Apr 06

VMware HOL (HandsOnLabs) What’s New with vSphere 6.5

What’s New with vSphere 6.5

HOL-1710-SDC-6-MYVMW-HOL, 1 hr

  1. vCenter High Availability
    1. Essentially a 3 node HA vCenter cluster to protect against failures in hosts, hardware or appliances
    2. VAMI, the vCenter Server Appliance Management Interface, is now called the “vCenter Server Appliance Management UI”, so I guess it’s VAMUI
    3. The lab instructions are incorrect: they have you logging in to the vCenter Client, not the appliance management UI; look for the appliance MGMT link (local:5480)
    4. Look at various network and system utilization stats.
    5. Create support bundle, backup, shutdown, etc.
  2. Update Manager
    1. The next release of Update Manager is integrated with the VCSA (vCenter Server Appliance). You will no longer be able to connect to an Update Manager installed on a Windows Server.
    2. To start the Update Manager on VCSA just start the service.
    3. Run on internal PostgreSQL DB.
    4. VCSA and UM run on the same DB instance but separate databases.
    5. For those not used to UM, it is used to patch and update ESXi hosts and to install third-party software on hosts (HP firmware, for example). It also updates VMware Tools.
  3. Content Library
    1. Lists all content like .ISOs, templates, vApps, scripts
    2. Enhancements include things like being able to mount .ISO to VM direct from Content Library
    3. Create new virtual machine with custom specification from Content Library
    4. Content Libraries can be synchronized across two vCenter servers.
    5. Create a new Content Library and sync to it.
  4. SIOC / Storage IO Control
    1. Shows up next to Host Profiles in “Policies and Profiles”
    2. Create multiple SIOC Policies
    3. Storage policies are defined by disk, so each disk could have different policy, for example on a DB server.
  5. HTML 5 Host Client (webclient)
    1. Walk through common features
    2. Generating GSS Support Bundle (Global Support Services)
  6. Encrypt VMs
    1. Add a Key Management Server
    2. Set up encryption storage policy
    3. Create encrypted VM, encrypt an existing VM
    4. Decrypt multiple VMs simultaneously.
    5. Encryption is essentially just another type of Storage Policy.
  7. Visit HOL here; http://hol.vmware.com/
Aug 16

vSphere 6.0 Foundations – Exam Blueprint

With the 6.0 VCP you now have to take TWO tests. This blueprint is for the FIRST of these, called Foundations. It is an online, non-proctored test of the fundamentals. Here is the exam blueprint with links, all expanded. First, here are the two exams: 2V0-620 (Foundations) and 2V0-621 (DCV).
+ Objective 1.1: Identify vSphere Architecture and Solutions for a given use case


  • Explain available vSphere editions and features
  • Explain the various data center solutions that interact with vSphere
  • Explain ESXi and vCenter Server architectures
  • Explain new solutions offered in the current version
  • Determine appropriate vSphere edition based on customer requirements


+ Objective 1.2: Install and configure vCenter Server


  • Deploy the vCenter Appliance (vCSA)
  • Install vCenter Server onto a virtual machine
  • Create an ODBC Connection to a vCenter Server
  • Given a scenario, size the vCenter Database based on requirements
  • Install additional vCenter Server Components
  • Install and configure vSphere Client / vSphere Web Client
  • Install/Remove vSphere Client plug-ins
  • Enable/Disable vSphere Client plug-ins
  • License vCenter Server
  • Determine availability requirements for a vCenter Server in a given vSphere implementation


+ Objective 1.3: Install and configure ESXi


  • Given a scenario, validate if an ESXi configuration meets given requirements
  • Perform a scripted installation of ESXi
  • Perform an interactive installation of ESXi using media or PXE
  • Configure NTP on an ESXi Host
  • Configure DNS and routing on an ESXi Host
  • Configure SSH and Shell access on an ESXi Host
  • Configure logs to be sent to a syslog server
  • License an ESXi host


+ Section 2: Configure vSphere Networking
+ Objective 2.1: Configure vSphere Standard Switches (vSS)


  • Explain vSphere Standard Switch (vSS) capabilities
  • Create/Delete a vSphere Standard Switch
  • Add/Configure/Remove vmnics on a vSphere Standard Switch
  • Configure vmkernel ports for network services
  • Add/Edit/Remove port groups on a vSphere Standard Switch
  • Determine use case for a vSphere Standard Switch


+ Objective 2.2: Configure vSphere Distributed Switches (vDS)


  • Explain vSphere Distributed Switch (vDS) capabilities
  • Create/Delete a vSphere Distributed Switch
  • Add/Remove ESXi Hosts from a vSphere Distributed Switch
  • Add/Configure/Remove dvPort groups
  • Add/Remove uplink adapters to dvUplink groups
  • Configure vSphere Distributed Switch general and dvPort group settings
  • Create/Configure/Remove virtual adapters
  • Migrate virtual adapters to/from a vSphere Standard Switch
  • Migrate virtual machines to/from a vSphere Distributed Switch
  • Configure LACP on Uplink port groups
  • Determine use case for a vSphere Distributed Switch


+ Objective 2.3: Configure vSS and vDS Features


  • Explain common vSS and vDS policies
  • Describe vDS Security Polices/Settings
  • Configure dvPort group blocking policies
  • Configure load balancing and failover policies
  • Configure VLAN/PVLAN settings
  • Configure traffic shaping policies
  • Enable TCP Segmentation Offload support for a virtual machine
  • Enable Jumbo Frames support on appropriate components
  • Given a scenario, determine appropriate VLAN configuration for a vSphere implementation


+ Section 3: Configure vSphere Storage
+ Objective 3.1: Connect Shared Storage Devices to vSphere


  • Explain storage naming conventions
  • Explain hardware/dependent hardware/software iSCSI initiator requirements
  • Configure FC/iSCSI/FCoE storage devices
  • Describe zoning and LUN masking practices
  • Create an NFS share for use with vSphere
  • Configure/Edit hardware/dependent hardware initiator
  • Connect/Configure NFS 3.x and 4.1 NAS devices
  • Enable/Disable software iSCSI initiator
  • Configure/Edit software iSCSI initiator settings
  • Configure iSCSI port binding
  • Enable/Configure/Disable iSCSI CHAP


+ Objective 3.2: Configure Software Defined Storage


  • Explain Virtual SAN (VSAN) Architecture
  • Create/Delete VSAN Cluster
  • Manage VSAN disk groups
  • Monitor VSAN storage
  • Add/Remove VSAN Nodes
  • Explain benefits of NFS 4.1
  • Determine use cases for Virtual SAN configurations


+ Objective 3.3: Create and Configure VMFS and NFS Datastores


  • Compare/Contrast supported NFS versions
  • Configure NFS storage for VMDK formatting
  • Configure storage multi-pathing
  • Compare/Contrast VMFS3 and VMFS5
  • Configure Storage Distributed Resource Scheduler (SDRS)
  • Extend/Expand VMFS Datastores
  • Place a VMFS Datastore in Maintenance Mode


+ Section 4: Deploy and Administer Virtual Machines and vApps
+ Objective 4.1: Create and Deploy Virtual Machines


  • Place virtual machines in selected ESXi Hosts/Clusters/Resource Pools
  • Configure and deploy a Guest OS into a new virtual machine
  • Configure/Modify virtual hardware:
    • CPU
    • RAM
    • Disk
    • vNIC
  • Create/Convert thin/thick provisioned virtual disks
  • Install/Upgrade VMware Tools and Virtual Hardware
  • Configure PCI Pass-through and Direct I/O
  • Configure virtual machine time synchronization


+ Objective 4.2: Create and Deploy vApps


  • Create/Deploy/Clone a vApp
  • Add objects to an existing vApp
  • Edit vApp settings
  • Configure IP pools
  • Suspend/Resume a vApp


+ Objective 4.3: Manage Virtual Machine Clones and Templates


  • Explain Cloning and Template options
  • Clone an existing virtual machine
  • Create a template from an existing virtual machine
  • Deploy a virtual machine from a template
  • Update existing virtual machine templates
  • Deploy virtual appliances and/or vApps from an OVF template
  • Import an OVF template
  • Create a Local Library
  • Create a Remote Library with/without external storage
  • Publish/Subscribe/Share Content Library
  • Deploy a virtual machine from a content library


+ Objective 4.4: Administer Virtual Machines and vApps


  • Explain files used by virtual machines
  • Explain common practices for securing virtual machines
  • Hot Extend a virtual disk
  • Configure virtual machine options
  • Configure virtual machine power settings
  • Configure virtual machine boot options
  • Administer virtual machine snapshots
  • Assign a Storage Policy to a virtual machine
  • Verify Storage Policy compliance for virtual machines
  • Adjust virtual machine resources
  • Differentiate between stop/shutdown/reboot/restart of a virtual machine


+ Section 5: Establish and Maintain Availability and Resource Management Features
+ Objective 5.1: Create and Configure VMware Clusters


  • Determine how DRS and HA are applicable to an environment
  • Create/Delete a DRS/HA Cluster
  • Add/Remove ESXi Hosts from a DRS/HA Cluster
  • Add/Remove virtual machines from a DRS/HA Cluster
  • Configure Storage DRS
  • Configure Enhanced vMotion Compatibility
  • Monitor a DRS/HA Cluster
  • Configure migration thresholds for DRS and virtual machines
  • Configure automation levels for DRS and virtual machines
  • Enable/Configure/Disable Host Power Management/Distributed Power Management
  • Enable/Disable Host Monitoring
  • Enable/Configure/Disable virtual machine and application monitoring


+ Objective 5.2: Plan and Implement VMware Fault Tolerance


  • Configure VMware Fault Tolerance networking
  • Given a scenario, determine an appropriate VMware Fault Tolerance configuration
  • Enable/Disable VMware Fault Tolerance on a virtual machine
  • Test a Fault Tolerant configuration
  • Determine use case for enabling VMware Fault Tolerance on a virtual machine


+ Objective 5.3: Create and Administer Resource Pools


  • Explain vFlash architecture
  • Explain use cases for Resource Pools
  • Create/Remove a Resource Pool
  • Configure Resource Pool attributes
  • Add/Remove virtual machines from a Resource Pool
  • Create/Delete vFlash Resource Pool
  • Assign vFlash resources to VMDKs
  • Determine Resource Pool requirements for a given vSphere implementation


+ Objective 5.4: Migrate Virtual Machines


  • Explain Enhanced vMotion Compatibility (EVC)
  • Explain Long Distance vMotion
  • Explain process for vMotion/Storage vMotion migrations
  • Configure virtual machine swap file location
  • Migrate a powered-off or suspended virtual machine
  • Migrate virtual machines using vMotion/Storage vMotion


+ Objective 5.5: Backup and Restore Virtual Machines


  • Explain VMware Data Protection sizing Guidelines
  • Describe vSphere Replication architecture
  • Install and Configure VMware Data Protection
  • Create a backup job with VMware Data Protection
  • Perform a live full/file-level restore with VMware Data Protection
  • Create/Delete/Consolidate virtual machine snapshots
  • Perform a failback operation using vSphere Replication
  • Determine appropriate backup solution for a given vSphere implementation


+ Objective 5.6: Update ESXi and Virtual Machines


  • Create/Edit/Remove a Host Profile from an ESXi host
  • Attach/Apply a Host Profile to an ESXi host or cluster
  • Perform compliance scanning and remediation of an ESXi host using Host Profiles
  • Install and Configure vCenter Update Manager
  • Configure patch download options
  • Create/Edit/Delete an Update Manager baseline
  • Attach an Update Manager baseline to an ESXi host or cluster
  • Scan and remediate ESXi Hosts and virtual machines using Update Manager


+ Section 6: Perform Basic Troubleshooting
+ Objective 6.1: Perform Basic Troubleshooting of ESXi and vCenter Server


  • Troubleshoot common installation issues
  • Monitor status of ESXi management agents
  • Determine ESXi host stability issues and gather diagnostics information
  • Export diagnostic information
  • Monitor status of the vCenter Server service
  • Perform basic maintenance of a vCenter Server database


+ Objective 6.2: Perform Basic Troubleshooting of ESXi and vCenter Operations


  • Verify network configuration
  • Troubleshoot common storage issues
  • Troubleshoot common virtual machine issues
  • Given a scenario, verify a virtual machine is configured with the correct network resources
  • Troubleshoot virtual switch and port group configuration issues
  • Troubleshoot physical network adapter configuration issues
  • Recognize and detect common knowledge base article solutions


+ Objective 6.3: Perform Basic Troubleshooting of Virtual Machine Operations


  • Troubleshoot virtual machine resource contention issues
  • Recognize and detect:
    • Fault Tolerant network latency issues
    • VMware Tools installation issues
    • Virtual machines states
    • Virtual machine constraints
    • Guest OS installation issues
  • Given a scenario, determine root cause of a storage issue based on troubleshooting information
  • Explain common virtual machine boot disk errors


+ Objective 6.4: Identify and Troubleshoot Basic Misconfigurations


  • Troubleshoot:
    • Virtual switch and distributed switches port group configuration issues
    • Physical network adapter configuration issues
    • NFS networking configuration issues
    • iSCSI software initiator configuration issues
    • HA configuration and redundancy issues
    • DRS Resource Distribution Graph
    • vMotion/Storage vMotion migration issues
  • Interpret vMotion Resource Maps
  • Given a scenario, verify a virtual machine is configured with the correct network resources


+ Section 7: Monitor a vSphere Implementation
+ Objective 7.1: Monitor ESXi, vCenter Server and Virtual Machines


  • Explain:
    • Common memory metrics
    • Common CPU metrics
    • Common network metrics
    • Common storage metrics
  • Configure SNMP for vCenter Server
  • Configure SMTP settings for vCenter Server
  • Create a log bundle
  • Create/Edit/Delete a Scheduled Task
  • Configure/View/Print/Export resource maps
  • Start/Stop/Verify vCenter Server service status
  • Start/Stop/Verify ESXi host agent status
  • Configure vCenter Server timeout settings
  • Identify vCenter Server connection object status
  • Create an Advanced Chart


+ Objective 7.2: Create and Administer vCenter Server Alarms


  • List vCenter Server default utilization alarms
  • List vCenter Server default connectivity alarms
  • List possible actions for utilization and connectivity alarms
  • Create a vCenter Server utilization alarm
  • Create a vCenter Server connectivity alarm
  • Configure alarm triggers
  • Configure alarm actions
  • For a given alarm, identify the affected resource in a vSphere implementation


+ Objective 7.3: Install, Configure, and Manage vCenter Operations Manager


  • Differentiate Major/Minor vRealize Operations Manager badges
  • Explain vRealize Operations Manager architecture
  • Deploy and Configure vRealize Operations Manager appliance
  • Upgrade vRealize Operations Manager
  • Understand metrics used by Major/Minor vRealize Operations Manager badges
  • Monitor vSphere environment
  • For a given alarm, identify the affected resource in a vSphere implementation


Dec 02

Windows Server 2016 Technical Preview 4 install and first boot

Here are two quick videos showing the install and first boot of Server 2016 Technical Preview 4.

Server 2016 Technical Preview 4


1. In this first video we install and boot to Core. Core is the default of the two options, Core or GUI, so if you accept all the defaults you will get Core.



2. In this second video we install and boot to the GUI install.


Nov 27

VMware vCenter 6.0 VCSA – Where is the .OVA?

Um, Yeah, there is no OVA with vCenter Server Appliance 6.0

We take a quick look at setting up vCenter Server Appliance (VCSA) 6.0, since it’s a bit different with no .OVA option. In fact, VMware created a KB article because so many people were asking where to find the .ova download. With 6.0 there is ONLY an .ISO; that’s the only option to download. You should be able to download VCSA 6.0 or VCSA 6.0U1 here.

If you remember the old process, you could set up one host, connect to the host with vSphere Client, and then import the .OVA and you’d be up and running in mere minutes.

Fortunately, the new process is almost as simple, as long as you get a couple of pieces right up front. Please watch the video from our YouTube Channel, in which we walk through the process. Essentially, you 1) download the .iso, 2) install the Client Integration Plugin and 3) install / push / import the VCSA to a host.

Nov 24

4 videos to understand Windows Server Desired State Configuration (DSC) and FREE eBook

Desired State Configuration is a big part of most 2012 R2 certification tests; get an understanding from these 5 videos.

I have tried to arrange these in order; if you watch them in order, you should have a good basic understanding of DSC. It’s a very useful capability. The first two are approximately 1 hour each. DSC can do PUSH or PULL. Push would normally be used ad hoc, for testing, or for small needs; most normal production use would be PULL.
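As an added example (mine, not from the videos or the eBook linked here), the following script shows the two halves of that push/pull split: a small configuration that compiles to a .MOF and is pushed to the local node, then a Local Configuration Manager metaconfiguration that switches the same node to pull mode. The configuration name, the IIS feature choices, the output folder, the pull server URL and the registration key are all assumptions; the pull block uses the WMF 5 LCM syntax, which differs from the PowerShell 4.0 era syntax the videos show.

```powershell
# Added example, not from the linked videos. Assumes an elevated PowerShell 4.0+
# session (WMF 5 for the pull section). C:\DscDemo, the pull server URL and the
# registration key are placeholders.

Configuration WebServerBaseline {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Ensure the IIS role is present
        WindowsFeature IIS {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }
        # Keep the web service running and set to start automatically
        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
        # Keep directory browsing off; if someone turns it on, DSC reverts it
        WindowsFeature DirBrowsing {
            Ensure    = 'Absent'
            Name      = 'Web-Dir-Browsing'
            DependsOn = '[WindowsFeature]IIS'
        }
    }
}

# --- PUSH mode: compile to C:\DscDemo\localhost.mof and apply it directly ---
WebServerBaseline -OutputPath 'C:\DscDemo' | Out-Null
Start-DscConfiguration -Path 'C:\DscDemo' -Wait -Verbose -Force

# Drift check: $true while the node matches the MOF, $false once someone changes it
Test-DscConfiguration

# --- PULL mode: point the Local Configuration Manager at a pull server instead ---
[DSCLocalConfigurationManager()]
Configuration PullClientLcm {
    Node 'localhost' {
        Settings {
            RefreshMode          = 'Pull'
            ConfigurationMode    = 'ApplyAndAutoCorrect'   # re-apply when drift is found
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
        }
        ConfigurationRepositoryWeb PullServer {
            ServerURL          = 'https://pull.example.com:8080/PSDSCPullServer.svc'   # placeholder
            RegistrationKey    = '00000000-0000-0000-0000-000000000000'                 # placeholder
            ConfigurationNames = @('WebServerBaseline')
        }
    }
}
PullClientLcm -OutputPath 'C:\DscDemo\Lcm' | Out-Null
Set-DscLocalConfigurationManager -Path 'C:\DscDemo\Lcm' -Verbose
```

The push half is what you would use for a one-off test box; the pull half is the production shape, where the node fetches `WebServerBaseline` from the pull server every 30 minutes and corrects drift itself.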

Free eBook from Powershell.org The DSC Book

VIDEO 1

Time = 1:09
Description: Targeted somewhat at developers, or those with a dev mindset. Gives a good overview of the design, deployment and possible uses, with lots of groundwork explanation, including .MOF (Managed Object Format) file creation and use. This is a classroom recording, so there is some live Q & A.

VIDEO 2 – DSC is the ENDGAME for PowerShell

Time = 1:04

Published on May 19, 2014

Description: Windows PowerShell 4.0 introduces Desired State Configuration (DSC), and it’s time to put it to use. With DSC, you declaratively tell computers what you want them to look like, and how you want them to be configured, and let DSC make it happen and KEEP that configuration enforced. In this session, you not only see how DSC works, but you will be introduced to custom resource development, letting you start teaching DSC how to configure internal applications, databases, and other infrastructure elements.

VIDEO 3 – More hands on and examples

Time = 1:17

Published on Nov 9, 2014

Description: Are you paying attention to DevOps? Adoption of DevOps practices can greatly improve your company’s deployment efficiency. PowerShell Desired State Configuration (DSC) helps teams take the management of their Windows-based infrastructure into the DevOps space by capturing their infrastructure as code. The declarative PowerShell model enables autonomous, idempotent, and transparent configuration and deployment of Windows infrastructure and components. Capturing infrastructure as code is not only a means to manage what they have, at scale and speed, it is also a way to decouple the complexity of their existing environment in order to facilitate a migration to the cloud. Come see how DSC works and how you can use it to make configuration of internal applications, databases, and other infrastructure elements more efficient.


VIDEO 4 – Use Powershell DSC to install SQL Server

Time = 0:14

Published on Dec 18, 2014

Description: I briefly show how PowerShell DSC can be used to configure and deploy a brand new SQL Server installation.

Oct 11

Flashcard App sets for 70-410 PowerShell and ITIL

Flashcard Sets for ITIL and PowerShell for 70-410, 411, 412, 417

I have created two flashcard sets at http://www.flashcardmachine.com/, one for ITIL Foundations terms (remember, no acronym memorization is needed for Foundations test).

ITIL – 52 flashcards on the key terms and definitions.

70-410, 411, 412 and 417 PowerShell commands.

You can review these online, or you can download an APP to study them on your phone. The app is called Flashcard Machine, and it’s FREE. To find my two flashcard sets search for these terms on FlashCardMachine.com:

Flashcard Machine flashcards for ITIL and 70-410 (screenshot)

ITIL – ITIL 2011 JL Key Service Management Terms (53 cards)

70-410 PowerShell – 70-410 JL PowerShell Commands (68 cards)

As you can see, I have “JL” in each title so you can make sure you’re getting my sets.

Oct 05

ITIL V3 2011 Study Resources

ITIL V3 2011 study resources

I passed my test with a 98% (one wrong).

First, a word about versions. The most current version is “V3, 2011”. Version 3 was released in 2007. Then, in 2011, there was a minor update commonly called “2011”. So, if you’re studying a straight “V3” resource, it might not be the most current, although there isn’t a HUGE difference. One of the PDFs below is V3 and one is 2011.

For the Foundations class, you do NOT have to know any acronyms. This is useful to know because there are about a thousand in the book, so don’t waste your time memorizing acronyms. The test spells out all terms and doesn’t require you to know acronyms.

Terms: there are a lot of terms to know. I have gathered the basics into a flashcard set at http://www.flashcardmachine.com/. If you log on online, or use the free app, you can download the set I created; just search for “ITIL 2011 JL” as shown in the screenshot. My set is currently 53 cards. These are the core terms you should know.

Now, some online resources;

  1. There is a veritable BOATLOAD of free online training on ITIL from Microsoft Virtual Academy. This is online and FREE. Here is the link to ITIL on MVA.
  2. YouTube has some great training. The one that seems to mirror our training at work is this one.
  3. For some printable resources start with this partial .pdf; they want you to buy a complete guide, but this sample provides a lot of info. ThoughtRock sample ITIL 2011. (pdf)
  4. This one is V3, but NOT 2011, so very similar, terms would be the same.
  5. Free online sample test; http://www.pmweb.co.uk/itil-freequiz/
  6. Free online sample test from Axelos (the official ITIL outfit); https://www.axelos.com/qualifications/sample-papers
  7. Lastly, I thought the “7 Common Mistakes” was worthwhile.
  8. And, another good compilation page to check out; http://blog.pluralsight.com/free-itil-resources

Good luck! Feel free to share this post with anyone else.

Sep 12

Server 2012 R2 Core, Minimal GUI, GUI

SO, what are all the options with Core? What is “minimal GUI”? How do you move from one to the other?

I wanted to post to outline these options as this understanding will probably be included on several questions in the 70-412 or 70-417 tests.

There are THREE options for the interface on Server 2012.

From the most basic, to the most features, they look like this;

  1. Server Core – always installed and enabled; the baseline feature for all Windows Servers. This includes the fundamental capabilities that cannot be removed and are core to the OS.
    1. What you get; ONLY command prompt (Powershell)
  2. Minimal Server Interface; Server Graphical Management Tools & Infrastructure – functionality for Minimal Server Interface;
    1. What you get; Server Manager and command prompt, and MMC
  3. Server Graphical Shell – equivalent to Server with a GUI
    1. What you get; this is the full GUI interface that most Administrators work with

Link to overview and diagram shown below.

Server 2012 GUI Layers


We are going to demonstrate scenarios with VIDEO

  1. Starting with Server Graphical Shell (normal full blown GUI)
    1. We remove the Graphical Shell, which takes us to MINIMAL SERVER INTERFACE. Then we return to the Server Graphical Shell.
      1. Link to video going from Server Graphical Shell to Minimal Server Interface, and back. Also looking at the tools in Minimal Server Interface, and how you restart your tools if you close them all and are looking at a black, blank desktop in Minimal Server Interface.
      2. https://youtu.be/O1mNgwzUewQ 
    2. We remove Graphical Shell and minimal interface and go directly to CORE, then we return to Graphical Shell
      1. This command gets you from CORE to Minimal Server Interface; Install-WindowsFeature Server-Gui-Mgmt-Infra
      2. Add this command as well, and you go back to the full Server Graphical Shell; Install-WindowsFeature Server-Gui-Shell
      3. So, to go from Core back to Server Graphical Shell in one step, this is your command; Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell
      4. Link to video going from Server Graphical Shell to Core, and back. Also looking at the tools in Core, and how you restart your tools if you close them all and are looking at a black, blank desktop in Core.
      5. https://youtu.be/sAwOOpuD4mA
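
As an added example (mine, not from the videos), here is the same set of transitions wrapped in two small functions: one that reports which of the three interface levels a server is currently at by checking the two features, and one that moves it to a requested level using the Install-/Uninstall-WindowsFeature commands above. The function names and the optional -Source handling are my additions; the feature names are the ones from the commands above.

```powershell
# Added example, not from the videos. Assumes an elevated PowerShell on
# Server 2012 / 2012 R2 with the ServerManager module (present by default).
# Function names are my own; feature names are the ones used in the commands above.

function Get-ServerInterfaceLevel {
    # Maps the two GUI features to the three interface levels described above.
    $shell = (Get-WindowsFeature -Name Server-Gui-Shell).Installed
    $infra = (Get-WindowsFeature -Name Server-Gui-Mgmt-Infra).Installed
    if     ($shell) { 'Server Graphical Shell' }
    elseif ($infra) { 'Minimal Server Interface' }
    else            { 'Server Core' }
}

function Set-ServerInterfaceLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Server Core', 'Minimal Server Interface', 'Server Graphical Shell')]
        [string]$Target,
        [switch]$Restart,
        # Path to mounted install media; only needed if the feature binaries were
        # removed earlier with Uninstall-WindowsFeature -Remove.
        [string]$Source
    )
    $installArgs = @{}
    if ($Source) { $installArgs['Source'] = $Source }

    switch ($Target) {
        'Server Core' {
            # Server-Gui-Shell depends on Server-Gui-Mgmt-Infra, so removing the
            # latter removes both and lands on Core.
            Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra -Restart:$Restart
        }
        'Minimal Server Interface' {
            # From Core: add the management infrastructure. From full GUI: drop the shell.
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra @installArgs | Out-Null
            Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart:$Restart
        }
        'Server Graphical Shell' {
            # The one-step command from item 3 above.
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell @installArgs -Restart:$Restart
        }
    }
}

"Current level: $(Get-ServerInterfaceLevel)"
# Example transition: full GUI -> Minimal Server Interface, then reboot
Set-ServerInterfaceLevel -Target 'Minimal Server Interface' -Restart
```

Every transition needs a restart before Get-ServerInterfaceLevel reports the new level, which is why the -Restart switch is passed through rather than rebooting unconditionally.
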
Sep 02

70-412 and 70-417 Study Guide List

Over the past few months I have posted a series of Study Guides targeted at 70-412, which would also be useful for 70-417. I want to put a hyperlinked Table of Contents here to show what order would be best to review them in. These are study guides from the FREE Pluralsight training.



Here are the hyperlinks;

1) Configure Active Directory

2) Configure High Availability

3) Configure Network Services

4) Configure Continuity and Disaster Recovery

5) Configure File and Storage Solutions

6) Configure Identity and Access Solutions

Other useful links on this effort would be;

MCSA and Build a LAB

Server 2012 R2 – New Features of R2

Sep 02

Windows Server 2012 R2 (70-412) Identity and Access Solutions – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. PowerShell topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a demo, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer; contact info at the end.


  1. Install and Configure AD Certificate Services. Essentially setting up internal certificate trusts to mirror, and potentially negate the need for, external certificates like Microsoft, Verisign, etc.
    1. Install an Enterprise Certificate Authority
      1. The “issuing CA” creates the actual cert file. Issuing CA gets trust from Policy CA, who gets it from a Root CA
      2. Root is typically standalone, offline. Policy CA standalone or enterprise, typically online. Issuing CA typically enterprise online.
      3. Issuing CA is the one doing all the day to day work.
      4. Install the CA ROLE and the Online Responder ROLE
        1. Optional web enrollment pieces, or you can use the console to manage
      5. Post-install configuration: configure Active Directory Certificate Services. This requires membership in local Admins for some services and Enterprise Admins for others.
      6. Decide what TYPE of CA you’re installing.
      7. Choose a NAME for the CA, usually a combination of server name and domain name. Choose the validity period (default = 5 years)
      8. Certificate Templates – basic templates are provided, then when you fill them out with specific information it creates the actual certificate. Some are “available for issue”; then there are dozens of additional ones that are not available for issue by default.
      9. Refresh GP, then the root cert should be available through AD. Certs are automatically trusted by any computer in the domain
      10. From a client, you can “request a new certificate”, and it automatically enrolls
    2. Configure CRL (certificate revocation list) Distribution Points
      1. When you need to manage expiration due to termination, an employee leaving, new job responsibilities, etc.
      2. The CRL location shows up in the “details” tab on the actual cert
      3. Set up CRL revocation list locations BEFORE passing out certs
      4. You can’t delete CRL revocations. Think about it, that makes sense. But when the list gets really long there are ways to make the queries faster.
    3. Install and Configure Online Responder
      1. Configure the Online Responder (which also needs a cert) for OCSP response signing
      2. Revocation Configuration for the Online Responder
      3. The Online Responder downloads a copy of the CRL to make responses
      4. Enter the URL for the Online Responder in cert templates, and again have this set up prior to issuing any certs or you have to redo them all.
    4. Implement Administrative Separation
      1. Principle of Least Privilege
      2. Read this Technet on Role Based Administration
      3. In the security tab of the CA, set up the right permissions
      4. One additional command (PS): certutil -setreg ca\RoleSeparationEnabled 1; see https://technet.microsoft.com/en-us/library/Cc782357(v=WS.10).aspx
    5. Configure CA Backup and Recovery
      1. Right click, All Tasks, Back up and Restore; recommend private key and logs (checkboxes)
      2. certutil can also do backups (old way)
      3. Now of course PS: Backup-CARoleService
  2. Manage Certificates
    1. Enrolling for Certificates
      1. Instead of “find cert”, start with “request”
      2. From IIS, you can create a request and complete the request from the wizard on the right side of IIS.
      3. Example using a PS code signing certificate
    2. Manage Certificate Templates
      Certificate Template Tabs (screenshot)
      1. Right click / manage, see “code signing certificate”
      2. Copy (“duplicate”) the template, then modify the new duplicate for use
      3. Publish certificate in AD checkbox
      4. Compatibility settings
      5. Choose encrypt/signature or both
      6. Auto renewal can force a different private key
      7. WHAT this cert is going to be used for is baked into the cert configuration. For this example signing PS, this would be “code signing”
      8. “Subject name” is usually the FQDN of the webserver. In this case, we specify the user name for our PS signing cert.
      9. You can configure manager approvals or signatures prior to approval
      10. Security tab; read, enroll, auto-enroll.
    3. Implement and Manage Certificate Deployment, Validation and Revocation
      1. Now that the template is created, we talk about deployment, validation and revocation
      2. Now you have to right click on Certificate Templates, choose New Certificate to Issue and find the newly created template to issue.
      3. Revoke a certificate from a right click on the cert. This is PERMANENT and not reversible. Note there is a “HOLD” reason that can be a temporary hold.
      4. Force a CRL update by “Publish CRL”
      5. New CRL once a week, new delta CRL once a day.
    4. Configure and Manage Key Archival and Recovery
      1. There is no default capability to archive keys
      2. Archiving, when enabled, happens in AD
      3. A KRA (Key Recovery Agent) cert can recover keys
      4. Copy and modify the certificate template
      5. Then you “enroll” for the KRA certificate
      6. Two commands to recover
        1. PS certutil -GetKey
        2. certutil -RecoverKey
    5. Manage Certificate Renewal
      1. Manual non-GPO renewal
      2. In the Certificate console, right click on the template, “re-enroll all certificate users”
    6. Manage Certificate Enrollment and Renewal to Computers and Users using Group Policy
      1. to auto populate our PS code signing certificate, assigned to our IT group
      2. GPMC, new GPO
      3. user side, public key policies
        1. need certificate enrollment (AD)
        2. auto-enrollment (enable)
        3. auto-renewal / log expiry events, other options
        4. auto renewal is 80% of cert lifespan, or the expiry of the renewal period
      4. testing on a machine: log in, GP runs, check for the PS signing cert
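An added PowerShell check for that last testing step, not code from the lab notes: it looks for the auto-enrolled code-signing certificate, works out the 80% renewal point described above, then signs and verifies a constructed test script. It assumes the template issued a Code Signing cert to the logged-in user and that the enterprise CA chain is trusted on the machine.

```powershell
# Added example (not from the lab notes): confirm the auto-enrolled code-signing
# cert is present after gpupdate, show when auto-renewal will fire (80% of the
# lifetime, per the notes), and prove the cert works by signing a test script.
# Assumes: user-side auto-enrollment applied and the CA chain is trusted here.

# -CodeSigningCert keeps only certs with the Code Signing EKU; we also need a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No code-signing certificate found; run gpupdate /force and re-check auto-enrollment.'
}

# Auto-renewal is triggered at 80% of the validity period, so compute that date.
$lifetime   = $cert.NotAfter - $cert.NotBefore
$renewAfter = $cert.NotBefore.AddTicks([long]($lifetime.Ticks * 0.8))
"Subject     : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Valid       : $($cert.NotBefore) -> $($cert.NotAfter)"
"Renews after: $renewAfter"

# Sign a constructed test script (constructed input, not a real deployment script).
$script = Join-Path $env:TEMP 'signing-test.ps1'
Set-Content -Path $script -Value 'Write-Output "signed script ran"'

$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Re-read from disk; Status is Valid only when the signer chains to a trusted CA.
$check = Get-AuthenticodeSignature -FilePath $script
"Signature status: $($check.Status) (signer: $($check.SignerCertificate.Subject))"
```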
    7. Configure and Enroll a Hyper-V Replica Certificate
      1. If you choose replication in Hyper-V and select “encrypt”, then it will error as there is no dedicated custom cert
      2. copy and rename a “Computer” template
      3. then make it available for use
      4. now when you go back to Hyper-V Manager it shows up.
  3. Install and Configure AD Rights Management Services
    1. Install a Licensing or Certificate AD RMS Server
      1. RMS servers are referred to as “cluster”, just meaning multiple servers. You can also do a single server cluster. You need to be Enterprise Admin to complete this setup.
      2. If you go to a document on the File Server, you go to “protect document” then “restrict access” to connect to RMS and “get templates”. Will error if you have no RMS set up.
      3. Install Active Directory Rights Management Server ROLE.
      4. Post install configuration is required (yellow alert top right of Server Manager)
      5. RMS is tied to the email field in AD properties (General / E-mail field). Even if you don’t have email in reality, it just pulls from that field.
      6. Store RMS Cluster Key (keep this), password, website.
      7. For location, suggest a CNAME instead of the FQDN so you can adapt in the future if the hardware changes.
    2. Manage AD RMS Service Connection Point
    3. Manage RMS Templates
      1. Rights Policy Templates determine what/how you are going to offer to your users.
      2. example; content that Finance group needs to protect
      3. Name policy “Finance Protected Content”, add description.
      4. Tied to the email associated with the finance security group, and you can choose what they can do. Lots of rights / actions, and you can create custom ones as well: view/edit/save/print/save as/etc.
      5. you can disallow client side caching; they would have to be online to access the data
      6. define revocation policy; when you revoke the license, you revoke the ability to access that policy. You also provide a URL where the policy resides.
    4. Configure Exclusion Policies
      1. you can determine a “Lockbox version exclusion”, which is pretty bizarre; read about it on the link.
    5. Backup and Restore AD RMS
      1. what do you have to include in backups?
      2. Configuration DB, directory services DB, logging DB. Either in SQL or the Windows server internal SQL. The internal SQL requires a full server backup. So, from a backup perspective it’s better to use SQL.
      3. server certificate needs to be backed up
      4. cluster key password
      5. export trusted publishing domain
  4. Implement AD Federation Services – focus seems to be on Workplace Join
    1. Configure Workplace Join
      1. understanding Federation
        1. Traditionally, access is controlled by a user ID and login, or by AD permissions.
        2. Federation is used when access needs to be provided to users OUTSIDE of your domain. (Partner, merger, acquisition, etc.)
        3. Federation servers handle the federation process between organizations. It’s kind of a bridgehead or gateway for the access request/granting. It does this by generating “claims”.
        4. Relying Party (us) and Claims Provider (them)
        5. This happens from a pair of Trusts from each direction; Claims Provider Trust and Relying Party Trust.
      2. Think also for BYOD situations for non-domain joined devices. Device itself is added to AD.
      3. Typically connect through Web Application Proxy (not on the 412 test)
      4. Settings / Network / “Workplace” is where you see it, on your desktop, not the server.
      5. Create a Group Managed Service Account.
      6. Create a certificate for AD FS
        1. domain computers need to have enroll privileges
        2. Enroll from your AD FS server
        3. This will require entering additional information to enroll the cert; hostname, DNS name, etc.
        4. For non-domain devices, it’s a lot easier if you use a public cert, for access and CRL access which is open to non-domain users on the internet.
    2. Install AD FS
      1. Now create ADFS, create the first server in a federation server farm.
        1. associate to cert
        2. name it, add display name
        3. add service account (use an existing account)
        4. SQL or internal database.
        5. finalize the wizard. now you should be the Relying Party Trust.
    3. Implement Claims-based Authentication including Relying Party Trusts
      1. in AD FS console, look under Relying Party Trusts to see the claims options.
    4. Configure Authentication Policies
      1. from PowerShell
        1. Initialize-ADDeviceRegistration
      2. Back in console, enable device authentication in the global policy
      3. This is just using “windows authentication” instead of Forms based, or other options.
    5. Configure Multi Factor Authentication
      1. This is an Authentication Policy in the console
      2. registered/unregistered, intranet/extranet
      3. now test Workplace Join from desktop. You just click “join” and it’s joined. Button changes from “join” to “leave”.