
Use shift+restart, the settings charm, or the shutdown command to enter Windows recovery, with recovery media and automatic triggers for boot failures or secure boot errors to rebuild the server.
During setup, Windows creates partitions and places a recovery image in system32 recovery; at the first boot, the image is copied to a separate partition for self-repair.
Explore safe boot, which runs Windows with core components to isolate driver or application issues, and access it via msconfig, F8, or bcdedit from a troubleshooting DVD.
Explore how to boot into safe boot environments using recovery options, safe mode variants, and MSConfig to troubleshoot startup issues by isolating drivers, services, and hardware problems.
Explore how the boot configuration data store holds boot configurations independent of firmware, and powers the boot menus. Edit the boot sequence, display order, and timeout with the configuration tool.
Explore disaster recovery by configuring backups, enabling site fault tolerance with Hyper-V replicas across multi-site clusters, and optimizing network settings to support business continuity and a strong disaster recovery plan.
Configure network services in a pure IP environment using TCP/IP for client-server communications and external access, and install IPAM to manage DNS, address space, and group policy.
Allocate IP addresses and configuration centrally with DHCP, avoiding manual static assignments and address overlaps, including default gateways and DNS servers. Manage scope options and reservations in the DHCP console.
Explore the DHCP server components—the server service that allocates IP addresses, the DHCP database with configuration data, the DHCP console, and enterprise admin pre-authorization for RSAT.
Configure a DHCP scope with an IP range, subnet mask, and scope name; include optional default gateway and DNS, exclusions, and domain suffixes.
Describe the DHCP lease process: a client without an IP address broadcasts, a server offers an IP address, the client accepts the first offer. The server acknowledges.
Explore DHCP options, including super scopes and multicast scopes, and learn high availability features like DHCP failover, split scopes, and name protection in Windows Server 2012.
Examine how DHCP integrates with DNS to update host, pointer, and reverse lookup records; the DHCP server owns records and deletes them when IP leases expire.
Group subnets into a logical subnet with super scopes using the wizard to ease administration and expand address space, then explore multinetting with a second scope on another subnet.
Learn to configure DHCP by creating and authorizing scopes, assign 192.168.1.5/24, configure router and DNS servers, and then create a super scope that groups the two ranges.
Explore DHCPv6, expanding 32-bit IPv4 to 128-bit addresses, and compare stateless and stateful configurations, including server selection, lease lifetimes, prefixes, DNS, and exclusions.
Regional registries oversee IPv6 address allocation across regions, including ARIN for the Americas. They manage external IPv6 distribution while internal IPv6 remains in use.
Configure IPv4 and IPv6 DHCP scopes on the server, set ranges and exclusions, apply lease duration, and define options such as default gateway and DNS, then authorize as an enterprise admin.
Learn how DHCP name protection safeguards DNS registrations by DHCP clients, preserves static names, and uses a DHCP ID to verify the original requester and prevent record overwrites.
Enable DHCP name protection in the DHCP console by turning on DNS dynamic updates and name protection for IPv4 and IPv6, applying settings at the IP version and scope levels.
Delegate DNS permissions to manage DNS zones, zone files, and backups, using domain admins, enterprise admins, or the global DNS admins domain local group to separate responsibilities.
Enable and view DNS logs in the Windows System32 DNS directory, including server start/stop, configuration changes, errors, and verbose details on packet direction, protocol, request type, and IP-based filtering.
Explore the three levels of DNS security (DNSSEC, DNS cache locking, and the DNS socket pool) and see how they work together to protect your DNS solution.
DNSSEC signs all DNS records in a zone so clients can validate responses from the DNS server, protecting against spoofing and cache tampering.
This lecture provides a basic DNSSEC overview, covering trust anchors, DNS keys, authoritative entries, resolvers building trust chains, and client rules that enforce validation when the NRPT is present.
Deploy DNSSEC by configuring both server and client sides, sign the DNS zone with the DNSSEC configuration wizard on Server 2012, and configure trust anchors and client settings.
Configure DNSSEC zone signing wizard options, including KSK values and defaults. Set 2048-bit default, upgrade to 4096, RSA/SHA-256, seven-day signatures, and rollover keys; ZSK lasts 90 days at 1024-bit.
Explore DNSSEC improvements in Windows Server 2012 R2, including the key master role for file backed multi master zones, and enhanced key management isolation with the CNG offline storage module.
Describe DNS resource records and DNS keys, including how public keys secure zones, how parent and child zones form a chain of trust, and how NSEC and NSEC3 prevent enumeration.
Sign a zone by configuring parameters manually, copying from an existing zone, or using the recommended settings, and learn how to unsign zones with DNS management interface to remove signatures.
Explore how DNS caches use time to live to retain recent resolutions, and how cache locking via a percentage value prevents overwriting entries during TTL.
Demonstrates configuring DNS cache locking to prevent overwriting DNS information during the TTL. Configure the cache locking percent with the DNS command or PowerShell, then restart the DNS service to apply changes.
