3.2.1 Create and configure DNS Resource Records (RR) including A, AAAA, PTR,
SOA, NS, SRV, CNAME, and MX records
SOA - Start of Authority - specifies primary name server, e-mail of domain admin, domain serial, timers
NS - identifies an authoritative name server
A - host record
AAAA - ipv6 host record
CNAME - alias
PTR - ip address to domain or host name
MX - mail server host
SRV - service record, used for AD.
fields of an SOA record:
Serial number - version of zone, to determine when to zone transfer
primary authoritative server
responsible person - zone admin
refresh interval - how often secondary servers check for updates
retry interval - how long to wait before a secondary server sends another request
expires after - after zone transferring, secondary server will hold that date until this time if it's not renewed.
minimum TTL - default time an RR remains in a DNS cache after a query. a RR TTL overrides this setting.
MX records - specify a priority when you have multiple records. The lower priority MX records are preferred.
dnscmd /recordadd contoso.com myworkstation A 192.168.134.30
dnscmd /recordadd contoso.com myworkstation AAAA fc00::199:45
dnscmd /recordadd contoso.com myalias CNAME myworkstation.contoso.com
dnscmd /recordadd contoso.com . MX 10 mymailserver.contoso.com
dnscmd /recordadd contoso.com . NS nameserver.contoso.com
dnscmd /recordadd 134.168.192.in-addr.arpa 30 PTR myworkstation.contoso.com
dnscmd /recorddelete contoso.com myworkstation A
Add-DnsServerResourceRecordA -name "myworkstation" -zonename "contoso.com" -IPv4Address "192.168.134.30"
Add-DnsServerResourceRecordAAAA -name "myworkstation" -zonename "contoso.com" -IPv6Address "fc00::199:45"
Add-DnsServerResourceRecordCNAME -name "myalias" -hostnamealias "myworkstation.contoso.com" -zonename "contoso.com"
Add-DnsServerResourceRecordMX -name "." -MailExchange "mymailserver.contoso.com" -Zonename "contoso.com" -preference 20
Add-DnsServerResourceRecordPTR -name "30" -zonename "134.168.192.in-addr.arpa" -ptrdomainname "myworkstation.contoso.com"
Remove-DnsServerResourceRecord -zonename "contoso.com" -RRtype -"A" -name "myworkstation"
Get-DnsServerResourceRecord -zonename "contoso.com" -rrtype "A"
3.2.2 configure zone scavenging
Zone scavenging removes "stale", old, records. Aging is the process of timing out records.
Scavenging is disabled by default, so it must be enabled to work.
RRs must be added dynamically or manually modified in order to be aged/scavenged.
In order to manually modify scavenging settings on records, go to View and select advanced in the DNS Manager. Now you can right click a record and check "Delete this record when it becomes stale" Hitting apply adds a timestamp, rounded from the current hour, used in scavenging.
Dynamic records will attempt to update themselves every 24 hours by default. These records are automatically set to scavenge
Scavenging settings on a zone:
right click zone, properties. Hit Aging button.Check the "Scavenge stale resource records".
No-refresh interval & refresh interval - both must expire before record will be scavenged.
No-refresh - record cannot be "refreshed", which is when a dynamic update does not change the host/ip record but tries to change the timestamp. A client changing the IP address will be exempt from this interval
After a record goes beyond "record timestamp + no-refresh interval", it enters refresh interval. During this time, refreshes to timestamp are allowed. If the timestamp is updated by a client, the no-refresh interval begins again. If it does not get updated, the record is eligible for scavenging.
You can also create a default scavenging settings, for any zone
created on this dns server, by right clicking the DNS server and
selecting "Set Aging/Scavenging for All Zones". Note that this will not
update current zones, only future zones that are created on this
specific server. However, there is an option after you click ok, "Apply
these settings to the existing AD-integrated zones". This will update
current AD-integrated zones with these settings.
The final thing to do to setup scavenging is to set it on the DNS server, under properties/Advanced. Check the "Enable automatic scavenging of stale records". This controls when scavenging will be done. Note that if a record is still in no-refresh/refresh intervals, it will not be scavenged when this process runs. When scavenging is run it creates event id 2501/2502 in event logs.
Set-DnsServerResourceRecordAging -nodename myserver.contoso.com. -zonename contoso.com
Get-DnsServerResourceRecord -zonename contoso.com -name myserver
Get-DnsServerZoneAging contoso.com
Set-DnsServerZoneAging contoso.com -aging $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)
Set default scavenging settings on a DNS server:
Set-DnsServerScavenging -scavengingstate $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)
(Note that -scavengingstate $true will apply to new zones created on this server. You can use -applyonallzones to update all current zones)
Only enable scavenging on a dns server and set the interval between scavengings (this does not affect other default DNS server scavenging settings as the above command.)
Set-DnsServerScavenging -scavenginginterval (New-TimeSpan -days 3)
Get-DnsServerScavenging
3.2.3 configure record options including Time To Live (TTL) and weight
In order to see TTL and change in the gui, you need to go to View/Advanced. Now you can double-click a RR and change the TTL in the properties.
Weight could have multiple meanings. MX records can be set with a priority to determine which mail server is preferred. Lower is preferred.
SRV records also have a weight in addition to a priority. Lower priorities are preferred. However, if multiple SRV records have equal priority, the weight determines how often(%) a SRV resource will be used in relation to others with the same priority. This is a basic load balance.
Powershell/dnscmd
3.2.4 configure round robin
Round robin is used by DNS by default to return resource records with the same name and same type. Round robin can be disabled on a server by right clicking on the DNS server and properties, clicking the advanced tab, and unselecting "Enable round robin option"
Get-DnsServerSetting -all | select roundrobin | ft -auto
3.2.5 configure secure dynamic updates
Secure dynamic updates are set per zone. Right click the zone and properties. Then on General, you have a dropdown for none, nonsecure and secure, and secure only. You can also setup secure updates when creating a new zone.
By default in an AD domain, authenticated users and computers can create new dnsNode records in dnsZones. You can alter specific permissions on the Security tab in the properties of a Zone. You can also set security on individual dnsNode records. ACLs are set on records by name so two records pointing to the same FQDN will have the same ACL.
Thursday, April 24, 2014
3. Configure network services and access 3.1 Configure DNS Zones
Review from 70-410 4.3:
DNS Basics
DNS namespace, Name Servers, Resolver(client that sends dns queries)
Recursive query: Resolver clients send recursive queries to their dns servers. This tells the DNS server to query the hierarchy of dns servers until it gets resolution from the authoritative server(s)
Iterative query: a single request respond between dns servers. The only time dns servers will send recursive query to other dns servers is when they are querying a forwarder.
DNS forwarders are set up to do the full recursive queries on behalf of other dns servers
reverse name resolution: resolves a name from an ip address
Zones:
Primary: master copy of the zone. If not integrated with AD, a local database file holds the zone.
Secondary: duplicate of the primary. replicates the zone file using zone transfer. read-only
Stub: copy of primary zone that forwards or refers requests.
Zones that are not ad-integrated are saved in a "zone file" in %systemroot%\system32\dns
AD-integrated
RR = resource records
top-level domains, second-level domains, hosts
nslookup
udp/tcp port 53
install DNS - Server Roles DNS Server(DNS), includemanagementtools = RSAT-DNS-SERVER
MMC=dnsmgmt.msc, PS module=DNSServer, command line=dnscmd.exe
dnscmd dc.contoso.com /enumzones
PS:
get-dnsserverzone
3.1.1 Configure primary and secondary zones
Primary Zone:
Forward Lookup
DNS Managet(dnsmgmt.msc)
right click forward lookup zones, right click Forward Lookup Zones and New Zone. Choose primary. Enter a zone name, which includes the portion of the dns namespace for which the server will be authoritative. (such as contoso.com, or onezone.contoso.com)
Create a new zone file.
Dynamic Update - secure updates are for AD integrated
dnscmd /zoneadd bartledoo.contoso.com /primary
dnscmd /zoneinfo bartledoo.contoso.com
dnscmd /zonedelete bartledoo.contoso.com
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns"
get-dnsserverzone -name bartledoo.contoso.com
remove-dnsserverzone -name bartledoo.contoso.com
Reverse v4 primary:
right click Reverse Lookup Zones-> New Zone
Ipv4 reverse lookup zone
Type in Network id or specify the reverse lookup zone name manually. Entering the network id will auto update the reverse lookup name(network ID backwards+.in-addr.arpa)
Create a new zone file
Choose Dynamic update setting(Do not allow for non-AD)
dnscmd /zoneadd 10.168.192.in-addr.arpa /primary
add-dnsserverprimaryzone -networkid 192.168.10.0/24 -zonefile "10.168.192.in-addr.arpa.dns"
Reverse v6 primary:
Reverse Lookup Zones -> New Zone
select Primary zone
Ipv6 Reverse Lookup
Enter network prefix for ipv6 zone(ie. fe80:0:3891:0405:::/64)
dnscmd /zoneadd 5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa /primary
add-dnsserverprimaryzone -networkid fe80:0:3891:0405::/64 -zonefile "5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa.dns"
Secondary Zone:
Forward Lookup zone-> New Zone
Secondary zone
in the zone name, enter the dns namespace name
master DNS Servers, enter the IP address of the primary zone server(s)
dnscmd /zoneadd bartledoo.contoso.com /secondary 192.168.10.8
add-dnsserversecondaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns" -masterservers 192.168.10.8
AD-integrated:
When choosing Primary, Secondary, Stub, "Store the zone in AD" option(AD-integrated) is available if the DNS server is a read-write Domain Controller. See 3.1.4.
3.1.2 configure stub zones
A stub zone only contains basic RR's: SOA, NS, certain "glue" A records and points to the authoritative NS.
Right click Forward Lookup Zone-> New Zone. Choose Stub zone. Enter domain namespace. On master DNS servers, enter primary zone dns server(s).
If you integrate the stub zone into Active Directory Domain Services(AD DS), you have the option to specify that the DNS server hosting the stub zone uses a local list of master servers when it updates the stub zone's resource records, rather than having the DNS server use the master servers list that is stored in AD DS
Caching-only server:Install DNS but do not configure a zone. in DNS Manager, Click on DNS in the menu, select New Server, and type in the IP address of your computer where you have installed DNS.
dnscmd /zoneadd stubby.contoso.com /stub 192.168.10.9
dnscmd /zonedelete stubby.contoso.com
dnscmd /zoneadd stubby.contoso.com /dsstub 192.168.10.9 /dp /domain
dnscmd /zonedelete stubby.contoso.com /dsdel
add-dnsserverstubzone -name "stubby.contoso.com" -zonefile "stubby.contoso.com.dns" -masterservers 192.168.10.9
add-dnsserversstubzone -name "stubby.contoso.com" -replicationscope domain -masterservers 192.168.10.9
3.1.3 configure conditional forwards
Forwarding:
Right click DNS server and properties, Forwarders tab. Click edit, Add DNS servers to forward to.
Conditional forwarding: You can forward DNS requests for certain domain names.
Expand the server and right click Condition Forwarders->New conditional forwarder
Enter the domain to forward
Add the IP address(es) of the servers to forward this domain to.
Check to store this forwarder in AD. Set timeout on forward queries for this conditional forwarder.
dnscmd /zoneadd google.com /forwarder 8.8.8.8
/timeout /slave
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8
3.1.4 configure zone and conditional forward storage in Active Directory
Zones are only stored in AD on AD-integrated DNS servers.
1.To all DNS on DC in forest, stored in the following application partition in AD:
cn=microsoftdns,dc=forestdnszones,dc=contoso,dc=com
2.To all DNS on DC in domain, stored in the following application partition in AD:
cn=microsoftdns,dc=domaindnszones,dc=contoso,dc=com
3.To all domain controllers(Windows 2000 compatibility).
In 2000, DNS was stored in the domain partition(cn=microsoftdns,cn=system,dc=contoso,dc=com)
4.To all domain controllers in the score of this directory partition.
Conditional forward storage:
By default stores in domain partition.
/DP switch with dnscmd to choose partition (or fqdn of custom partition)
========
dnscmd /zoneadd bartledoo.contoso.com /dsprimary /dp /domain
/dp forest
/dp legacy
dnscmd /zonedelete bartledoo.contoso.com /dsdel
PS:
just add -replicationscope domain|forest|legacy|FQDN
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -replicationscope domain
Conditional forwarder:
dnscmd /zoneadd google.com /dsforwarder 8.8.8.8 /dp /domain
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8 -replicationscope domain
3.1.5 configure zone delegation
When you want another dns server to be authoritative for a subdomain, you have to delegate the permission for the zone to it.
Create a primary zone on the target dns server for the subdomain space it will host.
On the master server, right click the parent zone and select new delegation
enter the full dns name with child name.
Enter the ip address or FQDN of the dns server that will be authoritative for the child namespace
dnscmd /recordadd contoso.com child NS 192.168.10.119
add-dnsserverzonedelegation -name "contoso.com" -childzonename "one" -nameserver "server2" -ipaddress 192.168.10.119
3.1.6 configure zone transfer settings
zone transfers can transfer full or partial dns data from one zone to another.
Zone transfer causes:
Initial transfer when a secondary zone is created and pointed at a primary
zone refresh interval expires
DNS server service startup on secondary server
Primary master notifies secondary server(s) that changes have been made and need to be replicated.
Manual zone transfer initiated.
Types of transfers:
Full(AXFR) - copies the entire zone. Used for initial transfer.
Incremental(IXFR) Secondary requests updated records from primary. Only sends RR's that have changed. Serial number field in the SOA on each server are compared. If primary is higher, replication is needed.
DNS Notify: primary tells secondary it needs to update. secondary initiates IXFR.
Right click forward or reverse zone to configure, properties, zone transfers tab. Check allow zone transfers, then set:
to any server
to servers listed on NS tab
to specific servers
dnscmd /zoneresetsecondaries contoso.com
/nonsecure
/securens
/securelist
/noxfr (no transfer)
set-dnsserverprimaryzone -name contoso.com -securesecondaries
transferanyserver
transfertozonenameserver
transfertosecureservers -secondaryservers
notransfer
3.1.7 configure notify settings
Also on zone transfer settings tab, click Notify. Check "Automatically notify" then set:
Servers listed on NS tab
Specific servers
dnscmd /zoneresetsecondaries contoso.com /securens
/notify
/notifylist (ip addresses)
/nonotify
set-dnsserverprimaryzone -name contoso.com -securesecondaries -notify
notify
notifyservers -notifyservers
nonotify
DNS Basics
DNS namespace, Name Servers, Resolver(client that sends dns queries)
Recursive query: Resolver clients send recursive queries to their dns servers. This tells the DNS server to query the hierarchy of dns servers until it gets resolution from the authoritative server(s)
Iterative query: a single request respond between dns servers. The only time dns servers will send recursive query to other dns servers is when they are querying a forwarder.
DNS forwarders are set up to do the full recursive queries on behalf of other dns servers
reverse name resolution: resolves a name from an ip address
Zones:
Primary: master copy of the zone. If not integrated with AD, a local database file holds the zone.
Secondary: duplicate of the primary. replicates the zone file using zone transfer. read-only
Stub: copy of primary zone that forwards or refers requests.
Zones that are not ad-integrated are saved in a "zone file" in %systemroot%\system32\dns
AD-integrated
RR = resource records
top-level domains, second-level domains, hosts
nslookup
udp/tcp port 53
install DNS - Server Roles DNS Server(DNS), includemanagementtools = RSAT-DNS-SERVER
MMC=dnsmgmt.msc, PS module=DNSServer, command line=dnscmd.exe
dnscmd dc.contoso.com /enumzones
PS:
get-dnsserverzone
3.1.1 Configure primary and secondary zones
Primary Zone:
Forward Lookup
DNS Managet(dnsmgmt.msc)
right click forward lookup zones, right click Forward Lookup Zones and New Zone. Choose primary. Enter a zone name, which includes the portion of the dns namespace for which the server will be authoritative. (such as contoso.com, or onezone.contoso.com)
Create a new zone file.
Dynamic Update - secure updates are for AD integrated
dnscmd /zoneadd bartledoo.contoso.com /primary
dnscmd /zoneinfo bartledoo.contoso.com
dnscmd /zonedelete bartledoo.contoso.com
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns"
get-dnsserverzone -name bartledoo.contoso.com
remove-dnsserverzone -name bartledoo.contoso.com
Reverse v4 primary:
right click Reverse Lookup Zones-> New Zone
Ipv4 reverse lookup zone
Type in Network id or specify the reverse lookup zone name manually. Entering the network id will auto update the reverse lookup name(network ID backwards+.in-addr.arpa)
Create a new zone file
Choose Dynamic update setting(Do not allow for non-AD)
dnscmd /zoneadd 10.168.192.in-addr.arpa /primary
add-dnsserverprimaryzone -networkid 192.168.10.0/24 -zonefile "10.168.192.in-addr.arpa.dns"
Reverse v6 primary:
Reverse Lookup Zones -> New Zone
select Primary zone
Ipv6 Reverse Lookup
Enter network prefix for ipv6 zone(ie. fe80:0:3891:0405:::/64)
dnscmd /zoneadd 5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa /primary
add-dnsserverprimaryzone -networkid fe80:0:3891:0405::/64 -zonefile "5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa.dns"
Secondary Zone:
Forward Lookup zone-> New Zone
Secondary zone
in the zone name, enter the dns namespace name
master DNS Servers, enter the IP address of the primary zone server(s)
dnscmd /zoneadd bartledoo.contoso.com /secondary 192.168.10.8
add-dnsserversecondaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns" -masterservers 192.168.10.8
AD-integrated:
When choosing Primary, Secondary, Stub, "Store the zone in AD" option(AD-integrated) is available if the DNS server is a read-write Domain Controller. See 3.1.4.
