TestOut Server Pro: Manage and Administer English 3.1.x LESSON PLAN. Revised 2016/05/17

TestOut Server Pro: Manage and Administer English 3.1.x LESSON PLAN Revised 2016/05/17

Table of Contents Course Overview... 4 Course Introduction for Instructors... 5 Section 1.1: Active Directory Overview... 7 Section 1.2: Speeding Up Authentication... 8 Section 1.3: Single Master Operations Roles (FSMO)... 9 Section 1.4: Read Only Domain Controllers (RODCs)... 11 Section 1.5: Virtual Domain Controllers... 13 Section 1.6: Service Accounts... 14 Section 1.7: Maintaining Active Directory... 16 Section 1.8: Restoring Active Directory... 18 Section 2.1: Group Policy Foundation... 20 Section 2.2: Administrative Templates... 23 Section 2.3: Folder Redirection... 25 Section 2.4: Software Deployment... 26 Section 2.5: Security Settings... 28 Section 2.6: Password and Account Policies... 30 Section 2.7: Advanced Auditing... 32 Section 2.8: Preferences... 34 Section 2.9: Group Policy Management... 36 Section 2.10: Management Delegation... 38 Section 3.1: File Server Resource Manager... 39 Section 3.2: Distributed File System... 41 Section 3.3: Distributed File System Replication... 43 Section 3.4: File Encryption... 45 Section 3.5: Disk Encryption... 47 Section 4.1: DNS Name Resolution... 49 Section 4.2: DNS Forwarding and Delegation... 50 Section 4.3: DNS Zone... 52 Section 4.4: DNS Zone Management... 54 Section 4.5: DNS Records... 56 Section 4.6: DNS Options... 58 Section 5.1: Routing... 60 Section 5.2: Network Address Translation (NAT)... 62 Section 5.3: Virtual Private Networks (VPN)... 63 Section 5.4: Network Policy Server... 65 Section 5.5: RADIUS... 67 Section 5.6: Network Access Protection... 69 Section 5.7: DirectAccess... 71 Section 6.1: Windows Software Update Services (WSUS)... 73 Section 6.2: Windows Deployment Services (WDS)... 76 Section 6.3: WDS Image Management... 78 Section 6.4: Performance Monitor... 80 Section 6.5: Event Viewer... 82

Section 6.6: Network Monitor... 84 Server Pro: Manage and Administer Practice Exams... 85 Microsoft 70-411 Practice Exams... 86 Appendix A: Approximate Time for the Course... 87 Appendix B: Exam 70-411: Administering Windows Server 2012 Objectives... 90 Appendix C: Server Pro: Manage and Administer Objectives... 96

Course Overview This course prepares students for TestOut s Server Pro: Manage and Administer exam and Microsoft s 70-411 certification exam. Module 1 Active Directory This module teaches the students details about using Active Directory. This will include authentication, FSMO, RODCs, and maintaining and restoring Active Directory. Module 2 Group Policy In this module students will learn about creating, configuring and managing GPOs. Module 3 File Services This module teaches students about controlling and organizing file resources and protecting access to data. Module 4 DNS This module examines name resolution, resolving queries for records, creating and managing DNS zones, and creating DNS records. Module 5 Remote Access Management In this module students will learn concepts about managing remote access. This includes understanding and configuring routers, securing communications over an untrusted network, authorizing remote clients and protecting access to a network. Module 6 Server Management This module discusses management of server such as, updating software, deploying operating systems, and monitoring server, logs, and network traffic. Practice Exams In Practice Exams students will have the opportunity to test themselves and verify that they understand the concepts and are ready to take the certification exam. The practice exams contain examples of the types of questions that a student will find on the actual exam: Microsoft 70-411 Practice Exams Server Pro: Manage and Administer Practice Exams

Course Introduction for Instructors This course provides students with the knowledge to become industry certified as a Windows professional. It prepares the student for the following exams: Microsoft s 70-411: Administering Windows Server 2012 TestOut s Server Pro: Manage and Administer Microsoft s 70-411: Administering Windows 2012 certification measures the students ability to administer, configure, and manage Windows Server 2012 operating system. The following knowledge domains are addressed: Deploy, manage, and maintain servers Configure file and print services Configure network services and access Configure a network policy server infrastructure Configure and manage Active Directory Configure and manage Group Policy Note: MS 70-411 objectives are listed in Appendix B: 70-411: Administering Windows Server 2012 Objectives TestOut s Server Pro: Manage & Administer certification measures the students ability to perform real-world job skills using the Windows Server 2012 operating system. The following knowledge domains are addressed: Active Directory Management Group Policy Configuration File Services Management DNS Configuration Routing Configuration Routing and Remote Access Configuration Deployment Management Note: TestOut s Server Pro: Manage & Administer objectives are listed in Appendix C: Server Pro: Manage and Administer Objectives The section introductions in LabSim and the lesson plans list the objectives that are met for each of the exams in that section.

The following icons are placed in front of lesson items in LabSim to help students quickly recognize the items in each section: = Demonstration = Exam = Lab/Simulation = Text lesson or fact sheet = Video The video and demonstration icons are used throughout the lesson plans to help instructors differentiate between the timing for the videos and demonstrations. In the lesson plans the Total Time for each section is calculated by adding the approximate time for each section which is calculated using the following elements: Video/demo times Approximate time to read the text lesson (the length of each text lesson is taken into consideration) Simulations (5 minutes is assigned per simulation. This is the amount of time it would take for a knowledgeable student to complete the lab activity. Plan that the new students will take much longer than this depending upon their knowledge level and computer experience.) Questions (1 minute per question) Note: Appendix A: Approximate Time for the Course contains the approximate time for each section which are totaled for the entire course.

