In this post, we’ll cover a whopping 77 Helpful Technet Articles For Advanced Microsoft System Administrators! We have neatly arranged articles into categories such as Active Directory, Configuring Network Services, File and Storage Solutions, Configuring High Availability, Identity and Access Solutions, as well as Continuity and Disaster Recovery.
- Active Directory Articles
- Network Services Articles
- File and Storage Articles
- High Availability Articles
- Identity and Access Solution Articles
- Continuity and Disaster Recovery Articles
Active Directory Articles
The Adprep command is a tool that ships with Windows Server to help you prepare an older version of an Active Directory network, for a newer version of Windows Server. If you add or upgrade a domain controller in an existing network to a newer version of Windows Server, you need to run Adprep first.
This article provides many helpful tips and possible known issues when installing Windows Server 2012. It covers system requirements, processors, ram, disk space, and x64 based considerations such as disabling driver signature enforcement.
Read-Only Domain Controllers serve a fairly specific use case in a Windows Server-based network. They are typically used in a remote location, where physical security may not be as high as at a central location. This article covers typical administration tasks one might be presented with when responsible for an RODC, especially for issues of password cache and replication.
A useful post about using the bcdedit command to ensure Windows restarts in safe mode for times when you may need it.
Talks about potential threats of inter forest trusts, security settings, minimum administrative credentials required, trust security, and other topics. It also covers the topic of disabling SID Filtering, and how it can reduce security in your domain.
A great article about how replication topologies work, in addition to the DEFAULTIPSITELINK and related site link concepts.
Covers some important facts to be aware of when upgrading a Windows Server network to Windows Server 2012. Notes that you can run Adprep on domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012.
Covers details about communications over trust and security-related concepts of forest and domain trusts. Enabling and disabling SID Filtering can be used to deny or allow access to resources.
This article talks about moving a domain controller for purposes of site-specific user authentication. Recommends that you verify the IP address of the DC is included in the subnet range of the site before moving.
Talks about the complex infrastructure that is Group Policy and advises on checking group policy health, reading a group policy status report, checking active directory for replication issues, as well as how to verify a group policy object was replicated to all domain controllers.
Default groups are security groups that are created automatically when you create an Active Directory domain. The Domain Admins group is an example of a default group. An administrator can use these predefined groups to delegate specific domain-wide administrative roles and help control access to shared resources.
Located in the Local Users and Groups Microsoft Management Console snap-in is the Groups folder. It displays the default local groups as well as any local groups an administrator creates. When you install the Windows operating system, default local groups are created automatically. A user that belongs to a local group gives that user the rights and abilities to perform various tasks on the local computer such as operating the Windows Server Backup tool.
This Powershell cmdlet can be used to set the replication properties for an Active Directory site. It an administrator wanted to set a specific time interval for Active Directory replication changes to domain controllers in a forest, this command could be used.
A Trust Anchor is another way to describe a Public Cryptographic Key for a signed zone. This article covers types of trust anchors, delegations and the chain of trust, working with trust anchors, and trust anchor status.
A GlobalNames zone makes it possible to use shorter and easier to remember names than having to use a fully qualified domain name. This would allow DNS to query something like lenovothinkpad instead of lenovothinkpad.vegibit.com. Implemented by creating a GlobalNames zone that replicates to all domain controllers in the forest, and the creation of alias CNAME records.
This Powershell command is very powerful in its ability to directly modify properties of an Active Directory domain. There are many possible parameters and switches an administrator can apply with this cmdlet, so it is important to know what you are trying to accomplish before trying anything in production.
Migrates an end-user computer or member server from one domain to another with no disruption to shared resources. If an account does not already exist on the domain during the move, one is created automatically.
Can be used to reset, verify, or establish a trust between domains. One could use this command to fine-tune authentication requests across forest trusts.
