• A
    Adam Tyler

    Hello ITPro, ran into a practice question that goes as follows. I've researched a ton and can't seem to pick out an answer that seems to cover it. What do you guys think?


    You have two servers that run Windows Server 2016. The servers are configured as shown in the following table:

    Server Name | Workgroup | DNS Suffix
    Server1 | Workgroup1 | None
    Server2 | Workgroup2 | wrkgrp.local

    You need to create a failover cluster that contains both servers.

    Which command should you run?

    A. wmic ComputerSystem Set Workgroup="Workgroup2" | ----I tested this in the lab and it didn't seem to make any impact on the DNS suffix configuration.

    B. New-Cluster -Name Cluster1 -Node Server1,Server2 -AdministrativeAccessPoint DNS | ----This should be the correct command to build the cluster once each node has a DNS suffix configured. Not a complete solution.

    C. New-Cluster -Name Cluster1 -Node Server1,Server2 -AdministrativeAccessPoint ActiveDirectoryAndDNS | ----This is the incorrect command for a Workgroup cluster.

    D. New-Cluster -Name Cluster1 -Node Server1,Server2 -AdministrativeAccessPoint None | ----I'm not sure when you would use this command, but it doesn't seem to apply to creating Workgroup clusters.

    E. netdom computername Server1 /MakePrimary:server1.wrkgrp.local | -------This seemed like a promising way to set the DNS suffix for Server1, but it just errors out in my lab.


    Reference material used:
    https://blogs.msdn.microsoft.com/clustering/2015/08/17/workgroup-and-multi-domain-clusters-in-windows-server-2016/

    http://woshub.com/windows-cannot-find-microsoft-software-license-terms/

    It seems that the only DNS requirement for Workgroup clusters is that each server has a DNS suffix. From what I can tell they don't even have to be the same DNS suffix. Just as long as they can each resolve each others FQDN.

    So it would seem that the first step given the question would be to set a DNS suffix for Server1, but based on the options provided, I am thinking this is a bad question.

    Any other input or thoughts would be welcome!

    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    If I have a three node 2016 Hyper-V cluster, what settings would I modify if I wanted VMs to be moved off of an isolated node automatically after one minute? I am thinking I would make the following chagnes:

    ResiliencyLevel: <Leave default value>
    (Get-Cluster).ResiliencyLevel = 2

    ResiliencyPeriod:
    (Get-Cluster).ResiliencyDefaultPeriod = 60

    I am pretty confident with the ResiliencyPeriod, but I am not sure I fully understand the ResiliencyLevel setting. Why would I leave this in the default state vs changing it to "1"?

    Web description:

    ResiliencyLevel
    1 – Allow the node to be in Isolated
    state only if the node gave a notification and it went away for known reason, otherwise fail immediately. Known reasons include Cluster Service crash or Asymmetric Connectivity between nodes.

    2- Always let a node go to an Isolated state and give it time before taking over ownership of the VMs.

    posted in Microsoft read more
  • A
    Adam Tyler

    Adam G.! This path match detail has to be what the question is getting at. Great, thank you..

    Quick follow up question.. Is it a requirement that the "back end" URL use TLS/Certificate? Or can the Web Application Proxy add TLS to a site that otherwise wouldn't support it?

    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    Hello, interested in your thoughts on this question regarding Web Application Proxy and Server 2016.


    You have a server named Server1 that runs Windows Server 2016. Server1 has the Windows Application Proxy role isntalled. You are publishing an application named App1 that will use intergrated Windows authentication as shown in the following graphic.

    0_1543940401351_Snap10.jpg

    0_1543940440612_Snap11.jpg


    Based on my research I am pretty sure we need to select "Configure the Backend server SPN:". The certificate FQDN seems to match and I think the HTTP/HTTPS redirection is more of a preference than a requirement.

    However on the part of "To ensure that users can access App1 externally, you must change the External URL to ______", I am a bit confused. Why wouldn't the external URL "https://server02.contoso.com/app1" work in this scenario?

    Thanks for your help
    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    Thank you Mike for that complete answer.

    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    Hello, ran across this practice question and wanted to think through it with others.


    Your network contains one Active Directory domain named lab.local. You complete a trial deployement of DirectAccess for a test group called "LAB\Test Computers". The trial is now complete and you need to enable Direct Access for all computers in the domain.

