| Layer | On-Prem | Cloud (Azure) |
|---|---|---|
| Compute | ESXi, physical servers | Azure VMs, Scale Sets |
| Identity | AD, Domain Controllers | Entra ID, AD Connect |
| Storage | NAS, SAN, local | Blob, Files, Managed Disks |
| Network | VLANs, DNS/DHCP servers | VNet, NSG, Azure DNS |
| Backup | Rubrik appliance, tape | Rubrik archive, Azure Backup |
| Mgmt | vCenter, RSAT, RDP | Azure Portal, Monitor |
| Level | What it is | Example |
|---|---|---|
| Management Group | Container for subscriptions — enterprise governance | "All Production Subs" |
| Subscription | Billing unit. Separate Dev/Prod/Test subscriptions common. | "Heath-Production" |
| Resource Group | Logical container — deploy, manage, delete resources together. | "RG-WebServers-Prod" |
| Resource | Actual thing: VM, NIC, disk, NSG, VNet… | "VM-App01" |
| Series | Optimized For | Use Case |
|---|---|---|
| B-series | Burstable | Dev/test, light workloads |
| D-series | General purpose | Most production, web/app servers |
| E-series | Memory optimized | Databases, caching, SAP |
| F-series | Compute optimized | Batch, game servers |
| N-series | GPU | ML, rendering |
| Option | Protects Against | SLA |
|---|---|---|
| Availability Set | Rack/hardware failure in one datacenter (fault + update domains) | 99.95% |
| Availability Zones | Entire datacenter outage — VMs in physically separate buildings | 99.99% |
| Single VM + Premium SSD | Basic hardware redundancy | 99.9% |
| Disk | Use Case | IOPS |
|---|---|---|
| Standard HDD | Dev/test | Low |
| Standard SSD | Light web servers | Medium |
| Premium SSD | Production, databases — REQUIRED for SLA | High |
| Ultra Disk | SAP HANA, highest-performance DBs | Configurable up to millions |
| Component | What it does | Key fact |
|---|---|---|
| VNet | Private IP network in Azure. VMs live in subnets inside VNets. | VMs in same VNet can talk by default |
| NSG | Stateful firewall rules — allow/deny by port, protocol, IP range | Applied to subnet OR NIC. Subnet NSG = all VMs in subnet |
| Azure Bastion | Managed RDP/SSH from browser. No public IP on VM needed. | Best practice — never open 3389 to internet |
| VNet Peering | Connect two VNets privately. Microsoft backbone — no internet. | Not transitive — A↔B, B↔C ≠ A↔C |
| VPN Gateway | On-prem to Azure over encrypted tunnel (public internet) | Lower cost, higher latency than ExpressRoute |
| ExpressRoute | Dedicated private circuit from on-prem to Azure. No internet. | Higher cost, lower latency, more reliable |
| Private Endpoint | Azure service (Blob, SQL) accessed via private IP in your VNet | Traffic never leaves Microsoft network |
| On-Prem AD | Azure AD / Entra ID | |
|---|---|---|
| Protocol | Kerberos, LDAP, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Structure | OUs, GPOs, Sites & Services | Flat — uses Conditional Access + Intune for policy |
| Auth | Domain Controller validates Kerberos tickets | Cloud token-based, supports passwordless |
Start-ADSyncSyncCycle -PolicyType DeltaYou know AWS naming. Here's how everything maps so you can translate instantly in an interview.
| AWS | Azure Equivalent | What it does |
|---|---|---|
| EC2 | Azure Virtual Machines | IaaS virtual servers. You manage OS up. Same concept — pick size, OS, attach storage, configure networking. |
| EC2 Auto Scaling Group | VM Scale Sets (VMSS) | Auto-scale VMs based on load rules. Min/max/desired counts. |
| Lambda | Azure Functions | Serverless — run code without managing servers. Event-triggered, pay per execution. |
| ECS / EKS | Azure Container Instances / AKS | Run containers. AKS = managed Kubernetes. ACI = single containers without orchestration. |
| Elastic Beanstalk | Azure App Service | PaaS for web apps. Deploy code, platform manages runtime, scaling, patching. |
| AMI (Amazon Machine Image) | Azure VM Image / Shared Image Gallery | Pre-configured OS image used to launch VMs. Azure equivalent = custom VM image captured via Sysprep + generalize. |
| Spot Instance | Azure Spot VM | Discounted unused capacity — can be evicted with 2min notice. Dev/test, batch jobs. |
| Reserved Instance (RI) | Azure Reserved VM Instance | 1 or 3 year commitment for significant discount vs pay-as-you-go. Same VM, lower cost. |
| AWS | Azure Equivalent | What it does |
|---|---|---|
| S3 | Azure Blob Storage | Object storage. HTTP API. Buckets → Containers. Keys → Blob names. You used S3 at CMS — same thing. |
| S3 Storage Classes (Standard / IA / Glacier) | Blob Tiers (Hot / Cool / Archive) | Tiered storage by access frequency. Glacier ≈ Archive tier — cheap, slow retrieval (hours). |
| EBS (Elastic Block Store) | Azure Managed Disks | Block storage attached to VMs. Types map roughly: gp3 ≈ Premium SSD, io2 ≈ Ultra Disk. |
| EFS (Elastic File System) | Azure Files | Managed NFS/SMB file share — mountable from multiple VMs simultaneously. Shared storage. |
| S3 Glacier | Azure Blob Archive tier | Cheapest long-term archive. Retrieval takes hours. Both used for compliance/DR archival. |
| AWS Backup | Azure Backup | Centralized backup service for cloud resources. Policies, retention, vaults. You used Dell CSM on top of AWS — Azure Backup is native. |
| Storage Gateway | Azure File Sync / StorSimple | Hybrid — on-prem to cloud storage bridge. Cache frequently used files on-prem, tier cold data to cloud. |
| AWS | Azure Equivalent | Notes |
|---|---|---|
| VPC | VNet (Virtual Network) | Private network in the cloud. VPC = VNet. Subnets work the same way in both. |