Similar in usage to Set-ADDomain, the Set-ADUser cmdlet directly modifies an Active Directory user. It has even more options than Set-ADDomain, so again, be sure to consult this article before making use of it. Some example switches are UserPrincipalName, Identity, AccountExpirationDate, City, Division, and AuthType.
Network Services Articles
IPAM stands for IP Address Management and involves the concepts of centralized management, monitoring, and bookkeeping of IP addresses and related infrastructure servers on an active directory network. This article provides step by step instructions now how to configure IPAM. These include: Choose an IPAM server, Specify the IPAM database, Choose a provisioning method, Configure the scope of discovery, Start server discovery, Configure settings on managed servers, Select manageability status on managed servers, Verify IPAM access, Retrieve data from managed servers, and Visualize Data.
When working with IPAM or IP Address Management, an administrator has a few options for configuration. One approach is to manually configure the active directory domain controller and network policy server. Another is by enabling IPAM access using Windows Firewall and the Event Log Readers security group.
This article can help administrators if they run into an issue where name protection has been enabled on an IPv4 scope, but secure DNS updates haven’t been enabled. If you want name protection to work correctly, secure updates must be enabled to prevent DNS name hijacking. In addition, you must also store the zone in Active Directory.
A scope can be thought of as a collection of IP addresses for computers on a subnet that uses DHCP. For each subnet, an administrator will typically configure an associated DHCP scope. You can also configure specific options for DHCP such as assigning DNS name servers to clients during IP address allocation.
The Set-DnsServerCache cmdlet can be used to modify cache settings on a given DNS server on the network. One might make use of it to ensure faster DNS resolution after a network change.
This is another article about configuring DHCP. When we think of DHCP, it is sometimes easy to just associated it with only handing out an IP address. The reality is that it is a little more complex than that. When considering DHCP options, there are default global options, class options, reserved client options, and scope options, which are applied to any clients that obtain a lease within that particular scope.
This article provides a high-level overview of the entire IPAM concept and covers some important deployment options to consider when choosing IPAM as an IP address solution. Some of those options are Distributed: An IPAM server deployed at every site in an enterprise, Centralized: One IPAM server in an enterprise, and Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site. Keep in mind that one can not install the IPAM role service on an Active Directory Domain Controller server.
Talks about a specific scenario regarding if the allow list is enabled, MAC address filtering should be populated, since you can run into an instance where all end users are denied an IP address. The admin should either disable the allow filters or add some MAC addresses to the allow filter.
Sometimes the command line can be more efficient than clicking away through the GUI. Dnscmd allows you to manage and script repetitive DNS administrative tasks right from the command line. It has a large number of associated commands such as clearcache, ageallrecords, config, createbuiltindirectorypartitions, createdirectorypartition, and many more.
As we mentioned, a GlobalNames Zone makes for very short and simple name resolution in your network. The specific steps for deployment can vary just a bit, but this document will cover all use cases.
During deployment of a GlobalNames Zone, you may need to run this command. It enables or disables single-label Domain Name System queries. It is also used to change configuration settings for a GlobalNames zone.
File and Storage Articles
The Start-OBRegistration command and the following command work together to register and configure a computer, or servers, for backup to a chosen destination.
The Set-OBMachineSetting command and the previous command work together to register and configure a computer, or servers, for backup to a chosen destination.
Data Deduplication is kind of a funny name that just means a specialized form of compression. It allows one to eliminate duplicate copies of data in order to better make use of existing resources. This article outlines the steps needed to configure this in your Windows Server environment. There are a few disk requirements associated with data deduplication such as can’t be a system boot volume, must not rely on the ReFS file system, and must not rely on cluster shared volumes.
The Vssadmin command is used to display the current volume shadow copy backups and all installed shadow copy writers and providers. With it, an administrator can add shadow storage along with many other options for shadow storage management.
Use this command to easily set or change the label of the file system for an existing volume.
The Set-SyncShare cmdlet is a little more advanced than Set-Volume as it modifies the settings for a sync share.
