Course Objectives
When Microsoft announces a new version of Windows, we just
never know whether we're getting mostly bug fixes and tweaks (NT 3.51,
2003 R2), a bushel of sizeable, discrete changes that are nice, but not
earth-shaking (NT 4.0, Server 2008), or a disc full of game-changers (NT
3.5, Windows 2000, Vista).
Give Windows Server 2012 a look, however, and you'll see that it's all three.
2012 includes a completely new storage subsystem that's almost certainly keeping some
SAN vendors up at night. A near-complete focus on virtualization and
remote administration (for example, Server Core is the default
install) clearly drove most of 2012's innovations.
Game-changers all, but they might be outdone by a
completely new file sharing system called Dynamic Access Control that
grants access not just on the basis of group memberships but also on the
basis of your user account attributes, what sort of workstation you're
sitting at and if particular keywords exist in a file.
The new server also contains a lot of
hey-that's-not-essential-but-it's-pretty-cool stuff as well, and plenty
of it. Over two thousand new in-the-box PowerShell tools.
A new software-based NIC teaming feature which makes
that linchpin of high availability affordable by even the smallest
network. And then there's the new DirectAccess, which enables any enterprise to build a
policy-driven and non-user-irritating VPN in essentially a half-dozen
clicks. (It really is that easy: no certs, no IPv6.)
And little fit-and-finish tweaks?
Almost too many to tell. It's no longer dangerous to virtualize a domain
controller. 2008's flexible password policies and 2008 R2's AD
Recycle Bin finally get a GUI as part of enhancements to Active
Directory Administrative Center. Typing long, complex passwords is
no longer a game of blind man's buff, with a small new button that lets
you see what you typed in your logon password field.
We haven't seen this many changes to Server since the turn of the
century, which is pretty cool, but discovering, testing, and analyzing them all could be a pretty daunting
and extremely time-consuming task for
IT professionals and managers whose plates are already over-full...
which is why we created this course. Your course director
and instructor (you never get the second-string instructors at MR&D
seminars!) is Windows Server expert Mark Minasi, the
popular columnist, trusted technical commentator and author of 37 books on
computing topics, including the best-selling line of Mastering Windows
Server books that have sold millions of copies in their nearly
twenty-year lifespan. Mark has been working with Server 2012 since its earliest betas,
enabling him to pass along "just the good stuff," and so
provide an expert guided tour
of what you need to know about Server 2012. You'll learn what's great, what's just
okay, what's forgettable. Even better, Mark gets that done for you
in just two fast, fun, information-packed days that include a bit of
"catch-up" tutorials on storage and cluster technologies.
Many IT shops are "version skippers," rolling out only every other
version of Server to their data centers, and that's often a wise move.
But is skipping 2012 a good idea for your organization? Join Mark and get the
independent answer!
Key Seminar Benefits
- Quickly understand what Server 2012 can (or can't) do for you,
enabling you to start planning sooner
- Know which of Server 2012's new capabilities help your existing
network and desktops, rather than ones that require Windows 8 desktops
- Get tips on installing Server quickly, easily and cheaply
- See dozens of PowerShell examples that will not only show you how to
save time administering
- Save time and avoid having to spend weeks poring through white
papers and Web sites about 2012; get the answers that you want now
from a recognized industry expert
- Understand the four (count 'em, four!) GUI options on Server,
and choose the right one for you
- Configure your system easily with PowerShell and Server Manager
- Get the most out of your NICs with software NIC teaming (and know
when teaming won't help)
- See how to "glue together" several PowerShell cmdlets to create a
better IPConfig
- Offer better DHCP services cheaply with DHCP failover
- Review and fill in your storage and iSCSI knowledge
- See how to set up and manage Windows storage technology with Storage
Spaces, an inexpensive SAN replacement
- Discover why you need fear CHKDSK no more
- Understand how Windows servers provide storage as iSCSI "servers"
- Learn the basics of Windows clusters, see how 2012 improves clusters
and understand what that "active/active" stuff is all about
- Grasp how the new file server SMB 3.0 can replace SAN shared
storage in Server 2012
- Realize how the file server's new encryption and
"multi-TCP" can secure and speed your file services
- Know exactly what the heck the "scale-out file server for
application data" is, and whether or not it can help you
- Discover "access-denied file server remediation" (an obscure
name for a new and improved "access denied" error message) and how to
exploit and configure it to cut down help desk calls
- Survey and then "deep dive" into Dynamic Access Control (DAC), a
completely new way of securing files and file folders to simplify share
permissions, exploit the user information that you've already got in
Active Directory, classify files containing potentially troublesome
data, and more easily use permissions to assist in meeting compliance
requirements like HIPAA or SOX
- Examine the new file classification infrastructure (FCI) component
of DAC, which lets you define file classification types and then
classify files either manually or automatically
- Use Hyper-V and 2012 to quickly clone virtual DCs for standard DC
expansion and fast forest reconstruction
- Utilize AD activation to simplify licensing Enterprise Windows
systems
- See how 2012 Hyper-V virtual machines can be easily created with
PowerShell
- Know how to do "poor person's clustering" with Hyper-V replication
- Simplify VM management with "shared nothing" live migration
Course Outline
- Server 2012: The Big Picture
A really quick look at the
list of new things in 2012 can be a bit overwhelming, but it all seems to
make better sense if you understand what seem to be the big goals of the new
server. We'll start off the course with those topics in this first
section.