| Security Group | NSG (Network Security Group) | Stateful firewall rules. AWS SG applies at instance level. Azure NSG applies at subnet or NIC level. |
| NACL (Network ACL) | NSG (subnet-level) | Stateless ACL in AWS. Azure NSG is stateful but applied at subnet scope — closest equivalent. |
| Internet Gateway | Azure Internet — built in | VNet subnets with public IPs have outbound internet by default. No separate gateway resource needed like AWS IGW. |
| NAT Gateway | Azure NAT Gateway | Outbound internet for private subnets. Same concept, same name. |
| VPC Peering | VNet Peering | Connect two VPCs/VNets privately. Neither is transitive — A↔B, B↔C does NOT give A↔C. |
| Transit Gateway | Azure Virtual WAN / Route Server | Hub-and-spoke networking — connect many VPCs/VNets centrally. Transit Gateway is more mature in AWS currently. |
| Direct Connect | ExpressRoute | Dedicated private circuit from on-prem to cloud. Not over internet. Lower latency, more reliable, more expensive. |
| Site-to-Site VPN | VPN Gateway (Site-to-Site) | IPsec VPN over public internet from on-prem to cloud. Lower cost, higher latency than Direct Connect/ExpressRoute. |
| Route 53 | Azure DNS | DNS hosting. Route 53 also does health checks and traffic routing (latency-based, failover) — Azure Traffic Manager handles that separately. |
| ELB / ALB / NLB | Azure Load Balancer / App Gateway | NLB ≈ Azure Load Balancer (L4). ALB ≈ Azure Application Gateway (L7 — HTTP/HTTPS, WAF). Azure Front Door = global L7 + CDN + WAF. |
| CloudFront | Azure CDN / Azure Front Door | CDN — cache content globally close to users. Front Door adds routing and WAF on top. |
| AWS | Azure Equivalent | Notes |
|---|---|---|
| IAM | Azure RBAC + Entra ID | Access control. AWS IAM = users, roles, policies. Azure splits it: Entra ID for identity, RBAC for resource permissions. More granular in Azure at resource level. |
| IAM Role (EC2 instance role) | Managed Identity | Lets a VM/service authenticate to other cloud services without storing credentials in code or config. |
| AWS Organizations / SCPs | Azure Management Groups + Azure Policy | Govern multiple accounts/subscriptions. Enforce policy at org level. SCPs ≈ Azure Policy deny effects. |
| AWS SSO / IAM Identity Center | Entra ID (Azure AD) + Conditional Access | SSO and access governance. Azure Conditional Access is more tightly integrated with device compliance and risk signals. |
| AWS Secrets Manager | Azure Key Vault | Store and rotate secrets, passwords, API keys, TLS certificates. Managed Identity grants services access to Key Vault without credentials. |
| AWS KMS | Azure Key Vault (keys) | Encryption key management. Customer-managed keys for encrypting storage, disks, databases. |
| AWS Shield / WAF | Azure DDoS Protection / Azure WAF | DDoS mitigation and web application firewall. WAF in Azure runs on App Gateway or Front Door. |
| GuardDuty | Microsoft Defender for Cloud | Threat detection across cloud resources. Analyzes logs and signals for malicious activity, misconfigurations. |
| AWS Config | Azure Policy + Defender for Cloud | Compliance posture — are your resources configured correctly? Enforces rules and reports drift. |
| AWS | Azure Equivalent | Notes |
|---|---|---|
| CloudWatch Metrics | Azure Monitor Metrics | Time-series numeric data from resources. CPU, network, disk. Both auto-collected. Set alarms/alerts on thresholds. |
| CloudWatch Logs | Log Analytics Workspace | Centralized log store. CloudWatch Logs Insights (query) ≈ KQL in Log Analytics. Both aggregate logs from many sources. |
| CloudWatch Alarms | Azure Monitor Alert Rules + Action Groups | Alert on metric/log condition → notify (email, SMS, webhook, PagerDuty). Action Groups = SNS Topics in AWS. |
| CloudTrail | Azure Activity Log | API-level audit trail — who did what to which resource and when. Critical for security forensics. |
| AWS Systems Manager (SSM) | Azure Arc + Azure Automation | Manage servers (cloud and on-prem) remotely. Run scripts, patch, inventory without opening inbound ports. SSM Session Manager ≈ Azure Bastion for SSH/RDP. |
| AWS Cost Explorer | Azure Cost Management + Billing | Analyze spend by service, tag, time period. Set budgets and alerts. Both support reserved instance recommendations. |
| AWS Trusted Advisor | Azure Advisor | Best practice recommendations — cost optimization, security, reliability, performance. Flags unused resources, open security groups, etc. |
| CloudFormation | ARM Templates / Bicep | Infrastructure as Code. Define resources in JSON/YAML (CFN) or JSON/Bicep (ARM). Both declarative — define desired state, cloud figures out how to get there. Terraform works on both. |
| AWS | Azure Equivalent | Notes |
|---|---|---|
| RDS | Azure SQL Database / Azure Database for MySQL/PostgreSQL | Managed relational databases. RDS SQL Server ≈ Azure SQL Database. Same concept — managed engine, you handle schema/data. |
| DynamoDB | Azure Cosmos DB | Managed NoSQL. Both globally distributed, low latency, serverless options. Different data models (DynamoDB = key-value/doc, Cosmos = multi-model). |
| ElastiCache | Azure Cache for Redis | Managed Redis or Memcached. In-memory caching for app performance. |
| SQS | Azure Service Bus / Storage Queues | Message queuing — decouple app components. SQS ≈ Storage Queues (simple). SNS+SQS fan-out ≈ Service Bus Topics. |
| SNS | Azure Event Grid / Service Bus | Pub/sub messaging. Event Grid = event routing. Service Bus = enterprise messaging with queues and topics. |
Every migration strategy falls into one of these. Know them — interviewers love this.