Section 1.1: Active Directory Overview Summary This section provides an overview of Active Directory. Concepts covered include: Active Directory: o Centralized database o Contains user account and security information o Hierarchical framework with the following components: Domain Object Organization Unit (OU) Generic Containers Trees and Forests Domain Controller Sites and Subnets o NTDS.dit database file: Data table Link table Security descriptor (SD) Lecture Focus Questions: Why is DNS important for Active Directory? What is the purpose of the schema? What are the advantages of using organizational units over generic containers? What is the difference between a tree and a forest? How can you tell when a new domain starts a new tree? How does a site differ from a domain? Video/Demo Time 1.1.1 Overview of Active Directory 8:13 Number of Exam Questions 7 questions Total Time About 20 minutes

Section 1.2: Speeding Up Authentication Summary This section provides information about speeding up authentication in the case of multiple-domain and multiple-site design. Features to improve performance in these situations include: Global Catalog Universal Group Membership Caching (UGMC) Global Catalog vs UGMC Lightweight Directory Access Protocol (LDAP) Students will learn how to: Add or remove the global catalog from a domain controller. Enable Universal Group Membership Caching for a site. Server Pro: Manage and Administer Exam Objectives: 1.0 Active Directory Management. o Implement Global Catalog Servers o Implement Universal Group Membership Caching (UGMC) 70-411 Exam Objectives: 502. Configure Domain Controllers. o Configure Universal Group Membership Caching (UGMC) Lecture Focus Questions: What are the advantages of having more than one Global Catalog server? Why does a single domain network not need a Global Catalog server? What is the function of Universal Group Membership caching? When should Universal Group Membership caching be implemented? When would you use global catalog servers instead? Video/Demo Time 1.2.1 Authentication Overview 4:47 1.2.2 Global Catalog Servers and UGMC 2:23 Total 7:10 Lab/Activity Configure Global Catalog Servers Enable Universal Group Membership Caching Number of Exam Questions 8 questions Total Time About 30 minutes

Section 1.3: Single Master Operations Roles (FSMO) Summary This section provides details about Single Master Operations Roles (FSMO). Students will learn about: The role of operations master roles Operation roles at the forest levels: o Schema master o Domain naming master Operation roles at the domain levels: o Relative ID (RID) Master o Primary Domain Controller (PDC) Emulator o Infrastructure Master Considerations about using operations master roles Recommendations when designing operations master roles placement Managing operations master role placement Tools to manage operations master role placement: o MMC Snap-in Management Tool o Ntdsutil.exe Details about the standby operations master Students will learn how to: Transfer operation master roles among domain controllers. Troubleshoot operation master roles to diagnose network problems. Seize an operation master role in the case of a failed role operations master. Server Pro: Manage and Administer Exam Objectives: 1.0 Active Directory Management. o Manage Flexible Single-Master Operation (FSMO) roles 70-411 Exam Objectives: 502. Configure Domain Controllers. o Transfer and seize operations masters

Lecture Focus Questions: What is the purpose of an operation master role server? What is the function of a PDC emulator? What does the infrastructure master do? Which operations master roles are located at the forest level? How many of these roles are there in a forest? How many domain operations masters are in a forest? You are installing a new domain controller in a new domain in an existing forest. How many operation master roles will that server hold? What might happen if the RID master becomes unavailable? Which role(s) should be placed on a global catalog server? Which roles should not? What is the difference between transferring a role and seizing a role? Video/Demo Time 1.3.1 Overview of FSMO Roles 10:00 1.3.2 FSMO Role Transfer/Failure 2:38 1.3.3 Viewing FSMO Roles 4:11 1.3.5 Transferring FSMO Roles 4:18 1.3.6 Seizing FSMO Roles 4:41 Total 25:48 Lab/Activity Transfer RID and PDC Masters Transfer the Infrastructure Master Troubleshoot Operations Masters Number of Exam Questions 7 questions Total Time About 55 minutes

Section 1.4: Read Only Domain Controllers (RODCs) Summary This section provides information about deploying Read Only Domain Controllers (RODCs). Details covered include: Features of RODCs: o Administrator role separation o Unidirectional replication o Read-only data o Password replication o DNS Server service Installing RODC Students will learn how to: Pre-create RODC accounts in Active Directory. Install an RODC. Server Pro: Manage and Administer Exam Objectives: 1.0 Active Directory Management. o Implement a Read Only Domain Controller (RODC) 70-411 Exam Objectives: 502. Configure Domain Controllers. o Install and configure a read-only domain controller (RODC) Lecture Focus Questions: What is the purpose of administrator role separation? How does unidirectional replication protect your network? How does using an RODC allow for domain logon in the event of a WAN link failure? How do DNS zones work differently on an RODC? What are the forest functional level requirements for installing an RODC? Which operating system versions must run on the PDC emulator? Which permissions do you need to install an RODC?

