
1 4/20/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Exam prep: 70-411 & 70-417 MCSA: Administering Windows Server 2012
MCSA: Administering Windows Server 2012 (R2)
Alfred Ojukwu

3 But first… a little about me!
Alfred Ojukwu
- 19 Years of IT Experience
- Senior Consultant with Microsoft Consulting Services (MCS)
- Desktop Enterprise Management, ConfigMgr 2012 and Intune
- Microsoft Communities both Internal and External
- BlogSite
- @thedevicepros - twitter.com/thedevicepros
- Facebook – Member of #TheKrewe

4 Session Objectives And Takeaways
Session Objective(s):
- Certification Overview
- Exam Preparation per Section
- Describe key & exam objectives
- Prepare more effectively using available study material
- Relate practical Windows Server 2012 experience to exam
- Identify areas that may require extra studying
- Action plan for exam preparation and success

5 Microsoft Certification

6 For You
- Increased confidence in your abilities at work
- Enhanced product knowledge
- Learn about certification to educate your coworkers and bosses

7 For Your Career
- Makes a great commitment
- Shows drive and initiative
- Tangible way to demonstrate mastery of a product
- Sets you apart from your peers at review time
- Recognition inside and outside of Microsoft
- Completely achievable at SPC

8 Changes to Certifications and Exams
- Relevance
- Broader Skill Set
- Rigor
- Certification Requirements
- Recertification
- Deeper Skill Set

9 MCSE and MCSD Certifications
- Private Cloud
- Server Infrastructure
- Desktop Infrastructure
- Business Intelligence
- Data Platform
- Web Applications
- Windows Store Apps

10 Increased Rigor
Reflection of the real world
- Learn more, validate more
- Solutions are more complex, questions must reflect that
- Best way to measure candidates know what they know
New item types
- Fewer multiple choice
- Case studies
- Scenario based
- See big picture and make decisions
- Innovative item types

11 Exam Tips

12 Exam Basics
- 40-60 questions
- 1-4 hours to complete exam
- Can review questions
- Cannot move between case studies
- 700 is passing
- 700 is not 70%

13 How to interpret questions
- All questions have a consistent anatomy
  - Business Problem
  - Goal Statement
  - One or Multiple Correct Answers
  - Multiple Distracters
- Questions are not intended to trick you

14 Exam Scoring
- Each exam has a "cut score"
- Each question is worth one point
- No partial credit
- No points deducted for wrong answers

15 70-411 &

16 70-411 Exam Objectives
- Deploy, Manage, and Maintain Servers (15-20%)
- Configure File and Print Services (15-20%)
- Configure Network Services and Access (15-20%)
- Configure a Network Policy Server Infrastructure (15-20%)
- Configure and Manage Active Directory (15-20%)
- Configure and Manage Group Policy (15-20%)
Total Time: 195 minutes with comments, 150 minutes for exam

17 Deploy, Manage, and Maintain Servers
- Deploy and manage server images
- Implement patch management
- Monitor servers

18 Windows Server 2012 - WDS
Install using Roles and Features
- Requires RSAT
- Enables PXE Use
Deployment Methods
- WDS Service must be enabled and show green
Configuration Options
- Ensure DHCP, NTFS shares are available
- Decide on PXE boot requests
- Don’t forget about WDSUtil
Using WDS
- Add Install Images and Drivers
- Multicast transmissions
Install-WindowsFeature -Name WDS -ComputerName Server01 -IncludeManagementTools (Servermanagercmd.exe deprecated)

19 Deploy and Manage Server Images (2/2)
Update images - patches/hotfixes/drivers/features
- Mount the offline image:
  DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
- Add package or driver to image:
  DISM /Image:<temppath> /Add-Package /PackagePath:<path>
  DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
- Commit the changes and unmount:
  DISM /Unmount-Image /MountDir:<temppath> /Commit
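The mount / add / commit sequence above, as an added PowerShell example using the DISM module cmdlets (not part of the original slides). Every path and the image name are hypothetical placeholders; the image is saved only if each servicing step succeeds and is discarded otherwise, so a half-patched image never reaches the WDS server.

```powershell
# Added example: offline servicing of a WIM with the DISM PowerShell module.
# Every path and the image name below are hypothetical placeholders.
param(
    [string]$ImagePath   = 'D:\Images\install.wim',
    [string]$ImageName   = 'ExampleImageName',
    [string]$MountDir    = 'C:\mount',
    [string]$PackagePath = 'D:\Updates',   # folder of .msu/.cab update packages
    [string]$DriverPath  = 'D:\Drivers'    # folder tree containing driver .inf files
)

$ErrorActionPreference = 'Stop'   # any failed step throws instead of continuing

# DISM needs an existing, empty mount directory.
if (-not (Test-Path $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}
if (Get-ChildItem -Path $MountDir -Force) {
    throw "$MountDir is not empty; a previous mount may not have been cleaned up."
}

# Equivalent of: DISM /Mount-Image /ImageFile:<path> /Name:<name> /MountDir:<temppath>
Mount-WindowsImage -ImagePath $ImagePath -Name $ImageName -Path $MountDir | Out-Null

$commit = $false
try {
    # Equivalent of: DISM /Image:<temppath> /Add-Package /PackagePath:<path>
    Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath | Out-Null

    # Equivalent of: DISM /Image:<temppath> /Add-Driver /Driver:<path-to-INF>
    Add-WindowsDriver -Path $MountDir -Driver $DriverPath -Recurse | Out-Null

    # Show the most recently added packages so the result can be reviewed.
    Get-WindowsPackage -Path $MountDir |
        Sort-Object InstallTime -Descending |
        Select-Object -First 10 PackageName, PackageState, InstallTime |
        Format-Table -AutoSize

    $commit = $true
}
finally {
    if ($commit) {
        # Equivalent of: DISM /Unmount-Image /MountDir:<temppath> /Commit
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
    else {
        # A step failed: drop the changes rather than commit a partial update.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}
```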

20 Deploy and Manage Server Images (1/2)
Boot, capture, install, discover images
- Boot image is Windows PE + client (boot.wim on media)
- Capture image is used to capture a reference computer to use for your install image
- Install image is what you deploy (install.wim on media)
- Discover image when computer can’t use PXE (boot to discover image media)

21 Implement Patch Management
Install WSUS role
- DISM /Online /Enable-Feature /FeatureName: (dism /online /get-features)
- Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
GPOs, client side targeting
- Server-side targeting (default)
- Client-side targeting (typically GPO)
- Watch for non-domain joined clients or the manual step of creating groups in WSUS
Synchronization and WSUS groups
- Synchronization – downloading updates from an upstream server
  - Watch for proxy server issue, firewall issue, or BITS issue
- WSUS groups – used for targeting updates to group computers
  - Watch for client computers not showing up in the computer list

22 Monitor Servers: Data Collector Sets
Concepts to know…
- Collect performance over a given time
- Excellent for baselines
- Performance but also event trace, system configuration (registry)
- Several default DCS
- Can create DCS from current counters
- Can create Templates

23 Key Tips to Know
- ImageX, Package Manager and OCSetup – Deprecated
- Automatic Approvals for WSUS
- Boot, capture, install, discover images
- Know your WDS Options with DHCP
- PXE is a driving factor for deployments
- Deploy & Capture Images
- Update images - patches/hotfixes/drivers/features
- Installing Features for Offline Images

24 Exam Updates for R2: Deploy, manage, and maintain servers
Deploy and manage server images
- Tasks currently measured: Install the Windows Deployment Services (WDS) role; configure and manage boot, install, and discover images; update images with patches, hotfixes, and drivers; install features for offline images
- Task changed\added since January 2014: Configure driver groups and packages
Implement patch management
- Tasks currently measured: Install and configure the Windows Server Update Services (WSUS) role; configure group policies for updates; configure client-side targeting; configure WSUS synchronization; configure WSUS groups
- Task changed\added since January 2014: Manage patch management in mixed environments
Monitor servers
- Tasks currently measured: Configure Data Collector Sets (DCS); configure alerts; monitor real-time performance; monitor virtual machines (VMs); monitor events; configure event subscriptions; configure network monitoring
- Task changed\added since January 2014: Schedule performance monitoring

25 Exam Prep Question
Your network contains a Microsoft Windows Deployment Services (WDS) server. You have added a custom image named CustomWin8.wim to the server. After creating and adding the custom image to the WDS server, you decide that the image is missing a feature. You mount the image to the c:\mount folder. You need to add the Telnet Client feature to the CustomWin8.wim image. What should you do?
- Run the command imagex /apply C:\mount\CustomWin8.wim 1 D:\
- Run the command dism /Image:C:\mount /Enable-Feature /FeatureName:TelnetClient
- Run the command dism /Image:CustomWin8.wim /Enable-Feature /FeatureName:TelnetClient
- Run the command imagex /image:C:\mount /Enable-Features /FeatureName:TelnetClient

26 Configure File and Print Services
- Configure Distributed File System (DFS)
- Configure File Server Resource Manager (FSRM)
- Configure file and disk encryption
- Configure advanced audit policies

27 Configure DFS (1/2)
Overview
- DFS Replication and DFS Namespaces are role services (rolling up to File and Storage Services role)
- Know what’s new: PowerShell module, WMI mgmt., site awareness for DirectAccess, dedupe
- Know what’s deprecated: dfscmd, FRS
Install and configure DFS Namespaces
- Domain-based namespace
- Stand-alone namespace
- Get familiar with DfsnRoot & DfsnFolder for PowerShell
- Requires the management of referrals

28 Configure DFS (2/2)
Configure DFS Replication Targets
- Keep folders in sync, use the Replicate Folder wizard to configure
- Config changes must replicate via AD DS and then each namespace server must poll a DC for the config change (speed it up by forcing AD DS replication and then running the dfsrdiag.exe PollAD /Member:Contoso\Server01 command)
Configure Replication Scheduling
- Create replication group: Multipurpose or data collection
- Hub and spoke, full mesh, or no topology
- Replicate continuously (select bandwidth limits if desired)
- Replicate during specific days/times (can set bandwidth to use per time slot)
- Watch for staging folder size issues (if too small, high CPU or slow replication will result)
- Use a different physical disk for staging folder for improved I/O

29 Configure FSRM (1/2)
Install FSRM
- Add-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Configure Quotas
- Configure quotas on specific folder or on a path (which handles newly created folders)
- Hard (users cannot exceed) or soft (users can exceed, used for monitoring)
- Built-in templates which can be used to create a quota or to create a new customized template
- When quota threshold met, option to send e-mail, log event, run command, or generate report
- Be wary of deprecated tools such as dirquota.exe (instead use Set-FsrmQuota or similar)

30 Configure FSRM (2/2)
Configure File Screens
- Active screening (cannot save unauthorized files)
- Passive screening (can save unauthorized files, used for monitoring)
- Built-in templates (block audio/video files, e-mail files, executable files, images, monitor exe/system)
- Be wary of deprecated filescrn.exe
- Set-FsrmFileScreen, Set-FsrmFileScreenException, Set-FsrmFileScreenTemplate
Configure Reports
- Run reports on demand – DHTML, HTML, XML, CSV, or text
- Built-in reports – duplicate files, file screen audit, files by file group, files by owner, files by property, folders by property, large files, least recently accessed files, most recently accessed files, quota usage
- Set scheduled reports and have reports e-mailed to admin(s)

31 Configure file and disk encryption (1/3)
New Features
- BitLocker provisioning (can enable BitLocker prior to deploying Windows 8 via WinPE)
- Encrypt only used disk space (faster overall and takes only seconds for Windows 8 deployments)
- Change PIN and password by standard users (no longer require admin rights)
- Support for encrypted hard drives (encryption offloaded to the hard drive)
Configure BitLocker encryption
- TPM version 1.2 or higher (required for provisioning prior to operating system deployment)
- TPM owner authorization – separate object new for Windows 8 – requires AD schema update
- Add BitLocker Drive Encryption feature, Enable-BitLocker (need volume/encryption method/key protector)

32 Configure file and disk encryption (2/3)
Configure the Network Unlock feature (new)
- Install the BitLocker Network Unlock feature, WDS on Windows Server 2012, separate DHCP, UEFI DHCP drivers, PKI for issuing certificate (or self-signed certificate), Group Policy configured
- For TPM+PIN systems, Network Unlock allows a form of two-factor authentication without user intervention when booting (on untrusted networks, TPM+PIN is used)
Configure BitLocker policies (Win8 or Win2012)
- Choose drive encryption method and cipher strength
- Configure use of hardware-based encryption for *** drives (fixed/operating/removable)
- Enforce drive encryption type on *** drives – Full/Used only
- Allow network unlock at startup

33 Configure file and disk encryption (3/3)
Configure the EFS recovery agent
- Obtain a certificate for File Recovery for a data recovery agent user account
- Add data recovery agent (DRA) by editing GPO:
  - Add from AD DS if certificates are published in AD DS (default not published)
  - Add from .cer files if not published in AD DS
Manage EFS and BitLocker certificates including backup and restore
- For certificates, can enable archiving on the certificate templates to allow recovery
- DRA can have a self-signed certificate which is backed up with standard backup methods
- Windows 7 requires permissions update to ms-TPM-OwnerInformation for TPM owner info backup
- Back up BitLocker recovery info to AD DS GPO setting (Pre-2008 requires schema extension)

34 Configure advanced audit policies (1/2)
Implement auditing using Group Policy and AuditPol.exe
- Know difference between basic Audit Policy settings and advanced Audit Policy settings
- To manually enable Advanced Audit subcategory auditing (high overhead for widespread use): auditpol /set /subcategory:"RPC Events" /success:enable
- Auditpol has a /backup switch and a /restore switch
- Global object access auditing (for file system or registry – automatically applies to all objects)
- For Global auditing, watch for situations that don’t also enable Audit File System and Audit Registry audit policy settings (required)
- Advanced Audit Policy settings take precedence over basic Audit Policy settings

35 Configure advanced audit policies (2/2)
Create expression-based audit policies
- Audit anybody not in Payroll that tries to access the sensitive payroll spreadsheets (can be set directly on a file/folder or in global policy), can be combined with Dynamic Access Control
Create removable device audit policies
- Requires Windows 8 or Windows Server 2012
- Logs event when users attempt to access a removable storage device (Audit Removable Storage)
- Can also log removable storage device events (Audit Handle Manipulation)
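A check for the pitfall called out on the advanced audit policy slides (global object access auditing with File System or Registry auditing left off), written as an added PowerShell example that is not part of the original deck. The CSV sample is constructed, its machine name and GUIDs are placeholders, and the Success/Failure settings required by the baseline are assumptions chosen for illustration.

```powershell
# Constructed sample in the CSV layout produced by: auditpol /get /category:* /r
# Machine name and GUIDs are placeholders, not real values.
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SERVER01,System,File System,{00000000-0000-0000-0000-000000000001},No Auditing,
SERVER01,System,Registry,{00000000-0000-0000-0000-000000000002},Success and Failure,
SERVER01,System,Handle Manipulation,{00000000-0000-0000-0000-000000000003},No Auditing,
SERVER01,System,Removable Storage,{00000000-0000-0000-0000-000000000004},Success,
SERVER01,System,RPC Events,{00000000-0000-0000-0000-000000000005},Success,
'@

# Assumed baseline: the subcategories named on the slides and the settings
# this example expects for each of them.
$baseline = [ordered]@{
    'File System'         = @('Success', 'Failure')   # needed for global file auditing
    'Registry'            = @('Success', 'Failure')   # needed for global registry auditing
    'Removable Storage'   = @('Success', 'Failure')
    'Handle Manipulation' = @('Success')
}

function Test-AuditBaseline {
    param(
        [string[]] $CsvLines,
        [System.Collections.IDictionary] $Required
    )
    # auditpol output can contain blank lines; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    foreach ($name in $Required.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }

        # "Success and Failure" satisfies both; "No Auditing" satisfies neither.
        $missing = @($Required[$name] | Where-Object { $actual -notmatch $_ })

        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name] -join ' and '
            Actual      = $actual
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

# Offline run against the constructed sample.
$results = Test-AuditBaseline -CsvLines ($sampleCsv -split '\r?\n') -Required $baseline
$results | Format-Table -AutoSize

# On a live server (elevated prompt) the same check would be:
#   $results = Test-AuditBaseline -CsvLines (auditpol /get /category:* /r) -Required $baseline

# Print, but do not run, the auditpol command that would close each gap.
foreach ($r in ($results | Where-Object { -not $_.Compliant })) {
    $flags = ($baseline[$r.Subcategory] |
        ForEach-Object { '/{0}:enable' -f $_.ToLower() }) -join ' '
    'auditpol /set /subcategory:"{0}" {1}' -f $r.Subcategory, $flags
}
```

With the sample above, Registry is the only compliant row; File System, Removable Storage and Handle Manipulation are reported with a suggested command each.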

36 Exam Updates for R2: Configure File and Print Services
Configure Distributed File System (DFS)
- Tasks currently measured: Install and configure DFS namespaces; configure DFS Replication Targets; configure Replication Scheduling; configure Remote Differential Compression settings; configure staging; configure fault tolerance
- Task changed\added since January 2014: Clone a DFS database; recover DFS databases; optimize DFS replication
Configure File Server Resource Manager (FSRM)
- Tasks currently measured: Install the FSRM role; configure quotas; configure file screens; configure reports
- Task changed\added since January 2014: Configure file management tasks

37 Exam Prep Question
You are the system administrator for Contoso, Ltd. You manage an Active Directory Domain Services (AD DS) domain. All servers run Windows Server 2008 R2. The forest functional level is set to Windows Server The domain functional level is set to Windows Server You are preparing to deploy DFS. The deployment must meet the following requirements.
- Users must not be able to see folders that they do not have access to
- Users must be able to create 3,000 total folders
- Minimize changes to the environment
You need to deploy DFS to meet the requirements. What should you do?
- Update the forest functional level to Windows Server 2008 R2 and then deploy a standalone DFS namespace.
- Update the forest functional level to Windows Server 2008 R2 and then deploy a domain-based DFS namespace by deselecting DFS Windows Server 2008 mode.
- Deploy a standalone DFS namespace with Windows Server 2008 mode enabled.
- Deploy a domain-based DFS namespace with Windows Server 2008 mode enabled.

38 Configure Network Services and Access
- Configure DNS zones
- Configure DNS records
- Configure VPN and routing
- Configure DirectAccess

39 Configure DNS zones (1/2)
Configure primary and secondary zones
- Primary zone can be stored in file or in AD DS – authoritative source for the zone
- Secondary zone cannot be stored in AD DS and is a read-only copy of a primary zone
Configure stub zones
- Stub zone used to identify authoritative DNS servers for a zone – useful in a merger/acquisition
- Watch for scenarios that offer stub zone and conditional forwarding as potential solutions
- Stub zones best when needing to dynamically maintain authoritative DNS servers for child zone
Configure conditional forwarders
- Forwards to specific DNS servers which can then build up a cache for efficient resolution
- Often the best solution for merger/acquisition but can also speed up internal name resolution

40 Exam Content
Deploy and Configure Network Services
- DNS = system
- DNS = host name resolution
- Forward and reverse lookups
- Types of DNS: Primary, secondary, Active Directory-Integrated, and stub zones
- For AD-Integrated, what is the domain partition, forestDNSZone, and domainDNSZone? Hint: replication scope
- Records = SOA, NS, A, CNAME, PTR, SRV, and MX

41 Windows Server 2012 Network Services
- IPv4 & IPv6 addressing
- DHCP – failover, name protection
- DNS – zones, records, DNSSEC
- IPAM
- VPN & routing
- DirectAccess

42 VPN and Routing
Install and configure the Remote Access role
- Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
- Run the Configure and Enable Routing and Remote Access wizard
Implement Network Address Translation (NAT)
- Need two interfaces prior to enabling via wizard
Configure VPN settings
- For SSTP, need to select the proper SSL certificate post install
Configure remote dial-in settings for users
- Default in AD is control access through NPS Network Policy
- Need to adjust policy or create new policy in order to allow users in
Configure routing
- IPv4 and IPv6 static routes, DHCP relay, need to enable router for protocol

43 DirectAccess (1/2)
Implement server requirements
- No longer require PKI (can use Kerberos proxy over HTTPS instead along with port 443)
- New simplified deployment but then won’t get force tunneling, Network Access Protection (NAP) integration, or two-factor authentication
- Can use a single NIC card behind NAT (Windows Server 2012 required)
- Remote access servers and all client computers must be domain members
- IPv6 not required and IPv6 transition technologies are used (however, IPv6 = best performance)
Implement client configuration
- Need to have security groups in place and then create GPOs

44 DirectAccess (2/2)
Configure DNS for DirectAccess
- Name Resolution Policy Table (NRPT) – used to send specific queries to specific DNS servers (otherwise, use normal name resolution) – Windows 7 or later required (config via GPO)
Configure certificates for DirectAccess
- If using internal CA or self-signed certificate, CRL distribution point must be available externally
- Can’t use self-signed cert in a multi-site environment
- Internal PKI is required if Kerberos proxy over HTTPS not available/possible

45 Exam Updates for R2: Configure Network Services and Access
Configure VPN and routing
- Tasks currently measured: Install and configure the Remote Access role; implement Network Address Translation (NAT); configure VPN settings; configure remote dial-in settings for users; configure routing
- Task changed\added since January 2014: Configure Web Application proxy in pass-through mode

46 Exam Prep Question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoys.com. The record points to Forward name resolution is fully functional. However, the web administrators are reporting that is not resolving to www2.tailspintoys.com. You need to ensure that resolves to www2.tailspintoys.com. What should you do?
- Add a second Address (A) record for and point it to www2.tailspintoys.com.
- Add a PTR record for and point it to www2.tailspintoys.com.
- Add a second Address (AAAA) record for and point it to www2.tailspintoys.com.
- Add a PTR record for www2.tailspintoys.com and point it to

47 Configure a Network Policy Server Infrastructure
- Configure Network Policy Server (NPS)
- Configure NPS policies
- Configure Network Access Protection (NAP)

48 Configure NPS (1/2)
Configure multiple RADIUS server infrastructures
- 5 parts – access clients (laptops), access servers (VPN/wireless devices), NPS servers (RADIUS server), NPS proxies (RADIUS proxy, fault tolerance by using two with one being a backup, domain membership optional, use NETSH to copy config from one proxy to another), user account DBs (such as AD DS)
Configure RADIUS clients
- Required: shared secret, friendly name, FQDN or IP; optional is vendor info (e.g. Cisco)
Manage RADIUS templates
- Watch for questions involving administrative overhead as that may indicate the creation of a template or use of existing template.

49 Configure NPS (2/2)
Configure RADIUS accounting
- Can log to SQL DB, text file on local computer, both simultaneously, or SQL with text file logging for failover (if SQL logging fails, continue to log via text file)
- If logging stops (out of disk, SQL down), users can’t get in (watch for situations that call out default install and sudden loss of functionality – could be out of disk space, consider moving logging to non-system disk)
Configure certificates
- Certificate-based auth - NPS servers need a server certificate
- Minimize administrative overhead in large environment – autoenrollment

50 Configure NPS policies (1/2)
Configure connection request policies
- Policies have conditions such as connection type, day/time, network, computer
- Useful to authenticate untrusted domain (proxy policy first in the policy order) while still authenticating locally via NPS (to AD DS)
- If no local processing by NPS, then server is a proxy (can forward one place or multiple)
Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
- Watch for default installation on encryption as all encryption options are enabled (40-bit, 56-bit, 128-bit)
- Can use IP filters to enhance security, limit traffic type (IPv4 and IPv6)

51 Configure NPS policies (2/2)
Manage NPS templates
- Can use templates for shared secrets, RADIUS clients, RADIUS servers, IP filter, health policies, and remediation server groups (minimize administrative overhead, speed up deployment)
- Can export templates to .XML file and import to another server
Import and export NPS policies
- Can use NETSH or Export-NpsConfiguration to export entire NPS server config including policies

52 Configure NAP (1/2)
Configure System Health Validators (SHVs)
- One default SHV – Windows Security Health Validator – can require specific firewall settings, antivirus settings, spyware protection, automatic updates settings
- If noncompliant with SHV, can restrict network access or remediate
- Windows XP does not have spyware protection settings available
Configure health policies
- Policy dictates how many SHV checks must be passed or failed
- Health policies are added to network policies (NPS) to ascertain who should gain access
Configure NAP enforcement using DHCP and VPN
- Non-compliant devices – full access, full access with limited time, limited access
- Limited access usually is tied with remediation servers for updating components for compliance
- If full network + limited time and client subsequently becomes compliant, will be disconnected!

53 Exam Updates for R2: Configure a Network Policy Server Infrastructure
Configure Network Policy Server (NPS)
- Tasks currently measured: Configure multiple RADIUS server infrastructures; configure RADIUS clients; manage RADIUS templates; configure RADIUS accounting; configure certificates
- Task changed\added since January 2014: Configure a RADIUS server, including RADIUS proxy; manage configure RADIUS NPS templates

54 Configure NAP (2/2)
Configure isolation and remediation of non-compliant computers using DHCP and VPN
- Default network policy has automatic remediation enabled by default
- Can add remediation servers and a troubleshooting URL for employees
Configure NAP client settings
- Remember that Group Policy overrides NETSH and NAP Client Configuration console
- Enable tracing - netsh nap client set tracing state = enable
- Use the NAP Client Configuration console to create .xml config file for use in a GPO
- By default, NAP enforcement clients are disabled
- To enforce health policies, must enable at least one NAP enforcement client
- IPsec – need to configure NAP health registration authority settings

55 Configure and Manage Active Directory
- Configure service authentication
- Configure Domain Controllers
- Maintain Active Directory
- Configure account policies

56 Configure service authentication (1/2)
Create and configure Service Accounts
- Used to enhance security but the pain point is the password management and SPN mgmt.
Create/configure Group Managed Service Accounts
- Must create/configure on a server running Windows Server 2012 or on a Windows 8 computer
- Automated password management and can be used across multiple servers
- Minimum of one DC that runs Windows Server 2012
- Before you begin, must create KDS Root Key - Add-KdsRootKey -EffectiveImmediately
- New-ADServiceAccount and Set-ADServiceAccount
Create and configure Managed Service Accounts
- Introduced in Windows Server 2008 R2 / Windows 7
- New-ADServiceAccount with the -RestrictToSingleComputer parameter
- Automated password management and can be used on a single server
- Not supported for scheduled tasks, Exchange, SQL
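The gMSA steps from this slide as one worked sequence, followed by the single-computer MSA variant. This is an added example, not part of the presentation; the account, group, host and domain names are constructed placeholders.

```powershell
# Added example; every name below is a constructed placeholder.
Import-Module ActiveDirectory

$GmsaName  = 'gmsa-web01'
$HostGroup = 'GRP-WebHosts'             # group of computer accounts allowed to use the gMSA
$DnsName   = 'gmsa-web01.corp.example'

# --- Steps 1 and 2: run once, with domain admin rights ---

# 1. One KDS root key per forest. Domain controllers wait about 10 hours after
#    creation before they use a new key, so that it has time to replicate.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA. Only members of $HostGroup can retrieve its password.
#    The rotation interval can only be set at creation time.
New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30

# --- Step 3: run on every member server that is in $HostGroup ---

# 3. Install the account locally, then confirm the host can really use it.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Host cannot retrieve the password for $GmsaName; check membership of $HostGroup."
}

# --- Step 4: periodic review ---

# 4. The retrieval list is the credential boundary of a gMSA: any principal on it
#    can obtain the current password. List it for every gMSA in the domain.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Where-Object ObjectClass -eq 'msDS-GroupManagedServiceAccount' |
    Select-Object Name,
        @{ n = 'CanRetrievePassword'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }

# --- Single-computer variant (Managed Service Account) ---

# The account is bound to exactly one computer object instead of a group.
New-ADServiceAccount -Name 'msa-app01' -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'msa-app01'
```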

57 Configure service authentication (2/2)
Configure Kerberos delegation
- IIS may require the Trust this computer for delegation to any service (Kerberos only) option
Manage Service Principal Names (SPNs)
- SetSPN (note that it cannot register duplicate names in a domain in Windows Server 2012)
- <service type>/<instance name>:<port number>/<service name>

58 Configure Domain Controllers (1/2)
Configure Universal Group Membership Caching
- Eliminates dependency on GC during logons
- Set-ADObject "CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=COM"
Transfer and seize operations masters
- NTDSUTIL can transfer and seize roles
- Move-ADDirectoryServerOperationMasterRole for transfer, use -Force for seize
Install and configure an RODC
- Cannot upgrade writable DC to RODC
- Staged installation – delegate installation to non-Domain Admin at remote site (+IFM for speed)

59 Configure Domain Controllers (2/2)
Configure Domain Controller cloning
- VM-GenerationID (supported on Hyper-V on 2012 and VMware 5.0 and later)
- Source VM must be 2012, PDC emulator must be 2012
- Add the source DC to the Cloneable Domain Controllers group
- Run New-ADDCCloneConfigFile to create DCCloneConfig.xml file (IP info, site info)
- Export source DC (Hyper-V or Export-VM cmdlet)
- Import the VM (Hyper-V or Import-VM cmdlet)
- DefaultDCCloneAllowList.XML contains a list of services that are supported for cloning (watch out for unsupported services such as DHCP)
- CustomDCCloneAllowList.xml is for custom services that you are sure about
- See (the entire series is valuable)

60 Maintain Active Directory (1/2)
Back up Active Directory and SYSVOL
- wbadmin start systemstatebackup -backuptarget:e: (this includes SYSVOL)
Manage Active Directory offline
- Stop the Active Directory Domain Services service (Services console or Stop-Service cmdlet)
- Can perform offline defrag (or other maintenance) and then start the service
Optimize an Active Directory database
- LDIFDE can be used to manually kick off a garbage collection process (free up space inside)
- NTDSUTIL can compact ntds.dit file (need adequate disk space to hold second copy of .dit file)

61 Maintain Active Directory (2/2)
Clean up metadata
- Since 2008, deletion of DC from default OU results in automatic metadata cleanup
- Deletion of DC’s NTDS Settings from Sites & Services also results in automatic metadata cleanup
- Otherwise – ntdsutil, metadata cleanup, remove selected server <DN of DC>
Configure Active Directory snapshots
- Ntdsutil, snapshot, activate instance ntds, create
Perform object- and container-level recovery
- Ntdsutil or Restore-ADObject (need Recycle Bin to get the link-valued attributes)
- Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target DomainName -Server DomainControllerName
Perform Active Directory restore
- Authoritative vs. non-authoritative (watch for situations where you restore and the objects get subsequently deleted after the restore)

62 Configure account policies (1/2)
Configure domain user password policy
- Without fine-grained, one password and one lockout policy per domain
- Configure via GPO
Configure and apply Password Settings Objects
- New-ADFineGrainedPasswordPolicy – apply to user or groups (not OU)
- Active Directory Administrative Center
Delegate password settings management
- Can delegate ability to apply a PSO to user or group (Write Property permissions on the PSO)

63 Configure account policies (2/2)
Configure local user password policy
- Can use a GPO linked to an OU with the computer objects
Configure account lockout settings
- “Account lockout duration” setting set to 0 means an administrator must unlock locked accounts
- “Account lockout threshold” setting set to 0 means an account will never get locked out
- “Reset account lockout counter after” setting resets the number of failed logon attempts
- Watch for requirements such as minimizing calls to the Help Desk, maintaining the highest level of security, or situations where a Denial of Service (DoS) is occurring
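A small audit that applies the three lockout rules above to the default domain policy and to every Password Settings Object. This is an added example, not part of the presentation; the function name Test-LockoutPolicy and the sample policies are constructed, and the live query only runs where the ActiveDirectory module is installed.

```powershell
# Added example. Test-LockoutPolicy is a hypothetical helper, not a built-in cmdlet.
function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [int]      $LockoutThreshold,
        [Parameter(Mandatory)] [timespan] $LockoutDuration,
        [Parameter(Mandatory)] [timespan] $LockoutObservationWindow
    )
    $findings = @()
    if ($LockoutThreshold -eq 0) {
        # Threshold 0 disables lockout, so the other two values have no effect.
        $findings += 'Threshold 0: accounts never lock out'
    }
    else {
        if ($LockoutDuration -eq [timespan]::Zero) {
            $findings += 'Duration 0: an administrator must unlock every locked account (Help Desk load, DoS exposure)'
        }
        elseif ($LockoutObservationWindow -gt $LockoutDuration) {
            # Windows requires the reset counter to be less than or equal to the duration.
            $findings += 'Reset counter is longer than the lockout duration'
        }
        if ($LockoutObservationWindow -eq [timespan]::Zero) {
            $findings += 'Reset counter 0: review how failed logon attempts are being counted'
        }
    }
    [pscustomobject]@{
        Policy    = $Name
        Threshold = $LockoutThreshold
        Duration  = $LockoutDuration
        ResetAfter = $LockoutObservationWindow
        Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# Constructed sample policies, so the logic can be checked without a domain.
$policies = @(
    [pscustomobject]@{ Name = 'Sample: no lockout'; LockoutThreshold = 0
                       LockoutDuration = [timespan]'00:30:00'; LockoutObservationWindow = [timespan]'00:30:00' }
    [pscustomobject]@{ Name = 'Sample: admin unlock'; LockoutThreshold = 5
                       LockoutDuration = [timespan]::Zero;     LockoutObservationWindow = [timespan]'00:15:00' }
    [pscustomobject]@{ Name = 'Sample: timed lockout'; LockoutThreshold = 10
                       LockoutDuration = [timespan]'00:30:00'; LockoutObservationWindow = [timespan]'00:30:00' }
)

# On a domain-joined management host, add the live policies to the list.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $policies += Get-ADDefaultDomainPasswordPolicy |
        Select-Object @{ n = 'Name'; e = { 'Default domain policy' } },
                      LockoutThreshold, LockoutDuration, LockoutObservationWindow
    $policies += Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

$policies | ForEach-Object {
    Test-LockoutPolicy -Name $_.Name -LockoutThreshold $_.LockoutThreshold `
        -LockoutDuration $_.LockoutDuration -LockoutObservationWindow $_.LockoutObservationWindow
} | Format-Table -AutoSize -Wrap
```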

64 Exam Updates for R2: Configure and manage Active Directory
Configure service authentication
- Tasks currently measured: Create and configure Service Accounts; create and configure Group Managed Service Accounts; create and configure Managed Service Accounts; configure Kerberos delegation; manage Service Principal Names (SPNs)
- Task changed\added since January 2014: Configure virtual accounts
Maintain Active Directory
- Tasks currently measured: Back up Active Directory and SYSVOL; manage Active Directory offline; optimize an Active Directory database; clean up metadata; configure Active Directory snapshots; perform object- and container level recovery; perform Active Directory restore
- Task changed\added since January 2014: Active Directory Recycle Bin
Configure account policies
- Tasks currently measured: Configure domain user password policy; configure and apply Password Settings Objects (PSOs); delegate password settings management; configure local user password policy; configure account lockout settings
- Task changed\added since January 2014: Configure Kerberos Policy settings

65 Configure and Manage Group Policy
- Configure Group Policy processing
- Configure Group Policy settings
- Manage Group Policy objects (GPOs)
- Configure Group Policy preferences

66 Exam Content Create and Manage Group Policy
GP options
- Enforce
- Block inheritance
- Loopback – merge, replace
- WMI filters
ADMX central store
- Allows editing of the ADMX file
- Extends the functionality of GPMC
Group Policy Preferences (GPP)

67 Exam Content Create and Manage Group Policy
Deploy software
- Publish to users
- Assign to users
- Assign to computers
Software removal
Software Restriction Policies
AppLocker
- Win7 & 2008 R2

68 Configure Group Policy processing (1/3)
Configure processing order and precedence
- LSDOU – remember this!
- Link order – 1 is highest (also referred to as the “top of the list”)
Configure blocking of inheritance
- Nothing above will apply unless a GPO is enforced
Configure enforced policies
- Right-click a GPO and click Enforced to ensure that the GPO cannot be blocked
- Enforced GPOs also ensure that the settings aren’t overwritten by GPOs applied lower in structure
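The interaction of link order, Block Inheritance and Enforced is easier to see when it is computed. The following added example (not part of the presentation) models the Site, Domain and OU levels of LSDOU on constructed data; the function name Get-GpoPrecedence and all GPO and container names are hypothetical, and the local GPO is left out of the model.

```powershell
# Added example. Get-GpoPrecedence is a hypothetical helper that models the rules
# on this slide; it does not query Active Directory.
function Get-GpoPrecedence {
    param(
        # Containers ordered from the top of the hierarchy down to the object's own OU
        # (site, domain, parent OU, child OU). Each has BlockInheritance and Links.
        [Parameter(Mandatory)] [object[]] $Containers
    )
    $normal   = [System.Collections.Generic.List[string]]::new()
    $enforced = [System.Collections.Generic.List[string]]::new()

    foreach ($c in $Containers) {
        # Block Inheritance discards every non-enforced GPO linked higher up.
        if ($c.BlockInheritance) { $normal.Clear() }

        # Within one container the highest link number is applied first and
        # link order 1 is applied last, so link order 1 wins.
        $enforcedHere = @()
        foreach ($link in @($c.Links | Sort-Object LinkOrder -Descending)) {
            if ($link.Enforced) { $enforcedHere += $link.Gpo } else { $normal.Add($link.Gpo) }
        }
        # Enforced links are applied after all normal links, and an enforced link
        # higher in the hierarchy is applied after one lower down, so it wins.
        $enforced.InsertRange(0, [string[]]$enforcedHere)
    }

    # Application order: normal links top-down, then enforced links bottom-up.
    # The GPO applied last wins a conflict, so reverse to get precedence 1 first.
    $applied = @($normal) + @($enforced)
    [array]::Reverse($applied)
    $rank = 0
    foreach ($gpo in $applied) {
        $rank++
        [pscustomobject]@{ Precedence = $rank; Gpo = $gpo }
    }
}

# Constructed hierarchy: the Staff OU blocks inheritance, the domain enforces one GPO.
$containers = @(
    [pscustomobject]@{ Name = 'Site: HQ'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site-Proxy';      LinkOrder = 1; Enforced = $false }) }
    [pscustomobject]@{ Name = 'Domain';   BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Domain-Baseline'; LinkOrder = 1; Enforced = $true  }
        [pscustomobject]@{ Gpo = 'Domain-Desktop';  LinkOrder = 2; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU=Staff'; BlockInheritance = $true;  Links = @(
        [pscustomobject]@{ Gpo = 'Staff-Apps';      LinkOrder = 1; Enforced = $false }
        [pscustomobject]@{ Gpo = 'Staff-Legacy';    LinkOrder = 2; Enforced = $false }) }
)

Get-GpoPrecedence -Containers $containers | Format-Table -AutoSize
```

On a live domain, `Get-GPInheritance -Target <OU distinguished name>` from the GroupPolicy module reports the inherited links and whether inheritance is blocked for a real container.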

69 Configure Group Policy processing (2/3)
Configure security filtering and WMI filtering
- Read and Apply Group Policy (AGP) permissions are required for GPO to apply
- Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Server 2012 Datacenter"
Configure loopback processing
- Loopback with Replace – ensures that settings from User Configuration of GPOs that apply to the computer replace the settings that are set in User Configuration of GPOs that apply to the user
- Loopback with Merge – ensures that settings from the User Configuration of GPOs that apply to the computer merge with the settings that are set in User Configuration of GPOs that apply to the user
- Watch for scenarios such as a kiosk or public computer where all users must have the exact same settings on the computer!

70 Configure Group Policy processing (3/3)
Configure and manage slow-link processing
- Some settings not applied when slow link detected (software installation, folder redirection, etc.)
- Default slow link is less than 500Kbps
- Computer Configuration\Administrative Templates\System\Group Policy
Configure client-side extension (CSE) behavior
- Allow processing across a slow network connection
- Do not apply during periodic background processing
- Process even if the Group Policy objects have not changed
- Settings can be set on extensions such as Scripts, Security, Registry, or other extensions (note that some only have two options, not all three)

71 Configure Group Policy settings (1/2)
Configure settings including software installation, folder redirection, scripts, and administrative template settings
- Assign to user (shortcuts appear on Start menu, not installed yet)
- Assign to computer (no shortcut, install typical at startup)
- Publish to user (add/remove programs availability)
Import security templates
- Import from Group Policy Object Policy/Computer Configuration/Windows Settings/Security Settings
- “Clear this database before importing” option will overwrite, without it you get a merge

72 Configure Group Policy settings (2/2)
Import custom administrative template file
- Add/remove templates while editing GPO
- ADM and ADMX (ADMX cuts down on SYSVOL size because it isn’t stored in GPO)
- ADMX – Central Store (ADM not supported in Central Store)
Convert admin templates using ADMX Migrator
- Free download, GUI conversion using “Generate ADMX from ADM”
- Command line - faAdmxConv.exe name.adm
Configure property filters for admin templates
- Managed – any = all, yes = only, no = only unmanaged
- Configured – any = all, yes = only, no = only not configured
- Commented – any = all, yes = only, no = only uncommented (filters to limit what you see in the GUI)

73 Manage Group Policy objects (GPOs)
Backup, import, copy and restore GPOs
- PowerShell - Backup-GPO, Import-GPO, Copy-GPO, Restore-GPO
- C:\Program Files (x86)\Microsoft Group Policy\GPMC Sample Script (.WSF scripts)
Create and configure Migration Table
- Manually open Migration Table Editor, select source, destination
- Cross-Domain Copying Wizard
- Users, Groups, computers and UNC paths
Reset default GPOs
- Dcgpofix /target:Domain (can also use DC or Both as target)
Delegate Group Policy Management
- Group Policy Creator Owners group - create new GPOs and edit/delete GPOs that they created
- Linking a GPO requires additional permissions (can be granted via ADUC on OU)

74 Comparing Group Policy Preferences and GPO Settings
Group Policy Settings:
- Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify
- Typically disable the user interface for settings that Group Policy is managing
- Refresh policy settings at a regular interval
Group Policy Preferences:
- Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
- Do not cause the application or operating system feature to disable the user interface for the settings they configure
- Refresh preferences by using the same interval as Group Policy settings by default

75 Exam Updates for R2: Configure and Manage Group Policy
Task: Configure Group Policy processing
Tasks currently measured: Configure processing order and precedence; configure blocking of inheritance; configure enforced policies; configure security filtering and WMI filtering; configure loopback processing; configure and manage slow-link processing; configure client-side extension (CSE) behavior
Task changed\added since January 2014: Force Group Policy update; configure and manage slow-link processing and Group Policy caching

76 Example question
You are the system administrator for Woodgrove Bank. An existing GPO named GPO1 is linked to an OU named Corp. The Corp OU contains all user objects. You need to ensure that a GPO named GPO2 applies to all users in the Corp OU while also ensuring that settings in GPO2 take precedence over the same settings in GPO1. What should you do?
- Link GPO2 to the domain.
- Link GPO2 to the site.
- Migrate GPO2 to a local GPO.
- Configure GPO2 to be enforced.

77 In Review: Session Objectives And Takeaways
Session Objective(s):
- Certification Overview
- Exam Preparation per Section
- Describe key & exam objectives
- Prepare more effectively using available study material
- Relate practical Windows Server 2012 experience to exam
- Identify areas that may require extra studying
- Action plan for exam preparation and success

78 Related Content Additional Exam Prep Sessions Hands-on Labs
Additional Exam Prep Sessions
- EXM08 Exam Prep: and MCSA: Windows Server 2012 (Repeated), Tuesday, May 13 5:00 PM - 6:15 PM, Room: Hilton L2 Ballrm F (Alfred Ojukwu)
- EXM01 Exam Prep: and MCSA: Windows Server 2012, Monday, May 12 3:00 PM - 4:15 PM, Room: Hilton L2 Ballrm F (Alfred Ojukwu)
- EXM03 Exam Prep: and MCSA: Windows Server 2012, Monday, May 12 4:45 PM - 6:00 PM, Room: Hilton L2 Ballrm F (Peter De Tender)
- EXM10 Exam Prep: and MCSE: Server Infrastructure, Wednesday, May 14 10:15 AM - 11:30 AM, Room: Hilton L2 Ballrm F (Ryan Sokolowski)
Hands-on Labs
- Any session that starts with PCIT-H3XX Windows Server 2012 R2

79 Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd
- Sessions on Demand
- Learning: Microsoft Certification & Training Resources
- TechNet: Resources for IT Professionals
- msdn: Resources for Developers

80 Complete an evaluation and enter to win!

81 Evaluate this session Scan this QR code to evaluate this session.