3.1.2 configure stub zones
A stub zone only contains basic RR's: SOA, NS, certain "glue" A records and points to the authoritative NS.
Right click Forward Lookup Zone-> New Zone. Choose Stub zone. Enter domain namespace. On master DNS servers, enter primary zone dns server(s).
If you integrate the stub zone into Active Directory Domain Services(AD DS), you have the option to specify that the DNS server hosting the stub zone uses a local list of master servers when it updates the stub zone's resource records, rather than having the DNS server use the master servers list that is stored in AD DS
Caching-only server:Install DNS but do not configure a zone. in DNS Manager, Click on DNS in the menu, select New Server, and type in the IP address of your computer where you have installed DNS.
dnscmd /zoneadd stubby.contoso.com /stub 192.168.10.9
dnscmd /zonedelete stubby.contoso.com
dnscmd /zoneadd stubby.contoso.com /dsstub 192.168.10.9 /dp /domain
dnscmd /zonedelete stubby.contoso.com /dsdel
add-dnsserverstubzone -name "stubby.contoso.com" -zonefile "stubby.contoso.com.dns" -masterservers 192.168.10.9
add-dnsserversstubzone -name "stubby.contoso.com" -replicationscope domain -masterservers 192.168.10.9
3.1.3 configure conditional forwards
Forwarding:
Right click DNS server and properties, Forwarders tab. Click edit, Add DNS servers to forward to.
Conditional forwarding: You can forward DNS requests for certain domain names.
Expand the server and right click Condition Forwarders->New conditional forwarder
Enter the domain to forward
Add the IP address(es) of the servers to forward this domain to.
Check to store this forwarder in AD. Set timeout on forward queries for this conditional forwarder.
dnscmd /zoneadd google.com /forwarder 8.8.8.8
/timeout /slave
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8
3.1.4 configure zone and conditional forward storage in Active Directory
Zones are only stored in AD on AD-integrated DNS servers.
1.To all DNS on DC in forest, stored in the following application partition in AD:
cn=microsoftdns,dc=forestdnszones,dc=contoso,dc=com
2.To all DNS on DC in domain, stored in the following application partition in AD:
cn=microsoftdns,dc=domaindnszones,dc=contoso,dc=com
3.To all domain controllers(Windows 2000 compatibility).
In 2000, DNS was stored in the domain partition(cn=microsoftdns,cn=system,dc=contoso,dc=com)
4.To all domain controllers in the score of this directory partition.
Conditional forward storage:
By default stores in domain partition.
/DP switch with dnscmd to choose partition (or fqdn of custom partition)
========
dnscmd /zoneadd bartledoo.contoso.com /dsprimary /dp /domain
/dp forest
/dp legacy
dnscmd /zonedelete bartledoo.contoso.com /dsdel
PS:
just add -replicationscope domain|forest|legacy|FQDN
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -replicationscope domain
Conditional forwarder:
dnscmd /zoneadd google.com /dsforwarder 8.8.8.8 /dp /domain
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8 -replicationscope domain
3.1.5 configure zone delegation
When you want another dns server to be authoritative for a subdomain, you have to delegate the permission for the zone to it.
Create a primary zone on the target dns server for the subdomain space it will host.
On the master server, right click the parent zone and select new delegation
enter the full dns name with child name.
Enter the ip address or FQDN of the dns server that will be authoritative for the child namespace
dnscmd /recordadd contoso.com child NS 192.168.10.119
add-dnsserverzonedelegation -name "contoso.com" -childzonename "one" -nameserver "server2" -ipaddress 192.168.10.119
3.1.6 configure zone transfer settings
zone transfers can transfer full or partial dns data from one zone to another.
Zone transfer causes:
Initial transfer when a secondary zone is created and pointed at a primary
zone refresh interval expires
DNS server service startup on secondary server
Primary master notifies secondary server(s) that changes have been made and need to be replicated.
Manual zone transfer initiated.
Types of transfers:
Full(AXFR) - copies the entire zone. Used for initial transfer.
Incremental(IXFR) Secondary requests updated records from primary. Only sends RR's that have changed. Serial number field in the SOA on each server are compared. If primary is higher, replication is needed.
DNS Notify: primary tells secondary it needs to update. secondary initiates IXFR.
Right click forward or reverse zone to configure, properties, zone transfers tab. Check allow zone transfers, then set:
to any server
to servers listed on NS tab
to specific servers
dnscmd /zoneresetsecondaries contoso.com
/nonsecure
/securens
/securelist
/noxfr (no transfer)
set-dnsserverprimaryzone -name contoso.com -securesecondaries
transferanyserver
transfertozonenameserver
transfertosecureservers -secondaryservers
notransfer
3.1.7 configure notify settings
Also on zone transfer settings tab, click Notify. Check "Automatically notify" then set:
Servers listed on NS tab
Specific servers
dnscmd /zoneresetsecondaries contoso.com /securens
/notify
/notifylist (ip addresses)
/nonotify
set-dnsserverprimaryzone -name contoso.com -securesecondaries -notify
notify
notifyservers -notifyservers
nonotify
2. Configure file and print services 2.4 Configure advanced audit policies
2.4.1 Implement auditing using Group Policy and AuditPol.exe
http://technet.microsoft.com/en-us/library/dd772623
Group policy auditing:
Computer Configuration\Policies\Windows Settings\Security settings\Local Policies\Audit policy
gpedit.msc local:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Note: The GP setting "Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings" prevents the application of category-level audit policy in favor of Advanced Auditing. This policy is enabled by default, so if you want to use the following auditing policies, you must disable this policy setting. http://technet.microsoft.com/en-us/library/jj852246.aspx
Success or Failure:
Audit account logon events -Audits when a computer validates credentials for an account for which it is authoritative.
Audit account management - audit's account management on a computer, including changing passwords
Audit directory service access - audits access AD objects
Audit logon events - audits actual logon/logoff of user accounts on the computer
Audit object access - audit non-AD objects such as files, folders, printers, etc.
Audit policy change - audit user rights assignments, auditing, account policies, trust policies
Audit privilege use - audits user rights usage
Audit process tracking - process-related events.
Audit system events - system access such as time change, startup/shutdown, extensible authentication components, loss of auditing events, security log size beyond threshold
Be selective on what to audit, as high levels can affect performance, cause too many security event entries, and quickly fills the log.
Object Access:
After enabling the appropriate policy, you can setup auditing on specific objects(such as a file), by going to the security tab of the object, advanced, Auding tab.
Advanced Auditing Policy:
First introduced in Vista and Windows 2008 via auditpol, advanced auditing became available to configure in GP in Windows 2008 R2. Advanced auditing configured in GP will only apply to 2008R2 and later, and Windows 7 and later clients. As of 2012, there are 56 settings.
Setup in GP:
Computer Configuration\Policies\Windows Settings\Security settings\Advanced Audit Policy Configuration
gpedit.msc locally:
Computer Configuration\Windows Settings\Security settings\Advanced Audit Policy Configuration
Categories-
Account Logon - credential validation, kerberos authentication, kerberos service ticket ops, other account logon events
Account Management - application group management, computer account management, distribution group management, other account management, security group management, user account mgmt.
Detailed Tracking - DPAPI activity(encryption/decryption into DPAPI), process creation, process termination, RPC events(inbound)
DS Access - detailed DS replication, DS access, DS Changes, DS replication
Logon/Logoff - account lockout, user/device claims, ipsec extended mode, ipsec main mode, ipsec quick mode, logoff, logon, network policy server(RADIUS, NAP), other logon/logoff, special logon
Object Access(may require appropriate SACL set on object) - application generated(Windows auditing API usage), certification services(ADCS), detailed file share, file share, file system(must match SACL), filtering platform connection(firewall/WFP), WFP packet drop, handle manipulation(open/close depends on SACL), kernel object access(based on SACL usage), other object access(task scheduler, COM+, etc), registry, removable storage, SAM, central access policy staging
Policy Change - policy change, authentication policy change, authorization policy change, WFP policy change(IPSEC, WFP), MPSSVC Rule-Level policy change(Microsoft Protection Service(MPSSVC.exe) also used by Firewall), other policy change events(TPM, cryptographic ops, etc)
Privilege Use - non-sensitive privilege use, sensitive privilege use
System - IPSec driver, other system events, security state change, security system extension, system integrity.
Global Object Access Auditing - see 2.4.2
Auditpol.exe
Note: auditing set with auditpol will not show up in the local gpedit/secpol settings and also do not save between reboots.
auditpol /list category
auditpol /list subcategory:*
auditpol /set /subcategory:"Account Lockout" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /get subcategory:"Account Lockout"
auditpol /set /subcategory:"Account Lockout" /success:disable
auditpol /set /user:contoso\ajolie /subcategory:"Logon" /success:enable
auditpol /get /user:contoso\ajolie /subcategory:"Logon"
auditpol /remove /user:contoso\ajolie
removes all user auditing, on all policies, for contoso\ajolie
auditpol /remove /allusers
auditpol /clear - clears all auditing policies
auditpol /backup /file:"c:\auditpol.csv"
auditpol /restore /file:"c:\auditpol.csv"
2.4.2 create expression-based audit policies
2012 advanced policy:
Global Object Access Auditing - applies global SACL's for file system and/or registry. Must enable appropriate Object Access policy first(Advanced Audit Policy\System Audit Policies\Object Access) . You can also specify defined properties or attributes to audit on using expression-based auditing.
Note: If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
You can choose what permissions a user should be audited for, and whether that affects success, fail, or both.
The conditions you can add are called expression-based audit policies. This is a new feature of Windows 8 and 2012. For instance, you could choose a principal of Everyone or Authenticated Users. Then add a condition User-Group-Member of each-Value- then "Add items" and select a group. For example, Accounting. Now, any user affected by this policy, who is a member of the group "Accounting" will be audited for whichever permission and type settings you configured.
These properties are set in AD using Dynamic Access Control(covered in 70-412).
Extra Note: You can set /resourcesacl through auditpol, but setting a condition can be cryptic. for instance, the user-group setting is set with the SID as in the following example. Also, File in /type:File is actually case-sensitive:
auditpol /resourcesacl /set /type:File /user:"NT AUTHORITY\Authenticated Users" /success /failure /access:FW /condition:"(Member of {SID(S-1-5-21-1477645170-1045419550-4197897434-12603)})"
auditpol /resourcesacl /type:File /view
2.4.3 create removable device audit policies
Auditing removable devices is now configured under the advanced auditing as seen in 2.4.1, Object Access/Audit Removable Storage.
auditpol /set /subcategory:"Removable Storage" /success:enable
Event 4663 is for success and event 4656 logs failed
http://technet.microsoft.com/en-us/library/dd772623
Group policy auditing:
Computer Configuration\Policies\Windows Settings\Security settings\Local Policies\Audit policy
gpedit.msc local:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Note: The GP setting "Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings" prevents the application of category-level audit policy in favor of Advanced Auditing. This policy is enabled by default, so if you want to use the following auditing policies, you must disable this policy setting. http://technet.microsoft.com/en-us/library/jj852246.aspx
Success or Failure:
Audit account logon events -Audits when a computer validates credentials for an account for which it is authoritative.
Audit account management - audit's account management on a computer, including changing passwords
Audit directory service access - audits access AD objects
Audit logon events - audits actual logon/logoff of user accounts on the computer
Audit object access - audit non-AD objects such as files, folders, printers, etc.
Audit policy change - audit user rights assignments, auditing, account policies, trust policies
Audit privilege use - audits user rights usage
Audit process tracking - process-related events.
Audit system events - system access such as time change, startup/shutdown, extensible authentication components, loss of auditing events, security log size beyond threshold
Be selective on what to audit, as high levels can affect performance, cause too many security event entries, and quickly fills the log.
Object Access:
After enabling the appropriate policy, you can setup auditing on specific objects(such as a file), by going to the security tab of the object, advanced, Auding tab.
Advanced Auditing Policy:
First introduced in Vista and Windows 2008 via auditpol, advanced auditing became available to configure in GP in Windows 2008 R2. Advanced auditing configured in GP will only apply to 2008R2 and later, and Windows 7 and later clients. As of 2012, there are 56 settings.
Setup in GP:
Computer Configuration\Policies\Windows Settings\Security settings\Advanced Audit Policy Configuration
gpedit.msc locally:
Computer Configuration\Windows Settings\Security settings\Advanced Audit Policy Configuration
Categories-
Account Logon - credential validation, kerberos authentication, kerberos service ticket ops, other account logon events
Account Management - application group management, computer account management, distribution group management, other account management, security group management, user account mgmt.
Detailed Tracking - DPAPI activity(encryption/decryption into DPAPI), process creation, process termination, RPC events(inbound)
DS Access - detailed DS replication, DS access, DS Changes, DS replication
Logon/Logoff - account lockout, user/device claims, ipsec extended mode, ipsec main mode, ipsec quick mode, logoff, logon, network policy server(RADIUS, NAP), other logon/logoff, special logon
Object Access(may require appropriate SACL set on object) - application generated(Windows auditing API usage), certification services(ADCS), detailed file share, file share, file system(must match SACL), filtering platform connection(firewall/WFP), WFP packet drop, handle manipulation(open/close depends on SACL), kernel object access(based on SACL usage), other object access(task scheduler, COM+, etc), registry, removable storage, SAM, central access policy staging
Policy Change - policy change, authentication policy change, authorization policy change, WFP policy change(IPSEC, WFP), MPSSVC Rule-Level policy change(Microsoft Protection Service(MPSSVC.exe) also used by Firewall), other policy change events(TPM, cryptographic ops, etc)
Privilege Use - non-sensitive privilege use, sensitive privilege use
System - IPSec driver, other system events, security state change, security system extension, system integrity.
Global Object Access Auditing - see 2.4.2
Auditpol.exe
Note: auditing set with auditpol will not show up in the local gpedit/secpol settings and also do not save between reboots.
auditpol /list category
auditpol /list subcategory:*
auditpol /set /subcategory:"Account Lockout" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /get subcategory:"Account Lockout"
auditpol /set /subcategory:"Account Lockout" /success:disable
auditpol /set /user:contoso\ajolie /subcategory:"Logon" /success:enable
auditpol /get /user:contoso\ajolie /subcategory:"Logon"
auditpol /remove /user:contoso\ajolie
removes all user auditing, on all policies, for contoso\ajolie
auditpol /remove /allusers
auditpol /clear - clears all auditing policies
auditpol /backup /file:"c:\auditpol.csv"
auditpol /restore /file:"c:\auditpol.csv"
2.4.2 create expression-based audit policies
2012 advanced policy:
Global Object Access Auditing - applies global SACL's for file system and/or registry. Must enable appropriate Object Access policy first(Advanced Audit Policy\System Audit Policies\Object Access) . You can also specify defined properties or attributes to audit on using expression-based auditing.
Note: If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
You can choose what permissions a user should be audited for, and whether that affects success, fail, or both.
The conditions you can add are called expression-based audit policies. This is a new feature of Windows 8 and 2012. For instance, you could choose a principal of Everyone or Authenticated Users. Then add a condition User-Group-Member of each-Value- then "Add items" and select a group. For example, Accounting. Now, any user affected by this policy, who is a member of the group "Accounting" will be audited for whichever permission and type settings you configured.
These properties are set in AD using Dynamic Access Control(covered in 70-412).
Extra Note: You can set /resourcesacl through auditpol, but setting a condition can be cryptic. for instance, the user-group setting is set with the SID as in the following example. Also, File in /type:File is actually case-sensitive:
auditpol /resourcesacl /set /type:File /user:"NT AUTHORITY\Authenticated Users" /success /failure /access:FW /condition:"(Member of {SID(S-1-5-21-1477645170-1045419550-4197897434-12603)})"
auditpol /resourcesacl /type:File /view
2.4.3 create removable device audit policies
Auditing removable devices is now configured under the advanced auditing as seen in 2.4.1, Object Access/Audit Removable Storage.
auditpol /set /subcategory:"Removable Storage" /success:enable
Event 4663 is for success and event 4656 logs failed
2. Configure file and print services 2.3 Configure file and disk encryption
Examples of encryption algorithms:
Symmetric: uses a single key to encrypt and decrypt data
Asymmetric key: uses mathematically-related keys. This allows one key to be public, so it could be published in a certificate.