Video/Demo Time 1.4.1 Read Only Domain Controllers (RODCs) 6:46 1.4.3 Pre-creating the RODC Account 7:19 Total 14:05 Lab/Activity Create RODC Accounts Number of Exam Questions 6 questions Total Time About 30 minutes

Section 1.5: Virtual Domain Controllers Summary This section discusses creating virtual domain controllers. Details covered include: Issues concerning creating a snapshot of a Virtual Domain Controller and later reverting back to earlier snapshots o Update Sequence Number (USN) rollback o VM-Generation-ID System requirements: o Supported hypervisors o Supported guest operating systems Virtual Domain Controller Cloning System prerequisites before cloning a virtual domain controller: o Supported hypervisors o Supported guest operating systems o PDC Emulator The basic steps for cloning a virtual domain controller 70-411 Exam Objectives: 502. Configure Domain Controllers. o Configure Domain Controller cloning Lecture Focus Questions: Which versions of the Windows operating system support VM- Generation-ID identifiers? Why is the VM-Generation-ID stored in two different locations? What is the advantage of creating a new virtual domain controller by cloning an existing virtual domain controller? Which group must the computer object for the domain controller be a member of to be cloned? Video/Demo Time 1.5.1 Domain Controller Cloning 7:41 Number of Exam Questions 6 questions Total Time About 20 minutes

Section 1.6: Service Accounts Summary This section examines using service accounts to allow an application or service to interact with the operating system. Concepts covered include: Categories of service accounts: o Built-in local user account o Domain user account o Managed service account o Virtual account o Group managed service account Requirements to use managed or virtual accounts Common service account cmdlets: o New-ADServiceAccount o Get-ADServiceAccount o Set-ADServiceAccount o Remove-ADServiceAccount o Install-ADServiceAccount Considerations when using group managed service accounts Students will learn how to: Create a service account. Create a managed service account and a group managed service account. 70-411 Exam Objectives: 501 Configure service authentication. o Create and configure Service Accounts o Create and configure Group Managed Service Accounts o Create and configure Managed Service Accounts o Configure Kerberos delegation o Manage Service Principal Names (SPNs) o Configure virtual accounts

Lecture Focus Questions: What are the differences between a managed service account and a virtual service account? Which operating system is required to manage a service with a managed service account? Which Windows PowerShell cmdlet will create a new managed service account? If you have a domain controller running Windows Server 2003, how can you still use a virtual account? Video/Demo Time 1.6.1 Overview of Service Accounts 2:55 1.6.2 Kerberos Delegation 2:33 1.6.3 Creating Service Accounts 10:32 1.6.4 Creating Managed Service Accounts 5:13 1.6.5 Creating Group Managed Service Accounts 7:43 1.6.6 Configuring Virtual Accounts 1:25 Total 30:21 Number of Exam Questions 8 questions Total Time About 45 minutes

Section 1.7: Maintaining Active Directory Summary In this section students will learn details about maintaining Active Directory. Concepts covered include: Considerations when performing a system state backup Using the Group Policy Management console to back up and restore only Group Policy data Steps to make and use snapshots of the Active Directory database Tasks that can be performed from the command using the NTDSUtil command o Changing the recovery mode password o Cleaning the metadata o Manually compacting the database o Manually moving the database and log files Students will learn how to: Back up Active Directory and the SYSVOL. Create and mount an Active Directory snapshot. Use the NTDSUtil command to manage and optimize Active Directory from the command line. Server Pro: Manage and Administer Exam Objectives: 1.0 Active Directory Management. o Backup Active Directory 70-411 Exam Objectives: 503 Maintain Active Directory. o Back up Active Directory and SYSVOL o Manage Active Directory offline o Optimize an Active Directory database o Clean up metadata o Configure Active Directory snapshots

Lecture Focus Questions: Which backup type should you perform if you want to protect Active Directory? What are the requirements for performing a system state backup? When using the dsamain command with the /dbpath option to expose a snapshot through an LDAP server, why can't you use port 389? Which port should you use? Using NTDSUtil, which tasks can you perform to manage the Active Directory? Video/Demo Time 1.7.1 Backing up Active Directory 2:10 1.7.2 Backing up AD and the SYSVOL 2:36 1.7.4 Managing AD Snapshots 7:51 1.7.7 Active Directory Maintenance 4:17 1.7.8 Using NTDSUtil 12:25 Total 29:19 Lab/Activity Back up Active Directory Number of Exam Questions 8 questions Total Time About 50 minutes

Section 1.8: Restoring Active Directory Summary This section discusses methods of restoring Active Directory. Details include: Active Directory Recycle Bin: o Requirements o Enabling the Recycle Bin Steps to enable the Recycle Bin in an existing forest Considerations when using the Recycle Bin to restore delete Active Directory objects Types of restoration available when restoring Active Directory: o Nonauthoritative o Authoritative Methods for performing a domain controller restore: o Reinstalling Active Directory o Nonauthoritative system state restore o Authoritative system state restore o Critical volume or Bare metal recovery Set the Burflags registry settings at the domain controller to perform a restore to all replicas in the domain: o D2 performs a nonauthoritative restore o D4 performs an authoritative restore Methods to restore lost Active Directory data: o LostAndFound container o Nonauthoritative restore o Authoritative restore o Active Directory Recycle Bin o Database snapshot Warning and solution of a problem where group membership will not be restored when you restore Active Directory objects with an authoritative restore Students will learn how to: Use the AD Recycle Bin to recover AD deleted objects. Use the Administrative Center to recover a user. Use the PowerShell command to recover a user. Perform an authoritative restore using NTDSUtil.

