Module 7 Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

6426C_07


Page 1: 6426C_07

Module 7: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

Page 2: 6426C_07

Module Overview

• Maintaining Active Directory Certificate Services

• Maintaining Active Directory Lightweight Directory Services

• Maintaining Active Directory Federation Services

• Maintaining Active Directory Rights Management Services

Page 3: 6426C_07

Lesson 1: Maintaining Active Directory Certificate Services

• Common AD CS Maintenance Tasks

• Tools Used to Maintain Active Directory Certificate Services

• Certification Authority Event Auditing

• Backing Up a Certification Authority

• Restoring a Certification Authority

Page 4: 6426C_07

Common AD CS Maintenance Tasks

Manage role-based administration

Configure CA event auditing

Examine CA services

Review, renew, and revoke certificates

Back up and restore the CA

Publish templates and CRLs

Page 5: 6426C_07

Tools Used to Maintain Active Directory Certificate Services

Server Manager

Certification Authority snap-in

Enterprise PKI snap-in

Certificate Templates snap-in

Certutil.exe

Page 6: 6426C_07

Certification Authority Event Auditing

Back Up and Restore CA Database

Issue and Manage Certificate Requests

Revoke Certificates and Publish CRLs

Store and Retrieve Archived Keys

Start and Stop AD CS

Change the CA Configuration

Change CA Security Settings
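The seven audit categories listed above are the bits of the CA's AuditFilter value. The following PowerShell is an added example, not part of the course slides: it enables all seven categories with certutil.exe and the system audit policy, then restarts the CA so the filter takes effect. It assumes the CA runs on the local server.

```powershell
# Added example (not from the course slides): enable all seven CA audit categories.
# AuditFilter is stored under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>;
# each slide category corresponds to one bit of that value.
$auditBits = @{
    'Start and stop AD CS'                  = 0x01
    'Back up and restore the CA database'   = 0x02
    'Issue and manage certificate requests' = 0x04
    'Revoke certificates and publish CRLs'  = 0x08
    'Change CA security settings'           = 0x10
    'Store and retrieve archived keys'      = 0x20
    'Change the CA configuration'           = 0x40
}
$filter = 0
foreach ($bit in $auditBits.Values) { $filter = $filter -bor $bit }   # all seven = 0x7F (127)

# 1. CA audit events are only written when the local audit policy audits the
#    "Certification Services" subcategory of object access (auditpol.exe ships with Windows).
auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. Write the filter into the active CA's configuration.
certutil.exe -setreg CA\AuditFilter $filter

# 3. The CA service reads AuditFilter only at start-up.
Restart-Service -Name CertSvc

# 4. Verify the stored value. From now on the Security log receives CA events such as
#    4876/4877 (backup started/completed) and 4880/4881 (CA service started/stopped).
certutil.exe -getreg CA\AuditFilter
```

To audit only some categories, OR together just the bits you need instead of all seven; certutil -getreg shows the value the service will use after the next restart.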

Page 7: 6426C_07

Backing Up a Certification Authority

• Windows Server Backup

• CA Administrative Console

• Certutil.exe tool

• DPM (Data Protection Manager)

Page 8: 6426C_07

Restoring a Certification Authority

• Windows Server Backup

• CA Administrative Console

• Certutil.exe tool

• DPM (Data Protection Manager)
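Certutil.exe appears on both the backup and the restore slide. The PowerShell below is an added example, not code from the course, showing a CA backup and the matching restore with certutil.exe. It assumes a local CA, the constructed backup path D:\CABackup, and that the key password is typed in at run time.

```powershell
# Added example (not from the course slides): back up and restore a CA with certutil.exe.
$backupDir   = Join-Path 'D:\CABackup' (Get-Date -Format 'yyyyMMdd')   # constructed path
$keyPassword = Read-Host 'Password that will protect the exported CA key'

# --- Backup ---
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
# -backup exports the CA certificate and private key as a password-protected PFX (<CAName>.p12)
# and copies the CA database (.edb plus log files) into $backupDir\DataBase.
certutil.exe -p $keyPassword -backup $backupDir

# The CA's settings (published templates, AuditFilter, CRL periods, ...) live in the
# registry and are not part of -backup; export them next to the database.
reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    (Join-Path $backupDir 'CertSvc-Configuration.reg') /y

# Sanity check before trusting the backup: both the PFX and the database must exist.
$pfx = Get-ChildItem -Path $backupDir -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $backupDir 'DataBase') -Filter '*.edb'
if (-not $pfx -or -not $edb) { throw "Backup in $backupDir is incomplete" }

# --- Restore (on the rebuilt server, after the AD CS role is installed) ---
# The service must be stopped; -f lets certutil overwrite the existing database files.
Stop-Service -Name CertSvc
certutil.exe -f -p $keyPassword -restore $backupDir
reg.exe import (Join-Path $backupDir 'CertSvc-Configuration.reg')
Start-Service -Name CertSvc
```

Keep the PFX password out of scripts and logs; whoever holds it together with the backup folder holds the CA's signing key.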

Page 9: 6426C_07

Lesson 2: Maintaining Active Directory Lightweight Directory Services

• Common AD LDS Maintenance Tasks

• Tools Used to Maintain AD LDS

• Backing Up AD LDS

• How to Restore AD LDS

• Performing an Authoritative Restore of Data on an AD LDS Instance

Page 10: 6426C_07

Common AD LDS Maintenance Tasks

• Start, stop, and restart an AD LDS instance

• Perform backup and authoritative restores of AD LDS data

• Move the AD LDS data files

• Change the AD LDS service account and port numbers

• Administer containers and objects

• Copy the schema, import a schema from AD DS, extend the schema

• Manage directory data between all sites in an AD LDS configuration set

• Manage object permissions

• Synchronize AD LDS and AD DS

• Import and export data to or from AD LDS

Page 11: 6426C_07

Tools Used to Maintain AD LDS

Command-line:

• AdamSync.exe

• Dsacls.exe

• Ldifde.exe

• Csvde.exe

• Dsdbutil.exe

GUI-based:

• Ldp.exe

• ADSI Edit snap-in

• AD DS/LDS Schema Analyzer

• Active Directory Schema snap-in

• Active Directory Sites and Services snap-in

Page 12: 6426C_07

Backing Up AD LDS

Consider the following when backing up AD LDS:

• By default, each instance stores Adamntds.dit and associated log files in %ProgramFiles%\Microsoft ADAM\instancename\data.

• You can use Windows Server Backup or any compatible third-party backup utility to back up AD LDS.

• You should ensure that the instance is started before backing up its AD LDS folder.

• You should ensure that you are a member of the Administrators group or equivalent.

Page 13: 6426C_07

How to Restore AD LDS

The following process is used when restoring data to a running AD LDS instance:

1. Stop the AD LDS instance for which the data will be restored.

2. Use the backup program to restore the instance and overwrite existing files.

3. Restart the AD LDS instance.

The following process is used when restoring data to an AD LDS instance that was lost during a server hardware failure:

1. Create a new instance specifying the same settings used during the original AD LDS installation, without creating an application partition.

2. Stop the newly created AD LDS instance.

3. Use the backup program to restore the instance and overwrite existing files.

4. Restart the AD LDS instance.

Page 14: 6426C_07

Performing an Authoritative Restore of Data on an AD LDS Instance

1. Stop the running AD LDS instance for which the data is restored.

2. Use the backup program to restore the instance and overwrite existing files.

3. Activate the instance by using dsdbutil.exe at a command prompt.

4. Use dsdbutil.exe to perform an authoritative restore using one of the following commands:

• Restore object dn

• Restore subtree dn

• Restore database
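The restore procedures on the two slides above, driven from PowerShell, as an added example that is not part of the course material. It uses wbadmin (the command line of Windows Server Backup) for the file restore and dsdbutil.exe for the authoritative step; the instance name "AppDir", the backup drive E:, the version identifier placeholder, and the subtree DN are all assumed values.

```powershell
# Added example (not from the course slides): AD LDS restore, optionally authoritative.
$instance   = 'AppDir'                             # assumed instance name
$service    = "ADAM_$instance"                     # AD LDS instances run as service ADAM_<name>
$dataFolder = Join-Path $env:ProgramFiles "Microsoft ADAM\$instance\data"
$version    = '<VersionIdentifier>'                # placeholder: pick one from "wbadmin get versions -backupTarget:E:"
$subtreeDn  = 'OU=Sales,DC=App,DC=Local'           # constructed DN of the subtree to make authoritative

# After a hardware failure, first re-create the instance with the original settings
# (same name, ports and data path, no application partition) so $service and $dataFolder exist.

# Step 1: stop the instance so Adamntds.dit and its transaction logs are closed.
Stop-Service -Name $service -Force

# Step 2: overwrite the instance's data folder with the backed-up copy.
wbadmin start recovery -version:$version -itemType:File -items:$dataFolder `
    -recoveryTarget:$dataFolder -backupTarget:E: -recursive -overwrite:Overwrite -quiet

# Step 3 (authoritative restore only): before restarting, raise the version numbers of the
# restored objects so they win replication within the configuration set. dsdbutil takes its
# menu commands as arguments; "restore object <dn>" or "restore database" can replace
# "restore subtree" exactly as on the slide.
dsdbutil.exe "activate instance $instance" "authoritative restore" `
    "restore subtree $subtreeDn" quit quit

# Step 4: restart the instance and confirm the service came up.
Start-Service -Name $service
$state = (Get-Service -Name $service).Status
if ($state -ne 'Running') { throw "$service did not start (status: $state)" }
```

Skip Step 3 for a plain (non-authoritative) restore; replication partners will then overwrite any restored object that is older than their own copy.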

Page 15: 6426C_07

Lesson 3: Maintaining Active Directory Federation Services

• Common AD FS Maintenance Tasks

• Tools Used to Maintain AD FS

• Monitoring AD FS Events

• Backing Up AD FS Components

Page 16: 6426C_07

Common AD FS Maintenance Tasks

Renew and import certificates

Monitor/maintain AD DS/AD LDS account store availability

Back up and restore AD FS components

Manage resource groups of resource partner organization

Resolve DNS names during troubleshooting

Ensure network connectivity for the server and clients

Add new applications

Maintain the health and performance of web servers

Page 17: 6426C_07

Tools Used to Maintain AD FS

Command-line:

• Wevtutil.exe

• Windows PowerShell: Get-ADFSProperties, Add-ADFSAttributeStore, Set-ADFSRelyingPartyTrust

GUI-based:

• Active Directory Federation Services snap-in

• Event Viewer

Page 18: 6426C_07

Monitoring AD FS Events

AD FS Trust Policy event log levels can be configured to provide the following information:

• Verbose: the default level; captures the most information short of debug logging (which is not specific to AD FS Trust Policy logging)

• Error: records significant problem events to the event log

• Warning: records insignificant events that may cause future problems to the event log

• Informational: records informational events, such as token validations or claim mappings

• Success Audit: records a security audit for every successful authentication or changed trust policy for this Federation Service

• Failure Audit: records a security audit for every unsuccessful change to trust policy for this Federation Service

• Detailed Success: records a detailed security audit for successful authentications

• Detailed Failure: records a detailed security audit for failed authentications

Page 19: 6426C_07

Backing Up AD FS Components

Servers running AD FS components must be backed up based on the information in the following table.

Component: Federation Service. Files to back up:

• TrustPolicy.xml file

• Web.config and other files under %systemdrive%\ADFS

• System state

• Custom transform module (.dll) and related files

• Applicationhost.config

Component: Federation Service Proxy. Files to back up:

• Web.config and other files under %systemdrive%\ADFS

• System state

• Applicationhost.config

Component: AD FS Web Agent. Files to back up:

• %systemdrive%\ADFS

• System state

Page 20: 6426C_07

Lesson 4: Maintaining Active Directory Rights Management Services

• Common AD RMS Maintenance Tasks

• Tools Used to Maintain AD RMS

• AD RMS Database Maintenance

• Viewing AD RMS Reports

• Backing Up the AD RMS Configuration Database

Page 21: 6426C_07

Common AD RMS Maintenance Tasks

• Create trust and exclusion policies

• Manage the AD RMS databases

• Configure and distribute rights policy templates

• Register or change the service connection point (SCP)

• Change the AD RMS cluster key password

• Configure and maintain the health, performance, logging, and reporting

• Maintain user and service accounts

Page 22: 6426C_07

Tools Used to Maintain AD RMS

Command-line:

• Active Directory Rights Management Services Bulk Protection Tool

• Windows PowerShell (25 cmdlets for Group Policy)

• Windows PowerShell for AD RMS: Set-RmsSvcAccount, Export-RmsTUD

GUI-based:

• Active Directory Rights Management Services console

• Group Policy Management Console

• Internet Information Services (IIS) Manager

Page 23: 6426C_07

AD RMS Database Maintenance

AD RMS databases:

• Configuration database

• Directory services database

• Logging database

Maintenance tasks for the logging database:

• Log backup

• Log trimming

• Log consolidation

• Log shipping

Page 24: 6426C_07

Viewing AD RMS Reports

• Statistics Report: lists the total number of accounts, domain accounts, and federated identities certified, or granted a rights account certificate (RAC), by the AD RMS root cluster.

• System Health: provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views: Request Type Summary and Request Performance Summary.

• Troubleshooting Report: assists you in troubleshooting issues with AD RMS licenses by using a wizard.

Page 25: 6426C_07

Backing Up the AD RMS Configuration Database

Use Microsoft SQL Server Management Studio to back up the AD RMS configuration database:

1. Locate the DRMS_Config_servername_domainname database.

2. Right-click the database, expand Tasks, and then select Back Up.

3. Verify the database to be backed up, the backup type, and the destination.

4. Upon successful backup, a popup will indicate that the backup completed.

Page 26: 6426C_07

Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

• Exercise 1: Configuring CA Event Auditing

• Exercise 2: Backing Up Active Directory Certificate Services

• Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance

• Exercise 4: Configuring AD RMS Logging

Logon information

Virtual machine 6426C-MIA-DC1

User name WOODGROVEBANK\Administrator

Password Pa$$w0rd

Estimated time: 60 minutes

Page 27: 6426C_07

Lab Scenario

• You have completed the deployment and configuration of the additional Identity and Access Solutions at Woodgrove Bank. As part of the ongoing maintenance of these services, you need to monitor, back up, and restore AD CS, AD LDS, and AD RMS.

• You need to configure CA event auditing and schedule an ongoing backup of the AD CS component. You also need to test your AD LDS backup and restore procedures.

• In addition, Management has asked you to generate some AD RMS reports on a regular basis. You need to prepare the environment for reporting and view some built-in AD RMS reports.

• Finally, complete the AD RMS maintenance task by enabling AD RMS logging.

Page 28: 6426C_07

Lab Review

In this lab, you have:

• Configured CA event auditing

• Backed up AD CS

• Backed up and restored an AD LDS instance

• Configured AD RMS Logging

Page 29: 6426C_07

Module Review and Takeaways

• Review Questions

Page 30: 6426C_07

Course Evaluation