Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Module 1
Review Questions
Real-world Issues and Scenarios
• Tools
Microsoft Official Course
®
Module 2
Root Domain
Top-Level
Domain net com org
Second-Level
Domain contoso
Subdomain
west south east
Same Unique
Subdomain
Namespace Namespace
Public
Public DNS
DNS Public
Public DNS
DNS Public
Public DNS
DNS
Namespace
Namespace Namespace
Namespace Namespace
Namespace
Internal
Internal Internal
Internal Internal
Internal
Namespace
Namespace Namespace
Namespace Namespace
Namespace
Unique namespace:
• Record synchronization is not required
• Existing DNS infrastructure is unaffected
• Clearly delineates between internal and external DNS
Subdomain:
• Record synchronization is not required
• Contiguous namespace is easy to understand
Demonstration: Installing the DNS Server Role
DNS
DNS Server
Server
Subnet 2
DNS
DNS Zone
Zone
DNS
DNS Client
Client
Subnet 1
DNS
DNS Client
Client
DNS
DNS Server
Server
Subnet 3
DNS
DNS Zone
Zone
DNS
DNS Client
Client
Lesson 2: Configuring the DNS Server Role
Root “.”
Resource
Record
.com
.edu
Resource
Record
• An authoritative DNS server for the namespace will do one of the following:
• Return the requested IP address
• Return an authoritative “No”
• A nonauthoritative DNS server for the namespace will do one of the following:
• Check its cache
• Use forwarders
• Use root hints
DNS Resource Records
DNS Servers
Root Hints
com
DNS Server
microsoft
Client
What Is Forwarding?
Iterative Query
Forwarder Root Hint (.)
Ask .com
Iterati
v e Qu
ery
ry
A sk c
ue
ontos .com
o.com
eQ
.11
Iter
v
.0
rsi
ativ
07
Aut eQ
cu
hor ue r
1.1
Re
itat y
ive
13
131.1 Res
07.0. pon
11 se
Recur
siv
mail1. e Query fo contoso.com
conto r
so.com
Local DNS Server Client
How DNS Server Caching Works
Where’s
ServerA is at
ServerA?
131.107.0.44
ServerA
Client1
ServerA is at
Where’s
Client2 131.107.0.44
ServerA?
Demonstration: Configuring the DNS Server Role
.com
.com
microsoft.com
domain
microsoft.com
www.microsoft.com
microsoft.com zone
WWW ftp.microsoft.com
example.microsoft.com
FTP Zone file
De
leg
tea
d
example.microsoft.com
zone .exa mple
WWW
m p le example.microsoft.com
a
.ex
FTP www.example.microsoft.com
Zone file ftp.example.microsoft.com
What Are the DNS Zone Types?
Zones Description
Namespace: training.contoso.com
DNS Client2 = ?
192.168.2.46 = ?
DNS Client3
DNS Client1
DNS Client2
Overview of Stub Zones
DNS server
DNS server
Contoso.com
(Root domain)
fabrikam.com
DNS server DNS server
DNS server
na.contoso.com sa.contoso.com
na.fabrikam.com
DNS server DNS server
ny.na.contoso.com rio.sa.contoso.com
Demonstration: Creating Zones
DNS
DNS Server
Server
Contoso.com
DNS
DNS
Zone
Zone
DNS
DNS sub
sub
domain
domain
Sales
DNS
DNS
Zone
Zone
DNS
DNS Server
Server
Marketing
Lesson 4: Configuring DNS Zone Transfers
Feature Description
Indicates how long a DNS record will
TTL
remain valid
Occurs when records that have been
Aging inserted into the DNS server reach their
expiration and are removed
Performs DNS server resource record
Scavenging
grooming for old records in DNS
Demonstration: Managing DNS Records
Module 3
Overview of AD DS
Implementing Virtualized Domain Controllers
Implementing Read-Only Domain Controllers
Administering AD DS
• Managing the AD DS Database
Lesson 1: Overview of AD DS
Overview of AD DS Components
Understanding AD DS Forest and Schema Structure
• Understanding AD DS Domain Structure
Overview of AD DS Components
• Sites
• Organizational units
Understanding AD DS Forest and Schema Structure
Forest Root
Domain
Tree Root
Domain
adatum.com
fabrikam.com
atl.adatum.com
Understanding AD DS Domain Structure
DcCloneConfig.xml to
AD DS database
location
Export the VDC Import the VDC
Managing Virtualized Domain Controllers
• To deploy an RODC:
1. Ensure there is no computer account in AD DS for the
new RODC
2. Precreate the RODC account in AD DS in the Domain
Controllers container
3. Run the AD DS installation wizard on the new RODC
Managing RODC Credential Caching
• Authoritative restore
• Restore domain controller to previously known good state
• Mark objects that you want to be authoritative
• Domain controller is updated from its up-to-date-partners
• Domain controller sends authoritative updates to its partners
Domain Partition
Configuration
Partition
Schema Partition
AD DS
DC Database
Application
Partitions (optional)
What Is NTDSUtil?
