Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Module 7: Maintaining Access Management Solutions Supporting AD CS Maintaining AD LDS Maintaining AD FS Maintaining AD RMS

Lesson 1: Supporting AD CS Common AD CS Maintenance Tasks Configuration of Role-Based Administration for Managing and Maintaining AD CS Tools Used to Maintain AD CS Configuration of CA Event Auditing How To Configure CA Event Auditing Methods of Backing Up and Restoring a CA

Common AD CS Maintenance Tasks Managing role-based administration Configuring and monitoring CA event auditing Monitoring system services Renewing CA certificate Backing up and restoring the CA

Configuration of Role-Based Administration for Managing and Maintaining AD CS Role and Group Security Permission Description CA Administrator Manage CA Allows configuring and maintaining of CA. This CA role includes the ability to assign other CA roles and renew a CA certificate. Certificate Manager Issue and Manage Certificates Allows approving of certificate enrollment and revocation requests. This is a CA role, also called as CA officer. Backup Operator Back up file and directories Restore file and directories Allows performing of system backup and recovery. Backup is an operating system feature. Auditor Manage auditing and security log Allows configuring, viewing, and maintaining of audit logs. This is an operating system feature and an operating system role. Enrollees Read Enroll Allows requesting of certificates from a CA. This is not a CA role. Enrollees are authorized clients for this purpose.

Tools Used to Maintain AD CS AD CS Server Manager Certification Authority snap-in Enterprise PKI snap-in Certificate Templates snap-in Certutil.exe

Configuration of CA Event Auditing Back up and restore CA database Issue and manage certificate requests Revoke certificates and publish CRLs Store and retrieve archived keys Start and stop AD CS Change the CA configuration Change CA security settings

Demonstration: How To Configure CA Event Auditing To configure the CA for auditing of object access To configure CA event auditing

Methods of Backing Up and Restoring a CA Windows Server® Backup CA CA Administrative Console Certutil Command Line Tool

Lesson 2: Maintaining AD LDS AD LDS Maintenance Tasks Backing Up AD LDS Restoration of Data to an AD LDS Instance Performing an Authoritative Restore of Data on an AD LDS Instance How To Back Up and Restore AD LDS Instances

AD LDS Maintenance Tasks AD LDS Maintenance Tasks include : Monitoring system events and services Backing up and restoring AD LDS instances Performing an authoritative restore of directory objects

Backing Up AD LDS Consider the following when backing up AD LDS: By default each instance stores Adamntds.dit and associated log files in %Program Files%\Microsoft ADAM\ \data. You can use Windows Server® Backup or any compatible third party backup utility to backup AD LDS. You should ensure that the instance is started before backing up its AD LDS folder. You should ensure that you are a member of the Administrators group or equivalent. By default each instance stores Adamntds.dit and associated log files in %Program Files%\Microsoft ADAM\ \data. You can use Windows Server® Backup or any compatible third party backup utility to backup AD LDS. You should ensure that the instance is started before backing up its AD LDS folder. You should ensure that you are a member of the Administrators group or equivalent.

Restoration of Data to an AD LDS Instance Consider the following when restoring data to an existing AD LDS instance: Stop the AD LDS instance for which the data will be restored. Use the backup program to restore the instance and overwrite existing files. Restart the AD LDS instance. Stop the AD LDS instance for which the data will be restored. Use the backup program to restore the instance and overwrite existing files. Restart the AD LDS instance. Consider the following when data to an new AD LDS instance that does not belong to a configuration set: Create a new instance specifying the same settings used during the original AD LDS installation, without creating an application partition. Stop the newly created AD LDS instance. Use the backup program to restore the instance and overwrite existing files. Restart the AD LDS instance. Create a new instance specifying the same settings used during the original AD LDS installation, without creating an application partition. Stop the newly created AD LDS instance. Use the backup program to restore the instance and overwrite existing files. Restart the AD LDS instance.

Performing an Authoritative Restore of Data on an AD LDS Instance Stop the running AD LDS instance for which the data is restored. Use the backup program to restore the instance and overwrite existing files. Activate the instance by using dsdbutil, at a command prompt. Use dsdbutil to perform an authoritative restore using one of the following commands: restore database restore object dn restore subtree dn Use dsdbutil to perform an authoritative restore using one of the following commands: restore database restore object dn restore subtree dn Authoritative Restore dsdbutil Back Up Program AD LDS

Demonstration: How To Back Up and Restore AD LDS Instances To back up a volume that contains an AD LDS instance by using Windows Server® Backup To restore an existing AD LDS instance

Lesson 3: Maintaining AD FS AD FS Maintenance Tasks Monitoring AD FS Events How To Monitor AD FS Events Backing Up AD FS Components

AD FS Maintenance Tasks Managing Server Authorization and Token Certificates Monitoring and Analyzing Event Log Levels AD FS Backing up AD FS Components AD FS Manufacturer Account Partner Supplier Resource Partner

Monitoring AD FS Events AD FS Trust Policy Event Log levels can be configured to provide the following information: ErrorRecords events logged by significant problems, to the event log Warning Records insignificant events that may cause future problems to the event log Informational Records informational logged events; such as token validations, or claim mappings Success Audit Records a security audit for every successful authentication or changed trust policy to this Federation Service Failure Audit Records a security audit for every unsuccessful change to trust policy for this Federation Service Detailed SuccessRecords a detailed security audit for successful authentications Detailed FailureRecords a detailed security audit for failed authentications

Demonstration: How To Monitor AD FS Events To enable trust policy logging To use Server Manager to view events and service summary data

Backing Up AD FS Components %systemdrive%\ADFS System state Components to Back Up by running AD FS Component on Server Files Web.config and other files under %systemdrive%\ADFS System state applicationhost.config Federation Service Proxy TrustPolicy.xml file Web.config and other files under %systemdrive%\ADFS System state Custom transform module (.dll) and related files applicationhost.config Federation Service Files to Back Up Component AD FS Web Agent

Lesson 4: Maintaining AD RMS AD RMS Maintenance Tasks How To Verify AD RMS Logging Viewing AD RMS Reports Decommissioning AD RMS

AD RMS Maintenance Tasks AD RMS Managing AD RMS log information Viewing AD RMS Reports Decommissioning AD RMS AD RMS

Demonstration: How To Verify AD RMS Logging To verify default enabling To verify the configuration of the server node Properties box To verify:  Requestor identification  Time of making  Source IP address  RMS server identification that handled the request  Success of request

Viewing AD RMS Reports Lists the number of total accounts, domain accounts, and federated identities certified, or granted a rights account certificate (RAC), by the AD RMS root cluster. Provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views: Request Type Summary Request Performance Summary Provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views: Request Type Summary Request Performance Summary Assists you in troubleshooting issues with AD RMS licenses by using a wizard. Statistics Report System Health Troubleshooting Reports

Decommissioning AD RMS Steps to decommission AD RMS: Encourage creative thinking among team members. 1 1 Ensure that you have all the information. 2 2 Manage discussions about the validity of a threat. 3 3 Include specialized network penetration testers. 4 4 Apply caution when it involves conflict of interests. 5 5 Consider technology-specific threats. 6 6

Lab 7: Maintaining Access Management Solutions Exercise 1: Configuring CA Event Logging Exercise 2: Implementing role-based administration in AD CS Exercise 3: Backing up a CA Exercise 4: Reconfiguring AD RMS cluster settings Exercise 5: Generating AD RMS Reports Exercise 6: Configuring AD RMS logging woodgrovebank.com Domain name Pa$$w0rd Password AdministratorUser name 6426A-NYC-DC1-BVirtual machine Estimated time: 60 minutes Logon information