| Strategy | Also called | What it means | When to use |
|---|---|---|---|
| Rehost | "Lift and Shift" | Move the VM/server as-is to the cloud. No changes to the app or OS. Fastest migration path. | Legacy apps you can't modify, tight migration deadlines, first wave of a large migration |
| Replatform | "Lift, Tinker, and Shift" | Minor optimizations without changing core architecture. Example: move on-prem MySQL → Azure Database for MySQL (managed). App stays the same, engine is now managed. | Get managed service benefits without full refactor. DB maintenance, patching, backups handled for you. |
| Refactor / Re-architect | "Re-architect" | Redesign the application to be cloud-native. Break monolith into microservices, adopt containers, serverless, etc. Highest value, highest effort. | Apps that need to scale dynamically, modernization initiatives, long-term investment |
| Repurchase | "Drop and Shop" | Replace on-prem software with a cloud SaaS equivalent. Example: on-prem Exchange → Exchange Online (M365). On-prem CRM → Salesforce. | When the SaaS alternative is better and cheaper than maintaining on-prem |
| Retire | Decommission | Identify apps/servers that are no longer needed. Turn them off. Saves money, reduces attack surface. | During discovery — typically 10–30% of workloads can be retired |
| Retain | "Revisit" | Keep it on-prem for now. Not ready to migrate — compliance, latency, dependency, or cost doesn't justify it yet. | Mainframes, apps with specialized hardware, regulatory requirements, recently upgraded systems |
| Phase | Steps | Tools / Notes |
|---|---|---|
| 1. Discover & Assess |
Inventory all servers, apps, dependencies. Identify what talks to what (dependency mapping). Classify by criticality and migration strategy (6 R's). Estimate cloud costs. |
AWS: Migration Evaluator, Application Discovery Service Azure: Azure Migrate (free), Movere Both: Cloudamize, Risc Networks, manual CMDB |
| 2. Plan & Design |
Define migration waves (which workloads move together). Design target architecture (VNet layout, subnets, NSGs). Plan identity (AD Connect, hybrid auth). Set up landing zone (subscriptions, networking, IAM baseline). Establish naming conventions and tagging strategy. Define rollback plan for each wave. |
Azure Landing Zone (Microsoft CAF framework) Azure Blueprints — deploy governance guardrails Draw.io, Visio for architecture diagrams |
| 3. Pilot Migration |
Migrate 1–3 non-critical workloads first. Test the migration tooling end to end. Validate networking, DNS, authentication. Document what broke and fix the process. | Run a full cycle: migrate → test → roll back → migrate again. Build confidence before touching critical systems. |
| 4. Migrate |
Execute in waves by dependency group. For each workload: replicate → test → cut over → validate → decommission old. Keep on-prem running in parallel until validation passes. Update DNS after cutover. Notify stakeholders of maintenance windows. |
Azure: Azure Site Recovery (ASR) for lift-and-shift VMs Azure Database Migration Service for databases Storage Migration Service for file servers AWS: AWS Server Migration Service, CloudEndure |
| 5. Optimize & Operate |
Right-size VMs based on actual utilization. Set up monitoring, alerting, backup policies. Apply Reserved Instances for stable workloads. Clean up — decommission on-prem hardware. Set up FinOps — ongoing cost governance. | Azure Advisor, Cost Management, Defender for Cloud. This phase never ends — cloud optimization is continuous. |
| Risk | Mitigation |
|---|---|
| Undiscovered dependencies (app calls a server nobody knew about) | Run dependency mapping tools for 2–4 weeks before migration. Use network flow analysis. Never skip discovery. |
| DNS propagation delays during cutover | Lower TTL to 60 seconds 48hrs before cutover. After migration, TTL can be raised again. |
| Performance worse in cloud than on-prem | Right-size based on performance data (not just current VM size). On-prem VMs are often overprovisioned. Profile before and after. |
| Cost higher than estimated | Use Reserved Instances, right-size aggressively, implement auto-shutdown for dev/test, use Blob lifecycle policies. |
| Data not fully replicated at cutover | Verify replication lag is zero before triggering cutover. Run validation queries on both sides for databases. |
| Rollback needed mid-migration | Keep on-prem running until sign-off. Have a documented rollback runbook with DNS revert steps before every migration window. |
Imagine your company has physical servers sitting in a room — a data center or server closet. Those servers run everything: file shares, databases, websites, Active Directory. You own the hardware. You maintain it. When it breaks, you fix it.
