70-410 Exam prep advice?

Stolls

Hey, all. Just seeking some advice regarding certification exam prep, specifically for MCSA/MCSE; I've been struggling on the 70-410 exam (Installing and Configuring Server 2012) for the last few months.

For study I've mostly been going over the Server 2012 training guide and Exam Ref books, with practice tests from both MeasureUp and Transcender, and some light experimentation on a demo version installed on a VM. While this all has helped me understand the software, sadly it hasn't been enough to pass the test. Despite being able to score 100% on both practice exams (in certification mode, twice, without consulting notes, as recommended) the actual exam has proven far more challenging.

Some questions were merely variations of the practice exams, and I didn't fail by much, but enough items were not covered in any material I've seen to make me wonder if I was taking the right exam. I'm wondering if there are any other study aids or resources to consult, perhaps something more comprehensive or closer to what the exam actually covers. I've heard good things about CBT Nuggets videos, and Microsoft also appears to offer a short training course on the software.

Are there any general or particular recommendations for preparing for a retake? Anything in particular that worked for those who've passed the exam? From what I understand the 70-410 is notoriously difficult, so any practical suggestions would be very welcome.

Djeet

I'm doing a self-study course for 2012 MSCE (cannot recall the exact tracks, there are 2 in the package I got, one general 2012 stuff and the other focused on virtualization and private cloud). From the study materials I've been working with it's evident that some hands on work is going to be required. I'm not even thinking of taking the test unless I've done a core-install of a hyper-V server, installed server from WIM, used Powershell to do install and configs, and I'm only 3 segments into a 12 segment course on 70-410. I think you're going to have to get your hands dirtier (working with servers/VMs, using a lab to really investigate how the parts all work together) if you want to gain mastery of the material.

I've done study guides (cheat sheets as it were) before and you may be able to pass by memorizing answers but it doesn't get you anywhere w/r/to learning to apply the stuff.

PedroAsani

I teach others on how to get through the MCSE tracks at work. From what you have said you are close to passing, and just stuck on a couple of areas. Do you know what they are? I can help out with some guidance on particular parts if I know what they are.

Actually, not to put you off doing the exams, but 410, 411 and 412 are a lot easier than 413 and 414. In general I recommend some practical experience before attempting them. Sandbox is good to brush up on the Best Practice, but really you need to work with these for about six months to get to grips with them.

Stolls

I kind of figured hands-on experience would be the missing component. Going off the exam sheet, I scored well on installation and configuration, as well as core network services, so-so on Hyper-V and configuring roles and features, and fell down on Active Directory and Group Policy. I don't think I have a huge problem understanding the core concepts - the Transcender exam came with a set of flash cards, which were helpful in avoiding rote memorization - so the issue is probably lack of familiarity with the software.

To cite one example, a question presented a test environment where a server (2012 R2) was being installed as a domain controller. The question stated the domain itself hadn't been set up yet, and possible answers included PowerShell commands for installing the DC, installing the domain, or installing the forest. It's my understanding the domain (and thus the containing forest) must exist first, but it's possible the question was literally just asking 'which of these commands installs the domain controller?' and I read it wrong. Several questions were posed similarly, with seemingly unrelated details before asking something fairly basic, like general IPv6 formatting.

All that said, you guys are probably right, and I think some hands-on experience is in order. I'm just not sure where to start getting it.

Aumni

Here is a good collection of technet articles and whatnot pertaining to the exam.
http://www.techexams.net/forums/mcsa-mcse-windows-2012-general/88247-70-410-resources.html

Also:
http://mcsa-70-410.blogspot.com/2013/07/powershell-commands-for-mcsa-70-410.html

If you haven't already get Windows 8 and play with Hyper-V client. Or you can setup Hyper-V Server Core on your machine and just run in a VM. Hyper-V Server core is free so it's totally doable. Having the experience of setting things up in Core is invaluable.

