Core vs Non-Core
Server with GUI is the standard Windows GUI; Server Manager and the MMC consoles are supported, and all
roles can be installed.
Windows Server 2012 R2 Server Core eliminates the Start screen, Explorer, IE and the desktop.
Supported roles on server core:
AD Certificate services.
AD Domain Services.
AD Lightweight Domain Services.
AD Rights Management Services.
DHCP Server.
DNS Server.
File and Storage Services.
Hyper-V
Printer and Document Services.
Remote Access Services.
Streaming Media Services.
Web Server (IIS)
Windows Server Update Services.
Full Desktop Experience is intended for using Windows Server as a desktop OS: the standard GUI
with the traditional Start screen plus the Windows Store and Store apps.
Upgrade Methods.
Clean Install: Used for new installs and to replace old OS instances. Required when changing
from x86 to x64, when changing languages, and when converting from pre-release to full
versions.
Upgrade: Used when an existing OS requires an in-place upgrade. Supported upgrade sources: Server
2008 SP2, 2008 R2 and 2012, Standard and Datacenter editions.
License Conversion: The DISM command can migrate Windows Server to a higher edition.
Role Migration: Windows Server Migration Tools are available as an installable feature in Server
Manager (PowerShell: Install-WindowsFeature Migration). The tools must be installed on both the
source and destination machines. Migration steps differ by role. The PowerShell cmdlets
Export-SmigServerSetting and Import-SmigServerSetting bundle the items for migration.
WinSxS (Windows Side-by-Side) is the component store Windows uses to componentize the different roles,
services and features.
Configuring:
Network teaming is configured via NIC Teaming. Under Teaming you identify the adapters you want
to use. The Static and LACP teaming modes both require switch configuration; Switch
Independent does not need anything configured on the switch equipment. Set the load balancing mode to
Dynamic, Hyper-V Port (if using Hyper-V) or Address Hash.
Via Powershell.
Get-NetAdapter lists the adapters (Get-NetAdapter followed by an adapter name and | fl * shows further
details). You configure existing items with the matching Set- cmdlet and create new ones with the
matching New- cmdlet. When setting the IP with New-NetIPAddress you use -PrefixLength to set the
subnet mask. Set-DnsClientServerAddress -InterfaceAlias (Ethernet alias) -ServerAddresses (DNS servers).
New-NetLbfoTeam -Name (team name) -TeamMembers (the adapters in the team) -TeamingMode (corresponds to
the modes above) -LoadBalancingAlgorithm (matching the load balancing modes above).
help lbfo gives the information for teaming setup.
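The teaming and static-IP steps above, run end to end, as an added example that is not part of the original notes. The adapter names, team name, addresses and DNS servers are assumed values to be adjusted to the host; the host must be 2012 R2 with the NetLbfo and NetTCPIP modules present.

```powershell
# Added example (not from the notes): build a switch-independent team from two physical adapters,
# then give the team interface a static IPv4 address, gateway and DNS servers.
# 'Ethernet', 'Ethernet 2', 'Team1', the addresses and DNS servers below are assumed values.

$members = 'Ethernet', 'Ethernet 2'
Get-NetAdapter -Name $members | Format-List Name, InterfaceDescription, Status, LinkSpeed

# SwitchIndependent needs no switch-side configuration; Static or Lacp would require it.
New-NetLbfoTeam -Name 'Team1' -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false | Out-Null

# The team shows up as a new adapter; all IP settings go on it, not on the members.
$teamNic = Get-NetAdapter -Name 'Team1'

# Clear any DHCP-assigned address first so the static one does not sit beside it.
Remove-NetIPAddress -InterfaceAlias $teamNic.Name -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceAlias $teamNic.Name -Dhcp Disabled

# -PrefixLength takes the place of a dotted subnet mask: 24 is 255.255.255.0.
New-NetIPAddress -InterfaceAlias $teamNic.Name -IPAddress '192.168.0.10' -PrefixLength 24 `
    -DefaultGateway '192.168.0.1' | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $teamNic.Name -ServerAddresses '192.168.0.2', '192.168.0.3'

# Verify the result and reachability of the gateway.
Get-NetLbfoTeam -Name 'Team1' | Format-List Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetIPConfiguration -InterfaceAlias $teamNic.Name
Test-Connection -ComputerName '192.168.0.1' -Count 2
```

Run it from an elevated console on the server itself, or through a console session rather than over the network, since the address on the member adapters disappears the moment the team is created.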
Delegate Administration:
Tools, Local Security Policy, User Rights Assignment.
To create a local account go to Computer Management and then Local Users and Groups.
Services.
Services.msc shows the currently installed services.
Via the command line: sc stop (service name) stops a service; sc query shows the different services that are
installed.
Via PowerShell: Get-Service (service name) | Stop-Service, Start-Service or Suspend-Service (pause).
After adding a disk you must bring it online. Once online you can initialize the disk with
either MBR or GPT. The Volumes tab shows the partition style.
Command line: diskpart.
Basic VS Dynamic.
Basic: Can be extended only into adjacent contiguous unallocated space on the same disk.
Dynamic: Supports spanned, striped, mirrored and RAID-5 volumes. Supports an unlimited number
of volumes. Spanned volumes can extend across multiple disks.
Simple Volume: The simplest of the drive setups; a single disk.
Spanned Volume: Joins space from multiple disks to extend the volume across several drives. Loss of
one disk loses the entire volume.
Mirrored Volume: Keeps identical copies of the data on 2 disks.
Striped Volume: Stripes the data across multiple disks for faster access speed; no redundancy.
RAID-5: Requires at least 3 disks. Parity information is written across the disks so that the data can be
rebuilt after the loss of any one disk.
VHD.
Create via Action, then set a location. You can set the size. VHD supports up to 2 TB; VHDX
allows up to 64 TB and is protected against power failures. The size can be fixed or dynamic;
dynamic expands as it gets used. To attach, select Action and Attach, then select the location.
Name the virtual disk. (Storage tiers allow items to move between HDDs and SSDs: frequently
used/accessed items are moved to the SSD tier, and if an item is no longer accessed as often it is
moved back.) You can select mirrored, simple or parity. Then select Fixed or Thin provisioning.
Set the size and create. Once the disk is created you can create the volume.
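The disk and VHD steps above from PowerShell, as an added example that is not part of the original notes. Disk number 1, drive letter F: and the VHDX path are assumed values; New-VHD, Mount-VHD and Get-VHD come from the Hyper-V module, so the Hyper-V PowerShell feature must be installed.

```powershell
# Added example (not from the notes): bring a newly attached raw disk online, initialize it as GPT,
# create and format a volume, then build a dynamically expanding VHDX and do the same inside it.
# Disk number 1, drive letter F: and D:\VHDs\data01.vhdx are assumed values.

Get-Disk | Format-Table Number, FriendlyName, OperationalStatus, PartitionStyle, Size

$disk = Get-Disk -Number 1
if ($disk.IsOffline)  { Set-Disk -Number 1 -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number 1 -IsReadOnly $false }
# RAW means the disk has never been initialized; pick GPT for anything that may exceed 2 TB.
if ((Get-Disk -Number 1).PartitionStyle -eq 'RAW') { Initialize-Disk -Number 1 -PartitionStyle GPT }

New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

# Dynamic VHDX: the file grows as blocks are written; -Fixed would preallocate the full 100 GB.
$vhdPath = 'D:\VHDs\data01.vhdx'
New-Item -Path (Split-Path $vhdPath) -ItemType Directory -Force | Out-Null
New-VHD -Path $vhdPath -SizeBytes 100GB -Dynamic | Out-Null

# Attaching the VHDX surfaces it as a disk; find its number and treat it like the physical one.
Mount-VHD -Path $vhdPath
$vdiskNumber = (Get-VHD -Path $vhdPath).DiskNumber
Initialize-Disk -Number $vdiskNumber -PartitionStyle GPT
New-Partition -DiskNumber $vdiskNumber -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'VhdData' -Confirm:$false

Get-Volume | Format-Table DriveLetter, FileSystemLabel, FileSystem, SizeRemaining, Size
Dismount-VHD -Path $vhdPath
```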
Configuring IPv4
Network and Sharing Center. Select the adapter and go to Properties. This allows you to set the
addresses for both IPv4 and IPv6. If you select obtain an IP automatically you can also set an
alternate configuration. You can add an additional address via the Advanced settings. Test via
ping of the addresses you set.
Test-Connection -ComputerName (the address you set) does the same via PowerShell.
IP V4 and V6 subnetting.
IPv4 is a 32-bit addressing scheme. Subnetting for IPv6 at times may be unneeded.
IPv6 can use zero compression to remove runs of zeros and shorten the address.
IPv6.
You can get information about the address via the same commands as for IPv4 (the address family
parameter selects IPv6). Setting static addresses is the same as for IPv4.
The subnet is allocated via a prefix length in bits (IE /64).
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) enables connectivity between IPv6 and IPv4
across an intranet. It is automatically configured. The first 64 bits are a link-local, site-local or global prefix.
The next 32 bits should be 0000:5efe. The last 32 bits are the IPv4 address. (IE fe80::5efe:192.168.0.1)
DHCP process.
The DHCP client broadcasts from 0.0.0.0 to discover servers. A DHCP server responds with an offer that
contains an IP and subnet. The client takes the first offer it receives and sends a DHCP request. The server
then sends a DHCP acknowledgement. The default lease is 8 days. The client will attempt to
renew at the 50% mark. If it cannot renew the lease with that server it will broadcast the request to
any server that can renew that lease. If the lease cannot be renewed at all it will fall back
to an APIPA address.
Installing DHCP.
DISM /online /enable-feature /featurename:(feature name)
PowerShell: Install-WindowsFeature DHCP -IncludeManagementTools (this installs the admin
tools as well).
Through Server Manager: Add Roles and Features, click Next until you get to Server Roles.
Select DHCP in the roles area and select the tools if you need them.
Creating Scopes.
Select your IP type. Right-click and select New Scope. Give a name and description. Set the start and
end address (IE 192.168.0.10 to 192.168.0.20) and the subnet mask length. You can set
exclusions (which can also be a range). You can also set a delay for how long it waits to respond to
requests. The next field is the lease duration. You can then configure additional options. Once
completed you have to manually activate the scope. The wizard is the same for IPv6.
Add-DhcpServerv4Scope -Name (scope name) -StartRange (starting IP) -EndRange (ending IP)
-SubnetMask (subnet mask). The IPv6 equivalent, Add-DhcpServerv6Scope, takes a -Prefix instead of a range.
Reservations.
New reservation. Give reservation name, set which IP address to assign. You will need the MAC
Address for the machine in question.
Configure PXE.
Configure Options: option 66 (boot server host name, which is the IP of the WDS server) and
option 67 (boot file name, the name of the file from the boot server).
Authorize DHCP.
On a domain controller or DHCP server you must authorize the server to do DHCP: Manage
Authorized Servers, select Authorize, enter the name or IP address, OK, OK again. Click the server
and select OK in the list. Now it can use the scopes that were already configured.
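The whole DHCP procedure above (install, scope, exclusion, options including the PXE pair, reservation, authorization, activation) from PowerShell, as an added example that is not part of the original notes. Every name, address, MAC and the boot file path is an assumed value; the DhcpServer module is installed with the role.

```powershell
# Added example (not from the notes): install the DHCP role, create an IPv4 scope with an exclusion
# range, scope options, a reservation and the PXE options, authorize the server in AD, then activate.
# 'LAN', 192.168.0.0/24, dhcp01.corp.example, the MAC and the boot file are assumed values.

Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Create the scope inactive so nothing is handed out until options and authorization are in place.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.0.10 -EndRange 192.168.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State InActive

# Keep the low end of the range for statically addressed devices.
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0 -StartRange 192.168.0.10 -EndRange 192.168.0.20

# Scope options: default gateway and DNS, then option 66 (boot server) and 67 (boot file) for PXE/WDS.
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -Router 192.168.0.1 -DnsServer 192.168.0.2
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -OptionId 66 -Value '192.168.0.5'
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -OptionId 67 -Value 'boot\x64\wdsnbp.com'

# A reservation ties one address in the scope to a client's MAC address.
Add-DhcpServerv4Reservation -ScopeId 192.168.0.0 -IPAddress 192.168.0.50 `
    -ClientId '00-11-22-33-44-55' -Name 'print01' -Description 'Lobby printer'

# Authorization in AD is what stops an unauthorized server on the domain from answering clients.
Add-DhcpServerInDC -DnsName 'dhcp01.corp.example' -IPAddress 192.168.0.4
Set-DhcpServerv4Scope -ScopeId 192.168.0.0 -State Active

# Verify.
Get-DhcpServerInDC
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, LeaseDuration
Get-DhcpServerv4OptionValue -ScopeId 192.168.0.0 | Format-Table OptionId, Name, Value
Get-DhcpServerv4Reservation -ScopeId 192.168.0.0 | Format-Table IPAddress, ClientId, Name
```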
Installing DNS.
Manage, Add Roles and Features, select DNS. On a domain controller DNS is already
installed.
From the command line: DISM /online /enable-feature /featurename:DNS-Server-Full-Role
PowerShell: Install-WindowsFeature DNS -IncludeManagementTools will include the GUI.
To open the tool: Server Manager, Tools, DNS.
DC Zones.
Forward lookup zones: find the IP via the name.
Properties contains Status and Type (IE Active Directory integrated, which stores the zone data in Active
Directory and so gets its fault tolerance). You can also change the replication scope, which controls
which other DNS servers the zone is replicated to.
Dynamic Updating: Secure only means a client must be authenticated before updating a DNS record.
Reverse lookup zones: find the name via the IP. Set up the same as forward lookup zones. It will then
ask for IPv4 or IPv6 and then the network ID (IP address) of the network that the reverse lookup
can be done on.
Create Zones.
New Zone, then answer what kind of zone. Primary makes this DNS server hold the read/writable copy
that can be modified as needed. ADI keeps the data more secure and makes it harder to obtain
the information. Name the zone as needed. Secure only dynamic updates means a system
must be authenticated before updates can be made. Allow both nonsecure and secure means that other
items can update as well.
Creating an A-record
When you create it the FQDN is filled in automatically based on the name of the item (IE
client.mydomain.com). After creating the record you may need to flush DNS.
When created as a non-ADI zone the system creates a file on the server located at
%SystemRoot%\System32\dns. There will be a text file named the same as the DNS zone.
Stub Zone.
New Zone, select Stub Zone, enter the zone name from the other DNS server, and enter its IP address. A stub
zone holds only the name server records for the zone you point it at and replies with the information found there.
Configure forwarders.
Forwarders pass a request along to another server that might be better equipped to
handle the request.
Right-click, Properties, Forwarders, select Edit and then set the IP of the targeted DNS server.
Interfaces shows the different IP addresses available. You can set which IPs respond by
selecting Only the following and then selecting the IP that should respond.
Event Logging lets you set which events get logged. You can access these via Global Logs
in the DNS Manager to show only DNS issues or events.
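The DNS configuration covered above (install, ADI forward and reverse zones with secure-only updates, an A record with PTR, a stub zone, forwarders, listening interfaces, verification and the event log) from PowerShell, as an added example that is not part of the original notes. Zone names, addresses and upstream resolvers are assumed values; dnscmd is used for the listen addresses because that setting is not exposed by the 2012 R2 DnsServer cmdlets.

```powershell
# Added example (not from the notes): configure a DNS server the way the notes describe and verify it.
# corp.example, partner.example, 192.168.0.0/24, 192.168.0.2 and the upstream resolvers are assumed values.

Install-WindowsFeature -Name DNS -IncludeManagementTools

# ReplicationScope Domain stores the zone in AD (ADI) and replicates it to every DNS DC in the domain;
# DynamicUpdate Secure means only authenticated domain members can register or change records.
Add-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# -CreatePtr also writes the matching PTR into the reverse zone created above.
Add-DnsServerResourceRecordA -ZoneName 'corp.example' -Name 'client' -IPv4Address '192.168.0.60' -CreatePtr

# Stub zone: only the SOA/NS/glue records of a zone hosted on another server.
Add-DnsServerStubZone -Name 'partner.example' -MasterServers '10.0.0.53' -ReplicationScope Domain

# Forwarders take every query this server is not authoritative for (documentation-range placeholders).
Set-DnsServerForwarder -IPAddress '192.0.2.53', '192.0.2.54'

# Answer queries only on the address meant for DNS (equivalent of Interfaces > Only the following).
dnscmd /ResetListenAddresses 192.168.0.2

# Verify zones, flush the local resolver cache, then resolve forward and reverse.
Get-DnsServerZone | Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
Clear-DnsClientCache
Resolve-DnsName -Name 'client.corp.example' -Server '192.168.0.2'
Resolve-DnsName -Name '192.168.0.60' -Type PTR -Server '192.168.0.2'

# The DNS Server event log holds zone load, replication and update failures.
Get-WinEvent -LogName 'DNS Server' -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```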
Domain controller.
These hold the AD information. A minimum of 2 is required for a domain.
Global Catalogue.
This is what allows clients to log in. Common practice is to configure every DC as a global
catalogue server.
Organizational Unit.
Designed as a way to separate user accounts and computers. This is for the benefit of IT
alone. Used to better assist with the administration of Group Policy.
FSMO Roles.
Schema Master: Performs updates to the AD schema, including adprep /forestprep and other
applications that must modify the AD schema.
Domain Naming Master: Responsible for the naming of domains and application partitions. Must
be online.
PDC Emulator: Manages password changes for computer and user accounts on replica domain
controllers. Target DC for Group Policy updates and for legacy applications. Must be
online and accessible at all times. Tends to also be the timekeeper for the domain and forest.
RID Master: Allocates active and standby RID pools. Generally on the forest root PDC.
Infrastructure Master: Updates cross-domain references. In a single-domain forest the IM can be
placed on any DC. In a multiple-domain forest the IM is not put on a Global Catalog, unless all
DCs are Global Catalogs.
Add Roles and Features. Find and install Active Directory Domain Services and all other AD
tools.
PowerShell: Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Promoting the server. Choose whether you are installing a new forest, a new domain in an existing forest, or a domain
controller in an existing domain (a child domain matches the naming scheme of its parent; a tree is independent).
Select the forest and domain functional level (2008, 2008 R2, 2012 or 2012 R2). This is
determined by restrictions on the applications that may run on the domain. Select whether the server should
be a DNS server and a Global Catalog; the first server will need to be a Global Catalog. Set the
Directory Services Restore Mode password. This is set once and is used to do an
authoritative restore of the domain's information. Specify the DNS delegation options, which
allow you to create a username and password for the DNS admin. Set the NetBIOS domain name; it will
usually be your domain name without the .suffix. Determine the database, log and SYSVOL folder
locations. Next runs the prerequisite checks and determines whether the install can complete.
View Script shows the commands needed to run this within PowerShell.
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:($true or $false) `
    -DatabasePath "(location of the database you want to use)" `
    -DnsDelegationCredential (Get-Credential) `
    -DomainMode "(IE Win2012R2)" `
    -DomainName "(your domain name)" `
    -DomainNetbiosName "(first part of the domain name)" `
    -ForestMode "(same as DomainMode)" `
    -InstallDns:($true or $false) `
    -SysvolPath "(same style as the database path)" `
    -Force:($true or $false)
Creating Template.
Usually named _Template (or a desired name). The account can be created with the password not
expiring and never changing, and disabled. From there add group membership as needed. Usually use
%username% in the profile path (IE \\server\%username%).
Automate Creation of AD
Get-ADComputer
New-ADComputer or Remove-ADComputer.
Add-Computer or Remove-Computer (join or unjoin the local computer; these and New-ADComputer perform much the same
tasks).
Get-ADUser
New-ADUser or Remove-ADUser
Manage inactive and Disabled Accounts.
You can check on inactive accounts via PowerShell: Get-ADUser -Filter * (to show all) -Properties
LastLogonDate | ft Name, LastLogonDate.
Check disabled accounts via Get-ADUser -Filter {Enabled -ne $true}, which shows the accounts that are
disabled.
Search-ADAccount lets you check on the different states of an account (inactive, disabled, locked out, expired)
without writing the filters by hand.
Convert Groups.
You can convert domain local groups and global groups to universal groups, or a universal group
to a global or domain local group.
You cannot convert domain locals directly to globals or globals directly to domain locals.
Via PowerShell you can convert using: Get-ADGroup "(group name)" | Set-ADGroup
-GroupScope (the wanted scope). The same command works with -GroupCategory to set
Security or Distribution.
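The account automation, the inactive and disabled account checks, and the group scope conversion from the three sections above, as one added example that is not part of the original notes. The domain, OU, user and group names and the 90-day threshold are assumed values; the constructed list of users stands in for what Import-Csv would produce.

```powershell
# Added example (not from the notes): create users from a list, review inactive and disabled accounts,
# and change a group's scope and category. corp.example, OU=Staff, jdoe, bsmith and App-Readers are assumed.

Import-Module ActiveDirectory
$ou = 'OU=Staff,DC=corp,DC=example'

# Constructed sample input; Import-Csv -Path users.csv would yield objects of the same shape.
$newUsers = @(
    [pscustomobject]@{ Sam = 'jdoe';   Given = 'Jane'; Surname = 'Doe';   Dept = 'Finance' },
    [pscustomobject]@{ Sam = 'bsmith'; Given = 'Bob';  Surname = 'Smith'; Dept = 'IT' }
)

# Prompt once for the initial password; each new account must change it at first logon.
$initial = Read-Host -AsSecureString 'Initial password for new accounts'
foreach ($u in $newUsers) {
    New-ADUser -Name "$($u.Given) $($u.Surname)" -SamAccountName $u.Sam `
        -GivenName $u.Given -Surname $u.Surname -Department $u.Dept `
        -UserPrincipalName "$($u.Sam)@corp.example" -Path $ou `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
}

# Last logon for every user. LastLogonDate comes from the replicated lastLogonTimestamp, which is
# refreshed only about every 14 days, so it is approximate by design.
Get-ADUser -Filter * -Properties LastLogonDate | Format-Table Name, LastLogonDate

# Disabled accounts via a filter.
Get-ADUser -Filter { Enabled -eq $false } | Select-Object Name, SamAccountName

# Accounts idle for 90 days or more via Search-ADAccount; -WhatIf shows what Disable-ADAccount would do.
$inactive = Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly
$inactive | Select-Object Name, LastLogonDate
$inactive | Disable-ADAccount -WhatIf

# Other states Search-ADAccount reports without a hand-written filter.
Search-ADAccount -LockedOut | Select-Object Name
Search-ADAccount -AccountExpired | Select-Object Name

# Scope change. DomainLocal -> Universal is a direct conversion; DomainLocal -> Global is not,
# so the second step goes Universal -> Global. -GroupCategory switches security/distribution.
Set-ADGroup -Identity 'App-Readers' -GroupScope Universal
Set-ADGroup -Identity 'App-Readers' -GroupScope Global
Set-ADGroup -Identity 'App-Readers' -GroupCategory Distribution
Get-ADGroup -Identity 'App-Readers' | Format-List Name, GroupScope, GroupCategory
```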
Configuring WinRM
On Server 2012 R2 this feature is on by default. It is a web service on HTTP and HTTPS, with HTTP on the
default port 5985. Make sure the WinRM service is started and set to
start type Automatic. Create a listener on TCP 5985. You will also need a firewall
exception.
Command: winrm quickconfig
PowerShell: Enable-PSRemoting
Non-member Management.
You need to know a set of local credentials that will work on the server you want to manage.
From the GUI: right-click the server you want to manage and select alternate credentials (Manage As).
From PowerShell: Invoke-Command -ComputerName (server name) -Credential
(Get-Credential) -ScriptBlock {(the command you want to run)}; it will then ask for the username and
password.
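The WinRM setup and the non-member management steps above as one added example, not part of the original notes. The host name srv01 is assumed. The second half runs on the management host: because a workgroup server cannot be authenticated through Kerberos, WinRM refuses to send credentials to it until it is listed in TrustedHosts, and that list should name only the hosts actually managed.

```powershell
# Added example (not from the notes): enable remoting on a managed server, then manage it from a
# host that is not in the same domain using its local credentials. 'srv01' is an assumed host name.

# --- On the server being managed (elevated console) ---
# Enable-PSRemoting starts WinRM, sets it to Automatic, creates the HTTP listener on 5985
# and enables the "Windows Remote Management" firewall rules; same result as winrm quickconfig.
Enable-PSRemoting -Force
Get-CimInstance Win32_Service -Filter "Name='WinRM'" | Select-Object Name, State, StartMode
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Select-Object DisplayName, Enabled, Profile

# --- On the management host ---
# Trust exactly this server (never '*'); -Concatenate keeps entries already in the list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'srv01' -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Value

$cred = Get-Credential -Message 'Local administrator on srv01'

# Confirm the WinRM endpoint answers before running anything.
Test-WSMan -ComputerName srv01 -Credential $cred -Authentication Negotiate

# One-off command with explicit credentials.
Invoke-Command -ComputerName srv01 -Credential $cred -ScriptBlock {
    Get-Service | Where-Object Status -eq 'Running' | Select-Object -First 5 Name, DisplayName
}

# A persistent session avoids re-authenticating for every command.
$s = New-PSSession -ComputerName srv01 -Credential $cred
Invoke-Command -Session $s -ScriptBlock { hostname; (Get-Date).ToUniversalTime() }
Remove-PSSession $s
```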
Creating Shares.
To start the share, select Manage, Add Roles and Features. Select File and iSCSI Services. Select File
Server and any other needed options. BranchCache stores files locally so they can be accessed
offline.
Server for NFS supports Unix systems accessing the files.
Go into File and Storage Services. You can create the share via Volumes as well as via Shares. Under
Tasks you have the ability to create a new share.
SMB Share - Quick: this basic profile is the fastest way to create an SMB file share,
typically to share files with Windows-based computers. Suitable for general file sharing;
advanced options can be configured later.
You can then select a volume or a custom path, then name the share (IE
\\fileserve\share). You will then have more advanced options on the following page.
Select user access, then click Create.
From Powershell.
-Smb is the prefix for this cmdlet set.
To check permissions: Get-SmbShareAccess -Name (share name)
New-SmbShare -Path (IE C:\share) -Name (the name you want) -ReadAccess (who will have read-only
access, IE Everyone) -FullAccess (who will have full access to the share)
From Explorer.
Find the target folder. Right-click the folder, select Properties, select Sharing, and select Advanced Sharing if needed.
Set the share name and the number of simultaneous users if needed. Click Permissions to set who can
access the share.
Options can be controlled via Control Panel, Network and Sharing Center. You can turn network
discovery on or off. Ensure that file and printer sharing is turned on. You can then determine whether
you want public sharing or not.
Connecting to Shares.
From a client you can create shares using Server Manager the same way you would set up
the shares from the server.
From PowerShell via the client:
New-SmbShare -CimSession (server name) -Path (IE C:\share) -Name (the name you want)
-ReadAccess (who will have read-only access, IE Everyone) -FullAccess (who will have full access
to the share)
New-SmbMapping maps a drive to a server share:
New-SmbMapping -LocalPath (drive letter, IE F:) -RemotePath (\\address\folder)
You can remove the mapping with Remove-SmbMapping.
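The share creation, permission check, remote creation and drive mapping from the sections above, as one added example that is not part of the original notes. Server, folder, share and group names are assumed values. The NTFS step is included because share permissions only gate the SMB entry point; the folder ACL still decides what a connected user can do.

```powershell
# Added example (not from the notes): create a share with separate read and full access, inspect the
# share permissions, align the NTFS ACL, create a share remotely from a client, then map and unmap.
# fs01, C:\Shares\Projects, D:\Archive, CORP\Domain Users and CORP\Project-Admins are assumed values.

New-Item -Path 'C:\Shares\Projects' -ItemType Directory -Force | Out-Null

# Share-level permissions; access-based enumeration hides entries a user cannot open.
New-SmbShare -Name 'Projects' -Path 'C:\Shares\Projects' `
    -ReadAccess 'CORP\Domain Users' -FullAccess 'CORP\Project-Admins' `
    -FolderEnumerationMode AccessBased | Out-Null
Get-SmbShareAccess -Name 'Projects' | Format-Table AccountName, AccessControlType, AccessRight

# NTFS: give the admins group Modify on the folder tree; the effective right is the more restrictive of the two.
$acl  = Get-Acl -Path 'C:\Shares\Projects'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Project-Admins', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'C:\Shares\Projects' -AclObject $acl

# The same cmdlet run from a client against the server through a CIM session.
$cim = New-CimSession -ComputerName 'fs01'
New-SmbShare -CimSession $cim -Name 'Archive' -Path 'D:\Archive' -ReadAccess 'CORP\Domain Users' | Out-Null
Get-SmbShare -CimSession $cim | Format-Table Name, Path, Description
Remove-CimSession $cim

# Map a drive letter to the share, list mappings, then remove the mapping.
New-SmbMapping -LocalPath 'F:' -RemotePath '\\fs01\Projects' -Persistent $true | Out-Null
Get-SmbMapping | Format-Table LocalPath, RemotePath, Status
Remove-SmbMapping -LocalPath 'F:' -Force
```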
Offline Files.
Offline files are enabled by default. Open Properties, Advanced Sharing and select Caching. In Caching
you can choose: only the files and programs that users specify are available offline; no files or programs
are available offline; or all files and programs are available offline.
Terminology.
The physical device is the Print Device.
The Print Server is the server managing the print devices.
Printer Pools can handle multiple print devices.
The Printer is the software object on the server.
The Printer Driver is the component that communicates with the print device.
The Print Queue handles the sending and priority of print jobs.
The Easy Print driver allows printing via Remote Desktop or Terminal Services. It is configured via
Group Policy.
Printer Pooling.
This allows you to point a printer at multiple print devices by adding extra ports. The print
devices need to be able to use the same driver.
Open the Print Management console. Select Printers and open the target printer's Properties.
From here you can see the general settings, sharing and ports. Under the settings you can see the
driver for the printer.
Under Ports you can select Add Port (these can be local, IP and ThinPrint). At the bottom
of the page there is a checkbox that says Enable printer pooling.
Printer Permissions.
By default everyone can print and view printers.
From Print Management, right-click the print server and select Properties. Select Security and
you can see the access levels of the basic groups defined.
You can also control individual printers via the same rough steps: right-click, select Properties
and select Security. From here you can define user access the same way you define access to a
share or print server.
Group Policy.
Not intended to be the management tool for servers; meant to manage users.
The Group Policy Container lives in Active Directory and stores attributes. It can be found within
ADUC: View, Advanced Features, then System, Policies. It shows any existing group policies.
The Group Policy Template holds the settings and exists in SYSVOL. It holds the content of the
policy itself. It can be found under \\Name\SYSVOL\name.
Group Policy Object: this is the combination of the container and template. It is split
between Computer Configuration, which manages computer settings (IE HKEY_LOCAL_MACHINE), and
User Configuration (IE HKEY_CURRENT_USER), which determines user settings.
OUs are the primary area a GPO gets linked to.
When created, a GPO contains both the User and Computer Configuration sides.
To create a Central Store for .admx and .adml files, create a folder named
PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\Policies
Starter GPO.
A starter GPO can be used as the starting point when creating a new policy.
It can be created from the Group Policy Management console by right-clicking Starter GPOs and
creating a new one. A starter GPO is limited to the administrative templates. These can also be
exported as a .cab file that can be given to another person/system.
From PowerShell:
New-GPStarterGPO
New-GPO
gpupdate /force forces a Group Policy update on whatever computer is needed. You can then run
gpresult /r to see the GPOs that are being applied.
You can then check the audit policy: typing auditpol /get /category:* in cmd shows all audit
policies.
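The Group Policy pieces above (central store, starter GPO, GPO, OU link, a Computer Configuration setting under HKLM, refresh and reporting) as one added example that is not part of the original notes. Domain, OU and GPO names are assumed values; the AutoRun registry value is a real Explorer policy used here only as a representative computer-side setting.

```powershell
# Added example (not from the notes): central store, starter GPO, GPO from it, OU link, one HKLM-side
# setting, then refresh and report. corp.example, OU=Workstations and the GPO names are assumed values.

Import-Module GroupPolicy
$domain  = (Get-ADDomain).DNSRoot
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Central store: seed it once from the local template set; the GPMC then reads .admx/.adml from SYSVOL.
if (-not (Test-Path $central)) {
    Copy-Item -Path "$env:SystemRoot\PolicyDefinitions" -Destination $central -Recurse
}

# Starter GPO (administrative templates only), then a real GPO created from it and linked to an OU.
New-GPStarterGPO -Name 'Baseline-Starter' -Comment 'Administrative template baseline' | Out-Null
$gpo = New-GPO -Name 'Workstation-Baseline' -StarterGpoName 'Baseline-Starter'
$gpo | New-GPLink -Target 'OU=Workstations,DC=corp,DC=example' -LinkEnabled Yes | Out-Null

# A Computer Configuration setting lands under HKLM on the client: disable AutoRun on all drive types.
Set-GPRegistryValue -Name 'Workstation-Baseline' `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# Readable report of everything the GPO sets.
Get-GPOReport -Name 'Workstation-Baseline' -ReportType Html -Path "$env:TEMP\Workstation-Baseline.html"

# On a client in that OU: force a refresh, list the applied GPOs, and show the effective audit policy.
gpupdate /force
gpresult /r /scope:computer
auditpol /get /category:*
```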
Blacklisting VS Whitelisting.
Blacklisting (IE AV software) stops specific things from running on your system. It requires
constant updating of the blacklist to keep things from getting through it.
Whitelisting is an explicit list of items that are allowed to run on a system; everything else is blocked.
Configure Applocker.
Create a GPO as normal.
Select Windows Settings, Security Settings, then Application Control Policies and then AppLocker.
It allows you to select from the rule collections that AppLocker has, and to set each to Enforce
or Audit only.
Packaged app rules only work on Windows 8 and above (no confirmation on 10 yet).
DLL rules can affect system performance.
In Executable Rules you can select Create Default Rules. This creates rules that allow the
Windows folder and Program Files folders. Default rules can also be created for Windows Installer,
script and packaged app rules.
In Create New Rule under Executable Rules you select Allow or Deny, then Permissions to set
who (or what groups) this rule applies to. File path and file hash rules still have the same pros and
cons. New rules include publisher rules.
Publisher rules let you set a reference file and will populate the publisher name, product name, file name
and file version. You can then adjust the slider to how specific you want to be
when setting this. The hierarchy is: Publisher, Product Name, File Name, File Version. As
you go down the list the rule becomes more specific. You can then enter exceptions to the
publisher rule, which let you set items that are denied even if they pass the publisher
check.
Deploy Applocker.
Once all needed items have been set you can link it to an OU. Make sure that the Application
Identity service is running; if it is not, AppLocker will not enforce.
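The AppLocker configuration and deployment above from PowerShell, as an added example that is not part of the original notes: publisher rules are generated from signed files and hash rules from unsigned ones, every collection is switched to audit mode before it reaches a GPO, and the Application Identity service is confirmed running. The application folder, GPO name and test path are assumed values.

```powershell
# Added example (not from the notes): build an AppLocker policy from one application's executables,
# set all rule collections to AuditOnly, test it, publish it into a GPO, start AppIDSvc, read audit events.
# 'C:\Program Files\Contoso App', app.exe and the GPO 'AppLocker-Audit' are assumed values.

Import-Module AppLocker

# Collect publisher and hash information for the executables; -Optimize merges overlapping rules.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso App' -Recurse -FileType Exe
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User 'Everyone' -RuleNamePrefix 'ContosoApp' -Optimize

# Audit mode first: matching events are logged, nothing is blocked, so gaps in the rules surface safely.
[xml]$xml = $policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xmlPath = "$env:TEMP\applocker-audit.xml"
$xml.Save($xmlPath)

# Dry-run the policy against a file before publishing.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path 'C:\Program Files\Contoso App\app.exe' -User 'Everyone'

# Publish into an existing GPO; -Merge keeps rules already there (for example the default rules).
$gpoPath = "LDAP://$((Get-GPO -Name 'AppLocker-Audit').Path)"
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoPath -Merge

# AppLocker does nothing unless the Application Identity service is running on the client.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc | Select-Object Name, Status

# Audit-mode hits: event 8003 means the file would have been blocked under enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Message -Wrap

# The policy actually in effect on this machine after Group Policy refresh.
Get-AppLockerPolicy -Effective -Xml
```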
Firewall Foundations.
By standard, services listen on well-known ports (IE HTTP on tcp/80). Dynamic ports are opened when a PC or server makes a
request; these are usually high numbered and tend to close when the client drops the connection.
You can configure both outbound and inbound rules when configuring firewall rules. Servers
tend to need to be configured differently, since an outbound rule on the PC matches an inbound rule on the
server, and so on.
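The listening-port versus dynamic-port distinction above, and an inbound server rule, as an added example that is not part of the original notes. The rule name and profile are assumed values.

```powershell
# Added example (not from the notes): allow inbound HTTP on a server with a narrow rule, inspect it,
# and contrast the fixed listening ports with the dynamic ports of client-side connections.
# The rule name and the Domain profile are assumed values.

New-NetFirewallRule -DisplayName 'Allow HTTP inbound' -Direction Inbound -Protocol TCP -LocalPort 80 `
    -Action Allow -Profile Domain -Enabled True | Out-Null

# Show what the rule actually matches on.
Get-NetFirewallRule -DisplayName 'Allow HTTP inbound' |
    Get-NetFirewallPortFilter | Format-Table Protocol, LocalPort, RemotePort

# Services wait on fixed ports in the Listen state.
Get-NetTCPConnection -State Listen | Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, OwningProcess

# Client-side dynamic ports appear as LocalPort on Established connections and go away when they close.
Get-NetTCPConnection -State Established |
    Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

# The range Windows draws those dynamic ports from.
Get-NetTCPSetting | Select-Object SettingName, DynamicPortRangeStartPort, DynamicPortRangeNumberOfPorts
```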
Installing Hyper-V
Hyper-V can be installed as a role in 2012 R2 or you can install the standalone Hyper-V Server.
From PowerShell: Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
Server Manager, Manage, Add Roles and Features, select the server you want. Then select
Hyper-V from the list of roles available. Select whether you want to include the management tools, then
click Next, then Next. Specific to Hyper-V, it requires a network for the guest machines to
work on (it is suggested that you have multiple NICs on the server Hyper-V runs on). It then asks
whether you want to set up virtual machine migration (this can be adjusted later), then asks for the
locations to store the Hyper-V files. (The default location is
C:\ProgramData\Microsoft\Windows\Hyper-V for the virtual machine configuration files and
C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks for the virtual hard disks.)
You can then select Next and start the install with or without an automatic restart.
RemoteFX allows a GPU to be used to render graphics rather than the CPU. To set this up you
first need a graphics card. It must be at least DX11 compatible, and the CPU must support SLAT.
Once that is done you need to install the Remote Desktop Services role service Remote Desktop
Virtualization Host via Add Roles and Features.
Once that is completed, a Gen 1 VM can then get the adapter via Add Hardware and selecting RemoteFX 3D Video Adapter
from the list.
Gen 2 VMs can access this feature via setting Physical Graphics.
Manage Checkpoints.
A checkpoint captures the current state, data and configuration of the VM. You can also merge
checkpoints. A pass-through disk cannot be checkpointed.
To create a checkpoint, right-click the VM and select Checkpoint.
To use a checkpoint, right-click the checkpoint you want and select Apply. It will
warn you that you will lose any changes. Checkpoints are not meant to be
used as a backup; a backup system is still needed.
When deleting you can select Delete Checkpoint for a specific checkpoint or Delete Checkpoint Subtree (this
removes a checkpoint and any underneath it).
If you remove a virtual switch that is assigned to a VM, it will give an error message when starting
up. A new switch will need to be selected for the VM.
In a VM.
First it needs virtual switches tied to two different physical cards. In the VM make sure the
secondary virtual switch is configured as a network adapter. Then go into Advanced Features
and at the bottom select that the adapter is enabled for NIC teaming.
Once that is done, start the virtual machine. When started, open Server Manager and
select the local server. It should show the local adapters. Select and enable NIC Teaming
in the same way it is configured on a physical box.
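The checkpoint lifecycle, the missing-switch recovery and the guest NIC teaming preparation from the two sections above, as one added example that is not part of the original notes. VM, checkpoint and switch names are assumed values; everything runs on the Hyper-V host.

```powershell
# Added example (not from the notes): create, list, apply and delete checkpoints; reconnect a VM whose
# virtual switch was deleted; and allow the guest's adapters to be teamed inside the VM.
# 'web01', 'External-1' and 'External-2' are assumed names.

Import-Module Hyper-V
$vm = 'web01'

# Named checkpoint before a risky change. It is not a backup: it lives on the same host and storage.
$name = "pre-patch $(Get-Date -Format 'yyyyMMdd-HHmm')"
Checkpoint-VM -Name $vm -SnapshotName $name
Get-VMSnapshot -VMName $vm | Format-Table Name, CreationTime, ParentSnapshotName

# Apply (revert to) the checkpoint: the VM's current state is discarded, exactly what the GUI warns about.
Restore-VMSnapshot -VMName $vm -Name $name -Confirm:$false

# Delete only this checkpoint (its differencing disk is merged into the parent) ...
Remove-VMSnapshot -VMName $vm -Name $name
# ... or the whole subtree beneath a checkpoint:
# Remove-VMSnapshot -VMName $vm -Name 'older-checkpoint' -IncludeAllChildSnapshots

# A VM whose switch was removed shows an adapter with an empty SwitchName; attach it to another switch.
Get-VMNetworkAdapter -VMName $vm | Format-Table Name, SwitchName, Status, MacAddress
Get-VMNetworkAdapter -VMName $vm | Where-Object { -not $_.SwitchName } |
    Connect-VMNetworkAdapter -SwitchName 'External-1'

# Guest NIC teaming: a second adapter on a switch bound to a different physical NIC, teaming allowed on both.
Add-VMNetworkAdapter -VMName $vm -SwitchName 'External-2' -Name 'Team NIC 2'
Set-VMNetworkAdapter -VMName $vm -AllowTeaming On
Get-VMNetworkAdapter -VMName $vm | Format-Table Name, SwitchName, AllowTeaming

# Inside the guest the team is then built exactly as on a physical host:
# New-NetLbfoTeam -Name 'GuestTeam' -TeamMembers 'Ethernet', 'Ethernet 2' -TeamingMode SwitchIndependent
```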