• Creating fine grained password policies through GUI, Windows Server 2012 “Server 8 beta”

    A quick description of fine grained password policies: they let you specify multiple password policies within a single domain. You can use fine-grained password policies to apply different password and account lockout restrictions to different sets of users in a domain.

    One of the nice features introduced in Windows Server 2012 “Server 8 beta” AD DS is the ability to configure fine grained password policies through the GUI.

    In this post we will walk through the configuration steps to create and assign different password policies to different user groups within the same Active Directory domain. The table below gives an example of different password policy requirements:

    Group Name/Setting         Group1        Group2        Group3
    Policy Name                Poli-Group1   Poli-Group2   Poli-Group3
    Minimum password length    2             6             19
    Minimum password age       1             2             14
    Enforce password history   24            15            none

    To configure password policies as per the table above:

    1.       Log in with a domain admin account to a machine that has the Active Directory administration tools installed and open Server Manager.

    2.       Go to Tools and open Active Directory Administrative Center.


    3.       Click on Tree View.


    4.       Navigate to the System container, then to the Password Settings Container.


    5.       Right-click the Password Settings Container, then choose New > Password Policy.


    6.       Specify the password policy settings for each of the required policies.


    7.       Click Add to link the created policy to the users’ security group “Group1”.


    8.       Repeat steps 5-7 for the remaining policies.
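    The same result from PowerShell, as an added example that is not part of the original post: ADAC is built on the ActiveDirectory module, so the three policies in the table can be created and linked with the same cmdlets the GUI runs, and the resultant policy can then be verified per user. Assumptions: the groups Group1 to Group3 already exist, the minimum password age values in the table are days, and the precedence and maximum password age values below are chosen here (precedence is mandatory for a PSO; the lowest number wins when a user is in several groups).

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module (RSAT / a DC).
Import-Module ActiveDirectory

# Values from the table in the post; Precedence and MaxAgeDays are assumptions made here.
$policies = @(
    @{ Name = 'Poli-Group1'; Group = 'Group1'; Precedence = 10; MinLength = 2;  MinAgeDays = 1;  History = 24 },
    @{ Name = 'Poli-Group2'; Group = 'Group2'; Precedence = 20; MinLength = 6;  MinAgeDays = 2;  History = 15 },
    @{ Name = 'Poli-Group3'; Group = 'Group3'; Precedence = 30; MinLength = 19; MinAgeDays = 14; History = 0 }  # "none"
)
$MaxAgeDays = 42   # assumed; must be greater than every MinAgeDays above

foreach ($p in $policies) {
    # Steps 5-6: create the PSO in CN=Password Settings Container,CN=System,<domain>; skip if present
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLength `
            -MinPasswordAge (New-TimeSpan -Days $p.MinAgeDays) `
            -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
            -PasswordHistoryCount $p.History `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
    }
    # Step 7: link the policy to the security group
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Check: what matters is the resultant policy of each user, not the PSO link itself.
# Get-ADUserResultantPasswordPolicy returns nothing when only the default domain policy applies.
foreach ($p in $policies) {
    Get-ADGroupMember -Identity $p.Group | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
        $rpp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            Group           = $p.Group
            ResultantPolicy = $rpp.Name
            AsExpected      = ($rpp.Name -eq $p.Name)
        }
    }
}
```

    A user in more than one linked group receives only the policy with the lowest precedence number, so the AsExpected column is the quickest way to spot overlapping group memberships.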

  • Windows Server 2012 Direct Access Part 2–How to Build a Test Lab

    Here is the second part of the Windows Server 2012 Direct Access blog series.

    Part1: http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx

    In the first post we discussed what’s new and the design differences between the new and previous versions of the Direct Access feature.

    In this blog post, we’ll discuss the lab configuration that will be used in the next parts and help us design and test the Direct Access feature in a virtual environment.

    To build a reliable Direct Access lab, Microsoft provides Base Lab and Test Lab guide documents.

    Base Lab: http://www.microsoft.com/en-us/download/details.aspx?id=29010

    Test Lab: http://www.microsoft.com/en-us/download/details.aspx?id=29029

    Using the Base Lab guide, you can build a base lab that includes infrastructure servers (DNS, Active Directory), an application server (intranet IIS site), a simulated Internet (DNS server) and a single Direct Access server.

    After you build the base virtual machines, follow the Test Lab guide to configure and test the Direct Access feature.

    Let’s look at the lab details and introduce the virtual machines and their roles.

     

    image

     

    - First of all you must build a domain controller that acts as the intranet domain controller, DNS server and DHCP server. This server will be responsible for authentication and will act as the main identity store for the lab environment. A DNS server is also a must for a healthy Active Directory environment. DHCP is another role that you have to install; it will be used to configure Client1’s IP address automatically. Since you will change Client1’s subnet frequently during testing, assigning IP addresses automatically will help.

    - One intranet member server running Windows Server 2012 named APP1. It will be configured as a general application and web server. When a client resides on the Internet network and successfully connects to the intranet through the IPsec tunnel (the Direct Access server), being able to access real intranet resources makes for a more useful test of Direct Access client-side functionality. On the application server, a file share and an intranet IIS web site will be created.

    - One member client computer running Windows 8 Consumer Preview named Client1. You will use that client machine for testing purposes. I recommend that you add three network interfaces to try Internet, intranet and behind-NAT communications.

    - One intranet member server running Windows Server 2012 named EDGE1. That will be our Direct Access server. The most important point is that it should have two different network cards, to access both the intranet and Internet networks. This server will also act as a DNS64: it receives IPv6 DNS requests from Windows 8 clients located on the Internet and makes IPv4 DNS requests to the intranet DNS server on behalf of the DA clients.

    - The last required server for the base lab is INET1. It is required to simulate the Internet network. You will have to create DNS zones to answer DNS queries from Internet clients.

    I’m sure that if you want to build this lab, you will download the Base and Test Lab guides and follow the steps, so I will only highlight the important steps, which are also covered in the documents.

    - Since this is a limited lab environment, you can minimize hardware requirements. 1024Gb RAM will be enough for each VM.

    - Unlike the previous Windows 7 Direct Access Test Lab guide, this guide includes a PowerShell script for each step. You do not have to follow 15-20 steps one by one; just copy the PowerShell script provided and run it in an elevated PowerShell console.

    After you complete the Base Lab guide and before you start the Test Lab guide, if you want to test Direct Access functionality behind a NAT device, you also have to build the following HomeNet lab.

    Optional mini-module: Homenet subnet

    It’s an optional step that helps you fire up another Windows 8 virtual machine that will act as a NAT device.

    Before you start to install the Direct Access feature and test connectivity, you must have the whole environment described above in place.

    I know it seems a little crowded, but once you build this kind of virtual lab, you can also use it to test other new Windows Server 8 features.

    In the next part we will assume that you have a working lab environment and will start to install and configure the Direct Access feature.

  • Reset the DSRM Administrator Password

    To Reset the DSRM Administrator Password

    1. Click Start, click Run, type ntdsutil, and then click OK.
    2. At the Ntdsutil command prompt, type set dsrm password.
    3. At the DSRM command prompt, type one of the following lines:
       • To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

         -or-
       • To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
    4. At the DSRM command prompt, type q.
    5. At the Ntdsutil command prompt, type q to exit.
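    The same procedure driven from one command line, plus the audit check an administrator would want afterwards, as an added example that is not part of the original post. Assumptions: it is run in an elevated console on the domain controller itself (the "null" form above), ntdsutil still prompts for the new password interactively rather than taking it as an argument, and the "User Account Management" audit subcategory is enabled so that the reset is recorded.

```powershell
# Added example, not the post's own code. Steps 2-5 of the procedure as ntdsutil arguments;
# the new password is still typed at the interactive prompt, never placed on the command line.
ntdsutil "set dsrm password" "reset password on server null" q q

# Verification: setting the DSRM password is audited on the DC as Security event 4794
# ("An attempt was made to set the Directory Services Restore Mode administrator password").
# Listing these events shows who reset it, when, and whether it succeeded.
function Get-DsrmPasswordResetEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4794
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the event data by field name so the column order of the event does not matter
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Subject  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Status   = $data['Status']   # 0x0 means the reset succeeded
        }
    }
}
Get-DsrmPasswordResetEvents | Format-Table -AutoSize
```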
  • Prepare SharePoint Farm – Part 1 Prepare Windows Cluster

    This part demonstrates how to configure a Windows cluster on two servers, to be used as a SQL cluster.

    Before you start

    · You need two network adapters on each node, one Public and one Private (for heartbeat communication).

    · Shared storage (such as SAN storage) should be present and connected to both cluster nodes, with at least:

      • Quorum Disk (5GB)
      • DTC Disk (1GB)
      • SQL data files and log file disk(s)

    · A domain user account (SPSadmin): add the SPSadmin user as an administrator on both servers.

    · Prepare a reserved static IP and Cluster Name to be used.

    · Prepare a reserved static IP and DTC Name to be used.

    Windows Cluster Configuration

    1. Install the latest Windows updates on all server nodes.

    2. Install the Application Server role and the IIS role on both SQL DB server nodes.


    3. Install the Failover Clustering feature on both SQL DB server nodes.


    4. Provide a Cluster Name and Cluster IP for the database nodes:


    Note: make sure that the public network is used here, not the private (heartbeat) one.

    5. Review the server information for both nodes.


    6. Configure the cluster disks (quorum, DTC and SQL data/log disks listed above).


    7. Configure DTC as a clustered service; this is a prerequisite for the SQL cluster installation.


    8. Complete the DTC cluster configuration.


    9. Assign the DTC a cluster disk.


    10. Create a SQL group, a logical group that will contain all SQL resources.

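    Steps 3, 4 and 10 above, together with the note about keeping the heartbeat network private, done with the FailoverClusters module on Windows Server 2012. This is an added example, not the post's own script. Assumed names: nodes SQLNODE1 and SQLNODE2, cluster name SPSQLCLU with reserved IP 10.0.0.50 on the public subnet, heartbeat subnet 192.168.10.0, and a 5 GB quorum disk that the cluster named "Cluster Disk 1".

```powershell
# Added example, not the post's own code. Run as SPSadmin (administrator on both nodes).
$nodes       = 'SQLNODE1', 'SQLNODE2'   # assumed node names
$clusterName = 'SPSQLCLU'               # assumed reserved cluster name
$clusterIp   = '10.0.0.50'              # assumed reserved static IP on the public network

# Step 3: install the Failover Clustering feature on both nodes
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
}
Import-Module FailoverClusters

# Validate first: a failed storage or network test here is far cheaper than a failed SQL install
Test-Cluster -Node $nodes

# Step 4: create the cluster; -StaticAddress must be on the public subnet, not the heartbeat one
New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIp

# The note in step 4: client traffic must not use the private network.
# Role 1 = cluster communication only, Role 3 = cluster and client traffic.
Get-ClusterNetwork -Cluster $clusterName | ForEach-Object {
    if ($_.Address -eq '192.168.10.0') { $_.Name = 'Heartbeat'; $_.Role = 1 }
    else                               { $_.Name = 'Public';    $_.Role = 3 }
}

# Two nodes plus shared storage: use Node and Disk Majority with the 5 GB quorum disk
Set-ClusterQuorum -Cluster $clusterName -NodeAndDiskMajority 'Cluster Disk 1'

# Step 10: the empty group that will later hold the SQL resources
Add-ClusterGroup -Cluster $clusterName -Name 'SQL Group'

# Quick check: every network is Up with the intended role, and the new group exists
Get-ClusterNetwork -Cluster $clusterName | Select-Object Name, Address, Role, State
Get-ClusterGroup   -Cluster $clusterName
```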

    Part 2 - Install and configure SQL Cluster

    Part 3 - Install and Configure NLB on WFE

    Part 4 - Install and configure SharePoint farm (3-tier)

  • System Center 2012 Configuration Manager–Part7: Software Updates (Deploy)

    In our last article, Part6: Software Updates (SUP), we configured the Software Update point and ran the synchronization with the Microsoft Updates server.

    As a result of this process, the Software Updates metadata is synchronized and the result can be viewed from the Configuration Manager console.


    Throughout this article, we will select a few updates and deploy them to a collection of Windows 7 machines. Before we do that, it would be nice to review the Software Update client settings to make sure their properties satisfy our business needs.

    From the Client Settings in the Administration tab, click Software Update.


    If you are planning to use the Software Update point to patch your environment, make sure you do not configure a domain policy that makes client computers receive updates from WSUS through Group Policy settings. The Group Policy settings used by the Windows Update Agent (WUA) on client computers override any machine policy sent from Configuration Manager, so the client agent would retrieve the updates specified by the “unmanaged” WSUS instead.

    Deploying software updates to client machines is simply the process of adding software updates to a software update group and then deploying the software update group to clients. There are actually two methods to deploy updates. The first is a manual process where we select updates from the console and deploy them to a collection of machines; the second is automatic, using an automatic deployment rule or adding software updates to an update group that has an active deployment.

    At your initial install, you might need to use the manual method first to get your devices up to date with the required software updates, and then create an automatic deployment rule to manage your ongoing monthly software update deployments.

    As you’ve seen in our first screenshot, there are hundreds of updates in the console. The first step here would be to filter the updates by criteria.

    To do so, from the Configuration Manager console, click Software Library.

    Expand Software Updates and click All Software Updates.

    In the search pane, click Add Criteria, select the criteria that you want to use to filter software updates and click Add.


    Click Search to filter the Software Updates.


    Select the updates you wish to deploy, right-click your selection and click Deploy.


    On the General page, specify the name of the deployment, the software update group name and the collection to which the updates will be deployed.


    On the Deployment Settings page, make sure Required is selected as the type of deployment, so that the updates are mandatory with an installation deadline, and Minimal as the detail level.

    On the Scheduling page, select Client local time. For Software available time, select As soon as possible so that clients are notified about the update installation at their next policy polling cycle, and for Installation deadline, specify the time at which the software updates will be installed automatically.


    On the User Experience page, you can keep the default settings and click Next.


    On the Alerts page, configure how Configuration Manager and Operations Manager will generate alerts.


    On the Download Settings page, specify whether the client will download and install the software updates when it is connected to a slow network or is using a fallback content location. Also specify whether, when the content for the software updates is not available on a preferred distribution point, the client may download and install the software updates from a fallback distribution point. Finally, under Allow clients to share content with other clients on the same subnet, specify whether to enable BranchCache for content downloads.


    On the Deployment Package page, select to create a new deployment package and specify its properties.


    On the Distribution point page, select the distribution point to host the software update files.


    On the Download location page, select Download software updates from the Internet.


    On the Language selection page, select the languages for which the selected software updates are downloaded.

    On the Summary page, review the settings and click Save As Template to save the settings for a future deployment.


    Click Next and on the Completion screen click Close.

    At this stage, you need to wait for the next policy polling cycle on the client machine, or you can force the client machine to retrieve the machine policy by double-clicking the Configuration Manager client agent found in Control Panel.

    From the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now.
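    Two client-side checks for the points above, as an added example that is not part of the original article: first, the WSUS Group Policy conflict described earlier can be spotted by comparing the WUA policy registry values against the expected software update point, since a domain GPO writes the same key that the Configuration Manager client manages through local policy and wins over it; second, the Machine Policy Retrieval & Evaluation Cycle can be triggered from PowerShell instead of the Control Panel applet, and the updates targeted at the client can be listed afterwards. Assumption: the software update point URL is a placeholder.

```powershell
# Added example, not the article's own code. Run on a Configuration Manager client.
$ExpectedSup = 'http://SUP01.example.local:8530'   # placeholder for your software update point

function Test-WsusPolicy {
    param([string]$ExpectedServer)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key        -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU"   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer                      # 1 = WUA is pointed at WUServer
        MatchesSup  = ($wu.WUServer -eq $ExpectedServer)   # $false here means another policy owns the key
    }
}

function Invoke-CcmMachinePolicyCycle {
    # Same action as "Machine Policy Retrieval & Evaluation Cycle" > Run Now in the client applet;
    # the schedule ID below is the one Configuration Manager uses for that cycle.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000021}'
}

function Get-CcmTargetedUpdates {
    # The updates the client received through the deployment, as Software Center shows them.
    # EvaluationState 0 = none, 1 = available, 8 = pending reboot, 13 = error (client SDK values).
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate |
        Select-Object ArticleID, Name, EvaluationState, Deadline
}

Test-WsusPolicy -ExpectedServer $ExpectedSup
Invoke-CcmMachinePolicyCycle | Out-Null
Start-Sleep -Seconds 60    # give the agent time to download and evaluate the new policy
Get-CcmTargetedUpdates | Format-Table -AutoSize
```

    If MatchesSup is false while UseWUServer is 1, a Group Policy object is steering the WUA away from the software update point and the deployment created above will never be installed.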


    After a few seconds, you will notice a notification message.


    From the Software Center, you can check the Software Updates deployment settings.


    Once the updates are installed, you will be able to view the installed updates with a description of each one.


    This brings us to the end of this article, in which we discussed the steps required to deploy software updates to devices. We will discuss the automatic deployment rule in a future article, when it comes to Endpoint Protection.

    “This article can also be viewed from my blog