Table of Contents - IT Certification Training | MOS
Section 7.6: Failover Cluster with Hyper-V
Section 8.1: Active Directory Certificate Services Overview
Section 8.2: Certificate Management
Section 8.3: Certificate Revocation
Section 8.4: Certificate Templates
Section 8.5: Certificate Autoenrollment
Section 8.6: Key Archival and Recovery
Section 8.7: Certificate Authority (CA) Management
Section 8.8: CA Backup and Recovery
Section 9.1: AD RMS Overview
Section 9.2: AD RMS Installation
Section 9.3: AD RMS Client Deployments
Section 9.4: AD RMS Templates
Section 10.1: AD FS Overview
Section 10.2: AD FS Certificates
Section 10.3: Resource Partner
Section 10.4: Accounts Partner
Section 10.5: AD FS Proxies
Section 10.6: AD FS and Cloud Services
Section 10.7: AD FS and AD RMS
Server Pro: Advanced Services Practice Exams
Microsoft 70-412 Practice Exams
Appendix A: Approximate Time for the Course
Appendix B: Exam 70-412: Configuring Advanced Windows Server 2012 Services Objectives
Appendix C: Server Pro: Advanced Services Objectives
Course Overview
This course prepares students for TestOut’s Server Pro: Advanced Services exam and Microsoft’s 70-412 certification exam.
Module 1 – Active Directory Infrastructure
This module teaches the students details about the infrastructure of Active Directory and how to manage the elements involved.
Module 2 – File and Storage Solutions
In this module students will learn about file and storage solutions, such as file sharing, using BranchCache, implementing and managing Dynamic Access Control, configuring iSCSI, and storage spaces.
Module 3 – Disaster Recovery
This module teaches students about backing up and restoring data, implementing shadow copies, and finding tools to assist in system recovery.
Module 4 – Advanced DHCP
This module examines using Dynamic Host Configuration Protocol (DHCP) and IPAM to centralize and streamline management of IP address assignments.
Module 5 – Advanced DNS
In this module students will learn concepts about configuring DNS security: DNSSEC, DNS Socket Pooling, Cache Locking, Advanced DNS settings, and GlobalNames zones.
Module 6 – Hyper-V
This module discusses management of virtual machines and Hyper-V replicas.
Module 7 – High Availability
This module teaches students about the components that create high availability: Network load balancing, Failover Clustering, Active Directory Certificate Service, AD RMS, and AD FS.
Module 8 – Active Directory Certificate Services
This module examines encryption and certificate solutions using Active Directory Certificate Services. This includes managing and revoking certificates, using certificate templates, configuring Certificate Autoenrollment, archiving and recovering keys, and managing the Certificate Authority.
Module 9 – Active Directory Rights Management Services (AD RMS)
In this module students will learn concepts about installing and deploying AD RMS.
Module 10 – Active Directory Federation Services 2.1 (AD FS)
This module discusses using AD FS to provide access to resources that are offered by trusted partners across the Internet.
Practice Exams
In Practice Exams students will have the opportunity to test themselves and verify that they understand the concepts and are ready to take the certification exam. The practice exams contain examples of the types of questions that a student will find on the actual exam:
Server Pro: Advanced Services Practice Exams
Microsoft 70-412 Practice Exams
This course provides students with the knowledge to become industry certified as a Windows professional. It prepares the student for the following exams:
Microsoft’s 70-412: Configuring Advanced Windows Server 2012 Services
TestOut’s Server Pro: Advanced Services
Microsoft’s 70-412: Configuring Advanced Windows Server 2012 Services certification measures the students’ ability to administer, configure, and manage Windows Server 2012 advanced services. The following knowledge domains are addressed:
Configure and manage high availability
Configure file and storage solutions
Implement business continuity and disaster recovery
Configure network services
Configure the Active Directory infrastructure
Configure identity and access solutions
Note: MS 70-412 objectives are listed in Appendix B: 70-412: Configuring Advanced Windows Server 2012 Services Objectives
TestOut’s Server Pro: Advanced Services certification measures the students’ ability to perform real-world job skills using the Windows Server 2012 operating system. The following knowledge domains are addressed:
Advanced Active Directory Configuration
Advanced Storage Management
Server Data Protection
Advanced DHCP and DNS Configuration
High Availability Implementation
Certificate Management
Digital Rights Management
Note: TestOut’s Server Pro: Advanced Services objectives are listed in Appendix C: Server Pro: Advanced Services Objectives
The section introductions in LabSim and the lesson plans list the objectives that are met for each of the exams in that section.
The following icons are placed in front of lesson items in LabSim to help students quickly recognize the items in each section:
= Demonstration
= Exam
= Lab/Simulation
= Text lesson or fact sheet
= Video
The video and demonstration icons are used throughout the lesson plans to help instructors differentiate between the timing for the videos and demonstrations.
In the lesson plans the Total Time for each section is calculated by adding the approximate time for each section which is calculated using the following elements:
Video/demo times
Approximate time to read the text lesson (the length of each text lesson is taken into consideration)
Simulations (5 minutes is assigned per simulation. This is the amount of time it would take for a knowledgeable student to complete the lab activity. Plan that the new students will take much longer than this depending upon their knowledge level and computer experience.)
Questions (1 minute per question)
Note: Appendix A: Approximate Time for the Course contains the approximate time for each section, which are totaled for the entire course.
Section 1.1: Multi-Domain Forests
Summary
This section provides the basics of managing multi-domain forests. Concepts covered include:
Prerequisites required before adding the first domain controller running Windows Server 2012 to an existing Active Directory environment:
  o Server disk space
  o Supported Windows Server 2012 editions
  o Forest and domain functional levels
Tools to prepare forest and domain to support Windows Server 2012:
  o Adprep /forestprep
  o Adprep /domainprep
  o Adprep /rodcprep
Installation scenarios for AD DS for Windows 2012:
  o Installing a new Windows Server 2012 forest
  o Installing a new Windows Server 2012 domain controller to create a new domain in an existing Windows Server 2003, 2008, or 2008 R2 forest
Tools to promote the Windows Server 2012 system as a domain controller in the domain:
  o Server Manager
  o PowerShell (using ADDSDeployment cmdlets)
  o DCPromo (only for Server Core deployments using an answer file)
The role of a functional level
Features available at each domain functional level
Features available at each forest functional level
Management of functional levels
Guidelines that apply to raising the domain or forest functional levels
Students will learn how to:
Raise the functional level of a domain.
Raise the functional level of a forest.
Add a new child domain to a multi-domain forest.
Server Pro: Advanced Services Exam Objectives:
1.0 Advanced Active Directory Configuration.
  o Raise the functional level of an Active Directory forest
Which types of trusts are created automatically for domains within a forest?
What are the characteristics of automatically-created domain trusts?
What are the characteristics of trusts between forests?
When can forest trusts be used?
When must you create an external trust?
What advantages does selective authentication provide to system administrators for securing resources in a forest?
Video/Demo Time
1.2.1 Cross-Forest Trusts 6:26
1.2.2 Preparation for a Cross-Forest Trust 1:29
1.2.3 Preparing for a Cross-Forest Trust 7:40
1.2.4 Creating a Cross-Forest Trust 11:56
Section 1.3: External, Shortcut and Realm Trusts
Summary
This section provides details about creating external, shortcut, and realm trusts.
Students will learn how to:
Manually create an external trust to allow users on one domain to access resources in a domain of another forest.
Create a shortcut trust to speed up authentication between domains in the same forest.
Server Pro: Advanced Services Objectives:
1.0 Advanced Active Directory Configuration.
  o Create forest root, cross-forest, external, shortcut, and realm trusts
70-412 Exam Objectives:
502 Configure trusts.
  o Configure external, forest, shortcut, and realm trusts
  o Configure trust authentication
  o Configure SID filtering
  o Configure name suffix routing
Lecture Focus Questions:
How do shortcut trusts improve user logon times between two domains within a forest?
What are the characteristics of an external trust?
When should you use a realm trust?
What features does Active Directory Federated Services (AD FS) offer?
Section 1.4: Sites Overview
Summary
This section provides an overview of sites and subnets. Details covered include:
The role of a site
The role of a subnet
Considerations about sites and subnets
Sites and subnets allow an administrator to monitor:
  o Active Directory replication between locations
  o Workstation logon traffic
  o Objects in Active Directory
  o Distributed File System (DFS) resource access
  o File Replication Service (FRS) characteristics
  o Properties for any site-aware application
Students will learn how to:
Create and manage sites, subnets, and site links.
