Nazaudy, a spark in your curious mind

Lab Setup for Microsoft Exam 70-643

This lab setup for Microsoft Exam 70-643 Applications Infrastructure, Configuring will test you in the following topics of the Windows Server 2008 R2 Operating System:

  1. Deploying Server (28%) [Windows Deployment Services, Windows Activation, Hyper-V, High Availability]
  2. Configuring Remote Desktop Services (26%) [Session Host, RD Gateway, RD Web, Connection Broker, etc.]
  3. Configuring Web Services Infrastructure (25%) [IIS, FTP, SMTP, SSL, authentication and authorization]
  4. Configuring Network Application Services (21%) [Media Services, Digital Right Management, SharePoint e-mail]

How do you prepare your environment for this exam? How many VMs do you need to setup in order to have a practical out-of-production-servers hands-on? Well, Microsoft doesn't tell and I'm no one to tell you what to do, but on the sections below I show you how I've done it

For Failover Clustering and SharePoint, please visit this other related page: Exam 70-643; Failover Clustering

 

Step 1: Create your Forest Root Domain Controller (FRDC) + Hyper-V tips

1.- Launch the wizard on Hyper-V Manager to create a new Hard Drive, and create a differencing disk called "DC01" based on the "ParentGUI" hard disk

 Parent hard disk

2.- Create a VM called "DC01" using the differencing disk that we have just created:

Hyper-V hard disk for Lab Setup for Microsoft Exam 70-643

3.- Once you have the VM running, set and IP address according to the section Table of IP addresses found below, then add the role "Active Directory Domain Services", run dcpromo.exe to create a domain called ms643.internal and also install the role "Active Directory Certificate Services (Certification Authority)" and configure the DHCP service with a scope of, let's say 10.10.10.100 to 120 all on \24. These are the roles and features that should be on your Domain Controller before proceeding:

Server Manager

4.-Now locally logon to your 70-643 Hyper-V and add the server to the Domain, this is to ensure we can manage the Hyper-V (it will let us authenticate properly) from within the domain we have just created. Ensure the DNS setting of the Hyper-V server is pointing to our DC, otherwise the Hyper-V will not be able to find it. And also, configure the DC now to always start-up whenever the Hyper-V starts:

  1. Ensure the "vds" service is started on the Hyper-V
  2. Then, on both servers (DC and Hyper-V) run this command: netsh advfirewall firewall set rule group=”Remote Volume Management” new enable=yes This will enable you to access the Hyper-V Disk Management from the DC
  3. On the DC, install the feature "Remote Server Administrative Tools > Hyper-V" so you get access to the Hyper-V manager

5. And finally, edit the Default Domain Policy and apply the settings recommended here: http://www.nazaudy.com/Technology/VMware50/10-DC-on-vSphere.html

 

Stuff you can do to learn Hyper-V:

  • Create a parent disk and then a differencing disk from it, then create VMs based on the differencing disks and then rename/delete the parent disk, how do you fix it? ;-)
  • Export a VM and then import it on another host, with or without a snapshot taken?
  • Add the feature Desktop Experience. Change the desktop background of a VM as you create snapshots of it, can you go up and down the snapshots?

Stuff that is good to know about Hyper-V:

The tool "Inspect Disk" is purely informative; the tool "Edit disk" allows you to compact, convert (from dynamically to fixed, the other way around you can't), expand or (applicable only to differencing disk) merge (to a parent or to a new one) and reconnect

Wizards: during the "New > Virtual Machine..." you can only create a dynamically expanded disk, while during the "New > Hard Disk..." you can create a fixed, dynamically or differencing disk, with the option (applicable only to fixed and dynamically disks) of copying the contents of a physical disk to the virtual disk to are about to create

Single-Sign-On (SSO); to pass your local credentials to your Remote Desktop Server enable the GP entry in Computer Configuration > Administrative Templates > System > Credentials Delegation

Dynamic Memory Allocation, which balances memory among VMs on the Hyper-V, is only supported on Windows Server 2008 R2 with Service Pack 1 (SP1).

