MCP Implementing an Advanced Server Infrastructure (70-414) – another study guide

Exam 70-414 Implementing an Advanced Server Infrastructure

This blog post is a study guide to help you prepare for the Microsoft MCP exam 70-414: Implementing an Advanced Server Infrastructure.

To prepare seriously for this certification, there is a lot of content to read and understand! Like every other Microsoft certification, a technical background and hands-on experience with Microsoft infrastructure (Windows Server 2003 through 2012, clustering and System Center) is a real advantage.

Official link on Microsoft Web site :

Manage and maintain a server infrastructure (25–30%)

- Design an administrative model -
-> Design considerations including user rights, built-in groups, and end-user self-service portal; design a delegation of administration structure for Microsoft System Center 2012

How to Create a Delegated Administrator User Role in VMM

Creating User Roles in VMM

- Design a monitoring strategy -
-> Design considerations including monitoring servers using Audit Collection Services (ACS), performance monitoring, centralized monitoring, and centralized reporting; implement and optimize System Center 2012 – Operations Manager management packs; plan for monitoring Active Directory

Agentless Monitoring in Operations Manager

Well-known security identifiers in Windows operating systems (Event Log Readers group)

Creating Data Collector Sets

SQL Server Reporting Services (SSRS)

Defining a Service Level Objective Against an Application

- Design an updates infrastructure -
-> Design considerations including Windows Server Update Services (WSUS), System Center 2012 – Configuration Manager, and cluster-aware updating; design and configure Virtual Machine Manager for software update management; update VDI desktop images

WSUS topology designs
- Single WSUS server
- Multiple independent WSUS servers
- Multiple internally synchronized WSUS Servers (1 upstream and multiple downstream servers)
- Disconnected WSUS Servers

Deploy Replica when you want a server to inherit update approvals from a central server

Choose a WSUS Management Style

Windows Internal Database feature or SQL Server 2008 (or later)

How to Add an Update Server to VMM
--> Add WSUS Console to VMM Server

- Implement automated remediation -
-> Create an Update Baseline in Virtual Machine Manager; implement a Desired Configuration Management (DCM) Baseline; implement Virtual Machine Manager integration with Operations Manager; configure Virtual Machine Manager to move a VM dynamically based on policy; integrate System Center 2012 for automatic remediation into your existing enterprise infrastructure

Overview of Desired Configuration Management

Local Storage vs Remote Storage

WSUSUtil tool to configure SSL when WSUS is used with SCCM

How to Install a WSUS Server for VMM

If you install WSUS on a remote server, you must install a WSUS Administration Console on the VMM management server and then restart the VMM service. With a highly available VMM management server, you must install a WSUS Administration Console on each node of the cluster to enable the VMM service to continue to support update management. Update management in VMM requires a WSUS Administration Console, which includes the WSUS 3.0 Class Library Reference.

System Requirements: Update Management

Cluster-Aware Updating modes:
- Remote-updating mode
- Self-updating mode

Windows Server 2012 - Cluster Aware Updating (CAU) in action (some French text, but many screenshots in English)

Virtual Machine Servicing Tool (VMST) --> need a WSUS or SCCM server in your infrastructure

Introduction to Compliance Settings in Configuration Manager

Introduction to Collections in Configuration Manager

What's New in BranchCache

Plan and implement a highly available enterprise infrastructure (25–30%)

- Plan and implement failover clustering -
-> Plan for multi-node and multi-site clustering; design considerations including redundant networks, network priority settings, resource failover and failback, heartbeat and DNS settings, Quorum configuration, and storage placement and replication

Windows Server 2012: Improvements in Failover Clustering (Video 56min)

What's New in Failover Clustering in Windows Server 2012

Configure and Manage the Quorum in a Windows Server 2012 Failover Cluster

Witness disk must be formatted NTFS

4 quorum modes:
- node majority
- node and disk majority
- node and file share majority
- no majority (disk only)

Failover after 5 missed heartbeats (= 5 sec)
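The quorum and heartbeat notes above, as an added PowerShell example that is not part of the original post: it reads the heartbeat parameters behind the "5 missed heartbeats" rule, records the current quorum, then picks a quorum mode from the node count. The cluster name `CLUSTER01` and witness disk `Cluster Disk 1` are placeholders; the cmdlets come from the FailoverClusters module shipped with Windows Server 2012.

```powershell
Import-Module FailoverClusters

# Placeholder names: replace with your cluster and witness disk.
$clusterName = 'CLUSTER01'
$witnessDisk = 'Cluster Disk 1'

# Heartbeat settings. SameSubnetDelay is the interval between heartbeats in
# milliseconds and SameSubnetThreshold the number that may be missed before a
# node is declared down; "5 missed heartbeats = 5 sec" is Delay=1000 x Threshold=5.
# The CrossSubnet* values apply between sites in a multi-site cluster.
Get-Cluster -Name $clusterName |
    Format-List Name, SameSubnetDelay, SameSubnetThreshold, CrossSubnetDelay, CrossSubnetThreshold

# Current quorum configuration, for the record before any change.
Get-ClusterQuorum -Cluster $clusterName | Format-List QuorumType, QuorumResource

function Set-RecommendedQuorum {
    param([string]$Cluster, [string]$Witness)

    $nodes = @(Get-ClusterNode -Cluster $Cluster)
    if ($nodes.Count % 2 -eq 1) {
        # Odd node count: node majority already survives the loss of a minority.
        Set-ClusterQuorum -Cluster $Cluster -NodeMajority
    } else {
        # Even node count (including two-site designs): add a witness to break ties.
        # The witness disk must be NTFS; use -NodeAndFileShareMajority '\\server\share'
        # instead when no shared disk is reachable from every site.
        Set-ClusterQuorum -Cluster $Cluster -NodeAndDiskMajority $Witness
    }
}

Set-RecommendedQuorum -Cluster $clusterName -Witness $witnessDisk

# Verify: QuorumResource stays empty for plain node majority.
Get-ClusterQuorum -Cluster $clusterName | Format-List QuorumType, QuorumResource
```

Run it from an elevated session on one of the cluster nodes; the first two commands are read-only, so they are also useful on their own as a pre-change snapshot.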

Installing the Failover Cluster Feature and Tools in Windows Server 2012

Cluster Shared Volumes Reborn in Windows Server 2012: Deep Dive

- Plan and implement highly available network services -
-> Plan for and configure Network Load Balancing (NLB); design considerations including fault-tolerant networking, multicast vs. unicast configuration, state management, and automated deployment of NLB using Virtual Machine Manager service templates

Network Load Balancing Overview

- Plan and implement highly available storage solutions -
-> Plan for and configure storage spaces and storage pools; design highly available, multi-replica DFS namespaces; plan for and configure multi-path I/O, including Server Core; configure highly available iSCSI Target and iSNS Server

Six Uses for the Microsoft iSCSI Software Target

Introduction of iSCSI Target in Windows Server 2012

iSNS Server Overview

The Microsoft iSNS Server only supports the discovery of iSCSI devices, and not Fibre Channel devices

Minimum number of physical disks:
- 1 disk minimum to create a storage pool
- 2 disks minimum to create a resilient mirror virtual disk (standalone server)
- 3 disks minimum to create a resilient 2-way mirror virtual disk (cluster deployment)
- 5 disks minimum to create a resilient 3-way mirror virtual disk (cluster deployment)
- 3 disks minimum to create a resilient parity virtual disk (standalone server, can't use it on a failover

Deploy Storage Spaces on a Stand-Alone Server

Deploy Clustered Storage Spaces

Provisioning: thin (flexible) or fixed (better performance)

Clustered Storage Spaces:
- Fixed provisioning
- SAS disks only
- No parity (only simple or mirror virtual disks)
- ReFS not allowed (incompatible with CSV)
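The minimum-disk table and the clustered constraints above, combined in one added PowerShell example that is not part of the original post: the function checks the disk count against those minimums, applies the clustered rules (fixed provisioning, SAS only, no parity) when asked, then creates the pool and virtual disk with the Storage module cmdlets. Pool and disk names are placeholders; the `$minDisks` table is copied from the notes above.

```powershell
Import-Module Storage

# Minimum physical disks per layout, as listed in the notes above.
$minDisks = @{
    'Simple'          = 1
    'Mirror-2way'     = 2   # stand-alone server
    'Mirror-2way-CSV' = 3   # clustered deployment
    'Mirror-3way-CSV' = 5   # clustered deployment
    'Parity'          = 3   # stand-alone only
}

function New-ResilientSpace {
    param(
        [string]$PoolName = 'Pool01',                                   # placeholder
        [string]$DiskName = 'VDisk01',                                  # placeholder
        [ValidateSet('Simple','Mirror','Parity')][string]$Resiliency = 'Mirror',
        [ValidateSet(2,3)][int]$Copies = 2,                             # mirror copies
        [switch]$Clustered                                              # apply CSV rules
    )

    if ($Clustered -and $Resiliency -eq 'Parity') {
        throw 'Parity spaces are not supported on a failover cluster.'
    }

    # Only disks not yet in a pool (the "primordial" pool) can be pooled;
    # a clustered pool additionally accepts SAS disks only.
    $candidates = @(Get-PhysicalDisk -CanPool $true)
    if ($Clustered) { $candidates = @($candidates | Where-Object BusType -eq 'SAS') }

    $key = switch ($Resiliency) {
        'Simple' { 'Simple' }
        'Parity' { 'Parity' }
        'Mirror' { if ($Clustered) { "Mirror-${Copies}way-CSV" } else { "Mirror-${Copies}way" } }
    }
    if (-not $minDisks.ContainsKey($key)) { throw "No minimum listed for layout $key." }
    if ($candidates.Count -lt $minDisks[$key]) {
        throw "Layout $key needs at least $($minDisks[$key]) disks; found $($candidates.Count)."
    }

    $subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
    New-StoragePool -FriendlyName $PoolName `
        -StorageSubSystemFriendlyName $subsystem.FriendlyName `
        -PhysicalDisks $candidates | Out-Null

    # Thin is flexible; Fixed performs better and is mandatory on a cluster.
    $provisioning = if ($Clustered) { 'Fixed' } else { 'Thin' }

    $params = @{
        StoragePoolFriendlyName = $PoolName
        FriendlyName            = $DiskName
        ResiliencySettingName   = $Resiliency
        ProvisioningType        = $provisioning
        UseMaximumSize          = $true
    }
    if ($Resiliency -eq 'Mirror') { $params['NumberOfDataCopies'] = $Copies }

    New-VirtualDisk @params
}

# 3-way mirror for a cluster (needs 5 SAS disks); NTFS, not ReFS, because the
# volume will become a Cluster Shared Volume.
New-ResilientSpace -Resiliency Mirror -Copies 3 -Clustered |
    Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -Confirm:$false
```

Dropping `-Clustered` switches the function to the stand-alone rules (thin provisioning allowed, any bus type, parity permitted), which is what a lab build on a single evaluation server needs.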

- Plan and implement highly available server roles -
-> Plan for a highly available Dynamic Host Configuration Protocol (DHCP) Server, Hyper-V clustering, Continuously Available File Shares, and a DFS Namespace Server; plan for and implement highly available applications, services, and scripts using Generic Application, Generic Script, and Generic Service clustering roles

Scale-Out File Server for Application Data Overview

Up to 64 physical nodes in a cluster
4,000 VMs per cluster

Cluster-Aware Updating
Cluster computer objects in targeted OU

Step-by-Step: Configure DHCP for Failover

- Plan and implement a business continuity and disaster recovery solution -
-> Plan a backup and recovery strategy; planning considerations including Active Directory domain and forest recovery, Hyper-V replica, domain controller restore and cloning, and Active Directory object and container restore using authoritative restore and Recycle Bin

DPM -> 15 min RPO

AD DS Recycle Bin: requires forest functional level Windows Server 2008 R2

Requirements for Active Directory Recycle Bin

Enable Active Directory Recycle Bin
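The Recycle Bin requirement and the object/container restore mentioned in this section, as an added PowerShell example that is not part of the original post: it checks the forest functional level, enables the feature once, then restores a deleted user and a deleted OU with its children. The forest `contoso.com`, the user `jdoe` and the OU `Sales` are placeholders; the cmdlets come from the ActiveDirectory module (RSAT).

```powershell
Import-Module ActiveDirectory

# Placeholders: forest name, a deleted user and a deleted OU to restore.
$forestName = 'contoso.com'
$forest = Get-ADForest -Identity $forestName

# 1. Prerequisite: forest functional level Windows Server 2008 R2 or later.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minMode) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows Server 2008 R2 or later first."
}

# 2. Enable the Recycle Bin once per forest (the change cannot be undone).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

# 3. Object restore: a deleted user keeps its attributes (SID, group membership)
#    for the deleted-object lifetime, so no authoritative restore is needed.
$user = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jdoe' } `
    -IncludeDeletedObjects -Properties lastKnownParent
Restore-ADObject -Identity $user.ObjectGUID

# 4. Container restore: the OU must come back before its children. Children
#    record the OU's deleted DN in lastKnownParent, so capture it before restoring.
$ou = Get-ADObject -Filter { isDeleted -eq $true -and ObjectClass -eq 'organizationalUnit' -and Name -like 'Sales*' } `
    -IncludeDeletedObjects
$deletedOuDn = $ou.DistinguishedName
Restore-ADObject -Identity $ou.ObjectGUID
Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $deletedOuDn } `
    -IncludeDeletedObjects | Restore-ADObject

# 5. Verify the user is back in its original location.
Get-ADUser -Identity 'jdoe' | Select-Object Name, DistinguishedName, Enabled
```

Step 3 is the practical difference from the classic authoritative restore: nothing has to be taken offline and no tombstone reanimation is involved, which is why the exam objective pairs the Recycle Bin with the authoritative-restore procedure as two alternatives.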

DPM to Backup Virtual Machines
- Protection of a standalone host -> DPM agent on the Hyper-V host
- Protection of the virtual machine --> DPM agent in the VM
- Protection of a VM running on a clustered host --> DPM agent on every cluster node
- Hyper-V host and storage located on different servers -> DPM agents on both servers; backup occurs at host level

Hyper-V Replica Overview

Hyper-V: To participate in replication, servers in failover clusters must have a Hyper-V Replica Broker configured (en-US)

To configure Hyper-V Replica Broker

Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta

Plan and implement a server virtualization infrastructure (25–30%)

- Plan and implement virtualization hosts -
-> Plan for and implement delegation of virtualization environment (hosts, services, and VMs), including self-service capabilities; plan and implement multi-host libraries including equivalent objects; plan for and implement host resource optimization; integrate third-party virtualization platforms

How to Configure Host Group Properties in VMM

Configuring Dynamic Optimization and Power Optimization in VMM

Tuning PRO Performance Thresholds

The Hyper-V Administrators group is a new local security group. Add users to this group instead of the local Administrators group to give them access to Hyper-V. Members of the Hyper-V Administrators group have complete and unrestricted access to all features of Hyper-V.

What's New in Hyper-V

System Requirements: Citrix XenServer Hosts

Managing VMware ESX Hosts Overview

- Plan and implement virtualization guests -
-> Plan for and implement highly available VMs; plan for and implement guest resource optimization including smart page file, dynamic memory, and RemoteFX; configure placement rules; create Virtual Machine Manager templates

How to Create a Guest Operating System Profile

About Hardware Profiles

SCVMM 2012: how to create a VM template (some French text, but all screenshots in English)

Creating Service Templates in VMM

- Plan and implement virtualization networking -
-> Plan for and configure Virtual Machine Manager logical networks; plan for and configure IP address and MAC address settings across multiple Hyper-V hosts including IP virtualization; plan for and configure virtual network optimization

- Plan and implement virtualization storage -
-> Plan for and configure Hyper-V host storage including stand-alone and clustered setup using SMB 2.2 and CSV; plan for and configure Hyper-V guest storage including virtual Fibre Channel, iSCSI, and pass-through disks; plan for storage optimization

Note: SMB 2.2 is the old name; it is now called SMB 3.0.

- Plan and implement virtual guest movement -
-> Plan for and configure live, SAN, and network migration between Hyper-V hosts; plan for and manage P2V and V2V

P2V Prerequisites

- Manage and maintain a server virtualization infrastructure -
-> Manage dynamic optimization and resource optimization; manage Operations Manager integration using PRO Tips; automate VM software and configuration updates using service templates; maintain library updates

Configuring Dynamic Optimization and Power Optimization in VMM

Tuning PRO Performance Thresholds

Adding and Configuring VMM Library Servers

Design and implement identity and access solutions (20–25%)

- Design a Certificate Services infrastructure -
-> Design a multi-tier Certificate Authority (CA) hierarchy with offline root CA; plan for multi-forest CA deployment; plan for Certificate Enrollment Web Services; plan for network device enrollment; plan for certificate validation and revocation; plan for disaster recovery; plan for trust between organizations

Active Directory Certificate Services Overview (to learn different roles in AD CS)

CEP Encryption: allows the holder to act as a registration authority (RA) for Simple Certificate Enrollment Protocol (SCEP) requests

The CAPolicy.inf file contains settings that can be used to modify the default installation of the Certification Authority role of Active Directory Certificate Services (AD CS). The file is also used when renewing the CA certificate. A CAPolicy.inf file is not required to install AD CS or renew a CA certificate; it is only needed to modify default settings. Once you have created your CAPolicy.inf file, you must copy it into the %windir% folder (for example C:\Windows) of your server before you install AD CS or renew the CA certificate.

Prepare the CAPolicy.inf File
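A CAPolicy.inf suited to the offline root CA this objective calls for, as an added PowerShell example that is not part of the original post: it writes the file into %windir% and then installs the stand-alone root so the settings are picked up. The key length, validity and CRL periods and the CA name `Contoso Root CA` are illustrative choices, not values from the post; the section and key names are the documented CAPolicy.inf ones.

```powershell
# CAPolicy.inf for an offline root CA. Placeholder values: adjust key length,
# validity and CRL periods to your own policy.
$policy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key size and lifetime used when the root CA certificate is created or renewed.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; An offline root signs only subordinate CA certificates, so its CRL changes
; rarely; a long base CRL period and no delta CRL keep the root powered off.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; The root must not advertise CDP/AIA URLs pointing at itself (it is offline).
; Leave both empty and publish its certificate and CRL to AD DS or HTTP later.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# The file must be in %windir% before AD CS is installed or the CA certificate
# is renewed; otherwise the defaults apply silently.
$path = Join-Path $env:windir 'CAPolicy.inf'
Set-Content -Path $path -Value $policy -Encoding ASCII
Get-Content -Path $path

# With the file in place, install the role: the stand-alone root reads CAPolicy.inf
# during setup, so the empty CDP/AIA and renewal settings take effect immediately.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'Contoso Root CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
```

After installation, `certutil -getreg CA\CRLPeriodUnits` and a look at the issued root certificate (no CDP or AIA extension) confirm the file was honoured; the subordinate CA is then where the online CDP/AIA URLs and the default templates belong.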

Cross-certification creates a shared trust between two CAs that do not share a common root CA. These CAs exchange cross-certificates that allow their organizations to communicate. In this way, the organizations do not have to create and manage additional root CAs. Cross-certification might be the best option if a common root CA for both PKIs does not exist.

- Implement and manage a Certificate Services infrastructure -
-> Configure and manage offline root CA; configure and manage Certificate Enrollment Web Services; configure and manage Network Device Enrollment Services; configure Online Certificates Status Protocol responders; migrate CA; implement administrator role separation; implement and manage trust between organizations; monitor CA health

Using a Cross-Certification Configuration

- Implement and manage certificates -
-> Manage certificate templates; implement and manage deployment, validation, and revocation; manage certificate renewal including Internet-based clients; manage certificate deployment and renewal to network devices; configure and manage key archival and recovery

Certificate Templates Overview

- Design and implement a federated identity solution -
-> Plan for and implement claims-based authentication including planning and implementing Relying Party Trusts; plan for and configure Claims Provider Trust rules; plan for and configure attribute stores including Active Directory Lightweight Directory Services (AD LDS); plan for and manage Active Directory Federation Services (AD FS) certificates; plan for Identity Integration with cloud services

An attribute store in AD FS is a directory or database that you can use to store user accounts and their associated attributes. Attribute stores for AD FS in Windows Server 2012 can be:
- SQL Server 2005 or later
- Custom attribute store (e.g. CSV files)

- Design and implement Active Directory Rights Management Services (AD RMS) -
-> Plan for highly available AD RMS deployment; manage AD RMS Service Connection Point; plan for and manage AD RMS client deployment; manage Trusted User Domains; manage Trusted Publishing Domains; manage Federated Identity support; manage Distributed and Archived Rights Policy templates; configure Exclusion Policies; decommission AD RMS

How AD RMS Works

AD RMS Infrastructure Deployment Tips

Understanding AD RMS Clusters

Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest.

AD RMS Multi-forest Considerations

The Service Connection Point (SCP) for Active Directory Rights Management Services (AD RMS) identifies the connection URL for the service to the AD RMS-enabled clients in your organization. After you register the SCP in Active Directory Domain Services (AD DS), clients will be able to discover the AD RMS cluster to request use licenses, publishing licenses, or rights account certificates (RACs).

The Active Directory Rights Management Services (AD RMS) super user feature is a special role that enables users or groups to have full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from

Configure the AD RMS Super Users Group
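Because super users can decrypt every file the cluster protects, the setting is worth auditing rather than just configuring. The following added PowerShell example is not part of the original post: it reads the super users setting through the AD RMS administration provider and expands the membership of the group behind it. The cluster URL `https://adrms.contoso.com` is a placeholder; the provider path `SecurityPolicy\SuperUser` with its `IsEnabled` and `SuperUserGroup` properties, and the convention that the group is identified by its e-mail address, are taken as assumptions from the AdRmsAdmin module documentation.

```powershell
Import-Module AdRmsAdmin
Import-Module ActiveDirectory

# Placeholder: mount the AD RMS admin provider against the cluster URL.
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'https://adrms.contoso.com' | Out-Null

function Get-RmsSuperUserReport {
    # Read the super users setting (assumed provider path and property names).
    $setting = Get-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser'
    $report = [ordered]@{
        Enabled = [bool]$setting.IsEnabled
        Group   = $setting.SuperUserGroup
        Members = @()
    }
    if ($report.Enabled -and $report.Group) {
        # The setting holds the group's e-mail address (assumption); resolve it in
        # AD DS and expand nested membership, since nested accounts inherit the right.
        $mail  = $report.Group
        $group = Get-ADGroup -Filter { mail -eq $mail }
        if ($group) {
            $report.Members = @(Get-ADGroupMember -Identity $group -Recursive |
                Select-Object -ExpandProperty SamAccountName)
        }
    }
    [pscustomobject]$report
}

$r = Get-RmsSuperUserReport
$r | Format-List

# Keep the feature off outside recovery or migration windows. Enabling it is a
# one-line change, so review this report periodically instead of trusting it stays off.
if ($r.Enabled -and $r.Members.Count -eq 0) {
    Write-Warning 'Super users is enabled but the group has no members; consider disabling it.'
    # Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $false
}
```

The report is the useful part for an operations team: a change in `Enabled` or in the member list between two runs is exactly the event you want to notice, and the group should be small, dedicated and empty until a decryption task actually needs it.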

What's New in Active Directory Rights Management Services (AD RMS)?

For Windows Server 2012, the following versions of Microsoft SQL Server have been tested and are supported for use with an AD RMS deployment:
- SQL Server 2005 Service Pack 3
- SQL Server 2008 Service Pack 3
- SQL Server 2008 R2 Service Pack 1

If you are going to be viewing reports related to AD RMS, you must also install the .NET Framework 3.5. On Server Core installations, the optional Identity Federation Support role service for the AD RMS server role is not supported, because Identity Federation Support relies on a role service of the AD FS server role, the Claims-aware Agent, which is disabled on Server Core installations.

Windows Server 2012 also includes the following feature updates, which were recently added as updates for the AD RMS role in Windows Server 2008 R2:
- Simple delegation: enables the access rights to protected content that are assigned to one person to be delegated to other individuals within their organization; for example, content rights assigned to executives and managers can be easily and effectively delegated to their assistants. Two attributes, msRMSDelegator and msRMSDelegatorBL, must be added to the Active Directory schema.
- Strong cryptography: enables you to increase the cryptographic strength of your AD RMS deployment by running in an advanced mode known as cryptographic mode.

AD RMS and cryptographic support for SHA-2/RSA 2048

Test Lab Guide: Deploying an AD RMS Cluster

I also encourage you to download Windows Server 2012, install it and test it as much as you can, because some questions require you to have already used the user interface or the commands.

You can download an evaluation version of Windows Server 2012 as:
- an ISO image:
- a pre-built system on VHD:

You can also try Windows Server 2012 on Windows Azure IaaS for some scenarios (but of course not those involving Hyper-V or network services such as DHCP):

- Stanislas Quastana -