70-411 Exam Objectives: 503 Maintain Active Directory. o Perform object- and container-level recovery o Perform Active Directory restore o Configure and restore objects by using the Active Directory Recycle Bin Lecture Focus Questions: What is the difference between an authoritative and a nonauthoritative restore? Why might group membership not be restored with an authoritative restore? When would this problem exist and how can you overcome it? Which forest functional level is required for the Active Directory Recycle Bin? What are the differences when a deleted object lifetime expires versus when a recycled object lifetime expires? Video/Demo Time 1.8.1 Restoring Active Directory 6:56 1.8.2 Active Directory Recycle Bin 6:28 1.8.4 AD Restore 10:00 Total 23:24 Number of Exam Questions 12 questions Total Time About 45 minutes

Section 2.1: Group Policy Foundation Summary This section discusses creating and managing Group Policy objects. Details include: GPO settings: o Undefined o Defined Considerations when you configure GPO settings Intervals that Windows refreshes the effective Group Policy settings Gpupdate command switches to manually refresh group policy settings: o No switch o /force o /target:user o /target:computer o /boot o /logoff Group Policy inheritance: o The order in which GPOs are applied o Effective GPO settings o Categories: Computer policies User policies Methods to customize how GPO settings are applied: o Block inheritance o Enforced o GPO Permissions o Disabling a GPO link o Disabling a part of the GPO o WMI filtering o Loopback processing o Slow link detection o Group Policy caching o Account policies Guidelines when you use GPOs to deploy GPOs Students will learn how to: Create and link Group Policy objects. Modify and control Group Policy processing order. Control how group policies are processed by configuring Group Policy slow link detection and loopback processing. Troubleshoot Group Policy from a workstation using gpresult and RSOP.

Troubleshoot Group Policy from a server using Group Policy Modeling and Group Policy Results. Block inheritance to domain controllers and member servers. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Manage Group Policy processing order 70-411 Exam Objectives: 601 Configure Group Policy processing. o Configure processing order and precedence o Configure blocking of inheritance o Configure enforced policies o Configure security filtering and WMI filtering o Configure loopback processing o Configure and manage slow-link processing o Configure client-side extension (CSE) behavior Lecture Focus Questions: What is the difference between deleting a GPO and deleting a GPO link? What is an undefined GPO setting? How does this affect the effective settings for a user or computer? When are Group Policy settings refreshed? How do you manually refresh Group Policy settings? What will determine the effective Group Policy setting when an individual setting is configured in two different GPOs? When are computer policies enforced? User policies enforced? How do you prevent inheritance from being blocked for a specific GPO?

Video/Demo Time 2.1.1 Group Policy Processing Order 4:51 2.1.2 Linking GPOs 4:04 2.1.3 Modifying GPO Processing Order 4:34 2.1.4 Modifying GPO Processing Order 8:54 2.1.5 Loopback Processing and Slow Link Detection 2:25 2.1.6 Loopback Processing and Slow Link Detection 8:16 2.1.7 Configuring Group Policy Caching 3:54 2.1.9 Troubleshooting Group Policy 8:51 Total 45:49 Lab/Activity Control GPO Inheritance Configure GPO Permissions Number of Exam Questions 10 questions Total Time About 70 minutes

Section 2.2: Administrative Templates Summary This section discusses using Administrative Templates. Concepts covered include: Prior to Windows Server 2008, the Administrative Template format was.adm files The process to work with.adm files Older adm file format has been replaced on Windows Server 2008 (and later) by the following: o.admx files o.adml files ADMX files are saved on the local computer in the %systemroot%\policydefinitions folder The central storage location for.admx and.adml files on a domain controller is SYSVOL\domain_name\Policies\PolicyDefinitions folder Students will learn how to: Import custom Administrative Templates. Use the ADMX Migrator to convert older.adm Administrative Templates to the new.admx format. Configure property filters for Administrative Templates. Create a Central Store to share.admx files with multiple computers. Server Pro: Manage and Administer Exam Objectives: 1.0 Group Policy Configuration. o Create custom administrative templates by importing GPOs 70-411 Exam Objectives: 602 Configure Group Policy settings. o Configure settings including software installation, folder redirection, scripts, and administrative template settings o Import security templates o Import custom administrative template file o Convert administrative templates using ADMX Migrator o Configure property filters for administrative templates

Lecture Focus Questions: What is the Administrative Template central store and where is it located? What are the advantages of the.admx file format? What is the function of.adml files? Video/Demo Time 2.2.1 Custom Administrative Templates 1:50 2.2.2 Importing Custom Administrative Templates 3:58 2.2.4 Converting Administrative Templates 4:06 2.2.5 Configuring Property Filters 2:18 2.2.6 Central Stores 1:45 2.2.7 Creating a Central Store 3:52 2.2.8 Exploring Admin Template Settings 6:48 Total 24:37 Lab/Activity Import a GPO Number of Exam Questions 6 questions Total Time About 35 minutes

Section 2.3: Folder Redirection Summary In this section students will learn the benefits of folder redirection and how to configure folder redirection. Students will learn how to: Configure folder redirection to move the contents of the Documents folder to a new location. 70-411 Exam Objectives: 602 Configure Group Policy settings. o Configure settings including software installation, folder redirection, scripts, and administrative template settings Lecture Focus Questions: Why would you choose to use folder redirection? What is the difference between basic redirection and advanced redirection? A folder that has been redirected appears to be on the local system, but where is it actually stored? Video/Demo Time 2.3.1 Folder Redirection 1:52 2.3.2 Configuring Folder Redirection 3:59 Total 5:51 Number of Exam Questions 5 questions Total Time About 10 minutes

Section 2.4: Software Deployment Summary In this section students will learn about the software deployment lifecycle. Details in this section include: Steps in the software deployment lifecycle: o Plan o Deploy o Manage (Upgrade) o Remove Guidelines when you manage software distribution Students will learn how to: Assign and publish software installer packages. Configure software installation packages to customize deployment and removal. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Deploy software using Group Policy 70-411 Exam Objectives: 602 Configure Group Policy settings. o Configure settings including software installation, folder redirection, scripts, and administrative template settings Lecture Focus Questions: What is the difference between assigned and published software? Why should you use the UNC path to an installer package rather than the local path? What does it mean when a user or computer is outside of the scope of management for a software installation package? What happens to the software when this condition exists?