70-412 Exam Objectives:
503. Configure sites.
  o Configure sites and subnets
  o Create and configure site links
  o Move domain controllers between sites
Lecture Focus Questions:
How does a subnet differ from a site?
What is the purpose of sites and subnets?
What criteria are used to assign computers to sites?
How are clients assigned to sites?
What criteria determine the site that a domain controller is assigned?
Section 1.5: Managing Sites
Summary
This section discusses the following issues when managing sites:
Logon requests
Site link cost
Site link schedules
Site link interval
Global Catalog servers
Universal Group Membership Caching
Students will learn how to:
Determine the domain controller that will process logon requests at a site.
Set up a Global Catalog.
Enable Universal Group Membership Caching.
Server Pro: Advanced Services Objectives:
1.0 Advanced Active Directory Configuration.
  o Manage sites, subnets, and site links
70-412 Exam Objectives:
503. Configure sites.
  o Manage site coverage
  o Manage registration of SRV records
Lecture Focus Questions:
How can you determine which domain controller will authenticate a client when more than one domain controller exists at a site?
How are site link costs determined?
What steps can you take to ensure that a particular domain controller does not authenticate clients from another site?
How does a Global Catalog server facilitate faster searches and logon?
What are the benefits of Universal Group Membership Caching? When should it be used?
What two things should you consider when defining site link schedules?
Terms to be familiar with:
  o Site link bridge
  o Bridgehead server
  o Connection
Sites and Services distinguishes between two types of replication:
  o Intrasite
  o Intersite
Transport protocols used by replication:
  o Directory Services Remote Procedure Call (DS-RPC)
  o Inter-Site Messaging Simple Mail Transfer Protocol (ISM-SMTP)
Facts about intrasite replication:
  o Occurs between domain controllers within a site
  o By default, occurs once every hour
  o Modifying the replication frequency
  o Connections are created automatically as necessary
Intersite replication configuration steps:
  o Preferred bridgehead server
  o Replication schedule
  o Replication frequency
  o Site link cost
  o Bridged site replication
  o Forced replication
Example of site link bridging
The role of SYSVOL folder
File Replication Service (FRS) vs. Distributed File System (DFS)
Benefits of DFS replication
Migrating from FRS replication to DFS replication
States that indicate stable stages in the migration process:
  o Not initiated
  o Start
  o Prepared
  o Redirected
  o Eliminated
Manage replication of AD and SYSVOL.
Monitor replication of AD and SYSVOL.
Server Pro: Advanced Services Objectives:
1.0 Advanced Active Directory Configuration.
  o Manage sites, subnets, and site links.
  o Configure site replication.
70-412 Exam Objectives:
504. Manage Active Directory and SYSVOL replication.
  o Monitor and manage replication
  o Upgrade SYSVOL replication to Distributed File System Replication (DFSR)
Lecture Focus Questions:
What types of trusts are enabled by default for site link bridges?
How do you establish bidirectional communications between domain controllers?
How does intrasite replication differ from intersite replication?
What are three ways that you can force replication?
How can you force a certain path between sites for replication?
What is the process for migrating from FRS replication to DFS replication when the domain is at Windows Server 2003 functional level?
During which migration stages are you able to roll back the migration?
Video/Demo Time
1.6.1 Active Directory Replication 12:46
1.6.2 Monitoring and Managing Replication 12:51
Section 1.7: Read-Only Domain Controllers (RODCs)
Summary
In this section students will learn details about creating RODCs. Concepts covered include:
Features of RODCs:
  o Administrator role separation
  o Unidirectional replication
  o Read-only data
  o Password replication
  o DNS Server service
Requirements to be met before RODCs are installed in a domain
Performing a staged installation of an RODC in which the installation is performed by two different individuals in separated stages
General steps to install a read-only domain controller (RODC)
Considerations when installing RODC
Students will learn how to:
Create and configure an RODC account.
Server Pro: Advanced Services Exam Objectives:
1.0 Advanced Active Directory Configuration.
  o Implement read-only domain controllers
70-412 Exam Objectives:
504. Manage Active Directory and SYSVOL replication.
  o Configure replication to Read-Only Domain Controllers (RODCs)
Lecture Focus Questions:
In which environments is an RODC typically deployed?
What are the benefits and the drawbacks of unilateral replication?
What are the requirements for installing an RODC in a domain?
How does the administrative role separation (ARS) feature protect domain
Section 1.8: RODC Management
Summary
This section discusses the following considerations when managing an RODC:
Administrator role separation
Replication traffic management
Security management
Students will learn how to:
Configure the password replication policy on the RODC to cache only passwords for specified users.
Prepopulate passwords before users even attempt to log on.
Server Pro: Advanced Services Exam Objectives:
1.0 Active Directory Configuration.
  o Implement read-only domain controllers
70-412 Exam Objectives:
504. Manage Active Directory and SYSVOL replication.
  o Configure Password Replication Policy (PRP) for RODCs
Lecture Focus Questions:
How does the password replication policy control password replication?
What preventative measures can you implement to protect the data on an RODC in the event it is lost or stolen?
How can you prevent certain data from being replicated to an RODC?
What steps should you take if an RODC has been compromised?
When does an RODC attempt inbound replication?
Which two built-in groups can be used for password replication on
Section 2.1: Network File System (NFS)
Summary
This section discusses using Network File System (NFS) to transfer files between computers running Windows and UNIX/Linux operating systems. Details include:
Considerations when deploying NFS file sharing on Windows Server 2012:
  o System requirements
  o NFS service installation
  o NFS service configuration
  o NFS share configuration
Students will learn how to:
Create and configure an NFS share.
Server Pro: Advanced Services Exam Objectives:
2.0 Advanced Storage Management.
  o Implement NFS to support UNIX/Linux systems
70-412 Exam Objectives:
201. Configure advanced file services.
  o Configure NFS data store
Lecture Focus Questions:
Which PowerShell cmdlets install NFS sharing components on a Windows Server 2012 system?
What configuration tasks must be completed before using the NFS Server or Client on a Windows Server 2012 system?
What are two ways you can create shares in the server's NTFS file system and export them to NFS clients?
In which two ways can you map a UNIX/Linux user or group to a Windows user or group?
Section 2.2: BranchCache
Summary
This section discusses using BranchCache to allow users in branch offices to access information more quickly. Concepts covered include:
The role of BranchCache
BranchCache modes:
  o Hosted Cache
  o Distributed Cache
Students will learn how to:
Configure a BranchCache content server.
Configure a hosted BranchCache server.
Use PowerShell cmdlets to configure BranchCache clients.
Verify BranchCache client settings.
Section 2.3: Dynamic Access Control (DAC)
Summary
In this section students will learn about using Dynamic Access Control (DAC) to enable granular control over data access. Details include:
The role of Dynamic Access Control (DAC)
Factors that can be used to change the level of access of a user
Components of DAC implementation:
  o Resource properties
  o Classification rules
  o Claims-based access control:
      User claims
      Devices claims
  o Central access rules
  o Central access policies
Considerations when setting up the permission for DAC and NTFS file permissions
Tasks to implement Dynamic Access Control (DAC):
  o Install FSRM
  o Define resource properties
  o Create classification rules
  o Configure claim types
  o Define central access rules
  o Define central access policies
  o Configure Group Policy settings
  o Apply central access policies
Students will learn how to:
Use FSRM to configure File Classification Infrastructure.
Create and configure classification rules.
Configure a classification schedule.
Server Pro: Advanced Services Exam Objectives:
2.0 Advanced Storage Management.
  o Implement Dynamic Access Control (DAC)
201. Configure advanced file services.
  o Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
202. Implement Dynamic Access Control (DAC).
  o Configure user and device claim types
  o Configure file classification
  o Create and configure Central Access rules and policies
  o Create and configure resource properties and lists
Lecture Focus Questions:
By implementing DAC, what criteria can you use to dynamically change the level of access a user has to file server data?
How can you use NTFS file system permissions and DAC to control resource access?
To which types of data can classification rules be applied?
How does the Content Classifier method of assigning a property to a file differ from the Windows PowerShell Classifier method?
What are the components of a central access rule?
Which Kerberos Group Policy settings must be enabled to support DAC?
