Here we go again... Microsoft announced in late February 2020 that this exam will be retired at the end of June 2020, together with the whole MCSA certification track! I found that out thanks to NetworkChuck, good thing I subscribed to his YouTube channel! So... let's go and take this exam before the expiration date

Latest update! I guess that due to the virus crisis, Microsoft has extended the end-of-life date for these exams to the end of January 2021

Anyway, we need to pass this 70-411 exam before it expires, and it is a good opportunity as well to refresh and gain some Microsoft knowledge along the way, of course. So, let's go ahead and do this thing. The topics for 70-411 Administering Windows Server 2012 are these:

  1. Deploy, Manage and Maintain Servers, WDS, WSUS and DCs
  2. Configure File and Print Services, DFS, FSRM, EFS and Bitlocker
  3. Configure Network Services and Access, DNS zones, VPN and Direct Access
  4. Configure a Network Policy Server Infrastructure, NPS and RADIUS
  5. Configure and Manage Active Directory, AD
  6. Configure and Manage Group Policy, GPOs

Here are the bits of what I've covered in this article


Set up your lab

To create the different servers that we are going to use for this exam, get yourself a copy of VMware Workstation 15, and create a virtual machine with Windows Server 2012 R2 called "TEMPLATE_2012", then install the OS on it and make sure it is up to date before proceeding... yup, Windows Update might take a few hours to run...

Once all Windows Updates are done, run C:\Windows\System32\sysprep\sysprep.exe > choose OOBE and Shutdown... and of course don't forget to tick the "Generalize" checkbox, otherwise all the VMs you create from that template will have the same SID, not good!

You are ready now to create new Server 2012 R2 VMs based on that template. Using VMware Workstation, right-click the TEMPLATE VM and go to Manage > Clone > and create a linked clone


That way you can create as many 2012 R2 VMs as you need without wasting time installing the OS, patches, etc. This is the list of the VMs that I created for this exam:

Name    Role                                        IP Address
AD01    Forest Root Domain Controller, CA, DHCP
AD02    Domain Controller, ADFS
SRV01   DFS, BitLocker
SRV03   DFS, Direct Access, NPS                     (internal) / DHCP (external)
SRV04   Web Application Proxy (not domain joined)
SRV05   Remote Access VPN


Download Remote Desktop Connection Manager on one of your servers to manage the lab environment from a single location


Active Directory stuff

Remember that the good old "dcpromo" is deprecated in Windows Server 2012, but you still have to use it if you want to do an unattended installation (dcpromo /unattend). It might sound like a broken record, but it is good every now and then to review the amazing features included in Active Directory:

  • Active Directory Certificate Services; this is where you set up your PKI, Public Key Infrastructure, certificates
  • Active Directory Rights Management Services; creates reliable information protection solutions using technologies like encryption, certificates and authentication
  • IP Address Management; customise and monitor the IP address infrastructure on a corporate network
  • Kerberos Authentication; version 5 is installed as a security support provider (SSP)
  • Global Catalog; be mindful of the size of your Universal Groups, those are the ones that are replicated between GCs
  • krbtgt account; the Key Distribution Center service account is disabled and used by the operating system, it cannot be used to log on to the domain

Active Directory uses the concept of foreign security principals to allow permissions to be assigned to users who are not part of an Active Directory forest

Service Accounts Authentication; the Local System account has more rights than the Local Service and Network Service accounts. To create a service account for a specific service, do as follows in PS

New-Service -Name NAZAUDY -DisplayName "Nazaudy Service" -Description "Nazaudy test service" -BinaryPathName C:\Windows\system32\notepad.exe

To run a service under its Virtual Account (a local, per-service identity), set the username to NT SERVICE\$SERVICE_NAME$ with a blank password (don't forget the dollar sign at the end). Managed Service Accounts (MSA) are added by administrators as a domain account, but are tied to a specific machine only, which is a problem when you want accounts for farms or clusters; in situations where you want to use an MSA on more than one computer in a domain, create a Group Managed Service Account (gMSA) instead. To create a managed service account, do as follows:

New-ADServiceAccount -Name NAZAUDY3 -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity SERVER3 -ServiceAccount NAZAUDY3
Test-ADServiceAccount -Identity NAZAUDY3

#After the above, visit SERVER3 and run the following
Install-ADServiceAccount NAZAUDY3

#Finally, open services.msc on SERVER3 and link the NAZAUDY3 service to its account
#Leave the password blank, it will be managed by AD

To create Group Managed Service Accounts, the Key Distribution Service needs a root key; to create it in your AD run this command:

Add-KdsRootKey -EffectiveImmediately
#Even though it says immediately, there is actually a 10 hour delay for replication

#Create a group managed service account
New-ADServiceAccount -Name NAZAUDY4 -DNSHostName NAZAUDY4.nazaudy.local -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers"

#Install AD PS module on server4 and server5
Invoke-Command -ComputerName server4,server5 -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }

To use these accounts, the OS must be Windows 7 or higher for clients and Server 2008 R2 or higher for servers
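The gMSA steps above, put together as one script. This is an added example, not code from the original post: it assumes the AD PowerShell module, Domain Admin rights, the lab domain nazaudy.local with NetBIOS name NAZAUDY, and the constructed names gMSA-WebFarm-Hosts (a dedicated host group), SERVER4/SERVER5 and a service called NazaudyWeb. The one deliberate change from the post is that the managed password is retrievable by a dedicated group rather than by every member of "Domain Computers".

```powershell
# Added example (not from the original post). Assumes RSAT-AD-PowerShell and
# Domain Admin rights; all names below are constructed for nazaudy.local.

$Domain    = 'nazaudy.local'
$NetBios   = 'NAZAUDY'                 # assumed NetBIOS name of the domain
$HostGroup = 'gMSA-WebFarm-Hosts'      # hypothetical group of hosts allowed to fetch the password
$Hosts     = 'SERVER4', 'SERVER5'      # hypothetical farm members
$Account   = 'NAZAUDY4'                # gMSA sAMAccountName (without the trailing $)
$Service   = 'NazaudyWeb'              # hypothetical Windows service to run under the gMSA

# 1. KDS root key. In production use -EffectiveImmediately and wait the ~10 h
#    replication window the post mentions. In a single-DC lab you can backdate
#    the key so it is usable at once (lab only, never in production).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A dedicated group is a tighter principal set than "Domain Computers":
#    only the farm members can retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members ($Hosts | ForEach-Object { Get-ADComputer $_ })

# 3. Create the gMSA and let only that group retrieve the password.
New-ADServiceAccount -Name $Account `
    -DNSHostName "$Account.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType AES128, AES256

# 4. On each host: install the account (which primes the host's copy of the
#    secret), verify it, and point the service at it with a blank password.
Invoke-Command -ComputerName $Hosts -ScriptBlock {
    param($Acct, $Svc, $Dom)
    Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
    Install-ADServiceAccount -Identity $Acct
    if (-not (Test-ADServiceAccount -Identity $Acct)) {
        throw "gMSA $Acct not usable on $env:COMPUTERNAME"
    }
    # Service logon as DOMAIN\name$ with an empty password: AD manages it.
    sc.exe config $Svc obj= ('{0}\{1}$' -f $Dom, $Acct) password= ""
} -ArgumentList $Account, $Service, $NetBios
```

The hosts must be rebooted (or at least obtain a fresh Kerberos ticket) after being added to the group, otherwise Install-ADServiceAccount fails with an access-denied error because their ticket does not yet carry the new group membership.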

FSMO Roles; Flexible Single-Master Operations, to check who has the roles installed on your domain, run:

netdom /query fsmo

#If using PS, use:
Get-ADForest nazaudy.local | FT SchemaMaster, DomainNamingMaster
Get-ADDomain nazaudy.local | FT PDCEmulator, RIDMaster, InfrastructureMaster

#For the record, these are the FSMO numbers:
PDCEmulator            0
RIDMaster              1
InfrastructureMaster   2
SchemaMaster           3
DomainNamingMaster     4
  • Schema Master and Domain Naming Master; only one DC in the whole forest can hold each of these roles
  • PDC Emulator, RID pool manager and Infrastructure Master are domain-specific; only one DC per domain can hold each of those roles. The PDC is a critical role, watch out for that one

To transfer roles you can use the GUI, but to 'seize' the roles you have to use ntdsutil; the domain-specific roles can be changed using AD Users & Computers, the Domain Naming Master role (being forest-specific) has to be changed using AD Domains & Trusts, and for the Schema Master you first need to register the tool that will allow you to change the role

regsvr32 schmgmt.dll

Once the Schema Management console is registered, add it through MMC >> Operations Master and change the role. To seize (or transfer) roles using ntdsutil, run:

:roles
:connections
:connect to server ad02.nazaudy.local
:quit
:seize schema master #for example; use "transfer schema master" instead if the current holder is still online
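The same query and move done with the AD module instead of netdom/ntdsutil. This is an added example, not code from the original post; it assumes RSAT-AD-PowerShell, and the DC and domain names are lab placeholders.

```powershell
# Added example (not from the original post): report all five FSMO role
# holders and move them with the AD module. Names are placeholders.

function Get-FsmoRoleHolders {
    param([string]$Domain = 'nazaudy.local')
    $forest = Get-ADForest -Identity $Domain
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $dom.PDCEmulator              # per domain
        RIDMaster            = $dom.RIDMaster                # per domain
        InfrastructureMaster = $dom.InfrastructureMaster     # per domain
    }
}

# Graceful transfer requires the current holder to be online. -Seize adds
# -Force, which is what ntdsutil "seize" does: only for a holder that is gone
# for good, because it must never come back online holding the same role.
function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        [switch]$Seize
    )
    # -OperationMasterRole also accepts the numbers 0..4 listed in the post.
    $params = @{ Identity = $TargetDC; OperationMasterRole = $Roles; Confirm = $false }
    if ($Seize) { $params.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @params
}

Get-FsmoRoleHolders | Format-List
# Move-FsmoRoles -TargetDC 'AD02'          # transfer all five roles
# Move-FsmoRoles -TargetDC 'AD02' -Seize   # seize, old holder must stay offline
```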

RODC is for locations that are not very secure, where the AD could be stolen or compromised, perfect for an unmanaged branch office. Watch out for the Allowed/Denied RODC Password Replication Groups, which control which groups will have their passwords cached by the RODC. Domain Admins and other superheroes must be members of the Denied group so that their passwords are never stored on an RODC. To get the user or computer accounts that have been authenticated by an RODC or that have passwords stored on the RODC, use this cmdlet:
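A check a defender would run against every RODC: what is actually cached on it, and are the privileged groups really in the Denied list. This is an added example, not code from the original post; it assumes RSAT-AD-PowerShell, and RODC01 is a placeholder name.

```powershell
# Added example (not from the original post): audit what an RODC caches and
# confirm that privileged groups are in its Denied list. 'RODC01' is a placeholder.

function Get-RodcPasswordExposure {
    param([Parameter(Mandatory)][string]$Rodc)

    # Accounts whose secrets are physically stored on the RODC (what a thief gets).
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    # Accounts that authenticated through this RODC (candidates for caching).
    $authd    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)

    # Groups whose members should never be cached at an untrusted site.
    $mustDeny = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    $missing  = $mustDeny | Where-Object { $_ -notin $denied.Name }

    [pscustomobject]@{
        RODC              = $Rodc
        RevealedCount     = $revealed.Count
        RevealedAccounts  = $revealed.SamAccountName
        AuthenticatedOnly = ($authd | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }).SamAccountName
        AllowedPrincipals = $allowed.Name
        DeniedPrincipals  = $denied.Name
        MissingFromDenied = $missing
    }
}

$report = Get-RodcPasswordExposure -Rodc 'RODC01'
$report | Format-List
if ($report.MissingFromDenied) {
    Write-Warning "Add to Denied RODC Password Replication Group: $($report.MissingFromDenied -join ', ')"
}
```

Denied always wins over Allowed, so an account that shows up under RevealedAccounts despite being in a denied group means the cache predates the policy change; resetting that account's password is the only way to invalidate the copy on the RODC.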


Cloning a DC; this is a new feature in Windows Server 2012 R2; to clone a DC proceed as follows:

  1. Add the source DC to the group "Cloneable Domain Controllers"
  2. Run the PS "Get-ADDCCloningExcludedApplicationList -GenerateXml" to find out which applications/services might be incompatible with the cloning. If you happen to find an incompatible application, do the following:
    1. Create an empty file named DCCloneConfig.xml
    2. Create a file named CustomDCCloneAllowList.xml that contains the information, in XML format, of the app to be excluded from the cloning
  3. Run the PS "New-ADDCCloneConfigFile -CloneComputerName AD01 -IPv4Address -IPv4SubnetMask -IPv4DefaultGateway -IPv4DNSResolver -Static" to create a config file that is stored in C:\Windows\NTDS
  4. The above will check that the PDC is up in the domain, and that it runs Windows Server 2012
  5. Finally, once the clone is completed, remove both machines (the source and the newly created one) from the AD group

Maintenance of AD; if a domain controller goes bust, you will need to clean up its metadata, using either dsa.msc or dssite.msc; to do it using ntdsutil run the following:

:metadata cleanup
:connections
:connect to server ad01.nazaudy.local
:quit
:select operation target
:list domains
:select domain 0
:list sites
:select site 0
:list servers in site
:select server 2
:quit
:remove selected server

Use the ldp.exe tool to restore a single deleted AD object by tombstone reanimation

Remember that ntdsutil snapshots are not backups, you cannot restore from them; they are used for diagnostic purposes. To restore an AD, reboot into Active Directory Restore Mode -ADRM- (F8 or, much better, run msconfig >> Boot >> and set the boot mode in there). A non-authoritative restore is useful when corruption or hardware failure has occurred, while an authoritative restore is for when you want the restored object to replicate out and override the live one. Once you have rebooted into AD Restore Mode, open cmd and run:

wbadmin get versions
#copy the version identifier listed to the clipboard

wbadmin start systemstaterecovery -version:xxxx

#After the restore, run ntdsutil to mark the restored objects authoritative, still in ADRM of course
:activate instance ntds
:authoritative restore
:restore subtree "OU=myDeletedOUChild,OU=myOtherDeletedOUParent,dc=nazaudy,dc=local"

Finally, run msconfig and untick the ADRM boot option

dsamain; allows you to view the contents of AD snapshots, it is the AD database mounting tool and gives you a way to compare data from different snapshots

dsmgmt; utility used to manage local administrators

repadmin; allows you to diagnose replication problems between DCs

adsiedit.msc; manage objects and attributes in AD

wbadmin; the backup utility

AD Recycle Bin; in any case, the recommended way of restoring objects in AD is to use the AD Recycle Bin, so we don't have to take AD offline, etc. To do this launch Server Manager >> AD Administrative Center >> highlight your domain and choose "Enable Recycle Bin". In order to use it, your forest functional level must be 2008 R2, and once the Recycle Bin is on... you can't turn it off, but come on, that's okay. To enable it using PS run the following:

Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target nazaudy.local
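Finding and restoring a deleted object from the Recycle Bin in PS. This is an added example, not code from the original post; it assumes RSAT-AD-PowerShell, forest functional level 2008 R2 or higher, and uses a placeholder user jdoe in nazaudy.local.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin once,
# then find and restore a deleted object without taking a DC offline.
# 'jdoe' and nazaudy.local are placeholders.

$Domain = 'nazaudy.local'

# Idempotent enable: the feature cannot be turned off again once it is on.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Domain -Confirm:$false
}

function Find-DeletedADObject {
    param([Parameter(Mandatory)][string]$NamePrefix)
    # Deleted objects are renamed "<name>\0ADEL:<guid>", so match on the prefix
    # and read the original RDN and parent from the last-known attributes.
    Get-ADObject -Filter "isDeleted -eq `$true -and Name -like '$NamePrefix*'" `
        -IncludeDeletedObjects `
        -Properties msDS-LastKnownRDN, LastKnownParent, whenChanged, ObjectClass |
        Select-Object ObjectGUID, ObjectClass, msDS-LastKnownRDN, LastKnownParent, whenChanged
}

function Restore-DeletedADObject {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Restore-ADObject puts the object back under LastKnownParent with its SID,
    # group memberships and attributes intact, unlike a tombstone reanimation.
    Restore-ADObject -Identity $ObjectGuid
    Get-ADObject -Identity $ObjectGuid
}

$candidates = @(Find-DeletedADObject -NamePrefix 'jdoe')
$candidates | Format-Table -AutoSize
if ($candidates.Count -eq 1) {
    Restore-DeletedADObject -ObjectGuid $candidates[0].ObjectGUID
}
```

If the parent OU was deleted as well, restore the parent first (Restore-ADObject fails when LastKnownParent no longer exists), then the children.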

Password Settings Object; the Default Domain GPO password policy applies to the whole domain, but if you want to be specific and have password policies for different users or groups, you can launch AD Administrative Center and configure a PSO:

The "Precedence" setting allows you to order the priority when more than one PSO applies, the lower the value the higher the priority (1 is the best); and whichever PSO you use will override the Domain one (unless of course you remove it, in which case the Domain setting will take over). Note that PSO can only be applied to a User or a Global Security Group, they cannot be applied to computers or OUs

To get the Password Policy setting for the domain, run:


Remember that Kerberos policies can only be applied at the domain level; any change in those requirements implies the creation of a child domain
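The PSO passage above in PS: read the domain default, create a stricter PSO for privileged accounts, bind it to a global security group, and check which policy a user actually ends up with. This is an added example, not code from the original post; it assumes RSAT-AD-PowerShell, and the PSO name PSO-PrivilegedAccounts and user jdoe are placeholders.

```powershell
# Added example (not from the original post): domain default vs. a stricter
# PSO, and the resultant policy for one user. Names are placeholders.

$Domain = 'nazaudy.local'

# What the Default Domain Policy currently enforces.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold, PasswordHistoryCount

# A PSO for admins: precedence 10 beats any PSO with a higher number.
# PSOs bind only to users or global security groups, never to OUs or computers.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-PrivilegedAccounts'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
        -Precedence 10 `
        -MinPasswordLength 20 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Resultant policy: $null means the domain default applies, otherwise the
# winning PSO (lowest precedence number) is returned.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { return $pso.Name } else { return 'Default Domain Policy' }
}
Get-EffectivePasswordPolicy -User 'jdoe'
```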

GPO stuff

The default processing order for GPOs is: Local > Site Policies > Domain Policies > OU Level > child OUs. The last writer always wins, so watch out for the "Link Order" when you apply more than one policy to an object: they are applied from bottom to top of that list, with the "Link Order" value 1 being the last one applied and therefore the winner

When you set "Block Inheritance" on an OU, no policies linked to parent OUs will be applied to that OU, as it blocks inheritance... unless the upper policy has the "Enforced" setting on, in which case... there is no way to deny your genes

#In GPO Management console, right-click OU > Group Policy Update
#From command prompt: gpupdate
gpupdate /force /target:computer #refreshes the GPOs for the computer
#From PS: Invoke-GPUpdate -Computer CLIENT1

To see whether the policies have been applied or not, use Resultant Set of Policy (rsop) or run:

gpresult /r /scope:computer #display result for the computer only
gpresult /r /scope:user

rsop.msc  #sees the results in a GUI

Use the entry "Group Policy Results Wizard" at the bottom of the GPO Mgmt console

GPO Loopback processing; intended for public places, laboratories and classrooms, it applies the user policy of the computer's OU (or merges it) no matter which user logs into the computer. You find this setting under Computer Configuration >> Policies >> Administrative Templates >> System >> Group Policy >> Configure user Group Policy loopback processing mode; when loopback is enabled in Merge mode, user settings from the computer's GPOs take precedence in GPO conflicts. Study the different settings under Administrative Templates >> System >> Group Policy, some of them are really interesting, for example if you have slow links in your network

  • To speed everything up on slow links, enable "Change Group Policy processing to run asynchronously when a slow network connection is detected"
  • To apply GPOs more frequently, modify "Set Group Policy refresh interval for computers"
  • GPO caching is enabled by default on clients (the policies there just allow you to customise the settings) but disabled by default on the server side; caching speeds up synchronous foreground processing, so for a period of 90 minutes the client will not download the GPOs from the domain but read them from the cache instead, unless they change of course

Use Security Filtering to apply the policy to specific users/groups, and to prevent a certain user or group from getting the policy applied, you can visit Delegation >> Advanced and deny them the access


WMI Filters; allow you to target GPOs based on the WMI (Windows Management Instrumentation) classes of OS properties or specific hardware

Get-WmiObject win32_operatingsystem | fl *
Get-WmiObject win32_computersystem | fl *  #shows WMI class info at hardware level

To create a WMI query use the syntax SELECT * FROM <class> WHERE <condition>; for example, to target laptops use "SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)", meaning that when the battery status is not zero (i.e. 1 or above) the machine is selected, in other words only laptops

Select * from Win32_LogicalDisk where FreeSpace > 10737418240 AND Caption = "C:"
#this WMI filter select the C:\ drive only if there is more than 10GB of free space

WMI Filters are different from Item-level targeting (ILT) in that a WMI Filter only filters one thing, or more than one thing as a group, while Item-level targeting can filter with the AND or OR operators, allowing you to construct specific queries
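A way to test WMI filter queries on a client before linking them, added here as an example and not part of the original post. It runs each WQL query exactly as the Group Policy engine does (a filter passes when the query returns at least one instance) and goes one step beyond the post by adding a server-OS filter on Win32_OperatingSystem.ProductType. It assumes only the built-in Get-WmiObject cmdlet.

```powershell
# Added example (not from the original post): evaluate WMI filter queries the
# way Group Policy does, so a typo in a filter is found before deployment.

function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($q in $Query) {
        $err = $null
        # Get-WmiObject -Query runs the same WQL the filter would run on the client.
        $hits = @(Get-WmiObject -Namespace $Namespace -ComputerName $ComputerName -Query $q `
                    -ErrorAction SilentlyContinue -ErrorVariable err)
        [pscustomobject]@{
            Computer = $ComputerName
            Query    = $q
            Matches  = $hits.Count
            Applies  = ($hits.Count -gt 0)   # GPO applies only when at least one instance is returned
            Error    = if ($err) { $err[0].Exception.Message } else { $null }
        }
    }
}

# The two filters from the post plus a server-only filter (ProductType 3 = server OS).
$filters = @(
    'SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)',
    'SELECT * FROM Win32_LogicalDisk WHERE FreeSpace > 10737418240 AND Caption = "C:"',
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3'
)
Test-GpoWmiFilter -Query $filters | Format-Table -AutoSize
```

The Error column matters: a filter that references a misspelled class or property does not match anything, so the GPO silently never applies, which is much harder to spot from gpresult than from this table.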

Start-up/Shutdown scripts; you can also use PS scripts, but in all scenarios ensure the Computer and/or Users have access to the resources, and of course that you place the .ps1 files in the right location of the GPO, which you can find by clicking on "Show Files"


When you install software through GPO, import any .admx (plus the associated .adml) files that might be available from the manufacturer: copy the "PolicyDefinitions" folder from C:\Windows\ to C:\Windows\SYSVOL\domain\Policies, then paste in there the .admx files from the given application; remember that the "PolicyDefinitions" folder must be manually created in the Policies folder of the SYSVOL, otherwise it won't work. The .adml (language) files go into the en-us folder, as explained here:

To filter a GPO and find the setting you are so desperately looking for, right-click Administrative Templates >> Filter Options and tick "Enable Keyword Filters" to customise your search, such a handy feature!


Backup GPOs to a folder; to back up GPOs open gpmc.msc >> right-click "Group Policy Objects" and select Back Up All, and note that the GUIDs in the backup repository are backup-related GUIDs, not the actual GUIDs of the GPOs. To do this in PS run:

Backup-GPO -All -Path \\backupserver.nazaudy.local\Storage\Backups

To restore a specific policy, right-click "Group Policy Objects" >> Manage backups >> pickup the policy you want to restore and start the wizard. Note that this backup process doesn't include the WMI filter, inheritances or delegations, just the GPO settings, so remember that when restoring
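Because Backup-GPO saves only the settings, a full backup also needs the pieces the post says are left out: links and inheritance, delegation (which is where Security Filtering lives) and the WMI filter association. This is an added example, not code from the original post; it assumes the GroupPolicy and ActiveDirectory modules, and the UNC path is the placeholder from the post.

```powershell
# Added example (not from the original post): back up all GPOs and save the
# metadata Backup-GPO does not include. Path and names are placeholders.

$BackupRoot = '\\backupserver.nazaudy.local\Storage\Backups'
$Dest       = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. The settings themselves. Backup IDs differ from GPO GUIDs, so keep an index.
Backup-GPO -All -Path $Dest |
    Select-Object DisplayName, GpoId, Id, Timestamp |
    Export-Csv (Join-Path $Dest 'backup-index.csv') -NoTypeInformation

$gpos = Get-GPO -All

# 2. Delegation per GPO (Security Filtering is just Apply permission here).
$gpos | ForEach-Object {
    $g = $_
    Get-GPPermission -Guid $g.Id -All | ForEach-Object {
        [pscustomobject]@{
            GPO = $g.DisplayName; Trustee = $_.Trustee.Name; TrusteeType = $_.Trustee.SidType
            Permission = $_.Permission; Denied = $_.Denied
        }
    }
} | Export-Csv (Join-Path $Dest 'delegation.csv') -NoTypeInformation

# 3. WMI filter association per GPO.
$gpos | Select-Object DisplayName, Id, @{ n = 'WmiFilter'; e = { $_.WmiFilter.Name } } |
    Export-Csv (Join-Path $Dest 'wmi-filters.csv') -NoTypeInformation

# 4. Links, link order, Enforced and Block Inheritance for the domain and every OU.
$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets | ForEach-Object {
    $t   = $_
    $inh = Get-GPInheritance -Target $t
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Target = $t; BlockInheritance = $inh.GpoInheritanceBlocked
            GPO = $link.DisplayName; Order = $link.Order; Enforced = $link.Enforced; Enabled = $link.Enabled
        }
    }
} | Export-Csv (Join-Path $Dest 'links.csv') -NoTypeInformation

# 5. A human-readable report of every GPO for diffing against a later backup.
Get-GPOReport -All -ReportType Html -Path (Join-Path $Dest 'all-gpos.html')
```

On restore, Restore-GPO (or Import-GPO with a migration table for another domain) brings the settings back; the CSVs tell you which links, permissions and WMI filter to re-apply by hand.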

Migrate GPOs to another domain; to do that, right-click 'Group Policy Objects" >> Open Migration Table Editor >> Tools >> Populate from GPO and select the policy that you want to migrate, then select the destination of the DC that you want

Delegation gives others the power to change and modify the delegated OU (remember that you can only delegate control to an OU); just refer to the "Delegation" tab and add the relevant group/user you want to be able to modify that policy

Best practices: Use the Default Domain Policy only for the Account policies (account lockout, kerberos, etc) and use the Default Domain Controllers Policy for user rights and auditing; outside of that, please create your own GPO. In any case, if these Default policies are corrupted, etc, run this command to set them to their original settings:

dcgpofix /target:dc
dcgpofix /target:domain
dcgpofix /target:both #that will reset both, probably the best one!

Group Policy Preferences; GPP are client-side extensions that pre-configure preferences for computers and users, which can be overridden by the user and provide a starting point for the configuration, perfect for mapping drives ('Update' is the most flexible action, it creates the mapping if it doesn't exist). Item-level targeting allows you to specify and filter in great detail how the setting will apply, so you can configure a GPO called "Drive Mapping" at the domain level and item-target each mapping according to group membership

PKI Infrastructure; certificates add a layer of protection, and you can use GPOs to manage all of that. Enable Certificate Auto-Enrolment by visiting Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies and editing the option "Certificate Services Client - Auto-Enrolment"


DNS stuff

DNS is defined in RFC 1034 and 1035; the distributed database is thought of as an "inverted tree", that's why the root (.) is at the top and from there the branches develop downwards through the TLDs, Top Level Domains like .com, .net, .org, etc. Only 13 root name servers are responsible for delegating TLDs. These are the types of DNS queries you could have:

  • Iterative queries; the DNS server receives a query, and it responds with the best information it possesses at the time
  • Recursive queries; the DNS server receives a request and takes full responsibility for resolving the name; if it has the information it replies immediately, but if it doesn't it will follow referrals to other DNS servers until it finds the information needed
  • Inverse queries; instead of supplying a name and asking for an IP address, in this query the client provides the IP address and asks for the name. It uses the domain to resolve this query, where IP addresses are listed left to right given the fact that they are most specific from left to right

Set a low TTL only when you need to respond quickly to a changing environment; a high TTL (let's say once a week) means that if you make a change in a DNS record the clients might not see the change for up to a week. Therefore, use always a TTL that is appropriate for your environment

A secondary zone gets its database from a primary zone; they are used for load balancing and provide fault tolerance. Stub Zones are similar to Secondary Zones (they are non-editable copies of a primary zone) but differ in that they only contain the information, usually 3 record types (NS, SOA and A records), needed to identify the authoritative DNS servers for the zone. Stub Zones are used when companies merge or to connect 2 x domains across a slow link; they are NOT for redundancy or load balancing, their only advantage is that you basically contact the authoritative server directly for DNS queries, rather than going all the way up to the root servers and then down

In the Zone Transfers tab of DNS you have the "Notify..." button; add the IPs of whichever secondary DNS servers you want to push data to whenever there is a change in your DNS

In DNS console go to View >> Advanced, and then you can set a record stamp on every A record that you want to delete after it becomes stale

Background Zone Loading; when an AD-integrated DNS server restarts, the AD zone data populates the database in the background, allowing DNS to serve clients almost immediately after the restart while the zone is still being loaded

  • RODC; read-only domain controllers used for sites where security is a concern
  • DNS Socket Pools; allow source port randomisation to protect against DNS cache-poisoning attacks
  • DNS Cache Locking; keeps cached DNS records safe for the duration of the TTL value, meaning cached DNS records cannot be overwritten or changed, making the cache more resistant to poisoning. The locking configuration is a percentage value: for example, if you set cache locking to 50% then the records will be locked for half of their TTL
  • DNS Security Extensions; the DNSSEC protocol allows your DNS servers to be secured by validating DNS responses; a zone signed with DNSSEC gets all of its DNS resource records marked with a digital signature
  • Trust Anchors; they are preconfigured public keys linked to a DNS zone that allow DNS servers to validate the DNSKEY resource records. If the server is not AD integrated, the trust anchors are stored in trustanchors.dns; to view them run the PS: Get-DnsServerTrustAnchor yourdomain.local
  • DNS Devolution removes the leftmost label of the namespace, allowing a client of a child domain to query the parent domain natively
  • Netmask Ordering; as you know, with Round Robin client A is given answer A, client B answer B, then client C answer A again, thus providing load balancing. With netmask ordering (which is part of the round robin process), the server detects the netmask of the querying client and prefers answers on the same subnet
  • DNSUpdateProxy group; create a user account to run the DHCP server, then add that account to the DNSUpdateProxy group in AD; this will ensure that DHCP securely updates DNS

Note that the trailing dot (.) at the end of a CNAME means the root domain, e.g., ad01.nazaudy.local.

DNS Caching-Only Server; they are not authoritative for any domain, and the information they contain is limited to what has been cached while resolving queries; they are configured simply by populating the root servers under the Root Hints tab in DNS

DNS delegation; is when you divide your zone, for example from nazaudy.local you decide to have london.nazaudy.local, chicago.nazaudy.local and malaga.nazaudy.local, and delegate each of these zones to an authoritative DNS server at that location

DNS Forwarding; it can either be external, where the query is sent to the Root Hints, or conditional forwarding, where the query is sent to another DNS server (for example your internet provider DNS) for resolving

Troubleshooting; use the good old nslookup to troubleshoot; DNSLint is a utility that you need to download from Microsoft, it verifies DNS records and generates a report in HTML, e.g. dnslint /d nazaudy.local. DNScmd is a powerful tool that allows you to display and change the properties of DNS servers, zones and resource records, as well as forcing replication between two servers

If you need to replicate to BIND Unix servers, tick the option "Enable BIND Secondaries" under the Advanced tab of the DNS server

For scavenging to operate, it must be enabled both at the server and at the zone level
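An audit of the DNS hardening settings covered above (cache locking, socket pool, trust anchors) together with the server-plus-zone scavenging requirement. This is an added example, not code from the original post; it assumes the DnsServer module (RSAT-DNS-Server), and the server and zone names are placeholders.

```powershell
# Added example (not from the original post): report the DNS hardening settings
# on a Windows DNS server and raise the weak ones to a sane baseline.

function Get-DnsHardeningReport {
    param([string]$Server = 'AD01', [Parameter(Mandatory)][string]$Zone)

    $cache   = Get-DnsServerCache      -ComputerName $Server
    $setting = Get-DnsServerSetting    -ComputerName $Server -All
    $scav    = Get-DnsServerScavenging -ComputerName $Server
    $aging   = Get-DnsServerZoneAging  -ComputerName $Server -Name $Zone
    $anchors = @(Get-DnsServerTrustAnchor -ComputerName $Server -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Server              = $Server
        Zone                = $Zone
        CacheLockingPercent = $cache.LockingPercent     # 100 = cached records untouchable for their whole TTL
        SocketPoolSize      = $setting.SocketPoolSize   # number of random source ports; 0 would disable randomisation
        ServerScavenging    = $scav.ScavengingState     # must be on here AND on the zone
        ScavengingInterval  = $scav.ScavengingInterval
        ZoneAging           = $aging.AgingEnabled
        TrustAnchorCount    = $anchors.Count
    }
}

function Set-DnsHardeningBaseline {
    param([string]$Server = 'AD01', [Parameter(Mandatory)][string]$Zone)
    # Full-TTL cache locking.
    Set-DnsServerCache -ComputerName $Server -LockingPercent 100
    # Scavenging at both levels; 7-day intervals match a typical DHCP lease cycle (assumed values).
    Set-DnsServerScavenging -ComputerName $Server -ScavengingState $true -ScavengingInterval '7.00:00:00'
    Set-DnsServerZoneAging  -ComputerName $Server -Name $Zone -Aging $true `
        -NoRefreshInterval '7.00:00:00' -RefreshInterval '7.00:00:00'
}

$before = Get-DnsHardeningReport -Server 'AD01' -Zone 'nazaudy.local'
$before | Format-List
if ($before.CacheLockingPercent -lt 100 -or -not $before.ServerScavenging -or -not $before.ZoneAging) {
    Set-DnsHardeningBaseline -Server 'AD01' -Zone 'nazaudy.local'
    Get-DnsHardeningReport -Server 'AD01' -Zone 'nazaudy.local' | Format-List
}
```

Leave the socket pool size at its default unless a firewall forces you to narrow it; the report only surfaces it so that a value of 0 (randomisation off) is noticed.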


WDS stuff

To install Windows Deployment Services (WDS) using PS, execute the following (not required, but it is recommended to reboot after installation):

Get-WindowsFeature WDS*   #shows you what is already installed
Install-WindowsFeature WDS -IncludeAllSubFeature -IncludeManagementTools
Get-Command -Module WDS   #shows you all the commands you can use with WDS

  1. After installation, insert a Windows 7 ISO in the WDS server, then choose WDS > Boot Images > and add the /sources/boot.wim from the Windows 7 DVD
  2. Copy the "install.esd" file from sources and paste it locally on your machine into a folder called "WIN10_ISO", then convert it from the compressed ESD format to the WIM format by running: dism /Export-Image /SourceImageFile:D:\Win10_ISO\install.esd /SourceIndex:9 /DestinationImageFile:D:\Win10_ISO\install.wim /Compress:Max /CheckIntegrity
  3. Under "Install Images" add a group called Windows 10 (groups are used as a security boundary), then Add Install Image and add the *.wim file that you have just converted. In the previous extraction we selected SourceIndex:9, but if you want to see how many images are actually included in the ESD file, run dism /Get-WimInfo /WimFile:D:\Win10_ISO\x64\Sources\install.esd
  4. If you right-click a Boot Image you can create 2 x types of images from it:
    1. Capture Image; boot from this image to capture the state of the client and create an image from it with the needed apps, settings, etc
    2. Discover Image; used in secure environments, you boot from this image and it will only communicate with the specified WDS, DHCP, etc
  5. On your DHCP server, configure option 66 (WDS server name) and option 67 (boot image name) for your scope
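The WDS steps above done in PS rather than in the console. This is an added example, not code from the original post; it assumes the WDS, DISM and DhcpServer modules are present on the WDS server, and the paths, the image group name, the WDS FQDN and the DHCP scope are placeholders.

```powershell
# Added example (not from the original post): import boot and install images
# into WDS and point the DHCP scope at it. Paths and names are placeholders.

$EsdPath = 'D:\Win10_ISO\install.esd'
$WimPath = 'D:\Win10_ISO\install.wim'
$BootWim = 'E:\sources\boot.wim'          # boot.wim from the mounted Windows DVD (assumed drive E:)
$Group   = 'Windows 10'
$WdsFqdn = 'wds.nazaudy.local'
$ScopeId = '192.168.0.0'

# Which editions does the ESD contain? Pick the index you actually want to deploy
# instead of assuming index 9 as in the post.
Get-WindowsImage -ImagePath $EsdPath | Select-Object ImageIndex, ImageName
$Index = 9

# ESD -> WIM; PowerShell equivalent of dism /Export-Image ... /Compress:Max /CheckIntegrity
Export-WindowsImage -SourceImagePath $EsdPath -SourceIndex $Index `
    -DestinationImagePath $WimPath -CompressionType max -CheckIntegrity

# Boot image first, then the image group (the security boundary) and the install image.
Import-WdsBootImage -Path $BootWim -NewImageName 'Windows Setup (x64)'
if (-not (Get-WdsInstallImageGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-WdsInstallImageGroup -Name $Group | Out-Null
}
Import-WdsInstallImage -Path $WimPath -ImageGroup $Group

# DHCP options 66/67 so PXE clients find the WDS server and its boot program.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66 -Value $WdsFqdn
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 67 -Value 'boot\x64\wdsnbp.com'
```

Restrict who can read the image group (right-click the group >> Security) once it is created: an install image is a full OS that anyone able to PXE-boot on that segment can pull, so the group really is the security boundary the post calls it.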


WSUS stuff

To configure Windows Server Update Services (WSUS) you must have local admin rights. WSUS (as well as Windows Update) ensures that every update is digitally signed by Microsoft; if it is not, it is discarded, which prevents tampered updates from being installed. Gosh, just imagine if a trojan were distributed through Windows Update, billions of PCs infected in just a few hours!

To configure Automatic Updates through the registry, instead of GPO, visit: HKLM >> Software >> Policies >> Microsoft >> Windows >> WindowsUpdate >> AU; then specify the following:

  • UseWUServer ; 1 means you'll provide yours, 0 uses the public Microsoft Update Server
  • WUServer; enter the URL of your WSUS, for example http://myWUS (note it is http, not https)

To install WSUS using PS, do as follows:

Get-WindowsFeature UpdateServices*   #shows you what is already installed
Install-WindowsFeature UpdateServices,UpdateServices-DB -IncludeManagementTools
Get-Command -Module UpdateServices #shows you all the commands you can use with WSUS

Out of the box, the Reports section of WSUS does not work. You'll need to download Microsoft Report Viewer 2008 SP1, which in turn requires that you go to Manage >> Add Roles and Features and add .NET Framework 3.5, which will require you to insert the Windows 2012 R2 DVD and point to it as the source D:\sources\sxs... Honestly, I really don't know why M$ hasn't included the 3.5 Framework in the local copy of the OS, like many of the other features

On the WSUS console visit Options >> Computers, and to start registering clients set:

  • Use the Update Services console; known as server-side targeting where you create groups manually and drag computer accordingly
  • Use Group Policy or registry settings on computers; that's the way to do it really

Edit the Domain GPO >> Computer >> Policies >> Administrative Templates >> Windows Update >> and set:

  • Specify intranet Microsoft update service location: Enabled, set both detection and statistics to http://mywsus.nazaudy.local:8530
  • Configure Automatic Updates: Enabled, 4 - Auto download and schedule the install, every day at 6pm; I recommend disabling "Install during automatic maintenance"
  • Automatic Update detection frequency: Enabled, set it to 3 hours so that machines check WSUS for updates at that interval

Now edit the GPO of the OUs where you have your computers and set "Enable client-side targeting" to whichever group you want the machines to be in on WSUS, else they'll go into Unassigned Computers. Run gpupdate /force /target:computer on the affected machines. Then run the Windows Update Auto-Update Client, wuauclt /detectnow followed by wuauclt /reportnow, on the clients and they will check in with WSUS and register if needed


Remote Access stuff

As part of VPNs we have the following protocols:

  • PPTP Tunnelling; pretty straightforward, it encapsulates packets using the "Encapsulation Primer" method and then encrypts them using MPPE (Microsoft Point-to-Point Encryption). The encryption keys are generated dynamically for each connection
  • L2TP/IPsec Tunnelling; more flexible than PPTP but also more complicated. L2TP uses port 1701 and doesn't offer any security itself, but its traffic is then encrypted by IPsec, using ISAKMP, which does provide security
  • SSTP Tunnelling; Secure Socket Tunnelling Protocol uses port 443, https

Web Application Proxy (WAP); allows users to access internal applications from outside the network using BYOD. There are basically 2 ways of authentication, and in both cases ADFS (AD Federation Services) is a requirement

  • ADFS Authentication; provides SSO (Single Sign-On), multi-factor authentication and Workplace Join
  • Pass-through Authentication; the user is authenticated to the application it is going to access, not through AD

To configure a certificate for ADFS, follow this amazing guide: 

If you cannot complete the AD FS Web Application Configuration Wizard, go through this document: and/or

Normally the Web Application Proxy server is placed in the DMZ (therefore not AD-joined), also notice that the path for both the external link application and the internal one must obviously be the same

Direct Access; is an always-on VPN. In comparison, and from the point of view of the user, Direct Access is much better than VPN, though from the admin's point of view it is a lot more difficult to configure. It requires IPsec, IPv6 and a Public Key Infrastructure; Windows Firewall must be enabled on all devices, and for the communication between the client (IPv4) and the server (IPv6) an IPv6-over-IPv4 tunnel is created using either 6to4 or Teredo

Direct Access Server; needs to be "multihomed", with 2 x nics one internal and the other for the Internet; it also needs to be domain-joined for the GPOs to be applied, that's a requirement

Being an IPv6 technology, Direct Access uses IP-HTTPS. The Network Location Server allows the client to determine whether they are inside or outside the network, and by the way the clients needs to be "Enterprise" edition of Windows 10

Extensible Authentication Protocol; EAP doesn't provide any authentication itself, instead it relies on external third-party authentication method including smart cards, secure access tokens, ordinary passwords, etc; each authentication schema is called "EAP Type", and each EAP type is implemented as a plug-in module; EAP-TLS is the strongest authentication that you can use. Only servers running Network Policy Server (NPS)

Conditions determine whether the policy is applied to a connection, while Constraints are evaluated after a policy has already been matched to a connection. The certificate for the NPS server is never placed on the client machines, it is only installed in the Personal store under Certificates (Local Computer) on the NPS server itself; what the clients need to have is the certificate of the trusted root that issued the NPS certificate, in their Trusted Root Certification Authorities store

Network Access Protection (NAP); has been deprecated in Windows Server 2016, and what it does is check the computer for antivirus updates, health, etc, before admitting the remote computer to the network. Unhealthy clients go into a remediation network, and auto-remediation fixes some problems, for example starting the Windows Update service if it is stopped. Before connecting, NAP-enabled clients need to have the service "Network Access Protection Agent" started, then run "napclcfg.msc" and enable the connection type you'd be using; lastly enable "enforce network access protection" on the VPN connection settings. To ensure clients can discover the HRA (Health Registration Authority) server add an SRV record for it in DNS, create a GPO that modifies the Request Policy setting for the NAP client and set EnableDiscovery = 1 for the clients under HKLM >> SOFTWARE >> Policies >> Microsoft >> NetworkAccessProtection >> ClientConfig >> Enroll >> HcsGroups

When creating network policies, the listed conditions are used for the following purposes:

  • Day and Time Restrictions
  • Authentication Method; CHAP, EAP, MS-CHAP and MS-CHAP v2
  • Tunnel Type; either PPTP or L2TP
  • Service Type; RADIUS service type, specifies either framed (PPP) or login (such as Telnet)
  • MS-Service Class; defines a DHCP scope from which the computer must have received an IP address
  • Location Group; specifies a Health Credential Authorisation Protocol (HCAP) location group
  • Allowed EAP Type; specifies which EAP type is used, such as EAP-TLS
  • NAS Port Type; specifies the type of media used to connect (ISDN, tunnel, VPN, 802.11, etc)


File Server Resource Manager (FSRM) stuff

To install FSRM using PS, execute:

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools


BitLocker Drive Encryption stuff

It uses the Trusted Platform Module (TPM) chip, version 1.2 or newer, to store the security key; if you don't have a TPM chip on your mobo (must be an old mobo!) you can store the security key on a USB stick, which will be needed every time the system reboots. The BitLocker version of Windows 7 had to encrypt the whole drive, while the new version for Windows 10 can encrypt only the used space, thus making the encryption process a lot faster. Network Unlock allows an administrator to unlock an encrypted hard drive during the boot process while the device is connected to a trusted environment. Although it does not need to be configured, the WDS role must be installed for Network Unlock to be installed too. Full Disk Encryption (FDE) encrypts block by block, offering much better encryption but slowing the HDD down a bit

The BitLocker installation requires two reboots of the server; to install it using PS run:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

When using EFS (Encrypting File System) you can use the cipher.exe command line to manage the files. If your machine does not have a TPM chip, use these GPOs to configure BitLocker:

  • Default Domain > Computer Config > Admin Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup: Enable
  • Default Domain > Computer Config > Admin Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected OS drives can be recovered: Enable
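The TPM-or-USB choice and the used-space-only encryption described above, done from PowerShell, as an added example that is not part of the original article. It assumes a domain-joined machine, E:\ as the removable drive for the startup key, and that the two GPOs listed above are already applied.

```powershell
# Added example, not from the article. Encrypt the OS drive with a TPM protector when a
# TPM is present, otherwise with a USB startup key; always escrow a recovery password in AD.
$mount   = 'C:'
$usbPath = 'E:\'   # assumption: removable drive that will hold the startup key

$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM 1.2+ holds the key; the machine boots unattended
    Enable-BitLocker -MountPoint $mount -EncryptionMethod Aes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} else {
    # No TPM: relies on the "Require additional authentication at startup" GPO allowing
    # BitLocker without a compatible TPM; the USB key is required at every boot
    Enable-BitLocker -MountPoint $mount -EncryptionMethod Aes256 `
        -UsedSpaceOnly -StartupKeyProtector -StartupKeyPath $usbPath -SkipHardwareTest
}

# Recovery password as a second protector, backed up to AD DS (the "Choose how
# BitLocker-protected OS drives can be recovered" GPO must permit AD backup)
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $mount
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId

# Verify: which protectors exist and how far used-space-only encryption has progressed
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```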

Network Unlock has lots of requirements like PKI infrastructure, DHCP and WDS


Distributed File System (DFS) stuff

The 3 main tasks you have to do after the server roles and role services are installed are:

  1. Create a Namespace
  2. Share and publish the folders
  3. Create a Topology for the replication

To use DFS install the roles "DFS Namespaces" (it gives you the virtual tree) and "DFS Replication". Some of the advantages of using DFS are:

  • Simplified Data Migration; because users don't need to know the physical location of the data, it can be moved from server to server by admins
  • Security Integration; all access is ruled by NTFS permissions
  • Access-Based Enumeration (ABE); DFS can display only the files users have access to, and hide the rest

Some PS commands that you can use with DFS are these:

Get-WindowsFeature FS-DFS*
Install-WindowsFeature FS-DFS-Namespace -IncludeManagementTools
Get-Command -Module DFS*
Invoke-Command -ComputerName SRV01,SRV02 -Command {Install-WindowsFeature FS-DFS-Replication}
Invoke-Command -ComputerName SRV01,SRV02 -Command {Install-WindowsFeature FS-DFS-Namespace}

When configuring replication you might want to turn off the synchronisation protocol "Use remote differential compression (RDC)" if the servers affected are on the same network segment. You must have this setting on if the connection between the servers is slow


Watch out for the quota of the "Staging" folder, it needs to be big enough to replicate the files on your DFS Name infrastructure, visit Event Viewer >> Application & Services >> DFS Replication for any errors in the logs. It is recommended to put the "Staging" folder and the actual replicated folder on different drives. For initial replication, remember that Robocopy is far more efficient than the replication protocol

A new feature of Server 2012 R2 is the ability to clone a DFS database to another server instead of waiting for DFS replication to complete; to do so follow these steps:

  1. Create a replication group and a replicated folder [New-DfsReplicationGroup -GroupName "REP01"] [New-DfsReplicatedFolder -GroupName "REP01" -FolderName "FOLDER1"]
  2. Add the upstream server as a member of the DFS topology, i.e. a member of the group and folder
  3. Run Update-DfsrConfigurationFromAD to update the DFSR AD domain configuration on the upstream server
  4. Wait for replication to complete; you'll know it is completed when Event ID 4112 shows up in the DFS Replication event log
  5. On the upstream server, export the cloned database by using the Export-DfsrClone cmdlet. The export is completed when you see event ID 2402
  6. Use Robocopy to preseed the files
  7. After that, use robocopy.exe to copy the files to the destination server
  8. And finally, import the cloned database into the destination server
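The eight steps above as one PowerShell session, added here as an example that is not part of the original article. Server names, group and folder names, content path and export path are assumptions, and DFS Replication is assumed to be installed on both servers.

```powershell
# Added example, not from the article: DFSR database cloning end to end.
# All names and paths below are assumed values for a lab.
$group      = 'REP01'
$folder     = 'FOLDER1'
$upstream   = 'SRV01'
$downstream = 'SRV02'
$path       = 'D:\Data\FOLDER1'   # replicated content path on both members
$export     = 'D:\DfsrClone'      # where the exported database lands

# 1-2. Replication group, replicated folder, upstream member (primary for initial sync)
New-DfsReplicationGroup -GroupName $group
New-DfsReplicatedFolder -GroupName $group -FolderName $folder
Add-DfsrMember -GroupName $group -ComputerName $upstream
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $upstream `
    -ContentPath $path -PrimaryMember $true -Force

# 3. Push the AD configuration to the upstream server instead of waiting for polling
Update-DfsrConfigurationFromAD -ComputerName $upstream

# 4. Wait for event 4112 (replicated folder initialised) in the DFS Replication log
do {
    Start-Sleep -Seconds 30
    $ev = Get-WinEvent -ComputerName $upstream -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4112 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
} until ($ev)

# 5. Export the database; event 2402 in the same log signals completion
Export-DfsrClone -ComputerName $upstream -Volume 'D:' -Path $export -Validation Basic

# 6-7. Preseed the content, then copy the exported clone to the destination server
robocopy $path "\\$downstream\D$\Data\$folder" /E /B /COPYALL /R:6 /W:5 /MT:16 /XD DfsrPrivate /TEE /LOG:preseed.log
robocopy $export "\\$downstream\D$\DfsrClone" /B

# 8. Import on the destination, then make it a member and connect it to the upstream server
Import-DfsrClone -ComputerName $downstream -Volume 'D:' -Path 'D:\DfsrClone'
Add-DfsrMember -GroupName $group -ComputerName $downstream
Set-DfsrMembership -GroupName $group -FolderName $folder -ComputerName $downstream -ContentPath $path -Force
Add-DfsrConnection -GroupName $group -SourceComputerName $upstream -DestinationComputerName $downstream
Update-DfsrConfigurationFromAD -ComputerName $upstream, $downstream
```

The destination server must not yet be a member of the group when the import runs, which is why it is added only after Import-DfsrClone.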

A new feature of Windows Server 2012 R2 is the ability to restore files from the "ConflictAndDeleted" and "PreExisting" folders by using the cmdlet Get-DfsrPreservedFiles

The prefetch folder is a folder that Windows uses to store program loading data to shorten the amount of time it takes to start programs by minimising disk head movements

Performance Monitor stuff

Open Server Manager >> Tools >> and there you'll see both Performance Monitor and Resource Manager

Registry changes happen without the need to reboot. Make only one change at a time, otherwise (if you make too many changes) you'll never know which of those changes had the positive impact; in addition, making one change at a time allows you to roll back if needed. The System Stability Index of Performance Monitor goes from a value of 1 (least stable) up to 10 (most stable). These are some of the tools included with Performance Monitor:

  • Data Collector Sets; define where the logs are stored, the credentials to run the set and when the logs are run
  • Other tools you can use are Network Monitor, Task Manager and Event Viewer. The different tabs of Task Manager are Processes (see memory and CPU allocation), Performance (see graphs), Users (disconnect and message them), Details (stop applications and set affinity level) and Services (stop and start; you can also open services.msc from there)
  • The Subscriptions section of Event Viewer allows you to receive alerts about events that you predefine. Custom Views is a great way of creating a view of the logs that you're interested in
  • SNMP; install SNMP from Roles and Features, then configure the service using "services.msc"
  • The good old Microsoft Baseline Security Analyser (MBSA) can still be downloaded; run a scan when you open the app to check for vulnerabilities:

mbsacli.exe /hf -h AD01  #scans machine AD01 for vulnerabilities
mbsacli.exe /hf -i 192.168.0.x   #scans machine with that IP address


Auditing stuff

Use the settings of GPO Policies >> Windows Settings >> Security Settings >> Audit Policy; the "auditpol.exe" command can be used to back up, restore and set audit policies. Refer to my other article for a deep dive on Account Audit Policies

Expression-Based Audit Policies are used with Dynamic Access Control to allow admins to track all read/write operations on files that are considered critical. When using Advanced Audit Policy Configuration, ensure that those settings are not overridden by the basic audit policy configuration
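The auditpol.exe back-up/set/verify workflow and the "not overridden by basic policy" check, as an added example that is not from the original article. The backup path is an assumption; the override check reads the registry value that the "Audit: Force audit policy subcategory settings to override audit policy category settings" security option controls.

```powershell
# Added example, not from the article: manage file-system auditing with auditpol.exe
# and confirm the advanced (subcategory) settings cannot be clobbered by basic policy.
$backup = "C:\AuditBackup\auditpol-$(Get-Date -Format yyyyMMdd).csv"   # assumed path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# 1. Back up the current effective policy first (undo with: auditpol /restore /file:<path>)
auditpol.exe /backup /file:$backup

# 2. Enable the Object Access > File System subcategory that expression-based
#    (Dynamic Access Control) auditing of critical files relies on
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 3. Verify the effective setting
auditpol.exe /get /subcategory:"File System"

# 4. Advanced subcategory settings only survive if the basic category policy is told
#    not to overwrite them: SCENoApplyLegacyAuditPolicy = 1 under the Lsa key
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'Advanced (subcategory) audit settings take precedence over basic audit policy'
} else {
    Write-Warning 'Basic audit policy may overwrite the advanced subcategories; enable the override security option via GPO'
}

# 5. Sanity check: latest file-access audit events (4663 = an attempt was made to access an object)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Object'; e = { $_.Properties[6].Value } }
```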


London, 9 April 2020