"Migrating to the cloud" means: stop running that stuff on your hardware, and run it on Microsoft's hardware (Azure) instead. You rent compute, storage, and networking from Microsoft. Your software still runs — it just runs somewhere else, and Microsoft owns and maintains the physical machines.
That's it. Everything else is just how you move each piece, and what you decide to do with each app along the way.
When you look at each server or application, you have to decide: what actually happens to it? The industry gave these decisions names:
Free tool in the Azure portal. You download a small VM appliance (OVA file) and import it into VMware or Hyper-V on-prem. It scans your environment for ~30 days, collects performance data, then uploads to Azure. You get:
Trend Micro Deep Security is an enterprise cloud workload protection platform (CWPP) — a security agent installed on servers (Windows and Linux) that protects them from threats at the OS and network level. It runs on physical servers, VMs, and cloud instances (AWS EC2, Azure VMs).
Think of it as the security layer inside the server — complementing the network firewall (which sits outside). It watches what's happening on the host itself.
| Module | What it does | Plain English |
|---|---|---|
| Anti-Malware | Real-time malware scanning of files and processes. Signature + behavioral detection. | Antivirus for servers — catches malware before it runs or as it runs. |
| IDS/IPS (Intrusion Detection/Prevention) | Inspects network traffic going in/out of the host. Detects and blocks known attack patterns. | Watches network traffic at the server level. Blocks exploit attempts even if the OS patch isn't applied yet (virtual patching). |
| Integrity Monitoring | Watches files, directories, registry keys for unauthorized changes. Alerts when something unexpected is modified. | "Someone changed a config file or system binary that shouldn't have changed." Detects tampering. |
| Log Inspection | Collects and filters OS and app logs. Forwards security-relevant events to SIEM. Reduces noise. | Reads logs and surfaces the ones that matter for security — failed logons, privilege escalation, service changes. |
| Firewall | Host-based firewall on the server. Controls inbound/outbound traffic by rule at the OS level. | Extra firewall layer inside the server itself, independent of the network firewall. |
| Application Control | Whitelist what software is allowed to run on the server. Block everything else. | "Only our approved apps run here." Stops unauthorized software and ransomware from executing. |
| Virtual Patching | IPS rules that block exploitation of known vulnerabilities — even before the OS/app patch is applied. | Buys you time between when a CVE drops and when you can patch. The IPS rule blocks the exploit in transit. |
| They ask about... | Your Trend Micro bridge | Azure/Modern equivalent |
|---|---|---|
| Endpoint/server security | "At CMS I managed Trend Micro Deep Security protecting 100+ hybrid cloud servers — anti-malware, IDS/IPS, integrity monitoring, and log inspection across Windows and Linux." | Microsoft Defender for Servers / Defender for Endpoint |
| IDS/IPS | "Deep Security's IPS module — virtual patching protected servers against known CVEs while we worked through the patch cycle." | Azure Firewall Premium (IDPS), NSG Flow Logs, Defender for Cloud |
| Security monitoring / SIEM | "Deep Security's log inspection module collected and forwarded security events from 100+ servers — failed logons, file integrity alerts, privilege escalation — reducing noise before it reached the SIEM." | Azure Monitor / Log Analytics / Microsoft Sentinel |
| Compliance / hardening | "Deep Security's integrity monitoring gave us evidence that system files and configs hadn't been tampered with — important for HIPAA compliance on the CMS contract." | Defender for Cloud compliance reports, Azure Policy |
| Cloud workload protection | "Deep Security ran on both on-prem servers and AWS/Azure VMs — it's a CWPP. I've applied the same security posture across hybrid environments." | Microsoft Defender for Cloud (formerly Azure Security Center) |
| Layer | Component | What it does |
|---|---|---|
| Hardware | Physical server (x86) | CPU, RAM, NICs, HBAs, local disks |
| Hypervisor | ESXi | Bare-metal hypervisor. Tiny footprint OS. VMs run on top. |
| Management | vCenter (VCSA) | Centralized management VM. Enables all advanced features — vMotion, HA, DRS. Without vCenter = per-host management only. |
| Platform | vSphere | Product suite name. ESXi + vCenter = vSphere. |
| Cluster | Cluster | Group of ESXi hosts managed together. Required for HA/DRS/vMotion. |
| Feature | Trigger | Downtime? | Requires |
|---|---|---|---|
| vMotion | Admin-initiated — move running VM to another host | Zero | vCenter, shared storage, compatible CPUs |
| Storage vMotion | Admin-initiated — move VM's disks between datastores while running | Zero | vCenter |
| vHA | Automatic — host fails unexpectedly | ~5 min restart time | vCenter, cluster, 2+ hosts |
| DRS | Automatic — load balances VMs across hosts via vMotion | Zero (vMotion) | vCenter, cluster, shared storage |
| FT | Shadow VM runs lockstep — instantaneous takeover | Zero | Specific CPU/NIC, high overhead — critical VMs only |
| Type | Space Allocated | Zeroed | Performance | Best For |
|---|---|---|---|---|
| Thin | On demand — starts small, grows | On write | Slight overhead | Dev/test, storage-constrained |
| Thick Lazy Zeroed | Full space at creation | On first write | Good | General production |
| Thick Eager Zeroed | Full space at creation | At creation | Best — consistent | Databases, FT VMs, highest performance |
| Type | Protocol | Notes |
|---|---|---|
| VMFS | Local / FC / iSCSI (block) | VMware's own FS. Multiple hosts can mount simultaneously. Most common for SAN. |
| NFS | NFS (file) | Mount NAS as datastore. Simple. Your EMC Isilon datastores at Disney were NFS. |
| vSAN | VMware software-defined | Pools ESXi host local disks into shared datastore. HCI — no external storage needed. |
| Standard vSwitch (VSS) | Distributed Switch (VDS) | |
|---|---|---|
| Scope | Single ESXi host | Cluster-wide — multiple hosts |
| Managed from | Host directly | vCenter only |
| Config | Each host separately | Central — VMs keep settings when vMotioned |
| Enterprise features | Basic | LACP, NetFlow, port mirroring, NIOC |
| Port Type | Traffic | Notes |
|---|---|---|
| Management | Host mgmt, SSH, vCenter comm | Required — configured first |
| vMotion | Live VM migration traffic | Dedicated NIC/VLAN recommended |
| vSAN | vSAN storage between hosts | Required for vSAN clusters |
| iSCSI | iSCSI SAN connectivity | For iSCSI-backed VMFS |
| NFS | NFS datastore connectivity | Used for Isilon NFS mounts |
| Fault Tolerance | FT logging — primary to shadow | Very low latency required |
You ran 500+ concurrent Horizon sessions at CMS. This is your VDI story.
