Saturday, June 15, 2013

6. Create and Manage Group Policy 6.1 Create Group Policy objects (GPOs)

6.1.1 Configure a Central Store
http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx

Without a Central Store, Group Policy Management reads the ADMX template files from the local administrative workstation when editing GPOs. A Central Store lets every administrator workstation that edits GPOs use the same templates.

Create a PolicyDefinitions folder in %logonserver%\sysvol\%userdnsdomain%\policies for each domain in which you want a central store.
(you can also go directly to \\%userdnsdomain%\sysvol, i.e. \\contoso.com\sysvol)

Copy all the files and subfolders from %systemroot%\PolicyDefinitions to the new PolicyDefinitions folder in sysvol.

Note that any new custom ADMX files should now be added to the central store, and that the Group Policy editor will prefer the central store ADMX files over any local ones. The GP tools ignore any ADM file for which an updated ADMX file exists, but you can still use custom ADM templates.
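
The two steps above in PowerShell, as an added example that is not from the original post: it builds the SYSVOL path from the current domain, creates the PolicyDefinitions folder if it is missing, copies the local templates including the language subfolders, and compares the ADMX counts. It assumes the ActiveDirectory module is available and that you run it as an account that can write to SYSVOL.

```powershell
# Added example (not from the original post): create the Central Store for the current
# domain and copy the local ADMX/ADML files into it.
# Assumes the ActiveDirectory module and an account with write access to SYSVOL.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot                                     # e.g. contoso.com
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"      # DFS path to the Central Store
$local  = Join-Path $env:SystemRoot 'PolicyDefinitions'              # templates on this workstation

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Copy the .admx files and the language subfolders (en-US etc.) that hold the .adml files.
Copy-Item -Path (Join-Path $local '*') -Destination $store -Recurse -Force

# Verify: the store should now hold at least as many ADMX files as the local folder.
$localCount = (Get-ChildItem -Path $local -Filter *.admx).Count
$storeCount = (Get-ChildItem -Path $store -Filter *.admx).Count
"Local ADMX: $localCount   Central Store ADMX: $storeCount"
```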

6.1.2 manage starter GPOs
http://technet.microsoft.com/en-us/library/cc772538.aspx

Starter GPO - template policy settings used as the starting point for new GPOs.
These are stored in \\%userdnsdomain%\sysvol\%userdnsdomain%\StarterGPOs
 
If the StarterGPOs folder doesn't exist in this domain, Group Policy Management will ask to create it when you click on the Starter GPOs node under the domain. It then creates the folder and populates it with the default templates, called System Starter GPOs. These templates are read-only by default.

You can now create/edit your own starter GPOs.

6.1.3 configure GPO links
GPOs can be linked to sites, domains, and OUs, and can use security filtering to apply only to specific users/groups.

Under Domains choose either the domain or an OU, right click, Link an Existing GPO. Or go under Sites, select a site, right click and Link an Existing GPO. By left clicking or expanding a domain, OU, or site, you can see the GPOs that are linked to that object. You can also see which locations are linked to a specific GPO by clicking on the GPO itself under "Group Policy Objects" and selecting the Scope tab.

6.1.4 configure multiple local group policies
http://technet.microsoft.com/en-us/library/cc731758.aspx

There are four types of local policies (LGPOs) available on supported systems:
Local policy: the legacy policy that supports both user and computer settings
Administrators policy: user settings only, applied to administrators
Non-administrators policy: user settings only, applied to all non-administrators
Specific user policies: user settings only, for a specific user

Local policies are applied in this order: Local, Administrators/non-administrators, specific user.

To edit each policy, load an MMC console and go to File > Add/Remove Snap-in. Select Group Policy Object and click Add. Click Finish to accept the default Local Computer, or select Browse to choose others. If this version of Windows supports multiple LGPOs, you should have a "Users" tab here; click Users and select either Administrators, Non-Administrators, or a specific user. Repeat this if you want to see all policies in one custom snap-in.

6.1.5 configure security filtering
Security filtering is configured per GPO on the Scope tab under Security Filtering. Because the filter is set on the GPO itself, it affects every container that links to this GPO.

GPO security filtering defaults to Authenticated Users.
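
An added example (not the author's) that audits the security filtering of every GPO and shows how to narrow one GPO to a group. It assumes the GroupPolicy module (installed with the GPMC feature); the GPO name 'Sales Desktop' and the group 'Sales Users' are placeholders.

```powershell
# Added example (not from the original post): list which trustees can apply each GPO, then
# narrow one GPO's filtering. Assumes the GroupPolicy module; names are placeholders.
Import-Module GroupPolicy

function Get-GpoApplyTrustees {
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        # -All returns one permission entry per trustee; keep the ones that can apply the GPO.
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO     = $gpo.DisplayName
                    Trustee = $_.Trustee.Name
                    Type    = $_.TrusteeType
                }
            }
    }
}

# Report: a GPO whose only Apply trustee is Authenticated Users applies to everyone in the
# containers it is linked to, which is the default described above.
Get-GpoApplyTrustees | Sort-Object GPO | Format-Table -AutoSize

# Narrow 'Sales Desktop' to the 'Sales Users' group:
# 1. grant the group Apply, 2. lower Authenticated Users from Apply to Read.
# -Replace is needed to lower an existing level; keep Read rather than removing the trustee,
# because computers must still be able to read the GPO to process it (required since MS16-072).
Set-GPPermission -Name 'Sales Desktop' -TargetName 'Sales Users' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name 'Sales Desktop' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
```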

Friday, June 14, 2013

5. Install and administer Active Directory 5.3 Create and manage active directory groups and organizational units(OUs)

Group types:

Security: used for granting resource permissions
Distribution: non-security for distribution of information

Group scopes:
Domain local: can contain accounts from any domain, global and universal groups from any domain, but domain local groups from the same domain only
Global: can contain accounts from the same domain and global groups from the same domain
Universal: can contain accounts from any domain in the forest, global groups from any domain in the forest, and universal groups from any domain in the forest

Group permission assignment:
Universal: resources in any domain or forest
Global: resources in any domain
Domain local: only to resources in same domain

5.3.1 Configure group nesting
MS's "best practice" AGUDLP method suggests putting users (Accounts) and other groups into Global groups, nesting those into Universal groups if needed, then into Domain Local groups, which are the groups assigned Permissions on a resource. So Global for users and groups, and Domain Local for the resource assignments.
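
The AGUDLP chain above in PowerShell, as an added example that is not from the original post. It assumes the ActiveDirectory module, a hypothetical OU ou=Groups,dc=contoso,dc=com, an existing user jdoe, and a folder D:\Shares\Sales on the server you run it on.

```powershell
# Added example (not from the original post): Accounts -> Global -> Domain Local -> Permissions.
# Assumes the ActiveDirectory module, the OU below (hypothetical), user jdoe and D:\Shares\Sales.
Import-Module ActiveDirectory

$ou = 'ou=Groups,dc=contoso,dc=com'

# A -> G : accounts are placed in a Global group that describes who they are.
New-ADGroup -Name 'Sales Users' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales Users' -Members 'jdoe'

# G -> DL : the Global group is nested into a Domain Local group that describes one resource right.
New-ADGroup -Name 'Sales Share Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales Share Modify' -Members 'Sales Users'

# DL -> P : only the Domain Local group appears in the resource ACL; users never do.
$acl  = Get-Acl -Path 'D:\Shares\Sales'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CONTOSO\Sales Share Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Shares\Sales' -AclObject $acl

# Check: the user's effective membership resolves through the nesting.
Get-ADGroupMember -Identity 'Sales Share Modify' -Recursive | Select-Object Name, objectClass
```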


5.3.2 convert groups including security, distribution, universal, domain local, and domain global
Universal can convert to Domain Local.
Universal can convert to Global if no other universal groups exist as members.
Global can convert to Universal, as long as it's not a member of another Global group.
Domain Local can convert to Universal as long as no other domain local groups exist as members.


5.3.3 manage group membership using Group Policy
In the GPO drill down to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. Here you configure which members may be in a group on the computers this GPO affects ("Members of this group"), and/or which groups this group belongs to on those computers ("This group is a member of").

This is used most effectively to limit local group memberships.

5.3.4 enumerate group membership
ADUC and ADAC: right click properties, members tab

get-adgroupmember "cn=sales,ou=sales,dc=contoso,dc=com"
dsget group "cn=sales,ou=sales,dc=contoso,dc=com" -members

5.3.5 delegate the creation and management of Active Directory objects

see 1.2.2 Delegate Administration

Tools used to delegate administration:

Delegation of Control Wizard in ADUC
ACL Editor
ldp.exe
dsacls.exe
acldiag.exe
dsrevoke.exe

5.3.6 manage default Active Directory containers; create, copy, configure, and delete groups and OUs
Default containers (CN objects) cannot have GPOs linked to them or be used for admin delegation.
Domain container - root domain container
Builtin - default service admin accounts
Users - default location for new users and groups
Computers - default location for new computers
Other default containers: Foreign Security Principals, Managed Service Accounts
4 others are hidden in ADUC unless Advanced Features is enabled: LostAndFound, NTDS Quotas, System, Program Data

There's also a default OU Domain Controllers.

Create new:
ADUC and ADAC: right click and New > Organizational Unit, right click and New > Group
command line:
dsadd ou "ou=Sales,dc=contoso,dc=com"
dsadd group "cn=salesgroup,ou=sales,dc=contoso,dc=com"

powershell:
new-adorganizationalunit -name HR -path "dc=contoso,dc=com"
new-adgroup -name "Human Resources" -path "ou=HR,dc=contoso,dc=com" -groupscope Global

Configure: ADUC and ADAC: Right click, properties
command line
dsmod group "cn=salesgroup,ou=sales,dc=contoso,dc=com" -addmbr "cn=administrator,cn=users,dc=contoso,dc=com"
dsmod ou "ou=sales,dc=contoso,dc=com" -desc "Sales department"

powershell
set-adgroup -identity "cn=human resources,ou=HR,dc=contoso,dc=com"
add-adgroupmember -identity "cn=human resources,ou=HR,dc=contoso,dc=com" -members "cn=John Doe,ou=HR,dc=contoso,dc=com"
set-adorganizationalunit

Remove:
ADUC and ADAC: right click, delete
remove-adgroup
remove-adorganizationalunit

5. Install and administer Active Directory 5.2 Create and manage Active Directory users and computers

5.2.1 Automate the creation of Active Directory accounts
Ways to manage users:

Active Directory Administrative Center
Active Directory Users and Computers
dsadd.exe command line
new-aduser powershell
csvde.exe command line
LDIFDE.exe command line
 
5.2.2 create, copy, configure, and delete users and computers 
PowerShell module = ActiveDirectory
 
Create User:
ADAC: Drill down to the OU you want to create in. In the right pane, under Users, select New User.
(you can also select the OU location for the user in the New User page)
ADUC: right click the OU and New > User
PowerShell:
new-aduser -name "John Doe" -givenname "John" -surname "Doe" -displayname "John Doe" `
    -samaccountname "jdoe" -userprincipalname "jdoe@contoso.com" -enabled $true `
    -accountpassword (convertto-securestring -string "password" -asplaintext -force)

Copy User
ADAC: Not supported in ADAC
ADUC: right click user and Copy user.
Powershell: no specific cmdlets provided for this.

Configure User
ADAC: right click user, properties
ADUC right click user, properties
Powershell: set-aduser

Delete User
ADAC: right click, delete
ADUC: right click delete
Powershell: remove-aduser -identity "cn=John Doe,ou=Accounting,dc=contoso,dc=com"

Creating Computers:
ADUC and ADAC: right click the OU and New > Computer

dsadd computer "cn=testpc,cn=computers,dc=contoso,dc=com"

new-adcomputer -name testpc -path "cn=computers,dc=contoso,dc=com"
 
Join a new computer to the domain:
GUI: on the computer, right click Computer, Properties, and change the domain membership

netdom join testpc /domain:contoso.com

add-computer -computername testpc -domainname contoso.com

5.2.3 configure templates 
Templates can be created in ADUC because of the Copy function. Create a user object and call it, for example, Default Template. Clear "User must change password at next logon" and check "Account is disabled". Set the properties you want to use as the template. Now you can just right click and copy this user.

5.2.4 perform bulk Active Directory operations
Create a CSV with a header line whose "columns" are the AD attributes to be imported into the new records.
Use the objectClass attribute to specify the type of object, e.g. user.
csvde.exe -i -f filenametoimport.csv

You can only add or read (export) records with CSVDE.

LDIFDE.exe has 3 types of functions: add, modify, delete. The format of the data file is LDAP Data Interchange Format (LDIF), which is different from the CSV used by CSVDE. Example (note that the dn value is not quoted in LDIF):

dn: cn=John Doe,ou=accounting,dc=contoso,dc=com
changetype: add
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@contoso.com

Here the changetype line determines what should be done with this record.

you would use ldifde -i -f filenametoimport.ldf

Use the "replace" directive with the modify changetype. Each attribute change is ended with a line containing only a hyphen, and the attribute is named by its LDAP display name (the e-mail address attribute is mail):
dn: cn=John Doe,ou=accounting,dc=contoso,dc=com
changetype: modify
replace: mail
mail: jdoe@contoso.com
-

You can also create users in bulk with new-aduser by piping in the output of the import-csv cmdlet.
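
An added example (not from the original post) of the Import-Csv to New-ADUser pipeline: the CSV is constructed inline here instead of being read from a file, and the OU ou=Accounting,dc=contoso,dc=com and the contoso.com UPN suffix are assumed.

```powershell
# Added example (not from the original post): bulk user creation from CSV columns.
# Assumes the ActiveDirectory module and ou=Accounting,dc=contoso,dc=com.
Import-Module ActiveDirectory

# Constructed sample data; in practice replace this with: Import-Csv -Path .\users.csv
$csv = @'
GivenName,Surname,SamAccountName,Department
John,Doe,jdoe,Accounting
Jane,Roe,jroe,Accounting
'@

$ou = 'ou=Accounting,dc=contoso,dc=com'

# One policy-compliant initial password, entered once and never written to disk; every
# account is forced to change it at first logon.
$initialPassword = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString

$csv | ConvertFrom-Csv | ForEach-Object {
    $sam = $_.SamAccountName
    # Skip rows whose logon name is already taken instead of failing half-way through the file.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping $sam : account already exists"
        return
    }
    New-ADUser -Name "$($_.GivenName) $($_.Surname)" -GivenName $_.GivenName -Surname $_.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" -Department $_.Department `
        -Path $ou -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
}
```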

5.2.5 configure user rights
User rights for a computer can be configured locally using the Local Group Policy Editor MMC (gpedit.msc), or you can define the user rights in a domain Group Policy.

The order of applying rights is Local, Site, Domain, OU, with each overriding the previous. The exception is when domain policies use the Enforced option: they are not overridden, unless another GPO with Enforced set is higher in the AD hierarchy.

Extra note: You can use Local User Policy (secpol.msc) but I believe gpedit is preferred in a domain and secpol is just a subset of it.

5.2.6 offline domain join 
Offline domain joins are done using the djoin command line tool.

On a computer with access to a DC, run:
djoin /provision /domain contoso.com /machine OFFPC /savefile offlinefile.txt

then run on the offline computer:
djoin /requestodj /loadfile offlinefile.txt /windowspath %systemroot% /localos

5.2.7 manage inactive and disabled accounts
Disable/Enable a user or computer in ADAC or ADUC: right click and Disable/Enable Account
PowerShell:
enable-adaccount -identity <user or computer>
disable-adaccount -identity <user or computer>

For inactive accounts, you can use
search-adaccount -accountinactive (optionally with -timespan to set the inactivity period)

You can also use dsquery with the -inactive parameter, specifying the number of weeks of inactivity:
dsquery user dc=contoso,dc=com -inactive 4
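
An added example (not from the original post) that builds on Search-ADAccount -AccountInactive: it writes enabled user accounts with no logon in 90 days to a CSV and then disables them, with -WhatIf so nothing changes until you remove it. Assumes the ActiveDirectory module.

```powershell
# Added example (not from the original post): find, record and disable stale user accounts.
# Assumes the ActiveDirectory module and rights to modify the accounts.
Import-Module ActiveDirectory

# LastLogonDate is derived from the replicated lastLogonTimestamp, which can lag a real
# logon by up to 14 days, so keep the threshold well above that.
$days  = 90
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $days) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.ObjectGUID -Properties LastLogonDate, Description }

# Keep a record of what is about to be disabled before touching anything.
$stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path .\inactive-users.csv -NoTypeInformation

foreach ($u in $stale) {
    # -WhatIf only reports; remove it once the CSV has been reviewed.
    Disable-ADAccount -Identity $u -WhatIf
    $note = 'Disabled {0}: inactive {1}+ days. {2}' -f (Get-Date -Format yyyy-MM-dd), $days, $u.Description
    Set-ADUser -Identity $u -Description $note -WhatIf
}
```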

5. Install and administer Active Directory 5.1 Install domain controllers


5.1.1 Add or remove a domain controller from a domain
After installing the Active Directory Domain Services (AD-Domain-Services) role, you can promote this server to a domain controller:
add a domain controller to an existing domain, add a new domain to an existing forest, or add a new forest.

When adding a new domain or new forest:
The forest/domain functional levels should match the oldest Windows version that will be used as a DC in this forest or domain.
The first domain controller in a forest must be a Global Catalog and cannot be an RODC.

Extra note: dcpromo command no longer works unless you are using an unattended answer file

5.1.2 upgrade a domain controller
You cannot in-place upgrade Windows Server 2003 or 32-bit 2008 DCs.

Pre-requisites:
pre-2003 DCs cannot exist when adding 2012 DCs
Forest functional level should be 2003 or higher

Adding a 2012 DC now runs the Adprep utility automatically to extend the existing forest/domain schema. However, in-place upgrading an existing DC to 2012 still requires adprep to be run manually.

You must be an Enterprise Admin to run adprep /forestprep. It can only be run on 64-bit 2008/2008 R2. The server you run it on must have connectivity to the forest schema master and the domain infrastructure master.

Extra note: you can use dsquery to verify the objectVersion of the forest schema. For 2012 the objectVersion should be 56:
dsquery * "cn=schema,cn=configuration,dc=contoso,dc=com" -scope base -attr objectversion
  
5.1.3 install Active Directory Domain Services (AD DS) on a Server Core installation
First, install the role:
install-windowsfeature -name ad-domain-services -includemanagementtools

Then promote with one of:
install-addsforest - used for the first DC in a new forest
install-addsdomain - used for the first DC in a new domain
install-addsdomaincontroller - used to add a DC to an existing domain


5.1.4 install a domain controller from Install from Media (IFM)
IFM is typically used to install a DC in a location where initial replication is impossible or too slow.

On a DC running the same Windows version (2012 here), run ntdsutil:
c:\windows\system32\ntdsutil.exe: activate instance ntds
c:\windows\system32\ntdsutil.exe: ifm
ifm: create full "c:\ntdsifm"
you can also include the sysvol:
ifm: create sysvol full "c:\ntdsifm"

Now copy the ntdsifm folder to media that you transport to the location of the new DC.
While promoting the DC, check "Install from media" on the Additional Options page, and point it at the media that holds the DC data.

PowerShell:
Use the -installationmediapath parameter with the install-addsdomaincontroller cmdlet.

5.1.5 resolve DNS SRV record registration issues
run the dcdiag command
dcdiag /test:registerindns /dnsdomain:contoso.com

5.1.6 configure a global catalog server
Global Catalogs store information about the overall forest. Replication of a GC can possibly cause lots of traffic.

If you did not configure a DC as a GC you can always do so at a later time using the AD Sites and Services MMC, under the properties for the NTDS Settings for the server, General tab. Check/uncheck GC.

Monday, June 3, 2013

4. Deploy and configure core network services 4.3 Deploy and configure DNS service

DNS Basics
DNS namespace, name servers, resolver (the client that sends DNS queries)

Recursive query: resolver clients send recursive queries to their DNS servers. This tells the DNS server to query the hierarchy of DNS servers until it gets a resolution from the authoritative server(s).
Iterative query: a single request/response exchange between DNS servers. The only time DNS servers send a recursive query to other DNS servers is when they are querying a forwarder.

DNS forwarders are set up to do the full recursive queries on behalf of other DNS servers.

Reverse name resolution: resolves a name from an IP address.

Zones:
Primary: master copy of the zone. If not AD-integrated, a local database file holds the zone.
Secondary: duplicate of the primary. Replicates the zone file using zone transfer.
Stub: copy of a primary zone that forwards or refers requests.
AD-integrated
AD-integrated

Extra note:  With Server 2012 and Powershell 3 you can configure dns server using cmdlets in module DnsServer. You can also use the command line tool dnscmd. 

4.3.1 Configure Active Directory integration of primary zones
AD-integrated DNS is automatically replicated to other DC's with DNS installed
You can integrate a primary zone in AD while creating it, or by going to the zone's properties and Change (Type) on the General tab.

Options for replication scope:
To all DNS servers running on DCs in this forest
To all DNS servers running on DCs in this domain
To all DCs in this domain
To all DCs specified in the scope of this directory partition

creates domaindnszones and forestdnszones subdomains

Extra note: _msdcs subdomain created for the first dns server in the forest. This zone contains SRV records for AD. 


4.3.2 configure forwarders
Forwarders are DNS servers that will conduct the queries on behalf of other DNS servers.
Forwarders are configured in the DNS server properties under Forwarders.

Conditional forwarders are DNS servers that conduct queries for specific zones. You configure conditional forwarders under the Conditional Forwarders node below the server.

 add-dnsserverforwarder, add-dnsserverconditionalforwarderzone, get-dnsserverforwarder, remove-dnsserverforwarder, set-dnsserverforwarder, set-dnsserverconditionalforwarderzone

Extra Note: Root Hints will be contacted if there is no forwarder unless unchecked in the dns server properties/forwarders tab.
 
4.3.3 configure Root Hints
root hints are the list of the root name servers.  These are configured in the properties for the server on the root hints tab.

get-dnsserverroothint, add-dnsserverroothint, remove-dnsserverroothint, set-dnsserverroothint

Extra Note: There are 13 default root name servers, A through M .root-servers.net (e.g. A.root-servers.net), each made up of many physical servers all over the world.

4.3.4 manage DNS cache
right click server, clear cache.

clear-dnsservercache, get-dnsservercache

dnscmd Servername /clearcache
dnscmd Servername /zoneprint contoso.com

Extra note: the client DNS cache can be cleared with ipconfig /flushdns

4.3.5 create A and PTR resource records

 Types of records:
SOA: Start of Authority: indicates the server is the authoritative source for the zone. Each zone must have one SOA record
NS: identifies name servers that are authoritative for the zone. Each primary/secondary DNS server must have an NS record
A: name-to-address mapping for IPv4
AAAA: name-to-address mapping for IPv6
PTR: address-to-name (reverse lookup)
CNAME: creates an alias to an A record
MX: mail server record
SRV: records for services. Heavily used in AD to advertise its services.

Creating a new A/AAAA record:
Expand server node and Forward Lookup zones. Right click zone to create record in, and select New Host
Give it an IP Address, name, and you can create an associated PTR record here as well. There must be a Reverse Lookup zone created already for that network or the PTR record will not be created.

If you have a reverse lookup zone for the associated network of the host, you can either create a PTR record during A record creation, as above, or expand reverse lookup zones, and right click a specific zone and New Pointer(PTR).

get-dnsserverresourcerecord, add-dnsserverresourcerecordA, add-dnsserverresourcerecordPTR, add-dnsserverresourcerecordAAAA, remove-dnsserverresourcerecord, set-dnsserverresourcerecord, set-dnsserverresourcerecordaging

dnscmd /recordadd
dnscmd /recorddelete
dnscmd /enumrecords contoso.com .

Wednesday, May 29, 2013

4. Deploy and configure core network services 4.2 Deploy and configure Dynamic Host Configuration Protocol (DHCP) service

DHCP IPv4 lease negotiation:
client sends DHCPDISCOVER
server replies with DHCPOFFER
client accepts an offer with DHCPREQUEST
server confirms with DHCPACK, or refuses with DHCPNAK
client tests the address and, if the test fails (address already in use), sends DHCPDECLINE

DHCPRELEASE: client releases its lease
DHCPINFORM: client requests more options

The client will attempt to renew its lease starting at 50% of the lease lifetime via DHCPREQUEST messages.
At 87.5% of the lease, with no response, the client will broadcast DHCPREQUEST to any DHCP server.
At 100% with no response, or on a DHCPNAK response, the client releases the lease.

Install the role DHCP Server (DHCP) and the DHCP tools (RSAT-DHCP). When you install from the GUI (Add Roles and Features), you will have a task "Complete DHCP configuration" in Server Manager. This wizard prompts you to authorize the DHCP server.
Bind the server to the NICs you want to use for DHCP: IPv4 or IPv6 properties, Advanced, Bindings.

4.2.1 Create and configure scopes
v4
DHCP manager, right click IPv4 and select New Scope.
Give the scope a name and description.
Put in a start and end IP address for the scope, then configure the subnet mask.
Add an exclusion range for IPs you do not want to be given out.
Set a lease duration.
You will be prompted to configure DHCP options (see 4.2.3).
Once created, right click the scope and select "Activate".

v6
DHCP manager, right click IPv6 and select New Scope.
Give the scope a name and description.
Enter the prefix for the scope. Enter a preference, which determines which DHCP server is preferred when a client receives messages from multiple DHCP servers (highest value is preferred). Set to 255 for immediate use.
Add exclusion ranges, if necessary.
Configure lease durations: the preferred lifetime determines how long an interface should consider the address usable; the valid lifetime is how long the address is valid.
You are prompted to activate the scope, or you can manually activate it later.

Powershell:
v4
add-dhcpserverv4scope -name "192.168.11.0 scope" -startrange 192.168.11.1 -endrange 192.168.11.254 -subnetmask 255.255.255.0

add-dhcpserverv4exclusionrange

other commands:

get-dhcpserverv4scope, get-dhcpserverv4exclusionrange, remove-dhcpserverv4scope, remove-dhcpserverv4exclusionrange, set-dhcpserverv4scope

extra note: 
superscope: container for ipv4 scopes, and can be used to distribute addresses from multiple logical ip networks in the same physical segment
multicast scope: class D network 
failover scope: 2012 mode that automatically splits scopes between two dhcp servers

v6

add-dhcpserverv6scope -name "0200 scope" -prefix fc00:0:0:0200:0:0:0:0

add-dhcpserverv6exclusionrange -prefix fc00:0:0:200:: -startrange fc00:0:0:200::1 -endrange fc00:0:0:200:0:0:3:ffff

other commands: 
 get-dhcpserverv6scope, get-dhcpserverv6exclusionrange, remove-dhcpserverv6scope, remove-dhcpserverv6exclusionrange, set-dhcpserverv6scope

use the -state active|inactive parameter with set-dhcpserverv4scope / set-dhcpserverv6scope to activate/deactivate a scope


extra note: split-scope is where a scope is split between dhcp servers as a failover. you can right click the scope and advanced/split-scope to bring up the wizard. In 2012 should probably use the failover option instead.

4.2.2 configure a DHCP reservation 
DHCP reservations are IP addresses that will always be assigned to a specific machine's interface when it requests an IP.

v4
Requires the MAC address of the interface on the computer that will be assigned the reservation.
Under the appropriate scope, right click Reservations and New Reservation.
Give it a name, enter the IP address, then the MAC address, and finally a description. Specify DHCP if you wish to only support DHCP for this reservation.
After creation, you can right click the IP and specify DHCP options for this address only.

v6
A v6 reservation is similar to v4, except that for v6 you need the following from the interface instead of a MAC address (you can get both with ipconfig /all):
DHCP Unique Identifier (DUID): uniquely identifies a client or server
IAID: a unique ID, part of the Identity Association (IA), that identifies a specific interface.

powershell
v4
add-dhcpserverv4reservation -scopeid 192.168.10.0 -ipaddress 192.168.10.8 -clientid 00155d017506

v6
add-dhcpserverv6reservation -prefix fc00::200:0:0:0:0 -ipaddress fc00::200:0:0:0:6 -clientduid 0001000117d29a2e00155d017500 -iaid 536876381

other commands: get-dhcpserverv4reservation, remove-dhcpserverv4reservation, get-dhcpserverv6reservation, remove-dhcpserverv6reservation

4.2.3 configure DHCP options 
options are sent to the client. They can be configured for all scopes on server, a specific scope, or a single reservation.

You configure options for one scope under Scope options.

v4
common v4 options.
001 - Subnet mask (sent by default from the scope)
003 - Router: default gateway
006 - DNS Servers
015 - DNS domain name
044 - WINS Servers

v6
common v6 options
0023 DNS Recursive Name Server
0024 Domain Search List.

powershell

list all options available

get-dhcpserverv4optiondefinition
get-dhcpserverv6optiondefinition

show current values assigned to a specific scope:

get-dhcpserverv4optionvalue -scopeid 192.168.10.0
get-dhcpserverv6optionvalue -prefix fc00:0:0:200::

set new option values for a specific scope
set-dhcpserverv4optionvalue -scopeid 192.168.10.0 -optionid 6 -value 192.168.10.1, 192.168.10.2 
set-dhcpserverv6optionvalue -prefix fc00:0:0:200:: -optionid 23 -value fc00:0:0:200::5
extra note: for the DNS server option, use -force to skip validating that the servers exist

extra note: you can define classes to assign options to a group of computers. right click ipv4 or ipv6 select define user classes. create a new ClassID. Use ipconfig /setclassid "LAN" ClassID on the client interfaces that will be in that class

4.2.4 configure client and server for PXE boot
if DHCP server is on same machine as WDS, set custom option 60 to PXECLIENT

if they are on separate servers on same subnet, use:
option 66: boot server host name
option 67: boot file name

Extra note: MS recommends using a router to ip-helper address to the DHCP and WDS servers on different subnet for all dhcp requests

4.2.5 configure DHCP relay agent
If you aren't using a router to do DHCP relay, you can install RRAS role to get DHCP relay setup on a server:
add role Remote Access(RemoteAccess) and check Directaccess and VPN, as well as Routing
once installed, go into computer management, and go under Services and Applications
Right click Routing and Remote access and select "Configure and enable Routing and remote access"
select custom configuration, and then LAN Routing
 Expand Ipv4 or Ipv6.
Go to general and right click the pane and "New Routing Protocol". Select DHCP Relay Agent
 right click Dhcp Relay Agent and "New Interface"
Select options: Relay DHCP Packets(enabled), Hop-count threshold, Boot threshold(this delay is so local DHCP servers will respond first)
Right click DHCP Relay Agent, properties. Enter the IP address for the server to forward to.

IPv6 is similar except Boot threshold is called Elapsed-time threshold. Also, properties has Server tab for ipv6 servers. General tab is for event logging options.

extra note:
install-windowsfeature remoteaccess -includeallsubfeatures -includemanagementtools

4.2.6 authorize DHCP server
As stated above, you are prompted with a task to authorize the DHCP server when you first install the role. However, if you need to Unauthorize/Authorize the server, you can right click the server in DHCP Manager and select authorize/unauthorize.

Powershell:
If installed in powershell, the DHCP server is not automatically authorized. Use get-dhcpserverindc to see authorized DHCP servers. Then authorize the server with cmdlet:
add-dhcpserverindc -dnsname 'dc.contoso.com' -ipaddress 192.168.10.1

command line:
netsh dhcp server \\dhcpsrv01 initiate auth

Monday, May 27, 2013

4. Deploy and configure core network services 4.1 Configure IPv4 and IPv6 addressing

4.1.1 Configure IP address options
4.1.2 configure subnetting
4.1.3 configure supernetting
Not going to spend a lot of time on this.

IPv4
Classful:
Class A: 1-127, 8 network bits, first bit 0 (binary), 24 host bits
Class B: 128-191, 16 network bits, starts with 10 (binary), 16 host bits
Class C: 192-223, 24 network bits, starts with 110 (binary), 8 host bits
Class D: 224, multicast (1110)
Class E: 240, experimental/unused

Classless Inter-Domain Routing (CIDR)
Allows the assignment of networks of any size, with a subnet mask of any number of bits; the network can then be further divided.

VLSM is the subdividing of a private network into smaller subnets that can be of variable size.

Subnetting is the process of dividing networks into smaller networks.
Supernetting is a way to represent multiple contiguous networks with the same subnet mask by creating a new subnet mask made up of their common network bits.
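
A worked supernetting example, added here and not from the original post: a PowerShell function that takes a list of CIDR networks, keeps only the network bits they all share, and reports whether the resulting summary covers exactly those networks. The two calls at the end use constructed inputs: four adjacent /24s that summarise exactly to a /22, and two non-adjacent /24s whose /22 summary over-covers.

```powershell
# Added example (not from the original post): summarise networks into their common-bits supernet.
function Get-Supernet {
    param([Parameter(Mandatory)][string[]]$Cidrs)

    $all32 = [int64]4294967295   # 0xFFFFFFFF held as int64 to avoid int32 sign problems

    # Parse each "a.b.c.d/len" into a 32-bit address value and a prefix length.
    $nets = @(foreach ($c in $Cidrs) {
        $ip, $len = $c -split '/'
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [pscustomobject]@{
            Addr = ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
            Len  = [int]$len
        }
    })

    # Start at the shortest given prefix and shorten it until every network has the same network bits.
    $L = [int]($nets | Measure-Object -Property Len -Minimum).Minimum
    while ($L -gt 0) {
        $mask  = ($all32 -shl (32 - $L)) -band $all32
        $first = $nets[0].Addr -band $mask
        $same  = $true
        foreach ($n in $nets) { if (($n.Addr -band $mask) -ne $first) { $same = $false; break } }
        if ($same) { break }
        $L--
    }

    $mask = if ($L -gt 0) { ($all32 -shl (32 - $L)) -band $all32 } else { [int64]0 }
    $net  = $nets[0].Addr -band $mask
    $dotted = '{0}.{1}.{2}.{3}' -f (($net -shr 24) -band 255), (($net -shr 16) -band 255),
                                    (($net -shr 8) -band 255), ($net -band 255)

    # Exact = the summary covers only the listed networks. False means the route or ACL built
    # from it would also include address space you did not list.
    $listed = ($nets | ForEach-Object { [math]::Pow(2, 32 - $_.Len) } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Supernet = "$dotted/$L"
        Exact    = ($listed -eq [math]::Pow(2, 32 - $L))
    }
}

# Constructed inputs: four adjacent /24s, then two /24s with a gap between them.
Get-Supernet -Cidrs '192.168.0.0/24', '192.168.1.0/24', '192.168.2.0/24', '192.168.3.0/24'
Get-Supernet -Cidrs '192.168.0.0/24', '192.168.2.0/24'
```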

Static IP, Dynamic IP
Automatic Private IP Addressing (APIPA): a Microsoft mechanism that automatically assigns an address in the 169.254.0.0/16 network if Windows is unable to contact a DHCP server.

Configure the IP address in the network adapter properties under TCP/IPv4 properties: IP address, subnet mask, default gateway, DNS servers. Or set it to use DHCP.

Powershell:
use modules Netadapter and NetTCPIP

To set an adapter to DHCP:
set-netipinterface 'ethernet 5' -dhcp enabled

To setup a static IP:

get-netipinterface
get-netipconfiguration 'ethernet 2' | new-netipaddress -ipaddress 192.168.10.20 -prefixlength 24 -defaultgateway 192.168.10.1

set-dnsclientserveraddress 'ethernet 5' -serveraddresses 192.168.15.90, 192.168.15.91

To remove an ip address, use
remove-netipaddress 192.168.10.20 -defaultgateway 192.168.10.1

Note that you should remove the default gateway along with the ip address, or else the default gateway gets "stuck" on that interface, and cannot be removed using cmdlets until you add another ip in the same subnet to the same interface(or edit through the GUI). 

To reset the dns server addresses to default, use the following:
set-dnsclientserveraddress 'ethernet 5' -resetserveraddresses


IPv6
128 bits
:: can be used to compress a single run of consecutive zero groups; leading 0's within a group can be left off.
63c5:0091:0000:0000:e8cc:011f:009a:c001 can be written as
63c5:91::e8cc:11f:9a:c001

types of IPv6 addresses:
global unicast address: registered IPv6 block
link-local unicast address: reserved block that hosts assign themselves automatically (like APIPA in IPv4); 10 bit prefix 1111111010, fe80::/64
unique local address: reserved block in fc00::/7 for private use.
multicast: begins with 11111111 (ff)
anycast: a unicast address that is assigned to identify the routers within a given address scope.
site-local address: reserved fec0::/10 for "private" use but has since been deprecated in favor of unique local addresses (ULA)

neighbor discovery (ND): provides functions for v6 similar to v4's ICMP, ARP, Router Discovery, and Router Redirect.

powershell
get-netipconfiguration 'ethernet 2' | new-netipaddress -ipaddress fc00::200:cd -prefixlength 64 -defaultgateway fc00::200:1
set-dnsclientserveraddress 'ethernet 5' -serveraddresses fc00::199:40,fc00::199:41

remove an ipv6 address

remove-netipaddress -ipaddress fc00::200:cd -defaultgateway fc00::200:1

4.1.4 configure interoperability between IPv4 and IPv6
1. use a dual stack
2. tunneling:
static configuration with netsh:
netsh interface ipv6 add v6v4tunnel tunnelname localaddress remoteaddress
netsh interface ipv6 add v6v4tunnel "tunnel" 192.168.90.1 192.168.91.1

automatic configuration:
6to4: provides automatic tunneling allowing IPv6/IPv4 hosts to establish IPv6 connectivity across the IPv4 internet using IPv4 multicast

ISATAP: Intra-Site Automatic Tunnel Addressing Protocol: emulates an IPv6 link using an IPv4 network. Does not support multicasting.

Teredo: encapsulates v6 packets inside UDP to facilitate tunneling behind NAT routers. Like 6to4, but works with NAT.

Extra Note: There is another technology called IP-HTTPS that can be used as a DirectAccess fallback method for IPv6/IPv4 access.

Translation technologies:
NAT64: used by DirectAccess on IPv4 networks.
DNS64: maps IPv6 AAAA name queries to IPv4 A record queries.
Portproxy: allows IPv4/IPv6 TCP traffic to be proxied.

4.1.5 configure ISATAP
uses a virtual IPv6 network interface whose link-local address is formed by concatenating either fe80::200:5efe (for a globally unique IPv4 address) or fe80::5efe (otherwise) with the 32 bits of the IPv4 address

To configure ISATAP you only need a router name. You can configure ISATAP with either a GPO (Network/TCPIP Settings/IPv6 Transition), the set-netisatapconfiguration -router cmdlet, or netsh interface isatap set router

To disable ISATAP, set the state to Disabled using a GPO, set-netisatapconfiguration -state, or netsh interface isatap set state disabled

The other two ISATAP states are:
enabled: a link-local address is configured on each ISATAP interface
default: attempts to contact the ISATAP server. If it cannot be contacted, no addresses are configured.

other powershell commands: get-netisatapconfiguration, reset-netisatapconfiguration

4.1.6 configure Teredo

Teredo components:
clients, servers, relays, host-specific relays

Client: IPv6/IPv4 node that supports Teredo tunneling.
Server: IPv6/IPv4 node connected to both the IPv4 internet and the IPv6 internet. It assists in the address configuration of Teredo clients and facilitates initial communication between Teredo clients and other clients, or with IPv6-only hosts. Listens on UDP 3544 for Teredo traffic.
Relay: IPv6/IPv4 router that can forward packets between Teredo clients on the IPv4 internet.


Qualified types:
qualified (enabled): Teredo is always enabled.
not qualified: Teredo is dormant when not in use.
You can only configure the qualified type by GPO

State/types:
default: the default is the client state
client: the Teredo interface is present only when the host is not on a network with a Domain Controller
enterprise client: the Teredo interface is always present.
disabled


Configure by GPO: Teredo Default Qualified, Teredo Server Name, Teredo State

netsh interface teredo show state
netsh interface teredo set state servername
netsh interface teredo set state type

powershell:
get-netteredoconfiguration
set-netteredoconfiguration -servername -type


Disable teredo:
set state to disabled in GPO
netsh interface teredo set state type disabled
set-netteredoconfiguration -type disabled
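Added example (my code, not from the notes above or from any Microsoft sample): a small audit for 4.1.5 and 4.1.6 that reports the current ISATAP, Teredo and 6to4 state on a 2012 host and can switch off the transition technologies you are not using, so that no tunnel interface is left running unmonitored. It uses the NetworkTransition cmdlets named in the notes plus Get-Net6to4Configuration/Set-Net6to4Configuration, and assumes it runs in an elevated PowerShell session on the host.

```powershell
# Added example: audit (and optionally disable) IPv6 transition technologies.
# Each transition interface is an extra network path into the host, so anything
# not deliberately in use (e.g. by DirectAccess) should be off and stay off.
function Get-TransitionState {
    $isatap = Get-NetIsatapConfiguration
    $teredo = Get-NetTeredoConfiguration
    $sixto4 = Get-Net6to4Configuration
    [pscustomobject]@{
        IsatapState  = $isatap.State
        IsatapRouter = $isatap.Router
        TeredoType   = $teredo.Type
        TeredoServer = $teredo.ServerName
        SixToFour    = $sixto4.State
        # Tunnel adapters that actually exist right now (they are hidden adapters)
        Interfaces   = (Get-NetAdapter -IncludeHidden |
            Where-Object { $_.InterfaceDescription -match 'ISATAP|Teredo|6to4' } |
            Select-Object -ExpandProperty Name)
    }
}

function Disable-UnusedTransition {
    param([switch]$KeepIsatap)   # keep ISATAP when something (e.g. DirectAccess) relies on it
    if (-not $KeepIsatap) { Set-NetIsatapConfiguration -State Disabled }
    Set-NetTeredoConfiguration -Type Disabled
    Set-Net6to4Configuration -State Disabled
}

# Before:
Get-TransitionState | Format-List
# Disable everything except ISATAP, then confirm:
Disable-UnusedTransition -KeepIsatap
Get-TransitionState | Format-List
```

The GPO settings listed in the notes (Teredo State, ISATAP State) override what this script sets at the next policy refresh, so on a domain-joined host the script is best used to check what policy actually produced rather than as the permanent configuration.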

Saturday, May 25, 2013

3. Configure Hyper-V 3.3 Create and configure virtual networks

3.3.1 implement Hyper-V Network Virtualization
Network Virtualization is a layer 2 process in which the inside virtual network is independent of the outside physical network, and can be configured to communicate with other hypervisors as one network, regardless of the physical network.

Two possible ways that Hyper-V can accomplish this:

NVGRE: Network Virtualization using Generic Routing Encapsulation. This builds encapsulated tunnels between Hyper-V hosts.

IP Rewrite: a NAT approach at each host, which translates the virtual addresses to physical ones.

Provider Addresses (PA): unique IP addresses assigned to each host. Physical addresses.
Customer Addresses (CA): virtual IP addresses assigned to VM's.
Virtual Subnet ID (VSID): a GRE key that signifies which virtual network the packet is on.
Routing Domain ID (RDID): a GUID that signifies a "customer" network, which is made up of one or more VSID's

Network virtualization can be set up using PowerShell.
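Added example (my code, not from the notes above or from Microsoft's documentation): the four objects just listed (PA, CA, VSID, RDID) as they are declared on one Hyper-V 2012 host with the NetWNV cmdlets. Every host in the virtual network needs the full lookup-record policy, including records for VMs that live on other hosts, which is why the third record below points at the other host's PA. All adapter names, addresses, MACs and IDs are made-up sample values, and the cmdlet parameter names are given from memory of the 2012 NetWNV module; check them against Get-Help before relying on them.

```powershell
# Added example: NVGRE policy for one virtual subnet on one host (sample values).
$nicName  = 'Ethernet'                                  # physical adapter carrying provider traffic
$rdid     = '{11111111-2222-3333-4444-555555555555}'    # sample routing domain id (RDID)
$vsid     = 5001                                        # sample virtual subnet id (VSID, the GRE key)
$localPA  = '192.168.1.10'                              # this host's provider address
$remotePA = '192.168.1.11'                              # the other host's provider address

# 1. Bind the network virtualization filter to the physical adapter.
Enable-NetAdapterBinding -Name $nicName -ComponentID ms_netwnv

# 2. Register this host's provider address (PA) on that adapter.
$ifIndex = (Get-NetAdapter -Name $nicName).ifIndex
New-NetVirtualizationProviderAddress -ProviderAddress $localPA -InterfaceIndex $ifIndex -PrefixLength 24

# 3. Lookup records: one per customer address (CA), saying which PA reaches it inside the VSID.
$records = @(
    @{ CA = '10.0.0.5'; MAC = '00155d08e601'; PA = $localPA;  VM = 'Tenant-VM1' },
    @{ CA = '10.0.0.6'; MAC = '00155d08e602'; PA = $localPA;  VM = 'Tenant-VM2' },
    @{ CA = '10.0.0.7'; MAC = '00155d08e603'; PA = $remotePA; VM = 'Tenant-VM3' }   # lives on the other host
)
foreach ($r in $records) {
    New-NetVirtualizationLookupRecord -CustomerAddress $r.CA -ProviderAddress $r.PA `
        -VirtualSubnetID $vsid -MACAddress $r.MAC -Rule TranslationMethodEncap `
        -VMName $r.VM -CustomerID $rdid
}

# 4. Customer route for the virtual subnet inside the routing domain.
New-NetVirtualizationCustomerRoute -RoutingDomainID $rdid -VirtualSubnetID $vsid `
    -DestinationPrefix '10.0.0.0/24' -NextHop '0.0.0.0' -Metric 255

# 5. Put the local VMs' adapters into the virtual subnet.
foreach ($vm in 'Tenant-VM1', 'Tenant-VM2') {
    Get-VMNetworkAdapter -VMName $vm | Set-VMNetworkAdapter -VirtualSubnetId $vsid
}

# What this host now knows about the virtual network:
Get-NetVirtualizationLookupRecord | Format-Table CustomerAddress, ProviderAddress, VirtualSubnetID, VMName -AutoSize
```

Because every host holds the whole CA-to-PA table, an incorrect or stale record on one host silently sends a tenant's traffic to the wrong PA; in a real deployment the policy is pushed from one place (System Center VMM or a script of your own) rather than typed on each host.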

3.3.2 configure Hyper-V virtual switches

A new external switch appears in the host's network connections. When it is bound to one of the host's network adapters, the host communicates with the switch, not directly with the physical network; the switch communicates with the physical network.

Right-click the Hyper-V server and select Virtual Switch Manager
Click New Virtual Network Switch
Give it a name
Select switch type: External, Internal, or Private
External: VM's need access to the physical network
Internal: VM's can only communicate internally on the host and with the host. The switch is not bound to a network adapter
Private: VM's can only communicate with each other on this switch, not with the host or the physical network. The switch is not bound to a network adapter.

If external, select a network adapter to bind to. Check or uncheck "Allow management operating system to share this adapter". Check "Enable SR-IOV" if needed.
Select a VLAN ID for the management network if needed.

You can also set the MAC address range for this host in Virtual Switch Manager (see 3.3.4)

A virtual switch can have up to 512 VM's assigned to it.

Powershell:

new-vmswitch -name "New External Switch" -netadaptername "Broadcom NetXtreme Gigabit Ethernet" 

other VM switch commands:

get-vmswitch, set-vmswitch, rename-vmswitch, remove-vmswitch


3.3.3 optimize network performance
1. Use the network adapter type (synthetic) instead of legacy for best performance
2. Configure bandwidth management under each virtual network adapter in a VM
3. Configure hardware acceleration under the virtual network adapter:
    a. Virtual Machine Queue (VMQ): uses hardware packet filtering for VM-to-external networking. Enabled by default
    b. IPsec task offloading: performs IPsec processing on the network adapter. Enabled by default
    c. SR-IOV: maximizes network throughput
4. Configure advanced settings under each virtual network adapter:
    a. MAC address: static or dynamic
    b. DHCP guard
    c. Router guard
    d. Port mirroring
    e. NIC Teaming (LBFO)

You can also use GRE offloading for network virtualization if an adapter supports it.

Powershell:
Most of the options above can be set using the following command:
set-vmnetworkadapter http://technet.microsoft.com/en-us/library/hh848457.aspx
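Added example (my code, not from the notes above): the advanced settings from item 4 applied to one VM's virtual NIC with set-vmnetworkadapter, plus a report of the same settings across every VM so that a guest that is allowed to spoof MACs or hand out DHCP leases stands out. VM and adapter names are sample values; "Network Adapter" is the name Hyper-V gives a vNIC by default.

```powershell
# Added example: lock down one vNIC and audit all of them (sample VM name).
function Set-HardenedVmNic {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [string] $AdapterName = 'Network Adapter'   # default vNIC name in Hyper-V
    )
    $settings = @{
        VMName             = $VMName
        Name               = $AdapterName
        MacAddressSpoofing = 'Off'   # guest cannot send frames with a forged source MAC
        DhcpGuard          = 'On'    # DHCP server replies originating in this guest are dropped
        RouterGuard        = 'On'    # router advertisements/redirects from this guest are dropped
        PortMirroring      = 'None'  # this port is neither a mirror source nor a destination
        AllowTeaming       = 'Off'   # guest may not team this vNIC (LBFO) unless it needs to
        VmqWeight          = 100     # keep VMQ (hardware packet filtering) enabled
    }
    Set-VMNetworkAdapter @settings
}

# One row per vNIC on the host, so drift from the settings above is visible.
function Get-VmNicAudit {
    Get-VM | Get-VMNetworkAdapter | Select-Object VMName, Name, SwitchName,
        MacAddressSpoofing, DhcpGuard, RouterGuard, PortMirroringMode, AllowTeaming, VmqWeight
}

Set-HardenedVmNic -VMName 'VMServer'
Get-VmNicAudit | Format-Table -AutoSize
```

MAC spoofing and DHCP guard are the two that matter most on a shared switch: with spoofing allowed a guest can impersonate another VM's address, and without DHCP guard a compromised guest can answer other VMs' DHCP requests. Leave spoofing on only for guests that genuinely need it (e.g. a VM running NLB or nested virtualization).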

3.3.4 configure MAC addresses
In Virtual Switch Manager, you can set a range of MAC addresses that will be assigned to guests. This is to prevent multiple hosts from accidentally assigning the same MAC addresses to VM's.

You can also set a static MAC address on an adapter in the VM's network adapter settings

dynamic pool:
set-vmhost -macaddressminimum 00155d08e600 -macaddressmaximum 00155d08ffff

static mac:
set-vmnetworkadapter -vmname 'VMServer' -vmnetworkadaptername 'NIC 1' -staticmacaddress 00155d08e601

3.3.5 configure network isolation
Set up standard VLANs,
use a private virtual switch, or
Private Virtual LAN (PVLAN): can isolate a set of VM's from being able to see each other's traffic using only 2 VLANs: a primary and a secondary VLAN. This can be set up instead of Hyper-V network virtualization if each customer needs to be isolated and only has one VM each.

Powershell examples:

PVLAN
set-vmnetworkadaptervlan -vmname 'VMServer' -isolated -primaryvlanid 10 -secondaryvlanid 200

Standard VLANS

place all adapters on a VM in vlan 30
set-vmnetworkadaptervlan -vmname 'VMServer' -access 30

create a trunk on a specific adapter
set-vmnetworkadaptervlan -vmname 'VMserver' -vmnetworkadaptername 'NIC 1' -trunk -nativevlanid 2 -allowedvlanidlist 1-36
Extra note: To remove vlan tagging on an adapter, you can use:
set-vmnetworkadaptervlan -vmname 'VMServer' -untagged
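Added example (my code, not from the notes above): a complete PVLAN layout that goes beyond the single isolated port shown above. One primary VLAN carries a tenant; isolated ports cannot see each other, community ports can talk among themselves, and one promiscuous port (a shared gateway or monitoring VM) reaches all of them. VM names and VLAN IDs are sample values; the physical switch ports the host uplinks to must carry the primary VLAN.

```powershell
# Added example: isolated, community and promiscuous PVLAN ports on one host (sample values).
$primary   = 10    # primary VLAN shared by the whole tenant
$isolated  = 200   # secondary VLAN for ports that may only talk to the promiscuous port
$community = 201   # secondary VLAN for ports that may also talk to each other

# Tenant VMs that must not see each other at layer 2
foreach ($vm in 'Tenant-A', 'Tenant-B') {
    Set-VMNetworkAdapterVlan -VMName $vm -Isolated -PrimaryVlanId $primary -SecondaryVlanId $isolated
}

# Two VMs that form one application tier and need to reach each other
foreach ($vm in 'Web-1', 'Web-2') {
    Set-VMNetworkAdapterVlan -VMName $vm -Community -PrimaryVlanId $primary -SecondaryVlanId $community
}

# The gateway/monitoring VM sees every secondary VLAN of the primary
Set-VMNetworkAdapterVlan -VMName 'Gateway' -Promiscuous -PrimaryVlanId $primary `
    -SecondaryVlanIdList "$isolated,$community"

# Verify: OperationMode shows Access/Trunk/Private, PrivateVlanMode the PVLAN role of each port
Get-VM | Get-VMNetworkAdapterVlan |
    Format-Table VMName, OperationMode, PrivateVlanMode, PrimaryVlanId, SecondaryVlanId, SecondaryVlanIdList -AutoSize
```

The isolation is enforced by the virtual switch on the host, so the verification step is the important one: a VM that was created later and left in Untagged mode on the same switch is outside the PVLAN and can talk to everything.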


3.3.6 configure synthetic and legacy virtual network adapters 
Each VM can have up to 12 virtual network adapters: up to 8 can be the network adapter type (synthetic) and up to 4 can be legacy.

Network adapter type (synthetic): relies on the guest integration components installed on the VM.
Legacy network adapter: supports OS's that do not support guest integration components. Can also be used for PXE boot if needed.

Powershell
Use the -IsLegacy $true parameter on the add-vmnetworkadapter cmdlet to set up a legacy adapter.

Thursday, May 23, 2013

3. Configure Hyper-V 3.2 Create and configure virtual machine storage

3.2.1 create VHDs and VHDX
VHD: original Hyper-V image file. Max of 2 TB in size.
VHDX: only supported by Windows 8 and 2012. Up to 64 TB in size.

fixed: size is pre-allocated on disk
dynamic: can expand as it grows.
differencing: a "snapshot-like" type where a second, child drive is created to hold changes so the parent is never written to
The first disk is considered a "virtual IDE" drive. Others can be "virtual IDE" or "virtual SCSI"

Create a Virtual Disk while creating a new VM:
If you use Hyper-V Manager from 2012 or Windows 8, you can create a disk while creating a new VM, on the Connect Virtual Hard Disk page. This will only allow you to create a dynamic VHDX, not a VHD.

Create a virtual disk from the "New virtual hard disk" option:
Right-click the server, "New -> Hard Disk",
choose VHD or VHDX, choose fixed, dynamic, or differencing,
specify name and location,
configure the disk with a fixed/max size (the value only accepts a minimum of 1 GB; the max depends on the format), or copy from a physical drive or another VHD/VHDX.

Create a virtual disk using powershell
This is the only way to specify the block size and logical sector size.

The extension you specify for the filename determines whether it's a VHD or VHDX. One of -fixed, -dynamic or -differencing selects the type; -sourcedisk copies the contents of a physical disk (by disk number) instead of creating an empty disk:
new-vhd -path 'c:\vhd-store\newserver.vhd' -fixed -sizebytes 100GB
new-vhd -path 'c:\vhd-store\newserver.vhdx' -dynamic -sizebytes 100GB
new-vhd -path 'c:\vhd-store\copyofdisk2.vhdx' -dynamic -sourcedisk 2   # disk number 2 is an example


3.2.2 configure differencing drives
1. Create a baseline VM and finish all your installs for it.
2. Run sysprep /generalize on the image.
3. Delete the VM but keep the parent VHD/VHDX. Set it to read-only just in case.
4. Create a child differencing disk and point it at the parent.
5. Create a VM and attach the child disk.

differencing:
new-vhd -path 'c:\vhd-store\newserver.vhd' -differencing -parentpath 'c:\vhd-store\newserverparent.vhd'
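Added example (my code, not from the notes above): steps 3 to 5 of the procedure as one script that stamps out several VMs from one sysprepped parent. It assumes the parent image already exists at the path in $parent, that a virtual switch named 'External' exists, and that it runs elevated on the host; VM names and paths are sample values.

```powershell
# Added example: build a chain of differencing disks from one read-only parent (sample paths/names).
$parent = 'c:\vhd-store\base-2012.vhdx'     # sysprepped baseline from steps 1-2
$store  = 'c:\vhd-store\children'

# Step 3: protect the parent. A single write to it silently corrupts every child.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true
New-Item -ItemType Directory -Path $store -Force | Out-Null

foreach ($name in 'Web-1', 'Web-2', 'App-1') {
    $child = Join-Path $store "$name.vhdx"

    # Step 4: the child records only the blocks that differ from the parent.
    New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

    # Step 5: a VM that boots from the child disk.
    New-VM -Name $name -MemoryStartupBytes 1GB -VHDPath $child -SwitchName 'External' | Out-Null
}

# Verify each child still points at the expected parent; a broken chain (parent
# moved, renamed or modified) is the usual reason such a VM refuses to start.
Get-ChildItem -Path $store -Filter *.vhdx | ForEach-Object { Get-VHD -Path $_.FullName } |
    Format-Table Path, ParentPath, VhdType, @{n='SizeMB';e={[int]($_.FileSize/1MB)}} -AutoSize
```

The parent should also be excluded from anything that rewrites files in place (defragmenters, some backup agents), since those can change it without clearing the read-only bit.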

3.2.3 modify VHDs
1. Right click server, Edit disk.
2. browse to the location of the vhd or vhdx
3. Choose an option:
    Compact: compacts the size of the virtual disk
    Convert: copies the contents to a new VHD. You can switch between VHD and VHDX.
    Expand: increases the capacity of the virtual disk.
    Shrink (only available if there is free space in the file): reduces the capacity of the disk by deleting free space.
    Merge (only available with differencing): combines a child differencing disk with its parent to form a single disk.

As outlined in 1.3.5, you can mount a VHD/VHDX in Disk Management and access its contents.

powershell:
optimize-vhd (compact)
convert-vhd
resize-vhd (expand)
resize-vhd (shrink)
merge-vhd

3.2.4 configure pass-through disks
A pass-through disk is a virtual disk that points at a physical drive. The drive must be taken offline before it's available in the VM's settings: add a hard drive to a controller, then select Physical hard disk.

Powershell:
use -disknumber to point at the offline physical disk to attach
add-vmharddiskdrive -vmname Server -controllertype SCSI -controllernumber 0 -disknumber 2

3.2.5 manage snapshots
Create a new snapshot by right-clicking the VM and selecting Snapshot. This creates an AVHD or AVHDX file in the Snapshots folder.

Snapshots are managed in the Snapshots pane. You have the following options:
Settings - read-only except name and notes
Apply - copies that snapshot's data into the VM, deleting anything that has changed since.
Revert - revert to the last snapshot in the tree before the "Now" state.
Rename
Delete - delete a single snapshot. If there is a child, it will merge with the parent on next power off.
Delete snapshot subtree - deletes the snapshot and every snapshot under it.

Powershell:

Create snapshot:
checkpoint-vm -name VMserver -snapshotname 'Snapshot 1'

Apply snapshot - 
restore-vmsnapshot -name 'Snapshot 1' -VMname VMserver

Delete snapshot -
remove-vmsnapshot -name 'Snapshot 1' -VMname VMserver

Other commands: get-vmsnapshot, export-vmsnapshot, rename-vmsnapshot

3.2.6 implement a virtual Fibre Channel adapter 

Virtual Fibre Channel is a pass-through for a physical Fibre Channel HBA. The HBA drivers must support virtual Fibre Channel and address its resources with LUNs.

Create a virtual SAN using Virtual SAN Manager:
Right-click the Hyper-V server and choose Virtual SAN Manager.
New Fibre Channel SAN. The WWNN and WWPN of the HBA should show up. Apply.
Now in the settings of a VM, you can Add Hardware - Fibre Channel Adapter.

powershell:
new-vmsan -name 'FC SAN' -worldwidenodename -worldwideportname
add-vmfibrechannelhba -vmname VMserver -sanname 'FC SAN'


Tuesday, May 21, 2013

3. Configure Hyper-V 3.1 Create and configure virtual machine settings

 Hyper-V overview
Type 2 hypervisor: the hypervisor runs on top of an OS, which runs on top of the hardware
Type 1 hypervisor: the hypervisor runs on top of the hardware

When you install the Hyper-V role on Datacenter or Standard, it will load the hypervisor before the OS, so it is a Type 1. The OS is then run in the parent/root "partition"

Hyper-V Server 2012: free product that will install the Hyper-V role only, onto a Server Core install. The Storage-Services role is also installed. The Remote-Desktop-Services role is also available. No other roles can be installed. Guest OS's still have to be licensed if necessary.

3.1.1 configure dynamic memory
Enables Hyper-V to adjust memory as VM's need it.

While the VM is off, go to Settings and Memory. Check "Dynamic Memory".
Minimum RAM: specifies the minimum amount of RAM the machine will run with (after start). This value can be less than startup RAM, because running usually uses less.
Maximum RAM: the largest amount of RAM this machine can use for itself.
Memory Buffer: determines how much extra RAM to allocate to a VM that needs it, based on current memory utilization
Memory Weight: sets the priority of memory allocation for this VM compared to others.

After enabling dynamic memory, these values can be changed while the VM is running.

Powershell:

View current settings for all VM's on server:
get-vm | get-vmmemory | format-table vmname, dynamicmemoryenabled, startup, minimum, maximum, buffer, priority

Output those numbers in MB instead:
get-vm | get-vmmemory | format-table vmname, dynamicmemoryenabled, @{n='Startup(MB)';e={$_.startup / 1MB}}, @{n='Min(MB)';e={$_.minimum / 1MB}}, @{n='Max(MB)';e={$_.maximum / 1MB}}, buffer, priority
  
 Now to set values on a specific vm:
set-vmmemory -vmname 'VMserv1' -dynamicmemoryenabled $true -startupbytes 4096MB -minimumbytes 2048MB -maximumbytes 8192MB -buffer 25 -priority 60

3.1.2 configure smart paging

Smart paging allows a VM to start/restart even though there is not enough physical memory to do so. It can page memory onto the hard disk. This is of course slower than using physical memory.

The smart paging file location is set in a VM's settings under the Management/Smart Paging File Location node.

powershell:
set-vm -name 'VMserv1' -smartpagingfilepath 'd:\hyper-v_pagingfiles'

3.1.3 configure Resource Metering
Resource metering is a feature that will track VM usage by various criteria:

By default:
CPU
Memory: min, max and average
Disk space
Incoming and outgoing network traffic.

Powershell:
enable-vmresourcemetering -vmname 'VMserv1'

show resource metering report:
measure-vm -vmname 'VMserv1'

You can also create resource pools across computers/resources:
new-vmresourcepool -name serverpool -resourcepooltype Memory   # a pool type is required; Memory is one example
enable-vmresourcemetering -resourcepoolname serverpool
measure-vmresourcepool -name serverpool
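Added example (my code, not from the notes above): metering switched on for every VM on the host and a one-row-per-VM usage report built from what measure-vm returns, including the network totals, which measure-vm reports per direction and metering ACL rather than as a single number. It assumes an elevated session on a 2012 host and that the VMs have been running for a while before the report is taken.

```powershell
# Added example: enable metering host-wide and summarise the report per VM.
function Enable-MeteringForAllVms {
    Get-VM | Enable-VMResourceMetering
}

function Get-VmUsageReport {
    Get-VM | Measure-VM | ForEach-Object {
        # Network traffic comes back per metering ACL and direction, in MB; sum each direction.
        $in  = ($_.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Inbound'  |
                Measure-Object TotalTraffic -Sum).Sum
        $out = ($_.NetworkMeteredTrafficReport | Where-Object Direction -eq 'Outbound' |
                Measure-Object TotalTraffic -Sum).Sum
        [pscustomobject]@{
            VMName    = $_.VMName
            AvgCpuMHz = $_.AverageProcessorUsage
            AvgMemMB  = $_.AverageMemoryUsage
            MaxMemMB  = $_.MaximumMemoryUsage
            DiskMB    = $_.TotalDiskAllocation
            NetInMB   = [int]$in
            NetOutMB  = [int]$out
            Duration  = $_.MeteringDuration
        }
    }
}

Enable-MeteringForAllVms
# Sorting by outbound traffic makes a VM that suddenly starts sending far more than its
# neighbours easy to spot, which is as useful for incident triage as for chargeback.
Get-VmUsageReport | Sort-Object NetOutMB -Descending | Format-Table -AutoSize

# At the end of a reporting period, start counting from zero again:
# Get-VM | Reset-VMResourceMetering
```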

3.1.4 configure guest integration services
Guest integration services is a software package that helps provide some guest OS features. It is installed on 2012 and Windows 8 by default. There is even a Linux package available. Features included with Guest Integration Services:

Operating System Shutdown: enables Hyper-V Manager to remotely shut down a guest OS gracefully.
Time synchronization: synchronizes the OS clocks in parent and child partitions
Data Exchange: Windows OS's on parent and child partitions can exchange some information
Heartbeat: the parent partition "pings" child partitions to see if they are up
Backup: enables backup of a Windows VM by using VSS.

To upgrade/install GIS on a Windows guest OS:
1. Select the VM to install/upgrade GIS on and click Connect
2. In the VM connection window, click Action/Insert Integration Services Setup Disk. Hyper-V will mount an image of GIS.
3. Install GIS and restart the computer

Once GIS is installed, you can enable/disable the services available to this machine by going into VM settings, Management/Integration Services node, and checking/unchecking the GIS services.



2. Configure server roles and features 2.3 Configure servers for remote management

2.3.1 Configure WinRM
Enabled by default in 2012.
In Server Manager, on Local Server, Properties tile:
click Remote Management and check or uncheck "Enable remote management..." to enable or disable.

2.3.2 configure down-level server management

You can set up some limited management of 2008 SP2 and 2008 R2 SP1 using Server Manager:
1. Install .NET Framework 4.0
2. Install Windows Management Framework 3.0 (also installs PowerShell 3)
3. set-executionpolicy remotesigned
   configure-smremoting.ps1 -enable
4. Enable the COM+ Network Access and Remote Event Log Management rules

Extra note: I'm not sure if configure-smremoting.exe or enable-psremoting are available on 2008 in this case, but any of these should work.

Note that you won't be able to add/remove roles

You can also set up a very limited Online view of 2008 and 2008 R2 otherwise, and of 2003, by adding them to a group.

2.3.3 configure servers for day-to-day management tasks

http://technet.microsoft.com/en-us/library/hh831394.aspx

Manageability:
This section on the Dashboard will show Server Manager notifications for the associated server group.

Event log data collection:
For each server group in the server grouping nodes, you can manage the events to collect:
click a server group or role-specific page.
On the Events tile, select Tasks and Configure Event Data.
Check Critical, Error, Warning, and/or Informational
Select the range to retrieve events from
If a server group, select which event logs to get events from. (Role-specific pages default to the role's logs)

You can also affect the event alerts on the dashboard for a group/role by clicking Events in the associated dashboard tile: event severity, sources, logs, time period, specific IDs, and servers in the group.

Services alerts:
You can set up alerts for services for a group in the dashboard by clicking on Services in a specific group tile.
Select Start Types, All or specific services, Service Status, and specific servers

Collect performance data and alerts:
In a server group node, in the Servers tile, right-click "Start Performance Alerts"
On the Performance tile: Tasks/Configure Performance Alerts, or from Dashboard/server group tile/Performance
Set the CPU usage threshold for alerts, set the memory threshold, set the performance graph display period.

BPA scan:
You can start a BPA scan from the associated server group node under the BPA tile.
You can also set alert criteria in the dashboard under the server group tile.

2.3.4 configure multi-server management
Add servers by clicking Add Servers to Manage from Dashboard, or Manage, Add Server

Create a new server group from Dashboard, or Manage "Create Server Group"

2.3.5 configure Server Core
Seems a bit redundant; covered in 1.2.1.
WinRM is enabled by default in 2012
Enable WinRM: enable-psremoting
Disable WinRM: disable-psremoting

See 2.3.6 for MMC access

Extra note: Some documentation talks about using configure-smremoting.exe -enable to enable Server Manager to remotely access 2012 Server Core installs, but I believe this is superseded by enable-psremoting, which also enables WinRM, sets up the WinRM listener, etc. Regardless, 2012 is enabled for remote management by default.


2.3.6 configure Windows Firewall
Enable for DCOM access: the COM+ Network Access and Remote Event Log Management rules.
This will allow MMC components to work.

set-netfirewallrule -name 'ComPlusNetworkAccess-Dcom-In' -enabled true
set-netfirewallrule -displaygroup 'Remote Event Log Management' -enabled true


Monday, May 20, 2013

2. Configure server roles and features 2.2 Configure print and document services

2.2.1 Configure the Easy Print print driver
The Easy Print driver redirects printing from a Remote Desktop session to the local client's printers. It requires only that the RDS role be installed.

2.2.2 Configure Enterprise Print Management
Install the Print and Document Services (Print-Services) / Print Server (Print-Server) role.

This will add a "Print Services" tab to Server Manager that allows limited management:
View printer events
Manage the Print Spooler service
Start performance counters
View installed print and document roles

Most configuration and management is done through Tools: Print Management

Nodes in Printer Management:

Custom Filters:
create custom views for print management

Print Servers:
Individual print server management:
1. Change who can access the print server by right-click and Properties, Security tab
2. Configure drivers (see 2.2.3)
3. Configure forms
4. Configure ports
5. Configure printers
         a. View printer queue
         b. List printer in AD
         c. Deploy printer using GPO
         d. Print test page
         e. Share a printer by right-clicking and "Manage Sharing"
         f. Enable Branch Office Direct Printing
         g. Configure printer priority
         h. Use Properties/Security tab to control who has access to the printer

        
Deployed Printers:
Shows printers that have been deployed to a GPO.

Printer Sharing:
Right-click the printer and choose Manage Sharing, or the Sharing tab on Properties
"Share this Printer": printer name
Render print jobs on client computers: uncheck to have this done on the server.
List in directory
Install additional drivers (V3 drivers).

When dealing with sharing, there are 3 types of driver distribution:
Enhanced Point and Print: V4-aware drivers; no need to distribute to the client.
Package-Aware Point and Print: V3 distributed as signed driver packages
Legacy Point and Print: V3 driver distribution
http://technet.microsoft.com/en-us/library/jj590748.aspx

Printer Migration:
Migrate print servers from 2003, 2003 R2, 2008, 2008 R2

Right-click the root node in Print Management, Migrate Printers
or
use the printbrm.exe tool

Powershell commands:
module: PrintManagement
get-command -module PrintManagement

get-printer, get-printerdriver, get-printerport, get-printerproperty, get-printjob,
get-printconfiguration
add-printer, add-printerdriver, add-printerport
rename-printer
set-printer, set-printerproperty, set-printconfiguration
remove-printer, remove-printerport, remove-printjob, remove-printerdriver
restart-printjob, resume-printjob, suspend-printjob

Extra note:
Other subfeatures of Print and Document Services:
Distributed Scan Server - receives scanned documents from network scanners and routes them. Installs the "Scan Management" tool
Internet Printing - installs IIS and allows users to manage their print jobs on a web site. Also allows for use of the Internet Printing Protocol (IPP)
Line Printer Daemon (LPD) - Unix-based printers

2.2.3 Configure drivers
Windows 8 and 2012 introduce the new Version 4 (V4) driver.
V3 drivers (Windows 2000+) are still supported

V4 driver features:
Smaller disk footprint
Simplified drivers through the new print class driver framework.
Driver isolation for better crash handling
Client architecture doesn't matter.
Supports multiple devices

Delete the driver: uninstalls the printer driver but leaves the driver package in the store
Remove driver package: uninstalls and removes the driver package
Configure driver isolation (if the driver supports it):
          Shared - driver runs in a shared driver process separate from the print spooler
          Isolated - driver runs in its own process
          None - driver runs in the print spooler process

2.2.4 Configure printer pooling
1. In Printer properties, Ports tab, select the port for each print device in the pool
2. Check "Enable printer pooling"
Repeat for each logical printer in the pool

2.2.5 Configure Print Priorities
Printer priorities are set in the Printer properties/advanced tab. A higher priority means this logical printer will have preference over another logical printer that is pointed at the same print device.
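Added example (my code, not from the notes above): two logical printers pointed at the same print device, one with the lowest priority for general use and one with the highest for a restricted group, built with the PrintManagement cmdlets listed in 2.2.2. The port address, printer names and driver name are sample values; the driver must already be installed (see add-printerdriver), and the Security tab (2.2.6) is still where you restrict who may print to the urgent queue.

```powershell
# Added example: two logical printers, one print device, different priorities (sample values).
$portName = 'IP_10.0.0.50'
$driver   = 'Sample Printer Driver'   # sample; use a name from Get-PrinterDriver

# Standard TCP/IP port for the device
Add-PrinterPort -Name $portName -PrinterHostAddress '10.0.0.50'

# General-purpose queue: lowest priority (1)
Add-Printer -Name 'Lobby-Std' -DriverName $driver -PortName $portName -Shared -ShareName 'Lobby-Std'
Set-Printer -Name 'Lobby-Std' -Priority 1

# Same device and port, but jobs submitted here print ahead of the standard queue (99 = highest)
Add-Printer -Name 'Lobby-Urgent' -DriverName $driver -PortName $portName -Shared -ShareName 'Lobby-Urgent'
Set-Printer -Name 'Lobby-Urgent' -Priority 99

# Confirm both queues share the port and carry the intended priorities
Get-Printer | Where-Object PortName -eq $portName | Format-Table Name, PortName, Priority, Shared -AutoSize
```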

2.2.6 Configure Printer Permissions
 http://technet.microsoft.com/en-us/library/jj190062#BKMK_Delegated_Print_Admin

Print Server permissions:
View Server: view the server, including printers.
Manage Server: allows the ability to create and delete print queues, add or delete ports, and add or delete forms.

Both Print Server and Printer permissions:
Print: ability to print and manage the queue for their own documents
Manage Documents: allows control over all documents in a queue, including delete
Manage Printers: assigns the ability to pause/restart the printer, change spooler settings, share the printer, adjust permissions, and change printer properties



2. Configure server roles and features 2.1 Configure file and share access

2.1.1 Create and configure shares
Add the File Server (FS-FileServer) role
For advanced features, install FSRM
For NFS shares, install Server for NFS

In Explorer:
Right-click the folder, Share with. Right-click, Properties, Sharing to manage. Use Advanced Sharing for caching options, or to set up a second share name for the same folder

In Server Manager:
Share "template" profiles:
SMB Share - Quick = standard share
SMB Share - Advanced (requires FSRM installed) = advanced settings
SMB Share - Applications = SMB share with application permissions for server apps.
NFS Share - Quick (requires Server for NFS feature) = basic NFS share for Unix compatibility. Can set advanced options later
NFS Share - Advanced (requires Server for NFS feature and FSRM) =

SMB Share - Quick: point to the share location, then give it a name. Settings include:
Access-based Enumeration, Caching (and BranchCache), Encrypt data access

SMB Share - Advanced (FSRM) adds settings:
Management properties - folder usage value
Quota - set up an FSRM quota from a template

NFS options add:
Specify authentication methods
Specify share permissions

Create:
Right-click the Volumes/Volumes tile or Shares/Shares tile and select New Share.

Manage:
From the Volumes tab, right-click the share tile and Properties on a share.
From the Shares tab, right-click the share and Properties.


Powershell commands:
get-smbshare, new-smbshare, set-smbshare, remove-smbshare

There are similar commands for NFS shares.

2.1.2 Configure share permissions
Share permissions (Full Control, Change, Read): Allow or Deny.
Configure through Explorer, or in Server Manager on the property sheet
Share permissions combined with NTFS permissions: the most restrictive is applied.

Powershell:
get-smbshareaccess, grant-smbshareaccess, revoke-smbshareaccess, block-smbshareaccess, unblock-smbshareaccess.

2.1.3 Configure offline files
Enable "Allow caching of share"
Enable BranchCache if needed

powershell:
get-smbshare -name sharename | format-table name, path, cachingmode

set-smbshare -name sharename -cachingmode None
(-cachingmode accepts None, Manual, Documents, Programs, BranchCache or Unknown)

2.1.4 Configure NTFS permissions
Change NTFS permissions on the Security tab of folder/file/drive properties
In Server Manager, you can only edit NTFS permissions on a shared folder

Allow permissions combine from different sources
Deny permissions override Allow permissions, regardless of source
Explicit permissions that are set override inherited permissions.
To view the effective access for a user, group, or device, click Advanced on the NTFS permissions Security tab, then Effective Access
Disable inheritance under Advanced on the Security tab.

Six basic permissions that are made up of various advanced permissions:
Full Control: all advanced permissions
Modify: all permissions except "Delete subfolders and files", "Change permissions", "Take ownership"
Read & Execute: "Traverse folder/Execute file", "List folder/Read data", "Read attributes", "Read extended attributes", "Read permissions", "Synchronize"
List Folder Contents (only seen on folder permissions): same as Read & Execute but applies to folders only
Read: Read & Execute permission without the "Traverse folder/Execute file" permission
Write: "Create files/Write data", "Create folders/Append data", "Write attributes", "Write extended attributes", "Read permissions", "Synchronize"

Fourteen advanced permissions:
Traverse Folder/Execute File: Traverse folder lets you directly access files in a folder even if you don't have explicit permission to view its data. Execute file runs an executable file.
List Folder/Read Data: list folder contents, read the contents of a file.
Read Attributes: view basic attributes of a file or folder: Read-Only, Hidden, System, Archive
Read Extended Attributes: view extended attributes/named data streams.
Create Files/Write Data: create new files in a folder. Write data allows overwriting data in a file.
Create Folders/Append Data: allows creating subfolders. Append data lets you add data to the end of a file.
Write Attributes: change Read-Only, Hidden, System, Archive attributes
Write Extended Attributes: change advanced attributes/named data streams
Delete Subfolders and Files (folder permission): lets you delete the contents of a folder. Overrides specific "Delete" permissions in that folder
Delete: delete a file or subfolder
Read Permissions: read basic and special permissions assigned to a file or folder
Change Permissions: change the permissions on a file or folder
Take Ownership: you can make yourself the owner of a file or folder if you have this permission. Administrators can always take ownership regardless of permissions.

Powershell:
get-acl, set-acl
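Added example (my code, not from the notes above): the rules in 2.1.4 applied with get-acl/set-acl and .NET FileSystemAccessRule objects: inheritance is disabled while keeping a copy of the inherited entries, an explicit Modify allow is added for a team, a Delete deny is added for a subset of that team (a Deny wins over any Allow, from any source), and the broad BUILTIN\Users entry copied from the parent is removed. The folder path and group names are sample values; the groups must exist in the domain or be swapped for local groups. Run it elevated.

```powershell
# Added example: explicit NTFS ACL on a project folder (sample path and group names).
$folder = 'D:\Projects\Alpha'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Stop inheriting from D:\Projects, but keep a copy of the inherited ACEs so nothing
#    vanishes unexpectedly. Saving it makes those copies explicit (and therefore editable).
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl
$acl = Get-Acl -Path $folder

# ACEs below apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# 2. Allow: the team gets Modify (everything except Delete subfolders/files,
#    Change permissions and Take ownership, as listed above).
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\Alpha-Team', 'Modify', $inherit, $propagate, 'Allow'
$acl.AddAccessRule($allow)

# 3. Deny: contractors in the team may not delete anything. A Deny entry beats any Allow,
#    whatever its source, which is exactly why Deny entries should be rare and documented.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\Alpha-Contractors', 'Delete, DeleteSubdirectoriesAndFiles', $inherit, $propagate, 'Deny'
$acl.AddAccessRule($deny)

# 4. Remove the broad BUILTIN\Users entries that were copied down from the parent.
$usersAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
foreach ($ace in $usersAces) { $acl.RemoveAccessRule($ace) | Out-Null }

Set-Acl -Path $folder -AclObject $acl

# Review: IsInherited is False for everything, because inheritance is now disabled here.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The Effective Access tab mentioned above is still the quickest way to confirm what a particular contractor ends up with, since it evaluates the Allow/Deny combination and group nesting for you.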

2.1.5 Configure access-based enumeration (ABE)
Configured in Server Manager

Powershell:
get-smbshare -name sharename | format-table name, path, folderenumerationmode
set-smbshare -name sharename -folderenumerationmode AccessBased
(-folderenumerationmode accepts AccessBased or Unrestricted)
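Added example (my code, not from the notes above): one share that pulls together 2.1.1, 2.1.2, 2.1.3 and 2.1.5. It is created with an explicit share-level ACL (two domain groups, no Everyone), access-based enumeration on, SMB encryption on and client-side caching off, and then read back so the result can be checked. Path, share name and group names are sample values; the NTFS permissions on the folder still apply on top, and the most restrictive of the two wins.

```powershell
# Added example: a share with an explicit ACL, ABE, encryption and no offline caching (sample values).
$path  = 'D:\Shares\Finance'
$share = 'Finance$'   # trailing $ hides it from browse lists; it is convenience, not a security control
New-Item -ItemType Directory -Path $path -Force | Out-Null

$params = @{
    Name                  = $share
    Path                  = $path
    FullAccess            = 'CONTOSO\Finance-Admins'
    ChangeAccess          = 'CONTOSO\Finance-Users'
    FolderEnumerationMode = 'AccessBased'   # ABE: users only see folders they can open
    EncryptData           = $true           # SMB 3 encryption on the wire
    CachingMode           = 'None'          # no offline copies of this data on client machines
}
New-SmbShare @params | Out-Null

# New-SmbShare with explicit -FullAccess/-ChangeAccess does not add Everyone, but a share
# created from the GUI or elsewhere may carry it; revoking it is harmless if it is absent.
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# Verify the share-level ACL and the share settings.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Get-SmbShare -Name $share | Format-List Name, Path, FolderEnumerationMode, EncryptData, CachingMode
```

Clients that do not speak SMB 3 cannot connect to a share with EncryptData on (the server rejects them rather than falling back), so check the client mix before enabling it on a share that older systems use.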

2.1.6 Configure Volume Shadow Copy Service (VSS)
VSS is a feature specific to NTFS that keeps "shadow" copies of files and is configured per volume. Files are copied to a "shadow store" at specific times set by a schedule. Used with shared folders to restore files.

Two independent features of VSS:
1. Allows you to enable VSS on a volume so that users can revert to earlier versions of files.
2. Also allows backup programs to back up open or locked files. You do not have to enable VSS on a volume for this second feature to be in effect, as long as the backup program supports the VSS API.

Right-click a volume, select Properties and then Shadow Copies. Enable a volume here. In Settings, you can put the shadow store for this volume on another volume, and configure its size.

2.1.7 Configure NTFS quotas
Set storage limits for users on a volume. For more specific quotas, you should use the File Server Resource Manager tool (FSRM). However, this objective only refers to NTFS quotas, which are a feature of the NTFS file system directly. Administrators are unaffected by quotas, but you can still set up warnings for them.

In File Explorer, right-click a volume and Properties. Select the "Quota" tab.
Enable quota management: allows NTFS quotas
Deny disk space: will stop users from exceeding their set levels (if unchecked, you can still set up warnings)
Limit disk space/Set warning level
Log event when exceeding quota limit
Log event when exceeding warning threshold
Quota Entries (also accessible in Disk Management): shows individual users that have data on the volume, or you can add new entries for a user

Sunday, May 19, 2013

Curiosity killed the cat: Enabling/Disabling File Sharing Part one

By default, 2012 Server disables the File and Printer Sharing group of rules in windows firewall. This means that you won't be able to get to shares, including the  administrative shares, and by default, you won't be able to ping the server either.


"NO SMB FOR YOU!"
There are multiple ways to enable these rules and get SMB(and therefore, File and Print Sharing) up and running.

Install a role/feature
 
The first is to install a server role/feature that adds, and enables, its own firewall rule, usually for port 445 (direct SMB), like the File Server role. Even though the "File and Printer Sharing" rule group may still be disabled, SMB will be enabled. I'll talk more about that in part 2.

Windows Firewall
 
The second is to go into Windows Firewall with Advanced Security, Inbound Rules, sort by Group, and enable all of the "File and Printer Sharing" rules. That was easy. The problem with this method is that it enables File and Printer Sharing for all of the Windows Firewall profiles: domain, public, and private. You can further go into the properties of each rule in the set, click on the Advanced tab, and uncheck the public and private profiles. This would be a better option, since it assigns the rules to the Domain profile only. Since the other profiles have no inbound rules for this set, they are blocked implicitly.

Advanced Sharing Settings
 
The third is to use the familiar Change Advanced Sharing Settings in Network and Sharing Center in Control Panel. Enabling a profile option here for file sharing just enables the "File and Printer Sharing" rules for that Windows Firewall profile, but it does give you individual control of the rules for each profile. More on that in a bit.


The GUI is all well and good unless you installed Server Core. The next options will help you with that!

Command Line
A fourth option is to use the netsh utility from the command line:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
This will also enable these rules for all Firewall profiles.

Powershell 3

A fifth option is to use Powershell 3. Before, you could do it through WMI, but in 2012 we have cmdlets in the new NetSecurity module. To do the same as the above netsh command:
get-netfirewallrule -displaygroup 'File and Printer Sharing' | enable-netfirewallrule

The problem with this, again, is that it enables these rules for all Firewall profiles. So, how about enabling it for the Domain profile only, and then the other two profiles would block implicitly because they have no inbound rules, like so:
set-netfirewallrule -displaygroup 'File and Printer Sharing' -profile Domain -enabled true


There we go. But, it's still only one set of rules! This sets my OCD off. Why does changing multiple profiles in the "Advanced Sharing Settings" GUI create individual rules for each profile? Well, because it copies the rule set into new rules.

Take a fresh install (or revert your firewall rules to Default in Windows Firewall). Now go into Advanced Sharing Settings and enable file and printer sharing under the Domain profile. This is what the rules in the "File and Printer Sharing" group look like now:


It copied all of the rules to new rules and assigned the Domain profile to them. Since the "Name" property has to be unique, it assigns GUIDs to the new rules. But it kept the Private and Public profiles assigned to the original rules. If you go back into the Advanced Sharing Settings and enable, then disable, "file and printer sharing" under the Private profile, it will break out the profiles even further by copying over another set:


So, back to my OCD. Taking a fresh install, I wanted to split out the profiles into individual rule sets using powershell. After much tinkering, this is what I came up with:

get-netfirewallrule | where {($_.displaygroup -eq 'File and Printer Sharing') -and ($_.profile -eq 'Any')} | set-netfirewallrule -profile public -passthru | foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} | set-netfirewallrule -profile private -passthru | foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} | set-netfirewallrule -profile domain -passthru | enable-netfirewallrule

Not the prettiest thing in the world, but it seems to work just fine! This set of cmdlets starts with a rule set it gets from get-netfirewallrule, filtering it down to only the "File and Printer Sharing" group, and only if they are assigned to the Any/All profile, as you would expect with a fresh install. It passes this rule set to set-netfirewallrule, which changes these original 16 rules to the "public" profile. Next, we use foreach-object with copy-netfirewallrule so we can give each individual rule a new GUID for a name. After this, the original rules (not the copies) are passed on and set-netfirewallrule sets them to the private profile. These rules again are copied to new rules, and the original rules are sent through the pipeline where they are finally set to the Domain profile and enabled. The final result:
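As an added example (not from the original post), here is a PowerShell check for the state the one-liner above is meant to produce: it reports every rule in the "File and Printer Sharing" group with its profile scope and flags any enabled rule that is still reachable from the Public (or unrestricted "Any") profile, with the same set-netfirewallrule fix from above wrapped so you can -WhatIf it first. It assumes Windows Server 2012 with the NetSecurity module; the function names are my own.

```powershell
# Added example, not from the original post. Audits the "File and Printer Sharing"
# rule group per Windows Firewall profile. Assumes Windows Server 2012 / PowerShell 3
# with the NetSecurity module; the function names are hypothetical (my own).
Import-Module NetSecurity

function Get-FpsProfileReport {
    [CmdletBinding()]
    param([string]$DisplayGroup = 'File and Printer Sharing')

    Get-NetFirewallRule -DisplayGroup $DisplayGroup | ForEach-Object {
        # Profile is a flags enum; ToString() gives e.g. "Domain, Private" or "Any"
        $profiles = $_.Profile.ToString() -split ',\s*'
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Direction   = $_.Direction
            Enabled     = ($_.Enabled -eq 'True')
            Profile     = $_.Profile
            # "Any" means no profile restriction, so the rule is exposed on Public as well
            HitsPublic  = ($profiles -contains 'Any') -or ($profiles -contains 'Public')
        }
    }
}

function Test-FpsDomainOnly {
    [CmdletBinding()]
    param()
    # Returns $true when every enabled rule in the group is scoped away from Public
    $exposed = @(Get-FpsProfileReport | Where-Object { $_.Enabled -and $_.HitsPublic })
    if ($exposed.Count -gt 0) {
        Write-Warning ("{0} enabled File and Printer Sharing rule(s) are reachable from the Public profile" -f $exposed.Count)
        $exposed | Format-Table DisplayName, Direction, Profile -AutoSize | Out-Host
        return $false
    }
    return $true
}

function Set-FpsDomainOnly {
    # Remediation: the same set-netfirewallrule line as above, with -WhatIf/-Confirm support
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    if ($PSCmdlet.ShouldProcess('File and Printer Sharing rules', 'scope to Domain profile and enable')) {
        Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Profile Domain -Enabled True
    }
}

# Typical use: audit, preview the fix, apply it, audit again
if (-not (Test-FpsDomainOnly)) {
    Set-FpsDomainOnly -WhatIf
    # Set-FpsDomainOnly          # uncomment to actually apply
    # Test-FpsDomainOnly
}
```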


OCD satisfied! Since I'm still learning powershell scripting, my next goal is to create a script that will mimic the "Advanced Sharing Settings" GUI. I'll probably call it ASS for short.

One last note: For as long as I can remember, you can disable file and printer sharing on each network interface individually. This will trump anything else in reference to traffic that hits that NIC. And you can still do it in 2012:

Saturday, May 18, 2013

Curiosity killed the cat: Getting distracted by the File Server role feature

Note: "File and Printer Sharing" firewall rules are disabled by default on a new install of 2012. This article assumes that these rules have been enabled. I'll cover more about that in the next article.

While working on the 2.1 study notes, I've been distracted by a couple of quirks of windows. The first has to do with the File Server role feature in 2012. 

The first thing to note is the File and Storage Services (FileAndStorage-Services) role itself, and the Storage Services (Storage-Services) role feature, are installed by default, and as far as I can tell cannot be removed.

Now, say you want to share a folder. A lot of documentation will tell you that you need to install the File Server (FS-Fileserver) role feature first. I don't think you actually do (more on that in a bit) as long as you've enabled the File and Printer Sharing firewall rules. However, if you don't have it installed and you attempt to share out a folder, the feature will be "automagically" installed (along with its parent feature role: File and iSCSI Services)! (This feature also adds some new firewall rules in the "File and Remote Management" group. I'll also cover these in the next article.) In the following example, I use new-smbshare, but you could also create one in the GUI.

File Server not installed, make folder, share folder, file server now installed!

(Note that even without fs-fileserver installed, the admin shares installed by default are still available remotely. For instance, you can still get to \\server\C$)

I don't yet know if there is a way to disable this automatic install process, but I think you can trick it into not installing.  Use the -remove switch with uninstall-windowsfeature. (Note: before removing file server feature role, you will have to remove any non-system shares). But as outlined in 1.1.5 regarding features on demand, shouldn't it just use Windows Update as source to reinstall when you create a share? I'm actually not sure about this, since I'm using the MS virtual labs right now with no internet access.


File Server removed from SxS, mkdir folder, share folder, File Server still removed
Look Ma, no File Server role feature and I can share out folders! But wait, File and iSCSI Services now shows as installed! What kind of trickery is this? I really have no idea. What I do know is that without the FS-Fileserver role installed, you won't be able to view the share in Server Manager, and I'm sure some other advanced functionality is missing. You can still browse to it from other computers, change settings in Explorer, and use get-smbshare to see it.

Of course the real mystery here might be why I spent so much time on this!

Thursday, May 16, 2013

1. Install and Configure Servers 1.3 Configure Local Storage

Server manager is the only GUI tool that can manage storage pools and create virtual disks. It can also perform some of the other disk and volume management, but not all of them. Disk Management (diskmgmt.msc or expand from Computer Management) can still be used, as well as the command line diskpart.exe.

Reference for Powershell 3 Storage cmdlets: http://technet.microsoft.com/en-us/library/hh848649.aspx

1.3.1 Design Storage Spaces

Storage Spaces are MS's new SAN-like virtual storage pool technology, available in 2012 and Windows 8. You create a pool of disks, and then create spaces on those disks, which are presented as volumes to the system.

Storage Spaces facts:
1. you can use internal or external SATA or SAS drives
2. storage spaces can be thin provisioned (meaning the max space can be larger than available space; used space is provisioned as it's used)
3. storage spaces are stored as vhd files.
4. offers two types of redundancy: parity and mirrored.
5. storage can be dynamically added to the pool
6. storage pools can be shared among nodes in a cluster
7. can be used with ReFS
8. Microsoft recommends using Storage Spaces instead of dynamic disks
9. data is stored in allocated unit size of storage, called "slabs" by MS, across drives.

Storage Spaces can be configured in Server Manager or Powershell.


Extra notes: Storage space management is enabled by the Storage Services role service, which is part of the File and Storage Services role. This includes extensions for Server Manager, Powershell API and WMI, SMP interfaces for Storage Spaces, and a Pass-through API for extensibility.

1.3.2 Configure Basic and Dynamic Disks

About basic disks

basic disks can only be used to create simple volumes - space from a single disk.

the first three volumes on a basic disk set up in MBR partition style will be created as "Primary Partitions". The fourth volume created will create an "Extended Partition", which will span the rest of the space on the drive (even if the 4th volume does not fill all of the space). Any other volumes created will be created inside this extended partition.

In GPT partition style, a basic disk can have up to 128 volumes that are created as primary partitions. It does not use extended partitions.

About dynamic disks

dynamic disks create one partition that spans the entire disk, but allows for the creation of unlimited volumes within this partition. for this reason, you cannot mark a dynamic disk as "active".


dynamic disks also support several other types of volumes other than simple:

Spanned: consists of space from 2-32 physical dynamic disks. Windows will fill each drive one at a time, so this does not improve performance

Striped: Consists of space from 2-32 physical dynamic disks. Data is striped across all of the drives, which improves performance.

Mirrored: This will mirror data between two dynamic disks. The system will read/write from both disks at the same time.

Raid-5: requires 3 or more dynamic disks, data is striped across but the last stripe is used for "parity" data. This allows for fault tolerance in that one drive can fail and the data will be ok. Write performance suffers in comparison to "Striped" due to parity.

Notes before configuration:

If you initialize a disk, Server Manager will default to a Basic disk and GPT partition style. There is no ability to convert from basic to dynamic here. In addition, dynamic disks will not show up in Server Manager or using the "get-disk" command in PS 3! This makes sense, considering MS really wants you to use Storage Spaces instead of dynamic disks. There's also no way to create/convert to MBR partition style in Server Manager (although you can in PS 3!). Note that any volumes created on a dynamic disk will show up in Server Manager, even if the disk doesn't.

Configure a Basic Disk in Server Manager:

Click on File and Storage Services. Click the Disks tab. on the Disks tile, right click the drive and select "Bring Online" if it is offline. Then right-click and "initialize disk". This will initialize the disk as a basic disk with GPT partition style. If you need to convert, you can use disk management.

Configure a Basic Disk in Disk Management

Right click the Disk tab and click "Online" if it is currently Offline. Right-click and select "Initialize Disk". Put a checkmark next to this disk, and choose MBR or GPT as your partition style. You now have a basic disk.

Configure a Basic Disk in Powershell 3

First retrieve a listing of disks and take note of the disk's "number"
get-disk

If the disk is offline, bring it online:
set-disk -number # -isoffline $false

Now initialize:
initialize-disk -number # -partitionstyle GPT 
or
initialize-disk -number # -partitionstyle MBR

Configure a Dynamic Disk in Disk Management

Right click the disk and choose "Convert to dynamic disk". Checkmark the specific disk to convert. Click OK.

 Converting between Dynamic Disk and Basic Disk in Disk Management
You can convert between the two by right clicking the disk and selecting "Convert to dynamic disk" or "Convert to basic disk". You cannot convert from dynamic to basic if there are volumes existing on the disk. You can convert from basic disk to dynamic with existing volumes, but none of the partitions can be marked as active.

Extra notes: You can reset a disk to its uninitialized state with no partition style by right clicking the drive in the "Disks" tile in Server Manager and selecting "Reset Disk". Or you can use the clear-disk command in PS 3. Remember, this is a destructive process! But it's good to know if you are running through these commands in a lab.

1.3.3 Configure MBR and GPT disks

You cannot create or convert MBR partition style in Server Manager. (Although you can view, in the Disks tile, which partition style a disk is by clicking Add Criteria and checking Partition). You can't convert from MBR to GPT in Server Manager either.

Remember that because converting from MBR to GPT is a destructive process, you have to delete any partitions/volumes on the drive first. 

In Disk Management, you simply right click the disk and select "Convert to GPT" or "Convert to MBR".
In powershell 3, if the disk is uninitialized, you can create either partition-style when you use the initialize-disk command. If you don't specify a partitionstyle, it defaults to GPT.

If you need to convert an initialized disk, you use the set-disk command. You cannot use set-disk to change the partition style on an uninitialized disk.
set-disk -number # -partitionstyle GPT or MBR

1.3.4 Manage Volumes
See 1.3.2 for types of basic and dynamic volumes. You should be familiar with creating these in disk management.

Creating a volume in Server Manager
Go to either the volume or disks tile, click Tasks dropdown(or in disk tile, right click a disk), select "new volume". On "server and disk" select the disk to create the volume on. Set the size. Set the drive letter. Format as NTFS or ReFS. You can also enable data deduplication.

 Creating a volume in Powershell 3
Use get-disk to return the correct drive number.

use new-partition to create a new partition. examples:
new-partition -disknumber 1 -assigndriveletter -usemaximumsize
This will create an NTFS partition on disk number 1 using max available space. Use the -size parameter to specify a size in bytes, KB, MB, GB, or TB
new-partition -disknumber 5 -assigndriveletter -size 50GB
you can specify a drive letter with the -driveletter parameter.

Now we format:
format-volume -driveletter F
this will default to NTFS. You can specify filesystem with -filesystem parameter

Other volume options in Server Manager:
If you right click on a volume, you get a number of options:
New Share, New iSCSI virtual disk, scan file system for errors, Manage drive letter and access paths, Format, extend volume, Delete volume. Configure Data Dedup, and Properties.

Removing a volume in Powershell
remove-partition -driveletter F

Extra notes:
To return the free space available on a disk(largestfreeextent in bytes), you can use:
get-disk | format-table number, operationalstatus, numberofpartitions, largestfreeextent -autosize

You can always pipe your new partition into the format command to get it all done on one line:
new-partition -disknumber 5 -assigndriveletter -usemaximumsize | format-volume
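Putting the get-disk / set-disk / initialize-disk / new-partition / format-volume steps from 1.3.2 and 1.3.4 together, as an added example that is not from the original notes: a function that only touches a disk that is still RAW with no partitions, so a mistyped disk number can't wipe a data disk (that is what clear-disk is for, and it should be typed deliberately). It assumes PowerShell 3 with the 2012 Storage module; the function name and the -Label default are mine.

```powershell
# Added example, not from the original notes. Initializes a blank disk end to end.
# Assumes Windows Server 2012 / PowerShell 3 with the Storage module; the function
# name is hypothetical (my own).
Import-Module Storage

function Initialize-BlankDisk {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][int]$Number,
        [ValidateSet('GPT','MBR')][string]$PartitionStyle = 'GPT',
        [ValidateSet('NTFS','ReFS')][string]$FileSystem = 'NTFS',
        [string]$Label = 'Data'
    )
    # Remember: dynamic disks never show up in get-disk, so they can't reach this code
    $disk = Get-Disk -Number $Number -ErrorAction Stop

    # Safety check: only a never-initialized (RAW) disk with no partitions is touched
    if ($disk.PartitionStyle -ne 'RAW' -or $disk.NumberOfPartitions -gt 0) {
        throw ("Disk {0} is already {1} with {2} partition(s); refusing. Use clear-disk on purpose if you really mean it." -f
               $Number, $disk.PartitionStyle, $disk.NumberOfPartitions)
    }

    if ($PSCmdlet.ShouldProcess("disk $Number", "bring online, initialize $PartitionStyle, partition, format $FileSystem")) {
        # Same as "set-disk -number # -isoffline $false" above, plus clearing read-only
        if ($disk.IsOffline)  { Set-Disk -Number $Number -IsOffline $false }
        if ($disk.IsReadOnly) { Set-Disk -Number $Number -IsReadOnly $false }

        Initialize-Disk -Number $Number -PartitionStyle $PartitionStyle

        # One partition using all the space, with the next free drive letter
        $part = New-Partition -DiskNumber $Number -UseMaximumSize -AssignDriveLetter

        # -Confirm:$false suppresses the "are you sure" prompt so the function is scriptable
        return Format-Volume -DriveLetter $part.DriveLetter -FileSystem $FileSystem `
                             -NewFileSystemLabel $Label -Confirm:$false
    }
}

# Example: preview first, then run for real (disk number 5 is a constructed value)
Initialize-BlankDisk -Number 5 -WhatIf
# Initialize-BlankDisk -Number 5 -PartitionStyle GPT -FileSystem NTFS -Label Data
```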

1.3.5 Create and Mount Virtual Hard Disks (VHD)

VHD: Supported up to 2048 GB in size
VHDX: Supported up to 64 TB in size. Resilient to power failure. Not supported pre-2012

Using disk management
Go to Action on menu, select "Create VHD". Browse to location for the new VHD and give it a name. Choose the size of the VHD. Choose whether you want VHD or VHDX. Choose Fixed size or Dynamic size. Click OK. The VHD will be created and attached as a new disk.
To attach a VHD, go to Action on menu and select "Attach VHD".
To detach a vhd, right click the VHD disk and select "Detach VHD".

1.3.6 Configure Storage Pools and Disk Pools

Creating a storage pool in server manager
In Server Manager, go to the File and Storage icon and click Storage Pools. In the Storage Pools tile, the primordial space is the available disks that are qualified to be pooled. Right click (or Tasks) and "New Storage Pool". Under Storage Pool Name, give your new pool a name. Select the disks to be used in this pool. Confirm and create.

Managing pool in Server Manager:
Under the Physical Disks tile, you can use Tasks/Add Physical Disk, or you can right click a disk and remove it from the pool. Removing a disk can cause warnings/errors as the system will attempt to rebuild the pool and you may not have enough space.

Create a new pool in Powershell:
This is a little tricky.

First get your storage subsystem friendly name out of 
get-storagesubsystem
For our example, the friendlyname is "Storage Spaces on SERVER"

now, figure out which disks you want to pool using
get-physicaldisk
For our example, we want to pool physicaldisk1, physicaldisk2, and physicaldisk3.

new-storagepool -friendlyname NewPool -storagesubsystemfriendlyname "Storage Spaces on SERVER" -physicaldisks (get-physicaldisk physicaldisk1, physicaldisk2, physicaldisk3)

this is tricky because you can't just use the friendlynames of the disks in the -physicaldisks parameter. You have to actually pass it the diskobjects from get-physicaldisk.

Manage a Storage pool in Powershell
get-storagepool
add-physicaldisk
remove-physicaldisk

Creating a new virtual disk in Server Manager
Click on the virtual disk tile, go to tasks, and "New Virtual Disk". Select the storage pool. Give the disk a name. Select your storage layout: simple, mirror, parity. Choose thin or fixed provisioning. Specify a size. Now you have a new disk you can create volumes in.

Creating a new virtual disk in Powershell
get the friendly storage pool name:
get-storagepool

new-virtualdisk -friendlyname NewDisk -storagepoolfriendlyname NewPool -size 20GB
This will create a 20 gig mirrored disk named NewDisk
To switch to simple or parity, use the -resiliencysettingname parameter

other commands: get-virtualdisk, remove-virtualdisk

Extra notes:

Here's another example that would create a pool using all available drives that can be pooled. This may not be ideal for your situation:
new-storagepool -friendlyname NewPool -storagesubsystemfriendlyname "Storage Spaces on Server" -physicaldisks (get-physicaldisk -canpool $true)
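As an added example (not from the original notes) building on the pool and virtual disk commands above: a function that resolves physical disk friendly names to the disk objects new-storagepool needs (the "tricky" part), checks CanPool on each one, and checks that there are enough disks for the resiliency you asked for (2 for Mirror, 3 for Parity) before creating the pool and the virtual disk. It assumes PowerShell 3 with the 2012 Storage module; the function name is mine and the disk/pool names in the call are the constructed ones from the example above.

```powershell
# Added example, not from the original notes. Creates a storage pool and a virtual
# disk with up-front validation. Assumes Windows Server 2012 / PowerShell 3 with the
# Storage module; the function name is hypothetical (my own).
Import-Module Storage

function New-PooledVirtualDisk {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$PoolName,
        [Parameter(Mandatory=$true)][string]$DiskName,
        [Parameter(Mandatory=$true)][string[]]$PhysicalDiskName,
        [Parameter(Mandatory=$true)][uint64]$Size,
        [ValidateSet('Simple','Mirror','Parity')][string]$Resiliency = 'Mirror',
        [ValidateSet('Thin','Fixed')][string]$Provisioning = 'Thin',
        [string]$SubsystemName = 'Storage Spaces*'
    )
    # Minimum physical disks per layout in 2012 Storage Spaces
    $minDisks = @{ Simple = 1; Mirror = 2; Parity = 3 }

    # -physicaldisks wants disk objects, not friendly names, so resolve them first
    $disks = @(Get-PhysicalDisk -FriendlyName $PhysicalDiskName -ErrorAction Stop)

    $notPoolable = @($disks | Where-Object { -not $_.CanPool })
    if ($notPoolable.Count -gt 0) {
        throw ("Not poolable (already in a pool, or carries partitions): {0}" -f
               (($notPoolable | ForEach-Object { $_.FriendlyName }) -join ', '))
    }
    if ($disks.Count -lt $minDisks[$Resiliency]) {
        throw ("{0} needs at least {1} disks, got {2}" -f $Resiliency, $minDisks[$Resiliency], $disks.Count)
    }

    # Same lookup as get-storagesubsystem above, matched by wildcard instead of a fixed name
    $subsystem = Get-StorageSubSystem | Where-Object { $_.FriendlyName -like $SubsystemName } | Select-Object -First 1
    if (-not $subsystem) { throw "No storage subsystem matching '$SubsystemName'" }

    if ($PSCmdlet.ShouldProcess("$($disks.Count) disk(s)", "create pool $PoolName and $Resiliency virtual disk $DiskName")) {
        $pool = New-StoragePool -FriendlyName $PoolName `
                    -StorageSubSystemFriendlyName $subsystem.FriendlyName -PhysicalDisks $disks
        $vdisk = New-VirtualDisk -FriendlyName $DiskName -StoragePoolFriendlyName $pool.FriendlyName `
                    -Size $Size -ResiliencySettingName $Resiliency -ProvisioningType $Provisioning
        # The virtual disk surfaces as a regular disk: initialize, partition and format it as in 1.3.4
        return $vdisk | Get-Disk
    }
}

# Example call with the constructed names from above; -WhatIf previews without creating anything
New-PooledVirtualDisk -PoolName NewPool -DiskName NewDisk `
    -PhysicalDiskName physicaldisk1, physicaldisk2, physicaldisk3 -Resiliency Mirror -Size 20GB -WhatIf
```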