
70-410 CH1 Deploy, Manage and Maintain Servers

This document provides an overview of deploying and managing servers. It discusses: 1. Deploying and managing server images using Windows Deployment Services (WDS) and Deployment Image Servicing and Management (DISM). 2. Implementing patch management using Windows Server Update Services (WSUS) to deploy updates via Group Policy. 3. Configuring local storage through features like storage pools and disk pools. The best way to support new hardware is to capture a custom image from an existing template computer. WDS and DISM can be used to modify existing images.

Uploaded by

MCHammer

31-08-2015

70-410 CH1 Deploy, Manage and Maintain Servers

1.1 Deploy and Manage server images
WDS - Windows Deployment Service
Install the WDS Role, Config and manage boot, install and discover images, Install
features for offline images, Configure driver groups and packages
Preboot eXecution Environment (PXE)
4 Types of Image used by WDS: Boot images, install images, capture images and
discover images.
Boot - Windows PE images that reside in the \Sources folder on Windows
Installation media
Install - Are OS images that are deployed to the client computer
Capture - Used to create custom install image from an existing template
computer
Discover - Are used by WDS client computers that don’t support PXE boot.

Add an install image to the WDS environment:


Import-WdsInstallImage -Path "<WIM or VHD location>" -ImageGroup "<Group Name>"

DISM - Deployment Image Servicing and Management, can be used to mount an offline
image and update it directly.

Add or remove Windows features in an existing image or VHD by using
Enable-WindowsOptionalFeature, Disable-WindowsOptionalFeature
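
The mount, service and commit sequence these DISM notes describe, as an added PowerShell example that is not part of the original notes. The function name, the paths, the image index and the SMB1Protocol feature in the usage comment are assumptions for illustration.

```powershell
# Added example. Run elevated; all paths and names passed in are placeholders.
function Update-OfflineImage {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,     # WIM or VHD to service
        [Parameter(Mandatory)] [string] $MountDir,      # existing empty folder
        [int]      $Index          = 1,                 # image index inside the WIM
        [string[]] $PackagePath    = @(),               # .msu/.cab updates to inject
        [string[]] $DisableFeature = @(),               # optional features to turn off
        [string[]] $EnableFeature  = @()                # optional features to turn on
    )
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ErrorAction Stop | Out-Null
    $commit = $false
    try {
        foreach ($pkg in $PackagePath) {
            Add-WindowsPackage -Path $MountDir -PackagePath $pkg -ErrorAction Stop | Out-Null
        }
        foreach ($f in $DisableFeature) {
            Disable-WindowsOptionalFeature -Path $MountDir -FeatureName $f -ErrorAction Stop | Out-Null
        }
        foreach ($f in $EnableFeature) {
            Enable-WindowsOptionalFeature -Path $MountDir -FeatureName $f -All -ErrorAction Stop | Out-Null
        }
        $commit = $true
        # Report the packages now in the image so the change can be reviewed before deployment.
        Get-WindowsPackage -Path $MountDir | Select-Object PackageName, PackageState
    }
    finally {
        # Save only when every step succeeded; otherwise leave the image untouched.
        if ($commit) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
        else         { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
}

# Usage (constructed paths; list valid feature names with
# Get-WindowsOptionalFeature -Path <mount dir>):
#   Update-OfflineImage -ImagePath D:\Images\install.wim -MountDir C:\Mount `
#       -PackagePath D:\Updates\update.msu -DisableFeature SMB1Protocol
```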

Manage driver and driver packages

Add-WdsDriverPackage
Disable-, Enable-, Get-, Import-, Remove-WdsDriverPackage
1. The best way to support new hardware is to capture an image and use it as a
template
2. Modify old images.

Abd, c, d,

1.2 Implement Patch Management


WSUS - Windows Server Update Services
Install and config WSUS role, Configure Group Policy Objects(GPOs) for updates,
Config WSUS groups, Config WSUS Synchronisation, Config client-side targeting,
Manage patch management in mixed environments
Wsusutil.exe needs to be run to sort out whether it’s a WID database (inbuilt) or a
SQL one

To approve an update
Get-WsusUpdate -UpdateId <GUID> | Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"

Can be deployed using Group Policy

Use groups. C, ab, ab,

Install-WindowsRole
Bd, b, c, a, cd
1.3 Configure local storage
Design storage spaces, configure basic and dynamic disks, configure MBR and GPT
disks, manage volumes, create and mount VHDs, configure storage pools and disk
pools, create storage pools by creating disk enclosures
New-StoragePool -FriendlyName <LOETB Storage> -StorageSubSystemFriendlyName <subsystem name> -PhysicalDisks <CIM instances>
Get-StorageSubSystem, Get-PhysicalDisk
Ad, ab, cd, c

70.410 2 Configuring Server Roles and Features

2.1 Configure file and share access

Create and configure shares, configure share permissions, configure offline files,
configure NTFS permissions, Configure ABE, configure Volume shadow copy
service, configure NTFS quotas, Create and configure work folders

2 types of folder shares

Server Message Block (SMB)
Network File System (NFS)

Assign Permissions
Share Permissions – control access to folders over network
NTFS Permissions – control access to files and folders stored on volume

Permissions, configured in the security tab,


Basic – same as – standard 6
Advanced – same as – Special 14

Inheritance

SID used in process for NTFS authorisation


Volume shadow copies
VSS can only be done for an entire volume

Exam tip - 2 types of quota

NTFS and File Server Resource Manager
Work Folders

Inherited deny from Top level


C, B, ab, a, d

2.2 Configure print and document services

Configure the Easy Print print driver, Enterprise Print Management, drivers, printer
pooling, print priorities, printer permissions

Deploying a print Server

4 Components, Print device, Printer, Print Server, Print Driver


Printer Control Language – PCL

Spooler is a print queue

Computer can’t perform Print device role but can all other roles

Direct Printing, locally attached printer sharing, network attached printing,
network-attached printer sharing
Easy print enables remote desktop clients to print to their local print devices

Setting Printer priorities


From 1-99 in printer priority box. The higher has most priority

Printer Pool
Print and Document Services Role
Print Server, Dist, scan server, Internet Printing, LPD Device

Create a Printer Pool

C, b, c, c, d

2.3 Configure servers for remote management

Configure WinRM, down-level Server management, day to day management tasks,
multiserver management, server core, windows firewall, manage non-domain joined
servers
Exam tip – should be familiar with domain and non-domain servers, particularly
authentication

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <servername> -Force

Creates trust between non-domain servers
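
An added example (not from the original notes) that adds one named server to TrustedHosts without overwriting the existing list and rejects wildcard entries, since WinRM does not authenticate the hosts listed there. The function names and the server name in the usage comment are assumptions; run it elevated with the WinRM service started.

```powershell
# Added example. The function names and server name are placeholders.
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Get-TrustedHostList {
    # Current TrustedHosts value as an array of trimmed entries (empty when unset).
    $raw = (Get-Item -Path $TrustedHostsPath).Value
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-TrustedHostEntry {
    param([Parameter(Mandatory)] [string] $ComputerName)

    # A wildcard would let this client send credentials to any host that answers,
    # so only one fully specified name or address is accepted per call.
    if ($ComputerName -match '[*?,\s]') {
        throw "Refusing TrustedHosts entry '$ComputerName': give one explicit host name."
    }
    $current = @(Get-TrustedHostList)
    if ($current -contains '*') {
        Write-Warning 'TrustedHosts already contains "*"; every remote host is trusted.'
    }
    if ($current -notcontains $ComputerName) {
        # -Concatenate appends to the list; a plain Set-Item would replace it.
        Set-Item -Path $TrustedHostsPath -Value $ComputerName -Concatenate -Force
    }
    return @(Get-TrustedHostList)
}

# Usage (constructed server name):
#   Add-TrustedHostEntry -ComputerName 'wkgrp-srv01'
#   Enter-PSSession -ComputerName 'wkgrp-srv01' -Credential (Get-Credential)
```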
Configure-SMRemoting.exe -Get | -Enable | -Disable – WinRM management config

Set-NetFirewallRule -Name <rule name> -Enabled True – set firewall rules through
PowerShell

For older versions of Windows (2008 R2), to add WinRM, .NET Framework 4 and
Windows Management Framework 3 need to be installed

Remote Server Administration Tools – allows Server Management Tools to work on a
client computer

Ralph can create a Server group in Server Manager

A, a, a, bc, b
70.411 2 CH3 Configuring Hyper-V

3.1 Create and configure Virtual Machine settings

Configure dynamic memory, smart paging, resource metering, guest integration
services, generation1 and generation2 VM’s, Enhanced Session mode

Type 2 virtualisation – hypervisor runs on top of a host


Type 1 virtualisation – Hypervisor interacts directly with Physical hardware

Installing HyperV role


Install-WindowsFeature -Name Hyper-V -ComputerName Oonaghmae -IncludeManagementTools -Restart

Creating a VM
New-VM -Name "VM Name" -MemoryStartupBytes <memory> -NewVHDPath <VHD path> -NewVHDSizeBytes <disk size>

Generation 1 VM’s are backward compatible and emulate hardware found on a
typical computer
Generation 2 VM’s use synthetic drivers and software based devices, advantages
are
UEFI (Universal Extensible Firmware Interface) boot
SCSI Disks

Guest Integration Services are:


Operating System shutdown, Time Synchronization, Data exchange, heartbeat,
backup, guest services

Enhanced session mode:


Display config, audio, printers, clipboard, smart cards, usb devices, drives, plug and
play

Using Dynamic memory

Use a non-fixed amount of memory, set maybe 2GB – 4GB

To configure memory settings

Set-VMMemory <vmname> -DynamicMemoryEnabled $true -MinimumBytes <memory> -StartupBytes <memory> -MaximumBytes <memory> -Priority <value> -Buffer <percentage>

Smart paging is where a system uses hard disk memory for RAM

Resource metering metrics:


CPU utilization
Min, Max and average memory usage
Disk space usage
Incoming and outgoing net traffic
3.2 Create and configure Virtual Machine storage

IDE – Integrated drive electronics


SCSI – Small Computer Systems Interface

Create VHDs and VHDX, Configure differencing drives, modify VHDs, config
pass-through disks, manage checkpoints, implement a virtual fibre channel adapter,
config storage QoS

Virtual disk formats

Fixed hard disk image – space waste, more efficient
Dynamic hard disk image – max disk size, expands as written to, less efficient
Differencing hard disk image – child\parent

VHDS – evaluation disk

VHD-2TB, VHDX-64TB

Create VHD PowerShell


New-VHD -Path c:\filename.vhd|c:\filename.vhdx
-Fixed|-Dynamic|-Differencing -SizeBytes <size>
[-BlockSizeBytes <block size>]
[-LogicalSectorSizeBytes 512|4096] [-ParentPath <pathname>]

Checkpoint, were known as snapshots pre-2012, ie, used to revert back after update
deployed if update problematic –AVHD, AVHDX extension.

Fibre channel, not fiber optic


LUN – Logical Unit Number

New-VHD -Path ServerA\disk.VHD -Fixed -SizeBytes 500GB -LogicalSectorSizeBytes 4096


B, B, D, ACD, D
3.3 Create and configure Virtual Networks

Implement HyperV Network virtualization, config HyperV Switches, optimize network
performance, config MAC Addresses, config Net isolation, synthetic and legacy
virtual network adapters, config NIC teaming in VM’s

Switch types
External – Can access the physical network
Internal – VM’s can access each other but not physical adapter
Private – accessible only to child VMs

Create new VirtualSwitch using PowerShell

New-VMSwitch <switch name> -NetAdapterName <adapter name> [-SwitchType Internal|Private]

Synthetic and Emulated Adapters

Synthetic – a virtual device that does not correspond to a real-world product.
Communicates child – parent by VMBus

Emulated – legacy, standard network adapter driver that communicates with parent
partition by making calls directly to the hypervisor
Emulated adapter can be used for PXE boot and when installing an OS on your VMs
that does not have guest integrated services package on it.

70.410 CH4 Deploying and configuring core network services

4.1 Configure IPv4 and IPv6 addressing

Configure IP Address options, subnetting, supernetting, interoperability between
IPv4 and IPv6, ISATAP, Teredo

1.1.1.0 – dotted decimal notation

11111111.11111111.11111111.00000000 = binary form
Subnet mask differentiates network and host bits

Class A (1-127), B(128-191), C(192-223). Classful addressing IPv4

IANA
All zeros – Network ID
All ones – broadcast address

CIDR – Classless Inter-domain routing


VLSM – Variable length subnet mask

IANA – Internet Assigned Numbers Authority, managed by the Internet Corporation for
Assigned Names and Numbers (ICANN), allocates address blocks to Regional Internet
Registries (RIRs), which in turn allocate smaller blocks to ISPs
Private IPs
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

IPv4 subnetting
Supernetting (Aggregation)

Automatic Private IP addressing (APIPA) – 169.254.0.0/16


IPv6 Addressing
128-bit address size
8 x 16-bit Hex numbers
Xx:xx:xx:xx:xx:xx:xx:xx

Address support types


Unicast – one to one transmission service to individual providers, server farms
sharing a single address
Multicast – one to many transmission service to groups of interfaces identified by a
single multicast address
Anycast – One to one of many transmission service to groups of interfaces

Global unicast – equivalent of registered IPv4 address

Link-local unicast – equivalent to APIPA in IPv4
i.e. fe80:0000:0000:0000/64
Unique local unicast address – equivalent of IPv4 private addresses

STATELESS IPV6 ADDRESS Autoconfig


Most of the world still using IPv4, so to transmit IPv6 needs to use IPv4

Dual IP stack
Uses both IPv4 and IPv6 running together, most routers don’t use IPv6

Tunnelling
Transporting IPv6 traffic over an IPv4 network.
IPv6 datagram encapsulated within an IPv4 packet

netsh interface ipv6 add v6v4tunnel "interface" localaddress remoteaddress

6TO4
ISATAP – Intra-site Automatic Addressing Protocol – emulates an IPv6 link by using
an IPv4 network
TEREDO –

Be using CIDR or 172.16.8.0/27


172.16.8.0, 172.16.8.32, 172.16.8.64 etc….

B, C, A, A, C

00000000
1, 2, 4, 8, 16, 32, 64, 128

4.2 Configure Servers

Create and configure scopes, configure a DHCP Reservation, DHCP options, client
and server for PXE boot, DHCP relay agent, DHCP Server, Authorise DHCP Server
DHCP, 3 Components
DHCP Service – responds to client requests for TCPIP settings
DHCP client – issues requests to servers and applies the TCP/IP settings it receives
to the local computer
DHCP Comms protocol – defines the formats and sequences of the messages

DHCP uses port 67 and 68

DHCP comms protocol 8 message types


DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK,
DHCPNAK, DHCPRELEASE, DHCPINFORM

BOOTP – Bootstrap Protocol is the predecessor to DHCP. The primary difference is
that BOOTP allocates IP addresses permanently

Scope Options vs Server Options: specific to scope, specific to server

PXE – Preboot eXecution environment


TFTP – Trivial file transfer protocol, requires no authentication
WDS – Windows Deployment Services

Shorten the lease time on the scope or server options

D, D, C, B, ABD

4.3 Deploy and configure the DNS Service

Configure Active Directory Integration of Primary zones, forwarders, Root hints,
Manage DNS Cache, Create A and PTR resource records
DNS Server converts host names to IP Addresses, pre DNS was host tables

DNS has 3 elements


DNS Namespace - tree structured namespace each branch identifies a domain
Name Servers – DNS Server is a service running on a server that maintains info
about domain tree structure
Resolvers – a client program that generates DNS queries and sends them to a
DNS Server for fulfilment.

DNS cache
TTL – the amount of time DNS data remains cached on a Server

Client-side resolver caching

DNS Referrals and queries


Recursive query – needs to resolve name resolution request
Iterative query – responds with best info at the time for name resolution request

DNS Forwarders
Reverse name resolution – convert IP address to DNS name

DNS zone types


Primary – Master copy of the zone database,
Secondary – duplicate of Primary zone on another computer, contains backup copy
master zone database file. Can only be updated by replicating from Primary, zone
transfer
Stub – creates copy of primary containing key resource records

Create a primary zone in AD with powershell


Add-DnsServerPrimaryZone -Name "zonename.om19.ie" -ReplicationScope "Domain" -PassThru
Resource Record ->
SOA (Start of Authority) – best authoritative source for data concerning zone
NS (Name Server) – DNS Server functioning as an authority for zone
A (Address) – Name to address mapping for IPv4
AAAA (Address) – Name to address mapping for IPv6
PTR (Pointer) – Provides an address to name mapping, opposite of A record
CNAME (Canonical name) – creates an alias that points to the real name of a host
identified by an A record
MX (Mail Exchanger) – System to direct email traffic sent to an address in the domain
to the individual recipient, a mail gateway etc.

Alice can reduce traffic by, changing the ttl for cache,

D, A, B, D, B

70.410 CH5 Installing and administering Active Directory

5.1 Install domain controllers

Add or remove a domain controller from a domain, upgrade a domain controller,
install AD DS (domain services) on Server Core installation, Deploy AD infrastructure
as a service (IaaS) in Windows Azure, Install a domain controller using Install from
Media (IFM), Resolve DNS SRV record registration issues, config global catalog server

DCPROMO.EXE – Deprecated
DSRM –Directory Services Restore Mode

Powershell commands for installing AD DS on Server Core


Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Promote to a DC
Install-ADDSForest
Install-ADDSDomainController
Install-ADDSDomain

Install-ADDSForest -DomainName "OM19.IE"


Get-Help

Install from media (IFM)


Streamline process of deploying replica DC’s to remote sites
DC replicating AD DS database can take a long time over a WAN link
Ntdsutil – can create a copy of install media that includes a copy of the AD DS
database (full replication not necessary on install)

ADprep.exe was used when upgrading DC to a different version of Windows


IAAS on Windows Azure – installing DC on Cloud

AD DS and Windows Azure AD


Demote Domain Controller using Windows PowerShell

Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword <password> -Force

Global Catalog – an index of all AD DS objects in a Forest

Confirm a DC has been registered in the DNS ->

Dcdiag /test:registerdns /dnsdomain:<domain name> /v

3 DC’s for 2 domains inside and litware.com. maybe an Azure DC for London office
A, AC, A, A, B

5.2 Create and manage Active Directory users and computers


Automate the creation of AD accounts, Create, copy, configure and delete users and
computers, config templates, perform bulk AD operations, configure user rights,
offline domain join, manage inactive and disabled accounts

To create multiple users or groups use:


Dsadd.exe, Windows PowerShell, Comma-Separated Values Directory
Exchange (CSVDE.exe), LDAP

DN – Distinguished Name
Cn=matthew, ou=it, dc=nis, dc=ie

Create a new user in AD


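# -AccountPassword takes a SecureString, not a plain string
New-ADUser -Name "Mattie C" -SamAccountName "mattie" `
    -GivenName "Mattie" -Surname "C" -Path 'OU=Research,DC=NIS,DC=ie' `
    -Enabled $true -ChangePasswordAtLogon $true `
    -AccountPassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force)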

Bulk User Creation command


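# One New-ADUser call per CSV row; the password is converted to a SecureString
Import-Csv users.csv | ForEach-Object {
    New-ADUser -SamAccountName $_.SamAccountName `
        -Name $_.Name -Surname $_.Surname `
        -GivenName $_.GivenName -Path "OU=IT,DC=NIS,DC=IE" `
        -AccountPassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) `
        -Enabled $true
}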
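
An added example (not part of the original notes) of the same bulk creation with a different random initial password per account instead of one shared literal. It assumes the ActiveDirectory module, a users.csv with SamAccountName, Name, Surname and GivenName columns, and the OU from the notes; the function names are hypothetical.

```powershell
# Added example; function names and CSV layout are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([ValidateRange(8, 128)] [int] $Length = 16)
    # 24 + 25 + 8 + 7 = 64 characters, so one random byte maps to a character
    # without modulo bias (256 is a multiple of 64).
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ' + 'abcdefghijkmnopqrstuvwxyz' + '23456789' + '!#%+?@='
    if ((256 % $chars.Length) -ne 0) { throw 'Character set size must divide 256.' }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
            # Retry until upper, lower, digit and symbol are all present,
            # so the AD complexity requirement is met.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and
                 $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
        return $pw
    }
    finally { $rng.Dispose() }
}

function New-BulkADUser {
    param(
        [string] $CsvPath = 'users.csv',
        [string] $Path    = 'OU=IT,DC=NIS,DC=IE'
    )
    Import-Csv -Path $CsvPath | ForEach-Object {
        $plain  = New-RandomPassword
        $params = @{
            SamAccountName        = $_.SamAccountName
            Name                  = $_.Name
            Surname               = $_.Surname
            GivenName             = $_.GivenName
            Path                  = $Path
            AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
            ChangePasswordAtLogon = $true   # the initial password is single use
            Enabled               = $true
            ErrorAction           = 'Stop'
        }
        New-ADUser @params
        # Return the one-time password to the caller for out-of-band delivery;
        # nothing is written to disk here.
        [pscustomobject]@{ SamAccountName = $_.SamAccountName; InitialPassword = $plain }
    }
}
```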
Security identifier – SID

Creating Computer object


New-ADComputer -Name <computer name> -Path <distinguished name>

Disable\enable User account

Disable-ADAccount -Identity <account name>
Enable-ADAccount -Identity <account name>
Djoin.exe – joins a computer to a domain offline
D,
B, B, C, D, CD

5.3 Create and manage AD groups and OU’s

OU’s are not security principals, global, domain local and universal groups
do this

Configure group nesting, Convert groups, manage group membership using Group
policy, Enumerate group membership, delegate the creation and management of AD
objects, manage default AD containers, Create, copy, configure and delete groups
and OUs

Access Tokens – only generated when a user first logs on to the network from their PC;
access tokens are used to identify users’ access rights

2 Group types
Distribution and Security

Group Scope

Domain local groups, Global groups, Universal groups

Create a new Group


New-ADGroup -Name <group name> -SamAccountName <SAM name> -GroupCategory Distribution|Security -GroupScope DomainLocal|Global|Universal -Path <dn>

70.410 CH6 Creating and managing Group Policy

6.1 Create Group Policy objects

Configure a Central Store, Manage starter GPOs, configure GPO links, Configure
multiple local group policies, Conf security filtering

3 types of GPOs
Local, non-local (Active directory GPOs) and starter

Group Policy management console


Group Policy Management Editor

Group Policy settings


Computer Configuration, User configuration
Software, Windows settings, Administrative templates

Local policy settings are overridden by nonlocal settings

Allow Executives group access to override

B, B, C, A, A

6.2 Configure Security Policies

Configure user rights assignment, security options settings, security templates, audit
policy, local users and groups, user account control (UAC)

Security template stored as a .inf file

None, d
B, ac, c, a, a

6.3 Configure application restriction policies

Configure rule enforcement, AppLocker rules, software restriction policies

3 Basic strategies for enforcing restrictions

Unrestricted, disallowed, basic user
4 types of software restriction rules
Hash, certificate, path, network zone

Additional settings
Designated file types, enforcement, trusted publishers
AppLocker – Application control policies, can only be used in Win7, Win 2008 R2 or
later
Executable rules, Windows Installer rules, script rules, packaged app rules
AppLocker needs the Application Identity service running

Sophie can apply an allow rule in AppLocker to groups ResDev and RDint
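
An added example (not from the original notes) that builds allow rules for the two groups named above from a reference folder and checks the result with Test-AppLockerPolicy before anything is deployed. The function name, the folder paths and the NIS domain prefix are assumptions.

```powershell
# Added example; folder paths and the NIS\ domain prefix are assumptions.
function New-GroupAllowPolicy {
    param(
        [Parameter(Mandatory)] [string]   $ReferenceDir,   # folder holding the approved executables
        [Parameter(Mandatory)] [string[]] $Group,          # e.g. 'NIS\ResDev', 'NIS\RDint'
        [Parameter(Mandatory)] [string]   $OutDir          # where the policy XML files are written
    )
    # AppLocker needs the Application Identity service running to enforce rules.
    $svc = Get-Service -Name AppIDSvc
    if ($svc.Status -ne 'Running') {
        Write-Warning "AppIDSvc is $($svc.Status); AppLocker needs it running to enforce rules."
    }

    $files = @(Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe)
    if ($files.Count -eq 0) { throw "No executables found under $ReferenceDir" }
    $exePaths = @(Get-ChildItem -Path $ReferenceDir -Recurse -Filter *.exe |
                  Select-Object -ExpandProperty FullName)

    foreach ($g in $Group) {
        $name    = ($g -split '\\')[-1]
        $xmlPath = Join-Path $OutDir "$name-allow.xml"
        # Publisher rules for signed files, hash rules for the rest, scoped to this group only.
        $files |
            New-AppLockerPolicy -RuleType Publisher, Hash -User $g -RuleNamePrefix $name -Optimize -Xml |
            Set-Content -Path $xmlPath -Encoding UTF8
        # Dry run: evaluate the saved policy for this group without applying it.
        Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exePaths -User $g |
            Select-Object @{ n = 'Group'; e = { $g } }, FilePath, PolicyDecision, MatchingRule
    }
}

# Usage (constructed paths):
#   New-GroupAllowPolicy -ReferenceDir 'C:\Program Files\ResearchApp' `
#       -Group 'NIS\ResDev', 'NIS\RDint' -OutDir C:\Policies
```

Once a rule collection contains any rule, executables that match no allow rule are blocked for all users, so merge these rules with the default rules before enforcing them.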

D, b, c, b, a

6.4 Configure windows firewall

Configure rules for multiple profiles using group policy, connection security rules,
windows firewall to allow or deny applications, scopes, ports and users,
authenticated firewall exceptions, import and export settings

3 criteria that firewalls use in their rules


IP Addresses, protocol numbers, port numbers

Previously, allowed apps was called exceptions

Export to .wfw

IPSec = collection of documents that define a method for securing data

Ralph can set up an app specific rule or use IPSec

D, b, C, AC
