MCP Implementing an Advanced Server Infrastructure (70-414) – another study guide

Exam 70-414 Implementing an Advanced Server Infrastructure
============================================================

This blog post is a study guide to help you prepare for Microsoft MCP 70-414: Implementing an Advanced Server Infrastructure.

To prepare seriously for this certification, there is a lot of content to read and understand! As with every other Microsoft certification, it is better to have a technical background and experience with Microsoft infrastructure (Windows Server 2003 –> 2012, Cluster and System Center).

Official link on the Microsoft web site: https://www.microsoft.com/learning/en-us/exam-70-414.aspx

********************************************
Manage and maintain a server infrastructure (25–30%)
********************************************

- Design an administrative model -
-> Design considerations including user rights, built-in groups, and end-user self-service portal; design a delegation of administration structure for Microsoft System Center 2012

How to Create a Delegated Administrator User Role in VMM
https://technet.microsoft.com/en-us/library/hh356037.aspx

Creating User Roles in VMM
https://technet.microsoft.com/en-us/library/gg696971.aspx

- Design a monitoring strategy -
-> Design considerations including monitoring servers using Audit Collection Services (ACS), performance monitoring, centralized monitoring, and centralized reporting; implement and optimize System Center 2012 – Operations Manager management packs; plan for monitoring Active Directory

Agentless Monitoring in Operations Manager
https://technet.microsoft.com/en-us/library/hh212910.aspx

Well-known security identifiers in Windows operating systems (Event Log Readers group)
https://support.microsoft.com/kb/243330/en-us

Creating Data Collector Sets
https://technet.microsoft.com/en-us/library/cc749337.aspx

SQL Server Reporting Services (SSRS)

Defining a Service Level Objective Against an Application
https://technet.microsoft.com/en-us/library/hh230719.aspx

- Design an updates infrastructure -
-> Design considerations including Windows Server Update Services (WSUS), System Center 2012 – Configuration Manager, and cluster-aware updating; design and configure Virtual Machine Manager for software update management; update VDI desktop images

WSUS topology designs
- Single WSUS server
- Multiple independent WSUS servers
- Multiple internally synchronized WSUS Servers (1 upstream and multiple downstream servers)
- Disconnected WSUS Servers

Deploy Replica when you want a server to inherit update approvals from a central server

Choose a WSUS Management Style
https://technet.microsoft.com/en-us/library/cc708500(v=ws.10).aspx

Windows Internal Database Feature or SQL Server 2008 (or >)

How to Add an Update Server to VMM
https://technet.microsoft.com/en-us/library/gg675116.aspx
--> Add WSUS Console to VMM Server

- Implement automated remediation -
-> Create an Update Baseline in Virtual Machine Manager; implement a Desired Configuration Management (DCM) Baseline; implement Virtual Machine Manager integration with Operations Manager; configure Virtual Machine Manager to move a VM dynamically based on policy; integrate System Center 2012 for automatic remediation into your existing enterprise infrastructure

Overview of Desired Configuration Management
https://technet.microsoft.com/en-us/library/bb680553.aspx

Local Storage vs Remote Storage

WSUSUtil tool to configure SSL if used with SCCM

How to Install a WSUS Server for VMM
https://technet.microsoft.com/en-us/library/gg675099.aspx

If you install WSUS on a remote server, you must install a WSUS Administration Console on the VMM management server and then restart the VMM service. With a highly available VMM management server, you must install a WSUS Administration Console on each node of the cluster to enable the VMM service to continue to support update management. Update management in VMM requires a WSUS Administration Console, which includes the WSUS 3.0 Class Library Reference.

System Requirements: Update Management
https://technet.microsoft.com/en-us/library/gg610633.aspx

cluster-aware updating
- Remote-updating mode
- Self updating mode

Windows Server 2012 - Cluster Aware Updating (CAU) in action (some French text, but a lot of screenshots in US English)
https://blogs.technet.com/b/stanislas/archive/2013/01/14/windows-server-2012-cluster-aware-updating-cau-en-action.aspx

Virtual Machine Servicing Tool (VMST) --> needs a WSUS or SCCM server in your infrastructure

Introduction to Compliance Settings in Configuration Manager
https://technet.microsoft.com/en-us/library/gg682139.aspx

Introduction to Collections in Configuration Manager
https://technet.microsoft.com/en-us/library/gg682177.aspx

What's New in BranchCache
https://technet.microsoft.com/en-us/library/jj127252.aspx

***********************************************************
Plan and implement a highly available enterprise infrastructure (25–30%)
***********************************************************

- Plan and implement failover clustering -
-> Plan for multi-node and multi-site clustering; design considerations including redundant networks, network priority settings, resource failover and failback, heartbeat and DNS settings, Quorum configuration, and storage placement and replication

Windows Server 2012: Improvements in Failover Clustering (Video 56min)
https://technet.microsoft.com/en-us/video/windows-server-2012-improvements-in-failover-clustering.aspx

What's New in Failover Clustering in Windows Server 2012
https://technet.microsoft.com/en-us/library/hh831414.aspx

Configure and Manage the Quorum in a Windows Server 2012 Failover Cluster
https://technet.microsoft.com/en-us/library/jj612870.aspx

witness disk in NTFS only

4 quorum modes
- node majority
- node and disk majority
- node and file share majority
- no majority

Failover if 5 heartbeats are missed (= 5 sec)

Installing the Failover Cluster Feature and Tools in Windows Server 2012
https://blogs.msdn.com/b/clustering/archive/2012/04/06/10291601.aspx

Cluster Shared Volumes Reborn in Windows Server 2012: Deep Dive
https://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WSV430

- Plan and implement highly available network services -
-> Plan for and configure Network Load Balancing (NLB); design considerations including fault-tolerant networking, multicast vs. unicast configuration, state management, and automated deployment of NLB using Virtual Machine Manager service templates

Network Load Balancing Overview
https://technet.microsoft.com/en-us/library/hh831698.aspx

- Plan and implement highly available storage solutions -
-> Plan for and configure storage spaces and storage pools; design highly available, multi-replica DFS namespaces; plan for and configure multi-path I/O, including Server Core; configure highly available iSCSI Target and iSNS Server

Six Uses for the Microsoft iSCSI Software Target
https://blogs.technet.com/b/storageserver/archive/2009/12/11/six-uses-for-the-microsoft-iscsi-software-target.aspx

Introduction of iSCSI Target in Windows Server 2012
https://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012.aspx

iSNS Server Overview
https://technet.microsoft.com/en-us/library/cc772568.aspx

The Microsoft iSNS Server only supports the discovery of iSCSI devices, and not Fibre Channel devices

1 disk minimum to create a storage pool
2 disks minimum to create a resilient mirror virtual disk (standalone server)
3 disks minimum to create a resilient 2-way mirror virtual disk (cluster deployment)
5 disks minimum to create a resilient 3-way mirror virtual disk (cluster deployment)
3 disks minimum to create a resilient parity virtual disk (standalone server, can't use it on a failover cluster)

Deploy Storage Spaces on a Stand-Alone Server
https://technet.microsoft.com/en-us/library/jj822938.aspx

Deploy Clustered Storage Spaces
https://technet.microsoft.com/en-us/library/jj822937.aspx

Provisioning: thin (flexible) or fixed (better performance)

Clustered Storage space:
- Fixed provisioning
- SAS disks only
- No parity (only simple or mirror virtual disk)
- ReFS not allowed (CSV incompatible)

- Plan and implement highly available server roles -
-> Plan for a highly available Dynamic Host Configuration Protocol (DHCP) Server, Hyper-V clustering, Continuously Available File Shares, and a DFS Namespace Server; plan for and implement highly available applications, services, and scripts using Generic Application, Generic Script, and Generic Service clustering roles

Scale-Out File Server for Application Data Overview
https://technet.microsoft.com/en-us/library/hh831349.aspx

up to 64 physical nodes in a cluster
4000 VM per cluster

Cluster-Aware Updating
Cluster computer objects in targeted OU

Step-by-Step: Configure DHCP for Failover
https://technet.microsoft.com/en-us/library/hh831385.aspx

- Plan and implement a business continuity and disaster recovery solution -
-> Plan a backup and recovery strategy; planning considerations including Active Directory domain and forest recovery, Hyper-V replica, domain controller restore and cloning, and Active Directory object and container restore using authoritative restore and Recycle Bin

DPM -> 15 min RPO

AD DS Recycle Bin : forest level 2008 R2

Requirements for Active Directory Recycle Bin
https://technet.microsoft.com/en-us/library/dd379484(v=ws.10).aspx

Enable Active Directory Recycle Bin
https://technet.microsoft.com/nl-nl/library/dd379481(v=ws.10).aspx
Enable-ADOptionalFeature
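
Added example (not from the original post): a PowerShell sketch that checks the forest functional level noted above before calling Enable-ADOptionalFeature, then restores a deleted object from the Recycle Bin. It assumes the ActiveDirectory module and sufficient rights in the forest root domain; the account name `jdoe` is a constructed placeholder.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest

# The Recycle Bin requires a forest functional level of Windows Server 2008 R2 or higher.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $minimum first."
}

# Enabling the feature cannot be undone, so only call it when no scope has it enabled yet.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet `
        -Target $forest.Name `
        -Confirm:$false
}

# Restore a deleted user. Only objects deleted after the feature was enabled
# keep their full attribute set; 'jdoe' is a constructed sample name.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties lastKnownParent

foreach ($obj in $deleted) {
    # lastKnownParent shows where the object lived; the parent container must still exist.
    Write-Output "Restoring $($obj.Name) to $($obj.lastKnownParent)"
    Restore-ADObject -Identity $obj.ObjectGUID
}
```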

DPM to Backup Virtual Machines
- Protection of a standalone host -> DPM Agent on Hyper-V
- Protection of the virtual machine --> DPM Agent in VM
- Protection of a VM running on a clustered host --> DPM agent on all cluster nodes
- Hyper-V host and storage located on different servers -> DPM agents on both servers. Backup occurs at host level

Hyper-V Replica Overview
https://technet.microsoft.com/en-us/library/jj134172.aspx
https://technet.microsoft.com/en-us/library/hh831716.aspx

Hyper-V: To participate in replication, servers in failover clusters must have a Hyper-V Replica Broker configured (en-US)
https://social.technet.microsoft.com/wiki/contents/articles/12798.hyper-v-to-participate-in-replication-servers-in-failover-clusters-must-have-a-hyper-v-replica-broker-configured-en-us.aspx

To configure Hyper-V Replica Broker
https://technet.microsoft.com/en-us/library/jj134153#BKMK_1_4

Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta
https://www.microsoft.com/en-us/download/details.aspx?id=29016

******************************************************
Plan and implement a server virtualization infrastructure (25–30%)
******************************************************

- Plan and implement virtualization hosts -
-> Plan for and implement delegation of virtualization environment (hosts, services, and VMs), including self-service capabilities; plan and implement multi-host libraries including equivalent objects; plan for and implement host resource optimization; integrate third-party virtualization platforms

How to Configure Host Group Properties in VMM
https://technet.microsoft.com/en-us/library/hh335101.aspx

Configuring Dynamic Optimization and Power Optimization in VMM
https://technet.microsoft.com/en-us/library/gg675109.aspx

Tuning PRO Performance Thresholds
https://technet.microsoft.com/en-us/library/ee423768.aspx

The Hyper-V Administrators group is a new local security group. Add users to this group instead of the local Administrators group to provide them with access to Hyper-V. Members of the Hyper-V Administrators group have complete and unrestricted access to all features of Hyper-V.

What's New in Hyper-V
https://technet.microsoft.com/en-us/library/hh831410.aspx

System Requirements: Citrix XenServer Hosts
https://technet.microsoft.com/library/gg610587.aspx

Managing VMware ESX Hosts Overview
https://technet.microsoft.com/en-us/library/gg610683.aspx

- Plan and implement virtualization guests -
-> Plan for and implement highly available VMs; plan for and implement guest resource optimization including smart page file, dynamic memory, and RemoteFX; configure placement rules; create Virtual Machine Manager templates

How to Create a Guest Operating System Profile
https://technet.microsoft.com/en-us/library/hh427296.aspx

About Hardware Profiles
https://technet.microsoft.com/en-us/library/bb740879.aspx

SCVMM 2012: how to create a VM Template (some text in French, but all screenshots in English)
https://blogs.technet.com/b/stanislas/archive/2011/11/22/scvmm-2012-comment-d-233-ployer-une-vm-224-partir-d-un-mod-232-le-de-machine-virtuelle.aspx

Creating Service Templates in VMM
https://technet.microsoft.com/en-us/library/gg675105.aspx

- Plan and implement virtualization networking -
-> Plan for and configure Virtual Machine Manager logical networks; plan for and configure IP address and MAC address settings across multiple Hyper-V hosts including IP virtualization; plan for and configure virtual network optimization

- Plan and implement virtualization storage -
-> Plan for and configure Hyper-V host storage including stand-alone and clustered setup using SMB 2.2 and CSV; plan for and configure Hyper-V guest storage including virtual Fibre Channel, iSCSI, and pass-through disks; plan for storage optimization

Note : SMB 2.2 is an old name. New name is SMB 3.0

- Plan and implement virtual guest movement -
-> Plan for and configure live, SAN, and network migration between Hyper-V hosts; plan for and manage P2V and V2V

P2V Prerequisites
https://technet.microsoft.com/en-us/library/hh427293.aspx

- Manage and maintain a server virtualization infrastructure -
-> Manage dynamic optimization and resource optimization; manage Operations Manager integration using PRO Tips; automate VM software and configuration updates using service templates; maintain library updates

Configuring Dynamic Optimization and Power Optimization in VMM
https://technet.microsoft.com/en-us/library/gg675109.aspx

Tuning PRO Performance Thresholds
https://technet.microsoft.com/en-us/library/ee423768.aspx

Adding and Configuring VMM Library Servers
https://technet.microsoft.com/en-us/library/bb894355.aspx

**************************************************
Design and implement identity and access solutions (20–25%)
**************************************************

- Design a Certificate Services infrastructure -
-> Design a multi-tier Certificate Authority (CA) hierarchy with offline root CA; plan for multi-forest CA deployment; plan for Certificate Enrollment Web Services; plan for network device enrollment; plan for certificate validation and revocation; plan for disaster recovery; plan for trust between organizations

Active Directory Certificate Services Overview (to learn different roles in AD CS)
https://technet.microsoft.com/en-us/library/hh831740.aspx

CEP Encryption : Allows the holder to act as a registration authority (RA) for simple certificate enrollment protocol (SCEP) requests

The CAPolicy.inf file contains settings that can be used to modify the default installation of the Certification Authority role of Active Directory Certificate Services (AD CS). The file is also used when renewing the CA certificate. A CAPolicy.inf file is not required to install AD CS or renew a CA certificate. The file is only needed to modify default settings. Once you have created your CAPolicy.inf file, you must copy it into the %windir% folder (such as C:\Windows) of your server before you install AD CS or renew the CA certificate.

Prepare the CAPolicy.inf File
https://technet.microsoft.com/en-us/library/jj125373.aspx
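
Added example (not from the original post): a PowerShell sketch that writes a CAPolicy.inf for an offline root CA into %windir% and reads it back before the role is installed. The renewal and CRL values are illustrative assumptions, and `Read-CAPolicy` is a hypothetical helper defined here.

```powershell
# Illustrative settings for an offline standalone root CA (assumed values, adjust to your policy).
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
'@

$path = Join-Path $env:windir 'CAPolicy.inf'

# A file saved as CAPolicy.inf.txt is silently ignored by setup, so flag it.
if (Test-Path "$path.txt") {
    Write-Warning "$path.txt exists; setup only reads CAPolicy.inf."
}

Set-Content -Path $path -Value $caPolicy -Encoding Ascii

# Hypothetical helper: parse the INI file into a table of sections and key/value pairs.
function Read-CAPolicy {
    param([string]$File)
    $sections = @{}
    $current = $null
    foreach ($line in Get-Content -Path $File) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=;]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

$parsed = Read-CAPolicy -File $path

# The [Version] signature must be present or the file is not accepted.
if ($parsed['Version']['Signature'] -ne '"$Windows NT$"') {
    throw "CAPolicy.inf is missing the [Version] signature."
}

# CRLDeltaPeriodUnits=0 disables delta CRLs, which an offline root cannot publish regularly.
if ($parsed['Certsrv_Server']['CRLDeltaPeriodUnits'] -ne '0') {
    Write-Warning "Delta CRLs are enabled; an offline root CA normally disables them."
}

Write-Output "CAPolicy.inf is in place at $path; install AD CS or renew the CA certificate now."
```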

Cross-certification creates a shared trust between two CAs that do not share a common root CA. These CAs exchange cross-certificates that allow their organizations to communicate. In this way, the organizations do not have to create and manage additional root CAs. Cross-certification might be the best option if a common root CA for both PKIs does not exist.

- Implement and manage a Certificate Services infrastructure -
-> Configure and manage offline root CA; configure and manage Certificate Enrollment Web Services; configure and manage Network Device Enrollment Services; configure Online Certificates Status Protocol responders; migrate CA; implement administrator role separation; implement and manage trust between organizations; monitor CA health

Using a Cross-Certification Configuration
https://technet.microsoft.com/en-us/library/cc778829(v=ws.10).aspx

- Implement and manage certificates -
-> Manage certificate templates; implement and manage deployment, validation, and revocation; manage certificate renewal including Internet-based clients; manage certificate deployment and renewal to network devices; configure and manage key archival and recovery

Certificate Templates Overview
https://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx

- Design and implement a federated identity solution -
-> Plan for and implement claims-based authentication including planning and implementing Relying Party Trusts; plan for and configure Claims Provider Trust rules; plan for and configure attribute stores including Active Directory Lightweight Directory Services (AD LDS); plan for and manage Active Directory Federation Services (AD FS) certificates; plan for Identity Integration with cloud services

An attribute store in ADFS is a directory or database that you can use to store user accounts and their associated attributes. Attribute stores for ADFS in Windows Server 2012 can be:
- AD DS
- AD LDS (LDAP)
- SQL Server 2005 and >
- Custom attribute store (eg. CSV files)

- Design and implement Active Directory Rights Management Services (AD RMS) -
-> Plan for highly available AD RMS deployment; manage AD RMS Service Connection Point; plan for and manage AD RMS client deployment; manage Trusted User Domains; manage Trusted Publishing Domains; manage Federated Identity support; manage Distributed and Archived Rights Policy templates; configure Exclusion Policies; decommission AD RMS

How AD RMS Works
https://technet.microsoft.com/en-us/library/how-adrms-works.aspx

AD RMS Infrastructure Deployment Tips
https://technet.microsoft.com/en-us/library/jj554774.aspx

Understanding AD RMS Clusters
https://technet.microsoft.com/en-us/library/cc771175.aspx

Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest.

AD RMS Multi-forest Considerations
https://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx

The Service Connection Point (SCP) for Active Directory Rights Management Services (AD RMS) identifies the connection URL for the service to the AD RMS-enabled clients in your organization. After you register the SCP in Active Directory Domain Services (AD DS), clients will be able to discover the AD RMS cluster to request use licenses, publishing licenses, or rights account certificates (RACs).

The Active Directory Rights Management Services (AD RMS) super user feature is a special role that enables users or groups to have full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from

Configure the AD RMS Super Users Group
https://technet.microsoft.com/en-us/library/ee849845(v=ws.10).aspx

What's New in Active Directory Rights Management Services (AD RMS)?
https://technet.microsoft.com/en-us/library/hh831554.aspx

For Windows Server 2012, the following versions of Microsoft SQL Server have been tested and are supported for use with AD RMS deployment:
- SQL Server 2005 Service Pack 3
- SQL Server 2008 Service Pack 3
- SQL Server 2008 R2 Service Pack 1

If you are going to be viewing reports related to AD RMS, you must also install the .NET Framework 3.5.

On Server Core installations, the optional Identity Federation Support role service for the AD RMS server role is not supported. This is because Identity Federation Support relies on a role service of the AD FS Server role, the Claims-aware Agent, which is disabled on Server Core installations.

Windows Server 2012 also includes the following feature updates, which have been added recently as updates for the AD RMS role in Windows Server 2008 R2.
- Simple delegation: Simple delegation for AD RMS enables you to have the same access rights to protected content that are assigned to one person delegated to other individuals within their organization. Simple delegation provides the ability to have content rights assigned to executives and managers be easily and effectively delegated to their assistants. Two attributes, msRMSDelegator and msRMSDelegatorBL, must be added to the Active Directory schema
- Strong cryptography : enables you to increase the cryptographic strength of your AD RMS deployment by running in an advanced mode known as cryptographic mode

AD RMS and cryptographic support for SHA-2/RSA 2048
https://blogs.technet.com/b/rms/archive/2012/04/29/ad-rms-and-cryptographic-support-for-sha-2-rsa-2048.aspx

Test Lab Guide: Deploying an AD RMS Cluster
https://technet.microsoft.com/en-us/library/adrms-test-lab-guide-base

I also encourage you to download Windows Server 2012, install it and test it as much as you can, because some questions require that you have already used the user interface or the commands.

You can download an evaluation version of Windows Server 2012 as:
- an ISO image: https://aka.ms/jeveuxwindows2012
- a pre-built system on VHD: https://aka.ms/jeveuxwindows2012

You can also try Windows Server 2012 on Windows Azure IaaS for some scenarios (but not those with Hyper-V or network services like DHCP, of course): https://www.windowsazure.com/fr-fr/pricing/free-trial/

- Stanislas Quastana -