Video/Demo Time
2.3.1 DAC Overview 10:22
2.3.2 Configuring File Classification Infrastructure (FCI) using FSRM 11:30
2.3.3 Implementing DAC Policies 19:59
Section 2.4: DAC Management
Summary
In this section students will learn about options to manage Dynamic Access Control (DAC). Details in this section include:
Staging
Access-denied remediation
Students will learn how to:
Stage policy changes for central access policies for DAC.
Use Group Policy to configure file access auditing.
Server Pro: Advanced Services Exam Objectives:
2.0 Advanced Storage Management.
  o Implement Dynamic Access Control (DAC)
202. Implement Dynamic Access Control (DAC).
  o Implement policy changes and staging
  o Perform access-denied remediation
Lecture Focus Questions:
How can you test the effect of DAC rules without enforcing them?
What is the purpose of access-denied remediation?
What are two requirements for using access-denied remediation?
What should you be aware of if you use both File Server Resource Manager and Group Policy to configure DAC?
Video/Demo Time
2.4.1 DAC Management 5:01
2.4.2 Implementing Policy Changes and Staging 6:40
2.4.3 Performing Access-denied Remediation 5:09
Section 2.5: Advanced Storage
Summary
This section examines using iSCSI and iSNS to provide advanced storage capabilities. Details include:
Hardware required to create an iSCSI SAN:
  o Ethernet cabling
  o Ethernet switches
  o Ethernet NICs
The role of iSCSI targets
The role of iSCSI initiator
iSCSI terminology to be familiar with:
  o network entity
  o network portal
  o Protocol Data Unit (PDU)
  o iSCSI name
  o iSCSI Qualified Name (IQN)
  o iSCSI target
  o iSCSI initiator
  o LUN
Considerations when choosing between iSCSI and other SAN technologies
Steps to configure iSCSI initiators
The role of Internet Storage Name Service (iSNS)
Students will learn how to:
Create an iSCSI virtual disk and configure an iSCSI target on it.
Configure an iSCSI initiator with access to the virtual disk.
Install the iSNS Server Service feature and configure iSNS.
Server Pro: Advanced Services Exam Objectives:
2.0 Advanced Storage Management.
  o Implement an iSCSI SAN
70-412 Exam Objectives:
203 Configure and optimize storage.
  o Configure iSCSI Target and Initiator
  o Configure Internet Storage Name server (iSNS)
What are the hardware components of a SAN?
What is the advantage of using Ethernet hardware for a SAN implementation?
What is the benefit from implementing a second, parallel network infrastructure dedicated only to the iSCSI SAN?
In an iSCSI SAN, what purpose does the network portal serve?
What are the steps to configure iSCSI initiators?
What functions does Storage Name Service (iSNS) provide?
Video/Demo Time
2.5.1 iSCSI and Internet Storage Name Server (iSNS) 2:35
2.5.2 Configuring an iSCSI Target 2:23
2.5.3 Configuring the iSCSI Initiator 4:19
2.5.4 Configuring iSNS 3:11
Total 12:28
Lab/Activity
Configure an iSCSI Target
Configure the iSCSI Initiator
203 Configure and optimize storage.
  o Implement thin provisioning and trim
  o Manage server free space using Features on Demand
Lecture Focus Questions:
How does fixed provisioning differ from thin provisioning?
What are the limitations of the storage pool?
Which PowerShell cmdlets can you use to manage storage spaces and what is the function of each?
How does data deduplication differ from Features on Demand?
How can you use Features on Demand to manage free space of a
Section 3.1: Windows Server Backup
Summary
This section provides details of using Windows Server Backup. Concepts covered include:
The role of the Online Backup feature in Windows 2012
Steps to perform online backups
The role of the Windows Server Local Backup
Considerations about using Windows Server Backup
Methods Windows Server Backup provides to run backups:
  o Windows Server Backup MMC snap-in
  o Wbadmin from the command prompt
  o PowerShell cmdlets for Windows Server Backup
Options available with Windows Server Backup:
  o Full Server
  o Bare metal recovery
  o System state
  o Individual volumes
  o Folders or files
Storage types that Windows Server Backup can save backups to:
  o Internal disk
  o External disk
  o Shared folder
  o DVD, other optical or removable media
When using Windows Server Backup you cannot back up to:
  o Tape
  o USB flash drives
  o Pen drives
Students will learn how to:
Install Windows Server Backup.
Configure a regular backup schedule for a server.
Back up a server.
Server Pro: Advanced Services Exam Objectives:
3.0 Server Data Protection.
  o Configure server backups
301 Configure and manage backups.
  o Configure Windows Server backups
  o Configure Windows Online backups
  o Configure role-specific backups
Lecture Focus Questions:
When using the Online Backup feature in Windows Server 2012, what options do you have for obtaining the certificate file?
Which types of backups are not supported by Online Backup and must be done using a local backup?
What is the best practice for securing the Online Backup passphrase?
What happens if the online backup destination does not have sufficient space available to store the backup?
When using Windows Server Backup, which backup option would you use if you want to be able to recover all volumes including system state and bare metal recoveries?
Which media types are not supported by Windows Server Backup?
Video/Demo Time
3.1.1 Windows Server Backup 3:16
3.1.2 Configuring Windows Server Backup for Local Backup 2:33
3.1.4 Configuring Windows Server Backup for Online Backup 6:27
Section 3.2: Restore from Backup
Summary
This section discusses restoring from backup. Concepts covered include:
Considerations when restoring from backups
Recovery types and the tools to perform them:
  o Online
  o Files and folders
  o Hyper-V
  o Volumes
  o Applications
  o Bare metal or full server
  o System state
Students will learn how to:
Restore a server from backup.
Restore user data from backup.
Perform a Bare Metal Recovery.
Server Pro: Advanced Services Exam Objectives:
3.0 Server Data Protection.
  o Restore server data from backup
70-412 Exam Objectives:
302 Recover servers.
  o Restore from backups
  o Perform a Bare Metal Restore (BMR)
Lecture Focus Questions:
Which are the only types of files that can be recovered from an online backup?
Which are the only media supported for recovering files and folders using Windows Server Backup?
Who is authorized to perform recoveries using Windows Server Backup?
What tool allows you to recover Hyper-V virtual machines?
When recovering volumes, how is the existing data on the destination
Section 3.3: Volume Shadow Copies
Summary
This section discusses using Volume Shadow Copies to make copies of user files at regular intervals. Concepts covered include:
The role of Volume Shadow Copy Service (VSS)
Considerations when using VSS
VSS areas when implementing shadow copies:
  o Scheduling
  o Storing
  o Recovering
  o NTFS Permissions
  o VSSAdmin
Students will learn how to:
Enable and configure shadow copies for shared folders.
Restore a previous version of a file.
Use VSSAdmin to manage VSS settings from the command line.
Server Pro: Advanced Services Exam Objectives:
3.0 Server Data Protection.
  o Enable shadow copies
70-412 Exam Objectives:
301 Configure and manage backups.
  o Manage VSS settings using VSSAdmin
Lecture Focus Questions:
How do you view and manage previous versions of volumes, folders and files?
What criteria should you use for scheduling shadow copies of volume data?
How are NTFS permissions on previous versions of a file affected during recovery?
How does restoring folders affect new files that have been added since the shadow copy was made?
What steps should you take to allow defragmentation on volumes with VSS enabled?
What happens if you delete a volume before disabling VSS?
Section 3.4: Boot Configuration Data (BCD) Store
Summary
In this section students will learn about Boot Configuration Data (BCD) Store. Concepts covered include:
Tools to assist in system recovery:
  o System Recovery Options
  o Boot Configuration Data (BCD)
  o Windows Memory Diagnostic Tool (WMDT)
  o Startup and Recovery options
  o System Configuration utility (Msconfig.exe)
The role of boot options
Windows Server 2012 startup modes:
  o Repair Your Computer
  o Safe Mode
  o Safe Mode with Networking
  o Safe Mode with Command Prompt
  o Enable Boot logging
  o Enable low-resolution video
  o Last Known Good Configuration
  o Debugging Mode
  o Disable automatic restart on a system failure
  o Disable Driver Signature Enforcement
  o Disable Early Launch Anti-Malware Protection
Recommendations to troubleshoot startup errors with the advanced boot options
Students will learn how to:
Configure the BCD store.
Use Advanced Boot options to boot a computer.
70-412 Exam Objectives:
302 Recover servers.
  o Recover servers using Windows Recovery Environment (Win RE) and safe mode
  o Configure the Boot Configuration Data (BCD) store
When would you need to use the System Image Recovery tool?