To install Hyper-V on a core server (remember that Microsoft is depreciating the ocsetup.exe command):

  • start /w ocsetup.exe Microsoft-Hyper-V (work on Windows Server 2008 and 2008 R2)
  • dism /online /enable-feature /featurename:Microsoft-Hyper-V (only works on 2008 R2)

Other commands that are useful to know in relation to Server Core: dism /online /enable-feature:Multipathlo [enable the Microsoft Multipath for attached mass storage)

 

Stuff that is good to know about Windows Storage:

First of all, create a new VM called "RAID" and install an OS from the WDS on it, then add a few virtual hard drives to it and deep learn the commands associated with creating, deleting and modifying the hard drives; use the utility diskpart to do the following:

  • Convert basic disk to dynamic, and partitions to volumes
  • Create a delete simple, striped, spanned, mirrored and raid-5 volumes
  • Remove or break remove, extend volume and repair raid

Basic disks are divided into partitions while dynamic disks are divided into volumes, a volume can be on more than one partition; a LUN is similar to a volume in that it is a logical representation of a disk drive which is a part of a storage array;

Also, don't forget about the other utility associated to RAIDs, diskraid, get to know it too!

MBR partition tables only support up to 2TB hard drives; Windows Server 2008 R2 cannot boot from a GPT partition unless it is based on the Extensible Firmware Interface (EFI)

Okay, let's have a quick look at the type of disk configurations most commonly used. For a good insight of the types of RAID I recommend a great article at Lascon Storage: http://www.lascon.co.uk/hwd-raid.php

  • RAID-0 (single striped set) is where data is divided into blocks that are disturbed sequentially across all the drives in the set (maximum of 32 disks), very fast read and write performance (no parity involved) but hey, no fault tolerance
  • RAID-1: (disk mirror), the only way in which an OS partition can be protected; performance is good but, hey, it cost as you are virtually not using one whole drive until failure occurs
  • RAID-5; (disk striping with parity) faster to read but slower to write (good-out, bad-in), good for databases
  • RAID 0+1; this are two stripes that are mirrored
  • RAID 10: one stripe of two mirrors
  • RAID 6: parity that supports 2 hard drives failures

Mount Points surpass the limitation of 26 drive letters, by mounting a volume into an empty folder; this is an added security if you don't want anybody to access that mounted drive by a letter (would be hidden under My Computer)

Microsoft Drive Specific Module (DSM) is a driver that communicates with storage devices such as iSCSI, Fibre Channel or SAS

Microsoft built-in iSCSI initiator has a CPU overhead associated, and obviously is not recommended on production environments, but hey, but a charm for testing!

The purpose of iSNS (Internet Storage Name Service) is to help find available targets on a large iSCSI network

Below are the xcopy command popular switches:

  • xcopy /T (creates the sTructure only, does not copy files or empty folders)
  • xcopy /E (copy all folders including Empty ones))
  • xcopy /S (copy all folders exScluding the empty ones)
  • xcopy /U (copy only files that already exists on destination, from U to U)
  • xcopy /I (creates the destInation directory if it does exists)

To create a virtual disk of, let's say 1GB, run this command: diskpart > create vdisk file "C:\winhd.vhd" maximum=1000 type=expandeable" and then run "diskpart > attach vdisk" and finally to initialize it run "diskpart > convert mbr"

 

Step 2: Windows Deployment Services (WDS) + Microsoft Activation tips

1.- Create our Windows Deployment Services VM, called WDS01, and install the WDS role on it, then import some 64bit images to it, on this example I imported the images for Windows Server 2008 R2 Enterprise, Win7 Pro and Windows 8.1 Enterprise Evaluation

WDS Deployment

2.- Go ahead and install the Windows Automated Installation Kit (AIK) on our WDS server (insert the DVD on the Hyper-V and then modify the setting of the VM to choose the physical drive from the Hyper-V), then open the Windows System Image Manager (Windows SIM) and create a new answer file called autounattend.xml, adding the component from the Windows 7 Pro .wim file to join the machine to the domain. On this example I'm using 64bit (amd64):

Remember to save the answer file into the folder V:\RemoteInstall\WdsClientUnattend on our WDS server

Lab Setup for Microsoft Exam 70-643

3. Once you have configured the answer file with all the settings that you need, configure an image to use that answer file by visiting the Client tab of our WDS server; notice you can only have an image for 64-bit images and another for 32-bit images

Configure unattended file

 