    A. From Windows PowerShell, run the Set-DAClient cmdlet.
    B. From Windows PowerShell, run the Set-DirectAccess cmdlet.
    C. From Active Directory Users and Computers, modify the membership of the Windows Authorization Access Group.
    D. From Group Policy Management, modify the security filtering of an object named Direct Access Client Setting Group Polcy.


    So "A" doesn't seem to be correct as the "Set-DaClient" seems to only be used to change other unrelated settings like "Force Tunneling". "B" doesn't seem to work as "set-DirectAccess' doesn't appear to be a valid cmlet.

    I can't decide if "C" or "D" is the correct answer.. Based on my research it appears that a security group must be used to execute the recommended Microsoft deployment.

    Because the group "LAB\Test Computers" was used to deploy the current solution, I imagine this group would need to be swapped out for a different group either on the security filtering tab of the GPO or somewhere in the Direct Access config.. Anyone out there with a bit more experience with this role able to comment?

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/single-server-wizard/da-basic-configure-s1-infrastructure

    posted in Microsoft read more
  • A
    Adam Tyler

    Hello, am I correct in assuming the difference between these two commands is the ability to specify a protocol/port with the "ExtendedAcl"? Otherwise they are both used to restrict access to or from a virtual machine?

    Add-VMNetworkAdapterExtendedAcl
    Add-VMNetworkAdapterAcl

    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    Hello, I ran across this trick practice question and thought I would just confirm my answer.


    You plan to install a Nano Server on a phyysical server named Nano1. Nano1 will host several virtual machines that will use live migration. Which package should you install on Nano1?

    A. Microsoft-NanoServer-SecureStartup-Package
    B. Microsoft-NanoServer-ShieldedVM-Package
    C. Microsoft-NanoServer-Compute-Package
    D. Microsoft-NanoServer-FailoverCluster-Package
    E. Microsoft-NanoServer-Storage-Package


    Initially I went directly to the "Microsoft-NanoServer-Compute-Package".. I know you don't need to create a cluster to use the live migration feature and "Compute" rang a bell for installing the Hyper-V role into a Nano image. However after reviewing the below article, It doesn't look like that package exists. It is just "-Compute".. Not "Microsoft-NanoServer-Compute-Package".. However what I did find was a valid package, "Microsoft-NanoServer-ShieldedVM-Package". It appears this this is a valid command/package and it install Hyper-V and accomplish our goal..

    So.. I am thinking "B". Who's with me?

    https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server

    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    Thanks Adam, what I am hearing is "for exam purposes" if the processors are in the same "family", live migration should work without compatibility. Also going from 2012 R2 and 2016 is supported.

    In the real world, I too always use compatibility or in my case VMware's EVC. In fact, because there are so many different processors, I usually build my VMware clusters without EVC enabled. Then after the cluster is in place I choose whatever EVC level is compatible with all cluster CPUs by using the feedback in the interface as I choose each processor family.

    Regards,
    Adam Tyler

    posted in Microsoft read more
  • A
    Adam Tyler

    Thanks Adam! I have a pretty nice home lab and a growing list of things I want to stand up as I go through this material. My lab is built on VMware ESXi 6.5 and some 1 Gb 3500 series cisco switches. I imagine that I can use nested Windows svr 16 VMs to try this out..

    Just to clarify one point, You said that Switch embedded Teaming (SET) is used to allow RDMA to be utilized by both the host and the guests. The question asks for aggregation of the network links as well as passing through RDMA features to the guest, so that means we are deploying SET. Based on the article, that means we are running the following command:

    new-VMSwitch -name vswitchname -NetAdapterName net1,net2 -EnableEmbeddedTeaming $True

    Is that about right? If so, this seems to focus on convergence of all the network traffic over common links rather than anything to do with SDN. Am I correct in assuming this particular setting is not related to SDN in Svr 2016?

    It seems like a lot of talk for a very basic feature. I come from the VMware world in virtualization.. I've been doing this with VMware vswitches and port groups for years. However when it comes to iSCSI storage connections in VMware I generally would deploy a separate vswitch and dedicated VMK ports allocated to different physical NICs so that multipathing functioned correctly. How would you approach this with Svr 16 and SET?

    Regards,
    Adam Tyler

    posted in Microsoft read more