- "A persistent whiff of the Cloud"
- Pervasive virtualization-friendly aspects
- Should appeal to more organizations, with an unusual number of new
capabilities for small and medium-sized organizations, or just anyone who's
pinching pennies
- AD features tend not to require any new functional levels
- Remote administration is assumed to be the default
- PowerShell owns 2012... but it's not a bad thing, really
- Installing and Managing Server 2012 Like a Pro, or, Better, Like an
Evil Overlord!
Server 2012 comes with a real treasure trove of
useful new tools, but none of those tools are of any value if you don't
know how to install them, start them up and point them where you want
them to go. Rolling out Server 2012 is similar to
deploying Servers 2008 and 2008 R2, as it still uses the "Panther" setup engine,
so if you've installed 08 or R2, then 2012 setup won't seem too
foreign, although it does have a few new wrinkles. Once the server's running,
however, get ready for some big changes, as Server Core and
remote access are the default configuration. If your next question
is "so does Server 2012 have a GUI at all?," the answer is "sure...
four GUIs in fact, counting Server Core." Assuming you've
opted for the traditional style of GUI, you'll find that 2012 has
something called Server Manager, but it's completely different
from the Server Managers we've seen since 2003 SP1. The new Server
Manager is, however, not the biggest change in server management,
believe it or not; no, that title has to go to the ten-fold
increase in PowerShell tools. The more things change, though, the
more they stay the same, as in the end analysis every server needs the
same sort of tender loving care: give it a name, give it an IP
address, assign some roles and features, join it to a domain and the
like. Once you've finished this section, you'll be ready to crack
the whip on your new servers more quickly, easily, and
consistently ruthlessly. Miss this section, and you may
end up helplessly trapped in the Roles and Features wizard, and trust
us, that is a terrible way to go!
- Setting up Server 2012
- Hardware requirements
- Upgrade considerations
- Server Core or not? New answers with 2012
- Make Server 2012 setup easier with autounattend.xml
- The new Server Manager
- Meet Metro: it's (groan) two desktops in one!
- Meet the almost-Metro/Mango/Multi-Server Manager
- The four GUIs of 2012
- A real multi-server perspective and new "server pools"
- Server Manager's now PowerShell under the hood
- Remote management is the default
- Service-centric management rather than server-centric management
- Exporting and importing server configuration
- Handling roles and services with SM and with PowerShell
- Event management (and new filtering!) in roles and services
- Shutdown and restart (yes, even that's different)
- A bit of PowerShell 101 (and 102 and 103 and 104...): the essential
PowerShell "survivor's guide"
- Easier PowerShell: show-command, the new Integrated Script
Editor, finding the missing help files
- Multi-server management with PowerShell
- 2012 Networking
Many new 2012 features seem to fall in the category of "hey, it's almost
like someone at Microsoft actually uses the product," kind of.
We imagine that building their Azure cloud led to a bunch
of "why don't we..." questions. How to keep
track of static IP addresses... especially when they're a half-yard apiece
long, like IPv6 addresses? Why the heck is making fault-tolerant DHCP so difficult? How come "teamed" NICs (a great idea all along)
cost so much? In this section, you'll learn about a bunch of nice
networking add-ons that we're pretty sure will be welcome additions to your
network infrastructure ... or at least will make building a test network
easier.