Video/Demo Time 2.4.1 Software Deployment 2:43 2.4.2 Deploying Software with a GPO 14:38 Total 17:21 Lab/Activity Assign Software Deploy Software 1 Deploy Software 2 Number of Exam Questions 14 questions Total Time About 50 minutes

Section 2.5: Security Settings Summary This section examines the following common GPO security setting categories: Account Policies Local Policies/Audit Policy Local Policies/User Rights Assignment Local Policies/Security Options Windows Firewall with Advanced Security Network List Manager Policies Public Key Policies Software Restriction Policies Application Control Policies IP Security Policies Advanced Audit Policy Configuration Event Log Restricted Groups System Services Registry File System Wireless Network Students will learn how to: Configure, save, and import a security template. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Implement the following GPO policies: Security Advanced audit 70-411 Exam Objectives: 602. Configure Group Policy settings. o Import security templates

Lecture Focus Questions: What is the difference between a user right and a security option? Under what conditions are Account Policies in effect? What are some of the User Rights Assignments you might consider using? What is the function of the Network List Manager Policies? Video/Demo Time 2.5.1 Security Options 1:43 2.5.2 Creating Security Templates 10:10 Total 11:53 Lab/Activity Configure Security Options Number of Exam Questions 7 questions Total Time About 30 minutes

Section 2.6: Password and Account Policies Summary This section covers password and account policies. Concepts covered include: Password Policy: o Enforce password history o Maximum password age o Minimum password age o Minimum password length o Password must meet complexity requirements o Store passwords using reversible encryption Account Lockout Policy: o Account lockout duration o Account lockout threshold o Reset account lockout after Considerations when managing account policies Kerberos policies: o Enforce user logon restrictions o Maximum lifetime for service ticket o Maximum lifetime for user ticket o Maximum lifetime for user ticket renewal o Maximum tolerance for computer clock synchronization The role of granular password policies Facts about granular password policies Using ADSI Edit to create a PSO Managing granular passwords using Active Directory Administrative Center Students will learn how to: Configure and manage Account Policy settings. Use ADSI Edit to configure granular password policy settings. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Implement the following GPO policies: Account Fine-grained password 70-411 Exam Objectives: 504. Configure account policies.

o Configure domain user password policy o Configure and apply Password Settings Objects (PSOs) o Delegate password settings management o Configure local user password policy o Configure account lockout settings o Configure Kerberos policy settings Lecture Focus Questions: Users in a network have to change their passwords every 30 days, but many users have reported that they simply enter the same password to make the change. Which policy can you configure to prevent this? What is the effect of setting the minimum password age account policy to 5 days? How can you prevent users from creating passwords like desk, mom, chair, or office? What is the effect of setting the account lockout policy to 0? What happens when you configure the Account Policies settings in a GPO linked to an OU? How can you configure different account policy settings for different users? Which object types can you associate with a granular password policy? A user has a granular password policy applied directly to the user account, and a different policy applied to a group of which the user is a member. Which policy will be in effect? Video/Demo Time 2.6.1 Password Policies 2:09 2.6.2 Configuring Domain User Password Policy 4:30 2.6.3 Configuring Account Lockout 2:18 2.6.4 Configuring Local Password Policies 3:11 2.6.5 Configuring Kerberos Policy Settings 6:47 2.6.8 Creating a Fine-grained Password Policy 9:25 Total 28:20 Lab/Activity Configure Account Policies Create a Fine-grained Password Policy Number of Exam Questions 14 questions Total Time About 60 minutes

Section 2.7: Advanced Auditing Summary This section provides information about 53 new auditing capabilities that have been integrated with Group Policy. Concepts covered include: Details about the advanced audit policy configuration Categories of the 53 new auditing policy settings: o Account Logon o Account Management o Detailed Tracking o DS Access o Logon/Logoff o Object Access o Policy Change o Privilege Use o System o Global Object Access Auditing Students will learn how to: Use Group Policy to enforce auditing and secure audit logs. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Implement the following GPO policies: Advanced audit 70-411 Exam Objectives: 204. Configure advanced audit policies. o Implement auditing using Group Policy and AuditPol.exe o Create expression-based audit policies o Create removable device audit policies Lecture Focus Questions: What is the difference between auditing for success and auditing for failure? How can you configure auditing to track changes to Active Directory objects? What is the result of excessive auditing? Why should you design periodic reviews of audit logs?

Video/Demo Time 2.7.1 Advanced Audit Policies 7:22 2.7.2 Auditing Folder Access 14:46 Total 22:08 Lab/Activity Configure Advanced Auditing Configure Removable Device Auditing Number of Exam Questions 12 questions Total Time About 45 minutes

Section 2.8: Preferences Summary This section discusses using Group Policy preferences to configure, deploy, and manage operating system and application settings that you cannot manage using Group Policy settings. Details covered include: Comparison of characteristics of Group Policy preferences to Group Policy settings Facts about Group Policy preferences Group Policy preferences: o Drive maps o Environment o Files Folders o Ini Files o Network shares o Registry o Shortcuts o Devices o Folder options o Internet settings o Local users and groups o Network options o Power options o Printers o Regional options o Scheduled tasks o Services o Start menu Students will learn how to: Configure Group Policy preferences in a GPO. Deploy shortcuts in a GPO. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Configure Group Policy Preferences