Hash: one-way encryption
EFS encryption: used to encrypt files on NTFS volume.
Bitlocker drive encryption(BDE): encrypt an entire volume.
EFS encryption: http://technet.microsoft.com/en-us/library/cc749610%28v=WS.10%29.aspx
EFS creates a certificate for the user encrypting the files, thus allowing only that user to automatically decrypt the files upon use. An encryption certificate can be added to the file in order to share it with other users.
To encrypt a folder or file, click properties on the object, Advanced, then check Encrypt contents to secure data. When you encrypt a folder, you have the option to apply changes to this folder only, or to this folder, subfolders, and files.
To decrypt a folder or file, you just uncheck the Encrypt contents.
You cannot both compress and encrypt an NTFS file
encrypted files are decrypted when moved to a non-NTFS volume
files are automatically encrypted when put in a folder that has encryption enabled. However, moving one out does not automatically decrypt it
Files that are set to System or in the root directory cannot be encrypted
cipher.exe /e c:\home\flintstones
cipher.exe /d c:\home\flintstones
to allow another user to decrypt a file, right click properties on the encrypted file, advanced, click Add under "users who can access this file". Click the user to select their EFS certification
EFS and group policy:
Computer configuration\policies\windows settings\security settings\public key policies\encrypting file system
Choose Allow or Don't Allow EFS
Allow, Require, or Don't allow Elliptic Curve Cryptography
Check on uncheck:
Encrypt the contents of the user's Documents folder
Require a smart card for EFS
Create caching-capable user key from smart card
Display key backup notifications when user key s created or changed
Certificates tab allows you to set key size. You can also enable or disable EFS from creating it's own certificates when a certificate authority is not available.
2.3.1 Configure Bitlocker encryption
http://technet.microsoft.com/en-us/library/jj612864.aspxhttp://technet.microsoft.com/en-us/library/hh831713.aspx
http://technet.microsoft.com/en-us/library/hh831412.aspx
http://technet.microsoft.com/en-us/library/jj649829%28v=wps.620%29.aspx
http://download.microsoft.com/download/F/4/1/F41E0BFA-8F1B-44E3-91F0-8AF84908DCC7/Understand_and_Troubleshoot_BitLocker_in_Windows_Server_8_Beta.docx
Bitlocker requires Trusted Platform Module 1.2 or 2.0, or USB access to save a startup key to a removable device.
Hard disk must be partitioned with at least two drives:
OS/boot drive contains operating system and its support files. Must be NTFS.
System drive contains files needed to load Windows after firmware has readied the hardware. Bitlocker is not enabled on this drive.
Windows automatically creates the partitions required for Bitlocker.
Bitlocker uses AES-128 or AES-256
Startup modes:
TPM: Bitlocker encryption key stored on TPM
PIN: user must supply a numeric pre-boot PIN
Enhanced PIN: alphanumeric PIN
USB key: A startup key is stored on a USB
Network key: a key provided by a WDS server.
For drives that are not OS volumes, you can choose to use a password or a smart card or have it automatically unlock. If you choose password or smart card, you can save a recovery key
Installing bitlocker:
Add roles and Features
select Bitlocker Drive Encryption(Bitlocker)
Installing Bitlocker will also install the feature Enhanced Storage(EnhancedStorage) to support hard drives that support hardware encryption
Including the management tools will also install Bitlocker Drive Encryption Administration(RSAT-Feature-Tools-Bitlocker), Bitlocker Drive Encryption Tools(RSAT-Feature-Tools-Bitlocker-RemoteAdminTool), Bitlocker Recovery Password Viewer(RSAT-Feature-Tools-Bitlocker-BdeAducExt), AD DS & AD LDS Tools(Rsat-AD-Tools), AD DS Tools(RSAT-ADDS) and AD DS Snap-ins and command-line(RSAT-ADDS-Tools), the manage-bde command line tool, and the PS module Bitlocker
install-windowsfeature bitlocker -includemanagementools
You can check whether your computer has TPM installed by running the TPM management(tpm.msc) snap-in. (You can also get to this mmc via the Bitlocker option in control panel). The TPM must be initialized here before using Bitlocker.
Enable Bitlocker for a drive or removable drive that's not the OS volume:
go to control panel, Bitlocker Drive Encryption.
Click Turn on Bitlocker for the volume you want to encrypt
You can select a Password or Smart card to unlock the drive. You can also allow it to auto unlock. Next you will be prompted with options for backing up your recovery key: Save to USB, Save to file, print the key.
You will be prompted with whether you want to use:
"Encrypt used disk space only": This will encrypt as space is used
"Encrypt entire drive"
Once you have encrypted the volume, you have the option to go back and backup the recovery key again, change or remove password, add or remove a smart card, turn on auto-unlock, or disable bitlocker.
Note: You can also use a certificate as a protector on a data volume using manage-bde
Bitlocker to Go
Allows encryption of removable usb drives. Once the drive is plugged in, you can Turn on Bitlocker in the bitlocker control panel
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account online, or printed.
Bitlocker Recovery:
http://technet.microsoft.com/en-us/library/dn383583.aspx
Bitlocker allowed recovery options should be set in group policy (see 2.2.3)
1. Use a recovery password
2. A designated Data Recover Agent(DRA) can supply a certificate (configured by GP see 2.2.3)
3. An ADDS administrator can retrieve the recovery key from AD.
manage-bde - command line utility to manage bitlocker on a client.
A few parameters:
manage-bde -status to show bitlocker status
manage-bde -protectors -add c: -tpmandpin
manage-bde -on c: -password
-off, -lock, -unlock, -autounlock, -changepassword, -changepin, changekey
Powershell
http://technet.microsoft.com/en-us/library/jj649829.aspx
A few commands:
get-bitlockervolume
enable-bitlocker
disable-bitlocker
add-bitlockerkeyprotector
remove-bitlockerkeyprotector
lock-bitlocker
unlock-bitlocker
enable-bitlockerautolock
Extra Note: In an Enterpries, you may want to use the Microsoft Bitlocker Administration and Monitoring tool (MBAM),included with the Microsoft Desktop Optimization Pack(MDOP), for bitlocker administration. This can be used in standalone mode or integrated into SCCM.
2.3.2 configure the Network Unlock feature
http://technet.microsoft.com/en-us/library/jj574173.aspx
requirements:
Windows 8 or 2012 with UEFI DHCP drivers
Bitlocker Network Unlock feature installed on 2012
a 2012 WDS server
a DHCP server, separate from WDS
If you already have a WDS server in your environment, you can leverage it by installing the network unlock feature. Otherwise, whichever server you install Network Unlock on will install the WDS service. It doesn't have to be configured beyond the initial WDS configuration(to allow the wdsserver service to run)
Install the Network Unlock feature by going to Server Manager. Skip to Features and click on Bitlocker Network Unlock(bitlocker-networkunlock). If WDS is not installed, WDS(WDS), WDS Deployment(wds-deployment) and Transport(wds-transport) will be installed. If you check "include management tools", the WDS Tools(wds-adminpack) will also be installed.
install-windowsfeature bitlocker-networkunlock
The wdsserver service must be running.
If you have a CA, request a new certificate
Use the "Network Unlock on the Domain controller" template
Create the certificate
Export the public key certificate to create a .cer - Select DER encoded X.509 and do not export private key
Export the public key with private key to create a .pfx - Select Yes to export private key
Ot you can create a self-signed certificate and use certreq to create a new certificate. Import into certmgr, then export the .pfx
On the WDS server, go to certmgr.msc and right click certificates - Bitlocker Drive Encryption Network Unlock, and Import. Choose the PFX file.
Now you need to setup group policy to deploy the public key certificate to clients:
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption Network Unlock Certificate
Add Netwok Unlock Certificate. Import the .CER file.
It's recommended you require TPM + startup pin on client computers: See 2.3.3
You can use a subnet access list to specify that only clients from certain subnets can network unlock. On the WDS server, create a bde-network-unlock.ini file in the same folder as the network unlock provider dll (nkpprov.dll in c:\windows\system32)
Extra Note: Client certificates for network unlock are stored in HKLM\Software\Policies\Microsoft\SystemCertificates\FVE_NKP
Extra Note: The first NIC on a compatible client must be configured for DHCP to use with network unlock
2.3.3 configure Bitlocker policies
add a Data Recovery agent for recovery - A DRA is an account who is authorized to recover Bitlocker drives with a certificate.
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption
There are a number of other bitlocker policies that can be configured in
Computer Configuraton\Administrative Templates\Bitlocker Drive Encryption
Some good ones to know:
Bitlocker Drive Encryption:
Store Bitlocker recovery information in AD DS
Choose how users can recover Bitlocker-protected drives
Choose drive encryption method and cipher strength
Operating System Drives:
Allow network unlock at startup
Require additional authentication at startup
Allow Enhanced PINS for startup
Choose how Bitlocker-protected operating system drives can be recovered
Fixed Data Drives:
Configure use of passwords for fixed data drives
Choose how Bitlocker-protected fixed drives can be recovered
Removable Data Drives:
Control use of Bitlocker on removable drives
Configure use of passwords for removable data drives
Choose how Bitlocker-protected removable drives can be recovered.
2.3.4 configure the EFS recovery agent
EFS data recovery agent is configured through GP:
Computer\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
2.3.5 manage EFS and Bitlocker certificates including backup and restore
certificates can be exported using certmgr.msc from Personal
Export with private key.
.PFX - Give it a password
To restore, just import the PFX file to Personal and supply the password
Bitlocker certs can also be exported using certmgr.msc
They can also be stored in ADDS with the"Store Bitlocker recovery information in AD DS" GP option.
Symmetric: uses a single key to encrypt and decrypt data
Asymmetric key: uses mathematically-related keys. This allows one key to be public, so it could be published in a certificate.
Hash: one-way encryption
EFS encryption: used to encrypt files on NTFS volume.
Bitlocker drive encryption(BDE): encrypt an entire volume.
EFS encryption: http://technet.microsoft.com/en-us/library/cc749610%28v=WS.10%29.aspx
EFS creates a certificate for the user encrypting the files, thus allowing only that user to automatically decrypt the files upon use. An encryption certificate can be added to the file in order to share it with other users.
To encrypt a folder or file, click properties on the object, Advanced, then check Encrypt contents to secure data. When you encrypt a folder, you have the option to apply changes to this folder only, or to this folder, subfolders, and files.
To decrypt a folder or file, you just uncheck the Encrypt contents.
You cannot both compress and encrypt an NTFS file
encrypted files are decrypted when moved to a non-NTFS volume
files are automatically encrypted when put in a folder that has encryption enabled. However, moving one out does not automatically decrypt it
Files that are set to System or in the root directory cannot be encrypted
cipher.exe /e c:\home\flintstones
cipher.exe /d c:\home\flintstones
to allow another user to decrypt a file, right click properties on the encrypted file, advanced, click Add under "users who can access this file". Click the user to select their EFS certification
EFS and group policy:
Computer configuration\policies\windows settings\security settings\public key policies\encrypting file system
Choose Allow or Don't Allow EFS
Allow, Require, or Don't allow Elliptic Curve Cryptography
Check on uncheck:
Encrypt the contents of the user's Documents folder
Require a smart card for EFS
Create caching-capable user key from smart card
Display key backup notifications when user key s created or changed
Certificates tab allows you to set key size. You can also enable or disable EFS from creating it's own certificates when a certificate authority is not available.
2.3.1 Configure Bitlocker encryption
http://technet.microsoft.com/en-us/library/jj612864.aspxhttp://technet.microsoft.com/en-us/library/hh831713.aspx
http://technet.microsoft.com/en-us/library/hh831412.aspx
http://technet.microsoft.com/en-us/library/jj649829%28v=wps.620%29.aspx
http://download.microsoft.com/download/F/4/1/F41E0BFA-8F1B-44E3-91F0-8AF84908DCC7/Understand_and_Troubleshoot_BitLocker_in_Windows_Server_8_Beta.docx
Bitlocker requires Trusted Platform Module 1.2 or 2.0, or USB access to save a startup key to a removable device.
Hard disk must be partitioned with at least two drives:
OS/boot drive contains operating system and its support files. Must be NTFS.
System drive contains files needed to load Windows after firmware has readied the hardware. Bitlocker is not enabled on this drive.
Windows automatically creates the partitions required for Bitlocker.
Bitlocker uses AES-128 or AES-256
Startup modes:
TPM: Bitlocker encryption key stored on TPM
PIN: user must supply a numeric pre-boot PIN
Enhanced PIN: alphanumeric PIN
USB key: A startup key is stored on a USB
Network key: a key provided by a WDS server.
For drives that are not OS volumes, you can choose to use a password or a smart card or have it automatically unlock. If you choose password or smart card, you can save a recovery key
Installing bitlocker:
Add roles and Features
select Bitlocker Drive Encryption(Bitlocker)
Installing Bitlocker will also install the feature Enhanced Storage(EnhancedStorage) to support hard drives that support hardware encryption
Including the management tools will also install Bitlocker Drive Encryption Administration(RSAT-Feature-Tools-Bitlocker), Bitlocker Drive Encryption Tools(RSAT-Feature-Tools-Bitlocker-RemoteAdminTool), Bitlocker Recovery Password Viewer(RSAT-Feature-Tools-Bitlocker-BdeAducExt), AD DS & AD LDS Tools(Rsat-AD-Tools), AD DS Tools(RSAT-ADDS) and AD DS Snap-ins and command-line(RSAT-ADDS-Tools), the manage-bde command line tool, and the PS module Bitlocker
install-windowsfeature bitlocker -includemanagementools
You can check whether your computer has TPM installed by running the TPM management(tpm.msc) snap-in. (You can also get to this mmc via the Bitlocker option in control panel). The TPM must be initialized here before using Bitlocker.
Enable Bitlocker for a drive or removable drive that's not the OS volume:
go to control panel, Bitlocker Drive Encryption.
Click Turn on Bitlocker for the volume you want to encrypt
You can select a Password or Smart card to unlock the drive. You can also allow it to auto unlock. Next you will be prompted with options for backing up your recovery key: Save to USB, Save to file, print the key.
You will be prompted with whether you want to use:
"Encrypt used disk space only": This will encrypt as space is used
"Encrypt entire drive"
Once you have encrypted the volume, you have the option to go back and backup the recovery key again, change or remove password, add or remove a smart card, turn on auto-unlock, or disable bitlocker.
Note: You can also use a certificate as a protector on a data volume using manage-bde
Bitlocker to Go
Allows encryption of removable usb drives. Once the drive is plugged in, you can Turn on Bitlocker in the bitlocker control panel
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account online, or printed.
Bitlocker Recovery:
http://technet.microsoft.com/en-us/library/dn383583.aspx
Bitlocker allowed recovery options should be set in group policy (see 2.2.3)
1. Use a recovery password
2. A designated Data Recover Agent(DRA) can supply a certificate (configured by GP see 2.2.3)
3. An ADDS administrator can retrieve the recovery key from AD.
manage-bde - command line utility to manage bitlocker on a client.
A few parameters:
manage-bde -status to show bitlocker status
manage-bde -protectors -add c: -tpmandpin
manage-bde -on c: -password
-off, -lock, -unlock, -autounlock, -changepassword, -changepin, changekey
Powershell
http://technet.microsoft.com/en-us/library/jj649829.aspx
A few commands:
get-bitlockervolume
enable-bitlocker
disable-bitlocker
add-bitlockerkeyprotector
remove-bitlockerkeyprotector
lock-bitlocker
unlock-bitlocker
enable-bitlockerautolock
Extra Note: In an Enterpries, you may want to use the Microsoft Bitlocker Administration and Monitoring tool (MBAM),included with the Microsoft Desktop Optimization Pack(MDOP), for bitlocker administration. This can be used in standalone mode or integrated into SCCM.
2.3.2 configure the Network Unlock feature
http://technet.microsoft.com/en-us/library/jj574173.aspx
requirements:
Windows 8 or 2012 with UEFI DHCP drivers
Bitlocker Network Unlock feature installed on 2012
a 2012 WDS server
a DHCP server, separate from WDS
If you already have a WDS server in your environment, you can leverage it by installing the network unlock feature. Otherwise, whichever server you install Network Unlock on will install the WDS service. It doesn't have to be configured beyond the initial WDS configuration(to allow the wdsserver service to run)
Install the Network Unlock feature by going to Server Manager. Skip to Features and click on Bitlocker Network Unlock(bitlocker-networkunlock). If WDS is not installed, WDS(WDS), WDS Deployment(wds-deployment) and Transport(wds-transport) will be installed. If you check "include management tools", the WDS Tools(wds-adminpack) will also be installed.
install-windowsfeature bitlocker-networkunlock
The wdsserver service must be running.
If you have a CA, request a new certificate
Use the "Network Unlock on the Domain controller" template
Create the certificate
Export the public key certificate to create a .cer - Select DER encoded X.509 and do not export private key
Export the public key with private key to create a .pfx - Select Yes to export private key
Ot you can create a self-signed certificate and use certreq to create a new certificate. Import into certmgr, then export the .pfx
On the WDS server, go to certmgr.msc and right click certificates - Bitlocker Drive Encryption Network Unlock, and Import. Choose the PFX file.
