Monthly Archives: November 2015

New Functionality of AD-RMS in Windows Server 2012



Hello Friends, I am back with another of my articles, on AD RMS enhancements in Windows Server 2012. I hope you like my articles, so I kindly request that you subscribe to my blog and leave your valuable comments so I can make the required changes in my new articles.

My other blog: kindly visit my other blog on Microsoft Exchange, Windows Server and Active Directory.


Microsoft made significant changes to AD RMS in Windows Server 2012. These include an updated set of SQL Server requirements, Server Core support, a remote deployment option and the option to deploy with Windows PowerShell cmdlets.

For Windows Server 2012, AD RMS has the following requirements for access to SQL Server:

  • The AD RMS installer account must have sysadmin permissions in the SQL Server installation.
  • The SQL Server Browser service must be running to locate available SQL instances.
  • Firewall exceptions must be enabled on the SQL Server computer for the ports AD RMS setup uses: the TCP port of the SQL instance that will host the AD RMS databases and the UDP port of the SQL Server Browser service. For a default instance these are TCP port 1433 and UDP port 1434.

In addition to the previous access requirements, for Windows Server 2012 the following versions of Microsoft SQL Server have been tested and are supported for use with AD RMS deployment.

  • SQL Server 2005 Service Pack 3
  • SQL Server 2008 Service Pack 3
  • SQL Server 2008 R2 Service Pack 1
  • SQL Server 2012

In previous releases, AD RMS Setup supported only deployment at the same server computer where AD RMS was to be installed. Based on customer feedback, this has been changed. For Windows Server 2012, AD RMS now supports remote deployment at targeted server computers.

For Windows Server 2012, Server Manager has been redesigned to provide support for remote deployment of AD RMS as part of a two-step process that can be summarized as follows:

  1. Launch the Add Roles and Features Wizard in Server Manager to add the AD RMS role. This will add and install the files necessary for AD RMS.
  2. After adding the AD RMS role, launch the AD RMS Configuration wizard to select deployment options and configure the AD RMS cluster.

When the AD RMS Configuration wizard first launches, if you are installing AD RMS on a remote server, you are prompted for the credentials needed to complete the AD RMS configuration.

The requirements for selecting the credentials that you enter here are as follows:

  • The account used to deploy AD RMS must have membership in the local Administrators group on the server computer where you are installing and configuring AD RMS.
  • The account used must also have sysadmin permissions on the server that hosts the configuration database for the AD RMS cluster.
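The SQL and credential requirements above can be verified before the configuration wizard is launched. The following script is an added example written for this page; it is not code from the original article or from Microsoft. The server names, the SQL instance, the port numbers and the use of Windows authentication are assumptions, and the local Administrators check only sees direct members of the group (membership through a nested domain group is not resolved).

```powershell
# Added example for this page; not code from the original article or from Microsoft.
# Server names, the SQL instance and the port numbers below are assumptions.
$SqlServer      = 'SQL01.corp.contoso.com'   # assumed host of the AD RMS databases
$SqlInstance    = 'MSSQLSERVER'              # assumed default instance
$SqlTcpPort     = 1433                       # TCP port of that instance
$BrowserUdpPort = 1434                       # UDP port of the SQL Server Browser
$RmsServer      = 'RMS01.corp.contoso.com'   # assumed remote target for the AD RMS role

$results = New-Object System.Collections.ArrayList
function Add-Result([string]$Check, [bool]$Passed) {
    [void]$results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed })
}

# 1. SQL Server Browser must be running so setup can enumerate instances.
$browser = Get-Service -ComputerName $SqlServer -Name 'SQLBrowser' -ErrorAction SilentlyContinue
Add-Result 'SQL Server Browser service running' ($browser -and $browser.Status -eq 'Running')

# 2. The instance's TCP port must be reachable through the SQL host's firewall.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($SqlServer, $SqlTcpPort); $tcpOpen = $tcp.Connected } catch { $tcpOpen = $false } finally { $tcp.Close() }
Add-Result "TCP $SqlTcpPort open on $SqlServer" $tcpOpen

# 3. UDP 1434: send an SSRP CLNT_UCAST_EX request (the single byte 0x03); the Browser
#    answers with its instance list when the port is open and the service is up.
$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 3000
try {
    $udp.Connect($SqlServer, $BrowserUdpPort)
    [void]$udp.Send([byte[]]@(0x03), 1)
    $from   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $ssrpOk = $udp.Receive([ref]$from).Length -gt 0
} catch { $ssrpOk = $false } finally { $udp.Close() }
Add-Result "UDP $BrowserUdpPort (SQL Browser) answers on $SqlServer" $ssrpOk

# 4. The account running this script must be sysadmin on the instance (Windows auth).
$dataSource = if ($SqlInstance -eq 'MSSQLSERVER') { $SqlServer } else { "$SqlServer\$SqlInstance" }
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$dataSource;Integrated Security=SSPI;Connect Timeout=5"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
    $value = $cmd.ExecuteScalar()                       # 1 = member, 0 = not, DBNull = unknown login
    $isSysadmin = ($value -is [int]) -and ($value -eq 1)
} catch { $isSysadmin = $false } finally { $conn.Close() }
Add-Result 'Current account is sysadmin on the SQL instance' $isSysadmin

# 5. The same account must be in the local Administrators group of the AD RMS server.
#    Direct members only: membership through a nested domain group is not resolved here.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name      # DOMAIN\user
$group   = [ADSI]"WinNT://$RmsServer/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)) -replace '^WinNT://', '' -replace '/', '\'
})
Add-Result "$me is a direct member of Administrators on $RmsServer" ($members -contains $me)

$results | Format-Table -AutoSize

# Only when everything passed, add the role remotely (step 1 of the two-step process).
# -WhatIf reports what would be installed; drop it to perform the installation.
if (-not ($results | Where-Object { -not $_.Passed })) {
    Install-WindowsFeature -Name ADRMS -ComputerName $RmsServer -IncludeManagementTools -WhatIf
}
```

Run it under the account you intend to give the wizard, from the machine where you will run Server Manager, so that the network path and the identity tested are the ones setup will actually use.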

AD RMS also supports mobile devices and Mac computers once the AD RMS Mobile Device Extension is installed and configured.

AD RMS fails to install if multiple installations are active simultaneously in Server Manager

In previous releases of AD RMS included with Windows Server® 2008 and Windows Server® 2008 R2 it was not possible to launch more than a single instance of the AD RMS Configuration wizard to install or update multiple AD RMS deployments from the same server computer. Because of design changes to Server Manager for Windows Server 2012, multiple instances of the Add Roles and Features Wizard can now be run simultaneously, making it possible to launch two or more instances of the AD RMS Configuration wizard at the same time. If you do so, the installation fails, so complete one AD RMS configuration before starting the next.

Server Core Support for AD RMS

For Windows Server 2012, AD RMS now joins the list of server roles such as Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS) that are supported for Server Core deployment. Server Core is an installation option that enables you to perform a minimal installation of the Windows Server operating system which can be useful for reducing total cost of ownership (TCO) in deploying and managing servers.

Reference: for more details, visit the Microsoft TechNet site.




Advanced Windows Server 2012 DNS configuration options


Windows Server 2012 offers some advanced configuration options that allow you to improve the security and performance of your DNS infrastructure. Let’s review some of them.

DNS Security Extensions (DNSSEC). The DNS protocol has no built-in way to authenticate, or to check the integrity of, the DNS data exchanged between DNS servers or delivered to DNS clients. Attackers exploit this to hijack name resolution, for example when a user tries to reach a website on the Internet: a forged answer redirects the browser to a look-alike scam site that asks for a username, password, credit card, bank account or social security number. DNSSEC adds public-key digital signatures to the DNS protocol so that DNS servers and other validating resolvers can verify responses. It does not rely on PKI certificates: the public keys are published in the zone itself and are trusted through a chain of trust that starts at a configured trust anchor. With DNSSEC an administrator digitally signs a DNS zone, which signs every resource record set within that zone.

When a DNS query is issued for a resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. The validation process ensures that the data has not been modified or tampered with and can be trusted by the DNS resolver.

DNSSEC Resource Records

New resource record types are associated with DNSSEC. The signatures generated when a zone is signed are stored in the zone as Resource Record Signature (RRSIG) records, and when the DNS server answers a query for a signed name, one or more RRSIG records are returned with the response. The signature is verified with the public key stored in the zone’s DNSKEY resource record, which the validating server retrieves during validation. When the queried name or type does not exist there is no record to sign and therefore no RRSIG for it, but the negative answer still has to be validated; for these cases the zone contains Next Secure (NSEC) records, which are themselves signed and which a validator uses as proof that the name does not exist. NSEC3 is the better alternative: it stores hashed owner names rather than the names themselves, so an attacker cannot walk the NSEC chain to enumerate every name in the zone. Windows Server 2012 supports both.

Trust Points and Name Resolution Policy Table

Two important components of a DNSSEC implementation are Trust Points and Name Resolution Policy Table.

Trust Points. A trust point (trust anchor) is the public key (DNSKEY), or its DS digest, of a zone that a DNS server trusts without further validation; it is the starting point from which the server validates the RRSIG signatures of that zone and, through DS records, of the zones delegated below it. If the DNS server is running on a domain controller, trust points can be stored in the forest directory partition in Active Directory Domain Services (AD DS), from which they replicate to every DNS server running on a domain controller in the forest.

Name Resolution Policy Table (NRPT). The NRPT lists the zones or namespaces for which clients must request DNSSEC validation and those for which they must not. You can use either Group Policy or Windows PowerShell to configure the NRPT so that DNS responses for selected namespaces must be validated before they are handed to applications.
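The whole chain described above (sign the zone, publish the trust anchor through AD DS, require validation through the NRPT, and verify that answers carry signatures) can be driven from the DnsServer and DnsClient modules. The following is an added example written for this page, not code from the original article; the zone, server and client names are assumptions, and it assumes that -SignWithDefault selects NSEC3 and RSA/SHA-256 keys, which is the Windows Server 2012 default.

```powershell
# Added example for this page (not from the original article). The zone,
# server and client names are assumptions; adjust them for your environment.
$zone      = 'corp.contoso.com'   # assumed Active Directory-integrated zone
$keyMaster = 'DC01'               # assumed DNS server that generates and holds the signing keys
$client    = 'WS01'               # assumed client whose local NRPT is configured below

# 1. Sign the zone with the built-in defaults (RSA/SHA-256 KSK and ZSK, NSEC3 for
#    authenticated denial of existence). -Force suppresses the confirmation prompt.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force -ComputerName $keyMaster

# 2. The zone is AD-integrated, so publish the KSK as a trust anchor in the forest
#    directory partition; every DNS server on a domain controller receives it by replication.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey -ComputerName $keyMaster

# 3. Confirm the DNSSEC records now exist: DNSKEY (public keys), RRSIG (signatures),
#    NSEC3PARAM and NSEC3 (hashed denial of existence, which resists zone enumeration).
foreach ($type in 'DnsKey', 'RRSig', 'NSec3Param', 'NSec3') {
    $n = @(Get-DnsServerResourceRecord -ZoneName $zone -RRType $type -ComputerName $keyMaster -ErrorAction SilentlyContinue).Count
    '{0,-10} records: {1}' -f $type, $n
}
Get-DnsServerTrustAnchor -Name $zone -ComputerName $keyMaster

# 4. Require validation on the client: an NRPT rule for the namespace. Adding -GpoName
#    to the same cmdlet writes the rule into a GPO instead of the local NRPT.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require DNSSEC validation for the corp zone' -CimSession $client
Get-DnsClientNrptRule -CimSession $client | Format-Table Namespace, DnsSecValidationRequired -AutoSize

# 5. End-to-end check: with the DO bit set, the answer for a signed name carries RRSIG records.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $keyMaster -DnssecOk
$answer | Format-Table Name, Type, TTL -AutoSize
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    Write-Warning "No RRSIG in the response for www.$zone; the zone is not being served signed."
}
```

Keep the signing keys on the key master only; a server that can write the zone but does not hold the private keys can still serve the signed data, which is the separation the Key Master role exists to provide.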

DNS Socket Pool and Cache Locking

DNSSEC is designed to protect the DNS clients’ name resolution queries from forged DNS data, including DNS cache poisoning. Socket Pool and Cache Locking are two more advanced configuration options that may help strengthen your DNS security.

DNS Socket Pool. This feature makes the DNS server send its outbound queries from a random source port chosen out of a preconfigured pool of ports instead of from one fixed port. An attacker trying to slip a forged answer into the cache must then guess the source port as well as the transaction ID, which is what makes the socket pool effective against DNS cache poisoning attacks.

Cache Locking. When cache locking is enabled, the DNS server will not allow cached records to be overwritten for the duration of the time to live (TTL) value on the DNS record. This feature protects the DNS cache records against possible DNS cache poisoning attacks by malicious users on the Internet.

Cache locking is configured as a percentage. If you set it to 75, the DNS server will not overwrite a cached entry for 75 percent of the record’s TTL. The default value is 100, meaning that cached entries cannot be overwritten for the entire duration of the TTL.
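Both settings can be read, hardened and verified from the command line. This is an added example for this page, not code from the original article; the server name and the excluded port range are assumptions. It uses dnscmd for the socket pool and the DnsServer module for cache locking, and checks the pool by counting the UDP endpoints the DNS service has bound, which it does at start-up.

```powershell
# Added example for this page (not from the original article); the server name
# and the excluded port range are assumptions.
$dnsServer = 'DC01'

# Current values. The socket pool defaults to 2500 pre-bound UDP source ports
# (valid range 0-10000); cache locking defaults to 100 percent.
dnscmd $dnsServer /Info /SocketPoolSize
dnscmd $dnsServer /Info /CacheLockingPercent

# Harden: use the largest pool, and exclude a range that another service on the
# host listens on so the pool never collides with it (assumed range).
dnscmd $dnsServer /Config /SocketPoolSize 10000
dnscmd $dnsServer /Config /SocketPoolExcludedPortRanges 5000-5100

# Cache locking. Anything below 100 lets an unsolicited answer replace a cached
# record during the last part of its TTL, so keep the default unless you have a reason not to.
Set-DnsServerCache -ComputerName $dnsServer -LockingPercent 100
Get-DnsServerCache -ComputerName $dnsServer | Select-Object LockingPercent, MaxTtl, MaxNegativeTtl

# Socket pool changes take effect when the DNS service restarts.
Invoke-Command -ComputerName $dnsServer -ScriptBlock { Restart-Service -Name DNS }

# Verify: the DNS service binds its pool of UDP source ports at start-up, so the number of
# UDP endpoints owned by dns.exe should be close to SocketPoolSize and spread across the range.
Invoke-Command -ComputerName $dnsServer -ScriptBlock {
    $dnsPid = (Get-Process -Name dns).Id
    $ports  = Get-NetUDPEndpoint -OwningProcess $dnsPid | Select-Object -ExpandProperty LocalPort | Sort-Object
    '{0} UDP ports bound by dns.exe; lowest {1}, highest {2}' -f $ports.Count, $ports[0], $ports[-1]
}
```

If the count stays at the old value after the restart, the configuration was written to a different server than the one you restarted; both commands take the server name explicitly for that reason.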

Reference: Originally published on website ……….. visit for more details.



What’s New in Windows Server 2012



AD DS in Windows Server 2012 allows you to deploy replica virtual domain controllers by “cloning” existing virtual domain controllers. You can promote a single virtual domain controller by using the domain controller promotion interface in Server Manager, and then rapidly deploy additional virtual domain controllers within the same domain through cloning.

The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and running Windows PowerShell cmdlets to create a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on). Or you can leave the configuration file empty, which allows the system to fill in the information automatically.
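The cloning procedure above, run from the Hyper-V host with the AD and Hyper-V modules available, as an added example for this page (not code from the original article). The DC names, addresses, site name and export paths are assumptions. Membership in the Cloneable Domain Controllers group is what authorizes a copied VM to promote itself, so the example grants it for the duration of the work only.

```powershell
# Added example for this page (not from the original article). DC names, IP
# addresses, the site name and the export paths are assumptions.
$sourceDc  = 'DC02'   # assumed virtual DC on this Hyper-V host that will be cloned
$cloneName = 'DC03'

# 1. Authorize the source DC for cloning. Keep this membership short-lived: any
#    copy of the VM made while it holds it can promote itself as a DC.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    # 2. Installed software not known to be safe to clone blocks the operation. The
    #    list must be empty; vetted entries can be allow-listed with -GenerateXml.
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) { $excluded | Out-Host; throw 'Unvetted software present; cloning would be blocked.' }

    # 3. Write DCCloneConfig.xml (in the NTDS folder) with the clone's identity. Calling
    #    the cmdlet with no parameters writes an empty file: the clone then gets a
    #    generated name, a DHCP address and the source DC's site.
    New-ADDCCloneConfigFile -CloneComputerName $using:cloneName -Static `
        -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
        -SiteName 'Default-First-Site-Name'
}

# 4. Copy the VM while it is off: export, import the copy as a new VM, rename it,
#    then start both. The copy reads DCCloneConfig.xml at boot and promotes itself.
Stop-VM -Name $sourceDc
Export-VM -Name $sourceDc -Path 'D:\Export'
$vmConfig = (Get-ChildItem "D:\Export\$sourceDc\Virtual Machines\*.xml").FullName
$clone = Import-VM -Path $vmConfig -Copy -GenerateNewId `
    -VirtualMachinePath "D:\VMs\$cloneName" -VhdDestinationPath "D:\VMs\$cloneName"
Rename-VM -VM $clone -NewName $cloneName
Start-VM -Name $sourceDc
Start-VM -Name $cloneName

# 5. Revoke the cloning authorization once the clone has promoted itself.
Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc) -Confirm:$false
```

Cloning relies on the hypervisor exposing a VM-Generation ID that changes when the VM is copied; on a hypervisor without it the copy comes up as a duplicate of the source DC rather than a new one.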

Dynamic Access Control (DAC): In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed it. Dynamic Access Control lets you:

  • Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.
  • Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.
  • Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
  • Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

The Dynamic Access Control feature set is based on infrastructure investments that can be used further by partners and line-of-business applications, and the features can provide great value for organizations that use Active Directory. This infrastructure includes:

  • A new authorization and audit engine for Windows that can process conditional expressions and central policies.
  • Kerberos authentication support for user claims and device claims.
  • Improvements to the File Classification Infrastructure (FCI).
  • RMS extensibility support so partners can provide solutions that encrypt non-Microsoft files.


Requirements:

  • One or more Windows Server 2012 domain controllers
  • Windows Server 2012 file server
  • The KDC claims policy (“KDC support for claims, compound authentication and Kerberos armoring”) enabled in the Default Domain Controllers Policy
  • Windows Server 2012 Active Directory Administrative Center
  • For device claims, compound ID must be switched on for the target service account by using Group Policy or by editing the object directly
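The AD side of a central access policy (claim type, resource property, central access rule, policy) can be built with the ActiveDirectory module. The following is an added example for this page, not code from the original article or from Microsoft’s deployment guide; the claim and resource-property IDs, the department values and the policy names are assumptions. The rule’s ACL is plain SDDL with a conditional ACE, and the rule only ever narrows what the NTFS DACL already allows.

```powershell
# Added example for this page (not from the original article). Claim/resource-property
# IDs, department values and policy names are assumptions.

# 1. A user claim sourced from the 'department' attribute, and a secured resource
#    property with the same set of values so files can be tagged consistently.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department:contoso' -Enabled $true

$values = 'Finance', 'HR', 'Engineering' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ department")
}
New-ADResourceProperty -DisplayName 'Department' -ID 'Department_contoso' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $values
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_contoso'

# 2. A central access rule. The resource condition selects files tagged Finance; the
#    conditional ACE grants Authenticated Users full control only when the user's
#    Department claim equals the file's Department tag. Owner and local admins keep access.
$sddl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
        '(XA;;FA;;;AU;(@USER.ad://ext/Department:contoso == @RESOURCE.Department_contoso))'
New-ADCentralAccessRule -Name 'Finance documents by department' `
    -ResourceCondition '(@RESOURCE.Department_contoso == "Finance")' `
    -CurrentAcl $sddl -ProtectedFromAccidentalDeletion $true

# 3. Bundle the rule into a policy and verify it. Publishing the policy to the file
#    servers (Group Policy: Central Access Policy) and selecting it on a folder's
#    Advanced Security settings are the remaining, UI-driven, steps.
New-ADCentralAccessPolicy -Name 'Finance CAP'
Add-ADCentralAccessPolicyMember -Identity 'Finance CAP' -Members 'Finance documents by department'
Get-ADCentralAccessPolicy -Identity 'Finance CAP' -Properties Members | Select-Object Name, Members

# 4. Claims are only issued when the KDC policy is on; confirm it is present in the
#    Default Domain Controllers Policy before expecting the rule to do anything.
Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml |
    Select-String -Pattern 'KDC support for claims' -SimpleMatch
```

Test the rule against a file tagged Finance with a Finance user and a non-Finance user before publishing it broadly; a rule that references a claim the KDC never issues evaluates as “no match” and silently denies everyone except the explicit ACEs.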

Offline Domain Joining: The offline domain-join feature that was added to AD DS in Windows Server 2008 R2 effectively allows client computers to be joined to a domain without requiring network connectivity to a domain controller, but the client computer could not also be preconfigured for DirectAccess as part of the domain join.

Windows Server 2012 AD DS provides the following improvements:

  • Extends offline domain join by allowing the blob to carry the DirectAccess prerequisites
    • Certificates
    • Group Policies
  • What does this mean?
    • A computer can now be domain-joined over the Internet if the domain is DirectAccess enabled
    • Getting the blob to the non-domain-joined machine is an offline process and the responsibility of the administrator


Requirements:

  • Windows Server 2012 domain controllers

Windows PowerShell History Viewer: To reduce the learning investment, Windows Server 2012 includes the new Windows PowerShell History Viewer. The benefits include:

  • Allows administrators to view the Windows PowerShell commands executed when using the Active Directory Administrative Center. For example:
    • The administrator adds a user to a group
    • The UI displays the equivalent Windows PowerShell for Active Directory command
    • The administrator copies the resulting syntax and integrates it into a script
  • Reduces the Windows PowerShell learning curve
  • Increases confidence in scripting
  • Further enhances Windows PowerShell discoverability


Requirements:

  • Windows Server 2012 Active Directory Administrative Center

 AD Recycle Bin Interface: The Active Directory Recycle Bin feature introduced with Windows Server® 2008 R2 provided an architecture permitting complete object recovery. Scenarios that require object recovery by using the Active Directory Recycle Bin are typically high-priority, such as recovery from accidental deletions, for example, resulting in failed logons or work stoppages. But the absence of a rich, graphical user interface complicated its usage and slowed recovery.

To address this challenge, Windows Server 2012 AD DS has a user interface for the Active Directory Recycle Bin that provides the following advantages:

  • Simplifies object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center (ADAC)
    • Deleted objects can now be recovered within the graphical user interface
  • Reduces recovery time by providing a discoverable, consistent view of deleted objects


Requirements:

  • Recycle Bin requirements must be met:
    • Windows Server 2008 R2 forest functional level
    • Recycle Bin optional-feature must be enabled
  • Windows Server 2012 Active Directory Administrative Center
  • Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL)
    • By default, DOL is set to 180 days
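The same recovery flow from Windows PowerShell, which also covers the requirements listed above (forest functional level, the optional feature, and the deleted object lifetime). This is an added example for this page, not code from the original article; the account name and the seven-day window are assumptions.

```powershell
# Added example for this page (not from the original article). The user name
# searched for and the seven-day window are assumptions.
$forest = Get-ADForest

# Requirements: Windows Server 2008 R2 forest functional level, then the optional
# feature. Enabling it is irreversible, so this is a deliberate, one-time change.
if ($forest.ForestMode -lt 'Windows2008R2Forest') { throw 'Raise the forest functional level first.' }
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm:$false

# The recoverable window is the deleted object lifetime (DOL), 180 days unless changed.
$dsCfg = Get-ADObject -Identity ('CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext) `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
'DOL (days): {0}   tombstone lifetime (days): {1}' -f $dsCfg.'msDS-DeletedObjectLifetime', $dsCfg.tombstoneLifetime

# What was deleted recently. On a deleted object whenChanged is the deletion time and
# lastKnownParent is where it lived, which is the first thing to look at when an
# accidental deletion is reported.
$since   = (Get-Date).AddDays(-7)
$deleted = Get-ADObject -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass `
    -Filter { isDeleted -eq $true -and whenChanged -gt $since -and name -ne 'Deleted Objects' }
$deleted | Sort-Object whenChanged -Descending |
    Format-Table Name, ObjectClass, whenChanged, lastKnownParent -AutoSize

# Restore one user to its original container with SID, group memberships and
# attributes intact. If the parent OU was deleted too, restore the OU first.
$victim = $deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -like 'jdoe*' } | Select-Object -First 1
if ($victim) { Restore-ADObject -Identity $victim.ObjectGUID }
```

The deleted object’s name carries a “\0ADEL:<guid>” suffix, which is why the example matches on the prefix rather than the exact name.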

 Fine-Grained Password Policy User Interface

The Fine-Grained Password Policy (FGPP) introduced with Windows Server 2008 provided more precise management of password-policies. In order to leverage the feature, administrators had to manually create password-settings objects (PSOs). It proved difficult to ensure that the manually defined policy-values behaved as desired, which resulted in time-consuming, trial and error administration.

In Windows Server 2012:

  • Creating, editing and assigning PSOs is now managed through the Active Directory Administrative Center
  • Greatly simplifies management of password-settings objects


Requirements:

  • FGPP requirements must be met:
    • Windows Server® 2008 domain functional level
  • Windows Server 2012 Active Directory Administrative Center
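Creating a PSO, applying it and then checking what a given account actually receives removes the trial-and-error the section describes. The following is an added example for this page, not code from the original article; the policy values, the group names and the user name are assumptions.

```powershell
# Added example for this page (not from the original article). Policy values,
# group names and the user name are assumptions.

# A stricter policy for privileged accounts. When several PSOs apply to a user,
# the one with the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:15:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins', 'Tier0-Admins'

# Verify the resultant PSO for one account instead of trusting the configuration.
$user = Get-ADUser -Identity 'jdoe'
$rsop = Get-ADUserResultantPasswordPolicy -Identity $user
if ($rsop) {
    $rsop | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    'No PSO applies to {0}; the Default Domain Policy password settings are in effect.' -f $user.SamAccountName
}

# Audit: every PSO in precedence order and who it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
        @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { (Get-ADObject $_).Name }) -join ', ' } }
```

A user who is a member of a group with a PSO but also has a weaker PSO applied directly gets whichever has the lower precedence number, so check the resultant policy for a sample of accounts after every change.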


Active Directory Replication and Topology Windows PowerShell cmdlets

Administrators require a variety of tools to manage Active Directory’s site topology:

  • repadmin
  • ntdsutil
  • Active Directory Sites and Services

The usage of multiple tools results in an inconsistent experience that is difficult to automate.

Using Windows Server 2012 AD DS, administrators can:

  • Manage replication and site-topology with Windows PowerShell
    • Create and manage sites, site-links, site-link bridges, subnets and connections
    • Replicate objects between domain controllers
    • View replication metadata on object attributes
    • View replication failures
  • Take advantage of a consistent and easily scriptable experience
  • Compatible and interoperable with other Windows PowerShell cmdlets


Requirements:

  • Active Directory Web Service (also known as Active Directory Management Gateway for Windows Server 2003 or Windows Server 2008)
  • Windows Server 2012 domain controller, or Windows Server 2012 with the Remote Server Administration Tools (RSAT) for AD DS and AD LDS installed
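The replication cmdlets are useful beyond topology management: the replication metadata of a linked attribute records, per value, which domain controller originated each change and when, which makes it a lightweight forensic source for privileged group membership. The following is an added example for this page, not code from the original article; the DC, site and account names are assumptions.

```powershell
# Added example for this page (not from the original article). DC names, the
# site/subnet and the account name are assumptions.
$dc    = 'DC01'
$group = Get-ADGroup -Identity 'Domain Admins' -Server $dc

# Replication health as seen from this DC.
Get-ADReplicationFailure -Target $dc |
    Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
Get-ADReplicationPartnerMetadata -Target $dc |
    Format-Table Server, Partner, LastReplicationSuccess, LastReplicationResult -AutoSize

# Forensics: per-value metadata for 'member' on a privileged group answers "who was
# added or removed, when, and through which DC" without any audit log. A non-empty
# LastOriginatingDeleteTime marks a value that was removed.
Get-ADReplicationAttributeMetadata -Object $group -Server $dc -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object AttributeValue, LastOriginatingChangeTime, LastOriginatingDeleteTime,
        LastOriginatingChangeDirectoryServerIdentity, Version

# Topology with the same module: a branch site, its subnet and a site link to HQ.
New-ADReplicationSite -Name 'Branch-01'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-01'
New-ADReplicationSiteLink -Name 'HQ-Branch01' -SitesIncluded 'Default-First-Site-Name', 'Branch-01' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Push a single object (for example an account you just disabled) to a partner
# right away instead of waiting for the schedule.
Sync-ADObject -Object (Get-ADUser -Identity 'jdoe') -Source $dc -Destination 'DC02'
```

The originating DC in the metadata is the one the change was made on, not necessarily the one you queried, so when investigating a suspicious membership change query a DC that replicates directly from the originating one.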

Active Directory-based Activation (AD BA): In Windows Server 2012, Active Directory-based activation provides the following improvements:

  • Uses your existing Active Directory infrastructure to activate your clients
    • No additional machines required
    • No RPC requirement; uses LDAP exclusively
    • Includes RODCs
  • Beyond installation and service-specific requirements, no data is written back to the directory
    • Activating initial CSVLK (customer-specific volume license key) requires:
      • One-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
      • Key entered using volume activation server role or using command line.
      • Repeat the activation process for additional forests up to 6 times by default
    • Activation-object maintained in configuration partition
      • Represents proof of purchase
      • Computers can be member of any domain in the forest
    • Windows 8 and Windows Server 2012 volume-license computers joined to the forest activate automatically


Requirements:

  • Only Windows 8 and Windows Server 2012 (and later) clients can leverage AD BA
  • KMS and AD BA can coexist
    • You still need KMS if you require down-level volume-licensing
  • Requires Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers
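The one-time forest activation and a check of the resulting activation object, as an added example for this page (not code from the original article). The product key is a placeholder, the activation-object name is an assumption, and the script must run as an Enterprise Admin on a Windows 8 or Windows Server 2012 machine with Internet access because the object is written to the configuration partition.

```powershell
# Added example for this page (not from the original article). The key below is a
# placeholder, not a real key; the activation-object name is an assumption.
$csvlk = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # your KMS host (CSVLK) key

# One-time contact with Microsoft Activation Services creates the activation object
# in CN=Activation Objects,CN=Microsoft SPP,CN=Services in the configuration partition.
cscript //nologo "$env:windir\System32\slmgr.vbs" /ad-activation-online $csvlk 'Contoso-ADBA'

# Audit the forest's activation objects. Any domain member can read them; creating
# or deleting one requires Enterprise Admin rights, which is why their count and
# creation times are worth checking.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg" `
    -Filter 'objectClass -eq "msSPP-ActivationObject"' -Properties whenCreated, whenChanged |
    Select-Object Name, whenCreated, whenChanged, DistinguishedName

# On a client, confirm it activated against Active Directory rather than a KMS host;
# the detailed output reports the Active Directory activation details.
cscript //nologo "$env:windir\System32\slmgr.vbs" /dlv
```

Repeat the first command in each additional forest; the page notes the default allowance of six such activations.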

 Group Managed Service Accounts (gMSA)

Managed Service Accounts (MSAs) were introduced with Windows Server 2008 R2. Clustered or load-balanced services that needed to share a single security-principal were unsupported. As a result, MSAs were not able to be used in many desirable scenarios.

Windows Server 2012 includes the following changes:

  • Introduces a new security principal type known as a gMSA
  • Services running on multiple hosts can run under the same gMSA account
  • One or more Windows Server 2012 domain controllers required
    • gMSAs can authenticate against any domain controllers that run any version of Windows Server
    • Passwords are computed by the Group Key Distribution Service (GKDS) running on all Windows Server 2012 domain controllers
  • Windows Server 2012 hosts using gMSAs obtain the password and password updates from the GKDS
    • Password retrieval limited to authorized computers
  • Password-change interval defined at gMSA account creation (30 days by default)
  • Like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools


Requirements:

  • Windows Server 2012 Active Directory schema updated in forests containing gMSAs
  • One or more Windows Server 2012 domain controllers to provide password computation and retrieval
  • Only services running on Windows Server 2012 can use gMSAs
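Creating a gMSA for a load-balanced web farm, binding it on the hosts and auditing who is allowed to retrieve its password, as an added example for this page (not code from the original article). The KDS root key, group, host, account and SPN names are assumptions; the hosts need the AD PowerShell RSAT module for Install-ADServiceAccount, and a host must refresh its logon token (reboot) after being added to the group before it can fetch the password.

```powershell
# Added example for this page (not from the original article). Group, host,
# account and SPN names are assumptions.

# 1. The KDS root key, one per forest. Other DCs use a new key only after a 10-hour
#    replication safety window; -EffectiveImmediately respects that window.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Lab with a single DC only: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Password retrieval is limited to the principals named here. Use a dedicated
#    group of the farm's hosts, never 'Domain Computers': whoever controls a
#    member can fetch the password.
New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Servers,DC=corp,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. The gMSA, with 30-day rotation, AES-only Kerberos and SPNs for the shared name.
New-ADServiceAccount -Name 'gmsa-web' -DNSHostName 'www.corp.contoso.com' `
    -ServicePrincipalNames 'HTTP/www.corp.contoso.com', 'HTTP/www' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES128, AES256

# 4. On each host (after a reboot so the new group membership is in its token):
#    cache the account locally and prove the host can retrieve the password.
Invoke-Command -ComputerName 'WEB01', 'WEB02' -ScriptBlock {
    Install-ADServiceAccount -Identity 'gmsa-web'
    Test-ADServiceAccount -Identity 'gmsa-web'     # True when password retrieval works
    # IIS: run the pool as the gMSA; the trailing $ is part of the account name and
    # the password is left empty because the host retrieves it itself (identityType 3 = SpecificUser).
    Import-Module WebAdministration
    Set-ItemProperty 'IIS:\AppPools\WebFarm' -Name processModel `
        -Value @{ identityType = 3; userName = 'CORP\gmsa-web$'; password = '' }
}

# 5. Audit: who may read the password of every gMSA in the domain. Any principal
#    other than the intended host group is a finding.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, ManagedPasswordIntervalInDays,
        @{ n = 'CanRetrievePassword'; e = { ($_.PrincipalsAllowedToRetrieveManagedPassword |
            ForEach-Object { (Get-ADObject $_).Name }) -join ', ' } }
```

Test-ADServiceAccount returning False on a host that is in the group almost always means the host’s token predates the group change or the KDS root key is not yet effective on the DC it talked to.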

 What’s new in DHCP in Windows Server 2012 R2

In Windows Server 2012 R2, DHCP offers enhanced support in the following areas.

DNS registration enhancements (new): You can use DHCP policies to configure conditions based on the fully qualified domain name (FQDN) of DHCP clients, and to register workgroup computers using a guest DNS suffix.

DNS PTR registration options (new): You can enable DNS registration of both address (A) and pointer (PTR) records, or of A records only.


DHCP failover

This feature provides the ability to have two DHCP servers serve IP addresses and option configuration to the same subnet or scope, providing continuous availability of DHCP service to clients. The two DHCP servers replicate lease information between them, allowing one server to assume responsibility for servicing clients for the entire subnet when the other server is unavailable. It is also possible to configure failover in a load-balancing configuration, with client requests distributed between the two servers in a failover relationship.
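A load-balanced failover relationship, the DNS registration options from the table above, and the checks that both partners agree, as an added example for this page (not code from the original article). The server names, scope and timers are assumptions. The relationship is protected by a shared secret; without one the replication channel between the partners is unauthenticated, so the example generates a random one.

```powershell
# Added example for this page (not from the original article). Server names,
# the scope and the timers are assumptions.
$primary = 'DHCP01'
$partner = 'DHCP02'
$scope   = '10.0.0.0'

# A long random shared secret; it authenticates the two partners to each other.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# One call configures both servers: 50/50 load balancing, a one-hour maximum client
# lead time and automatic transition to partner-down after ten minutes.
Add-DhcpServerv4Fail­over -ComputerName $primary -PartnerServer $partner -Name 'DHCP01-DHCP02' `
    -ScopeId $scope -LoadBalancePercent 50 -MaxClientLeadTime '01:00:00' `
    -StateSwitchInterval '00:10:00' -AutoStateTransition $true -SharedSecret $secret -Force

# Both partners must report the same relationship and a Normal state.
foreach ($s in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $s |
        Select-Object @{ n = 'Server'; e = { $s } }, Name, PartnerServer, Mode, State, LoadBalancePercent
}

# Scope settings are not replicated automatically; push them after any later change.
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name 'DHCP01-DHCP02' -Force

# DNS registration for the scope: register A records only (no PTR), and turn on name
# protection so one client cannot register a name another client already owns.
Set-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $scope -DynamicUpdates Always `
    -DisableDnsPtrRRUpdate $true -NameProtection $true
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name 'DHCP01-DHCP02' -Force
```

If the two Get-DhcpServerv4Failover outputs disagree on State, the partners are not talking to each other; check TCP port 647 between them before anything else.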

 What’s new in DNS Server?

DNSSEC support

Enhanced support for DNSSEC includes changes to online signing for file-backed zones, and enhanced signing key management support:

  • In Windows Server 2012 R2, the Key Master role is introduced for file-backed multi-master zones.

The Key Master is an authoritative DNS server that generates and manages signing keys for a zone that is protected with DNSSEC. The Key Master role was introduced in Windows Server 2012 for Active Directory-integrated zones.

DNSSEC is enhanced to enable isolation of the key management process from primary DNS servers which are not the key masters of a zone. The entire process of signing key generation, storage, rollover, retirement, and deletion can be initiated only from the Key Master while the other primary servers can continue the zone signing by accessing these keys.

DNSSEC key separation is accomplished by enabling generation and storage of keys on a Cryptography Next Generation (CNG)-compliant offline storage module.

 Dynamic DNS Forwarders

When you add more than one forwarder in the settings for a DNS Server in Windows Server 2012 R2, the DNS service reorders the list of servers in the list of forwarders based on response time of each server in the list. The reordering and response checking operations are enabled by default in Windows Server 2012 R2.

 Shared virtual hard disk

Hyper-V in Windows Server 2012 R2 enables clustering virtual machines by using shared virtual hard disk (VHDX) files.

This feature is used to build a high-availability infrastructure, and it is especially important for private cloud deployments and cloud-hosted environments that manage large workloads. Shared virtual hard disks enable multiple virtual machines to access the same virtual hard disk (VHDX) file, which provides shared storage for use by Windows Failover Clustering. The shared virtual hard disk files can be hosted on Cluster Shared Volumes (CSV) or on Server Message Block (SMB)-based Scale-Out File Server file shares.

This feature is new in Windows Server 2012 R2. It was not possible to cluster virtual machines by using a shared virtual hard disk in previous releases of Windows Server.

Resize virtual hard disk

Hyper-V storage has been updated to support resizing virtual hard disks while the virtual machine is running.

Resizing virtual hard disks while the virtual machine is running enables an administrator to perform configuration and maintenance operations on the virtual hard disks while the associated virtual machine is online or the virtual hard disk data disk is in use.

Online virtual hard disk resizing is only available for VHDX files that are attached to a SCSI controller. The virtual hard disk size can be increased or decreased through the user interface while virtual hard disk is in use.
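Growing a data disk of a running VM and extending the partition inside the guest, with the two preconditions from the paragraph above checked first, as an added example for this page (not code from the original article). The VM name, the drive letter in the guest and the 20 GB increment are assumptions; the in-guest step uses PowerShell remoting to the VM over the network.

```powershell
# Added example for this page (not from the original article). VM name, guest
# drive letter and the increment are assumptions.
$vmName = 'APP01'

# Precondition: online resize only works for a VHDX attached to a SCSI controller.
$disk = Get-VMHardDiskDrive -VMName $vmName |
    Where-Object { $_.ControllerType -eq 'SCSI' -and $_.Path -like '*.vhdx' } |
    Select-Object -First 1
if (-not $disk) { throw 'Online resize requires a VHDX attached to a SCSI controller.' }

# Grow the virtual disk by 20 GB while the VM keeps running. (Shrinking also works
# online, but only into space that is unallocated inside the guest.)
$before = Get-VHD -Path $disk.Path
Resize-VHD -Path $disk.Path -SizeBytes ($before.Size + 20GB)
Get-VHD -Path $disk.Path | Select-Object Path, VhdFormat, VhdType, Size, FileSize

# Inside the guest, extend the volume into the new space.
Invoke-Command -ComputerName $vmName -ScriptBlock {
    $max = (Get-PartitionSupportedSize -DriveLetter 'D').SizeMax
    Resize-Partition -DriveLetter 'D' -Size $max
    Get-Volume -DriveLetter 'D' | Select-Object DriveLetter, Size, SizeRemaining
}
```

Resize-VHD changes the virtual disk only; until the guest extends its partition the added space is invisible to the applications.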

Live migrations

Hyper-V live migration has been updated with the following capabilities.

Improved performance

Hyper-V live migration has been updated to allow the administrator to select the optimal performance options when moving virtual machines to a different server.

In larger scale deployments, such as private cloud deployments or cloud hosting providers, this update can reduce overhead on the network and CPU usage in addition to reducing the amount of time for a live migration. Hyper-V administrators can configure the appropriate live migration performance options based on their environment and requirements.

Cross-version live migrations

Hyper-V live migration has been updated to support migrating Hyper-V virtual machines in Windows Server 2012 to Hyper-V in Windows Server 2012 R2.

Upgrading to a new version of Windows Server no longer requires downtime to the virtual machines.

Hyper-V administrators can move Hyper-V virtual machines in Windows Server 2012 to Hyper-V in Windows Server 2012 R2. Moving a virtual machine to a down-level server running Hyper-V is not supported.

When moving a virtual machine, the specified destination server can now be a computer running Windows Server 2012 R2. This applies to a move that is initiated in Hyper-V Manager or when using the Move-VM Windows PowerShell cmdlet.
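Configuring the hosts for live migration (the performance option discussed above, Kerberos authentication with constrained delegation so that migrations can be started remotely, and a dedicated migration network) and then performing the cross-version move, as an added example for this page (not code from the original article). The host names, the subnet, the domain suffix and the storage path are assumptions; HV01 and HV02 are taken to be Windows Server 2012 R2 hosts and HV-OLD a Windows Server 2012 host.

```powershell
# Added example for this page (not from the original article). Host names, the
# migration subnet, the domain suffix and paths are assumptions.
$hosts  = 'HV01', 'HV02'          # assumed Windows Server 2012 R2 hosts
$suffix = 'corp.contoso.com'

foreach ($h in $hosts) {
    Enable-VMMigration -ComputerName $h
    # Kerberos instead of CredSSP (no credential delegation from the admin's session),
    # compression to cut migration time, and only the dedicated migration network.
    Set-VMHost -ComputerName $h -VirtualMachineMigrationAuthenticationType Kerberos `
        -VirtualMachineMigrationPerformanceOption Compression -UseAnyNetworkForMigration $false
    Add-VMMigrationNetwork -ComputerName $h -Subnet '10.99.0.0/24'
}

# Kerberos-authenticated migration started from a third machine needs constrained
# delegation ("Kerberos only") on each host's computer object for the cifs and
# Microsoft Virtual System Migration Service SPNs of every other host.
foreach ($h in $hosts) {
    $spns = foreach ($other in ($hosts | Where-Object { $_ -ne $h })) {
        "cifs/$other.$suffix"
        "cifs/$other"
        "Microsoft Virtual System Migration Service/$other.$suffix"
        "Microsoft Virtual System Migration Service/$other"
    }
    Set-ADComputer -Identity $h -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
}
Get-ADComputer -Identity 'HV01' -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo

# Cross-version move: a VM on a Windows Server 2012 host to a 2012 R2 host, storage
# included. The reverse direction (R2 to 2012) is not supported.
Move-VM -ComputerName 'HV-OLD' -Name 'APP01' -DestinationHost 'HV02' `
    -IncludeStorage -DestinationStoragePath 'D:\VMs\APP01'
Get-VM -ComputerName 'HV02' -Name 'APP01' | Select-Object Name, State, ComputerName
```

With CredSSP instead of Kerberos the administrator must log on to the source host interactively for every migration, which is the practical reason the delegation entries are worth setting once.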

Failover Clustering and Hyper-V

Using Windows Failover Clustering with Hyper-V enables virtual network adapter protection and virtual machine storage protection.

Hyper-V has been enhanced to detect physical storage failures on storage devices that are not managed by Windows Failover Clustering (SMB 3.0 file shares). Storage failure detection can detect the failure of a virtual machine boot disk or any additional data disks associated with the virtual machine. If such an event occurs, Windows Failover Clustering ensures that the virtual machine is relocated and restarted on another node in the cluster. This eliminates situations where unmanaged storage failures would not be detected and where virtual machine resources may become unavailable.

Hyper-V and Windows Failover Clustering are enhanced to detect network connectivity issues for virtual machines. If the physical network assigned to the virtual machine suffers a failure (such as a faulty switch port or network adapter, or a disconnected network cable), the Windows Failover Cluster will move the virtual machine to another node in the cluster to restore network connectivity.

Hyper-V Replica

Hyper-V Replica adds the following new features in Windows Server 2012 R2:

  • You can configure extended replication. In extended replication, your Replica server forwards information about changes that occur on the primary virtual machines to a third server (the extended Replica server). After a planned or unplanned failover from the primary server to the Replica server, the extended Replica server provides further business continuity protection. As with ordinary replication, you configure extended replication by using Hyper-V Manager, Windows PowerShell, or WMI.
  • The frequency of replication, which previously was a fixed value, is now configurable. You can also access recovery points for 24 hours. Previous versions had access to recovery points for only 15 hours.
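Primary-to-Replica replication with the configurable frequency and 24 recovery points, then extended replication from the Replica server to a third site, with the Replica servers accepting connections only from named primaries over certificate authentication. This is an added example for this page, not code from the original article; the host names, ports, paths and certificate thumbprints are assumptions.

```powershell
# Added example for this page (not from the original article). Host names, ports,
# storage paths and certificate thumbprints are assumptions.
$vm       = 'APP01'
$primary  = 'HV01.corp.contoso.com'
$replica  = 'HVR01.corp.contoso.com'   # Replica server
$extended = 'HVR02.dr.contoso.com'     # extended Replica server in the DR site

# Replica servers: certificate authentication (TLS on 443), and only listed primaries.
foreach ($srv in $replica, $extended) {
    Set-VMReplicationServer -ComputerName $srv -ReplicationEnabled $true `
        -AllowedAuthenticationType Certificate -CertificateThumbprint 'REPLICA-CERT-THUMBPRINT' `
        -ReplicationAllowedFromAnyServer $false
}
New-VMReplicationAuthorizationEntry -ComputerName $replica -AllowedPrimaryServer $primary `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Prod'
New-VMReplicationAuthorizationEntry -ComputerName $extended -AllowedPrimaryServer $replica `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Prod'

# Primary -> Replica: changes every 30 seconds, 24 hourly recovery points kept.
Enable-VMReplication -ComputerName $primary -VMName $vm -ReplicaServerName $replica -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint 'PRIMARY-CERT-THUMBPRINT' `
    -ReplicationFrequencySec 30 -RecoveryHistory 24
Start-VMInitialReplication -ComputerName $primary -VMName $vm

# Replica -> extended Replica: run on the Replica server against the replica VM;
# extended replication supports 5- or 15-minute intervals.
Enable-VMReplication -ComputerName $replica -VMName $vm -ReplicaServerName $extended -ReplicaServerPort 443 `
    -AuthenticationType Certificate -CertificateThumbprint 'REPLICA-CERT-THUMBPRINT' `
    -ReplicationFrequencySec 900
Start-VMInitialReplication -ComputerName $replica -VMName $vm

# Health of both hops.
Measure-VMReplication -ComputerName $primary -VMName $vm | Select-Object Name, State, Health, LastReplicationTime
Measure-VMReplication -ComputerName $replica -VMName $vm | Select-Object Name, State, Health, LastReplicationTime
```

The authorization entries matter as much as the certificates: a Replica server that accepts replication from any server will happily store a copy of whatever VM a compromised host sends it.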

Linux support

As part of Microsoft’s continuing commitment to making Hyper-V the best all-around virtualization platform for hosting providers, there are now more built-in Linux Integration Services for newer distributions, and more Hyper-V features are supported for Linux virtual machines.

Automatic Virtual Machine Activation

Automatic Virtual Machine Activation (AVMA) lets you install virtual machines on a computer where Windows Server 2012 R2 is properly activated without having to manage product keys for each individual virtual machine, even in disconnected environments. AVMA binds the virtual machine activation to the licensed virtualization server and activates the virtual machine when it starts. AVMA also provides real-time reporting on usage, and historical data on the license state of the virtual machine. Reporting and tracking data is available on the virtualization server.

What’s new in Group Policy

IPv6 support

Windows Server 2012 R2 expands support for IPv6 in Group Policy. This expanded support encompasses printers, item-level targeting, and VPN networks.

Policy caching

In Windows Server 2012 R2, when Group Policy gets the latest version of a policy from the domain controller, it writes that policy to a local store. Then if Group Policy is running in synchronous mode the next time the computer reboots, it reads the most recently downloaded version of the policy from the local store, instead of downloading it from the network. This reduces the time it takes to process the policy. Consequently, the boot time is shorter in synchronous mode. This is especially important if you have a latent connection to the domain controller, for example, with DirectAccess or for computers that are off premises. This behavior is controllable by a new policy called Configure Group Policy Caching.

 Remote Group Policy update

In Windows Server 2012, you can refresh Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an organizational unit (OU) in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings.
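The same remote refresh is available from the GroupPolicy module, which is how you would script it for an OU rather than clicking through GPMC. The following is an added example for this page, not code from the original article; the OU, GPO and computer names are assumptions. The refresh works by creating a scheduled task on each target, so the targets need the inbound firewall rules for remote scheduled task management and WMI, which GPMC’s Starter GPO “Group Policy Remote Update Firewall Ports” provides.

```powershell
# Added example for this page (not from the original article). The OU, GPO and
# computer names are assumptions.
$ou = 'OU=Workstations,DC=corp,DC=contoso,DC=com'

# Firewall prerequisites, delivered through Group Policy: create a GPO from the
# Starter GPO that opens the Remote Scheduled Tasks Management and WMI rules, and
# link it to the same OU.
$gpo = New-GPO -Name 'Allow remote Group Policy update' -StarterGpoName 'Group Policy Remote Update Firewall Ports'
New-GPLink -Name $gpo.DisplayName -Target $ou

# Trigger the refresh on every computer in the OU. Each target gets a scheduled
# task that runs gpupdate /force; -RandomDelayInMinutes 0 runs it immediately.
$jobs = Get-ADComputer -SearchBase $ou -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0 -AsJob
}
$jobs | Wait-Job | Receive-Job

# Confirm on one host which GPOs were applied and when, from the resultant set of policy.
Get-GPResultantSetOfPolicy -Computer 'WS01' -ReportType Html -Path 'C:\Temp\WS01-rsop.html'
```

A host that does not respond to Invoke-GPUpdate is usually one that has not yet picked up the firewall GPO itself; it will after its next regular refresh or reboot.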

 What’s new in WDS

ARM architecture and support

WDS can now deploy images to ARM clients. ARM is a CPU architecture engineered for low-cost, low-power devices such as tablets, cell phones, GPS units, portable game consoles, network routers and media players.

 Note: PXE boot is not currently supported by the network drivers on ARM clients.

WDS infrastructure for custom deployments

New features offer the ability to control all aspects of the deployment process. The improvements include a variety of configuration options that allow administrators to control more tightly the deployment payload (such as images and driver packages) that is sent to client computers. These improvements include the following:

  • Install image filters, which are similar to the set of driver group filters.
  • Support for boot and install image priority to influence the ordering of these images as they appear in Boot Manager and WDS client image selection menus.
  • The Expected Deployment Results Wizard, which allows administrators to view deployment information such as the set of matching driver groups that would be sent to a prestaged device.
  • Ability to control which clients are able to boot from the PXE server.
  • Control over the boot parameters of PXE clients including boot program, prompt policy, and boot.wim instance.
  • Ability to control the WIM and VHD images that are deployed to the client.
  • More control over the drivers that are deployed to the client.
  • Control over the unattend file(s) that are used to customize the setup experience for the client.
  • Lower-level WDSUTIL commands that allow administrators to set custom metadata tags and values on deployment payload and prestaged devices that get matched to directly influence the deployment process.


WDSclient.exe is a new standalone client that can perform Dynamic Driver Provisioning (DDP) queries, direct VHD application, and metadata queries.

Standalone server mode

Starting in Windows Server 2012, Windows Deployment Services can be installed in standalone server mode, which removes the dependency on Active Directory. You still require DHCP, DNS and sufficient permissions to install and configure Windows Deployment Services. In this scenario a local store is used to retain information about prestaged devices.
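Two of the controls listed above, deciding which clients the PXE server answers and pinning a prestaged device to a specific boot program, image and unattend file, with WDSUTIL, as an added example for this page (not code from the original article). The server name, device name, MAC address, OU and account are assumptions. PXE itself does not authenticate clients and a MAC address can be spoofed, so these settings limit who receives an image; they are not an authentication mechanism.

```powershell
# Added example for this page (not from the original article). Server, device,
# MAC address, OU and account names are assumptions.
$wds = 'WDS01'

# 1. Answer only prestaged ("known") clients; an unknown machine gets no boot program.
wdsutil /Set-Server /Server:$wds /AnswerClients:Known

# 2. Prestage a device by MAC address (an SMBIOS GUID works too) with a fixed boot
#    program, boot image and client unattend file, so it cannot choose another image
#    from the menu, and a join account with join-only rights into a specific OU.
wdsutil /Add-Device /Server:$wds /Device:WS01 /ID:00-15-5D-01-02-03 `
    /BootProgram:boot\x64\pxeboot.n12 /BootImagePath:boot\x64\images\boot.wim `
    /WdsClientUnattend:WdsClientUnattend\WS01.xml `
    /OU:"OU=Workstations,DC=corp,DC=contoso,DC=com" /JoinRights:JoinOnly /User:"CORP\svc-wds"

# 3. Alternative for environments that must boot unknown hardware: answer everyone,
#    but hold unknown machines in a queue until an administrator approves them.
wdsutil /Set-Server /Server:$wds /AnswerClients:All
wdsutil /Set-Server /Server:$wds /AutoAddPolicy /Policy:AdminApproval
wdsutil /Get-AutoAddDevices /Server:$wds /DeviceType:PendingDevices
wdsutil /Approve-AutoAddDevices /Server:$wds /RequestId:1

# 4. Review the effective configuration and the prestaged devices.
wdsutil /Get-Server /Server:$wds /Show:Config
wdsutil /Get-AllDevices /Server:$wds
```

Whichever mode you use, the join account named in /User should be a dedicated account with rights to join computers to that OU only, because its credentials travel in the unattend data the client downloads.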

Trivial File Transfer Protocol

Trivial File Transfer Protocol (TFTP) has been enhanced and delivers improved performance.

You use the Windows Deployment Services Trivial File Transfer Protocol (TFTP) server to download the files that are needed to do a network boot using the Pre-Boot Execution Environment (PXE). PXE technology is a standard created by Intel that establishes a common and consistent set of pre-boot services within the boot firmware. The end goal is to enable a client to do a network boot and receive a network boot program (NBP) from a network boot server.

What’s new in RDS:

Session Shadowing

In Windows Server 2012 R2, Session Shadowing enables you to remotely monitor or control an active session of another user on a Remote Desktop Session Host (RD Session Host) server. The current version includes integration with Server Manager and Remote Desktop Connection (mstsc.exe).
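Shadowing a session from the command line, after reading the policy that decides whether the user is asked for consent, as an added example for this page (not code from the original article). The host and user names are assumptions. The policy is “Set rules for remote control of Remote Desktop Services user sessions”; the example reads its registry value directly.

```powershell
# Added example for this page (not from the original article). Host and user
# names are assumptions.
$rdsh   = 'RDSH01'
$target = 'jdoe'

# 1. Effective shadowing policy on the host. Values: 0 = disabled, 1 = full control
#    with the user's permission, 2 = full control without permission, 3 = view only
#    with permission, 4 = view only without permission. Absent = not configured.
$shadow = Invoke-Command -ComputerName $rdsh -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
        -Name Shadow -ErrorAction SilentlyContinue).Shadow
}
"Shadow policy on ${rdsh}: $shadow"

# 2. Find the user's session ID. quser prints USERNAME, SESSIONNAME (blank for a
#    disconnected session), ID, STATE, ...; the regex copes with the blank column.
$line = quser /server:$rdsh 2>$null | Select-String -Pattern "^\s*>?$target\s"
if (-not $line) { throw "$target has no session on $rdsh" }
$id = [regex]::Match($line.Line, '^\s*>?\S+(?:\s+\S+)?\s+(\d+)\s+').Groups[1].Value

# 3. Attach. /control requests input control; add /noConsentPrompt only when the
#    policy is 2 or 4, otherwise the user sees a consent prompt and can refuse.
mstsc /v:$rdsh /shadow:$id /control
```

Shadowing without consent is a privileged capability; leave the policy at “with permission” for ordinary help-desk use and audit the event log on the host when the no-consent variant is enabled for a specific group.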

Quick reconnect for remote desktop clients

In Windows Server 2012 R2, Quick Reconnect improves connection performance, enabling users to reconnect to their existing virtual desktops, RemoteApp programs and session-based desktops more quickly. The connection process for RemoteApp programs has been redesigned for Windows 8.1 and Windows Server 2012 R2 clients to be more informative and user friendly.

Virtual Desktop Infrastructure (VDI) deployment

Remote Desktop Services introduced a VDI deployment in Windows Server 2008 R2. In Windows Server 2012, Remote Desktop Services includes new ways to efficiently configure and manage your virtual desktops. Some of the enhancements include:

  • Unified central experience: Deploy VDI quickly, and then manage your pooled and personal virtual desktop deployments through a new unified central experience.
  • Automated and simple single-image management: Take advantage of automated ways to deploy and manage pooled virtual desktops with a virtual desktop template.
  • User personalization: Preserve user personalization settings for pooled virtual desktop deployments by using user profile disks.
  • Less expensive storage: Use inexpensive local storage with live migration between host computers for pooled virtual desktops. Personal virtual desktops can use less expensive SMB central storage.

Centralized Resource Publishing

Remote Desktop Services in Windows Server 2012 enables you to publish and manage resources, such as RemoteApp programs, session-based desktops, and virtual desktops, from a centralized console. Using this new publishing feature, you can get an historic view of resources assigned to end users, change published resources for any given collection, and edit properties of published resources.

In addition to the centralized console, you can now configure a RemoteApp and Desktop Connection URL by using Group Policy, and then give users access to the URL automatically through an email address.

What’s new in RAS

Multi-tenant site-to-site VPN Gateway

With Windows Server 2012 R2, hosters can deploy multi-tenant site-to-site (S2S) gateways to provide cross-premises connectivity from networks at the tenant sites to virtual networks that are dedicated per tenant in the hoster's network. The tenant's virtual network can be built on Hyper-V Network Virtualization or on VLANs at the hoster. A single gateway instance can serve multiple tenants with overlapping IP address spaces, which is far more efficient for the hoster than deploying a separate gateway instance per tenant. The Routing and Remote Access (RRAS) gateway is a software-only solution that can be deployed as multiple instances of multi-tenant RRAS servers to balance the load.

Multi-tenant Remote Access VPN Gateway

With Windows Server 2012 R2, hosters can allow transparent VPN access to virtual machines that are replicated in the cloud, even after a failure in which the tenant's entire site goes down. Windows Server 2012 R2 reduces CAPEX and OPEX for hosters with a single RRAS gateway that can serve multiple tenants with overlapping IP address spaces. The RRAS gateway is a software-only solution that can be deployed as multiple instances of multi-tenant RRAS servers to balance the load.

Border Gateway Protocol

In Windows Server 2012 R2, Border Gateway Protocol (BGP) enables dynamic distribution and learning of routes over site-to-site (S2S) RRAS interfaces. This feature enables hosters (primarily infrastructure-as-a-service (IaaS) providers) to deploy BGP on a multi-tenant RRAS S2S gateway, so that the gateway can learn which packets need to be routed to the Internet, to tenant premises and to the tenant virtual network at the hoster, and then route them accordingly. An RRAS gateway with BGP enabled can also be deployed by enterprises at their premises edge to distribute internal routes to other edge gateways (of the same enterprise, in physical or virtual networks) over secure tunnels.

Web Application Proxy

Web Application Proxy is a new Remote Access role service in Windows Server 2012 R2. It provides reverse proxy functionality for web applications inside your corporate network so that users on any device can access them from outside the corporate network. It can pre-authenticate users through AD FS before a request ever reaches the published application, or pass requests through to applications that handle their own authentication.

SSL VPN plug-in from non-Microsoft vendors

Windows 8.1 for x86 and amd64 (and ARM in Windows RT 8.1) supports SSL VPN plug-ins from the following non-Microsoft VPN vendors:

  • Dell SonicWall, Inc.
  • Juniper Networks, Inc.
  • F5 Networks, Inc.
  • Check Point Software Technologies, Ltd.

Site-to-site IKEv2 IPsec tunnel mode VPN

Cross-premises connectivity is a feature in Windows Server 2012 R2 and Windows Server 2012 that provides the network connectivity service hosting providers need to migrate their applications and infrastructure to the cloud. This feature includes a site-to-site Internet Key Exchange version 2 (IKEv2) tunnel-mode VPN connectivity solution and management interface. Windows Server 2008 R2 introduced IKEv2 support in RRAS for VPN connections. An IKEv2 VPN gives the VPN client resilience when it moves from one network to another or switches from a wireless to a wired connection. The use of IKEv2 and IPsec allows support for strong authentication and encryption methods. RRAS in Windows Server 2012 R2 and Windows Server 2012 adds the enhancements needed to use IKEv2 for site-to-site VPN connections.

Windows PowerShell 5.0

Windows PowerShell 5.0 adds hundreds of new cmdlets that help administrators perform tasks more quickly.

Reference: Visit Microsoft Technet Sites for more details



What’s new in Windows Server 2016 or “Nano Server”


Hello Friends, I am back with one more article on Microsoft technologies. In this article I am going to introduce Microsoft's latest server OS, Windows Server 2016.

Microsoft has announced its brand new server OS, Windows Server 2016, with lots of new and exciting features, including new security features. Microsoft always arrives with a milestone, and I hope this will be one of the milestones in Windows Server history. One of the most talked-about additions is a new minimal installation option called Nano Server; note that Nano Server is an installation option of Windows Server 2016, not a nickname for the OS itself.

In this article series, I am going to introduce the new and exciting features of Windows Server 2016.

What's Nano Server: Windows Server 2016 offers a new installation option called "Nano Server", which is similar to the Server Core installation in previous versions of Windows Server. Nano Server is a remotely managed OS optimized for private clouds and datacenters. It is like Server Core, but it has no local logon capability and supports only 64-bit applications, tools and agents. It consumes far less disk space and reboots faster, and because there is no local logon, no GUI stack and no 32-bit support, its attack surface and patch volume are much smaller.

You can use Nano Server for the following server roles:

  • As a compute host for Hyper-V VMs.
  • As a storage host for a File Server.
  • As a DNS server.
  • As a web (IIS) server.
  • As an application server for applications deployed in the cloud.

What's new in Compute and Virtualization: Windows Server 2016 provides a large-scale virtualization infrastructure with simplified upgrades and new installation options.

  • Rolling upgrades for Hyper-V and scale-out file server clusters for faster adoption of new operating systems
  • Functionality for hot add and remove memory and NIC, reducing downtime
  • Virtual machine compute resiliency, so that virtual machines continue running even if the compute cluster fabric service fails
  • Nano Server, a deeply refactored version of Windows Server with a small footprint and remotely managed installation, optimized for the cloud and a DevOps workflow

Software defined Networking: Continued investment to make networking as flexible and cost-effective as possible while ensuring high performance.

  • Converged NIC across tenant and RDMA traffic to optimize costs, enabling high performance and network fault tolerance with only 2 NICs instead of 4
  • PacketDirect on 40G to optimize performance

Storage: Expanding capabilities in software-defined storage with an emphasis on resilience, reduced cost, and increased control.

  • Virtual Machine Storage Path resiliency, enabling virtual machines to pause and restart gracefully in response to either transient or permanent storage path failures
  • Storage Spaces Direct to enable aggregation of Storage Spaces across multiple servers, pushing the cost of storage down while allowing for increased scale out
  • Storage quality of service (QoS) for more control and predictable performance
  • Storage Replica, giving you synchronous storage replication for affordable business continuity and disaster recovery strategies

Security and Assurance: Protecting against today’s threats with a “zero-trust” approach to security that is rooted in the hardware.

  • New Host Guardian Service, part of a trust and isolation boundary between the cloud infrastructure and guest OS layers: it attests the health and identity of Hyper-V hosts and releases the keys for shielded VMs only to hosts that pass attestation
  • Just Enough Administration (JEA), which reduces the risk of security breaches by allowing users to perform only specific tasks through constrained PowerShell endpoints
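As an added example (this is not code from the article, nor Microsoft's own sample), the following PowerShell 5.0 script builds the kind of JEA endpoint described above: an operator group that can restart the DNS service and nothing else, running as a virtual account so no standing admin credential exists to steal. The module name, AD group, endpoint name and transcript folder are assumptions.

```powershell
# Added example: a minimal Just Enough Administration (JEA) endpoint.
# Names below are assumptions chosen for the illustration.
$moduleName   = 'JeaDnsOps'                  # assumed module that holds the role capability
$groupName    = 'CONTOSO\DnsOperators'       # assumed AD group that receives the role
$endpointName = 'DnsOps'                     # assumed JEA endpoint (session configuration) name
$transcripts  = 'C:\JeaTranscripts'          # assumed folder for per-session transcripts

# 1. Role capability file: the allow-list of what the role may run.
#    Get-Service is exposed read-only; Restart-Service is exposed with its -Name
#    parameter locked to the DNS service by a ValidateSet.
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )

# 2. Session configuration file: RestrictedRemoteServer removes everything not
#    explicitly allowed, RunAsVirtualAccount gives the session a temporary local
#    admin identity (no shared password), and every session is transcribed.
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pscPath = Join-Path $env:TEMP "$endpointName.pssc"
New-PSSessionConfigurationFile -Path $pscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ $groupName = @{ RoleCapabilities = 'DnsOperator' } }

# 3. Validate the file, then register the endpoint (this restarts the WinRM service).
if (-not (Test-PSSessionConfigurationFile -Path $pscPath)) { throw "Invalid session configuration: $pscPath" }
Register-PSSessionConfiguration -Name $endpointName -Path $pscPath -Force

# An operator connects with:
#   Enter-PSSession -ComputerName <dns-server> -ConfigurationName DnsOps
# Inside the session Get-Command lists only Get-Service, Restart-Service and the
# JEA default proxy functions; Restart-Service -Name Spooler is rejected by the ValidateSet.
```

The important design choice is that the capability file restricts parameters, not just cmdlet names: exposing Restart-Service without the ValidateSet would let the operator restart any service, which is a lateral-movement primitive rather than a scoped task.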

Management: Ongoing advances to simplify server management and increase consistency in approach.

  • PowerShell Desired State Configuration (DSC) for easier, consistent and faster deployment and updates
  • PowerShell Package Manager for unified package management and deployment
  • Windows Management Framework 5.0 April Preview and DSC Resource Kit (available online simultaneously with TP2)

And much more, including new features for IIS, RDS, and AD such as:

  • Conditional access control in AD FS, allows requiring a device compliant with policies to access resources
  • Support for application authentication with OpenID Connect and OAuth, making it easier to build mobile enterprise applications
  • Full OpenGL support with RDS for VDI scenarios
  • Server-side support for HTTP/2 including header compression, connection multiplexing and server push.

Download the Windows Server 2016 preview from here


Reference: Visit Microsoft Site for more details

About me: Hello dear readers, I am working as an AD & Exchange SME and handling a complex setup of 60K users with hundreds of email servers. I am the founder and owner of "Q-Lative Solutions". Under this IT training and consultancy we offer only customized courses for my clients, who are from across the world. I have already trained more than 500 students in customized training.


Arun Chaudhary


AD/ Exchange SME, Founder/ Owner of

Q-Lative Solutions

Mail me:

Visit me:  My Another Blog on Microsoft Technologies




What is new in Microsoft Exchange Server 2016




Thanks for liking my first article of this series. In the second article of the series, I am going to introduce the brand new features of Exchange Server 2016 that were not available in previous versions.

Exchange 2016 has lots of new features that help IT administrators build a more powerful, secure and highly available Exchange organization.

In this article we will discuss all the new features that were not available in Exchange 2010 and in Exchange 2013.

New Functionality/ features from Exchange 2010:

Exchange Server 2016 has a number of new features that were not available in Exchange Server 2010; here is the list.

Exchange Admin Center: Exchange 2016 provides a single unified management console for managing your on-premises, Office 365 and hybrid deployments. The Exchange admin center (EAC) in Exchange 2016 replaces the Exchange 2010 Exchange Management Console (EMC) and Exchange Control Panel (ECP), but the /ecp virtual directory remains, because it is what the EAC is served from.

Exchange Server 2016 Architecture: Exchange Server 2010 has five server roles (Mailbox, Client Access, Hub Transport, Unified Messaging and Edge Transport). In Exchange 2016 Microsoft has reduced this and now includes all of that functionality in a single Mailbox server role (with Edge Transport still available as a separate role).

  • The Mailbox server role includes all the server components of Exchange Server 2010: the Mailbox role, Client Access protocols, Transport service, mailbox databases and Unified Messaging services.
  • The Client Access services on the Mailbox server provide authentication, limited redirection and proxying. They also offer all the client access protocols: HTTP, POP, IMAP and SMTP.

Note: Edge Transport is a separate role, installed in the perimeter network (DMZ) outside your Active Directory forest. Use the Edge Transport role if your organization needs it, or choose another anti-spam solution such as Exchange Online Protection (EOP) or a third-party gateway that fits your requirements.

Managed Store: In Exchange 2016, the Managed Store is the name of the Information Store processes, Microsoft.Exchange.Store.Service.exe and Microsoft.Exchange.Store.Worker.exe. The new Managed Store is written in C# and tightly integrated with the Microsoft Exchange Replication service (MSExchangeRepl.exe) to provide higher availability through improved resiliency.

The Managed Store works with the Microsoft Exchange Replication service to manage mailbox databases, which continues to use Extensible Storage Engine (ESE) as the database engine. The Microsoft Exchange Replication service is responsible for all service availability related to Mailbox servers. This change enables faster database failover and better physical disk failure handling.

Certificate Management: Security is a major concern in any Exchange organization, and secure communication relies on digital certificates. The main enhancement in certificate management addresses a long-standing gap: it was hard to see when a certificate was nearing expiry. In Exchange 2016 the Notifications center in the EAC displays warnings when a certificate stored on any Exchange 2016 server is about to expire, and administrators can also choose to receive these notifications by email.
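For administrators who want the same check on a schedule rather than in the EAC, here is an added example (not from the article or from Microsoft) for the Exchange Management Shell. It lists certificates expiring within a threshold on every Exchange 2013/2016 server and flags the ones still bound to a service, because those are the ones that break OWA, Outlook Anywhere, MAPI over HTTP or SMTP TLS when they lapse. The 30-day threshold is an assumption.

```powershell
# Added example: find soon-to-expire Exchange certificates and flag bound ones.
$thresholdDays = 30   # assumed warning window
$cutoff = (Get-Date).AddDays($thresholdDays)

# Exchange 2013 and 2016 both report major version 15.
$servers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -ge 15 }

$expiring = foreach ($srv in $servers) {
    Get-ExchangeCertificate -Server $srv.Name |
        Where-Object { $_.NotAfter -lt $cutoff } |
        Select-Object @{ n = 'Server';   e = { $srv.Name } },
                      Thumbprint,
                      Subject,
                      NotAfter,
                      @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
                      @{ n = 'Services'; e = { $_.Services.ToString() } },
                      # A certificate with Services = None is installed but unused;
                      # anything else (IIS, SMTP, POP, IMAP) is live and urgent.
                      @{ n = 'Bound';    e = { $_.Services.ToString() -ne 'None' } }
}

$expiring | Sort-Object NotAfter | Format-Table -AutoSize

$urgent = @($expiring | Where-Object { $_.Bound })
if ($urgent.Count -gt 0) {
    Write-Warning ("{0} certificate(s) bound to a service expire within {1} days" -f $urgent.Count, $thresholdDays)
}
```

Run it from a scheduled task under an account holding the View-Only Configuration role; the output is read-only, so the task needs no rights to modify certificates.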

New installation setup: Exchange 2016 Setup has been rewritten so that, during installation, making sure you have the latest product updates and security fixes is easier than ever. The readiness checks have also been improved to verify whether your organization is ready to accept Exchange 2016.

Hybrid Configuration with Office 365: The hybrid configuration wizard, introduced in Exchange Server 2013, has further enhancements. When you start it, it asks you to download and install a small app. It provides the following new functionality:

  • The wizard can be updated quickly to support changes in the Office 365 service.
  • The wizard can be updated to account for issues detected when customers try to configure a hybrid deployment.
  • Improved troubleshooting and diagnostics to help you resolve issues that you run into when running the wizard.
  • The same wizard will be used by everyone configuring a hybrid deployment who’s running Exchange 2013 or Exchange 2016.
  • In addition to Hybrid Configuration Wizard improvements, multi-forest hybrid deployments are being simplified with Azure Active Directory Connect (AADConnect). AADConnect introduces management agents that will make it significantly easier to synchronize multiple on-premises Active Directory forests with a single Office 365 tenant.


Enhancement in DLP policies: Exchange 2016 provides built-in DLP policies based on regulatory standards such as personally identifiable information (PII) and the payment card industry data security standard (PCI DSS), and is extensible to support other policies important to your business. With a DLP policy in Exchange 2016, you can identify, monitor and protect 80 different types of sensitive information.

Enhancement in Transport Rules: Exchange 2016 adds some useful transport rule conditions and actions that help IT administrators protect mail flow. For example:

  • Condition: Any attachment has these properties, including any of these words
  • Action: Notify the recipient with a message
  • Action: Generate incident report and send it to

These combine with the existing conditions and actions, so a single rule can detect a classified attachment, warn the recipient and file an incident report.
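To show the three items above working together, here is an added example (not from the article or from Microsoft's documentation) that creates such a rule from the Exchange Management Shell. The document property name "Classification", the word "Confidential" and the compliance mailbox address are assumptions; the property would normally be stamped by Windows Server File Classification Infrastructure or a similar tool.

```powershell
# Added example: one transport rule using the new attachment-property condition
# and the new notification / incident-report actions.
$complianceMailbox = 'compliance@contoso.com'        # assumed incident-report recipient
$ruleName          = 'Confidential attachment leaving the org'

New-TransportRule -Name $ruleName `
    -AttachmentPropertyContainsWords 'Classification:Confidential' `   # assumed property:value
    -SentToScope NotInOrganization `                                  # only mail leaving the org
    -GenerateNotification 'This message carries an attachment classified Confidential and has been reported to Compliance.' `
    -GenerateIncidentReport $complianceMailbox `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail `
    -Mode Audit     # start in Audit: the rule logs matches without notifying or reporting

# Review what was created, then switch to Enforce once the matches look right.
Get-TransportRule $ruleName |
    Format-List Name, State, Mode, AttachmentPropertyContainsWords, SentToScope,
                GenerateNotification, GenerateIncidentReport, IncidentReportContent

# Set-TransportRule $ruleName -Mode Enforce
```

Starting in Audit mode and reading the message tracking log for the rule's matches before enforcing is the check that keeps a mistyped property name from silently blocking or flooding Compliance with reports.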


Microsoft Rights Management Connector: The Microsoft Rights Management connector (RMS connector) is an optional application that enhances data protection for your Exchange 2016 servers by connecting them to the cloud-based Microsoft Rights Management service. Once the RMS connector is installed, it provides continuous protection throughout the life span of the information, and because the templates are customizable, you can define the level of protection you need.

For example, you can limit email message access to specific users or set view-only rights for certain messages.

Enhancement in Auditing: Auditing is used by organizations to monitor user and administrator activity and to meet compliance requirements. The EAC in Exchange Server 2016 includes new auditing functionality so that you can run reports on, or export entries from, the mailbox audit log and the administrator audit log. This helps you troubleshoot configuration issues or identify the cause of problems related to security or compliance.
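Both logs are also searchable from the shell, which is what a security team needs for recurring checks. The following added example (not from the article or from Microsoft) asks the two questions that matter most after a suspected compromise: who recently granted themselves or others access to mailboxes, and who other than the owner has been reading a sensitive mailbox. The mailbox address, date range and cmdlet list are assumptions.

```powershell
# Added example: admin audit log and mailbox audit log queries for incident review.
$since = (Get-Date).AddDays(-30)   # assumed look-back window

# 1. Admin audit log: successful permission grants and role assignments. These
#    cmdlets are what an attacker with Exchange admin rights uses to read other
#    people's mail without ever logging in as them.
$adminEvents = Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) `
        -Cmdlets Add-MailboxPermission, Add-ADPermission, New-ManagementRoleAssignment, Set-Mailbox |
    Where-Object { $_.Succeeded } |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{ n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } }

$adminEvents | Sort-Object RunDate -Descending | Format-Table -AutoSize

# 2. Mailbox audit log for a sensitive mailbox. Mailbox auditing is off by
#    default on-premises, so enable it (with the delegate actions we care about)
#    before expecting any entries.
$mailbox = 'ceo@contoso.com'   # assumed sensitive mailbox
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditDelegate Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, FolderBind

# Delegate and Admin logons are everything that is not the mailbox owner.
$delegateEvents = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate, Admin `
        -StartDate $since -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString

$delegateEvents | Sort-Object LastAccessed -Descending | Format-Table -AutoSize
```

FolderBind is the action worth keeping in AuditDelegate even though it is noisy: it is the only record of a delegate merely opening a folder, which is exactly what mailbox snooping looks like.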

New mail flow architecture: Exchange 2016 has a different mail flow architecture compared with previous versions. These are the mail flow components in Exchange Server 2016:

  • Transport pipeline: The transport pipeline in Exchange 2016 is made up of several services: the Front End Transport service, the Transport service and the Mailbox Transport service.
  • Routing: Mail routing in Exchange 2016 recognizes DAG boundaries as well as Active Directory site boundaries. Routing has also been improved to queue messages more directly for internal recipients.
  • Connectors: The default maximum message size for a Send connector or a Receive connector, as specified by the MaxMessageSize parameter, has been increased from 10 MB to 25 MB. You can set a Send connector in the Transport service of a Mailbox server to route outbound mail through a Front End Transport server in the local Active Directory site.
  • Edge Transport: You can optionally install an Edge Transport server in your perimeter network to reduce your attack surface and provide message protection and security.


Enhancement in Recipients: Exchange Server 2016 has the following enhancements in the recipients area:

  • IT administrators can now use the EAC to create a group naming policy, which helps you manage the names of distribution groups created by users in your organization.
  • You can also use the EAC to track delivery information for email messages sent to or received by any user in your organization. You select a mailbox, and then search for messages sent to or received by a different user.


Integration with SharePoint and Skype for business: In Exchange 2016, you can also integrate the SharePoint and Skype for business to enhance the Exchange functionality.

Outlook on the web: Outlook Web App has been renamed Outlook on the web. You can access your email from any supported web browser, such as Microsoft Edge, Internet Explorer, Chrome, Firefox and Safari.

Offline Outlook on Web: Internet Explorer 11 and Windows Store apps using JavaScript support the Application Cache API (or AppCache), as defined in the HTML5 specification, which allows you to create offline web applications. AppCache enables webpages to cache (or save) resources locally, including images, script libraries, style sheets, and so on. In addition, AppCache allows URLs to be served from cached content using standard Uniform Resource Identifier (URI) notation. The following is a list of the browsers that support AppCache:

  • Microsoft Edge
  • Internet Explorer 11 or later versions
  • Google Chrome 44 or later versions
  • Firefox 39 or later versions
  • Safari 8 or later (only on OS X/iOS) versions


MAPI over HTTP: In Exchange 2016 MAPI over HTTP is now the default protocol which used by Outlook to communicate with Exchange Server. MAPI over HTTP improves the reliability and stability of the Outlook and Exchange connections by moving the transport layer to the industry-standard HTTP model. This allows a higher level of visibility of transport errors and enhanced recoverability.
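Because MAPI over HTTP is now the protocol Outlook tries first, its virtual directories deserve a configuration check. The following added example (not from the article or from Microsoft) verifies from the Exchange Management Shell that the protocol is enabled for the organization and that every MAPI virtual directory publishes HTTPS URLs and does not accept Basic authentication, which would send credentials in cleartext if TLS were ever stripped. The server name and namespace in the commented remediation lines are assumptions.

```powershell
# Added example: audit MAPI over HTTP settings across all Mailbox servers.
$org = Get-OrganizationConfig
if (-not $org.MapiHttpEnabled) {
    Write-Warning 'MAPI over HTTP is disabled at the organization level; Outlook will fall back to RPC over HTTP.'
}

$findings = foreach ($vdir in Get-MapiVirtualDirectory -ADPropertiesOnly) {
    $problems = @()

    # Both URLs must be HTTPS; a missing ExternalUrl means external clients
    # cannot use MAPI/HTTP at all.
    foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
        if ($url -and $url.Scheme -ne 'https') { $problems += "non-HTTPS URL $url" }
    }
    if (-not $vdir.ExternalUrl) { $problems += 'no ExternalUrl configured' }

    # Basic auth over MAPI/HTTP is legal but should be off in favour of NTLM/Negotiate/OAuth.
    $methods = @($vdir.IISAuthenticationMethods | ForEach-Object { $_.ToString() })
    if ($methods -contains 'Basic') { $problems += 'Basic authentication enabled' }

    [pscustomobject]@{
        Server   = $vdir.Server
        Auth     = ($methods -join ',')
        Problems = ($problems -join '; ')
    }
}

$findings | Format-Table -AutoSize

# Remediation for one directory (assumed server EX01 and namespace mail.contoso.com):
# Get-MapiVirtualDirectory -Server EX01 |
#     Set-MapiVirtualDirectory -ExternalUrl 'https://mail.contoso.com/mapi' `
#                              -IISAuthenticationMethods Ntlm, Negotiate, OAuth
```

Set-MapiVirtualDirectory changes take effect after the MSExchangeMapiFrontEndAppPool recycles, so re-run the audit a few minutes later rather than immediately.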

Document collaboration: Exchange 2016 will enable Outlook on the web users to link to and share documents stored in OneDrive for Business in an on-premises SharePoint server instead of attaching a file to the message.

Batch mailbox moves: Exchange 2016 supports batch mailbox moves, so you can move many mailboxes in a single migration batch instead of one at a time.

Enhancement in High Availability and Site resiliency: Exchange 2016 uses DAGs and mailbox database copies, along with other features such as single item recovery, retention policies, and lagged database copies, to provide high availability, site resilience, and Exchange native data protection.


New Functionality/ features from Exchange 2013:

Exchange Server 2016 is quite similar to Exchange 2013, but there are still a number of new features introduced in Exchange 2016.

Here is the list for Exchange Server 2016 compared with Exchange 2013:

  • Enhanced Exchange Server 2016 architecture
  • Outlook on Web
  • MAPI over HTTP
  • Document collaboration
  • Office 365 Hybrid enhancements
  • Enhancement in messaging policy and compliance



Kindly provide your valuable comments and feedback on my articles to motivate me, so I will continue with more new articles of this series.

In the next article I will explain how to install Exchange Server 2016. So wait for me :)



Arun Chaudhary


AD/ Exchange SME, Founder/ Owner of

Q-Lative Solutions

Mail me:

Visit me:


About me: Hello dear readers, I am working as an AD & Exchange SME and handling a complex setup of 60K users with hundreds of email servers. I am the founder and owner of "Q-Lative Solutions". Under this IT training and consultancy we offer only customized courses for my clients, who are from across the world. I have already trained more than 500 students in customized training. We offer a complete package of training on real-world scenarios and setups by SMEs. We offer a full package of products, e.g.:


Messaging Expert: This package includes Exchange 2010, 2013, 2016, Office 365, Proofpoint gateway, BlackBerry, EOP and Google Apps migration, and Office 365 migration with the Hybrid Configuration Wizard, covering all installation, configuration and functionality at a very low price anywhere in the world.


Wintel Admin: This package includes Windows Server 2008, R2 and 2012, the basics of Active Directory, Hyper-V, SCVMM, VMware (VCP), and server patching, monitoring and backup/restore on real-world scenarios.


AD Admin/ Expert: Windows Server 2008, R2 and 2012, including in-depth knowledge of Active Directory and Windows Server roles (AD DS, AD CS, AD FS, IIS, WDS, RRAS and VPN server) installation, configuration and management.


Note: We offer SCOM, ITIL, SNOW and Remedy training free and mandatory with all the courses. We also offer live server troubleshooting and how to create Incident/Problem tickets and Change Requests with the complete ITIL process used by all MNCs.




Difference between the Exchange Server 2010/2013 and Exchange 2016 Server



Hello my dear readers, this is my first article on this blog; kindly reply with your valuable feedback.

In this article series, I am going to introduce the new enhancements in Microsoft Exchange Server 2016 and the features that have been removed or replaced in Exchange 2016.

This is the first article of the series, and here I am going to cover the features that are discontinued from the legacy Exchange versions, 2010 and 2013.


Finally, after a long wait, Microsoft has launched a brand new version of Exchange Server called "Microsoft Exchange 2016", with lots of new features, and has also removed some features of previous versions.

Microsoft Exchange Server 2016 is focused on cloud technologies and provides full compatibility with Microsoft cloud services such as Office 365 and Microsoft Azure, which helps organizations reduce cost.

What’s discontinued in Exchange Server 2016


Discontinued features from Exchange Server 2013:

CAS Server Role: The Client Access server role has been replaced by Client Access services that run on the Mailbox server role. The Mailbox server role now performs all functionality that was previously included with the Client Access server role.

MAPI/CDO library: The MAPI/CDO library has been replaced by Exchange Web Services (EWS), Exchange ActiveSync (EAS) and Representational State Transfer (REST) APIs. If an application uses the MAPI/CDO library, it needs to move to EWS, EAS or the REST APIs to communicate with Exchange 2016.

The following features are being de-emphasized in Exchange 2016 and may not be included in future versions of Exchange.


  • Third-party replication APIs
  • RPC over HTTP
  • Database Availability Group support for failover cluster administrative access points


Discontinued features from Exchange Server 2010:

Many features were already discontinued in Exchange Server 2013, but compared with Exchange 2010 the list of removed or replaced features in Exchange 2016 is longer still.

Here is the list of features from Exchange 2010 that are discontinued in Exchange 2016, with comments and mitigation for each.

HUB Role: The Hub Transport server role has been replaced by Transport services that run on the Mailbox server role. The Mailbox server role includes the Microsoft Exchange Transport, Microsoft Exchange Mailbox Transport Delivery, Microsoft Exchange Mailbox Transport Submission and Microsoft Exchange Frontend Transport services.

UM Role: The Unified Messaging server role has been replaced by Unified Messaging services that run on the Mailbox server role. In Exchange 2016 the Mailbox server role includes both the Microsoft Exchange Unified Messaging service and the Microsoft Exchange Unified Messaging Call Router service.

MAPI/CDO library: The MAPI/CDO library has been replaced by Exchange Web Services (EWS), Exchange ActiveSync (EAS) and Representational State Transfer (REST) APIs. If an application uses the MAPI/CDO library, it needs to move to EWS, EAS or the REST APIs to communicate with Exchange 2016.

EMC and ECP: The Exchange Management Console and the Exchange Control Panel have been replaced by the Exchange Admin Center (EAC). The EAC uses the same virtual directory (/ecp) as the Exchange Control Panel.

Legacy Outlook 2003 not supported: To connect Microsoft Outlook to Exchange 2016, the Autodiscover service is required. Microsoft Outlook 2003 does not support Autodiscover.

RPC/TCP access for Outlook clients: In Exchange 2016, Outlook clients can connect only by using Outlook Anywhere (RPC over HTTP) or MAPI over HTTP (Outlook 2013 Service Pack 1 and later). If you have Outlook clients in your organization, using Outlook Anywhere and/or MAPI over HTTP is required.

Linked connectors: The ability to link a Send connector to a Receive connector has been removed. Specifically, the LinkedReceiveConnector parameter has been removed from New-SendConnector and Set-SendConnector.

Anti-spam agent management in the EMC: In Exchange 2010, when you enabled the anti-spam agents on a Hub Transport server, you could manage the anti-spam agents in the Exchange Management Console (EMC). In Exchange 2016, when you enable the anti-spam agents on a Mailbox server, you cannot manage the agents using the EAC; you can only use the Shell. For information about how to enable the anti-spam agents on a Mailbox server

Connection Filtering agent on Hub Transport servers: In Exchange 2010, when you enabled the anti-spam agents on a Hub Transport server, the Attachment Filter agent was the only anti-spam agent that was not available. In Exchange 2016, when you enable the anti-spam agents on a Mailbox server, the Attachment Filter agent and the Connection Filtering agent are not available. The Connection Filtering agent provides IP Allow List and IP Block List capabilities.

Managed Folders: In Exchange 2010, you use managed folders for messaging records management (MRM). In Exchange 2016, managed folders are not supported; you must use retention policies for MRM.

Port Managed Folder wizard: In Exchange 2010, you use the Port Managed Folder wizard to create retention tags based on managed folder and managed content settings. In Exchange 2016, the Exchange admin center does not include this functionality. You can use the New-RetentionPolicyTag cmdlet with the ManagedFolderToUpgrade parameter to create a retention tag based on a managed folder.

Directory lookups using Automatic Speech Recognition (ASR): In Exchange 2010, Outlook Voice Access users can use speech input with Automatic Speech Recognition (ASR) to search for users listed in the directory. Speech input could also be used in Outlook Voice Access to navigate menus, messages and other options. However, even when an Outlook Voice Access user can use speech input, they have to use the telephone keypad to enter their PIN and navigate personal options.

In Exchange 2016, authenticated and non-authenticated Outlook Voice Access users cannot search for users in the directory using speech input or ASR in any language. However, callers who reach an auto attendant can use speech input in multiple languages to navigate auto attendant menus and search for users in the directory.


Note: You can visit my another blog on hundreds of topics.

Visit on My another blog on Microsoft Servers


In the next article I will explain the brand new features of Exchange Server 2016. So wait for me :)