| Component | What it does | Your experience |
|---|---|---|
| Connection Server | Authentication broker. User connects here → gets directed to an available desktop from their pool. Runs on Windows Server. | Administered at CMS |
| Desktop Pool | Collection of VMs users can connect to. Can be dedicated (1 user always gets same VM) or floating (any available VM). | Managed pools at CMS |
| Instant Clone | VM "forked" from a running parent VM at login using vmFork. Provisioned in seconds. Stateless — wiped clean at logoff. Most scalable deployment type. | Configured at CMS |
| Linked Clone | Shares a base disk with parent, has own delta disk. Persistent — user's changes survive reboots. Slower to provision than instant clone. | Familiar |
| Full Clone | Complete independent copy of parent VM. Most storage, most flexibility. Used for long-term dedicated desktops. | Familiar |
| DEM (Dynamic Environment Manager) | Manages user profiles, folder redirection, app settings, env variables. Since instant clones are stateless (wiped at logoff), DEM is what saves the user's settings and data between sessions. | ✅ Configured at CMS |
| App Volumes | Application layering — apps packaged into virtual disks (AppStacks) attached to the VM at login. User gets their apps without them being installed in the master image. Fast app delivery. | Familiar |
| Unified Access Gateway (UAG) | Reverse proxy appliance in DMZ. External users connect to UAG — it authenticates and proxies traffic to internal Connection Server. Replaced Security Server. | Familiar |
| Protocol | What it is | Best for |
|---|---|---|
| Blast Extreme | VMware's modern protocol. HTML5/WebRTC-based. Works in browser. Adaptive bitrate. | Most use cases — LAN and WAN. Default choice. |
| PCoIP | Teradici's protocol. Older, Horizon still supports it. Hardware-accelerated on Teradici devices. | Environments with existing PCoIP hardware |
| RDP | Standard Microsoft RDP. Fallback. | Basic/legacy access only |
DEM captures user environment settings and stores them in a network location (file share or SDRS). At login, DEM restores the user's settings to the session — even on an instant clone that has never seen that user before. At logoff, DEM saves any changes back to the store.
| Scope | Contains | Assign permissions in | Use for |
|---|---|---|---|
| Global | Users from same domain | Any domain | Organizing users (by dept, role) |
| Domain Local | Users/groups from any domain | Same domain only | Resource access (shares, printers) |
| Universal | Anything | Anywhere | Multi-domain forests |
AGDLP: Accounts → Global groups → Domain Local groups → Permissions. Classic AD best practice.
GPOs are applied in this order. Later wins (unless enforced/No Override):
| Order | Level | Applied to |
|---|---|---|
| 1 | Local | Local machine policy (gpedit.msc) — lowest priority |
| 2 | Site | AD Site the computer belongs to |
| 3 | Domain | The domain level — default domain policy lives here |
| 4 | OU | OU GPOs — child OUs override parent OUs |
| GPO Type / Category | What it controls | Example settings |
|---|---|---|
| Security Policy | Password rules, account lockout, audit policy, user rights assignments, security options | Min password length: 12, Lockout after 5 bad attempts, Audit logon events, "Deny logon locally" for service accounts |
| Software Deployment | Push/install MSI packages to users or computers silently | Deploy 7-Zip.msi to all workstations, push VPN client to remote users OU, assign Office to specific department |
| Drive / Folder Mapping | Map network drives at login. Item-level targeting by group, department, OS. | Map H: to \\server\users\%username%, Map S: to \\server\shared only for "Finance" security group |
| Printer Deployment | Deploy printers to computers or users based on OU or group | Add \\printserver\HP-Floor3 to all computers in "Floor3-Computers" OU |
| Desktop Restrictions | Lock down what users can do on the desktop | Disable Control Panel, hide drives, remove "Run" from Start menu, set desktop wallpaper, disable Task Manager |
| Windows Firewall | Configure inbound/outbound firewall rules centrally | Allow RDP from IT subnet only, block outbound on port 25 from workstations, enable firewall on all profiles |
| BitLocker (Encryption) | Enforce disk encryption on Windows machines | Require BitLocker on OS drive, store recovery key in AD, set encryption strength (AES-256) |
| USB / Removable Media | Control USB storage device access | Deny write access to removable storage, block USB drives entirely on secure workstations, allow only approved device classes |
| Browser / Internet Settings | Configure IE/Edge/Chrome settings via ADMX templates | Set homepage, add trusted sites, disable browser history, deploy bookmarks/favorites, configure proxy settings |
| Windows Update / WSUS | Direct machines to WSUS server, set update schedule | Point to internal WSUS server, auto-install updates at 3am, set maintenance window, configure update categories |
| Registry Settings | Push specific registry keys/values to machines | Disable SMBv1 via registry, set NTP server, configure application-specific settings without ADMX template |
