
The Custom option allows a pristine (clean) install of the server OS.

Types of Windows Server 2012 R2.

Windows Server 2012 R2 Foundation: Intended for small office networks. Up to 15 users, no
CALs required. Single CPU socket, no core limit. Max 32 GB of RAM. No virtualization rights.
Windows Server 2012 R2 Essentials: Also for small offices. Up to 25 users and 50 devices.
Preconfigured connectivity to cloud-based services: Remote Web Access, My Server app for
phones, Microsoft Azure Backup integration, Office 365. Limited virtualization rights (the
physical instance may be used only as a Hyper-V host for one virtual instance of Essentials).
Windows Server 2012 R2 Standard: The entirety of Windows Server. Up to 2 CPU sockets per
license, no core limit. Two virtual instances per license.
Windows Server 2012 R2 Datacenter: The entirety of Windows Server. Up to 2 CPU sockets per
license, no core limit. Unlimited virtual instances.

Core vs. Non-Core
Server with a GUI is the standard Windows GUI; Server Manager and MMC consoles are supported. All
roles can be installed.
Windows Server 2012 R2 Server Core removes the Start screen, Explorer, Internet Explorer and the desktop,
which also removes the patching and attack surface that come with them.
Supported roles on Server Core:
AD Certificate Services.
AD Domain Services.
AD Lightweight Directory Services.
AD Rights Management Services.
DHCP Server.
DNS Server.
File and Storage Services.
Hyper-V.
Print and Document Services.
Remote Access Services.
Streaming Media Services.
Web Server (IIS).
Windows Server Update Services.
The Desktop Experience feature is for using Windows Server like a desktop OS: the standard GUI
with the traditional Start screen plus the Windows Store and Store apps.

Roles, Role Services and Features.

Adding a role usually requires additional role services and configuration.
Role: a primary function the server provides (DNS, DHCP, file server, ...).
Role services: the components that provide the functions of a role.
Features: supporting functions that do not belong to one established role (e.g. .NET Framework, BitLocker).

PowerShell for installing a feature.

Get-WindowsFeature lists roles, role services and features; items already installed show [X] in the
Install State column.
Install-WindowsFeature <name> installs the role, role service or feature by its Name (not its Display Name).
Add -IncludeManagementTools for the admin tools and -Restart if a reboot is required.
Uninstall-WindowsFeature <name> removes an installed role, role service or feature (Remove-WindowsFeature is an alias).
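Added example, not from the original notes: use the three cmdlets above to audit a server against an approved role/feature baseline and stage removal of the extras (unused roles are unpatched attack surface). The baseline list is an assumption for illustration; replace it with your build standard.

```powershell
# Added example (not from the original notes): audit installed roles/features on a
# 2012 R2 server and report anything outside an approved baseline. The baseline
# list is an assumption for illustration; adjust it to your build standard.
$Baseline = @('FileAndStorage-Services','File-Services','FS-FileServer','Storage-Services',
              'NET-Framework-45-Features','NET-Framework-45-Core','PowerShellRoot','PowerShell',
              'PowerShell-ISE','WoW64-Support','Server-Gui-Mgmt-Infra','Server-Gui-Shell',
              'User-Interfaces-Infra')

# Everything currently installed, by the Name used with Install-/Uninstall-WindowsFeature.
$Installed = Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object -ExpandProperty Name

# Anything installed but not in the baseline is extra attack surface to review.
$Unexpected = $Installed | Where-Object { $Baseline -notcontains $_ }
$Unexpected | ForEach-Object { Write-Output "Not in baseline: $_" }

# Dry run of removing the extras. Drop -WhatIf only after reviewing the list;
# removing a parent role (e.g. Web-Server) also removes its role services.
if ($Unexpected) {
    Uninstall-WindowsFeature -Name $Unexpected -WhatIf
}
```

Run it with -WhatIf first; Uninstall-WindowsFeature of a role such as Web-Server also removes that role's services, so review the list before removing the switch.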

Upgrade Methods.
Clean Install: Used for new installs and to replace an old OS instance. Required when changing
from x86 to x64, when changing languages, and when converting from pre-release to released
versions.
Upgrade: In-place upgrade of an existing OS. Supported source versions: Server 2008 SP2,
2008 R2 SP1 and 2012, Standard and Datacenter editions.
License Conversion: DISM /online /Set-Edition:<edition> /ProductKey:<key> /AcceptEula converts an
installed server to a higher edition (e.g. Standard to Datacenter) without reinstalling.
Role Migration: Windows Server Migration Tools are an installable feature in Server Manager
(PowerShell: Install-WindowsFeature Migration). The tools must be installed on both the
source and destination machines. Migration steps differ per role. Export-SmigServerSetting
and Import-SmigServerSetting bundle settings, users and groups for migration.

WinSxS (the Windows side-by-side component store) is where Windows keeps the componentized roles,
services and features. Removed features can be reinstalled without media unless their payload was
also removed from the store (Uninstall-WindowsFeature -Remove).

Configuring:
Network teaming is configured via NIC Teaming in Server Manager (or lbfoadmin.exe). Under Teaming you
select the adapters for the team. Static and LACP teaming modes both require matching switch
configuration. Switch Independent needs no switch configuration. Load balancing mode is Address
Hash, Hyper-V Port (for Hyper-V hosts) or Dynamic.

Via PowerShell.
Get-NetAdapter lists adapters (Get-NetAdapter -Name <alias> | Format-List * shows all properties).
Set-* cmdlets change existing items; New-* cmdlets create new ones. When setting an IP with
New-NetIPAddress use -PrefixLength (mask length in bits) rather than a dotted subnet mask.
Set-DnsClientServerAddress -InterfaceAlias <alias> -ServerAddresses <ip>[,<ip>] sets DNS servers.
New-NetLbfoTeam -Name <team name> -TeamMembers <adapter>[,<adapter>] -TeamingMode
<SwitchIndependent|Static|Lacp> -LoadBalancingAlgorithm <TransportPorts|IPAddresses|MacAddresses|HyperVPort|Dynamic>
Get-Help *lbfo* lists the teaming cmdlets.
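Added example, not from the original notes: the switch-independent team described above built with New-NetLbfoTeam, with checks a practitioner wants before and after. Adapter names and the team name are assumptions.

```powershell
# Added example (not from the original notes): build a switch-independent team from two
# adapters and verify it. Adapter names and the team name are assumptions.
$Members = 'Ethernet','Ethernet 2'

# Sanity check: refuse to team adapters that are down or already part of a team.
$Bad = Get-NetAdapter -Name $Members | Where-Object { $_.Status -ne 'Up' }
if ($Bad) { throw "Adapter(s) not up: $($Bad.Name -join ', ')" }
if (Get-NetLbfoTeamMember -Name $Members -ErrorAction SilentlyContinue) {
    throw 'One of the adapters is already a team member'
}

# Switch-independent needs nothing on the switch; Dynamic balancing is the 2012 R2 default.
New-NetLbfoTeam -Name 'Team1' -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# The team exposes a new adapter named after the team; IP settings go on that, not the members.
Get-NetAdapter -Name 'Team1' | Select-Object Name,Status,LinkSpeed

# Verify: team status and per-member state. A member that is not Active means a cabling
# or switch-side problem even though the team itself reports Up.
Get-NetLbfoTeam -Name 'Team1' | Select-Object Name,Status,TeamingMode,LoadBalancingAlgorithm
Get-NetLbfoTeamMember -Team 'Team1' | Select-Object Name,AdministrativeMode,OperationalStatus
```

Static or LACP modes use the same command with -TeamingMode Static or Lacp, but the team stays down until the switch ports are configured to match.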

Delegate Administration:
Tools, Local Security Policy, Local Policies, User Rights Assignment controls who may log on locally,
log on through Remote Desktop, back up files, shut down the system, etc.
To create a local account go to Computer Management, Local Users and Groups (command line: net user <name> <password> /add).

Services.
services.msc shows the installed services.
From the command line: sc query lists the installed services; sc stop <service name> and
sc start <service name> control one.
PowerShell: Get-Service <name> | Stop-Service (or Start-Service, Suspend-Service, Restart-Service).

Configure via Server Core.

Set-DisplayResolution -Width <width> -Height <height> sets the console resolution. timedate.cpl opens
the Date and Time dialog. Rename-Computer and Add-Computer rename the machine and join it to a
domain. slmgr.vbs -ipk <productkey> sets the product key and slmgr.vbs -ato activates.
sconfig.cmd opens the Server Configuration text menu (computer name, domain join, network, updates,
remote management) so the common settings can be made without typing each command.
cscript scregedit.wsf configures registry settings such as Remote Desktop and automatic updates.
Enable-PSRemoting enables WinRM so the server can be configured remotely with PowerShell.

Convert from Core to Full.

Install-WindowsFeature with -Source does the conversion; the GUI binaries are not kept on a
Core install, so they must come from a mounted install.wim (or from Windows Update).
First connect to a location that has the needed files, e.g. a network share: net use <drive>: \\server\share,
then cd to the folder holding install.wim.
mkdir C:\<mount folder> creates a mount point.
dism /get-wiminfo /wimfile:<path>\install.wim lists the image indexes (Core vs. Server with a GUI, Standard vs. Datacenter).
dism /mount-wim /wimfile:<path>\install.wim /index:<n> /mountdir:C:\<mount folder> /readonly mounts the
chosen image read-only so it cannot be modified.
Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source C:\<mount folder>\windows\winsxs
pulls the files from the mount point.
(This only works when the source image is at the same patch level as the server; otherwise the
server needs Windows Update access to fetch current files from Microsoft.)
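Added example, not from the original notes: the same Core-to-GUI conversion without a manual mount, using the wim:<path>:<index> form that -Source accepts, and checking the result object instead of assuming success. Media path and index are assumptions.

```powershell
# Added example (not from the original notes): convert Server Core to Server with a GUI without
# mounting the WIM by hand, using the wim:<path>:<index> form of -Source. The media path and
# index are assumptions; the index must be a "Server with a GUI" image of this edition at the
# same patch level, or the install reports a missing source.
$Wim = 'D:\sources\install.wim'

# List the images in the WIM so the right index is chosen (names end in SERVERSTANDARD,
# SERVERSTANDARDCORE, etc.); this is the same data the GUI wizard would read.
dism /get-wiminfo /wimfile:$Wim | Select-String '^(Index|Name)'
$Index = 2   # assumption: index 2 is the Server with a GUI image in this media

# Server-Gui-Mgmt-Infra gives Server Manager and MMC (Minimal Server Interface);
# Server-Gui-Shell adds Explorer, IE and the full desktop.
$Result = Install-WindowsFeature -Name Server-Gui-Mgmt-Infra,Server-Gui-Shell `
            -Source "wim:$($Wim):$Index" -Restart:$false

$Result | Format-List Success,RestartNeeded,ExitCode
if (-not $Result.Success) {
    # Typical cause: source image older than the running OS; patch the WIM or use Windows Update.
    throw "Install failed with $($Result.ExitCode)"
}
if ($Result.RestartNeeded -eq 'Yes') { Write-Output 'Reboot to finish switching to the GUI.' }
```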

Convert from Full to Core.

Uninstall-WindowsFeature Server-Gui-Shell,Server-Gui-Mgmt-Infra -Restart takes you back to Core
(Remove-WindowsFeature is an alias). Removing only Server-Gui-Shell leaves the Minimal Server
Interface: Server Manager and MMC without Explorer, IE or the desktop.

Deploying roles on remote servers.

The same cmdlets install features and roles, with an extra parameter:
Install-WindowsFeature <feature name> -ComputerName <server> installs on a remote server over WinRM.
This lets you configure servers already joined to AD from one console; the account used needs
local administrator rights on the target.

Add and remove features in offline images.

DISM does this.
First mount the image (dism /mount-wim ... /mountdir:<mount folder>, without /readonly if you intend to commit changes).
dism /image:<mount folder> /get-features lists the features and their state.
dism /image:<mount folder> /get-featureinfo /featurename:<feature> shows details of one feature.
dism /image:<mount folder> /enable-feature /featurename:<feature> turns the feature on (/disable-feature turns it off).
dism /unmount-wim /mountdir:<mount folder> /commit writes the changes back (/discard throws them away).
If the image was mounted /readonly, /commit fails with an error.
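Added example, not from the original notes: the offline servicing sequence above driven from PowerShell, checking DISM's exit code at each step and discarding the mount on failure so a half-applied change never gets committed. Paths, index and feature name are assumptions.

```powershell
# Added example (not from the original notes): service an offline install.wim, enabling a
# feature and committing the change. Paths, index and feature name are assumptions.
$Wim     = 'C:\images\install.wim'
$Mount   = 'C:\mount'
$Index   = 2
$Feature = 'TelnetClient'

New-Item -ItemType Directory -Path $Mount -Force | Out-Null

# Mount writable (no /readonly), otherwise /commit later fails.
dism /mount-wim /wimfile:$Wim /index:$Index /mountdir:$Mount
if ($LASTEXITCODE -ne 0) { throw "mount failed: $LASTEXITCODE" }

try {
    # Read the current state before touching anything.
    dism /image:$Mount /get-featureinfo /featurename:$Feature | Select-String 'State'

    dism /image:$Mount /enable-feature /featurename:$Feature
    if ($LASTEXITCODE -ne 0) { throw "enable-feature failed: $LASTEXITCODE" }

    # Confirm it is now enabled in the offline image.
    dism /image:$Mount /get-features | Select-String -Context 0,1 $Feature

    dism /unmount-wim /mountdir:$Mount /commit
    if ($LASTEXITCODE -ne 0) { throw "commit failed: $LASTEXITCODE" }
}
catch {
    Write-Warning $_
    # Throw the partial change away so the WIM is left untouched.
    dism /unmount-wim /mountdir:$Mount /discard
}
```

If a previous session left a stale mount, dism /cleanup-wim releases it before the mount step will succeed.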

Configure Local Storage.

Decide between GPT and MBR.
MBR: Supports disks up to 2 TB. Uses a partition table in the first sector of the disk to record where
each partition is located. Can only have 4 primary partitions, or three primary plus one
extended.
GPT: Supports disks larger than 2 TB and up to 128 partitions. Older Windows versions (32-bit XP,
2003 x86) cannot recognize GPT disks, and booting from GPT requires UEFI firmware.

After adding a disk you must bring it online. Once online you initialize it as
either MBR or GPT. The Volumes tab of the disk's properties shows the partition style.
Command line: diskpart (PowerShell: Get-Disk, Initialize-Disk -PartitionStyle GPT).

Basic vs. Dynamic.
Basic: A volume can be extended only into adjacent, contiguous unallocated space on the same disk.
Dynamic: Supports spanned, striped, mirrored and RAID-5 volumes. Supports an unlimited number
of volumes. Volumes can extend across multiple disks.
Simple Volume: Space from a single disk.
Spanned Volume: Joins space from multiple disks into one volume to extend capacity. Loss of
one disk loses the entire volume.
Mirrored Volume: Keeps two copies of the data on two disks (RAID-1); survives loss of one disk.
Striped Volume: Splits data into stripes across multiple disks for faster access (RAID-0); no redundancy.
RAID-5: Requires 3 or more disks. Data is striped across all disks with one stripe's worth of parity
per row, distributed across the disks rather than on a dedicated disk, so the volume survives
loss of any single disk.

VHD.
Create via Action, Create VHD, then set a location and size. VHD supports up to 2 TB; VHDX
allows up to 64 TB and is resilient to power failures (its metadata is logged). Choose fixed or
dynamically expanding size; dynamic grows as it is used. To attach, select Action, Attach VHD
and select the file. The VHD then appears as a disk and can be used like one.

Design Storage Spaces.

Requires basic (unpartitioned, non-dynamic) disks but provides the resiliency found in dynamic
disks. A storage pool groups physical disks; virtual disks (spaces) are then created from the pool.

Configure Storage Pool.

Select Storage Pools in Server Manager (File and Storage Services, Volumes). This shows the
primordial pool of available disks. Select New Storage Pool, give it a name, then select the
physical disks that go into the pool. Only disks that are eligible (no partitions) are shown.
Allocation can be Automatic, Manual or Hot Spare; a hot spare is held back and takes over when
a pooled disk fails. Once the pool is created a virtual disk is needed to allocate storage.

Name the virtual disk. (Storage tiers move data between HDDs and SSDs: frequently
accessed blocks migrate to the SSD tier and, when no longer hot, migrate back to HDD.)
Resiliency is Simple (striping, no redundancy), Mirror (two- or three-way) or Parity. Then select
Fixed or Thin provisioning. Set the size and create. Once the virtual disk exists, create a volume on it.
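Added example, not from the original notes: the pool, virtual disk and volume steps above done with the Storage module, including the hot-spare and health checks. Disk selection, names and sizes are assumptions.

```powershell
# Added example (not from the original notes): build a pool, a mirrored thin-provisioned
# virtual disk and an NTFS volume from it. Disk selection, names and sizes are assumptions.
# Only disks that can be pooled (no partitions, not the boot disk) are offered by the OS.
$Subsystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
$Eligible  = @(Get-PhysicalDisk -CanPool $true)

if ($Eligible.Count -lt 2) { throw 'A mirror needs at least two poolable disks' }

# Pool all eligible disks; hold one back as a hot spare if there are three or more.
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName $Subsystem.FriendlyName `
    -PhysicalDisks $Eligible | Out-Null
if ($Eligible.Count -ge 3) {
    Set-PhysicalDisk -UniqueId $Eligible[-1].UniqueId -Usage HotSpare
}

# Two-way mirror, thin provisioned: capacity is committed only as data is written.
$VDisk = New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Data1' `
           -ResiliencySettingName Mirror -NumberOfDataCopies 2 `
           -Size 200GB -ProvisioningType Thin

# The virtual disk appears as a new disk; initialize, partition and format it.
$Disk = $VDisk | Get-Disk
Initialize-Disk -Number $Disk.Number -PartitionStyle GPT
$Part = New-Partition -DiskNumber $Disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $Part.DriveLetter -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

# Check health: the pool and virtual disk should both report Healthy.
Get-StoragePool -FriendlyName 'Pool1' | Select-Object FriendlyName,HealthStatus,OperationalStatus
Get-VirtualDisk -FriendlyName 'Data1' | Select-Object FriendlyName,ResiliencySettingName,HealthStatus
```

With thin provisioning the pool can be oversubscribed, so monitor the pool's free space; a full pool takes the virtual disks offline.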

Configuring IPv4
Network and Sharing Center, Change adapter settings. Select the adapter, Properties. This lets you set the
addresses for both IPv4 and IPv6. If "Obtain an IP address automatically" is selected you can also set an
alternate configuration, used when no DHCP server answers instead of falling back to APIPA. Additional
addresses are added via Advanced. Test by pinging the addresses you set.
Test-Connection -ComputerName <address you set> does the same from PowerShell.

Configuring IPv4 via Server Core.

sconfig opens the menu. Option 8 configures network settings. It lists the adapters with an index
number; pick one, then use the options to change settings. It steps through what needs setting:
IP address, subnet mask, gateway, then DNS servers.

IP Configuration via PowerShell.

Find the cmdlets with Get-Command -Module NetTCPIP.
Get-NetIPInterface shows the IP interfaces of the adapters in the system, per address family.
Get-NetIPConfiguration shows output similar to ipconfig /all.
Get-NetIPConfiguration -ComputerName <name> shows the same for a remote computer (over WinRM).
Get-NetRoute gives the routing table.
Get-NetIPAddress gives the IP address information. Get-Help *-NetIPAddress lists the
cmdlets that work on IP addresses (Get, New, Set, Remove).
netsh interface <ipv4|ipv6> show interfaces shows the adapters that have that protocol enabled.
netsh interface <ipv4|ipv6> add address "<adapter name>" <address> <subnet mask> adds a secondary address.
Get-NetIPInterface -InterfaceIndex <n> -AddressFamily <IPv4|IPv6> |
New-NetIPAddress -IPAddress <address> -PrefixLength <bits> adds an address to that interface.

IPv4 and IPv6 subnetting.
IPv4 is a 32-bit addressing scheme; IPv6 is 128-bit. With IPv6 hosts normally sit in a /64, so
subnetting below that is usually unnecessary.
IPv6 addresses are shortened by dropping leading zeros in each group and replacing one run of
all-zero groups with :: (zero compression).

Classes and subclasses.

2000::/3 - Global unicast.
fe80::/10 - Link-local, the equivalent of APIPA addresses. Shown with a percent sign and a number
(zone ID) to indicate which adapter the address belongs to.
::1 - Loopback address (:: alone, all zeros, is the unspecified address).

IPv6.
Address information comes from the same cmdlets as IPv4 with -AddressFamily IPv6.
Setting statics is the same as for IPv4 (New-NetIPAddress).
The subnet is given as a prefix length in bits (e.g. /64).
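Added example, not from the original notes: static IPv4 and IPv6 addressing on one adapter with the NetTCPIP cmdlets described above, covering the DHCP-to-static switch the notes do not spell out and verifying the result. Adapter alias, addresses, gateway and DNS servers are assumptions.

```powershell
# Added example (not from the original notes): replace DHCP on one adapter with static IPv4 and
# IPv6 addressing, then verify. Adapter alias, addresses, gateway and DNS servers are assumptions.
$Alias = 'Ethernet'

# Work from the interface index so later cmdlets target exactly this adapter.
$IfIndex = (Get-NetAdapter -Name $Alias).ifIndex

# Stop DHCP before adding statics, otherwise the lease address lingers beside the static one.
Set-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $IfIndex -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue

# -PrefixLength is the mask in bits (24 = 255.255.255.0); -DefaultGateway adds the 0.0.0.0/0 route.
New-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily IPv4 -IPAddress 192.168.0.10 `
    -PrefixLength 24 -DefaultGateway 192.168.0.1
# IPv6 uses the same cmdlet with a different family; a /64 is the normal host subnet.
New-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily IPv6 -IPAddress 2001:db8:0:1::10 `
    -PrefixLength 64 -DefaultGateway 2001:db8:0:1::1
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses 192.168.0.2,2001:db8:0:1::2

# Verify the addresses took and that the gateway and a DNS server answer.
Get-NetIPAddress -InterfaceIndex $IfIndex | Select-Object AddressFamily,IPAddress,PrefixLength,PrefixOrigin
Get-NetRoute -InterfaceIndex $IfIndex -DestinationPrefix '0.0.0.0/0','::/0' | Select-Object DestinationPrefix,NextHop
Test-NetConnection -ComputerName 192.168.0.1
Test-NetConnection -ComputerName 192.168.0.2 -Port 53
```

PrefixOrigin shows Manual for the static addresses and Dhcp for anything left over; if a Dhcp entry is still listed the lease was not released and the adapter has two addresses.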

Configure Interoperability between IPv4 and IPv6.

IPv6 can be deployed on hosts independently of other devices. Dual-stack IPv6 hosts can be added
without affecting existing IPv4-only hosts.

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). Enables IPv6 connectivity over an IPv4
intranet. Automatically configured. The first 64 bits are a link-local, site-local or global prefix.
The next 32 bits are 0000:5efe (0200:5efe when the embedded IPv4 address is globally unique).
The last 32 bits are the IPv4 address (e.g. fe80::5efe:192.168.0.1).

ISATAP via PowerShell.

Get-NetIsatapConfiguration (Set-NetIsatapConfiguration -State Disabled turns it off).

6to4 addresses (for the Internet).

Tunnels IPv6 over the public IPv4 Internet using 2002::/16 addresses derived from the host's
public IPv4 address. Needs a 6to4 router/relay to reach native IPv6.

Teredo (for apps that must cross an IPv4 NAT).

Tunnels IPv6 across NAT devices by encapsulating IPv6 packets in IPv4 UDP (port 3544).

Configure the above via Group Policy.

Server Manager, Tools, Group Policy Management. Computer Configuration, Policies, Administrative
Templates, Network, TCPIP Settings, IPv6 Transition Technologies holds the policies that set the
state and router/server names for ISATAP, 6to4 and Teredo.
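Added example, not from the original notes: inventory and disable the three transition technologies locally with the Net* cmdlets. On networks that do not deliberately use them, ISATAP, 6to4 and Teredo create IPv6 paths that IPv4-only firewall rules and inspection never see, so disabling them (here, or centrally with the Group Policy above) is the usual hardening step.

```powershell
# Added example (not from the original notes): inventory the IPv6 transition technologies and
# disable them. On networks that do not intentionally use ISATAP/6to4/Teredo they are a
# common way to bypass IPv4-only firewall rules and inspection, so the usual hardening is
# to turn them off (the Group Policy above does the same thing centrally).
function Get-TransitionState {
    # One object with the configured state of each technology, so the result can be
    # compared before and after the change or collected from many servers.
    [pscustomobject]@{
        Isatap    = (Get-NetIsatapConfiguration).State
        SixToFour = (Get-Net6to4Configuration).State
        Teredo    = (Get-NetTeredoConfiguration).Type
    }
}

$Before = Get-TransitionState

Set-NetIsatapConfiguration -State Disabled
Set-Net6to4Configuration   -State Disabled
Set-NetTeredoConfiguration -Type Disabled

$After = Get-TransitionState

# Show the change and confirm no tunnel interface is still active.
[pscustomobject]@{ Before = $Before; After = $After } | Format-List
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -match 'isatap|6to4|Teredo' -and $_.ConnectionState -eq 'Connected' } |
    ForEach-Object { Write-Warning "Still connected: $($_.InterfaceAlias)" }
```

A Group Policy that sets these to Enabled will re-enable them at the next refresh, so on domain members make the change in the GPO rather than only on the host.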

DHCP process.
The DHCP client broadcasts a DHCPDISCOVER from 0.0.0.0 to 255.255.255.255. A DHCP server responds
with a DHCPOFFER containing an IP address, subnet mask and lease. The client takes the first offer
it receives and broadcasts a DHCPREQUEST naming that server; the server answers with a DHCPACK.
The default lease is 8 days. The client attempts to renew with the leasing server at 50% of the
lease (T1). If that fails it broadcasts at 87.5% (T2) to any server that can renew the lease. If the
lease expires unrenewed, the client falls back to an APIPA address (169.254.0.0/16).
Installing DHCP.
DISM /online /enable-feature /featurename:DHCPServer
PowerShell: Install-WindowsFeature DHCP -IncludeManagementTools (this adds the admin tools).
Through Server Manager: Add Roles and Features, click Next until you get to Server Roles.
Select DHCP Server in the roles list and add the tools if you need them. After the install, run
the post-install task from the Server Manager notification; it creates the DHCP Administrators
and DHCP Users groups and authorizes the server in AD.

To confirm, check that DHCP appears under Tools in Server Manager.

Creating Scopes.
Select IPv4 or IPv6. Right-click and select New Scope. Give it a name and description. Set the start
and end address (e.g. 192.168.0.10 to 192.168.0.20) and the subnet mask length. You can set
exclusions (single addresses or ranges) and a subnet delay, how long the server waits before
responding to a DISCOVER (used to make one server the preferred one in a split scope). The next
field is the lease duration. You can then configure scope options. Once completed you have to
activate the scope, or it never hands out leases. The process is the same for IPv6.

Add-DhcpServerv4Scope -Name <name> -StartRange <start IP> -EndRange <end IP>
-SubnetMask <mask> -State Active (Add-DhcpServerv6Scope -Prefix <prefix> for IPv6)

Setting options and reservations.

Open the scope and select Scope Options. Scope options override server options (and reservation
options override scope options). Select the options to add: 003 Router, 006 DNS Servers, 015 DNS
Domain Name, etc. For WINS servers (044) you also need the node type (046); the wizard shows a
short description of each node type beside the field.

Reservations.
New Reservation. Give it a name and the IP address to assign. You need the MAC address of the
machine in question; the reservation binds that IP to the MAC, so a client presenting that MAC
always gets it.

Configure PXE.
Configure Options: option 066 (Boot Server Host Name, the IP or name of the WDS server) and
option 067 (Bootfile Name, the file to fetch from the boot server, e.g. boot\x64\wdsnbp.com).

Authorize DHCP.
In an AD domain a DHCP server must be authorized in AD before it will serve leases; an
unauthorized server stops its DHCP service. In the DHCP console: Manage Authorized Servers,
Authorize, enter the name or IP address, OK, OK again. Select the server in the list and click OK.
The server then activates its configured scopes. PowerShell: Add-DhcpServerInDC -DnsName <fqdn> -IPAddress <ip>.
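Added example, not from the original notes: the whole DHCP procedure above (install, authorize, scope with exclusions, options including the PXE hand-off, reservation) as one PowerShell run with verification at the end. Names, addresses, the MAC and the WDS server are lab assumptions.

```powershell
# Added example (not from the original notes): install DHCP, authorize it in AD, then build an
# IPv4 scope with exclusions, options, a PXE boot hand-off and a reservation. All names,
# addresses, MAC and the WDS server are assumptions for a lab.
Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
Add-DhcpServerSecurityGroup                      # creates DHCP Administrators / DHCP Users
Add-DhcpServerInDC -DnsName 'dhcp1.company.local' -IPAddress 192.168.0.5
Restart-Service DHCPServer

# Scope, activated at creation; scopes are inactive by default and then hand out nothing.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.0.10 -EndRange 192.168.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
# Keep a block free for statically addressed infrastructure.
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0 -StartRange 192.168.0.10 -EndRange 192.168.0.19

# Scope options (override server options): router, DNS, domain suffix.
# -Force skips the check that the DNS servers answer, which fails in an isolated lab.
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -Router 192.168.0.1 `
    -DnsServer 192.168.0.2,192.168.0.3 -DnsDomain 'company.local' -Force
# PXE: 066 boot server, 067 boot file, as scope options.
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -OptionId 66 -Value '192.168.0.20'
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -OptionId 67 -Value 'boot\x64\wdsnbp.com'

# Reservation: the MAC is the key, so this client always receives .50.
Add-DhcpServerv4Reservation -ScopeId 192.168.0.0 -IPAddress 192.168.0.50 `
    -ClientId '00-15-5D-01-02-03' -Name 'printer1' -Description 'Print server'

# Verify what the server will actually hand out.
Get-DhcpServerInDC
Get-DhcpServerv4Scope | Select-Object ScopeId,Name,State,LeaseDuration
Get-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0
Get-DhcpServerv4OptionValue -ScopeId 192.168.0.0 | Select-Object OptionId,Name,Value
Get-DhcpServerv4Reservation -ScopeId 192.168.0.0
```

A MAC is trivially spoofed, so a reservation pins an address but is not an access control; use 802.1X or DHCP snooping on the switch if that matters.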

DHCP Relay Agent.

Forwards DHCP broadcasts from a subnet with no DHCP server to a DHCP server (as unicast) and
relays the reply back to the client. Requires the Routing and Remote Access role service. Open the
Routing and Remote Access tool, IPv4, General, New Routing Protocol, DHCP Relay Agent. Add a new
interface, which lets you select the adapter facing the clients. In the relay agent's properties
enter the DHCP server address.
DNS Hierarchy and Queries.
The client sends a recursive query to its local DNS server, which must return the final answer.
To get it the DNS server queries other servers (iterative queries): it starts at the root servers,
which refer it to the TLD servers, which refer it to the authoritative servers for the zone.
Names are resolved right to left (root, then TLD, then domain, then host), one referral per label.

Installing DNS.
Manage, Add Roles and Features, select DNS Server. On a domain controller DNS is usually already
installed (it is added during promotion when Install DNS is selected).
From the command line: DISM /online /enable-feature /featurename:DNS-Server-Full-Role
PowerShell: Install-WindowsFeature DNS -IncludeManagementTools includes the GUI console.
To open the tool: Server Manager, Tools, DNS.

DNS Zones.
Forward lookup zones: find an IP via a name.
Properties contains Status, Type (e.g. Active Directory-integrated, which stores the zone in AD
and replicates it to other DCs, giving fault tolerance and multi-master updates) and Replication
scope, which controls which DNS servers/DCs receive the zone.
Dynamic updates: Secure only means a client must authenticate (Kerberos) before it can update a DNS record.

Reverse lookup zones: find a name via an IP. Set up the same way as forward lookup zones. The wizard
asks for IPv4 or IPv6 and then the network ID (the address prefix) of the network the reverse lookups
cover.

Create Zones.
New Zone, choose the zone type. Primary makes this DNS server hold the read/write copy that can
be modified as needed. Storing it in Active Directory (AD-integrated) gives multi-master
replication and enables secure dynamic updates. Name the zone as needed. "Allow only secure
dynamic updates" means a system must authenticate before it can update records. "Allow both
nonsecure and secure" lets any host register or overwrite records, so an attacker on the network
can hijack a name; prefer secure only.

Creating an A record.
When you create it the FQDN is filled in automatically from the host name and zone (e.g.
client.mydomain.com). After creating the record you may need to flush the client resolver cache
(ipconfig /flushdns).

For a non-AD-integrated zone the server creates a zone file under
%SystemRoot%\System32\dns, a text file named after the DNS zone (e.g. mydomain.com.dns).

Setting up other Zones.

New Zone, same steps until selecting Secondary. A secondary cannot be AD-integrated. This creates a
read-only copy of the zone you specify. Enter the name or IP of the master server that holds the
zone. By default a Windows primary zone does not allow zone transfers to arbitrary servers. Go to
the primary zone, Properties, Zone Transfers, and specify which servers the primary will transfer to.
Options: to any server (not recommended: it lets anyone enumerate the whole zone with an AXFR),
only to servers on the Name Servers tab, or only to the listed IPs.
Right-click the secondary and select Transfer from Master, then refresh.

Stub Zone.
New Zone, select Stub Zone, enter the zone name of the other DNS zone and the IP of its master. A
stub holds only the SOA, NS and glue A records of the target zone and uses them to find that
zone's authoritative servers.

Configure forwarders.
Forwarders pass queries this server cannot answer to another server that is better placed to
handle them (e.g. an upstream resolver) instead of using root hints.
Right-click the server, Properties, Forwarders, Edit, and enter the IP of the target DNS server.
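Added example, not from the original notes: the zone types above created with the DnsServer module, with zone transfers restricted to the listed secondaries rather than left open. Zone names, server names and addresses are assumptions.

```powershell
# Added example (not from the original notes): create an AD-integrated primary with secure-only
# dynamic updates, lock zone transfers down to the listed secondaries, then build the
# secondary, a stub and a forwarder. Zone names, server names and addresses are assumptions.
$Zone        = 'company.local'
$Secondaries = @('192.168.0.3')

# Primary stored in AD, replicated to all DNS servers in the domain, secure updates only.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure

# Zone transfers: TransferToSecureServers = only to the IPs in -SecondaryServers.
# (TransferAnyServer would let anyone AXFR the whole zone.)
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondaries -Notify NotifyServers -NotifyServers $Secondaries

# On the secondary server (192.168.0.3): read-only copy pulled from the master.
Invoke-Command -ComputerName 'dns2.company.local' -ScriptBlock {
    Add-DnsServerSecondaryZone -Name $using:Zone -ZoneFile "$using:Zone.dns" -MasterServers 192.168.0.2
    Start-DnsServerZoneTransfer -Name $using:Zone -FullTransfer
}

# Stub zone for a partner domain: keeps only NS/SOA/glue and follows them to the real servers.
Add-DnsServerStubZone -Name 'partner.example' -MasterServers 10.0.0.53 -ReplicationScope Domain

# Forwarders: unanswered queries go upstream instead of to the root hints.
Add-DnsServerForwarder -IPAddress 192.168.0.254 -PassThru

# Verify the transfer policy before calling it done, then check the secondary answers.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName,IsDsIntegrated,DynamicUpdate,SecureSecondaries,SecondaryServers
Resolve-DnsName -Name $Zone -Type SOA -Server 192.168.0.3
```

A quick external check of the transfer setting is nslookup, server <dns ip>, ls -d company.local from a host that is not listed; it should be refused.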

Configure Root Hints.

Server Properties, Root Hints. This holds the list of root servers the DNS server starts from
when it has no forwarder and the answer is not in its zones or cache.
Under %SystemRoot%\System32\dns the file Cache.dns holds them. You can open it with Notepad to
see the entries, or download an updated copy from InterNIC and replace the file.
You can also copy the root hints from another server, or blank the list (and configure no
forwarders) so this DNS server cannot resolve Internet names, a common setting for isolated
internal servers.

Interfaces l
ists the IP addresses the server can listen on. Restrict which IPs answer queries by
selecting "Only the following IP addresses" and ticking the IP(s) to respond on.

Event Logging sets which events get logged. View them via Global Logs in the DNS manager to
show only DNS events.

Create A and PTR records.

IPv6 hosts use AAAA as the record type.
Static means the record is created manually and therefore has to be updated manually.
Dynamic means the client (or the DHCP server on its behalf) registers with DNS and creates the
record. If the IP changes it automatically re-registers.
CNAME record: Canonical Name Record. This is an alias that points at another name; a lookup of
the alias is answered with the target's records.
MX record: Directs mail for the domain to a messaging server (e.g. Exchange). The preference
value (lower is tried first) decides which server receives the mail.
PTR record: Created in the reverse zone when you tick "Create associated pointer (PTR) record"
while creating the A record (the reverse zone must already exist).
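Added example, not from the original notes: creating each record type above with the DnsServer cmdlets, then verifying them against the server rather than the local cache, plus a search for stale A records. Zone, host names and addresses are assumptions.

```powershell
# Added example (not from the original notes): create the record types above in one zone and
# verify them with Resolve-DnsName. Zone, host names and addresses are assumptions.
$Zone   = 'company.local'
$Server = 'dns1.company.local'

# A with its PTR in the matching reverse zone (0.168.192.in-addr.arpa must exist first).
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'web1' -IPv4Address 192.168.0.30 -CreatePtr
# AAAA for the same host.
Add-DnsServerResourceRecordAAAA -ZoneName $Zone -Name 'web1' -IPv6Address 2001:db8:0:1::30
# Alias: www -> web1; the target must be a name, not an address.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'www' -HostNameAlias "web1.$Zone"
# Mail: two MX records at the zone apex ('.'), preference 10 tried before 20.
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail1.$Zone" -Preference 10
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail2.$Zone" -Preference 20

# The resolver cache would hide a fresh record; clear it and ask the server directly.
Clear-DnsClientCache
Resolve-DnsName -Name "www.$Zone" -Server $Server           # CNAME, then the A/AAAA it points at
Resolve-DnsName -Name $Zone -Type MX -Server $Server | Sort-Object Preference
Resolve-DnsName -Name 192.168.0.30 -Server $Server          # PTR: reverse lookup

# Find records still pointing at a retired address; a stale A record for a name clients
# trust is a spoofing foothold if someone else can claim that address.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address -eq '192.168.0.99' } |
    Select-Object HostName,@{n='IP';e={$_.RecordData.IPv4Address}},Timestamp
```

Timestamp is empty for static records and set for dynamically registered ones, which is how scavenging tells them apart.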

Domain controller.
Holds a writable copy of the AD database. One DC is enough to create a domain; a minimum of two
per domain is strongly recommended for fault tolerance.

Global Catalog.
Holds a partial replica of every object in the forest and is needed at logon to resolve
universal group membership (and UPN logons). Common practice is to configure every DC as a
global catalog server.

Organizational Unit.
A container used to group user, computer and other objects. Users never see it; it exists for
IT, to delegate administration and to scope Group Policy.

FSMO Roles.
Schema Master: Performs updates to the AD schema, including adprep /forestprep and other
applications that must modify the schema. One per forest.
Domain Naming Master: Responsible for adding and removing domains and application partitions in
the forest. Must be online for those operations. One per forest.
PDC Emulator: Receives preferential replication of password changes and is consulted on failed
authentications, is the target DC for Group Policy edits and for legacy applications, and is the
authoritative time source for the domain (the forest root PDC for the forest). Must be online and
accessible at all times. One per domain.
RID Master: Allocates pools of relative IDs to the DCs in its domain so SIDs stay unique. One per domain.
Infrastructure Master: Updates cross-domain object references. In a single-domain forest it can
be placed on any DC. In a multi-domain forest it must not be on a global catalog unless all DCs
are global catalogs. One per domain.

Add and Remove Domain Controller.

Ensure that the server can be resolved every way someone may try to reach it (forward and
reverse lookup). Test with nslookup <short name>, nslookup <fully qualified domain name> and
nslookup <IP address>. Ensure the primary DNS suffix is set under the computer name. If each
succeeds the server is ready to be promoted to a DC.

Add Roles and Features. Find and install Active Directory Domain Services and the AD tools.
PowerShell: Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Promoting the server: choose new forest, new domain in an existing forest, or additional domain
controller for an existing domain (a child domain inherits the parent's namespace, a tree domain
has an independent name).

Select the forest and domain functional levels (2008, 2008 R2, 2012 or 2012 R2). This is
determined by the oldest DC OS that must still be supported and by application requirements.
Select whether the server should be a DNS server and a global catalog; the first DC in a forest
must be a global catalog. Set the Directory Services Restore Mode (DSRM) password. This is a
local password used to boot the DC into DSRM for an authoritative restore; store it securely,
as it gives full access to the AD database. DNS delegation options take credentials used to
create a delegation in the parent DNS zone (not a new admin account). Set the NetBIOS domain
name; by default it is the first label of the domain name. Choose the database, log and SYSVOL
folder locations. Next runs the prerequisite checks and reports whether the install can proceed.

View Script shows the PowerShell equivalent of the wizard's choices:
Import-Module ADDSDeployment
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "<database path>" -DomainMode "Win2012R2" -DomainName "<domain name>" -DomainNetbiosName "<first label of domain name>" -ForestMode "Win2012R2" -InstallDns:$true -LogPath "<log path>" -SysvolPath "<SYSVOL path>" -NoRebootOnCompletion:$false -Force:$true
When -CreateDnsDelegation is $true, add -DnsDelegationCredential (Get-Credential). The generated
script prompts for the DSRM password; add -SafeModeAdministratorPassword (Read-Host -AsSecureString)
to supply it non-interactively. -Force suppresses the confirmation prompts.

Remove Domain Controller.

The DC must be demoted before the role can be removed: Remove Roles and Features, Next, select
the server, deselect Active Directory Domain Services; the wizard prompts to demote first.
PowerShell: Uninstall-ADDSDomainController (add -LastDomainControllerForDomain
-RemoveApplicationPartitions if it is the last DC), then Uninstall-WindowsFeature AD-Domain-Services.

Install Domain Controller from Media.

First create an IFM snapshot of a healthy DC.
ntdsutil, then "activate instance ntds", then "ifm", then create as needed (e.g. "create full
C:\IFM"), naming the folder to write the snapshot to. The folder contains a copy of ntds.dit,
the registry hives and (for a full IFM) SYSVOL.
The IFM media holds the whole directory including every password hash; protect it like a
backup of AD and delete it after use.

Install from Server Core.

Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSDomainController -DomainName <domain> -Credential
(Get-Credential <domain>\administrator); add -InstallationMediaPath <IFM folder> to promote from
the media instead of replicating the whole database over the network.

Upgrade Domain Controller.

Make sure the existing DCs are healthy (dcdiag, repadmin /replsummary). Check and correct major
errors first.
Extend the schema with adprep, found on the Windows media under support\adprep. It imports LDF
files, which are human readable. Run adprep /forestprep first (on the Schema Master, as a member
of Schema Admins and Enterprise Admins), then adprep /domainprep in each domain, then
adprep /rodcprep if you will deploy read-only domain controllers. The 2012 R2 promotion wizard
runs adprep automatically when the account has the rights.
Relocate FSMO roles off DCs that will be decommissioned so the roles stay online.
Raise the domain/forest functional level under Tools, Active Directory Domains and Trusts
(domain: right-click the domain; forest: right-click the root node).
This is one-directional: you cannot downgrade, only upgrade.
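Added example, not from the original notes: the FSMO relocation and functional-level steps above with the ActiveDirectory module, recording the role holders before and after and checking the Infrastructure Master/GC rule from the FSMO section. DC and domain names are assumptions.

```powershell
# Added example (not from the original notes): locate the FSMO role holders, move them to a
# new DC before decommissioning the old one, and raise the functional levels. DC and domain
# names are assumptions.
Import-Module ActiveDirectory
$NewDc = 'dc2.company.local'

function Get-FsmoHolders {
    # One object listing all five role holders, suitable for before/after comparison.
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Get-FsmoHolders | Format-List

# Moving the Infrastructure Master onto a GC is only safe when every DC is a GC.
$NotGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false }
if ($NotGc -and (Get-ADDomainController -Identity $NewDc).IsGlobalCatalog) {
    Write-Warning "Some DCs are not GCs; keep the Infrastructure Master off the GC $NewDc"
}

# Graceful transfer (the old holder must be online). -Force seizes instead; only for a dead holder.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Confirm:$false

Get-FsmoHolders | Format-List

# Functional levels are irreversible: confirm every DC runs 2012 R2 before raising.
Get-ADDomainController -Filter * | Select-Object Name,OperatingSystem,IsGlobalCatalog
Set-ADDomainMode -Identity (Get-ADDomain).DistinguishedName -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2012R2Forest -Confirm:$false
```

netdom query fsmo gives the same role listing from the command line if the module is not installed.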

Resolve DNS SRV record registration issues.

The DC locator records live in the DNS zone under _msdcs.<forest> and under the domain's _tcp,
_udp and _sites folders (e.g. _msdcs.<domain>/dc/_sites/Default-First-Site-Name/_tcp holds the
_ldap and _kerberos SRV records for that site).
The list of records each DC should register is in %SystemRoot%\System32\config\netlogon.dns.
The Netlogon service registers them, so nltest /dsregdns or restarting Netlogon forces
re-registration; dcdiag /test:dns checks them.
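Added example, not from the original notes: a check of the key DC locator SRV records described above, re-registering through Netlogon when any are missing. Domain and site names are assumptions.

```powershell
# Added example (not from the original notes): check that the DC locator SRV records for this
# domain resolve and re-register them if any are missing. Domain and site names are assumptions.
$Domain = 'company.local'
$Site   = 'Default-First-Site-Name'

# The records a client needs to find a DC, Kerberos, a GC and a site-specific DC.
$Srv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
)

function Test-DcSrvRecords {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # Resolve-DnsName also returns the A records of the targets; keep only the SRV rows.
        $r = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record  = $n
            Targets = ($r.NameTarget -join ',')
            Ok      = [bool]$r
        }
    }
}

$Result = Test-DcSrvRecords -Names $Srv
$Result | Format-Table -AutoSize

if ($Result | Where-Object { -not $_.Ok }) {
    # Netlogon owns these records; ask it to re-register, then re-check.
    nltest /dsregdns
    Start-Sleep -Seconds 5
    Test-DcSrvRecords -Names $Srv | Format-Table -AutoSize
}

# Compare with what this DC believes it should register (the Netlogon template file).
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" | Select-String '_ldap._tcp.dc' | Select-Object -First 3
```

If re-registration does not help, the usual causes are the DC pointing at a DNS server that does not host the zone, or a zone that allows only secure updates while the DC's computer account cannot authenticate to it.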

Configure Global Catalog.

Tools, Active Directory Sites and Services (remember sites group DCs by physical location and
control replication). Expand the site and the server, right-click NTDS Settings, Properties, and
check or uncheck Global Catalog.

Deploy AD IaaS in Microsoft Azure.

The DC runs as a virtual machine inside Microsoft Azure; the guide is at
https://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/

Create via ADAC.

The Active Directory Administrative Center (ADAC) exposes Dynamic Access Control and runs on top
of PowerShell: every action is executed as a PowerShell command, which the Windows PowerShell
History pane at the bottom shows. ADAC shows information on one long page but configures much
the same things as ADUC.

Create via ADUC.

Right-click the OU (or the Users container), New, User, then fill in the fields (first name,
last name, full name, user logon name and UPN suffix). Click Next, enter the password and
select the password options needed. Afterwards right-click the new user to add further
attributes, unlock the account, set an expiration date, or set group membership via Member Of.

Creating a Template.
Usually named with a _Template prefix (or as desired). Create the account with the password set
to never expire, the user unable to change the password, and the account disabled so it can never
be used to log on. Add group memberships as needed. Use %username% in the profile/home path
(e.g. \\server\profiles\%username%) so each copy gets its own folder. Right-click, Copy creates
a new user from the template; the copy inherits the group memberships, so keep the template's
memberships minimal.

Automate Creation of AD objects.
Get-ADComputer lists computer objects.
New-ADComputer and Remove-ADComputer create and delete computer accounts in AD (without joining a machine).
Add-Computer and Remove-Computer join and unjoin the local (or a remote) machine to the domain,
creating the account if needed.
Get-ADUser
New-ADUser and Remove-ADUser.
Manage inactive and disabled accounts.
Check inactive accounts via PowerShell: Get-ADUser -Filter * -Properties LastLogonDate | Format-Table Name,LastLogonDate
Check disabled accounts via Get-ADUser -Filter {Enabled -eq $false}
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 and Search-ADAccount -AccountDisabled (or
-AccountExpired, -LockedOut) give the same answers without writing a filter.
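Added example, not from the original notes: the inactive/disabled account review above turned into a repeatable cleanup, using Search-ADAccount and the LastLogonDate attribute with the exclusions a practitioner needs. The OU, threshold and change reference are assumptions; it runs with -WhatIf until you remove it.

```powershell
# Added example (not from the original notes): find user accounts that have not logged on in
# 90 days, disable them and record why, skipping service accounts by OU and already-disabled
# accounts. The OU, threshold and change reference are assumptions. Run with -WhatIf first.
Import-Module ActiveDirectory
$Days      = 90
$ExcludeOu = 'OU=Service Accounts,DC=company,DC=local'
$Cutoff    = (Get-Date).AddDays(-$Days)

# LastLogonDate derives from lastLogonTimestamp, which replicates only every ~14 days,
# so a 90-day threshold keeps that skew harmless.
$Stale = Search-ADAccount -AccountInactive -DateTime $Cutoff -UsersOnly |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$ExcludeOu" } |
    Get-ADUser -Properties LastLogonDate,whenCreated,Description

# Brand-new accounts that have simply not been used yet are not "stale".
$Stale = $Stale | Where-Object { $_.whenCreated -lt $Cutoff }

$Stale | Select-Object SamAccountName,LastLogonDate,whenCreated |
    Sort-Object LastLogonDate | Format-Table -AutoSize

foreach ($u in $Stale) {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $Days days (change CHG-0000)"
    Set-ADUser -Identity $u -Description $note -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}

# Separate view: disabled accounts still in a privileged group are cleanup targets too,
# because re-enabling one silently restores admin rights.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser | Where-Object { -not $_.Enabled } | Select-Object SamAccountName
```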

Bulk Actions in Active Directory.

csvde imports or exports AD objects using a CSV file. It defaults to export: csvde -f <filename>
dumps everything. csvde -f <filename> -d "<DN of the container, e.g. CN=Users,DC=company,DC=<suffix>>"
-r "(objectClass=user)" -l "sAMAccountName,displayName" limits the export to that container,
that LDAP filter and those attributes.
csvde -i -f <filename> imports from a CSV file (csvde cannot set passwords, so imported users
are created disabled).
ldifde works the same as csvde but reads and writes LDIF (.ldf) files, which can also modify and
delete objects, not only add them.

Offline domain join.

For a computer that cannot connect directly to the network (or is imaged before it reaches the domain).
djoin does this.
djoin /provision /domain <domain name> /machine <name of the computer being joined> /savefile <file
name> runs on a domain-joined machine with rights to create computer accounts; it creates the
computer account and writes the join data to the file.
Copy the file to the computer being added and run, from an elevated command prompt:
djoin /requestodj /loadfile <file name> /windowspath %SystemRoot% /localos
The file contains the machine account password; treat it as a secret and delete it after the join.

Group Types and Scopes.

Security groups can be given permissions and rights (and can also be used for e-mail).
Distribution groups are for e-mail to multiple users only; they cannot appear in an ACL.
Scopes: Global, Domain Local, Universal.
Global groups: members from their own domain only; can be granted access in any domain of the
forest. Typically used to group users by role or job function.
Domain Local groups: members from any domain; can be granted access only to resources in their
own domain. Typically used to organize access to resources.
Universal groups: membership is stored in the global catalog. They can contain users and groups
from any domain in the forest and can be granted permissions anywhere in the forest.

Create Organizational Unit.

Open Tools and either ADUC or ADAC. Objects under Users show which groups they belong to
(Member Of). On a group you can set Managed By (the user who may change the membership when
"Manager can update membership list" is ticked).
In ADUC an OU icon has a small box on the folder; a plain folder is a container.
Right-click, New, Organizational Unit. You can tick Protect from accidental deletion. Group Policy
can be linked to an OU.
From PowerShell: Get-ADGroup (shows info)
New-ADGroup and Remove-ADGroup
Add-ADGroupMember and Remove-ADGroupMember (add and remove members of a group)
New-ADOrganizationalUnit "<OU name>" -Path "<parent DN>" -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name "<name>" -GroupScope Global -GroupCategory Security -Path "OU=Company Users,DC=company,DC=<suffix>"
Add-ADGroupMember "<group you created>" -Members <username>,<username>

Configure Group Nesting.

Best-practice approach (AGDLP): put Accounts into Global groups, put Global groups into Domain
Local groups, and assign Permissions to the Domain Local groups. Permissions are never assigned
to users directly.

Enumerate Group Membership.

With PowerShell you can determine which users are in which groups, including nested groups.
Get-ADGroupMember "<group name>" | Format-Table Name shows the direct members (users or groups);
add -Recursive to expand nested groups down to their users.
Get-ADPrincipalGroupMembership <username> | Format-Table Name shows the groups a user is a direct member of.
Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Domain Admins,CN=Users,DC=company,DC=<suffix>"'
returns users that are members through any level of nesting.
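Added example, not from the original notes: AGDLP applied to one file share, then the membership enumerated both from the group side and from the user side, serving both the nesting and the enumeration sections above. Names, OU, path and users are assumptions.

```powershell
# Added example (not from the original notes): implement AGDLP for one file share and then
# verify who effectively has access through the nesting. Names, OU, path and users are
# assumptions.
Import-Module ActiveDirectory
$Ou    = 'OU=Groups,DC=company,DC=local'
$Share = 'D:\Shares\Finance'

# A: accounts go into a Global group that describes the role.
New-ADGroup -Name 'Role-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $Ou
Add-ADGroupMember -Identity 'Role-Finance-Staff' -Members 'jdoe','asmith'

# DL: a Domain Local group per resource+permission; the Global group is its only member.
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $Ou
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Role-Finance-Staff'

# P: the permission is granted to the Domain Local group, never to users.
New-Item -ItemType Directory -Path $Share -Force | Out-Null
$Acl  = Get-Acl $Share
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
          'COMPANY\ACL-Finance-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Share -AclObject $Acl

# Enumerate: direct members are groups; -Recursive flattens to the users who really get access.
Get-ADGroupMember -Identity 'ACL-Finance-Modify' | Select-Object Name,objectClass
Get-ADGroupMember -Identity 'ACL-Finance-Modify' -Recursive | Select-Object SamAccountName

# From the user side: every group jdoe reaches through nesting, using the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule, which is what -RecursiveMatch compiles to.
$Dn = (Get-ADUser 'jdoe').DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$Dn)" | Select-Object Name,GroupScope
```

A user's token is built at logon, so after adding someone to Role-Finance-Staff they must log off and on (or the Kerberos ticket must be renewed) before the share lets them in.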

Convert Groups.
Global and Domain Local groups can be converted to Universal. A Universal group can be converted
to Global or Domain Local.
You cannot convert Domain Local directly to Global or Global directly to Domain Local; go via
Universal in two steps. A conversion succeeds only if the existing membership stays valid under
the new scope (e.g. a Global group that is a member of another Global group cannot become Universal).
Via PowerShell: Set-ADGroup -Identity "<group name>" -GroupScope <Universal|Global|DomainLocal>.
The same cmdlet with -GroupCategory Security or Distribution changes the group type.

Manage using Group Policy.

Tools, Computer Management shows Local Users and Groups, where groups or users can be added to a
local group on one machine.
To do it centrally use the Group Policy Management Console: Computer Configuration, Policies,
Windows Settings, Security Settings, Restricted Groups lets you set which accounts are members
of, e.g., the local Administrators group on every PC the GPO applies to ("Members of this group"
replaces the membership at each refresh; "This group is a member of" only adds).

Delegate the Creation and Management of Active Directory Objects.

Right-click the OU, Delegate Control. (Be careful: the wizard only adds permissions and has no
undo; removal is manual.) Add the group you have named, then pick the tasks it may perform from
the list, or choose a custom task. To see or edit the result, enable Advanced Features in the
View menu, open the OU's Properties, Security tab, Advanced, which shows the permissions that
exist for the person or group (dsacls "<OU DN>" from the command line shows the same).

Manage Default AD Containers.

Containers are the folders without the OU box on the icon (Users, Computers, etc.); Group Policy
cannot be linked to them. redircmp changes where new computer accounts land when a machine is
joined without a target OU (redirusr does the same for new users).
redircmp "OU=<OU you created>,DC=company,DC=<suffix>"
Each new computer account is then created in the redirected OU, where your GPOs apply.

Configuring WinRM
On Server 2012 R2 WinRM is enabled by default. It is a web service listening on HTTP port 5985
(and HTTPS port 5986 when a certificate-backed listener is created). Make sure the WinRM service
is started and set to start type Automatic, that a listener exists on TCP 5985, and that a
firewall exception allows it. Both commands below create all of that:
Command: winrm quickconfig
PowerShell: Enable-PSRemoting

Configuring WinRM commands.

winrm get winrm/config (winrm g is the short form) shows the WinRM service and client configuration.
winrm quickconfig checks and fixes the service state, listener and firewall rule, prompting for each change.
Enter-PSSession -ComputerName <name> opens an interactive PowerShell session on the target; the
prompt changes to [<name>].
Invoke-Command -ComputerName <name> -ScriptBlock {<commands>} runs commands on the remote
machine and returns the results.

Via PowerShell command configuration.

Enable-PSRemoting -Force makes all the changes without prompting.
It calls Set-WSManQuickConfig, which can be run on its own and prompts for each item it needs.
Also helpful: Get-Help about_Remote_Troubleshooting lists what is needed for troubleshooting remoting.
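Added example, not from the original notes: adding the HTTPS (5986) listener the notes mention so remoting is protected by TLS and the server is authenticated, plus the service-side settings that refuse unencrypted and Basic-auth sessions. The certificate is self-signed for a lab; in production use one from the enterprise CA.

```powershell
# Added example (not from the original notes): add an HTTPS listener so remoting traffic is
# protected by TLS and the client can authenticate the server. The certificate here is
# self-signed for a lab; in production use one from the enterprise CA with the host's FQDN.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# A server-auth certificate whose subject/SAN is the FQDN clients will connect to.
$Cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My

# Listener bound to all addresses on 5986 using that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $Cert.Thumbprint -HostName $Fqdn -Force | Out-Null

# Firewall: only 5986 inbound on the domain profile; the HTTP rule stays unless you remove it.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (TCP 5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null

# Refuse unencrypted traffic and Basic auth on the service side.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Verify: both listeners visible, then a TLS session from this host to itself.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name,Keys
$Opt = New-PSSessionOption -SkipCACheck   # lab only: the self-signed cert has no trusted issuer
Invoke-Command -ComputerName $Fqdn -UseSSL -SessionOption $Opt -ScriptBlock { $env:COMPUTERNAME }
```

Once clients use -UseSSL, the HTTP listener can be removed with Remove-Item WSMan:\localhost\Listener\<listener name>; Kerberos already encrypts domain sessions on 5985, but HTTPS also covers IP-address and non-domain connections.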

WinRM on Downlevel servers.

For Windows 7 SP1, Server 2008 R2 SP1 and Server 2012 install PowerShell 4 via Windows
Management Framework 4 (read the release notes: some products on a downlevel server, e.g. older
Exchange and SharePoint versions, are not compatible with WMF 4). WMF 4 supports Windows 7 SP1,
Windows Embedded Standard 7, Windows Server 2008 R2 SP1 and Windows Server 2012; 2012 R2 ships with it.
For XP SP3 and Server 2003 SP2: WMF 2.0 (PowerShell 2).

Configure Servers for Day-to-Day Management tasks.


For the local machine you operate from you can download the RSAT tools (Remote Server
Administration Tools). Select the appropriate tools for your client system. Ensure that this
feature is turned on under Windows Features in Control Panel.
Access Server Manager from the client by running servermanager from a command prompt.
Right-click lets you change the domain or the items you want to manage.
You can also manage via MMC: File, Add/Remove Snap-in, then select the tools you want to
manage from (e.g. Active Directory or Task Scheduler; Task Scheduler can also be pointed at
another system).

From Task Scheduler to create a task.


Set the task name, set when you want the task triggered (e.g. daily, weekly) and choose the time
of day if applicable, select Start a program, then target the program. Below that field you can
add arguments.
Once created you can modify the user account that executes the task, the triggers (when it
runs) and additional conditions. You can also set whether it can be run on demand.
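
The same task created with the ScheduledTasks cmdlets instead of the wizard, as an added example (not from the notes). The script path, arguments and the service account CONTOSO\svc-backup are made up.

```powershell
# Action: the program to run plus its arguments (the wizard's two fields).
$action = New-ScheduledTaskAction -Execute 'C:\Scripts\nightly-backup.cmd' `
                                  -Argument '/quiet /log:C:\Logs\backup.log'

# Trigger: daily at 02:00.
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Principal: a dedicated account, lowest run level. S4U logon means no password
# is stored with the task; it suits local-only jobs (S4U tokens cannot reach
# network shares, so use -LogonType Password for those).
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-backup' `
                                        -LogonType S4U -RunLevel Limited

# Conditions/settings: 2 h time limit, run on battery; on-demand start is
# allowed unless -DisallowDemandStart is given.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
                                         -AllowStartIfOnBatteries

Register-ScheduledTask -TaskName 'Nightly Backup' -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings

# Review what was registered and which identity runs it.
Get-ScheduledTask -TaskName 'Nightly Backup' |
    Select-Object TaskName, State, @{n='RunAs'; e={ $_.Principal.UserId }},
                  @{n='RunLevel'; e={ $_.Principal.RunLevel }}
```

Scheduled tasks are a common persistence point, so the identity and run level are the two fields worth reviewing on every task: a task running as SYSTEM or with RunLevel Highest executes whatever is at that script path with full privileges.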

Configure Multi Server Management.


Open Server Manager and select Local Server. This shows the Remote Management option; from
here you can enable or disable remote management.
Remote Desktop is disabled by default. It can be enabled by selecting it, toggling Allow remote
connections, then Apply.
From the client, launch Server Manager and add the additional servers you need to manage
(select them by naming the server and letting it find them). In the dashboard you can also
group the servers.
Select Create Server Group, set a name for the group, select the servers from the list below,
then select OK. Some groups are created automatically, such as the AD DS and DNS Server
groups.
When you select a server it shows running services and general warnings.
From here, on the client, you can add roles and features and do the other things Server
Manager can do on the server itself.
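
Added example (not from the notes): the two switches on the Local Server page set from an elevated prompt on the target server, with Remote Desktop limited to clients that pass Network Level Authentication.

```powershell
# Server Manager remote management (WinRM-based); Configure-SMRemoting.exe is
# the tool the Local Server checkbox calls.
Configure-SMRemoting.exe -Enable

# Remote Desktop: fDenyTSConnections = 0 is "Allow remote connections".
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# Require NLA so the client authenticates before a session (and logon screen)
# is created. This is the "Allow connections only from computers running
# Remote Desktop with Network Level Authentication" option.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# Open the predefined Remote Desktop firewall rules, as the GUI does for you.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify both settings and the rules.
Get-ItemProperty -Path $ts | Select-Object fDenyTSConnections
Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object Name, Enabled, Profile
```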

Configure Server Core.


Once the RSAT tools are installed you can verify whether the Server Core machine is ready for
remote management. To get the current configuration: winrm get winrm/config.
You can then run Enable-PSRemoting to turn remoting on for the Server Core machine. You can
also use Sconfig (option 4) to configure WinRM. Once completed the Server Core machine can be
managed from the client with the RSAT tools. This allows GUI management (the same as other
servers).
You can also do this via MMC: Add/Remove Snap-in, select Computer Management, then Connect
to another computer and enter the name of the machine to be managed. This gives you the
Computer Management snap-in of the server in question.

Configure Windows Firewall.


In Control Panel: System and Security, Windows Firewall, Advanced settings, Inbound Rules.
When WinRM is set up automatically it configures these items correctly for you.
Check the rule titled Windows Remote Management (HTTP-In); when selected you can see the port
it allows.
From the command line: netsh, then enter advfirewall (? lists the available commands), then:
firewall set rule group="remote administration" new enable=yes
From PowerShell: Get-NetFirewallRule shows the rules in the firewall. This can be filtered with
| Select-Object -Property Name, DisplayName | Where-Object { $_.DisplayName -like "*remote*" },
which narrows the list to rules with "remote" in the name.
Get-NetFirewallRule -Name WINRM-HTTP-In-TCP | Set-NetFirewallRule -Enabled True
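
Added example (not from the notes) that extends the filter above: list the remote-management rules, then enable the WinRM rule only for the domain profile and a management subnet rather than for every address. The subnet 10.0.50.0/24 is made up.

```powershell
# Which remote-administration rules exist, and which are on?
Get-NetFirewallRule |
    Where-Object { $_.DisplayName -like '*remote*' } |
    Select-Object Name, DisplayName, Enabled, Profile, Direction |
    Sort-Object DisplayName | Format-Table -AutoSize

# Enable the WinRM rule, but scope it: domain profile only and only from the
# management subnet. The -PUBLIC variant of the rule stays disabled.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -Enabled True `
                    -Profile Domain -RemoteAddress 10.0.50.0/24

# Confirm the port and the remote-address scope the rule now allows.
$rule = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP'
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# netsh equivalent of the group command in the notes:
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
```

The RemoteAddress scope is the part the quickconfig wizard does not do for you; an unscoped WinRM rule accepts connection attempts from any host that can reach the server.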

Non-member Management.
You need a set of local credentials that will work on the server you want to manage.
From the GUI: right-click the server you want to manage and select the option to use
alternate credentials (Manage As).
From PowerShell: Invoke-Command -ComputerName <server name> -Credential (Get-Credential)
-ScriptBlock { <command you want to run> }; it will then ask for the username and password.
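
Added example (not from the notes): managing a workgroup server with explicit local credentials, including the client-side trust a non-domain target needs. WG-SRV01 is a made-up host name.

```powershell
$target = 'WG-SRV01'

# Prompt once; the PSCredential object is reused for every call below.
$cred = Get-Credential -Message "Local administrator on $target"

# A non-member server cannot be authenticated with Kerberos, so the client has
# to trust it explicitly (or you use an HTTPS listener). Add only this host,
# never '*', since TrustedHosts disables server identity checking for NTLM.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -notmatch [regex]::Escape($target)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force
}

# The command from the notes, with the credential supplied up front.
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    Get-Service | Where-Object Status -eq 'Running' | Select-Object -First 5 Name, Status
}

# CIM-based cmdlets (SMB, firewall, printing) take the same credential through
# a CIM session instead of a -Credential parameter.
$cim = New-CimSession -ComputerName $target -Credential $cred
Get-SmbShare -CimSession $cim | Select-Object Name, Path
Remove-CimSession $cim
```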

Creating Shares.
To start the share select Manage, Add Roles and Features. Select File and iSCSI Services.
Select File Server and the other options you need. BranchCache stores local copies of files so
they can be accessed offline.
Server for NFS supports Unix systems accessing the files.
Go into File and Storage Services. You can create the share via Volumes as well as via Shares.
Under Tasks you have the ability to create a new share.
SMB Share - Quick: this basic profile is the fastest way to create an SMB file share, typically
to share files with Windows-based computers. Suitable for general file sharing; advanced options
can be configured later.
You can then select a volume or custom path. You can then name the share (e.g.
\\fileserver\share). More advanced options follow on the next page.
Select user access, then click Create.

From Powershell.
The nouns of this command set are prefixed with Smb.
To check permissions: Get-SmbShareAccess -Name <share name>
New-SmbShare -Path <e.g. C:\share> -Name <name you want> -ReadAccess <who gets read-only
access, e.g. Everyone> -FullAccess <who gets full access to the share>

From Explorer.
Find target folder. Right-click folder select properties, select sharing, select advanced if need.
Set the share name, set number of simultaneous users if needed. Click permissions for who can
access via the permissions tab.

Options can be controlled via control panel, network and sharing center. You can turn on or off
network discovery. Ensure that file and printer sharing is turned on. You can then determine if
you want public or not.
Connecting to Shares.
From a client you can create shares using Server Manager the same way you would set them up
on the server.
From PowerShell via the client:
New-SmbShare -CimSession <server name> -Path <e.g. C:\share> -Name <name you want>
-ReadAccess <who gets read-only access, e.g. Everyone> -FullAccess <who gets full access
to the share>
New-SmbMapping maps a drive letter to a server share:
New-SmbMapping -LocalPath <drive letter, e.g. F:> -RemotePath \\<address>\<folder>
You can remove a mapping with Remove-SmbMapping.
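
Added example (not from the notes) covering both the server-side and client-side share commands above: create the share locally, create the same share on a remote file server through a CIM session, then map and unmap it. FS01, C:\Shares\Projects and the CONTOSO groups are made up.

```powershell
# Local server: Everyone reads, one group has full control. The NTFS ACL on the
# folder still applies on top of this share ACL; the effective right is the more
# restrictive of the two.
New-Item -ItemType Directory -Path 'C:\Shares\Projects' -Force | Out-Null
New-SmbShare -Name 'Projects' -Path 'C:\Shares\Projects' `
             -ReadAccess 'Everyone' -FullAccess 'CONTOSO\ProjectAdmins' `
             -FolderEnumerationMode AccessBased   # hide folders the user cannot open

Get-SmbShareAccess -Name 'Projects' |
    Select-Object AccountName, AccessControlType, AccessRight

# Same share created on a remote file server from the admin workstation.
$cim = New-CimSession -ComputerName 'FS01'
New-SmbShare -CimSession $cim -Name 'Projects' -Path 'C:\Shares\Projects' `
             -ReadAccess 'Everyone' -FullAccess 'CONTOSO\ProjectAdmins'
Get-SmbShare -CimSession $cim -Name 'Projects' | Select-Object Name, Path, FolderEnumerationMode
Remove-CimSession $cim

# Client side: map a drive letter, list mappings, unmap.
New-SmbMapping -LocalPath 'P:' -RemotePath '\\FS01\Projects'
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
Remove-SmbMapping -LocalPath 'P:' -Force
```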

Configuring Share Permissions.


Read: Read only, cannot modify files.
Change: Can read, can modify files.
Full: Same as above and can change permissions.
From server manager. Select share, select permissions, select customize permissions. Then
select share within the tabs and select the item you want to add or edit.
Deny overrides Allow.
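
The share ACL changes described above done with the SMB cmdlets, as an added example (not from the notes). Share 'Projects' and the CONTOSO groups are made-up names.

```powershell
# Read / Change / Full in the GUI correspond to -AccessRight Read, Change, Full.
Grant-SmbShareAccess -Name 'Projects' -AccountName 'CONTOSO\ProjectUsers'  -AccessRight Change -Force
Grant-SmbShareAccess -Name 'Projects' -AccountName 'CONTOSO\ProjectAdmins' -AccessRight Full   -Force

# Explicit Deny: the account is blocked even if it is also in an allowed group,
# because Deny entries are evaluated before Allow entries.
Block-SmbShareAccess -Name 'Projects' -AccountName 'CONTOSO\Contractors' -Force

# Remove the default Everyone entry so access comes only from the groups above.
Revoke-SmbShareAccess -Name 'Projects' -AccountName 'Everyone' -Force

# Review the resulting share ACL; Deny rows are the ones that override.
Get-SmbShareAccess -Name 'Projects' |
    Sort-Object AccessControlType |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# Undo a deny if it was a mistake:
# Unblock-SmbShareAccess -Name 'Projects' -AccountName 'CONTOSO\Contractors' -Force
```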

Configuring NTFS permissions.


The command-line tool is icacls.exe.
NTFS permissions are found in the share location's properties under Security.
Under Permissions you can select Disable inheritance. When you select this it asks whether you
want to start from a clean slate or convert the previously inherited permissions into explicit
ones.
When you copy, the permissions do not follow: the copy picks up the inherited permissions of
the destination location.
Moving keeps the permissions that have been set.
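
Added example (not from the notes): the inheritance and permission changes above performed with icacls.exe from PowerShell, with a backup taken first so the ACL can be restored. The folder and CONTOSO groups are made up.

```powershell
$folder = 'C:\Shares\Projects'

# Save the current ACLs (recursively) so the change can be rolled back.
icacls $folder /save "$env:TEMP\projects-acl.bak" /t /c

# Disable inheritance and keep the inherited entries as explicit ones
# (the GUI's "Convert"). Use /inheritance:r instead for a clean slate.
icacls $folder /inheritance:d

# Grant rights. (OI)(CI) = object and container inherit, i.e. applies to files
# and subfolders; M = modify, RX = read and execute, F = full control.
icacls $folder /grant 'CONTOSO\ProjectUsers:(OI)(CI)M'
icacls $folder /grant 'CONTOSO\ProjectAdmins:(OI)(CI)F'
icacls $folder /remove 'BUILTIN\Users'

# Show the resulting ACL.
icacls $folder

# Copy vs move: a copied file takes the destination's inherited ACL; a file
# moved within the same volume keeps its explicit entries (a move across
# volumes is a copy plus delete and behaves like a copy).
Copy-Item "$folder\report.docx" 'C:\Public\report.docx'
icacls 'C:\Public\report.docx'

# Roll back if needed: /restore takes the parent directory the backup is relative to.
# icacls 'C:\Shares' /restore "$env:TEMP\projects-acl.bak"
```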

Offline Files.
This item is enabled by default. Open properties and advanced and select caching. In caching
you can set only files and programs that users specify are available offline, No files or programs
are shared offline and all files are shared offline.

Configure Access Based Enumeration.


This enables the server to make it so the client without access to the folder cannot see a folder.
Launch server manager, shares and select the target share. Go to settings. Select Access
Based Enumeration. Once this is done the client will no longer be able to see the files or folders
they do not have access to.

Configure Volume Shadow Copy Service. (VSS)


Under the drive's properties select Shadow Copies. It is disabled by default. When you enable it
you can then set the schedule and the size limit via the Settings portion.
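
Added example (not from the notes): the same shadow-copy setup from the command line with vssadmin.exe, plus the daily schedule as a scheduled task. Volume D: and the sizes are illustrative.

```powershell
# Reserve up to 10% of D: for shadow storage (the GUI's size limit). Storage
# on a different volume is allowed with /on=E: and avoids I/O contention.
vssadmin add shadowstorage /for=D: /on=D: /maxsize=10%

# Take a shadow copy now (the GUI's "Create Now").
vssadmin create shadow /for=D:

# List existing copies and what the storage area is using.
vssadmin list shadows /for=D:
vssadmin list shadowstorage

# The GUI schedule is an ordinary scheduled task; an equivalent one:
$action    = New-ScheduledTaskAction -Execute 'vssadmin.exe' -Argument 'create shadow /for=D:'
$trigger   = New-ScheduledTaskTrigger -Daily -At '07:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'ShadowCopy D' -Action $action -Trigger $trigger -Principal $principal
```

Shadow copies are a convenience for recovering overwritten files, not a backup: they live on the same disk and are deleted when the storage limit is hit, and malware running with admin rights can remove them with the same vssadmin tool.
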
Set NTFS Quotas.
By Default Quotas are not enabled. By enabling you have not set any restrictions. You can then
set up a default limit and a warning level. This will create an event log when a user exceeds the
items. You can also deny access if quota is exceeded (not recommended)
In quota entries you can select quota, then put a username or group into the entry. You can
then set the limits that the person has access to.
Add roles and features, file and storage there is file server resource manager. This will allow a
more flexible quota setup.
Open Server manager and then file server resource manager. By default there are no quotas
but there are templates pre-built for this. Right-click and select create quota. Browse path to the
target location. You can then set from a template or define a custom quota allowed. Hard quota
will lock the user from saving, soft will email, create an event log, run a command (IE something
that checks the files being saved) When doing a custom it will ask you to save as a template for
future use when created.
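
Added example (not from the notes) of the FSRM quota described above using the FileServerResourceManager cmdlets: a soft quota with an event-log warning at 85 percent, then a hard quota built from a custom template. Paths and sizes are made up; the [Quota ...] tokens in the message are FSRM's own substitution variables.

```powershell
Import-Module FileServerResourceManager

# Warning action at 85%: write a Warning to the Application log (one of the
# "soft" actions the notes list; -Type Email and -Type Command also exist).
$warn = New-FsrmAction -Type Event -EventType Warning `
        -Body 'User [Source Io Owner] reached [Quota Threshold]% of the quota on [Quota Path].'
$at85 = New-FsrmQuotaThreshold -Percentage 85 -Action $warn

# Soft quota: logs at the threshold but never blocks saves.
New-FsrmQuota -Path 'D:\Shares\Home\alice' -Size 5GB -Threshold $at85 -SoftLimit

# Hard quota via a custom template (built once, reused per folder). Without
# -SoftLimit the template is hard, i.e. writes fail once the limit is reached.
New-FsrmQuotaTemplate -Name 'Home 5GB Hard' -Size 5GB -Threshold $at85
New-FsrmQuota -Path 'D:\Shares\Home\bob' -Template 'Home 5GB Hard'

# Review usage against the limits.
Get-FsrmQuota |
    Where-Object Path -like 'D:\Shares\Home\*' |
    Select-Object Path, Size, Usage, SoftLimit, Template
```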

Create and Configure Work Folders.


These allow for syncing back and forth to servers and clients.
First add Roles and Features, File and Storage Services, File and iSCSI Services, and select
Work Folders. Add the feature and select Install.
Under File and Storage Services select Work Folders. A wizard guides you through setting up the
work folder. You then select your path, choose how the user subfolders are named (user alias, or
alias with domain name), select a share name if not already chosen, and add a person or group
with sync access.
From the client: System and Security, Work Folders, Set up Work Folders. Type in the required
email address; this then creates the work folder. For access across the Internet you will need
certificates and firewall changes.

Terminology.
The physical device is a Print Device.
The Print Server is the server managing the print devices.
A Printer Pool lets one printer drive multiple print devices.
A Printer is the software queue on the server.
The Printer Driver is what communicates with the print device.
The Print Queue handles the sending and priority of print jobs.

Installing the Role.


Server manager, manage, add roles and features, print and document services, include the
client tools. Select next, then next to install the role.
This can also be setup to support scanning, internet printer and unix printing.
Once installed you get a list of the installed printers and print devices via the print management
tool.
Setup Via control panel.
Hardware, devices and printers, advanced printer setup. Select the printer that I want isn’t listed.
In the next screen select a shared printer. (also via ip, host name or bluetooth). You can also set
as local. You can use existing port of file, it will then take you to the driver selection page. You
can then set the printer name (again not device) and then set the printer as shared. In the share
you set the share name, Location (this is a physical location) comment is a general note. You
can then print a test page.

Setting up Printers via the management console.


Tools, Print Management, right-click print management will allow you to add and remove
printers.
To change the drivers you can select the drivers portion and then select the driver you want to
modify or change.
This follows the same steps as the control panel in the majority of the steps.
You can then publish the printer if the print server is part of active directory. This will add the
printer into active directory. You can also manage multiple via Server Manager on client by
using the print management tool and selecting add server.
You can then search within active directory if the item is published, double clicking on the item
will install the printer locally for you so you can print to the print device.

The Easy Print driver allows printing via Remote Desktop or Terminal Services. It is configured
via Group Policy.

Printer Pooling.
This allows you to point a printer to multiple print devices by adding extra ports. The print
devices need to be able to use the same drivers.
Open the print management console. Select into printers and open the target printer properties.
You can see from here general settings, sharing and ports. Under settings you can see the
driver for the printer.
Under ports you can then select add to ports. (these can be local, ip and thinprint) At the bottom
of the page there is a selection that says allow printer pooling.

Enable Branch Office Direct printing.


This allows clients in a branch office to print to a local printer without having to cross the wan to
get to the print server.

Configure Printer Priorities.


This allows you to increase the printer usability. Follow same steps to open the print
management console. First Create a port by right clicking ports and selecting Add a port. Name
the Printer and select the port description. From here you need to create the software defined
printers. This is handled the same as installing your printers.
Once the printer is installed we can alter the printing priority. Go into printer properties and the
advanced tab. You can from here set times that the printer is available and the printing priorities.
1=lowest 99=highest.
Once a job is in progress the job will complete. The item with the highest priority will then take
the next spot. If two jobs have the same priority the one in queue longer will print first.
You can then set the printer permissions to keep people from printing to the wrong printer in a
pool.

Printer Permissions.
By Default everyone can print and view printers.
From print management right click on the print server and select properties. Select security and
you can see the access levels of the basic groups defined.
You can also control the printers via the same rough steps by right clicking, selecting properties
and selecting security. From here you can define user access the same as define access to a
share or print server.
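
Added example (not from the notes) that pulls the print sections together with the PrintManagement cmdlets: one port, two printer queues on the same device with different priorities (the setup under Printer Priorities), AD publishing, Branch Office Direct Printing, and a read-out of the printer's security descriptor. The address, names and location are made up; the in-box "Generic / Text Only" driver stands in for a real one.

```powershell
Import-Module PrintManagement

# One TCP/IP port to the physical device.
Add-PrinterPort -Name 'IP_10.0.20.15' -PrinterHostAddress '10.0.20.15'

# A driver must exist on the server before a printer can reference it.
Add-PrinterDriver -Name 'Generic / Text Only'

# Two queues (printers) on the same port: normal work at priority 1, urgent at 99.
# -Published requires the server to be domain-joined; it lists the printer in AD.
Add-Printer -Name 'Finance-Normal' -DriverName 'Generic / Text Only' -PortName 'IP_10.0.20.15' `
            -Shared -ShareName 'Finance-Normal' -Location 'Bldg 2, Floor 3' -Priority 1 -Published
Add-Printer -Name 'Finance-Urgent' -DriverName 'Generic / Text Only' -PortName 'IP_10.0.20.15' `
            -Shared -ShareName 'Finance-Urgent' -Location 'Bldg 2, Floor 3' -Priority 99 -Published

# Branch Office Direct Printing: clients render and send jobs straight to the
# device; the server keeps only the queue definition and logs.
Set-Printer -Name 'Finance-Normal' -RenderingMode BranchOffice

# Review: priorities and who may print/manage (DACL in SDDL form).
Get-Printer -Full | Where-Object Name -like 'Finance-*' |
    Select-Object Name, PortName, Priority, Published, RenderingMode, PermissionSDDL
```

Restricting the Finance-Urgent queue's permissions (the Printer Permissions section) is what stops everyone from simply printing to the high-priority queue; without that, the priority scheme has no effect.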

Group Policy.
Not intended as the management tool for servers; it is meant to manage users.

The Group Policy Container lives in Active Directory and stores attributes. It can be found within
ADUC: View, Advanced Features, System, Policies. It shows any existing group policies.
The Group Policy Template holds the settings and exists in SYSVOL. It holds the content of the
policy itself. It can be found under \\<name>\SYSVOL\<name>.
A Group Policy Object is the combination of the container and template. It is split between
Computer Configuration, which manages computer settings (written to HKEY_LOCAL_MACHINE),
and User Configuration, which determines user settings (written to HKEY_CURRENT_USER).
OUs are the primary place a GPO gets linked.
When created, a GPO contains both the User and Computer Configuration sides.

Group Policy Precedence.


This is if GPO conflicts with another. It reads Local First, which can be overwritten by Site policy.
Site will lose out to Domain. Domain will lose out to OU. Last Writer will always take
precedence.

Configure A Central Store.


Before Server 2008 the files lived in an ADM file.
In 2008 and R2 this was changed to ADMX and ADML. ADMX took content in the ADM file and
moved it to XML. It then created a human readable file in ADML. This also referenced a central
ADMX instead of creating a new one for each GPO.
To create a central store you copy the contents of C:\Windows\PolicyDefinitions. This folder
contains the ADMX files needed for a central store.
Creating the central store is done by copying the PolicyDefinitions folder and pasting it into
the new location, as follows.
To take advantage of the benefits of .admx files, you must create a Central Store in the
SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the
Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The
files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named
PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies

Note FQDN is a fully qualified domain name.

PCname: C:\Windows\SYSVOL\<name>\Policies\PolicyDefinitions (the new folder named PolicyDefinitions).


Once you have the Central Store configured it will pull admin templates from the sysvol.
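
Added example (not from the notes): creating the Central Store from a domain controller with PowerShell, using the path format given above, then checking what landed there.

```powershell
Import-Module ActiveDirectory

# Build \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions from the domain's DNS name.
$fqdn  = (Get-ADDomain).DNSRoot
$store = "\\$fqdn\SYSVOL\$fqdn\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    # Copy the .admx files and the language subfolders (.adml) from the
    # reference machine; this should be the newest, fully patched OS you manage
    # so its templates cover every setting.
    Copy-Item -Path 'C:\Windows\PolicyDefinitions' -Destination $store -Recurse
}

# Verify: template count and at least one language folder (e.g. en-US).
Get-ChildItem $store -Filter *.admx | Measure-Object | Select-Object Count
Get-ChildItem $store -Directory | Select-Object Name

# SYSVOL replication carries the folder to the other DCs; GPMC then shows
# "Policy definitions (ADMX files) retrieved from the central store".
```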

Starter GPO.
A starter GPO is used as the starting point when creating a new policy.
It can be created from the Group Policy Management console by right-clicking Starter GPOs and
creating a new one. A starter GPO is limited to the Administrative Templates settings. These can
also be exported as a .cab file that can be given to another person or system.
From PowerShell:
New-GPStarterGPO
New-GPO

Configure GPO Links.


The object is found in the Group Policy Objects. It can then be linked to Users or Computers,
but only one OU at a time.
You can then set either user or computer settings disabled from Details in GPO status. Best
Practice is to leave the item enabled.
You can then set Block Inheritance in an OU which will keep an OU from getting a GPO.
Enforced will make sure that domain policies get past blocks.
You can also set a GPO that does not apply to all users or computers within an OU. From
Delegation under the GPO you are working with you can select advanced. You can then add in
a group and then select Deny Apply Group Policy. This will make it so the Group Policy does
not get applied to certain groups.
This can also be done via WMI (discussed in 70-411)
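
Added example (not from the notes) covering the Starter GPO and GPO Links sections with the GroupPolicy module: a starter GPO, a GPO built from it, the link, enforcement, block inheritance and disabling one side. The OU paths, domain and names are made up.

```powershell
Import-Module GroupPolicy

# Starter GPO (Administrative Templates only) and a GPO seeded from it.
New-GPStarterGPO -Name 'Baseline Starter' -Comment 'Admin template settings only'
$gpo = New-GPO -Name 'Workstation Baseline' -StarterGpoName 'Baseline Starter'

# Link it to an OU. -Enforced Yes makes the link win over Block Inheritance
# and over conflicting settings linked lower down.
New-GPLink -Name $gpo.DisplayName -Target 'OU=Workstations,DC=contoso,DC=com' `
           -LinkEnabled Yes -Enforced Yes

# Only computer settings are used here, so disable the user side (GPO Status).
$gpo.GpoStatus = 'UserSettingsDisabled'

# Block inheritance on a child OU; the enforced link above still reaches it.
$kiosks = 'OU=Kiosks,OU=Workstations,DC=contoso,DC=com'
Set-GPInheritance -Target $kiosks -IsBlocked Yes

# What actually applies to the child OU, in precedence order (lower = applied later, wins).
(Get-GPInheritance -Target $kiosks).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled
```

Get-GPInheritance is the quickest check after any change to links or blocks: if a baseline GPO you expected to see is missing from the list, a Block Inheritance further up is the usual reason, and Enforced on the baseline link is the fix.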

Configure Multiple Local Group Policies.


These are policies that are applied on non-domain attached machines. In older versions of the
OS they couldn’t be managed by a remote admin.
Found within MMC, Group Policy Object editor. (this is specific to the local machine) You can
then set the focus (IE local computer or local users of the machine)
MLGPO has a different Precedence order.
Local GPO, Administrator VS Non-Administrator (this allows to configure certain things based
on admin status), Individual User (you can create multiple for each defined user on a machine)
Last Writer still wins.

Security Requirements Use Case.


Disable the local built-in Administrator account and replace it with something else.
Add an IT global group.
Grant the IT Backups group the right to perform remote backups.
Enforce machine lock after 15 minutes of inactivity and display user info once locked.
Audit logon and account logon failure events.
Audit removable storage.
Enforce UAC and remove the over-the-shoulder elevation prompt.
Disable UAC prompts for software installs.

Configure the Local Users and Groups.


First determine where the GPO needs to be placed to be effective.
Name the GPO you want to create in the location determined.
Edit it within the GPME and select the side you need to edit (User or Computer).
To create the new user: in Local Users and Groups create a new local user (name it as needed)
and set the settings that are needed. Then create a new group that the new user can be added
to. You can select Delete all member users and groups, which adds security by removing any
members not listed. To this new group add the needed groups (e.g. Domain Admins, IT Help Desk)
and the new local account that was just created. The local account is referenced in the Add
dialog as %computername%\<account you created>, which resolves to the locally created account
on each machine.
To disable an existing account, create a new local user item, select the account you want to
modify under User name, and in the steps below select "Account is disabled".

gpupdate /force forces a Group Policy update on whichever computer you run it on. You can then
run gpresult /r to see the GPOs that are being applied.

Granting IT backups groups right to perform remote backups.


Select your Group policy and then select local policy. From there select User Rights
Assignment.
Add the appropriate group to the “backup files and directories” as well as “Access this computer
from the network”

Configure Security options for screen locking.


Also found within Local Policies, under Security Options.
First set Interactive logon: Machine inactivity limit. Set your time (in seconds).
Then select Interactive logon: Display user information when the session is locked. Once
opened, select the user name display option in the drop-down box.
Configure Audit Logon
You can see the older items under Audit Policy, but Advanced Audit Policy Configuration gives
much tighter control.
Select Advanced Audit Policy Configuration.
Under Account Logon select Audit Credential Validation. From here you can set it to generate a
log entry on success, failure or both. Then check Logon/Logoff and select Audit Logon and Audit
Logoff, selecting success or failure in the same way.

Audit Removable Storage.


Under Audit Policies select Object Access. Then select Audit Removable Storage and set it for
success and failure.

Make sure that the advanced settings are used.


In Security Options select "Audit: Force audit policy subcategory settings (Windows Vista or
later) to override audit policy category settings". When enabled, the advanced (subcategory)
options are used rather than the general category options.

You can then check the audit policy by typing auditpol /get /category:* at a cmd prompt, which
shows all audit policies.
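
Added example (not from the notes): the audit settings from the use case applied on a single machine with auditpol.exe, the subcategory override forced, and the result read back along with the events it produces. In a domain the same subcategories are set in the GPO as described above; this is the local equivalent and a way to verify what a client ended up with.

```powershell
# Force subcategory settings to override the legacy category settings. This is
# the registry value behind the "Audit: Force audit policy subcategory settings"
# security option.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# Account Logon: credential validation (NTLM/Kerberos checks on a DC or local SAM).
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# Logon/Logoff: failures on logon are the interesting ones; logoff success only.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

# Object Access: removable storage.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable

# Verify: everything, then just the subcategories touched above.
auditpol /get /category:*
auditpol /get /subcategory:"Credential Validation","Logon","Logoff","Removable Storage"

# What the policy produces: failed logons are Event ID 4625 in the Security log.
# Properties[5] is the target user name in that event.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Account'; e={ $_.Properties[5].Value }}
```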

Configuring User account Control.


The UAC is found under Security Options near the bottom.
Set the UAC Behavior of Elevation prompt gives the following, Elevate without prompting,
prompt for credentials on the secure desktop, Prompt for consent on secure desktop and so-on.
In most situations you will set prompt for consent.
You may also want to set the local administration account to include the same defaults.
You can then disable the over the shoulder elevation prompt by setting the item to deny.
You can then set the Detect Application Installation to disabled so it does not require elevation
when installing software packages.
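
Added example (not from the notes): a check of the UAC settings described above against the use case, reading the registry values that the Security Options policies write. The expected numbers are Microsoft's documented encodings for those policies; in a domain the values are set by GPO, and this script is the audit of what a machine actually has.

```powershell
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Target state from the use case.
$want = @{
    EnableLUA                  = 1   # "Run all administrators in Admin Approval Mode": UAC on
    ConsentPromptBehaviorAdmin = 2   # admins: prompt for consent on the secure desktop
    ConsentPromptBehaviorUser  = 0   # standard users: automatically deny (no over-the-shoulder prompt)
    PromptOnSecureDesktop      = 1   # prompts appear on the secure desktop
    EnableInstallerDetection   = 0   # "Detect application installations and prompt": disabled
}

function Test-UacBaseline {
    $actual = Get-ItemProperty -Path $uacKey
    foreach ($name in $want.Keys) {
        $value = $actual.$name          # $null when the value is absent (OS default applies)
        [pscustomobject]@{
            Setting  = $name
            Expected = $want[$name]
            Actual   = $value
            OK       = ($value -eq $want[$name])
        }
    }
}

Test-UacBaseline | Sort-Object Setting | Format-Table -AutoSize

# Local fix for a single value (prefer the GPO on domain members):
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -Value 0 -Type DWord
```

Denying standard-user elevation (ConsentPromptBehaviorUser = 0) is the setting that removes the over-the-shoulder prompt: a non-admin cannot be talked into typing an administrator's password into a prompt that never appears.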

Configure Security Templates.


This can accomplish the same things the GPO settings can. Open Tools, Local Security Policy to
see the policy. To make this easier you can export the policy to an .inf file.
To import, open MMC and add the Security Templates and Security Configuration and Analysis
snap-ins. Use Security Templates to view the file and make sure it is correct.
You can then use Security Configuration and Analysis to compare the file against the system; it
reports back the differences between the database and the computer's settings.
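
Added example (not from the notes) of the export, analyze and apply cycle with secedit.exe, which is what the two snap-ins drive. The paths are made up.

```powershell
$template = 'C:\Baselines\server-baseline.inf'
$db       = 'C:\Baselines\server-baseline.sdb'
New-Item -ItemType Directory -Path 'C:\Baselines' -Force | Out-Null

# 1. On the reference machine: export the current local security policy
#    (account policy, local policies, user rights, audit, services ...) to .inf.
secedit /export /cfg $template

# 2. On the target: load the template into a database and compare it with the
#    live settings. The log lists each setting as Mismatch / Not Configured / OK.
secedit /analyze /db $db /cfg $template /log 'C:\Baselines\analysis.log'
Select-String -Path 'C:\Baselines\analysis.log' -Pattern 'Mismatch' |
    Select-Object -First 20 Line

# 3. Apply only the areas you intend to change; /areas limits the scope
#    (SECURITYPOLICY = account and local policies, USER_RIGHTS = user rights
#    assignment; others are GROUP_MGMT, REGKEYS, FILESTORE, SERVICES).
secedit /configure /db $db /cfg $template /areas SECURITYPOLICY USER_RIGHTS `
        /log 'C:\Baselines\configure.log'
```

Running /analyze before /configure, and keeping the analysis log, gives a record of exactly which settings the template changed on that machine.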

Blacklisting VS Whitelisting.
Blacklisting. IE AV Software. This will stop something from running on your system. It requires
consistent upgrading of the blacklist to keep things from getting through it.
Whitelisting. Is an explicit list of items that are allowed to run on a system.

Software Restriction Policies VS Applocker.


SRP: introduced with XP and 2003. Supported on all OS versions of Windows. Scoped to all users.
Rule types: file hash, path, certificate, registry path and Internet zone rules. Can use both
whitelisting and blacklisting. Always enforces the policy.
AppLocker: introduced with Windows 7 and 2008 R2. Requires Windows 7/8 Enterprise or Windows
Server Standard, Enterprise or Datacenter. Scoped to specific users or groups. Just file hash,
path and publisher rules. Only allows whitelisting. Allows for enforcing and auditing.

Configure Software Restriction Policy.


From the Domain Control launch the Group Policy Management Console then create a new
GPO. Name the GPO as needed and then select windows settings via computer configure or
user configure (depending on where this needs to be set). You can then open Security Settings
and software restriction policy. Default within SRP is unrestricted. You can set this to basic user
or disallowed. Be careful when setting disallowed as it can lock out all software if not configured
correctly. Basic user is mainly for Vista Clients.
Once the policy is set you can then set up the rules.
Cert Rules: You can use the cert rule to identify the cert and then import that policy for any apps
that have been signed with the cert. You most likely don’t have the cert.
Hash Rules will create a hash that is unique to the program you want to run. You can then set
the security level as needed. This becomes a problem if there are multiple .exe files that are
being run for a single file.
A path rule identifies the path to a location where the software is that is being allowed to run.
This will allow any .exe files under the path to run. If a malicious or unwanted .exe gets added to
the area then it will run.
Network Zone Rule work off the trusted sites rules.

Configure Applocker.
Create a GPO as normal.
Select Windows Settings and then select application control policies and then applocker.
It will allow you to select from the rules that applocker has. This will also allow you to set enforce
or audit only.
Packaged app rules only works on windows 8 and above (no confirm on 10 yet)
DLL rules can affect system performance.
In Executable rules you can select create default rules. This will create rules that allow for
windows folder and program files folders. The default rules can be created in windows install,
script and packaged app.
In Create New Rule under Executable Rules you can select Allow or Deny, then Permissions, and
set who (or what groups) this rule applies to. File path and hash still have the same pros and
cons. New with AppLocker are Publisher rules.
Publisher rules will allow you to set the target and will populate the publisher name, file name,
file version and product name. You can then adjust the slider to how specific you want to
become when setting this. hierarchy is: Publisher, Product Name, File name, File version. As
you go down the list the item becomes more specific. You can then enter exceptions to the
publisher rule which allow you to set items that are denied even if they pass the publisher
check.

Automatically generate Applocker rules.


You can set up a reference machine and have AppLocker generate rules from it. Under AppLocker,
Executable Rules, select Automatically Generate Rules. The reference machine needs the Group
Policy Management Console and GPME installed, because when you click Browse you only see the
local system. Once you set the path it tries to create rules based on publisher and file hash;
for items that are not signed you can select hash or path rules.
It identifies the publisher rules and the hash or path rules. It also tells you the number of
.exe files it has found.

Deploy Applocker.
Once all needed items have been set you can link the GPO to an OU. Make sure that the Application
Identity service is running; if it is not, AppLocker will not enforce anything.
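
Added example (not from the notes) of the Configure, Automatically Generate and Deploy AppLocker sections with the AppLocker module: rules generated from a reference directory, switched to audit mode, tested against sample files, merged into a GPO, the service started, and the audit events read back. The GPO GUID in the LDAP path is a placeholder.

```powershell
Import-Module AppLocker

# Reference set: publisher rules for signed files, hash rules for unsigned ones;
# -Optimize collapses duplicates into as few rules as possible.
$files   = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$xmlPath = 'C:\AppLocker\exe-rules.xml'
New-Item -ItemType Directory -Path 'C:\AppLocker' -Force | Out-Null
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $xmlPath -Encoding utf8

# Start in audit mode: set EnforcementMode on the Exe rule collection.
$xml = [xml](Get-Content -Path $xmlPath)
$xml.AppLockerPolicy.RuleCollection |
    Where-Object Type -eq 'Exe' |
    ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
$xml.Save($xmlPath)

# Would these files run under the new rules? PolicyDecision is Allowed, Denied,
# AllowedByDefault or DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\cmd.exe'

# Deploy: merge into the GPO (keeps rules already there) and make sure the
# Application Identity service runs, or nothing is evaluated.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge `
    -Ldap 'LDAP://contoso.com/CN={<GPO GUID placeholder>},CN=Policies,CN=System,DC=contoso,DC=com'
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# After gpupdate on a client: 8003 = would have been blocked (audit only),
# 8004 = blocked. Review these before switching the collection to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Audit mode first is the practical answer to the "disallowed can lock out all software" warning in the SRP section: the 8003 events show what users would have lost before any rule is enforced.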

Firewall Foundations.
By convention web servers listen on TCP/80. Dynamic ports are opened when a PC or server makes
a request; these are usually high-numbered and tend to close when the client drops the
connection.
You can configure both outbound and inbound rules. Servers tend to need different configuration,
since an outbound request from a PC matches an inbound rule on the server, and so on.

Configure Multiple Profiles using group policy.


Open GPMC. Create a new GPO for Firewall. You can then open policies, windows settings,
security settings and then windows firewall with advanced security. Select the items you want to
configure. In the most basic you can set it to turn off the firewall while on the domain under
domain profile.
You can then set the private and public profiles to turn the firewall on. From here you can set
both inbound and outbound to either allow or block. (block is default on outbound, allow is
default on inbound.) You can also set the notifications to show if something is blocked. You can
set unicast (yes by default). Then set rule merging, which will set local firewall settings and
apply local connection security rules. Both of these are yes by default (mind this is for local
admins).
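
Added example (not from the notes): the per-profile settings described above applied with the NetSecurity cmdlets. A GPO writes the same values; this is the local equivalent, which is also how you read back what a client ended up with. Unlike the walkthrough, it keeps the firewall on in the domain profile too.

```powershell
# Profile state and default actions for all three profiles. Windows' own
# defaults are inbound Block and outbound Allow; they are stated explicitly
# here so the result does not depend on what was set before.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True `
    -AllowUnicastResponseToMulticast True

# Rule merging on the Public profile: ignore firewall and IPsec rules that local
# administrators add, and log dropped packets so blocked traffic is visible.
Set-NetFirewallProfile -Profile Public `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Which profile is the active connection in, and what did the profiles end up with?
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowLocalFirewallRules, LogBlocked
```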

Configure Windows Firewall Allow and Deny.


Open GPMC. Access the windows firewall gpo and firewall settings.
Inbound rules by default is empty. You can select to create a new rule. You can set them via
Program(this will let you define a program that will be allowed to listen on any ports), Port(tcp or
udp then allow or deny connection and set does this apply domain private or public),
Predefined(this will allow for known microsoft connections IE printer sharing or remote
assistance), or custom. You can at the action portion set allow or block as needed, including
allow connection if secure (https)
Under the rule properties you can then build more customized rules that add user or computer
restrictions.
netsh advfirewall firewall /? shows the help for making these changes from the command line.

Import and Export Settings.


This allows you to create an example machine and move the rules over to another machine or
GPO.
On sample machine right click on windows firewall, select export. it will then create an exported
file.
On GPMC you can then right click on the inbound or outbound and select import and the file
location to import the rules.
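
Added example (not from the notes) covering the Allow and Deny section and the export/import section: the wizard's rule types as New-NetFirewallRule calls, then the whole policy exported and imported with netsh. The program path, port, subnet and file paths are made up.

```powershell
# Port rule: a line-of-business service reachable only from the management
# subnet and only in the domain profile. -Group makes the rules easy to find later.
New-NetFirewallRule -DisplayName 'LOB service 8080 from mgmt' -Group 'Custom Admin Rules' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow `
    -Profile Domain -RemoteAddress 10.0.50.0/24

# Program rule: one executable may listen on any port. Prefer a port rule when
# the port is known; a program rule follows the binary wherever it listens.
New-NetFirewallRule -DisplayName 'Allow LOB agent' -Group 'Custom Admin Rules' `
    -Direction Inbound -Program 'C:\Program Files\LobAgent\agent.exe' -Action Allow -Profile Domain

# Predefined: enable the built-in group instead of writing the rules yourself.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Block rule (outbound): deny a protocol you never expect servers to use.
New-NetFirewallRule -DisplayName 'Block Telnet out' -Group 'Custom Admin Rules' `
    -Direction Outbound -Protocol TCP -RemotePort 23 -Action Block

# Review what was created.
Get-NetFirewallRule -Group 'Custom Admin Rules' |
    Select-Object DisplayName, Direction, Action, Profile, Enabled

# Export the sample machine's full policy, then import it on another machine
# (a GPO import of the same .wfw file is done from the GPMC as described above).
netsh advfirewall export 'C:\Baselines\firewall.wfw'
# netsh advfirewall import 'C:\Baselines\firewall.wfw'
```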

Configuration of connection security rules.


This is generally IPsec (IP Security). Turning on encryption can be a performance drain. You
can open IPsec Settings and select Customize. This gives the options for key exchange, data
protection and authentication method. You can select User, Computer, Computer and User, or
Advanced.
These are created via Windows Firewall with Advanced Security, then Connection Security Rules.
From here you can select:
Isolation: this creates a domain of machines that can communicate with each other but with no
one on the outside.
Authentication Exemption: does not authenticate connections with, or deny connections from, the
exempted computers.
Server-to-server: authenticate connections between the specified computers. Lets you
authenticate a connection between two specific locations, choosing which IPs are allowed.
Tunnel: authenticate via multiple machines on a specific path.

Configure Authenticated Firewall Exception (bypass)


This assumes that if someone has already been authenticated, rules can be set for trusted
computers. This is akin to isolation-lite.
Under Inbound Rules you can set a port rule and then Allow the connection if it is secure. This
allows the connection if the user or computer is trusted. On the next page you can set:
Allow the connection if it is authenticated and integrity-protected (allow only connections that
are both authenticated and protected using IPsec; only compatible with Vista and later).
Require the connections to be encrypted.
Allow the connection to use null encapsulation.
At the bottom there is a checkbox to override block rules. This means that if the connection
would otherwise be blocked, the authenticated user or computer can bypass the block.
When you click Next you can enter the authorized users, computers or groups as needed.
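
Added example (not from the notes) for the connection security rules and authenticated bypass sections: an isolation rule that requires IPsec inbound and requests it outbound, and a firewall rule for a management port that is open only to computers in one AD group, encrypted, and allowed to override a block rule. The group name, port and domain are made up.

```powershell
# Isolation: inbound connections must be authenticated, outbound ones request
# it (so peers that cannot do IPsec still work outbound). With no auth set
# given, the default phase 1 method (Kerberos computer authentication) is used.
New-NetIPsecRule -DisplayName 'Domain isolation' -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request

# Authenticated bypass: the "Allow the connection if it is secure" rule.
# -RemoteMachine takes an SDDL string naming the computers allowed through;
# the SID comes from the group in AD.
Import-Module ActiveDirectory
$sid = (Get-ADGroup -Identity 'Mgmt Servers').SID.Value

New-NetFirewallRule -DisplayName 'Mgmt port 8443 - authenticated computers only' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 -Action Allow -Profile Domain `
    -Authentication Required `          # "authenticated and integrity-protected"
    -Encryption Required `              # "require the connections to be encrypted"
    -OverrideBlockRules $true `         # the "override block rules" checkbox
    -RemoteMachine "D:(A;;CC;;;$sid)"   # authorized computers

# Review the IPsec rule, and the security associations once peers connect.
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

The OverrideBlockRules setting is the one to audit: a rule with it set punches through explicit block rules for whoever is in the SDDL, so the group membership behind that SID deserves the same review as a firewall exception.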

Installing Hyper-V
Hyper-V can be installed as a role in 2012 R2, or you can install the standalone Hyper-V Server.
From PowerShell: Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
Server Manager, Manage, Add Roles and Features, select the server you want, then select Hyper-V
from the list of roles. Choose whether to include the management tools, then click Next, then
Next. Specific to Hyper-V, it requires a network for the guest machines to work on (it is
suggested you have multiple NICs on the server Hyper-V runs on). It then asks whether you want to
set up virtual machine migration (this can be adjusted later), then asks for the locations for
the Hyper-V files. (The defaults are C:\ProgramData\Microsoft\Windows\Hyper-V for the virtual
machine configuration files and C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks for the
virtual hard disks.)
You can then select Next and start the install with or without an automatic restart.

Creating a Hyper-V Virtual Machine.

From PowerShell: the nouns of the cmdlets are prefixed with VM (Get-VM, New-VM and so on). The cmdlets are found in the Hyper-V module.
From Server Manager: launch the tool Hyper-V Manager.
In Hyper-V Manager you can connect to multiple servers. The first pane lists any virtual machines. On the right side select New, Virtual Machine. A wizard opens; click Next and then set a name. Below the name you can set the path for the virtual machine's storage location.
It will then ask whether you want a Gen1 or Gen2 machine. Once the VM is created the generation cannot be changed.
Gen1: uses x86 BIOS; supports floppy drives, legacy IDE controllers, legacy network adapters and COM ports.
Gen2: does not support the Gen1 legacy items. It uses Unified Extensible Firmware Interface (UEFI) instead of BIOS and allows PXE boot and SCSI boot. Gen2 is only supported for 2012, 2012 R2 and Windows 8.1 guests. It also supports up to 8 network adapters.
Then select the memory you want and whether the memory is dynamic. On the next page you select the network settings.
The next page creates a virtual hard disk. For a Gen2 VM it creates a VHDX, dynamic by default. On this page you can instead use an existing virtual hard disk or choose to create a disk later. (In most instances it is better to create the disk later so you have firmer control over its settings.)
The next page allows for install of the OS. You can select install later, install from ISO, or PXE boot (Gen2).
Once completed, the wizard lets you start the machine (this does not happen automatically). Once started, you can begin the install of the OS you want.
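The same wizard steps driven from the Hyper-V module, as an added example that is not part of the original notes. The VM name, the D: paths, the ISO path and the switch name "External" are placeholders; the host is assumed to already have the Hyper-V role.

```powershell
# Added example (not from the original notes). VM name, paths and switch name are placeholders.
Import-Module Hyper-V

$vmName  = 'LAB-SRV01'
$vmPath  = 'D:\Hyper-V\VMs'                     # assumed location for the VM config files
$vhdPath = "D:\Hyper-V\VHDs\$vmName.vhdx"
$isoPath = 'D:\ISO\WindowsServer2012R2.iso'     # placeholder install media

# Generation cannot be changed after creation, so it is decided here.
# -NoVHD mirrors "create a disk later" so the disk settings are controlled separately.
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB `
       -Path $vmPath -SwitchName 'External' -NoVHD | Out-Null

# Create the VHDX with the parameters we want, then attach it to the SCSI controller.
New-VHD -Path $vhdPath -SizeBytes 60GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -Path $vhdPath

# Attach the ISO and make the DVD drive the first boot device in the Gen2 firmware.
$dvd = Add-VMDvdDrive -VMName $vmName -Path $isoPath -Passthru
Set-VMFirmware -VMName $vmName -FirstBootDevice $dvd

# Gen2 enables Secure Boot by default; confirm it rather than assume it.
Get-VMFirmware -VMName $vmName | Select-Object SecureBoot, BootOrder

# Neither the wizard nor New-VM starts the machine automatically.
Start-VM -Name $vmName
```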

Configuring Dynamic Memory.

Hyper-V assumes you will run multiple machines on the same host, so it includes a tool that allows memory to be shared between them. To get to the settings for dynamic memory, right-click on the VM and select Settings. (From here you can also checkpoint, move, export, rename, delete or replicate the VM.)
On a Gen 2 VM the settings contain a Firmware option with the boot sequence.
On a Gen 1 VM the settings show COM ports, a diskette drive and IDE controllers. Under Hardware it also includes a Legacy Network Adapter.
Both have a Memory section where you can see the RAM that was set for the machine. Below this is a checkbox that says "Enable Dynamic Memory". Once enabled, you can set the minimum amount of RAM for the virtual machine, then the maximum amount of memory. You can then set a Buffer; this is RAM that stays in a reserved state so the VM has headroom.
Weight is how important the server is when it asks for memory. (Low is least likely to get the memory it asks for; High is most likely.)
Some products do not work well with dynamic memory. (Exchange uses its memory to cache operations and tends to be hurt by dynamic memory.)

Configure Smart Paging.

With dynamic memory you can run into some issues. If the minimum is below the startup RAM, the VM may have problems restarting. Smart Paging creates a set of temporary files on disk to cover the difference between minimum and startup RAM. You cannot change this setting while the VM is running. Smart Paging files are by default located in C:\programdata\microsoft\windows\hyper-v. When the Smart Paging file is no longer needed it is removed. Windows 2012 and R2 handle this automatically.
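The dynamic memory and Smart Paging settings from the two sections above, set from PowerShell as an added example that is not part of the original notes. The VM name and the D:\Hyper-V\SmartPaging path are placeholders, and the minimum is deliberately set below startup so that Smart Paging is the case that matters on restart.

```powershell
# Added example (not from the original notes). VM name and paths are placeholders.
Import-Module Hyper-V
$vmName = 'LAB-SRV01'

# These settings are changed with the VM off (the Smart Paging path cannot be changed while running).
if ((Get-VM -Name $vmName).State -ne 'Off') {
    throw "Stop $vmName first; memory and Smart Paging settings are changed while it is off."
}

# Startup 1 GB, minimum 512 MB, maximum 4 GB, 20% buffer, medium priority (the "Weight" slider).
# Minimum below startup is exactly the situation Smart Paging exists to cover on a restart.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true `
    -StartupBytes 1GB -MinimumBytes 512MB -MaximumBytes 4GB `
    -Buffer 20 -Priority 50

# Move the Smart Paging file off the system drive (default is under C:\ProgramData\...\Hyper-V).
Set-VM -Name $vmName -SmartPagingFilePath 'D:\Hyper-V\SmartPaging'

# Verify what was applied; SmartPagingFileInUse shows whether the host is paging right now.
Get-VMMemory -VMName $vmName |
    Format-List DynamicMemoryEnabled, Startup, Minimum, Maximum, Buffer, Priority
Get-VM -Name $vmName | Select-Object Name, SmartPagingFilePath, SmartPagingFileInUse
```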

Configure Resource Metering.

This shows you the resources that are currently being used. In Server 2012 R2 resource metering was added to replace tools that may not show correct numbers.
This is done via PowerShell. You can start with Get-VM, which shows the VMs that are configured on the Hyper-V host.
To get more detail: Get-VM -Name <VM name> | Format-List -Property * (this shows the state and whether resource metering is enabled). Resource metering is not enabled by default.
To turn resource metering on: Get-VM -Name <VM name> | Enable-VMResourceMetering. This is all that is needed.
To gather the information the cmdlet is Measure-VM.
Get-VM -Name <VM name> | Measure-VM shows the results for the VM, with items like average memory usage, maximum usage and minimum usage. This gives you an idea of whether more resources are needed. You can then disable metering when it is no longer needed.
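Putting the metering cmdlets together, as an added example that is not part of the original notes: meter every VM on the host, then compare each VM's peak memory use against its configured maximum. A VM without dynamic memory reports a very large default maximum, so the NearCeiling flag is only meaningful for dynamic-memory VMs.

```powershell
# Added example (not from the original notes). Runs on the Hyper-V host against all its VMs.
Import-Module Hyper-V

# Enable metering on all VMs (safe to repeat; counters accumulate from this point).
Get-VM | Enable-VMResourceMetering

# ... let the workload run for a representative period, then build a sizing report:
$report = foreach ($vm in Get-VM) {
    $m = Measure-VM -VMName $vm.Name
    $maxConfiguredMB = (Get-VMMemory -VMName $vm.Name).Maximum / 1MB
    [pscustomobject]@{
        VM           = $vm.Name
        AvgCPU_MHz   = $m.AverageProcessorUsage
        AvgRAM_MB    = $m.AverageMemoryUsage
        MaxRAM_MB    = $m.MaximumMemoryUsage
        MinRAM_MB    = $m.MinimumMemoryUsage
        MaxConfig_MB = $maxConfiguredMB
        # Peak within 10% of the ceiling suggests the maximum is too low for this guest.
        NearCeiling  = ($m.MaximumMemoryUsage -ge 0.9 * $maxConfiguredMB)
        Hours        = [math]::Round($m.MeteringDuration.TotalHours, 1)
    }
}
$report | Format-Table -AutoSize

# Reset the counters to start a fresh window, or disable when no longer needed.
Get-VM | Reset-VMResourceMetering
# Get-VM | Disable-VMResourceMetering
```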

Configuring Guest Integration Services.

This allows you to install enhanced drivers for performance and connectivity, replacing the generic drivers that installed with the OS. Under Integration Services it shows "update required" if an update is needed. Integration services allow for things like time sync between host and guest, data exchange (registry info) and backup (checkpoint) of the VM.
To set them up you install them on the guest OS (the VM). Under Action there is an option that says Insert Integration Services Setup Disk. It then gives an install prompt. Once installed, a restart is required. Once completed, it shows the integration services as up to date, and you can control which services you want to use.

Configure Enhanced Session Mode and RemoteFX.

These settings are built to assist VDI.
Enhanced Session Mode is on by default in Server 2008 but off by default in 2012 R2. Under the Hyper-V settings, on the left-hand side, is the item Enhanced Session Mode Policy. In here there is a checkbox that turns the feature on. This allows local items to be used on the VM (commonly USB devices, printers and CD drives).

RemoteFX allows a GPU to be used to render graphics rather than the CPU. To set this up you first need a graphics card. It must be at least DX11 compatible, and SLAT must be supported. Once that is done you need to install the Remote Desktop Virtualization Host role service under Remote Desktop Services via Roles and Features.
Once that is completed, a Gen 1 VM can be given the adapter via Add Hardware and selecting RemoteFX 3D Video Adapter from the list.
Gen 2 can access this feature via the Physical Graphics setting.
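The per-VM integration service switches and the host-level Enhanced Session Mode toggle from the two sections above, as an added example that is not part of the original notes. The VM name is a placeholder; the service names are the ones Hyper-V uses.

```powershell
# Added example (not from the original notes). VM name is a placeholder.
Import-Module Hyper-V
$vmName = 'LAB-SRV01'

# Enumerate the services and whether the guest-side component is current.
Get-VMIntegrationService -VMName $vmName |
    Format-Table Name, Enabled, PrimaryStatusDescription, SecondaryStatusDescription -AutoSize

# Time sync, KVP data exchange and VSS backup are the three the notes call out.
'Time Synchronization', 'Key-Value Pair Exchange', 'VSS' |
    ForEach-Object { Enable-VMIntegrationService -VMName $vmName -Name $_ }

# 'Guest Service Interface' permits host-to-guest file copy (Copy-VMFile). It is off by default;
# leave it off unless needed, since it widens what a host administrator can do inside the guest.
Disable-VMIntegrationService -VMName $vmName -Name 'Guest Service Interface'

# Enhanced Session Mode is a host setting (off by default on 2012 R2). The guest also needs
# Remote Desktop Services running for the local USB/printer/CD redirection to work.
Set-VMHost -EnableEnhancedSessionMode $true
Get-VMHost | Select-Object Name, EnableEnhancedSessionMode
```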

Creating VHD and VHDX

Under the New option in Hyper-V Manager you can select Hard Disk.
VHD supports older-style VMs (2008 and 2008 R2) and supports up to 2 terabytes.
VHDX supports up to 64 TB. This runs on Server 2012 R2.
Select the type you want. On the next page it asks you to choose a disk type.
Fixed sets the size immediately; Dynamic sets the max size and grows as needed.
Fixed has better performance because it creates the full amount up front. Some apps require a fixed disk to be selected.
On the next page you can set the name you want to call the drive. It then tells you the max size you can make the drive. Below that section it shows what is physically available to the VM.
Once done, you can open the SCSI controller in the VM settings and browse to the disk that has been created.
A dynamic disk takes less total space up front, but a fixed disk is the better choice when an application needs a lot of input/output operations. During the creation process it shows you the max size that you can make the disk. It expands toward the size set over time and with use.

Creating a Differencing disk.

A differencing disk is created the same way as a VHD or VHDX.
The disk is meant to keep an OS separate from the rest of the written items. This allows you to roll back by deleting the differencing disk. It stores the changes that are made after the OS is installed.
Differencing disks are non-bootable on their own and must be hooked to a parent disk. On the next page the wizard asks you to attach the disk to a parent disk.
This allows you to use a base virtual disk as the parent for multiple VMs: the machine reads the base settings from the parent, and any changes are written to the differencing disk.

Modify Virtual Disks.

Converting VHD to VHDX: select Edit Disk. It asks you to identify the disk you want to work with. The next page shows Convert and Expand. Convert asks what you want to convert it to, and whether you want it fixed or dynamic. It then asks for a new location to save the disk.
When editing a dynamic disk the first steps are much the same. The Convert and Expand page also adds Compact (this is also available on a differencing disk). Once Compact is selected it removes unused space and finishes.
To expand, follow the same steps as above and choose Expand. It then brings you to a page that lets you expand the size as needed.
Differencing disks also have the option to Merge. This merges the changes that have been made into the parent disk.
Shrinking a disk: the process must start inside the VM first. This is done via Computer Management and Disk Management. Once there you can select the volume you want to change and then select Shrink Volume. You can then set the new size. Once this change is made, Edit Disk will include the Shrink option. From there you can set the space to close the gap between what was originally set and what is needed.
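The disk operations from the three sections above (fixed, dynamic and differencing creation, then convert, merge, expand, shrink and compact), as one added PowerShell example that is not part of the original notes. The D:\Hyper-V\VHDs paths and the legacy.vhd file are placeholders; the disks are assumed not to be attached to a running VM.

```powershell
# Added example (not from the original notes). Paths are placeholders on a D: volume.
Import-Module Hyper-V
$base = 'D:\Hyper-V\VHDs'

# Fixed: full size allocated now (best I/O). Dynamic: grows on demand up to SizeBytes.
New-VHD -Path "$base\fixed.vhdx"  -SizeBytes 20GB -Fixed   | Out-Null
New-VHD -Path "$base\parent.vhdx" -SizeBytes 60GB -Dynamic | Out-Null

# Differencing: a child that records writes; the parent must stay unchanged while children exist.
New-VHD -Path "$base\child01.vhdx" -ParentPath "$base\parent.vhdx" -Differencing | Out-Null

# FileSize vs Size shows what was really allocated; ParentPath shows the chain.
Get-VHD -Path "$base\child01.vhdx" |
    Format-List VhdFormat, VhdType, ParentPath, Size, FileSize

# Convert an older VHD (2 TB limit) to VHDX; the source file is left in place.
if (Test-Path "$base\legacy.vhd") {
    Convert-VHD -Path "$base\legacy.vhd" -DestinationPath "$base\legacy.vhdx" -VHDType Dynamic
}

# Merge the child's changes back into the parent (one-way; the child file is removed afterwards).
Merge-VHD -Path "$base\child01.vhdx" -DestinationPath "$base\parent.vhdx"

# Expand the parent now that no child depends on it.
Resize-VHD -Path "$base\parent.vhdx" -SizeBytes 100GB

# Shrink: shrink the volume inside the guest first, then the file can be reduced to its minimum.
Resize-VHD -Path "$base\parent.vhdx" -ToMinimumSize

# Compact a dynamic or differencing disk to reclaim blocks the guest has freed.
Optimize-VHD -Path "$base\parent.vhdx" -Mode Full
```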

Configuring Pass-Through Disks.

Pass-through disks write directly to a specific physical disk and not to a file on the targeted disk.
Checkpoints do not work with a pass-through disk.
First you have to add storage to the Hyper-V host. You can see this via Disk Management. The disk has to be offline for the Hyper-V VM to use it. You will want to initialize the disk to make sure it has a partition table and then set it to offline.
To add it, you add the item to the VM in the SCSI section. Below the virtual disk portion is a section for Physical Hard Disk. It shows the disks that are available. Keep in mind that if the disk does not show, it may not be set to offline.
Once all that is done, open the VM, set the disk to online and set the drive letter wanted.

Manage Checkpoints.

A checkpoint captures the current state, data and configuration of the VM. You can also merge checkpoints. A pass-through disk cannot be checkpointed.
To create a checkpoint, right-click on the VM and select Checkpoint.
To use a checkpoint, right-click on the checkpoint that you want and select Apply. It gives you a warning that you will lose any changes. Checkpoints are not meant to be used as a backup; a backup system is still needed.
When deleting, you can select Delete Checkpoint for a specific checkpoint or Delete Checkpoint Subtree (this removes a checkpoint and any underneath it).
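The pass-through attach and the checkpoint lifecycle from the two sections above, as an added example that is not part of the original notes. Disk number 2, the VM name and the checkpoint name are placeholders; the example checks for a pass-through disk before checkpointing because the two do not combine.

```powershell
# Added example (not from the original notes). Disk number and VM name are placeholders.
Import-Module Hyper-V
$vmName = 'LAB-SRV01'

# Host side: the physical disk must have a partition table and then be offline
# before Hyper-V will list it as a physical hard disk for a VM.
if ((Get-Disk -Number 2).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number 2 -PartitionStyle GPT
}
Set-Disk -Number 2 -IsOffline $true

# Attach it as a pass-through disk on the VM's SCSI controller.
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -DiskNumber 2
# Inside the guest it then has to be brought online and given a drive letter.

# Checkpoints: a VM with a pass-through disk cannot be checkpointed, so test first.
$passThrough = Get-VMHardDiskDrive -VMName $vmName | Where-Object { $null -ne $_.DiskNumber }
if ($passThrough) {
    Write-Warning "$vmName has a pass-through disk; checkpoints are not supported."
} else {
    Checkpoint-VM -Name $vmName -SnapshotName 'Before patching'
    Get-VMSnapshot -VMName $vmName | Format-Table Name, CreationTime, ParentSnapshotName

    # Apply discards everything since the checkpoint; it is not a substitute for a backup.
    Restore-VMSnapshot -VMName $vmName -Name 'Before patching' -Confirm:$false

    # Delete this checkpoint and everything beneath it (the GUI's "Delete Checkpoint Subtree").
    Remove-VMSnapshot -VMName $vmName -Name 'Before patching' -IncludeAllChildSnapshots
}
```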

Implement Virtual Fibre Channel Adapter.

Select Virtual SAN Manager and then select Virtual Fibre Channel SAN. Once it is selected you can click Create and then set a name.
From there, in the settings of the VM, you can go to Add Hardware, select Fibre Channel Adapter and pick your virtual Fibre Channel SAN.

Configure Storage Quality of Service.

This is built to keep too many VMs competing for the same storage from causing problems. First you must know the amount of IOPS that your application needs.
In the VM settings this can be set per virtual drive. Select the + sign by each virtual drive and then select Advanced Features. In here you can select Enable Quality of Service management. It allows you to set the minimum and maximum number of IOPS.
If a VM tries to go beyond the maximum, it is throttled to what is set as the maximum.
On this page you can also enable virtual hard disk sharing. This allows for clustering across multiple VMs.
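The virtual Fibre Channel SAN, the per-disk IOPS limits and the shared VHDX from the two sections above, as an added example that is not part of the original notes. The VM name, SAN name, IOPS values and the C:\ClusterStorage path are placeholders; the host is assumed to have a Fibre Channel HBA and, for the shared disk, a Cluster Shared Volume.

```powershell
# Added example (not from the original notes). VM name, SAN name, IOPS and paths are placeholders.
Import-Module Hyper-V
$vmName = 'LAB-SQL01'

# Virtual Fibre Channel: build a virtual SAN from the host's FC initiator ports, then give the VM a vHBA.
$fcPorts = Get-InitiatorPort | Where-Object ConnectionType -eq 'Fibre Channel'
New-VMSan -Name 'FCSAN1' -HostBusAdapter $fcPorts | Out-Null
Add-VMFibreChannelHba -VMName $vmName -SanName 'FCSAN1'
# The two WWPN sets (A and B) are what the storage array must be zoned for.
Get-VMFibreChannelHba -VMName $vmName |
    Format-Table SanName, WorldWidePortNameSetA, WorldWidePortNameSetB -AutoSize

# Storage QoS on the first SCSI disk. Measure the workload first: IOPS are counted in
# normalized 8 KB units, and a guest that exceeds MaximumIOPS is throttled to it.
Set-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0 `
    -MinimumIOPS 500 -MaximumIOPS 2000

# Shared VHDX for guest clustering: the file must live on a CSV or an SMB 3.0 share.
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI `
    -Path 'C:\ClusterStorage\Volume1\shared-data.vhdx' -SupportPersistentReservations

Get-VMHardDiskDrive -VMName $vmName |
    Format-Table Path, MinimumIOPS, MaximumIOPS, SupportPersistentReservations -AutoSize
```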

Configure Hyper-V Virtual Switches.

This allows us to create software-based layer 2 switches. You can see which switch a VM uses via Network Adapter in the VM settings.
On the right-hand side select Virtual Switch Manager. It shows the default switch first, which can be renamed to something more appropriate.
To create a new one you have to select one of 3 types.
External: name the switch and put in your notes. Select your external network card from the drop-down list. You can then allow the management OS to share this network adapter (this is so multiple items on the virtual switch, and the host itself, can access the physical adapter). You can also select Enable single-root I/O virtualization (this can only be set when creating the switch). You can also set up VLAN identification. Select Apply and OK.
Internal: this allows the VMs to communicate with each other and the Hyper-V host. It does not by default contain an external connection (cannot access the internet or the wider network). Name the network and select other settings as before. You can add an external route if needed.
Private: does not allow communication between host and VM; only the VMs on the switch can talk to each other. Set the name as needed.

If you remove a virtual switch that is applied to a VM, the VM gives an error message when starting up. A new switch will need to be selected for the VM.

Optimize Network performance:

This works the same as for physical devices.
Select Virtual Switch Manager. For this we are looking at Enable SR-IOV.
In the settings of the VM select Network Adapter. You can enable bandwidth management, which allows you to set a minimum and maximum bandwidth. To leave the maximum unrestricted, leave the max as 0.
Under the + sign you can also enable Hardware Acceleration. These options are available when SR-IOV is selected. In this portion you have access to virtual machine queue (what priority it gets) and IPsec task offloading.

Configure MAC Address.

A MAC address always stays the same on a system even when the IP changes. A MAC must always be unique.
Hyper-V assigns a MAC address to each virtual network card. By default the MAC address is assigned dynamically. In Virtual Switch Manager there is a section called Global Network Settings that gives a minimum and maximum MAC address range. The first adapter created gets the minimum, and the others use addresses up to the maximum. You can change these to keep Hyper-V hosts from overlapping.

To Specify your MAC address.

Open the VM you need and hit + next to Network Adapter. You can then set the Advanced Features. In Advanced Features you can set the MAC address to static; the available options are dynamic and static. You can also enable MAC address spoofing. (This is used for load balancing in some instances.)
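The three switch types, the bandwidth limits and the hardware-acceleration weights from the two sections above, as an added example that is not part of the original notes. The NIC name "Ethernet 2", the switch names and the VM name are placeholders; SR-IOV only takes effect if the physical NIC and host support it.

```powershell
# Added example (not from the original notes). NIC name, switch names and VM name are placeholders.
Import-Module Hyper-V

# External: bound to a physical NIC. SR-IOV and the bandwidth mode can only be chosen at creation,
# and absolute bandwidth limits on adapters require -MinimumBandwidthMode Absolute here.
New-VMSwitch -Name 'External' -NetAdapterName 'Ethernet 2' -AllowManagementOS $true `
    -EnableIov $true -MinimumBandwidthMode Absolute | Out-Null
# Internal: VMs plus the host. Private: VMs only, the host is excluded.
New-VMSwitch -Name 'Internal' -SwitchType Internal | Out-Null
New-VMSwitch -Name 'Private'  -SwitchType Private  | Out-Null

$vmName = 'LAB-SRV01'
Connect-VMNetworkAdapter -VMName $vmName -SwitchName 'External'

# Bandwidth management: 10 Mbit/s floor; MaximumBandwidth 0 leaves the ceiling unrestricted.
Set-VMNetworkAdapter -VMName $vmName -MinimumBandwidthAbsolute 10000000 -MaximumBandwidth 0

# Hardware acceleration: VMQ weight (0 disables), IOV weight (>0 asks for a virtual function),
# and the number of IPsec security associations the NIC may offload.
Set-VMNetworkAdapter -VMName $vmName -VmqWeight 100 -IovWeight 100 `
    -IPsecOffloadMaximumSecurityAssociation 512

# Review what the adapter actually received (a VF is only assigned while the VM runs).
Get-VMNetworkAdapter -VMName $vmName |
    Format-List SwitchName, BandwidthSetting, VmqWeight, IovWeight, IovQueuePairsAssigned, Status

# A VM whose switch was deleted fails to start; find such adapters and repoint them.
Get-VM | Get-VMNetworkAdapter | Where-Object { -not $_.SwitchName } |
    Connect-VMNetworkAdapter -SwitchName 'External'
```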

Configure Network Isolation.

One way to do this is in Virtual Switch Manager: select Private.
You can also do this via VLANs in Hyper-V. In the virtual switch that is tied to a physical adapter you can select Enable virtual LAN identification. Once that is done, set the VLAN number that the virtual switch can talk on. This allows items on the same switch to see each other.
You can then set the VLAN in the Network Adapter settings of each VM. This keeps them on the same virtual switch, but they will not communicate with devices on other VLANs. (Up to 5 VMs on each VLAN.)
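The MAC range, static MAC, spoofing setting and VLAN isolation from the sections above, followed by an audit of every adapter, as an added example that is not part of the original notes. The MAC values, VLAN IDs, VM name and the management adapter name "External" are placeholders.

```powershell
# Added example (not from the original notes). MAC values, VLAN IDs and names are placeholders.
Import-Module Hyper-V

# Give each Hyper-V host its own dynamic MAC pool so two hosts never hand out the same address.
Set-VMHost -MacAddressMinimum '00155D0A0100' -MacAddressMaximum '00155D0A01FF'
Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum

$vmName = 'LAB-SRV01'
# Static MAC for a guest that needs a stable address (DHCP reservation, licensing); no separators.
Set-VMNetworkAdapter -VMName $vmName -StaticMacAddress '00155D0A0105'

# MAC spoofing lets the guest send frames with a source MAC other than its own. Keep it Off
# unless a workload such as NLB needs it, because with it On the switch port no longer
# pins the guest to its assigned address.
Set-VMNetworkAdapter -VMName $vmName -MacAddressSpoofing Off

# VLAN isolation: tag the management OS adapter on the external switch on VLAN 10 ...
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'External' -Access -VlanId 10
# ... and put the VM in access mode on VLAN 20. Both share the switch but cannot reach each other.
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId 20

# Audit: every VM adapter's MAC, whether it is dynamic, its spoofing state and its VLAN.
Get-VM | Get-VMNetworkAdapter |
    Select-Object VMName, MacAddress, DynamicMacAddressEnabled, MacAddressSpoofing,
        @{ n = 'VlanMode'; e = { (Get-VMNetworkAdapterVlan -VMNetworkAdapter $_).OperationMode } },
        @{ n = 'VlanId';   e = { (Get-VMNetworkAdapterVlan -VMNetworkAdapter $_).AccessVlanId } } |
    Format-Table -AutoSize
```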

Configure Synthetic and Legacy Adapters.

In Gen 2: under Add Hardware you see the option Network Adapter. This is a synthetic network adapter. It shows more features than in Gen 1.
In Gen 1: under Add Hardware you see Network Adapter and Legacy Network Adapter. Legacy is set up much the same as the other adapters that have been configured, but the Advanced Features of the legacy adapter do not include any of the hardware acceleration options.

Configure NIC teaming.

This allows for better performance and failover.
In Server Manager, select Local Server. Once that is done, select NIC Teaming. Select New Team under the Tasks drop-down. You can then select the adapters you want to be part of the team. (This is for a physical server.)
You can also create a virtual switch on a NIC team, which allows multiple VMs to get a performance boost.

In a VM.
First it needs two virtual switches tied to two different physical cards. In the VM make sure the secondary virtual switch is configured as a network adapter. Then go into Advanced Features and select, at the bottom, that the adapters are enabled for NIC teaming.
Once that is done, start the virtual machine. When started, open Server Manager and select Local Server. It should show the local adapters. Select them and enable NIC teaming in the same way it is configured on a physical box.
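The legacy versus synthetic adapters, the host-side team with a switch on top of it, and the guest-side teaming prerequisites from the two sections above, as an added example that is not part of the original notes. The NIC names, switch names, team name and VM name are placeholders, and the VM is assumed to be Gen 1 (the legacy adapter does not exist on Gen 2).

```powershell
# Added example (not from the original notes). NIC, switch, team and VM names are placeholders.
Import-Module Hyper-V
$vmName = 'LAB-SRV01'   # assumed Gen 1; -IsLegacy is rejected on a Gen 2 VM

# Legacy (emulated) adapter: needed for PXE boot on Gen 1 or guests without synthetic drivers.
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'External' -IsLegacy $true -Name 'Legacy PXE'
# Synthetic adapter (the default) is the one that exposes VMQ/IOV/IPsec offload settings.
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'External2' -Name 'Synthetic 2'
Get-VMNetworkAdapter -VMName $vmName | Format-Table Name, IsLegacy, SwitchName, VmqWeight -AutoSize

# Host side: team two physical NICs (this is the same cmdlet used on a physical server),
# then build an external switch on the team so VMs benefit from the aggregate links.
New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC1', 'NIC2' -TeamingMode SwitchIndependent `
    -LoadBalancingAlgorithm HyperVPort -Confirm:$false | Out-Null
New-VMSwitch -Name 'TeamSwitch' -NetAdapterName 'Team1' -AllowManagementOS $false | Out-Null

# Guest side: each VM adapter sits on a switch bound to a different physical NIC, and every
# adapter that will be teamed inside the guest must have teaming allowed here first.
Get-VMNetworkAdapter -VMName $vmName | Set-VMNetworkAdapter -AllowTeaming On
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, SwitchName, AllowTeaming

# Then, inside the running guest (not on the host):
# New-NetLbfoTeam -Name 'GuestTeam' -TeamMembers 'Ethernet', 'Ethernet 2' -TeamingMode SwitchIndependent
```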