The Sybex books are fantastic resources as well. Really well written.
http://www.amazon.com/Mastering-Windows-Server-2012-R2/dp/1118289420/ref=sr_1_2?ie=UTF8&qid=1401323601&sr=8-2&keywords=sybex+windows+server+2012

PedroAsani

Stolls wrote: »

I kind of figured hands-on experience would be the missing component. Going off the exam sheet, I scored well on installation and configuration, as well as core network services, so-so on Hyper-V and configuring roles and features, and fell down on Active Directory and Group Policy. I don't think I have a huge problem understanding the core concepts - the Transcender exam came with a set of flash cards, which were helpful in avoiding rote memorization - so the issue is probably lack of familiarity with the software.

To cite one example, a question presented a test environment where a server (2012 R2) was being installed as a domain controller. The question stated the domain itself hadn't been set up yet, and possible answers included PowerShell commands for installing the DC, installing the domain, or installing the forest. It's my understanding the domain (and thus the containing forest) must exist first, but it's possible the question was literally just asking 'which of these commands installs the domain controller?' and I read it wrong. Several questions were posed similarly, with seemingly unrelated details before asking something fairly basic, like general IPv6 formatting.

All that said, you guys are probably right, and I think some hands-on experience is in order. I'm just not sure where to start getting it.

If I remember that question correctly, the installation has been started and they are asking how to do the next step. With 2012 and R2, new installations seem to go partway through and then disappear if you don't know where to look. (Adding the role to the server is just part 1. Configuring the DC is part 2, and I think that is what they were looking for.)

AD questions usually look at Groups (Security or Distribution; Domain Local, Global or Universal) and GPO. GPO they usually want you to know two things, the processing order and the Enforced/Block Inheritance rules.

Stolls

PedroAsani wrote: »

If I remember that question correctly, the installation has been started and they are asking how to do the next step. With 2012 and R2, new installations seem to go partway through and then disappear if you don't know where to look. (Adding the role to the server is just part 1. Configuring the DC is part 2, and I think that is what they were looking for.)

AD questions usually look at Groups (Security or Distribution; Domain Local, Global or Universal) and GPO. GPO they usually want you to know two things, the processing order and the Enforced/Block Inheritance rules.

Yeah, I had a sneaking suspicion that question was actually straightforward and I was overthinking it. AD groups and GPOs seem more or less linked, in that learning one helps understand the other, so it wouldn't hurt for me to review that in particular. I confess to some confusion as to how groups are different from organizational units, in terms of policy deployment; seems like there's some overlap in function, with the two just providing different ways of distributing access/restrictions.

Aumni wrote: »

Here is a good collection of technet articles and whatnot pertaining to the exam.
http://www.techexams.net/forums/mcsa-mcse-windows-2012-general/88247-70-410-resources.html

Also:
http://mcsa-70-410.blogspot.com/2013/07/powershell-commands-for-mcsa-70-410.html

If you haven't already get Windows 8 and play with Hyper-V client. Or you can setup Hyper-V Server Core on your machine and just run in a VM. Hyper-V Server core is free so it's totally doable. Having the experience of setting things up in Core is invaluable.

The Sybex books are fantastic resources as well. Really well written.
http://www.amazon.com/Mastering-Windows-Server-2012-R2/dp/1118289420/ref=sr_1_2?ie=UTF8&qid=1401323601&sr=8-2&keywords=sybex+windows+server+2012

Interesting, I hadn't considered a server core installation. These links look useful too: a PowerShell reference sheet will be handy for server core, and that book looks pretty well recommended. Thanks!

PedroAsani

Well in AD, Groups are used to better regulate and manage Access Control Lists (ACLs). For example, give 50 people access to a share on a server and the ACL has 50 entries. But if you instead add those 50 people to a Group and then give the Group the permission for the share, that is a single entry. Doesn't seem important, but it turns out that an ACL has a limit on the number of entries (about 1,800) and for large companies, abandoning Best Practice can cause problems.