Now you need to setup group policy to deploy the public key certificate to clients:
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption Network Unlock Certificate
Add Netwok Unlock Certificate. Import the .CER file.
It's recommended you require TPM + startup pin on client computers: See 2.3.3
You can use a subnet access list to specify that only clients from certain subnets can network unlock. On the WDS server, create a bde-network-unlock.ini file in the same folder as the network unlock provider dll (nkpprov.dll in c:\windows\system32)
Extra Note: Client certificates for network unlock are stored in HKLM\Software\Policies\Microsoft\SystemCertificates\FVE_NKP
Extra Note: The first NIC on a compatible client must be configured for DHCP to use with network unlock
2.3.3 configure Bitlocker policies
add a Data Recovery agent for recovery - A DRA is an account who is authorized to recover Bitlocker drives with a certificate.
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption
There are a number of other bitlocker policies that can be configured in
Computer Configuraton\Administrative Templates\Bitlocker Drive Encryption
Some good ones to know:
Bitlocker Drive Encryption:
Store Bitlocker recovery information in AD DS
Choose how users can recover Bitlocker-protected drives
Choose drive encryption method and cipher strength
Operating System Drives:
Allow network unlock at startup
Require additional authentication at startup
Allow Enhanced PINS for startup
Choose how Bitlocker-protected operating system drives can be recovered
Fixed Data Drives:
Configure use of passwords for fixed data drives
Choose how Bitlocker-protected fixed drives can be recovered
Removable Data Drives:
Control use of Bitlocker on removable drives
Configure use of passwords for removable data drives
Choose how Bitlocker-protected removable drives can be recovered.
2.3.4 configure the EFS recovery agent
EFS data recovery agent is configured through GP:
Computer\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
2.3.5 manage EFS and Bitlocker certificates including backup and restore
certificates can be exported using certmgr.msc from Personal
Export with private key.
.PFX - Give it a password
To restore, just import the PFX file to Personal and supply the password
Bitlocker certs can also be exported using certmgr.msc
They can also be stored in ADDS with the"Store Bitlocker recovery information in AD DS" GP option.
2. Configure file and print services 2.2 Configure File Server Resource Manager (FSRM)
http://technet.microsoft.com/en-us/library/hh831746.aspx
http://technet.microsoft.com/en-us/library/cc770989%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc732431.aspx
http://technet.microsoft.com/en-us/library/jj900651.aspx
FSRM allows you to:
Quota Management-
Create quotes for a volume or folder tree, including notifications for thresholds
File Screening Management-
Create file filters to control what can be saved, including notifications for those trying to save blocked files
Storage Reports Management-
Generate or schedule storage reports for disk usage
Classification Management-
File classification - based on certain properties, apply policies such as restricting access, encrypting, expiration.
File Management Tasks-
Extra note: File classification is covered more in 70-412.
Extra note: In Windows Server 2012, the File Server Resource Manager command-line tools (dirquota.exe, filescrn.exe, and storrept.exe) are deprecated. They're still available but are meant to be replaced by the FSRM powershell cmdlets.
2.2.1 Install the FSRM role
Add Roles and Features in Server Manager, File Server Resource Manager(FS-Resource-Manager) found under File and ISCSI Services(File Services) and File and Storage Services(FileAndStorage-Services). Including the management tools will also install RSAT-FSRM-Mgmt with fsrm.msc and the PS module FileServerResourceManager
install-windowsfeature fs-resource-manager -includemanagementtools
FSRM server options:
right click the "File Resource Manager item" and select Configure Options:
Email notifications
set the SMTP server name/ip
specify default admin recipients
set the default "from" address
send a test e-mail
send-fsrmtestemail
Notification limits
set e-mail notification limits, event log notification limits, command notification limits, report notification limits
Storage reports
configure default canned report properties
Report locations
set folder locations for Incident, Scheduled, and Interactive(On-Demand) reports
File screen audit
Automatic classification
Access-Denied Assistance
Setup messages/e-mails for access-denied assistance when users are denied access to folders/files
get-fsrmadrsetting
set-fsrmadrsetting
Powershell for all of the above configuration settings:
get-fsrmsetting
set-fsrmsetting
2.2.2 configure quotas
Hard quota: stops users from saving anything that would go beyond the quota threshold
Soft Quota: used for notifications and monitoring. Will not stop files from being saved over the threshold.
Create a quota
Create a quota by clicking the Quotas tab under Quota Management, and right clicking the task area and "Create Quota".
Choose a folder in a path to create a quota on
Select "Create quota on path" will create a total quota on all existing and future subfolders and their nested subs. So if you put a 100 MB on a parent folder, you can only store 100 total MB in all folders below it.
You can choose to use a quota template, or create a custom quota.
If you create a custom quota, you are given the option of copying properties from an existing template, adding a description, setting your limit, choosing hard or soft quota, creating notification thresholds, and enable/disable quota after adding it. Click OK.
Once you hit Create, if you chose "custom quota", you are prompted with the option to save it as a template, unless the "Do not ask me to save as a template" option has been checked before.
Powershell:
Create a new basic 100MB quota:
new-fsrmquota -path "c:\quotaparent1" -size 100MB
Use a template:
new-fsrmquota -path "c:\quotaparent1" -template "100 MB Limit"
You can specify -disabled to create it disabled,-softlimit for soft quota, -description, and -threshold to add threshold notifcations(see below)
Create an auto apply quota
The next option only allows you to use a template. You cannot create a custom quota.
Selecting "Auto apply template and create quotas on existing and new subfolders" creates individual quotas for each subfolder that resides in the parent folder, but those quotas also include the total from the nested subs of each subfolder(as if you created an individual "Create quota on path" on each subfolder.) However, the parent folder is not affected; only it's subs and their nested subs.
Note that if you delete the auto-apply quota from the parent folder, the auto-applied quotas on the current subs will still exist.
Also note that you can place a quota on any nested subfolder whose parent(s) already have a quota applied. But it must be more restrictive than the parent, allowing you to place a quota deeper into the directory structure while maintaining the quotas of the parents. You cannot place a less restrictive quota, as the parent's quota is still enforced on all folders below it.
If you right click an applied quota you can edit it's settings. Even if you used a template to create the quota, you can customize the settings further. However, it will still be displayed under the Source templates expanded display.
Powershell:
new-fsrmautoquota -path "c:\quotaparent2" -template "100 MB Limit"
Since you can only choose template for auto quotas, the only other option to note here is -disabled
Quota Template
Creating a quota template is similar to the custom quota process outlined above.
Powershell:
Also similar to creating a quota
new-fsrmquotatemplate -name "Tiny" -size 10MB
-description, -softlimit, -threshold
get-fsrmquotatemplate -name "Tiny"
Display quotas:
You can view quota usage %'s in the Quotas menu, and filter by templates applied, applied quotas, auto apply quotas, as well as specific quota paths.
You can also use the Quota Usage storage report to view quotas that exceed a percentage.
Powershell
get-fsrmquota
get-fsrmquota -path "c:\quotaparent1"
get-fsrmautoquota
With an auto quota, you can still use get-fsrmquota to see all the auto-set quotas below the parent.
You can remove a quota with
remove-fsrmquota -path "c:\quotaparent1"
remove-fsrmautoquota -path "c:\quotaparent2"
Configuring notifications:
While creating or editing an applied quota, or creating/editing a template, you have the option to configure notifications
Adding or editing a notification gives you the following options:
The % of the threshold that triggers this notification
E-mail message:Send an e-mail to a specific address, and/or to the user who exceeded the threshold.
Event Log: Log this notification in the event log.
Command: Run a specific command or script
Report: Generate a report(See 2.2.4)
Powershell:
First you must create an Action object using new-fsrmaction. Then you create a threshold object using new-fsrmquotathreshold. Note that actions and thresholds are not saved independently, so you must use them other ways, such as storing in variables or creating inline when applying to quotas or quota templates. Example of inline:
set-fsrmquota -path "c:\quotaparent1" -threshold (new-fsrmquotathreshold -percentage 85 -action (new-fsrmaction -type emaill -mailto:"admin@contoso.com" -subject "Threshold" -body "Too much stuff"))
Other Quota cmdlets:
set-fsrmautoquota
set-fsrmquotatemplate
update-fsrmquota
update-fsrmautoquota
(update is used to scan a path in order to resync usage reports for the path)
reset-fsrmquota
(update a quota with a template)
2.2.3 configure file screens
Using File Screening Management node in FSRM mmc:
File Groups:
Right click, create file group. Give the group a name then add file extensions or file name patterns that can be included or excluded for this group
Powershell:
new-fsrmfilegroup -name "Various" -includepattern @("*.mp3","*.exe","*.vbs")
Other parameters: -description, -excludepattern
get-fsrmfilegroup -name "Various"
set-fsrmfilegroup -name "Various" -includepattern @("*.exe","*.vbs")
remove-fsrmfilegroup -name "Various"
File Screens:
Right click, create File screen. Enter a path for the screen. Choose a template, or custom file screen properties. Defining custom properties allows the following options:
Settings tab:
Copy settings from a template
Choose:
Active Screening: Do not allow users to save unauthorized files
Passive Screening: Allow users to save. This is for monitoring those unauthorized files.
Select the file groups to block
E-mail message:
Choose "Send e-mail to administrators" and/or "Send e-mail to user"
Event Log
Create a log entry for the event log.
Command
Run a command or script
Report
Generate reports
Powershell:
new-fsrmfilescreen -path "c:\home" -includegroup "Various" -active
new-fsrmfilescreen -path "c:\screenme" -template "Block Image Files"
-description to add a description
-notification adds a notification created using new-fsrmaction
set-fsrmfilescreen -path "c:\home" -includegroup @("Various","E-mail files")
get-fsrmfilescreen
remove-fsrmfilescreen
File screen exceptions
An exception can be applied to a subfolder whose parent has a file screen applied and it needs to be overridden for this sub.
Powershell:
new-fsrmfilescreenexception
get-fsrmfilescreenexception
set-fsrmfilescreenexception
remove-fsrmfilescreenexception
File screening templates
Creating file screen templates is similar to creating a custom property file screen as listed above
new-fsrmfilescreentemplate -name "Various files" -includegroup "Various" -active
get-fsrmfilescreentemplate
set-fsrmfilescreentemplate
remove-fsrmfilescreentemplate
Other File screen cmdlets:
reset-fsrmfilescreen - reset a file screen to the default settings of a specified template
2.2.4 configure reports
To create, and schedule a report, right click the Storage Reports area and select "Schedule a new report task". This task will be saved for reuse
To create a report and run it now, right click and select Generate Reports now. This task will not be saved.
Settings tab:
If you are scheduling a task, you must give it a name. If you're just generating one, the name will be chosen for you as "Interactive Report Task" with the date/time.
Choose reports to include, and choose their parameters
Available canned reports:
Duplicate files - finds files with same size and modified date
File Screening Audit - Use to monitor screening policies. You can configure min number of days in past events occured, as well as pick specific users
File by File Group: List files that match file groups, in order to find those that take up lots of space.
File by Owner: Pick all owners or selected owners. You can include a file matching pattern as well
Files by Property: Used by classification to find files by property value
Folders by property: Used by classification
Large files: You can set the min file size, as well as a file name pattern to match.
Least recently accessed files: Choose min days since last accessed, as well as a file name pattern
Most recently accessed files: Choose max days since last accessed, as well as a file name pattern
Quota usage: Set minimum % quota usage. This checks all quotas.
Select the format(s) you want to save the report as: DHTML, HTML, XML, CSV, Text
Scope tab:
Select the file data groups to include(these are not the same as the File Screen file groups. If you don't select any of them, the report(s) will default to all files):
Application Files
Backup and Archival Files
Group Files
User Files
Choose the volume(s)/folders to check. Note that the reports will recursively check all subfolders below the one you choose.
Delivery tab:
Allows you to enter e-mail addresses to send the report to.
Schedule tab(only available if you chose Schedule a new report taks):
Choose a time, and the days to run the report on. You can choose to limit the max time the report will be able to run(in hours).
If you chose "Generate reports now", once you click OK you are given the option to Generate reports in the background to view later, or to generate now and view after they finish.
Reports are saved in the location set in the FSRM server options. Default is "c:\storagereports"
new-fsrmstoragereport -name "large" -interactive -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text")
scheduledreport:
Use new-fsrmscheduledtask to create a schedule object.
new-fsrmstoragereport -name "Large Files" -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text") -schedule (new-fsrmscheduled task -time (get-date "1:30am") -weekly "Monday)
get-fsrmstoragereport
unless you specify -name, in addition to schedule reports, this will show currently queued/running interactive and incident reports. The interactive and schedule properties tell you which it is.
set-fsrmstoragereport -name "Large Files" -namespace "c:\home"
remove-fsrmstoragereport -name "Large Files"
other commands:
start-fsrmstoragereport, stop-fsrmstoragereport, wait-fsrmstoragereport
Extra note: one more option available in Storage Reports: Add or Remove Reports for a report task just allows you to see all the report tasks and quickly configure the reports they use, instead of editing each report task individually.
2.2.5 (R2) Configure file management tasks
Right-click "File Management Tasks" under FSRM menu and select "Create File Management Task"
General tab: name the task. Check or uncheck Enable
Scope: Choose type of data to include and the folders to include.
Action: Choose a type of task.. If custom, you will need to provide a path to an executable and command line arguments, as well as working directory. Choose the account to run the task as.
Notification: Add an FSRM notification.
Report: Add an FSRM report to generate
Condition: Include conditions for the task
Schedule: Schedule when the task will run.
This task will be added to Task scheduler under Task Scheduler Library->Microsoft->Windows->File Server Resource Manager
http://technet.microsoft.com/en-us/library/cc770989%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc732431.aspx
http://technet.microsoft.com/en-us/library/jj900651.aspx
FSRM allows you to:
Quota Management-
Create quotes for a volume or folder tree, including notifications for thresholds
File Screening Management-
Create file filters to control what can be saved, including notifications for those trying to save blocked files
Storage Reports Management-
Generate or schedule storage reports for disk usage
Classification Management-
File classification - based on certain properties, apply policies such as restricting access, encrypting, expiration.
File Management Tasks-
Extra note: File classification is covered more in 70-412.
Extra note: In Windows Server 2012, the File Server Resource Manager command-line tools (dirquota.exe, filescrn.exe, and storrept.exe) are deprecated. They're still available but are meant to be replaced by the FSRM powershell cmdlets.
2.2.1 Install the FSRM role
Add Roles and Features in Server Manager, File Server Resource Manager(FS-Resource-Manager) found under File and ISCSI Services(File Services) and File and Storage Services(FileAndStorage-Services). Including the management tools will also install RSAT-FSRM-Mgmt with fsrm.msc and the PS module FileServerResourceManager
install-windowsfeature fs-resource-manager -includemanagementtools
FSRM server options:
right click the "File Resource Manager item" and select Configure Options:
Email notifications
set the SMTP server name/ip
specify default admin recipients
set the default "from" address
send a test e-mail
send-fsrmtestemail
Notification limits
set e-mail notification limits, event log notification limits, command notification limits, report notification limits
Storage reports
configure default canned report properties
Report locations
set folder locations for Incident, Scheduled, and Interactive(On-Demand) reports
File screen audit
Automatic classification
Access-Denied Assistance
Setup messages/e-mails for access-denied assistance when users are denied access to folders/files
get-fsrmadrsetting
set-fsrmadrsetting
Powershell for all of the above configuration settings:
get-fsrmsetting
set-fsrmsetting
2.2.2 configure quotas
Hard quota: stops users from saving anything that would go beyond the quota threshold
Soft Quota: used for notifications and monitoring. Will not stop files from being saved over the threshold.
Create a quota
Create a quota by clicking the Quotas tab under Quota Management, and right clicking the task area and "Create Quota".
Choose a folder in a path to create a quota on
Select "Create quota on path" will create a total quota on all existing and future subfolders and their nested subs. So if you put a 100 MB on a parent folder, you can only store 100 total MB in all folders below it.
You can choose to use a quota template, or create a custom quota.
If you create a custom quota, you are given the option of copying properties from an existing template, adding a description, setting your limit, choosing hard or soft quota, creating notification thresholds, and enable/disable quota after adding it. Click OK.
Once you hit Create, if you chose "custom quota", you are prompted with the option to save it as a template, unless the "Do not ask me to save as a template" option has been checked before.
Powershell:
Create a new basic 100MB quota:
new-fsrmquota -path "c:\quotaparent1" -size 100MB
Use a template:
new-fsrmquota -path "c:\quotaparent1" -template "100 MB Limit"
You can specify -disabled to create it disabled,-softlimit for soft quota, -description, and -threshold to add threshold notifcations(see below)
Create an auto apply quota
The next option only allows you to use a template. You cannot create a custom quota.
