Best practices MOC20411D. Enjoy. Hope these help for our assessment. C.Stark.

Module 1 – Configuring and troubleshooting DNS
- Use a central forwarding DNS server for Internet name resolution. This security best practice can improve performance and simplify troubleshooting. You can locate the forwarding DNS server on a perimeter network, which ensures that no server within the network is communicating directly with the Internet.
- Conditional forwarding: use conditional forwarders if you have multiple internal namespaces. This provides faster name resolution.

Module 2 – Maintaining AD DS

Credential caching
You should observe the following best practices to ensure the most effective use of cached credentials:
- Create separate AD DS global groups for RODC (Read Only Domain Controller) credential caching.
- Do not cache passwords for domain-wide administrative accounts.

Administering AD DS
- Do not virtualize all domain controllers on the same hypervisor host or server.
- Virtual machine snapshots provide an excellent reference point or quick recovery method, but you should not use them as a replacement for regular backups. They also will not allow you to recover objects by reverting to an older snapshot.
- Use RODCs when physical security makes a writable domain controller unfeasible.
- Use the best tool for the job. Active Directory Users and Computers (ADUC) is the most commonly used tool for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center (ADAC) for performing large-scale tasks or those tasks that involve multiple objects. You can also use the Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated administrative tasks.
- Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be invaluable in saving time when recovering accidentally deleted objects in AD DS.
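The two Module 2 credential-caching practices (a dedicated group pair per RODC, and no caching of administrative accounts) applied to an RODC's Password Replication Policy with the ActiveDirectory module. This is an added example, not course material; the RODC name RODC01, the OU path, the two cache groups and the admin groups placed in the deny list are all constructed.

```powershell
# Added example (not from the MOC 20411D course): RODC Password Replication Policy (PRP)
# per the Module 2 credential-caching best practices. Constructed names: RODC01, the OU
# 'OU=RODC Groups,DC=corp,DC=example', and the groups referenced below.
Import-Module ActiveDirectory

$rodc       = 'RODC01'
$allowGroup = 'RODC01-Allowed-Cache'   # accounts whose secrets MAY be cached on this RODC
$denyGroup  = 'RODC01-Denied-Cache'    # accounts whose secrets must NEVER reach this RODC
$groupOU    = 'OU=RODC Groups,DC=corp,DC=example'

# One allow/deny pair per RODC keeps each site's cached population independent,
# so compromising one RODC exposes only the accounts deliberately scoped to it.
foreach ($name in $allowGroup, $denyGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}

# Your own domain-wide admin groups go in the deny group (constructed names). Built-in
# groups such as Domain Admins are already covered by the default
# "Denied RODC Password Replication Group". A deny entry always wins over an allow entry.
Add-ADGroupMember -Identity $denyGroup -Members 'Tier0-Admins', 'Helpdesk-Admins'

# Link both groups to the RODC's PRP.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  $denyGroup

# Verification: the effective PRP, then which accounts have actually had secrets revealed
# to this RODC. Any privileged account in that last list is a finding to investigate.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```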
Module 3 – Managing User and Server Accounts

Module 4 – Implementing a Group Policy Infrastructure

Module 5 – Managing User Desktops with Group Policy

Best practices related to Group Policy management:
- Include comments on GPO settings.
- Use a central store for Administrative templates when client computers run Windows Vista or newer.
- Use Group Policy preferences to configure settings that are not available in the policy settings.
- Use Group Policy software installation to deploy packages in .msi format to a large number of users or computers.

Module 6 – Installing, Configuring and Troubleshooting the Network Policy Server Role

Module 7 – Implementing Network Access Protection

Module 8 – Implementing Remote Access
- Although DirectAccess was present in the earlier Windows 7 and Windows Server 2008 R2 editions, Windows 8 introduces new features for improved manageability, ease of deployment, and improved scale and performance.
- Monitoring of the environment is now much easier with Windows PowerShell, Windows Management Instrumentation (WMI) and GUI monitoring, along with the Network Connectivity Assistant on the client side.
- One of the best enhancements is that DirectAccess can now access IPv4 servers on your network; your servers do not need to have IPv6 addresses to be exposed through DirectAccess, because your DirectAccess server acts as a proxy.
- For ease of deployment, you do not need to have IP addresses on the Internet-facing network. Therefore, this is a good scenario for a proof of concept. However, if you are concerned about security and if you want to integrate with Network Access Protection (NAP), you still need two public addresses.
- Consider integrating DirectAccess with your existing remote access solution, because Windows Server 2012 can implement the DirectAccess server behind a NAT device, which is the most common remote access server solution for organizations.
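The Module 5 best practice of a central store for Administrative templates, set up and checked from an administrative workstation. This is an added example, not course material; it assumes the domain name corp.example and that the workstation's local PolicyDefinitions folder holds the reference .admx/.adml set you want every administrator to use.

```powershell
# Added example (not from the course): create the Group Policy central store in SYSVOL so that
# every GPMC console loads the same ADMX/ADML set. Constructed domain name: corp.example.
$domain = 'corp.example'
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'      # reference templates on this machine
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path -Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}
# Copy the .admx files plus every language subfolder (for example en-US with the .adml files).
# SYSVOL replication then delivers the store to every domain controller.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# Check: each .admx needs a matching .adml in at least one language folder, otherwise the
# Group Policy Management Editor loads the template without readable setting names.
$admx = Get-ChildItem -Path $store -Filter '*.admx' -File
$adml = Get-ChildItem -Path $store -Filter '*.adml' -File -Recurse |
    Select-Object -ExpandProperty BaseName -Unique
$missing = $admx | Where-Object { $_.BaseName -notin $adml }

'{0} templates in the central store, {1} without a language file' -f $admx.Count, $missing.Count
$missing | Select-Object -ExpandProperty Name
```

Once the folder exists, the Group Policy Management Editor reports "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store", which confirms it is no longer reading the local machine's templates.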
Module 9 – Optimizing File Services
- Use quota templates to control and monitor the amount of data that groups store.
- Use file classification to identify and provide more granular control over certain types of data.
- Do not use DFS (Distributed File System) for files that may be accessed by different people simultaneously. DFS is best suited for static files or one-way replication scenarios.
- Data deduplication can help reduce the amount of storage space consumed by similar files.

Module 10 – Configuring Encryption and Advanced Auditing

Module 11 – Deploying and Maintaining Server Images

Module 12 – Implementing Update Management

Module 13 – Monitoring Windows Server 2012
- Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on proactively detecting potential failures or performance issues.
- When monitoring, estimate the baseline of system utilization for each server. This will help you determine whether the system is performing well or is overused.

Module Review and Takeaway Questions and Answers

Module 1 – Configuring and troubleshooting DNS

Q) You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure be resistant to single points of failure. What must you consider while planning the DNS configuration?
A)
- How many DNS zones will you configure on the server, and how many DNS records will each zone contain?
- How many DNS clients will be communicating with the server on which you configure the DNS role?
- Where will you place the DNS servers? That is, will you place the servers centrally, or does it make more sense to locate DNS servers in branch offices?

Q) What is the difference between recursive and iterative queries?
A) Recursive queries – A recursive query is a query made by a DNS client to a DNS server. The DNS client service waits while the DNS server retrieves the answer.
There are two possible results to a recursive query:
- The recursive query returns the IP address of the requested host.
- The DNS server cannot resolve an IP address.
Iterative queries – An iterative query is a query made by a DNS server for information it has either in its zone or in cache. Iterative queries provide a mechanism for accessing domain-name information that resides across the DNS system, and enable servers to resolve names quickly and efficiently across many servers.

Q) You are the administrator of a Windows Server 2012 DNS environment. Your company recently acquired another company. You want to replicate their primary DNS zone. The acquired company is using Berkeley Internet Name Domain (BIND) 4.9.4 to host its primary DNS zones. You notice a significant amount of traffic between the Windows Server 2012 DNS server and the BIND server. What is one possible reason for this?
A) BIND 4.9.4 does not support IXFR (Incremental Zone Transfer). Each time a change occurs in the BIND zone, it has to replicate the entire zone to the computer that is running Windows Server 2012 to remain updated.

Q) You must automate a DNS server configuration process so that you can automate the deployment of Windows Server 2012. What DNS tool can you use to do this?
A) Dnscmd.exe can be used for this.

Module 2 – Maintaining AD DS

Q) Which AD DS objects should have their credentials cached on an RODC located in a remote location?
A) Typically, you would cache credentials that require authentication to AD DS for user, service and computer accounts on an RODC located remotely.

Q) What benefits does Active Directory Administrative Center (ADAC) provide over Active Directory Users and Computers (ADUC)?
A) Active Directory Administrative Center (ADAC) is built on Windows PowerShell, so you can perform tasks on a larger scale with more flexibility. Windows PowerShell provides more granular control and parameters than many of the GUI-based tools.
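The Module 1 design (one central forwarder on the perimeter network, conditional forwarders for additional internal namespaces) scripted the way the Dnscmd.exe answer above suggests, but using the DnsServer PowerShell module available on Windows Server 2012 instead of Dnscmd. This is an added example, not course material; all addresses, server names and zone names are constructed.

```powershell
# Added example (not from the course): Module 1 name-resolution design with the DnsServer module
# (the scriptable alternative to Dnscmd.exe). Constructed values: 192.0.2.10 is the perimeter
# forwarding server, 10.0.0.5 an internal DNS server, 10.20.0.5 the DNS server of a second
# internal namespace, lab.corp.example.
Import-Module DnsServer

$perimeterForwarder = '192.0.2.10'
$internalServer     = '10.0.0.5'

# Internal DNS servers send everything they cannot answer to the perimeter forwarder only.
# UseRootHint $false stops them from falling back to root hints, so no internal server ever
# talks to the Internet itself; the perimeter firewall then only needs port 53 open for 192.0.2.10.
Set-DnsServerForwarder -ComputerName $internalServer -IPAddress $perimeterForwarder -UseRootHint $false

# A second internal namespace gets a conditional forwarder (stored in AD and replicated
# forest-wide), which answers faster than a round trip through the central forwarder.
Add-DnsServerConditionalForwarderZone -ComputerName $internalServer -Name 'lab.corp.example' `
    -MasterServers '10.20.0.5' -ReplicationScope 'Forest'

# Review the result. The perimeter forwarder is the only server that should keep recursion
# enabled, because it resolves Internet names on behalf of the others.
Get-DnsServerForwarder -ComputerName $internalServer | Select-Object IPAddress, UseRootHint
Get-DnsServerZone -ComputerName $internalServer | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers
Get-DnsServerRecursion -ComputerName $perimeterForwarder | Select-Object Enable, SecureResponse

# Functional check: an Internet name must resolve through the forwarder chain, the lab name
# through the conditional forwarder. -DnsOnly bypasses the local cache and hosts file.
Resolve-DnsName -Name 'www.example.com'       -Server $internalServer -DnsOnly
Resolve-DnsName -Name 'host.lab.corp.example' -Server $internalServer -DnsOnly
```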
You also can use Active Directory Administrative Center to administer components like Active Directory Recycle Bin and fine-grained password policies, unlike Active Directory Users and Computers.

Module 3 – Managing User and Server Accounts

Q) In what scenarios could users have multiple PSOs (Password Settings Objects) applied to their accounts without actually having PSOs linked to their accounts?
A) PSOs can be linked to groups. If a user is a member of one or more groups to which PSOs are linked, any PSOs applied to those groups will be linked to the user account. However, only the PSO with the lowest precedence value will apply its settings to a user’s account.

Q) What benefit do managed service accounts provide compared to standard user accounts when used for services?
A) Managed service accounts provide managed password changes that do not require administrator intervention.

Q) Why would you use secpol.msc to configure local account policy settings for a computer running the Windows Server 2012 operating system instead of using domain-based Group Policy account policy settings?
A) Secpol.msc is applied to local user accounts and, as its name implies, it is only relevant to your particular local machine.

Module 4 – Implementing a Group Policy Infrastructure

Q) You have assigned a logon script to an OU via Group Policy. The script is in a shared network folder named Scripts. Some users in the OU receive the script, whereas others do not. What might be the cause?
A) Security permissions might be the problem. If some users do not have read access to the shared network folder where the scripts are stored, they will not be able to apply the policy. Security filtering on GPOs might also be the cause of this problem.

Q) What GPO settings apply across slow links by default?
A) Registry policy and security policy apply even when a slow link is detected. You cannot change this setting.
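The Module 3 PSO answer above, worked through with the ActiveDirectory module: two PSOs linked to groups, a user who is in both groups and has no PSO linked directly, and the resultant policy showing that the lowest precedence value wins. This is an added example, not course material; the user jdoe, the groups Sales and Finance-Admins, and both PSOs are constructed.

```powershell
# Added example (not from the course): group-linked PSOs and precedence resolution.
# Constructed objects: user 'jdoe', a member of the global groups 'Sales' and 'Finance-Admins'.
Import-Module ActiveDirectory

# Every attribute below is mandatory on a Password Settings Object, so they are set on both PSOs.
$common = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordAge              = '1.00:00:00'
    LockoutDuration             = '00:30:00'
    LockoutObservationWindow    = '00:30:00'
}
# Precedence: the LOWER number wins when several group-linked PSOs reach the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Sales' -Precedence 200 -MinPasswordLength 10 `
    -PasswordHistoryCount 12 -MaxPasswordAge '90.00:00:00' -LockoutThreshold 10 @common
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedUsers' -Precedence 10 -MinPasswordLength 15 `
    -PasswordHistoryCount 24 -MaxPasswordAge '60.00:00:00' -LockoutThreshold 5 @common

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Sales'           -Subjects 'Sales'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedUsers' -Subjects 'Finance-Admins'

# jdoe has no PSO linked directly, yet both PSOs apply through group membership.
# The resultant policy is the one with the lowest precedence value: PSO-PrivilegedUsers.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review check: every PSO with its subjects, lowest precedence first. A PSO linked directly to
# a user object beats any group-linked PSO regardless of precedence, so direct user links
# (ObjectClass user in AppliesTo) deserve a second look.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        AppliesTo  = ($_.AppliesTo | ForEach-Object {
                          $o = Get-ADObject -Identity $_
                          '{0} ({1})' -f $o.Name, $o.ObjectClass
                      }) -join ', '
    }
} | Sort-Object Precedence
```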
Q) You need to ensure that a domain-level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish that?
A) Set the link to enforced at the domain level, and use security group filtering to deny the Apply Group Policy permission to the Administrators group.

Module 5 – Managing User Desktops with Group Policy

Q) Why can some Group Policy settings take two logons before going into effect?
A) Users typically log on with cached credentials. Credential caching occurs before Group Policy is applied to the current session. The settings take effect at the next logon. However, by enabling the Always wait for the network at computer startup and logon policy setting, you can ensure that Group Policy settings take effect on the first logon.

Q) How can you support Group Policy preferences on Windows XP?
A) You must download and install the Group Policy client-side extensions for Group Policy preferences.

Q) What is the benefit of having a central store?
A) A central store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are required for administering Group Policy. After you have set up the central store, the Group Policy Management Editor recognizes it, and then loads all Administrative templates from the central store instead of from the local machine.

Q) What is the main difference between Group Policy settings and Group Policy preferences?
A) Group Policy settings enforce settings on the client side and disable the client interface for modification of the settings that were configured. Group Policy preferences, however, configure settings and allow the user to modify them.

Q) What is the difference between publishing and assigning software through Group Policy?
A) If you assign software to a user or computer, it will be installed without asking users whether they want to install it. Publishing software allows the user to decide whether to install it.
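A troubleshooting check for the two causes named in the Module 4 logon-script answer (security filtering on the GPO, and read access to the Scripts share), which are also the mechanism behind the security-group filtering answer above. This is an added example, not course material; the GPO name, the share \\fs01\Scripts and the user jdoe are constructed.

```powershell
# Added example (not from the course): why only some users in an OU receive a logon script.
# Constructed names: GPO 'Sales Logon Script', share \\fs01\Scripts, user 'jdoe'.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Sales Logon Script'
$share   = '\\fs01\Scripts'
$user    = 'jdoe'

# Cause 1: security filtering. Only trustees holding GpoApply (and not Denied) receive the GPO.
$applyEntries = Get-GPPermission -Name $gpoName -All | Where-Object { $_.Permission -eq 'GpoApply' }
$applyEntries | Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission, Denied

# Does this user hold GpoApply directly, through a direct group, or via Authenticated Users?
# Get-ADPrincipalGroupMembership returns direct memberships only; nested groups are not expanded.
$groups   = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty SamAccountName
$trustees = @($groups) + @($user, 'Authenticated Users')
$granted  = $applyEntries | Where-Object { -not $_.Denied -and $_.Trustee.Name -in $trustees }
$denied   = $applyEntries | Where-Object { $_.Denied -and $_.Trustee.Name -in $trustees }
'{0}: GpoApply granted={1} denied={2}' -f $user, [bool]$granted, [bool]$denied

# Cause 2: read access to the script location. Both the share permission and the NTFS ACL
# must grant at least Read to the user or to a group the user belongs to.
Get-SmbShareAccess -Name 'Scripts' -CimSession 'fs01' |
    Select-Object AccountName, AccessControlType, AccessRight
(Get-Acl -Path $share).Access |
    Where-Object { $_.FileSystemRights -match 'Read' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# On an affected client, the user-side report lists every GPO that was filtered out and why:
#   gpresult /r /scope:user
```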
Q) Can you use Windows PowerShell scripts as startup scripts?
A) Only computers that are running the Windows Server 2008 R2 operating system or newer, or the Windows 7 operating system or newer, can run Windows PowerShell scripts as startup scripts.

Module 6 – Installing, Configuring and Troubleshooting the Network Policy Server Role

Q) How can you make the most effective use of the NPS logging features?
A) You can make the most effective use of the NPS logging features by performing the following tasks:
- Turn on logging initially for both authentication and accounting records. Modify these selections after you determine what is appropriate for your environment.
- Ensure that you configure event logging with sufficient capacity to maintain your logs.
- Back up all log files on a regular basis, because you cannot recreate them when they become damaged or are deleted.
- Use the RADIUS Class attribute to track usage and simplify the identification of which department or user to charge for usage. Although the Class attribute, which is automatically generated, is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to track usage accurately.
- To provide failover and redundancy with Microsoft SQL Server logging, place two computers that are running Microsoft SQL Server on different subnets. Use the Microsoft SQL Server Create Publication Wizard to configure database replication between the two servers.

Q) What consideration must you follow if you choose to use a nonstandard port assignment for RADIUS traffic?
A) If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall for the local computer to allow RADIUS traffic on the new ports.

Q) Why must you register the NPS server in AD DS?
A) When NPS is a member of an Active Directory domain, NPS performs authentication by comparing user credentials that it receives from network access servers (NASs) with the user-account credentials that AD DS stores. NPS authorizes connection requests by using network policy and by checking user-account dial-in properties in AD DS. You must register the NPS server in AD DS to have permission to access user-account credentials and dial-in properties.

Module 7 – Implementing Network Access Protection

Q) What are the three main client configurations that you need to configure for most NAP deployments?
A) Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center. The Network Access Protection service is required when you deploy NAP to NAP-capable client computers. You also must configure the NAP enforcement clients on the NAP-capable computers.

Q) You want to evaluate the overall health and security of the NAP-enforced network. What do you need to do to start recording NAP events?
A) NAP trace logging is disabled by default, but you should enable it if you want to troubleshoot NAP-related problems or evaluate the overall health and security of your organization’s computers. You can use the NAP Client Management console or the Netsh command-line tool to enable logging functionality.

Q) On a client computer, what steps must you perform to ensure that its health is assessed?
A) You must perform the following steps to ensure that it can be assessed for health:
- Enable the NAP enforcement client.
- Enable the Security Center.
- Start the NAP Agent service.

Module 8 – Implementing Remote Access

Q) What remote access solutions can you deploy by using Windows Server 2012 R2?
A) In Windows Server 2012 R2, you can deploy the following remote access solutions: DirectAccess, VPN, routing, and Web Application Proxy.

Q) What are the main benefits of using DirectAccess for providing remote connectivity?
A) The main benefits of using DirectAccess for providing remote connectivity are as follows:
- Always-on connectivity. When the user is connected to the Internet, the user is also connected to the intranet.
- A user has the same experience regardless of whether he or she is connected locally or remotely.
- Bidirectional access. When the client computer is accessing the intranet, the computer is also connected to and managed by the administrators.
- Improved security. Administrators can set and control the intranet resources that are accessible through DirectAccess.

Q) How do you configure DirectAccess clients?
A) To configure DirectAccess clients, use Group Policy. When you use the Configure Remote Access Wizard to configure DirectAccess, two GPOs are created and linked to the domain. These two GPOs define DirectAccess-related settings and are applied to the DirectAccess clients.

Q) How does the DirectAccess client determine if it is connected to the intranet or the Internet?
A) When you configure the DirectAccess server, you need to define the computer that will be the network location server. The network location server should be a highly available web server. Based on the response from this web server, the DirectAccess client determines whether it is connected to the intranet or the Internet.

Q) What is the benefit of an NRPT?
A) An NRPT (Name Resolution Policy Table) stores a list of DNS namespaces and their corresponding configuration settings. These settings define the DNS server to contact and the DNS client behavior for that namespace.

Q) What type of remote access solutions can you provide by using VPN in Windows Server 2012?
A) You can configure the following remote access solutions by using VPN in Windows Server 2012:
- Secure remote access to internal network resources for users located on the Internet. The users act as VPN clients that connect to Windows Server 2012, which in turn acts as a VPN server.
- Secure communication between network resources located in different geographical locations or sites. This solution is called site-to-site VPN. In each site, Windows Server 2012 acts as a VPN server that encrypts communication between the sites.

Q) What type of applications can you publish by using Web Application Proxy in Windows Server 2012 R2?
A) Web Application Proxy in Windows Server 2012 R2 is a role service that you can use for publishing web applications. You can choose between two types of pre-authentication for web applications:
- AD FS pre-authentication, which uses AD FS for web applications that use claims-based authentication.
- Pass-through pre-authentication, where a user is connected to the web application through Web Application Proxy, and the user is authenticated by the web application.

Module 9 – Optimizing File Services

Q) How do FSRM templates for quotas and file screens provide a more efficient FSRM management experience?
A) Templates enable administrators to create quotas and file screens quickly, based on predefined templates. You also can use templates to manage child quotas in a one-to-many manner. To change the file size for several quotas created from the template, you only need to change the template.

Q) Why does DFS Replication make a more efficient replication platform than FSRM?
A) DFS Replication uses an advanced delta-based heuristic, which only replicates modified portions of the file system, whereas FSRM always replicates the complete file. DFS Replication also uses remote differential compression (RDC) to reduce replication-based network traffic.

Module 10 – Configuring Encryption and Advanced Auditing

Q) Some users are encrypting files that are stored on network shares to protect them from other departmental users with file system permissions to those files. Is this an effective way to prevent users from viewing and modifying those files?
A) Yes. Unauthorized users cannot open or modify an EFS-encrypted file.
By default, only the user who encrypted the file and the recovery agent can decrypt the file.

Q) Why might EFS be considered a problematic encryption method in a widely distributed network file server environment?
A) EFS encryption is based primarily on personal certificates, which are commonly stored in a user profile. The ability to decrypt files relies strictly on access to the certificate in the profile or access to a data recovery agent, which might not be available. This will depend on the computer the user is logging on to.

Q) You have configured an audit policy by using Group Policy to apply to all of the file servers in your organization. After enabling the policy and confirming that the Group Policy settings are being applied, you discover that audit events are not being recorded in the event logs. What is the most likely reason for this?
A) To audit file access, you must configure files or folders to audit specific events. If you do not do so, the audit events will not be recorded.

Q) You need to encrypt the data of a folder that is used by the HR department on a shared computer. Three different people need to read and modify the data in the folder. Should you use EFS or BitLocker to encrypt the data?
A) Because only a single folder will be encrypted, EFS is the right choice. EFS can encrypt a single folder and will meet the requirement of having multiple people work with the data.

Module 11 – Deploying and Maintaining Server Images

Q) Windows Deployment Services supports two types of multicast transmission. Which type is suitable for minimizing total network traffic during deployment to a fixed number of clients?
A) Scheduled-Cast is configured so that it waits for a threshold number of clients before starting and deploying to them simultaneously, which makes it better for a fixed number of clients. This is especially true if deployment occurs at different times for different computers. Auto-Cast loops around while client computers are connected.
If clients do not connect simultaneously, the Windows Deployment Services server transmits the image multiple times. This may consume large amounts of network bandwidth.

Q) How is Windows ADK useful for Windows Deployment Services deployments?
A) Windows ADK provides tools such as ImageX.exe, Sysprep.exe, and Windows SIM that enable you to manage images for use by Windows Deployment Services. For example, you can use Windows SIM to create and configure answer files for automating Windows Deployment Services deployments. You also can use Sysprep to generalize a capture image for Windows Deployment Services. Additionally, Windows ADK provides a number of Windows PE images and management tools.

Q) What steps are necessary to automate the end-to-end deployment process?
A) The following steps are required to automate the end-to-end deployment process:
1. Configure your PXE boot policy to Always Continue PXE boot.
2. Configure a default boot image.
3. Create and associate an answer file for your Windows Deployment Services client file.
4. Create and associate an answer file for an install image.
5. Configure clients to boot first from hard disk and then from PXE, to avoid a boot loop.
6. If necessary, configure multicast transmission.

Module 12 – Implementing Update Management

Q) Your manager has asked if all updates to the Windows operating system should be applied automatically when they are released. Do you recommend an alternative process?
A) An alternative process could be testing the updates before they are approved, declining them if they are not needed, and removing them if they cause problems.

Q) Your organization implements several applications that are not Microsoft applications. A colleague has proposed using WSUS to deploy application and operating system updates. Are there any potential issues with using WSUS?
A) Some potential issues are:
- Computers not appearing in WSUS.
This results from a misconfiguration of the client computer or a GPO that is not applied to the client computer.
- WSUS server stops with a full database. When this happens, you will notice a SQL Server dump (SQLDumpnnnn.txt) in the LOG folder for SQL Server. This is usually due to index corruption in the database. You may need help from a SQL Server DBA to recreate the indexes, or you may simply need to re-install WSUS to fix the problem.
- You cannot connect to WSUS. Verify network connectivity. Ensure that the client can connect to the ports used by WSUS, using the Telnet client utility.
- Other problems. Consider using the server diagnostics tool and the client diagnostics tool available from Microsoft.

Q) Why is WSUS easier to manage in an Active Directory Domain Services domain?
A) Because you have one place to manage it instead of multiple.

Module 13 – Monitoring Windows Server 2012

Q) What significant counters should you use to monitor in Performance Monitor?
A)
- Primary processor counters – This counter measures the percentage of elapsed time the processor spends executing a non-idle thread.
- Primary memory counters – The memory performance object consists of counters that describe the behaviour of the computer's physical and virtual memory.
- Primary disk counters – The physical disk performance object consists of counters that monitor hard or fixed disk drives.
- Primary network counters – Most workloads require access to production networks to ensure communication with other applications and services, and to communicate with users.

Q) Why is it important to monitor server performance periodically?
A) To determine whether the system is performing well or is overused.

Q) Why should you use performance alerts?
A) You should use performance alerts because they notify you when certain events occur or when certain performance thresholds are reached.
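The missing piece from the Module 10 audit question: the Group Policy setting turns the File System audit subcategory on, but events are only generated for files and folders that carry an audit entry (SACL). This added example, not course material, adds such an entry to a constructed folder D:\HRData and then reads back the resulting events; it assumes it runs elevated on the file server.

```powershell
# Added example (not from the course): put a SACL on a folder so the audit policy that Group
# Policy already enabled produces events. Constructed path: D:\HRData. Run elevated
# (reading or writing a SACL requires the Manage auditing and security log right).
$folder = 'D:\HRData'

# 1. Confirm the policy side first: the File System subcategory must show Success/Failure here.
auditpol /get /subcategory:"File System"

# 2. Build an audit rule: Everyone, write/delete/permission-change attempts, success and
#    failure, inherited by all subfolders and files.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)

# 3. Apply it. Get-Acl only carries the SACL when called with -Audit.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Verify the SACL is in place.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 5. Detection side: event 4663 (an attempt was made to access an object) now appears in the
#    Security log for matching accesses. Property index 1 is the subject user name, 6 the object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$folder*" } |
    Select-Object TimeCreated,
                  @{n='User';   e={$_.Properties[1].Value}},
                  @{n='Object'; e={$_.Properties[6].Value}},
                  @{n='Access'; e={$_.Properties[8].Value.Trim()}} -First 10
```

Auditing success for Write on a busy share generates a large volume of 4663 events, so size the Security log (or forward it) before enabling success auditing broadly; failure-only auditing is the lower-noise starting point.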
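The Module 13 advice to take a utilization baseline per server and then alert on thresholds, using one counter from each of the four families listed above. This is an added example, not course material; the threshold values are constructed for illustration and should be replaced by figures derived from your own baseline.

```powershell
# Added example (not from the course): baseline the four Module 13 counter families, then
# compare a fresh sample against thresholds. Threshold values are constructed placeholders.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer',
    '\Network Interface(*)\Bytes Total/sec'
)

# Baseline: 12 samples, 5 seconds apart (one minute). Run this during representative load,
# and repeat at different times of day, before treating the averages as "normal".
$samples  = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12
$baseline = $samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 3)
            Maximum = [math]::Round($stats.Maximum, 3)
        }
    }
$baseline | Format-Table -AutoSize

# Thresholds keyed by counter name (hashtable keys are case-insensitive, which matters because
# Get-Counter returns paths in lower case). No threshold for network throughput: judge it
# against the baseline rather than a fixed number.
$limits = @{
    '% Processor Time'       = { param($v) $v -gt 85 }      # sustained CPU above 85 %
    'Available MBytes'       = { param($v) $v -lt 512 }     # less than 512 MB free
    'Avg. Disk sec/Transfer' = { param($v) $v -gt 0.025 }   # disk latency above 25 ms
}

# One fresh sample of every counter, checked against the thresholds.
$now = (Get-Counter -Counter $counters).CounterSamples
foreach ($s in $now) {
    $name = ($s.Path -split '\\')[-1]
    if ($limits.ContainsKey($name) -and (& $limits[$name] $s.CookedValue)) {
        Write-Warning ('{0} = {1} exceeds threshold' -f $s.Path, [math]::Round($s.CookedValue, 3))
    }
}
```

For continuous alerting, the same counters and thresholds go into a Performance Monitor data collector set with alert actions; this script is the one-off check that tells you which thresholds are worth configuring there.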