Stuff you can do to learn WDS

  1. Deploy a fully unattended image of both win7 and server 2008 R2
  2. Mount a .wim image using imagex
  3. Explore extensively the command wdsutil, and use it to add images to the server, etc; with this tool you can use powerful commands like: wdsutil /initialize-server /reminst:path\foldername
    1. wdsutil /set-server /answerclients:all
    2. wdsutil /set-server /answerclients:known
    3. wdsutil /set-server /useDHCPPorts:no /DHCPoption60:yes
    4. wdsutl /add-image /imgefile:D:\sources\install.wim /InstallType:install
  4. Use the bcdedit (Boot Configuration Data) to edit the boot loader

 

Stuff that is good to know about WDS

WIM are file-based and not sector-base, meaning they are editable, hardware independent and with a XML based catalogue

WIM images cannot be mixed between architectures, 32bit for 32bit only and 64bit for 64bit only (except when using IFM to create a RODC from our DC)

If WDS and DHCP are on the same VM, visit the DHCP tab and configure WDS for not to use port UDP 67

To run from network location, you can do setup.exe /unattend:myAutounattendFile.xml

Use the command imagex /apply myimage.win 1 c: to apply an image to a c:\ drive. The answer file for that installation should be kept on C:\Windows\Panther\unattend

WDS cannot be installed on Server Core

WDS can have a maximum of 13 boot images

To add a .vhd image to WDS, use this command: wdsutil /Verbose /Progress /Add-Image /ImageFile:"C:\clientimage.vhd" /Server:MyWDSServer /ImageType:install /ImageGroup:"MyInstallGroup"

To pre-stage a computer on Windows Server 2008 R2, first of all got to the AD Console and select View > Advance Features, then create the computer and edit its properties, then add the MAC address as illustrated

netbootGUI for Lab Setup for Microsoft Exam 70-643

To create a Windows Discovery Boot CD, do as follows:

1.- Import a boot image (from the source folder of a Windows Vista/7 DVD) to the Boot Image folder on the WDS console, then right-click on the image you have just imported and launch the "Create Discover Image..." wizard

Discover image

 

2.- Then, create a 64-bit WindowsPE bootable disk by issue the command copype.cmd amd64 c:\WinPEdisk from the Windows AIK command prompt. After done that, copy the "DiscoverImage.wim" file that you created earlier and pasted into the C:\WinPEdisk\ISO\sources folder, and rename it to be called "boot.wim"

Boot.wim file

3.- Then, visit the folder "C:\Program Files\Windows AIK\Tools\amd64" and copy the imagex to the root of the "C:\WinPEdisk" folder, this will allow us to have this awesome tool (imagex) on the disk after we created so we can troubleshoot systems

4.- And finally, issue the command oscdimg to create a .iso from the folder that you choose:

 ommand oscdimg to create a .iso

5.- That will create a Discovery Boot disk from which you can boot a machine and connect to the WDS server configured on the image and install an OS on the booted client from it

 

To create a "Capture" image, right click a boot image on the WDS and select the wizard "Create Capture Image..." This will create a capture image from which you can choose to boot after pressing F12 on the 'pristine' machine, uploading the image of the machine with all drives, etc. to the WDS server; obviously, don't forget to use sysprep > generalize before capturing the image of that machine

Boot image folder

 

Stuff that is good to know about Microsoft Windows Activation

Be aware, a KMS host installed on a Windows Vista can only activate Windows Vista clients

A KMS server uses port TCP 1688 to communicate with Microsoft and activate clients

Apart from the OEM (e.g. buy computer from DELL already activated) or Retail (e.g. buy OS from amazon and you need to activated) there is the Volume activation that can be summarised as this:

  • MAK (Multiple Activation Key), once activated the Windows will be activated forever or until 3 x hardware components changes occur; MAK can be further divided on two types: MAK Independent Activation; you can use the slmgr.vbs or slui.exe tool with direct connection to the Internet
  • MAK Proxy Activation; when activating computers without a direct Internet connection, download the VAMT tool from Microsoft and install it on a PC with a direct connection to activate the others

KMS (Key Management System); only works for environments with more than 25 physical computers if you need to activate client Operating Systems (Windows Vista, 7 or 8) or 5 physical computers if you are activating only server Operating Systems (2008 or 2008 R2). Once you insert a KMS key on a server it automatically becomes a KMS Server, remember this though:

  • Port 1688 needs to be open for KMS activation
  • Add the DNS SRV resource record entry srv_vlmcs._tcp on the DNS server so clients can automatically find the KMS Server using autodiscovery
  • KMS clients not activated will attempt to contact a KMS host once every 2 hours
  • KMS clients activated will attempt to re-activate every 7 days
  • KMS client that fail to re-activate (they try to re-activate every 7 days) will become de-activated after 180 days without contacting the KMS host. So, the big problem will be if the KMS host becomes unavailable for more than 180 days.