Selecting "Auto apply template and create quotas on existing and new subfolders" creates individual quotas for each subfolder that resides in the parent folder, but those quotas also include the total from the nested subs of each subfolder(as if you created an individual "Create quota on path" on each subfolder.) However, the parent folder is not affected; only it's subs and their nested subs.
Note that if you delete the auto-apply quota from the parent folder, the auto-applied quotas on the current subs will still exist.
Also note that you can place a quota on any nested subfolder whose parent(s) already have a quota applied. But it must be more restrictive than the parent, allowing you to place a quota deeper into the directory structure while maintaining the quotas of the parents. You cannot place a less restrictive quota, as the parent's quota is still enforced on all folders below it.
If you right click an applied quota you can edit it's settings. Even if you used a template to create the quota, you can customize the settings further. However, it will still be displayed under the Source templates expanded display.
Powershell:
new-fsrmautoquota -path "c:\quotaparent2" -template "100 MB Limit"
Since you can only choose template for auto quotas, the only other option to note here is -disabled
Quota Template
Creating a quota template is similar to the custom quota process outlined above.
Powershell:
Also similar to creating a quota
new-fsrmquotatemplate -name "Tiny" -size 10MB
-description, -softlimit, -threshold
get-fsrmquotatemplate -name "Tiny"
Display quotas:
You can view quota usage %'s in the Quotas menu, and filter by templates applied, applied quotas, auto apply quotas, as well as specific quota paths.
You can also use the Quota Usage storage report to view quotas that exceed a percentage.
Powershell
get-fsrmquota
get-fsrmquota -path "c:\quotaparent1"
get-fsrmautoquota
With an auto quota, you can still use get-fsrmquota to see all the auto-set quotas below the parent.
You can remove a quota with
remove-fsrmquota -path "c:\quotaparent1"
remove-fsrmautoquota -path "c:\quotaparent2"
Configuring notifications:
While creating or editing an applied quota, or creating/editing a template, you have the option to configure notifications
Adding or editing a notification gives you the following options:
The % of the threshold that triggers this notification
E-mail message:Send an e-mail to a specific address, and/or to the user who exceeded the threshold.
Event Log: Log this notification in the event log.
Command: Run a specific command or script
Report: Generate a report(See 2.2.4)
Powershell:
First you must create an Action object using new-fsrmaction. Then you create a threshold object using new-fsrmquotathreshold. Note that actions and thresholds are not saved independently, so you must use them other ways, such as storing in variables or creating inline when applying to quotas or quota templates. Example of inline:
set-fsrmquota -path "c:\quotaparent1" -threshold (new-fsrmquotathreshold -percentage 85 -action (new-fsrmaction -type emaill -mailto:"admin@contoso.com" -subject "Threshold" -body "Too much stuff"))
Other Quota cmdlets:
set-fsrmautoquota
set-fsrmquotatemplate
update-fsrmquota
update-fsrmautoquota
(update is used to scan a path in order to resync usage reports for the path)
reset-fsrmquota
(update a quota with a template)
2.2.3 configure file screens
Using File Screening Management node in FSRM mmc:
File Groups:
Right click, create file group. Give the group a name then add file extensions or file name patterns that can be included or excluded for this group
Powershell:
new-fsrmfilegroup -name "Various" -includepattern @("*.mp3","*.exe","*.vbs")
Other parameters: -description, -excludepattern
get-fsrmfilegroup -name "Various"
set-fsrmfilegroup -name "Various" -includepattern @("*.exe","*.vbs")
remove-fsrmfilegroup -name "Various"
File Screens:
Right click, create File screen. Enter a path for the screen. Choose a template, or custom file screen properties. Defining custom properties allows the following options:
Settings tab:
Copy settings from a template
Choose:
Active Screening: Do not allow users to save unauthorized files
Passive Screening: Allow users to save. This is for monitoring those unauthorized files.
Select the file groups to block
E-mail message:
Choose "Send e-mail to administrators" and/or "Send e-mail to user"
Event Log
Create a log entry for the event log.
Command
Run a command or script
Report
Generate reports
Powershell:
new-fsrmfilescreen -path "c:\home" -includegroup "Various" -active
new-fsrmfilescreen -path "c:\screenme" -template "Block Image Files"
-description to add a description
-notification adds a notification created using new-fsrmaction
set-fsrmfilescreen -path "c:\home" -includegroup @("Various","E-mail files")
get-fsrmfilescreen
remove-fsrmfilescreen
File screen exceptions
An exception can be applied to a subfolder whose parent has a file screen applied and it needs to be overridden for this sub.
Powershell:
new-fsrmfilescreenexception
get-fsrmfilescreenexception
set-fsrmfilescreenexception
remove-fsrmfilescreenexception
File screening templates
Creating file screen templates is similar to creating a custom property file screen as listed above
new-fsrmfilescreentemplate -name "Various files" -includegroup "Various" -active
get-fsrmfilescreentemplate
set-fsrmfilescreentemplate
remove-fsrmfilescreentemplate
Other File screen cmdlets:
reset-fsrmfilescreen - reset a file screen to the default settings of a specified template
2.2.4 configure reports
To create, and schedule a report, right click the Storage Reports area and select "Schedule a new report task". This task will be saved for reuse
To create a report and run it now, right click and select Generate Reports now. This task will not be saved.
Settings tab:
If you are scheduling a task, you must give it a name. If you're just generating one, the name will be chosen for you as "Interactive Report Task" with the date/time.
Choose reports to include, and choose their parameters
Available canned reports:
Duplicate files - finds files with same size and modified date
File Screening Audit - Use to monitor screening policies. You can configure min number of days in past events occured, as well as pick specific users
File by File Group: List files that match file groups, in order to find those that take up lots of space.
File by Owner: Pick all owners or selected owners. You can include a file matching pattern as well
Files by Property: Used by classification to find files by property value
Folders by property: Used by classification
Large files: You can set the min file size, as well as a file name pattern to match.
Least recently accessed files: Choose min days since last accessed, as well as a file name pattern
Most recently accessed files: Choose max days since last accessed, as well as a file name pattern
Quota usage: Set minimum % quota usage. This checks all quotas.
Select the format(s) you want to save the report as: DHTML, HTML, XML, CSV, Text
Scope tab:
Select the file data groups to include(these are not the same as the File Screen file groups. If you don't select any of them, the report(s) will default to all files):
Application Files
Backup and Archival Files
Group Files
User Files
Choose the volume(s)/folders to check. Note that the reports will recursively check all subfolders below the one you choose.
Delivery tab:
Allows you to enter e-mail addresses to send the report to.
Schedule tab(only available if you chose Schedule a new report taks):
Choose a time, and the days to run the report on. You can choose to limit the max time the report will be able to run(in hours).
If you chose "Generate reports now", once you click OK you are given the option to Generate reports in the background to view later, or to generate now and view after they finish.
Reports are saved in the location set in the FSRM server options. Default is "c:\storagereports"
new-fsrmstoragereport -name "large" -interactive -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text")
scheduledreport:
Use new-fsrmscheduledtask to create a schedule object.
new-fsrmstoragereport -name "Large Files" -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text") -schedule (new-fsrmscheduled task -time (get-date "1:30am") -weekly "Monday)
get-fsrmstoragereport
unless you specify -name, in addition to schedule reports, this will show currently queued/running interactive and incident reports. The interactive and schedule properties tell you which it is.
set-fsrmstoragereport -name "Large Files" -namespace "c:\home"
remove-fsrmstoragereport -name "Large Files"
other commands:
start-fsrmstoragereport, stop-fsrmstoragereport, wait-fsrmstoragereport
Extra note: one more option available in Storage Reports: Add or Remove Reports for a report task just allows you to see all the report tasks and quickly configure the reports they use, instead of editing each report task individually.
2.2.5 (R2) Configure file management tasks
Right-click "File Management Tasks" under FSRM menu and select "Create File Management Task"
General tab: name the task. Check or uncheck Enable
Scope: Choose type of data to include and the folders to include.
Action: Choose a type of task.. If custom, you will need to provide a path to an executable and command line arguments, as well as working directory. Choose the account to run the task as.
Notification: Add an FSRM notification.
Report: Add an FSRM report to generate
Condition: Include conditions for the task
Schedule: Schedule when the task will run.
This task will be added to Task scheduler under Task Scheduler Library->Microsoft->Windows->File Server Resource Manager
2. Configure file and print services 2.1 Configure Distributed File System (DFS)
DFS groups shared folders into a single logical structure across one or more servers.
2.1.1 Install and configure DFS namespaces
http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx
http://technet.microsoft.com/fr-fr/library/ee404780%28v=ws.10%29.aspx
In Add Roles and Features, DFS Namespaces(FS-DFS-namespace) is found under File and Storage Services(FileandStorage-Services),File and iSCSI Services(File-services). The File Server(FS-FileServer) role feature should also be installed for share management. Including management tools installs the feature DFS Management Tools(RSAT-DFS-Mgmt-Con) and the PS module DFSN
Powershell:
install-windowsfeature fs-dfs-namespace -incluemanagementtools
Go to Server Manager Tools/DFS Management, or run dfsmgmt.msc from the command line.
Configuring DFS Namespaces:
Domain-based namespace: DFS configuration is stored in AD
Stand-alone namespaces: DFS configuration is stored on one server.
Windows 2008 mode supports up to 50k folders and access-based enumeration.
To use Windows 2008 mode with domain-based namespace, your AD forest must use windows 2003 mode or higher, the domain has to be 2008 or higher, and all namespace servers must be 2008 or higher.
The other option is using Windows 2000 Server mode which only supports 5k folders.
Create a new namespace and folder link:
Choose the namespace server that will host the namespace, click Next.
Enter the name for the namespace. This will appear after the \\server or \\domain
This will create a share on the namespace server if it does not exist, located under a folder called DFSRoots, so you can click edit settings to edit permissions for this DFS share. Else, hit Next.
Set Domain-based(2008 if applicable) or stand-alone namespace
Once you've created a new namespace, you can configure a new folder link for it. This link will be placed inside the namespace directory that you just created.
Double click the namespace, then New Folder.
Give the folder link a name, and choose the target folder(s) to which this link will pick.
Click ok. If you chose multiple target folders, and replication is enabled, you are given the option to set up a replication group.
Configuration:
Tabs for a namespace share:
Namespace: Lists namespace folder links
Namespace servers: Lists namespace servers for this namespace share. You can set share permissions or override referral targeting for this specific root share.
Delegation: Show delegation permissions for managing this namespace share
Search:
Properties of a namespace share:
You can change the referral cache duration for clients, and also select a method for ordering targets outside a client site: Lowest cost, Random Order, or Exclude other-site targets
You can also check to have clients fall back to preferred targets if their original target is available again.
Under advanced you can configure the DC polling for this share: Consistency vs scalability.
Consistency always polls the PDC emulator for namespace changes
Scalability will always poll the closest DC
You can also enable Access-based enumeration for this namespace under Advanced tab.
Tabs for a namespace folder link:
Folder targerts = targets for the folder link
Replication = shows replication status when there are multiple target folders and replication is enabled
Properties of a namespace folder link:
You can set client referral cache duration, and you can override the referral settings from the root namespace: Exclude targets outside the client's site or Clients fall back to preferred targets.
Under advanced you can set the view permissions for this folder link.
Properties of a folder link target:
Enable or disable referrals to this target, setup share permissions directly without having to go to the server
Under advanced, you can override referral ordering for this target.
Powershell configuration
http://blogs.technet.com/b/filecab/archive/2012/10/19/introducing-dfs-namespaces-windows-powershell-cmdlets.aspx
get-command -module dfsn
To create a new DFS root, you must setup a share first:
mkdir c:\dfsroot\public
new-smbshare -name public -path c:\dfsroot\public
There are lots of settings for a new-dfsnroot, but you only need path, targetpath, and type
path=domain or server namespace path, targetpath is first server share target path, type is standalone, domainv1 for 2003 or domainv2 for 2008
new-dfsnroot -path "\\contoso.com\public" -targetpath "\\server2\public" -type domainv2
get-dfsnroot will show your new namespace root
set-dfsnroot to set or change the other settings
get-dfsnroottarget -path "\\contoso.com\public" will show your first target. You can add other targets for this root namespace with
new-dfsnroottarget
set-dfsnroottarget configure settings on the root target
To put a folder link in the new namespace root, you also must make a new share:
mkdir c:\testshare
new-smbshare -name testshare -path c:\testshare
new-dfsnfolder -path "\\contoso.com\public\testshare" -targetpath "\\server2\testshare"
get-dfsnfolder to show the new folder link
get-dfsnfoldertarget -path "\\contoso.com\public\testshare" shows the first folder link target
Now we can add folder link targets to an existing folder link. I added a share on server1 already.
new-dfsnfoldertarget -path "\\contoso.com\public\testshare" -targetpath "\\server1\testshare"
get-dfsnfoldertarget -path "\\contoso.com\public\testshare" now shows both targets
set-dfsnfoldertarget to set configuration on the target
Of course, now you would want to setup replication for the two folder targets
Remove any of the above with:
remove-dfsnroot, remove-dfsnroottarget, remove-dfsnfolder, remove-dfsnfoldertarget
The rest of the PS commands:
set-dfsnserverconfiguration, move-dfsnfolder, get-dfsnaccess, grant-dfsnaccess, remove-dfsnaccess, revok-dfsnaccess
Extra note: a new namespace root created in PS will not show up in the DFS management gui until you "Add namespaces to display"
Extra note: It's important to note that the folder targets of a folder link will enforce their own share/NTFS permissions when a user is transparently forwarded to the share, and these permissions are not replicated. Therefore, if you have multiple target folders, you must manually keep the share and target folder NTFS permissions consistent or your users could suffer permission problems when redirected. However, any files and folders inside the target folders should replicate their own NTFS permissions to all target folders in the replication group.
2.1.2 configure DFS Replication Targets
For 2008/2008R2/2012, the following limits apply:
10 terabytes is the max size of all replicated files on a server
11 million replicated files max on a volume
64 gigabytes is the max size of one replicated file
There is no longer a limit to the number of replication groups, replicated folders, connections, or replication group members for 2012 R2
In Add Roles and Features, DFS Replication(FS-DFS-replication) is found under File and Storage Services(FileandStorage-Services),File and iSCSI Services(File-services).
Once installed, you can setup replication groups for multiple target folders on a single folder link. Or you can setup replication groups for folders that aren't even involved with DFS namespaces.
To setup a replication group for a DFS namespace folder link, right click the folder link and select "Replicate folder"
You can change the name of the replication group name and folder name
Next you can verify the folder targets
Select the server for the folder target that you want use as the source of the initial replication of it's contents to the others.
Select a topology. Hub and spoke for 3+ members, Full, or set your own custom one later.
Set your bandwith usage for replication, and replication schedules.
To setup a replication group for other folders, right click the "Replication" menu item and select "New Replication group".
Choose whether this is a multipurpose replication or if it will be used for data collection(hub and spoke)
Type a name for the group.
Choose servers that will participate in this group. They must have FS-DFS-Replication feature installed.
Select a topology. Hub and spoke for 3+ members, Full, or set your own custom one later.
Set your bandwith usage for replication, and replication schedules.
Select the server for the folder target that you want use as the source of the initial replication of it's contents to the others.
Choose the folder on the primary server to replicate
Enable and select folders for the other servers to replicate to. You can choose to set them to read-only.
Replication General settings:
Right clicking the Replication menu item allows you to
Create a new replication group
Add replication groups to display
Delegate management
Disable topology verification
Replication group settings:
right clicking a replication group allows you to:
Add a new member
Choose new folders to replicate for this group
Add a new connection
Change the topology.
Create a diagnostic report for this group
Verify the topology
Delegate management for this group
Edit the group replication schedule
Remove the replication group from displaying in the left menu.
Replication group tabs:
Memberships:
Shows all the replicated folders.
If you right click a member and properties, you can set Staging settings.
Connections:
Shows member server connections and status
Right clicking and properties allows you to enable/disable replication for this connection,
enable/disable RDC, or edit the replication schedule
You can also force a replication by right clicking and replicate now
Replicated folders:
Also shows the folders being replicated. This will show namespace info if it's a folder link
Delegation:
shows permissions for managing this group.
Extra note: 2012R2 introduces new PS cmdlets for DFS Replication. See http://technet.microsoft.com/en-us/library/dn296591.aspx
Extra note: also for 2012R2, DFS limits will increase: 100 terabytes max of replicated files on one server, 70 million max replicated files on a volume, 250 gigs is max file size that will replicate
2.1.3 configure Replication Scheduling
Right click the replication group and choose "Edit replication group schedule".
You can specify bandwith requirements per 1 hour by clicking on the graph, or you can click Details and manually input specific times. The minimum time period you can set is 15 minutes.
2.1.4 configure Remote Differential Compression settings
You can disable or enable RDC compression on a specific connection in a replication group by right clicking the connection on the Connections tab and selecting properties, then checking the "Use remote differential compressions (RDC)".
2.1.5 configure staging
Right click the replicated folders in the Memberships tab.
Choose properties and click the Staging tab.
