Windows Server 2012 – Install and configure servers

Install Servers

Plan for server installation

Windows Server 2012 installation requirements can be found here; in summary, Windows Server 2012 requires a 64-bit architecture, digitally signed kernel-mode drivers and 32 GB of disk space (note: the pagefile, hibernation file etc. take space too).

Considerations for the installation:

  • Remove any unnecessary serial devices, e.g. a UPS
  • Mass storage device drivers may be required
  • The Windows Firewall is enabled by default

Plan for server roles

Design, deployment and management guidance for Windows Server 2012 roles can be found here.

Active Directory Certificate Services – new functionality incl. PowerShell and integration with Server Manager.

Active Directory Domain Services – support for virtualisation incl. cloning of domain controllers, streamlined deployment with prerequisite checks, simplified management incl. claims-based authorisation and under-the-hood improvements to RID, deferred index creation, AD recycle bin GUI etc.

Active Directory Federation Services – PowerShell and Server Manager integration.

Active Directory Lightweight Directory Services – No change from Server 2008.

Active Directory Rights Management Services – Changes to SQL Server requirements (local administrative credentials on the SQL server are no longer needed; the sysadmin privilege now suffices) and integration with Server Manager.

Application Server – No change from Server 2008.

Failover Clustering – In Windows Server 2012 – improved scalability; now scales to 64 nodes and 8000 virtual machines, new management interface using Server Manager, enhancements to cluster shared volumes, support for scale-out file servers, cluster aware updating, virtual machine application monitoring and management, improved validation tests, active directory integration and quorum configuration.

In Windows Server 2012 R2 – support for guest clusters, virtual machine drain i.e. live migration virtual machines on shutdown of the Hyper-V host, virtual network health detection, improved CSV placement policies, resiliency, diagnostics and interoperability. Less dependency on ADDS, improvements to quorum incl. dynamic witness.

File and Storage Services – work folders, SMB improvements incl. SMB direct, storage spaces incl. tiered storage, distributed RAID?

In Windows Server 2012 R2 SMB sessions are now tracked per file share rather than per server allowing for redirection with the best access to the volume.

Group Policy – remote group policy update, sign-in optimisation i.e. slow link processing, new starter group policies, new PowerShell cmdlets, increased max size of registry.pol, group policy client idling (improves client computer performance).

In Windows Server 2012 R2 group policy has added support for IPv6 around printers, item-level targeting and VPN connections, group policies cached locally which are good for latent connections.

Hyper-V – loads of new features, client Hyper-V, dynamic memory, virtual machine replicas, improvements to import of virtual machines, live migration without shared storage, improved Hyper-V administrative delegation, pass-thru networking and storage adapters, virtual machine storage on file servers using SMB 3.0 and virtual NUMA.

In Windows Server 2012 R2 Hyper-V has shared virtual hard disks to complement guest failover clustering. Virtual hard disk resizing on the fly, storage QoS; set minimum and maximum IOPs per virtual machine. Live migration improvements such as compressing memory before migrating and rDMA support where applicable. New virtual hardware for Windows Server 2012 and Windows 8 and later. Clustering can detect network and storage issues and restart the virtual machine elsewhere.

Hyper-V replica now has 24 hour recovery points and now supports more than one replica.

Networking – New 802.1X protocol EAP-TTLS (Tunneled Transport Layer Security) which supports non-Microsoft RADIUS servers. Improvements to BranchCache, Data Center Bridging support for converged network adapters, DNSSEC improvements, DHCP failover, NIC teaming, QoS and improvements to IPsec IKEv2.

Windows Server 2012 R2 supports virtual receive-side scaling to utilise multiple virtual CPU cores.

Print and Document Services – Branch Office direct printing, new driver support etc.

Remote Desktop Services – improvements to sounds and video playback, virtualised GPU support (requires a SLAT processor and GPU driver which supports DX11).

Security and Protection – Dynamic access control provides central access policies to grant or deny access to files and folders across all Windows Server 2012 computers. DNSSEC, improved IPsec, security policies and policy management, Bitlocker improvements, Group Managed Service Accounts, AppLocker improvements etc.

Volume Activation – Is now a server role which automates the issuance and management of Microsoft software licenses. KMS, VAMT and MAK proxies are still available.

Web Server – Web server instances, SSL certificates stores, Server Name Indication (SSL host headers), application initialisation and dynamic IP restrictions.

Windows Deployment Services – can deploy wim, vhd and vhdx images; vhdx can be applied to volumes in a similar way to wim files. Support for ARM architecture too.

Windows Server Backup – ability to select individual virtual machines for backup and restore, support for large volumes e.g. greater than 2TB and 4 Kilobyte sectors.

Windows Server Essentials Experience – essentials experience can be installed in Windows Server 2012 Standard and Datacenter, it enables you to manage the server through a simplified dashboard, integrate with Office 365, Exchange Online, Windows Intune etc. Very much the same functionality as Small Business Server.

Windows Server Update Services – PowerShell improvements, improved security and client / server software separation.

Windows System Resource Manager – deprecated in favour of functionality provided by Hyper-V.

Plan for server upgrade

Upgrade guidelines:

  • In-place upgrades from 32-bit to 64-bit are not supported, nor are upgrades from one language to another or from one build type to another.
  • You cannot upgrade from a release candidate.
  • You cannot upgrade from core to full GUI or vice versa, but you can configure Windows Server 2012 to use the full GUI or core mode after the upgrade.
  • You cannot upgrade to a lesser edition, e.g. Server 200x Datacenter to Server 2012 Standard.

Server Core Overview

Server Core is no longer an irreversible choice; you can freely switch between GUI, Minshell and Core mode using PowerShell and DISM.

Install Server Core

Server core is the default choice when you install Windows Server 2012. The installation process is pretty streamlined with minimal questions asked.

Configure Features On Demand

Features on demand allows you to remove binaries from the installation which are not required e.g. if you have a web server which is a member of a domain you can safely remove the Active Directory binaries.

The best practice is to copy the WinSxS folder to a network share and assign the built-in Domain Computers group read share permissions.

If you need to install a role or feature whose binaries are no longer available on the local computer, you can use the source share or Windows Update. Where Get-WindowsFeature returns an install state of Removed, the binaries no longer exist on the computer. The default locations used by Install-WindowsFeature are the location specified within the GUI wizard, the value of the group policy setting ‘Specify settings for optional component installation and component repair’ and Windows Update. To override these, specify the -Source parameter.
Migrate Roles from Previous Versions of Windows Server

Server role upgrade guidelines:

  • Active Directory upgrade: see here. In summary, the forest functional level must be at least Windows Server 2003, compatible clients are Windows XP and later, verify application compatibility, and the operations master roles must be accessible during the promotion of a Windows Server 2012 domain controller.
  • Active Directory Federation Services: in general guidelines suggest export AD FS configuration, perform in-place upgrade of the operating system, recreate AD FS configuration and restore AD FS service settings.
  • Active Directory Rights Management Services: In-place upgrades supported but will require the AD RMS upgrade wizard to be run to ensure consistency. NOTE: If AD RMS was installed with the Windows Internal Database (WID) then first of all the WID instance should be migrated to SQL Server. See here.
  • File and Storage services: if DFS was installed prior to the upgrade then DFS will need reinstalling.
  • Hyper-V: shutdown virtual machines and remove any existing snapshots prior to the upgrade.
  • Print server: migrate using the Printer Migration Wizard.
  • Remote Access: the functionality provided by RRAS is now integrated into Remote Access Server (Direct Access). This role can be migrated to Windows Server 2012 by following this guide.
  • Remote Desktop Services: No migration path but you could utilise existing Server 2008 R2 session host servers by routing users through the Windows Server 2012 RD Web Access server.
  • Volume Activation Services: AD schema must be at Windows Server 2012 level to store activation objects.
  • Web Server: no change in functionality, web applications which work in IIS 7 will work in IIS 8.

Install, Use and Remove Windows Server Migration Tools

The Windows Server Migration Tools are installed on the destination server using Install-WindowsFeature Migration. To configure them browse to the migration tools directory c:\windows\system32\ServerMigrationTools\ then run smigdeploy.exe with the following parameters ‘smigdeploy.exe /package /architecture [amd64|x86] /os [WS03|WS08|WS08R2] /path [deployment folder e.g. c:\smigdeploy]’

Next copy the deployment folder to the source computer and run smigdeploy.exe to get access to the migration cmdlets Import- and Export-SmigServerSetting, Get-SmigServerFeature and Send and Receive-SmigServerData.

Once this part is complete, go here to view the role migration guides.

Once the migration is complete you can remove the migration tools from Windows Server 2012 using Uninstall-WindowsFeature Migration and from Windows Server 2008 R2 and earlier using smigdeploy.exe /unregister.

Configure Servers

Configure Server Core

Common core configuration tasks are:

  • Setting an administrative password: you’re prompted to set a password after the installation is finished. To change a password use Ctrl + Alt + Del.
  • Setting an IP address: you can use sconfig.cmd or PowerShell.
    • PowerShell: Get-NetIPInterface and note the number within the IfIndex column.
    • PowerShell: New-NetIPAddress -InterfaceIndex # -IPAddress <address> -PrefixLength ## -DefaultGateway <gateway>
    • PowerShell: Set-DNSClientServerAddress -InterfaceIndex # -ServerAddresses <DNS server addresses>
  • Adding the computer to the domain: run Add-Computer and follow the prompts, or provide the information to the cmdlet.
  • To rename a computer use the Rename-Computer cmdlet; to get the existing computer name use hostname.
  • To activate the computer use slmgr.vbs -ato; you may need to provide a product key using -ipk.
  • To configure the Windows Firewall use Set-NetFirewallProfile, New-NetFirewallRule, Set-NetFirewallRule… more here.
  • To enable PowerShell remoting use Enable-PSRemoting
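The tasks above as one first-boot script for a Server Core box, added here as an example and not taken from the original post. Every value is a placeholder (192.0.2.0/24 is the documentation range); substitute your own name, addressing, domain and product key.

```powershell
# Added example (not from the original post): first-boot configuration of a
# Server Core installation. All names and addresses below are placeholders.

$NewName    = 'CORE01'
$IPAddress  = '192.0.2.10'
$PrefixLen  = 24
$Gateway    = '192.0.2.1'
$DnsServers = '192.0.2.2', '192.0.2.3'
$DomainName = 'corp.example'

# 1. Pick the connected adapter instead of reading IfIndex by hand
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $nic) { throw 'No connected network adapter found.' }
$idx = $nic.ifIndex

# 2. Static IPv4: disable DHCP and clear any leased address and default route first,
#    otherwise New-NetIPAddress fails because a default gateway already exists
Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -in 'Dhcp', 'Manual' } |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $idx -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $idx -IPAddress $IPAddress -PrefixLength $PrefixLen `
    -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $DnsServers

# 3. Keep the firewall on for every profile with inbound blocked by default;
#    Enable-PSRemoting adds only the WinRM listener rule it needs
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 4. Activation: install a key with -ipk only if none is present, then activate
# & cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" -ipk 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
& cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" -ato

# 5. Rename and join the domain in one operation; prompts for the domain credential and reboots
Add-Computer -DomainName $DomainName -NewName $NewName -Credential "$DomainName\Administrator" -Restart
```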

Add and Remove Server Roles and Features

Use Install-WindowsFeature and Uninstall-WindowsFeature. These commands have optional parameters such as:

  • IncludeAllSubFeature (all applicable sub features) – Install cmdlet only
  • IncludeManagementTools
  • ComputerName (if the computer is remote)
  • ConfigurationFilePath (used to specify roles and features to be installed and any configuration parameters required) – Install cmdlet only
  • LogPath (to write the cmdlet results to a log file)
  • Remove (removes the binaries from the computer) – Uninstall cmdlet only
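A worked example covering both the Features on Demand section above and the Install-/Uninstall-WindowsFeature parameters just listed. This is added example code, not from the original post; the feature names, the share \\FS01\WinSxS and the log path are assumed placeholders.

```powershell
# Added example (not from the original post): install a role or feature on a
# server where Features on Demand may have removed the binaries, then strip the
# binaries of a feature the server does not need.

Import-Module ServerManager

$SourceShare = '\\FS01\WinSxS'               # assumed: copied WinSxS folder, Domain Computers = Read
$LogPath     = 'C:\Logs\WindowsFeature.log'  # assumed

function Install-FeatureWithFallback {
    param([Parameter(Mandatory)][string]$Name)

    $feature = Get-WindowsFeature -Name $Name
    if (-not $feature) { throw "Unknown feature: $Name" }

    switch ($feature.InstallState) {
        'Installed' { Write-Output "$Name is already installed"; return }
        'Available' {
            # Binaries still on disk, so the default search locations are fine
            $result = Install-WindowsFeature -Name $Name -IncludeManagementTools -LogPath $LogPath
        }
        'Removed' {
            # Binaries gone: -Source overrides the wizard path, the GPO setting and Windows Update
            $result = Install-WindowsFeature -Name $Name -IncludeManagementTools `
                          -Source $SourceShare -LogPath $LogPath
        }
    }
    if (-not $result.Success) { throw "Install of $Name failed with exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning "$Name installed; a restart is required" }
    $result
}

function Remove-FeatureBinaries {
    # Uninstall and delete the payload so the feature cannot be re-enabled without a source
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        if ((Get-WindowsFeature -Name $n).InstallState -ne 'Removed') {
            Uninstall-WindowsFeature -Name $n -Remove -LogPath $LogPath | Out-Null
            Write-Output "$n binaries removed"
        }
    }
}

# Example use on a domain-joined web server: keep IIS, drop the AD DS payload
Install-FeatureWithFallback -Name 'Web-Server'
Remove-FeatureBinaries -Name 'AD-Domain-Services'
```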

Convert Server Core to / from Full “Server with Gui”

The installation of server core can be converted to minshell or full GUI by mounting the installation image:

dism /mount-wim /wimfile:d:\sources\install.wim /index:4 /mountdir:c:\DVD /ReadOnly

Note: my DVD drive letter is D:\ and I created a directory on C:\ called DVD. The index number of the installation can be found by using the PowerShell cmdlet Get-WindowsImage -ImagePath d:\sources\install.wim

To install the full GUI run:

Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart -Source c:\DVD\Windows\WinSxs

If you just want the minshell, leave out Server-Gui-Shell.

The -Source parameter is needed if the server was installed in core mode, because the GUI binaries are not present locally.

On restart you’ll see ‘Configuring Windows Features’.

The full GUI can be converted to core or minshell using the PowerShell cmdlet Uninstall-WindowsFeature, e.g.

To get to the minshell:

Uninstall-WindowsFeature Server-Gui-Shell -Restart

To get to the core mode:

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart

Configure Services

The Get-Service cmdlet can be used to get the status of all services; you could pipe this output to Start-Service or Stop-Service depending on the value of the status property.

The Get-Process cmdlet can be used to return all running processes.

MCTS 70-646 Plan and implement group policy strategy

Plan and implement group policy strategy

Starter Group Policy Objects (GPO)

Starter GPOs are baseline templates you can use when building GPOs. Starter GPOs can be exported to other domains too. Starter GPOs are backed up and restored using the Back Up All and Manage Backups options on the Starter GPOs node.

Starter GPOs can only contain administrative template settings.

Group Policy backup and Recovery

Standard group policies can be backed up and restored from within the group policy objects node.

Group Policy Strategy

The best advice with Group Policy is to keep it simple: avoid too much inheritance blocking, organisational units with lots of GPOs, many organisational units linking to the same GPO, and monolithic GPOs which change frequently. Implement functional GPOs where necessary, i.e. where changes are frequent; this will speed up client side extension processing.

It is recommended that you disable the user or computer configuration portion of a policy if it is not used. Note that this is unlikely to speed up processing, since the group policy client still has to query Active Directory to check whether that portion of the policy is disabled.

The Group Policy ADMX files should be stored in a central store; this stops domain controllers storing redundant copies of the same data. The central store lives in SYSVOL: to configure it, create a PolicyDefinitions folder and copy the .admx policy files to it, then create an en-US folder within the PolicyDefinitions folder and copy the .adml language files into it.

Starter Group Policy Objects should be used to create standardised combinations of administrative templates.

Troubleshooting Group Policy

The first step is to check the core configuration, i.e. the computer is connected to the network, you can ping it, you can resolve DNS names, and the system clock is within the limits defined by Kerberos. Some of these checks also test services, e.g. resolving DNS confirms the DNS service is working and logging onto the domain confirms AD DS is working. Remember the core services for group policy are AD DS, DNS and TCP/IP.

Tools such as gpotool.exe, rsop.msc and gpresult.exe can be used to verify what policies are being or not being applied. rsop.msc can point towards why policies are not applied. gpotool.exe can be used to verify policies are correct.

The operational logs within Windows event viewer are also very useful when reviewing which policies have been applied and how long they took.

When policies are not being applied or take an inordinate amount of time to apply it is always good to understand how the group policy process works.

First of all, the group policy client queries the nearest domain controller to get the list of Group Policy Objects which apply to the logged-in user and computer.

Next the client side extension processing starts; the newer Windows operating systems use Network Location Awareness (NLA) to determine whether they’re within the domain or on a public internet connection. NLA uses the connection specific DNS information and the NetworkName registry key, if they’re the same the client attempts to query the domain controller using LDAP.

Once NLA deems the client computer to be in the domain the group policy client reads the CSE information from the registry then the group policy client uses LDAP to search for GPOs with the gpLink attribute.

The group policy client then checks whether the user or computer has permission to read the GPO. Finally, the group policy client reads gpt.ini to determine whether the policy has been updated, comparing its version against the information stored in the client registry.
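The checks described in this section as a script, added here as an example and not from the original post: it verifies DNS, network reachability and Kerberos clock skew against a domain controller, reads the Group Policy operational log, and decodes the gPLink attribute on the container holding the computer. It assumes the client is domain-joined and uses only built-in cmdlets and ADSI (no ActiveDirectory module).

```powershell
# Added example (not from the original post): Group Policy dependency checks on a client.

$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'This computer is not domain-joined.' }
$Domain = $cs.Domain

# 1. DNS: the SRV record the client uses to locate a domain controller
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object QueryType -eq 'SRV' | Select-Object -First 1
$dc = $srv.NameTarget
"Domain controller located via DNS: $dc"

# 2. TCP/IP: ping, then the LDAP port the GPO query will use
if (-not (Test-Connection -ComputerName $dc -Count 2 -Quiet)) { Write-Warning "$dc does not answer ping" }
$tcp = New-Object Net.Sockets.TcpClient
try     { $tcp.Connect($dc, 389); "LDAP port 389 open on $dc" }
catch   { Write-Warning "LDAP port 389 unreachable on $dc" }
finally { $tcp.Close() }

# 3. Kerberos: clock offset against the DC (default tolerance is 5 minutes)
$line = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-Object -Last 1
if ($line -match '([+-]\d+\.\d+)s') {
    $offset = [double]$Matches[1]
    if ([math]::Abs($offset) -gt 300) { Write-Warning "Clock offset ${offset}s exceeds the Kerberos limit" }
    else { "Clock offset from $dc is ${offset}s" }
} else { Write-Warning "Could not measure clock offset: $line" }

# 4. Operational log: warnings/errors plus the 8000-8007 completion events, which report processing time
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 200 |
    Where-Object { $_.Level -le 3 -or $_.Id -in 8000..8007 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap -AutoSize

# 5. gPLink on the parent container: link order plus the flag (1 = disabled, 2 = enforced)
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$dn = $searcher.FindOne().Properties['distinguishedname'][0]
$parentDn = ($dn -split ',(?=OU=|CN=|DC=)', 2)[1]
$gpLink = [string]([ADSI]"LDAP://$parentDn").gPLink
"GPO links on $parentDn (empty for the default Computers container, which cannot hold links):"
foreach ($m in [regex]::Matches($gpLink, '\[LDAP://([^;]+);(\d)\]')) {
    $gpo  = [ADSI]"LDAP://$($m.Groups[1].Value)"
    $flag = @('linked', 'disabled', 'enforced', 'enforced+disabled')[[int]$m.Groups[2].Value]
    "{0,-40} {1}" -f [string]$gpo.displayName, $flag
}
```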

MCTS 70-646 Plan for backup and recovery

Plan for backup and recovery

Major changes since NTBackup

  • Windows Server Backup no longer supports tape media
  • Windows Server Backup on Windows Server 2008 does not support scheduled optical or remote share backups; Windows Server 2008 R2 does support scheduled remote share backups, with the caveat that only one backup is stored.
  • The smallest backup object is a volume
  • Only NTFS volumes can be backed up
  • Backups are stored as VHD files
  • Windows Server Backup on Windows Server 2008 R2:
    • supports the inclusion or exclusion of files, file types and paths
    • supports incremental backup forever
    • system state backups use shadow copy versions to minimise the backup set size

The backup operator role can only run ad hoc backups; full administrator rights are required to configure scheduled backups.

Ideally backup sets should be kept offsite and where data is encrypted, encryption recovery keys should be kept with the backup set too. If using a disaster recovery site then adequate resource should be available; one benefit of Windows Server backup is that backup files are stored as VHD files, so virtualisation at the disaster recovery site is a viable solution.

Recovery strategy

Windows Server Backup can restore applications that have Volume Shadow Copy Service (VSS) writer functionality in a more simplified manner; Windows Server Backup will restore the application data, configuration settings and application program.

File recovery where duplicates exist will either overwrite, make a copy or ignore.

Server Recovery Strategy

Complete server recovery requires you to boot from the installation DVD and select repair; this enters the Windows Recovery Environment (WinRE), from where you can select a backup to restore. This restore can also be used on differing hardware. NOTE: full recovery requires that the new disk be at least the same size as the original.

Directory Service Recovery strategy

Active Directory authoritative restores require you to restart the domain controller in Directory Services Restore Mode. Once in DSRM*, restore the system state backup, then start ntdsutil and activate the ntds instance. Type authoritative restore, then restore subtree “OU=OUName,DC=Domain,DC=com”; once the authoritative restore** is complete, restart the domain controller. NOTE: authoritative restores are only relevant if you have more than one domain controller; with a single domain controller a non-authoritative restore would do the trick.

*An easy way to get into DSRM is by modifying the boot configuration database; use:

bcdedit /set safeboot dsrepair

then when the restore is complete

bcdedit /deletevalue safeboot

**During an authoritative restore you will be notified of a number of LDIF files which contain back links (i.e. group membership etc.); note these, then import each one with:

ldifde.exe -i -k -f [path to file]\ldif.filename

Tombstone lifetime by default is 180 days, you cannot recover anything older than the tombstone lifetime. The tombstone lifetime was previously 60 days in Windows Server 2003 RTM.


Performing Authoritative Restore of Active Directory Objects

Object level recovery

Volume shadow copies for shared folders functionality allows end users to recover deleted or corrupted files. Shadow copies can be used on non-shared folders too.

A maximum of 64 shadow copies can be created, if the disk holding the shadow copies is out of disk space then the oldest shadow copy will be deleted. The default space available for shadow copies is 10% of available disk space and the default schedule is 7am every weekday.

Active Directory objects can be restored individually using Active Directory snapshots created with ntdsutil or system state backups.

To restore an object from a system state backup first restore the system state redirecting the restore to an empty volume, then mount the ntds.dit database using dsamain.exe, use ldp.exe to restore the AD DS object.

To restore an object from an ntdsutil snapshot, mount the snapshot using ntdsutil, mount the ntds.dit database using dsamain.exe, then use ldp.exe to restore the AD DS object.

For object-level recovery using an authoritative restore, type restore object rather than restore subtree.

Windows Server 2008 R2 domain controllers running forest functional level Windows Server 2008 R2 have the AD Recycle Bin functionality; the Recycle Bin is enabled via PowerShell and requires you to restore objects using PowerShell. Objects deleted before the AD Recycle Bin was enabled will be missing linked-value replication information, i.e. group membership.
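Enabling the Recycle Bin and restoring a deleted user with PowerShell, added here as an example and not from the original post. It needs the ActiveDirectory module on a domain controller or RSAT host; the account name and fallback OU are assumed placeholders, and the final check shows the group-membership caveat just described.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin once,
# restore a deleted user, and confirm its group memberships came back.

Import-Module ActiveDirectory

$UserName   = 'jsmith'                         # assumed deleted account
$FallbackOU = 'OU=Users,DC=corp,DC=example'    # assumed; used only if the original parent is gone

# 1. Enable the feature forest-wide if it is not already on. This cannot be undone,
#    and Enable-ADOptionalFeature fails if the forest functional level is too low.
$forest = Get-ADForest
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
    "Recycle Bin enabled for $($forest.Name); objects deleted before now will not keep their links"
}

# 2. Find the deleted object; newest first in case the account was deleted more than once
$deleted = Get-ADObject -Filter { sAMAccountName -eq $UserName -and isDeleted -eq $true } `
               -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, isDeleted |
           Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $deleted) { throw "No deleted object named $UserName; check the deleted-object lifetime" }

# 3. Restore to the original parent when it still exists, otherwise to the fallback OU
$parent = [string]$deleted.lastKnownParent
try   { Get-ADObject -Identity $parent -ErrorAction Stop | Out-Null; $target = $parent }
catch { Write-Warning "Original parent $parent no longer exists; using $FallbackOU"; $target = $FallbackOU }
Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $target

# 4. Verify: memberships are preserved only for objects deleted after the feature was enabled
$user = Get-ADUser -Identity $UserName -Properties MemberOf
"$UserName restored to $target with $($user.MemberOf.Count) group membership(s)"
if ($user.MemberOf.Count -eq 0) {
    Write-Warning 'No group memberships: the object was probably deleted before the Recycle Bin was enabled'
}
```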