Use this reference to automate all management tasks by combining cmdlets for iSCSI target, iSCSI initiator, and iSCSI storage.
Configure the ability to have users request assistance from a custom access denied message by configuration in the File Server Resource Manager options.
High Availability Articles
Learn how to set up a Hyper-V Replica. This article advises to Set up the Hyper-V server, Set up replication, Test the deployment, Run a planned failover, Respond to an unplanned failover, and Set up an extended replica. Learn how to use Failover Cluster Manager, Hyper-V Replica Broker role, and configure node based Hyper-V settings.
If you have an application that was not originally designed to run in a failover cluster, or a developer builds a new application that is not cluster-aware, you can use this command to make it work.
Network Load Balancing is a means of distributing incoming TCP, UDP, and HTTP requests across multiple member servers. NLB is defined in software that is present on each member of the cluster. Learn about things like Client Affinity, which is used to associate clients to a particular member, a particular IP address, or via the class C portion of their IP address. For example, Affinity-Single is useful for maintaining session state for users.
Hyper-V allows administrators to configure a virtualized server environment without the need for additional software such as a VMWare solution. This migration guide outlines how to migrate the Hyper-V role, associated Virtual Machines, data, and OS settings from a source server to a destination server. Keep in mind the source and destination server should be using the same type of processor for migrations to work correctly.
Amazingly, you can move the virtual machine storage without downtime or interruption to end-users with a process called Storage Migration. This guide shows you how to make that happen should you need to.
When working with a Cluster in Windows Server, you can configure the Preferred Owners in a failover situation. This article is by a Microsoft High Availability and Clustering software engineer who describes exactly how this works.
This article gives a full overview of NLB and the concepts that make it work. Topics covered include Host Priorities, Port Rules, Managing Server Applications, Rolling Upgrades, Cluster traffic, and Remote Control.
Scale-Out File Server is a clustered file server technology that lets you store server application data, such as Hyper-V virtual machine files, on file shares, and obtain a similar level of reliability and high performance that you might expect from a storage area network. All file shares are online on all nodes simultaneously. File shares associated with this type of clustered file server are called scale-out file shares.
Quorum is another word for Majority, as in a vote of confidence. Quorum is in place to determine how many failures a Cluster can sustain. If the votes drop below a majority, nodes cease to operate as a cluster. When the problems clear, and votes increase above the majority, node may begin to function again as a cluster. Yes, it is tricky stuff – but this article will help! The configurations to be aware of are:
- Node Majority: recommended for clusters with an odd number of nodes
- Node and Disk Majority: recommended for clusters with an even number of nodes
- Node and File Share Majority: for clusters with special configurations
- No Majority: Disk Only: not recommended
This technet article provides a procedural approach to migrate clustered services and applications from one multi-node cluster to another.
Covers new topics in Failover Clustering which offers high availability and scalability to application workloads such as Microsoft Exchange Server, Hyper-V, Microsoft SQL Server, and custom-built applications.
Multi-Site failover clusters may require some fine-tuning for optimum performance. The goal is to minimize any downtime experienced by clients, and this can be impacted by how fast DNS replication occurs and how quickly clients query DNS information for updates. This article shows how to adjust heartbeat and DNS settings for optimization.
Failover Cluster monitoring settings may differ from business case to business case. This article takes a look at some best practices for configuring failover settings in a cluster network, and what the pros and cons are of each approach.
When multiple nodes operate as a cluster, you still must take into account that these servers may need to be upgraded as patches and security fixes are made available. The Add-CauClusterRole will help administrators with this task.
Before spinning up a Virtual Machine, it is probably a good idea to be sure the host can support the type of virtual machine you would like to run. The Compare-VM command will help with just that task as it compares a VM and a VM Host for compatibility.
A Clustered Shared Volume is the concept of multiple nodes having simultaneous read and write access to the same Logical Unit Number provisioned as an NTFS volume. This article shows you how to put CSVs to work for your environment.
