Tag Archives: 70-410

CBT Nuggets Microsoft Windows Server 2012 70-410 with R2 Updates

I’m currently doing a bit of revision of 70-410 content, going through the “Microsoft Windows Server 2012 70-410 with R2 Updates” training by Garth Schulte. First of all, I already passed the 70-410 exam and did the 70-410 course by James Conrad, but just to take a break before 70-411 I decided to review the 70-410 content, go through the 70-698 CBT Nuggets course and take an exam on Windows 10 (yes, it counts as a pause before 70-411).

A few words about the updated 70-410 training by Garth. First of all, it is fully designed with R2 in mind (James Conrad’s course was pre-R2, with some R2 modules added later), so you won’t find gotchas and detours caused by the hiccups of a freshly released product; instead, as it covers the stable and current release, you will find well-structured, up-to-date content and, as one expects from Garth, a well-covered PowerShell side 🙂 I also like the very good slides summarizing the key facts you have to memorize before the exam – they provide you with compressed knowledge (I guess I stole the getAbstract slogan here 🙂 ) you need before taking your exam. Some examples:

Those slides are just great to review before the exam (so it could be a good idea to save some screenshots as you go through the course).

Good job Garth 🙂 Once I’m done with this training and my Win 10 exam I will be focusing on 70-411. And I’m just wondering how to fit the TCF exam and preparation for it into my schedule…

How to: enable GC on domain controller (2 ways)

There are two ways of making your DC a GC, and you can read on to learn how.

But before we launch into it, just look at this “making your DC a GC” sentence for a moment. It makes me think that it is a good example of what not to do when writing for a non-technical audience 🙂 I’ve recently started to watch a very interesting course on CBT Nuggets – “Essential Soft Skills for the IT Professional” by Steve Richards – and there you may learn that the key things in writing tech reports for a non-IT audience are: avoid JATB, give MWLH and don’t SUCK 🙂

CBT Nuggets Tech Reports for Non-tech audience

Which of course means: avoid Jargon, Acronyms, Techspeak, Buzzwords (JATB), give More Why, Less How (MWLH) and don’t Suffer from Using Computer Knowledge (SUCK) 🙂

OK, getting back to the main topic and switching to tech writing again. First it would be nice to check which DCs are already GC-enabled, and you can do this by issuing the following PS cmdlets:

Now how to enable/disable GC:

1) PS way of enabling GC:

And you can use the same cmdlet to disable it, as shown on the screenshot below:

Enable or disable GC with PS

2) GUI way. Open Active Directory Sites and Services (dssite.msc), locate the domain controller you need to make a GC and open the General tab of its NTDS Settings Properties:

NTDS Settings - Global Catalog
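Here is the PowerShell side of both steps (checking which DCs are GCs, then enabling or disabling GC on one of them) as an added example; it is not code from the original post. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) and Domain Admin rights, and the DC name DC02 is a placeholder. The GC flag is bit 0 of the options attribute on the DC’s NTDS Settings object, which is exactly what the checkbox in dssite.msc toggles; the function below reads the current value and changes only that bit, so other flags stored in the same attribute (such as the disable-inbound/outbound-replication bits) are left untouched.

```powershell
# Added example (not from the original post): query GC status of all DCs and
# toggle the GC flag on one DC through its NTDS Settings object.
# Assumes the ActiveDirectory module and Domain Admin rights; 'DC02' is a placeholder.
Import-Module ActiveDirectory

# Which DCs are currently global catalogs?
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog

# The forest object keeps the same list (DNS names of all GCs).
(Get-ADForest).GlobalCatalogs

function Set-DcGlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$DcName,   # DC hostname, e.g. 'DC02' (placeholder)
        [Parameter(Mandatory)][bool]$Enabled     # $true = make it a GC, $false = remove GC
    )
    $dc   = Get-ADDomainController -Identity $DcName
    # 'options' on the NTDS Settings object: bit 0 (value 1) = this DC is a GC.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options            # $null (attribute unset) becomes 0
    $new = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    if ($new -ne $current) {
        Set-ADObject -Identity $ntds -Replace @{ options = $new }
    }
    # Re-read so the caller sees the flag as AD now reports it.
    (Get-ADDomainController -Identity $DcName).IsGlobalCatalog
}

# Enable GC on DC02, then disable it again.
Set-DcGlobalCatalog -DcName 'DC02' -Enabled $true
Set-DcGlobalCatalog -DcName 'DC02' -Enabled $false
```

The flag flips immediately, but a newly enabled GC only starts advertising itself once it has finished replicating the read-only partial replicas of the other domains, so IsGlobalCatalog turning $true does not yet mean the server answers GC queries on port 3268.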

By the way, there is an interesting connection between GC and group scopes. You can only convert a group of any other scope to a universal group on a domain controller that holds the global catalog. This is somewhat obvious: universal groups, which combine the best of two worlds (i.e. domain local and global groups), can have members from domains other than the domain where the group object is stored and can be used to grant access to resources in any domain, so only a global catalog server is guaranteed to hold all the universal group memberships required for authentication.

How to: Make sure that DHCP won’t issue IP which is already in use

Assume that you replaced a failed DHCP server with a new one configured with the same scope. This can lead to a situation where your new DHCP server leases addresses which were earlier issued by the failed server and are still in use by clients.

To mitigate this you can use the Conflict detection attempts setting, which can be found on the Advanced tab of your scope properties:

DHCP Conflict detection attempts setting

By default it is set to 0, which means that your DHCP server won’t attempt any conflict detection before issuing an address. As soon as you set this parameter to something higher than 0, let’s say N, your DHCP server will probe the network N times before it assigns an IP address, to make sure that the address is not already in use.

Of course this is a good option to be aware of, but the real solution here is to add an extra DHCP server and configure DHCP Failover, which is available in Windows Server 2012 and newer versions and ensures that you won’t have any headache if one of your DHCP servers fails.
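Both the quick fix and the proper fix can be done from PowerShell with the DhcpServer module. The script below is an added example, not code from the original post; note that the module exposes conflict detection as a server-wide setting (Get-/Set-DhcpServerSetting), so it applies to every scope on that server. Server names, the scope ID and the shared secret are placeholders.

```powershell
# Added example (not from the original post). Requires the DhcpServer module
# (installed with the DHCP role / RSAT) and DHCP Administrators rights.
# DHCP01 / DHCP02 and 192.168.10.0 are placeholders.
Import-Module DhcpServer

# 1. Quick fix: turn on conflict detection. 0 = off; the console allows 0 to 5.
#    Each attempt is an ICMP echo to the candidate address, so N attempts add
#    N timeouts of latency to every new lease: keep N small (1 or 2).
(Get-DhcpServerSetting -ComputerName 'DHCP01').ConflictDetectionAttempts
Set-DhcpServerSetting -ComputerName 'DHCP01' -ConflictDetectionAttempts 2

# 2. Real fix: DHCP Failover (Server 2012+). Both servers must already have the
#    DHCP role and be authorized; the scope exists only on DHCP01 at this point
#    and is replicated to the partner when the relationship is created.
$secret = Read-Host -AsSecureString -Prompt 'Failover shared secret'
$plain  = [System.Net.NetworkCredential]::new('', $secret).Password
Add-DhcpServerv4Failover -ComputerName 'DHCP01' `
    -Name 'DHCP01-DHCP02' `
    -PartnerServer 'DHCP02' `
    -ScopeId 192.168.10.0 `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true `
    -SharedSecret $plain

# Verify: the relationship and the scope should now show on both partners.
Get-DhcpServerv4Failover -ComputerName 'DHCP01' |
    Select-Object Name, PartnerServer, Mode, State, ScopeId
Get-DhcpServerv4Scope -ComputerName 'DHCP02' -ScopeId 192.168.10.0
```

The shared secret authenticates the failover messages between the two partners (it is never sent to clients), so treat it like any other service password: prompt for it rather than hard-coding it in the script.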

Comparing IPv4 and IPv6 Addressing

As I am preparing for 70-410 I just realized that I HAVE TO memorize some IPv6 related things, hence this table, taken from MSFT documentation and slightly colored by me:


You may benefit from reading the entire “Chapter 3 – IP Addressing” from “TCP/IP Fundamentals for Windows”, available on TechNet, if you are in the mood for going into details.

It is useful to memorize common prefixes for the exam and for practical purposes:

2000::/3 is the prefix for a globally unique IPv6 address (in practice 2001 or 2002). It is equivalent to a public IPv4 address and is assigned by IANA. The full address includes a value representing the organization’s site, a subnet identifier, and a host address.

FC00::/7 is the prefix used for a unique local unicast address (in practice FD00::/8). It is used in a private network like a private IPv4 address. Address values are unique only within that network and are routable only inside it; the address is not publicly routable.

FE80::/64 is the prefix for a link-local unicast address, which is equivalent to an IPv4 APIPA address. It is generated automatically when a network adapter is not configured with an IPv6 address and cannot lease one from a DHCP server. This is not a routable address. Even if you have a DHCP-assigned or statically assigned IPv6 address, you will still have an auto-generated link-local address. This address is randomly generated; in the past the MSFT implementation used to embed the MAC address in it, but the MAC address is no longer inserted.

FF00::/8 is the prefix for IPv6 multicast addresses.

FEC0::/10 is a site-local address. Though still documented by many sources, the use of this prefix has been deprecated.
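To make the prefix table something you can actually exercise, here is an added example (not from the original post) that classifies an IPv6 address by matching its leading bits against the prefixes listed above. It generalizes slightly: link-local is matched as FE80::/10, which is the prefix as defined by the RFC (the /64 quoted above is what hosts actually use, since the remaining 54 bits are always zero), and loopback is added so that ::1 does not fall through to “other”. The sample addresses at the end are constructed.

```powershell
# Added example (not from the original post): classify IPv6 addresses by the
# well-known prefixes. Pure .NET, works in Windows PowerShell 3+ and PowerShell 7.
function Get-IPv6AddressType {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    $b = $ip.GetAddressBytes()   # 16 bytes, network order

    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) {
        'Loopback (::1)'
    }
    elseif ($b[0] -eq 0xFF) {                                   # FF00::/8
        'Multicast (FF00::/8)'
    }
    elseif ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80) {  # FE80::/10
        'Link-local unicast (FE80::/10, not routable)'
    }
    elseif ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0xC0) {  # FEC0::/10
        'Site-local unicast (FEC0::/10, deprecated)'
    }
    elseif (($b[0] -band 0xFE) -eq 0xFC) {                      # FC00::/7
        'Unique local unicast (FC00::/7, not publicly routable)'
    }
    elseif (($b[0] -band 0xE0) -eq 0x20) {                      # 2000::/3
        'Global unicast (2000::/3, publicly routable)'
    }
    else {
        'Other / unassigned'
    }
}

# Constructed sample addresses, one per prefix from the list above.
$samples = @(
    '2001:db8::1',
    'fd12:3456:789a::1',
    'fe80::1ff:fe23:4567:890a',
    'ff02::1',
    'fec0::1',
    '::1'
)
foreach ($a in $samples) {
    '{0,-28} {1}' -f $a, (Get-IPv6AddressType -Address $a)
}
```

Running it prints one line per sample: 2001:db8::1 is global unicast, fd12:... is unique local, fe80::... is link-local, ff02::1 is multicast, fec0::1 is the deprecated site-local range and ::1 is loopback.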



How to manage non-domain joined server using Server Manager

Managing a non-domain joined server is a topic included in the 70-410 exam updated for Server 2012 R2. Essentially it requires you to know some extra steps involved in making Server Manager work for you when you need to manage a non-domain joined server (either one residing in a workgroup or in a non-trusted domain).

Unfortunately, the book I’m using to prepare for the exam (“MCSA 70-410 Cert Guide R2: Installing and Configuring Windows Server 2012”) doesn’t go beyond teaching you how to do “Manage As…” in Server Manager (don’t get me wrong, this is a good book which covers other things nicely). So in the book they just show you that you have to know how to do this:

But it is barely enough. For example, you have to know that this “Manage As…” functionality of Server Manager works for almost all roles and features, but RDS and IPAM do not support it. Next, and more importantly, there are extra steps you need to perform before you can manage a non-domain joined server (and no, it does not only involve adding it from the DNS tab as opposed to the Active Directory tab in the Add Server dialog). The steps are the following:

0) Add the non-domain joined server to Server Manager. Use the DNS tab in the Add Server dialog to add it.

Once this is done, the server will be added, but you will most likely get Refresh Failed and also a “Kerberos target resolution error” for the newly added server, which means that you are unable to communicate with it. A sample screenshot of this error can be found below:

Server Manager - Kerberos Target Resolution Error

1) Add the non-domain joined server to the trusted hosts on the management server. On the management server (the one from which you run Server Manager) you have to add your target non-domain joined server to the Trusted Hosts list by issuing the following PS command:

Set-Item wsman:localhost\client\trustedhosts Non-DomainJoinedServer1 -Concatenate -Force

Use this command to view your current Trusted Hosts list:

(Get-Item wsman:localhost\client\trustedhosts).value

2) Configure UAC to allow elevated remote sessions on the target non-domain joined computer. By default this is not allowed on workgroup computers. You can do this by issuing this PS command:

New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1 -Force

You may check current setting with this command:

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').LocalAccountTokenFilterPolicy

3) Enable the Windows Remote Management (HTTP-In) inbound firewall rule on the managed computer.

4) At this point you should be able to do that “Manage As” trick:

Server Manager - Manage As
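Putting steps 1 to 4 together, here is an added example (not code from the original post or from the book) that prepares both sides and verifies the WinRM path before you click “Manage As…”. MGMT01 (the server running Server Manager), WG-SRV01 (the workgroup server) and the 192.0.2.10 address are placeholders. Two things worth knowing when you do this: TrustedHosts tells your WinRM client to skip the mutual authentication it would normally get from Kerberos, so list the specific hosts you manage and never use “*”; and LocalAccountTokenFilterPolicy=1 means any member of the target’s local Administrators group gets a full admin token over the network, so that group should be small and the local admin password should not be shared with other machines.

```powershell
# Added example (not from the original post). Run each section as an
# administrator on the machine named in its header. Names and IPs are placeholders.

# ---------- On the management server (MGMT01) ----------
# Step 1: add the target to the WinRM client's TrustedHosts without replacing
# entries that are already there (-Concatenate). Hostnames only, never '*'.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'WG-SRV01' -Concatenate -Force
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value     # review the list

# ---------- On the workgroup server (WG-SRV01) ----------
# Step 2: let local admins receive an elevated token over the network (UAC remote restriction).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null
(Get-ItemProperty -Path $policyKey).LocalAccountTokenFilterPolicy   # expect 1

# Step 3: make sure WinRM is listening and its inbound rule is on.
# -SkipNetworkProfileCheck is needed when the NIC sits in the Public profile,
# which is common on a workgroup server.
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Enable-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)'
# Least privilege: only accept WinRM (TCP 5985) from the management server.
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' `
    -RemoteAddress '192.0.2.10'
Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' |
    Select-Object DisplayName, Profile, Enabled

# ---------- Back on MGMT01: verify before using "Manage As..." ----------
$cred = Get-Credential -Message 'Local administrator on WG-SRV01'
# Negotiate falls back to NTLM here because there is no Kerberos trust.
Test-WSMan -ComputerName 'WG-SRV01' -Credential $cred -Authentication Negotiate
Invoke-Command -ComputerName 'WG-SRV01' -Credential $cred -ScriptBlock {
    "$env:COMPUTERNAME reached as $env:USERNAME"
}
```

If Test-WSMan succeeds with the local administrator credential, Server Manager will succeed with the same credential in the “Manage As…” dialog; if it fails with an access denied error after step 1 passes, step 2 (the token filter policy) is the usual culprit.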

Here is a nice video covering this process – “Free Tutorial: Managing Non-Domain Joined Servers”.

Another thing of note is that compatibility only goes one way: you can manage older OS versions from a newer Server Manager, but not the other way round.

Further reading:

Add Servers to Server Manager