- Dozens of new networking PowerShell commands
- Building a better IPConfig
- NIC Teaming
- Bandwidth aggregation
- Fault tolerance
- Choosing a teaming mode
- Selecting the best load balancing algorithm
- Building a team from the GUI
- Building a team from PowerShell
- In what situations should you expect teaming to work?
- RDMA support: what it is, why you care
- IPAM
- Static IP address management
- DNS and DHCP monitoring
- IPAM setup (you're going to be thankful for PowerShell here, trust us)
- Provisioning options
- Tracking a user's IP addresses
- Troubleshooting IPAM failures
- Reports
- DHCP clusters
- Types: understanding failover versus load balanced modes
- Configuring a maximum client lead time (MCLT)
- Configuring hot standby mode
- Configuring load sharing mode
- Securing cluster communications
- Failover modes: "communications interrupted" and "partner
down"
- Controlling failover from PowerShell and the GUI
- DNSSEC made insanely easy
- SAN-sational Storage: Storage Tech Made Simple
Storage
Area Networks (SANs) and shared storage have been around and common
for a while, but now Microsoft's gotten serious with some storage
offerings, as you'll learn very soon. Before that, though,
we'll do a quick review of what networked storage technologies are
all about, cover all the essential buzzwords and do a bit of a
"level-set."
- The world before SANs
- SAN concepts: a socket in the wall for data
- From physical to virtual and back, kind of: what SANs do
- Block storage versus file storage
- Talking SCSI, but not offending: initiators, SCSI IDs, targets,
LUNs
- Why all this is better than just plugging drives into servers
- Interfaces: fiber channel, iSCSI
- Drive options: SATA and SAS
- Command languages: ATA and SCSI
- Storage made just for clusters: sharing LUNs without tears
- iSCSI background: iSCSI for the uninitiated
- What problem is iSCSI trying to solve?
- Re-using terms: back to initiators, targets and LUNs
- iSCSI as an Internet protocol
- iSCSI performance: moving the dial from software to hardware
- Names in iSCSI
- Storage in Server 2012
Much has changed in the network storage world
since NT 3.1 appeared, including the various technologies allowing for
storage area networks and shared storage in general, technologies that
Windows has largely ignored... until now. With Server 2012, you can
easily take some commodity hardware, throw a bunch of drives and a few NICs
in it, and in no time you've got an iSCSI-aware shared storage device and,
even better, a shared storage device that you can control using Windows'
familiar management tools. Even if you currently have and love your
SAN, there are still storage issues that you'll love about 2012, including a
kinder, gentler CHKDSK and, finally, native 4K sector support.
- Native 4K sector support
- All kinds of new PowerShell support
- Native support for ISO and VHD mounting
- Storage Spaces: a SANer way to do network storage
- JBOD to Storage Pool (both the GUI and PowerShell way)
- Storage Pool to "virtual disk" (not the kind you think)
- Virtual disk into volumes
- Overcommit option
- Can de-dup (more on that later)
- Fault tolerance options
- It's all offline by default: Server 2012's "SAN policy"
- Volumes into iSCSI "virtual disks"
- iSCSI initiators in Windows clients and servers
- iSCSI targets
- NFS shares
- Managing a Storage Space
- Controlling parity: interleaves, columns and stripes
- How tolerant is the fault tolerance?
- Controlling disk modes (autoselect, hotspare, journal, retired)
- Two-way and three-way mirrors
- Incorporating journal disks in Storage Spaces
- Handling a drive fault
- Retiring a drive
- Collecting health information
- De-Dup in 2012
- Variable-block de-dup in 2012
- Compression options
- Scheduling de-dup
- De-dup in networking
- iSCSI support in Windows
- Setting up target and initiator (server and client) software
- Creating the target and LUN via GUI and PowerShell
- Connecting to the initiator
- Enabling shared storage for clusters: multiple initiators
connected to a single target
- CHKDSK without tears: fear the CHKDSK reboot no more
- Resilient File System (ReFS) concepts and features
- BitLocker 2012
- "Used disk space only" encryption control
- Encrypt the disk before installing Server
- AD can auto-supply a BitLocker PIN
- User data affinity: keep those roaming profiles from roaming
everywhere
- Cluster Background and Basics: Windows Clusters Made Simple
One of the biggest and, unfortunately, most expensive innovations in
the network business is Windows Clusters. Clusters provide a way to combine
a whole bunch of moderately-reliable systems into one big and very reliable system.
