Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Module Overview
Maintaining Active Directory Certificate Services
Maintaining Active Directory Lightweight Directory Services
Examine CA services
Server Manager
AD CS
Certutil.exe
Revoke Certificates and Publish CRLs
Store and Retrieve Archived Keys
CA
CA Administrative Console
Certutil.exe Tool
DPM
Backing Up AD LDS
How to Restore AD LDS
Performing an Authoritative Restore of Data on an AD LDS Instance
Ldp.exe
ADSI Edit snap-in
AD DS/LDS Schema Analyzer
Active Directory Schema snap-in
Active Directory Sites and Services snap-in
GUI-based
Backing Up AD LDS
Consider the following when backing up AD LDS:
By default, each instance stores Adamntds.dit and associated log files in %ProgramFiles%\Microsoft ADAM\instancename\data.
You can use Windows Server Backup or any compatible third-party backup utility to back up AD LDS.
You should ensure that the instance is started before backing up its AD LDS folder.
You should ensure that you are a member of the Administrators group or equivalent.
The following process is used when restoring data to an AD LDS instance that was lost during a server hardware failure:
1. Create a new instance specifying the same settings used during the original AD LDS installation, without creating an application partition.
2. Stop the newly created AD LDS instance.
3. Use the backup program to restore the instance and overwrite existing files.
4. Restart the AD LDS instance.
Backup Program
Use dsdbutil.exe to perform an authoritative restore using one of the following commands:
Restore object dn
Restore subtree dn
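The restore steps above as one PowerShell sequence, added here as an example and not part of the original course material. It assumes the instance's service is named ADAM_<instance name>, that the instance stays stopped while dsdbutil runs, and that the instance name and DN passed in are your own values.

```powershell
# Added example, not from the course. Assumptions: the instance's service is named
# ADAM_<InstanceName>, and the instance stays stopped while dsdbutil runs.
param(
    [Parameter(Mandatory = $true)][string]$InstanceName,      # placeholder, e.g. 'instance1'
    [string]$AuthoritativeDn,                                  # optional DN to mark authoritative
    [ValidateSet('object', 'subtree')][string]$Scope = 'object'
)
$ErrorActionPreference = 'Stop'

# Membership in Administrators (or equivalent) is a stated prerequisite.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated session as a member of Administrators.'
}

$serviceName = "ADAM_$InstanceName"
$dataDir     = Join-Path $env:ProgramFiles "Microsoft ADAM\$InstanceName\data"

# Stop the newly created instance so its database files can be overwritten.
Stop-Service -Name $serviceName
Read-Host "Restore the backup over $dataDir with your backup program, then press Enter"

# Refuse to continue if the restore did not put the database back.
if (-not (Test-Path (Join-Path $dataDir 'adamntds.dit'))) {
    throw "adamntds.dit not found in $dataDir; the instance was not restored."
}

# Optional: mark one object or subtree authoritative before the instance is restarted.
if ($AuthoritativeDn) {
    & dsdbutil.exe "activate instance $InstanceName" 'authoritative restore' `
        "restore $Scope $AuthoritativeDn" quit quit
    # Treat a non-zero exit code as a failed run.
    if ($LASTEXITCODE -ne 0) { throw "dsdbutil exited with code $LASTEXITCODE" }
}

# Restart the instance and show its final state.
Start-Service -Name $serviceName
Get-Service -Name $serviceName | Select-Object Name, Status
```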
Authoritative Restore
Restore database
Monitoring AD FS Events
Backing Up AD FS Components
GUI-based
Monitoring AD FS Events
AD FS Trust Policy event log levels can be configured to provide the following information:
Verbose: This is the default level that captures the most information besides debug logging (which is not specific to AD FS Trust Policy logging)
Error: Records significant problem events to the event log
Warning: Records insignificant events that may cause future problems, to the event log
Informational: Records informational logged events, such as token validations or claim mappings
Success Audit: Records a security audit for every successful authentication or changed trust policy to this Federation Service
Records a security audit for every unsuccessful change to trust policy for this Federation Service
Records a detailed security audit for successful authentications
Detailed Failure
Backing Up AD FS Components
Servers running AD FS components must be backed up based on the information in the following table.
Component Files to Back Up
TrustPolicy.xml file Web.config and other files under %systemdrive%\ADFS System state Custom transform module (.dll) and related files Applicationhost.config Web.config and other files under %systemdrive%\ADFS System state Applicationhost.config %systemdrive%\ADFS System state
Federation Service
AD FS Web Agent
Active Directory Rights Management Services Bulk Protection Tool
Windows PowerShell (25 cmdlets for Group Policy)
Windows PowerShell for AD RMS: Set-RmsSvcAccount, Export-RmsTUD
Active Directory Rights Management Services console
Group Policy Management Console
Internet Information Services (IIS) Manager
GUI-based
Log backup
Log shipping
Log trimming
Log Consolidation
Statistics Report: Lists the total number of accounts, domain accounts, and federated identities certified, or granted a rights account certificate (RAC), by the AD RMS root cluster.
System Health: Provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views: Request Type Summary and Request Performance Summary.
Troubleshooting Report
Verify the database to be backed up, the backup type, and the destination
Upon successful backup, a pop-up will indicate that the backup completed
Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Exercise 1: Configuring CA Event Auditing
Exercise 2: Backing Up Active Directory Certificate Services
Logon information
Lab Scenario
You have completed the deployment and configuration of the additional Identity and Access Solutions at Woodgrove Bank. As part of the ongoing maintenance of these services, you need to monitor, back up, and restore AD CS, AD LDS, and AD RMS. ongoing backup of the AD CS component. You also need to test your AD LDS backup and restore procedures. AD RMS reports on a regular basis. You need to prepare the environment for reporting and view some built-in AD RMS reports. enabling AD RMS logging.
Lab Review
In this lab, you have:
Configured CA event auditing
Backed up AD CS
Backed up and restored an AD LDS instance
Configured AD RMS logging
Course Evaluation