| Script Deployment | Run scripts at startup, shutdown, logon, logoff | Startup script: map drives, check disk space, update inventory. Logoff script: sync offline files. Logon: set environment variables. |
| Power Management | Configure sleep, hibernate, screen timeout | Never sleep on servers, 15-min screen lock on workstations, require password on resume |
| AppLocker / Software Restriction | Whitelist or blacklist what software can run | Only allow signed executables from trusted publishers, block .exe from %TEMP%, prevent running unapproved software |
| VDI / Loopback GPO | Apply computer-side GPOs to user sessions on VDI | Disable USB redirection, lock down desktop, redirect folders to network share, apply DEM settings via GPO triggers |
| Record | Maps | Example |
|---|---|---|
| A | Hostname → IPv4 | server01.co.com → 10.0.0.50 |
| AAAA | Hostname → IPv6 | server01.co.com → 2001:db8::1 |
| CNAME | Alias → another hostname | mail.co.com → exchange01.co.com |
| MX | Domain → mail server | co.com → mail.co.com (priority 10) |
| PTR | IP → hostname (reverse DNS) | 10.0.0.50 → server01.co.com |
| SRV | Service location | AD clients use SRV to find domain controllers |
| TXT | Text — SPF, DKIM, domain verify | "v=spf1 include:sendgrid.net ~all" |
| Zone | What it is |
|---|---|
| AD-Integrated | Stored in AD. Replicates via AD replication. All DCs with DNS = primary (multi-master). Secure DDNS. Best practice for internal. |
| Primary | Writable authoritative copy. One server holds it. |
| Secondary | Read-only copy from primary. Redundancy + load distribution. |
| Stub | Only NS/SOA/A records. Points to authoritative servers for a zone without hosting full copy. |
| Step | Message | What happens |
|---|---|---|
| 1 | Discover | Client broadcasts "I need an IP" to 255.255.255.255 |
| 2 | Offer | DHCP server offers an available IP |
| 3 | Request | Client accepts the offer, broadcasts to inform all servers |
| 4 | Acknowledge | Server confirms — client now has the IP |
| Option # | Sets |
|---|---|
| 003 | Default Gateway |
| 006 | DNS Servers |
| 015 | DNS Domain Name (search suffix) |
| Filesystem | Max File Size | Max Volume | Use Case & Key Facts |
|---|---|---|---|
| NTFS | 16 TB | 256 TB | Standard for all Windows servers and workstations. Supports permissions (ACLs), encryption (EFS), compression, quotas, journaling (recovers from crashes), symbolic links, alternate data streams. You live here. |
| ReFS (Resilient FS) | 16 EB | 4.7 EB | Designed for large data, storage spaces, Hyper-V VHDs. Self-healing — detects/corrects corruption automatically. Does NOT support: boot volumes, EFS encryption, NTFS compression, dedup on some versions. Server 2012+ |
| FAT32 | 4 GB | 2 TB | Legacy. USB drives, removable media, boot partitions for EFI. No permissions. No journaling. Can't store files over 4GB — common pain point for large ISOs. |
| exFAT | 128 PB | 128 PB | Modern replacement for FAT32 on removable media. Large files OK. No permissions. Cross-platform (Windows/Mac/Linux). USB drives, SD cards. |
| Permission | What it allows |
|---|---|
| Full Control | Read, write, modify, delete, change permissions, take ownership |
| Modify | Read, write, delete files/folders — cannot change permissions |
| Read & Execute | View and run files — cannot modify |
| Read | View file contents and attributes only |
| Write | Create files and folders, modify content — cannot delete |
| List Folder Contents | View folder contents only (folders, not files) |
| Filesystem | Notes | Common Use |
|---|---|---|
| ext4 | Default for most Linux distros. Journaling, mature, stable. Max file 16TB, max volume 1EB. | Root partition, most Linux servers |
| XFS | High-performance, scalable. Excellent for large files and high-throughput workloads. RHEL default since v7. | Large data, media, databases, RHEL servers |
| Btrfs | Copy-on-write, built-in snapshots, RAID, checksums. Modern but less proven than ext4 for enterprise production. | Snapshots, Fedora, some enterprise use |
| ZFS | Enterprise-grade. Built-in RAID (RAIDZ), snapshots, compression, dedup, checksums. Memory-hungry. Not in mainline kernel. | Storage servers, FreeBSD/Solaris, NAS appliances |
| NFS | Network filesystem — mount remote shares over network. Your Isilon exports were NFS. | Shared storage, VMware NFS datastores, home dirs |
| tmpfs | RAM-based filesystem. Extremely fast. Lost on reboot. Mounted at /tmp, /run. | Temporary files, fast scratch space |
| Tool | What it does | Complexity |
|---|---|---|
| Sysprep | Generalizes a Windows installation — removes machine-specific info (SID, hostname, hardware config) so it can be deployed to other hardware. Required before capturing any Windows image. | Basic — built into Windows |
| WDS (Windows Deployment Services) | PXE boot server — workstations boot from network and pull a WIM image. Basic deployment. Built into Windows Server. | Low — simple environments |
| MDT (Microsoft Deployment Toolkit) | Free toolkit from Microsoft. Task sequences to automate full OS deployment: format disk → apply WIM → install drivers → apply updates → join domain → install apps. Works standalone or integrated with SCCM/Intune. | Medium — small/mid-size orgs |