If PC server-based networks can convince even the most risk-averse to shut off their
mainframes, it'll be clusters that can do that. (And have done that, actually.) But clusters have
been only the province of well-heeled organizations, which is why most IT pros have never
created one. Server 2012 changes that, though, offering a way to build truly cheap but still
quite reliable clusters. In this section, we'll get you all caught up on "the story so far" in clusters
so you're ready to learn about what 2012 delivers.
- Basic idea: two or more servers, a third device with shared storage,
redundant networking
- Heartbeats, quorum/witness disks
- The problem of "shared nothing"
- One answer: "cluster shared volumes" (CSVs)
- What CSVs did in R2
- CSV limitations
- Cluster setup planning and skills
- The trick to connecting iSCSI storage to a cluster
- SMB 3.0: File Servers Get Better, Part One
There are few
things as old in the Windows world as the file server service, software
that contains code literally written back in 1969, or, rather, that once
contained code that
old. Microsoft took a stab at modernizing Server Message Block (SMB)
back in 2006, with Vista and Server 2008, and after a rocky start, SMB
2.0's turned out to be a useful, if undersung, upgrade. Server
2012/Windows 8's new file server service, first dubbed SMB 2.2 and then
rechristened SMB 3.0 with 2012's Release Candidate, includes some
features that are obscure but will thrill its users as well as a few
that will get pretty widespread attention; for example, you can now
build a super-cheap file cluster using just a file share instead of a
SAN device.
- SMB 3.0 overview: the big goals
- SMB Direct: the fastest file shares in the world
- Encrypted SMB
- How it works, how it's new
- Enabling it
- Handling downlevel clients
- SMB Multichannel: teamed NICs plus file shares
- File shares as shared storage
- Scale-Out File Server for Application Data
- How SOFS differs from traditional clustered file shares
- Clients and transparent failover
- Cluster shared volumes return in SOFS
- VHD and SQL with SOFS: a marriage made in Redmond
- Building an SOFS
- CSVs can now boot with AD
- SMB directory leasing: faster branch office access
- Dynamic Access Control: File Servers Get Better, Part Two
The
competition for the title of "most significant change in Server 2012" is
a pretty tough one, but Dynamic Access Control (DAC) may be the winner.
It's a huge topic (it probably wouldn't be hard to build a complete day's
class on it), but in movie/TV terms, it is really nothing less than a
complete re-imagining of what file servers do and how they do it. As
you probably know, before 2012, we controlled access to file shares via
group memberships: if you were a member of the right group, you got to the
share. DAC adds many ways to control access to a
file share. You can require users to be members of multiple groups or
to have particular Active Directory attributes before granting access.
You
can control access to a share based on the machine the user's sitting at.
You can link access to a file based on file type and contents, as in "only
allow access to files of type 'source code' to users with the title
'programmer.'" But wait, there's more... you can tell 2012 to classify
a file as being of type "source code" if it included the text "#include,"
and, well, that's not all ... which is why you won't want to miss this
section.
- DAC explained from a "what it changes" point of view
- Example DAC scenarios
- Using DAC to assist in compliance
- Keeping complex permissions consistent across the organization
- Automatically classifying files
- The players: users, devices, resources
- Simplest DAC: multi-group policies
- Enabling DAC
- Creating a multi-group permission
- Troubleshooting DAC with Windows' improved "effective permissions"
- Claims: using AD attributes
- Workstations get into the act: device groups, device claims
- Resource information: FCI (file classification infrastructure)
- What is FCI?
- "Resource properties:" picking out the dangerous files and keeping
prying eyes away
- Classifying files by hand
- Classifying files automatically with the File System Resource Manager
- Building permissions that are file-content-aware
- Central Access Policies
- Why bother? Simplifying creating complex rules
- Step one: create central access rules
- Step two: assemble central access policies
- Step three: deploy central access policies with group policies
- Applying a central access policy to a share
- "Access Denied" remediation
- Less Bloat: DAC, Kerberos and smaller tokens
- Quick review: what's "token bloat?"
- Resource group compression
- Relax the bloat messages: GPs to quiet shrill DCs
- Kerberos armoring: making DAC possible
- "Dynamic Audit Control:" Thinning Out the Logs
Why does everyone talk about the problem of obesity among Americans but
so few talk about how bloated most event logs are? By now, you will
have seen that Dynamic Access Control lets you fine-tune who gets to your
sensitive data and, more importantly, who doesn't.
