntdsutil's metadata cleanup command to clean up the metadata.
Configure Active Directory snapshots
A snapshot is in fact a shadow copy of the volumes that contain the Active Directory database. With it you can view the data inside it without the need to run the server in Directory Services Restore Mode. Do note that it does not let you copy items from inside the snapshot to the live database, unless you manually export the objects out of it. You can use ntdsutil under the elevated command prompt to create a snapshot. You reach the snapshot: prompt via the snapshot command and then use create to create the snapshot. You may view the available snapshots via list all. And you may mount one via mount.
Perform object- and container-level recovery
With an authoritative restore you return a deleted object or container to its pre-deletion state at the time it was backed up. There are usually 2 parts to such a restore process. First there is a nonauthoritative restore from backup, then there is an authoritative restore of the deleted objects. You need to do this before allowing replication to occur.
To perform an authoritative restore, you need to use the authoritative restore subcommand of Ntdsutil or Dsdbutil (which is available if you have the AD LDS server role in place). You need to first stop the AD DS service or the AD LDS service, and you must set the active instance accordingly.
Since Windows Server 2012 there is the Active Directory recycle bin facility which allows you to restore Active Directory user objects natively, as long as your forest has the Windows Server 2008 R2 functional level or beyond. The process does take time to complete since replication is necessary.
Perform Active Directory restore
As said before, if you start the system and press F8 to enter the Directory Services Restore Mode, you are also working offline. You will need to log on locally as a local admin. A nonauthoritative restore means you have a domain controller restored from backup media, then allow the restored data to be updated through normal replication. This process usually requires that you take the domain controller offline.
After going offline, you may invoke the Restore Wizard to restore the System State data. You click Start > Run, then type in Ntbackup to invoke the Backup tool. From the Tools menu you click Restore Wizard to call up the wizard.
5.4 CONFIGURE ACCOUNT POLICIES
Configure domain user password policy
Password policies are for domain accounts or local accounts; they determine a number of settings for passwords, such as:
Enforcing password history
Enforcing maximum password age
Enforcing minimum password age
Enforcing minimum password length
Enforcing password complexity requirements
Storing passwords using reversible encryption
At the domain level the best thing to do for applying password policies is to use Group Policy. The tool to use is Active Directory Users and Computers. A PSO is another solution you can use. We will talk about this in the next section.
Configure and apply Password Settings Objects (PSOs)
Note that since Windows Server 2008 you can use fine-grained password policies to specify multiple password policies for different groups of users within a single domain. There are two object classes in Active Directory that deal with these. They are the Password Settings Container and the Password Settings Object (PSO). You can create a PSO using ADSI Edit, or you can use the New-ADFineGrainedPasswordPolicy cmdlet to achieve the same.
Delegate password settings management
You may delegate password management to someone else. From within Active Directory Users and Computers you call up the Delegation of Control Wizard. This wizard allows you to pick the password-related tasks to delegate.
Configure local user password policy
Local security policy is local server-specific; the policies are not stored in Active Directory. As a local admin you may open up the Local Security Policy UI via secpol.msc. The UI has a Navigation pane with an option known as Account Policies. You can click Password Policy to make the necessary policy settings.
Configure account lockout settings
You all know what account lockout is about. Technically, Account Lockout Policy settings are configured in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy through the GPMC. In terms of duration, the valid range is from 1 through 99,999 minutes. If you set the value to 0, the account is locked out until you explicitly have it unlocked. Account lockout threshold determines the number of failed logon attempts that can be tolerated. The number of minutes that can be specified is between 1 and 999.
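The PSO creation from "Configure and apply Password Settings Objects (PSOs)" combined with the lockout settings of this section, as an added example that is not part of the study guide. The PSO name, the subject group and all values are assumptions; a PSO can only be applied to users and global security groups.

```powershell
# Added example, not from the study guide: a fine-grained password policy with
# its own lockout settings for privileged accounts. Names and values are assumed.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'
$subject = 'Domain Admins'      # a global security group, so a valid PSO subject

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # Precedence: when several PSOs apply to one user, the lowest value wins.
    # TimeSpan values are written as days.hours:minutes:seconds.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '0.00:30:00' `
        -LockoutObservationWindow '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to its subject; everyone else keeps the domain default policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify: the resultant policy for a member must be the PSO, not the domain default
# (Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies).
$member = Get-ADGroupMember -Identity $subject |
    Where-Object objectClass -eq 'user' | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration

# For comparison, the domain-wide defaults that apply to accounts without a PSO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration
```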
CHAPTER 6 CONFIGURE AND MANAGE GROUP POLICY
6.1 CONFIGURE GROUP POLICY PROCESSING
Configure processing order and precedence
By default, Group Policy settings are processed in this order: Local Group Policy object > Site > Domain > OU.
Keep in mind, local GPOs are always processed first, while GPOs linked to the OU are always processed last. The last one being processed can overwrite settings made in the earlier GPOs should conflicts arise. Exceptions may be possible if a GPO link is enforced or disabled, or if an OU has Block Inheritance enabled.
Configure blocking of inheritance
You may set a container to block any policies from higher levels from being applied. Do note that Block Policy Inheritance is a container property, NOT a link property. In fact, Enforced at a higher level will always take precedence over Block Policy Inheritance at a lower level. Simply put, GPO links that are enforced are not allowed to be blocked.
Configure enforced policies
You may set a policy at a higher level to always apply via enforcement (i.e. no override). Do note that Enforced is a link property, NOT a container property. It always takes precedence over Block Policy Inheritance. As said previously, GPO links that are enforced are not allowed to be blocked.
Configure security filtering and WMI filtering
WMI and security group filters can both be used to restrict each GPO to the computers of a membership group running the version of Windows for which the GPO is targeted. To be precise, security filtering applies policy settings to only a particular set of users and computers that you choose, while WMI filters can be used based on the target computer specifications (make, model, OS, etc.).
When you define a new WMI filter, you will need to supply a WMI query, which is a WMI Query Language (WQL) string that can return a value of TRUE when applied to the correct Windows version.
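An added example (not from the study guide) that evaluates a WMI filter's WQL query the way Group Policy does, TRUE when at least one instance comes back, so a filter can be tested before it is attached to a GPO. The two queries are assumptions for illustration.

```powershell
# Added example, not from the study guide: test WMI filter queries locally or
# against a remote computer before using them in a GPO.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\cimv2',   # the namespace Group Policy uses by default
        [string]$ComputerName                # omit to evaluate on the local machine
    )
    $cimParams = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimParams['ComputerName'] = $ComputerName }
    # Group Policy treats the filter as TRUE when the query returns any instance.
    $instances = @(Get-CimInstance @cimParams)
    return ($instances.Count -gt 0)
}

# Pitfall: WQL compares Version lexicographically, so "10.0" sorts below "6.2"
# and this filter silently excludes Windows Server 2016 and later.
$broken = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3 AND Version >= "6.2"'

# Match the version prefixes explicitly instead.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$servers2012Plus = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3 AND ' +
                   '(Version LIKE "6.2%" OR Version LIKE "6.3%" OR Version LIKE "10.%")'

foreach ($q in $broken, $servers2012Plus) {
    '{0,-5} {1}' -f (Test-GpoWmiFilter -Query $q), $q
}
```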
Configure loopback processing
By default Group Policy is applied depending on where both the user and the computer objects are located. If you want to have policy applied based only on the location of the computer object, the Group Policy loopback feature may be of great use, assuming your client computers are at least Windows 2000. With Merge Mode, the computer's GPOs have higher precedence than the user's GPOs. With Replace Mode, the user's list of GPOs is never gathered, so only the computer's GPOs are used.
Configure and manage slow-link processing
When processing GPOs over a slow link, not all components are processed. A rate that is slower than 500 Kbps is considered a slow link. You may use the Group Policy Object Editor to specify settings for slow link detection for computers (you want to pay attention to the Allow processing across a slow network connection policy option). The options that are available for processing include IP Security policy, EFS recovery policy, Internet Explorer Maintenance policy, Scripts policy and Folder Redirection policy.
Configure client-side extension (CSE) behavior
Client-side extensions (CSEs) are almost always implemented as .dll files. They are for processing and applying Group Policy settings at the target computers. With each CSE the GPO processing order is determined by obtaining a list of GPOs. A computer policy can be used to control the behavior of the CSE. You may set a computer policy accordingly via the Group Policy Object Editor. The possible computer policy options you can configure are Allow processing across a slow network connection (which should be used with Group Policy slow link detection), Do not apply during periodic background processing (the policy is applied both at boot time and regularly every 90 minutes), and Process even if the Group Policy objects have not changed.
6.2 CONFIGURE GROUP POLICY SETTINGS
Configure settings including software installation, folder redirection, scripts, and administrative template settings
You may use Group Policy to configure computer and user settings on networks based on Active Directory Domain Services (AD DS). For Group Policy to work, your network must be based on AD DS and the computers you want to manage must be joined to the domain. You must also have the relevant permissions to create and edit the policy objects. Although you may configure Group Policy settings locally, you should avoid doing so, since domain-based Group Policy can centralize management while localized policy cannot.
You may manage all aspects of Group Policy via the Group Policy Management Console (GPMC).
Import security templates
You may want to deploy security templates through importing them into a GPO. First you should create OUs for the different types of computers that are to use a different security template. Then you add the computer accounts for these computers to the proper OU. Finally you add a link to a GPO for each of these computer OUs. You can always import a security template into a GPO via the Group Policy Object Editor.
Import custom administrative template file
Administrative Templates for GPOs can be used to set and control registry settings. Administrative Template files are XML-based for defining registry-based Group Policy settings that can be configured via the Group Policy Management Editor. With the language-neutral ADMX file it is possible to determine the number, types and locations of policy settings by category in the editor. ADML files, on the other hand, are for supplying language-specific information to the ADMX files. Note that when you use GPEDIT.msc to launch the Group Policy Object Editor, it will automatically read all ADMX files that are stored in the %systemroot%\PolicyDefinitions\ folder.
Convert administrative templates using ADMX Migrator
The ADMX Migrator utility is a free MMC snap-in tool you can use to convert legacy ADM files into the new ADMX format. You can also use the ADMX Migrator's ADMX Editor to edit ADMX files via a GUI. This tool can be downloaded from:
http://www.microsoft.com/en-hk/download/details.aspx?id=15058
The tool requires .NET framework 2.0 at the least. The minimum OS version required is Windows XP SP2.
Configure property filters for administrative templates
From within the GPMC you may change the criteria for displaying Administrative Template policy settings using property filters. The available property filters are Managed, Configured and Commented. Keep in mind, with the Managed filter the Group Policy service will only govern Managed policy settings. In terms of policy state, a policy setting can be Not Configured (the default), Enabled, and Disabled. The Commented property also has several states, which include Any, Yes, and No.
6.3 MANAGE GROUP POLICY OBJECTS (GPOS)
Backup, import, copy, and restore GPOs
From within the GPMC console tree you can do a lot of things. For example, you can right-click Group Policy Objects in the forest and domain in which you want to create a GPO and then click New to create a new object. You may also choose to copy, back up, restore or import GPOs via the console. You use Backup-GPO to make a backup of a GPO. You use the Restore Group Policy Object Wizard or the Restore-GPO cmdlet to restore a GPO that has been backed up. You use the Import Settings Wizard to import a GPO from another domain or forest (you may need to update some references by hand). And you may use Copy-GPO to make a GPO copy. To delete one, use Remove-GPO (all links to it will be deleted as well).
Create and configure Migration Table
When you copy or import a GPO from another domain you rely on a migration table to tell how the domain-specific data should be handled. From the GPMC you can open the Migration Table Editor. You may validate your migration table by choosing Tools > Validate. Or you may auto-populate a migration table (by scanning a GPO) by choosing Tools > Autopopulate from GPO. All migration tables store mapping information as an XML file with an extension of .migtable.
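The backup, restore and cross-domain import cmdlets from "Backup, import, copy, and restore GPOs" together with a migration table for this section, as an added example that is not part of the study guide. The domains, GPO, group and share names are assumptions, and the .migtable content is constructed here in the XML form the Migration Table Editor uses; open it in the editor and run Tools > Validate before relying on it.

```powershell
# Added example, not from the study guide: back up all GPOs, restore one, and
# import one into another domain through a migration table. Names are assumed.
Import-Module GroupPolicy

$backupPath = 'D:\GpoBackups'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# Back up every GPO in the domain; each lands in its own GUID-named folder.
Backup-GPO -All -Path $backupPath -Comment ("Full backup " + (Get-Date -Format s)) | Out-Null

# Restore a damaged GPO in the same domain from its most recent backup.
Restore-GPO -Name 'Workstation Baseline' -Path $backupPath | Out-Null

# Migration table: security principals and UNC paths in the source GPO are
# translated to their equivalents when the GPO is imported into the target domain.
# Constructed here; validate it in the Migration Table Editor before use.
$migTable = Join-Path $backupPath 'corp-to-child.migtable'
@'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>CORP\Workstation Admins</Source>
    <Destination>CHILD\Workstation Admins</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\fs01.corp.example\scripts</Source>
    <Destination>\\fs01.child.corp.example\scripts</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $migTable -Encoding Unicode

# Import into the child domain, creating the target GPO if it does not exist yet.
Import-GPO -BackupGpoName 'Workstation Baseline' -Path $backupPath `
    -TargetName 'Workstation Baseline' -Domain 'child.corp.example' `
    -MigrationTable $migTable -CreateIfNeeded | Out-Null

# Confirm the import took.
Get-GPO -Name 'Workstation Baseline' -Domain 'child.corp.example' |
    Select-Object DisplayName, Id, ModificationTime
```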
Reset default GPOs
You are not supposed to modify the default GPOs. However, if you did and you want to fix them by restoring them to the default values, you should use the dcgpofix command with the /target parameter specified.
Delegate Group Policy management
You may delegate some Group Policy tasks to other people. The GPMC (there is a tab named Delegation) offers several categories of Allowed Permissions on a GPO, including Read; Edit settings; Edit, delete, modify security; Read (from Security Filtering) and Custom. You can fine-tune these for proper delegation. Note that the right to create new GPOs can only be delegated at the domain's Group Policy Objects container or the Starter GPOs container.
6.4 CONFIGURE GROUP POLICY PREFERENCES
Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment
Group Policy Preferences (GPP) can simplify the deployment and standardization of configurations. Preferences are settings that can be changed by users later (in other words, a preference only sets an initial state for an application configuration). You can also use GPP to configure applications that are not Group Policy-aware. GPP is considered quite powerful since it can be used to change or remove registry settings, files, folders, shortcuts, etc. Keep in mind, the preference value can remain in the local registry and can overwrite the application's configuration settings.
Configure item-level targeting
Item-level targeting (which is part of the Common Properties within the GPMC) is a feature that can be used with GPP. You use it to set sophisticated targeting for each individual preference configured in a GPO. In other words, you use it to change the scope of individual preference items. Each targeting item has a value which is either true or false. You can apply multiple targeting items to a preference item and you can use AND or OR to combine them.