Exam Ref 70-743 Upgrading Your Skills to MCSA: Windows Server 2016
Charles Pluta

Published with the authorization of Microsoft Corporation by: Pearson Education, Inc.
Copyright © 2017 by Pearson Education, Inc. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearsoned.com/permissions/. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7356-9743-0
ISBN-10: 0-7356-9743-4
Library of Congress Control Number: 2016959957
First Printing December 2016

Trademarks
Microsoft and the trademarks listed at https://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or programs accompanying it.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419. For government sales inquiries, please contact [email protected]. For questions about sales outside the U.S., please contact [email protected].

Editor-in-Chief: Greg Wiegand
Acquisitions Editor: Trina MacDonald
Development Editor: Rick Kughen
Managing Editor: Sandra Schroeder
Senior Project Editor: Tracey Croom
Editorial Production: Backstop Media, Troy Mott
Copy Editor: Jordan Severn
Indexer: Julie Grady
Proofreader: Christina Rudloff
Technical Editor: Ron Handlon
Cover Designer: Twist Creative, Seattle

Contents at a glance
Introduction  xix
Preparing for the exam  xxiii
CHAPTER 1  Install Windows Servers in host and compute environments  1
CHAPTER 2  Implement storage solutions  29
CHAPTER 3  Implement Hyper-V  51
CHAPTER 4  Implement Windows Containers  93
CHAPTER 5  Implement high availability  113
CHAPTER 6  Implement DNS  163
CHAPTER 7  Implement IP Address Management  183
CHAPTER 8  Implement network connectivity and remote access solutions  209
CHAPTER 9  Implement an advanced network infrastructure  227
CHAPTER 10  Install and configure Active Directory Domain Services  243
CHAPTER 11  Implement identity federation and access solutions  273
Index  293

Contents
Introduction  xix
    Organization of this book  xx
    Microsoft certifications  xx
    Acknowledgments  xx
    Free ebooks from Microsoft Press  xxi
    Microsoft Virtual Academy  xxi
    Quick access to online references  xxi
    Errata, updates, & book support  xxii
    We want to hear from you  xxii
    Stay in touch  xxii
    Preparing for the exam  xxiii

Chapter 1  Install Windows Servers in host and compute environments  1
    Skill 1.1: Install, upgrade, and migrate servers and workloads  2
        Determine Windows Server 2016 installation requirements  3
        Determine appropriate Windows Server 2016 editions per workload  4
        Install Windows Server 2016  4
        Install Windows Server 2016 features and roles  5
        Install and configure Windows Server Core  7
        Manage Windows Server Core installations using Windows PowerShell, command line, and remote management capabilities  8
        Implement Windows PowerShell Desired State Configuration to install and maintain integrity of installed environments  9
        Perform upgrades and migrations of servers and core workloads from Windows Server 2008 and Windows Server 2012 to Windows Server 2016  10
        Determine the appropriate activation model for server installation, such as Automatic Virtual Machine Activation, Key Management Service, and Active Directory-based Activation  11
    Skill 1.2: Install and configure Nano Server  14
        Determine appropriate usage scenarios and requirements for Nano Server  15
        Install Nano Server  15
        Implement roles and features on Nano Server  17
        Manage and configure Nano Server  19
    Skill 1.3: Create, manage, and maintain images for deployment  20
        Plan for Windows Server virtualization  21
        Plan for Linux and FreeBSD deployments  22
        Assess virtualization workloads using the Microsoft Assessment and Planning Toolkit, determine considerations for deploying workloads into virtualized environments  24
        Manage and maintain Windows Server Core, Nano Server images, and VHDs using Windows PowerShell, update images with patches, hotfixes, and drivers and install roles and features in offline images  25
    Chapter summary  26
    Thought Experiment  26
    Thought Experiment Answer  27

Chapter 2  Implement storage solutions  29
    Skill 2.1: Implement server storage  29
        Configure storage pools  30
        Implement simple, mirror, and parity storage layout options for disks or enclosures  32
        Expand storage pools  35
        Configure tiered storage  35
        Configure iSCSI target and initiator  36
        Configure iSNS  39
        Configure Datacenter Bridging  40
        Configure Multi-Path IO (MPIO)  41
        Determine usage scenarios for Storage Replica  42
        Implement Storage Replica for server-to-server, cluster-to-cluster, and stretch cluster scenarios  44
    Skill 2.2: Implement data deduplication  44
        Implement and configure deduplication  45
        Determine appropriate usage scenarios for deduplication  45
        Monitor deduplication  47
        Implement a backup and restore solution with deduplication  48
    Chapter summary  48
    Thought Experiment  49
    Thought Experiment Answers  49

Chapter 3  Implement Hyper-V  51
    Skill 3.1: Install and configure Hyper-V  51
        Determine hardware and compatibility requirements for installing Hyper-V  52
        Install Hyper-V  52
        Install management tools  52
        Upgrade from existing versions of Hyper-V  54
        Delegate virtual machine management  55
        Perform remote management of Hyper-V hosts  58
        Configure virtual machines using Windows PowerShell Direct  59
        Implement nested virtualization  60
    Skill 3.2: Configure virtual machine settings  62
        Add or remove memory in a running VM  62
        Configure dynamic memory  63
        Configure Non-Uniform Memory Access support  63
        Configure smart paging  64
        Configure Resource Metering  65
        Manage Integration Services  67
        Create and configure Generation 1 and 2 VMs and determine appropriate usage scenarios  68
        Implement enhanced session mode  68
        Create Linux and FreeBSD VMs, install and configure Linux Integration Services, and install and configure FreeBSD Integration Services  69
        Implement Secure Boot for Windows and Linux environments  70
        Move and convert VMs from previous versions of Hyper-V to Windows Server 2016 Hyper-V  70
        Export and import VMs  71
        Implement Discrete Device Assignment (DDA)  72
    Skill 3.3: Configure Hyper-V storage  73
        Create VHDs and VHDX files using Hyper-V Manager  73
        Create shared VHDX files  75
        Configure differencing disks  76
        Configure pass-through disks  77
        Resize a virtual hard disk  77
        Manage checkpoints  79
        Implement production checkpoints  79
        Implement a virtual Fibre Channel adapter  80
        Configure storage Quality of Service (QoS)  82
    Skill 3.4: Configure Hyper-V networking  82
        Add and remove virtual network interface cards, configuring network adapters, configuring virtual machine queue, and configuring bandwidth management  83
        Configure Hyper-V virtual switches and configure network isolation  84
        Optimize network performance  85
        Configure MAC addresses  86
        Configure NIC teaming in VMs  88
        Enable Remote Direct Memory Access on network adapters bound to a Hyper-V virtual switch using Switch Embedded Teaming  89
    Chapter summary  90
    Thought Experiment  91
    Thought Experiment Answers  91

Chapter 4  Implement Windows Containers  93
    Skill 4.1: Deploy Windows Containers  93
        Determine installation requirements and appropriate scenarios for Windows Containers  94
        Install and configure containers  94
        Install Docker on Windows Server and Nano Server  95
        Configure Docker daemon start-up options  96
        Install a base operating system  97
        Tag an image  98
        Uninstall an operating system image  98
        Create Windows Server containers  99
        Create Hyper-V containers  99
    Skill 4.2: Manage Windows Containers  101
        Manage Windows or Linux containers using the Docker daemon  101
        Manage Windows or Linux containers using Windows PowerShell  102
        Manage container networking  103
        Manage container data volumes  106
        Manage resource control  106
        Create new container images using Dockerfile  107
        Manage container images using Docker Hub repository for public and private scenarios  107
        Manage container images using Microsoft Azure  109
    Chapter summary  110
    Thought Experiment  110
    Thought Experiment Answers  111

Chapter 5  Implement high availability  113
    Skill 5.1: Implement high availability and disaster recovery options in Hyper-V  114
        Implement Hyper-V replica  114
        Implement Live Migration  115
        Implement shared nothing Live Migration  120
        Configure CredSSP or Kerberos authentication protocol for Live Migration  121
        Implement storage migration  123
    Skill 5.2: Implement failover clustering  126
        Implement workgroup, single, and multi-domain clusters  127
        Configure quorum and configure cloud witness  130
        Configure cluster networking  134
        Restore single node or cluster configuration  136
        Configure cluster storage and implement a Clustered Storage Spaces solution using Shared SAS storage enclosures  136
        Implement Cluster-Aware Updating  138
        Implement Cluster Operating System Rolling Upgrade  140
        Configure and optimize clustered shared volumes (CSVs)  141
        Configure clusters without network names  142
        Implement Scale-Out File Server (SoFS)  142
        Determine different scenarios for the use of SoFS vs. clustered File Server  143
        Determine usage scenarios for implementing guest clustering  143
        Implement Storage Replica  143
        Implement VM resiliency  145
        Implement shared VHDX as a storage solution for guest clusters  146
    Skill 5.3: Implement Storage Spaces Direct  148
        Determine scenario requirements for implementing Storage Spaces Direct  148
        Enable Storage Spaces Direct using Windows PowerShell  148
        Implement a disaggregated Storage Spaces Direct scenario in a cluster  149
        Implement a hyper-converged Storage Spaces Direct scenario in a cluster  150
    Skill 5.4: Manage failover clustering  152
        Configure role-specific settings, including continuously available shares  152
        Configure VM monitoring  153
        Configure failover and preference settings  154
        Implement stretch and site-aware failover clusters  157
        Enable and configure node fairness  157
    Skill 5.5: Manage VM movement in clustered nodes  158
        Perform live migration  158
        Perform quick migration  158
        Perform storage migration  158
        Import, export, and copy VMs  159
        Configure VM network health protection  159
        Configure drain on shutdown  160
    Chapter summary  160
    Thought Experiment  161
    Thought Experiment Answers  161

Chapter 6  Implement DNS  163
    Implement and configure DNS servers  163
        Determine DNS installation requirements  164
        Determine supported DNS deployment scenarios on Nano Server  165
        Install DNS  165
        Configure forwarders  165
        Configure root hints  168
        Configure delegation  169
        Implement DNS policies  171
        Configure Domain Name System Security Extensions  172
        Configure DNS socket pool  173
        Configure cache locking  173
        Enable Response Rate Limiting (RRL)  173
        Configure DNS-based Authentication of Named Entities  174
        Configure DNS logging  175
        Configure delegated administration  175
        Configure recursion settings  177
        Implement DNS performance tuning  179
        Configure global settings using Windows PowerShell  179
    Chapter summary  180
    Thought Experiment  180
    Thought Experiment Answers  181

Chapter 7  Implement IP Address Management  183
    Skill 7.1: Install and configure IPAM  183
        Provision IPAM manually or by using Group Policy  184
        Configure server discovery  191
        Create and manage IP blocks and ranges  193
        Monitor utilization of IP address space  195
        Migrate existing workloads to IPAM  198
        Configure IPAM database storage using SQL Server  198
        Determine scenarios for using IPAM with System Center Virtual Machine Manager for physical and virtual IP address space management  199
        Manage DHCP server properties using IPAM  200
        Configure DHCP scopes and options  201
        Configure DHCP policies and failover  202
        Manage DNS server properties using IPAM  202
        Manage DNS zones and records  203
        Manage DNS and DHCP servers in multiple Active Directory forests  204
        Delegate administration for DNS and DHCP using Role-Based Access Control (RBAC)  204
    Chapter summary  206
    Thought Experiment  206
    Thought Experiment Answers  207

Chapter 8  Implement network connectivity and remote access solutions  209
    Implement Virtual Private Network and DirectAccess solutions  209
        Implement remote access and site-to-site VPN solutions using Remote Access Gateway  210
        Configure different VPN protocol options  215
        Configure authentication options  216
        Configure VPN reconnect  217
        Create and configure connection profiles  217
        Determine when to use remote access VPN and site-to-site VPN and configure appropriate protocols  217
        Install and configure DirectAccess  218
        Implement server requirements  222
        Implement client configuration  223
        Troubleshoot DirectAccess  223
    Chapter summary  224
    Thought Experiment  224
    Thought Experiment Answers  225

Chapter 9  Implement an advanced network infrastructure  227
    Skill 9.1: Implement high performance network solutions  228
        Implement NIC Teaming or the Switch Embedded Teaming solution and identify when to use each  228
        Enable and configure Receive Side Scaling and enable and configure virtual Receive Side Scaling on a Virtual Machine Queue capable network adapter  229
        Enable and configure network Quality of Service with Data Center Bridging  231
        Enable and configure SMB Direct on Remote Direct Memory Access enabled network adapters  231
        Enable and configure SMB Multichannel  232
        Enable and configure Virtual Machine Multi-Queue  233
        Enable and configure Single-Root I/O Virtualization on a supported network adapter  233
    Skill 9.2: Determine scenarios and requirements for implementing Software Defined Networking  234
        Determine deployment scenarios and network requirements for deploying SDN  235
        Determine requirements and scenarios for implementing Hyper-V Network Virtualization using Network Virtualization Generic Route Encapsulation encapsulation or Virtual Extensible LAN encapsulation  236
        Determine scenarios for implementation of Software Load Balancer for North-South and East-West load balancing  237
        Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their uses  239
        Determine requirements and scenarios for distributed firewall policies and network security groups  239
    Chapter summary  241
    Thought Experiment  241
    Thought Experiment Answers  242

Chapter 10  Install and configure Active Directory Domain Services  243
    Skill 10.1: Install and configure domain controllers  243
        Install a new forest  244
        Add or remove a domain controller from a domain  248
        Upgrade a domain controller  250
        Install AD DS on a Server Core installation  251
        Install a domain controller from Install from Media  253
        Resolve DNS SRV record registration issues  257
        Configure a global catalog server  258
        Transfer and seize operations master roles  260
        Install and configure a read-only domain controller  263
        Configure domain controller cloning  267
    Chapter summary  270
    Thought experiment: Upgrading the forest  270
    Thought experiment answers  271

Chapter 11  Implement identity federation and access solutions  273
    Skill 11.1: Install and configure Active Directory Federation Services  274
        Upgrade and migrate previous AD FS workloads to Windows Server 2016  275
        Implement claims-based authentication, including Relying Party Trusts  275
        Configure authentication policies  278
        Configure multi-factor authentication  280
        Implement and configure device registration  282
        Integrate AD FS with Windows Hello for Business  283
        Configure for use with Microsoft Azure and Office 365  283
        Configure AD FS to enable authentication of users stored in LDAP directories  284
    Skill 11.2: Implement Web Application Proxy  284
        Install and configure WAP  285
        Implement WAP in pass-through mode  286
        Implement and integrate WAP as AD FS proxy  287
        Configure AD FS requirements  288
        Publish web apps via WAP  289
        Publish Remote Desktop Gateway applications  290
        Configure HTTP to HTTPS redirects  290
        Configure internal and external Fully Qualified Domain Names (FQDNs)  290
    Chapter summary  291
    Thought Experiment  291
    Thought Experiment Answers  292

Index  293

What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: https://aka.ms/tellpress

Introduction
With each release of Windows Server, more and more features are added or modified, which makes knowing the product inside and out increasingly difficult. The 70-743 exam, “Upgrading your skills to Windows Server 2016,” is for administrators who have previously achieved the MCSA certification for Windows Server 2008 or Windows Server 2012 and plan to achieve the latest certification offering. Because the exam is geared specifically towards administrators with existing knowledge, this Exam Ref book assumes you remember the knowledge that is necessary to pass the previous versions of the exam. Therefore, we focus solely on the skills that are measured in the 70-743 exam, sometimes skipping the basics of a skill. Many of these skills build on the knowledge you’ve retained from Windows Server 2008 or Windows Server 2012. However, some of the skills are brand new to Windows Server 2016 and are expected to be highlighted on the exam. The goal of this book is to act as a reference that gives you the tools and knowledge you need to pass the exam. While we cover every skill that the exam measures and focus on real-world examples of how to use the technologies listed, there is no way to guarantee that you will pass the exam simply by using this book. As you are well aware as an existing MCSA credential holder, nothing is better than getting hands-on experience with each of the roles and features in Windows Server 2016 before taking the exam.
It is recommended that you use the information in this book combined with a hands-on approach of trying each role or feature discussed, using both graphical and Windows PowerShell (or command-line) tools. This will ensure that you have the best opportunity to succeed when taking the exam.

This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the “Need more review?” links you’ll find in the text to find more information and take the time to research and study the topic. Great information is available on MSDN, TechNet, MVA, and in blogs and forums.

Organization of this book
This book is organized by the “Skills measured” list published for the exam. The “Skills measured” list is available for each exam on the Microsoft Learning website: https://aka.ms/examlist. Each chapter in this book corresponds to a major topic area in the list, and the technical tasks in each topic area determine a chapter’s organization. If an exam covers six major topic areas, for example, the book will contain six chapters.

Microsoft certifications
Microsoft certifications distinguish you by proving your command of a broad set of skills and experience with current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies both on-premises and in the cloud. Certification brings a variety of benefits to the individual and to employers and organizations.
MORE INFO: ALL MICROSOFT CERTIFICATIONS
For information about Microsoft certifications, including a full list of available certifications, go to https://www.microsoft.com/learning.

Acknowledgments
Charles Pluta: I would like to thank my wife Jen for her love and support throughout all of my projects. I would also like to thank Greg Baker for giving me the opportunity to succeed from the beginning of my career. I would also like to thank Brian Svidergol, Elias Mereb, and Mike Corkery, who have provided their continued friendship and technical expertise throughout the years. Finally, I would like to thank Trina, Troy, and all of the editors and reviewers behind the scenes that dedicated their time to making this book happen.

Free ebooks from Microsoft Press
From technical overviews to in-depth information on special topics, the free ebooks from Microsoft Press cover a wide range of topics. These ebooks are available in PDF, EPUB, and Mobi for Kindle formats, ready for you to download at: https://aka.ms/mspressfree. Check back often to see what is new!

Microsoft Virtual Academy
Build your knowledge of Microsoft technologies with free expert-led online training from Microsoft Virtual Academy (MVA). MVA offers a comprehensive library of videos, live events, and more to help you learn the latest technologies and prepare for certification exams. You’ll find what you need here: https://www.microsoftvirtualacademy.com

Quick access to online references
Throughout this book are addresses to webpages that the author has recommended you visit for more information. Some of these addresses (also known as URLs) can be painstaking to type into a web browser, so we’ve compiled all of them into a single list that readers of the print edition can refer to while they read. Download the list at https://aka.ms/examref743/downloads. The URLs are organized by chapter and heading.
Every time you come across a URL in the book, find the hyperlink in the list to go directly to the webpage.

Errata, updates, & book support
We’ve made every effort to ensure the accuracy of this book and its companion content. You can access updates to this book, in the form of a list of submitted errata and their related corrections, at: https://aka.ms/examref743/errata. If you discover an error that is not already listed, please submit it to us at the same page. If you need additional support, email Microsoft Press Book Support at [email protected]. Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to https://support.microsoft.com.

We want to hear from you
At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at: https://aka.ms/tellpress. We know you’re busy, so we’ve kept it short with just a few questions. Your answers go directly to the editors at Microsoft Press. (No personal information will be requested.) Thanks in advance for your input!

Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.

Important: How to use this book to study for the exam
Certification exams validate your on-the-job experience and product knowledge. To gauge your readiness to take an exam, use this Exam Ref to help you check your understanding of the skills tested by the exam. Determine the topics you know well and the areas in which you need more experience. To help you refresh your skills in specific areas, we have also provided “Need more review?” pointers, which direct you to more in-depth information outside the book. The Exam Ref is not a substitute for hands-on experience. This book is not designed to teach you new skills.
We recommend that you round out your exam preparation by using a combination of available study materials and courses. Learn more about available classroom training at https://www.microsoft.com/learning. Microsoft Official Practice Tests are available for many exams at https://aka.ms/practicetests. You can also find free online courses and live events from Microsoft Virtual Academy at https://www.microsoftvirtualacademy.com.

This book is organized by the “Skills measured” list published for the exam. The “Skills measured” list for each exam is available on the Microsoft Learning website: https://aka.ms/examlist. Note that this Exam Ref is based on this publicly available information and the author’s experience. To safeguard the integrity of the exam, authors do not have access to the exam questions.

CHAPTER 1
Install Windows Servers in host and compute environments

In this chapter we discuss the requirements for installing, upgrading, and migrating servers to Windows Server 2016. We’ll also cover Nano Server, the new version of Windows Server. Finally, we will discuss how to create, manage, and maintain images that can be used for Windows Server deployments.

IMPORTANT: Have you read page xxiii? It contains valuable information regarding the skills you need to pass the exam.

Windows Server 2016 introduces several new features compared to Windows Server 2012. These features include:
■ Nano Server  Offers a new installation type that does not provide a graphical or command prompt experience and must be managed remotely.
■ Containers  Isolates applications from the operating system. Each container is isolated, but runs on the base operating system. You can further isolate a container by running it as a virtual machine with Hyper-V.
■ Docker  Provides a method of managing containers, and is supported for Windows Server 2016 and Hyper-V.
■ Rolling upgrades  Enables you to add Windows Server 2016 nodes to an existing Windows Server 2012 R2 failover cluster and continue to operate the cluster until all nodes have been upgraded.
■ Hyper-V memory enhancements  Enables you to dynamically add or remove virtual memory and network adapters from running virtual machines (VMs).
■ Nested virtualization  Provides a method of running a nested Hyper-V installation within a VM.
■ Shielded virtual machines  Shields a virtual machine so that the data stored on the VM is protected.
■ PowerShell Direct  Enables you to run PowerShell on a VM without additional security policies, network, or firewall settings.
■ Windows Defender  Enabled by default on Windows Server 2016 installations, with anti-malware patterns automatically kept up to date.
■ Storage Spaces Direct  Enables you to build a highly available storage set with direct attached storage by using Server Message Block version 3.0 (SMB 3.0).
■ Storage Replica  Enables you to replicate volumes at the block level for additional redundancy.
■ Microsoft Passport  Enables you to use two-factor authentication by using an enrolled device with Windows Hello or a PIN.
■ Remote Desktop Services  Allows an Azure Structured Query Language (SQL) database to be used, creating a highly available environment with the Remote Desktop Connection Broker.
■ Active Directory Domain Services (AD DS)  Adds AD DS improvements to support privileged access management, Azure AD Join, and Microsoft Passport.

Skills in this chapter:
■ Install, upgrade, and migrate servers and workloads
■ Install and configure Nano Server
■ Create, manage, and maintain images for deployment

Skill 1.1: Install, upgrade, and migrate servers and workloads
Windows Server 2016 offers similar editions and installation options compared to Windows Server 2008 and 2012.
In this section, we discuss the installation requirements for the base installation of Windows Server, and outline how Windows Server 2016 differs from previous versions. We discuss the differences in the installation process, server roles, and features.

This section covers how to:
■ Determine Windows Server 2016 installation requirements
■ Determine appropriate Windows Server 2016 editions per workload
■ Install Windows Server 2016
■ Install Windows Server 2016 features and roles
■ Install and configure Windows Server Core
■ Manage Windows Server Core installations using Windows PowerShell, command line, and remote management capabilities
■ Implement Windows PowerShell Desired State Configuration to install and maintain integrity of installed environments
■ Perform upgrades and migrations of servers and core workloads from Windows Server 2008 and Windows Server 2012 to Windows Server 2016
■ Determine the appropriate activation model for server installation, such as Automatic Virtual Machine Activation, Key Management Service, and Active Directory-based Activation

Determine Windows Server 2016 installation requirements

Microsoft publishes a set of minimum requirements that define the bare essentials needed to install Windows Server 2016. These are minimums only: if your computer does not meet them, you may encounter an error during or after installation. The minimum requirements are:
■ 1.4 GHz 64-bit processor
■ 512 MB RAM (Error Correcting Code, or ECC, type)
■ 32 GB disk space

Note that if you install Windows Server 2016 as a virtual machine, Setup might initially fail with only 512 MB of RAM. A workaround is to assign 800 MB for the installation and then reduce it to 512 MB afterward. 32 GB of storage space is also a bare minimum, and is sufficient only for Server Core installations.
A Server with Desktop Experience (graphical user interface, or GUI) installation uses approximately 4 GB of additional space. Be aware also that network installations, and servers with more than 16 GB of RAM, need additional disk space for paging, hibernation, and dump files.

EXAM TIP If you install the Server Core option, no GUI components are installed, and you cannot enable a GUI afterward from Server Manager. If you need a full GUI on the server, choose the Server with Desktop Experience option at installation time.

If you plan to use BitLocker Drive Encryption with TPM-based key protectors, the physical server hardware must also have a Trusted Platform Module (TPM) chip; version 2.0 is recommended. A TPM 2.0 must have an Endorsement Key (EK) certificate that is either pre-provisioned or obtainable by the device during the boot process, because TPM key attestation depends on it. BitLocker can also be configured without a TPM by using a startup key or password, but that configuration cannot verify the integrity of the boot chain and is correspondingly weaker.

NEED MORE REVIEW? LEARN MORE ABOUT TPM CHIPS For more information regarding TPM chips and TPM key attestation, visit https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/component-updates/tpm-key-attestation.

While some previous versions of Windows Server have listed a recommended set of system requirements, Windows Server 2016 has no such list. The recommended hardware varies significantly between the different editions that can be deployed, as well as the server roles or applications that are installed. Instead of relying on a recommended set of numbers, perform test deployments of the scenario that you need in order to obtain a good baseline for your environment.

Determine appropriate Windows Server 2016 editions per workload

Microsoft offers several editions of Windows Server 2016. Selecting the appropriate edition for your environment depends on the size or functionality that you expect to receive from the server. Table 1-1 lists the Windows Server 2016 editions that are available.
TABLE 1-1 Comparing Windows Server 2016 editions

Edition                                        Description                                      License model    Client access license (CAL)
Windows Server 2016 Datacenter                 Highly virtualized environments                  Per core         Windows Server CAL
Windows Server 2016 Standard                   Physical or minimally virtualized environments   Per core         Windows Server CAL
Windows Server 2016 Essentials                 Small businesses                                 Per processor    N/A
Windows Server 2016 MultiPoint Premium Server  Academic volume licensing                        Per processor    Windows Server CAL and Remote Desktop Services CAL
Windows Storage Server 2016                    OEM channel                                      Per processor    N/A
Microsoft Hyper-V Server 2016                  Free hypervisor                                  N/A              N/A

Another installation option of Windows Server is Nano Server, which is discussed later in this chapter in “Skill 1.2: Install and configure Nano Server.”

Install Windows Server 2016

Although there are a few different editions of Windows Server 2016, the installation process is fairly similar for each of them. Manually installing Windows Server is as simple as completing the GUI wizard and selecting the options. The most important decision in the installation process is the type of installation:
■ Server Core (default)
■ Server with Desktop Experience

In previous versions of Windows Server, you could use Server Manager or Windows PowerShell to add or remove the GUI after installation. With Windows Server 2016, once the installation type has been selected, it cannot be changed. Figure 1-1 shows the available options when manually installing Windows Server 2016.

FIGURE 1-1 Windows Setup

Install Windows Server 2016 features and roles

Windows Server 2016 introduces two new server roles that can be installed:

■ Device Health Attestation (DHA) Works with TPM chips and Mobile Device Management (MDM) to assess device health. A Windows 10 device reports its TPM-signed boot measurements (for example, whether Secure Boot, BitLocker, and code integrity are enabled) to the DHA service, and the MDM uses the verdict to decide whether the device is healthy enough to be granted access. DHA enables organizations to raise the security of their mobile devices and monitor mobile device health.
■ MultiPoint Services Originally designed for classroom and lab environments, MultiPoint (previously called Windows MultiPoint Server 2012) enables multiple users to share one computer while each still receives an individual desktop. Unlike Remote Desktop Services, MultiPoint does not require a separate Remote Desktop Connection Broker or Gateway.

NEED MORE REVIEW? DEVICE HEALTH ATTESTATION For more information regarding DHA with Windows 10, visit https://technet.microsoft.com/en-us/library/mt750346.aspx.

The following features have been removed as of Windows Server 2016:
■ Ink and Handwriting Services
■ User Interfaces and Infrastructure

Three new features have been added to Windows Server 2016:
■ Setup and Boot Event Collection Enables you to collect and log the setup and boot events from other computers on the network.
■ VM Shielding Tools for Fabric Management Provides shielding tools for the Fabric Management server on a network. For the upgrade exam, Fabric Management is not specifically called out in the skills measured.
■ Windows Defender Features Comes pre-installed and provides malware protection for the server.

Remember that in addition to using Server Manager, you can also install server roles and features by using the Install-WindowsFeature cmdlet. To obtain the list of available features that can be installed, use the Get-WindowsFeature cmdlet.
For example, to see the available server roles and features that relate to Active Directory, run the following command:

    Get-WindowsFeature -Name AD* | FT Name

Windows returns a list of server roles and features similar to the following:

    Name
    ----
    AD-Certificate
    ADCS-Cert-Authority
    ADCS-Enroll-Web-Pol
    ADCS-Enroll-Web-Svc
    ADCS-Web-Enrollment
    ADCS-Device-Enrollment
    ADCS-Online-Cert
    AD-Domain-Services
    ADFS-Federation
    ADLDS
    ADRMS
    ADRMS-Server
    ADRMS-Identity

Install and configure Windows Server Core

Accepting the defaults in the Windows Setup wizard produces a Server Core installation; the default settings do not include the Desktop Experience features. Figure 1-2 shows the initial logon screen after performing a Server Core installation.

FIGURE 1-2 Server Core log on screen

As Figure 1-2 shows, there is no graphical element to the installation. Unlike some previous versions, you cannot switch from a Server Core installation to an installation with a GUI. The Desktop Experience installation option must be selected during installation to add these specific features.

After changing the password or logging in for the first time, you are simply presented with a blank command prompt. To make any configuration changes locally on the server, run the sconfig.cmd command from the command prompt. Figure 1-3 shows the available configuration options when running sconfig.

FIGURE 1-3 sconfig.cmd

Almost any task that you can complete from Server Manager can also be completed by running sconfig. Note that sconfig is not restricted to Server Core; it can also be used to configure a full server installation with the Desktop Experience.

NOTE MORE ON SCONFIG After options 10 and 11 (the product improvement opt-in and Windows Activation) have been configured, they are removed from the sconfig menu.
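The following is an added example (not from the book) that shows the Install-WindowsFeature and Get-WindowsFeature cmdlets described above being used against a Server Core host from a separate management workstation, together with the firewall rule groups that the remote management subsection below lists as prerequisites. The host name CORE01, the role chosen (Web-Server), and the assumption that WinRM is reachable are all hypothetical.

```powershell
# Added example (not from the book): prepare a Server Core host for remote
# management and install one role on it from a management workstation.
# Assumptions (hypothetical): the host is CORE01, a member of the same domain,
# and WinRM (enabled by default on Server Core) is reachable on TCP 5985.

$ServerName = 'CORE01'

# 1. Open the built-in firewall rule groups that Server Manager and the MMC
#    tools need in addition to WinRM. Run this on the target via remoting.
Invoke-Command -ComputerName $ServerName -ScriptBlock {
    'COM+ Network Access', 'Remote Event Log Management' | ForEach-Object {
        Enable-NetFirewallRule -DisplayGroup $_
    }
    # Keep the attack surface small: show which inbound groups are now open so
    # that anything enabled by accident stands out.
    Get-NetFirewallRule -Enabled True -Direction Inbound |
        Where-Object { $_.DisplayGroup -in 'COM+ Network Access',
                       'Remote Event Log Management', 'Windows Remote Management' } |
        Select-Object DisplayName, Profile, Enabled
}

# 2. Install only the role that is needed. Install-WindowsFeature accepts
#    -ComputerName, so no interactive session on the target is required.
#    -IncludeManagementTools is deliberately omitted: on Server Core the
#    management tools are used from the workstation, not on the server.
$result = Install-WindowsFeature -Name Web-Server -ComputerName $ServerName

# 3. Check the result object before handing the host over; RestartNeeded can
#    be 'Yes', 'No' or 'Maybe'.
if (-not $result.Success) {
    throw "Install failed on ${ServerName}: exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Restart-Computer -ComputerName $ServerName -Wait -For PowerShell -Force
}

# 4. Audit what is installed so that unexpected roles or features are visible.
Get-WindowsFeature -ComputerName $ServerName |
    Where-Object Installed |
    Select-Object Name, DisplayName |
    Sort-Object Name
```

The same pattern applies to any role: enable the narrowest firewall groups you need, install by feature name rather than through a wizard, and record the installed set afterward so that drift is visible on the next audit.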
Manage Windows Server Core installations using Windows PowerShell, command line, and remote management capabilities

Remote management is enabled by default in a Server Core installation. There are a few different options for managing a Server Core installation remotely:
■ Server Manager
■ Windows PowerShell
■ Remote Server Administration Tools (RSAT)
■ Remote Desktop
■ Group Policy (not supported on Nano Server)

Server Manager can be used from a Windows Server that has the Desktop Experience features installed. Simply add the Server Core installation to Server Manager to manage it remotely. To use Windows PowerShell, specify the server in the command just as you would for a server with a desktop. As of this writing, a specific version of RSAT for Windows Server 2016 has not been released; however, the RSAT tools for Windows 10 can remotely manage a Windows Server 2016 installation.

Ensure that you make the appropriate firewall exceptions for remote management to operate as expected. The following built-in exceptions need to be enabled:
■ COM+ Network Access (DCOM-In)
■ Remote Event Log Management (NP-In)
■ Remote Event Log Management (RPC)
■ Remote Event Log Management (RPC-EPMAP)

Implement Windows PowerShell Desired State Configuration to install and maintain integrity of installed environments

Desired State Configuration (DSC) extends Windows PowerShell and enables you to deploy and configure a server based on a template or baseline. Using DSC you can automate the configuration of several kinds of setting, including:
■ Server roles and features
■ Registry settings
■ Files and directories
■ Processes and services
■ Groups and user accounts
■ Environment variables
■ PowerShell scripts

In addition to performing the initial configuration, you can also use DSC to identify servers that no longer conform to the desired state.
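The following added example (not from the book) puts the setting categories above into one DSC configuration that enforces a small hardening baseline, pushes it to a node, and then checks for drift. It uses only the in-box PSDesiredStateConfiguration resources; the Script resource at the end uses the GetScript/TestScript/SetScript syntax described in the next subsection. The node name SRV01, the output path, and the specific settings chosen are hypothetical.

```powershell
# Added example (not from the book): a DSC configuration that enforces a small
# hardening baseline, then detects drift. Assumptions (hypothetical): the node
# is SRV01 and only in-box PSDesiredStateConfiguration resources are used.

Configuration ServerBaseline {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Server roles and features: remove the PowerShell 2.0 engine, which
        # lets a caller sidestep script block logging and AMSI.
        WindowsFeature RemovePowerShellV2 {
            Name   = 'PowerShell-V2'
            Ensure = 'Absent'
        }

        # Registry settings: turn off LLMNR name resolution (a common
        # credential-relay vector) through its policy value.
        Registry DisableLlmnr {
            Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
            ValueName = 'EnableMulticast'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Processes and services: remote management must stay available.
        Service WinRM {
            Name        = 'WinRM'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Files and directories: create the operations folder if it is missing.
        File OpsScripts {
            DestinationPath = 'C:\Ops\Scripts'
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        # Groups and user accounts: anything without a native resource goes in
        # a Script resource. GetScript must return a hashtable whose Result is
        # a string; TestScript returns $true when no change is needed.
        Script GuestAccountDisabled {
            GetScript  = { @{ Result = (Get-LocalUser -Name 'Guest').Enabled.ToString() } }
            TestScript = { -not (Get-LocalUser -Name 'Guest').Enabled }
            SetScript  = { Disable-LocalUser -Name 'Guest' }
            DependsOn  = '[Service]WinRM'
        }
    }
}

# Compile the configuration to a MOF file (one per node) and push it.
ServerBaseline -NodeName 'SRV01' -OutputPath 'C:\DSC\ServerBaseline'
Start-DscConfiguration -Path 'C:\DSC\ServerBaseline' -ComputerName 'SRV01' -Wait -Verbose

# Later: detect drift. With -Detailed the result lists every resource that is
# no longer in its desired state; re-running Start-DscConfiguration corrects it.
$state = Test-DscConfiguration -CimSession 'SRV01' -Detailed
if (-not $state.InDesiredState) {
    $state.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState
}
```

Note that the compiled MOF is a plain-text file that is copied to the node: never put credentials in a configuration unless you encrypt the MOF with a certificate installed on the target, and treat the output path as sensitive even without credentials because it describes the node's exact configuration.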
DSC has built-in resources that enable you to determine the actual configuration of a server and implement changes if necessary. There are three primary components of DSC:

■ Local Configuration Manager (LCM) The LCM runs on every server (or target node) being managed. The LCM applies the configuration it receives to the target node. It also controls how the node receives and refreshes configurations, including the refresh method (push or pull), how frequently to check for drift, and whether partial configurations are accepted.
■ Resources The building blocks that implement each kind of configuration change. Resources are shipped in PowerShell modules, and can represent a file, a process, a service, a server role, or even a VM.
■ Configuration The script that declares which resources apply to which nodes and with what settings. When a configuration is applied, DSC and the resources perform the changes and ensure that the target node ends up configured as defined.

When building a DSC Script resource, there are a few components of the syntax to be aware of. The resource is composed of:

■ GetScript This block of code returns the current state of the node being tested. It must return a hashtable with a single key, Result, whose value is a string.
■ TestScript This block of code determines whether the node being tested needs to be modified. It returns $true when the node already matches the desired configuration; if it returns $false, the node is remedied by the SetScript block.
■ SetScript This block of code modifies the node to the desired configuration.
■ Credential The credentials that are needed to run the script, if any are required.
■ DependsOn Indicates that another resource must be configured before this script resource runs.

The following is an example of the syntax for a DSC Script resource:

    Script [string] #ResourceName
    {
        GetScript = [string]
        SetScript = [string]
        TestScript = [string]
        [ Credential = [PSCredential] ]
        [ DependsOn = [string[]] ]
    }

NEED MORE REVIEW?
LEARNING MORE ABOUT DSC For more information and a demonstration of DSC, visit https://mva.microsoft.com/en-US/training-courses/getting-started-with-powershell-desired-state-configuration-dsc--8672.

Perform upgrades and migrations of servers and core workloads from Windows Server 2008 and Windows Server 2012 to Windows Server 2016

Performing an OS upgrade to Windows Server 2016 is not too different from upgrading previous versions of Windows Server. A new feature for upgrading failover clusters is the Cluster OS Rolling Upgrade, which is discussed in detail in Chapter 5. Table 1-2 shows the supported upgrade paths to Windows Server 2016.

TABLE 1-2 Supported upgrade paths

Original operating system and edition                                       Upgrade edition
Windows Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise        Windows Server 2016 Standard or Windows Server 2016 Datacenter
Windows Server 2008 R2 Datacenter                                           Windows Server 2016 Datacenter
Windows Web Server 2008 R2                                                  Windows Server 2016 Standard
Windows Server 2008 R2 Datacenter with SP1                                  Windows Server 2016 Datacenter
Windows Server 2008 R2 Enterprise with SP1                                  Windows Server 2016 Standard or Windows Server 2016 Datacenter
Windows Server 2008 R2 Standard with SP1                                    Windows Server 2016 Standard or Windows Server 2016 Datacenter
Windows Web Server 2008 R2 with SP1                                         Windows Server 2016 Standard
Windows Server 2012 Datacenter or Windows Server 2012 R2 Datacenter         Windows Server 2016 Datacenter
Windows Server 2012 Standard or Windows Server 2012 R2 Standard             Windows Server 2016 Standard or Windows Server 2016 Datacenter

In addition to in-place upgrades, you can also use the Server Migration Tools feature in Windows Server 2016 to move roles and settings to a new server, which is the only option if you need to move away from a 32-bit operating system.
The operating systems that you can migrate from are:
■ Windows Server 2003
■ Windows Server 2003 R2
■ Windows Server 2008
■ Windows Server 2008 R2
■ Windows Server 2012
■ Windows Server 2012 R2

Determine the appropriate activation model for server installation, such as Automatic Virtual Machine Activation, Key Management Service, and Active Directory-based Activation

As the name of the skill implies, there are three alternative methods of Windows activation besides simply activating each server individually. They are as follows:
■ Automatic Virtual Machine Activation (AVMA)
■ Key Management Service (KMS)
■ Active Directory-based Activation

Automatic Virtual Machine Activation

AVMA was added with Windows Server 2012 R2, and enables you to activate a virtual machine (VM) through the underlying virtualization host. This provides a method of activation even if the VM has no network connectivity to Microsoft or to a KMS host. AVMA binds the activation process to the virtualization host, providing real-time reporting and tracking of the license state for each virtual machine. The reporting and tracking data can be read from the virtualization host.

EXAM TIP To use AVMA, the virtualization host must be running the Datacenter edition of Windows Server 2016, and it must itself be activated. The virtual machines can be running any of several editions of Windows Server 2012 R2 or Windows Server 2016.

By using AVMA, there are no additional product keys or licenses to keep track of. The VM is activated, and remains so regardless of VM migration across hosts or regions. Service providers who build multi-tenant environments do not have to share product keys with tenants, or even access the tenant’s virtual machine to activate it. The activation process is transparent to the VM and does not require any input from within the VM.
To use AVMA, you install the AVMA key for the guest edition inside the virtual machine by using the slmgr tool with the /ipk switch, for example: slmgr /ipk <AVMA key>. The AVMA keys are generic keys that Microsoft publishes per guest edition; the host itself needs no extra key beyond its own Datacenter activation. The guest reaches the host through Hyper-V's Data Exchange (KVP) integration service, so that integration service must remain enabled on the VM. An AVMA activation is valid for seven days; as the period nears expiration, the VM communicates with the virtualization host again to re-activate and reset the period. To determine whether a VM has been activated by AVMA, or to see the latest status, run the slmgr.vbs /dlv command. Figure 1-4 shows the results of the command.

FIGURE 1-4 AVMA results

Note that in Figure 1-4, the description field includes the string VIRTUAL_MACHINE_ACTIVATION. This indicates that the virtual machine is activated using AVMA. If you automate the installation of guest VMs, you can also specify the AVMA key in the guest's Unattended Setup file.

Once configured, the registry on the virtualization host provides the following tracking and reporting information for each guest operating system:
■ Fully qualified domain name
■ Operating system and service packs installed
■ Processor architecture
■ IPv4 and IPv6 network addresses
■ RDP addresses

Key Management Service

To use Key Management Service (KMS) to activate servers on the network, you must first have a server that is running the Volume Activation Services server role. During the server role installation, you can specify whether you want to use KMS or Active Directory-based Activation. When you select KMS, you are prompted to enter the KMS host key, which activates the Microsoft products that contact the server for activation. After installing and configuring the server role, verify that the KMS clients, which can be servers or client computers, are actually activating against it.

NOTE KMS THRESHOLDS A KMS host does not begin answering activation requests until a minimum number of distinct clients have contacted it: 25 for Windows client operating systems, or 5 for Windows Server. A small lab with fewer machines therefore never activates through KMS, which is one reason to prefer Active Directory-based Activation there.
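Whichever of AVMA or KMS a server uses, the activation state and channel that slmgr.vbs /dlv prints are also exposed through the SoftwareLicensingProduct and SoftwareLicensingService CIM classes. The following added example (not from the book) reads them from several servers at once so that an AVMA guest, a KMS client, or an unlicensed machine can be picked out without reading slmgr output by hand. The computer names HV01 and VM01 are hypothetical; the LicenseStatus codes are the documented values for the class.

```powershell
# Added example (not from the book): report activation state and channel for
# one or more servers over CIM. Assumption (hypothetical): the names passed in
# are reachable over WinRM.

function Get-ActivationState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # LicenseStatus values documented for the SoftwareLicensingProduct class.
    $statusText = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
        4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
    }
    # ApplicationID of the Windows operating system product entry.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

    foreach ($name in $ComputerName) {
        # Only the entry that actually has a key installed is the live one.
        $product = Get-CimInstance -ComputerName $name -ClassName SoftwareLicensingProduct `
            -Filter "PartialProductKey IS NOT NULL AND ApplicationID = '$windowsAppId'"
        $service = Get-CimInstance -ComputerName $name -ClassName SoftwareLicensingService

        # The channel is carried in Description exactly as slmgr /dlv prints it.
        $channel = switch -Regex ($product.Description) {
            'VIRTUAL_MACHINE_ACTIVATION' { 'AVMA'; break }
            'VOLUME_KMSCLIENT'           { 'KMS or AD-based client'; break }
            'VOLUME_KMS'                 { 'KMS host'; break }
            'RETAIL|OEM'                 { 'Retail/OEM'; break }
            default                      { 'Unknown' }
        }

        [pscustomobject]@{
            ComputerName  = $name
            Edition       = $product.Name
            Channel       = $channel
            Status        = $statusText[[int]$product.LicenseStatus]
            GraceDaysLeft = [math]::Round($product.GracePeriodRemaining / 1440, 1)  # property is in minutes
            KmsHost       = $service.KeyManagementServiceMachine                    # empty unless KMS is in use
            PartialKey    = $product.PartialProductKey
        }
    }
}

Get-ActivationState -ComputerName 'HV01', 'VM01' | Format-Table -AutoSize
```

Run this from a scheduled job and alert on anything whose Status is not Licensed, or whose GraceDaysLeft is shrinking toward zero: an AVMA guest that stops renewing usually means its Data Exchange integration service was disabled or the host lost its own activation.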
Similar to AVMA, you can use the slmgr.vbs script to install the KMS client setup key (the generic volume license key that Microsoft publishes for each edition) on the clients, for example: slmgr.vbs /ipk <KMS client key>. After installing the key on the client, you can force an activation attempt by running the slmgr.vbs /ato command. KMS provides an easy method for virtual and physical machines on a network to activate through a central location. A KMS host is especially useful if you plan to activate computers that are not members of the same domain or forest as the KMS host.

Active Directory-based activation

With AD-based activation, an activation object is created and stored in Active Directory (the forest schema must be at the Windows Server 2012 level or later). Then, when any non-activated server or computer that has a KMS client setup key installed joins the domain, it finds the activation object and is activated automatically. As long as the device remains a member of the domain, it remains activated. There are three basic steps to using AD-based activation:
1. Install the Volume Activation Services server role.
2. Add a KMS host key to the server and choose Active Directory-based Activation.
3. Use a KMS client setup key on the target computers and ensure that they activate.

AD-based activation is extremely useful if all of the computers that you plan to activate are also members of the domain. There is no need for both AD-based activation and KMS hosts in this scenario, and no activation threshold applies. Figure 1-5 shows the activation scenarios when using either Key Management Service or AD-based activation.

FIGURE 1-5 Activation scenarios

Skill 1.2: Install and configure Nano Server

Nano Server is a new installation option of Windows Server that is designed to be lightweight while providing a subset of the services of a full installation. In this section, we discuss the requirements and scenarios in which you can use Nano Server. We also discuss how to install Nano Server, as well as the supported roles and features for Nano Server. Then we explain how to manage and configure a Nano Server installation.
This section covers how to:
■ Determine appropriate usage scenarios and requirements for Nano Server
■ Install Nano Server
■ Implement roles and features on Nano Server
■ Manage and configure Nano Server

Determine appropriate usage scenarios and requirements for Nano Server

Nano Server is a new installation option for the Windows Server family. Nano Server can be used in multiple scenarios, including as:
■ Hyper-V hosts
■ Storage hosts for Scale-Out File Servers
■ DNS servers
■ IIS servers
■ Cloud application servers

Nano Server is supported both as a virtual machine and as a physical host. As of this writing, there are no specific hardware requirements for installing Nano Server. The smallest Nano Server configuration is approximately 450 MB with minimal packages and features selected. A VHD with IIS and OEM drivers is more than 500 MB.

Install Nano Server

To install Nano Server, you must first use the Nano Server Image Generator to create the Nano Server image that you use for installation. The image generator is located in the NanoServer folder of the Windows Server 2016 installation media. The steps for creating a Nano Server image are:
1. Copy the NanoServer folder from the installation media to your computer.
2. Using PowerShell, change directory to the copied folder and import the NanoServerImageGenerator module.
3. Run the New-NanoServerImage cmdlet to create the installation file.

Importing the PowerShell module is a relatively simple task, but can be troublesome if you rely on tab completion: ensure that you remove the trailing backslash that tab completion appends to the module folder name. Figure 1-6 shows the image generator PowerShell module being imported successfully.

FIGURE 1-6 Importing the Nano Server Image Generator

The New-NanoServerImage cmdlet has several parameters that are set when it runs.
For example:
■ Edition Specifies the edition type of the installation, and can be either Standard or Datacenter.
■ DeploymentType Specifies whether Nano Server runs as a virtual machine guest or as a physical host. The accepted values are Guest or Host.
■ MediaPath Specifies the location of the installation media for Windows Server 2016. This can be a mounted ISO or a copied folder.
■ BasePath The directory to which the packages and Windows image are copied.
■ TargetPath The path, filename, and extension where the Nano Server VHD, VHDX, or WIM file is created.
■ ComputerName The hostname of the Nano Server after installation has completed.

For example, to create a Standard Nano Server virtual machine image named NanoSvr1 in the current folder, run the following command:

    New-NanoServerImage -Edition Standard -DeploymentType Guest -MediaPath D:\ -BasePath .\ -TargetPath .\NanoSvr1\NanoSvr.vhdx -ComputerName NanoSvr1

You can optionally include the AdministratorPassword parameter in the command. The parameter takes a SecureString, so build it with Read-Host -AsSecureString rather than converting a literal password that would then sit in plain text in your script or command history. Omitting the parameter causes PowerShell to prompt you for the Administrator account password. Figure 1-7 shows the command running successfully with the password supplied separately.

FIGURE 1-7 New-NanoServerImage

Once you have created the image type that you want to use, you can attach that image to a VM through Hyper-V, or install it on a physical server. For physical servers, it is recommended that you also include the OEMDrivers parameter. After the Nano Server image has been generated, deploying it is no different from deploying any other VM or installation.

Implement roles and features on Nano Server

The roles and features for Nano Server can be specified during image creation so that the corresponding packages are included in the image. Any package that is built into the base server image can be included with Nano Server.
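The following added example (not from the book) extends the New-NanoServerImage command above to build a DNS server image with Windows Defender and a static address, and then shows the two later steps covered in the rest of this skill: adding a package to the image with the NanoServerPackage provider, and connecting to the booted server over WinRM. The paths, the name NANODNS1, the addresses, and the credential prompt are hypothetical; the offline installation step assumes the provider's -ToVhd parameter as documented for that provider.

```powershell
# Added example (not from the book): build a Nano Server DNS image, add a
# package offline, then manage the running server over WinRM.
# Assumptions (hypothetical): media mounted at D:\, the NanoServer folder
# copied to C:\Nano, computer name NANODNS1, address 10.0.0.25/24.

Import-Module 'C:\Nano\NanoServerImageGenerator\NanoServerImageGenerator.psd1'

# AdministratorPassword is a SecureString: prompt rather than embed a literal.
$adminPwd = Read-Host -Prompt 'Administrator password' -AsSecureString

New-NanoServerImage -Edition Standard -DeploymentType Guest `
    -MediaPath 'D:\' -BasePath 'C:\Nano\Base' `
    -TargetPath 'C:\Nano\NANODNS1.vhdx' -ComputerName 'NANODNS1' `
    -AdministratorPassword $adminPwd `
    -Defender `
    -Package 'Microsoft-NanoServer-DNS-Package' `
    -InterfaceNameOrIndex 'Ethernet' -Ipv4Address '10.0.0.25' `
    -Ipv4SubnetMask '255.255.255.0' -Ipv4Gateway '10.0.0.1' -Ipv4Dns '10.0.0.10'

# Add another role later without rebuilding: fetch the provider once, then
# install into the offline VHDX. -Culture must match the image language.
Install-PackageProvider -Name NanoServerPackage -Force
Import-PackageProvider  -Name NanoServerPackage
Find-NanoServerPackage -Name 'Microsoft-NanoServer-DSC-Package' | Format-Table Name, Version
Install-NanoServerPackage -Name 'Microsoft-NanoServer-DSC-Package' -Culture 'en-us' `
    -ToVhd 'C:\Nano\NANODNS1.vhdx'

# Manage the booted server over WinRM. A Nano Server that is not domain-joined
# is not a Kerberos principal, so the client must trust it explicitly; list
# just this address rather than '*', which would let any host impersonate it.
Set-Item -Path 'WSMan:\localhost\Client\TrustedHosts' -Value '10.0.0.25' -Concatenate -Force
$cred = Get-Credential -UserName '10.0.0.25\Administrator' -Message 'Nano Server credential'

Invoke-Command -ComputerName '10.0.0.25' -Credential $cred -ScriptBlock {
    # The DNS package only stages the role; the feature still has to be enabled.
    Enable-WindowsOptionalFeature -Online -FeatureName 'DNS-Server-Full-Role'
    Get-Service -Name 'DNS' | Select-Object Name, Status
    # Confirm Defender is present and its engine is running.
    Get-Service -Name 'WinDefend' | Select-Object Name, Status
}
```

Because Nano Server has no local shell, everything after first boot goes through WinRM or the Recovery Console; keep the TrustedHosts list minimal and prefer domain-joining the server (or using HTTPS listeners with a certificate) so that the client can authenticate the server rather than only the other way round.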
To include one, specify its switch parameter when you create the image. Some of the parameters that can be specified include:
■ Storage Includes the File Server role and other storage components.
■ Compute Includes the Hyper-V server role.
■ Defender Includes Windows Defender, with a default signature file.
■ Clustering Includes the Failover Clustering server role.

After a Nano Server has been installed, you can manage its server roles and features by using the NanoServerPackage PackageManagement provider. To install the provider, run the Install-PackageProvider NanoServerPackage command. You can then import the provider by running the Import-PackageProvider NanoServerPackage command.

After you have the package provider installed, you can use the following PowerShell cmdlets to find and add packages to Nano Server:
■ Find-NanoServerPackage
■ Save-NanoServerPackage
■ Install-NanoServerPackage

The Install-NanoServerPackage cmdlet can be used to install packages regardless of whether the Nano Server installation is online or offline. Table 1-3 describes the roles and features that can be installed with Nano Server.
TABLE 1-3 Nano Server roles and features

Server role or feature                                                                  Option to install
Hyper-V role                                                                            Compute
Failover Clustering                                                                     Clustering
Drivers for a variety of network adapters and storage controllers (the same set of drivers included in a Server Core installation of Windows Server 2016)   OEMDrivers
File Server role and other storage components                                           Storage
Windows Defender, including a default signature file                                    Defender
DNS Server role                                                                         Package Microsoft-NanoServer-DNS-Package
Desired State Configuration                                                             Package Microsoft-NanoServer-DSC-Package
IIS                                                                                     Package Microsoft-NanoServer-IIS-Package
Host support for Windows Containers                                                     Containers
System Center Virtual Machine Manager agent                                             Package Microsoft-Windows-Server-SCVMM-Package and Package Microsoft-Windows-Server-SCVMM-Compute-Package
Network Performance Diagnostics Service (NPDS)                                          Package Microsoft-NanoServer-NPDS-Package
Data Center Bridging                                                                    Package Microsoft-NanoServer-DCB-Package
Deploy on a virtual machine                                                             Package Microsoft-NanoServer-Guest-Package
Deploy on a physical host                                                               Package Microsoft-NanoServer-Host-Package
Boot and run from a RAM disk                                                            Separate boot-from-WIM package (see the Nano Server documentation linked below)
Secure Startup                                                                          Package Microsoft-NanoServer-SecureStartup-Package
Shielded Virtual Machine                                                                Package Microsoft-NanoServer-ShieldedVM-Package

NEED MORE REVIEW? NANO SERVER PARAMETERS For more information on Nano Server and all of the installation parameters, visit https://aka.ms/nanoserver.

Manage and configure Nano Server

After installing and signing in to Nano Server, there are limited options for configuring the server directly from the console. The information available from the console includes:
■ Computer name
■ Workgroup or domain
■ Operating system version
■ Local date, time, and time zone
■ Network configuration

Figure 1-8 displays the local console of a Nano Server installation.
FIGURE 1-8 Nano Server Recovery Console

The basic networking information for the Nano Server machine can be configured through the Networking screen of the Recovery Console. You select the desired network adapter on that screen and then configure its settings. Both IPv4 and IPv6 can be configured from the Recovery Console. Figure 1-9 displays the networking configuration of a Nano Server through the Recovery Console.

FIGURE 1-9 Nano Server Network Adapter Settings

The firewall settings must allow remote management. The remote management firewall rules can be found in the Inbound Firewall Rules screen of the Recovery Console. For additional security, you can also configure outbound firewall rules. The WinRM screen of the Recovery Console enables you to reset the firewall and remote management settings of the server back to their defaults. This is useful if you can no longer access the server remotely but are not aware of any network change that might be preventing you from connecting.

Skill 1.3: Create, manage, and maintain images for deployment

You can use images to standardize deployments across physical or virtual machines. In this section, we discuss planning for Windows Server virtualization, as well as best practices for Linux and FreeBSD VM deployments. We also explain how to use the Microsoft Assessment and Planning Toolkit to assess an existing environment for upgrading or migrating to Windows Server 2016. Then we explore other considerations for virtualization, including using and updating deployment images. Finally, we explain how to maintain VHDs for Windows Server Core and Nano Server by using Windows PowerShell.
This section covers how to:
■ Plan for Windows Server virtualization
■ Plan for Linux and FreeBSD deployments
■ Assess virtualization workloads using the Microsoft Assessment and Planning Toolkit and determine considerations for deploying workloads into virtualized environments
■ Update images with patches, hotfixes, and drivers, and install roles and features in offline images
■ Manage and maintain Windows Server Core, Nano Server images, and VHDs using Windows PowerShell

Plan for Windows Server virtualization

When planning virtualization for Windows Server, there are a few steps that you need to be aware of. Figure 1-10 illustrates nine high-level steps for planning server virtualization.

FIGURE 1-10 Planning for server virtualization

■ Determine the scope Determine what part of the infrastructure will be virtualized.
■ Create workload list Identify the resources that are needed based on the workload.
■ Plan backup and fault tolerance Select the approach that will be used to back up the virtualized environment after deployment.
■ Analyze workload requirements Identify the requirements for the virtualization solution.
■ Design host hardware Identify the hardware requirements for the underlying hosts.
■ Map workload to hosts Determine how workloads are placed on each of the virtualization hosts.
■ Design backup and fault tolerance Determine the most appropriate approach for performing the backup chosen in the previous planning step.
■ Design storage infrastructure Design the storage back end for the virtualized environment.
■ Design network infrastructure Design the network connectivity for the virtualized environment.

NEED MORE REVIEW? WINDOWS SERVER 2016 VIRTUALIZATION For a deep dive on virtualization with Windows Server 2016, visit https://mva.microsoft.com/en-us/training-courses/windows-server-2016-virtualization-deep-dive-14094.
Plan for Linux and FreeBSD deployments

Linux and FreeBSD operating systems have been supported on Hyper-V platforms since Windows Server 2008 R2. The currently supported operating system list includes:
■ CentOS
■ Red Hat Enterprise Linux
■ Debian
■ Oracle Linux
■ SUSE
■ Ubuntu
■ FreeBSD

When using FreeBSD on Hyper-V, there are a few best practices to be aware of to optimize functionality and performance, including:
■ Enable Common Address Redundancy Protocol (CARP) When using FreeBSD 10.2, CARP enables multiple hosts on a network to share the same IP address and Virtual Host ID for high availability. If a host or VM fails, another active VM can transparently take over the services that were being provided.
■ Add UUIDs For all devices that are listed in fstab, ensure that the appropriate UUIDs are configured. When Hyper-V storage integration services are installed on a VM, some device names might change, and an fstab entry that refers to the device name will no longer be valid.
■ Disable Fast IDE drivers The Fast IDE driver conflicts with the Hyper-V IDE driver, and can result in the virtual CD-ROM being unavailable. Disabling Fast IDE enables the use of the virtual CD-ROM.
■ Create GEOM labels When using FreeBSD 8.x, device nodes are created in the order devices are discovered during startup. Device names can change from one boot to the next, which might result in disk mount errors. By creating permanent GEOM labels for each IDE partition, you avoid mounting errors.

There are also best practices for using Linux on Hyper-V, including:
■ Tune file systems Some Linux file systems consume additional disk space even when the file system is mostly empty. You can reduce the extra space consumption by creating the virtual disk with a 1 MB block size and formatting it as ext4.
■ Extend the boot timeout Using the GRUB boot menu on a Generation 2 virtual machine might cause the countdown timer to end quickly.
The default timeout value is set to 5, but is recommended to be set to 100000 for Generation 2 virtual machines.
■ PXE Boot Generation 2 VMs do not have a PIT timer, and network connections to a PXE TFTP server can be terminated early, preventing the network bootloader from starting. A legacy grub bootloader can be specified to mitigate the timeout issue.
■ Static MAC addresses Linux virtual machines that are being used in a failover cluster should have static MAC addresses defined. In some versions of Linux, the network configuration details can be lost after a failover. To ensure that all services perform as expected, define a static MAC address.
■ Network adapters It is recommended that you use the Hyper-V specific network adapters, and not a legacy network adapter. Legacy network adapters might display random values for parameters in ifconfig.
■ I/O Scheduler For optimized disk I/O performance, use the NOOP I/O scheduler for Linux VMs. This can be changed in the bootloader configuration parameters.
■ NUMA For Linux VMs that have more than 7 virtual processors or 30 GB of RAM, it is recommended that you disable NUMA in the bootloader configuration.

Assess virtualization workloads using the Microsoft Assessment and Planning Toolkit, determine considerations for deploying workloads into virtualized environments

One tool that is available to assess and plan for a migration, whether it is physical or virtual, is the Microsoft Assessment and Planning (MAP) Toolkit. MAP is classified as a solution accelerator that takes an inventory of your organization’s existing infrastructure. Based on the discovered information, MAP provides an assessment and report that you can use for upgrades, migrations, and virtualization workloads.
MAP is available for several Microsoft products:
■ Windows Server 2016
■ Windows Server 2012 R2
■ Windows 10
■ Windows 8.1
■ SQL Server 2014
■ Hyper-V

Some of the general tasks that you can use MAP to perform include:
■ Inventory Discover devices on the network and generate a detailed report of the servers that can run Windows Server 2016.
■ Reporting Generate a report or proposal using the Windows Server 2016 Readiness Assessment. The proposal generates an Executive Overview, Assessment Rules, Next Steps, and a summary of overall readiness for Windows Server 2016.
■ Performance metrics Use MAP to capture the performance of the current infrastructure to ensure that the workloads are acceptable for Windows Server 2016.
■ Utilization Estimate server utilization before and after virtualization of workloads. You can also determine which physical hosts are specifically suited to become a VM.

Figure 1-11 shows the MAP Toolkit on the server virtualization overview screen.

FIGURE 1-11 MAP Toolkit

NEED MORE REVIEW? FINDING MORE ON MAP
For more information on MAP, visit https://technet.microsoft.com/en-us/solutionaccelerators/dd537566.

Manage and maintain Windows Server Core, Nano Server images, and VHDs using Windows PowerShell, update images with patches, hotfixes, and drivers and install roles and features in offline images

For the purposes of this reference book, we combine the topics of managing, updating, and maintaining images and including roles and features for offline images. The process of using the Deployment Image Servicing and Management (DISM) platform to manage online and offline images has not significantly changed with Windows Server 2016. DISM is available both as a command-line utility and as a PowerShell module. The PowerShell module is built in to Windows Server, while the command-line utility is a part of the Windows Assessment and Deployment Kit (Windows ADK).

NEED MORE REVIEW? WINDOWS POWERSHELL AND DISM
For more information on using DISM with Windows PowerShell, visit https://technet.microsoft.com/en-us/library/dn376474.aspx.

Chapter summary

One of the main features of Windows Server 2016 is the ability to deploy a server without a GUI, as Nano Server. Nano Server provides most of the core server roles and features that a full graphical installation offers, with a much smaller footprint and less attack surface. In this chapter, we discussed:
■ Available editions for Windows Server 2016, which include Standard, Datacenter, and Nano Server
■ Installation options for Windows Server 2016, including the default Server Core or with the Desktop Experience
■ Server Core installation and remote management options
■ The three primary activation models, including AVMA, KMS, and AD-based activation
■ How to generate and use a Nano Server image
■ Adding server roles and features to a Nano Server image
■ Using DISM to maintain online and offline images

Thought Experiment

You are a consultant for a small healthcare provider, which has two offices and about 75 employees. You plan to deploy two new servers to support the following roles:
■ Active Directory Domain Services (AD DS)
■ DNS
■ DHCP
■ Internet Information Services (IIS)
You need to minimize the amount of resources that the servers consume. Which version, edition, and activation method of Windows Server 2016 would you choose?

Thought Experiment Answer

Based on the scenario that is provided, we can deploy one server with a GUI that has the management tools installed, as well as the graphical server roles that are necessary. For the second server, you can use Nano Server to minimize the number of server resources that are needed.
Any service or application that the customer has that cannot run on the Nano Server could be installed on the full installation. There is no additional information in the scenario that would require using the Datacenter edition of Windows Server 2016. However, based on the number of employees, KMS or AD-based activation could be a valid activation type for the server, as well as any future deployment plans. The scenario does not say that the customer is running Hyper-V, so AVMA is not an option. The deciding factor would be if the customer needs to activate computers that are not members of the domain. If so, they should use KMS over AD-based activation.

CHAPTER 2
Implement storage solutions

Storage solutions are a primary aspect of using Windows Server in a production environment. In this chapter, we explain some basic storage options and how to implement these storage options in Windows Server 2016. Then we cover data deduplication, which is a feature of Windows Server that enables you to oversubscribe the capacity of a given storage device by not writing duplicated data.

Skills in this chapter:
■ Implement server storage
■ Implement data deduplication

Skill 2.1: Implement server storage

Windows Server 2016 offers editions and installation options similar to Windows Server 2008 and 2012. In this section, we explain the installation requirements for the base installation of Windows Server, as well as outline the differences between the editions. We cover the differences in installation process, server roles, and features compared to previous versions of Windows Server.
This section covers how to:
■ Configure storage pools
■ Implement simple, mirror, and parity storage layout options for disks or enclosures
■ Expand storage pools
■ Configure Tiered Storage
■ Configure iSCSI target and initiator
■ Configure iSNS
■ Configure Datacenter Bridging
■ Configure Multi-Path IO
■ Determine usage scenarios for Storage Replica
■ Implement Storage Replica for server-to-server, cluster-to-cluster, and stretch cluster scenarios

Configure storage pools

Storage pools enable you to group physical disks together for a more efficient use of capacity and, in some cases, to increase performance. You can create a storage pool with either Server Manager or Windows PowerShell. The steps through Server Manager are fairly simple:
1. From Server Manager, navigate to File and Storage Services, and then click Storage Pools.
2. Click Tasks, and then click New Storage Pool.
3. Click Next to bypass the Before You Begin page.
4. On the Storage Pool Name page, shown in Figure 2-1, enter a name for the pool. Ensure that the group of disks that are available to the server are selected.

FIGURE 2-1 New Storage Pool Wizard, Storage Pool Name

5. On the Physical Disk page, select the individual disks that make up the pool. Figure 2-2 shows three disks available. Select what you need to allocate to the pool, and then click Next.

FIGURE 2-2 New Storage Pool Wizard, Physical Disks

6. After selecting the disks, you’ll be prompted to review the information on the Confirmation page. Click Create to confirm the details of the storage pool. The summary is shown in Figure 2-3.

FIGURE 2-3 New Storage Pool Wizard, Confirmation

Using PowerShell to create the storage pool is slightly more complicated, only because you need to identify the physical disks that are available for the pool.
First, to identify those disks, run the following command:

Get-PhysicalDisk -CanPool $True

This returns the disks that are available to pool. To make the disks easier to pass to the New-StoragePool cmdlet, assign them to a variable. Then you can create a pool by using the following commands:

$Disks = Get-PhysicalDisk -CanPool $True
New-StoragePool -FriendlyName "Pool1" -StorageSubSystemFriendlyName "SubSystemName" -PhysicalDisks $Disks

The results of the commands are shown in Figure 2-4.

FIGURE 2-4 Creating a storage pool with PowerShell

Implement simple, mirror, and parity storage layout options for disks or enclosures

After a storage pool has been configured, you need to create a virtual disk that uses the pool. Virtual disks enable you to create resilient storage by using the disks in the storage pool. There are three types of resiliency layouts:
■ Simple Data is striped across the physical disks, enabling you to maximize capacity and throughput. However, a single disk failure causes the pool to be unavailable.
■ Mirror Data is striped across physical disks, creating two or three copies of the same data. This increases the reliability of the data, ensuring that you can withstand a single (or multiple) disk failure without losing access to the data or the pool. However, storage capacity is diminished because the additional physical drives are being used for redundancy instead of capacity.
  ■ To protect against a single disk failure, use at least two physical disks in the pool.
  ■ To protect against two disk failures, use at least five disks in the pool.
■ Parity Data and a parity bit are striped across the physical disks, increasing both reliability and storage capacity. Storage capacity is not maximized because of the parity data that must also be written, but the layout protects against disk failures.
  ■ To protect against a single disk failure, use at least three disks.
  ■ To protect against two disk failures, use at least seven disks.
Figure 2-5 shows selecting the storage layout from the New Virtual Disk Wizard.

FIGURE 2-5 New Virtual Disk Wizard, Storage Layout

The virtual disk also enables you to select the provisioning type:
■ Thin Volumes on the virtual disk only use space as data is written, up to the maximum size of the volume.
■ Fixed The volume allocates space from the storage pool immediately, regardless of any actual data written. This ensures that you do not oversubscribe capacity from the pool.

Creating a virtual disk using PowerShell is also straightforward. The New-VirtualDisk cmdlet is used to create the virtual disk. For example, to create a 50 GB thinly-provisioned disk named vDisk2 that uses parity, run the following command:

New-VirtualDisk -StoragePoolFriendlyName Pool1 -FriendlyName vDisk2 -ResiliencySettingName Parity -Size 50GB -ProvisioningType Thin

An alternate step to creating a virtual disk is to create a volume. In addition to the settings that you can configure for a virtual disk, a volume is what is actually presented to the server and used by the operating system, accessed by a drive letter. To create a volume in the GUI, use the New Volume Wizard from within Server Manager. You will be asked to specify the following information during the wizard:
■ Virtual disk This is the virtual disk that was previously created.
■ Volume size This can vary in size, up to the maximum size of the virtual disk. If you presented 50 GB to the virtual disk, you could create two 25 GB volumes.
■ Drive letter or folder You can assign a drive letter to the volume. Alternatively, you can mount the volume to a specific folder. For instance, the volume could be mounted in a specific user directory to give users dedicated storage space.
■ File System settings These are the typical settings when creating a volume from a physical disk: the file system type, either the Resilient File System (ReFS) or NTFS.
You can also configure the allocation unit size and the volume label at the same time. To create a volume using similar settings to the virtual disk earlier, run the following command:

New-Volume -StoragePoolFriendlyName Pool1 -Size 25GB -AccessPath F: -FriendlyName Volume1 -ResiliencySettingName Parity -FileSystem NTFS -ProvisioningType Thin

In addition to using physical disks, you can also use external storage enclosures with a storage pool. When creating a virtual disk, you can enable enclosure awareness, which increases redundancy depending on the number of enclosures and the resiliency level that you select. This allows you to lose an entire enclosure without losing access to the storage pool. Table 2-1 shows the supported resiliency levels with enclosure awareness.

TABLE 2-1 Enclosure awareness resiliency

Resiliency type    Three enclosures                    Four enclosures
Simple             Not supported                       Not supported
Two-way mirror     1 enclosure or 1 disk per pool      1 enclosure or 1 disk per pool
Three-way mirror   1 enclosure and 1 disk, or 2 disks  1 enclosure and 1 disk, or 2 disks
Single parity      Not supported                       Not supported
Dual parity        Not supported                       1 enclosure and 1 disk, or 2 disks

NEED MORE REVIEW? WINDOWS SERVER STORAGE POOLS
For more information on storage pools with Windows Server, visit https://technet.microsoft.com/en-us/library/hh831739(v=ws.11).aspx.

Expand storage pools

Expanding a storage pool with additional physical disks is a simple task. From Server Manager, select the storage pool that you intend to expand, right-click and select Add Physical Disk. Figure 2-6 depicts selecting the physical disk that you want to add to the storage pool. Simply place a checkmark next to the disk, and then click OK.

FIGURE 2-6 Add Physical Disk

Similar to creating a storage pool, adding a disk by using PowerShell requires you to first identify the disk to add.
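The pool, virtual disk and volume steps above can be chained into one script that checks its inputs before touching storage. The following is an added example, not code from the book: it refuses to build a layout the pool cannot actually protect, picks the storage subsystem dynamically instead of hard-coding its friendly name, and finishes by reporting the health of the new virtual disk. The names Pool1, vDiskMirror, Volume1 and the drive letter F: are placeholders.

```powershell
# Added example (not from the book): storage pool -> resilient virtual disk -> NTFS volume,
# validating each step. Pool1, vDiskMirror, Volume1 and F: are placeholder names.
#Requires -RunAsAdministrator

$PoolName   = 'Pool1'
$DiskName   = 'vDiskMirror'
$VolumeName = 'Volume1'
$Layout     = 'Mirror'     # Simple | Mirror | Parity

# Minimum physical disks per layout for the single-disk-failure case described in the text.
$MinDisks = @{ Simple = 1; Mirror = 2; Parity = 3 }

$Disks = @(Get-PhysicalDisk -CanPool $True)
if ($Disks.Count -lt $MinDisks[$Layout]) {
    throw "Layout '$Layout' needs at least $($MinDisks[$Layout]) poolable disks; found $($Disks.Count)."
}

# Bind the pool to the first storage subsystem by its unique ID rather than a guessed friendly name.
$SubSystem = Get-StorageSubSystem | Select-Object -First 1
$Pool = New-StoragePool -FriendlyName $PoolName `
    -StorageSubSystemUniqueId $SubSystem.UniqueId `
    -PhysicalDisks $Disks

# Build the virtual disk; NumberOfDataCopies only applies to Mirror
# (2 copies survives one disk failure, 3 copies survives two).
$VdParams = @{
    StoragePoolFriendlyName = $PoolName
    FriendlyName            = $DiskName
    ResiliencySettingName   = $Layout
    Size                    = 50GB
    ProvisioningType        = 'Thin'
}
if ($Layout -eq 'Mirror') { $VdParams.NumberOfDataCopies = 2 }
$VDisk = New-VirtualDisk @VdParams

# Initialize the new disk (GPT) and carve a single NTFS volume from it.
$Disk = $VDisk | Get-Disk
Initialize-Disk -Number $Disk.Number -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $VolumeName -Confirm:$false

# Report health so a degraded or missing disk is visible immediately after creation.
Get-VirtualDisk -FriendlyName $DiskName |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies,
                  ProvisioningType, HealthStatus, OperationalStatus
```

Run it once on a host with unused disks; the final Select-Object should show HealthStatus Healthy and OperationalStatus OK. A Warning or Degraded status right after creation usually means one of the pooled disks is already failing, which is the moment to replace it rather than after data has been placed on the volume.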
To identify and add the available disks to a storage pool, run the following commands:

$Disks = Get-PhysicalDisk -CanPool $True
Add-PhysicalDisk -StoragePoolFriendlyName Pool1 -PhysicalDisks $Disks

Configure tiered storage

Storage tiers can be enabled on a virtual disk if you have both hard disk drives (HDD) and solid-state disks (SSD) in the storage pool. Storage tiering automatically moves the most frequently accessed data to the faster storage type, the SSDs. Data that is not accessed frequently is stored on the spinning HDDs. Configuring storage tiering is a checkbox during virtual disk creation. If you do not have a mixture of drive types, then the checkbox is not available in the wizard. If you are using PowerShell, you can specify the StorageTiers and StorageTierSizes parameters as part of the New-VirtualDisk cmdlet.

EXAM TIP
Storage tiers are not supported with thin provisioning. When using storage tiers, you must specify fixed disk sizes.

Configure iSCSI target and initiator

Configuring an iSCSI target or initiator hasn’t changed much since Windows Server 2012 R2. Configuring an iSCSI target server enables you to network boot computers from a single boot image that has been provided to the network from a central location. You can use iSCSI targets with Windows Server 2016 to boot hundreds of computers from a single operating system image. Installing the iSCSI Target Server role can be performed from both Server Manager and PowerShell. iSCSI Target Server is a part of the File and Storage Services role. Installing the server role also installs the management features that are used to configure it. After installing the role, you can configure iSCSI virtual disks.
1. To create a new iSCSI virtual disk, launch the wizard from Server Manager. The first screen of the wizard configures where to store the virtual disk.
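The expansion and tiering passages above fit naturally into one script: add whatever disks are poolable, confirm the pool now holds both media types, and only then define tiers and a fixed-provisioned tiered disk. This is an added example and not code from the book; Pool1, SSDTier, HDDTier, vDiskTiered and the 20 GB / 180 GB tier sizes are placeholders you would size to your own workload.

```powershell
# Added example (not from the book): expand Pool1 with new disks, then create a tiered,
# fixed-provisioned virtual disk. Pool1, tier names and tier sizes are placeholders.
#Requires -RunAsAdministrator
$PoolName = 'Pool1'

# 1. Expand the pool. Only disks that are not already in a pool are candidates;
#    stop if there are none, rather than silently doing nothing.
$NewDisks = @(Get-PhysicalDisk -CanPool $True)
if ($NewDisks.Count -eq 0) { throw 'No poolable disks found.' }
Add-PhysicalDisk -StoragePoolFriendlyName $PoolName -PhysicalDisks $NewDisks

# 2. Tiering needs both media types in the same pool; the wizard hides the checkbox
#    otherwise, and New-VirtualDisk would fail, so check explicitly here.
$Media = Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
    Group-Object MediaType | Select-Object -ExpandProperty Name
if (($Media -notcontains 'SSD') -or ($Media -notcontains 'HDD')) {
    throw "Pool '$PoolName' needs both SSD and HDD disks for tiering; found: $($Media -join ', ')"
}

# 3. One tier per media type. A tier is a template bound to the pool, not a disk by itself.
$SsdTier = New-StorageTier -StoragePoolFriendlyName $PoolName -FriendlyName 'SSDTier' -MediaType SSD
$HddTier = New-StorageTier -StoragePoolFriendlyName $PoolName -FriendlyName 'HDDTier' -MediaType HDD

# 4. Tiered disks must be fixed-provisioned (the exam tip above). There is no -Size here:
#    the disk size is the sum of the tier sizes.
New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName 'vDiskTiered' `
    -ResiliencySettingName Mirror `
    -StorageTiers @($SsdTier, $HddTier) -StorageTierSizes @(20GB, 180GB) `
    -ProvisioningType Fixed |
    Select-Object FriendlyName, Size, ProvisioningType, HealthStatus
```

The media check in step 2 is the part most often skipped: a pool whose disks all report MediaType Unspecified (common behind some RAID controllers) will never satisfy it, and the fix is to set the media type on those physical disks with Set-PhysicalDisk before tiering, not to drop the check.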
Ensure that the server is selected, select the volume or path of the storage, and then click Next. Figure 2-7 shows the C: volume selected for Adatum-DC1.

FIGURE 2-7 iSCSI virtual disk location

2. On the iSCSI Virtual Disk Size page, enter a size for the virtual disk. You can also configure whether the disk is fixed, dynamically expanding, or differencing. As shown in Figure 2-8, the default disk type is set to Dynamically Expanding. Click Next to continue the wizard.

FIGURE 2-8 iSCSI virtual disk size

3. On the iSCSI Target page, select either an existing target or a new target, and then click Next.
4. On the Target Name And Access page, enter a name for the target and then click Next.
5. On the Access Servers page, click Add to specify the iSCSI initiators that access the new virtual disk. Figure 2-9 shows adding the iSCSI initiator.

FIGURE 2-9 iSCSI virtual disk size

6. On the Enable Authentication page, select whether you want to Enable CHAP or Enable Reverse CHAP for authentication. These are optional protocols to authenticate the initiator connections or the target. Figure 2-10 shows the available options to configure CHAP and Reverse CHAP.

FIGURE 2-10 iSCSI authentication method

7. Click Create to create the virtual disk using the settings that you specified during the wizard.

As with other virtual disks, you can also create an iSCSI virtual disk by using PowerShell with the New-IscsiVirtualDisk cmdlet. For example, to create a 10GB disk, run the following command:

New-IscsiVirtualDisk -Path "C:\temp\test.vhdx" -Size 10GB

Configure iSNS

The Internet Storage Name Service (iSNS) is a protocol, which can be added to a Windows Server installation, and used to communicate between iSNS servers and clients. iSNS clients are computers, or initiators, that search for storage devices, or targets, on a network.
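The wizard steps above (virtual disk, target, access servers, CHAP) map directly onto cmdlets in the IscsiTarget and iSCSI modules. The following is an added example, not code from the book, that scripts both ends of the exchange: the target publishes one virtual disk to exactly one initiator IQN and requires CHAP, then the initiator connects persistently with the same credentials and verifies the session. The target name, VHDX path, initiator IQN, portal address and CHAP user name are placeholders.

```powershell
# Added example (not from the book): publish an iSCSI virtual disk to one named initiator
# with CHAP required, then connect from that initiator. Names, IQNs, addresses and paths
# are placeholders.
#Requires -RunAsAdministrator

# ---- Target server (iSCSI Target Server role installed) ----
$TargetName   = 'SqlData'
$VhdPath      = 'C:\iSCSIVirtualDisks\SqlData.vhdx'
$InitiatorIqn = 'iqn.1991-05.com.microsoft:adatum-sql1.adatum.com'   # placeholder initiator IQN

New-IscsiVirtualDisk -Path $VhdPath -Size 10GB

# Restrict the target to the named initiator; any other initiator will not see the LUN at all.
New-IscsiServerTarget -TargetName $TargetName -InitiatorIds @("IQN:$InitiatorIqn")
Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $VhdPath

# CHAP secrets must be 12 to 16 characters. Prompting keeps the secret out of the script file
# and out of the PowerShell history.
$ChapCred = Get-Credential -UserName 'chapuser' -Message 'CHAP secret (12-16 characters)'
Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $ChapCred

# ---- Initiator (the server whose IQN was listed above) ----
$PortalAddress = '10.0.0.20'   # placeholder target address
Set-Service  -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
New-IscsiTargetPortal -TargetPortalAddress $PortalAddress

# The discovered node address embeds the target name in lower case, e.g. ...:host-sqldata-target
$Target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*$($TargetName.ToLower())*" }
Connect-IscsiTarget -NodeAddress $Target.NodeAddress -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP `
    -ChapUsername $ChapCred.UserName `
    -ChapSecret  $ChapCred.GetNetworkCredential().Password

# Verify: an authenticated, persistent session and a new iSCSI-bus disk.
Get-IscsiSession | Select-Object TargetNodeAddress, IsPersistent, IsConnected
Get-Disk | Where-Object BusType -eq 'iSCSI' | Select-Object Number, Size, OperationalStatus
```

Two points worth noting when adapting this: the initiator ID list and CHAP together decide who can attach the LUN, so leaving InitiatorIds empty or CHAP disabled means any host that can reach port 3260 can mount the disk; and CHAP authenticates the session but does not encrypt it, so the portal should sit on a dedicated storage network or VLAN rather than the general server LAN.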
iSNS provides automated discovery, management, and configuration of iSCSI and Fibre Channel devices on a network. Figure 2-11 shows the iSNS Server properties page.

FIGURE 2-11 iSNS Server Properties

By default, when you create an iSNS Server, there are no iSCSI targets listed even if they have been configured already. To ensure that the configured iSCSI targets also appear in the iSNS Server, the iSNS Server must be added to the iSCSI Initiator properties, as shown in Figure 2-12.

FIGURE 2-12 iSCSI Initiator Properties

In the iSNS properties, you can then see the connected devices, and whether they are an initiator or target. iSNS does not have any specific PowerShell cmdlets, but can be configured from the command line by using the isnscli.exe utility.

Configure Datacenter Bridging

Datacenter Bridging (DCB) enhances the Ethernet connectivity between servers on a network. DCB requires DCB-capable network adapters on servers that are providing DCB, as well as DCB-capable network switches that the servers connect to. DCB can be installed by using the Install-WindowsFeature cmdlet:

Install-WindowsFeature "data-center-bridging"

After installing the DCB feature, you can manage DCB on a server by importing three different PowerShell modules:

Import-Module netqos
Import-Module dcbqos
Import-Module netadapter

NEED MORE REVIEW? DCB CONNECTIVITY
For more information on how DCB enhances connectivity, visit https://technet.microsoft.com/en-us/library/hh849179(v=ws.11).aspx.

Configure Multi-Path IO (MPIO)

MPIO is another feature of Windows Server that can be installed from Server Manager or by using the Install-WindowsFeature cmdlet. There are four components that can be managed after installing MPIO:
■ MPIO Devices These are the devices that are presented to the server and managed by MPIO. In some cases, a device can be presented, but not specifically added to MPIO.
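The text stops at installing DCB and importing its modules; what the modules are then used for is a QoS policy that tags a traffic class, flow control for that class, and a bandwidth reservation. The following is an added example, not code from the book, showing that configuration for SMB traffic using the NetQos and DcbQos cmdlets. The adapter name SMB-NIC1, priority 3 and the 50 percent share are placeholders; the switch ports must be configured to match, because DCB only works when both ends agree.

```powershell
# Added example (not from the book): after Install-WindowsFeature "data-center-bridging",
# put SMB traffic in a lossless, bandwidth-reserved traffic class. Adapter name, priority
# and bandwidth share are placeholders that must match the switch configuration.
#Requires -RunAsAdministrator
Import-Module netqos
Import-Module dcbqos
Import-Module netadapter

$Adapter = 'SMB-NIC1'

# Do not accept DCB settings pushed by the switch through DCBX; the host owns its config.
Set-NetQosDcbxSetting -Willing $false

# Classify SMB Direct traffic (TCP/445) into 802.1p priority 3.
New-NetQosPolicy -Name 'SMB' -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3

# Priority Flow Control only on the SMB priority; all other priorities stay lossy,
# so a misbehaving non-storage flow cannot pause the whole link.
Enable-NetQosFlowControl  -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# Reserve a bandwidth share for that priority with Enhanced Transmission Selection.
New-NetQosTrafficClass -Name 'SMB' -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

# Apply DCB to the adapter and show what is actually in effect.
Enable-NetAdapterQos -Name $Adapter
Get-NetAdapterQos -Name $Adapter
Get-NetQosDcbxSetting
Get-NetQosFlowControl
Get-NetQosTrafficClass
```

Setting Willing to false is the defensible default: with it true, a switch (or anything that can speak DCBX on that segment) can rewrite the host's traffic classes and flow-control settings, which is exactly the kind of silent reconfiguration you do not want on a storage NIC.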
You can manually add additional devices to ensure that they are managed by the service.
■ Discover Multi-Paths This enables you to run an algorithm that checks all of the devices attached to the server and ensures that they represent the same Logical Unit Number (LUN) through multiple paths.
■ DSM Install This enables you to install DSMs that might be provided by the storage vendor that is being used. Many storage systems are compliant with the Microsoft DSM, but provide their own DSM to work with their architecture.
■ Configuration Snapshot This enables you to save the MPIO configuration to a text file. The text file includes DSM information, the number of paths, and the current path state.

In addition to being managed through the MPIO GUI, you can also use mpclaim to perform many of the configuration activities.

NEED MORE REVIEW? CONFIGURE WITH MPCLAIM
For more information on mpclaim, visit https://technet.microsoft.com/en-us/library/ee619743(v=ws.10).aspx.

MPIO is also supported on Nano Server, but with some differences:
■ Only the Microsoft DSM is supported
■ The load-balancing policy cannot be modified
  ■ Default: Active/Active Round Robin
  ■ SAS HDD: LeastBlocks
  ■ ALUA: RoundRobin with Subset
■ Path states are picked up from the target storage system
■ Storage devices are claimed by bus type. For example, Fibre Channel, iSCSI, or SAS

To enable MPIO for Nano Server, run the following command:

Enable-WindowsOptionalFeature -Online -FeatureName MultiPathIO

When MPIO is installed on a Nano Server, the disks that are presented are listed as duplicates, with a single disk being available through each path. MPIO must be configured to claim and manage the disks to ensure that only one path is used. A script has been provided by Microsoft to claim and manage the disks, and can be found at https://technet.microsoft.com/en-us/windows-server-docs/compute/nano-server/mpio-on-nano-server.
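The duplicate-disk symptom described above is easy to see and to confirm fixed from PowerShell. The following is an added example, not the Microsoft script the text links to: it enables MPIO, shows the LUNs that currently appear once per path, has the Microsoft DSM claim devices by bus type, and then re-runs the same check. The bus type iSCSI and the round-robin policy are placeholders; on Nano Server the load-balancing policy cannot be changed, so the Set-MSDSMGlobalDefaultLoadBalancePolicy line applies only to a full Windows Server installation.

```powershell
# Added example (not from the book): enable MPIO, claim multipath devices by bus type,
# and verify that duplicate disks collapse into one disk per LUN. The bus type and the
# load-balancing policy are placeholders.
#Requires -RunAsAdministrator

# Full server: Install-WindowsFeature Multipath-IO ; Nano Server uses the optional feature.
Enable-WindowsOptionalFeature -Online -FeatureName MultiPathIO -NoRestart

function Get-DuplicateLuns {
    # Before MPIO claims them, the same LUN (same UniqueId) shows up once per path.
    Get-Disk | Group-Object UniqueId | Where-Object Count -gt 1 |
        Select-Object @{ n = 'UniqueId'; e = { $_.Name } }, @{ n = 'PathsSeen'; e = { $_.Count } }
}

'Duplicate LUNs before claiming:'
Get-DuplicateLuns | Format-Table -AutoSize

# Let the Microsoft DSM claim every device on the given bus (the page notes Nano Server
# claims by bus type). Round robin is the default policy; LQD (least queue depth) is the
# other common choice when the array vendor recommends it. Not changeable on Nano Server.
Enable-MSDSMAutomaticClaim -BusType iSCSI
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR

# Apply the claim to devices that are already present (a reboot may still be required).
Update-MPIOClaimedHW -Confirm:$false

Get-MSDSMAutomaticClaimSettings
Get-MSDSMGlobalDefaultLoadBalancePolicy

'Duplicate LUNs after claiming (expected: none):'
Get-DuplicateLuns | Format-Table -AutoSize

# mpclaim -s -d lists each MPIO disk with its path count and current load-balance policy.
mpclaim -s -d
```

If Get-DuplicateLuns still returns rows after the reboot, the usual cause is a device whose vendor/product string is not in the MPIO supported-hardware list; Get-MPIOAvailableHW shows those candidates and New-MSDSMSupportedHW adds one explicitly.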
Determine usage scenarios for Storage Replica

Storage Replica is a new function available with Windows Server 2016 that provides disaster-recovery capabilities. Storage Replica enables you to efficiently use many datacenters by stretching or replicating clusters. If one datacenter goes offline, the workload can be moved to another. Some scenarios where Storage Replica can be used include:
■ Stretch Cluster Enables the configuration of computers and storage as part of a single cluster. In this scenario, some nodes share one set of asymmetric storage, and other nodes share another set, then replicate the data with site awareness. The storage for this scenario can be JBOD, SAN, or iSCSI-attached disks. A stretch cluster can be managed by using Windows PowerShell and the Failover Cluster Manager tool, and can be configured for automated failover. Figure 2-13 illustrates using Storage Replica in a Stretch Cluster.

FIGURE 2-13 Stretch Cluster

■ Cluster-to-Cluster Enables replication between two completely separate clusters, where one cluster copies the data to another cluster. This scenario can also use Storage Spaces on JBOD, SAN, or iSCSI-attached disks as the backend storage. A cluster-to-cluster storage replica can be managed by using PowerShell, but failover must occur manually. Figure 2-14 illustrates using a cluster-to-cluster storage replica.

FIGURE 2-14 Cluster-to-cluster storage replica

■ Server-to-server This enables replication between standalone servers with Storage Spaces on JBOD, SAN, or iSCSI-attached disks. Individual servers can also be managed by PowerShell, and failover must be managed manually. Figure 2-15 illustrates a server-to-server storage replica.

FIGURE 2-15 Server-to-server storage replica

NEED MORE REVIEW? ACCESS THE STORAGE REPLICA
For an in-depth look at Storage Replica, visit https://technet.microsoft.com/en-us/windows-server-docs/storage/storage-replica/storage-replica-overview.

Implement Storage Replica for server-to-server, cluster-to-cluster, and stretch cluster scenarios

Storage Replica is only available in the Datacenter edition of Windows Server 2016. To install the feature, use the Add Roles and Features Wizard in Server Manager, or run the following command:

Install-WindowsFeature -Name Storage-Replica -IncludeManagementTools

There are 20 different PowerShell options in the Storage Replica module, including:
■ Test-SRTopology This verifies that the topology meets the requirements for a Storage Replica.
■ New-SRPartnership This configures the Storage Replica using the information that you provide. A source and destination name, volume, and replication group must be specified.
■ New-SRGroup This can optionally be used on one server in each location in combination with New-SRPartnership to configure the replication in stages.

NEED MORE REVIEW? STORAGE REPLICA
For walkthroughs on configuring Storage Replica in a stretch cluster, between clusters, or between servers, visit https://technet.microsoft.com/en-us/windows-server-docs/storage/storage-replica/storage-replica-windows-server-2016.

Skill 2.2: Implement data deduplication

Data deduplication enables you to oversubscribe the capacity of a given storage device by not writing the same data twice. For example, if you store multiple documents that contain a majority of the same information, only the difference in data is written to the disk.
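The three cmdlets listed above are used in a fixed order: test the topology, create the partnership, then confirm the destination has caught up before relying on it. The following is an added example, not code from the book, for the server-to-server scenario. SR-SRV01, SR-SRV02, the F: data and G: log volumes, the replication group names and the 8 GB log size are placeholders; the Test-SRTopology run is what tells you whether the log volume and the link between the sites are fast enough for synchronous mode.

```powershell
# Added example (not from the book): validate, create and verify a synchronous
# server-to-server Storage Replica partnership. Server names, volumes, group names
# and the log size are placeholders.
#Requires -RunAsAdministrator
$Src = 'SR-SRV01'   # placeholder source server
$Dst = 'SR-SRV02'   # placeholder destination server

# Both servers need the feature (Datacenter edition); reboot if the installer asks for it.
Invoke-Command -ComputerName $Src, $Dst -ScriptBlock {
    Install-WindowsFeature -Name Storage-Replica -IncludeManagementTools
}

# 1. Test the topology first. The HTML report written to ResultPath reports whether the
#    log volume IOPS and the inter-site latency meet the requirements for synchronous mode.
Test-SRTopology -SourceComputerName $Src -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
    -DestinationComputerName $Dst -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
    -DurationInMinutes 30 -ResultPath 'C:\Temp'

# 2. Create the partnership. This creates both replication groups in one step; the
#    destination volume becomes read-only and is overwritten by the initial block copy.
New-SRPartnership -SourceComputerName $Src -SourceRGName 'RG01' `
    -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
    -DestinationComputerName $Dst -DestinationRGName 'RG02' `
    -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
    -ReplicationMode Synchronous -LogSizeInBytes 8GB

# 3. Failover is manual in this scenario, so wait for the initial sync to finish before
#    treating the destination as a valid recovery copy.
do {
    Start-Sleep -Seconds 30
    $Replica = (Get-SRGroup -ComputerName $Dst -Name 'RG02').Replicas
} while ($Replica.ReplicationStatus -ne 'ContinuouslyReplicating')

$Replica | Select-Object DataVolume, ReplicationMode, ReplicationStatus, NumOfBytesRemaining
```

Once ReplicationStatus reads ContinuouslyReplicating, a planned or unplanned switch of direction is done with Set-SRPartnership and its NewSourceComputerName parameter; doing that while NumOfBytesRemaining is still non-zero is how data written to the old source since the last synced block gets lost.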
This section covers how to:
■ Implement and configure deduplication
■ Determine appropriate usage scenarios for deduplication
■ Monitor deduplication
■ Implement a backup and restore solution with deduplication

Implement and configure deduplication

Data deduplication is another server role that can be installed through the Add Roles and Features Wizard, or by using the Install-WindowsFeature cmdlet. The Data Deduplication server role also requires the File Server server role to be installed. Once installed, deduplication can be enabled on specific volumes by running the Enable-DedupVolume cmdlet. For example, to enable deduplication on the E drive, and begin an optimization job on that volume, run these commands:

Import-Module Deduplication
Enable-DedupVolume E: -UsageType Default -DataAccess
Start-DedupJob E: -Type Optimization

The DataAccess parameter indicates that data access will be enabled as part of the deduplicated volume. There are three possible options for the UsageType parameter when enabling deduplication:
■ Default This indicates a general purpose volume as the expected workload for the underlying disk.
■ Hyper-V This indicates that the volume stores VHDs for a Hyper-V server.
■ Backup This indicates that the volume is optimized for virtualized backup servers.

There are four types of deduplication jobs that run periodically, or can be run manually:
■ Optimization This manually starts the process of optimizing the volume for deduplication, and ensures that duplicated data does not consume additional storage.
■ GarbageCollection Garbage collection ensures that deleted or modified data is removed from the reference table.
■ Scrubbing This starts the data integrity scrubbing on the deduplicated volume.
■ Unoptimization This removes the deduplication on a specific volume.
Determine appropriate usage scenarios for deduplication

Typical scenarios for deduplication are file shares that have user documents, software deployment images, or VHD files. These scenarios often generate a large savings of storage space by using deduplication. Table 2-2 shows some common deduplication scenarios.

TABLE 2-2 Deduplication scenarios

Scenario                  Content                       Typical savings
User documents            Documents and photos          30-50 percent
Deployment shares         Software binaries and images  70-80 percent
Virtualization libraries  VHDs                          80-95 percent
General file share        All of the above              50-60 percent

After you have installed the data deduplication feature, you can also use the Deduplication Savings Evaluation Tool. The following output is an example of the ddpeval.exe tool:

Data Deduplication Savings Evaluation Tool
Copyright 2011-2012 Microsoft Corporation. All Rights Reserved.

Evaluated folder: E:
Processed files: 128
Processed files size: 120.03MB
Optimized files size: 40.02MB
Space savings: 80.01MB
Space savings percent: 66
Optimized files size (no compression): 11.47MB
Space savings (no compression): 571.53KB
Space savings percent (no compression): 40
Files with duplication: 20
Files excluded by policy: 20
Files excluded by error: 0

Based on the percentage returned by the tool, you can decide whether to implement data deduplication in the environment. With Windows Server 2016, data deduplication introduces the following changes:
■ Increased volume sizes NTFS volumes up to 64 TB can have deduplication enabled. This has been enhanced by increasing the number of threads working in parallel for individual volumes.
■ Increased file sizes Individual files up to 1 TB can efficiently be deduplicated on a storage volume.
■ Nano Server support Deduplication is fully supported on volumes that are presented to a Nano Server installation.
Monitor deduplication

The built-in deduplication jobs support weekly scheduling for optimization, garbage collection, and scrubbing. Additionally, jobs can be configured by using the Windows Task Scheduler. Remember that the garbage collector reclaims space by removing data that is no longer being used. The default weekly schedule can be viewed by running the Get-DedupSchedule cmdlet.

Get-DedupSchedule

The following output is returned:

Enabled  Type               StartTime  Days      Name
-------  ----               ---------  ----      ----
True     GarbageCollection  2:45 AM    Saturday  WeeklyGarbageCollection
True     Optimization                            BackgroundOptimization
True     Scrubbing          3:45 AM    Saturday  WeeklyScrubbing

The Get-DedupStatus cmdlet can be used to see the overall status of a server.

Get-DedupStatus

The following output is returned:

FreeSpace  SavedSpace  OptimizedFiles  InPolicyFiles  Volume
---------  ----------  --------------  -------------  ------
140.26 GB  265.94 GB   36124           36125          E:
76.26 GB   42.19 GB    43017           43017          F:

To force a refresh of the deduplication service and require it to rescan the available volumes, use the Update-DedupStatus cmdlet.

Implement a backup and restore solution with deduplication

Backup applications that work at the block level should work as expected, as the file system presents the full data to the application. Therefore, the destination media for the backup must be expecting the full data set, as if it was not deduplicated. For example, if a 1 TB volume has 700 GB of raw data that has been deduplicated down to 400 GB, the backup media must be capable of storing 700 GB of data. Windows Server Backup can back up an optimized volume and retain the deduplicated data without the need for the additional capacity.

NEED MORE REVIEW? BACKUPS WITH DEDUPLICATION
For more information on performing backups with deduplication, visit https://technet.microsoft.com/en-us/library/hh831600(v=ws.11).aspx.
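The enable, schedule and monitor steps from the last three subsections can be turned into one maintainable script. The following is an added example, not code from the book: it enables deduplication on a volume with a file-age floor and an excluded scratch folder, replaces the default Saturday jobs with bounded Sunday maintenance-window jobs, and adds a small reporting function that flags volumes whose last scrub failed, whose savings are below a threshold, or whose last optimization is stale. The volume E:, the Scratch folder, the Sunday window and the thresholds are placeholders.

```powershell
# Added example (not from the book): enable and tune deduplication on one volume,
# schedule maintenance jobs in a fixed window, and report unhealthy volumes.
# Volume, excluded folder, schedule and thresholds are placeholders.
#Requires -RunAsAdministrator
Import-Module Deduplication

$Volume = 'E:'   # placeholder

Enable-DedupVolume -Volume $Volume -UsageType Default
# Only files older than 3 days are candidates, and the scratch folder is never touched,
# so actively changing data is not repeatedly optimized and re-hydrated.
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 3 -ExcludeFolder "$Volume\Scratch"
Start-DedupJob -Volume $Volume -Type Optimization -Wait

# Garbage collection and integrity scrubbing inside a Sunday window, each capped at 4 hours
# so a long run cannot spill into business hours.
New-DedupSchedule -Name 'SundayGC'    -Type GarbageCollection -Days Sunday -Start 01:00 -DurationHours 4
New-DedupSchedule -Name 'SundayScrub' -Type Scrubbing         -Days Sunday -Start 02:00 -DurationHours 4

function Get-DedupHealthReport {
    # One row per deduplicated volume; the three boolean columns are the things to alert on.
    param(
        [int]$MinSavingsPercent     = 20,   # below this, dedup is costing CPU for little gain
        [int]$MaxOptimizationAgeDays = 7    # older than this, the background job is not running
    )
    foreach ($s in Get-DedupStatus) {
        $ageDays = if ($s.LastOptimizationTime) {
            (New-TimeSpan -Start $s.LastOptimizationTime).TotalDays
        } else { [double]::PositiveInfinity }

        [pscustomobject]@{
            Volume        = $s.Volume
            SavedGB       = [math]::Round($s.SavedSpace / 1GB, 2)
            SavingsRate   = $s.SavingsRate
            LowSavings    = $s.SavingsRate -lt $MinSavingsPercent
            StaleOptimize = $ageDays -gt $MaxOptimizationAgeDays
            ScrubFailed   = $s.LastScrubbingResult -ne 0     # non-zero = scrubbing found problems
            ScrubMessage  = $s.LastScrubbingResultMessage
        }
    }
}

Get-DedupHealthReport | Format-Table -AutoSize
```

The ScrubFailed column is the one that matters for integrity: a deduplicated volume stores each unique chunk once, so corruption in the chunk store affects every file that references the chunk, and the scrubbing job is the only routine check that finds it. Feeding this function's output to whatever monitoring system you already use is a better signal than watching free space alone.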
Chapter summary

■ Managing storage pools for attached storage
■ Using simple, mirror, and parity virtual disks for storage pools
■ How to expand storage pools with additional disks
■ Configuring tiered storage with HDDs and SSDs
■ Configuring iSCSI targets and initiators
■ Using iSNS with iSCSI initiators
■ Configuring DCB for enhanced SMB functionality
■ Using MPIO to optimize multiple paths to attached storage
■ Stretched cluster, cluster to cluster, and server to server storage replicas
■ Using PowerShell to manage storage replicas
■ Installing and configuring data deduplication
■ Identifying the best scenarios for using data deduplication
■ Monitoring deduplication with PowerShell

Thought Experiment

A company has two datacenters in two different geographic regions. Servers have direct-attached disks that are configured as JBOD. Each direct-attached storage system has a mixture of HDDs and SSDs. The JBOD storage must maximize the storage capacity presented to the server. Servers in each datacenter are members of a failover cluster. The failover cluster is limited to a single datacenter. A group of servers used for marketing contain a file share with marketing documents and photos. Another group of servers use local storage for Hyper-V VHDs. Using this information, answer the following questions:

1. What type of storage pool should the JBOD storage systems use?
2. Would tiered storage increase the performance of the JBOD array?
3. Which storage replica scenario works best for this company?
4. Would the Marketing servers benefit from using data deduplication?
5. Would the Hyper-V servers benefit from using data deduplication?

Thought Experiment Answers

1. The JBOD storage system should use a parity pool to maximize the amount of storage that is presented to the server.
2. Yes, tiered storage would ensure that data that is frequently accessed is stored on the SSDs, while data that is not accessed frequently is stored on the HDDs.
3. Because the failover clusters are limited to a single datacenter, a cluster to cluster storage replica scenario is the best fit for this environment. A stretch cluster is not feasible because they are not members of the same cluster. This also eliminates individual server to server storage replicas.
4. Yes, documents and photos are a viable storage type for data deduplication.
5. Yes, Hyper-V machines with VHDs are a viable storage type for data deduplication.

CHAPTER 3 Implement Hyper-V

In this chapter, we explore almost all of the settings that can be configured within the Hyper-V role. First we explain how to install or add the role to a server. Then we cover individual virtual machine (VM) settings, including the generation and versions. We also go through configuring the different storage options for Hyper-V, for both individual and shared virtual disks. Finally, we configure the networking capabilities of Hyper-V.

Skills in this chapter:
■ Install and configure Hyper-V
■ Configure virtual machine settings
■ Configure Hyper-V storage
■ Configure Hyper-V networking

Skill 3.1: Install and configure Hyper-V

In this section, we cover the requirements and processes for adding the Hyper-V role. We also detail how to install the management tools, and use those tools to manage local and remote Hyper-V hosts. We also highlight the configuration versions of VMs, and how those versions unlock specific features within Hyper-V. Finally, we explain two new features in Hyper-V: Windows PowerShell Direct and nested virtualization.
This section covers how to:
■ Determine hardware and compatibility requirements for installing Hyper-V
■ Install Hyper-V
■ Install management tools
■ Upgrade from existing versions of Hyper-V
■ Delegate virtual machine management
■ Perform remote management of Hyper-V hosts
■ Configure virtual machines using Windows PowerShell Direct
■ Implement nested virtualization

Determine hardware and compatibility requirements for installing Hyper-V

In addition to the system requirements that we discussed in Chapter 1 for Windows Server 2016, the Hyper-V role also has additional hardware requirements. Hyper-V requires a 64-bit processor that uses second-level address translation (SLAT). The virtualization components of Hyper-V will not be installed if the processor does not support SLAT. Note that this is strictly for the virtualization components. The Hyper-V Manager, PowerShell cmdlets, and management tools can be used without SLAT.

You should also ensure that the Hyper-V host has enough memory to support both the Hyper-V OS itself, as well as the virtual machines. As a minimal configuration with the host OS and one VM, you should plan for at least 4 GB of RAM.

Windows Server 2016 also introduces Shielded virtual machines. These VMs rely on virtualization-based security. The Hyper-V host must support UEFI 2.3.1c or later. This is for secure, measured boot. To support optional features, the Hyper-V host should also have a TPM v2.0, and IOMMU so that the host can provide direct memory access protection.

Install Hyper-V

The process for installing Hyper-V has not changed much since Windows Server 2008 and Windows Server 2012.
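Before adding the role, the requirements listed above can be checked from PowerShell. The following script is an added example, not from the book: it reads the Hyper-V requirement flags that Get-ComputerInfo reports (Windows Server 2016 / PowerShell 5.1), checks the 4 GB minimum the book gives, and reports the Shielded VM prerequisites (UEFI Secure Boot, TPM) as optional items. It assumes an elevated session on the prospective host; the role install at the end runs with -WhatIf so it only shows what would happen.

```powershell
# Added example, not from the book: pre-flight check of the Hyper-V host
# requirements above. Assumes an elevated session on the prospective host and
# the Get-ComputerInfo cmdlet (Windows Server 2016 / PowerShell 5.1).

function Test-HyperVHostReadiness {
    $info = Get-ComputerInfo

    # Once a hypervisor is running, Windows no longer reports the
    # HyperVRequirement* values (they read as null), so say so up front.
    if ($info.HyperVisorPresent) {
        Write-Warning 'A hypervisor is already running on this host; requirement values are not reported.'
    }

    $checks = [ordered]@{
        '64-bit operating system'                 = ($info.OsArchitecture -eq '64-bit')
        'Second-level address translation (SLAT)' = [bool]$info.HyperVRequirementSecondLevelAddressTranslation
        'VM monitor mode extensions'              = [bool]$info.HyperVRequirementVMMonitorModeExtensions
        'Virtualization enabled in firmware'      = [bool]$info.HyperVRequirementVirtualizationFirmwareEnabled
        'Data execution prevention available'     = [bool]$info.HyperVRequirementDataExecutionPreventionAvailable
        'At least 4 GB of physical memory'        = ($info.CsTotalPhysicalMemory -ge 4GB)
    }

    # Optional items for Shielded VMs: UEFI Secure Boot and a ready TPM.
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; that counts as not satisfied.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    $checks['UEFI Secure Boot enabled (optional, Shielded VMs)'] = $secureBoot

    $tpmReady = $false
    try {
        $tpm = Get-Tpm
        $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch { $tpmReady = $false }
    $checks['TPM present and ready (optional, Shielded VMs)'] = $tpmReady

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{
            Requirement = $entry.Key
            Optional    = ($entry.Key -like '*optional*')
            Satisfied   = $entry.Value
        }
    }
}

$results = Test-HyperVHostReadiness
$results | Format-Table -AutoSize

$unmet = $results | Where-Object { -not $_.Optional -and -not $_.Satisfied }
if ($unmet) {
    # Without SLAT the role installs but the hypervisor will not start.
    Write-Warning ('Not ready for Hyper-V: ' + ($unmet.Requirement -join ', '))
} else {
    # Same command as the book, against the local host, shown with -WhatIf.
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -WhatIf
}
```

The optional rows are reported separately on purpose: a host that fails only those can still run ordinary VMs, but should not be put into a Shielded VM fabric, where measured boot and the TPM are what the Host Guardian Service attests.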
Hyper-V is a server role that can be installed by using the Add Roles and Features Wizard from Server Manager, or by using Windows PowerShell:

    Install-WindowsFeature -Name Hyper-V -ComputerName Server1 -IncludeManagementTools -Restart

Install management tools

If you only need to install the management tools, this can also be performed by using the Add Roles and Features Wizard from Server Manager, or by using Windows PowerShell. However, there are a few different options when installing only the management tools. When using Server Manager, the option for installing the management tools is actually part of the Remote Server Administration Tools (RSAT), not Hyper-V. Expanding RSAT shows management tools that can be installed, including tools for Hyper-V.

FIGURE 3-1 Add Roles and Features Wizard

Figure 3-1 shows the two components of installing Hyper-V, which are:
■ Hyper-V GUI Management Tools: This is the Hyper-V Manager and Virtual Machine Connect to manage and view virtual machines.
■ Hyper-V Module for Windows PowerShell: These are the PowerShell cmdlets that can be used to manage Hyper-V.

When using PowerShell to install the management features, there are a few different options:
■ Microsoft-Hyper-V-All: This installs Hyper-V itself as well as all of the management tools.
■ Microsoft-Hyper-V-Tools-All: This installs all of the management tools, including the manager, Virtual Machine Connect, and PowerShell module.
■ Microsoft-Hyper-V-Management-Clients: This installs only the GUI manager and Virtual Machine Connect.
■ Microsoft-Hyper-V-Management-PowerShell: This installs only the PowerShell module for Hyper-V.

To use PowerShell to install the management tools, use the following command:

    Enable-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Tools-All' -Online

Upgrade from existing versions of Hyper-V

This could mean upgrading the operating system, or upgrading the virtual machine version in Hyper-V. Upgrading the operating system is a separate task that doesn’t specifically involve Hyper-V. The only consideration from a Hyper-V perspective is the VMs. You have the option of shutting them down temporarily while the upgrade is performed, or migrating them to a different host. Certain operating systems only support specific versions of virtual machines. Table 3-1 lists the supported VM versions for each operating system.

TABLE 3-1 Supported VM versions

Hyper-V host operating system          Supported VM version number
Windows 8.1                            5.0
Windows Server 2012 R2                 5.0
Windows 10 builds earlier than 10565   5.0, 6.2
Windows 10 build 10565 and later       5.0, 6.2, 7.0, 7.1, 8.0
Windows Server 2016                    5.0, 6.2, 7.0, 7.1, 8.0

Each configuration version represents the VM configuration file, saved state, and snapshots that are associated with the VM on the host. By using a newer virtual machine configuration, you also ensure that the virtual machine supports the latest features. Table 3-2 shows features that are only supported in specific VM configuration versions.
TABLE 3-2 Version-specific features

Feature                                   Minimum VM version
Hot Add/Remove memory                     6.2
Secure Boot for Linux VMs                 6.2
Production Checkpoints                    6.2
PowerShell Direct                         6.2
Virtual Machine Grouping                  6.2
Virtual Trusted Platform Module (vTPM)    7.0
Virtual machine multi-queues (VMMQ)       7.1
Nested virtualization                     8.0

Delegate virtual machine management

The most simple and effective method of enabling others to manage Hyper-V and virtual machines is to add them to the Hyper-V Administrators local security group for each of the Hyper-V hosts to which you plan to delegate management. However, this might not be the most secure method because doing so gives the new administrators permissions to change virtual switch and host settings in addition to VMs.

To delegate access to individual VMs, you need to modify the Hyper-V Authorization Manager store. This enables you to create task and role definitions to which you can delegate access. The general steps to modifying the Hyper-V services authorization include:

1. Launch a Microsoft Management Console (MMC) session, and add the Authorization Manager to the console, as shown in Figure 3-2.

FIGURE 3-2 Add or Remove Snap-ins

2. Right-click the Authorization Manager, and then click Open Authorization Store.
3. In the Open Authorization Store window, ensure that XML File is selected. Click Browse. Navigate to %systemroot%\ProgramData\Microsoft\Windows\Hyper-V\ and select InitialStore.xml, as shown in Figure 3-3. Click OK.

FIGURE 3-3 Open Authorization Store

4. Expand Authorization Manager, Initial Store, Hyper-V services, Role Assignments. Note that by default, the only role assignment is an Administrator, as shown in Figure 3-4.

FIGURE 3-4 Authorization Manager Role Assignments

5. Expand Definitions, and then right-click Task Definitions. Click New Task Definition.
6. Name the task definition “VM Managers.” In the notification prompt, click OK.
In the Add Definition screen, click the Operations tab.
7. Select operations that you would want the VM Managers role to do. In this example, select all operations that are associated with a virtual machine, as shown in Figure 3-5, and then click OK twice.

FIGURE 3-5 Add Definition

8. Now that you have created a group of tasks, you can create the role that can use these tasks. Right-click Role Definitions, and then click New Role Definition.
9. Name the Role Definition, such as VM Managers Role, and then click Add. Click the Tasks tab, select VM Managers, and then click OK. There are now two role definitions, as shown in Figure 3-6.

FIGURE 3-6 Authorization Manager Role Definitions

10. Next, you can create the Role Assignment, which is what user accounts are linked to for the permissions. Right-click Role Assignments, and then click New Role Assignment. Select the VM Managers Role, and then click OK.
11. Right-click the new role assignment, select Assign Users and Groups, and then click From Windows and Active Directory. Select a user that you plan to delegate the permissions to, and then click OK. Figure 3-7 shows the final configuration, with the user Admin on a host named Host01 that can manage the tasks assigned as part of the VM Managers Role.

FIGURE 3-7 Authorization Manager Role Assignments

Perform remote management of Hyper-V hosts

Performing remote management within the same domain simply requires the permissions or delegation discussed in the previous section. However, managing a Hyper-V server that is in a workgroup is slightly more complicated. First, the Hyper-V server must have PowerShell remoting enabled. This is easily accomplished by running the Enable-PSRemoting cmdlet. Note that the network profile on the server must be set to Private. Otherwise, you also need to specify the -SkipNetworkProfileCheck parameter.
The second task on the Hyper-V host is to enable the WSMan credential role as a server. To do this, run the following command:

    Enable-WSManCredSSP -Role Server

The more complicated steps occur on the computer from which you plan to manage Hyper-V. First, you must trust the Hyper-V server from the remote client. If the Hyper-V host is named Host01, run the following command:

    Set-Item "WSMan:\localhost\Client\TrustedHosts" -Value "Host01"

Then on the remote client, you must also enable the WSMan credential role as a client, and specify the server to manage remotely. For example:

    Enable-WSManCredSSP -Role Client -DelegateComputer "Host01"

Finally, you should also configure the local policy (or a Group Policy if you plan to have multiple remote management points) to allow credentials to be passed. This setting is located at Computer Configuration\Administrative Templates\System\Credentials Delegation. The specific setting is named “Allow delegating fresh credentials with NTLM-only server authentication.” Enable this setting, and add wsman/Host01 as a server in the list. You should now be able to remotely manage the Hyper-V server that is in a workgroup.

EXAM TIP
For each of the client settings, TrustedHosts, Delegate Computer, and wsman, you can use a wildcard mask (*) as a substitute for specifying multiple Hyper-V hosts.

Beginning with Windows 10 and Windows Server 2016, you also have the option to specify different credentials to manage the Hyper-V host from Hyper-V Manager. Note that the above steps must still be taken if the remote host is in a workgroup. Figure 3-8 shows connecting to a host with different credentials.

FIGURE 3-8 Select Computer

Configure virtual machines using Windows PowerShell Direct

The name of this skill is slightly misleading, as you don’t really configure PowerShell Direct. PowerShell Direct is a new feature which allows you to connect to a VM through PowerShell.
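The client-side steps of the workgroup remote-management procedure above, collected into one function, as an added example that is not from the book. It applies TrustedHosts, the CredSSP client role, and the Credentials Delegation policy to an explicit list of host names instead of the wildcard the exam tip mentions: with CredSSP the management workstation hands the full credential to whatever machine answers to a trusted name, so the narrower that list, the smaller the exposure if a name is spoofed or a host is compromised. The host names are placeholders; the registry location and value names used for the policy step are the ones the "Allow delegating fresh credentials with NTLM-only server authentication" template writes.

```powershell
# Added example, not from the book: the client-side steps above as one function,
# applied to an explicit list of hosts rather than the '*' wildcard.
# Assumptions: elevated session on the management workstation; host names are
# placeholders; the registry values are those written by the Credentials
# Delegation policy template (AllowFreshCredentialsWhenNTLMOnly).

function Enable-WorkgroupHyperVManagement {
    param(
        [Parameter(Mandatory)][string[]]$HyperVHost   # e.g. 'Host01','Host02' (placeholders)
    )
    # 1. TrustedHosts: WinRM sends credentials to these names without Kerberos
    #    mutual authentication, so append named hosts rather than '*'.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($HyperVHost -join ',') -Concatenate -Force

    # 2. CredSSP client role, delegating only to the named hosts.
    Enable-WSManCredSSP -Role Client -DelegateComputer $HyperVHost -Force | Out-Null

    # 3. Local policy: Allow delegating fresh credentials with NTLM-only server
    #    authentication, one wsman/<host> entry per host (same list as the GUI step).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $listKey   = Join-Path $policyKey 'AllowFreshCredentialsWhenNTLMOnly'
    New-Item -Path $listKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name AllowFreshCredentialsWhenNTLMOnly -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name ConcatenateDefaults_AllowFreshNTLMOnly -Value 1 -Type DWord
    $index = 1
    foreach ($name in $HyperVHost) {
        Set-ItemProperty -Path $listKey -Name $index -Value "wsman/$name" -Type String
        $index++
    }
}

function Get-WorkgroupHyperVManagementState {
    # Read back the three settings so the change can be reviewed or audited.
    $listKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly'
    $entries = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
    $delegates = @()
    if ($entries) {
        $delegates = $entries.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        TrustedHosts      = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        CredSSPClient     = ((Get-WSManCredSSP) -join ' | ')
        NtlmOnlyDelegates = ($delegates -join ', ')
        UsesWildcard      = (((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -eq '*') -or ($delegates -contains 'wsman/*'))
    }
}

# Enable-WorkgroupHyperVManagement -HyperVHost 'Host01'   # placeholder host name
# Get-WorkgroupHyperVManagementState
```

The UsesWildcard field in the state report is the thing to check periodically on management workstations: a '*' that was added for convenience during a lab build tends to survive into production.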
From that connection, you can run commands as if you were running them locally. You can perform a connection by using either of the following commands:

    Enter-PSSession -VMName VMName
    Invoke-Command -VMName VMName -ScriptBlock { Commands }

When making the connection, you are prompted to enter the credentials for the virtual machine, as shown in Figure 3-9.

FIGURE 3-9 Windows PowerShell credential request

Using Enter-PSSession allows you to interactively manage the virtual machine. You can continue to run commands within the virtual machine until you explicitly exit the session. With Invoke-Command, you are limited to only what is within the ScriptBlock parameter. Once the command is over, you are returned to the local PowerShell session. In addition to the VMName, you can also use the VMId or the VMGUID to connect to a specific VM. To enter a PowerShell Direct session, you must be logged onto the host as a Hyper-V administrator. The VM must be running locally and already booted to the OS.

Implement nested virtualization

Nested virtualization is a new feature that enables you to run Hyper-V inside of a virtual machine that is already running on Hyper-V. This is useful if you plan to use containers, use Hyper-V in a lab environment, or are testing multi-machine scenarios without additional hardware.

The first step to configuring nested virtualization is to ensure that the virtual machine can see the virtualization extensions from the host. This is accomplished from PowerShell by running the following command:

    Set-VMProcessor -VMName VM1 -ExposeVirtualizationExtensions $True

When using nested virtualization, you want to ensure that dynamic memory is turned off for the VM. This can also be configured from PowerShell by running the following command:

    Set-VMMemory -VMName VM1 -DynamicMemoryEnabled $False

Nested virtual switches present a challenge.
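The two nested-virtualization commands above, with the preconditions checked first, as an added example that is not from the book (the networking choice is a separate step and is covered next). It checks that the VM is off, that its configuration version is at least 8.0 (the minimum for nested virtualization in Table 3-2), and that it carries no checkpoints, since checkpoints are among the features a nested VM gives up. The VM name is a placeholder and the host is assumed to be Windows Server 2016 with the Hyper-V module.

```powershell
# Added example, not from the book: prepare a VM for nested virtualization with
# the two Set-* commands above, after checking the preconditions.
# Assumptions: Windows Server 2016 host with the Hyper-V module; VM name is a placeholder.

function Enable-NestedVirtualization {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName

    # Processor settings can only be changed while the VM is off.
    if ($vm.State -ne 'Off') {
        throw "$VMName must be powered off (current state: $($vm.State))."
    }
    # Nested virtualization needs configuration version 8.0 or later (Table 3-2).
    if ([version]$vm.Version -lt [version]'8.0') {
        throw "$VMName is configuration version $($vm.Version); run Update-VMVersion first (that upgrade is one-way)."
    }
    # Checkpoints are unsupported once nesting is on; refuse rather than orphan them.
    if (Get-VMSnapshot -VMName $VMName) {
        throw "$VMName has checkpoints; remove them before enabling nested virtualization."
    }

    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    # Dynamic memory (and runtime memory resize) are unsupported with nesting.
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false

    # Read the settings back so the caller can verify the result.
    $proc = Get-VMProcessor -VMName $VMName
    $mem  = Get-VMMemory -VMName $VMName
    [pscustomobject]@{
        VMName                = $VMName
        Version               = $vm.Version
        VirtualizationExposed = $proc.ExposeVirtualizationExtensions
        DynamicMemoryEnabled  = $mem.DynamicMemoryEnabled
    }
}

# Enable-NestedVirtualization -VMName 'VM1'   # placeholder name
```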
There are two options to configure the networking in this scenario:
■ MAC address spoofing: This allows the packets to be routed through two virtual switches.
■ Network Address Translation: This creates a separate network internally for the virtual host. This is the more likely option, especially in a public cloud environment.

MAC address spoofing is a simple configuration. You can enable spoofing on the VM adapter by running the following command:

    Get-VMNetworkAdapter -VMName VM1 | Set-VMNetworkAdapter -MacAddressSpoofing On

Network Address Translation (NAT) requires a virtual NAT switch to be configured on the virtual Hyper-V host. As part of the NAT configuration, you need to specify the IP address range to use for the translation service.

Note that virtual machines that are being used with nested virtualization no longer support these features:
■ Runtime memory resize
■ Dynamic memory
■ Checkpoints
■ Live migration

NEED MORE REVIEW? NESTED VIRTUALIZATION
For more information on nested virtualization, visit https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/nesting.

Skill 3.2: Configure virtual machine settings

In this section, we go through the individual VM settings and options that can be configured. When studying for the exam, you should focus primarily on understanding how these options are configured, and the PowerShell cmdlets to configure them.
This section covers how to:
■ Add or remove memory in a running VM
■ Configure dynamic memory
■ Configure Non-Uniform Memory Access support
■ Configure smart paging
■ Configure Resource Metering
■ Manage Integration Services
■ Create and configure generation 1 and 2 VMs and determine appropriate usage scenarios
■ Implement enhanced session mode
■ Create Linux and FreeBSD VMs, install and configure Linux Integration Services (LIS), and install and configure FreeBSD Integration Services
■ Implement Secure Boot for Windows and Linux environments
■ Move and convert VMs from previous versions of Hyper-V to Windows Server 2016 Hyper-V
■ Export and import VMs
■ Implement Discrete Device Assignment

Add or remove memory in a running VM

Adding or removing memory—or more accurately, increasing or decreasing the amount of memory that is assigned to a VM—is an easy task. The memory setting in the GUI of the VM settings can be configured even if the VM is running. However, you cannot enable Dynamic Memory while the VM is running if it was not already enabled. To configure VM memory by using PowerShell, use the Set-VMMemory cmdlet. For example, to configure a VM to use 4 GB of memory, run the following command:

    Set-VMMemory -VMName 743-02 -StartupBytes 4GB

Configure dynamic memory

Dynamic memory enables a VM to scale up with additional memory automatically based on the needs of the VM operating system. To enable dynamic memory, the VM must be powered off. Dynamic Memory can be enabled in the GUI by simply placing a checkmark next to the option, and then configuring the Minimum RAM and Maximum RAM. The Startup RAM is the amount of memory assigned to the VM when it is first powered on. Dynamic Memory is also configured by using the Set-VMMemory cmdlet.
For example, to enable Dynamic Memory with an initial value and minimum of 4 GB, and a maximum of 8 GB, run the following command:

    Set-VMMemory -VMName 743-02 -StartupBytes 4GB -DynamicMemoryEnabled $True -MinimumBytes 4GB -MaximumBytes 8GB

Configure Non-Uniform Memory Access support

Windows Server 2012 introduced support for virtual NUMA with Hyper-V, ensuring that VMs with large amounts of memory performed as expected. The NUMA topology can be configured in a few ways:
■ Maximum processors per virtual NUMA node: The maximum number of virtual processors that belong to the same VM, between 1 and 32.
■ Maximum memory per virtual NUMA node: The maximum amount of memory that can be allocated to a VM, up to 256 GB.
■ Maximum virtual NUMA nodes per socket: The maximum number of VMs that are allowed on a single socket, between 1 and 64.
■ NUMA Spanning: Allows individual NUMA VMs to access non-local memory, and is enabled by default.

Figure 3-10 shows the default NUMA configuration for a Hyper-V VM.

FIGURE 3-10 NUMA Configuration

NEED MORE REVIEW? NUMA DETAILS
For more information on NUMA, visit https://technet.microsoft.com/en-us/library/jj614459.aspx.

Configure smart paging

Windows Server 2012 introduced Smart Paging, which enhances virtual machine restarts. If a VM has low memory at startup, Hyper-V needs additional memory to start the VM. However, if the host is running several VMs, additional memory might not be available for the VM. Smart Paging is used to provide additional memory to a VM during startup if necessary. To configure smart paging, simply specify the location where smart paging files should be stored. Figure 3-11 shows the dedicated GUI tab that smart paging is configured from.

FIGURE 3-11 Smart Paging File Location

Additionally, smart paging can be configured from PowerShell with the Set-VM cmdlet.
To set the smart paging file location to E:\VMs\743\03\Paging, run the following command:

    Set-VM -VMName 743-03 -SmartPagingFilePath "E:\VMs\743\03\Paging"

Configure Resource Metering

Resource Metering is a built-in function that enables you to monitor the performance of a VM, including:
■ Average CPU usage
■ Average memory usage
■ Minimum memory usage
■ Maximum memory usage
■ Maximum amount of allocated disk space
■ Total inbound network traffic
■ Total outbound network traffic

Resource Metering is not enabled for a VM by default. To enable it, run the Enable-VMResourceMetering cmdlet. For example, to enable it on a VM named 743-01, run the following command:

    Enable-VMResourceMetering -VMName 743-01

Once Resource Metering has been enabled, you can view the data by running the Measure-VM cmdlet. The following example is for a VM named 743-01.

    Measure-VM -VMName 743-01 | FL

And the output:

    VMId                            : 85c4c297-9553-41ed-80c5-553b275faf49
    VMName                          : 743-01
    CimSession                      : CimSession: .
    ComputerName                    : HOST01
    AverageProcessorUsage           : 9
    AverageMemoryUsage              : 2048
    MaximumMemoryUsage              : 2048
    MinimumMemoryUsage              : 2048
    TotalDiskAllocation             : 130048
    AggregatedAverageNormalizedIOPS : 2
    AggregatedAverageLatency        : 240
    AggregatedDiskDataRead          : 0
    AggregatedDiskDataWritten       : 2
    AggregatedNormalizedIOCount     : 301
    AvgCPU                          : 9
    AvgRAM                          : 2048
    MinRAM                          : 2048
    MaxRAM                          : 2048
    TotalDisk                       : 130048

Manage Integration Services

With Windows Server 2016, the method of providing integration services has changed. The vmguest.iso file is no longer included with Hyper-V because integration services are provided through Windows Update. This enables you to centralize the management of integration services along with Windows Updates. This is also useful in scenarios where different groups or organizations manage individual VMs. By using Windows Update, the owner of the VM can determine when to upgrade the integration services for their VM.
The available integration services are:
■ Guest Service Interface
■ Heartbeat
■ Key-Value Pair Exchange
■ Shutdown
■ Time Synchronization
■ VSS

You can obtain the current integration services configuration of a VM by running the Get-VMIntegrationService cmdlet. For example:

    Get-VMIntegrationService -VMName 743-01

By default, all integration services except for Guest Service Interface are enabled. To enable a specific service, run the Enable-VMIntegrationService cmdlet. For example:

    Enable-VMIntegrationService -VMName 743-01 -Name "Guest Service Interface"

You can also manage integration services from within the VM itself. To view the list of services from within the VM, run the Get-Service cmdlet. For example:

    Get-Service -Name VM*

The Get-Service cmdlet returns the same list of integration services, but with their service names:
■ vmicguestinterface
■ vmicheartbeat
■ vmickvpexchange
■ vmicrdv
■ vmicshutdown
■ vmictimesync
■ vmicvmsession
■ vmicvss

From within the VM, you can run Start-Service or Stop-Service to manage the integration services.

Create and configure Generation 1 and 2 VMs and determine appropriate usage scenarios

When creating a VM, you have the option of creating a Generation 1 or a Generation 2 VM. As a whole, a Generation 1 VM is more flexible for most scenarios. However, depending on your situation, a Generation 2 VM might be necessary. A Generation 1 VM is required if the guest operating system is 32-bit, or if you plan on moving the VM to Azure at any point. However, if you’re using Azure Site Recovery, a Generation 2 VM automatically converts to a Generation 1 VM when migrated.
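The integration services cmdlets above lend themselves to a drift check across every VM on a host. The following script is an added example, not from the book: it compares each VM's integration services with a declared baseline and corrects any difference. The baseline and the allow-list are constructed policy values; they keep Guest Service Interface (the service that lets the host copy files into a guest) disabled except on VMs that are explicitly allowed, since it is the one service that is off by default and the one that gives the host a data path into the guest.

```powershell
# Added example, not from the book: audit integration services on every VM
# against a declared baseline and correct drift. Runs on a Hyper-V host.
# The baseline and the allow-list are constructed policy values.

$baseline = @{
    'Guest Service Interface' = $false   # host-to-guest file copy: off unless allow-listed
    'Heartbeat'               = $true
    'Key-Value Pair Exchange' = $true
    'Shutdown'                = $true
    'Time Synchronization'    = $true
    'VSS'                     = $true
}
$guestServiceAllowList = @('FileServerTemplate')   # placeholder VM names

function Get-IntegrationServiceDrift {
    param(
        [hashtable]$Baseline = $baseline,
        [string[]]$AllowGuestServiceOn = $guestServiceAllowList
    )
    foreach ($vm in Get-VM) {
        foreach ($svc in Get-VMIntegrationService -VMName $vm.Name) {
            if (-not $Baseline.ContainsKey($svc.Name)) { continue }   # not governed by the baseline
            $expected = $Baseline[$svc.Name]
            if ($svc.Name -eq 'Guest Service Interface' -and ($AllowGuestServiceOn -contains $vm.Name)) {
                $expected = $true
            }
            [pscustomobject]@{
                VMName      = $vm.Name
                State       = $vm.State
                Service     = $svc.Name
                Enabled     = $svc.Enabled
                Expected    = $expected
                Drift       = ($svc.Enabled -ne $expected)
                # Whether the guest-side vmic* service is actually responding.
                GuestStatus = $svc.PrimaryStatusDescription
            }
        }
    }
}

function Repair-IntegrationServiceDrift {
    param([switch]$WhatIf)
    foreach ($row in (Get-IntegrationServiceDrift | Where-Object Drift)) {
        if ($row.Expected) {
            Enable-VMIntegrationService -VMName $row.VMName -Name $row.Service -WhatIf:$WhatIf
        } else {
            Disable-VMIntegrationService -VMName $row.VMName -Name $row.Service -WhatIf:$WhatIf
        }
    }
}

# Get-IntegrationServiceDrift | Where-Object Drift | Format-Table -AutoSize
# Repair-IntegrationServiceDrift -WhatIf
```

GuestStatus is worth keeping in the report even for services that match the baseline: a VM whose Heartbeat service is enabled on the host side but not responding inside the guest is either still booting, missing the integration components, or has had the vmic* services stopped from within.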
A Generation 2 VM provides additional performance and security enhancements:
■ PXE support with native Hyper-V adapters
■ Faster boot time
■ Minimized hardware emulation for devices
■ UEFI disk partitions
■ Secure Boot ready

You can attempt to convert a Generation 1 VM to Generation 2 by using a Microsoft-built script. However, this script is not supported or guaranteed to reconfigure the VM.

NEED MORE REVIEW? VM CONVERSION UTILITY
The VM conversion utility can be downloaded at https://code.msdn.microsoft.com/ConvertVMGeneration.

Note that when creating disks for use with VMs, Generation 1 VMs use the VHD file extension, while Generation 2 use the VHDX file extension. When installing Nano Server, a key difference is that a VHD is based on a Master Boot Record (MBR), while a Generation 2 VHDX uses GUID Partition Tables (GPT).

Implement enhanced session mode

An enhanced session in Hyper-V enables you to use local resources to connect to a VM. This can include passing flash drives to the virtual machine. Plus, the contents of the clipboard provide the ability to copy and paste files through the connection session. The local resources can be configured similar to the options that are available through Remote Desktop. Figure 3-12 shows the local resources that can be configured when connecting to a VM with an enhanced session.

FIGURE 3-12 Enhanced session settings

Create Linux and FreeBSD VMs, install and configure Linux Integration Services, and install and configure FreeBSD Integration Services

For the purpose of this exam, we combined the Linux and FreeBSD topics into one. Hyper-V supports both emulated and specific devices for VMs that run Linux and FreeBSD. When using emulated devices, no additional software is necessary. These emulated devices do not offer high performance or much management compared to specific devices.
However, specific devices require additional drivers that are necessary for the devices to work as expected in the VM. The device drivers for these components are part of the Linux Integration Services and FreeBSD Integration Services. However, only certain versions of each distribution are supported with LIS and BIS. Do not expect to have to memorize the individual versions that are necessary to use Linux or FreeBSD with Hyper-V.

NEED MORE REVIEW? LIS AND BIS
For more information on supported distributions for LIS and BIS, visit https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/supported-linux-and-freebsd-virtual-machines-for-hyper-v-on-windows.

Implement Secure Boot for Windows and Linux environments

With Windows Server 2016, both Windows and Linux operating systems that are running in a Generation 2 VM can use Secure Boot. Before booting with secure boot, you must configure the Microsoft UEFI Certificate Authority. To configure the VM, run the following command:

    Set-VMFirmware 743-01 -SecureBootTemplate MicrosoftUEFICertificateAuthority

Similar to the integration services, you should not memorize specific versions of operating systems that are supported with Secure Boot. However, you should be aware of the Linux distributions that are supported with secure boot:
■ Ubuntu
■ SUSE Linux Enterprise
■ Red Hat Enterprise
■ CentOS

Move and convert VMs from previous versions of Hyper-V to Windows Server 2016 Hyper-V

Moving a VM from one host to another can be accomplished a few different ways:
■ Online migration: Requires that a Hyper-V cluster be created so that a clustered VM can move from one host to another. The two physical servers should have the same processor to avoid corruption.
■ Storage migration and import: With this option, you can power off the VM to perform a storage migration.
This ensures that all data associated with that VM is moved from the existing platform to the new platform.
■ Export and import: This option enables you to export the data from the disk, and then import the data back into Hyper-V as a different VM.

An online migration can be performed to move a running VM from one host to another. With Windows Server 2016, the hosts do not have to be members of a failover cluster. Simply add both Hyper-V hosts to the Hyper-V Manager console, and use the Move wizard, or the Move-VM cmdlet. For example:

    Move-VM 743-01 Host02 -IncludeStorage -DestinationStoragePath D:\743-01

An offline method of migration would be to power down the VM and move all of the files associated with the VM, and then import the VM on the new Hyper-V host. We expand on this in the next section.

Once a VM has been migrated from a previous version of Hyper-V, it can be upgraded to the latest version that is available, 8.0. Figure 3-13 shows a portion of the Hyper-V Manager, particularly the Upgrade Configuration Version option.

FIGURE 3-13 Hyper-V Management Settings

After the VM has been upgraded, it cannot be downgraded to a previous VM version.

Export and import VMs

Beginning with Windows Server 2012, performing an export of a VM is not required for it to be imported. The function still exists from the console and PowerShell, and can be an easy way to prepare the VM to be moved, especially if the files are scattered in multiple directories. The files in the export are organized in the following folders:
■ Snapshots: If the VM has any checkpoints, an .XML file for each checkpoint exists with the checkpoint GUID as the name.
■ Virtual Hard Disks: The base VHDX disk and any associated checkpoint AVHDX disk files.
■ Virtual Machines: If the machine is off during the export, only the .XML configuration file is present.
If the VM is in a saved state, a subfolder with the VM GUID also exists with a .BIN and .VSV saved state file.

You can also export a VM by using the Export-VM cmdlet. For example:

    Export-VM -VMName 743-01 -Path F:\Export

When importing a VM through the Import Virtual Machine wizard, you are presented with three options:
■ Register: This uses the existing VM ID and registers it in-place. You should choose this option if you already copied the VM files to the desired location.
■ Restore: This uses the original VM ID and copies the files from their current location to the default location that is configured for that specific Hyper-V host.
■ Copy: This creates a new VM ID and copies the files from their current location to the default location that is configured for that specific Hyper-V host.

When importing a VM, you can also use the Import-VM cmdlet. For example:

    Import-VM -Path "F:\Export\743-01\Virtual Machines\Filename.xml" -Register

Note that when importing a VM by using PowerShell, to essentially restore a VM, you must use the Copy and GenerateNewId parameters. Restore is not a specific parameter for the cmdlet.

Implement Discrete Device Assignment (DDA)

Windows Server 2016 introduces DDA, a new feature that provides VMs with direct access to PCI Express devices. This is similar to SR-IOV, which was introduced with Windows Server 2012. DDA bypasses the virtualization components and gives the VM direct access to the PCIe hardware. There are no DDA configuration options through Hyper-V Manager. As of this writing, managing DDA can only be performed by using the following PowerShell cmdlets:
■ Get-VMAssignableDevice
■ Add-VMAssignableDevice
■ Remove-VMAssignableDevice

To add a device to a VM, you must first disable the device for the Hyper-V host. Then using the InstanceId of the device, you can add the device to a specific VM.
For example, to add a PCIe non-volatile memory device to a VM, run this command:

Add-VMAssignableDevice -LocationPath "PCIROOT(40)#PCI(0200)#PCI(0000)" -VMName 743-01

NEED MORE REVIEW? DDA DETAILS
The virtualization team has a blog with several dedicated posts on DDA: https://blogs.technet.microsoft.com/virtualization/2015/11/.

Skill 3.3: Configure Hyper-V storage

This section covers the details of configuring storage for Hyper-V hosts and virtual machines. Similar to other sections, you should focus on the concepts of how the storage components interact with a host and its VMs, as well as how to complete these actions by using Windows PowerShell.

This section covers how to:
■ Create VHDs and VHDX files using Hyper-V Manager
■ Create shared VHDX files
■ Configure differencing disks
■ Modify virtual hard disks
■ Configure pass-through disks
■ Resize a virtual hard disk
■ Manage checkpoints
■ Implement production checkpoints
■ Implement a virtual Fibre Channel adapter
■ Configure storage Quality of Service

Create VHDs and VHDX files using Hyper-V Manager

Creating a disk, whether it is a VHD or VHDX, from Hyper-V Manager is as simple as using the New Virtual Hard Disk Wizard. The steps are:

1. From Hyper-V Manager, click New, and then click Hard Disk.
2. In the New Virtual Hard Disk Wizard, click Next.
3. The first configuration option is the Choose Disk Format screen, where you choose between VHD and VHDX. A third option, VHD Set, is for shared disks, which we cover in the next section. Select VHD or VHDX and click Next.
4. The next configuration is the Choose Disk Type screen, where you select from Fixed Size, Dynamically Expanding, or Differencing:
■ Fixed size This provides the best performance because the full size of the disk is allocated at the time of provisioning. As data changes within the disk, the size of the file on the host remains the same.
■ Dynamically expanding This is a thinly provisioned disk that only allocates space as the VM writes data. This lets you obtain the most capacity from the host storage, but should be used cautiously: if the combined growth of thinly provisioned disks fills the host volume, Hyper-V pauses the affected VMs until space is freed.
■ Differencing A differencing disk uses a parent-child relationship. The parent disk contains read-only data that does not change, and all changes are written to a different disk, the differencing disk. The child refers to its parent by path, so the parent must not be modified, moved, or deleted while children depend on it.
Select Dynamically Expanding and click Next.
5. On the Specify Name and Location screen, provide a filename for the disk, as well as the directory in which you would like to store the disk. This does not have to be with a VM, and can be anywhere that the Hyper-V host has access to. Click Next to continue.
6. Finally, the Configure Disk screen allows you to select from three options, as shown in Figure 3-14:
■ Create A New Blank Virtual Hard Disk This is simply a blank disk that you can attach to a VM.
■ Copy The Contents Of The Specified Physical Disk Any physical disk that is presented to the Hyper-V host can be copied to the virtual disk. After the copy is complete, they are two separate sets of data; any changes that a VM makes to the virtual disk are independent of the physical storage.
■ Copy The Contents Of The Specified Virtual Hard Disk This enables you to select an existing VHD or VHDX and copy its contents to the new disk.
Select Create A New Blank Virtual Hard Disk, enter 100 in the Size box (the unit is GB), and click Finish.

FIGURE 3-14 Configure New Virtual Hard Disk Wizard

Create shared VHDX files

Beginning with Windows Server 2012 R2, a shared VHDX can be used to connect a single virtual disk to multiple VMs. This shared disk can act as shared storage for guest cluster configurations without the need for SAN equipment; the file itself must reside on a Cluster Shared Volume or on an SMB 3.0 file share. A shared VHDX is simply a VHDX that is being accessed by multiple VMs. Windows Server 2016 adds the VHD Set format (.vhds) for the same purpose, which additionally supports online resizing and host-based backup of the shared disk.
After creating a new disk, you can add the drive to a VM with the ShareVirtualDisk parameter. For example:

Add-VMHardDiskDrive -VMName 743-01 -Path "\\Host01\Disks\Disk1.vhdx" -ShareVirtualDisk

Using a UNC path ensures that even if you move the VM to a different host, it can still access the storage. If you are using Hyper-V Manager, a shared drive can be created by adding a drive from the controller. Figure 3-15 shows the option to add a shared drive to a VM.

FIGURE 3-15 SCSI Controller Settings for a VM

Configure differencing disks

As we mentioned earlier in this chapter, a differencing disk uses a parent-child relationship. In this case, the parent disk contains read-only data that does not change. A differencing disk is created using the same methods as a typical VHD, through the wizard or the New-VHD cmdlet, using the Differencing and ParentPath parameters. There are two primary methods of using differencing disks:

■ Many child objects to one parent In this scenario, a single parent disk is used and many child disks are formed off of this parent. This is useful in lab environments where all VMs share the same image. Only one base VHD is necessary, and then each VM has a differencing disk in the lab for individual changes on that VM. Figure 3-16 illustrates this scenario.

FIGURE 3-16 Many child objects

■ A chain of child and parent disks In this scenario, each disk builds on the one before it. This scenario is useful for patching multiple systems that use differencing disks. The base disk can be the installation of the operating system, and each child disk can represent a service pack or anniversary update. Figure 3-17 illustrates this scenario.

FIGURE 3-17 Chain of disks

Configure pass-through disks

A pass-through disk enables you to take a physical disk on the Hyper-V host and present it directly to a VM.
Before presenting a disk to a VM, it must be initialized as either MBR or GPT, but set to offline on the host, so that only the VM has it mounted. A pass-through disk gives the VM raw block access to the physical disk; the disk cannot be checkpointed and the VM's storage cannot be live migrated, so it is mostly a compatibility option for workloads that need a physical LUN. Figure 3-18 shows adding an offline physical disk to a VM.

FIGURE 3-18 Adding physical hard disk to a VM

Resize a virtual hard disk

You can resize an existing virtual disk by using the Edit Virtual Hard Disk Wizard, or by using the Resize-VHD cmdlet. Figure 3-19 shows the options to edit a VHD.

FIGURE 3-19 Editing a VHD

The available options for editing a VHD are:
■ Compact This optimizes the capacity of a VHD and reduces the overall footprint on the Hyper-V host storage.
■ Convert This enables you to change the disk format or type to the other types discussed earlier in the chapter.
■ Expand This simply increases the capacity of the VHD. (A VHDX can also be shrunk, provided the guest has first shrunk its partition so that unallocated space exists at the end of the disk.)

When using PowerShell to manage VHDs, there is a separate cmdlet for each of these actions:
■ Optimize-VHD Optimizing a VHD provides the same actions as Compact in the wizard.
■ Convert-VHD This enables you to change the disk type of the VHD.
■ Resize-VHD This allows you to resize the VHD.

Manage checkpoints

Checkpoints enable you to capture point-in-time snapshots of a VM. This gives you an easy method of quickly restoring to a known working configuration, making them useful before installing or updating an application. When a checkpoint is created, the original VHD becomes read-only, and all changes are captured in an AVHD (or AVHDX) file. Conversely, when a checkpoint is deleted, the contents of the AVHD are merged into the original disk, which becomes the primary writable file again. Standard checkpoints take a snapshot of both the disk and the memory state at the time that the checkpoint is taken. That memory image is written to disk alongside the VM, so whatever was in the guest's RAM at that moment (cached credentials, BitLocker keys, private keys) lives in the checkpoint files for as long as the checkpoint exists. By default, in Windows Server 2016, checkpoints are taken as Production checkpoints. We cover production checkpoints in the next section. The setting for production or standard is configured at the VM level, so you use the Set-VM cmdlet to make this change.
For example:

Set-VM -Name 743-01 -CheckpointType Standard

Implement production checkpoints

Windows Server 2016 introduces production checkpoints, which use the Volume Shadow Copy Service (VSS) on Windows guests or file system freeze on Linux guests. This enables you to take an application-consistent snapshot of a VM without the running memory; applying one is like starting the VM from a clean shutdown rather than resuming it. If taking a production checkpoint fails, by default the host attempts to create a standard checkpoint instead. You can configure the type of checkpoint a VM uses by using the Set-VM cmdlet. For example:

Set-VM -Name 743-01 -CheckpointType Production

To set the VM to only use production checkpoints, without the ability to fall back to a standard checkpoint, replace the Production option with ProductionOnly. Checkpoints can also be configured from Hyper-V Manager by editing the settings of a VM. Figure 3-20 displays the checkpoint management of a VM.

FIGURE 3-20 Virtual Machine Checkpoint Settings

Implement a virtual Fibre Channel adapter

A virtual Fibre Channel (FC) adapter can be used with a virtual SAN to provide direct SAN access to a virtual machine. This enables you to present LUNs from a SAN to a VM by zoning and masking on the virtual World Wide Names (WWNs) that are assigned to the adapter. An FC adapter can be added from the settings screen of an individual VM. Figure 3-21 shows the new FC Adapter screen.

FIGURE 3-21 Virtual Machine Fibre Channel Adapter Settings

Adding an FC adapter can also be accomplished by using PowerShell with the Add-VMFibreChannelHba cmdlet.
For example:

Add-VMFibreChannelHba -VMName 743-01 -SanName vSAN1 -GenerateWwn

If you need to specify the WWNs that the VM uses for the adapter, replace the GenerateWwn option with the following parameters:
■ WorldWideNodeNameSetA
■ WorldWideNodeNameSetB
■ WorldWidePortNameSetA
■ WorldWidePortNameSetB

Two sets exist because Hyper-V alternates between them during live migration so that the VM keeps an active path to the SAN throughout; both sets must therefore be zoned and masked on the fabric. For example, run the following command to create an FC adapter using these WWNs:

Add-VMFibreChannelHba -VMName 743-Nano -SanName vSAN1 -WorldWideNodeNameSetA C003FF0000FFFF00 -WorldWidePortNameSetA C003FF73FD70000C -WorldWideNodeNameSetB C003FF0000FFFF00 -WorldWidePortNameSetB C003FF73FD70000D

Configure storage Quality of Service (QoS)

Windows Server 2012 introduced the ability to set QoS policies for storage on virtual machines. Windows Server 2016 builds on this functionality for VMs whose disks are stored on a Scale-Out File Server or a Cluster Shared Volume: you define policies with minimum and maximum IOPS and assign them to one or more VM disks, and the storage performance is then readjusted to meet the policies that have been defined. Storage QoS can primarily be used to achieve the following goals:
■ Mitigate noisy neighbor issues This ensures that a single VM does not use all of the available storage resources and starve other VMs.
■ Monitor end-to-end storage performance As soon as a virtual machine is started, the performance of the VM is monitored. The details of all running VMs can be viewed from a single location.
■ Manage I/O per workload The QoS policies that you define ensure that the minimums and maximums meet the application workload for the environment. This helps ensure that performance is consistent, even in different environments.

Skill 3.4: Configure Hyper-V networking

This section examines Hyper-V networking, from configuring MAC addresses and NIC teaming to configuring virtual machine queues and bandwidth management.
This section covers how to:
■ Add and remove virtual network interface cards and configure network adapters
■ Configure Hyper-V virtual switches
■ Optimize network performance
■ Configure MAC addresses
■ Configure network isolation
■ Configure NIC teaming in VMs
■ Configure virtual machine queue
■ Enable Remote Direct Memory Access on network adapters bound to a Hyper-V virtual switch using Switch Embedded Teaming
■ Configure bandwidth management

Add and remove virtual network interface cards, configuring network adapters, configuring virtual machine queue, and configuring bandwidth management

A virtual network adapter can be added by a method similar to adding a drive or Fibre Channel adapter from within Hyper-V Manager. Simply edit the settings of the VM, and select the option to add the network adapter. For Generation 1 VMs, you have the option of creating a standard (synthetic) network adapter or a legacy (emulated) network adapter. A synthetic adapter offers better performance, and a legacy adapter enables PXE boot on a Generation 1 VM. Figure 3-22 shows the options after adding a new network adapter.

FIGURE 3-22 Virtual Machine Network Adapter Settings

Adding a network adapter can also be accomplished by using PowerShell with the Add-VMNetworkAdapter cmdlet. For example:

Add-VMNetworkAdapter -VMName 743-01 -SwitchName Switch01

After adding a network adapter to a VM, you can configure the VLAN identification, if necessary, for that adapter. Referring back to Figure 3-22, a synthetic network adapter also supports a few additional features:
■ Bandwidth management You can configure the minimum and maximum bandwidth targets for the network adapter.
■ Virtual machine queue (VMQ) If supported by the corresponding physical adapter, VMQ can be enabled on the virtual adapter.
■ IPsec task offloading If supported by the corresponding physical adapter, IPsec tasks can be offloaded to hardware.
A legacy network adapter does not support these features, and can only be configured with a particular VLAN. Regardless of the adapter type, you can manage the adapter with PowerShell by using the Set-VMNetworkAdapter cmdlet.

Configure Hyper-V virtual switches and configure network isolation

For the purpose of preparing for the exam, we've combined configuring virtual switches and network isolation. A Hyper-V virtual switch connects VMs to each other, to the host, or to the physical network, depending on the connection type of the switch. Network isolation is therefore set first by the type of switch a VM's adapter is connected to, and then refined on the adapter itself (VLAN ID, MAC address controls, and the other advanced features covered later in this skill). There are three options to choose from when creating a virtual switch:
■ External network This connects the virtual switch to the selected physical network adapter of the Hyper-V host. This physical adapter can be dedicated to the VMs that are running, or it can be shared with the host operating system.
■ Internal network This connects the VM only to the Hyper-V host and to other VMs that have a network adapter connected to this switch. The VM does not have access to the physical adapter on the host.
■ Private network This connects only the VMs on this switch to each other. They cannot communicate with the host, with the physical network, or with VMs on other Hyper-V hosts, which makes it the right choice for isolating a lab or a malware-analysis VM from everything else.

Figure 3-23 shows the configuration options for a virtual switch from the Virtual Switch Manager.

FIGURE 3-23 Virtual Switch Manager

Virtual switches can be added from PowerShell by using the New-VMSwitch cmdlet. For example, to create a new internal virtual switch, run the following command:

New-VMSwitch -Name Internal1 -SwitchType Internal

Optimize network performance

Optimizing network performance can be achieved from both a Hyper-V host perspective and an individual VM perspective.
When preparing for the exam, some performance options to be aware of include:
■ Synthetic network adapter The Hyper-V-specific network adapter is optimized to reduce the CPU usage of the Hyper-V host and increase network performance for the VM. When monitoring performance, a performance counter is available under \Hyper-V Virtual Network Adapter(*)\*.
■ Offload hardware You can configure offloading to reduce the CPU usage of the Hyper-V host. Hyper-V supports Large Send Offload (LSO) and TCP checksum offload if the capabilities have been enabled in the drivers for the physical network adapter.
■ Network switch topology Similar to designing an appropriate topology for physical environments, in large virtual environments the network switch configuration can also become the source of a bottleneck. You can use NIC teaming on multiple physical adapters to enhance the network performance of VMs.
■ VLAN performance The synthetic Hyper-V network adapter supports VLAN tagging. If the physical network adapter supports NDIS_ENCAPSULATION_IEEE_802_3_P_AND_Q_IN_OOB, then the Hyper-V host can also use hardware offloading to increase the network performance for VMs.
■ Dynamic VMQ Dynamic virtual machine queue (VMQ) enables you to automatically scale the number of processors used for a VMQ, based on the volume of the network traffic.
■ MAC spoofing By default, MAC address spoofing is disabled, so the virtual switch drops any frame a VM sends with a source MAC address other than the one assigned to its adapter. If you need the VM to be able to use its own MAC addresses (nested virtualization, network load balancing, and guest NIC teaming all need this), MAC address spoofing must be enabled on the VM's adapter. Enable it only where required, because a guest that can forge source MAC addresses can impersonate other machines on the same segment.
■ Virtual Receive Side Scaling (vRSS) Enables the processing of ingress VM network traffic to be shared across multiple processors on the host and virtual machine. vRSS enables the host to dynamically balance the processing of inbound network traffic.

NEED MORE REVIEW?
PERFORMANCE TUNING
For more information on performance tuning, visit https://msdn.microsoft.com/en-us/library/windows/hardware/dn567656(v=vs.85).aspx.

Configure MAC addresses

By default, the network adapter in a VM uses a dynamic MAC address that is assigned from the pool of MAC addresses on the Hyper-V host. The pool of MAC addresses can be configured from the Virtual Switch Manager, as shown in Figure 3-24. Make sure the pools of hosts that share a network segment do not overlap: two VMs with the same dynamic MAC cause intermittent connectivity failures that are hard to diagnose.

FIGURE 3-24 Virtual Switch Manager - MAC Address Range

Although it is managed from the Virtual Switch Manager, it is configured from PowerShell by using the Set-VMHost cmdlet. For example:

Set-VMHost -MacAddressMinimum 00155DA7E700 -MacAddressMaximum 00155DA7E7FF

Configuring the MAC address on an individual network adapter is accomplished from the settings of the VM, as shown in Figure 3-25.

FIGURE 3-25 VM Settings - Advanced Features

The MAC address settings for a virtual network adapter can be configured with PowerShell by using the Set-VMNetworkAdapter cmdlet. For example, to assign a static MAC address, run the following command:

Set-VMNetworkAdapter -VMName 743-01 -StaticMacAddress 00155DA7E73B

Configure NIC teaming in VMs

If you present multiple network adapters to a VM, you can configure them to be teamed within the VM. However, you must also allow each adapter to be a member of a team from the Hyper-V host. Figure 3-26 shows the Advanced Features of a network adapter, where NIC teaming can be enabled.

FIGURE 3-26 Advanced Features of a Virtual Network Adapter

Enabling NIC teaming for a virtual network adapter can also be performed through PowerShell by using the Set-VMNetworkAdapter cmdlet. Note that although the AllowTeaming parameter reads like a Boolean, the valid values are On and Off, not $True or $False.
For example:

Set-VMNetworkAdapter -VMName 743-01 -AllowTeaming On

Enable Remote Direct Memory Access on network adapters bound to a Hyper-V virtual switch using Switch Embedded Teaming

In previous versions of Windows Server and Hyper-V, you could not configure RDMA on network adapters that were part of a NIC team or bound to a virtual switch. With Windows Server 2016, you can enable RDMA on network adapters that are part of a virtual switch, with or without Switch Embedded Teaming (SET). The first step in configuring RDMA with SET is to enable Data Center Bridging. Then, you can create a virtual switch with SET enabled. For example:

New-VMSwitch -Name SETswitch -NetAdapterName "SLOT 2","SLOT 3" -EnableEmbeddedTeaming $True

After creating the switch, you add host virtual NICs to the management operating system (these carry the host's own SMB Direct traffic; they are not adapters inside a VM) and enable RDMA on them. For example:

Add-VMNetworkAdapter -SwitchName SETswitch -Name SMB_1 -ManagementOS
Add-VMNetworkAdapter -SwitchName SETswitch -Name SMB_2 -ManagementOS
Enable-NetAdapterRDMA "vEthernet (SMB_1)","vEthernet (SMB_2)"

NEED MORE REVIEW? RDMA WITH SET
For more information on RDMA with SET, visit https://technet.microsoft.com/en-us/library/mt403349.aspx.
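To tie Skill 3.4 together, the following added example (written for this edition, not code from the book) applies the adapter-level isolation and management settings covered above to one VM in a single pass: a static MAC address from the host pool, MAC spoofing off, guest teaming off, a VLAN ID, and a bandwidth cap. It goes beyond the book in two places, the DHCP guard and router guard settings (which make the virtual switch drop DHCP server replies and router advertisements sent by the guest, so a compromised VM cannot redirect its neighbours) and an extended port ACL enforced by the switch. The VM name, switch name, VLAN ID, MAC address, management subnet and bandwidth value are all assumptions for illustration.

```powershell
# Added example: lock down the first network adapter of one VM on a Windows Server 2016
# Hyper-V host. Names and values below are assumptions; adjust for your environment.
#Requires -RunAsAdministrator

$VMName      = '743-01'
$SwitchName  = 'External1'        # assumed existing external switch
$VlanId      = 20                 # assumed VLAN for this workload
$AdminSubnet = '10.10.0.0/24'     # assumed management subnet allowed to reach RDP

$nic = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
if (-not $nic) { throw "VM $VMName has no network adapter." }
Connect-VMNetworkAdapter -VMName $VMName -Name $nic.Name -SwitchName $SwitchName

# Adapter-level controls. On/Off values are the OnOffState type the cmdlet expects.
$settings = @{
    VMName             = $VMName
    Name               = $nic.Name
    StaticMacAddress   = '00155DA7E73B'  # from the host's 00-15-5D pool; must be unique on the segment
    MacAddressSpoofing = 'Off'           # switch drops frames whose source MAC is not this one
    DhcpGuard          = 'On'            # switch drops DHCP *server* messages sent by this guest
    RouterGuard        = 'On'            # switch drops router advertisements/redirects from this guest
    AllowTeaming       = 'Off'           # this adapter may not join a guest-side NIC team
    MaximumBandwidth   = 1000000000      # bits per second: cap at 1 Gbit/s (a minimum needs the
                                         # switch to be in absolute or weight mode, so it is left out)
}
Set-VMNetworkAdapter @settings

# Put the adapter in access mode on one VLAN so the guest cannot see other tenants' traffic.
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $nic.Name -Access -VlanId $VlanId

# Extended ACLs are evaluated by the virtual switch, outside the guest's control.
# Higher weight wins: allow RDP only from the management subnet, deny it from everywhere else.
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -VMNetworkAdapterName $nic.Name `
    -Action Allow -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteIPAddress $AdminSubnet -Weight 20
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -VMNetworkAdapterName $nic.Name `
    -Action Deny -Direction Inbound -Protocol TCP -LocalPort 3389 -Weight 10

# Verify the result from the host side.
Get-VMNetworkAdapter -VMName $VMName -Name $nic.Name |
    Format-List Name, SwitchName, MacAddress, MacAddressSpoofing, DhcpGuard, RouterGuard,
                AllowTeaming, BandwidthSetting
Get-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $nic.Name
Get-VMNetworkAdapterExtendedAcl -VMName $VMName -VMNetworkAdapterName $nic.Name |
    Format-Table Direction, Action, Protocol, LocalPort, RemoteIPAddress, Weight
```

These settings live on the host and travel with the VM configuration when it is moved, which is the point: a guest administrator (or an attacker with guest-level code execution) cannot switch them off from inside the VM. The MAC-related settings are the ones that conflict with nested virtualization, NLB and guest teaming, so when one of those is required, enable spoofing on that adapter only and keep the rest.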
Chapter summary
■ The requirements and how to install Hyper-V
■ Upgrading from previous versions of Hyper-V
■ Management tools and remote management for Hyper-V
■ Configuration versions and generation types of individual virtual machines
■ Using nested virtualization with Hyper-V
■ How to manage memory for a virtual machine
■ Configuring dynamic memory, NUMA, and smart paging
■ Using resource metering and integration services
■ Using Linux on Hyper-V
■ Moving, converting, importing, and exporting VMs
■ Creating and managing VHD and VHDX disk files
■ Configuring differencing, fixed, and dynamically expanding disks
■ Managing standard and production checkpoints
■ Adding and managing virtual network adapters
■ Optimizing network performance

Thought Experiment

A company is planning to create two servers that run Hyper-V in a workgroup. The servers must consume only the minimum resources that are required, and must be managed remotely. One of the Hyper-V servers must host a VM that must also use the Hyper-V role. After deploying the hosts, the company plans to deploy both Windows and Linux guest operating systems. Both operating systems must include the drivers for hardware that is being passed to the VM. The disks on the VMs must be thinly provisioned to maximize the capacity that is available on the hosts. Checkpoints that use VSS must be used to capture consistent snapshots. Using this information, answer the following questions.

1. How should the company install Hyper-V?
2. How should the management roles be configured?
3. Name a Linux operating system that the company can use.
4. What type of disks must the VMs use?
5. What type of checkpoints must the VMs use?

Thought Experiment Answers

1. Based on this scenario, Hyper-V should be installed on a Nano Server. This consumes the absolute minimum amount of resources for the environment.
2.
Because the hosts are in a workgroup, there is no Kerberos trust between the management computer and the hosts, so the hosts must be added to the WinRM TrustedHosts list on the management computer (and remote management enabled on the hosts) before they can be managed remotely.
3. Red Hat, CentOS, Ubuntu, or SUSE
4. The disks must be dynamically expanding to be thinly provisioned.
5. Only Production checkpoint types use VSS for consistent snapshots.

CHAPTER 4 Implement Windows Containers

In this chapter we cover how to use containers to host virtualized images on a server. Two kinds of containers are supported, Windows Server containers and Hyper-V containers; they are managed the same way, but the isolation they provide differs. Containers can be isolated to ensure they operate independently of any other container, and of the host that they are running on. In the first section of this chapter, we cover the basic process to deploy containers and go through the basic management aspects for containers.

Skills in this chapter:
■ Deploy Windows Containers
■ Manage Windows Containers

Skill 4.1: Deploy Windows Containers

In this section we outline the basics for deploying containers on either Windows Server, Nano Server, or Hyper-V. We also detail how to change the Docker daemon configuration for startup, and detail specifics for images, such as tagging.
This section covers how to:
■ Determine installation requirements and appropriate scenarios for Windows Containers
■ Install and configure Windows Server container host in physical or virtualized environments
■ Install and configure Windows Server container host to Windows Server Core or Nano Server in a physical or virtualized environment
■ Install Docker on Windows Server and Nano Server
■ Configure Docker daemon start-up options
■ Install a base operating system
■ Tag an image
■ Uninstall an operating system image
■ Create Windows Server containers
■ Create Hyper-V containers

Determine installation requirements and appropriate scenarios for Windows Containers

Windows Containers is a new feature that is only available on Windows Server 2016, Nano Server, and the Windows 10 Professional and Enterprise Anniversary Update editions. If you plan on using Hyper-V containers, then the Hyper-V role must also be installed on the computer or server. To use Windows Server containers, the operating system must be installed on the C drive. If you plan to only use Hyper-V containers, then the operating system can be installed on any drive.

The two container types suit different scenarios. Windows Server containers share the host's kernel, so they are appropriate where every container on the host is trusted by the same administrator (for example, the tiers of one team's own application). Hyper-V containers give each container its own kernel inside a small utility VM, which is the appropriate choice when workloads of different trust levels, or of different tenants, share one host. From a physical aspect, running Hyper-V containers inside a container host that is itself a VM requires nested virtualization. Nested virtualization has the following requirements:
■ At least 4 GB of RAM for the Hyper-V host
■ A processor that supports Intel VT-x

Also, the container host VM must have at least two virtual processors, and dynamic memory must be disabled. As of this writing, Windows Server 2016 offers two container images: Server Core and Nano Server. If the host operating system is a Nano Server, then only the Nano Server image is available.
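The requirements above translate into a short host-side procedure when the container host is a VM. The script below is an added example written for this edition, not code from the book; it runs on the physical Hyper-V host, assumes a container-host VM named ContainerHost01, and checks the host prerequisites before reconfiguring the VM for nested virtualization. The 4 GB assigned to the VM is an assumption; the book's 4 GB figure is for the host.

```powershell
# Added example: prepare an existing VM (assumed name ContainerHost01) on a Windows
# Server 2016 Hyper-V host so that it can run Hyper-V containers, which need nested
# virtualization. Run on the physical host, not inside the VM.
#Requires -RunAsAdministrator

$VMName = 'ContainerHost01'

# Host prerequisites: Windows Server 2016 (build 14393) or later with the hypervisor
# running, on an Intel VT-x processor (nested virtualization in 2016 is Intel-only).
$os = Get-CimInstance Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0.14393') {
    throw "Host must be Windows Server 2016 or later (found $($os.Version))."
}
if (-not (Get-CimInstance Win32_ComputerSystem).HypervisorPresent) {
    throw 'The Hyper-V hypervisor is not running on this host.'
}
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
if ($cpu.Manufacturer -ne 'GenuineIntel') {
    throw 'Nested virtualization on Windows Server 2016 requires an Intel VT-x processor.'
}

# Processor and memory settings can only be changed while the VM is off.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off') { Stop-VM -Name $VMName -Force }

# Container host VM requirements from the text: at least two vCPUs, dynamic memory
# off, and the virtualization extensions exposed to the guest.
Set-VMProcessor -VMName $VMName -Count 2 -ExposeVirtualizationExtensions $true
Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes 4GB   # 4 GB is an assumption

# The nested hypervisor's virtual switch sends frames with the nested VMs' own MAC
# addresses, so MAC spoofing must be on for this VM's adapter (and only this one).
Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

# A VM that exposes virtualization extensions cannot be checkpointed or saved,
# so disable checkpoints and shut it down instead of saving it when the host stops.
Set-VM -Name $VMName -CheckpointType Disabled -AutomaticStopAction ShutDown

Start-VM -Name $VMName
Get-VMProcessor -VMName $VMName | Select-Object VMName, Count, ExposeVirtualizationExtensions

# Inside the guest afterwards, install the two features the container host needs:
#   Install-WindowsFeature -Name Containers, Hyper-V -IncludeManagementTools -Restart
```

The MAC spoofing change is the one that weakens the VM's isolation, so it is worth knowing why it is there: without it, the virtual switch on the physical host silently drops the nested VMs' traffic. Everything else either enforces the requirements from the text or removes features (checkpoints, saved state) that would fail once nesting is enabled.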
Install and configure containers

For the purpose of preparing for the exam, we've combined two of the listed skills:
■ Install and configure Windows Server container host in physical or virtualized environments
■ Install and configure Windows Server container host to Windows Server Core or Nano Server in a physical or virtualized environment

For either host operating system, whether it is physical or virtual, Containers is listed as a Windows feature. For servers with a GUI, it can be installed from the Add Roles and Features Wizard. Containers can also be installed by using Windows PowerShell with the Install-WindowsFeature cmdlet. For example:

Install-WindowsFeature Containers

Figure 4-1 shows installing the Containers feature by using the Install-WindowsFeature cmdlet.

FIGURE 4-1 Install-WindowsFeature

If you're using Nano Server, you must first install the Nano Server package provider, and then install the Containers package. For example:

Install-PackageProvider NanoServerPackage
Install-NanoServerPackage -Name Microsoft-NanoServer-Containers-Package

Install Docker on Windows Server and Nano Server

To manage containers on either Windows Server 2016 or Nano Server, you must also install the Docker service. Almost all Docker installation and configuration options have both a PowerShell cmdlet and a Docker command line option. To install Docker on Windows Server 2016, it must be downloaded from the Docker website. You can do this manually, or by using PowerShell. For example, Figure 4-2 shows downloading and configuring the environment for the docker service to run.
FIGURE 4-2 Obtaining docker

Invoke-WebRequest "https://aka.ms/tp5/b/dockerd" -OutFile "$env:TEMP\docker-1.12.0.zip" -UseBasicParsing
Expand-Archive -Path "$env:TEMP\docker-1.12.0.zip" -DestinationPath $env:ProgramFiles
[Environment]::SetEnvironmentVariable("Path", $env:Path + ";C:\Program Files\Docker", [EnvironmentVariableTarget]::Machine)
& $env:ProgramFiles\docker\dockerd.exe --register-service
Start-Service Docker
docker tag windowsservercore:10.0.14300.1000 windowsservercore:latest

NOTE The Invoke-WebRequest command in this example specifically uses Technical Preview 5, which was available at the time of writing. Locate the latest version that is available by using the Docker website before using this command in a lab environment. The archive is not a signed installer, and dockerd.exe ends up running as a service under the LocalSystem account, so compare the downloaded file against the checksum Docker publishes for that release (Get-FileHash) before extracting it.

After the installation is complete, run the docker info command. A portion of the output is shown in Figure 4-3.

FIGURE 4-3 Docker info

The above example is broken down like this:
1. First, the Docker engine and client are downloaded from the Docker website.
2. Then, the code extracts the compressed folder into the Program Files directory.
3. The path is set as a system variable, and the service is created and started.
4. Finally, the Docker image must be tagged with the version "latest."

For installing Docker on Nano Server, the same overall process must be followed. However, Nano Server does not currently support the Invoke-WebRequest cmdlet. Therefore, you must manually download the Docker files and copy them to the Nano Server operating system. From there you can set the environment variable, create the service, and then start the service. For Nano Server, you must also enable the FPS-SMB-In-TCP firewall rule so that the files can be copied over SMB. For example:

Set-NetFirewallRule -Name FPS-SMB-In-TCP -Enabled True

Configure Docker daemon start-up options

Docker is configured by using a daemon.json file, which on Windows is read from C:\ProgramData\docker\config\daemon.json; the file does not exist until you create it.
When using Docker on Windows Server 2016, only a subset of the configuration options is available. When creating the JSON file, only the necessary configuration changes need to be included in the file. For example, to configure the Docker Engine to accept connections on port 2375, add the following to the daemon.json file:

{
    "hosts": ["tcp://0.0.0.0:2375"]
}

Be clear about what this setting does before using it outside a lab. The default on Windows is a local named pipe (npipe:////./pipe/docker_engine) that only administrators on the host can open, whereas the setting above listens unauthenticated on every interface. Anyone who can reach TCP port 2375 can start a container that mounts the host's volumes and so has administrator-equivalent control of the host. If the engine must be reachable over the network, use the TLS options (tlsverify, tlscacert, tlscert and tlskey) on port 2376, and in any case bind to a specific management address and restrict the port with Windows Firewall.

You can also configure Docker by using the sc config command. When using sc config, you are modifying the Docker Engine configuration flags directly on the Docker service. Figure 4-4 shows running the sc command to modify the docker service. For example:

sc config docker binpath= "\"C:\Program Files\docker\dockerd.exe\" --run-service -H tcp://0.0.0.0:2375"

FIGURE 4-4 Service configuration

NEED MORE REVIEW? DOCKER DAEMON
For more information on configuring the Docker daemon, visit https://msdn.microsoft.com/en-us/virtualization/windowscontainers/docker/configure_docker_daemon.

Install a base operating system

Before you can deploy a container, you must download a base operating system image. The procedure is the same whether you plan to use Server Core or Nano Server base images. Obtaining the image is accomplished by running two PowerShell cmdlets: Install-PackageProvider and Install-ContainerImage. For example:

Install-PackageProvider ContainerImage -Force
Install-ContainerImage -Name WindowsServerCore

This process might take a few minutes because it downloads the Server Core container image. After installing the image, you need to restart the Docker service. For example:

Restart-Service Docker

You can also use the docker command to download the base image. For example:

docker pull microsoft/windowsservercore

After downloading the images, you can also view the downloaded images with the docker command.
For example:

docker images

Figure 4-5 shows the results of downloading the images and how they are displayed after being downloaded.

FIGURE 4-5 Obtaining images

Tag an image

When you download an image into the repository, you must also assign a tag to the image. Tagging an image enables you to set a version on the image, which is useful if you plan to have multiple versions. Microsoft suggests that after downloading an image, you tag it as "latest." For example:

docker tag windowsservercore:10.0.14300.1000 windowsservercore:latest

A Docker tag can contain uppercase and lowercase letters, digits, underscores, periods, and dashes. However, the tag cannot start with a period or a dash, and can be up to 128 characters long. Note that latest is only a tag, not a statement about the build: it points at whichever image you last tagged that way, so scripts that must pin a specific patch level should reference the versioned tag (or the image ID) instead.

NEED MORE REVIEW? DOCKER TAG
For more information on using the Docker tag, visit https://docs.docker.com/engine/reference/commandline/tag/.

Uninstall an operating system image

As we have mentioned, most actions when using Docker can be completed by using PowerShell or the Docker daemon. To uninstall a container image from the repository, use the Uninstall-ContainerOSImage cmdlet. For example:

Uninstall-ContainerOSImage -FullName CN=Microsoft_NanoServer_10.0.14304.1003

Create Windows Server containers

You can deploy a container by using the Docker daemon. One of the first tasks you might need to do is view a list of the available container images. For example, the following command returns a list of images on Docker Hub that match the term Microsoft (the search matches names and descriptions, which is why the unrelated mono image appears; when pulling, use the microsoft/ namespace rather than trusting the search result):

docker search Microsoft

A portion of the output is included for reference:

NAME                 DESCRIPTION
microsoft/aspnet     ASP.NET is an open source server-side Web ...
microsoft/dotnet     Official images for working with .NET Core...
mono                 Mono is an open source implementation of M...
microsoft/azure-cli  Docker image for Microsoft Azure Command L...
microsoft/iis        Internet Information Services (IIS) instal...
Therefore, if you want to use the ASP.NET image, pull it with the docker command:

docker pull microsoft/aspnet

Create Hyper-V containers

Windows Server containers and Hyper-V containers are created and managed in the same way, and are functionally identical. Both types of containers also use the same container images. The difference between a Windows Server container and a Hyper-V container is the level of isolation from the host, and from other containers on that host. The first difference is that when creating the container, you specify the --isolation=hyperv parameter:

docker run -it --isolation=hyperv nanoserver cmd

To demonstrate the isolation of a Hyper-V container, assume that a Windows Server container has been deployed, and that you start a long-running ping in the container:

docker run -d windowsservercore ping localhost -t

From the host, you can use the docker command to view the process that is running the ping:

docker top windowsservercore
4369 ping

In this example, the process ID within the container is 4369. Because a Windows Server container shares the host kernel, you can also see the same process from the container host:

Get-Process -Name ping

The following output is returned:

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id  SI ProcessName
-------  ------    -----      ----- -----   ------     --  -- -----------
     67       5      820       3836 ...71     0.03   4369   3 PING

If you follow the same process when using a Hyper-V container, you receive a different end result. You can create the container and view its process by using the docker command, as before:

docker run -d --isolation=hyperv nanoserver ping -t localhost
docker top nanoserver
2371 ping

The difference appears when you try to view the process on the container host:

Get-Process -Name ping
Get-Process : Cannot find a process with the name "ping". Verify the process name and call the cmdlet again.
At line:1 char:1
+ Get-Process -Name ping
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ping:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

The difference is in the process name. With a Hyper-V container, the container's processes run inside a utility virtual machine that is hosted by the vmwp process. The vmwp process is the virtual machine worker process on the host, and it isolates the container's processes from the host operating system, so they are not visible as individual host processes:

Get-Process -Name vmwp

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id  SI ProcessName
-------  ------    -----      ----- -----   ------     --  -- -----------
   1737      15    39452      19620 ...61     5.55   2376   0 vmwp

Skill 4.2: Manage Windows Containers

In this section, we outline how to manage containers after they have been deployed. This includes using the docker command to manage images, as well as using Windows PowerShell. We also cover configuring port mapping and networking options for use with Windows Containers.

This section covers how to:
■ Manage Windows or Linux containers using the Docker daemon
■ Manage Windows or Linux containers using Windows PowerShell
■ Manage container networking
■ Manage container data volumes
■ Manage Resource Control
■ Create new container images using Dockerfile
■ Manage container images using DockerHub repository for public and private scenarios
■ Manage container images using Microsoft Azure

Manage Windows or Linux containers using the Docker daemon

After you have downloaded the image type that you plan to use, you can use the docker command to identify the images that have been downloaded:

docker images

The following output is returned:

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
microsoft/aspnet    latest              accd044753c1        11 days ago         7.907 GB

You can also deploy a container by using the docker command:

docker run -d -p 80:80 microsoft/iis ping -t localhost

Creating a new image from a running container is performed by using the docker command with the commit parameter.
docker commit 475059caef8f windowsservercoreiis

Removing an image is performed by using the docker command with the rmi parameter. However, if any container still depends on the image that you are trying to remove, the command fails. The rmi parameter accepts either the image name or the ID of the image:

docker rmi windowsservercoreiis

To view the layers that an image is built from, use the history parameter:

docker history windowsservercoreiis

The following output is returned:

IMAGE               CREATED             CREATED BY          SIZE                COMMENT
2236b49aaaef        3 minutes ago       cmd                 171.2 MB
6801d964fda5        2 weeks ago                             0 B

Manage Windows or Linux containers using Windows PowerShell

As of this writing, the PowerShell for Docker module is in development. The team writing the module has adopted the Microsoft Open Source Code of Conduct, and welcomes contributions to the project in the form of bugs, suggestions, proposals, and pull requests through the GitHub repository. The project is available on GitHub at https://github.com/Microsoft/Docker-PowerShell/.

The PowerShell module for Docker is simply an alternative to the docker command-line client. You can use the module as a replacement for, or in conjunction with, the docker command. The module can target any Docker engine, running on either Windows or Linux. To compile the project, you need to obtain the .NET Core SDK, and the .NET SDKs for versions 4.5 and 4.6. The Docker endpoint that you are planning to connect to must support API version 1.24. The latest release of the module can also be downloaded from GitHub at https://github.com/Microsoft/Docker-PowerShell/releases. Download and extract the compressed folder, and then use the Import-Module cmdlet, pointing to the extracted folder. This makes the Docker cmdlets available on the computer.
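Before moving on to networking, here is an added example that returns to the daemon.json listener configured under "configure the Docker daemon" earlier in this chapter. It is not from the book or from Docker's own documentation. The book's setting, "hosts": ["tcp://0.0.0.0:2375"], exposes the engine API with no authentication, which is equivalent to handing out administrator access to the container host. The following PowerShell script writes a daemon.json that keeps the local named pipe, moves the TCP listener to 2376, requires TLS client certificates, and restricts the port at the host firewall. The certificate paths under C:\ProgramData\docker\certs.d and the management subnet 10.0.0.0/24 are assumptions; the certificates themselves are assumed to have been issued already (by an enterprise CA or openssl).

```powershell
# Added example: harden the Docker Engine API listener on a Windows Server 2016 container host.
# Assumptions (not from the book): CA, server and client certificates already exist in $CertDir,
# and management workstations live in $MgmtSubnet.
$CertDir    = 'C:\ProgramData\docker\certs.d'
$ConfigPath = 'C:\ProgramData\docker\config\daemon.json'
$MgmtSubnet = '10.0.0.0/24'

# Weak configuration from the chapter, kept here for comparison only (never written to disk):
# anyone who can reach TCP 2375 controls dockerd, and therefore the host.
$weak = @{ hosts = @('tcp://0.0.0.0:2375') }

# Hardened configuration: named pipe for on-host tooling, TLS with mandatory client certificate
# verification on the conventional TLS port 2376.
$hardened = [ordered]@{
    hosts     = @('npipe://', 'tcp://0.0.0.0:2376')
    tlsverify = $true
    tlscacert = Join-Path $CertDir 'ca.pem'
    tlscert   = Join-Path $CertDir 'server-cert.pem'
    tlskey    = Join-Path $CertDir 'server-key.pem'
}

foreach ($f in 'tlscacert', 'tlscert', 'tlskey') {
    if (-not (Test-Path $hardened[$f])) { throw "Missing certificate material: $($hardened[$f])" }
}

# Only SYSTEM and Administrators may read the private key and the daemon configuration.
foreach ($p in $hardened.tlskey, (Split-Path $ConfigPath)) {
    if (Test-Path $p) {
        icacls $p /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
    }
}

# dockerd refuses to start if 'hosts' is given both in daemon.json and as a -H flag on the service
# command line (the sc config approach from the chapter), so strip any -H flag from the service.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\docker'
if ((Get-ItemProperty $svcKey).ImagePath -match '\s-H\s') {
    Set-ItemProperty $svcKey -Name ImagePath -Value '"C:\Program Files\docker\dockerd.exe" --run-service'
}

# Write ASCII: Set-Content -Encoding UTF8 in Windows PowerShell 5 adds a BOM, which dockerd's
# JSON parser rejects.
New-Item -ItemType Directory -Force -Path (Split-Path $ConfigPath) | Out-Null
$hardened | ConvertTo-Json | Set-Content -Path $ConfigPath -Encoding Ascii

# Firewall: management subnet only on 2376, and an explicit block on the old plaintext port.
Get-NetFirewallRule -DisplayName 'Docker Engine API*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Docker Engine API (TLS 2376)' -Direction Inbound -Protocol TCP `
    -LocalPort 2376 -RemoteAddress $MgmtSubnet -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Docker Engine API (block plaintext 2375)' -Direction Inbound `
    -Protocol TCP -LocalPort 2375 -Action Block | Out-Null

Restart-Service docker

# Verification: 2375 closed, 2376 open, a client without a certificate rejected, a client with
# the client certificate accepted.
Write-Host ('2375 listening: ' + (Test-NetConnection -ComputerName localhost -Port 2375 -InformationLevel Quiet))
Write-Host ('2376 listening: ' + (Test-NetConnection -ComputerName localhost -Port 2376 -InformationLevel Quiet))
docker -H tcp://localhost:2376 version 2>&1 | Select-Object -First 1   # expected to fail: no client cert
docker -H tcp://localhost:2376 --tlsverify --tlscacert "$CertDir\ca.pem" `
    --tlscert "$CertDir\client-cert.pem" --tlskey "$CertDir\client-key.pem" version
```

Run the script in an elevated PowerShell session on the container host. The firewall rules are defence in depth: TLS client authentication is what actually stops an unauthorised caller, and the named-pipe entry means local tooling keeps working without touching the TCP listener at all.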
Manage container networking

Container networks are similar to virtual networks in Hyper-V. Each container has a virtual network adapter that is connected to a virtual switch. To enforce isolation between containers that are running on the same host, a network compartment is created for each container. Windows Server containers use host vNICs to attach to the virtual switch, while Hyper-V containers use a synthetic VM NIC to attach to the virtual switch. Containers support four different networking modes:

■ Network Address Translation (NAT) Each container receives an IP address from a private address pool. Port forwarding or mapping can be configured to transmit data from the host to the container.
■ Transparent Each container endpoint has a direct connection to the physical network that the host is using. The IP address range that is being used on the physical network can be used on the container, either as a static address or dynamically assigned.
■ L2 Bridge Each container endpoint is in the same subnet as the host that is running it. The container IP address is assigned statically from the same prefix as the host. All container endpoints on the host use the same MAC address.
■ L2 Tunnel This mode should only be used in a Microsoft Cloud Stack.

By default, the Docker engine creates a NAT network when the Docker service runs for the first time. The default network prefix is 172.16.0.0/12. You can customize the prefix by modifying the daemon.json configuration file. The endpoints in the container are attached to this network and assigned an IP address from the private range. Table 4-1 outlines connections for a single-host environment.
TABLE 4-1 Single host connection types

Network mode | Container to container                  | Container to external
NAT          | Connects using Hyper-V Virtual Switch   | Routed through WinNAT with address translation
Transparent  | Connects using Hyper-V Virtual Switch   | Direct access to physical network
L2 Bridge    | Connects through Hyper-V Virtual Switch | Access to physical network by using MAC address translation

Additionally, Table 4-2 outlines the connections for a multi-host environment.

TABLE 4-2 Multi-host connection types

Network mode | Container to container                                                                  | Container to external
NAT          | References external container host IP and port, routed through WinNAT with translations | References external container host IP and port, routed through WinNAT with translations
Transparent  | Directly references container IP endpoint                                               | Direct access to physical network
L2 Bridge    | Directly references container IP endpoint                                               | Access to physical network by using MAC address translation

NAT networks

By default, when an endpoint is created, it connects to the NAT network. To specify the network that a container should attach to, use the --network parameter:

docker run -it --network=NatNetwork <image>

To access any applications that run within a container, you need to map the ports from the host to the endpoint:

docker run -it -p 80:80 <image>
docker run -it -p 8082:80 windowsservercore cmd

The first command creates a port map between TCP port 80 on the host and TCP port 80 of the container endpoint. The second command uses port 8082 on the host, and forwards it to port 80 of the endpoint. A published port is reachable by anything that can reach the host on that port, so publish only the ports that the application actually needs.

EXAM TIP
Port mapping must be configured when the endpoint is created, or while the endpoint is in a STOPPED state. You cannot modify container port mapping while the endpoint is running.

Transparent networks

To use a transparent network, you must first create the network.
docker network create -d transparent TransparentNetwork

If the container host is virtualized, and you need to use DHCP for IP address assignment, then you must also enable MAC address spoofing on the VM's network adapter. Without MAC address spoofing, the Hyper-V host blocks network traffic from the containers in the VM, because each container endpoint on a transparent network presents its own MAC address behind the VM's adapter:

Get-VMNetworkAdapter -VMName ContainerHost | Set-VMNetworkAdapter -MacAddressSpoofing On

L2 Bridge networks

To use an L2 Bridge network, you must create a container network that uses the driver named l2bridge. The subnet and gateway for the network must also be specified when creating the object:

docker network create -d l2bridge --subnet=10.10.0.0/16 --gateway=10.10.0.1 BridgeNetwork

EXAM TIP
When using an L2 Bridge network type, only static IP addresses are supported.

Options for all network types

You can use the docker command to list the available networks:

docker network ls

The following output is returned:

NETWORK ID          NAME                DRIVER              SCOPE
0a297065f06a        nat                 nat                 local
d42516aa0250        none                null                local

To remove a network, use the network rm parameter:

docker network rm "nat"

Figure 4-6 displays the networks on a docker host.

FIGURE 4-6 Listing networks

Manage container data volumes

Data volumes are storage locations that are visible to both the container host and the container endpoint. The data in the volume can be shared between the two systems, as well as with other containers on the same host. Creating a new volume is part of the run parameter of the docker command:

docker run -it -v c:\volume1 windowsservercore cmd

By default, new data volumes are created in C:\ProgramData\Docker\Volumes on the container host. In the command, C:\Volume1 indicates the path at which the volume is accessible within the container endpoint.
After you have created a volume, to mount it to a different container, specify the source and destination paths using the same parameter:

docker run -it -v c:\source:c:\destination windowsservercore cmd

You can also pass through a single file from the container host to the endpoint. The syntax is basically the same as specifying an existing volume:

docker run -it -v c:\container-share\config.ini windowsservercore cmd

Similarly, you can also mount a full drive from the container host to the endpoint. Note that when mounting a full drive, a backslash is not included with the drive letter:

docker run -it -v d: windowsservercore cmd

Mounting a whole drive gives every process in the container read and write access to everything on it. Prefer mounting only the folder that the application needs, and append :ro to the mount to make it read-only inside the container when the application only has to read the data.

Finally, data volumes can be inherited from other endpoints by using the --volumes-from switch with the run parameter. This is useful if the applications in multiple containers are sharing the same data:

docker run -it --volumes-from Volume1 windowsservercore cmd

Manage resource control

Docker includes the ability to manage the CPU, disk I/O, network, and memory that an endpoint consumes. This ensures that you are able to manage the container host resources efficiently, and that no single container can starve the other services running on the host. By default, the CPU is divided equally among all endpoints running on a container host. To change the share that an endpoint has, use the --cpu-shares switch with the run parameter. The --cpu-shares parameter accepts a value between 1 and 10000. The default weight of all endpoints is 5000.

docker run -it --cpu-shares 2 --name dockerdemo windowsservercore cmd

NEED MORE REVIEW? CPU RESOURCES
For more information on managing CPU resources for an endpoint, visit https://docs.docker.com/engine/reference/run/#cpu-share-constraint.

Create new container images using Dockerfile

You can use Docker to automatically build images by reading the instructions that are placed in a Dockerfile.
A Dockerfile is a text document that lists the commands that you would otherwise run in the CLI to create an image manually. After creating the Dockerfile, use the build parameter of the docker command to create the image automatically:

docker build -f C:\Dockerfile .

The Docker daemon executes the instructions in the file one by one, committing a layer for each, before outputting the ID of the image that it has created.

NEED MORE REVIEW? DOCKERFILE DETAILS
For more information on Dockerfile, visit https://docs.docker.com/engine/reference/builder/.

Manage container images using Docker Hub repository for public and private scenarios

The Docker Hub is a repository that contains pre-built images. These images can be downloaded onto a host and used in a development or production environment. These images can also be used as a base for Windows container applications. To retrieve a list of the available images in the Docker Hub, use the search parameter of the docker command:

docker search *

The following output is returned:

NAME                       DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
microsoft/sample-django    Django installed in a Windows Server Core ...   1                    [OK]
microsoft/dotnet35         .NET 3.5 Runtime installed in a Windows Se...   1                    [OK]
microsoft/sample-golang    Go Programming                                                       [OK]
…

Downloading an image from the Docker Hub is the same as retrieving a base image. Use the pull parameter of the docker command:

docker pull microsoft/aspnet

The following output is returned:

Using default tag: latest
latest: Pulling from microsoft/aspnet
f9e8a4cc8f6c: Pull complete
b71a5b8be5a2: Download complete

After downloading the image, it is available when viewing the images with the docker command:

docker images

The following output is returned:

REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
microsoft/aspnet    latest              b3842ee505e5        5 hours ago         101.7 MB

To upload an image to the Docker Hub, use the push parameter of the docker command. First, you must log in with your Docker ID to access the Hub.
docker login

The following output is returned:

Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: username
Password:
Login Succeeded

docker push username/containername

The push refers to a repository [docker.io/username/containername]
4341be770beb: Pushed
fed398573696: Pushed
latest: digest: sha256:ae3a2971628c04d5df32c3bbbfc87c477bb814d5e73e2787900da13228676c4f size: 2410

Manage container images using Microsoft Azure

You can use Docker on Microsoft Azure in a few different ways:
■ Deploy container hosts using the Docker Machine Azure driver
■ Use the Docker VM Extension on Azure VMs
■ Use the Docker VM Extension with Docker Compose
■ Deploy a Docker Swarm cluster on Azure Container Services

The Azure Docker VM Extension installs and configures the Docker daemon, client, and Docker Compose on a Linux VM in Azure. This enables you to define and deploy container applications using Docker Compose and Docker Machine. Combine the extension with Azure Resource Manager, and you can create and deploy templates for almost all aspects of your Azure environment.

NEED MORE REVIEW? DOCKER VM EXTENSION
For more information on the Docker VM Extension, visit https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-dockerextension/.

Chapter summary

■ The basics of using containers to run virtualized images.
■ How to install Docker on Windows Server and Nano Server
■ How to configure the start-up options for the Docker daemon
■ Performing a base operating system install
■ Tagging an image for use with containers
■ Creating containers for both Windows Server and Hyper-V
■ Managing containers using the Docker daemon and Windows PowerShell
■ Creating NAT, Transparent, and L2 Bridge networks for containers
■ Creating and managing data volumes for use by multiple container endpoints
■ Managing container host resources using Resource Control
■ Automating the build process for an image using Dockerfile
■ Using the Azure VM Extension with Docker

Thought Experiment

A company is testing containers and images in their development environment. They have installed the Docker engine on a Windows Server host, and deployed a container from a base image connected to the default network. The company would like the containers to connect directly to the physical network. They also plan to automate the creation of future images and store them in the Docker Hub. Using this information, answer the following questions:

1. What should be modified to configure the Docker daemon startup options?
2. Which network is the container that has been deployed connected to?
3. What type of network must the company create to achieve the goal?
4. What type of file does the Dockerfile need to be?
5. Which docker command is used to store images in the Docker Hub repository?

Thought Experiment Answers

1. The daemon.json configuration file should be created or modified to change the startup options of the Docker daemon.
2. By default, containers connect to the default NAT network.
3. A transparent network must be created to enable the containers to connect directly to the physical network.
4. The Dockerfile is a plain-text file that contains the instructions used to build an image.
5. The docker push command uploads the specified image to the Docker Hub after you have logged in to the service.
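As an added, end-to-end example that is not part of the book, the following PowerShell session ties together the Dockerfile, data volume, NAT port mapping, resource control and Hyper-V isolation topics of Skill 4.2. It builds an IIS image from a Dockerfile, runs it as a Hyper-V container with a read-only bind mount for the site content, publishes container port 80 on host port 8082, caps its memory and CPU weight, and then checks the isolation mode, the read-only mount and the HTTP response. The working directory C:\demo, the image name webdemo, the container name web and the site content are assumptions made for this example; it expects microsoft/windowsservercore to have been pulled already, as shown earlier in the chapter.

```powershell
# Added example (not from the book): build, run and check an IIS container on Windows Server 2016.
# Assumed names and paths: C:\demo, image webdemo:1.0, container web, site content in C:\demo\site.
$Work = 'C:\demo'
New-Item -ItemType Directory -Force -Path "$Work\site" | Out-Null

# Site content lives on the host and is mounted read-only, so a compromised web process cannot
# tamper with it. index.html is one of IIS's default documents.
Set-Content -Path "$Work\site\index.html" -Encoding Ascii `
    -Value '<html><body>hello from a Windows container</body></html>'

# The Dockerfile: IIS on Server Core and the entry point used throughout the chapter (a
# long-running ping) to keep the container alive. Written as ASCII so docker build accepts it.
$dockerfile = @'
FROM microsoft/windowsservercore
RUN powershell -Command Add-WindowsFeature Web-Server
EXPOSE 80
CMD ["ping", "-t", "localhost"]
'@
Set-Content -Path "$Work\Dockerfile" -Encoding Ascii -Value $dockerfile

# Each instruction becomes a committed layer; the resulting image is tagged 1.0 and latest.
docker build -t webdemo:1.0 -f "$Work\Dockerfile" $Work
if ($LASTEXITCODE -ne 0) { throw 'docker build failed' }
docker tag webdemo:1.0 webdemo:latest

# Run it:
#  --isolation=hyperv        kernel-isolated (utility VM) instead of a shared host kernel
#  -p 8082:80                host TCP 8082 -> container TCP 80 on the default nat network
#  -v ...:ro                 bind mount of the site content, read-only inside the container
#  --memory / --cpu-shares   resource controls so this container cannot starve the host
docker rm -f web 2>$null
docker run -d --name web --isolation=hyperv -p 8082:80 `
    -v "$Work\site:C:\inetpub\wwwroot:ro" `
    --memory 1g --cpu-shares 2000 `
    webdemo:1.0

# Confirm the isolation mode that was actually applied, and that the container's ping is not
# visible as a host process (it would be for a Windows Server container).
$isolation = docker inspect -f '{{.HostConfig.Isolation}}' web
Write-Host "Isolation: $isolation"
Write-Host ('PING visible on host: ' + [bool](Get-Process -Name PING -ErrorAction SilentlyContinue))

# On Windows Server 2016, a NAT port mapping is not reachable from the host itself via localhost;
# test against the container's IP (or from another machine against <host>:8082).
$ip = docker inspect -f '{{.NetworkSettings.Networks.nat.IPAddress}}' web
$response = Invoke-WebRequest -UseBasicParsing -Uri "http://$ip/"
Write-Host "HTTP $($response.StatusCode) from $ip"

# Prove the read-only mount: a write from inside the container must fail (non-zero exit code).
docker exec web cmd /c "echo owned > C:\inetpub\wwwroot\index.html"
Write-Host "Write to read-only mount exit code: $LASTEXITCODE (non-zero expected)"

# Tear down. docker rmi fails while a container still uses the image, so remove the container first.
docker rm -f web
docker rmi webdemo:latest webdemo:1.0
```

Run the script from an elevated PowerShell prompt on the container host. The Hyper-V isolation check and the failed write are the two results worth keeping as acceptance tests when you automate container deployments: they show the container is running under the isolation you asked for and with no more access to host storage than you intended.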
CHAPTER 5 Implement high availability

This chapter covers a major component of the upgrade exam. In addition to several skills being covered, there are many new features that have been introduced or enhanced that we discuss in this chapter. These features include:
■ Cluster Operating System Rolling Upgrade
■ Storage Replica
■ Cloud witness
■ Virtual machine resiliency
■ Site-aware clusters
■ Workgroup and multi-domain clusters
■ Virtual machine node fairness
■ Virtual machine start order

In addition to these topics, we also cover other details of high availability using Hyper-V, failover clustering, and Storage Spaces Direct.

Skills in this chapter:
■ Implement high availability and disaster recovery options in Hyper-V
■ Implement failover clustering
■ Implement Storage Spaces Direct
■ Manage failover clustering
■ Manage VM movement in clustered nodes

Skill 5.1: Implement high availability and disaster recovery options in Hyper-V

This section explains the basic high availability and disaster recovery options that are available in Hyper-V. These options do not require any additional management components or failover clusters. Hyper-V has built-in redundancy and failover options.

This section covers how to:
■ Implement Hyper-V replica
■ Implement Live Migration
■ Implement shared-nothing Live Migration
■ Configure CredSSP or Kerberos authentication protocol for Live Migration
■ Implement storage migration

Implement Hyper-V replica

Hyper-V Replica enables you to replicate virtual machines on one Hyper-V host to another host, either in the same physical location or in a different location. The replication traffic can also be authenticated and encrypted by using certificates. The certificate that is used can be a locally generated self-signed certificate, or one supplied by a Certification Authority (CA). Windows Server 2012 R2 introduced extended replication, which enables you to replicate a virtual machine to multiple sites.
For example, you can replicate the VM to a secondary failover site as well as to an extended third site. There are a few additional considerations to be aware of when using an extended replica:
■ You cannot use application-consistent replication.
■ You can fail over to the third site if necessary.
■ You can run a test failover to either site without disruption.

A failover with Hyper-V Replica is not an automatic process. There are three different types of failover that you can perform:
■ Test failover You can test whether the replicated VM can start in the second or third site. This process creates a duplicate VM that is started during the test. The VM in the production environment is not affected. When you complete the test failover, the duplicate VM is deleted.
■ Planned failover This method enables you to fail over during planned maintenance or downtime for specific sites. To perform a planned failover, the source VM must first be powered off. Replication still occurs after the failover, but from the secondary site to the original primary. This ensures that both sites still maintain synchronized data.
■ Unplanned failover When an unexpected outage occurs, you can perform an unplanned failover. This type of failover should only be used if the source VM fails and must be started in a secondary site. If recovery history is used, you can also recover to a previous recovery point.

Configuring Hyper-V Replica is a multi-step process that requires planning from networking, storage, and server management aspects. The general steps to successfully implementing Hyper-V Replica include:

1. Set up the Hyper-V servers This includes the primary source server and at least one replication destination. Additional components that might need to be configured include networking and storage.
2. Set up the replication Enable both Hyper-V servers to be members of the replica.
This ensures that replication can occur both from the primary to the secondary, and from the secondary to the primary in the event of a failover.
3. Test the deployment Conduct a test failover after all VM settings have been configured. This ensures that the communication and replication are ready for production. As part of the test, ensure that the duplicate VM is created on the replica.
4. Run a planned failover Run a planned failover to complete the process of moving the active VM from the primary to the secondary replica. This might be necessary during planned maintenance or downtime events. A planned failover can also be performed to confirm that the replica can take over before an unplanned failover is ever needed.
5. Respond to an unplanned failover Unplanned failovers do not automatically transfer a VM if the primary VM is unavailable. You must manually fail over the VM to the secondary replica.
6. Set up extended replication Configuring an extended replica provides another level of failover by using a third replica site. You can use the third site simply as another replica location, or move workloads to specific servers in the event of a planned or unplanned failover.

NEED MORE REVIEW?
For details and instructions for each step of the process of deploying Hyper-V Replica, visit https://technet.microsoft.com/library/jj134207.aspx.

Implement Live Migration

Live Migration is the ability to move a running VM, or its storage, to another Hyper-V host with no perceived downtime; since Windows Server 2012 it no longer requires a failover cluster. Moving a VM or its storage can be performed from Hyper-V Manager or from Windows PowerShell.

To perform a live migration, first enable it in the settings of the Hyper-V host. To enable live migrations, the host must be a domain member. Live migration is not available between Hyper-V hosts in a workgroup. Figure 5-1 shows the settings from Hyper-V Manager.
FIGURE 5-1 Live Migration settings

The first step to perform the migration using Hyper-V Manager is to right-click the VM you plan to migrate, and then click Move. The Move Wizard is displayed, as shown in Figure 5-2. The first option is whether to move the virtual machine, or to move only the storage of the virtual machine. In this section, we move the virtual machine.

FIGURE 5-2 Move Wizard choose move type

You are then prompted to specify the destination for the move. This can be any other Hyper-V host that you have permission to administer. Figure 5-3 shows specifying the destination host.

FIGURE 5-3 Move Wizard specify destination

You are then prompted for additional details of the migration type. The available options during a VM migration are shown in Figure 5-4:
■ Move The Virtual Machine's Data To A Single Location This option moves all VM files, including disks, snapshots, and configuration information, to a single specified location.
■ Move The Virtual Machine's Data By Selecting Where To Move The Items This option presents additional options for moving the storage of the VM, which we discuss in a later section.
■ Move Only The Virtual Machine This option moves only the running configuration of the VM, but not the storage. The storage of the VM must be shared between the source and destination Hyper-V hosts.

FIGURE 5-4 Move Wizard choose move options

If you select to move only the virtual machine, then no additional options are displayed and you complete the wizard. If you plan to move all of the VM files to a single location, one additional screen is displayed, prompting you for the destination directory to store the VM and its files. Figure 5-5 shows specifying the destination directory.
FIGURE 5-5 Move Wizard virtual machine

You can also move a VM by using Windows PowerShell and the Move-VM cmdlet. For example, to move a VM named VM1 to a Hyper-V server named Host2, run the following command:

Move-VM "VM1" Host2

You must also configure the networks that the live migration service is allowed to use, which is accomplished by using the Set-VMHost cmdlet. For example, to allow any network:

Set-VMHost -UseAnyNetworkForMigration $true

Allowing any network means that the VM's memory may travel over whichever network path is available; in production, prefer a dedicated, isolated migration network.

Implement shared nothing Live Migration

A "shared nothing" migration is the ability to migrate a VM between hosts that do not share storage and are not members of a failover cluster. By default, a migration using the Move Wizard as discussed completes even if the Hyper-V hosts do not share the same storage. One additional consideration when migrating VMs is processor compatibility. If you need to migrate a VM between Hyper-V hosts whose processors do not share the same feature set, you can limit the processor features exposed to the VM to ensure that a migration can occur. For example, if you need to move a VM between hosts with different generations of the same vendor's processors, you should enable processor compatibility before completing the migration. Note that compatibility mode does not allow a live migration between an Intel-based and an AMD-based host; such a move requires the VM to be shut down first. These settings are per-VM, within the Processor tree, as shown in Figure 5-6.

FIGURE 5-6 Processor compatibility

Configure CredSSP or Kerberos authentication protocol for Live Migration

With Windows Server 2016, Hyper-V Manager communicates with the hosts by using the WS-MAN protocol. This enables using Credential Security Support Provider (CredSSP), Kerberos, or NTLM authentication. CredSSP is the default method of authentication for live migrations, and does not require constrained delegation to be enabled in Active Directory. It does, however, require you to sign in to the source host itself (at the console or through Remote Desktop) to start the migration, because CredSSP delegates your credentials to the destination host. Kerberos removes that restriction, at the cost of configuring constrained delegation for every host. Figure 5-7 shows the advanced features of configuring Live Migration, including CredSSP.
FIGURE 5-7 Live Migration advanced settings

Enabling Kerberos can also be performed from PowerShell by using the Set-VMHost cmdlet. For example:

Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

You can also enhance the performance of a live migration by configuring additional options. These include:
■ TCP/IP With this option, the memory of the VM is transferred during the migration by using the available network over a typical TCP/IP connection.
■ Compression With this option, the memory of the VM is first compressed before being sent to the destination by using a TCP/IP connection.
■ SMB With this option, the memory of the VM is copied to the destination by using an SMB connection. If both the source and destination network adapters support Remote Direct Memory Access (RDMA), then SMB Direct is used for the copy.

If you plan to use Kerberos as the authentication protocol, then you must also configure constrained delegation within Active Directory for each Hyper-V host. Constrained delegation is enabled by modifying the computer object properties for the host in Active Directory. For each host in the environment, add two services that refer to the other Hyper-V hosts in the environment: cifs and Microsoft Virtual System Migration Service. For example, if you had four Hyper-V hosts named Host1 through Host4, then the delegation settings on Host1 must contain each service for Host2, Host3, and Host4. Figure 5-8 shows adding these two services on the Host02 computer object, specifying Host01 for each service.

FIGURE 5-8 Host02 Delegation properties

Implement storage migration

Performing a migration from Hyper-V Manager is as simple as right-clicking a VM, and then selecting Move. The Move Wizard is displayed, walking you through the available options to move the VM or VM storage, based on what is available.
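The two host-to-host paths described in Skill 5.1 both have an authentication choice attached: Hyper-V Replica can run over HTTP with Kerberos or over HTTPS with certificates, and Live Migration can use CredSSP or Kerberos with constrained delegation. The following PowerShell, added here as an example and not taken from the book or from Microsoft's documentation, configures the stricter option in both cases: Kerberos-only constrained delegation for every host pair plus a dedicated migration subnet, and certificate-authenticated replication that accepts only the named primary server. The domain contoso.com, hosts HOST01 to HOST03, migration subnet 10.0.1.0/24, VM1, the replica path D:\Replica and the certificate thumbprint are assumptions; the Hyper-V and ActiveDirectory (RSAT) modules and domain administrator rights are required.

```powershell
# Added example (not from the book). Two functions:
#  1. Set-LiveMigrationKerberos : Kerberos + constrained delegation instead of CredSSP, SMB transport,
#                                 migration traffic pinned to one subnet rather than any network.
#  2. Enable-CertificateReplica : Hyper-V Replica over HTTPS/443 with certificate authentication.
# Assumed names throughout: contoso.com, HOST01..HOST03, 10.0.1.0/24, VM1, D:\Replica, a thumbprint.

function Set-LiveMigrationKerberos {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,            # short computer names
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$MigrationSubnet
    )
    foreach ($source in $Hosts) {
        # Each host may delegate (Kerberos only) to the cifs and Microsoft Virtual System Migration
        # Service SPNs of every OTHER host, matching the delegation tab shown in the chapter.
        $spns = foreach ($target in $Hosts | Where-Object { $_ -ne $source }) {
            foreach ($svc in 'cifs', 'Microsoft Virtual System Migration Service') {
                "$svc/$target.$Domain"
                "$svc/$target"
            }
        }
        Set-ADComputer -Identity $source -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$spns }
        # "Use Kerberos only": no unconstrained delegation and no protocol transition.
        Set-ADAccountControl -Identity "$source$" -TrustedForDelegation $false -TrustedToAuthForDelegation $false

        Invoke-Command -ComputerName "$source.$Domain" -ArgumentList $MigrationSubnet -ScriptBlock {
            param($subnet)
            Enable-VMMigration
            Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
                       -VirtualMachineMigrationPerformanceOption SMB `
                       -UseAnyNetworkForMigration $false
            # Dedicated migration network: VM memory is not encrypted in transit by default.
            if (-not (Get-VMMigrationNetwork | Where-Object Subnet -eq $subnet)) {
                Add-VMMigrationNetwork -Subnet $subnet
            }
        }
    }
}

function Enable-CertificateReplica {
    param(
        [Parameter(Mandatory)][string]$PrimaryHost,        # FQDN
        [Parameter(Mandatory)][string]$ReplicaHost,        # FQDN
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Thumbprint,         # server-auth certificate installed on BOTH hosts
        [string]$ReplicaStorage = 'D:\Replica'
    )
    # Replica side: certificate auth on 443, and only the named primary is authorised (no "any server").
    Invoke-Command -ComputerName $ReplicaHost -ArgumentList $PrimaryHost, $Thumbprint, $ReplicaStorage -ScriptBlock {
        param($primary, $thumb, $storage)
        Set-VMReplicationServer -ReplicationEnabled $true `
            -AllowedAuthenticationType Certificate -CertificateThumbprint $thumb `
            -CertificateAuthenticationPort 443 -ReplicationAllowedFromAnyServer $false
        New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $primary `
            -ReplicaStorageLocation $storage -TrustGroup 'Production'
        Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'
    }
    # Primary side: prove connectivity and authentication first, then enable with recovery history.
    Invoke-Command -ComputerName $PrimaryHost -ArgumentList $ReplicaHost, $Thumbprint, $VMName -ScriptBlock {
        param($replica, $thumb, $vm)
        Test-VMReplicationConnection -ReplicaServerName $replica -ReplicaServerPort 443 `
            -AuthenticationType Certificate -CertificateThumbprint $thumb
        Enable-VMReplication -VMName $vm -ReplicaServerName $replica -ReplicaServerPort 443 `
            -AuthenticationType Certificate -CertificateThumbprint $thumb `
            -ReplicationFrequencySec 300 -RecoveryHistory 4
        Start-VMInitialReplication -VMName $vm
        Get-VMReplication -VMName $vm | Select-Object VMName, State, Mode, ReplicaServer, AuthType
    }
}

# Usage (assumed values):
Set-LiveMigrationKerberos -Hosts 'HOST01', 'HOST02', 'HOST03' -Domain 'contoso.com' -MigrationSubnet '10.0.1.0/24'
Enable-CertificateReplica -PrimaryHost 'host01.contoso.com' -ReplicaHost 'host02.contoso.com' `
    -VMName 'VM1' -Thumbprint 'AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00'
```

Test-VMReplicationConnection is the check to keep: it exercises the firewall rule, the certificate and the authorization entry together before any VM data moves, so a misconfiguration shows up as a clear error rather than as a replica that silently never becomes healthy. After the initial replication completes, run a test failover as the chapter describes before relying on the replica.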
Figure 5-9 shows the second screen of the Move Wizard.

FIGURE 5-9 Move Wizard move type selection

When moving the storage of a virtual machine, there are a few different options in the wizard, as shown in Figure 5-10:
■ Move All Of The Virtual Machine's Data To A Single Location This option moves all VM data, regardless of its current location, to a single destination.
■ Move The Virtual Machine's Data To Different Locations This option enables you to first select which items you plan to move, and then specify the destination for each item. Items include the VHD files, configuration files, checkpoints, and smart paging files.
■ Move Only The Virtual Machine's Virtual Hard Disks This option enables you to move only the VHDs that are being used by the VM.

FIGURE 5-10 Move Wizard choose move options

Depending on the option you select, the wizard automatically prompts for additional information. For example, choosing Move The Virtual Machine's Data To Different Locations adds a new page in the wizard for each configuration item. Figure 5-11 shows an example of specifying the destination for the VM.

FIGURE 5-11 Move Wizard virtual machine

Moving a VM's storage can also be accomplished by using the Move-VM cmdlet. For example, to move a VM named VM1 to Host02 and place its files in the E:\VMs directory, run the following command:

Move-VM "VM1" Host02 -IncludeStorage -DestinationStoragePath E:\VMs

Skill 5.2: Implement failover clustering

In this section, we discuss several skills that are involved or need to be considered when creating a failover cluster. This includes the type of cluster to implement, and cluster details such as quorum, networking, or storage.
We also cover cluster management features including Cluster-Aware Updating and Cluster Operating System Rolling Upgrade. Finally, we discuss features that can be used to augment failover clusters, such as CSVs, Storage Replica, and virtualized clusters.

This section covers how to:
■ Implement Workgroup, Single, and Multi-Domain clusters
■ Configure quorum and implement Cloud Witness
■ Configure cluster networking
■ Restore single node or cluster configuration
■ Configure cluster storage
■ Implement Cluster-Aware Updating
■ Implement Cluster Operating System Rolling Upgrade
■ Configure and optimize Clustered Shared Volumes
■ Configure clusters without network names
■ Implement Scale-Out File Server
■ Determine different scenarios for the use of SoFS versus the Clustered File Server
■ Determine usage scenarios for implementing guest clustering
■ Implement a Clustered Storage Spaces solution using Shared SAS storage enclosures
■ Implement Storage Replica
■ Implement VM resiliency
■ Implement shared VHDX as a storage solution for guest clusters

Implement workgroup, single, and multi-domain clusters

In previous versions of Windows Server, the nodes within a cluster had to be in the same domain. With Windows Server 2016, cluster nodes can span different domains, or be members of a workgroup. The traditional method of having all cluster nodes in the same domain is a single-domain cluster. For the purposes of this section, we focus primarily on workgroup and multi-domain clusters. Because there is no common Active Directory domain, the nodes of these clusters authenticate to each other with NTLM rather than Kerberos, which limits the roles they can host: SQL Server (with SQL authentication) and file servers are supported, while Hyper-V live migration is not supported in a workgroup or multi-domain cluster (quick migration is).

There are a few prerequisites for implementing workgroup or multi-domain clusters:
■ A local user account must be created on all nodes.
■ The user account must have the same name and password on each node.
■ The user account must be a member of the local Administrators group.
■ Each node must have a primary DNS suffix configured.
■ The LocalAccountTokenFilterPolicy registry value at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System must be created as a DWORD and set to 1. This disables UAC remote token filtering for local accounts, which is exactly what makes a shared local administrator usable for lateral movement, so give that account a long password unique to the cluster and use it for nothing else.
■ When the cluster is created, it must be created as an Active Directory-detached cluster.
■ The administrative access point must be set to DNS.

The first step to creating a failover cluster of any type is to install the Failover Clustering feature. This can be accomplished from Server Manager using the Add Roles and Features Wizard, or by using the Install-WindowsFeature cmdlet. After you have installed the feature, you can create a cluster from PowerShell or by using the Failover Cluster Manager. The first step is to select the servers that you are including in the cluster. The Failover Cluster Manager ensures that each server has the Failover Clustering feature installed, and verifies the settings on the server. Adding a server is shown in Figure 5-12.

FIGURE 5-12 Create Cluster Wizard select servers

The next step, performing validation, is optional but strongly recommended: a cluster that has not passed validation is not in a supported configuration. Validation ensures that the servers you are configuring as part of a failover cluster meet the supported requirements. If you select Yes, a separate wizard launches above the Create Cluster Wizard and must be completed before returning. The validation warning is shown in Figure 5-13.

FIGURE 5-13 Create Cluster Wizard validation warning

Next, set a name for the cluster of 15 characters or fewer (the NetBIOS name limit). This is the name that is used when administering the cluster, as shown in Figure 5-14.

FIGURE 5-14 Create Cluster Wizard administration access point

Finally, the confirmation screen details the settings for the cluster. Notice in Figure 5-15 that the cluster registration is set to DNS only. This indicates that the cluster is not a member of an Active Directory domain, and is a workgroup cluster.
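The prerequisites and the creation of a workgroup cluster described above, as one script. This is an added example and not the book's code; the node names, local account name, DNS suffix and cluster IP address are assumptions. The first part is pushed to every node with PowerShell remoting (the nodes must be in the workstation's TrustedHosts list, and each node needs a restart for the DNS suffix to take effect); the last part is run on one of the nodes while logged on as the shared local account, because there is no domain account to create the cluster with.

```powershell
# Added example (not from the book): prerequisites and creation of a two-node
# workgroup cluster. Node names, account name, DNS suffix and cluster IP are
# assumptions; the shared password is prompted for once.
$Nodes      = 'WGNode1', 'WGNode2'          # assumed node names
$DnsSuffix  = 'lab.local'                   # assumed primary DNS suffix
$ClusterIP  = '10.0.0.20'                   # assumed static cluster IP
$Credential = Get-Credential -UserName 'ClusterAdmin' -Message 'Same password on every node'

# Part 1, on every node: identical local admin account, primary DNS suffix,
# LocalAccountTokenFilterPolicy=1, and the Failover Clustering feature.
Invoke-Command -ComputerName $Nodes -ArgumentList $Credential, $DnsSuffix -ScriptBlock {
    param($Cred, $Suffix)

    # Same name and password on each node (workgroup cluster requirement).
    if (-not (Get-LocalUser -Name $Cred.UserName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Cred.UserName -Password $Cred.Password -PasswordNeverExpires | Out-Null
    } else {
        Set-LocalUser -Name $Cred.UserName -Password $Cred.Password
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $Cred.UserName -ErrorAction SilentlyContinue

    # Primary DNS suffix: the cluster name is registered in DNS only, so every
    # node needs one. Takes effect after a restart.
    $Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    Set-ItemProperty -Path $Tcpip -Name 'NV Domain' -Value $Suffix
    Set-ItemProperty -Path $Tcpip -Name 'Domain'    -Value $Suffix

    # Remote UAC token filtering off for local accounts. This is the setting
    # that makes the shared local admin usable from other nodes, so the account
    # must be dedicated to the cluster and not reused elsewhere.
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                     -Name 'LocalAccountTokenFilterPolicy' -PropertyType DWord -Value 1 -Force | Out-Null

    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools | Out-Null
}

# Part 2, run on one node as the shared local account after the restarts.
# Validate first and read the report; a cluster that fails validation is unsupported.
Test-Cluster -Node $Nodes

# AD-detached, DNS administrative access point, no shared storage claimed.
New-Cluster -Name 'WGCluster1' -Node $Nodes -StaticAddress $ClusterIP `
            -AdministrativeAccessPoint Dns -NoStorage

# A file share witness is not supported for a workgroup cluster in Windows Server 2016,
# so without shared storage for a disk witness use a cloud witness (next section).
# Storage account name and key below are placeholders, not real values.
Set-ClusterQuorum -Cluster 'WGCluster1' -CloudWitness `
                  -AccountName '<storage-account-name>' -AccessKey '<storage-account-key>'
```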
FIGURE 5-15 Create Cluster Wizard confirmation

Configure quorum and configure cloud witness

The latest recommendation from Microsoft is to always configure a quorum witness, regardless of how many nodes exist in the cluster. With Dynamic Quorum, and the dynamic witness it includes, the cluster automatically adjusts the witness vote so that the total number of votes stays odd. There are three types of quorum witness available when configuring a failover cluster:

■ Disk Witness This was previously known as Node and Disk Majority. A disk witness uses a small clustered storage volume to decide quorum.
■ File Share Witness This was previously known as Node and File Share Majority. A file share witness uses a UNC path to an SMB file share to decide quorum. The file share must not be used by the cluster for anything else.
■ Cloud Witness This is new for Windows Server 2016. A cloud witness uses Azure Blob storage to decide quorum.

This section focuses primarily on using a cloud witness. With a cloud witness, a blob file is created in the blob storage of an Azure storage account. There is very little cost associated with using a cloud witness, as the blob file is only updated when the state of the cluster changes. Figure 5-16 shows a diagram of a common multi-site failover cluster that uses a cloud witness.

FIGURE 5-16 Multi-site failover cluster with cloud witness

The four general steps to using a cloud witness for quorum are:

1. Create an Azure storage account using locally-redundant replication. It is important to select locally redundant storage, so that there is consistency for the cluster management.
2. Copy one of the storage access keys associated with the storage account. By default, each storage account generates two access keys that can be used to access the storage account. The key is necessary to connect to Azure from the on-premises cluster. Treat the key as a credential: it grants full access to the whole storage account, not just to the witness blob, so dedicate the storage account to the witness, store the key only in the cluster configuration, and rotate it (regenerate it in Azure, then re-run the quorum configuration with the new key) on the same schedule as other service credentials.
3. Copy the blob URL. There are three URLs associated with the storage account: blobs, tables, and queues. A cloud witness uses blob storage, so this is the URL that is used to connect to.
Note that the URL can vary by country or region, so be sure to document the URL for any storage account that you create.
4. Complete the quorum configuration on the cluster by using the wizard, or PowerShell. The Configure Cluster Quorum Wizard walks you through the steps to creating a cloud witness. You can also configure the cluster quorum by using the Set-ClusterQuorum cmdlet.

The Configure Cluster Quorum Wizard can be launched from the More Actions menu of the Failover Cluster Manager. To add a quorum witness, choose the Select The Quorum Witness option in the wizard, as shown in Figure 5-17.

FIGURE 5-17 Configure Cluster Quorum Wizard select quorum configuration option

Next, you are able to select the type of quorum witness to configure, as shown in Figure 5-18. Again, focus on creating a cloud witness.

FIGURE 5-18 Configure Cluster Quorum Wizard select quorum witness

The wizard prompts you for the name of the storage account that the blob container was created in, one of the access keys for the storage account, and the endpoint URL for the container. The configured details are shown in Figure 5-19.

FIGURE 5-19 Configure Cluster Quorum Wizard configure quorum witness

The configuration details that are needed are all found in the Azure portal where the storage account is configured. Figure 5-20 displays a portion of the Azure portal that contains the storage account name and access key for the container. The service endpoint is populated by default (core.windows.net for the public Azure cloud), and does not need to be changed unless the storage account lives in a sovereign cloud such as Azure Government or Azure China, which use different endpoint suffixes.

FIGURE 5-20 Storage account in Azure portal

In the above example, the storage account name is infxxxstorage1. The access key is the string that begins with the numbers 74. To configure the quorum witness by using PowerShell, use the Set-ClusterQuorum cmdlet. For example, using the same information, run the following command.
Set-ClusterQuorum -CloudWitness -AccountName infxxxstorage1 -AccessKey 74dxzkTUdxWAUbwuHm4gPoVW5XgOeG+6ivP3lthzbVPicp/NEK6ivjGdA1J0oVcUuNRfLtaeYQ6WHZSwzq3/9Q==

Because the access key is a credential for the entire storage account, a key that has been exposed in a screenshot or a document, as this one has, should be regenerated in the Azure portal and the quorum reconfigured with the new key. Figure 5-21 shows the successful result of running the command.

FIGURE 5-21 Set-ClusterQuorum command

Configure cluster networking

After configuring the cluster and adding the nodes, the Failover Cluster Manager automatically detects the networks that are available on the nodes. Figure 5-22 shows the default configuration after adding two hosts to the cluster, with each host having access to the same two networks.

FIGURE 5-22 Failover Cluster Manager Networks

Each network can be configured to either allow or prevent cluster network communication. This communication is for cluster operations such as heartbeats and CSV redirected I/O, and does not include any client traffic. For client connectivity, a network must specifically be granted client use. Figure 5-23 shows the properties of a cluster network, with both options enabled. Keeping client access off the cluster-only (heartbeat and storage) networks isolates that traffic from untrusted clients and prevents client load from delaying heartbeats. From PowerShell, the same setting is the Role property of the objects returned by Get-ClusterNetwork (0 = none, 1 = cluster only, 3 = cluster and client).

FIGURE 5-23 Cluster Network Properties

Restore single node or cluster configuration

Performing a restore on a single node in a cluster, or of the entire cluster configuration, is no different than performing a backup and restore of any service or component on a Windows Server. Windows Server Backup (or wbadmin) captures the cluster database as part of the system state, and a restore is either non-authoritative (the node rejoins and receives the current configuration from the other nodes) or authoritative (the restored configuration is pushed to the whole cluster, which is stopped while that happens). Combining a failover cluster and Windows Backup scenario for an item on the exam seems unlikely, but you can prepare by understanding the default backup options within Windows Server 2016.

Configure cluster storage and implement a Clustered Storage Spaces solution using Shared SAS storage enclosures

There are three different types of storage that can be configured with failover clustering:

■ Disks Disks that are shared between nodes can be added to a Cluster Shared Volume or assigned to a specific failover cluster role.
■ Pools Groups of disks that are combined logically to create a single volume.
Clustered pools use the underlying Storage Spaces technology to create a virtual disk from the group of physical disks that the nodes share.
■ Enclosures Direct-attached disk chassis that contain multiple physical disks.

You should validate the configuration of the cluster before attempting to configure storage. This ensures that the cluster is configured correctly and can support clustered storage across all nodes. As an example, we create a storage pool for the cluster. From the Failover Cluster Manager on the Pools screen, click New Storage Pool. Figure 5-24 shows the New Storage Pool Wizard.

FIGURE 5-24 New Storage Pool Wizard storage pool name

Then, you are prompted to select the disks to use for the storage pool. You need at least three physical disks, visible to every node, to create a storage pool for use with failover clustering. Figure 5-25 shows the available disks for the storage pool.

FIGURE 5-25 New Storage Pool Wizard physical disks

Implement Cluster-Aware Updating

Cluster-Aware Updating (CAU) was introduced in Windows Server 2012 to reduce the effort and difficulty of performing software updates on cluster nodes. CAU has not been updated significantly for Windows Server 2016. To use CAU, the cluster must be joined to an Active Directory domain. CAU is not available on workgroup clusters. Installing Windows updates typically requires a system reboot after the update is applied. CAU automates the process of updating every node in a cluster: it drains each node in turn, installs the updates, restarts the node, and brings the roles back before moving to the next node, so the cluster as a whole stays online. Figure 5-26 shows the CAU tool for a cluster named WGCluster1. Neither node in the cluster has been updated.

FIGURE 5-26 Cluster-Aware Updating

CAU can run in one of two modes. In remote-updating mode, an administrator starts an updating run from a separate update coordinator computer (for example with the Invoke-CauRun cmdlet), and no change to the cluster is required. In self-updating mode, the CAU clustered role is added to the cluster and the cluster updates itself on a schedule. To enable self-updating, configure the self-updating options from the CAU screen. Figure 5-27 shows the first configuration screen of the self-updating options wizard.
FIGURE 5-27 Self-Updating Options cluster role

After selecting the option to enable the role, you can configure the schedule for the self-updating process. Then you can configure advanced options for the cluster. The advanced options enable you to configure time boundaries, retry limits, and pre-update and post-update scripts that must also run when updating. Figure 5-28 shows a portion of the advanced options that are available.

FIGURE 5-28 Self-Updating Options advanced options

By default, only important updates are installed by the CAU tool. An additional option is to also include the recommended updates on the cluster. After applying the self-updating options, the cluster can be updated by using CAU.

Implement Cluster Operating System Rolling Upgrade

Cluster Operating System Rolling Upgrade is a new feature in failover clustering for Windows Server 2016. If a Windows Server 2012 R2 failover cluster is running the Hyper-V or Scale-Out File Server roles, you can add Windows Server 2016 nodes without taking the failover cluster offline. For each node in the cluster, follow the process to upgrade the operating system in the correct phase. This ensures that the cluster does not require downtime to complete the upgrade. The overall steps to perform the upgrade are:

1. Pause the node and drain its roles, live migrating any virtual machines to other nodes.
2. Ensure that all virtual machines have been migrated to another node in the cluster.
3. Evict the node from the cluster.
4. Install Windows Server 2016 on the node and add it back to the cluster.
5. Repeat steps 1-4 for each node in the cluster.
6. After all nodes have been upgraded, run the Update-ClusterFunctionalLevel cmdlet.

Until the Update-ClusterFunctionalLevel cmdlet is run, the cluster operates in mixed mode and the process can be suspended or reversed.
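The six steps above as one per-node loop, with the checks a practitioner wants before committing the functional level. This is an added example, not the book's code; the cluster and node names are assumptions, the reinstall itself (step 4) happens out of band so the script waits at that point, and it is meant to be run from a node that is already on Windows Server 2016 or from a workstation with the 2016 failover clustering tools, since the 2012 R2 cmdlets do not include Update-ClusterFunctionalLevel.

```powershell
# Added example (not from the book): the per-node loop of a Cluster OS Rolling
# Upgrade. Cluster and node names are assumptions; the clean install of
# Windows Server 2016 on each node is done out of band.
$Cluster = 'HVCluster1'                       # assumed cluster name
$Nodes   = (Get-ClusterNode -Cluster $Cluster).Name

# Rolling upgrade and CAU must not run at the same time: disable self-updating first.
if (Get-CauClusterRole -ClusterName $Cluster -ErrorAction SilentlyContinue) {
    Disable-CauClusterRole -ClusterName $Cluster -Force
}

foreach ($Node in $Nodes) {
    # Step 1: pause and drain; -Drain live migrates VMs and moves other roles away.
    Suspend-ClusterNode -Cluster $Cluster -Name $Node -Drain -Wait

    # Step 2: refuse to continue if anything is still owned by the node.
    $Remaining = Get-ClusterGroup -Cluster $Cluster |
                 Where-Object { $_.OwnerNode.Name -eq $Node -and $_.GroupType -ne 'Cluster' }
    if ($Remaining) {
        throw "Roles still on ${Node}: $($Remaining.Name -join ', '); not evicting."
    }

    # Step 3: evict the node.
    Remove-ClusterNode -Cluster $Cluster -Name $Node -Force

    # Step 4: clean install of Windows Server 2016 (not an in-place upgrade),
    # install Failover Clustering, then add the node back with no storage changes.
    Read-Host "Reinstall $Node with Windows Server 2016, then press Enter to re-add it"
    Add-ClusterNode -Cluster $Cluster -Name $Node -NoStorage

    # Mixed mode check: the functional level stays at 8 (2012 R2) until committed.
    Get-Cluster -Name $Cluster | Select-Object Name, ClusterFunctionalLevel
}

# Step 6: commit only once every node reports a Windows Server 2016 build (14393+).
$OldNodes = Get-ClusterNode -Cluster $Cluster | Where-Object { $_.BuildNumber -lt 14393 }
if ($OldNodes) {
    throw "Still on 2012 R2: $($OldNodes.Name -join ', '); functional level not updated."
}
Update-ClusterFunctionalLevel -Cluster $Cluster -Force
(Get-Cluster -Name $Cluster).ClusterFunctionalLevel   # 9 once committed
```

The explicit build-number check matters because Update-ClusterFunctionalLevel is one-way: after it runs, a 2012 R2 node can no longer be added, so the script makes the irreversible step conditional on the state of every node rather than on the loop having finished.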
You can also add Windows Server 2012 R2 nodes until the functional level has been updated. To retrieve the current functional level, run the Get-Cluster cmdlet.

Get-Cluster | Select ClusterFunctionalLevel

If the ClusterFunctionalLevel value is 8, the cluster is at the Windows Server 2012 R2 level. If the value is 9, the cluster is at the Windows Server 2016 level. It is also recommended that you disable Cluster-Aware Updating before attempting to perform a Cluster Operating System Rolling Upgrade. While the name implies upgrading the operating system, a best practice is to perform a clean installation of the operating system. An in-place upgrade is not recommended for cluster nodes.

Configure and optimize clustered shared volumes (CSVs)

CSVs were introduced in Windows Server 2008 R2 and have become a widely used feature of failover clusters. CSVs can hold the VHDs of clustered Hyper-V VMs, or scale-out file shares using the Scale-Out File Server (SoFS) clustered role. Both NTFS and Resilient File System (ReFS) can be used for VM storage; however, ReFS is not supported with SoFS. CSVs are created from cluster-available disks in the nodes of the cluster. You can either use the wizard in the Failover Cluster Manager, or use Windows PowerShell. To retrieve a list of disks that can be used in a cluster, run the Get-ClusterAvailableDisk cmdlet. To add the disks, run the Add-ClusterDisk cmdlet. You can combine these two into a single command:

Get-ClusterAvailableDisk | Add-ClusterDisk

After you have added the available disks, convert a cluster disk into a CSV by using the Add-ClusterSharedVolume cmdlet. The -Name parameter is the name of the cluster disk resource (by default "Cluster Disk 1", "Cluster Disk 2", and so on; in this example the disk was renamed CSV1 first).

Add-ClusterSharedVolume -Name "CSV1"

Configure clusters without network names

A failover cluster without a network name is simply an Active Directory-detached cluster. However, this is different than a workgroup cluster, where the nodes are not joined to a domain. For an Active Directory-detached cluster, the nodes must be joined to a domain.
As with a workgroup cluster, the administrative access point is DNS. Because there is no computer object in Active Directory for the cluster name, connections to that name use NTLM as the authentication method, not Kerberos. You can create an Active Directory-detached cluster only by using the New-Cluster PowerShell cmdlet, not the Failover Cluster Manager. For example:

New-Cluster Cluster1 -Node Server1,Server2 -StaticAddress 10.0.0.10 -NoStorage -AdministrativeAccessPoint Dns

Implement Scale-Out File Server (SoFS)

SoFS is one of the two types of the File Server role when configuring a failover cluster. SoFS requires that CSVs be configured for storage. SoFS is useful for high-performance applications that need access to data through any node. Figure 5-29 shows adding the SoFS role to a failover cluster.

FIGURE 5-29 High Availability Wizard

Determine different scenarios for the use of SoFS vs. clustered File Server

SoFS is not designed for use in a general purpose file share environment. SoFS is designed for applications, such as Hyper-V and SQL Server, that keep files open for long periods of time and require additional resources to process and change those files. SoFS distributes client connections across all nodes in the cluster to enhance performance, which adds complexity and troubleshooting effort for general file shares. Additionally, SoFS can only use CSVs as storage, and cannot use individual disks. SoFS is not compatible with other file share technologies, including Data Deduplication, DFS Replication, and BranchCache. Use the File Server For General Use role for user and departmental shares, and SoFS for application data.

Determine usage scenarios for implementing guest clustering

With advances in pass-through technologies in Hyper-V, guest clustering is not as complex with Windows Server 2016. A guest cluster is a failover cluster that is created using VMs instead of physical hosts. Hyper-V offers virtual Fibre Channel (virtual SAN) connectivity, shared VHDX, and iSCSI from within the guest, so clustering storage and networking using VMs can be performed in the same way as with physical hosts.
Implement Storage Replica

As discussed in Chapter 2, Storage Replica can be used for block-level replication between servers or clusters for disaster recovery. You can also use Storage Replica to stretch a failover cluster between sites. Use synchronous replication, which guarantees crash-consistent volumes with zero data loss at the file-system level, on low-latency links (Microsoft recommends an average round trip of 5 ms or less); use asynchronous replication for longer distances or higher-latency connections, accepting that the most recent writes can be lost in a failover.

With failover clusters, Storage Replica can be used to replicate data from one cluster to another, or to stretch a cluster across different sites. With cluster-to-cluster replication, you grant Storage Replica access to the cluster name instead of to individual nodes. For example:

Grant-SRAccess -ComputerName SR-SRV01 -Cluster SR-SRVCLUSB

Figure 5-30 shows a cluster-to-cluster Storage Replica.

FIGURE 5-30 Cluster to cluster Storage Replica

NEED MORE REVIEW? For details and instructions for using cluster-to-cluster Storage Replica, visit https://technet.microsoft.com/en-us/windows-server-docs/storage/storage-replica/cluster-to-cluster-storage-replication.

You can also use Storage Replica in a stretch cluster. A stretch cluster is a single failover cluster that spans multiple sites. With Storage Replica, each site uses its own physical storage, and Storage Replica ensures that the data is mirrored between the sites.

NEED MORE REVIEW? For details and instructions for using a stretch cluster with Storage Replica, visit https://technet.microsoft.com/en-us/windows-server-docs/storage/storage-replica/stretch-cluster-replication-using-shared-storage.

Figure 5-31 shows a stretch cluster used with Storage Replica.

FIGURE 5-31 Stretch cluster with Storage Replica

Implement VM resiliency

Windows Server 2016 includes increased resiliency for VMs in Hyper-V failover clusters.
There are two primary resiliency enhancements:

■ Compute resiliency Additional options can be configured for Hyper-V clusters that reduce the impact of transient failures in intra-cluster communication: a node that briefly loses contact with the cluster is placed in an isolated state and its VMs keep running, instead of being failed over immediately.
■ Storage resiliency VMs are more resilient to transient storage failures.

New options for compute resiliency include:

■ Resiliency level Defines how failures are handled (the cluster property ResiliencyLevel: 1 = AlwaysIsolate, 2 = IsolateOnSpecialHeartbeat, the default).
■ Resiliency period Defines how long VMs can keep running on a node while it is isolated before the cluster fails them over (the cluster property ResiliencyDefaultPeriod, 240 seconds by default).

You can also configure quarantine for nodes that are deemed unhealthy because they repeatedly drop out of the cluster (QuarantineThreshold, three isolations within an hour by default). A quarantined node is not allowed to rejoin the cluster for the QuarantineDuration (two hours by default), which prevents a flapping node from affecting the other nodes in the cluster; its VMs are drained to other nodes.

If a VM experiences a failure of its underlying storage, the VM pauses. While paused, the VM retains the application context for any in-flight I/O. When the storage recovers and is presented again to the VM, the VM resumes and returns to a running state.

NEED MORE REVIEW? For more information on VM resiliency with failover clusters, visit https://blogs.msdn.microsoft.com/clustering/2015/06/03/virtual-machine-compute-resiliency-in-windows-server-2016/.

Implement shared VHDX as a storage solution for guest clusters

Another method of configuring storage for virtualized clusters is to use VHDX sharing. Windows Server 2012 R2 introduced the ability to enable sharing on a virtual disk. Figure 5-32 shows the ability to create a shared drive from the settings of a VM.

FIGURE 5-32 Creating a shared drive

In Windows Server 2012 R2, sharing was an advanced option of a VHDX file. In Windows Server 2016, a shared drive uses the VHD Set (VHDS) file format, and can be shared among virtual machines. A VHD Set can only be fixed or dynamically expanding, and cannot be a differencing disk. Figure 5-33 shows creating a VHD Set by using the New Virtual Hard Disk Wizard.
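The VHD Set creation shown in the wizard, done from PowerShell for a two-node guest cluster. This is an added example and not the book's code; the CSV path, VM names and disk sizes are assumptions, and it is run on the Hyper-V host (or cluster node) that owns the VMs.

```powershell
# Added example (not from the book): create VHD Sets on a CSV and attach them to
# two guest-cluster VMs as shared drives. CSV path, VM names and sizes are
# assumptions; run on the host that owns the VMs.
$CsvPath = 'C:\ClusterStorage\Volume1\GuestCluster'   # assumed CSV folder
$VmNames = 'GC-Node1', 'GC-Node2'                    # assumed guest cluster nodes
$Disks   = @{ 'witness.vhds' = 1GB; 'data.vhds' = 100GB }   # assumed sizes

New-Item -Path $CsvPath -ItemType Directory -Force | Out-Null

foreach ($Entry in $Disks.GetEnumerator()) {
    $Path = Join-Path $CsvPath $Entry.Key

    # The .vhds extension makes New-VHD create a VHD Set. It must be fixed or
    # dynamic (a differencing disk is not allowed); dynamic is fine for a lab.
    if (-not (Test-Path $Path)) {
        New-VHD -Path $Path -SizeBytes $Entry.Value -Dynamic | Out-Null
    }

    foreach ($Vm in $VmNames) {
        # Attach the same file to every node on the SCSI controller.
        # -SupportPersistentReservations is what makes it a shared drive that
        # the guest cluster can arbitrate with SCSI-3 persistent reservations.
        $Already = Get-VMHardDiskDrive -VMName $Vm | Where-Object { $_.Path -eq $Path }
        if (-not $Already) {
            Add-VMHardDiskDrive -VMName $Vm -ControllerType SCSI -Path $Path `
                                -SupportPersistentReservations
        }
    }
}

# Review: every node should list both shared drives with reservations enabled.
foreach ($Vm in $VmNames) {
    Get-VMHardDiskDrive -VMName $Vm |
        Where-Object { $_.SupportPersistentReservations } |
        Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, Path
}
```

Inside the guests, the shared drives then appear as ordinary disks that Test-Cluster and New-Cluster can validate and claim, exactly as SAN LUNs would on physical nodes; the physical CSV is never exposed to the guest operating systems.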
FIGURE 5-33 Creating a shared drive

The shared storage can be added to multiple virtual machines, enabling you to create a virtualized cluster without exposing any underlying physical storage to the guests.

Skill 5.3: Implement Storage Spaces Direct

This section covers how to:
■ Determine scenario requirements for implementing Storage Spaces Direct
■ Enable Storage Spaces Direct using Windows PowerShell
■ Implement a disaggregated Storage Spaces Direct scenario in a cluster
■ Implement a hyper-converged Storage Spaces Direct scenario in a cluster

Determine scenario requirements for implementing Storage Spaces Direct

Storage Spaces Direct expands on the existing Storage Spaces technology by using the local storage in each server for high availability and scalability. Storage Spaces Direct does not require any shared SAS or Fibre Channel environment. The network connectivity between the servers is used, with SMB 3.0 and SMB Direct (Remote Direct Memory Access), to connect to and use the storage efficiently. Storage Spaces Direct can be used with Scale-Out File Server, Cluster Shared Volumes, and Failover Clustering. There are two supported scenarios in which Storage Spaces Direct can be used:

■ Disaggregated deployment The compute cluster is separate from the Storage Spaces Direct cluster that hosts the storage. Virtual machine storage is configured on a Scale-Out File Server, and is accessed by using SMB 3.0.
■ Hyper-converged deployment The compute and storage components run on the same cluster. The VM storage is configured as local storage using Cluster Shared Volumes, and a Scale-Out File Server is not necessary.

Enable Storage Spaces Direct using Windows PowerShell

The disks that you plan to use with Storage Spaces Direct must not have any existing partitions or data on them. If any partitions or data already exist on a disk, that disk is not included in the Storage Spaces Direct pool.
Enabling Storage Spaces Direct is accomplished by running a single command:

Enable-ClusterStorageSpacesDirect -CimSession Cluster1

By running the command, Storage Spaces Direct automatically performs a few tasks:

1. Creates a storage pool using the available disks.
2. Configures a cache, if necessary. This is only done if more than one media type is available (for example, NVMe or SSD devices caching for HDDs).
3. Creates two storage tiers. The first tier is named Capacity. The second tier is named Performance. The tiers are configured with a mix of device types and resiliency.

Other PowerShell cmdlets that can be used with Storage Spaces Direct include:

■ Test-Cluster This tests the suitability of a configuration; with -Include "Storage Spaces Direct" it runs the Storage Spaces Direct tests as well.
■ Enable-ClusterS2D This is an alias of Enable-ClusterStorageSpacesDirect, which configures a cluster for Storage Spaces Direct using local SATA, SAS, or NVMe devices.
■ Optimize-StoragePool Rebalances the data across the pool if the underlying storage changes, for example after adding a disk or a node.
■ Debug-StorageSubsystem Displays any faults that can affect the storage.

Implement a disaggregated Storage Spaces Direct scenario in a cluster

As discussed in the earlier section, "Determine scenario requirements for implementing Storage Spaces Direct," a disaggregated scenario is simply a separation of the storage environment from the compute environment. In this scenario, you configure the Hyper-V failover cluster as usual. Then configure the Storage Spaces Direct environment on a separate cluster of servers. Figure 5-34 illustrates this separation of roles.

FIGURE 5-34 Disaggregated Storage Spaces Direct deployment

Implement a hyper-converged Storage Spaces Direct scenario in a cluster

As discussed in the earlier section, "Determine scenario requirements for implementing Storage Spaces Direct," a hyper-converged scenario is the combination of the compute and storage environments in the same cluster of servers. This deployment type eliminates the need for a Scale-Out File Server.
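A hyper-converged Storage Spaces Direct deployment from validation to the first CSV volume, covering the disk-cleanliness requirement and the Enable-ClusterStorageSpacesDirect step discussed above. This is an added example, not the book's or Microsoft's code; node names, cluster name, IP address, volume size and the choice of a three-way mirror are assumptions, and the disk-cleaning step destroys whatever is on the non-boot disks of every node.

```powershell
# Added example (not from the book): bring up a hyper-converged Storage Spaces
# Direct cluster: validate, create the cluster with no shared storage, wipe the
# local data disks, enable S2D, and create one mirrored CSV volume.
# Node names, cluster name, IP and volume size are assumptions.
$Nodes       = 'S2D-Node1', 'S2D-Node2', 'S2D-Node3', 'S2D-Node4'
$ClusterName = 'S2DCluster1'
$ClusterIP   = '10.0.0.30'

# Validation including the S2D-specific tests; read the report before going on.
$Report = Test-Cluster -Node $Nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'
Write-Host "Validation report: $($Report.FullName)"

# -NoStorage: S2D provides the storage, so do not let the wizard claim any disks.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP -NoStorage | Out-Null

# Disks with partitions or data are skipped by S2D, so clean the candidates on
# every node. Boot and system disks are excluded; everything else is wiped.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Update-StorageProviderCache
    # Remove leftovers of any earlier (non-primordial) pool on this node.
    Get-StoragePool | Where-Object IsPrimordial -eq $false |
        Set-StoragePool -IsReadOnly:$false -ErrorAction SilentlyContinue
    Get-StoragePool | Where-Object IsPrimordial -eq $false |
        Get-VirtualDisk | Remove-VirtualDisk -Confirm:$false -ErrorAction SilentlyContinue
    Get-StoragePool | Where-Object IsPrimordial -eq $false |
        Remove-StoragePool -Confirm:$false -ErrorAction SilentlyContinue
    Get-PhysicalDisk | Reset-PhysicalDisk -ErrorAction SilentlyContinue
    # Wipe partitioned non-boot disks; RAW disks are already clean.
    Get-Disk |
        Where-Object { $null -ne $_.Number -and -not $_.IsBoot -and -not $_.IsSystem -and $_.PartitionStyle -ne 'RAW' } |
        ForEach-Object {
            $_ | Set-Disk -IsOffline:$false
            $_ | Set-Disk -IsReadOnly:$false
            $_ | Clear-Disk -RemoveData -RemoveOEM -Confirm:$false
        }
    Get-Disk | Where-Object { $null -ne $_.Number -and -not $_.IsBoot } |
        Select-Object Number, FriendlyName, PartitionStyle, Size
}

# Enable S2D; the cmdlet builds the pool, the cache and the tiers on its own.
Enable-ClusterStorageSpacesDirect -CimSession $ClusterName -Confirm:$false

# One three-way mirrored volume (tolerates two simultaneous failures). New-Volume
# on the S2D pool also adds it as a CSV, visible at C:\ClusterStorage\Volume1.
New-Volume -CimSession $ClusterName -StoragePoolFriendlyName 'S2D*' `
           -FriendlyName 'Volume1' -FileSystem CSVFS_ReFS -Size 1TB `
           -ResiliencySettingName Mirror -PhysicalDiskRedundancy 2

# Health check: any fault in the clustered storage subsystem is listed here.
Get-StorageSubSystem -CimSession $ClusterName -FriendlyName 'Clustered Windows Storage*' |
    Debug-StorageSubSystem
```

CSVFS_ReFS is the file system of choice for S2D volumes in Windows Server 2016 because ReFS accelerates VHDX creation and checkpoint merges; the earlier note that ReFS is not supported with the classic Scale-Out File Server on shared storage does not apply to Storage Spaces Direct.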
Figure 5-35 shows a hyper-converged deployment scenario.

FIGURE 5-35 Hyper-converged Storage Spaces Direct deployment

NEED MORE REVIEW? For a step-by-step guide to a hyper-converged deployment of Storage Spaces Direct, visit https://technet.microsoft.com/en-us/windows-server-docs/storage/storage-spaces/hyper-converged-solution-using-storage-spaces-direct.

Skill 5.4: Manage failover clustering

In this section, we discuss some of the basics of monitoring and managing a failover cluster after it has been created. This includes configuring roles on the cluster and monitoring VMs that run in the cluster. Then, we cover how to configure failover, preference, and startup settings for services and roles in the cluster. Finally, we discuss site-aware failover clusters, and how to configure preferred sites for clusters and groups.

This section covers how to:
■ Configure role-specific settings, including continuously available shares
■ Configure VM monitoring
■ Configure failover and preference settings
■ Implement stretch and site-aware failover clusters
■ Enable and configure node fairness

Configure role-specific settings, including continuously available shares

There are several roles that can be configured by using Failover Cluster Manager:

■ DFS Namespace Server Provides an alias that can be used to access a DFS namespace. The DFS Namespaces role service must be installed on the nodes in the cluster.
■ DHCP Server Enables the DHCP service to fail over between nodes in a cluster.
■ Distributed Transaction Coordinator Supports distributed applications that perform transactions.
■ File Server Provides a central location where files can be accessed through the failover cluster.
■ Generic Application Provides high availability for applications that are not typically designed to run in a cluster.
■ Generic Script Provides high availability for a script that runs in the Windows Script Host.
■ Generic Service Provides high availability for a service that is not typically designed to run in a cluster.
■ Hyper-V Replica Broker Enables the failover cluster to participate in replication with Hyper-V Replica.
■ iSCSI Target Server Provides iSCSI (SCSI over TCP/IP) storage from the failover cluster.
■ iSNS Server An Internet Storage Name Service server that provides discovery of iSCSI targets.
■ Message Queuing Enables distributed applications running at different times to communicate across networks.
■ Other Server Provides a client access point and storage only.
■ Virtual Machine Makes a VM running on a Hyper-V host node highly available.
■ WINS Server Enables users to access resources by using NetBIOS names.

You can combine file servers running in a failover cluster with the SMB 3 protocol to provide continuously available file shares to an environment. SMB 3 provides several benefits, including:

■ SMB Transparent Failover Enables a file share to be continuously available to SMB 3 clients. When a failover occurs, the SMB 3 client transparently reconnects to another node in the cluster, and open file handles and in-flight I/O are recovered without an error being returned to the application.
■ SMB Scale-Out Enables the bandwidth of multiple cluster nodes to be used for the same share.
■ SMB Multichannel Uses multiple network interfaces to increase the performance and fault tolerance of an SMB connection.

Configure VM monitoring

For VMs that are configured in a failover cluster, both the VM itself and services running inside the VM can be monitored by the Hyper-V host. The guest VM and the Hyper-V host must either belong to the same domain, or have a trust relationship configured between their domains. The pre-defined Virtual Machine Monitoring firewall rules must also be enabled inside the VM. Figure 5-36 shows the rules that must be enabled.
These rules include:
■ Virtual Machine Monitoring (DCOM-In)
■ Virtual Machine Monitoring (Echo Request – ICMPv4-In)
■ Virtual Machine Monitoring (Echo Request – ICMPv6-In)
■ Virtual Machine Monitoring (NB-Session-In)
■ Virtual Machine Monitoring (RPC)

FIGURE 5-36 Windows Firewall Inbound Rules

After you have modified the firewall, you can configure monitoring for the VM from the Failover Cluster Manager. Right-click a VM, and in the More Actions menu, click Configure Monitoring. You are prompted with a list of services that exist on the VM. After selecting the service to monitor, you can also adjust the recovery settings for the service in the Services console inside the guest. By default, the first two times a service fails, the Service Control Manager in the guest attempts to restart the service; only when a failure reaches a recovery action of Take No Action does the cluster react. It then logs the failure, restarts the VM on the same node, and, if the service fails again after that restart, fails the VM over to another node. Therefore, if you need the cluster to react immediately rather than waiting for the in-guest restarts, change the first recovery action to Take No Action. This ensures that the monitored service is considered down as soon as it fails, so the VM is restarted and then failed over.

Configure failover and preference settings

You can modify the properties of a role to assign the following settings, as shown in Figure 5-37.

■ Preferred owners The ordered list of nodes that are tried, in order, when the role starts, fails over, or is moved.
■ Start-up priority You can assign Low, Medium, High, or No Auto Start to a role. When a node fails, its roles are brought online elsewhere in priority order; if No Auto Start is configured, the role is failed over after all other roles, but is not automatically started. By default, all roles have a Medium priority.

FIGURE 5-37 Role general properties

You can also control the number of times the cluster service tries to restart or fail over a role within a given period before leaving it in a failed state. These settings can be configured from the Failover tab, as shown in Figure 5-38.
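The VM monitoring and failover/preference settings above, as a script. This is an added example, not the book's code; the cluster, VM, node and service names are assumptions, the guest's hostname is assumed to match the VM name so that PowerShell remoting into it works, and the cluster and the guest are assumed to be in the same domain (as monitoring requires).

```powershell
# Added example (not from the book): enable VM monitoring for a service inside a
# clustered VM, then set the role's preferred owners, priority and failover
# limits. Cluster, VM, node and service names are assumptions.
$Cluster = 'HVCluster1'
$VmName  = 'APP-VM1'                 # clustered VM; the cluster role has the same name
$Service = 'Spooler'                 # service to watch inside the guest

# Inside the guest: open the predefined inbound rule group the host needs
# (DCOM, RPC, NetBIOS session and ICMP echo). Nothing else is opened.
Invoke-Command -ComputerName $VmName -ScriptBlock {
    Enable-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring'
    Get-NetFirewallRule -DisplayGroup 'Virtual Machine Monitoring' |
        Select-Object DisplayName, Enabled
}

# On the cluster: start monitoring the service, then confirm what is monitored.
Add-ClusterVMMonitoredItem -Cluster $Cluster -VirtualMachine $VmName -Service $Service
Get-ClusterVMMonitoredItem -Cluster $Cluster -VirtualMachine $VmName

# Placement and failover policy for the role.
$Group = Get-ClusterGroup -Cluster $Cluster -Name $VmName

# Ordered preferred owners: HV-Node1 first, HV-Node2 second; other nodes last.
Set-ClusterOwnerNode -Cluster $Cluster -Group $VmName -Owners 'HV-Node1', 'HV-Node2'

# Start-up priority: 3000 = High, 2000 = Medium (default), 1000 = Low, 0 = No Auto Start.
$Group.Priority = 3000

# At most 2 failovers within 6 hours; after that the role is left in a failed
# state rather than bouncing between nodes. No automatic failback.
$Group.FailoverThreshold = 2
$Group.FailoverPeriod    = 6
$Group.AutoFailbackType  = 0        # 0 = prevent failback, 1 = allow failback

# Review the effective settings.
Get-ClusterGroup -Cluster $Cluster -Name $VmName |
    Select-Object Name, OwnerNode, Priority, FailoverThreshold, FailoverPeriod, AutoFailbackType
Get-ClusterOwnerNode -Cluster $Cluster -Group $VmName
```

The service recovery actions inside the guest (including the Take No Action change discussed above) are still set in the guest's Services console; the script only opens the firewall rule group that the host uses to query the service state.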
FIGURE 5-38 Role failover properties

Windows Server 2016 also introduces the ability to control the start order of VMs. VMs can be grouped into tiers, which are used to define dependencies for the starting order. This ensures that more important virtual machines are started before others. For example, you can configure all domain controllers to start first.

Implement stretch and site-aware failover clusters

We discussed using a stretch cluster earlier in the "Storage Replica" section. However, using a site-aware failover cluster is new to Windows Server 2016. A site-aware failover cluster builds on a stretch cluster, where nodes in the same cluster are not in the same physical site. Site awareness gives the cluster the ability to better control failovers, placement, heartbeats between nodes, and quorum. A new configuration option is to control the cross-site heartbeat. These thresholds can be configured by modifying new cluster properties:
■ CrossSiteDelay  This property is set to 1,000 by default, and defines the interval in milliseconds at which a heartbeat is sent to nodes across sites.
■ CrossSiteThreshold  This property is set to 20 by default, and defines the number of heartbeats that can be missed before the interface is considered to be down.
■ PreferredSite  The site that is assigned to a role for placement. The nodes of the site must first be assigned to the site before it can be set as preferred. During a cold start, VMs are also placed in the preferred site. The preferred site is also elected to be the active site in the event of a split quorum. The LowerQuorumPriorityNodeID property is deprecated in Windows Server 2016.

Preferred sites can also be configured more granularly by using cluster groups. This enables you to control site placement on a group basis, in addition to the cluster. Groups in a cluster are placed based on the following priority order:
1. Storage affinity site
2. Group preferred site
3. Cluster preferred site

Enable and configure node fairness

VM node fairness is another new feature in Windows Server 2016. Node fairness enables load balancing between nodes in a cluster. Nodes that are overcommitted are identified based on virtual machine memory and processor use on the node. VMs are then automatically migrated to nodes that are not as heavily used, if any are available. The threshold of the load balancing can be configured and tuned to ensure the best cluster performance. By default, node fairness is enabled in a Windows Server 2016 failover cluster, but it is disabled when System Center Virtual Machine Manager Dynamic Optimization is enabled.

Skill 5.5: Manage VM movement in clustered nodes

This section covers the basic operations that are used when managing a failover cluster. This includes performing a live, quick, or storage migration of a virtual machine. It also includes importing, exporting, and copying these VMs. Finally, VM health protection and draining a node on shutdown are also discussed. These topics are covered briefly, as they do not introduce anything new in Windows Server 2016.

This section covers how to:
■ Perform live migration
■ Perform quick migration
■ Perform storage migration
■ Import, export, and copy VMs
■ Configure VM network health protection
■ Configure drain on shutdown

Perform live migration

Performing a live migration is similar to performing a move through the Hyper-V Manager. In the context of a failover cluster, a live migration copies the running memory of a VM to the destination node before committing the migration. When using CSVs, the migration is almost instant, as no transfer of disk ownership is necessary. A live migration can be used for planned maintenance or transfer, but not as an unplanned failover.
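Returning to the site-aware cluster properties and node fairness described in the two sections before this one: the following added example (not the book's code) assigns nodes to sites, tunes the cross-site heartbeat, sets a cluster-wide and a per-group preferred site, and configures the node fairness thresholds. It assumes a cluster named Cluster1 with Node1 and Node2 in site 1 and Node3 and Node4 in site 2, a clustered role named SQL1, and the numeric node Site and PreferredSite properties described above.

```powershell
# Added example (not from the book). Assumed: cluster Cluster1; Node1/Node2 in site 1,
# Node3/Node4 in site 2; clustered role SQL1 that should be placed in site 2.
# Assumption: sites are numeric node Site values as in the text. If the cluster was built
# with New-ClusterFaultDomain -Type Site instead, PreferredSite takes the site name.
Import-Module FailoverClusters
$cluster = Get-Cluster -Name 'Cluster1'

# 1. Every node must belong to a site before a site can be made preferred.
$siteMap = @{ 'Node1' = 1; 'Node2' = 1; 'Node3' = 2; 'Node4' = 2 }
foreach ($entry in $siteMap.GetEnumerator()) {
    (Get-ClusterNode -Cluster $cluster.Name -Name $entry.Key).Site = $entry.Value
}
$unassigned = Get-ClusterNode -Cluster $cluster.Name | Where-Object { -not $_.Site }
if ($unassigned) {
    throw "Assign a site to these nodes first: $($unassigned.Name -join ', ')"
}

# 2. Cross-site heartbeat. Defaults are 1,000 ms and 20 missed heartbeats; both are
#    widened here for a WAN link with higher latency and jitter, so that a short
#    blip between sites does not look like a dead node.
$cluster.CrossSiteDelay     = 2000   # milliseconds between heartbeats sent across sites
$cluster.CrossSiteThreshold = 30     # missed heartbeats before the link is considered down

# 3. Cluster-wide preferred site: cold-start placement and the winning side of a split quorum.
$cluster.PreferredSite = 1

# 4. Per-group override (placement order: storage affinity site, then group preferred
#    site, then cluster preferred site).
(Get-ClusterGroup -Cluster $cluster.Name -Name 'SQL1').PreferredSite = 2

# 5. Node fairness. AutoBalancerMode: 0 = disabled, 1 = balance when a node joins,
#    2 = always (default). AutoBalancerLevel: 1 = low (node is overcommitted above 80 %),
#    2 = medium (70 %), 3 = high (60 %). Leave mode 0 where SCVMM Dynamic Optimization runs.
$cluster.AutoBalancerMode  = 2
$cluster.AutoBalancerLevel = 2

# Review the result.
$cluster | Select-Object Name, CrossSiteDelay, CrossSiteThreshold, PreferredSite,
    AutoBalancerMode, AutoBalancerLevel
Get-ClusterNode -Cluster $cluster.Name | Select-Object Name, State, Site
Get-ClusterGroup -Cluster $cluster.Name | Select-Object Name, OwnerNode, PreferredSite
```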
To perform a live migration, you must enable the feature from the Hyper-V settings, as discussed earlier in this chapter.

Perform quick migration

As with a live migration, a quick migration copies the running memory of a VM. However, that memory is saved to disk rather than being transferred to the destination node. This still provides a fast migration, but again cannot be used for an unplanned failover.

Perform storage migration

A storage migration copies the physical data from the node that currently owns the data to the destination node. The time that it takes to complete the migration depends on the size of the VM and the storage connectivity method for the nodes.

Import, export, and copy VMs

Importing, exporting, and copying VMs are methods of manually transferring a VM from one node to another. Exporting a VM consolidates the VM into the files that are specified during the export process. They can then be copied and imported to a different node.

Configure VM network health protection

Windows Server 2012 R2 introduced a new option named Protected Network in the advanced settings of VM network adapters. Configuring a protected network is useful to protect a highly available VM from a failed network connection. With the protected network option enabled, the physical node monitors the network for disruptions. If the network connection goes down, then the VM is migrated to another physical node that has a working network connection.

FIGURE 5-39 Virtual machine network adapter advanced features

Configure drain on shutdown

Drain on shutdown is a necessary process to efficiently suspend a node. When a node is active, there can be several connections to the roles that operate on the node. By setting a node to drain, the node does not respond to any future requests in the cluster.
Therefore, as existing connections complete or drop, the node is essentially removed from the cluster without affecting any existing or future connections.

FIGURE 5-40 Draining a failover cluster node

Chapter summary
■ How to use the Hyper-V Manager to perform basic VM management
■ Configure migration and authentication details for Hyper-V servers
■ Install and configure a failover cluster
■ Configure quorum options, including Azure Cloud Witness
■ Use Cluster-Aware Updating to perform Windows Updates
■ Seamlessly upgrade clusters from Windows Server 2012 R2 to Windows Server 2016
■ Optimize clusters using storage technologies like CSVs and Storage Replica
■ Implement Storage Spaces Direct for increased storage performance
■ Manage failover clusters using failover and preference settings
■ Perform basic VM management by using the Failover Cluster Manager

Thought Experiment

A company currently has a single site with two standalone Hyper-V hosts. Each Hyper-V host is connected to an external iSCSI enclosure. The storage enclosure stores the data for all virtual machines that the hosts run. The company plans to open an additional office in the same city. As part of the plan, the secondary office should be used with active connections, and serve as a backup if the primary office experiences a failure. Both offices should use a third site to determine which site is primary in the event of a failure. If the third site is unavailable from both offices, the original primary should accept the active client requests. Using the above scenario, answer the following questions.
1. What should be deployed in the primary office to accomplish the goal?
2. What should be deployed in the secondary office to accomplish the goal?
3. What technology should be used to ensure the secondary office maintains the latest available data?
4. What technology should be used to ensure only one site is active in the event of a failure?
5. What should be configured to ensure that the primary site is used in the event of a third-site failure?

Thought Experiment Answers
1. The two Hyper-V servers should be placed in a failover cluster.
2. Two Hyper-V servers should be deployed as part of the same failover cluster, to service active requests when online.
3. Storage Replica should be used to synchronously transfer data from the primary office to the secondary, and back again if necessary.
4. A cloud witness should be configured to ensure a site is always active in the event of a failure.
5. The primary site should be configured as the preferred site to ensure it is active in the event the cloud witness is unavailable.

CHAPTER 6 Implement DNS

This chapter covers one skill that is represented on the exam, implementing and configuring DNS servers. There are a few new technologies introduced in Windows Server 2016 for DNS servers:
■ DNS Policies  Policies can be created to specify how DNS servers respond to client requests.
■ Response Rate Limiting  Mitigates denial of service attacks on DNS.
■ DNS-based Authentication of Named Entities  Uses Transport Layer Security Authentication to inform clients to expect a certificate from a Certification Authority for the DNS zone.
■ Unknown record support  Add records that are not explicitly supported by Windows Server DNS.
■ IPv6 root hints  Native IPv6 root hints have been added to DNS.

We discuss these new technologies and review key technologies that already exist for DNS in this chapter.

Skills in this chapter:
■ Implement and configure DNS servers

Implement and configure DNS servers

This section explains how DNS is used in a Windows Server environment. DNS has several components that include forwarders, root hints, policies, logging, and more. Each of these components is discussed, including how to configure the options for a typical enterprise environment.
This section covers how to:
■ Determine DNS installation requirements
■ Determine supported DNS deployment scenarios on Nano Server
■ Install DNS
■ Configure forwarders
■ Configure Root Hints
■ Configure delegation
■ Implement DNS policies
■ Configure Domain Name System Security Extensions
■ Configure DNS Socket Pool
■ Configure cache locking
■ Enable Response Rate Limiting
■ Configure DNS-based Authentication of Named Entities
■ Configure DNS logging
■ Configure delegated administration
■ Configure recursion settings
■ Implement DNS performance tuning
■ Configure global settings using Windows PowerShell

Determine DNS installation requirements

The DNS server role can be installed on any edition or version of Windows Server, including Nano Server. There are two primary use cases for running DNS on a Windows Server:
■ Active Directory integration  Active Directory Domain Services requires a DNS server for the directory to function properly. Once integrated, the DNS zones that are configured on the server can be stored in Active Directory for increased security.
■ DNS and DHCP integration  You can enable DNS records to be updated automatically when devices join the network for the first time, or if a device changes on the network. This works independently of Active Directory.

Determine supported DNS deployment scenarios on Nano Server

DNS can be installed on Nano Server, and offers the same features, security, and functionality as installing it on Server Core or graphical versions of Windows Server. The only difference in using Nano Server is the management of the server role after it has been deployed. After deploying DNS on a Nano Server, you can manage it by using Windows PowerShell remoting. Create a new session with the Nano Server by running the Enter-PSSession cmdlet.

Enter-PSSession -ComputerName "Nano1"

After connecting remotely to the Nano Server, you can import the PowerShell module for DNS by running the Import-Module cmdlet.
Import-Module DNSServer

You can then run any DNS PowerShell cmdlet on the Nano Server. Alternatively, you can run the DNS Manager from a separate management computer, and connect to the DNS service that is running on the Nano Server. This gives you the ability to manage the DNS service through the DNS Manager console as if it were installed on a server with a graphical interface.

Install DNS

DNS can be installed by using the Add Roles and Features Wizard through Server Manager, or by using Windows PowerShell with the Install-WindowsFeature cmdlet.

Install-WindowsFeature DNS

If adding the package to Nano Server, the package is installed by using the Install-NanoServerPackage cmdlet.

Install-NanoServerPackage -Package Microsoft-NanoServer-DNS-Package

Configure forwarders

When a DNS server receives a request to translate a domain name that it does not know, a forwarder is used to transfer the request to another DNS server. DNS forwarders use recursive queries as the list of forwarders is processed. A recursive query either accepts a record that is provided, or displays an error if the record cannot be found. Forwarders do not accept referrals to other DNS servers. The next DNS server could be a different DNS server within a corporate network, the ISP, or a public DNS server. Figure 6-1 shows the Forwarders configured for a DNS server, using Verisign and OpenDNS public servers, respectively.

FIGURE 6-1 DNS Forwarders

An option shown in Figure 6-1 for forwarders is Use Root Hints If No Forwarders Are Available. This uses any configured root hints if the forwarders that have been configured are not available. By default, this option is disabled. From the GUI, forwarders are managed by modifying the properties of the DNS server. However, using Windows PowerShell, forwarders have separate cmdlets. To configure a forwarder with PowerShell, use the Add-DnsServerForwarder cmdlet.
Add-DnsServerForwarder 8.8.8.8

To configure whether root hints are used if a forwarder is unavailable, run the Set-DnsServerForwarder cmdlet.

Set-DnsServerForwarder -UseRootHint $False

Conditional forwarders

Another type of forwarder is a conditional forwarder. Conditional forwarders are useful for partner organizations or other DNS domains that an organization might have access to. For example, if your organization has partnered with adatum.com, then you can configure a conditional forwarder. Rather than using the global forwarders or root hints to identify unknown resources in the domain, a conditional forwarder routes DNS requests for adatum.com to the specified server. Figure 6-2 shows creating a conditional forwarder from DNS Manager.

FIGURE 6-2 Conditional forwarder

After forwarders have been configured, you can verify that DNS is working properly by using nslookup. The nslookup tool is a command-line utility that enables you to query specific record types using DNS. Figure 6-3 shows performing successful queries for Microsoft.com, the local domain contosoforest.com, and the partner domain adatum.com. If you plan to use PowerShell to create a conditional forwarder, use the Add-DnsServerConditionalForwarderZone cmdlet.

Add-DnsServerConditionalForwarderZone -Name adatum.com -MasterServers 10.0.0.105

FIGURE 6-3 nslookup results

Configure root hints

Unlike forwarders, which perform recursive queries, root hints perform iterative queries. If a DNS server cannot find the record for a query in the local configuration, it can query a DNS server on the internet. A root server responds with a referral to the DNS server that hosts the authoritative zone for the top-level domain (.com, .net, etc.). The local server then queries the referred server for the record, which responds with another referral to the authoritative server for the DNS domain (contoso.com).
The query and referral process continues until the record is successfully located, or the authoritative server says that the record does not exist. Windows Server 2016 introduces default root hints for IPv6 queries, so that IPv6 records can be located using iterative queries just as IPv4 addresses can be. These root hints have been published by the Internet Assigned Numbers Authority (IANA), and can be used for IPv6 queries. Figure 6-4 shows the default root hints that have been added to Windows Server 2016.

FIGURE 6-4 Root hints

Root hints can also be retrieved or configured by using PowerShell. To retrieve the same list that the GUI displays, run the Get-DnsServerRootHint cmdlet. To add additional root hints, use the Add-DnsServerRootHint cmdlet.

Add-DnsServerRootHint -NameServer a.root-servers.net -IPAddress 2001:503:ba3e::2:30

Configure delegation

Zone delegation enables you to divide a DNS namespace into multiple zones. These additional zones can be stored and replicated to other DNS servers. This is useful if you need to delegate management for a portion of a namespace, or want to improve network distribution by dividing larger zones. Creating a new delegation can be performed from DNS Manager by right-clicking the forward lookup zone that you plan to split, and then clicking New Delegation. The New Delegation Wizard appears. The first configuration screen prompts for the domain that is delegated. For example, we specify the fully qualified domain name (FQDN) emea.contosoforest.com to be delegated as a separate domain. Figure 6-5 shows the New Delegation Wizard.

FIGURE 6-5 New Delegation Wizard

You are then prompted to enter the FQDN of the DNS server that is authoritative for the zone. You must also resolve the FQDN to the available IP addresses for that specific server. Figure 6-6 shows configuring the FQDN and associated IP addresses for delegation.
FIGURE 6-6 New Name Server Record

After you complete the wizard, the delegation is created in the forward lookup zone. You can also create the delegation by using the Add-DnsServerZoneDelegation cmdlet.

Add-DnsServerZoneDelegation -Name contosoforest.com -ChildZoneName emea.contosoforest.com -IPAddress 10.0.0.100 -NameServer DC1

Implement DNS policies

Windows Server 2016 introduces DNS policies to manage queries based on configurable parameters. There are a few scenarios in which DNS policies can be useful:
■ Application high availability  DNS queries are forwarded to the healthiest endpoint for an application.
■ Traffic management  Use the closest available DNS server for client queries.
■ Split-brain DNS  If DNS records are split for internal and external addresses, clients receive the appropriate response depending on their location.
■ Filtering  Manage an IP blocking list to prevent malicious queries.
■ Forensics  DNS clients that are suspected to be malicious can be redirected.
■ Time-based redirects  Provide different responses to DNS queries based on the time of day.

There are three new objects in DNS that are used to manage DNS policies:
■ Client subnet  Represents an IPv4 or IPv6 subnet where queries originate from.
■ Recursion scope  Groups of settings that control recursion for a DNS server.
■ Zone scope  Sets of DNS records for zones on the DNS server.

There are two policies that can be configured at either the zone or server level, and a single server-only level policy.
■ Query Resolution Policy  Can be applied to either a DNS server or a specific DNS zone. Query resolution policies are used to control incoming client queries and define how the DNS server handles the requests.
■ Zone Transfer Policy  Can be applied to either a DNS server or a specific DNS zone. Zone transfer policies control whether zone transfers are configured to either Deny or Ignore zone changes for a DNS topology.
■ Recursion policy  Recursion policies are applied only at the server level and control whether recursion is denied or ignored for the matching queries. You can also choose to configure a set of forwarders that are used for the queries.

The overall process of creating a policy includes first creating the objects, and then creating the policies. For example:
1. Create the subnet objects that DNS clients are connecting from.
2. Create the zone scopes and resource records for each network as needed.
3. Create a policy to manage the queries from the defined subnets.

As of this writing, policies are only configured by using PowerShell. To view the available cmdlets that can be used with policies, run the Get-Command cmdlet.

Get-Command -Module DNSServer *policy* | Select Name

The command returns a list similar to the following, which lists the cmdlets that are built in to the DNS PowerShell module:

Name
----
Add-DnsServerQueryResolutionPolicy
Add-DnsServerZoneTransferPolicy
Disable-DnsServerPolicy
Enable-DnsServerPolicy
Get-DnsServerQueryResolutionPolicy
Get-DnsServerZoneTransferPolicy
Remove-DnsServerQueryResolutionPolicy
Remove-DnsServerZoneTransferPolicy
Set-DnsServerQueryResolutionPolicy
Set-DnsServerZoneTransferPolicy

NEED MORE REVIEW? CONFIGURING DNS POLICY
For details and instructions for configuring a DNS policy, visit https://technet.microsoft.com/en-us/windows-server-docs/networking/dns/deploy/dns-policies-overview.

Configure Domain Name System Security Extensions

The process of using DNSSEC has not changed significantly from Windows Server 2012 or Windows Server 2012 R2 to Windows Server 2016. If a zone is supported by an authoritative DNS server, you can secure the zone by using zone signing. By signing the zone with DNSSEC, you are validating the zone without changing any of the queries or responses of DNS. To validate a DNS response, the response must include a digital signature.
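The three-step DNS policy procedure above (subnets, then zone scopes and records, then policies), worked end to end for the traffic-management and filtering scenarios. This is an added example, not code from the book; it assumes this server hosts contoso.com, and uses constructed subnets 10.1.0.0/16 (Seattle) and 10.2.0.0/16 (Dallas) plus the documentation ranges 203.0.113.0/24 and 192.0.2.0/24 for the default answer and the blocked subnet.

```powershell
# Added example (not from the book). Assumed: zone contoso.com is hosted on this server;
# all subnets and addresses below are constructed sample values.
Import-Module DnsServer
$Zone = 'contoso.com'

# Step 1: client subnet objects that queries originate from.
Add-DnsServerClientSubnet -Name 'SeattleSubnet' -IPv4Subnet '10.1.0.0/16'
Add-DnsServerClientSubnet -Name 'DallasSubnet'  -IPv4Subnet '10.2.0.0/16'

# Step 2: one zone scope per site, each holding its own copy of the www record.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'SeattleScope'
Add-DnsServerZoneScope -ZoneName $Zone -Name 'DallasScope'
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'SeattleScope' -A -Name 'www' -IPv4Address '10.1.0.10'
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'DallasScope'  -A -Name 'www' -IPv4Address '10.2.0.10'
# The default scope answers every client that no policy matches.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address '203.0.113.10'

# Step 3: query resolution policies at zone level. ClientSubnet uses "EQ,<subnet name>",
# ZoneScope uses "<scope>,<weight>"; the lowest ProcessingOrder is evaluated first.
Add-DnsServerQueryResolutionPolicy -Name 'SeattlePolicy' -Action ALLOW `
    -ClientSubnet 'EQ,SeattleSubnet' -ZoneScope 'SeattleScope,1' -ZoneName $Zone -ProcessingOrder 1
Add-DnsServerQueryResolutionPolicy -Name 'DallasPolicy' -Action ALLOW `
    -ClientSubnet 'EQ,DallasSubnet' -ZoneScope 'DallasScope,1' -ZoneName $Zone -ProcessingOrder 2

# Filtering scenario: a server-level policy (no -ZoneName) that silently drops every query
# from a block-listed subnet, whatever zone it asks for.
Add-DnsServerClientSubnet -Name 'BlockedSubnet' -IPv4Subnet '192.0.2.0/24'
Add-DnsServerQueryResolutionPolicy -Name 'BlockListPolicy' -Action IGNORE -ClientSubnet 'EQ,BlockedSubnet'

# Review what was created: zone-level policies for contoso.com, then server-level ones.
Get-DnsServerClientSubnet | Select-Object Name, IPV4Subnet
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone |
    Select-Object Name, ProcessingOrder, Action, IsEnabled
Get-DnsServerQueryResolutionPolicy | Select-Object Name, Action, IsEnabled
# To verify, run from a client in each subnet:
#   Resolve-DnsName -Name www.contoso.com -Type A -Server <this DNS server>
# and confirm the answer changes with the client's subnet; 192.0.2.x clients get no reply.
```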
The signatures are contained in DNSSEC resource records that are created during zone signing. Figure 6-7 illustrates transforming regular DNS records to DNSSEC.

FIGURE 6-7 DNSSEC Illustration

The overall checklist for deploying DNSSEC includes:
1. Selecting a deployment method
2. Signing a DNS zone
3. Deploying trust anchors
4. Deploying DNS client policies
5. Deploying IPsec policies to protect zone transfers
6. Reviewing and managing name resolution

Configure DNS socket pool

The DNS socket pool randomizes the source port that is used with DNS queries. In Windows Server 2008, the DNS service used a predictable source port number. When using a socket pool, the DNS server randomly selects a port number to mitigate attacks on the server. Beginning with Windows Server 2012 R2, the DNS socket pool has 2,500 random ports enabled by default and does not typically require additional configuration. To modify the number of ports, use the dnscmd utility.

dnscmd /Config /SocketPoolSize 3000

Configure cache locking

With cache locking, when a DNS server receives a query and then provides a response, the response is cached locally so that it can respond more quickly to future requests. The timeout value for the cache is determined by the Time To Live (TTL) value of the DNS record that was obtained. Cache locking prevents the record from being overwritten if an update is received, until the TTL has expired. Cache locking was introduced in Windows Server 2008 R2 and has not changed significantly through to Windows Server 2016. By default, the cache locking percentage is set to 100. To modify the percentage, use dnscmd.

dnscmd /Config /CacheLockingPercent 90

Enable Response Rate Limiting (RRL)

Response Rate Limiting (RRL) is a new feature that is introduced with Windows Server 2016. RRL enables you to avoid Denial of Service (DoS) attacks on clients using the DNS server.
RRL provides configuration settings to control how to respond to requests when receiving numerous requests. This mitigates a DoS attack using the DNS servers. The following settings can be configured with RRL:
■ Responses per second  The maximum number of responses a single client receives in one second.
■ Errors per second  The maximum number of errors that are sent to a single client in one second.
■ Window  The number of seconds that responses are suspended if a server blocks a client.
■ Leak rate  Determines the frequency at which a DNS server responds to queries when requests are suspended. By default, if a server suspends a client for 10 seconds, the leak rate is 5. The DNS server responds to one of every five requests sent to the server.
■ TC rate  Informs the client that DNS requests have been suspended. By default, if the TC rate is 3, the server issues a request for a TCP connection for every 3 queries that are received. The TC rate should be configured lower than the leak rate to ensure that the client can connect using TCP before leaking responses.
■ Maximum responses  The maximum number of responses that the server issues to clients while in a suspended state.
■ White list domains  The list of domains that are excluded from RRL settings.
■ White list subnets  The list of subnets that are excluded from RRL settings.
■ White list server interfaces  The DNS server interfaces that are excluded from RRL settings.

By default, RRL is disabled. You can either set RRL to log only the effects a configuration would have, or enable the configuration. To enable or modify the RRL settings, use the Set-DnsServerResponseRateLimiting cmdlet. You can also use the Set-DnsServerRRL alias to reference the cmdlet.

Set-DnsServerRRL -Mode LogOnly

To create any of the white list objects, use the Add-DnsServerResponseRateLimitingExceptionList cmdlet.

Add-DnsServerResponseRateLimitingExceptionlist -Name "Whitelist1" -Fqdn "EQ,*.contoso.com"

Configure DNS-based Authentication of Named Entities

DANE is another new feature that is introduced with Windows Server 2016. DANE uses Transport Layer Security Authentication to tell DNS clients to expect a certificate from a Certification Authority for the DNS zone. This prevents a man-in-the-middle attack from presenting a different certificate to successfully corrupt DNS. For example, if the website www.contoso.com uses a certificate from a CA named TrustedCA, the DNS server would identify and record that the certificate is issued from that CA. Then, if a malicious redirect occurs sending users to a different web server that presents a certificate signed by ExternalCA, the connection would be aborted. This is because, by using DANE, the client is aware that the certificate that appears valid is not actually from the CA that is trusted and registered with DNS.

Configure DNS logging

Windows Server 2016 provides enhanced DNS logging and diagnostics compared to Windows Server 2012 R2. However, when additional logging is enabled, the performance of the server can be affected. There are two primary types of logging:
■ Diagnostic logging  Provides detailed data from the DNS server for requests that are sent and received. Logs can be gathered by using packet capture tools. Recommended only for temporary use when detailed information is necessary.
■ Audit and analytic event logging  DNS Audit events are logged by default, and DNS Analytic events are not logged. By default in Windows Server 2016, additional logging is enabled and can be viewed by using Event Viewer.

NEED MORE REVIEW? DNS LOGGING
For more information on DNS logging, visit https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx.
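Returning to Response Rate Limiting: a staged rollout of the settings listed in that section, LogOnly first and Enable only after review, with an exception list and a check that the TC rate stays below the leak rate. This is an added example, not the book's code; it assumes the server's own zone is contoso.com and uses a constructed monitoring subnet 10.0.5.0/24 that must never be throttled.

```powershell
# Added example (not from the book). Assumed: own zone contoso.com; constructed
# monitoring subnet 10.0.5.0/24 that must be exempt from RRL.
Import-Module DnsServer

# The RRL settings from the list above, as cmdlet parameters.
$rrl = @{
    ResponsesPerSec       = 5      # identical responses to one client per second
    ErrorsPerSec          = 5      # error responses to one client per second
    WindowInSec           = 5      # how long a client stays suspended
    LeakRate              = 4      # answer 1 in 4 queries while suspended
    TruncateRate          = 2      # send TC=1 to 1 in 2 queries so real clients retry over TCP
    MaxResponsesPerWindow = 1024   # total responses allowed to a suspended client per window
}
# The text's caveat: the TC rate must be lower than the leak rate, otherwise a legitimate
# client is leaked a UDP answer less often than it is told to retry over TCP.
if ($rrl.TruncateRate -ge $rrl.LeakRate) {
    throw "TruncateRate ($($rrl.TruncateRate)) must be lower than LeakRate ($($rrl.LeakRate))"
}

# Stage 1: LogOnly. Nothing is suspended; the DNS analytic log shows what would have been.
Set-DnsServerResponseRateLimiting @rrl -Mode LogOnly -Force

# Exceptions: the server's own names and the monitoring subnet. The subnet must exist as a
# client subnet object before it can be referenced with "EQ,<name>".
Add-DnsServerClientSubnet -Name 'MonitoringSubnet' -IPv4Subnet '10.0.5.0/24'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'RrlExceptions' `
    -Fqdn 'EQ,*.contoso.com' -ClientSubnet 'EQ,MonitoringSubnet'

# Review the configuration while it is still log-only.
Get-DnsServerResponseRateLimiting
Get-DnsServerResponseRateLimitingExceptionlist | Select-Object Name, Fqdn, ClientSubnet

# Stage 2: enforce once the LogOnly results show only abusive traffic would be affected.
Set-DnsServerResponseRateLimiting -Mode Enable -Force
Get-DnsServerResponseRateLimiting |
    Select-Object Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec, LeakRate, TruncateRate
```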
Configure delegated administration

There are three primary methods of delegating access to DNS:
■ The DnsAdmins Active Directory security group  The security group grants permission to the members of the group to manage any DNS server in an Active Directory domain.
■ Modifying the DNS server properties  If the DNS server is in a workgroup, or you plan to grant read-only permissions to some administrators, you can modify the properties of the DNS server.
■ Modifying the zone properties  Individual zones inherit the permissions from the DNS server. However, you can disable the inheritance or modify the permissions, similar to managing files and directories.

Figure 6-8 shows the default settings for the DnsAdmins security group on a DNS server.

FIGURE 6-8 Server level permissions

If you need to provide junior administrators the ability to view the DNS contents of the zones, create a new security group and assign the Read permission. You could also have a separate group that can create and update DNS objects, but not delete them. Modifying the properties of a zone is a similar process. The zone inherits the permissions that have been assigned at the server level. You can also add additional security groups that can manage the zone. Figure 6-9 shows the default properties of a forward lookup zone.

FIGURE 6-9 Zone level permissions

Configure recursion settings

As discussed in the earlier section "Configure root hints," recursive DNS queries use forwarders and referrals to identify a DNS record. By using a forwarder in DNS, the DNS server uses recursive queries by default. This enables the server to forward the DNS request for unknown domains to the next DNS server configured. The next server refers the request to a different DNS server if it, too, does not have information about the record. This process could continue a few times before locating a non-authoritative response for the request.
You can enable or disable recursion at the server level by using the Set-DnsServerRecursion cmdlet, or by using DNS Manager. Disabling recursion should be used in limited environments, as it can prohibit access to the Internet if not configured properly. Figure 6-10 shows the available options on the Advanced tab, including recursion.

FIGURE 6-10 Advanced DNS settings

In addition to enabling or disabling recursion, the PowerShell cmdlet also lets you configure specific recursion settings. For example, the RetryInterval setting specifies the amount of time in seconds before a DNS server uses recursion. By default, the RetryInterval is set to three seconds, but can be configured with a value from 1 to 15. Another configurable parameter is the AdditionalTimeout setting. This specifies the number of seconds that a DNS server waits after sending a recursive request to receive a response from the next DNS server. By default, this setting is set to four seconds, but accepts a value from 0 to 15.

Set-DnsServerRecursion -RetryInterval 2

Recursion can also be enabled or disabled for specified forwarders by using a recursion scope. A scope specifies a specific forwarder or forwarders to enable or disable recursion with. The Set-DnsServerRecursionScope cmdlet provides this option.

Set-DnsServerRecursionScope -Name "DisabledScope" -Forwarder 192.168.0.1 -EnableRecursion $False

Implement DNS performance tuning

Performance tuning is a relative topic, and depends on the size of the domain, the physical specifications of a server, network performance, number of requests, and more. It would be very challenging to create a question on the exam for performance that only had one correct answer, without obviously stating the problem and thus providing a clear and simple resolution.
Some simple methods of increasing DNS performance could include:
■ Modifying firewall properties  Ensure that UDP port 53 is allowed on each DNS server and has local only mapping enabled.
■ Increase the number of logical cores  The DNS service creates threads based on the total number of logical cores that are on the server. For a virtual machine, provide the maximum number of logical cores.
■ Set the UDP receive thread count to 8  Modify the UdpRecvThreadCount DWORD parameter that is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to ensure that all logical threads are used.
■ Maximize network adapter buffers  Set the receive buffers to "Maximum" by using the Set-NetAdapterAdvancedProperty cmdlet.

NEED MORE REVIEW? SOME DNS PERFORMANCE
The Windows Server Networking team tested performance of DNS on Windows Server 2012 R2. To review the results, visit https://blogs.technet.microsoft.com/networking/2015/08/13/name-resolution-performance-of-authoritative-windows-dns-server-2012-r2/.

Configure global settings using Windows PowerShell

The DNS module for Windows PowerShell has a total of 130 cmdlets that can be used to view or configure various components of a DNS server. Two of the cmdlets that have been added in Windows Server 2016 that we did not discuss in the previous sections include:
■ Add-DnsServerZoneTransferPolicy  Creates a new policy for zone transfers, and includes whether to deny or ignore a zone transfer. Associated cmdlets include Get-, Set-, and Remove-DnsServerZoneTransferPolicy.
■ Add-DnsServerResourceRecord  Updated to support unknown record types. Associated cmdlets include Get-, Set-, and Remove-DnsServerResourceRecord.
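The firewall, thread-count and receive-buffer items from the performance tuning list above, applied and read back. This is an added example, not the book's code; it assumes a local DNS server, an adapter named Ethernet whose driver exposes the *ReceiveBuffers keyword, and that the DNS service may be restarted.

```powershell
# Added example (not from the book). Assumed: local DNS server; adapter "Ethernet" whose
# driver exposes the *ReceiveBuffers keyword; the DNS service can be restarted.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$adapter   = 'Ethernet'

# Logical cores drive the DNS thread count, so report them before changing anything.
$cores = (Get-CimInstance Win32_Processor |
          Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
Write-Host "Logical cores: $cores"

# UDP receive threads: the recommended value is 8, capped at the core count on small VMs.
$threads = [Math]::Min(8, $cores)
New-ItemProperty -Path $dnsParams -Name 'UdpRecvThreadCount' -PropertyType DWord `
    -Value $threads -Force | Out-Null

# Receive buffers: use the largest value the driver advertises instead of hard-coding one.
$prop = Get-NetAdapterAdvancedProperty -Name $adapter -RegistryKeyword '*ReceiveBuffers'
$max  = ($prop.ValidRegistryValues | ForEach-Object { [int]$_ } |
         Measure-Object -Maximum).Maximum
if ($max) {
    Set-NetAdapterAdvancedProperty -Name $adapter -RegistryKeyword '*ReceiveBuffers' -RegistryValue $max
} else {
    Write-Warning "Driver for $adapter does not list valid *ReceiveBuffers values; set it manually."
}

# Firewall: an explicit inbound UDP 53 rule with local-only mapping, limited to the domain
# profile so the resolver port is not also opened on public networks.
$ruleName = 'DNS (UDP-In, local-only mapping)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP -LocalPort 53 `
        -Action Allow -Profile Domain -LocalOnlyMapping $true | Out-Null
}

# UdpRecvThreadCount is read when the service starts.
Restart-Service -Name DNS

# Read back what was applied.
Get-ItemProperty -Path $dnsParams -Name UdpRecvThreadCount | Select-Object UdpRecvThreadCount
Get-NetAdapterAdvancedProperty -Name $adapter -RegistryKeyword '*ReceiveBuffers' |
    Select-Object DisplayName, DisplayValue, RegistryValue
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Profile
```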
Implement and configure DNS servers CHAPTER 6 179 Chapter summary ■ Preparing for and installing the DNS Server role ■ Configuring forwarders and conditional forwarders for lookup zones ■ Using Root Hints to identify authoritative DNS servers ■ Configuring delegation for DNS ■ Implementing policies to be used by DNS servers and clients ■ Using security extensions to secure DNS ■ Explaining the Socket Pool and cache locking to mitigate DNS attacks ■ Enabling Response Rate Limiting to mitigate DNS attacks ■ Delegating administration to manage or view DNS for other administrators ■ Enabling, disabling, and configuring recursive DNS queries ■ Using Windows PowerShell to manage DNS servers and settings Thought Experiment A company has a production environment and a test environment. The production environment is in an Active Directory domain with DNS integrated into the domain. The test environment is in a workgroup with a separate DNS server. The company needs to prohibit the test environment from resolving any names in the production environment, but must use the production server as a name server for the Internet. The production servers must be configured to suspend responses to queries in the event of a DNS request flood. The test environment must also wait 10 seconds before using non-authoritative DNS servers. You must also enable a junior administrator to be able to view all objects and settings on the DNS server without enabling them to make changes. Given the above scenario, answer these questions. 180 1. What should be used to prohibit resolution between networks? 2. What should be used to suspend queries when flooded? 3. How should the junior administrator be granted permissions? 4. What must be configured in the test environment to wait 10 seconds for non-authoritative responses? CHAPTER 6 Implement DNS Thought Experiment Answers 1. You can disable recursion to prevent the test DNS server from using the forwarder. 
Use a scope to specify recursion for the specific forwarder.
2. Response Rate Limiting should be configured to suspend queries when the DNS server is flooded with requests.
3. The junior administrator can be delegated permissions based on a custom security group that only has the Read permission to the DNS server.
4. The test environment must have the recursion timeout setting modified to wait 10 seconds before using non-authoritative responses.

CHAPTER 7 Implement IP Address Management
In this chapter, we discuss how to install, configure, and use the built-in IP Address Management (IPAM) functionality. In past exams, IPAM was a major component of the exam skills that are tested. You should anticipate and be prepared to understand how to install and configure IPAM on Windows Server 2016.
Windows Server 2016 introduces new features to IPAM, including:
■ Enhanced DNS service management
■ Multiple Active Directory Domain Services forest support
■ Purge Utilization Data
■ Windows PowerShell cmdlets for Role-Based Access Control
IPAM in Windows Server 2016 also improves on the existing IP address management and the integrated DNS and DHCP management from the IPAM console.
Skills in this chapter:
■ Install and configure IPAM
■ Manage DNS and DHCP using IPAM

Skill 7.1: Install and configure IPAM
In this section, we explain how to install and configure the basic IPAM configuration. This includes the default database to use, provisioning the server and Group Policy settings, configuring server discovery, and setting IP addresses. We also explain how to back up and restore an IPAM database, which enables you to migrate that database from a previous version of Windows Server to Windows Server 2016. We also cover how to use a Microsoft SQL Server as the database engine, and how to integrate IPAM with System Center.
This section covers how to:
■ Provision IPAM manually or by using Group Policy
■ Configure server discovery
■ Create and manage IP blocks and ranges
■ Monitor utilization of IP address space
■ Migrate existing workloads to IPAM
■ Configure IPAM database storage using SQL Server
■ Determine scenarios for using IPAM with System Center Virtual Machine Manager for physical and virtual IP address space management

Provision IPAM manually or by using Group Policy
IPAM is a feature that can be added by using the Add Roles And Features wizard, or by using the Install-WindowsFeature cmdlet. After installing the feature, one of the first tasks that you must complete is to provision the IPAM server. Figure 7-1 shows the first configuration option when provisioning IPAM, which is to specify the database that is being used.
FIGURE 7-1 Configuring IPAM database
By default, IPAM uses a Windows Internal Database. We explain how to use a Microsoft SQL Server database later in this section. After configuring the database, you are prompted to select the provisioning type. There are two provisioning options:
■ Manual  This requires that the network shares, security groups, and firewall rules are created and managed individually on each server.
■ Group-Policy-based  This uses Group Policy Objects (GPOs) that are created in each domain that you plan to manage with IPAM. IPAM configures the GPOs as necessary, and the GPOs are applied to the servers in the domain. When using GPOs, the wizard asks for the prefix with which to name all GPOs. For example, if you specify IPAM as the prefix, a GPO is named IPAM_DHCP for managed DHCP servers.
Figure 7-2 shows selecting the provisioning method.
FIGURE 7-2 Selecting the IPAM provisioning method
EXAM TIP
If you select a GPO-based deployment, you cannot revert to a manual deployment. However, a manual deployment can be changed to GPO-based by using the Set-IpamConfiguration cmdlet.
You can provision the server by using the Invoke-IpamServerProvisioning cmdlet, then provision the GPOs by using the Invoke-IpamGpoProvisioning cmdlet.
Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix "IPAM"
# The prefix passed here must match the one used when provisioning the server
Invoke-IpamGpoProvisioning -Domain contosoforest.com -GpoPrefixName IPAM -IpamServerFqdn ipam.contosoforest.com
Choosing the manual deployment method requires you to manually create or configure different options on each managed server, including:
■ Network shares
■ Security groups
■ Firewall rules

DHCP servers
A managed DHCP server requires that all three options be configured on the server. Table 7-1 summarizes the firewall rules that must be configured on a managed DHCP server.
TABLE 7-1 DHCP server firewall changes
Firewall direction | Setting name                | Description
Inbound            | DHCP Server Management      | Access DHCP server configuration data
Inbound            | Remote Service Management   | Access DHCP server configuration data
Inbound            | File and Printer Sharing    | Access DHCP server utilization data
Inbound            | Remote Event Log Management | Access DHCP server logs
A universal security group must also be created in the domain with the name IPAMUG. The members of the security group must include the computer account objects for each DHCP server. Figure 7-3 shows the correct settings for the group.
FIGURE 7-3 IPAMUG Properties
Once created, the IPAMUG universal security group must be added to the DHCP Users and Event Log Readers security groups on each managed server. Figure 7-4 shows adding the group to the local groups on the DHCP server. If the server is also a domain controller, then the Event Log Readers group in the Builtin container should be used.
FIGURE 7-4 Event Log Readers Properties
The third configuration that must be made on a managed DHCP server is to create a network share of the %windir%\system32\dhcp directory, named dhcpaudit. Figure 7-5 shows the properties of the DHCP directory that has been shared.
FIGURE 7-5 DHCP directory properties
The permissions of the share must be modified to enable the IPAMUG universal security group to read the contents of the directory. Figure 7-6 shows the share permissions that are applied to the directory.
FIGURE 7-6 Dhcpaudit share permissions
After making the required group membership changes, you must restart the DHCP service. This ensures that the new permission levels are activated.

DNS Servers
Similar to DHCP servers, DNS servers require several configuration changes when deploying IPAM manually. These changes include:
■ Inbound firewall rules
■ Security group changes
■ Delegated DNS access
Table 7-2 summarizes the DNS server firewall changes.
TABLE 7-2 DNS server firewall changes
Firewall direction | Setting name                | Description
Inbound            | DNS Service                 | Discover managed DNS servers
Inbound            | Remote Service Management   | Manage DNS servers
Inbound            | Remote Event Log Management | Monitor DNS zones and services
Just as with a DHCP server, a DNS server must have the IPAMUG universal security group added to the Event Log Readers security group. Event log monitoring must also be enabled on a managed DNS server. To enable event log monitoring, perform these steps.
1. Open a PowerShell session, and run the following command.
   Get-ADComputer <IPAM Server Name>
2. Copy the SID value for the IPAM server to the clipboard, as shown in Figure 7-7.
FIGURE 7-7 Get-ADComputer cmdlet
3. On the DNS server, open the registry editor.
4. Navigate to the HKLM\System\CurrentControlSet\Services\EventLog\DNS Server hive.
5. Double-click the CustomSD key.
6. At the end of the value field, append the following to the string, replacing the SID with the value for your server. Figure 7-8 shows adding the value to the key.
   (A;;0x1;;;S-1-5-21-1910878678-1601286290-2698553502-1000)
FIGURE 7-8 CustomSD registry key
7. Click OK and then close the registry editor.
The third configuration for managed DNS servers is to add the IPAM server to the DnsAdmins security group. This ensures that the IPAM server can perform administrative tasks on the DNS server. Figure 7-9 shows that the IPAMUG, which contains the computer object for the IPAM servers, has been delegated rights to the DNS server.
FIGURE 7-9 DnsAdmins security group

Domain controller or NPS servers
For managed DCs or Network Policy Servers (NPS), similar configuration changes must be made. These servers must have the inbound Remote Event Log Management firewall rule enabled. The IPAMUG universal security group must be added to the Event Log Readers security group on both DCs and NPS servers.

Configure server discovery
After provisioning the IPAM server, the next step in the deployment process is to configure and start server discovery. Figure 7-10 shows the discovery set for the forest and root domain. To include the domain in discovery, click Add.
FIGURE 7-10 Configure server discovery
With Windows Server 2016, you can also manage other Active Directory forests if a two-way forest trust has been configured. After you click Add for the domain, you can configure whether to discover the domain controllers, DHCP servers, and DNS servers for the domain. You can also add the domain to be discovered by using the Add-IpamDiscoveryDomain cmdlet.
Add-IpamDiscoveryDomain -Name "contosoforest.com"
By default, after the servers in the environment are discovered, their manageability status is set to Unspecified. To configure a server as being managed, edit the server in the discovery list.
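The manual provisioning steps for a managed DHCP server and a managed DNS server described above, as an added script that is not part of the book. It assumes the domain CONTOSO, an IPAM server named IPAM1, and that it runs elevated on the DHCP or DNS server itself; the Event Log Readers step switches to the Builtin group when the server is a domain controller, as the text requires.

```powershell
# Added example (not from the book). Uses the ActiveDirectory, NetSecurity, SmbShare and
# Microsoft.PowerShell.LocalAccounts modules available on Windows Server 2016.
Import-Module ActiveDirectory
$ipamGroup  = 'CONTOSO\IPAMUG'     # assumed domain name
$ipamServer = 'IPAM1'              # assumed IPAM server name

# Domain-wide, once: the IPAMUG universal security group holding the managed
# servers' computer accounts and the IPAM server's own account.
if (-not (Get-ADGroup -Filter "Name -eq 'IPAMUG'")) {
    New-ADGroup -Name 'IPAMUG' -GroupScope Universal -GroupCategory Security
}
Add-ADGroupMember -Identity 'IPAMUG' `
    -Members (Get-ADComputer -Identity $env:COMPUTERNAME), (Get-ADComputer -Identity $ipamServer)

# Adds IPAMUG to a local group, or to the Builtin/domain group of the same name on a DC
# (DomainRole 4 or 5 = domain controller), which has no local groups of its own.
function Add-IpamGroupMembership([string]$GroupName) {
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        Add-ADGroupMember -Identity $GroupName -Members 'IPAMUG'
    } else {
        Add-LocalGroupMember -Group $GroupName -Member $ipamGroup -ErrorAction SilentlyContinue
    }
}

# Managed DHCP server: the four rule groups from Table 7-1, both local groups,
# the dhcpaudit share (read-only for IPAMUG), then a DHCP service restart.
function Set-IpamManagedDhcpServer {
    'DHCP Server Management', 'Remote Service Management',
    'File and Printer Sharing', 'Remote Event Log Management' |
        ForEach-Object { Enable-NetFirewallRule -DisplayGroup $_ -Direction Inbound }
    'DHCP Users', 'Event Log Readers' | ForEach-Object { Add-IpamGroupMembership $_ }
    if (-not (Get-SmbShare -Name 'dhcpaudit' -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name 'dhcpaudit' -Path "$env:windir\system32\dhcp" -ReadAccess $ipamGroup | Out-Null
    }
    Restart-Service -Name DHCPServer     # group membership changes take effect on restart
}

# Managed DNS server: the three rule groups from Table 7-2, Event Log Readers,
# the CustomSD ACE from steps 1-7, and DnsAdmins delegation.
function Set-IpamManagedDnsServer {
    'DNS Service', 'Remote Service Management', 'Remote Event Log Management' |
        ForEach-Object { Enable-NetFirewallRule -DisplayGroup $_ -Direction Inbound }
    Add-IpamGroupMembership 'Event Log Readers'

    # Grant the IPAM server's computer account read access (0x1) to the DNS Server
    # event log by appending an ACE with its SID to CustomSD, exactly once.
    $sid  = (Get-ADComputer -Identity $ipamServer).SID.Value
    $ace  = "(A;;0x1;;;$sid)"
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server'
    $sddl = (Get-ItemProperty -Path $path -Name CustomSD).CustomSD
    if ($sddl -notlike "*$sid*") {
        Set-ItemProperty -Path $path -Name CustomSD -Value ($sddl + $ace)
    }

    # Delegated DNS administration for the group that contains the IPAM server
    Add-ADGroupMember -Identity 'DnsAdmins' -Members 'IPAMUG'
}

# Call the function that matches the role installed on this server, e.g.:
# Set-IpamManagedDhcpServer
# Set-IpamManagedDnsServer
```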
Set the Manageability Status to Managed, as shown in Figure 7-11.
FIGURE 7-11 Edit server

Create and manage IP blocks and ranges
IPAM address blocks define the IPv4 or IPv6 addresses that are to be managed. IPAM automatically labels IPv4 blocks as either public or private based on Internet Assigned Numbers Authority (IANA) ranges. IP address blocks are typically divided into smaller chunks, named ranges. An IP address range can be used as a DHCP scope or as a pool of static addresses for hosts. Ranges consist of individual IP addresses. Figure 7-12 shows creating an IPv4 address block.
FIGURE 7-12 IPv4 address block
Adding a block of IP addresses can also be completed from PowerShell by using the Add-IpamBlock cmdlet.
Add-IpamBlock -NetworkId "10.0.0.0/8"
Adding a range of IP addresses is similar to creating a block. The range expects the network ID and either the subnet prefix or the subnet mask. Figure 7-13 shows creating an IPv4 address range.
FIGURE 7-13 IPv4 address block
Like a block of IP addresses, a range can be created by using the Add-IpamRange cmdlet.
Add-IpamRange -NetworkId "192.168.0.0/24"

Monitor utilization of IP address space
After you have added the blocks and ranges to the IPAM configuration, you can find available addresses in a few different ways. From the IPAM interface in Server Manager, right-click a range and then click Find and Allocate Available IP Address. The tool searches the IP address range for the next available IP address based on the search criteria, as shown in Figure 7-14.
FIGURE 7-14 Find and Allocate Available IP Address
After locating an available IP address, you can use the same tool to allocate that IP address as a DHCP reservation, create a DNS record, or provide any other custom configuration with the IP address.
The IP Address Blocks and IP Address Range Groups pages in the IPAM interface also display the utilization rate for each block or range. The three states that a block or range can be in are:
■ Under  If the IP address allocation is less than 20 percent, the block or range is considered under-utilized.
■ Optimal  If the IP address allocation is between 20 and 80 percent, the block or range is considered optimal.
■ Over  If the IP address allocation is over 80 percent, the block or range is considered over-utilized.
Figure 7-15 shows a portion of the IPAM interface that displays the utilization rate.
FIGURE 7-15 IP address range utilization
The under and over utilization rates can also be configured by modifying the utilization threshold for the IPAM configuration. From Server Manager, click Manage, and then click IPAM Settings. On the IPAM Settings screen, click Configure Utilization Threshold. Figure 7-16 shows the configuration screen for the threshold settings.
FIGURE 7-16 Configure IP Address Utilization Threshold
There are also three PowerShell cmdlets that can be used to identify available IP addresses.
■ Find-IpamFreeAddress  This cmdlet finds one or more available IP addresses that are in a range of addresses defined on the IPAM server.
■ Find-IpamFreeRange  This cmdlet finds free IP ranges that are available on the IPAM server.
■ Find-IpamFreeSubnet  This cmdlet finds free IP subnets that are available on the IPAM server.

Migrate existing workloads to IPAM
If you selected the default installation options when installing IPAM, the Windows Internal Database (WID) files are located in the %WINDIR%\System32\ipam\Database directory. There are two files: ipam.mdf and ipam_log.ldf. To migrate from an existing installation, follow these general steps:
1. Stop the WID service on the existing server.
2. Back up the IPAM database files on the existing server.
3. Install the IPAM feature on the new server, specifying the WID database type.
4. Stop the WID service on the new server.
5. Restore the database files from the backup.
6. Start the WID service on the new server.
After migrating the workload to a new server, or performing an in-place upgrade, use the Update-IpamServer cmdlet to update the IPAM schema for the new operating system. If you are using a Microsoft SQL Server to host the database on the existing server, you can simply specify that server during the IPAM installation on the new server. If you need to migrate the SQL database, use the Move-IpamDatabase cmdlet as explained in the next section.

Configure IPAM database storage using SQL Server
As mentioned in the earlier section named "Provision IPAM manually or by using Group Policy," a Microsoft SQL Server can also be used to store the IPAM database. The SQL Server instance and database must be created before they can be used with IPAM. IPAM uses the NT AUTHORITY\Network Service account for all operations, for either a WID or SQL Server database. To use a SQL Server, the Network Service account must be granted the following SQL roles:
■ db_datareader
■ db_datawriter
■ db_ddladmin
Additionally, the account must also be granted the Alter and View Database State permissions for dbo.
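The Find-IpamFreeAddress cmdlet from the list above, used in an added example (not from the book) that asks IPAM for several candidate addresses in a range, rejects any that answer a ping, and records the first remaining one as a static assignment so the range's utilization stays accurate. The range 192.168.0.1-192.168.0.254 and the device name are sample values; the PingStatus property and its "Reply" value on the cmdlet's output, and the utilization properties of Get-IpamRange, are assumptions about the object shape.

```powershell
# Added example (not from the book). Run on the IPAM server (IpamServer module).
function New-IpamStaticAssignment {
    param(
        [Parameter(Mandatory)][string]$StartIPAddress,
        [Parameter(Mandatory)][string]$EndIPAddress,
        [Parameter(Mandatory)][string]$DeviceName,
        [int]$Candidates = 5
    )
    $range = Get-IpamRange -AddressFamily IPv4 -StartIPAddress $StartIPAddress -EndIPAddress $EndIPAddress
    if (-not $range) { throw "Range $StartIPAddress-$EndIPAddress is not defined in IPAM" }

    # Ask for several candidates; -TestReachability pings each one so an address that is
    # in use on the wire but never recorded in IPAM is not handed out again.
    # (PingStatus / 'Reply' are assumed property and value names.)
    $free = $range | Find-IpamFreeAddress -NumAddress $Candidates -TestReachability |
        Where-Object { $_.PingStatus -ne 'Reply' } | Select-Object -First 1
    if (-not $free) { throw "No unreachable free address among the first $Candidates candidates" }

    # Record the allocation so the block/range utilization figures reflect it.
    Add-IpamAddress -IpAddress $free.IpAddress -AssignmentType Static -DeviceName $DeviceName `
        -Description "Allocated by script on $(Get-Date -Format s)" -PassThru
}

# Sample use with constructed values
$assigned = New-IpamStaticAssignment -StartIPAddress 192.168.0.1 -EndIPAddress 192.168.0.254 `
                -DeviceName 'srv-app01'
$assigned | Format-List IpAddress, DeviceName, AssignmentType

# Utilization of the range as IPAM now sees it (property names assumed)
Get-IpamRange -AddressFamily IPv4 -StartIPAddress 192.168.0.1 -EndIPAddress 192.168.0.254 |
    Format-Table NetworkId, PercentageUtilized, UtilizedAddresses, AssignedAddresses
```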
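The six WID migration steps above as an added script (not from the book): one function for the existing server and one for the new server. The WID service name MSSQL$MICROSOFT##WID and the database path are those of a default installation; the backup destination path is an assumed value.

```powershell
# Added example (not from the book). Run elevated on each server in turn.
$WidService   = 'MSSQL$MICROSOFT##WID'
$IpamDbFolder = Join-Path $env:windir 'System32\ipam\Database'
$IpamDbFiles  = 'ipam.mdf', 'ipam_log.ldf'

# Existing server: steps 1-2. The service is restarted even if the copy fails.
function Backup-IpamWidDatabase {
    param([Parameter(Mandatory)][string]$Destination)   # e.g. \\backup01\ipam\2016-12-01 (assumed)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Stop-Service -Name $WidService -Force                # step 1: release the files
    try {
        foreach ($f in $IpamDbFiles) {                   # step 2: copy both files
            Copy-Item -Path (Join-Path $IpamDbFolder $f) -Destination $Destination -Force
        }
        # Hashes let you confirm the restore used unmodified copies
        Get-ChildItem -Path $Destination -Filter 'ipam*' | Get-FileHash | Format-Table Path, Hash -AutoSize
    } finally {
        Start-Service -Name $WidService
    }
}

# New server, after step 3 (IPAM feature installed with the WID option): steps 4-6,
# then the schema update the text calls for.
function Restore-IpamWidDatabase {
    param([Parameter(Mandatory)][string]$Source)
    foreach ($f in $IpamDbFiles) {
        if (-not (Test-Path (Join-Path $Source $f))) { throw "Backup is missing $f" }
    }
    Stop-Service -Name $WidService -Force                # step 4
    try {
        foreach ($f in $IpamDbFiles) {                   # step 5: overwrite the empty database
            Copy-Item -Path (Join-Path $Source $f) -Destination $IpamDbFolder -Force
        }
    } finally {
        Start-Service -Name $WidService                  # step 6
    }
    Update-IpamServer                                    # bring the schema up to this OS version
}
```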
After the instance and database have been created, and you have assigned the appropriate permissions to the Network Service account, you can migrate the database to the SQL Server by using the Move-IpamDatabase cmdlet.
Move-IpamDatabase -DatabaseServer SQL1 -DatabaseName IPAMDB -DatabasePort 1433 -DatabaseAuthType Windows

Determine scenarios for using IPAM with System Center Virtual Machine Manager for physical and virtual IP address space management
IPAM can be integrated with System Center Virtual Machine Manager (VMM) to manage the logical networks and virtual machine networks in VMM. To configure VMM to integrate with IPAM, a dedicated user account must be created. The user account, or a group that contains the user account, must be granted the IPAM ASM Administrator role to enable VMM to manage IPAM. We explain the different role-based access control levels later in this chapter. After the user account is created, specify the account as a Run As account in VMM. Create a network service, specifying the Run As account, for the Microsoft IP Address Management Provider. VMM then connects to the IPAM server using the credentials that you specified. Table 7-1 compares the VMM names to the names of the objects used in IPAM.
TABLE 7-1 Comparing VMM and IPAM object names
VMM object name   | IPAM object name
Logical network   | Virtualized IP address space
Network site      | Virtualized IP address space
IP address subnet | IP address subnet
IP address pool   | IP address range
VM network        | Virtualized IP address space

Skill 7.2: Manage DNS and DHCP using IPAM
In this section, we discuss how to use IPAM to manage various aspects of DHCP and DNS. This includes the server properties, scopes, policies, and failover configuration to be used on the DHCP servers in the environment. The DNS options include server properties, zones, and individual records.
We also explain the new support for multiple AD DS forests, and how to delegate administration with RBAC.
This section covers how to:
■ Manage DHCP server properties using IPAM
■ Configure DHCP scopes and options
■ Configure DHCP policies and failover
■ Manage DNS server properties using IPAM
■ Manage DNS zones and records
■ Manage DNS and DHCP servers in multiple Active Directory forests
■ Delegate administration for DNS and DHCP using role-based access control

Manage DHCP server properties using IPAM
After configuring the IPAM environment and successfully managing the discovered servers, you can begin managing the individual services on these servers. Figure 7-17 shows the DNS and DHCP services that are on a discovered server.
FIGURE 7-17 Managed DHCP and DNS services
Right-clicking a service offers multiple options, including managing the DHCP server properties from IPAM. Figure 7-18 displays the Edit DHCP Server Properties configuration screen from the IPAM interface.
FIGURE 7-18 Edit DHCP Server Properties
The DHCP properties that can be modified include:
■ General  The only option from IPAM is to enable DHCP audit logging.
■ DNS Dynamic Updates  This enables dynamic updates on the server, and allows for additional configuration for name protection and lease options.
■ DNS Dynamic Update Credentials  The credentials that are used to register names with dynamic updates.
■ MAC Address Filters  Whether an allow or deny list is used for the DHCP server.

NEED MORE REVIEW? MORE ON DNS AND IPAM
For more information on managing DNS with IPAM, watch this presentation at https://channel9.msdn.com/Blogs/windowsserver/Windows-Server-2016-DNS-management-in-IPAM.

Configure DHCP scopes and options
When you right-click the DHCP service from the IPAM interface, you are presented with several options that involve configuring the scopes and options on the DHCP server.
Figure 7-19 shows a portion of the IPAM interface that displays the available options.
FIGURE 7-19 DHCP options in IPAM
The available options that can be configured from IPAM include:
■ Edit DHCP Server Options  These are the options that can be configured for the DHCP server.
■ Create DHCP Scope  This creates a new IPv4 DHCP scope on the DHCP server, including DNS updates and advanced options.
■ Configure Predefined DHCP Options  This enables you to create DHCP Standard Options for the server.
■ Configure DHCP User Class  This enables you to create user classes on the DHCP server.
■ Configure DHCP Vendor Class  This enables you to create vendor classes on the DHCP server.

Configure DHCP policies and failover
Configuring DHCP policies and failover is also performed by right-clicking the DHCP service from the IPAM console. Figure 7-12 also shows that you can manage DHCP policies from IPAM:
■ Configure DHCP Policy  Enables you to create a DHCP policy that contains criteria, conditions, and options for the specified policy.
■ Import DHCP Policy  Enables you to import an existing policy at either the server or scope level into the IPAM database.
■ Deactivate DHCP Policies  This deactivates the policies that are applied to the selected DHCP server.

Manage DNS server properties using IPAM
Managing DNS from the IPAM interface is performed the same way as DHCP, but with fewer options when you right-click the service. Figure 7-20 shows a portion of the IPAM interface with the available DNS options.
FIGURE 7-20 DNS options in IPAM
The available options include:
■ Launch MMC  This launches the DNS Manager MMC snap-in from the IPAM interface.
■ Create DNS zone  This enables you to create a forward or reverse lookup zone with advanced options directly from IPAM.
■ Create DNS Conditional Forwarder  This enables you to create a conditional forwarder with advanced options directly from IPAM.
■ Set Access Scope  Configure the access scope for the DNS server.
■ Retrieve Server Data  Obtain the latest data from the DNS server.

Manage DNS zones and records
Individual zones and records can be managed from the DNS Zones tab of the IPAM interface. Figure 7-21 shows a portion of the IPAM interface that displays the available DNS zone options.
FIGURE 7-21 DNS zone options in IPAM
The available DNS zone options that can be configured from the IPAM interface include:
■ Add DNS Resource Record  This creates a record, such as an A record, in the DNS zone.
■ Configure Preferred DNS Server  Select the authoritative DNS server for the DNS zone that is used by IPAM.
■ Reset Zone Status  Reset the status of the DNS zone in the IPAM database. Use the Retrieve Server Data option to collect the latest data from the DNS server.
■ Edit DNS Zone  Enables you to modify the name servers, scavenging, updates, and zone transfer settings for the zone.
■ Delete DNS Zone  Remove the zone from the DNS server.
■ Set Access Scope  Set the access scope on the IPAM server.

Manage DNS and DHCP servers in multiple Active Directory forests
In Windows Server 2012 R2, IPAM had to be in the same forest as the DNS and DHCP servers that were to be managed. With Windows Server 2016, IPAM can discover DNS and DHCP servers across forests, provided there is a two-way forest trust established. After the forest trust has been established, simply select the additional forests in the Configure Server Discovery dialog box to add domains from remote forests. Figure 7-22 shows the Configure Server Discovery screen. To identify additional forests, click the Get Forests button.
FIGURE 7-22 Configure server discovery
After the additional domains have been added to the IPAM database, the management process is the same regardless of which forest the server is in.
Delegate administration for DNS and DHCP using Role-Based Access Control (RBAC)
While the day-to-day tasks of managing and configuring IPAM are simple enough, the more complex aspect is understanding the different role-based security groups that are used with IPAM. Table 7-3 summarizes the available groups and their associated permission levels.
TABLE 7-3 IPAM role-based access control
Task                    | IPAM administrators | IPAM ASM administrators | IPAM IP audit administrators | IPAM MSM administrators | IPAM users
Server Inventory        | Manage              | Manage                  | Manage                       | Manage                  | View
IP Address Space        | Manage              | Manage                  | View                         | View                    | View
Monitor and Manage      | Manage              | View                    | View                         | Manage                  | View
Event Catalog           | View                | View                    | View                         | View                    | View
IP Address Tracking     | View                | Denied                  | View                         | Denied                  | Denied
Common management tasks | Manage              | Manage                  | Manage                       | Manage                  | Manage
The Access Control tab of the IPAM interface lists the available roles that are used with IPAM.
EXAM TIP
You should be familiar with each of these roles and the permissions that are granted as part of that role. A common question when permissions and roles are involved asks for the least privileged role that achieves a goal, to ensure that you do not over-assign permissions.
The IPAM roles that are listed on the Access Control tab include:
■ DNS Record Administrator Role  This enables management of the DNS resource records.
■ IP Address Record Administrator Role  This enables management of IP addresses, including locating unallocated addresses, as well as creating and deleting IP addresses.
■ IPAM Administrator Role  This provides all permissions to manage IPAM.
■ IPAM ASM Administrator Role  This provides permissions to manage the IP address spaces, blocks, subnets, ranges, and individual addresses.
■ IPAM DHCP Administrator Role  This provides the permission to manage a DHCP server and its associated scopes and options.
■ IPAM DHCP Reservations Administrator Role  This provides the permissions that are needed to manage DHCP reservations.
■ IPAM DHCP Scope Administrator Role  This provides the permissions to manage DHCP scopes.
■ IPAM DNS Administrator Role  This role provides the permission to manage a DNS server, zones, and records.
■ IPAM MSM Administrator Role  This role provides permissions to manage DHCP and DNS servers as well as the scopes and options for each service.

Chapter summary
■ How to deploy and provision IPAM and the required GPOs
■ Configuring server discovery to locate servers to be managed by IPAM
■ Creating and managing IP address blocks and ranges
■ Locating available IP addresses by using the interface and PowerShell
■ Moving and migrating a WID database to a new server
■ Moving the WID database to a Microsoft SQL Server database
■ Configuring IPAM with System Center VMM
■ Managing DHCP servers and scopes by using IPAM
■ Managing DNS servers and zones by using IPAM
■ Using IPAM to manage multiple forests
■ Role-based permissions that are used by IPAM

Thought Experiment
A company has a single Active Directory forest with multiple child domains. The company has partnered with another organization, and a two-way Active Directory forest trust has been established. The company plans to use IPAM with a Windows Internal Database, but needs to ensure that the database is part of the backup strategy. The following users must be configured to manage the IPAM environment. Each user must not have more permissions than are necessary.
■ User1 must be configured to manage IP address blocks.
■ User2 must be configured to manage DNS and DHCP servers.
■ User3 must be configured to manage IP address allocation in IPAM.
Using the above information, answer the following questions.
1. How many IPAM servers must be deployed to manage both forests?
2. How should the IPAM database be included in the backup strategy?
3. Which role should User1 be added to?
4. Which role should User2 be added to?
5. Which role should User3 be added to?

Thought Experiment Answers
1. One. With Windows Server 2016, IPAM can manage multiple Active Directory forests if a two-way trust has been established.
2. The MDF and LDF files, which are typically located in the %WINDIR%\System32\IPAM\Database directory, should be included in the backup.
3. User1 should be a member of the IPAM ASM Administrator Role. This enables the user to manage IP address blocks and ranges, but not other aspects of the IPAM configuration.
4. User2 should be a member of the IPAM MSM Administrator Role. This enables the user to manage DNS and DHCP without managing other aspects of IPAM.
5. User3 should be a member of the IPAM IP Address Record Administrator Role. This enables the user to manage IP address allocation within IPAM.

CHAPTER 8 Implement network connectivity and remote access solutions
This chapter covers one skill that is represented on the exam, which is implementing Virtual Private Networks (VPNs) and DirectAccess. This is a small portion of the exam, and has not changed significantly since Windows Server 2012 R2. The same protocols, authentication options, and DirectAccess requirements that exist in Windows Server 2012 R2 still apply to Windows Server 2016.
Skills in this chapter:
■ Implement Virtual Private Network and DirectAccess solutions

Implement Virtual Private Network and DirectAccess solutions
In this section, we discuss how to implement a VPN and DirectAccess solution. We explain the various VPN protocols and the authentication options that can be used with them. DirectAccess is also explained, including how to install and configure it using the available wizard.
This section covers how to:
■ Implement remote access and site-to-site VPN solutions using remote access gateway
■ Configure different VPN protocol options
■ Configure authentication options
■ Configure VPN reconnect
■ Create and configure connection profiles
■ Determine when to use remote access VPN and site-to-site VPN and configure appropriate protocols
■ Install and configure DirectAccess
■ Implement server requirements
■ Implement client configuration
■ Troubleshoot DirectAccess

Implement remote access and site-to-site VPN solutions using Remote Access Gateway
A remote access gateway, or RAS Gateway, is installed with the Remote Access server role. When installing the server role, there are three role services that can be included:
■ DirectAccess and VPN (RAS)  This installs the DirectAccess service to provide a method of seamless connectivity for client computers connecting to a corporate network. The VPN services enable encrypted tunnels to connect remote clients to corporate offices.
■ Routing  This enables support for NAT, BGP, RIP, and other multicast networks.
■ Web Application Proxy  This publishes web-based applications from the corporate network to remote devices. Web application proxies are commonly used with Active Directory Federation Services (AD FS) to authenticate users before granting access to applications. AD FS is explained in Chapter 11.
EXAM TIP
While the Web Application Proxy is commonly used with AD FS, the role service requires the Remote Access server role to be installed.
When configuring a RAS Gateway, there are a few different VPN options:
■ Site-to-site VPN  This connects two networks together, such as a branch office to a corporate office.
■ Point-to-site VPN  This enables individual remote connections from client computers to a corporate office.
■ Dynamic routing with Border Gateway Protocol (BGP)  BGP provides automatic route reconfiguration based on the routes that are connected from site-to-site VPNs.
■ Network Address Translation (NAT)  NAT enables you to share a single IP address to connect multiple devices to a network.
■ DirectAccess server  DirectAccess provides a method of seamless VPN services for client computers that are connecting to a corporate network.
The Remote Access server role can be installed by using the Add Roles and Features wizard, or by using the Install-WindowsFeature cmdlet. After installing the role, use the Routing and Remote Access MMC snap-in to manage the server role. The initial setup requires completing the Routing and Remote Access Server Setup Wizard. Figure 8-1 shows the default configuration of the RAS snap-in. Note that the server icon is showing as down because no configuration has been defined.
FIGURE 8-1 RAS snap-in
To perform the initial configuration on the RAS server, right-click the server and then select Configure And Enable Routing And Remote Access. Figure 8-2 shows the available options to configure the RAS server.
FIGURE 8-2 RAS Setup Wizard Configuration
To enable remote access and VPN access for remote clients, use the Remote Access option. The next configuration screen in the wizard prompts you to configure the server for the type of connection: VPN or Dial-up. Figure 8-3 shows selecting VPN as the connection type.
FIGURE 8-3 RAS Setup Wizard Remote Access
The next configuration option in the wizard is to bind the services to a specific network adapter. The available network adapters on the server are displayed. By default, when a network adapter is selected, the necessary firewall rules are enabled for the adapter to allow inbound traffic on the adapter.
Figure 8-4 shows the network adapter selection screen of the wizard.

FIGURE 8-4 RAS Setup Wizard VPN Connection

For clients to connect to the network, they must have an IP address that is either on the internal network or is routable to it. The RAS server can assign IP addresses to clients automatically by obtaining them from a DHCP server on the network (the RAS server leases a block of addresses on behalf of its clients), or you can define a specific range of IP addresses that the RAS server hands out only to remote clients. A dedicated static range makes remote clients easy to identify in firewall rules and logs. Figure 8-5 shows the IP Address Assignment screen of the wizard.

FIGURE 8-5 RAS Setup Wizard VPN IP Address Assignment

Finally, the last option in the wizard is to configure the authentication method for the remote clients. By default, the RAS server authenticates clients by using Windows Authentication, with Extensible Authentication Protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) as the enabled methods. Optionally, you can configure an external RADIUS server to authenticate the clients, or configure the RAS server itself to act as a RADIUS server. Figure 8-6 shows the authentication configuration during the wizard.

FIGURE 8-6 RAS Setup Wizard authentication options

You can also configure the RAS role by using the Install-RemoteAccess cmdlet:

    Install-RemoteAccess -VpnType Vpn

Configure different VPN protocol options

A RAS server supports a few different VPN protocols for connectivity. These protocols include:
■ Point-to-Point Tunneling Protocol (PPTP) PPTP encapsulates PPP frames in GRE and encrypts them with Microsoft Point-to-Point Encryption (MPPE), using encryption keys derived from MS-CHAP v2 or EAP-TLS authentication. PPTP can be used for remote access and site-to-site VPNs. PPTP with MS-CHAP v2 is considered broken (the MS-CHAP v2 exchange can be cracked offline), so it should only remain enabled where legacy clients leave no alternative.
■ Layer Two Tunneling Protocol (L2TP) L2TP tunnels traffic over any point-to-point network, including IP and Asynchronous Transfer Mode (ATM) connections. L2TP itself provides no encryption; it relies on IPsec in transport mode (L2TP/IPsec) for encryption and integrity instead of MPPE, with the IPsec peers authenticated by a pre-shared key or by machine certificates. Pre-shared keys are shared by every client, so certificates are the better choice where a PKI exists.
■ Secure Socket Tunneling Protocol (SSTP) SSTP is the newest of these protocols and tunnels PPP traffic over HTTPS (TCP port 443). This reduces the firewall footprint because a port that is usually already open is used for VPN traffic, and it passes through most NAT devices and web proxies. SSTP encapsulates the traffic over SSL/TLS to provide transport-level security; the server presents a certificate that clients must trust, so the certificate's subject has to match the name the clients connect to.
A RAS server also supports IKEv2, which is the protocol used by VPN Reconnect and is covered later in this section.

Configure authentication options

There are two primary authentication options that are used with a RAS server:
■ Windows authentication This method is used by default for VPN connections, and validates credentials against Active Directory or local accounts as part of the authentication process.
■ RADIUS authentication RADIUS authentication uses an external source for authentication and authorization services. The RAS server can itself be configured as a RADIUS server, or you can specify an external RADIUS server from the RAS server properties.

By default, Windows authentication is configured for RAS VPN services. When using Windows authentication, there are a few authentication methods that can be used:
■ Extensible Authentication Protocol (EAP) This method is enabled by default, and should be used if Network Access Protection (NAP) is also being used with the VPN service. EAP is also the method that carries certificate and smart card authentication (EAP-TLS and PEAP).
■ Microsoft Encrypted Authentication version 2 (MS-CHAP v2) This method is also enabled by default.
■ Encrypted authentication (CHAP) By default, this is disabled for VPN services.
■ Unencrypted password (PAP) By default, this is disabled for VPN services.
■ Allow machine certificate authentication for IKEv2 By default, this certificate-based authentication is disabled for VPN services.
■ Unauthenticated access By default, this is disabled for VPN services.
Leave CHAP, PAP and unauthenticated access disabled: CHAP requires reversibly encrypted passwords in Active Directory, PAP sends the password in the clear inside the tunnel negotiation, and unauthenticated access lets anyone who can reach the server obtain an internal address.
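The wizard steps described above, from role installation through the authentication methods, as an added PowerShell example; this is not code from the Exam Ref. It installs the role services, enables the VPN service, hands out addresses from a static pool, accepts only EAP and MS-CHAP v2 for user authentication (so PAP, CHAP and unauthenticated access stay off), and binds a server certificate for SSTP and IKEv2. The host name vpn.contoso.com, the 10.50.0.0/24 pool and the certificate subject are assumptions, and the parameter names are taken from the RemoteAccess module as documented for Windows Server 2016.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules RemoteAccess
# Added example (not from the Exam Ref). Assumed values: vpn.contoso.com, 10.50.0.0/24 pool.

# 1. Role services. DirectAccess-VPN carries the VPN service; Routing carries NAT/BGP/RIP.
#    Web-Application-Proxy is not installed: a VPN server has no need for it.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Enable the remote access VPN service (the wizard's Remote Access > VPN path).
#    VpnS2S would enable the site-to-site service instead.
Install-RemoteAccess -VpnType Vpn

# 3. Address assignment from a static pool that lies outside the LAN DHCP scope, so remote
#    clients are recognisable by address in firewall rules and logs.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange '10.50.0.10', '10.50.0.250'

# 4. User authentication: EAP (PEAP/EAP-TLS via NPS) and MS-CHAP v2 only.
#    PAP, CHAP and unauthenticated access are simply not listed, so they remain disabled.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2 -PassThru

# 5. Server certificate for the SSTP listener and for IKEv2 machine-certificate authentication:
#    the newest unexpired certificate with a private key for the assumed public name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.contoso.com*' -and $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable certificate for vpn.contoso.com in Cert:\LocalMachine\My' }
Set-VpnAuthProtocol -CertificateAdvertised $cert   # IKEv2 machine-certificate auth
Set-RemoteAccess -SslCertificate $cert             # SSTP (TLS) listener certificate

Restart-Service RemoteAccess

# 6. Verify what the server now accepts: user-auth protocols and the tunnel configuration.
Get-VpnAuthProtocol | Format-List UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised
Get-VpnServerConfiguration | Format-List
```

Run the script once on the freshly installed server; the verification output at the end should list only EAP and MSChapv2 under UserAuthProtocolAccepted. If PPTP is not needed by any client, disabling its ports in the Routing and Remote Access snap-in (Ports > Properties) removes the weakest listener from the server.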
Figure 8-7 shows the Authentication Methods dialog box with the default options selected.

FIGURE 8-7 Windows Authentication Methods

Configure VPN reconnect

VPN Reconnect was introduced with Windows 7 and Windows Server 2008 R2. DirectAccess has since become the recommended remote access method for domain-joined client computers, but VPN Reconnect remains the option for clients that cannot use DirectAccess. VPN Reconnect uses the IKEv2 tunneling protocol, and specifically its mobility and multihoming extension (MOBIKE), to provide seamless reconnection for mobile clients, whether a laptop is roaming between wireless access points or a mobile phone has been configured with a VPN connection. With other protocols, when the underlying connection is interrupted the VPN session is dropped, and the connection then has to be reestablished manually before resources on the network can be accessed. With VPN Reconnect, the client keeps its IPsec security association and reestablishes the tunnel automatically after the interruption, without prompting the user again. VPN Reconnect also uses any other available network adapter to reestablish the connection, so a laptop can move from Wi-Fi to a wired or cellular link without losing the tunnel.

Create and configure connection profiles

Remote connection profiles are used with System Center Configuration Manager and Microsoft Intune to enable users to access corporate resources, even from devices that are not domain joined. These devices include:
■ Windows-based personal computers
■ Android devices
■ iOS devices

With Intune, connection profiles enable you to deploy Remote Desktop Connection settings through the Company Portal. The portal is used to establish a Remote Desktop connection to either a Remote Desktop Services (RDS) server or to the user's own work computer on the network. Connection profiles can be used without Intune, but a VPN connection is then required for the remote desktop connection to reach the network.

NEED MORE REVIEW? THE SYSTEM CENTER CONFIGURATION MANAGER
For more information on connection profiles with System Center Configuration Manager, visit https://technet.microsoft.com/en-us/library/dn261225.aspx.
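The client side of VPN Reconnect as an added PowerShell example, not code from the Exam Ref: a device-wide IKEv2 connection that authenticates with a machine certificate and pins its IPsec proposal, so the tunnel can be resumed by MOBIKE without a credential prompt and without negotiating down to weaker algorithms. The connection name, the server name vpn.contoso.com and the chosen algorithm set are assumptions; the cmdlets are from the VpnClient module.

```powershell
#Requires -Modules VpnClient
# Added example (not from the Exam Ref): IKEv2 profile for VPN Reconnect. Names are assumptions.

$name   = 'Contoso IKEv2'
$server = 'vpn.contoso.com'

function New-ContosoIkev2Profile {
    # Remove a stale profile of the same name so the script is repeatable.
    if (Get-VpnConnection -Name $name -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $name -AllUserConnection -Force
    }
    # -AllUserConnection stores the profile in the machine phonebook, which is required for
    # machine-certificate authentication and for connecting before a user logs on.
    # Split tunneling is left off, so all client traffic goes through the corporate network.
    Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
        -AllUserConnection -Force -PassThru

    # Pin the IPsec proposal to AES-256/SHA-256 with 2048-bit DH and PFS. Without a custom
    # policy the client may accept whatever weaker default the server proposes.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $name -AllUserConnection `
        -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force
}

function Get-ContosoIkev2ProfileReview {
    # The settings that matter for a security review of the profile.
    $vpn = Get-VpnConnection -Name $name -AllUserConnection
    $vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                         EncryptionLevel, SplitTunneling, ConnectionStatus
    $vpn.IPsecCustomPolicy
}

New-ContosoIkev2Profile
Get-ContosoIkev2ProfileReview
# Connect with:  rasdial "Contoso IKEv2"    (no user credentials with machine certificates)
```

The client must hold a computer certificate whose issuing CA the VPN server trusts, and the server's own certificate must chain to a CA in the client's Trusted Root store; with IKEv2 a name mismatch or an untrusted chain fails the connection before any reconnect logic is reached.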
Determine when to use remote access VPN and site-to-site VPN and configure appropriate protocols

A remote access (point-to-site) VPN serves individual users and devices: a single client builds a tunnel to the gateway, authenticates as a user or machine, and receives an address from the pool. A site-to-site VPN connects whole networks: two gateways build one tunnel and route the subnets behind them, and individual computers are not aware of it. Use remote access VPN for mobile workers and devices that cannot use DirectAccess, and site-to-site VPN for branch offices, partner networks, or cloud virtual networks. For site-to-site connections, prefer IKEv2 with certificate authentication (or L2TP/IPsec where the remote device supports nothing newer); for remote access, IKEv2 gives reconnection and SSTP passes restrictive firewalls, while PPTP should be treated as legacy.

The recommended deployment scenarios for a RAS gateway include:
■ Single tenant edge Connect an edge device in the network of a single tenant, either a corporate or branch office network, with another network over the Internet. This can be combined with BGP to provide dynamic routing based on the available connections, and with Direct­Access so that remote client computers can reach any resource on the network regardless of their physical location.
■ Multitenant edge A RAS gateway for multitenant environments enables a cloud provider to offer each tenant the same features as a single tenant gateway, including BGP, site-to-site and point-to-site VPN, and NAT. The primary difference is that the gateway keeps each tenant's traffic separate, filtering or routing it based on the tenant that is being accessed.

Single tenant mode
Most corporate environments use single tenant mode. In single tenant mode, a RAS gateway can be deployed as an edge device for a VPN server, a DirectAccess server, or both. The RAS gateway gives remote client computers multiple options for connecting back to the corporate network.

Multitenant mode
If multiple tenants hosted in the datacenter are being accessed, then multitenant mode should be used. Multitenancy enables a datacenter to provide a cloud infrastructure that supports virtual machine workloads, virtual networks, and storage for several customers at once. Virtual networks can be created by using Hyper-V Network Virtualization, and a RAS gateway can be integrated with the Hyper-V Network Virtualization stack to route network traffic to the virtual network of the tenant being accessed. With Windows Server 2016, a RAS gateway can route traffic to any resource within a private or hybrid cloud network, between physical and virtual networks, at any location.
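A single tenant edge deployment of the kind described above, as an added PowerShell example rather than code from the Exam Ref: a branch-office RAS Gateway builds a persistent IKEv2 site-to-site interface to head office and exchanges routes over BGP, so that new head-office subnets become reachable without touching the branch configuration. The gateway names, addresses, private ASNs and the pre-shared key prompt are assumptions; the cmdlets are from the RemoteAccess module.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules RemoteAccess
# Added example (not from the Exam Ref): branch gateway to head office, IKEv2 S2S plus BGP.

$hq        = 'vpn-hq.contoso.com'   # head-office gateway public name (assumed)
$hqBgpIp   = '10.0.0.1'             # head-office BGP speaker, reachable only via the tunnel
$myBgpIp   = '10.20.0.1'            # this branch gateway's internal address
$branchNet = '10.20.0.0/16'

function Enable-SiteToSite {
    Install-RemoteAccess -VpnType VpnS2S

    # Pre-shared key for the lab only. Production should use -AuthenticationMethod
    # MachineCertificates so there is no shared secret sitting in the configuration.
    $secure = Read-Host -AsSecureString 'Pre-shared key'
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $psk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # Only the peer's BGP address is routed statically through the tunnel (subnet:metric);
    # every other prefix is learned dynamically from HQ.
    Add-VpnS2SInterface -Name 'HQ' -Destination $hq -Protocol IKEv2 `
        -AuthenticationMethod PSKOnly -SharedSecret $psk `
        -IPv4Subnet "$hqBgpIp/32:100" -Persistent -PassThru
    Connect-VpnS2SInterface -Name 'HQ'
}

function Enable-BranchBgp {
    # Private ASNs (64512-65534) for both sites; values assumed.
    Add-BgpRouter -BgpIdentifier $myBgpIp -LocalASN 65020
    Add-BgpPeer -Name 'HQ' -LocalIPAddress $myBgpIp -PeerIPAddress $hqBgpIp -PeerASN 65010
    Add-BgpCustomRoute -Network $branchNet     # advertise the branch subnet to HQ
}

function Get-BranchConnectivityState {
    # Tunnel state first, then the BGP session and the routes learned from HQ.
    Get-VpnS2SInterface -Name 'HQ' |
        Format-List Name, ConnectionState, Destination, Protocol, IPv4Subnet
    Get-BgpPeer | Format-Table Name, PeerIPAddress, PeerASN, ConnectivityStatus
    Get-BgpRouteInformation | Format-Table Network, NextHop, LearnedFromPeer, State
}

Enable-SiteToSite
Enable-BranchBgp
Get-BranchConnectivityState
```

Head office runs the mirror image (its own S2S interface pointing at the branch, a BGP router in AS 65010 with the branch as a peer). Because the BGP session itself only runs inside the IPsec tunnel, a route can only be injected by a peer that has already authenticated to the gateway.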
Install and configure DirectAccess

DirectAccess is a component of the Remote Access server role that provides seamless connectivity for remote, domain-joined clients to a corporate network. After configuring the RAS role on a server, DirectAccess can be enabled from the Routing and Remote Access MMC snap-in, from the Remote Access Management Console, or by using Windows PowerShell. Figure 8-8 shows the Remote Access Management Console, where DirectAccess can be enabled from the Tasks panel.

FIGURE 8-8 Remote Access Management Console

Enabling DirectAccess launches the Enable DirectAccess Wizard. One of the first steps of the wizard is a prerequisite check on the server on which you are enabling DirectAccess. If the check succeeds, the wizard lets you continue with the configuration. The first configuration item in the wizard is to select the security groups that contain the computer objects for which DirectAccess is enabled. You can also choose to enable DirectAccess only for mobile computers, or to force tunneling so that all Internet traffic from the client computer is routed through the corporate network rather than going directly to the Internet. Figure 8-9 shows the configuration options for DirectAccess groups.

FIGURE 8-9 Selecting DirectAccess computer groups

Next, you identify the topology of the DirectAccess implementation. The RAS server can be in one of three configurations:
■ Edge The RAS server is directly connected to the Internet with no firewall or NAT device in front of it. This topology needs two consecutive public IPv4 addresses on the external adapter so that Teredo can be offered to clients.
■ Behind An Edge Device (With Two Network Adapters) The RAS server is behind a network firewall or NAT device and has two network adapters. One network adapter is on the perimeter network facing the firewall; the second network adapter is on the corporate internal network.
■ Behind An Edge Device (With A Single Network Adapter) The RAS server is behind a network firewall or edge device.
The single network adapter on the RAS server is connected to the internal corporate network, and the edge device forwards the clients' traffic to it. In this topology only IP-HTTPS (TCP port 443) is available as the transition technology; Teredo and 6to4 require a public IPv4 address on the server.

For any topology, the public FQDN or IP address that clients use to connect must be specified. Figure 8-10 shows the network topology configuration in the wizard.

FIGURE 8-10 Specifying the network topology

After selecting the network topology, you can configure the DNS suffix search list that is used by DirectAccess clients. This is similar to setting a suffix search list from DHCP. Any time a DirectAccess client uses a single-label name, such as Server1, the client appends each suffix from the list in turn until a response is found for the resulting FQDN. The order of the list therefore matters: as soon as a match is found, the remaining suffixes are skipped. If two Server1 records exist in different zones, the one whose suffix appears first in the list is returned to the DirectAccess client. Figure 8-11 shows configuring DirectAccess with the domain name and an additional domain.

FIGURE 8-11 Specifying the network topology

The final step is to configure the Group Policy Objects (GPOs) that are used to apply the DirectAccess policies. Two GPOs are created and linked to the domain:
■ DirectAccess client GPO This contains the client settings for the DirectAccess clients, and is security-filtered to the computer groups selected earlier.
■ DirectAccess server GPO This contains the RAS server settings for the DirectAccess server.

Figure 8-12 shows the confirmation to create the two new GPOs in the domain.

FIGURE 8-12 GPO Configuration

Implement server requirements

For the exam, this topic is slightly vague as to which requirements are meant. For this book, we assume that you are familiar with the DirectAccess prerequisites. These include:
■ Windows Firewall enabled for all network adapter profiles. DirectAccess builds its IPsec tunnels with Windows Firewall connection security rules, so disabling the firewall on any profile breaks the tunnels.
■ All versions of Windows Server beginning with Windows Server 2008 R2 are supported as DirectAccess servers.
■ Enterprise editions of the Windows client beginning with Windows 7 are supported as DirectAccess clients. Windows 7 clients require computer certificates (a PKI) because they cannot use the Kerberos proxy.
■ Force tunneling combined with the single-server Kerberos proxy (KerbProxy) authentication is not supported; force tunneling requires computer certificate authentication.
■ Changing policies by using any method other than the DirectAccess Management Console or Windows PowerShell is not supported. Do not edit the DirectAccess GPOs directly.

NEED MORE REVIEW? DEPLOYING DIRECTACCESS
For more information on the prerequisites for deploying DirectAccess, visit https://technet.microsoft.com/en-us/windows-server-docs/networking/remote-access/directaccess/prerequisites-for-deploying-directaccess.

Implement client configuration

Similar to the previous section, "Implement server requirements," the client configuration objective is also vague. In a best practice configuration, the DirectAccess client GPO configures all of the client components that the client needs to connect to the DirectAccess server, so no manual client configuration is required. It is possible to configure a domain-joined computer manually if it has not yet received the GPO settings (for example, because it has not connected to the domain network since the GPO was created). In that case, the client must be configured with a few different settings:
■ The Teredo client must be set to the first public IPv4 address of the DirectAccess server.
■ The 6to4 relay must be set to the first public IPv4 address of the DirectAccess server.
■ The IP-HTTPS client must be enabled and configured with the server's IP-HTTPS URL.
Additionally, the Name Resolution Policy Table (NRPT) must be configured with the DNS suffix of the corporate intranet and the IPv6 address of the DirectAccess DNS server, so that intranet names are resolved through the tunnel and never sent to the local ISP resolver.

NEED MORE REVIEW? DIRECTACCESS CLIENT CONFIGURATION
For details on performing a manual DirectAccess client configuration, visit https://technet.microsoft.com/en-us/library/ee649267(WS.10).aspx.

Troubleshoot DirectAccess

Troubleshooting DirectAccess can be performed from either the Remote Access Management Console or by using Windows PowerShell.
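The Enable DirectAccess Wizard, the manual client configuration and the PowerShell troubleshooting checks from the sections above, as one added PowerShell example; none of it is code from the Exam Ref. The first function runs on the RAS server, the second on a domain-joined client that has not received the client GPO, and the last two are the health checks on each side. The public name da.contoso.com, the adapter and GPO names, the security group, and all addresses are assumptions; the cmdlets are from the RemoteAccess, NetworkTransition and DnsClient modules.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Exam Ref). All names, addresses and groups are assumptions.

function Install-ContosoDirectAccess {
    # Server side. Topology "behind an edge device, two adapters"; -ConnectToAddress is the
    # public name clients use and must match the IP-HTTPS certificate. -DeployNat adds NAT64/DNS64.
    Install-RemoteAccess -DAInstallType Full -ConnectToAddress 'da.contoso.com' `
        -InternalInterface 'Internal' -InternetInterface 'External' `
        -ClientGpoName 'contoso.com\DirectAccess Client Settings' `
        -ServerGpoName 'contoso.com\DirectAccess Server Settings' -DeployNat -Force

    # Client scope: only the selected group, only laptops/tablets, no force tunneling
    # (force tunneling is unsupported with the Kerberos proxy and needs certificate auth).
    Add-DAClient -SecurityGroupNameList 'contoso\DirectAccess Clients'
    Set-DAClient -OnlyRemoteComputers Enabled -ForceTunnel Disabled

    # DNS suffix for single-label names; the primary corporate suffix goes first because the
    # first match wins. 2001:db8:1::53 stands in for the internal DNS64 address.
    Add-DAClientDnsConfiguration -DnsSuffix '.corp.contoso.com' -DnsIPAddress '2001:db8:1::53'
}

function Set-ContosoDAClientManual {
    param(
        [string]$ServerIPv4 = '203.0.113.10',     # first public IPv4 address of the DA server
        [string]$ServerUrl  = 'https://da.contoso.com:443/IPHTTPS',
        [string]$Suffix     = '.corp.contoso.com',
        [string]$Dns64      = '2001:db8:1::53'
    )
    # Client side: the three transition technologies that the client GPO would normally set.
    Set-NetTeredoConfiguration -Type EnterpriseClient -ServerName $ServerIPv4
    Set-Net6to4Configuration -RelayName $ServerIPv4 -State Enabled
    $existing = Get-NetIPHttpsConfiguration -ErrorAction SilentlyContinue |
        Where-Object ProfileName -eq 'DirectAccess'
    if (-not $existing) {
        New-NetIPHttpsConfiguration -ProfileName 'DirectAccess' -ServerURL $ServerUrl `
            -State Enabled -Type Client
    }
    # NRPT: the intranet namespace is resolved only at the DNS64 address over the tunnel.
    # -DAProxyType can instead send a namespace through a named proxy (UseProxyName).
    Add-DnsClientNrptRule -Namespace $Suffix -DirectAccessEnabled `
        -DANameServers $Dns64 -DAProxyType NoProxy
}

function Get-ContosoDAServerHealth {
    # Server side: the same component health the Remote Access Management Console shows.
    Get-RemoteAccessHealth | Where-Object HealthState -ne 'OK' |
        Format-Table Component, HealthState, TimeStamp
}

function Get-ContosoDAClientState {
    # Client side: which transition technology is up, and what DirectAccess itself reports.
    Get-DAConnectionStatus
    Get-NetTeredoState  | Format-List State, Type, Error
    Get-NetIPHttpsState | Format-List InterfaceStatus, LastErrorCode
    Get-DnsClientNrptRule | Format-List Namespace, DirectAccess*
}
```

Dot-source the file and call the function that matches the machine you are on. On a client, Get-DAConnectionStatus returning anything other than ConnectedRemotely while Get-NetIPHttpsState shows InterfaceStatus of "IPHTTPS interface active" usually points at the NRPT or the IPsec tunnel rather than at the transport.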
You can also use the Remote Access Best Practices Analyzer to identify warnings or errors, then follow the provided steps to fix the issue. Some DirectAccess fixes involve modifying the registry; the specific registry values do not need to be memorized for the exam. Overall, you should be able to:
■ Restore a DirectAccess configuration using PowerShell
■ Refresh a DirectAccess configuration using PowerShell
■ Troubleshoot client connection issues
■ Configure a proxy for an NRPT rule

NEED MORE REVIEW? TROUBLESHOOT DIRECTACCESS WITH WINDOWS SERVER 2016
For details on troubleshooting DirectAccess with Windows Server 2016, visit https://technet.microsoft.com/en-us/windows-server-docs/networking/remote-access/directaccess/troubleshooting-directaccess.

Chapter summary
■ Implementing the Remote Access server role
■ Configuring VPN options by using the RAS server role
■ Configuring authentication options through Windows or RADIUS authentication
■ Using VPN Reconnect to automatically reconnect mobile clients
■ Setting connection profiles by using Intune or System Center
■ Understanding scenarios for single tenant and multitenant deployments
■ Installing and configuring the DirectAccess service
■ Implementing prerequisites for DirectAccess
■ Using GPOs to manage client configuration
■ Understanding basic troubleshooting methods for DirectAccess

Thought Experiment
A company has a corporate office and three branch offices. The corporate office has approximately 10,000 client computers. Each branch office has approximately 1,000 client computers. Each branch office must have connectivity to the corporate office. The company also employs 1,000 sales and field staff who must connect remotely to the corporate network. All mobile clients run Windows 8.1 or Windows 10 Enterprise editions. Executive-level staff must have the ability to connect to the corporate network using their home computers, which are not domain joined.
IT staff must have the ability to VPN into the corporate network using SSL. Using the above scenario, answer the following questions.
1. How should the sales and field staff connect to the corporate office?
2. How should executive-level staff connect to the corporate network?
3. How should the branch offices connect to the corporate office?
4. Which VPN protocol should the IT staff use for the VPN connection?

Thought Experiment Answers
1. Sales and field staff should connect using DirectAccess for the most seamless experience; their computers run Windows 8.1 or Windows 10 Enterprise, which are supported DirectAccess clients.
2. Executive-level staff should use a company portal to access corporate resources from computers that are not domain joined, because DirectAccess requires domain-joined clients.
3. The branch offices should be configured with a site-to-site VPN to connect to the corporate office.
4. IT staff should use the SSTP protocol, as it is the only protocol that connects using SSL.

CHAPTER 9 Implement an advanced network infrastructure

In this chapter, we review the new features and skills that can be used with a network infrastructure in Windows Server 2016. From a networking perspective, the primary change in Windows Server 2016 is in the Software Defined Networking (SDN) components. These updates include the ability to:
■ Mirror and route traffic to new or existing appliances
■ Dynamically segment workloads, similar to Microsoft Azure
■ Use a distributed firewall and network security groups
■ Deploy and manage the SDN with System Center Virtual Machine Manager
■ Combine SDN with Docker for container networking

Windows Server 2016 also includes enhancements to the TCP stack; however, these changes are not called out in the exam skills.
These improvements include:
■ Increasing the initial congestion window from 4 to 10 segments
■ TCP Fast Open (TFO), enabled to reduce the time needed to establish a TCP connection
■ TCP Tail Loss Probe (TLP), implemented to assist in recovering from packet loss at the end of a transmission
■ Recent Acknowledgement (RACK), implemented to detect and retransmit lost packets sooner

Skills in this chapter:
■ Implement high performance network solutions
■ Determine scenarios and requirements for implementing Software Defined Networking

Skill 9.1: Implement high performance network solutions

In this section, we discuss and outline the various high performance networking solutions that can be used with Windows Server 2016. This includes teaming network adapters with virtual switches and making individual network adapter configuration changes to enhance performance.

This section covers how to:
■ Implement NIC Teaming or the Switch Embedded Teaming solution and identify when to use each.
■ Enable and configure Receive Side Scaling and enable and configure virtual Receive Side Scaling on a Virtual Machine Queue capable network adapter.
■ Enable and configure network Quality of Service with Data Center Bridging.
■ Enable and configure SMB Direct on Remote Direct Memory Access enabled network adapters.
■ Enable and configure SMB Multichannel.
■ Enable and configure Virtual Machine Multi-Queue.
■ Enable and configure Single-Root I/O Virtualization on a supported network adapter.

Implement NIC Teaming or the Switch Embedded Teaming solution and identify when to use each

NIC Teaming (also called LBFO, for load balancing and failover) was introduced in Windows Server 2012 as a method of load balancing and failover for individual server hosts. NIC Teaming enables you to use two or more network adapters (up to 32) to provide bandwidth aggregation, or failover between adapters or external switches. With Windows Server 2016, Switch Embedded Teaming (SET) can be used with Hyper-V virtual switches to team up to eight network adapters directly inside the virtual switch, with no separate team object. Use SET when the team exists to serve a Hyper-V virtual switch, and in particular when RDMA, VMMQ or the SDN features in this chapter are needed, because none of those work on top of an LBFO team. Use NIC Teaming for physical servers that do not host a virtual switch, and wherever a switch-dependent mode such as LACP is required, because SET supports only switch-independent teaming.
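The teaming decision above, together with the host and virtual machine acceleration settings that the rest of this skill describes (RSS, vRSS, VMQ, VMMQ and SR-IOV), as one added PowerShell example; this is not code from the Exam Ref and goes beyond the teaming step so that the per-VM settings can be seen next to the switch they depend on. The adapter names NIC1 and NIC2, the switch and VM names, and the processor numbers are assumptions; the cmdlets are from the NetLbfo, Hyper-V and NetAdapter modules.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules NetLbfo, Hyper-V, NetAdapter
# Added example (not from the Exam Ref). Adapter, switch and VM names are assumptions.

$members = 'NIC1', 'NIC2'     # physical adapters, as listed by Get-NetAdapter

function New-PhysicalHostTeam {
    # LBFO: for a host without a Hyper-V switch on the team, or when the upstream switch
    # requires LACP (SET cannot do switch-dependent modes).
    New-NetLbfoTeam -Name 'Team1' -TeamMembers $members `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false
}

function New-HyperVHostSet {
    # SET: the team lives inside the virtual switch, so RDMA, VMMQ and SDN policies work.
    # -EnableIov is set here because it cannot be turned on after the switch exists.
    $sw = New-VMSwitch -Name 'vSwitchSET' -NetAdapterName $members `
        -EnableEmbeddedTeaming $true -EnableIov $true -AllowManagementOS $false
    Set-VMSwitchTeam -Name 'vSwitchSET' -TeamingMode SwitchIndependent `
        -LoadBalancingAlgorithm Dynamic
    # Host management vNIC on the SET switch, kept separate from VM traffic.
    Add-VMNetworkAdapter -ManagementOS -SwitchName 'vSwitchSET' -Name 'Mgmt'
    Get-VMSwitchTeam -Name 'vSwitchSET'
    return $sw
}

function Enable-HostRss {
    # RSS on the physical adapters. Core 0 (and its hyper-thread) is left for the OS by
    # starting at processor 2; MaxProcessors bounds how far the queues spread. Values assumed.
    foreach ($nic in $members) {
        Enable-NetAdapterRss -Name $nic
        Set-NetAdapterRss -Name $nic -BaseProcessorNumber 2 -MaxProcessors 8
        Enable-NetAdapterVmq -Name $nic     # VMQ is the prerequisite for vRSS and VMMQ
    }
    Get-NetAdapterRss -Name $members | Format-Table Name, Enabled, MaxProcessors
}

function Set-VMAcceleration {
    param([string]$VMName = 'Web01')   # assumed VM with several vCPUs and a 64-bit guest
    # vRSS/VMMQ: spread the VM's receive traffic across host cores using hardware queues.
    Set-VMNetworkAdapter -VMName $VMName -VrssEnabled $true -VmmqEnabled $true -VmmqQueuePairs 4
    # SR-IOV: the VM talks to a Virtual Function directly, bypassing the virtual switch
    # and therefore also bypassing any port ACLs or switch extensions applied there.
    Set-VMNetworkAdapter -VMName $VMName -IovWeight 100 -IovQueuePairsRequested 2
    Get-VMNetworkAdapter -VMName $VMName |
        Format-List VrssEnabled, VmmqEnabled, VmmqQueuePairs, IovWeight, IovQueuePairsRequested, Status
}

# Typical Hyper-V host sequence:
#   New-HyperVHostSet; Enable-HostRss; Set-VMAcceleration -VMName 'Web01'
```

Pick one of the first two functions per host, never both on the same adapters. The VMQ and SR-IOV settings correspond to the Hardware Acceleration page of the VM's network adapter in Hyper-V Manager, and an IovWeight greater than zero only takes effect when the switch was created with -EnableIov and the host firmware has SR-IOV enabled.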
Using SET provides similar benefits to traditional teaming, in that the virtual switch gains performance and redundancy from the several underlying network adapters. Configuring SET is as simple as creating the virtual switch with embedded teaming enabled and listing the physical adapters as its members; unlike NIC Teaming, there is no separate team object on the host. Figure 9-1 shows creating a NIC team. Note that the figure was taken from a virtual machine, which does not expose all of the options that would be available on a physical host.

FIGURE 9-1 NIC Teaming

Enable and configure Receive Side Scaling and enable and configure virtual Receive Side Scaling on a Virtual Machine Queue capable network adapter

Receive Side Scaling (RSS) distributes inbound network processing across multiple processor cores, so that a single core does not become the bottleneck for a busy adapter. On a Hyper-V host, virtual RSS (vRSS) extends this to the virtual machine's network path so that a VM can sustain higher network loads: the VM's receive traffic is spread across multiple cores on the Hyper-V host and across multiple virtual processors in the VM. A VM can use vRSS only if the physical adapter supports VMQ, the host processors support the feature, and the VM is configured with multiple virtual processors. RSS can be enabled from the Advanced tab of the network adapter properties. Figure 9-2 displays the Advanced tab with RSS enabled.

FIGURE 9-2 Network Adapter Properties

You can also enable RSS globally by using the netsh command. Figure 9-3 shows running the full netsh command.

    netsh interface tcp set global rss=enabled

FIGURE 9-3 netsh RSS command

If you plan to use RSS in a virtual environment, the Hyper-V host processor and network adapter must support RSS and VMQ. Within the virtual machine, configure RSS by using the same methods as on a physical computer.

Enable and configure network Quality of Service with Data Center Bridging

Data Center Bridging (DCB) is based on a set of Institute of Electrical and Electronics Engineers (IEEE) 802.1 standards for networking.
DCB enables multiple types of network traffic, such as storage, cluster and tenant traffic, to share the same physical Ethernet media. DCB allocates bandwidth and enforces Quality of Service (QoS) at the hardware level, through Priority-based Flow Control (PFC) and Enhanced Transmission Selection (ETS), rather than in the operating system. DCB is a feature that can be installed on a server that runs Windows Server 2012 or later. Nano Server also supports DCB through the Microsoft-NanoServer-DCB-Package. Using DCB requires that every component of the network path, adapters and switches included, supports the capabilities. From a Windows Server perspective, DCB is configured by using the following PowerShell modules:
■ NetQos
■ DcbQos
■ NetAdapter

Some important cmdlets to be aware of include:
■ Enable-NetQosFlowControl Enables priority-based flow control for a given 802.1p priority.
■ New-NetQosTrafficClass Creates a new traffic class, with its bandwidth share, to be used with DCB.
■ Set-NetQosDcbxSetting Sets the DCBX "willing" policy, globally or for specific network adapters on the server, which controls whether the adapter accepts its DCB configuration from the switch.

Enable and configure SMB Direct on Remote Direct Memory Access enabled network adapters

As discussed in Chapter 3, "Implement Hyper-V," Remote Direct Memory Access (RDMA) lets network adapters transfer data directly between the memory of two computers, bypassing the operating system's network stack and CPU. RDMA enables high throughput with low latency and low CPU utilization for storage environments. RDMA is currently supported on three types of network adapters:
■ InfiniBand
■ Internet Wide Area RDMA Protocol (iWARP)
■ RDMA over Converged Ethernet (RoCE)

Windows Server 2016 introduces new RDMA support, including:
■ Converged RDMA The same RDMA adapters can carry host storage traffic (SMB Direct) and virtual machine traffic on the same physical ports.
■ Switch Embedded Teaming (SET) Up to eight RDMA-capable network adapters can be teamed in a virtual switch while RDMA remains available to host virtual adapters, providing the same benefits as discussed earlier in this chapter.

NEED MORE REVIEW? USING RDMA WITH SET
For more information on using RDMA with SET, visit https://technet.microsoft.com/en-us/library/mt403349.aspx.
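The DCB and SMB Direct configuration described in the two sections above, as an added PowerShell example rather than code from the Exam Ref: a lossless priority for SMB Direct over RoCE on a host with two RDMA adapters, followed by the checks that show whether SMB connections are actually using RDMA. The adapter names, the priority value 3 and the bandwidth share are assumptions, and the physical switch must carry the same PFC priority and ETS class. iWARP adapters carry RDMA over TCP and do not need PFC; for them only the Enable-NetAdapterRdma step applies.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules DcbQos, NetQos, NetAdapter, SmbShare
# Added example (not from the Exam Ref). Adapter names, priority and bandwidth are assumptions.

$rdmaNics = 'RDMA1', 'RDMA2'

function Set-SmbDirectDcb {
    Install-WindowsFeature -Name Data-Center-Bridging

    # Tag SMB Direct traffic (NetworkDirect on port 445) with 802.1p priority 3;
    # everything else falls into the default class at priority 0.
    New-NetQosPolicy -Name 'SMB' -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3
    New-NetQosPolicy -Name 'Default' -Default -PriorityValue8021Action 0

    # PFC on the SMB priority only. Pausing every priority would let any traffic class
    # stall the whole link, so the other seven are disabled explicitly.
    Enable-NetQosFlowControl  -Priority 3
    Disable-NetQosFlowControl -Priority 0, 1, 2, 4, 5, 6, 7

    # ETS: guarantee SMB half of the bandwidth; the remainder stays with the default class.
    New-NetQosTrafficClass -Name 'SMB' -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

    foreach ($nic in $rdmaNics) {
        Enable-NetAdapterQos  -Name $nic
        Enable-NetAdapterRdma -Name $nic
    }
    # DCBX "willing" off: the host, not a neighbour on the wire, decides which priority is
    # lossless, so a misconfigured or hostile switch cannot push a different policy.
    Set-NetQosDcbxSetting -Willing $false -Confirm:$false
}

function Get-SmbDirectState {
    # RDMA as seen by the adapters and by SMB, and whether live connections chose RDMA.
    Get-NetAdapterRdma -Name $rdmaNics | Format-Table Name, Enabled
    Get-SmbClientNetworkInterface | Where-Object RdmaCapable |
        Format-Table InterfaceIndex, RdmaCapable, RssCapable
    Get-SmbMultichannelConnection |
        Format-Table ServerName, ClientIpAddress, ServerIpAddress, ClientRdmaCapable, ServerRdmaCapable, Selected
    Get-NetQosFlowControl  | Format-Table Priority, Enabled
    Get-NetQosTrafficClass | Format-Table Name, Priority, BandwidthPercentage, Algorithm
}

Set-SmbDirectDcb
Get-SmbDirectState
```

Run it on every host that shares the storage network; a connection listed by Get-SmbMultichannelConnection with both ClientRdmaCapable and ServerRdmaCapable set to True, and Selected True, is the evidence that SMB Direct is in use rather than falling back to TCP.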
To obtain a list of network adapters on a server that can be used with RDMA, run the Get-NetAdapterRdma cmdlet. To enable SMB Direct on a specific network adapter, run the Enable-NetAdapterRdma cmdlet. To enable or disable RDMA for all network adapters at once, run Set-NetOffloadGlobalSetting -NetworkDirect Enabled (or Disabled).

Enable and configure SMB Multichannel

SMB Multichannel aggregates the available bandwidth of, and provides fault tolerance across, multiple network paths between an SMB 3.0 client and server. SMB Multichannel can be combined with Cluster Shared Volumes (CSV) to stream traffic across RDMA network adapters and increase performance. When combined with Hyper-V, SMB Multichannel provides increased performance for virtual machine live migrations over SMB with low CPU utilization. SMB Multichannel is enabled by default, and it can be configured by using the Set-SmbServerConfiguration cmdlet. Figure 9-4 shows running the full command to enable SMB Multichannel.

    Set-SmbServerConfiguration -EnableMultiChannel $True

FIGURE 9-4 Set-SmbServerConfiguration

SMB Multichannel must be enabled on both the client and the server for it to be used. If it is disabled on either side, SMB Multichannel is not used. The client is configured with the same parameter, but by using the Set-SmbClientConfiguration cmdlet.

Enable and configure Virtual Machine Multi-Queue

Virtual Machine Multi-Queue (VMMQ) assigns several hardware queues to each virtual machine network adapter on the Hyper-V host, so that a single VM's receive traffic can be spread across several host processors. This provides a performance increase compared to VMQ on previous versions of Hyper-V hosts, where each virtual adapter was limited to one queue and therefore to one host core. To enable VMQ on a physical network adapter, use the Enable-NetAdapterVmq cmdlet. Once enabled, VMQ can be configured by using the Set-NetAdapterVmq cmdlet. VMQ assists in routing packets for virtual machines on a Hyper-V host: by routing the packets for different VMs to different queues, different processors can process the network traffic for multiple virtual machines, increasing performance.

NEED MORE REVIEW?
POWERSHELL SYNTAX
For more information on the VMQ interface, visit https://technet.microsoft.com/en-us/library/jj130870.aspx.

Enable and configure Single-Root I/O Virtualization on a supported network adapter

Single-Root I/O Virtualization (SR-IOV) provides virtual machines with direct access to physical PCI Express resources on a Hyper-V host, bypassing the virtual switch. This requires supported hardware on the Hyper-V host (an SR-IOV capable adapter with firmware and chipset support), a virtual switch created with SR-IOV enabled, and the adapter vendor's Virtual Function driver installed in the virtual machine. SR-IOV can only be used with 64-bit guest operating systems. SR-IOV uses Virtual Functions (VFs), each associated with a Physical Function (PF). The Physical Function is what the Hyper-V host uses, and it is treated as a regular PCI-E device. The virtual machine uses a Virtual Function to interact with the physical PCI-E device directly. A single physical PCI-E device, such as a network adapter with multiple ports, can present many Virtual Functions, each assigned to a different virtual machine. Because traffic on a Virtual Function never passes through the virtual switch, port ACLs, QoS settings and switch extensions applied on the switch do not see it; plan for that before enabling SR-IOV on a VM that those controls are meant to cover. Figure 9-5 shows the settings of a virtual machine. Both the VMQ and SR-IOV settings can be configured from the Hardware Acceleration options of a virtual machine's network adapter.

FIGURE 9-5 Virtual Machine Hardware Acceleration Settings

Skill 9.2: Determine scenarios and requirements for implementing Software Defined Networking

In this section, we discuss the scenarios and requirements that are commonly used with SDN. That includes the requirements for using Hyper-V Network Virtualization with Network Virtualization Generic Routing Encapsulation (NVGRE) or Virtual Extensible LAN (VXLAN) encapsulation. We also discuss the features that can be used with Software Load Balancing to manage different traffic loads. Finally, we explain how to implement a Windows Server Gateway for different SDN needs, and how to use the new firewall policies to manage network traffic.
This section covers how to:
■ Determine deployment scenarios and network requirements for deploying SDN.
■ Determine requirements and scenarios for implementing Hyper-V Network Virtualization using Network Virtualization Generic Routing Encapsulation (NVGRE) or Virtual Extensible LAN (VXLAN) encapsulation.
■ Determine scenarios for implementation of Software Load Balancer for North-South and East-West load balancing.
■ Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their uses.
■ Determine requirements and scenarios for distributed firewall policies and network security groups.

Determine deployment scenarios and network requirements for deploying SDN

Software Defined Networking (SDN) enables you to virtualize networks by abstracting individual networking components such as IP addresses, ports, and switches from the physical hardware. An SDN configuration uses centrally defined policies to control how traffic is routed through both physical and virtual networks. Windows Server 2016 provides a few technologies to configure and manage an SDN:
■ Network Controller New to Windows Server 2016, the Network Controller centralizes the management, configuration, monitoring, and troubleshooting of the virtual and physical network infrastructure.
■ Hyper-V Network Virtualization This abstracts virtual machine workloads from the physical network, so that tenant networks are defined in software rather than in the physical topology.
■ Hyper-V Virtual Switch Provides the connection from individual virtual machines to virtual and physical networks in the infrastructure, and enforces the policies (such as access control lists) that the Network Controller pushes to it.
■ RRAS Multitenant Gateway Routes traffic between tenant virtual networks and external networks, including Microsoft Azure, to provide an on-demand hybrid infrastructure.
■ NIC Teaming Combines network adapters to aggregate bandwidth and provide redundancy for the underlying physical networks.

A common scenario for an SDN configuration is to integrate with the Microsoft System Center suite to extend the capabilities of the SDN.
Some System Center benefits include:
■ System Center Operations Manager This enables you to monitor private, hybrid, and public clouds.
■ System Center Virtual Machine Manager This enables you to manage virtual machines, networks, and the policies that apply to an infrastructure.
■ Windows Server Gateway This virtual endpoint enables you to route internal or cloud traffic to the appropriate network. Windows Server Gateway is discussed in more detail later in this chapter.

NEED MORE REVIEW? DEPLOY SDN WITH VMM
For more information on deploying an SDN with System Center Virtual Machine Manager, visit https://technet.microsoft.com/en-us/library/mt210892.aspx.

A typical SDN deployment includes the following components:
■ Management and Hyper-V Network Virtualization networks Logical networks that can be accessed by all Hyper-V hosts. Hyper-V Network Virtualization is discussed in detail in the next section.
■ Load balancing networks Dedicated networks for gateways and software load balancing, used as transit, public VIP, private VIP, or GRE VIP networks.
■ RDMA-based storage network RDMA is used for storage connections, and a separate VLAN should be defined for it.
■ Routing Virtual IP addresses must be advertised to other networks as necessary by using BGP or another routing protocol. BGP peering is configured on the physical switches or routers of the physical infrastructure.
■ Default gateways A default gateway must be defined on each of the configured networks so that the networks can reach one another.
■ Network hardware The underlying physical network must support the scale that the virtual networks provide to the cloud services, including an MTU large enough to carry the encapsulation overhead that NVGRE and VXLAN add to each packet.
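The Network Controller at the centre of the deployment described above, as an added PowerShell example rather than code from the Exam Ref: a three-node Network Controller cluster that uses Kerberos for both the cluster and the client (Northbound) side, followed by a first call through the Northbound API, once with the module and once directly against REST. The host names, the REST address, the security groups and the certificate subject are assumptions; the cmdlets are from the NetworkController module.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules NetworkController
# Added example (not from the Exam Ref). Names, addresses, groups and certificate are assumptions.

$nodes = @(
    @{ Name = 'NC01'; Server = 'nc01.contoso.com'; FaultDomain = 'fd:/rack1/host1' }
    @{ Name = 'NC02'; Server = 'nc02.contoso.com'; FaultDomain = 'fd:/rack1/host2' }
    @{ Name = 'NC03'; Server = 'nc03.contoso.com'; FaultDomain = 'fd:/rack2/host1' }
)
$restIp   = '10.10.0.50/24'       # floating REST address on the management network
$restName = 'nc.contoso.com'      # DNS name for $restIp and the subject of the TLS certificate

function Install-ContosoNetworkController {
    # The feature goes on every node before the cluster is formed.
    Invoke-Command -ComputerName ($nodes | ForEach-Object Server) -ScriptBlock {
        Install-WindowsFeature -Name NetworkController -IncludeManagementTools
    }
    # Fault domains let the cluster place replicas on separate racks.
    $nodeObjects = foreach ($n in $nodes) {
        New-NetworkControllerNodeObject -Name $n.Name -Server $n.Server `
            -FaultDomain $n.FaultDomain -RestInterface 'Ethernet'
    }
    # The REST endpoint's TLS certificate must already be in LocalMachine\My on the nodes.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$restName" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$restName in Cert:\LocalMachine\My" }

    # Intra-cluster and Northbound authentication via Kerberos. The two groups bound here are
    # the only principals allowed to manage the cluster or to call the API.
    Install-NetworkControllerCluster -Node $nodeObjects -ClusterAuthentication Kerberos `
        -ManagementSecurityGroup 'contoso\NC Admins' -Force
    Install-NetworkController -Node $nodeObjects -ClientAuthentication Kerberos `
        -ClientSecurityGroup 'contoso\NC Clients' -RestIPAddress $restIp `
        -ServerCertificate $cert -Force
}

function Get-ContosoNcInventory {
    $uri = "https://$restName"
    Get-NetworkControllerCluster
    Get-NetworkControllerNode | Format-Table Name, Server, FaultDomain, Status
    # Northbound API through the module ...
    Get-NetworkControllerLogicalNetwork -ConnectionUri $uri |
        Select-Object ResourceId, @{ n = 'State'; e = { $_.Properties.ProvisioningState } }
    # ... and the same resource straight from REST, as the current Kerberos user.
    Invoke-RestMethod -Uri "$uri/networking/v1/logicalNetworks" -UseDefaultCredentials |
        Select-Object -ExpandProperty value | Select-Object resourceId
}

Install-ContosoNetworkController
Get-ContosoNcInventory
```

Everything that later configures the SDN (virtual networks, load balancer VIPs, gateways, ACLs) goes through this same Northbound endpoint, so membership of the client security group is the boundary that decides who can rewrite the datacenter's network policy.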
Determine requirements and scenarios for implementing Hyper-V Network Virtualization using Network Virtualization Generic Routing Encapsulation or Virtual Extensible LAN encapsulation

Network virtualization enables you to manage networks the way you manage virtual machines. Just as many virtual machines can run on a single Hyper-V host, many virtual networks can run over a single physical network to provide multiple networks, isolation between tenants, or improved performance. Hyper-V in Windows Server 2016 implements network virtualization by giving each virtual machine network adapter two IP addresses, which separates the logical (tenant) topology from the physical topology. The Hyper-V switch processes the network traffic to allow communication from the virtual machine to the physical network with little additional overhead. Windows Server 2016 supports two encapsulation formats for this: NVGRE, which carries the tenant packet inside GRE with the 24-bit Virtual Subnet ID in the GRE key, and VXLAN, which carries it inside UDP (port 4789) with a 24-bit VXLAN Network Identifier and is the default in Network Controller deployments. Both use the same customer/provider address model described below. Network virtualization is typically used in these common scenarios:
■ Flexible VM placement A virtual machine can be placed on any Hyper-V host regardless of the underlying physical network, because its tenant addresses are not tied to the physical subnet of the host.
■ Multitenant network isolation Network traffic isolation can be defined per tenant, without using separate VLANs. Network virtualization uses a 24-bit identifier for virtual networks (about 16 million, compared with 4,094 usable VLAN IDs), and does not require any configuration changes on physical networking devices when moving or creating virtual machines.
■ IP address management Virtual machines in different virtual networks can use the same IP address, even if they are on the same physical network.

Network Virtualization Generic Routing Encapsulation (NVGRE) is built on two IP addresses for a single virtual network adapter. These two IP addresses are:
■ Customer Address (CA) The IP address that is used by the virtual machine's guest operating system and that is visible to the tenant. This IP address is used for communication with other virtual machines on the same virtual network.
■ Provider Address (PA) The IP address that is used by the cloud provider on the physical network. It belongs to the Hyper-V host rather than to the guest. When a virtual machine's packet must cross the physical network, the Hyper-V host encapsulates it in an outer packet whose source and destination are PAs; the inner packet still carries the CAs. This ensures that the physical network can route the packet, and that the receiving Hyper-V host can decapsulate it and deliver it to the correct virtual machine.
Table 9-1 lists IP addresses that might exist in an example environment.
TABLE 9-1 Example IP addresses with network virtualization
Server name    CA               PA
Server1        192.168.1.100    10.0.0.1
Server2        192.168.1.101    10.0.0.2
Server3        192.168.1.102    10.0.0.3
Using the information in the table, when Server1 communicates with Server2, the virtual machines themselves see only the CA addresses, which are on a virtual network used only by the virtual machines associated with that network. If the two virtual machines run on different Hyper-V hosts, the sending host encapsulates the packet and addresses the outer header from its own PA to the PA of the host running Server2; the receiving host strips the outer header and delivers the original CA-addressed packet. When any of the servers communicates with the Internet, the traffic is likewise carried across the physical network inside PA-addressed packets until it exits the virtual network through a gateway. When a response is received, it arrives addressed to the PA, and the Hyper-V host maps the PA back to the CA to deliver it to the individual virtual machine.
Determine scenarios for implementation of Software Load Balancer for North-South and East-West load balancing
A new feature introduced with Windows Server 2016 is Network Controller. Network Controller exposes two APIs: Southbound and Northbound. The Southbound API is how Network Controller communicates with the network devices and hosts it manages. The Northbound API is how you communicate with Network Controller.
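Before moving on to the load balancer, here is an added example that ties the CA/PA discussion and Table 9-1 to what actually appears on the wire. It is not code from the book: it builds and decodes the 8-byte NVGRE (RFC 7637) and VXLAN (RFC 7348) headers that sit between the outer PA IP header and the inner CA packet, and resolves a (tenant ID, CA) pair to a PA from a constructed policy table. The VSID/VNI values 5001 and 5002, the second tenant, and the table entries are assumptions for the illustration.

```powershell
# Added example (not from the book): build and decode the 8-byte overlay headers
# that Hyper-V Network Virtualization inserts between the provider (PA) and
# customer (CA) IP headers. NVGRE is specified in RFC 7637 and VXLAN in RFC 7348.
# The VSID/VNI values and the policy table below are constructed for illustration.

function New-NvgreHeader {
    param([Parameter(Mandatory)][uint32]$Vsid, [byte]$FlowId = 0)
    if ($Vsid -gt 0xFFFFFF) { throw "VSID must fit in 24 bits" }
    # Bytes 0-1: GRE flags/version with only the Key-present bit set (0x2000).
    # Bytes 2-3: protocol type 0x6558, Transparent Ethernet Bridging (the inner
    #            payload is the tenant's whole Ethernet frame, CA header included).
    # Bytes 4-7: the 32-bit GRE key = 24-bit VSID followed by an 8-bit flow ID.
    [byte[]]@(
        0x20, 0x00,
        0x65, 0x58,
        (($Vsid -shr 16) -band 0xFF), (($Vsid -shr 8) -band 0xFF), ($Vsid -band 0xFF),
        $FlowId
    )
}

function New-VxlanHeader {
    param([Parameter(Mandatory)][uint32]$Vni)
    if ($Vni -gt 0xFFFFFF) { throw "VNI must fit in 24 bits" }
    # Byte 0: flags, bit 0x08 means the VNI field is valid. Bytes 1-3 reserved.
    # Bytes 4-6: 24-bit VNI. Byte 7 reserved. Carried over UDP to port 4789.
    [byte[]]@(
        0x08, 0x00, 0x00, 0x00,
        (($Vni -shr 16) -band 0xFF), (($Vni -shr 8) -band 0xFF), ($Vni -band 0xFF),
        0x00
    )
}

function Read-OverlayHeader {
    # Given the outer IP protocol (and UDP destination port, if UDP), recognise
    # which encapsulation is in use and recover the 24-bit tenant identifier.
    param(
        [Parameter(Mandatory)][byte[]]$Header,
        [Parameter(Mandatory)][int]$OuterIpProtocol,
        [int]$OuterUdpDestPort = 0
    )
    if ($Header.Count -lt 8) { throw "Overlay header is shorter than 8 bytes" }
    $tenantId = ([int]$Header[4] -shl 16) -bor ([int]$Header[5] -shl 8) -bor [int]$Header[6]
    if ($OuterIpProtocol -eq 47) {                                    # GRE
        $flags = ([int]$Header[0] -shl 8) -bor [int]$Header[1]
        $proto = ([int]$Header[2] -shl 8) -bor [int]$Header[3]
        if (($flags -band 0x2000) -eq 0 -or $proto -ne 0x6558) { throw "GRE packet is not NVGRE" }
        return [pscustomobject]@{ Encapsulation = 'NVGRE'; TenantId = $tenantId; FlowId = [int]$Header[7] }
    }
    if ($OuterIpProtocol -eq 17 -and $OuterUdpDestPort -eq 4789) {    # UDP to the VXLAN port
        if (([int]$Header[0] -band 0x08) -eq 0) { throw "VXLAN header has no valid VNI" }
        return [pscustomobject]@{ Encapsulation = 'VXLAN'; TenantId = $tenantId; FlowId = $null }
    }
    throw "Not an HNV overlay packet"
}

# Constructed policy table: Table 9-1 plus a second tenant that reuses the same
# CA. The host keys its lookup on (tenant ID, CA), never on CA alone, which is
# what makes overlapping tenant address space safe.
$HnvPolicy = @(
    [pscustomobject]@{ Vsid = 5001; CA = '192.168.1.100'; PA = '10.0.0.1' }   # Server1, tenant A
    [pscustomobject]@{ Vsid = 5001; CA = '192.168.1.101'; PA = '10.0.0.2' }   # Server2, tenant A
    [pscustomobject]@{ Vsid = 5002; CA = '192.168.1.100'; PA = '10.0.0.3' }   # tenant B, same CA as Server1
)

function Resolve-ProviderAddress {
    param([Parameter(Mandatory)][uint32]$Vsid, [Parameter(Mandatory)][string]$CustomerAddress)
    $entry = $HnvPolicy | Where-Object { $_.Vsid -eq $Vsid -and $_.CA -eq $CustomerAddress }
    if (-not $entry) { throw "No HNV policy for VSID $Vsid and CA $CustomerAddress; the host drops the packet" }
    $entry.PA
}

# Server1 sends to Server2: the host resolves the destination PA for tenant A,
# prepends an outer IP header (its own PA -> that PA) plus this GRE header, and
# the receiving host reads VSID 5001 back out before delivering the inner CA packet.
Resolve-ProviderAddress -Vsid 5001 -CustomerAddress '192.168.1.101'
Read-OverlayHeader -Header (New-NvgreHeader -Vsid 5001) -OuterIpProtocol 47

# Tenant B's 192.168.1.100 resolves to a different PA because its VSID differs,
# and the same identifier carried as a VXLAN VNI decodes to the same tenant.
Resolve-ProviderAddress -Vsid 5002 -CustomerAddress '192.168.1.100'
Read-OverlayHeader -Header (New-VxlanHeader -Vni 5002) -OuterIpProtocol 17 -OuterUdpDestPort 4789
```

The practical point for a defender is that the physical network and any capture taken on it only ever show PA-to-PA traffic on IP protocol 47 or UDP 4789; to attribute a flow to a tenant you must decode the key or VNI as Read-OverlayHeader does, and a packet whose (VSID, CA) pair has no policy entry is dropped by the host rather than delivered.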
The Southbound API enables Network Controller to:
■ Discover network devices
■ Detect network configurations
■ Ascertain network topology details
■ Push configuration changes to the network infrastructure
The Northbound API enables you to obtain information from Network Controller to monitor and configure a given network. The Northbound API is a REST API and can be used through:
■ Windows PowerShell
■ The REST API directly
■ Management applications, including System Center
Network Controller can be used with Software Load Balancing (SLB) to distribute network traffic based on the policies defined in the load balancer. This includes:
■ Layer 4 load balancing for North-South and East-West network traffic
■ Internal and external network traffic
■ Dynamic IP addresses (DIPs)
■ Health probes
An SLB maps virtual IP addresses (VIPs) to the dynamic IP addresses (DIPs) of the back-end virtual machines. The components of an SLB environment include:
■ System Center Virtual Machine Manager Can be used to manage Network Controller and SLB.
■ Network Controller Deploying the Network Controller feature is a requirement for deploying SLB in an environment.
■ SLB Multiplexer (MUX) Maps VIPs to DIPs and directs traffic so that it is sent to the correct dynamic IP address.
■ SLB Host Agent Listens for policy updates from Network Controller and configures the virtual switch on each host with the configured policy.
■ BGP-enabled router Uses BGP to route traffic to and from the SLB Multiplexer.
Determine implementation scenarios for various types of Windows Server Gateways, including L3, GRE, and S2S, and their uses
With Windows Server 2016 and System Center, you can deploy a Windows Server Gateway for routing in a multitenant environment. Windows Server Gateway supports BGP options, including the local BGP IP address and autonomous system number (ASN), and the list of BGP peer IP addresses with their ASN values.
This enables a cloud provider to route datacenter traffic between virtual and physical networks and to and from the Internet. A RAS Gateway can be used with Hyper-V Network Virtualization to provide several capabilities:
■ Site-to-site VPNs Connect two networks at different physical locations together over the Internet.
■ Point-to-site VPNs Connect individual clients to a corporate network over the Internet.
■ GRE tunneling Provide connectivity between tenant virtual networks and external networks.
■ BGP routing Uses a dynamic routing protocol to learn subnets and routes that are connected to the RAS Gateway.
A RAS Gateway is useful in several scenarios, including:
■ Multitenant gateway Virtual networks direct traffic to the RAS Gateway. The RAS Gateway can then direct the traffic over a site-to-site VPN or to another destination based on the packet.
■ Multitenant NAT The RAS Gateway can also forward traffic from virtual networks to the Internet, translating the addresses to publicly routable addresses.
■ Forwarding gateway If the virtual networks need access to physical resources on a network, the RAS Gateway can forward the traffic to the appropriate resource.
Determine requirements and scenarios for distributed firewall policies and network security groups
A new service with Windows Server 2016 is the Datacenter Firewall. Datacenter Firewall provides stateful, multitenant firewall protection at the network layer. Its policies are managed centrally through Network Controller and enforced by the virtual switch on each Hyper-V host, so filtering happens before traffic reaches the guest operating system. Figure 9-6 outlines how the firewall is used by a Network Controller.
FIGURE 9-6 How the Datacenter Firewall is used by a Network Controller
The Datacenter Firewall provides several benefits:
■ Scalable and manageable software-defined firewall
■ Move tenant virtual machines between hosts without breaking tenant firewall policies
■ Protect tenant services outside of the guest operating system
By using a Datacenter Firewall, you can apply firewall policies to virtual machines or subnets.
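As an added example, not taken from the book, the following PowerShell builds a Datacenter Firewall access control list using the NetworkController module, following the object pattern Microsoft documents for New-NetworkControllerAccessControlList. Each rule is one of the five-tuple matches (protocol, source and destination port, source and destination address) plus an action, a direction and a priority. It assumes a deployed Network Controller reachable at https://nc.contoso.local and reuses the 192.168.1.0/24 tenant subnet from Table 9-1 with an assumed jump host at 192.168.1.10; those values and the ACL name are placeholders.

```powershell
# Added example (not from the book): a Datacenter Firewall ACL for a tenant web
# tier, created through Network Controller's Northbound API with the
# NetworkController PowerShell module. The endpoint URI, subnet and jump host
# address are assumptions for this illustration.
Import-Module NetworkController
$uri = "https://nc.contoso.local"    # assumed Network Controller REST endpoint

function New-AclRule {
    # One five-tuple rule. Lower Priority values are evaluated first, and the
    # first matching rule decides, so the explicit deny goes last.
    param(
        [string]$ResourceId, [string]$Protocol, [string]$SourcePortRange,
        [string]$DestinationPortRange, [string]$SourceAddressPrefix,
        [string]$DestinationAddressPrefix, [string]$Action, [string]$Type, [string]$Priority
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol                 # TCP, UDP or All
    $p.SourcePortRange          = $SourcePortRange          # "443" or "0-65535"
    $p.DestinationPortRange     = $DestinationPortRange
    $p.SourceAddressPrefix      = $SourceAddressPrefix      # CIDR prefix or "*"
    $p.DestinationAddressPrefix = $DestinationAddressPrefix
    $p.Action                   = $Action                   # Allow or Deny
    $p.Type                     = $Type                     # Inbound or Outbound
    $p.Priority                 = $Priority
    $p.Logging                  = "Enabled"                 # log matches for the SOC
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $ResourceId
    $rule.Properties = $p
    $rule
}

$rules = @(
    # HTTPS from anywhere to the web tier.
    New-AclRule -ResourceId "AllowHttpsIn" -Protocol TCP -SourcePortRange "0-65535" `
        -DestinationPortRange "443" -SourceAddressPrefix "*" `
        -DestinationAddressPrefix "192.168.1.0/24" -Action Allow -Type Inbound -Priority "200"
    # RDP only from the tenant's jump host; nothing else may reach 3389.
    New-AclRule -ResourceId "AllowRdpFromJump" -Protocol TCP -SourcePortRange "0-65535" `
        -DestinationPortRange "3389" -SourceAddressPrefix "192.168.1.10/32" `
        -DestinationAddressPrefix "192.168.1.0/24" -Action Allow -Type Inbound -Priority "210"
    # Default deny: any inbound traffic not matched above is dropped and logged.
    New-AclRule -ResourceId "DenyAllIn" -Protocol All -SourcePortRange "0-65535" `
        -DestinationPortRange "0-65535" -SourceAddressPrefix "*" `
        -DestinationAddressPrefix "*" -Action Deny -Type Inbound -Priority "64000"
    # The VMs may initiate outbound connections; the firewall is stateful, so
    # replies to these flows are admitted without an inbound rule.
    New-AclRule -ResourceId "AllowAllOut" -Protocol All -SourcePortRange "0-65535" `
        -DestinationPortRange "0-65535" -SourceAddressPrefix "*" `
        -DestinationAddressPrefix "*" -Action Allow -Type Outbound -Priority "200"
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "WebTier-ACL" `
    -Properties $aclProps -Force

# Read the policy back to confirm what Network Controller will push to the hosts.
Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "WebTier-ACL" |
    Select-Object -ExpandProperty Properties |
    Select-Object -ExpandProperty AclRules |
    ForEach-Object { $_.ResourceId; $_.Properties }
```

To enforce the list it still has to be attached, either to a virtual subnet (set the subnet's AccessControlList property on the virtual network resource and resubmit it) or to an individual network interface; until then the rules exist in Network Controller but filter nothing. Because the policy follows the virtual machine rather than the host, it stays in force when the VM is live migrated, which is the benefit listed above.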
Like a network access control list, a Datacenter Firewall policy can be configured to match five key network traffic elements:
■ Protocol
■ Source port number
■ Destination port number
■ Source IP address
■ Destination IP address
Chapter summary
■ Using NIC Teaming with virtual switches and Switch Embedded Teaming
■ How to enable Receive Side Scaling
■ Using Quality of Service with Data Center Bridging
■ Enabling SMB Direct with RDMA
■ Enabling VMMQ and SR-IOV on virtual machine network adapters
■ Defining scenarios for using Software Defined Networking
■ Configuring Network Virtualization with Generic Route Encapsulation
■ Using Software Load Balancing with Network Controller
■ Using a RAS Gateway as a Windows Server Gateway
■ Using a Datacenter Firewall for multitenant network protection
Thought Experiment
A cloud provider is planning an expansion of their services. Additional Hyper-V hosts, network resources, storage, and other supporting components are installed. The cloud provider plans to provide new capabilities to their customers as part of the expansion. These capabilities must include:
■ Built-in firewall services for tenant networks
■ Tenant networks that support overlapping IP addresses
■ Enhanced storage performance
The provider also plans to use a Software Load Balancer for their network. Using the above scenario, answer the following questions.
1. What feature should the provider use to protect tenant networks?
2. How can the provider ensure that tenant networks can overlap using the same IP addresses?
3. What technology should the network equipment support to enhance storage performance?
Thought Experiment Answers
1. The provider should use the Network Controller and Datacenter Firewall features to give tenant networks an additional layer of protection.
2.
Network Virtualization with Generic Route Encapsulation (NVGRE) can be used to ensure that tenants can assign IP addresses that overlap with those of other virtual networks.
3. Networking equipment should support RDMA to ensure that storage performance over the network is maximized.
CHAPTER 10 Install and configure Active Directory Domain Services
Organizations around the world use Active Directory Domain Services (AD DS) in their infrastructures to support and manage the users and devices on their networks. In doing so, they benefit from enterprise-grade scalability, security, and manageability. AD DS uses a hierarchical design, enabling administrators to organize user and device objects across multiple containers based on the needs of the business. For the exam, you need to be familiar with the various deployment elements for AD DS, such as the installation and configuration of domain controllers.
Skills in this chapter:
■ Install and configure domain controllers
Skill 10.1: Install and configure domain controllers
The first step in implementing AD DS involves installing and configuring a domain controller. In its simplest form, a domain controller is a server running the Windows Server operating system with the AD DS role installed. Depending on the size of an organization, the number of domain controllers supporting AD DS can vary. Considerations like location, security, and redundancy play a major role in the architectural design of AD DS. Imagine you are a system administrator for Wide World Importers. The organization has twelve offices across the globe with 3,500 employees. Four of these offices have limited physical security, but all of them require reliable authentication to the network. In this scenario, you might expect to see redundant domain controllers at each office to improve performance and reliability.
The four offices with limited physical security could use read-only domain controllers (RODCs) to limit the impact of a stolen or compromised server: an RODC holds a read-only copy of the directory and, by default, caches no account passwords. There are a few different approaches for installing domain controllers, including the creation of a new forest and adding and removing domain controllers from that forest. After installing AD DS, we spend some time reviewing basic configuration tasks, such as how to configure a global catalog server and how to transfer the operations master roles. By the end of this section you should have a good understanding of these fundamentals and be comfortable walking through the steps.
This section covers how to:
■ Install a new forest
■ Add or remove a domain controller from a domain
■ Upgrade a domain controller
■ Install AD DS on a Server Core installation
■ Install a domain controller from Install from Media
■ Resolve DNS SRV record registration issues
■ Configure a global catalog server
■ Transfer and seize operations master roles
■ Install and configure a read-only domain controller
■ Configure domain controller cloning
Install a new forest
The AD DS framework is built on a standardized logical structure. This design enables administrators to organize their domains and domain resources in a format that meets the needs of their business. There are four core components in the Active Directory logical structure that make up a forest:
■ Organizational units Used for organizing the objects in your Active Directory infrastructure. These are individual containers that enable administrators to group objects with similar requirements. For example, an organization with multiple offices could have a separate organizational unit for each location, and beneath those containers separate organizational units for computers and users. This format enables the administrator to apply Group Policy settings and delegate administrative control on a per-site basis.
■ Domains A collection of objects that share a common directory database. Each domain acts as an administrative boundary for the associated objects. A single domain can cover multiple geographical locations and contain millions of objects.
■ Domain trees Consist of multiple domains. Domains that are grouped into trees follow a parent-child relationship. In the hierarchy, the tree root domain is referred to as the parent domain, and domains joined to the parent domain are referred to as child domains.
■ Forests Make up a complete Active Directory instance. The forest, not the domain, is the security boundary for the information contained within that Active Directory instance. A forest can contain multiple domains and all the objects within them.
To get started with AD DS, we first need to install a new forest. In the following example, Wingtip Toys has decided to implement AD DS in their environment. They are using Windows Server 2016 for all their domain controllers. For this exam, you should be familiar with installing a forest using both Server Manager and PowerShell.
Install a new forest using Server Manager
In this section, we are going to install a new forest using Server Manager. Follow these steps to complete the installation:
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm that Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, make sure that Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services. When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
FIGURE 10-1 The Add Roles And Features Wizard shows the list of new roles and features to be installed for AD DS
10. After the installation of AD DS completes, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A New Forest. For the Root Domain Name, type WingtipToys.local and click Next.
12. On the Domain Controller Options page, review the default settings for the forest and domain functional levels. Confirm that Domain Name System (DNS) Server is checked. For the Directory Services Restore Mode (DSRM) password, type the password you have chosen in both fields and click Next. Record this password securely; it is the only way to log on to the domain controller in DSRM for offline repair or restore.
13. On the DNS Options page, note the DNS warning at the top of the wizard. This is expected: the wizard cannot create a DNS delegation because this is a new, single-server installation and there is no authoritative parent zone for WingtipToys.local. Click Next.
14. On the Additional Options page, review the NetBIOS domain name and click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands that configure AD DS. Copy the contents of this text file for use in the next section of this objective. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the results pane and click Install.
Once installation completes, the server automatically reboots to finish the AD DS configuration. After completing these steps, you have a new AD DS forest for WingtipToys.local that consists of a single domain controller. The first time you log on to the new forest, use the WINGTIPTOYS\Administrator account. Once logged on, you can create additional administrative accounts for managing the objects in the domain.
Install a new forest using PowerShell
In this section, we are going to install a new forest using PowerShell. We use the PowerShell script generated in the Server Manager example to assist with this task. Follow these steps to complete the installation:
1. Save the following PowerShell code to a text file under C:\ADDS and name the file ADDSSetup.ps1:
   Import-Module ADDSDeployment
   Install-ADDSForest `
       -CreateDnsDelegation:$false `
       -DatabasePath "C:\Windows\NTDS" `
       -DomainMode "WinThreshold" `
       -DomainName "WingtipToys.local" `
       -DomainNetbiosName "WINGTIPTOYS" `
       -ForestMode "WinThreshold" `
       -InstallDns:$true `
       -LogPath "C:\Windows\NTDS" `
       -NoRebootOnCompletion:$false `
       -SysvolPath "C:\Windows\SYSVOL" `
       -Force:$true
   (WinThreshold is the value the wizard emits for the Windows Server 2016 functional level.)
2. Open an elevated PowerShell window.
3. Run the following command to install the Active Directory Domain Services role and all required features:
   Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
4. Run the following command to execute the ADDSSetup.ps1 script:
   C:\ADDS\ADDSSetup.ps1
5. When prompted for the Safe Mode Administrator Password, type the DSRM password you have chosen. The script does not pass -SafeModeAdministratorPassword, so the cmdlet prompts for it rather than storing it in the file.
6. Review the status messages in the PowerShell window as AD DS is configured on your server. Once the operation completes, the server automatically reboots.
At this point, we have completed the installation and configuration of a new AD DS forest using both Server Manager and PowerShell.
Both methods are effective and relatively straightforward, but as with most operations, PowerShell enables you to automate the installation. In the next section, we walk through the process of adding and removing domain controllers from an existing forest.
Add or remove a domain controller from a domain
As an administrator of AD DS, you occasionally need to retire domain controllers and deploy new ones. This might be due to an operating system update, or possibly due to recent expansion in your organization. In these situations, it is important to know the process.
Install a new domain controller
In the following example, you are a system administrator for Wingtip Toys. This organization has a healthy AD forest running a single domain. Inside the WingtipToys.local domain, there are three domain controllers located across three geographically dispersed offices. Wingtip Toys has decided to close its Chicago office and open a new location in Washington. You have been tasked with demoting the domain controller in Chicago and deploying a new one in Washington.
We start the process by deploying the new domain controller in Washington. Before you begin, you need to set up a new server running Windows Server 2016. Confirm that the server is on your network and can successfully resolve the WingtipToys.local domain. Complete the following steps to install a new domain controller using Server Manager:
1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm that Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm that Select A Server From The Server Pool is selected and that your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services.
When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After the installation of AD DS completes, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click the Select option that appears next to the Domain field. When prompted, enter the credentials of an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Confirm that Domain Name System (DNS) Server and Global Catalog (GC) are checked. For the Directory Services Restore Mode (DSRM) password, type the password you have chosen in both fields and click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, note the default option for Replication and click Next.
15. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure the new domain controller, which is similar to what we saw when we installed a new forest. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the results pane and click Install.
Once the installation is complete, the server automatically reboots to finish the configuration. After completing these steps, the new domain controller exists as an object in the WingtipToys.local domain. Open Active Directory Users And Computers on an existing domain controller and confirm that the new server is shown in the Domain Controllers organizational unit. As with the installation of a new forest, adding a new domain controller can also be automated using the PowerShell script output seen in step 16, most notably the Install-ADDSDomainController cmdlet.
Demoting an existing domain controller
Continuing with our task, we now demote the domain controller in the Wingtip Toys Chicago office. For this operation, let's use PowerShell to demonstrate how quickly a domain controller can be demoted. Note that the same procedure can be accomplished in Server Manager using the Remove Roles And Features Wizard. Follow these steps to demote the domain controller using PowerShell:
1. Open an elevated PowerShell window on the domain controller to be demoted.
2. Type the following command to uninstall the AD DS domain controller role:
   Uninstall-ADDSDomainController
3. When prompted, type the password that the server's built-in local Administrator account will use after demotion.
4. When prompted, type Y to complete the operation. Monitor the output shown in the PowerShell window for any warnings or errors. Refer to Figure 10-2 for an example of the expected output. Once complete, the server automatically reboots.
FIGURE 10-2 The Uninstall-ADDSDomainController cmdlet can be used to demote a domain controller from an existing forest
Before demoting, check that the server does not hold any operations master roles; if it does, transfer them to another domain controller first, or the cmdlet will refuse unless you pass -DemoteOperationMasterRole. The process of promoting or demoting a domain controller is something you need to be comfortable with. There are many situations where this is a required task. Another possible scenario involves upgrading a domain controller to achieve a more current domain functional level, which we discuss in the next section.
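The Washington-to-Chicago task above, done end to end in PowerShell, as an added example that is not from the book. It checks that the new server can find the domain's SRV records, runs the same prerequisite checks as the wizard's Prerequisites Check page, promotes with Install-ADDSDomainController, verifies the result, and then demotes the retiring server. The site name Washington, the replication source DC01.WingtipToys.local and the Chicago server name DC-CHI01 are assumptions for the illustration.

```powershell
# Added example (not from the book): add a Windows Server 2016 domain controller
# to WingtipToys.local, verify it, then demote the domain controller being
# retired. Site and server names below are assumptions for this illustration.
Import-Module ADDSDeployment

function Test-DomainLocatable {
    # A server cannot be promoted unless it can resolve the domain's DC locator
    # SRV records; this is the check the text asks for before starting.
    param([Parameter(Mandatory)][string]$DomainName)
    $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    $records | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port, Priority
}

$domain = "WingtipToys.local"
Test-DomainLocatable -DomainName $domain

# --- On the new server in Washington ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -Message "Domain Admins account for $domain"

# Same checks the wizard runs on its Prerequisites Check page; stop on errors.
Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
    -InstallDns -SiteName "Washington" | Format-List

Install-ADDSDomainController `
    -DomainName $domain `
    -Credential $cred `
    -InstallDns `
    -SiteName "Washington" `
    -ReplicationSourceDC "DC01.WingtipToys.local" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force
# The DSRM password is prompted for interactively; for unattended runs pass it
# as a SecureString with -SafeModeAdministratorPassword instead.

# --- After the reboot, from any domain controller ---
# Confirm the new DC is in the right site and is a global catalog, and that
# inbound replication to it has succeeded.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem, IPv4Address
repadmin /replsummary

# --- On the Chicago server being retired ---
# Refuse to proceed if it still holds any operations master roles; transfer
# them first rather than forcing the demotion with -DemoteOperationMasterRole.
$roles = (Get-ADDomainController -Identity "DC-CHI01").OperationMasterRoles
if ($roles) { throw "DC-CHI01 still holds: $($roles -join ', '). Transfer them before demoting." }

$newLocalPassword = Read-Host -AsSecureString -Prompt "New local Administrator password"
Uninstall-ADDSDomainController -LocalAdministratorPassword $newLocalPassword -Force
```

Run the promotion section on the new server and the demotion section on the old one; Uninstall-ADDSDomainController has no remoting parameter and always acts on the local machine. Demotion turns the server into an ordinary domain member, so the local Administrator password you supply becomes the only local credential on it, which is why the example forces you to choose it explicitly.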
Upgrade a domain controller
Once deployed, domain controllers often remain untouched aside from routine maintenance and patches. Of course, there are times when it becomes important to upgrade or refresh these servers. One such scenario involves upgrading the functional level for your domain. With each iteration of Windows Server, new features and enhancements are introduced for AD DS. Some of these depend on the domain functional level (for example, the Protected Users group and authentication policies require Windows Server 2012 R2), while others depend on the forest functional level (the Active Directory Recycle Bin requires Windows Server 2008 R2). Before you can enable such features, you must first raise the functional level, and you can only do that once every domain controller in the domain (or, for the forest level, in the forest) runs a version of Windows Server at or above that level. This task therefore involves updating each of the domain controllers in your domain to the newer version of Windows Server and then raising the domain functional level to match.
Imagine you are a systems administrator for Wide World Importers. This organization has a single domain that consists of 18 domain controllers. The domain functional level is currently set to Windows Server 2008 R2 and there is a mixture of operating system versions among the existing domain controllers. Half of the servers are three to four years old and are running Windows Server 2008 R2. The other half are one to two years old and are running Windows Server 2012 R2. Your team has been tasked with upgrading the operating system across all 18 domain controllers to Windows Server 2016, followed by raising the domain functional level to match. There are three approaches to consider when faced with this scenario:
■ In-place upgrade In-place upgrades of the Windows Server operating system are supported. They also tend to be more cost effective, allowing you to reuse the existing hardware. If you plan to do an in-place upgrade of the operating system, be aware of the updated system requirements for the new operating system version.
Also, take into consideration any application compatibility concerns if the domain controller is hosting additional roles for your organization.
■ Demote, upgrade, and promote If costs are a concern but a fresh installation is preferred over an in-place upgrade, consider demoting the existing domain controller, formatting it, installing the latest version of Windows Server, and promoting it back into the domain. When taking this approach, you still need to consider the system requirements for the newer version of Windows Server, and the lifecycle of the physical hardware you are reusing.
■ Side-by-side upgrade A side-by-side upgrade is not as cost efficient as the previous two options, but might be mandatory if existing hardware has reached end-of-life or doesn't meet the system requirements for the latest version of Windows Server. In this situation, you would build a new server and promote it as a domain controller. You need to consider the need for new host names, IP addresses, and possibly firewall changes to support the side-by-side upgrade. After the new domain controller is online, transfer any operations master roles from the existing domain controller, and then demote the existing domain controller.
After reviewing the above options, the best approach for Wide World Importers involves a mixture of side-by-side upgrades and refreshing existing domain controllers. Knowing that a portion of the existing domain controllers are three to four years old, it is safe to assume that the hardware for those domain controllers is reaching end-of-life and should be replaced soon. The servers that are one to two years old could be demoted, refreshed, and promoted back into the domain.
Install AD DS on a Server Core installation
The first time you install Windows Server 2016, notice that the default installation type is Server Core. Server Core is a minimal installation of the Windows Server operating system.
This installation type provides only certain core server roles, with the option to install additional roles as needed. It reduces system overhead and shrinks the server's attack surface and patching burden, which matters most on a domain controller. Since its introduction with Windows Server 2008, several enhancements have been made to Server Core, enabling administrators to manage these servers centrally. For example, you can add and manage dozens of Server Core installations from a central management server using Server Manager and PowerShell.
As we mentioned earlier in this chapter, domain controllers are often deployed and then managed from a central location, or through a set of tools that do not require direct access to the server. A Server Core installation is ideal in these working conditions, while gaining the benefits that Server Core provides. In the following example, we walk through the steps for installing AD DS on a Server Core installation of Windows Server 2016. Let's create a new forest for Wingtip Toys.
Before installing AD DS on any server, it is important to configure the network interface first. There are multiple ways to accomplish this task in Server Core. The Server Configuration tool is one option; it provides a basic text interface for configuring core components. You can access the Server Configuration tool by typing sconfig at the command prompt. Another option is to use PowerShell. Let's look at the PowerShell cmdlets used for configuring the network adapter on our server.
1. Log on to your server running Windows Server 2016 Server Core.
2. At the command prompt, type powershell.exe to start PowerShell.
3. Run the Get-NetAdapter command to retrieve a list of available network adapters on your server. Make a note of the name of the adapter that you are configuring.
4.
Run the following command to assign a static IP address, replacing the value for InterfaceAlias with the name of your network adapter:
   New-NetIPAddress -IPAddress 10.0.0.10 -InterfaceAlias "Ethernet" -DefaultGateway 10.0.0.254 -AddressFamily IPv4 -PrefixLength 24
5. Run the following command to assign the DNS servers:
   Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("10.0.0.1","10.0.0.10")
6. Run the ipconfig /all command and review the IP and DNS settings for your network adapter. Confirm that the values match the assignments set above.
With the network adapter configured, we can now install the AD DS role on this server. To do so, use the same PowerShell cmdlets discussed earlier in this chapter.
1. Log on to your server running Windows Server 2016 Server Core.
2. At the command prompt, type powershell.exe to start PowerShell.
3. Run the following command to install the Active Directory Domain Services role and all required features:
   Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
4. Run the following command to create the new forest and promote the server to a domain controller:
   Install-ADDSForest -DomainName WingtipToys.local
5. When prompted for the Safe Mode Administrator Password, type the DSRM password you have chosen.
6. When prompted to continue and allow an automatic reboot, type Y.
7. Review the status messages in the PowerShell window as AD DS is configured on your server. Once the operation completes, the server automatically reboots.
After rebooting, your server is an active domain controller in the WingtipToys.local domain. At this point, you have the option of installing the AD DS management tools on a remote server, or downloading the Remote Server Administration Tools (RSAT) for Windows 10 and managing AD from your workstation. As you explore Server Core, familiarize yourself with the sconfig utility.
These options are important starting points for managing your Server Core installations.
Install a domain controller from Install from Media
Every Active Directory domain rests on a database. This database varies in size based on the amount of data stored in Active Directory, which is typically dictated by the size of your organization and the number of objects you manage. As your database grows in scale, variables such as replication and bandwidth become increasingly important. These variables are even more important when dealing with WAN connections that have limited bandwidth between remote offices.
In this section, we are going to look at promoting another domain controller, but this time let's use the Install From Media (IFM) feature. IFM is an option presented during the process of promoting a new domain controller that enables you to seed it from a recent export of your existing domain's database. Doing so eliminates the need for the new domain controller to replicate a complete copy of the database when it first comes online. Instead, the new domain controller only replicates the changes made since the export was created. This method can greatly reduce the replication traffic and deployment time for a new domain controller. In some cases, this might be a mandatory operation depending on a few factors, such as the size of your AD database, the available bandwidth to the remote location, or a short time window in which to deploy the new domain controller. The media must be newer than the forest's tombstone lifetime (180 days by default), or the promotion rejects it.
There are four types of installation media that can be created:
■ Create Full This installation media type is used for writable domain controllers or Active Directory Lightweight Directory Services (AD LDS) instances.
■ Create Sysvol Full This installation media type is used for writable domain controllers and includes SYSVOL.
■ Create RODC This installation media type is used for read-only domain controllers (RODCs). Secrets such as password hashes are removed from it, so it is the only type that is safe to ship to a site where an RODC is appropriate.
■ Create Sysvol RODC This installation media type is used for RODCs and includes SYSVOL.
EXAM TIP
For the exam, you should be familiar with each installation media type and the output it provides.
As a systems administrator for Wide World Importers, you are responsible for deploying new domain controllers when the need arises. You work at the corporate headquarters, located in San Francisco, CA. Your manager has just informed you that a new office is set to open in Dublin, Ireland later this year. This is the company's first office in Dublin, with the expectation of future growth. Initially you are limited to a 10 Mbps WAN link between the new office and the corporate headquarters. In the following example, we walk through the process of exporting the existing AD database, copying it to a new server, and using the IFM option to promote the server to a domain controller.
1. Log on to a domain controller in your domain.
2. Open an elevated command prompt.
3. At the command prompt, run the ntdsutil command to start the command-line tool for managing AD DS.
4. Run the activate instance ntds command to set NTDS as the active instance.
5. Run the ifm command to start the Install from Media process.
6. Run the following command to begin exporting a copy of your AD database and corresponding files. In this example, we are using the create sysvol full media type:
   create sysvol full C:\IFM
7. Several status messages appear in the command prompt; these provide you with a progress report as the export runs. Once the export has completed successfully you receive a status message, as shown in Figure 10-3. At this stage, you can copy the contents of the IFM directory to removable media, or to the drive of the new server before you ship it to its destination. Remember that full media contains a complete copy of the directory database, including every account's password hashes: protect it in transit as you would a backup of the domain controller, and delete it once the promotion has completed.
FIGURE 10-3 The ntdsutil command-line tool is used to manage Active Directory, including the ability to create installation media for new domain controllers

In this example, we copy the contents of the IFM folder to the root of the system drive on our new server. Upon arrival, the server is powered up and ready to be promoted. The following steps walk through promoting a domain controller using the IFM export:

1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, select Active Directory Domain Services. When prompted to add additional features, review the list and confirm that Include Management Tools (If Applicable) is checked. Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click Select next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group. Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Confirm that Domain Name System (DNS) Server and Global Catalog (GC) are checked. For the Directory Services Restore Mode (DSRM) password, type [email protected] in the two fields and click Next.
13. On the DNS Options page, click Next.
14. On the Additional Options page, check the box for Install From Media, as shown in Figure 10-4. In the path field, enter C:\IFM, where we copied the database export, and click Verify to confirm the files can be accessed. Click Next.

FIGURE 10-4 The Active Directory Domain Services Configuration Wizard includes the Install from Media (IFM) feature on the Additional Options page

15. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
16. On the Review Options page, review the list of configuration options. Click View Script. Note the additional parameter for InstallationMediaPath. Close the text file and click Next.
17. On the Prerequisites Check page, review any warnings displayed in the Results pane and click Install. Once installation completes, the server automatically reboots to complete the installation.
18. After your new domain controller is online, log in and open Active Directory Users and Computers. Compare the contents with an existing domain controller. Confirm that the OU structure, objects, and attributes match across both domain controllers.

At this stage in the chapter we have walked through multiple installation scenarios for promoting a new domain controller. IFM adds some additional flexibility in your deployments, enabling you to reliably deploy domain controllers remotely, with limited saturation of your organization's WAN. These same methods can be used to prepare for larger deployments.
For example, an organization that specializes in retail might have hundreds of stores across the globe, each with its own domain controller. Using IFM in this situation can be very beneficial in reducing overhead.

Resolve DNS SRV record registration issues

Throughout this chapter, we have deployed a few domain controllers under different circumstances. One common component among those domain controllers has been DNS. For AD DS to function properly, DNS must be installed and configured correctly. Every environment is different when it comes to DNS, and that plays a major role in the overall health of your AD DS forest. AD DS relies on SRV records, also referred to as service records. Each record performs a different purpose, such as guiding clients to their nearest LDAP server, or allowing servers to communicate with each other. As the administrator for AD DS, you need to be familiar with these SRV records and how to troubleshoot registration issues. When problems do arise, there are a few resources that you can use to find a solution. Let's look at those now.

■ DNS Manager The DNS management console is part of the AD DS management tools. You can explore the SRV records in your domain using DNS Manager. In Figure 10-5, you can see we are looking at the forward lookup zone for WingtipToys.local. In the sites directory, we can confirm that the Ldap and Kerberos SRV records are present for our domain controllers.

FIGURE 10-5 The DNS Manager management console is an important tool for checking on SRV records

■ Dcdiag The dcdiag utility is a command-line tool that provides tests that can assist in troubleshooting issues in your AD DS forest. A DNS test can be initiated from any of your domain controllers by running the following command from an elevated command prompt: dcdiag /test:dns.
■ Ipconfig The ipconfig utility provides network-specific information on your Windows devices. If DNS is set up to accept dynamic DNS updates, and you suspect a workstation or server has not registered its SRV records, you can run the following command from an elevated command prompt: ipconfig /registerdns.
■ Netlogon.dns In environments where dynamic DNS is not enabled—and DNS is managed by a separate appliance—you can retrieve the mandatory SRV records from the netlogon.dns file on your domain controllers. This information can be provided to your DNS team so they can ensure it is added. This file is located in the following path: %WinDir%\System32\Config\netlogon.dns.

The DNS health among your domain controllers is an important variable when managing your AD DS environment. For the exam, make sure you are familiar with each of the tools mentioned above. Spend time exploring DNS Manager and reviewing the SRV records in your domain.

Configure a global catalog server

In AD DS, the global catalog is designed to improve performance in environments with multiple domain controllers, or sites with limited bandwidth. The global catalog contains a partial representation of every object in your AD DS forest. Domain controllers can be designated as global catalog servers, enabling them to answer global catalog requests. If an application is connected to Active Directory, and that application issues a search to a nearby global catalog server, the search completes faster because it has the necessary information available.

Let's start by determining whether a domain controller has been configured as a global catalog server. There are two places we can look for this information. The first location is in Active Directory Users And Computers. If you navigate to the Domain Controllers container, there is a column named DC Type. Domain controllers that have been designated as global catalog servers have a DC type of GC (Global Catalog). In Figure 10-6, you can see that two of our three domain controllers are set up as global catalog servers.

FIGURE 10-6 The Active Directory Users and Computers management console displays the DC type for the domain controllers in your domain

Another location for reviewing the status of a global catalog server is within the Active Directory Sites And Services management console. To reveal these options, you need to expand Sites, followed by the site where your domain controller is assigned. Under the site, expand Servers. With the desired domain controller selected, right-click NTDS Settings and choose Properties. On the General tab of the NTDS Settings properties window, there is a checkbox for designating the global catalog role, as shown in Figure 10-7. If you need to toggle this role on or off, apply the action here and the AD DS topology is updated.

FIGURE 10-7 The Active Directory Users and Computers management console displays the DC type for the domain controllers in your domain

As you promote new domain controllers, you'll notice that the Global Catalog role is checked by default. In most scenarios, having the global catalog on every domain controller in your environment is a positive addition. In rare situations, depending on the AD DS topology, you might find a case in which removing the global catalog role from specific domain controllers might improve the environment. Other considerations include a Read-Only Domain Controller (RODC), which can be designated as a global catalog server. However, not all directory-enabled applications support connectivity to a global catalog server hosted on an RODC.

NEED MORE REVIEW?
ADDITIONAL DETAILS ON THE GLOBAL CATALOG
To study more about the global catalog, dependencies, and interactions, visit https://technet.microsoft.com/library/cc728188(v=ws.10).aspx.

Transfer and seize operations master roles

AD DS has five Flexible Single Master Operation (FSMO) roles. These roles are assigned to the domain controllers in your environment. Each role can only be assigned to a single domain controller, but there are no restrictions as to which roles are assigned where. For example, if you have five different domain controllers, you could technically assign each role to a different domain controller. It is also worth noting that RODCs cannot host any of the FSMO roles. Let's look at the function of each role:

■ Schema master The schema master role can only be assigned to a single domain controller at any given time. This role is responsible for performing schema updates within AD. After processing a schema update, the schema master replicates the changes to the other domain controllers.
■ Domain naming master The domain naming master role can only be assigned to a single domain controller at any given time. This role is responsible for making changes to the forest-wide domain name space within AD.
■ RID master The RID master role is responsible for processing relative ID (RID) requests from all domain controllers in your domain.
■ PDC emulator The PDC emulator role is responsible for synchronizing time within AD. This role has associations with core security components, such as password changes and account lockouts.
■ Infrastructure master The infrastructure master role is responsible for keeping domain references to objects up-to-date. It accomplishes this by comparing its data with the information in the global catalog. Due to its design, it is best to have the infrastructure master role on a domain controller that is not designated as a global catalog server, but does have a strong connection to a global catalog server. If all your domain controllers are designated as global catalog servers, the infrastructure master role does not operate.

EXAM TIP You should be familiar with each of the FSMO roles, their individual purpose, and how to transfer the roles to a different DC.

Now that you have a basic understanding of the FSMO roles, let's look at where these roles are installed in your domain.

1. Log in to a domain controller on your domain.
2. Open an elevated command prompt.
3. Run the following command to look up where each FSMO role is assigned, as shown in Figure 10-8:

netdom query fsmo

FIGURE 10-8 The netdom utility can assist in identifying where the FSMO roles are assigned in your domain

After you have identified which domain controllers have which FSMO roles assigned, we need to understand the difference between transferring a role and seizing a role.

■ Transfer Transferring an FSMO role is the preferred operation. You should use the transfer option when the current role holder is operational and can be accessed on the network by the future FSMO owner.
■ Seize Seizing an FSMO role is undesirable, but might be necessary in disaster recovery scenarios. You should use the seize option when the current role holder is experiencing a failure and is otherwise nonoperational.

Transferring FSMO roles

Transferring and seizing FSMO roles is accomplished using the ntdsutil utility. Figure 10-8 shows that WTT-DC-01 holds all the FSMO roles for the domain. Let's transfer the infrastructure master role to WTT-DC-03.

1. Log in to a domain controller on your domain.
2. Open an elevated command prompt.
3. Type ntdsutil and press Enter.
4. Type roles and press Enter.
5. Type connections and press Enter.
6. Type connect to server WTT-DC-03 and press Enter. Review the output and confirm that the connection was successful.
7. Type q and press Enter.
8. Type transfer infrastructure master and press Enter. When prompted to confirm the transfer, click Yes. Review the output and confirm that the transfer was successful.
9. Type q to exit FSMO maintenance and q again to exit ntdsutil.

After the role has been transferred, run the netdom utility again and confirm that the infrastructure master role is now assigned to WTT-DC-03, as shown in Figure 10-9.

FIGURE 10-9 The netdom utility can assist in identifying where the FSMO roles are assigned in your domain

Seizing FSMO roles

Let's imagine that WTT-DC-03 has suffered a catastrophic failure, which is preventing us from cleanly transferring the assigned FSMO roles. In this example, the domain controller is no longer on the network, so let's use the seize option to recover the role and reassign it to WTT-DC-01.

1. Log in to a domain controller on your domain.
2. Open an elevated command prompt.
3. Type ntdsutil and press Enter.
4. Type roles and press Enter.
5. Type connections and press Enter.
6. Type connect to server WTT-DC-01 and press Enter. Review the output and confirm that the connection was successful.
7. Type q and press Enter.
8. Type seize infrastructure master and press Enter. When prompted to confirm the seizure, click Yes. Review the output and confirm that the operation was successful.
9. Type q to exit FSMO maintenance and q again to exit ntdsutil.

After the role has been seized, run the netdom utility once more and confirm that the infrastructure master role is now assigned to WTT-DC-01.

EXAM TIP For the exam, make sure you understand the differences between the transfer and seize operations.

Install and configure a read-only domain controller

Security is a critical consideration for any organization.
The virtual perimeter surrounding your intellectual property requires constant attention and remediation. AD DS contains user accounts, e-mail addresses, passwords, and most importantly, access to resources and services that are intended to be tightly secured. When you review the security of AD DS, one consideration is the physical placement of your domain controllers, and the expected requirements of those servers. Here are a few questions you should consider when reviewing the security of your domain controllers:

1. Is there physical security?
2. Is the domain controller connected to an external network or DMZ?
3. Are non-administrative users requesting access to the domain controller to support internal applications?

The RODC was first introduced with Windows Server 2008. It was designed to address the questions listed above. The features shown in Table 10-1 were introduced with the intention of providing additional security to AD DS and your organization.

TABLE 10-1 RODC security feature chart

Unidirectional replication: Unlike writable domain controllers, RODCs are designed to replicate changes inbound but not outbound. The other domain controllers in your forest do not replicate changes from an RODC. This improves security by preventing the possibility of a malicious update from replicating outward through your forest.

Special krbtgt account: The krbtgt account prevents a compromised RODC from accessing resources at a remote site.

Password Replication Policy (PRP): The PRP prevents passwords from being cached locally on the RODC. If an RODC is compromised, no account passwords can be obtained.

RODC Filtered attribute set (FAS): The FAS enables the administrator to assign which applications can replicate data to RODCs. This is accomplished by adding the attributes for the application to the RODC FAS and marking them as confidential.
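The Password Replication Policy from Table 10-1 is the control that decides which secrets an RODC actually holds, so it is worth reviewing after every RODC deployment. The following is an added example, not code from the book: it reports an RODC's allowed and denied lists and the accounts whose secrets are already cached, restricts caching to a branch's own accounts, and pre-populates those secrets before the WAN link is needed. It assumes an RODC named WTT-RODC-01, a writable domain controller WTT-DC-01, and a group "Dublin Store Staff" holding the branch's users and computers; the function names are this example's own.

```powershell
# Added example (not from the book): reporting on and tightening an RODC's Password
# Replication Policy (PRP) from Table 10-1, and pre-populating the secrets a branch
# needs before the WAN link fails. Assumptions (constructed): RODC WTT-RODC-01, a
# writable DC WTT-DC-01, and a group "Dublin Store Staff" for the branch's own
# users and computers. The function names are this example's own.
#Requires -Modules ActiveDirectory

function Get-RodcPrpReport {
    param([Parameter(Mandatory)][string]$Rodc)

    $dc = Get-ADDomainController -Identity $Rodc
    if (-not $dc.IsReadOnly) { throw "$Rodc is writable; only RODCs have a PRP" }

    # Allowed and Denied lists. An account that appears in both is denied.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

    # Accounts whose secrets are physically stored on the RODC: these are the
    # credentials to reset if the RODC is stolen.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    # Accounts that authenticated through the RODC, cached or not; a long list here
    # with a short revealed list means the branch is forwarding most logons over the WAN.
    $authed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

    # Privileged principals must never be cached on an RODC; flag any that are.
    $privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        (Get-ADGroupMember -Identity $g -Recursive).SamAccountName
    }
    $leaked = @($revealed | Where-Object { $privileged -contains $_.SamAccountName })

    [pscustomobject]@{
        RODC                   = $dc.HostName
        Allowed                = @($allowed.Name)
        Denied                 = @($denied.Name)
        RevealedAccounts       = @($revealed.SamAccountName)
        AuthenticatedNotCached = @($authed | Where-Object { $revealed.SamAccountName -notcontains $_.SamAccountName }).SamAccountName
        PrivilegedRevealed     = @($leaked.SamAccountName)
    }
}

function Set-RodcBranchPrp {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$BranchGroup
    )
    # Cache only the branch's own accounts. The built-in denied group (admins, the
    # krbtgt account and other sensitive principals) stays in place; add it only if missing.
    $denied = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
    if ($denied -notcontains 'Denied RODC Password Replication Group') {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'Denied RODC Password Replication Group'
    }
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup
}

function Sync-RodcBranchSecrets {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$BranchGroup,
        [string]$SourceDc = 'WTT-DC-01'
    )
    # Push the branch accounts' secrets to the RODC now, so users can still log on at
    # the store if the link to headquarters is down at opening time. Accounts the PRP
    # denies are rejected by the domain controller and simply stay uncached.
    foreach ($m in Get-ADGroupMember -Identity $BranchGroup -Recursive) {
        Sync-ADObject -Object $m.DistinguishedName -Source $SourceDc -Destination $Rodc -PasswordOnly
    }
}

# Example run (constructed names):
# Set-RodcBranchPrp      -Rodc WTT-RODC-01 -BranchGroup 'Dublin Store Staff'
# Sync-RodcBranchSecrets -Rodc WTT-RODC-01 -BranchGroup 'Dublin Store Staff'
# Get-RodcPrpReport      -Rodc WTT-RODC-01 | Format-List
```

A non-empty PrivilegedRevealed list in the report means an administrator has logged on at the branch with an account the PRP allows; that password should be reset and the account moved to the denied list.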
For example, Wingtip Toys has recently expanded into the retail market, with 12 new stores set to open in the next six months. These stores require local domain controllers to support the multiple point-of-sale computers at each location. The physical security of these stores is limited, and in some cases requires your servers to share centralized rack space with the adjoining stores. Based on these requirements you have chosen to promote RODCs at each store. Let's walk through the process of promoting an RODC:

1. Open Server Manager.
2. On the Server Manager Dashboard, click Add Roles And Features.
3. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
4. On the Installation Type page, confirm Role-Based Or Feature-Based Installation is selected and click Next.
5. On the Server Selection page, confirm Select A Server From The Server Pool is selected and your server is highlighted in the list. Click Next.
6. On the Server Roles page, check the box for Active Directory Domain Services. When prompted to add additional features, review the list and select Include Management Tools (If Applicable). Click Add Features and click Next.
7. On the Features page, click Next.
8. On the AD DS page, click Next.
9. On the Confirmation page, review the list of roles and features to be installed. Refer to Figure 10-1 as a reference. Click Install to begin the installation of AD DS.
10. After completing the installation of AD DS, a new warning notification is displayed in Server Manager. Click the notification icon and click Promote This Server To A Domain Controller.
11. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, select Add A Domain Controller To An Existing Domain. Click Select next to the Domain field. When prompted, enter the domain credentials for an account in the wingtiptoys.local domain that is a member of the Domain Admins group.
Select the WingtipToys.local domain and click Next.
12. On the Domain Controller Options page, review the default options. Check the box for Read Only Domain Controller (RODC), as shown in Figure 10-10. For the Directory Services Restore Mode (DSRM) password, type [email protected] in the two fields and click Next.

FIGURE 10-10 The Active Directory Domain Services Configuration Wizard includes the option for promoting an RODC on the Domain Controller Options page

13. On the RODC Options page, review the default accounts and groups that replicate passwords to the RODC and those that are denied, as shown in Figure 10-11. Click Next.

FIGURE 10-11 The Active Directory Domain Services Configuration Wizard includes password replication permissions on the RODC Options page

14. On the DNS Options page, click Next.
15. On the Additional Options page, note the default option for replication and click Next.
16. On the Paths page, review the default paths for the AD DS database, log files, and SYSVOL folder. Click Next.
17. On the Review Options page, review the list of configuration options. Click View Script. This opens a text file with the PowerShell commands used to configure the RODC. Close the text file and click Next.
18. On the Prerequisites Check page, review any warnings displayed in the Results pane and click Install. Once installation completes, the server automatically reboots to complete the installation.

After completing the steps above, you should have a new domain controller in your domain with a DC type of Read-only. Let's connect to this domain controller and see what options are available.

1. Log in to one of your domain controllers.
2. Open Active Directory Users And Computers.
3. In the left pane of the Active Directory Users And Computers management console, right-click WingtipToys.local and choose Change Domain Controller.
4. On the Change Directory Server dialog window, select the RODC in the list and click OK. Before connecting to the RODC you are presented with a warning stating that write operations are not permitted, as shown in Figure 10-12. Click OK.

FIGURE 10-12 An RODC does not allow you to perform write operations

5. Right-click the Users container. Notice that the option to create new items is not available.
6. Click the Users container. Right-click the Administrator account. Notice that the options to update group membership, disable the account, and reset the password are all disabled.

Now that you have deployed an RODC and explored some of the basic functionality, consider the cases where this would make sense in your environment. The RODC is very effective at preventing changes to your existing AD DS forest. However, be cautious in your deployments. I had a customer that insisted on replacing all the writable domain controllers with RODCs at each of their remote offices. This quickly introduced a lot of management overhead. Changes could only be made on the writable domain controllers at the central office. This affected replication when multiple changes needed to be made. Offices were thousands of miles apart and operated in different time zones. These domain controllers were all racked in secure locations, so the RODC topology didn't make sense for this environment.

Configure domain controller cloning

Prior to Windows Server 2012, it was an unsupported practice to use any form of duplication to deploy a new domain controller. This included operations like cloning the VHD of an existing domain controller. Doing so could severely affect your AD DS infrastructure. This has since changed with the introduction of Windows Server 2012 and subsequent releases of Windows Server.
Under the right circumstances, administrators can now clone an active virtual domain controller, enabling them to do consistent deployments, in rapid succession if needed. Before you can clone a virtual domain controller, you must meet the following requirements:

■ The target domain controller must be running Windows Server 2012 or later.
■ The administrator performing the cloning operation must be a member of the Domain Admins group.
■ The domain controller holding the PDC emulator role must be online during the cloning process.
■ The hypervisor for the domain controller must support VM-Generation ID.

With these prerequisites in mind, let's walk through the process of cloning an existing virtual domain controller. In this example, let's use Hyper-V for our hypervisor.

1. Log in to the source domain controller in your domain. This is the domain controller that we plan on cloning. In this example, the name of our domain controller is WTT-DC-02.
2. Confirm that the PDC emulator role is not currently assigned to this domain controller. To do so, run the following command from an elevated command prompt:

netdom query fsmo

3. Open an elevated PowerShell window.
4. Add the source domain controller to the Cloneable Domain Controllers security group in AD. To do so, run the following command:

Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members "WTT-DC-02$"

5. Confirm that the source domain controller does not have any applications or services installed that are not compatible with cloning. To do so, run the following command:

Get-ADDCCloningExcludedApplicationList

6. If any items appear in the application list, they need to be removed from the domain controller or added to a CustomDCCloneAllowList.xml before you can proceed with cloning. To create the CustomDCCloneAllowList.xml, run the following command:

Get-ADDCCloningExcludedApplicationList -GenerateXML

7. Create a new clone configuration file for the source domain controller. To do so, run the following command and review the output for any warnings or errors:

New-ADDCCloneConfigFile -CloneComputerName "WTT-DC-03" -SiteName Default-First-Site-Name -IPv4Address 10.0.0.15 -IPv4DefaultGateway 10.0.0.254 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 10.0.0.1,10.0.0.15 -Static

8. Shut down the source domain controller.

At this point we have prepared the source domain controller for cloning by granting it access in the directory, validating the running services, and creating a configuration file. Next let's clone the VM by first exporting a copy of the source domain controller and re-importing it. Because we are using Hyper-V, let's use PowerShell for these steps.

1. Open an elevated PowerShell window on your Hyper-V host.
2. Run the following command to export a copy of your source domain controller:

Export-VM -Name WTT-DC-02 -Path D:\VMExports

3. Run the following command to import the new virtual machine, replacing <XMLFile> with the path to the exported virtual machine configuration file:

Import-VM -Path "<XMLFile>" -Copy -GenerateNewId -VhdDestinationPath D:\WTT-DC-03

Once the import has completed, power on the new virtual machine. Be sure to leave the source domain controller powered off during this time. When you start the new virtual machine, it initially runs under the context of the source domain controller until the cloning process has completed, at which point you can restore the source domain controller to active duty. When the new domain controller powers up for the first time, the cloning process triggers automatically. This process uses the cloning configuration file that we created earlier in this section. The boot sequence displays a simple percentage to indicate how far along the cloning process is, as shown in Figure 10-13.
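One script serving two passages above: the "Transfer and seize operations master roles" section (an inventory equivalent to netdom query fsmo, and transfer or seize through the Active Directory module instead of ntdsutil) and the prerequisites and steps 1 to 6 of the cloning preparation. This is an added example, not code from the book; it assumes the domain WingtipToys.local with WTT-DC-01 to WTT-DC-03, WTT-DC-02 as the source of the clone, an elevated PowerShell window run by a member of Domain Admins, and PowerShell remoting to the domain controllers. The function names are this example's own.

```powershell
# Added example (not from the book) that serves two passages above: the "Transfer and
# seize operations master roles" section (inventory, transfer, seize with the AD
# module instead of ntdsutil) and steps 1 to 6 of the cloning preparation.
# Assumptions (constructed): domain WingtipToys.local with WTT-DC-01 to WTT-DC-03,
# source DC to clone WTT-DC-02; run in an elevated PowerShell window as a member of
# Domain Admins with PowerShell remoting enabled to the DCs. Function names are this example's own.
#Requires -Modules ActiveDirectory

# The PowerShell view of "netdom query fsmo" plus the DC Type column in Active
# Directory Users and Computers: every DC with its roles, GC flag and read-only flag.
function Get-DcRoleInventory {
    Get-ADDomainController -Filter * | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Site      = $_.Site
            GC        = $_.IsGlobalCatalog
            ReadOnly  = $_.IsReadOnly
            FsmoRoles = ($_.OperationMasterRoles -join ',')
            OS        = $_.OperatingSystem
        }
    }
}

# Current holder of a role as a host name; the two forest roles come from the forest object.
function Get-FsmoHolder {
    param([Parameter(Mandatory)][string]$Role)
    switch ($Role) {
        'SchemaMaster'         { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster'   { (Get-ADForest).DomainNamingMaster }
        'RIDMaster'            { (Get-ADDomain).RIDMaster }
        'PDCEmulator'          { (Get-ADDomain).PDCEmulator }
        'InfrastructureMaster' { (Get-ADDomain).InfrastructureMaster }
    }
}

# Transfer is the normal path. Seize is only for a holder that is really gone: seizing
# while the old holder still answers leaves two DCs that each believe they own the role,
# so this function refuses to seize from a holder that still responds on LDAP.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    foreach ($r in $Role) {
        $holder = Get-FsmoHolder -Role $r
        $alive  = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($Seize -and $alive)           { throw "$holder still answers LDAP; transfer $r instead of seizing it" }
        if (-not $Seize -and -not $alive) { throw "$holder is unreachable; a transfer of $r cannot complete" }
    }
    # -Force is what turns a transfer into a seize.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    foreach ($r in $Role) { "{0}: now held by {1}" -f $r, (Get-FsmoHolder -Role $r) }
}

# Pre-flight for domain controller cloning, covering the prerequisites and steps 1 to 6
# above, to run before the source DC is shut down.
function Test-DcCloneReady {
    param([Parameter(Mandatory)][string]$SourceDc)
    $problems = @()
    $src = Get-ADDomainController -Identity $SourceDc

    # Windows Server 2012 reports kernel version 6.2; anything lower cannot be cloned.
    if ($src.OperatingSystemVersion -match '^(\d+)\.(\d+)' -and
        ([int]$Matches[1] -lt 6 -or ([int]$Matches[1] -eq 6 -and [int]$Matches[2] -lt 2))) {
        $problems += "$SourceDc runs $($src.OperatingSystem); cloning needs Windows Server 2012 or later"
    }
    if ($src.OperationMasterRoles -contains 'PDCEmulator') {
        $problems += "$SourceDc holds the PDC emulator; move it before cloning"
    }
    $pdc = Get-FsmoHolder -Role PDCEmulator
    if (-not (Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        $problems += "PDC emulator $pdc must be online during cloning"
    }
    if ((Get-ADGroupMember -Identity 'Cloneable Domain Controllers').SamAccountName -notcontains "$($src.Name)`$") {
        $problems += "$SourceDc is not a member of Cloneable Domain Controllers"
    }
    # Software the cloning engine does not recognise blocks the clone unless it is
    # listed in CustomDCCloneAllowList.xml; the check must run on the source DC itself.
    $excluded = Invoke-Command -ComputerName $src.HostName -ScriptBlock { Get-ADDCCloningExcludedApplicationList }
    if ($excluded) {
        $problems += "Excluded applications on $SourceDc : $(($excluded.Name) -join ', ')"
    }
    [pscustomobject]@{ SourceDc = $SourceDc; Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Example run (constructed names):
# Get-DcRoleInventory | Format-Table
# Move-FsmoRole -Target WTT-DC-03 -Role InfrastructureMaster           # transfer
# Move-FsmoRole -Target WTT-DC-01 -Role InfrastructureMaster -Seize    # only if WTT-DC-03 is gone
# Test-DcCloneReady -SourceDc WTT-DC-02
```

Run Test-DcCloneReady before step 8 (shutting the source down); a Ready value of $false lists every unmet prerequisite at once, so the shutdown and export are not repeated for each one.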
FIGURE 10-13 The domain controller cloning process starts automatically

Once the cloning process has completed, log in to your new domain controller. Open Active Directory Sites and Services on your new domain controller. Navigate to the Default-First-Site-Name site and look in the Servers directory. Confirm that all three domain controllers are present. At this stage, you can power on your source domain controller that was previously left offline.

In preparation for the exam, familiarize yourself with the PowerShell cmdlets used to generate the custom application list XML and the cloning configuration XML. Be prepared to answer questions related to prerequisites, such as knowing which versions of Windows Server support domain controller cloning.

Chapter summary

■ How to install a new forest by using the GUI and PowerShell
■ Adding and removing a domain controller
■ Upgrading a domain controller
■ Using Server Core with AD DS
■ Using the Install from Media option to provision a domain controller
■ Using DNS SRV records with AD DS
■ Configuring a domain controller as a global catalog
■ Using FSMO roles in AD DS
■ Installing a read-only domain controller
■ Configuring domain controller cloning

Thought experiment: Upgrading the forest

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find answers to this thought experiment in the next section.

You are a systems administrator for Wingtip Toys, an organization with 16 offices around the globe, and an additional 45 stores that specialize in high-performance quadcopters and drones. Your team is relatively new to the organization, inheriting a single domain with a total of 72 domain controllers. A single physical writeable domain controller is present at each retail store, and a mixture of 1-2 domain controllers are present at each office.
All the domain controllers are running Windows Server 2008 R2 and the domain functional level is set to match. All the hardware for these domain controllers is reaching end-of-support over the next six months. Your enterprise applications team is also interested in integrating AD DS with their public-facing retail web portal. Your manager has added a domain controller refresh to the annual budget. In preparation for this work, he has requested answers to the following questions:

1. There is a concern with the limited physical security at each of the retail stores. What would you recommend for enhancing the logical security of the domain controllers at these locations?
2. System maintenance for the retail stores can only occur after hours, and it is critical that all systems are online before stores open. What is your recommendation for deploying the new domain controllers in this limited timeframe?
3. The main offices are not running a consistent number of domain controllers at each location. What is your recommendation for improving this topology?
4. What type of install would you recommend for the public-facing retail web portal?

Thought experiment answers

1. Implementing RODCs at the retail stores helps restrict potential malicious activities if the local domain controller is compromised.
2. Utilizing IFM for the deployment of these new domain controllers enables the team to rapidly deploy the new servers, as well as greatly reducing the replication overhead across the multiple WAN links.
3. To improve reliability and redundancy, each office should utilize two domain controllers. New servers should be deployed to offices that only contain a single domain controller.
4. For the web portal, utilizing a Server Core installation to host the domain controller improves security and limits downtime for routine patching, due to the reduced number of security patches.
CHAPTER 11 Implement identity federation and access solutions

In this chapter, we discuss the identity management solutions that are provided with Active Directory Federation Services (AD FS). AD FS can also be combined with the Remote Access server role, which can be used to enable a Web Application Proxy (WAP). AD FS can be used to manage federated environments and to enable multi-factor authentication for organizations. Used together with a WAP, clients can be preauthenticated by an application or service before being directed to the application server.

Windows Server 2016 introduces a few new features to AD FS, not all of which are included on the upgrade exam. New features include:
■ Azure multi-factor authentication (MFA) Use Azure to enable MFA for an application or server in the organization.
■ Password-less access from devices Use Azure AD or Intune MDM policies to enable sign-on and access control based on the compliance status of the device.
■ Sign in using Windows Hello for Business This was previously known as Microsoft Passport for Work.
■ Enable sign-in using third-party LDAP LDAP v3-compliant directories can be used as a source for authenticating users.
■ Customizable sign-in The logon screen for individual applications can be customized for companies or brands.
■ Enhanced auditing Auditing in AD FS in Windows Server 2016 has been streamlined and made less verbose to reduce administrative complexity.
■ SAML 2.0 support AD FS can be used with InCommon Federations and other SAML 2.0 configurations.
■ Simplified password management When federating with Office 365, password expiration notifications can be sent and managed by AD FS when a user is being authenticated.
■ Easier upgrades Previous versions required exporting a configuration and then importing it into a new farm. AD FS can now be upgraded within the existing farm to introduce the new capabilities in Windows Server 2016.
Skills in this chapter:
■ Install and configure Active Directory Federation Services
■ Implement Web Application Proxy

Skill 11.1: Install and configure Active Directory Federation Services
In this section, we discuss how to use Active Directory Federation Services (AD FS) to manage federated environments. First, we explain the new upgrade process that can be used with AD FS. We also explain new methods of managing authentication, including access control policies, multi-factor authentication, and device registration. Another new capability in Windows Server 2016 is enabling Windows Hello for Business for Windows 10 devices. Finally, we cover the new integration capabilities with Azure, Office 365, and other LDAP directories.

This section covers how to:
■ Upgrade and migrate previous AD FS workloads to Windows Server 2016
■ Implement claims-based authentication, including Relying Party Trusts
■ Configure authentication policies
■ Configure multi-factor authentication
■ Implement and configure device registration
■ Integrate AD FS with Windows Hello for Business
■ Configure for use with Microsoft Azure and Office 365
■ Configure AD FS to enable authentication of users stored in LDAP directories

274 CHAPTER 11 Implement identity federation and access solutions

Upgrade and migrate previous AD FS workloads to Windows Server 2016
To ensure that the new AD FS features introduced in Windows Server 2016 can be used in an AD FS farm, the farm behavior level (FBL) has been introduced to determine which features can and cannot be used. An AD FS farm that is comprised of Windows Server 2012 R2 hosts has an FBL of Windows Server 2012 R2. The FBL works like the domain or forest functional level in Active Directory. When a Windows Server 2016 host is added to a farm, the farm is considered to be running in a mixed mode. The new features available with Windows Server 2016 cannot be used until the FBL has been raised to Windows Server 2016.
The FBL cannot be raised until all Windows Server 2012 R2 servers have been removed from the farm. Upgrading a farm can be performed by in-place operating system upgrades of individual servers, or by adding and replacing servers as necessary. It is not necessary to deploy a new farm, or to export and import configuration settings, to perform an upgrade of the farm. The overall process of upgrading the farm includes:
1. Add the Windows Server 2016 servers to the existing farm.
2. Configure the AD FS farm properties by using the Set-AdfsSyncProperties cmdlet.
3. Complete the domain and forest preparation for Windows Server 2016.
4. Upgrade the AD FS FBL by using the Invoke-AdfsFarmBehaviorLevelRaise cmdlet.
5. Verify the current farm behavior by using the Get-AdfsFarmInformation cmdlet.

NEED MORE REVIEW? UPGRADING AD FS
For more information on upgrading AD FS farms, visit: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016.

Implement claims-based authentication, including Relying Party Trusts
When adding a Relying Party Trust, you can choose to make the trust claims-aware or non-claims-aware. Claims-aware applications use security tokens as part of the process for authentication and authorization. Non-claims-aware applications can be used with a Web Application Proxy (WAP) and Windows Integrated Authentication. Creating a Relying Party Trust can be performed from the AD FS snap-in. Figure 11-1 shows the initial screen of the wizard, where you select claims-aware or non-claims-aware.

Skill 11.1: Install and configure Active Directory Federation Services CHAPTER 11 275

FIGURE 11-1 Add Relying Party Trust

The next step of configuring a relying party trust is to specify the source data for the relying party. This information can be provided in one of three ways:
■ From a published source, online or on the network.
■ From a federation metadata file.
■ Entered manually in the wizard.
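Returning to the farm upgrade procedure described earlier in this skill, the following script is an added example (it is not from the book) that strings the cmdlets of steps 2, 4 and 5 together on a farm that uses the Windows Internal Database. The node name adfs01.contoso.com, the credential prompt and the assumption that the farm is WID-based rather than SQL-based are all this example's own assumptions; step 3 (domain and forest preparation) is run with adprep from the Windows Server 2016 media outside this script.

```powershell
# Added example, not from the book: finishing an in-place AD FS farm upgrade by
# raising the farm behavior level (FBL) once every Windows Server 2012 R2 node
# has been removed. Assumed: adfs01.contoso.com is the new Windows Server 2016
# node that becomes the primary, and the farm uses the Windows Internal Database
# (a SQL-based farm has no primary/secondary roles and skips step 2).

# Step 2: make this Windows Server 2016 node the primary node of the farm.
# Run on the 2016 node itself.
Set-AdfsSyncProperties -Role PrimaryComputer

# Then, on every other node, point configuration sync at the new primary:
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'adfs01.contoso.com'

# Step 3: adprep /forestprep and adprep /domainprep from the Windows Server 2016
# media are run outside this script.

# Step 4: raise the FBL. Test first; the test reports the blocking condition
# the text describes (a 2012 R2 node still in the farm) before anything changes.
$cred = Get-Credential -Message 'Account with Domain Admin rights'
Test-AdfsFarmBehaviorLevelRaise -Credential $cred | Format-List
Invoke-AdfsFarmBehaviorLevelRaise -Credential $cred

# Step 5: verify. CurrentFarmBehavior 3 corresponds to Windows Server 2016;
# FarmNodes lists each node in the farm.
$farm = Get-AdfsFarmInformation
$farm.CurrentFarmBehavior
$farm.FarmNodes | Format-Table -AutoSize
```

Run the test cmdlet and the raise cmdlet from the primary node; the raise cannot be undone, which is why the test call comes first.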
Figure 11-2 shows the available options for providing the configuration details.

FIGURE 11-2 Specifying data source

When specifying the details manually, the information that is required includes:
■ Display name
■ Optional certificate
■ Federation URLs
■ Relying party trust identifiers

After specifying the trust details, the next configuration item is whether to set access control policies. These policies can be configured now, or at a later time. A common access method is to permit everyone, but require multi-factor authentication when the request is external. Figure 11-3 shows selecting an access control policy.

FIGURE 11-3 Specifying data source

Configure authentication policies
Authentication policies, or access control policies as they are called in the AD FS management snap-in, define the authentication methods for an application. These policies can be used to define how users or devices can access an application by using AD FS. Figure 11-4 shows the built-in policies in the AD FS management snap-in.

FIGURE 11-4 Access Control Policies

You can also specify a custom access control policy from the AD FS management snap-in. The available options are to permit:
■ Everyone
■ Users
■ From a specific network
■ From specific security groups
■ From devices that have a specific trust level
■ With specific claims in the request
■ And require multi-factor authentication

You can also permit these users or groups with the following exceptions:
■ Specific networks
■ Specific groups
■ Devices with specific trust levels
■ Specific claims in the request

Figure 11-5 shows defining a custom access control policy.
FIGURE 11-5 Custom access control policy

Configure multi-factor authentication
Using Azure multi-factor authentication (MFA) with AD FS has several prerequisites:
■ An Azure subscription that includes Azure Active Directory
■ Azure multi-factor authentication
■ As of this writing, this is included with the Azure AD Premium and Enterprise Mobility Suite subscription options.
■ On-premises AD FS at the Windows Server 2016 Farm Behavior Level
■ The on-premises AD FS must be federated with Azure AD
■ The Windows Azure Active Directory Module for Windows PowerShell must be installed
■ You must have global administrator permissions to modify Azure AD
■ You must have Enterprise Administrator credentials to configure the AD FS farm

Overall, the general configuration process for using MFA with Azure includes:
1. Generate a certificate for Azure MFA on each AD FS server.
2. Add the credentials to the Azure MFA Auth Client SPN.
3. Configure the AD FS farm.

Generating a certificate for Azure MFA is completed by running the New-AdfsAzureMfaTenantCertificate cmdlet. This certificate is generated and placed in the local machine's certificate store on the AD FS server. The subject name of the certificate is the TenantID of the Azure AD directory. To add the credentials to the SPN for Azure MFA, obtain the credentials from the generated certificate. Add the credentials by using the New-MsolServicePrincipalCredential cmdlet and specify the GUID of the Azure MFA Auth Client. Finally, configure the AD FS farm by using the Set-AdfsAzureMfaTenant cmdlet. This cmdlet requires the TenantId and ClientId for the Azure subscription. After making the configuration change, the AD FS service must be restarted on each server in the farm. After restarting the service, Azure MFA is available as an authentication method. Figure 11-6 shows using Azure MFA as an authentication method.
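The three-step Azure MFA configuration just described, written out as one script. This is an added example and not the book's own code: the tenant ID is a placeholder you replace with your own, the application ID 981f26a1-7f43-403b-a875-f8b09b8cd720 is the ID Microsoft documents for the Azure Multi-Factor Auth Client, and the final Set-AdfsGlobalAuthenticationPolicy call, which makes the provider selectable as in Figure 11-6, goes one step beyond the text.

```powershell
# Added example, not from the book: wiring an AD FS farm to Azure MFA.
# Run on one AD FS node with the ADFS and MSOnline modules available.
$tenantId         = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD tenant ID
$azureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # documented app ID of the Azure Multi-Factor Auth Client

# Step 1: generate the tenant certificate on this node (repeat on every node).
# The cmdlet stores the certificate in Cert:\LocalMachine\My and returns it as base64.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId

# Confirm it landed in the machine store; the subject carries the tenant ID.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$tenantId*" } |
    Select-Object Subject, Thumbprint, NotAfter

# Step 2: register the certificate as a verification credential on the
# Azure MFA Auth Client service principal (requires a global administrator).
Import-Module MSOnline
Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId $azureMfaClientId `
    -Type asymmetric -Usage verify -Value $certBase64

# Step 3: point the farm at the tenant, then restart AD FS on each node.
Set-AdfsAzureMfaTenant -TenantId $tenantId -ClientId $azureMfaClientId
Restart-Service adfssrv

# Make Azure MFA selectable as an additional authentication method (Figure 11-6).
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider AzureMfaAuthentication
```

Step 1 has to run on every node because each server needs its own certificate, and each of those certificates has to be registered in step 2; step 3 is a farm-wide setting and runs once.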
FIGURE 11-6 Authentication methods

Implement and configure device registration
AD FS in Windows Server 2016 enhances device registration to enable sign-on and access control based on the compliance status of a device. When users authenticate using a device credential, the device's compliance is re-evaluated to ensure that policies are applied appropriately. This can include:
■ Enabling access only from devices that are managed and/or compliant.
■ Enabling external access for devices that are managed and/or compliant.
■ Requiring MFA for computers that are not managed or compliant.

Figure 11-7 illustrates using device registration with AD FS. Users and devices can be enrolled by using Azure AD or Microsoft Intune. Both services use Azure AD with Azure AD Connect device write-back. The devices can connect to on-premises services that might also contain conditional access policies, device authentication, or MFA.

FIGURE 11-7 Device registration illustration

A device's trust level is one of three levels:
■ Authenticated Devices that have been authenticated are registered in Azure AD, but have not been enrolled in a mobile device management (MDM) policy.
■ Managed Managed devices are registered devices that are also enrolled in an MDM policy.
■ Compliant Devices that are compliant are registered and enrolled in an MDM policy. In addition, the device meets the requirements of the MDM policy.

Integrate AD FS with Windows Hello for Business
Windows Hello for Business enables organizations to replace user passwords with a PIN or biometric gestures. AD FS supports these Windows 10 capabilities to provide authentication without needing a password. The general steps to enable Windows Hello with AD FS include:
1. Deploy System Center Configuration Manager with a public key infrastructure.
2. Configure policy settings through Configuration Manager or Group Policy.
3. Configure certificate profiles with the smart card sign-in extended key usage.

NEED MORE REVIEW? CONFIGURING SCCM WITH WINDOWS HELLO
For a step-by-step guide to configuring Configuration Manager with Windows Hello, visit https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-passport-deployment/.

Configure for use with Microsoft Azure and Office 365
Earlier in this chapter we explained that you can enroll devices in MDM policies through Azure AD and enable MFA with Azure AD. AD FS can also integrate with Azure and Office 365 to send password expiration claims to applications that are federated with AD FS. With Office 365, the password expiration notice can be sent to Exchange and Outlook to notify users that their password will soon expire. As of this writing, these claims are only available for authentication using a username and password, or using Windows Hello for Business. If a user authenticates by using Windows integrated authentication without Windows Hello for Business, the password expiration is not displayed. Additionally, a password expiration notice is only displayed if the password expires within the next 14 days. To configure AD FS to enable password expiration claims, add the following claim rule to the relying party trust.
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

Configure AD FS to enable authentication of users stored in LDAP directories
AD FS in Windows Server 2016 introduces support for three new LDAP scenarios:
■ Third-party LDAP v3-compliant directories
■ AD forests that do not have a two-way trust
■ AD Lightweight Directory Services (AD LDS)

You can create a connection from AD FS to the LDAP directory by using the New-AdfsLdapServerConnection cmdlet. Figure 11-8 shows creating a new LDAP server connection.

FIGURE 11-8 New-AdfsLdapServerConnection

Then, you can map LDAP attributes to AD FS claims by using the New-AdfsLdapAttributeToClaimMapping cmdlet. For example, you can map the name, surname, and displayName fields to the appropriate AD FS claims. Finally, register the LDAP store with the AD FS farm as a claims provider by using the Add-AdfsLocalClaimProviderTrust cmdlet.

Skill 11.2: Implement Web Application Proxy
In this section, we explain how to install and configure a reverse proxy by using the Web Application Proxy (WAP). A WAP is useful for integrating with AD FS and providing access to internal applications. A WAP enables organizations to use either pass-through or AD FS preauthentication in a perimeter network for external users.
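Before moving on to the WAP, here is the three-cmdlet LDAP procedure from the end of Skill 11.1 as one script. This is an added example, not the book's code: the host ldap.vendor.example, the port, the base DN, the account suffix and the bind credential are all assumed values, and the registration cmdlet is spelled Add-AdfsLocalClaimsProviderTrust in the AD FS module.

```powershell
# Added example, not from the book: registering a third-party LDAP v3 directory
# as a local claims provider in AD FS. All names below are assumptions.

# 1. Connection to the LDAP server. Port 636 over SSL keeps the bind credential
#    and user passwords off the wire in clear text; the bind account needs read
#    access to the user container only.
$ldapCred  = Get-Credential -Message 'LDAP bind account (read-only)'
$vendorDir = New-AdfsLdapServerConnection -HostName 'ldap.vendor.example' -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $ldapCred

# 2. Attribute-to-claim mappings: givenName, sn and displayName become the
#    standard given name, surname and name claims.
$claimBase = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'
$givenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'givenName'   -ClaimType ($claimBase + 'givenname')
$surname   = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'sn'          -ClaimType ($claimBase + 'surname')
$display   = New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'displayName' -ClaimType ($claimBase + 'name')

# 3. Register the directory as a claims provider. The anchor claim (mail here)
#    is the attribute that uniquely identifies a user in this store; the
#    acceptance rule passes all incoming claims through unchanged.
Add-AdfsLocalClaimsProviderTrust -Name 'Vendor directory' -Identifier 'urn:vendor-directory' `
    -Type Ldap -LdapServerConnection $vendorDir `
    -UserObjectClass 'inetOrgPerson' -UserContainer 'OU=People,DC=vendor,DC=example' `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute 'mail' -AnchorClaimType ($claimBase + 'emailaddress') `
    -LdapAttributeToClaimMapping @($givenName, $surname, $display) `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);' `
    -OrganizationalAccountSuffix 'vendor.example' -Enabled $true

# Verify what the farm now knows about the provider.
Get-AdfsLocalClaimsProviderTrust -Name 'Vendor directory' |
    Select-Object Name, Identifier, Enabled, OrganizationalAccountSuffix
```

The OrganizationalAccountSuffix value is what lets AD FS route a sign-in such as user@vendor.example to this store instead of to Active Directory, so choose a suffix that does not collide with any UPN suffix in the forest.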
This section covers how to:
■ Install and configure WAP
■ Implement WAP in pass-through mode
■ Implement WAP as AD FS proxy
■ Integrate WAP with AD FS
■ Configure AD FS requirements
■ Publish web apps via WAP
■ Publish Remote Desktop Gateway applications
■ Configure HTTP to HTTPS redirects
■ Configure internal and external Fully Qualified Domain Names

Install and configure WAP
While the WAP role service is used with AD FS, the role service itself is part of the Remote Access server role. Installing the role service is accomplished by using the Add Roles and Features Wizard, or by using Windows PowerShell. Once added, use the Web Application Proxy Configuration Wizard, as shown in Figure 11-9, to configure the service.

FIGURE 11-9 Web Application Proxy Configuration

Skill 11.2: Implement Web Application Proxy CHAPTER 11 285

As part of the configuration wizard, you connect to the AD FS farm and obtain the certificates that are available and can be used with the Web Application Proxy. Select the desired certificate, as shown in Figure 11-10, and then complete the wizard.

FIGURE 11-10 Web Application Proxy Configuration

Additionally, you can configure the Web Application Proxy by using the Install-WebApplicationProxy cmdlet. The cmdlet must specify the federation service name and the certificate thumbprint to be used:

Install-WebApplicationProxy -CertificateThumbprint 'A142A369FC60C7984A70A56A17E31228546D85D8' -FederationServiceName 'host02.contosoforest.com'

Implement WAP in pass-through mode
Pass-through mode instructs the WAP not to perform any authentication. All requests that are received by the WAP are automatically forwarded to the destination application. Figure 11-11 shows selecting pass-through as the WAP authentication method.
FIGURE 11-11 Publish New Application Wizard

Alternatively, you can use the Add-WebApplicationProxyApplication cmdlet and specify PassThrough for the ExternalPreAuthentication parameter.

Add-WebApplicationProxyApplication -BackendServerURL 'https://app1.contosoforest.com/' -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' -ExternalURL 'https://app1.contosoforest.com/' -Name 'App1 (no preauthentication)' -ExternalPreAuthentication PassThrough

Implement and integrate WAP as AD FS proxy
Two of the skills in this section involve using WAP with AD FS, so we combine them here. Figure 11-10 also shows the other pre-authentication option for WAP, which is AD FS. If the WAP receives a request that is not authenticated, the request is redirected to the AD FS farm. After being authenticated by AD FS, the request is then sent to the backend application. If the client is using Windows integrated authentication, the WAP can forward the credentials to the backend application.

Figure 11-12 shows the supported clients that can be used with an AD FS proxy, including:
■ Web and MSOFBA Authenticates web apps, including Microsoft Office.
■ HTTP Basic New for Windows Server 2016, this is used for clients that do not support HTTP redirect, such as Exchange ActiveSync.
■ OAuth2 Windows Store apps or Office clients that support OAuth2 authentication.

FIGURE 11-12 Supported clients

Configure AD FS requirements
The only requirement for using a WAP with AD FS is that the farm is configured with a relying party trust. Without a relying party trust, you are not able to publish an application to be used with the WAP.
Publish web apps via WAP
Publishing an application is performed from the Remote Access Management Console by using the Publish New Application Wizard. When publishing an application, you must specify the following information for the application:
■ Preauthentication method
■ Supported clients
■ Relying party trust
■ Publishing settings

Figure 11-13 shows the publishing settings that must be defined for an application.

FIGURE 11-13 Publish New Application Wizard

Alternatively, you can use the Add-WebApplicationProxyApplication cmdlet to publish an application.

Add-WebApplicationProxyApplication -BackendServerUrl 'https://app1.contosoforest.com' -ExternalCertificateThumbprint '2FC38D0224B0A6412F450A9597271179878708B0' -EnableHTTPRedirect:$true -ExternalUrl 'https://app1.contosoforest.com' -Name 'App1' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName 'AD FS'

Publish Remote Desktop Gateway applications
Publishing a Remote Desktop Gateway (RDG) enables you to restrict access to the RDG and add a layer of pre-authentication using a WAP. This is especially useful for enabling MFA with RDG. The process of publishing an RDG through a WAP depends on whether RD Web Access and RD Gateway are configured on the same server or on different servers. Using one server enables you to publish only the root FQDN. Using different servers means that you must publish two directories separately. As with other published applications, you must create a relying party trust using the FQDN of the RDG. You can then publish the root of the site in the WAP. You must also disable the HttpOnly cookie property in the WAP for the published application.

NEED MORE REVIEW? PUBLISHING RDG WITH WAP
For a step-by-step guide to publishing an RDG with a WAP, visit https://technet.microsoft.com/en-us/library/dn765486.aspx.
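The publishing procedures of this skill (pass-through, AD FS preauthentication, and an RDG with HttpOnly cookie protection disabled) combined into one script, followed by a check of what the proxy exposes. This is an added example rather than the book's code; the hostnames under contosoforest.com, the relying party trust names and the all-zero thumbprint are placeholders for your own values.

```powershell
# Added example, not from the book: publishing three applications through a WAP,
# one per preauthentication pattern discussed above. All names are placeholders.
$extCert = '0000000000000000000000000000000000000000'   # placeholder: thumbprint of the external TLS certificate

# Pass-through: the WAP authenticates nothing and forwards every request.
# Reserve this for content that is already public or that authenticates itself.
Add-WebApplicationProxyApplication -Name 'Status page (pass-through)' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://status.contosoforest.com/' `
    -BackendServerUrl 'https://status.contosoforest.com/' `
    -ExternalCertificateThumbprint $extCert

# AD FS preauthentication: unauthenticated requests are redirected to the farm;
# requires a relying party trust (here named 'App1') to exist before publishing.
# EnableHTTPRedirect sends plain-HTTP clients to the HTTPS URL.
Add-WebApplicationProxyApplication -Name 'App1' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'App1' `
    -ExternalUrl 'https://app1.contosoforest.com/' `
    -BackendServerUrl 'https://app1.contosoforest.com/' `
    -ExternalCertificateThumbprint $extCert `
    -EnableHTTPRedirect:$true

# Remote Desktop Gateway: root of the site published behind AD FS, with the
# HttpOnly cookie protection disabled as the RDG procedure requires.
Add-WebApplicationProxyApplication -Name 'RD Gateway' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'RDG' `
    -ExternalUrl 'https://rdg.contosoforest.com/' `
    -BackendServerUrl 'https://rdg.contosoforest.com/' `
    -ExternalCertificateThumbprint $extCert `
    -DisableHttpOnlyCookieProtection:$true

# Review the published set: anything still PassThrough or without HTTP redirect
# stands out in this table and should be a deliberate choice.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl, EnableHTTPRedirect |
    Format-Table -AutoSize
```

Each Add-WebApplicationProxyApplication call returns nothing on success; the closing Get-WebApplicationProxyApplication listing is the place to confirm the preauthentication mode and URLs actually recorded for each application.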
Configure HTTP to HTTPS redirects
Windows Server 2016 and WAP introduce a new capability to automatically redirect user requests from unsecured HTTP to secure HTTPS connections. The redirection setting is controlled per published application, and is simply enabled or disabled for the application. Figure 11-14 shows the setting enabled for a published application. When using the Add-WebApplicationProxyApplication cmdlet, the EnableHTTPRedirect parameter accepts either $True or $False to enable or disable redirecting client requests.

Configure internal and external Fully Qualified Domain Names (FQDNs)
As shown in Figure 11-13, two FQDN addresses are configured for an application. The External URL is the FQDN that external users request when attempting to access an application. The backend server URL is the FQDN of the internal resource where the application is available. In most scenarios, these URLs should be the same. If the FQDNs are different for external and internal requests, then URL translation must also be configured to ensure that requests are redirected correctly. To enable URL translation, use the Set-WebApplicationProxyApplication cmdlet.
Set-WebApplicationProxyApplication -ID AppID -DisableTranslateUrlInRequestHeaders:$False

Chapter summary
■ Using the Farm Behavior Level in AD FS to determine features
■ Creating a relying party trust for claims-based authentication
■ Configuring access control policies for AD FS
■ Using multi-factor authentication with AD FS
■ Understanding device registration with AD FS
■ Integrating Windows Hello for Business with AD FS
■ Using third-party LDAP with AD FS
■ Installing and configuring a Web Application Proxy
■ Using pass-through or AD FS modes of a WAP
■ Publishing applications through a WAP
■ Publishing Remote Desktop Gateways through WAP
■ Redirecting user requests to be secure with HTTPS
■ Understanding the external and backend URLs with WAP

Thought Experiment
An organization has an existing Windows Server 2012 R2 AD FS farm. They plan to upgrade the farm to Windows Server 2016. After the upgrade, they also plan to implement Azure MFA with their applications. The organization does not currently have any additional configuration software in their environment. The MFA solution must also work with biometric options. After the upgrade, they plan to centralize user requests by using a reverse proxy. All user requests must be secured. Using the above scenario, answer the following questions.
1. How should the organization complete the upgrade?
2. What additional software should the organization use to integrate Azure MFA?
3. What technology should the organization use to enable biometric MFA?
4. How should the organization ensure that all requests are secure?

Thought Experiment Answers
1. The organization should perform individual upgrades to raise the Farm Behavior Level of the AD FS farm. They should not reinstall AD FS and export the configuration.
2. They should use System Center Configuration Manager to simplify the configuration and management of Azure MFA.
3. Windows Hello for Business should be used to ensure that biometric authentication can be used with the published applications.
4. They should set the WAP to redirect all HTTP requests to HTTPS for each published application.

Index
A access. See data access access control role-based 204–205 access control policies 278–280 ACEs. See Access Control Entries (ACEs) ACM. See Application Compatibility Manager ACT. See Application Compatibility Toolkit activation models 11–14 Active Directory-based activation 13–14 Automatic Virtual Machine Activation (AVMA) 11–12 Key Management Service (KMS) 13 Active Directory (AD) forests 204 Active Directory-based activation 13–14 Active Directory Domain Services (AD DS) 2, 243–272 DNS and 257–258 DNS server and 164 domain controllers 243–272 cloning 267–269 demoting existing 249–250 installation 243–248 installing from Install from Media 253–256 installing new 248–249 read-only 243, 263–267 upgrading 250–251 Flexible Single Master Operation (FSMO) roles 260 forests installation 244–248 global catalog servers 258–260 installing on Server Core 251–253 logical structure 244–245 Active Directory Domain Services Configuration Wizard 246, 249, 266 Active Directory Federation Services (AD FS) 210, 273–292 authentication claims-based 275–278 multi-factor 280–281 of users stored in LDAP directories 284 policies 278–280 device registration 282 features of 273 installation 274–275 Microsoft Azure and 283 migration of 275 Office 365 and 283 upgrades 274, 275 WAP and 287–288 Windows Hello for Business and 283 Active Directory Federation Services (AD FS) Proxy role service.
See Web Application Proxy Active Directory Sites And Services Management console 259 Add-AdfsLocalClaimProviderTrust cmdlet 284 Add-ClusterDisk cmdlet 141 Add-ClusterSharedVolume cmdlet 141 Add DNS Resource Record option 203 Add-DnsServerConditionalForwarderZone cmdlet 167 Add-DnsServerForwarder cmdlet 166 Add-DnsServerResourceRecord cmdlet 179 Add-DnsServerRootHint cmdlet 169 Add-DnsServerZoneDelegation cmdlet 170 Add-DnsServerZoneTransferPolicy cmdlet 179 Add-IpamBlock cmdlet 194 Add-IpamDiscoveryDomain cmdlet 192 Add-IpamRange cmdlet 195 Add Role or Feature Wizard 285 Add Roles and Features wizard 211 Add Roles and Features Wizard 52–53, 246 Add Roles And Features wizard 184 ADDSSetup.ps1 script 247 293 Add-WebApplicationProxyApplication cmdlet Add-WebApplicationProxyApplication cmdlet 287, 289, 290 AD FS. See Active Directory Federation Services; See Active Directory Federation Services AdministratorPassword parameter 16 Allow machine certificate authentication for IKEv2 216 applications Remote Desktop Gateway 290 web-based 210 web, publishing 289 apps. See also application management App-V. See Microsoft Application Virtualization ASN. See Autonomous System Numbers Asynchronous Transfer Mode (ATM) 215 ATM. 
See Asynchronous Transfer Mode auditing AD FS 273 audit logging 175 authentication Allow machine certificate authentication for IKEv2 216 CHAP 38 claims-based 275–278 DNS-based 163 Encrypted 216 Extensible Authentication Protocol 216 HTML 121 Kerberos 121–123 KerbProxy 222 Microsoft Encrypted Authentication version 2 216 multi-factor 273, 280–281 OAuth2 288 options 216 policy configuration 278–280 RADIUS 216 remote clients 214–215 Reverse CHAP 38 Windows 216 Windows Integrated Authentication 275 Authorization Manager role 55–57 Automatic Virtual Machine Activation (AVMA) 11–12 Autonomous System Numbers (ASN) 239 Azure AD FS and 283 multi-factor authentication 273, 280–281 Azure portal storage account in 133–134 Azure Structured Query Language (SQL) 2 294 B backend server URLs 290 backup options 136 backup solutions deduplication and 48 bandwidth management 84 base operating system installation 97 BGP. See Border Gateway Protocol BGP-enabled router 238 BGP routing 239 BitLocker Drive Encryption 3 blob files 130 Border Gateway Protocol (BGP) 211 C CA. See Customer Address cache locking 173 certificates. See digital certificates; See user certificates Certification Authority (CA) 114 CHAP protocol 38 checkpoints management of 79 child domains 244 claims-based authentication 275–278 client configuration for DirectAccess 223 client subnets 171 cloning domain controllers 267–269 cloud witnesses configuration of 130–134 Cluster-Aware Updating (CAU) 138–140 clustered shared volumes (CSVs) 141 cluster networking 134–135 Cluster Operating System Rolling Upgrade 140–141 Cluster OS Rolling Upgrade 10 clusters guest 146–147 multi-domain 127–130 naming 129 single 127 site-aware 157–158 storage configuration 136–137 db_ddladmin Storage Spaces Direct in 149–150 stretch 42, 157–158 without network names 142 workgroup 127–130 Cluster Shared Volumes (CSV) 232 cluster-to-cluster replication 42–43 collaboration. 
See also sharing
commit parameter 101
Common Address Redundancy Protocol (CARP) 22
compute resiliency 145
conditional forwarders 167
configuration
  Datacenter Bridging (DCB) 40
  data deduplication 45–46
  Desired State Configuration (DSC) 9–10
  differencing disks 76
  Docker 96–97
  dynamic memory 63
  FreeBSD Integration Services 69
  Hyper-V networking 82–90
  Hyper-V storage 73–82
  Internet Storage Name Service (iSNS) 39–40
  iSCSI target and initiator 35–40
  Linux Integration Services 69
  MAC addresses 86–88
  Microsoft UEFI Certificate Authority 70
  Multi-Path IO (MPIO) 41–42
  Nano Server 19–20
  Non-Uniform Memory Access 63–64
  pass-through disks 77
  Resource Metering 65–66
  Smart Paging 64–65
  storage pools 30–32
  storage Quality of Service 82
  tiered storage 35
  virtual machines 62–72
    using Windows PowerShell Direct 59
  Windows Containers 94–96
Configure Cluster Quorum Wizard 131–132
Configure DHCP Policy 202
Configure DHCP User Class 202
Configure DHCP Vendor Class 202
Configure Predefined DHCP Options 202
Configure Preferred DNS Server option 203
connection profiles 217
connectivity. See also client connectivity
connectors. See also receive connectors; send connectors
constrained delegation 123
containers 1
Converged RDMA 231
Convert-VHD cmdlet 78
Create DHCP Scope 201
Create DNS Conditional Forwarder 203
Create DNS Zone 203
Create Full installation media 253
Create RODC installation media 253
Create Sysvol Full installation media 253
Create Sysvol RODC installation media 253
credentials script 9
Credential Security Support Provider (CredSSP) 121–123
CrossSiteDelay property 157
CrossSiteThreshold property 157
CSV. See Cluster Shared Volumes
CustomDCCloneAllowList.xml 268
Customer Address (CA) 237

D
daemon.json file 96–97
DANE. See DNS-based Authentication of Named Entities
data, shared. See shared resources
DataAccess parameter 45
database storage
  configuration of IPAM, using SQL Server 198
Data Center Bridging (DCB) 90, 231
  configuration 40
Datacenter Firewall 239–240
data deduplication 44–47
  backup and restore solution with 48
  configuration 45–46
  implementation 45–46
  monitoring 47–48
  usage scenarios for 45–46
data volumes
  container 106–107
db_datareader 198
db_datawriter 198
db_ddladmin 198
DCB. See Data Center Bridging
dcdiag utility 257
DCP. See Data Collection Package
DDA. See Discrete Device Assignment
Deactivate DHCP Policies 202
Debug-StorageSubsystem cmdlet 149
default gateways 236
delegated administration
  of DNS server 175–177
Delete DNS Zone option 203
Denial of Service (DoS) attacks 173
DependsOn 9
deployment 20–25
  FreeBSD 22–23
  Linux 22–23
  Windows Containers 93–99
Deployment Image Servicing and Management (DISM) 25
Desired State Configuration (DSC) 9–10
  components of 9
  scripts 9
Desktop Experience 7
Device Health Attestation 5
device registration 282
DFS. See Distributed File System
DHCP. See Dynamic Host Configuration Protocol
DHCP directory properties 188
diagnostic logging 175
differencing disks 74
  configuration of 76
DirectAccess 209
  client configuration 223
  configuration 218–222
  DNS Suffix list 220
  Group Policy Objects 221–222
  installation 218–222
  network topology 220–221
  server requirements 222
  troubleshooting 223
DirectAccess and VPN (RAS) role service 210
DirectAccess client GPO 221
DirectAccess server 211
DirectAccess server GPO 221
Directory Services Restore Mode (DSRM) password 249, 265
disaggregated Storage Spaces Direct 149
disaster recovery
  Storage Replica for 42–44
Discrete Device Assignment (DDA) 72
disks 136
disk witness 130
distributed firewall policies 239–240
DLP. See Data Loss Prevention
DNS. See Domain Name System
DnsAdmins Active Directory security group 175
DnsAdmins security group 191–192
DNS-based Authentication of Named Entities (DANE) 174
DNS Manager 257
DNS Record Administrator Role 205
DNSSEC. See Domain Name System Security Extensions
DNS servers 163–182
  cache locking 173
  configuration, for IPAM deployment 189–191
  delegated administration 175–177
  delegation configuration 169–170
  dynamic updates 201
  forwarders configuration 165–168
  installation 164–165
  managing, in multiple AD forests 204
  modifying global settings using PowerShell 179
  performance tuning 179
  properties 175
    managing, using IPAM 202–203
  recursion settings 177–178
  Response Rate Limiting 173–174
  root hints 168–169
  usage scenarios 164
DNS Suffix list 220
docker 1
docker command 97
Docker daemon
  Docker Hub and 107
  installation 95–96
  listing available networks using 105
  Microsoft Azure and 109
  resource control using 106
  start-up options 96–97
  Windows Container management using 101–102
Dockerfile 107
Docker Hub 107–108
Docker tag 98–99
Docker VM Extension 109
documents. See also files
domain controllers 191, 243–272
  cloning 267–269
  demoting existing 249–250
  DNS and 257–258
  Flexible Single Master Operation (FSMO) roles 260
  forests installation 244–248
  global catalog servers 258–260
  installation 243–248
    from Install from Media 253–256
  new 248–249
  read-only 243, 260, 263–267
  upgrading 250–251
Domain Name System (DNS)
  deployment on Nano Server 165
  DHCP integration 164
  logging 175
  policies 163, 171–172
  records 203
  socket pool 173
  split-brain 171
  SRV record registration issues 257–258
  using RBAC for administration of 204–205
  zones 203
Domain Name System Security Extensions (DNSSEC) 172–173
domain naming master role 260
domains 244
  adding domain controller 248–249
  demoting existing domain controllers 249–250
  domain trees 244
DRA.
  See Data Recovery Agent
dynamically expanding disks 73
Dynamic Host Configuration Protocol (DHCP) 164
  configuration
    failover 202
    options 201–202
    policies 202
    scopes 201–202
  managing, using IPAM 199–202
  server properties
    managing, using IPAM 200–201
  servers
    configuration 186–189
    in multiple AD forests 204
    IP addresses 213
  using RBAC for administration of 204–205
dynamic memory
  configuration 63
Dynamic Quorum 130
dynamic routing 211
dynamic virtual machine queue (VMQ) 86

E
EAP. See Extensible Authentication Protocol
Edit DHCP Server Options 201
Edit DNS Zone option 203
Edit Virtual Hard Disk Wizard 77
emulated devices 69
Enable-ClusterS2D cmdlet 149
Enable DirectAccess Wizard 219
Enable-NetAdapterRdma cmdlet 232
Enable-NetAdapterVmq cmdlet 233
Enable-NetQosFlowControl cmdlet 231
Enable-PSRemoting cmdlet 58
Enable-VMResourceMetering cmdlet 66
encapsulation
  Network Virtualization Generic Route Encapsulation 237
enclosure awareness resiliency 34–35
enclosures 136
Encrypted authentication (CHAP) 216
encryption
  Microsoft Point-to-Point Encryption 215
enhanced session mode 68–69
Enter-PSSession cmdlet 60, 165
ESRA. See EdgeSync replication account (ESRA)
Event Log Readers group 187
Event Viewer 175
exporting virtual machines 71–72
Extensible Authentication Protocol (EAP) 214, 216
External URLs 290

F
Fabric Management
  shielding tools for 6
failover
  DHCP 202
Failover Cluster feature 128
failover clustering 126–146
  Cluster-Aware Updating 138–140
  clustered shared volumes 141
  cluster networking 134–135
  Cluster Operating System Rolling Upgrade 140–141
  clusters without network names 142
  configure drain on shutdown 160–161
  guest clusters 143, 146–147
  live migration 158
  management of 152–157
  managing VMs in clustered nodes 158–161
  multi-domain clusters 127–130
  node fairness 157
  preference settings 154–155
  quorum and cloud witnesses 130–134
  restore single node or cluster configuration 136
  role-specific settings 152
  Scale-Out File Server 142
  single clusters 127–130
  site-aware clusters 157–158
  storage configuration 136–137
  Storage Replica 143–144
  stretch clusters 157–158
  VHDX sharing 146–147
  VM monitoring 153
  VM resiliency 145
  workgroup clusters 127–130
Failover Cluster Manager 128, 141
failover clusters
  upgrading 10
failovers
  planned 114
  test 114
  unplanned 115
  with Hyper-V replica 114–115
farm behavior level (FBL) 275
farms
  upgrading 275
Fast IDE drivers 23
FBL. See farm behavior level
federated environments 273
Fibre Channel (FC) adapters
  virtual 80–81
files, shared. See shared resources
file share witness 130
file sizes
  deduplication and 47
file system settings 34–35
filtered attribute set (FAS) 264
Find-IpamFreeAddress cmdlet 197
Find-IpamFreeRange cmdlet 197
Find-IpamFreeSubnet cmdlet 197
firewall policies
  distributed 239–240
firewall port 443 215
firewall properties 179, 186, 189, 213
firewall settings
  Nano Server 20
fixed size disks 73
Flexible Single Master Operation (FSMO) roles 260–263
  functions of 260
  installation 261
  seizing 261, 262–263
  transferring 261, 262
forests
  about 245
  DHCP servers in multiple 204
  DNS servers in multiple 204
  installation 244–249
    using PowerShell 247–248
    using Server Manager 245–247
forwarders 177
  conditional 167
  configuration of 165–168
forwarding gateways 239
FPS-SMB-In-TCP firewall rule 96
FreeBSD
  deployment 22–23
  virtual machines 69
FreeBSD Integration Services (BIS) 69
FSMO. See Flexible Single Master Operation
fully qualified domain name (FQDN) 169–170, 220
  configuration 290

G
garbage collection 45, 47
Generation 1 VMs 68
Generation 2 VMs 68
Generic Route Encapsulation 234
GEOM labels 23
Get-ADComputer cmdlet 190
Get-ClusterAvailableDisk cmdlet 141
Get-Command cmdlet 171
Get-DnsServerRootHint cmdlet 169
Get-NetAdapter cmdlet 252
Get-NetAdapterRdma cmdlet 232
GetScript 9
Get-VMIntegrationService cmdlet 67
Get-WindowsFeature cmdlet 6
GitHub repository 102
global catalog servers 258–260
Graphical User Interface (GUI) installation 3
GRE tunneling 239
Group Policy
  IPAM provisioning with 185
Group Policy Objects (GPOs) 185
  DirectAccess policies 221–222
GRUB boot menu 23
guest clusters 143, 146–147
GUID Partition Tables (GPT) 68

H
hard disk drives (HDD) 35
hardware requirements 3, 15
  for Hyper-V 52
  nested virtualization 94
high availability 113–162, 171
  failover clustering 126–146, 152–157
  in Hyper-V 114–126
  Live Migration and 115–124
  managing VMs in clustered nodes 158–161
  Storage Spaces Direct 147–150
high performance network solutions 228–234
  Data Center Bridging 231
  NIC Teaming 228–229
  Receive Side Scaling 229–230
  Remote Direct Memory Access 231–232
  Single-Root IO Virtualization 233–234
  SMB Multichannel 232
  Switch Embedded Teaming 228–229
  Virtual Machine Multi-Queue 233
history parameter 102
HTML authentication 121
HTTP Basic 288
HTTP to HTTPS redirects 290
hygiene. See message hygiene
hyper-converged Storage Spaces Direct 150–151
Hyper-V
  containers 99–101
  delegation of virtual machine management 55–58
  Discrete Device Assignment 72
  enhanced session mode 68–69
  FreeBSD and 69
  guest clustering in 143
  hardware and compatibility requirements for 52
  high availability in 114–126
  implementation 51–92
  installation 51–58
  integration services 67
  Linux and 69
  Live Migration in 115–120
  management tools 52–53
  memory enhancements 1
  Move Wizard 123–126
  moving and converting VMs 70–71
  nested virtualization 60
  network configuration 82–90
    MAC addresses 86–88
    network adapters 83–85
    network isolation 84–85
    network performance optimization 85–86
    NIC teaming 88–89
    virtual switches 84–85
    vNICs 83–85
  remote management of hosts 58–59
  replica 114–115
  resiliency 145
  Smart Paging 64–65
  storage configuration 73–82
  storage migration 123–126
  supported operating systems 22
  upgrading from existing versions 54
  virtual machine configuration 62–72
  VM monitoring 153
  Windows Containers and 94
Hyper-V Administrators group 55
Hyper-V Authorization Manager store 55
Hyper-V Manager
  adding virtual network adapters 83–85
  checkpoint configuration 79
  creating VHD and VHDX files with 73–74
Hyper-V Network Virtualization 218, 234, 235, 236–237, 239
Hyper-V Virtual Switch 235

I
identity management 273–292
  Web Application Proxy 284–290
IFM. See Install from Media
IKEv2 tunneling protocol 217
images
  base operating system 97
  creating new container 107
  for deployment 20–25
  management of
    using Docker Hub 107–108
    using Microsoft Azure 109
  managing 25
  tagging 98–99
  uninstalling operating system 98
  viewing list of available container 99
image templates. See template images
Import DHCP Policy 202
importing virtual machines 71–72
Import-Module cmdlet 165
Import-PackageProvider NanoServerPackage command 17
Import Virtual Machine wizard 72
InfiniBand 231
infrastructure master role 260
Initial Congestion Window 227
in-place upgrades 251
installation
  base operating system 97
  Docker 95–96
  FreeBSD Integration Services 69
  GUI 3
  Hyper-V 51–58
  iSCSI Target Server server role 36
  Linux Integration Services (LIS) 69
  Nano Server 14–18
  Server Core 7–8
  server roles 6
  Windows Containers 94–95
  Windows Server 2016 2–14
    activation models 11–14
    features and roles 5–6
    requirements 3
installation media
  Install from Media feature 253–256
  types of 253
Install from Media (IFM) 253–256
Install-NanoServerPackage cmdlet 18
Install-PackageProvider NanoServerPackage command 17
Install-RemoteAccess cmdlet 215
Install-WebApplicationProxy cmdlet 286
Install-WindowsFeature cmdlet 6, 40, 94, 184, 211
Institute of Electrical and Electronics Engineers (IEEE) 231
integration services
  management of 67
Internet Assigned Numbers Authority (IANA) 168, 193
Internet Storage Name Service (iSNS)
  configuration 39–40
Internet Wide Area RDMA Protocol (iWARP) 231
Intune 217. See Microsoft Intune
Invoke-Command 60
Invoke-IpamGpoProvisioning cmdlet 186
Invoke-IpamServerProvisioning cmdlet 186
I/O scheduler 23
IP Address Blocks page 196
IP addresses 103
  filtering 171
  for virtual machines 236
  RAS server 213–214
  space utilization 195–197, 199
  virtual 238
  with network virtualization 237
IP address management (IPAM) 183–208
  configuration of database storage using SQL Server 198
  DHCP management using 199–202, 204–205
  DNS management using 202–205
  DNS server properties management using 202–203
  DNS records management using 203
  DNS zone management using 203
  install and configure 183–199
  IP address space utilization monitoring 195–197
  IP blocks and ranges 193–195
  migrating existing workloads to 198
  object names 199
  provisioning 184–191
  RBAC and 204–205
  server discovery 191–193
  updating schema 198
  virtual machines 237
  with System Center Virtual Machine Manager 199
IP Address Range Groups page 196
IP address ranges 193–195, 196–197
IP Address Record Administrator Role 205
IPAM address blocks 193–195
IPAM Administrator Role 205
IPAM ASM Administrator Role 205
IPAM DHCP Administrator Role 205
IPAM DHCP Reservations Administrator Role 205
IPAM DHCP Scope Administrator Role 205
IPAM DNS Administrator Role 205
ipam_log.ldf file 198
ipam.mdf file 198
IPAM MSM Administrator Role 205
IPAMUG universal security group 186–187, 188, 190, 191
ipconfig utility 258
IPsec task offloading 84
IPv4 address blocks 193–195
IPv4 address ranges 194–195
IPv6 root hints 163, 168–169
iSCSI initiator
  configuration of 35–40
iSCSI target
  configuration of 35–40
iSCSI Target Server server role
  installation 36
isolation
  of Hyper-V containers 99–101
iterative queries 168

J
JSON file 96–97

K
Kerberos authentication 121–123
KerbProxy authentication 222
Key Management Service (KMS) 13
krbtgt account 264

L
L2 Bridge networks 105
L2 bridges 103
L2TP. See Layer Two Tunneling Protocol
Large Send Offload 86
Launch MMC 202
Layer Two Tunneling Protocol (L2TP) 215
LDAP directories 284
legal hold. See litigation hold
Linux
  deployment 22–23
  Secure Boot 70
  virtual machines 69
Linux containers
  management of 102
Linux Integration Services (LIS) 69
LIS. See Linux Integration Services
Live Migration 158
  advanced settings 122
  CredSSP and 121–123
  implementation of 115–120
  Kerberos authentication protocol for 121–123
  shared nothing 120–121
load balancing
  networks 236
Local BGP IP Address 239
Local Configuration Manager (LCM) 9
logging
  audit and analytic event 175
  diagnostic 175
logical cores 179
Logical Unit Number (LUN) 41
L2 tunnels 103

M
MAC addresses
  configuration 86–88
  spoofing 61, 104
  static 23
MAC address filters 201
MAC spoofing 86
mail flow. See also email delivery; message delivery
management tools
  Hyper-V installation 52–53
Master Boot Record (MBR) 68
master roles 260–263
MBR. See Master Boot Record
Measure-VM cmdlet 66
memory
  adding or removing, in VM 62
  dynamic 63
  Non-Uniform Memory Access 63–64
message delivery. See also email delivery
message transport. See transport
MFA. See multi-factor authentication
Microsoft Assessment and Planning (MAP) Toolkit
  assessing virtualization workloads using 24–25
Microsoft Azure
  managing container images using 109
Microsoft Encrypted Authentication version 2 (MS-CHAP v2) 216
Microsoft Hyper-V Server 2016 4. See also Hyper-V
Microsoft Intune 217
Microsoft Management Console (MMC) 55
Microsoft-NanoServer-DCB-Package option 231
Microsoft Open Source Code of Conduct 102
Microsoft Passport 2
Microsoft Passport for Work 273
Microsoft Point-to-Point Encryption (MPPE) 215
Microsoft UEFI Certificate Authority 70
migration
  of existing workloads to IPAM 198
  online 70
  to Windows Server 2016 10–11
mirror storage layout 32–34
Mobile Device Management (MDM) 5
Move-IpamDatabase cmdlet 198
mpclaim 41
MPIO devices 41
MPPE.
  See Microsoft Point-to-Point Encryption
MRM. See Messaging Records Management
multi-domain clusters 127–130
multi-factor authentication (MFA) 273, 280–281
multi-host environment
  connection types 103–104
Multi-Path IO (MPIO)
  configuration 41–42
MultiPoint Services 5
multi-site failover clusters 131
multitenant edge 218
multitenant gateways 239
multitenant NAT 239
multitenant network isolation 236–237

N
Name Resolution Policy Table (NRPT) 223
Nano Server 1, 4
  configuration and management 19–20
  deduplication and 47
  DNS deployment scenarios on 165
  Docker installation 95–96
  firewall settings 20
  installation 14–18
  MPIO on 41–42
  requirements for 15
  roles and features implementation 17–18
  usage scenarios for 15
  virtual machines and 68
  Windows Container installation 95
Nano Server Image Generator 15–16
Nano Server Package 95
Nano Server Recovery Console 19
NAT. See Network Address Translation
NAT networks 104
nested virtualization 1
  implementation of 60
  requirements for 94
netdom utility 261, 263
netlogon.dns file 258
netsh command 230
network adapter buffers 179
network adapters 23, 213, 217
  configuring multiple 88–89
  Remote Direct Memory Access (RDMA) 89–90
  RDMA support 231–232
  RSS on 229–230
  synthetic 86
  virtual 88, 89
Network Address Translation (NAT) 61, 103, 211
network configuration
  Hyper-V 82–90
    MAC addresses 86–88
    network adapters 83–85
    network isolation 84–85
    network performance optimization 85–86
    NIC teaming 88–89
    virtual switches 84–85
    vNICs 83–85
network connectivity 209–226
  Virtual Private Network 209–218
Network Controller 235, 237–238, 239
network hardware 236
network infrastructure 227–242
  high performance network solutions 228–234
    Data Center Bridging 231
    NIC Teaming 228–229
    Receive Side Scaling 229–230
    Remote Direct Memory Access 231–232
    Single-Root IO Virtualization 233–234
    SMB Multichannel 232
    Switch Embedded Teaming 228–229
    Virtual Machine Multi-Queue 233
  Software-Defined Networking 234–240
networking
  cluster 134–135
  container 103–105
    L2 Bridge networks 105
    NAT networks 104
  Software-Defined Networking 234–240
  standards 231
  transparent networks 104
network interface cards (NICs)
  virtual 83–85
Network Policy Servers (NPS) 191
networks
  load balancing 236
  Quality of Service (QoS) 231
  RDMA-based storage 236
  virtual 218
network security groups 239–240
network switch topology 86
network virtualization 236–237
Network Virtualization Generic Route Encapsulation (NVGRE) 237
New-AdfsAzureMfaTenantCertificate cmdlet 281
New-AdfsLdapAttributeToClaimMapping cmdlet 284
New-AdfsLdapServerConnection cmdlet 284
New-Cluster cmdlet 142
New-MsolServicePrincipalCredential cmdlet 281
New-NanoServerImage cmdlet 16–17
New-NetQosTrafficClass cmdlet 231
New-SRGroup cmdlet 44
New-SRPartnership cmdlet 44
New Storage Pool Wizard 136–137
New Virtual Disk Wizard 33–34
New Virtual Hard Disk Wizard 73–74
New-VMSwitch cmdlet 85
New Volume Wizard 33–34
NICs. See network interface cards (NICs)
NIC Teaming 88–89, 228–229, 235
node fairness 157
Non-Uniform Memory Access (NUMA) 63–64
Northbound API 237–238
NRPT. See Name Resolution Policy Table
NT AUTHORITY\Network Service 198
ntdsutil command line tool 254, 262

O
OAuth2 authentication 288
Office 365
  AD FS and 283
offline migration 70
offloading 86
online migration 70
operating system images
  uninstalling 98
Optimize-StoragePool cmdlet 149
Optimize-VHD cmdlet 78
Organizational Units (OUs) 244
OWA. See Outlook Web App (OWA)

P
PackageManagement provider 17
parent-child disks 76
parent domains 244
parity storage layout 32–34
pass-through disks
  configuration 77
pass-through mode
  WAP 286–287
Password Replication Policy (PRP) 264
passwords
  Directory Services Restore Mode (DSRM) 249, 265
  management, in AD FS 273
  Safe Mode Administrator Password 247
  unencrypted 216
PDC emulator role 260
performance tuning 179
PFS. See Perfect Forward Secrecy
Physical Functions 233
planned failovers 114
platform-as-a-service. See PaaS
Point-to-Point Tunneling Protocol (PPTP) 215
point-to-site VPNs 211, 239
port 443 215
port mapping 104
PowerShell
  adding disks using 35
  adding FC adapter using 81
  adding network adapters using 84
  container management using 102
  direct running of 1
  DISM in 25
  Docker installation 95
  enabling remoting in 58
  exporting and importing VMs using 72–73
  Hyper-V installation using 52
  importing 15
  MAC address configuration from 87
  management tools installation using 53
  managing virtual hard disks using 78
  NIC teaming in 89
  storage pool creation using 32–33
  Storage Replica module 44
  virtual disk creation using 33–34, 39
  virtual switches from 85
  Windows Container installation using 94
PowerShell Direct
  configuring virtual machines using 59
PPTP. See Point-to-Point Tunneling Protocol
preference settings
  for failover clustering 154–155
PreferredSite property 157
processor compatibility
  VMs and 120–121
production checkpoints 79–80
Protected Network 159
Provider Address (PA) 237
provisioning types 33–35
proxies
  web application 210
Publish New Application Wizard 289
PXE boot 83
PXE TFTP server 23

Q
Quality of Service (QoS) 231
  storage 82
query resolution policy 171
quick migration of VMs 158
quorum witnesses
  configuration of 130–134

R
RADIUS authentication 216
RADIUS server 214
RAS Gateway 210–215
  deployment scenarios 217–218
  multitenant edge 218
  single tenant edge 217, 218
  VPN options 211
  with Hyper-V Network Virtualization 239
RDG. See Remote Desktop Gateway
RDMA. See Remote Direct Memory Access
RDMA-based storage networks 236
RDMA over Converged Ethernet (RoCE) 231
RDS.
  See Remote Desktop Services
read-only domain controllers (RODCs) 243, 260, 263–267
  security features 264
Receive Side Scaling (RSS) 229–230
Recent Acknowledgement (RACK) 227
records
  support for unknown 163
recursion policies 171
recursion scope 171
recursion settings 177–178
recursive queries 168
Relying Party Trusts 275–278
Remote Access Best Practices Analyzer 223
remote access gateway (RAS Gateway) 210–215
  deployment scenarios 217–218
  multitenant edge 218
  single tenant edge 217, 218
  VPN options 211
  with Hyper-V Network Virtualization 239
Remote Access Management Console 218, 223
Remote Access server 210, 211
  authentication methods 214–215
  authentication options 216
  configuration 211–215, 219–220
  connection profiles 217
  DirectAccess and 218–223
  installation 211
  IP addresses 213–214
  network adapters 213
  VPN protocol options 215
RemoteApp, Azure. See Azure RemoteApp
remote clients
  authentication method for 214–215
Remote Desktop Connection settings 217
Remote Desktop Gateway (RDG) 290
Remote Desktop Services (RDS) 2, 217
Remote Direct Memory Access (RDMA) 89–90, 231–232
Remote Event Log Management 191
remote management
  of Hyper-V hosts 58–59
  of Server Core 8
Remote Management Firewall Settings 20
Remote Server Administration Tools (RSAT) 8, 52–53, 253
Remove Roles And Features Wizard 249
replication
  Storage Replica 143–144
Reset Zone Status option 203
resiliency layouts 32–34
Resilient File System (ReFS) 34–35, 141
resilient storage 32–34
Resize-VHD cmdlet 77, 78
resource control
  management of 106
Resource Metering
  configuration 65–66
Response Rate Limiting (RRL) 163, 173–174
restores
  on single node or cluster configuration 136
restore solutions
  deduplication and 48
Retrieve Server Data 203
Reverse CHAP protocol 38
RID master role 260
rmi parameter 102
rm parameter 105
RoCE. See RDMA over Converged Ethernet
role assignment creation 58
role-based access control (RBAC)
  delegate administration of DNS and DHCP using 204–205
rolling upgrades 1
root hints 168–169
routing 236
  dynamic 211
Routing and Remote Access MMC snap-in 211, 218
Routing and Remote Access Server Setup Wizard 211
Routing role service 210
RRAS Multitenant Gateway 235
RRL. See Response Rate Limiting
RSAT. See Remote Server Administration Tools

S
Safe Mode Administrator Password 247
SAML 2.0 273
Scale-Out File Server (SoFS) 141, 150
  implementation 142
  usage scenarios 142
sc config command 96–97
schema master role 260
sconfig.cmd command 7–8
SCP. See Service Connection Point
ScriptBlock parameter 60
second-level address translation (SLAT) 52
Secure Boot 70
Secure Socket Tunneling Protocol (SSTP) 215
security. See also passwords
security groups 186–187, 190–192
Self-Updating Options cluster role 139
Server Core
  AD DS installation on 251–253
  installation 7–8
  remote management 8
server discovery 191–193, 204
Server Manager 8
  forest installation using 245–247
  storage pool creation in 30–31
Server Message Block version 3 (SMB 3) 1
Server Migration Tools 11
server roles
  installing 6
  list of 6
  Nano Server 17, 18
server storage
  Datacenter Bridging configuration 40
  implementation of 29–44
  iSCSI target and initiator 35–40
  Multi-Path IO configuration 41–42
  server pools 34–35
  storage pools 30–32
  Storage Replica 42–44
  tiered storage 35
  virtual disks 32–34
server-to-server replication 43
service records 257–258
SET. See Switch Embedded Teaming
Set Access Scope option 203
Set-AdfsAzureMfaTenant cmdlet 281
Set-DnsServerForwarder cmdlet 166
Set-DnsServerRecursion cmdlet 177
Set-DnsServerRecursionScope cmdlet 178
Set-IpamConfiguration cmdlet 185
Set-NetAdapterVmq cmdlet 233
Set-NetOffloadGlobalSetting cmdlet 232
Set-NetQosDcbxSetting cmdlet 231
SetScript 9
Set-SmbClientConfiguration cmdlet 232
Set-SmbServerConfiguration cmdlet 232
Setup and Boot Event Collection 6
Set-VM cmdlet 79
Set-VMHost cmdlet 87, 122
Set-VMMemory cmdlet 63
Set-VMNetworkAdapter cmdlet 88, 89
Set-WebApplicationProxyApplication cmdlet 290
shared nothing migration 120–121
share permissions 189
SharePoint. See Microsoft SharePoint
ShareVirtualDisk parameter 75
sharing. See also collaboration
  external. See external users
shielded virtual machines 52
side-by-side upgrades 251
sign-ins
  customizable 273
  using third-party LDAP 273
simple storage layout 32–34
single-domain clusters 127
single-host environment
  connection types 103
Single-Root IO Virtualization (SR-IOV) 233–234
SIP addresses. See Session Initiation Protocol (SIP) addresses
site-aware clusters 157–158
site-to-site (S2S) VPNs 210–215, 217–218, 239
SLAT. See second-level address translation
SLB. See Software Load Balancing
SLB Host Agent 238
SLB Multiplexer 238
slmgr tool 12
slmgr.vbs script 13
Smart Paging
  configuration 64–65
SMB Direct 231–232
SMB Multichannel 232
SMTP. See Simple Mail Transfer Protocol
socket pools 173
Software-Defined Networking (SDN) 234–240
  deployment scenarios 235–236
  firewall policies 239–240
  Hyper-V network virtualization and 236–237
  network controller 237–238
  network requirements 235–236
  network security groups 239–240
  Windows Server Gateway 239–240
Software Load Balancing (SLB) 234, 238
solid-state drives (SSD) 35
Southbound API 237–238
SPF. See Sender Policy Framework (SPF) records
split-brain DNS 171
SQL database 198
SQL Server 198
  configuration of IPAM database storage using 198
SR-IOV 72. See Single-Root IO Virtualization
SRV records 257–258
SSTP. See Secure Socket Tunneling Protocol
static MAC addresses 23
storage
  Hyper-V configuration 73–82
  Quality of Service (QoS) 82
  VHDX shared 146–147
  with failover clustering 136–137
storage account 133–134
storage layouts 32–34
storage migration 123–126, 158
storage migration and import 70
storage pools 136
  configuration of 30–32
  expanding 34–35
Storage Replica 2
  implementation 143–144
  implementation of 44–45
  usage scenarios for 42–43
storage resiliency 145
storage sets 1
storage solutions 29–50
  data deduplication 44–47
  server storage 29–44
Storage Spaces Direct 147–150
  disaggregated, in a cluster 149
  enabling, using Windows PowerShell 148
  hyper-converged, in cluster 150–151
  usage scenarios 148
stretch clusters 42, 144–145, 157–158
Switch Embedded Teaming (SET) 90, 228–229, 231
synthetic network adapters 86
System Center 235, 239
System Center Configuration Manager 217
System Center Operations Manager 235
System Center Virtual Machine Manager (VMM) 199, 235

T
TCP checksum offload 86
TCP Fast Open (TFO) 227
TCP Tail Loss Probe (TLP) 227
Test-Cluster cmdlet 149
test failovers 114
TestScript 9
Test-SRTopology cmdlet 44
threshold settings
  for IP address utilization 197
tiered storage
  configuration of 35
time-based redirects 171
Time To Live (TTL) value 173
TPM. See Trusted Platform Module
traffic management 171
transparent networks 104
troubleshooting
  DirectAccess 223
trust claims 275–278
Trusted Platform Module (TPM) chips 3

U
UCE. See Update Compatibility Evaluator (UCE)
UdpRecvThreadCount DWORD parameter 179
UE-V.
  See User Experience Virtualization
Unattended Setup file 12
unauthenticated access 216
Unencrypted password (PAP) 216
unidirectional replication 264
Uninstall-ADDSDomainController cmdlet 250
universal security groups 186–187, 190, 191
unplanned failovers 115
Update-ClusterFunctionalLevel cmdlet 141
Update-IpamServer cmdlet 198
Upgrade Configuration Version option 71–72
upgrades
  Hyper-V 54
  paths 10–11
  rolling 1
  VMs 70–71
UsageType parameter 45

V
validation
  failover clusters 128–129
VHD file extension 68
VHD files
  creating 73–74
  shared 75
VHDX file extension 68
VHDX files
  creating 73–74
  shared 75
VHDX sharing 146–147
virtual disks
  creating 32–34
  iSCSI 36–40
  provisioning types 33–35
Virtual Extensible LAN encapsulation 234
virtual Fibre Channel (FC) adapters 80–81
Virtual Functions 233
virtual hard disks
  resizing 77–78
virtualization
  hosts 11
  Hyper-V network 236–237
  nested 1
  Single-Root IO Virtualization 233–234
  Windows Server planning for 21–22
  workload assessment 24–25
VIRTUAL_MACHINE_ACTIVATION string 12
Virtual Machine Manager (VMM)
  object names 199
  using IPAM with 199
Virtual Machine Multi-Queue (VMMQ) 233
virtual machine queue (VMQ) 84
  dynamic 86
virtual machines
  adding or removing memory 62
  adding physical hard disk to 77
  Automatic Virtual Machine Activation (AVMA) 11–12
  checkpoints 79
  configuration 62–72
    using Windows PowerShell Direct 59
  delegation of management 55–58
  Discrete Device Assignment (DDA) 72
  dynamic memory configuration 63
  enhanced session mode 68–69
  export and import 71–72
  FreeBSD 69
  Generation 1 or Generation 2 68
  integration services 67
  Linux 69
  moving and converting 70–71
  nested virtualization 60
  networking configuration 83–91
  NIC teaming 88–89
  Non-Uniform Memory Access (NUMA) 63–64
  production checkpoints 79–80
  QoS policies 82
  Resource Metering 65–66
  SCSI Controller settings for 75
  shielded 1, 52
  Smart Paging 64–65
  supported 54
  virtual Fibre Channel (FC) adapters 80–81
virtual machines (VMs)
  configure drain on shutdown 160–161
  copying 159
  exporting 159
  importing 159
  IP addresses for 236
  Live Migration of 115–120, 158
  managing, in clustered nodes 158–161
  monitoring 153
  network health protection 159
  node fairness 157
  processor compatibility 120–121
  quick migration of 158
  Receive Side Scaling on 229–230
  replication of 114–115
  resiliency 145
  shared nothing migration of 120–121
  storage migration of 123–126, 158
  System Center Virtual Machine Manager 199
  VHDX sharing 146–147
virtual network adapters 88, 89
virtual network interface cards (vNICs) 83–85
virtual networks
  creation of 218
Virtual Private Network (VPN) 209–218
  connection profiles 217
  dynamic routing 211
  point-to-site 211, 239
  protocol options 215
  site-to-site 210, 217–218, 239
  VPN Reconnect 217
Virtual Receive Side Scaling (vRSS) 86
virtual switches 84–85
Virtual Switch Manager 84–85, 86–87, 88
VLAN performance 86
VM-Generation ID 268
VMM. See Virtual Machine Manager
VMs. See virtual machines
vmwp process 100
Volume Activation Services server role 13
volumes
  creating 33–34
Volume Shadow Copy Service 79
volume sizes 34–35
  deduplication and 46
VPN. See Virtual Private Network
VPN Reconnect 217

W
WAP. See Web Application Proxy
WCE. See Windows Compatibility Evaluator
WDS. See Windows Deployment Services
Web Application Proxy Configuration Wizard 285
Web Application Proxy role service 210
Web Application Proxy (WAP) 273, 275, 284–290
  as AD FS proxy 287–288
  configuration 285–286
  configure AD FS requirements 288
  FQDN configuration 290
  HTTP to HTTPS redirects 290
  installation 285–286
  pass-through mode 286–287
  publish RDG applications via 290
  publish web apps via 289
  uses of 284
web-based applications 210
Windows Assessment and Deployment Kit (Windows ADK) 25
Windows authentication 216
Windows Containers
  base operating system 97
  configuration 94–96
  creating new images using Dockerfile 107
  deployment 93–99
  Hyper-V 94, 99–101
  image tagging 98–99
  implementation 93–112
  installation 94–95
    requirements 94
  management of 101–108
    data volumes 106–107
    images 107–108
    networking 103–105
    resource control 106
    using Docker daemon 101–102
    using Microsoft Azure 109
    using PowerShell 102
  scenarios for 94
  Windows Server 99
Windows Defender 1, 6
Windows Hello for Business 273, 274, 283
Windows Integrated Authentication 275
Windows Internal Database (WID) 185
  files 198
Windows PowerShell
  adding IP address blocks with 194
  DCB configuration using 231
  Desired State Configuration (DSC) 9–10
  enabling DirectAccess using 218
  enabling Storage Spaces Direct with 148
  forest installation using 247–248
  identifying available IP addresses with 197
  modifying DNS global settings using 179
  Server Core installation using 8
Windows Server 2008
  upgrading and migrating from 10–11
Windows Server 2012
  upgrading and migrating from 10–11
Windows Server 2016
  AD FS workloads in 275
  configuration
    Desired State Configuration (DSC) 9–10
  Docker installation 95–96
  editions 4
  features 1–2, 6
  installation 2–14
    activation models 11–14
    features and roles 5
    requirements 3
  network infrastructure 227–242
  Secure Boot 70
  server storage 29–44
  upgrades and migrations to 10–11
  virtualization planning for 21–22
Windows Server 2016 Datacenter 4
Windows Server 2016 Essentials 4
Windows Server 2016 MultiPoint Premium Server 4
Windows Server 2016 Standard 4
Windows Server Backup 48
Windows Server Core. See Server Core
Windows Server Gateway 235
  implementation scenarios 239–240
Windows Storage Server 2016 4
Windows Update 67
Windows Updates 138
workgroup clusters 127–130
World Wide Name (WWN) 80
WS-MAN protocol 121

About the author

CHARLES PLUTA is a technical consultant and Microsoft Certified Trainer (MCT) who has authored several certification exams, lab guides, and learner guides for various technology vendors. As a technical consultant, Charles has assisted small, medium, and large organizations in deploying and maintaining their IT infrastructure. He is also a speaker, staff member, or trainer at several large industry conferences every year. Charles has a degree in Computer Networking and holds more than 25 industry certifications. He makes a point of leaving the United States to travel to a different country once every year. When not working or traveling, he plays pool in Augusta, Georgia.