Microsoft Windows Server 2012 Inside OUT

The ultimate, in-depth reference
Hundreds of timesaving solutions
Supremely organized, packed with expert advice
Companion eBook

Conquer Windows Server administration—from the inside out!

Dive in—and discover how to really put Windows Server 2012 to work! This supremely organized reference packs the details you need to plan and manage a Windows Server 2012 implementation—including hundreds of timesaving solutions, troubleshooting tips, and workarounds. Learn how the experts tackle Windows Server 2012—and challenge yourself to new levels of mastery. Topics include:

• Managing Windows Server 2012 systems
• Storage and file systems
• TCP/IP networking
• DHCP and DNS
• Active Directory
• Group Policy
• Security and access
• Troubleshooting hardware
• Performance monitoring and tuning
• Backup and recovery

  • Thanks for this wonderful sharing,
    Keep Sharing & Help the world in Learning Microsoft Technology..

Microsoft Windows Server 2012 Inside OUT Presentation Transcript

  • 1. About the Author
    Mike Halsey is a Microsoft MVP for Windows Expert-Consumer and the author of many Windows books including Troubleshooting Windows 7 Inside Out. He is also an editor for technology websites and has extensive experience providing IT support to both new and advanced computer users.
    microsoft.com/mspress
    You’re beyond the basics, so dive right into optimizing Windows 8—and really put your PC or tablet to work! This supremely organized reference packs hundreds of timesaving solutions, troubleshooting tips, and workarounds. It’s all muscle and no fluff. Discover how the experts keep their Windows 8 systems running smoothly—and challenge yourself to new levels of mastery.
    • Take control of Windows 8 maintenance and security features
    • Apply best practices to prevent problems before they occur
    • Help combat viruses, malware, and identity theft with expert advice
    • Master quick fixes to the most common issues
    • Extend the life of your hardware with clean-ups and repairs
    • Diagnose and repair more-complex problems with step-by-step guidance
    • Back up your system and data, and prepare a disaster recovery plan
    Operating Systems/Windows
    ISBN: 978-0-7356-7080-8
    U.S.A. $49.99
    Canada $51.99
    [Recommended]
    Stanek
    Windows Server 2012 Inside OUT
    The ultimate, in-depth reference
    Hundreds of timesaving solutions
    Supremely organized, packed with expert advice
    Companion eBook
    Windows Server® 2012
    Troubleshoot and Optimize Windows 8
    William R. Stanek
    Award-winning author and Windows administration expert
    Conquer system tuning, repair, and problem solving—from the inside out!
    Inside OUT
    For Intermediate and Advanced Users
  • 2. PUBLISHED BY
    Microsoft Press
    A Division of Microsoft Corporation
    One Microsoft Way
    Redmond, Washington 98052-6399
    Copyright © 2013 by William R. Stanek
    All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
    Library of Congress Control Number: 2012955900
    ISBN: 978-0-7356-6631-3
    Printed and bound in the United States of America.
    First Printing
    Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at mspinput@microsoft.com. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey.
    Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
    The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.
    This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
    Acquisitions Editor: Anne Hamilton
    Developmental Editor: Karen Szall
    Project Editor: Karen Szall
    Editorial Production: Waypoint Press
    Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
    Copyeditor: Roger LeBlanc
    Indexer: Christina Yeager
    Cover: Microsoft Press Brand Team
  • 3. To my readers—Windows Server 2012 Inside Out is my 40th book for Microsoft Press. Thank you for being there with me through many books and many years.
    To my wife—for many years, through many books, many millions of words, and many thousands of pages she’s been there, providing support and encouragement and making every place we’ve lived a home.
    To my kids—for helping me see the world in new ways, for having exceptional patience and boundless love, and for making every day an adventure.
    To Anne, Karen, Martin, Lucinda, Juliana, and many others who’ve helped out in ways both large and small.
    —William R. Stanek
  • 4. Contents at a Glance
    Part 1: Windows Server 2012 Overview
      Chapter 1: Introducing Windows Server 2012
      Chapter 2: Deploying Windows Server 2012
      Chapter 3: Boot configuration
    Part 2: Managing Windows Server 2012 Systems
      Chapter 4: Managing Windows Server 2012
      Chapter 5: Windows Server 2012 MMC administration
      Chapter 6: Configuring roles, role services, and features
      Chapter 7: Managing and troubleshooting hardware
      Chapter 8: Managing the registry
      Chapter 9: Software and User Account Control administration
      Chapter 10: Performance monitoring and tuning
      Chapter 11: Comprehensive performance analysis and logging
    Part 3: Managing Windows Server 2012 Storage and File Systems
      Chapter 12: Storage management
      Chapter 13: TPM and BitLocker Drive Encryption
      Chapter 14: Managing file systems and storage
      Chapter 15: File sharing and security
      Chapter 16: Managing file screening and storage reporting
      Chapter 17: Backup and recovery
    Part 4: Managing Windows Server 2012 Networking and Domain Services
      Chapter 18: Networking with TCP/IP
      Chapter 19: Managing TCP/IP networking
      Chapter 20: Managing DHCP
      Chapter 21: Architecting DNS infrastructure
      Chapter 22: Implementing and managing DNS
      Chapter 23: Implementing and maintaining WINS
  • 5. Part 5: Managing Active Directory and Security
      Chapter 24: Active Directory architecture
      Chapter 25: Designing and managing the domain environment
      Chapter 26: Organizing Active Directory
      Chapter 27: Configuring Active Directory sites and replication
      Chapter 28: Implementing Active Directory Domain Services
      Chapter 29: Deploying read-only domain controllers
      Chapter 30: Managing users, groups, and computers
      Chapter 31: Managing Group Policy
      Chapter 32: Active Directory site administration
  • 6. Table of Contents
    Introduction
      Conventions
      How to reach the author
      Errata & book support
      We want to hear from you
      Stay in touch
    Part 1: Windows Server 2012 Overview
    Chapter 1: Introducing Windows Server 2012
      Getting to know Windows Server 2012
      Windows 8 and Windows Server 2012
      Planning for Windows Server 2012
      Your plan: The big picture
      Identifying your organizational teams
      Assessing project goals
      Analyzing the existing network
      Defining objectives and scope
      Defining the new network environment
      Final considerations for planning and deployment
      Thinking about server roles and Active Directory
      Planning for server usage
      Designing the Active Directory namespace
      Managing domain trusts
      Identifying the domain and forest functional level
      Defining Active Directory server roles
    What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey
  • 7. Planning for availability, scalability, and manageability
      Planning for software needs
      Planning for hardware needs
    Chapter 2: Deploying Windows Server 2012
      Getting a quick start
      Product licensing
      Preparing for a Windows Server 2012 installation
      Understanding installation options
      Determining which installation type to use
      Using Windows Update
      Preinstallation tasks
      Installing Windows Server 2012
      Installation on BIOS-based systems
      Installation on EFI-based systems
      Planning partitions
      Naming computers
      Network and domain membership options
      Performing a clean installation
      Performing an upgrade installation
      Activation sequence
      Performing additional administration tasks during installations
      Accessing a command prompt during installation
      Forcing disk-partition removal during installation
      Loading mass storage drivers during installation
      Creating, deleting, and extending disk partitions during installation
      Troubleshooting installation
      Start with the potential points of failure
      Continue past lockups and freezes
      Postinstallation tasks
    Chapter 3: Boot configuration
      Boot from hardware and firmware
      Hardware and firmware power states
      Diagnosing hardware and firmware startup problems
      Resolving hardware and firmware startup problems
      Boot environment essentials
      Managing startup and boot configuration
      Managing startup and recovery options
      Managing System Boot Configuration
      Working with BCD Editor
  • 8. Managing the Boot Configuration Data store and its entries
      Viewing BCD entries
      Creating and identifying the BCD data store
      Importing and exporting the BCD data store
      Creating, copying, and deleting BCD entries
      Setting BCD entry values
      Changing Data Execution Prevention and physical address extension options
      Changing the operating system display order
      Changing the default operating system entry
      Changing the default timeout
      Changing the boot sequence temporarily
    Part 2: Managing Windows Server 2012 Systems
    Chapter 4: Managing Windows Server 2012
      Working with the administration tools
      Using Control Panel utilities
      Using graphical administrative tools
      Using command-line utilities
      Working with Server Manager
      Getting to know Server Manager
      Adding servers for management
      Creating server groups
      Enabling remote management
      Working with Computer Management
      Computer Management system tools
      Computer Management storage tools
      Computer Management Services And Applications tools
      Using Control Panel
      Using the Folder Options utility
      Using the System console
      Customizing the desktop and the taskbar
      Configuring desktop items
      Configuring the taskbar
      Optimizing toolbars
      Displaying custom toolbars
      Creating personal toolbars
      Using Remote Desktop
      Remote Desktop essentials
      Configuring Remote Desktop
      Supporting Remote Desktop Connection clients
      Tracking who’s logged on
  • 9. Chapter 5: Windows Server 2012 MMC administration
      Using the MMC
      MMC snap-ins
      MMC modes
      MMC window and startup
      MMC tool availability
      MMC and remote computers
      Building custom MMCs
      Step 1: Creating the console
      Step 2: Adding snap-ins to the console
      Step 3: Saving the finished console
      Designing custom taskpads for the MMC
      Getting started with taskpads
      Understanding taskpad view styles
      Creating and managing taskpads
      Creating and managing tasks
      Publishing and distributing your custom tools
    Chapter 6: Configuring roles, role services, and features
      Using roles, role services, and features
      Making supplemental components available
      Installing components with Server Manager
      Viewing configured roles and role services
      Managing server roles and features
      Managing server binaries
      Installing components at the prompt
      Going to the prompt for Server Management
      Understanding component names
      Tracking installed roles, role services, and features
      Installing components at the prompt
      Removing components at the prompt
    Chapter 7: Managing and troubleshooting hardware
      Understanding hardware installation changes
      Choosing internal devices
      Choosing external devices
      Installing devices
      Understanding device installation
      Installing new devices
      Viewing device and driver details
      Working with device drivers
      Device driver essentials
      Understanding and troubleshooting driver signing
  • 10. Viewing driver Information
      Viewing Advanced, Resources, and other settings
      Installing and updating device drivers
      Restricting device installation using Group Policy
      Rolling back drivers
      Removing device drivers for removed devices
      Uninstalling, reinstalling, and disabling device drivers
      Managing hardware
      Adding non–Plug and Play, legacy hardware
      Enabling and disabling hardware
      Troubleshooting hardware
      Resolving resource conflicts
    Chapter 8: Managing the registry
      Introducing the registry
      Understanding the registry structure
      Registry root keys
      HKEY_LOCAL_MACHINE
      HKEY_USERS
      HKEY_CLASSES_ROOT
      HKEY_CURRENT_CONFIG
      HKEY_CURRENT_USER
      Registry data: How it is stored and used
      Where registry data comes from
      Types of registry data available
      Registry administration
      Searching the registry
      Modifying the registry
      Modifying the registry of a remote machine
      Importing and exporting registry data
      Loading and unloading hive files
      Working with the registry from the command line
      Backing up and restoring the registry
      Maintaining the registry
      Using the Microsoft Fix It Utility
      Removing registry settings for active installations that have failed
      Removing partial or damaged settings for individual applications
      Securing the registry
      Preventing access to the registry utilities
      Applying permissions to registry keys
      Controlling remote registry access
      Auditing registry access
  • 11.
Chapter 9: Software and User Account Control administration ... 349
Software installation essentials ... 349
Mastering User Account Control ... 353
Elevation, prompts, and the secure desktop ... 353
Configuring UAC and Admin Approval Mode ... 356
Maintaining application integrity ... 359
Application access tokens ... 359
Application run levels ... 362
Configuring run levels ... 364
Controlling application installation and run behavior ... 366
Chapter 10: Performance monitoring and tuning ... 369
Tuning performance, memory usage, and data throughput ... 369
Tuning Windows operating system performance ... 369
Tuning processor scheduling ... 370
Tuning virtual memory ... 371
Other important tuning, memory, and data considerations ... 375
Tracking a system’s general health ... 377
Monitoring essentials ... 378
Getting processor and memory usage for troubleshooting ... 381
Getting information on running applications ... 388
Monitoring and troubleshooting processes ... 391
Monitoring and troubleshooting services ... 397
Getting network usage information ... 400
Getting information on user and remote user sessions ... 402
Tracking events and troubleshooting by using Event Viewer ... 405
Understanding the event logs ... 405
Accessing the event logs and viewing events ... 408
Viewing event logs on remote systems ... 413
Sorting, finding, and filtering events ... 414
Archiving event logs ... 418
Tracking events using Windows PowerShell ... 419
Using subscriptions and forwarded events ... 422
Chapter 11: Comprehensive performance analysis and logging ... 425
Establishing performance baselines ... 426
Tracking per-process resource usage ... 427
Tracking the overall reliability of the server ... 436
Comprehensive performance monitoring ... 439
Using Performance Monitor ... 439
Selecting performance objects and counters to monitor ... 441
Choosing views and controlling the display ... 443
Monitoring performance remotely ... 446
  • 12.
Resolving performance bottlenecks ... 448
Resolving memory bottlenecks ... 448
Resolving processor bottlenecks ... 451
Resolving disk I/O bottlenecks ... 452
Resolving network bottlenecks ... 454
Performance logging ... 457
Viewing data collector reports ... 467
Configuring performance counter alerts ... 470
Monitoring performance from the command line ... 471
Analyzing trace logs at the command line ... 475
Part 3 Managing Windows Server 2012 Storage and File Systems
Chapter 12: Storage management ... 479
Essential storage technologies ... 479
Using internal and external storage devices ... 480
Storage-management features and tools ... 483
Storage-management role services ... 487
Booting from SANs, and using SANs with clusters ... 492
Working with SMB 3.0 ... 493
Installing and configuring file services ... 496
Configuring the File And Storage Services role ... 497
Configuring multipath I/O ... 500
Meeting performance, capacity, and availability requirements ... 505
Configuring Hyper-V ... 507
Configuring storage ... 514
Using the Disk Management tools ... 514
Adding new disks ... 519
Using the MBR and GPT partition styles ... 521
Using the disk storage types ... 525
Creating and managing virtual hard disks for Hyper-V ... 529
Converting FAT or FAT32 to NTFS ... 531
Working with removable disks ... 533
Managing MBR disk partitions on basic disks ... 533
Creating partitions and simple volumes ... 534
Formatting a partition, logical drive, or volume ... 538
Configuring drive letters ... 539
Configuring mount points ... 541
Extending partitions ... 543
Shrinking partitions ... 546
Deleting a partition, logical drive, or volume ... 549
  • 13.
Managing GPT disk partitions on basic disks ... 549
ESP ... 549
MSR partitions ... 550
Primary partitions ... 551
LDM metadata and LDM data partitions ... 552
OEM or unknown partitions ... 552
Managing volumes on dynamic disks ... 552
Creating a simple or spanned volume ... 553
Configuring RAID 0: Striping ... 555
Recovering a failed simple, spanned, or striped disk ... 556
Moving dynamic disks ... 556
Configuring RAID 1: Disk mirroring ... 558
Mirroring boot and system volumes ... 559
Configuring RAID 5: Disk striping with parity ... 564
Breaking or removing a mirrored set ... 565
Resolving problems with mirrored sets ... 565
Repairing a mirrored system volume ... 567
Resolving problems with RAID-5 sets ... 568
Chapter 13: TPM and BitLocker Drive Encryption ... 569
Working with trusted platforms ... 569
Managing TPM ... 571
Understanding TPM states and tools ... 571
Managing TPM owner authorization information ... 574
Preparing and initializing a TPM for first use ... 576
Turning an initialized TPM on or off ... 580
Clearing the TPM ... 580
Changing the TPM owner password ... 582
Introducing BitLocker Drive Encryption ... 583
BitLocker essentials ... 583
BitLocker modes ... 584
BitLocker changes ... 587
Using hardware encryption, secure boot, and Network Unlock ... 588
Hardware encrypted drives ... 588
Optimizing encryption ... 589
Setting permitted encryption types ... 591
Preparing BitLocker for startup authentication and secure boot ... 593
Using Network Unlock ... 594
Provisioning BitLocker prior to deployment ... 596
Deploying BitLocker Drive Encryption ... 596
Setting up and managing BitLocker Drive Encryption ... 601
Configuring and enabling BitLocker Drive Encryption ... 602
Determining whether a computer has BitLocker-encrypted volumes ... 605
Enabling BitLocker on fixed data drives ... 606
  • 14.
Enabling BitLocker on removable data drives ... 608
Enabling BitLocker on operating-system volumes ... 611
Managing and troubleshooting BitLocker ... 615
Chapter 14: Managing file systems and storage ... 621
Understanding the disk and file-system structure ... 621
Using FAT ... 625
File allocation table structure ... 625
FAT features ... 626
Using NTFS ... 628
NTFS structures ... 629
NTFS features ... 633
Analyzing the NTFS structure ... 634
Advanced NTFS features ... 637
Hard links ... 637
Data streams ... 638
Change journals ... 640
Object identifiers ... 643
Reparse points ... 644
Sparse files ... 645
Transactional NTFS ... 647
Using ReFS ... 649
ReFS features ... 649
ReFS structures ... 651
ReFS advantages ... 653
ReFS integrity streams, data scrubbing, and salvage ... 654
Using file-based compression ... 656
NTFS compression ... 656
Compressed (zipped) folders ... 659
Managing disk quotas ... 661
How quota management works ... 661
Configuring disk quotas ... 663
Customizing quota entries for individual users ... 665
Managing disk quotas after configuration ... 668
Exporting and importing quota entries ... 671
Automated disk maintenance ... 672
Preventing disk-integrity problems ... 672
Running Check Disk interactively ... 675
Analyzing FAT volumes by using ChkDsk ... 678
Analyzing NTFS volumes by using ChkDsk ... 678
Repairing volumes and marking bad sectors by using ChkDsk ... 679
Automated optimization of disks ... 680
Preventing fragmentation of disks ... 680
Fixing fragmentation by using Optimize Drives ... 682
Understanding the fragmentation analysis ... 686
  • 15.
Managing storage spaces ... 689
Storage essentials ... 689
Using and configuring offloaded transfers ... 691
Working with available storage ... 694
Creating storage pools and allocating space ... 696
Creating storage spaces ... 697
Creating a virtual disk in a storage space ... 700
Creating a standard volume ... 702
Configuring data deduplication ... 704
Chapter 15: File sharing and security ... 715
File-sharing essentials ... 716
Understanding file-sharing models ... 716
Enabling file sharing ... 717
Using and finding shares ... 719
Hiding and controlling share access ... 723
Special and administrative shares ... 724
Accessing shares for administration ... 726
Creating and publishing shared folders ... 726
Creating shares by using File Explorer ... 727
Creating shares by using Computer Management ... 731
Creating shared folders in Server Manager ... 735
Changing shared folder settings ... 741
Publishing shares in Active Directory ... 741
Managing share permissions ... 742
Understanding share permissions ... 743
Configuring share permissions ... 744
Managing access permissions ... 748
File and folder ownership ... 749
Permission inheritance for files and folders ... 750
Configuring access permissions ... 752
Troubleshooting permissions ... 761
Managing file shares after configuration ... 763
Managing claims-based access controls ... 765
Understanding central access policies ... 766
Enabling dynamic controls and claims-based policy ... 766
Defining central access policies ... 768
Auditing file and folder access ... 770
Enabling basic auditing for files and folders ... 771
Enabling advanced auditing ... 773
Specifying files and folders to audit ... 775
Extending access policies to auditing ... 779
Monitoring the security logs ... 781
  • 16.
Shadow copy essentials ... 781
Using shadow copies of shared folders ... 781
How shadow copies works ... 782
Implementing Shadow Copies for Shared Folders ... 784
Managing shadow copies in Computer Management ... 786
Configuring shadow copies in Computer Management ... 786
Maintaining shadow copies after configuration ... 790
Reverting an entire volume ... 791
Configuring shadow copies at the command line ... 792
Enabling shadow copying from the command line ... 792
Create manual snapshots from the command line ... 793
Viewing shadow copy information ... 793
Deleting snapshot images from the command line ... 795
Disabling shadow copies from the command line ... 796
Reverting volumes from the command line ... 796
Chapter 16: Managing file screening and storage reporting ... 797
Understanding file screening and storage reporting ... 797
Managing file screening and storage reporting ... 802
Managing global file-resource settings ... 802
Managing the file groups to which screens are applied ... 812
Managing file-screen templates ... 813
Creating file screens ... 816
Defining file-screening exceptions ... 817
Scheduling and generating storage reports ... 817
Chapter 17: Backup and recovery ... 821
Disaster-planning strategies ... 821
Developing contingency procedures ... 822
Implementing problem-escalation and response procedures ... 823
Creating a problem-resolution policy document ... 824
Disaster preparedness procedures ... 826
Performing backups ... 826
Repairing startup ... 827
Setting startup and recovery options ... 828
Developing backup strategies ... 830
Creating your backup strategy ... 831
Backup strategy considerations ... 831
Selecting the optimal backup techniques ... 833
Understanding backup types ... 835
Using media rotation and maintaining additional media sets ... 836
  • 17.
Backing up and recovering your data ... 837
Using the backup utility ... 838
Backing up your data ... 840
Scheduling backups ... 841
Performing a one-time backup ... 846
Tracking scheduled and manual backups ... 850
Recovering your data ... 852
Recovering the system state ... 857
Restoring the operating system and the full system ... 858
Backing up and restoring Active Directory ... 859
Backup and recovery strategies for Active Directory ... 860
Performing a nonauthoritative restore of Active Directory ... 861
Performing an authoritative restore of Active Directory ... 863
Restoring Sysvol data ... 866
Restoring a failed domain controller by installing a new domain controller ... 866
Troubleshooting startup and shutdown ... 868
Resolving startup issues ... 868
Repairing missing or corrupted system files ... 870
Resolving restart or shutdown issues ... 871
Part 4: Managing Windows Server 2012 Networking and Domain Services
Chapter 18: Networking with TCP/IP ... 875
Navigating networking in Windows Server 2012 ... 875
Using TCP/IP ... 880
Understanding IPv4 addressing ... 883
Unicast IPv4 addresses ... 883
Multicast IPv4 addresses ... 886
Broadcast IPv4 addresses ... 887
Special IPv4 addressing rules ... 888
Using subnets and subnet masks ... 890
Subnet masks ... 890
Network prefix notation ... 891
Subnetting ... 892
Understanding IP data packets . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897Getting and using IPv4 addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898Understanding IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900Understanding name resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903Windows Internet Naming Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906Link-Local Multicast Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
  • 18. Table of Contents
    Chapter 19: Managing TCP/IP networking
    Installing TCP/IP networking
    Preparing for installation of TCP/IP networking
    Installing network adapters
    Installing networking services (TCP/IP)
    Configuring TCP/IP networking
    Configuring static IP addresses
    Configuring dynamic IP addresses and alternate IP addressing
    Configuring multiple IP addresses and gateways
    Configuring DNS resolution
    Configuring WINS resolution
    Managing network connections
    Checking the status, speed, and activity for network connections
    Viewing network configuration information
    Enabling and disabling network connections
    Renaming network connections
    Troubleshooting and testing network settings
    Diagnosing and resolving network connection problems
    Diagnosing and resolving Internet connection problems
    Performing basic network tests
    Diagnosing and resolving IP addressing problems
    Diagnosing and resolving routing problems
    Releasing and renewing DHCP settings
    Diagnosing and fixing name-resolution issues
    Chapter 20: Managing DHCP
    DHCP essentials
    DHCPv4 and autoconfiguration
    DHCPv6 and autoconfiguration
    DHCP security considerations
    DHCP and IPAM
    Planning DHCPv4 and DHCPv6 implementations
    DHCPv4 messages and relay agents
    DHCPv6 messages and relay agents
    DHCP availability and fault tolerance
    Setting up DHCP servers
    Installing the DHCP Server service
    Authorizing DHCP servers in Active Directory
    Creating and configuring scopes
    Activating scopes
    Scope exclusions
    Scope reservations
    Creating and using failover scopes
  • 19. Table of Contents
    Configuring TCP/IP options
    Levels of options and their uses
    Policy-based assignment
    Options used by Windows clients
    Using user-specific and vendor-specific TCP/IP options
    Settings options for all clients
    Settings options for RRAS and NAP clients
    Setting add-on options for directly connected clients
    Defining classes to get different option sets
    Advanced DHCP configuration and maintenance
    Monitoring DHCP audit logging
    Binding the DHCP Server service to a network interface
    Integrating DHCP and DNS
    Integrating DHCP and NAP
    Enabling conflict detection on DHCP servers
    Saving and restoring the DHCP configuration
    Managing and maintaining the DHCP database
    Setting up DHCP relay agents
    Configuring and enabling Routing And Remote Access
    Adding and configuring the DHCP relay agent
    Chapter 21: Architecting DNS infrastructure
    DNS essentials
    Planning DNS implementations
    Public and private namespaces
    Name resolution using DNS
    Understanding DNS devolution
    DNS resource records
    DNS zones and zone transfers
    Secondary zones, stub zones, and conditional forwarding
    Integration with other technologies
    Security considerations
    DNS queries and security
    DNS dynamic updates and security
    External DNS name resolution and security
    Architecting a DNS design
    Split-brain design: Same internal and external names
    Separate-name design: Different internal and external names
    Securing DNS from attacks
    Chapter 22: Implementing and managing DNS
    Installing the DNS Server service
    Using DNS with Active Directory
    Using DNS without Active Directory
    DNS setup
  • 20. Table of Contents
    Configuring DNS using the wizard
    Configuring a small network using the Configure A DNS Server Wizard
    Configuring a large network using the Configure A DNS Server Wizard
    Configuring DNS zones, subdomains, forwarders, and zone transfers
    Creating forward lookup zones
    Creating reverse lookup zones
    Configuring forwarders and conditional forwarding
    Configuring subdomains and delegating authority
    Configuring zone transfers
    Configuring secondary notification
    Deploying DNSSEC
    DNSSEC essentials
    Securing zones with digital signatures
    Signing a zone
    Adding resource records
    Host Address (A and AAAA) and Pointer (PTR) records
    Canonical Name (CNAME) records
    Mail Exchanger (MX) records
    Name Server (NS) records
    Start of Authority (SOA) records
    Service Location (SRV) records
    Deploying global names
    Maintaining and monitoring DNS
    Configuring default application directory partitions and replication scope
    Setting the aging and scavenging rules
    Configuring logging and checking DNS Server logs
    Troubleshooting the DNS client service
    Try reregistering the client
    Check the client’s TCP/IP configuration
    Check the client’s resolver cache
    Perform lookups for troubleshooting
    Troubleshooting the DNS Server service
    Check the server’s TCP/IP configuration
    Check the server’s cache
    Check replication to other name servers
    Examine the configuration of the DNS server
    Examine zones and zone records
    Chapter 23: Implementing and maintaining WINS
    WINS essentials
    NetBIOS namespace and scope
    NetBIOS node types
    WINS name registration and cache
  • 21. Table of Contents
    WINS implementation details
    Setting up WINS servers
    Configuring replication partners
    Replication essentials
    Configuring automatic replication partners
    Using designated replication partners
    Configuring and maintaining WINS
    Configuring burst handling
    Checking server status and configuration
    Checking active registrations and scavenging records
    Maintaining the WINS database
    Enabling WINS lookups through DNS
    Part 5: Managing Active Directory and Security
    Chapter 24: Active Directory architecture
    Active Directory physical architecture
    Active Directory physical architecture: A top-level view
    Active Directory within the Local Security Authority
    Directory service architecture
    Data store architecture
    Active Directory logical architecture
    Active Directory objects
    Active Directory domains, trees, and forests
    Active Directory trusts
    Active Directory namespaces and partitions
    Active Directory data distribution
    Chapter 25: Designing and managing the domain environment
    Design considerations for Active Directory replication
    Design considerations for Active Directory search and global catalogs
    Searching the tree
    Accessing the global catalog
    Designating global catalog servers
    Designating replication attributes
    Design considerations for compatibility
    Understanding domain functional level
    Understanding forest functional level
    Raising or lowering the domain or forest functional level
    Design considerations for Active Directory authentication and trusts
    Universal groups and authentication
    NTLM and Kerberos authentication
    Authentication and trusts across domain boundaries
  • 22. Table of Contents
    Authentication and trusts across forest boundaries
    Examining domain and forest trusts
    Establishing external, shortcut, realm, and cross-forest trusts
    Verifying and troubleshooting trusts
    Delegating authentication
    Delegated authentication essentials
    Configuring delegated authentication
    Design considerations for Active Directory operations masters
    Operations master roles
    Using, locating, and transferring the Schema Master role
    Using, locating, and transferring the domain naming master role
    Using, locating, and transferring the relative ID master role
    Using, locating, and transferring the PDC emulator role
    Using, locating, and transferring the infrastructure master role
    Seizing operations master roles
    Chapter 26: Organizing Active Directory
    Creating an Active Directory implementation or update plan
    Developing a forest plan
    Forest namespace
    A single forest vs. multiple forests
    Forest administration
    Developing a domain plan
    Domain design considerations
    A single domain vs. multiple domains
    Forest root domain design configurations
    Changing domain design
    Developing an organizational unit plan
    Using organizational units
    Using OUs for delegation
    Using OUs for Group Policy
    Creating an OU design
    Chapter 27: Configuring Active Directory sites and replication
    Working with Active Directory sites
    Single site vs. multiple sites
    Replication within and between sites
    Determining site boundaries
    Understanding Active Directory replication
    Tracking Active Directory replication changes over time
    Tracking Active Directory system volume changes over time
    Replication architecture: An overview
    Intersite replication essentials
  • 23. Table of Contents
    Replication rings and directory partitions
    Developing or revising a site design
    Mapping network infrastructure
    Creating a site design
    Chapter 28: Implementing Active Directory Domain Services
    Preinstallation considerations for Active Directory
    Hardware and configuration considerations for domain controllers
    Configuring Active Directory for fast recovery with storage area networks
    Connecting clients to Active Directory
    Installing Active Directory Domain Services
    Active Directory installation options and issues
    Using the Active Directory Domain Services Configuration Wizard
    Performing an Active Directory installation from media
    Cloning virtualized domain controllers
    Using clones of virtualized domain controllers
    Creating a clone virtualized domain controller
    Finalizing the clone deployment
    Troubleshooting the clone deployment
    Uninstalling Active Directory
    Creating and managing organizational units
    Creating an OU
    Setting OU properties
    Creating or moving accounts and resources for use with an OU
    Delegating the administration of domains and OUs
    Understanding delegation of administration
    Delegating administration
    Chapter 29: Deploying read-only domain controllers
    Introducing read-only domain controllers
    Design considerations for read-only replication
    Installing RODCs
    Preparing for an RODC installation
    Installing an RODC
    Installing an RODC from media
    Staging an RODC
    Managing Password Replication Policy
    Working with Password Replication Policy
    Allowing or denying accounts in Password Replication Policy
    Viewing and managing credentials on an RODC
    Determining whether an account is allowed or denied access
    Resetting credentials
    Delegating administrative permissions
  • 24. Chapter 30: Managing users, groups, and computers
Managing domain user accounts
Configuring user account policies
Creating Password Settings Objects and applying secondary settings
Understanding user account capabilities, privileges, and rights
Assigning user rights
Creating and configuring domain user accounts
Configuring account options
Configuring profile options
Troubleshooting user accounts
Maintaining user accounts
Deleting user accounts
Disabling and enabling user accounts
Moving user accounts
Renaming user accounts
Resetting a user’s domain password
Unlocking user accounts
Creating a user account password backup
Managing groups
Understanding groups
Creating a group
Adding members to groups
Deleting a group
Modifying groups
Managing computer accounts
Creating a computer account in Active Directory
Joining computers to a domain
Moving a computer account
Disabling a computer account
Deleting a computer account
Managing a computer account
Resetting a computer account
Troubleshooting computer accounts
Recovering deleted accounts
Enabling Active Directory Recycle Bin
Recovering objects from the recycle bin

Chapter 31: Managing Group Policy
Understanding Group Policy
Local and Active Directory Group Policy
Group Policy settings
Group Policy architecture
Administrative templates
  • 25. Implementing Group Policy
Working with Local Group Policy
Working with Group Policy Management Console
Working with the default Group Policy Objects
Managing Group Policy through delegation
Managing GPO creation rights
Reviewing Group Policy management privileges
Delegating Group Policy management privileges
Delegating privileges for links and RSoP
Managing Group Policy inheritance and processing
Group Policy inheritance
Changing link order and precedence
Overriding inheritance
Blocking inheritance
Enforcing inheritance
Filtering Group Policy application
Group Policy processing
Modifying Group Policy processing
Modifying user policy preference using loopback processing
Using scripts in Group Policy
Configuring computer startup and shutdown scripts
Configuring user logon and logoff scripts
Applying Group Policy through security templates
Working with security templates
Applying security templates
Maintaining and troubleshooting Group Policy
Group Policy refresh
Modifying Group Policy refresh
Viewing applicable GPOs and the last refresh
Modeling GPOs for planning
Refreshing Group Policy manually
Backing up GPOs
Restoring GPOs
Fixing default Group Policy

Chapter 32: Active Directory site administration
Managing sites and subnets
Creating an Active Directory site
Creating a subnet and associating it with a site
Associating domain controllers with a site
Managing site links and intersite replication
Understanding IP and SMTP replication transports
Creating a site link
  • 26. Configuring replication schedules for site links
Configuring site-link bridges
Determining the ISTG
Configuring site bridgehead servers
Configuring advanced site-link options
Monitoring and troubleshooting replication
Using the Replication Administrator
Using PowerShell to monitor and troubleshoot replication
Monitoring replication
Modifying intersite replication for testing

Index to troubleshooting topics
Index

What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey
  • 27. Introduction

Welcome to Windows Server 2012 Inside Out. As the author of many popular technology books, I’ve been writing professionally about Windows and Windows Server since 1994. Over the years, I’ve gained a unique perspective—the kind of perspective you can gain only after working with technologies for many years. The advantage for you, the reader, is that my solid understanding of these technologies allowed me to dig into the Windows Server 2012 architecture, internals, and configuration to see how things really work under the hood and then pass this information on to you throughout this book.

From top to bottom, Windows Server 2012 is substantially different from earlier versions of Windows Server. Not only are there major changes throughout the operating system, but this just might be the first version of Windows Server that you manage using a touch-based user interface. If you do end up managing it this way, mastering the touch-based UI and the revised interface options will be essential for your success. For this reason, I discuss both the touch UI and the traditional mouse and keyboard techniques throughout this book.

When you are working with touch UI–enabled computers, you can manipulate onscreen elements in ways that weren’t possible previously. You can enter text using the onscreen keyboard and manipulate onscreen elements in the following ways:

• Tap: Tap an item by touching it with your finger. A tap or double-tap of elements on the screen generally is the equivalent of a mouse click or double-click.
• Press and hold: Press your finger down, and leave it there for a few seconds. Pressing and holding elements on the screen generally is the equivalent of a right-click.
• Swipe to select: Slide an item a short distance in the opposite direction of how the page scrolls. This selects the items and also might bring up related commands. If pressing and holding doesn’t display commands and options for an item, try swiping to select instead.
• Swipe from edge (slide in from edge): Starting from the edge of the screen, swipe or slide in. Sliding in from the right edge opens the Charms panel. Sliding in from the left edge shows open apps and allows you to easily switch between them. Sliding in from the top or bottom edge shows commands for the active element.
  • 28.
• Pinch: Touch an item with two or more fingers, and then move those fingers toward each other. Pinching zooms in or shows less information.
• Stretch: Touch an item with two or more fingers, and then move those fingers away from each other. Stretching zooms out or shows more information.

In this book, I teach you how server roles, role services, and features work; why they work the way they do; and how to customize them to meet your needs. Regardless of your job title, if you’re deploying, configuring, managing, or maintaining Windows Server 2012, this book is for you. To pack in as much information as possible, I had to assume that you have basic networking skills and a basic understanding of Windows Server, and that you are familiar with Windows commands and procedures. With this in mind, I don’t devote entire chapters to basic skills or why you want to use Windows Server. Instead, I focus on configuration, security, auditing, storage management, performance analysis, performance tuning, troubleshooting, and much more.

Conventions

The following conventions are used in this book:

• Abbreviated menu commands: For your convenience, this book uses abbreviated menu commands. For example, “Tap or click Tools, Track Changes, Highlight Changes” means that you should tap or click the Tools menu, select Track Changes, and then tap or click the Highlight Changes command.
• Boldface type: Boldface type is used to indicate text that you enter or type.
• Initial Capital Letters: The first letters of the names of menus, dialog boxes, dialog box elements, and commands are capitalized. Example: the Save As dialog box.
• Italicized type: Italicized type is used to indicate new terms.
• Plus sign (+) in text: Keyboard shortcuts are indicated by a plus sign (+) separating two key names. For example, Ctrl+Alt+Delete means that you press the Ctrl, Alt, and Delete keys at the same time.
  • 29. How to reach the author

Email: williamstanek@aol.com
Web: http://www.williamrstanek.com/
Facebook: https://www.facebook.com/William.Stanek.Author
Twitter: http://twitter.com/williamstanek

Errata & book support

We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed on our Microsoft Press site at oreilly.com:

http://go.microsoft.com/FWLink/?Linkid=275534

If you find an error that is not already listed, you can report it to us through the same page. If you need additional support, email Microsoft Press Book Support at mspinput@microsoft.com.

Please note that product support for Microsoft software is not offered through the addresses above.

We want to hear from you

At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at:

http://www.microsoft.com/learning/booksurvey

The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input!

Stay in touch

Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.
  • 30. PART 1: Windows Server 2012 Overview
CHAPTER 1 Introducing Windows Server 2012
CHAPTER 2 Deploying Windows Server 2012
CHAPTER 3 Boot configuration
  • 31. CHAPTER 1 Introducing Windows Server 2012

Windows Server 2012 is Microsoft’s most powerful, versatile, and fully featured server operating system yet. If you’ve been using Windows Server operating systems for a while, I think you’ll be impressed. Why? For starters, Windows Server 2012 includes a significantly enhanced operating system kernel, the NT 6.2 kernel. Because this kernel is also used by Windows 8, the two operating systems share a common code base and many common features, enabling you to readily apply what you know about Windows 8 to Windows Server 2012.

In Windows Server 2012, Microsoft delivers a server operating system that is something more than the sum of its parts. Windows Server 2012 isn’t just a server operating system or a network operating system. It is a best-of-class operating system with the foundation technologies necessary to provide networking, application, web, and cloud-based services that can be used anywhere within your organization. From top to bottom, Windows Server 2012 is dramatically different from earlier releases of Windows Server operating systems—so much so that it has an entirely new interface as well.

The way you approach Windows Server 2012 will depend on your background and your implementation plans. If you are moving to Windows Server 2012 from an early Windows server operating system or switching from UNIX, you’ll find that Windows Server 2012 is a significant change that requires a whole new way of thinking about the networking, application services, and interoperations between clients and servers. The learning curve will be steep, but you will find clear transition paths to Windows Server 2012. You will also find that Windows Server 2012 has an extensive command-line interface that makes it easier to manage servers, workstations, and, indeed, the entire network, using both graphical and command-line administration tools.

If you are moving from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012, you’ll find the changes are no less significant but easier to understand. You are already familiar with the core technologies and administration techniques. Your learning curve might still be steep, but in only some areas, not all of them.

Getting to know Windows Server 2012
Windows 8 and Windows Server 2012
Planning for Windows Server 2012
Thinking about server roles and Active Directory
Planning for availability, scalability, and manageability
  • 32. You can adopt Windows Server 2012 incrementally as well. For example, you might add Windows Server 2012 Print And Document Services and Windows Server 2012 File And Storage Services to allow the organization to take advantage of the latest enhancements and capabilities without having to implement a full transition of existing servers. In most, but not all, cases, incremental adoption has little or no impact on the network, while allowing the organization to test new technologies and incrementally roll out features to users as part of a standard continuance or upgrade process.

Regardless of your deployment plans and whether you are reading this book to prepare for implementation of Windows Server 2012 or to manage existing implementations, my mission in this book is to help you take full advantage of all the features in Windows Server 2012. You will find the detailed inside information you need to get up to speed quickly with Windows Server 2012 changes and technologies, to make the right setup and configuration choices the first time, and to work around the rough edges, annoyances, and faults of this complex operating system. If the default settings are less than optimal, I’ll show you how to fix them so that things work the way you want them to work. If something doesn’t function like it should, I’ll let you know and I’ll also show you the fastest, surest way to work around the issue. You’ll find plenty of hacks and secrets, too.

To pack as much information as possible into the 1500-plus pages of this book, I am assuming that you have basic networking skills and some experience managing Windows-based networks but that you don’t need me to explain the basic structure and architecture of an operating system. So, I’m not going to waste your time answering such questions as, “What’s the point of networks?”, “Why use Windows Server 2012?”, or “What’s the difference between the GUI and the command line?” Instead, I’ll start with a discussion of what Windows Server 2012 has to offer so that you can learn about changes that will most affect you, and then I’ll follow this discussion with a comprehensive, informative look at Windows Server 2012 planning and installation.

Getting to know Windows Server 2012

A primary purpose of Windows Server 2012 is to ensure that the operating system can be optimized for use in small, medium, and large enterprises. An edition of the server operating system is available to meet your organization’s needs whether you want to deploy a basic server for hosting applications, a network server for hosting domain services, a robust enterprise server for hosting essential applications, or a highly available datacenter server for hosting critical business solutions.

Windows Server 2012 is available for production use only on 64-bit hardware. 64-bit computing has changed substantially since it was first introduced for Windows operating systems. Not only do computers running 64-bit versions of Windows perform better and run faster than their 32-bit counterparts, they are also more scalable because they
  • 33. can process more data per clock cycle, address more memory, and perform numeric calculations faster. The primary 64-bit architecture supported by Windows Server 2012 is based on 64-bit extensions to the x86 instruction set, which is implemented in AMD64 processors, Intel Xeon processors with 64-bit extension technology, and other processors. This architecture offers native 32-bit processing and 64-bit extension processing, allowing simultaneous 32-bit and 64-bit computing.

INSIDE OUT: Running 32-bit applications on 64-bit hardware

In most cases, 64-bit hardware is compatible with 32-bit applications; however, 32-bit applications typically perform better on 32-bit hardware. Windows Server 2012 64-bit editions support both 64-bit and 32-bit applications using the Windows on Windows 64 (WOW64) x86 emulation layer. The WOW64 subsystem isolates 32-bit applications from 64-bit applications. This prevents file system and registry problems. The operating system provides interoperability across the 32-bit/64-bit boundary for Component Object Model (COM) and basic operations, such as cut, copy, and paste from the clipboard. However, 32-bit processes cannot load 64-bit dynamic-link libraries (DLLs), and 64-bit processes cannot load 32-bit DLLs.

64-bit computing is designed for performing operations that are memory-intensive and that require extensive numeric calculations. With 64-bit processing, applications can load large data sets entirely into physical memory (that is, RAM), which reduces the need to page to disk and increases performance substantially.

Note: In this text, I typically refer to 32-bit systems designed for x86 architecture as 32-bit systems and 64-bit systems designed for x64 architecture as 64-bit systems. Support for Itanium 64-bit (IA-64) processors is no longer standard in Windows operating systems.

Running instances of Windows Server 2012 can either be in a physical operating system environment or a virtual operating system environment. To better support mixed environments, Microsoft introduced a new licensing model, based on the number of processors, users, and virtual operating system environments. Thus, the four main product editions can be used as follows:

• Windows Server 2012 Foundation: Has limited features and is available only from original equipment manufacturers (OEMs). This edition supports one physical processor, up to 15 users, and one physical environment, but it does not support virtualized
  • 34. environments. Although there is a specific user limit, a separate client access license (CAL) is not required for every user or device accessing the server.
• Windows Server 2012 Essentials: Has limited features. This edition supports up to two physical processors, up to 25 users, and one physical environment, but it does not support virtualized environments. Although there is a specific user limit, a separate CAL is not required for every user or device accessing the server.
• Windows Server 2012 Standard: Has all the key features. It supports up to 64 physical processors, one physical environment, and up to two virtual instances. Two incremental virtual instances and two incremental physical processors are added for each Standard license. Thus, a server with four processors, one physical environment, and four virtual instances would need two Standard licenses, but the same server with eight virtual environments would need four Standard licenses. CALs are required for every user or device accessing the server.
• Windows Server 2012 Datacenter: Has all the key features. It supports up to 64 physical processors, one physical environment, and unlimited virtual instances. Two incremental physical processors are added for each Datacenter license. Thus, a server with two processors, one physical environment, and 32 virtual instances would need only one Datacenter license, but the same server with four processors would need two Datacenter licenses. CALs are required for every user or device accessing the server.

Note: Windows Server 2012 Datacenter is not available for retail purchase. If you want to use the Datacenter edition, you need to purchase it through Volume Licensing, an OEM, or a Services Provider Licensing Agreement (SPLA).

You implement virtual operating system environments using Hyper-V. Hyper-V is a virtual-machine technology that allows multiple guest operating systems to run concurrently on one computer and provide separate applications and services to client computers, as shown in Figure 1-1. As part of the Hyper-V role, which can be installed on servers with x64-based processors that implement hardware-assisted virtualization and hardware data execution protection, the Windows hypervisor acts as the virtual machine engine, providing the necessary layer of software for installing guest operating systems. You can, for example, use this technology to concurrently run Ubuntu, Linux, and Windows Server 2012 on the same computer.
  • 35. [Figure 1-1: A conceptual view of virtual machine technology. Diagram labels: Processor Architecture; Virtualization; Operating Systems (Windows Server, Linux, Ubuntu), each with Applications; Client 1, Client 2, Client 3, Client n.]

Note: With Hyper-V enabled, Windows Server 2012 Standard and Datacenter support up to 320 logical processors. Otherwise, these operating systems support up to 640 logical processors.

Hyper-V also is included as a feature of Windows 8 Pro and Windows 8 Enterprise. The number of virtual machines you can run on any individual computer depends on the computer’s hardware configuration and workload. During setup, you specify the amount of memory available to a virtual machine. Although that memory allocation can be changed, the amount of memory actively allocated to a virtual machine cannot be otherwise used. Virtualization can offer performance improvements, reduce the number of servers, and reduce the Total Cost of Ownership (TCO).
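The INSIDE OUT sidebar earlier in this section states that 32-bit processes cannot load 64-bit DLLs and 64-bit processes cannot load 32-bit DLLs. The following Python sketch is an added example, not code from the book: it reads the PE header fields that record a DLL's architecture and reports which modules a process of a given bitness could not load. The function names and the constructed sample headers are assumptions made for illustration.

```python
import struct

# IMAGE_FILE_HEADER.Machine values defined by the PE/COFF format.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x0200: "IA-64"}
# IMAGE_OPTIONAL_HEADER.Magic: PE32 images are 32-bit, PE32+ images are 64-bit.
MAGICS = {0x010B: "PE32", 0x020B: "PE32+"}
EXPECTED_MAGIC = {"x86": "PE32", "x64": "PE32+", "IA-64": "PE32+"}


def image_arch(data: bytes) -> str:
    """Return 'x86', 'x64' or 'IA-64' for a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: bad or truncated DOS header")
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte Magic.
    if e_lfanew + 26 > len(data):
        raise ValueError("truncated image: PE header lies outside the data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    arch = MACHINES.get(machine)
    if arch is None:
        raise ValueError(f"unsupported machine type 0x{machine:04X}")
    # A header whose two architecture fields disagree is malformed.
    if MAGICS.get(magic) != EXPECTED_MAGIC[arch]:
        raise ValueError(f"inconsistent header: {arch} with magic 0x{magic:04X}")
    return arch


def can_load(process_arch: str, dll: bytes) -> bool:
    """True when native code in the DLL matches the process architecture.

    Resource-only loads and managed AnyCPU assemblies follow different
    rules and are not handled here.
    """
    return image_arch(dll) == process_arch


def audit(process_arch: str, modules: dict) -> list:
    """Check each named module; return (name, arch or None, verdict) tuples."""
    report = []
    for name in sorted(modules):
        try:
            arch = image_arch(modules[name])
        except ValueError as exc:
            report.append((name, None, f"rejected: {exc}"))
            continue
        verdict = "loadable" if arch == process_arch else "bitness mismatch"
        report.append((name, arch, verdict))
    return report


def build_sample_header(machine: int, magic: int, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal header for testing (constructed data, not a real DLL)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0 if magic == 0x010B else 0xF0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL flag set).
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    # Constructed sample modules: one per architecture plus a truncated file.
    samples = {
        "plugin32.dll": build_sample_header(0x014C, 0x010B),
        "plugin64.dll": build_sample_header(0x8664, 0x020B),
        "broken.dll": b"MZ",
    }
    for row in audit("x86", samples):  # audit from a 32-bit (WOW64) process
        print(row)
```

To check files on disk, pass the first few kilobytes of each DLL to `audit`; only the headers are read.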
  • 36. Windows 8 and Windows Server 2012

Like Windows Server 2012, Windows 8 has several main editions. These editions include the following:

• Windows 8: The entry-level operating system designed for home users
• Windows 8 Pro: The basic operating system designed for use in Windows domains
• Windows 8 Enterprise: The enhanced operating system designed for use in Windows domains with extended management features

Windows 8 Pro and Enterprise are the only editions intended for use in Active Directory domains. You can manage servers running Windows Server 2012 from a computer running Windows 8 Pro or Windows 8 Enterprise using the Remote Server Administration Tools for Windows 8. Download the tools from the Microsoft Download Center (http://download.microsoft.com).

Windows 8 uses the NT 6.2 kernel, the same kernel that Windows Server 2012 uses. Sharing the same kernel means that Windows 8 and Windows Server 2012 share the following components as well as others:

• Automatic Updates: Responsible for performing automatic updates to the operating system. This ensures that the operating system is up to date and has the most recent security updates. If you update a server from the standard Windows Update to Microsoft Update, you can get updates for additional products. By default, automatic updates are installed but not enabled on servers running Windows Server 2012. You can configure automatic updates using the Windows Update utility in Control Panel.
• BitLocker Drive Encryption: Provides an extra layer of security for a server’s hard disks. This protects the disks from attackers who have physical access to the server. BitLocker encryption can be used on servers with or without a Trusted Platform Module (TPM). When you add this feature to a server using the Add Roles And Features Wizard, you can manage it using the BitLocker Drive Encryption utility in Control Panel.
• Remote Assistance: Provides an assistance feature that allows an administrator to send a remote assistance invitation to a more senior administrator. The senior administrator can then accept the invitation to view the user’s desktop and temporarily take control of the computer to resolve a problem. When you add this feature to a server using the Add Roles And Features Wizard, you can manage it using options on the Remote tab of the System Properties dialog box.
  • 37. Windows 8 and Windows Server 2012 9Chapter1●● Remote Desktop  Provides a remote connectivity feature that allows you toremotely connect to and manage a server from another computer. By default,Remote Desktop is installed but not enabled on servers running Windows Server2012. You can manage the Remote Desktop configuration using options onthe Remote tab of the System Properties dialog box. You can establish remoteco­nnections using the Remote Desktop Connection utility.●● Task Scheduler  Allows you to schedule execution of one-time and recurring tasks,such as tasks used for performing routine maintenance. Like Windows 8, WindowsServer 2012 makes extensive use of the scheduled task facilities. You can view andwork with scheduled tasks in Computer Management.●● Desktop Experience  Installs additional Windows 8 desktop functionality on aserver. You can use this feature when you use Windows Server 2012 as your desk-top operating system. When you add this feature using the Add Roles And Features­Wizard, the server’s desktop functionality is enhanced and these programs areinstalled as well: Windows Media Player, desktop themes, Video for Windows (AVIsupport), Disk Cleanup, Sync Center, Sound Recorder, Character Map, and SnippingTool.●● Windows Firewall  Helps protect a computer from attack by unauthorized users.Windows Server 2012 includes a basic firewall called Windows Firewall and anadvanced firewall called Windows Firewall With Advanced Security. By default, thefirewalls are not enabled on server installations.●● Windows Time  Synchronizes the system time with world time to ensure that thesystem time is accurate. You can configure computers to synchronize with a spe-cific time server. The way Windows Time works depends on whether a computer isa member of a domain or a workgroup. In a domain, domain controllers are usedfor time synchronization and you can manage this feature through Group Policy. 
In a workgroup, you use Internet time servers for time synchronization and you can manage this feature through the Date And Time utility.
● Wireless LAN Service: Installs the Wireless LAN Service feature to enable wireless connections. Wireless networking with Windows Server 2012 works the same as it does with Windows 8. If a server has a wireless adapter, you can enable this feature using the Add Roles And Features Wizard.

In most instances, you can configure and manage these core components in exactly the same way on both Windows 8 and Windows Server 2012.
  • 38. Chapter 1: Introducing Windows Server 2012

Planning for Windows Server 2012

Deploying Windows Server 2012 is a substantial undertaking, even on a small network. Just the task of planning a Windows Server 2012 deployment can be a daunting process, especially in a large enterprise. The larger the business, however, the more important it is that the planning process be thorough and fully account for the proposed project’s goals, as well as lay out exactly how those goals will be accomplished.

Accommodating the goals of all the business units in a company can be difficult, and it is best accomplished with a well-planned series of steps that includes checkpoints and plenty of opportunity for management participation. The organization as a whole will benefit from your thorough preparation and so will the Information Technology (IT) department. Careful planning can also help you avoid common obstacles by helping you identify potential pitfalls and then determine how best to avoid them, or at least be ready for any unavoidable complications.

Your plan: The big picture

A clear road map can help with any complex project, and deploying Windows Server 2012 in the enterprise is certainly a complex project. A number of firms have developed models to describe IT processes such as planning and systems management. For our purposes, I’ll break down the deployment process into a roughly sequential set of tasks:
● Identify the team: For all but the smallest rollouts of a new operating system, a team of people will be involved in both the planning and deployment processes. The actual size and composition of this team will be different in each situation.
Collecting the right mixture of skills and expertise will help ensure the success of your project.
● Assess your goals: Any business undertaking the move to Windows Server 2012 has many reasons for doing so, only some of which are obvious to the IT department. You need to carefully identify the goals of the entire company before determining the scope of the project to ensure that all critical goals are met.
● Analyze the existing environment: Examine the current network environment, even if you think that you know exactly how everything works—you will often find you are only partially correct. Gather hardware and software inventories, network maps, and lists of which servers are providing which services. Also, identify critical business processes, and examine the administrative and security approaches that are currently in place. Windows Server 2012 offers a number of improvements, and you’ll find it useful to know which ones are particularly important in your environment.
  • 39.
● Define the project scope: Project scope is often one of the more difficult areas to pin down, and one that deserves particular attention in the planning process. Defining scope requires prioritizing the goals of the various groups within the organization and then realistically assessing what can be accomplished within an acceptable budget and time frame. It’s not often that the wish list of features and capabilities from the entire company can be fulfilled in the initial, or even later, deployment.
● Design the new network environment: After you have pinned down the project scope, you must develop a detailed design for the new operating system deployment and the affected portions of the network. During this time, you should create documentation describing the end state of the network, as well as the process of getting there. This design document serves as a road map for the people building the testing environment and, with refinements during the testing process, for the IT department later on.
● Test the design: Thorough testing in the lab is an often overlooked, but critically important, phase of deploying a new network operating system. By building a test lab and putting a prototype environment through its paces, you can identify and solve many problems in a controlled environment rather than in the field.
● Install Windows Server 2012: After you have validated your design in the lab and management has approved the deployment, you can begin to install Windows Server 2012 in your production environment. The installation process has two phases:
    ❍ Pilot phase: During the pilot phase, you deploy and test a small group of servers running Windows Server 2012 (and perhaps clients running Microsoft Windows 8) in a production environment. You should pick a pilot group that is comfortable working with new technology, and for whom minor interruptions will not pose significant problems.
In other words, this is not a good thing to do to the president of the company or the finance department just before taxes are due.
    ❍ Rollout: After you have determined that the pilot phase was a success, you can begin the rollout to the rest of the company. Make sure you schedule adequate downtime, and allow for ongoing minor interruptions and increased support demands as users encounter changed functionality.

As mentioned, these steps are generally sequential, but not exclusively so. You are likely to find that as you work through one phase of planning, you must return to activities that are technically part of an earlier phase. This is actually a good thing, because it means you are refining your plan dynamically as you discover new factors and contingencies.
  • 40.
INSIDE OUT: Getting off to a quick start

People need not be assigned to all these tasks at the beginning of the planning process. If you have people who can take on the needs analysis and research on the current and new network environment, you can get the project under way while recruiting the rest of the project team.

Identifying your organizational teams

A project like this requires a lot of time and effort as well as a broad range of knowledge, expertise, and experience. Unless you are managing a very small network, this project is likely to require more than one person to plan and implement. Team members are assigned to various roles, each of which is concerned with a different aspect of the project.

Each of these roles can be filled by one or more persons, devoting all or part of their workday—and beyond in some cases—to the project. No direct correlation exists between a team role and a single individual who performs it. In a large organization, a team of individuals might fulfill each of these roles, while in a small organization one person can fill more than one role.

As with IT processes, a number of vendors and consultants have put together team models, which you can use in designing your own team. Specific teams you might want to use include
● Architecture team: In increasingly complex IT environments, there needs to be someone responsible for overall project architecture and providing guidance for integrating the project into existing architecture. This role is filled by the architecture team. Specific deliverables include the architecture design and guidance for the integration solution.
● Program management team: Program management’s primary responsibility is ensuring that project goals are met within the constraints set forth at the beginning of the project. Program management handles the functional design, budget, schedule, and reporting.
Specific deliverables include a vision or scope document, functional specifications, a master project plan, a master project schedule, and status reports.
● Product management team: This team is responsible for identifying the business and user needs of the project and ensuring that the final plan meets those needs.
  • 41. Specific deliverables include the project charter and team orientation guidance as well as project structure documents and an initial risk assessment.
● User experience team: This team manages the transition of users to the new environment. This includes developing and delivering user training, as well as conducting an analysis of user feedback during testing and the pilot deployment. Specific deliverables include user reference manuals, usability test scenarios, and user interface graphical elements.
● Development team: The development team is responsible for defining the physical design and feature set of the project and estimating the budget and time needed for project completion. Specific deliverables include any necessary source code or binaries as well as necessary integrated-solution components.
● Testing team: The testing team is critical in ensuring that the final deployment is successful. It designs and builds the test environment, develops a testing plan, and then performs the tests and resolves any issues it discovers before the pilot deployment occurs. Specific deliverables include test specifications, test cases with expected results, test metrics, test scripts, test data, and test reports.
● Release management team: The release management team designs the test deployment and then performs that deployment as a means of verifying the reliability of the deployment before widespread adoption. Specific deliverables include deployment processes and procedures, installation scripts and configuration settings for deployment, operations guides, help desk and support procedures, knowledge base, help and training materials, operations documentation, and troubleshooting documentation.

Working together, these teams cover the various aspects of a significant project, such as rolling out Windows Server 2012.
Although all IT projects share some things in common, and therefore need someone to handle those areas of the project, that’s where the commonality stops. Each company has IT needs related to its specific business activities. This might mean additional team members are needed to manage those aspects of the project. For example, if external clients, the public, or both also access some of your IT systems as users, you have a set of user acceptance and testing requirements different from many other businesses.

The project team needs business managers who understand, and who can represent, the needs of the various business units. This requires knowledge of both the business operations and a clear picture of the daily tasks performed by staff.

Representatives of the IT department bring their technical expertise to the table not only to detail the inner workings of the network, but also to help business managers realistically
  • 42. assess how technology can help their departments and sort out the impractical goals from the realistic ones.

Make sure that all critical aspects of business operations are covered—include representatives from all departments that have critical IT needs, and be sure the team takes the needs of the entire company into account. This means that people on the project team must collect information from line-of-business managers and the people actually doing the work. (Surprisingly enough, the latter escapes many a project team.)

After you have a team together, management must ensure that team members have adequate time and resources to fulfill the tasks required of them for the project. This can mean shifting all or part of their usual workload to others for the project duration or providing resources such as Internet access, project-related software, and so on. Any project is easier, and more likely to be successful, with this critical real-time support from management.

INSIDE OUT: Hiring talent

Sometimes you don’t have people available in-house with all the needed skills and must look to consultants or contracted workers. Examine which tasks should be outsourced and exactly what you must receive from the relationship. Pay particular attention to highly specialized or complex areas—the Active Directory Domain Services architecture, for example—and those with a high rate of change.

One-time tasks, such as creating user training programs and documentation, are also good candidates for outsourcing. For areas in which there will be an ongoing need for the lacking expertise, such as security, it might be a better idea to send a staff member to get additional training instead.

Assessing project goals

Carefully identifying the goals behind moving to Windows Server 2012 is an important part of the planning process.
Without a clear list of objectives, you are unlikely to achieve them. Even with a clear set of goals in mind, it is unlikely you will accomplish them all. Most large business projects involve some compromises, and the process of deploying Windows Server 2012 is unlikely to be an exception.

Although deploying a new operating system is ultimately an IT task, most of the reasons behind the deployment won’t be coming from the IT department. Computers are, after all, tools used by business to increase productivity, enhance communications, facilitate business tasks, and so on; the IT department is concerned with making sure that the computer environment needed by the business is implemented.
  • 43.
INSIDE OUT: Creating documentation almost painlessly

During the planning process, and as you begin to use the new network environment, you’ll be creating numerous documents describing the current state of the network, the planned changes, IT standards, administrative procedures, and the like. It’s a good idea to take advantage of all of this up-to-date information to create policies and procedures documents, which will help ensure that the network stays in compliance with your new standards and administration is accomplished as intended.

The same set of documents can also serve as a basis for user guides, as well as administrator and user training, and can be made available through the corporate intranet. If the people working on the project, especially those performing testing, take notes about any error conditions they encounter and the resolutions to them, you’ll also have a good start on frequently asked questions (FAQs) and other technical support data.

The business perspective

Many discussions of the business reasons for new software deployments echo common themes: enhance productivity, eliminate downtime, reduce costs, and the like. Translating these often somewhat vague (and occasionally lofty) aspirations into concrete goals sometimes takes a bit of effort. It is well worth taking the time, however, to refine the big picture into specific objectives before moving on. An IT department should serve the needs of the business, not the other way around; if you don’t understand those needs clearly, you’ll have a hard time fulfilling them.

Be sure to ask for the input of people close to where the work is being done—department managers from each business area should be asked about what they need from IT, what works now, and what doesn’t. These people care about the day-to-day operations of their computing environment. Will the changes help their staff do their work?
Ask about work patterns, both static and burst—the finance department’s workflow is not the same in July as it is in April. Make sure to include all departments, as well as any significant subsets—human resources (HR), finance, sales, business units, executive management, and so on.

You should also identify risks that lie at the business level, such as resistance to change, lack of commitment (frequently expressed as inadequate resources: budget, staff, time, and so on), or even the occasional bit of overt opposition. At the same time, look for positives to exploit—enthusiastic staff can help energize others, and having a manager in your corner can smooth many bumps along the way. By getting people involved, you can gain allies who are vested in the success of the project.
  • 44.
INSIDE OUT: Talk to the people who will use the technology

Not to put too fine a point on it, but make sure that the team members who will be handling aspects of the user experience actually talk with users. The only way to adequately assess what the people doing the work need in critical areas such as usability, training, and support is to get in the trenches and see what they are doing. If possible, have meetings at the user’s workstation because it can provide additional insight into daily operations. If passwords are visible on sticky notes stuck to monitors—a far too common practice—you know you have security issues.

Identifying IT goals

IT goals are often obvious: improve network reliability, provide better security, deliver enhanced administration, and maybe even implement a particular new feature. They are also easier to identify than those of other departments—after all, they are directly related to technology.

When you define your goals, make sure that you are specific. It is easy to say you will improve security, but how will you know when you have done so? What’s improved, and by how much? In many cases, IT goals map to the implementation of features or procedures; for example, to improve security you will implement Internet Protocol Security (IPsec) and encrypt all traffic to remote networks.

Don’t overpromise either—eliminating downtime is a laudable goal, but not one you are likely to achieve on your network, and certainly not one on which you want your next review based.

Get to know each other

Business units often seem to have little idea of the IT department’s capabilities and operations—or worse, they have an idea, but it is an extremely unrealistic one. This can lead to expectations ranging from improbable to absurd, which is bad for everyone involved.

A major project like this brings together people from all over the company, some from departments that seldom cross paths.
This is a great opportunity for members of the various areas of the company to become familiar with IT operations, and vice versa. A clearer understanding of both the big picture of the business and the workings of other departments will help smooth the interactions of IT and the rest of the company.
  • 45.
Examining the interaction between IT and business units

A number of aspects of your organization’s business should be considered when evaluating your overall IT requirements and the business environment in which you operate. Consider things such as the following:
● Business organization: How large is the business? Are there offices in more than one location? Does the business operate across international, legal, or other boundaries? What sorts of departmental or functional boundaries exist?
● Stability: Does the business undergo a lot of change? Are there frequent reorganizations, acquisitions, changes, and the like in business partnerships? What is the expected growth rate of the organization? Conversely, are substantial downsizings planned in the future?
● External relationships: Do you need to provide access to vendors, partners, and so on? Are there external networks that people operating on your network must access?
● Impact of Windows Server 2012 deployment: How will this deployment affect the various departments in your company? Are there any areas of the company that are particularly intolerant of disruption? Are there upcoming events that must be taken into consideration in scheduling?
● Adaptability: Is management easily adaptable to change? If not, make sure you get every aspect of your plan right the first time. Having an idea of how staff might respond to new technologies and processes can help you plan for education and support.

Predicting network change

Part of planning is projecting into the future and predicting how future business needs will influence the activities of the IT department. Managing complicated systems is easier when it’s done from a proactive stance rather than a reactive one.
Predicting network change is an art, not a science, but it will behoove you to hone your skills at it.

This is primarily a business assessment, based on things such as expected growth, changes in business focus, or possible downsizing and outsourcing—each of which provides its own challenges to the IT department. Being able to predict what will happen in the business and what those changes will mean to the IT department allows you to build in room for expansion in your network design.

When attempting to predict what will happen, look at the history of the company. Are mergers, acquisitions, spin-offs, and so on common? If so, this indicates a considerable need for flexibility from the IT department, as well as the need to keep in close contact with people on the business side to avoid being blindsided by a change in the future.
  • 46. As people meet to discuss the deployment, talk about what is coming up for the business units. Cultivate contacts in other parts of the company, and talk with those people regularly about what’s going on in their departments, such as upcoming projects, as well as what’s happening with other companies in the same business sector. Reading the company’s news releases and articles in outside sources can also provide valuable hints of what’s to come. By keeping your ear to the ground, doing a little research, and thinking through the potential impact of what you learn, you can be much better prepared for whatever is coming up next.

The impact of growth on management

Many networks start out with a single administrator (or a small team), which only makes sense because many networks are small when first implemented. As those networks grow, it is not uncommon for a few administrative tasks to be delegated to others in the company who, although it is not their job, know how to assist the highly limited IT staff. This can lead to a haphazard approach to management, where who is doing what isn’t always clear, and the methods for basics (such as data backups) vary from one department to the next, leading to potential problems as time goes by and staff moves on. If this sounds familiar to you, this is a good time to remedy the situation.

Analyzing the existing network

Before you can determine the path to your new network environment, you must determine where you are right now in terms of your existing network infrastructure. This requires determining a baseline for network and system hardware, software installation and configuration, operations, management, and security.
Don’t rely on what you think is the case; actually verify what is in place.

Project worksheets consolidate information

A large network environment, with a lot of architectural and configuration information to be collected, can require juggling enormous amounts of data. If this is the case, you might find it useful to use project worksheets of some sort. If your company has not created customized worksheets, you can use those created by Microsoft to aid in the upgrade process. Typically, these are available in the operating system deployment kit.

Evaluating the network infrastructure

You should get an idea of what the current network looks like before moving to a new operating system. You will require configuration information while designing the
  • 47. modifications to the network and deploying the servers. In addition, some aspects of Windows Server 2012, such as the sites used in Active Directory replication, are based on your physical network configuration. (A site is a segment of the network with good connectivity, consisting of one or more Internet Protocol [IP] subnets.)

For reasons such as this, you’ll want to assess a number of aspects related to your physical network environment. Consider such characteristics as the following:
● Network topology: Document the systems and devices on your network, including link speeds, wide area network (WAN) connections, sites using dial-up connections, and so on. Include devices such as routers, switches, servers, and clients, noting all forms of addressing, such as both computer names and IP addresses for Windows systems.
● Network addressing: Are you currently employing Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)? What parts of the address space are private or public? Which IP subnets are in use at each location?
● Remote locations: How many physical locations does the organization have? Are they all using broadband connections, or are there remote offices that connect sporadically by dial-up? What is the speed of those links?
● Traffic patterns: Monitoring network traffic can provide insights into current performance, as well as help you to identify potential bottlenecks and other problems before they occur. Examine utilization statistics, paying attention to both regularly occurring patterns and anomalous spikes or lulls, which might indicate a problem.
● Special cases: Are there any portions of the network that have out-of-the-ordinary configuration needs, such as test labs that are isolated from the rest of the network?

INSIDE OUT: Mapping the territory

Create a network map illustrating the location of all your current resources—this is easier by using tools such as Microsoft Visio.
Collect as much detailed information as possible about those resources, starting with basics, such as what is installed on each server, the services it’s providing, and so on. Additional information, such as critical workflow processes and traffic patterns between servers, can also be very useful when it comes time to consolidate servers or deploy new ones. The easier it is to cross-reference all of this information, the better.
  • 48.
Assessing systems

As part of planning, you should inventory the existing network servers, identifying each system’s operating system version, IP address, Domain Name System (DNS) names, as well as the services provided by that system. Collect such information by performing the following tasks:
● Inventory hardware: Conduct a hardware inventory of the servers on your network, noting central processing unit (CPU), random access memory (RAM), disk space, and so on. Pay particular attention to older machines that might present compatibility issues if upgraded. You can use the Microsoft Assessment and Planning (MAP) toolkit, Microsoft System Center Configuration Manager (SCCM), or other tools to help you with the hardware inventory.
● Identify operating systems: Determine the current operating system on each computer, including the entire version number (even if it runs to many digits), as well as service packs, hot fixes, and other post-release additions.
● Assess your current Microsoft Windows domains: Do you have only Windows domains on the network? Are all domains using Active Directory? Do you have multiple Active Directory forests? If you have multiple forests, detail the trust relationships. List the name of each domain, what it contains (users, resources, or both), and which servers are acting as domain controllers.
● Identify localization factors: If your organization crosses international boundaries, language boundaries, or both, identify the localized versions of Windows Server in use and the locations in which they are used. This is critical when upgrading to Windows Server 2012 because attempting an upgrade using a different localized version of Windows Server 2012 might fail.
● Assess software licenses: Evaluate licenses for servers and client access.
This will help you select the most appropriate licensing program.
● Identify file storage: Review the contents and configuration of existing file servers, identifying partitions and volumes on each system. Identify existing distributed file system (DFS) servers and the contents of DFS shares. Don’t forget shares used to store user data.
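The hardware, operating system, localization, and file storage items in the list above can be collected with a short read-only script. This is an added example, not code from the book: `Get-ServerInventory` is a hypothetical helper name, `servers.txt` is a hypothetical input file, and the CIM cmdlets assume Windows PowerShell 3.0 or later on the machine running it.

```powershell
# Added example: read-only inventory of the items listed under "Assessing systems".
# Get-ServerInventory is a hypothetical name, not a built-in cmdlet.
function Get-ServerInventory {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($name in $ComputerName) {
            $session = $null
            try {
                # Try WS-Management first; older servers without WinRM need DCOM.
                try {
                    $session = New-CimSession -ComputerName $name -ErrorAction Stop
                } catch {
                    $dcom = New-CimSessionOption -Protocol Dcom
                    $session = New-CimSession -ComputerName $name -SessionOption $dcom -ErrorAction Stop
                }

                $os   = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
                $cs   = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
                $cpu  = @(Get-CimInstance -CimSession $session -ClassName Win32_Processor)
                $disk = @(Get-CimInstance -CimSession $session -ClassName Win32_LogicalDisk -Filter 'DriveType = 3')
                $fix  = @(Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering)
                # Type = 0 selects ordinary disk shares and skips administrative shares.
                $shr  = @(Get-CimInstance -CimSession $session -ClassName Win32_Share -Filter 'Type = 0')
                $nic  = @(Get-CimInstance -CimSession $session -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

                [pscustomobject]@{
                    ComputerName = $name
                    DnsHostName  = $cs.DNSHostName
                    Domain       = $cs.Domain
                    # DomainRole 4 or 5 means the server is a domain controller.
                    IsDomainController = ($cs.DomainRole -ge 4)
                    OperatingSystem    = $os.Caption
                    # Full version string, including the build number.
                    Version      = $os.Version
                    ServicePack  = '{0}.{1}' -f $os.ServicePackMajorVersion, $os.ServicePackMinorVersion
                    # Language ID of the installed (localized) version, e.g. 1033 = en-US.
                    OSLanguage   = $os.OSLanguage
                    Model        = '{0} {1}' -f $cs.Manufacturer, $cs.Model
                    Cpu          = ($cpu | ForEach-Object { $_.Name.Trim() }) -join '; '
                    MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
                    Volumes      = ($disk | ForEach-Object {
                                       '{0} {1} {2:N0} GB free of {3:N0} GB' -f $_.DeviceID, $_.FileSystem,
                                           ($_.FreeSpace / 1GB), ($_.Size / 1GB)
                                   }) -join '; '
                    IPAddresses  = ($nic | ForEach-Object { $_.IPAddress }) -join '; '
                    HotFixes     = ($fix | ForEach-Object { $_.HotFixID } | Sort-Object -Unique) -join '; '
                    FileShares   = ($shr | ForEach-Object { '{0}={1}' -f $_.Name, $_.Path }) -join '; '
                }
            } catch {
                # Record unreachable hosts instead of silently dropping them from the inventory.
                Write-Warning ("{0}: inventory failed: {1}" -f $name, $_.Exception.Message)
            } finally {
                if ($session) { Remove-CimSession -CimSession $session }
            }
        }
    }
}

# Local machine:
Get-ServerInventory | Format-List

# A list of servers, one name per line (servers.txt is a hypothetical file):
# Get-Content .\servers.txt | Get-ServerInventory | Export-Csv .\inventory.csv -NoTypeInformation
```

Hosts that produce a warning still belong in the worksheet; a server that answers neither WS-Management nor DCOM is itself a finding for the assessment.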
  • 49.
INSIDE OUT: Where is the data?

Locating file shares that are maintained at a departmental, team, or even individual level can take a little bit of investigation. However, the effort to do so can well be worth it because it allows you to centralize the management of data that is important to individual groups, while providing valuable services such as ensuring that regular data backups are performed.

You can gather hardware and software inventories of computers that run the Windows operating system by using a tool such as System Center Configuration Manager. Review the types of clients that must be supported so that you can configure servers appropriately. This is also a good time to determine any client systems that must be upgraded (or replaced) to use Windows Server 2012 functionality.

Note
You can also gather this information with scripts. To find more information on scripting, I recommend Microsoft Windows PowerShell 2.0 Administrator’s Pocket Consultant by William R. Stanek (Microsoft Press, 2009).

Identify network services and applications

Look at your current network services, noting which services are running on which servers, and the dependencies of these services. Do this for all domain controllers and member servers that you’ll be upgrading. You’ll use this information later to plan for server placement and service hosting on the upgraded network configuration. Some examples of services to document are as follows:
● DNS services: You must assess your current DNS configuration. If you’re currently using a non–Microsoft DNS server, you’ll want to carefully plan DNS support because Active Directory relies on Windows Server 2012 DNS.
See Chapter 21, “Architecting DNS infrastructure,” for guidance, and be sure to review “Deploying global names zones” in Chapter 22, “Implementing and managing DNS.”
● WINS services: You should assess the use of Network Basic Input/Output System (NetBIOS) by legacy applications and computers running early versions of the
  • 50. Windows operating system to determine whether NetBIOS support (such as Windows Internet Naming Service [WINS]) will be needed in the new network configuration. See “Understanding name resolution” in Chapter 18, “Networking with TCP/IP,” to review important changes, including Link-Local Multicast Name Resolution (LLMNR).
● Print services: List printers and the print server assigned to each one. Consider who is assigned to the various administrative tasks and whether the printer will be published in Active Directory. Also determine whether all of the print servers will be upgraded in place or whether some will be consolidated.
● Network applications: Inventory your applications, creating a list of the applications that are currently on the network, including the version number (as well as post-release patches and such), which server hosts it, and how important each application is to your business. Use this information to determine whether upgrades or modifications are needed. Also watch for software that is never used and thus need not be purchased or supported—every unneeded application you can remove represents savings of both time and money.

This list is only the beginning. Your network will undoubtedly have many more services that you must take into account.

CAUTION!
Make sure that you determine any dependencies in your network configuration. Discovering after the fact that a critical process relied on the server that you just decommissioned is not going to make your job any easier. You can find out which Microsoft and third-party applications are certified to be compatible with Windows Server 2012 in the Windows Server Catalog (http://www.windowsservercatalog.com/).

Identifying security infrastructure

When you document your network infrastructure, you will need to review many aspects of your network security.
In addition to security concerns that are specific to your network environment, the following factors should be addressed:
●● Consider exactly who has access to what and why. Identify network resources, security groups, and assignment of access permissions.
  • 51. Planning for Windows Server 2012
●● Determine which security protocols and services are in place. Are adequate virus protection, firewall protection, email filtering, and so on in place? Do any applications or services require legacy NTLM authentication? Have you implemented a public key infrastructure (PKI) on your network?
●● Examine auditing methods, and identify the range of tracked access and objects.
●● Determine which staff members have access to the Internet and which sorts of access they have. Look at the business case for access that crosses the corporate firewall—does everyone who has Internet access actually need it, or has it been provided across the board because it was easier to provide blanket access than to provide access selectively? Such access might be simpler to implement, but when you look at Internet access from the security perspective, it presents many potential problems.
●● Consider inbound access as well; for example, can employees access their information from home? If so, examine the security that is in place for this type of access.

Important
Security is one area in which well-established methods matter—pay particular attention to all established policies and procedures, what has been officially documented, and what isn’t documented as well.

Depending on your existing network security mechanisms, the underlying security methods can change upon deployment of Windows Server 2012. Windows Server 2003 is the minimum forest and domain functional level supported by Windows Server 2012. When the forest and domain functional levels are raised to this level or higher from a lower level, Kerberos is the default authentication mechanism used between computer systems.
This also means that although the Windows NT 4 security model (using NTLM authentication) continues to be supported, it is no longer the default authentication mechanism.

Reviewing network administration
Examining the administrative methods currently in use on your network provides you with a lot of information about what you are doing right, as well as identifying areas that could use some improvement. Using this information, you can tweak network procedures where needed to optimize the administration of the new environment.
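The security checklist above asks whether any applications or services still require legacy NTLM authentication. As an added example (not from the book), this PowerShell function tallies NTLM logons from Security event 4624 records; the function name `Get-NtlmLogonSummary` and the sample events are constructed here, and it assumes logon auditing is enabled so that 4624 events are being recorded.

```powershell
# Added example (not from the book): summarize NTLM logons recorded as
# Security event 4624 so you can see which hosts and accounts still use NTLM.
function Get-NtlmLogonSummary {
    param(
        [Parameter(Mandatory)]
        [string[]] $EventXml          # one XML string per 4624 event
    )
    $rows = foreach ($x in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        # Kerberos and Negotiate logons are skipped; only NTLM is of interest.
        if ($fields['AuthenticationPackageName'] -ne 'NTLM') { continue }
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            Workstation = $fields['WorkstationName']
            SourceIp    = $fields['IpAddress']
            NtlmVersion = $fields['LmPackageName']   # "NTLM V1" or "NTLM V2"
        }
    }
    $rows | Group-Object Account, Workstation, SourceIp, NtlmVersion |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (trimmed to the fields used above; all values invented).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = '<Event xmlns="{0}"><EventData>' +
    '<Data Name="TargetUserName">{1}</Data><Data Name="TargetDomainName">CONTOSO</Data>' +
    '<Data Name="AuthenticationPackageName">{2}</Data><Data Name="WorkstationName">{3}</Data>' +
    '<Data Name="LmPackageName">{4}</Data><Data Name="IpAddress">{5}</Data>' +
    '</EventData></Event>'
$sample = @(
    ($template -f $ns, 'svc-legacyapp', 'NTLM',     'APP01', 'NTLM V1', '192.0.2.10'),
    ($template -f $ns, 'svc-legacyapp', 'NTLM',     'APP01', 'NTLM V1', '192.0.2.10'),
    ($template -f $ns, 'jsmith',        'Kerberos', '-',     '-',       '192.0.2.25'),
    ($template -f $ns, 'scanner',       'NTLM',     'PRN07', 'NTLM V2', '192.0.2.40')
)
Get-NtlmLogonSummary -EventXml $sample

# Against a live server (requires rights to read the Security log):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() }
# Get-NtlmLogonSummary -EventXml $xml
```

Collect events over a period long enough to cover periodic jobs, because an application that authenticates only monthly will not appear in a short sample.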
  • 52. How did you get here?
Some networks are entirely designed—actually considered, discussed, planned, and so forth—while other networks grow. At one extreme is a formally designed and carefully implemented administration scheme, complete with its supporting documentation set, training, and ongoing compliance monitoring. At the other end of the spectrum is the network for which administrative methods just sort of happen organically—someone did it that way once, it worked, that person kept doing it that way and maybe even taught others to do it that way. Not surprisingly, this occurs most often on small networks. In the middle, and perhaps more typically, is a looser amalgamation of policies and procedures, some of which were formally implemented, while others were created ad hoc.

Depending on the path that led to your current administrative methods, you might have more or less in the way of documentation, or an actual idea, of the detailed workings of day-to-day administration. Even if you have fully documented policies and procedures, you should still assess how management tasks are actually performed—you might be surprised at what you learn.

Network administrative model  Each company has its own sort of approach to network administration—some are very centralized, with even the smallest changes being made by the IT department, while others are partially managed by the business units, which control aspects such as user management. Administrative models fit into these categories:
●● Centralized  Administration of the entire network is handled by one group, perhaps in one location, although not necessarily. This provides a high degree of control at the cost of requiring IT staff for every change to the network, no matter how small.
●● Decentralized  This administrative model delegates more of the control of day-to-day operations to local administrators of some sort, often departmental.
Certain aspects of network management might still be managed by a central IT department, in that a network with decentralized administration often has well-defined procedures controlling exactly how each administrative task is performed.
●● Hybrid  On many networks, a blend of these two methods is used. A centralized IT department performs many tasks (generally, the more difficult, delicate operations, and those with the broadest impact on the network), while delegating simpler tasks (such as user management) to departmental or group administrators.

Disaster recovery  The costs of downtime caused by service interruption or data loss can be substantial, especially in large enterprise networks. As part of your overall planning, determine whether a comprehensive IT disaster recovery plan is in place. If one is in place,
  • 53. this is the time to determine its scope and effectiveness, as well as to verify that it is being followed. If one isn’t in place, this is the time to create and implement one.

Document the various data sets being archived, schedules, backup validation routine, staff assignments, and so on. Make sure there are provisions for offsite data storage to prot