In which situations would the System Configuration utility (bcd) be useful?
What actions can you take to boot your system if it is not running and will not boot normally?
When should you access the Repair Your Computer option?
When should you boot your computer into safe mode?
In which situations will the Last Known Good Configuration option be useful?
Why would it be useful to enable the Disable automatic restart on system failure option?
Video/Demo Time
3.4.1 BCD Store Overview 1:27
3.4.2 Configuring the BCD Store 7:55
Section 4.1: DHCP Overview
Summary
This section provides an overview of DHCP. Concepts covered include:
Methods that clients use to obtain an address from a DHCP server:
  o DHCP Discover (D)
  o DHCP Offer (O)
  o DHCP Request (R)
  o DHCP ACK (A)
DHCP Authorization requirements
DHCP Server authorization verification
Considerations when installing and configuring a DHCP Server
DHCP console context-sensitive icons:
  o Check mark in a green circle
  o Red down arrow
  o Horizontal white line inside a red circle
  o Exclamation sign inside a yellow triangle
  o Exclamation sign inside a blue circle
Students will learn how to:
Install a DHCP server.
Authorize a DHCP server.
70-412 Exam Objectives:
401 Implement an advanced Dynamic Host Configuration Protocol (DHCP) solution.
  o Implement DHCPv6
Lecture Focus Questions:
What are the steps a DHCP client uses to obtain an IP address from a DHCP server?
What permissions do you need to authorize a DHCP server?
When is authorization not required for a DHCP server?
What happens when a DHCP server's IP address is not found in Active Directory?
How would you set up a DHCP Administrator so that the administrator has rights on all DHCP servers in the domain?
In the DHCP console, you notice that the DHCP server icon has a red down arrow beside it. What is the status of the DHCP server?
What are the four levels of DHCP IP configuration options and what is the purpose of each?
In what order are DHCP options applied?
Which option values take precedence: those delivered through DHCP or those configured manually on the client?
How can you change the subnet mask in an existing scope?
When should you use reservations for a DHCP client?
When would you use a DHCP policy?
When might you use a superscope?
Section 4.3: DHCP and IPv6
Summary
This section provides the basic information about the structure of IPv6 and using DHCP in an IPv6 environment.
Components of an IPv6 address:
o Format
o Leading zeros
o Prefix and interface ID
Considerations when using IPv6
Comparison of IPv4 address types with IPv6 address types
The process to configure the IPv6 Address assignment
Address types of an autoconfigured IPv6 address:
o Tentative
o Valid:
  Preferred
  Deprecated
o Invalid
The role of DHCP in an IPv6 environment
DHCPv6 broadcasts:
401 Implement an advanced Dynamic Host Configuration Protocol (DHCP) solution.
o Implement DHCPv6
Lecture Focus Questions:
How does IPv6 differ from IPv4?
What is the purpose of a neighbor solicitation?
If the M and O flags in the router advertisement (RA) message are set to 1, what type of configuration method should you use?
What options do you have for dealing with zeros (0s) in an IPv6 address?
How is autoconfiguration in IPv6 improved over autoconfiguration in IPv4?
What does a multicast address indicate?
Section 4.5: IPAM Overview
Summary
This section provides an overview of IP Address Management (IPAM). Details include:
The role of IPAM
Key IPAM specifications
Phases for the process of installing IPAM:
o Install the IPAM role
o Connect to the IPAM server
o Provision the IPAM server
o Configure server discovery
o Discover servers
o Define managed servers
o Gather data from managed servers
Features that Windows Server 2012 R2 supports
Students will learn how to:
Manually configure IPAM.
Configure IPAM using the IPAM Provisioning Wizard, a Group Policy based provisioning method.
Configure server discovery to discover domain controllers, DHCP servers, DNS servers, and NPS servers, and automatically add them to the IPAM console.
70-412 Exam Objectives:
403 Deploy and manage IPAM.
o Configure IPAM manually or by using Group Policy
o Configure server discovery
o Migrate to IPAM
o Configure IPAM database storage
What functions does the IP Address Management (IPAM) server perform?
What is the IPAM server scope discovery range in Active Directory?
Why should you not install IPAM on a DHCP server?
What is IPAM provisioning?
What are the steps for provisioning an IPAM server?
What tasks must be performed before the Server Discovery task can work properly?
How do you configure discovered servers as managed servers?
Video/Demo Time
4.5.1 IPAM Basics 4:38
4.5.2 Configuring IPAM Manually or Using GPO 9:56
4.5.3 IPAM on Server 2012 R2 11:01
Section 4.6: IPAM Configuration
Summary
In this section students will learn about configuring IPAM. Concepts covered in this section include:
IP Address information managed by IPAM is organized into the following hierarchy:
o IP address space
o IP address blocks
o IP address ranges
o IP address inventory
The IPAM console provides the following options:
o DNS and DHCP servers
o DHCP scopes
o DNS zones
o Server groups
Students will learn how to:
Manage IP blocks and ranges from the IPAM console.
Use the IPAM console to manage DHCP and DNS servers.
70-412 Exam Objectives:
403 Deploy and manage IPAM.
o Create and manage IP blocks and ranges
o Monitor utilization of IP address space
o Manage IPAM collections
Lecture Focus Questions:
What is the hierarchical organization of IP address information managed by IPAM?
How does the IP address inventory organize IP addresses?
What information about DNS and DHCP servers does IPAM store?
How do you view IP address ranges using the IPAM console?
What DNS zone information can you view in IPAM?
Section 4.7: IPAM Management
Summary
This section discusses the following key tasks of managing an IPAM server.
Assign the appropriate right to the user.
Allow the user to access the server remotely.
Add the remote IPAM server to the server pool in Server Manager.
Students will learn how to:
Assign a user the rights to remotely act as an IPAM administrator.
70-412 Exam Objectives:
403 Deploy and manage IPAM.
o Delegate IPAM administration
Lecture Focus Questions:
Which local group on the IPAM server should you assign a user to so that they will have the appropriate rights to manage an IPAM server?
Which tasks must be completed to delegate to a user the ability to manage an IPAM server?
If Group Policy provisioning was used to set up the IPAM server, what domain administrator privileges should a user have in order to indicate that servers in inventory are managed or not managed?
Which group must a user be a member of in order to access the IPAM server from a remote IPAM client?
How can you allow a user to manage an IPAM server from a remote location?
Section 5.1: DNS Security
Summary
This section discusses strategies for DNS security. The following details are covered:
Goals for designing security for a DNS solution
Strategies to improve DNS security:
o Provide redundancy and automatic backup of DNS data
o Prevent zone transfer except to specific servers
o Prevent unauthorized modification of zone data on secondary servers
o Prevent zone transfers except to domain controllers
o Secure zone transfer data while in transit
o Prevent unauthorized modification of dynamic DNS records
o Secure DNS data on the servers
o Cryptographically sign DNS zone records
o Lock records in the DNS cache
o Randomize the port used for DNS queries
o Audit DNS activity
Security considerations for DNS servers available to Internet users
Students will learn how to:
Configure DNSSEC on a zone to secure data by signing DNS zones and records.
Configure DNS socket pooling and cache locking to increase security for the DNS cache.
Server Pro: Advanced Services Exam Objectives:
4.0 Advanced DHCP and DNS Configuration.
o Protect zone data with DNSSEC
70-412 Exam Objectives:
402 Implement an advanced DNS solution.
o Configure security for DNS including DNSSEC, DNS Socket Pool, and cache locking
o Isolate DNSSEC key management and storage
What security goals should you set for your DNS solution?
How can you limit zone transfer to specific servers?
How can you limit zone transfer to specific domain controllers?
What security issue is addressed by converting all zones to Active Directory-integrated and allowing only secure dynamic update?
How does DNSSEC make DNS zone records more secure?
How do you randomize the port used for DNS queries?
Video/Demo Time
5.1.1 DNS Security 12:50
5.1.2 Configuring DNSSEC 10:21
5.1.3 Configuring DNS Socket Pooling 2:20
5.1.4 Configuring Cache Locking 1:19
What information do you enter on the Forwarders tab of DNS Manager?
When are root name servers used to resolve DNS queries?
Which DNS Manager feature would you use to gather data about the type of traffic being sent to your system?
What advanced DNS Manager feature prevents corrupted zone data from being loaded into DNS?
How does the Secure cache against pollution feature keep the DNS cache accurate and streamlined?