Delete
Garbage
collect
Live Tombstoned Physically
deleted
Reanimate tombstone/
authoritative restore
Configuring the Active Directory Recycle Bin
Module 3
Overview of AD DS
Implementing Virtualized Domain Controllers
Implementing Read-Only Domain Controllers
Administering AD DS
• Managing the AD DS Database
Lesson 1: Overview of AD DS
Overview of AD DS Components
Understanding AD DS Forest and Schema Structure
• Understanding AD DS Domain Structure
Overview of AD DS Components
• Sites
• Organizational units
Understanding AD DS Forest and Schema Structure
Forest Root
Domain
Tree Root
Domain
adatum.com
fabrikam.com
atl.adatum.com
Understanding AD DS Domain Structure
DcCloneConfig.xml to
AD DS database
location
Export the VDC Import the VDC
Managing Virtualized Domain Controllers
• To deploy an RODC:
1. Ensure there is no computer account in AD DS for the
new RODC
2. Precreate the RODC account in AD DS in the Domain
Controllers container
3. Run the AD DS installation wizard on the new RODC
Managing RODC Credential Caching
• Authoritative restore
• Restore domain controller to previously known good state
• Mark objects that you want to be authoritative
• Domain controller is updated from its up-to-date-partners
• Domain controller sends authoritative updates to its partners
Domain Partition
Configuration
Partition
Schema Partition
AD DS
DC Database
Application
Partitions (optional)
What Is NTDSUtil?
Delete
Garbage
collect
Live Tombstoned Physically
deleted
Reanimate tombstone/
authoritative restore
Configuring the Active Directory Recycle Bin
Module 4
• CSVDE.exe
• CSVDE.exe
Import
• CSVDE.exe
• csvde –i -f filename [-k]
• i. Import–default mode is export
• k. Continue past errors (such as Object Already Exists)
• LDIFDE.exe
Import
• LDIFDE.exe
• ldifde [-i] [-f filename] [-k]
• i. Import–default mode is export
• k. Continue past errors (such as Object Already
Exists)
• Windows
PowerShell
Import
Module 5
A GPO is:
• A container for one or more policy settings
• Managed with the GPMC
• Stored in the GPOs container
• Edited with the GPME
• Applied to a specific level in the AD DS hierarchy
GPO Scope
• Policy
settings in the Computer Configuration
node are applied at system startup and every 90–
120 minutes thereafter
• User
Configuration policy settings are applied at
logon and every 90–120 minutes thereafter
Lesson 2: Implementing and Administering GPOs
Domain-Based GPOs
GPO Storage
Starter GPOs
Common GPO Management Tasks
Delegating Administration of Group Policies
• Managing GPOs with Windows PowerShell
Domain-Based GPOs
GPO Storage
GPO
• Stored in AD DS
• Provides version information
A Starter GPO:
Stores administrative template settings on which the
new GPOs will be based
Can be exported to .cab files
Can be imported into other areas of the enterprise
Load
starterGPO .cab file
cabinet file
Common GPO Management Tasks
Local Group
GPO2
Site
GPO3
GPO3
GPO4
GPO4
Domain
GPO5
OU
OU OU
Configuring GPO Inheritance and Precedence
Refreshing GPOs
Resultant Set of Policy
Generate RSoP Reports
Demonstration: How to Perform What-If Analysis
with the Group Policy Modeling Wizard
• Examine Policy Event Logs
Refreshing GPOs
Windows Server 2012 provides the following tools for performing RSoP
analysis:
GPO1
Local Group
GPO2
Site
Wizard GPO4
GPO4
The Group Policy Modeling Domain
Wizard
GPResult.exe GPO5
OU
OU OU
Generate RSoP Reports
Demonstration: How to Perform What-If Analysis
with the Group Policy Modeling Wizard
In this demonstration, you will see how to:
• Use GPResult.exe and the Group Policy Reporting
Wizard
• Use the Group Policy Modeling Wizard
Examine Policy Event Logs
Module Review and Takeaways
Review Questions
Tools
• Common Issues and Troubleshooting Tips
Microsoft Official Course
®
Module 6
• Control panel
• Control Panel
• Desktop
• Network
• Network
• Printers
• Start menu and taskbar
