Errata

There is no mention in the book about where this feature is enabled and configured.

http://blogs.technet.com/b/teamdhcp/archive/2012/06/28/ensuring-high-availability-of-dhcp-using-windows-server-2012-dhcp-failover.aspx

Ambiguity #1: "...general DNS resolution..."
What exactly does the author mean by "general" name resolution? What other types of name resolutions exist?

Ambiguity #2: "...the domain controllers are separate from the DNS servers that clients use for normal Internet name resolution."
A clearer wording would be "...the domain controllers that are also DNS servers but are not used by clients for Internet name resolution."
http://technet.microsoft.com/en-us/library/ee649165(v=ws.10).aspx also points out that "Do not disable recursion on a DNS server if it is used by other DNS servers for server-level forwarding, or if DNS client computers use it for name resolution."

Ambiguity #3: "...normal Internet name resolution..."
What other types of Internet name resolutions exist?

Ambiguity #4: "If your domain has both types of records, you should consider splitting the DNS namespace between external and internal servers."

Issue #1: "...both types of records..." - suspecting the author means internal and external records, on the same DNS server, hosted in the same or different DNS zones, as in, for example, a host record that resolves to an IP address in the private corporate address space, and a host record which resolves to a publicly routable IP address as defined in RFC1918, http://tools.ietf.org/html/rfc1918. Please clarify.

Issue #2: "...consider splitting the DNS namespace between external and internal servers." the author fails to finish this scenario and provide further information for it to make sense. More details at http://technet.microsoft.com/en-us/library/cc770636.aspx. Please finish the idea, otherwise it makes no sense or it looks outright technically incorrect.

"Unfortunately, this feature can't be controlled using the DNS management tool and must instead be configured by using either the dnscmd tool or the registry."

Ddnscmd *is* a DNS management tool and so is the DNS Management MMC snap-in.

Therefore the sentence should read:

"Unfortunately, this feature can't be controlled using the DNS Management MMC console and must instead be configured by using either the dnscmd tool or the registry."

Only dnscmd is given as a way to create and enlist servers in application partitions, however Powershell can be used too. Given that during the exam this can be tested as well, these commands should also be included (Add-DnsServerDirectoryPartition / Register-DnsServerDirectoryPartition).

"When installed, IPAM creates five security groups..."

There are quite a number of security group types, such as local, domain global, universal etc. It would have been nice to be specific and state that these are local groups created on the IPAM server. See http://technet.microsoft.com/en-us/library/jj878342.aspx and http://technet.microsoft.com/en-us/library/hh831622.aspx.

Also it would have been nice to spell out what the group name acronyms mean. As per http://technet.microsoft.com/en-us/library/hh831622.aspx:

IPAM MSM Administrators - IPAM multi-server management (MSM) administrators
IPAM ASM Administrators - IPAM address space management (ASM) administrators

The subheading lacks specific details, such as where are the firewall exceptions to be applied: on the RAS server, and if so, on the internal or external facing adapter, or the corporate firewalls between the RAS server and the rest of the world?

The information is incomplete and it lacks references, hence it is unusable both in real life and in the exam.

For usable information and specific configuration details see "1.4. Configure firewalls" at http://technet.microsoft.com/en-us/library/jj134204.aspx.

"...but also to connect sites or data centers to each other. This can be done to provide redundancy."

Q1. Redundancy of what: connection, RAS server, VPN/DA service, Disaster Recovery/Business Continuity?

Q2: If a branch site is connected to the head office via a site-to-site VPN, and branch users access applications via the VPN that are hosted at the head office (e.g. a SharePoint portal), how does the VPN in this scenario provide "redundancy"? Please clarify.

Q3: Did the author mean that a site-to-site VPN facilitates DR/BC scenarios where a secondary data center can take over the work should the primary data center fail, and the VPN is used to replicate data and services across the VPN to the DR site? Please clarify.

"When used for redundancy, the Remote Access server has two network adapters, each connected to a different Internet service provider (ISP). The sites can then have tunnels created between them."

Q1: If my RAS server has two network adapters, then I would normally connect one to the Internet and the other to the corporate LAN, as per http://technet.microsoft.com/en-us/library/jj134204.aspx. That is *two* network adapters and *one* ISP. If both adapters are connected to two different ISPs then how do I connect my server to the corporate LAN?

Q2: The way the author worded it, the last sentence implies that if a RAS server isn't connected to two different ISPs then site-to-site tunnels aren't possible. Please clarify.

Extremely slim explanation, half-explained concepts that are as confusing as anything. No architectural or conceptual diagram to help the reader untangle what the author really meant, and, as it is, it is technically incorrect in at least the following ways:

- With two network adapters, each connected to two separate ISPs, the server would need a third adapter to connect to the LAN also. Otherwise what's the point of having a RAS server?

- A RAS server doesn't need to connect to two separate ISPs to set up a site-to-site tunnel. I do not need to connect one adapter to Telstra and the other to Optus in my Sydney RAS server to create a tunnel to Melbourne. However the way the author worded it, this is what filters through.

Mr Suehring, if this isn't what you meant, then please provide accurate and complete information, complemented with appropriate diagrams instead of throwing around half thoughts. Also please include links to sites and articles to back what you intended to convey.

Extremely poor and superficial material, unsuitable for training.

"You can virtualize Active Directory in Windows Server 2012 much more easily, thus enabling a domain controller to be deployed in a cloud-hosted environment."

A couple of questions:

1. Deploying a DC in a cloud-hosted environment means IaaS, such as Amazon's VPC (http://aws.amazon.com/vpc/) or Windows Azure Virtual Network (http://www.windowsazure.com/en-us/services/virtual-network/). Both allow the installation of domain controllers in the cloud network. Can you please confirm that this is what you meant and NOT AD-FS/DirSync/SSO (http://technet.microsoft.com/en-us/library/hh852486.aspx)?

2. I have deployed domain controllers in IaaS environments, as defined in point 1 above, which are not Windows Server 2012, without any issues. However your statement "..thus enabling a domain controller to be deployed in a cloud-hosted environment" suggests that only Windows Server 2012 based DCs can be deployed in the cloud, or the cloud must use Windows Server 2012 based hypervisors exclusively to allow DCs to be deployed in an IaaS environment. Your statement can be read either way, and both ways are technically incorrect. Please clarify.

3. Now that hybrid deployments are mentioned, please include references or, instead of throwing it together in two paragraphs, be as explicit as possible for the information to make sense.

"With Windows Server 2012, you can extend Active Directory control into cloud-based platforms..."

The statement suggests that Windows Server 2012 is a *requirement* for managing cloud-based services, and older operating systems cannot be used for the task.

Like it or not, not every aspiring MCSE has experience with cloud services. Such individuals are potentially mislead by the statement.

Please provide clear and technically accurate information.