You can choose the path for the staging for this specific server/folder
Choose the Quota in MB. The default is 4096.
Under the advanced tab, you can also set the Conflict and Deleted quota for this folder. The path is relative to your staging path.
2.1.6 configure fault tolerance
Once again I'm not sure what MS is looking for here that isn't covered above. This whole section is about DFS so what could this mean?
I'll just use this space to mention that there are other command line utilities associated with DFS:
Set up replication groups on the source server. Since the GUI wizard requires to select 2 or more servers in a replication group, we can do this using cmdlets:
new-dfsreplicationgroup -groupname "repgroup" | new-dfsreplicatedfolder -foldername "reptest"
add-dfsrmember -groupname "repgroup" -computername "server1"
set-dfsrmembership -groupname "repgroup" -foldername "reptest" -contentpath "c:\reptest" -computername "Server1" -primarymember $True
In Dfs-Replication Event Log, look for event id 4112 for successful initialization
Verify that replications on the same volume are in a status of 4 (Normal):
Get-WmiObject -Namespace "root\Microsoft\Windows\DFSR" -Class msft_dfsrreplicatedfolderinfo | format-table replicatedfoldername, state -auto
Use export-dfsrclone command:
export-dfsrclone -volume "C:" -Path "C:\dfsrclone"
volume is the volume on which replicated folders are that you want to export the DFS rep DB for. Path is where the clone backup will be stored.
Once run, export-dfsrclone will give you a couple of examples to copy the clone DB as well as the contents of the replicated folder(s) for use on the destination server. You should have config.xml and dfsr.db.clone files in the clone export directory.
Use get-dfsrclonestate command to check the export progress. Results: Ready - status before and after cloning. Started DB export, Started DB import, Processing DB export, Processing DB import, Resetting - rollback of export/import, Shutdown - due to requested backup or restore, Shutting Down.
You can also check the DFS Replication event viewer for Event ID 2406(initialize export), then 2402 for successful export.
On the destination server: Install fs-dfs-replication -includemanagementtools (for the cmdlets), copy replicated files to their folders on the new server, and copy clone DB to a staging directory. Check to see if replication is installed on the destination volume
get-childitem -path "c:\system volume information\dfsr" -hidden
If replication is enabled, there are other tasks to remove it or verify if there are replicated folders(see technet link)
Otherwise, import the clone DB:
import-dfsrclone -volume "c:" -path "c:\cloneimport"
After import, finish adding destination server to the group, setup the connection, and destination folder membership:
add-dfsrmember -groupname "repgroup" -computername "server2"
add-dfsrconnection -groupname "repgroup" -sourcecomputername "server1" -destinationcomputername "server2"
set-dfsrmembership -groupname "repgroup" -foldername "reptest" -contentpath "c:\reptest" -computername "server2"
2.1.1 Install and configure DFS namespaces
http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx
http://technet.microsoft.com/fr-fr/library/ee404780%28v=ws.10%29.aspx
In Add Roles and Features, DFS Namespaces(FS-DFS-namespace) is found under File and Storage Services(FileandStorage-Services),File and iSCSI Services(File-services). The File Server(FS-FileServer) role feature should also be installed for share management. Including management tools installs the feature DFS Management Tools(RSAT-DFS-Mgmt-Con) and the PS module DFSN
Powershell:
install-windowsfeature fs-dfs-namespace -incluemanagementtools
Go to Server Manager Tools/DFS Management, or run dfsmgmt.msc from the command line.
Configuring DFS Namespaces:
Domain-based namespace: DFS configuration is stored in AD
Stand-alone namespaces: DFS configuration is stored on one server.
Windows 2008 mode supports up to 50k folders and access-based enumeration.
To use Windows 2008 mode with domain-based namespace, your AD forest must use windows 2003 mode or higher, the domain has to be 2008 or higher, and all namespace servers must be 2008 or higher.
The other option is using Windows 2000 Server mode which only supports 5k folders.
Create a new namespace and folder link:
Choose the namespace server that will host the namespace, click Next.
Enter the name for the namespace. This will appear after the \\server or \\domain
This will create a share on the namespace server if it does not exist, located under a folder called DFSRoots, so you can click edit settings to edit permissions for this DFS share. Else, hit Next.
Set Domain-based(2008 if applicable) or stand-alone namespace
Once you've created a new namespace, you can configure a new folder link for it. This link will be placed inside the namespace directory that you just created.
Double click the namespace, then New Folder.
Give the folder link a name, and choose the target folder(s) to which this link will pick.
Click ok. If you chose multiple target folders, and replication is enabled, you are given the option to set up a replication group.
Configuration:
Tabs for a namespace share:
Namespace: Lists namespace folder links
Namespace servers: Lists namespace servers for this namespace share. You can set share permissions or override referral targeting for this specific root share.
Delegation: Show delegation permissions for managing this namespace share
Search:
Properties of a namespace share:
You can change the referral cache duration for clients, and also select a method for ordering targets outside a client site: Lowest cost, Random Order, or Exclude other-site targets
You can also check to have clients fall back to preferred targets if their original target is available again.
Under advanced you can configure the DC polling for this share: Consistency vs scalability.
Consistency always polls the PDC emulator for namespace changes
Scalability will always poll the closest DC
You can also enable Access-based enumeration for this namespace under Advanced tab.
Tabs for a namespace folder link:
Folder targerts = targets for the folder link
Replication = shows replication status when there are multiple target folders and replication is enabled
Properties of a namespace folder link:
You can set client referral cache duration, and you can override the referral settings from the root namespace: Exclude targets outside the client's site or Clients fall back to preferred targets.
Under advanced you can set the view permissions for this folder link.
Properties of a folder link target:
Enable or disable referrals to this target, setup share permissions directly without having to go to the server
Under advanced, you can override referral ordering for this target.
Powershell configuration
http://blogs.technet.com/b/filecab/archive/2012/10/19/introducing-dfs-namespaces-windows-powershell-cmdlets.aspx
get-command -module dfsn
To create a new DFS root, you must setup a share first:
mkdir c:\dfsroot\public
new-smbshare -name public -path c:\dfsroot\public
There are lots of settings for a new-dfsnroot, but you only need path, targetpath, and type
path=domain or server namespace path, targetpath is first server share target path, type is standalone, domainv1 for 2003 or domainv2 for 2008
new-dfsnroot -path "\\contoso.com\public" -targetpath "\\server2\public" -type domainv2
get-dfsnroot will show your new namespace root
set-dfsnroot to set or change the other settings
get-dfsnroottarget -path "\\contoso.com\public" will show your first target. You can add other targets for this root namespace with
new-dfsnroottarget
set-dfsnroottarget configure settings on the root target
To put a folder link in the new namespace root, you also must make a new share:
mkdir c:\testshare
new-smbshare -name testshare -path c:\testshare
new-dfsnfolder -path "\\contoso.com\public\testshare" -targetpath "\\server2\testshare"
get-dfsnfolder to show the new folder link
get-dfsnfoldertarget -path "\\contoso.com\public\testshare" shows the first folder link target
Now we can add folder link targets to an existing folder link. I added a share on server1 already.
new-dfsnfoldertarget -path "\\contoso.com\public\testshare" -targetpath "\\server1\testshare"
get-dfsnfoldertarget -path "\\contoso.com\public\testshare" now shows both targets
set-dfsnfoldertarget to set configuration on the target
Of course, now you would want to setup replication for the two folder targets
Remove any of the above with:
remove-dfsnroot, remove-dfsnroottarget, remove-dfsnfolder, remove-dfsnfoldertarget
The rest of the PS commands:
set-dfsnserverconfiguration, move-dfsnfolder, get-dfsnaccess, grant-dfsnaccess, remove-dfsnaccess, revok-dfsnaccess
Extra note: a new namespace root created in PS will not show up in the DFS management gui until you "Add namespaces to display"
Extra note: It's important to note that the folder targets of a folder link will enforce their own share/NTFS permissions when a user is transparently forwarded to the share, and these permissions are not replicated. Therefore, if you have multiple target folders, you must manually keep the share and target folder NTFS permissions consistent or your users could suffer permission problems when redirected. However, any files and folders inside the target folders should replicate their own NTFS permissions to all target folders in the replication group.
2.1.2 configure DFS Replication Targets
For 2008/2008R2/2012, the following limits apply:
10 terabytes is the max size of all replicated files on a server
11 million replicated files max on a volume
64 gigabytes is the max size of one replicated file
There is no longer a limit to the number of replication groups, replicated folders, connections, or replication group members for 2012 R2
In Add Roles and Features, DFS Replication(FS-DFS-replication) is found under File and Storage Services(FileandStorage-Services),File and iSCSI Services(File-services).
Once installed, you can setup replication groups for multiple target folders on a single folder link. Or you can setup replication groups for folders that aren't even involved with DFS namespaces.
To setup a replication group for a DFS namespace folder link, right click the folder link and select "Replicate folder"
You can change the name of the replication group name and folder name
Next you can verify the folder targets
Select the server for the folder target that you want use as the source of the initial replication of it's contents to the others.
Select a topology. Hub and spoke for 3+ members, Full, or set your own custom one later.
Set your bandwith usage for replication, and replication schedules.
To setup a replication group for other folders, right click the "Replication" menu item and select "New Replication group".
Choose whether this is a multipurpose replication or if it will be used for data collection(hub and spoke)
Type a name for the group.
Choose servers that will participate in this group. They must have FS-DFS-Replication feature installed.
Select a topology. Hub and spoke for 3+ members, Full, or set your own custom one later.
Set your bandwith usage for replication, and replication schedules.
Select the server for the folder target that you want use as the source of the initial replication of it's contents to the others.
Choose the folder on the primary server to replicate
Enable and select folders for the other servers to replicate to. You can choose to set them to read-only.
Replication General settings:
Right clicking the Replication menu item allows you to
Create a new replication group
Add replication groups to display
Delegate management
Disable topology verification
Replication group settings:
right clicking a replication group allows you to:
Add a new member
Choose new folders to replicate for this group
Add a new connection
Change the topology.
Create a diagnostic report for this group
Verify the topology
Delegate management for this group
Edit the group replication schedule
Remove the replication group from displaying in the left menu.
Replication group tabs:
Memberships:
Shows all the replicated folders.
If you right click a member and properties, you can set Staging settings.
Connections:
Shows member server connections and status
Right clicking and properties allows you to enable/disable replication for this connection,
enable/disable RDC, or edit the replication schedule
You can also force a replication by right clicking and replicate now
Replicated folders:
Also shows the folders being replicated. This will show namespace info if it's a folder link
Delegation:
shows permissions for managing this group.
Extra note: 2012R2 introduces new PS cmdlets for DFS Replication. See http://technet.microsoft.com/en-us/library/dn296591.aspx
Extra note: also for 2012R2, DFS limits will increase: 100 terabytes max of replicated files on one server, 70 million max replicated files on a volume, 250 gigs is max file size that will replicate
2.1.3 configure Replication Scheduling
Right click the replication group and choose "Edit replication group schedule".
You can specify bandwith requirements per 1 hour by clicking on the graph, or you can click Details and manually input specific times. The minimum time period you can set is 15 minutes.
2.1.4 configure Remote Differential Compression settings
You can disable or enable RDC compression on a specific connection in a replication group by right clicking the connection on the Connections tab and selecting properties, then checking the "Use remote differential compressions (RDC)".
2.1.5 configure staging
Right click the replicated folders in the Memberships tab.
Choose properties and click the Staging tab.
You can choose the path for the staging for this specific server/folder
Choose the Quota in MB. The default is 4096.
Under the advanced tab, you can also set the Conflict and Deleted quota for this folder. The path is relative to your staging path.
2.1.6 configure fault tolerance
Once again I'm not sure what MS is looking for here that isn't covered above. This whole section is about DFS so what could this mean?
I'll just use this space to mention that there are other command line utilities associated with DFS:
|
|||||||||||
| 2.1.7 (R2) Clone a DFS database; recover DFS database; optimize DFS replication | |||||||||||
Exporting a DFS replication database can be used to setup an offline or otherwise unavailable/low-bandwith server for an initial replication. Or it can be used for failure recovery of a DFS replication DB. |
|||||||||||
new-dfsreplicationgroup -groupname "repgroup" | new-dfsreplicatedfolder -foldername "reptest"
add-dfsrmember -groupname "repgroup" -computername "server1"
set-dfsrmembership -groupname "repgroup" -foldername "reptest" -contentpath "c:\reptest" -computername "Server1" -primarymember $True
In Dfs-Replication Event Log, look for event id 4112 for successful initialization
Verify that replications on the same volume are in a status of 4 (Normal):
Get-WmiObject -Namespace "root\Microsoft\Windows\DFSR" -Class msft_dfsrreplicatedfolderinfo | format-table replicatedfoldername, state -auto
Use export-dfsrclone command:
export-dfsrclone -volume "C:" -Path "C:\dfsrclone"
volume is the volume on which replicated folders are that you want to export the DFS rep DB for. Path is where the clone backup will be stored.
Once run, export-dfsrclone will give you a couple of examples to copy the clone DB as well as the contents of the replicated folder(s) for use on the destination server. You should have config.xml and dfsr.db.clone files in the clone export directory.
Use get-dfsrclonestate command to check the export progress. Results: Ready - status before and after cloning. Started DB export, Started DB import, Processing DB export, Processing DB import, Resetting - rollback of export/import, Shutdown - due to requested backup or restore, Shutting Down.
You can also check the DFS Replication event viewer for Event ID 2406(initialize export), then 2402 for successful export.
On the destination server: Install fs-dfs-replication -includemanagementtools (for the cmdlets), copy replicated files to their folders on the new server, and copy clone DB to a staging directory. Check to see if replication is installed on the destination volume
get-childitem -path "c:\system volume information\dfsr" -hidden
If replication is enabled, there are other tasks to remove it or verify if there are replicated folders(see technet link)
Otherwise, import the clone DB:
import-dfsrclone -volume "c:" -path "c:\cloneimport"
After import, finish adding destination server to the group, setup the connection, and destination folder membership:
add-dfsrmember -groupname "repgroup" -computername "server2"
add-dfsrconnection -groupname "repgroup" -sourcecomputername "server1" -destinationcomputername "server2"
set-dfsrmembership -groupname "repgroup" -foldername "reptest" -contentpath "c:\reptest" -computername "server2"
1. Deploy, manage, and maintain servers 1.3 Monitor servers
1.3.1 Configure Data Collector Sets (DCS)
A DCS organizes performance counts, event traces, and system configuration data into one single object and allows Reports to be created for the DCS(found in Reports menu under Performance in the left pane)
In Performance Manager, left pane, expand DCS. Right click user defined folder and choose New Data Collector Set. Create from Template or Create manually. Choose a template if using templates. Save and close. Right click and Start the DCS.
Creating manually alllows you to select Performance counter data collector, Event Trace data collector, Config Data collectors, and performance counter alerts.
Performance counter DC allows collection of various performance related counters
Event Trace DC allows you to collect certain debug type data from specific events
Config DC's allow monitoring of registry keys.
Performance Alerts monitor thresholds for performance counters.
In the properties for the parent DCS, a few things you can configure: you can configure a root directory, a schedule for the DCS to run, permissions, stop conditions, run a task when the DCS stops,
For each task in the DCS, there are also properties specific to the type of task. Except for the performance alert, the other types allow you to define a file to store the collected data in.
Once you run a DCS, you can look at the results in the Report tab menu.
1.3.2 configure alerts
Performance alerts are notifications or tasks that are executed when a performance threshold is reached. Create a new DCS, choose Create manually, select performance counter alert. Add a performance counter to select which counter. choose Above or Below the limit value.
Now in the properties, we can set the interval under Alerts, or add/change/remove counters. Under "Alert Action", you can set the thresholds to log in the Application event log, or to start another DCS. Under Alert Task, you can set to run a task when alert is triggered.
1.3.3 monitor real-time performance
Task Manager: from Run/command prompt use taskmgr, or right click taskbar and Task Manager, or ctrl-alt-delete choose Task Manager
Processes lists the processes,Type,Status, Publisher, PID, Process Name, Command Line, CPU, Memory. Columns are selected by right clicking a column and checking/unchecking the ones you want to include.
Apps, Background, Windows processes. You can expand to see process tree. Right click to End task, Change memory resource value format, Create dump file, go to this process in the details tab, open file location to show the location, search online(via Bing) to find out more information, properties tab.
Performance tab shows CPU, Memory, and Ethernet stats.
CPU you can right click the right pane and select Change graph to -> To switch between overall usage and logical processors. It shows Utilization, Speed, Sockets/logical processors, VM capable, LM1 cache, processes, threads, handles, and up time.
Memory shows In Use, Available, Commited, Cached, Paged pool, and Non-paged pool, Slots used, Hardware reserved, Max memory possible
Ethernet shows Send/Receive, Adapter name, domain name, connect type, ipv4 & ipv6 address. Right click and view network details for more information for all nic's on the system.
Users tab shows logged in users, their id, session id, client name, status, cpu, and memory. right click colum to select which coluns to display. You can expand each user to show their processes.