Video/Demo Time
5.2.1 Configuring Advanced DNS Settings 4:33
5.2.2 Using DNS Zone Statistics 2:46
Section 5.3: GlobalNames Zones
Summary
This section covers using GlobalNames zone on the DNS server that is used for single-label name resolution.
The role of GlobalNames zone
Considerations for managing the GlobalNames zone
Students will learn how to:
Create a GlobalNames zone.
Server Pro: Advanced Services Exam Objectives:
4.0 Advanced DHCP and DNS Configuration.
o Configure a GlobalNames zone
70-412 Exam Objectives:
402. Implement an advanced DNS solution.
o Configure a GlobalNames zone
Lecture Focus Questions:
In addition to supporting single-label name resolution, what are other features of a GlobalNames zone?
What are the steps for configuring a GlobalNames zone?
How can you extend the GlobalNames zone to multiple forests?
What is the server operating system requirement for authoritative DNS servers when you implement the GlobalNames zone?
What changes are required for client machines when you implement the
Methods to move an entire virtual machine along with the virtual hard disks:
o Export/Import
o Manual
Cloning an existing virtual domain controller
System prerequisites before cloning a virtual domain controller:
o Supported Hypervisors
o Supported Guest Operating Systems
o PDC Emulator
The process for cloning a virtual domain controller
Students will learn how to:
Export and import virtual machines.
Clone domain controllers to quickly provide new domain controllers.
70-412 Exam Objectives:
104 Manage Virtual Machine (VM) movement.
o Import, export, and copy VMs
o Migrate from other platforms (P2V and V2V)
303 Configure site-level fault tolerance.
o Configure Hyper-V Replica including Hyper-V Replica Broker and VMs
Lecture Focus Questions:
What options do you have for moving an entire virtual machine, including virtual disks?
How can an exported snapshot of a virtual machine be used?
Why is it useful to use the Copy on Import feature of Hyper-V?
What are the steps for manually moving a virtual machine?
How are domain controllers cloned?
What system prerequisites must be met before cloning a virtual domain controller?
What should you do if the New-ADDCCloneConfigFile cmdlet found incompatible applications on the source domain controller?
Section 6.2: Hyper-V High Availability
Summary
This section examines Hyper-V high availability. Concepts covered include:
The role of Hyper-V Replication
Initial replication
Replication frequency
Planned failover
Reverse replication
Unplanned failover
Prerequisites for deploying Hyper-V Replica:
o Physical location
o Network
o Storage hardware
o Server
o Domain membership
o Encryption
Tasks to implement Hyper-V Replica:
o Configure the replica server to accept replication
o Enable virtual machine replication
o Monitor replication
Failover options available once a virtual machine has been protected with Hyper-V Replica:
o Test failover
o Planned failover
o Unplanned failover
Students will learn how to:
Configure Hyper-V replicas for failover.
Server Pro: Advanced Services Exam Objectives:
5.0 High Availability Implementation.
o Enable virtual machine replication
70-412 Exam Objectives:
303 Configure site-level fault tolerance.
o Configure Hyper-V Replica including Hyper-V Replica Broker and
What prerequisites must be met before deploying a Hyper-V Replica?
In which two ways can you complete the initial replication process?
What steps do you take to perform a planned failover?
When you perform a planned failover, how can you make sure that changes made to the replica virtual machine are copied back to the primary virtual machine when it is brought back online?
How can you monitor replication?
What steps do you take to perform an unplanned failover?
What are the characteristics of NLB cluster members?
What mechanism do cluster members use to communicate consistent information about cluster membership?
In unicast mode, how are MAC addresses used by cluster members?
How does communication between cluster members take place when multicast mode is implemented?
What are the prerequisites for installing and configuring a Network Load Balancing cluster?
What are the steps for creating an NLB cluster?
If you add a new host to a cluster, when does the new host to come
Port rules
Considerations when configuring port rules
Cluster status options for the Network Load Balancing Manager console or Nlb.exe to manage the status of the NLB cluster:
o Suspend
o Resume
o Start
o Stop
o Drainstop
Students will learn how to:
Create and configure a Network Load Balancing cluster.
Define the port rules and cluster parameters for an NLB cluster.
70-412 Exam Objectives:
101 Configure Network Load Balancing (NLB).
o Configure affinity
o Configure port rules
o Upgrade an NLB cluster
Lecture Focus Questions:
How do port rules control how an NLB cluster functions?
What is the client affinity setting?
How can you ensure that requests from clients on a specific subnet always connect to a specific cluster host?
What happens when you add a host to a cluster that has different port rules?
What tasks do you perform to implement a load balancing cluster?
What happens to traffic processing after you use the drainstop option?
Section 7.3: Failover Clustering
Summary
This section examines using Failover Clustering to increase the availability and fault tolerance of network servers. Details covered include:
The role of Failover Clustering
Quorum modes:
o Node Majority
o Node and Disk Majority
o Node and File Share Majority
o No Majority: Disk Only
Dynamic quorum management
Cluster Shared Volumes
New key Failover Clustering features in Windows Server 2012:
o Cluster management
o Scale-out file server support
o Cluster-aware updates
o Virtual machine monitoring and management
New Failover Clustering features in Windows Server 2012 R2:
o CSV enhancements
o Guest clustering
o Active Directory-detached cluster support
Prerequisites before implementing Failover Clustering:
o Hardware
o Software
Tasks to configure Failover Clustering:
o Configure shared storage
o Add the Failover Clustering feature to the cluster members
o Validate the cluster configuration
o Create the failover cluster
o Configure the quorum
o Configure cluster storage
Implementing a guest cluster
Students will learn how to:
Install the Failover Cluster role on specified servers and create a failover cluster.
Configure cluster storage.
Validate the cluster storage using the Validate Cluster Wizard.
Configure a cluster quorum.
Configure a file share witness.
Video/Demo Time
7.3.1 Failover Clustering Overview 10:51
7.3.2 Creating a Failover Cluster 4:44
7.3.3 Configuring Cluster Storage 2:25
7.3.4 Failover Clusters on Server 2012 R2 19:59
7.3.5 Configuring Failover Clusters on Server 2012 R2 4:30
7.3.6 Configuring Guest Clusters 17:02
7.3.7 Deploying a No Name Cluster 5:47
Total 65:18
Lab/Activity
Create a Failover Cluster
Configure Cluster Quorum Settings
Add Storage to a Cluster
Types of networks a cluster can use:
o Cluster storage
o Cluster node communication
o Client connections
How to simulate a failure and test failover procedures
Considerations when implementing a multi-site cluster
Cluster-Aware Updating (CAU)
CAU terminology:
o Updating run
o Update coordinator
o Updating run profiles
Tasks to implement CAU:
o Install CAU
o Verify CAU requirements
o (Optional) Configure hosts for remote updating
o Disable other automatic update mechanisms
o Launch the CAU console
o Run the CAU Best Practices Analyzer
Using the CAU console
Students will learn how to:
Manage failover clusters.
Manage a multi-site failover cluster.
Implement cluster-aware updating.
Rebuild a failed cluster.
70-412 Exam Objectives:
102 Configure failover clustering.
o Restore single node or cluster configuration
o Implement Cluster Aware Updating
o Upgrade a cluster
What are some ways you can simulate a failure in order to test failover procedures?
What are the three types of networking available with clusters?
What is the advantage of locating the file share witness at a different location than a cluster node?
In what two ways can you configure multi-site clustering? Which configuration would be more likely to experience failover latency?
What are the steps to restore a failed cluster database from backup?
How can you tune the heartbeat settings to optimize a multi-site cluster?
Why can't you use DFS to replicate data in a multi-site cluster?
What is Cluster-Aware Updating?
Section 7.6: Failover Cluster with Hyper-V
Summary
This section discusses using Failover Clustering to increase the availability of Hyper-V virtual machines. Details include:
Tasks to implement a virtual machine within a cluster:
o Install the cluster
o Implement CSV
o Create the virtual machine and install the guest operating system
Windows Server 2012 features to manage the availability of clustered Hyper-V virtual machines:
o Replication
o Storage migration
o Quick migration
o Live migration
o Virtual machine monitoring
Students will learn how to:
Migrate a virtual machine and all of its storage to a Hyper-V host server.
Server Pro: Advanced Services Exam Objectives:
2.0 Advanced Storage Management.
o Migrate virtual machine storage.
