I've always been a great fan of Group Policy Objects. They are a fantastic way to retain control of your environment. With Windows Server 2012 the good things keep coming. Today we will look at what’s new in Group Policy in Windows Server 2012. More specifically, we will discuss the following:
If you want to follow along, I suggest you download the evaluation of Windows Server 2012 and use the info in this post to set up your own lab and get acquainted with all the value you can extract from Windows Server 2012 and Group Policies.
Remote Group Policy Update
We can now refresh Group Policy settings, including security settings, on a group of remote computers. BAMM!! No more need to call someone local and ask them to issue the old “GPUPDATE /FORCE” command.
It’s right there in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings, as long as those computers are running one of the following operating systems:
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows 8
- Windows 7
- Windows Vista
For anything else… you’re stuck with calling someone, or RDP into that machine and do it yourself.
One other requirement…
To schedule a Group Policy refresh for domain-joined computers you must have firewall rules that enable inbound network traffic on the ports listed in the following table.
| Server port | Type of network traffic |
|---|---|
| TCP RPC dynamic ports, Schedule (Task Scheduler service) | Remote Scheduled Tasks Management (RPC) |
| TCP port 135, RPCSS (Remote Procedure Call service) | Remote Scheduled Tasks Management (RPC-EPMAP) |
| TCP all ports, Winmgmt (Windows Management Instrumentation service) | Windows Management Instrumentation (WMI-in) |
There is already a Starter GPO that has all the required settings to facilitate your task. So use it and make a new GPO that will open all the appropriate ports in your environment. It is a best practice to create a new GPO from this Starter GPO and link the GPO to your domain, at a higher precedence than the Default Domain GPO, in order to configure all computers in the domain to enable a remote Group Policy refresh.

1- Right-click the OU on which you want to refresh the policy.

2- Select “Group Policy Update”

3- You’ll be prompted to confirm that you want to run the update. Click “Yes” and you’re done.

You can also use PowerShell to achieve the same results. For example, to force the update on a single computer, you would use the following command:
Invoke-GPUpdate -Computer <Name> -Force
To force the update on a complete OU, you would combine Get-ADComputer with the Invoke-GPUpdate cmdlet and set -RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policy settings for all computers in the Montreal OU of the PRlab.com domain, type the following:
Get-ADComputer -Filter * -SearchBase "ou=Montreal,dc=prlab,dc=com" | foreach { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }
More info here: http://technet.microsoft.com/en-us/library/jj134201.aspx
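The OU-wide refresh above stops at the first computer that cannot be reached and silently tries machines that do not support the remote refresh. The following script is an added example (not from the original post) that skips operating systems outside the list above, keeps going past failures and reports per-computer results; the OU path and the RSAT ActiveDirectory and GroupPolicy modules are assumptions.

```powershell
# Added example: refresh Group Policy on every computer in an OU, skipping
# operating systems the post does not list as supported and reporting each
# failure instead of stopping at the first one.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and
# that $searchBase is replaced with an OU from your own domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$searchBase = 'OU=Montreal,DC=prlab,DC=com'   # OU used in the post; adjust for your domain

# Operating systems the post lists as supporting remote Group Policy update.
# 'Windows Server 2008*' also matches Windows Server 2008 R2.
$supportedPrefixes = 'Windows Server 2012', 'Windows Server 2008',
                     'Windows 8', 'Windows 7', 'Windows Vista'

# OperatingSystem is not returned by default, so request it explicitly.
$computers = Get-ADComputer -Filter * -SearchBase $searchBase -Properties OperatingSystem

$results = foreach ($computer in $computers) {
    $os = $computer.OperatingSystem
    $isSupported = $false
    foreach ($prefix in $supportedPrefixes) {
        if ($os -like "$prefix*") { $isSupported = $true; break }
    }

    if (-not $isSupported) {
        # Older systems (or computers with no OS attribute) still need a local GPUPDATE.
        [pscustomobject]@{ Computer = $computer.Name; OS = $os; Status = 'Skipped (unsupported OS)' }
        continue
    }

    try {
        # -RandomDelayInMinutes 0 makes the scheduled refresh task run immediately.
        Invoke-GPUpdate -Computer $computer.Name -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer.Name; OS = $os; Status = 'Refresh scheduled' }
    }
    catch {
        # Typical causes: the computer is offline, or the firewall rules from the
        # Starter GPO (RPC-EPMAP, RPC dynamic ports, WMI-in) are not applied yet.
        [pscustomobject]@{ Computer = $computer.Name; OS = $os; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

Computers reported as Failed are the ones to check against the firewall table above before assuming a Group Policy problem.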
Group Policy infrastructure status
Display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object.
What value does this change add?
Group Policy relies on being stored and replicated to all domain controllers in a domain. There can be a lag time after a change is made on one domain controller before the change is replicated to all other domain controllers. Until changes to a GPO are replicated to the domain controller that a client computer is accessing, that computer will receive the earlier version of the GPO during Group Policy refresh. In earlier versions of the Windows operating system, administrators had to download GPOtool.exe to diagnose these issues.
What works differently?
In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are:
- Active Directory and SYSVOL security descriptor (ACL details)
- Active Directory and SYSVOL GPO version details
- Number of GPOs listed in Active Directory and SYSVOL for each domain controller
-

Over the past few months we have made a big deal about the storage features of Windows Server 2012, including how the built-in iSCSI Software Target allows you to build a low-cost software-SAN (storage area network) for small environments, and how that lets you create a Hyper-V Failover Cluster without the expense of an actual SAN appliance. We have also made a huge deal about building a Private Cloud with System Center 2012. What we did not mention is how to add your Software SAN as a Storage Device in System Center Virtual Machine Manager (VMM), a crucial component to putting it all together.
System Center VMM allows for three types of storage appliances:
- Windows-based file server (as managed storage device)
- Storage device that is managed by an SMI-S (Storage Management Initiative – Specification) provider
- Storage Device that is managed by an SMP provider
It is the second of these that we are going to focus on. In order to complete this setup you will need the following:
You can download the evaluation software by clicking on the links above.
Step 1: Configure an iSCSI Software Target
Step 2: Install System Center VMM
- This should be done on a separate server, although both can be virtualized on the same host. Ensure that you have network connectivity properly configured. System Center VMM needs to be a member of an Active Directory Domain; although your iSCSI Target does not have to be, it makes security easier to manage.
Note: I only now realized that we do not have a step-by-step article for installing the various System Center 2012 components which will be corrected over the next several weeks.
Step 3: Prepare your iSCSI Target
- In order to configure your Target as an SMI-S Provider it is important that you add a couple of extra Role Services and Features in Windows Server 2012.
- Once completed, patch your OS with the latest updates followed by the installation of KB 2758246.
- Next you have to install the Microsoft SMI-S Provider on your Target server. It is located on the media for System Center VMM 2012 at x:\amd64\Setup\msi\iSCSITargetProv. Alternately it is stored on your VMM server at \Program Files\Microsoft System Center 2012\Virtual Machine Manager\setup\msi\iSCSITargetProv. It is a quick install that does not look like it is doing very much.
- As a best practice, reboot the Target server once this is done. Alternately you can simply restart the Microsoft iSCSI Target Service.
Step 4: Register the SMI-S Provider
- Back in the Target server, and back in PowerShell! We have to register the iSCSI target as an SMI-S Provider, and provide a ConnectionURI. Via PowerShell enter the following command:
Register-SmisProvider
- When prompted I supply credentials for an account with Local Administrator rights on the Target server.
Step 5: Add Storage in VMM
At this point you are ready to add the iSCSI Target as a Storage Device in System Center VMM.
- In the Fabric context click Add Storage under Add Resources.
- In the Select Provider Type screen select Add a storage device that is managed by an SMI-S provider.
- In the Specify Discovery Scope screen:
- select SMI-S WMI from the Protocol drop-down;
- Type the FQDN of your Target server in the box Provider IP address or FQDN;
- Ensure that TCP/IP port is 5989;
- Select (or create) a Run As account with privileges on the Target server. (remember that your Target server does not need to be a Domain Member; this part is easier and cleaner if it is).
- Click Next.
- On the Gather Information screen select your Target server and click Next.
- On the Select Storage Devices screen select the drive (or drives) that you will convert to shared storage.
- Select the check box next to the device;
- In the Classification drop-down select the classification you will add this storage under. (If no classifications exist then click on the Create Classification… button.)
- Click Next
- On the Summary screen click Finish. As with most screens in System Center 2012 you could also click the View Script button if you plan to make this a repeatable task.
- When your job (Sets Storage Array) is listed as completed then you are done!
Conclusion
Microsoft is making it easier for you to build out its tools in a sustainable lab environment, as well as in smaller IT environments. However these tools are a poor substitute for the real thing; if your business needs the efficiency and stability of a proper SAN for your production environment then there are many storage providers who make great products. For smaller environments, as well as for labs and classrooms, the software solutions are a great tool to learn, build, and practice.
-
Hello Folks, today we will look at some of the new features and enhancements in Active Directory with Windows Server 2012. As usual, I suggest you download the evaluation of Windows Server 2012 and use the info in this post to set up your own lab and start exploring what’s new in Active Directory. Let’s get going… Here are the points that, in my own opinion, are the most impactful enhancements of AD:
- Virtualization That Just Works
- Applying a snapshot to a DC
- Domain Controller cloning capabilities
- Simplified deployment of Active Directory
- Simplified Administration of Active Directory
- Active Directory Recycle Bin
- Fine-grained password policies
- The Windows PowerShell History Viewer
- Dynamic Access Control
Let’s look at these in more detail.

Virtualization That Just Works

Virtual environments present unique challenges to distributed workloads, such as Active Directory Domain Services (AD DS), that depend upon logical clock-based replication schemes. AD DS replication uses a monotonically increasing value assigned to transactions on each domain controller (known as a USN or Update Sequence Number). Each domain controller’s database instance is also given an identity, known as an InvocationID. The InvocationID of a domain controller and its USN together serve as a unique identifier associated with every write transaction performed and must be unique within the forest. AD DS replication uses InvocationID and USNs to determine what changes need to be replicated to other domain controllers. If a domain controller is rolled back in time and a USN is reused for an entirely different transaction, replication will not converge, since other domain controllers will believe they have already received the updates associated with the reused USN. Virtual machines make it too easy for administrators to roll back a domain controller’s USNs (its logical clock) by, for example, applying a snapshot outside of the domain controller’s awareness. That one was a BAD thing to do… Until now…

In Windows Server 2012, AD DS relies on the hypervisor platform to expose an identifier called VM GenerationID to detect if a virtual machine has been rolled back in time. The design uses a hypervisor-agnostic mechanism for surfacing the VM GenerationID in the virtual machine. Before completing any transaction, AD DS first reads the value of this identifier and compares it against the last value stored in the directory. A mismatch is interpreted as a ‘rollback’, and the domain controller employs AD DS safeguards new to Windows Server 2012 consisting of resetting the InvocationID and discarding the RID pool. From this point forward, all transactions are associated with the domain controller’s new InvocationID. Since other domain controllers do not recognize the new InvocationID, they will conclude that they have not already seen these USNs and will accept the updates identified by the new InvocationID and USNs, allowing the directory to converge. This does not mean that you should snapshot to your heart’s content from now on… Snapshots should never be used as a backup mechanism. EVER!!!

Domain Controller cloning capabilities

The other virtualization enhancement we introduced in Windows Server 2012 is virtualized domain controller cloning. It enables administrators to create a clone of a virtualized domain controller. With virtualized domain controller cloning, administrators can now promote a single virtual domain controller per domain and rapidly deploy all additional replica virtual domain controllers through cloning. Administrators no longer have to repeatedly deploy a sysprepped server image, promote the server to a domain controller and then complete additional configuration requirements for every replica domain controller.

Simplified deployment of Active Directory

That means that we took the scary parts out of the equation. Really… We did. I’ve talked to numerous admins who told me that their AD was still at the 2003 functional level. They have not upgraded their domain or forest because they are concerned about running ADPREP/FORESTPREP. Well, as my friend Rick Claus so eloquently put it, “we took ADPREP behind the wood shed and shot it!”. It’s gone, it’s dead. The changes needed are still done by a “pre-requisite check” that happens in the new wizard and the background PowerShell process. This also applies to the DCPROMO tool: the name has been kept but the process is all brand new. DCs can be deployed rapidly and remotely on multiple machines from a single Windows 8 machine, from a Windows Server 2012 console, or from a PowerShell command window. Here are other examples of simplified deployment enhancements:

Simplified Administration of Active Directory

The Active Directory Administrative Center (ADAC) has been enhanced to support graphical management of the Active Directory Recycle Bin and Fine-Grained Password Policies. Prior to Windows Server 2012, these activities required the use of the ADSI Edit tool, which was cumbersome and non-intuitive. The Windows PowerShell History Viewer and the ability to deploy Dynamic Access Control have also been added to the ADAC.

Active Directory Recycle Bin

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) environments.

Fine-grained password policies

You can use fine-grained password policies to specify multiple password policies within a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

The Windows PowerShell History Viewer

The Windows PowerShell History Viewer displays Windows PowerShell commands when a task is performed through the user interface. In Windows Server 2012, administrators can leverage Active Directory Administrative Center to learn the Windows PowerShell for Active Directory cmdlets. As actions are executed in the user interface, the equivalent Windows PowerShell for Active Directory command is shown to the user in the Windows PowerShell History Viewer. These commands in turn can be copied and reused in administrators’ scripts. This improvement reduces the time to learn Windows PowerShell for Active Directory. It also increases the users’ confidence in the correctness of their automation scripts. The current PowerShell history is stored in memory; you can archive it with Start-Transcript and Stop-Transcript if you want to preserve it.

Dynamic Access Control

Dynamic Access Control (DAC) allows the organization to leverage the information in AD to calculate permissions to access data. This helps organizations reach data compliance. DAC uses the following information:
- Who the user is
- What device they are using, and
- What data is being accessed
in an expression-based access policy to calculate access. Here is an example:
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
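The fine-grained password policy scenario described above (stricter settings for privileged accounts than for everyone else) can be built without ADSI Edit using the Active Directory module. This is an added example, not code from the original post; the group name Tier0-Admins and the account pradmin are placeholders for objects in your own domain.

```powershell
# Added example: a stricter Password Settings Object (PSO) for privileged accounts,
# applied to a global security group, then checked against one member of that group.
# Assumes the ActiveDirectory module and a domain functional level of
# Windows Server 2008 or higher. 'Tier0-Admins' and 'pradmin' are placeholders.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'
$group   = 'Tier0-Admins'        # placeholder: global security group holding privileged accounts
$sample  = 'pradmin'             # placeholder: one member of that group

# Lower Precedence wins when a user is covered by more than one PSO, so the
# strict policy gets a low number to beat any looser, higher-numbered PSOs.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# PSOs are linked to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# The resultant policy for a member should now be the PSO rather than the
# Default Domain Policy settings; a mismatch usually means the account is not
# in the group or another PSO with a lower Precedence applies.
Get-ADUserResultantPasswordPolicy -Identity $sample |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```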
In Windows Server 2012, we also made improvements to Group Policies (I’m working on another post just on GPOs that should be out very soon). For more information on the added Active Directory value please see the following:
- What's New in Active Directory Domain Services
And if you have time you can view Rick Claus’ session at TechEd New Zealand, “What's New in Active Directory in Windows Server 2012”, below. As always, I want to hear from you. Is there a feature you want me to explore for you? Just leave a comment, or email us at CDN-ITPro-Feedback@microsoft.com and we’ll get right on it. Cheers!
Pierre Roman, MCITP, ITIL | Technology Evangelist
-
Many of you know that I used to do a lot of VMware training… primarily for a company called VMTraining. So I was thrilled when they reached out to me recently and asked if I was willing to do a webinar on Hyper-V for their customers… and for anyone else who was interested. While it is not in response to it, the webinar does follow a similar one done recently by one of their senior instructors that put forth that vSphere is the best hypervisor. I have said many times over the past year that Hyper-V can go head to head with any competitive product, and I am happy to step up to that challenge. Join me this afternoon at 1:00pm CST (2pm Eastern, 11am Pacific) for a one hour session on why Microsoft’s Hyper-V is truly the best hypervisor on the market today! Register here and listen in… if you weren’t sure before then you will be after the hour! http://www.vmtraining.net/technical-webinars/us-051713 …And to be ready to play with it, download and install Windows Server 2012 in your lab. You can download the full Windows Server 2012 with Hyper-V, or you can download and install the free Hyper-V Server 2012.
-
I love this time of year. The days are getting longer and warmer and the deck is calling my name. (These are my feet….) At my house, summer months are very busy. The kids are home, my wife is at home (she’s a teacher), so I tend to hide in my office with the door shut so I can get work done. It’s busy at home, but in a lot of IT shops things slow down a bit. With the majority of Canadian IT pros taking one, two or more weeks of vacation it can feel like some projects slow down to a crawl. Why not take that time to invest in yourselves? Complete that certification you’ve been considering. Learn how to harness that new technology you’ve been reading about. Both you and your organization will benefit from it. You will gain new skills and experiences. The business will gain efficiencies. Everyone wins. You’re the only one who can make the time for yourself. Some of my friends in the industry keep telling me that they’re too busy, they don't have the resources to learn, they don't know where to start. I call B.S… all you need is the will. The resources are here for you to use. Alternatively, labs can also be completed in a virtual lab scenario by downloading and installing Hyper-V Server 2012. We are also standing by to assist. We’re continuing the step-by-step series. We want to hear what you need. Tell us which of the following you would like to see us dive deeper into:
- Configure server roles and features
- which role? Which feature?
- Configure Hyper-V
- the networking, the storage, the replication, …
- Deploy and configure core network services
- Install and administer Active Directory
- Create and manage Group Policy
- Deploy, manage, and maintain servers
- Configure file and print services
- Configure network services and access
- Configure a Network Policy Server infrastructure
- etc..
We’re willing to go where you need us to… just leave a comment, or email us at CDN-ITPro-Feedback@microsoft.com. Have a great weekend.
Pierre Roman, MCITP, ITIL | Technology Evangelist
-

While delivering a CANITPRO Camp not too long ago, an IT administrator shared his story as to why he had decided to move his organization's SQL backup to the cloud. It seemed that his predecessor was very diligent in switching the backup tapes every morning. He ensured backups were created daily, weekly and monthly, and locked the tapes in a fireproof safe at his home nightly. One day the organization he worked for had a massive fire and the server room suffered massive damage. When the servers were replaced, the IT administrator confidently inserted the backup tape only to find that the tape was empty. The same was true of the weekly and monthly tapes as well. All the tapes, 2 years' worth of backups, stored in the home safe were blank. It was later realized that the safe used a magnetic lock which wiped or corrupted the tapes' contents every time the safe was locked.
Scenarios such as these occur more often than most realize. A great way to eliminate the need for tapes is to use the cloud in a backup scenario. This Step-By-Step, provided by Keith Myer, will take us through the SQL Server 2012 SP1 CU2 native backup capabilities that allow database backups to be created on Windows Azure. This solution will allow you to eliminate the requirement for tape backup by using a secure online backup solution which provides instant visibility of your database backups.
SQL Server 2012 Service Pack 1 Cumulative Update 2 provides the ability to back up SQL databases and logs to Windows Azure cloud storage via native SQL Server Backup. This backup can be driven by both SQL Server Management Objects (SMO) and Transact-SQL (T-SQL). Cloud storage backup is a great disaster recovery insurance policy since backups, once completed, are instantly located offsite. What’s more, the economics of cloud storage provide a cost-effective solution: Windows Azure geo-redundant storage costs less than $100/TB per month based on the published costs as of this article’s date, which is less than a couple of SDLT tapes. Microsoft also provides a current pricing model for Windows Azure Storage via a Price Calculator to ensure the economics meet your organization's needs.
Prerequisites
- Sign-up for a 90-day trial of Windows Azure so that the steps included can be completed.
NOTE: When signing up, credit card information will be requested to confirm that you are a legitimate free trial subscriber. Credit card information is only used to confirm identity and will NOT be charged for any Windows Azure services unless the trial subscription is explicitly converted into a paid subscription at a later date. Should you currently have a paid subscription or MSDN subscription for Windows Azure, please ensure that you have activated the Windows Azure Virtual Machines and Virtual Networks Preview Feature. When signing up for a new free trial account, this feature will automatically be activated.
- Download Cumulative Update 2 for SQL Server 2012 Service Pack 1 and apply it to the SQL Server instance.
Step 1: Provisioning Cloud Storage
- Launch the Windows Azure Management Portal and login with the credentials used when activating your Windows Azure 90-Day trial above.
- Click Storage in the left navigation pane of the Windows Azure Management Portal.
Windows Azure Management Portal – Storage Accounts
- On the Storage page of the Windows Azure Management Portal, click +NEW on the bottom toolbar to create a new storage account location.
Creating a new Windows Azure Storage Account location
- Click Quick Create on the New > Storage popup menu and complete the fields as listed below:
- URL: XXXbackup01 (where XXX represents your initials in lowercase)
- Region / Affinity Group: Select an available Windows Azure datacenter region for your new Storage Account. NOTE: Because you will be using this Storage Account location for backup / disaster recovery scenarios, be sure to select a Datacenter Region that is not near you, for additional protection against disasters that may affect your entire local area.
- Click the Create Storage Account button to create your new Storage Account location.
- Wait for your new Storage Account to be provisioned.
Provisioning new Windows Azure Storage Account
Once the status of your new Storage Account shows as Online, you may continue with the next step.
- Select your newly created Storage Account and click the Manage Keys button on the bottom toolbar to display the Manage Access Keys dialog box.
Manage Access Keys dialog box
Click the button located next to the Secondary Access Key field to copy this access key to your clipboard for later use.
- Create a container within your Windows Azure Storage Account to store backups. Click on the name of your Storage Account on the Storage page in the Windows Azure Management Portal to drill into the details of this account, then select the Containers tab located at the top of the page.
Containers tab within a Windows Azure Storage Account
On the bottom toolbar, click the Add Container button to create a new container named “backups”.
Step 2: Performing the SQL Cloud Backup
- Launch SQL Server Management Studio and connect to your SQL Server 2012 SP1 CU2 database engine instance.
- In SQL Server Management Studio, right-click on the database you wish to back up in the Object Explorer list pane and select New Query.
SQL Server Management Studio
- In the new SQL Query Window, execute the following Transact-SQL code to create a credential that can be used to authenticate to your Windows Azure Storage Account with secure read/write access:
CREATE CREDENTIAL myAzureCredential WITH IDENTITY='XXXbackup01', SECRET='PASTE IN YOUR COPIED ACCESS KEY HERE';
Prior to running this code, be sure to replace XXXbackup01 with the name of your Windows Azure Storage Account created above and paste in the Access Key you previously copied to your clipboard.
- In the SQL Query Window, execute the following Transact-SQL code to perform the database backup to your Windows Azure Storage Account:
BACKUP DATABASE database_name TO URL='https://XXXbackup01.blob.core.windows.net/backups/database_name.bak' WITH CREDENTIAL='myAzureCredential', STATS = 5;
Prior to running this code, be sure to replace XXXbackup01 with the name of your Windows Azure Storage Account and replace database_name with the name of your database. Upon successful execution of the backup, you should see SQL Query result messages similar to the following:
Successful Backup Results
Once completed, backups are transported offsite to Windows Azure Storage via an authenticated, SSL-encrypted network communications path. The actual backup data stored on the Windows Azure Storage platform can also be encrypted if Transparent Data Encryption (TDE) is enabled on your original SQL databases. Details on enabling Transparent Data Encryption are in the TechNet Library.
Restoring the SQL Database is as easy as it was to back up. Simply use the following Transact-SQL syntax to restore the SQL Database back from Windows Azure:
RESTORE DATABASE database_name FROM URL='https://XXXbackup01.blob.core.windows.net/backups/database_name.bak' WITH CREDENTIAL='myAzureCredential', STATS = 5, REPLACE;
-

TechEd is Microsoft's leading IT Professionals and Enterprise Developers technical conference being hosted on June 3rd -6th in New Orleans, LA.
Those who have attended TechEd in the past have always found it rewarding in terms of professional development and industry networking. For those who have yet to attend or are on the fence about attending, here’s a small summary of what to expect at the event:
- Connect with Microsoft and industry thought leaders, and fellow attendees that share your technology interests and business challenges.
- Learn about the future of Microsoft’s products, solutions and services directly from the leaders with news, announcements, and demos.
- Explore Hands-on Labs and Technical Learning Centers designed to give you practical experience with the latest tools and technologies.
- Receive Value via 50% off certification testing to pre-registered attendees
What Can I Learn At TechEd?
There are many great sessions that will be delivered at TechEd this year, led by Microsoft experts and covering almost any interest. View the full list of planned tracks and sessions with descriptions so that you can plan your TechEd experience.
What About Certification?
As mentioned, all registered attendees will be able to pre-register for 50% Certification Exam Discounts. Feel free to utilize the #CANITPRO Step-By-Step series to keep your skills sharp and be sure to download and install Windows Server 2012 in your lab to complete the provided exercises. Alternatively labs can also be completed in a virtual lab scenario by downloading and installing Hyper-V Server 2012.
If you’re having trouble gaining permission to attend TechEd, Microsoft has provided a great resource of talking points for assistance in your conversation. Once you gain approval, get started by Registering for TechEd. Once completed, you’re well on your way to gaining the necessary tools to take the next step in your career.
-
BranchCache enables remote offices to have centralized access to file shares over the wide area network at faster speeds and using less bandwidth. Included in Windows Server 2012 and in some editions of Windows 8, BranchCache is part of a collection of solutions known as “wide area file services” or WAFS solutions. These types of solutions can be expensive but are included in the box with Windows Server. Content is stored either on servers that are configured to host the cache or on client computers that are running Windows 8 or Windows 7 when no server is available in the branch office. After a client computer in the branch office requests and receives content from the main office, content is cached at the branch office so that other computers at the same branch office can obtain the content locally rather than downloading the content from the content server over the WAN link. This solution is also optimal for those organizations that have satellite offices connected by LTE or other cellular technology, whose data usage can be kept to a minimum when data is downloaded only once as opposed to per request.
BranchCache has two modes of operation as illustrated below:
- Distributed cache mode: content cache at a branch office is distributed among client computers.
- Hosted cache mode: content cache at a branch office is hosted on one or more server computers called hosted cache servers.
Distributed cache mode is designed for small branch offices that do not contain a local server for use as a hosted cache server. Distributed cache mode allows your organization to benefit from BranchCache without the requirement of additional hardware in branch offices.

Prerequisites
Download and install Windows Server 2012 in your lab to complete this exercise. Alternatively you can complete this lab in a virtual lab setup by downloading and installing Hyper-V Server 2012.
Installing BranchCache
- Install the BranchCache feature on your lab server via the following PowerShell commands:
Install-WindowsFeature BranchCache -IncludeManagementTools
Install-WindowsFeature FS-BranchCache -IncludeManagementTools
Install-WindowsFeature FS-Data-Deduplication -IncludeManagementTools
Restart-Computer
Or install the BranchCache feature on your lab server via the Add Roles and Features Wizard found in Server Manager.
Creating A BranchCache Enabled File Share
- In Server Manager, navigate to File and Storage Services
- Under Shares, create a new share using the New Share Wizard
- When in the Configure Share Settings screen, enable both Allow caching of share and Enable BranchCache on the file share and click Next
- Review your setup and click Create
Deploying a Hosted Cache Server
- On the computer selected to configure as a hosted cache server, run the following PowerShell command to install the BranchCache feature:
Install-WindowsFeature BranchCache -IncludeManagementTools
- Next, configure the newly appointed, domain-joined hosted cache server to register a service connection point in Active Directory, so that client computers can discover the hosted cache server automatically, by running the following PowerShell command:
Enable-BCHostedServer -RegisterSCP
- Verify the configuration is correct on the new hosted cache server by running the following PowerShell command
Configuring the Windows 8 client to use BranchCache
- On the Windows 8 client, run PowerShell and type the following command, then press ENTER.
- Verify the configuration is correct on the new hosted cache server by running the following PowerShell command
- Repeat on all computers that would benefit from the BranchCache connection.
Your organization will now be able to capitalize on bandwidth optimization with the enablement of BranchCache.
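As an added example (not code from the original post), the client-side configuration and verification that the Windows 8 steps above leave implicit, done with the BranchCache PowerShell module. It assumes the hosted cache server was registered with Enable-BCHostedServer -RegisterSCP as described above; the server name, share path and the "HostedCacheClient" mode string are assumptions, not values from the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Windows 8 client after the hosted cache server is registered.

# Hosted cache mode: -UseSCP lets the client find the hosted cache server through
# the service connection point registered earlier with Enable-BCHostedServer.
# Use -ServerNames instead to pin a specific server (placeholder name below).
Enable-BCHostedClient -UseSCP
# Enable-BCHostedClient -ServerNames 'BCHOST01.itcamp.local'

# Small office without a server: distributed cache mode is the alternative.
# Enable-BCDistributed

# Confirm what the client actually ended up with before calling it done.
$status = Get-BCStatus
if (-not $status.BranchCacheIsEnabled) {
    throw 'BranchCache is not enabled on this client'
}
$mode = $status.ClientConfiguration.CurrentClientMode
# 'HostedCacheClient' is the mode name assumed here for a hosted cache client.
if ($mode -ne 'HostedCacheClient') {
    throw "Expected hosted cache client mode, found: $mode"
}

# The hosted cache client talks to the server over HTTPS. Enable-BCHostedClient
# turns the matching firewall rule group on; this only verifies it (group name
# assumed from the built-in BranchCache rule groups).
Get-NetFirewallRule -DisplayGroup 'BranchCache - Hosted Cache Client (Uses HTTPS)' |
    Select-Object DisplayName, Enabled, Direction

# Prove the cache is used: copy a file from a BranchCache-enabled share and
# check that the local data cache grew (share path is a placeholder).
$before = (Get-BCDataCache).CurrentSizeOnDiskAsNumberOfBytes
Copy-Item -Path '\\FS01.itcamp.local\Finance\report.iso' -Destination $env:TEMP
$after  = (Get-BCDataCache).CurrentSizeOnDiskAsNumberOfBytes
'Data cache grew by {0:N0} bytes' -f ($after - $before)
```

The first copy in a branch office populates the cache; a second client copying the same file should show a much smaller growth while the file arrives from the hosted cache server instead of the WAN.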
Chatter around cloud computing has increased as of late as more organizations are investigating how to harness the power of the cloud. Having an always-on, always-operational infrastructure based in the cloud provides peace of mind for most. With Microsoft's recent announcement around Price Reductions for Virtual Machines and Cloud Services, Microsoft Cloud Services have been top of mind for many IT professionals. One concern, highlighted by some IT professionals, has been the lack of training material around Windows Azure. This is where Pierre, Mitch and I are here to help.
This Step-By-Step was produced by the Windows Azure team and is a great example of harnessing the power of the cloud to benefit one's organization.
- Sign-up for a FREE 90-day trial of Windows Azure so that the steps provided can be completed.
NOTE: When signing up for the process, credit card information will be requested to confirm that you are a legitimate free trial subscriber. Credit card information is only used to confirm identity and will NOT be charged for any Windows Azure services unless the trial subscription is explicitly converted into a paid subscription at a later date. Should you currently have a paid subscription or MSDN subscription for Windows Azure, please ensure that you have activated the Windows Azure Virtual Machines and Virtual Networks Preview Feature. When signing up for a new free trial account, this feature will automatically be activated.
- Create a Virtual Network for Cross-Premises Connectivity configured between Windows Azure Virtual network and Corp network.
- Create a cloud service in the virtual network.
- Deploy two VMs in the Cloud Service that are part of the virtual network (specify the subnet where you want to place the VM). For more information, see Add a Virtual Machine to a Virtual Network. One VM must be size L or greater in order to attach two data disks to it. The data disks are needed to store:
- The Active Directory database and logs.
- System state backups.
- A Corp network with two VMs (YourPrimaryDC and FileServer).
- Domain Name System (DNS) infrastructure deployed if you need to have external users resolve names for accounts in Active Directory. In this case, you should create a DNS zone delegation before you install DNS server on the domain controller, or allow the Active Directory Domain Services Installation Wizard to create the delegation. For more information about creating a DNS zone delegation, see Create a Zone Delegation.
- On the DC that you install on a Windows Azure VM, configure DNS client resolver settings as follows:
- Preferred DNS server: on-premises DNS server
- Alternate DNS server: loopback address or, if possible, another DNS server running on a DC on the same virtual network.
Note
- You need to provide your own DNS infrastructure to support AD DS on Windows Azure Virtual Network. The Windows Azure-provided DNS infrastructure for this release does not support some features that AD DS requires, such as dynamic SRV resource record registration.
- Log on to YourPrimaryDC on the Corp network.
- In Server Manager, click View Network Connections.
- Right-click the local area network connection and click Properties.
- Click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
- Verify that the server is assigned a static IP address.
- In the RDP session for the VM, click Start, type dcpromo, and press ENTER.
- On the Welcome page, click Next.
- On the Operating System Compatibility page, click Next.
- On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and click Next.
- On the Name the Forest Root Domain page, type corp.contoso.com as the fully qualified domain name (FQDN) of the forest root domain and click Next.
- On the Set Forest Functional Level page, click Windows Server 2008 R2 and then click Next.
- On the Additional Domain Controller Options page, click DNS server and click Next.
- If the DNS delegation warning appears, click Yes.
- On the Location for Active Directory database, log files and SYSVOL page, type or select the location for the files and click Next.
- On the Directory Services Restore Administrator page, type and confirm the DSRM password and click Next.
- On the Summary page, confirm your selections and click Next.
- After the Active Directory Installation Wizard finishes, click Finish and then click Restart Now to complete the installation.
- On YourPrimaryDC, click Start, click Administrative Tools and then click Active Directory Sites and Services.
- Click Sites, right-click Subnets, and then click New Subnet.
- In Prefix, type 10.1.0.0/24, select the Default-First-Site-Name site object and click OK.
- Right-click Sites and click New Site.
- In Name, type CloudSite, select DEFAULTIPSITELINK and click OK.
- Click OK to confirm the site was created.
- Right-click Subnets, and then click New Subnet.
- In Prefix, type 10.4.2.0/24, select the CloudSite site object and click OK.
- Log on to YourVMachine, click Start, type dcpromo, and press ENTER.
- On the Welcome page, click Next.
- On the Operating System Compatibility page, click Next.
- On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and click Next.
- On the Network Credentials page, make sure you are installing the domain controller in the corp.contoso.com domain and type the credentials of a member of the Domain Admins group (or use corp\administrator credentials).
- On the Select a Domain page, click Next.
- On the Select a Site page, make sure that CloudSite is selected and click Next.
- On the Additional Domain Controller Options page, click Next.
- On the Static IP assignment warning, click Yes, the computer will use an IP address automatically assigned by a DHCP server (not recommended).
Important
Although the IP address on the Windows Azure Virtual Network is dynamic, its lease lasts for the duration of the VM. Therefore, you do not need to set a static IP address on the domain controller that you install on the virtual network. Setting a static IP address in the VM will cause communication failures.
- When prompted about the DNS delegation warning, click Yes.
- On the Location for Active Directory database, log files and SYSVOL page, click Browse and type or select a location on the data disk for the Active Directory files and click Next.
- On the Directory Services Restore Administrator page, type and confirm the DSRM password and click Next.
- On the Summary page, click Next.
- After the Active Directory Installation Wizard finishes, click Finish and then click Restart Now to complete the installation.
- Reconnect to the VM.
- Click Start, right-click Command Prompt and click Run as Administrator.
- Type the following command and press ENTER: 'Dcdiag /c /v'
- Verify that the tests ran successfully.
After the DC is configured, run the following Windows PowerShell cmdlet to provision additional virtual machines and have them automatically join the domain when they are provisioned. The DNS client resolver settings for the VMs must be configured when the VMs are provisioned. Substitute the correct names for your domain, VM name, and so on.
For more information about using Windows PowerShell, see Getting Started with Windows Azure PowerShell and Windows Azure Management Cmdlets.
-
To create an additional virtual machine that is domain-joined when it first boots, open Windows Azure PowerShell ISE, paste the following script, replace the placeholders with your own values and run it.
To determine the Internal IP address of the domain controller, click the name of virtual network where it is running.
In the following example, the Internal IP address of the domain controller is 10.4.3.1. The Add-AzureProvisioningConfig cmdlet also takes a -MachineObjectOU parameter which, if specified (it requires the full distinguished name in Active Directory), allows for setting Group Policy settings on all of the virtual machines in that container.
After the virtual machines are provisioned, log on by specifying a domain account using User Principal Name (UPN) format, such as administrator@corp.contoso.com.
# Deploy a new VM and join it to the domain
# -------------------------------------------
# Specify my DC's DNS IP (10.4.3.1)
$myDNS = New-AzureDNS -Name 'ContosoDC13' -IPAddress '10.4.3.1'
# OS Image to Use
$image = 'MSFT__Sql-Server-11EVAL-11.0.2215.0-08022012-en-us-30GB.vhd'
$service = 'myazuresvcindomainM1'
$AG = 'YourAffinityGroup'
$vnet = 'YourVirtualNetwork'
# Named $adminPwd rather than $pwd so it does not shadow PowerShell's automatic $pwd variable
$adminPwd = 'p@$$w0rd'
$size = 'Small'
# VM Configuration
$vmname = 'MyTestVM1'
$MyVM1 = New-AzureVMConfig -Name $vmname -InstanceSize $size -ImageName $image |
    Add-AzureProvisioningConfig -WindowsDomain -Password $adminPwd -Domain 'corp' -DomainPassword 'p@$$w0rd' -DomainUserName 'Administrator' -JoinDomain 'corp.contoso.com' |
    Set-AzureSubnet -SubnetNames 'BackEnd'
New-AzureVM -ServiceName $service -AffinityGroup $AG -VMs $MyVM1 -DnsSettings $myDNS -VNetName $vnet
Step 7: Backup the domain controller
- Connect to YourVMachine.
- Click Start, click Server Manager, click Add Features, and then select Windows Server Backup Features. Follow the instructions to install Windows Server Backup.
- Click Start, click Windows Server Backup, and click Backup Once.
- Click Different options and click Next.
- Click Full Server and click Next.
- Click Local drives and click Next.
- Select the destination drive that does not host the operating system files or the Active Directory database, and click Next.
- Confirm the backup settings you selected and then click Backup.
Step 8: Test authentication and authorization
- In order to test authentication and authorization, create a domain user account in Active Directory. Log on to the client VM in each site and create a shared folder on the VM.
- Test access to the shared folder using different accounts, groups and permissions.
Learn more about the features Windows Azure has to offer and have a chance of winning your own lab computer by participating in the free Microsoft Virtual Academy. Complete two TechNet evaluations, and take the selected Microsoft Virtual Academy courses for your chance at a $5,000 grand prize or a chance to win an HP EliteBook Revolve and two chances to win 400 Microsoft Points.
There is a lot of new stuff in Windows Server 2012 Active Directory:
- Active Directory management enhancements
- Active Directory Administrative Center
- Active Directory Recycle Bin management
- Fine-Grained Password Policy management
- Windows PowerShell History Viewer
- Dynamic Access Control
- Group Policy enhancements
- Kerberos constrained delegation changes
- Active Directory deployment enhancements
- Active Directory-based activation
In this post we will concentrate on Dynamic Access Control (DAC). DAC allows administrators to create and manage central access and audit policies in Active Directory, which can be managed through the Active Directory Administrative Center to help organizations reach data compliance.
NOTE: DAC is the amalgamation of different features working together. It leverages AD, GPO, file servers and more. It is one of the more involved labs we have tackled so far.
Microsoft has focused on the following areas:
- Identify the information that needs to be managed to meet business and compliance requirements
- Apply appropriate access policies to information
- Audit access to information
- Encrypt information
You can now create and manage Central Access and Audit Policies in Active Directory through the ADAC. These policies are based on conditional expressions, so that organizations can translate business requirements into efficient policy enforcement and considerably reduce the number of security groups needed for access control. Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as "User is from the Finance department" and "User's security clearance is High".
Here is a sample usage of DAC:
| Policy Type | Usage |
| --- | --- |
| Organization-wide authorization policy | Most commonly initiated from the information security office; driven by compliance or high-level organization requirements; relevant across the organization. Example: HBI files are accessible only to full-time employees. |
| Departmental authorization policy | Each department in an organization has some special data-handling requirements that it wants to enforce. Example: the finance department might want to limit access to finance servers to the finance employees. |
| Specific data-management policy | Usually relates to compliance and business requirements, and is targeted at protecting the correct access to the information that is being managed. Example: financial institutions might implement information walls so that analysts do not access brokerage information and brokers do not access analysis information. |
| Need-to-know policy | Typically used in conjunction with the previous policy types. Example: vendors should be able to access and edit only files that pertain to a project they are working on. |
You can find different scenarios of DAC usage here. What we will do in this post is set up DAC and create a rule to show the flexibility and the value you can get from this technology.
Step-by-Step: enabling and configuring DAC
DAC is a claim-based security feature. Claims are Active Directory attributes defined to be used with Central Access Policies. The claims can be set for both users and devices. Microsoft added a new container to the Active Directory Administrative Center to implement this new feature. To configure centralized file-access policies through Dynamic Access Control, we need to configure the following parts:
- Claim Type
- Resource properties for files
- Resource property lists (add resource property to global)
- Create new central access rule
- Create central access policy
First, we logged on to our domain controller ITCamp-DC1 and created some accounts for this lab.
- Create the following users with the attributes indicated:
| User | Username | Email address | Department | Country/Region |
| --- | --- | --- | --- | --- |
| Myriam Delesalle | MDelesalle | MDelesalle@ITCAMP.Local | Finance | Canada |
| Miles Reid | MReid | MReid@ITCAMP.Local | Finance | United States |
| Esther Valle | EValle | EValle@ITCAMP.Local | Operations | Canada |
| Maira Wenzel | MWenzel | MWenzel@ITCAMP.Local | HR | Canada |
| Jeff Low | JLow | JLow@ITCAMP.Local | HR | United States |
| RMS Server | rms | rms@ITCAMP.Local | | |
It's now time to enable Dynamic Access Control for ITCamp.Local:
- Open the Group Policy Management Console, click ITCamp.Local, and then double-click Domain Controllers.
- Right-click Default Domain Controllers Policy, and select Edit.
- In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.
- Double-click KDC support for claims, compound authentication, and Kerberos armoring and select the option next to Enabled. You need to enable this setting to use Central Access Policies.
- Open an elevated command prompt, and run the following command:
Configure Claim Type
In this step we will configure a claim type for users. We will add existing Active Directory attributes to the list of attributes that we can use when evaluating dynamic access control; in our case, the user's department and country.
1. After logging on to the DC, open the Active Directory Administrative Center to start configuring the Dynamic Access Policy (DAP).
2. In the Claim Types section, click "New" and "Claim Type" in the task pane.
3. Select the attribute you want to use, in our case "c", and in the Suggested Values section define the countries you want to allow. In our lab we will look for Canada and United States.
4. Repeat for the department attribute with the following suggested values: HR, Finance, Operations.
Configure Resource properties for files
1. In this step, we will configure the properties which will be downloaded by file servers and used to classify files, directories or shares. The DAC rules will compare user attribute values with resource properties. You can enable existing properties or create new ones.
2. Click on Resource Properties; here you can select the existing resource properties or create new ones. I have selected Country and Department.
Resource property lists (add resource property to global)
1. Each resource property must be added to at least one resource property list. It will then be downloaded by file servers in your environment. The global resource property list is downloaded by all file servers. Our properties are already part of the global list.
Create new central access rule
This is when we create a rule that uses the properties we defined earlier. It describes which conditions must be met in order for file access to be granted.
1. In the Central Access Rules section, click "New" and "Central Access Rule".
2. Give it a name in the Create Central Access Rule form.
3. In the Permissions section, click "Use Following Permissions" and click "Edit".
4. Click "Add" and in the "Permission Entry for Permissions" dialog that follows, select "Authenticated Users" as the principal and set the following conditions.
5. Click "OK"; you are back to the DAC configuration screen.
Create central access policy
This part is very straightforward.
1. In the Central Access Policies section, click "New" and "Central Access Policy" and give the new policy a name in the "Create Central Access Policy" form. We named ours CAP. You also need to add the Central Access Rule you created earlier to the policy.
2. Once that is created we need to tell AD about the policy. In the "Group Policy Management Console" we edited the "Default Domain Policy", but you can apply a different policy as you see fit. In Computer Management > Policies > Windows Settings > Security Settings > File System > Central Access Policy, right-click the right pane and select Manage Central Access Policies.
3. Add the policy you created to the Applicable Central Access Policies.
We are done configuring the DAC… well… not quite. We still need to configure our shares and share properties. To configure the shares, the File Server Resource Manager must be installed on the server that will be used as the file server. In our case the file server we are using is VMHost10B.itcamp.local.
- Log on to VMHost10B.itcamp.local as itcamp\administrator
- In Server Manager, click Add Roles and Features.
- On the Before you begin page, click Next.
- On the Select installation type page, click Next.
- On the Select destination server page, click Next.
- On the Select Server Roles page, expand File and Storage Services, select the check box next to File and iSCSI Services, expand it, and select File Server Resource Manager.
- In the Add Roles and Features Wizard, click Add Features, and then click Next.
- On the Select features page, click Next.
- On the Confirm installation selections page, click Install.
- On the Installation progress page, click Close.
On the VMHost10B machine we created two SMB Share - Advanced shares (HR, Finance); select all defaults to complete this part. Once the shares have been created, we need to go to the location where the directories were created and modify the properties of each folder to include the classification of these folders. Then, in the Advanced Security Settings, on the Central Policy tab, change "No Central Access Policy" to "CAP", the policy we defined. You can test whether everything worked by using the Effective Access tab.
That is just the start of the value that DAC can bring; we have only skimmed the surface. So try it for yourself. It's well worth the effort. You can deploy this in your lab and take advantage of the flexibility this technology can provide. Try it for yourself by downloading Windows Server 2012. Cheers!
Pierre Roman, MCITP, ITIL | Technology Evangelist
Additional Resources
TechNet manual: http://technet.microsoft.com/en-us/library/hh831717.aspx
Hands on lab: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx (Using Dynamic Access Control to automatically and centrally secure data)
Dynamic Access Control at MMS 2012: http://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview
Sharing knowledge amidst social media is a passion of mine. I challenge myself to try and spark a conversation via any of the most widely used social media avenues available. So when a request came in for a Step-By-Step post on Active Directory migration, following the previous Step-By-Step post on DHCP Migration, Pierre, Mitch and I were only too happy to oblige. Before detailing Active Directory migration, we felt it pertinent to showcase how to add a Windows Server 2012 Domain Controller to an existing network first. Migration of Active Directory from Windows Server 2003 to 2012 would be the next step once this Step-By-Step has been completed successfully.
Prerequisites
- Download Windows Server 2012. If you plan on completing this Step-By-Step in a virtual lab, it is recommended to download the FREE Hyper-V Server 2012 first.
- Check to ensure the Domain Functional Level is currently set to at least Windows 2003 mode. This is the lowest Domain Functional Level that allows a Windows Server 2012 Domain Controller installation. Windows NT / 2000 Domain Controllers are not supported via this process.
- In the Active Directory Users and Computers console, right-click the domain.
- Select Raise Domain Functional Level and review the Current domain functional level reported.

The Domain Functional Level does not need to be raised if the Current domain functional level is reporting Windows Server 2003.
NOTE: Should a lower domain be showcased (i.e., Windows Server 2000), please keep in mind that raising Domain Functional Level is a one time action and cannot be reverted. Remember Windows NT / 2000 Domain Controllers are not supported via this process.
- Ensure your profile is a member of the Enterprise Admins group.
Getting Started
- Set up and install your Windows Server 2012 machine
- Configure the new server's IP address to correspond to the target domain and ensure the existing Domain Controllers, where DNS is installed and configured, are reachable from your new Windows Server 2012 install.
Setting Up Domain Controller Functionality
- Open the Server Manager console and click on Add roles and features

- Select Role-based or feature-based installation and select Next.

- Select the Active Directory Domain Services role.

- Accept the default features required by clicking the Add Features button.

- On the Features screen click the Next button.
- On the Confirm installation selections screen click the Install button.
NOTE: Check off the Restart the destination server automatically if required box to expedite the install should you be able to reset the target server automatically.

- Click the Close button once the installation has been completed.

- Once completed, a notification appears on the dashboard, highlighted by an exclamation mark. Select it and in the drop-down menu select Promote this server to a domain controller.

- Select Add a domain controller to an existing domain.

- Ensure the target domain is specified. If it is not, either select the proper domain or enter the proper domain in the field provided.
- Click Change, provide the required Enterprise Administrator credentials and click the Next button.
- Define whether the server should be a Domain Name System (DNS) server and Global Catalog (GC). Select the Site to which this DC belongs and define the Directory Services Restore Mode (DSRM) password for this DC.

- Click the Next button on the DNS options screen.
- In the Additional Options screen you are provided with the option to install the Domain Controller from Install From Media (IFM). Additionally you are provided the option to select the point from which DC replication should be completed. The server will choose the best location for AD database replication if not specified. Click the Next button once completed.

- Specify the location for the AD database and SYSVOL and click the Next button.

- Next up is the Schema and Domain preparation. Alternatively, one could run Adprep prior to commencing these steps; regardless, if Adprep is not detected, it will automatically be completed on your behalf.

- Finally, the Review Options screen provides a summary of all of the selected options for server promotion. As an added bonus, clicking the View Script button provides you with the PowerShell script to automate future installations. Click the Next button to continue.

- Should all the prerequisites pass, click the Install button to start the installation.

- After it completes the required tasks and the server restarts, the new Windows Server 2012 Domain Controller setup is completed.
- Lastly, each server/workstation within the target domain requires a NIC configuration update to point to the new Domain Controller. Open the DHCP management console, select Option 006 under the server/scope options and add the IP address of your new Domain Controller as a DNS server.
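As an added example (not code from the original post), the prerequisite checks from the top of this post and the unattended form of the promotion that the wizard's View Script button produces, followed by the DHCP option 006 update from the last step. The domain, site, DHCP server and IP values are placeholders; it assumes the new server can reach the existing DCs over DNS and that the person running it holds Enterprise Admin credentials.

```powershell
# Added example (not from the original post). Run elevated on the new
# Windows Server 2012 server; all names and addresses below are placeholders.
$domainName = 'corp.contoso.com'
$siteName   = 'Default-First-Site-Name'
$dhcpServer = 'DHCP01.corp.contoso.com'
$newDcIp    = '10.0.0.20'
$existingDns = '10.0.0.10'

# The AD DS role brings the ActiveDirectory and ADDSDeployment modules with it.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ActiveDirectory, ADDSDeployment

# Credentials used for the checks and for the promotion itself.
$cred = Get-Credential -Message "Enterprise Admin credentials for $domainName"

# Check 1: the new server must find the existing DCs through DNS (Getting Started).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget
"Existing DCs advertised in DNS: $($dcs -join ', ')"

# Check 2: domain functional level must be Windows Server 2003 or later.
$domain = Get-ADDomain -Identity $domainName -Server $domainName -Credential $cred
if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2003 first."
}

# Check 3: the account must be an Enterprise Admin (the group lives in the forest root).
$rootDomain = (Get-ADForest -Identity $domain.Forest -Server $domainName -Credential $cred).RootDomain
$eaMembers  = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive -Server $rootDomain -Credential $cred
if ($eaMembers.SamAccountName -notcontains $cred.GetNetworkCredential().UserName) {
    throw "$($cred.UserName) is not a member of Enterprise Admins in $rootDomain"
}

# Promote: DNS and Global Catalog on, DSRM password prompted, replication source
# chosen automatically (the wizard's default when none is specified). Reboots on completion.
Install-ADDSDomainController -DomainName $domainName -SiteName $siteName `
    -InstallDns:$true -NoGlobalCatalog:$false -Credential $cred `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -NoRebootOnCompletion:$false -Force:$true

# After the reboot, from a host with the DHCP tools: add the new DC to option 006
# (DNS Servers) at the server level so clients pick it up on their next renewal.
# Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -OptionId 6 -Value $newDcIp, $existingDns
```

Running the three checks before Install-ADDSDomainController turns the wizard's prerequisite failures into explicit errors you can script around.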

Should you see one of our #CANITPRO Step-By-Step posts in any social media venue, feel free to contribute thoughts and additional ideas. Additionally, feel free to connect with us on any topic you would like to see covered. We are always happy to oblige.
Anyone who has attended one of our #CANITPRO Camps provided across Canada has been appreciative of the fact that actual hardware is provided to run all labs. Attendees are also appreciative of the amount of hours that Pierre, Mitch, and I put forth in setting up said hardware in every city. This practice, however, is slowly coming to an end and we are currently exploring options to utilize "the cloud" to enable attendees to conduct camps on their own hardware. As you know, Microsoft has been showcasing Azure's new features as of late and has really "turned up the dial" in pushing organizations to utilize cloud services. Some IT administrators have pushed back, as their lack of knowledge around the subject has some holding on tight to their on-premises servers.
Taking our first steps together into the cloud via this "Step-By-Step" created by DPE colleague Keith Mayer will provide insight and confidence should any IT Professional be interested in deploying Azure within their organization.
Prerequisites
- Sign-up for a FREE 90-day trial of Windows Azure so that the steps included can be completed.
NOTE: When signing up for the process, credit card information will be requested to confirm that you are a legitimate free trial subscriber. Credit card information is only used to confirm identity and will NOT be charged for any Windows Azure services unless the trial subscription is explicitly converted into a paid subscription at a later date. Should you currently have a paid subscription or MSDN subscription for Windows Azure, please ensure that you have activated the Windows Azure Virtual Machines and Virtual Networks Preview Feature. When signing up for a new free trial account, this feature will automatically be activated.
- Login to the Windows Azure Management Portal.
Login to the web-based Windows Azure Management Portal with the same logon credentials you used to sign-up for the FREE 90-day Trial above. Once you’ve logged in, you should see the main Windows Azure Management portal dashboard.
On the Windows Azure Management Portal, you’ll find the options for managing Virtual Machines, Virtual Networks and Storage in the cloud. These are the items we’ll be primarily working with in this article series.
- Define a new Windows Azure Affinity Group.
Affinity Groups in Windows Azure are used to group your cloud-based services together, such as Virtual Machines, Virtual Networks and Storage, in order to achieve optimal performance. When you use an affinity group, Windows Azure will keep all services that belong to your affinity group running within the same data center as close as possible to each other to reduce latency and increase performance.
- Create a new Affinity Group by selecting Settings from the side navigation bar in the Windows Azure Management Portal.
- On the Settings page, select Affinity Groups from the navigation bar.
- Click the +CREATE button on the bottom navigation bar.
On the Create Affinity Group form, enter the following details:
- Name: Enter a unique name for your new Affinity Group, such as XXXlab01 (where XXX is replaced with your initials)
- Region: Select the closest Windows Azure data center region to your locale. This is the data center region in which your services will be provisioned. Be sure to select one of the Windows Azure data center regions in which the Virtual Machines preview offer is currently enabled:
- East US
- West US
- West Europe
- North Europe
- Southeast Asia
- East Asia
- Create a new Windows Azure Storage Account.
Virtual Machines that are provisioned in Windows Azure are stored in the world-wide cloud-based Windows Azure Storage service. In terms of high availability, the Storage service provides built-in storage replication capability – where every VM is replicated to three separate locations within the Windows Azure data center region you select. In addition, Windows Azure Storage provides a geo-replication feature for also replicating your VMs to a remote data center region. Create a new Storage account by clicking the +NEW button on the bottom toolbar in the Windows Azure Management Portal and then select Data Services | Storage | Quick Create.
Complete the following fields for creating your Storage account:
- URL: Enter a unique name for your new storage account, such as XXXlabstor01 (where XXX is replaced with your initials)
- Region/Affinity Group: Select the Affinity Group you created in Step 3 above.
- Enable Geo-Replication: By default, this option is selected. Leave the default option in place.
- Click the CREATE STORAGE ACCOUNT button to create your new Windows Azure Storage account.
- Download, Install and Configure the Windows Azure PowerShell Management Tools
In addition to managing Windows Azure via the web-based Management Portal, Microsoft also provides a Windows Azure PowerShell module for scripted management of Windows Azure services. Both the Management Portal and PowerShell will be used in this series, so the Windows Azure PowerShell cmdlets need to be installed and configured to get prepared.
- Download and Install the Windows Azure PowerShell cmdlets. Note that a restart may be required after installing this module.
- Right-click on Windows PowerShell in your Start Menu or Start Screen and choose Run As Administrator.
- Set the PowerShell Execution Policy for scripts by running the following command at the PowerShell command prompt:
PS C:\> Set-ExecutionPolicy RemoteSigned
- Import the Windows Azure PowerShell module and supporting cmdlets by running the following command at the PowerShell command prompt:
PS C:\> Import-Module Azure
- Download and save your Windows Azure Publish Settings file by running the following command at the PowerShell command prompt:
PS C:\> Get-AzurePublishSettingsFile
- Import the saved Windows Azure Publish Settings file by running the following command at the PowerShell command prompt:
PS C:\> Import-AzurePublishSettingsFile "full_path_to_saved_file.publishsettings"
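The whole Prerequisites section can be done from PowerShell once the module is installed. The following is an added example, not a script from the original post, using the classic Windows Azure (Service Management) cmdlets the post describes. The `XXX` prefix follows the post's naming convention; the region, the download path of the publish settings file and the labels are assumptions for this example. It also adds the two checks worth doing here: confirming a subscription was actually imported, and deleting the `.publishsettings` file afterwards, because that file embeds a management certificate that grants control of the whole subscription.

```powershell
# Added example (not from the original post): one-time setup of the Windows Azure
# PowerShell module plus the Affinity Group and Storage Account from the
# Prerequisites section, with the checks a practitioner wants before moving on.
$Prefix   = "XXX"                                   # replace with your initials
$Region   = "East US"                               # assumed; any region listed above
$AgName   = "${Prefix}lab01"
$StorName = "${Prefix}labstor01".ToLower()          # storage account names must be lowercase
$PubFile  = Join-Path $env:USERPROFILE "Downloads\azure.publishsettings"   # assumed path

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Azure -ErrorAction Stop

# Import the publish settings and confirm a subscription is now available.
if (-not (Test-Path $PubFile)) {
    Get-AzurePublishSettingsFile       # opens the browser; save the file as $PubFile
    throw "Save the downloaded file as $PubFile and re-run this script."
}
Import-AzurePublishSettingsFile $PubFile
$sub = Get-AzureSubscription | Select-Object -First 1
if (-not $sub) { throw "No subscription imported; check the .publishsettings file." }

# The .publishsettings file embeds a management certificate (a credential for the
# whole subscription). After import it lives in the user's certificate store, so
# do not leave the file lying in Downloads.
Remove-Item $PubFile -Force

# Create the Affinity Group and Storage Account only if they do not exist yet.
if (-not (Get-AzureAffinityGroup -Name $AgName -ErrorAction SilentlyContinue)) {
    New-AzureAffinityGroup -Name $AgName -Location $Region -Label "Lab affinity group"
}
if (-not (Get-AzureStorageAccount -StorageAccountName $StorName -ErrorAction SilentlyContinue)) {
    New-AzureStorageAccount -StorageAccountName $StorName -AffinityGroup $AgName -Label "Lab storage"
}
# Geo-replication is on by default for a new account (the post leaves it on);
# setting it explicitly makes the state verifiable in the output below.
Set-AzureStorageAccount -StorageAccountName $StorName -GeoReplicationEnabled $true
Get-AzureStorageAccount -StorageAccountName $StorName |
    Select-Object StorageAccountName, AffinityGroup, GeoReplicationEnabled
```

Run it in an elevated PowerShell session after the module is installed; the first run stops at the download step, the second run imports the file, removes it and creates the two resources.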
Step 1: Register a DNS Server in Windows Azure
Register the internal IP address that our domain controller VM will be using for Active Directory-integrated Dynamic DNS services by performing the following steps:
- Sign in at the Windows Azure Management Portal with the logon credentials assigned when signing up for your Free 90-Day Windows Azure Trial.
- Select Networks located on the side navigation panel on the Windows Azure Management Portal page.
- Click the +NEW button located on the bottom navigation bar and select Networks | Virtual Network | Register DNS Server.
- Complete the DNS Server fields as follows:
  - NAME: XXXlabdns01
  - DNS Server IP Address: 10.0.0.4
- Click the REGISTER DNS SERVER button.
Step 2: Define a Virtual Network in Windows Azure
Define a common virtual network in Windows Azure for running Active Directory, Database and SharePoint virtual machines by performing the following steps:
- Sign in at the Windows Azure Management Portal with the logon credentials assigned when signing up for your Free 90-Day Windows Azure Trial.
- Select Networks located on the side navigation panel on the Windows Azure Management Portal page.
- Click the +NEW button located on the bottom navigation bar and select Networks | Virtual Network | Quick Create.
- Complete the Virtual Network fields as follows:
  - NAME: XXXlabnet01
  - Address Space: 10.---.---.---
  - Maximum VM Count: 4096 [CIDR: /20]
  - Affinity Group: Select the Affinity Group defined in the Prerequisites section above.
  - Connect to Existing DNS: Select XXXlabdns01, the DNS Server registered in Exercise 1 above.
- Click the CREATE A VIRTUAL NETWORK button.
Step 3: Deploy a New Windows Server 2012 VM in Windows Azure
In this exercise, you will provision a new Windows Azure VM running Windows Server 2012 on the Windows Azure Virtual Network provisioned in Exercise 2.
- Sign in at the Windows Azure Management Portal with the logon credentials assigned when signing up for your Free 90-Day Windows Azure Trial.
- Select Virtual Machines located on the side navigation panel on the Windows Azure Management Portal page.
- Click the +NEW button located on the bottom navigation bar and select Compute | Virtual Machines | From Gallery.
- In the Virtual Machine Operating System Selection list, select Windows Server 2012, December 2012 and click the arrow button to continue.
- On the Virtual Machine Configuration page, complete the fields as follows:
  - Virtual Machine Name: XXXlabad01
  - New Password and Confirm Password fields: Choose and confirm a new local Administrator password.
  - Size: Small (1 core, 1.75GB Memory)
  Click the button to continue.
  Note: Use strong passwords for Administrator users and service accounts, because a Windows Azure virtual machine can be reached from the Internet by anyone who knows its DNS name. This document on the Microsoft Security website will help you select a secure password: http://www.microsoft.com/security/online-privacy/passwords-create.aspx.
- On the Virtual Machine Mode page, complete the fields as follows:
  - Standalone Virtual Machine: Selected
  - DNS Name: XXXlabad01.cloudapp.net
  - Storage Account: Select the Storage Account defined in the Prerequisites section above.
  - Region/Affinity Group/Virtual Network: Select XXXlabnet01, the Virtual Network defined in Exercise 2 above.
  - Virtual Network Subnets: Select Subnet-1 (10.0.0.0/23)
  Click the button to continue.
- On the Virtual Machine Options page, click the arrow button to begin provisioning the new virtual machine. As the new virtual machine is being provisioned, you will see the Status column on the Virtual Machines page of the Windows Azure Management Portal cycle through several values including Stopped, Stopped (Provisioning), and Running (Provisioning). When provisioning for this new Virtual Machine is completed, the Status column will display a value of Running and you may continue with the next exercise in this guide.
- After the new virtual machine has finished provisioning, click on the name (XXXlabad01) of the new Virtual Machine displayed on the Virtual Machines page of the Windows Azure Management Portal to open the Virtual Machine Details Page for XXXlabad01.
Step 4: Configure a Windows Server Active Directory Forest in a Windows Azure VM
In this exercise, you will install and configure a new Windows Server 2012 Active Directory Forest on the VM deployed in Exercise 3.
- On the Virtual Machine Details Page for XXXlabad01, make note of the Internal IP Address displayed on this page. This IP address should be listed as 10.0.0.4.
If a different internal IP address is displayed, the virtual network and/or virtual machine configuration was not completed correctly. In this case, click the DELETE button located on the bottom toolbar of the virtual machine details page for XXXlabad01, and go back to Exercise 2 and Exercise 3 to confirm that all steps were completed correctly.
- On the virtual machine details page for XXXlabad01, click the Attach button located on the bottom navigation toolbar and select Attach Empty Disk. Complete the following fields on the Attach an empty disk to the virtual machine form:
  - Name: XXXlabad01-data01
  - Size: 10 GB
  - Host Cache Preference: None
  Click the button to create and attach a new virtual hard disk to virtual machine XXXlabad01.
- On the virtual machine details page for XXXlabad01, click the Connect button located on the bottom navigation toolbar and click the Open button to launch a Remote Desktop Connection to the console of this virtual machine. Logon at the console of your virtual machine with the local Administrator credentials defined in Exercise 3 above.
Wait for the Server Manager tool to launch before continuing with the next step.
- In the Server Manager window, format the disk attached in Step 2 above by launching the Computer Management tool from the Tools menu located on the top navigation bar.
- In the Computer Management window, click on Disk Management in the left navigation pane.
- When prompted with the Initialize Disk dialog box, click the OK button to continue.
- Right-click on the unallocated disk space on Disk 2 and select New Simple Volume… from the pop-up menu.
- In the New Simple Volume Wizard, click the Next button on each page to accept all default values.
- Click the Finish button on the last page of the wizard to create a new F: volume.
- When the new volume has finished the formatting process, close the Computer Management window.
- In the Server Manager window, install Active Directory Domain Services by launching the Add Roles and Features wizard from the Manage menu located on the top navigation bar.
- In the Add Roles and Features Wizard dialog box, click the Next button three times to advance to the list of Roles to install.
- In the list of roles, check the checkbox for the Active Directory Domain Services role. When prompted to add additional features, click the Add Features button.
- Click the Next button until you advance to the Confirm installation selections page of the wizard. Click the Install button to begin the installation process.
- When the installation of Active Directory Domain Services has completed, do not click the Close button. Instead, click the link titled Promote this server to a domain controller.
This will launch the Active Directory Domain Services Configuration Wizard.
- In the Active Directory Domain Services Configuration Wizard dialog box, select the deployment operation for Add a new forest.
- In the Root domain name: field, enter contoso.com as the name of the root domain in the new Active Directory forest. Click the Next button.
- On the Domain Controller Options page of the wizard, enter and confirm a recovery password in the Directory Services Restore Mode (DSRM) password fields. Click the Next button.
- On the DNS Options page of the wizard, ignore the warning message and click the Next button to continue.
- On the Additional Options page of the wizard, accept the default value for NetBIOS domain name and click the Next button.
- On the Paths page of the wizard, change the Database folder, Log files folder and SYSVOL folder paths to begin with F: instead of C:. Click the Next button.
- On the Review Options page, click the View Script button. A PowerShell script snippet will be displayed in a Notepad window. This snippet includes the cmdlets needed to Install a new Active Directory forest via PowerShell with the options selected in the wizard. Save this snippet to your Documents folder for future reference as a file named PSSnippet-Install-ADDSForest.ps1 and close the Notepad window.
- On the Review Options page, click the Next button.
- On the Prerequisites Check page, ignore the warnings displayed and click the Install button. The warnings displayed are due to the dynamic IP addressing used within Windows Azure Virtual Networks and do not apply to this cloud environment.
The Active Directory Domain Services configuration process will begin for the new AD Forest. When the Active Directory configuration process is complete, the server will automatically restart.
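The wizard's View Script button shows the Install-ADDSForest call it is about to run. The script below is an added example, not the snippet the wizard produces nor code from the original post: it carries the whole of Exercise 4 (data-disk formatting, role install, forest promotion) as PowerShell, using the values the post selects (contoso.com, database/log/SYSVOL paths on F:). The NetBIOS name CONTOSO is the one the wizard derives from the root domain name, and the volume label is an assumption. The DSRM password is read interactively so it never sits in the script file.

```powershell
# Added example (not from the original post): Exercise 4 as a script.
# Run in an elevated PowerShell session on XXXlabad01 after the empty 10 GB
# disk has been attached through the portal.

# 1. Initialize and format the empty data disk. Only RAW (never-initialized)
#    disks match the filter, so an existing volume is never reformatted.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle MBR -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false | Out-Null

if (-not (Test-Path 'F:\')) { throw "F: is not available; check the attached disk." }

# 2. Install the AD DS role binaries (same result as Add Roles and Features).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# 3. Promote the server to the first domain controller of a new forest.
#    The DSRM password (the wizard's Directory Services Restore Mode page) is
#    prompted for as a SecureString rather than written into the script.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -DomainNetbiosName 'CONTOSO' `
    -ForestMode 'Win2012' -DomainMode 'Win2012' `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -DatabasePath 'F:\Windows\NTDS' `
    -LogPath      'F:\Windows\NTDS' `
    -SysvolPath   'F:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false -Force:$true
# As with the wizard, the server restarts on its own when promotion completes.
```

The same prerequisite warnings about dynamic IP addressing that the wizard shows are printed by Install-ADDSForest; with `-Force:$true` they do not block the promotion.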
Step 5: Export / Import Lab Virtual Machines
At this point the Windows Server 2012 Active Directory Forest VM is functional in the cloud-based lab. Be aware that as long as a virtual machine is provisioned, it continues to accumulate compute hours against your Free 90-Day Windows Azure Trial account, even while it is shut down or in any other virtual machine state.
To save our compute hours for productive study time, one can leverage the Windows Azure PowerShell module to automate export and import tasks to de-provision the virtual machine when not in use and re-provision our virtual machine when it is needed again.
This step will utilize Windows PowerShell to automate:
- De-provisioning lab virtual machines when not in use
- Re-provisioning lab virtual machines when needed again.
Once configured, the PowerShell snippets below will spin up your cloud-based lab environment when needed.
Note: Prior to beginning this exercise, please ensure that the Windows Azure PowerShell module has been downloaded, installed and configured as outlined in the Prerequisite section of this step-by-step guide.
- De-provision the lab. Use the Stop-AzureVM and Export-AzureVM cmdlets in the PowerShell snippet below to shutdown and export lab VMs when they are not being used.
```powershell
# Specify the Name of the VM to Export
$myVM = "XXXlabad01"
# Stop the VM prior to exporting it
Stop-AzureVM -ServiceName $myVM -Name $myVM
# Set the Export folder path for the VM configuration file. Make sure this folder exists!
$ExportPath = "C:\ExportVMs\ExportAzureVM-$myVM.xml"
# Export the VM configuration to a file
Export-AzureVM -ServiceName $myVM -Name $myVM -Path $ExportPath
# Only once the Export file is confirmed to exist, delete the VM
if (Test-Path $ExportPath) {
    Remove-AzureVM -ServiceName $myVM -Name $myVM
}
```
- Re-provision the lab. Use the Import-AzureVM and Start-AzureVM cmdlets in the PowerShell snippet below to import and start lab VMs when needed again.
```powershell
# Specify the Name of the VM to Import
$myVM = "XXXlabad01"
# Specify the Name of the Virtual Network on which to Import the VM
$myVNet = "XXXlabnet01"
# Specify the Import Path of the VM's exported configuration file.
$ImportPath = "C:\ExportVMs\ExportAzureVM-$myVM.xml"
# Import the VM to Windows Azure
Import-AzureVM -Path $ImportPath | New-AzureVM -ServiceName $myVM -VNetName $myVNet
# Start the VM
Start-AzureVM -ServiceName $myVM -Name $myVM
```
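The two snippets above handle one VM each. As the lab grows (the virtual network in Exercise 2 was sized for Active Directory, Database and SharePoint machines), the same logic is easier to keep correct as a pair of functions. The following is an added example, not code from the original post; it wraps the same cmdlets, works over a list of VM names, refuses to remove a VM whose export file did not land on disk, and skips machines that are missing or already present. The export folder is an assumption; starting the domain controller first on import is a suggestion so DNS is up before the other lab machines boot.

```powershell
# Added example (not from the original post): Step 5 generalized to several lab VMs.
$ExportDir = 'C:\ExportVMs'     # assumed export folder
$VNet      = 'XXXlabnet01'      # virtual network from Exercise 2

function Export-LabVM {
    # Stops, exports and removes each named VM, keeping its disks in storage.
    param([Parameter(Mandatory=$true)][string[]]$Name)
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    foreach ($vm in $Name) {
        $path = Join-Path $ExportDir "ExportAzureVM-$vm.xml"
        if (-not (Get-AzureVM -ServiceName $vm -Name $vm -ErrorAction SilentlyContinue)) {
            Write-Warning "$vm not found; skipping"; continue
        }
        Stop-AzureVM -ServiceName $vm -Name $vm -Force
        Export-AzureVM -ServiceName $vm -Name $vm -Path $path
        # The XML is the only record of endpoints, data-disk attachments and
        # network placement, so never remove a VM without a non-empty export.
        if ((Test-Path $path) -and (Get-Item $path).Length -gt 0) {
            Remove-AzureVM -ServiceName $vm -Name $vm
        } else {
            Write-Warning "Export of $vm failed; VM left in place"
        }
    }
}

function Import-LabVM {
    # Re-creates each named VM from its export file and starts it.
    param([Parameter(Mandatory=$true)][string[]]$Name)
    foreach ($vm in $Name) {
        $path = Join-Path $ExportDir "ExportAzureVM-$vm.xml"
        if (-not (Test-Path $path)) { Write-Warning "No export for $vm"; continue }
        if (Get-AzureVM -ServiceName $vm -Name $vm -ErrorAction SilentlyContinue) {
            Write-Warning "$vm already exists; skipping import"; continue
        }
        Import-AzureVM -Path $path | New-AzureVM -ServiceName $vm -VNetName $VNet
        Start-AzureVM -ServiceName $vm -Name $vm
    }
}

# Usage (domain controller first on import, so DNS is available to the others):
# Export-LabVM -Name 'XXXlabad01'
# Import-LabVM -Name 'XXXlabad01'
```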
Learn more about the features Windows Azure has to offer and have a chance at winning your own lab computer by participating in the free Microsoft Virtual Academy. Complete two TechNet evaluations, and take the selected Microsoft Virtual Academy courses for your chance at a $5,000 grand prize or a chance to win an HP EliteBook Revolve and two chances to win 400 Microsoft Points.
Hello folks,

In this series, we've looked at deploying or leveraging the goodness of Windows Server 2012. We've looked at VDI, Data Deduplication, DirectAccess, Hyper-V among others... Today we'll look at ReFS. It's part of the Windows Server 2012 Storage Platform. It has been designed from the ground up to meet a broad set of customer requirements, for all the different ways that Windows is deployed. ReFS interfaces with Storage Spaces to automatically fix corruption. We've already covered Storage Spaces & Thin provisioning, so we'll concentrate on ReFS for this post.

ReFS inherits the features and semantics from NTFS including BitLocker encryption, access-control lists for security, USN journal, change notifications, symbolic links, junction points, mount points, reparse points, volume snapshots, file IDs, and oplocks.

ReFS is very well suited for the following:
- General-purpose file server. Customer deploys a file server attached to a JBOD storage configuration with Serial ATA (SATA) or Serially Attached SCSI (SAS) drives.
- Consolidated remote application data storage. Customer deploys a scale-out, two-node file server cluster with Storage Spaces, in which the cluster uses a shared JBOD storage configuration with SATA or SAS drives.

However, before we go any further, let me state that ReFS supports the majority of the Win32 APIs, but there are certain features that ReFS does not support:
- Legacy stuff like Short Names and TxF (or Transactional NTFS)
- NTFS-specific features like named streams, object IDs, short names, compression, file level encryption (EFS), user data transactions, sparse, hard-links, extended attributes, and quotas
- And for those of you who looked at my Data Deduplication post, deduplication is not supported on ReFS.
Deploying it is very easy. You do not need a Storage Pool to use ReFS (you can just create a volume with the ReFS file system). However, Storage Spaces protects data from partial and complete disk failures by allowing you to maintain copies on multiple disks. On read failures, Storage Spaces is able to read alternate copies, and on write failures (as well as complete media loss on read/write) it is able to reallocate data transparently. Many failures don't involve media failure, but happen due to data corruptions, or lost and misdirected writes. These are exactly the failures that ReFS can detect using checksums. Once ReFS detects such a failure, it interfaces with Storage Spaces to read all available copies of the data and chooses the correct one based on checksum validation. It then tells Storage Spaces to fix the bad copies based on the good copies. All of this happens transparently from the point of view of the application.

In our case we already have a Storage Pool with a mirrored virtual disk created. We called it ReFS-VDisk.

1- Using Server Manager, in File and Storage Services, we create a new volume.
2- In the New Volume Wizard we select the server and disk we want to use. In our case, as mentioned, we selected a virtual disk built on a Storage Pool with 2 mirrored drives, and click Next.
3- We allocated the maximum capacity, and click Next.
4- I like to use drive letters that make sense to me... so I selected the letter "R" for "Resilient", and click Next.
5- When asked to select a File System, select ReFS instead of NTFS, and click Next. You can also give it a volume name that is representative, so we called ours "ReFS Volume".
9- Click "Create" to complete the creation of the ReFS volume.
10- The server will create and format the volume; when completed you can click "Close".
11- As you can see in File Manager, the volume is created.

We are done! We have created a ReFS volume that will allow us to safeguard our data from corruptions.
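The same volume can be built with the Storage module cmdlets instead of the New Volume Wizard, which also makes it easy to verify that the protection described above is actually in effect. The following is an added example, not code from the original post. "ReFS-VDisk", the R: drive letter and the "ReFS Volume" label come from the post; the pool name LabPool is an assumption. ReFS always checksums its own metadata; whether file contents are checksummed (so that ReFS can choose the good mirror copy for a file, not just for its metadata) is governed by integrity streams, and the last two lines show how to check and enable that setting rather than assume it.

```powershell
# Added example (not from the original post): create the mirrored ReFS volume
# from wizard steps 1 to 10 with PowerShell, then verify the resiliency and
# integrity-stream settings that make corruption repair work.
$PoolName  = 'LabPool'        # assumed name of the existing storage pool
$VDiskName = 'ReFS-VDisk'     # the mirrored virtual disk from the post
$Letter    = 'R'              # "R" for Resilient

# Create the two-way mirror virtual disk only if it does not already exist.
if (-not (Get-VirtualDisk -FriendlyName $VDiskName -ErrorAction SilentlyContinue)) {
    New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $VDiskName `
        -ResiliencySettingName Mirror -NumberOfDataCopies 2 -UseMaximumSize | Out-Null
}

# Initialize, partition and format it as ReFS. The RAW filter means an
# already-formatted disk is never touched by a re-run.
Get-VirtualDisk -FriendlyName $VDiskName | Get-Disk |
    Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter $Letter -UseMaximumSize |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'ReFS Volume' -Confirm:$false | Out-Null

# Verify: the volume reports ReFS and sits on a two-copy mirror.
Get-Volume -DriveLetter $Letter |
    Select-Object DriveLetter, FileSystemLabel, FileSystem, Size, HealthStatus
Get-VirtualDisk -FriendlyName $VDiskName |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies, HealthStatus

# Integrity streams on the volume root; new files and folders inherit this setting.
# On a mirrored Storage Space in Windows Server 2012 they are on by default,
# but check rather than assume: without them only metadata is checksummed.
Get-FileIntegrity -FileName "${Letter}:\"
# Enable them explicitly if the output shows Enabled = False:
# Set-FileIntegrity -FileName "${Letter}:\" -Enable $true
```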
If you want to see a really cool demo of the results of that corruption protection, please look at the following recording of Rick Claus' session at TechEd (the ReFS demo is at time index 0:48:35).

That's it. Are you waiting for corruption to wipe your data? Use the Windows Server 2012 evaluation copy to try this in your own environment and see how you can protect your business from corruption.

Cheers!

![Signature_thumb[3] Signature_thumb[3]](http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-48-12-metablogapi/5635.Signature_5F00_thumb3_5F00_thumb_5F00_5D3BD63C.jpg)

Pierre Roman, MCITP, ITIL | Technology Evangelist Twitter | Facebook | LinkedIn

More resources
- Storage Spaces FAQ
- How to Configure Clustered Storage Spaces in Windows Server 2012
- Virtualizing Storage for Scale, Resiliency, and Efficiency
- Resilient File System Overview
Hello folks,
A new feature of Windows Server 2012 called Storage Spaces is designed to change the storage task for enterprises by providing in-box storage virtualization that can use low-cost commodity storage devices. We've covered Storage Spaces a few times already:
For this Step-by-Step we'll look at Data Deduplication, and how we enable and configure it on a volume created on a Storage Pool. We'll assume your storage pool is created and is in use with data on it. For my lab I copied my family's picture library onto it (I know that there are a lot of duplicates).
Data Deduplication in Windows Server 2012 stores more data in less physical space. It achieves greater storage efficiency than was possible in previous releases with Single Instance Storage or NTFS Compression. It can run on dozens of large volumes of primary data simultaneously without affecting other workloads on the server.
Deduplication maintains redundancy to ensure that the data is recoverable in the event of data corruption. Deduplication applies only to files on a file server; it is not supported for Exchange databases and SQL databases.
Today, we will do 3 things with data deduplication.
- Install deduplication
- Enable and configure deduplication on an existing volume
- Observe the results of deduplication
Install
1- From the Add Roles and Features Wizard, under Server Roles, expand File and Storage Services, then File and iSCSI Services, and select Data Deduplication.
Click Next until the Install button is active, and then click Install.
When complete, click Close.
You can also use PowerShell to install it by running the following commands:
PS C:\> Import-Module ServerManager
PS C:\> Add-WindowsFeature -Name FS-Data-Deduplication
PS C:\> Import-Module Deduplication
Enable and configure deduplication on an existing volume
1- From the Server Manager dashboard, right-click a data volume and choose Configure Data Deduplication. The Deduplication Settings page appears.
2- Select the Enable data deduplication check box, enter the number of days that should elapse from the date of file creation until files are deduplicated, enter the extensions of any file types that should not be deduplicated, and then click Add to browse to any folders with files that should not be deduplicated.
Note: For the purpose of this lab we set the number of days to 0. If you set MinimumFileAgeDays to 0, deduplication will process all files, regardless of their age. This is suitable for a test environment, where you want to exercise maximum deduplication. In a production environment, however, it is preferable to wait for a number of days (the default is 5 days), because files tend to change a lot for a brief period of time before the change rate slows. This allows for the most efficient use of your server resources.
3- Click Apply to apply these settings and return to the Server Manager dashboard.
4- In Server Manager, under File and Storage Services, and Servers, right-click the server and select Deduplication Schedule to continue to set up a schedule for deduplication.
You can also enable deduplication on a volume with PowerShell on the server. In this example deduplication is enabled on volume G:.
PS C:\> Enable-DedupVolume G:
Optionally, set the minimum number of days that must pass before a file is deduplicated by using the following command.
PS C:\> Set-Dedupvolume G: -MinimumFileAgeDays 20
That is it. Data deduplication has been setup and configured.
Observe the results of deduplication
Let’s use PowerShell to see the results of the data Deduplication.
1) On the server console, click Windows PowerShell.
2) Type Start-DedupJob -Type Optimization -Volume F:, and then press ENTER.
3) Type Get-Dedupjob, and then press ENTER. Run this command every few seconds until there are no active jobs.
4) Type Get-DedupStatus, and then press ENTER.
You can also look at the properties of the volume to show how much space you have saved.
Go ahead and try it for yourself.
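Before you do, here is the whole procedure from this post (install, enable and configure, run an optimization job, observe the result) as one script. It is an added example, not code from the original post, built on the cmdlets used above: Enable-DedupVolume, Set-DedupVolume, Start-DedupJob, Get-DedupJob and Get-DedupStatus. The G: volume is the one from the enable step; the excluded folder and file types, and the property names read from Get-DedupStatus (as shipped with the Windows Server 2012 Deduplication module), are assumptions for this example. It goes a little beyond the post by setting exclusions and computing a savings percentage instead of reading it off the volume properties dialog.

```powershell
# Added example (not from the original post): enable, optimize and measure
# Data Deduplication on one volume from a single script.
$Volume = 'G:'

# Install the feature if it is missing (equivalent to the wizard steps).
if (-not (Get-WindowsFeature FS-Data-Deduplication).Installed) {
    Add-WindowsFeature -Name FS-Data-Deduplication | Out-Null
}
Import-Module Deduplication

# Enable and configure. Age 0 is the lab setting from the post; production
# normally keeps the 5-day default so files that are still changing are skipped.
Enable-DedupVolume -Volume $Volume | Out-Null
$DedupParams = @{
    Volume             = $Volume
    MinimumFileAgeDays = 0                      # lab setting; default is 5
    ExcludeFolder      = "$Volume\Scratch"      # assumed folder to leave alone
    ExcludeFileType    = 'iso','vhd','vhdx'     # assumed types to leave alone
}
Set-DedupVolume @DedupParams

function Get-DedupSavings {
    # Returns the space-saving figures for a volume; meaningful once no job runs.
    param([string]$Vol = $Volume)
    $s    = Get-DedupStatus -Volume $Vol
    $used = $s.Capacity - $s.FreeSpace           # physical space in use after dedup
    $logical = $used + $s.SavedSpace             # what the data would occupy undeduplicated
    [pscustomobject]@{
        Volume         = $s.Volume
        OptimizedFiles = $s.OptimizedFilesCount
        InPolicyFiles  = $s.InPolicyFilesCount
        SavedSpaceGB   = [math]::Round($s.SavedSpace / 1GB, 2)
        SavingsPercent = if ($logical -gt 0) { [math]::Round(100 * $s.SavedSpace / $logical, 1) } else { 0 }
    }
}

# Run an optimization job now rather than waiting for the schedule, then poll
# Get-DedupJob (as the post does by hand) until no job is active.
Start-DedupJob -Volume $Volume -Type Optimization | Out-Null
do {
    Start-Sleep -Seconds 10
    $jobs = Get-DedupJob -Volume $Volume -ErrorAction SilentlyContinue
} while ($jobs)

Get-DedupSavings
```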
You can deploy this in your lab and take advantage of the flexibility this technology can provide. Try it for yourself by downloading Windows Server 2012.
Cheers!
Pierre Roman, MCITP, ITIL | Technology Evangelist Twitter | Facebook | LinkedIn
More Information
Data Deduplication Overview
http://technet.microsoft.com/en-us/library/hh831602.aspx
Mitch, Pierre and I have been delivering #CANITPRO camps for some time now and we are thoroughly enjoying connecting with the IT community across Canada. Many IT professionals we have encountered have enjoyed both version "A", concentrating on Hyper-V, and version "B", centered around Windows Server 2012 tools and management, and have been enthusiastic to learn how Microsoft's latest server offering would better prepare them to support their organization within their own environment. Many attendees have also expressed interest in migrating their operations from Windows Server 2003 to 2012 to take advantage of the new capabilities Windows Server 2012 has to offer and have asked for further support around the topic. One such ask came at a recent camp delivered in Edmonton, where an IT Professional was asking about migrating her organization's DHCP from 2003 to 2012 to take advantage of the failover capabilities 2012 has to offer.
Migration from Windows Server 2003 to 2012 has been deemed troublesome by a few, as the netsh DHCP command-line was replaced in Windows Server 2012 by PowerShell. The process, however, is actually quite easy and can be completed in a few steps.
Beginning the export process on Windows Server 2003
- On the Windows 2003 DHCP server, navigate to a command prompt
- Type the following Command: netsh
- Type the following Command: DHCP
- Type the following Command: server \\Name or IP Address
- Type the following Command: export c:\w2k3DHCPdb all
Note: You must have local administrator permissions to export the data.
Importing the DHCP database on Windows Server 2012
- Copy the exported DHCP database file to the local hard disk of the Windows Server 2012-based computer.
- From within Server Manager, select Add roles and features.
- Select Role-based or feature-based installation and select Next.
- On the Server Selection window, leave the default and select Next. When the Server Roles window opens, select DHCP. Select Add Features in the pop-up window, then select Next.
- Once the DHCP install has been completed, select DHCP located in the Server Manager dashboard.
- Right-click the designated DHCP server in the services pane, then select Stop.
- Delete the DHCP.mdb file under the c:\windows\system32\DHCP folder.
- Return to DHCP located in the Server Manager dashboard.
- Right-click the designated DHCP server in the services pane, then select Start.
- Right-click on the bottom left hand side of the desktop screen to invoke the admin menu.
- Select Command Prompt (Admin) to open the cmd prompt using elevated privileges.
- Type the following Command: netsh
- Type the following Command: DHCP
- Type the following Command: server \\Name or IP Address
- Type the following Command: import c:\w2k3DHCPdb
- Close the command prompt when completed.
- Return to DHCP located in the Server Manager dashboard.
- Right-click the designated DHCP server in the services pane, then select Restart.
- Disable and remove DHCP from the Windows 2003 server.
Simply setup your scope options for your new Windows Server 2012 DHCP server and then Authorize it within your domain and the migration is complete.
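The Windows Server 2012 side of the procedure can be scripted. The following is an added example, not code from the original post: it performs the role install, the database reset, the netsh import and the authorization step from PowerShell, and adds the two checks that matter when two DHCP servers briefly exist in one domain, namely that scopes actually arrived before the server is authorized, and that the old server is no longer listed as authorized once the new one is. The export file name c:\w2k3DHCPdb comes from the post; the server names and addresses are placeholders. netsh is kept for the import on purpose: the DhcpServer module's Import-DhcpServer reads the XML format written by Export-DhcpServer, not a netsh export from 2003.

```powershell
# Added example (not from the original post): import a Windows Server 2003
# netsh DHCP export on Windows Server 2012 and authorize the new server.
$ExportFile = 'C:\w2k3DHCPdb'               # file copied from the 2003 server
$NewServer  = 'dhcp01.example.local'        # placeholder FQDN of the 2012 server
$NewAddress = '10.0.0.10'                   # placeholder IP of the 2012 server
$OldServer  = 'w2k3dhcp.example.local'      # placeholder FQDN of the 2003 server

if (-not (Test-Path $ExportFile)) { throw "Export file $ExportFile not found." }

# Role install (Add Roles and Features) and a fresh, empty database.
Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
Stop-Service DHCPServer
Remove-Item "$env:SystemRoot\System32\dhcp\dhcp.mdb" -ErrorAction SilentlyContinue
Start-Service DHCPServer

# Import the netsh export (same as the netsh / dhcp / server / import steps).
netsh dhcp server import $ExportFile all
if ($LASTEXITCODE -ne 0) { throw "netsh import failed (exit code $LASTEXITCODE)" }
Restart-Service DHCPServer

# Confirm the scopes arrived before authorizing the server.
Import-Module DhcpServer
$scopes = Get-DhcpServerv4Scope
if (-not $scopes) { throw "No scopes imported; check the export file." }
$scopes | Format-Table ScopeId, Name, State, StartRange, EndRange

# Authorize the new server in Active Directory...
Add-DhcpServerInDC -DnsName $NewServer -IPAddress $NewAddress

# ...and make sure the old one is no longer authorized. Two authorized servers
# serving the same ranges hand out overlapping leases, and a server that keeps
# answering after it was meant to be retired looks exactly like a rogue DHCP
# server to anyone auditing the network.
Get-DhcpServerInDC |
    Where-Object DnsName -eq $OldServer |
    ForEach-Object { Remove-DhcpServerInDC -DnsName $_.DnsName -IPAddress $_.IPAddress }
Get-DhcpServerInDC | Format-Table DnsName, IPAddress
```

Run it in an elevated session on the 2012 server; the final table should list only the new server. Scope options come across with the database, so only options that differ for the new server need to be set afterwards.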
Learn more about the features Windows Server 2012 has to offer and have a chance at winning your own lab computer by participating in the free Microsoft Virtual Academy. Complete two TechNet evaluations, and take the selected Microsoft Virtual Academy courses for your chance at a $5,000 grand prize or a chance to win an HP EliteBook Revolve and two chances to win 400 Microsoft Points.