
Page 1: Windows Server 2012 R2 - First Look Clinic - Firebrand Training · 2016-05-20 · “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T

40005C First Look Clinic: What Is New in Windows Server® 2012 R2?

ii First Look Clinic: What Is New in Windows Server 2012?

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2013 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 40005C

Released: 10/2013

MICROSOFT LICENSE TERMS

MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active Microsoft Partner Network program member in good standing.

l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,

viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and

ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or

2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,

viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,

v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,

viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.

ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third party content are included for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its technology, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

• access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,

• alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,

• modify or create a derivative work of any Licensed Content,

• publicly display, or make the Licensed Content available for others to access or use,

• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,

• work around any technical limitations in the Licensed Content, or

• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content is offered "as is". Any use of this licensed content is at your own risk. Microsoft gives no other express warranty. You may benefit from additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits. This limitation applies to:

• anything related to the licensed content, to services or to content (including code) on third party Internet sites or in third party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.

Revised July 2013

Welcome! Thank you for taking our training I We've worked together with our Microsoft Certified Partners

for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning experience-whether you're a professional looking to advance your skills or a student preparing for a career in IT

• Microsoft Certified Trainers and Instructors-Your instructor is a technical and

instructional expert who meets ongoing certification requirements. And, if instructors are delivering training at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the year· by students and by Microsoft.

• Certification Exam Benefits. After training, consider taking a Microsoft Certification exam. Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate you when finding a job or boosting your career. In fact, independent research by IDC concluded that 75% of managers believe certifications are important to team performance.† Ask your instructor about Microsoft Certification exam promotions and discounts that may be available to you.

• Customer Satisfaction Guarantee. Our Certified Partners for Learning Solutions offer a satisfaction guarantee and we hold them accountable for it. At the end of class, please complete an evaluation of today's experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely,

Microsoft Learning www.microsoft.com/learning

† IDC, Value of Certification: Team Certification and Organizational Performance, November 2006


Acknowledgments

Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Damir Dizdarevic – Content Developer / Course Designer

Damir Dizdarevic is an MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified Technology Specialist (MCTS), and a Microsoft Certified Information Technology Professional (MCITP). He is a manager and trainer of the Learning Center at Logosoft d.o.o., in Sarajevo, Bosnia and Herzegovina. He also works as a consultant on IT infrastructure and messaging projects. Damir has more than 17 years of experience on Microsoft platforms, and he specializes in Windows Server®, Exchange Server, security, and virtualization. He has worked as a subject matter expert and technical reviewer on many Microsoft Official Courses (MOC), and has published more than 400 articles in various IT magazines, such as Windows ITPro and INFO Magazine. He is also a frequent and highly rated speaker at most Microsoft conferences in Eastern Europe. Additionally, Damir is a Microsoft Most Valuable Professional (MVP) for Windows Server, 7 years in a row. His technical blog is available at http://dizdarevic.ba/ddamirblog.

Mitch Garvis – Technical Reviewer

Mitch Garvis is a Renaissance Man of the IT world. In addition to being a Virtual Technical Evangelist for Microsoft Canada, he is also a senior partner with SWMI Consulting Group. Among his numerous certifications are several MCITPs and the new MCSE: Private Cloud. He lectures and trains on a variety of topics including System Center, server virtualization, desktop deployment, and security. You can read his blog at www.garvis.ca and follow him on Twitter as @MGarvis. In his spare time he likes to break things, and has recently earned his Second Degree Black Belt in Taekwondo. He makes his home outside Toronto, Canada where he has a wife, two kids, two dogs, and three minutes to himself every day.


Contents

Module 1: Managing AD DS, Server and Storage in Windows Server 2012 R2

Lesson 1: What Is New in AD DS of Windows Server 2012 R2? 1-2
Lesson 2: What Is New in Server Management and Security in Windows Server 2012 R2? 1-13
Lesson 3: What Is New in High Availability in Windows Server 2012 R2? 1-18
Lesson 4: What Is New in Storage Management in Windows Server 2012 R2? 1-24

Module 2: Networking in Windows Server 2012 R2

Lesson 1: Network Services in Windows Server 2012 R2 2-2
Lesson 2: IPAM in Windows Server 2012 R2 2-10

Module 3: Hyper-V in Windows Server 2012 R2

Lesson 1: Virtual Machine Enhancements 3-2
Lesson 2: Storage Enhancements in Hyper-V on Windows Server 2012 R2 3-9
Lesson 3: Hyper-V Networking Improvements 3-14
Lesson 4: Hyper-V Availability Improvements 3-21


About This Clinic

This section provides you with a brief description of the clinic, audience, suggested prerequisites, and clinic objectives.

Clinic Description

This three-hour clinic introduces you to the key new features in Windows Server® 2012 R2. It outlines the new features in AD DS, networking, storage management, Windows PowerShell®, and Hyper-V®. It also covers high availability enhancements in various scenarios.

Audience

This clinic is intended for IT Professionals who are interested in learning about the new features and functionality in Windows Server 2012 R2. People who are key influencers and technology decision makers in an IT organization will also be interested in attending this clinic and will benefit from gaining early insight into some of the latest technologies included in Windows Server 2012 R2. In general, early adopters of new technology or people looking to gain early insight into new functionality in Windows Server 2012 R2 will benefit from attending this First Look Clinic.

Student Prerequisites

This clinic requires that you meet the following prerequisites:

• Working experience and background knowledge of:

• Windows Server 2012

• Windows Server 2008 or Windows Server 2008 R2

• Windows Vista® or Windows® 7

• Hyper-V®

• Basic understanding of AD DS, DNS, DHCP, and general networking and storage technologies.

Clinic Objectives

After completing this Clinic, students will be able to:

• Describe the new features in AD DS in Windows Server 2012 R2.

• Describe the new features in server management in Windows Server 2012 R2.

• Describe the new features in high availability in Windows Server 2012 R2.

• Describe the new features in storage management in Windows Server 2012 R2.

• Describe network services in Windows Server 2012 R2.

• Describe IPAM in Windows Server 2012 R2.

• Describe Hyper-V clustering enhancements.

• Describe Hyper-V Replica enhancements.

• Describe Live Migration enhancements.


Clinic Outline

The clinic consists of three modules, as shown below.

Module 1: Managing AD DS, Server, and Storage in Windows Server 2012 R2

Module 2: Networking in Windows Server 2012 R2

Module 3: Hyper-V in Windows Server 2012 R2

Clinic Materials

The following materials are included with your kit:

• Clinic Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

• Clinic evaluation. At the end of the clinic, you will have the opportunity to complete an online evaluation to provide feedback on the Clinic, training facility, and instructor.

• To provide additional comments or feedback on the Clinic, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send email to [email protected].


Module 1: Managing AD DS, Server and Storage in Windows Server 2012 R2

Contents:

Module Overview 1-1

Lesson 1: What Is New in AD DS in Windows Server 2012 R2? 1-2

Lesson 2: What Is New in Server Management and Security in Windows Server 2012 R2? 1-13

Lesson 3: What Is New in High Availability in Windows Server 2012 R2? 1-18

Lesson 4: What Is New in Storage Management in Windows Server 2012 R2? 1-24

Module Review and Takeaways 1-31

Module Overview

Windows Server 2012 R2 includes many enhancements in Active Directory Domain Services (AD DS), server, and storage management. Active Directory Federation Services (AD FS) includes new technologies such as Web Application Proxy. The concept of Bring Your Own Device (BYOD) is supported by Work Folders and Workplace Join. On the server administration side, the Windows PowerShell command-line interface has been updated to a new version, Windows PowerShell 4.0. Also, Windows Server 2012 R2 provides several improvements in high availability and storage management. In this module, you will learn about the new features and enhancements in AD DS, high availability, server, and storage management in Windows Server 2012 R2.

Objectives

After completing this module, you will be able to:

• Describe the new features in AD DS in Windows Server 2012 R2.

• Describe the new features in server management in Windows Server 2012 R2.

• Describe the new features in high availability in Windows Server 2012 R2.

• Describe the new features in storage management in Windows Server 2012 R2.

Lesson 1: What Is New in AD DS in Windows Server 2012 R2?

AD DS in Windows Server 2012 R2 includes enhanced features to support the BYOD concept. Technologies such as Web Application Proxy, Workplace Join, and Work Folders help users to access their data from various devices in a secure way. In this lesson, you will learn about the AD DS enhancements in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe AD FS.

• Describe the purpose and functionality of Web Application Proxy.

• Describe the purpose and functionality of a Workplace Join.

• Describe the purpose and functionality of Work Folders.

• Implement and configure Work Folders.

• Describe Group Policy enhancements.

Overview of AD FS

You can use identity federation to provide identification, authentication, and authorization across organizational and platform boundaries. You can implement identity federation within a single organization to enable access to diverse web applications, or between two organizations that have an established trust relationship.

To establish an identity federation partnership, both partners agree to create a federated trust relationship. This federated trust is based on an ongoing business relationship, and it enables the organizations to implement business processes that are identified in the business relationship.

AD FS is the Microsoft implementation of an identity federation solution that uses claims-based authentication. AD FS provides mechanisms to implement both identity provider and service provider components in an identity federation deployment.

AD FS provides the following features:

• Enterprise claims provider for claims-based applications. You can configure an AD FS server as a claims provider, which means that it can issue claims about authenticated users. This enables an organization to provide its users with access to claims-aware applications in another organization by using single sign-on (SSO).

• Federation Service provider for identity federation across domains. This service offers federated web SSO across domains, which enhances security and reduces overhead for information technology (IT) administrators.


Note: The Windows Server 2012 version of AD FS is built on AD FS version 2.0, which is the second generation of AD FS released by Microsoft. The first version, AD FS 1.0, required AD FS Web Agent to be installed on all Web servers that used AD FS, and it provided both claims-aware and Windows NT token–based authentication. AD FS 1.0 did not support active clients, but it did support Security Assertion Markup Language (SAML) tokens.

AD FS Features

The following list describes some of the key features of AD FS:

• Web SSO. In many organizations, AD DS is deployed as a main authentication service. After authenticating to AD DS through Integrated Windows authentication and the Kerberos version 5 protocol, users can access all other resources that they have permission to access within the AD DS domain and forest boundaries. AD FS extends this capability to intranet or Internet-facing applications, enabling customers, partners, and suppliers to have a similar SSO user experience when they access an organization’s web-based applications.

• Web services interoperability. AD FS supports and provides compatibility with Web services specifications, which are also known as WS-* specifications. AD FS employs the federation specification called Web Services Federation (WS-Federation), which enables organizations that do not use the Windows identity model to federate with Windows environments.

• Passive and smart client support. Because AD FS is based on the WS-* architecture, it supports federated communications between any WS-enabled endpoints, including communications between servers and passive clients, such as browsers. AD FS on Windows Server 2012 also enables access for Simple Object Access Protocol (SOAP)–based smart clients, such as mobile phones, personal digital assistants, and desktop applications. AD FS implements the WS-Federation Passive Requestor Profile and some of the WS-Federation Active Requestor Profile standards for client support.

• Extensible architecture. AD FS has a very extensible architecture, and it supports various security token types, such as SAML tokens and Kerberos authentication through Integrated Windows authentication, in addition to the ability to perform custom claims transformations. For example, AD FS can convert from one token type to another, or it can add custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructures and business policies.

• Enhanced security. AD FS also increases the security of solutions where federation is implemented. It does that by delegating responsibility for account management to the organization that is closest to the user. Each organization in a federation continues to manage its own identities, and each is capable of securely sharing and accepting identities and credentials from other members’ sources.

The version of AD FS that ships with Windows Server 2012 includes several new features:

• Integration with the Windows Server 2012 operating system. In Windows Server 2012, AD FS is included as a server role that you can install by using Server Manager. When you install the server role, all required operating system components install automatically.

• Integration with Dynamic Access Control. When you deploy Dynamic Access Control, you can configure the user and device claims that AD DS domain controllers issue. AD FS can consume the AD DS claims that domain controllers issue. This means that AD FS can make authorization decisions based on both user and computer accounts.

• Windows PowerShell cmdlets for administering AD FS. Windows Server 2012 provides several new cmdlets that you can use to install and configure the AD FS server role.

What Is New in AD FS in Windows Server 2012 R2?

The version of AD FS included with Windows Server 2012 is the same version of AD FS that you can download as a separate package for Windows Server 2008 R2.

The version of AD FS included with Windows Server 2012 R2 is new, and it has additional features for multifactor authentication and different installation requirements.

The version of AD FS included with Windows Server 2012 required the installation of Internet Information Services (IIS) 8.0. Partly because of this IIS requirement, the installation of AD FS on domain controllers was not recommended for Windows Server 2012. In Windows Server 2012 R2, AD FS does not require the installation of IIS, and installation on a domain controller is now acceptable.

During the installation of AD FS for Windows Server 2012, you had an option to install AD FS as a stand-alone server. This option was useful for test environments, but it was not recommended for production environments because there were no options for expansion after installation. AD FS installation in Windows Server 2012 R2 does not include the option to install a stand-alone server. Instead, you install a single-server farm, which can be expanded later.

Enhanced Authentication

The authentication methods available in AD FS are enhanced in Windows Server 2012 R2 to provide greater flexibility. You can configure authentication policies with global scope for all applications and services. You also can configure authentication policies that apply only to specific applications, specific devices, or clients in a specific location.

Multifactor authentication is another new feature in the Windows Server 2012 R2 version of AD FS. By default, AD FS allows the use of certificates for multifactor authentication. You also can integrate third-party providers for multifactor authentication to provide additional authentication methods.

New Claims Types

Claims types in AD FS are information that is passed to the authenticating system for evaluation. To support additional devices and multifactor authentication, AD FS in Windows Server 2012 R2 includes additional claim types that are not in AD FS in Windows Server 2012. Most of the new claims types are related to device and certificate characteristics. Some examples of the new claims types are:

• Client application

• Device operating system type

• Device operating system version

• Public key

• Thumbprint

• Inside corporate network

• Password expiration time

Web Application Proxy

Windows Server 2012 R2 includes a Web Application Proxy role service for remote access. A Web Application Proxy in a perimeter network provides secure remote access to web-based applications hosted on an internal network. You can use Web Application Proxy to provide access to AD FS servers on an internal network as an alternative to the AD FS proxy included with Windows Server 2012.


Overview of Web Application Proxy

Web Application Proxy in Windows Server 2012 R2 is a role service in the remote access role. You can use it to secure remote access to web-based applications on your internal network. It functions as a reverse proxy for web-based applications.

You should place Web Application Proxy in a perimeter network. External clients that access web-based applications initiate connections with Web Application Proxy. Web Application Proxy then connects to the web-based application on the internal network. You do not require any client-specific configuration to use Web Application Proxy.

When you implement Web Application Proxy, you protect an internal, web-based application from any malformed packets or requests that might result in a security breach. For example, Web Application Proxy can protect against a zero-day vulnerability that produces malformed requests, which could result in a denial of service attack on a server that hosts a web-based application. Web Application Proxy will drop invalid requests before they reach the web-based application on an internal network.

Authentication

You can configure Web Application Proxy to use AD FS preauthentication or pass-through authentication. When you use AD FS preauthentication, AD FS authenticates a user request before it passes to an internal, web-based application. This ensures that only authorized users can send data to a web-based application. You must configure a web-based application to use AD FS authentication.

When you use pass-through authentication, no preauthentication is performed and valid requests pass to web-based applications on an internal network without performing authentication on a user. Any authentication for an application is performed by the application only after a user is connected.

To install Web Application Proxy, AD FS must be implemented in your organization already. All configuration information for Web Application Proxy is stored in AD FS. This applies even when you are not using AD FS preauthentication.

Many organizations need to provide authentication for users and devices that are located on a network that is external to the organization. In most cases, allowing clients to access an AD FS server located on an internal network directly from the Internet is an unacceptable security risk. To allow clients on the Internet to access AD FS, an AD FS proxy is strongly recommended.

An AD FS proxy is a reverse proxy in a perimeter network that is specifically for AD FS. Clients from the Internet communicate with the AD FS proxy in the perimeter network instead of directly with the AD FS server. The AD FS proxy mitigates the risks associated with Internet connectivity for AD FS.

In Windows Server 2012, you can install an AD FS proxy as part of an AD FS installation. In Windows Server 2012 R2, you can configure Web Application Proxy as an AD FS proxy.
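The two deployment choices described above, as an added example that is not part of the course: Web Application Proxy installed as the AD FS proxy, then one application published with AD FS preauthentication beside one published with pass-through, so the difference is visible in configuration. Host names app.adatum.com and legacy.adatum.com, the relying party trust name 'HR App', and the certificate thumbprint placeholders are assumptions, not values from the text.

```powershell
# Added example (not part of the course): Web Application Proxy on a Windows Server 2012 R2
# perimeter server, configured as the AD FS proxy and publishing two internal applications.
# Assumptions, not taken from the page: app.adatum.com, legacy.adatum.com, the relying party
# trust name 'HR App', and the thumbprint placeholders below.
$FsName  = 'adfs.adatum.com'
$FsCert  = '<THUMBPRINT-OF-adfs.adatum.com-CERT>'    # must be the same certificate as on the internal AD FS server
$AppCert = '<THUMBPRINT-OF-app.adatum.com-CERT>'
$LegCert = '<THUMBPRINT-OF-legacy.adatum.com-CERT>'

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# One-time trust with the internal AD FS server. The credential is a local administrator on that
# server; afterwards all proxy configuration is stored in AD FS, which is why AD FS must exist first.
$trustCred = Get-Credential -Message 'Local administrator on the AD FS server'
Install-WebApplicationProxy -CertificateThumbprint $FsCert `
                            -FederationServiceName $FsName `
                            -FederationServiceTrustCredential $trustCred

# AD FS preauthentication: the proxy only forwards requests from users AD FS has already
# authenticated, so unauthenticated traffic never reaches the internal application.
Add-WebApplicationProxyApplication -Name 'HR App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'HR App' `
    -ExternalUrl 'https://app.adatum.com/' `
    -BackendServerUrl 'https://app.adatum.com/' `
    -ExternalCertificateThumbprint $AppCert

# Pass-through: malformed requests are still dropped at the proxy, but every well-formed
# request reaches the application unauthenticated, and the application must authenticate
# the user itself.
Add-WebApplicationProxyApplication -Name 'Legacy App' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://legacy.adatum.com/' `
    -BackendServerUrl 'https://legacy.adatum.com/' `
    -ExternalCertificateThumbprint $LegCert

# Periodic review: list everything published without preauthentication.
Get-WebApplicationProxyApplication |
    Where-Object ExternalPreauthentication -eq 'PassThrough' |
    Select-Object Name, ExternalUrl, BackendServerUrl
```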

Authentication Process

An internal AD FS server uses Windows authentication to prompt for authentication. This works well for internal, domain-joined computers that can pass workstation credentials to AD FS automatically. This prevents users from seeing a request for authentication credentials.

When computers that are not domain-joined communicate with AD FS, users are presented with a logon prompt that is presented by a web browser. This logon prompt asks for a user name and password, but provides no context.


When you use an AD FS proxy, an authentication web page is provided for computers that are not domain-joined. This provides better compatibility than browser-based Windows authentication for AD FS clients that use non-Microsoft operating systems. You also can customize the web page to provide more context for users, such as a company logo.

Domain Name System (DNS) Resolution

To provide seamless movement between internal and external networks, the same host name is used when accessing AD FS internally and externally. On the internal network, the AD FS host name resolves to the IP address of the internal AD FS server. On the external network, the AD FS host name resolves to the IP address of the AD FS proxy. In both cases, the AD FS host name is different from the host names of the computers that host the AD FS roles.

Certificates

The certificate used on an internal AD FS server has a subject name that is the same as the host name for AD FS—for example, adfs.adatum.com. Because the same host name is used to access AD FS internally and externally through the AD FS proxy, you need to configure the AD FS proxy with the same certificate as the AD FS server. If the certificate subject does not match the host name, AD FS authentication will fail.

Overview of Workplace Join

The number of devices that people use every day grows. Besides using these devices for consumer purposes, more and more people expect to be able to access their business data on various types of devices. As we constantly use information technology throughout the day, traditional boundaries between work and home are becoming blurred.

In the past, users mostly accessed email from private devices such as laptops, smart phones, and tablets. Today, more and more companies are promoting the BYOD concept, where users are allowed to use devices of their own choosing to do their work. In a BYOD scenario, users do not have dedicated business and private computers. On the contrary, they can use any device that they prefer for both private and business use. In this scenario, users select and customize devices to fit their personalities, activities, and schedules.

In such scenarios, it is important that administrators have the ability to let users with non-company devices access company resources when they are in the workplace, but also when they are at home or traveling. Most users will not want or be able to join their private devices to a company’s AD DS domain. Some also might use non-Microsoft devices, such as iPads or Android-based devices.

In Windows Server 2012 R2, Microsoft has provided a new technology to address BYOD scenarios. With this technology, users can access business data with their own devices and with the same or similar user experience as if they were using domain-joined computers. This technology, named Workplace Join, follows the BYOD concept from both the administrator’s and the user’s perspective.

With Workplace Join technology, users are able to join their devices to company networks in a new way. Instead of joining the device to the AD DS domain, Workplace-Joined devices become known devices. A known device is one that is allowed access to company resources, and the user of the device is given an SSO experience when accessing company resources and applications. Known devices store a subset of their attributes in AD DS. This means that these attributes can be used to manage conditional access for authorization. Also, it is possible to implement multifactor authentication for additional security.

To use Workplace Join, you must have Windows Server 2012 R2 with the AD FS role service installed. On the client side, you must use the Windows 8.1 client operating system or iOS-based devices such as the iPad.

A new service in AD FS called Device Registration Service (DRS) is responsible for making Workplace Join possible. When users initiate a Workplace Join process from their machines, DRS provisions a device object in AD DS and also issues a certificate for the Workplace-Joined device. This certificate is later used to represent device identity when accessing company resources. By default, this service works internally, which means that you have to connect a user’s device to the internal network to make it a known device. However, if used with Web Application Proxy, it also can be published to the Internet.

One of the most important benefits of Workplace Join, from a user’s perspective, is the SSO experience. When they use known devices, users will be prompted for their domain credentials only once during the lifetime of the SSO session, as if they were using domain-joined devices. However, an administrator can enforce a password prompt or reauthentication of some resources.

Note: When using Workplace-Joined known devices, users are still required to have valid domain user credentials.

To enable Workplace Join in a domain, administrators have to perform several preparation steps. You must install the AD FS role service, configure it, and then enable usage of the DRS.

First, you have to create the appropriate Group Managed Service Account by executing the following cmdlets.

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa -DNSHostName adfs.adatum.com -ServicePrincipalNames http/adfs.adatum.com

After this, you install and configure the AD FS role service to use the service account created in the previous step, and then you enable DRS by using these two Windows PowerShell cmdlets.

Enable-AdfsDeviceRegistration -PrepareActiveDirectory
Enable-AdfsDeviceRegistration

After these two cmdlets execute, you should open the AD FS Management console on your federation server, and in the AD FS Management Console, navigate to Authentication Policies. There, you should click Edit Global Primary Authentication, and then select the Enable Device Authentication check box.

On your federation server, you must have a Secure Sockets Layer (SSL) certificate installed. In the certificate, you should have the name of your federation server—in this example, it is adfs.adatum.com—and also the enterpriseregistration.adatum.com name. This enterpriseregistration name is the preconfigured name that clients look for in DNS when they want to perform Workplace Join.

To make this work, you must have the following records created in your DNS zone (adatum.com in this example):

• adfs: an A (host) record pointing to the IP address of the AD FS server

• enterpriseregistration: a CNAME (alias) record pointing to adfs.adatum.com
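The whole preparation procedure above (service account, certificate, AD FS farm, DRS, device authentication, DNS records), as an added example that is not part of the course. The domain NetBIOS name ADATUM, the AD FS server address 10.0.0.20, and the certificate thumbprint placeholder are assumptions; the cmdlets follow the steps as the text gives them, with a certificate check added before the farm is installed.

```powershell
# Added example (not part of the course): scripts the Workplace Join preparation steps
# described above for a Windows Server 2012 R2 federation server.
# Assumptions, not taken from the page: NetBIOS domain ADATUM, the AD FS server address
# 10.0.0.20 (constructed), and the certificate thumbprint placeholder.
$Domain         = 'adatum.com'
$FsName         = "adfs.$Domain"                    # federation service name used in the text
$DrsName        = "enterpriseregistration.$Domain"  # fixed name that clients look up in DNS
$AdfsServerIp   = '10.0.0.20'                       # constructed placeholder
$CertThumbprint = '<THUMBPRINT-OF-ADFS-SSL-CERT>'   # placeholder; replace with the real one

# --- On a domain controller: KDS root key and the group Managed Service Account ---
# AddHours(-10) makes the key usable immediately (a lab shortcut); in production, create the
# key with the default effective time and wait for it to replicate instead of back-dating it.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa -DNSHostName $FsName -ServicePrincipalNames "http/$FsName"

# --- On the federation server: check the certificate before installing the farm ---
# Both names must be present in the certificate, otherwise Workplace Join clients fail TLS
# validation when they contact enterpriseregistration.<domain>.
$cert    = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
$missing = @($FsName, $DrsName) | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { throw "Certificate $CertThumbprint lacks the names: $($missing -join ', ')" }

# Single-server farm using the gMSA created above (the only farm type in 2012 R2).
Install-AdfsFarm -CertificateThumbprint $CertThumbprint `
                 -FederationServiceName $FsName `
                 -GroupServiceAccountIdentifier 'ADATUM\FsGmsa$'

# Device Registration Service: the two cmdlets from the text, then device authentication,
# which is the scripted form of the Enable Device Authentication check box.
Enable-AdfsDeviceRegistration -PrepareActiveDirectory   # run as an enterprise administrator
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# --- On the DNS server: the two records listed above ---
Add-DnsServerResourceRecordA     -ZoneName $Domain -Name 'adfs' -IPv4Address $AdfsServerIp
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name 'enterpriseregistration' -HostNameAlias $FsName

# Verify the alias the way a client will resolve it.
Resolve-DnsName -Name $DrsName -Type CNAME | Format-Table Name, Type, NameHost
```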


Overview of Work Folders

For various reasons, storing user data only on the local hard drive of a computer or a tablet is insecure and inefficient. Because users commonly use more than one device, it is hard to keep these devices synchronized with business data, and it is hard to back up and protect this data efficiently.

As a result, users often use services such as Microsoft SkyDrive to store their data and to keep all their devices synchronized. However, these services are made for consumer data—not business data. Administrators cannot control the behavior of services such as SkyDrive on a user’s private computer, which makes it hard to implement in business environments.

On the other hand, users who have mobile computers or laptops that are members of a company’s AD DS domain often need to access company data while they are offline. Until now, Offline Files has been used mostly to keep important data available locally on a user’s computer, even when it was not connected to the network. However, Offline Files were synchronized only when the user connected to the company’s local network. If the user was offline for a long time, there was a high likelihood that they were working on old copies of data.

To overcome these problems, in Windows Server 2012 R2 and Windows 8.1, Microsoft has implemented a new technology named Work Folders. This technology enables users to access their business data independently of their location, and it enables administrators to manage the data and settings of this technology.

The main purpose of Work Folders is to provide access to the latest data, no matter where the user is located, internally or externally. Also, by using Work Folders, administrators can manage data and a user’s connections to Work Folders. The administrator can enforce the encryption of Work Folders and can control which users can use this functionality. The administrator also can enforce some security settings on the device that uses Work Folders, even if it is not a domain member.

Users can use Work Folders on various types of devices while they are in a local network, but also when they are out of the network—for example, while they are at home or traveling. You can publish Work Folders to the Internet by using Web Application Proxy functionality, also specific to Windows Server 2012 R2, which allows users to synchronize their data whenever they have an Internet connection.

Note: Currently, Work Folders are available only for Windows 8.1 client operating systems. Support for Work Folders also will be provided for Windows 7, Windows 8, and iOS-based devices such as iPad.


The following table lists the comparison between similar technologies for managing and accessing user data.

Configuring Work Folders

To use Work Folders, you should have at least one Windows Server 2012 R2 file server and at least one Windows Server 2012 R2 domain controller in your network. Work Folders is a role service of the File and Storage Services server role, and you can install it by using Server Manager. As a best practice, you should install File Server Resource Manager and Data Deduplication functionality if you want to manage user data more efficiently. However, this is not mandatory.

Note: When you install Work Folders functionality, IIS Hostable Web Core and IIS Management tools also will be installed. You do not have to configure any IIS settings, but you must assign a trusted SSL certificate to your file server in the IIS Manager console and bind it to port 443 on the Default Web Site. The certificate’s subject should include the file server’s name and, if different, the name under which you plan to publish your Work Folders.

After you install Work Folders functionality, you should provision a share where users’ data will be stored. You can store a share on any location that is accessible to and controlled by the file server where you installed Work Folders. When you create a root share, we recommend that you retain the default values for Share and NTFS file system permissions and that you enable access-based enumeration.

After you create a root share where users’ Work Folders will be located, you should start New Sync Share Wizard to create the Work Folders structure. You should select the root folder that you provisioned as a share, and you also should choose the format for naming subfolders. It can be a user alias, or alias@domain. If you have more than one domain in your AD DS forest, you should choose the alias@domain naming format.

You can control Sync Access by explicitly listing users who will be able to use the Work Folders structure that you made, or by specifying a group. We recommend that you specify a group for later, easier administration. Also, we recommend that you disable permission inheritance for Work Folders so that each user has exclusive access to his or her files. Finally, you can enforce additional security settings on devices that access Work Folders: you can require encryption of Work Folders data and an automatic lock screen with password requirements.

Note: Enforcement of security settings related to Work Folders is not achieved by using Group Policy. These settings are enforced when a user establishes the Work Folders connection, and they are applied on computers that are domain-joined and on computers that are not domain-joined.

Configuring Clients to Use Work Folders

Windows 8.1 clients can be configured to use Work Folders manually or by using Group Policy. For domain-joined computers, it is easier to configure settings by using Group Policy, but non-domain clients have to be configured manually.

If you use Group Policy to configure Work Folders automatically, there are two places where you should look. Work Folders are user-based, so configuration is performed in the user part of the Group Policy Object (GPO). When you open the Group Policy Management Editor, navigate to User Configuration\Policies\Administrative Templates\Windows Components\Work Folders. Then, open the Specify Work Folders settings policy and enable it. You also have to configure the Work Folders URL. This URL is the location of the file server where you enabled Work Folders; it usually is https://fileserverFQDN. In this same GPO setting, you have the option to force automatic setup for each user. However, you should consider this option cautiously. If you enable this option, all users this GPO applies to will have their Work Folders configured on each device they log on to, without being prompted to do so. In some scenarios, you might not want this outcome.

You also can manage some Work Folders settings in the computer part of the GPO. If you navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Work Folders, you will find the option to force automatic setup of Work Folders for all users. Computers that have this GPO setting applied will configure Work Folders for every user that logs on.

After you apply these Group Policy settings to the users’—and optionally the computers’—domain, users can start using Work Folders.

If you also want to enable Work Folders on a non-domain joined computer—for example, on a tablet that an employee is using—you have to make manual configurations by using the Work Folders item in the Control Panel of Windows 8.1. You will have to provide a valid user name and password for the domain account that is allowed to use Work Folders, in addition to a file server URL.

Demonstration: Implementing and Configuring Work Folders

In this demonstration, you will see how to configure Work Folders on Windows Server 2012 R2.

Demonstration Steps

Installing Work Folders functionality

1. Sign in to LON-SVR1 as Adatum\Administrator with password Pa$$word.

2. Start Server Manager.

3. Add the Work Folders role service by using the Add Roles and Features Wizard.

4. Open Internet Information Services (IIS) Manager console.


5. Create a domain certificate for lon-svr2.adatum.com as follows:

o Common name: lon-svr2.adatum.com

o Organization: Adatum

o Organizational unit: IT

o City/locality: Seattle

o State/province: WA

o Country/region: US

6. Assign this certificate to the https protocol on the Default Web Site.

Share provisioning

1. On LON-SVR2, in Server Manager, expand File and Storage Services, and then click Shares.

2. Start the New Share Wizard.

3. Select the SMB Share – Quick profile.

4. Name the share WF-Share.

5. Enable access-based enumeration.

6. Leave all other options on default values.

Configuring and implementing Work Folders

1. On LON-SVR2, in Server Manager, expand File and Storage Services, and then select Work Folders.

2. Start the New Sync Share Wizard.

3. Select the share that you created in the previous step: WF-Share.

4. Use User alias for the structure for user folders.

5. Grant access to the WFSync user group.

6. Switch to LON-DC1.

7. Open Group Policy Management.

8. Create a new GPO, and then name it Work Folders GPO.

9. Open the Group Policy Management Editor for Work Folders GPO.

10. Expand User Configuration\Policies\Administrative Templates\Windows Components, and then click Work Folders.

11. Enable the Work Folders support, and then type https://lon-svr2.adatum.com as the Work Folders URL.

12. Link the Work Folders GPO to the domain.
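The same server-side configuration and GPO steps as a Windows PowerShell script, added here as an example and not part of the course demonstration. It uses the Adatum lab names from the demonstration; the share path D:\WF-Share and the Work Folders registry policy path are assumptions, and the GPO step needs the Group Policy Management feature (or can be run on LON-DC1 instead).

```powershell
# Added example; not part of the course demonstration. Automates the server-side steps
# of the demonstration (install, share, sync share, certificate binding, GPO) with the
# Adatum lab names. The share path D:\WF-Share and the registry policy path are assumptions.
# Run in an elevated Windows PowerShell 4.0 session on the Windows Server 2012 R2 file server.

$SharePath  = 'D:\WF-Share'            # assumed local root folder for user data
$ShareName  = 'WF-Share'               # share name used in the demonstration
$SyncGroup  = 'Adatum\WFSync'          # group granted sync access in the demonstration
$ServerFqdn = 'lon-svr2.adatum.com'    # name clients will use in the Work Folders URL

# 1. Install the Work Folders role service; IIS Hostable Web Core is pulled in with it.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools | Out-Null

# 2. Provision the root share with access-based enumeration. The share-level default of
#    the New Share Wizard (Everyone: Full Control) is kept; effective access is controlled
#    by the per-user NTFS ACLs that the sync share creates.
if (-not (Test-Path $SharePath)) { New-Item -Path $SharePath -ItemType Directory | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess 'Everyone' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# 3. Create the sync share. 'user' is the "User alias" folder-naming format; permission
#    inheritance is left disabled so each user gets exclusive access to their own folder.
#    Encryption and password auto-lock are enforced on every device, domain-joined or not.
New-SyncShare -Name $ShareName -Path $SharePath -User $SyncGroup `
    -UserFolderName 'user' -RequireEncryption $true -RequirePasswordAutoLock $true | Out-Null

# 4. Bind a trusted certificate for the file server to HTTPS on the Default Web Site.
#    The demonstration requests the certificate in IIS Manager; here it is looked up by subject.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServerFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $ServerFqdn in LocalMachine\My; request one first." }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
# The IIS: drive exposes SSL bindings; creating the item with the certificate object binds it.
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 5. Group Policy: create the GPO, set the Work Folders URL for users, and link it.
#    The registry path and value names are assumed from WorkFolders.admx (verify against
#    your copy). Forced automatic setup (AutoProvision) is deliberately left off.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'Work Folders GPO'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders' `
    -ValueName 'SyncUrl' -Type String -Value "https://$ServerFqdn" | Out-Null
New-GPLink -Name $gpo.DisplayName -Target 'DC=adatum,DC=com' | Out-Null

# 6. Verify what was enforced. Clients can only connect if 443 carries a trusted certificate.
Get-SyncShare -Name $ShareName |
    Select-Object Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock
Get-WebBinding -Name 'Default Web Site' -Protocol https
```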


Group Policy Enhancements

Group Policy is one of the main mechanisms for managing both users and computers in an AD DS environment. In Windows Server 2012 R2, Group Policy is enhanced with the following functionalities:

• Support for IPv6. Windows Server 2012 R2 support for the IPv6 protocol is improved compared to previous Windows Server versions. Group Policy now supports IPv6 with printers, item-level targeting, and VPN network configuration.

• Policy caching. To improve Group Policy processing performance in scenarios where latent or unreliable connections to a domain controller are present, Group Policy is now cached in a client’s local store. When connectivity to a domain controller is present, the Group Policy client downloads and caches the latest GPO version. When the computer restarts, it reads the most recent version of Group Policy from its local cache instead of initiating a download from the domain controller. Therefore, Group Policy processing time is reduced. This feature can be useful for clients on DirectAccess connections. Group Policy caching is configurable by the policy called Configure Group Policy Caching.

• More detailed logging. Group Policy events provided in the operational log are now more detailed. You can now find information such as how long it takes to download and process GPOs, or details about Windows Management Instrumentation processing. By having this information, you can better analyze and troubleshoot slow logon issues.

Lesson 2 What Is New in Server Management and Security in Windows Server 2012 R2?

Server management in Windows Server 2012 R2 has been enhanced. This version includes an updated version of Windows PowerShell, new features in Windows Deployment Services (Windows DS), and numerous enhancements in security and protection technologies. In this lesson, you will learn about enhancements in server management, security, and protection.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe Windows PowerShell in Windows Server 2012 R2.

• Explain how to use the Windows PowerShell Integrated Scripting Environment (ISE).

• Describe Windows DS in Windows Server 2012 R2.

• Describe security and protection enhancements in Windows Server 2012 R2.

Windows PowerShell in Windows Server 2012 R2

Windows PowerShell has new features that facilitate managing larger groups of servers through better scaling, additional functionality, and better management. Windows PowerShell 3.0 includes the following new features:

• Windows PowerShell Workflow. This enables coordination of complex parallel and sequenced commands.

• Windows PowerShell Web Access. This feature enables encrypted and authenticated access to Windows PowerShell by using a web browser on any device.

• Scheduled jobs. This feature enables scheduling of Windows PowerShell commands and scripts to run administrative tasks automatically.

• Enhanced online help. You can download the latest Help files from Microsoft by using the Update-Help cmdlet and view the latest help online. This guarantees you get the latest information about how to use Windows PowerShell.

• Windows PowerShell ISE IntelliSense. Windows PowerShell ISE provides hints for cmdlets, including valid parameters that make it easier to use Windows PowerShell than in the past.

• Robust session connectivity. These connections enable you to connect to a remote server, and if connectivity is lost or you intentionally disconnect, you can resume the connection at the point it was disconnected. Previously, if a connection to a session was lost, all the session data, variables, and command history also would be lost.


Windows Server 2012 R2 ships with a newer version of Windows PowerShell, Windows PowerShell 4.0. Windows PowerShell 4.0 has several new features, including:

• Save-Help. The Save-Help cmdlet is used to download help documentation from the Microsoft website to a local computer.

• Windows PowerShell Desired State Configuration (DSC). DSC is a management system that you can use to deploy and manage configuration data for software deployed on any computer that runs Windows PowerShell 4.0. For instance, you can use DSC to ensure that a given website is present on a server, or that a given folder is not available on another server.

Note: To learn more about DSC, visit http://technet.microsoft.com/en-US/library/dn249918.aspx.

• Execution policy. The default execution policy for computers running Windows Server 2012 R2 is RemoteSigned.

• Extra functionality. The following cmdlets have new parameters or changed functionality:

o Register-ScheduledJob and Set-ScheduledJob. These cmdlets now have a parameter named RunNow that is used to start a job immediately without using the Trigger parameter.

o Invoke-RestMethod and Invoke-WebRequest. The Header parameter has been implemented. This parameter existed before, but it always threw an exception when used.

o Get-Module. This cmdlet now has a parameter named FullyQualifiedName, which can be used to specify a fully qualified name for a module, including name, version, and GUID.

o New-JobTrigger and Set-JobTrigger. These cmdlets now have a parameter named RepeatIndefinitely that is used to repeat a job for an indefinite period.

o Enable-JobTrigger and Disable-JobTrigger. These cmdlets now have a parameter named PassThru, which is used to display all objects that are modified by the executed cmdlet.

o Add-Computer and Remove-Computer. These cmdlets now use the same parameter to refer to a workgroup, named WorkgroupName.

o Get-Process. This cmdlet now has a parameter named IncludeUserName that is used to display the user name on each retrieved process.

o Get-FileHash. This is a new cmdlet that is used to retrieve the hash value of a file.
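A worked DSC configuration, added here as an example and not taken from the course, that makes the two states described above concrete (IIS and a site folder present, an unwanted folder absent) and then uses Test-DscConfiguration as a drift check scheduled with the new RunNow parameter. The names BaselineWeb, C:\inetpub\secureapp, C:\Temp\OldStaging and C:\DSC are hypothetical.

```powershell
# Added example; not from the course. Requires Windows PowerShell 4.0 (Windows Server 2012 R2)
# and an elevated session. All names and paths below are hypothetical.

Configuration BaselineWeb {
    param (
        [string[]] $ComputerName = 'localhost'
    )

    Node $ComputerName {
        # The web server role must be installed.
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # The site's content directory must exist; DependsOn orders it after the feature.
        File SiteRoot {
            DestinationPath = 'C:\inetpub\secureapp'
            Type            = 'Directory'
            Ensure          = 'Present'
            DependsOn       = '[WindowsFeature]IIS'
        }

        # A leftover staging folder must NOT exist on this server. Force removes it even
        # when it is not empty, which is what "not available" in the text requires.
        File OldStaging {
            DestinationPath = 'C:\Temp\OldStaging'
            Type            = 'Directory'
            Ensure          = 'Absent'
            Force           = $true
        }
    }
}

# Compile the configuration into a MOF document per node, then push it to the node.
BaselineWeb -ComputerName 'localhost' -OutputPath 'C:\DSC\BaselineWeb' | Out-Null
Start-DscConfiguration -Path 'C:\DSC\BaselineWeb' -Wait -Verbose

# Test-DscConfiguration returns $true only while the node still matches the MOF, so it
# doubles as a cheap drift check. Register it as a scheduled job; -RunNow (new in
# Windows PowerShell 4.0) executes the first run immediately without a separate trigger.
Register-ScheduledJob -Name 'DscDriftCheck' -ScriptBlock {
    if (-not (Test-DscConfiguration)) {
        Write-EventLog -LogName Application -Source 'Application' -EventId 1000 `
            -EntryType Warning -Message 'Node drifted from BaselineWeb desired state.'
    }
} -Trigger (New-JobTrigger -Daily -At '03:00') -RunNow

# Inspect the result of the first run and the current state that DSC applied.
Get-Job -Name 'DscDriftCheck' | Receive-Job -Wait
Get-DscConfiguration
```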

What's New in Windows PowerShell

http://technet.microsoft.com/library/hh857339.aspx

Windows PowerShell DSC

http://technet.microsoft.com/en-US/library/dn249918.aspx


Demonstration: Using the Windows PowerShell ISE

The Windows PowerShell ISE application is a graphical tool that enables you to write and test Windows PowerShell scripts in a manner similar to the way a developer would write an application by using Microsoft Visual Studio. Windows PowerShell ISE for Windows PowerShell 3.0 includes IntelliSense, a Microsoft auto-completion tool that provides instant suggestions on the correct script syntax and available cmdlet parameters. Windows PowerShell ISE is divided into two main parts: the Script pane and the Console pane.

Demonstration Steps

1. Sign in to LON-DC1 as the domain administrator.

2. Open Windows PowerShell ISE as an administrator, and then review the Script pane and the Console pane.

3. Follow the steps in the following demonstration script: E:\ModXA\Democode\Using Windows PowerShell ISE.ps1.

Windows DS in Windows Server 2012 R2

Remote deployment and management of Windows operating systems is a very useful capability, especially in larger environments. Starting with Windows Server 2008, Microsoft provides built-in operating system deployment functionality called Windows DS. This role enables you to deploy Windows operating systems remotely to set up new computers by using a network-based installation. This technology works together with Dynamic Host Configuration Protocol (DHCP), DNS, and AD DS to provide the whole environment for light-touch and zero-touch operating system deployments.

In Windows Server 2012 R2, you can use Windows DS for remote deployment of the following operating systems:

• Windows XP

• Windows Server 2003

• Windows Vista Service Pack 1

• Windows Server 2008

• Windows 7

• Windows Server 2008 R2

• Windows Server 2012

• Windows 8

• Windows 8.1 Preview

• Windows Server 2012 R2 Preview


You can use .wim and .vhd images for operating system deployment. From this version of Windows DS, you can manage .vhd files from the Windows DS management console. Also, .vhdx files are supported directly and over multicast. Trivial File Transfer Protocol and multicast over IPv6 also are supported and work with DHCPv6.

You can manage Windows DS in Windows Server 2012 R2 from both the Windows DS management console and from Windows PowerShell. You can use Windows PowerShell to add driver packages, to add client images, to enable and disable boot and installation images, and to do many other common Windows DS tasks.

Multicast deployments are improved in Windows Server 2012 R2, and now you do not have to make a local copy of .wim files anymore. You can apply the Install.wim file while it is being downloaded without significant impact to the application process. This also decreases the overall time required for deployment. You can use multicast deployment on a stand-alone transport server with the included PXE provider for network boot.

For installation of drivers, Windows DS in Windows Server 2012 R2 now provides extended filters for driver groups. These filters now support device model number as well as device group. Also, the driver import procedure now can detect automatically if a duplicate driver is being imported and prevent that scenario.

Overview of Security and Protection Enhancements in Windows Server 2012 R2

Windows Server 2012 R2 offers several enhancements in the field of security and protection. Security has been improved in Windows Server 2012 R2, which also introduces new security technologies. The following sections describe the important security and protection enhancements in Windows Server 2012 R2.

Restricted Admin Mode for Remote Desktop Connection (RDC)

When using Windows 8.1 and Windows Server 2012 R2, you can now connect through Remote Desktop Protocol (RDP) by using the Restricted Admin mode. In this mode, a user’s credentials are not sent to the remote host from an RDP client. Instead, the host that you connect to tries to verify that your user account has administrative rights, and if it succeeds, a connection is established in Restricted Admin mode. Otherwise, the connection attempt fails.

If users connect by using Restricted Admin mode, they can access local resources on the server, but cannot access other network resources without providing valid credentials.

Local Security Authority (LSA) protection

In Windows 8.1 and Windows Server 2012 R2, additional security is provided for LSA to prevent code injection attempts by non-protected processes. This additionally protects credentials stored within LSA.


Protected Users Security Group

Windows Server 2012 R2 AD DS provides a new security group called Protected Users. You can use this group to reduce the types of credentials that are available when members of this group log on. Specifically, this means the following:

• Members of the Protected Users group can log on only by using the Kerberos protocol, and they cannot use methods such as NTLM, Digest authentication, or others.

• When a member of the Protected Users group authenticates, the Kerberos protocol never uses weak encryption types such as Data Encryption Standard or RC4 in the preauthentication process. Because of this, you must configure the domain to support at least the Advanced Encryption Standard cipher suite.

• If a user is a member of the Protected Users group, his or her account cannot be delegated with Kerberos constrained delegation or with unconstrained delegation. If you configure delegation before the user is added to the Protected Users group, delegation will stop working after the user account is in the Protected Users group.

• The ticket-granting ticket that Kerberos issues to the user has a lifetime of four hours. After that, the user must authenticate again.

Authentication Policy

If the domain functional level is set to Windows Server 2012 R2, you can use forest-based authentication policies and apply them to user accounts. With these policies, you can control which hosts the user can use to log on. These policies are complementary to the Protected Users security group. Administrators can apply access control conditions for authentication to accounts. These authentication policies can isolate related accounts and constrain the part of the network from which they can be used.

You can apply authentication policies on the following AD DS account classes:

• User

• Computer

• Managed service account

• Group Managed Service account
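The Protected Users, authentication policy and LSA protection controls described above, applied from Windows PowerShell as an added example (not code from the course). It assumes the ActiveDirectory module (RSAT-AD-PowerShell), a hypothetical privileged account SvcAdmin in the Adatum domain, a hypothetical policy name Tier0-Admins, and the RunAsPPL LSA registry value, which is not mentioned on this page.

```powershell
# Added example; not from the course. Checks an account for settings that Protected Users
# membership breaks, adds it to the group, attaches an authentication policy with the
# four-hour TGT lifetime, and turns on LSA protection on the local server.
# Assumptions: ActiveDirectory module present; account 'SvcAdmin' and policy 'Tier0-Admins'
# are hypothetical; RunAsPPL is the LSA protection switch (not named on this page).

Import-Module ActiveDirectory

function Test-ProtectedUserReadiness {
    # Lists the settings on an account that Protected Users membership will break.
    param([Parameter(Mandatory)][string] $SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName `
            -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName

    $issues = @()
    # Both unconstrained and constrained delegation stop working for Protected Users.
    if ($u.TrustedForDelegation)       { $issues += 'unconstrained delegation is enabled' }
    if ($u.'msDS-AllowedToDelegateTo') { $issues += 'constrained delegation is configured' }
    # An account with SPNs is a service account; it would lose NTLM and long-lived tickets.
    if ($u.ServicePrincipalName)       { $issues += 'account holds SPNs; treat as a service account' }
    # Kerberos refuses DES/RC4 pre-authentication for Protected Users, so AES keys are needed;
    # they exist only if the password was set after the domain reached the 2008 functional level.
    $dfl = [int](Get-ADDomain).DomainMode
    if ($dfl -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
        $issues += 'domain functional level below Windows Server 2008; AES keys unavailable'
    }
    [pscustomobject]@{ Account = $u.SamAccountName; Ready = ($issues.Count -eq 0); Issues = $issues }
}

function Protect-AdminAccount {
    # Adds the account to Protected Users and attaches an authentication policy, only when safe.
    param([Parameter(Mandatory)][string] $SamAccountName,
          [string] $PolicyName = 'Tier0-Admins')

    $check = Test-ProtectedUserReadiness -SamAccountName $SamAccountName
    if (-not $check.Ready) {
        Write-Warning "$SamAccountName not changed: $($check.Issues -join '; ')"
        return $check
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName

    # Authentication policies need the Windows Server 2012 R2 domain functional level.
    $dfl = [int](Get-ADDomain).DomainMode
    if ($dfl -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
        if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$PolicyName'")) {
            # 240 minutes matches the TGT lifetime Protected Users already get; -Enforce makes
            # the KDC reject violations instead of only auditing them.
            New-ADAuthenticationPolicy -Name $PolicyName -UserTGTLifetimeMins 240 -Enforce
        }
        Set-ADUser -Identity $SamAccountName -AuthenticationPolicy $PolicyName
    }
    return $check
}

function Enable-LsaProtection {
    # RunAsPPL = 1 runs LSASS as a protected process so non-protected processes cannot
    # inject into it; the setting takes effect after a reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RunAsPPL' -Value 1 -Type DWord
}

Protect-AdminAccount -SamAccountName 'SvcAdmin'
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
Enable-LsaProtection
```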

Credential Locker

Credential Locker is a service that creates and maintains secure storage on the local computer that stores user names and passwords that a user saves from websites and Windows Store apps. It provides users with a seamless sign-in experience when they use apps from Windows Store that support Web Authentication Broker. In previous versions of Windows operating systems, when users stored multiple sets of credentials for a single service such as Facebook or Twitter, it was not possible to select default credentials. Now, users can designate default credentials. Also, users can see the date when each set of credentials was used last.

Lesson 3 What Is New in High Availability in Windows Server 2012 R2?

High availability technologies are very important parts of an IT infrastructure. Windows Server 2012 provides new and updated technologies that support failover clustering to provide an efficient, stable, and highly available solution for many server roles. In this lesson, you will learn about high availability enhancements in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe what is new in failover clustering.

• Describe an Active Directory-detached cluster.

• Describe Cluster Shared Volume (CSV) enhancements in Windows Server 2012 R2.

What Is New in Failover Clustering?

Failover clustering in Windows Server 2012 R2 is enhanced with many new features, and existing technologies have been updated for better functionality. The following sections describe the most important enhancements in the failover clustering role.

Quorum Changes and Dynamic Witness

In Windows Server 2012 R2, old quorum modes such as Node Majority, Node and Disk Majority, and Node and File Share Witness Majority, are not used anymore. Instead, Windows Server 2012 R2 introduces the concept of Dynamic Quorum. This feature provides the ability for a cluster to recalculate quorum in the event of node failure and still maintain working clustered roles, even when the number of voting nodes remaining in the cluster is less than 50 percent.

In Windows Server 2012 R2, this feature is enhanced additionally by introducing the concept of dynamic witness. When you configure a cluster in Windows Server 2012 R2, dynamic quorum is selected by default, and the witness vote also is adjusted dynamically based on the number of voting nodes in the current cluster membership. For example, if a cluster has an odd number of votes, a quorum witness does not have a vote in the cluster. If the number of nodes is even, a quorum witness does have a vote. If the witness resource fails or goes offline for any reason, the cluster will set the witness vote to a value of 0 automatically. By using this approach, the risk of a cluster malfunction because of a failing witness is greatly reduced. If you want to see whether a witness has a vote, you can use Windows PowerShell and a new cluster property in the following cmdlet.

(Get-Cluster).WitnessDynamicWeight

A value of 0 indicates that the witness does not have a vote. A value of 1 indicates that the witness has a vote.


The cluster can now decide whether to use the witness vote based on the number of voting nodes that are available in the cluster. A much simpler quorum configuration when you create a cluster is an additional benefit. Windows Server 2012 R2 will configure quorum witness automatically when you create a cluster.

Also, when you add or evict cluster nodes, you no longer have to adjust the quorum configuration manually. The cluster now automatically determines quorum management options and the quorum witness.

Force Quorum Resiliency

This feature provides additional support and flexibility for split-brain cluster scenarios. This scenario happens when a cluster breaks into subsets of cluster nodes that are not aware of each other. The cluster node subset that has a majority of votes will run while the others are shut down. This scenario usually happens in multisite cluster deployments. If you want to start cluster nodes that do not have a majority, you can force quorum to start manually by using the /fq switch.

In Windows Server 2012 R2, in such scenarios, the cluster will detect partitions in the cluster automatically as soon as connectivity between nodes is restored. The partition that was started by forcing a quorum is considered authoritative, and other nodes rejoin the cluster. When this happens, the cluster is brought back to a single view of membership. In Windows Server 2012, partitioned nodes without quorum were not started automatically, and an administrator had to start them manually with the /pq switch. In Windows Server 2012 R2, both sides of the split cluster have a view of cluster membership, and they will reconcile automatically when connectivity is restored.

Tie Breaker for 50% Node Split

Dynamic quorum in Windows Server 2012 R2 is enhanced with an additional functionality. The cluster now is able to adjust a running node’s vote status automatically to keep the total number of votes in the cluster at an odd number. This is called Tie breaker for 50% node split, and it works with dynamic witness functionality. You can use dynamic witness functionality to adjust the value of a quorum witness vote. For example, if you have a cluster with an even number of nodes and a file share witness, and the file share witness fails, the cluster will use dynamic witness functionality to remove the vote from the file share witness automatically. However, because the cluster now has an even number of votes, the cluster tie breaker will pick a node randomly and remove it from the quorum vote to maintain an odd number of votes. If the nodes are distributed evenly in two sites, this will help to maintain cluster functionality in one site. In previous Windows Server versions, if both sites have an equal number of nodes and a file share witness fails, both sites will stop the cluster.

If you want to avoid the node being picked randomly, you can use the LowerQuorumPriorityNodeID property to predetermine which node will have its vote removed. You can set this property by using the following Windows PowerShell command, where "1" is the example node ID for a node in the site that you consider less critical:

(Get-Cluster).LowerQuorumPriorityNodeID = 1

Global Update Manager Mode

Global Update Manager is responsible for updating the cluster database. In Windows Server 2012, it was not possible to configure how these updates work. Windows Server 2012 R2 allows you to configure the mode of work for Global Update Manager.

Each time the state of a cluster changes, such as when a cluster resource is offline, all nodes in the cluster must receive notification about the event before the change is committed to the cluster database by Global Update Manager.


In Windows Server 2012, Global Update Manager works in Majority (read and write) mode. In this mode, when a change happens to a cluster, a majority of the cluster nodes must receive and process the update before it is committed to the database. When the cluster node wants to read the database, the cluster compares the latest time stamp from a majority of the running nodes and uses the data with the latest time stamp.

In Windows Server 2012 R2, Global Update Manager also can work in the All (write) and Local (read) mode. When working in this mode, all nodes in the cluster must receive and process an update before it is committed to the database. However, when a database read request is received, the cluster will read the data from the database copy that is stored locally. Because all nodes receive and process the update, the local cluster database copy can be considered a relevant source of information.

Windows Server 2012 R2 also supports a third mode for Global Update Manager. This mode is Majority (write) and Local (read). In this mode, a majority of the cluster nodes must receive and process an update before it is committed to the database. When the database read request is received, the cluster reads the data from the database copy that is stored locally.

In Windows Server 2012 R2, the default setting for Hyper-V failover clusters is Majority (read and write). All other workloads in the clusters use All (write) and Local (read) mode. Majority (write) and Local (read) is not used by default for any workload.

The ability to change the working mode for Global Update Manager improves cluster database performance and increases the performance of cluster workloads because a cluster database no longer has to perform at the speed of the slowest node.

Cluster Node Health Detection

In Windows Server 2012, the mechanism for node health detection within a cluster declares a node as down if it does not respond to heartbeats for more than five seconds. In Windows Server 2012 R2, specifically for Hyper-V failover clusters, the default threshold value is increased from five seconds to 10 seconds if nodes are in the same subnet, and to 20 seconds if nodes are in different subnets. This provides increased resiliency for temporary network failures for virtual machines that are running on a Hyper-V cluster, and this delays cluster recovery actions in cases of short network interruptions.
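A report of the dynamic quorum, tie breaker, Global Update Manager and heartbeat settings discussed in the sections above, added here as an example (not code from the course). It assumes the FailoverClusters module on a Windows Server 2012 R2 cluster node, and the mapping of DatabaseReadWriteMode values to the three mode names is taken from the Windows Server 2012 R2 documentation rather than from this page.

```powershell
# Added example; not from the course. Run on a Windows Server 2012 R2 cluster node.
# WitnessDynamicWeight and LowerQuorumPriorityNodeID are the properties shown in the text;
# DynamicWeight, DatabaseReadWriteMode, SameSubnetThreshold/Delay and CrossSubnetThreshold/Delay
# are existing cluster properties. The mode labels for DatabaseReadWriteMode are assumed from
# the Windows Server 2012 R2 documentation (0 = All/Local, 1 = Majority/Majority, 2 = Majority/Local).

Import-Module FailoverClusters

function Get-QuorumHealth {
    param([string] $ClusterName)   # omit to query the local cluster

    $cluster = if ($ClusterName) { Get-Cluster -Name $ClusterName } else { Get-Cluster }
    $nodes   = Get-ClusterNode -Cluster $cluster.Name
    $upNodes = $nodes | Where-Object { $_.State -eq 'Up' }

    # Count only the votes dynamic quorum currently honours (DynamicWeight), not the configured
    # NodeWeight, and add the witness vote when the cluster has left it switched on.
    $nodeVotes   = ($upNodes | Measure-Object -Property DynamicWeight -Sum).Sum
    $witnessVote = [int]$cluster.WitnessDynamicWeight
    $totalVotes  = [int]$nodeVotes + $witnessVote

    $gumMode = switch ([int]$cluster.DatabaseReadWriteMode) {
        0       { 'All (write) and Local (read)' }
        1       { 'Majority (read and write)' }
        2       { 'Majority (write) and Local (read)' }
        default { "unknown ($_)" }
    }

    [pscustomobject]@{
        Cluster                = $cluster.Name
        NodesUp                = $upNodes.Count
        NodeVotes              = [int]$nodeVotes
        WitnessHasVote         = ($witnessVote -eq 1)
        TotalVotes             = $totalVotes
        VotesAreOdd            = (($totalVotes % 2) -eq 1)
        TieBreakerNodeID       = [int]$cluster.LowerQuorumPriorityNodeID   # 0 = picked at random
        GlobalUpdateMode       = $gumMode
        # Heartbeats missed before a node is declared down, converted to seconds as in the text.
        SameSubnetTimeoutSec   = $cluster.SameSubnetThreshold  * $cluster.SameSubnetDelay  / 1000
        CrossSubnetTimeoutSec  = $cluster.CrossSubnetThreshold * $cluster.CrossSubnetDelay / 1000
    }
}

$report = Get-QuorumHealth
$report

# Points an administrator would act on after reading the sections above.
if ($report.TieBreakerNodeID -eq 0) {
    Write-Warning 'Tie breaker node is chosen at random; set LowerQuorumPriorityNodeID to a node in the less critical site.'
}
if (-not $report.VotesAreOdd) {
    Write-Warning 'Vote count is even; a witness or node vote has not yet been adjusted by dynamic quorum.'
}
if ($report.NodesUp -gt 0 -and $report.NodeVotes -le ($report.NodesUp / 2)) {
    Write-Warning 'Fewer than half of the running nodes hold a vote; review the quorum configuration.'
}
```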

What Is an AD DS Detached Cluster?

Failover clusters in Windows Server 2012 are integrated with AD DS, and you cannot deploy a cluster if nodes are not members of the same domain. When a cluster is created, appropriate computer objects for the cluster name and clustered role names are created in AD DS.

In Windows Server 2012 R2, you can deploy an Active Directory-detached cluster. This is a cluster that does not have dependencies in AD DS for network names. When you deploy clusters in detached mode, cluster network name and network names for clustered roles are registered in local DNS, but corresponding computer objects for cluster and clustered roles are not created in AD DS.

Cluster nodes still have to be joined to the same AD DS domain, but the person who creates the cluster does not need permission to create new objects in AD DS. Also, later management of these computer objects is not needed.

Deployment of Active Directory-detached clusters also has side effects. Because computer objects are not created, you cannot use Kerberos authentication when accessing cluster resources. Kerberos authentication is still used between the cluster nodes themselves, because their computer accounts and objects exist in AD DS independently of the cluster, but clients that access the cluster name or clustered role names use NTLM authentication. Because of this, we do not recommend that you deploy Active Directory-detached clusters for any scenario that requires Kerberos authentication.

The following table shows some common cluster workloads and their support for Active Directory-detached clusters.

To create an Active Directory-detached cluster, you must be running Windows Server 2012 R2 on all cluster nodes. These features cannot be configured by using the Failover Cluster Manager, so you must use Windows PowerShell.

You run Windows PowerShell with administrator rights, and you should use the New-Cluster cmdlet with the -AdministrativeAccessPoint parameter set to a value of Dns. The following cmdlet creates a failover cluster named Cluster1 from two nodes (Node1 and Node2), with an administrative access point of type DNS.

New-Cluster Cluster1 -Node Node1,Node2 -StaticAddress 192.168.1.16 -NoStorage -AdministrativeAccessPoint Dns

When you run this cmdlet, the cluster network name Cluster1 is created without a computer object in AD DS. Also, all subsequent network names for clustered roles are created without computer objects in AD DS.

You can verify the value of the AdministrativeAccessPoint attribute by running the following command.

(Get-Cluster).AdministrativeAccessPoint
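As an added example that is not part of the course, the following script audits a cluster for the settings covered in this lesson: the administrative access point and which network names lack an AD DS computer object (and therefore cannot be reached with Kerberos), together with the Global Update Manager mode and heartbeat timeouts described earlier. It assumes the FailoverClusters and ActiveDirectory modules are installed, and Cluster1 is a placeholder name.

```powershell
# Added example, not from the course. Audits a failover cluster for
# AD-detached operation, GUM mode and heartbeat timeouts.
Import-Module FailoverClusters
Import-Module ActiveDirectory

function Get-ClusterAccessAudit {
    param([string]$Cluster = 'Cluster1')   # placeholder cluster name

    $c = Get-Cluster -Name $Cluster

    # Every Network Name resource should have a matching computer object
    # unless the cluster is AD-detached; without one, clients fall back to NTLM.
    $names = Get-ClusterResource -Cluster $c.Name |
        Where-Object { $_.ResourceType.Name -eq 'Network Name' } |
        ForEach-Object {
            $dnsName  = ($_ | Get-ClusterParameter -Name Name).Value
            $adObject = Get-ADComputer -Filter "Name -eq '$dnsName'" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Resource          = $_.Name
                NetworkName       = $dnsName
                HasComputerObject = [bool]$adObject
                KerberosCapable   = [bool]$adObject
            }
        }

    # DatabaseReadWriteMode holds the Global Update Manager mode:
    #   0 = All (write) and Local (read)        default for non-Hyper-V roles
    #   1 = Majority (read and write)           default for Hyper-V clusters
    #   2 = Majority (write) and Local (read)   never a default
    $gumModes = @{
        0 = 'All (write) and Local (read)'
        1 = 'Majority (read and write)'
        2 = 'Majority (write) and Local (read)'
    }

    [pscustomobject]@{
        Cluster                   = $c.Name
        AdministrativeAccessPoint = $c.AdministrativeAccessPoint
        IsADDetached              = ($c.AdministrativeAccessPoint -eq 'Dns')
        GlobalUpdateManagerMode   = $gumModes[[int]$c.DatabaseReadWriteMode]
        # *Threshold counts missed heartbeats and *Delay is the interval in ms,
        # so their product is the number of seconds before a node is declared down.
        SameSubnetTimeoutSec      = $c.SameSubnetThreshold * $c.SameSubnetDelay / 1000
        CrossSubnetTimeoutSec     = $c.CrossSubnetThreshold * $c.CrossSubnetDelay / 1000
        NetworkNames              = $names
    }
}

$audit = Get-ClusterAccessAudit
$audit | Select-Object -Property * -ExcludeProperty NetworkNames | Format-List
$audit.NetworkNames | Format-Table -AutoSize
```

A cluster reported as IsADDetached with any network name that a Kerberos-dependent workload relies on is the case the text warns about.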

CSV Enhancements in Windows Server 2012 R2

CSVs in a Windows Server 2012 failover cluster allow multiple nodes in the cluster to simultaneously have read-write access to the same disk that is provisioned as an NTFS file system volume, and added as storage to the cluster. When you use CSVs, clustered roles can fail over from one node to another more quickly without requiring a change in drive ownership or dismounting and remounting a volume. CSVs also help simplify managing a potentially large number of logical unit numbers (LUNs) in a failover cluster.

CSVs provide a general-purpose, clustered file system in Windows Server 2012, which is layered above the NTFS file system. They are not restricted to specific clustered workloads, but currently, they are supported only for Hyper-V clusters and scale out file server clusters.

In Windows Server 2012 R2, CSVs are further improved. The following sections describe the important improvements to CSVs in Windows Server 2012 R2.

Optimized CSV Placement Policies

In a failover cluster for Windows Server 2012, one node in the cluster is designated as a coordinator for a CSV, and there is no automatic rebalance of this designation. Note that the coordinator for CSV owns the physical disk resource that is associated with a LUN and all I/O operations that are specific to the file system are performed through the coordinator node. In Windows Server 2012 R2, CSV ownership now is distributed evenly between cluster nodes. This distribution is performed based on the number of CSVs that each node owns. The Failover Cluster service automatically performs a rebalance in scenarios when a node rejoins a cluster, when you add a new cluster, or when you restart a cluster node.

Increased CSV Resiliency

CSV in Windows Server 2012 uses SMB as a transport for I/O forwarding between nodes in a cluster. SMB uses a Server service on cluster nodes, and if this service becomes unavailable, it can result in decreases in performance or the ability to access storage. Windows Server 2012 R2 implements multiple instances of Server service, which improves the resilience and scalability of inter-node SMB traffic. The default instance of Server service now accepts clients that access regular file shares, and a second CSV instance handles only inter-node CSV traffic. Also, if Server service becomes unhealthy on one cluster node, CSV ownership can be transitioned to another node automatically to ensure greater resiliency.

CSV Cache Allocation

CSV cache enables the server to use RAM as a cache for write-through operations, which improves performance. In Windows Server 2012, CSV cache is disabled by default, and when enabled, it is possible to allocate up to 20 percent of total RAM for cache. In Windows Server 2012 R2, you can allocate up to 80 percent of memory for CSV cache, which enables you to achieve performance gains for the clustered server role. This is especially useful for scale out file server clusters. In deployments where a Hyper-V cluster is running on a scale out file server cluster, we recommend that you enable and use the CSV cache, with a greater allocation for the scale out file server deployment, to achieve maximum performance of virtual machines stored on file servers.

Note: In Windows Server 2012 R2, the name of the private property of the cluster physical disk resource has been changed from CsvEnableBlockCache to EnableBlockCache.

CSV Diagnosability

In Windows Server 2012 R2, you can now see the state of CSV on a per-node basis. For example, you can see whether I/O is direct or redirected, or whether the CSV is unavailable. If a CSV is in I/O redirected mode, you also can view the reason. This information can be retrieved by using the Windows PowerShell cmdlet Get-ClusterSharedVolumeState with the parameters StateInfo, FileSystemRedirectedIOReason, or BlockRedirectedIOReason. This provides you with a better view of how CSV works across cluster nodes.
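The following script, an added example rather than course material, ties the CSV cache allocation and diagnosability topics above together: it compares the cluster-wide cache size with the 80 percent ceiling, reads the per-disk EnableBlockCache property mentioned in the note, and lists every node whose I/O to a CSV is not direct, with the reason. It assumes the FailoverClusters module and is run on a cluster node.

```powershell
# Added example, not from the course. Reports CSV cache sizing and per-node
# CSV I/O state for the local cluster.
Import-Module FailoverClusters

function Get-CsvHealthReport {
    $c = Get-Cluster

    # BlockCacheSize is the CSV cache in MB and applies to every node; in
    # Windows Server 2012 R2 the allowed ceiling is 80 percent of physical RAM.
    $ramMB   = [math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $cacheMB = [int]$c.BlockCacheSize
    $ceiling = [math]::Floor($ramMB * 0.8)

    $cache = [pscustomobject]@{
        CacheMB       = $cacheMB
        CeilingMB     = $ceiling
        CacheEnabled  = ($cacheMB -gt 0)
        WithinCeiling = ($cacheMB -le $ceiling)
    }

    # Per CSV: is block caching enabled on the disk resource (EnableBlockCache
    # in 2012 R2, formerly CsvEnableBlockCache), and what is each node's I/O mode?
    $volumes = Get-ClusterSharedVolume -Cluster $c.Name | ForEach-Object {
        $csv     = $_
        $enabled = ($csv | Get-ClusterParameter -Name EnableBlockCache).Value
        $csv | Get-ClusterSharedVolumeState | ForEach-Object {
            [pscustomobject]@{
                Volume                       = $csv.Name
                Node                         = $_.Node
                BlockCacheEnabled            = [bool]$enabled
                StateInfo                    = $_.StateInfo
                FileSystemRedirectedIOReason = $_.FileSystemRedirectedIOReason
                BlockRedirectedIOReason      = $_.BlockRedirectedIOReason
            }
        }
    }

    [pscustomobject]@{ Cache = $cache; Volumes = $volumes }
}

$report = Get-CsvHealthReport
$report.Cache | Format-List
# Only the node/volume pairs that are redirected or unavailable are interesting
$report.Volumes | Where-Object { $_.StateInfo -ne 'Direct' } | Format-Table -AutoSize
```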

CSV Interoperability

CSVs in Windows Server 2012 R2 also support interoperability with the following technologies:

• Resilient File System (ReFS)

• Data Deduplication

• Parity Storage Spaces

• Tiered Storage Spaces

• Storage Spaces write-back caching

This added support expands the scenarios in which you can use CSVs, and enables you to take advantage of the efficiencies that are introduced in these features.

Lesson 4 What Is New in Storage Management in Windows Server 2012 R2?

Windows Server 2012 R2 includes several improvements to storage management and storage access protocols. New storage technologies in Windows Server 2012, such as Storage Spaces, Data Deduplication, SMB 3.0.2, and Internet SCSI (iSCSI) target, are further improved in Windows Server 2012 R2. In this lesson, you will learn about these improvements in storage technologies in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe what is new in file and storage services.

• Describe what is new in SMB 3.0.2 in Windows Server 2012 R2.

• Describe Data Deduplication.

• Describe iSCSI target server enhancements.

• Describe Distributed File System (DFS) Replication enhancements.

What Is New in File and Storage Services?

File and Storage Services includes technologies that you can use to set up and manage one or more file servers. File servers are servers that act as central locations on the network where you can store files and, if required, share those files with users.

Windows Server 2012 R2 offers the following File and Storage Services features:

• Multiterabyte volumes. This feature supports multiterabyte NTFS file system volumes, which enable consolidation scenarios and maximize storage use. The Chkdsk tool introduces a new approach: it prioritizes volume availability and allows corruption to be detected while the volume remains online, so the data in it stays available to users during maintenance.

• Data Deduplication. This feature saves disk space by storing a single copy of identical data on the volume. With Windows Server 2012 R2, you now can use deduplication even with open virtual hard disk (VHD) files such as .vhd and .vhdx.

• iSCSI target server. The iSCSI target server provides block storage to other servers and applications on the network by using the iSCSI standard. Windows Server 2012 R2 also includes VHDX support and end-to-end management by using the Storage Management service.

• Storage spaces and storage pools. This feature enables you to virtualize storage by grouping industry standard disks into storage pools, and then creating storage spaces from the available capacity in the storage pools.

• Unified remote management of File and Storage Services in Server Manager. You can use this feature to manage multiple file servers remotely, including their role services and storage, from a single window.

• Windows PowerShell cmdlets for File and Storage Services. You can use the Windows PowerShell cmdlets for performing most administration tasks for file and storage servers.

• ReFS. Introduced in Windows Server 2012, ReFS provides enhanced integrity, availability, scalability, and error protection for file-based data storage.

• SMB 3.0.2. The SMB protocol is a network file sharing protocol that enables applications on a computer to read and write to files and to request services from server programs on a network.

• Offloaded Data Transfer (ODX). The ODX functionality enables ODX-capable storage arrays to bypass the host computer and directly transfer data within or between compatible storage devices.

• Chkdsk. The new version of Chkdsk runs automatically in the background and monitors the health state of the system volume. Chkdsk enables organizations to confidently deploy large, multiterabyte NTFS file system volumes without worrying about their availability being compromised, and it can detect any system corruption that happens.

Storage Spaces Enhancements

Storage spaces were introduced in Windows Server 2012 as a new software layer and a framework for storage management. You can use the Windows Server 2012 R2 version of Storage Spaces to create a tiered storage solution that transparently delivers an appropriate balance between capacity and performance and meets the needs of enterprise workloads. The result is that the workload’s most frequently accessed data (the working set) is stored on the solid-state drive (SSD) tier automatically while the rest of the workload’s data is stored on the HDD tier.

Windows Server 2012 R2 also includes a new feature called write-back caching. While the goal of tiering is to balance capacity against performance, the purpose of write-back caching is to smooth out short-term bursts of random writes. Write-back caching integrates seamlessly into tiered volumes and is enabled by default. The write-back cache is located on the SSD tier of a storage space, and it services smaller, random writes. Larger, sequential writes are serviced by the HDD tier. You also can enable write-back caching on non-tiered volumes.

What Is New in SMB In Windows Server 2012 R2?

The SMB protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. You use this protocol on top of the TCP/IP set of protocols, and by using SMB, an application or a user can access files on a remote server. Windows Server 2012 introduced SMB 3.0 with many new features and enhancements, and Windows Server 2012 R2 provides additional improvements with SMB 3.0.2.

SMB version 3.0 and newer provide some new applications of the SMB protocol that were not possible before, such as:

• File storage for virtual machines. When using SMB 3.0, you can store your running virtual machines on a file server.

• SQL Server over SMB. SQL Server is able to store user database files on SMB 3.0 file shares.

Windows Server 2012 R2 brings the following improvements to the SMB 3.0 protocol:

• Automatic rebalancing of Scale-Out File Server clients. Instead of tracking SMB client connections on a per-server basis, client connections are now tracked per file share. Using this approach, clients are redirected to the cluster node with the best access to the volume that is used by the file share. This technology improves performance and efficiency and reduces traffic between file server nodes. This technology is specific to Windows Server 2012 R2.

• Improved performance of SMB Direct. SMB Direct, which is also known as SMB over Remote Direct Memory Access (RDMA), was introduced in Windows Server 2012. In Windows Server 2012 R2, performance is improved for workloads with small I/O. These improvements are especially apparent when you use higher speed network interfaces, such as 40-gigabit Ethernet.

• Improved SMB event messages. Events logged for SMB now provide more detailed and useful information, which makes troubleshooting easier. Also, this reduces the need for event logging with more complex tools or for traffic capturing. By default, all essential information is logged, and some events also include configuration and troubleshooting solutions.

• VHDX files as shared storage for guest clustering. Guest clusters created in Windows Server 2012 R2 Hyper-V now can use a shared virtual .vhdx drive instead of a storage area network (SAN) or iSCSI-based storage. A shared .vhdx drive is added through the SCSI interface for virtual machines, and it must be stored either on a scale out file server or on a CSV volume. Shared virtual hard disks will be discussed in more detail later in this course.

• Hyper-V live migration over SMB. It is now possible to perform live migration of virtual machines by using SMB 3.0 as a transport protocol. Because SMB 3.0 supports SMB Direct and SMB Multichannel, you can take advantage of the benefits of these technologies to perform fast live migrations with low CPU usage.

• Improved SMB bandwidth management. You can configure SMB bandwidth in Windows Server 2012 R2, based on the type of traffic that is going through SMB. There are three SMB traffic types: default, live migration, and virtual machine.

Overview of Data Deduplication

Data Deduplication is a role service of Windows Server 2012 that has been enhanced in Windows Server 2012 R2. This service identifies and removes duplication within data without compromising its integrity, which lets you store more data while using less physical disk space.

The Data Deduplication Process

The process for maintaining data integrity and recoverability involves evaluating checksum results and other algorithms. Data Deduplication is highly scalable, resource efficient, and nonintrusive. It can run on dozens of large volumes of primary data concurrently, without affecting other workloads on a server. Data Deduplication limits its impact on server workloads by throttling the CPU and memory resources that it consumes. By using Data Deduplication jobs, you can schedule when Data Deduplication should run, specify the resources to deduplicate, and tune file selection.

When you enable Data Deduplication on a volume, a background task runs with low priority and processes the files on the volume. The background task segments all file data on the volume into small, variable-sized chunks of 32–128 kilobytes (KB). Then it identifies chunks that have one or more duplicates on the volume. Duplicate chunks are then removed from disk and replaced with a reference to a single copy of that chunk. Finally, all remaining chunks are compressed so that even more disk space is saved.

When combined with BranchCache, the same optimization techniques are applied to data that is transferred over a wide area network (WAN) to a branch office. This results in faster file download times and reduced bandwidth consumption.

Scenarios for Using Data Deduplication

Data Deduplication is designed to be installed on primary data volumes, not logically extended ones, without additional dedicated hardware. You can install and use the feature without affecting a server’s primary workload. The default settings are nonintrusive because only files older than 30 days are processed. The implementation is designed for low memory and CPU priority. However, if memory use becomes high, deduplication slows down and waits for available resources. You can schedule deduplication based on the type of data and the frequency and volume of changes that occur to the volume or particular file types.

You should consider using deduplication for the following areas:

• File shares. This includes group content publication or sharing, user home folders, and profile redirection (Offline Files). With the Release to Manufacturing (RTM) version of Windows Server 2012, you could save approximately 30 to 50 percent disk space. With CSV support in Windows Server 2012 R2, the disk savings can increase to 90 percent in some scenarios.

• Software deployment shares. This includes software binaries, images, and updates. You might be able to save space of approximately 70 to 80 percent.

• VHD and VHDX libraries. This includes VHD and VHDX file storage for provisioning to hypervisors. You might be able to save space of approximately 80 to 95 percent.

Volume Requirements for Data Deduplication

After the feature is installed, you can enable Data Deduplication on a per-volume basis. Each volume must meet the following requirements:

• Volumes must not be a system or boot volume. Windows Server 2012 R2 does not support deduplication on volumes where the operating system is installed.

• Volumes might be partitioned by using master boot record or GUID partition table format, and they must be formatted by using the NTFS file system. ReFS is not supported for use on a Data Deduplication volume.

• Volumes must be exposed to the Windows operating system as non-removable drives—that is, no USB or floppy disk drives.

• Volumes can be on shared storage, such as a Fibre Channel or Serial Attached SCSI array, or an iSCSI SAN.
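To turn the volume requirements above into a preflight check before enabling the feature (keeping the 30-day default file age the text calls nonintrusive), here is an added example that is not from the course. It assumes the Data Deduplication role service is installed, so the Deduplication module is available, and uses drive D as a placeholder.

```powershell
# Added example, not from the course. Validates a volume against the Data
# Deduplication requirements, then enables deduplication with the default file age.
Import-Module Deduplication

function Test-DedupVolumeEligibility {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'D'

    $letter = $DriveLetter.TrimEnd(':')
    $vol    = Get-Volume -DriveLetter $letter
    $part   = Get-Partition -DriveLetter $letter

    $checks = [ordered]@{
        # system/boot partitions and the OS drive are not supported
        'Not system or boot volume' = (-not ($part.IsSystem -or $part.IsBoot)) -and
                                      ($env:SystemDrive -ne "${letter}:")
        # NTFS only; ReFS is not supported for deduplication in 2012 R2
        'NTFS file system'          = ($vol.FileSystem -eq 'NTFS')
        # must be exposed as a fixed drive, not USB/removable media
        'Fixed (non-removable)'     = ($vol.DriveType -eq 'Fixed')
    }

    [pscustomobject]@{
        Volume   = "${letter}:"
        Eligible = -not ($checks.Values -contains $false)
        Checks   = $checks
    }
}

function Enable-DedupWithDefaults {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [int]$MinimumFileAgeDays = 30      # 30 days is the nonintrusive default
    )

    $result = Test-DedupVolumeEligibility -DriveLetter $DriveLetter
    if (-not $result.Eligible) {
        $failed = ($result.Checks.GetEnumerator() | Where-Object { -not $_.Value }).Key -join ', '
        throw "$($result.Volume) is not eligible for deduplication: $failed"
    }

    Enable-DedupVolume -Volume $result.Volume
    Set-DedupVolume    -Volume $result.Volume -MinimumFileAgeDays $MinimumFileAgeDays
    Get-DedupStatus    -Volume $result.Volume
}

Enable-DedupWithDefaults -DriveLetter 'D'
```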

Windows Server 2012 R2 includes several important improvements to the way Data Deduplication works:

• Deduplication now can be used even with open VHD and VHDX.

• Support for CSV volumes has been added.

• Windows Server 2012 R2 includes performance enhancements resulting from faster read/write of optimized files and improved optimization speed.

iSCSI Target Server Enhancements

The iSCSI protocol supports access to remote, SCSI-based storage devices over a TCP/IP network. iSCSI carries standard SCSI commands over IP networks to facilitate data transfers over intranets, and to manage storage over long distances. You can use iSCSI to transmit data over LANs, WANs, or even over the Internet.

iSCSI relies on standard Ethernet networking architecture, and the use of specialized hardware such as host bus adapters or network switches is optional. iSCSI uses TCP/IP, typically TCP port 3260. This means that iSCSI simply enables two hosts to negotiate parameters such as session establishment, flow control, and packet size, and then exchange SCSI commands by using an existing Ethernet network. By doing this, iSCSI takes a popular, high performance, local storage bus subsystem architecture and emulates it over LANs and WANs, creating a SAN.

Unlike some SAN protocols, iSCSI requires no specialized cabling; it can be run over existing switching and IP infrastructure. However, the performance of an iSCSI SAN deployment can be decreased severely if not operated on a dedicated network or subnet, as is recommended in best practices.

iSCSI Target Server

The iSCSI target server role service provides for a software-based and hardware-independent iSCSI disk subsystem. You can use the iSCSI target server to create iSCSI targets and iSCSI virtual disks. You then can use Server Manager to manage these iSCSI targets and virtual disks.

The new features in Windows Server 2012 include:

• Authentication. You can enable Challenge Handshake Authentication Protocol (CHAP) to authenticate initiator connections or to enable reverse CHAP to allow the initiator to authenticate the iSCSI target.

• Query initiator computer for ID. This is only supported with Windows 8 or Windows Server 2012.

The iSCSI target server included in Windows Server 2012 provides the following functionality:

• Network/diskless boot. By using boot-capable network adapters or a software loader, you can use iSCSI targets to deploy diskless servers quickly. By using differencing virtual disks, you can save up to 90 percent of the storage space for operating system images. This is ideal for large deployments of identical operating system images, such as a Hyper-V server farm or high-performance computing clusters.

• Server application storage. Some applications, such as Hyper-V and Microsoft Exchange Server, require block storage. The iSCSI target server can provide these applications with continuously available block storage. Because the storage is accessible remotely, it also can combine block storage for central or branch office locations.

• Heterogeneous storage. iSCSI target server supports iSCSI initiators that are not based on the Windows operating system, so you can share storage on Windows Servers in mixed environments.

• Lab environments. The iSCSI target server role enables your Windows Server 2012 computers to be a network-accessible block storage device. This is useful in situations when you want to test applications before deployment on SAN storage.

• Enabling iSCSI target server to provide block storage takes advantage of your existing Ethernet network.

No additional hardware is needed. If high availability is an important criterion, consider setting up a high availability cluster. With a high availability cluster, you will need shared storage for the cluster—either hardware Fibre Channel storage or a Serial Attached SCSI storage array. The iSCSI target server is integrated directly into the failover cluster feature as a cluster role.

The iSCSI initiator is included in Windows Server 2012 and Windows 8 as a service and is installed by default. To connect your computer to an iSCSI target, you just have to start the service and configure it.

Windows Server 2012 R2 Target Server Role Enhancements

In Windows Server 2012 R2, iSCSI target server is enhanced with the following functionalities:

• VHDX support is now included, which enables the provisioning of larger LUNs of up to 64 terabytes in size. VHDX support also enables you to expand or shrink iSCSI LUNs while they are online and dynamically grow them for greater scalability and flexibility. VHDX is now the default virtual disk format when creating new iSCSI LUNs.

• You now can fully manage the iSCSI target server by using SMI-S. This means that you can now perform end-to-end management of your iSCSI storage system using Microsoft System Center 2012 Virtual Machine Manager.
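As an added example that is not part of the course, the script below publishes a VHDX-backed iSCSI LUN (the 2012 R2 default format described above) to a single named initiator, with the CHAP and reverse CHAP authentication mentioned under the Windows Server 2012 features, so that both the initiator and the target prove their identity. Target name, initiator IQN, path and credentials are placeholders; it assumes the iSCSI Target Server role service is installed.

```powershell
# Added example, not from the course. Creates an iSCSI target restricted to
# one initiator IQN, enforces mutual CHAP, and maps a VHDX virtual disk to it.
Import-Module IscsiTarget

function New-RestrictedIscsiLun {
    param(
        [Parameter(Mandatory)][string]$TargetName,        # e.g. 'SqlData'
        [Parameter(Mandatory)][string]$InitiatorIqn,      # e.g. 'iqn.1991-05.com.microsoft:sql01.contoso.com'
        [Parameter(Mandatory)][string]$VhdxPath,          # e.g. 'D:\iSCSIVirtualDisks\SqlData.vhdx'
        [Parameter(Mandatory)][uint64]$SizeBytes,
        [Parameter(Mandatory)][pscredential]$Chap,        # initiator authenticates to target
        [Parameter(Mandatory)][pscredential]$ReverseChap  # target authenticates to initiator
    )

    # The Windows iSCSI target only accepts CHAP secrets of 12 to 16 characters
    foreach ($cred in @($Chap, $ReverseChap)) {
        $len = $cred.GetNetworkCredential().Password.Length
        if ($len -lt 12 -or $len -gt 16) { throw 'CHAP secrets must be 12 to 16 characters long' }
    }

    # Restrict the target to one initiator by IQN rather than by IP address
    New-IscsiServerTarget -TargetName $TargetName -InitiatorIds @("IQN:$InitiatorIqn") | Out-Null

    # Require CHAP in both directions: the initiator proves itself to the
    # target, and the target proves itself to the initiator.
    Set-IscsiServerTarget -TargetName $TargetName `
        -EnableChap $true -Chap $Chap `
        -EnableReverseChap $true -ReverseChap $ReverseChap

    # A .vhdx path yields a VHDX-backed LUN (up to 64 TB in 2012 R2)
    New-IscsiVirtualDisk -Path $VhdxPath -SizeBytes $SizeBytes | Out-Null
    Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $VhdxPath

    Get-IscsiServerTarget -TargetName $TargetName |
        Select-Object TargetName, EnableChap, EnableReverseChap, InitiatorIds, LunMappings
}

# Prompt for the two CHAP secrets rather than embedding them in the script
$chap  = Get-Credential -Message 'CHAP user name and secret (initiator -> target)'
$rchap = Get-Credential -Message 'Reverse CHAP user name and secret (target -> initiator)'

New-RestrictedIscsiLun -TargetName 'SqlData' `
    -InitiatorIqn 'iqn.1991-05.com.microsoft:sql01.contoso.com' `
    -VhdxPath 'D:\iSCSIVirtualDisks\SqlData.vhdx' -SizeBytes 200GB `
    -Chap $chap -ReverseChap $rchap
```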

DFS Replication Enhancements

DFS Replication is a role service in the File and Storage Services role. You can use this role service to replicate folders efficiently. You can replicate folders referred to by a DFS namespace path across multiple servers and sites. DFS Replication uses a compression algorithm known as remote differential compression. Remote differential compression detects changes to the data in a file, and it ensures that the DFS Replication role service replicates only the changed file blocks instead of the entire file.

DFS Replication is greatly improved in Windows Server 2012 R2, from a management, functionality, and performance perspective. It can be managed from the DFS Management console or by using Windows PowerShell.

The most important enhancements for DFS Replication in Windows Server 2012 R2 are:

• Database cloning for initial synchronization. It is now possible to export the DFS Replication database from one server and use that exported copy to do a preseeding on another server. After preseeding, replication continues normally. This can save time, especially on slow links. To export the DFS Replication database, you have to use the Export-DfsrClone cmdlet to export the database and the XML config file, and then Import-DfsrClone to import the database on the destination server and validate the files.

• Unexpected shutdown database recovery improvements. If there is an unexpected power loss or other unexpected stop of the DFS Replication service, Windows Server 2012 R2 can recover from a database shutdown automatically and resume replication. In previous Windows Server versions, you had to re-enable replication manually. It is enabled by default, but it is possible to disable this feature in the registry. However, disabling it is ignored for the SYSVOL folder.

• Cross-file RDC disable. In Windows Server 2012 R2, you now can disable cross-file RDC. Depending on your network topology, disabling cross-file RDC might reduce resource overhead, and it also can increase replication performance.

• Database corruption recovery. Besides being able to recover replication automatically, DFS Replication in Windows Server 2012 also can rebuild corrupt databases without data loss. In Windows Server 2012 and older, if a database is corrupted, DFS Replication deletes the database and starts the non-authoritative initial synchronization process as if replication was being set up for the first time. Because of this, any files on the server being recovered would lose all their conflicts. In that case, conflicts would move into the ConflictAndDeleted or PreExisting folders, leading to perceived or real data loss. In Windows Server 2012 R2, if the DFS Replication database is corrupted, DFS Replication rebuilds it by using local file and update sequence number (USN) information, and then marks each file with a normal replicated state.

• File staging tuning. Unlike Windows Server 2012 and older versions where DFS Replication always used a 256 KB file size for determining staging requirements, you now can configure minimum and maximum staging file size. These values range from 256 KB to 512 TB. By configuring these values, you can increase replication performance.
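The database cloning procedure from the first bullet, written out as an added example that is not from the course: export on the existing member, preseed the files and the exported clone to the new member, then import. Server names, volumes and paths are placeholders, and the new member is assumed to have the DFS Replication role service installed but no replicated folders yet.

```powershell
# Added example, not from the course. Preseeds a new DFS Replication member
# by cloning the database from an existing member (Windows Server 2012 R2).
Import-Module Dfsr

# --- Run on the source (existing) member: export database and XML config ---
Export-DfsrClone -Volume 'D:' -Path 'D:\DfsrClone' -Validation Basic

# Copy the replicated folder and the clone to the new member. Backup mode,
# all attributes and security descriptors are kept so the file hashes match
# what the exported database expects; the DfsrPrivate folder is skipped.
robocopy 'D:\ReplicatedFolder' '\\DFSR02\D$\ReplicatedFolder' /B /E /COPYALL /R:6 /W:5 /XD DfsrPrivate /LOG:D:\preseed.log
robocopy 'D:\DfsrClone'        '\\DFSR02\D$\DfsrClone'        /B /E /COPYALL /R:6 /W:5

# --- Run on the destination (new) member: import the clone and validate files ---
Import-DfsrClone -Volume 'D:' -Path 'D:\DfsrClone'

# Poll until the import has finished before adding the server to the replication group
do {
    Start-Sleep -Seconds 30
    $state = Get-DfsrCloneState
} while ($state -notmatch 'Ready|Failed')
$state
```

Only after the import completes is the new server added to the replication group; the clone seeds the database so that the subsequent initial synchronization transfers only differences.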

Module Review and Takeaways

Best Practice:

• Use Web Application Proxy for publishing internal resources. Always place a firewall in front of Web Application Proxy.

• Take advantage of Workplace Join for personal devices.

• Use Group Policy to configure Work Folders.

• Migrate your clustered roles to Windows Server 2012 R2 clusters to take advantage of new quorum benefits.

• Use SMB 3.0.2 for file storage access.

Review Questions

Question: What is the purpose of Web Application Proxy?

Question: What is the difference between Work Folders and Folder Redirection?

Question: What is the Protected Users Group?

Question: Which quorum modes can be selected in failover clustering in Windows Server 2012 R2?

Question: What are common scenarios for using Data Deduplication?

Module 2 Networking in Windows Server® 2012 R2

Contents: Module Overview 2-1

Lesson 1: Network Services in Windows Server 2012 R2 2-2

Lesson 2: IPAM in Windows Server 2012 R2 2-10

Module Review and Takeaways 2-22

Module Overview

Windows-based networks rely heavily on the IP protocol for the transmission of network data. As a network administrator, you must understand IP functionality and the services that are implemented in Windows Server for IP management. Windows Server 2012 R2 brings several enhancements to existing networking services, such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), NIC Teaming, and IP Address Management (IPAM). In this module, you will learn about some key network services and their improvements in Windows Server 2012 R2.

Objectives

After completing this module, you will be able to:

• Describe network services in Windows Server 2012 R2.

• Describe IPAM in Windows Server 2012 R2.

Lesson 1 Network Services in Windows Server 2012 R2

Windows Server 2012 provides many services that you can use to manage IP address assignment, name resolution, network bandwidth optimization, and remote desktop connectivity. In this lesson, you will learn about the most important network services in Windows Server 2012 R2 and their enhancements.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe DHCP enhancements in Windows Server 2012 R2.

• Describe DHCP Failover.

• Describe NIC Teaming.

• Describe DNS Enhancements in Windows Server 2012 R2.

• Describe Remote Desktop Enhancements in Windows Server 2012 R2.

DHCP Enhancements in Windows Server 2012 R2

DHCP plays an important role in the Windows Server 2012 infrastructure. DHCP provides centralized provisioning and configuration of IP addresses on IPv4 and IPv6 networks.

The following sections describe several new and updated features of the DHCP server role in Windows Server 2012 R2.

DNS Registration Enhancements

Beginning with Windows Server 2012 R2, you can configure policies in DHCP to register DHCP clients with a specific DNS suffix, overriding the DNS suffix that is configured on the client computer. Also, policies are extended to allow administrators to create conditions based on the fully qualified domain name (FQDN) of clients. With these capabilities, you can use DHCP policies for full control of DNS registrations for computers and other devices. This includes computers that are not domain-joined or computers with specifically defined attributes.

DNS Pointer (PTR) Resource Record Registration Options

In previous versions of Windows Server, dynamic registration of a client in DNS also triggered registration in the reverse lookup zone: by default, both the host (A) record and the PTR record are registered during client registration. In Windows Server 2012 R2, you can configure the DHCP server to register only the A record and not the PTR record. This is useful where no reverse lookup zone exists in DNS, so that the DHCP server does not keep repeating failed attempts to register PTR records.
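The following is an added example, not code from the course, that puts the two preceding sections into practice with the DhcpServer module cmdlets that the later "Windows PowerShell for DHCP Server" section summarizes. It creates a policy that matches clients by the FQDN they supply, overrides their DNS suffix, registers A records only, and switches the server's own DNS updates to a dedicated account. The server name LON-DC1, the 172.16.0.0 scope, the guest suffix, and the service account name are assumptions for illustration.

```powershell
# Added example, not part of the course text. Server, scope, suffix, and account
# names are assumed for illustration.
$Dhcp  = 'LON-DC1'       # DHCP server (assumed)
$Scope = '172.16.0.0'    # scope ID (assumed)

# 1. Policy keyed on the client-supplied FQDN (DHCP option 81). Clients whose name is
#    not in the corporate domain are treated as guest devices.
Add-DhcpServerv4Policy -ComputerName $Dhcp -ScopeId $Scope -Name 'Guest-Devices' `
    -Description 'Devices whose name is outside adatum.com' `
    -Condition OR -Fqdn 'NE,*.adatum.com' -ProcessingOrder 1

# 2. DNS registration settings for clients that match the policy:
#    - override the suffix the client sent with a guest suffix,
#    - register the A record only (no PTR; no guest reverse zone exists),
#    - remove the records when the lease expires, and
#    - enable name protection (DHCID records) so a later client cannot take over
#      a name that another client already registered.
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $Scope -PolicyName 'Guest-Devices' `
    -DynamicUpdates Always -DnsSuffix 'guest.adatum.com' `
    -DisableDnsPtrRRUpdate $true -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# 3. Use a dedicated low-privilege account for the server's own DNS updates instead of
#    the DHCP server's computer account (important when DHCP runs on a domain controller).
$cred = Get-Credential -UserName 'ADATUM\svc-dhcp-dnsupdate' -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $cred

# 4. Verify the effective settings for the policy and for the scope as a whole.
Get-DhcpServerv4Policy -ComputerName $Dhcp -ScopeId $Scope | Format-Table Name, Condition, Enabled
Get-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $Scope -PolicyName 'Guest-Devices'
Get-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $Scope
```

Policy-level DNS settings apply only to clients that match the policy; clients that do not match fall back to the scope-level settings shown by the last command, so check both when a registration does not look the way you expect.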


Windows PowerShell for DHCP Server

Windows Server 2012 R2 includes several improvements to the Windows PowerShell module for DHCP Server. The DhcpServer module now includes cmdlets that you can use to create DHCP security groups, to configure the credentials that the server uses for DNS updates, and to manage scopes, superscopes, and multicast scopes. Existing cmdlets have also gained new parameters and switches.

Overview of DHCP Failover

In addition to the existing high availability techniques for DHCP, failover clustering and split scope, Windows Server 2012 introduced DHCP Failover, which enables two DHCP servers to act as failover partners without Windows failover clustering. DHCP Failover is a cost-effective, simple-to-configure, native method for DHCP high availability. In a DHCP Failover configuration, the two partners operate in either hot standby or load balancing mode.

To configure DHCP Failover, you establish a failover relationship between two servers and give the relationship a unique name. During configuration, the DHCP server exchanges this name with its failover partner. Because relationships are identified by name, a single DHCP server can have multiple failover relationships with other DHCP servers, provided that each relationship has a unique name. You can configure failover through a wizard that you start from the shortcut menu of the IPv4 node or of a scope node in the DHCP console.

Note: DHCP Failover is time-sensitive. You must ensure that the time is always synchronized between the partners in the relationship. If the time difference is greater than one minute, the failover process will stop with a critical error.

Configure Maximum Client Lead Time

The Maximum Client Lead Time (MCLT) parameter determines how long a DHCP server waits, after its partner becomes unavailable, before it assumes control of the entire address range. It also bounds how far a server may extend a client's lease beyond what its partner knows about. This value cannot be zero, and the default is one hour.


Configure Failover Mode

You can configure failover in one of two modes: hot standby mode and load sharing mode.

Hot standby mode. In this mode, one server is the primary server and the other is the secondary server. The primary server actively distributes IP configurations for the scope or subnet; the secondary server takes over only if the primary becomes unavailable. A DHCP server can be the primary for one scope or subnet and the secondary for another. You must configure a percentage of the scope's addresses to be reserved for the standby server; the standby hands out these addresses during the MCLT interval while the primary is down, and takes control of the entire range after the MCLT has passed. The default reservation is five percent of the scope. Hot standby mode is best suited to deployments where the standby server sits at a disaster recovery site in a different location and does not service clients unless the main server has an outage.

Load sharing mode. This is the default mode. Both servers distribute IP configuration to clients concurrently; which server responds to a given request depends on the load distribution ratio that you configure. The default ratio is 50:50.

Configure Auto State Switchover Interval

When a server loses contact with its partner, it enters the communication interrupted state. Because the server cannot determine what caused the loss of communication, it stays in this state until an administrator manually changes it to the partner down state. An administrator can instead enable automatic transition to the partner down state by configuring the auto state switchover interval. Auto state switchover is disabled by default; when enabled, the default interval is 10 minutes.

Configure Message Authentication

Windows Server 2012 enables you to authenticate the failover message traffic between partners. In the DHCP Failover configuration wizard, an administrator can establish a shared secret, which acts like a password, that validates that a failover message actually comes from the failover partner. Without it, anything that can reach TCP port 647 on a server could speak the failover protocol to it.

Firewall Considerations

DHCP Failover uses TCP port 647 to listen for failover traffic. Installing the DHCP Server role creates the following inbound and outbound firewall rules:

• Microsoft-Windows-DHCP-Failover-TCP-In

• Microsoft-Windows-DHCP-Failover-TCP-Out

Configure DHCP Failover

The Configure Failover Wizard takes you through the process of creating a failover relationship. The wizard prompts you to enter the following information:

• Name of the relationship

• Which scopes are selected for failover

• Name of the partner server

• The MCLT

• The Mode


• The Load Balance Percentage

• The Auto State Switchover Interval

• Message Authentication Setting

• A shared secret

You then can modify the failover relationship as required by using the Failover tab in the properties of IPv4.
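The wizard input listed above maps directly onto Add-DhcpServerv4Failover. The following is an added example, not code from the course, that creates a load sharing relationship and a hot standby relationship from PowerShell, after performing the two checks a practitioner wants first: that the TCP 647 firewall rules are enabled on both ends, and that the partners' clocks are within the one-minute tolerance the note above describes. Server names (LON-DC1, LON-SVR1, TOR-SVR1) and scope IDs are assumptions.

```powershell
# Added example, not part of the course text. Server and scope names are assumed.
$Primary = 'LON-DC1'    # local DHCP server (assumed)
$Partner = 'LON-SVR1'   # load-sharing partner in the same site (assumed)
$DrSite  = 'TOR-SVR1'   # hot-standby partner at the DR site (assumed)

function Test-DhcpFailoverPrereq {
    param([string]$Server, [string]$PartnerServer)
    # Failover traffic uses TCP 647; the DHCP role's own rules must be enabled on both ends.
    foreach ($s in $Server, $PartnerServer) {
        $rules = Get-NetFirewallRule -CimSession $s -Name 'Microsoft-Windows-DHCP-Failover-TCP-*'
        $off = $rules | Where-Object { $_.Enabled -ne 'True' }
        if ($off) { throw "Failover firewall rule(s) disabled on ${s}: $($off.Name -join ', ')" }
    }
    # Partner clocks must agree to within one minute or failover stops with a critical error.
    $t = foreach ($s in $Server, $PartnerServer) {
        Invoke-Command -ComputerName $s -ScriptBlock { (Get-Date).ToUniversalTime() }
    }
    $skew = [math]::Abs(($t[0] - $t[1]).TotalSeconds)
    if ($skew -gt 60) { throw "Clock skew between $Server and $PartnerServer is $skew seconds" }
}

function New-FailoverSecret {
    # The shared secret authenticates failover messages. Draw it from the CSPRNG rather
    # than reusing a password, and keep it out of scripts and command history.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# Load sharing (the default mode): both servers answer for the scope, 50:50.
# Creating the relationship also replicates the scope configuration to the partner.
Test-DhcpFailoverPrereq -Server $Primary -PartnerServer $Partner
Add-DhcpServerv4Failover -ComputerName $Primary -Name 'LON-DC1-LON-SVR1-LB' `
    -PartnerServer $Partner -ScopeId 172.16.0.0 `
    -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:10:00 `
    -SharedSecret (New-FailoverSecret) -Force

# Hot standby: this server is active; the DR server holds 5% of the range in reserve and
# takes the whole range only after the MCLT has passed. Specifying -ServerRole selects
# hot standby mode.
Test-DhcpFailoverPrereq -Server $Primary -PartnerServer $DrSite
Add-DhcpServerv4Failover -ComputerName $Primary -Name 'LON-DC1-TOR-SVR1-HS' `
    -PartnerServer $DrSite -ScopeId 172.16.10.0 `
    -ServerRole Active -ReservePercent 5 -MaxClientLeadTime 01:00:00 `
    -SharedSecret (New-FailoverSecret) -Force

# Review the relationships; State should be Normal on both partners once synchronized.
Get-DhcpServerv4Failover -ComputerName $Primary |
    Format-Table Name, PartnerServer, Mode, ServerRole, State, MaxClientLeadTime, AutoStateTransition, EnableAuth
```

Later changes, such as adjusting the load balance percentage or the MCLT, go through Set-DhcpServerv4Failover against the relationship name, which is the PowerShell equivalent of the Failover tab described above.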

NIC Teaming

You can use NIC Teaming in Windows Server 2012 to aggregate network adapters to increase bandwidth capability and network availability. NIC Teaming involves taking two or more network adapters and combining them into a single, virtual network adapter that will be used by Windows operating systems and applications. NIC Teaming provides three key benefits.

• Increased throughput. When you combine network adapters into a NIC team, Windows Server 2012 can use the combined bandwidth of all team members. A server with four 10 gigabit-per-second (Gbps) adapters in a team can transmit up to 40 Gbps in aggregate. A single TCP flow is still carried by one member at a time, so the aggregate is reached across many concurrent flows rather than by one transfer. This makes a teamed server suitable for workloads with many concurrent high-throughput data transfers.

• Increased reliability. When you place network adapters in a NIC team, Windows Server 2012 presents one logical interface that represents all of the adapters. In this configuration, one adapter in the team can fail and the team remains functional, with reduced throughput.

• Network adapter load balancing. NIC Teaming uses heuristics that attempt to keep traffic balanced across all members of the team, so that no single adapter becomes the bottleneck for team throughput.

NIC Teaming in Windows Server 2012 R2

Windows Server 2012 R2 adds the Dynamic load balancing mode, which distributes traffic across the adapters in a team more evenly than the earlier address-hash and Hyper-V port modes. Dynamic mode balances on flowlets (bursts within a TCP flow separated by a gap), which lets the operating system rebalance at a finer granularity than whole flows and improves utilization of the team in both directions, inbound and outbound.

Note: NIC Teaming does not allow data to travel directly to a network adapter without contacting the network stack. Remote Direct Memory Access (RDMA)–capable network adapters that are part of a NIC team cannot use RDMA functionality.


Configuring NIC Teaming

To team network adapters, perform the following procedure:

1. Ensure that the server has more than one network adapter.

2. In Server Manager, click the Local Server node.

3. Click Disabled next to Network Adapter Teaming. This displays the NIC Teaming dialog box.

4. In the NIC Teaming dialog box, press Ctrl, and then click each network adapter that you want to add to the team.

5. Right-click the selected network adapters, and then click Add to New Team.

6. In the New Team dialog box, enter a name for the team, and then click OK.

7. Configure appropriate IP settings for the NIC team adapter.
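The same team can be built from PowerShell with the NetLbfo module, which is the usual route on Server Core and in automation. The following is an added example, not code from the course, that refuses to team RDMA-capable adapters (per the note above, RDMA is lost inside a team), creates a switch-independent team with the Dynamic load balancing mode described above, waits for the team interface to come up, and then addresses it. Adapter names, the team name, and the IP addresses are assumptions.

```powershell
# Added example, not part of the course text. Adapter names, team name, and addresses
# are assumed for illustration.
$Members  = 'NIC1', 'NIC2'   # physical adapters to team (assumed names)
$TeamName = 'Team1'

# 1. Refuse to team RDMA-capable adapters: their RDMA capability is unusable once teamed.
$rdma = Get-NetAdapterRdma -Name $Members -ErrorAction SilentlyContinue | Where-Object { $_.Enabled }
if ($rdma) { throw "RDMA is enabled on $($rdma.Name -join ', '); teaming would disable it" }

# 2. Create the team. Switch-independent mode needs no switch configuration; Dynamic is
#    the flowlet-based load balancing mode introduced in Windows Server 2012 R2.
$team = New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# 3. Wait for the team interface to come up before assigning IP settings to it.
do {
    Start-Sleep -Seconds 2
    $team = Get-NetLbfoTeam -Name $TeamName
} while ($team.Status -ne 'Up')

# 4. IP settings belong on the team interface; the members no longer carry any.
$nic = Get-NetAdapter -Name $TeamName
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 172.16.0.20 -PrefixLength 24 `
    -DefaultGateway 172.16.0.1 | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 172.16.0.10

# 5. Verify member health. A member with OperationalStatus Failed means reduced
#    throughput, not an outage, which is exactly the reliability benefit described above.
Get-NetLbfoTeamMember -Team $TeamName |
    Format-Table Name, AdministrativeMode, OperationalStatus, TransmitLinkSpeed, FailureReason
```

Remove a team with Remove-NetLbfoTeam; the members then return to being ordinary adapters without IP configuration, so plan the change window accordingly on a remote server.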

DNS Enhancements in Windows Server 2012 R2

DNS is the foundation name service in Windows Server 2012. DNS provides name resolution and enables clients to locate network services such as Active Directory Domain Services (AD DS) domain controllers, global catalog servers, and messaging servers.

DNS was improved significantly, especially from a security aspect, in Windows Server 2012. Windows Server 2012 R2 includes additional enhancements for DNS. The following sections describe the most important new or updated features of DNS in Windows Server 2012 R2.

Enhanced Zone-Level Statistics

Statistics about how your DNS servers operate are very useful for monitoring and troubleshooting. Some statistics are available in the DNS Manager console, and extended statistics are available through Windows PowerShell. In Windows Server 2012, the Get-DnsServerStatistics cmdlet returns values for the following: CacheStatistics, DatabaseStatistics, DnssecStatistics, DsStatistics, ErrorStatistics, MasterStatistics, MemoryStatistics, NetBiosStatistics, PacketStatistics, PrivateStatistics, Query2Statistics, QueryStatistics, RecordStatistics, RecursionStatistics, SecondaryStatistics, SecurityStatistics, TimeoutStatistics, TimeStatistics, UpdateStatistics, and WinsStatistics.

Windows Server 2012 R2 provides some additional statistics data as described in the following sections:

• ZoneQueryStatistics. Zone query statistics provide information about:

o QueriesFailure. The number of queries that did not result in a successful response, such as queries answered with SERVFAIL.

o QueriesNameError. The number of queries that resulted in an NXDOMAIN or EMPTY AUTH response.

o QueriesReceived. The total number of queries received for the specified record type.

o QueriesResponded. The total number of queries that resulted in a valid DNS response.

These statistics are provided for many resource record types such as A, AAAA, PTR, CNAME, MX, NAPTR, NXT, SRV, TXT, NS, SOA, and many others.


• ZoneTransferStatistics. Zone transfer statistics provide information about AXFR and IXFR transactions, including:

o RequestReceived. The total number of zone transfer requests received by the DNS Server service when operating as a primary server for a specific zone.

o RequestSent. The total number of zone transfer requests sent by the DNS Server service when operating as a secondary server for a specific zone.

o ResponseReceived. The total number of zone transfer responses received by the DNS Server service when operating as a secondary server for a specific zone.

o SuccessReceived. The total number of zone transfers received by the DNS Server service when operating as a secondary server for a specific zone.

o SuccessSent. The total number of zone transfers successfully sent by the DNS Server service when operating as a primary server for a specific zone.

• ZoneUpdateStatistics. Zone update statistics provide information about:

o DynamicUpdateReceived. The total number of dynamic update requests received by the DNS server.

o DynamicUpdateRejected. The total number of dynamic updates rejected by the DNS server.

To access this data, you must use Windows PowerShell with administrative privileges. For example, to get the statistics listed above for the adatum.com zone, run the following commands in Windows PowerShell:

$statistics = Get-DnsServerStatistics -ZoneName adatum.com
$statistics.ZoneQueryStatistics
$statistics.ZoneTransferStatistics
$statistics.ZoneUpdateStatistics
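The per-zone counters are most useful when something reads them for you. The following is an added example, not code from the course, that collects the counters listed above for every primary zone on a server and flags three conditions a defender watches: a high NXDOMAIN ratio (typical of domain-generation malware, enumeration, or stale clients), rejected dynamic updates (unauthorized or misconfigured updaters), and zone transfer requests the primary did not fulfil (someone asked for the zone and was refused). The server name and thresholds are assumptions; the counter property names are the ones listed in the text, and the code sums them in case the server reports them per record type.

```powershell
# Added example, not part of the course text. Server name and thresholds are assumed;
# the counter property names are those documented above.
function Get-DnsZoneAnomaly {
    param(
        [string]$DnsServer = 'LON-DC1',       # assumed
        [double]$NameErrorRatioMax = 0.30,    # assumed: more than 30% NXDOMAIN is suspicious
        [int]$RejectedUpdateMax = 10,         # assumed
        [int]$DeniedTransferMax = 0           # any refused AXFR/IXFR is worth a look
    )
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

    foreach ($z in $zones) {
        $s = Get-DnsServerStatistics -ComputerName $DnsServer -ZoneName $z.ZoneName

        # A statistics group may come back as one object or as one object per record
        # type; summing with Measure-Object covers both shapes.
        $sum = {
            param($objs, $prop)
            [double]((@($objs) | Where-Object { $_ -ne $null } |
                Measure-Object -Property $prop -Sum).Sum)
        }
        $received  = & $sum $s.ZoneQueryStatistics    'QueriesReceived'
        $nameError = & $sum $s.ZoneQueryStatistics    'QueriesNameError'
        $failed    = & $sum $s.ZoneQueryStatistics    'QueriesFailure'
        $xfrReq    = & $sum $s.ZoneTransferStatistics 'RequestReceived'
        $xfrOk     = & $sum $s.ZoneTransferStatistics 'SuccessSent'
        $updRcv    = & $sum $s.ZoneUpdateStatistics   'DynamicUpdateReceived'
        $updRej    = & $sum $s.ZoneUpdateStatistics   'DynamicUpdateRejected'

        $ratio  = if ($received -gt 0) { $nameError / $received } else { 0 }
        $denied = $xfrReq - $xfrOk   # transfer requests this primary received but did not fulfil
        $flags  = @()
        if ($ratio -gt $NameErrorRatioMax)  { $flags += 'HIGH-NXDOMAIN' }
        if ($updRej -gt $RejectedUpdateMax) { $flags += 'UPDATES-REJECTED' }
        if ($denied -gt $DeniedTransferMax) { $flags += 'XFR-DENIED' }

        [pscustomobject]@{
            Zone            = $z.ZoneName
            QueriesReceived = $received
            NameErrorRatio  = [math]::Round($ratio, 3)
            QueriesFailure  = $failed
            UpdatesReceived = $updRcv
            UpdatesRejected = $updRej
            TransfersDenied = $denied
            Flags           = ($flags -join ',')
        }
    }
}

# The counters are cumulative since the DNS Server service started, so compare two runs
# (or reset with Clear-DnsServerStatistics) to detect a change rather than a lifetime total.
Get-DnsZoneAnomaly | Where-Object Flags | Format-Table -AutoSize
```

Run it on a schedule and keep the previous output; a zone whose TransfersDenied or NameErrorRatio jumps between runs is a better signal than any absolute value, because the lifetime counters on a long-running server will include legitimate noise.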

Enhanced DNSSEC Support

Domain Name System Security Extensions (DNSSEC) enable a DNS zone and all the records in it to be signed cryptographically, so that clients can validate DNS responses. DNS is a frequent target of spoofing and cache poisoning attacks; DNSSEC helps protect against these threats and provides a more trustworthy DNS infrastructure. When a DNS server that hosts a signed zone receives a query, it returns the digital signatures (RRSIG records) together with the requested records. A validating resolver or server uses a trust anchor, that is, the public key (DNSKEY) or its hash (DS record) for the signed zone or for a parent of that zone, to verify that the responses are authentic and have not been tampered with. For this to work, you must configure the resolver or server with a trust anchor for the signed zone or for one of its parents. DNSSEC provides integrity and origin authentication only; queries and responses are still sent in clear text.

DNSSEC support first appeared in Windows Server 2008 R2; Windows Server 2012 added online signing, NSEC3, and the Key Master role, and Windows Server 2012 R2 includes further improvements to online signing for file-backed DNS zones and to key management. The Key Master, which is the authoritative DNS server that generates and manages the signing keys for a DNSSEC-protected zone, is now available for file-backed multimaster zones. Key management is also isolated from DNS servers that do not hold the Key Master role: key management tasks such as generation, storage, and retirement are initiated only by the Key Master.


Enhanced Windows PowerShell Support

DNSSEC management tasks are improved with new Windows PowerShell cmdlets in Windows Server 2012 R2.

These new cmdlets are:

• Step-DnsServerSigningKeyRollover. This cmdlet forces a key-signing key rollover when waiting for a parent delegation signer update. If a server that is hosting a securely delegated zone is unable to check whether the delegation signer record in a parent is updated, this parameter enables you to force a rollover. It is expected that the delegation signer record has been updated manually in the parent.

• Add-DnsServerTrustAnchor –Root. The Root parameter set enables you to retrieve trust anchors from a URL specified in the RootTrustAnchorsURL property of the DNS server.

• RootTrustAnchorsURL. The Get-DnsServerSetting and Set-DnsServerSetting cmdlets have been extended with a new RootTrustAnchorsURL string setting, which holds the URL from which Add-DnsServerTrustAnchor -Root retrieves the root trust anchors.
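The following is an added example, not code from the course, that exercises the DNSSEC capabilities described in the two preceding sections: it retrieves the root trust anchors from the configured URL, signs a zone (which makes the signing server its Key Master), proves that signatures are actually being served, and forces a key-signing key rollover only after the parent zone is seen to publish a DS record, which is the precondition Step-DnsServerSigningKeyRollover relies on. The server, zone, and parent-server names are assumptions, as is reading RootTrustAnchorsURL from Get-DnsServerSetting -All.

```powershell
# Added example, not part of the course text. Server, zone, and parent-server names are
# assumed, as is the RootTrustAnchorsURL property on Get-DnsServerSetting -All.
$Dns    = 'LON-DC1'        # assumed
$Zone   = 'adatum.com'     # assumed
$Parent = 'ns1.example'    # authoritative server for the parent zone (assumed)

# 1. Root trust anchors: Add-DnsServerTrustAnchor -Root fetches them from the URL held in
#    RootTrustAnchorsURL, so no key material is pasted in by hand.
(Get-DnsServerSetting -ComputerName $Dns -All).RootTrustAnchorsURL
Add-DnsServerTrustAnchor -ComputerName $Dns -Root
Get-DnsServerTrustAnchor -ComputerName $Dns -Name '.' |
    Format-Table TrustAnchorName, TrustAnchorType, TrustAnchorState

# 2. Sign the zone if it is not signed yet. The server that signs becomes the zone's
#    Key Master and is the only server that generates, stores, and retires its keys.
if (-not (Get-DnsServerZone -ComputerName $Dns -Name $Zone).IsSigned) {
    Invoke-DnsServerZoneSign -ComputerName $Dns -ZoneName $Zone -SignWithDefaultSettings -Force
}
Get-DnsServerSigningKey -ComputerName $Dns -ZoneName $Zone |
    Format-Table KeyId, KeyType, CryptoAlgorithm, KeyLength

# 3. Prove that signatures are served: with the DO bit set, the answer must carry RRSIG.
$answer = Resolve-DnsName -Name "www.$Zone" -Type A -Server $Dns -DnssecOk
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    throw "No RRSIG returned for www.$Zone; the zone is not being served signed"
}

# 4. KSK rollover: Step-DnsServerSigningKeyRollover assumes the DS record in the parent
#    was updated by hand, so refuse to step until the parent actually publishes one.
function Step-KskRolloverIfDelegated {
    param([string]$Server, [string]$ZoneName, [string]$ParentServer)
    $ds = Resolve-DnsName -Name $ZoneName -Type DS -Server $ParentServer -DnssecOk `
              -ErrorAction SilentlyContinue | Where-Object Type -eq 'DS'
    if (-not $ds) {
        throw "$ParentServer publishes no DS record for $ZoneName; update the delegation first"
    }
    $ksks = Get-DnsServerSigningKey -ComputerName $Server -ZoneName $ZoneName |
            Where-Object KeyType -eq 'KeySigningKey'
    foreach ($k in $ksks) {
        Step-DnsServerSigningKeyRollover -ComputerName $Server -ZoneName $ZoneName `
            -KeyId $k.KeyId -Force
    }
}
Step-KskRolloverIfDelegated -Server $Dns -ZoneName $Zone -ParentServer $Parent
```

Step 4 only checks that a DS record exists at the parent; before stepping a rollover in production, also confirm that the DS matches the new key (compare the key tag shown by the parent with the one in the exported DS set for the zone), because a DS that still points at the old KSK will break validation for every resolver that trusts the parent.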

Remote Desktop Enhancements in Windows Server 2012 R2

Remote Desktop Services (RDS) provides users with ability to connect to remote servers for administration, virtual desktops, session-based desktops, and RemoteApp programs. RDS has been used intensively for years, and it provides users and administrators the ability to work from anywhere and from almost any device.

In Windows Server 2012, RDS was improved to provide a better experience over wide area networks, a better administration experience, and a better user experience when RDS is used to connect to a Virtual Desktop Infrastructure (VDI).

Windows Server 2012 R2 includes additional RDS improvements that enhance RemoteApp and further improve administration. Security for RDS-based remote administration is also improved by Restricted Admin mode for Remote Desktop Connection, discussed in the previous module: the administrator's credentials are not sent to the remote host, so they cannot be harvested from it, although the session then authenticates to other network resources as the host's computer account rather than as the administrator. The most significant changes to RDS in Windows Server 2012 R2 are described in the following sections.

Session Shadowing

In Windows Server 2012 R2, you can shadow another user's RDS session, whether it is a RemoteApp session or a full remote desktop session. Shadowing lets you view, and optionally control, another user's active session, which is very useful for troubleshooting and for help desk scenarios. No additional software is needed; the regular Remote Desktop Connection client is used, with a single monitor or multiple monitors. Whether a session can be shadowed, whether control is allowed, and whether the user must consent are governed by Group Policy, and shadowing sessions are recorded in the Remote Desktop Services operational event logs on the server.
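Shadowing is started from the command line with the Remote Desktop Connection client (mstsc /shadow). The following is an added example, not code from the course, that looks up a user's session ID on the target server, reads the shadowing policy there, and starts a shadow session with /control and /noConsentPrompt only where the policy explicitly allows them. The server and user names are assumptions; the session lookup parses English quser output, which is also an assumption.

```powershell
# Added example, not part of the course text. Server and user names are assumed, and the
# quser parser assumes English-language output.
function Get-RdsShadowPolicy {
    param([string]$Server)
    # Policy "Set rules for remote control of Remote Desktop Services user sessions":
    # 0 = disabled, 1 = full control with consent, 2 = full control without consent,
    # 3 = view only with consent, 4 = view only without consent; $null = not configured.
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        (Get-ItemProperty -Path $p -Name Shadow -ErrorAction SilentlyContinue).Shadow
    }
}

function Get-RdsSessionId {
    param([string]$Server, [string]$User)
    # quser columns: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # SESSIONNAME is blank for disconnected sessions, so it is optional in the pattern;
    # a leading '>' marks the caller's own session.
    foreach ($line in (quser /server:$Server 2>$null | Select-Object -Skip 1)) {
        if ($line -match '^\s*>?(?<user>\S+)\s+(?:(?<sess>\S+)\s+)?(?<id>\d+)\s+(?<state>\w+)') {
            if ($Matches.user -eq $User) { return [int]$Matches.id }
        }
    }
    throw "No session for $User on $Server"
}

function Start-SessionShadow {
    param([string]$Server, [string]$User, [switch]$Control)
    $policy = Get-RdsShadowPolicy -Server $Server
    if ($policy -eq 0) { throw "Shadowing is disabled by policy on $Server" }
    if ($Control -and $policy -in 3, 4) { throw "Policy on $Server allows view only" }

    $id = Get-RdsSessionId -Server $Server -User $User
    $mstscArgs = @("/v:$Server", "/shadow:$id")
    if ($Control) { $mstscArgs += '/control' }
    # Skip the consent prompt only where policy explicitly permits it (values 2 and 4);
    # when the policy is not configured, the user is asked for consent.
    if ($policy -in 2, 4) { $mstscArgs += '/noConsentPrompt' }

    Start-Process -FilePath 'mstsc.exe' -ArgumentList $mstscArgs
}

Start-SessionShadow -Server 'LON-SVR1' -User 'adam' -Control   # names assumed
```

The caller also needs the Remote Control permission on the target's RDP listener (granted to administrators by default), and the target must allow inbound Remote Desktop and WinRM for the policy lookup; without the policy check, /noConsentPrompt silently fails where consent is required, which is why the script reads the policy first.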


Improved RemoteApp Behavior

The RemoteApp feature of RDS, introduced in Windows Server 2008, gives users a similar or identical experience when they run remote (terminal) applications as when they run locally installed applications. In Windows Server 2012 R2, RemoteApp supports transparency, live thumbnails, and seamless window movement that keeps application content visible while the window is moved on the screen. This further improves the RemoteApp experience.

Improved Connectivity and Bandwidth Usage

When you use Remote Desktop Connection (RDC) from Windows 8.1 clients, reconnecting to an existing RDS session is faster than before, which gives users quick session reconnection after a network failure. Windows Server 2012 R2 also brings new codecs that provide better traffic compression and bandwidth savings, especially in scenarios such as playing video inside an RDS session.

Dynamic Display Handling

In Windows Server 2012 R2 and Windows 8.1, changes to client displays, such as device rotation, adding a monitor, or docking or undocking a laptop, are reflected automatically in the RDS or RemoteApp session. A session running in RDS is now aware of display changes made on the client and reacts accordingly.

RemoteFX Virtualized GPU Supports DirectX 11.1

RemoteFX provides the ability to virtualize the host's video card inside a client virtual machine to improve performance for demanding graphical tasks. RemoteFX vGPU in Windows Server 2012 R2 adds support for DirectX 11.1: if the RDS virtualization host has a DirectX 11.1-capable video card, its DirectX 11.1 capabilities can be exposed inside a Windows 8.1 desktop virtual machine running on that host. RemoteFX in Windows Server 2012 R2 also adds support for non-uniform memory access (NUMA) and for configuring the amount of video RAM.

Lesson 2 IPAM in Windows Server 2012 R2

The complexity of modern networks can make managing technologies such as DHCP and DNS across an enterprise a difficult task. You can use IPAM to deploy, manage, and monitor your IP addressing infrastructure. It is designed to help you manage multiple servers that are running the DHCP Server or DNS Server roles. IPAM's automatic discovery and agentless operation make it simple to deploy and to integrate with AD DS, DHCP, DNS, and the Network Policy Server role service, so that you can manage an existing infrastructure with ease.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe IPAM.

• Describe IPAM enhancements in Windows Server 2012 R2.

• Describe the IPAM deployment architecture and prerequisites.

• Describe how to deploy IPAM servers and clients.

• Deploy IPAM.

• Describe IPAM role-based access control.

• Describe IPAM DHCP and DNS management.

• Describe how to use IPAM to manage IP addressing.

Overview of IPAM

Managing the allocation of IP addresses can be a complex task in large networks. IPAM provides a framework for discovering, auditing, and managing the IP address space of your network. It enables you to monitor and administer DHCP and DNS, and it provides a comprehensive view of where specific IP addresses are allocated.

You can configure IPAM to collect statistics from both domain controllers and servers that are running Network Policy Server (NPS). The resultant data is recorded in the Windows Internal Database (WID) or optionally in a Microsoft SQL Server database for Windows Server 2012 R2.

IPAM benefits include:

• IPv4 and IPv6 address space planning and allocation.

• IP address space utilization statistics and trend monitoring.

• Static IP inventory management, lifetime management, and DHCP and DNS record creation and deletion.

• Service and zone monitoring of DNS servers.


• IP address lease and logon event tracking.

• Remote administration support by using Remote Server Administration Tools (RSAT).

IPAM consists of four modules that provide the following functionality:

• IPAM discovery. You can configure IPAM to use AD DS for discovering servers that are running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and that are domain controllers or have either DNS or DHCP installed. You also can add servers manually.

• IP address space management. You can use this module to view, monitor, and manage an IP address space. You can dynamically issue or statically assign addresses. You also can track address utilization and detect overlapping DHCP scopes.

• Multiserver management and monitoring. You can use this module to manage and monitor multiple DHCP servers. Multiserver management enables tasks to run across multiple servers. For example, you can configure and edit DHCP properties and scopes, and track the status of DHCP and scope utilization. You also can monitor multiple DNS servers, and you can monitor the health and status of DNS zones across authoritative DNS servers.

• Operational auditing and IP address tracking. You can use the auditing tools to track potential configuration problems. You can collect, manage, and view details of configuration changes from managed DHCP servers. You also can collect address lease tracking from DHCP lease logs and logon event information from domain controllers and servers that are running NPS.

IPAM Enhancements in Windows Server 2012 R2

Windows Server 2012 R2 features several significant improvements to IPAM functionality. These features will be explored in greater detail later in this module:

• Role-based access control (RBAC). With RBAC, you can customize IPAM permissions and access for users and groups in your organization, granting each operator only the IPAM roles, access scopes, and access policies that their job requires. This is discussed in more detail later in this lesson.

• Virtual address space management. You can bring virtual address assignment and management into the same infrastructure that manages your physical address space. By integrating with Microsoft System Center 2012 R2 - Virtual Machine Manager (VMM), the IPAM interface consolidates IP address space administration for both fabric network resources and virtual networks in a single place. The integration also lets IPAM detect and prevent potential address conflicts or overlaps between address spaces defined in multiple VMM instances. IPAM can import and export network configuration automatically to and from VMM by using a dedicated add-in.

• AD DS Sites synchronization. IPAM in Windows Server 2012 R2 can synchronize the subnet information configured on AD DS sites. This gives administrators the ability to see subnet-to-site associations alongside other IP-related data in a single console.

• Enhanced DHCP server management. Windows Server 2012 R2 includes several enhancements that provide a more robust management and monitoring environment for DHCP servers.


• External database support. IPAM now supports SQL Server, in addition to WID, which was previously supported.

• Upgrade and migration support. IPAM configuration data and functionality is migrated automatically when you upgrade from Windows Server 2012 to Windows Server 2012 R2. This provides a seamless upgrade to the new IPAM version without needing to reconfigure IPAM.

• Enhanced Windows PowerShell support. Windows Server 2012 R2 includes new cmdlets that support the management and maintenance of the IPAM environment.

For additional information, see “What’s New in IPAM in Windows Server 2012 R2” on the Microsoft website.

http://technet.microsoft.com/en-us/library/dn268500.aspx

IPAM Deployment Architecture and Prerequisites

IPAM consists of the following main components:

• IPAM server. An IPAM server collects data from the managed servers, hosts the IPAM database (WID or, in Windows Server 2012 R2, SQL Server), and enforces role-based access control.

• IPAM client. An IPAM client provides the client computer interface and interacts with the IPAM server, invoking Windows PowerShell cmdlets to perform remote management, DHCP configuration, and DNS monitoring.

When deploying IPAM, you can select from the following three topologies:

• Distributed. Deploy an IPAM server to each site in your forest.

• Centralized. Deploy a single IPAM server for your entire forest.

• Hybrid. In addition to a centralized IPAM server, also deploy an IPAM server to each site.

To ensure a successful IPAM implementation, your organization’s network infrastructure must meet several prerequisites:

• The IPAM server must be a domain member, but it cannot be a domain controller.

• The IPAM server should be a single-purpose server. Do not install other network roles such as DHCP or DNS on the same server.

• To manage the IPv6 address space, you must enable IPv6 on the IPAM server.

• Sign in to the IPAM server with a domain account and not a local account.

• You must be a member of the correct IPAM local security group on the IPAM server.

• For IPAM’s IP address tracking and auditing feature to work, you must enable logging of account logon events on the domain controllers and servers that are running NPS.


IPAM Deployment Prerequisites

The server on which you intend to deploy IPAM must meet the following hardware and software requirements:

• 2.0 gigahertz (GHz) dual-core processor or faster

• Windows Server 2012 operating system or newer

• 4 gigabytes (GB) or more of random access memory (RAM)

• 80 GB of free hard disk space

IPAM Deployment Considerations

When designing an IPAM deployment, consider the following factors:

• By using IPAM, you can manage only a single AD DS forest.

• You cannot install IPAM on a domain controller.

• You should not install IPAM on a DHCP or DNS server. IPAM is designed to be installed on a single-purpose server. If IPAM is installed on a DHCP server, IPAM will not be able to detect other DHCP servers on the network.

• IPAM servers do not communicate with one another or share database information. If you deploy multiple IPAM servers, you must customize each server’s scope of discovery.

• You can define the scope of discovery to a subset of domains in the forest.

• A single IPAM server can support up to:

o 150 DHCP servers and 500 DNS servers.

o 6,000 DHCP scopes and 150 DNS zones.

• IPAM stores three years of forensics data (IP address leases, host media access control (MAC) addresses, user sign-in and sign-out information) for 100,000 users in a WID. There is no database purge policy provided, and the administrator must purge the data manually as needed.

• IPAM supports WID. Additionally, IPAM on Windows Server 2012 R2 supports SQL Server for storing the IPAM database.

• IP address utilization trends are provided only for IPv4.

• IP address reclamation support is provided only for IPv4.

• IPAM does not check for IP address consistency with routers and switches.


Deploying IPAM Servers and Clients

Deploying IPAM Servers

The first step in deploying IPAM servers is to install the IPAM Server feature in Windows Server 2012 or Windows Server 2012 R2. You can implement IPAM server deployment in several different configuration models:

• Distributed. This model involves IPAM servers deployed for each site in an organization. This model can be useful when infrastructure management is assigned to individual business groups, for a specific area, or when the number of IPAM clients is too large for one IPAM server.

• Centralized. The centralized model consists of a single IPAM server that manages all infrastructure in the environment. This model is used when centralized administration and reporting is required or for smaller organizations.

• Hybrid. The hybrid model consists of a centralized IPAM server for management and reporting and individual IPAM servers at each site for increased redundancy, load handling, or administrative role separation.

After you have decided the IPAM topology to use, you can deploy IPAM servers by performing the following steps:

1. Install the IPAM Server feature. You can perform this step by using Server Manager, or by using the following Windows PowerShell command:

Install-WindowsFeature IPAM -IncludeManagementTools

2. Provision IPAM servers. After the feature installation, you must provision each IPAM server to create the permissions, file shares, and settings on managed servers. You can do this manually or by deploying a Group Policy Object (GPO).

Using the GPO method offers several advantages over manual provisioning:

o GPO applied settings are less prone to human configuration error.

o GPO settings are applied to servers automatically when they are assigned a status of managed.

o Settings are removed easily by disabling or deleting a GPO link.

3. Configure and run server discovery. You must configure the scope of discovery for servers that you are going to manage. Discovery scope is determined by selecting the domain or domains on which the IPAM server will run discovery. You also can add a server manually in the IPAM management console by specifying the FQDN of the server you want to manage.

4. Choose and manage discovered servers. After discovery is complete and you have manually added any servers that were not discovered, you must choose the servers that you want to manage by editing the server properties in the IPAM console, and then by changing the Manageability Status to Managed. After the management permission for a server is set successfully, you will see a status indicator in the IPAM server inventory displaying IPAM Access status Unblocked.
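The four steps above, carried out from Windows PowerShell on the IPAM server. This is an added example and not part of the course; it reuses the LON-SVR2, LON-DC1, LON-SVR1 and Adatum.com names from the course demonstrations, and the IpamServer cmdlets other than the two the course shows (Add-IpamDiscoveryDomain, Add-IpamServerInventory, Set-IpamServerInventory, Get-IpamServerInventory) are used with the parameter names assumed from the Windows Server 2012 R2 module.

```powershell
# Added example (not course material): IPAM deployment end to end from PowerShell.
# Assumed names: LON-SVR2 (IPAM server), LON-DC1 / LON-SVR1 (managed servers), domain Adatum.com.
# Run on the IPAM server with an account allowed to create and link GPOs in the domain.

# Step 1. Install the feature (the command the course shows).
Install-WindowsFeature IPAM -IncludeManagementTools

# Step 2. Provision managed servers through GPOs (course command, with hyphenated parameters).
#   The GPOs created carry the prefix you pass here; they hold the firewall, share and
#   permission settings that manual provisioning would otherwise need on every server.
Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM `
    -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

# Step 3. Discovery scope: the domain(s) in which IPAM looks for DC, DHCP and DNS roles.
Add-IpamDiscoveryDomain -Name "adatum.com" -DiscoverDc $true -DiscoverDhcp $true -DiscoverDns $true

#   A server that discovery misses is added by FQDN, as with the console's manual add.
Add-IpamServerInventory -Name "lon-svr1.adatum.com" -ServerType DHCP -ManageabilityStatus Unmanaged

# Step 4. Mark the servers you want IPAM to manage. The course notes that the GPO settings apply
#   once a server is set to Managed; the GPOs then take effect at the next Group Policy refresh.
foreach ($server in "lon-dc1.adatum.com", "lon-svr1.adatum.com") {
    Set-IpamServerInventory -Name $server -ManageabilityStatus Managed
}

# Force the refresh on the managed servers rather than waiting for the background cycle.
Invoke-Command -ComputerName LON-DC1, LON-SVR1 -ScriptBlock { gpupdate /force | Out-Null }

# Verify: after the refresh, each managed server's IPAM access status should read Unblocked.
Get-IpamServerInventory | Format-List *
```

If a server stays Blocked, the usual causes are a Group Policy refresh that has not yet run on it, or the provisioning GPOs not being linked at a level that covers the server's OU.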


Deploying IPAM Clients

The IPAM client configures and manages IPAM servers. In most cases, the IPAM Client is installed during installation of the IPAM Server feature, and management tasks are performed on the same computer that is running IPAM Server. However, there might be specific instances where you must install an IPAM Client on a server or a workstation in your environment to manage an IPAM Server remotely.

• Windows Server 2012 and Windows Server 2012 R2. You can install the IPAM Client by installing the Windows Feature under Remote Server Administration Tools\Feature Administration Tools\IP Address Management (IPAM) Client.

• Windows 8 and Windows 8.1. The IPAM Client is installed automatically when you install the RSAT.

Demonstration: Deploying IPAM (Optional)

In this demonstration, you will see how to install and configure IPAM.

Demonstration Steps

Install IPAM

• On LON-SVR2, in Server Manager, add the IPAM Server feature and all the required supporting features.

Configure IPAM

1. In the IPAM Overview pane, connect to and provision the IPAM server.

2. Enter IPAM as the GPO name prefix, and then provision IPAM.

3. In the IPAM Overview pane, configure server discovery for the Adatum domain.

4. In the IPAM Overview pane, start the server discovery process.

5. In the IPAM Overview pane, add the servers to be managed.

6. Verify that IPAM access currently is blocked.

7. Use Windows PowerShell to grant the IPAM server permission to manage LON-DC1 by using the following command.

Invoke-IpamGpoProvisioning -Domain Adatum.com -GpoPrefixName IPAM -IpamServerFqdn LON-SVR2.adatum.com -DelegatedGpoUser Administrator

8. Set the Manageability Status to Managed for both servers.

9. Switch to LON-DC1 and force the update of Group Policy.

10. Switch to LON-SVR1 and force the update of Group Policy.

11. Switch back to LON-SVR2, and then refresh the IPv4 view.

12. In the IPAM Overview pane, retrieve data from the managed server.


IPAM Role-Based Access Control

Configuring administration for IPAM can be a complex task, depending on how your IPAM infrastructure is deployed and who is managing the infrastructure. An IPAM server can manage multiple domains, or you can limit an IPAM server to specific roles, or you can limit the servers that are managed.

The RBAC role provides you with the ability to customize roles, access scopes, and access policies. Thus, you can define and establish fine-grained control for users and groups, which enables them to perform a specific set of administrative operations on specific objects that are managed by IPAM.

• Roles. A role is a collection of IPAM operations. You can associate a role with a user or group in the Windows operating system by using an access policy. Eight built-in administrator roles are provided for convenience, but you also can create customized roles to meet your business requirements.

• Access scopes: An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope named Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.

• Access policies: An access policy combines a role with an access scope to assign permission to a user or group. For example, you might define an access policy for a user with a role named IP Block Admin and an access scope named Global\Asia. Therefore, this user will have permission to edit and delete IP address blocks that are associated to the Asia access scope. This user will not have permission to edit or delete any other IP address blocks in IPAM.

IPAM has several built-in, role-based security groups that you can use for managing your IPAM infrastructure.
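The access-scope example from the text (a role limited to IP address blocks, applied to the Global\Asia scope), built with the IpamServer cmdlets. This is an added example, not course material. The scope name Asia, the group ADATUM\Asia-IPAdmins and the role name "IP Block Admin" are assumptions; so are the Operations property on the role object, the wording of the operation names it is filtered on, and the -AccessScopePath parameter on Set-IpamBlock.

```powershell
# Added example (not course material): least-privilege delegation with IPAM RBAC.
# Assumed names: scope "Asia", group ADATUM\Asia-IPAdmins, custom role "IP Block Admin".
# Run on the IPAM server as an IPAM administrator.

# The eight built-in roles and the operations each grants, for reference before designing a custom one.
Get-IpamRole | Format-List Name, Description

# 1. Access scope under Global. Objects placed in Global\Asia are visible to delegates of that
#    scope only; everything left at Global stays out of their reach.
Add-IpamAccessScope -Name "Asia" -ParentAccessScopePath "Global" -Description "Asia-Pacific sites"

# 2. Custom role: only the block-related operations of the built-in address space management role.
#    (Assumption: the role object exposes an Operations list whose entries mention "block".)
$blockOps = (Get-IpamRole -Name "IPAM ASM Administrator").Operations | Where-Object { $_ -match 'block' }
Add-IpamRole -Name "IP Block Admin" -Operation $blockOps -Description "Manage IP address blocks only"

# 3. Access policy = role x scope, granted to a security group rather than a person so that
#    membership changes are visible in AD group auditing instead of in IPAM alone.
Add-IpamAccessPolicy -UserAlias "ADATUM\Asia-IPAdmins" -AccessScopePath "Global\Asia" -UserRole "IP Block Admin"

# 4. Put the Asia blocks into the scope (assumption: Set-IpamBlock accepts -AccessScopePath).
Get-IpamBlock -AddressFamily IPv4 | Where-Object { $_.Description -like 'Asia*' } |
    Set-IpamBlock -AccessScopePath "Global\Asia"

# Review what has been delegated; this is the list to check when someone's access is questioned.
Get-IpamAccessPolicy | Format-List *
```

The delegate can now edit or delete blocks tagged Global\Asia and nothing else, which is the behaviour the text describes for the IP Block Admin role.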


IPAM DHCP and DNS Management

You can configure DHCP servers and scope information by using the IPAM administration interface. IPAM enables you to configure multiple DHCP servers and to use functionality such as DHCP Failover so that servers work together in your DHCP implementation. You also can manage name resolution in your organization by implementing DNS management with IPAM.

Configuring DHCP Servers

You typically would perform DHCP configuration for individual servers from the DNS and DHCP Servers page. You can perform several configuration tasks on a DHCP server from within the IPAM administration interface:

• View DHCP scope information across all servers.

• Edit DHCP Server Properties. You can edit server properties such as DHCP audit logging, DNS dynamic update configuration, and MAC address filtering allow and deny lists.

• Edit DHCP Server Options. You can configure and create DHCP server options based on vendor class or user class.

• Configure DHCP Vendor or User Class. You can view and modify user and vendor classes.

• Configure DHCP Policy. You can edit DHCP policy properties and conditions.

• Import DHCP Policy. You can import DHCP policies by using files exported from other DHCP servers.

• Add DHCP MAC Address Filter. You can add DHCP MAC address filters to allow or deny DHCP address assignment based on MAC address.

• Launch the DHCP MMC. You can open the Microsoft Management Console (MMC) console for the selected server.


• Activate and Deactivate DHCP Policies. You can control the implementation of DHCP policies.

• Replicate DHCP Server. Replicates the configuration of DHCP Failover scopes on a server to DHCP Failover partner servers.

Configuring DHCP Scopes

You can configure DHCP scope details in IPAM by performing the following tasks:

• Edit DHCP scope properties.

• Duplicate DHCP scope. Use a DHCP scope as a template for creating a new scope on the same server or another server.

• Create a DHCP reservation.

• Add to DHCP superscope.

• Configure DHCP Failover.

• Import DHCP policy.

• Activate and deactivate DHCP scopes.

• Activate and deactivate DHCP policies for the selected scope.

• Replicate DHCP scope.

• Remove DHCP Failover configuration.

• Remove a scope from a DHCP superscope.

In Windows Server 2012 R2, you also can perform the following tasks in IPAM:

• DHCP Failover configuration.

• DHCP policies configuration.

• DHCP superscopes configuration.

• DHCP filters configuration.

• DHCP reservations configuration.

Using IPAM in Windows Server 2012 R2, you can create and manage policies centrally across multiple DHCP servers. You can create a policy for multiple servers or scopes in a single operation. You also can copy policies from one server or scope to another.

IPAM DNS Management

IPAM enables you to manage DNS zones for all servers that are managed by the IPAM server. During discovery, IPAM discovers all authoritative DNS servers in the domains that you specify. You can use IPAM to perform any of the following DNS management tasks:

• View DNS servers and zones. You can view all managed DNS servers and the forward lookup zones and reverse lookup zones on those DNS servers. Zone status and health is available for forward lookup zones, but not for reverse lookup zones.

• Open a DNS console for any server that is managed by IPAM. You can open an MMC console for DNS by right-clicking a server on the DNS and DHCP Servers page, and then selecting the DNS MMC console.


• Create DNS records for existing IP addresses. To create a DNS record in IPAM, perform the following procedure:

a. Select one or more IP addresses and verify that each has the correct information in all required DHCP record fields.

b. Right-click the selected IP addresses, and then click Create DNS Host Record to create a forward lookup record.

c. Right-click the selected IP addresses, and then click Create DNS PTR Record to create a reverse lookup record.

Verify that Create Success is displayed under DNS Host Record Sync or DNS PTR Record Sync in the display pane. Status also is displayed on the Configuration Details tab.

Using IPAM to Manage IP Addressing

You can use IPAM to manage, track, audit, and report your organization’s IPv4 and IPv6 address spaces. The IPAM IP Address Space pane provides you with IP address utilization statistics and historical trend data so that you can make informed planning decisions for dynamic, static, and virtual address spaces. IPAM periodic tasks automatically discover address spaces and utilization data as configured on the DHCP servers that are managed by IPAM. You also can import IP address information from comma-separated value files.

IPAM also enables you to detect overlapping IP address ranges that are defined on different DHCP servers, to find free IP addresses within a range, to create DHCP reservations, and to create DNS records.

Viewing and Managing IP Addressing

The IPAM administrative interface provides a number of ways to filter the view of the IP address space. You can customize how you view and manage the IP address space by using any of the following views:

• IP address blocks

• IP address ranges

• IP addresses

• IP address inventory

• IP address range groups

IP Address Blocks

IP address blocks are the highest-level entities within an IP address space organization. An IP block is an IP subnet that is marked by a start IP address and an end IP address. You can use IP address blocks to create and allocate IP address ranges to DHCP. You can add, import, edit, and delete IP address blocks. IPAM automatically maps IP address ranges to appropriate IP address blocks based on the boundaries of the range.


IP Address Ranges

IP address ranges are the next hierarchical level of IP address space entities after IP address blocks. An IP address range is an IP subnet that is marked by a start IP address and an end IP address. IP address ranges typically correspond to a DHCP scope, a static IPv4 or IPv6 address range, or an address pool that is used to assign addresses to hosts.

IP Addresses

IP addresses are the addresses that make up the IP address range. IPAM enables end-to-end life-cycle management of IPv4 and IPv6 addresses, including record synchronization with DHCP and DNS servers. IPAM automatically maps an address to an appropriate range based on the starting and ending address of the IP address range.

IP Address Inventory

In the IP address inventory view, you can see a list of all IP addresses in the enterprise with their device names and types. IP address inventory is a logical group within the IP addresses view. You can use this group to customize the way the address space is displayed for managing and tracking IP usage.

IP Address Range Groups

IPAM enables you to organize IP address ranges into logical groups. For example, you might organize IP address ranges geographically or by business division. Logical groups are defined by selecting the grouping criteria from built-in or user-defined fields.

Monitoring DHCP and DNS Servers

IPAM enables automated, periodic service monitoring of DHCP and DNS servers across a forest. Monitoring and managing DHCP and DNS servers is organized into the views listed in the following table.

You can use the IPAM address space management feature to view, monitor, and manage the IP address space on a network. The address space management feature supports IPv4 public and private addresses, and IPv6 global and unicast addresses.


Utilization Monitoring

IPAM maintains utilization data for:

• IP address ranges

• IP address blocks

• IP range groups

You can configure thresholds for the percentage of the IP address space that is utilized, and then you can use those thresholds to determine underutilization or overutilization.

You can perform utilization-trend building and reporting for IPv4 address ranges, blocks, and range groups.

Demonstration: Managing IP Addressing with IPAM

Demonstration Steps

1. On LON-SVR2, in Server Manager, add the following IP address block:

o Network ID: 172.16.18.0

o Prefix length: 24

o Start IP address: 172.16.18.0

o End IP address: 172.16.18.255

o Description: Toronto subnet

2. Change the Current view to IP Address Blocks to view the newly created block.

3. In Server Manager, on the IP Address Blocks page, edit the IP Address Range for the 172.16.20.0/23 Network.

4. Add a Reservation for the IP address: 172.16.20.160.

5. Use IPAM to create a new DHCP scope on LON-DC1 with the following data:

o Scope name: IPAM Scope1

o Start IP address: 172.17.0.1

o End IP address: 172.17.0.100
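The block, range and utilization thresholds from the demonstration created with the IpamServer cmdlets, followed by a stand-alone overlap check of the kind the text says IPAM performs for ranges defined on different DHCP servers. This is an added example, not course material. The addresses follow the demonstration; the sample ranges fed to the overlap check are constructed; the range object property names NetworkId, StartAddress, EndAddress, PercentageUtilized and Utilization are assumptions.

```powershell
# Added example (not course material): IPAM address space objects and an overlap check.
# Demo values: block 172.16.18.0/24 (Toronto), range 172.16.20.0/23. Run on the IPAM server.

# Block (top-level container) and a static range, as created in the demonstration.
Add-IpamBlock -NetworkId "172.16.18.0/24" -StartIPAddress 172.16.18.0 -EndIPAddress 172.16.18.255 `
    -Description "Toronto subnet"
Add-IpamRange -NetworkId "172.16.20.0/23" -StartIPAddress 172.16.20.1 -EndIPAddress 172.16.21.254 `
    -ManagedByService IPAM -ServiceInstance Localhost -AssignmentType Static

# Thresholds (percent) behind the under-/over-utilized flags on ranges, blocks and range groups.
Set-IpamAddressUtilizationThreshold -OverUtilizationThreshold 80 -UnderUtilizationThreshold 20
Get-IpamRange -AddressFamily IPv4 | Format-Table NetworkId, PercentageUtilized, Utilization -AutoSize

# Free addresses inside a range, the console's "Find and Allocate" from the command line.
Get-IpamRange -AddressFamily IPv4 | Where-Object { $_.NetworkId -eq '172.16.20.0/23' } |
    Find-IpamFreeAddress -NumAddress 3

# ---- Overlap detection on plain start/end pairs (runs without IPAM) ----
function ConvertTo-UInt32Address ([string]$Ip) {
    # Dotted IPv4 -> unsigned 32-bit integer so ranges can be compared numerically.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network order -> little-endian for BitConverter
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpamRangeOverlap {
    # Input: hashtables @{ Name; Start; End }. Output: one object per overlapping pair.
    # Sorted sweep that remembers the furthest end seen, so a large range that contains several
    # later ranges is reported against each of them, not only against the next one.
    param([hashtable[]]$Ranges)
    $sorted = $Ranges | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; S = ConvertTo-UInt32Address $_.Start; E = ConvertTo-UInt32Address $_.End }
    } | Sort-Object S
    $maxEnd = $null; $maxName = $null
    foreach ($r in $sorted) {
        # Adjacent ranges (previous end + 1 == this start) are not overlaps; equal or lower is.
        if ($null -ne $maxEnd -and $r.S -le $maxEnd) {
            [pscustomobject]@{ RangeA = $maxName; RangeB = $r.Name }
        }
        if ($null -eq $maxEnd -or $r.E -gt $maxEnd) { $maxEnd = $r.E; $maxName = $r.Name }
    }
}

# Constructed sample: two DHCP servers carving the same /23, with a 21-address collision.
$sample = @(
    @{ Name = 'LON-DC1 scope';  Start = '172.16.20.1';   End = '172.16.20.120' },
    @{ Name = 'LON-SVR1 scope'; Start = '172.16.20.100'; End = '172.16.20.200' },
    @{ Name = 'Static pool';    Start = '172.16.20.201'; End = '172.16.21.254' }   # adjacent, no overlap
)
Test-IpamRangeOverlap -Ranges $sample    # reports LON-DC1 scope / LON-SVR1 scope only

# Same check over live data (assumed property names on the IPAM range object):
# Test-IpamRangeOverlap -Ranges (Get-IpamRange -AddressFamily IPv4 |
#     ForEach-Object { @{ Name = $_.NetworkId; Start = "$($_.StartAddress)"; End = "$($_.EndAddress)" } })
```

Two scopes leasing the same addresses is the condition that produces duplicate-address conflicts on the network, so the overlap report is worth running whenever a new scope is imported from a server IPAM did not previously manage.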


Module Review and Takeaways

Best Practice: Use DHCP Failover for DHCP high availability.

• In highly secure environments, always implement DNSSEC.

• If possible, use Windows 8.1 clients for Remote App and VDI to take advantage of RDS enhancements.

• For more complex networks, implement IPAM to manage IP addressing and name resolution.

Review Questions

Question: What is the difference between DHCP in Windows failover clustering and DHCP Failover?

Question: Does IPAM provide any advantages if you are not configuring or managing your IP addressing environment centrally?

Question: What is the difference between an IP address block and an IP address range in IPAM?


Module 3 Hyper-V® in Windows Server® 2012 R2

Contents:

Module Overview 3-1

Lesson 1: Virtual Machine Enhancements 3-2

Lesson 2: Storage Enhancements in Hyper-V on Windows Server 2012 R2 3-9

Lesson 3: Hyper-V Networking Improvements 3-14

Lesson 4: Hyper-V Availability Improvements 3-21

Module Review and Takeaways 3-25

Module Overview

Hyper-V has been a Windows Server role since the release of Windows Server 2008. In each new version of Windows Server, Hyper-V has included improvements to its management, high availability, security, and performance features. In Windows Server 2012 R2, Hyper-V introduces a new generation of virtual machines, several storage management enhancements, and also significant improvements in networking and high availability. In this lesson, you will learn about the most important changes to Hyper-V in Windows Server 2012 R2.

Objectives

After completing this module, you will be able to:

• Describe virtual machine enhancements.

• Describe storage enhancements in Hyper-V on Windows Server 2012 R2.

• Describe Hyper-V networking enhancements.

• Describe Hyper-V availability enhancements.

Lesson 1: Virtual Machine Enhancements

Hyper-V in Windows Server 2012 R2 provides many virtual machine enhancements over the previous version of Hyper-V. It includes a new generation of virtual machines with more flexible activation. Hyper-V in Windows Server 2012 R2 also provides the ability to export virtual machines while they are running, in addition to new features in Virtual Machine Connection software. In this lesson, you will learn about virtual machine enhancements to Hyper-V in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe Generation 2 virtual machines.

• Create and manage Generation 2 virtual machines.

• Describe Automatic Virtual Machine Activation (AVMA).

• Describe online virtual machine export.

• Describe enhanced session mode in Virtual Machine Connection.

• Explain how to use enhanced session mode.

• Describe Generation ID.

• Explore the purpose of Generation ID.

Overview of Generation 2 Virtual Machines

Virtual machines work the same way that physical computers do. Most operating systems and applications that run on virtual machines will not be aware that they are virtualized. By using emulated hardware, operating systems that are not virtualization-aware can still be run in virtual machines. On machines running enlightened operating systems, integration services allow virtual machines to access synthetic devices and thus perform better. With the broad adoption of virtualization, many modern operating systems now include integration services.

Windows Server 2012 R2 brings some significant changes to virtual machines. Hyper-V in Windows Server 2012 R2 still fully supports the existing type of virtual machines by naming them Generation 1 virtual machines, but it also provides support for a new type of virtual machines, called Generation 2 virtual machines.

Generation 2 virtual machines are built on the assumption that operating systems are virtualization-aware. Generation 2 removes all legacy and emulated virtual hardware devices and uses only synthetic devices. BIOS-based firmware is replaced by advanced Unified Extensible Firmware Interface (UEFI) firmware, which supports secure boot. Virtual machines start from a small computer system interface (SCSI) controller or by using the Pre-Boot Execution Environment (PXE) from a network adapter. All legacy and emulated devices are removed from Generation 2 virtual machines, and the remaining virtual devices use virtual machine bus (VMBus) to communicate with parent partitions.


Generation 1 and Generation 2 virtual machines have similar performance, except during startup and when installing operating systems. In these instances, Generation 2 is considerably faster. You can run Generation 1 and Generation 2 virtual machines side by side on the same Hyper-V host. You select the virtual machine generation when you create a new virtual machine, and you cannot change it later. Generation 1 virtual machines will still be in use for a long time because you can install almost any operating system on such virtual machines. Generation 2 virtual machines currently support only Windows Server 2012, Windows 8 (64-bit), and newer 64-bit Windows operating systems.

For more information, see “Generation 2 Virtual Machine Overview” on the Microsoft TechNet website.

http://technet.microsoft.com/en-us/library/dn282285.aspx

Question: Can you convert a Generation 1 virtual machine that has Windows Server 2012 R2 installed to a Generation 2 virtual machine?

Demonstration: Creating and Managing Generation 2 Virtual Machines

Demonstration Steps

1. On LON-HOST1, use Hyper-V Manager to create a new virtual machine with the following settings:

o Name: LON-VM2

o Generation: Generation 2

o Startup Memory: 1024 MB

o Use Dynamic Memory: Enabled

2. Use the Windows PowerShell command-line interface cmdlet New-VM to create a new virtual machine with the following settings:

o Name: LON-VM1

o Generation: Generation 1

o Startup Memory: 1 GB

o Boot Device: IDE

3. Use the cmdlet Add-VMHardDiskDrive to add the C:\Shares\VHDs\Differencing.vhdx disk to the IDE Controller of LON-VM1.

4. On LON-HOST1, use Hyper-V Manager to confirm that there are three types of hardware listed in the Add Hardware section in the details pane for LON-VM2. Also, confirm that no BIOS, IDE Controllers, COM ports or Diskette Drive are listed, but that Firmware is listed.

5. Use Hyper-V Manager to confirm that you can add five hardware types to LON-VM1. Also, confirm that BIOS, IDE Controllers, COM ports and a Diskette Drive display, but no Firmware displays.
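The two virtual machines from the demonstration created with the Hyper-V module, together with the firmware checks that show why the hardware lists in steps 4 and 5 differ. This is an added example and not course material; the names, the differencing disk path and the host LON-HOST1 follow the demonstration.

```powershell
# Added example (not course material): Generation 1 vs Generation 2 from PowerShell on LON-HOST1.
# Names (LON-VM1, LON-VM2) and the disk path are the ones used in the demonstration.

# Generation 1: BIOS firmware, IDE boot, emulated devices. The generation cannot be changed later.
New-VM -Name LON-VM1 -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE -NoVHD
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 `
    -Path "C:\Shares\VHDs\Differencing.vhdx"

# Generation 2: UEFI firmware, SCSI or PXE boot, synthetic (VMBus) devices only.
New-VM -Name LON-VM2 -Generation 2 -MemoryStartupBytes 1024MB -NoVHD
Set-VMMemory -VMName LON-VM2 -DynamicMemoryEnabled $true

# Secure Boot belongs to the UEFI firmware, so it exists only on Generation 2. Leave it On unless
# the guest operating system is one that cannot boot under it.
Get-VMFirmware -VMName LON-VM2 | Select-Object VMName, SecureBoot, BootOrder
Set-VMFirmware -VMName LON-VM2 -EnableSecureBoot On

# The BIOS object exists only for Generation 1; querying it on LON-VM2 is expected to fail.
Get-VMBios -VMName LON-VM1
try   { Get-VMBios -VMName LON-VM2 -ErrorAction Stop }
catch { "LON-VM2 has no BIOS: $($_.Exception.Message)" }

# Emulated hardware that Generation 2 drops entirely: COM ports and the diskette drive.
Get-VMComPort -VMName LON-VM1
Get-VMFloppyDiskDrive -VMName LON-VM1

Get-VM -Name LON-VM1, LON-VM2 | Format-Table Name, Generation, State -AutoSize
```

A smaller emulated device surface is part of the security argument for Generation 2: there is no legacy BIOS, no IDE controller and no COM port for a guest to probe, and the boot chain is measured by UEFI Secure Boot.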


Overview of AVMA

When implementing virtualization, it is important to ensure proper licensing of virtual machine operating systems. Running on a physical host, Windows Server 2012 Datacenter provides you with the right to run an unlimited number of Windows Server–based virtual machines as long as they are running on that same physical host.

In Windows Server 2012 R2, Microsoft provided AVMA technology that you can use to run Windows-based products on virtual machines in accordance with the Product Use Rights and Microsoft Software License Terms.

AVMA technology enables you to install virtual machines on a physical host that is running Windows Server 2012 R2 Datacenter without the need to have a product key for every single virtual machine. This is done by binding the virtual machine activation state with a licensed and activated physical virtualization server. Because of this, the physical server that is running Windows Server 2012 R2 Datacenter must be licensed and activated properly. When using AVMA, each virtual machine that is running on such a host is activated when it starts up. Also, AVMA provides usage reporting and historical data about the license state of the virtual machine. Reporting and tracking data is available on the virtualization server.

With AVMA, there is no need to use product keys or case stickers for licensing. Virtual machines are activated automatically, and they stay activated even when they are migrated to another physical host—for example, during failover. In this scenario, the second physical host must have a properly licensed operating system. For hosting providers with Microsoft Services Provider License Agreements, AVMA removes the need to share product keys with tenants.

AVMA only requires a virtualization server that is running Windows Server 2012 R2 Datacenter. The guest virtual machine operating system must be Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, or Windows Server 2012 R2 Essentials.

To implement AVMA, you first have to install Windows Server 2012 R2 Datacenter on a physical host machine and then add the Hyper-V role to it. When the Hyper-V role is installed, you create a new virtual machine and install any of the supported guest operating systems.

After that, you install an AVMA key in the virtual machine. From an elevated command prompt or Windows PowerShell, run the following command.

slmgr /ipk <AVMA_key>

The virtual machine will activate the license against the virtualization server automatically.
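The checks a practitioner would run on each side of the AVMA procedure: that the host is the required Datacenter edition and is itself activated, then that the guest reports a licensed state after the key is installed. This is an added example and not course material; the key is a placeholder for the published AVMA key of the guest edition, and nothing here contacts an activation server.

```powershell
# Added example (not course material): verifying the AVMA prerequisites and result.

# --- On the Hyper-V host: must be Windows Server 2012 R2 Datacenter, and must itself be activated.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version
Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus          # LicenseStatus 1 = licensed

# --- Inside the guest (Windows Server 2012 R2 Datacenter, Standard or Essentials):
# install the AVMA key. The value below is a placeholder; use the published key for the edition.
slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

# Activation is brokered by the host through the Data Exchange integration service, so the guest
# needs no activation-related network access. Confirm the state after a short wait:
slmgr /dlv
Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus
```

If the guest never reaches LicenseStatus 1, check the host's own activation first; an unlicensed host is the most common reason AVMA guests stay unactivated.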


Online Virtual Machine Export

In Windows Server 2012 R2, you can perform a live export of a virtual machine or checkpoint. You can export them while a virtual machine is running. In Hyper-V on Windows Server 2012, you first have to save the state or shut down the virtual machine prior to performing the export.

When you want to perform an export, you need to specify a location in which to export the files. Export creates a subfolder and consolidates virtual machine files in that subfolder. For example, if a virtual machine uses virtual disks from different locations, after the export, all the virtual disks will be stored in the same folder. If a virtual machine uses differencing virtual hard disks, Hyper-V exports all the parent disks. If multiple virtual machines are exported and they all use the same parent disk, the parent disk is exported for each machine. This can increase the total size of export considerably when you compare it to the size of virtual machines prior to export. When you export a virtual machine, Hyper-V also exports all the checkpoints of that virtual machine.

Exporting a checkpoint exports only a single point-in-time snapshot of a virtual machine. The exported virtual machine is an exact copy of the virtual machine at the moment when you create the checkpoint. If there are additional checkpoints in a hierarchy before the one you are exporting—which means that the virtual machine is using the hierarchy of differencing virtual hard disks—all of those differencing virtual hard disks will be merged for the exported virtual machine.

After you import an exported virtual machine (when you export a checkpoint, the virtual machine is exported without a checkpoint), you should update integration services on the virtual machine, especially if the target Hyper-V host is running a newer version of Hyper-V. You also should check if the imported virtual machine contains a saved state or a checkpoint that was created when the virtual machine was running. If that is the case, you will have to discard its memory content if the saved state or checkpoint was created on the Hyper-V host prior to Windows Server 2012, or if the Hyper-V host was running on different hardware architecture such as Intel or AMD.

You can export a virtual machine or a checkpoint in the Hyper-V Manager console by right-clicking it and then clicking Export. You also can use the Windows PowerShell cmdlets Export-VM and Export-VMSnapshot to export a virtual machine or a checkpoint.
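An online export, a checkpoint export, and the post-import checks the text recommends (integration services version, and discarding a saved state that is not valid on the destination hardware), as an added example that is not part of the course. The virtual machine name LON-VM1 and the paths under D:\ are assumptions.

```powershell
# Added example (not course material): live export/import of a Hyper-V VM on Windows Server 2012 R2.
# Assumed names: LON-VM1, export root D:\Export, import root D:\Imported.

# Live export: on Windows Server 2012 R2 the VM can keep running; no saved state or shutdown needed.
Export-VM -Name LON-VM1 -Path "D:\Export"

# Export a single checkpoint; the differencing chain up to that point is merged into the copy.
$cp = Get-VMSnapshot -VMName LON-VM1 | Select-Object -First 1
if ($cp) { Export-VMSnapshot -Name $cp.Name -VMName LON-VM1 -Path "D:\Export\Checkpoint" }

# Size check: every exported VM carries its own copy of any shared parent disk, so the total can
# exceed the space the VMs occupy on the source host.
$gb = (Get-ChildItem -Path "D:\Export" -Recurse -File | Measure-Object Length -Sum).Sum / 1GB
"Export footprint: {0:N1} GB" -f $gb

# Import as a copy with a new VM ID so it can never be confused with the original if both
# end up on the same host or cluster.
$config = Get-ChildItem -Path "D:\Export\LON-VM1\Virtual Machines" -Filter *.xml | Select-Object -First 1
$vm = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath "D:\Imported" -VhdDestinationPath "D:\Imported\VHDs"

# Post-import checks from the text.
# 1. Integration services: update them if the destination runs a newer Hyper-V.
Get-VM -Name $vm.Name | Select-Object Name, IntegrationServicesVersion, IntegrationServicesState

# 2. Saved state / running checkpoints carry memory content that is only valid on the same
#    hardware architecture and on Windows Server 2012 or later; discard it otherwise.
if ($vm.State -eq 'Saved') { Remove-VMSavedState -VMName $vm.Name }
Get-VMSnapshot -VMName $vm.Name | Select-Object Name, CreationTime
```

Exported folders contain full disk images and, for saved states, memory contents; treat the export location with the same access controls as the running virtual machines.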

Enhanced Session Mode in Virtual Machine Connection

Hyper-V uses the Virtual Machine Connection tool to connect to virtual machines by using Remote Desktop Protocol. Prior to Windows Server 2012 R2, Virtual Machine Connection provided only basic redirection of a virtual machine's screen, keyboard, and mouse, similar to a keyboard, video, and mouse (KVM) switch over IP. The tool also provided limited cut-and-paste functionality, which was limited to text and did not support any other content such as graphics or files.


In Windows Server 2012 R2, you still use the same method to connect to virtual machines, but Hyper-V also supports the enhanced session mode. Enhanced session mode utilizes the Remote Desktop Services (RDS) component in virtual machines and establishes full Remote Desktop sessions over VMBus. Even if a virtual machine has no network connectivity, if there is network connectivity to the Hyper-V host on which the virtual machine is running, you can connect to the virtual machine by using the Virtual Machine Connection tool and by using enhanced session mode. This means that local resources such as smart cards, printers, drives, USB devices, or any other supported Plug and Play devices can be redirected to virtual machines. You also can use Folder Redirection, use a shared Clipboard for copying content to virtual machines, or even copy files to virtual machines in drag-and-drop operations, even if a virtual machine does not have network connectivity. Enhanced session mode and full Remote Desktop are available even when virtual machines are running in Hyper-V on a Server Core installation or Microsoft Hyper-V Server 2012 R2.

You can configure an enhanced session mode at the following levels:

• Server settings. The Enhanced Session Mode Policy setting affects all virtual machines that are running on the Hyper-V host. If this setting is enabled, enhanced session mode connections to virtual machines on this Hyper-V host will be allowed.

Note: The default setting for the Allow enhanced session mode is set to Disabled in Hyper-V on Windows Server 2012 R2, and it is set to Enabled on Windows 8.1.

• User settings. The Enhanced Session Mode setting determines if the Virtual Machine Connection tool attempts to use enhanced session mode.

• Guest operating system. Enhanced session mode is available only if you connect to virtual machines that are running Windows Server 2012 R2 or Windows 8.1. RDS must be running on the virtual machine, and the user account you will be using to sign in to the virtual machine must be a member of the Remote Desktop Users local group.
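The three configuration levels above checked from PowerShell, as an added example that is not course material. The host LON-HOST1, the guest LON-CL1 and the group ADATUM\Helpdesk are assumptions. Because enhanced session mode moves host drives, clipboard content and devices into a guest over VMBus even when the guest has no network, the host-level setting is the one to govern deliberately.

```powershell
# Added example (not course material): enhanced session mode at each of the three levels.

# --- Server setting (Hyper-V host). Default is Disabled on Windows Server 2012 R2, Enabled on Windows 8.1.
Get-VMHost -ComputerName LON-HOST1 | Select-Object Name, EnableEnhancedSessionMode
Set-VMHost -ComputerName LON-HOST1 -EnableEnhancedSessionMode $true     # or $false to forbid it host-wide

# --- User setting: Virtual Machine Connection keeps "Use enhanced session mode" per user in its
#     own settings; it decides whether a connection attempts the enhanced mode, not whether it is allowed.

# --- Guest prerequisites, run inside LON-CL1 (Windows 8.1 or Windows Server 2012 R2):
#     the Remote Desktop Services service must be running ...
Get-Service -Name TermService | Select-Object Name, Status

#     ... and the signing-in account must be in the local Remote Desktop Users group.
net localgroup "Remote Desktop Users"
net localgroup "Remote Desktop Users" "ADATUM\Helpdesk" /add

# Enhanced sessions are RDP sessions inside the guest, so the guest's logon auditing records them
# like any other Remote Desktop sign-in; the Remote Desktop firewall rule is not needed because
# the session travels over VMBus, not the guest's network adapter.
```

Note the distinction the text makes: the guest's Remote Desktop switch can stay disabled (the demonstration's last step confirms this) and enhanced session mode still works, so "RDP is off" on a guest is not evidence that nobody can open a full session to it from the host.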

For more information, see “Virtual Machine Connection - Enhanced Session Mode Overview” on the Microsoft TechNet website.

http://technet.microsoft.com/en-us/library/dn282274.aspx

Question: Can you use enhanced session mode to start a virtual machine from a USB device?

Demonstration: Using Enhanced Session Mode

Demonstration Steps

1. On LON-HOST1, confirm that when Virtual Machine Connection with LON-CL1 opens, your previous session displays.

2. On LON-HOST1, use Hyper-V Manager to configure Allow enhanced session mode.

3. Use Hyper-V Manager to connect to LON-CL1. Confirm that local drives are redirected.

4. Confirm that you are not signed in automatically to LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd.

5. On LON-HOST1, use File Explorer to browse to C:\Windows, and then copy Write.exe.

6. On LON-CL1, paste Write.exe on the desktop.


7. On LON-CL1, use File Explorer to confirm that drives from LON-HOST1 are mapped to a virtual machine.

8. On LON-CL1, confirm that Remote Desktop is disabled.

What is Generation ID?

To address situations in which virtual machines are reverted back to a previous checkpoint, Hyper-V on Windows Server 2012 utilizes the virtual machine Generation ID feature. Generation ID is a 64-bit integer value that is associated with an instance of a virtual machine configuration file. Every checkpoint has its own configuration file, which also means that it has a different Generation ID value.

The Generation ID value is accessible to the operating system through the virtual machine BIOS, and it is unique across all virtual machine configurations. Applications in virtual machines can read the Generation ID value when the virtual machine starts or resumes and then compare it with the last value of which the application is aware. If both values are the same, it implies that the state of the virtual machine has not changed. For example, the virtual machine is not cloned and a checkpoint has not been applied, so the application can continue to run normally.

If the previous and current Generation ID values are different, this means that the virtual machine identity is not the same. This can be the result of different actions such as creating a new virtual machine and attaching it to a virtual hard disk (VHD) with an installed operating system, restoring a system backup to a different virtual machine, or applying the checkpoint to the existing virtual machine. When the application detects a change in Generation ID, it should consider that it is running in a different virtual machine and should act accordingly. For example, when Active Directory Domain Services detects a change in Generation ID value, it updates its InvocationID value and effectively modifies the identity of the domain controller.

To use a virtual machine Generation ID from inside a virtual machine, the following prerequisites apply:

• The virtual machine must be running on a hypervisor that implements support for virtual machine Generation ID. Several virtualization platforms meet this requirement, including Windows 8, Windows Server 2012, and newer Windows operating systems, and VMware vSphere 5.0 update 2 and newer.

• The virtual machine must be running an operating system that is aware of and is using Generation ID. Windows 8, Windows Server 2012, and newer Windows operating systems meet this requirement.

o If a virtual machine has integration services installed from Windows 8 or Windows Server 2012, applications on other operating systems such as Windows Server 2008 Service Pack 2 or Windows 7 Service Pack 1 also can read the Generation ID value. These older operating systems are not Generation ID–aware, but applications running on the virtual machine can still read the Generation ID value.

Note: The Generation ID value is projected into a virtual machine through an emulated BIOS device, and integration services present it as a Microsoft Hyper-V Generation Counter. Because of this, an operating system in a virtual machine can access the Generation ID value only if integration services from Windows 8, Windows Server 2012, or newer are installed.


Actions that will cause the Generation ID to change include:

• The virtual machine starts from a checkpoint.

• The same checkpoint is applied multiple times.

• The virtual machine is restored from a backup.

• The virtual machine is migrated by using Microsoft System Center 2012 - Virtual Machine Manager (VMM) export and import.

• The virtual machine is imported.

Actions that will not cause the Generation ID to change include:

• The virtual machine is live-migrated.

• The virtual machine is paused or resumed.

• The virtual machine is restarted.

• The Hyper-V host is restarted.

Note: Virtualized domain controller cloning takes advantage of the Generation ID feature.

For more information, see the “Virtual Machine Generation ID” document, which is available from the Microsoft download website.

http://go.microsoft.com/fwlink/?LinkId=260709

For more information, see “Virtual machine generation identifier” on the MSDN website.

http://msdn.microsoft.com/en-us/library/jj643357(v=vs.85).aspx

Demonstration: Exploring Generation ID

Demonstration Steps

1. On LON-VM1, use Device Manager to confirm that the Microsoft Hyper-V Generation Counter system device is present. This is how a virtual machine presents Generation ID to the operating system.

2. Turn off LON-VM1.
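The same check can be done from a script inside the guest, and on a virtualized domain controller you can also record the values that AD DS keeps so that the effect of applying a checkpoint (the invocationID change described above) becomes observable. The script below is an added example and is not part of the course; LON-DC1 is a constructed name, and it assumes the Active Directory module is available on the machine where it runs.

```powershell
# Added example (not from the course): verify Generation ID support from inside
# a guest and, on a virtualized domain controller, read the values AD DS keeps.
# Run this inside the virtual machine. LON-DC1 is a constructed sample name.

# 1. The Microsoft Hyper-V Generation Counter device is how the hypervisor
#    projects the Generation ID into the guest (the same thing the demonstration
#    checks in Device Manager).
$genCounter = Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.Name -eq 'Microsoft Hyper-V Generation Counter' }
if ($genCounter) {
    "Generation Counter device present: {0} (status {1})" -f $genCounter.Name, $genCounter.Status
} else {
    'No Generation Counter device: this hypervisor or the installed integration services do not expose Generation ID.'
}

# 2. On a domain controller, AD DS stores the Generation ID it last saw in the
#    msDS-GenerationId attribute of the DC's computer object, and its replication
#    identity is the invocationID. Capture both before applying a checkpoint and
#    compare afterwards: a new invocationID shows that the DC detected the
#    Generation ID change and reset its identity, as the text describes.
Import-Module ActiveDirectory
$dcName   = 'LON-DC1'                                   # constructed (assumption)
$dc       = Get-ADDomainController -Identity $dcName
$computer = Get-ADComputer -Identity $dcName -Properties 'msDS-GenerationId'

$genIdBytes = $computer.'msDS-GenerationId'
$genIdHex   = if ($genIdBytes) {
    ($genIdBytes | ForEach-Object { $_.ToString('x2') }) -join ''
} else {
    '<not set: DC has never seen a Generation ID>'
}

[pscustomobject]@{
    DomainController = $dc.HostName
    InvocationId     = $dc.InvocationId
    GenerationId     = $genIdHex
    Captured         = Get-Date
} | Format-List
```

Run the script once before and once after applying a checkpoint to the domain controller; the two outputs should differ in both the Generation ID and the invocationID, which is exactly the safeguard against USN rollback that the feature provides.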

Lesson 2: Storage Enhancements in Hyper-V on Windows Server 2012 R2

Storage is a very important part of a virtualization environment. Windows Server 2012 Hyper-V introduced some significant changes to virtual machine storage, and Windows Server 2012 R2 brings some new functionality to better manage storage capabilities and also to optimize its usage. In this lesson, you will learn about storage enhancements in Hyper-V in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe storage Quality of Service (QoS).

• Explain how to work with storage QoS.

• Describe online virtual hard disk resizing.

• Describe shared virtual hard disks for guest clusters.

Storage QoS

In earlier versions of Hyper-V, it was not possible to limit I/O operations per second (IOPS) per virtual machine. If a virtual machine had an application that was storage-intensive with a large number of read/write operations to storage, the virtual machine could monopolize the Hyper-V host, and other virtual machines could have slower access to storage. In Windows Server 2012 R2, Hyper-V includes an option to configure QoS parameters when virtual machines are accessing storage so that you can provide enough IOPS to each virtual machine.

You can configure storage QoS for each virtual hard disk. By specifying the maximum IOPS value in the advanced features of the virtual hard disk, you can balance and throttle the storage I/O between virtual machines, and you can prevent a virtual machine from consuming excessive storage I/O operations, which could affect other virtual machines. You also can configure the minimum IOPS value and receive a notification when the IOPS for that virtual hard disk is below the configured value. In addition, the virtual machine metrics infrastructure is updated with storage-related parameters so that you can monitor performance and chargeback for used resources.

Note: Virtual disk maximum IOPS settings are specified in terms of normalized IOPS. IOPS are measured in 8-kilobyte increments.

Note: Storage QoS is not available if you are using shared virtual hard disks.


Demonstration: Working with Storage QoS

Demonstration Steps

1. On LON-CL1, run the following command:

C:\LabFiles\sqlio.exe

2. After the test completes, make note of the IOPS result.

3. On LON-HOST1, use Hyper-V Manager to select Enable Quality of Service management, type 100 as Minimum and 200 as Maximum for Hard Drive under IDE Controller 0.

4. On LON-CL1, run the following command again:

C:\LabFiles\sqlio.exe

5. After the test completes, verify the IOs/sec result, and then confirm that it is close to the 200 limit that you set, which is considerably lower than the first result.

6. On LON-HOST1, in Windows PowerShell, use the cmdlet Set-VMHardDiskDrive to disable QoS management for IDE Hard Disk on 20409A-LON-CLx.
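Steps 3 and 6 of the demonstration can be done entirely with Set-VMHardDiskDrive, and the storage counters mentioned in the topic can be read with the resource metering cmdlets. The following script is an added example that is not part of the course; it uses the same VM and controller as the demonstration (LON-CL1, IDE controller 0, location 0) as constructed values and assumes it runs on the Hyper-V host.

```powershell
# Added example (not from the course): apply, observe and clear storage QoS on
# one virtual hard disk. VM name and controller coordinates are constructed to
# match the demonstration.
$vmName = 'LON-CL1'

# Apply the limits used in the demonstration. The values are normalized IOPS:
# one 8 KB request counts as 1, so a single 64 KB request counts as 8.
Set-VMHardDiskDrive -VMName $vmName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 `
    -MinimumIOPS 100 -MaximumIOPS 200

# Read back what is configured on that disk.
Get-VMHardDiskDrive -VMName $vmName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 |
    Select-Object VMName, ControllerType, Path, MinimumIOPS, MaximumIOPS

# The storage counters in the metrics infrastructure: enable resource metering,
# let the workload (for example sqlio.exe from the demonstration) run for a
# while, then read the average normalized IOPS and latency the VM achieved.
Enable-VMResourceMetering -VMName $vmName
Start-Sleep -Seconds 60
Measure-VM -VMName $vmName |
    Select-Object VMName, AggregatedAverageNormalizedIOPS, AggregatedAverageLatency

# Disable QoS management again (demonstration step 6): setting both values to 0
# removes the reservation and the cap.
Set-VMHardDiskDrive -VMName $vmName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 `
    -MinimumIOPS 0 -MaximumIOPS 0
```

Because the minimum is only a notification threshold and not a guarantee, comparing AggregatedAverageNormalizedIOPS against the configured MinimumIOPS over time is the practical way to find disks that are not getting the I/O you planned for them.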

Online Virtual Hard Disk Resizing

In previous versions of Hyper-V, you had to turn off a virtual machine if you wanted to expand or shrink the size of a virtual hard disk. In Windows Server 2012 R2, you can perform these operations without turning off the virtual machine, so there is no downtime. Virtual hard disk maintenance operations now can be performed while a virtual machine is running, so the workloads inside a virtual machine remain available all the time.

To use this feature, your user account must be a member of the Hyper-V Administrators group or the Administrators group. Also, your virtual machines must use the .vhdx virtual hard disk format; older .vhd files are not supported for online resizing. With .vhdx virtual hard drives, you can do online resizing for fixed, differencing, and dynamic virtual hard drives. Virtual hard drives that you want to resize must be connected by using a SCSI controller; it is not possible to use IDE controllers for this purpose.

You can perform two main operations with online virtual hard disk resizing: expanding and shrinking.

When you perform online expanding, you increase the capacity of your virtual hard disk. You must then allocate the additional space inside the virtual machine by using the Disk Management tool, because after an expansion the new space appears as unallocated space. Use the Extend Volume Wizard in Disk Management to merge the added space with your current volume.

When you perform shrinking, the total size of your virtual hard drive decreases. The amount of space that you can subtract from your current virtual hard drive depends on how much space is used currently by the virtual machine. Before you perform a shrinking, you first must use the Disk Management tool inside the virtual machine to shrink the volume used by the virtual machine. After that, you can perform online shrinking of a virtual hard drive.


Note: The UI option to shrink a virtual hard disk is visible only for virtual hard disks that have been expanded previously.

You can perform both operations by using the Edit Virtual Hard Disk Wizard in the Hyper-V console. You also can use Windows PowerShell to perform these operations.
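The Windows PowerShell route is Resize-VHD, and it is worth scripting the prerequisites from this topic (VHDX format, SCSI controller, expand versus shrink) as checks before the resize runs. The script below is an added example, not course material; the VM name, controller location, drive letter and target size are constructed values, and it assumes Windows PowerShell remoting is enabled in the guest so the volume can be extended from the same script.

```powershell
# Added example (not from the course): expand a VHDX while the VM is running,
# after checking the prerequisites the topic lists, then extend the guest volume.
# All names and sizes below are constructed values.
$vmName  = 'LON-SVR1'
$newSize = 60GB
$driveLetter = 'E'          # guest volume that lives on the resized disk

# Only disks on a SCSI controller can be resized online; IDE disks cannot.
$disk = Get-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 1
if (-not $disk) { throw "No disk on SCSI controller 0, location 1 of $vmName" }

# Only the .vhdx format supports online resizing; .vhd must be converted first.
$vhd = Get-VHD -Path $disk.Path
if ($vhd.VhdFormat -ne 'VHDX') {
    throw "Online resizing requires VHDX; $($disk.Path) is $($vhd.VhdFormat)"
}

if ($vhd.Size -lt $newSize) {
    # Expansion: grow the container while the VM keeps running.
    Resize-VHD -Path $disk.Path -SizeBytes $newSize
} else {
    # Shrinking: the guest volume must already have been shrunk in Disk
    # Management; -ToMinimumSize then trims the VHDX down to the used extent.
    Resize-VHD -Path $disk.Path -ToMinimumSize
}
"{0} is now {1} GB" -f $disk.Path, ((Get-VHD -Path $disk.Path).Size / 1GB)

# After an expansion the new space is unallocated inside the guest. Extending
# the partition to its maximum supported size is the PowerShell equivalent of
# the Extend Volume Wizard. Runs over WinRM (assumed enabled in the guest).
Invoke-Command -ComputerName $vmName -ArgumentList $driveLetter -ScriptBlock {
    param($letter)
    $max = (Get-PartitionSupportedSize -DriveLetter $letter).SizeMax
    Resize-Partition -DriveLetter $letter -Size $max
    Get-Volume -DriveLetter $letter | Select-Object DriveLetter, Size, SizeRemaining
}
```

The shrink branch deliberately runs only after you have shrunk the volume in the guest; Resize-VHD -ToMinimumSize never cuts into data, it reduces the container to the smallest size that still holds every allocated block.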

Shared Virtual Hard Disks for Guest Clusters

In previous versions of Windows Server, to implement guest clustering, you had to expose shared storage to the virtual machine. You could connect to shared storage by using a Virtual Fibre Channel interface or by using Internet SCSI (iSCSI). In some scenarios, it was a complicated task to perform if you did not have the support of appropriate drivers for Virtual Fibre Channel, or if you did not have iSCSI support on the storage. Also, in some scenarios such as when virtual machines are hosted at a hosting provider, administrators do not want to expose a storage layer to virtual machine users or tenant administrators.

To address these issues in Windows Server 2012 R2, Microsoft has provided an additional layer of abstraction for virtual machine cluster storage. You now can share a virtual hard disk (in .vhdx format only) between two or more virtual machines, and you can use that virtual hard disk as shared storage when building guest clusters. You can use a shared virtual hard disk as a witness disk or as a data disk in a cluster.

How Does a Shared Virtual Hard Disk Work?

You add shared virtual hard disks as SCSI drives in the virtual machine settings. They appear as virtual serial attached SCSI (SAS) disks in a virtual machine. You can add a shared virtual hard disk to any virtual machine that is running on a Windows Server 2012 R2 Hyper-V platform. By using this technology, guest clustering configuration is simplified because you have several options for providing shared storage for guest clusters. These options include shared virtual hard disks, Fibre Channel, Server Message Block (SMB), storage spaces, and iSCSI storage. You can use shared virtual disks to provide storage for solutions such as Microsoft SQL Server databases and file server clusters.

How to Configure Shared Virtual Hard Disks?

Shared virtual disks are used only in guest cluster scenarios. To configure a guest failover cluster that uses shared virtual hard disks, you require the following:

• At least a two-node Hyper-V failover host cluster is necessary.

• All servers must be running Windows Server 2012 R2.

• All servers must belong to the same Active Directory domain.

• Configured shared storage resources must be available—for example, Cluster Shared Volumes (CSVs) on block storage such as clustered storage spaces, or a Scale-Out File Server cluster that is running Windows Server 2012 R2 with SMB 3.0 for file-based storage.

• Sufficient memory, disk, and processor capacity within the failover cluster is necessary to support multiple virtual machines that are implemented as guest failover clusters.


For guest operating systems, you can use Windows Server 2012 and Windows Server 2012 R2. However, if you use Windows Server 2012 in virtual machines that are using shared virtual hard disks, you must install Hyper-V integration services from Windows Server 2012 R2. Both Generation 1 and Generation 2 virtual machines are supported.

When you decide to implement shared virtual hard disks as storage for guest clusters, you first must decide where to store the shared virtual hard disk. You can deploy a shared virtual hard disk in the following locations:

• CSV location. In this scenario, all virtual machine files, including the shared .vhdx files, are stored on a CSV that is configured as shared storage for a Hyper-V failover cluster.

• Scale-Out File Server SMB 3.0 share. This scenario uses SMB file–based storage as the location for the shared .vhdx files. You must deploy a Scale-Out File Server and create an SMB file share as the storage location. You also need a separate Hyper-V failover cluster.

Note: You cannot deploy a shared virtual hard disk on an ordinary file share or on a local hard disk on a host machine. You must deploy a shared virtual hard disk on a highly available location.

You can configure a shared virtual hard drive by using Hyper-V Manager or Windows PowerShell. After you prepare your environment and create a virtual hard disk in .vhdx format in an appropriate location, open the virtual machine settings in Hyper-V Manager and add a new SCSI disk drive. When adding the new drive, you must specify the location of your shared virtual hard disk. Before accepting the changes in the virtual machine settings interface, you must mark this drive as shared in the advanced properties of the SCSI disk. Then, repeat this procedure on all virtual machines that should use this shared virtual disk drive.

To share a virtual hard disk by using Windows PowerShell, you should use the Add-VMHardDiskDrive cmdlet with the -ShareVirtualDisk parameter. This command must run with administrator privileges on the Hyper-V host for each virtual machine that will use the shared .vhdx file.

For example, the following command adds a shared virtual hard disk (Data1.vhdx) stored on Volume1 of a CSV to a virtual machine that is named VM1.

Add-VMHardDiskDrive -VMName VM1 -Path C:\ClusterStorage\Volume1\Data1.vhdx -ShareVirtualDisk

Also, the following command adds a shared virtual hard disk (Witness.vhdx) that is stored on an SMB file share (\\Server1\Share1) to a virtual machine that is named VM2.

Add-VMHardDiskDrive -VMName VM2 -Path \\Server1\Share1\Witness.vhdx -ShareVirtualDisk
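The two commands above attach one disk to one virtual machine. For a guest cluster the same file has to be attached, with the share flag, to every node, and each Add-VMHardDiskDrive call has to run on the host where that node lives. The following script is an added example, not course material; node and host names and the CSV path are constructed values.

```powershell
# Added example (not from the course): attach one shared VHDX to every node of
# a guest cluster and verify the share flag on each. Node-to-host mapping and
# the CSV path are constructed values.
$nodes = @{                               # guest cluster node -> Hyper-V host
    'LON-SVR1' = 'LON-HOST1'
    'LON-SVR2' = 'LON-HOST2'
}
$sharedVhd = 'C:\ClusterStorage\Volume1\Data1.vhdx'   # must live on a CSV or SOFS share

# Shared virtual hard disks must be .vhdx; refuse anything else up front.
if ([System.IO.Path]::GetExtension($sharedVhd) -ne '.vhdx') {
    throw 'Shared virtual hard disks must be in .vhdx format'
}

foreach ($node in $nodes.Keys) {
    $hyperVHost = $nodes[$node]

    # Shared disks go on the SCSI controller; pick the first free location.
    $used = (Get-VMHardDiskDrive -ComputerName $hyperVHost -VMName $node `
                -ControllerType SCSI -ControllerNumber 0).ControllerLocation
    $free = 0..63 | Where-Object { $_ -notin @($used) } | Select-Object -First 1

    Add-VMHardDiskDrive -ComputerName $hyperVHost -VMName $node `
        -ControllerType SCSI -ControllerNumber 0 -ControllerLocation $free `
        -Path $sharedVhd -ShareVirtualDisk
}

# SupportPersistentReservations is the property that -ShareVirtualDisk sets.
# Every node must show True for the same path, otherwise the guest cluster will
# not treat the disk as shared storage.
foreach ($node in $nodes.Keys) {
    Get-VMHardDiskDrive -ComputerName $nodes[$node] -VMName $node -ControllerType SCSI |
        Where-Object { $_.Path -eq $sharedVhd } |
        Select-Object VMName, ControllerNumber, ControllerLocation, Path, SupportPersistentReservations
}
```

The verification loop at the end is the part to keep in any deployment script: a node that was attached without the share flag looks identical in Hyper-V Manager until the cluster validation wizard fails on it.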


Comparing Shared Virtual Disk and Other Shared Storage Technologies

The following table shows a comparison between shared virtual disks, Virtual Fibre Channel, and iSCSI when used for virtual machine shared storage.

For more information, see “Deploy a Guest Cluster Using a Shared Virtual Hard Disk” on the Microsoft TechNet website.

http://technet.microsoft.com/en-us/library/dn265980.aspx

Lesson 3: Hyper-V Networking Improvements

Virtual machines are isolated even when they are running on the same Hyper-V host and they communicate only over the network. Hyper-V in Windows Server 2012 and Windows Server 2012 R2 includes an entirely redesigned and extensible virtual switch, which enables basic network packet forwarding. New, advanced features such as network virtualization and Windows Server Gateway additionally improve networking management in virtual environments. In this lesson, you will learn about networking improvements in Hyper-V in Windows Server 2012 R2.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe virtual switches in Hyper-V.

• Describe virtual switch enhancements in Windows Server 2012 R2.

• Describe Hyper-V Network Virtualization.

• Describe Windows Server Gateway.

• Describe network adapter (NIC) Teaming in virtual machines.

Virtual Switches in Hyper-V

When you have multiple physical computers that you want to connect inside the same network segment, you typically connect them by using network switches. Switches operate on layer two (the data-link layer) of the Open Systems Interconnection model. Switches act as network hubs with an intelligent layer added to them. Network switches can inspect data packets, determine the source and destination of each data packet, and forward data packets appropriately. By delivering packets only to the intended connected device, network switches conserve network bandwidth and offer better performance than network hubs.

A Hyper-V virtual switch offers similar functionality to a hardware network switch. A Hyper-V virtual switch is a software-implemented Layer 2 network switch that is available as part of the Hyper-V role. You can use the Hyper-V virtual switch to connect virtual machines to virtual networks and physical networks. On the Hyper-V host, the host operating system, for example Windows Server 2012 R2, also runs in a virtual machine (the parent partition), which means that the parent partition also connects to the network through the Hyper-V virtual switch. Prior to Windows Server 2012, Hyper-V included a simple network switch that was not extensible and provided only basic networking features. The Hyper-V virtual switch in Windows Server 2012 and Windows Server 2012 R2 is fully extensible. It provides advanced features such as policy enforcement, tenant isolation, traffic shaping, and protection against malicious virtual machines. You also can extend it with non-Microsoft extensions.

The Hyper-V virtual switch provides ways to extend the virtual switch without replacing the entire switch—for example, to add monitoring, filtering, or forwarding functionality. You implement extensions by using Network Driver Interface Specification (NDIS) filter drivers and Windows Filtering Platform callout drivers, which are two public platforms for extending Windows networking functionality. If you extend a virtual switch, the virtual switch extensions are listed in the Virtual Switch Manager feature of Hyper-V Manager.

You can manage Hyper-V virtual switches by using the Virtual Switch Manager or Windows PowerShell cmdlets. For example, the following cmdlet lists all of the Hyper-V virtual switches on a Hyper-V host:

Get-VMSwitch

VMNetworkAdapter is the primary noun that you can use to manage various security features, QoS, port mirroring, and other features. You can get more information about these features by running the following cmdlet:

Get-Help Set-VMNetworkAdapter

The host operating system on a Hyper-V host also runs inside a virtual machine (parent partition), which means that you can add and manage virtual network adapters to it in a similar manner as with other virtual machines. You can connect each virtual network adapter to a separate Hyper-V virtual switch or to the same Hyper-V virtual switch as other adapters. You can create multiple parent virtual network adapters that you then can use for purposes such as live migration, accessing a SAN, and parent operating system management. You also can limit bandwidth for each virtual network adapter by assigning a QoS policy to the adapter. If you want to create a virtual network adapter in the parent partition, run the following Windows PowerShell cmdlets:

Add-VMNetworkAdapter -ManagementOS -Name Management
Add-VMNetworkAdapter -ManagementOS -Name Storage
Add-VMNetworkAdapter -ManagementOS -Name "Live Migration"
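Put together, the three parent adapters, a VLAN per role and the QoS policy mentioned above form the usual converged setup on a single external switch. The script below is an added example and not part of the course; the switch name, VLAN IDs and bandwidth weights are constructed values, and NIC-Team1 is assumed to be an existing NIC team or physical adapter on the host.

```powershell
# Added example (not from the course): converged parent-partition networking on
# one external switch, with a VLAN and a minimum-bandwidth weight per role.
# Switch name, VLAN IDs and weights are constructed; 'NIC-Team1' is assumed to
# be an existing team or physical adapter name on the host.
$switchName = 'ConvergedSwitch'

# Create the external switch without the default management adapter, and in
# weight-based minimum-bandwidth mode so each parent adapter can be given a
# share of the uplink under contention.
New-VMSwitch -Name $switchName -NetAdapterName 'NIC-Team1' `
    -AllowManagementOS $false -MinimumBandwidthMode Weight

# One parent adapter per role from the text, each on its own VLAN with a weight.
$parentAdapters = @(
    @{ Name = 'Management';     Vlan = 10; Weight = 10 },
    @{ Name = 'Storage';        Vlan = 20; Weight = 40 },
    @{ Name = 'Live Migration'; Vlan = 30; Weight = 30 }
)
foreach ($a in $parentAdapters) {
    Add-VMNetworkAdapter -ManagementOS -Name $a.Name -SwitchName $switchName
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $a.Name -Access -VlanId $a.Vlan
    Set-VMNetworkAdapter -ManagementOS -Name $a.Name -MinimumBandwidthWeight $a.Weight
}

# Review: one vNIC per role, the switch it sits on, its VLAN, and its weight.
Get-VMNetworkAdapter -ManagementOS |
    Select-Object Name, SwitchName, BandwidthPercentage
Get-VMNetworkAdapterVlan -ManagementOS |
    Select-Object ParentAdapter, OperationMode, AccessVlanId
```

Weights are relative, so the three values above simply mean that under contention storage traffic gets the largest share and management the smallest; with no contention each adapter can use the whole uplink.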

Question: Do you need to create a virtual switch on a Hyper-V host?

Virtual Switch Enhancements in Windows Server 2012 R2

Virtual switches in Hyper-V are improved in Windows Server 2012 R2 by implementing several new technologies. The enhancements to virtual switches in Windows Server 2012 R2 compared to the virtual switches in Windows Server 2012 Hyper-V are discussed in the following sections.

Extended Port Access Control Lists

You can use extended port access control lists (ACLs) in a Hyper-V virtual switch to enforce security policies and firewall protection at the switch level for virtual machines. The differences between the ACLs in Windows Server 2012 and Windows Server 2012 R2 Hyper-V include:

• Administrators now can include socket port numbers when developing ACLs.

• The Hyper-V virtual switch supports unidirectional, stateful rules with a timeout parameter.
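The port-level security settings managed through Set-VMNetworkAdapter (mentioned in the previous topic) and the extended ACLs introduced here are typically applied together to a tenant virtual machine's switch port. The following script is an added example, not course material; the VM name, ports and addresses are constructed values.

```powershell
# Added example (not from the course): harden one tenant VM's switch port with
# the VMNetworkAdapter security settings, then add 2012 R2 extended ACLs that
# allow only the traffic the workload needs. VM name, ports and addresses are
# constructed values.
$vmName = 'TENANT-WEB1'

# Port protections: no MAC spoofing, no rogue DHCP server or router
# advertisements from the guest.
Set-VMNetworkAdapter -VMName $vmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# Extended ACLs are evaluated by weight (the higher weight wins when rules
# overlap). Allow the web port inbound as a stateful rule so replies flow
# without a separate outbound allow, allow DNS to one resolver outbound,
# and deny everything else in both directions with the lowest weight.
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Action Allow -Direction Inbound -Weight 100 `
    -Protocol TCP -LocalPort 443 -Stateful $true -IdleSessionTimeout 300
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Action Allow -Direction Outbound -Weight 90 `
    -Protocol UDP -RemoteIPAddress 10.0.0.53 -RemotePort 53
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Action Deny -Direction Inbound  -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $vmName -Action Deny -Direction Outbound -Weight 1

# Review the effective port configuration, highest-weight rule first.
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object VMName, MacAddressSpoofing, DhcpGuard, RouterGuard
Get-VMNetworkAdapterExtendedAcl -VMName $vmName |
    Sort-Object Direction, Weight -Descending |
    Select-Object Direction, Action, Weight, Protocol, LocalPort, RemotePort, Stateful
```

Because the rules are unidirectional, the outbound deny would block the replies to inbound HTTPS connections if the inbound allow were not stateful; that is the reason the topic singles out the stateful rules with a timeout as the 2012 R2 change.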


Dynamic Load Balancing of Network Traffic

When you map a virtual network to a NIC team on a Windows Server 2012 R2 Hyper-V host, network traffic is load balanced continuously across network adapters, with traffic streams moved as necessary to maintain this balance. In Windows Server 2012 Hyper-V, traffic streams remained with the network adapter in the team that they were assigned to initially and would not be dynamically moved to other network adapters in the team.

Coexistence with Third-Party Forwarding Extensions

Third-party switch extensions are supported in coexistence scenarios with Hyper-V virtual switches. The Hyper-V Network Virtualization module forwards the network traffic that is encapsulated through Hyper-V Network Virtualization Generic Routing Encapsulation (NVGRE), and any installed third-party forwarding extension forwards the non-NVGRE network traffic.

Receive Side Scaling on the Virtual Machine Network Path

Windows Server 2012 R2 supports virtual receive side scaling on the virtual machine network path. This allows virtual machines to support greater network traffic loads. Virtual receive side scaling accomplishes this by spreading the processing load across multiple processor cores on both the Hyper-V host and the virtual machine. The virtual machine can take advantage of the virtual receive side scaling improvements only if the processor on the Hyper-V host supports RSS and the virtual machine is configured to use multiple processor cores.

Network Tracing Improvements

You use Netsh Trace commands to trace packets. Improvements in Windows Server 2012 R2 enable you to view port and switch information as you trace network traffic through Hyper-V virtual switches.

What's New in Hyper-V Virtual Switch in Windows Server 2012 R2

http://technet.microsoft.com/en-us/library/dn343757.aspx

Overview of Hyper-V Network Virtualization

Network virtualization provides similar functionality to network traffic as server virtualization to virtual machines. You can use server virtualization to run multiple virtual machines on the same physical server. Each virtual machine is isolated from other virtual machines, and from each virtual machine, it seems as though that virtual machine is the only one running on the physical server, even when multiple virtual machines are running on the same physical server simultaneously.

The same approach is used for network virtualization. You can have multiple virtual networks that are logically isolated, and potentially, each virtual network uses overlapping IP address space on the same physical network infrastructure. From each virtual network, it seems as if only that virtual network is using the physical network infrastructure, even though multiple virtual networks could be using the same physical infrastructure at the same time.

Network virtualization is an implementation of software-defined networking. It provides a layer of abstraction between the physical network and network traffic. To achieve this abstraction, the virtualization platform has to support it.


The Hyper-V virtual switch in Windows Server 2012 and Windows Server 2012 R2 supports this virtualization by using two IP addresses for each virtual machine. By using two IP addresses, network virtualization enables you to keep a logical network topology, which is virtualized, separate from the actual underlying physical network topology and addresses that are used on a physical network. This enables you to run virtual machines and provide them with the same network access without any modification on any Hyper-V host, assuming that the Hyper-V hosts are configured to map between both IP addresses.

Benefits of Network Virtualization

Network virtualization provides a layer of abstraction between a physical network and network traffic. Virtual machines can run on physical servers and are not aware that they are actually virtualized. Similarly, networks can be virtualized and can use their own IP address space, regardless of the IP address space used on a physical network. You can implement network isolation by using different solutions such as virtual local area networks (VLANs), private VLANs, and port ACLs. However, network virtualization avoids their limitations relating to scalability and complex configuration. Network virtualization provides a scalable, standards-based, and inexpensive solution for providing multitenant network isolation.

Network virtualization provides the following benefits:

• Flexible virtual machine placement. Network virtualization provides abstraction and separates virtual machine IP addresses (customer address) from physical network IP addresses (provider address). This way, you can place a virtual machine on any Hyper-V host in a data center, and placement is no longer restricted by the IP address assignment or VLAN isolation restrictions of a physical network.

• Multitenant network isolation without VLANs. You can define and enforce network traffic isolation without using VLANs or reconfiguring physical network switches. Also, you are not limited to 4,094 VLAN IDs. In addition, with network virtualization, when you move existing virtual machines or create new ones, you do not need to reconfigure physical hardware manually.

• IP address reuse. Virtual machines in different virtual networks can use the same or overlapping IP address space even when they are deployed on the same physical network. Virtual networks are isolated, and they can use the same address space without any conflict or issue.

• Live migration across subnets. Virtual machine live migration used to be limited to the same IP subnet or VLAN, because a virtual machine moved to a different subnet would have had to change its IP address. With network virtualization, you can move a virtual machine by using live migration between two Hyper-V hosts in different subnets without needing to change the virtual machine IP address. With network virtualization, the virtual machine location change is updated and synchronized among the computers that have ongoing communication with the migrated virtual machine.

• Compatibility with existing network infrastructure. Network virtualization is compatible with existing network infrastructure, and you can deploy it in an existing data center.

• Transparent movement of virtual machines to a shared infrastructure as a service (IaaS) cloud. When network virtualization is used, IP addresses, IP policies, and virtual machine configurations remain unchanged, regardless of which Hyper-V host the virtual machine is running on. As a result, you can move virtual machines between Hyper-V hosts in your data center, between Hyper-V hosts in different data centers, and between Hyper-V hosts in your data center and a shared IaaS cloud.

• Configuration by Windows PowerShell. Network virtualization supports Windows PowerShell for configuring network virtualization and isolation policies. The Hyper-V module includes cmdlets that you can use to configure, monitor, and troubleshoot network virtualization. You should use tools such as VMM 2012 R2 to configure and manage network virtualization.

Question: Do you need to modify a network virtualization configuration when you migrate virtual machines between Hyper-V hosts?
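The customer address / provider address split and the VLAN-free isolation described in this topic are easiest to see in the policy objects that the Hyper-V host actually holds. The script below is an added example, not course material, and configures that policy on a single host with the NetWNV cmdlets for two tenants that both use 10.0.1.0/24; every name, address, GUID and virtual subnet ID is a constructed value, and in a real deployment the same records would be distributed to every host by VMM as the text recommends.

```powershell
# Added example (not from the course): Hyper-V Network Virtualization policy on
# one host for two tenants with overlapping customer address (CA) space.
# Adapter name, provider address (PA), tenant IDs, VSIDs, VM names and MACs
# are all constructed values.
$providerNic = 'Ethernet'          # physical adapter that carries NVGRE traffic
$providerPA  = '192.168.10.11'     # this host's provider address
$ifIndex     = (Get-NetAdapter -Name $providerNic).ifIndex

# Bind the network virtualization filter to the physical adapter.
Enable-NetAdapterBinding -Name $providerNic -ComponentID ms_netwnv

# Register the host's PA on the physical (provider) network.
New-NetVirtualizationProviderAddress -ProviderAddress $providerPA -InterfaceIndex $ifIndex -PrefixLength 24

# Each tenant: its own routing domain (GUID) and virtual subnet ID (VSID).
# Both tenants use 10.0.1.0/24 and even the same CA for their VM.
$tenants = @(
    @{ Id = '{11111111-2222-3333-4444-000000000001}'; Vsid = 5001; Vm = 'TENANTA-WEB1'; Mac = '00155D000001' },
    @{ Id = '{11111111-2222-3333-4444-000000000002}'; Vsid = 5002; Vm = 'TENANTB-WEB1'; Mac = '00155D000002' }
)
foreach ($t in $tenants) {
    # CA-side route for the tenant subnet inside its routing domain.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.Id -VirtualSubnetID $t.Vsid `
        -DestinationPrefix '10.0.1.0/24' -NextHop '0.0.0.0'

    # Lookup record: (CA, VSID) -> PA of the host where the VM runs (this host).
    New-NetVirtualizationLookupRecord -CustomerAddress '10.0.1.10' -ProviderAddress $providerPA `
        -VirtualSubnetID $t.Vsid -MACAddress $t.Mac -Rule TranslationMethodEncap `
        -CustomerID $t.Id -VMName $t.Vm

    # Pin the VM's MAC to the one in the record and tag its port with the VSID
    # so the switch applies the right tenant policy.
    Set-VMNetworkAdapter -VMName $t.Vm -StaticMacAddress $t.Mac -VirtualSubnetId $t.Vsid
}

# Both records coexist: the VSID, not the IP address, is the key.
Get-NetVirtualizationLookupRecord |
    Select-Object CustomerAddress, VirtualSubnetID, ProviderAddress, VMName
```

Reading the lookup table is also the answer to the question above: moving a VM to another host changes only the ProviderAddress in its record, which is why the tenant-facing configuration (CA, VSID, routes) does not need to change.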


Overview of Windows Server Gateway

Windows Server 2012 R2 provides a new software-based router that can be used in virtual environments. This feature is called Windows Server Gateway.

Windows Server 2012 provides network virtualization in Hyper-V environments, which gives you the ability to decouple the exact physical location of an IP subnet from the virtual network topology. Because of this approach, you can move IP subnets to private or public clouds while keeping the same IP addresses.

However, at the same time, it was difficult to provide connectivity between virtual machines on a virtual network and resources on physical networks at local and remote sites.

Windows Server Gateway in Windows Server 2012 R2 works as a router that routes IP traffic between a physical network and virtual machine network resources at the same physical location, or at many different physical locations.

In a simple scenario, Windows Server Gateway, running inside a virtual machine on a Hyper-V host, allows you to establish connectivity between virtualized networks and a physical network. In a more complex scenario where your virtual network is hosted by a cloud service provider, you can use Windows Server Gateway to establish a virtual private network (VPN) connection between your local network infrastructure and your virtualized network in the cloud.

Windows Server Gateway integrates with Hyper-V Network Virtualization in such a way that it allows network traffic between different tenants—for example, in a hosted environment—while still maintaining their isolation. By default, network virtualization provides total isolation between different virtual networks. In scenarios where it is necessary to establish communication between these isolated virtual networks, administrators can deploy Windows Server Gateway to perform routing.

You also can use Windows Server Gateway to provide Internet access to virtual machines that are running on isolated virtual networks. You can do this by implementing multitenant network address translation.

We recommend that you deploy Windows Server Gateway inside a virtual machine that is running on a dedicated Windows Server 2012 R2 Hyper-V host. If you want to make this service highly available, you can deploy two Hyper-V hosts and use failover clustering. You only can configure Windows Server Gateway in virtual machines that are running Windows Server 2012 R2.

Windows Server Gateway Hardware and Configuration Requirements

http://technet.microsoft.com/en-us/library/dn423897.aspx


NIC Teaming in Virtual Machines

NIC Teaming is one of the features in Windows Server 2012 R2 that you can use to consolidate up to 32 physical network adapters to use as a single interface. This strategy provides higher network throughput and redundancy. NIC Teaming is not a feature that is specific to Hyper-V. Because of this, all applications that are running at the system level on Windows Server 2012 R2 can benefit from it, including Hyper-V.

NIC Teaming also is available to guest operating systems that are running in virtual machines, regardless of whether NIC Teaming is used on the host. This enables a virtual machine with multiple virtual network adapters to team them and keep connectivity even when one of the adapters is disconnected, or when the physical network adapter behind one of the virtual switches fails.

Using NIC Teaming

To benefit from virtual machine NIC Teaming, you should create at least two external virtual switches and then connect a virtual machine network adapter to each of them. You can configure the physical network adapters that are connected to the virtual switches to use single-root I/O virtualization (SR-IOV), although this is not mandatory. SR-IOV is a standard that specifies how a hardware device can make its functionality available for direct use by virtual machines. These functionalities are called virtual functions and are associated with physical functions. Physical functions are what the parent partition uses in Hyper-V.

If virtual machine network adapters are connected to SR-IOV–enabled virtual switches, the virtual machine will install virtual functions for them and can use them in a NIC team. If one of the physical network adapters is disconnected or it fails, a virtual machine continues to use the virtual functions of the remaining SR-IOV–enabled network adapters, and it still has network connectivity. If virtual switches are connected to physical network adapters that are not SR-IOV–enabled, the end result is the same. However, physical network adapters are not mapped directly to a virtual machine by using virtual functions, but are mapped by using a Hyper-V virtual network adapter instead. Another option is to use a combination of adapters that are SR-IOV–enabled and adapters that are not in the same virtual machine NIC team.

You can enable virtual machine NIC Teaming from the Advanced Features settings page of the virtual network adapter or by using the Windows PowerShell cmdlet Set-VMNetworkAdapter. Virtual machine NIC Teaming is not enabled by default. If you do not enable it, and one of the physical network adapters stops working, the NIC team that is created in the guest operating system on the virtual machine will lose connectivity.

Note: Because failover between network adapters in a virtual machine results in traffic being sent with the media access control (MAC) address of the other network adapter, each virtual network adapter that uses NIC Teaming must be set to allow MAC address spoofing, or it must have AllowTeaming set to On by using the -AllowTeaming parameter of the Windows PowerShell cmdlet Set-VMNetworkAdapter. AllowTeaming is the narrower of the two settings: enabling MAC address spoofing also lets the guest send frames with arbitrary source MAC addresses, which is not needed for teaming.


At the Hyper-V host level, NIC Teaming is not supported when physical network adapters use SR-IOV or RDMA, because network traffic is delivered directly to the adapter, thereby bypassing the network stack and not allowing path redirection. When you configure NIC Teaming at a virtual machine level, physical network adapters that are connected to virtual switches can use SR-IOV.
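The procedure above, carried out in Windows PowerShell, as an added example that is not part of the course text: two external virtual switches are created on the host, the virtual machine gets one adapter on each, teaming is allowed on those adapters with AllowTeaming rather than MAC address spoofing, and the team is then built inside the guest. The VM name, physical adapter names, switch names and adapter names are assumptions; adjust them to your environment.

```powershell
# Added example (not from the course text). Host section first, guest section second.
# Assumed names: VM APP01, host uplinks NIC1/NIC2, switches ExtSwitch1/ExtSwitch2.

# ---- On the Windows Server 2012 R2 Hyper-V host (VM must be powered off to add adapters) ----
Import-Module Hyper-V

$VMName   = 'APP01'                  # assumed VM name
$Uplinks  = @('NIC1', 'NIC2')        # assumed physical adapter names, one per switch
$Switches = @('ExtSwitch1', 'ExtSwitch2')

if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName -Force }

# One external virtual switch per physical uplink. Host-level teaming is not used here, so
# each switch has exactly one physical adapter behind it; the guest team spans both switches
# and therefore both uplinks. SR-IOV on these uplinks is optional and does not change this.
for ($i = 0; $i -lt $Switches.Count; $i++) {
    if (-not (Get-VMSwitch -Name $Switches[$i] -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $Switches[$i] -NetAdapterName $Uplinks[$i] -AllowManagementOS $false | Out-Null
    }
    Add-VMNetworkAdapter -VMName $VMName -SwitchName $Switches[$i] -Name "Team NIC $($i + 1)"
}

# Allow teaming on each of the VM's team adapters. AllowTeaming lets the guest team fail over
# to the other member's MAC address without granting the guest general MAC spoofing, so
# MacAddressSpoofing stays Off.
Get-VMNetworkAdapter -VMName $VMName |
    Where-Object Name -like 'Team NIC *' |
    Set-VMNetworkAdapter -AllowTeaming On

# Check: each team adapter should show AllowTeaming On and MacAddressSpoofing Off.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, AllowTeaming, MacAddressSpoofing, IovWeight |
    Format-Table -AutoSize

Start-VM -Name $VMName

# ---- Inside the guest (Windows Server 2012 R2) ----
# A team in a virtual machine must be switch independent: its members sit on different
# virtual switches, so no switch-dependent mode (static or LACP) can apply.
$Members = (Get-NetAdapter | Where-Object Status -eq 'Up').Name   # assumed: exactly the two teamed vNICs
New-NetLbfoTeam -Name 'GuestTeam' -TeamMembers $Members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# Verify both members are active. A member that stays failed after the team is created
# usually means AllowTeaming (or MAC spoofing) was not enabled for that vNIC on the host.
Get-NetLbfoTeamMember -Team 'GuestTeam' | Select-Object Name, AdministrativeMode, OperationalStatus
```

To test the failover path, disconnect one uplink on the host (for example, Disconnect-VMNetworkAdapter on one of the two team adapters) and confirm that the guest keeps connectivity while Get-NetLbfoTeamMember reports the affected member as failed.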

Question: Are there any special hardware requirements if you want to use NIC Teaming in a virtual machine?

Lesson 4: Hyper-V Availability Improvements

Failover clustering is a Windows Server 2012 feature that provides high availability. Hyper-V in Windows Server 2012 uses failover clustering to provide highly available virtual machines. For disaster recovery scenarios, you can use Hyper-V Replica technology to create a replica of critical virtual machines on another site. In this lesson, you will learn about Hyper-V high availability enhancements in Windows Server 2012 R2.

Lesson Objectives After completing this lesson, you will be able to:

• Describe redundancy in Hyper-V.

• Describe Hyper-V clustering enhancements.

• Describe Hyper-V Replica enhancements.

• Describe Live Migration enhancements.

Redundancy in Hyper-V

To make a virtual machine highly available, you must deploy it in an environment that provides redundancy for all components and makes it available even when failure occurs. The most basic high availability strategy is to ensure that hardware is as robust as possible, thereby minimizing failures in the first place. However, because failures are unavoidable, Hyper-V builds on top of Windows Server 2012 R2 high availability features such as NIC Teaming, Network Load Balancing (NLB), and failover clustering. Hyper-V also introduces its own virtualization-specific features such as Live Migration, live storage migration, and Hyper-V Replica. Hyper-V builds on and includes the following features to mitigate failures and provide high availability at different levels:

• Hardware failure. Hyper-V benefits from Windows Server 2012 R2 availability and serviceability, in addition to Windows Hardware Error Architecture, which provides a common infrastructure for handling hardware errors on Windows-based platforms. With Hyper-V, if a memory error is detected at a memory location that Hyper-V does not use, it will be marked as bad and the operating system will not use it in the future. If the memory error is in the physical random access memory (RAM) that the virtual machine uses, only that virtual machine will be affected. The entire host and all virtual machines will fail only if the memory error is in the physical RAM that the Hyper-V host kernel uses.

• Physical server failure. Hyper-V uses the failover clustering feature to provide redundancy if an entire physical server fails. Failover clustering is included in all Windows Server 2012 R2 editions and in Hyper-V Server 2012 R2. If a server is a node in a failover cluster, virtual machines that were running on it fail over to other cluster nodes automatically and become available after the brief downtime caused by the virtual machine restart. Hyper-V also includes Live Migration, which enables you to move virtual machines between Hyper-V hosts without downtime, for example when you need to upgrade hardware or install updates on a Hyper-V host, or when you simply want to rebalance your virtualization workload.

• I/O redundancy. Windows Server 2012 R2 includes several features such as SMB 3.0 Multichannel, storage Multipath I/O, NIC Teaming, and NLB, which can provide high availability and benefit from network path redundancy. If a network adapter or other network infrastructure component fails, Hyper-V uses these features to preserve network connectivity. If there are multiple network paths between the source and the destination, and if network equipment on one of those paths fails, Hyper-V uses these features to maintain connectivity to virtual machines.

• Application or service failover. If a service or application in a virtual machine fails or loses network connectivity, the failover cluster can detect it and try to recover the application by restarting the virtual machine or moving it to another node. You also can configure failover clustering inside virtual machines (a guest cluster) by using iSCSI or Fibre Channel shared storage, an SMB 3.0 file share, or virtual hard disk sharing. In the same way that you can team physical network adapters on a Hyper-V host, you also can team network adapters in virtual machines, which is especially beneficial when using SR-IOV.

• Disaster recovery. Windows Server 2012 R2 includes CSV integration with storage arrays for synchronous replication. This can provide protection against a disaster at a single location because Hyper-V hosts also are at an alternate location and accessing replicated storage. However, Hyper-V also includes Hyper-V Replica, a feature that provides asynchronous replication of running virtual machines to an alternate location at configurable intervals. Hyper-V Replica failover requires virtual machine downtime during failover.

Hyper-V Clustering Enhancements

In Windows Server 2012 R2, Microsoft has enhanced existing functionalities and provided additional functionalities for virtual machine clustering. With these features, you can implement clustering with less administrative time, and you can manage and monitor cluster resources more effectively.

The new features for virtual machine clustering in Windows Server 2012 R2 are as follows:

• Shared virtual hard disk. When creating a guest cluster, you now can use a .vhdx virtual hard disk to provide shared storage for the cluster nodes. You no longer need to expose Fibre Channel or iSCSI shared storage to the virtual machines. This feature was described in detail in the lesson, “Storage Enhancements in Hyper-V on Windows Server 2012 R2.”

• Virtual machine drain on shutdown. This feature provides an additional safety mechanism when a cluster node shuts down. In Windows Server 2012, shutting down a cluster node before draining it put the running virtual machines into a saved state, moved them to other nodes and then resumed them, which interrupted the availability of those virtual machines. In Windows Server 2012 R2, the cluster automatically live migrates all running virtual machines to other nodes before the Hyper-V node shuts down. This functionality, called virtual machine drain on shutdown, cannot be configured from Failover Cluster Manager. To configure it, use Windows PowerShell and set the DrainOnShutdown cluster property. It is enabled by default, with the property value set to 1.

• Network health detection. Windows Server 2012 R2 also can react to the failure of virtual machine storage and to the loss of network connectivity. Storage failure detection covers the failure of a virtual machine's boot disk or any other virtual hard disk that the virtual machine uses; if a failure occurs, the failover cluster moves the virtual machine to a different node and restarts it. Network health detection lets you mark a virtual network adapter as connected to a protected network. If connectivity to such a network is lost, for example because a physical switch fails or a network cable is disconnected, the failover cluster live migrates the virtual machine to a different node to restore network connectivity.

When planning for high availability for virtual machines in Windows Server 2012 R2, you should be aware of these features so that you can build a stable environment with less downtime.
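The two settings described above that have to be made outside Failover Cluster Manager, shown in Windows PowerShell as an added example that is not part of the course text. The cluster name, VM name and adapter names are assumptions.

```powershell
# Added example (not from the course text). Assumed names: cluster HVCLUSTER, VM APP01,
# adapters 'Team NIC 1' (production) and 'Backup NIC' (backup traffic only).
Import-Module FailoverClusters
Import-Module Hyper-V

$ClusterName = 'HVCLUSTER'   # assumed
$VMName      = 'APP01'       # assumed

# 1. Virtual machine drain on shutdown. 1 = live migrate running VMs off the node before it
#    shuts down (the Windows Server 2012 R2 default); 0 = Windows Server 2012 behaviour
#    (save state, move, resume). Verify rather than assume, because the property is
#    cluster-wide and a single scripted change affects every node.
$cluster = Get-Cluster -Name $ClusterName
if ($cluster.DrainOnShutdown -ne 1) {
    $cluster.DrainOnShutdown = 1
}
$cluster | Select-Object Name, DrainOnShutdown

# 2. Protected network. The cluster monitors every virtual network adapter whose
#    NotMonitoredInCluster value is $false and live migrates the VM when that network is lost.
#    Protect only the networks the workload cannot live without: a flapping backup or
#    management network on an unprotected adapter will not trigger a migration storm.
Set-VMNetworkAdapter -VMName $VMName -Name 'Team NIC 1' -NotMonitoredInCluster $false   # protected
Set-VMNetworkAdapter -VMName $VMName -Name 'Backup NIC' -NotMonitoredInCluster $true    # not protected

# Check which of the VM's networks are protected.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, @{ n = 'ProtectedNetwork'; e = { -not $_.NotMonitoredInCluster } } |
    Format-Table -AutoSize
```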

Hyper-V Replica Enhancements

In Windows Server 2012 R2, the Hyper-V Replica feature has been improved with the following enhancements:

• Ability to change the replication frequency. In previous versions of Windows Server, Hyper-V Replica was set to a 5-minute replication interval, and you were not able to change this value. In Windows Server 2012 R2, you can set the replication interval to 30 seconds, 5 minutes, or 15 minutes. This means that you can tune replication traffic to your actual environment. However, keep in mind that a longer interval, such as 15 minutes, accumulates more changes between cycles, so each replication transfers more data in one burst and the most recent recovery point is older.

• Extended replication. In Windows Server 2012, it is possible to have only one replica of an existing virtual machine. Windows Server 2012 R2 provides you the ability to replicate a single virtual machine to a third server. This means that you can replicate a running virtual machine to two independent servers. However, the replication does not happen from one server to two other servers. The server that is running an active copy of the virtual machine replicates to a Replica server, and the Replica server then replicates to the extended Replica server. You create a second replica by running the Extend Replication Wizard on a passive copy. In this wizard, you can set the same options that you configured when configuring the first replica.

Administrators now can benefit from these features, as they help optimize the usage of Hyper-V Replica and increase the availability of critical virtual machines.
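Both enhancements from this topic in Windows PowerShell, as an added example that is not part of the course text: replication is enabled with the 30-second interval, and the passive copy on the Replica server is then extended to a third server at 15 minutes. Server names, the VM name, the storage path and the trust group are assumptions. Kerberos over HTTP (port 80) is appropriate only within one trusted forest; across untrusted networks use certificate-based authentication (HTTPS) instead.

```powershell
# Added example (not from the course text). Assumed names: VM APP01, hosts HV-PRIMARY,
# HV-REPLICA and HV-DR in contoso.local, replica storage D:\Replica, trust group PROD.
Import-Module Hyper-V

$VMName   = 'APP01'                    # assumed
$Primary  = 'HV-PRIMARY.contoso.local' # assumed primary host (this script runs here)
$Replica  = 'HV-REPLICA.contoso.local' # assumed Replica server
$Extended = 'HV-DR.contoso.local'      # assumed extended Replica server at a third site

# Both receiving servers accept replication, but only from explicitly authorized primaries
# (ReplicationAllowedFromAnyServer $false); each authorization entry pins the sender and
# the storage location.
Invoke-Command -ComputerName $Replica, $Extended -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $false -KerberosAuthenticationPort 80
}
Invoke-Command -ComputerName $Replica -ScriptBlock {
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $using:Primary `
        -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'PROD'
}
Invoke-Command -ComputerName $Extended -ScriptBlock {
    # For the extended Replica server, the sender is the first Replica server, not the primary.
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $using:Replica `
        -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'PROD'
}

# On the primary: enable replication with the new 30-second interval
# (valid values for ReplicationFrequencySec are 30, 300 and 900).
Enable-VMReplication -VMName $VMName -ReplicaServerName $Replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -ReplicationFrequencySec 30
Start-VMInitialReplication -VMName $VMName

# On the Replica server: extend replication of the passive copy to the third server.
# Extended replication is sourced from the Replica server, not from the primary, and
# supports only the 5- and 15-minute intervals.
Invoke-Command -ComputerName $Replica -ScriptBlock {
    Enable-VMReplication -VMName $using:VMName -ReplicaServerName $using:Extended `
        -ReplicaServerPort 80 -AuthenticationType Kerberos -ReplicationFrequencySec 900
    Start-VMInitialReplication -VMName $using:VMName
}

# Check each hop on the server that sources it; Health should be Normal once the initial
# replication has completed.
Get-VMReplication -VMName $VMName |
    Select-Object VMName, Mode, State, Health, PrimaryServer, ReplicaServer, FrequencySec
Invoke-Command -ComputerName $Replica -ScriptBlock {
    Get-VMReplication -VMName $using:VMName |
        Select-Object VMName, Mode, State, Health, PrimaryServer, ReplicaServer, FrequencySec
}
```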


Live Migration Enhancements

In Windows Server 2012 R2, Hyper-V Live Migration technology is updated. Now, it allows you to select performance-related options when you want to move a virtual machine or machines to a different physical server. This directly helps reduce network overhead and CPU usage during migration, and this also reduces the total amount of time needed to perform a live migration.

You now can configure the following options for Live Migration:

• TCP/IP. When this option is selected, a virtual machine is copied to another server by using a TCP/IP-based connection. This is the same approach as in Windows Server 2012.

• Compression. When this option is selected, the memory of the virtual machine that is being migrated is compressed, and then TCP/IP is used to copy it to the destination server. This is the default setting in Windows Server 2012 R2.

• SMB 3.0. If this is selected, memory content is copied by using the SMB 3.0 protocol. If network adapters on source and destination servers support RDMA, SMB Direct technology is used for copying. If SMB Multichannel is configured, multiple connections can be used.

To support simplified migration of virtual machines from Windows Server 2012 to Windows Server 2012 R2, Microsoft has implemented cross-version live migrations. Now you can move virtual machines from Windows Server 2012 Hyper-V to Windows Server 2012 R2 Hyper-V without causing downtime. However, moving a virtual machine to a server that is running an older version of Hyper-V is not supported.

Note: If you migrate virtual machines from Windows Server 2012 to Windows Server 2012 R2, make sure that you update Integration Services after the migration is complete.
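The Live Migration settings from this topic and a cross-version move, in Windows PowerShell, as an added example that is not part of the course text. Host names, the VM name and the migration subnet are assumptions.

```powershell
# Added example (not from the course text). Assumed names: VM APP01, Windows Server 2012 host
# HV2012-01, Windows Server 2012 R2 host HV2012R2-01, migration subnet 10.10.50.0/24.
Import-Module Hyper-V

$VMName          = 'APP01'            # assumed
$OldHost         = 'HV2012-01'        # assumed Windows Server 2012 Hyper-V host
$NewHost         = 'HV2012R2-01'      # assumed Windows Server 2012 R2 host (host section runs here)
$MigrationSubnet = '10.10.50.0/24'    # assumed dedicated, non-routed migration network

# ---- On the Windows Server 2012 R2 host ----
# Memory pages cross the wire without encryption (compression is not encryption), so accept
# migrations only on a dedicated subnet rather than on any network the host is attached to.
Enable-VMMigration
Set-VMHost -UseAnyNetworkForMigration $false
Add-VMMigrationNetwork -Subnet $MigrationSubnet

# Kerberos rather than CredSSP: CredSSP forwards the administrator's full credentials to the
# destination host. Kerberos needs no credential forwarding when the migration is started on
# the source host itself; starting it from a third machine additionally requires constrained
# delegation (cifs and Microsoft Virtual System Migration Service) on the host accounts in AD.
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

# Performance option: TCPIP (Windows Server 2012 behaviour), Compression (the 2012 R2 default)
# or SMB (uses SMB Direct when both hosts have RDMA-capable adapters, and SMB Multichannel
# when several paths are configured).
Set-VMHost -VirtualMachineMigrationPerformanceOption Compression

$check = 'Name', 'VirtualMachineMigrationEnabled', 'UseAnyNetworkForMigration',
         'VirtualMachineMigrationAuthenticationType', 'VirtualMachineMigrationPerformanceOption'
Get-VMHost | Select-Object $check | Format-List

# ---- On the Windows Server 2012 host, in an interactive session ----
# Cross-version move: 2012 -> 2012 R2 is supported; the reverse direction is not. Running
# Move-VM locally on the source host keeps this a single Kerberos hop.
Move-VM -Name $VMName -DestinationHost $NewHost

# ---- Back on the Windows Server 2012 R2 host: confirm the move and the Integration Services ----
# After a cross-version move the guest still runs the 2012 Integration Services; an
# IntegrationServicesState of 'Update required' means they must be updated from the new host.
Get-VM -Name $VMName | Select-Object Name, State, IntegrationServicesVersion, IntegrationServicesState
```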

Module Review and Takeaways

Best Practices

• If possible, create Generation 2 virtual machines when creating new virtual machines.

• Take advantage of AVMA for more flexible activation management.

• Use storage QoS to prevent virtual machines from taking too much I/O traffic.

• Implement Windows Server Gateway if you need to provide external network access to virtual machines on virtualized networks.

Common Issues and Troubleshooting Tips

Review Questions

Question: Can two virtual machines always communicate if they are connected to an external virtual switch?

Question: Can you use network virtualization to allow virtual machines that are running on multiple segments to communicate while isolating that traffic from other network traffic?

Question: When would you use shared virtual hard disks?

Question: Can you use virtual machine settings to discover whether it is Generation 1 or Generation 2?

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.