70-412 Exam Objectives:
103. Manage failover clustering roles.
o Configure VM monitoring
104 Manage Virtual Machine (VM) movement.
o Perform live migration
o Perform quick migration
o Perform storage migration
How does Storage Migration differ from Quick Migration?
What condition could cause an unplanned Live Migration to occur?
What is the main difference between a Quick Migration and a Live
Section 8.1: Active Directory Certificate Services Overview
Summary
This section provides an overview of Active Directory Certificate Services. Details covered include:
Terms with encryption and certificates:
o Cipher or algorithm
o Key
o Certificate
Certification Authorities (CA)
Certification hierarchy
Role services to choose from when installing Active Directory Certificate Services (AD CS):
o Certification Authority
o Certification Authority Web Enrollment
o Online Responder
o Network Device Enrollment Service (NDES)
o Certificate Enrollment Web Service
o Certificate Enrollment Policy Web Service
Features available through Active Directory Certificate Services:
o Certificate templates
o Autoenrollment
o Web enrollment
o Credential roaming
o Certificate enrollment across forests (cross-certification)
o High-volume CA support
6.0 File Certificate Management.
o Configure a private certification authority
70-412 Exam Objectives:
602 Install and configure Active Directory Certificate Services (AD CS).
o Install an Enterprise Certificate Authority (CA)
Lecture Focus Questions:
What is the difference between symmetric and asymmetric encryption?
How do certificates prove identity?
What kinds of information do certificates hold?
What is the relationship of a CA to a PKI?
How can you ensure that users outside your organization trust your certificate?
What are the advantages of using an enterprise CA over a standalone CA?
How does an enterprise root differ from an enterprise subordinate?
Which server role should you add to make a server a CA that can issue certificates to other CAs, users, and computers?
What features does the Online Responder service provide?
What is credential roaming?
Video/Demo Time
8.1.1 Overview of Certificates 11:21
8.1.2 Overview of Certificate Services 9:17
8.1.3 Installing an Enterprise AD CS 5:42
603 Install and configure Active Directory Certificate Services (AD CS).
o Manage certificate renewal
o Implement and manage certificate deployment, validation, and revocation
o Manage certificate enrollment and renewal to computers and users
Situations in which a digital certificate would be revoked
Facts about certificate revocation:
o The process used by a client to retrieve the certificate status information
o The process to configure the online responder:
  Install the Online Responder role service
  Configure the OCSP Response Signing certificate
  Configure each CA to issue the OCSP Response Signing template
  Configure each CA to include the online responder
  Configure revocation configurations on the online responder
o Considerations when configuring the online responder
Additional features that can be configured for the Revocation Configuration on an online responder:
o Nonce/no-nonce request support
o Advanced cryptography
o Kerberos protocol integration
Considerations when configuring a single CA with multiple online responders
Students will learn how to:
Configure a CRL Distribution Point.
Configure an Online Responder.
Manage certificate revocation.
Server Pro: Advanced Services Exam Objectives:
6.0 File Certificate Management.
o Revoke certificates
70-412 Exam Objectives:
602 Install and configure Active Directory Certificate Services (AD CS).
o Configure CRL distribution points
o Install and configure Online Responder
o Implement and manage certificate deployment, validation, and revocation
Lecture Focus Questions:
In what situations would a certificate be revoked?
If a revoked certificate might be reinstated, what reason for revocation should you use?
How do you specify CRL Distribution Points?
When would you publish a delta CRL?
What are the advantages to using an Online Responder to verify certificate status?
What two options do you have for obtaining the OCSP Response Signing Certificate?
Why is it necessary to configure CRLs and CDPs when you use an Online Responder?
Video/Demo Time
8.3.1 Certificate Revocation 5:07
8.3.2 Configuring a CRL Distribution Point 2:29
8.3.3 Configuring an Online Responder 3:36
The role of certificate templates
Considerations when managing certificate templates
Certificate template permissions:
o Full Control
o Read
o Write
o Enroll
o Autoenroll
Considerations when managing certificate template permissions
Schema version 1, 2, and 3 templates
Settings that can be modified for schema version 2 and 3 templates:
o Validity Period
o Publish in Active Directory
o Key Purpose
o Cryptographic Service Provider (CSP)
o Subject Name
o Issuance Requirement
o Extensions
Students will learn how to:
Manage and modify certificate templates.
Create and issue a certificate template.
603 Install and configure Active Directory Certificate Services (AD CS).
o Manage certificate templates
o Implement and manage certificate deployment, validation, and
What are the purpose and the benefits of a certificate template?
What is best practice for maintaining the integrity of default templates?
How do you control which templates a CA can issue?
How are certificate templates replicated?
Which permissions does an administrator need to set and modify certificate template contents and permissions?
Video/Demo Time
8.4.1 Certificate Templates 4:24
8.4.2 Using Certificate Templates 9:40
Section 8.5: Certificate Autoenrollment
Summary
In this section students will learn about certificate autoenrollment. Details include:
The role of autoenrollment
Steps to configure autoenrollment
Students will learn how to:
Configure the templates for autoenrollment.
Enable certificate autoenrollment for users and computers.
Create certificates for smart cards and require smart cards for logon.
603 Manage certificates.
o Manage certificate renewal
o Manage certificate enrollment and renewal to computers and users using Group Policies
Lecture Focus Questions:
Which three autoenroll settings require user intervention when selected?
In addition to allowing certificates to be requested, issued, or renewed, which other management tasks does autoenrollment perform?
Which template version(s) is required for autoenrollment?
When automatic renewal is enabled, how can you force users to re-enroll for a certificate template?
When configuring autoenrollment, which permissions should you grant to
Section 8.6: Key Archival and Recovery
Summary
This section examines key archival and recovery. Details in this section include:
Methods to back up private keys
Key archival
Steps to configure key archival
Recovering a lost key
Students will learn how to:
Create and publish the key recovery agent to the CA.
Configure a CA for key archival.
Recover a key.
Server Pro: Advanced Services Exam Objectives:
6.0 File Certificate Management.
o Issue certificates
70-412 Exam Objectives:
603 Manage certificates.
o Configure and manage key archival and recovery
Lecture Focus Questions:
In order for a user's private key to be backed up, what action must the user take? Which permission does this action require?
What is key archival?
What steps are involved in key archival?
What function does a Key Recovery Agent perform?
What are the template requirements for key archival?
What are the steps for recovering a lost key?
Video/Demo Time
8.6.1 Key Archival and Recovery 3:03
8.6.2 Creating and Managing Key Recovery Agents 3:49
8.6.3 Configuring a CA for Key Archival 4:47
8.6.4 Recovering a Key 3:49
Configure security roles on the CA: the enrollment agent, certificate manager, and the CA manager.
Restrict the security role of an enrollment agent or a certificate manager to a particular template.
Configure administrative role separation to not allow a user to have multiple roles assigned.
70-412 Exam Objectives:
602 Manage certificates.
o Implement administrative role separation
Lecture Focus Questions:
Which permission(s) do you need to access and modify CA properties?
What is administrative role separation? What implication does it have for assigning permissions for certificate management?
How do you control the certificates that a manager can manage?
How can you monitor changes to the CA configuration? Which Group Policy setting must you enable to do this?
What are the steps in key archival?
Video/Demo Time
8.7.1 Managing the CA 3:50
8.7.2 Configuring Security Roles on the CA 2:02
8.7.3 Limiting Security Roles on the CA 3:28
8.7.2 Configuring Administrative Role Separation 1:36
Total 10:56
How do usage policies help safeguard digital information from intentional or unintentional misuse?
How are usage policy templates used by administrators in implementing AD RMS?
How does a client license differ from a use license?
How are protected documents created?
What RMS related functions do RMS-enabled applications perform?
Section 9.2: AD RMS Installation
Summary
This section discusses installing and configuring AD RMS. Concepts covered include:
AD RMS hardware and software requirements
Configuration choices to make during AD RMS installation:
o Cluster
o Database location
o Service account
o Cluster key
o Cluster address
o Service connection point (SCP)
Considerations about AD RMS installation
Windows PowerShell cmdlet modules for:
o AD RMS deployment
o AD RMS administration
Key tasks for AD RMS backup and recovery:
o Secure the cluster key password
o Export the trusted publishing domain
o Back up the AD RMS database
o Restore the AD RMS database
Students will learn how to:
Install and configure AD RMS.
Configure the AD RMS Service Connection Point (SCP).