The type of Groups that you use depends on what you are doing. Typically you will only be using Domain Local and Global if you are in a single Domain. Take those 50 people from earlier, say they are the Accounting department. It makes sense that people doing the same job will for most of the time require access to the same resources. So you throw them all into a Global group call Accounting-G. Now because the person who set up the file shares was unimaginative, there is a folder called Accounting. If you wanted to grant access you could simply add the Accounting-G group to the ACL. But suppose you also have Auditors, Board of Directors, etc. The Best Practice way is to use a Domain Local group for assigning permissions to a resource, and then putting the Global groups inside them. So the Accounting folder would have a Domain Local group Accounting-DL, which contains Accounting-G (and Auditors-G and BoardOfDirectors-G).

The reason to do it this way is down to how the underlying database for Active Directory works, and if you dig into that, it makes a lot more sense. But really, Global groups should be used to organise Users into manageable collections, whilst Domain Local groups should be used for assigning permissions.

GPOs don't get assigned to Groups. They are assigned to OUs. Now, Groups can be put in OUs, so in that way GPOs affect Groups. But GPOs are more about how people can do certain things. For example, when can someone log on? Can they log on using this specific machine? Can they install software, are they barred from running certain software?

I'd suggest you spin up some DCs and just start making fake company structures. Write out the scenarios in a real world way: Business A has n departments, with needs to access the following resources {resource1, resource2...}. Do this for 5 companies, and then start attempting mergers and split-offs.

Aumni

I forgot to mention that with Hyper-V Server Core - you need to have a separate machine to access the VMs on Server Core.

Stolls

PedroAsani wrote: »

Well in AD, Groups are used to better regulate and manage Access Control Lists (ACLs). For example, give 50 people access to a share on a server and the ACL has 50 entries. But if you instead add those 50 people to a Group and then give the Group the permission for the share, that is a single entry. Doesn't seem important, but it turns out that an ACL has a limit on the number of entries (about 1,800) and for large companies, abandoning Best Practice can cause problems.

The type of Groups that you use depends on what you are doing. Typically you will only be using Domain Local and Global if you are in a single Domain. Take those 50 people from earlier, say they are the Accounting department. It makes sense that people doing the same job will for most of the time require access to the same resources. So you throw them all into a Global group call Accounting-G. Now because the person who set up the file shares was unimaginative, there is a folder called Accounting. If you wanted to grant access you could simply add the Accounting-G group to the ACL. But suppose you also have Auditors, Board of Directors, etc. The Best Practice way is to use a Domain Local group for assigning permissions to a resource, and then putting the Global groups inside them. So the Accounting folder would have a Domain Local group Accounting-DL, which contains Accounting-G (and Auditors-G and BoardOfDirectors-G).

The reason to do it this way is down to how the underlying database for Active Directory works, and if you dig into that, it makes a lot more sense. But really, Global groups should be used to organise Users into manageable collections, whilst Domain Local groups should be used for assigning permissions.

GPOs don't get assigned to Groups. They are assigned to OUs. Now, Groups can be put in OUs, so in that way GPOs affect Groups. But GPOs are more about how people can do certain things. For example, when can someone log on? Can they log on using this specific machine? Can they install software, are they barred from running certain software?

I'd suggest you spin up some DCs and just start making fake company structures. Write out the scenarios in a real world way: Business A has n departments, with needs to access the following resources {resource1, resource2...}. Do this for 5 companies, and then start attempting mergers and split-offs.

This clarifies a lot. Thanks for the explanation, I think I've got a better grasp on it now.

Aumni wrote: »

I forgot to mention that with Hyper-V Server Core - you need to have a separate machine to access the VMs on Server Core.

Understood. Seems like the best idea is to start setting up dummy servers, VMs, and groups, though I'll also make use of the stuff you linked earlier.

Thanks all for the advice! I plan to take my time before the retake, so we'll see how it goes.