MCSE
OSI Layers
1-Physical
Signaling
Clock Synchronization
2-Data link
Arbitration -> CSMA/CD & CSMA/CA
Physical Addressing ---> Next Hop
MAC Address -> 48 bits/Hex
OUI + Interface (2*24 bits)
Error Checking
Encapsulation/Decapsulation
Half Duplex/Full Duplex
HUB & Switch
Switching -> Transparent
Plug & Play
Mac Table -> Listening & Learning -> ARP
Collision Domain
3-Network
Logical Addressing
IP: 32 bits -> Net ID + Host ID
Subnetmask
Routing
Host Routing: Same Broadcast Domain
Router Routing: Different Broadcast Domain
Ping:
Transmit Failed. General Failure
Destination Host Unreachable
Request Timeout
TTL Expired
Reply
Tracert
Broadcast Domain
4-Transport
5-Session
6-Presentation
7-Application
Introduction
220 hrs -> 50% AD + 20% Network Infrastructure + 30% Application
Network Infrastructure: DHCP / DNS / RRAS (Direct Access)
Application: File SRV (DFS or Fail-Over Cluster)
SPOF? HA? Redundant? FT?
Group or Cluster?
Heartbeat
vip
MCSE 2008 & 2008 R2 -> 2012 -> 2016 & 2019 -> 2022
DNS:
Zone-> Forward Lookup & Reverse Lookup
Forwarding -> Conditional Forwarders & Unconditional Forwarding
Secondary Zone?
Zone Transfer?
Root Hints?
Delegation?
DHCP:
DORA? Scope? DHCP Options? DHCP Failover?
DHCP Relay Agent?
IPAM
Windows Firewall
RRAS:
NAT & PAT?
ICS?
VPN SRV
Tunneling Protocols
Remote Authentication
Radius SRV (NPS)
VPN Site 2 Site -> Trust & DHCP Relay Agent
File Server
Disk/ Partition Table/ MBR & GPT/
File System?
Block Level & File Level
Raid & Raid Types
Storage Types
iSCSI
Shared Storage
NTFS Permissions
Quota
FSRM -> Data-Deduplication
DFS
Failover Cluster for File Server
IPv6
CA Failover
IPAM
Offline Root CA
Direct Access
DAC
******************************************
Each computer has 3 Unique Address: Computer Name & MAC Address & IP Address
Logon:
Anonymous or Authenticated Logon
2-Authorization:
Right : to the system itself
Permission: Allow or Deny (Level) : to the resources of the system
Access : physical access to system
3-Accounting
AAA Server
Domain Model (Server Based is wrong name) ->
centralized database of objects in MS ecosystem : Directory (GSD/DSD) -> To Domain
-> Domain User Account
Join to Domain
Local User Account -> CLI or GUI -> LSD -> This Machine
for /l %v in (1,1,3) do net user u%v Aa12345 /add
for /l %v in (1,1,3) do net user u%v /delete
Limited compatibility: it does not support all the server roles and features that the GUI does
Some applications and drivers may not work properly
Requires more skills and experience to manage
1- Web SRV
Server side: IIS / Client Side: any web browser
Protocol: HTTP/HTTPS - Port:80/443
2- Mail SRV
Server Side: Exchange / Client Side: Outlook
Protocol: Pop3/Imap4/SMTP - Port:110/143/25
What is Directory?
Database -> Domain user Accounts -> Not Flat -> Hierarchical structure
Database: DataFile
NTDS.dit - Datafile -> Directory
2- Centralized Management
3- AD integrated applications
Structure vs Object
ADDS Objects:
User Accounts
Computer Accounts
Groups ...
ADDS Structures:
1)Logical: Domain, OU(Container), Tree(Namespace), Forest(Trust)
A)OU:
Domain Data Partition?
What is OU?
Advantages:
1- Hierarchical Structure (for Directory)
2- Hierarchical Structure (for Management)
3- Define & Assign Policy
4- Hide Objects
OU vs Group?!
Parameters to make an OU: Physical Locations -> No
Same Policies -> No
B)Domain:
Logical -> Users & Computers -> Same Policies
C)Forest:
Example: A network with multiple Domains
Trust
One-Way
- Direction-> incoming & outgoing
Two-way
Transitive or Non-Transitive
Manual or Automatic
... -> OU -> OU -> OU -> Domain -> Forest -> Active Directory
Domain -> DC -> Directory -> NTDS.dit -> Domain Data Partition
Computer Name: NetBIOS Name -> Flat (one segment) -> 15 Char -> without dot -> Capital letters
FQDN or Full Computer Name or DNS Name -> dot -> Hostname + Suffix
Name (Network name)
D)Tree
Namespace -> Tree: Graph (connected and loop-free) -> Root Domain & Child Domain
Windows Edition:
Standard
Data Center
Windows Installation: Boot Image & Install Image (Thin & Thick)
Sources: Boot.wim & Install.wim
Boot Image: RAM -> Ramdisk X: -> WinPE
Installation -> OOBE -> Sysprep -> Image (Dism) -> Mini Setup
#Name
hostname
sysdm.cpl
*CLI: netdom renamecomputer %computername% /newname:srv /usero:administrator /passwordo:P@ssw0rd /force /reboot:10
Echo %computername%
shutdown /r /t 0
#Network Settings
ipconfig /all
ncpa.cpl
cli: netsh interface show interface
*netsh interface set interface name="Local Area Connection 2" newname=ETH
*netsh interface ipv4 show interface
*netsh interface ipv4 set address ETH static 192.168.10.1 255.255.255.0
#Firewall
firewall.cpl
cli: netsh advfirewall show allprofiles
*netsh advfirewall set allprofiles state off
#RDP
mstsc
netstat -na | findstr "3389"
regedit -> Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server: fDenyTSConnections
How to change port Num?
*reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f
#Change Password
Net User
Pause
Sconfig
Run as Administrator
CTRL+SHIFT+Enter
runas /profile /user:jafarinejad\administrator cmd
Windows Components -> Roles & Features -> Active directory domain services -> DC
Promotion
Server Side Applications:
Role? Feature?!
Pre-Requirements?!
OS Source?!
Add or Remove?!
Restart?!
CLI:
Dism /online /Enable-Feature /featurename:DHCP
What is SPOF?
Problem: SPOF -> Redundancy & FT -> HA -> SLA -> Performance -> Load Balance & Quick Access
How to reach above requirements?
By DNS -> Round Robin
Problem: Data + Config Synchronization
Service: Stateful or Stateless
Cluster -> Heartbeat
Stateful (Failover) or Stateless (NLB)
Domain Controller
Minimum Requirement -> 1 DC
Minimum Recommended -> 2 DC
DC Replication description:
Push or Pull or Push & Pull
Push: By change (Change rate) or Time Interval
=> in AD: Pull Replication by
Notification (15S)
Pull: By Notification or Time Interval
Replication Topology
Double Ring -> Connection Object -> KCC (15mnts) --force--> repadmin /kcc
Admin Can change replication Topology
Problem: WAN links (Bad Links) -> Low Performance for Logon
Create a new site
Site (Physical Structure): includes one or more DCs that are connected by a good link -> Quick Access
Wan Link <-> Router => Subnet (netid) -> CIP
Default-First-Site-Name
Schema: Pattern to Data Entry (Object class & Attributes) -> Schema Partition
Extend schema -> one-way : you can not go back once you extend
AD Integrated Applications
Application Directory Partition (Optional)
Example:
Delete a User Account
SID -> Read-Only -> Unique in Local SAM
Domain User Accounts -> SID + GUID (Forest)
AD Recycle Bin:
Delete Object: Tombstone (Win2008 R2,180 Days) -> Default Disable
Services?!
Safe Mode -> Safe Mode with Networking -> Backup application
DSRM -> MSConfig
Servers:
1- Stand Alone Server
2- Member Server
3- DC
SYSVOL:
Policy -> Notify
Netlogon:
Scripts
ADDS Tools:
dsa.msc -> DDP
domain.msc -> Trust
dssite.msc -> Sites
Adsiedit.msc -> link to all partitions
dsac
gpmc.msc
active directory schema snap-in (regsvr32 -> schmmgmt.dll)
ntdsutil
Partition Management: Connections
Server connections: connect to server dc.mcse.com
Server connections: q
Partition Management: List
ldp.exe
dcdiag
esentutl
3rd party applications -> (Manageengine,ADREPLSTATUS)
c:\windows\debug
Replication Check
dssite.msc
repadmin /kcc
repadmin /syncall
repadmin /replsum
DC Demotion
Online:
1- Physical & Logical Connection in Network
2- DC+DNS Available
3- Logon Locally (This Machine) -> Local User Account -> Local Administrators
(Built-In)
4- Domain -> FQDN
5- DNS Client
6- Domain User Account -> Standard User Account
who want the user account?
what's for?
which user account is enough?
Computer Account
Local or Remote
regsvr32 schmmgmt.dll
Local user account: This Machine / LSD (SAM) / NTLM / built-in (Administrator & Guest) / Right -> Administrators (lusrmgr.msc, compmgmt.msc)
Domain user account: To domain / Directory -> Domain Data partition / Kerberos 5.0 (TGT) / built-in / AD Permission / UPN or Down Level
Examples:
Local Group Policy -> link to Computer / Apply to Computer & User (don't need refresh & update, but maybe to take effect)
3- Password Policy
Password Policy
How to change password policy?!
Example:
1- Password Policy
SYSVOL
Refresh or Update
Computer Configuration -> Restart / After 90 + Random (0-30 mins) / for DC: 5 mins
User Configuration -> Logoff
gpupdate /force (/target)
gpresult /H
specops gpupdate -> Force Remote Update
Group policy update on OU (After 2012)
Sysvol or domain data partition?! Template -> Sysvol + Container -> DDP (System Container)
Unique ID for group policy object in sysvol
dcgpofix
DN: Object Address in Directory -> Standard & Standard Name (Example: URL, MAC address, UNC Path)
1- From part to whole
2- object type before object name
3- CN -> User Account/Computer Account/Group/Container
OU
DC
Tools -> Adsiedit
dsadd
dsadd user cn=u1,ou=mcse,dc=mcse,dc=com -pwd -upn
dsrm
dsrm cn=u1,ou=mcse,dc=mcse,dc=com
dsmove
ou to ou , domain to domain -> ADMT
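An added Python example (not from the original notes) that checks the three DN rules above on a DN string such as the dsadd/dsrm one and derives the DNS domain and the parent container from it; escaped-comma handling follows RFC 4514 and the sample DNs are constructed.

```python
# Rank of each RDN type from leaf to root; a DN must list its components in
# non-decreasing rank so that "part before whole" holds (CN -> OU -> DC).
RANK = {"CN": 0, "OU": 1, "DC": 2}

def split_rdns(dn):
    """Split a DN on commas that are not escaped ("\\," inside a name is literal)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escaped character as-is
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts

def parse_dn(dn):
    """Return [(TYPE, name), ...] leaf first, or raise ValueError when the DN
    breaks one of the three rules in the notes."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:                                   # rule 2: type before name
            raise ValueError("RDN without type=name: %r" % part)
        typ, name = (s.strip() for s in part.split("=", 1))
        typ = typ.upper()
        if typ not in RANK:                                   # rule 3: CN / OU / DC only
            raise ValueError("unsupported RDN type: %r" % typ)
        if not name:
            raise ValueError("empty name in %r" % part)
        rdns.append((typ, name))
    ranks = [RANK[t] for t, _ in rdns]
    if ranks != sorted(ranks):                                # rule 1: part before whole
        raise ValueError("components are not ordered leaf to root: %r" % dn)
    if not rdns or rdns[-1][0] != "DC":
        raise ValueError("DN must end in the domain's DC components: %r" % dn)
    return rdns

def escape_name(name):
    """Re-escape backslashes and commas so the DN can be rebuilt losslessly."""
    return name.replace("\\", "\\\\").replace(",", "\\,")

def dns_domain(rdns):
    """DNS name of the domain whose Domain Data Partition stores the object."""
    return ".".join(name for typ, name in rdns if typ == "DC")

def parent_dn(rdns):
    """DN of the container one level up (the OU, container or domain)."""
    return ",".join(f"{typ}={escape_name(name)}" for typ, name in rdns[1:])

# Constructed sample DNs (the first one mirrors the dsadd example in the notes)
SAMPLE_USER = "cn=u1,ou=mcse,dc=mcse,dc=com"
SAMPLE_ESCAPED = "CN=Doe\\, John,OU=mcse,DC=mcse,DC=com"

if __name__ == "__main__":
    rdns = parse_dn(SAMPLE_USER)
    print(rdns, dns_domain(rdns), parent_dn(rdns))
    print(parse_dn(SAMPLE_ESCAPED)[0])
```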
User account (Object) -> Sid , Guid , Sid history
sid filtering
Find Object
design per site -> wrong definitions Domain & DC -> All Users (OU)
Solution: dsquery (how to search?)
saved queries -> User profiles
cmd: dsquery user -name a* ou=mcse,dc=mcse,dc=com (|)
redircmp , redirusr
redircmp ou=...,dc=mcse,dc=com
net computer \\pc2 /add
Logon Hours Expires: computer -> windows -> security -> local policies -> security options
Does Not apply to Administrator Account
Lockout policies: computer -> windows -> security Settings -> Account Policies
Does Not apply to Administrator Account
To prevent a DDoS attack -> Logon To ...
Map a network drive -> user -> policies -> windows settings -> scripts
net use driveletter: \\unc path\sharedname
net use driveletter: /delete
Example: Policy for ie -> preferences -> control panel -> internet settings
policy for network drive -> preferences -> control panel -> drive maps
Home folder -> %username%
Users can not store Data on WinDir -> Redirect or Move desktop
User Configuration -> Windows Settings -> Folder Redirection
CSV + Script
****** OU ******
Overview
What is OU?
Advantages:
1- Hierarchical Structure (for Directory)
2- Hierarchical Structure (for Management)
3- Define & Assign Policy
4- Hide Objects
OU vs Group?!
Parameters to make an OU: Physical Locations -> No
Same Policies -> No
Delegation
by Security Options
by Wizard
Run as Different User
Allow logon local policy -> Default Domain Controllers Policy
Machine account password age: (30 Days) Local Policies -> Security options
Logon Cache (10) -> gpedit -> Local Policies -> Security options
Rename
Pre-stage
which OU & joint by which User?
what is trust?
Conditions of trusts
1- One way or Two way
Incoming or Outgoing
2- Transitive or non-transitive
3- Automatic or Manual
Questions:
1- Which domains?
2- One-way or Two ways
3- Transitive or non-transitive
4- Auto or Manual
Type of Trusts:
1- Tree root Trust
2- Parent-child Trust
3- Shortcut Trust: Optional/Non-transitive/Manual
4- External Trust: Optional/Non-transitive/Manual
5- Forest Trust: Optional/Transitive/Manual
6- Realm trust: AD vs Non-AD (Kerberos ver 5.0)
Domain.msc
Type of Trust In Wizard?!
External Trust
domain-wide or Selective
Forest Trust
forest-wide or selective
What's for?!
1- Prevent Unnecessary Repetition
2- Modular
3- Independence of Resource
1) Built-in
2) Non-Builtin
AD Group:
Built-in: OS or Active directory
windows: Built-in Container
AD: Users
Types of Groups:
Change Type
security <---> distributed
Global -> member from local domain / resource from each domain (Trust)
Domain Local -> member from each domain (trust) / resource from local domain
Universal -> member from local forest / resource from local forest
Group Naming:
Global Named by Members
DL Named by Permissions
change scope
G <---> DL
G <---> Uni
DL <---> Uni
Nested Group
G ---> DL
G ---> Uni
Uni ---> DL
Usecase of Groups:
Group Strategy
AP
A L P -> Workgroup
A G P
A G L P -> Built-in
A G DL P
A G U DL P
Master Roles:
Multi Master By Single Role
Domain Naming
Add or Remove Domain to the Forest
Domain Wides:
Graphical by snap-in:
regsvr32 schmmgmt.dll -> schema master role
domain.msc -> domain naming
dsa.msc -> domain wides
CMD:
Netdom query fsmo
dsquery server -hasfsmo schema
Powershell:
get-adforest
Note: Schema & Domain Naming master -> Same DC that is GC SRV
RID & PDC Emulator -> Same or separated DC (when overloaded)
Infrastructure -> DC that is not a GC srv exception as under:
1- Every DC in a domain is GC
2- Domain in a multi-domain forest contains only one domain controller
3- There is only one domain in forest
Have a Failover Plan
Force Removal:
Schema
Domain naming
RID
Temporary:
Infra
PDC
ntdsutil
roles
fsmo maintenance: connections
server connections: connect to server dc1.mcse.com
fsmo maintenance: seize pdc
1- Read only
2- No password -> (RODC Computer Account & an AD Account)
3- One-way Replication
AD Physical Structure:
Management Tools
GUI -> dssite.msc
CLI -> repadmin /kcc /Syncall /replsum
3rd party -> manage engine or Dell Quest
DNS Query
_ldap._tcp.mcse.com
_ldap._tcp._siteA.mcse.com
Site Attributes
1-Site Name -> Default-First-Site-Name
2-DC or DCs of site
3-Subnets
4-Site Link (Instructions for inter-site Rep)
Name: DefaultIPsitelink
Which sites?
Schedule: when?
15mins <= Replicate every <= 7 Days
Transport Type: Application Layer protocol
RPC(IP) or SMTP
RPC (Remote Procedure Call) -> Primary: 135
-> Secondary: Random
SMTP -> un-stable link
Need Certificate
Can't replicate Domain Data Partition
Wrong Scenarios
1 forest, 1 Domain, 1 Site
1 forest, 1 Domain, 2 Site
Solution:
1 forest, 2 Domain
2 forest
5-Cost
How many site link should i have?
which site link should i use?
-> what is + not cost?
Example: SiteA - SiteB - SiteC (Different bandwidth) -> STP (Spanning Tree Protocol)
GC/GC Srv
Universal Group membership caching
Overview
Add local User Account or Change Administrator Password
CMD: Net user administrator 123
Preferences
Control Panel Settings
Local Users and Groups -> Laps (Local Administrator password Solution)
1-Block Inheritance
2-Enforced
3-Loopback processing
Administrative Templates -> System -> Group Policy -> Configure User group policy ... -> Merge or Replace
4-Slow Link Detection (Default: 500kbps) -> ICMP / NLA (Network Location Awareness)
Software Installation
Folder Redirection
Disk Quota
...
Computer Configuration
Assigned
Install
Remove
User Configuration
.msi & .zap
Published (msi,zap)
exe to zap:
[Application]
Friendlyname ="program name"
SetupCommand = \\path\filename.exe
DisplayVersion = X
Publisher = Corporation Name
URL = http://....
[ext]
xlS =
xlA =
XLB =
Advanced
Security Levels
Unrestricted
Disallowed
Basic User
RSOP:
Logging Mode
cmd: rsop or gpresult
dsa.msc
mmc -> add snap-in
gpmc.msc -> Group policy results
Planning Mode ?!
ntdsutil
snapshot
Create -> Activate Instance ntds
Delete
Mount
NT Backup (XP & 2003) -> Windows Server Backup (Feature) -> wbadmin.msc
Backup Strategy:
Which Data?
Which Application:
Backup Exec
Veeam Backup
SCDPM
Schedule
Type
Storage
Archive -> Tape
Verification
Types Of Backup:
Full Backup
Only changes
Transaction Logs
Copy Backup
Scenario:
1- Install Backup Server Feature
2- Backup From Selected DC
3- Restore DSRM (if needed)
NTDSUtil -> Set DSRM Password -> Reset Password on ...
4- Reboot DC on Safe Mode
MSConfig -> Boot -> Safe Boot -> Active Directory Repair
5- Backup Recovery
6- Increase USN
NTDSUTIL -> Authoritative Restore -> Activate Instance ntds -> Restore
Subtree DN
AAA (NTLM or Kerberos) -> TGT & TGS -> Service Principal Name (SPN)
Golden Ticket -> kerberos -> ATA (Advanced Threat Analytics)
Manage Service Account (MSA or gMSA)
Runas savecred / Process Monitor
LAPS
Ransomware -> Backup
DLP (Data Leakage) -> ADRMS
DC Rename -> Netdom computername
Domain Rename -> ADMT
GPO Planning
how to work? or who's to apply?
CSE (Client Side extension)
Site Link Bridge
Slow link detection -> NLA (Network Level Authentication)
Applocker
Phantom Objects
Normal Object
Deleted before tombstone lifetime expires
Object is removed from ad completely
External references still exist
Transparent Encryption
DNS SRV:
Protocol: DNS
Port: UDP/53
ping vs nslookup
Domain:
ADDS -> Policy
DNS -> Suffix Name
MX Record?
Example for Send & Receive Emails:
Inside a network
Between two networks
nslookup:
set q=mx
set q=a
other records
New Domain
AD Domain -> DNS Domain -> Zone -> Data File
1 Zone with multiple DNS Domain
Join to DNS Domain
SOA Record
Example: 1 Zone with multiple DNS Server
Retry Interval
Expire After
Default TTL (for Static Records)
Per Record
NS Record
Glue Record -> A record DNS SRV
1- DNS SRV:
Active DDNS
Suffix Name
2- DNS Client:
DDNS Support (2000)
DNS Client of this DNS SRV
Suitable Suffix Name
Register this -> checkmark
When register Record? -> Hard Registration or Soft Registration
ipconfig /registerdns
Aging
for Dynamic Records
Update or Refresh
Stale & Scavenge
Blocklist:wpad , isatap
DNScmd: info , config
enableglobalquery block
Forward to forwarders
C) Conditional Forwarding(2003)
DNS Queries:
1- Non-Recursive Queries (Reverse)
2- Recursive Queries -> Last Answer
3- Iterative Queries -> Next Step
Root Hints
Domain Controller:
LDAP SRV
Kerberos SRV
GC SRV
-> IP Address & Port
Make AD Zones
Make Srv Record
=> Service Locations or SRV Record -> Netlogon
what is DMZ?!
Caching Only DNS SRV
DORA:
1- DHCP Discover -> Broadcast
DHCP SRV: 67/UDP
DHCP Client: 68/UDP
2- DHCP Offer
3- DHCP Request
4- DHCP Ack + Options
Questions:
4 steps?
Broadcast?
Transaction ID -> Application layer
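To make the DORA exchange, the 67/68 ports and the transaction ID concrete, here is an added Python example (not part of the original notes) that builds a DHCP Discover and a matching Offer as raw RFC 2131 bytes, parses the option list, and only accepts a reply whose xid and MAC echo the client's request. It also extracts options 66 and 67 as used in the WDS scenarios later in the notes; the MAC, addresses and boot-file path are constructed sample values and no packets are sent.

```python
import struct
import secrets

# UDP ports from the DORA notes: the server listens on 67, the client on 68
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREQUEST, BOOTREPLY = 1, 2               # op field: client -> server / server -> client

def build_dhcp(op, xid, mac, options, yiaddr=b"\0\0\0\0"):
    """Build a raw DHCP message: RFC 2131 fixed header + magic cookie + TLV options + end."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0,                      # op, htype=Ethernet, hlen=6, hops
                         xid, 0, 0x8000,                   # xid, secs, flags (broadcast bit)
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_dhcp(packet):
    """Decode header fields and options; raises ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    msg = {"op": op, "xid": xid, "mac": packet[28:28 + hlen],
           "yiaddr": ".".join(str(b) for b in packet[16:20]), "options": {}}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = value
        i += 2 + length
    else:
        raise ValueError("missing end option")
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\0")[0], "UNKNOWN")
    return msg

def reply_matches(request, reply):
    """A client only accepts a BOOTREPLY whose xid and chaddr echo its own request."""
    return (reply["op"] == BOOTREPLY and reply["xid"] == request["xid"]
            and reply["mac"] == request["mac"])

def pxe_boot_parameters(offer):
    """Options 66 (boot server) and 67 (boot file) that a PXE client reads from the reply."""
    opts = offer["options"]
    return (opts.get(66, b"").decode("ascii") or None,
            opts.get(67, b"").decode("ascii") or None)

# Constructed sample exchange (values are made up; nothing is sent on the network)
CLIENT_MAC = bytes.fromhex("001122334455")
XID = secrets.randbits(32)
DISCOVER = build_dhcp(BOOTREQUEST, XID, CLIENT_MAC,
                      [(53, b"\x01"), (60, b"PXEClient")])
OFFER = build_dhcp(BOOTREPLY, XID, CLIENT_MAC,
                   [(53, b"\x02"), (1, bytes([255, 255, 255, 0])),
                    (66, b"192.168.10.5"), (67, b"boot\\x64\\example.bin")],
                   yiaddr=bytes([192, 168, 10, 50]))
OTHER_CLIENTS_OFFER = build_dhcp(BOOTREPLY, XID ^ 1, CLIENT_MAC, [(53, b"\x02")])

if __name__ == "__main__":
    d, o = parse_dhcp(DISCOVER), parse_dhcp(OFFER)
    print(d["type"], "->", o["type"], o["yiaddr"], pxe_boot_parameters(o))
    print("foreign xid accepted:", reply_matches(d, parse_dhcp(OTHER_CLIENTS_OFFER)))
```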
DHCP Pre-requirements
Static IP Address
2-Management tools:
dhcpmgmt.msc
netsh
powershell
3-DHCP Configuration:
Network monitor or wireshark for dhcp discover packet
Restart DHCP Service
Security problem -> rogue DHCP Srv (Fake)
Microsoft solution: Authorization -> Domain Admins
Cisco: DHCP Spoofing
Stand alone DHCP SRV
Firewall
Scope -> Address Range or Address Pool
Activate Scope
Discover but no offer
Scope with Same netid <=> Primary IP Address
How Many Scope = VLANs That Include DHCP Client
4- Options
what is option?
Code & Name
option type -> boolean,string,...
Policy
define user classes (Class ID)
policy in scope
Compact
jetpack
jetpack dhcp.mdb temp.mdb
batch file:
cd %systemroot%\system32\dhcp
net stop dhcpserver
jetpack dhcp.mdb temp.mdb
net start dhcpserver
HA & FT
Problem:
SRVs are not sync => ip conflict
Solution:
1-Divide scope by Exclusion
Problem:
Insufficient IP Address due to full scope => NACK
3-Failover Cluster
4-DHCP Failover (2012) -> Per Scope -> Only 2 DHCP SRV -> Port: TCP 647 for heartbeat
Maximum Client Lead Time -> Just for Hot-Standby
Multicast Scope
Types of IP Address -> Unicast, Multicast, Broadcast
Multicast: first octet 224 to 239
Standard: RIP v2 (224.0.0.9)
Static
Dynamic
Bad Address?!
Bootp Table
phpIPAM or Solarwinds
Microsoft: MS Proxy 2.2 , ISA 2000/2004/2006 , TMG 2010 => 2012 Discontinue
Kerio Control
Packet Filtering
Static Packet filtering & Dynamic Packet Filtering => Stateless Firewall & Stateful Firewall
Application Filtering (Layer 7) -> UTM (Unified Threat Management) -> Firewall + IDS + IPS + VPN + Accounting + Anti-Spam & Anti-Virus + Reporting
Content Filtering?!
Priority of Rules
Example:
Ping
Routing Table
Arp -a
echo request
wf.msc
firewall.cpl
Browse
Routing Table?
Route print
Route add
Route add -p
Route Delete
Route -f -> Flush routing table
1- Network Destination
=> Destination
2- Netmask
3- Gateway (to)
=> Action
4- Interface (from)
5- Metric => Cost
Default route ?!
Default Gateway -> 0.0.0.0 0.0.0.0
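An added Python example (not from the original notes) that applies the selection rules behind the `route print` columns above: the most specific netmask wins, ties go to the lowest metric, On-link routes are delivered directly on the interface, and the 0.0.0.0 / 0.0.0.0 default gateway is the fallback. The table rows are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # Network Destination + Netmask
    gateway: str                     # next hop; "On-link" = same broadcast domain, deliver directly
    interface: str                   # local address the packet leaves from
    metric: int                      # cost; lower wins between equally specific routes

def parse_route_table(rows):
    """rows: (destination, netmask, gateway, interface, metric) tuples as shown by `route print`."""
    table = []
    for dest, mask, gateway, interface, metric in rows:
        # strict=True rejects a destination that has host bits set under the given mask
        network = ipaddress.IPv4Network((dest, mask), strict=True)
        table.append(Route(network, gateway, interface, int(metric)))
    return table

def lookup(table, destination):
    """Select the route for `destination`: longest prefix first, then lowest metric.
    Returns (next_hop, interface), or None when not even a default route matches."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    next_hop = destination if best.gateway == "On-link" else best.gateway
    return next_hop, best.interface

def route_add(table, dest, mask, gateway, interface, metric):
    """Like `route add <dest> mask <mask> <gateway> metric <n>`, on a copy of the table."""
    return table + parse_route_table([(dest, mask, gateway, interface, metric)])

def route_delete(table, dest, mask):
    """Like `route delete <dest> mask <mask>`: drop every route for that exact prefix."""
    target = ipaddress.IPv4Network((dest, mask))
    return [r for r in table if r.network != target]

# Constructed sample table for a host 192.168.10.1 whose default gateway is 192.168.10.254
SAMPLE_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.10.254", "192.168.10.1", 25),   # default route
    ("127.0.0.0",    "255.0.0.0",       "On-link",        "127.0.0.1",    331),
    ("192.168.10.0", "255.255.255.0",   "On-link",        "192.168.10.1", 281),
    ("192.168.10.1", "255.255.255.255", "On-link",        "192.168.10.1", 281),
    ("10.0.0.0",     "255.0.0.0",       "192.168.10.2",   "192.168.10.1", 26),
    ("10.20.0.0",    "255.255.0.0",     "192.168.10.3",   "192.168.10.1", 26),
    ("10.20.0.0",    "255.255.0.0",     "192.168.10.4",   "192.168.10.1", 50),   # same prefix, worse metric
]
TABLE = parse_route_table(SAMPLE_ROUTES)

if __name__ == "__main__":
    for target in ("8.8.8.8", "192.168.10.77", "10.1.2.3", "10.20.5.5"):
        print(target, "->", lookup(TABLE, target))
```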
Example) Private network connect with Public Network (NAT & PAT)
1-Routing
2-NAT
3-NAT Table
4-PAT
5-Basic Firewall -> Packet Filtering
ICS?!
Private + Public Interfaces (Gateway)
Route + NAT + PAT + DHCP Allocator + DNS Proxy
*** Install & Configure R-RAS ***
Scenario 2) NAT
Install R-RAS
rrasmgmt.msc
Configure R-RAS
Configure NAT Protocol
Configure Protocol
Interface Binding
Configure Interfaces
Show Mapping
Example for Mapping
DNS & Web Service -> Configure to Service Publishing
3-Accounting: logging
IP Address Assignment
Range or DHCP SRV
Tunnelling protocol
PPTP
L2TP
SSTP
IKEV2
Scenario 1: PPTP
A- Configure Tunnelling Protocol on VPN Connection (Client)
B- Configure Dial-in Tab on User Account (VPN SRV)
3- Header Compression
Radius Proxy
Full Access or Limited Access?
What is Shared Secret?
Radius Clients:
VPN Srv
Switch
-> 802.1x
AP
1-Network Infra-Structure
2-DNS
Conditional Forwarding or Stub Zone
3-Authentication
Trust
External or Forest -> one or two way
Scenario 1)
S2S VPN (PPTP & L2TP):
THR vs SHZ
1- Install R-RAS
2- Configure R-RAS to VPN SRV
3- Customize R-RAS
4- Make New Demand Dial Interface
Scenario 2)
How to Configure DHCP Relay Agent?
1- Install DHCP Role on DHCP Server
2- Create Scope on DHCP Server
3- Add DHCP Relay Agent protocol on VPN Server
Scenario 3)
Trust Between 2 Domains
1- Install ADDS Role
2- Create Trust
External (Domain-Wide or Selective)
Forest (Forest-Wide or Selective)
3- DNS & Name Resolution
Extended
1- Partition -> Logical Drive -> Volume
Free Space?
Unallocated Space?
Diskpart
List Disk
Select Disk
Re-Scan
Import Foreign Disk
What is Storage?!
Disk vs Storage
BAY, Cage (Box), Storage Pool (Space), Enclosure (SAS Cable, SAS Controller)
What is RAID?
Disk (Group or Array) + Policy
Why?
SPOF with Disk (FT)
Performance
Capacity
Raid Configuration
Hardware RAID vs Software RAID
Raid Controller or OS
Resources
Abilities
Flexibility
Raid vs Backup
Hot Spare?
Raid Technologies:
Striping
Mirroring
Parity
Raid 5
3 <= Disk <= 32
Raid 0 + Parity
What is Parity?
Same Capacity
Fault Tolerance but low Performance
Use for Data Store
Hybrid Raid
1+0 / 0+1 / 5+0 / 6+0
DAS
Block Level Access
Performance
Can not use as a Shared Storage
Internal
External
NAS
NIC
TCP/IP
OS: Unix Base
How many interface?
How many power?
Join to AD
WebUI
NFS/CIFS/HTTP
RAID
File Server & Backup Destination
File Level Access
SAN
what is the problem?
Performance
Security
HBA
SFP: Single or Multi
HBA or FCA: FC Technology
16G or 32G
WWN & WWPN: 2*64 bit
Server to Storage & Storage to Storage
1-Hosts
2-Storage Networking -> Fiber Channel
3-Storages
iSCSI
iSCSI Initiator & iSCSI Target
FCoE
HBA + NIC ---> CNA (Converged Network Adapter)
What is Usage?!
SPOF -> FT -> HA + LB + QA
Public Solution:
DNS
Example) Web Server
What is problems?
1- load Balancing without weight
2- Some apps just try for one IP (Ping)
3- Problem with Public IP
4- Visit without name or Cache DNS
5- Delay
6- Awareness?!
Maximum: 32 Hosts
MAC Address -> bit 7 (0 -> Built-in) & bit 8 (0 -> Unicast)
Problem with unicast Mode -> MAC Address Flapping & Connectivity Between Clients
Unicast Mode for Backward Compatibility
NLBmgr
nlb or wlbs
Rule:
Per IP Address
Per Port
Per protocol
Network:
Client Network (24 Bits)
Parameters -> Rule & Number of Hosts
Application Awareness?!
Server
Cost
Space
Capex & Opex
Advantages & Disadvantages?!
Hyper-V Requirements:
64 Bits
CPU -> VT Support
Bios
Management Tools: virtmgmt.msc
P2V Applications
Edit disk
Compact
Convert
Merge
VMConnect
Replication
primary & Replica
virtmgmt.msc
VM Migration (Move)
V-Motion -> Compute / Storage / Compute + Storage
Export & Import / move vhdx
live migration
NIC Teaming
VM1: DC + DNS + GC
Shared Storage
iSCSI Target Server (iSCSI) -> SDS (2012)
Install iSCSI Target
Prepare Shared storage -> Create LUN (Vdisk) & Present to VMs
Failover
Failback
Switchover
File System
FAT -> FAT16
FAT32
ExFAT
NTFS
ReFS
NTFS Specification:
Security Tab
Compression
EFS
Quota
Allow vs Deny
Effective Permissions
Advance tab
Auditing
Object Auditing
Windows Auditing -> Configure Group Policy
Advanced Audit Policy configuration (2008R2)
Event vs Report
File Screening
Define File types by file Screen (No Content Filtering)
7- Workgroup Folder
8- Shadow Copy -> Default Shared folders (fsmgmt.msc) -> Configure shadow copy
How to share a folder remotely?!
Policy for delete default shared folders -> Computer Configuration ->
preferences
SPOF
File Server -> HA
Stateful -> Failover Cluster -> Shared Storage
Microsoft: DFS (Namespace + Replication)
Example: DC (sysvol)
Set Active
Diagnostic Report
What is Printer?
Hardware -> Print Device
Software -> Driver
Practical scenario
Print Server:
Install printer
Share Printer
Permission
Quota Management
=> Papercut
Monitoring
Management Requirements:
Snap-in For Print Server Management
Policy for Install Network Printer
Bugs:
1-SPOF in Print Server
Failover Cluster
3-Interface Problem
Network Interface Print Device
Pre-Requirements:
NIC with PXE Boot-ROM
DHCP Server for IP Address
WDS with Boot & Install Image
Scenarios:
1- Client , DHCP Server , WDS in the Same Broadcast domain -> UDP 67
2- Client is not in same Broadcast Domain With WDS -> Options 66 (WDS Server), 67 (Boot Image Address)
3- DHCP & WDS Services are on a Same Server
Option 60 & Change Port for WDS Service
Best Practice:
- Install & Configure a DC
- Install a DHCP Server
- Install a WDS Server
wdsmgmt.msc or wdsutil
2000 (SP2) or XP
Manual Update:
Check for Update
Download
Test
Install
1- Check/Download/Install
2- Check/Download/Notify for Install
3- Check/Notify for Download/Notify for Install
4- Windows Update Disabled
3-Disconnected WSUS
4-Mobile Devices
Requirements:
Hardware
Optimize
Software
Role & Feature Installation
Database:
WID (Windows Internal Database)
SQL Server as Database -> Failover (Always-on)
Apps for Report
Microsoft Report Viewer 2012
Microsoft System CLR Types for SQL Server 2012
NTFS Drive
Wsusutil
Movecontent
Which Modules?
Default Documents
Physical Path
Security
Authentication
Basic (Not Secure)
Digest
Windows
Web-Based or Form-Based
Config:
IIS 6.0 -> Registry
IIS 7.0 -> Text
Virtual Directory
Redirection
Confidentiality + Authentication:
SRV Authentication (Computer Account/Pre-shared key/Certificate) & Client Authentication (User Account)
Certificate
Issued by & Issued To
Validation Date
Public Key Infrastructure (PKI)
Public Key: ---.cer
Public + Private Key: ---.pfx (Password)
Self-sign or CA (Private or Public)
3- f(a) = C & f(b) = C => a = b
Example: Data A = Data B -> helps us with Integrity
digiboy.ir , Google.com
4) P.txt + Private Key -> f(x) => C.txt + Public Key -> f(x) => C'.txt ---> Confidentiality + Integrity
5) P.txt + Secret Key -> f(x) => C.txt + Private Key -> f(x) => C'.txt ---> Confidentiality + Integrity
SRV:
1- Submit a request -> .pfx
2- Install or Import
3- Binding
Client:
1- Trust to CA -> CTL
2- Expiration Date
3- Issued To!?
4- Revoke?! -> CRL & CDP: Base CRL & Delta CRL
Certificate Errors?!
1- Feature of NTFS
2- Usecase & Problems
3- How to Encrypt File & Folders
Encryption: Symmetric (AES-256 bits) + Asymmetric (Public Key for Keys) -> Self-signed Certificate
Certmgr.msc
Note: EFS works Transparent
Recovery Agent
Domain Administrator -> For Domain-Based Networks
Certificate for File Recovery
cipher /r
Bind by Policy
Add Recovery Agent
Install Certificate
****** CA ******
Internal CA or Private CA
External CA or Public CA
Root CA
Subordinate CA
Issuer CA
Offline Root CA
Microsoft CA
Stand-Alone (Workgroup & Domain Model)
Enterprise (Domain Model)
Server Manager
1-Install ADCS Role
CA Web Enrollment (IIS)
2-Configure CA
Certlm.msc -> Computer
inetmgr
Certsrv.msc -> CA Management Tool (Console)
Request Filtering?!
Certificate Templates
Pending Requests
properties -> Policy Modules -> Properties
4-Install Certificate
Certmgr.msc -> User
Export?
Extensions
Create Certificates
Web Based
By Service Console
By Certlm Console
By Policy