70-411 Exam Objectives: 604 Configure Group Policy preferences. o Configure Group Policy Preferences (GPP) settings including printers, network drive mappings, power options, custom registry settings, Control Panel settings, Internet Explorer settings, file and folder deployment, and shortcut deployment. o Configure item-level targeting Lecture Focus Questions: What is the main difference between Group Policy preferences and Group Policy settings? Which types of applications and operating system features does Group Policy preferences support? How do you configure Group Policy preferences? What are the operating system prerequisites for applying Group Policy preferences? Video/Demo Time 2.8.1 Group Policy Preferences 1:58 2.8.2 Configuring Group Policy Preferences 7:47 Total 9:45 Lab/Activity Configure Internet Explorer Settings in a GPO Configure Power Options in a GPO Deploy Desktop Shortcuts in a GPO Number of Exam Questions 6 questions Total Time About 35 minutes

Section 2.9: Group Policy Management Summary This section examines management of Group Policy objects. Concepts covered include: Considerations when you manage Group policy objects Methods to create another GPO from an existing GPO: o Copy o Backup and Import o Starter GPO Using cmdlets in the Group Policy module for Windows PowerShell to manage domain-based GPOs Common GPO management cmdlets include: o New-GPO o Copy-GPO o Get-GPO o Backup-GPO o Remove-GPO o Rename-GPO o Restore-GPO o Import-GPO o New-GPLink o Set-GPLink o Remove-GPLink o New-GPStarterGPO The dcgpofix command switches to restore the default group Policy objects to their original state: o /target:dc o /target:domain o /target:both o /ignoreschema Using the Remote Group Policy update Updating Group Policy using the Group Policy Management console Students will learn how to: Back up and restore a GPO. Create and configure a migration table to migrate domain-specific settings. Restore default GPOs to what they were initially when Active Directory was installed.

Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Backup and restore GPOs 70-411 Exam Objectives: 603. Manage Group Policy objects (GPOs). o Back up, import, copy, and restore GPOs o Create and configure Migration Table o Reset default GPOs o Force Group Policy update Lecture Focus Questions: What is the difference between deleting a GPO and deleting a GPO link? How can you copy a GPO from one domain to another? How can you copy starter GPOs? Which tools can you use to manage GPOs and GPO links? When moving GPOs from one domain to another, how do you handle settings that are domain-specific and cannot be copied directly? Video/Demo Time 2.9.1 Group Policy Management 1:26 2.9.2 Managing GPOs 5:14 2.9.5 Migration Tables 1:10 2.9.6 Configuring Migration Tables 4:26 2.9.7 GPO Default Setting 1:31 2.9.8 Resetting GPO Defaults 3:18 2.9.9 Forcing Group Policy Updates 1:15 Total 18:20 Lab/Activity Back Up a GPO Restore a GPO Number of Exam Questions 9 questions Total Time About 40 minutes

Section 2.10: Management Delegation Summary This section examines delegating out Group Policy management. Students will learn how to: Create a GPO and delegate the management of particular tasks for all GPOs to a specified group. Use the Delegation of Control Wizard to delegate common administrative tasks. Server Pro: Manage and Administer Exam Objectives: 2.0 Group Policy Configuration. o Delegate GPO management 70-411 Exam Objectives: 603. Manage Group Policy objects (GPOs). o Delegate Group Policy management Lecture Focus Questions: What is the two-step procedure required to delegate Group Policy object management? Which tools are required to complete a delegation of management? Video/Demo Time 2.10.1 GPO Management Delegation 1:07 2.10.2 Delegating GPO Management 4:30 2.10.4 Delegating Password Management 4:24 Total 10:01 Lab/Activity Delegate GPO Creation Delegate Administrative Control Number of Exam Questions 6 questions Total Time About 25 minutes

Section 3.1: File Server Resource Manager Summary This section provides details of using the File Server Resource Manager to allow administrators to understand, control, and manage the quantity and type of data stored on their servers. Concepts covered include: FSRM is installed as a role service of the File Services role Key FSRM features: o Quotas o Notifications o File Screening o Storage Reports o File Classification o File Management Methods for configuring quotas for Windows Server: o NTFS Disk Quotas o FSRM Folder and Volume Quotas Students will learn how to: Configure volume and folder quotas. Create quota templates. Configure file screens and file screen exceptions. Generate FSRM reports for both quotas and overall file system use. Schedule FSRM reports. Server Pro: Manage and Administer Exam Objectives: 3.0 File Services Management. o Configure FSRM quotas o Configure FSRM file screens 70-411 Exam Objectives: 202 Configure File Server Resource Manager (FSRM). o Install the FSRM role o Configure quotas o Configure file screens o Configure reports

Lecture Focus Questions: What are the primary differences between disk quotas with NTFS and quotas implemented through FSRM? How does a soft quota differ from a hard quota? How do quota templates facilitate quota management? What is the difference between a quota and a file screen? How is an active file screen more restrictive than a passive file screen? How can you automatically assign classification information to files? What can you accomplish with the file expiration task? Video/Demo Time 3.1.1 File Server Resource Manager (FSRM) 2:49 3.1.2 Installing FSRM 1:07 3.1.4 FSRM Quotas 4:59 3.1.6 File Screens 4:41 3.1.8 Configuring Reports 3:32 Total 17:08 Lab/Activity Add Role Services for FSRM Configure FSRM Quotas Configure FSRM File Screens Number of Exam Questions 15 questions Total Time About 50 minutes

Section 3.2: Distributed File System Summary This section discusses using the Distributed File System (DFS) to provide a way to logically organize shared folders on multiple servers into a single logical folder hierarchy called a namespace. Concepts covered include: DFS Namespaces include the following components: o Namespace o Namespace server o Namespace root o Folder Namespace types and criteria: o Stand-alone o Domain-based Considerations when managing DFS Namespaces Students will learn how to: Create a DFS namespace with folders and targets. Add role services as required to support DFS and the appropriate replication method. Server Pro: Manage and Administer Exam Objectives: 3.0 File Services Management. o Implement DFS replication 70-411 Exam Objectives: 201. Configure Distributed File System (DFS). o Install and configure DFS namespaces Lecture Focus Questions: What is the difference between the namespace root and a folder within DFS? If you have multiple namespace servers, which namespace type should you implement? Which namespace type and mode would you choose to support accessbased enumeration? If you have a single namespace server and that server fails, what happens to client access for folders within the DFS structure? Why?