Server Pro: Advanced Services Exam Objectives:
7.0 Digital Rights Management.
o Configure trusted publishing domains
70-412 Exam Objectives:
604 Install and configure Active Directory Rights Management Services (AD RMS).
o Install a licensing or certificate AD RMS server
o Manage AD RMS Service Connection Point (SCP)
o Backup and restore AD RMS
In addition to the AD RMS role, which Web services are required to install AD RMS?
How does a root cluster differ from a licensing-only cluster?
What advantages does a licensing-only cluster have in implementing AD RMS?
What are the requirements for setting up the service account for AD RMS?
Which tasks use the AD RMS administrator password?
What should you consider when defining a cluster address?
Video/Demo Time
9.2.1 AD RMS Installation 4:06
9.2.2 Installing AD RMS 10:59
9.2.3 Configuring AD RMS Backup and Recovery 6:40
9.2.4 Configuring the AD RMS Service Connection Point (SCP) 2:27
Section 9.4: AD RMS Templates
Summary
In this section students will learn about using AD RMS templates. Concepts covered include:
Rights policy templates:
o Distributed rights policy templates
o Archived rights policy templates
o Exclusion policies
Tasks to create a new distributed rights policy template:
o Add template identification information
o Add user rights
o Specify an expiration policy
o Specify extended policy conditions
o Specify a revocation policy
Best practice guidelines when deploying rights policy templates with AD RMS client
Certificates or licenses that are used by AD RMS:
o Server Licensor Certificate (SLC)
o Rights Account Certificate (RAC)
o Client Licensor Certificate (CLC)
o Machine Certificate
o Publishing License
o Use License
Students will learn how to:
Create custom templates that can be distributed to users.
Configure a user exclusion policy that will restrict particular users from obtaining licenses from a specified cluster.
Server Pro: Advanced Services Exam Objectives:
7.0 Digital Rights Management.
o Manage AD RMS templates
70-412 Exam Objectives:
604 Install and configure Active Directory Rights Management Services.
o Manage RMS templates
o Configure Exclusion Policies
How can administrators deploy rights policy templates to user computers so the templates are available for offline publishing?
What is the purpose of archiving rights policy templates that are no longer being used for new documents?
What are lockbox exclusion policies?
How does the AD RMS client manage rights policy templates?
What conditions can be used to configure an expiration policy?
What is self-enrollment? How is it used in AD RMS?
Video/Demo Time
9.4.1 AD RMS Templates 1:52
9.4.2 Using AD RMS Templates 15:12
Total 17:04
Lab/Activity
Configure a Distributed Rights Policy Template
Configure a User Exclusion
Section 10.1: AD FS Overview
Summary
This section provides an overview of Active Directory Federation Services (AD FS). Concepts covered include:
The role of AD FS
Organizations that AD FS is designed for
AD FS terms:
o Account partner
o AD FS Web agent
o AD FS-enabled Web server
o Claim
o Claims-aware application
o Claim mapping
o Federation
o Federation servers
o Federation trust
o Organization claim
o Resource partner
o Security token
o Security Token Service (STS)
o Single Sign-On (SSO)
o Trust policy
o Windows token-based
Lecture Focus Questions:
What are the benefits of Active Directory Federation Services (AD FS)?
You have users in a domain who need to access a Web application in a partner domain. Which domain is the account domain, and which is the resource domain?
What is a claim? What type of information can be included in a claim?
What is the difference between a claims-aware application and a token-based application?
What is claim mapping?
What is a trust policy?
Section 10.2: AD FS Certificates
Summary
This section provides details of using AD FS certificates.
AD FS requires each server to have a certificate that is used for SSL communications
Tasks to configure AD FS server relationships:
o Issue an SSL certificate to the root CAs in both forests
o Export both root CAs’ certificates
o Enroll the SSL certificates on the AD FS servers
o Configure each server to trust its own root CA
o Configure each AD FS server to trust the root CAs from the other forest
Students will learn how to:
Enroll SSL certificates on AD FS servers.
Configure an AD FS server to trust its own root CAs.
Configure an AD FS server to trust the root CA from another forest.
70-412 Exam Objectives:
601 Implement Active Directory Federation Services 2.1 (AD FSv2.1).
o Manage AD FS certificates
Lecture Focus Questions:
What trust relationships must be configured for AD FS servers?
How do you configure an AD FS server to trust the root CA from another forest?
Which parameters do you configure when using the Certificate Enrollment wizard to request an SSL certificate?
When exporting root CA certificates, which parameters should you use?
Video/Demo Time
10.2.1 AD FS Certificates 1:33
10.2.2 Managing AD FS Certificates 11:35
Total 13:08
Section 10.3: Resource Partner
Summary
This section provides information about configuring the resource partner. Concepts covered include:
Role services that can be installed during the installation of AD FS:
o Federation Service
o Federation Service Proxy
o Claims-aware Agent
o Windows Token-based Agent
Tasks to install AD FS:
o Create SSL certificates
o Create a group managed service account
o Install the AD FS role\Run the AD FS Federation Server Configuration Wizard
The role of the resource partner
The role of federation servers
The role of the AD FS Management snap-in
Tasks to create a claims provider trust on the resource partner:
o Start the Add Claims Provider Trust Wizard
o Specify the data source
o Configure a display name
o Edit claim rules
Windows Server 2012 R2:
o AD FS can use multi-factor authentication (MFA)
o Default AD FS authentication primary methods to validate users’ identities:
  Forms Authentication
  Windows Authentication
o The process to configure MFA
o Workplace join
o Considerations when applying an authentication policy as a global
The role of account partner
The role of Federation servers
Using the AD FS Management snap-in
Tasks to create a relying party trust on the account partner:
o Start the Add Relying Party Trust Wizard
o Specify the data source
o Configure a display name
o Configure issuance authorization rules
o Edit claim rules
Students will learn how to:
Create a relying party trust on the account partner.
70-412 Exam Objectives:
601 Implement Active Directory Federation Services 2.1 (AD FSv2.1).
o Implement claims-based authentication including Relying Party Trusts
Lecture Focus Questions:
How do federation servers in the account partner organization enable single sign-on capabilities to users?
What are relying party trusts?
In which locations are relying party trusts usually created?
What functions does the account partner provide?
What is the purpose of delegation authorization rules?
Video/Demo Time
10.4.1 Configuring the Accounts Partner 8:21
Section 10.5: AD FS Proxies
Summary
This section discusses AD FS proxies. Details include:
The role of the AD FS Proxy
Tasks to configure an AD FS Proxy server:
o Export the internal AD FS server certificate
o Import AD FS server certificate
o Configure an SSL certificate on the default IIS web site
o Add an entry for the AD FS server to the hosts file
o Install the AD FS Proxy role service
o Configure the AD FS Proxy
o Configure the DNS records
Students will learn how to:
Install an AD FS proxy server.
Configure an AD FS proxy server.
70-412 Exam Objectives:
601 Implement Active Directory Federation Services 2.1 (AD FSv2.1).
o Configure AD FS proxy
Lecture Focus Questions:
What are the differences between the Federation Service and Federation Service Proxy?
How can an AD FS Proxy provide protection for your network?
How does DNS perform resolution when an AD FS proxy resides in a DMZ?
What information does the AD FS proxy server store?
For what purposes does AD FS proxy use WS-Federation Passive
Section 10.6: AD FS and Cloud Services
Summary
In this section students will learn the following facts about integrating AD FS and cloud services.
Install prerequisite software
Install Windows Azure Pack for Windows Server
Configure the AD FS server
Configure the Azure management portals to trust the AD FS server
Configure the Azure tenant authentication site to trust the AD FS server
Configure the AD FS server to trust the Azure management portals
70-412 Exam Objectives:
601 Implement Active Directory Federation Services 2.1 (AD FSv2.1).
o Integrate with Cloud Services
Lecture Focus Questions:
What are the benefits of integrating AD FS with Cloud services?
What Web Platform products must be installed before installing Windows Azure on a Windows Server?
Which management portals must the AD FS host be configured to reach?
Which transformation rules must be applied to the management portal for tenants?
Video/Demo Time
10.6.1 AD FS and Cloud Services 1:25
Section 10.7: AD FS and AD RMS
Summary
In this section students will learn about options to select if the AD RMS system needs to support users located in a different forest:
Trusted user domains
Trusted publishing domains
AD RMS federated identity support
Students will learn how to:
Configure a trusted user domain.
Configure a trusted publishing domain.
Enable Federated Identity Support on an AD RMS server.
