
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®


1 Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

2 Module 7: Maintaining Access Management Solutions
- Supporting AD CS
- Maintaining AD LDS
- Maintaining AD FS
- Maintaining AD RMS

3 Lesson 1: Supporting AD CS
- Common AD CS Maintenance Tasks
- Configuration of Role-Based Administration for Managing and Maintaining AD CS
- Tools Used to Maintain AD CS
- Configuration of CA Event Auditing
- How To Configure CA Event Auditing
- Methods of Backing Up and Restoring a CA

4 Common AD CS Maintenance Tasks
- Managing role-based administration
- Configuring and monitoring CA event auditing
- Monitoring system services
- Renewing the CA certificate
- Backing up and restoring the CA

5 Configuration of Role-Based Administration for Managing and Maintaining AD CS
Role (security permission): description
- CA Administrator (Manage CA): Allows configuring and maintaining the CA. This CA role includes the ability to assign other CA roles and to renew the CA certificate.
- Certificate Manager (Issue and Manage Certificates): Allows approving certificate enrollment and revocation requests. This is a CA role, also called the CA officer.
- Backup Operator (Back up files and directories; Restore files and directories): Allows performing system backup and recovery. Backup is an operating system feature.
- Auditor (Manage auditing and security log): Allows configuring, viewing, and maintaining audit logs. This is an operating system feature and an operating system role.
- Enrollees (Read; Enroll): Allows requesting certificates from a CA. This is not a CA role; enrollees are the clients authorized to request certificates.

6 Tools Used to Maintain AD CS
- Server Manager (AD CS role)
- Certification Authority snap-in
- Enterprise PKI snap-in
- Certificate Templates snap-in
- Certutil.exe

7 Configuration of CA Event Auditing
Events that can be audited:
- Back up and restore the CA database
- Issue and manage certificate requests
- Revoke certificates and publish CRLs
- Store and retrieve archived keys
- Start and stop AD CS
- Change the CA configuration
- Change CA security settings

8 Demonstration: How To Configure CA Event Auditing
- To configure the CA for auditing of object access
- To configure CA event auditing
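The two demonstration steps above, as an added PowerShell example that is not part of the course materials: it enables object-access auditing for Certification Services, sets the CA's AuditFilter registry value (a bitmask whose seven bits correspond to the seven event categories on the previous slide), then reads the value back and decodes it so the configuration can be verified. It assumes an elevated prompt on the CA server itself.

```powershell
# Added example (not from the course). Run elevated on the CA.
# Step 1: the CA only emits audit events to the Security log when the OS
# audits object access for the "Certification Services" subcategory.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Step 2: AuditFilter is a bitmask. Each bit turns on one event category.
$categories = [ordered]@{
    1  = 'Back up and restore the CA database'
    2  = 'Change the CA configuration'
    4  = 'Change CA security settings'
    8  = 'Issue and manage certificate requests'
    16 = 'Revoke certificates and publish CRLs'
    32 = 'Store and retrieve archived keys'
    64 = 'Start and stop AD CS'
}
# Enable every category: 1+2+4+8+16+32+64 = 127 (0x7F).
$wanted = ($categories.Keys | Measure-Object -Sum).Sum
certutil -setreg CA\AuditFilter $wanted | Out-Null

# Step 3: read the effective value straight from the registry and decode it,
# which is the check to run after any change or during an audit review.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $regPath).Active
$filter  = (Get-ItemProperty -Path "$regPath\$caName").AuditFilter
"AuditFilter on CA '$caName' = $filter"
foreach ($bit in $categories.Keys) {
    $state = if ($filter -band $bit) { 'ON ' } else { 'OFF' }
    '{0}  {1}' -f $state, $categories[$bit]
}

# The CA service reads AuditFilter at start-up, so restart it to apply.
Restart-Service -Name CertSvc
```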

9 Methods of Backing Up and Restoring a CA
- Windows Server® Backup
- CA administrative console
- Certutil command-line tool
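The Certutil method from the slide above, as an added PowerShell example (not the course's own script): it backs up the CA database and the CA key pair with certutil, exports the CA's registry configuration alongside them (certutil does not back that up), and records the files written. The backup path and password prompt are assumptions; the restore counterpart is shown in comments.

```powershell
# Added example (not from the course). Run elevated on the CA.
$backupRoot = 'D:\CABackup\' + (Get-Date -Format 'yyyy-MM-dd')   # assumed target
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# The CA private key is exported as a PFX, so certutil needs a password
# for it. Prompt rather than hard-code it in the script.
$pfxPassword = Read-Host -Prompt 'Password to protect the exported CA key'

# -backup writes the CA database and logs plus the CA certificate and key.
certutil -p $pfxPassword -backup $backupRoot
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }

# CA settings (CRL periods, AuditFilter, template list, ...) live only in the
# registry and are not part of the certutil backup: export them separately.
$caKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $caKey "$backupRoot\CertSvc-Configuration.reg" /y | Out-Null

# Inventory the result so the backup job leaves an auditable record.
Get-ChildItem -Path $backupRoot -Recurse -File |
    Select-Object FullName, Length, LastWriteTime

# Restore counterpart, run on the rebuilt CA before the service is started:
#   Stop-Service -Name CertSvc
#   certutil -p <password> -restore D:\CABackup\<date>
#   reg import D:\CABackup\<date>\CertSvc-Configuration.reg
#   Start-Service -Name CertSvc
```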

10 Lesson 2: Maintaining AD LDS
- AD LDS Maintenance Tasks
- Backing Up AD LDS
- Restoration of Data to an AD LDS Instance
- Performing an Authoritative Restore of Data on an AD LDS Instance
- How To Back Up and Restore AD LDS Instances

11 AD LDS Maintenance Tasks
AD LDS maintenance tasks include:
- Monitoring system events and services
- Backing up and restoring AD LDS instances
- Performing an authoritative restore of directory objects

12 Backing Up AD LDS
Consider the following when backing up AD LDS:
- By default, each instance stores Adamntds.dit and its associated log files in %Program Files%\Microsoft ADAM\ \data.
- You can use Windows Server® Backup or any compatible third-party backup utility to back up AD LDS.
- Ensure that the instance is started before backing up its AD LDS folder.
- Ensure that you are a member of the Administrators group or equivalent.

13 Restoration of Data to an AD LDS Instance
To restore data to an existing AD LDS instance:
1. Stop the AD LDS instance for which the data will be restored.
2. Use the backup program to restore the instance, overwriting the existing files.
3. Restart the AD LDS instance.
To restore data to a new AD LDS instance that does not belong to a configuration set:
1. Create a new instance with the same settings used during the original AD LDS installation, without creating an application partition.
2. Stop the newly created AD LDS instance.
3. Use the backup program to restore the instance, overwriting the existing files.
4. Restart the AD LDS instance.

14 Performing an Authoritative Restore of Data on an AD LDS Instance
1. Stop the running AD LDS instance for which the data is restored.
2. Use the backup program to restore the instance, overwriting the existing files.
3. At a command prompt, activate the instance by using dsdbutil.
4. Use dsdbutil to perform the authoritative restore with one of the following commands:
   - restore database
   - restore object dn
   - restore subtree dn
(Diagram: backup program, dsdbutil, and the AD LDS instance in the authoritative restore flow.)
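The four-step sequence above scripted in PowerShell, as an added example that is not part of the course: it stops the instance service, puts the restored database files in place, runs dsdbutil non-interactively to mark a subtree authoritative, and restarts the instance. The instance name, the restored-file location (a stand-in for whatever the backup program produces), the data directory and the subtree DN are assumed values.

```powershell
# Added example (not from the course). Run elevated on the AD LDS server.
$instance   = 'ContosoDirectory'                       # assumed instance name
$service    = "ADAM_$instance"                          # AD LDS instances run as ADAM_<name>
$restored   = 'D:\ADLDSRestore\data'                    # assumed: files the backup program restored
$dataDir    = "C:\Program Files\Microsoft ADAM\$instance\data"
$subtreeDn  = 'OU=Sales,DC=contoso,DC=com'              # assumed subtree to make authoritative

# Step 1: stop the instance so Adamntds.dit and the logs can be replaced.
Stop-Service -Name $service
(Get-Service -Name $service).WaitForStatus('Stopped', '00:01:00')

# Step 2: overwrite the instance's database files with the restored copy.
Copy-Item -Path "$restored\*" -Destination $dataDir -Recurse -Force

# Steps 3 and 4: dsdbutil takes its menu commands as quoted arguments, one
# "quit" per menu level. "restore database" or "restore object <dn>" could
# replace "restore subtree" depending on how much must be authoritative.
dsdbutil "activate instance $instance" `
         "authoritative restore" `
         "restore subtree $subtreeDn" `
         quit quit
if ($LASTEXITCODE -ne 0) { throw "dsdbutil failed with exit code $LASTEXITCODE" }

# Bring the instance back. The authoritative restore raised the version
# numbers of the restored objects, so replication partners in the
# configuration set accept them instead of overwriting them.
Start-Service -Name $service
Get-Service -Name $service | Select-Object Name, Status
```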

15 Demonstration: How To Back Up and Restore AD LDS Instances
- To back up a volume that contains an AD LDS instance by using Windows Server® Backup
- To restore an existing AD LDS instance

16 Lesson 3: Maintaining AD FS
- AD FS Maintenance Tasks
- Monitoring AD FS Events
- How To Monitor AD FS Events
- Backing Up AD FS Components

17 AD FS Maintenance Tasks
- Managing server authorization and token certificates
- Monitoring and analyzing event log levels
- Backing up AD FS components
(Diagram: AD FS federation between the Manufacturer as account partner and the Supplier as resource partner.)

18 Monitoring AD FS Events
AD FS trust policy event log levels can be configured to record the following information:
- Error: Records events logged by significant problems to the event log.
- Warning: Records less significant events that may cause future problems to the event log.
- Informational: Records informational events, such as token validations or claim mappings.
- Success Audit: Records a security audit for every successful authentication or change to the trust policy of this Federation Service.
- Failure Audit: Records a security audit for every unsuccessful change to the trust policy of this Federation Service.
- Detailed Success: Records a detailed security audit for successful authentications.
- Detailed Failure: Records a detailed security audit for failed authentications.

19 Demonstration: How To Monitor AD FS Events
- To enable trust policy logging
- To use Server Manager to view events and service summary data

20 Backing Up AD FS Components
Components to back up, by the AD FS component running on the server:
- Federation Service: TrustPolicy.xml file; Web.config and other files under %systemdrive%\ADFS; system state; custom transform module (.dll) and related files; applicationhost.config
- Federation Service Proxy: Web.config and other files under %systemdrive%\ADFS; system state; applicationhost.config
- AD FS Web Agent: Web.config and other files under %systemdrive%\ADFS; system state

21 Lesson 4: Maintaining AD RMS
- AD RMS Maintenance Tasks
- How To Verify AD RMS Logging
- Viewing AD RMS Reports
- Decommissioning AD RMS

22 AD RMS Maintenance Tasks
- Managing AD RMS log information
- Viewing AD RMS reports
- Decommissioning AD RMS

23 Demonstration: How To Verify AD RMS Logging
- To verify that logging is enabled by default
- To verify the configuration in the Properties box of the server node
- To verify that each logged request records:
  - Requestor identification
  - Time of the request
  - Source IP address
  - Identification of the RMS server that handled the request
  - Success of the request

24 Viewing AD RMS Reports
- Statistics Report: Lists the number of total accounts, domain accounts, and federated identities certified, that is, granted a rights account certificate (RAC), by the AD RMS root cluster.
- System Health: Provides information about the overall health of the AD RMS cluster by using a wizard. The System Health report has two views: Request Type Summary and Request Performance Summary.
- Troubleshooting Reports: Assists you in troubleshooting issues with AD RMS licenses by using a wizard.

25 Decommissioning AD RMS
Steps to decommission AD RMS:
1. Encourage creative thinking among team members.
2. Ensure that you have all the information.
3. Manage discussions about the validity of a threat.
4. Include specialized network penetration testers.
5. Apply caution when it involves conflict of interests.
6. Consider technology-specific threats.

26 Lab 7: Maintaining Access Management Solutions
- Exercise 1: Configuring CA Event Logging
- Exercise 2: Implementing role-based administration in AD CS
- Exercise 3: Backing up a CA
- Exercise 4: Reconfiguring AD RMS cluster settings
- Exercise 5: Generating AD RMS Reports
- Exercise 6: Configuring AD RMS logging
Logon information:
- Virtual machine: 6426A-NYC-DC1-B
- User name: Administrator
- Password: Pa$$w0rd
- Domain name: woodgrovebank.com
Estimated time: 60 minutes
