
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Module 7: Maintaining Access Management Solutions
• Supporting AD CS
• Maintaining AD LDS
• Maintaining AD FS
• Maintaining AD RMS
Lesson 1: Supporting AD CS
• Common AD CS Maintenance Tasks
• Configuration of Role-Based Administration for Managing and Maintaining AD CS
• Tools Used to Maintain AD CS
• Configuration of CA Event Auditing
• How To Configure CA Event Auditing
• Methods of Backing Up and Restoring a CA

Common AD CS Maintenance Tasks

Managing role-based administration

Configuring and monitoring CA event auditing

Monitoring system services

Renewing CA certificate

Backing up and restoring the CA


Configuration of Role-Based Administration for Managing and Maintaining AD CS

Role: CA Administrator
  Security group permission: Manage CA
  Description: Allows configuring and maintaining of the CA. This CA role includes the ability to assign other CA roles and renew the CA certificate.

Role: Certificate Manager
  Security group permission: Issue and Manage Certificates
  Description: Allows approving of certificate enrollment and revocation requests. This is a CA role, also called the CA officer.

Role: Backup Operator
  Security group permission: Back up files and directories; Restore files and directories
  Description: Allows performing of system backup and recovery. Backup is an operating system feature.

Role: Auditor
  Security group permission: Manage auditing and security log
  Description: Allows configuring, viewing, and maintaining of audit logs. This is an operating system feature and an operating system role.

Role: Enrollees
  Security group permission: Read; Enroll
  Description: Allows requesting of certificates from a CA. This is not a CA role. Enrollees are authorized clients for this purpose.
Tools Used to Maintain AD CS

Server Manager
Certutil.exe
Certification Authority snap-in
Certificate Templates snap-in
Enterprise PKI snap-in
Configuration of CA Event Auditing

Back up and restore CA database

Change the CA configuration

Change CA security settings

Issue and manage certificate requests

Revoke certificates and publish CRLs

Store and retrieve archived keys

Start and stop AD CS


Demonstration: How To Configure CA Event Auditing
• To configure the CA for auditing of object access
• To configure CA event auditing
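The two demonstration steps above, as an added PowerShell example that is not part of the course material: it enables the Object Access audit subcategory under which CA audit events are written, then sets the CA's AuditFilter registry value to select the seven event categories from the previous slide. The AuditFilter bit assignments are the ones documented for certutil; no CA name is needed because the commands run locally on the CA.

```powershell
# Added example: enable CA event auditing on a Windows Server 2008 CA.
# Run in an elevated prompt on the CA, as a CA Administrator.

# 1. Object access auditing must be on, or the CA's audit events never
#    reach the Security log. Enable success and failure auditing for the
#    Certification Services subcategory (auditpol is a built-in tool).
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. Build the AuditFilter value. Each bit selects one of the event
#    categories listed on the slide; the values are those documented for
#    the CA\AuditFilter registry value used by certutil.
$auditBits = @{
    StartStopService       = 1    # Start and stop AD CS
    BackupRestoreDatabase  = 2    # Back up and restore CA database
    IssueManageRequests    = 4    # Issue and manage certificate requests
    ChangeConfiguration    = 8    # Change the CA configuration
    ChangeSecuritySettings = 16   # Change CA security settings
    ArchivedKeys           = 32   # Store and retrieve archived keys
    RevokePublishCrl       = 64   # Revoke certificates and publish CRLs
}
# Audit every category; remove entries from the table to narrow the filter.
$filter = 0
foreach ($bit in $auditBits.Values) { $filter = $filter -bor $bit }   # 127 = 0x7f

# 3. Write the filter into the CA registry configuration and restart the
#    service so the new value takes effect.
certutil -setreg CA\AuditFilter $filter
Restart-Service CertSvc

# 4. Verify: certutil should read back AuditFilter = 0x7f (127).
certutil -getreg CA\AuditFilter
```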


Methods of Backing Up and Restoring a CA

• Windows Server® Backup
• CA Administrative Console
• Certutil Command Line Tool
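The Certutil method from the slide, as an added example that is not from the course: a PowerShell script that takes a full CA backup with certutil, protecting the exported CA key with a password, followed by the matching restore commands. The backup path and the password are constructed placeholders.

```powershell
# Added example: back up and restore a CA with certutil.exe.
# Run elevated on the CA. Backup needs the Backup Operator role (or Manage CA);
# restore needs the CA service stopped.

$backupDir   = 'D:\CABackup'          # constructed placeholder path
$keyPassword = 'Backup-Passw0rd!'     # constructed placeholder; protects the exported PFX

# Full backup: CA certificate and private key (as a password-protected PFX)
# plus the certificate database and its log files. certutil will not write
# into a non-empty directory, so create a fresh timestamped folder first.
$target = Join-Path $backupDir (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $target | Out-Null
certutil -p $keyPassword -backup $target

# Narrower variants: database only (no key export), or key only.
# certutil -backupDB $target
# certutil -p $keyPassword -backupKey $target

# Restore on a rebuilt server that has the AD CS role installed with the
# same CA name. -f overwrites the existing database and key.
# Stop-Service CertSvc
# certutil -f -p $keyPassword -restore $target
# Start-Service CertSvc
```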
Lesson 2: Maintaining AD LDS
• AD LDS Maintenance Tasks
• Backing Up AD LDS
• Restoration of Data to an AD LDS Instance
• Performing an Authoritative Restore of Data on an AD LDS Instance
• How To Back Up and Restore AD LDS Instances
AD LDS Maintenance Tasks
AD LDS maintenance tasks include:

Monitoring system events and services

Backing up and restoring AD LDS instances

Performing an authoritative restore of directory objects


Backing Up AD LDS

Consider the following when backing up AD LDS:

By default, each instance stores Adamntds.dit and associated log files in %Program Files%\Microsoft ADAM\<instancename>\data.
You can use Windows Server® Backup or any compatible third-party backup utility to back up AD LDS.
You should ensure that the instance is started before backing up its AD LDS folder.
You should ensure that you are a member of the Administrators group or equivalent.
Restoration of Data to an AD LDS Instance
Consider the following when restoring data to an existing AD LDS instance:

1. Stop the AD LDS instance for which the data will be restored.
2. Use the backup program to restore the instance and overwrite the existing files.
3. Restart the AD LDS instance.

Consider the following when restoring data to a new AD LDS instance that does not belong to a configuration set:

1. Create a new instance, specifying the same settings used during the original AD LDS installation, without creating an application partition.
2. Stop the newly created AD LDS instance.
3. Use the backup program to restore the instance and overwrite the existing files.
4. Restart the AD LDS instance.
Performing an Authoritative Restore of Data on an AD LDS Instance

Stop the running AD LDS instance for which the data is restored.

Use the backup program to restore the instance and overwrite existing files.

Activate the instance by using dsdbutil, at a command prompt.

Use dsdbutil to perform an authoritative restore using one of the following commands:
restore database
restore object dn
restore subtree dn
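The four steps above as one scripted sequence, added here and not part of the course: dsdbutil accepts its interactive commands as quoted arguments, so the activate-and-restore session can be run from PowerShell. The instance name and the distinguished name of the subtree are constructed placeholders; the restore-from-backup step is left to the backup program.

```powershell
# Added example: authoritative restore of one subtree in an AD LDS instance.
# Run elevated on the server hosting the instance.

$instance = 'instance1'                           # constructed: AD LDS instance name
$subtree  = 'OU=Sales,DC=woodgrovebank,DC=com'    # constructed: DN to mark authoritative

# 1. Stop the instance. AD LDS instances run as services named ADAM_<instance>,
#    and dsdbutil needs exclusive access to the database files.
Stop-Service "ADAM_$instance"

# 2. Restore the instance's data folder from backup here, overwriting the
#    existing files (for example with Windows Server Backup). Not shown.

# 3. Activate the offline instance and mark the subtree authoritative.
#    "restore object <dn>" marks a single object; "restore database" marks
#    the whole set of directory partitions in the instance.
dsdbutil "activate instance $instance" "authoritative restore" "restore subtree $subtree" quit quit

# 4. Restart the instance. The marked objects now carry higher version
#    numbers and win replication against the other configuration set members.
Start-Service "ADAM_$instance"
```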
Demonstration: How To Back Up and Restore AD LDS Instances
• To back up a volume that contains an AD LDS instance by using Windows Server® Backup
• To restore an existing AD LDS instance
Lesson 3: Maintaining AD FS
• AD FS Maintenance Tasks

• Monitoring AD FS Events

• How To Monitor AD FS Events

• Backing Up AD FS Components
AD FS Maintenance Tasks

Managing server authorization and token certificates

Monitoring and analyzing event log levels

Backing up AD FS components

(Diagram: an account partner and a resource partner, labeled Manufacturer and Supplier, each running AD FS.)
Monitoring AD FS Events
AD FS Trust Policy event log levels can be configured to provide the following information:

Error: Records events logged for significant problems to the event log

Warning: Records insignificant events that may cause future problems to the event log

Informational: Records informational events, such as token validations or claim mappings

Success Audit: Records a security audit for every successful authentication or trust policy change for this Federation Service

Failure Audit: Records a security audit for every unsuccessful change to the trust policy for this Federation Service

Detailed Success: Records a detailed security audit for successful authentications

Detailed Failure: Records a detailed security audit for failed authentications

Demonstration: How To Monitor AD FS Events
• To enable trust policy logging

• To use Server Manager to view events and service summary data


Backing Up AD FS Components

Components to back up, by AD FS component running on the server:

Federation Service
• TrustPolicy.xml file
• Web.config and other files under %systemdrive%\ADFS
• System state
• Custom transform module (.dll) and related files
• applicationhost.config

Federation Service Proxy
• Web.config and other files under %systemdrive%\ADFS
• System state
• applicationhost.config

AD FS Web Agent
• %systemdrive%\ADFS
• System state
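A PowerShell script that collects the file components from the table above for a Federation Service server and then takes the system state backup with Windows Server Backup's wbadmin; this is an added example, not part of the course. It assumes TrustPolicy.xml lives in the %systemdrive%\ADFS tree, that applicationhost.config is at its standard IIS 7 location under inetsrv\config, and uses a constructed backup path and target volume.

```powershell
# Added example: back up the AD FS components listed on the slide.
# Run elevated on the Federation Service server with Windows Server Backup
# (including its command-line tools) installed.

$backupRoot = Join-Path 'D:\ADFSBackup' (Get-Date -Format 'yyyyMMdd')   # constructed path
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# File components for a Federation Service server. A Federation Service
# Proxy needs the same two items; an AD FS Web Agent needs only the ADFS tree.
$items = @(
    "$env:SystemDrive\ADFS",                                           # TrustPolicy.xml, Web.config, custom transform .dll files
    "$env:SystemRoot\System32\inetsrv\config\applicationhost.config"   # IIS 7 site and application pool configuration (assumed path)
)
foreach ($item in $items) {
    if (Test-Path $item) {
        Copy-Item -Path $item -Destination $backupRoot -Recurse -Force
    } else {
        Write-Warning "Not found, skipping: $item"
    }
}

# System state (registry, certificate stores, IIS configuration) must come
# from the OS backup tool; on Windows Server 2008 wbadmin writes it to a
# volume, not a folder. E: is a constructed placeholder target.
wbadmin start systemstatebackup -backupTarget:E: -quiet
```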
Lesson 4: Maintaining AD RMS
• AD RMS Maintenance Tasks

• How To Verify AD RMS Logging

• Viewing AD RMS Reports

• Decommissioning AD RMS
AD RMS Maintenance Tasks

Viewing AD RMS reports

Decommissioning AD RMS

Managing AD RMS log information
Demonstration: How To Verify AD RMS Logging
• To verify that logging is enabled by default

• To verify the configuration in the server node Properties box

• To verify that each logged request records:
  • Requestor identification
  • Time the request was made
  • Source IP address
  • Identification of the RMS server that handled the request
  • Success of the request
Viewing AD RMS Reports

Statistics Report: Lists the number of total accounts, domain accounts, and federated identities certified, or granted a rights account certificate (RAC), by the AD RMS root cluster.

System Health Report: Provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views:
• Request Type Summary
• Request Performance Summary

Troubleshooting Reports: Assists you in troubleshooting issues with AD RMS licenses by using a wizard.
Decommissioning AD RMS

Steps to decommission AD RMS:

1. Encourage creative thinking among team members.
2. Ensure that you have all the information.
3. Manage discussions about the validity of a threat.
4. Include specialized network penetration testers.
5. Apply caution when it involves conflict of interests.
6. Consider technology-specific threats.


Lab 7: Maintaining Access Management Solutions
• Exercise 1: Configuring CA Event Logging

• Exercise 2: Implementing role-based administration in AD CS

• Exercise 3: Backing up a CA

• Exercise 4: Reconfiguring AD RMS cluster settings

• Exercise 5: Generating AD RMS Reports

• Exercise 6: Configuring AD RMS logging

Logon information

Virtual machine: 6426A-NYC-DC1-B
User name: Administrator
Password: Pa$$w0rd
Domain name: woodgrovebank.com

Estimated time: 60 minutes