• System
• System
• Windows components
• Windows components
ADM files:
ADMX files:
• Include language-neutral ADML files that provide the localized
language
• Are not stored in the GPO
• Are extensible through XML
The Central Store
ADMX files
Windows Vista
or Windows Server 2008 Domain controller Domain controller
workstation with SYSVOL with SYSVOL
Demonstration: Configuring Settings with
Administrative Templates
In this demonstration, you will see how to:
• Filter Administrative Template policy settings
• Apply comments to policy settings
• Add comments to a GPO
• Create a new GPO by copying an existing GPO
• Create a new GPO by importing settings that were
exported from another GPO
Lesson 2: Configuring Folder Redirection and Scripts
• Desktop • Favorites
• Start Menu • Saved Games
• Documents • Searches
• Pictures • Links
• AppData\Roaming • Music
• Contacts • Videos
• Downloads
Settings for Configuring Folder Redirection
Accounting
Target folder location options: Managers
• Redirect to the users’ home directory
(Documents folder only) Amy
• Create a folder for each user under the
root path
• Redirect to the following location Anne
• Are natively supported on Windows Server 2008 and Vista SP2 or newer
11 22
1.0
Preparation Deployment
44 33
2.0
Removal Maintenance
How Windows Installer Enhances
Software Distribution
Windows Installer:
Assign
Assign software
software
during computer
during computer
configuration
configuration
Software
Software Distribution
Distribution
Share
Share
Publish
Publish software
software using
using
Assign
Assign software
software during
during Add
Add oror Remove
Remove
user configuration
user configuration Programs
Programs
Publish
Publish software
software using
using
document activation
document activation
Managing Software Upgrades by Using
Group Policy
2.0
1.0
Users can decide
2.0 when to upgrade
Optional upgrade
2.0
You can select
1.0 specific users for an
upgrade
Selective upgrade
Microsoft Official Course
®
Module 7
Network
Policy Server
Health
Registration
Authority
Internet DHCP Server
NAP Health
Perimeter Intranet Policy Server
Network CA
Restricted
Network
Remediation
Servers
What Is the Network Policy and Access Services Role?
• Authentication:
• Verifies the credentials of a connection attempt
• Uses an authentication protocol to send the credentials
from the remote access client to the remote access
server in either plain text or encrypted form
• Authorization:
• Verifies that the connection attempt is allowed
• Occurs after successful authentication
Authentication Methods
Protocol Description Security Level
VPN VPN
Server Server
VPN
Medium Branch Office Server
VPN Home Office with
VPN Client
VPN
Server Remote User with VPN Client
Tunneling Protocols for VPN Connections
The CMAK:
• Allows you to customize users’ remote connection
experience by creating predefined connections on
remote servers and networks
• Creates an executable file that can be run on a client
computer to establish a network connection that you have
designed
• Reduces Help Desk requests related to the configuration
of RAS connections by:
• Assisting in problem resolution because the
configuration is known
• Reducing the likelihood of user errors when they
configure their own connection objects
Demonstration: How to Create a Connection Profile
START
Yes No Go to next
Are there Does connection policy
No policies to Yes attempt match
process? policy conditions?
Yes
Is the remote access
permission for the user
No account set to Deny Access?
Yes Reject
No connection
attempt
Is the remote Is the remote access
Reject
Yes access No permission on the
connection permission for policy set to Deny
attempt the user account remote access
set to Allow permission?
Access? Yes Accept
connection
No Does the connection
attempt
attempt match the
user object and
profile settings?
