Nov 24

4 videos to understand Windows Server Desired State Configuration (DSC) and FREE eBook

Desired State Configuration is a big part of most 2012 R2 certification tests; get an understanding from these videos.

I have tried to arrange these in order; if you watch them in order, you should have a good basic understanding of DSC. It’s a very useful capability. The first two are approximately 1 hour each. DSC can run in PUSH or PULL mode. Push is normally for ad hoc, test, or small-scale needs; most normal production use is PULL.
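As an added example (not code from any of the videos or from The DSC Book), here is the smallest useful PUSH-mode workflow: a configuration that declares the end state of a web server, compiles to a .MOF, is pushed with Start-DscConfiguration, and has the Local Configuration Manager set to keep re-enforcing it. The node name, paths and the choice of resources are assumptions; the syntax is PowerShell 4.0 DSC as covered in the videos.

```powershell
# Added example: declarative configuration compiled to a MOF and pushed to one node.
# Node name and file paths are assumptions.
Configuration WebBaseline {
    param(
        [Parameter(Mandatory)]
        [string[]]$NodeName
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Declare the end state; DSC tests first and only changes what differs.
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        # A hardening item DSC will keep enforcing: Remote Registry stays off.
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
        File HealthCheckPage {
            DestinationPath = 'C:\inetpub\wwwroot\health.txt'
            Contents        = 'ok'
            Ensure          = 'Present'
            DependsOn       = '[WindowsFeature]IIS'
        }
    }
}

# LCM meta-configuration: re-check every 30 minutes and correct any drift.
Configuration LCMEnforce {
    Node 'web01.corp.example' {
        LocalConfigurationManager {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
        }
    }
}

# Compile: one .mof per node is written under .\WebBaseline and .\LCMEnforce
WebBaseline -NodeName 'web01.corp.example' -OutputPath .\WebBaseline
LCMEnforce -OutputPath .\LCMEnforce

# Apply the LCM settings, then PUSH the configuration and wait for it to finish.
# -Verbose shows each resource's Test/Set call, which is the best way to learn what DSC does.
Set-DscLocalConfigurationManager -Path .\LCMEnforce -Verbose
Start-DscConfiguration -Path .\WebBaseline -Wait -Verbose -Force

# Later: has the node drifted? (returns True/False without changing anything)
Test-DscConfiguration -CimSession 'web01.corp.example'
```

The same .MOF files are what a PULL server hands out; only the LCM settings (RefreshMode = 'Pull' plus a download manager) change, the configuration itself does not.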

Free eBook from PowerShell.org: The DSC Book


VIDEO 1

Time = 1:09
Description: Targeted somewhat to developers, or to those with a dev mindset. Gives a good overview of the design, deployment and possible uses. Lots of groundwork explanation, including .MOF (Managed Object Format) file creation and use. This is a classroom recording, so there is some live Q & A.


VIDEO 2 – DSC is the ENDGAME for PowerShell

Time = 1:04

Published on May 19, 2014

Description: Windows PowerShell 4.0 introduces Desired State Configuration (DSC), and it’s time to put it to use. With DSC, you declaratively tell computers what you want them to look like, and how you want them to be configured, and let DSC make it happen and KEEP that configuration enforced. In this session, you not only see how DSC works, but you will be introduced to custom resource development, letting you start teaching DSC how to configure internal applications, databases, and other infrastructure elements.


VIDEO 3 – More hands-on and examples

Time = 1:17

Published on Nov 9, 2014

Description: Are you paying attention to DevOps? Adoption of DevOps practices can greatly improve your company’s deployment efficiency. PowerShell Desired State Configuration (DSC) helps teams take the management of their Windows-based infrastructure into the DevOps space by capturing their infrastructure as code. The declarative PowerShell model enables autonomous, idempotent, and transparent configuration and deployment of Windows infrastructure and components. Capturing infrastructure as code is not only a means to manage what they have, at scale and speed, it is also a way to decouple the complexity of their existing environment in order to facilitate a migration to the cloud. Come see how DSC works and how you can use it to make configuration of internal applications, databases, and other infrastructure elements more efficient.


VIDEO 4 – Use PowerShell DSC to install SQL Server

Time = 0:14

Published on Dec 18, 2014

Description: I briefly show how PowerShell DSC can be used to configure and deploy a brand new SQL Server installation.

Oct 11

Flashcard App sets for 70-410 PowerShell and ITIL

Flashcard Sets for ITIL and PowerShell for 70-410, 411, 412, 417

I have created two flashcard sets at http://www.flashcardmachine.com/, one for ITIL Foundations terms (remember, no acronym memorization is needed for the Foundations test) and one for PowerShell commands.

ITIL – 52 flashcards on the key terms and definitions.

70-410, 411, 412 and 417 PowerShell commands.

You can review these online, or you can download an app to study them on your phone. The app is called Flashcard Machine, and it’s FREE. To find my two flashcard sets, search for these terms on FlashCardMachine.com:

ITIL – ITIL 2011 JL Key Service Management Terms (53 cards)

70-410 PowerShell – 70-410 JL PowerShell Commands (68 cards)

As you can see, I have “JL” in each title so you can make sure you’re getting my sets.

Sep 02

70-412 and 70-417 Study Guide List

Over the past few months I have posted a series of Study Guides targeted at 70-412, which would also be useful for 70-417. I want to put a hyperlinked Table of Contents here to show what order would be best to review them. These are study guides from the FREE Pluralsight training.

 

 

Here are the hyperlinks:

1) Configure Active Directory

2) Configure High Availability

3) Configure Network Services

4) Configure Continuity and Disaster Recovery

5) Configure File and Storage Solutions

6) Configure Identity and Access Solutions

Other useful links on this effort would be:

MCSA and Build a LAB

Server 2012 R2 – New Features of R2

Sep 02

Windows Server 2012 R2 (70-412) Identity and Access Solutions – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer; contact info at the end.

 

  1. Install and Configure AD Certificate Services. Essentially setting up internal certificate trusts that mirror, and can negate the need for, external certificates from Microsoft, Verisign, etc.
    1. Install an Enterprise Certificate Authority
      1. The “issuing CA” creates the actual cert file. Issuing CA gets trust from Policy CA, who gets it from a Root CA
      2. Root is typically standalone, offline. Policy CA standalone or enterprise, typically online. Issuing CA typically enterprise online.
      3. Issuing CA is the one doing all the day to day work.
      4. Install the CA ROLE, and the Online Responder ROLE
        1. optional web enrollment pieces, or you can use the console to manage
      5. Post-install configuration; configure Active Directory Certificate Services. Requires membership in local Administrators for some services, and Enterprise Admins for some.
      6. Decide what TYPE of CA you’re installing.
      7. Choose a NAME for the CA, usually a combination of server name and domain name. Choose the validity period (default = 5 years)
      8. Certificate Templates – basic templates are provided, then when you fill them out with specific information it creates the actual certificate. Some are “available for issue” then there are dozens of additional ones that are not available for issue by default.
      9. refresh GP then root cert should be available through AD. certs are automatically trusted by any computer in the domain
      10. from a client, you can “request a new certificate”, and it automatically enrolls
    2. Configure CRL (certificate revocation list) Distribution Points
      1. when you need to manage expiration due to termination, employee leaving, new job responsibilities, etc.
      2. The CRL location shows up in the “details” tab on the actual cert
      3. set up CRL revocation list locations BEFORE passing out certs
      4. you can’t delete CRL revocations. Think about it, that makes sense. But when the list gets really long there are ways to make the queries faster.
    3. Install and Configure Online Responder
      • Configure the Online Responder (which also needs a cert) OCSP response signing
      • Revocation Configuration for the Online Responder
      • Online responder downloads a copy of the CRL to make responses
      • enter the URL for the Online Responder in cert templates, and again have this set up prior to issuing any certs or you have to redo them all.
    4. Implement Administrative Separation
      1. Principle of Least Privilege
      2. Read this Technet on Role Based Administration
      3. In the security tab of the CA, set up the right permissions
      4. one additional command: PS certutil -setreg ca\RoleSeparationEnabled 1 (https://technet.microsoft.com/en-us/library/Cc782357(v=WS.10).aspx)
    5. Configure CA Backup and Recovery
      1. right click, all tasks, back up and restore recommend private key and logs (checkboxes)
      2. certutil can also do backups (old way)
      3. now of course PS Backup-CARoleService
  2. Manage Certificates
    1. Enrolling for Certificates
      1. instead of “find cert” start with “request”
      2. From IIS, you can create request and complete request from wizard on the right side of IIS.
      3. Example using a PS code signing certificate
    2. Manage Certificate Templates
      1. right click / manage, see “code signing certificate”
      2. copy (“duplicate”) the template, then modify the new duplicate for use
      3. publish certificate in AD checkbox
      4. compatibility settings
      5. choose encrypt/signature or both
      6. auto renewal can force a different private key
      7. WHAT this cert is going to be used for is baked into the cert configuration. For this example, signing PS, this would be “code signing”
      8. “subject name” is usually the FQDN of the webserver. In this case, we specify the user name for our PS signing cert.
      9. you can configure manager approvals or signatures prior to approval
      10. security tab; read, enroll, auto-enroll.
    3. Implement and Manage Certificate Deployment, Validation and Revocation
      1. now that the template is created, we talk about deployment, validation and revocation
      2. now you have to right click on Certificate Templates, choose new certificate to issue and find the newly created template to issue.
      3. revoke certificate from a right click on the cert. This is PERMANENT and not reversible. Note there is a “HOLD” that can be a temporary hold.
      4. force a CRL update by “publish CRL”
      5. new crl once a week, new delta crl once a day.
    4. Configure and Manage Key Archival and Recovery
      1. there is no default capability to archive keys
      2. archive when enabled happens in AD
      3. KRA Key recovery agent cert can recover keys
      4. copy and modify certificate template
      5. then you “enroll” for the KRA certificate
      6. two commands to recover
        1. PS certutil -GetKey
        2. certutil -RecoverKey
    5. Manage Certificate Renewal
      1. manual non-GPO renewal
      2. in Certificate console, right click on template, “re-enroll all certificate users”
    6. Manage Certificate Enrollment and Renewal to Computers and Users using Group Policy
      1. to auto populate our PS code signing certificate, assigned to our IT group
      2. GPMC, new GPO
      3. user side, public key policies
        1. need certificate enrollment (AD)
        2. auto-enrollment (enable)
        3. auto-renewal / log expiry events, other options
        4. auto renewal is at 80% of cert lifespan, or at the expiry of the renewal period
      4. testing on a machine: log in, GP runs, check for the PS Signing cert
    7. Configure and Enroll a Hyper-V Replica Certificate
      1. If you choose replication in Hyper-V and select “encrypt”, then it will error as there is no dedicated custom cert
      2. copy and rename a “Computer” template
      3. then make it available for use
      4. now when you go back to Hyper-V Manager it shows up.
  3. Install and Configure AD Rights Management Services
    1. Install a Licensing or Certificate AD RMS Server
      1. RMS servers are referred to as “cluster”, just meaning multiple servers. You can also do a single server cluster. You need to be Enterprise Admin to complete this setup.
      2. If you go to a document on the File Server, you go to “protect document” then “restrict access” to connect to RMS and “get templates”. Will error if you have no RMS set up.
      3. Install Active Directory Rights Management Server ROLE.
      4. Post install configuration is required (yellow alert top right of Server Manager)
      5. RMS is tied to email field in AD properties general/email field. Even if you don’t have email in reality it just pulls from that field.
      6. Store RMS Cluster Key (keep this), password, website.
      7. For location, suggest CName instead of FQDN so you can adapt in the future if the hardware changes.
    2. Manage AD RMS Service Connection Point
    3. Manage RMS Templates
      1. Rights Policy Templates determine what/how you are going to offer to your users.
      2. example; content that Finance group needs to protect
      3. Name policy “Finance Protected Content”, add description.
      4. Tied to the email associated with the finance security group, and you can choose what they can do. Lots of rights / actions, and you can create custom ones as well. view/edit/save/print/save/save as/etc.
      5. you can disallow client side caching; they would have to be online to access the data
      6. define revocation policy; when you revoke the license, you revoke the ability to access that policy, you also provide a url where the policy resides.
    4. Configure Exclusion Policies
      1. you can determine “Lockbox version exclusion” which is pretty bizarre; read about it on the link.
    5. Backup and Restore AD RMS
      1. what do you have to include in backups?
      2. Configuration DB, directory services DB, logging DB. Either in SQL or the Windows server internal SQL. The internal SQL requires a full server backup. So, from a backup perspective it’s better to use SQL.
      3. server certificate needs to be backed up
      4. cluster key password
      5. export trusted publishing domain
  4. Implement AD Federation Services – focus seems to be on Workplace Join
    1. Configure Workplace Join
      1. understanding Federation
        1. Traditionally, access is controlled by a user ID and login. Or, from AD permissions.
        2. Federation is used when access needs to be provided to users OUTSIDE of your domain. (Partner, merger, acquisition, etc.)
        3. Federation servers handle the federation process between organizations. It’s kind of a bridgehead or gateway for the access request/granting. It does this by generating “claims“.
        4. Relying Party (us) and Claims Provider (them)
        5. This happens from a pair of Trusts from each direction; Claims Provider Trust and Relying Party Trust.
      2. Think also for BYOD situations for non-domain joined devices. Device itself is added to AD.
      3. Typically connect through Web Application Proxy (not on the 412 test)
      4. Settings / network / “workplace” is where you see it, on your desktop, not the server.
      5. Create a Group Managed Service Account.
      6. Create a certificate for AD FS
        1. domain computers need to have enroll privileges
        2. Enroll from your AD FS server
        3. This will require entering additional information to enroll the cert; hostname, DNS name, etc.
        4. For non-domain devices, it’s a lot easier if you use a public cert, for access and CRL access which is open to non-domain users on the internet.
    2. Install AD FS
      1. Now create ADFS, create the first server in a federation server farm.
        1. associate to cert
        2. name it, add display name
        3. add service account (use an existing account)
        4. SQL or internal database.
        5. finalize the wizard. now you should be the Relying Party Trust.
    3. Implement Claims based Authentication including Relying Party Trusts
      1. in AD FS console, look under Relying Party Trusts to see the claims options.
    4. Configure Authentication Policies
      1. from PowerShell
        1. Initialize-ADDeviceRegistration
      2. Back in console, enable device authentication in the global policy
      3. This is just using “windows authentication” instead of Forms based, or other options.
    5. Configure Multi Factor Authentication
      1. This is an Authentication Policy in the console
      2. registered/unregistered, intranet/extranet
      3. now test Workplace Join from desktop. You just click “join” and it’s joined. Button changes from “join” to “leave”.
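The CRL distribution point, Online Responder, role separation and CA backup items in section 1 above are all things that have to be right before the first certificate is issued. As an added example (not from the course or from Greg Shields), the script below does those steps with the ADCSAdministration cmdlets and certutil on the issuing CA itself, then verifies them. The HTTP URLs, the backup path and the weekly/daily CRL cadence from the notes are assumptions for the example; run it as an Enterprise Admin on the CA.

```powershell
# Added example: issuing-CA post-install hardening, run on the CA as Enterprise Admin.
# URLs and paths are assumptions; substitute your own.
Import-Module ADCSAdministration

# 1. CDP and OCSP URLs are written into every certificate at issuance, so set them
#    BEFORE issuing anything (changing them later means re-issuing every cert).
#    The <CaName><CRLNameSuffix><DeltaCRLAllowed> tokens are expanded by the CA.
$cdpUrl  = 'http://pki.corp.example/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$ocspUrl = 'http://ocsp.corp.example/ocsp'

Add-CACrlDistributionPoint -Uri $cdpUrl -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force

# 2. Full CRL once a week, delta CRL once a day (the cadence from the notes)
certutil -setreg ca\CRLPeriodUnits 1
certutil -setreg ca\CRLPeriod "Weeks"
certutil -setreg ca\CRLDeltaPeriodUnits 1
certutil -setreg ca\CRLDeltaPeriod "Days"

# 3. Role separation: no single account may hold both CA Administrator and
#    Certificate Manager. An account that holds both is locked out of BOTH roles
#    once this is on, so check the Security tab of the CA first.
certutil -setreg ca\RoleSeparationEnabled 1

# Registry changes take effect on service restart; then publish a fresh CRL.
Restart-Service CertSvc
certutil -crl

# 4. Verify what was applied
Get-CACrlDistributionPoint | Where-Object { $_.AddToCertificateCdp } | Select-Object Uri
Get-CAAuthorityInformationAccess | Select-Object Uri, AddToCertificateOcsp
certutil -getreg ca\RoleSeparationEnabled
certutil -getreg ca\CRLPeriod
certutil -getreg ca\CRLDeltaPeriod

# 5. Back up the CA database, private key and logs, protected by a password.
#    This is the PowerShell equivalent of the "back up and restore" right-click.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the CA private key backup'
Backup-CARoleService -Path 'D:\CABackup' -Password $pw -KeepLog -Force
```

Restore-CARoleService -Path 'D:\CABackup' -Password $pw reverses step 5 on a rebuilt server. Keep the backup, and especially the exported private key, somewhere with at least the same access controls as the CA itself.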

 

Jul 30

Windows Server 2012 R2 (70-412) File and Storage Solutions – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer; contact info at the end.

“Storage” – think more than just file server.

  1. Configure and Optimize Storage
    1. Configure Storage Spaces
      1. local disks
      2. create a Storage Pool
      3. all storage shows up (unused and available) in the PRIMORDIAL POOL
      4. new storage pool wizard
        1. during wizard can allocate “automatic” but can choose “manual” or “hot spare”
        2. leave it as automatic, can set RAID
      5. Then create a disk out of the storage pool. Then can create volumes on those disks as well.
      6. storage tiers checkbox is grayed out as tiering is not set up.
      7. can set simple/mirror/parity (RAID) in this wizard
      8. next button lets you choose thin or fixed provisioning.
      9. after creation, then create a volume on the new disk
      10. can enable data deduplication in next field (have to turn on the ROLE)
        1. general purpose or VDI de-dupe
        2. can choose exclusions, schedule, etc. Throughput optimization.
    2. Configure Tiered Storage
      1. Start with creating a new storage pool. Has the different type disks (SSD and spinning)
        1. (hack to create each with VMware Workstation)
          1. Get-PhysicalDisk
          2. Get-PhysicalDisk | ft FriendlyName, Size, MediaType
          3. can set them in PS to appear as SSD or mechanical
          4. Set-PhysicalDisk -FriendlyName <disk name> -MediaType HDD
          5. So essentially you are setting them to have some SSD and some HDD so you can set up tiering.
        2. Now you have a different option in the wizard (Faster tier, Standard tier)
        3. the tiering is handled by the windows subsystem, no mgmt
        4. can set specific files to SSD by PS; Set-FileStorageTier
    3. Implement Thin Provisioning and TRIM
      1. we already talked about creating THIN
      2. tiered is THICK – cannot do THIN tiered
      3. see if THIN provisioning fits your needs
      4. TRIM – file delete notification. reclaim storage space. File Delete Notification is ON by default.
      5. disable file delete notification by registry setting if you want as it does add some overhead.
      6. PS Optimize-Volume
    4. Configure iSCSI Target and Initiator
      1. provides a method for any of the above disks accessible over network
      2. Target = where storage is, Initiator is who needs the storage,
      3. Configure; easier to create the initiator first (the remote network server)
        1. tools/start iSCSI initiator get alert box to start service each time
      4. iSCSI console
        1. quick connect option might not be the best for enterprise use
      5. you have to click the ADVANCED button to choose adapter and initiator IP (critical when using a separate storage network)
      6. at this point, we haven’t created the storage target on the file server yet
      7. new iSCSI virtual disk wizard
        1. create new iSCSI disk name, size, dynamically expanding, etc.
        2. next screen asks for target name, and the previously created one shows up. (which is why we created it first)
        3. can enable CHAP authentication
        4. “CONNECT”, then go to ADVANCED to verify IP, network, etc. If you don’t specify the right network, you could end up sending storage traffic over your production network.
        5. the remote server shows the disk just like it was a local disk, needing to be brought online, formatted, etc.
        6. PS commands for iSCSI
          1. Connect-IscsiTarget
          2. Disconnect-IscsiTarget
    5. Configure iSNS (Internet Storage Name Service) Server
      1. used to simplify management of complex and large iSCSI setups (who is that?)
      2. registers initiators
      3. to register targets, you need the PS command Set-WmiInstance -Namespace root\wmi -Class WT_iSNSServer -Arguments @{ServerName="actual server name"}
      4. after that, initiators and targets both show in iSNS console
    6. Manage Server Free Space using Features on Demand.
      1. basically allows you to remove unused roles to save space.
      2. this gives you the Specify Alternate Source Path window (screenshot)
      3. this is a good article to show where it searches.
      4. you can create a “feature file store” and put it on the network. it’s the SXS folder.
  2. Configure Advanced File Services
    1. Configure a NFS file datastore
      1. NFS more interested in computers not users
      2. “Server for NFS” ROLE (under file server)
      3. New NFS Sharing tab on share properties
      4. incoming client settings, permissions (which machines)
      5. by DEFAULT all machines have read access, and root access is disallowed.
      6. PS New-NfsShare, Get-NfsShare, etc.
    2. Configure file access auditing
      1. 50 new sub-categories, but same way to set up as previously
      2. Group Policy or local security policy
      3. 9 different original policies. Audit Object Access. Typically this is how we used to turn this on
      4. “Advanced Audit Policy Configuration”
      5. SACL; auditing view on file/folder properties, now you can also add CONDITIONS.
    3. Configure BranchCache
      1. transparent; caches documents in remote locations, i.e., branch offices. Bandwidth was historically the reason. Used to need Enterprise Windows versions, limiting its use. Now any version of Windows 8 works. Turn it on and don’t think about it. File server, web server, or BITS data.
      2. First access of document initiates the copy to the branch.
      3. Distributed Mode (stores on desktop machine) or server based Hosted Mode.
      4. file is split into chunks that are hashed, then only changed chunks are updated.
      5. One piece only does files, different piece does Web and BITS. These are in different places in FEATURES
      6. Turn it on via GPO, choose hash type, configure client side “turn on branch cache”, set hosted cache server name, set cache expiration, etc.
      7. You can pre-populate via PS Publish-BCFileContent, Export-BCCachePackage
  3. Implement Dynamic Access Control (DAC) DAC is supposedly heavily represented on 70-412 and 70-417 tests. Here is a great example and scenario about how to use DAC in a real-world situation, from the Microsoft Storage Team; http://mints4.rssing.com/chan-3739609/all_p2.html
    1. Addresses file permissions getting lost/changed during file moves. New security requirements also drive this advancement in security.
      1. needs to have characteristics set in AD
      2. Also settings on file servers.
      3. Scenario; you can filter all documents for SSN, and then disallow anyone from viewing such document unless the user is in certain group, site, etc.
      4. Can filter and scan files as they are updated (SSN added to file that did not previously have one)
      5. Think big IF THEN statement; IF this user is in FINANCE group, AND user is in DENVER, then allow read/write/etc.
      6. DAC scans documents regularly to keep up with changes.
    2. Configure User and Device Claim Types
      1. Install File Server Resource Manager ROLE (screenshot)
      2. CLASSIFICATION tab in properties on your file server now.
      3. Active Directory Administrative Center (different from ADUC) has DAC
        1. Trying to get steps in order here;
        2. create claim types in ADAC for USERS
        3. Resource properties for files set up in ADAC / DAC console. Some examples built in are; Personal Use, Project, Intellectual Property, Immutable (?), Department, Compliancy, Personally Identifiable Information, etc. Then there are different values; NOT PII, Public, Low, Moderate, High, and you can create/edit values. These are set up then used later in AD to apply to files and folders
        4. Resource property lists (add resource property to global). This is just a container of resource properties; grouping them makes it more manageable to attach them to documents. To use a list, run PS Update-FsrmClassificationPropertyDefinition, which enables the property list; it then shows up on folder/share/file “Properties” as a new TAB. Users aren’t going to set this manually very much, so you use the server options: screen templates, file screens, classification management.
          • Classification rule, step 1, scope: determine what type of content you’re looking for in files/folders. You can scope to specific types of files (user files, backup files, application files, etc.). Scope this down to only the ones you are interested in, or you can get into resource issues.
          • Step 2, classifier type: for this example a “content classifier”, which looks at file content. Then set the value (high, low, etc.) the classifier applies to the hits it finds.
          • Step 3, classification parameters: the detailed search expressions. You can look up the patterns on the internet or wherever, like this one for SSNs.
          • Step 4, schedule: determine when and how often it searches. Check the “enable fixed schedule” box, then choose the times/dates/recurrence. You CAN force it to “run now” to see if it works. It allows logging and post-scan reports.
          • When it finds a HIT, it actually shows in the updated “Properties” tab on the file. You can also configure email “request assistance” and notification for remediation.
        5. Create new central access rule. This is in ADAC / DAC to set up how you want to apply the settings above to control access based on the detail above. Generally apply to “authenticated users” , they get access when certain defined conditions exist; user is in Kansas City, and belongs to HR, etc.
        6. Create central access policy is how the rule above gets applied to file servers. Then use Group Policy to deploy. New GPO for DAC policy. This would apply to File Servers. Then go back to properties on the share/folder and there is a “Central Policy” tab that you have to choose the policy.
        7. I guarantee this is a test question that MS uses. Keep in mind test questions are random so it might not be on EVERY test, but it’s on one I took.
    3. Implement Policy Changes and Staging
    4. Create and Configure Resource Properties and Lists
    5. Configure File Classification
    6. Perform Access Denied Remediation
    7. Create and Configure Central Access Rules and Policies
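The file access auditing notes in section 2.2 above (advanced audit subcategories, SACLs on the folder, and the resulting events) are easier to see end to end in a script. As an added example (not from the course or from Greg Shields), this enables the “File System” subcategory, puts a SACL on a sensitive folder, and then reads back the 4656/4663 Security events for that folder. The folder path, the CORP domain and the audited group are assumptions; run it elevated on the file server.

```powershell
# Added example: object-access auditing on one folder, then reading the resulting events.
# Folder, domain and group names are assumptions for the example.
$folder = 'D:\Finance'

# 1. Advanced Audit Policy subcategory (one of the "new sub-categories").
#    auditpol sets the local policy; in production push this by GPO and also enable
#    "Force audit policy subcategory settings to override audit policy category settings"
#    so the 9 legacy categories cannot silently undo it.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL: audit every Write or Delete attempt, success or failure, by Domain Users,
#    inherited by all subfolders and files.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'CORP\Domain Users',
    'Write, Delete',                       # FileSystemRights
    'ContainerInherit, ObjectInherit',     # InheritanceFlags
    'None',                                # PropagationFlags
    'Success, Failure')                    # AuditFlags
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read back the last 24 hours of object-access events for that folder.
#    4656 = handle requested (this is where failed attempts show up),
#    4663 = an attempt was made to access an object (the successful operation).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named fields out of the event XML instead of parsing the message text
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object  = $data['ObjectName']
        Access  = $data['AccessMask']
    }
} | Where-Object { $_.Object -like "$folder*" } | Sort-Object Time | Format-Table -AutoSize
```

Audit only the rights you will actually look at: a SACL that audits ReadData on a busy share produces thousands of 4663 events an hour and buries the Delete you cared about.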
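The tiered storage steps in section 1.2 above (label the disks, pool them, create the two tiers, build a fixed-provisioning mirror across them, pin a file with Set-FileStorageTier) map directly onto the Storage cmdlets. As an added example (not from the course), here is the whole sequence, including the VM lab hack of setting MediaType by hand. Disk names, pool name, sizes and the pinned file path are assumptions.

```powershell
# Added example: a two-tier (SSD + HDD) mirrored Storage Space, built in PowerShell.
# Disk names, sizes and paths are assumptions; adjust to your lab.

# Lab hack from the notes: virtual disks report MediaType UnSpecified, so label them.
Set-PhysicalDisk -FriendlyName 'PhysicalDisk1' -MediaType SSD
Set-PhysicalDisk -FriendlyName 'PhysicalDisk2' -MediaType SSD
Set-PhysicalDisk -FriendlyName 'PhysicalDisk3' -MediaType HDD
Set-PhysicalDisk -FriendlyName 'PhysicalDisk4' -MediaType HDD
Get-PhysicalDisk | Format-Table FriendlyName, Size, MediaType, CanPool

# Pool everything that is still in the primordial pool (CanPool = True)
$disks = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName 'TierPool' -StorageSubSystemFriendlyName 'Storage Spaces*' -PhysicalDisks $disks

# One tier per media type; the wizard calls these "Faster tier" and "Standard tier"
$ssdTier = New-StorageTier -StoragePoolFriendlyName 'TierPool' -FriendlyName 'SSDTier' -MediaType SSD
$hddTier = New-StorageTier -StoragePoolFriendlyName 'TierPool' -FriendlyName 'HDDTier' -MediaType HDD

# Tiered spaces must be fixed (thick) provisioned: thin + tiering is not allowed.
New-VirtualDisk -StoragePoolFriendlyName 'TierPool' -FriendlyName 'TieredData' `
    -StorageTiers $ssdTier, $hddTier -StorageTierSizes 20GB, 200GB `
    -ResiliencySettingName Mirror -ProvisioningType Fixed

# Bring it online as T: (same as the "create a volume on the new disk" wizard step)
Get-VirtualDisk -FriendlyName 'TieredData' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter T -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Tiered' -Confirm:$false

# Pin one hot file to the SSD tier and run the tier optimizer now instead of waiting
# for the nightly scheduled task.
Set-FileStorageTier -FilePath 'T:\db\hot.mdf' -DesiredStorageTier $ssdTier
Optimize-Volume -DriveLetter T -TierOptimize
Get-FileStorageTier -VolumeDriveLetter T
```

The pinned file has to exist before Set-FileStorageTier is called; everything else in the volume is placed by the heat map the tiering engine builds on its own.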
Jul 15

List of FREE courses on Pluralsight

Course subscriptions

Jul 11

Windows Server 2012 R2 (70-412) Continuity and Disaster Recovery – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

Videos at the bottom (WinRE)

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer; contact info at the end.

All, or nearly all, sections include DEMOS so I’m not notating that separately.

These training courses should be preferably taken in this order (screenshot).

  1. Configure and Manage Backup Solutions
    1. Configure Windows Server Backups FEATURE
      1. Compared to NT backups, this focuses on VOLUMES.
      2. Pretty fully featured technology today.
      3. If you want to do Bare Metal backups, you need to check that along with System State, System Reserved, and probably the C or OS drive.
      4. Advanced settings
        1. excluded files
        2. VSS settings
          1. copy vs. full (are you using some other backup application, if so you use COPY)
      5. Destination
        1. local volume
        2. remote shared folder
        3. Optimize backup performance = types of backups (full, incremental, etc.)
      6. POWERSHELL WB = Windows Backup
      7. Get-WBJob
      8. Stop-WBJob
      9. Get-WBVSSBackupOption
    2. Configure Azure Backups
      1. designed to just get a back up into the Cloud
      2. Create “Backup Vault” tied to subscription and choose location
      3. Download Vault credentials, and download and install Azure Backup Agent
      4. Is now called MICROSOFT Azure Backup NOT Windows Azure Backup
      5. set up encryption; Microsoft cannot recover data
      6. Azure looks almost the same as a Windows backup. File and folder; just data, not system restore.
    3. Configure role-specific backups
      1. Backup Operators is the default, maybe too many permissions for many cases; can shut down system.
      2. Create your own role for backup files and directories and restore files and directories
    4. Manage VSS settings using VSS Admin
      1. extended from original design (previous versions for users) to now include backups (quiescence)
      2. VSS writer (specific by vendor for the application: Exchange, Oracle, AD, SQL, etc.)
      3. the VSS requester is the partner to the writer
      4. PS vssadmin list writers
      5. vssadmin list providers
      6. vssadmin add shadowstorage /for=c: /on=f: /maxsize=20% (set location for VSS storage)
      7. vssadmin create shadow /for=c: (create a VSS shadow copy; very quick, nearly instant)
      8. vssadmin can remove, revert, etc.
  2. Recover Servers (restore)
    1. individual file or folder recovery
      1. backup from – choose location, then choose files and folders (other choices volumes, applications, system state, or virtual machines)
      2. can put back in same, or different location
    2. Bare metal server recovery
      1. boot into WINRE (WINdows Recovery Environment) and also here; Tom’s Guide; when to use RE
        1. one option is to use the shutdown command: shutdown /r /o /t 0 (Check out Windows 8 new shutdown switches here)
        2. the /o is a new switch
        3. This is a GUI-based Windows recovery console. Allows you to find the system image, install drivers, and connect to network locations to find the image. Asks whether you want to repartition drives.
        4. Don’t even need DVD media.
        5. Here is a link to a video of the WINRE console.
        6. The F8 replacement is WINRE
        7. msconfig – set what startup you get for NEXT boot to boot into safe mode, AD repair, etc. In case boots are so fast you can’t see F8
        8. you can also boot to windows DVD
        9. From WINRE you can boot to command prompt view, and you can manipulate unmounted drive (OS is not mounted). You can tell because command prompt is on the X drive which is the WINRE OS
          1. startrep (start repair scan)
          2. bootrec (boot record repair) Fixmbr, Fixboot, ScanOS, RebuildBcd
          3. Advanced boot options (looks like the F8 options)
            1. safe mode, with networking, with command prompt, boot logging, debugging, low-resolution video, last known good, disable restart, disable early launch anti-malware etc., etc.
        10. Configure the boot configuration data store
        11. multi boot menu to offer recovery options (not multi os boot)
          1. bcdedit
          2. bcdedit /export c:\save (export and save config)
  3. Configure site level fault tolerance
    1. Configure Hyper-V Replica, including Replica Broker and VMs
      1. Replica is NOT failover clustering
      2. provides a way to keep another copy of VM files (usually at remote site)
      3. Replica CAN work with failover clusters
      4. Replica is not OS-specific; you can set it up on an empty shell VM with no OS installed to prove it
      5. Kerberos (HTTP) – replication traffic is NOT encrypted; requires both hosts in a trusted AD domain or forest
      6. certificates (HTTPS) – traffic is encrypted; no domain trust needed, so it works for workgroup hosts or across forests
      7. set up on each VM individually
      8. configure frequency
      9. can also set up scheduled recovery points
      10. VSS for application consistent recovery points
      11. initial replication can go over the network, via external media, or use an existing copy of the VM on the replica server as the seed
      12. set failover TCP/IP
      13. on the TARGET server the replica VM has “Test Failover” under its Replication menu in Hyper-V Manager; the virtual switch the test VM connects to is set under Network Adapter > Test Failover in the VM settings
      14. PLANNED failovers all start from the SOURCE location
      15. UNPLANNED start from Destination location (thought is that the source location is down, or offline)
      16. Adding Replica to a Failover Cluster:
        1. you must add the Hyper-V Replica Broker clustered ROLE
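The Replica setup above, as an added PowerShell example; it is not code from the course or from these notes. Host names (hv-primary / hv-replica in corp.example), the VM name WEB01, paths, addresses and the certificate thumbprints are placeholders. It uses certificate (HTTPS) authentication rather than Kerberos, because, as note 5 says, Kerberos mode sends the replication stream in the clear over HTTP; it restricts which primary server may replicate in, enables replication for one VM with a failover address, and runs a test failover on the replica side. The Replica Broker role for clustered hosts (note 16) is not shown.

```powershell
# --- On the REPLICA (target) host ---
# Placeholder thumbprint of a server-auth certificate already in Cert:\LocalMachine\My
$replicaThumb = '0123456789ABCDEF0123456789ABCDEF01234567'

# Accept replication over HTTPS only, and only from servers listed in the authorization table
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateThumbprint $replicaThumb `
    -CertificateAuthenticationPort 443 `
    -ReplicationAllowedFromAnyServer $false `
    -DefaultStorageLocation 'D:\Replica'

# Only the primary host may send replication traffic for this trust group
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'hv-primary.corp.example' `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Prod'

# Hyper-V creates the listener rules disabled; open the HTTPS one and leave HTTP closed
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# --- On the PRIMARY (source) host ---
# The primary presents its own certificate (placeholder thumbprint)
$primaryThumb = '89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Replication is configured per VM (note 7). 2012 R2 frequencies are 30, 300 or 900 seconds.
# RecoveryHistory keeps 24 hourly points; VSSSnapshotFrequencyHour gives an
# application-consistent point every 4 hours (notes 8 to 10).
Enable-VMReplication -VMName 'WEB01' `
    -ReplicaServerName 'hv-replica.corp.example' -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint $primaryThumb `
    -ReplicationFrequencySec 300 `
    -RecoveryHistory 24 `
    -VSSSnapshotFrequencyHour 4 `
    -CompressionEnabled $true

# Failover TCP/IP (note 12): the address the VM takes on the replica site's network
Set-VMNetworkAdapterFailoverConfiguration -VMName 'WEB01' `
    -IPv4Address 10.2.0.20 -IPv4SubnetMask 255.255.255.0 `
    -IPv4DefaultGateway 10.2.0.1 -IPv4PreferredDNSServer 10.2.0.10

# Initial copy over the network; add -DestinationPath to seed via external media instead (note 11)
Start-VMInitialReplication -VMName 'WEB01'

# --- Back on the REPLICA host: test failover never touches the running primary (note 13) ---
Start-VMFailover -VMName 'WEB01' -AsTest     # creates "WEB01 - Test" from the latest recovery point
Start-VM -Name 'WEB01 - Test'
# ... verify the application, then discard the test VM
Stop-VMFailover -VMName 'WEB01'
```

A planned failover (note 14) is started on the primary with Start-VMFailover -Prepare after the VM is shut down; an unplanned one (note 15) is Start-VMFailover on the replica without -AsTest.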
    2. Configure Multi Site Clustering, including network settings, Quorum, and Failover Settings
    3. Configure Hyper-V Replica Extended Replication
      1. creates a second replication hop to a third site
      2. this is initiated on the replica server (the TARGET of the original replication), which becomes the source for the second hop
      3. most other settings are the same
    4. Configure Global Update Manager
      1. https://technet.microsoft.com/en-us/library/dn265972.aspx#BKMK_GUM
      2. When a state change occurs such as a cluster resource is taken offline, the nodes in a failover cluster must be notified of the change and acknowledge it before the cluster commits the change to the database. The Global Update Manager is responsible for managing these cluster database updates. In Windows Server 2012 R2, you can configure how the cluster manages global updates. By default, the Global Update Manager uses the following modes for failover cluster workloads in Windows Server 2012 R2:
    5. Recover a Multi Site Failover Cluster
      1. make sure you can support the IP and network configuration in the failover site
      2. same Cluster Manager is used to manage stretch (multi site) clusters
      3. configure preferred owners to deselect the DR site
      4. QUORUM
        1. Node and File Share Majority is preferred for a multi-site cluster; the witness share should sit at a third site if possible
        2. even number of hosts per location preferred
        3. Force start without a quorum; https://msdn.microsoft.com/en-us/library/hh270275.aspx
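The multi-site quorum and recovery steps above (items 4 and 5), as an added PowerShell example; it is not code from the course or from these notes. The cluster name STRETCH1, nodes NODE1/NODE2 (primary site) and NODE3/NODE4 (DR site), the witness share and the role name SQL-Prod are placeholders. It sets Node and File Share Majority, tells 2012 R2 which site loses the tie-break, keeps the DR nodes as possible but not preferred owners, and shows the force-quorum recovery when the primary site is gone.

```powershell
# Four node votes plus one witness vote makes an odd total, so a 50/50 site split cannot tie
Set-ClusterQuorum -Cluster 'STRETCH1' -NodeAndFileShareMajority '\\FS01\ClusterWitness'

# 2012 R2 dynamic quorum: if the witness is also unreachable during a site split,
# the node named here (a DR node) gives up its vote first, so the primary site survives
(Get-Cluster -Name 'STRETCH1').LowerQuorumPriorityNodeName = 'NODE3'

# Preferred owners: keep the role at the primary site. Nodes not listed remain POSSIBLE
# owners, so the role can still fail over to the DR site when both primary nodes are down.
Set-ClusterOwnerNode -Cluster 'STRETCH1' -Group 'SQL-Prod' -Owners 'NODE1', 'NODE2'

# Check the votes (NodeWeight 1 = the node votes) and the quorum configuration
Get-ClusterNode -Cluster 'STRETCH1' | Select-Object Name, State, NodeWeight
Get-ClusterQuorum -Cluster 'STRETCH1'

# Recovery: the primary site and the witness are gone, so the DR nodes cannot reach quorum.
# Force-start ONE node, then start the rest normally so they join the forced view.
# Do this only when you are certain the primary site is really down; if it is merely
# partitioned you create a split brain with two clusters writing to the same data.
Start-ClusterNode -Name 'NODE3' -ForceQuorum
Start-ClusterNode -Name 'NODE4'

# Move the role onto the DR site and confirm where it is running
Move-ClusterGroup -Cluster 'STRETCH1' -Name 'SQL-Prod' -Node 'NODE3'
Get-ClusterGroup -Cluster 'STRETCH1' -Name 'SQL-Prod' | Select-Object Name, OwnerNode, State
```

Before any of this works at the DR site, the failover IP addresses and the networks the role depends on must already exist there (item 5.1); a forced quorum does not fix a role whose IP resource cannot come online.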
Jul 11

Installing Hyper-V Role in VMware Workstation; error Hyper-V cannot be installed: A hypervisor is already running

This quick post and video shows how to get past the Hyper-V cannot be installed: “A hypervisor is already running” error when trying to install the Hyper-V Role on a server running as a VM on VMware Workstation. This is common in a virtual lab scenario for certification study.

To resolve this issue, change the guest OS type to Hyper-V. Caution: Hyper-V functionality inside VMware Fusion is experimental and is unsupported. To change the guest OS type to Hyper-V:

  1. Shut down the virtual machine.
  2. Click Virtual machine > Settings.
  3. Select General and change the guest OS type to Hyper-V (unsupported).
  4. Select Processors & Memory in the Settings.
  5. In the Advanced options of Processors & Memory, select Enable hypervisor applications in the virtual machine
  6. Reboot the virtual machine to enable Hyper-V.

The video is here

Jun 27

Windows Server 2012 R2 (70-412) Configure Network Services – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

 

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. PowerShell topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer; contact info at the end.

All, or nearly all, sections include DEMOS so I’m not notating that separately.

 

  1. Implement an Advanced DHCP Solution
    1. Create and configure superscopes and multicast scopes
      1. superscopes – combine multiple DHCP scopes to have broader range of addresses
      2. initial subnet didn’t have enough addresses
      3. when you run out of addresses;
        1. define by geographical location; floor, building, city, etc.
        2. assign multiple network IPs to router (downside is network admin involvement)
        3. DHCP relay – covered earlier; allows DHCP broadcasts to cross a router
        4. DEMO
          1. In DHCP, create superscope, then add multiple scopes to it
          2. Multicast scope –
            1. create Multicast scope, pick start/end IP, set TTL
            2. unlikely to be allowed on most modern networks
            3. most common use is WDS or other desktop deployments
    2. Configure DHCP filters and policies
      1. nodes in DHCP mmc
        1. filters: allow or deny by MAC address
        2. the allow and deny lists then have to be “enabled” by checkbox, or the filters do nothing
        3. can set exemptions
        4. Policies: which options and addresses the matching clients get; conditions can be
          1. vendor class
          2. MAC
          3. FQDN
        5. Then set what treatment those hosts that fit the policy actually get
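The filter and policy configuration above, as an added PowerShell example; it is not code from the course or from these notes. The server name DHCP1, the scope 10.10.10.0/24, the MAC addresses and the policy name are placeholders. It denies one specific MAC, enables only the deny list (an allow list that is enabled blocks every client not on it, which is the common foot-gun), and then builds a policy that gives Hyper-V VMs (OUI 00-15-5D) their own address range and gateway.

```powershell
# --- Filters: MAC-based allow/deny lists ---
Add-DhcpServerv4Filter -ComputerName 'DHCP1' -List Deny `
    -MacAddress '00-11-22-33-44-55' -Description 'Rogue lab box, opened a ticket'

# Lists are inert until enabled. Enabling the Allow list turns the server into
# "deny everything not listed", so enable only Deny here.
Set-DhcpServerv4FilterList -ComputerName 'DHCP1' -Allow $false -Deny $true
Get-DhcpServerv4FilterList -ComputerName 'DHCP1'
Get-DhcpServerv4Filter     -ComputerName 'DHCP1' -List Deny

# --- Policy: match clients, then choose their treatment ---
# Condition on the MAC prefix; -Condition OR matters only when several conditions are given
Add-DhcpServerv4Policy -ComputerName 'DHCP1' -ScopeId 10.10.10.0 -Name 'HyperV-VMs' `
    -Condition OR -MacAddress EQ, '00155D*' -Description 'Hyper-V guests'

# Treatment 1: lease only from a sub-range of the scope
Add-DhcpServerv4PolicyIPRange -ComputerName 'DHCP1' -ScopeId 10.10.10.0 -Name 'HyperV-VMs' `
    -StartRange 10.10.10.200 -EndRange 10.10.10.250

# Treatment 2: a different router and DNS server, and a shorter lease
Set-DhcpServerv4OptionValue -ComputerName 'DHCP1' -ScopeId 10.10.10.0 -PolicyName 'HyperV-VMs' `
    -Router 10.10.10.254 -DnsServer 10.10.10.10
Set-DhcpServerv4Policy -ComputerName 'DHCP1' -ScopeId 10.10.10.0 -Name 'HyperV-VMs' `
    -LeaseDuration (New-TimeSpan -Hours 8)

# Review: policies are evaluated in ProcessingOrder; the first match wins
Get-DhcpServerv4Policy -ComputerName 'DHCP1' -ScopeId 10.10.10.0 |
    Select-Object Name, Enabled, ProcessingOrder, Condition
```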
    3. Implement DHCPv6
      1. Not a lot of real world use yet
      2. NOT very simple
      3. IPv6 can autoconfigure addresses on its own (stateless autoconfiguration). Don’t believe it? Read this article: IPv6 address autoconfiguration
      4. DHCPv6 is for anything beyond what the protocol itself can hand out
      5. CANNOT assign a default gateway (that comes from router advertisements)
      6. CAN assign most other options
      7. NOT really needed for auto assignment, more used for address control
      8. DEMO
        1. click on IPv6, right click “new scope”
        2. etc. pretty much like IPv4
        3. beware of test questions about WHY you would use it.
    4. HA for DHCP – failover and split scopes
      1. split scopes (the old way)
        1. 80% / 20% is the most common (I’m sure I’ve seen test questions that said that was wrong, though). Well, the 80/20 split scope is Microsoft best practice; see here.
        2. Recovering from a server outage can be messy; each DHCP database knows nothing about what the other server has leased.
      2. DHCP Failover
        1. one DB
        2. can use 100% of scope
      3. DEMO
        1. split scopes (split scope configuration wizard)
        2. DHCP Failover
          1. per scope
          2. “Configure Failover”
          3. set load balance or hot standby and some other settings
          4. you can enable message authentication via shared secret
          5. Configure DNS registration, can discard as well
    5. DHCP Name Protection
      1. mainly for non-Windows computers
      2. prevents non-windows from registering a name that is already in use.
    6. DNS Registration
        1. Configure DNS registration, can discard as well
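The failover, DNS registration and Name Protection settings above (items 4 to 6), as an added PowerShell example; it is not code from the course or from these notes. Server names DHCP1/DHCP2 and the scope IDs are placeholders. It creates one load-balance relationship (both servers lease from the whole scope, so no 80/20 split) and one hot-standby relationship, authenticates the failover messages with a shared secret, and sets the scope to register and clean up DNS records with Name Protection on.

```powershell
# Prompt for the secret at run time rather than keeping it in a script on disk
$secret = Read-Host -Prompt 'DHCP failover shared secret'

# Load-balance mode for the client scope (note: failover is configured per scope)
Add-DhcpServerv4Failover -ComputerName 'DHCP1' -Name 'DHCP1-DHCP2-LB' `
    -PartnerServer 'DHCP2' -ScopeId 10.10.10.0 `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret $secret

# Hot-standby mode for a server scope: DHCP2 answers only while DHCP1 is down,
# holding back 5% of the addresses for that case
Add-DhcpServerv4Failover -ComputerName 'DHCP1' -Name 'DHCP1-DHCP2-HS' `
    -PartnerServer 'DHCP2' -ScopeId 10.10.20.0 `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -SharedSecret $secret

# Both partners must see the relationship as Normal
Get-DhcpServerv4Failover -ComputerName 'DHCP1' | Format-List Name, Mode, State, PartnerServer
Get-DhcpServerv4Failover -ComputerName 'DHCP2' | Format-List Name, Mode, State, PartnerServer

# Force a lease replication (useful after a scope change or a partner outage)
Invoke-DhcpServerv4FailoverReplication -ComputerName 'DHCP1' -Name 'DHCP1-DHCP2-LB' -Force

# DNS registration for the scope: always register A and PTR, discard the records when the
# lease expires, and turn on Name Protection so a non-Windows client cannot register a
# name that another client already owns
Set-DhcpServerv4DnsSetting -ComputerName 'DHCP1' -ScopeId 10.10.10.0 `
    -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true -NameProtection $true
Get-DhcpServerv4DnsSetting -ComputerName 'DHCP1' -ScopeId 10.10.10.0
```

Name Protection relies on the DHCID record the server writes with the A record; it only works when the DHCP server, not the client, is doing the registration, which is what -DynamicUpdates Always arranges.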
  2. Implement an Advanced DNS Solution
    1. Configure Security for DNS, including DNSSEC, DNS Socket Pool, and Cache Locking
      1. DNSSEC does not necessarily require certs.
      2. To enable you “sign” the zone.
      3. Key Master is the authoritative DNS server that generates and manages the key for the zone.
      4. when you create the new key, then you have all kinds of options
      5. Needs to be AD integrated zone
      6. KSK – Key Signing Key and ZSK – Zone Signing Key
      7. Trust Anchor (the zone’s public key, which a non-authoritative validating server uses to verify the signatures)
      8. Then GP is used to tell clients to ask for the DNS key
      9. “name resolution policy”, checkbox for enable DNSSEC
      10. create rules to determine who it applies to
      11. DNS Socket Pool (in response to Kaminsky attack DNS vulnerability)
        1. randomizes the SOURCE PORT of outbound queries instead of always using UDP/TCP 53, so an attacker cannot predict it and spoof the reply
        2. enabled by default, but you can tweak settings such as the number of ports
        3. DnsCmd /config /socketpoolsize 10000 (valid range is 0 to 10000; the default is 2500)
        4. DnsCmd /info /socketpoolsize
      12. Cache Locking
        1. locks a record in the cache once it has been cached
        2. it cannot be overwritten until the configured percentage of its TTL has elapsed
        3. default is 100% of the TTL
        4. DnsCmd /config /cachelockingpercent 50
    2. Configure DNS Logging
      1. two places it can be configured depending on what you want
      2. event logging (1)  goes into event logs
      3. debug logging (2) goes into file
    3. Configure Delegated Administration
      1. under “security” tab
      2. for you to delegate activities, you MUST have AD integrated zone (test question?)
    4. Configure recursion
      1. ENABLED by default on a Windows DNS server
      2. recursion is what lets the server resolve names outside its own zones on behalf of clients
      3. should be OFF on an external, Internet-facing authoritative server, so it cannot be abused as an open resolver or have its cache poisoned
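The DNSSEC, socket pool, cache locking and recursion settings above (items 1 and 4), as an added PowerShell example; it is not code from the course or from these notes. The server name DNS1, the zone corp.example and the export path are placeholders. It signs the zone with default keys, exports the trust anchor, adds the client-side NRPT rule that Group Policy would normally push, then checks the socket pool, cache locking and recursion settings.

```powershell
# --- DNSSEC: sign an AD-integrated zone on the server that becomes Key Master ---
# -SignWithDefault creates a KSK and a ZSK with the default algorithms and rollover settings
Invoke-DnsServerZoneSign -ComputerName 'DNS1' -ZoneName 'corp.example' -SignWithDefault -Force
Get-DnsServerDnsSecZoneSetting -ComputerName 'DNS1' -ZoneName 'corp.example'
Get-DnsServerSigningKey        -ComputerName 'DNS1' -ZoneName 'corp.example' |
    Select-Object KeyType, CryptoAlgorithm, KeyLength, KeyId

# Export the DNSKEY/DS records; import these as the trust anchor on validating resolvers
Export-DnsServerDnsSecPublicKey -ComputerName 'DNS1' -ZoneName 'corp.example' `
    -Path 'C:\TrustAnchors' -Force

# --- Client side: the Name Resolution Policy Table rule that GP normally delivers ---
# Clients then set the DO bit and refuse unvalidated answers for this namespace
Add-DnsClientNrptRule -Namespace '.corp.example' -DnsSecEnable -DnsSecValidationRequired
Resolve-DnsName -Name 'www.corp.example' -DnssecOk     # the RRSIG records come back too

# --- Socket pool (Kaminsky mitigation): random source ports for outbound queries ---
# Range is 0 to 10000, default 2500; the cost of a bigger pool is only open sockets
dnscmd DNS1 /Config /SocketPoolSize 10000
Get-DnsServerSetting -ComputerName 'DNS1' -All | Select-Object SocketPoolSize

# --- Cache locking: a cached record cannot be replaced until 100% of its TTL has passed ---
Set-DnsServerCache -ComputerName 'DNS1' -LockingPercent 100
Get-DnsServerCache -ComputerName 'DNS1' | Select-Object LockingPercent

# --- Recursion: on by default; turn it off on an Internet-facing authoritative server ---
# so it is neither an open resolver for amplification nor a cache to poison
Set-DnsServerRecursion -ComputerName 'DNS1' -Enable $false
Get-DnsServerRecursion -ComputerName 'DNS1'
```

Keep recursion on for the internal servers that clients actually use for general name resolution; the setting is per server, so split the roles rather than toggling it on one box.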
    5. Configure Netmask ordering
      1. common use – WSUS
      2. essentially lets the DNS server hand a client the address that is on the client’s own subnet first, which matters for traveling users
      3. First response goes to server with same subnet
    6. Configure Global Names Zone
      1. for needs that used to be handled by WINS
      2. short name resolution
      3. create a zone called “GlobalNames”
      4. will contain short names
      5. you have to explicitly enable on all DNS servers
      6. dnscmd servername /config /enableglobalnamessupport 1
    7. Analyze Zone level statistics
      1. Get-DNSServerStatistics -zonename company.local
      2. DNSLint
        1. produces an .htm report showing the internal/external resolution results
        2. dnslint 
  3. Deploy and Manage IP Address Management – IPAM
    1. Provision IPAM via manual or GP
    2. IMPORTANT NOTE: to change the IPAM provisioning method (like from manual to automatic) you must UNINSTALL and REINSTALL!
      1. install FEATURE
      2. configure from Server Manager
      3. choose database (internal or SQL)
      4. GPO Name prefix (manual configuration of IPAM is tedious and not recommended)
      5. run PS command Invoke-IpamGpoProvisioning -Domain ….creates the Group Policies and links them.
      6. Run IPAM server discovery
      7. Choose the ones you want and set them to managed.
        1. managed servers need to show up in “security filtering’ box on the GPO
        2. machine has to receive and apply the GP before it shows as “unblocked” and “managed”
        3. IPAM is more of a “push” instead of pulling in existing IP use
        4. IP Address block
          1. 1 or more IP ranges
        5. Add address range (block of IPs or open range that IPAM can use)
        6. can add reservations and VIPs
        7. along with normal DNS, gateway and other information
    3. Configure server discovery
    4. create and manage IP blocks and ranges
    5. migrate to IPAM
      1. tasks / import IP addresses (imports from .csv). certain mandatory columns for IPAM imports – IPAddress,IPAddressState,AssignmentType,ManagedByService,ServiceInstance,AssetTag
    6. monitor utilization of IP address space
      1. little pie chart for each range; can be adjusted to show the entire server
    7. delegate IPAM administration
      1. there is an “ACCESS CONTROL” link on the very bottom left to set up roles and access.
      2. several default roles but you can create your own customized roles and set the policy settings
    8. Manage IPAM collections
      1. request new addresses (find and allocate): “find next”
      2. RECLAIM ip addresses that are no longer used, delete resource records and DHCP reservations if exist.
      3. EVENT CATALOG – log viewer of IPAM events
      4. ADDRESS RANGE GROUPS – group by custom fields you defined during IP creation
    9. configure IPAM database storage
      1. PS Move-IpamDatabase (moves the internal IPAM database from Windows Internal Database to SQL Server if you want)
      2. lots of IPAM powershell commands (automation possibilities)
Jun 24

Windows Server 2012 R2 (70-412) Configure High Availability – Study Guide

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. PowerShell topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer; contact info at the end.

All, or nearly all, sections include DEMOS so I’m not notating that separately.

  1. Configure Network Load Balancing
    1. most commonly used with IIS
    2. stateless (doesn’t matter what node user connects with)
    3. Configure NLB Prerequisites
      1. install Feature
      2. Unicast, Multicast, IGMP Multicast
      3. Unicast
        1. always works
        2. 1:1
        3. requires a second NIC on each server
        4. causes subnet flooding; because every node shares one MAC, the switch floods traffic for the cluster address to every port
      4. Multicast
        1. no second NIC
        2. needs network configuration (static ARP entries on the router for the multicast MAC)
        3. does not solve subnet flooding
      5. IGMP Multicast – best practice
        1. no second nic
        2. needs switches that support IGMP snooping
        3. solves the subnet flooding problem; traffic goes only to ports that joined the group
    4. Install NLB Nodes
    5. Configure Cluster Operation Mode
    6. Configure Port Rules and Affinity
    7. Upgrade an NLB Cluster
  2. Configure Failover Clustering (read prior post here)
    1. Cluster Storage
      1. shared storage is not built in Windows; it’s a foreign concept
      2. proper configuration of storage is critical
      3. iSCSI, FC, Storage Spaces (in our previous FS training)
      4. we’re using iSCSI here in this demo
    2. Configure Cluster networking
      1. best practice to separate cluster private network and storage network
      2. Failover Cluster Manager – console for cluster management
      3. Cluster Validation wizard (lots of experience with this 😉)
      4. In this Demo, Cluster Private network, Storage network, and Management / Production
      5. Check the networks in Failover Cluster Manager
    3. Cluster Shared Volumes (CSV) used by Hyper-V virtual machines
      1. Quorum witness disk (the cluster picks the smallest eligible LUN by default)
      2. Available Storage LUNs: if a LUN holds several VMs, they all have to fail over together, or each VM needs its own dedicated LUN
      3. CSV: each VM can fail over individually
      4. you can define a disk as a CSV, and you can revert also.
      5. More here on Using CSV for Failover Cluster
        1. CSV cache size configuration; (Get-Cluster).BlockCacheSize = 512 for Server 2012 R2, for more read the link above.
      6. Quorum configuration
        1. Quorum only determines whether enough of the cluster remains for it to keep running.
        2. Quorum Models (dependent on number of nodes)
          1. Node majority (used for ODD number of nodes)
          2. Node and Disk Majority (even number of nodes)
          3. “split brain” when cluster breaks into two separate groups of nodes who each think they are quorum
          4. No Majority: Disk Only (old, not used any more; the disk is a single point of failure)
          5. Node and File Share Majority (special considerations): even number of nodes, multi-site. The extra vote goes to a file share witness somewhere, ideally at a third site.
        3. Configure quorum model in Failover Cluster Manager
          1. MS automatically manages cluster quorum setting now. “use default quorum configuration”
          2. Or, you can go to advanced features and dance with the complexity on your own.
      7. Clusters without network names (detached cluster) Deploy an Active Directory-Detached Cluster
        1. SQL server outside your firewall
        2. not supported for several additional roles
        3. no bitlocker
        4. no CAU (Cluster Aware Updating)
        5. read the link
        6. cannot be created with Failover Cluster Manager; use New-Cluster with -AdministrativeAccessPoint DNS in PowerShell
        7. PS – (Get-Cluster).AdministrativeAccessPoint shows which kind of access point the cluster has
          1. read the link for more
      8. CAU (Cluster Aware Updating)
        1. “update cluster” item in Server Manager
        2. allows cluster to manage resource movement to update nodes/hosts.
        3. configure self-updating options wizard
        4. add the ROLE on the cluster
        5. choose schedule (normal WSUS stuff)
        6. reboot timeouts, max retries, pre or post scripts, recommended / important
        7. CAU drives the Windows Update Agent on each node; whether the node pulls from Windows Update or from WSUS depends on that node’s own update configuration
        8. “Analyze cluster updating readiness”
        9. PS
          1. Cluster-Aware Updating Cmdlets in Windows PowerShell
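The CAU setup above (items 8.1 to 8.9), as an added PowerShell example; it is not code from the course or from these notes. The cluster name CLUS1, the schedule, and the pre/post script paths are placeholders. It runs the readiness check, adds the self-updating clustered role with a monthly schedule restricted to important updates, and shows an ad hoc run and the report for the last run.

```powershell
# "Analyze cluster updating readiness": warns about firewall rules, WinRM, missing role, etc.
Test-CauSetup -ClusterName 'CLUS1'

# Self-updating mode: the CAU clustered role patches the cluster on a schedule.
# The QueryString keeps the Windows Update plug-in to important (IsAssigned=1) updates;
# drop "IsAssigned=1" to include recommended updates as well.
Add-CauClusterRole -ClusterName 'CLUS1' -Force -EnableFirewallRules `
    -DaysOfWeek Sunday -WeeksOfMonth 2 -StartDate '2015-07-05 02:00' `
    -MaxFailedNodes 1 -MaxRetriesPerNode 3 `
    -RebootTimeoutMinutes 30 `
    -PreUpdateScript  '\\FS01\CAU\pre.ps1' `
    -PostUpdateScript '\\FS01\CAU\post.ps1' `
    -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
    -CauPluginArguments @{ QueryString = "IsInstalled=0 and Type='Software' and IsHidden=0 and IsAssigned=1" }

Get-CauClusterRole -ClusterName 'CLUS1'

# Remote-updating mode: an ad hoc run from an admin workstation. CAU drains each node
# (moves its roles), patches, reboots it, and then moves on; it stops after MaxFailedNodes.
Invoke-CauRun -ClusterName 'CLUS1' -MaxFailedNodes 1 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -Force

# What was installed, per node, in the last run
Get-CauReport -ClusterName 'CLUS1' -Last -Detailed
```

The pre- and post-update scripts run on each node as it is processed; a typical pre-script checks that replication or backups are quiescent before the node is drained.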
      9. Restoring single node of cluster
        1. Evict = kicking node out
        2. restore configuration from backup (make sure you have system state)
      10. Upgrading a cluster
        1. not recommended to directly upgrade a cluster
        2. this is a cut and move
        3. the “Copy Cluster Roles” wizard is run on the TARGET (new) cluster and connects to the OLD cluster to read the role configurations
  3. Manage Failover Clustering Roles
    1. remember MSCS is a “general purpose” clustering solution
    2. role-specific settings
      1. DFS, DHCP, DTC, File Server, iSCSI target, etc., etc.
      2. Generic application, script, or service
      3. DEMO – clustered NOTEPAD via Generic Application
      4. cluster is a SINGLE instance of the app that fails from node to node, moving the resources (including created drives) as needed
      5. Continuously available file server
        1. General Use, or SOFS (Scale Out File Server) (used for Hyper-V and SQL)
      6. Configure Virtual Machines
        1. do not put SOFS and VMs on same CSV
    3. fail-over and preferences
      1. ROLES (shared app, file server, VM, etc.)
      2. move, stop, change startup priority
      3. no autostart
      4. add resources or storage
      5. “show dependency” report
        1. graphical representation of dependencies
      6. “preferred owner” unchecked can be used, just not preferred
      7. maximum number of failovers allowed in a given period
      8. failback: immediately, or only within a window of hours you set
      9. cluster handles DNS records for cluster required records
      10. you can manually add dependencies
    4. possible and preferred owners
      1. possible owners (cannot be on any node that is not checked)
      2. preferred owner (can use unchecked nodes, they’re just not preferred)
    5. guest clustering
      1. another layer of abstraction
      2. simply means clustering VMs that are on the MSCS cluster
      3. shared .VHDX
      4. new feature (similar to RDMs in VMware)
      5. advanced features “enable virtual hard disk sharing”
  4. Manage VM Movement
    1. Migration – Live, Quick, Storage
      1. Quick
        1. the older method; the VM is saved and restarted, so there is a brief loss of service
      2. Live
        1. no loss of service
      3. Storage
        1. moving the .vhdx, the data
      4. Quick is technically faster, and uses less bandwidth than Live
      5. Live – processors must be from the same manufacturer; enable processor compatibility mode on the VM if the models differ
      6. virtual switches needs to be named the same
      7. physical devices must be disconnected
      8. DEMO
        1. constrained delegation has to be configured for the hosts you migrate to/from when you start the migration from a third machine
        2. CredSSP is the alternative to Kerberos/constrained delegation, but CredSSP requires you to log onto the source host to start the migration
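The Kerberos/constrained delegation setup from the demo above, as an added PowerShell example; it is not code from the course or from these notes. The host names HV1 and HV2, the domain corp.example, the migration subnet and the VM name are placeholders. It configures each host for Kerberos-authenticated live migration on a dedicated network, grants each host Kerberos-only constrained delegation to the other host’s CIFS and migration-service SPNs (the same thing the “Use Kerberos only” option in Active Directory Users and Computers sets), and then moves a VM from a third machine, which is exactly the case CredSSP cannot handle.

```powershell
# --- On each Hyper-V host ---
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
           -VirtualMachineMigrationPerformanceOption SMB `
           -MaximumVirtualMachineMigrations 2 -MaximumStorageMigrations 2
# Keep migration traffic (memory contents of running VMs) off the production network
Set-VMHost -UseAnyNetworkForMigration $false
Add-VMMigrationNetwork -Subnet 10.50.0.0/24

# --- On a domain-joined admin box with the ActiveDirectory module ---
Import-Module ActiveDirectory
$domain = 'corp.example'
$hosts  = 'HV1', 'HV2'

foreach ($h in $hosts) {
    # SPNs this host may obtain tickets for on behalf of the administrator:
    # the peer host's file service (storage moves) and its migration service
    $peerSpns = $hosts | Where-Object { $_ -ne $h } | ForEach-Object {
        @(
            "cifs/$($_).$domain"
            "cifs/$_"
            "Microsoft Virtual System Migration Service/$($_).$domain"
            "Microsoft Virtual System Migration Service/$_"
        )
    }
    # msDS-AllowedToDelegateTo = "Trust this computer for delegation to specified services only".
    # Do NOT set TrustedForDelegation (unconstrained) or the TRUSTED_TO_AUTH_FOR_DELEGATION
    # flag (protocol transition); Kerberos-only constrained delegation needs neither.
    Set-ADComputer -Identity $h -TrustedForDelegation $false
    Set-ADComputer -Identity $h -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$peerSpns }
}

# Verify what each host is allowed to delegate to
foreach ($h in $hosts) {
    Get-ADComputer -Identity $h -Properties msDS-AllowedToDelegateTo |
        Select-Object Name, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}

# --- From the admin box, not logged onto either host: live migrate VM plus its storage ---
Move-VM -ComputerName 'HV1' -Name 'WEB01' -DestinationHost 'HV2' `
    -IncludeStorage -DestinationStoragePath 'D:\VMs\WEB01'
```

Delegation entries are read at logon, so if Move-VM still fails with an access-denied error right after the change, purge tickets (klist purge) or sign out and back in on the admin box, and reboot the hosts if their computer tickets are stale.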
    2. Import, Export, Copy
      1. have to export/import if you can’t do quick/live migration
    3. Configure VM Health Protection
      1. the “protected network” setting: if the virtual switch behind a protected adapter loses connectivity on the current host, the cluster live-migrates the VM to a node where that network is up
      2. VMHP is under Network Adapter / Advanced Features in the VM settings
      3. the VM stays on the new node; it is not automatically moved back when the network recovers
      4. ENABLED by default
    4. Configure Drain on Shutdown
      1. drain a node on shutdown
      2. ENABLED by default
    5. Configure VM Monitoring
      1. “Resources” tab at the bottom of Failover Cluster Manager
      2. checkbox to enable automatic recovery for application health monitoring
      3. if/when enabled, you can select services via checkbox that you want to include for application monitoring.