MCSA Windows Server 2012 R2

Common tools to use

* PowerShell

With this you can in principle do everything you need to do on a Windows Server 2012 R2.

The commands take the following form: Get-WindowsFeature, Install-WindowsFeature, Set-ADUser etc. All Get commands gather information. All Install commands perform installations. You can also use Add-WindowsFeature, for example, which does the same as Install-WindowsFeature.

* Sconfig

Used for the initial configuration of a Windows Server 2012 R2 (Core) installation. Here you change the IP address, computer name, domain, activation etc.

* DISM

Used for offline and online images, to add or remove Windows features.

* NETSH (Network Shell) (This command handles everything network-related)

How NTDS.DIT (the file that stores Active Directory) is structured.

** These are replicated to all domains and across the whole forest

  • Domain
  • ** Schema (if you break this, you have wrecked the whole AD)
  • ** Configuration
  • Application (this is where DNS stores its data)

 

When you split a domain structure into "child domains", the main reasons are the following:

  • Different locations
  • Language
  • Security **
  • Delegation of rights ** (administrative role separation)
  • Less replication ** between domains

SYSVOL “C:\windows\sysvol”

This contains the Group Policies. It replicates domain wide, not forest wide.

 

When you create your first DC, it is automatically set as the "Global Catalog Controller"

All objects in AD are stored in the global catalog

Global Catalog =

  • Logons
  • Lookups

Domain_Tree

There are five important roles a server can hold, and there can only be one of each in a domain; the roles are as follows:

Operations Master (FSMO)

  • Schema Master
  • Domain Naming Master (used when domains are added or deleted)
  • RID Master (Relative Identifier Master): used when objects like users or groups are created; it keeps and creates a record of SIDs.
  • Infrastructure Master (only used in multiple-domain environments): keeps a record of foreign objects and makes sure they are valid.
  • PDC Emulator (Primary Domain Controller Emulator): this has the following roles: it keeps the Group Policy roles and replicates to the other domain controllers. It prevents password synchronization issues. It acts as the master browser, for example for UNC paths, but its most important role is time synchronization. If the clocks are more than five minutes apart, the user will not be able to log on, as all logons have to be within five minutes. The PDC Emulator is the first service the DC checks passwords against if the DC does not have the latest password.

When promoting a new domain controller into an existing domain, the RID Master must be available.

Roles that can be offline but are brought back up again are the PDC Emulator and the Infrastructure Master

To manage the roles above, one of the most powerful tools is NTDSutil.exe

In addition to regular domain controllers with the Global Catalog (GC), you can have something called an RODC (Read Only Domain Controller).

An RODC contains the following data:

Passwords for the users of that site (domain), e.g. sales.gustavsenit.no, whereas the main domain hk.gustavsenit.no has the passwords, usernames and all objects in the domain.
The advantage of having an RODC is that you avoid going over the WAN (internet) to authenticate your machine in order to log on. This means that if you have an RODC, the clients make the logon request locally, and this way there is no delay when logging on. The RODC does not contain the users' passwords, but you normally configure a "password replication policy". This defines which user passwords are replicated to the RODC and cached there. The RODC only checks with the regular DC to see whether there are new passwords etc. If the WAN link goes down, the RODC checks its local cache to authenticate the users.
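As an added check for the FSMO roles and the RODC password replication policy described above (this is not from the original notes; the RODC name RODC01 is assumed), the following cmdlets report the current role holders, verify that the RID Master and PDC Emulator answer, compare the local clock against the PDC Emulator, and list which accounts the RODC is allowed to cache and which it has actually cached:

```powershell
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles are read from the forest object, domain-wide roles from the domain object
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$roles = Get-FsmoRoleHolder
$roles | Format-List

# The RID Master must answer when a new DC is promoted; the PDC Emulator is the time source
foreach ($role in 'RIDMaster', 'PDCEmulator') {
    $holder = $roles.$role
    $up = Test-Connection -ComputerName $holder -Count 1 -Quiet
    '{0,-20} {1,-40} reachable={2}' -f $role, $holder, $up
}

# Kerberos rejects tickets when clocks differ by more than the 5-minute default skew,
# so sample the offset between this machine and the PDC Emulator
$pdc = $roles.PDCEmulator
w32tm /stripchart "/computer:$pdc" /samples:3 /dataonly

# RODC password replication policy: who may be cached (Allowed), who never is (Denied),
# and which accounts have actually had their secrets revealed to the RODC
$rodc = 'RODC01'   # assumed RODC name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```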

 


 

Active Directory Domain Services

You need a user with "Domain Admin" rights to add a new domain controller. You can choose to set it up as an additional domain, a new forest or a child domain.

DSRM = Directory Services Restore Mode

This can be reached by pressing F8 during boot and choosing DSRM. You must then enter the DSRM password that you set when you first installed the domain controller.

NTDSUTIL: general tool for managing the AD database

To add a new domain controller at a remote site, do the following:

NTDSUTIL

Activate instance NTDS (Enter)

IFM (Enter)

This creates C:\IFM

Create SYSVOL Full c:\windows\ifm

Create

This makes a copy of AD and of SYSVOL if desired.

regsvr32 schmmgmt.dll: this command is run from an elevated command line and enables the Schema Management snap-in for Active Directory

Managing Active Directory Domain Services Objects

Built-in containers cannot be deleted, and you cannot apply Group Policy objects to them.

Commands to manipulate objects in AD:

dsmod
dsadd
dsmove
dsquery
dsrm

e.g.: dsadd ou ou=Stokke,dc=gustavsenit,dc=no
e.g. 2: dsadd ou ou=Vear,ou=Stokke,dc=gustavsenit,dc=no

The next one is:

PowerShell:

New-ADUser
New-ADGroup

e.g.: New-ADUser bruker4

or

Get-ADUser -Filter *

To filter further, do the following:

Get-ADUser -Filter * | Format-List Name, SID
Get-ADUser -Filter * -SearchBase "ou=users,dc=gustavsenit,dc=no" -SearchScope Subtree | Format-List Name (lists all users in the OU)
Get-ADUser -Filter * -SearchBase "ou=users,dc=gustavsenit,dc=no" -SearchScope Subtree | Set-ADUser -Department NERD (sets the department for all of them)

Security protocols:

There are two types of security protocols that need to use a "password that is reversible"; these two are CHAP and Digest.
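An added example (not from the original notes) that ties the two points above together: the OU query from the notes, followed by an audit of which accounts actually have "store password using reversible encryption" set, since that is the setting CHAP and Digest depend on. The OU ou=users,dc=gustavsenit,dc=no and the user bruker4 are taken from the notes:

```powershell
Import-Module ActiveDirectory
$ou = 'OU=Users,DC=gustavsenit,DC=no'   # OU from the notes above

# Everyone in the OU and its sub-OUs, with the SID the RID Master handed out
Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree |
    Select-Object Name, SamAccountName, SID |
    Format-Table -AutoSize

# "Store password using reversible encryption" is bit 0x80 (128) of userAccountControl.
# The LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) returns accounts with that bit set,
# i.e. the accounts whose password is kept recoverable for CHAP/Digest.
$reversibleFlag = 128
$ldap = "(userAccountControl:1.2.840.113556.1.4.803:=$reversibleFlag)"
Get-ADUser -LDAPFilter $ldap -SearchBase (Get-ADDomain).DistinguishedName -Properties userAccountControl, PasswordLastSet |
    Select-Object Name, SamAccountName, PasswordLastSet,
        @{ Name = 'ReversibleEncryption'; Expression = { ($_.userAccountControl -band $reversibleFlag) -ne 0 } }

# The same switch can be turned on domain-wide or by a fine-grained password policy; check both
(Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    Select-Object Name, Precedence

# Turn the flag off for a single account once it is no longer needed (Set-ADUser exposes it directly)
# Set-ADUser -Identity 'bruker4' -AllowReversiblePasswordEncryption $false
```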
Implementing Group Management

IGDLA =

Identities
Global groups
Domain Local
Access
IPv4

Classes =

A = 1–126.x.x.x /8
B = 128–191.x.x.x /16
C = 192–223.x.x.x /24
D = 224–239.x.x.x (multicasting)
E = 240–255.x.x.x (broadcasting)

Private IP ranges:

10.0.0.0
172.16.0.0 – 172.31.255.255
192.168.0.0
127.0.0.1 (loopback) / localhost
169.254.0.0 (APIPA)

So to calculate the network ID, first host, last host and broadcast for an address such as 192.168.2.10/29, you do the following:

128 64 32 16 8 4 2 1
11111111.11111111.11111111.11111000
255.255.255.248

Net ID: 192.168.2.8
First host – last host: 192.168.2.9 – 192.168.2.14
Broadcast: 192.168.2.15

This is not the binary table, but describes the number of bits in an octet:

256 128 64 32 16 8 4 2
8   7   6  5  4  3 2 1

There are 32 bits in total in a quartet, i.e. four octets. 8×4 = 32 bits
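The subnet calculation above done in code, as an added example that is not part of the original notes. It generalizes the worked case to any IPv4 address in CIDR form, prints the mask in binary next to the dotted form, and treats /31 and /32 (which have no separate network and broadcast addresses) as the edge case they are; run on 192.168.2.10/29 it reproduces the .8 / .9–.14 / .15 result above:

```powershell
function ConvertTo-DottedQuad {
    # 32-bit value (held in a 64-bit integer so it stays positive) back to a.b.c.d
    param([long]$Value)
    return ('{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                 (($Value -shr 8) -band 255), ($Value -band 255))
}

function Get-IPv4SubnetInfo {
    # Network ID, host range and broadcast for an address in CIDR form, e.g. 192.168.2.10/29
    param([Parameter(Mandatory = $true)][string]$Cidr)

    if ($Cidr -notmatch '^[^/]+/\d{1,2}$') { throw "Expected address/prefix, got: $Cidr" }
    $addressText, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Prefix length must be between 0 and 32: $Cidr" }

    $bytes = [System.Net.IPAddress]::Parse($addressText).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $addressText" }

    # Pack the four octets into one number, most significant octet first
    $ip = [long]0
    foreach ($octet in $bytes) { $ip = ($ip -shl 8) -bor $octet }

    # Mask = $prefix leading ones. 4294967295 is 0xFFFFFFFF written in decimal so PowerShell keeps it positive.
    $allOnes = [long]4294967295
    $mask = if ($prefix -eq 0) { [long]0 } else { ($allOnes -shl (32 - $prefix)) -band $allOnes }

    $network   = $ip -band $mask                       # host bits cleared
    $broadcast = $network -bor ($allOnes -bxor $mask)  # host bits set
    $hostBits  = 32 - $prefix

    # /31 and /32 have no separate network/broadcast addresses; every address is usable there
    if ($hostBits -ge 2) {
        $firstHost = $network + 1; $lastHost = $broadcast - 1; $usable = [math]::Pow(2, $hostBits) - 2
    } else {
        $firstHost = $network;     $lastHost = $broadcast;     $usable = [math]::Pow(2, $hostBits)
    }

    $maskBits = [Convert]::ToString($mask, 2).PadLeft(32, '0') -replace '(.{8})(.{8})(.{8})(.{8})', '$1.$2.$3.$4'

    [pscustomobject]@{
        Address     = $addressText
        Prefix      = $prefix
        MaskBinary  = $maskBits
        SubnetMask  = ConvertTo-DottedQuad $mask
        NetworkId   = ConvertTo-DottedQuad $network
        FirstHost   = ConvertTo-DottedQuad $firstHost
        LastHost    = ConvertTo-DottedQuad $lastHost
        Broadcast   = ConvertTo-DottedQuad $broadcast
        UsableHosts = [long]$usable
    }
}

# The example from the notes, plus a /31 point-to-point link and a /32 host route
Get-IPv4SubnetInfo '192.168.2.10/29' | Format-List
Get-IPv4SubnetInfo '10.0.0.1/31'     | Format-List
Get-IPv4SubnetInfo '10.0.0.7/32'     | Format-List
```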

TCP/IP Protocol Suite

The OSI Model

Application
Presentation
Session
Transport
Network
Data link
Physical

These are the seven layers of the OSI model


Day 3

We started the day with a small test of 15 questions. I know I got 3 wrong on this test, and it concerned a question about which roles do not have to be available when promoting a domain controller. That is: PDC Emulator, RID Master, Infrastructure Master, Domain Naming Master or Schema Master.

A little bit more about groups:

I, G, DL, A

Identities are placed within global groups, global groups are placed within domain local groups, and domain local groups are given access to resources.

Or

I, G, U, DL, A

Identities are placed within global groups, global groups are placed within universal groups, universal groups are placed within domain local groups, and domain local groups are given access to the resource.
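The I, G, DL, A chain above built out in code, as an added example that is not part of the original notes. It assumes an OU named Groups in gustavsenit.no, the NetBIOS domain name GUSTAVSENIT, a folder D:\Shares\Sales to publish, and the user bruker4 from the notes; the point is that only the domain local group ever appears in the share and NTFS ACLs:

```powershell
Import-Module ActiveDirectory
$groupOu = 'OU=Groups,DC=gustavsenit,DC=no'   # assumed OU for groups
$folder  = 'D:\Shares\Sales'                  # assumed folder to publish
$domain  = 'GUSTAVSENIT'                      # assumed NetBIOS domain name

# I -> G: identities go into a global group that names a role (who)
New-ADGroup -Name 'G-Sales-Staff' -SamAccountName 'G-Sales-Staff' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'G-Sales-Staff' -Members 'bruker4'

# G -> DL: the role group is nested into a domain local group that names one permission on one resource (what)
New-ADGroup -Name 'DL-Sales-Modify' -SamAccountName 'DL-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'DL-Sales-Modify' -Members 'G-Sales-Staff'

# DL -> A: only the domain local group is written into the ACL, never users or global groups
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domain\DL-Sales-Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Share permission through the same group; the NTFS ACL then decides the effective rights
New-SmbShare -Name 'Sales' -Path $folder -ChangeAccess "$domain\DL-Sales-Modify"

# Verify the chain: bruker4 is reached through the nesting, and the ACL names only the DL group
Get-ADGroupMember -Identity 'DL-Sales-Modify' -Recursive | Select-Object Name, objectClass
(Get-Acl -Path $folder).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```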

More about FSMO

Schema Master and Domain Naming Master are domain wide roles

PDC Emulator, RID Master and Infrastructure Master are forest wide roles

By editing the Schema partition, or by using ADSIEdit, we can choose which attributes are stored in the Global Catalog.

DHCP Server

Process of getting a DHCP address:

DHCP Discover (broadcast)

DHCP Offer (from the DHCP server)

DHCP Request (to the DHCP server) – tells the DHCP server "I want your address", and tells the other DHCP servers "I do not want yours".

DHCP Acknowledgement (sent back from the DHCP server) – this is where the gateway, DNS, WINS etc. are delivered.

To forward DHCP Discover from one subnet through a router to another subnet, we use relays.

RFC1542

RFC2153 compliance means that you can install/enable a relay agent on the router.

If we don't have this, we have another tool developed by Microsoft called RAS, and within this we can install the DHCP Relay Agent on the server.

This points to the DHCP server using a unicast address (a regular IP address), and it ONLY listens for BOOTP broadcasts.

When we configure the DHCP server, we configure ranges, and for documentation reasons we should include the whole range that we are using, and then exclude addresses from the range via the wizard.

After this we configure options:

Options can be configured on 4 different levels:

  • Server
  • Scope
  • Class –> e.g. vendor, user, computer types
  • Reserved client

Options to remember are:

  • 003 Router
  • 006 DNS Server
  • 015 DNS Domain Name
  • 033 Static Route
  • 060 PXE (defines the WDS port)

WDS and DHCP use port 67 by default

To enable DHCP Relay go to Routing and Remote Access -> IPv4 -> General -> New Routing Protocol -> DHCP Relay Agent

If you want to install a DHCP server via PowerShell, run the following commands:

(image: powershell-DHCP)
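An added example (not the commands from the original notes, whose screenshot is missing here) of installing and configuring the DHCP server from PowerShell in the order the notes describe: role and AD authorization, a scope covering the whole subnet with exclusions, options at scope and reserved-client level, option 060, and conflict detection. The host dc1.gustavsenit.no, the addresses in 192.168.2.0/24 and the MAC address are all assumed:

```powershell
# Assumed values: DHCP on dc1.gustavsenit.no (192.168.2.10), serving 192.168.2.0/24
$dhcpHost = 'dc1.gustavsenit.no'
$dhcpIp   = '192.168.2.10'
$scopeId  = '192.168.2.0'

# 1. Install the role and authorise it in AD (an unauthorised Windows DHCP server will not hand out leases)
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName $dhcpHost -IPAddress $dhcpIp
Get-DhcpServerInDC          # lists every authorised DHCP server in the domain

# 2. Scope covering the whole subnet, then exclusions for the statically assigned addresses
Add-DhcpServerv4Scope -Name 'Stokke LAN' -StartRange 192.168.2.1 -EndRange 192.168.2.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 192.168.2.1 -EndRange 192.168.2.20

# 3. Scope-level options: 003 router, 006 DNS server, 015 DNS domain name
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 192.168.2.1 -DnsServer $dhcpIp -DnsDomain 'gustavsenit.no'

# 4. Reserved-client level: a fixed address bound to a MAC (constructed value), with its own option value
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress 192.168.2.50 -ClientId '00-15-5D-00-00-01' `
    -Name 'printer1' -Description 'constructed example'
Set-DhcpServerv4OptionValue -ReservedIP 192.168.2.50 -DnsServer 192.168.2.11

# 5. Option 060 is not predefined on Windows DHCP; define and set it only when WDS shares this host with DHCP
Add-DhcpServerv4OptionDefinition -OptionId 60 -Name 'PXEClient' -Type String -Description 'PXE client identifier'
Set-DhcpServerv4OptionValue -OptionId 60 -Value 'PXEClient'

# 6. Conflict detection: ping an address before offering it
Set-DhcpServerSetting -ConflictDetectionAttempts 2

# Review what was configured
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, State
Get-DhcpServerv4OptionValue -ScopeId $scopeId | Select-Object OptionId, Name, Value
```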

Implementing DNS (Module 7)

A domain name space starts with a "." and then names like .com .gov .edu .uk .no

How the name resolution process works, and the steps:

  1. Authoritative for the zone
  2. DNS server cache
  3. Conditional forwarder
  4. Forwarder
  5. Root hints

When you use the same name for the AD domain and the external internet domain, it is called "split-brain DNS"

An A record is used to point directly to a host that provides a service, e.g. www.sol.no with an IP address

CNAME (Canonical Name) is used as an alias for other addresses

MX record: points to the company's Exchange server

Implementing IPv6

IPv6 does not use a subnet mask, but a PREFIX instead

2001:00ab:0000:0001:00ab:0000:0000:a2af/64

2001:AB:0:1:AB:0:0:A2AF/64

2001:ab:0:1:ab::a2af/64

::1 (loopback address). The whole string is as follows: 0000:0000:0000:0000:0000:0000:0000:0001

To find how many sections of zeros the "::" stands for, count the number of sections that are not written out in the address.

Unicast: one-to-one communication

Multicast: does the same as in IPv4, and also replaces broadcast

Anycast:

There are three different types of unicast addresses:

Global Unicast (public addresses) 2000:: or 3000::

Unique Local Unicast (private addresses), only routable internally, FC00:: or FD00::

Link Local Unicast (non-routable addresses) FE80::

Multicast: FF00::

Status for a network can be:

Static

DHCPv6

Stateless autoconfig

What are the different parts of an IPv6 address?

2001:00AB:0000:0001:00AB:0000:0000:A3AF/64 The first part (2001:00AB:0000) is the global prefix, then comes the subnet (0001), and the rest is the host part.

DHCP – IPv6

When you reserve addresses in an IPv6 scope, you do not use MAC addresses but DUID and IAID (DHCP Unique Identifier) and (Interface Association Identifier)

2001:0001:0001:11000::/56

Q1

How many subnets/networks do we have?

64-56 = 8

NOT BINARY

256 128 64 32 16 8 4 2
8   7   6  5  4  3 2 1

The answer is: 256 networks/subnets
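The two IPv6 rules from this section, expanding a compressed address by counting the sections that were not written out, and working out how many /64 subnets a /56 allocation holds, as an added example that is not part of the original notes. The addresses used are the ones from the notes:

```powershell
function Expand-IPv6Address {
    # Expand a compressed IPv6 address (leading zeros dropped, one "::" for a run of zero groups)
    # back to 8 groups of 4 hex digits, and report how many groups the "::" stood for.
    param([Parameter(Mandatory = $true)][string]$Address)

    $addr  = $Address.Split('/')[0]            # drop a /prefix if present
    $parts = $addr -split '::'
    if ($parts.Count -gt 2) { throw "'::' may appear only once: $Address" }

    $left  = if ($parts[0]) { $parts[0].Split(':') } else { @() }
    $right = if ($parts.Count -eq 2 -and $parts[1]) { $parts[1].Split(':') } else { @() }
    foreach ($g in @($left) + @($right)) {
        if ($g -notmatch '^[0-9A-Fa-f]{1,4}$') { throw "Invalid group '$g' in $Address" }
    }

    $written = $left.Count + $right.Count
    if ($parts.Count -eq 1) {
        if ($written -ne 8) { throw "Expected 8 groups without '::', got $written" }
        $elided = 0
    } else {
        $elided = 8 - $written                  # the sections that were not written out
        if ($elided -lt 1) { throw "'::' must replace at least one group: $Address" }
    }

    $zeros = @()
    for ($i = 0; $i -lt $elided; $i++) { $zeros += '0' }
    $groups = @($left) + $zeros + @($right)

    [pscustomobject]@{
        Compressed    = $addr
        Expanded      = ($groups | ForEach-Object { $_.PadLeft(4, '0').ToLower() }) -join ':'
        GroupsWritten = $written
        GroupsElided  = $elided
    }
}

function Get-IPv6SubnetCount {
    # How many /$SubnetPrefix networks fit in a /$AllocatedPrefix allocation: 2 to the power of the difference
    param([int]$AllocatedPrefix, [int]$SubnetPrefix = 64)
    if ($SubnetPrefix -lt $AllocatedPrefix) { throw 'Subnet prefix must be at least as long as the allocation' }
    return [long][math]::Pow(2, $SubnetPrefix - $AllocatedPrefix)
}

Expand-IPv6Address '2001:ab:0:1:ab::a2af/64' | Format-List
Expand-IPv6Address '::1' | Format-List
Get-IPv6SubnetCount -AllocatedPrefix 56 -SubnetPrefix 64
```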

STORAGE

Storage Pools are a new feature in Windows Server 2012

When creating the storage layout you can choose from the following options:

Single: at least 1 disk

Mirror: 2 disks or 5 disks. With 2 disks you can lose one disk, and with five disks you can lose 2 disks

Parity: 3 disks or 7 disks. With 3 disks you can lose 1 disk, and with 7 disks you can lose 2 disks.

Day 4

File and Share permissions

The PowerShell command for a new share is: New-SmbShare

From the command line use net share

Printers

You can enable printer pooling and attach several devices. You should use printers of the same brand and specifications.

About printer priority: the higher the number, the higher the priority. So a printer with a priority of 99 would go ahead of one with a priority of 1

Group Policies

Group Policies apply mainly to users and computers

Group Policy example

Local –

Site – GPO1 (Deploy Red Background) – [Enforced] <- Security filter = Deny Read, Deny Apply to user BOB

Domain – GPO2 (No Control Panel)

_____________Block_____________

OU – GPO3 (Deploy App1)

GPO4 (Deploy Blue Background)

(BOB is a member here)

The result of these policies will be that Bob gets the blue background

Important to remember

DCGPOFIX.EXE is used for resetting the default domain policy to its default state.

GPFIXUP.exe is used when you rename the domain

When backing up GPOs from an untrusted forest or domain you have to do the following:

  1. Export the GPO from the untrusted source
  2. Copy the files
  3. Create a new empty GPO in the new domain
  4. Import it into this GPO.

Hyper-V

There are three types of switches in Hyper-V that we can configure:

They are: Internal, External and Private virtual switches

Storage types in Hyper-V are:

Physical disks or virtual disks

To use a physical disk, it has to be set offline on the Hyper-V host

Physical disks = pass-through disks

When you use this form of disk for a VM, you lose the following possibilities:

Snapshot (checkpoint)

Moving between different hosts

Backup

Virtual disk extension

From Windows Server 2012: .vhdx

Windows Server 2008 R2 and Windows Server 2008 use .vhd and can only use this.

Enable-VMResourceMetering dc1, for example.

After this use

Measure-VM DC1

Hyper-V Generations:

Generation 1 and 2 are supported on Windows Server 2012 R2, but on Windows Server 2012 only Generation 1 is supported

Day 5

Group Policy commands (important to remember)

Backup-GPO
Copy-GPO
Import-GPO
Invoke-GPUpdate
New-GPLink
New-GPO
Set-GPInheritance
Set-GPPermission
Set-GPLink
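The cmdlets above applied to the two GPO tasks from Day 4: the four-step export/import of a GPO from an untrusted domain, and the security filtering and link handling from the Bob example. This is an added example, not the original notes' code; the backup folder C:\GPOBackup, the GPO name "Deploy App1", the OU Stokke, the user BOB, the computer PC1 and the migration table file are assumed:

```powershell
Import-Module GroupPolicy
$backupDir = 'C:\GPOBackup'                            # assumed folder
$targetOu  = 'OU=Stokke,DC=gustavsenit,DC=no'          # OU from the dsadd example above

# Source side (the untrusted forest/domain): export the GPO to a folder you can copy out
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Backup-GPO -Name 'Deploy App1' -Path $backupDir -Comment 'export for gustavsenit.no'
$backup | Select-Object DisplayName, Id, CreationTime

# ... copy $backupDir to the target domain ...

# Target side: create an empty GPO, then import the settings into it.
# Security principals and UNC paths from the old domain do not resolve here;
# -MigrationTable maps them (build the .migtable with the Migration Table Editor in GPMC).
New-GPO -Name 'Deploy App1' -Comment 'imported from untrusted domain' | Out-Null
Import-GPO -BackupGpoName 'Deploy App1' -Path $backupDir -TargetName 'Deploy App1' `
    -MigrationTable "$backupDir\app1.migtable"

# Link it to the OU, enforce it, and check link order and inheritance on the OU
New-GPLink -Name 'Deploy App1' -Target $targetOu -LinkEnabled Yes | Out-Null
Set-GPLink -Name 'Deploy App1' -Target $targetOu -Enforced Yes | Out-Null
Get-GPInheritance -Target $targetOu | Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# Security filtering as in the Bob example: take away Apply and Read for one user.
# Set-GPPermission only sets allow levels; an explicit Deny ACE still needs the GPMC Delegation tab.
Set-GPPermission -Name 'Deploy App1' -TargetName 'BOB' -TargetType User -PermissionLevel None -Replace | Out-Null

# Resultant Set of Policy for a user/computer pair, to confirm what Bob actually ends up with
Get-GPResultantSetOfPolicy -User 'GUSTAVSENIT\BOB' -Computer 'PC1' -ReportType Html -Path "$backupDir\bob-rsop.html"
```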

Back to Group Policies and standard settings for managing Security!

 

 

 

Day 5

 

About Read Only Domain Controllers (RODC)

There can only be one per site

About Restore and Backup.

You can have:

Non-authoritative (NTDS.DIT AD database corruption)

  1. Reboot the DC
  2. At reboot press F8 – Advanced startup options
  3. DSRM (Directory Services Restore Mode)
  4. Log in with the DSRM password (Note: NTDSUTIL can reset this password)
  5. Use the backup app to restore the System State data
  6. Reboot

Authoritative (an AD object has been deleted)

  1. Reboot the DC
  2. At reboot press F8
  3. Select DSRM
  4. Log in with the DSRM password
  5. Use the backup app to restore the System State data
  6. Go to NTDSUTIL.exe
  7. Go to the authoritative restore prompt
  8. Enter the DN of the object or objects (DN = distinguished name)
  9. Reboot

AD database snapshots are the third option that you can use for restoring NTDS.DIT (Note: NTDSUTIL and DSAMAIN can be used for this operation). DSAMAIN assigns a port to a mounted copy of the database.

Tombstone reanimation

AD Recycle Bin (this is disabled by default). This was introduced with Windows Server 2008 R2 (AD optional feature).
Once it's turned on you cannot turn it off.

This feature replaces the tombstone.

The Recycle Bin stores all of the attributes of the deleted object (keeps the entire object). The Recycle Bin holds it for 180 days by default.

The PowerShell cmdlet is called: Enable-ADOptionalFeature

The container in AD is called "Deleted Objects"
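The three recovery paths above (Recycle Bin, authoritative restore with NTDSUTIL, and a snapshot mounted with DSAMAIN) as an added example that is not part of the original notes. It assumes the forest root gustavsenit.no and a deleted user bruker4 from OU=Users; the ntdsutil lines for the authoritative restore are meant to be run in DSRM after the System State restore, not on a running DC:

```powershell
Import-Module ActiveDirectory
$forestRoot = 'gustavsenit.no'                     # assumed forest root domain
$userDn     = 'CN=bruker4,OU=Users,DC=gustavsenit,DC=no'

# Option A: Recycle Bin (needs forest functional level 2008 R2 or later; cannot be turned off again)
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forestRoot -Confirm:$false

# How long deleted objects stay restorable (msDS-DeletedObjectLifetime, default 180 days)
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime

# Find the deleted user in CN=Deleted Objects (its name becomes "bruker4\0ADEL:<guid>") and restore it
Get-ADObject -Filter 'isDeleted -eq $true -and name -like "bruker4*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, lastKnownParent, whenChanged
Get-ADObject -Filter 'isDeleted -eq $true -and name -like "bruker4*"' -IncludeDeletedObjects |
    Restore-ADObject

# Option B: authoritative restore without the Recycle Bin. Boot into DSRM, restore System State with
# the backup application, then mark the object (or a whole subtree) authoritative so this copy wins
# over the deletion when the DC replicates again. Quote the DN inside the command if it contains spaces.
ntdsutil "activate instance ntds" "authoritative restore" "restore object $userDn" quit quit
# ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Users,DC=gustavsenit,DC=no" quit quit

# Option C: snapshot. Create one, mount it, then expose the mounted ntds.dit read-only on its own LDAP port
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil "activate instance ntds" snapshot "list all" "mount 1" quit quit   # mounts under C:\$SNAP_<timestamp>_VOLUMEC$\
# dsamain -dbpath 'C:\$SNAP_<timestamp>_VOLUMEC$\Windows\NTDS\ntds.dit' -ldapport 10389
# then compare attributes against it, e.g. Get-ADUser bruker4 -Server localhost:10389
```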

Active Directory is called Restartable AD. This is because

To stop AD (NTDS.DIT):

CMD

net stop ntds

The PowerShell command is: Stop-Service ntds -Force

To start: Start-Service ntds

Active Directory Administrative Center

About passwords: you can define a different set of password settings for groups and computers in ADAC

You can define the order in which these password settings apply by using precedence. If the precedence is the same, the password setting applied closest to the user wins. These password settings override Group Policy as well.

User beats group, and group beats policy when it comes to these password settings.

When it comes to precedence, the lowest value wins.

These were introduced with Windows Server 2008.

PowerShell: New-ADFineGrainedPasswordPolicy
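The precedence rules above in practice, as an added example that is not part of the original notes: two password settings objects with different precedence, linked to Domain Admins and to an assumed global group G-Sales-Staff, followed by the resultant policy for the user bruker4 from the notes:

```powershell
Import-Module ActiveDirectory

# Two policies; the lower Precedence wins when a user is covered by both
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

New-ADFineGrainedPasswordPolicy -Name 'PSO-Sales' -Precedence 50 `
    -MinPasswordLength 10 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 15) -LockoutDuration (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# PSOs are linked to users and to global security groups
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Sales'  -Subjects 'G-Sales-Staff'   # assumed group

# Resultant policy for one user: a PSO linked directly to the user beats any group-linked PSO,
# among group-linked PSOs the lowest Precedence wins, and any PSO beats the domain GPO setting
Get-ADUserResultantPasswordPolicy -Identity 'bruker4' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Compare with what the Default Domain Policy gives everyone else
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold

# All PSOs and who they apply to
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo
```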

To clone a virtual domain controller on a VM, do the following:

Get-ADDCCloningExcludedApplicationList

RAS, NPS

VPN protocols:

  • PPTP port 1723
  • L2TP 1703
  • SSTP 443
  • IKEv2 several ports: 500, 4500, 50 and 1701

CMAK (Connection Manager Administration Kit)

Authentication methods are:

PAP
CHAP
MS-CHAP
MS-CHAPv2
EAP 802.1x

To be able to log on, there are three things that need to be in place:

Authentication, Authorization and Accounting (logging)

Network policies:

  1. Conditions
  2. Permissions
  3. Profile/Constraints

Installing RAS Server

There are two tools you use:

  • Routing and Remote Access
  • Remote Access Management

You can use NLB to pass the requests from two or more RADIUS servers to a single NPS server with policies.

If you have connection request policies that say, for example, that everyone from the widgets.com domain is authenticated by a remote RADIUS proxy, then the user would be forwarded to another network or another corporation.

Network Access Protection

System Health Validators

This is a service that can make sure that the client computer meets certain conditions before it lets you connect.

It can force the firewall on the client computer to be turned on, and then let you connect.

About DirectAccess

NRPT = Name Resolution Policy Table

This keeps a list of domain names, DNS servers and IP addresses. With it the client is able to decide whether the traffic should go to your RAS server (corporate domain) or to the ISP for resolution of addresses.

The RAS server is also your DirectAccess server

Day 6

RAS & NAP

NAP Agent service

NAP Enforcement Client

and Security Center have to be running on the laptop for health policies to work and enforce firewall management.

This is turned on through Group Policy or local policy.

About DSC "Desired State Configuration"

When you create the config, it creates .mof files

The Local Configuration Manager is the service that monitors and maintains the DSC configuration.
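A small DSC configuration that shows the two points above, the compiled .mof and the Local Configuration Manager applying it, as an added example that is not part of the original notes. It assumes PowerShell 4.0 (Windows Server 2012 R2) and the output folder C:\DSC; the baseline keeps the firewall service running, which is the same condition NAP enforces above:

```powershell
# Windows Server 2012 R2 ships PowerShell 4.0, the first version with DSC
Configuration ServerBaseline {
    param([string[]]$ComputerName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        # Keep the Windows Firewall service running and starting automatically
        Service Firewall {
            Name        = 'MpsSvc'
            State       = 'Running'
            StartupType = 'Automatic'
        }
        # Make sure the Telnet client is not installed
        WindowsFeature NoTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
    }
}

# Compiling the configuration writes one MOF per node: C:\DSC\localhost.mof
ServerBaseline -OutputPath 'C:\DSC'

# Push the MOF; the Local Configuration Manager applies it and, depending on its mode, keeps re-checking it
Start-DscConfiguration -Path 'C:\DSC' -Wait -Verbose

# LCM settings: ConfigurationMode (ApplyOnly / ApplyAndMonitor / ApplyAndAutoCorrect) and the check interval
Get-DscLocalConfigurationManager | Select-Object ConfigurationMode, ConfigurationModeFrequencyMins, RefreshMode

# True while the node is still in the desired state
Test-DscConfiguration
```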

File Server Resource Manager

Used for classification, disk quota reports, automatic encryption of files containing certain words, e-mail reports to admins etc.

DFS

DFSN is DFS Namespaces

You can find this under DFS Management -> Namespaces

DFSR is DFS Replication between servers.

The namespace only holds references to the share itself.

Deploying and Maintaining Server Images

.WIM

Hardware agnostic
Multiple images
Offline servicing
Non-destructive

ADK = Assessment and Deployment Kit

A set of tools for storing, securing and deploying images

MDT = Microsoft Deployment Toolkit

Is a sequencing deployment application.

By this we mean that we build the image in sequence.

= Step by step deployment

You can also use DISM for managing .wim files

WDS needs two roles to function:

The roles are Deployment Server (here we configure, manage and customize images)

The Transport Server holds the images and broadcasts the multicast package.

Boot image: holds a list of the different versions you have made. For example: Windows 10 32-bit and Windows 10 64-bit. Gives access to install images.

Capture image: used to capture images, for example from a running Windows machine, and sysprep it to become an install image.

Install image: this is the image that is being uploaded to the client. This file contains all the default images for the different versions of the operating system.

Windows Server Update Services

Uses ports 8530, 8531

You can define classes, OS and groups for distribution with WSUS

You will have to approve the updates that you want to distribute, and you can choose which groups the updates are distributed to. By doing this we can test the updates before we distribute them to the entire company.

Group Policies (AGAIN)

Ways to manipulate Group Policies:

  • Enforced
  • Security Filtering
  • WMI Filters
  • Block Inheritance
  • Loopback Processing
  • Link Order
  • Item Level Targeting
  • Slow-Link Detection

About Slow-Link Detection:

  • We can enable this on group policies that distribute applications, so that the user will not download an application over a slow WAN

About Item Level Targeting:

  • We apply this to drive maps in the user configuration under policies.
  • We can set attributes that must be met, and then the item applies.
  • Under Computer Configuration we find slow link detection

About Loopback Processing:

  • We can find this setting under the GPO: Computer Configuration -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy loopback processing mode

Note: slow link mode is for detection regarding offline files. If the connection drops below a certain bandwidth, the computer treats the WAN as being offline and only uses the offline files.

Loopback can replace or merge properties

IIS = Internet Information Services

IIS -> SiteOne -> Application Pools -> Application Pool Identity -> Service Account

To be able to authenticate against a SQL server, the service user needs an SPN (Service Principal Name). AD uses the Service Principal Name when checking that the service account is trusted for delegation. By enabling this, IIS can impersonate the user that is requesting access to the website.

To set a Service Principal Name we can use these commands:

setspn -L user1 (lists the SPNs for the user)

setspn -S http/siteone User2, e.g.: setspn -S http/www.bbc.co.uk BBC_Service_User

Usually there is a problem with the password expiring, so we use Managed Service Accounts instead.

This account can only be given access to one server

Dependencies: .NET 3.5 and the Active Directory module for Windows PowerShell

Recommended to run with Windows Server 2008 R2 functional level or higher.

Group Managed Service Accounts

This account can be given rights on several machines, and run scheduled administrative tasks on the machines.
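The SPN and Group Managed Service Account points above carried through for the SiteOne application pool, as an added example that is not part of the original notes. It assumes the NetBIOS domain GUSTAVSENIT, two IIS hosts WEB1 and WEB2, the host name siteone.gustavsenit.no and a gMSA named svc_siteone; the password for a gMSA is rotated by AD itself, which is what removes the expiry problem mentioned above:

```powershell
Import-Module ActiveDirectory
$domainNetbios = 'GUSTAVSENIT'                     # assumed NetBIOS domain name

# 1. Once per forest: the KDS root key the gMSA passwords derive from. Normally it becomes usable
#    after about 10 hours so every DC has replicated it; the backdated EffectiveTime is for a lab only.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# 2. A group of the hosts allowed to fetch the password (computer accounts end in $)
New-ADGroup -Name 'IIS-Servers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'IIS-Servers' -Members 'WEB1$', 'WEB2$'

# 3. The gMSA itself, with the SPNs IIS needs for Kerberos registered at creation time
New-ADServiceAccount -Name 'svc_siteone' -DNSHostName 'siteone.gustavsenit.no' `
    -PrincipalsAllowedToRetrieveManagedPassword 'IIS-Servers' `
    -ServicePrincipalNames 'HTTP/siteone.gustavsenit.no', 'HTTP/siteone'

# 4. On each IIS host (after a reboot so the new group membership is in the computer's token)
Install-ADServiceAccount -Identity 'svc_siteone'
Test-ADServiceAccount -Identity 'svc_siteone'   # True when this host can retrieve the password

# 5. SPN hygiene: list what is registered and check the forest for duplicates (duplicates break Kerberos)
setspn -L 'svc_siteone'
setspn -X

# 6. Run the application pool as the gMSA: DOMAIN\name$ with an empty password
Import-Module WebAdministration
Set-ItemProperty 'IIS:\AppPools\SiteOne' -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = "$domainNetbios\svc_siteone$"; password = '' }
```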

DNS

The option "BIND secondaries" needs to be enabled if you use Unix DNS servers.

DAY something, can't even remember

Anyway… clustering and failover… 😀

The first option is split-scope

For failover with DHCP we can set up DHCP failover.

We have features on a DHCP server to ensure that we do not have conflicts.

One of the features is called Conflict Detection Attempts

A failover DHCP cluster is the second option we can use.

They share the same database for giving out IP addresses.

The last one is DHCP Failover

You have two stand-alone DHCP servers that share the address leases between each other. (Replicates the addresses)

This can run in two modes: Hot Standby, or Load Sharing mode (load balancing).

They share a heartbeat

If you have set it up in Hot Standby, 5% of the addresses are reserved by default for the Hot Standby DHCP server.

Port 647 is used for replicating and sharing heartbeats
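The DHCP failover relationship above set up from PowerShell, as an added example that is not part of the original notes. It assumes dc1 is the existing DHCP server, dhcp2.gustavsenit.no the new partner and 192.168.2.0 the scope; the hot standby form uses the 5% reserve mentioned above, and the load sharing form is shown commented out:

```powershell
# Assumed: dc1 is the existing DHCP server, dhcp2.gustavsenit.no is the new partner, scope 192.168.2.0
$scopeId = '192.168.2.0'

# Hot standby: dc1 stays Active, the partner only answers when dc1 is down.
# ReservePercent is the share of the scope kept back for the standby (5% is the default).
Add-DhcpServerv4Failover -ComputerName 'dc1' -Name 'Stokke-HotStandby' -PartnerServer 'dhcp2.gustavsenit.no' `
    -ScopeId $scopeId -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret (Read-Host 'Failover shared secret')

# Load sharing instead: both answer, leases split by LoadBalancePercent (50 = half each)
# Add-DhcpServerv4Failover -ComputerName 'dc1' -Name 'Stokke-LoadShare' -PartnerServer 'dhcp2.gustavsenit.no' `
#     -ScopeId $scopeId -LoadBalancePercent 50 -SharedSecret (Read-Host 'Failover shared secret')

# State and mode of every relationship; the partners talk on TCP 647, so that port must be open between them
Get-DhcpServerv4Failover -ComputerName 'dc1' |
    Select-Object Name, Mode, State, PartnerServer, ServerRole, ReservePercent, LoadBalancePercent

# Push scope settings to the partner after changing options or exclusions
Invoke-DhcpServerv4FailoverReplication -ComputerName 'dc1' -Name 'Stokke-HotStandby' -Force
```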

——————————–

IPAM Server can be used to manage these DHCP servers at an enterprise level, and to monitor them

IPAM cannot be installed on a domain controller

There are two IPAM components:

IPAM Server

IPAM remote management tools

First you provision the domain after installation of the feature

Then run

Invoke-IpamGpoProvisioning -Domain FB.com -GpoPrefixName (name of prefix)

Then configure server discovery.

Then configure the services that you want to monitor and manage, and set the server to Managed

On the machine that you want to manage, run gpupdate /force

In a Galaxy far, far away…

 

NLB (Network Load Balancing)

We can connect several nodes to a cluster. We can add or remove nodes at will.

When we load balance IIS servers we use a heartbeat between all the servers to communicate with each other. After 5 missed heartbeats a node presumes that the other node is down. The heartbeat is sent every second.

The cluster is given its own IP, and you will have to do this, as there has to be a cluster name with members.

When we connect using HTTPS or HTTP or any other service, we have something called affinity options to exchange information between the servers. (The affinity options define how the clients reconnect)

These are the affinity types:

  1. None (round robin)
  2. Single (one machine responds on the first connection; the second time you connect, the other machine responds)
  3. Class C (the first time the user connects it's round robin; the next time the user connects, it goes to the same IP)

Modes of operation for network cards in load balancing are Multicast and Unicast.

Unicast mode only responds to the cluster IP.

Multicast mode: the server responds to the network IP on the host, and the cluster IP

IGMP Multicast:

When using multicast mode, you will have to configure the network correctly.
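An NLB cluster for two IIS nodes built from PowerShell, as an added example that is not part of the original notes. It assumes a NIC named LAN on both nodes, the nodes WEB1 (where the commands run) and WEB2, the cluster name web.gustavsenit.no and the VIP 192.168.2.100; it creates the cluster in multicast mode and sets a per-port affinity, which is where the affinity types above are actually chosen:

```powershell
Import-Module NetworkLoadBalancingClusters

# On the first IIS node: create the cluster on the NIC named 'LAN' (assumed) with a cluster VIP
New-NlbCluster -InterfaceName 'LAN' -ClusterName 'web.gustavsenit.no' `
    -ClusterPrimaryIP 192.168.2.100 -SubnetMask 255.255.255.0 -OperationMode Multicast

# Add the second node from the first one
Add-NlbClusterNode -NewNodeName 'WEB2' -NewNodeInterface 'LAN'

# Replace the default all-ports rule. Affinity decides where a returning client lands:
# None = spread every connection, Single = same node for the same client IP, Network = same node for the client's /24
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP -Mode Multiple -Affinity Single
Add-NlbClusterPortRule -StartPort 80  -EndPort 80  -Protocol TCP -Mode Multiple -Affinity None

# Node state and the rules in force
Get-NlbClusterNode | Select-Object Name, State, HostPriority
Get-NlbClusterPortRule | Select-Object StartPort, EndPort, Protocol, Mode, Affinity

# Drain a node before maintenance (finishes existing sessions, takes no new ones), then stop it
Stop-NlbClusterNode -HostName 'WEB2' -Drain
```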

Hyper-V Replication and Live Migration

To enable Hyper-V replication, we need to enable this on the receiving host, and enable it as a replica server.

To enable live migration, we also need to enable this on the Hyper-V server.

Failover Clustering

Too much to write, but it's AWESOME. Especially Cluster Aware Updating (CAU) 🙂