Exam Preparation: 70-741: Networking with Windows Server 2016


Exam Preparation: 70-741: Networking with Windows Server 2016 (In development) George Dobrea MCT, MVP

whoami George Dobrea XEduco [email protected] @gdobrea Microsoft Certified Trainer (since 1998) MVP – Enterprise Security (since 2005) EC-Council Instructor of the Year (2016)

Get-Content: Session Objectives
- Certification overview
- Exam preparation per section
- Describe key 70-741 exam objectives
- Prepare more effectively using the available study material
- Relate practical Windows Server 2016 experience to the exam
- Identify areas that may require extra studying
- Action plan for exam preparation and success

Why Certify?

MCSA: Windows Server 2016 certification path
- Exam 70-740 / Course 20740A: Installation, Storage, and Compute with Windows Server 2016
- Exam 70-741 / Course 20741A: Networking with Windows Server 2016
- Exam 70-742 / Course 20742A: Identity with Windows Server 2016
OR
- Exam 70-743 / Course 20743A: Upgrading Your Skills to MCSA: Windows Server 2016

Cloud Platform & Infrastructure certification path
MCSA: Windows Server 2012
- 410: Installing and Configuring Windows Server 2012
- 411: Administering Windows Server 2012
- 412: Configuring Advanced Windows Server 2012 Services
MCSA: Windows Server 2016
- 740: Installation, Storage, and Compute with Windows Server 2016
- 741: Networking with Windows Server 2016
- 742: Identity with Windows Server 2016
MCSA: Linux on Azure
- LFCS: Linux Foundation Certified System Administrator
- 533: Managing Microsoft Azure Infrastructure Solutions
MCSA: Cloud Platform (choose two from)
- 532: Developing Microsoft Azure Solutions
- 533: Managing Microsoft Azure Infrastructure Solutions
- 534: Architecting Microsoft Azure Solutions
- 473: Designing and Implementing Cloud Data Platform Solutions
- 475: Designing and Implementing Big Data Analytics Solutions
MCSE: Cloud Platform & Infrastructure (Earned: 2016) = one of the MCSAs above plus one elective
Elective exam pool (September 2016):
- 532, 533, 534, 473, 475 (as above)
- 744: Securing Windows Server 2016
- 413: Designing and Implementing a Server Infrastructure
- 414: Implementing an Advanced Server Infrastructure
- 246: Monitoring and Operating a Private Cloud
- 247: Configuring and Deploying a Private Cloud

My first advice to you

70-741 Exam Objectives
1. Implement Domain Name System (DNS)
2. Implement DHCP
3. Implement IP Address Management (IPAM)
4. Implement Network Connectivity and Remote Access Solutions
5. Implement Core and Distributed Network Solutions
6. Implement an Advanced Network Infrastructure

01 Implement Domain Name System (DNS) (15-20%)

Install and configure DNS servers
- Determine DNS installation requirements
- Determine supported DNS deployment scenarios on Nano Server
- Install DNS
- Configure forwarders, configure root hints, configure delegation
- Implement DNS policies
- Implement DNS global settings using Windows PowerShell
- Configure Domain Name System Security Extensions (DNSSEC)
- Configure DNS socket pool, configure cache locking
- Enable Response Rate Limiting
- Configure DNS-based Authentication of Named Entities (DANE)
- Configure DNS logging
- Configure delegated administration
- Configure recursion settings
- Implement DNS performance tuning

DNS on Nano Server
To use Nano Server as a DNS server:
1. Create a Nano Server VHD that includes the Microsoft-NanoServer-DNS-Package
2. Import the VHD into Hyper-V as a virtual machine
3. Configure networking settings and enable the remote management firewall ports
4. Connect remotely to the Nano Server by using Windows PowerShell 5.0 on a Windows client or server
5. Run the command Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role
6. Manage DNS remotely by using the Windows PowerShell 5.0 DnsServer cmdlets

Implementing DNS security
DNS security feature: description
- DNS cache locking: prevents entries in the cache from being overwritten until a configurable percentage of their TTL has expired (mitigates cache poisoning)
- DNS socket pool: randomizes the source port the server uses for outbound queries; enabled by default since Windows Server 2008 R2
- DANE (DNS-based Authentication of Named Entities): publishes TLSA records that tell clients which CA (or which certificate) they should expect for a service
- DNSSEC: cryptographically signs zone data so that validating clients can verify that responses have not been tampered with
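The four features in the table above, plus Response Rate Limiting and recursion control, as one audit-and-enable script. This is an added example and not part of the slides; the server name DNS01, the zone corp.contoso.com, the RRL thresholds and the TLSA hash value are assumptions, and it expects the DnsServer module (RSAT) in an elevated DNS-admin session.

```powershell
# Added example, not from the slides. Server/zone names and the TLSA hash are assumptions.
$Server   = "DNS01"
$ZoneName = "corp.contoso.com"

# 1. Cache locking: 100 = a cached record cannot be overwritten before its TTL expires
$cache = Get-DnsServerCache -ComputerName $Server
if ($cache.LockingPercent -lt 100) {
    Set-DnsServerCache -ComputerName $Server -LockingPercent 100
}

# 2. Socket pool: report the size (default 2500 ports); raise it with dnscmd if needed
$settings = Get-DnsServerSetting -ComputerName $Server -All
"SocketPoolSize: $($settings.SocketPoolSize)"
# dnscmd $Server /Config /SocketPoolSize 5000     # takes effect after a DNS service restart

# 3. Response Rate Limiting (new in 2016): stops the server being a DNS amplification source.
#    Use -Mode LogOnly first in production and switch to Enable once the log shows no false drops.
Set-DnsServerResponseRateLimiting -ComputerName $Server -Mode Enable `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force

# 4. Recursion: an Internet-facing authoritative server should answer only for its own zones
# Set-DnsServerRecursion -ComputerName $Server -Enable $false

# 5. DNSSEC: sign the zone (defaults = KSK + ZSK, NSEC3) and confirm the DNSKEY set exists
Invoke-DnsServerZoneSign -ComputerName $Server -ZoneName $ZoneName -SignWithDefaultSettings -Force
Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType DnsKey

# 6. DANE: TLSA record for https://www.corp.contoso.com pinning the SHA-256 hash of the
#    server certificate. ("ab" * 32) is a placeholder, not a real hash.
Add-DnsServerResourceRecord -ComputerName $Server -TLSA -ZoneName $ZoneName -Name "_443._tcp.www" `
    -CertificateUsage DomainIssuedCertificate -Selector FullCertificate -MatchingType Sha256Hash `
    -CertificateAssociationData ("ab" * 32)

# 7. Verify from a client: with the DO bit set the answer comes back with its RRSIG records
Resolve-DnsName -Name "www.$ZoneName" -Server $Server -DnssecOk
```

Step 4 is commented out on purpose: disabling recursion on a server that internal clients use as their resolver breaks Internet name resolution for them, so it belongs only on a dedicated, externally reachable authoritative server.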

Create and configure DNS zones and records
- Create primary zones; configure Active Directory integration of primary zones
- Create and configure secondary zones
- Create and configure stub zones
- Configure a GlobalNames zone
- Analyze zone-level statistics
- Create and configure DNS Resource Records (RR), including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
- Configure zone scavenging
- Configure record options, including Time To Live (TTL) and weight
- Configure round robin
- Configure secure dynamic updates
- Configure unknown record support
- Use DNS audit events and analytical (query) events for auditing and troubleshooting
- Configure zone scopes; configure records in zone scopes
- Configure policies for zones

Install & Configure DNS
DNS terminology that you should know:
- DNS host name resolution
- Forward and reverse lookups
- Types of DNS zones: primary, secondary, Active Directory-integrated, and stub zones
- For AD-integrated zones: what is the domain partition, and what are the ForestDnsZones and DomainDnsZones application partitions?
- Records: SOA, NS, A, CNAME, PTR, SRV, and MX

Configure DNS zones
- Configure stub zones
  - A stub zone is used to keep track of the authoritative DNS servers for a zone; useful in a merger/acquisition
  - Watch for scenarios that offer both a stub zone and conditional forwarding as potential solutions
  - Stub zones are best when you need to maintain the list of authoritative DNS servers for a child zone dynamically
- Configure conditional forwarders
  - Forwards queries for a domain to specific DNS servers, which then build up a cache for efficient resolution
  - Often the best solution for a merger/acquisition, but can also speed up internal name resolution
- Configure zone and conditional forwarder storage in Active Directory
  - The DNS server must be a domain controller; the zone must be a primary, stub or conditional forwarder zone
  - Replication scopes: all DNS servers in the forest, all DNS servers in the domain, all DCs in the domain (Windows 2000 compatibility), or all DCs enlisted in a custom application partition
- Configure zone delegation
  - Key scenarios: delegate management, distribute load / improve performance / fault tolerance

Configure DNS records
- Create and configure Resource Records (RR) including A, AAAA, PTR, SOA, NS, SRV, CNAME, and MX records
- Know that AAAA is the IPv6 equivalent of the A record
- Use dnscmd /recordadd (or PowerShell) for mass record creation:
  Add-DnsServerResourceRecord -A -Name "test" -ZoneName "woodgrovebank.com" -IPv4Address 172.16.1.200
- Configure zone scavenging
  - Must be enabled at the server level and at the zone level (watch for troubleshooting scenarios, or "choose all that apply")
  - Must also be enabled on the resource record itself (it is by default for dynamic records, but watch for troubleshooting)
  - Cleans up dynamic records only, never static records
- Configure record options including TTL and weight
  - The default TTL is 1 hour; it can be changed at the zone level or on an individual resource record
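The zone types and the three-level scavenging requirement from the two slides above, as PowerShell run on a domain-controller DNS server. This is an added example and not part of the slides; the zone names, master server addresses and 7-day intervals are assumptions.

```powershell
# Added example, not from the slides. Zone names, master IPs and intervals are assumptions.

# AD-integrated primary zone stored in the DomainDnsZones partition (ReplicationScope Domain);
# Secure means only authenticated domain members can update, and only their own records
Add-DnsServerPrimaryZone -Name "corp.contoso.com" -ReplicationScope Domain -DynamicUpdate Secure

# Matching reverse lookup zone for 10.10.5.0/24, so PTR records have somewhere to live
Add-DnsServerPrimaryZone -NetworkId "10.10.5.0/24" -ReplicationScope Domain -DynamicUpdate Secure

# Merger/acquisition: a stub zone pulls the partner's NS list and keeps it current by itself;
# a conditional forwarder only ever forwards to the fixed addresses you give it
Add-DnsServerStubZone -Name "fabrikam.com" -MasterServers 172.16.0.10,172.16.0.11 -ReplicationScope Forest
Add-DnsServerConditionalForwarderZone -Name "partner.example" -MasterServers 192.0.2.53 -ReplicationScope Forest

# Scavenging level 1, the server: actually run the scavenging cycle, here every 7 days
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones

# Level 2, the zone: aging with a 7-day no-refresh and a 7-day refresh window, so a record is
# eligible for deletion only after 14 days without a refresh from its owner
Set-DnsServerZoneAging -Name "corp.contoso.com" -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Level 3, the record: static records carry no timestamp and are never scavenged;
# -AgeRecord gives a manually created record a timestamp so it is treated as dynamic
Add-DnsServerResourceRecordA -Name "test" -ZoneName "corp.contoso.com" -IPv4Address 172.16.1.200 -AgeRecord

# Audit: which A records would scavenging ever touch? Only those with a Timestamp
Get-DnsServerResourceRecord -ZoneName "corp.contoso.com" -RRType A |
    Select-Object HostName, Timestamp, @{ n = 'Ages'; e = { $null -ne $_.Timestamp } }
```

The last query is the quickest way to diagnose the classic "scavenging is on but nothing is removed" case: if every record shows an empty Timestamp, the records are static (or the zone had aging turned off when they were created) and no server or zone setting will ever delete them.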

DNS policies: new in Windows Server 2016
You create DNS policies to control how a DNS server handles queries based on different parameters.
DNS policy scenarios:
- Application high availability
- Traffic management
- Split-brain DNS
- Filtering
- Forensics
DNS policy objects:
- Client subnet
- Recursion scope
- Zone scope
Use Windows PowerShell to create and manage DNS policies: https://technet.microsoft.com/en-us/windows-server-docs/networking/dns/deploy/dns-policies-overview

Split-Brain DNS Deployment Using Windows DNS Server Policies
Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "internal"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "65.55.39.10"
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "10.0.0.39" -ZoneScope "internal"
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action
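The slide stops at the policy cmdlet; the following is an added example (not from the slides) that carries the same split-brain design through to a working policy and its verification. It assumes the DNS server's internal-facing NIC has the address 10.0.0.56, that internal clients live in 10.0.0.0/8, and it uses the simpler record name "www" instead of the slide's "www.career".

```powershell
# Added example, not from the slides. Interface IP 10.0.0.56, subnet 10.0.0.0/8 and
# the record name "www" are assumptions.
$Zone = "contoso.com"

# Public answer lives in the default scope, the private answer in the "internal" zone scope
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "65.55.39.10"
Add-DnsServerZoneScope -ZoneName $Zone -Name "internal"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "10.0.0.39" -ZoneScope "internal"

# Policy 1: a query that arrives on the internal interface is answered from the internal scope.
# "internal,1" = scope name and weight; the weight only matters when several scopes are listed.
Add-DnsServerQueryResolutionPolicy -ZoneName $Zone -Name "SplitBrainZonePolicy" -Action ALLOW `
    -ServerInterfaceIP "EQ,10.0.0.56" -ZoneScope "internal,1"

# Policy 2 (for a server with one NIC facing both sides): match on the client subnet object
Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/8"
Add-DnsServerQueryResolutionPolicy -ZoneName $Zone -Name "SplitBrainSubnetPolicy" -Action ALLOW `
    -ClientSubnet "EQ,InternalSubnet" -ZoneScope "internal,1" -ProcessingOrder 2

# Anything that matches no policy falls through to the default scope and gets the public answer.
# Policies are evaluated in ProcessingOrder, so review it after every addition.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, ProcessingOrder, IsEnabled

# Verify both views: from inside expect 10.0.0.39, from a host outside 10/8 expect 65.55.39.10
Resolve-DnsName -Name "www.$Zone" -Server 10.0.0.56
```

One caveat a practitioner will hit: zone scopes are not replicated by AD-integrated zone replication, so the zone scope, its records and the policies have to be created on every DNS server that answers for the zone.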

Key Tips to Remember Always use host names instead of NetBIOS names. Use forwarders rather than root hints. Be aware of potential caching issues when you troubleshoot name resolution. Use Active Directory–integrated zones instead of primary and secondary zones. Use GlobalNames zone when you must have single-name entities. Use DNS policies to fine-tune client name resolution and zone transfers.

Example question
You are the system administrator for Tailspin Toys. You administer the Active Directory Domain Services (AD DS) environment along with DNS. Recently, another administrator added a new DNS Address (A) record for www2.tailspintoys.com. The record points to 10.10.5.254. Forward name resolution is fully functional. However, the web administrators are reporting that 10.10.5.254 is not resolving to www2.tailspintoys.com. You need to ensure that 10.10.5.254 resolves to www2.tailspintoys.com. What should you do?
A. Add a second Address (A) record for 10.10.5.254 and point it to www2.tailspintoys.com.
B. Add a second Address (AAAA) record for 10.10.5.254 and point it to www2.tailspintoys.com.
C. Add a PTR record for www2.tailspintoys.com and point it to 10.10.5.254.
D. Add a PTR record for 10.10.5.254 and point it to www2.tailspintoys.com.

02 Implement DHCP (15-20%)

Install and configure DHCP
- Install and configure DHCP servers; authorize a DHCP server
- Create and configure scopes; create and configure superscopes and multicast scopes
- Configure a DHCP reservation; configure DHCP options
- Configure DNS options from within DHCP
- Configure policies
- Configure client and server for PXE boot
- Configure DHCP Relay Agent; implement IPv6 addressing using DHCPv6
- Perform export and import of a DHCP server
- Perform DHCP server migration

Install and Configure DHCP Service Understand the DHCP options available

Implement an advanced DHCP solution
- Create and configure superscopes: group several scopes so one server can serve multiple logical subnets on one physical network (Add-DhcpServerv4Superscope)
- Create and configure multicast scopes: lease multicast group addresses (MADCAP) to applications that stream to groups of clients
- DHCPv6: stateful (addresses and options from DHCP) and stateless (addresses from router advertisements, only options from DHCP) configurations
  Add-DhcpServerv6Scope -Name "Name" -Prefix <IPv6 prefix>
- The Windows Server 2016 DHCP Server role no longer supports Network Access Protection (NAP)!

Manage and maintain DHCP Configure a lease period Back up and restore the DHCP database Configure high availability using DHCP failover Configure DHCP name protection Troubleshoot DHCP

What is DHCP failover?
DHCP failover:
- Enables two DHCP servers to provide IP addresses and option configurations to the same subnets or scopes
- Requires failover relationships to have unique names
- Supports hot standby mode and load sharing mode
When you use DHCP failover:
- The maximum client lead time (MCLT) determines when a failover partner assumes full control of the subnet or scope
- The auto state switchover interval determines when a failover partner is considered to be down
- Message authentication (a shared secret) can validate the failover messages between the partners
- Firewall rules are auto-configured during DHCP installation

What are DHCP security options?
- Limit physical access to the network by disconnecting unused LAN drops
- Require authenticated layer 2 connections (802.1X)
- Enable DHCP auditing to track DHCP usage
- DHCP name protection:
  - Prevents Windows computers from having their DNS name registration overwritten by non-Windows devices using the same name
  - Uses a DHCID resource record to track the device that originally requested the DNS name registration
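The "Manage and maintain DHCP", failover and security items from the three slides above, as one PowerShell sequence run against the primary DHCP server. This is an added example and not part of the slides; the server names DHCP01/DHCP02, the scope 10.10.5.0/24, the lease duration and the D: paths are assumptions.

```powershell
# Added example, not from the slides. Server names, scope, intervals and paths are assumptions.
$Primary = "DHCP01.corp.contoso.com"
$Partner = "DHCP02.corp.contoso.com"
$ScopeId = "10.10.5.0"

# Authorization in AD DS: a Windows DHCP server that is not authorized refuses to hand out leases,
# which is the built-in defence against accidental rogue servers on the domain
if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq $Primary)) {
    Add-DhcpServerInDC -DnsName $Primary
}

# Hot standby failover (ServerRole/ReservePercent instead of LoadBalancePercent).
# MCLT: the longest a server may extend a lease beyond what its partner knows about.
# StateSwitchInterval + AutoStateTransition: after 60 min in COMMUNICATION-INTERRUPTED the
# surviving server declares the partner down and takes over the whole scope.
# SharedSecret switches on message authentication between the partners.
$secret = Read-Host -Prompt "Failover shared secret"
Add-DhcpServerv4Failover -ComputerName $Primary -Name "DHCP01-DHCP02" -PartnerServer $Partner `
    -ScopeId $ScopeId -ServerRole Active -ReservePercent 10 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret
Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name "DHCP01-DHCP02" -Force
Get-DhcpServerv4Failover -ComputerName $Primary |
    Format-List Name, Mode, State, PartnerServer, MaxClientLeadTime, AutoStateTransition

# Lease period: the default is 8 days; a short lease keeps guest/wireless scopes from filling up
Set-DhcpServerv4Scope -ComputerName $Primary -ScopeId $ScopeId -LeaseDuration 1.00:00:00

# Name protection: DHCP writes a DHCID record next to the A/PTR records it registers, so a
# different device that later claims the same host name cannot overwrite the registration
Set-DhcpServerv4DnsSetting -ComputerName $Primary -ScopeId $ScopeId `
    -DynamicUpdates Always -NameProtection $true -DeleteDnsRRonLeaseExpiry $true

# Audit log on a non-system volume (lease grants, NACKs, rogue detection), then a backup
Set-DhcpServerAuditLog -ComputerName $Primary -Enable $true -Path "D:\DhcpAudit"
Backup-DhcpServer -ComputerName $Primary -Path "D:\DhcpBackup"
```

Failover settings replicate between the two partners, but the DNS settings, audit log path and backup are per server: repeat the last three commands against $Partner, or the standby will register names without DHCID protection the moment it takes over.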

Example question
You are the system administrator for Fabrikam, Inc. You have a main office, a single DHCP server, and a single DHCP scope. You need to configure DHCP for high availability. What should you do? (Choose all that apply.)
A. Add the Failover Cluster feature.
B. Add the Network Load Balancing feature.
C. Add the DHCP Server to the failover cluster.
D. Configure NLB for network affinity.
E. Deploy a new server.
F. Add the DHCP role.

03 Implement IP Address Management (IPAM) (15-20%)

Install and configure IP Address Management (IPAM)
- Provision IPAM manually or by using Group Policy
- Configure server discovery
- Create and manage IP blocks and ranges
- Monitor utilization of IP address space
- Migrate existing workloads to IPAM
- Configure IPAM database storage using SQL Server
- Determine scenarios for using IPAM with System Center Virtual Machine Manager for physical and virtual IP address space management

Manage DNS and DHCP using IPAM
- Manage DHCP server properties using IPAM
- Configure DHCP scopes and options
- Configure DHCP policies and failover
- Manage DNS server properties using IPAM
- Manage DNS zones and records
- Manage DNS and DHCP servers in multiple Active Directory forests
- Delegate administration for DNS and DHCP using role-based access control (RBAC)

Audit IPAM
- Audit the changes performed on the DNS and DHCP servers
- Audit the IPAM address usage trail
- Audit DHCP lease events and user logon events

IP Address Management (IPAM)
- Inbox feature for integrated management of IP addresses, domain names, and device identities
- Tightly integrates with Microsoft DNS and DHCP servers
- Provides custom IP address space display, reporting, and management
- Audits server configuration changes and tracks IP address use
- Migrates IP address data from spreadsheets or other tools
- Monitors and manages a distributed IPAM architecture
[Diagram: distributed IPAM deployment across a forest with the domains corp.woodbridge.com, europe.corp.woodbridge.com and fareast.corp.woodbridge.com; each site (Redmond head office; UK, Hyderabad and Bangalore branch offices) has its own IPAM server managing the local DHCP, DNS, DC and NPS servers]

Windows Server 2016 IPAM
- Network audit & visibility: tracking of IP address / user / machine activity, IP utilization and trends, configuration audit
- Unified IP address management: integrated IP addressing, DNS and DHCP management; IP address management of physical and virtual networks (SCVMM integration)
- Scale, robustness & automation: disaster recovery, multiple-instance deployment, SQL Server database, extensive PowerShell support, cross-AD-forest support
- Delegated administration: granular RBAC to manage IP address space, DHCP and DNS; delegated administration within and across datacenters
- Network services management: automatic server discovery, single console for DHCP and DNS management across datacenters, management of granular DNS properties

IP Address Management: configure IPAM
- Requirements: the IPAM server must be a domain member server; it cannot be a domain controller
- Trivia: if you install IPAM on a DHCP server, IPAM will not discover any DHCP servers (DHCP discovery is disabled on that host)
- Topologies: distributed, centralized and hybrid; the database is not shared between IPAM servers
- Server discovery: what can be discovered? DCs, DNS servers, DHCP servers and NPS servers; each discovered server is then marked managed or unmanaged
- Database: both the Windows Internal Database (WID) and an external SQL Server database are supported
- Windows Server 2016: IPAM supports multiple Active Directory forests when there is a two-way trust relationship between the forest where IPAM is installed and each of the remote forests
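The provisioning, discovery and audit steps from the IPAM slides above as PowerShell run on the IPAM server by a domain administrator. This is an added example and not part of the slides; the domain corp.contoso.com, the IPAM server FQDN and the GPO prefix "IPAM" are assumptions.

```powershell
# Added example, not from the slides. Domain, IPAM FQDN and GPO prefix are assumptions.
$Domain = "corp.contoso.com"
$Ipam   = "IPAM01.$Domain"

# GPO-based provisioning creates IPAM_DHCP, IPAM_DNS and IPAM_DC_NPS: the firewall rules,
# event-log and share permissions the IPAM server needs. They only apply to servers whose
# computer account is added to the GPO security filtering, which marking them Managed does.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName "IPAM" -IpamServerFqdn $Ipam -Force

# Limit discovery to this domain and these roles, then run the discovery task immediately
# instead of waiting for its schedule
Add-IpamDiscoveryDomain -Name $Domain -DiscoverDc -DiscoverDns -DiscoverDhcp
Start-ScheduledTask -TaskPath "\Microsoft\Windows\IPAM\" -TaskName "ServerDiscovery"

# Everything discovered starts as Unspecified; mark it Managed. Each server then needs a
# gpupdate (or the next GP refresh) before IPAM can collect from it.
Get-IpamServerInventory | Where-Object { $_.ManageabilityStatus -ne "Managed" } | ForEach-Object {
    Set-IpamServerInventory -Name $_.Name -ManageabilityStatus Managed
}
Get-IpamServerInventory | Format-Table Name, ServerType, ManageabilityStatus, IpamAccessStatus -AutoSize

# Audit trail: configuration changes made on DHCP/DNS through IPAM, and the IP address usage
# trail (DHCP lease events correlated with DC logon events) for the last 7 days
$since = (Get-Date).AddDays(-7)
Get-IpamConfigurationEvent -StartDate $since -EndDate (Get-Date) | Format-Table -AutoSize
Get-IpamIpAddressAuditEvent -StartDate $since -EndDate (Get-Date) | Format-Table -AutoSize
```

IpamAccessStatus in the inventory is the first thing to check when a server stays "Blocked" after being marked Managed: it almost always means the GPO has not applied on that server yet, or the IPAM server was installed on a DHCP server (the trivia item above).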

04 Implement Network Connectivity and Remote Access Solutions (25-30%)

Implement network connectivity solutions Implement Network Address Translation (NAT) Configure routing

Implement virtual private network (VPN) and DirectAccess solutions
- Implement remote access and site-to-site (S2S) VPN solutions using a remote access gateway
- Configure different VPN protocol options
- Configure authentication options
- Configure VPN Reconnect
- Create and configure connection profiles
- Determine when to use remote access VPN and site-to-site VPN and configure the appropriate protocols
- Install and configure DirectAccess
- Implement server requirements
- Implement client configuration
- Troubleshoot DirectAccess

VPN and Routing
Install and configure the Remote Access role:
1. Add-WindowsFeature RemoteAccess -IncludeManagementTools -IncludeAllSubFeature
2. Run the Configure and Enable Routing and Remote Access wizard
- Implement Network Address Translation (NAT): the server needs two interfaces before NAT can be enabled via the wizard
- Configure VPN settings: for SSTP, select the proper SSL certificate after installation
- Configure remote dial-in settings for users: the AD default is "Control access through NPS Network Policy", so you need to adjust the policy or create a new one before users can connect
- Configure Web Application Proxy, including pass-through mode (no pre-authentication at the proxy; the published application authenticates the user itself)

What is Web Application Proxy?
Web Application Proxy:
- Was introduced in Windows Server 2012 R2
- Provides reverse web proxy functionality
- Uses AD FS proxy functionality
- Is located in a perimeter network
[Diagram: client devices on the Internet pass through the external firewall to the Web Application Proxy in the perimeter network, which passes through the internal firewall to AD FS, AD DS, line-of-business applications and Microsoft applications on the corporate network]

Example question
You are configuring a web application proxy (WAP) to provide external access to corporate applications. Users will typically be using untrusted internet connections outside the corporate firewall. You need to configure Active Directory Federation Services (AD FS) to protect applications from unauthorized access. The configuration must meet the following requirements: User credentials cannot be sent as part of the authentication request. All users will access the applications by using a private computer secured by the user's local credentials. The most secure authentication method should be chosen. Which type of authentication should you use?
A. Windows
B. Username
C. Basic
D. Certificate

How DirectAccess works for internal clients
[Diagram: internal client computers on the corporate network can reach the network location server, so the NRPT and the DirectAccess connection security rules are not applied; they resolve names through the internal DNS server and reach the AD DS domain controller, the CRL distribution point and internal network resources directly; Internet websites are reached through the normal corporate path, not through the DirectAccess server]

How DirectAccess works for external clients
[Diagram: external client computers on the Internet cannot reach the network location server, so the NRPT takes effect: intranet names are sent to the DNS server behind the DirectAccess server, Internet names go to the local DNS server and Internet websites are reached directly; the connection security rules build the infrastructure tunnel (to the DNS server and the Active Directory domain controller) and the intranet tunnel (to internal network resources) through the DirectAccess server]

DirectAccess
Implement server requirements:
- No longer requires a PKI: the simplified deployment can use the Kerberos proxy over HTTPS (port 443) instead
- The simplified deployment, however, does not give you force tunneling, Network Access Protection (NAP) integration, or two-factor authentication
- Can use a single NIC behind NAT (requires Windows Server 2012 or later)
- Remote access servers and all client computers must be domain members
- IPv6 is not required on the intranet; IPv6 transition technologies (6to4, Teredo, IP-HTTPS, NAT64/DNS64) are used, but native IPv6 gives the best performance
- If using an internal CA or self-signed certificates, the CRL distribution point must be reachable from the Internet
Implement client configuration:
- Create the security groups first, then create the GPOs
- DirectAccess offline domain join: join a domain without a physical or VPN connection

Implement Network Policy Server (NPS)
- Configure a RADIUS server, including RADIUS proxy
- Configure RADIUS clients
- Configure NPS templates
- Configure RADIUS accounting
- Configure certificates
- Configure connection request policies
- Configure network policies for VPN, wireless and wired clients; import and export NPS policies

Configure NPS
- Configure multiple RADIUS server infrastructures: 5 parts: access clients, access servers (the RADIUS clients), NPS servers, NPS proxies, user account databases
- Configure RADIUS clients: required are the shared secret, a friendly name and the FQDN or IP; vendor info (e.g. Cisco) is optional
- Manage RADIUS templates: watch for questions involving administrative overhead, as that may indicate the creation of a template or the use of an existing one
- Configure RADIUS accounting: can log to a SQL database, to a text file on the local computer, to both simultaneously, or to SQL with text-file failover (if SQL logging fails, continue to log to the text file)
- If logging stops (disk full, SQL down), NPS discards connection requests and users can't get in; watch for scenarios that describe a default install and a sudden loss of functionality: it could be a full disk, so consider moving logging to a non-system disk

Network Policy Server policies: how NPS evaluates a connection attempt
1. Are there any network policies left to process? No: reject the connection attempt.
2. Does the connection attempt match the conditions of the current policy? No: go to the next policy (back to step 1).
3. Is the remote access permission on the user account set to Deny Access? Yes: reject the connection attempt.
4. Is the remote access permission on the user account set to Allow Access? Yes: go to step 6.
5. (The user account is set to Control access through NPS Network Policy.) Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt.
6. Does the connection attempt match the user object and the profile settings? Yes: accept the connection attempt. No: reject the connection attempt.

Configure NPS policies
- Configure connection request policies
  - Policies have conditions such as connection type, day/time, network and computer
  - Useful for authenticating an untrusted domain (put the proxy policy first in the policy order) while still authenticating local users via NPS against AD DS
  - If NPS does no local processing, the server is a proxy (it can forward to one destination or to multiple)
- Configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
  - Watch for default-installation questions
  - IP filters can enhance security by limiting traffic types (IPv4 and IPv6)
- Manage NPS templates
  - Templates exist for shared secrets, RADIUS clients, RADIUS servers, IP filters, health policies and remediation server groups (minimize administrative overhead, speed up deployment)
  - Templates can be exported to an .XML file and imported on another server
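The RADIUS client and export/import items from the NPS slides above, as PowerShell on the primary NPS server. This is an added example and not part of the slides; the client names, addresses, vendor names and the export path are assumptions.

```powershell
# Added example, not from the slides. Client names/IPs, vendors and the path are assumptions.
$secret = Read-Host -Prompt "RADIUS shared secret"   # long and random; the same value goes on each NAS

$clients = @(
    @{ Name = "WLC01"; Address = "10.0.10.5"; Vendor = "Cisco" },
    @{ Name = "VPN01"; Address = "10.0.20.5"; Vendor = "Microsoft" }
)
foreach ($c in $clients) {
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $c.Name }) { continue }
    # AuthAttributeRequired: NPS drops any Access-Request from this address that lacks a valid
    # Message-Authenticator (an HMAC keyed with the shared secret), so a packet spoofed from the
    # NAS address without knowledge of the secret is rejected instead of evaluated
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret `
        -VendorName $c.Vendor -AuthAttributeRequired $true
}
Get-NpsRadiusClient | Format-Table -AutoSize

# Move the whole configuration (clients, connection request and network policies, templates,
# accounting settings) to a second NPS server or proxy. The XML holds the shared secrets in
# clear text: write it to an ACL-restricted folder and delete it right after the import.
$path = "C:\NpsExport\nps-config.xml"
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
Export-NpsConfiguration -Path $path
# On the second server:
# Import-NpsConfiguration -Path $path
# Remove-Item $path
```

Import-NpsConfiguration replaces the target server's configuration entirely, which is what you want for a standby or a proxy pair, but not for merging two independently configured servers.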

05 Implement core and Distributed Network Solutions (10-15%)

Implement IPv4 and IPv6 addressing
- Configure IPv4 addresses and options
- Determine and configure appropriate IPv6 addresses
- Configure IPv4 or IPv6 subnetting
- Implement IPv6 stateless addressing
- Configure interoperability between IPv4 and IPv6 by using ISATAP, 6to4, and Teredo scenarios
- Configure Border Gateway Protocol (BGP)
- Configure IPv4 and IPv6 routing

Configure IPv4 and IPv6 Addressing
Important factors to know about addressing:
- Understand IPv4 subnetting and supernetting
- Understand IPv6 addressing
- Assign an IPv6 address and check the route (route print)
- Tunneling, automatic or manual configuration: 6to4, ISATAP, Teredo, PortProxy

Implement Distributed File System (DFS) and Branch Office solutions
- Install and configure DFS namespaces
- Configure DFS Replication targets
- Configure replication scheduling
- Configure Remote Differential Compression (RDC) settings
- Configure staging
- Configure fault tolerance
- Clone a Distributed File System Replication (DFSR) database
- Recover DFSR databases
- Optimize DFS Replication
- Install and configure BranchCache
- Implement distributed and hosted cache modes
- Implement BranchCache for web, file, and application servers
- Troubleshoot BranchCache

Planning for DFS
[Diagram: a user in New York and a user in London both open \\contoso.com\marketing. Namespace servers in New York and London host the namespace; the folder targets \\NYC-SRV-01\ProjectDocs and \\LON-SRV-01\ProjectDocs are kept in sync by DFS Replication]
1. The user enters \\contoso.com\marketing; the client computer contacts a namespace server and receives a referral
2. The client computer caches the referral and then contacts the first server in the referral

Optimizing namespaces and replication
You can optimize DFS by:
- Disabling referrals to a folder
- Specifying the referral cache duration
- Configuring namespace polling
- Configuring replication groups
- Creating multiple replicated folders
- Modifying the replication topology
- Cloning a DFSR database for initial replication and preseeding the files (Robocopy, Windows Server Backup)

Monitoring and troubleshooting DFS
Tool: use
- Health Report: reports replication statistics and the general health of the topology
- Propagation Test: generates a test file to verify replication
- Propagation Report: reports on the propagation test and provides replication statistics
- Verify Topology: reports on the current status of the members of the topology
- Dfsrdiag.exe: monitors the replication state of the DFS Replication service
- Windows PowerShell: configure, monitor, and troubleshoot DFS Replication

Understanding BranchCache modes
[Diagram: head office with the content servers; one branch office in Hosted Cache mode (a server in the branch holds the cache for all clients) and one branch office in Distributed Cache mode (clients cache content and serve it to each other, with no branch server)]

Example question
You are a system administrator for Contoso, Ltd. You have a main office and a branch office. The main office has a single file server. The branch office does not have a secure facility to house servers and has a high latency connection to the main office. You need to improve the performance when branch office users access documents from the file server. What should you do?
A. Implement BranchCache using the Hosted Cache mode.
B. Implement BranchCache using the Distributed Cache mode.
C. Implement DirectAccess for all branch office users.
D. Implement universal group membership caching for all branch office users.

06 Implement an Advanced Network Infrastructure (10-15%)

Implement high performance network solutions
- Implement NIC Teaming or the Switch Embedded Teaming (SET) solution, and identify when to use each
- Enable and configure Receive Side Scaling (RSS)
- Enable and configure network Quality of Service (QoS) with Data Center Bridging (DCB)
- Enable and configure SMB Direct on Remote Direct Memory Access (RDMA) enabled network adapters; enable and configure SMB Multichannel
- Enable and configure virtual Receive Side Scaling (vRSS) on a Virtual Machine Queue (VMQ) capable network adapter
- Enable and configure Virtual Machine Multi-Queue (VMMQ)
- Enable and configure Single-Root I/O Virtualization (SR-IOV) on a supported network adapter

Converged Networking
[Diagram, Windows Server 2012 R2: two 10G NICs in a NIC team under the Hyper-V vSwitch serve the VM vNICs and a host vNIC in the management OS; two separate RDMA NICs in the management OS carry SMB Direct storage traffic]
[Diagram, Windows Server 2016: two RDMA NICs under a Hyper-V vSwitch with Switch Embedded Teaming (SET); the management OS gets host vNIC 0 plus host RDMA vNIC 1 and vNIC 2 alongside the VM vNICs]
- DCB policies in the management OS are configured for management, storage, migration and clustering traffic
- Storage traffic utilizes SMB Multichannel and SMB Direct
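The Windows Server 2016 half of the diagram above as PowerShell on a Hyper-V host: SET over two RDMA NICs, host vNICs for management and SMB, RDMA on the vNICs, and a DCB priority so SMB Direct gets lossless treatment. This is an added example and not part of the slides; the adapter names NIC1/NIC2, the priority value 3 and the 50 % bandwidth reservation are assumptions.

```powershell
# Added example, not from the slides. Adapter names, priority 3 and 50 % ETS are assumptions.
$Nics = "NIC1", "NIC2"

# Switch Embedded Teaming: the vSwitch owns the team directly (no LBFO team object), which is
# what allows RDMA to be exposed on host vNICs in 2016
New-VMSwitch -Name "ConvergedSwitch" -NetAdapterName $Nics -EnableEmbeddedTeaming $true -AllowManagementOS $false

# Host vNICs: one for management, two for storage so SMB Multichannel has two paths
Add-VMNetworkAdapter -ManagementOS -SwitchName "ConvergedSwitch" -Name "Mgmt"
Add-VMNetworkAdapter -ManagementOS -SwitchName "ConvergedSwitch" -Name "SMB1"
Add-VMNetworkAdapter -ManagementOS -SwitchName "ConvergedSwitch" -Name "SMB2"
# Pin each SMB vNIC to one physical NIC; otherwise both may land on the same member
Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName "SMB1" -PhysicalNetAdapterName "NIC1"
Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName "SMB2" -PhysicalNetAdapterName "NIC2"

# RDMA on the physical NICs and on the SMB vNICs (vRDMA is new in Windows Server 2016)
Enable-NetAdapterRdma -Name $Nics
Enable-NetAdapterRdma -Name "vEthernet (SMB1)", "vEthernet (SMB2)"

# DCB: classify SMB Direct (port 445) as priority 3, enable priority flow control on 3 only,
# reserve 50 % of the link for it with ETS, and make the host (not the switch) authoritative
New-NetQosPolicy -Name "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3
Enable-NetQosFlowControl -Priority 3
Disable-NetQosFlowControl -Priority 0, 1, 2, 4, 5, 6, 7
New-NetQosTrafficClass -Name "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS
Set-NetQosDcbxSetting -Willing $false -Confirm:$false
Enable-NetAdapterQos -Name $Nics

# Verify: RDMA enabled on the adapters, SMB sees RDMA-capable interfaces, PFC only on priority 3
Get-NetAdapterRdma | Where-Object Enabled | Format-Table Name, Enabled -AutoSize
Get-SmbClientNetworkInterface | Where-Object RdmaCapable | Format-Table InterfaceIndex, RdmaCapable, RssCapable -AutoSize
Get-NetQosFlowControl | Format-Table Priority, Enabled -AutoSize
```

The PFC and ETS settings must match on the physical switch ports, and RoCE without PFC degrades silently into lossy traffic; a Get-SmbMultichannelConnection that shows no RDMA connections after this is usually the switch side, not the host.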

Virtual switch expanded functionality
The virtual switch improvements in Windows Server 2016 include:
- Extended port ACLs
- Dynamic load balancing
- Coexistence with third-party forwarding extensions
- RSS support on the virtual machine network path
- Network tracing enhancements
- Router guard
- DHCP guard
- Trunk mode for virtual machines
- Port mirroring
- VLAN isolation through a private VLAN
- Extended bandwidth management

Network adapter advanced features
Hardware acceleration: VMQ, IPsec task offloading, SR-IOV

Determine scenarios and requirements for implementing software-defined networking (SDN)
- Determine deployment scenarios and network requirements for deploying SDN
- Determine requirements and scenarios for implementing Hyper-V Network Virtualization (HNV) using Network Virtualization Generic Route Encapsulation (NVGRE) encapsulation or Virtual Extensible LAN (VXLAN) encapsulation
- Determine scenarios for implementation of Software Load Balancer (SLB) for North-South and East-West load balancing
- Determine implementation scenarios for the various types of Windows Server Gateways, including L3, GRE, and S2S, and their use
- Determine requirements and scenarios for distributed firewall policies and network security groups

What is Software Defined Networking?
Software Defined Networking enables you to:
- Virtualize the network layer in a datacenter
- Define policies for the physical and virtual networks
- Manage the virtualized network infrastructure
The Microsoft Software Defined Networking solution includes:
- Network Controller
- Hyper-V Network Virtualization
- Hyper-V Virtual Switch
- RRAS Multitenant Gateway
- NIC Teaming
- System Center Operations Manager
- System Center Virtual Machine Manager

What is network virtualization?
Server virtualization: multiple virtual machines (for example a test VM and a production VM) run on the same physical server; each virtual machine is isolated from the others.
Network virtualization: multiple virtual networks (for example a test network and a production network) run on the same physical network; each virtual network is isolated from the others.

What is Generic Route Encapsulation?
[Diagram: two tenants each run VMs with customer addresses (CA) 10.1.1.11 and 10.1.1.12 on hosts whose provider addresses (PA) are 192.168.2.22 and 192.168.5.55. A packet from CA 10.1.1.11 to CA 10.1.1.12 leaves the host as: outer IP header PA 192.168.2.22 -> 192.168.5.55, GRE header with Key 5001 for the first tenant (Key 6001 for the second), then the original Ethernet frame (MAC) with the inner IP header CA 10.1.1.11 -> 10.1.1.12]
- The customer address space is based on the virtual machine configuration
- The provider address space is based on the physical network and is not visible to the virtual machines
- The GRE key carries the Virtual Subnet ID, which is what keeps the two tenants' overlapping 10.1.1.x addresses apart on the wire

What are network virtualization policies?
- Define CA-PA mappings: they specify the Hyper-V host on which each virtual machine is running
- Hyper-V implements the policies by translating incoming and outgoing packets
- If a virtual machine is moved, the policies are modified, but the virtual machine configuration stays the same
Policy settings in the example: Hyper-V Host 1 has PA 192.168.1.10 and Hyper-V Host 2 has PA 192.168.1.12 on the datacenter network; both tenants use CA 10.1.1.1 for their SQL VM and CA 10.1.1.2 for their WEB VM
- Blue Yonder Airlines (VSID 5001): CA 10.1.1.1 -> PA 192.168.1.10; CA 10.1.1.2 -> PA 192.168.1.12
- Woodgrove Bank (VSID 6001): CA 10.1.1.1 -> PA 192.168.1.10; CA 10.1.1.2 -> PA 192.168.1.12

Network Controller Overview
- Highly available and scalable server role
- Southbound API: lets the Network Controller communicate with the network. It can discover network devices, detect service configurations and gather all of the information you need about the network, and it provides the pathway to send information (such as configuration changes you have made) to the virtual and physical network infrastructure
- Northbound API (REST interface): lets you communicate with the Network Controller. It gives management applications and network-aware applications the ability to gather network information from the Network Controller and use it to monitor and configure the network
- Configure, monitor, troubleshoot and deploy new devices on the network by using Windows PowerShell, REST, SCVMM, SCOM etc.
- Can manage: Hyper-V VMs and vSwitches, physical network switches, physical network routers, firewall software, VPN gateways

Network Controller features
- Fabric network management: IP subnets, VLANs, L2 and L3 switches, host NICs
- Virtual network management: deploy Hyper-V Network Virtualization, the Hyper-V Virtual Switch and virtual network adapters to VMs; store and distribute virtual network policies; supports NVGRE and VXLAN
- Firewall management: allow/deny rules for East/West and North/South traffic, plumbed into the vSwitch port of each VM; rules for incoming and outgoing traffic; logging of allowed and denied traffic
- Service chaining: rules for redirecting traffic to one or more virtual appliances
- Software Load Balancer: centralized configuration of SLB policies
- Windows Server Gateway management: deploy, configure and manage gateways (host and VMs); S2S VPN with IPsec, S2S VPN with GRE, P2S VPN, L3 forwarding, BGP routing; load balancing of S2S and P2S connections across gateway VMs; logging of configuration and state
- Network topology: automatic discovery of network elements and their relationships
- Network monitoring, physical and virtual: active network data (loss, latency, baselines, deviations) with fault localization; element data via SNMP polling and traps (a limited set of critical data from public MIBs, i.e. link state, system restarts, BGP peer status); device (switch, router) and device group (rack, subnet) health; gathers network loss, latency, device CPU/memory usage, link utilization and packet drops; impact analysis uses topology information to determine which overlay networks are affected by a faulty underlying physical network (vNet footprint and health); System Center Operations Manager integration for health and statistics

Datacenter Firewall
- Highly scalable, manageable and diagnosable software-based firewall
- Freedom to move tenant virtual machines to different compute hosts without breaking tenant firewall policies
- Deployed as a vSwitch port host agent firewall
- Tenant virtual machines get the policies assigned to their vSwitch host agent firewall
- Firewall rules are configured in each vSwitch port, independent of the actual host running the virtual machine
- Guest OS agnostic

Software Load Balancing Layer 4 load balancing for both “North-South” and “East-West” Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic

RAS Gateway
Software-based, multitenant, BGP-capable router. RAS Gateway features:
- Addition and removal of gateway VMs
- Site-to-site VPN gateway connectivity by using IPsec
- Site-to-site VPN gateway connectivity by using GRE
- Point-to-site VPN gateway connectivity
- Layer 3 forwarding capability
- BGP routing

Network Controller Deployment Requirements
- You can only deploy Network Controller on the Windows Server 2016 Datacenter edition
- The management client you use must be installed on a computer or virtual machine running Windows 10, Windows 8.1, or Windows 8
- You must configure dynamic DNS registration to enable registration of the DNS records Network Controller requires
- If the computers or virtual machines running Network Controller or its management client are domain-joined, you must:
  - Create a security group that holds all the users that have permission to configure Network Controller
  - Create a security group that holds all of the users that have permission to configure and manage the network by using Network Controller

Learning Resources

Course 20741 outline
- Module 1: Planning and implementing an IPv4 network
- Module 2: Implementing DHCP
- Module 3: Implementing IPv6
- Module 4: Implementing DNS
- Module 5: Implementing and managing IPAM

Course 20741 outline, continued
- Module 6: Remote access in Windows Server 2016
- Module 7: Implementing DirectAccess
- Module 8: Implementing VPNs
- Module 9: Implementing networking for branch offices
- Module 10: Configuring advanced networking features
- Module 11: Implementing software-defined networking

Born To Learn site: http://borntolearn.mslearn.net/

TechNet: https://technet.microsoft.com/

TechNet Virtual Labs: https://technet.microsoft.com/en-us/virtuallabs/default

Microsoft Virtual Academy: https://mva.microsoft.com/en-US/training-courses/whats-new-in-windows-server-2016
