
Module 7

Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

Module Overview
Maintaining Active Directory Certificate Services

Maintaining Active Directory Lightweight Directory Services

Maintaining Active Directory Federation Services

Maintaining Active Directory Rights Management Services

Lesson 1: Maintaining Active Directory Certificate Services


Common AD CS Maintenance Tasks

Tools Used to Maintain Active Directory Certificate Services

Certification Authority Event Auditing

Backing Up a Certification Authority

Restoring a Certification Authority

Common AD CS Maintenance Tasks


Manage role-based administration

Configure CA event auditing

Examine CA services

Review, renew, and revoke certificates

Back up and restore the CA

Publish templates and CRLs

Tools Used to Maintain Active Directory Certificate Services

Server Manager

AD CS

Certutil.exe

Certification Authority snap-in

Enterprise PKI snap-in

Certificate Templates snap-in

Certification Authority Event Auditing


Back Up and Restore CA Database

Change the CA Configuration

Change CA Security Settings

Issue and Manage Certificate Requests

Revoke Certificates and Publish CRLs

Store and Retrieve Archived Keys

Start and Stop AD CS
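The seven audit categories above map to bits of the CA's AuditFilter value, and the CA only writes the corresponding events once Object Access auditing for the "Certification Services" subcategory is enabled as well. The following script is an added example, not part of the course material: it sets all seven categories with certutil.exe, enables the audit subcategory with auditpol.exe, restarts AD CS so the new filter is read, and then verifies both settings. It assumes an elevated PowerShell session on the CA itself.

```powershell
# Added example (not from the course): enable all seven CA audit categories
# and verify the result. Assumes an elevated PowerShell session on the CA;
# certutil.exe and auditpol.exe ship with Windows Server 2008.

function Enable-CaAuditing {
    param(
        # Each category is one bit of the CA's AuditFilter value; 127 (0x7F) sets all seven.
        [int]$AuditFilter = 127
    )

    # 1. Set the CA-side filter (stored under the CertSvc configuration registry key).
    certutil -setreg CA\AuditFilter $AuditFilter | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed (exit code $LASTEXITCODE)" }

    # 2. The CA only emits audit events when Object Access auditing for the
    #    'Certification Services' subcategory is enabled in the local security policy.
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit code $LASTEXITCODE)" }

    # 3. The CA reads AuditFilter at service start, so restart AD CS.
    Restart-Service -Name certsvc
}

function Test-CaAuditing {
    # Returns $true when the CA reports the expected filter and the subcategory is audited.
    param([int]$ExpectedFilter = 127)

    # certutil -getreg prints the value as hex followed by decimal in parentheses, e.g. "7f (127)".
    $regOutput = (certutil -getreg CA\AuditFilter) -join "`n"
    $hex = '{0:x}' -f $ExpectedFilter
    $filterOk = ($regOutput -match "\($ExpectedFilter\)") -or ($regOutput -match "= $hex\b")

    # auditpol /get lists the subcategory with its current setting.
    $policyOutput = (auditpol /get /subcategory:"Certification Services") -join "`n"
    $policyOk = $policyOutput -match 'Success and Failure'

    return ($filterOk -and $policyOk)
}

Enable-CaAuditing
if (-not (Test-CaAuditing)) { throw 'CA auditing is not configured as expected' }
Write-Host 'CA event auditing enabled for all seven categories'
```

Once this is in place the CA writes its audit events to the Security log, where they can be collected centrally; the verification step is worth keeping in a scheduled job, because either setting can be reverted independently of the other.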

Backing Up a Certification Authority

A CA can be backed up with any of the following:

CA Administrative Console

Certutil.exe tool

Windows Server Backup

DPM

Restoring a Certification Authority

A CA can be restored with any of the following:

CA Administrative Console

Certutil.exe tool

Windows Server Backup

DPM
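The Certutil.exe route for the backup and restore methods above, as an added example that is not part of the course: the database backup runs without prompting and suits a scheduled task, the key backup prompts for a password and is meant to be run once and stored offline, and the restore stops AD CS while the database files are replaced. It assumes an elevated session on the CA; the backup root path is a placeholder.

```powershell
# Added example (not from the course): back up and restore a CA with certutil.exe.
# Assumes an elevated session on the CA; 'D:\CABackup' is a placeholder path.

function Backup-CaDatabase {
    param([string]$BackupRoot = 'D:\CABackup')
    # certutil needs an empty target directory for each backup set, so use a timestamp.
    $target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
    New-Item -ItemType Directory -Path $target | Out-Null

    # Database and log files only; no private key, so no password prompt.
    certutil -backupDB $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed (exit code $LASTEXITCODE)" }

    # The CA's registry configuration (CRL settings, AuditFilter, policy module settings)
    # is not part of -backupDB; export it alongside the database.
    reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
        (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

    # The database holds every issued certificate and pending request; limit access to the set.
    icacls $target /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
    return $target
}

function Backup-CaKey {
    # Exports the CA certificate and private key as PKCS#12; certutil prompts for the password.
    param([Parameter(Mandatory = $true)][string]$Target)
    certutil -backupKey $Target
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed (exit code $LASTEXITCODE)" }
}

function Restore-CaDatabase {
    # Restores a database backup set; AD CS must be stopped while the files are replaced.
    param([Parameter(Mandatory = $true)][string]$BackupSet)
    Stop-Service -Name certsvc
    try {
        # -f overwrites the existing database files.
        certutil -f -restoreDB $BackupSet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -restoreDB failed (exit code $LASTEXITCODE)" }
    }
    finally {
        Start-Service -Name certsvc
    }
}

# Usage: the scheduled database backup; run Backup-CaKey once and keep that set offline.
$set = Backup-CaDatabase -BackupRoot 'D:\CABackup'
Write-Host "CA database backed up to $set"
```

Keeping the key backup separate from the routine database backup means the scheduled job never handles the CA's private key, and the one set that does can be stored with stricter controls.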

Lesson 2: Maintaining Active Directory Lightweight Directory Services


Common AD LDS Maintenance Tasks

Tools Used to Maintain AD LDS

Backing Up AD LDS

How to Restore AD LDS

Performing an Authoritative Restore of Data on an AD LDS Instance

Common AD LDS Maintenance Tasks


Start, stop, and restart an AD LDS instance

Perform backup and authoritative restores of AD LDS data

Move the AD LDS data files

Change the AD LDS service account and port numbers

Administer containers and objects

Copy the schema, import a schema from AD DS, extend the schema

Manage directory data between all sites in an AD LDS configuration set

Manage object permissions

Synchronize AD LDS and AD DS

Import and export data to or from AD LDS

Tools Used to Maintain AD LDS


Command-line:

AdamSync.exe

Dsacls.exe

Ldifde.exe

Csvde.exe

Dsdbutil.exe

GUI-based:

Ldp.exe

ADSI Edit snap-in

AD DS/LDS Schema Analyzer

Active Directory Schema snap-in

Active Directory Sites and Services snap-in

Backing Up AD LDS
Consider the following when backing up AD LDS:

By default, each instance stores Adamntds.dit and associated log files in %ProgramFiles%\Microsoft ADAM\instancename\data.

You can use Windows Server Backup or any compatible third-party backup utility to back up AD LDS.

You should ensure that the instance is started before backing up its AD LDS folder.

You should ensure that you are a member of the Administrators group or equivalent.

How to Restore AD LDS


The following process is used when restoring data to a running AD LDS instance:

Stop the AD LDS instance for which the data will be restored.

Use the backup program to restore the instance and overwrite existing files.

Restart the AD LDS instance.

The following process is used when restoring data to an AD LDS instance that was lost during a server hardware failure:

Create a new instance specifying the same settings used during the original AD LDS installation, without creating an application partition.

Stop the newly created AD LDS instance.

Use the backup program to restore the instance and overwrite existing files.

Restart the AD LDS instance.

Performing an Authoritative Restore of Data on an AD LDS Instance


Stop the running AD LDS instance for which the data is restored.

Use the backup program to restore the instance and overwrite existing files.

Activate the instance by using dsdbutil.exe at a command prompt.

Use dsdbutil.exe to perform an authoritative restore using one of the following commands:

Restore object dn

Restore subtree dn

Restore database
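The backup notes and both restore procedures above (non-authoritative and authoritative), as one added example that is not part of the course. It assumes an elevated session on the AD LDS server with the Windows Server Backup command-line tools (wbadmin.exe) installed; the instance name, backup target and DN are placeholders. Two further assumptions: the AD LDS service is named ADAM_<instancename>, and dsdbutil.exe accepts one command per command-line argument in the same way ntdsutil.exe does.

```powershell
# Added example (not from the course): back up an AD LDS instance while it is running,
# and restore it with an optional authoritative restore of one subtree via dsdbutil.exe.
# Assumptions: elevated session on the AD LDS server, wbadmin.exe installed, service
# name ADAM_<instancename>, dsdbutil.exe takes one command per argument (as ntdsutil does).

function Get-AdLdsDataPath {
    param([string]$InstanceName)
    # Default data location from the course notes.
    return Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName\data"
}

function Backup-AdLdsInstance {
    param([string]$InstanceName, [string]$BackupTarget)   # e.g. 'instance1', 'E:'
    # The instance must be running so the backup is taken through its VSS writer and the
    # copy of Adamntds.dit and the logs is consistent.
    $svc = Get-Service -Name "ADAM_$InstanceName"
    if ($svc.Status -ne 'Running') { throw "AD LDS instance $InstanceName is not running; start it before backing up" }
    # Back up the volume that holds the data folder (Windows Server 2008 RTM backs up whole volumes).
    $volume = Split-Path -Qualifier (Get-AdLdsDataPath $InstanceName)
    wbadmin start backup -backupTarget:$BackupTarget -include:$volume -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed (exit code $LASTEXITCODE)" }
}

function Restore-AdLdsInstance {
    param(
        [string]$InstanceName,
        [string]$RestoredFiles,          # folder with Adamntds.dit and logs recovered by the backup program
        [string]$AuthoritativeSubtreeDN  # optional, e.g. 'OU=Sales,DC=woodgrovebank,DC=com'
    )
    $svcName = "ADAM_$InstanceName"
    $dataDir = Get-AdLdsDataPath $InstanceName

    # 1. Stop the instance: AD LDS keeps the database open while running.
    Stop-Service -Name $svcName
    (Get-Service -Name $svcName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # 2. "Use the backup program to restore the instance and overwrite existing files";
    #    a file copy from the already-recovered backup stands in for that step here.
    Copy-Item -Path (Join-Path $RestoredFiles '*') -Destination $dataDir -Recurse -Force

    # 3. Optional authoritative restore. With the instance still stopped, dsdbutil activates
    #    the restored database and marks the subtree so replication partners in the
    #    configuration set accept the restored objects instead of overwriting them.
    #    dsdbutil may ask for confirmation before performing the restore.
    if ($AuthoritativeSubtreeDN) {
        dsdbutil "activate instance $InstanceName" 'authoritative restore' "restore subtree `"$AuthoritativeSubtreeDN`"" quit quit
        if ($LASTEXITCODE -ne 0) { throw "dsdbutil authoritative restore failed (exit code $LASTEXITCODE)" }
    }

    # 4. Restart the instance.
    Start-Service -Name $svcName
}

# Usage (placeholders):
# Backup-AdLdsInstance -InstanceName 'instance1' -BackupTarget 'E:'
# Restore-AdLdsInstance -InstanceName 'instance1' -RestoredFiles 'E:\recovered\instance1\data'
# Restore-AdLdsInstance -InstanceName 'instance1' -RestoredFiles 'E:\recovered\instance1\data' `
#     -AuthoritativeSubtreeDN 'OU=Sales,DC=woodgrovebank,DC=com'
```

Without the authoritative step, a restored instance that replicates with other members of the configuration set is simply overwritten by their newer data; the dsdbutil step is what makes the restored subtree win.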

Lesson 3: Maintaining Active Directory Federation Services


Common AD FS Maintenance Tasks

Tools Used to Maintain AD FS

Monitoring AD FS Events

Backing Up AD FS Components

Common AD FS Maintenance Tasks


Renew and import certificates

Monitor/maintain AD DS/AD LDS account store availability

Back up and restore AD FS components

Manage resource groups of resource partner organization

Resolve DNS names during troubleshooting

Ensure network connectivity for the server and clients

Add new applications

Maintain the health and performance of web servers

Tools Used to Maintain AD FS


Command-line:

Wevtutil.exe

Windows PowerShell: Get-ADFSProperties, Add-ADFSAttributeStore, Set-ADFSRelyingPartyTrust

GUI-based:

Active Directory Federation Services snap-in

Event Viewer

Monitoring AD FS Events
AD FS Trust Policy event log levels can be configured to provide the following information:

Verbose: This is the default level; it captures the most information besides debug logging (which is not specific to AD FS Trust Policy logging)

Error: Records significant problem events to the event log

Warning: Records insignificant events that may cause future problems to the event log

Informational: Records informational logged events, such as token validations or claim mappings

Success Audit: Records a security audit for every successful authentication or changed trust policy to this Federation Service

Failure Audit: Records a security audit for every unsuccessful change to trust policy for this Federation Service

Detailed Success: Records a detailed security audit for successful authentications

Detailed Failure: Records a detailed security audit for failed authentications

Backing Up AD FS Components
Servers running AD FS components must be backed up based on the information in the following table.

Component: Files to back up

Federation Service: TrustPolicy.xml file; Web.config and other files under %systemdrive%\ADFS; System state; Custom transform module (.dll) and related files; Applicationhost.config

Federation Service Proxy: Web.config and other files under %systemdrive%\ADFS; System state; Applicationhost.config

AD FS Web Agent: %systemdrive%\ADFS; System state
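The per-role file list above, turned into a backup script as an added example that is not part of the course: it copies the listed files for one role into a timestamped folder, restricts access to that folder, and takes the system state backup with wbadmin.exe. It assumes an elevated session on the AD FS server; the backup root, the system state target and the custom transform module path are placeholders, and applicationhost.config is taken from its IIS location under %windir%\System32\inetsrv\config.

```powershell
# Added example (not from the course): gather the backup set for one AD FS role and
# take a system state backup. Assumes an elevated session and wbadmin.exe; paths other
# than %systemdrive%\ADFS and the IIS applicationhost.config location are placeholders.

function Backup-AdfsComponent {
    param(
        [ValidateSet('FederationService', 'FederationServiceProxy', 'WebAgent')]
        [string]$Role,
        [string]$BackupRoot = 'D:\ADFSBackup',
        [string]$SystemStateTarget = 'E:',
        [string[]]$CustomTransformModules = @()   # .dll and related files; Federation Service only
    )
    $adfsDir = Join-Path $env:SystemDrive 'ADFS'
    $appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationhost.config'

    # File list per role, following the table. TrustPolicy.xml and web.config live under
    # %systemdrive%\ADFS, so copying that tree covers them.
    $items = @($adfsDir)
    if ($Role -ne 'WebAgent') { $items += $appHost }
    if ($Role -eq 'FederationService') { $items += $CustomTransformModules }

    $target = Join-Path $BackupRoot ('{0}-{1}' -f $Role, (Get-Date -Format 'yyyyMMdd-HHmm'))
    New-Item -ItemType Directory -Path $target | Out-Null

    foreach ($item in $items) {
        if (-not (Test-Path $item)) { Write-Warning "Not found, skipped: $item"; continue }
        Copy-Item -Path $item -Destination $target -Recurse -Force
    }

    # web.config and the trust policy describe partners and stores; restrict the copy.
    icacls $target /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

    # System state (registry, IIS configuration and the other system state components).
    wbadmin start systemstatebackup -backupTarget:$SystemStateTarget -quiet
    if ($LASTEXITCODE -ne 0) { throw "system state backup failed (exit code $LASTEXITCODE)" }

    return $target
}

# Usage (placeholder module path):
$set = Backup-AdfsComponent -Role FederationService -CustomTransformModules 'C:\ADFS\Modules\ClaimTransform.dll'
Write-Host "AD FS files copied to $set"
```

The role parameter keeps the file list tied to the table, so a proxy or web agent server does not end up with a backup job that silently skips items it was never meant to have.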

Lesson 4: Maintaining Active Directory Rights Management Services


Common AD RMS Maintenance Tasks

Tools Used to Maintain AD RMS

AD RMS Database Maintenance

Viewing AD RMS Reports

Backing Up the AD RMS Configuration Database

Common AD RMS Maintenance Tasks

Create trust and exclusion policies

Manage the AD RMS databases

Configure and distribute rights policy templates

Register or change the service connection point (SCP)

Change the AD RMS cluster key password

Configure and maintain the health, performance, logging, and reporting

Maintain user and service accounts

Tools Used to Maintain AD RMS

Command-line:

Active Directory Rights Management Services Bulk Protection Tool

Windows PowerShell (25 cmdlets for Group Policy)

Windows PowerShell for AD RMS: Set-RmsSvcAccount, Export-RmsTUD

GUI-based:

Active Directory Rights Management Services console

Group Policy Management Console

Internet Information Services (IIS) Manager

AD RMS Database Maintenance


AD RMS databases: Configuration database, Directory services database, Logging database

Database maintenance tasks:

Log backup

Log shipping

Log trimming

Log Consolidation

Viewing AD RMS Reports

Statistics Report: Lists the total number of accounts, domain accounts, and federated identities certified, or granted a rights account certificate (RAC), by the AD RMS root cluster.

System Health: Provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views: Request Type Summary and Request Performance Summary.

Troubleshooting Report: Assists you in troubleshooting issues with AD RMS licenses by using a wizard.

Backing Up the AD RMS Configuration Database


Use Microsoft SQL Server Management Studio to back up the AD RMS configuration database:

Locate the DRMS_Config_servername_domainname database

Right-click the database, expand Tasks, and then select Back Up

Verify the database to be backed up, the backup type, and the destination

Upon successful backup, a popup will indicate that the backup completed
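The same full backup the Management Studio steps perform, scripted with sqlcmd.exe so it can run as a scheduled task, followed by a verification of the backup file; this is an added example and not part of the course. It assumes sqlcmd.exe is on the path, the running account holds the db_backupoperator role (or equivalent) on the configuration database, and that the server name, the database name (which follows the DRMS_Config_servername_domainname pattern) and the backup folder are placeholders.

```powershell
# Added example (not from the course): full backup of the AD RMS configuration database
# with sqlcmd.exe, plus a RESTORE VERIFYONLY check. Server, database and path are placeholders.

function Backup-RmsConfigDatabase {
    param(
        [string]$SqlServer = 'MIA-SQL',
        [string]$Database  = 'DRMS_Config_<servername>_<domainname>',   # placeholder; use the name shown in SSMS
        [string]$BackupDir = 'D:\RMSBackup'
    )
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $file = Join-Path $BackupDir ('{0}_{1}.bak' -f $Database, (Get-Date -Format 'yyyyMMdd-HHmm'))

    # Full backup; CHECKSUM makes SQL Server verify page checksums while reading, so a
    # corrupt page fails the backup instead of being silently copied into the .bak file.
    $backupSql = "BACKUP DATABASE [$Database] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 10"
    sqlcmd -S $SqlServer -E -b -Q $backupSql
    if ($LASTEXITCODE -ne 0) { throw "BACKUP DATABASE failed (exit code $LASTEXITCODE)" }

    # Confirm the backup set is readable without restoring it.
    sqlcmd -S $SqlServer -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
    if ($LASTEXITCODE -ne 0) { throw "RESTORE VERIFYONLY failed (exit code $LASTEXITCODE)" }

    # The configuration database holds the cluster's key material; restrict the file.
    icacls $file /inheritance:r /grant 'Administrators:F' 'SYSTEM:F' | Out-Null
    return $file
}

$bak = Backup-RmsConfigDatabase -SqlServer 'MIA-SQL' -Database 'DRMS_Config_<servername>_<domainname>' -BackupDir 'D:\RMSBackup'
Write-Host "AD RMS configuration database backed up to $bak"
```

The -b switch makes sqlcmd exit non-zero on a T-SQL error, which is what lets the script stop on a failed backup rather than reporting success; without it the exit code would be zero regardless.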

Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Exercise 1: Configuring CA Event Auditing

Exercise 2: Backing Up Active Directory Certificate Services

Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance

Exercise 4: Configuring AD RMS Logging

Logon information

Virtual machine: 6426C-MIA-DC1

User name: WOODGROVEBANK\Administrator

Password: Pa$$w0rd

Estimated time: 60 minutes

Lab Scenario
You have completed the deployment and configuration of the additional Identity and Access Solutions at Woodgrove Bank. As part of the ongoing maintenance of these services, you need to monitor, back up, and restore AD CS, AD LDS, and AD RMS.

You need to configure CA event auditing and schedule an ongoing backup of the AD CS component. You also need to test your AD LDS backup and restore procedures.

In addition, Management has asked you to generate some AD RMS reports on a regular basis. You need to prepare the environment for reporting and view some built-in AD RMS reports.

Finally, complete the AD RMS maintenance task by enabling AD RMS logging.

Lab Review
In this lab, you have:
Configured CA event auditing

Backed up AD CS

Backed up and restored an AD LDS instance

Configured AD RMS logging

Module Review and Takeaways


Review Questions

Course Evaluation