Using the VAMT tool, you can export the IIDs (Installation Unique Identifier) to an .xml file for activation on another VAMT server

Most common switches that I use with the slmgr tool:

  • slmgr -ipk xxx-xxx- xxx- (allows you to change the product key by entering the 25 digits number)
  • slmgr -ato (activate right now)
  • slmgr -dli (displays the license info and most important the status)
  • slmgr -xpr (displays when the license expires)

 

 Guide: Table of IP Addresses

No Server Name IP Address Roles and Features
1 DC01 10.10.10.10

AD Directory Services (+ DNS)

AD Certificate Services

DHCP

F: Group Policy Management

F: Remote Server Administration Tools

F: Windows System Resource Manager

2 WDS01 10.10.10.11

Windows Deployment Services

Remote Desktop Licensing Server

3 RAID 10.10.10.8

File Server Resource Manager

Remote Desktop Connection Broker

4 WebServer01 10.10.10.12

IIS

Windows Media Services (WMS) [10.10.10.13]

NLB Cluster [10.10.10.15]

F: SMTP Server (mail transfer)

5 WebServer02 (core based) 10.10.10.14

IIS

NLB Cluster [10.10.10.15]

6 RDS01 10.10.10.21

Remote Desktop Session Host

F: Desktop Experience

F: Windows System Resource Manager

7 RDS02 10.10.10.22

Remote Desktop Session Host

F: Windows System Resource Manager

8 RDWeb 10.10.10.23

RD Gateway (includes NPS)

Remote Desktop Web Access

 

Step3: Install the WebServers VMs + Streaming Media Services tips

1.-Create a couple of differencing disk, one for a VM called WebServer01 based on the ParentGUI and another for another VM called WebServer02 based on the ParentCore

Web Streaming media server 

2.- On WebServer01 install of the roles services related to IIS; in addition visit All-Free-Website-Templates and create up to 5 different websites on the server by downloading the templates of your choice; configure appropriate host headings, etc. (edit the bindings in the actions panel so that each site can start and they don't conflict to one another)

 Sunflower webpage

3.- On the other hand, on WebServer02, being a Server Core installation, you need to import the IIS module and then copy the templates sites across, good luck with that! ;-) Okay, let me help you out:

  • Join the domain: netdom join webserver02 /domain:ms643.internal /UserD:Administrator /PasswordD:*****
  • Display the available features in table formatl: Dism /online /get-features /format:table
  • Install the IIS role: Dism /online /enable-feature /featurename:WebServerRole
  • Install IIS Management Service: Dism /online /enable-feature /featurename:IIS-ManagementService
  • Enable Remote Management by changing the key EnableRemoteManagement to 1 in HKLM\Software\Microsoft\WebManagement\Server in the registry
  • Finally, start the Web Management Service by running: net start wmsvc
  • And run this command to ensure the service start with the next reboot of the core server: sc config wmsvc start= auto
  • To display the running services use: sc query

Stuff you can do to learn IIS

Edit the web.config of the sites and see the effects of the changes you make on the features

Using PowerShell you should do:

  • Set-ExecutionPolicy RemoteSigned (to enable the execution of scripts)

 

Stuff that is good to know about IIS

The tool appcmd can only be launched from the C:\Windows\system32\inetsrv path, unless you add it to the System Variables menu

Remember that two SMTP virtual servers cannot have the same IP Address when using the default port 25 (they can have the same name though)

Refer to this table to configure the .NET access policies (ASP.NetTrustLevel):

 