| SCCM / MECM | Enterprise Microsoft tool. Full lifecycle: OS deployment, software deployment, patch management, inventory, compliance. OSD (OS Deployment) task sequences are the gold standard for large orgs. | High — enterprise |
| Clonezilla | Open-source disk cloning. Sector-by-sector copy or partition-level. Good for small shops, bare-metal recovery, physical-to-physical cloning. | Low |
| Intune Autopilot | Modern cloud-based zero-touch provisioning. New device registers with Autopilot → user signs in with Azure AD credentials → Intune pushes apps, config, policies automatically. No imaging required. | Medium — modern cloud shops |
sysprep /generalize /oobe /shutdown — removes SID, hostname, and resets to Out-of-Box Experience. Machine shuts down.dism /Capture-Image /ImageFile:C:\images\win11.wim /CaptureDir:C:\ /Name:"Win11-Base"dism /Add-Driver| Port | Protocol | Service |
|---|---|---|
| 22 | SSH | Secure shell — Linux/network device remote access |
| 25 | SMTP | Email sending (server to server) |
| 53 | DNS | Domain Name System |
| 67/68 | DHCP | IP address assignment |
| 80 | HTTP | Web traffic (unencrypted) |
| 88 | Kerberos | AD authentication |
| 135/445 | SMB/RPC | Windows file sharing, AD communication |
| 389/636 | LDAP/LDAPS | AD queries (636 = encrypted) |
| 443 | HTTPS | Secure web traffic |
| 3389 | RDP | Remote Desktop — never expose to internet |
| 5985/5986 | WinRM | PowerShell remoting (5986 = HTTPS) |
| CIDR | Subnet Mask | Hosts | Common Use |
|---|---|---|---|
| /24 | 255.255.255.0 | 254 | Standard office subnet |
| /25 | 255.255.255.128 | 126 | Split /24 in half |
| /26 | 255.255.255.192 | 62 | Small department |
| /30 | 255.255.255.252 | 2 | Point-to-point links |
| /16 | 255.255.0.0 | 65,534 | Large enterprise / VNet |
Set-SmbServerConfiguration -EnableSMB1Protocol $false/etc/ssh/sshd_config set PermitRootLogin noPasswordAuthentication no in sshd_config.AllowUsers or AllowGroups in sshd_config to limit who can SSH in./etc/security/pwquality.conf — min length, complexity requirements.chage -M 90 -W 14 username (expire after 90 days, warn 14 days before).firewalld (RHEL/CentOS) or ufw (Ubuntu). Block everything, allow only what's needed.ss -tulnp or netstat -tulnp. Close anything not in use./etc/sysctl.conf./etc/hosts.allow, /etc/hosts.deny) for legacy service restriction.systemctl disable --now <service>yum update -y (RHEL) or apt upgrade -y (Ubuntu). Automate with cron or unattended-upgrades.find / -perm /4000 -type f — know what has elevated permissions./etc/sudoers — use visudo, limit commands, use groups not individual users.Microsoft 365 (formerly Office 365) is a SaaS subscription that bundles cloud productivity apps, security, and device management. For a sysadmin, the key services you'd touch:
| Service | What it is | Admin tasks |
|---|---|---|
| Exchange Online | Cloud email platform. Replaces on-prem Exchange Server for most orgs. | Create/manage mailboxes, shared mailboxes, distribution groups, aliases, mail flow rules, spam filtering |
| SharePoint Online | Cloud document management and intranet platform. | Create sites/libraries, manage permissions, storage quotas |
| OneDrive for Business | Per-user cloud file storage. 1TB+ per user. | Monitor storage, recover deleted files, external sharing policy |
| Teams | Chat, video, collaboration. Backed by SharePoint (file storage) and Exchange (calendar, voicemail). | Create teams/channels, guest access, meeting policies, calling plans |
| Intune | MDM/MAM — manage devices and apps from Entra ID. Part of M365. | Device enrollment, compliance policies, app deployment |
| Entra ID (Azure AD) | Identity backbone for all M365 services. Users, MFA, Conditional Access. | User management, license assignment, MFA enforcement, Conditional Access policies |
| Defender for M365 | Security layer: anti-phishing, Safe Links, Safe Attachments, attack simulation. | Configure policies, review threats, run simulations |
| Type | What it is | License needed? |
|---|---|---|
| User Mailbox | Standard personal mailbox for one user | Yes — M365 license required |
| Shared Mailbox | Accessed by multiple users (e.g., info@company.com, helpdesk@). No one logs into it directly. | No license if under 50GB |
| Room Mailbox | Represents a meeting room. Users invite the room. Auto-accepts/declines based on availability. | No license required |
| Equipment Mailbox | Like room but for equipment (projectors, AV cart) | No license required |
| Archive Mailbox | Additional mailbox storage that auto-archives old email. Requires compliance license. | E3 or above |
| Plan | Key Inclusions | Typical Use |
|---|---|---|
| M365 Business Basic | Exchange Online, Teams, SharePoint, OneDrive — web/mobile only | Light users, frontline workers |
| M365 Business Standard | Above + desktop Office apps (Word/Excel/PowerPoint) | Most office users |
| M365 Business Premium | Above + Intune, Defender, Azure AD P1, advanced security | SMB that needs security features |