Details tab shows even more selectable columns for processes. I won't list them all here.
Services tab shows Name, PID, Description, Status, and Group for services. You can start, stop, restart services here. Or you can open up the services MMC for more detailed service configuration.
Resource Monitor
A more detailed tool that shows usages of resources by processes, services, files, etc.
Access it through server manager via tools/resource monitor. Also in control panel/administrative tools. From command line you can use either resmon or perfmon /res . Or launch from within performance monitor by right clicking Monitoring Tools and selecting Resource Monitor.
Overview allows you to see CPU, Disk, Network, and Memory stats for processes. You can select individual processes to see filtered information for the process or processes in each category. If you right click the columns you can select/unselect various columns in each category.
CPU tab gives you same information as on overview but also adds Services, Associated Handles, and
Associated Modules. However, you must select a process or multiple processes to see their associated handles and associated modules. This will also filter the services that may be associated with the process(es) that have been selected. As in overview, the columns are also customizable.
Memory tab shows same thing as memory under overview, but also includes a bar graph of overall physical memory usage.
Disk The disk tab shows processes with disk activity as they access the disk in real time.
It also shows the same overall disk activity information as the overview page. There is also a section for logical disk storage. As the other tabs, you can customize columns viewing. You can further see current TCP connections per process and Listening ports per process. This is filterable by selecting a process or multiple process. Columns are customizable.
Network tab, like Disk tab, first shows you the processes that are accessing the network in real-time. Then it has a tab Network Activity that shows overall utilization like on the Overview tab.
Performance Monitor
http://technet.microsoft.com/en-us/library/cc749249.aspx
Performance Manager is in Server Manager/tools. Also found in control panel/administrative tools as well as command line "perfmon". Perfmon can be used to monitor performance in a graph format, via counters of various performance. You can view real-time data but also historical data in a Line, Histogram bar, or Report format.You can also define Data Collector Sets here(1.3.1) and associated Reports here. You can also shortcut to the "Action Center/Reliability Monitor" by right clicking "Monitoring Tools" and selecting "View system reliability", or the Resource Monitor by selecting "Resource Monitor"
To configure Perf mon, right click "performance monitor" and select properties. (You can also do some of this on the Perf mon toolbar) From here, you have the following tabs:
General: customize the graph view with "display elements". Change Report and histogram data to Min, Current, Default, Max, or Avg. Set sample frequency and how much will be graphed before redrawing. Sample automatically is the same as pausing the graph in the Toolbar.
Source allows you to set a source for historical perfomance data. You can choose Log files, or a data base. Or you can go back to real-time data with "Current Activity"
Data shows which counters are currently active and allows customization.
Graph allows you to configure the graph views.
Appearance is for further display customization, including colors, fonts, borders, and seperator.
The performance monitor toolbar includes options also found in the properties:
View current activity. View log data will take you to properties/source to select a data source. The next icon allows you to choose which graph you want. the + icon adds counters. X icon deletes counters. The "highlighter" icon highlights whichever counter is currently selected in the value bar.
The next icon copies properties as an activex control that can be embedded into an IE compatible web page. The clipboard icon pastes a counter list from the clipboard. You can pause real-time update, and also manually refresh with the next icon.
1.3.4 monitor virtual machines (VMs)
Hyper-V resource monitoring
activated and viewed using powershell
Enable-VMResourceMetering
Disable-VMResourceMetering
Reset-VMResourceMetering
Measure-VM
As outlined in 3.1.3 of 70-410, you can setup resource pools to monitor resources across multiple computers using:
new-vmresourcepool
measure-vmresourcepool
then when you enable-vmresourcemetering, you can use the -resourcepoolname switch
enable-vmresourcemetering -resourcepoolname serverpool
1.3.5 monitor events
Event Viewer
Run from Start/Administrative tools, or in Server Manager under Tools, or run eventvwr.msc
Multiple logs available:
Custom Views:
Create custom views using specific logs/sources, event levels, categories and keywords, logging period, and user/computers. Administrative Events is a default log that logs Critical, Error, Warning levels from all administrative event logs. There may be other default logs depending on server roles installed
Windows Logs:
Application - events from applications and programs
Security - events dealing with logins and resource/object access. Must enable auditing to log these events
Setup: application setup logs
System: System events such as boot and services
Forwarded events: can store events from remote computers using event subscription. Not compatible pre-windows 7 or 2008.
Application and Services Logs:
Logs specific to some applications and services.
Subscriptions:
see 1.3.6
Common Event fields(properties of an event):
Source: software/component that logged the event
Event ID: A specific event code
Level: Event severity (Information, Warning, Error, Critical, Success Audit, Failure Audit)
User, Computer:
Logged date/time
Task Category
Keywords
Opcode
Filtering events:
Right click log, select filter current log. This is similar to setting up a custom log. You can configure the same fields except the By log is set to the log you are filtering.
Attaching a task to an event:
You can choose to attach a task to a log or a specific event
Right click the log and select attach a task. Any event logged in this log will trigger the task
Right click a specific event and choose attach a task to this event. The task will only trigger on this event.
Under action, choose "Start a program".
Extra Note: With "attaching a task to an event", you may see the actions Send an e-mail (deprecated) and Display a message (deprecated). MS plans to remove these and seems to be encouraging people to do these functions via powershell. In my version they are still selectable but I didn't bother to test them out.
1.3.6 configure event subscriptions
Event Viewer subscriptions
Setup forwarding computers and a collecting computer. The forwarders send events to the collector, who places the events in the Forwarded events log.
Note: You may need to run the winrm quickconfig command to setup remote monitoring. You may also need to add the collector computer to the administrators group of the forwarding computers if you setup Machine account in user account.
Subscription types:
Collector initiated: collector contacts source(forwarder) computers and provides subscription
Source initiated: source(forwarder) computers contact collector and receive subscription. Must be configured through policy or local config on the source computers.
You can filter the events to be subscribed too. You can also click Advanced and setup bandwidth management for the event sub as well as HTTP or HTTPS.
1.3.7 configure network monitoring
various tools for monitoring a network connection: ping, nslookup, tracert, arp, ipconfig, netstat.
Packet sniffers(protocol analyzers): I personally use Wireshark but MS offers one called Microsoft Network Monitor. This GUI based tool also has a command line tool called nmcap. You can also capture network traces using netsh trace.
1.3.8 (R2) Schedule performance monitoring
Data Collector Sets can be scheduled in properties. Click on Schedule tab for the DCS, and Add Schedule. Set the range of dates that this DCS will be run, or just set a beginning date with no expiration. Set the Start/Launch time. Choose which days of the week this DCS will run on.
A DCS organizes performance counts, event traces, and system configuration data into one single object and allows Reports to be created for the DCS(found in Reports menu under Performance in the left pane)
In Performance Manager, left pane, expand DCS. Right click user defined folder and choose New Data Collector Set. Create from Template or Create manually. Choose a template if using templates. Save and close. Right click and Start the DCS.
Creating manually alllows you to select Performance counter data collector, Event Trace data collector, Config Data collectors, and performance counter alerts.
Performance counter DC allows collection of various performance related counters
Event Trace DC allows you to collect certain debug type data from specific events
Config DC's allow monitoring of registry keys.
Performance Alerts monitor thresholds for performance counters.
In the properties for the parent DCS, a few things you can configure: you can configure a root directory, a schedule for the DCS to run, permissions, stop conditions, run a task when the DCS stops,
For each task in the DCS, there are also properties specific to the type of task. Except for the performance alert, the other types allow you to define a file to store the collected data in.
Once you run a DCS, you can look at the results in the Report tab menu.
1.3.2 configure alerts
Performance alerts are notifications or tasks that are executed when a performance threshold is reached. Create a new DCS, choose Create manually, select performance counter alert. Add a performance counter to select which counter. choose Above or Below the limit value.
Now in the properties, we can set the interval under Alerts, or add/change/remove counters. Under "Alert Action", you can set the thresholds to log in the Application event log, or to start another DCS. Under Alert Task, you can set to run a task when alert is triggered.
1.3.3 monitor real-time performance
Task Manager: from Run/command prompt use taskmgr, or right click taskbar and Task Manager, or ctrl-alt-delete choose Task Manager
Processes lists the processes,Type,Status, Publisher, PID, Process Name, Command Line, CPU, Memory. Columns are selected by right clicking a column and checking/unchecking the ones you want to include.
Apps, Background, Windows processes. You can expand to see process tree. Right click to End task, Change memory resource value format, Create dump file, go to this process in the details tab, open file location to show the location, search online(via Bing) to find out more information, properties tab.
Performance tab shows CPU, Memory, and Ethernet stats.
CPU you can right click the right pane and select Change graph to -> To switch between overall usage and logical processors. It shows Utilization, Speed, Sockets/logical processors, VM capable, LM1 cache, processes, threads, handles, and up time.
Memory shows In Use, Available, Commited, Cached, Paged pool, and Non-paged pool, Slots used, Hardware reserved, Max memory possible
Ethernet shows Send/Receive, Adapter name, domain name, connect type, ipv4 & ipv6 address. Right click and view network details for more information for all nic's on the system.
Users tab shows logged in users, their id, session id, client name, status, cpu, and memory. right click colum to select which coluns to display. You can expand each user to show their processes.
Details tab shows even more selectable columns for processes. I won't list them all here.
Services tab shows Name, PID, Description, Status, and Group for services. You can start, stop, restart services here. Or you can open up the services MMC for more detailed service configuration.
Resource Monitor
A more detailed tool that shows usages of resources by processes, services, files, etc.
Access it through server manager via tools/resource monitor. Also in control panel/administrative tools. From command line you can use either resmon or perfmon /res . Or launch from within performance monitor by right clicking Monitoring Tools and selecting Resource Monitor.
Overview allows you to see CPU, Disk, Network, and Memory stats for processes. You can select individual processes to see filtered information for the process or processes in each category. If you right click the columns you can select/unselect various columns in each category.
CPU tab gives you same information as on overview but also adds Services, Associated Handles, and
Associated Modules. However, you must select a process or multiple processes to see their associated handles and associated modules. This will also filter the services that may be associated with the process(es) that have been selected. As in overview, the columns are also customizable.
Memory tab shows same thing as memory under overview, but also includes a bar graph of overall physical memory usage.
Disk The disk tab shows processes with disk activity as they access the disk in real time.
It also shows the same overall disk activity information as the overview page. There is also a section for logical disk storage. As the other tabs, you can customize columns viewing. You can further see current TCP connections per process and Listening ports per process. This is filterable by selecting a process or multiple process. Columns are customizable.
Network tab, like Disk tab, first shows you the processes that are accessing the network in real-time. Then it has a tab Network Activity that shows overall utilization like on the Overview tab.
Performance Monitor
http://technet.microsoft.com/en-us/library/cc749249.aspx
Performance Manager is in Server Manager/tools. Also found in control panel/administrative tools as well as command line "perfmon". Perfmon can be used to monitor performance in a graph format, via counters of various performance. You can view real-time data but also historical data in a Line, Histogram bar, or Report format.You can also define Data Collector Sets here(1.3.1) and associated Reports here. You can also shortcut to the "Action Center/Reliability Monitor" by right clicking "Monitoring Tools" and selecting "View system reliability", or the Resource Monitor by selecting "Resource Monitor"
To configure Perf mon, right click "performance monitor" and select properties. (You can also do some of this on the Perf mon toolbar) From here, you have the following tabs:
General: customize the graph view with "display elements". Change Report and histogram data to Min, Current, Default, Max, or Avg. Set sample frequency and how much will be graphed before redrawing. Sample automatically is the same as pausing the graph in the Toolbar.
Source allows you to set a source for historical perfomance data. You can choose Log files, or a data base. Or you can go back to real-time data with "Current Activity"
Data shows which counters are currently active and allows customization.
Graph allows you to configure the graph views.
Appearance is for further display customization, including colors, fonts, borders, and seperator.
The performance monitor toolbar includes options also found in the properties:
View current activity. View log data will take you to properties/source to select a data source. The next icon allows you to choose which graph you want. the + icon adds counters. X icon deletes counters. The "highlighter" icon highlights whichever counter is currently selected in the value bar.
The next icon copies properties as an activex control that can be embedded into an IE compatible web page. The clipboard icon pastes a counter list from the clipboard. You can pause real-time update, and also manually refresh with the next icon.
1.3.4 monitor virtual machines (VMs)
Hyper-V resource monitoring
activated and viewed using powershell
Enable-VMResourceMetering
Disable-VMResourceMetering
Reset-VMResourceMetering
Measure-VM
As outlined in 3.1.3 of 70-410, you can setup resource pools to monitor resources across multiple computers using:
new-vmresourcepool
measure-vmresourcepool
then when you enable-vmresourcemetering, you can use the -resourcepoolname switch
enable-vmresourcemetering -resourcepoolname serverpool
1.3.5 monitor events
Event Viewer
Run from Start/Administrative tools, or in Server Manager under Tools, or run eventvwr.msc
Multiple logs available:
Custom Views:
Create custom views using specific logs/sources, event levels, categories and keywords, logging period, and user/computers. Administrative Events is a default log that logs Critical, Error, Warning levels from all administrative event logs. There may be other default logs depending on server roles installed
Windows Logs:
Application - events from applications and programs
Security - events dealing with logins and resource/object access. Must enable auditing to log these events
Setup: application setup logs
System: System events such as boot and services
Forwarded events: can store events from remote computers using event subscription. Not compatible pre-windows 7 or 2008.
Application and Services Logs:
Logs specific to some applications and services.
Subscriptions:
see 1.3.6
Common Event fields(properties of an event):
Source: software/component that logged the event
Event ID: A specific event code
Level: Event severity (Information, Warning, Error, Critical, Success Audit, Failure Audit)
User, Computer:
Logged date/time
Task Category
Keywords
Opcode
Filtering events:
Right click log, select filter current log. This is similar to setting up a custom log. You can configure the same fields except the By log is set to the log you are filtering.
Attaching a task to an event:
You can choose to attach a task to a log or a specific event
Right click the log and select attach a task. Any event logged in this log will trigger the task
Right click a specific event and choose attach a task to this event. The task will only trigger on this event.
Under action, choose "Start a program".
Extra Note: With "attaching a task to an event", you may see the actions Send an e-mail (deprecated) and Display a message (deprecated). MS plans to remove these and seems to be encouraging people to do these functions via powershell. In my version they are still selectable but I didn't bother to test them out.
1.3.6 configure event subscriptions
Event Viewer subscriptions
Setup forwarding computers and a collecting computer. The forwarders send events to the collector, who places the events in the Forwarded events log.
Note: You may need to run the winrm quickconfig command to setup remote monitoring. You may also need to add the collector computer to the administrators group of the forwarding computers if you setup Machine account in user account.
Subscription types:
Collector initiated: collector contacts source(forwarder) computers and provides subscription
Source initiated: source(forwarder) computers contact collector and receive subscription. Must be configured through policy or local config on the source computers.
You can filter the events to be subscribed too. You can also click Advanced and setup bandwidth management for the event sub as well as HTTP or HTTPS.
1.3.7 configure network monitoring
various tools for monitoring a network connection: ping, nslookup, tracert, arp, ipconfig, netstat.
Packet sniffers(protocol analyzers): I personally use Wireshark but MS offers one called Microsoft Network Monitor. This GUI based tool also has a command line tool called nmcap. You can also capture network traces using netsh trace.
1.3.8 (R2) Schedule performance monitoring
Data Collector Sets can be scheduled in properties. Click on Schedule tab for the DCS, and Add Schedule. Set the range of dates that this DCS will be run, or just set a beginning date with no expiration. Set the Start/Launch time. Choose which days of the week this DCS will run on.
1. Deploy, manage, and maintain servers 1.2 Implement patch management
Multiple WSUS servers installed in either of two modes:
Autonomous mode: upstream WSUS servers share updates with downstream servers, but updates must be approved at each WSUS server
Replica mode: upstream WSUS servers share updates with downstream servers, and all updates can be approved at an upstream server for replication downstream.
Server-side targeting:
You manually move computers into their WSUS group.
Client-side targeting:
Via GP, local GP, or registry, you can specify a WSUS group for the client computer to place itself in.
1.2.1 Install and configure the Windows Server Update Services (WSUS) role
Server Manager, Add roles and features
Select Windows Server Update Services.
WSUS requires RSAT tools and IIS to be installed
Check WSUS Services.
Check either WID Database if you will not be using a dedicated SQL server, or Database if you will. WID is a "Windows Internal Database"
Select a path to store updates.
Powershell install:
install-windowsfeature updateservices -includemanagementtools
This will also install, if not installed already, IIS Web server (Web-Server) and associated role features, .Net Framework 4.5(NET-Framework-45-ASPNET), RSAT, RSAT-Role-Tools and associated UpdateServices-RSAT feature for WSUS cmdlets/console. It also installs Windows Process Activation Service(WAS and WAS-Config-APIs)
Also Note that this will install the WID database(UpdateServices-WidDB & Windows-Internal-Database) by default. If you need to use a SQL server, install the feature updateservices-DB.