70-412 Exam Objectives:
604 Install and configure Active Directory Rights Management Services (AD RMS).
o Manage Federated Identity support
Lecture Focus Questions:
What is a possible ramification of failing to configure trusted email domains?
What options do you have if the AD RMS system needs to support users located in a different forest?
Which option for AD RMS support poses the greatest security risk?
What are the advantages to using AD RMS Federated Identity support?
Video/Demo Time
10.7.1 AD FS and AD RMS 2:49
10.7.2 Configuring Trusted User Domains 2:51
10.7.4 Configuring Trusted Publishing Domains 3:17
10.7.6 Managing Federated Identity Support 4:10
Total 13:07
Lab/Activity
Configure a Trusted User Domain
Configure a Trusted Publishing Domain
Server Pro: Advanced Services Practice Exams
Summary
This section provides information to help prepare students to take the Server Pro: Advanced Services certification exam. Students will have the opportunity of testing their mastery of the concepts presented in this course to reaffirm that they are ready for the certification exam.
Students will typically take about 5-10 minutes (depending upon the complexity and their level of knowledge) to complete each simulation question in the following practice exams. There is no time limit on the amount of time a student can take to complete the practice exams for the following domains.
Objective 1: Advanced Active Directory Configuration (10 simulation questions)
Objective 2: Advanced Storage Management (4 simulation questions)
Objective 3: Server Data Protection (4 simulation questions)
Objective 4: Advanced DHCP and DNS Configuration (7 simulation questions)
Objective 5: High Availability Implementation (10 simulation questions)
Objective 6: Certificate Management (8 simulation questions)
Objective 7: Digital Rights Management (4 simulation questions)
The Server Pro: Advanced Services Certification Practice Exam consists of 15 simulation questions that are randomly selected from the above practice exams. Each time the Certification Practice Exam is accessed, different questions may be presented.
Microsoft 70-412 Practice Exams
Summary
This section provides information to help prepare students to take the MS 70-412 exam and to register for the exam. Students will have the opportunity of testing their mastery of the concepts presented in this course to reaffirm that they are ready for the certification exam.
Students will typically take about 1 minute to complete each question in the following practice exams. There is no time limit on the amount of time a student can take to complete the practice exams for the following domains.
Objective 100. Configure and Manage High Availability (62 questions)
Objective 200. Configure File and Storage Solutions (37 questions)
Objective 300. Implement Business Continuity and Disaster Recovery (39 questions)
Objective 400. Configure Network Services (67 questions)
Objective 500. Configure the Active Directory Infrastructure (60 questions)
Objective 600. Configure Identity and Access Solutions (112 questions)
The Microsoft 70-412 Certification Practice Exam consists of 60 questions that are randomly selected from the above practice exams. Each time the Certification Practice Exam is accessed, different questions may be presented. The Certification Practice Exam has a time limit of 2 hours. A passing score of 95% should verify that the student has mastered the concepts and is ready to take the real certification exam.
The total time for the LabSim Server Pro: Advanced Services course is approximately 40 hours and 10 minutes. The time is calculated by adding the approximate time for each section which is calculated using the following elements:
Video/demo times
Approximate time to read the text lesson (the length of each text lesson is taken into consideration)
Simulations (5 minutes assigned per simulation; of course, many students may take longer depending upon their knowledge level and experience)
Questions (1 minute per question)
The breakdown for this course is as follows:
Module Sections Time Minute HR:MM 1.0 Active Directory Infrastructure 1.1 Multi-Domain Forests 50
Appendix B: Exam 70-412: Configuring Advanced Windows Server 2012 Services Objectives
The Windows Exam 70-412: Configuring Advanced Windows Server 2012 Services certification exam covers the following objectives. In the spreadsheet below, the column to the right lists the sections where the information is located in the course:
# Objective Module.Section
100 Configure and Manage High Availability (17 percent)
101 Configure Network Load Balancing (NLB)
This objective may include but is not limited to:
Install NLB nodes
Configure NLB prerequisites
Configure affinity
Configure port rules
Configure cluster operation mode
Upgrade an NLB cluster
7.1, 7.2
102 Configure failover clustering
This objective may include but is not limited to:
Configure Quorum
Configure cluster networking
Restore single node or cluster configuration
Configure cluster storage
Implement Cluster Aware Updating
Upgrade a cluster
Configure and optimize clustered shared volumes
Configure clusters without network names
Configure storage spaces
2.6, 7.3, 7.4
103 Manage failover clustering roles
This objective may include but is not limited to:
Configure role-specific settings, including continuously available shares
Configure virtual machine (VM) monitoring
Configure failover and preference settings
104 Manage Virtual Machine (VM) movement
This objective may include but is not limited to:
Perform live migration
Perform quick migration
Perform storage migration
Import, export, and copy VMs
Migrate from other platforms (P2V and V2V)
Configure VM network health protection
Configure drain on shutdown
6.1, 7.3, 7.6
200 Configure File and Storage Solutions (16 percent)
201 Configure advanced file services
This objective may include but is not limited to:
Configure NFS data store
Configure BranchCache
Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
Configure file access auditing
2.1, 2.2, 2.3, 2.4
202 Implement Dynamic Access Control (DAC)
This objective may include but is not limited to:
Configure user and device claim types
Implement policy changes and staging
Perform access-denied remediation
Configure file classification
Create and configure Central Access rules and policies
Create and configure resource properties and lists
2.3, 2.4
203 Configure and optimize storage
This objective may include but is not limited to:
Configure iSCSI Target and Initiator
Configure Internet Storage Name server (iSNS)
Implement thin provisioning and trim
Manage server free space using Features on
DHCP failover and split scopes
Configure DHCP Name Protection
Configure DNS registration
402 Implement an advanced DNS solution
This objective may include but is not limited to:
Configure security for DNS including Domain Name System Security Extensions (DNSSEC), DNS Socket Pool, and cache locking
Configure DNS logging
Configure delegated administration
Configure recursion
Configure netmask ordering
Configure a GlobalNames zone
Analyze zone level statistics
Isolate DNSSEC key management and storage.
5.1, 5.2, 5.3
403 Deploy and manage IPAM
This objective may include but is not limited to:
Provision IPAM manually or by using Group Policy
Configure server discovery
Create and manage IP blocks and ranges
Monitor utilization of IP address space
Migrate to IPAM
Delegate IPAM administration
Manage IPAM collections
Configure IPAM database storage
4.5, 4.6, 4.7
500 Configure the Active Directory Infrastructure (18 percent)
501 Configure a forest or a domain
This objective may include but is not limited to:
Implement multi-domain and multi-forest Active Directory environments including interoperability with previous versions of Active Directory
Upgrade existing domains and forests including environment preparation and functional levels
Install and configure Active Directory Certificate Services (AD CS)
This objective may include but is not limited to:
Install an Enterprise Certificate Authority (CA)
Configure CRL distribution points
Install and configure Online Responder
Implement administrative role separation
Configure CA backup and recovery
8.1, 8.3, 8.7, 8.8
603 Manage certificates
This objective may include but is not limited to:
Manage certificate templates
Implement and manage certificate deployment, validation, and revocation
Manage certificate renewal
Manage certificate enrollment and renewal to computers and users using Group Policies
Configure and manage key archival and recovery
8.2, 8.3, 8.4, 8.5, 8.6
604 Install and configure Active Directory Rights Management Services (AD RMS)
This objective may include but is not limited to:
Install a licensing or certificate AD RMS server
Manage AD RMS Service Connection Point (SCP)
Manage RMS templates
Configure Exclusion Policies
Back up and restore AD RMS
Appendix C: Server Pro: Advanced Services Objectives
The Server Pro: Advanced Services certification exam covers the following objectives. In the spreadsheet below, the column to the right lists the sections where the information is located in the course:
# Objective Module.Section
1.0 Advanced Active Directory Configuration
Raise the functional level of an Active Directory forest.
Create forest root, cross-forest, external, shortcut, and realm trusts.
Manage sites, subnets, and site links.
Configure site replication.
Implement read-only domain controllers.
1.1, 1.2, 1.3, 1.5, 1.6, 1.7, 1.8
2.0 Advanced Storage Management
Implement NFS to support UNIX/Linux systems.
Implement Dynamic Access Control (DAC).
Implement an iSCSI SAN.
Migrate virtual machine storage.
2.1, 2.3, 2.4, 2.5, 7.6
3.0 Server Data Protection
Configure server backups.
Enable shadow copies.
Restore server data from backup.