Here are two quick videos showing the install and first boot of Server 2016 Technical Release 4
Server 2016 Technical Review 4
This first video we install and boot to Core. Core is the default of the two options; Core or GUI. So, if you select all the defaults, you will have Core.
In this second video we install and boot to the GUI install.
Desired State Configuration is a big part of most 2012 R2 certification tests; get an understanding from these 5 videos.
I have tried to arrange these in order; if you watch them in order, you should have a good basic understanding of DSC. It’s a very useful capability. The first two are approximately 1 hour each. DSC can do PUSH or PULL. Push would normally be ad hoc, test, or small needs. Most normal production use would be PULL.
Time = 1:09
Description; Targeted somewhat to developers, or those with a dev mindset. Gives a good overview of the design, deployment and possible uses. Lots of groundwork explanation. .MOF (Managed Object Format) file creation and use. This is a classroom recording, so there is some live Q & A.
VIDEO 2 – DSC is the ENDGAME for PowerShell
Time = 1:04
Published on May 19, 2014
Description; Windows PowerShell 4.0 introduces Desired State Configuration (DSC), and it’s time to put it to use. With DSC, you declaratively tell computers what you want them to look like, and how you want them to be configured, and let DSC make it happen and KEEP that configuration enforced. In this session, you not only see how DSC works, but you will be introduced to custom resource development, letting you start teaching DSC how to configure internal applications, databases, and other infrastructure elements.
VIDEO 3 – More hands on and examples
Time = 1:17
Published on Nov 9, 2014
Description; Are you paying attention to DevOps? Adoption of DevOps practices can greatly improve your company’s deployment efficiency. PowerShell Desired State Configuration (DSC) helps teams take the management of their Windows-based infrastructure into the DevOps space by capturing their infrastructure as code. The declarative PowerShell model enables autonomous, idempotent, and transparent configuration and deployment of Windows infrastructure and components. Capturing infrastructure as code is not only a means to manage what they have, at scale and speed, it is also a way to decouple the complexity of their existing environment in order to facilitate a migration to the cloud. Come see how DSC works and how you can use it to make configuration of internal applications, databases, and other infrastructure elements more efficient.
VIDEO 4 – Use Powershell DSC to install SQL Server
Time = :14
Published on Dec 18, 2014
Description; I briefly show how powershell DSC can be used to configure and deploy a brand new SQL Server installation.
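The videos above describe DSC in push mode and the MOF compile step; the following is an added example (not code from any of the videos) of that flow in PowerShell 4.0 syntax. The node name LAB-WEB01, the output paths and the 30-minute check interval are assumptions for a lab machine reachable over WinRM with local admin rights.

```powershell
# Added example: a minimal DSC push-mode run (names and paths are lab placeholders)
Configuration WebServerBaseline {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Declare the end state; DSC performs the install and keeps it that way
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        # A service left in the wrong state is classic drift; DSC corrects it on every consistency check
        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
        # Ensure = 'Absent' removes things you do not want on the box
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        # Local Configuration Manager: re-check every 30 minutes and fix drift automatically
        LocalConfigurationManager {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RefreshMode                    = 'Push'
        }
    }
}

# Compile: writes .\WebServerBaseline\LAB-WEB01.mof and LAB-WEB01.meta.mof
WebServerBaseline -NodeName 'LAB-WEB01' -OutputPath .\WebServerBaseline

# Apply the LCM settings first, then push the configuration MOF; -Verbose shows each resource's Test/Set pass
Set-DscLocalConfigurationManager -Path .\WebServerBaseline -ComputerName 'LAB-WEB01' -Verbose
Start-DscConfiguration -Path .\WebServerBaseline -ComputerName 'LAB-WEB01' -Wait -Verbose

# Later, check for drift without changing anything; returns $true when the node still matches
Test-DscConfiguration -ComputerName 'LAB-WEB01'
```

Push mode like this is fine for a lab or an ad hoc fix; for production the same MOF would be placed on a pull server and the LCM's RefreshMode set to Pull so nodes fetch and enforce it themselves.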
Flashcard Sets for ITIL and PowerShell for 70-410, 411, 412, 417
I have created two flashcard sets at http://www.flashcardmachine.com/, one for ITIL Foundations terms (remember, no acronym memorization is needed for Foundations test).
ITIL – 52 flashcards on the key terms and definitions.
70-410, 411, 412 and 417 PowerShell commands.
You can review these online, or you can download an APP to study them on your phone. The app is called Flashcard Machine, and it’s FREE. To find my two flashcard sets search for these terms on FlashCardMachine.com;
Flashcard Machine flashcards for ITIL and 70-410
Over the past few months I have posted a series of Study Guides targeted at 70-412, which would also be useful for 70-417. I want to put a hyperlinked Table of Contents here to show what order would be best to review them. These are study guides from the FREE Pluralsight training.
Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.
These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through technet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with the “DEMO” each time the training included a DEMO just so you can see how many demos there were which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer, contact info at the end.
Install and Configure AD Certificate Services. Essentially setting up internal certificate trusts to mirror, and potentially negate the need for, external certificates from Microsoft, Verisign, etc.
Install an Enterprise Certificate Authority
The “issuing CA” creates the actual cert file. Issuing CA gets trust from Policy CA, who gets it from a Root CA
Root is typically standalone, offline. Policy CA standalone or enterprise, typically online. Issuing CA typically enterprise online.
Issuing CA is the one doing all the day to day work.
Install CA ROLE, and the Online Responder ROLE
optional web enrollment pieces, or can use the console to manage
Post install configuration; configure active directory certificate services, requires member of local admins for some services, and Enterprise Admin for some.
Decide what TYPE of CA you’re installing.
Choose a NAME for the CA, usually combination of server name, domain name. Choose validity period (default = 5 years)
Certificate Templates – basic templates are provided, then when you fill them out with specific information it creates the actual certificate. Some are “available for issue” then there are dozens of additional ones that are not available for issue by default.
refresh GP then root cert should be available through AD. certs are automatically trusted by any computer in the domain
from a client, you can “request a new certificate”, and it automatically enrolls
Configure CRL (certificate revocation list) Distribution Points
when you need to manage expiration due to termination, employee leaving, new job responsibilities, etc.
The CRL location shows up in the “details” tab on the actual cert
set up CRL revocation list locations BEFORE passing out certs
you can’t delete crl revocations. Think about it, that makes sense. But when the list gets really long there are ways to make the queries faster.
Install and Configure Online Responder
Configure the Online Responder (which also needs a cert) OCSP response signing
Revocation Configuration for the Online Responder
Online responder downloads a copy of the CRL to make responses
enter the URL for the Online Responder in cert templates, and again have this set up prior to issuing any certs or you have to redo them all.
right click, all tasks, back up and restore recommend private key and logs (checkboxes)
certutil can also do backups (old way)
now of course PS Backup-CARoleService
Manage Certificates
Enrolling for Certificates
instead of “find cert” start with “request”
From IIS, you can create request and complete request from wizard on the right side of IIS.
Example using a PS code signing certificate
Manage Certificate Templates
Certificate Template Tabs
right click / manage, see “code signing certificate”
copy “duplicate” the template, then modify the new duplicate for use
publish certificate in AD checkbox
compatibility settings
choose encrypt/signature or both
auto renewal can force a different private key
WHAT this cert is going to be used for is baked in the cert configuration. For this example signing PS, this would be “code signing”
“subject name” is usually the FQDN of the webserver. In this case, we specify the user name for our PS signing cert.
you can configure manager approvals or signatures prior to approval
security tab; read, enroll, auto-enroll.
Implement and Manage Certificate Deployment, Validation and Revocation
now that the template is created, we talk about deployment, validation and revocation
now you have to right click on Certificate Templates, choose new certificate to issue and find the newly created template to issue.
revoke certificate from a right click on the cert. This is PERMANENT and not reversible. Note there is a “HOLD” that can be a temporary hold.
force a CRL update by “publish CRL”
new crl once a week, new delta crl once a day.
Configure and Manage Key Archival and Recovery
there is no default capability to archive keys
archive when enabled happens in AD
KRA Key recovery agent cert can recover keys
copy and modify certificate template
then you “enroll” for the KRA certificate
two commands to recover
PS certutil -GetKey
certutil -RecoverKey
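The CA backup cmdlet (above) and the two key-recovery commands (this section) as an added example, not from the course; the backup path, the user being recovered and the output files are placeholders, and the KRA's private key must be present in the store of the account running certutil -RecoverKey.

```powershell
# Added example: CA backup and KRA key recovery (paths and identities are placeholders)
$backupPath = 'D:\CABackup\' + (Get-Date -Format 'yyyyMMdd')
$backupPwd  = Read-Host -Prompt 'CA backup password' -AsSecureString

# Database, logs and the CA private key in one protected backup; copy it off the CA host
Backup-CARoleService -Path $backupPath -Password $backupPwd

# Database-only backup for routine runs that should not re-export the CA key each time
Backup-CARoleService -Path "$backupPath-db" -DatabaseOnly

# Key archival, step 1: certutil -GetKey searches the CA database (by UPN, serial number or cert hash)
# and writes an encrypted recovery blob that only a Key Recovery Agent can open
certutil -GetKey 'jdoe@corp.example' 'D:\Recovery\jdoe.blob'

# Step 2: certutil -RecoverKey decrypts the blob with the KRA private key and writes a
# password-protected PFX holding the user's certificate and recovered private key
certutil -RecoverKey 'D:\Recovery\jdoe.blob' 'D:\Recovery\jdoe.pfx'

# Audit which KRA certificates the CA is configured to archive keys to
certutil -getreg CA\KRACertCount
certutil -getreg CA\KRACertHash
```

Key archival means a second party can reconstruct a user's private key, so the KRA certificate and the recovery blobs deserve the same handling as the CA backup itself: restricted enrollment on the KRA template, and the PFX output deleted once it has been delivered to the user.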
Manage Certificate Renewal
manual non-GPO renewal
in Certificate console, right click on template, “re-enroll all certificate users”
Manage Certificate Enrollment and Renewal to Computers and Users using Group Policy
to auto populate our PS code signing certificate, assigned to our IT group
GPMC, new GPO
user side, public key policies
need certificate enrollment (AD)
auto-enrollment (enable)
auto-renewal /log expiry events, other options
auto renewal is 80% of cert lifespan, or the expiry of the renewal period
testing on machine, log in, gp runs, check for PS Signing cert
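Enrolling for the duplicated code-signing template, signing a script with it, and checking the signature and the revocation status against the CDP/OCSP locations on the cert, as an added example that is not from the course. The template name PSCodeSigning, the script path and the timestamp URL are assumptions; the template name must be the template's (short) name as published on the issuing CA.

```powershell
# Added example: enroll, sign, verify (template name, paths and URLs are placeholders)
$templateName = 'PSCodeSigning'

# Request from the enterprise CA. With auto-enroll permission this is issued immediately;
# with manager approval configured the status is Pending until a CA manager approves it
$enroll = Get-Certificate -Template $templateName -CertStoreLocation Cert:\CurrentUser\My
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment not complete, status is $($enroll.Status)"
}
$cert = $enroll.Certificate

# Only a cert whose EKU is Code Signing (the purpose baked into the template) is returned here
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $signer) { throw 'Issued cert does not carry the Code Signing EKU; check the template' }

# Sign the script; a timestamp keeps the signature valid after the cert itself expires
Set-AuthenticodeSignature -FilePath 'C:\Scripts\Deploy.ps1' -Certificate $signer `
    -TimestampServer 'http://timestamp.example/'

# Valid only if the chain builds to the AD-published root and the signer is not revoked
$sig = Get-AuthenticodeSignature -FilePath 'C:\Scripts\Deploy.ps1'
"Signature status: $($sig.Status)"

# Explicit revocation check using the CDP/AIA URLs embedded in the cert (the 'details' tab locations)
Export-Certificate -Cert $cert -FilePath "$env:TEMP\signer.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\signer.cer"

# On the test machine from the GPO section: did auto-enrollment actually run?
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 | Select-Object TimeCreated, Id, Message
```

If certutil reports that a CRL or OCSP URL could not be fetched, the distribution point was published after the cert was issued, which is exactly the "set up CRL locations BEFORE passing out certs" point made above.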
Configure and Enroll a Hyper-V Replica Certificate
If you choose replication in Hyper-V and select “encrypt”, then it will error as there is no dedicated custom cert
copy and rename a “Computer” template
then make it available for use
now when you go back to Hyper-V Manager it shows up.
Install and Configure AD Rights Management Services
Install a Licensing or Certificate AD RMS Server
RMS servers are referred to as “cluster”, just meaning multiple servers. You can also do a single server cluster. You need to be Enterprise Admin to complete this setup.
If you go to a document on File Server, you go to “protect document” then “restrict access” to connect to RMS and “get templates”. Will error if you have no RMS set up.
Install Active Directory Rights Management Server ROLE.
Post install configuration is required (yellow alert top right of Server Manager)
RMS is tied to email field in AD properties general/email field. Even if you don’t have email in reality it just pulls from that field.
Store RMS Cluster Key (keep this), password, website.
For location, suggest CName instead of FQDN so you can adapt in the future if the hardware changes.
Manage AD RMS Service Connection Point
Manage RMS Templates
Rights Policy Templates determine what/how you are going to offer to your users.
example; content that Finance group needs to protect
Name policy “Finance Protected Content”, add description.
Tied to the email associated with the finance security group, and you can choose what they can do. Lots of rights / actions, and you can create custom ones as well. view/edit/save/print/save/save as/etc.
you can disallow client side caching; they would have to be online to access the data
define revocation policy; when you revoke the license, you revoke the ability to access that policy, you also provide a url where the policy resides.
Configuration DB, directory services DB, logging DB. Either in SQL or the Windows server internal SQL. The internal SQL requires a full server backup. So, from a backup perspective it’s better to use SQL.
server certificate needs to be backed up
cluster key password
export trusted publishing domain
Implement AD Federation Services – focus seems to be on Workplace Join
Configure Workplace Join
understanding Federation
Traditionally, access is controlled by a user ID and login. Or, from AD permissions.
Federation is used when access needs to be provided to users OUTSIDE of your domain. (Partner, merger, acquisition, etc.)
Federation servers handle the federation process between organizations. It’s kind of a bridgehead or gateway for the access request/granting. It does this by generating “claims“.
Relying Party (us) and Claims Provider (them)
This happens from a pair of Trusts from each direction; Claims Provider Trust and Relying Party Trust.
Think also for BYOD situations for non-domain joined devices. Device itself is added to AD.
Typically connect through Web Application Proxy (not on the 412 test)
Settings / network / “workplace” is where you see it, on your desktop, not the server.
VEEAM is offering a FREE ebook on the Microsoft 70-409 certification; Server Virtualization with Windows Server Hyper-V and System Center. This book is by @orinthomas (http://orinthomas.com/) who is a great IT author and trainer, I’ve used a lot of his material. You could study this book, online resources, and use the Second Shot to pick up this cert. Here is the link to the download page on VEEAM; http://go.veeam.com/microsoft-certification-exam
Videos at the bottom (WinRE)
These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through technet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with the “DEMO” each time the training included a DEMO just so you can see how many demos there were which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer, contact info at the end.
All, or nearly all, sections include DEMOS so I’m not notating that separately.
These training courses should be preferably taken in this order (screenshot).
Configure and Manage Backup Solutions
Configure Windows Server Backups FEATURE
Compared to NT backups, this focuses on VOLUMES.
Pretty fully featured technology today.
If you want to do Bare Metal backups, you need to check that along with System State, System Reserved, and probably the C or OS drive.
Advanced settings
excluded files
VSS settings
copy vs. full (are you using some other backup application, if so you use COPY)
Destination
local volume
remote shared folder
Optimize backup performance = types of backups (full, incremental, etc.)
POWERSHELL WB = Windows Backup
Get-WBJob
Stop-WBJob
Get-WBVSSBackupOption
Configure Azure Backups
designed to just get a back up into the Cloud
Create “Backup Vault” tied to subscription and choose location
Download Vault credentials, and download and install Azure Backup Agent
Is now called MICROSOFT Azure Backup NOT Windows Azure Backup
set up encryption; Microsoft cannot recover data
Azure looks almost the same as a Windows backup. File and folder; just data, not system restore.
Configure role-specific backups
Backup Operators is the default, maybe too many permissions for many cases; can shut down system.
Create your own role for backup files and directories and restore files and directories
Manage VSS settings using VSS Admin
extended from original design (previous versions for users) to now include backups (quiescence)
VSS writer (specific by vendor for the application, Exchange, Oracle, AD, SQL, etc.
the VSS requester is the partner to the writer
PS vssadmin list writers
vssadmin list providers
vssadmin add shadowstorage /for=c: /on=f: /maxsize=20% set location for VSS
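The backup policy options listed above (bare metal, system state, copy vs. full VSS, remote share destination, schedule) and the VSS writer check, as one added example in PowerShell that is not from the course. The share path, credential, schedule and the Get-VssWriterState helper are assumptions.

```powershell
# Added example: Windows Server Backup policy plus a VSS writer health gate (placeholders throughout)
Import-Module WindowsServerBackup

$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy                      # implies system state, system reserved, OS volume
Add-WBSystemState       -Policy $policy
Add-WBVolume            -Policy $policy -Volume (Get-WBVolume -VolumePath 'C:')

# COPY leaves application logs untouched (use it when another product is the "real" backup);
# FULL truncates logs and resets archive bits
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

# Exclude noise from the volume backup
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Temp' -Exclude)

# Remote shared folder destination; the account only needs write access to this share
$cred   = Get-Credential -Message 'Account with write access to the backup share'
$target = New-WBBackupTarget -NetworkPath '\\BKP-SRV01\ServerBackups\LAB-WEB01' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule     -Policy $policy -Schedule 21:00

# Hypothetical helper: parse 'vssadmin list writers' into objects so a bad writer fails the run
function Get-VssWriterState {
    $text = (vssadmin list writers) -join "`n"
    [regex]::Matches($text, "Writer name: '([^']+)'[\s\S]*?State: \[\d+\] (\w+)") |
        ForEach-Object {
            [pscustomobject]@{ Writer = $_.Groups[1].Value; State = $_.Groups[2].Value }
        }
}
$bad = Get-VssWriterState | Where-Object State -ne 'Stable'
if ($bad) {
    $bad | Format-Table -AutoSize
    throw 'One or more VSS writers are not Stable; fix (often a service restart) before backing up'
}

Set-WBPolicy   -Policy $policy -Force      # persist as the scheduled policy
Start-WBBackup -Policy $policy             # or run it once now; follow with Get-WBJob -Previous 1
```

A writer stuck in a Failed or Waiting state is the usual reason an "application consistent" backup silently degrades to crash consistent, which is why the check runs before the policy is committed rather than after the job reports success.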
WinRE is a GUI-based Windows recovery console. It allows you to find the system image, install drivers, and connect to network locations to find an image, and asks whether you want to repartition drives.
msconfig – set what startup you get for NEXT boot to boot into safe mode, AD repair, etc. In case boots are so fast you can’t see F8
you can also boot to windows DVD
From WINRE you can boot to command prompt view, and you can manipulate unmounted drive (OS is not mounted). You can tell because command prompt is on the X drive which is the WINRE OS
startrep (start repair scan)
bootrec (boot record repair) Fixmbr, Fixboot, ScanOS, RebuildBcd
Advanced boot options (looks like the F8 options)
safe mode, with networking, with command prompt, boot logging, debugging, low-resolution video, last known good, disable restart, disable early launch anti-malware etc., etc.
Configure the boot configuration data store
multi boot menu to offer recovery options (not multi os boot)
bcdedit
bcdedit /export c:\save (export and save config)
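The bcdedit equivalents of the msconfig "next boot" trick and the export step above, as an added example not from the course; run from an elevated prompt, and the export path is a placeholder.

```powershell
# Added example: control the next boot with bcdedit (export path is a placeholder)
bcdedit /export 'C:\Save\bcd-backup'             # save the store first so every change below is reversible
bcdedit /enum '{default}'                         # show the entry you are about to modify

# Next boot goes to Safe Mode; 'network' = Safe Mode with networking, 'dsrepair' = AD repair (DSRM)
bcdedit /set '{default}' safeboot minimal

# Bring back the F8 menu on servers that boot too fast to catch it
bcdedit /set '{default}' bootmenupolicy legacy

# After the repair session, clear the flag or the server keeps booting into Safe Mode
bcdedit /deletevalue '{default}' safeboot

# If the store is damaged, restore it from the export
bcdedit /import 'C:\Save\bcd-backup'
```

The braces are quoted because PowerShell would otherwise parse `{default}` as a script block; from cmd.exe the quotes are not needed.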
Configure site level fault tolerance
Configure Hyper-V Replica, including Replica Broker and VMs
Replica is NOT failover clustering
provides a way to keep another copy of VM files (usually at remote site)
Replica CAN work with failover clusters
Replica is NOT OS specific; you can set it up with just shell VM, no OS to prove it
Kerberos – not encrypted traffic, requires trusted AD
certs – encrypted, no trusted domain needed
set up on each VM individually
configure frequency
can also set up scheduled recovery points
VSS for application consistent recovery points
you can do the initial replication via external media, network, choose other machine, etc.
set failover TCP/IP
on the TARGET location server there is “test failover” under network adapter in Hyper-V Manager
PLANNED failovers all start from the SOURCE location
UNPLANNED start from Destination location (thought is that the source location is down, or offline)
Adding Replica to a Failover Cluster: you need to add the Hyper-V Replica Broker ROLE
Configure Multi Site Clustering, including network settings, Quorum, and Failover Settings
Configure Hyper-V Replica Extended Replication
create a second replication site
this is initiated from the TARGET location of the original source.
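The Replica steps from the two sections above (server-side authorization, per-VM enablement with certificate rather than Kerberos transport, failover TCP/IP, extended replication from the target, and test, planned and unplanned failover) as one added example in the Hyper-V module, not from the course. Server names, the VM name, thumbprints and addresses are placeholders.

```powershell
# Added example: Hyper-V Replica with encrypted (certificate) transport; all names are placeholders
$primary  = 'HV-SITE1'
$replica  = 'HV-SITE2'
$extended = 'HV-SITE3'
$vm       = 'FS01'

# 1. Replica (target) server: accept HTTPS replication only from named primaries, not from any server
Invoke-Command -ComputerName $replica -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate -CertificateThumbprint '<replica-cert-thumbprint>' `
        -CertificateAuthenticationPort 443 -ReplicationAllowedFromAnyServer $false
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'HV-SITE1.corp.example' `
        -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Site1'
}

# 2. Primary: enable per VM, 5-minute frequency, 4 hourly recovery points, VSS snapshot every hour
Enable-VMReplication -ComputerName $primary -VMName $vm -ReplicaServerName $replica -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint '<primary-cert-thumbprint>' `
    -ReplicationFrequencySec 300 -RecoveryHistory 4 -VSSSnapshotFrequencyHour 1
Start-VMInitialReplication -ComputerName $primary -VMName $vm   # over the network; -DestinationPath for external media

# 3. Failover TCP/IP: the address the VM should take when it runs at the replica site
Set-VMNetworkAdapterFailoverConfiguration -ComputerName $replica -VMName $vm `
    -IPv4Address 10.20.0.50 -IPv4SubnetMask 255.255.255.0 -IPv4DefaultGateway 10.20.0.1

# 4. Extended replication is initiated on the TARGET of the original pair, pointing at a third site
Enable-VMReplication -ComputerName $replica -VMName $vm -ReplicaServerName $extended -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint '<replica-cert-thumbprint>' -ReplicationFrequencySec 900
Start-VMInitialReplication -ComputerName $replica -VMName $vm

# 5. Health, then the three failover types
Measure-VMReplication -ComputerName $primary -VMName $vm          # ReplicationHealth, LastReplicationTime
Start-VMFailover -ComputerName $replica -VMName $vm -AsTest        # test failover runs on the TARGET, isolated copy

# PLANNED: starts on the SOURCE (final delta), then fail over and reverse direction on the target
Start-VMFailover   -ComputerName $primary -VMName $vm -Prepare
Start-VMFailover   -ComputerName $replica -VMName $vm
Set-VMReplication  -ComputerName $replica -VMName $vm -Reverse
Start-VM           -ComputerName $replica -VMName $vm

# UNPLANNED: source is assumed down, so everything runs on the destination (omit -Prepare)
# Start-VMFailover -ComputerName $replica -VMName $vm; Start-VM -ComputerName $replica -VMName $vm
```

Kerberos transport (-AuthenticationType Kerberos, port 80) is simpler inside one forest but sends the replication stream in the clear, which is the trade-off the notes above point at; across sites or untrusted domains the certificate path is the one to use.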
When a state change occurs such as a cluster resource is taken offline, the nodes in a failover cluster must be notified of the change and acknowledge it before the cluster commits the change to the database. The Global Update Manager is responsible for managing these cluster database updates. In Windows Server 2012 R2, you can configure how the cluster manages global updates. By default, the Global Update Manager uses the following modes for failover cluster workloads in Windows Server 2012 R2:
Recover a Multi Site Failover Cluster
make sure you can support the IP and network configuration in the failover site
same Cluster Manager is used to manage stretch (multi site) clusters
configure preferred owners to deselect the DR site
This quick post and video shows how to get past the Hyper-V cannot be installed: “A hypervisor is already running” error when trying to install the Hyper-V Role on a server running as a VM on VMware Workstation. This is common in a virtual lab scenario for certification study.
To resolve this issue, change the guest OS type to Hyper-V. Caution: Hyper-V functionality inside VMware Fusion is experimental and is unsupported. To change the guest OS type to Hyper-V:
Shut down the virtual machine.
Click Virtual machine > Settings.
Select General and change the guest OS type to Hyper-V (unsupported).
Select Processors & Memory in the Settings.
In the Advanced options of Processors & Memory, select Enable hypervisor applications in the virtual machine
Implement an Advanced DHCP Solution
Create and configure superscopes and multicast scopes
superscopes – combine multiple DHCP scopes to have broader range of addresses
initial subnet didn’t have enough addresses
when you run out of addresses;
define by geographical location; floor, building, city, etc.
assign multiple network IPs to router (downside is network admin involvement)
DHCP RELAY – we’ve been there…allows DHCP traffic to cross router
DEMO
In DHCP, create superscope, then add multiple scopes to it
Multicast scope –
create Multicast scope, pick start/end IP, set TTL
unlikely would be allowed on most modern networks
most common use is WDS or other desktop deployments
Configure DHCP filters and policies
nodes in DHCP mmc
filters; allow or deny by MAC
then have to “enable” by checkbox
can set exemptions
Policies; what options will the managed machines get
vendor class
MAC
FQDN
Then set what treatment those hosts that fit the policy actually get
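The superscope, multicast scope, MAC filter and policy steps from the DHCP sections above, done with the DhcpServer module as an added example (not from the course). Subnets, MAC addresses, the vendor class string and the server name are placeholders.

```powershell
# Added example: DHCP superscope, multicast scope, filters and policies (all values are placeholders)
$dhcp = 'DHCP01'

# Superscope: a second scope on the same physical segment after the first ran out of addresses
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Floor1-A' -StartRange 10.1.0.10 -EndRange 10.1.0.250 -SubnetMask 255.255.255.0
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Floor1-B' -StartRange 10.1.1.10 -EndRange 10.1.1.250 -SubnetMask 255.255.255.0
Add-DhcpServerv4Superscope -ComputerName $dhcp -SuperscopeName 'Floor1' -ScopeId 10.1.0.0, 10.1.1.0

# Multicast scope for WDS-style deployments; a low TTL keeps the traffic close to home
Add-DhcpServerv4MulticastScope -ComputerName $dhcp -Name 'WDS-Multicast' `
    -StartRange 239.1.1.1 -EndRange 239.1.1.254 -Ttl 2

# Filters do nothing until the list is enabled. Deny a known rogue MAC, then turn the deny list on
Add-DhcpServerv4Filter -ComputerName $dhcp -List Deny -MacAddress '00-15-5D-AA-BB-CC' -Description 'Unauthorised device'
Set-DhcpServerv4FilterList -ComputerName $dhcp -Deny $true

# Allow-list mode is stricter: only listed MACs (wildcards allowed) get a lease at all
Add-DhcpServerv4Filter -ComputerName $dhcp -List Allow -MacAddress '00-15-5D-*' -Description 'Hyper-V VMs'
# Set-DhcpServerv4FilterList -ComputerName $dhcp -Allow $true   # enable only once every legitimate MAC is listed

# Policy: the vendor class must exist on the server before a policy can reference it
Add-DhcpServerv4Class -ComputerName $dhcp -Name 'VoIP-Phones' -Type Vendor -Data 'VoIP-Vendor' -Description 'Desk phones'
Add-DhcpServerv4Policy -ComputerName $dhcp -Name 'VoIP-Phones' -ScopeId 10.1.0.0 -Condition OR -VendorClass EQ,'VoIP-Vendor*'

# Treatment for hosts matching the policy: their own DNS server (option 6) and an 8-hour lease
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.1.0.0 -PolicyName 'VoIP-Phones' -OptionId 6 -Value 10.1.0.5
Set-DhcpServerv4Policy -ComputerName $dhcp -Name 'VoIP-Phones' -ScopeId 10.1.0.0 -LeaseDuration (New-TimeSpan -Hours 8)

# Audit what the server ended up with
Get-DhcpServerv4FilterList -ComputerName $dhcp
Get-DhcpServerv4Filter     -ComputerName $dhcp
Get-DhcpServerv4Policy     -ComputerName $dhcp -ScopeId 10.1.0.0
```

MAC filtering is an administrative control, not a security boundary, since a client chooses the MAC it presents; it is still worth enabling because it makes a rogue device show up as a denied request in the DHCP audit log rather than as a quiet lease.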
managed servers need to show up in “security filtering’ box on the GPO
machine has to receive and apply the GP before it shows as “unblocked” and “managed”
IPAM is more of a “push” instead of pulling in existing IP use
IP Address block
1 or more IP ranges
Add address range (block of IPs or open range that IPAM can use)
can add reservations and VIPs
along with normal DNS, gateway and other information
Configure server discovery
create and manage IP blocks and ranges
migrate to IPAM
tasks / import IP addresses (imports from .csv). certain mandatory columns for IPAM imports – IPAddress,IPAddressState,AssignmentType,ManagedByService,ServiceInstance,AssetTag
monitor utilization of IP address space
utilization is shown as a pie chart for each range, and can be adjusted to show the entire server
delegate IPAM administration
there is an “ACCESS CONTROL” link on the very bottom left to set up roles and access.
several default roles but you can create your own customized roles and set the policy settings
Manage IPAM collections
request new addresses (find and allocate) “find next”
RECLAIM ip addresses that are no longer used, delete resource records and DHCP reservations if exist.
EVENT CATALOG – log viewer of IPAM events
ADDRESS RANGE GROUPS – group by custom fields you defined during IP creation
configure IPAM database storage
PS Move-IPAMDatabase (moves the internal IPAM DB to SQL if you want)
lots of IPAM powershell commands (automation possibilities)
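The IPAM import with the mandatory columns listed above, the “find next” allocation, reclaiming unused addresses and the database move, as an added example using the IpamServer module (not from the course). The CSV rows are constructed sample data, and the range, server names and SQL details are placeholders.

```powershell
# Added example: IPAM import, find-next, reclaim and database move (sample data is constructed)
$csv = @'
IPAddress,IPAddressState,AssignmentType,ManagedByService,ServiceInstance,AssetTag,Description
10.1.0.5,In-Use,Static,IPAM,Localhost,SRV-0005,DNS01
10.1.0.6,In-Use,Static,IPAM,Localhost,SRV-0006,DHCP01
10.1.0.7,Inactive,Static,IPAM,Localhost,SRV-0007,Decommissioned build server
'@
$path = Join-Path $env:TEMP 'ipam-import.csv'
Set-Content -Path $path -Value $csv

# Import into the IPv4 address space; a missing mandatory column fails the whole import
Import-IpamAddress -AddressFamily IPv4 -Path $path

# "find next": take the first free address in the managed range and record it immediately,
# so two admins cannot hand out the same address
$range = Get-IpamRange -AddressFamily IPv4 |
    Where-Object { $_.StartIPAddress -eq '10.1.0.1' -and $_.EndIPAddress -eq '10.1.0.254' }
$free  = Find-IpamFreeAddress -InputObject $range -NumAddress 1
Add-IpamAddress -IpAddress $free.IPAddress -ManagedByService IPAM -ServiceInstance Localhost `
    -IpAddressState 'In-Use' -AssignmentType Static -Description 'allocated by script'

# Reclaim: remove records for addresses already marked inactive (the console's Reclaim task
# additionally offers to delete matching DNS records and DHCP reservations)
Get-IpamAddress -AddressFamily IPv4 -StartIPAddress 10.1.0.1 -EndIPAddress 10.1.0.254 |
    Where-Object IpAddressState -eq 'Inactive' |
    Remove-IpamAddress -Force

# Utilization for the range, the figure behind the pie chart
$range | Select-Object StartIPAddress, EndIPAddress, PercentageUtilized

# Move the internal (WID) database to SQL so it can be backed up like any other database
Move-IpamDatabase -DatabaseServer 'SQL01' -DatabaseName 'IPAM' -DatabasePort 1433 -DatabaseAuthType Windows
```

Keeping allocation in IPAM (Add-IpamAddress at the moment of “find next”) is what turns it from a reporting tool into the source of truth; the event catalog then shows who allocated or reclaimed which address and when.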