Discover how a DNS socket pool enables port randomisation for DNS queries, with a size of 2500 and range 0 to 10000, set via dnscmd /config /socketpoolsize.
Enable aging and scavenging to remove stale DNS host records, preventing bloated databases and ensuring timely cleanup; configure the refresh interval and non-refresh interval to govern automatic cleanup.
Maintain primary and AD integrated DNS zones by manual backups or automatic replication; export zones with DNSCMD or PowerShell for single-domain controllers or backups.
Maintain a DNS database by configuring a primary or Active Directory integrated zone and backing up the zone file. Export zones with DNS command or PowerShell for backups.
Optimize name resolution in enterprise DNS by using forwarding, conditional forwards, stub zones, net mask ordering, and recursion across multiple domains and forests.
Plan stub zones carefully, store them in Active Directory, and select replication scope domain-only or forest-wide with the master server holding the delegated domain's primary zone.
Enable the GlobalNames zone to support single-label name resolution. Navigate the forest beyond the flat WINS namespace; zones are manually created, and the Domain Name System appends the domain name.
Enable global names for single-label name resolution across DNS servers. Create a primary zone named GlobalNames, disable dynamic updates, and enable global names with a DNS command for forest-wide replication.
Add a CNAME alias to a resource record zone by creating a new alias in the zone, using the host's fully qualified domain name and selecting a file server.
Explore IPAM, an IP address management tool that plans, allocates, and tracks IP space across large networks, enabling change management, auditing, and centralized DHCP and DNS administration.
Define role based access control by mapping roles (built-in or custom) to users or groups in Windows, using access scopes (default global) and policies to tailor permissions.
Explore IPAM monitoring for IPv4 and IPv6 networks, including inventory, DNS and DHCP monitoring, Hyper-V, and cloud networks, with System Center 2012 integration and group-based server management.
Install IPAM on a dedicated server with no Active Directory directory service and no domain controller; use a domain account in the IPAM local security group, enable IPv6 and auditing.
Identify hardware and software requirements for Server 2012, including a dual-core processor, 4 GB of RAM, and 80 GB disk space, with auto-install of features.
Installing IPAM on Windows Server 2008/2008 R2 requires a dual-core processor, RAM, and 80 GB space with Service Pack 2; install .NET Framework 4 and WMF 3 for remote management.
Gain insight into IPAM abilities, including DHCP and DNS capacity, zone replication, and 3 years of forensic data; utilize RSAT for IP allocation planning while noting non-Microsoft network limits.
Explore IPAM database support, from Windows internal database with no purge policies to SQL Server, co-located or remote, offering scalability, disaster recovery, and data migration from CSV.
Explore IPAM users and groups, detailing roles from IPAM users who view inventory and address space to IPAM administrators with full viewing and performing privileges.
Explore IPAM deployment methods for Windows, including central, distributed, and hybrid approaches, with one IPAM server per forest and site servers communicating with a central forest server.
Explore IPAM components with an IPAM server and IPAM client; the server collects data in a Windows internal database and PowerShell handles DHCP configuration, DNS monitoring, and remote management.
Provision IPAM after installing the IPAM role by configuring network shares, security groups, and firewall rules, using group policy or manual per-server steps.
Master manual provisioning for IPAM by creating the IPAMUG universal group, configuring domain controllers and event log readers, and granting DNS administrator rights to the DHCP subdirectory share.
Set inbound firewall rules for domain controllers and DNS servers to allow event log management and service management, then enable DNS event log monitoring by editing the DNS server registry.
Provision GPOs with the provisioning command to configure Active Directory, DHCP, and DNS servers. The DC GPO handles DHCP shares and audit; DNS configures event logs and DNS administrator rights.
View the IP address space from multiple angles, inspecting subnets, ranges, and groups of addresses to inventory all addresses and switch between different views of the same data.
Monitor IPAM by tracking DHCP scope utilization, DNS zone status, and server events. Organize data with IPv4 and IPv6 subnets, and group servers by business unit or location.
Migrate IPAM to Windows Server 2012 and upgrade to R2 with a seamless database migration, ensuring your existing IPAM data moves without issues.
Discover how to use PowerShell with IPAM by examining cmdlets, import addresses, provision GPO, and export an IP address range, leveraging 55 new PowerShell 2.0-based cmdlets in R2.
Configure IPAM provisioning via group policy and grant the domain permissions to the IP management server, then run server discovery and refresh policies.
Add an address space in IPAM to serve as a container for IP address blocks, subnets, ranges, and single addresses; create objects manually or import, with defaults for required fields.
Add an IP address block to IPAM by entering the network ID and a /24 prefix; the range auto derives, and specify the regional internet registry for public ranges with PowerShell.
Add an IP address subnet to IPAM by specifying a friendly name, network ID, and a prefix length, with optional settings, using PowerShell with -ip subnet and -network id.