Interestingly enough, that sort of fine-tuned set of access controls now
also works on audit logs. That's why it's nice that you can now
use DAC-like policies to tell the event log what sorts of events to ignore.
In this section, learn how to keep your logs lean, mean, and much more
information rich.
- What you can do with DAC-like event log policies
- Creating an event log policy
- Active Directory in 2012
Like other pieces of Windows Server 2012,
Active Directory gets a number of upgrades. The biggest ones are, no
surprise, virtualization-related, but the one that may be most
administrators' favorite may be the one that makes KMS activation largely
irrelevant, or possibly the boy-does-that-make-my-life-easier group managed
service accounts.
- An easier "first DC" than before
- DCPROMO's gone, new-adforest arrives (yup, more PowerShell!)
- ADUC's retired, AD Administrative Center's front and... center
- Learning PowerShell gets easier in 2012 with the PowerShell History
Viewer
- Running services under domain accounts gets easier with group managed
service accounts
- 2012 can clone DCs in under five minutes (virtually)
- How it works
- Do's and don'ts
- Configuring the XML (it's not that bad)
- Usage example: super-fast forest recovery
- It's now safe to roll back snapshots of virtualized DCs
- Bye-bye KMS servers: joining AD activates your systems
- Delegation gets a bit more secure with resource-based constrained
delegation
- Fewer DC reboots
- Hyper-V in Server 2012
As you've already read, in some senses
virtualization is the subtle and central theme of Server 2012. Our
last section looks at the changes in Windows' central engine for
virtualization, Hyper-V server.
- 2012 Hyper-V scale changes: bigger clusters, more VMs, new
networking
- Virtual networking with new "Hyper-V virtual switch," SR-IOV
and virtual Fiber Channel adapters
- New virtual storage
- VHDXes pump up virtual drives
- 4K support
- 16TB size
- Solves import problems
- Converting between VHD and VHDx
- Virtual machine application monitoring
- Simplified shared storage for Hyper-V clusters
- Simple SMB 3.0 file shares
- Scale-out file server
- Hyper-V Shared Nothing Live Migration vs Hyper-V Replication
- Hyper-V Shared Nothing Live Migration (SNOLM)
- Overall considerations
- Enabling Live Migration
- Firewall considerations
- Reference: constrained Kerberos delegation explanation
- Configure NICs for live migration
- Storage migration options
- Using PowerShell to do SNOLM
- Handling problems... processor mismatch, network switch mismatch
- Hyper-V Replication (HVR)
- HVR steps: overview
- Initial replication
- Firewall considerations
- PowerShell and GUI steps
- Doing a planned failover
- Doing a test failover
- Doing an unplanned failover
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, this runs in mainly lecture/demo format.
You'll see a 2012-based AD run through its paces in a series of interesting
and explanatory demonstrations.
Arranging a Course At Your
Location
We offer this class as a public seminar at locations around the US; you can view the current schedule
at www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs. For more info, please contact our
office at (757) 426-1431 between noon and five PM Eastern time or email
assistant@minasi.com to
discuss scheduling and fees.
Attendee Comments on our Server 2012 class:
- Great way to "cut
to the chase" on what's new and important in Server 2012!
- Mark is one of the
most entertaining speakers I have ever seen.
- Huge topic
to cover in two days. Pacing was fast but not bad -- good job
getting through it all.
- Could
definitely use a third day.
- I never understood
clustering before, but now I do -- thanks!
- The last time I
came to one of your classes, what I learned got me a new position at
work. Can't wait to see the results this time!
- Very good overview
of changes and new features in 2012.
- You've inspired me
to learn more PowerShell! There is a LOT of it in 2012.
- Mark, you are
very good at what you do. Keep it up!
- I look forward to
attending your future seminars and wholeheartedly endorse and
recommend them for anyone looking for a concise and informative dive
into Windows Server. And, yes, you can quote me on that!
- I came to the
Server 2012 class expecting great things, based on your books and
newsletters, and left much, much more than I expected. Great job,
please keep it up!
- Mark takes large
amounts of dry, boring technical Server 2012 information and filters
it down to meaningful how-to's while making it fun to learn. Thanks
Mark!
- Although this
wasn't actually a PowerShell class, well, I've been to a multi-day
PowerShell class, and you know what? That instructor was
good... but you're better!
- Great class.
There's no telling how many hours this Server 2012 class has saved
me!