If you have a need of security on your disks in a Cluster Shared Volume, you can configure BitLocker to provide this service. One thing to be aware of, however, is that if you would like to make use of this feature, you would have to enable it on all nodes in the cluster.
Identity and Access Solutions Articles
In order for clients to use Windows Integrated authentication to access a federation server, an administrator can take these 5 steps to add an (A) record to corporate domain name server federation server.
This article talks about how to configure all users in a domain to be issued a certificate that may be used for client authentication, encrypting file system, as well as email security.
Covers all of the new features of Kerberos Authentication in Windows Server 2012 such as claims, compound authentication, and kerberos armoring.
If you need an overview of what Dynamic Access Control, Central Access Rules, Central Access Policies, Claims, Expressions, and Proposed Permissions are, this document will help you better understand them.
Covers the phases of deploying a central access policy such as identifying the need for a policy and required configuration, implementing the configuration of said policy, deploying the central access policy and policy maintenance including staging and changes.
Helps administrators understand how to manage password policies and read only domain controller scenarios such as pre populating a password for a user on a remote read only domain controller.
OCSP stands for Online Certificate Status Protocol and this document talks about configuring an Online Responder to have a valid OCSP signing certificate. You can make use of the certutil command to assist with this task.
In Active Directory Rights Management Services you can assign rights to users with a federated trust via Active Directory Federation Services. With this approach, a company can enable shared access to rights protected content by another company if desired – with no need for an additional AD trust or AD RMS infrastructure.
Fine grained passwords can be used to apply different restrictions for password and account lockout policies to different sets of users in a domain. Fine grained passwords can be used with PSO or Password Settings Objects within a domain. The PSO has attribute settings such as Enforce password history, Maximum password age, Minimum password age, Minimum password length, and more.
If you have a need to provide a user the ability to read a data folder where they are currently prohibited by an authentication firewall, you could follow the steps in this article to accomplish that task.
This article has information and procedures you can use to configure role based access control which consists of Roles, Access Scopes, and Access Policies.
Active Directory Rights Management Services has many topics to be aware of before one deploys a particular solution. This article covers such topics as Administrative Accounts, Cross-Boundary Collaboration Considerations, Trusted User Domains (TUD), Trusted Publishing Domains (TPD), Federated Identity using Active Directory Rights Management Services ADFS, Additional Components for Multi-forest Environments, AD RMS Service Discovery, and Publishing AD RMS to the Internet.
With this command an administrator can assign a virtual disk to an iSCSI target.
Disaster Recovery Articles
If you find yourself in the unlucky situation of having to resort to a bare metal recovery, the Wbadmin start sysrecovery command will help you.
Administrators should consider the hardware available and what information they would like to preserve when determining where to save backup data.
Bootsect.exe updates the master boot code for hard disk partitions to switch between BOOTMGR and NTLDR. You can use this tool to restore the boot sector on your computer. This tool replaces FixFAT and FixNTFS. Bootrec.exe on the other hand is used for “Bootmgr Is Missing” issues.
Provides helpful tips on how to run the Bootrec.exe tool in Windows Recovery Options.
The Get-OBPolicy cmdlet gets the details about scheduling backups, files included in the backup, and retention policy, of the current backup policy. Often used with the Set-OBPolicy cmdlet to store updates to the policy.
Provides a good overview of Backup Operator permissions such as Backup files and directories, Restore files and directories, and Shut down the system.
Should you want to make use of cloud backup technologies in your disaster recovery implementation, this article will be helpful.
Use this command with Get-OBPolicy to configure the details of a scheduled backup service.
Offers more helpful tips for backup and recovery of production environments to the cloud.
77 Helpful Technet Articles For Advanced Microsoft System Administrators Summary
Well there you have it, 77 Helpful Technet Articles For Advanced Microsoft System Administrators. We hope you found this list helpful for your day to day system administration needs. Share with a friend!