Process for Creating and Configuring a
Network Policy
To create a network policy:
• Determine authorization by user or group
• Determine appropriate settings for the user account’s
network access permissions
To configure the New Network Policy Wizard:
• Configure network policy conditions
• Configure network policy constraints
• Configure network policy settings
Demonstration: How to Create a Network Policy
Common problems
regarding remote access
include:
• Error 800: VPN unreachable
• Error 721: Remote computer
not responding
• Error 741/742: Encryption
mismatch
• L2TP/IPsec issues
• EAP-TLS issues
Lesson 5: Configuring DirectAccess
Features of DirectAccess:
• Connects automatically to corporate network over the
public network
• Uses various protocols, including HTTPS, to establish IPv6
connectivity
• Supports selected server access and IPsec authentication
• Supports end-to-end authentication and encryption
• Supports management of remote client computers
• Allows remote users to connect directly to intranet servers
Components of DirectAccess
Internet
Internet websites
websites Internal
Internal clients
clients AD
AD DS
DS domain
domain
controller
controller
DNS
DNS server
server
DirectAccess
DirectAccess Server
Server
NRPT/
NRPT/
Consec
Consec
IPv6\IPs
IPv6\IPs
ec
ec
External
External clients
clients
Internal
Internal network
network
resources
resources
NLS
NLS
PKI
PKI deployment
deployment
Name Resolution Policy Table
Using NRPT:
• DNS servers can be defined for each DNS namespace rather than
for each interface
• DNS queries for specific namespaces can be optionally
secured by using IPsec
How DirectAccess Works for Internal
Client Computers
Internal
Internal
Internet
Internet
Internet
Internet Internal
Internal
client
client AD DS domain
AD
AD
AD DS
DSDS domain
domain
domain
websites
websites
websites
websites client
client
computers
computers controller
controller
controller
controller
computers
computers Connection
Connection
security
DNS
DNS server
server
security
rules
rules
DirectAccess
DirectAccess
DirectAccess
DirectAccess NRPT
NRPT
server
server
server
server
NLS
NLS
Internal
Internal network
network
CRL
CRL dist
dist
resources
point resources
point
How DirectAccess Works for External
Client Computers
AD
AD DS
DS domain
domain
AD
AD
ADAD
DS
AD
DS DS
DS domain
domain
domain
domain
AD DS domain
DS
controllerdomain
controller
Internet DNS
Internet DNS
DNS server
server
DNS server
server controller
controller
controller
DNS
DNS server
server controller
DNS
DNS server
server
websites
websites DNS
DNS
DNS
DNS server
server
server
server
DNS
DNS server
server
DNS
DNS server
server
DirectAccess
DirectAccess
DirectAccess
DirectAccess
DirectAccess
DirectAccess
server
server
server
server DirectAccess
DirectAccess
server
server
server
r
c tu re
Connectio
Connectio u u ture
Connection
Connection
Connection
Connection
nn security
security Connectionastr ructastruc
Connection
security fr et fr
security
security
security
rules
rules
rules
rules security In fras In et
security rules
rules
rules
rules In tran tranet
In In
NRPT
NRPT
NRPT
NRPT
NRPT
NRPT
NRPT
NRPT
External
External
External
External client
client Internal
Internal network
network
External
External
External
External client
client
client
client Internal
Internal
Internal
Internal network
network
network
network
client
client
computers
computers resources
computers
computers
computers
computers
computers resourcesInternal
resources
resources
resources
resources Internal network
network
computers resources
resources
Prerequisites for Implementing DirectAccess
PKI
ICMPv6
ICMPv6 Echo
Group Policy Request traffic
IPv6
ple
Sam IPv6 and transition
AD DS technologies
DirectAccess
server
Configuring DirectAccess
To configure DirectAccess:
1. Configure the AD DS domain controller and DNS
Review Questions
• Tools
Microsoft Official Course
®
Module 8
Installing, Configuring, and
Troubleshooting the Network
Policy Server Role
Module Overview
Configuration Description
• Local authentication takes place against the local
security account database or Active Directory.
Connection policies exist on that server.
Local vs. RADIUS
authentication • RADIUS authentication forwards the connection
request to a RADIUS server for authentication against
a security database. RADIUS maintains a central store
of all the connection policies.