Learn how to add an IP address range to IPAM, handle default values and assignments, create missing addresses if not found, and validate site, VM, IP pool, and network ID.
Learn how to add an IP address to IPAM, associate it with a reservation, and map it to a containing range, while leveraging managed-by-service options, default properties, and custom fields.
Demonstrate text file examples in a csv format with quoted headers and records, showing IP address, managed by service instance, device type, address, state, and assignment types.
Learn to deploy and manage a global enterprise IP infrastructure by coordinating DHCP and DNS servers and addressing complex IP configurations beyond small networks.
Configure identity and access solutions with federation services to enable single sign-on with partner networks, managing claims provider trusts, rules, Active Directory Lightweight Directory Services stores, certificates, and federation proxy.
Understand Windows Server 2012 authentication policies for federated services and relying party trusts, including Windows-based, forms-based, and certificate methods for internal and external access.
Leverage multi-factor authentication, requiring more than one authentication sequence with certificates installed on the local machine and supported by phone, text, or mobile app factors.
Apply claim rules in federated services to govern claims, determining what is accepted and issued to relying parties and applications; provider trust and relying party trust shape processing and acceptance.
Learn how a claims provider trust links a federated server to Active Directory directory services, governs credential processing, and allows configuration via federation metadata or manual setup with SSL certificates.
Explain claims based identity, separating authentication from authorization with a security token service. Authenticated users present claims like email, user principal name, and group membership to determine access.
Explore web services that connect applications and services via different web interfaces, using SOAP and Web Services Description Language, and register them with UDDI.
Discover federation services features in Server 2012, including server roles integration for easier installation, PowerShell commands to install and configure federation services, and dynamic access control enhancements for administration.
Explore how single sign-on works inside an organization, tracing the path from a client to the federation service proxy, to the federation server and active directory to issue a token.
Demonstrate a business-to-business single sign-on flow where a corporation user is redirected to a federation server, authenticates via Active Directory, and receives a digitally signed token (claim) to access the resource.
Apply certificate requirements for the exam, covering the WCF message service, the SSL certificate, and the token signing and token decrypting certificates.
Explore the federation services components, including the federation server that issues and validates claims for each forest, and the optional proxy in the perimeter network with claim rules.
Explore how AD FS components issue security tokens from the home domain, using a provider, attribute store, and claim rules for the relying party in federation.
Explore AD FS components, including relying party trust and user claims (names, groups, email), plus certificates for SSL and metadata, and endpoints for token issuing and receiving with WCF.
Guides you through installing Active Directory Federation Services, configuring a federation service with a server farm or standalone setup, and establishing certificates, DNS prerequisites, and trust relationships for single sign-on.
Explore how multi-factor access works in Active Directory Federation Services, using access tokens and incoming claims to define authentication rules that permit or deny users.
Master multi-factor access control in AD FS with Windows Server 2012 R2, enabling per-application authorization based on user, device, and network location.
Explore the claim types in AD FS on Windows Server 2012 R2, operating system version, IP address, group, given name, email address, certificate subject and issuer, and Windows account name.
Enable secure access for personal devices through workplace join, using the device registration service to control access by application, user, device, and location, with company data wipe when users leave.
Register devices in Active Directory via the device registration service, provisioning device objects and certificates, enabling workplace joined devices from internal and external networks through web proxies.
Compare workplace joined versus non-joined devices by logging into a company web app with a domain account, noting missing single sign-on and repeated credential prompts due to token claims.
Join your Windows device to a corporate network by accessing PC settings, selecting Network, then Workplace, and entering your corporate username and password to enable device management.
Join your iOS device to the workplace via Safari, install the profile, enter your PIN when prompted, and view the profile in Settings > General > Profiles.
Review identity and access solutions using Active Directory Federation Services to enable single sign-on for external access across organizations and forests. Learn installation, configuration, and components essential to federation services.
Wrap up MCSA Windows Server 2012 training by reviewing server roles, features, virtualization, Active Directory maintenance, Network Policy Server, Group Policy, high availability, file and storage solutions, and disaster recovery.
Microsoft's 70-417: Upgrading Your Skills to MCSA Windows Server 2012 course covers the new features and functionality in Windows Server 2012 and Windows Server 2012 R2, including management, networking infrastructure, storage, access control, Hyper-V, high availability, and identity federation. The course also focuses on more advanced concepts such as Dynamic Access Control (DAC), failover clustering, Microsoft Online Backup, and changes to Active Directory, PowerShell, Hyper-V, and Active Directory Federation Services (AD FS).
**This course is in 2 parts. Please purchase Part 1 as well for the complete course.**
This course updates the existing knowledge and skills of IT professionals who have hands-on experience with previous Windows Server versions to Windows Server 2012, including Windows Server 2012 R2. In addition, the course incorporates the objectives of the 70-417 exam and prepares students to take this certification exam.