| M365 E3 | Full desktop Office, advanced compliance, archive mailbox, Azure AD P1 | Enterprise |
| M365 E5 | E3 + Defender for M365, Azure AD P2, Power BI Pro, voice | Enterprise with advanced security/compliance |
Set-MsolUserLicense (older) or Set-AzureADUserLicense / Graph API (modern).| Tool | Platform | Key Capabilities | Your Level |
|---|---|---|---|
| Intune | Windows, Mac, iOS, Android | Enrollment, compliance policies, app deployment, BitLocker, Conditional Access integration | Limited — bridge via BigFix |
| JAMF Pro | Mac / Apple ecosystem | Mac DEP/ADE enrollment, profiles, scripts, app catalog, OS updates, inventory | None — bridge via BigFix concepts |
| BigFix | Windows, Linux, Mac, AIX | Patch mgmt, software deployment, compliance reporting, custom fixlets | Real — Disney + CMS |
| Horizon DEM | Windows VDI | Profile management, app config, folder redirection | Real — CMS 2,000+ users |
| Type | Protocol | Access Model | Use Case | Your Experience |
|---|---|---|---|---|
| DAS | SATA, SAS, NVMe | Block — single server | OS drives, local DBs | Server disks generally |
| NAS | NFS (Linux), SMB (Windows) | File — shared over network | File shares, home dirs, VMware NFS datastores | ✅ EMC Isilon — 3 clusters Disney |
| SAN | Fibre Channel, iSCSI | Block — presented as local disk | VMware VMFS datastores, databases | iSCSI experience |
| Object Storage | HTTP/S REST API | Object — flat, metadata-rich | Backups, archives, logs at scale | ✅ AWS S3, Azure Blob at CMS |
| vSAN | VMware proprietary | Block distributed across ESXi hosts | HCI — no external storage | Conceptual |
| Type | Captures | Backup Speed | Restore Speed | Storage | Notes |
|---|---|---|---|---|---|
| Full | Everything, every time | Slowest | Fastest — one set | Most | Foundation of any backup strategy. Required to start any chain. |
| Incremental | Changed since LAST backup (any type) | Fastest | Slowest — need full + all incrementals | Least | Long restore chain = restore risk. Rubrik avoids this with incremental-forever + synthetic full. |
| Differential | Changed since last FULL | Medium (grows daily) | Fast — full + 1 diff | Medium (grows until next full) | Simpler restore than incremental. Grows large before the next full. |
| Snapshot | Point-in-time storage state (delta) | Near-instant | Near-instant | Grows as changes accumulate | NOT a backup — same storage system. Safety net for changes. Rubrik captures snapshots then moves data off to its own storage. |
| CDP | Every write in real time | Always running | Any point in time | High | Near-zero RPO. Used for critical DBs. High overhead. |
| Synthetic Full | Constructs full from existing chain without reading source | Server-side process | Fastest — treated as full | Efficient | Rubrik's secret weapon. All recovery points look like fulls. No weekly full backup window needed. |
| Mirror/Clone | Exact copy of data, updated continuously | Continuous | Instant — already a full copy | 2x | RAID-1 or replication. Not backup by itself — doesn't protect against logical corruption or ransomware. |
| Dell CloudSnapshot Manager | Rubrik Equivalent |
|---|---|
| Tag-based policy assignment | SLA Domain assigned to objects (VMs, filesets, DBs) |
| Backup policy (frequency + retention) | SLA Policy (frequency, retention tiers, archival rules) |
| EBS Snapshot | Rubrik incremental-forever snapshot (stored in Rubrik cluster) |
| Cross-region snapshot copy | Rubrik replication to secondary cluster OR cloud archive to Azure/S3 |
| Restore from snapshot | Instant recovery / live mount or full restore from RSC |
| CSM web UI | Rubrik Security Cloud (RSC) — centralized SaaS console |
| Scenario | Backup Type Used | How Rubrik Does It |
|---|---|---|
| First ever backup of a workload | Full | Reads all data and ingests to the Rubrik cluster. Foundation of the protection chain. |
| All subsequent scheduled backups | Incremental-forever | Only changed blocks since last backup transferred. No periodic full needed. Dedup + compression applied at ingest. |
| Every recovery point appears as a full | Synthetic Full (virtual) | Rubrik constructs a full image on demand from the chain. No source re-read. Every restore point is instantly accessible as if it were a full backup. |
| Fast recovery — Live Mount | Snapshot (in-place) | Rubrik presents the backup data directly to vCenter as a live datastore. VM boots in seconds. Background restore runs. When done, VM is migrated back transparently. Cuts RTO from hours to minutes. |
| File-level recovery | Object restore from snapshot | Browse backup contents like a file explorer. Select individual file(s) and restore to original or alternate location. No full VM restore needed. |
| Long-term archive retrieval | Object restore from cold storage | Rehydrate from Azure Blob Archive or S3 Glacier. May take hours depending on tier. Plan this for DR scenarios, not daily operations. |
| Ransomware recovery | Immutable snapshot | Backups stored with immutability — even Rubrik admins can't delete them during the retention window. Find last clean recovery point before infection. Instant mount to validate, then restore. |
Pick 2–3. Show curiosity, not neediness.