Post-install initial configuration:
Run the WSUS tool from Server Manager tools.
It will verify the path where you want to store updates
Choose Upstream Server: either MS Update or another WSUS server. use SSL is recommended. This is where you can set the upstream mode.
Specify a proxy server if needed.
The configuration will attempt to download WSUS information from MS update to configure further
Choose the update languages
Choose products for which you want updates from the upstream
Choose the type of updates, drivers, etc you want to download from the upstream.
Set sync Schedule. Manual or automatic
Finished: You can manually force an upstream sync now and/or launch the WSUS console.
Server Options:
Update Source and Proxy Server, Products and Classifications, Update Files and Languages, Synchronization Schedule, Microsoft Update Improvement Program:
You set these up in the intial configuration above. They can be changed here.
Update Files(And Languages): Languages was done in inital config. But Update Files lets you
choose to either store files locally or not. if not, computers install from MS Update.
Store locally options:
Download update files only when updates are approved: Deselect to download all updates
regardless of approval
Download express installation files: faster download and install
Download files from MS update: If WSUS uses upstream server, this option makes
the WSUS server download updates from MS update instead.
Automatic Approvals: Setup automatic approval rules for classifications and computer groups.
Computers: This is where you choose how updates are assigned to computers:
Use the update services console: server-side targeting
Use Group Policy or registry settings: client-side targeting
Server Cleanup Wizard: cleans up WSUS server for old computers, updates, and files
Reporting Rollup: Here you can configure whether downstream servers should send their
update/computer statuses sent upstream for central management in replica mode.
E-mail notifications
Personalization: Configure reporting rollup display, validation errors, to-do list display
WSUS configuration wizard: reruns the initial configuration.
Viewing status reports on computers and other wsus reports:
You must have Microsoft Viewer 2008 installed. Download from MS if not installed.
Microsoft Viewer 2008 requires .net 2.0 You can install 3.5(includes .net 2 and 3)(Net-Framework-Features) using server manager, add roles and features, feature install.
Approving Updates:
You can activate updates while viewing computer reports, or in the Updates menu.
Powershell:
Pipe get-wsusupdate into approve-wsusupdates
Powershell WSUS configuration:
http://technet.microsoft.com/library/hh826166
http://blogs.technet.com/b/heyscriptingguy/archive/2013/05/27/use-the-updateservices-module-to-manage-wsus.aspx
WSUS troubleshooting:
Server logs:
Application event log
c:\Program Files\Update Services\Logfiles\change.log
c:\program files\update services\logfiles\softwaredistribution.log
Client troubleshooting:
logs:
c:\windows\windowsupdate.log
c:\windows\softwaredistribution\reportingevents.log
reset updates due to corrupted update or other reason:
(wuauserv is the windows update service)
net stop wuauserv
delete everything in c:\windows\softwaredistribution
net start wuauserv
wuauclt /detectnow
This will query the WSUS server and check for updates
wuauclt /detectnow /resetauthorization
This expires a locally stored cookie with WSUS information, therefore it contacts the wsus server for fresh info and check for unpdates. Used when certain changes are made. For instance, if you change client-side targeting you may need to gpupdate /force on the client and then wuauclt /detectnow /resetauthorization
Extra note: I learned the hard way that you should run a Server Cleanup fairly often on WSUS server, depending on how much data you are storing. Besides the console server option, you can also do this in powershell with the invoke-wsusservercleanup cmdlet.
Extra note: It looks like 2012 is lacking a lot of cmdlets necessary for most powershell configurations, but the previous links list the ones you can use if you need some quick and dirty command line configs. If you're trying to do a post-install initial configuration, your best bet is to use the console installed on GUI 2012 or windows 8. When I first wrote these notes,I had thought they would add more by R2 but that does not seem to be the case.
1.2.2 configure group policies for updates
Configuring client computers to access the WSUS server:This can be done through GP or local GP edit(gpedit.msc) or registry. This must be done regardless of whether you use server-side targeting or client-side targeting.
local GP(gpedit.msc)
Local Computer Policy -> Computer Configuration ->Administrative Templates -> Windows Components -> Windows Update
GP
Computer Configuration ->Policies -> Administrative Templates -> Windows Components -> Windows Update
Registry
http://technet.microsoft.com/en-us/library/dd939844%28v=ws.10%29.aspx
First you must enable Automatic Updates. This is done using the Configure Automatic Updates setting in GP and local GP. You can also enable AU by using the control panel/Windows Updates.
Next you have to assign the WSUS server on a client.This is done in GP and local GP using the "Specify intranet Microsoft update service location" setting. Check the Enabled and enter your WSUS server in both intranet update service field and intranet statistics server field. You should preface the url with http or https. (Note that using SSL requires more complex setup on the server). It's important to note that WSUS 4 on 2012 defaults to port 8530 for http and 8531 for https. So you must also specify the port. Depending on your network setup, you can use server name or FQDN. Example:
http://wsusserver.contoso.com:8530
Other GP settings:
"Do not display 'Install Upates and Shutdown' option in Shutdown Windows dialog'"
"Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog'"
"Enable Windows Update Power Management to automatically wake up the system to install
scheduled updates"
"Automatic Updates detection frequency"
"Allow non-administrators to receive update notifications"
"Turn on Software Notifications"
"Allow Automatic Updates immediate installation"
"Turn on recommended updates via Automatic updates"
"No auto-restart with logged on users for scheduled automatic updates"
"Re-prompt for restart with scheduled installations"
"Delay Restart for scheduled installations"
"Reschedule Automatic Updates scheduled installations"
"Enable client-side targeting": see 1.2.3
"Allowed signed updates from an intranet MS update service location"
Extra note: Before WSUS 4, WSUS would default to port 80 unless there was a web site already on port 80. Then it would use 8530. In 2012, WSUS 4 just installs to 8530 regardless.
1.2.3 configure client-side targeting
Set the "Enable client-side targeting" to the WSUS group you want this group policy to apply to. Any computers affected by the GP will place themselves in that WSUS group.
You can also configure using the registry:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
TargetGroup should be set to the group you want
\AU key value UseWUServer needs to be set to 1
1.2.4 configure WSUS synchronization
I already covered a lot of this in 1.2.1
Use Synchronization menu to see current synchronizations.
Select products and classifications to synchronize
Classifications:
Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates
Configure Update files
Setup manual or automatic synchronization on Synchronization Schedule option
Powershell:
Disable a product:
get-wsusproduct -titleincludes "SQL Server" | set-wsusproduct -disable
To enable, run set-wsusproduct without -disable switch
Same with classification except get-wsusclassification does not include -titleincludes parameter, so you must pipe through where-object
Enable Drivers classification:
get-wsusclassification | where -filterscript {$_.classification.title -eq "Drivers" | set-wsusclassification
set-wsusserversynchronization only allows configuration of upstream servers/MS update. No options for scheduling.
Set server to sync from MS Update:
set-wsusserversynchronization -syncfrommu
Configure an upstream server to synch from on port 1337 using SSL:
set-wsusserversynchronization -useservername UpWsus -portnumber 1337 -UseSSL
Configure an upstream server by piping in
1.2.5 configure WSUS groups
All computers will always show all computers. New computers are also assigned to Unassigned Computers, unless configured via client-side targeting.
Right click All Computers and Add a new computer group.
Server side targeting requires you to manually move computers from unassigned computers by right clicking and "Change Membership"
Powershell:
There doesn't seem to be a powershell cmdlet to configure groups.
Add a computer to a group:
get-wsuscomputer -nameincludes "WDSserver" | add-wsuscomputer -targetgroupname "Windows 2012"
Extra note: Another errata in MOAC 70-411 book. They give example Add-Wsuscomputer -computer PC1 to add Pc1 to a targetgroup. Add-wsuscomputer requires an input object piped from get-wsuscomputer. A string won't work.
1.2.6 (R2) Manage patch management in mixed environments
I still have not worked out what this R2 added objective is asking for.
Autonomous mode: upstream WSUS servers share updates with downstream servers, but updates must be approved at each WSUS server
Replica mode: upstream WSUS servers share updates with downstream servers, and all updates can be approved at an upstream server for replication downstream.
Server-side targeting:
You manually move computers into their WSUS group.
Client-side targeting:
Via GP, local GP, or registry, you can specify a WSUS group for the client computer to place itself in.
1.2.1 Install and configure the Windows Server Update Services (WSUS) role
Server Manager, Add roles and features
Select Windows Server Update Services.
WSUS requires RSAT tools and IIS to be installed
Check WSUS Services.
Check either WID Database if you will not be using a dedicated SQL server, or Database if you will. WID is a "Windows Internal Database"
Select a path to store updates.
Powershell install:
install-windowsfeature updateservices -includemanagementtools
This will also install, if not installed already, IIS Web server (Web-Server) and associated role features, .Net Framework 4.5(NET-Framework-45-ASPNET), RSAT, RSAT-Role-Tools and associated UpdateServices-RSAT feature for WSUS cmdlets/console. It also installs Windows Process Activation Service(WAS and WAS-Config-APIs)
Also Note that this will install the WID database(UpdateServices-WidDB & Windows-Internal-Database) by default. If you need to use a SQL server, install the feature updateservices-DB.
Post-install initial configuration:
Run the WSUS tool from Server Manager tools.
It will verify the path where you want to store updates
Choose Upstream Server: either MS Update or another WSUS server. use SSL is recommended. This is where you can set the upstream mode.
Specify a proxy server if needed.
The configuration will attempt to download WSUS information from MS update to configure further
Choose the update languages
Choose products for which you want updates from the upstream
Choose the type of updates, drivers, etc you want to download from the upstream.
Set sync Schedule. Manual or automatic
Finished: You can manually force an upstream sync now and/or launch the WSUS console.
Server Options:
Update Source and Proxy Server, Products and Classifications, Update Files and Languages, Synchronization Schedule, Microsoft Update Improvement Program:
You set these up in the intial configuration above. They can be changed here.
Update Files(And Languages): Languages was done in inital config. But Update Files lets you
choose to either store files locally or not. if not, computers install from MS Update.
Store locally options:
Download update files only when updates are approved: Deselect to download all updates
regardless of approval
Download express installation files: faster download and install
Download files from MS update: If WSUS uses upstream server, this option makes
the WSUS server download updates from MS update instead.
Automatic Approvals: Setup automatic approval rules for classifications and computer groups.
Computers: This is where you choose how updates are assigned to computers:
Use the update services console: server-side targeting
Use Group Policy or registry settings: client-side targeting
Server Cleanup Wizard: cleans up WSUS server for old computers, updates, and files
Reporting Rollup: Here you can configure whether downstream servers should send their
update/computer statuses sent upstream for central management in replica mode.
E-mail notifications
Personalization: Configure reporting rollup display, validation errors, to-do list display
WSUS configuration wizard: reruns the initial configuration.
Viewing status reports on computers and other wsus reports:
You must have Microsoft Viewer 2008 installed. Download from MS if not installed.
Microsoft Viewer 2008 requires .net 2.0 You can install 3.5(includes .net 2 and 3)(Net-Framework-Features) using server manager, add roles and features, feature install.
Approving Updates:
You can activate updates while viewing computer reports, or in the Updates menu.
Powershell:
Pipe get-wsusupdate into approve-wsusupdates
Powershell WSUS configuration:
http://technet.microsoft.com/library/hh826166
http://blogs.technet.com/b/heyscriptingguy/archive/2013/05/27/use-the-updateservices-module-to-manage-wsus.aspx
WSUS troubleshooting:
Server logs:
Application event log
c:\Program Files\Update Services\Logfiles\change.log
c:\program files\update services\logfiles\softwaredistribution.log
Client troubleshooting:
logs:
c:\windows\windowsupdate.log
c:\windows\softwaredistribution\reportingevents.log
reset updates due to corrupted update or other reason:
(wuauserv is the windows update service)
net stop wuauserv
delete everything in c:\windows\softwaredistribution
net start wuauserv
wuauclt /detectnow
This will query the WSUS server and check for updates
wuauclt /detectnow /resetauthorization
This expires a locally stored cookie with WSUS information, therefore it contacts the wsus server for fresh info and check for unpdates. Used when certain changes are made. For instance, if you change client-side targeting you may need to gpupdate /force on the client and then wuauclt /detectnow /resetauthorization
Extra note: I learned the hard way that you should run a Server Cleanup fairly often on WSUS server, depending on how much data you are storing. Besides the console server option, you can also do this in powershell with the invoke-wsusservercleanup cmdlet.
Extra note: It looks like 2012 is lacking a lot of cmdlets necessary for most powershell configurations, but the previous links list the ones you can use if you need some quick and dirty command line configs. If you're trying to do a post-install initial configuration, your best bet is to use the console installed on GUI 2012 or windows 8. When I first wrote these notes,I had thought they would add more by R2 but that does not seem to be the case.
1.2.2 configure group policies for updates
Configuring client computers to access the WSUS server:This can be done through GP or local GP edit(gpedit.msc) or registry. This must be done regardless of whether you use server-side targeting or client-side targeting.
local GP(gpedit.msc)
Local Computer Policy -> Computer Configuration ->Administrative Templates -> Windows Components -> Windows Update
GP
Computer Configuration ->Policies -> Administrative Templates -> Windows Components -> Windows Update
Registry
http://technet.microsoft.com/en-us/library/dd939844%28v=ws.10%29.aspx
First you must enable Automatic Updates. This is done using the Configure Automatic Updates setting in GP and local GP. You can also enable AU by using the control panel/Windows Updates.
Next you have to assign the WSUS server on a client.This is done in GP and local GP using the "Specify intranet Microsoft update service location" setting. Check the Enabled and enter your WSUS server in both intranet update service field and intranet statistics server field. You should preface the url with http or https. (Note that using SSL requires more complex setup on the server). It's important to note that WSUS 4 on 2012 defaults to port 8530 for http and 8531 for https. So you must also specify the port. Depending on your network setup, you can use server name or FQDN. Example:
http://wsusserver.contoso.com:8530
Other GP settings:
"Do not display 'Install Upates and Shutdown' option in Shutdown Windows dialog'"
"Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog'"
"Enable Windows Update Power Management to automatically wake up the system to install
scheduled updates"
"Automatic Updates detection frequency"
"Allow non-administrators to receive update notifications"
"Turn on Software Notifications"
"Allow Automatic Updates immediate installation"
"Turn on recommended updates via Automatic updates"
"No auto-restart with logged on users for scheduled automatic updates"
"Re-prompt for restart with scheduled installations"
"Delay Restart for scheduled installations"
"Reschedule Automatic Updates scheduled installations"
"Enable client-side targeting": see 1.2.3
"Allowed signed updates from an intranet MS update service location"
Extra note: Before WSUS 4, WSUS would default to port 80 unless there was a web site already on port 80. Then it would use 8530. In 2012, WSUS 4 just installs to 8530 regardless.
1.2.3 configure client-side targeting
Set the "Enable client-side targeting" to the WSUS group you want this group policy to apply to. Any computers affected by the GP will place themselves in that WSUS group.
You can also configure using the registry:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
TargetGroup should be set to the group you want
\AU key value UseWUServer needs to be set to 1
1.2.4 configure WSUS synchronization
I already covered a lot of this in 1.2.1
Use Synchronization menu to see current synchronizations.
Select products and classifications to synchronize
Classifications:
Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates
Configure Update files
Setup manual or automatic synchronization on Synchronization Schedule option
Powershell:
Disable a product:
get-wsusproduct -titleincludes "SQL Server" | set-wsusproduct -disable
To enable, run set-wsusproduct without -disable switch
Same with classification except get-wsusclassification does not include -titleincludes parameter, so you must pipe through where-object
Enable Drivers classification:
get-wsusclassification | where -filterscript {$_.classification.title -eq "Drivers" | set-wsusclassification
set-wsusserversynchronization only allows configuration of upstream servers/MS update. No options for scheduling.
Set server to sync from MS Update:
set-wsusserversynchronization -syncfrommu
Configure an upstream server to synch from on port 1337 using SSL:
set-wsusserversynchronization -useservername UpWsus -portnumber 1337 -UseSSL
Configure an upstream server by piping in
1.2.5 configure WSUS groups
All computers will always show all computers. New computers are also assigned to Unassigned Computers, unless configured via client-side targeting.
Right click All Computers and Add a new computer group.
Server side targeting requires you to manually move computers from unassigned computers by right clicking and "Change Membership"
Powershell:
There doesn't seem to be a powershell cmdlet to configure groups.
Add a computer to a group:
get-wsuscomputer -nameincludes "WDSserver" | add-wsuscomputer -targetgroupname "Windows 2012"
Extra note: Another errata in MOAC 70-411 book. They give example Add-Wsuscomputer -computer PC1 to add Pc1 to a targetgroup. Add-wsuscomputer requires an input object piped from get-wsuscomputer. A string won't work.
1.2.6 (R2) Manage patch management in mixed environments
I still have not worked out what this R2 added objective is asking for.
Subscribe to:
Posts (Atom)