How can you prevent users from adding or changing files in a replicated folder? Video/Demo Time 3.2.1 DFS Namespaces and Replication 4:54 3.2.2 Installing a DFS Namespace 4:38 Total 9:32 Lab/Activity Add Role Services for DFS and Create a Namespace Number of Exam Questions 6 questions Total Time About 25 minutes

Section 3.3: Distributed File System Replication Summary This section discusses using the Distributed File System replication to increase fault tolerance and improve access. Concepts covered include: Components that DFS replication uses to control replications: o Replication group o Replicated folder o Connection Considerations when configuring DFS Cloning the DFS database in Windows Server 2012 R2 Recovering a corrupted database using DFS Replication in Windows Server 2012 R2 Optimization strategies for DFS: o Fault tolerance o Referrals o Remote Differential Compression (RDC) o Polling o Staging o Single-master Students will learn how to: Configure DFS replication of folder targets. Create and configure a replication schedule. Manage and optimize DFS by configuring staging and fault tolerance. Server Pro: Manage and Administer Exam Objectives: 3.0 File Services Management. o Implement DFS replication 70-411 Exam Objectives: 201. Configure Distributed File System (DFS). o Configure DFS Replication Targets o Configure Replication Scheduling o Configure Remote Differential Compression settings o Configure staging o Configure fault tolerance

Lecture Focus Questions: When can you add a failover cluster to a DFS replication group? How does Remote Differential Compression conserve bandwidth? Adam, Bob, and Curt access different copies of a replicated folder and modify the same file simultaneously. When each of them saves the file, which file becomes the authoritative copy? What happens to the other copies of this file? Video/Demo Time 3.3.1 Staging and Fault Tolerance 12:00 3.3.2 Configuring DFS Replication Targets 6:53 3.3.3 Cloning the DFS Database 10:58 3.3.5 Optimizing DFS 10:00 Total 39:51 Number of Exam Questions 9 questions Total Time About 55 minutes

Section 3.4: File Encryption Summary In this section students will learn about protecting data through file and disk encryption. Concepts covered include: Components of EFS: o Encryption Process o Access to Encrypted Data o EFS-Related Group Policy o Encrypted Data Management o Remote Storage o Certificate Management Students will learn how to: Encrypt or decrypt a file or folder. Add authorized users to allow encrypted file access. Designate DRAs for file recovery. Configure EFS settings in Group Policy. Server Pro: Manage and Administer Exam Objectives: 3.0 File Services Management. o Encrypt files and folders with EFS 70-411 Exam Objectives: 203. Configure file and disk encryption. o Configure the EFS recovery agent o Manage EFS and Bitlocker certificates including backup and restore Lecture Focus Questions: What is the importance of the DRA in the encryption process? Which users have access to encrypted files and folders? What is the relationship between encryption and compression? What is the significance of encrypting the pagefile? How does Rekeywiz affect your encryption deployment?

Video/Demo Time 3.4.1 Overview of EFS 2:25 3.4.2 EFS Recovery Agents 2:38 3.4.3 Encrypting a Folder 8:38 3.4.4 Designating an EFS Recovery Agent 11:49 3.4.5 Managing EFS Certificates 6:31 Total 32:01 Lab/Activity Encrypt a Folder Number of Exam Questions 11 questions Total Time About 50 minutes

Section 3.5: Disk Encryption Summary In this section students will learn about using BitLocker to protect unauthorized data access on lost, stole or otherwise compromised systems. Concepts covered include: BitLocker key is required to access the contents of the encrypted volume BitLocker uses integrity checking BitLocker is only available on: o Windows Vista Ultimate and Enterprise editions o Windows 7 Ultimate and Enterprise editions o Windows 8 Professional and Enterprise editions o Windows Server 2008 or Windows Server 2008 R2 o Windows Server 2012 BitLocker is not installed by default BitLocker To Go Components of BitLocker: o BitLocker partition o Trusted Platform Module (TPM) o Non-TPM device support How BitLocker differs from the Encrypting File System (EFS) Security components of a BitLocker configuration: o TPM owner password o Recovery key o PIN o Startup key o Data volume key o Data Recovery Agent o Network Unlock BitLocker modes which determine the security level: o TPM-only o TPM with startup key o TPM with PIN o TPM with PIN and startup key o Without a TPM How to configure and manage BitLocker Students will learn how to: Generate recovery keys and create a BitLocker DRA. Configure BitLocker on a computer with a TPM.

