9/30/13

Study notes from September

Working toward the 70-412 exam:

A nifty DHCP icon reference is at http://technet.microsoft.com/en-us/library/gg722802. No such reference is available for DNS icons, but I did learn that if you sign a DNS zone (called DNSSEC), the icon for the zone gets a padlock on it.

Windows Server Backup 2012 can do system state, specific folders, and bare metal restores. Microsoft’s cloud backup (part of Azure) only supports folders at this time. Active Directory site links are bridged by default (which means they can all talk to each other directly). A bridge is a collection of 2+ site links (not the sites themselves). A site link is a collection of 2+ sites that can replicate to each other. To back up a certificate authority, you must be a member of the CA Administrators group or the Backup Operators group. Reviewed Active Directory functional levels.

Studied up on Active Directory Federation Services tonight: watched the first 10 minutes of a video that explains it in simple terms, and the first 38 minutes of a really outstanding video that explains the concept and big idea of identity federation. By the time I started reading this TechNet article about claim rule set types, my eyes had glazed over and I decided that I really need to try this out hands-on. Wikipedia nicely explains claims-based identity. I did learn that you can see computer certificates by function, rather than logical store, in the MMC by simply toggling the view.

Learned about IPAM in this hour-long video by Microsoft evangelist Rick Claus at TechEd Australia 2012. There are also several “Jump Start 2012” training videos with Rick and another guy, such as this one about IIS 8 (dynamic blacklisting, central SSL store), DHCP failover, and IPAM.

Microsoft’s Second Shot program is back – yay!

Hyper-V migration options in Server 2012: No shared storage is required for a “live storage” migration, but a similar processor architecture is required, VHD or VHDX hard disks are required (no pass-through disks), and the Hyper-V hosts must be members of the same AD domain. A “quick” migration can be used in clusters with shared storage – the guest’s state is saved on a node that is then “failed” and the VM is resumed on a “surviving” node. This article lays it all out…and here’s a native-English write-up on Hyper-V migration which is very readable. Here’s an article about Hyper-V failover policy in a clustered environment. If you need to move a Hyper-V guest to a host with a different processor manufacturer (Intel to AMD or vice versa), you need to do an export/import of the VM (page 233 in the 70-417 book). Lastly, if you have a VM with multiple snapshots, you can apply whichever snapshot you want, then export the VM & import it as a new VM - thus giving you a single new VHD to work with, unencumbered by multiple snapshots.

Last night at the office I worked on getting the FreePBX distribution of Asterisk to play happily with the DPMA (Digium Phones Module for Asterisk). This was inspired by the failure of AsteriskNOW 3.0 to work on an HP Proliant rack-mount server. I needed to run yum install avahi to get the mDNS service that the DPMA uses to notify Digium phones of its presence; then deleted the .htaccess files in /var/www/html/admin and /var/www/html/admin/modules to allow the Digium phones to download firmware from the PBX. Also uploaded the client’s logo so it appears on each phone’s display.

Back to Server 2012: in NLB, a non-clustered application will fail over to the host with the lowest numerical host priority.

Active Directory replication – in AD Sites & Services, you can tell a server which partner to replicate with, trigger an immediate replication, and edit the “options” attribute to tell two sites to replicate immediately (within 5 seconds) via change notification rather than waiting the 15 (minimum) to 180 (default) or more minutes for a compressed and scheduled replication. Instant replication on manually created site links. TechNet in-depth explanation of AD replication. Troubleshooting AD replication. Windows PE order of operations.
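Added example (not from the original notes): a PowerShell audit of site-link replication settings, decoding the “options” attribute described above. It assumes the ActiveDirectory module is installed (RSAT or a domain controller); the bit values USE_NOTIFY (0x1), TWOWAY_SYNC (0x2) and DISABLE_COMPRESSION (0x4) are the documented flags of the siteLink options attribute.

```powershell
# Added example, not from the original notes. Requires the ActiveDirectory module.
# Bits of the siteLink "options" attribute: 0x1 USE_NOTIFY (change notification),
# 0x2 TWOWAY_SYNC, 0x4 DISABLE_COMPRESSION. An unset attribute reads as 0.
Import-Module ActiveDirectory

function Get-SiteLinkReplicationAudit {
    [CmdletBinding()]
    param(
        # Links with a longer scheduled interval than this are called out.
        [int]$MaxIntervalMinutes = 180
    )
    Get-ADReplicationSiteLink -Filter * -Properties options |
        ForEach-Object {
            $opts     = [int]($_.options)
            $interval = $_.ReplicationFrequencyInMinutes
            $sites    = ($_.SitesIncluded |
                ForEach-Object { $_ -replace '^CN=([^,]+),.*$', '$1' }) -join ', '
            [pscustomobject]@{
                Name                = $_.Name
                Sites               = $sites
                IntervalMinutes     = $interval
                ChangeNotification  = [bool]($opts -band 0x1)
                TwoWaySync          = [bool]($opts -band 0x2)
                CompressionDisabled = [bool]($opts -band 0x4)
                Finding             = $(
                    if ($opts -band 0x1) { 'notify: replicates within seconds of a change' }
                    elseif ($interval -gt $MaxIntervalMinutes) { "scheduled: interval above $MaxIntervalMinutes min" }
                    else { 'scheduled: compressed, runs on the interval' }
                )
            }
        }
}

# Turn on change notification for one link while preserving the other bits.
function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string]$LinkName)
    $link = Get-ADReplicationSiteLink -Identity $LinkName -Properties options
    $new  = ([int]$link.options) -bor 0x1
    Set-ADReplicationSiteLink -Identity $LinkName -Replace @{ options = $new }
}

Get-SiteLinkReplicationAudit | Format-Table -AutoSize
```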

Trust types:
- External trusts are for AD + NT 4 or a domain not included in a forest trust.
- Realm trusts are for AD + a non-Windows Kerberos 5+ realm (e.g. Unix).
- Forest trusts are for AD forests.
- Shortcut trusts are for situations where a forest trust is present, but slow; the shortcut trust is between two domains so that the chain of authentication is shorter & faster.

The term “transitive” in this context means that subdomains are included; “non-transitive” means that only those particular domains trust each other. The term “selective authentication” means that only explicitly defined security principals from the other forest or domain are authenticated, not everybody in the entire forest or domain.

A Server 2012 cluster can use basic disks as the “witness disk”, but not dynamic ones (reinforcing my aversion to dynamic disks). You can use SMB 3.0 file shares as shared storage for Hyper-V servers in a failover cluster.

Study time: installed an RODC. Learned that PowerShell 3.0 is available for Windows 7 (it ships on Windows 8 & 2012). It includes “Resolve-DnsName”, as an enhanced alternative to NSLookup. Read about DNS Security Extensions - they can replicate automatically to other domain controllers, but for stand-alone DNS servers, you must manually import “Trust Anchors”. You can require Windows 7/8 DNS clients to use DNSSEC for specific DNS suffixes via group policy. DNSLint is a tool for troubleshooting DNS replication. Here’s an article that explains how RODCs handle DNS updates (they send the DNS client an SOA record for a writeable DNS server, then they ask that SOA server for just that single record, to update their own cache – since they can only replicate in, not out).
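Added example (not from the original notes): using the PowerShell 3.0 cmdlets mentioned above to check DNSSEC posture: whether a zone answers with RRSIG records (the signed zone behind the padlock icon), which suffixes group policy forces clients to validate, and which trust points a stand-alone server has imported. It assumes the DnsClient module (Resolve-DnsName, Get-DnsClientNrptPolicy) on the client and the DnsServer module (Get-DnsServerTrustPoint) on the server; the zone and server names are placeholders.

```powershell
# Added example, not from the original notes. DnsClient module on Windows 8 /
# Server 2012; Get-DnsServerTrustPoint needs the DnsServer module on the server.

function Test-ZoneSigned {
    # Query the zone's SOA with the DO (DNSSEC OK) bit set. A signed zone returns
    # RRSIG records next to the data; an unsigned zone (or a server that strips
    # DNSSEC records) returns none, so "Signed" only reports what came back.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$Server   # omit to use the client's configured DNS server
    )
    $query = @{ Name = $ZoneName; Type = 'SOA'; DnssecOk = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    $answer = Resolve-DnsName @query
    $rrsig  = @($answer | Where-Object Type -eq 'RRSIG')
    [pscustomobject]@{
        Zone       = $ZoneName
        Server     = if ($Server) { $Server } else { '(default)' }
        Signed     = $rrsig.Count -gt 0
        RrsigCount = $rrsig.Count
    }
}

function Get-DnssecRequiredSuffixes {
    # NRPT rules delivered by Group Policy that require DNSSEC validation
    # for a DNS suffix (the "require DNSSEC for specific suffixes" setting).
    Get-DnsClientNrptPolicy |
        Where-Object { $_.DnsSecValidationRequired } |
        Select-Object Namespace, DnsSecValidationRequired
}

function Get-ImportedTrustPoints {
    # On a stand-alone (non-AD-integrated) DNS server the anchors are imported
    # by hand; no trust points means that server cannot validate any zone.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerTrustPoint -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object TrustPointName, TrustPointState
}

# Placeholder names; replace with a zone and DNS server from the lab.
Test-ZoneSigned -ZoneName 'corp.example' -Server 'dc1.corp.example' | Format-List
Get-DnssecRequiredSuffixes
Get-ImportedTrustPoints
```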