MS-CHAP
CHAP
PAP
Unauthenticated
access
Using Certificates for Authentication
Review Questions
• Tools
Microsoft Official Course
®
Module 9
• NAP can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not
meet health requirements
• NAP cannot:
• Prevent authorized users with compliant computers from
performing malicious activity on the network
• Restrict network access for computers that are running
Windows versions previous to Windows XP SP2, when
exception rules are configured for those computers
NAP Scenarios
802.1X enforcement for IEEE • Computer must be compliant to obtain unlimited access
802.1X-authenticated wired or through an 802.1X connection (authentication switch or
wireless connections access point)
VPN enforcement for remote • Computer must be compliant to obtain unlimited access
access connections through a Remote Access Service connection
Health
Registration
Authority
Internet
NAP Health
DHCP server
Perimeter Intranet Policy Server
network
Restricted
network
Remediation
Servers NAP client with
limited access
Lesson 2: Overview of NAP Enforcement Processes
IEEE 802.1X
Network Access Devices
IPsec Enforcement
Event ID Meaning
Review Questions
• Tools
Microsoft Official Course
®
Module 10
Overview of FSRM
Using FSRM to Manage Quotas, File Screens, and
Storage Reports
Implementing Classification and File Management
Tasks
Overview of DFS
Configuring DFS Namespaces
• Configuring and Troubleshooting DFS-R
Lesson 1: Overview of FSRM
Payroll.rpt
Classification Property
IsConfidential
What Are Classification Properties?
What Is DFS?
What Is a DFS Namespace?
What Is DFS Replication?
How DFS-N and DFS-R Work
What Is Data Deduplication?
DFS Scenarios
• Demonstration: How to Install the DFS Role
What Is DFS?
• Standalone namespace
• Namespace is stored on the local server
• Only redundant of stored on a failover cluster
What Is DFS Replication?
1
1
\\Contoso.com\Marketing
DFS
1
1 \\NYC-SRV-01\ProjectDocs Replication
Folder
Targets \\LON-SRV-01\ProjectDocs
Namespace
Namespace
2
User
User in
in London
London Server
Server in
in London
London
Scenario Example
Branch Office Hub Site
Data collection
Site 1
Branch Office
Data distribution
Site 2
Lesson 5: Configuring DFS Namespaces
Optional tasks:
• Set target priority to override referral ordering
• Enable client failback
• Replicate folder contents using DFS-R
• Delegate namespace administration
Permissions Required to Create and
Manage a Namespace
• Replication Group:
• A set of servers that participate in replicating one or
more replicated folders
• Replicated Folder
• A folder that is kept replicated on each server
Replication Group
Connection
Projects\Spec.doc
Member
Proposals\Budget.xls
Projects Projects
Replicated
Folders
Proposals Proposals
Initial Replication Process
Tool Used to
Module 11
FEK header
File Encrypted
file
Public
key
File
Encrypted
file with FEK
in header Encrypted file
FEK header
Symmetric key
Recovering EFS–Encrypted Files
Review Questions
• Tools
Microsoft Official Course
®
Module 12
Implementing Update
Management
Module Overview
Overview of WSUS
• Deploying Updates with WSUS
Lesson 1: Overview of WSUS
What Is WSUS?
The WSUS Update Management Process
• Server Requirements for WSUS
What Is WSUS?
Microsoft
Update
Automatic website
updates
Server running
Windows Server
Update Services
Test clients
LAN
Internet
Automatic
updates
The WSUS Update Management Process
Phase 1: Assess
• Set up a production environment that will support update
management for routine and emergency scenarios
Assess
Phase
Phase 4: Deploy
4: Deploy Phase 2: Identify
••Approve
Approve andandschedule
schedule • Discover new updates in
update installations
update installations Update a convenient manner
•Review theprocess
process Deploy Management Identify
• Review the after • Determine whether
after the deployment
the deployment is is updates are relevant to
complete
complete the production
environment
Evaluate
and Plan
• Software requirements:
• Internet Information Services 6.0 or newer
• Microsoft .NET Framework 2.0 or newer
• Microsoft Management Console 3.0
• Microsoft Report Viewer Redistributable 2008 or newer
• SQL Server 2012, SQL Server 2008, SQL Server 2005 SP2,
or Windows Internal Database
• Hardware requirements:
• 1.4 GHz or faster x64 processor
• 2 GB of RAM or greater
• 10 GB available disk space (40 GB or greater is
recommended)
Lesson 2: Deploying Updates with WSUS
Review Questions
• Tools
Microsoft Official Course
®
Module 13
Monitoring Tools
Using Performance Monitor
• Monitoring Event Logs
Lesson 1: Monitoring Tools
Active
Directory
DNS server
Internet
DHCP server
Perimeter Intranet
network
Considerations for Monitoring Virtual Machines
Review Questions
• Tools
Course Evaluation