Server Pro: Manage and Administer Exam Objectives: 3.0 File Services Management. o Encrypt the server hard disk with BitLocker 70-411 Exam Objectives: 203. Configure file and disk encryption. o Configure BitLocker encryption o Configure the Network Unlock feature o Configure BitLocker policies o Manage EFS and BitLocker certificates including backup and restore Lecture Focus Questions: When implementing BitLocker, why is it a good idea to run a system check before encrypting the drive? What is the difference in function between BitLocker and BitLocker To Go? When using BitLocker, what are the requirements of the Trusted Platform Module? How can you implement BitLocker without a TPM? What would happen if BitLocker were enabled, and the USB flash device which holds the key were to be lost? Video/Demo Time 3.5.1 BitLocker Disk Encryption 11:35 3.5.2 Configuring BitLocker Encryption 11:40 Total 23:15 Lab/Activity Configure BitLocker with a TPM Number of Exam Questions 15 questions Total Time About 50 minutes

Section 4.1: DNS Name Resolution Summary This section provides details of how DNS Name Resolution maps logical host names to IP addresses. Concepts covered include: A DNS server holds a database of hostnames and their corresponding IP addresses HOSTS file Components of the DNS hierarchy: o.dot domain (also called the root domain) o Top Level Domains (TLDs) (.com,.edu,.gov) o Second-level and additional domains o Hosts Fully Qualified Domain Name (FQDN) DNS is a distributed database Caching-only DNS DNS name resolution process for the client DNS name resolution process for the server Lecture Focus Questions: What is the purpose of DNS? How does an FQDN identify a host? What is the difference between a DNS server and a caching-only DNS server? What is the difference between forwarding and recursion? Video/Demo Time 4.1.1 Fully Qualified Domain Names 3:20 4.1.3 Name Resolution 8:17 Total 11:37 Number of Exam Questions 11 questions Total Time About 25 minutes

Section 4.2: DNS Forwarding and Delegation Summary This section provides details of using DNS forwarding and delegation to resolve queries for records. Concepts covered include: The role of a forwarder Methods to control the server s use of forwarders: o Secondary zone o Stub zone o Conditional forwarder o Disable recursion Reasons to perform zone delegation Process to delegate a zone Students will learn how to: Create a root zone. Use DNS Manager to setup forwarding and conditional forwarding to resolve names. Create a delegation to enable name resolution. Server Pro: Manage and Administer Exam Objectives: 4.0 DNS Configuration. o Configure DNS forwarders o Create DNS delegations 70-411 Exam Objectives: 301. Configure DNS zones. o Configure zone and conditional forwards o Configure zone and conditional forward storage in Active Directory o Configure zone delegation Lecture Focus Questions: What is the role of a forwarder? What could be a disadvantage of using secondary zones? Under what circumstances would you choose to set up conditional forwarding? When should you set up zone delegation?

Video/Demo Time 4.2.1 Configuring Forwarding and Root Hints 9:46 4.2.4 Creating a Delegation 4:43 Total 14:29 Lab/Activity Configure Forwarders Delegate Domains Number of Exam Questions 7 questions Total Time About 35 minutes

Section 4.3: DNS Zone Summary This section discusses provides the basic information about creating and using DNS zones. Concepts covered include: Types of DNS zones: o Primary o Secondary o Active Directory-integrated o Stub Zones are classified as one of two types: o Forward lookup zone o Reverse lookup zone Details about zone transfers Tools to update of zone data: o DNS console o Dnscmd command An Active Directory-integrated zone stores DNS information in Active Directory rather than a zone file Students will learn how to: Create a standard primary zone and a standard secondary zone. Create a stub zone to refer requests over to the authoritative server. Create a Primary forward lookup zone and configure it to allow zone transfers to any server. Configure a reverse lookup zone. Create a new zone and configure the zone to be stored in Active Directory. Server Pro: Manage and Administer Exam Objectives: 4.0 DNS Configuration. o Create the following types of DNS zones Primary Secondary Stub Reverse-lookup Active Directory-integrated

70-411 Exam Objectives: 301. Configure DNS zones. o Configure primary and secondary zones o Configure stub zones Lecture Focus Questions: What is the difference between the name resolution of a forward lookup zone and a reverse lookup zone? What are the advantages of using an Active Directory-integrated zone? What are the main difference between a primary zone and a secondary zone? Which tools can you use to manually force an update of zone data? Which type of DNS server can host an Active Directory-integrated zone? What is the function of the Start of Authority (SOA) record? Video/Demo Time 4.3.1 Forward and Reverse Lookup Zones 2:05 4.3.2 Standard DNS Zones 5:57 4.3.3 AD Integrated Zones 5:37 4.3.6 Creating a New Zone 11:29 Total 25:08 Lab/Activity Create Standard Zones Create a Reverse Lookup Zone Create an Active Directory-integrated Zone Number of Exam Questions 8 questions Total Time About 55 minutes

Section 4.4: DNS Zone Management Summary This section discusses management of DNS zones. Concepts covered include: Details about configuring DNS zones Zone data is replicated based on the replication scope: o All domain controllers in this domain o All DNS servers in this domain o All DNS servers in this forest o Application partition Reverse Zone Name Format for: o IPv4 o IPv6 Students will learn how to: Change an existing zone to a different zone type. Configure the properties of an existing zone as needed. Disable zone transfers for a specified zone. Enable Dynamic DNS to minimize DNS administration. Server Pro: Manage and Administer Exam Objectives: 4.0 DNS Configuration. o Manage zone transfers 70-411 Exam Objectives: 302. Configure DNS records. o Configure zone scavenging o Configure record options including Tim to Live (TTL) and weight o Configure secure dynamic updates Lecture Focus Questions: How does replicating DNS information to all domain controllers in the domain affect network traffic versus replicating to all DNS servers in the forest? Which type of zone would you create if you wanted to use secure dynamic updates? What is the purpose of PTR records? What is the zone name format for the reverse lookup network of 1375:2614:DDAB:EE21?