Tag Archive for 2012

NAP (Network Access Protection) on Windows Server 2012


What is NAP?

Network Access Protection (NAP) is a technology introduced in Windows Vista® and Windows Server® 2008 and also available on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. (It is deprecated from Windows Server 2012 R2 onwards and is not included in Windows Server 2016, so plan accordingly.) NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers so they can gain unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network, and also provides ongoing health compliance enforcement while a compliant client computer remains connected.

In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.

NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose.

NAP enforces health requirements for the following:

  • Internet Protocol security (IPsec)-protected communications
  • Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
  • Virtual private network (VPN) connections
  • Dynamic Host Configuration Protocol (DHCP) configuration
  • Terminal Services Gateway (TS Gateway; called Remote Desktop Gateway from Windows Server 2008 R2 onwards)

Installing NAP

  • Select Add Roles and Features and when the screen below comes up, Click Next

Nap1

  • Select Role-based or feature based installation

Nap2

  • Choose your server. I have a test Windows 2012 box called dacvtst001

Nap3

  • Select Network Policy and Access Services

Nap4

  • Click to Add Features when you select Network Policy and Access Services

Nap5

  • Click Next on Select Features

Nap6

  • Read the Network Policy and Access Services screen

Nap7

  • The following screenprints show the different descriptions of each Role Service. The first one being the Network Policy Server

Nap8

  • The second one being the Health Registration Authority

Nap9

  • The third one being the Host Credential Authorization Protocol
  • Choose your Certificate settings. I chose Select a CA later using the HRA Console as this is just a test system but choose whatever is relevant to your setup

Nap11

  • Choose Authentication Requirements

Nap12

  • Choose your Server Authentication Certificate for encryption

Nap13

  • Read the Web Server Role (IIS) screen (IIS is pulled in by the Health Registration Authority)

Nap14

  • Select Web Server Role Services Features

Nap15

  • Confirm Installation Selections

Nap16

  • You will also need the Group Policy Management feature. In Server Manager, click Add Roles and Features again, click through to Select features, tick Group Policy Management, click Next and then click Install.
  • Verify the installation was successful, then click Close to close the wizard and close Server Manager.
  • Once everything is installed and rebooted, press the Windows key + Q to open the Apps search screen listing all applications
  • Select Network Policy Server and you should see the below screen

NAP1

  • And here is what it looks like with the menus expanded

NAP
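The same installation can be scripted. This is an added example and not part of the original post: it installs the role services the wizard screens above select, plus Group Policy Management, from an elevated PowerShell prompt on the post's test server dacvtst001, and checks the result before you open the NPS console.

```powershell
# Added example (not from the original post): install the NAP server
# components the wizard screens above select, then verify them.
Import-Module ServerManager

$server = 'dacvtst001'   # the post's test server

# NPAS-Policy-Server = Network Policy Server
# NPAS-Health        = Health Registration Authority (pulls in IIS)
# NPAS-Host-Cred     = Host Credential Authorization Protocol
# GPMC               = Group Policy Management (needed for the client GPO later)
$features = 'NPAS-Policy-Server', 'NPAS-Health', 'NPAS-Host-Cred', 'GPMC'

$result = Install-WindowsFeature -Name $features -ComputerName $server -IncludeManagementTools
$result | Format-List Success, RestartNeeded, FeatureResult

# Do not continue with the NAP wizard until every feature reports Installed.
$missing = Get-WindowsFeature -Name $features -ComputerName $server |
    Where-Object { $_.InstallState -ne 'Installed' }
if ($missing) {
    throw "Not installed on ${server}: $($missing.Name -join ', ')"
}

# 'IAS' is the Network Policy Server service; 'napagent' is the NAP Agent.
# Both must exist once the role is in place.
Get-Service -ComputerName $server -Name IAS, napagent | Select-Object Name, Status
```

If `RestartNeeded` comes back as `Yes`, reboot before running the Configure NAP wizard; the HRA web site will not start until IIS has been initialised.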

The NAP wizard helps you configure each NAP component to work with the NAP enforcement method you choose. These components are displayed in the NPS console tree, and include:

  • System Health Validators. System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. E.g. Configured to require only that Windows Firewall is enabled.
  • Health Policies. Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status.
  • Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant.
  • Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed.
  • RADIUS Clients and Servers. RADIUS clients are network access servers. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. Remote DHCP servers are configured as RADIUS clients on NPS.
  • Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. If these servers are required, they are automatically available to computers on the restricted access subnet when you add them to remediation server groups.

Configuring NAP

  • In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start
  • Choose Dynamic Host Configuration Protocol (DHCP) Note I already have DHCP installed on this test VM

NAPconfig2

  • You should then see the below

NAPconfig3

  • Choose the RADIUS clients. Note I already have DHCP installed on this server so I just click Next

NAPconfig4

  • Click Add and type a name for your DHCP Scope. Mine is called DACMT scope

NAPconfig5

  • Configure Machine Groups. Just click Next

NAPconfig6

  • Choose Remediation Server Groups. Just click Next here

NAPconfig7

  • Define NAP Health Policy. Verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next

NAPconfig8

  • On the Completing NAP Enforcement Policy and RADIUS Client Configuration screen, check the details and click Finish

NAPconfig9

Configure SHVs

SHVs define configuration requirements for computers that attempt to connect to your network.

  • In the Network Policy Server console tree, double-click Network Access Protection, and then click System Health Validators
  • In the details pane, click Windows Security Health Validator.
  • In the Windows Security Health Validator Properties dialog box, click Settings.

NAPconfig10

  • Tick whichever Security Health Validations you want to enforce on your network

Enable NAP settings for the scope

  • In the DHCP console, double-click dacvtst001.dacmt.local, and then double-click IPv4
  • Right-click Scope [10.1.1.0] DACMT Scope, and then click Properties.
  • On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is chosen, and then click OK

NAPconfig11

Configure the default user class

Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.

  • In the DHCP console tree, under Scope [10.1.1.0] DACMT Scope, right-click Scope Options, and then click Configure Options.
  • On the Advanced tab, verify that Default User Class is chosen next to User class.
  • Select the 006 DNS Servers check box, in IP Address, under Data entry, type 10.1.1.160, and then click Add.

DHCP1

  • Select the 015 DNS Domain Name check box, in String value, under Data entry, type dacmt.local, and then click OK.
  • The dacmt.local domain is a full-access network assigned to compliant NAP clients.

DHCP2

  • Note The 003 Router option is configured in the default user class if a default gateway is required for client computers. Because all computers in the test lab are located on the same subnet, this option is not required.

DHCP3

Configure the default NAP class

Next, configure scope options for the Default Network Access Protection Class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server. Bear in mind that DHCP is the weakest NAP enforcement method: it only controls what the DHCP server hands out, so a user with local administrator rights can configure a static IP address and bypass it completely. Use IPsec or 802.1X enforcement where you need something an attacker cannot simply opt out of. To configure default NAP class scope options:

  • In the DHCP console tree, under Scope [10.1.1.0] DACMT Scope, right-click Scope Options, and then click Configure Options.
  • On the Advanced tab, next to User class, choose Default Network Access Protection Class.
  • Select the 006 DNS Servers check box, in IP Address, under Data entry, type 10.1.1.60, and then click Add.
  • Select the 015 DNS Domain Name check box, in String value, under Data entry, type restricted.dacmt.local, and then click OK. The restricted.dacmt.local domain is the restricted-access network assigned to noncompliant NAP clients.
  • Note The 003 Router option is configured in the default NAP class if a default gateway is required for client computers to reach the DHCP server or remediation servers on a different subnet. Because all computers in the test lab are located on the same subnet, this option is not required.
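The scope settings in the last three sections can also be applied with the DhcpServer module instead of the DHCP console. This is an added example, not part of the original post; it uses the post's scope (10.1.1.0), DNS servers (10.1.1.160 for compliant clients, 10.1.1.60 for noncompliant ones) and domain names, and runs against dacvtst001.

```powershell
# Added example (not from the original post): enable NAP on the DHCP scope
# and set the per-user-class options for compliant and noncompliant clients.
Import-Module DhcpServer

$dhcp     = 'dacvtst001.dacmt.local'
$scope    = '10.1.1.0'
$napClass = 'Default Network Access Protection Class'   # built-in user class

# Equivalent of the Network Access Protection tab on the scope: enable NAP
# with the default NAP profile (no -NapProfile given).
Set-DhcpServerv4Scope -ComputerName $dhcp -ScopeId $scope -NapEnable $true

# Options for COMPLIANT clients (Default User Class = no -UserClass).
# -Force skips the check that the DNS server answers, which a lab DNS may not.
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId $scope `
    -DnsServer 10.1.1.160 -DnsDomain 'dacmt.local' -Force

# Options for NONCOMPLIANT clients, matched by the NAP user class the client
# sends once it is quarantined. No 003 Router here: same subnet as the lab.
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId $scope -UserClass $napClass `
    -DnsServer 10.1.1.60 -DnsDomain 'restricted.dacmt.local' -Force

# Verify: the scope must show NapEnable = True and the NAP class must carry
# its own 006/015 values, otherwise quarantined clients get full-access DNS.
Get-DhcpServerv4Scope -ComputerName $dhcp -ScopeId $scope |
    Select-Object ScopeId, Name, State, NapEnable, NapProfile
Get-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId $scope -UserClass $napClass |
    Select-Object OptionId, Name, Value
```

Remember that the restricted options only shape what the server offers; they do not stop a noncompliant client that sets its own address, which is why the remediation network should also be segmented with ACLs or a separate VLAN.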

Configure NAP client settings in Group Policy

The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management feature on dacvtst001:

  • NAP enforcement clients
  • NAP Agent service
  • Security Center user interface

After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail

  • On dacvtst001, click Start, click Run, type gpme.msc, and then press ENTER.
  • In the Browse for a Group Policy Object dialog box, next to dacmt.local, click the icon to create a new GPO, type NAP Client Settings for the name of the new GPO, and then click OK.
  • The Group Policy Management Editor window will open. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.
  • In the details pane, double-click Network Access Protection Agent.
  • In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.

NAPconfig12

  • In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients.
  • In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.

NAPconfig13

  • In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
  • In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.

NAPconfig14

  • Close the Group Policy Management Editor window.
  • If you are prompted to apply settings, click Yes

Configure security filters for the NAP client settings GPO

Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.

  • On dacvtst001, click Start, click Run, type gpmc.msc, and then press ENTER.
  • In the Group Policy Management Console (GPMC) tree, navigate to Forest: dacmt.local\Domains\dacmt.local\Group Policy Objects\NAP Client Settings.
  • In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
  • When you are prompted to confirm the removal of delegation privilege, click OK. In the details pane, under Security Filtering, click Add.
  • In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type the name of a security group that contains your NAP client computer accounts (the TechNet lab calls it NAP client computers; create it in Active Directory Users and Computers and add the client computers to it first), and then click OK.
  • Removing Authenticated Users from Security Filtering also removes its Read permission on the GPO. On the Delegation tab, give Authenticated Users (or Domain Computers) Read back: since MS16-072 computers read GPOs in their own security context and silently skip any GPO they cannot read.

NAPconfig15

  • Close the GPMC.
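The GPO creation, security filtering and link can be done with the GroupPolicy and ActiveDirectory modules. This is an added example, not part of the original post: it creates the NAP client computers group (which does not exist by default), creates the NAP Client Settings GPO, swaps Authenticated Users for that group in the security filter while keeping Read, and links the GPO at the domain root. The test client name dacvcli001 and the group's SAM account name are assumptions. The enforcement client, NAP Agent service and Security Center settings themselves are still set in the Group Policy Management Editor as described above.

```powershell
# Added example (not from the original post): GPO, security filter and link
# for the NAP client settings. Run on dacvtst001 as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=dacmt,DC=local'
$gpoName  = 'NAP Client Settings'
$group    = 'NAP client computers'
$groupSam = 'NAPClientComputers'     # assumed SAM name for the group
$client   = 'dacvcli001'             # assumed test client computer

# 1. Group that decides which machines receive NAP client settings.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -SamAccountName $groupSam -GroupScope Global `
        -GroupCategory Security -Path "CN=Users,$domainDn"
}
Add-ADGroupMember -Identity $groupSam -Members (Get-ADComputer -Identity $client)

# 2. The GPO (created empty; edit it with gpme.msc as in the steps above).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'NAP enforcement client settings' }

# 3. Security filtering. 'None' removes Authenticated Users entirely, so Read
#    is granted again: post MS16-072, a computer that cannot read a GPO skips it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None    | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link at the domain root, once.
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null }

# 5. Only the client group should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On a client in the group, `gpupdate /force` followed by `netsh nap client show state` should list the DHCP Quarantine Enforcement Client as enabled and the NAP Agent as initialised; a client that still shows the enforcement client disabled after a reboot is usually not a member of the group (group membership is read at computer logon).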

Windows Server 2012 Scale Out File Server


Scale out File Server

Windows Server 2012 introduces a clustered Scale-Out File Server that provides continuously available file shares for application data by serving each share from every node of the cluster at the same time (the data itself lives on shared storage; nothing is replicated between nodes). Scale-Out File Server differs from traditional file-server clustering and isn’t recommended for scenarios with high-volume operations in which opening, closing, or renaming files occurs frequently.

In Windows Server 2012, the following clustered file servers are available:

  • Scale-Out File Server for application data (Scale-Out File Server)   This clustered file server is introduced in Windows Server 2012 and lets you store server application data, such as Hyper-V virtual machine files, on file shares, and obtain a similar level of reliability, availability, manageability, and high performance that you would expect from a storage area network. All file shares are online on all nodes simultaneously. File shares associated with this type of clustered file server are called scale-out file shares. This is sometimes referred to as active-active.
  • File Server for general use   This is the continuation of the clustered file server that has been supported in Windows Server since the introduction of Failover Clustering. This type of clustered file server, and thus all the shares associated with the clustered file server, is online on one node at a time. This is sometimes referred to as active-passive or dual-active. File shares associated with this type of clustered file server are called clustered file shares.

Key benefits provided by Scale-Out File Server in Windows Server 2012 include:

  • Active-Active file shares   All cluster nodes can accept and serve SMB client requests. By making the file share content accessible through all cluster nodes simultaneously, SMB 3.0 clusters and clients cooperate to provide transparent failover to alternative cluster nodes during planned maintenance and unplanned failures without service interruption.
  • Increased bandwidth   The maximum share bandwidth is the total bandwidth of all file server cluster nodes. Unlike previous versions of Windows Server, the total bandwidth is no longer constrained to the bandwidth of a single cluster node, but rather the capability of the backing storage system. You can increase the total bandwidth by adding nodes.
  • CHKDSK with zero downtime   CHKDSK in Windows Server 2012 is significantly enhanced to dramatically shorten the time a file system is offline for repair. Clustered shared volumes (CSVs) in Windows Server 2012 take this one step further and eliminates the offline phase. A CSV File System (CSVFS) can perform CHKDSK without impacting applications with open handles on the file system.
  • Clustered Shared Volume cache    CSVs in Windows Server 2012 introduces support for a read cache, which can significantly improve performance in certain scenarios, such as Virtual Desktop Infrastructure.
  • Simpler management   With Scale-Out File Servers, you create the Scale-Out File Server and then add the necessary CSVs and file shares. It is no longer necessary to create multiple clustered file servers, each with separate cluster disks, and then develop placement policies to ensure activity on each cluster node.

When to use Scale-Out File Server

You should not use Scale-Out File Server if your workload generates a high number of metadata operations, such as opening files, closing files, creating new files, or renaming existing files. A typical information worker would generate a lot of metadata operations. You should use a Scale-Out File Server if you are interested in the scalability and simplicity that it offers and you only require technologies that are supported with Scale-Out File Server. The following table shows the new capabilities in SMB 3.0, common Windows file systems, file server data management and applications, and if they are supported with Scale-Out File Server, or will require a traditional clustered file server:

Scale Out File Server

Review Failover Cluster Requirements

  • Scale-Out File Server is built on top of Failover Clustering so any requirements for Failover Clustering apply to Scale-Out File Server. You should have an understanding of Failover Clustering before deploying Scale-Out File Server
  • The storage configuration must be supported by Failover Clustering before you deploy Scale-Out File Server. You must successfully run the Cluster Validation Wizard before you add Scale-Out File Server.
  • Scale-Out File Server requires the use of Clustered Shared Volumes (CSVs). Since CSVs are not supported with Resilient File System, Scale-Out File Server cannot use Resilient File System.
  • Accessing a continuously available file share as a loopback share is not supported. For example, Microsoft SQL Server or Hyper-V storing their data files on SMB file shares must run on computers that are not a member of the file server cluster for the SMB file shares

Review Storage Requirements

  • Fibre Channel Storage Area Network You can use an existing fibre channel Storage Area Network as the storage subsystem for Scale-Out File Server.
  • iSCSI Storage Area Network You can use an existing iSCSI Storage Area Network as the storage subsystem for Scale-Out File Server.
  • Storage Spaces Storage Spaces is new in Windows Server 2012 and can also be used as the storage subsystem for Scale-Out File Server.
  • Clustered RAID controller A clustered RAID controller is new in Windows Server 2012 and can be used as the storage subsystem for Scale-Out File Server.

Review Networking Requirements

  • Ensure that the network adapter configurations are consistent across all of your nodes in Scale-Out File Server
  • Ensure that the network that includes the CSV redirection traffic has sufficient bandwidth
  • Use DNS dynamic update protocol for the cluster node name and all of the cluster nodes. You should ensure that the cluster node name is registered by using DNS dynamic update protocol. This should include the name of the Scale-Out File Server and the IP addresses of all of the network adapters in every cluster node on the client network.

Deploy Scale Out File Server

To take full advantage of Scale-Out File Server, all servers running the server applications that are using scale-out file shares should be running Windows Server 2012. If the server application is running on Windows Server 2008 or Windows Server 2008 R2, the servers will be able to connect to the scale-out file shares but will not take advantage of any of the new features. If the server application is running Windows Server 2003, the server will get access-denied error when connecting to the scale-out file share.

Prerequisites

  • First of all you will need 2 x Windows Server 2012 Servers built, updated and ready to work with for the Windows Failover Cluster
  • You will need 2 virtual NICs on each Windows 2012 Server. One for the Main Network and one for a Heartbeat network. Modify the binding order so the Main Network always comes first: in Network Connections press Alt to show the menu bar, select Advanced > Advanced Settings, and on the Adapters and Bindings tab move your Main Network to the top of the list

scaleout40

  • I set up a iSCSI Target Disk from another server for my Scale Out File Server Share. Please see the previous blog for instructions on how to do this
  • I also set up an iSCSI Target from another server for my Quorum Disk. Please see the previous blog for instructions on how to do this
  • * Optional * You can also add 3 basic Virtual disks to your first server which are going to be set up as a Storage Space as detailed in the steps below and leave them as Online, Initialised and Unformatted in Disk Management on your Server. I wanted to see if these could be added into the Failover Cluster Pool as an experiment

scaleout48

  • When you have a default build of your servers before adding any roles and features I would take a snapshot so at least you can go back to where you were when everything was a fresh build and worked!! (Setting this up didn’t work too well for me the first time round and I ended up rebuilding servers and getting cross!)

Procedure

  • Log on to the first server as a member of the local Administrators group.
  • In the QUICK START section, click Add roles and features
  • On the Before you begin page of the Add Roles and Features Wizard, click Next.

Scaleout1

  • On the Select installation type page, click Role-based or feature-based installation, and then click Next.

Scaleout2

  • On the Select destination server page, select the appropriate server, and then click Next. The local server is selected by default.

Scaleout3

  • On the Select server roles page, expand File and Storage Services, expand File Services, and then select the File Server check box. Click Next.

Scaleout4

  • On the Select features page, select the Failover Clustering check box, and then click Next.

Scaleout5

  • Click OK to the pop up box

Scaleout6

  • On the Confirm installation selections page, click Install.

Scaleout7

  • Repeat the steps in this procedure for each server that will be added to the cluster
  • Next Click Tools, and then click Failover Cluster Manager
  • Under the Management heading, click Validate Configuration
  • On the Before You Begin page, click Next

Scaleout8

  • On the Select Servers or a Cluster page, in the Enter name box, type the FQDN of one of the servers that will be part of the cluster, and then click Add. Repeat this step for each server that will be in the cluster

Scaleout9

  • Click OK to see the chosen servers

Scaleout10

  • On the Testing Options page, ensure that the Run all tests (recommended) option is selected, and then click Next.

Scaleout11

  • On the Confirmation page, click Next.

Scaleout12

  • The Validation tests will now run

Scaleout13

  • On the Summary page, ensure that the Create the cluster now using the validated nodes check box is selected, and then click Finish. View the report to make sure you do not need to fix anything before proceeding. The Create Cluster Wizard appears.

Scaleout14

  • On the Before You Begin page, click Next

Scaleout15

  • On the Access Point for Administering the Cluster page, in the Cluster Name box, type a name for the cluster, and choose an IP Address then click Next.

Scaleout16

  • On the Confirmation page, untick Add all eligible storage to the cluster (the disks are added by hand in the next steps), and then click Next.

Scaleout17

  • On the Summary page, click Finish.

Scaleout18

  • Right click on Disks in Failover Cluster Manager and select Add Disk

scaleout49

  • The 5GB Disk is my Quorum iSCSI Target Disk
  • The 15GB Disk is my Scale Out File Server iSCSI Target Disk
  • The 3 x 10GB Disks are the 3 basic unformatted virtual disks I added at the start of this procedure to my first server in order to try setting up a storage pool from within the Failover Cluster. Keep these unticked for now
  • You should now see the disks looking like the below

scaleout50

  • You should now be able to change the Quorum setting from Node Majority to Node and Disk Majority as per the instructions below, which is the recommended configuration for a 2 node Failover Cluster
  • Note the Quorum Disk cannot be a Cluster Shared Volume
  • Right click on the Cluster name in Failover Cluster Manager and select More Actions > Configure Cluster Quorum Settings

scaleout42

  • Select Quorum Configuration Options

scaleout43

  • Select Quorum Witness

scaleout44

  • Configure Storage Witness to be your 5GB Drive

scaleout45

  • Confirmation

scaleout46

  • Summary

scaleout47

  • Next Go to Failover Cluster Manager > Storage > Pools and Select New Pool
  • Note that once physical disks have been added to a pool, they are no longer directly usable by the rest of Windows – they have been virtualized, that is, dedicated to the pool in their entirety

Scaleout21

  • Specify a Name for the Storage Pool and choose the Storage Subsystem that is available to the cluster and click Next
  • Select the Physical Disks for the Storage Pool
  • Note the disks should be Online, Initialised but unallocated. If you don’t see any disks, you need to go into Server Manager and delete the volumes

Scaleout23

  • Confirm Selections

Scaleout24

  • Click Create and you will see the wizard running through the tasks

Scaleout25

  • The next step is to create a Virtual Disk (storage space) that will be associated with a storage pool. In the Failover Cluster Manager, select the storage pool that will be supporting the Virtual Disk. Right-click and choose New Virtual Disk

Scaleout35

  • Select the Storage Pool

Scaleout27

  • Specify the Virtual Disk Name

Scaleout28

  • Select the Storage Layout. (Simple or Mirror; Parity is not supported in a Failover Cluster) and click Next

Scaleout29

  • Specify the Provisioning Type

Scaleout30

  • Specify the size of your virtual disk – I chose Maximum

Scaleout31

  • Check and Confirm and click Create

Scaleout32

  • View Results and make sure Create a Volume when this wizard closes is ticked

Scaleout33

  • The volume wizard opens

Scaleout34

  • Select the Cluster and your disk

Scaleout36

  • Specify the size of the volume

Scaleout37

  • Choose a drive letter

Scaleout38

  • Select File System Settings

Scaleout39

  • Confirm and Create

Scaleout40

  • You should now see this Virtual Disk Storage space as a drive in Windows
  • Open Failover Cluster Manager.
  • Right-click the cluster, and then click Configure Role.
  • On the Before You Begin page, click Next.
  • On the Select Role page, click File Server, and then click Next.
  • On the File Server Type page, select the Scale-Out File Server for application data option, and then click Next.

Scaleout43

  • On the Client Access Point page, in the Name box, type a NetBIOS name that will be used to access the Scale-Out File Server, and then click Next
  • On the Confirmation page, confirm your settings, and then click Next.
  • On the Summary page, click Finish.

Scaleout47PNG

  • Click Start, type Failover Cluster, and then click Failover Cluster Manager
  • Expand the cluster, and then click Roles.
  • Right-click the file server role, and then click Add File Share.
  • On the Select the profile for this share page, click SMB Share – Applications, and then click Next.
  • On the Select the server and path for this share page, click the cluster shared volume, and then click Next.
  • On the Specify share name page, in the Share name box, type a name, and then click Next.
  • On the Configure share settings page, ensure that the Enable continuous availability check box is selected, and then click Next.
  • On the Specify permissions to control access page, click Customize permissions, grant the following permissions, and then click Next:
  • If you are using this Scale-Out File Server file share for Hyper-V, all Hyper-V computer accounts, the SYSTEM account, and all Hyper-V administrators must be granted full control on the share and the file system.
  • If you are using Scale-Out File Server on Microsoft SQL Server, the SQL Server service account must be granted full control on the share and the file system
  • On the Confirm selections page, click Create.
  • On the View results page, click Close
  • Note: You should not use access-based enumeration on file shares for Scale-Out File Server because of the increased metadata traffic that is generated on the coordinator node.
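The whole procedure from validation to the continuously available share can be driven from PowerShell with the FailoverClusters and SmbShare modules. This is an added example and not part of the original post: node names dacvsof001 and dacvsof002 come from the iSCSI post on this page; the cluster name and IP address, the cluster disk resource names, the SOFS access point, the share name, the Hyper-V host computer account and the Hyper-V administrators group are assumptions for the example. The optional Storage Spaces pool experiment is left to the wizard steps above.

```powershell
# Added example (not from the original post): validate, build the cluster,
# set Node and Disk Majority, create the CSV, the SOFS role and the share.
Import-Module FailoverClusters

$nodes    = 'dacvsof001', 'dacvsof002'
$cluster  = 'dacvclu001'            # assumed cluster name (access point)
$ip       = '10.1.1.50'             # assumed cluster IP address
$sofsName = 'dacvsofs'              # assumed SOFS client access point
$share    = 'VMs'                   # assumed share name
$hvHost   = 'DACMT\dacvhv001$'      # assumed Hyper-V host computer account
$hvAdmins = 'DACMT\Hyper-V Admins'  # assumed Hyper-V administrators group

# 1. Validate first and read the report; fix failures before creating anything.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"

# 2. Create the cluster without auto-adding storage (the post unticks
#    'Add all eligible storage to the cluster').
New-Cluster -Name $cluster -Node $nodes -StaticAddress $ip -NoStorage | Out-Null

# 3. Add the two iSCSI disks and see what names they were given.
Get-ClusterAvailableDisk -Cluster $cluster | Add-ClusterDisk | Out-Null
Get-ClusterResource -Cluster $cluster |
    Where-Object { $_.ResourceType -eq 'Physical Disk' } |
    Select-Object Name, State, OwnerGroup

# Assumed from that listing: the 5 GB disk became 'Cluster Disk 1' and the
# 15 GB data disk 'Cluster Disk 2'. Adjust to what your listing shows.
$witnessDisk = 'Cluster Disk 1'
$dataDisk    = 'Cluster Disk 2'

# 4. Node and Disk Majority with the 5 GB disk witness (recommended for 2 nodes).
#    The witness must never be made a CSV, so it is not passed to step 5.
Set-ClusterQuorum -Cluster $cluster -NodeAndDiskMajority $witnessDisk | Out-Null

# 5. The data disk becomes a Cluster Shared Volume (required for SOFS).
$csv     = Add-ClusterSharedVolume -Cluster $cluster -Name $dataDisk
$csvPath = $csv.SharedVolumeInfo[0].FriendlyVolumeName      # e.g. C:\ClusterStorage\Volume1

# 6. Scale-Out File Server role, then a folder for the share on the CSV.
Add-ClusterScaleOutFileServerRole -Cluster $cluster -Name $sofsName | Out-Null
$folder = Join-Path $csvPath $share
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 7. Share it in the SOFS scope: continuously available, access-based
#    enumeration off, full control for the Hyper-V accounts on share AND NTFS.
$fullAccess = $hvHost, 'NT AUTHORITY\SYSTEM', $hvAdmins
New-SmbShare -Name $share -Path $folder -ScopeName $sofsName `
    -ContinuouslyAvailable $true -FolderEnumerationMode Unrestricted `
    -FullAccess $fullAccess | Out-Null
foreach ($principal in $fullAccess) {
    icacls $folder /grant "$($principal):(OI)(CI)F" | Out-Null
}

# 8. Check the result.
Get-SmbShare -Name $share -ScopeName $sofsName |
    Select-Object Name, ScopeName, Path, ContinuouslyAvailable, FolderEnumerationMode
Get-ClusterQuorum -Cluster $cluster | Select-Object Cluster, QuorumResource, QuorumType
```

Keep the `-FullAccess` list to the computer accounts and administrators that actually need it: a Hyper-V host's computer account has full control over every VHD on the share, so a compromised host can reach every VM stored there. Granting `Everyone` or `Authenticated Users` on an SOFS share is a common shortcut that turns the storage network into a single point of compromise.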

Useful Links

http://technet.microsoft.com/en-us/library/jj612868.aspx

http://support.microsoft.com/kb/2813005/en-us

Installing and Configuring iSCSI Target Server on Windows Server 2012


What is iSCSI Target Server?

iSCSI Target allows your Windows Server to share block storage remotely. iSCSI leverages the Ethernet network and does not require any specialized hardware. There is a brand new UI integrated with Server manager, along with 20+ cmdlets for easy management.

iSCSI Terms

  • iSCSI:

An industry-standard protocol for sharing block storage over Ethernet. The server that shares the storage is called the iSCSI Target; the server (machine) that consumes the storage is called the iSCSI initiator. Typically the iSCSI initiator is an application server: for example, if the iSCSI Target provides storage to a SQL Server, the SQL Server is the iSCSI initiator in that deployment.

  • Target:

It is an object which allows the iSCSI initiator to make a connection. The Target keeps track of the initiators which are allowed to be connected to it. The Target also keeps track of the iSCSI virtual disks which are associated with it. Once the initiator establishes the connection to the Target, all the iSCSI virtual disks associated with the Target will be accessible by the initiator.

  • iSCSI Target Server:

The server that runs the iSCSI Target. It is also the name of the iSCSI Target role service in Windows Server 2012.

  • iSCSI virtual disk:

It is also referred to as an iSCSI LUN. It is the object which can be mounted by the iSCSI initiator. The iSCSI virtual disk is backed by a VHD file on the Target Server.

  • iSCSI connection:

An iSCSI initiator makes a connection to the iSCSI Target by logging on to a Target. There can be multiple Targets on the iSCSI Target Server, and each Target can be accessed by a defined list of initiators. Multiple initiators can make connections to the same Target; however, this configuration is only supported with clustering, because when multiple initiators connect to the same Target all of them can read and write the same set of iSCSI virtual disks, and without clustering (or an equivalent process) to govern disk access, corruption will occur. With clustering, only one machine is allowed to access the iSCSI virtual disk at a time.

  • IQN:

The unique identifier of a Target or initiator. The Target IQN is shown when the Target is created on the server. The initiator IQN can be found by running iscsicli with no arguments at a command prompt. Note that an initiator can set its own IQN freely, so an IQN is an identifier, not a credential.

  • Loopback:

There are cases where you want to run the initiator and Target on the same machine; this is referred to as “loopback”. In Windows Server 2012 it is a supported configuration. In a loopback configuration you can give the initiator the local machine name for discovery, and it will list all the Targets the initiator can connect to. Once connected, the iSCSI virtual disk is presented to the local machine as a newly mounted disk. There is a performance impact on I/O compared with other local I/O, since it travels through the iSCSI initiator and Target software stacks. One use case for this configuration is to have initiators write data to the iSCSI virtual disk, then mount those disks on the Target server (using loopback) to check the data in read mode.

Instructions

The aim of this particular blog is to configure an iSCSI Target Disk which my Windows Server 2012 Failover Cluster can use as its Quorum Disk so we will be configuring a 5GB Quorum Disk which we will then present to the Failover Cluster Servers

  • Open Server Manager and click Add Roles and Features

ISCSI1

  • Choose Role based or Feature based installation

iSCSI2

  • Select Destination Server

iSCSI3

  • Select Server Roles > File and Storage Services > File and iSCSI Services > iSCSI Target Server

iSCSI4

  • Add Features that are required for iSCSI Target Server (None ticked here)

iSCSI5

  • Confirm Installation Selections

iSCSI6

  • To complete the iSCSI Target Server configuration go to Server Manager, click File and Storage Services > iSCSI
  • Go to iSCSI Virtual Disks and click “Launch the New Virtual Disk wizard to create a virtual disk”, then walk through the virtual disk and target creation
  • Select an iSCSI virtual disk location

iSCSI7

  • Specify iSCSI virtual disk name

iSCSI8

  • Specify iSCSI virtual disk size

iSCSI9

  • Assign iSCSI Target

iSCSI10

  • Specify Target Name. Underscores are not allowed but it will change them for you

iSCSI12

  • Specify Access Servers

iSCSI14

  • Select a method to identify the initiator

iSCSI13

  • Click Browse and type in the name of the servers which will need to access this virtual disk
  • I have added my 2 Windows Failover Cluster VMs which are called dacvsof001 and dacvsof002

iSCSI15

  • Enable Authentication

iSCSI16

  • Confirm Selections

iSCSI17

  • View Results

iSCSI18

  • Next we need to go to the first Failover Cluster Server, dacvsof001, and add the disk
  • On dacvsof001, open Server Manager, click Tools and select iSCSI Initiator. When you select this, you will get the following message. Click Yes
  • Type in the Target Server address, which is the server you created the Virtual Disk on, and click Quick Connect
  • You will see the Target listed as available for connection
  • Click Done
  • Now open Disk Management to make sure that the disk is presented correctly
  • Right click on this disk and select Online
  • Right click again and select Initialise
  • Create a new Volume. I used Q for the Quorum Disk
  • Now go to the second Windows Failover Cluster Server and do exactly the same thing
  • Leave this disk online and initialised, but do not assign it a drive letter
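The same target and initiator configuration from the command line, as an added PowerShell example that is not from the original post. It assumes the iSCSI Target Server role and the built-in iSCSI initiator cmdlets on Windows Server 2012; the VHD path, the CHAP user name and the target server name are placeholders, not values from the post.

```powershell
# --- On the iSCSI Target Server ---
$VhdPath = "C:\iSCSIVirtualDisks\Quorum.vhd"        # constructed path, not from the post

# 5 GB virtual disk for the cluster quorum
New-IscsiVirtualDisk -Path $VhdPath -SizeBytes 5GB

# Restrict the target to the two cluster nodes, identified by DNS name:
# no other initiator on the network can log on to it
New-IscsiServerTarget -TargetName "Quorum" -InitiatorIds @(
    "DNSName:dacvsof001.dacmt.local",
    "DNSName:dacvsof002.dacmt.local")
Add-IscsiVirtualDiskTargetMapping -TargetName "Quorum" -Path $VhdPath

# "Enable Authentication": one-way CHAP, so a node must present a secret to log on.
# The CHAP user name is a constructed placeholder; the secret is typed in, never stored here.
$Chap = Get-Credential -UserName "quorum-chap" -Message "CHAP secret (12 to 16 characters)"
Set-IscsiServerTarget -TargetName "Quorum" -EnableChap $true -Chap $Chap

# --- On each cluster node (dacvsof001 first, then dacvsof002) ---
$TargetServer = "TARGET-SERVER-FQDN"                  # placeholder for the target server
Set-Service -Name MSiSCSI -StartupType Automatic      # what the "Click Yes" prompt does
Start-Service -Name MSiSCSI

# Discover the target and log on persistently with the same CHAP secret
New-IscsiTargetPortal -TargetPortalAddress $TargetServer | Out-Null
$Chap   = Get-Credential -UserName "quorum-chap" -Message "CHAP secret"
$Target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*quorum*" }
Connect-IscsiTarget -NodeAddress $Target.NodeAddress -IsPersistent $true `
    -AuthenticationType ONEWAYCHAP -ChapUsername $Chap.UserName `
    -ChapSecret $Chap.GetNetworkCredential().Password | Out-Null

# Bring the new disk online; initialise and format it on the first node only.
# On the second node the disk is no longer RAW, so it stays online without a letter.
$Disk = Get-Disk | Where-Object { $_.BusType -eq "iSCSI" }
Set-Disk -Number $Disk.Number -IsOffline $false
if ($Disk.PartitionStyle -eq "RAW") {
    Initialize-Disk -Number $Disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $Disk.Number -UseMaximumSize -DriveLetter Q |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "Quorum" -Confirm:$false
}
```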

Windows 2012 Domain Controller Command Line Tools


Once you install the Windows Server 2012 Domain Controller role, you will find that you can right-click the server in the console and a menu appears showing that you can connect to several different command-line tools. This looks like a very handy feature to have, so let's take a deeper look at these tools.

You can run these commands in the Active Directory Module for Windows PowerShell or cmd.exe


What does Dcdiag.exe do?

This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health and DNS health.


What does Dsacls.exe do?

Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.


What does Dsdbutil.exe do?

Dsdbutil is a command-line tool that is built into Windows Server 2008. It is available if you have the AD LDS server role installed. To use dsdbutil, you must run the dsdbutil command from an elevated command prompt. It performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.


What does Dsmgmt.exe do?

Dsmgmt is a command-line tool which is available if you have the AD LDS server role installed. To use dsmgmt, you must run the dsmgmt command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. It facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.)


What does Gpfixup.exe do?

This tool is used to fix domain name dependencies in Group Policy Objects (GPOs) and Group Policy links after a domain rename operation.


What does ldp.exe do?

This GUI tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata. LDP is a GUI-based, Windows Explorer–like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text displayed in the details pane can be selected with the mouse and “copied” to the Clipboard.

  • Connect through PowerShell to ldp.exe
  • Click Connection
  • Put in your DC Name
  • You are then connected and ready to use the tool

http://technet.microsoft.com/en-us/library/cc756988%28v=ws.10%29.aspx


What does Netdom.exe do?

This command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line. You can join a machine to a domain, manage computer accounts for domain member workstations and member servers, establish one-way or two-way trust relationships between domains (including certain kinds of trust relationships), verify and/or reset the secure channel for the following configurations, and manage trust relationships between domains.

http://technet.microsoft.com/en-us/library/cc781853%28v=ws.10%29.aspx 

What does Nltest.exe do?

Nltest.exe is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). This tool can do the following:

  • Get a list of domain controllers
  • Force a remote shutdown
  • Query the status of trust
  • Test trust relationships and the state of domain controller replication in a Windows domain
  • Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

http://technet.microsoft.com/en-us/library/cc731935%28v=WS.10%29.aspx

What does Ntdsutil.exe do?

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.


What does Repadmin do?

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

http://technet.microsoft.com/en-us/library/cc736571%28v=ws.10%29.aspx
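A domain controller health check that strings the tools above together (dcdiag, repadmin, w32tm and nltest), as an added PowerShell example that is not from the original post. It assumes the AD DS tools are installed and the script runs from an elevated prompt on a domain controller; the column names used for the CSV output are the headers repadmin writes in /csv mode.

```powershell
# Replication failures as objects, from the CSV form of repadmin /showrepl.
# Column names are the headers repadmin writes in /csv mode.
function Get-ReplicationFailures {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

# One object summarising DC health for the domain (dacmt.local is the post's domain)
function Test-DcHealth {
    param([string]$Domain = "dacmt.local")
    [pscustomobject]@{
        # /q prints only failures, so empty output means every dcdiag test passed
        DcdiagErrors = (dcdiag /q) -join "`n"
        ReplSummary  = (repadmin /replsummary) -join "`n"
        ReplFailures = Get-ReplicationFailures
        # time source and offset; a skewed clock breaks Kerberos across the domain
        TimeStatus   = (w32tm /query /status) -join "`n"
        # every DC nltest can enumerate for the domain
        DomainDcs    = (nltest /dclist:$Domain) -join "`n"
    }
}

$Health = Test-DcHealth
if ($Health.DcdiagErrors) { $Health.DcdiagErrors }
if ($Health.ReplFailures) { $Health.ReplFailures | Format-Table -AutoSize }
else { "No replication failures reported by repadmin" }
$Health.ReplSummary
$Health.TimeStatus
```

Scheduling this as a daily task and keeping the output gives a baseline, so a new entry in ReplFailures or a changed time source stands out.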

What does W32tm.exe do?

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command-line tool for configuring, monitoring, or troubleshooting the Windows Time service. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs, and is not supported by Microsoft as such.

http://technet.microsoft.com/en-us/library/cc773263%28v=WS.10%29.aspx

Installing a Windows Server 2012 Domain Controller and DNS


Installing a new DC

  • Install Windows Server 2012
  • Click Manage > Install Roles and Features
  • The Add Roles and Features Wizard will start
  • Click Next
  • Choose Role based or Feature installation
  • Select the Server
  • Click Next and choose Active Directory Domain Services
  • A box will pop up as per below
  • Click Add Features
  • Click DNS as well
  • A box will pop up
  • Click Add Features
  • Click Next
  • Read the Notes
  • Read the Notes about the DNS Server
  • Select Restart
  • You will get the following message after selecting the checkbox for Restarting
  • Click Install
  • The final screen will show the progress of the install
  • You can also Export Configuration Settings, which are in the form of PowerShell commands, allowing you to install from these to another DC in the future
  • Click Export Configuration Settings
  • Once AD Domain Services has been installed, you now need to promote this server to be a Domain Controller
  • In Server Manager, you will see a notification triangle in the top right. Click this and you will get the following message
  • Click Promote this server to a Domain Controller
  • I am going to add this Domain Controller to my current domain dacmt.local
  • Click Next
  • Type in a Directory Services Restore Mode Password
  • Click Next
  • Click Next on the DNS Screen
  • Choose your replication option
  • Choose paths for the AD Files
  • Note: best practice would advise you to separate these services onto different redundant drives, but this is just a demo so they all reside on the C drive
  • Check the Preparation Options
  • Review Options
  • Prerequisites Check
  • Click Install
  • Reboot when the install is finished
  • Once in Server Manager with the AD DS role selected, scroll down and you will see a section called Best Practices Analyzer. You can then go to Tasks and choose to run the BPA scan. This BPA scan can also be run from Windows PowerShell

Microsoft Technet Further Information

http://technet.microsoft.com/library/hh472162.aspx