Access Security Trust Level set to.... ...restrict the following:
Full the default trust level, all allowed
High
  • cannot call unmanaged code
  • cannot call services components
  • cannot invoke code by visiting reflection
  • cannot write to Event Log
  • cannot access Microsoft Messanging Queuing
  • cannot access ODBC or Oracle Data Sources
Medium

Restrict all above plus:

  • cannot access files outside the Application directory
  • cannot access the registry
  • cannot make network or web services call
Low

Restrict all above plus:

  • cannot write to access File System
  • cannot call the Assert Method
Minimal application has only execute permissions

 

Advance Logging for IIS is actually an extension that you can install from here: http://www.microsoft.com/web/gallery/install.aspx?appsxml=&appid=AdvancedLogging%3bAdvancedLogging

To enable IIS Manager to the sites of the server, configure the Management Server feature at the server level (the only place it resides anyway) to use this identity credentials

 Management service

When adding a site using the appcmd command, the two parameters that must be entered are:

  • /name:[nameOfTheSite]; the physical path or binding are not essesntial, the appcmd will assume the defaults
  • /id:[integer]; specifies the unsigned integer that you want to assign to the web site

 

 

Tips about Streaming Media Services

A key is used to decrypt and unlock media packaged content, that key is composed of " license key seed" + "key ID"

Download and install on WebServer01 the KB963697 Microsoft Update Standalone Package (MUS) for Streaming Media Services, more info here: http://support.microsoft.com/en-us/kb/963697

To add an additional IP address for listening to HTTP Streaming, follow this instructions: http://www.iis.net/learn/media/windows-media-services/using-http-for-streaming-and-downloading-from-the-same-computer

Streaming media services for Lab Setup for Microsoft Exam 70-643

If you have bandwith contention when playing videos...

  • Enable "Advanced Fast Start", if the user has Windows Media 10 or later, the video will start playing with less initial buffering delay
  • Enable "Fast Reconnect", available in Windows Media Player 9 and later

If you have enough bandwith to play videos...

  • Enable "Fast Cache", beneficial when the available bandwidth exceeds the requirements of the content

Windows Media Player 6.2 or higher is needed to play packages media files

 

Step 5: Install the RDS (Remote Desktop Services) VMs

1.-Create 3 differencing VMs from our ParentGUI, and based on that create these 3 different VMs:

 

RDS01 RDS02 RDS03
RDSO1 Server RDS02 Server RDS03 Server

 

Stuff you can do to learn Remote Desktop Services

Install an application on your RDS server by placing/removing the server on the appropriate modes, after the program is installed don't forget to add it to the RemoteApp list, remember:

  • change user /install (after running this, go and install the application and make the needed changes to it, like setting preferences, default paths, etc, the changes you made will be captured on the registry)
  • change user /execute (once installed, put the server on execute mode so that users can access the application, they will not be able to change the setting you configured on the application while on /install mode)
  • change user /query (hello? on which state are we running?)

Deploy a few of the .msi packages created in RDS to one of the client computers you built earlier using WDS

Export packages from one RDS server and import them into another RDS server, so much fun!

 

Stuff that is good to know about Remote Desktop Services

RD CAPs (Connection Authorizations Policies) are authorization policies that specify who can connect to a RD Gateway, once you have a RD CAP in place, you can create a RD RAPs (Resource Authorization Policy) to establish what the authorized users can access. Both policies must be created when initially configuring a RD Gateway

RD Gateway requires the following to be installed too:

  • Feature: RPC over HTTP Proxy
  • Role: IIS
  • Role: Network Policy and Acccess Services

To fine-tune the bandwith of a RDS server and customise the experience of users, alleviating the issue of having a slow or unresponsive mouse after sending a large print job, change the following values under this key: HKEY_LOCAL_MACHINE_SYSTEM\CurrentControlSet\Services\TermDD

  1. FlowControlChannelBandwith; default is 30, gives priority to clipboard, file transfers and print job, max is 255
  2. FlowControlChangePostCompression; this determines wether flow control calculates the bandwidth based on precompression or postcompression bytes, the default value is zero which is precompression

Font Smoothing; If you have a LCD screen, enable ClearType effect and the Window Color and Appearance applet

If the RD RemoteApp server and RD Web Access are on separate boxes, the RD Web Access must be added to the local security group on the RD RemoteApp

