Appendix

The Bottom Line

Each of The Bottom Line sections in the chapters suggests exercises to deepen skills and understanding. Sometimes there is only one possible solution, but often you are encouraged to use your skills and creativity to create something that builds on what you know and lets you explore one of many possibilities.

Chapter 2: Installing and Upgrading to Windows Server 2012 R2

Upgrade your old servers. Microsoft has provided several upgrade options for Windows Server 2012 R2.
Master It You have a Windows 2008 x86 file server. What will your upgrade path be to Windows Server 2012 R2?
Solution Windows Server 2012 R2 is available only as an x64 build. You will have to prepare a new machine with Windows Server 2012 R2. You will then migrate the services and data from the Windows 2008 machine to the Windows Server 2012 R2 machine.
Configure your server. Windows Server 2012 R2 allows you to use Server Manager and PowerShell to add or remove roles, role services, and features.
Master It You have started to deploy Windows Server 2012 R2. You are planning on automating as much of the build process as possible. What tool will you use to add or remove roles, role services, and features?
Solution The ServerManager PowerShell module (loaded automatically on Windows Server 2012 R2, or explicitly with Import-Module ServerManager) provides the cmdlets you need. Get-WindowsFeature lists the install state of every role, role service, and feature; Install-WindowsFeature installs a component and Uninstall-WindowsFeature removes one (Add-WindowsFeature and Remove-WindowsFeature survive as aliases of the two). You can write PowerShell scripts around these cmdlets to automate your configuration changes.
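The following is an added example, not the book's own code, of the kind of build script the solution describes. It assumes a file-server build; the feature list and the components it removes are this example's choices.

```powershell
# Added example (not from the book): idempotent role/feature installation for a
# file-server build, run elevated on Windows Server 2012 R2.
# Assumed: the $Wanted list and the components removed below are this example's choices.
Import-Module ServerManager   # autoloads on 2012 R2; explicit here for clarity

$Wanted = @('FS-FileServer', 'FS-Resource-Manager', 'Windows-Server-Backup')

# Report current state before touching anything
Get-WindowsFeature -Name $Wanted | Format-Table Name, InstallState -AutoSize

# Install only what is missing; -IncludeManagementTools pulls in the matching RSAT pieces
$missing = Get-WindowsFeature -Name $Wanted | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Restart required to finish the install.' }
}

# Reduce the attack surface: remove components this build should not carry.
# Assumed: this server needs neither the PowerShell 2.0 engine nor the Web Server role.
$unwanted = Get-WindowsFeature -Name 'PowerShell-V2', 'Web-Server' | Where-Object Installed
if ($unwanted) { Uninstall-WindowsFeature -Name $unwanted.Name }

# Final verification: fail the build script if anything is still missing
$still = Get-WindowsFeature -Name $Wanted | Where-Object { -not $_.Installed }
if ($still) { throw "Not installed: $($still.Name -join ', ')" }
```

Because the script checks state before acting, it can be rerun after a restart or on a partially built server without reinstalling anything, which is what makes it usable as a repeatable build step rather than a one-off.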
Build a small server farm. Installing Windows Server normally requires that you sit in front of the machine and answer a number of questions. This is time-consuming and distracts administrators from other engineering or project tasks that they could be working on. A number of alternative techniques can be employed.
Master It You have been instructed to build four new servers with Windows Server 2012 R2. This will be the first time your organization will deploy Windows Server 2012 R2. Your department is short-staffed because a number of your colleagues are on vacation. You want to do this job quickly and efficiently. How will you do it?
Solution If you had more time, you could look into preparing a server with Windows Deployment Services (WDS). However, you need to work quickly. Download and install the latest Windows Assessment and Deployment Kit (ADK) from Microsoft's website. Use Windows System Image Manager (Windows SIM) to prepare an unattended answer file called autounattend.xml, copy that file to the root of a USB stick, insert the Windows Server 2012 R2 DVD into each server, and boot the server from the DVD. With the USB stick inserted, Windows Setup finds the answer file on the removable drive and automates the installation. Your next step on each server is to change the Administrator password and log in; an answer file that sets a password stores it in the XML (base64-encoded at best), so treat the USB stick as sensitive and wipe it when the build is done.

Chapter 3: Introduction to Server Core

Use the new functionality in Server Core. The Windows Server 2012 Server Core operating system is a trimmed-down version of its full installation. The removed code reduces the attack surface and also reduces resource demands. The primary administration interface is the command prompt. It can perform several but not all of the roles available with the full installation.
Master It The Windows Server 2012 Server Core version differs from the original release in Windows Server 2008. What are those key differences, and how does that impact the roles the server can perform?
Solution The original version did not allow you to switch between the GUI version and Server Core; the choice was fixed at installation time. Windows Server 2012 allows you to set up your server in GUI mode, configure it, and then switch it over to Server Core by removing the graphical shell and management features (and add them back later if needed).
Install and configure Server Core. The installation of Server Core is the same as installing a full installation of Windows Server 2012. The full installation provides a list of initial configuration tasks such as joining the domain, initiating automatic updates, and installing features. Each of these operations has a command associated with it.
Master It Server Core has a specific script to perform several common tasks that edit the registry. What is this script’s name? What parameter can provide a list of additional commands to perform many of the common configuration tasks?
Solution The SCRegedit.wsf script located in c:\windows\system32 performs several configurations, such as enabling automatic updates and enabling Remote Desktop. The /cli parameter lists the additional commands for performing the initial configuration tasks.
Set up Server Core for a branch-office deployment. The branch-office deployment is one possible scenario for the Server Core implementation. The infrastructure roles of Active Directory Domain Services, DNS, DHCP, File Services, and Print and Document Services would be installed and configured on a server, which would provide these basic services to the users within a small office environment. The configurations of these services could be performed remotely.
Master It To configure Active Directory Domain Services and DNS, the Active Directory Domain Services Installation Wizard (DCPromo) is run from the command line. What is needed to enter the parameters for the command?
Solution DCPromo requires an answer file to install on Server Core. Since many of the graphic capabilities have been removed from the installation, the utility cannot be run interactively. The command to use the answer file is dcpromo /unattend:answerFile.txt.
Remotely manage the operating system. Server Core can be remotely managed in three ways. Remote Desktop administration is available, but only the command prompt and the few GUI tools that ship with Server Core can be used. MMC snap-ins can connect to the server's services so you can manage it with the standard Windows tools. Finally, Windows Remote Shell (WinRS, running over the WinRM service) lets you run single commands on the server.
Master It The Windows Remote Shell offers a quickconfig option. What security concerns should system administrators be aware of when using this option? What can be done to address these concerns?
Solution The Windows Remote Shell quickconfig option (winrm quickconfig) starts the WinRM service, creates an HTTP listener on TCP port 5985, and opens the matching firewall exception. Within a domain, WinRM's default Negotiate/Kerberos authentication encrypts the SOAP payload and authenticates both sides, so the HTTP listener is not simply clear text in that case; the payload is exposed only when unencrypted traffic is allowed or Basic authentication is used, and Kerberos mutual authentication is unavailable when you connect to a non-domain machine or by IP address, so you cannot be sure you reached the intended server. Two ways to close these gaps are to require IPsec between the server and its management clients, or to configure an HTTPS listener on TCP port 5986 with a server certificate, which encrypts the channel and authenticates the server to the client. In either case leave AllowUnencrypted and Basic authentication disabled.
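The following is an added example, not the book's own commands, of the HTTPS alternative the solution recommends. It assumes the Server Core host is core01.bigfirm.com and that a server-authentication certificate for that name, with its private key, is already in the machine's Personal store; those names are hypothetical.

```powershell
# Added example (not from the book): replace the quickconfig HTTP listener with an
# HTTPS listener and turn off the weak options. Run elevated on the Server Core box.
# Assumed: host name core01.bigfirm.com and a server-auth certificate already in LocalMachine\My.
$fqdn = 'core01.bigfirm.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fqdn in LocalMachine\My" }

# Make sure the service is running and starts automatically
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Create the HTTPS listener (TCP 5986) bound to that certificate
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Remove the HTTP listener that quickconfig created so port 5985 is no longer offered
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

# Harden the service: no unencrypted payloads, and no Basic authentication, which
# would send the credential itself in clear text over an HTTP listener
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Open only the HTTPS port in the firewall
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# Show what is listening now (expect a single HTTPS entry)
Get-ChildItem WSMan:\localhost\Listener | Format-Table Name, Keys -AutoSize
```

From a management workstation, Test-WSMan -ComputerName core01.bigfirm.com -UseSSL, Enter-PSSession -ComputerName core01.bigfirm.com -UseSSL, or winrs -r:https://core01.bigfirm.com:5986 hostname then use the new listener. The client validates the certificate chain and name, so a self-signed certificate must be trusted on the client first; a failure there is the server authentication the solution asks for doing its job, not a bug to work around with -SkipCACheck.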

Chapter 4: Windows Server 2012 R2 Networking Enhancements

Understand IPv6. The journey from IPv4 to IPv6 will definitely not happen in a short time frame, and it became apparent to the designers of IPv6 that both protocols would have to coexist and work together on the same infrastructure. The caveat is that IPv4 and IPv6 cannot natively talk to each other, and for the duration of this transitional period a solution was required to address the communication barriers between these two protocols.
Master It Which of the following is not an IPv6 transitional technology?
a. ISATAP
b. DirectAccess
c. 6to4
d. Teredo
Solution b. DirectAccess is not an IPv6 transitional technology.
Use PowerShell for better networking manageability. Windows Server 2012 R2 has nearly 2,500 PowerShell cmdlets to work with, and from this enormous pool there are literally hundreds that can be used to view, configure, and monitor all of its different networking components and services. You can perform a wide variety of tasks using these cmdlets, ranging from simple IP address configuration to more specialized functions like configuring Quality of Service and virtualization networking parameters.
Master It Which new cmdlet is built into Windows Server 2012 R2 that is a real contender to replace the traditional ping command?
Solution The Test-NetConnection cmdlet comes built into Windows Server 2012 R2 and will give you far greater information than the traditional ping command ever could.
Implement NIC Teaming. In today’s always-connected world, it’s essential that the network connections on your servers remain fault tolerant and that they can maintain uptime in the event of a failed adapter. Windows Server 2012 R2 helps to deliver this fault tolerance through the use of NIC Teaming and negates the need to purchase any additional (and potentially expensive) hardware or software.
Master It If you want to create your NIC team using PowerShell, how would you go about it?
Solution To create a new NIC team from a command, open a PowerShell window with an account that has administrative permissions and type the following (make sure to substitute the team and NIC names to match your own environment): New-NetLbfoTeam Team1 NIC3,NIC4.
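The following is an added example, not the book's own code, that expands the one-line team creation above and then uses Test-NetConnection (the ping replacement from the previous solution) to confirm the server still reaches its domain controller over the team. The adapter names, team name, and dc01.bigfirm.com are hypothetical.

```powershell
# Added example (not from the book): a fault-tolerant team with a standby member,
# verified end to end. Assumed names: NIC3/NIC4/NIC5, 'Team1', dc01.bigfirm.com.
$team = New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC3', 'NIC4', 'NIC5' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Keep one adapter in reserve so a single failure degrades nothing
Set-NetLbfoTeamMember -Name 'NIC5' -AdministrativeMode Standby

# Wait until the team reports Up before trusting any traffic test
do {
    Start-Sleep -Seconds 2
    $team = Get-NetLbfoTeam -Name 'Team1'
} while ($team.Status -ne 'Up')

Get-NetLbfoTeamMember -Team 'Team1' |
    Format-Table Name, AdministrativeMode, OperationalStatus -AutoSize

# Test-NetConnection reports the interface used, the source address and a real TCP
# handshake to the port, which ping cannot tell you
$r = Test-NetConnection -ComputerName 'dc01.bigfirm.com' -Port 389 -InformationLevel Detailed
if (-not $r.TcpTestSucceeded) {
    throw "LDAP to dc01 failed over interface '$($r.InterfaceAlias)'"
}
$r | Select-Object RemoteAddress, InterfaceAlias, SourceAddress, PingSucceeded, TcpTestSucceeded
```

Pull the cable on NIC3 after this runs and repeat the Test-NetConnection call: InterfaceAlias should still name the team and TcpTestSucceeded should still be true, which is the fault tolerance the section promises, observed rather than assumed.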
Understand the new QoS features. Quality of Service (QoS) allows administrators to configure and deploy policies that predetermine which applications or services should be prioritized when it comes to allocating bandwidth. Administrators can determine critical interactive services, such as Voice over IP (VoIP) and line-of-business (LOB) applications, that must have acceptable levels and bandwidth available to them whenever they seek it.
Master It In earlier operating systems, you could use QoS only to enforce maximum bandwidth consumption, also known as rate limiting. Instead of a bandwidth-reservation system, it was more like a bandwidth-throttling solution. What QoS feature can you use in Windows Server 2012 R2 to solve this problem?
Solution To solve this problem, Minimum Bandwidth was introduced as a new feature to QoS in Windows Server 2012. Minimum Bandwidth provides the bandwidth-reservation solution that was missing with previous iterations and gives you the ability to ensure different types of network traffic get the granular bandwidth configurations they require.
Manage network performance. Understanding how to manage the performance of your Windows Server 2012 R2 networking environment is paramount to ensuring that your business can maintain an optimal level of productivity.
Master It Which of the following tools can be used to manage network performance in Windows Server 2012 R2? (Choose two.)
a. Ipconfig.exe
b. Perfmon.exe
c. Dfsrmon.exe
d. Server Performance Advisor
e. Networkview.exe
Solution b. Perfmon.exe and d. Server Performance Advisor are both tools that can be used to manage network performance in Windows Server 2012 R2.

Chapter 5: IP Address Management and DHCP Failover

Implement IPAM. IPAM is an integrated suite of tools to enable end-to-end planning, deploying, managing, and monitoring of your IP address infrastructure, with a rich user experience. IPAM automatically discovers IP address infrastructure servers on your network and enables you to manage them from a central interface.
Master It IPAM has some specific prerequisites that need to be in place before you can deploy it. What are the requirements for Active Directory that you should be aware of?
Solution An IPAM server must be a member of an Active Directory domain; non-domain-joined IPAM server deployments are not supported. The IPAM server can operate only within a single Active Directory forest, but it can manage servers in any of the domains in that forest. It can also manage only domain-joined servers; servers that are not members of an Active Directory domain are not supported by IPAM.
Effectively use IPAM components. IPAM is made up of three different feature components that integrate to deliver holistic management of your IP address infrastructure. These three components deliver functionality for Multi-Server Management, Address Space Management, and Network Auditing.
Master It Which feature of IPAM enables you to perform simultaneous updates to all of your DHCP and DNS servers? (Choose one.)
a. Multi-Server Management
b. Address Space Management
c. Network Auditing
Solution a. The Multi-Server Management feature of IPAM delivers the automated discovery of manageable DHCP and DNS servers and provides centralization of the resources they serve. If you don’t want to use the automatic discovery method, you can still choose to add or remove your DHCP and DNS servers manually. If you want to perform simultaneous updates to all of your DHCP and DNS servers, this is where that functionality stems from.
Integrate IPAM with System Center 2012. With all the focus on datacenter and cloud management, it's here that Microsoft has invested the most in enhancing IPAM for Windows Server 2012 R2. The Virtualized IP Address Space section of the IPAM console streamlines the management of your physical and virtual address spaces through a new integration connection with VMM. This integration opens up IP address-management capabilities between your on-premises and cloud-based IP address schemes.
Master It What version of Windows Server and VMM do you need to be running to enable IPAM integration?
Solution You need to be running Windows Server 2012 R2 with System Center 2012 R2 Virtual Machine Manager if you want to use the IPAM integration feature to manage your physical and virtual addresses seamlessly.
Manage IPAM delegation. When you install the IPAM server role, the installation process automatically creates a number of local security groups that can be used to deliver Role-Based Access Control of your IPAM environment to designated users and administrators. Depending on the type of administrative privileges that you want your users to have, all you need to do is to add their accounts to the appropriate security group.
Master It There are five local security groups that IPAM creates to deliver RBAC. Which group from the following list is not one of them? (Choose one.)
a. IPAM Administrators
b. IPAM IP Audit Administrators
c. IPAM ASM Administrators
d. IPAM Advanced Users
e. IPAM MSM Administrators
f. IPAM Users
Solution d. The IPAM Advanced Users group is not one of the five local security groups created by IPAM for RBAC and access delegation; the five are IPAM Administrators, IPAM ASM Administrators, IPAM IP Audit Administrators, IPAM MSM Administrators, and IPAM Users.
Understand DHCP Failover. The beauty of DHCP Failover is that there is now no need for any expensive shared storage, such as a Storage Area Network device, between your DHCP servers. Instead, the IP address lease data is replicated between each server continuously. With both DHCP Failover servers containing a copy of the latest IP address assignment and scope information, you will always be able to sustain a failure of one DHCP server without losing any DHCP functionality.
Master It The new DHCP Failover functionality allows you to configure two different types of failover relationships. What are these relationships called? (Choose two.)
a. Failover clustering (active/active)
b. Hot standby (active/passive)
c. Split-scope (active/passive)
d. Seeded (active/active)
e. Load balanced (active/active)
Solution b. Hot standby (active/passive) and e. Load balanced (active/active) are the two different types of DHCP Failover relationships that you can choose from when creating a failover between servers.
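The following is an added example, not the book's own code, that creates one relationship of each type with the DhcpServer module and then verifies them. Server names dhcp1/dhcp2/dhcp3 and the 10.10.0.0 and 10.20.0.0 scopes are hypothetical.

```powershell
# Added example (not from the book): both DHCP Failover relationship types, created
# from dhcp1, plus the replication and verification steps. All names are assumed.
Import-Module DhcpServer

# The shared secret authenticates the failover protocol messages between partners
# (a keyed hash on each message); without it any host could pose as the partner.
$secret = Read-Host -Prompt 'Failover shared secret'

# Hot standby: dhcp1 answers all clients; dhcp2 keeps 5% of the addresses in reserve
# so it can still lease while it waits out the MCLT after dhcp1 fails.
Add-DhcpServerv4Failover -ComputerName 'dhcp1.bigfirm.com' -PartnerServer 'dhcp2.bigfirm.com' `
    -Name 'HQ-HotStandby' -ScopeId 10.10.0.0 -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 1:00:00 -AutoStateTransition $true -StateSwitchInterval 2:00:00 `
    -SharedSecret $secret

# Load balanced: both servers answer, splitting the scope's free addresses 50/50
Add-DhcpServerv4Failover -ComputerName 'dhcp1.bigfirm.com' -PartnerServer 'dhcp3.bigfirm.com' `
    -Name 'Branch-LoadBalanced' -ScopeId 10.20.0.0 -LoadBalancePercent 50 `
    -MaxClientLeadTime 1:00:00 -AutoStateTransition $true -StateSwitchInterval 2:00:00 `
    -SharedSecret $secret

# Leases replicate continuously, but later scope changes (options, reservations,
# exclusions) do not; push them to the partner explicitly after editing a scope.
Invoke-DhcpServerv4FailoverReplication -ComputerName 'dhcp1.bigfirm.com' -ScopeId 10.10.0.0 -Force

# Verify: once the partners have synchronised, State should read Normal for both
Get-DhcpServerv4Failover -ComputerName 'dhcp1.bigfirm.com' |
    Format-Table Name, Mode, ServerRole, PartnerServer, State, MaxClientLeadTime -AutoSize
```

AutoStateTransition with a StateSwitchInterval lets the surviving server move from Communication Interrupted to Partner Down on its own; without it an administrator has to declare the partner down before the survivor will take over the whole address pool.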

Chapter 6: DNS and Name Resolution in Windows Server 2012 R2

Explain the fundamental components and processes of DNS. DNS relies on integrated servers that manage a hierarchical naming structure. On the Internet, this structure starts with root servers and then top-level domain servers, which delegate subdomains to other DNS servers. Within a DNS server, the database of records is known as a zone, and it can be replicated between other DNS servers to provide distributed query resolution for a given namespace.
Master It Several common DNS records were discussed in this chapter. The SRV and MX records both have a parameter named priority. If there were two SRV records for the same service with a priority parameter of 10 and 20, which SRV record would be selected first?
Solution The priority parameter can have a value from 0 to 65535 on SRV records. However, the lowest number has the highest priority. Therefore, the record with the priority parameter of 10 would be selected first.
Configure DNS to support an Active Directory environment. Active Directory requires a DNS namespace to be available to support the assigned name of the domain. Windows Server 2012 R2 provides an automatic capability to create the required DNS structure through the domain controller promotion process. The DNS zones can be stored in the Active Directory database, which provides multimaster replication of the DNS records. With the use of SRV records and DDNS update, the domain controllers can register their services in DNS for clients to access them.
Master It The DNS service on DCs can create Active Directory integrated zones. In which locations within the Active Directory database can the zones be placed? What scope do these locations provide?
Solution There are four locations (replication scopes) that can be chosen when creating an Active Directory integrated zone:
1. All DNS servers in the forest: the zone is stored in the ForestDnsZones application partition and replicates to every domain controller running DNS in the forest.
2. All DNS servers in the domain: the zone is stored in the DomainDnsZones application partition and replicates to every domain controller running DNS in the domain. This is the default.
3. All domain controllers in the domain: the zone is stored in the domain partition itself and replicates to every domain controller in the domain, whether or not it runs DNS. This scope exists for compatibility with Windows 2000 domain controllers.
4. All domain controllers in a specified application directory partition: the zone replicates only to the domain controllers enlisted in a custom partition you create, which lets you confine a zone to a chosen set of servers.
Manage and troubleshoot DNS resolution for both internal and external names. Internal and external name resolution relies on the connectivity between DNS servers. Forwarding and root hints are the primary methods to allow DNS servers to send queries between them. Several tools are available to assist troubleshooting and monitoring DNS configurations and performance, including NsLookup, PowerShell, and DcDiag.
Master It The SRV record registration for domain controllers is performed by the netlogon service. It is a very complex and demanding task to attempt to perform this manually. What tests can be performed to verify whether SRV records are correctly registered within a domain?
Solution The DcDiag utility provides tests to verify whether SRV records are available within the specified domain. Dcdiag /test:dns /DnsRecordRegistration checks that a domain controller's records are present in DNS, and dcdiag /test:registerindns /dnsdomain:<domain> validates that a server can perform updates to the domain zone using DDNS updates. If records are missing, nltest /dsregdns forces the Netlogon service to re-register them.
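The following is an added example, not the book's own code, that enumerates the SRV records a domain controller must register, orders them the way a client would (which also illustrates the priority rule from the earlier question), and then runs the dcdiag checks. The domain bigfirm.com and the DC name dc01 are hypothetical.

```powershell
# Added example (not from the book): check DC SRV registration and ordering.
# Assumed: domain bigfirm.com and DC dc01.
$domain = 'bigfirm.com'
$dc     = 'dc01'

$records = @(
    "_ldap._tcp.dc._msdcs.$domain",      # any domain controller
    "_kerberos._tcp.dc._msdcs.$domain",  # KDC
    "_ldap._tcp.pdc._msdcs.$domain",     # PDC emulator
    "_gc._tcp.$domain"                   # global catalog
)

foreach ($name in $records) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "Not registered: $name"; continue }

    # Clients use the lowest Priority value first; Weight only breaks ties within a priority
    $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
           Select-Object @{ n = 'Record'; e = { $name } }, NameTarget, Port, Priority, Weight |
           Format-Table -AutoSize
}

# Are this DC's own records registered correctly?
dcdiag /test:dns /DnsRecordRegistration "/s:$dc"

# Can this DC perform dynamic updates against the domain zone at all?
dcdiag /test:registerindns "/dnsdomain:$domain"

# If anything was missing, ask Netlogon to re-register, then rerun the loop above
nltest /dsregdns
```

A missing _ldap._tcp.dc._msdcs record is the usual cause of "domain controller could not be contacted" errors at logon; a record pointing at a host that no longer exists is worse, because clients keep trying the stale target until the record's priority and weight send them elsewhere.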

Chapter 7: Active Directory in Windows Server 2012

Create a single-domain forest. Any Windows Server 2012 server can be promoted to a domain controller to create a single-domain forest. A DC hosts an instance of Active Directory Domain Services.
Master It You want to promote a server to a DC and create a single-domain forest. What should you do?
Solution Install the Active Directory Domain Services role and then run the Active Directory Domain Services Configuration Wizard. Follow the wizard to create a new forest.
Add a second DC to the domain. A single DC represents a potential single point of failure. If it goes down, the domain goes down. Often, administrators will add a second DC to the domain.
Master It You want to add a second DC to your domain. What should you do?
Solution Install the Active Directory Domain Services role and then run the Active Directory Domain Services Configuration Wizard. Follow the wizard, choosing to add a domain controller to an existing domain.
Decide whether to add a global catalog. A global catalog server hosts a copy of the global catalog. Any domain controller can become a GC, but only the first domain controller is a GC by default.
Master It You are promoting a second server to a domain controller in your single-domain forest. Should you make it a GC?
Solution Yes. In a single-domain forest, all domain controllers should also be global catalog servers. This provides redundancy in the domain without any additional overhead.
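The following is an added example, not the book's own code, that performs the three preceding tasks (create the forest, add a second DC, make it a global catalog) from PowerShell; the same cmdlets are what you use on Server Core, where the wizard is unavailable. The domain bigfirm.com, the NetBIOS name BIGFIRM and the site name are hypothetical.

```powershell
# Added example (not from the book): single-domain forest, then a second DC as a GC.
# Assumed: domain bigfirm.com / NetBIOS BIGFIRM, default site name.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- First server: create the forest -------------------------------------
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Dry run: reports prerequisite problems without changing anything
Test-ADDSForestInstallation -DomainName 'bigfirm.com' -SafeModeAdministratorPassword $dsrm

Install-ADDSForest -DomainName 'bigfirm.com' -DomainNetbiosName 'BIGFIRM' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force
# The server reboots as a domain controller when this completes.

# --- Second server: join the existing domain as a DC and GC ---------------
# (run on the second machine once the first DC is up and resolvable)
$cred = Get-Credential -Message 'Domain Admins account' -UserName 'BIGFIRM\Administrator'
Install-ADDSDomainController -DomainName 'bigfirm.com' -Credential $cred `
    -InstallDns -NoGlobalCatalog:$false -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword $dsrm -Force

# --- Verify from either DC: both present, both advertising the global catalog
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
```

The DSRM password is the only credential that works when the DC is booted into Directory Services Restore Mode, so record it in the same place as other break-glass secrets rather than in the build script.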
Create accounts. Any domain needs to host user and computer accounts representing users and computers that will access the domain. There are several ways to create user and computer accounts.
Master It What are four methods that can be used to create a user account? Two have a GUI and the other two are command-line tools.
Solution The four methods are Active Directory Users and Computers, Active Directory Administrative Center, the DSAdd command-line tool, and PowerShell using the New-ADUser cmdlet.
Create fine-grained password policies. Fine-grained password policies, introduced in Windows Server 2008, allow multiple password and account-lockout policies within a single domain; Windows Server 2012 adds a graphical interface for them in the Active Directory Administrative Center. You can use a fine-grained password policy to assign a different password policy to a user or global security group within the domain.
Master It You want to create a fine-grained password policy for a group of administrators in your network. What should you create and what tool should you use?
Solution Create a password-settings object with the Active Directory Administrative Center GUI. You can also apply the PSO to users or groups using Active Directory Users and Computers.
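The following is an added example, not the book's own code, that does the same job from the Active Directory module: it creates a stricter password-settings object for privileged accounts, applies it to a group, and then checks which policy a member actually receives. The PSO name and the chosen values are this example's own.

```powershell
# Added example (not from the book): a PSO for administrative accounts, applied and verified.
# Assumed: the PSO name and thresholds are illustrative, not a recommendation for every site.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -Description 'Stricter policy for administrative accounts' `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# PSOs can be applied only to users and global security groups; apply it to the admins group
$admins = Get-ADGroup -Identity 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects $admins

# When several PSOs match an account, one linked directly to the user wins over any
# group-linked PSO, and among the rest the lowest Precedence number wins.
# The resultant policy shows what one member actually gets.
$member = Get-ADGroupMember -Identity $admins |
          Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold, MaxPasswordAge
```

If the resultant policy comes back empty, the account is governed by the Default Domain Policy, which usually means the PSO was applied to a domain local or distribution group by mistake.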
Understand the Windows Server 2012 forest functional level. Each forest functional level has traditionally offered new functionality to Active Directory. For example, the Windows Server 2008 R2 forest functional level brought support for the Recycle Bin feature.
Master It What new feature is offered in the Windows Server 2012 forest functional level?
Solution There are no new features in the Windows Server 2012 forest functional level.
Upgrade your domain to Windows Server 2012. You currently have a Windows Server 2008 single-forest domain, and you are figuring out how to upgrade this forest. You want to have a Windows Server 2012 forest.
Master It What methods for upgrading or migrating your forest make the most sense?
Solution You would most likely perform in-place upgrades of the existing domain controllers, or a swing migration (introduce new Windows Server 2012 domain controllers, transfer the operations master roles to them, and then retire the old ones), depending on your preference and hardware. A migration using ADMT into a new forest probably does not make sense for a single-domain forest.

Chapter 8: Creating and Managing User Accounts

Manage local users and groups. Local users and groups are stored on a computer and cannot be used to log into or access resources on other computers.
Master It You have 25 PCs with 25 users on a workgroup network, in other words, a network with no Active Directory or Windows domain. You are installing two file servers. You want to provide authorized-only access to shared resources on the file servers. How will you do this?
Solution You will need to create a user account for each of the 25 users. However, because there is no domain, you will need to create the user account on the users’ PCs and on each of the two servers. The username and password will have to be identical on their PCs and each of the two servers. You can speed the process up by using a scripted option, such as using the net user command in a script.
Manage users and groups in Active Directory. Users and groups can be stored in Active Directory. That means administrators can create a single copy of each user and group that is stored in a replicated database and can be used by member computers across the entire Active Directory forest. You can use Active Directory Users and Computers, the command prompt, PowerShell, and Active Directory Administrative Center to manage users and groups on Windows Server 2012.
Master It List the different types of Active Directory group types and scopes. Why would you use each of them?
Solution There are two Active Directory group types:
1. Security groups have a security identifier and can be granted permissions and user rights. Use them for access control; they can also be mail-enabled.
2. Distribution groups have no usable security identifier and cannot appear in access control lists. Use them only for email distribution, for example with Exchange.
The members of an Active Directory group may be users, computers, or other group objects. There are three group scopes:
1. Domain local groups can contain accounts, global groups, and universal groups from any trusted domain, plus domain local groups from their own domain. Use them to assign permissions to resources within their own domain.
2. Global groups can contain accounts and other global groups only from their own domain. Use them to collect users by role; they can be granted permissions in any trusted domain.
3. Universal groups can contain accounts, global groups, and universal groups from any domain in the forest. Their membership is stored in the global catalog, so use them to group users across domains, typically by nesting global groups, and keep their membership stable.
Manage users and computers in Windows Server 2012. You can manage users and computers using either PowerShell or the new Active Directory Administrative Center. ADAC makes it quicker and easier for administrators to perform day-to-day operations such as resetting passwords, unlocking user accounts, and finding objects in the forest that they want to manage. The Active Directory module for Windows PowerShell offers a command-line interface and way to script Active Directory management tasks. You can use this to automate repetitive tasks using scripts or to perform complex and large operations that would consume too much time using an administrative console.
Master It You are managing the Windows Server 2012 Active Directory forest for an international corporation. The directors have announced that a new call center with 5,000 employees is to be opened soon. The human resources department will be able to produce a file from its database with the names of the new employees thanks to some in-house developers. You want to create the user objects as quickly as possible with minimum human effort. How will you do this?
Solution You can work with the in-house developers so that the new-employee export from the human resources application is a CSV file. The header row names the columns; each following row holds the values you would pass to the PowerShell New-ADUser cmdlet, for example:
Name,SamAccountName,GivenName,Surname,DisplayName,Path,UserPrincipalName,AccountPassword
Rachel Kelly,RKelly,Rachel,Kelly,Rachel Kelly,"OU=Users,OU=BigFirm,DC=bigfirm,DC=com",RKelly@bigfirm.com,NewPassw0rd
Ulrika Gerhardt,UGerhardt,Ulrika,Gerhardt,Ulrika Gerhardt,"OU=Users,OU=BigFirm,DC=bigfirm,DC=com",UGerhardt@bigfirm.com,NewPassw0rd
Tomasz Kozlowski,TKozlowski,Tomasz,Kozlowski,Tomasz Kozlowski,"OU=Users,OU=BigFirm,DC=bigfirm,DC=com",TKozlowski@bigfirm.com,NewPassw0rd
You then run a PowerShell pipeline that reads each row of the CSV file and calls New-ADUser with that row's values to create the user objects, for example:
PS C:\Users\Administrator> Import-CSV c:\users.csv | foreach {New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -GivenName $_.GivenName -Surname $_.Surname -DisplayName $_.DisplayName -Path $_.Path -UserPrincipalName $_.UserPrincipalName -AccountPassword (ConvertTo-SecureString -AsPlainText $_.AccountPassword -Force) -Enabled $true -ChangePasswordAtLogon $true}
This command reads the file and creates each of the 5,000 user objects in the organizational unit(s) named in the Path column. Instead of spending days creating objects in a console, you spend a minute typing the command. Because the file holds initial passwords in clear text, have the export generate a different random password per row rather than one shared value, keep the file on protected storage, delete it once the import succeeds, and rely on -ChangePasswordAtLogon to force each user to replace the initial password at first sign-in.
Delegate group management. Part of the power of Active Directory is the ability to delegate administrative rights. You can grant permissions to users or groups to manage any organizational unit or object in the domain. You can limit those rights so people only have permissions to do what they need to do for their role in the organization.
Master It You are a domain administrator in a large organization. Your network contains several file servers. File shares are secured using domain-based security groups. You have delegated rights to help-desk staff to manage these groups. The organization is relying on the help desk to know who should have read, read/write, and no access to the file shares. Mistakes are being made and changes are taking too long, causing employees to be unable to access critical information. You’ve considered a paper-based procedure where the business owners of the file shares document who should have access. This has proven to be unpopular because it slows down the business. You have been asked to implement a solution that ensures the business is not delayed and where only authorized people have access to sensitive information.
Solution Perform the following steps:
1. Create a Read Only and Read and Write domain-based security group for each file share.
2. Grant each of these groups the appropriate permissions on the shares.
3. Create an additional Owners domain-based security group for each file share.
4. Add the business owners of the information in the shares to each Owners group.
5. Edit the properties of the Read Only and Read and Write groups.
6. Add the appropriate Owners groups as managers of the Read Only and Read and Write groups on the Managed By tab.
The result of this solution is that anyone who is a member of the Management Owners group for the Management share will be able to manage the membership of the Management Read Only and the Management Read and Write groups. The business owners know who should have access to their file shares. The help desk cannot know this. The business owners are now empowered to make the appropriate changes in the group memberships. IT is no longer involved in the process. This reduces the communication process and allows employees of the organization to access information without delay.
Deal with users leaving the organization. It is important to understand that Windows tracks users, groups, and computers by their security identifier and not by their visible friendly name. When you delete and re-create an object, the new object is actually a different object and does not keep the old object’s rights and permissions.
Master It The personnel department has informed you that an employee, BKavanagh, is leaving the organization immediately under bad circumstances. The security officer informs you that there is a security risk. You have been asked to deal with this risk without any delay. What do you do? Two hours later you are told that the personnel department gave you the wrong name. The correct name is BCavanagh. BKavanagh has called the help desk to say that she cannot do any work. What do you do to rectify the situation?
Solution When you were first asked to deal with BKavanagh, you should have disabled the user account rather than deleting it. A disabled account cannot be used to log on, but it keeps its security identifier, group memberships, and permissions. When the call comes that this was the wrong account, you simply re-enable it, and BKavanagh can start working again.
If you deleted the BKavanagh account and the Active Directory Recycle Bin is enabled (which requires the Windows Server 2008 R2 forest functional level or later), restore the object from the Recycle Bin; it comes back with its SID and group memberships intact.
If you deleted the account and the Recycle Bin is not enabled, you will have to re-create it, add the user to all the groups she was in before, and reassign anything granted to the old SID directly, such as explicit permissions. This is a time-consuming process.
You should disable the BCavanagh account to comply with the security officer and the personnel department. You can delete the account after a predetermined time has passed and the user has not returned to the organization.
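The following is an added example, not the book's own code, that scripts the disable-first offboarding the solution recommends, the recovery when the name turns out to be wrong, and the Recycle Bin restore for the case where someone deleted the account instead. The account names come from the question; the functions, the group-record location, and the random-password construction are this example's own.

```powershell
# Added example (not from the book): disable-first offboarding, reversal, and Recycle Bin restore.
# Assumed: function names, the $env:TEMP record file and the password construction are illustrative.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Reason)
    $u = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # Keep a record of group memberships so they can be audited or rebuilt later
    $u.MemberOf | Out-File -FilePath "$env:TEMP\$SamAccountName-groups.txt"
    Disable-ADAccount -Identity $u
    # Also reset the password: disabling blocks new logons, but resetting invalidates
    # anything that still relied on the old credential (saved passwords, scripts).
    $random = [guid]::NewGuid().ToString() + 'Aa1!'
    Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)
    Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format s): $Reason"
    # Note: Kerberos tickets already issued remain valid until they expire (10 hours by default)
}

# Wrong name: bring the first account back. Because its password was reset, the user
# needs a new temporary password and must change it at next logon.
function Restore-MistakenDisable {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][securestring]$TempPassword)
    Enable-ADAccount -Identity $SamAccountName
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $TempPassword
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Description 'Re-enabled: disabled in error'
}

# If the account was deleted instead: restore it with SID and groups intact. This works
# only when the AD Recycle Bin is enabled (2008 R2 forest functional level or later).
function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    if (-not $rb.EnabledScopes) { throw 'AD Recycle Bin is not enabled; the account must be re-created by hand.' }
    $obj = Get-ADObject -Filter { SamAccountName -eq $SamAccountName -and IsDeleted -eq $true } `
                        -IncludeDeletedObjects -Properties LastKnownParent
    if (-not $obj) { throw "No deleted object named $SamAccountName found" }
    Restore-ADObject -Identity $obj.ObjectGUID   # goes back to LastKnownParent by default
    Get-ADUser -Identity $SamAccountName -Properties MemberOf | Select-Object SamAccountName, Enabled, MemberOf
}

Disable-LeaverAccount -SamAccountName 'BKavanagh' -Reason 'Security officer request'
# ...two hours later, the corrected name arrives:
Disable-LeaverAccount -SamAccountName 'BCavanagh' -Reason 'Security officer request (corrected name)'
Restore-MistakenDisable -SamAccountName 'BKavanagh' `
    -TempPassword (Read-Host -AsSecureString 'Temporary password for BKavanagh')
```

The memberships file written by Disable-LeaverAccount is what turns the "re-create and add the user to all the groups" fallback from guesswork into a checklist when the Recycle Bin is not available.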

Chapter 9: Group Policy: AD’s Gauntlet and Active Directory Delegation

Understand local policies and Group Policy objects. Every Windows computer from Windows 2000 Professional and up has a local Group Policy. Windows Vista and later, including Windows 8, have multiple local Group Policy objects (Local Computer, Administrators, Non-Administrators, and per-user), which can accommodate the various situations in which the computer might be used. There are Group Policy objects stored in Active Directory too, which allow for central administration of computers and users who are associated with the domain.
Master It Which of the following is not a local group policy?
Solution All Users is not a local group policy.
Create GPOs. Group Policy objects can and should be created within your Active Directory domain. These additional GPOs will allow you to control settings, software, and security on the different users and computers that you have within the domain. GPOs are typically linked to OUs but can be linked to the domain node and to AD sites as well. GPOs are created within AD by using the Group Policy Management console.
Master It Create a new GPO and link it to the HRUsers OU.
Solution To create the GPO and link it to HRUsers OU:
1. Create the HRUsers OU under the domain.
2. Within the GPMC, right-click the HRUsers OU, and select the option to create and link a GPO.
3. Give the new GPO a name of HRUserSecurity.
Troubleshoot group policies. At times a GPO setting or group policy fails to apply. There can be many reasons for this, and you can use many tools to investigate the issue. Some tools, such as the rsop.msc tool, are presented in a resulting window, and other tools, such as gpresult, are used on the command line. Regardless of the tool you use, troubleshooting Group Policy is sometimes required.
Master It Which tool would you use to ensure that all settings in all GPOs linked to Active Directory have applied, even if there have not been any changes to a GPO or a setting in a GPO?
Solution Run gpupdate /force, which reapplies every setting from every GPO that applies to the computer and the logged-on user, even when none of the GPOs has changed since the last refresh.
Delegate control using organizational units. Delegation is a powerful feature in Active Directory that allows domain administrators to delegate tasks to junior administrators. The idea is that the delegation granted is narrow in scope, providing only limited capabilities within Active Directory and the objects contained within.
Master It Establish delegation on the HRUsers organizational unit such that the HRHelpDesk security group can reset the passwords for all users in the HRUsers OU.
Solution
1. Create the HRHelpDesk security group under the Users container.
2. Create the HRUsers OU under the domain.
3. Run the Delegation of Control Wizard by right-clicking the HRUsers OU.
4. Grant permissions to the HRHelpDesk group.
5. Grant the Reset Password permission.
6. Complete the delegation.
Use advanced delegation to manually set individual permissions. There are thousands of individual permissions for any given AD object. Advanced delegation provides the ability to set any of these permissions to give a user or security group access to the object for the specified permission. The Delegation of Control Wizard is a useful tool to grant common tasks, but when the wizard does not provide the level of detail required, you must grant delegation manually.
Master It Delegation is another term for which of the following?
Solution Delegation is another term for setting permissions on AD objects.
Find out which delegations have been set. It is unfortunate, but the Delegation of Control Wizard is a tool that can only grant permissions, not report on what has been set. To find out what delegations have been set, you have to resort to using other tools.
Master It Name a tool that you can use to view what delegations have been set.
Solution dsacls is a command-line utility that comes with Windows Server 2012 R2 for viewing detailed delegation settings.
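The three delegation exercises above are easier to verify with a script than by reading raw dsacls output. This is an added example, not code from the book: it lists every trustee that holds the Reset Password delegation on an OU, using the ActiveDirectory module and its AD: drive, and assumes the OU is OU=HRUsers,DC=contoso,DC=com (a hypothetical domain).

```powershell
# Added example (not from the book): report who has been delegated
# "Reset Password" on an OU. Assumes RSAT's ActiveDirectory module is
# installed; Import-Module also creates the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

$AdRights = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known rightsGuid of the User-Force-Change-Password extended right,
# which is what the Delegation of Control Wizard grants for "Reset Password".
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Schema GUID of the user object class; an ACE that applies only to user
# objects carries it in InheritedObjectType.
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-ResetPasswordDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # GenericAll covers every right; otherwise we need ExtendedRight scoped
        # either to this specific GUID or to all extended rights (empty GUID).
        $grantsReset = $rights.HasFlag($AdRights::GenericAll) -or
            ($rights.HasFlag($AdRights::ExtendedRight) -and
             ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [guid]::Empty))
        if (-not $grantsReset) { continue }

        # Skip ACEs that apply only to non-user child objects (e.g. computers).
        if ($ace.InheritedObjectType -ne [guid]::Empty -and
            $ace.InheritedObjectType -ne $UserClass) { continue }

        $scope = if ($rights.HasFlag($AdRights::GenericAll)) { 'Full control' }
                 elseif ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                 else { 'Reset Password only' }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Scope     = $scope
            Inherited = $ace.IsInherited   # inherited entries come from a parent, not this OU
        }
    }
}

$ou = 'OU=HRUsers,DC=contoso,DC=com'   # hypothetical OU
Get-ResetPasswordDelegation -OuDistinguishedName $ou | Format-Table -AutoSize

# The raw view from the command-line tool the book names, for comparison.
dsacls $ou
```

Entries wider than "Reset Password only" (all extended rights, or full control) are the ones worth questioning, since the wizard's Reset Password task never grants that much.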

Chapter 10: Active Directory Federation Services

Install the AD FS role on a server. Installing the AD FS role on a server is one of the first steps in implementing an AD FS infrastructure. Windows Server 2012 R2 has made it easier than ever to install and use AD FS. AD FS provides you with single sign-on access within your corporate network, to a partner organization, and to websites and applications hosted on the Internet.
Master It How do you install AD FS on a server?
Solution Install the AD FS roles and features using Server Manager.
Configure the first federation server in a server farm. A federation server serves as part of a federation service that can issue, manage, and validate requests for security tokens and identity management. Multiple federation servers provide much-needed functionality like high availability and network load balancing in a large AD FS infrastructure. For proper SSO user access between your organization and a partner organization, federation servers must be deployed in the partner’s organization as well as your own.
Master It How do you create the first federation server in a federation services server farm?
Solution Using the AD FS Management snap-in, launch and complete the AD FS Server Configuration Wizard.
Configure AD FS performance monitoring. AD FS includes its own dedicated performance counters to help you monitor the performance of both federation servers and federation server proxy machines. This is a nice little addition that helps you manage AD FS more easily. Generated reports provide AD FS–specific details that show you how well it is running in the environment. Monitoring performance is an essential part of planning for growth and scalability. High utilization could mean that you need to deploy another federation server to balance the load more proficiently.
Master It How would you monitor the performance of your AD FS infrastructure?
Solution Using Performance Monitor, create a new AD FS data collection set.

Chapter 11: Shared Storage and Clustering Introduction

Use the available storage options for clustering. With the release of Windows Server 2012 R2, many more storage options are available for your clustering and high-availability solutions.
Master It You want to build out a JBOD solution and need the most effective type of disk capacity. The failover doesn’t matter as much as space and speed. What technology should you consider?
Solution You must build out a Storage Spaces solution utilizing simple volumes; this volume type is designed for throughput and size. Maximize the disks and access to the disks to make the solution fast and effective.
Use quorums to help in clustering. A quorum is “the minimum number of members required to be present at an assembly or meeting before it can validly proceed to transact business.” This definition holds true for the use of a quorum in clustering.
Master It You have chosen to deploy an odd-numbered cluster with five nodes, and you will use one node as a file share witness for quorum. Once the cluster is up and running, you host an application. But after the install the application has a major memory leak and starts seizing up the servers and shutting them down. How many nodes will go down before the cluster is completely offline?
Solution Since you have an even number of quorum nodes and a spare witness node, the cluster will remain online until the very last node is about to go down. With proper monitoring and alerting, you would never let anything get this far, would you? Hopefully not, but the benefit of a witness node is that you can keep your application up and active while you get those other servers either back online or rolled back to a different version of the application.
Build out host and guest clusters. Clustering is a mix of software and hardware and can be hosted on physical servers or virtual machines. Windows Server 2012 R2 has the components and tools built in to help you deploy your clusters, including a handy prerequisites wizard to validate that you have all the components and configurations in place to successfully set up a cluster.
Master It When planning your host- and guest-based clusters, excluding the Hyper-V role, what is the difference between the two in setting up a cluster?
Solution There is no difference; once you start to plan your hardware and networks, the requirements on both the VM and host sides of the cluster process are exactly the same. The process is simple and easy to step through.

Chapter 12: Windows 2012 R2 Storage: Storage Spaces, SANish Abilities, and Better Tools

Create a storage pool on a virtual disk. Storage is an ever-growing business requirement. If you were constantly buying SAN solutions to meet this need, it would prove very costly. Also, it is very hard to predict what you may need in a year’s time. How would you manage your storage to get the most out of it and to meet your future storage needs?
Master It In your lab create a storage pool using the GUI with three disks. Create a virtual disk three times the size of the total usable capacity of the disk. Format it and get it ready to use.
Solution In Server Manager, under File and Storage Services, navigate to Volumes ➢ Storage Pools. From the primordial pool, right-click and select a new storage pool. Enter a name and then select three physical disks (note their individual capacities and add them up). Select your storage pool from the Storage Pool window, and create a new virtual disk from it. Give it a useful name and select Parity as the storage layout. Select Single Parity and Thinly Provision the Disk. For its size use the total storage capacity you worked out times three. Create a volume on that virtual disk and copy some files into it.
Create additional storage on a virtual disk. A common occurrence in enterprises today is last-minute requests for provisioning of applications that require large amounts of storage. Often the storage available locally in the server is not large enough to meet the need. How can you get additional storage onto the server without adding local storage?
Master It In your lab deploy an iSCSI target, create a virtual disk, and then connect your server to use the newly created storage.
Solution New in 2012/2012 R2, Microsoft has introduced a variety of new cmdlets to help you configure the iSCSI target and client software. The steps you would take to configure this solution via PowerShell are listed as follows:
1. From PowerShell on the server you have selected as your iSCSI target server, run the following cmdlet:
Add-WindowsFeature FS-iSCSITarget-Server -IncludeManagementTools
2. Create a new iSCSI target as follows:
New-IscsiServerTarget -TargetName TestTarget01 -InitiatorIds "IQN:iqn.1991-05.com.microsoft:server01.contoso.com"
(Change the iqn to that of your remote server. The -InitiatorIds value carries its type prefix, here IQN:, and only the initiators listed will be allowed to connect to this target.)
3. Add a new virtual disk using the following cmdlet:
New-IscsiVirtualDisk -Path E:\newdisk.vhdx -SizeBytes 20GB
4. Add the disk to the previously created iSCSI target, as shown here:
Add-IscsiVirtualDiskTargetMapping -TargetName TestTarget01 -Path E:\newdisk.vhdx
5. On the remote server where you need the extra storage, from an elevated PowerShell prompt run the following:
Set-Service -Name msiscsi -StartupType Automatic
Start-Service msiscsi
6. Type:
New-IscsiTargetPortal -TargetPortalAddress TestTarget01
(The portal address is the DNS name or IP address of the iSCSI target server, so substitute your target server's name if it is not TestTarget01.)
7. Then type:
Get-IscsiTarget | Connect-IscsiTarget
8. Check Disk Manager for newly added disks, and then initialize them and bring them online.
Use deduplication techniques to reduce file size. Part of the reason behind data growth in today’s environments is the availability of storage, but storage will become a problem sooner rather than later. A high percentage of these files contain a large degree of identical data patterns, but using deduplication techniques can dramatically reduce the disk space required and make better overall use of the storage in place.
Master It In your lab copy an ISO multiple times into different shares, and repeat for office documents that are not located on your System volume. Enable Deduplication on the data drive, and exclude a share of importance in your environment.
Solution Deduplication in Windows Server 2012 R2 can be managed via PowerShell. Here we outline the steps you will take to work with deduplication and some of the cmdlets you would use.
1. From PowerShell type,
Enable-DedupVolume -Volume E:
where E: is the volume you are trying to dedup.
2. Exclude a folder using PowerShell:
Set-DedupVolume -Volume E: -ExcludeFolder E:\shares
3. Verify all the information using:
Get-DedupVolume -Volume E: | Format-List *
4. Change the file age field to 0 days so all files are immediately considered for dedup:
Set-DedupVolume -Volume E: -MinimumFileAgeDays 0
5. Start an optimization job:
Start-DedupJob -Type Optimization -Volume E:
6. Verify that space savings have been made:
Get-DedupStatus -Volume E:

Chapter 13: Files, Folders, and Basic Shares

Install additional File and Storage Services roles on a server. The File and Storage Services role includes services designed to optimize serving files from the server. A significant addition is the File Server Resource Manager role, which can be used to manage quotas, to add file screens, and to produce comprehensive reports.
Master It How do you add FSRM to the server?
Solution Install the File Server Resource Manager role service using Server Manager.
Combine share and NTFS permissions. When a folder is shared from an NTFS drive, it includes both share permissions and NTFS permissions. It’s important to understand how these permissions interact so that users can be granted appropriate permission.
Master It Maria is in the G_HR and G_HRManagers groups. A folder named Policies is shared as Policies on a server with the following permissions:
NTFS: G_HR Read, G_HRManagers Full Control
Share: G_HR Read, G_HR Change
What is Maria’s permission when accessing the share? What is her permission when accessing the folder directly on the server?
Solution Maria’s permission when accessing the share is Change. You can determine the result of combined NTFS and share permissions in three steps:
If the folder is accessed directly, share permissions do not apply. So, she would have Full Control permission.
Implement BitLocker Drive Encryption. BitLocker Drive Encryption allows you to encrypt an entire drive. If someone obtains the drive that shouldn’t have access to the data, the encryption will prevent them from accessing the data.
Master It What are the hardware requirements for BitLocker Drive Encryption, and what needs to be done to the operating system to use BitLocker?
Solution BitLocker requires Trusted Platform Module 1.2, which is a hardware component and is typically included in the motherboard on systems that have it. It is possible to use BitLocker without TPM using either a password or a smart card and a PIN. BitLocker needs to be added as a feature using Server Manager before it can be implemented.

Chapter 14: Creating and Managing Shared Folders

Add a File and Storage Services role to your server. Before you can create and use DFS or NFS, share files and folders, or perform any other file-related function across the domain in Server 2012, you will need to install the additional File and Storage Services roles.
Master It Go into Server Manager, and add the server roles DFS and NFS.
Solution Perform the following steps:
1. Open Server Manager and click Tools ➢ Add Roles and Features.
2. In the Add Roles and Features Wizard, drill down to the roles and features you wish to install, and then click the Install button.
3. After the wizard completes, go back into Server Manager, click Manage, and you should see the additional roles and features installed.
If done correctly, your server will show that the DFS and NFS roles are installed.
Add a shared folder using NFS. Once the proper File and Storage Services roles have been added, you can then share folders, such as a folder called APPS.
Master It Create a shared folder called APPS on your Windows Server 2012 R2 server; when you have finished, the wizard should show a successful share.
Solution Once you set up the permissions on your share, click Next to see the final screen of the Share a Folder Wizard, which lists the results and gives you the option to run the wizard again.
1. Select Control Panel ➢ Administrative Tools ➢ Computer Management ➢ Shares ➢ New ➢ Share.
2. Follow the wizard, and browse to the folder you want to share. Click Next, and then set the kind of permissions you want for the shared folder. Click Finish.
Add a DFS root. If your organization ends up with a lot of file servers created over time, you may have users who do not know where all the files are located. You can streamline the process of finding and using multiple file servers by creating a DFS root and consolidate the existing file servers into common namespaces.
Master It Create a new namespace called MYFIRSTNS on your Windows Server 2012 R2 server; when you have finished, the wizard should show a new namespace called MYFIRSTNS.
Solution In the upper-right side of the DFS Management screen, click New Namespace. You will then see the Namespace Server Wizard. Follow the steps through to completion:
1. Select Server Manager ➢ Tools ➢ DFS Management.
2. In DFS Management, click the Action drop-down, and select New Replication Group.
3. In New Replication Group Wizard, select the group type. Enter the name of the replication group (MYFIRSTNS), add any descriptions, and click Next.
4. Add the servers, and then click Next.
5. Select the topology, and then click Next.
6. Add the hub members, and click Next.
7. Select the replication group schedule, and click Next.
8. Set whether it is a primary member, and click Next.
9. Now add the folders to replicate, and click Next.
10. Review the settings, and click Finish.

Chapter 15: Dynamic Access Control: File Shares, Reimagined

Secure your data using conditions. Understand how you can secure your data without being a part of hundreds of groups. Using this knowledge, you will understand the building blocks of Dynamic Access Control.
Master It In your lab and using the examples we have shown at the start of this chapter, create a new share called Projects, and secure it so that only people in the Engineering and IT groups can access it. Make sure you test it. Do you remember how?
Solution Using Advanced Security on the folder, add in a condition for the Authenticated Users principal that selects the IT or Engineering group. Refer to Figure 15.5, which will show you the fields you need to modify.
Create a new claim type and resource property. As you move away from using groups and bloated Kerberos tokens, you need to understand how to ensure that only the right people can access your data. Using claim types and resource properties allows you to secure data with new elements.
Master It How can you ensure that only employees from Ireland can access the data located on your shares? What do you need to do in order to be able to use Country as an authorization token?
Solution Using the Dynamic Access Control Configuration Tool in Active Directory Administrative Center, create a new claim type that is based on the Country Active Directory attribute, and add in different values including Ireland. Once you have created a new claim type, create a new referenced resource property, which should be based on the claim type you just configured.
Secure hundreds of servers. Dynamic Access Control is a powerful tool for securing data, but when you have a large server estate, you need to make this an easy technology to deliver to the organization to provide the maximum benefit.
Master It You need to secure all of your data across all of your file servers. How do you secure the data first so that only people in IT can have Full Control across all shares and Accounts and Engineering users have read-only access?
Solution First, you need to create Central Access rules, which will contain the permissions for securing your data. Then you need to add in authenticated users and set the permissions to Read Only and Read and Execute. Then modify the condition for users from the Accounts and Engineering departments. Then add authenticated users again, and add Full Control and a condition for users from the IT department.
Create a Central Access Policy and add the Central Access rule to the policy. When you have finished, create a new GPO and add the new Central Access Policy. Apply the group policy to the appropriate OU so it gets applied to the correct file servers.
If necessary, run GPUPDATE on the relevant file servers, and then on a share you want to apply the policy to, select the correct Central Access Policy.
Classify and secure data without knowing what the data is. Imagine a vast file server array with millions of files. As you know, it has not been common practice to properly classify documents as they are written. Knowing how to approach this and properly classify and secure this data is paramount to an organization.
Master It Across your file servers you have documents that contain sensitive information, including credit card numbers and payroll data. How can you automatically secure this data and ensure that only the Accounts and HR departments can access this information?
Solution First, create classification rules; the credit card rules should use regular expressions to detect credit card number patterns. The next set of rules should detect strings that are relevant to payroll, for example, monthly pay or salary. Configure the options in File Server Resource Manager to run on a schedule so it will retroactively apply to the entire server. Finally, using Dynamic Access Control, create a new access rule and policy that will target the resources that have been classified by department, and secure them using conditional access to the Accounts and HR departments.
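The classification half of that answer can be scripted with the FileServerResourceManager cmdlets. This is an added example, not code from the book: it defines a Sensitivity property, one content rule that matches credit card number patterns by regular expression, one that matches payroll wording, and a weekly schedule so existing files are classified retroactively. It assumes the FSRM role service is installed and that the shares live under E:\Shares (hypothetical path); in a DAC deployment the property would come from Active Directory rather than being defined locally.

```powershell
# Added example (not from the book): tag files containing card numbers or
# payroll wording with Sensitivity=High so a Central Access Policy can
# target them. Assumes FS-Resource-Manager is installed; paths are hypothetical.
Import-Module FileServerResourceManager

# 1. A local classification property. With Dynamic Access Control you would
#    define the resource property in AD instead and pull it down with
#    Update-FsrmClassificationPropertyDefinition.
$values = @(
    New-FsrmClassificationPropertyValue -Name 'High'   -Description 'Credit card or payroll data'
    New-FsrmClassificationPropertyValue -Name 'Normal' -Description 'No sensitive pattern found'
)
New-FsrmClassificationPropertyDefinition -Name 'Sensitivity' -Type SingleChoice -PossibleValue $values

# 2. Content rule for card numbers: a Visa, MasterCard or Amex prefix followed
#    by 13-16 digits with optional spaces or dashes. FSRM only runs the regex;
#    it cannot apply a Luhn check, so expect some false positives and review
#    the classification report before trusting the tag.
$cardPattern = '\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2})(?:[ -]?\d{4}){2}[ -]?\d{1,4}\b'
New-FsrmClassificationRule -Name 'Credit card numbers' `
    -Property 'Sensitivity' -PropertyValue 'High' `
    -Namespace @('E:\Shares') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @($cardPattern) `
    -ReevaluateProperty Overwrite

# 3. Content rule for payroll wording (plain strings rather than a regex).
New-FsrmClassificationRule -Name 'Payroll documents' `
    -Property 'Sensitivity' -PropertyValue 'High' `
    -Namespace @('E:\Shares') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('monthly pay', 'salary', 'payroll') `
    -ReevaluateProperty Overwrite

# 4. Classify every Sunday at 02:00 so files written before the rules existed
#    are picked up, and run one pass now to seed the tags.
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')
Set-FsrmClassification -Schedule $schedule
Start-FsrmClassification

# 5. Confirm which rules are active.
Get-FsrmClassificationRule | Format-Table Name, Property, PropertyValue, ClassificationMechanism
```

The Central Access Rule described above then uses a resource condition on Sensitivity equals High, with its permission entries conditioned on the Accounts and HR department claims.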

Chapter 16: Sharing Printers on Windows Server 2012 R2 Networks

Add the Print and Document Services role. Windows Server 2012 R2 servers can be configured to perform as print servers. One of the first steps you must take is to add the Print and Document Services role. There are different steps needed if you’re adding the role to a full installation of Windows Server 2012 R2 vs. a Server Core installation.
Master It What tool would you use to add the Print and Document Services role on a full installation of Windows Server 2012 R2? What tool would you use to add the Print and Document Services role on a Server Core installation of Windows Server 2012 R2?
Solution Use Server Manager to add the Print and Document Services role on a full installation of Windows Server 2012 R2. Use the PowerShell command-line utility to add the Print and Document Services role on a Server Core installation of Windows Server 2012 R2. The actual command is as follows:
Add-WindowsFeature Print-Service
Manage printers using the Print Management console. After adding the Print and Documents Services role to the server, you can use the Print Management console to manage other print servers, printers, and print drivers.
Master It Your company has purchased a new print device, and you want it to be hosted on a server that is configured as a print server. How would you add the printer to the print server?
Solution You can add printers through the Print Management console. Right-click the printer’s node within the desired server, and select Add Printer to start the Add Printer Wizard.
Manage print server properties. The spool folder can sometimes take a significant amount of space on the C drive, resulting in space problems and contention issues with the operating system. Because of these issues, the spool folder is often moved to another physical drive.
Master It You want to move the spool folder to another location. How can you do this?
Solution Launch the PMC, and browse to the server. Right-click the server, and select Properties. Change the location of the spool folder on the Advanced tab. Any spooled documents will be lost, so you should ensure users aren’t currently printing to any printers hosted by the server.
Manage printer properties. Printers can be added to Active Directory so that they can be easily located by searching Active Directory. Printers must be shared first, but they aren’t published to Active Directory by default when they are shared.
Master It You want users to be able to easily locate a shared printer. What can you do to ensure the shared printer can be located by searching Active Directory?
Solution Launch the PMC, and browse to the printer. Right-click the printer, and select List in Directory, or access the Sharing tab of the printer’s properties, and select List in Directory.

Chapter 17: Remote Server Administration

Configure Windows Server 2012 R2 servers for remote administration. Servers must be configured to allow remote administration before administrators can connect remotely.
Master It Configure a server to allow remote connections by clients running RDC version 6.0 or greater.
Solution Click Start, right-click Computer, and select Properties. Click Remote Settings. Select “Allow connections only from computers running Remote Desktop with Network Level Authentication (Recommended).” Click OK.
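The same setting can be audited and applied from PowerShell, which is handy when you have more than one server to check. This is an added example, not code from the book: it reads the registry values behind the Remote Settings dialog and, when asked, enables Remote Desktop with Network Level Authentication and the TLS security layer. Run it from an elevated prompt; the registry paths are the standard Terminal Server locations.

```powershell
# Added example (not from the book): check and enforce the Remote Desktop
# settings that the Remote Settings dialog writes. Elevated prompt required.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpSecurityState {
    [pscustomobject]@{
        # fDenyTSConnections 0 = Remote Desktop enabled
        RemoteDesktopEnabled = (Get-ItemProperty $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
        # UserAuthentication 1 = NLA required (the "Recommended" option in the dialog)
        NlaRequired          = (Get-ItemProperty $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
        # SecurityLayer 2 = TLS required; 0 would fall back to legacy RDP encryption
        TlsRequired          = (Get-ItemProperty $rdpKey -Name SecurityLayer).SecurityLayer -eq 2
    }
}

function Enable-RdpWithNla {
    Set-ItemProperty $tsKey  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1 -Type DWord   # NLA
    Set-ItemProperty $rdpKey -Name SecurityLayer      -Value 2 -Type DWord   # TLS
    # Open the built-in rule group rather than writing a custom firewall rule.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

$state = Get-RdpSecurityState
$state
if (-not ($state.RemoteDesktopEnabled -and $state.NlaRequired -and $state.TlsRequired)) {
    Enable-RdpWithNla
    Get-RdpSecurityState
}
```

With NlaRequired set, clients older than RDC 6.0 are refused before the logon screen is ever drawn, which is the point of choosing the NLA option.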
Remotely connect to Windows Server 2012 R2 servers using Remote Desktop Connection. You can remotely connect to servers to do almost any administrative work. Servers are often located in a secure server room that is kept cool to protect the electronics. They can be in a different room, a different building, or even a separate geographical location, but they can still be remotely administered using either RDC or Remote Desktops.
Master It Connect to a server using RDC. Ensure your local drives are accessible when connected to the remote server.
Solution Launch RDC by selecting Start ➢ Accessories ➢ Remote Desktop Connection. Alternatively, you could enter mstsc from the command line or Run line. Enter the name of the remote server in the Computer text box. Click Options. Select the Local Resources tab. Click More, and select Drives.
Remotely connect to Windows Server 2012 R2 servers using a Remote Desktop Protocol file. If you regularly connect to a remote server using RDC, you can configure an RDP file that can be preconfigured based on your needs for this server. This RDP file will store all the settings you configure for this connection.
Master It Create an RDP file that you can use to connect with a server named Server1. Configure the file to automatically launch Server Manager when connected.
Solution Launch RDC by selecting Start ➢ Accessories ➢ Remote Desktop Connection. Click Options, and select the Programs tab. Select the “Start the Following Program on Connection” check box, and enter ServerManager.msc in the text box. Click the General tab, and enter Server1 in the Computer text box. Click Save As, and save the file.
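An RDP file is plain text, one name:type:value line per setting, so the file the two exercises above produce (drive redirection, and a program started on connection) can be written and inspected without the dialog. This is an added example, not code from the book: it writes such a file for Server1, then parses it back so you can check no password has been stored in it. The file location is hypothetical.

```powershell
# Added example (not from the book): generate the RDP file for Server1 and
# audit RDP files for embedded credentials. Path is hypothetical.
$rdpPath = "$env:USERPROFILE\Documents\Server1-ServerManager.rdp"

$settings = @(
    'full address:s:Server1'
    'alternate shell:s:ServerManager.msc'   # "Start the following program on connection"
    'remoteapplicationmode:i:0'
    # Drive redirection: '*' would map every local drive. List only what the
    # task needs, because anything running in the remote session can read
    # a redirected drive.
    'drivestoredirect:s:D:;'
    'authentication level:i:1'              # refuse to connect if the server's identity can't be verified
    'prompt for credentials:i:1'            # always prompt; never save a password into the file
    'redirectclipboard:i:0'
)
# mstsc writes its own .rdp files as UTF-16, so match that encoding.
Set-Content -Path $rdpPath -Value $settings -Encoding Unicode

function Read-RdpFile {
    param([Parameter(Mandatory)][string]$Path)
    # Returns a hashtable of setting name -> value; type letters are s, i, b.
    $result = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $result[$matches.name] = $matches.value
        }
    }
    $result
}

$parsed = Read-RdpFile -Path $rdpPath
# "password 51:b:" is the field mstsc uses when a password is saved in the file.
if ($parsed.ContainsKey('password 51')) {
    Write-Warning "$rdpPath contains a saved password; remove it and rely on the credential prompt."
}
"Connecting to {0}, starting {1}, redirecting {2}" -f `
    $parsed['full address'], $parsed['alternate shell'], $parsed['drivestoredirect']

# Launch the connection from the file, exactly as double-clicking it would.
mstsc $rdpPath
```

Read-RdpFile can be pointed at any .rdp file found on a workstation to check the same thing.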
Configure a server for Remote Assistance. When your environment includes remote locations where junior administrators may occasionally need assistance, you can use Remote Assistance to access their session and demonstrate procedures.
Master It Configure a server for Remote Assistance.
Solution Launch Server Manager, select Roles and Features, and add the Remote Assistance feature. Once the wizard has completed, ensure Remote Assistance is enabled. Click Start, right-click Computer, select Properties, and select Remote Settings. Verify that the Remote Assistance check box is selected.
Install the Remote Server Administration Tools. The Remote Server Administration Tools (RSAT) include the snap-ins and command-line tools needed to manage Server 2003, Server 2008, and Server 2012 servers from Windows Vista, Windows 7, and Windows 8.
Master It Obtain and install RSAT on a Windows Vista or Windows 7 or 8 system.
Solution Obtain RSAT by going to Microsoft’s download site at www.Microsoft.com/downloads and typing in RSAT. Install RSAT by double-clicking the downloaded file and following the wizard. Enable the tools by adding the Remote Server Administration Tools feature via Control Panel ➢ Programs ➢ Turn Windows Features On or Off.

Chapter 18: Connecting Windows and Mac Clients

Verify your network configuration. DHCP provides centralized IP address configurations, and all Windows clients understand DHCP without any additional installations required.
Master It You need to verify that a client machine has received the correct IP address configuration via DHCP for the network you are working on. Which of the following commands would return these results?
Solution The ipconfig /all command returns local area connection configuration information including the following:
Join a client computer to a domain. Joining an Active Directory domain is key for workstations, because this provides centralized management from the Domain Admins group within the domain. Group Policy is centralized, security can be established, and even software can be controlled centrally.
Master It Is the following statement true or false? “When joining a computer to an Active Directory domain, the only way this can occur is if the user joining the computer to the domain is a domain admin.”
Solution It is false. Domain users can also add computers to the domain, but they can only do so up to 10 times. Users can also be delegated the right to add computers to the domain.
Change user passwords. By default Windows AD provides a 42-day maximum password age limit. This limit is preceded by a 14-day reminder that you need to change your password. The 42-day maximum is designed to maintain a certain level of security for the enterprise, not allowing passwords to become stale.
Master It A user has become paranoid and wants to change his user account password right away. He does not know how to do this and calls the help desk. The computer he is using is running the Windows 7 operating system. What do you tell him?
Solution Tell the user to open the Start menu, click the Windows Security button, and then click “Change a password.” He will need to input his old password and his new password and then click the arrow button.
Connect to network resources. Here’s a typical scenario: a user wants to connect to a printer on the domain that does double-sided printing and also stapling. But the user does not know where the company keeps these printers. The user calls the help desk.
Master It Which of the following is the most efficient way for the user to find printers matching this description?
a. Tell the user to walk around the office complex and check each printer to see whether it has these features.
b. Tell the user to use the net view command to check for shared printers on a per-computer basis.
c. Tell the user to start the Add Printer Wizard and then select the Search Active Directory option.
Solution c. The user should search Active Directory using the Add Printer Wizard. Using this wizard, the user can specify specific printer feature criteria and see all the printers that are published to Active Directory that have the feature set the user needs.
Prepare Active Directory for Mac OS X clients. Although Mac OS X can join Active Directory domains, you must take some preparatory steps to ensure they can communicate with Windows Server 2012.
Master It You want your Active Directory users who have Mac clients to connect to your Windows Server 2008 R2 servers using a single Active Directory logon. What network security feature of Windows must you change to permit Mac clients to communicate with your Windows Server 2012 domain?
Solution You must change the local policy for domain controllers to not always require SMB packet signing.
Connect a Mac to the domain. Mac OS X can connect to Active Directory and join domains. SMB protocol support is provided by a built-in version of Samba, letting OS X connect to Windows for file shares and printers.
Master It You want to add your Mac OS X client to your Active Directory domain. Which OS X utility should you use?
Solution Use Directory Access in your Utilities folder to configure and connect to Active Directory and create a computer account in the domain.
Connect to file shares and printers. OS X connects to Windows file shares and printers using the SMB support provided by Samba. Because support is integrated, you can use the Finder to connect to Windows resources directly rather than adding additional software.
Master It You are trying to access a network folder that is shared on a Windows Server 2012 computer from your domain-joined Mac client. How can you use the Finder to connect?
Solution In the Finder, click the Go menu, and select Connect to Server; then type the path using the format smb://servername/sharename.
Use Remote Desktop from a Mac client. Microsoft created the Remote Desktop Connection for Mac to provide Remote Desktop connectivity for Mac clients. Using RDC, you can access the functionality of your Windows computer directly from your Mac clients.
Master It You are using RDC to connect to your Windows Server 2012 server computer and want to save your network credentials so that you don’t have to enter them every time you connect. How can you do this?
Solution Enter your Active Directory credentials in Preferences under the RDC menu, and select the option to save the credentials in your Keychain.

Chapter 19: Web Server Management with IIS

Plan for and install IIS 8.5. Relatively lean by default, IIS 8.5 must be carefully and painstakingly planned so as not to install more modular functionality than you need. More than a resource concern, leaving unnecessary role services off the server is also a method of securing your websites. As always with Microsoft, there are multiple ways to install IIS 8.5, from an interactive GUI to PowerShell.
Master It You are about to install IIS 8.5 on a Windows Server 2012 R2 with the GUI removed. You want to install only the default roles as well as the ASP.NET role and what that role requires. What is the PowerShell command needed to accomplish this?
Solution The PowerShell command is Install-WindowsFeature -Name Web-Server, Web-ASP-Net45.
Manage IIS 8’s global default. IIS 8 modules are only one piece of evidence of the product’s compartmentalization. Web applications and individual configuration settings per site can be independently managed as well. A hierarchical ladder of global, web, application, and page settings allows granular administration by multiple engineers.
Master It What is feature delegation?
Solution Feature delegation is the art of allowing site administrators to configure a specific IIS feature at their own sites rather than accepting the feature behavior dictated by the global settings on the server. Delegation is enabled by unlocking specific sections of the web.config files on one or more sites.
Create and secure websites in IIS 8. Designing and generating new websites in IIS 8 can be accomplished via the GUI or CLI, allowing you to automate routine site creation. Permission structure can be copied from one site to another or managed from the upper layers of the settings hierarchy to simplify permission granting. IIS 8 eases site generation by packaging your website.
Master It You need to create a new website that has all the characteristics of the Default Web Site but must also support ASP.NET pages. You do not want to add ASP.NET support to the Default Web Site for fear of adding vulnerability to existing web content. How would you implement this?
Solution Create a new website, and add the ASP.NET module to the new site. Use a custom TCP/IP port number or host header to differentiate the new site from existing sites. Consider configuring a unique application pool identity for the site to isolate ASP.NET activity during troubleshooting.
Manage IIS 8 with advanced administration techniques. Day-to-day site maintenance and content posting may be the bulk of your IIS 8 administration. But additional higher-level management is what assures consistent and uninterrupted service of your web pages. Important configuring tasks, including recovering from disasters, monitoring performance, setting access or code security, and defining encryption, can be accomplished either locally or remotely.
Master It Because of limited storage space, you are revising your disaster-recovery plan. You are considering delaying backups of the IIS applicationhost.config file to monthly. However, you are concerned that minor global configuration changes made throughout the month may get lost if a failure occurs before the monthly backup. How would you recover a mid-month edit?
Solution IIS 8 maintains a configuration history of applicationhost.config according to the default schedule found in the iis_schema.xml file. Previous versions of the file can be restored with the Restore-WebConfiguration PowerShell command. By default, the automatically generated historical versions of applicationhost.config are stored in the history subdirectory under %systemdrive%\inetpub.

Chapter 20: Advanced IP: Routing with Windows

Document the life of an IP packet routed through your network. Understanding how the routing components work inside your hosts and routers will allow you to predict where network traffic will travel throughout your network. With this understanding comes the ability to troubleshoot network issues that appear perplexing.
Master It In the New York/London network from Figure 20.1, use your understanding of the route taken by an IP packet from host A in the New York site to host C in the London site to determine which addresses you should ping in order to discover routing issues that are preventing packets from traveling between A and C.
Solution When using the ping tool to track traffic from one host to another, it is important to realize that you are tracking return traffic. If a route is broken, it may well be in the return journey. Having said that, when debugging router issues from system A (New York) to system C (London), you should ping, in order, the following IP addresses:
A—192.168.0.1—To ensure that IP is configured on host A (New York)
D—192.168.0.100—To ensure that the router is on the network
D—192.169.0.100—To ensure that the router is routing traffic
B—192.169.0.3—To ensure that host B (London) is receiving, and responding to, traffic
Explain the class-based and classless views of IP routing. When discussing routing with networking professionals, it is important to understand the old class-based terminology to allow for conversations and documentation that may still linger on these terms. Understanding how classless IP routing works is key to avoiding inefficiencies brought on by too strict an adherence to class boundaries in network addressing.
Master It The address 172.24.255.255 lies inside class B, whose default netmask is 255.255.0.0. It also lies in the 172.16/20 RFC 1918 private network range, whose default netmask is 255.255.240.0. Given this information, is the address 172.24.255.255 a host address or a subnet broadcast address?
Solution The information given is insufficient to determine whether the address 172.24.255.255 is a host address or a subnet broadcast address. The default netmask is not relevant; only the netmask that is actually in use is relevant. If this is a network built by a network designer who was not thinking about supernetting or CIDR, this address may very well be treated as a subnet broadcast address. It is more likely, given that RFC 1918 talks about supernetting this address range, that this is a simple host address.
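As an added example (not from the book), the following Python uses the standard ipaddress module to classify 172.24.255.255 under several netmasks, showing that the host-or-broadcast verdict depends only on the mask actually deployed, never on the class-based default; the addresses and masks below are constructed for illustration.

```python
import ipaddress

def classify(address: str, netmask) -> str:
    """Classify an IPv4 address relative to the netmask actually in use.

    netmask may be a dotted quad ("255.255.240.0") or a prefix length (20).
    Returns 'network', 'broadcast' or 'host'. The legacy class default is
    deliberately not consulted: the mask configured on the link decides.
    """
    addr = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    if net.prefixlen >= 31:
        # /31 (RFC 3021) and /32 links have no network or broadcast address.
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"

def classful_default_mask(address: str) -> str:
    """Legacy class A/B/C default mask, kept only for reading old documentation."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError("class D/E addresses have no default mask")

def compare_masks(address: str, masks) -> dict:
    """Return {mask: classification} so the reader sees the verdict flip with the mask."""
    return {str(m): classify(address, m) for m in masks}

if __name__ == "__main__":
    target = "172.24.255.255"   # constructed: the address from the exercise
    print("class default mask:", classful_default_mask(target))
    for mask, verdict in compare_masks(
        target,
        ["255.255.0.0",     # class B default (/16)
         "255.255.240.0",   # /20 subnet mask
         "255.240.0.0",     # /12 supernet mask
         "255.255.255.0"],  # /24 subnet mask
    ).items():
        print(f"{target} with mask {mask}: {verdict}")
```

Under the /12 supernet the address is an ordinary host; under the /16 class-B default or a /20 subnet it is a broadcast address, which is why the mask in use must be known before the address can be interpreted.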
Use NAT devices to route TCP traffic. Until we all switch to using IPv6, we will need to use NAT devices to route TCP traffic from our many networked hosts to the outside world, while using only a few of the increasingly rare public IP addresses. Understanding how NAT devices change the source and destination addresses of IP packets will allow you to read network packet traces and interpret which systems are intended as recipients of data.
Master It A user complains that when he tries to connect to an FTP site, the connection initially succeeds, but the first time that a file listing is attempted, his connection is severed, and the server states that it cannot connect to 192.168.0.10.
What are likely causes of this problem, and how could this be addressed?
Solution FTP, like SIP and several other protocols, often includes the IP address of the host in its communication.
Whenever an RFC 1918 address such as 192.168.*.* is seen as part of an error, your first thought should be that there may be a problem with a NAT router between the two hosts. With FTP, there are a number of possible causes and fixes:

Chapter 21: Getting from the Office to the Road: VPNs

Add the Network Policy and Access Services role. The first step to create a VPN server is to add the Network Policy and Access Services role. Once the role is added, you can take additional steps to configure the VPN server.
Master It You need to add the Network Policy and Access Services role to create a VPN server. How can you accomplish this?
Solution Launch the Server Manager ➢ Local Server ➢ Manage menu, choose the Add Roles and Features option, and then add the Network Policy and Access Services role.
Understand the Remote Access role. The Remote Access role includes much more than just the ability to create a traditional VPN server.
Master It Name the individual services within this role (choose three):
a. Remote Access Service
b. VPN Service
c. Routing
d. IPsec
e. DirectAccess
Solution a, c, e. Remote Access Service, Routing, and DirectAccess are the three individual services that make up the Remote Access role.
Configure a VPN server. You have added the Remote Access role and now want to configure your VPN server to accept connections from clients.
Master It What should you do to configure your VPN server?
Solution Launch Routing and Remote Access by selecting Server Manager ➢ Tools ➢ Routing and Remote Access. Right-click the server, and select Configure and Enable Routing and Remote Access. Use the wizard to complete the configuration.
Explore DirectAccess. DirectAccess enables remote users to securely connect back into the corporate environment without the need to use a traditional VPN client.
Master It What client operating systems are supported for Windows Server 2012 R2 DirectAccess?
Solution Only Windows 7 Enterprise and Ultimate and Windows 8 Enterprise are supported client operating systems for DirectAccess.

Chapter 22: Adding More Locations: Sites in Active Directory

Create a site. Site objects are added to Active Directory to represent well-connected physical locations that will host domain controllers. Once a decision has been made to place a DC in a physical location, you need to add a site.
Master It Create a site to represent a new business location in Virginia Beach.
Solution Launch Active Directory Sites and Services. Right-click Sites, and select New Site. Name the site VB, select an existing site link, and click OK.
Add subnets to sites. Active Directory uses clients’ subnets to determine which site they are in. For this to work, subnet objects need to be created and associated with sites.
Master It Create a subnet object to represent the 10.15.0.0/16 subnet that exists in the Virginia Beach location. Associate the subnet object with the VB site.
Solution Launch Active Directory Sites and Services. Right-click Subnets, and select New Subnet. Enter 10.15.0.0/16 as the prefix, and select the VB site. Click OK.
Configure a site link to replicate only during certain times. It’s often desirable to restrict when replication occurs between sites. If the defaults are used, replication will occur every 180 minutes. If the WAN link is heavily used during certain periods, you can configure the schedule so that it replicates only during certain times.
Master It Configure the Default-First-Site-Name site (or another site) to replicate only between midnight and 5 a.m.
Solution Launch Active Directory Sites and Services. Right-click the DefaultIPSiteLink site link, and select Properties. Click the Change Schedule button. Click Replication Not Available to change the schedule so that replication isn’t scheduled. Use your mouse to highlight the hours 5 a.m. to midnight for all seven days of the week. Click Replication Available, and click OK.
Configure Group Policy for the next nearest site. If a domain controller can’t be reached in a client’s site, the client will look for any domain controller without regard to how close it is. This can negatively impact logons for enterprises with several locations connected with different speed WAN links. You can configure Windows Vista (and newer) clients to locate and log on to a DC in the next nearest site if a DC can’t be located in their site. This can be done using Group Policy or the Registry Editor.
Master It Which of the following Group Policy settings can be manipulated to enable the next nearest site setting?
1. Computer Configuration ➢ Policies ➢ Administrative Templates ➢ System ➢ Logon ➢ DC Locator DNS Records
2. Computer Configuration ➢ Policies ➢ Administrative Templates ➢ System ➢ Net Logon ➢ DC Locator DNS Records
3. User Configuration ➢ Policies ➢ Administrative Templates ➢ System ➢ Logon ➢ DC Locator DNS Records
4. User Configuration ➢ Policies ➢ Administrative Templates ➢ System ➢ Net Logon ➢ DC Locator DNS Records
Solution Computer Configuration ➢ Policies ➢ Administrative Templates ➢ System ➢ Net Logon ➢ DC Locator DNS Records. The setting applies to computers, not users. Additionally, it affects how the netlogon service (not the logon process) locates domain controllers.

Chapter 23: The Third DC: Understanding Read-Only Domain Controllers

Prepare a forest and a domain for RODCs. RODCs are an excellent infrastructure asset in Windows Server 2012 R2 and can’t be added until the forest and domain are prepared. The preparation will modify the schema and permissions.
Master It Identify the command that needs to be executed to prepare the forest to support RODCs.
Solution The adprep command needs to be executed from the command line. The following command will prepare the forest: adprep /forestprep.
Prepare the domain. In addition to preparing the forest, you must also prepare the domain before RODCs can be added.
Master It Identify the two commands that need to be executed to prepare the domain to support RODCs.
Solution The adprep command needs to be executed from the command line. The following two commands should be executed after adprep /forestprep:
If a forest is created with all Windows Server 2008 or later servers as domain controllers, it’s not necessary to execute adprep /forestprep and adprep /domainprep, but adprep /rodcprep still must be executed.
Allow passwords on any RODC. The RODC can cache passwords for users based on how it’s configured. When a user’s password is cached on the RODC, the authentication process doesn’t have to traverse the WAN link and is quicker. However, a cached password is susceptible to an attack, so privileged accounts should not be cached on the server.
Master It What should you modify to allow users to have their passwords cached on any RODC in the domain?
Solution You should modify the Allowed RODC Password Replication group. Members of this group can have their passwords replicated or cached on any RODC in the domain.
Allow passwords on a single RODC. It’s possible to configure the environment so members of a group can have their passwords replicated and cached to any RODC in the domain. It’s also possible to configure the environment so that the passwords will be replicated or cached only to a single RODC.
Master It What should you modify to allow users to have their passwords cached on a specific RODC in the domain?
Solution You should modify the password replication policy. Each RODC has a Password Replication Policy tab that can be modified to allow users to have their passwords cached or replicated onto that RODC.

Chapter 24: Creating Larger Active Directory Environments: Beyond One Domain

Explain the fundamental concepts of Active Directory with clarity. The Active Directory environment gets back to nature with the forest and trees. The forest is the collection of domains built in relation to each other through AD DS. The trees are domains within a hierarchal DNS namespace with “the same last name.” The key to the relation between domains is the automatic and nonconfigurable two-way transitive trust relation.
Master It When the first domain controller for the first domain is created, three partitions are created within the Active Directory database. What are these three partitions named, what is contained in them, and which are replicated to the other domain controllers of the forest?
Solution The three partitions are the domain partition, the schema partition, and the configuration partition. The domain partition contains objects pertaining to the domain such as computer and user accounts and is replicated to domain controllers of the domain. The schema partition defines the objects of Active Directory and which data values are assigned to each object. The configuration partition holds data concerning Active Directory replication and other forest-related configurations. The schema and configuration partitions are replicated throughout the forest.
Choose between using domains, multiple domains, or multiple forests with an Active Directory design. In planning an Active Directory design, you might decide you need multiple domains instead of using organizational units within a single domain. Replication limitations, legal requirements, and political forces are the top reasons for considering multiple domains.
Master It What features of Windows Server 2012 R2 eliminate two security-related reasons for multiple domains?
Solution The two security-related reasons for multiple domains were password policies and poor security at branch offices. The feature of fine-tuned password policies that can be applied to users through the use of GPOs relieved the need for creating separate domains for differing password policies. The read-only domain controller with password caching reduces the risk of a stolen domain controller getting into the hands of an evil hacker and retrieving passwords from the Active Directory database or replicating corrupt changes to the rest of domain controllers.
Add domains to an Active Directory environment. You have to use the Active Directory Domains Services Configuration Wizard whenever you are going to build a new domain or replica domain controller in an Active Directory forest. In previous versions of Windows Server, the DNS structure needed to be in place prior to the installation. With Windows Server 2012 R2, everything is done for you.
Master It Since DNS is now handled by Windows Server 2012 R2, it would be nice to know if it did it right. What four changes should you see if you add a new child domain?
Solution You should see these changes:
Manage function levels, trusts, FSMO roles, and the global catalog. Several forest-related configurations were discussed, which would be managed by enterprise admins. The functional levels for the forest and domains provide the availability of features of the latest Windows Server version. All domain controllers need to be upgraded to that level to benefit from these features. Although you can raise functional levels, you can’t lower them. The five FSMOs are specific roles assigned to domain controllers within the domains and forest. The PDC Emulator, RID Master, and Infrastructure Master are domain-related roles. The Domain Naming Master and Schema Master are forest-related roles. Trusts are required to share resources between domains that are not part of the same forest. The exception is shortcut trusts, which reduce the trust path between two domains within the same forest.
Master It The placement of an FSMO role is dictated by the domain to which it is assigned and the Global Catalog role. Which two roles have rules concerning placement in regard to the global catalog?
Solution The Domain Naming Master, which is located in the forest root domain, has to be placed on a domain controller with the Global Catalog role. The Infrastructure Master role, which is located in each domain, cannot be located on a domain controller with the Global Catalog role. However, in a single-domain Active Directory environment, this doesn’t apply.

Chapter 25: Migrating, Merging, and Modifying Your Active Directory

Introduce new versions of Active Directory into a network. Upgrading to a new version of Windows Server means you also need to upgrade existing domain controllers. There are two basic methods to add a new version of Active Directory into an organization: Upgrading a domain controller or upgrading the domain by adding a new domain controller.
Master It Both operations require you to modify the Active Directory database using the adprep.exe utility. What three options do you need to run? What option can you also run?
Solution /forestprep modifies the schema of the Active Directory forest to support Windows Server 2008 R2’s Active Directory.
/domainprep prepares the domain for a Windows Server 2008 R2 domain controller.
/gpprep modifies permissions on Group Policy objects for replication to Windows Server 2008 R2 domain controllers.
/rodcprep prepares the forest for deploying the read-only domain controllers. This is optional and can be run at another point.
Migrate domains accounts from one domain to another. The requirement to move users and groups from an existing domain to a clean and pristine domain often happens when companies merge or spin off. In addition, this can be required when a forest restructuring is justified. Microsoft offers the ADMT utility to perform domain migrations.
Master It After a user account is migrated to the new domain, what gives the user access to resources within the original domain?
Solution Resources in the original domain have permissions assigned that grant access to listed security principals such as user accounts. The permissions, also called ACEs, list the user’s SID. After a user account is migrated, its SID changes. However, the original SID is saved as SID history. When the user authenticates in the other domain, the SID in SID history will match the permission on the resource.
SID filtering, which is enabled by default on domain trusts, will prevent this action from happening. You must manually disable this security feature.

Chapter 26: Advanced User Account Management and User Support

Deploy home directories to multiple users. Home directories allow a user to have a personal store of information stored on a file server. This makes their data available to them no matter where they log in on the network.
Master It You’ve been tasked with deploying home directories to many users in the OU that you manage. You want to do this as quickly as possible. Your backup application uses an administrator user account, so you need to ensure that it has access to the users’ home directories on the file server. How will you set this up?
Solution
1. Create a file share on the file server to contain your home directories, and set the permissions appropriately.
2. Configure a Group Policy object for your OU. Enable “Add the Administrators security group to roaming users’ profiles,” which can be found in Computer Configuration\Administrative Templates\System\User Profiles.
3. Navigate to the OU in Active Directory Users and Computers. Select all of the user objects in the OU, right-click, and select Properties. Enter the path of the home directory file share, and add \%username% to the end.
Your home directories will be created automatically and administrators on the file server will have access to them.
Set up mandatory roaming profiles. Mandatory roaming profiles can be used to provide users with a preconfigured working environment and to prevent them from saving changes to it.
Master It Your manager has asked you to set up a mandatory roaming profile for users of Windows 8. You’re also asked to see whether there is a way to prevent users from logging in if the mandatory roaming profile cannot be loaded.
Solution You need to configure a super mandatory roaming profile:
1. Log in as a sample user on a PC. Configure the working environment as required.
2. Log back into the PC as an administrator, and copy the sample user’s profile onto the network. You need to ensure that the required Active Directory security group has Full Control over the registry hive in the profile using regedit.exe.
3. Rename NTUSER.DAT in the profile to NTUSER.MAN. This will cause the profile to become a mandatory profile.
4. Rename the profile to something like Mandatory.V2 knowing that the .V2 is required for Windows 8 users.
5. To make this roaming mandatory profile into a super mandatory profile, you can rename the profile folder to Mandatory.MAN.V2.
Create logon scripts to automate administration. Administrators can use logon scripts to run a series of commands to preconfigure the working environment for a user when they log in. Administrators can use scripting languages such as command-prompt (batch) commands, VBScript, or PowerShell.
Master It You are designing an Active Directory for a large multisite organization. You need to be able to set up logon scripts for different scenarios:
You are asked what the running order will be for any user who will run all of the logon scripts.
Solution Write the three logon scripts, and save them into the NETLOGON folder on your domain controller. Create three Group Policy objects. Link the first GPO to the domain, and edit it to run the logon script for everyone. Link the second GPO to the Accounts OU, and edit it to run the logon script for the Accounts OU. Link the third GPO to the Dublin Active Directory site, and edit it to run the Dublin logon script.
The running order for GPOs is site, domain, OU, child OU. The running order of the logon scripts for a user inheriting all of the policies will be as follows:

Chapter 27: Server Virtualization with Hyper-V

Understand server virtualization. You are buying new servers whose main role will be to run Hyper-V. However, you are concerned that the new servers may not be capable of running Hyper-V because they do not meet the minimum requirements.
Master It What are the base CPU and BIOS requirements to run Hyper-V?
Solution You need an x64-based CPU and a BIOS that supports both CPU-assisted virtualization and Data Execution Prevention (DEP). A common problem is that although these features are offered by the system, they are not typically enabled in the BIOS of older server hardware. Make sure these features are turned on. If you need to change the DEP or virtualization settings, be aware that a cold boot is required: the computer must be turned completely off. A reset or software reboot is not sufficient.
Explore what’s new in Hyper-V 2012 R2. Microsoft has released a large number of new features and enhancements with Hyper-V 2012 R2 that should give IT pros, administrators, and consultants a much easier job in convincing their customers and bosses to use Hyper-V inside the business.
Master It In earlier versions of Hyper-V, rich copy and paste into VMs could be achieved only by using a Remote Desktop connection and didn’t work at all if there was no network connection present. What’s the name of the new feature that enables copy and paste into a VM with no network connection by utilizing the VMBus?
Solution Enhanced session mode allows you to easily copy and paste directly to and from a VM, even without a network connection being configured. It’s the same experience you get with a Remote Desktop connection to a machine but minus the need to worry about networking. Enhanced session mode leverages the VMBus via the Hyper-V integration components to deliver this experience.
Understand Hyper-V architecture. When you deploy the Hyper-V role to your computer, you’re creating a hypervisor architecture. A hypervisor is a software layer between the hardware and the operating systems running on the host. This is known as the bare-metal approach: virtualization at the lowest possible level. The main purpose of the hypervisor is to create isolated execution environments (partitions) for all operating systems. In line with that function, it is responsible for arbitrating access to the hardware.
Master It During the Hyper-V role deployment, the host restarts a couple of times to accommodate the placement of Hyper-V on top of the hardware, which is located at which ring level? (Choose one.)
a. Ring 3
b. Ring 0
c. Ring -1
d. Ring 2
Solution c. Ring -1 is where Hyper-V is placed on top of the hardware.
Install and configure a Hyper-V host. Just about the only thing you need to decide before you install the Hyper-V role is which NIC to use for managing the Hyper-V host. The idea is to have at least two NICs in the host, although you can make do with one if you really must. Expect no performance miracles in that case. With two NICs available, dedicate one to managing the host and the second for VM network traffic.
Master It If you have two or more NICs available for your Hyper-V environment, which option that’s enabled by default should you uncheck on the virtual NIC?
Solution It’s recommended to uncheck the “Allow management operating system to share this network adapter” option from your virtual NIC once the Hyper-V setup wizard has completed. Leaving this enabled means the host can access this switch, meaning that traffic between the VMs and their host operating system is shared, thus causing performance issues in heavily utilized environments. In a lab or non-production environment where you might have just one NIC available, leaving this option enabled should suffice, but if you have more than one NIC or are running a production Hyper-V environment, then it’s recommended to disable this option by simply unchecking the box and clicking Apply.
Configure and install a virtual machine. Conceptually, it takes two steps to create a VM from scratch. First you configure the virtual hardware of the VM, then you boot the VM and start installing the operating system. Once these two steps have been completed, you can use either Hyper-V Manager or PowerShell to manage the VM.
Master It When using the GUI to manage your VM, the console can “capture” the keyboard and mouse. You do so by clicking the virtual screen. When they’ve been captured, all input from the keyboard and mouse are sent to the VM. Initially, you can’t release control from the VM by just moving the mouse. What keyboard combination is configured by default to release control of the keyboard and mouse back to the host OS?
Solution You press the key sequence Ctrl+Alt+left arrow to release control. In a fully running VM with Integration Services installed, the experience is much better: you can move the mouse out of the virtual screen onto the desktop, and when that happens, the host takes control of the keyboard and mouse again. There is one special case: the Ctrl+Alt+Del sequence. Even when the VM has control, the host will process it. To send the Ctrl+Alt+Del sequence to a VM, you can either press Ctrl+Alt+End or use the console menu action (Ctrl+Alt+Del).

Chapter 28: Managing Virtual Machines

Virtualize domain controllers. Windows Server 2012 includes a new method of deploying any number of virtual DCs very quickly through virtual domain controller cloning. This gives administrators a supported solution to rapidly spin up replica domain controllers using an existing template DC for reference. Virtual DC cloning can be beneficial to organizations that want to quickly deploy multiple DCs into new domains as well as a helpful feature in private cloud environments to meet scalability requirements.
Master It What is the minimum supported version of Active Directory that you can use with virtual DC cloning?
Solution Virtual DC cloning requires a virtual DC running Windows Server 2012 or higher that is a member of the same domain as a PDC emulator that is also running Windows Server 2012 or higher.
Understand how to move your VMs around. Hyper-V in Windows Server 2012 gives you the option to export and import VMs between hosts with relative simplicity. This is made possible by the fact that all Hyper-V hosts offer almost identical hardware to their VMs through the integration components and synthetic drivers. If you wanted to move OS installations around in the physical server world, you would at the very least need to move the physical disks, which works only if the hardware is similar enough and isn’t always a guaranteed success.
Master It When moving a VM to another Hyper-V host, which three parameters need to be moved?
Solution The three parameters of a VM that need to be moved to another host when performing a VM move are configuration, current state, and data.
Manage your VMs. Although virtualization brings a lot of new features and flexibility to the table, there are still some of the more traditional maintenance tasks that you need to consider for your VMs, such as backing them up, managing malware protection, and keeping them up to date with the latest patches.
Master It If you are running a Hyper-V failover cluster on Windows Server 2012 R2, what technology would you use to patch your production VMs?
Solution If you have a Hyper-V failover cluster environment running Windows Server 2012 or higher, then you can leverage the Cluster-Aware Updating (CAU) feature, which will allow you to patch your servers with minimal downtime while the updates are being deployed.
CAU integrates with the built-in Windows Update Agent and Windows Server Update Services (WSUS) to download and install the updates. When you want to patch a Hyper-V cluster node running Windows Server 2012 R2, all you need to do is shut down the host and the new VM Drain feature will kick in, which will migrate all the VMs over to any other available hosts.
Understand disaster recovery with Hyper-V. Hyper-V Replica (HVR) is a feature available in Windows Server 2012 and higher. It allows for host-based replication of VMs without the need for any shared cluster components to support disaster-recovery scenarios.
Master It How many sites outside of your production site can you replicate your VMs to if you are running Hyper-V Replica on Windows Server 2012 R2?
Solution Using Hyper-V Replica, you can take a VM running on a Hyper-V host in one site and easily replicate it over to another site, up to a maximum of two additional sites.
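Setting up a replica in a second site and then extending it to a third, as an added PowerShell example (not from the book). Host names, the VM name, the storage path and the trust group name are assumptions; Kerberos authentication over HTTP is used, which is fine inside one forest but should be swapped for certificate-based authentication over HTTPS when the sites are not in a trusted domain.

```powershell
# Added example (not from the book): Hyper-V Replica between two sites with Kerberos authentication,
# then an extended replica to a third site (Windows Server 2012 R2). Names and paths are assumptions.
$Primary  = 'hv1.corp.example.com'   # production site
$Replica  = 'hv2.corp.example.com'   # DR site 1
$Extended = 'hv3.corp.example.com'   # DR site 2 (the extended replica; this is the last hop allowed)
$VMName   = 'FS01'

# 1. Replica host: accept replication, but only from the named primary server, not from any server.
Set-VMReplicationServer -ComputerName $Replica -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -ComputerName $Replica -AllowedPrimaryServer $Primary `
    -ReplicaStorageLocation 'D:\ReplicaVMs' -TrustGroup 'ProdSite'
# Kerberos replication travels over HTTP (port 80 by default); the listener rule exists but is disabled until you enable it.
Enable-NetFirewallRule -CimSession $Replica -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# 2. Primary host: enable replication for the VM (5-minute frequency, 4 recovery points) and send the initial copy.
Enable-VMReplication -ComputerName $Primary -VMName $VMName -ReplicaServerName $Replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -ReplicationFrequencySec 300 -RecoveryHistory 4
Start-VMInitialReplication -ComputerName $Primary -VMName $VMName

# 3. Extended replication: on the Replica host, replicate its copy of the VM onward to the third site.
#    Step 1 must first be repeated on $Extended with $Replica as the allowed primary server.
#    Extended replication only allows the 5- or 15-minute frequencies.
Enable-VMReplication -ComputerName $Replica -VMName $VMName -ReplicaServerName $Extended -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -ReplicationFrequencySec 900
Start-VMInitialReplication -ComputerName $Replica -VMName $VMName

# Verify health and last replication time from the primary's point of view.
Measure-VMReplication -ComputerName $Primary -VMName $VMName
```

Authorization entries are the control that matters here: with ReplicationAllowedFromAnyServer left at the default any host that can authenticate to the replica server could push VMs into it, so list the primaries explicitly and give each site its own storage location.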

Chapter 29: Installing, Using, and Administering Remote Desktop Services

Limit the maximum number of connections. You can change the licensing mode of a server to help ensure you remain compliant with the licensing agreement and allocations you have.
Master It You want to know what licensing mode the server is in. How do you do it?
Solution
1. Launch Server Manager.
2. Click Remote Desktop Services.
3. Choose Tasks ➢ Edit Deployment.
4. Choose RD Licensing.
Add an application to an RD Session Host server. Once the RDS role is added and the RD Session Host server is configured, you can install applications on it to make them available to the users who connect to that server.
Master It Your company has purchased an application that supports multiuser access. You want to install it on the RD Session Host server. What should you do?
Solution Install the application from its .msi (Windows Installer) package or through the Control Panel Programs and Features item (Add/Remove Programs in older versions).
If the application can be installed via one of these methods, it is not necessary to use the Change User command that was required in older versions of Terminal Services. If it can't be installed from an .msi file or through Programs and Features, you must run Change User /install before the installation and Change User /execute after it, so that the per-user settings the installer writes are captured for every user of the server.
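The install-mode procedure above, as an added PowerShell example (not from the book), with the one thing a scripted install must not get wrong: the host has to be returned to execute mode even when setup fails. The installer path and its silent-install switch are assumptions.

```powershell
# Added example (not from the book): install a legacy (non-.msi) application on an RD Session Host in install mode.
# The installer path and its '/S' silent switch are assumptions for illustration. Run this elevated on the RD Session Host.
$Setup = 'C:\Installers\LegacyApp\setup.exe'

change user /query            # report the current mode before touching anything
change user /install          # per-user registry and INI writes are now captured into the shadow area for all users
try {
    $proc = Start-Process -FilePath $Setup -ArgumentList '/S' -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Setup returned exit code $($proc.ExitCode); check the installer's log before retrying"
    }
}
finally {
    # Never leave the host in install mode: while it is on, every user's settings changes are captured as
    # application defaults, so the finally block runs whether the install succeeded or not.
    change user /execute
    change user /query
}
```

Change User only works for members of the local Administrators group, so keep the account that runs the install separate from the accounts that use the published applications; and if the package is a proper .msi, skip all of this and let msiexec handle it, as the solution says.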
Add a RemoteApp for Web Access. RemoteApp applications can be configured so that they are accessible to users via a web browser. Users simply need to access the correct page and select the application to launch it.
Master It Assume you have already configured your environment to support RemoteApp applications. You now want to add a RemoteApp application. What should you do?
Solution
1. Open Server Manager.
2. Click Remote Desktop Services.
3. Choose Collections.
4. Select your collection.
5. Click Tasks on the RemoteApp window and select Publish RemoteApp.
6. Select your app from the list or by navigating to the binary.
7. Click Publish.
8. Click Close.
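The same publishing step from PowerShell, as an added example (not from the book), with the two settings worth getting right when exposing an application through RD Web Access: who can see it and whether users can feed it their own command line. The collection name, broker, executable path and group name are assumptions.

```powershell
# Added example (not from the book): publish a RemoteApp with the RemoteDesktop module and lock down how it can be launched.
# Collection name, connection broker, file path and group name are assumptions for illustration.
Import-Module RemoteDesktop
$Broker     = 'rdcb01.corp.example.com'
$Collection = 'FinanceApps'

# -CommandLineSetting DoNotAllow rejects any arguments a user adds to the RDP file or web launch,
# which closes off the usual trick of pointing a published binary at a different file or script.
# -UserGroups limits who sees the app in RD Web Access and who can launch it at all.
New-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
    -DisplayName 'Ledger' -Alias 'ledger' `
    -FilePath 'C:\Program Files\Contoso\Ledger\Ledger.exe' `
    -CommandLineSetting DoNotAllow `
    -UserGroups 'CORP\Finance-Users' `
    -ShowInWebAccess $true

# Review what is published in the collection and how each app may be invoked; anything showing
# CommandLineSetting = Allow deserves a second look.
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object DisplayName, Alias, FilePath, CommandLineSetting, UserGroups, ShowInWebAccess
```

If an application genuinely needs arguments, use -CommandLineSetting Require together with -RequiredCommandLine so the server supplies a fixed command line rather than accepting one from the client.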

Chapter 30: Monitoring Windows Server 2012 R2

Use Server Manager to monitor multiple servers. The new Server Manager console in Windows Server 2012 R2 delivers out-of-box monitoring and health checks of your local and remote server infrastructure. It can be utilized to monitor multiple servers and the roles they are responsible for—all from one central console.
Master It You need to have a collated health state for the collective roles on multiple servers and want to manage them through Server Manager. What do you need to deploy? (Choose one.)
a. Security groups
b. Server groups
c. Distribution groups
d. Administrative groups
Solution b. Server groups are used when you need to have a collated health state for the collective roles on multiple servers and want to manage them through Server Manager.
Understand how to use Event Viewer. Event Viewer in Windows Server 2012 R2 is one of the essential tools used to monitor your system. Often, it’s one of the first places you’ll look once you realize your server has a problem, but it can also be used to proactively monitor servers. Event Viewer can often help you to quickly identify the source of a problem or at least gain enough knowledge to know where to look next.
Master It You’ve just deployed the Hyper-V role to your Windows Server 2012 R2 computer. Where would you find the associated event log for this role?
Solution The Applications and Services Logs folder includes logs for specific applications or components, and this is where you’d find the associated log for the Hyper-V role.
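Finding those Hyper-V channels and pulling the events that matter from them, as an added PowerShell example (not from the book). Nothing in it is environment-specific; the channel names are the ones the Hyper-V role registers under Applications and Services Logs ➢ Microsoft ➢ Windows.

```powershell
# Added example (not from the book): locate the Hyper-V event channels and pull recent problems from them.
# In Get-WinEvent terms the Applications and Services Logs entries for the role are channels named Microsoft-Windows-Hyper-V-*.
Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V*' |
    Where-Object RecordCount -gt 0 |
    Select-Object LogName, RecordCount, LastWriteTime

# Critical (1), Error (2) and Warning (3) events from the VM worker process and the management service
# over the last day. -ErrorAction SilentlyContinue matters: Get-WinEvent throws, rather than returning nothing,
# when no event matches the filter.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Hyper-V-Worker-Admin', 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    Level     = 1, 2, 3
    StartTime = $Since
} | Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message | Format-Table -Wrap
```

Use -FilterHashtable rather than piping every event through Where-Object; the filter is applied inside the event log service, which on a busy host is the difference between seconds and minutes.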
Explore Performance Monitor. Data collector sets can be used to measure and monitor the performance of a server. Performance Monitor includes built-in data collector sets that can be run on demand, and you can also create your own data collector set.
Master It Run the System Performance data collector set and view the resulting report.
Solution Launch the Performance Monitor suite via Server Manager ➢ Tools ➢ Performance Monitor. Right-click the System Performance data collector set, and select Start. When it completes, right-click the data collector set, and select Latest Report.
Explore the PAL and PerfView tools. Performance Analysis of Logs (PAL) and PerfView are two external tools that can help you simplify the collection and analysis of your performance data, as well as create comprehensive performance baselines for your applications that are running on Windows Server 2012 R2.
Master It PAL can be very useful when used in conjunction with Performance Monitor counter logs. What file extension is used with these counter logs? (Choose one.)
a. .chk
b. .perf
c. .blg
d. .evnt
Solution c. .blg file extensions are used with Performance Monitor counter logs.
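Producing a counter log in exactly the format PAL expects and reading it back, as an added PowerShell example (not from the book) that serves both the Performance Monitor and the PAL exercises above. The counter list, sample interval and output path are assumptions; for a real baseline you would run the collection for hours, not a minute.

```powershell
# Added example (not from the book): collect a short counter log in binary .blg format and read it back.
# Counter set, interval and output path are assumptions; run elevated so PhysicalDisk counters are readable.
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
    '\Network Interface(*)\Bytes Total/sec'
)
$Log = 'C:\PerfLogs\baseline.blg'
New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null

# 12 samples 5 seconds apart (one minute). A baseline worth feeding to PAL runs for hours at a 15-60 s interval.
Get-Counter -Counter $Counters -SampleInterval 5 -MaxSamples 12 |
    Export-Counter -Path $Log -FileFormat BLG -Force

# Read the log back: one sample set per interval, each carrying a CounterSamples collection.
$Samples = Import-Counter -Path $Log
"{0} sample sets in {1}" -f $Samples.Count, $Log
$Samples | ForEach-Object { $_.CounterSamples } |
    Where-Object Path -like '*% Processor Time' |
    Measure-Object -Property CookedValue -Average -Maximum
```

For an unattended, long-running baseline the equivalent data collector set is created with logman create counter, using -f bin for the same .blg output and -si for the interval, and it keeps running after your PowerShell session ends; Get-Counter/Export-Counter is the quick way to confirm the counter paths are right before committing to that.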
Understand System Center 2012 R2 Operations Manager. Operations Manager (also known as OpsMgr or SCOM) is an end-to-end monitoring solution that covers Microsoft and 19 different cross-platform environments. From one central console it monitors servers, applications, hardware, and operations across many computers. You can use it to map out all of the components of an individual IT service and then roll them up into a holistic, easy-to-manage single monitoring view.
Master It When you first deploy Operations Manager and push an agent out to a server, it sees that server only as an entity that is either up or down. How do you get Operations Manager to see the different roles and applications on your servers?
Solution Operations Manager learns what it has to monitor on each agent from management packs, which are developed and made available by the application or product vendor or by the wider System Center community. A management pack tells the Operations Manager infrastructure how to discover a role or application, which health rules and monitors apply to it, and how to alert on it, and it is what allows the agents to bring those roles and applications under monitoring control.

Chapter 31: Patch Management

Use Windows Automatic Updates to check for new updates on a computer running Windows 8. Windows Update (Automatic Updates) is a Control Panel item used to check Microsoft Update to see whether any updates are available for your computer.
Master It On a Windows 8 computer, use Windows Automatic Updating to see whether any new updates are available for your computer.
Solution Follow these steps to see if updates are available:
1. From the Start screen, type Control Panel and open it.
2. Click Windows Update.
3. Click “Check for updates.”
If updates are available for your computer, you will be prompted to install them.
Use the Windows Update Standalone Installer to silently install a security update. The Windows Update Standalone Installer (Wusa.exe) installs .msu update packages on Windows Vista, Windows Server 2008 and all later Windows versions.
Master It Install a security update in quiet mode and defer a required reboot by using the Windows Update Standalone Installer.
Solution Run wusa.exe update.msu /quiet /norestart at an elevated command prompt, where update.msu is the filename of the security update package. Because .msu files are associated with Wusa.exe, running update.msu /quiet /norestart directly has the same effect.
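A scripted version of that install, as an added PowerShell example (not from the book), with the checks a practitioner adds around it: verify the package signature before running it, read Wusa.exe's exit code instead of assuming success, and confirm the KB afterwards. The file path is an assumption; KB2919355 is the Windows 8.1 Update package and is used only as a realistic file name.

```powershell
# Added example (not from the book): quiet .msu install with signature check, exit-code handling and verification.
# The path is an assumption; the file name follows Microsoft's standard <OS>-KB<number>-<arch>.msu pattern.
$Msu = 'C:\Updates\Windows8.1-KB2919355-x64.msu'

# Refuse anything that does not carry a valid Authenticode signature from Microsoft.
$Sig = Get-AuthenticodeSignature -FilePath $Msu
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to install $Msu : signature status is $($Sig.Status)"
}

# Wusa.exe does the install; /quiet suppresses UI, /norestart defers the reboot.
# -Wait is required or the exit code read below is meaningless.
$p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$Msu`" /quiet /norestart" -Wait -PassThru

switch ($p.ExitCode) {
    0       { 'Installed; no reboot required.' }
    3010    { 'Installed; reboot required (deferred by /norestart).' }   # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302 { 'Already installed.' }                                      # WU_S_ALREADY_INSTALLED (0x240006)
    default { throw ('wusa.exe failed with exit code {0} (0x{0:X8})' -f $p.ExitCode) }
}

# Confirm the package shows up in the installed-updates list; the KB number is taken from the file name.
if ($Msu -match 'KB(\d+)') { Get-HotFix -Id "KB$($Matches[1])" }
```

Run this locally or through a scheduled task on the target: on Windows 8.1 and Windows Server 2012 R2, Wusa.exe refuses to install .msu packages from inside a PowerShell remoting session, so for remote deployment expand the .msu and use DISM /Online /Add-Package on the contained .cab, or let WSUS do the job.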
Identify the four phases of patch management. According to Microsoft, there are four phases in planning a patch-management strategy.
Master It Which of the following is not one of the four phases of patch management?
1. Identify
2. Troubleshoot
3. Evaluate and Plan
4. Assess
5. Deploy
Solution Troubleshoot is not one of the four phases of patch management. The four phases in Microsoft's order are as follows:
1. Assess
2. Identify
3. Evaluate and Plan
4. Deploy
Following a standardized, documented process helps bring order to the chaos of patch management.

Chapter 32: Windows Server 2012 R2 and Active Directory Backup and Maintenance

Use Windows Server Backup to back up and restore a Windows Server 2012 R2 computer. Windows Server Backup is installed as a feature in Windows Server 2012 R2 and can be used to create various types of backups to protect your server computer. Full server backups contain the operating system, critical volumes, and all data on the server; while critical volume backups protect all volumes the operating system depends on, but not necessarily the additional data stored on the server.
Master It Your server contains two hard disks; the first contains the operating system, and the second contains user data. How can you use Windows Server Backup to protect the operating system and the user data?
Solution Perform a full server backup, which will by default back up both volumes.
Defragment AD DS offline. Windows Server 2012 R2 gives you the ability to perform an offline defragmentation and integrity check of the AD DS database without having to restart the computer and enter DSRM. Instead, you can stop AD DS and then use Ntdsutil.exe from an elevated command prompt to perform the offline defragmentation and integrity check.
Master It You want to defragment your AD DS database but do not want to shut down the server and restart it in DSRM. How do you do that?
Solution Stop AD DS, and then use Ntdsutil.exe from an elevated command prompt to defragment the Ntds.dit database.
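The offline defragmentation carried out as a script, as an added PowerShell example (not from the book). The compaction folder is an assumption and the NTDS path is the default; the script keeps the original database aside until the compacted copy has passed the integrity check, and restarts AD DS whatever happens.

```powershell
# Added example (not from the book): offline defragmentation and integrity check of ntds.dit without rebooting into DSRM.
# Compaction folder is an assumption; NTDS path is the default. Run elevated on the DC, after a successful system state backup.
$NtdsDir = "$env:SystemRoot\NTDS"
$Compact = 'C:\NTDS-Compact'
New-Item -ItemType Directory -Path $Compact -Force | Out-Null

Stop-Service -Name NTDS -Force     # -Force also stops the services that depend on NTDS (KDC, DNS, DFSR and so on)
try {
    # Compact into a new file; the live ntds.dit is untouched until the copy has been checked.
    ntdsutil "activate instance ntds" files "compact to $Compact" quit quit

    # Swap the compacted database in, keeping the original beside it, and remove the old transaction logs
    # (they belong to the previous database and must not be replayed against the new one).
    Move-Item -Path "$NtdsDir\ntds.dit" -Destination "$NtdsDir\ntds.dit.old" -Force
    Copy-Item -Path "$Compact\ntds.dit" -Destination "$NtdsDir\ntds.dit"
    Remove-Item -Path "$NtdsDir\*.log" -Force

    # Integrity check on the new file; if it fails, put the original back before AD DS restarts.
    $out = ntdsutil "activate instance ntds" files integrity quit quit
    if (-not ($out -match 'Integrity check successful')) {
        Move-Item -Path "$NtdsDir\ntds.dit.old" -Destination "$NtdsDir\ntds.dit" -Force
        throw "Integrity check failed on the compacted database; original restored. Output:`n$($out -join "`n")"
    }
    ntdsutil "activate instance ntds" "semantic database analysis" "go fixup" quit quit
}
finally {
    Start-Service -Name NTDS
    (Get-Service -Name NTDS).DependentServices | Where-Object Status -ne 'Running' | Start-Service
}
```

Keep ntds.dit.old until the DC has replicated cleanly for a few days (check with repadmin /showrepl), then delete it; it is a full copy of the directory, including password hashes, and should not be left lying on the volume.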
Install the Active Directory Recycle Bin. A downside for some people with the Windows Server 2008 R2 version of the Recycle Bin was that it had to be managed fully through PowerShell. In Windows Server 2012 R2, you now have GUI management of the Recycle Bin.
Master It You want to install the Active Directory Recycle Bin without using PowerShell. How do you achieve this?
Solution From the Active Directory Administrative Center, click your (local) domain from the navigation pane on the left, and then in the Tasks pane on the right, click Enable Recycle Bin.
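For comparison with the ADAC task above, the PowerShell route with the prerequisite and safety checks, plus a restore, as an added example (not from the book). The forest name and the deleted account's name are assumptions.

```powershell
# Added example (not from the book): enable the AD Recycle Bin from PowerShell with the checks ADAC does not show you,
# then restore a deleted object. Forest name and the deleted user's name are assumptions.
Import-Module ActiveDirectory
$Forest = 'corp.example.com'

# Prerequisite: forest functional level Windows Server 2008 R2 or higher.
$Level = (Get-ADForest -Identity $Forest).ForestMode
if ([int]$Level -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level $Level is too low for the Recycle Bin"
}

# Enabling is one-way: the feature cannot be turned off again, so only do it when it is not already on.
$Feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($Feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# Restore a deleted user by its last known name. While the Recycle Bin is on, deleted objects keep their SID,
# group memberships and attributes for the deleted-object lifetime (msDS-DeletedObjectLifetime, 180 days by default).
Get-ADObject -Filter { IsDeleted -eq $true -and Name -like 'jsmith*' } -IncludeDeletedObjects |
    Restore-ADObject
```

Restore-ADObject puts the object back under its last known parent; if that OU was deleted as well, restore the OU first or use -TargetPath to choose a new location.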
Create and recover a system state backup for Active Directory. Because domain controllers contain all the database information for Active Directory, recovering a failed domain controller server is critically important. When using Windows Server Backup or the command-line utility Wbadmin.exe, perform backups containing the system state at a minimum to preserve Active Directory.
Master It You want to protect your Active Directory data from the possibility of complete hardware failure of the server computer. Which types of backup will provide this protection?
Solution Use a system state backup at a minimum. Critical volume and full server backups also include all the information necessary to recover Active Directory.
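A backup policy that covers both exercises above (the two-disk server and the domain controller), as an added PowerShell example (not from the book) built with the WindowsServerBackup module. The data volume letter and the backup target are assumptions; the target must be a volume that is not itself part of the backup.

```powershell
# Added example (not from the book): full server backup with system state for a DC that has an OS volume and a data volume.
# The data volume (D:) and backup target (E:) are assumptions; E: must not be one of the volumes being backed up.
Import-Module WindowsServerBackup
$Policy = New-WBPolicy

# Bare-metal recovery pulls in every critical volume the OS depends on; system state covers AD (ntds.dit, SYSVOL,
# registry); the data volume is added explicitly so user data is protected too.
Add-WBBareMetalRecovery -Policy $Policy
Add-WBSystemState       -Policy $Policy
$Data = Get-WBVolume -AllVolumes | Where-Object MountPath -like 'D:*'
Add-WBVolume -Policy $Policy -Volume $Data

# Target: a dedicated local disk here; New-WBBackupTarget -NetworkPath works the same way for a share.
$Target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $Policy -Target $Target

# Full VSS backup so the backup clears the application log sequence; use -VssCopyBackup instead if another
# product already owns the backup cycle and must keep its own incremental chain intact.
Set-WBVssBackupOptions -Policy $Policy -VssFullBackup
Start-WBBackup -Policy $Policy

# Verify: the last job's outcome and the newest backup set on the target.
Get-WBJob -Previous 1
Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1 |
    Select-Object BackupTime, BackupTarget, Volume
```

The wbadmin equivalent is wbadmin start backup -backupTarget:E: -allCritical -systemState -include:D: -quiet. Whichever you use, protect the target: a system state backup of a domain controller contains every password hash in the domain, so the backup volume or share needs the same access controls as the DC itself.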