Wednesday, May 29, 2013

4. Deploy and configure core network services 4.2 Deploy and configure Dynamic Host Configuration Protocol (DHCP) service

DHCP IPv4 lease negotiation (DORA):
client broadcasts DHCPDISCOVER
server replies with DHCPOFFER
client accepts one offer by broadcasting DHCPREQUEST
server confirms with DHCPACK, or refuses with DHCPNAK
client tests the offered address (gratuitous ARP) and sends DHCPDECLINE if it is already in use

DHCPRELEASE client releases lease
DHCPINFORM client requests more options

Client attempts to renew the lease starting at 50% of the lease time (T1) by sending a unicast DHCPREQUEST to the server that issued it.
At 87.5% of the lease (T2) with no response, the client broadcasts DHCPREQUEST to any DHCP server (rebinding).
At 100% with no response, or on a DHCPNAK, the client drops the address and starts over with DHCPDISCOVER.

Install the DHCP Server role (DHCP) and the DHCP tools (RSAT-DHCP). When you install from the GUI Add Roles and Features wizard, Server Manager shows a "Complete DHCP configuration" task. This wizard creates the DHCP Administrators and DHCP Users local groups and prompts you to authorize the DHCP server in AD.
Bind the server to the NICs you want to serve DHCP on: right-click IPv4 or IPv6, Properties, Advanced, Bindings.

4.2.1 Create and configure scopes
v4
DHCP manager, right click IPv4 and select New Scope.
Give the scope a name and description
Put in a start and end ip address for the scope. Then configure the subnet mask.
Add an exclusion range for ip's you do not want to be given out.
 Set a lease duration.
You will be prompted to configure DHCP options(see 4.2.3)
Once created, you should right click the scope and select "Activate"

v6
DHCP manager, right click ipv6 and select new scope
Give the scope a name and description
Enter the prefix for the scope. Enter a preference, which determines which DHCP server a client prefers when it receives advertisements from multiple DHCPv6 servers (highest value wins; 255 tells the client to use this server immediately without waiting for other advertisements).
Add exclusion ranges, if necessary.
Configure lease durations. Preferred lifetime is how long an interface should treat the address as usable for new connections; valid lifetime is how long the address remains valid at all. Preferred must not exceed valid.
You are prompted to activate the scope, or you can manually activate it later.

Powershell:
v4
add-dhcpserverv4scope -name "192.168.11.0 scope" -startrange 192.168.11.1 -endrange 192.168.11.254 -subnetmask 255.255.255.0

add-dhcpserverv4exclusionrange -scopeid 192.168.11.0 -startrange 192.168.11.1 -endrange 192.168.11.10

other commands:

get-dhcpserverv4scope, get-dhcpserverv4exclusionrange, remove-dhcpserverv4scope, remove-dhcpserverv4exclusionrange, set-dhcpserverv4scope

extra note: 
superscope: container for IPv4 scopes; used to serve addresses from multiple logical IP networks on the same physical segment
multicast scope: hands out class D (224.0.0.0-239.255.255.255) group addresses to MADCAP clients
failover: new in 2012. Two DHCP servers replicate a scope's leases and serve it together, in load balance mode (50/50 by default) or hot standby mode. Right-click the scope and choose Configure Failover.

v6

add-dhcpserverv6scope -name "0200 scope" -prefix fc00:0:0:0200:0:0:0:0

add-dhcpserverv6exclusionrange -prefix fc00:0:0:200:: -startrange fc00:0:0:200::1 -endrange fc00:0:0:200:0:0:3:ffff

other commands: 
 get-dhcpserverv6scope, get-dhcpserverv6exclusionrange, remove-dhcpserverv6scope, remove-dhcpserverv6exclusionrange, set-dhcpserverv6scope

use the -state active|inactive parameter with set-dhcpserverv4scope / set-dhcpserverv6scope to activate or deactivate a scope


extra note: split-scope is the pre-2012 redundancy method, where one scope's range is divided between two DHCP servers (typically 80/20) using exclusion ranges. Right-click the scope, Advanced, Split-Scope to start the wizard. On 2012 use DHCP failover instead, which replicates leases rather than splitting the range.
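The scope procedure above, done end to end in PowerShell with a verification step. This is an added example, not part of the original notes; the network ranges, scope names and lease times are assumptions.

```powershell
# Added example: build an IPv4 and an IPv6 scope end to end and verify them.
# All ranges, names and lifetimes are assumptions for illustration.
Import-Module DhcpServer

# --- IPv4 ---
$scopeId = '192.168.11.0'

# Create the scope inactive so nothing is handed out until it is fully configured.
Add-DhcpServerv4Scope -Name '192.168.11.0 scope' -Description 'Workstation VLAN 11' `
    -StartRange 192.168.11.1 -EndRange 192.168.11.254 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State Inactive

# Keep the bottom of the range out of the pool for the router and statically addressed hosts.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 192.168.11.1 -EndRange 192.168.11.20

# Activate only once the exclusion exists.
Set-DhcpServerv4Scope -ScopeId $scopeId -State Active

Get-DhcpServerv4Scope -ScopeId $scopeId |
    Format-Table ScopeId, Name, StartRange, EndRange, SubnetMask, State, LeaseDuration
Get-DhcpServerv4ExclusionRange -ScopeId $scopeId

# --- IPv6 ---
$prefix = 'fc00:0:0:200::'

# Preference 255 tells clients to take this server's advertisement immediately.
# Preferred lifetime must not exceed valid lifetime.
Add-DhcpServerv6Scope -Name '0200 scope' -Prefix $prefix -Preference 255 `
    -PreferredLifetime (New-TimeSpan -Days 8) -ValidLifetime (New-TimeSpan -Days 12) -State Inactive
Add-DhcpServerv6ExclusionRange -Prefix $prefix -StartRange fc00:0:0:200::1 -EndRange fc00:0:0:200::ffff
Set-DhcpServerv6Scope -Prefix $prefix -State Active

Get-DhcpServerv6Scope -Prefix $prefix |
    Format-Table Prefix, Name, Preference, State, PreferredLifetime, ValidLifetime
```

Creating the scope inactive and activating it last matters: a scope that is active before its exclusions are in place can hand out an address that a router or server already uses.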

4.2.2 configure a DHCP reservation 
DHCP reservations are IP addresses that are always assigned to a specific interface (identified by MAC address for v4, by DUID and IAID for v6) whenever that interface requests an address.

v4
Requires the MAC address of the interface on the computer that will be assigned the reservation.
Under the appropriate scope, right click reservations and new reservation.
Give it a name, enter the IP address, then the MAC address, and finally a description. Under Supported types, choose DHCP only if you want to exclude BOOTP clients from this reservation.
After creation, you can right click the ip and specify specific dhcp options for this address.

v6
A v6 reservation is similar to v4, except that instead of a MAC address you need the following two values from the client interface (both shown by ipconfig /all):
DHCP Unique Identifier(DUID): This uniquely identifies a client or server
IAID: a unique id part of the Identity Association(IA) that identifies a specific interface.

powershell
v4
add-dhcpserverv4reservation -scopeid 192.168.10.0 -ipaddress 192.168.10.8 -clientid 00155d017506

v6
add-dhcpserverv6reservation -prefix fc00::200:0:0:0:0 -ipaddress fc00::200:0:0:0:6 -clientduid 0001000117d29a2e00155d017500 -iaid 536876381

other commands: get-dhcpserverv4reservation, remove-dhcpserverv4reservation, get-dhcpserverv6reservation, remove-dhcpserverv6reservation

4.2.3 configure DHCP options 
Options are extra configuration values sent to the client along with the address. They can be set for all scopes on the server (server options), for a specific scope (scope options), for a single reservation (reservation options), or for a user/vendor class. The most specific level wins.

You configure options for one scope under Scope options.

v4
common v4 options.
001 - Subnet mask (sent automatically from the scope definition)
003 - Router (default gateway)
006 - DNS Servers
015 - DNS Domain Name
044 - WINS/NBNS Servers

v6
common v6 options
0023 DNS Recursive Name Server
0024 Domain Search List.

powershell

list all options available

get-dhcpserverv4optiondefinition
get-dhcpserverv6optiondefinition

show current values assigned to a specific scope:

get-dhcpserverv4optionvalue -scopeid 192.168.10.0
get-dhcpserverv6optionvalue -prefix fc00:0:0:200::

set new option values for a specific scope
set-dhcpserverv4optionvalue -scopeid 192.168.10.0 -optionid 6 -value 192.168.10.1, 192.168.10.2 
set-dhcpserverv6optionvalue -prefix fc00:0:0:200:: -optionid 23 -value fc00:0:0:200::5
extra note: when setting DNS servers (-dnsserver or option 6), the cmdlet checks that each server is reachable; use -force to skip that check, e.g. when the DNS server is not built yet.

extra note: you can define user classes to give a group of computers different options. Right-click IPv4 or IPv6, Define User Classes, and create a class with an ASCII ID. On each client interface that belongs to the class run ipconfig /setclassid "Local Area Connection" ClassID. Then under Scope Options, Advanced tab, pick the user class and set the options for it.
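Server, scope, reservation and class options layered together, with the read-back calls that show what each level holds. Added example, not from the original notes; the domain name, addresses, class name and reservation are assumptions.

```powershell
# Added example: set options at each level and read back what is stored.
# Addresses, names and the user class are assumptions.
Import-Module DhcpServer
$scopeId = '192.168.10.0'

# Server level: every scope inherits these unless it overrides them.
Set-DhcpServerv4OptionValue -DnsDomain 'corp.example.com' -DnsServer 192.168.10.5, 192.168.10.6

# Scope level: the router (option 3) is specific to this subnet.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 192.168.10.1

# Reservation level: one host gets a different DNS server.
# -Force skips the reachability check on the DNS server (useful before it is built).
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress 192.168.10.8 `
    -ClientId '00-15-5D-01-75-06' -Name 'printsrv01'
Set-DhcpServerv4OptionValue -ReservedIP 192.168.10.8 -DnsServer 192.168.10.7 -Force

# User class: clients that set this class ID get their own DNS domain name (option 15).
Add-DhcpServerv4Class -Name 'LAN' -Type User -Data 'LAN' -Description 'Wired clients'
Set-DhcpServerv4OptionValue -ScopeId $scopeId -UserClass 'LAN' -OptionId 15 -Value 'wired.corp.example.com'

# Read back. Without -ScopeId / -ReservedIP you see server-level values only;
# the client ends up with the most specific value for each option ID.
'--- server level ---';       Get-DhcpServerv4OptionValue | Format-Table OptionId, Name, Value
'--- scope level ---';        Get-DhcpServerv4OptionValue -ScopeId $scopeId | Format-Table OptionId, Name, Value
'--- scope, class LAN ---';   Get-DhcpServerv4OptionValue -ScopeId $scopeId -UserClass 'LAN' | Format-Table OptionId, Name, Value
'--- reservation ---';        Get-DhcpServerv4OptionValue -ReservedIP 192.168.10.8 | Format-Table OptionId, Name, Value
```

Note that the class ID is sent by the client itself (ipconfig /setclassid), so it is a grouping convenience, not an access control; a client can claim any class it likes.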

4.2.4 configure client and server for PXE boot
if the DHCP server is on the same machine as WDS, WDS cannot listen on UDP 67 itself, so PXE clients must be told there is a boot server: set custom option 60 to the string PXEClient (WDS can do this for you from its DHCP tab, "Configure DHCP option 60").

if they are on separate servers on same subnet, use:
option 66: boot server host name
option 67: boot file name

Extra note: when DHCP and WDS are on a different subnet from the clients, MS recommends configuring the router's IP helper (DHCP relay) to forward to both the DHCP and the WDS server rather than relying on options 66/67.

4.2.5 configure DHCP relay agent
If you aren't using a router to do DHCP relay, you can install RRAS role to get DHCP relay setup on a server:
add role Remote Access(RemoteAccess) and check Directaccess and VPN, as well as Routing
once installed, go into computer management, and go under Services and Applications
Right click Routing and Remote access and select "Configure and enable Routing and remote access"
select custom configuration, and then LAN Routing
 Expand Ipv4 or Ipv6.
Go to general and right click the pane and "New Routing Protocol". Select DHCP Relay Agent
 right click Dhcp Relay Agent and "New Interface"
Select options: Relay DHCP Packets (enabled), Hop-count threshold, Boot threshold (seconds the relay waits before forwarding, so a DHCP server on the local subnet gets the chance to respond first)
Right click DHCP Relay Agent, properties. Enter the IP address for the server to forward to.

IPv6 is similar except Boot threshold is called Elapsed-time threshold. Also, properties has Server tab for ipv6 servers. General tab is for event logging options.

extra note:
install-windowsfeature remoteaccess -includeallsubfeatures -includemanagementtools

4.2.6 authorize DHCP server
As stated above, you are prompted with a task to authorize the DHCP server when you first install the role. However, if you need to Unauthorize/Authorize the server, you can right click the server in DHCP Manager and select authorize/unauthorize.

Powershell:
If installed in powershell, the DHCP server is not automatically authorized. Use get-dhcpserverindc to see authorized DHCP servers. Then authorize the server with cmdlet:
add-dhcpserverindc -dnsname 'dc.contoso.com' -ipaddress 192.168.10.1
(remove-dhcpserverindc unauthorizes a server again.)

command line:
netsh dhcp server \\dhcpsrv01 initiate auth
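Authorization is the Windows control against rogue DHCP servers in a domain: an unauthorized Windows DHCP server stops serving leases. The following added example (not from the original notes) checks the local server's authorization, fixes it, and lists authorized servers that are not in an expected domain. The adapter alias and domain suffix are assumptions.

```powershell
# Added example: verify this server is authorized in AD and authorize it if not.
# The interface alias and the expected DNS suffix are assumptions.
Import-Module DhcpServer

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ip   = (Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'Ethernet' |
         Select-Object -First 1).IPAddress

$authorized = @(Get-DhcpServerInDC)
'Authorized DHCP servers in this forest:'
$authorized | Format-Table DnsName, IPAddress

if ($authorized.DnsName -notcontains $fqdn) {
    Write-Warning "$fqdn is not authorized; authorizing as $ip"
    Add-DhcpServerInDC -DnsName $fqdn -IPAddress $ip
    # The service re-checks authorization on its own schedule; restart to apply now.
    Restart-Service DHCPServer
} else {
    "$fqdn is already authorized"
}

# Anything authorized that is not one of yours deserves a look.
$unexpected = $authorized | Where-Object { $_.DnsName -notlike '*.corp.example.com' }
if ($unexpected) { 'Authorized servers outside the expected domain:'; $unexpected | Format-Table DnsName, IPAddress }
```

AD authorization only restrains Windows DHCP servers that are domain members. A rogue DHCP server on a non-Windows host or a workgroup machine ignores it entirely, so on the switch side you still want DHCP snooping (or, inside Hyper-V, DHCP guard on VM adapters).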

Monday, May 27, 2013

4. Deploy and configure core network services 4.1 Configure IPv4 and IPv6 addressing

4.1.1 Configure IP address options
4.1.2 configure subnetting
4.1.3 configure supernetting
Not going to spend a lot of time on this.

IPv4
Classful:
Class A: first octet 1-126, leading bit 0 (binary); 8 network bits, 24 host bits. 127 is reserved for loopback.
Class B: 128-191, leading bits 10; 16 network bits, 16 host bits
Class C: 192-223, leading bits 110; 24 network bits, 8 host bits
Class D: 224-239, leading bits 1110; multicast
Class E: 240-255, leading bits 1111; experimental/reserved

Classless Inter-Domain Routing(CIDR)
Allows networks of any size by using a prefix length (subnet mask) of any number of bits rather than the class boundaries; a network can then be further divided.

VLSM (variable length subnet masking) is subdividing a network into subnets of different sizes, i.e. with different mask lengths, rather than one fixed size.

subnetting is the process of dividing up networks into smaller networks
supernetting is representing multiple contiguous networks as one route by using a shorter mask made up of only their common network bits.

Static IP, Dynamic IP
Automatic Private IP Addressing (APIPA): a Microsoft mechanism that assigns an address in 169.254.0.0/16 if Windows cannot contact a DHCP server. It is link-local only (no default gateway), so the host can reach just its own segment.

Configure the IP address in the network adapter properties under TCP/IPv4 properties: IP address, subnet mask, default gateway, DNS servers. Or set it to use DHCP.

Powershell:
use modules Netadapter and NetTCPIP

To set an adapter to DHCP:
set-netipinterface -interfacealias 'ethernet 5' -dhcp enabled

To setup a static IP:

get-netipinterface
get-netipconfiguration 'ethernet 2' | new-netipaddress -ipaddress 192.168.10.20 -prefixlength 24 -defaultgateway 192.168.10.1

set-dnsclientserveraddress 'ethernet 5' -serveraddresses 192.168.15.90, 192.168.15.91

To remove an ip address, use
remove-netipaddress 192.168.10.20 -defaultgateway 192.168.10.1

Note that you should remove the default gateway along with the ip address, or else the default gateway gets "stuck" on that interface, and cannot be removed using cmdlets until you add another ip in the same subnet to the same interface(or edit through the GUI). 

To reset the dns server addresses to default, use the following:
set-dnsclientserveraddress 'ethernet 5' -resetserveraddresses
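The two directions of the procedure above wrapped into functions, including the default gateway caveat: the static address and its 0.0.0.0/0 route are removed together when reverting to DHCP. This is an added example, not from the original notes; the adapter alias and addresses are assumptions.

```powershell
# Added example: set a static IPv4 configuration and revert cleanly to DHCP.
# Alias and addresses are assumptions.
function Set-StaticIPv4 {
    param([string]$Alias, [string]$Address, [int]$Prefix, [string]$Gateway, [string[]]$Dns)
    # Turn DHCP off first so the lease and the static address do not coexist.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
    # Clear existing IPv4 addresses and default routes on this adapter.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address -PrefixLength $Prefix -DefaultGateway $Gateway
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns
}

function Reset-ToDhcp {
    param([string]$Alias)
    # Remove the address AND the default route. Removing only the address leaves the
    # 0.0.0.0/0 route stuck on the interface (the problem described in the note above).
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Enabled
}

Set-StaticIPv4 -Alias 'Ethernet 5' -Address 192.168.10.20 -Prefix 24 -Gateway 192.168.10.1 `
    -Dns 192.168.15.90, 192.168.15.91
Get-NetIPConfiguration -InterfaceAlias 'Ethernet 5'
# Reset-ToDhcp -Alias 'Ethernet 5'
```

Run this from the console or over a different adapter than the one being changed: removing the address on the NIC that carries your remote PowerShell session drops the session halfway through.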


IPv6
128 bits
:: can be used to compress consecutive 0's. leading 0's can be left off.
63c5:0091:0000:0000:e8cc:011f:009a:c001 can be
63c5:91::e8cc:11f:9a:c001

types of ipv6 addresses:
global unicast address: registered ipv6 block
link-local unicast address: fe80::/10 (prefix bits 1111111010). Every interface assigns itself one automatically (like APIPA in IPv4); in practice hosts use fe80::/64.
unique local address : reserved block in fc00::/7 for private use.
multicast: begins with 11111111 (ff00::/8)
anycast: an ordinary unicast address assigned to more than one interface; packets go to the nearest one. The subnet-router anycast address (the subnet prefix with a zero interface ID) identifies the routers on a given subnet.
site-local address : reserved fec0::/10 for "private" use but has since been deprecated for unique local addresses(ULA)

neighbor discovery (ND): provides for v6 what ARP, ICMP Router Discovery and ICMP Redirect provide for v4 (address resolution, router discovery, redirect), all carried in ICMPv6.

powershell
get-netipconfiguration 'ethernet 2' | new-netipaddress -ipaddress fc00::200:cd -prefixlength 64 -defaultgateway fc00::200:1
set-dnsclientserveraddress 'ethernet 5' -serveraddresses fc00::199:40,fc00::199:41

remove an ipv6 address

remove-netipaddress -ipaddress fc00::200:cd -defaultgateway fc00::200:1

4.1.4 configure interoperability between IPv4 and IPv6
1.use a dual stack
2. tunneling:
static configuration with netsh
netsh interface ipv6 add v6v4tunnel tunnelname localaddress remoteaddress
netsh interface ipv6 add v6v4tunnel "tunnel" 192.168.90.1 192.168.91.1

automatic configuration:
6to4: automatic tunneling for hosts with a public IPv4 address. The host derives a 2002:WWXX:YYZZ::/48 prefix from its IPv4 address and sends IPv6 encapsulated directly in IPv4 (protocol 41) across the IPv4 internet; it does not work behind NAT.

ISATAP: Intra-Site Automatic Tunnel Addressing Protocol. Emulates an IPv6 link on top of an IPv4 network, intended for use inside an organisation. Treats the IPv4 network as NBMA, so it does not support multicast.

Teredo: encapsulates v6 packets inside UDP (server port 3544) so tunneling works through NAT routers. Like 6to4 but NAT-capable.

Extra note: there is another technology called IP-HTTPS that tunnels IPv6 inside HTTPS (TCP 443). DirectAccess uses it as the fallback when 6to4 and Teredo are blocked.

Translation technologies:
NAT64: translates between IPv6-only clients and IPv4 servers; used by DirectAccess to reach IPv4 resources on the internal network.
DNS64: synthesizes AAAA answers for names that only have A records, so an IPv6-only client gets an address that routes to the NAT64.
Portproxy (netsh interface portproxy): proxies TCP connections between IPv4 and IPv6 on a single host.

4.1.5 configure ISATAP
Uses a virtual IPv6 network interface whose link-local address is formed by appending the 32-bit IPv4 address to fe80::200:5efe (when the IPv4 address is public/globally unique) or fe80::5efe (when it is private), e.g. fe80::5efe:192.168.1.10.

To configure ISATAP you only need a router name. You can configure it with a GPO (Network/TCPIP Settings/IPv6 Transition Technologies), the set-netisatapconfiguration -router cmdlet, or netsh interface isatap set router.

to disable ISATAP, set the state to Disabled, using GPO, set-netisatapconfiguration -state, or netsh interface isatap set state disabled

The other two isatap states are:
enabled:  link-local address configured on each isatap interface
default: attempts to resolve the ISATAP router name (ISATAP by default). If it cannot be resolved, no addresses are configured.

other powershell commands: get-netisatapconfiguration, reset-netisatapconfiguration

4.1.6 configure Teredo

 Teredo components:
clients, servers, relays, host-specific relays

Client: IPv6/IPv4 node that supports teredo tunneling.
Server: ipv6/ipv4 node that is connected to both ipv4 internet and ipv6 internet, and assists in the address configuration of teredo client and facilitate initial communication between teredo clients and other clients, or with ipv6-only hosts. listens on UDP 3544 for teredo traffic
Relay: ipv6/ipv4 router that can forward packets between teredo clients on the ipv4 internet.


Qualified Types:
qualified (Default Qualified enabled): Teredo keeps an active tunnel even when no application is using IPv6.
not qualified: Teredo goes dormant when not in use and qualifies on demand.
You can only configure the qualified type by GPO.

State/types:
default: behaves as client
client: Teredo is used unless the host is on a managed network (it can reach a domain controller), in which case it is turned off
enterprise client: Teredo stays active even on a managed network
disabled


Configure by GPO: Teredo Default Qualified, Teredo Server Name, Teredo State

netsh interface teredo show state
netsh interface teredo set state servername=<name>
netsh interface teredo set state type=<default|client|enterpriseclient|disabled>

powershell:
get-netteredoconfiguration
set-netteredoconfiguration -servername <name> -type <default|client|enterpriseclient|disabled>


Disable teredo:
set state to disabled in GPO
netsh interface teredo set state type disabled
set-netteredoconfiguration -type disabled
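Teredo, ISATAP and 6to4 tunnels can carry IPv6 past firewall rules that were written for IPv4, so on a server that has no need for them the practical step is to disable all three and confirm no tunnel interface stays up. Added example, not from the original notes; it applies to the local host and assumes no GPO re-enables the settings.

```powershell
# Added example: disable the three automatic IPv6 transition technologies and verify.
# Assumes no GPO overrides these settings (a GPO value wins over the local one).
Set-NetTeredoConfiguration -Type Disabled
Set-NetIsatapConfiguration -State Disabled
Set-Net6to4Configuration   -State Disabled

# Configuration as now stored.
Get-NetTeredoConfiguration | Format-List Type, ServerName
Get-NetIsatapConfiguration | Format-List State, Router
Get-Net6to4Configuration   | Format-List State

# Tunnel adapters are hidden; list any that still exist and their status.
Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -match 'Teredo|ISATAP|6to4' } |
    Format-Table Name, InterfaceDescription, Status

# Any tunnel interface that still holds a routable (non link-local) IPv6 address is a finding.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -match 'Teredo|isatap|6TO4' -and $_.PrefixOrigin -ne 'WellKnown' } |
    Format-Table InterfaceAlias, IPAddress, PrefixOrigin
```

If these settings are managed centrally, put the same three values in the Network/TCPIP Settings/IPv6 Transition Technologies GPO node instead; the local cmdlets report the effective value either way.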

Saturday, May 25, 2013

3. Configure Hyper-V 3.3 Create and configure virtual networks

3.3.1 implement Hyper-V Network Virtualization
Network Virtualization lets the virtual network a VM sees (its customer address space) be independent of the physical network the hosts sit on; VMs can be spread across hypervisors and still appear to share one network, regardless of the physical topology.

2 possible ways that Hyper-V can accomplish this:

NVGRE: Network Virtualization using Generic Routing Encapsulation. Encapsulates the VM's frames in GRE tunnels between Hyper-V hosts.

IP Rewrite: a NAT-like approach at each host that rewrites the virtual (customer) address to a physical (provider) address on the way out and back on the way in. No encapsulation, but it needs one provider address per customer address.

Provider Addresses(PA) : Unique IP addresses assigned to each host. physical addresses
Customer Addresses(CA): virtual IP addresses assigned to VM's.
Virtual subnet ID (VSID): a 24-bit ID carried in the GRE key field that says which virtual subnet the packet belongs to.
Routing Domain ID (RDID): a GUID that identifies a "customer" network, which is made up of one or more VSIDs that may route to each other.

Network virtualization can be setup using Powershell.

3.3.2 configure Hyper-V virtual switches

Creating a new external switch adds a virtual NIC for the host in Network Connections. Once the switch is bound to a physical adapter, the host's own traffic goes through that vNIC and the virtual switch rather than directly through the physical adapter; the switch forwards to the physical network.

Right-click the Hyper-V server and select Virtual Switch Manager.
Click New virtual network switch.
Give it a name
Select switch type: External, Internal, or Private
External: VMs need access to the physical network
Internal: VMs can only communicate with each other on the host and with the host itself. The switch is not bound to a network adapter.
Private: VMs can only communicate with each other on this switch, not with the host or the physical network. The switch is not bound to a network adapter.

If external, select the physical adapter to bind to. "Allow management operating system to share this network adapter" controls whether the host keeps its own connectivity through this adapter; uncheck it for a NIC dedicated to VM traffic, but make sure the host has another path first. Check "Enable single-root I/O virtualization (SR-IOV)" if the NIC supports it; this can only be set when the switch is created.
Select a VLAN ID for the management OS traffic if needed.

You can also set global mac addresses for this host in the Virtual Switch Manager(see 3.3.4)

A virtual switch can have up to 512 VM's assigned to it.

Powershell:

new-vmswitch -name "New External Switch" -netadaptername "Broadcom NetXtreme Gigabit Ethernet" 

other VM switch commands:

get-vmswitch, set-vmswitch, rename-vmswitch, remove-vmswitch


3.3.3 optimize network performance
1. Use the network adapter type (synthetic) instead of the legacy adapter for best performance.
2. Configure bandwidth management under each virtual network adapter in a VM (minimum and maximum Mbps).
3. Configure hardware acceleration under the virtual network adapter:
    a. Virtual Machine Queue (VMQ): the physical NIC filters packets by destination MAC/VLAN in hardware and delivers them straight to the VM's queue. Enabled by default.
    b. IPsec task offloading: performs IPsec processing on the network adapter. Enabled by default.
    c. SR-IOV: gives the VM a virtual function on the physical NIC for maximum throughput. Traffic bypasses the virtual switch, so switch-level features (port ACLs, DHCP/router guard, port mirroring) do not apply to it.
4. Configure advanced features under each virtual network adapter:
    a. MAC address static or dynamic, plus "Enable MAC address spoofing". Leave spoofing off unless the guest needs it (nested NICs, NLB), since it lets the VM send frames from any source MAC.
    b. DHCP guard: drops DHCP server messages sent by this VM, so a rogue DHCP server inside a guest cannot answer clients.
    c. Router guard: drops router advertisements and redirect messages sent by this VM.
    d. Port mirroring: copies this adapter's traffic to another VM's adapter (source/destination) for monitoring.
    e. NIC Teaming (LBFO): allows the guest to team this adapter with another virtual adapter.

You can also use GRE offloading for network virtualization if an adapter supports it.

Powershell:
Most of the options above can be set using the following command:
set-vmnetworkadapter http://technet.microsoft.com/en-us/library/hh848457.aspx
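DHCP guard, router guard and MAC spoofing are the settings from point 4 with a direct security effect, and they default to off (guards) and off (spoofing) on every adapter. The following added example, not from the original notes, applies a host-wide baseline and audits for adapters that drift from it. The names of the VMs that legitimately serve DHCP or route are assumptions.

```powershell
# Added example: baseline VM network adapter guards on every VM on this host and audit.
# $infraVMs lists VMs allowed to act as DHCP server or router; the names are assumptions.
$infraVMs = @('DHCP01', 'RRAS01')

foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    if ($infraVMs -contains $nic.VMName) {
        # Infrastructure VMs must be able to send DHCP offers / router advertisements.
        $nic | Set-VMNetworkAdapter -DhcpGuard Off -RouterGuard Off -MacAddressSpoofing Off
    } else {
        # Everything else: block guest-originated DHCP server and router messages,
        # and pin the guest to its assigned MAC.
        $nic | Set-VMNetworkAdapter -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off
    }
}

# Audit: any non-infrastructure adapter with a guard off or spoofing on is a finding.
$findings = Get-VM | Get-VMNetworkAdapter | Where-Object {
    $infraVMs -notcontains $_.VMName -and
    ($_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' -or $_.MacAddressSpoofing -eq 'On')
}
if ($findings) { $findings | Format-Table VMName, Name, DhcpGuard, RouterGuard, MacAddressSpoofing }
else { 'All non-infrastructure adapters match the baseline' }
```

Remember that these are virtual switch port features; an adapter using SR-IOV bypasses the switch and is not covered by them.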

3.3.4 configure MAC addresses
In the Virtual Switch Manager you can set the range of MAC addresses that this host hands out to guests with dynamic MACs. Give each host its own range so two hosts do not accidentally assign the same MAC to different VMs.

You can also set an adapter with a static mac address in the VM's network adapter settings

dynamic pool:
set-vmhost -macaddressminimum 00155d08e600 -macaddressmaximum 00155d08ffff

static mac:
set-vmnetworkadapter -vmname 'VMServer' -name 'NIC 1' -staticmacaddress 00155d08e601

3.3.5 configure network isolation
Set up standard VLANs,
use a private virtual switch, or
use a Private VLAN (PVLAN): isolates VMs from each other using only two VLAN IDs, a primary and a secondary. In isolated mode a VM can reach the primary VLAN (uplink/router) but not other VMs in the same secondary VLAN; in community mode VMs sharing a secondary VLAN can talk to each other; promiscuous mode sees all of them. This is a lighter option than Hyper-V network virtualization when each customer has a single VM that simply needs isolating.

Powershell examples:

PVLAN
set-vmnetworkadaptervlan -vmname 'VMServer' -isolated -primaryvlanid 10 -secondaryvlanid 200

Standard VLANS

place all adapters on a VM in vlan 30
set-vmnetworkadaptervlan -vmname 'VMServer' -access -vlanid 30

create a trunk on a specific adapter
set-vmnetworkadaptervlan -vmname 'VMserver' -vmnetworkadaptername 'NIC 1' -trunk -nativevlanid 2 -allowedvlanidlist '1-36'
Extra note: To remove vlan tagging on an adapter, you can use:
set-vmnetworkadaptervlan -vmname 'VMServer' -untagged
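Standard VLAN isolation for several tenants, with the audit that catches the common failure: an adapter left untagged shares the switch's native VLAN with the host and every other untagged VM. This is an added example, not from the original notes; the tenant-to-VLAN mapping and VM names are assumptions.

```powershell
# Added example: put tenant VM adapters in access VLANs, trunk the router VM, and audit.
# VM names and VLAN IDs are assumptions.
$tenantVlan = @{ 'TenantA-Web' = 30; 'TenantA-DB' = 30; 'TenantB-Web' = 31 }

foreach ($vmName in $tenantVlan.Keys) {
    # Every adapter on the VM goes into that tenant's VLAN.
    Get-VMNetworkAdapter -VMName $vmName |
        Set-VMNetworkAdapterVlan -Access -VlanId $tenantVlan[$vmName]
}

# The router/firewall VM carries all tenant VLANs on one trunk; native VLAN 2 is management.
Set-VMNetworkAdapterVlan -VMName 'RRAS01' -VMNetworkAdapterName 'NIC 1' -Trunk `
    -NativeVlanId 2 -AllowedVlanIdList '30-31'

# Audit 1: tenant adapters that are untagged or in the wrong VLAN.
$bad = Get-VM | Get-VMNetworkAdapterVlan | Where-Object {
    $vm = $_.ParentAdapter.VMName
    $tenantVlan.ContainsKey($vm) -and
    ($_.OperationMode -ne 'Access' -or $_.AccessVlanId -ne $tenantVlan[$vm])
}
if ($bad) { $bad | Format-Table @{n='VM';e={$_.ParentAdapter.VMName}}, OperationMode, AccessVlanId }
else { 'All tenant adapters are in their assigned VLANs' }

# Audit 2: the full picture for the host.
Get-VM | Get-VMNetworkAdapterVlan |
    Format-Table @{n='VM';e={$_.ParentAdapter.VMName}}, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList
```

Tags only isolate traffic if the physical switch port behind the external virtual switch is a trunk that carries exactly those VLANs; a port that strips tags puts every tenant back on one broadcast domain.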


3.3.6 configure synthetic and legacy virtual network adapters 
Each VM can have up to 12 virtual network adapters. up to 8 can be network adapter type(synthetic) and up to 4 can be legacy.

Network adapter type (synthetic): relies on the guest integration components installed in the VM.
Legacy network adapter: an emulated Intel 21140 NIC for guests that do not support integration components. It is also the only adapter type that can PXE boot.

Powershell
use the -IsLegacy $true parameter on the add-vmnetworkadapter cmdlet to setup a legacy adapter.

Thursday, May 23, 2013

3. Configure Hyper-V 3.2 Create and configure virtual machine storage

3.2.1 create VHDs and VHDX
VHD: original Hyper-V image format. Max 2 TB (2040 GB).
VHDX: new in Windows 8 and 2012 (older Hyper-V cannot read it). Up to 64 TB, with a log that protects the metadata against power loss and support for 4 KB sector disks.

fixed: size is pre-allocated on disk
dynamic: can expand as it grows.
differencing: a "snapshot-like" type where a child disk holds all changes and the parent is never written to. The parent must stay unchanged, or every child becomes unusable.
First disk is considered a "virtual IDE" drive (the boot disk must be on an IDE controller). Others can be "virtual IDE" or "virtual SCSI".

Create a Virtual Disk while creating a new VM:
If you create the disk while creating a new VM (the Connect Virtual Hard Disk page) in 2012 or Windows 8 Hyper-V Manager, you only get a dynamically expanding VHDX, not a VHD or a fixed disk.

Create a virtual disk from "New virtual hard disk" option.
 Right click server, "New-> hard disk",
Choose VHD or VHDX, choose fixed, dynamic, or differencing,
Specify name and location
Configure the disk with a fixed/max size (the value accepts a minimum of 1 GB; the maximum depends on the format), or copy the contents from a physical disk or another VHD/VHDX.

Create a virtual disk using powershell
This is the only way to specify the block size and logical sector size.

The extension you specify for the filename determines whether it's a VHD or VHDX. Pick one of -fixed, -dynamic or -differencing:
new-vhd -path 'c:\vhd-store\newserver.vhd' -fixed -sizebytes 100GB
new-vhd -path 'c:\vhd-store\newserver.vhdx' -dynamic -sizebytes 100GB
new-vhd -path 'c:\vhd-store\copy.vhdx' -fixed -sourcedisk 2     (copies physical disk number 2)


3.2.2 configure differencing drives
1. Create a baseline VM and finish all your installs for it.
2. sysprep /generalize the image.
3. delete the VM but keep the parent VHD/VHDX. Set it to read-only just in case.
4. Create a child differencing disk and point it to the parent.
5. Create a VM and attach the child disk

differencing:
new-vhd -path 'c:\vhd-store\newserver.vhd' -differencing -parentpath 'c:\vhd-store\newserverparent.vhd'
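Steps 3 to 5 above for several children at once, with a check of the parent chain. This is an added example, not from the original notes; the paths, VM names and switch name are assumptions, and the parent VHDX is assumed to already hold a sysprepped image.

```powershell
# Added example: protect a sysprepped parent, fan out differencing children, build a VM on each.
# Paths, VM names and the switch name are assumptions.
$parent = 'C:\vhd-store\ws2012-base.vhdx'

# Step 3: make the parent read-only. Any write to it silently breaks every child.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

# Steps 4 and 5: one differencing child per VM, same format (vhdx) as the parent.
foreach ($name in 'web01', 'web02') {
    $child = "C:\vhd-store\$name.vhdx"
    New-VHD -Path $child -Differencing -ParentPath $parent | Out-Null
    New-VM -Name $name -MemoryStartupBytes 1GB -VHDPath $child -SwitchName 'New External Switch' | Out-Null
}

# Verify the chain: each child must report the protected parent, and the parent must be read-only.
Get-ChildItem 'C:\vhd-store\web0*.vhdx' | ForEach-Object { Get-VHD -Path $_.FullName } |
    Format-Table Path, VhdType, ParentPath, FileSize, Size
(Get-Item $parent).IsReadOnly
```

Keep the parent out of any automated patching or defragmentation job; the read-only flag stops casual edits but not an administrator who clears it.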

3.2.3 modify VHDs
1. Right click server, Edit disk.
2. browse to the location of the vhd or vhdx
3. Choose an option:
    Compact: reduces the file size of a dynamic or differencing disk by removing unused blocks.
    Convert: copies the contents to a new disk. You can switch between VHD and VHDX and between fixed and dynamic.
    Expand: increases the capacity of the virtual disk.
    Shrink (only available if there is unallocated space at the end of the disk): reduces the capacity.
    Merge (only available for differencing disks): combines a child differencing disk with its parent into a single disk.

As outlined in 1.3.5 you can mount a VHD/VHDX in Disk Management and access its contents.

powershell:
optimize-vhd (compact)
convert-vhd
resize-vhd (expand)
resize-vhd (shrink)
merge-vhd

3.2.4 configure pass-through disks
A pass-through disk is a VM disk that points at a physical drive on the host. The drive must be taken offline on the host before it appears in the VM's settings: add a hard drive to a controller and select Physical hard disk.

Powershell:
use -disknumber to point at the offline physical disk to attach
add-vmharddiskdrive -vmname Server -controllertype SCSI -controllernumber 0 -disknumber 2

3.2.5 manage snapshots
Create a new snapshot by right-clicking the VM and selecting Snapshot. This creates an AVHD or AVHDX differencing file in the snapshots folder, and all further writes go there.

Snapshots are managed in the Snapshots pane. You have the following options:
Settings - read-only except name and notes
Apply - replaces the VM's current state with the snapshot's. Anything changed since is lost unless you take a snapshot of the current state first (you are prompted to).
Revert - go back to the snapshot the VM was most recently started from or applied (the one just above "Now" in the tree).
Rename
Delete - delete a single snapshot. Its AVHD/AVHDX is merged into its parent; on 2012 this merge happens live while the VM runs, on earlier versions it waited for the next power off.
Delete snapshot subtree - deletes the snapshot and every snapshot under it.

Powershell:

Create snapshot:
checkpoint-vm -name VMserver -snapshotname 'Snapshot 1'

Apply snapshot - 
restore-vmsnapshot -name 'Snapshot 1' -VMname VMserver

Delete snapshot -
remove-vmsnapshot -name 'Snapshot 1' -VMname VMserver

Other commands: get-vmsnapshot, export-vmsnapshot, rename-vmsnapshot

3.2.6 implement a virtual Fibre Channel adapter 

Virtual Fibre Channel passes a physical FC HBA through to VMs using NPIV: each virtual HBA gets its own WWPN, and the SAN zones and masks LUNs to that WWPN rather than to the host. The HBA and its driver must support NPIV.

Create a virtual SAN using Virtual SAN Manager
Right click hyper-v server choose Virtual San Manager.
New Fibre Channel SAN. The WWNN and WWPN of the physical HBA show up; select it and apply.
Now settings of a VM, you can Add Hardware - Fibre Channel adapter.

powershell:
new-vmsan -name 'FC SAN' -worldwidenodename <wwnn of the physical HBA> -worldwideportname <wwpn of the physical HBA>
add-vmfibrechannelhba -vmname VMserver -sanname 'FC SAN'


Tuesday, May 21, 2013

3. Configure Hyper-V 3.1 Create and configure virtual machine settings

 Hyper-V overview
Type 2 hypervisor: hypervisor runs on top of OS, which runs on top of the hardware
Type 1 hypervisor: hypervisor runs on top of the hardware

When you install Hyper-V role on Datacenter or Standard, it will load the hypervisor before the OS, so it is a Type 1. The OS is then run in the parent/root "partition"

Hyper-V Server 2012 is a free product that installs only the Hyper-V role on a Server Core install. The File and Storage Services role is also installed, and the Remote Desktop Services role is available. No other roles can be installed. Guest OSes still have to be licensed as usual.

3.1.1 configure dynamic memory
Enables Hyper-V to adjust memory as VM's need it.

While VM is off, go to Settings and Memory. Check "Dynamic Memory".
Minimum RAM: the least RAM the machine will be trimmed down to after start. This can be less than startup RAM, because a running VM usually needs less than it did to boot.
Maximum RAM: the most RAM this machine can grow to.
Memory Buffer: percentage of extra RAM to keep allocated to the VM beyond what it currently uses, so it can absorb a spike without waiting for the host.
Memory weight: priority of this VM's memory allocation compared to other VMs when the host is short of RAM.

After enabling dynamic memory, these values can be changed while the VM is running.

Powershell:

View current settings for all VM's on server:
get-vm | get-vmmemory | format-table vmname, dynamicmemoryenabled, startup, minimum, maximum, buffer, priority

Output those numbers in MB instead:
get-vm | get-vmmemory | format-table vmname, dynamicmemoryenabled, @{n='Startup(MB)';e={$_.startup / 1MB}}, @{n='Min(MB)';e={$_.minimum / 1MB}}, @{n='Max(MB)';e={$_.maximum / 1MB}}, buffer, priority
  
 Now to set values on a specific vm:
set-vmmemory -vmname 'VMserv1' -dynamicmemoryenabled $true -startupbytes 4096MB -minimumbytes 2048MB -maximumbytes 8192MB -buffer 25 -priority 60

3.1.2 configure smart paging

Smart paging allows for a VM to restart/start even though it doesn't have enough physical memory to do so. It can page memory onto hard disk. This is of course slower than using physical memory.

The smart paging file location is set in a VM's settings under the Management/Smart Paging File Location node.

powershell:
set-vm -name 'VMserv1' -smartpagingfilepath 'd:\hyper-v_pagingfiles'

3.1.3 configure Resource Metering
Resource metering is a feature that will track VM usages by various criteria:

By default:
Cpu
Memory: min, max and average
Disk space
Incoming and outgoing network traffic.

Powershell:
enable-vmresourcemetering -vmname 'VMserv1'

show resource metering report:
measure-vm -vmname 'VMserver1'

You can also create resource pools and meter the pool as a whole (a resource pool type such as Memory or Ethernet is required):
new-vmresourcepool
enable-vmresourcemetering -resourcepoolname serverpool -resourcepooltype Memory
measure-vmresourcepool

3.1.4 configure guest integration services
Guest integration services is a software package that helps provide some guest OS features. This is installed on 2012 and Windows 8 by default. There is even a linux package available. Features included with Guest Integration Services:

Operating System Shutdown: enables Hyper-V Manager to shut down a guest OS gracefully from outside.
Time synchronization: synchronize the os clocks in parent and child partitions
Data Exchange: Windows OS's on parent and child partitions can exchange some information
Heartbeat: Parent partitions "ping" child partitions to see if they are up
Backup: Enables backup of windows VM by using VSS.

To Upgrade/install GIS on a Windows guest OS:
1. Select the VM to install/upgrade GIS and click Connect
2. In the VM connection window, click Action / Insert Integration Services Setup Disk. Hyper-V mounts an image of GIS.
3. Install GIS and restart computer

Once GIS is installed, you can enable/disable the services available to this machine by going into VM settings, Management/Integration Services node and checking/unchecking the GIS services.



2. Configure server roles and features 2.3 Configure servers for remote management

2.3.1 Configure WinRM
enabled by default in 2012
In Server Manager, on Local Server, Properties Tile:
Remote Managent click and check or uncheck "Enable remote management..." to enable or disable.

2.3.2 configure down-level server management

You can setup some limited management of 2008 SP2 and 2008R2 SP1 using Server Manager:
1.install .Net Framework 4.0
2.install Windows Management Framework 3.0(also installs Powershell 3)
3.set-executionpolicy remotesigned
   configure-smremoting.ps1 -enable
 4. Enable Com+ Network Access and Remote Event log Management rules

Extra note: I'm not sure if configure-smremoting.exe or enable-psremoting are available on 2008 in this case, but any of these should work.

Note that you won't be able to add/remove roles

You can also setup very limited Online view of 2008 and 2008r2 otherwise, and of 2003 by adding them to a group.

2.3.3 configure servers for day-to-day management tasks

http://technet.microsoft.com/en-us/library/hh831394.aspx

Manageability:
This section on the Dashboard will show Server Manager notifications for the associated Server Group.

Event log data collection:
For each server group in the server grouping nodes, you can manage the events to collect:
click a Server Group or Role-specific page.
On Events tile, select Tasks and Configure Event Data.
Check Critical, Error, Warning, and/or Informational
Select range to retrieve events from
If server group, select which event logs to get events from. (Role specific pages default to role logs)

You can also affect the Event alerts on the dashboard for a group/role by clicking Events in the associated dashboard tile. Event severity, sources, logs, time period, specific id's, and servers in the group.

Services alerts
You can setup alerts for services for a group in the dashboard by clicking on Services in a specific group tile.
Select Start Types, All or specific services, Service Status, and specific servers

Collect Performance Data and alerts
In a Server Group node,in Servers tile right click "Start Performance Alerts"
On Performance tile: Tasks/Configure Performance Alerts, or from Dashboard/server group tile/performance
Set CPU usage threshold fror Alert, Set Memory threshold. Set Performance Graph display period.

BPA Scan:
You can start a BPA scan from associated server group node under BPA tile.
You can also set alert criteria in the dashboard under Server Group tile.

2.3.4 configure multi-server management
Add servers by clicking Add Servers to Manage from Dashboard, or Manage, Add Server

Create a new server group from Dashboard, or Manage "Create Server Group"

2.3.5 configure Server Core
seems a bit redundant. covered in 1.2.1
WinRM is enabled by default in 2012
Enabling Win-RM:enable-psremoting
Disable Win-RM: disable-psremoting

See 2.3.6 for MMC access

Extra note: Some documentation talks about using configure-smremoting.exe -enable to enable Server Manager to remotely access 2012 Server Core installs, but I believe this is superseded by enable-psremoting, which also enables WinRM, sets up the WinRM listener, etc. Regardless, 2012 is enabled for remote management by default.


2.3.6 configure Windows Firewall
Enable for DCOM access: COM+ Network Access and Remote Event Log Management rules.
This will allow MMC components to work.

set-netfirewallrule -name 'ComPlusNetworkAccess-Dcom-In' -enabled true
set-netfirewallrule -displaygroup 'Remote Event Log Management' -enabled true
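Extra example (added here, not from the original notes): the two rules above enabled on the Domain profile only, then read back together with the port each rule opens, and a quick check that the WinRM listener from 2.3.5 answers. It assumes a domain-joined server managed from the domain network.

```powershell
# Added example, not from the original notes. Assumes a domain-joined server that is
# only managed from the domain network, so the rules are enabled on the Domain profile only.

# COM+ Network Access (DCOM) and the Remote Event Log Management group, Domain profile only
Set-NetFirewallRule -Name 'ComPlusNetworkAccess-Dcom-In' -Profile Domain -Enabled True
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Profile Domain -Enabled True

# Verify what is now open: rule name, profile, and the protocol/port each rule allows
Get-NetFirewallRule -DisplayGroup 'COM+ Network Access', 'Remote Event Log Management' -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.Name
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
        }
    } | Format-Table -AutoSize

# WinRM (enable-psremoting) is separate from DCOM; confirm the listener answers locally
Test-WSMan -ComputerName localhost
```

The port filter lookup is the useful part: it shows that the Remote Event Log Management group opens RPC endpoint mapper plus dynamic RPC ports, which is why these rules should stay scoped to the Domain profile.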


Monday, May 20, 2013

2. Configure server roles and features 2.2 Configure print and document services

2.2.1 Configure the Easy Print print driver
The Easy Print print driver redirects printing from a remote desktop session to the local client printers. It requires only that the RDS role be installed.

2.2.2 Configure Enterprise Print Management
Install Print and Document Service(Print-Services) / Print Server(Print-Server) role.

This adds a "Print Services" page to Server Manager that allows limited management:
View printer events
Manage Print Spooler service
Start performance counters
View installed print and documents roles

Most configuration and management done through Tools: Print Management

Nodes in Printer Management:

Custom Filters:
create custom views for print management

Print Servers:
Individual print server management:
1. Change who can access the print server by right-click and Properties, Security tab
2. Configure drivers (see 2.2.3)
3. Configure forms
4. Configure ports
5. Configure Printers
         a. View Printer Queue
         b. List printer in AD
         c. Deploy printer using GPO
         d. Print test page
         e. Share a printer by right clicking and "Manage Sharing"
         f. Enable Branch office direct printing.
         g. configure printer priority
         h. Use Properties/Security tab to control who has access to the printer

        
Deployed Printers:
Shows printers that have been deployed to a GPO.

Printer Sharing:
Right click printer choose Manage Sharing, or Sharing tab on properties
"Share this Printer" Printer Name
Render Print jobs on client computers: Uncheck to have this done on the server.
List in directory
Install additional drivers (V3 drivers).

When dealing with sharing, there are 3 types of driver distribution:
Enhanced Point and Print: V4-aware drivers, no need to distribute to the client.
Package Aware Point and Print: V3 distributed signed driver packages
Legacy Point and Print: v3 driver distribution
http://technet.microsoft.com/en-us/library/jj590748.aspx

Printer Migration
Migrate print servers from 2003, 2003 R2, 2008, 2008 R2

right-click root node in Print Management, Migrate printers
or
use the printbrm.exe tool

Powershell commands:
module: PrintManagement
get-command -module PrintManagement

get-printer, get-printerdriver, get-printerport, get-printerproperty, get-printjob,
get-printconfiguration
add-printer, add-printerdriver, add-printerport
rename-printer
set-printer, set-printerproperty, set-printconfiguration
remove-printer, remove-printerdriver, remove-printerport, remove-printjob
restart-printjob, resume-printjob, suspend-printjob

Extra note:
Other subfeatures of Print and Document Services: 
Distributed Scan Server - receives scanned documents from network scanners and routes them. Installs the "Scan Management" tool.
Internet Printing - installs IIS and allows users to manage their print jobs on a web site. Also allows for use of the Internet Printing Protocol (IPP).
Line Printer Daemon (LPD) - Unix-based printers

2.2.3 Configure drivers
Windows 8 and 2012 introduce new Version 4(V4) driver.
V3 drivers(Windows 2000+) still supported

V4 driver features:
Smaller disk footprint
Simplified drivers through new print class driver framework. 
Driver isolation for better crash handling
Client architecture doesn't matter.
Supports multiple devices

Delete the driver: uninstall printer driver but leaves driver package in store
Remove driver package: uninstall and remove driver package
Configure driver isolation: (if driver supports it):
          Shared - driver runs in driver shared process separate from print spooler
          Isolated - driver runs in its own process
          None - driver runs in print spooler process

2.2.4 Configure printer pooling
1.In Printer properties, ports tab, select port for each print device in the pool
2.Check enable printer pooling
Repeat for each logical printer in the pool

2.2.5 Configure Print Priorities
Printer priorities are set in the Printer properties/advanced tab. A higher priority means this logical printer will have preference over another logical printer that is pointed at the same print device.

2.2.6 Configure Printer Permissions
http://technet.microsoft.com/en-us/library/jj190062#BKMK_Delegated_Print_Admin

Print Server permissions:
View Server: View server, including printers.
Manage Server: allows for ability to create and delete print queues, add or delete ports, and add or delete forms.

Both Print Server and Printer permissions:
Print: ability to print and manage queue for their own documents
Manage Documents: Allows control for all documents in a queue, including delete
Manage Printers: assigns ability to pause/restart printer, change spooler settings, share printer, adjust permissions, and change printer properties



2. Configure server roles and features 2.1 Configure file and share access

2.1.1 Create and configure shares
Add File Server(FS-FileServer) feature role
For advanced features, install FSRM
For NFS shares, install Server for NFS

In Explorer
Right click folder, share with. Right click, properties,  sharing to manage. Use Advanced Sharing for caching options, or to setup a second share name for the same folder

In Server Manager
Share "Template" profiles
SMB Share - Quick = standard share
SMB Share - Advanced (requires FSRM installed)= advanced settings
SMB Share - Applications = SMB share with application permissions for server apps.
NFS share - Quick(requires Server for NFS feature) = Basic NFS share for unix compatibility. can set advanced options later
NFS share - Advanced (requires Server for NFS feature and FSRM)= 

SMB Share - Quick: Point to share location, then give it a name. Setup settings include:
Access-based Enumeration, Caching(and Branchcache), Encrypt data access

SMB Share - Advanced(FSRM) adds settings:
Management properties - folder usage value
Quota - setup FSRM quota from template

NFS options add
Specify Authentication Methods
Specify share permissions

Create:
Right click  Volumes/Volumes Tile or Shares/shares tile and select New Share.

Manage:
From Volumes tab, right click share tile and properties on a share.
From Shares tab, right click share and properties.


Powershell commands:
get-smbshare, new-smbshare, set-smbshare, remove-smbshare

There are similar commands for NFS shares.

2.1.2 Configure share permissions
Share permissions: (Full Control, Change, Read:) Allow or deny.
Configure through explorer, or server manager on property sheet
Share permissions combined with NTFS permissions : most restrictive is applied.

Powershell:
get-smbshareaccess, grant-smbshareaccess, revoke-smbshareaccess, block-smbshareaccess, unblock-smbshareaccess.

2.1.3 Configure offline files
Enable "allow caching of share"
Enable Branchcache if needed

powershell:
get-smbshare -name sharename | format-table name, path, cachingmode

set-smbshare -name sharename -cachingmode None or Manual or Documents or Programs or Branchcache or Unknown

2.1.4 Configure NTFS permissions
Change NTFS permissions on Security tab of folder/file/drive properties
In Server Manager, you can only edit NTFS permissions on a shared folder

Allow permissions combine from different sources
Deny permission override Allow permissions, regardless of source
Explicit permissions that are set will override inherited permissions.
To view the effective access for a user, group, or device, click Advanced on the NTFS permissions Security tab, then Effective Access.
Disable Inheritance on Advanced on the security tab.

Six Basic permissions that are made up of various advanced permissions
Full Control: all advanced permissions
Modify: all permissions except "Delete subfolders and files","Change permissions", "take ownership"
Read & Execute: "Traverse folder/Execute file", "List folder/Read data", "Read attributes", "Read extended attributes", "Read permissions", "Synchronize"
List Folder contents(only seen on Folder permissions): same as Read & execute but applies to folders only
Read: Read & Execute permission without the "Traverse folder/Execute file" permissions
Write: "Create files/Write data", "Create folders/Append data", "Write attributes", "Write extended attributes", "Read permissions", "Synchronize"

Fourteen advanced permissions:
Traverse Folders/Execute File: Traverse folder lets you directly access files in a folder even if you don't have explicit permission to view its data. Execute file runs an executable file.
List Folder/Read Data: list folder contents, read contents of file.
Read Attributes: view basic attributes of file or folder: Read-Only, Hidden, System, Archive
Read Extended Attributes:  View extended attributes/named data streams.
Create Files/Write Data: Create new files in a folder. Write allows overwriting data in a file.
Create Folders/Append Data: Allows creating subfolders. Append data lets you add data to end of file.
Write Attributes: change Read-Only, Hidden, System, Archive attributes
Write Extended Attributes: change advanced attributes/named data streams
Delete subfolders and files (folder permissions): Lets you delete the contents of a folder. Overrides specific "Delete" permissions in that folder
Delete: delete a file or subfolder
Read Permissions: Read basic and special permissions assigned to file or folder
Change Permissions: Change the permissions on file or folder
Take Ownership: You can change yourself to owner of a file or folder if you have this permission. Administrators can always take ownership regardless of permissions.

Powershell:
get-acl, set-acl

2.1.5 Configure access-based enumeration (ABE)
Configured in Server Manager

Powershell:
get-smbshare -name sharename | format-table name, path, folderenumerationmode
set-smbshare -name sharename -folderenumerationmode  AccessBased or Unrestricted
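Extra example (added here, not from the original notes) that strings 2.1.1 through 2.1.5 together: create a share, set share permissions with no Everyone entry, turn caching off and access-based enumeration on, then break NTFS inheritance and grant explicit rights. The folder, share and group names are placeholders.

```powershell
# Added example, not from the original notes. Placeholders: D:\Shares\Finance, share name
# Finance, domain CONTOSO, groups CONTOSO\Finance-Users and CONTOSO\Finance-Admins.
$path  = 'D:\Shares\Finance'
$share = 'Finance'
New-Item -Path $path -ItemType Directory -Force | Out-Null

# 2.1.2 share permissions. Share and NTFS combine to the most restrictive, so grant the
# share to the two groups only and let NTFS do the fine-grained restricting.
New-SmbShare -Name $share -Path $path -FullAccess 'CONTOSO\Finance-Admins' -ChangeAccess 'CONTOSO\Finance-Users'
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2.1.3 no offline caching of this data; 2.1.5 users only see what they can open
Set-SmbShare -Name $share -CachingMode None -FolderEnumerationMode AccessBased -Force
Get-SmbShare -Name $share | Format-Table Name, Path, CachingMode, FolderEnumerationMode -AutoSize

# 2.1.4 NTFS: disable inheritance and discard the inherited ACEs, then add explicit rules.
# Explicit Modify (no Change permissions / Take ownership / Delete subfolders and files) for users.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\Finance-Admins', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CONTOSO\Finance-Users',  'Modify',      $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $path -AclObject $acl

# Read back: every ACE should now show IsInherited = False
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Disabling inheritance with the second argument $false throws away whatever D:\Shares granted (often Users: Read & Execute), which is what you want on a share holding restricted data; pass $true instead if you only want to add to the inherited set.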

2.1.6 Configure Volume Shadow Copy Service (VSS)
VSS is a feature specific to NTFS that keeps "shadow" copies of files and is configured per volume. Files are copied to a "shadow store" during a specific time set by a schedule. Used with shared folders to restore files.

Two independent features of VSS:
1. Allows you to enable VSS on volume so that users can revert to earlier versions of files.
2. This feature also allows backup programs to back up open or locked files. You do not have to enable VSS on a volume for this second feature to be in effect, as long as the backup program supports the VSS API.

Right click a volume, and select properties and Shadow copies. Enable a volume here. In settings, you can set the shadow store for this volume on another volume, and configure size.

2.1.7 Configure NTFS quotas
Set storage limits for users on a volume. For more specific quotas, you should use the File Server Resource Manager tool(FSRM). However, this objective only refers to NTFS quotas. This is a feature of the NTFS file system directly. Administrators are unaffected by quotas but you can still setup warnings for them.

In file explorer, right click a volume and properties. Select "Quota" tab.
Enable Quota Management: Allows for NTFS quotas
Deny disk space: Will stop users from exceeding their set levels(if unchecked, you can still setup warnings)
Limit disk space/Set Warning Level
Log Event when exceeding quota limit
Log Event when exceeding warning threshold
Quota entries (also accessible in Disk Management): Show individual users that have data on the volume, or you can add new entries for a user

Sunday, May 19, 2013

Curiosity killed the cat: Enabling/Disabling File Sharing Part one

By default, 2012 Server disables the File and Printer Sharing group of rules in windows firewall. This means that you won't be able to get to shares, including the  administrative shares, and by default, you won't be able to ping the server either.


"NO SMB FOR YOU!"
There are multiple ways to enable these rules and get SMB(and therefore, File and Print Sharing) up and running.

Install a role/feature
 
The first is to install a server role/feature that adds, and enables, its own firewall rule, usually for port 445 (direct SMB), like the File Server role. Even though the "File and Printer Sharing" rule group may still be disabled, SMB will be enabled. I'll talk more about that in part 2.

Windows Firewall
 
The second is to go into Windows Firewall with Advanced Security, Inbound Rules, sort by Group, and enable all of the "File and Printer Sharing" rules. That was easy. The problem with this method is that it enables File and Printer Sharing for all of the windows firewall profiles: domain, public, private. You can further go into the properties of each rule in the set, click on Advanced tab, and uncheck public and private profiles. This would be a better option, since it assigns the rules to Domain profile only. Since the other profiles have no inbound rules for this set, they are blocked implicitly.

Advanced Sharing Settings
 
The third is to use the familiar Change Advanced Sharing Settings in Network and Sharing Center in Control Panel. But enabling a profile option here for file sharing just enables the "File and Printer Sharing" rules for the Windows Firewall profile! But you have individual control of rules for each profile. More on that in a bit.


GUI is all well and good unless you installed Server Core. The next options will help you with that!

Command Line
A fourth option is to use the netsh utility from the command line:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
This will also enable these rules for all Firewall profiles.

Powershell 3

A fifth option is to use Powershell 3. Before, you could do it through WMI, but in 2012 we have cmdlets in the new NetSecurity module. To do the same as the above netsh command:
get-netfirewallrule -displaygroup 'File and Printer Sharing' | enable-netfirewallrule

The problem with this, again, is that it enables these rules for all Firewall profiles. So, how about enabling it for the Domain profile only, and then the other two profiles would block implicitly because they have no inbound rules, like so:
set-netfirewallrule -displaygroup 'File and Printer Sharing' -profile Domain -enabled true


There we go. But, it's still only one set of rules! This sets my OCD off. Why does changing multiple profiles in the "Advanced Sharing Settings" GUI create individual rules for each profile? Well, because it copies the rule set into new rules.

Take a fresh install (or revert your firewall rules to Default in Windows Firewall). Now go into Advanced Sharing Settings and enable file and printer sharing under Domain profile. This is what the rules in the "File and Printer Sharing" group look like now:


It copied all of the rules to new rules, and assigned the Domain profile to them. Since the "Name" property has to be unique, it assigns GUIDs to the new rules. But it kept Private and Public profiles assigned to the original rules. If you go back into the Advanced Sharing Settings and enable, then disable "file and printer sharing" under Private profile, it will break out the profiles even further by copying over another set:


So, back to my OCD. Taking a fresh install, I wanted to split out the profiles into individual rule sets using powershell. After much tinkering, this is what I came up with:

get-netfirewallrule | where {($_.displaygroup -eq 'File and Printer Sharing') -and ($_.profile -eq 'Any')} |
set-netfirewallrule -profile public -passthru |
foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} |
set-netfirewallrule -profile private -passthru |
foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} |
set-netfirewallrule -profile domain -passthru |
enable-netfirewallrule

Not the prettiest thing in the world, but it seems to work just fine! This set of cmdlets starts with a rule set it gets from get-netfirewallrule, filtering it down to only the "File and Printer Sharing" group, and only if they are assigned to the Any/All profile, as you would expect with a fresh install. It passes this rule set to set-netfirewallrule, which changes these original 16 rules to the "public" profile. Next, we use foreach-object with copy-netfirewallrule so we can give each individual rule a new GUID for a name. After this, the original rules (not the copies) are passed on and set-netfirewallrule sets them to the private profile. These rules again are copied to new rules, and the original rules are sent through the pipeline where they are finally set to the Domain profile and enabled. The final result:


OCD satisfied! Since I'm still learning powershell scripting, my next goal is to create a script that will mimic the "Advanced Sharing Settings" GUI. I'll probably call it ASS for short.

One last note: For as long as I can remember, you can disable file and printer sharing on each network interface individually. This will trump anything else in reference to traffic that hits that NIC. And you can still do it in 2012:
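Extra example (added here, not from the original post): a read-only audit of the state the pipeline above leaves behind, plus the per-NIC binding check for the "one last note". It lists the File and Printer Sharing rules per profile, counts how many inbound rules are enabled on each profile, shows which profile each NIC is actually in, and reads the File and Printer Sharing binding on each adapter. The adapter name in the commented-out lines is a placeholder.

```powershell
# Added example, not from the original post. Everything runs read-only; the two commented-out
# lines at the end change state and assume an adapter named 'Ethernet 2' (placeholder).

# 1. One line per rule, grouped by profile. After the pipeline in the post you should see three
#    copies of each rule (Public, Private, Domain) with only the Domain copies enabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Sort-Object Profile, DisplayName |
    Format-Table DisplayName, Profile, Enabled, Direction, Action -AutoSize

# 2. Enabled inbound rules per profile: Public and Private should report 0 enabled
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Group-Object Profile |
    ForEach-Object {
        [pscustomobject]@{
            Profile = $_.Name
            Rules   = $_.Count
            Enabled = @($_.Group | Where-Object { $_.Enabled -eq 'True' }).Count
        }
    } | Format-Table -AutoSize

# 3. Which profile each connected NIC is in. A Domain-only rule set does nothing on a NIC
#    that the firewall has classified as Public.
Get-NetConnectionProfile | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

# 4. Per-NIC binding. ms_server is "File and Printer Sharing for Microsoft Networks";
#    unbinding it on an adapter stops SMB serving on that adapter regardless of firewall rules.
Get-NetAdapterBinding -ComponentID ms_server | Format-Table Name, DisplayName, Enabled -AutoSize

# To unbind on one adapter (placeholder name) and confirm:
# Disable-NetAdapterBinding -Name 'Ethernet 2' -ComponentID ms_server
# Get-NetAdapterBinding -Name 'Ethernet 2' -ComponentID ms_server
```

Step 3 is the one people skip: a server whose NIC landed in the Public profile (no domain controller reachable at boot) will happily ignore a Domain-only rule set, so check the profile before concluding the rules are broken.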

Saturday, May 18, 2013

Curiosity killed the cat: Getting distracted by the File Server role feature

Note: "File and Printer Sharing" firewall rules are disabled by default on a new install of 2012. This article assumes that these rules have been enabled.  I'll cover more about that in the next article.

While working on the 2.1 study notes, I've been distracted by a couple of quirks of windows. The first has to do with the File Server role feature in 2012. 

The first thing to note is the File and Storage Services (FileAndStorage-Services) role itself, and the Storage Services (Storage-Services) role feature, are installed by default, and as far as I can tell cannot be removed.

Now, say you want to share a folder. A lot of documentation will tell you that you need to install the File Server (FS-Fileserver) first. I don't think you actually do (more on that in a bit), as long as you've enabled the File and Printer Sharing firewall rules. However, if you don't have it installed and you attempt to share out a folder, the feature will be "automagically" installed (along with its parent feature role: File and iSCSI Services)! (This feature also adds some new firewall rules in the "File and Remote Management" group; I'll also cover these in the next article.) In the following example, I use new-smbshare, but you could also create one in the GUI.

File Server not installed, make folder, share folder, file server now installed!

(Note that even without fs-fileserver installed, the admin shares installed by default are still available remotely. For instance, you can still get to \\server\C$)

I don't yet know if there is a way to disable this automatic install process, but I think you can trick it into not installing.  Use the -remove switch with uninstall-windowsfeature. (Note: before removing file server feature role, you will have to remove any non-system shares). But as outlined in 1.1.5 regarding features on demand, shouldn't it just use Windows Update as source to reinstall when you create a share? I'm actually not sure about this, since I'm using the MS virtual labs right now with no internet access.


File Server removed from SxS, mkdir folder, share folder, File Server still removed
Look Ma, no File Server role feature and I can share out folders! But wait, File and iSCSI Services now shows as installed! What kind of trickery is this? I really have no idea. What I do know is that without the FS-Fileserver role installed, you won't be able to view the share in Server Manager, and I'm sure some other advanced functionality is missing. You can still browse to it from other computers, change settings in explorer, and use get-smbshare to see it.

Of course the real mystery here might be why I spent so much time on this!

Thursday, May 16, 2013

1. Install and Configure Servers 1.3 Configure Local Storage

Server manager is the only GUI tool that can manage storage pools and create virtual disks. It can also perform some of the other disk and volume management, but not all of them. Disk Management (diskmgmt.msc or expand from Computer Management) can still be used, as well as the command line diskpart.exe.

Reference for Powershell 3 Storage cmdlets :http://technet.microsoft.com/en-us/library/hh848649.aspx

1.3.1 Design Storage Spaces

Storage Spaces are MS's new SAN-like virtual storage pool technology, available in 2012 and Windows 8. You create a pool of disks, and then create spaces on those disks, which are presented as volumes to the system.

Storage Spaces facts:
1. you can use internal or external SATA or SAS drives
2. storage spaces can be thin provisioned (meaning the max space can be larger than available space. Used space is provisioned as it's used)
3. storage spaces are stored as vhd files.
4. offers two types of redundancy: parity and mirrored.
5. storage can be dynamically added to the pool
6. storage pools can be shared among nodes in a cluster
7. can be used with ReFS
8. Microsoft recommends using Storage Spaces instead of dynamic disks
9. data is stored in allocated unit size of storage, called "slabs" by MS, across drives.

Storage Spaces can be configured in Server Manager or Powershell.


Extra notes: Storage space management is enabled by the Storage Services role service, which is part of the File and Storage Services role. This includes extensions for Server Manager, Powershell API and WMI, SMP interfaces for Storage Spaces, and a Pass-through API for extensibility.

1.3.2 Configure Basic and Dynamic Disks

About basic disks

basic disks can only be used to create simple volumes - space from a single disk.

the first three volumes on a basic disk setup in MBR partition style will be created as "Primary Partitions". The fourth volume created will create an "Extended Partition", which will span the rest of the space on the drive(even if the 4th volume does not fill all of the space). Any other volumes created will be created inside this extended partition.

In GPT partition style, a basic disk can have up to 128 volumes that are created as primary partitions. It does not use extended partitions.

About dynamic disks

dynamic disks create one partition that spans the entire disk, but allows for the creation of unlimited volumes within this partition. for this reason, you cannot mark a dynamic disk as "active".


dynamic disks also support several other types of volumes other than simple:

Spanned: consists of space from 2-32 physical dynamic disks. Windows will fill each drive one at a time, so this does not improve performance

Striped: Consists of space from 2-32 physical dynamic disks. Data is striped across all of the drives, which improves performance.

Mirrored: This will mirror data between two dynamic disks. The system will read/write from both disks at the same time.

Raid-5: requires 3 or more dynamic disks, data is striped across but the last stripe is used for "parity" data. This allows for fault tolerance in that one drive can fail and the data will be ok. Write performance suffers in comparison to "Striped" due to parity.

Notes before configuration:

If you initialize a disk, Server Manager will default to a Basic disk and GPT partition style. There is no ability to convert from basic to dynamic here. In addition, dynamic disks will not show up in Server Manager or using the "get-disk" command in PS 3! This makes sense, considering MS really wants you to use storage spaces instead of dynamic disks. There's also no way to create/convert to MBR partition style in Server Manager (although you can in PS 3!). Note that any volumes created on a dynamic disk will show up in Server Manager, even if the disk doesn't.

Configure a Basic Disk in Server Manager:

Click on File and Storage Services. Click the Disks tab. on the Disks tile, right click the drive and select "Bring Online" if it is offline. Then right-click and "initialize disk". This will initialize the disk as a basic disk with GPT partition style. If you need to convert, you can use disk management.

Configure a Basic Disk in Disk Management

Right click the Disk tab and click "Online" if it is currently Offline. Right-click and select "Initialize Disk". Put a checkmark next to this disk, and choose MBR or GPT as your partition style. You now have a basic disk.

Configure a Basic Disk in Powershell 3

First retrieve a listing of disks and take note of the disk's "number"
get-disk

If the disk is offline, bring it online:
set-disk -number # -isoffline $false

Now initialize:
initialize-disk -number # -partitionstyle GPT 
or
initialize-disk -number # -partitionstyle MBR

Configure a Dynamic Disk in Disk Management

Right click the disk and choose "Convert to dynamic disk". Checkmark the specific disk to convert. Click OK.

Converting between Dynamic Disk and Basic Disk in Disk Management
You can convert between the two by right clicking the disk and selecting "Convert to dynamic disk" or "Convert to basic disk". You cannot convert from dynamic to basic if there are volumes existing on the disk. You can convert from basic disk to dynamic with existing volumes, but none of the partitions can be marked as active.

Extra notes: You can reset a disk to its uninitialized state with no partition style by right clicking the drive in the "Disks" tile in Server Manager and selecting "Reset Disk". Or you can use the clear-disk command in PS 3. Remember, this is a destructive process! But it's good to know if you are running through these commands in a lab.

1.3.3 Configure MBR and GPT disks

You cannot create or convert MBR partition style in Server Manager. (Although you can view, in the Disks tile, which partition style a disk is by clicking Add Criteria and checking Partition). You can't convert from MBR to GPT in Server Manager either.

Remember that because converting from MBR to GPT is a destructive process, you have to delete any partitions/volumes on the drive first. 

In Disk Management, you simply right click the disk and select "Convert to GPT" or "Convert to MBR".
In powershell 3, if the disk is uninitialized, you can create either partition-style when you use the initialize-disk command. If you don't specify a partitionstyle, it defaults to GPT.

If you need to convert an initialized disk, you use the set-disk command. You cannot use set-disk to change the partition style on an uninitialized disk.
set-disk -number # -partitionstyle GPT or MBR

1.3.4 Manage Volumes
See 1.3.2 for types of basic and dynamic volumes. You should be familiar with creating these in disk management.

Creating a volume in Server Manager
Go to either the volume or disks tile, click Tasks dropdown(or in disk tile, right click a disk), select "new volume". On "server and disk" select the disk to create the volume on. Set the size. Set the drive letter. Format as NTFS or ReFS. You can also enable data deduplication.

Creating a volume in Powershell 3
Use get-disk to return the correct drive number.

use new-partition to create a new partition. examples:
new-partition -disknumber 1 -assigndriveletter -usemaximumsize
This will create a partition on disk number 1 using the max available space (it is formatted, NTFS by default, in the next step). Use the -size parameter to specify a size in bytes, KB, MB, GB, or TB:
new-partition -disknumber 5 -assigndriveletter -size 50GB
You can specify a drive letter with the -driveletter parameter instead of -assigndriveletter.

Now we format:
format-volume -driveletter F
this will default to NTFS. You can specify filesystem with -filesystem parameter

Other volume options in Server Manager:
If you right click on a volume, you get a number of options:
New Share, New iSCSI virtual disk, scan file system for errors, Manage drive letter and access paths, Format, extend volume, Delete volume. Configure Data Dedup, and Properties.

Removing a volume in Powershell
remove-partition -driveletter F (where F is the letter of the partition to remove; this is destructive)

Extra notes:
To return the free space available on a disk(largestfreeextent in bytes), you can use:
get-disk | format-table number, operationalstatus, numberofpartitions, largestfreeextent -autosize

You can always pipe your new partition into the format command to get it all done on one line:
new-partition -disknumber 5 -assigndriveletter -usemaximumsize | format-volume
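Extra example (added here, not from the original notes) that puts the 1.3.2 to 1.3.4 PowerShell steps together with guard rails, since initialize-disk, clear-disk and format-volume are all destructive: it refuses to touch the system/boot disk or any disk that already has a partition style or partitions, then brings the disk online, initializes it as GPT, partitions and formats it in one pipeline. The disk number and label are placeholders.

```powershell
# Added example, not from the original notes. Placeholder: disk number 1 is assumed to be the
# new, empty disk; check get-disk first and set $diskNumber accordingly.
$diskNumber = 1
$label      = 'Data'

$disk = Get-Disk -Number $diskNumber

# Guard rails: never the OS disk, and only a never-initialized (RAW) disk with no partitions
if ($disk.IsSystem -or $disk.IsBoot) {
    throw "Disk $diskNumber is the system/boot disk; refusing."
}
if ($disk.NumberOfPartitions -gt 0 -or $disk.PartitionStyle -ne 'RAW') {
    throw "Disk $diskNumber already has partition style $($disk.PartitionStyle) or partitions; refusing."
}

# New disks often come up offline and/or read-only
if ($disk.IsOffline)  { Set-Disk -Number $diskNumber -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number $diskNumber -IsReadOnly $false }

# Initialize as GPT (the Server Manager default), one partition using all space, assign a
# letter, format NTFS. Swap -PartitionStyle MBR or -FileSystem ReFS as needed.
$volume = Initialize-Disk -Number $diskNumber -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $label -Confirm:$false

$volume | Format-Table DriveLetter, FileSystemLabel, FileSystem, Size -AutoSize

# Confirm, including the free space left on the disk (LargestFreeExtent in bytes, as in the note above)
Get-Disk -Number $diskNumber |
    Format-Table Number, PartitionStyle, OperationalStatus, NumberOfPartitions, LargestFreeExtent -AutoSize
```

The RAW check is the important one in a lab that reuses disks: a disk that was reset with clear-disk is RAW again, but a disk you merely took offline still carries its partition style and data and will be rejected rather than wiped.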

1.3.5 Create and Mount Virtual Hard Disks (VHD)

VHD: Supported up to 2048 GB in size
VHDX: Supported up to 64 TB in size. Resilient to power failure. Not supported pre-2012

Using disk management
Go to Action on menu, select "Create VHD". Browse to location for the new VHD and give it a name. Choose the size of the VHD. Choose whether you want VHD or VHDX. Choose Fixed size or Dynamic size. Click OK. The VHD will be created and attached as a new disk.
To attach a VHD, go to Action on menu and select "Attach VHD".
To detach a vhd, right click the VHD disk and select "Detach VHD".

1.3.6 Configure Storage Pools and Disk Pools

Creating a storage pool in server manager
In Server Manager, go to File and Storage icon, click Storage Pools. In the Storage Pools tile, the primordial space is available disks that are qualified to be pooled. Right click (or Tasks) and "New Storage Pool". Under Storage Pool Name, give your new pool a name. Select the disks to be used in this pool. Confirm and create.

Managing pool in Server Manager:
Under Physical Disks tile, you can Tasks/Add Physical Disk, or you can right click a disk and remove it from the pool. Removing a disk can cause warnings/errors as the system will attempt to rebuild the pool and you may not have enough space.

Create a new pool in Powershell:
This is a little tricky.

First get your storage subsystem friendly name out of 
get-storagesubsystem
For our example, the friendlyname is "Storage Spaces on SERVER"

now, figure out which disks you want to pool using
get-physicaldisk
For our example, we want to pool physicaldisk1, physicaldisk2, and physicaldisk3.

new-storagepool -friendlyname NewPool -storagesubsystemfriendlyname "Storage Spaces on SERVER" -physicaldisks (get-physicaldisk physicaldisk1, physicaldisk2, physicaldisk3)

this is tricky because you can't just use the friendlynames of the disks in the -physicaldisks parameter. You have to actually pass it the disk objects from get-physicaldisk.

Manage a Storage pool in Powershell
get-storagepool
add-physicaldisk
remove-physicaldisk

Creating a new virtual disk in Server Manager
Click on the virtual disk tile, go to tasks, and "New Virtual Disk". Select the storage pool. Give the disk a name. Select your storage layout: simple, mirror, parity. Choose thin or fixed provisioning. Specify a size. Now you have a new disk you can create volumes in.

Creating a new virtual disk in Powershell
get the friendly storage pool name:
get-storagepool

new-virtualdisk -friendlyname NewDisk -storagepoolfriendlyname NewPool -size 20GB
This will create a 20 gig mirrored disk named NewDisk
To switch to simple or parity, use the -resiliencysettingname parameter

other commands: get-virtualdisk, remove-virtualdisk

Extra notes:

Here's another example that would create a pool using all available drives that can be pooled. This may not be ideal for your situation:
new-storagepool -friendlyname NewPool -storagesubsystemfriendlyname "Storage Spaces on Server" -physicaldisks (get-physicaldisk -canpool $true)
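Extra example (added here, not from the original notes) for 1.3.6: build a pool from whatever the subsystem reports as poolable, put a thin-provisioned parity virtual disk on it, and verify pool, virtual disk and physical disk health. It looks the subsystem up by object instead of typing the "Storage Spaces on SERVER" name, and assumes at least three poolable disks; the pool and virtual disk names are placeholders.

```powershell
# Added example, not from the original notes. Placeholders: pool 'DataPool', virtual disk 'DataVD'.
# Parity needs three or more disks, so the script stops early if fewer can be pooled.
$poolName = 'DataPool'
$vdName   = 'DataVD'

# Candidate disks: only those the subsystem marks poolable (not the OS disk, not already in a pool)
$candidates = @(Get-PhysicalDisk -CanPool $true)
$candidates | Format-Table FriendlyName, MediaType, Size, HealthStatus -AutoSize
if ($candidates.Count -lt 3) { throw "Parity needs at least 3 poolable disks; found $($candidates.Count)." }

# Pass the subsystem by UniqueId rather than retyping its friendly name
# ("Storage Spaces on <server>" in 2012; later releases name it "Windows Storage on <server>")
$subsystem = Get-StorageSubSystem |
    Where-Object { $_.FriendlyName -like 'Storage Spaces*' -or $_.FriendlyName -like 'Windows Storage*' }
New-StoragePool -FriendlyName $poolName -StorageSubSystemUniqueId $subsystem.UniqueId -PhysicalDisks $candidates

# Thin-provisioned parity space: survives one disk failure, space allocated in slabs as it is used
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdName `
    -ResiliencySettingName Parity -ProvisioningType Thin -Size 100GB

# Verify: pool health and allocation, virtual disk resiliency and footprint, physical disk usage
Get-StoragePool -FriendlyName $poolName |
    Format-Table FriendlyName, HealthStatus, OperationalStatus, Size, AllocatedSize -AutoSize
Get-VirtualDisk -FriendlyName $vdName |
    Format-Table FriendlyName, ResiliencySettingName, ProvisioningType, Size, FootprintOnPool, HealthStatus -AutoSize
Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk |
    Format-Table FriendlyName, Usage, HealthStatus -AutoSize

# The virtual disk now appears in get-disk like any other disk; initialize/partition/format it as in 1.3.4
Get-VirtualDisk -FriendlyName $vdName | Get-Disk |
    Format-Table Number, FriendlyName, PartitionStyle, OperationalStatus -AutoSize
```

FootprintOnPool is worth a look after the create: for parity it is larger than the virtual disk size, which is the cost of the extra stripe that lets one disk fail.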

Wednesday, May 15, 2013

1. Install and Configure Servers 1.2 Configure Servers

1.2.1 Configure Server Core

Set a new password - 

You will be prompted the first time. You can always change it later with Ctrl-Alt-Delete/Change Password.

Set a static IP address -

get-netipinterface - to determine the interfaceindex of the network adapter you want to change.

new-netipaddress -interfaceindex ## -ipaddress 192.168.1.10 -prefixlength 24 -defaultgateway 192.168.1.1

(prefixlength is the subnet mask in CIDR format).

set-dnsclientserveraddress -interfaceindex ## -serveraddresses 192.168.1.90, 192.168.1.91

related commands: get-netipaddress, remove-netipaddress, get-netipconfiguration

Join a domain

The old-school method was netdom join, but I'm going to assume the test will ask about the current PowerShell method, which is add-computer, for example:
add-computer -domainname contoso.com

Rename computer

rename-computer

Activate the server

TechNet still says to use slmgr.vbs. Is there really no cmdlet for this?

Configure windows firewall

check if enabled:
get-netfirewallprofile | format-table name, enabled

to enable the profiles
set-netfirewallprofile -profile domain, public, private -enabled true

to set a rule

set-netfirewallrule

create a new rule:
new-netfirewallrule

Enable Windows Powershell remoting

This one is super important. I think it's enabled by default, but this is how you will access the server core from a remote computer via powershell to do things like "invoke-command".
enable-psremoting
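The Server Core steps above (static IP, DNS, firewall, remoting, domain join) as a single first-boot script that also confirms the firewall profiles really are on. This is an added example, not from the original post; the adapter alias, addresses, domain name and computer name are assumptions.

```powershell
# Added example (not from the original post): one-pass configuration of a
# Server Core box. Adapter alias, addresses, domain and name are assumptions.
$alias   = "Ethernet"
$ifIndex = (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4).ifIndex

# Static IPv4 address (prefixlength 24 = 255.255.255.0) and DNS servers
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress 192.168.1.10 `
    -PrefixLength 24 -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceIndex $ifIndex `
    -ServerAddresses 192.168.1.90, 192.168.1.91

# Keep all three firewall profiles on, then refuse to continue if any is off
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne "True" }
if ($off) { throw "Firewall profile(s) still disabled: $($off.Name -join ', ')" }

# Remoting: starts WinRM automatically and adds its firewall rules
Enable-PSRemoting -Force

# Rename and join in one step; -Credential prompts for a domain account
Add-Computer -DomainName contoso.com -NewName CORE01 `
    -Credential (Get-Credential contoso\Administrator) -Restart
```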

Extra Note:

You can use sconfig.cmd to configure some basic settings through a menu. 

1.2.2 Delegate Administration

No clue why Microsoft puts this in this section, since it is AD related. Shouldn't it be in "Install and administer Active Directory?" Maybe they just want you to know that you cannot delegate using ADAC. And I assume they aren't talking about the Kerberos computer delegation. Anyways, unless I am missing some new 2012 feature, everything seems to point to this covering the old AD Delegation of Control Wizard.

You cannot do delegation with ADAC (however, you can access the security ACL there if you want to view delegation). You can delegate administration of an OU by using the Delegation of Control Wizard in ADUC. Since the delegation wizard just sets ACL security settings, you can view the "delegations" by selecting "Advanced Features" under View, then right-clicking the OU, selecting Properties and going to the Security tab. The built-in tasks for an OU that you can delegate with the Delegation of Control Wizard:
Create, Delete, and Manage User Accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, manage groups
Modify the management of a group
Manage Group Policy Links
Generate Resultant Set of Policy (Planning)
Generate Resultant Set of Policy (Logging)
Create, delete, and manage Inetorgperson accounts
Reset inetOrgPerson passwords and force password change at next login
Read all inetOrgPerson information

You can also create a custom task to delegate

You can also run the Delegation of Control Wizard in ADSS and delegate sites.

Delegation tasks with their associated permissions are found in the c:\windows\system32\delegwiz.inf file
(You can create new ones here)
For more information than you probably need to know for this test, check out Appendix G: Active Directory Delegation Tools and Appendix A: Active Directory Administrative Tasks
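Since the wizard only writes ACEs, the delegations on an OU can be audited by reading its ACL and keeping the entries that are not inherited. This is an added example, not from the original post; it assumes the ActiveDirectory module and an OU path of OU=Sales,DC=contoso,DC=com.

```powershell
# Added example (not from the original post): list what has been delegated on
# an OU by reading its ACL, which is all the Delegation of Control Wizard writes.
# Requires the ActiveDirectory module; the OU path is an assumption.
Import-Module ActiveDirectory
$ou = "OU=Sales,DC=contoso,DC=com"

# The AD: drive exposes directory objects; Get-Acl returns the security descriptor
$acl = Get-Acl -Path "AD:\$ou"

# Extended rights and property sets (e.g. Reset Password) appear as GUIDs in
# the ACE ObjectType; build a GUID -> display name map from the configuration NC
$rightsMap = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties rightsGuid, displayName |
    ForEach-Object { $rightsMap[[guid]$_.rightsGuid] = $_.displayName }

# Inherited ACEs come from parent containers; explicit Allow ACEs are the
# delegations set on this OU itself
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq "Allow" } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{ n = "ObjectRight"; e = {
            if ($_.ObjectType -ne [guid]::Empty -and $rightsMap[$_.ObjectType]) {
                $rightsMap[$_.ObjectType]
            } else { $_.ObjectType } } } |
    Format-Table -AutoSize
```

Schema attribute GUIDs (single-attribute grants made as a custom task) are not in the extended-rights container and are printed as raw GUIDs.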

1.2.3 Add and remove features in offline images

The VHD must contain Windows Server 2012.
The VHD cannot have more than one system volume or partition.

If you choose to mount a VHD from a share, you must give the mounting computer Read/Write permissions to the share.

Using Server Manager:
Manage, Add Roles and Features Wizard. Select Role-based or feature-based install Next, select "Select a virtual hard disk". (The instructions on this dialog are nice enough to tell you about the share permissions). Select a server from the pool that will mount the image. Then select the VHD image.  After that it's selecting the roles/features. As always, you can select an alternate source for the feature files.

Using Powershell
run install-windowsfeature with the -computername parameter to tell it what server will mount the vhd, or it will default to local. add the -vhd  with the path to the offline VHD image. As above, if it is a share, you need to give R/W permissions to the share to the mounting computer account. 


1.2.4 Deploy roles on remote servers

Shouldn't this go before the last one?  Crazy MS. In Server Manager, like above except under "Server Selection", you select "Select a server from the server pool". In powershell, you just run install-windowsfeature with the -computername except this time computername refers to the remote server you want to install the role/feature on. ie. install-windowsfeature WDS -computername remoteserver1 -restart.

1.2.5  Convert Server Core to/from full GUI
no mention of Minimal Server Interface?

 The important thing to remember here is:

 The Server With a Gui(Full Gui) is made up of both the Graphical Management Tools and Infrastructure(Server-Gui-Mgmt-Infra) and the Server Graphical Shell(Server-Gui-Shell)

The minimal server interface has only the Graphical Management Tools and Infrastructure(Server-Gui-Mgmt-Infra) installed
And the server core has neither of these installed.

Because they both have the Graphical Management Tools and Infrastructure(Server-Gui-Mgmt-Infra) installed, you can convert from either Full Gui, or Minimal Server Interface, to anything else, using "Remove Roles and Features Wizard" in Server Manager.  (Note that to get to server manager in Minimal Server Interface, you have to run servermanager.exe from command line). But obviously if you want to convert from Server Core, Powershell is your only option.

Server Core to Full GUI:
install-windowsfeature server-gui-shell, server-gui-mgmt-infra -restart

Full Gui to Server Core
uninstall-windowsfeature server-gui-shell, server-gui-mgmt-infra -restart

Minimal Server Interface to Full Gui:
install-windowsfeature server-gui-shell -restart

Full Gui to Minimal Server Interface:
uninstall-windowsfeature server-gui-shell -restart

Minimal Server Interface to Server Core:
uninstall-windowsfeature server-gui-mgmt-infra -restart


Server Core to Minimal Server Interface:
install-windowsfeature server-gui-mgmt-infra -restart

As an aside, Server-Gui-Shell is dependent on Server-Gui-Mgmt-Infra being installed. So if you have a Full Gui, and try to uninstall Server-Gui-Mgmt-Infra only, it will automatically uninstall Server-Gui-Shell. So technically, you can go from Full gui to Server Core with   "uninstall-windowsfeature server-gui-mgmt-infra -restart" because server-gui-shell will also be uninstalled automatically! Obviously, I doubt this is the answer MS wants! But give it a try yourself sometime. 

1.2.6 Configure Services

While you can still use services.msc for working with services, I'm guessing that MS wants to see us do it in Server Manager and through Powershell. The Services tile in Server Manager is pretty straightforward.

Powershell commands:
get-service
start-service
stop-service
suspend-service
resume-service
set-service
new-service


1.2.7 Configure NIC teaming

Two Modes:
Switch Independent - all adapters are connected to different switches, providing alternate routes through the network.
Switch Dependent - all adapters connected to the same switch, providing a single interface with combined bandwidth.

Switch Independent can be used for failover. Active/active mode leaves all adapters active even if one fails. In active/standby mode, one adapter is left offline as a "hot spare" of sorts; it comes online if another one fails.

Switch Dependent can be setup with static teaming or use LACP, if the switch supports it.

Nic teaming can be setup in Server Manager in the Properties Tile/Nic Teaming.
To setup Switch Dependent, you go to additional properties on Team properties and select either  LACP or static on the Teaming mode.
To setup Switch Independent, you select Switch Independent for teaming mode instead.
 
In Powershell: as an example, you want to team Nic1, Nic2, and Nic3 in SwitchIndependent teaming mode:

new-netlbfoteam -name NewTeam -teammembers Nic1, Nic2, Nic3 -teamingmode switchindependent

get-netlbfoteam  - will show you the overall team
get-netlbfoteamnic - shows you the team combined as a single nic
get-netlbfoteammember - show individual members of a team

Other relevant PS commands: add-netlbfoteammember, remove-netlbfoteam, remove-netlbfoteammember, set-netlbfoteam, set-netlbfoteammember, set-netlbfoteamnic

Curiosity killed the cat: Does WDS run on 2012 Server Core?

Update 10/1/2013: I've since found new cmdlets for configuring WDS, but listed as applying to "Windows Powershell 4.0, Windows Server 2012 R2 Preview". So perhaps WDS on server core is supported in 2012 R2.  This blog entry refers to my experiences on Server 2012 with PS 3 only.
 
Per the TechNet doc http://technet.microsoft.com/en-us/library/jj574158 , 2012 Server Core has a number of roles that are listed as being "supported", leading me to believe that the others will not install/work. But oddly enough they still seem to be listed in get-windowsfeature. In fact, if you do a compare-object (aka diff) between a Full GUI server and a Server Core server, you will get no results:

For instance, local server is Full gui. Server2 is server core:
compare-object -referenceobject (get-windowsfeature) -differenceobject (invoke-command -computername server2 -scriptblock {get-windowsfeature}) -property name

This will return no results. Try the switch -includeequal to also include the ones that are the same, which is all of them.

So if something like WDS is listed in get-windowsfeature but is not supposed to be supported on Server Core, what happens if you try to install it? Here is what I found after installing it with install-windowsfeature WDS.

If you use get-windowsfeature *wds*, WDS, WDS-Deployment, and WDS-Transport show up as installed. At first glance, WDSutil runs. Go to another 2012 that has the WDS MMC, and you can connect to this server and configure it.

I'm still curious at what point I might find it's "broken", but I don't really want to spend any more time on this for now. I do wonder why 2012 Server Core even lists it in get-windowsfeature and, even stranger, lets you install it, if it's not supported.

(As an aside, I also tried to install the Application-Server role, but it just installs the .NET Framework 4.5 feature (AS-NET-Framework) by default, and that's supported by Server Core.)

1. Install and Configure Servers 1.1 Install Servers

I hate generic objectives. What does "Plan for a server installation" really mean? More appropriately, what does MS think it means for the purpose of this test? As I run through these objectives I'm taking my best guess at information that satisfies them.

1.1.1 Plan for Server Install

It never hurts to know the minimum requirements as listed on technet: 1.4 ghz 64 bit cpu, 512 mb ram, 32gb hd space, dvd drive, super vga(800x600), kb and mouse(duh?), internet access. In reality, the minimum numbers are pointless. Nobody is going to install a server that bare. The only important thing here is the 64 bit cpu. No more 32 bit!

Next, let's consider the four versions of 2012. Thankfully not as many as 2008.
Datacenter - up to 64 CPUs, OEM and volume only, unlimited VOSEs (2012 virtual machines).
Standard - same as Datacenter except only 2 VOSEs supported per license
Essentials - Standard without Server Core, Hyper-V, and ADFS. No VOSE licenses. Max of 25 users.
Foundation - basic server features. max of 15 users.

Oddly enough, it looks like Foundation can be run as a DC, but with multiple limitations. I doubt they expect you to know this much about it for the test, but here you go: http://technet.microsoft.com/en-us/library/jj679892.aspx

Also, here's an interesting blog post about the virtual licensing, especially if you are considering running non-windows OS's, or a Virtual Desktop Infrastructure with windows client OS's as VM's on a Standard or Datacenter Hyper-V server: http://www.brianmadden.com/blogs/gabeknuth/archive/2012/07/13/looking-at-microsoft-windows-server-2012-editions-and-licensing-positive-changes-or-a-tightening-of-the-screws.aspx

There's three types of installs now: Server Core, Minimal Server Interface, Server with Gui. You can now switch between the three anytime after install. Server Core is now the default install.

Server Core: No Server Graphical Shell or Graphical Management Tools and Infrastructure. Roles not available: ADFS, App Server, Fax Server, Network Policy and Access, RDS/RDG/RDSH/RDWA, Volume Activation, WDS.

Minimal Server Interface: Removes the Server Graphical Shell, so most desktop UI elements gone. Still has Graphical Management Tools and Infrastructure: Server Manager, MMC, Device Manager, and Powershell.

Server with Gui: Has both the Graphical Management Tools, and the Server Graphical Shell. Full install.

1.1.2 Plan for Server Roles - http://technet.microsoft.com/en-us/library/hh831669

In a nutshell, know the ones that have other objectives in the test, and be familiar with the rest. Here's a quick list:
ADCS, ADDS, ADFS, ADLDS, ADRMS, App Server, Failover Clustering, File and Storage, Group Policy, Hyper-V, Networking, Network Load Balancing, Network Policy and Access, Print and Document Services, Remote Desktop Services, Security and Protection, Telemetry, Volume Activation, Web Server (IIS), WDS, Windows Server Backup, WSUS, Windows System Resource Manager.

1.1.3 Plan for a Server Upgrade 

No 32 bit to 64 bit upgrade
No upgrade from pre-release 2012 to release 2012
No switching install types until after the upgrade is finished (e.g. Server Core -> Full GUI)
Upgrade Paths:
1.1.4 Install Server Core
server core is installed by default in 2012. What more do they want here?

1.1.5 Optimize resource utilization by using Features on Demand

Features are stored in a side-by-side store(WinSxS).
Three states for installed features:
Enabled/Installed - Installed and binaries available
Disabled/Staged - Not installed, binaries available
Disabled with payload removed/Absent - Not installed, binaries removed

To put a feature in "Disabled with payload removed" status, you can use the -remove switch with Uninstall-WindowsFeature. To reinstall this feature at a later point, use the -source parameter with Install-WindowsFeature.

When installing a feature that is missing the payload, Windows will try to find the payload in the following order:
1) User provided (i.e. -source, or providing an alternate source path in the Add Roles and Features Wizard)
2) Group Policy: Computer Configuration\Administrative Templates\System\Specify settings for optional component installation and component repair
3) Windows Update

Other possible sources for the binaries: a share with a full install's WinSxS folder copied over, a mounted WIM image (using DISM to mount the WIM image), or a mounted VHD image.
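The remove-payload and reinstall-from-source cycle described above, with a check of the InstallState in between. This is an added example, not from the original post; the feature name and the share path holding a copied WinSxS folder are assumptions.

```powershell
# Added example (not from the original post): remove a feature's payload,
# confirm its state, and reinstall it from an alternate source. The feature
# name and the share path are assumptions.
$feature = "Web-Server"
$source  = "\\fileserver\sources\sxs"   # WinSxS copied from a full install

# -Remove drops the binaries from WinSxS as well as uninstalling the feature
Uninstall-WindowsFeature -Name $feature -Remove

# InstallState should now read Removed rather than Available
$state = (Get-WindowsFeature -Name $feature).InstallState
if ($state -ne "Removed") { throw "$feature is $state, expected Removed" }

# With the payload gone, Install-WindowsFeature needs a source unless Group
# Policy or Windows Update can supply one; -Source short-circuits that lookup
Install-WindowsFeature -Name $feature -Source $source

# Report every feature whose payload has been removed from this server
Get-WindowsFeature |
    Where-Object { $_.InstallState -eq "Removed" } |
    Select-Object Name, InstallState
```

Some features need a restart after the removal before the reinstall succeeds; add -Restart to the Uninstall-WindowsFeature call if the cmdlet reports that.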

Also see 1.2.3 : add and remove features in offline images

1.1.6 Migrate roles from previous versions of Windows Server

Migration can be done from any version from 2003 SP2 through 2012 to 2012.
Migration can be done from a 32-bit server to a 64-bit 2012 server.
Migration can be done between Server editions.
Migration can be between physical and virtual
Migration can be between install types.

Migrations are done with Windows Server Migration Tools. Installed from Add Roles and Features wizard, or install-windowsfeature migration