Download Administering Windows Server 2012.70-411.TestKing.2018-09-10.176q.vcex

By default, only members of the Domain Admins group and the Enterprise Admins group are allowed to view the snapshots because they contain sensitive AD DS data. If you want to access snapshot data from an old domain or forest that has been deleted, you can allow nonadministrators to access the data when you run Dsamain.exe. If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports that the domain controller will use. A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port and UDP [7] port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. All information is transmitted using Basic Encoding Rules (BER).   References:http://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx

Note:* -s <SPN> Adds the specified SPN for the computer, after verifying that no duplicates exist. Usage: setspn –s SPN accountnameFor example, to register SPN "http/daserver" for computer "daserver1":setspn -S http/daserver daserver1 Attn: with Windows 2008 option is-abut with Windows 2012 it started to show-sDefinition of an SPN An SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running. Therefore, a service instance might register an SPN for each name or alias of its host. Adding SPNs To add an SPN, use the setspn -s service/namehostname command at a command prompt, where service/name is the SPN that you want to add and hostname is the actual host name of the computer object that you want to update. For example, if there is an Active Directory domain controller with the host name server1.contoso.com that requires an SPN for the Lightweight Directory Access Protocol (LDAP), type setspn -s ldap/server1.contoso.com server1, and then press ENTER to add the SPN. The HTTP service class The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. For example, the command may resemble the following command:setspn–S HTTP/iis6server1. mydomain.com mydomain\appPool1 References:http://support.microsoft.com/kb/929650/en-ushttp://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx

The Active Directory Recycle Bin does not have the ability to track simple changes to objects.  If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there is no rollback capacity for changes to object properties, or, in other words, to the values of these properties.

The clone domain controller uses the security context of the source domain controller (the domain controller whose copy it represents) to contact the Windows Server 2012 R2 Primary Domain Controller (PDC) emulator operations master role holder (also known as flexible single master operations, or FSMO). The PDC emulator must be running Windows Server 2012 R2, but it does not have to be running on a hypervisor. Reference:http://technet.microsoft.com/en-us/library/hh831734.aspx

Create file screens to control the types of files that users can save, and generate notifications when users attempt to save unauthorized files. With File Server Resource Manager (FSRM) you can create file screens that prevent users from saving unauthorized files on volumes or folders. File Screen Enforcement:You can create file screens to prevent users from saving unauthorized files on volumes or folders. There are two types of file screen enforcement: active and passive enforcement. Active file screen enforcement does not allow the user to save an unauthorized file. Passive file screen enforcement allows the user to save the file, but notifies the user that the file is not an authorized file. You can configure notifications, such as events logged to the event log or e-mails sent to users and administrators, as part of active and passive file screen enforcement.

The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server Manager.

Because removing user accounts from an Active Directory group will not send them to the Active Directory Recycle Bin, performing an authoritative restore is the best option.

RODC: using the dsmgmt.exe utility to manage local administratorsOne of the benefits of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the ability to manage the server but not add or change active directory objects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at the command prompt.

Note:Box 1:Group Managed Service Accounts Requirements:At least one Windows Server 2012 Domain Controller A Windows Server 2012 or Windows 8 machine with the ActiveDirectory PowerShell module, to create/manage the gMSA. A Windows Server 2012 or Windows 8 domain member to run/use the gMSA. Box 2:To create a new managed service account On the domain controller, click Start, and then click Run. In the Open box, type dsa. msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon. Run the following command: New-ADServiceAccount [-SAMAccountName<String>] [-Path <String>].Box 3:Configure a service account for Internet Information Services Organizations that want to enhance the isolation of IIS applications can configure IIS application pools to run managed service accounts. To use the Internet Information Services (IIS) Manager snap-in to configure a service to use a managed service account Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. Double-click <Computer name>, double-click Application Pools, right-click <Pool Name>, and click Advanced Settings. In the Identity box, click …, click Custom Account, and then click Set. Type the name of the managed service account in the format domainname\accountname. Reference: Service Accounts Step-by-Step Guide