A member of a session broker load-balanced group can be placed in drain mode, aka maintenance mode, where users can reconnect to disconnected sessions but no establish new sessions

To prevent a single server from being overwhelmed by new logon requests, RD Session Broker Load Balancing sets a limit of 16 maximum pending logon requests to any one terminal server. The session limit of a RD server can be changed by creating the key UserSessionLimit under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

RDC 6.1 is required to connect to RD Web Access, RDC 6.1 is only available on Windows Vista SP1, Windows XP SP3 and Windows Server 2008, of course RDC 7.0 is available on the later versions (Windows 7) and also support RD Web Access. To force users to use RDC 7.0, you should tick the option "Only allow client connection to Remote Desktop Session Hosts server that enforce RD Gateway device redirection" under the CAP policy:

 CAP for Lab Setup for Microsoft Exam 70-643

 

For automatic discover of the licensing server, this has to be installed on a Domain Controller

Issuance report of Per User CALs only support licensing servers that are in a domain

The revocation process only works on Per Device (and up to 20% of device type) and not Per User

Licensing Diagnosis only works when the RD Session Host role is installed, not even from the licensing server you can run the diagnosis unless the RD Session Host service is running

WDS license

To control which RD licensing server issue licences to which RD Session host, enable the GPO "License server security group" located in "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Licensing" and then add the RD Session host servers to the "Terminal Server Computers" local group of the RD Licensing server

Terminal Server properties

 

Remote Desktop Services checks for a licensing server in this order:

  1. First attempt is to contact the license server listed in the Configuration Tool or Group Policies
  2. Next, will try to contact the license server that is installed on the same box as the RDS
  3. Next, will try to contact any license server which is published in Active Directory
  4. Finally, RDS will try to contact a license server installed on Domain Controllers in the domain

If the Dynamic Fair Share Sessions (DFSS) is set on the registry, the policy applied by WSRM is Weighted_Remote_Sessions; this is also the case if the Kernel Resource Manager (KRM) bit is set in the registry

What does TS Session Broker do:

  • The Session Broker server ensures users are re-directed to their original session if they get disconnected
  • The Session Broker server also enables the balance of session between the RDS servers on a farm

If the RD Web Access server and the RD Session host server holding the RemoteApp are on different servers, we must give access to the RD Web server to display the apps by adding it to the local group "TS Web Access" on the RD Session host

 

Step 6: Windows System Resource Manager

Windows System Resource Manager is so flipping cool!

Commands that are good to know for Server Core 2008 R2

Just a few random handful commands that are worth mentioning:

cscript sregedit.wsf /AU /4 ; enable automatic updates, if using the /1 it will disable the updates

cscript C:\Windows\System32\Sregedit.wsf /cs 0 ; will enable Remote Access for administrative purposes

 

 

London, 15 May 2015

 

 

References

Windows 7 Automated Install Settings; huge thanks to Mischa Taylor for this amazing blog: http://misheska.com/blog/2013/07/26/windows-7-automated-install-settings/

Installing and Configuring WDS; lots of thanks to Augusto Alvarez for his great blog: http://blog.augustoalvarez.com.ar/2008/12/12/installing-and-configuring-wds-windows-deployment-services-full-images-deployment-part-iii/

Running Hyper-V in a nested VM; thanks to Andrea Mauro for this great blog: http://vinfrastructure.it/2014/05/running-hyper-v-nested-vm/

Ho to install Roles and Features on Windows Server 2008 R2 Core (Shell); great stuff from Thomas Maurer http://www.thomasmaurer.ch/2010/07/howto-install-roles-and-features-windows-server-2008-r2-core-shell/

Server Core 2008 R2 oclist and ocsetup v.s. dism; nice once from Nady Elkhodary http://www.watchandapply.com/2013/05/server-core-oclist-and-ocsetup-vs-dism.html

Fix "RPC Server is Unavailable" Error in Windows Server 2008 R2 Remote Disk Management; another great article from Petri https://www.petri.com/rpc-server-is-unavailable-error

Installing Windows Server 2012 Core; great initial steps for a shell installation of Microsoft OS system, my thanks to Rand Morimoto, Andrew Abbate, Chris Amaris, Omar Droubi, Michael Noel and Guy Yardeni http://www.informit.com/articles/article.aspx?p=1947698&seqNum=5