
Official Microsoft Learning Product

6426C: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6426C Part Number: X17-55422 Released: 04/2011

Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Brian Svidergol Content Developer


Brian Svidergol is a subject matter expert focused on enterprise solutions based around Active Directory, Exchange, virtualization, and other infrastructure components. He has successfully completed over 50 migrations and numerous consolidation projects, and has consulted for Fortune 500 organizations and U.S. government agencies. When he's not playing with the latest technology, he's playing blocks with his 2-year-old son Jack.

Nelson Ruest Technical Reviewer


Nelson Ruest is an IT expert focused on virtualization, continuous service availability, and infrastructure optimization. As an enterprise architect, he has designed and implemented Active Directory structures that manage over one million users. He is the co-author of multiple books, including Virtualization: A Beginner's Guide for McGraw-Hill Osborne, MCTS Self-Paced Training Kit (Exam 70-652): Configuring Windows Server Virtualization with Hyper-V, and the best-selling MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory for Microsoft Press.

Contents
Module 1: Exploring Identity and Access Solutions
Lesson 1: Overview of Identity and Access Techniques 1-3
Lesson 2: Active Directory Identity and Access Solutions Server Roles 1-9
Lesson 3: Additional Identity and Access Management Tools and Solutions 1-19
Lab: Identifying IDA Roles to Meet Business Requirements 1-31

Module 2: Deploying and Configuring Active Directory Certificate Services


Lesson 1: Overview of Public Key Infrastructure 2-3
Lesson 2: Overview of Certification Authorities 2-10
Lesson 3: Deploying Certification Authorities 2-20
Lesson 4: Configuring Certification Authorities 2-28
Lesson 5: Troubleshooting Active Directory Certificate Services 2-32
Lab: Deploying and Configuring Active Directory Certificate Services 2-41

Module 3: Deploying and Configuring Certificates


Lesson 1: Managing Certificate Templates 3-3
Lesson 2: Deploying Certificates and Managing Enrollment 3-14
Lesson 3: Managing Certificate Revocation 3-24
Lesson 4: Configuring Certificate Recovery 3-35
Lab: Deploying Certificates and Managing Enrollment 3-44

Module 4: Deploying and Configuring Active Directory Lightweight Directory Services


Lesson 1: Overview of Active Directory Lightweight Directory Services 4-3
Lesson 2: Deploying and Configuring Active Directory Lightweight Directory Services 4-8
Lesson 3: Configuring AD LDS Instances and Partitions 4-16
Lesson 4: Configuring Active Directory Lightweight Directory Services Replication 4-24
Lesson 5: Troubleshooting Active Directory Lightweight Directory Services 4-31
Lab: Deploying and Configuring Active Directory Lightweight Directory Services 4-36

Module 5: Deploying and Configuring Active Directory Federation Services


Lesson 1: Overview of Active Directory Federation Services 2.0 5-3
Lesson 2: Deploying Active Directory Federation Services 5-11
Lesson 3: Configuring Active Directory Federation Services Partner Organizations and Claims 5-19
Lesson 4: Troubleshooting Active Directory Federation Services 5-27
Lab: Deploying and Configuring Active Directory Federation Services 5-35

Module 6: Deploying and Configuring Active Directory Rights Management Services


Lesson 1: Overview of Active Directory Rights Management Services 6-3
Lesson 2: Deploying and Configuring Active Directory Rights Management Services 6-12
Lesson 3: Configuring AD RMS Rights Policy Templates and Exclusion Policies 6-21
Lesson 4: Configuring Active Directory Rights Management Services Trust Policies 6-28
Lesson 5: Troubleshooting Active Directory Rights Management Services 6-35
Lab: Deploying and Configuring Active Directory Rights Management Services 6-41

Module 7: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Lesson 1: Maintaining Active Directory Certificate Services 7-3
Lesson 2: Maintaining Active Directory Lightweight Directory Services 7-10
Lesson 3: Maintaining Active Directory Federation Services 7-18
Lesson 4: Maintaining Active Directory Rights Management Services 7-25
Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions 7-32

Lab Answer Keys


Module 1 Lab: Identifying IDA Roles to Meet Business Requirements L1-1
Module 2 Lab: Deploying and Configuring Active Directory Certificate Services L2-3
Module 3 Lab: Deploying Certificates and Managing Enrollment L3-7
Module 4 Lab: Deploying and Configuring Active Directory Lightweight Directory Services L4-19
Module 5 Lab: Deploying and Configuring Active Directory Federation Services L5-25
Module 6 Lab: Deploying and Configuring Active Directory Rights Management Services L6-45
Module 7 Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions L7-55

MCT USE ONLY. STUDENT USE PROHIBITED


About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

This three-day instructor-led course provides in-depth training on configuring and troubleshooting Active Directory Identity and Access (IDA) solutions in Windows Server 2008 and Windows Server 2008 R2.

Audience
This course is intended for those who want to learn how IDA solutions are implemented in Windows Server 2008 and Windows Server 2008 R2. It is also intended for those preparing for MCTS: Windows Server 2008 Active Directory certification. This course provides a technology overview of IDA and PKI solutions, and details the implementation of each of the roles in Windows Server 2008 and Windows Server 2008 R2 that implement the IDA solution.

Student Prerequisites
This course requires that you meet the following prerequisites:

• Technical skills in Active Directory Domain Services (AD DS). This includes technical skills equivalent to 6425C: Configuring Windows Server 2008 Active Directory Domain Services.
• Technical skills in Windows Server 2008 equivalent to 6419B: Configuring, Managing and Maintaining Windows Server 2008 Servers.

Course Objectives
After completing this course, students will be able to:

• Describe the fundamental IDA components and Windows Server 2008 and Windows Server 2008 R2 IDA technologies.
• Deploy, configure, troubleshoot, and maintain Active Directory Certificate Services (AD CS).
• Deploy, configure, and manage certificates.
• Deploy, configure, and troubleshoot Active Directory Lightweight Directory Services (AD LDS).
• Deploy, configure, and troubleshoot Active Directory Federation Services 2.0 (AD FS 2.0).
• Deploy, configure, and troubleshoot Active Directory Rights Management Services (AD RMS).
• Maintain Windows Server 2008 and Windows Server 2008 R2 Active Directory IDA solutions.

Course Outline
This section provides an outline of the course:

Module 1, Exploring Identity and Access Solutions introduces Identity and Access Management (IDA Management) solutions. You will learn the fundamental IDA components and Windows Server 2008 and Windows Server 2008 R2 IDA technologies. This module also provides an overview of Microsoft Forefront technologies that further enhance IDA solutions.

Module 2, Deploying and Configuring Active Directory Certificate Services explains the concepts of public key infrastructure (PKI) and certification authority (CA). You will learn how to deploy a CA hierarchy and install AD CS. This module also describes how to configure AD CS and how to resolve common AD CS issues.


Module 3, Deploying and Configuring Certificates describes the deployment of certificates by using AD CS. In addition, the module elaborates on managing enrollment to deploy certificates, certificate revocation, and configuration of certificate template and certificate recovery.

Module 4, Deploying and Configuring Active Directory Lightweight Directory Services explains the concept of AD LDS. You will learn how to install AD LDS, configure AD LDS instances and partitions, and configure AD LDS replication. This module also describes how to resolve common AD LDS issues.

Module 5, Deploying and Configuring Active Directory Federation Services presents the concept of AD FS 2.0 and its deployment scenarios. You will learn how to deploy AD FS 2.0 and implement AD FS claims. This module also describes how to resolve common AD FS issues.

Module 6, Deploying and Configuring Active Directory Rights Management Services explains the concept of AD RMS. You will learn how to install and configure AD RMS server components, administer AD RMS rights policy templates, and implement AD RMS trust policies. This module also describes how to resolve common AD RMS issues.

Module 7, Maintaining Windows Server 2008 Active Directory Identity and Access Solutions explains the maintenance of AD CS, AD LDS, AD FS 2.0, and AD RMS.

Exam/Course Mapping

This course, 6426C: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory, in conjunction with course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services, is aligned to the exam objectives for the Microsoft exam 70-642: TS: Windows Server 2008 Active Directory, Configuring. The table below is provided as a study aid that will assist you in preparing for this exam and shows how the exam objectives and the course content fit together. The course is not designed exclusively to support the exam but rather provides broader knowledge and skills to allow a real-world implementation of the particular technology. The course will also contain content that is not directly covered in the examination and will utilize the unique experience and skills of your qualified Microsoft Certified Trainer.

Note: The exam objectives are available online at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-642#tab2

Columns: Exam Objectives | 6425C Content | 6425C Lab | 6426C Content | 6426C Lab

Configuring Domain Name System (DNS) for Active Directory
Configure zones | Module 10 Lesson 1 to 4 | Lab A Ex 2, Lab B Ex 1/2 | (none) | (none)
Configure DNS server settings | Module 10 Lesson 1 to 4 | Lab B Ex 1 | (none) | (none)
Configure zone transfers and replication | Module 10 Lesson 1 to 4 | Lab B Ex 3/4 | (none) | (none)


(continued)

6425C Content Lab Configuring the Active Directory Infrastructure Module 1 Lesson 2/3 Ex 2 /3 Module 1 Configure a forest or a domain Lesson 2/3 Exam Objectives Module 11 Lesson 1/2 Module 14 Lesson 1/3 Module 14 Configure trusts Lesson 2 Module 12 Configure sites Lesson 1 Module 11 Lesson 4 Configure Active Directory replication Module 12 Lesson 3 Module 12 Configure the global catalog Lesson 2 Module 11 Configure operations masters Lesson 3 Configuring Active Directory Roles and Services Lab A Lab B

6426C Content Lab

Lab Ex 1/2 Lab A Lab D Lab C Lab B Lab C Module 1 Lesson 1/2

Lab Ex 1 Lab Ex 1/2/3 Lab Ex 1

Configure Active Directory Lightweight Directory Service (AD LDS).

Module 4 Lessons 1 to 5 Module 7 Lesson 2 Module 1 Lesson 1/2

Lab Ex 1 Lab Ex 1 to 4 Lab Ex 1

Configure Active Directory Rights Management Service (AD RMS)

Module 6 Lesson 1 to 5 Module 7 Lesson 4


(continued)

6425C Content Lab Configuring Active Directory Roles and Services Module 9 Lab C Ex Lesson 3 1/2/3 Configure the read-only domain Module 10 controller (RODC) Lesson 3 Module 11 Lesson 4 Lab D Exam Objectives

6426C Content Lab

Module 1 Lesson 1/2 Configure Active Directory Federation Services (AD FSv2) Module 5 Lessons 1 to 4 Module 7 Lesson 3 Creating and Maintaining Active Directory Objects Module 3 Lesson 1/2/3 Automate creation of Active Directory accounts Module 4 Lesson 1/2/3 Module 5 Lessons 1/2/3 Module 3 Lesson 4 Module 4 Lesson 1/2/3 Module 5 Lessons 1/2/3 Module 7 Lessons 1 Module 6 Lessons 2/4/5/6/7

Lab Ex 1

Lab Lab Ex 1

Labs A/B/C

Labs A/B

Lab A/B/C Lab D Ex 1

Maintain Active Directory accounts

Labs A/B

Lab A/B/C Lab A

Create and apply Group Policy objects (GPOs)

Labs B/D/E


(continued)

6425C Content Lab Creating and Maintaining Active Directory Objects Module 6 Configure GPO templates Lessons 3 Labs C Exam Objectives Deploy and manage software by using GPOs Configure account policies Module 7 Lessons 2/4/5 Module 9 Lesson 1 Module 8 Lesson 2

6426C Content Lab

Labs D/E Lab A Ex 1/2 Lab B Lab B

Configure audit policy by using GPOs

Module 9 Lesson 2 Maintaining the Active Directory Environment Module 13 Lesson 2/3/4 Module 13 Perform offline maintenance Lesson 2 Module 2 lesson 4 Monitor Active Directory Module 13 Lesson 3 Configuring Active Directory Certificate Services Configure backup and recovery

Lab B/C/D Lab B Lab C Ex 1

Install Active Directory Certificate Services

Module 1 Lesson 1/2 Module 2 Lesson 2/3 Module 1 Lesson 1/2 Module 2 Lesson 4/5

Lab Ex 1 Lab Ex 1/2

Configure CA server settings

Lab Ex 1 Lab Ex 1/2


(continued)

6425C Content Lab Configuring Active Directory Certificate Services Exam Objectives

6426C Content Lab Module 3 Lesson 1/4 Module 7 Lesson 1 Module 3 Lesson 2 Module 3 Lesson 3

Manage certificate templates

Lab Ex 1/2/4

Manage enrollments Manage certificate revocations

Lab Ex 2 Lab Ex 3

Important: Attending this course alone will not successfully prepare you to pass any associated certification exams.

The taking of this course does not guarantee that you will automatically pass any certification exam. In addition to attendance at this course, you should also have the following:

• A minimum of 1-2 years of real-world, hands-on experience configuring and implementing a Windows Server 2008 Active Directory environment
• Additional study outside of the content in this handbook

There are additional study and preparation resources, such as practice tests, available for you to prepare for this exam. The details of these are available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-642#tab3

You should familiarize yourself with the audience profile and exam prerequisites to ensure you are sufficiently prepared before taking the certification exam. The complete audience profile for this exam is available at the following URL: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-642#tab1

The exam/course mapping table outlined above is accurate at the time of printing; however, it is subject to change at any time, and Microsoft bears no responsibility for any discrepancies between the version published here and the version available online and will provide no notification of such changes.


Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

• Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.

• Modules: Include companion content, such as questions and answers, detailed demo steps, and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Student Course Files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course Evaluation

At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send email to support@mscourseware.com. To inquire about the Microsoft Certification Program, send email to mcphelp@microsoft.com.


Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course. Detailed steps for setting up the classroom are contained in the classroom setup guide.

Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V deployed on Windows Server 2008 to perform the labs.

Important: Before starting the virtual machines the first time, you must create a StartingImage snapshot for each virtual machine. At the end of each lab, you must close the virtual machine and revert to the StartingImage snapshot.

To revert a virtual machine to the StartingImage snapshot, perform the following steps:

1. In Hyper-V Manager, in the Snapshots pane, right-click the StartingImage snapshot, and click Apply.
2. In the Apply Snapshot dialog box, click Apply.

The following table shows the role of each virtual machine used in this course:

Virtual machine | Role
6426C-NYC-DC1 | Windows Server 2008 R2 domain controller in the Contoso.com domain (Private Network A)
6426C-NYC-SVR1 | Windows Server 2008 R2 member server in the Contoso.com domain (Private Network A)
6426C-NYC-CL1 | Windows 7 64-bit computer with Office 2010 in the Contoso.com domain (Private Network A)
6426C-MIA-DC1 | Windows Server 2008 R2 domain controller in the WoodgroveBank.com domain (Private Network A)
6426C-NYC-DC1-B | Windows Server 2008 R2 domain controller in the Contoso.com domain (Private Network B)
6426C-NYC-SVR1-B | Windows Server 2008 R2 member server in the Contoso.com domain (Private Network B)

Software Configuration
The following software is installed on each VM:

• Windows Server 2008 R2 Enterprise
• Windows 7

Course Files
There are files associated with the labs in this course. The lab files are located in the folder X:\Labfiles\ModXX on the Allfiles drive of the virtual machines.


Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way. Each classroom computer will serve as the host for several virtual machines that will run in Hyper-V. Domain or workgroup membership for the host computer does not matter, nor does the network configuration of the host computers. After completion of the setup, all computers will be configured to run several virtual machines running Windows Server 2008 R2 and Windows 7.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
• Dual 120 GB hard disks, 7200 RPM SATA or better*
• 4 GB RAM
• DVD drive
• Network adapter
• Super VGA (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers

*Striped


Module 1
Exploring Identity and Access Solutions
Contents:
Lesson 1: Overview of Identity and Access Techniques 1-3
Lesson 2: Active Directory Identity and Access Solutions Server Roles 1-9
Lesson 3: Additional Identity and Access Management Tools and Solutions 1-19
Lab: Identifying IDA Roles to Meet Business Requirements 1-31


Module Overview

These days, people commonly access multiple systems and resources. They connect to resources from an internal or home network, from the internet, and from corporate partner networks. Environments typically consist of more than one authentication repository. Sometimes, corporate authentication repositories are maintained by different departments within IT. And users sometimes have user accounts in each authentication repository.

Identity and Access (IDA) management simplifies the user experience for online users while streamlining the administrative effort of IT departments. IDA management solutions are a set of technologies and products designed to help organizations manage user identities and associated access privileges by establishing a single authoritative source for user authentication.

The cost and administrative effort required to securely and efficiently manage multiple authentication repositories, identities, and policies is substantial. In large enterprise environments made up of diverse systems, the administrative effort can be overwhelming. However, without a good IDA solution, companies risk security breaches, regulatory compliance breakdowns, inefficient employee productivity, and ineffective user or customer support.

Management of user identities and efficient access to critical information is a top priority for most organizations today. Any IDA solution, whether deployed in support of a small business or a large enterprise, is a balance between security and accessibility. The challenge for the IT professional who designs and implements an IDA solution is to understand the balance. Fundamentally, they must implement a system that meets the business requirements without imposing undue restrictions or inefficiencies on users. To understand the balance between security and accessibility, the IT professional must gather and understand the business reasons for considering an IDA solution.
This module covers IDA solutions from the business perspective, and maps the business problems to technical solutions.

Objectives
After completing this module, you will be able to:

• Describe identity and access techniques.
• Describe Windows Server 2008 IDA server roles.
• Describe additional IDA tools and solutions.


Lesson 1

Overview of Identity and Access Techniques

IDA control consists of three core elements that are equally important. These elements work together to form the information security triad (also known as the CIA triad). These elements are:

• Confidentiality: This ensures that information is only accessible to authorized persons. For example, when an online application accepts a credit card number, there is an expectation that the credit card number is kept safe from unauthorized access. A second example is the storage of patient medical records on a doctor's computer; patient medical records must remain confidential.

• Integrity: In this context, integrity refers to storing and transferring information while preventing it from being modified or intercepted by unauthorized personnel. The previous example is applicable in this scenario. When an application receives a request to transmit sensitive information, such as the medical records of a patient or a credit card number, there is an expectation that the request is validated as originating from an authorized source, and that the information is transmitted without modification.

• Availability: In this context, availability refers to information being available when it is requested. For example, when an application requests a patient's medical records or a credit card number, there is an expectation that the information is available to the application as necessary. This means that the systems used to protect that data are also available.

Objectives
After completing this lesson, you will be able to:

• Describe the business case for identity and access control.
• Describe IDA management solutions.
• Describe the end user and administrative enhancements that IDA provides.


The Business Case for Identity and Access Control

Key Points

Generally, when an IT professional deploys an IDA solution, it is not because his manager asked him to install a particular piece of technology; it is usually in response to a particular business problem. There are many problems that can be solved by IDA solutions, which can be summarized as follows:

• Reducing the information access workload: It is challenging to manage the identity and access problems within a single domain. When multiple domains or external systems and solutions are added, it can become a management nightmare.

• Increase operational security: IT environments are becoming more and more complex, as well as more connected. Workforces are also more mobile. These issues interact to force IT professionals to consider security solutions that encompass more than one boundary.

• Enable secure cross-organizational collaboration: Since the introduction of email, organizations have increasingly been communicating and collaborating through this medium. Although this makes for an efficient collaboration strategy, it is not very secure, nor does it have many built-in mechanisms to protect intellectual property.

• Protect intellectual property: There are many aspects to protecting corporate documents and other intellectual property. Even something as innocent as an email message could contain information that, when used in an improper manner, could lead to serious consequences.

Not explicitly listed, but implied as part of the increased operational security bullet point, are legal requirements around data storage, access, and usage. There are complex and varied legal obligations around the globe concerning what personal information can and cannot be stored and how that information can be accessed and used. The cost and effort required to effectively and securely implement and manage user access and control in a corporate network made up of multiple, diverse systems can be overwhelming. However, the failure to do so risks security breaches, regulatory compliance breakdowns, and an inability to effectively deploy new business initiatives.

Windows Server 2008 contains roles and is capable of running services that can be used to implement IDA solutions and address these challenges.


Most organizations today make use of some type of directory service to assist in implementing some of the three elements of identity access control. A directory service lends itself to this purpose by maintaining a centralized directory of all objects on a network, thus allowing for the identification of access requests. By assigning access controls to objects and groups on a network, directory services can then provide a basic level of access control. However, as organizations and businesses grow and expand, more and more applications with unique requirements and internal or proprietary directories need to be protected. In such cases, directory services can become unwieldy, leading to unwanted tradeoffs in design and implementation. The implementation of IDA solutions can remedy such problems and allow businesses and organizations to grow without sacrificing their business requirements.

Question: What are two business reasons to implement IDA?

Configuring and Troubleshooting Identity Access Solutions with Windows Server 2008 Active Directory

IDA Management Solutions

Key Points

IDA management solutions help you manage the various identities that users may have. Many organizations are struggling with the demands of maintaining independent directories. The directories are sometimes maintained by different departments within an organization, which leads to additional management issues. This phenomenon is sometimes referred to as directory sprawl. The following list shows features of IDA management solutions:

• Maintaining multiple identity stores in an organization: IDA solutions help you simplify the maintenance and administration of multiple identity stores. These stores can include products such as:
  - Active Directory Domain Services (AD DS)
  - Active Directory Lightweight Directory Services (AD LDS)
  - Lotus Notes
  - Novell eDirectory
  - HR databases
  - Active Directory-enabled applications

• Determining the current and authoritative identity information: IDA solutions enable you to synchronize, maintain, and update identity information across multiple identity stores. Authoritative identity in this context means designating, for each attribute, the source that owns it. That source acts as the trusted source of information, against which synchronized information can be validated.

• Provisioning and deprovisioning user accounts: Provisioning and deprovisioning is the process of providing and taking away user accounts and access to enterprise resources. IDA solutions can be used to automate the provisioning process. Automation ensures data consistency, integrity, and enhanced security as compared to manual processes.

• Authenticating and authorizing users: IDA solutions ensure that a user's identity is authenticated and then authorized against access control information, such as an access control list (ACL), which determines the level of access that identity has to specific resources.


• Securing shared information: IDA solutions help you securely exchange confidential information across disparate networks.

• Securing collaboration between partners and vendors: With IDA solutions, you can use domain trusts, forest trusts, and federation for vendors, external partners, and other divisions to securely share and access data and resources.

• Securing access and distribution of sensitive data: With IDA solutions, you can safeguard confidential business details from unauthorized access and distribution even if the file containing the information is compromised. For example, a Microsoft PowerPoint presentation can be secured using Active Directory Rights Management Services (AD RMS) to ensure only employees have access to read the presentation, even if the file itself falls into unauthorized hands.

Question: What benefits do IDA management solutions provide to end users?


Discussion: What End User and Administrative Enhancements Does IDA Provide?

Key Points

IDA technologies encompass a wide range of products and roles. Most organizations have some form of IDA in place, while few have a complete IDA solution involving several technologies working together.

What IDA technologies are you currently running in your organization? It starts with the receptionist, who serves as an IDA component to identify visitors, determine access requirements, and grant access.

What business enhancements do your IDA technologies provide? Tighter security, the ability to meet compliance requirements, and a reduction in operational overhead by simplifying the management of multiple authentication repositories.

What risks does your business currently face that IDA could help mitigate? Inability to identify who has access to what, an inefficient employee off-boarding process, and authentication repositories with mismatching information.

IDA solutions also provide many other benefits. Operational benefits, end user benefits, and ease of use are a few benefits often associated with IDA solutions.

Question: How can IDA solutions simplify IT operations?
Question: How do IDA solutions change the way people access enterprise resources?
Question: How does IDA factor into auditing and compliance?
Question: What obstacles do organizations without IDA have to overcome?


Lesson 2

Active Directory Identity and Access Solutions Server Roles

As introduced in Lesson 1, IDA management can be used to address identity management challenges, such as maintaining multiple identity stores in an organization, securely authenticating and authorizing users, and enhancing security for shared information.

The first step in planning the implementation of IDA management is to evaluate the requirements for the Windows Server 2008 IDA-related server roles. A directory service manages and stores information about users and other entities, such as computers, security groups, and printer objects. Windows Server 2008 provides a complete IDA solution through the implementation of specific Windows Server 2008 roles. These roles, working both individually and collectively, combine to provide a comprehensive IDA solution to fit specific business and organizational challenges. Additional technologies outside of these roles, such as Microsoft Forefront Identity Manager 2010 (FIM 2010) and Microsoft Forefront Unified Access Gateway 2010 (UAG 2010), enhance and build upon these roles.

Objectives
After completing this module, you will be able to:
• Describe Active Directory Domain Services.
• Describe Active Directory Certificate Services.
• Describe Active Directory Lightweight Directory Services.
• Describe Active Directory Federation Services.
• Describe Active Directory Rights Management Services.


What Is Active Directory Domain Services?

Key Points

Active Directory Domain Services (AD DS) is a Windows Server 2008 server role that provides a directory service on top of which all other IDA services build and function. AD DS provides a centralized, multimaster database for storing users, groups, computers, and policies.

AD DS is often the authoritative source for enterprise resources and is used by client and server operating systems, messaging and collaboration software, and several other enterprise applications, as these systems use AD DS for authentication and authorization. AD DS is a building block from which to extend authentication and authorization to other directories, applications, and organizations while maximizing user efficiency.

Question: How does Active Directory fit into the IDA architecture?
Question: What types of objects does Active Directory store?
Question: What does it mean for a directory service to be an authoritative source?


What Is Active Directory Certificate Services?

Key Points

Active Directory Certificate Services (AD CS) provides services for creating, managing, and distributing digital certificates. AD CS can automate public key infrastructure (PKI) services across the enterprise by utilizing Group Policy. Digital certificates can be distributed to users and computers and used to secure communications in Internet Information Server (IIS), Microsoft Outlook, and many other applications.

Organizations require authentication solutions to provide an efficient process to authenticate credentials and control access to resources based on trust and identity. The following table describes some of the uses of strong authentication server roles:

Feature: Ensures access security
Description: Strong authentication provides a secure access method to authenticate users and devices as compared to the user name and password method.

Feature: Ensures secure exchange of information
Description: Certificates establish identity and create trusts for the secure exchange of information.

Feature: Enhances organizational security
Description: AD CS enhances security by binding the identity of a person, device, or service to a corresponding private key.

Feature: Manages the distribution and use of certificates
Description: AD CS provides tools and services to manage the distribution and use of certificates and certificate revocation in various environments.

As organizations implement BitLocker to provide encryption for employees' desktop computers, they quickly find out that it relies on digital certificates. While BitLocker can function with self-signed certificates, a large enterprise needs a method to automate the distribution of trusted digital certificates. The logical choice is AD CS, which automates the distribution of digital certificates by using Group Policy and lets the enterprise implement BitLocker with less administrative overhead.


Active Directory Certificate Services (AD CS) will be discussed in depth in Module 2, Deploying and Configuring Active Directory Certificate Services.

Question: What are some common applications that can take advantage of digital certificates?
Question: In what areas does AD CS enhance security?
Question: What method is used to automate the deployment of digital certificates?


What Is Active Directory Lightweight Directory Services?

Key Points

Active Directory Lightweight Directory Services (AD LDS) provides organizations with a lightweight, flexible directory service when they do not require the services or overhead of a complete Active Directory Domain Services (AD DS) environment.

• Provides directory service: AD LDS provides directory services for directory-enabled applications without the dependencies required for AD DS, such as the need for domains and forests or the requirement for a single schema throughout a forest. AD LDS gives you all the benefits of having a directory but none of the features for managing resources on a network.

• Allows data synchronization: You can synchronize data from an AD DS forest to a configuration set of an AD LDS instance. To synchronize the data, you can use the Active Directory to ADAM Synchronizer tool, adamsync.exe.

Note: AD LDS was previously called Active Directory Application Mode (ADAM), a feature that was available as a free download from Microsoft. AD LDS is now available as an installable role in Windows Server 2008 and Windows Server 2008 R2.

• Allows storage of application data: AD LDS allows storage of an organization's application data without the deployment of a domain controller.

When a company is looking for a method to quickly and easily test new software releases, it can turn to AD LDS, which enables developers to host directory services on development workstations without the management overhead of Active Directory Domain Services. Additionally, developers can run multiple, independent instances of AD LDS on a single computer, which increases efficiency and minimizes hardware costs.


AD LDS will be discussed further in Module 4, Deploying and Configuring Active Directory Lightweight Directory Services.

Question: Before AD LDS, what did organizations use for their applications?
Question: What makes AD LDS more efficient than AD DS?
Question: Can AD LDS replicate with AD DS?


What Is Active Directory Federation Services?

Key Points

Active Directory Federation Services 2.0 (AD FS) is a technology that simplifies access, provides single sign-on (SSO), and facilitates cross-organization collaboration by enabling single or multiple organizations to share information in a secure manner. AD FS can extend the use of Active Directory Rights Management Services (AD RMS), allow for cross-organization authentication using AD DS, and provide simplified access to cloud-based services. The following are the typical AD FS 2.0 deployment scenarios:

• Federated Web SSO: This supports business-to-business (B2B) scenarios where information can be exchanged and shared between partners in different organizations. This is the most well-known implementation of federation services.

• Web or internal SSO to claims-based identity applications in a single organization: This can be implemented to accommodate SSO access to multiple line-of-business applications, accommodate multiple users working off-site, or manage authentication where mergers and acquisitions have taken place.

• Federation with cloud services: This provides SSO access to cloud-based platforms such as Windows Azure and online services such as Office 365 or the Microsoft Business Productivity Suite, which contains Exchange Online, SharePoint Online, and other software services. Cloud-based services are becoming more widespread, and AD FS 2.0 allows users to access multiple platforms with a single set of credentials. This capability is supported for both Microsoft and non-Microsoft cloud services.

Requirements differ depending on the specific implementation. Typical points to consider, or to be aware of, are as follows:

• AD FS 2.0 requires an account store, such as AD DS, to authenticate users.

• AD FS 2.0 supports web applications such as token-based and claims-aware applications that run on Windows.


AD FS 2.0 allows organizations to share resources while maintaining separate account management strategies, and provides the ability to share contacts and free/busy information in Outlook 2010, Unified Communicator information sharing, and the ability to use Microsoft SQL Server 2008 Reporting Services to report to external customers. AD FS 2.0 supports the following types of claims used for authorization purposes in an application:

• Identity claims such as user principal name (UPN), email, and common name
• Group claims
• Custom claims

AD FS 2.0 is discussed further in Module 5, Deploying and Configuring Active Directory Federation Services. Typical business reasons to implement AD FS 2.0 could include:

• Allowing external clients or customers to see Microsoft SharePoint sites.
• The ability to use common ports, such as 443 (HTTPS).
• The ability to share contacts and free/busy information in Outlook 2010.
• The ability to use SQL Server Reporting Services to report to outside customers.

For many organizations, Microsoft SharePoint stores project documents for employees. If a business partner wants to securely access those documents, AD FS 2.0 is a solution that allows the partner organization to access the confidential documents.

Question: Which server role is primarily enhanced by using AD FS 2.0?
Question: What two types of web applications does AD FS 2.0 support?
Question: What does AD FS 2.0 bring to partner organizations using Outlook 2010?


What Is Active Directory Rights Management Services?

Key Points

Active Directory Rights Management Services (AD RMS) provides information protection for AD RMS-enabled applications such as Microsoft Office, Microsoft Exchange, and Microsoft SharePoint. AD RMS is built on top of AD DS and uses encryption and AD RMS policies to determine who has access to the content and how long the content can be viewed before it expires. A key differentiator is that AD RMS protects information both before and after it leaves the corporate network.

Information protection helps eliminate unauthorized viewing and distribution of sensitive corporate data. AD RMS technology manages and enforces access policies to safeguard sensitive electronic information from unauthorized use and distribution. This contrasts with existing security solutions such as ACLs and firewalls, where the privacy of the data is lost after it is accessed and received.

AD RMS helps you protect various forms of digital assets such as sensitive documents, email messages, and other content regardless of where and when the access occurs. You can deploy AD RMS for internal and external use. AD RMS rights policy templates specify the rights and conditions that apply to protected content, such as Copy, Edit, and Print. You can integrate AD RMS with AD FS to share rights-protected content between organizations without deploying AD RMS in both organizations. AD RMS-enabled client computers must have an AD RMS-enabled browser such as Windows Internet Explorer 7 or above, or an application such as Microsoft Word, Microsoft Outlook, or Microsoft PowerPoint. If users do not have these applications, they cannot use or view the protected documents, so the security of the documents continues to be maintained.

For example: A law office was taking on some high profile cases and needed to ensure that case files were protected from unauthorized viewing. Lawyers stored case files in Microsoft SharePoint. The law office added the AD RMS server role to a Windows Server 2008 server and used the tight integration between Microsoft SharePoint and AD RMS. This enabled the lawyers to set up SharePoint document libraries with Information Rights Management (IRM) policies that mandated the necessary protection for the case documents.
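To make the AD RMS model concrete (the policy travels with the encrypted content and is enforced each time a consumer asks for a license, wherever the file is), here is an added Python illustration; it is not Microsoft or AD RMS code. The cipher, the in-memory server class and the sample principals and rights are constructed stand-ins: a real deployment uses AES and the server's public key, not a hash keystream and a key table.

```python
import hashlib
import secrets


# Stand-in cipher for this illustration only: a SHA-256 counter keystream
# XORed with the content. AD RMS itself uses AES; the point is that the
# bytes in the file are useless without the content key in a use license.
def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class RmsServer:
    """Stand-in for the AD RMS licensing service. It keeps the content keys
    (a real server receives them encrypted to its own public key inside the
    publishing license) and issues use licenses only to principals named in
    the publishing license, and only while the content has not expired."""

    def __init__(self):
        self._content_keys = {}

    def publish(self, plaintext: bytes, rights: dict, expires_at: int):
        """Protect content: returns (publishing license, encrypted bytes).
        rights maps a user principal to the rights granted to it."""
        content_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._content_keys[content_id] = key
        publishing_license = {
            "content_id": content_id,
            "rights": {user: list(r) for user, r in rights.items()},
            "expires_at": expires_at,
        }
        return publishing_license, keystream_xor(key, plaintext)

    def request_use_license(self, user: str, publishing_license: dict,
                            now: int) -> dict:
        """Policy enforcement point: the policy embedded in the publishing
        license is checked on every access request, inside or outside the
        corporate network."""
        if now >= publishing_license["expires_at"]:
            raise PermissionError("content has expired")
        granted = publishing_license["rights"].get(user)
        if not granted:
            raise PermissionError(f"{user} has no rights to this content")
        return {
            "user": user,
            "rights": set(granted),
            "key": self._content_keys[publishing_license["content_id"]],
        }


def open_protected(ciphertext: bytes, use_license: dict) -> bytes:
    """Consumer side: decrypt with the key delivered in the use license."""
    return keystream_xor(use_license["key"], ciphertext)


def has_right(use_license: dict, right: str) -> bool:
    """An AD RMS-enabled application consults the use license before it
    enables an action such as Copy, Edit, or Print."""
    return right in use_license["rights"]
```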


AD RMS is discussed further in Module 6, Deploying and Configuring Active Directory Rights Management Services.

Question: Can AD RMS protect any document type?
Question: Besides Microsoft Office, what other applications work with AD RMS?
Question: What is required to enable a partner organization to view another company's AD RMS-protected content?


Lesson 3

Additional Identity and Access Management Tools and Solutions

In addition to the Windows Server 2008 IDA roles, Microsoft offers other technologies that further enhance IDA and offer more benefits. Some of these technologies are available as a free download while others are products that require separate licenses.

These additional solutions simplify the management life cycle of a user's digital identity by providing capabilities such as smart cards and by integrating the management of certificates, passwords, and user provisioning in an organization. These solutions also allow you to consolidate various identity repositories, such as AD DS forests or third-party LDAP services, into a single directory store. This lesson also discusses technologies that simplify identity on the internet and separate identity logic from applications.

Objectives
After completing this lesson, you will be able to:
• Describe the Forefront product range.
• Describe Forefront Identity Manager 2010 (FIM 2010).
• Describe FIM 2010 User and Group Management.
• Describe Forefront Unified Access Gateway (UAG) 2010.
• Describe Windows Identity Foundation (WIF) and Windows CardSpace.
• Describe interoperability between Windows Server 2008 identity and access solution server roles.


What Is the Forefront Product Range for IDA?

Key Points
Forefront offers the following products, which enhance IDA management solutions:

• Forefront Identity Manager (FIM) 2010
• Forefront Unified Access Gateway (UAG) 2010

FIM 2010

FIM 2010 is Microsoft's identity management solution that offers comprehensive metadirectory, certificate, smart card management, and user provisioning services. FIM 2010 builds upon the services available in Identity Lifecycle Manager (ILM) 2007 by adding integrated user management and self-service management of credentials, groups, policies, and passwords. FIM 2010 includes the following features:

• Identity synchronization
• Certificate and smart card management
• User provisioning

UAG 2010

UAG 2010 delivers secure remote access to corporate resources for employees, partners, and vendors. UAG 2010 builds upon the technologies in the Intelligent Application Gateway (IAG) product. UAG 2010 extends DirectAccess and offers SSL virtual private network (VPN) connectivity. DirectAccess, introduced in Windows 7 and Windows Server 2008 R2, allows remote users to securely access enterprise resources without connecting to a VPN. UAG 2010 includes the following benefits:

• Anywhere Access
• Integrated Security
• Simplified Management


FIM 2010 Overview

Key Points

FIM 2010 offers a wide range of IDA features and benefits. FIM 2010 ties directly into some of the other IDA roles such as AD DS for authentication and AD CS for digital certificates and smartcards. This lesson focuses on the three features that FIM 2010 offers for IDA.

Identity Synchronization

Organizations that have multiple identity directories need to ensure that those directories all contain the same information. If information changes in one directory, it should be synchronized to the other directories. FIM 2010 provides this identity synchronization. The following table outlines the components of synchronization:

Component: Connected Data Source (CD)
Description: This component provides extensibility to develop additional connectors. There are built-in connectors to most of the common identity stores.

Component: Metaverse (MV)
Description: This component is a data store that contains the aggregated identity information from multiple connected data sources. MV provides a single, global, integrated view of identity data staged in the connector spaces.

Component: Connector Space (CS)
Description: This component is a location that stores information from various sources, for example, an HR database and an email system. It helps maintain and synchronize data across multiple directories or data stores. CS can determine the change in the connected data source. It helps stage incoming changes.

Component: Management Agent (MA)
Description: This component links specific connected data sources to FIM 2010. The MA is responsible for moving data between a connected data source and FIM 2010.


Certificate and Smart Card Management

FIM 2010 acts as an administrative proxy and all digital certificate and smartcard management functions pass through FIM 2010. For example, if a user requests a new digital certificate, the request goes through FIM 2010. FIM 2010 uses the following components to manage certificates:

• Server-side components: The server provides a web portal and is the focal point of administrative functions. It implements all certificate-based functionality, and communicates with the FIM 2010 database, Active Directory, and all managed CAs.

• Certificate authority plug-in: A FIM 2010 policy module and an exit module must be installed and configured locally on each CA server to actively manage a CA. These modules communicate with the FIM 2010 server, control the behavior of the CA, and provide centralized logging and auditing.

• Client-side components: End users and administrators can manage smart cards by providing a connection from a computer to a smart card. The user can manage smart cards by using the portal.

The Microsoft Forefront Identity Manager Certificate Management (FIM CM) client includes the following components:

• Smart card self-service control: Provides certificate management capabilities.
• Smart card personalization control: Allows you to manage smart card applets that exist on the smart card.
• Bulk issuance client: Centralizes large-scale smart card deployment scenarios.

User Provisioning

FIM 2010 automates user provisioning and deprovisioning by using workflows. Workflows can be started on a schedule to ensure that the user provisioning process takes place at specified times. Additionally, the user provisioning process can be codeless. FIM 2010 is commonly used to perform inbound synchronization from an HR database to FIM 2010 and then to AD DS. This allows automatic creation of users in Active Directory as they are added to the HR database.
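To show how the connector space, metaverse and management agents fit together, including attribute precedence for the authoritative source (the "determining the current and authoritative identity information" feature in Lesson 1) and the HR-to-AD DS provisioning flow described here, this added Python simulation walks one import, sync and export run. It is not FIM 2010 code: the HR_DB and AD_DS dictionaries, the PRECEDENCE table and the attribute names are constructed for the example.

```python
from copy import deepcopy

# Constructed sample identity stores for this illustration (not real data).
# The HR database is authoritative for name, title and status; AD DS is the
# provisioning target and owns sAMAccountName.
HR_DB = {
    "1001": {"givenName": "Ana", "sn": "Silva", "title": "Engineer", "status": "active"},
    "1002": {"givenName": "Ben", "sn": "Okafor", "title": "Manager", "status": "active"},
}
AD_DS = {
    "1001": {"sAMAccountName": "ana.silva", "givenName": "Anna", "sn": "Silva", "title": ""},
}

# Attribute precedence: for each metaverse attribute, the MAs allowed to
# contribute a value, most authoritative first.
PRECEDENCE = {
    "givenName": ["HR", "AD"], "sn": ["HR", "AD"], "title": ["HR"],
    "status": ["HR"], "sAMAccountName": ["AD"],
}


class ConnectorSpace:
    """Staging area for one connected data source; remembering the previous
    import lets the MA report deltas (add/update/delete) for each run."""
    def __init__(self):
        self.objects = {}

    def stage(self, fresh):
        delta = {"add": [], "update": [], "delete": []}
        for key, attrs in fresh.items():
            if key not in self.objects:
                delta["add"].append(key)
            elif self.objects[key] != attrs:
                delta["update"].append(key)
        delta["delete"] = [k for k in self.objects if k not in fresh]
        self.objects = deepcopy(fresh)
        return delta


class Metaverse:
    """Single aggregated view of identity data, joined on the employee ID."""
    def __init__(self):
        self.objects = {}  # employee ID -> attributes
        self.owner = {}    # (employee ID, attr) -> MA that supplied the value


class ManagementAgent:
    """Links one connected data source to the sync engine."""
    def __init__(self, name, source):
        self.name, self.source, self.cs = name, source, ConnectorSpace()

    def run_import(self):
        """Stage the connected data source into this MA's connector space."""
        return self.cs.stage(self.source)

    def run_sync(self, mv):
        """Flow staged attributes into the metaverse; a more authoritative MA
        may overwrite a less authoritative one, never the reverse."""
        for key, attrs in self.cs.objects.items():
            mv.objects.setdefault(key, {})
            for attr, value in attrs.items():
                chain = PRECEDENCE.get(attr, [])
                if self.name not in chain:
                    continue  # this MA is not a source for the attribute
                holder = mv.owner.get((key, attr))
                if holder is None or chain.index(self.name) <= chain.index(holder):
                    mv.objects[key][attr] = value
                    mv.owner[(key, attr)] = self.name

    def run_export(self, mv):
        """Provision, update, or deprovision (disable) objects in the target."""
        changes = []
        for key, mvobj in mv.objects.items():
            if mvobj.get("status") != "active":
                if key in self.source and not self.source[key].get("disabled"):
                    self.source[key]["disabled"] = True
                    changes.append(("disable", key))
                continue
            if key not in self.source:
                sam = f"{mvobj['givenName']}.{mvobj['sn']}".lower()
                self.source[key] = {"sAMAccountName": sam}
                changes.append(("provision", key))
            target = self.source[key]
            for attr in ("givenName", "sn", "title"):
                if target.get(attr) != mvobj.get(attr):
                    target[attr] = mvobj[attr]
                    changes.append(("update", f"{key}.{attr}"))
        return changes


def run_cycle(hr_ma, ad_ma):
    """One inbound HR -> metaverse -> AD DS run: import, sync, export."""
    mv = Metaverse()
    hr_delta = hr_ma.run_import()
    ad_ma.run_import()
    ad_ma.run_sync(mv)  # order is irrelevant: precedence decides the winner
    hr_ma.run_sync(mv)
    return mv, hr_delta, ad_ma.run_export(mv)
```

Running a second cycle after HR marks an employee as terminated shows the deprovisioning side: the HR delta reports an update and the export disables the AD DS account.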


FIM 2010 User and Group Management

Key Points
User Management

FIM 2010 enhances user management capabilities by providing rich self-service capabilities that help reduce Helpdesk calls and operational support costs. Additionally, the provisioning and deprovisioning process has become easier to implement by providing a configuration interface that does not require custom code.

SharePoint-based Portal: Managing users in FIM 2010 is performed through the FIM 2010 Portal. The FIM 2010 Portal is a SharePoint-based site that can be hosted with other SharePoint sites on the same SharePoint server. It can be customized based on the business and operational requirements.

Automated, codeless user provisioning and deprovisioning: FIM 2010 provides an interface to configure user provisioning instead of requiring customized code. Provisioning of users is performed through workflows. The workflows can be simple, such as manually creating a user in FIM 2010 and having the user automatically provisioned in AD DS if the user attributes match defined criteria. Workflows can also be complex, adding steps after the provisioning process such as adding users to groups, provisioning smart cards, or adding an Exchange 2010 mailbox to the user account.

Self-service management: Enables users to manage parts of their profile information such as phone numbers, addresses, and office location. Users can be delegated permissions to self-manage the profile or policies can be created so that user submitted profile changes require approval. In addition to profile self-service, self-service password reset is also available. A FIM 2010 password reset add-in feature integrates with the Windows logon screen and allows users to answer a set of password authentication challenge questions to reset their own password during logon.


Group Management

Group management has been greatly expanded in FIM 2010. Self-service plays a big role in FIM 2010, as it helps to reduce calls to the Helpdesk and operational costs for supporting distribution and security groups. Each group can have multiple owners, which enables load balancing group membership approvals across multiple owners instead of relying on a single owner. Workflows are utilized for notification or as part of the provisioning processes.

• Rich group management capabilities: Allows users and administrators to manage their groups by requesting to be added to groups, approving or rejecting requests, and managing memberships from the centralized FIM 2010 portal. By using the FIM 2010 software add-in for Outlook, the same functionality is available in Outlook (2007 or 2010).

• Offline group membership approvals: Allows a manager or group owner to approve or deny requests to be added to groups while working offline in Microsoft Outlook (2007 or 2010). Additionally, users can make group membership requests while working offline in Microsoft Outlook (2007 or 2010).

• Manual, manager-based, and criteria-based group membership: FIM 2010 offers flexible group membership management by offering users the ability to request access to groups, allowing managers to approve or deny membership requests, and by offering dynamic groups based on configurable criteria.

Some of the notable points of group membership in FIM 2010 are as follows:

• Open groups that allow anyone to join.
• Criteria-based group memberships (similar to dynamic distribution groups), where users are automatically added to or removed from groups based on defined criteria. For example, if a user has a title of Engineer, he can be automatically added to the Engineering group. If he is promoted and becomes a Manager, he is automatically removed from the Engineering group.
• Groups with multiple owners only show a single owner, known as the displayed owner.


Forefront Unified Access Gateway (UAG) 2010

Key Points

UAG 2010 is another Forefront product that ties directly into enterprise IDA solutions. UAG 2010 relies on two other IDA roles: AD DS as the authentication repository and AD CS (or a third-party certificate provider) as the supplier of digital certificates. This topic discusses three of UAG 2010's benefits:

• Anywhere Access
• Integrated Security
• Simplified Management

Anywhere Access

As workers become more mobile and as internet access has become commonplace at restaurants, libraries, and airports, providing workers with access to enterprise resources from any internet connection has become more complex. Many organizations struggle with multiple access solutions, which make for a confusing user experience and require more administrative overhead. UAG 2010 offers a centralized approach by combining technologies into a single solution and allowing users to connect to a single technology to access everything.

• SSL VPN: Provides a simpler VPN experience for users by minimizing user interaction with a VPN client and utilizing a familiar browsing experience in Internet Explorer under Windows 7.

• DirectAccess: Available in Windows Server 2008 R2 and Windows 7 as a technology that seamlessly connects client computers to the corporate network without a VPN connection and even before a user logs on. UAG 2010 enhances the functionality by extending access to line of business servers using IPv4, improving manageability of remote users, and centralizing and simplifying overall access administration.


Integrated Security
Remote access increases exposure to enterprise resources. Securing remote access to mitigate the exposure plays an important part in enabling organizations to deploy resources to remote users. UAG 2010 provides integrated security, including the following benefits:

• Endpoint Health: Provides the use of fine-grained access policies which provide limited access to sensitive data based on the identity of the endpoint or the health of the endpoint.

• Application Layer Inspection: Inspects requests for published applications such as SharePoint and Exchange to ensure that only legitimate connections are allowed. UAG 2010 includes many built-in application inspectors for Microsoft and third-party applications.

Simplified Management

As products and technologies are deployed and layered in an enterprise, IT administration becomes more complex. Administrators deal with multiple management consoles and multiple methods of performing administrative tasks. UAG 2010 simplifies the management experience for administrators. The following features simplify management:

• Access Management Consolidation: Centralizes remote access management technologies into a single management interface. Candidates for centralization include VPN, reverse proxy (application publishing), and other remote application access technologies.

• Wizards and Policies: Built-in policies and UAG 2010 wizards help make the administrative process more efficient.


Exploring Identity and Access Solutions

Windows Identity Foundation (WIF) and Windows CardSpace

Key Points

Windows Identity Foundation (WIF) and Windows CardSpace are two components of Microsoft's open platform for simplified, claims-based user access. A claim is a statement that an issuer makes about a subject, such as the user's name, identity, key, group membership, or privilege. WIF is the developer component and Windows CardSpace is the end-user component. The third component is Active Directory Federation Services (AD FS) 2.0, which is discussed further in Module 5. WIF and Windows CardSpace are both available as free downloads from Microsoft.

Windows Identity Foundation (WIF)

A digital identity can be compared to what you might normally find in your wallet: a driver's license, Social Security card, or an identification card. A digital identity is tied to access rights by the identity logic in the application. In many applications, that identity logic is built in and varies from application to application. WIF provides .NET developers with a way to build claims-aware .NET applications that externalize identity logic instead of embedding it, so a single claims-based identity model can be used by many applications. WIF enhances IDA in the following ways:

More flexible and more granular authorization

Zero impact on the application if credential requirements change

Support for federated security models

WIF works with AD FS 2.0 to allow development of single sign-on (SSO) capabilities while allowing access from external organizations such as partners and vendors. Think of AD FS 2.0 as the infrastructure of federation and WIF as the application layer.


Windows CardSpace 2.0


Windows CardSpace is freely downloadable software that allows users to present their digital identity to online services more securely and more simply than with the traditional method of user names and passwords. It uses information cards, each of which has identity data associated with it, and the cards rely on digital signatures to enhance online security. Windows CardSpace 2.0 enhances IDA in the following ways:

Information cards employ strong cryptography

One information card can be used for all of the websites you visit

Integrates with other IDA technologies such as AD FS 2.0


Interoperability Between Windows Server 2008 Identity and Access Solution Server Roles

Key Points

Understanding how the IDA server roles work together is a key aspect of deploying a complete IDA enterprise solution. Virtually all of the server roles build upon the foundation of AD DS. The following list shows examples of the IDA roles building upon one another:

AD CS can provide the certificate services for AD LDS, AD FS, and AD RMS.

AD LDS can synchronize from AD DS to provide directory information to a development environment or a perimeter network.

AD FS can extend the functionality of AD DS and AD RMS by allowing separate organizations to collaborate over the internet without the need for multiple user identities.

By combining multiple roles, IDA provides a scalable and efficient method for managing identities and information access within an organization. For example, a development team is working with directory-service-aware applications using AD LDS. The team wants to communicate securely with AD LDS, so it uses AD CS to issue a server certificate to the AD LDS instance, which then allows secure communication with AD LDS (LDAP over SSL). The following table lists the current names of products and server roles and the names of previous incarnations of the same tools and technologies.

Previous name                                    New name
Active Directory Application Mode (ADAM)         AD LDS
Windows Rights Management Services (RMS)         AD RMS
Windows Certificate Services (CS)                AD CS
Windows Federation Services (FS)                 AD FS


Question: Which IDA product is available as a free download from Microsoft?

Question: Which IDA roles can utilize digital certificates from AD CS?


Lab: Identifying IDA Roles to Meet Business Requirements

Objectives
After completing the lab, you will be able to:

Identify business requirements.

Determine server roles and solutions required to meet the business requirements.

Scenario

You are working as a systems administrator for Contoso Pharmaceuticals. As part of your job role, you need to understand how Active Directory is used to secure IT infrastructures. Management wants to ensure that Contoso's IT infrastructure can be protected by using multi-factor authentication.

Management has also asked you to protect Microsoft Office documents from being read by unauthorized people. Recently, some confidential Microsoft Word documents were emailed to an unauthorized person. Management wants to ensure that such documents are not readable even if they are obtained by unauthorized people. Contoso recently partnered with Tailspin Toys. Tailspin Toys needs access to Contoso's claims-based web application but wants to ensure that its users can continue to use their current Tailspin Toys Active Directory user accounts. Management has expressed concern about developer efficiency. Developers currently use a development instance of Active Directory Domain Services (AD DS). They have noted that developers are often waiting for IT and instead need the ability to manage their own directory services for development. In addition, developers need a technology to help them separate identity logic from their applications.

Human Resources (HR) maintains its own HR database, which contains much of the same information that exists in Active Directory. However, some of the information in the HR database conflicts with the information in the Active Directory database. The databases should be synchronized so that the information in them is consistent. Management has requested that you determine the Windows Server 2008 R2 server roles and IDA solutions available to address the organization's current issues.


Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
In this exercise, you will identify the server roles needed to satisfy the objectives for Contoso Pharmaceuticals. The main tasks for this exercise are as follows:

1. Identify business requirements.

2. Determine server roles and solutions required to meet the business requirements.

Task 1: Identify business requirements


Question: What are the business requirements for Contoso Pharmaceuticals?

Task 2: Determine server roles and solutions required to meet the business requirements
Questions:

1. Which server role is required for certificate authentication?

2. Which server role is required for protecting confidential Microsoft Office documents?

3. Which server role is required to allow Tailspin Toys access to Contoso's claims-aware web application?

4. Which server role can be used to give developers more efficient directory services capabilities?

5. Which solution would you use to synchronize the HR database with the Active Directory database?

6. Which technology would allow developers to externalize identity logic from their applications?

Results: After this exercise, you have identified the business requirements and the server roles required to meet the business requirements.


Module Review and Takeaways

Review Questions
1. What are the five server roles that support IDA solutions?

2. What technology can help you to simplify and automate user provisioning?

3. What server role or roles provide developers with an application test platform that allows schema changes independent of AD DS?

4. What server role or roles provide access to web applications for an external partner organization without creating trusts?

5. What server role and technology are required for the implementation and management of smart cards?

6. What server role or roles would protect the confidential data of important corporate documents and email messages?

Real-world Issues and Scenarios

The following scenario is provided to introduce a real-world situation that ties back to the content of this module. Your company runs Active Directory Domain Services (AD DS) for the internal network. The company's web servers are all in the perimeter network. Administration of the web servers has been inefficient because they are joined to a workgroup. The company would like to significantly expand the perimeter network with additional web and utility servers.


As part of the server expansion, a new application is being deployed in the perimeter network. The new application must be available to two of the company's partners as well as to employees. Management wants the application accessible from the internal network, the perimeter network, or the internet by using AD DS credentials. The user provisioning process must be simplified. The new application will deal with sensitive, confidential data. The Director of IT Security has mandated that all sensitive, confidential data must be protected so that only authorized users can view the data, even if the data files are stolen or removed from the premises. The application stores its data in Microsoft Excel (.XLSX) format. The Development team has asked for a method to simplify application testing because they plan to update the application often. The application is a directory-aware application. What roles and technologies can help you meet the company's goals?

To address the new application being available to partners and employees while residing in the perimeter network, use AD FS. A new AD DS environment should be deployed in the perimeter network and all servers in the perimeter network will join the perimeter domain. To protect confidential data, implement AD RMS. To simplify application development, implement AD LDS for the Development team so that they can build and deploy their application updates in the development environment without any interaction with the rest of IT. Deploy FIM 2010 to simplify the user provisioning process by allowing users to be created in the internal AD DS environment and be automatically created in the perimeter AD DS environment.

Best Practices
For a successful implementation, consider the following best practices:

Clearly define your business requirements.

Identify which roles and solutions will best meet those requirements.

Thoroughly test the proposed solution before implementing any IDA solutions.


Module 2
Deploying and Configuring Active Directory Certificate Services
Contents:
Lesson 1: Overview of Public Key Infrastructure                          2-3
Lesson 2: Overview of Certification Authorities                          2-10
Lesson 3: Deploying Certification Authorities                            2-20
Lesson 4: Configuring Certification Authorities                          2-28
Lesson 5: Troubleshooting Active Directory Certificate Services          2-32
Lab: Deploying and Configuring Active Directory Certificate Services     2-41


Module Overview

Public Key Infrastructure (PKI) consists of several components that help you secure corporate communications and transactions. One such component is the Certification Authority (CA). You can use CAs to manage, distribute, and validate digital certificates that are used to secure information. You can install Active Directory Certificate Services (AD CS) as a root CA or a subordinate CA in your organization.

Objectives
After completing this module, you will be able to:

Describe Public Key Infrastructure.

Describe Certification Authorities.

Deploy Certification Authorities.

Configure Certification Authorities.

Resolve common Active Directory Certificate Services issues.


Lesson 1

Overview of Public Key Infrastructure

A PKI helps verify and authenticate the identity of each party involved in an electronic transaction. It also helps establish trust between computers and the corresponding applications hosted on application servers. A common example includes the use of PKI technology to secure websites. Digital certificates are key PKI components that contain electronic credentials used to authenticate users or computers. Moreover, certificates can be validated using certificate discovery, path validation, and revocation checking processes. Windows Server 2008 supports PKI by using AD CS components.

Objectives
After completing this lesson, you will be able to:

Describe a PKI.

Describe the components that make up a PKI solution.

Describe Microsoft's implementation of PKI through AD CS.


What Is PKI?

Key Points
PKI is a combination of software, encryption technologies, processes, and services that assist an organization with securing its communications and business transactions.

PKI Components

Infrastructure: The meaning in this context is the same as in any other context, such as electricity, transportation, or water supply. Each has requirements that must be met for it to function efficiently. For example, a road infrastructure needs roads, traffic lights to regulate flow, traffic police to enforce regulations, an authority to issue driver's licenses, and so on. Each of these elements does a specific job, and the sum of them allows for the efficient and safe use of our roads. Some of the elements that make up a PKI are:

a certification authority

a certificate repository

a registration authority

an ability to revoke certificates

an ability to back up, recover, and update keys

an ability to regulate and track time

client-side processing

Public/Private Keys: There are two methods for encrypting and decrypting data: one where the keys used to encrypt and decrypt are identical or mirrors of each other (symmetric), and one where they are not (asymmetric).

Symmetric encryption: Data is encrypted by using a particular method or key. To decrypt the data, you must have an identical key, so anyone who has the key can decrypt the data. The key must remain secret to preserve the confidentiality of the encrypted data, and getting that secret key safely to every party that needs it is the distribution problem that asymmetric encryption solves.


Asymmetric encryption: Data is encrypted by using a particular method or key. The person who decrypts the data uses a key that is not identical to the key used to encrypt the data. In this situation, the keys are sufficiently different that knowing or possessing one does not allow you to determine the other. Therefore, one of the keys can be made public without reducing the security of the data, as long as the other key remains privatehence the name public key.

The advantages of using PKI include:

Confidentiality: A PKI enables you to encrypt both stored and transmitted data.

Integrity: You can use a PKI to digitally sign data. A digital signature reveals whether the data was modified after it was signed.

Authenticity and non-repudiation: The data is passed through a hash algorithm, such as Secure Hash Algorithm 1 (SHA-1), to produce a message digest. The message digest is then digitally signed with the sender's private key to prove that the signature was produced by the sender. Non-repudiation means that the digital signature provides proof of both the integrity of the signed data and its origin, because only the holder of the private key could have produced it. Note that SHA-1 is no longer considered collision resistant; new deployments should select a SHA-2 algorithm (such as SHA-256) for the CA and its certificate templates.

Standards-based approach: A PKI is standards-based, which means that products from multiple vendors can interoperate with a PKI-based security infrastructure. Certificate and CRL formats follow the X.509 profile in RFC 5280, and certificate policies and certification practice statements follow the framework originally defined in RFC 2527 (since superseded by RFC 3647).
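The following PowerShell script is an added example, not part of the course, that walks through the asymmetric-key properties and the sign-then-verify flow described above using the .NET RSA provider that ships with Windows Server 2008 R2. No CA is involved; the key pair is generated in memory and the message text is constructed for the example.

```powershell
# Added example (not from the course): asymmetric encryption and digital
# signatures with the .NET RSA provider, run from PowerShell. The key pair
# is created in memory and discarded at the end; the message is made up.
Add-Type -AssemblyName System.Security

function New-RsaKeyPair {
    param([int]$KeyLength = 2048)
    # Holds both halves of the key pair (private and public).
    New-Object System.Security.Cryptography.RSACryptoServiceProvider $KeyLength
}

function Get-PublicKeyOnly {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair)
    # ToXmlString($false) exports only the public parameters (modulus and
    # exponent); the object built from it can encrypt and verify but not
    # decrypt or sign. This is what a certificate carries.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.FromXmlString($KeyPair.ToXmlString($false))
    return $pub
}

function Protect-Message {
    param($PublicKey, [string]$Text)
    # $true selects OAEP padding; $false would select the weaker PKCS#1 v1.5.
    $PublicKey.Encrypt([Text.Encoding]::UTF8.GetBytes($Text), $true)
}

function Unprotect-Message {
    param($PrivateKey, [byte[]]$Cipher)
    [Text.Encoding]::UTF8.GetString($PrivateKey.Decrypt($Cipher, $true))
}

function Get-Signature {
    param($PrivateKey, [string]$Text)
    # Hash the data with SHA-256 and sign the digest with the private key.
    $PrivateKey.SignData([Text.Encoding]::UTF8.GetBytes($Text), "SHA256")
}

function Test-Signature {
    param($PublicKey, [string]$Text, [byte[]]$Signature)
    # Recomputes the digest and checks it against the signature with the public key.
    $PublicKey.VerifyData([Text.Encoding]::UTF8.GetBytes($Text), "SHA256", $Signature)
}

$sender = New-RsaKeyPair
$public = Get-PublicKeyOnly $sender
$message = "Transfer 1000 to account 42"    # constructed sample message

# Confidentiality: anyone holding the public key can encrypt ...
$cipher = Protect-Message $public $message
# ... but only the private-key holder can decrypt.
Unprotect-Message $sender $cipher

# The public key alone cannot decrypt: the provider throws a CryptographicException.
try   { $public.Decrypt($cipher, $true) | Out-Null }
catch { "Decrypt with public key refused: $($_.Exception.Message)" }

# Integrity and origin: sign with the private key, verify with the public key.
$sig = Get-Signature $sender $message
Test-Signature $public $message $sig                            # unmodified data verifies
Test-Signature $public "Transfer 9000 to account 42" $sig       # altered data does not

# Do not leave the throwaway key in the CSP key container.
$sender.PersistKeyInCsp = $false
$sender.Clear()
```

The two `Test-Signature` calls are the integrity check in practice: a single changed digit changes the digest, so the signature no longer matches. Non-repudiation follows from the last block of the script: `$public` cannot sign, so only whoever holds `$sender` could have produced `$sig`.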

Question: What benefits does a digital signature offer?


Components of a PKI Solution

Key Points

There are many components that are required to work together to provide a complete PKI solution. The PKI components are:

Certification Authority: This component issues and manages digital certificates for users, services, and computers.

Digital certificates: This component is similar in function to an electronic passport. A certificate is used to prove the identity of the user (or other entity). A certificate binds the subject's identity to the subject's public key; the private key is never part of the certificate and stays with the subject, and it is the pair together that authenticates users and devices such as web servers and mail servers. Digital certificates are also used to ensure that software or code comes from a trusted source. Certificates contain various fields, such as Subject, Issuer, and Common Name, and extensions such as Subject Alternative Name (SAN); these determine the specific use of the certificate. For example, a web server certificate might contain the Common Name web01.contoso.com (or, more commonly today, that DNS name in the SAN extension), which makes the certificate valid only for that web server. If the certificate were used on a web server named web02.contoso.com, clients connecting to that server would receive a name-mismatch warning.

Certificate templates: This component describes the content and purpose of a digital certificate. When requesting a certificate from an AD CS enterprise CA, the certificate requestor will, depending on his or her access rights, be able to select from a variety of certificate types based on certificate templates, such as User and Code Signing. The certificate template saves users from low-level, technical decisions about the type of certificate they need.

Note: You can configure certificate templates with Windows Server 2008 Standard Edition and Active Directory Certificate Services; however, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008.


CRLs and Online Responders: Certificate Revocation Lists (CRLs) are complete, digitally signed lists of certificates that have been revoked. These lists are published periodically and can be retrieved and cached by clients (based on the configured lifetime of the CRL). The lists are used to verify a certificate's revocation status. Online Responders implement the Online Certificate Status Protocol (OCSP) and are installed as the Online Responder role service in Windows Server 2008 and Windows Server 2008 R2. An Online Responder answers a request for the revocation status of a single certificate, so the client does not need to download the entire CRL; this speeds up revocation checking and reduces network bandwidth. It also allows for increased scalability and fault tolerance by allowing Online Responders to be configured as an array.

Public keybased applications and services: This relates to applications or services that support public key encryption. In other words, the application or services must be able to support public key implementations to gain the benefits from it.

Certificate and CA management tools: This component provides command-line and graphical user interface (GUI) based tools to:

Configure CAs

Recover archived private keys

Import and export keys and certificates

Publish CA certificates and CRLs

Manage issued certificates

Authority Information Access (AIA) and CRL distribution points (CDPs): Each issued certificate carries two extensions that tell clients where to find the data needed to validate it. The AIA extension lists locations (HTTP or LDAP URLs) from which the issuing CA's certificate can be retrieved to build the chain, and the CDP extension lists locations from which the CA's CRL can be retrieved. These URLs must be reachable by every client that validates the certificate, including clients outside the corporate network, or revocation checking fails. Because CRLs can become large, depending on the number of certificates issued and revoked by a CA, you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRLs and more quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data to be published more frequently, because the small size of a delta CRL means it usually takes much less time to transfer than a full CRL.

Hardware security module (HSM): An HSM is an optional, tamper-resistant cryptographic hardware device that generates, stores, and uses private keys so that they never leave the device in clear form; it also accelerates cryptographic processing. An HSM is typically physically attached to, or networked with, the CA computer. It is most widely used in high-security environments where a key compromise would have a significant impact, because a stolen CA private key lets an attacker issue certificates that every relying party trusts.

Note: The most important component of any security infrastructure is physical security. A security infrastructure is not just the PKI implementation. Other elements, such as physical security and adequate security policies, are also important parts of a holistic security infrastructure.
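The following PowerShell script is an added example, not part of the course, that ties together three of the components above: it reads the Subject, Issuer and SAN fields of a certificate and checks the host-name binding, builds the certificate chain with online revocation checking (which is where the CRL or Online Responder is consulted), and lists the CDP and AIA URLs that the chain builder would fetch. It uses only .NET Framework classes available to PowerShell on Windows Server 2008 R2; the store path and the host names are assumptions for illustration.

```powershell
# Added example (not from the course): inspect an X.509 certificate, check the
# host-name binding, build its chain with online revocation checking, and list
# the CDP/AIA URLs clients must be able to reach. Store path and host names are
# assumptions.
Add-Type -AssemblyName System.Security

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17),
    # falling back to the Common Name only when the certificate has no SAN.
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $text = $san.Format($false)   # e.g. "DNS Name=web01.contoso.com, DNS Name=www.contoso.com"
        foreach ($m in [regex]::Matches($text, 'DNS Name=([^,\s]+)')) { $names += $m.Groups[1].Value }
    }
    if ($names.Count -eq 0) {
        $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    return $names
}

function Test-CertificateHostName {
    param($Cert, [string]$HostName)
    foreach ($name in Get-CertificateDnsNames $Cert) {
        if ($name -eq $HostName) { return $true }
        # A wildcard matches exactly one label: *.contoso.com covers
        # web01.contoso.com but not web01.east.contoso.com.
        if ($name.StartsWith('*.') -and
            ($HostName.Split('.').Count -eq $name.Split('.').Count) -and
            ($HostName -like $name)) { return $true }
    }
    return $false
}

function Get-RevocationUrls {
    param($Cert)
    # CDP (2.5.29.31) says where the CRL is; AIA (1.3.6.1.5.5.7.1.1) says where
    # the issuing CA certificate and any OCSP responder are.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.31' -or $ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') {
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                New-Object PSObject -Property @{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
            }
        }
    }
}

function Test-CertificateChain {
    param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch CRLs / query OCSP instead of relying on a possibly stale cache.
    # EntireChain: check every CA in the path, not only the end certificate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan -ArgumentList 0, 0, 15
    $trusted = $chain.Build($Cert)
    # An empty Status means the chain is valid; otherwise each entry names a
    # failure such as Revoked, RevocationStatusUnknown (CDP/AIA unreachable),
    # NotTimeValid or UntrustedRoot.
    New-Object PSObject -Property @{
        Trusted = $trusted
        Status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Path    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Assumed: the web server's certificate is in the local machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*web01.contoso.com*' } | Select-Object -First 1
"Subject: $($cert.Subject)`nIssuer:  $($cert.Issuer)`nExpires: $($cert.NotAfter)"
Test-CertificateHostName $cert 'web01.contoso.com'   # the name the certificate was issued for
Test-CertificateHostName $cert 'web02.contoso.com'   # a different host: clients would warn
Get-RevocationUrls $cert | Format-Table Extension, Url -AutoSize
Test-CertificateChain $cert
```

A `RevocationStatusUnknown` entry in `Status` almost always means a CDP or AIA URL that the client cannot reach, which is the first thing to check when certificates that look valid are rejected; `certutil -urlfetch -verify <file.cer>` performs the same fetches from the command line and reports each URL individually.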

Question: Which PKI component is responsible for the content and purpose of a digital certificate?


How AD CS Supports PKI

Key Points
AD CS is a Windows Server 2008 R2 role that provides PKI services for issuing and managing digital certificates, certificate enrollment, and certificate revocation.

AD CS Components

The following are the components in AD CS, and each works closely together to form a complete solution: Certification Authority (CA), Network Device Enrollment Service (NDES), Online Responder Service, and Certification Authority Web Enrollment Support. Each of these components is discussed in further detail in Lesson 2s topic titled What do the Active Directory Certificate Services Role Services Do?

AD CS Features
Feature: Customizable Certificate Templates
Description: Templates can be customized for a specific use (such as Code Signing). Templates can also be customized so that only specified users can select the template during enrollment. There are three types of templates: Version 1 (not customizable), Version 2, which are customizable under Enterprise versions of Windows Server 2003 and Windows Server 2008, and Version 3, which are new in Windows Server 2008 and support Cryptography Next Generation (CNG). CNG provides support for new cryptography algorithms such as the U.S. government's Suite B algorithms.

Feature: Key Archival
Description: If a certificate template is configured to require key archival, automatic key archival is performed during the certificate enrollment process. During enrollment, the private key is securely sent to the CA as part of the certificate request and is archived by the CA. Key archival is required to support key recovery. This feature is only available on the Enterprise and Datacenter editions of Windows Server 2008.


Feature: Role Separation
Description: This feature allows for role-based administration to organize administrators into predefined CA roles, each with its own set of associated tasks. The default roles available are CA Administrator, Certificate Manager, Backup Operator, Auditor, and Enrollee. This feature is only available on the Enterprise and Datacenter editions of Windows Server 2008.

Feature: Certificate Manager Restrictions
Description: This feature allows administrators to restrict certificate management to specific certificate templates, even when the certificate managers have been assigned the Issue and Manage Certificates permission at the CA level. This feature is only available on the Enterprise and Datacenter editions of Windows Server 2008.

Feature: Delegated Enrollment Agent Restrictions
Description: This feature allows limiting the permissions that enrollment agents have for enrolling smart card certificates on behalf of users. This feature is new to Windows Server 2008 and allows enrollment agents to have rights to enroll on behalf of specific users or groups. This feature is only available on the Enterprise and Datacenter editions of Windows Server 2008.

Windows Server 2008 R2 introduced a few enhancements to AD CS which include:

The ability to enroll for certificates across forests. This is useful in consolidation scenarios and with partner companies, and requires Windows Server 2003 forest functional level on each side and a two-way transitive trust.

Certificate enrollment over HTTP, which extends the use of autoenrollment.

Better support for high-volume CAs, such as those found in Network Access Protection (NAP) environments, by reducing CA database size.

How AD CS Integrates with Microsofts IDA Solution

AD CS is the server role that offers the components that provide the following PKI functions: Certification Authority, Network Device Enrollment Service, Online Responder Service, and Certification Authority Web Enrollment Support. AD CS is relied upon by all of the Windows Server 2008 R2 IDA-related roles and technologies, such as AD DS, AD LDS, AD FS, AD RMS, FIM 2010, UAG 2010, and Windows Azure. AD CS issues the certificates required by these roles and technologies to securely perform their respective functions.

Question: How would you ensure that your certificate template utilized Cryptography Next Generation (CNG)?


Lesson 2

Overview of Certification Authorities

A certification authority (CA) is part of a PKI and serves as the authority in a network that issues and manages security credentials and public keys for encryption.

Objectives
After completing this lesson, you will be able to:

Describe a Certification Authority.

Describe the difference between a Public and Private Certification Authority.

Describe the different types of Certification Authorities in Windows Server 2008.

Describe Standalone versus Enterprise CAs.

Describe usage scenarios in a CA hierarchy.

Describe cross-certification hierarchy.

Describe the different role services for Active Directory Certificate Services in Windows Server 2008.


What Are Certification Authorities?

Key Points

On a Windows Server 2008 network, a CA is a computer with the AD CS server role installed. A CA can sign and revoke certificates and also publish AIA and CRL information about revoked certificates to ensure that users, services, and computers are issued certificates that can be validated. A CA performs multiple functions or roles in a PKI. In a large PKI, separation of CA roles among multiple servers is common. A CA provides several management tasks, including:

Verifying the identity of the certificate requestor.

Issuing certificates to requesting users, computers, and services.

Managing certificate revocation.

Question: Besides users and computers, what else can a CA issue a certificate to?

Question: Which component of the PKI is responsible for revoking certificates?


Public vs. Private Certification Authorities

Key Points

You can configure a CA for your company by deploying an internal private CA with AD CS, or you can use a third-party public CA. Both have advantages and disadvantages, as specified in the following table.

External public CA
  Advantages: Trusted by many external clients (web browsers, operating systems); requires minimal administration.
  Disadvantages: Higher cost as compared to an internal CA; cost per certificate; certificate procurement is slower.

Internal private CA
  Advantages: Provides greater control over certificate management; customized templates; autoenrollment.
  Disadvantages: Is not trusted by external clients (web browsers, operating systems) by default.

Some organizations have started using a hybrid approach to their PKI architecture. A hybrid approach uses an external public CA as the root CA and a hierarchy of internal subordinate CAs for distribution of certificates. This gives organizations the advantage of having their internally issued certificates trusted by external clients while still providing the advantages of an internal CA. The only disadvantage is cost; a hybrid approach is typically the most expensive approach.

Question: Which type of CA would you choose for Autoenrollment?


Types of Certification Authorities in Windows Server 2008

Key Points
There are two types of CAs available in Windows Server 2008:

Root CA: The root CA is the trust anchor for the hierarchy. It produces and signs its own certificate, and every certificate issued in the hierarchy chains up to it.

Subordinate CA: A subordinate CA receives its CA certificate from a parent CA (the root CA or another subordinate CA). Clients trust the subordinate CA because its certificate chains to the trusted root. Subordinate CAs issue certificates and implement policies.

You can create a hierarchy of CAs to do the following:

Create CAs that specialize in generating certain types of certificates, or certificates for a specific purpose.

Meet the needs of several divisions within an organization that might require various CA policies or specific administrator access.

Improve performance by offloading the certificate issuing process to dedicated CAs.

Restrict administrative access by delegating administrative permissions to specific CAs (and not the entire PKI).

A root CA produces and signs its own certificate. A subordinate CA receives its CA certificate from the root CA (or parent CA). Subordinate CAs perform tasks such as issuing certificates and implementing policies. Some of the benefits of creating a CA hierarchy include:

Enhanced security and scalability can be achieved by using dedicated CAs for specific types of tasks (such as smartcard management) and by balancing certificate issuance across multiple CAs (thus spreading out the load).

Flexible administration for the CA hierarchy enables role-based access control and decentralization of CA management.


Support for commercial CAs allows a hierarchy's root to begin at a commercial CA root.

Application compatibility is not a concern in a hierarchy: applications that consume certificates build and validate the chain in the same way whether the certificate comes from a hierarchy or from a single CA.

Question: What ties a subordinate CA to a root CA?


Standalone vs. Enterprise CAs

Key Points
There are two types of CAs available in Windows Server 2008, and each has a specific set of features available, as outlined in the following table.

Typical usage
  Stand-alone CA: Typically used for offline CAs, but it can also be used for a CA that is consistently available on the network.
  Enterprise CA: Typically used to issue certificates to users, computers, and services, and not typically used as an offline CA.

AD dependencies
  Stand-alone CA: Does not depend on AD DS and can be deployed in non-Active Directory environments.
  Enterprise CA: Requires AD DS, which is used as a configuration and registration database. AD DS also provides a publication point for certificates issued to users and computers.

Certificate request methods
  Stand-alone CA: Users can request certificates only through the web enrollment pages or by submitting a request file with the certreq command-line tool.
  Enterprise CA: Request certificates from the web enrollment pages, the Certificate Request Wizard (Certificates MMC snap-in), or certreq. Certificates can also be requested and issued automatically through Group Policy by using autoenrollment.

Certificate issuance methods
  Stand-alone CA: By default, all requests are held as pending and must be manually approved by a certificate manager. (The CA can be configured to issue automatically, but that is rarely appropriate for a stand-alone CA that is reachable on the network.)
  Enterprise CA: Requests are automatically issued or denied based on the template's discretionary access control list (DACL) and the template's issuance requirements.

Question: Which type of CA would you choose if you did not want it to be a part of your Active Directory Domain Services (AD DS) environment?


Usage Scenarios in a CA Hierarchy

Key Points
The following points describe some usage scenarios in a CA hierarchy.

- Policy CA usage: A policy CA is a type of subordinate CA directly below the root CA in a CA hierarchy. Policy CAs issue CA certificates to the subordinate CAs directly below them in the hierarchy. Use policy CAs when different divisions, sectors, or locations of your organization require different issuance policies and procedures.
- Cross-certification trust: In this scenario, two independent CA hierarchies interoperate when a CA in one hierarchy issues a CA certificate to a CA in the other hierarchy. Cross-certification trusts are discussed in more detail later in this module.
- Two-tier hierarchy: In a two-tier hierarchy, there is a root CA and at least one subordinate CA. In this scenario, the subordinate CA is responsible for policies and for issuing certificates to requestors.

Question: Your organization would like to segment certificate distribution to vendors from the rest of your certificate distribution infrastructure. What type of CA would help facilitate this?


What Is a Cross-Certification Hierarchy

Key Points

A cross-certification implies that each CA hierarchy's root CA provides a cross-certification certificate to the other CA hierarchy's root CA. The other hierarchy's root CA installs the supplied certificate. By doing so, the trust flows down to all the subordinate CAs below the level where the cross-certification certificate was installed.

Cross-Certification Benefits
A cross-certification hierarchy provides the following benefits:
- It provides interoperability between businesses and between PKI products.
- It joins disparate PKI organizations.
- It assumes complete trust of a foreign CA hierarchy.

Question: Your company is currently acquiring another company. Both companies run their own PKI. What could you do to minimize disruption and continue to provide PKI services seamlessly?


What Do the Active Directory Certificate Services Role Services Do?

Key Points
AD CS is made up of several components known as role services. Each role service is responsible for a specific portion of the certificate infrastructure, and together they form a complete solution. The following table describes each AD CS role service and the role it plays in the PKI.

Certification Authority
  This component issues certificates to users, computers, and services. In addition, it manages certificate validity. Multiple CAs can be chained to form a PKI hierarchy.

Certification Authority Web Enrollment
  This component provides a method to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, or for users of non-Microsoft operating systems.

Online Responder
  This component allows for the configuration and management of Online Certificate Status Protocol (OCSP) validation and revocation checking. It decodes revocation status requests for specific certificates, evaluates the status of these certificates, and returns a signed response containing the requested certificate status information. An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2003, Windows Server 2008, or from a non-Microsoft CA.

Network Device Enrollment Service
  This component allows routers, switches, and other network devices to obtain certificates from AD CS. This component is only available on the Enterprise and Data Center editions of Windows Server 2008 R2.


Certificate Enrollment Web Service
  This component works as a proxy between Windows 7 client computers and the CA. It is new to Windows Server 2008 R2 and requires that the Active Directory forest be at the Windows Server 2008 R2 level. It enables users to connect to a CA by means of a web browser to perform the following:
  - Request, renew, and install issued certificates
  - Retrieve CRLs
  - Download a root certificate
  - Enrollment over the Internet or across forests (new to Windows Server 2008 R2)

Certificate Enrollment Policy Web Service
  This component is new to Windows Server 2008 R2. It enables users to obtain certificate enrollment policy information. Combined with the Certificate Enrollment Web Service, it enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Question: Which role service enables you to download the root CA certificate using your web browser?


Lesson 3

Deploying Certification Authorities

The first Certification Authority (CA) that you install will be a root CA. After the root CA is installed, you can optionally install a subordinate CA to apply policy restrictions and distribute certificates. You can also use a CAPolicy.inf file to automate additional CA installations and provide additional configuration settings that are not available with the standard GUI-based installation.

Objectives
After completing this lesson, you will be able to:
- Describe the prerequisites for root CAs and when a root CA should be used.
- Deploy a root CA.
- Describe the prerequisites for subordinate CAs and when a subordinate CA should be used.
- Describe the purpose of the CAPolicy.inf file, and what can be done with it.
- Describe the purpose of the CA Administrative Console.


Considerations for Deploying a Root Certification Authority

Key Points
The following are root CA prerequisites:
- Must have an existing, functional AD DS environment.
- Must have an available server running Windows Server 2008 or Windows Server 2008 R2 Standard, Enterprise, or Data Center edition. The edition is based on the specific role services you require.

Server Edition Considerations for AD CS Components

There are a number of pre-installation configuration choices to make, as well as considerations that will impact the operating system selection. The following table outlines the immediate considerations around the choice of the operating system version.

AD CS component                      Standard   Enterprise
CA                                   Yes        Yes
Network Device Enrollment Service    No         Yes
Online Responder service             No         Yes

Based on the components required to meet your business requirements, you can select the appropriate operating system version. The next factor to consider is the operating system installation type. AD CS is supported in both the full installation and the Server Core installation scenarios. Server Core provides a smaller attack surface and less administrative overhead and should be a strong consideration for AD CS in an enterprise environment.


Server Edition Considerations for AD CS Features


Some AD CS features are also specific to the operating system edition. The following table maps the features to their availability on Windows Server 2008 R2 Standard and Enterprise editions.

AD CS feature                                  Standard   Enterprise
Version 2 and version 3 certificate templates  No         Yes
Key archival                                   No         Yes
Role separation                                No         Yes
Certificate Manager restrictions               No         Yes
Delegated enrollment agent restrictions        No         Yes

As noted in the table, most of the advanced features of AD CS require the Enterprise edition of Windows Server 2008 R2.

Additional AD CS Deployment Considerations

Besides the operating system edition, there are several additional considerations, included in the following table.

The cryptographic service provider (CSP) used to generate a new key
  The default CSP is Microsoft Strong Cryptographic Provider. Any provider whose name starts with a number sign (#) is a Cryptography Next Generation (CNG) provider.

The key character length
  The default key length for the Microsoft Strong Cryptographic Provider is 2,048 bits. This is the minimum recommended value for a root CA.

The hash algorithm used to sign certificates issued by the CA
  The default hash algorithm is SHA-1.

The validity period for certificates issued by the CA
  The default value for certificates is five years.

The status of the root server (online or offline)
  The root server should be deployed as an offline CA. This enhances security and safeguards the root certificate, since it is not exposed to attack over the network.

Question: If you need to support version 2 and version 3 certificates, which edition of Windows Server 2008 R2 should you select?

Question: What is the main reason to deploy a root CA as an offline root?

Question: What are the benefits of running AD CS on Windows Server 2008 R2 compared to Windows Server 2008?


Demonstration: How to Deploy a Root CA

Key Points
The following demonstration shows you how to install AD CS as a root CA.

Demonstration Steps
1. Start the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines and log on to 6426C-NYC-SVR1.
2. On the 6426C-NYC-SVR1 virtual machine, add the Active Directory Certificate Services role, select Enterprise, select Root CA, and then enter a name in the Common Name field.
3. Keep default settings for the other options.
4. Confirm the settings and install the role.

Question: Where does the root CA get its certificate from?

Question: What server role is a prerequisite for deploying an enterprise root CA?


Considerations for Deploying a Subordinate CA

Key Points

You can use a subordinate CA to implement policy restrictions for PKI and distribute certificates to clients. After installing a root CA for the organization, you can install one or more subordinate CAs. When using a subordinate CA to distribute certificates to users or computers that have an account in an Active Directory Domain Services (AD DS) environment, you can install the subordinate CA as an enterprise CA. Then, you can use the data of the client accounts in AD DS to distribute and manage certificates, and to publish certificates to AD DS.

You must be a member of the local administrators group or have equivalent permissions to complete this procedure. If the subordinate CA will be an enterprise CA, you also need to be a member of the Domain Admins group or have equivalent permissions. From a security perspective, having an offline root stand-alone CA and an enterprise subordinate CA is a recommended scenario. General benefits for implementing subordinate CAs include:

- Usage: Certificates may be issued for a number of purposes, such as secure email and network authentication. The issuing policy for these uses may be distinct, and separation provides a basis for administering these policies.

- Organizational divisions: There may be different policies for issuing certificates, depending upon an entity's role in the organization. You can create subordinate CAs to separate and administer these policies.

- Geographic divisions: Organizations often have entities at multiple physical sites. Limited network connectivity between these sites may require individual subordinate CAs for many or all sites.

Load balancing: If your PKI will be used to issue and manage a large number of certificates, having only one CA can result in considerable network load for that single CA. Using multiple subordinate CAs to issue the same kind of certificates divides the network load between CAs.

Backup and fault tolerance: Multiple CAs increase the possibility that your network will always have operational CAs available to respond to user requests.


Question: If you intend to use a subordinate CA to issue certificates to users and computers that are part of an AD DS environment, which type of subordinate CA should you choose?

Question: What group should you be a member of if you plan to install an enterprise subordinate CA?


How the CAPolicy.inf File Is Used for Installation

Key Points
You can use the CAPolicy.inf file when installing AD CS to define the following:

- Certification Practice Statement (CPS): Describes the practices that the CA uses to issue certificates. This includes the types of certificates issued, information for issuing, renewing, and recovering certificates, and other details about the CA's configuration.
- Object identifier (OID): Identifies a specific object or attribute.
- CRL publication intervals: Defines the interval between publications of the base CRL.
- CA renewal settings: Defines renewal settings as follows:
  - Key size: Defines the length of the key pair used during the root CA renewal.
  - Certificate validity period: Defines the validity period for a root CA certificate.
- CDP and AIA paths: Provides the paths used for root CA installations and renewals.

Note: The CAPolicy.inf file is processed both for root and subordinate CA installations and renewals.

Question: Is the CAPolicy.inf a prerequisite of AD CS?
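The following PowerShell script is an added example, not part of the course materials: it writes a CAPolicy.inf for an offline stand-alone root CA, covering the CPS, OID, CRL interval, renewal and CDP/AIA settings listed above. The policy OID is a placeholder, and the CPS URL, renewal values and CRL periods are assumptions for the fictitious Contoso environment.

```powershell
# Added example (not course material): write CAPolicy.inf for an offline
# stand-alone root CA. AD CS setup reads %windir%\CAPolicy.inf, so the file
# must exist before the role is installed. Run elevated on the future root CA.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

; Issuance policy and CPS pointer embedded in the root certificate
[PolicyStatementExtension]
Policies=ContosoCPS

[ContosoCPS]
; PLACEHOLDER OID: replace with an OID from your organization's registered arc
OID=1.2.3.4.5.6.7
Notice="Contoso Pharmaceuticals Certification Practice Statement"
URL=http://pki.contoso.com/cps.html

[Certsrv_Server]
; CA renewal settings: key pair length used when the root CA certificate is
; renewed, and the validity period of the root CA certificate (assumed values)
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; Base CRL publication interval. An offline root signs only subordinate CA
; certificates, so a long interval (assumed: 26 weeks) is workable; delta CRLs
; are disabled because the root is not online to publish them
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; The self-signed root certificate carries no CDP or AIA: there is nothing
; above the root to check, and a URL here would only make chain building
; fetch a location that never holds a revocation answer for the root itself
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

$path = Join-Path $env:windir 'CAPolicy.inf'
# Write as ANSI text, which the INF parser handles safely
Set-Content -Path $path -Value $caPolicy -Encoding Ascii
# Review the file, then install the AD CS role through Server Manager
Get-Content -Path $path
```

Because the file is also processed at renewal, changing the renewal or CRL values later is a matter of editing it and renewing the CA certificate, not of reinstalling the role.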


Demonstration: Overview of the CA Administrative Console

Key Points
The following demonstration shows you how to open the CA administrative console and review the available options.

Demonstration Steps
1. Ensure that the 6426C-NYC-DC1 virtual machine is still running and log on to 6426C-NYC-SVR1.
2. On the 6426C-NYC-SVR1 virtual machine, run the Certification Authority tool.
3. View the Properties of the CA and go through the tabs.

Question: What are two ways to get to the Certification Authority management console?

Question: Using the CA management tool, how would you manage a CA located on a different server?


Lesson 4

Configuring Certification Authorities

Configuring CAs involves many steps such as maintaining role-based administration and using Group Policy to implement autoenrollment of certificates. If you plan to have multiple teams or people helping to maintain your PKI, take an in-depth look at the new role-based administration features available in AD CS under Windows Server 2008 R2.

Objectives
After completing this lesson, you will be able to:
- Describe role-based administration in AD CS.
- Implement role-based administration.
- Describe the use of Group Policy to configure AD CS.


Role-Based Administration in AD CS

Key Points

Role-based administration in AD CS provides the ability to delegate pre-defined permissions to users or groups based on the built-in CA roles. Each role can perform a predetermined task or series of tasks. The following table shows the roles and groups involved in role-based administration.

Role/Group            Purpose                                  Information
CA Administrator      Manage the CA                            Assigned using CA console
Certificate Manager   Issue and manage certificates            Assigned using CA console
Backup Operator       Back up and restore files/directories    Operating system role
Auditor               Manage auditing and Security Event Log   Operating system role
Enrollees             Read and enroll                          Can request certificates

Role-based administration combines operating system roles and AD CS roles to provide a complete, segmented management solution for your CAs. Instead of assigning local administrative privileges to the various IT personnel involved in managing the CA, you can assign roles which ensure that administrators have the minimum permissions necessary to perform their jobs.

Role-based administration also eases the administrative overhead of granting rights to administrators because the process involves adding a user to a group or role.

Question: What group do you have to be a member of in order to assign the CA Administrator role on an enterprise CA?
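As an added example that is not from the course, the following PowerShell session enforces role separation (listed earlier as an Enterprise-edition feature) and enables CA auditing so the Auditor role has events to review. It assumes it is run elevated on the CA host by a CA Administrator.

```powershell
# Added example (not course material): enforce CA role separation and turn
# on CA auditing. Registry values are read and written through certutil,
# which resolves CA\<value> to the local CA's configuration key.

# Current state: no value (or 0) means role separation is not enforced.
certutil -getreg CA\RoleSeparationEnabled

# Enforce it: an account may hold at most one CA role. Any account holding
# two (for example a CA Administrator who is also a Certificate Manager) is
# blocked from all CA operations until one role is removed, so review the
# role assignments on the CA's Security tab before enabling this.
certutil -setreg CA\RoleSeparationEnabled 1

# Give the Auditor role something to review: AuditFilter is a bitmask of the
# seven CA audit categories (start/stop, back up/restore the database,
# issue/manage requests, revoke/publish CRLs, change CA security, store/
# retrieve archived keys, change CA configuration); 127 enables them all.
certutil -setreg CA\AuditFilter 127

# CA audit events reach the Security log only when the Object Access >
# Certification Services subcategory is enabled on the CA host.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Both registry values are read when the service starts.
Restart-Service certsvc

# Verify that the settings took effect.
certutil -getreg CA\RoleSeparationEnabled
certutil -getreg CA\AuditFilter

# Recovery if an administrator holds two roles and is locked out: a member
# of the local Administrators group (registry access is governed by the OS,
# not by CA roles) can lift enforcement and restart the service:
#   certutil -delreg CA\RoleSeparationEnabled
#   Restart-Service certsvc
```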


Demonstration: How to Implement Role-Based Administration

Key Points
The following demonstration shows you how to implement role-based administration in AD CS.

Demonstration Steps
1. Ensure that the 6426C-NYC-DC1 virtual machine is still running and log on to 6426C-NYC-SVR1.
2. On the 6426C-NYC-SVR1 virtual machine, run the Certification Authority tool.
3. Open the Properties of the CA and edit permissions from the Security tab.


Using Policy to Configure AD CS

Key Points
Once your PKI is in place, you will need to turn to Group Policy to automate distribution and set configuration options. Group Policy can be used for the following areas related to AD CS:

- Credential roaming: Credential roaming keeps a user's certificates and private keys synchronized with AD DS so that they are available on every computer the user logs on to. This prevents administrators from needing to manage multiple client certificates and private keys across multiple client workstations for a single user.
- Autoenrollment of certificates: Autoenrollment simplifies the issuance of certificates by enabling client computers to automatically request and renew certificates. Autoenrollment requires an enterprise CA and Group Policy configuration.
- Certificate path validation: With certificate path validation, you can manage certificates used for code signing, deploy subordinate CA certificates, block certificates that are not trusted, and configure retrieval settings for certificates and certificate revocation lists (CRLs).
- Certificate distribution: Typically, Group Policy is used for automated distribution of certificates (autoenrollment) or to specify settings related to enrollment.

Question: What type of CA is required for autoenrollment?


Lesson 5

Troubleshooting Active Directory Certificate Services

You can troubleshoot AD CS by using such tools as the Certificates snap-in, Enterprise Public Key Infrastructure (PKI), the Certification Authority snap-in, Certutil.exe, and the Certificate Templates snap-in. You should be aware of Enterprise PKI, and how it can be used to troubleshoot AD CS. You should be able to identify common AD CS issues. In addition, to troubleshoot AD CS, you should be able to troubleshoot errors related to web enrollment, client autoenrollment, and certificate validation. AD CS includes Certification Authorities (CAs), Online Responders, the Network Device Enrollment Service (NDES), and related client services that support the issuance and management of X.509 digital certificates used in a variety of applications.

Objectives
After completing this lesson, you will be able to:
- Describe the tools available to troubleshoot AD CS.
- Describe Enterprise PKI.
- Use Enterprise PKI to troubleshoot AD CS.
- Describe the common AD CS issues.
- Investigate and resolve web enrollment issues.
- Investigate and resolve client autoenrollment issues.
- Investigate and resolve certificate validation issues.


Tools Used to Troubleshoot AD CS

Key Points

Troubleshooting AD CS begins with the built-in tools that give administrators a detailed view into the current conditions of the AD CS role services. The following are a few tools you can use:

- Certificates snap-in: This snap-in is used to view and manage certificate stores for a computer, user, or service.
- Enterprise PKI: This snap-in is used to monitor multiple CAs, Certificate Revocation Lists (CRLs), and authority information access (AIA) locations, and to manage AD CS objects that are published to Active Directory Domain Services (AD DS).
- Certification Authority snap-in: This snap-in can be used to administer a CA and to revoke and enroll certificates.
- Certutil.exe: This command-line tool can be used to display CA configuration information, configure AD CS, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
- Certificate Templates snap-in: This snap-in is used to analyze and provide critical information to manage the certificate templates in a domain.

Question: Which utility should you use to verify a certificate chain?


What Is Enterprise PKI?

Key Points

Enterprise PKI is a management tool included with Windows Server 2008. It was originally a Windows Server 2003 Resource Kit utility called the PKI Health Tool. It provides a summary view of the status of the PKI and allows the viewing of multiple CAs and their current health state. Enterprise PKI shows all of the CAs and their health state as indicated by a small icon. The following are the available health states:
- CA health state evaluation (question mark)
- CA has no problems (green indicator)
- CA has a non-critical problem (yellow indicator)
- CA has a critical problem (red indicator)
- CA is offline (red cross over CA indicator)

Enterprise PKI shows a quick health summary of the following areas by indicating their status (OK or Unable to Download):
- CA certificates
- AIA locations
- CRLs
- CRL distribution points

Enterprise PKI status codes for the Online Responder state:
- Online Responder health state evaluation (question mark)
- Online Responder has no problems (green indicator)
- Online Responder has one or more non-critical problems (yellow indicator)
- Online Responder has one or more critical problems (red indicator)
- Online Responder is offline (red cross over CA icon)

CRL distribution point or authority information access state:
- Location health state evaluation (question mark)
- Data is available and has no problems (green indicator)
- Data is available and has one or more non-critical problems (yellow indicator)
- Data is available but has one or more critical problems (red indicator)
- Data is not available (red cross over CA icon)

Question: Which tool would you use to get a quick glance of the health of all of your CAs?


Demonstration: How to Use Enterprise PKI to Troubleshoot AD CS

Key Points
The following demonstration shows you how to use Enterprise PKI to troubleshoot AD CS.

Demonstration Steps
1. Ensure that the 6426C-NYC-DC1 virtual machine is still running and log on to 6426C-NYC-SVR1.
2. On the 6426C-NYC-SVR1 virtual machine, open Enterprise PKI.
3. View the health indicators within Enterprise PKI.
4. Discuss the significance of several of the health indicators and how they relate to AD CS functionality.

Question: How do you get to the Enterprise PKI tool?

Question: Can you use the Enterprise PKI snap-in to resolve issues?

Question: What information is available in the Enterprise PKI snap-in?


Common AD CS Issues

Key Points
The following are common AD CS issues you may encounter:

- Client autoenrollment issues: These issues occur when clients do not automatically enroll for certificates after autoenrollment is configured. They may be caused by Group Policy information that is not replicated or that is improperly configured.

- Unavailable enterprise CA option: This issue occurs when a user who is not a member of the Enterprise Admins or Domain Admins group installs a CA; as a result, the CA might not be installed as an enterprise CA. In this case, the enterprise CA option is unavailable and information about the CA cannot be published to AD DS.

- Error accessing CA web pages: This error occurs while accessing the CA web pages. In this case, you should check to ensure that the user is a member of the Administrators or Power Users group (Windows XP) on the client computer.

- Enrollment agent restriction: This restriction occurs when an enrollment agent cannot enroll on behalf of a user for a specific certificate template. This may occur because of the restrictions configured on the enrollment agent.

- Certificate validation errors: This error occurs when a new version 2 or version 3 certificate template cannot be added to a CA. This happens when a CA is installed on a server that runs Windows Server 2008 Standard (not the Enterprise or Data Center edition).

Question: How can you determine if a user received an autoenrollment GPO?


Troubleshooting Web Enrollment Issues

Key Points

Certificate Services includes several CA web pages that users can access to submit basic and advanced certificate requests. By default, these pages are located at https://servername/certsrv, where servername is the name of the server hosting the web pages. The following issues may be related to web enrollment:

- You must set the appropriate permissions on the certificate templates so that users can enroll for certificates using the templates.
- You must confirm that script execution permissions are enabled on the %systemroot%\System32\Certsrv folder on the web server to prevent errors that may arise when you access the CA web pages.
- You must configure the certificate enrollment website to require Secure Sockets Layer (SSL), so that it is reached over HTTPS, before Windows 7-based or Windows Server 2008-based client computers can use the Windows Server 2008 certificate enrollment web pages.
- You must ensure that the user is a member of the Administrators or Power Users group on the local computer for client computers running operating systems earlier than Windows Server 2008 and Windows 7, so that the Xenroll ActiveX control can be installed.
- You must check whether the users have added the website to the list of trusted sites in Windows Internet Explorer before they access the web server of a CA for the first time.

Question: A user is not seeing the certificate template that he needs on the CA Web enrollment page. Where should you look first?


Troubleshooting Client Autoenrollment Issues

Key Points

AD CS can distribute some types of certificates without any manual interaction by the client or without the client knowing that enrollment is occurring. To enroll clients automatically for certificates in an AD DS environment, you need to configure a certificate template with Autoenroll permissions. You also need to define an autoenrollment group policy for the particular domain.

One of the most common issues you may face while troubleshooting autoenrollment is client computers being unable to enroll automatically for certificates. This happens because the Group Policy information used for autoenrollment has not been replicated to the client computers. By default, Group Policy information can take up to two hours to replicate to all computers. However, you can apply Group Policy immediately using the GPUpdate command-line tool. To configure autoenrollment permissions, you need to ensure that the user is a member of a group that has Enroll permissions on the certificate template. In cases where a computer is removed from a domain, the certificates that were autoenrolled from the previous domain will not be removed.

In cases where the machine is a domain controller, the certificates from the previous domain will be removed. You may need to delete old certificates once a machine joins a new domain in case users have certificates required for secure network communications.

By default, autoenrollment logs errors, failures, and successful enrollments in the Application event log on the client computer. To audit events, you need to configure the audit policy. You can view and manage audit policy options in Group Policy at the following path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Question: What permissions does the user require to enroll a certificate using a specific template?


Troubleshooting Certificate Validation Issues

Key Points
All certificates have a validity period. After the validity period expires, the certificate is no longer considered an acceptable credential. Client computers may not be able to connect to resources that require certificates if any certificate validation problems occur. AD CS startup may stop if there are problems of availability, validity, and chain validation for the CA certificate.

As an IT administrator, you need to use Enterprise PKI to verify that the AIA and CRL distribution point (CDP) locations and certificates are valid. In addition, you need to use the Certification Authority snap-in to install new certificates.

Question: What are some issues that might occur when a computer's certificate expires?
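The following PowerShell script is an added example, not part of the course, covering both the autoenrollment checks described in the previous topic and the chain validation described here. It assumes a domain-joined Windows 7 or Windows Server 2008 R2 client with certutil and Get-WinEvent available; the template name ContosoWorkstation is a constructed placeholder.

```powershell
# Added example (not course material): client-side checks for autoenrollment
# that never happens and for certificate chains that fail validation.

# --- Autoenrollment: force the policy refresh and a pulse -----------------
# Group Policy may take hours to reach the client; gpupdate forces it, and
# certutil -pulse tells the autoenrollment client to run now (machine and
# user context) instead of waiting for its next scheduled run.
gpupdate /force
certutil -pulse
certutil -user -pulse

# The client logs the outcome to the Application log. List the last hour
# from the two Certificate Services client providers, oldest first.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = @('Microsoft-Windows-CertificateServicesClient-AutoEnrollment',
                     'Microsoft-Windows-CertificateServicesClient-CertEnroll')
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# A request that never leaves the client usually means the template's ACL
# lacks Enroll/Autoenroll for the computer's or user's group. Dump the
# template object from AD DS, including its security descriptor, to confirm.
# 'ContosoWorkstation' is a placeholder template name.
certutil -v -dstemplate ContosoWorkstation

# --- Validation: build the chain the way the operating system does -------
# Take the first certificate in the machine store and build its chain with
# online revocation checking, which exercises the same CDP and AIA URLs that
# Enterprise PKI monitors. ChainStatus names the failing step, for example
# NotTimeValid (expired), RevocationStatusUnknown (CRL unreachable),
# PartialChain (issuer certificate missing) or UntrustedRoot.
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($cert -eq $null) { throw 'No certificate in the machine personal store' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'Online'
$chain.ChainPolicy.RevocationFlag    = 'EntireChain'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$ok = $chain.Build($cert)
"Chain for '$($cert.Subject)' valid: $ok"
$chain.ChainStatus | Format-Table Status, StatusInformation -AutoSize

# certutil gives the long form: every CDP, AIA and OCSP URL it fetched and
# whether each fetch and revocation check succeeded. It needs the
# certificate as a file, so export the public part first.
$path = Join-Path $env:TEMP 'machine-cert.cer'
[System.IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
certutil -verify -urlfetch $path
```

A failed fetch for a CDP or AIA URL in the certutil output points at the same location that Enterprise PKI would flag as Unable to Download, so the two views should agree.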


Lab: Deploying and Configuring Active Directory Certificate Services

Objectives
After completing the lab, you will be able to:
- Install the AD CS server role and deploy a standalone root CA.
- Install the AD CS server role, deploy an enterprise subordinate CA, and issue and install the subordinate certificate.

Scenario

Building upon the blueprint created in the previous lab, you have been asked to implement AD CS within the Contoso Pharmaceuticals infrastructure. Since this is the first AD CS role installed, you have been asked to perform the following tasks:
- Install the AD CS server role, deploy a standalone root CA, and configure the root CA to issue subordinate certificates.
- Install the AD CS server role and deploy an enterprise subordinate CA.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines. Start the 6426C-NYC-DC1 and the 6426C-NYC-SVR1 virtual machines.


Exercise 1: Deploying a Standalone Root CA


The main task for this exercise is as follows:
Install the AD CS server role with the CA role service.

Task: Install the AD CS server role and configure it as a stand-alone root Certificate Authority (CA)
On the 6426C-NYC-DC1 virtual machine, install and configure AD CS by selecting the appropriate options in the Add Roles Wizard within Server Manager. Select the following options during the installation:
Specify Setup Type: Standalone
Specify CA Type: Root CA
Set Up Private Key: Create a new private key
Configure Cryptography for CA: default settings for all configurations except for key character length, which you should set to 4096
Common Name for this CA: ContosoCA
Validity Period: default
Configure Certificate Database: default

Results: After this exercise, you have installed the AD CS server role and deployed a standalone Root CA.


Exercise 2: Deploying an Enterprise Subordinate CA


The main tasks for this exercise are as follows:
1. Install an enterprise subordinate CA with the web enrollment role service.
2. Issue and install the subordinate certificate.

Task 1: Install an enterprise subordinate CA

On the 6426C-NYC-SVR1 virtual machine, install and configure AD CS by selecting the appropriate options within the Add Roles Wizard of Server Manager. Select the following options during the installation:
Select Role Service: Certification Authority and Certification Authority Web Enrollment
Specify Setup Type: Enterprise
Specify CA Type: Subordinate CA
Set Up Private Key: Create a new private key
Configure Cryptography for CA: default settings for all configurations
Common Name for this CA: ContosoIssuingCA
Request Certificate from a Parent CA: ContosoCA
Configure Certificate Database: default

Task 2: Issue and install the subordinate certificate


1. On the 6426C-NYC-DC1 virtual machine, issue the pending subordinate certificate by using the Certification Authority console.
2. On the 6426C-NYC-SVR1 virtual machine, install the subordinate certificate by using the Certification Authority console.
3. On the 6426C-NYC-SVR1 virtual machine, start the Active Directory Certificate Services service.

Results: After this exercise, you have installed the AD CS server role, deployed an Enterprise Subordinate CA, configured the Root CA to issue Subordinate certificates, and installed the subordinate certificate on the Subordinate CA.

Questions:
1. Which CA sits at the top of the PKI hierarchy?
2. What is the benefit of selecting a certificate key length of 4096?
3. Which server issued the certificate to the Subordinate CA?
4. Can a Subordinate CA issue a certificate to another Subordinate CA?
5. What option is available if your company and another company are merging but both organizations have existing PKI?


Module Review and Takeaways

Review Questions
1. What is the difference between a public key and a private key?
2. What are some reasons that an organization would use PKI?
3. What are some reasons that an organization would use an enterprise root CA?
4. What are some reasons that an organization would publish a CRL?

Common Issues Related to Enrollment and Autoenrollment

Issue: User cannot get to the web enrollment page at http://servername/certsrv
Troubleshooting tip:

Issue: User is unable to install the Xenroll ActiveX control on their XP client computer.
Troubleshooting tip:

Issue: Administrator is unable to install an enterprise CA because the enterprise option is not available.
Troubleshooting tip:

Issue: Autoenrollment is not functional.
Troubleshooting tip:


Real-world Issues and Scenarios


1. Tailspin Toys wants to deploy an e-commerce website for customers. Using AD CS and their internal CA during testing, internet users receive certificate errors when visiting the e-commerce website. What are a couple of methods that Tailspin Toys can use to eliminate the user errors?

2. Fabrikam has been experiencing slowness on their single CA due to load issues. They want to enhance performance by load balancing CA services across multiple servers. How should they proceed?

3. Contoso just installed their PKI and configured Group Policy for autoenrollment. However, users are not being automatically enrolled. What could be contributing to this issue?

Best Practices Related to Root CA Services


Supplement or modify the following best practices for your own work situations:

Utilize autoenrollment to simplify the certificate enrollment process across an enterprise environment.

For organizations that use SSL for many public-facing services, consider a third-party root CA while deploying a subordinate CA internally.

The CA private key should be maintained very strictly and should be stored in a secure vault that is protected through secure and audited processes.


Module 3
Deploying and Configuring Certificates
Contents:
Lesson 1: Managing Certificate Templates 3-3
Lesson 2: Deploying Certificates and Managing Enrollment 3-14
Lesson 3: Managing Certificate Revocation 3-24
Lesson 4: Configuring Certificate Recovery 3-35
Lab: Deploying Certificates and Managing Enrollment 3-44


Module Overview

Active Directory Certificate Services (AD CS) is used to deploy and maintain certificates within your public key infrastructure (PKI). You can use AD CS along with web enrollment, Group Policy, autoenrollment, and Network Device Enrollment Service (NDES) to automatically enroll users and computers with certificates. You can distribute Certificate Revocation Lists (CRLs) or use Online Certificate Status Protocol (OCSP) to communicate certificate status for revocation. Certificate templates can be configured to use the appropriate types of keys and cryptographic service providers (CSPs) that are required for your PKI implementation. Finally, certificate recovery can be implemented by configuring a key recovery agent (KRA) certificate and by establishing KRA policies.

Objectives
After completing this module, you will be able to:
Manage certificate templates.
Deploy certificates and manage enrollment.
Manage certificate revocation.
Configure certificate recovery.


Lesson 1

Managing Certificate Templates

Certificate templates define how a certificate can be requested and what it can be used for. Templates are configured on the Certification Authority (CA). Windows 2000 Enterprise Certification Authority (CA) supports version 1 certificate templates, Windows Server 2003 Enterprise supports version 1 and 2 templates, and Windows Server 2008 Enterprise supports version 1, 2, and 3 certificate templates. Users and computers are two types of certificate template categories, and each can be used for multiple purposes. You can assign Full Control, Read, Write, Enroll, and Autoenroll permissions to certificate templates. You can update certificate templates by modifying the original certificate template, duplicating a template, or superseding existing certificate templates.

On July 13, 2010, support for Windows 2000 and Windows XP Service Pack 2 ended. Microsoft no longer issues security updates or non-security hotfixes for Windows 2000. In addition, assisted support is no longer available for Windows 2000. Users of Windows XP with Service Pack 2 (SP2) must upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7 to ensure that they receive all important security updates.

Objectives
After completing this lesson, you will be able to:
Describe the purpose of certificate templates.
Describe the different versions of certificate templates.
Describe the certificate template categories and the purpose of each category.
Configure certificate template permissions.
Describe how to update certificate templates.
Update and enable a certificate template.


What Are Certificate Templates?

Key Points
Certificate templates allow administrators to customize the distribution method of certificates and mandate the type of usage allowed by a certificate. Templates are easily created by administrators and quickly deployed to the enterprise by using the built-in graphical user interface (GUI) or command-line management utilities. The deployment of a certificate from a certificate template requires the Enterprise Edition of Windows Server 2008. The following points highlight some key facts when working with certificate templates:

Certificate templates define the format and content of certificates.

Certificate templates are stored in Active Directory Domain Services (AD DS). This allows any CA in the domain to utilize the same templates.

Each certificate template has an associated discretionary access control list (DACL). The DACL defines which security principals (users, groups, or computers) have permissions to read and configure the template and to enroll or use Autoenroll for certificates based on the template.

The CAs use the certificate template to specify which users and computers can enroll for which types of certificates. They also use the certificate templates to define the enrollment process, such as autoenrollment, enrollment only with authorized signatures, and manual enrollment.

If more than one Enterprise CA is running in the Active Directory forest, permission changes have an impact across all Enterprise CAs.

Question: What allows a new Certification Authority (CA) to utilize existing certificate templates that were created on an existing Certification Authority (CA)?


Certificate Template Versions

Key Points

Certificate template versions correspond to the operating system version (Windows 2000 corresponds to version 1, Windows Server 2003 to version 2, and Windows Server 2008 to version 3), and newer operating systems support the previous template versions, as follows:

Windows 2000 Advanced Server provides support for version 1 certificate templates. The only modification allowed on version 1 templates is changing permissions to allow or disallow enrollment of the certificate template. When you install an Enterprise CA, version 1 certificate templates are created by default. As of July 13, 2010, Windows 2000 is no longer supported by Microsoft.

Windows Server 2003 Enterprise provides support for version 1 and version 2 templates. You can customize several settings in the version 2 templates. The default installation provides several preconfigured version 2 templates. You can add version 2 templates based on the requirements of your organization. Alternatively, you can duplicate a version 1 certificate template to create a new version 2 of the template. You can then modify and secure the newly created version 2 certificate template. When new templates are added to a Windows Server 2003 Enterprise CA, they are version 2 by default.

Windows Server 2008 Enterprise provides support for version 3 certificate templates. Additionally, support for version 1 and version 2 is provided. Version 3 certificate templates support several features of a Windows Server 2008 Enterprise CA, such as Cryptography API: Next Generation (CNG). This feature provides support for Suite B cryptographic algorithms such as Elliptic Curve Cryptography (ECC). In Windows Server 2008 Enterprise, you can duplicate default version 1 and version 2 templates to bring them up to version 3. Windows Server 2008 provides two new certificate templates by default, Kerberos Authentication and OCSP Response Signing.


When you use version 3 certificate templates, you can use CNG encryption and hash algorithms for the following:
Certificate requests.
Issued certificates.
Protection of private keys for key exchange and key archival scenarios.

To configure support for these new features, you can use the template property sheets in the certificate templates Microsoft Management Console (MMC) of Windows Server 2008 Enterprise.

Upgrading certificate templates is a process that applies only in situations where the CA has been upgraded from Windows Server 2003 Enterprise to Windows Server 2008 Enterprise (a similar situation also existed when upgrading from Windows 2000 Advanced Server to Windows Server 2003 Enterprise). After the upgrade, the certificate templates can be upgraded by launching the Certificates Management console and accepting the upgrade prompt by clicking Yes.

Question: What is the minimum version of the operating system that supports Elliptic Curve Cryptography (ECC)?


Certificate Template Categories and Purposes

Key Points

Windows Server 2008 Enterprise CAs use certificate templates to define the certificates that can be issued. These templates also define the intended use of the certificate. Certificate templates are the sets of rules and settings that define the following:

The format and content of a certificate based on the certificate's intended use.
The intended purpose of a certificate, which may relate to users or to computers, based on the types of security implementations required to use the PKI.
The process of creating and submitting a valid certificate request.

You need to configure the certificate templates on a CA. The CA then applies these templates against incoming certificate requests. Windows Server 2008 provides 33 default certificate templates for purposes that include code signing (for digitally signing software), EFS (for encrypting data), and the ability for users to log on with a smart card. To customize a template for your company, duplicate the template and then modify the certificate configuration. The following two types of certificate can be used:

Single Purpose: A single purpose certificate serves a single purpose, such as allowing users to log on with a smart card. Organizations utilize single purpose certificates in cases where the certificate configuration is different from other certificates being deployed. For example, if all users will receive a certificate for use with EFS but only a couple of groups will receive a certificate for smart card logon, organizations will generally keep these certificates and templates separate to ensure that users only receive the required certificates.

Multiple Purposes: A multi-purpose certificate serves more than one purpose at the same time (and many times, the purposes are not related). While some templates (such as the User template) serve multiple purposes by default, organizations will often modify templates to serve additional purposes. For example, if a company intends to issue certificates for three purposes, those purposes can be combined into a single certificate template to ease the administrative effort and maintenance.


Question: If I want to issue a certificate for code signing to developers and a certificate for IPsec to the network engineers, should I utilize a single certificate?


Configuring Certificate Template Permissions

Key Points

To configure certificate template permissions, you need to define the DACL for each certificate template in the Security tab. The permissions assigned to a certificate template will define which users or groups can read, modify, enroll, or autoenroll for that certificate template. You can assign the following permissions to certificate templates:

Full Control: The Full Control permission allows a security principal to modify all attributes of a certificate template, which includes permissions for the certificate template.

Read: The Read permission allows a user or computer to view the certificate template when enrolling for certificates. The Read permission is also required by the certificate server to find the certificate templates in Active Directory.

Write: The Write permission allows a user or computer to modify the attributes of a certificate template, which includes permissions assigned to the certificate template.

Enroll: The Enroll permission allows a user or computer to enroll for a certificate based on the certificate template. However, to enroll for a certificate, you must also have Read permissions for the certificate template.

Autoenroll: The Autoenroll permission allows a user or computer to receive a certificate through the autoenrollment process. However, the Autoenroll permission requires the user or computer to also have both Read and Enroll permissions for a certificate template.

It is recommended that you assign certificate template permissions to global or universal groups only. This is because the certificate template objects are stored in the configuration naming context in Active Directory. You cannot assign permissions by using domain local groups found within an Active Directory domain. You should never assign certificate template permissions to individual user or computer accounts.


As a best practice, keep the Read permission allocated to the Authenticated Users group. This permission allocation allows all users and computers to view the certificate templates in Active Directory. This permission assignment also allows the CA running under the System context of a computer account to view the certificate templates when assigning certificates.

Question: Besides Read and Autoenroll, what other permission is required for the autoenrollment process?
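The permission rules described in this topic (Enroll needs Read, Autoenroll needs Read and Enroll, grant to global or universal groups only, keep Read on Authenticated Users) can be audited against the template object in the Configuration partition. This is an added example and not course material; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), and the template name WebServerTest is illustrative.

```powershell
# Added example, not part of the course material: report who holds Read, Write,
# Enroll, Autoenroll and Full Control on one certificate template, then flag the
# conditions this topic warns about. Assumes the ActiveDirectory module is present.

Import-Module ActiveDirectory

# Extended-right GUIDs defined in the AD schema for certificate enrollment.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-11d2-8b69-00c04f8c4000'   # Certificate-AutoEnrollment

function Get-CertTemplatePermissionReport {
    param([Parameter(Mandatory=$true)][string]$TemplateName)

    # Templates live in the forest-wide Configuration partition, which is why the
    # topic recommends global or universal groups rather than domain local ones.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        $rights = @()
        $r = $ace.ActiveDirectoryRights.ToString()
        if ($r -match 'GenericAll')                 { $rights += 'FullControl' }
        if ($r -match 'GenericRead|ReadProperty')   { $rights += 'Read' }
        if ($r -match 'GenericWrite|WriteProperty') { $rights += 'Write' }
        if ($r -match 'ExtendedRight') {
            # An empty ObjectType GUID means "all extended rights" on the object.
            $all = ($ace.ObjectType -eq [Guid]::Empty)
            if ($all -or $ace.ObjectType -eq $EnrollRight)     { $rights += 'Enroll' }
            if ($all -or $ace.ObjectType -eq $AutoEnrollRight) { $rights += 'Autoenroll' }
        }
        if ($rights.Count -eq 0) { continue }

        # Resolve the trustee's object class so individual accounts can be flagged;
        # well-known principals such as Authenticated Users are not AD objects.
        $sam = ($ace.IdentityReference.Value -split '\\')[-1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        $class = if ($obj) { $obj.ObjectClass } else { 'well-known' }

        New-Object PSObject -Property @{
            Trustee = $ace.IdentityReference.Value
            Type    = $ace.AccessControlType.ToString()
            Class   = $class
            Rights  = $rights
        }
    }
}

function Test-CertTemplatePermissions {
    param([Parameter(Mandatory=$true)][string]$TemplateName)
    $rows     = @(Get-CertTemplatePermissionReport -TemplateName $TemplateName)
    $findings = @()

    foreach ($row in ($rows | Where-Object { $_.Type -eq 'Allow' })) {
        if ($row.Class -eq 'user' -or $row.Class -eq 'computer') {
            $findings += "$($row.Trustee) ($($row.Class)) holds $($row.Rights -join ','): grant this to a global or universal group instead."
        }
        # Autoenroll is inert unless the principal also ends up with Read and Enroll.
        if ($row.Rights -contains 'Autoenroll' -and
            -not ($row.Rights -contains 'Enroll' -and $row.Rights -contains 'Read')) {
            $findings += "$($row.Trustee) has Autoenroll without Read+Enroll in the same entry; check that another entry supplies them."
        }
    }
    $authRead = $rows | Where-Object {
        $_.Type -eq 'Allow' -and $_.Trustee -like '*Authenticated Users' -and $_.Rights -contains 'Read'
    }
    if (-not $authRead) {
        $findings += 'Authenticated Users lack Read: clients and the CA (System context) may not see this template.'
    }
    $findings
}

Get-CertTemplatePermissionReport -TemplateName 'WebServerTest' | Format-Table Trustee, Type, Class, Rights -AutoSize
Test-CertTemplatePermissions     -TemplateName 'WebServerTest'
```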


Methods for Updating Certificate Templates

Key Points

The CA hierarchy in most organizations has one certificate template for each job function. For example, there may be a certificate template for file encryption and another for code signing. Additionally, there may be a few templates that cover functions for most of the common groups of subjects.

As an IT administrator, you may need to modify an existing certificate template because of incorrect settings or other issues in the original certificate template. You may also need to merge multiple existing certificate templates into a single template. You can update a certificate template in the following ways:

Modify the original certificate template: To modify a version 2 certificate template, you need to make changes and apply them to that template. After this, any certificate issued by a CA based on that certificate template will include the modifications you have made.

Supersede existing certificate templates: The CA hierarchy of an organization may have multiple certificate templates providing the same or similar functionality. In such a scenario, you can supersede or replace the multiple certificate templates by using a single certificate template. You can make this replacement by designating that a new certificate template supersedes, or replaces, the existing certificate templates.

Question: If I modify a certificate template, will the changes affect certificates previously issued by that template?


Demonstration: How to Modify and Enable a Certificate Template

Key Points
The following demonstrations show you how to:
Create, modify, and supersede a certificate template.
Issue a certificate to be used by a CA.

Demonstration Steps
Create, Modify, and Supersede a Certificate Template
1. Start the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines and log on to 6426C-NYC-SVR1-B.
2. On the 6426C-NYC-SVR1-B virtual machine, open the Certification Authority console.
3. From the Certification Authority console, open the Certificate Templates console.
4. Review the list of default templates, and examine them and their properties.
5. Duplicate the IPSec certificate template and select Windows Server 2008 Enterprise.
6. Review the tabs and note what you can modify in each tab.
7. Cancel and do not save the new template.
8. Duplicate the Exchange User certificate template, select Windows Server 2008 Enterprise, and name it Exchange User Test1.
9. Modify the new template so that it supersedes the Exchange User template, assign the enrollment permissions to the new template, and save it.

Issue a Certificate
1. On the 6426C-NYC-SVR1-B virtual machine, open the Certification Authority console.
2. From the Certification Authority console, issue the Exchange User Test1 certificate template.


Question: Why would you need to modify a certificate template?

Question: What is the difference between modifying an original certificate template and superseding an existing certificate template?


Lesson 2

Deploying Certificates and Managing Enrollment

Digital certificates are electronic credentials associated with public keys and a private key. Each certificate deployed goes through the cycle of request, generation, distribution, usage with application, and expiry, renewal, or revocation. To assist in certificate deployment, you can select your choice of certificate enrollment method. Automatically deploying certificates (autoenrollment) involves the configuration of technologies such as certificate templates and Group Policy. Therefore, in the absence of these technologies, you might decide to use manual or web enrollment methods for obtaining certificates. If your infrastructure contains network devices that support PKI, you may also consider the use of NDES to enroll certificates for those devices.

Objectives
After completing this lesson, you will be able to:
Describe the different methods available to enroll certificates.
Obtain certificates by using web enrollment.
Obtain certificates by using manual enrollment.
Obtain a certificate for a Web service using manual enrollment.
Issue certificates by using autoenrollment.
Describe NDES.


Certificate Enrollment Methods

Key Points
The different methods available to enroll certificates are listed in the table:

Enrollment method: Autoenrollment
Description: By using this method, the administrator defines the permissions and the configuration of a certificate template. These definitions help the requestor automatically request, retrieve, and renew certificates without end-user interaction. This method is used for Active Directory Domain Services (AD DS) domain computers. The certificate must be configured for autoenrollment through Group Policy.

Enrollment method: Manual enrollment
Description: By using this method, the private key and a certificate request are generated on a device, such as a web service or a computer. (Note: this is also the case for other enrollment methods.) The certificate request is then transported to the CA to generate the certificate. The certificate is then transported back to the device for installation. Use this method when the requestor cannot communicate directly with the CA or if the device does not support autoenrollment.

Enrollment method: Web enrollment
Description: By using this method, you can enable a website on the CA so that users can obtain certificates. To use web enrollment, you must first install Internet Information Services (IIS) and the web enrollment role on the CA of AD CS. To obtain a certificate, the requestor can log on to the website, select the appropriate certificate template, and then submit a request. The certificate is automatically issued if the user has the appropriate permissions to enroll for the certificate. The web enrollment method should be used to issue certificates when autoenrollment cannot be used. This can happen in the case of an Advanced Certificate request. However, there can also be cases where autoenrollment can be used for certain certificates, but not for all certificates.

Enrollment method: Enrollment agents
Description: By using this method, a Windows CA administrator creates an enrollment agent account for a user. The user with enrollment agent rights can then enroll for certificates on behalf of other users. For example, use this method if you need to allow a manager to preload logon certificates of new employees on smart cards.

Question: What type of enrollment method is the most common when purchasing certificates from a trusted third-party certificate provider?


Obtaining Certificates by Using Web Enrollment

Key Points

The default web enrollment website is located at http://ServerName/certsrv. The following steps show how to request a certificate by using the web enrollment website.
1. From Windows Internet Explorer, in the Address bar, type http://ServerName/certsrv. ServerName is the name of the Web server running Windows Server 2008 that hosts the CA.
2. Click Request a Certificate.
3. On the Request A Certificate page, do one of the following:
To enroll a user certificate, click User Certificate.
To enroll any other certificate, click Advanced Certificate Request. On the Advanced Certificate Request page, you can submit a request to the CA that indicates the certificate template, CSP, and other attributes of the requested certificate.
4. Type the required identification information.
5. On the Certificate Issued webpage, click Install this certificate.

Question: Is web enrollment automatic or does it require administrator intervention?


Obtaining Certificates by Using Manual Enrollment

Key Points
The following table describes the options for manual enrollment:

Enrollment method: Certificates Microsoft Management Console (MMC)
Description: The Certificates snap-in is a multipurpose tool to manage certificates for a user, computer, or service. You can use the snap-in tool to determine what certificates are stored on a computer, the stored location(s) of the certificates, and the certificate configuration options. In addition, you can use the snap-in tool for the following tasks:
Enroll for new certificates
Renew existing certificates
Find certificates
Import certificates
Export or back up certificates

Enrollment method: Requesting a certificate for servers such as Web servers
Description: If IIS is installed on the CA of AD CS, you can enable a website on the CA. The CA-enabled website provides a single web interface for users to obtain certificates, renew certificates, and retrieve CRLs.

Enrollment method: NDES
Description: NDES is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that allows software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 digital certificates from a CA.


Demonstration: How to Manually Obtain a Certificate for a Web Server

Key Points
The following demonstration shows you how to:
Duplicate the Web Server certificate template, specify the appropriate permissions, and set the certificate to be issued.
Access the Certificates snap-in and manually enroll the new certificate.

Demonstration Steps
Duplicate the Web Server Certificate Template, Specify the Permissions, and Issue the New Certificate
1. Ensure that the 6426C-NYC-DC1-B virtual machine is still running and log on to 6426C-NYC-SVR1-B.
2. On the 6426C-NYC-SVR1-B virtual machine, open the Certification Authority console and then open the Certificate Templates console.
3. Duplicate the Web Server certificate template, select Windows Server 2008 Enterprise, and name it Web Server Test.
4. Assign the enrollment permissions to the new template and save it.
5. From the Certification Authority console, issue the Web Server Test certificate template.

Manually Enroll the New Certificate from the Certificates Snap-in
1. On the 6426C-NYC-SVR1-B virtual machine, open the MMC.
2. From the MMC, add the Certificates snap-in for the local computer.
3. From the Certificates snap-in, request the Web Server Test certificate under Certificates in the Personal container.
4. Fill in the required information to enroll the Web Server Test certificate and then enroll it.
5. Verify that the Web Server Test certificate is available in the Certificates folder in the Personal container.
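The manual enrollment flow described in the table above (key pair and request generated on the device, request carried to the CA, certificate carried back and installed) can be scripted with certreq.exe, which is useful when the web server cannot reach the CA directly or when the Certificates snap-in is not available. This is an added example and not course material; it assumes the duplicated template's name (as opposed to its display name) is WebServerTest, that the issuing CA is ContosoIssuingCA on NYC-SVR1.contoso.com, and that the site name is www.contoso.com.

```powershell
# Added example, not part of the course material: enroll a web server certificate
# from the WebServerTest template with certreq instead of the Certificates snap-in.
# Run from an elevated PowerShell prompt on the web server (MachineKeySet needs it).

$caConfig = 'NYC-SVR1.contoso.com\ContosoIssuingCA'   # assumed "host\CA name"
$workDir  = 'C:\certreq'                                # scratch folder, any path works
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Describe the request. The private key is generated here, in the machine store,
#    and never leaves the server; only the PKCS#10 request travels to the CA.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.contoso.com, O=Contoso Pharmaceuticals"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServerTest

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www.contoso.com&"
_continue_ = "dns=contoso.com"
'@
Set-Content -Path "$workDir\webserver.inf" -Value $inf -Encoding ASCII

# 2. Create the key pair and the certificate request.
certreq -new "$workDir\webserver.inf" "$workDir\webserver.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit the request to the CA. If the template does not require CA manager
#    approval the certificate is issued at once and written to webserver.cer; if the
#    request is held as pending, certreq prints its RequestId and you retrieve it
#    later with:  certreq -retrieve -config $caConfig <RequestId> webserver.cer
certreq -submit -config $caConfig "$workDir\webserver.req" "$workDir\webserver.cer"

# 4. Install the issued certificate; certreq matches it to the outstanding request
#    in the machine store so the certificate and its private key are joined.
if (Test-Path "$workDir\webserver.cer") {
    certreq -accept "$workDir\webserver.cer"
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}

# 5. Verify the same way the demonstration does: the certificate now sits in
#    Personal (Cert:\LocalMachine\My) and reports a private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.contoso.com*' } |
    Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```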

Question: What are some benefits derived from duplicating certificate templates?

Question: In this demonstration, how would the process have changed if the Web server was running a Unix-based operating system?


Issuing Certificates by Using Autoenrollment

Key Points

One of the most common methods for deploying certificates is to use autoenrollment. This method provides an automated way to deploy certificates to both users and computers within the PKI. Autoenrollment can be used in environments that meet specific requirements such as the use of certificate templates and Active Directory Group Policy. It is important to note that autoenrollment cannot be used with a stand-alone CA. You must have an Enterprise CA available to make use of autoenrollment.

You can use autoenrollment to automatically deploy public key-based certificates to users and computers in an organization. The Certificate Services administrator duplicates a certificate template and configures the permissions to allow Read, Enroll, and Autoenroll permissions for the users who will receive the certificates.

Domain-based group policies, such as computer-based and user-based policies, can activate and manage autoenrollment. By default, the Group Policy is applied when you restart computers, or at logon for users. By default, the Group Policy is also refreshed periodically. This Group Policy setting is named Certificate Services Client Auto-Enrollment. An internal timer triggers autoenrollment every eight hours after the last autoenrollment activation. The certificate template might specify user interaction for each request. For such a request, a pop-up balloon appears approximately 60 seconds after the user logs on.

Autoenrollment simplifies certificate management by effectively removing the certificate administrator from the certificate enrollment and management process. Autoenrollment automates the process of enrolling for a certificate. Users may not even realize they are being enrolled for a certificate, while the administrator does not have to worry about approving certificate requests or managing the certificate deployment.


Process for autoenrollment:

1. Configure the certificate template: Each certificate template must be configured for autoenrollment by using the security permissions of the template. While not all certificate templates will be autoenrollment enabled, each template should be analyzed to consider autoenrollment. Common templates for autoenrollment include IPsec, smart card logon, and EFS.
2. Configure the CA: Configure the CA to issue certificates. Each CA needs to be configured to issue certificates based on the templates that will be available for deployment.
3. Configure Group Policy: Use a Group Policy Object (GPO) to configure autoenrollment. Configure a GPO to distribute certificates to the designated users and computers.
4. Receive the certificate: Users and computers receive the certificate through Group Policy.
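To check, from a client and from the template itself, that the four pieces above are in place, here is an added PowerShell example (it is not part of the course): it reads the Auto-Enrollment policy state the GPO writes, lists which certificates in the user's store came from which template, and shows which identities hold Enroll and Autoenroll on a template. It assumes the ActiveDirectory module from RSAT is installed; the template name passed in is a placeholder.

```powershell
# Added example (not from the course). Assumes the ActiveDirectory module (RSAT).

# 1. State of the "Certificate Services Client - Auto-Enrollment" policy.
# The GPO writes an AEPolicy DWORD. Bits: 0x1 = enabled, 0x2 = renew expired /
# update pending / remove revoked, 0x4 = update certificates that use templates,
# 0x8000 = policy explicitly disabled. "Enabled" with both options checked is 7.
function Get-AutoEnrollmentState {
    param([ValidateSet('Machine','User')][string]$Scope = 'Machine')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val)         { return 'NotConfigured' }
    if ($val -band 0x8000)      { return 'Disabled' }
    if (($val -band 0x7) -eq 7) { return 'Enabled (renew + template update)' }
    if ($val -band 0x1)         { return ('Enabled (partial, 0x{0:X})' -f $val) }
    return ('Unknown (0x{0:X})' -f $val)
}

# 2. Which certificates were issued from a template? The template is recorded in
# extension 1.3.6.1.4.1.311.21.7 (v2/v3 templates) or 1.3.6.1.4.1.311.20.2 (v1).
function Get-TemplateIssuedCertificates {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
               Select-Object -First 1
        if ($ext) {
            [pscustomobject]@{
                Subject    = $_.Subject
                Template   = $ext.Format($false)   # e.g. "Template=User(1.3.6...), Major Version Number=..."
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

# 3. Who can Enroll / Autoenroll on a template? Templates live in the configuration
# partition; the two rights are the Certificate-Enrollment and
# Certificate-AutoEnrollment extended rights (well-known GUIDs below).
function Get-TemplateEnrollmentRights {
    param([Parameter(Mandatory=$true)][string]$TemplateCommonName)  # CN such as 'User', not the display name
    Import-Module ActiveDirectory
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateCommonName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoenroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ObjectType -eq $enroll -or $_.ObjectType -eq $autoenroll) } |
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Right    = if ($_.ObjectType -eq $autoenroll) { 'Autoenroll' } else { 'Enroll' }
            }
        }
}

# Usage
Get-AutoEnrollmentState -Scope User
Get-TemplateIssuedCertificates | Format-Table -AutoSize
Get-TemplateEnrollmentRights -TemplateCommonName 'User' | Sort-Object Identity | Format-Table
# Trigger autoenrollment now rather than waiting for the eight-hour timer:
certutil -pulse
```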

Question: After a certificate template is enabled for autoenrollment, what else has to be modified to complete the autoenrollment setup configuration?


What Is NDES?

Key Points

The Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a CA.

Some devices, such as routers and switches, may contain software that uses SCEP to enroll for X.509 digital certificates from a CA. NDES is one implementation of SCEP. You can use NDES as an Internet Server Application Programming Interface (ISAPI) filter on IIS to perform the following functions:

• Create and provide one-time enrollment passwords to administrators.
• Retrieve pending requests from the CA.
• Collect and process SCEP enrollment requests for the software that runs on network devices.

Question: Is NDES available in Windows Server 2003?


Lesson 3

Managing Certificate Revocation

During the certificate management process, there will be times that you may need to revoke certificates. There may be a number of reasons for revoking certificates, such as if a key becomes compromised or if someone leaves the organization. You need to ensure that network clients can determine which certificates are revoked before accepting authentication requests. To ensure scalability and high availability, you can deploy the Active Directory CA Online Responder, which can be used to provide certificate revocation status.

Objectives
After completing this lesson, you will be able to:

• Describe how certificate revocation checking works in Windows Server 2008.
• Describe the reason codes available for certificate revocation.
• Describe the purpose of CRLs.
• Describe the purpose of Online Responders.
• Describe how Online Responders work.
• Describe how to configure an Online Responder.
• Configure an Online Responder.


How Does Certificate Revocation Work?

Key Points
An overview of the certificate revocation lifecycle:

1. A certificate is revoked from the Certification Authority MMC snap-in. During revocation, a reason code and a date and time are specified.
2. The certificate revocation list (CRL) is published by using the Certification Authority MMC snap-in, or the scheduled revocation list is published automatically based on the configured interval.
3. When Windows client computers are presented with a certificate, they verify its revocation status by querying the issuing CA. This process determines whether the certificate is revoked and presents the information to the application requesting the verification.

The Windows operating systems include CryptoAPI, which is responsible for the certificate revocation and status checking processes. It uses the following phases in the certificate checking process:

• Certificate discovery: Collects CA certificates, Authority Information Access (AIA) information in issued certificates, and details of the certificate enrollment process.
• Path validation: Verifies the certificate through the CA chain (or path) until the root CA certificate is reached.
• Revocation checking: Each certificate in the certificate chain is verified to ensure that none of the certificates are revoked.
• Network retrieval and caching: Network retrieval is performed by using OCSP. CryptoAPI first checks the local cache for revocation information; if there is no match, a call is made using OCSP to the URL provided in the issued certificate.
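The same phases can be exercised from a client with the .NET X509Chain class, which drives CryptoAPI's chain engine. The following is an added PowerShell example (not from the course): it lists the AIA and CDP locations the discovery phase will use, builds the chain with revocation checking either restricted to the local cache or forced online, and reports whether a failure was an actual revocation or an inability to reach the revocation source. The thumbprint and store path are placeholders.

```powershell
# Added example (not from the course). Thumbprint and store path are placeholders.

# Discovery phase: where will CryptoAPI look? AIA (OCSP and CA certificate URLs)
# and CDP (CRL URLs) are both extensions of the certificate being checked.
function Get-RevocationSources {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {   # AIA, CRL Distribution Points
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Locations = $ext.Format($false) } }
    }
}

# Path validation plus revocation checking. Offline mode answers only from the
# local CRL/OCSP cache, which is what the client consults first; Online mode
# lets CryptoAPI fetch from the URLs above when the cache has no answer.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [switch]$CacheOnly
    )
    $cert  = Get-Item -Path (Join-Path $StorePath $Thumbprint)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check every certificate in the chain except the self-signed root.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.RevocationMode = if ($CacheOnly) {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    } else {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    }
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $ok    = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $unknown = @('RevocationStatusUnknown', 'OfflineRevocation')
    [pscustomobject]@{
        Subject       = $cert.Subject
        ChainBuilt    = $ok
        ChainDepth    = $chain.ChainElements.Count     # leaf up to the root CA
        Issuer        = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Subject } else { $null }
        Revoked       = [bool]($flags | Where-Object { $_ -eq 'Revoked' })
        StatusUnknown = [bool]($flags | Where-Object { $unknown -contains $_.ToString() })
        AllStatus     = ($flags | ForEach-Object { $_.ToString() }) -join ', '
    }
    $chain.Reset()
}

# Usage: answer from the cache first, then force a network retrieval.
$thumb = 'PLACEHOLDER_THUMBPRINT'
Get-Item -Path "Cert:\CurrentUser\My\$thumb" | Get-RevocationSources
Test-CertificateRevocation -Thumbprint $thumb -CacheOnly
Test-CertificateRevocation -Thumbprint $thumb
# certutil's equivalent, which prints each URL it fetched and the answer it got:
# certutil -urlfetch -verify .\exported.cer
```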

Question: In which Windows client operating system did online certificate revocation checking become available?


Reason Codes for Revoking Certificates

Key Points
The following are the reason codes for certificate revocation:

Key compromise: Use this reason code to keep an unauthorized user from accessing a token or disk location for a private key of a certificate. For example, you can use this reason code when a laptop is stolen or a smart card is lost.

CA compromise: Use this reason code to keep an unauthorized user from accessing the token or disk location for the private key of a CA. When you revoke a CA's private key, all certificates that the CA signed by using the private key are revoked.

Affiliation change: Use this reason code when the user resigns from or is terminated by the organization. The reason code is indicated in the distinguished name (DN) attribute of the certificate. You do not have to revoke a certificate when a user changes departments, unless your security policy requires that the departmental CA issue a different certificate.

Superseded: Use this reason code when you issue a replacement certificate to a user. The superseded code must also not include earlier reasons for certificate revocation. For example, you can use this reason code when a smart card fails or when a user forgets the password for a token. In addition, you can use the superseded code when the legal names of users have been modified.

Cessation of operation: Use this reason code when you decommission a CA. You should not revoke a CA's certificate if the CA does not issue new certificates but still publishes CRLs for the currently issued certificates.

Certificate Hold: Use this reason code to temporarily put a certificate on hold. It is considered revoked while it is on hold but can be unrevoked.

Unspecified: Use this reason code to revoke a certificate without providing a reason. However, it is not recommended to use this reason code because it does not provide the reason for certificate revocation.


Question: How can you revoke all of the certificates issued by a CA in a single operation?


What Are CRLs and CDPs?

Key Points
CRLs are lists of certificates that have been revoked. The lists are maintained by CAs as part of the certificate database. CRLs provide clients with one method of checking certificate revocation before accepting a certificate and proceeding with secure communication.

CDPs are used as a reference for clients to locate up-to-date CRLs. CDPs specify a location from which to access the CRLs by using the file system, LDAP, or HTTP (not all of these will be accessible or published, though). Besides the location information, other common configuration options include whether the CA publishes CRLs to a location and whether the CA publishes delta CRLs to a location.

Question: Are CRLs better than online revocation checking?
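To connect the reason codes in the previous topic with what the CA stores and with the CRL it publishes to the CDP, here is an added PowerShell example (not from the course) that wraps certutil on the CA: it revokes by named reason, reverses a Certificate Hold, lists revoked entries with readable reasons, shows the CDP configuration, and publishes and summarizes a CRL. It assumes it runs on the CA with Certificate Manager rights; serial numbers and paths are placeholders, and the CSV column headers and dump patterns it parses are assumptions about certutil's text output.

```powershell
# Added example (not from the course). Run on the CA as a Certificate Manager.
# Serial numbers and paths are placeholders.

# Reason codes as the CA stores them (RFC 5280 CRLReason values); certutil -revoke
# accepts either the number or these names.
$RevocationReasons = @{
    Unspecified          = 0
    KeyCompromise        = 1
    CACompromise         = 2
    AffiliationChanged   = 3
    Superseded           = 4
    CessationOfOperation = 5
    CertificateHold      = 6
}

function Revoke-IssuedCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$SerialNumber,
        [Parameter(Mandatory=$true)]
        [ValidateSet('Unspecified','KeyCompromise','CACompromise','AffiliationChanged',
                     'Superseded','CessationOfOperation','CertificateHold')]
        [string]$Reason
    )
    certutil -revoke $SerialNumber $RevocationReasons[$Reason] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for serial $SerialNumber" }
}

# Certificate Hold is the only reversible reason: 'Unrevoke' takes it off hold.
function Undo-CertificateHold {
    param([Parameter(Mandatory=$true)][string]$SerialNumber)
    certutil -revoke $SerialNumber Unrevoke | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "unrevoke failed for serial $SerialNumber" }
}

# Revoked entries in the CA database (Disposition 21 = revoked). The trailing csv
# keyword makes certutil emit comma-separated rows; the header names are assumed.
function Get-RevokedCertificates {
    $names = @{}
    foreach ($k in $RevocationReasons.Keys) { $names[$RevocationReasons[$k]] = $k }
    certutil -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber,RevokedReason,RevokedWhen' csv |
        ConvertFrom-Csv | ForEach-Object {
            $code = [int]([regex]::Match($_.'Revocation Reason', '\d+').Value)
            [pscustomobject]@{
                RequestID    = $_.'Request ID'
                SerialNumber = $_.'Serial Number'
                Reason       = $names[$code]
                RevokedWhen  = $_.'Revocation Date'
            }
        }
}

# CDP configuration: each entry is "<flags>:<location>". Flag bits used here:
# 1 = publish CRLs to this location, 2 = include in the CDP extension of issued
# certificates, 64 = publish delta CRLs to this location.
function Get-CdpConfiguration { certutil -getreg CA\CRLPublicationURLs }

# Publish a base (or delta) CRL now rather than waiting for the scheduled
# interval, then read the validity window and entry count back from the file.
function Publish-Crl {
    param([switch]$Delta)
    if ($Delta) { certutil -crl delta } else { certutil -crl }
    if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }
}
function Get-CrlSummary {
    param([Parameter(Mandatory=$true)][string]$CrlPath)
    $text = (certutil -dump $CrlPath) -join "`n"
    [pscustomobject]@{
        ThisUpdate = [regex]::Match($text, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
        NextUpdate = [regex]::Match($text, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        Entries    = [regex]::Matches($text, 'Serial Number:').Count
    }
}

# Usage (placeholders): hold a certificate while a lost smart card is investigated,
# then list revoked entries, publish, and inspect what clients will download.
Revoke-IssuedCertificate -SerialNumber '1a2b3c4d00000000abcd' -Reason CertificateHold
Get-RevokedCertificates | Format-Table -AutoSize
Publish-Crl
Get-CrlSummary -CrlPath 'C:\Windows\System32\CertSrv\CertEnroll\Contoso-CA.crl'
Get-CdpConfiguration
```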


What Is an Online Responder?

Key Points

By using OCSP, an Online Responder provides clients an efficient method to determine the revocation status of a certificate. OCSP submits certificate status requests by using HTTP.

Clients access CRLs to determine the revocation status of a certificate. CRLs might be large, and clients might utilize a large amount of time to search through these CRLs. An Online Responder can dynamically search these CRLs for the clients and respond only to the requested certificate. You can use a single Online Responder to determine revocation status information for certificates issued by a single CA or multiple CAs. However, you can use more than one Online Responder to distribute CA revocation information. You can install an Online Responder on any computer that runs Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. An Online Responder and a CA should be installed on different computers. The Online Responder is only supported by Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7.

For scalability and high availability, you can deploy the Online Responder in a load-balanced array using Windows Network Load Balancing (NLB) that processes certificate status requests. You can monitor and manage each member of the array independently. To configure the Online Responder, you must use the Online Responder management console. You must configure the CAs to include the Online Responder's URL in the AIA extension of issued certificates. The OCSP client uses this URL to validate the certificate status. You must also issue the OCSP Response Signing certificate template so that the Online Responder can enroll for that certificate.

Question: If your environment contains a mix of Windows XP and Windows 7, how will clients check certificate revocation?


How Online Responders Work

Key Points
The following steps describe how an Online Responder works:

1. An application validates a certificate containing the OCSP responder's locations.
2. Initially, the client component attempts to locate a cached OCSP response that contains the revocation data in the local memory and disk caches.
3. If the client component does not locate a cached OCSP response, the Online Responder receives a request through HTTP.
4. The Online Responder web proxy component decodes and validates the request.
5. If the request is valid, the required revocation information is searched for in the web proxy cache.
6. If the required information is not in the web proxy cache, the request is sent to the Online Responder.
7. The Online Responder accepts the request and searches a local CRL. If the certificate is not listed in the local CRL, the revocation provider obtains an updated CRL from the revocation configuration locations.
8. The Online Responder is then provided the status.
9. The web proxy sends an encoded response to the client and stores a copy of the response for a limited time.

Differences Between OCSP and CRLs

CRLs

A CRL is a file, created and signed by a CA. A CRL contains the serial numbers of revoked certificates that have been issued by that CA. The CRL also contains the revocation reason for each certificate and the time the certificate was revoked. Potential difficulties with using CRLs include:

• Potentially large file size: This could limit scalability.
• Bandwidth and storage overhead: Could be adversely affected by large file sizes on both the server and the client side.
• CA processing capacity: If the publication frequency is too high, capacity can be negatively impacted.
• Latency: Time lag between when a certificate is revoked and when that information is available.

OCSP

OCSP uses the Hypertext Transfer Protocol (HTTP). OCSP allows a certificate status request to be submitted to an OCSP responder. The responder's response is digitally signed and indicates the certificate status.

The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA. Most OCSP responders get their data from published CRLs, and rely on the publishing frequency of the CA. Some OCSP responders can receive data directly from the CA's certificate status database, and they can provide near real-time status. Potential difficulties with using OCSP include:

• Scalability: Because it is an online process designed to respond to single certificate status requests, it results in more server hits, requiring multiple and possibly geographically dispersed servers to balance the load.
• Response times: The response signing and signature verification processes take time, which can adversely affect the overall response time.
• Additional verification: The integrity of the signed response depends on the integrity of the OCSP responder's signing key; the validity of this key must also be verified after a response is validated by the client.

Question: Where is the first place a client computer looks for certificate revocation information before sending an online request?


Steps to Configure an Online Responder

Key Points
To configure an Online Responder, you need to perform the following steps:

1. Configure the CA to support the Online Responder:
   • Enable the OCSP Response Signing certificate template.
   • Configure autoenrollment.
   • Configure the AIA to support the OCSP extension.
2. Install the Online Responder role service.
3. Create a revocation configuration:
   • Link the CA with the Online Responder.
   • Select a signing certificate.

Question: How can you scale out the Online Responder for higher performance?


Demonstration: How to Configure an Online Responder

Key Points
The following demonstration shows you how to configure a CRL and install and configure the Online Responder. This demonstration contains the following steps:

Demonstration Steps

Configure CRL Publishing and CRL Delta Intervals

1. Ensure that the 6426C-NYC-DC1-B virtual machine is still running and log on to 6426C-NYC-SVR1-B.
2. On the 6426C-NYC-SVR1-B virtual machine, open the Certificate Authority console and then open the Properties of the CA.
3. Examine the default CDP on the Extensions tab.
4. Open the Properties of Revoked Certificates, and configure the CRL publication and delta intervals to 1 month and 5 days respectively.

Install the Online Responder Role

• On the 6426C-NYC-SVR1-B virtual machine, add the Online Responder role service and the required role services.

Configure the CA to Include the Online Responder Location in the Authority Information Access (AIA)

1. On the 6426C-NYC-SVR1-B virtual machine, open the Certificate Authority console and then open the Properties of the CA.
2. Allow key archiving and add the KRA certificate that was just issued to the Key Recovery Agents list.
3. Add the Online Responder location to the AIA, and select to include the location in the AIA extension of issued certificates and the OCSP extension.
4. Restart the CA.

Issue the OCSP Response Signing Template

1. On the 6426C-NYC-SVR1-B virtual machine, open the Certificate Authority console and then open the Certificate Templates console.
2. Assign the enrollment permissions for the OCSP Response Signing certificate template.
3. Issue the OCSP Response Signing certificate template from the Certificate Authority console.

Configure the Online Responder

1. On the 6426C-NYC-SVR1-B virtual machine, open the Online Responder Management console.
2. Add a Revocation Configuration, name it Test Online Responder, and select the OCSP Response Signing certificate that was just issued. Keep the other selections at their defaults.
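The CA-side steps in the procedure and the demonstration above have certutil and Server Manager equivalents. The following is an added PowerShell example (not from the course): it rewrites the AIA list with an OCSP entry, makes the OCSP Response Signing template available to issue, restarts the CA, installs the Online Responder role service on the responder host, and checks that a newly issued certificate carries the OCSP URL. The URL, web AIA path, file paths and host are placeholders; the revocation configuration itself is still created in the Online Responder console.

```powershell
# Added example (not from the course). Placeholders: URL, web AIA location, paths.
$OcspUrl     = 'http://ocsp.contoso.com/ocsp'                      # placeholder responder URL
$CaCertFile  = 'http://pki.contoso.com/CertEnroll/%1_%3%4.crt'      # placeholder web AIA location
$LocalAiaDir = '%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'   # the default local entry

# --- On the CA: the AIA list. Each entry is "<flags>:<location>" and certutil
# treats a literal \n as the separator. Flags: 1 = publish the CA certificate here,
# 2 = include in the AIA extension of issued certificates, 32 = include in the
# OCSP extension. setreg replaces the whole list, so every entry is restated.
function Set-AiaWithOcsp {
    $entries = "1:$LocalAiaDir", "2:$CaCertFile", "32:$OcspUrl"
    certutil -setreg CA\CACertPublicationURLs ($entries -join '\n')
    if ($LASTEXITCODE -ne 0) { throw 'setreg CACertPublicationURLs failed' }
}

# --- On the CA: make the OCSP Response Signing template available to issue.
# (Enroll permission for the responder's computer account is set on the
# template itself, as in the demonstration.)
function Enable-OcspSigningTemplate {
    certutil -setcatemplates +OCSPResponseSigning
    if ($LASTEXITCODE -ne 0) { throw 'could not add the OCSPResponseSigning template' }
}

# The CA reads the AIA list and template list at service start.
function Restart-Ca { Restart-Service -Name CertSvc }

# --- On the responder host (Windows Server 2008 R2): install the role service.
function Install-OnlineResponder {
    Import-Module ServerManager
    Add-WindowsFeature -Name ADCS-Online-Cert   # pulls in the IIS features it needs
}

# --- Anywhere: does an issued certificate carry the OCSP location in its AIA?
function Test-AiaContainsOcsp {
    param([Parameter(Mandatory=$true)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return $false }
    return ($aia.Format($true) -match [regex]::Escape($OcspUrl))
}

# Usage on the CA, then on the responder, then verify a freshly issued certificate:
Set-AiaWithOcsp; Enable-OcspSigningTemplate; Restart-Ca
certutil -getreg CA\CACertPublicationURLs     # review the list that was just written
# Install-OnlineResponder                      # run this one on the responder host
# Test-AiaContainsOcsp -CertPath 'C:\temp\new-user.cer'
# certutil -urlfetch -verify 'C:\temp\new-user.cer'   # shows the OCSP fetch and its result
```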

Question: Which tool can you use to configure the Online Responder?

Question: Which server operating systems support installation of the Online Responder?

Question: Can you use non-Microsoft CAs with the Online Responder role service?


Lesson 4

Configuring Certificate Recovery

Certificate or key recovery is one of the most important management tasks during the certificate life cycle. A key archival and recovery agent is used for data recovery when you lose your public and private keys. You can also use manual or automatic key archival and key recovery methods to ensure that you can gain access to data in the event that your keys are lost.

Objectives
After completing this lesson, you will be able to:

• Describe the importance of key archival and recovery.
• Describe the methods to manually export certificates and private keys.
• Describe the process to implement key archival.
• Configure key archival.
• Recover a lost key.


Importance of Key Archival and Recovery

Key Points

When your public and private keys are lost, you cannot access any data encrypted by using the certificate's public key, which can include Encrypting File System (EFS) and Secure/Multipurpose Internet Mail Extensions (S/MIME) data. Therefore, the ability to properly archive and recover public and private keys is extremely important in a PKI deployment.

Conditions for Losing Keys

You may lose the key pair due to the following conditions:

• User profile is deleted or corrupted: A CSP encrypts a private key and stores the encrypted private key in the local file system and registry in the user profile folder. Deletion or corruption of the profile results in the loss of the private key material.
• Operating system is reinstalled: When you reinstall the operating system, the previous installation's user profiles are lost, including the private key material.
• Disk is corrupted: If the hard disk becomes corrupted and the user profile is unavailable, the private key material is lost.
• Computer is stolen: If a user's computer is stolen, the user profile with the private key material is unavailable.

Key Archival and Recovery Agents

Key archival and key recovery agents (KRAs) are used for data recovery. CA administrators can recover private keys only if those keys have been archived. KRAs can retrieve the original certificate, private key, and public key used to encrypt the data from the CA database. When you enable key archival in a version 2 certificate template, the CA encrypts and stores the private key in its database. When the CA has stored the subject's private key in the CA database, you can use key recovery to recover a corrupted or lost key.


During the key recovery process, the certificate manager retrieves the encrypted file that contains the certificate and private key from the CA database. Then, a KRA decrypts the private key from the encrypted file and returns the certificate and private key to the user.

Security for Key Archival

When you have configured a CA to issue a KRA certificate, any user with Read and Enroll permission on the KRA certificate template can enroll and become a KRA. By default, Domain Administrators and Enterprise Administrators have this permission. You must ensure the following:

• Only trusted users are allowed to enroll for this certificate.
• The KRA's recovery key is stored in a secure manner.
• The server where the keys are archived is secure.

Data Recovery versus Key Recovery

Data recovery is the process in which a user who loses access to his encryption key can provide his encrypted data to a designated administrator known as a Data Recovery Agent (DRA). The DRA can then either decrypt that data and return it to the user or re-encrypt it for use with a new private key. The DRA works as a shadow to the user's encryption process: everything that the user encrypts with his key is also encrypted with a copy of the DRA key. Thus, when the user's key is lost, the DRA can step in, get the ciphertext data, apply the DRA key to it for decryption (or re-encryption), and then return the data to the user. The DRA approach works well, but can be difficult to manage if the user has encrypted large amounts of data or does not have local IT staff to act as DRAs.

Key recovery requires that the CA make a copy of the user's encryption key during the key creation process and securely store that copy in the CA's database. Then, when a user loses access to encrypted files, the CA administrator simply accesses this database and retrieves the user's key. At that point, the user immediately has access to his data without needing a DRA to recover it for him.

Note: There may be privacy, political, legal, compliance, or non-repudiation concerns whenever someone other than the subject has access to the private key. This needs to be taken into consideration.

Question: Are there any downsides to key archival?


Methods to Export Certificates and Private Keys

Key Points

Manual key archival is one of the methods used for data recovery. It is supported in AD CS as a separate operation from enrollment, while still offering centralized key archival. The procedure to export private keys manually from a Windows client is useful so that the private keys can be manually archived on the CA. This is especially useful for users who have enrolled by using third-party CAs that do not support key archival. You can export keys and certificates by one of these methods:

• Public-Key Cryptography Standards (PKCS) #12 (.pfx file), by exporting from the Certificates MMC snap-in on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, or Windows Server 2008.
• PKCS #12 (.pfx file), by exporting from Microsoft Office Outlook 2003, Microsoft Office Outlook 2007, or Microsoft Office Outlook 2010.
• Certutil.exe. The command syntax to export by using Certutil is:

  certutil.exe [-p <Password>] -exportPFX <CertificateId> <OutputFileName>

The CertificateId can be the certificate's ID number, which can be retrieved from the Certificates MMC.

Question: Besides key archival, name a benefit derived from exporting certificates with private keys.


Configuring Automatic Key Archival

Key Points
The following paragraphs describe the steps in the automatic key archival process.

Configure certificate templates: Install the CA and upgrade certificate templates to Windows Server 2008 or Windows Server 2003. Only Enterprise Administrators or Domain Administrators can request a KRA certificate, because by default they are the groups configured with the Enroll permission on the template.

Configure certificate managers: If a Certificate Manager is defined, the CA enforces that role. The Certificate Manager holds a private key for valid KRA certificates. It is a best practice to separate these two roles. By default, the CA Administrator is a Certificate Manager for all users, unless another is explicitly defined. A CA Officer is defined as a Certificate Manager who has the security permission to issue and manage certificates. The security permissions are configured on a CA by using the Security tab of the CA Properties dialog box in the Certification Authority MMC snap-in. A KRA is not necessarily a CA Officer or a Certificate Manager; these may be segmented as separate roles. A KRA is a person who holds a private key for a valid KRA certificate.

Enabling a KRA: The following steps show how to enable a KRA:

1. Log on as Administrator of the server, or as CA Administrator if role separation is enabled.
2. On the Administrative Tools menu, click Certification Authority, and then select the CA.
3. Right-click the CA name, click Properties, click the Recovery Agents tab, and then click Archive the key to enable key archival.
4. By default, the CA uses one KRA. However, you must first select the KRA certificate for the CA to begin archival by clicking Add.
5. The system finds valid KRA certificates and displays the available KRA certificates. These are generally published to Active Directory by an Enterprise CA during enrollment. KRA certificates are stored under the KRA container in the Public Key Services branch of the configuration partition in Active Directory. Because a CA can issue multiple KRA certificates, each KRA certificate is added to the multivalued user attribute of the CA object.
6. Select one certificate, and then click OK. Ensure that you have selected the intended certificate.
7. After you have added one or more KRA certificates, click OK. KRA certificates are only processed at service start.

Configure user templates: Use the following steps to configure user templates.

1. In the Certificate Templates MMC, right-click the key archival template, and then select Properties.
2. On the Request Handling tab, select the Archive subject's encryption private key check box to always enforce key archival for the CA. On Windows Server 2008 CAs, select the Use advanced symmetric algorithm to send the key to the CA option.

Question: By default, which groups can enroll for a KRA certificate?


Demonstration: How to Configure Key Archival

Key Points
The following demonstration shows you how to configure key archival.

Demonstration Steps

Remove the Requirement for CA Manager Approval and Configure Enrollment Settings for the Key Recovery Agent (KRA) Certificate Template

1. Ensure that the 6426C-NYC-DC1-B virtual machine is still running and log on to 6426C-NYC-SVR1-B.
2. On the 6426C-NYC-SVR1-B virtual machine, open the Certificate Authority console and then open the Certificate Templates console.
3. Modify the Issuance Requirements on the Key Recovery Agent certificate template and verify the enrollment permissions.

Configure the CA to Issue KRA Certificates

• On the 6426C-NYC-SVR1-B virtual machine, issue the Key Recovery Agent certificate template from the Certificate Authority console.

Acquire the KRA Certificate

1. On the 6426C-NYC-SVR1-B virtual machine, open the MMC, and add the Certificates snap-in for the current user.
2. Request the KRA certificate under Certificates in the Personal container and enroll the KRA certificate.

Configure the CA to Allow Key Recovery

1. On the 6426C-NYC-SVR1-B virtual machine, open the Certificate Authority console and then open the Properties of the CA.
2. Allow key archiving and add the KRA certificate that was just issued to the Key Recovery Agents list.
3. Restart the CA.

Configure a Custom Template for Key Archival

1. On the 6426C-NYC-SVR1-B virtual machine, open the Certificate Authority console and then open the Certificate Templates console.
2. Duplicate the User certificate template, select Windows Server 2008 Enterprise, and call it Archive User.
3. Configure the Archive User certificate template to archive the subject's encryption private key.
4. Issue the Archive User certificate template.

Question: What would you have to change to allow somebody who is not a member of Domain Administrators or Enterprise Administrators to request a KRA certificate?

Question: What is a consideration when issuing a KRA certificate?


Recovering a Lost Key

Key Points
The process to recover a lost key is detailed in the following steps:

1. The private key is lost or corrupted: A key can be lost when a client computer's hard drive fails or when a computer is compromised during a security incident.
2. The Certificate Manager finds the serial number of the certificate: You require two pieces of information to perform key recovery. First, the Certificate Manager or the CA Administrator locates the correct certificate entry in the CA database. Then, the Certificate Manager or the CA Administrator obtains the serial number of the correct certificate entry and the KRA certificate required for key recovery.
3. The Certificate Manager extracts the PKCS #7 from the CA: This is the first half of the key recovery step. A Certificate Manager or a CA Administrator retrieves the correct BLOB from the CA database. The certificate and the encrypted private key to be recovered are present in the PKCS #7 BLOB. The private key is encrypted with the public key of one or more KRAs.
4. The Certificate Manager transfers the PKCS #7 to the KRA: Because the KRA performs the second half of the recovery step, the PKCS #7 must be sent to the KRA.
5. The KRA recovers the private key: This is the second half of the key recovery step. The holder of one of the KRA private keys decrypts the private key to be recovered. In addition, the holder generates a password-protected .pfx file that contains the certificate and private key.
6. The user imports the private key: The password-protected .pfx file is delivered to the end user. The user imports the .pfx file into the local user certificate store. Alternatively, the KRA or an administrator can perform this part of the procedure for the user.
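The key archival configuration from the earlier topic and the six-step recovery above both map onto certutil. The following is an added PowerShell example (not from the course): it first audits which templates require key archival and whether the CA has KRA certificates loaded, then performs the two halves of the recovery (the Certificate Manager's getkey, the KRA's recoverkey) and the final import. It assumes it runs on the CA with the ActiveDirectory module available; the UPN, file paths and PFX password are placeholders.

```powershell
# Added example (not from the course). Run on the CA; the UPN, paths and the PFX
# password are placeholders (pass the real password in securely).

# --- Audit: which templates archive the subject's private key? On the template
# object, msPKI-Private-Key-Flag bit 0x1 is CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL.
function Get-KeyArchivalTemplates {
    Import-Module ActiveDirectory
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties displayName, 'msPKI-Private-Key-Flag' |
        Where-Object { ($_.'msPKI-Private-Key-Flag' -band 0x1) -ne 0 } |
        Select-Object Name, displayName
}

# --- Audit: can this CA archive at all? It needs KRA certificates loaded (they are
# read only at service start) and a non-zero KRA count.
function Get-KraStatus {
    certutil -cainfo kracount        # KRA certificates configured on the CA
    certutil -cainfo kraused         # how many KRAs each archived key is encrypted to
    certutil -getreg CA\KRACertCount
}

# --- Recovery, first half (Certificate Manager): pull the PKCS #7 BLOB holding
# the certificate and the KRA-encrypted private key out of the CA database.
# The search token may be the serial number, the certificate hash or the UPN.
function Export-ArchivedKeyBlob {
    param(
        [Parameter(Mandatory=$true)][string]$SearchToken,
        [Parameter(Mandatory=$true)][string]$BlobPath
    )
    certutil -getkey $SearchToken $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for $SearchToken" }
}

# --- Recovery, second half (KRA): decrypt with the KRA's private key and write a
# password-protected PFX. Only a holder of a matching KRA private key succeeds.
function Restore-ArchivedKey {
    param(
        [Parameter(Mandatory=$true)][string]$BlobPath,
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    certutil -p $PfxPassword -recoverkey $BlobPath $PfxPath
    if ($LASTEXITCODE -ne 0) { throw 'certutil -recoverkey failed' }
}

# --- Final step (the user, or an administrator on the user's behalf): import the
# PFX into the current user's Personal store.
function Import-RecoveredKey {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    certutil -user -p $PfxPassword -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw 'certutil -importpfx failed' }
}

# Usage (placeholders)
Get-KeyArchivalTemplates | Format-Table -AutoSize
Get-KraStatus
Export-ArchivedKeyBlob -SearchToken 'alice@contoso.com' -BlobPath 'C:\recovery\alice.blob'
Restore-ArchivedKey -BlobPath 'C:\recovery\alice.blob' -PfxPath 'C:\recovery\alice.pfx' -PfxPassword 'PLACEHOLDER'
Import-RecoveredKey -PfxPath 'C:\recovery\alice.pfx' -PfxPassword 'PLACEHOLDER'
```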

Question: What are the key recovery options if a PKI environment does not have automated key archiving?


Lab: Deploying Certificates and Managing Enrollment

Objectives
After completing the lab, you will be able to:

• Configure certificate templates.
• Deploy and enroll certificates.
• Manage certificate revocation.
• Configure key recovery.

Scenario

Now that you have deployed an AD CS infrastructure, your IT Director wants to extend the functionality of the environment by providing a mechanism for users to automatically utilize the certificates. You have decided to implement certificate templates and make use of the automatic enrollment mechanisms provided by AD CS. You must install and configure Windows Server 2008 R2 computers to support certificate services in the organization. To do so, you must perform the following activities:

• Configure certificate templates.
• Configure autoenrollment features in Group Policy for Certificate Services.
• Configure certificate revocation and the Online Responder functionality of Certificate Services.
• Implement custom certificate templates and a key archival and key recovery solution.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

• Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
• Start the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.


Exercise 1: Configuring Certificate Templates


During this exercise, you configure AD CS certificate templates. The main tasks for this exercise are as follows:
1. Duplicate, install, and manually enroll a certificate.
2. Configure the template to be issued by the CA.
3. Verify the certificate is updated.
4. Create, duplicate, and supersede the Local User template by using a new template that includes smart card logon.
5. Configure the new template to be issued by the CA.
6. Verify the certificate is updated.

Task 1: Duplicate, install, and manually enroll a certificate


1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then select Certification Authority.
2. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
3. In the Details pane, duplicate the User certificate template, specifying Windows Server 2008 Enterprise.
4. In the Template display name box, type Local User.
5. On the Subject Name tab, clear the Include email name in subject name and the Email name check boxes.
6. For Authenticated Users, select Allow for the Enroll check box.
7. Close the Certificate Templates console.

Task 2: Configure the template to be issued by the CA


1. In the Certification Authority console, define a new Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Local User template, and then click OK.
3. Close the Certification Authority console.

Task 3: Verify that the certificate is updated


1. Create a Certificates MMC console for the current user account.
2. Request a new certificate by using the Certificate Enrollment Wizard.
3. On the Request Certificates page, select the Local User check box. Click Enroll, and then click Finish.
4. Refresh the console, and view the Local User certificate in the personal store.

Task 4: Create, duplicate, and supersede the Local User template by using a new template that includes smart card logon

1. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
2. Duplicate the User certificate template as a version 3 template.
3. Name the new template Contoso Smart Card User.
4. On the Subject Name tab, clear the Include email name in subject name and the Email name check boxes.
5. On the Extensions tab, edit Application Policies to include smart card logon.
6. On the Superseded Templates tab, add the Local User template.
7. On the Security tab, ensure that Authenticated Users has Read, Enroll, and Autoenroll permissions.

Task 5: Configure the new template to be issued by the CA


1. In the Certification Authority console, issue the Contoso Smart Card User certificate template.
2. Close all windows and log off from the 6426C-NYC-SVR1-B virtual machine.

Results: After this exercise, you have duplicated, installed, and manually enrolled a certificate, configured the certificate to be issued by the CA, verified that the certificate was updated, created and duplicated the template with a superseded template, and configured the CA to issue the superseded template.


Exercise 2: Configuring Autoenrollment


During this exercise, you configure autoenrollment. The main tasks for this exercise are as follows:
1. Configure a certificate template for autoenrollment.
2. Configure Group Policy for autoenrollment.
3. Verify autoenrollment functionality on a domain-joined computer.

Task 1: Configure the Contoso Smart Card User certificate template for autoenrollment

1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then select Certification Authority.
2. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
3. Configure the Contoso Smart Card User certificate template to be published in Active Directory.

Task 2: Configure the Default Domain Policy for autoenrollment


1. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and then select Group Policy Management.
2. In the Group Policy Management console, expand the forest and domain in the left pane until you see Group Policy Objects. Right-click Default Domain Policy and choose Edit.
3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies.
4. Enable autoenrollment in the Certificate Services Client - Auto-Enrollment policy setting.
5. Enable autoenrollment in the Certificate Services Client - Enrollment Policy setting.

Task 3: Validate autoenrollment functionality from 6426C-NYC-SVR1-B


1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. Expand the Certificates - Current User node and then click Personal. Verify that you received the Contoso Smart Card User certificate in the right pane.

Results: After this exercise, you have configured the default domain policy for autoenrollment, configured a certificate template for autoenrollment, and verified autoenrollment functionality.
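The following PowerShell script is an added example and is not part of the course or its labs. It performs the command-line equivalent of Exercise 1 (publishing a template on the CA and enrolling for it manually) and of the verification in Exercise 2 (triggering autoenrollment and confirming which template each certificate in the Personal store was issued from). It assumes the lab's names: the CA ContosoCA on NYC-SVR1 and the templates Local User (template object name assumed to be LocalUser) and Contoso Smart Card User. The certutil and certreq options used exist on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not from the course: publish a template, enroll, pulse autoenrollment,
# and verify the Personal store by template. The names below are lab assumptions.
$CaConfig       = 'NYC-SVR1\ContosoCA'          # CA host\CA name from the lab
$ManualTemplate = 'LocalUser'                   # template object name; display name "Local User"
$Expected       = @('Local User', 'Contoso Smart Card User')

# v1 templates carry their name in "Certificate Template Name" (1.3.6.1.4.1.311.20.2);
# v2/v3 templates carry an OID in "Certificate Template Information" (1.3.6.1.4.1.311.21.7).
function Get-IssuedTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.20.2' { return $ext.Format($false).Trim() }
            '1.3.6.1.4.1.311.21.7' {
                # Format() decodes the extension to "Template=<name>(<oid>), Major Version Number=..."
                # The name resolves only when the template OID is known to this machine;
                # otherwise the raw OID is returned, so callers accept either form.
                $text = $ext.Format($false)
                if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
                return $text
            }
        }
    }
    return $null
}

# Step 1 (on the CA, elevated): make the duplicated template available for issuance.
# Equivalent to "Certificate Template to Issue" in the Certification Authority console.
certutil -config $CaConfig -SetCATemplates "+$ManualTemplate"

# Step 2 (user context): manual enrollment, as in the Certificate Enrollment Wizard.
certreq -enroll -user $ManualTemplate

# Step 3 (user context): run the autoenrollment client now instead of waiting for the
# next Group Policy refresh. The Auto-Enrollment policy setting must already be enabled.
certutil -pulse

# Step 4: verify. Names are compared with spaces removed because a template's display
# name ("Local User") and its object name ("LocalUser") differ.
$wanted = $Expected | ForEach-Object { $_ -replace ' ', '' }
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $name = Get-IssuedTemplateName $_
    New-Object PSObject -Property @{
        Subject  = $_.Subject
        Serial   = $_.SerialNumber
        Template = $name
        Expires  = $_.NotAfter
        Expected = ($name -ne $null) -and ($wanted -contains ($name -replace ' ', ''))
    }
} | Format-Table Subject, Template, Serial, Expires, Expected -AutoSize
```

Run the CA-side step as a CA Administrator on NYC-SVR1 and the remaining steps in the enrolling user's session; the final table shows Expected = True for every certificate that came from one of the two lab templates, which is the same check the lab performs by hand in the Certificates console.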


Exercise 3: Managing Certificate Revocation


During this exercise, you configure AD CS certificate revocation. The main tasks for this exercise are as follows:
1. Examine the default CRL distribution points (CDPs) and configure the CRL publication interval.
2. Install the Online Responder component on a Web server.
3. Configure the CA to include the Online Responder location in the authority information access (AIA).
4. Issue the OCSP Response Signing template.
5. Configure the Online Responder.
6. Revoke a certificate.
7. Publish the CRL.
8. Ensure that the CRL is downloaded onto the client computer.

Task 1: Examine the default CRL distribution points (CDPs) and configure the CRL publication interval
1. On 6426C-NYC-SVR1-B, in the Certification Authority console, open the ContosoCA Properties dialog box.
2. On the Extensions tab, examine the CDPs, and then close the ContosoCA Properties dialog box.
3. Open the Revoked Certificates folder properties dialog box.
4. Set the CRL Publication interval to 1 Month.
5. Set the Publish Delta CRLs interval to 3 Days.

Task 2: Install the Online Responder component on a Web server


On 6426C-NYC-SVR1-B, use Server Manager to install the AD CS Online Responder role service.

Task 3: Configure CA to include the Online Responder location in the Authority Information Access (AIA)
1. On 6426C-NYC-SVR1-B, in the Certification Authority console, open the ContosoCA Properties dialog box.
2. On the Extensions tab, add http://NYC-SVR1/ocsp as an AIA location. Also select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.

Task 4: Issue the OCSP Response Signing template


1. On 6426C-NYC-SVR1-B, use the Certificate Templates console to set the permissions on the OCSP Response Signing template so that you allow Enroll permission for Authenticated Users.
2. Use the Certification Authority console to issue the template.

Task 5: Configure the Online Responder


1. On 6426C-NYC-SVR1-B, launch the Online Responder Management console.
2. Right-click Revocation Configuration, and then click Add Revocation Configuration.
3. Use the wizard to create a new revocation configuration named ContosoCA Online Responder.
4. Browse to and select the ContosoCA certificate.
5. After you run the wizard, the revocation configuration status is set to Working.
6. Close the Online Responder console.

Task 6: Revoke a certificate


1. On 6426C-NYC-SVR1-B, open the Certification Authority console, and then click Issued Certificates.
2. Locate and revoke the Contoso Smart Card User certificate issued in the last exercise. Select Change of Affiliation as the reason.
3. Click the Revoked Certificates folder, and then ensure that the revoked certificate is visible.

Task 7: Publish the CRL


1. On 6426C-NYC-SVR1-B, right-click the Revoked Certificates folder.
2. Point to All Tasks, and then click Publish.
3. Publish a new CRL.

Task 8: Ensure that the CRL is downloaded onto the client computer
1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. Under the Certificates - Current User node, expand the Intermediate Certification Authorities node, and then click Certificate Revocation List. Notice the CRL from ContosoCA.
3. Open the Properties dialog box for one of the ContosoCA lists, and then click the Revocation List tab. Notice that the certificate that was previously revoked is listed.

Results: After this exercise, you have installed and configured the Online Responder, revoked a certificate, published the CRL, and validated that the CRL was downloaded onto a computer.
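The following PowerShell script is an added example, not part of the course, showing the command-line and registry equivalents of Tasks 1, 3, 6 and 7 of this exercise, plus a client-side check that replaces the manual inspection in Task 8 with an actual chain build that performs online revocation checking. It assumes the lab's CA ContosoCA on NYC-SVR1 and the Online Responder URL http://NYC-SVR1/ocsp; the AIA flag value 32 for the OCSP URL and the certutil revocation reason codes are those used by Windows Server 2008 R2. The Online Responder's revocation configuration (Task 5) remains a console task and is not scripted here.

```powershell
# Added example, not from the course: configure CRL publication, add the OCSP URL to the
# AIA extension, revoke a certificate, republish the CRL, and check status from a client.
# Assumptions: CA "ContosoCA" on NYC-SVR1, Online Responder at http://NYC-SVR1/ocsp.
$CaName   = 'ContosoCA'
$CaConfig = "NYC-SVR1\$CaName"
$OcspUrl  = 'http://NYC-SVR1/ocsp'

# Task 1: CRL publication interval (1 month base CRL, 3-day delta CRL), the same values
# the lab sets on the Revoked Certificates folder. They live in the CA's registry hive.
certutil -config $CaConfig -setreg CA\CRLPeriodUnits 1
certutil -config $CaConfig -setreg CA\CRLPeriod 'Months'
certutil -config $CaConfig -setreg CA\CRLDeltaPeriodUnits 3
certutil -config $CaConfig -setreg CA\CRLDeltaPeriod 'Days'

# Task 3: AIA locations are a multi-string of "<flags>:<url>" entries. Flag 32 marks an
# entry as the OCSP URL ("Include in the online certificate status protocol (OCSP)
# extension"); flag 2 is the plain AIA (CA certificate) URL. Append rather than overwrite
# so the existing file and LDAP publication entries survive.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$aia = [string[]](Get-ItemProperty -Path $regPath -Name CACertPublicationURLs).CACertPublicationURLs
if ($aia -notcontains "32:$OcspUrl") {
    Set-ItemProperty -Path $regPath -Name CACertPublicationURLs -Type MultiString `
                     -Value ($aia + "32:$OcspUrl")
}
Restart-Service certsvc   # registry changes take effect when the CA service restarts

# Tasks 6 and 7: revoke by serial number and publish a new base CRL.
# Reason codes: 0 Unspecified, 1 Key Compromise, 2 CA Compromise, 3 Affiliation Changed,
# 4 Superseded, 5 Cessation of Operation, 6 Certificate Hold.
function Revoke-IssuedCertificate {
    param([string]$SerialNumber, [int]$Reason = 3)
    certutil -config $CaConfig -revoke $SerialNumber $Reason
    certutil -config $CaConfig -CRL
}

# Task 8, from a client: build the chain with online revocation checking. CryptoAPI tries
# the OCSP URL from the certificate's AIA extension first and falls back to the CDP CRLs.
function Test-CertificateRevocation {
    param([string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid   = $chain.Build($cert)
    $revoked = [bool]($chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked })
    New-Object PSObject -Property @{
        Serial  = $cert.SerialNumber
        Valid   = $valid
        Revoked = $revoked
        Status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# A client caches CRLs and OCSP responses until their next-update time. Clear the cache
# before re-testing a certificate revoked moments ago, or the earlier "good" answer is reused.
certutil -urlcache '*' delete

# Usage (serial number and exported .cer of the certificate revoked in Task 6):
# Revoke-IssuedCertificate -SerialNumber '<serial of the Contoso Smart Card User certificate>'
# Test-CertificateRevocation -CerPath C:\Users\Administrator\revoked.cer
```

The chain test reports Revoked = True only after the new CRL (or the Online Responder, once it has picked up the new CRL) is reachable from the client; the cache clearing line is what most often separates "the CRL shows the certificate" from "the client still accepts it".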


Exercise 4: Configuring Key Recovery


During this exercise, you manage key archival and recovery. The main tasks for this exercise are as follows:
1. Remove the requirement for CA Manager approval and verify who can enroll the KRA certificate.
2. Configure the ContosoCA to issue KRA certificates.
3. Acquire the KRA certificate.
4. Configure the CA to allow key recovery.
5. Configure a custom template for key archival.
6. Add a user to the Server Operators group.
7. Verify key archival functionality.

Task 1: Remove the requirement for CA Manager approval and verify who can enroll the Key Recovery Agent (KRA) certificate
1. On the 6426C-NYC-SVR1-B virtual machine, in the Certification Authority console, right-click the Certificates Templates folder, and then click Manage.
2. In the Certificates Templates console, open the Key Recovery Agent certificate properties dialog box.
3. On the Issuance Requirements tab, clear the CA certificate manager approval check box.
4. On the Security tab, notice that only the Domain Administrator and Enterprise Administrator groups have the Enroll permission.

Task 2: Configure the ContosoCA to issue KRA certificates


1. On 6426C-NYC-SVR1-B, right-click the Certificates Templates folder.
2. Issue the Key Recovery Agent template.

Task 3: Acquire the KRA certificate


1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. In the left pane, expand Personal and then right-click Certificates. Expand All Tasks and then click Request New Certificate to launch the Certificate Enrollment Wizard to request a new certificate and enroll the KRA certificate.
3. Refresh the console window, and view the KRA in the personal store.

Task 4: Configure the CA to allow key recovery


1. On 6426C-NYC-SVR1-B, in the Certification Authority console window, open the ContosoCA properties dialog box.
2. On the Recovery Agents tab, click Archive the key, and then add the certificate using the Key Recovery Agent Selection dialog box.

Task 5: Configure a custom template for key archival


1. On 6426C-NYC-SVR1-B, open the Certificates Templates console.
2. Duplicate the User template for Windows Server 2008 Enterprise, and name it Archive User.
3. On the Request Handling tab, set the option for the Archive subject's encryption private key. By using the archive key option, the KRA can obtain the private key from the certificate store.
4. Add the Archive User template as a new certificate template to issue.
5. Log off from the 6426C-NYC-SVR1-B virtual machine.

Task 6: Add a user to the Server Operators group


1. On 6426C-NYC-DC1-B, open the Active Directory Users and Computers console.
2. From the Executives OU, add the user Tony Wang to the Server Operators group.
3. Open the Tony Wang Properties dialog box and configure the email address as tony@Contoso.com.
4. Log off from the 6426C-NYC-DC1-B virtual machine.

Task 7: Verify key archival functionality


1. Log on to the 6426C-NYC-SVR1-B virtual machine as CONTOSO\Tony and use Pa$$w0rd as the password.
2. Create a Certificates MMC console for the user account.
3. Request and enroll a new certificate based on the Archive User template.
4. From the personal store, locate the Archive User certificate.
5. Open the properties of the certificate and write down the certificate serial number. You will use this for recovery of the private key.
6. Log off the 6426C-NYC-SVR1-B virtual machine and then log back on as CONTOSO\Administrator. Use Pa$$w0rd as the password.
7. On the 6426C-NYC-SVR1-B virtual machine, at the command prompt, type certutil -getkey serial number outputblob.

Note: Replace serial number with the serial number that you wrote down earlier.

8. To convert the outputblob file into an importable .pfx file, on the 6426C-NYC-SVR1-B virtual machine, at the command prompt, type certutil -recoverkey outputblob tony.pfx.
9. Verify the creation of the recovered key in the C:\Users\Administrator directory.

Results: After this exercise, you have configured a KRA, configured the CA to allow for key recovery, configured a key archival template, and verified key archival functionality.
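The following PowerShell script is an added example, not part of the course. It scripts the key recovery procedure described earlier in this lesson and performed by hand in Task 7, keeping the two halves of the recovery in separate functions so that the Certificate Manager's extraction of the PKCS #7 BLOB and the KRA's decryption of it can be run by different people. It assumes the lab's CA ContosoCA on NYC-SVR1, the outputblob and tony.pfx file names from the lab, and a serial number supplied by the caller; certutil -getkey, -recoverkey and -importpfx are the Windows Server 2008 R2 options.

```powershell
# Added example, not from the course: the two-role key recovery from Exercise 4 Task 7,
# with the Certificate Manager and KRA halves kept apart. Lab assumptions below.
$CaConfig = 'NYC-SVR1\ContosoCA'

# Role 1: Certificate Manager. Looks the request up in the CA database and extracts the
# PKCS #7 BLOB that holds the certificate plus the private key encrypted to the KRA(s).
# Needs the "Issue and Manage Certificates" permission on the CA, not a KRA private key.
function Export-ArchivedKeyBlob {
    param([string]$SerialNumber, [string]$BlobPath)
    # Confirm the serial exists and show which template and requester it belongs to.
    certutil -config $CaConfig -view -restrict "SerialNumber=$SerialNumber" `
        -out 'RequestID,RequesterName,SerialNumber,CertificateTemplate'
    certutil -config $CaConfig -getkey $SerialNumber $BlobPath
    if (-not (Test-Path $BlobPath)) { throw "No archived key found for serial $SerialNumber" }
    Get-Item $BlobPath
}

# Role 2: Key Recovery Agent. Must run where the KRA certificate's private key lives and
# produces a password-protected .pfx. certutil accepts the password only on the command
# line, so it is prompted for here rather than written into the script.
function Recover-ArchivedKey {
    param([string]$BlobPath, [string]$PfxPath)
    $secure = Read-Host 'PFX password for the recovered key' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    certutil -p $plain -recoverkey $BlobPath $PfxPath
    if (-not (Test-Path $PfxPath)) { throw "certutil -recoverkey did not produce $PfxPath" }
    # Verify the .pfx actually carries a private key before handing it to the user.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $plain)
    if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key" }
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Serial        = $cert.SerialNumber
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Role 3: the user (or an administrator on the user's behalf) imports the .pfx into the
# current user's Personal store. Equivalent to the Certificate Import Wizard.
function Import-RecoveredKey {
    param([string]$PfxPath, [string]$Password)
    certutil -user -p $Password -importpfx $PfxPath
}

# Usage with the lab's file names (serial number from step 5 of Task 7):
# Export-ArchivedKeyBlob -SerialNumber '<serial number>' -BlobPath C:\Users\Administrator\outputblob
# Recover-ArchivedKey   -BlobPath C:\Users\Administrator\outputblob -PfxPath C:\Users\Administrator\tony.pfx
# Import-RecoveredKey   -PfxPath C:\Users\Administrator\tony.pfx -Password '<the PFX password>'
```

In the lab both halves run as CONTOSO\Administrator, who is both the CA administrator and the KRA; in a production deployment the first function belongs to the Certificate Manager role and the second to the KRA certificate holder, which is what makes the archived keys unusable by either role alone.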


Module Review and Takeaways

Review Questions
1. List the requirements to use autoenrollment for certificates.
2. What is the DACL in a certificate template used for?
3. What are some of the advantages of using a version 3 certificate template?
4. What would you use manual certificate enrollment for?
5. What are the steps to configure an Online Responder?
6. What three methods can be used to export a certificate?

Real-world Issues and Scenarios


The following real-world scenarios are based on information from this module.

1. The Security team has mandated that automatic key archival is against company policy. You just finished setting up a Web server. What should you do to ensure that you can recover the certificate in case of a system failure?

2. You are deploying a new Web server farm that includes 10 Web servers. The servers will host a single website that is accessed by using SSL. You want to minimize the number of certificates that you utilize but must ensure that all of the Web servers are configured to use SSL. How should you proceed?

3. You need to allow users from Group1 to enroll for a Basic EFS certificate with the ability to export the private key. However, you also need to allow users from Group2 to enroll for a Basic EFS certificate without the ability to export the private key. How could you accomplish this?


Module 4
Deploying and Configuring Active Directory Lightweight Directory Services
Contents:
Lesson 1: Overview of Active Directory Lightweight Directory Services 4-3
Lesson 2: Deploying and Configuring Active Directory Lightweight Directory Services 4-8
Lesson 3: Configuring AD LDS Instances and Partitions 4-16
Lesson 4: Configuring Active Directory Lightweight Directory Services Replication 4-24
Lesson 5: Troubleshooting Active Directory Lightweight Directory Services 4-31
Lab: Deploying and Configuring Active Directory Lightweight Directory Services 4-36


Module Overview

The Active Directory Lightweight Directory Services (AD LDS) role was previously known as Active Directory Application Mode (ADAM). AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that supports directory-enabled applications. The main components of AD LDS include databases, instances, schema, and partitions. Configuring multiple instances is beneficial to provide database redundancy and increased availability. You can configure replication to synchronize directory data associated with any AD LDS instance. In addition, you can integrate AD LDS with Active Directory Domain Services (AD DS) to provide access to additional users within your network environment.

Objectives
After completing this module, you will be able to:

Describe Active Directory Lightweight Directory Services.

Deploy and configure Active Directory Lightweight Directory Services.

Configure Active Directory Lightweight Directory Services instances and partitions.

Configure Active Directory Lightweight Directory Services replication.

Resolve common Active Directory Lightweight Directory Services issues.


Lesson 1

Overview of Active Directory Lightweight Directory Services

This lesson introduces Active Directory Lightweight Directory Services (AD LDS), describes how it is used in real-world scenarios, and discusses the key differences between AD LDS and Active Directory Domain Services (AD DS).

Objectives
After completing this lesson, you will be able to:

Describe AD LDS.

Describe AD LDS deployment scenarios.

Describe the difference between AD LDS and AD DS.


What Is AD LDS?

Key Points

AD LDS is a Windows Server 2008 role (or a free download for Windows 7 Professional, Enterprise, or Ultimate) that provides an LDAP directory service which supports directory-enabled applications. AD LDS was previously called Active Directory Application Mode (ADAM).

You can use AD LDS to perform many of the functions that AD DS offers. The advantage of AD LDS is that it does not require the dependencies required by AD DS such as the deployment of domains or domain controllers. When AD LDS and AD DS coexist in the same environment, AD LDS can use AD DS to authenticate Windows-based users. You can deploy AD LDS on any computer running Windows 7, Windows Server 2008, or Windows Server 2008 R2, including a domain controller, because each AD LDS instance runs as a self-contained server service. AD LDS is commonly used as an authentication repository for directory-enabled applications. Instead of storing application information in a database or a flat file, applications can utilize AD LDS for storing application data.

The main difference between AD LDS and AD DS is that AD LDS does not support forests, domains, or Group Policy. In addition, Windows cannot authenticate user accounts stored in AD LDS (for example, for a shared folder). Multiple instances of AD LDS can be run on a single computer, whereas AD DS uses the concept of domain controllers (one domain controller per server). AD LDS is a lightweight directory service implementation offering more flexibility and less overhead than AD DS.

What's New in AD LDS on Windows Server 2008 R2

AD LDS does not change much in Windows Server 2008 R2. However, there are a few enhancements that Windows Server 2008 R2 offers for AD LDS. These enhancements are the same as the enhancements made to AD DS in Windows Server 2008 R2:

Active Directory Recycle Bin: This feature, made available by a schema update, offers administrators the ability to recover accidentally deleted items.


Active Directory Web Services (AD WS): This feature, also available for the AD DS role, offers a web service interface that connects to AD LDS instances. This feature is automatically installed and available upon installing the AD LDS role.

Active Directory Module for Windows PowerShell: This new feature provides a command line interface for administrators to use while performing administrative tasks or to automate routine tasks.

Question: How is AD LDS a lighter implementation than AD DS?


AD LDS Deployment Scenarios

Key Points
There are several common AD LDS usage scenarios, as outlined by the following deployment scenarios and benefits:

Enterprise directory store: All directory-enabled enterprise applications can use AD LDS as their directory store. AD LDS can store directory data that pertains to the application in a local directory service.

Extranet authentication store: AD LDS can provide an extranet authentication store. For example, a web portal application that manages extranet access to corporate applications can use identities that are external to the corporate AD DS.

Consolidating identity systems: You can use AD LDS to store a unified view of all known identity information. This information can be about enterprise users, applications, and network resources.

Development environment for AD DS and AD LDS: You can use AD LDS as a prototype or pilot environment to test the schema compatibility of applications.

Configuration store for distributed applications: AD LDS allows developers to bundle AD LDS with the application, providing immediate connectivity to a directory service upon installation. In a distributed scenario, the different application instances can replicate with each other to maintain a consistent data store.

Migrating legacy directory-enabled applications: AD LDS can provide support for the legacy applications that use X.500-style naming. Combined with an identity management product such as Forefront Identity Manager (FIM) 2010, AD LDS allows organizations to migrate the X.500 applications to AD DS.

Question: How is AD LDS an option in the perimeter network?


Discussion: AD LDS or AD DS?

Key Points
Consider the following scenarios and decide whether to use AD LDS or AD DS:

A development team is creating a phonebook application that allows employees to find other employees by using a website. The site includes employee contact information and group membership information. Should the development team use AD LDS or AD DS?

A development team is creating an ordering application for your company's partners. The partners connect to the application, log on, and then place orders. Should the development team use AD LDS or AD DS?

The IT team is deploying Exchange Server 2010. Part of the deployment includes an Edge Transport server in the perimeter network. Should the development team use AD LDS or AD DS?

A company with AD DS is splitting into two separate companies. The first company continues to maintain AD DS. The second company is building their IT infrastructure from the ground up. They require the ability to manage client computers by enforcing policies and they plan to implement AD CS for smart card logon. Should the development team use AD LDS or AD DS?


Lesson 2

Deploying and Configuring Active Directory Lightweight Directory Services

This lesson introduces deployment and configuration concepts for AD LDS while presenting more details about the AD LDS components and how they interoperate to provide a flexible and lightweight directory service.

Objectives
After completing this lesson, you will be able to:

Describe the components of AD LDS.

Install the AD LDS server role.

Describe the purpose of the AD LDS Schema.

Describe how clients connect to AD LDS instances.

Describe AD LDS Service Principal Names.

Describe AD LDS Service Publication.


AD LDS Components

Key Points

AD LDS provides a hierarchical directory store by using the Extensible Storage Engine (ESE) for storing files. AD DS uses the same ESE file storage technology. AD LDS components are defined as follows.

Database: A database file and its associated transaction logs function as AD LDS data stores.

Instance: An AD LDS instance is a single deployment of the AD LDS service. Multiple instances of AD LDS can run on a single computer.

Schema: A schema directory partition stores the unique configuration schema of each AD LDS configuration set.

Partitions: An AD LDS directory store is composed of three partitions: the configuration partition, the schema partition, and the application partition. The configuration partition and the schema partition are almost identical to their AD DS counterparts, whereas the application partition is similar to the application directory partition in AD DS.

AD LDS supports LDAP connections, secure LDAP (LDAPS) connections (now deprecated), and Transport Layer Security (TLS, which replaces the functionality of LDAPS for AD LDS). By default, LDAP connections use Transmission Control Protocol (TCP) port 389. LDAPS (LDAP over SSL) connections use TCP port 636 by default. TLS connections also use TCP port 636 by default.

Question: What are some other products that rely on the ESE storage technology?


Demonstration: How to Install the AD LDS Server Role

Key Points
The following demonstration shows you how to:

Install the AD LDS server role.

Create an AD LDS instance and partition by using the AD LDS Setup Wizard.

Demonstration Steps
Install the AD LDS Server Role
1. Start the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines and log on to 6426C-NYC-DC1-B.
2. On the 6426C-NYC-DC1-B virtual machine, add the Active Directory Lightweight Directory Services role.
3. You can repeat the installation on the 6426C-NYC-SVR1-B virtual machine.

Run the AD LDS Setup Wizard to Configure AD LDS
1. On the 6426C-NYC-DC1-B virtual machine, run the Active Directory Lightweight Directory Services Setup Wizard.
2. Create a new AD LDS instance, name it test1, and set the LDAP port number to 6389 and the SSL port number to 6636.
3. Create a new application partition and name it ou=test1,dc=contoso,dc=local.
4. Assign the Network Service account as the service account and the current user as the AD LDS Administrator.
5. Import the MS-User.LDF file, keep the other selections as default, and complete the AD LDS Setup Wizard.
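The following PowerShell script is an added example, not part of the course. It creates the same instance the demonstration builds with the Setup Wizard, but unattended, using an adaminstall.exe answer file, and then checks that the instance service is running and that the new application partition is listed in the instance's rootDSE. The answer-file keys are those of the AD LDS answer file format; the wizard values (test1, ports 6389 and 6636, ou=test1,dc=contoso,dc=local, Network Service, MS-User.LDF) and the CONTOSO\Administrator account are assumptions taken from the demonstration.

```powershell
# Added example, not from the course: create the demonstration's AD LDS instance
# without the Setup Wizard, using an adaminstall.exe answer file, then check the result.
# Values below are the demonstration's wizard choices, assumed here.
$InstanceName = 'test1'
$AnswerFile   = Join-Path $env:TEMP "adlds-$InstanceName.txt"

@"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=6389
LocalSSLPortToListenOn=6636
NewApplicationPartitionToCreate="ou=$InstanceName,dc=contoso,dc=local"
DataFilesPath=C:\Program Files\Microsoft ADAM\$InstanceName\data
LogFilesPath=C:\Program Files\Microsoft ADAM\$InstanceName\data
ServiceAccount=NT AUTHORITY\NETWORK SERVICE
Administrator=CONTOSO\Administrator
ImportLDIFFiles="MS-User.LDF"
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# adaminstall.exe ships with the AD LDS role (the ADAM name survives from the product's
# previous name). A non-zero exit code means the instance was not created.
& "$env:windir\ADAM\adaminstall.exe" "/answer:$AnswerFile"
if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
# An answer file for a domain service account would carry ServicePassword; never leave it behind.
Remove-Item $AnswerFile

# Each instance runs as its own Windows service named ADAM_<instance name>.
Get-Service "ADAM_$InstanceName"

# Read rootDSE on the instance's LDAP port: the new application partition should appear
# in namingContexts next to the configuration and schema partitions.
$rootDse = [ADSI]"LDAP://localhost:6389/RootDSE"
$rootDse.namingContexts
```

Running this twice with the same instance name fails on the second run because the service and data directory already exist; replicas of an existing configuration set use InstallType=Replica together with the SourceServer and SourceLDAPPort keys instead of NewApplicationPartitionToCreate.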


Question: Can AD LDS be installed on a member server?

Question: Can a single machine hold multiple AD LDS instances?

Question: Is an instance created automatically when the server role is installed?

Question: What may be some of the reasons for implementing AD LDS replication?


AD LDS Schema

Key Points
An AD LDS schema defines every object and attribute in the directory. Before you can create an object of a given type in the directory, that type must be defined in the schema. An AD LDS schema uses object classes and attributes to define the types of data that you create and store in an AD LDS instance.

Each AD LDS configuration set has a unique and independent schema stored in the schema directory partition. By default, the AD LDS schema contains only the classes and attributes needed to start an instance. You can extend a schema such that AD LDS can keep specific data needed to run a particular application. When applications require different schemas, a separate AD LDS instance must be deployed for each application.

AD LDS directories can support applications that depend on schema extensions that are not desirable in the AD DS directory. You need to import only the required schema definition files for each instance. You can also customize the schema modifications for applications that require a custom schema. Similar to AD DS schema, you can extend the AD LDS schema by importing LDAP Data Interchange Format (LDIF) .ldf files into the schema. The Ldifde.exe tool can import .ldf files.

Protecting the AD DS schema is a critical aspect of maintaining an environment. Many applications rely on AD DS while users and computers depend on AD DS for basic functionality. As such, many organizations have implemented a strict review process for all AD DS schema changes. Such a process might include a voting committee. AD LDS offers administrators a quicker, simpler way to deploy schema updates without the level of ramifications normally found in a corporate AD DS environment. Question: What is one of the most common schema extensions for AD LDS?
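The following PowerShell script is an added example, not part of the course. It extends the schema of the test1 instance from the previous topic with a constructed custom attribute written in LDIF, imports it with the same Ldifde.exe command form Microsoft documents for the shipped MS-*.LDF files, and then verifies the result by searching the schema partition. It assumes the instance listens on localhost:6389 and that the current user is an administrator of that instance; the attribute name contoso-AppRole and its OID (a placeholder under the Microsoft-assigned 1.2.840.113556.1.8000.2554 arc) are invented for the example.

```powershell
# Added example, not from the course: extend the schema of the test1 instance with a
# constructed custom attribute, then verify it. Server, attribute name and OID are assumptions.
$Server  = 'localhost:6389'
$LdfPath = Join-Path $env:TEMP 'contoso-app-schema.ldf'

# LDIF for a single-valued Unicode string attribute (attributeSyntax 2.5.5.12, oMSyntax 64).
# "DC=X" is the placeholder that ldifde -c rewrites to the instance's real schema partition DN
# at import time. The final record asks the instance to reload its schema cache immediately.
# The attributeID is a PLACEHOLDER OID; use one from your organization's own arc.
@'
dn: CN=contoso-AppRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.9999.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
lDAPDisplayName: contoso-AppRole
adminDisplayName: contoso-AppRole

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
'@ | Set-Content -Path $LdfPath -Encoding ASCII

# Same switches as the documented import of the shipped .ldf files:
#   -i import, -f file, -s server:port, -k ignore "object already exists" errors,
#   -j log directory, -c <from> <to> replaces the DN placeholder; a '#'-prefixed <to>
#   names a rootDSE attribute whose value is substituted (here schemaNamingContext).
ldifde -i -f $LdfPath -s $Server -k -j $env:TEMP -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
if ($LASTEXITCODE -ne 0) { throw "ldifde failed; see $env:TEMP\ldif.log and ldif.err" }

# Verify by searching the schema partition for the new attribute's lDAPDisplayName.
function Test-SchemaAttribute {
    param([string]$LdapDisplayName)
    $schemaDn = [string]([ADSI]"LDAP://$Server/RootDSE").schemaNamingContext
    $root     = [ADSI]"LDAP://$Server/$schemaDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(lDAPDisplayName=$LdapDisplayName)")
    $searcher.SearchScope = 'OneLevel'
    return ($searcher.FindOne() -ne $null)
}
Test-SchemaAttribute 'contoso-AppRole'
```

Because every configuration set carries its own schema, this change touches only the test1 instance: the AD DS forest schema is untouched, which is the point the topic makes about AD LDS schema updates carrying fewer ramifications than AD DS ones.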


Client Connections to AD LDS

Key Points

Connecting to AD LDS from a client computer requires some initial planning and configuration to ensure ease of use and proper security. Client computers need to know the following parts to establish a connection to AD LDS:

LDAP or LDAP over SSL: Client connections to AD LDS use standard LDAP (insecure) or LDAP over SSL (secure LDAP). While LDAP functionality is available without further configuration, LDAP over SSL requires the use of an SSL certificate. AD CS can provide the certificate and be a trusted root authority for client computers. In most enterprise environments, LDAP over SSL and TLS are the preferred connection choices.

Instance port number: Clients need to know the port number used for the AD LDS instance that they are connecting to. This is especially important if the default ports are not being used or if the AD LDS computer is running multiple instances with multiple ports.

IP address or DNS name of AD LDS server: Connectivity can be established by IP address or name, with name being the preferred choice for ease of management.

Question: Does the client computer also need an SSL certificate to connect to the AD LDS server using LDAP over SSL?
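The following PowerShell script is an added example, not part of the course. It shows the three client connection choices this topic and the AD LDS Components topic describe (plain LDAP, LDAP over SSL on the SSL port, and TLS negotiated on the plain port) against the test1 instance, using the System.DirectoryServices.Protocols classes that ship with the .NET Framework, and reads the instance's rootDSE once bound. It assumes the instance from Lesson 2 on nyc-dc1.contoso.com (ports 6389 and 6636), that the server's certificate chains to a root the client trusts (for example one issued by the lab's ContosoCA), and an AD LDS user CN=AppUser,ou=test1,dc=contoso,dc=local that is invented for the example.

```powershell
# Added example, not from the course: connect to an AD LDS instance over LDAP, LDAP over
# SSL, or LDAP with TLS, bind, and read rootDSE. Host, ports and the AppUser DN are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-AdLds {
    param(
        [string]$Server,
        [int]$Port,
        [ValidateSet('Ldap', 'Ldaps', 'StartTls')][string]$Mode,
        [System.Net.NetworkCredential]$Credential   # $null = bind as the current Windows identity
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    switch ($Mode) {
        'Ldaps'    { $conn.SessionOptions.SecureSocketLayer = $true }            # encrypted from the first byte (SSL port)
        'StartTls' { $conn.SessionOptions.StartTransportLayerSecurity($null) }   # upgrade the plain LDAP port to TLS
    }
    # Server certificate validation stays at the default: the chain must be trusted.
    # No VerifyServerCertificate callback is installed, so an untrusted certificate fails the bind.
    if ($Credential) {
        # A simple bind puts the password on the wire; only allow it on an encrypted channel.
        if ($Mode -eq 'Ldap') { throw 'Refusing a simple bind over an unencrypted LDAP connection' }
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
    } else {
        # Windows account (AD DS or local user): Kerberos/NTLM, no password sent to the server.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    $conn.Bind()
    return $conn
}

function Get-AdLdsRootDse {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base,
        @('namingContexts', 'supportedLDAPVersion'))
    $entry = $Connection.SendRequest($req).Entries[0]
    New-Object PSObject -Property @{
        NamingContexts = $entry.Attributes['namingContexts'].GetValues([string])
        LdapVersions   = $entry.Attributes['supportedLDAPVersion'].GetValues([string])
    }
}

# A Windows user over the plain port: acceptable, because the bind itself is Negotiate.
$c1 = Connect-AdLds -Server 'nyc-dc1.contoso.com' -Port 6389 -Mode Ldap
Get-AdLdsRootDse $c1
$c1.Dispose()

# An AD LDS user (a user object stored inside the instance) needs a simple bind, so it
# must use the SSL port or StartTls; the function refuses the plain-port variant.
$cred = New-Object System.Net.NetworkCredential('CN=AppUser,ou=test1,dc=contoso,dc=local', (Read-Host 'AppUser password'))
$c2 = Connect-AdLds -Server 'nyc-dc1.contoso.com' -Port 6636 -Mode Ldaps -Credential $cred
Get-AdLdsRootDse $c2
$c2.Dispose()
```

The answer to the question above follows from the code: the client needs no certificate of its own, only trust in the root that issued the server's certificate, which is why the topic suggests AD CS as both the issuer of the server certificate and the trusted root on client computers.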


AD LDS Service Principal Names

Key Points

Service Principal Names (SPNs) play a key role in running AD LDS and AD DS in the same environment, allowing replication with Kerberos authentication between AD LDS and AD DS while providing ease of use for end users. AD LDS SPNs are names that allow client computers to identify an available service. An SPN contains information about the service including the service name, service type, instance name, and port number. Each service, such as an AD LDS service, must have its own SPN.

When AD LDS instances run in an AD DS environment, they register their SPNs in Active Directory so they can be used in Kerberos authentication during replication.

The registration of SPNs takes place using the security context of the AD LDS service account. The account must be the Network Service account for the registration to succeed. In a mixed environment with AD DS, the service account can also be a domain service account. In such cases, the domain service account must be a member of the Domain Administrators group to allow the SPN registration to succeed.

In many environments, it is normal for the automatic registration process to fail. When it fails, it creates a batch (.bat) file so that a Domain Administrator can manually run the registration later (allowing the service account not to have to be a member of the Domain Administrators group).

When replicating AD LDS with AD DS, you can force the use of SPNs for replication authentication by modifying the replication security level. To do so, change the security level of the configuration set to 2. Note that if the SPNs are not configured properly, replication may fail.

Question: Does the AD LDS service account need to be a member of the Domain Administration group if you want to use Kerberos authentication during replication between AD LDS and AD DS?


Deploying and Configuring Active Directory Lightweight Directory Services

AD LDS Service Publication

Key Points

Service publication is the act of sending service information about AD LDS to AD DS, which helps client computers locate the AD LDS service. If AD LDS is running on a computer that is joined to an Active Directory domain, it tries to publish information by creating a service connection point (SCP). The AD LDS service account requires Create Child rights on the computer object under which the SCP will be created. By default in such a setup, AD LDS runs under the Network Service account, which has the rights to create the SCP. An SCP contains information about the AD LDS service, broken into two categories:

• Keywords: SCP keywords include the LDAP object identifier, the AD LDS LDAP object identifier, the GUID, the site where the AD LDS instance is running, operations master roles, the distinguished name and GUID of the configuration partition, and the distinguished name and GUID of all application partitions.
• Binding information: Binding information contains the detailed connection information that clients use to connect. It includes the LDAP connection point (ldap://computer:port) and the SSL connection point (ldaps://computer:port).

It is possible to run AD LDS in an AD DS environment without publishing the service information and without SCPs. In such cases, clients use DNS to resolve the host name of the AD LDS computer. The default location for SCPs is under the computer object of the computer that is running AD LDS. The default location can be changed by modifying the SCPPublishingService object.

Question: Which account has the rights to create an SCP object for AD LDS?


Lesson 3

Configuring AD LDS Instances and Partitions

AD LDS provides a flexible directory environment that can be run as a single instance or as multiple instances. The environment can be extended by using authentication, authorization, and access control. AD LDS also provides for multiple application partitions which all share the same schema.

Objectives
After completing this lesson, you will be able to:
• Describe the purpose of an AD LDS instance.
• Modify the AD LDS service account.
• Describe AD LDS authentication and authorization.
• Describe how access control works in AD LDS.
• Configure access control in AD LDS.
• Describe the purpose of an AD LDS application partition.
• Create an AD LDS application partition.


What Is an AD LDS Instance?

Key Points

AD LDS can be segmented to meet business or project requirements. The following points describe how AD LDS is segmented into instances:

• An AD LDS instance is a single running copy of the AD LDS directory service.
• AD LDS instances that hold copies of the same directory partition or partitions form a logical grouping called a configuration set.
• Each AD LDS configuration set has its own independent schema, stored in the schema directory partition. Multiple application partitions can be deployed in a single AD LDS instance if they have compatible schemas.
• Multiple copies of the AD LDS directory service can run concurrently on the same computer, each using a separate directory data store and a unique service name.

Creating multiple instances is preferable to creating multiple application partitions for the following reasons:

• Some applications must maintain separate or incompatible schemas.
• Some applications need specific replication settings.
• The application administrator for one department should not have access to the application data for another department.

Question: If I have three directory-aware applications, each of which requires a unique schema, should I create three application partitions or three AD LDS instances?


Demonstration: Modify the AD LDS Service Account

Key Points

The following demonstration shows you how to modify an AD LDS instance service account. To complete this demonstration, you must have completed Demonstration: How to Install AD LDS Server Role.

Demonstration Steps
Change the AD LDS Service Account to a Domain Account
1. On the 6426C-NYC-DC1-B virtual machine, open the Services console, and stop the AD LDS service.
2. Open the Command Prompt, and run the dsdbutil tool.
3. Run the dsdbutil command line to activate the AD LDS instance and change its service account to a domain account.
4. Start the AD LDS service from the Services console.

Change the AD LDS Service Account Back to Network Service
1. On the 6426C-NYC-DC1-B virtual machine, open the Services console, and stop the AD LDS service.
2. Open the Command Prompt, and run the dsdbutil tool.
3. Run the dsdbutil command line to activate the AD LDS instance and change its service account to the Network Service account.
4. Start the AD LDS service from the Services console.

Question: If you are planning on using an AD DS-based service account for your AD LDS instance, when is the best time to configure AD LDS with the service account?


AD LDS Authentication and Authorization

Key Points

AD LDS works with existing systems such as AD DS to provide a flexible authentication and authorization model, as follows.

AD LDS authenticates and authorizes the identity of users by using users, groups, and security descriptors. The security descriptors are called access control lists (ACLs) and can be placed on directory objects to determine which objects a user has access to. AD LDS supports standard Windows users and AD LDS users, and both can be used at the same time. To use AD LDS users, you must import the user object class definitions available with AD LDS (they can be imported during installation or at any time thereafter).

Security principals are any objects that can be uniquely identified by a security identifier (SID) and assigned permissions to objects in the AD LDS directory. AD LDS security principals are users created in AD LDS; creating them requires that an object class definition be imported or created. Windows security principals that can be used in AD LDS include local Windows user or group accounts (such as accounts created on a member server or standalone server) and AD DS user or group accounts.

Bind redirection provides AD DS users with single sign-on (SSO) access to both AD LDS data and AD DS data. The default setting for binding to AD LDS with bind redirection requires a Secure Sockets Layer (SSL) connection (LDAPS). Redirection can be configured not to require SSL; however, this results in passwords being sent in plain text. Bind redirection uses a proxy object to funnel all simple bind requests.

Access control builds upon authentication by tying security principals to specific resources. Rights are allocated to users or groups. Users attempting to access a resource are securely authenticated against AD LDS and then go through the access control process, which determines whether they have rights and which rights they have, before they can access the resource.

Question: If I want to create users in AD LDS, what must I do first?


How Access Control Works in AD LDS

Key Points
Access control is about controlling who has access to what. Access control in AD LDS restricts users' access to data and is very similar to access control in AD DS. AD LDS provides access control that:

• Authenticates the identity of all users: When a user tries to log on to or access the data in the AD LDS directory, the user must first be authenticated. The user is granted a security token that includes the security identifier (SID) assigned to the user and the SIDs of all AD LDS groups of which the user is a member.
• Uses access control lists (ACLs) to determine whether the user has permission to access specific objects: When the user tries to access an object, the client computer presents the security token created during authentication. If the SIDs in the security token match the permissions assigned in the ACL, the user is granted access to the object.

Question: How is the user authenticated when an AD DS user attempts to access data in the AD LDS directory?

Question: If you need to grant access to AD LDS data to AD LDS users and AD DS users, how would you go about simplifying the process?

Question: Which process comes first, authentication or access control, and why?


Demonstration: How to Configure Access Control in AD LDS

Key Points
The following demonstration shows you how to configure access control in AD LDS. To complete this demonstration, you must have completed Demonstration: How to Install AD LDS Server Role.

Demonstration Steps
Create a User, Create a Group, and Assign the User as a Member of the Group in AD LDS
1. On the 6426C-NYC-DC1-B virtual machine, open the ADSI Edit console.
2. In the ADSI Edit console, connect to the AD LDS instance on the current computer.
3. Create a User object and name it User1.
4. Create a Group object under CN=Roles and name it Group1.
5. Modify the Group1 object's properties and add User1 to its member property.

Grant Permissions by Using Dsacls.exe
1. On the 6426C-NYC-DC1-B virtual machine, open the Command Prompt.
2. Run the dsacls command line to view the permissions assigned to the test1 instance.
3. Run the dsacls command line to assign User1 Generic All permissions on the instance.
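The following PowerShell script is an added example and not part of the course. It dumps the ACL of the partition used in this demonstration and resolves each trustee; the point it illustrates is that AD LDS security principals (AD LDS users and the CN=Roles groups) have SIDs that Windows cannot translate to names, so they must be looked up inside the instance by objectSid. Host, port and partition DN are lab assumptions.

```powershell
# Added example, not from the course: dump the ACL of an AD LDS partition and
# resolve each trustee. Windows cannot translate AD LDS SIDs (AD LDS users and
# the CN=Roles groups) to names, so unresolved SIDs are looked up inside the
# instance by objectSid. Host, port and partition DN are lab assumptions.
param(
    [string]$Server = "NYC-DC1",
    [int]$Port = 6389,
    [string]$PartitionDn = "OU=test1,DC=contoso,DC=local"
)
Add-Type -AssemblyName System.DirectoryServices

$base      = "LDAP://${Server}:${Port}"
$partition = New-Object System.DirectoryServices.DirectoryEntry("$base/$PartitionDn")
$configNc  = ([ADSI]"$base/RootDSE").configurationNamingContext.Value

# LDAP filter for a binary objectSid: every byte is escaped as \xx.
function ConvertTo-SidFilter([System.Security.Principal.SecurityIdentifier]$Sid) {
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return "(objectSid=" + (($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join '') + ")"
}

function Resolve-AdLdsSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Windows and AD DS principals translate through LSA.
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    # AD LDS principals exist only inside the instance: search the application
    # partition first, then the configuration partition (home of the default roles).
    foreach ($dn in @($PartitionDn, $configNc)) {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("$base/$dn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = ConvertTo-SidFilter $Sid
        $null = $searcher.PropertiesToLoad.Add('distinguishedName')
        $hit = $searcher.FindOne()
        if ($hit) { return [string]$hit.Properties['distinguishedname'][0] }
    }
    return $Sid.Value   # unknown: show the raw SID so it is not silently dropped
}

# Ask for SIDs, not NTAccount names; asking for names makes GetAccessRules throw
# on the first AD LDS principal it cannot translate.
$rules = $partition.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
"{0,-6} {1,-55} {2,-30} {3}" -f 'Type', 'Trustee', 'Rights', 'Inherited'
foreach ($rule in $rules) {
    $trustee = Resolve-AdLdsSid ([System.Security.Principal.SecurityIdentifier]$rule.IdentityReference)
    "{0,-6} {1,-55} {2,-30} {3}" -f $rule.AccessControlType, $trustee, $rule.ActiveDirectoryRights, $rule.IsInherited
}
```

Run it before and after step 3 of the dsacls procedure: the new explicit Allow entry should appear with GenericAll rights, resolved to the DN of User1 rather than shown as a bare SID.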

Question: Which security principals are available in AD LDS?

Question: Which tool can be used to customize access control in AD LDS?

Question: What are the default role-based groups in AD LDS?


What Is an AD LDS Partition?

Key Points

AD LDS provides flexible support for directory-enabled enterprise applications, without the restrictions of AD DS. You can create an application partition during the AD LDS server role setup or at any time after completing the setup. Before you can create objects, their object classes must be defined in the schema. The following items are the key aspects of an AD LDS application partition:

• An AD LDS application partition holds the data used by the application.
• The application partition is identified by the fully qualified unique name assigned when the partition is created.
• An AD LDS top-level directory partition supports both DNS-style and X.500-style names, unlike AD DS, which supports only DNS-style (that is, DC=) names for top-level directory partitions.
• An AD LDS instance supports multiple application partitions that share the same schema partition. This means that a schema change made to support one application partition also affects every other application in that instance.

In many cases, you can manage the data in a particular application's directory partition by using the application itself. For example, changes made in the directory-enabled application, such as creating a new user account or modifying the application configuration, are written by the application to its application directory partition. The following is an example of an X.500-style name:

/ou=<your organization name> /ou=<your organizational unit> /cn=recipients /cn=<alias>

Question: What is the single biggest factor in determining whether application partitions are the right choice for your applications?


Demonstration: How to Create an AD LDS Partition

Key Points

There are two ways to create an application partition. One is by using a directory-enabled application (the common case); the other is by creating the partition manually using LDP. The following demonstration shows you how to create an AD LDS application partition using LDP. To complete this demonstration, you must have completed Demonstration: How to Install AD LDS Server Role.

Demonstration Steps
Create an AD LDS Partition by Using LDP.exe
1. On the 6426C-NYC-DC1-B virtual machine, open the LDP application.
2. Connect to the AD LDS instance on the computer and bind as the current user.
3. Create a new application partition and name it cn=test2,dc=contoso,dc=local.
4. Add an attribute of type objectClass with the value container.
5. Add an attribute of type instanceType with the value 5.
6. Run the LDP application.
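The same partition can be created from an LDIF file with ldifde.exe, which is the repeatable form of the LDP steps above. The PowerShell script below is an added example, not part of the course; host, port and partition name follow the demonstration, and the instanceType bit values are from the LDAP/AD schema definition rather than from this page.

```powershell
# Added example, not from the course: create the application partition from the
# LDP demonstration through an LDIF import and confirm the instance now lists it.
# Host, port and partition DN are lab assumptions.
param(
    [string]$Server = "NYC-DC1",
    [int]$Port = 6389,
    [string]$PartitionDn = "CN=test2,DC=contoso,DC=local"
)
$ldif = Join-Path $env:TEMP "new-partition.ldf"

# instanceType 5 = 0x1 (this object is the head of a naming context)
#                + 0x4 (this replica of the naming context is writable).
# Without those two bits the add creates an ordinary container inside an existing
# partition instead of a new partition.
@"
dn: $PartitionDn
changetype: add
objectClass: container
instanceType: 5
"@ | Set-Content -Path $ldif -Encoding ASCII

# -i import, -f file, -s server, -t LDAP port, -k continue past "already exists",
# -j directory that receives ldif.log / ldif.err for troubleshooting.
& ldifde.exe -i -f $ldif -s $Server -t $Port -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# Do not trust the exit code alone: a real partition shows up in RootDSE's
# namingContexts, a misfiled container does not.
$rootDse = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
$ncs = @($rootDse.namingContexts)
if ($ncs -contains $PartitionDn) {
    "Partition $PartitionDn is listed in namingContexts on ${Server}:${Port}."
} else {
    Write-Warning "Partition not listed in namingContexts; check $env:TEMP\ldif.err"
}
```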

Question: Why is using a directory-enabled application the best way to create an application partition?


Lesson 4

Configuring Active Directory Lightweight Directory Services Replication

AD LDS replication provides high availability, load balancing, and data redundancy. It prevents conflicts in replication by using change tracking information. You can use a configuration set to configure all AD LDS instances to replicate one or more application directory partitions. Each configuration set maintains its own replication topology by using topology information stored as site objects and site link objects.

Objectives
After completing this lesson, you will be able to:
• Describe the importance of replication for AD LDS.
• Describe how AD LDS replication works.
• Describe the purpose of a configuration set.
• Configure replication for AD LDS.
• Describe the AD LDS replication topology.


Why Implement AD LDS Replication?

Key Points

You can deploy multiple AD LDS servers and configure replication between instances that run on different servers. For many companies, having another copy of the AD LDS data is a business requirement. AD LDS uses a type of replication known as multimaster replication. By using multimaster replication, you can modify directory data on any AD LDS instance. The importance of AD LDS replication can be summarized as follows:

• High availability: You can use and distribute multiple replicas of an AD LDS instance on multiple servers at the same location. This distribution of AD LDS instances improves the availability of business-critical applications.
• Load balancing: A single server might not be able to handle many requests for an application, so you can create multiple AD LDS replicas stored on multiple servers. You can then configure the application to balance the load between the AD LDS replicas.
• Geographic limitations: You can use AD LDS replication to improve the response of applications that users access from different geographic locations. Users target a local AD LDS replica, which is then replicated to the other locations.

Question: How is the type of replication in AD LDS different than the type in AD DS?


How AD LDS Replication Works

Key Points
AD LDS replication shares some common traits with AD DS replication, but there are a few important concepts to point out:

• Replication and configuration sets: Configuration sets are logical groupings of AD LDS instances that participate in replication of AD LDS data.
• Multimaster replication: If you modify directory data on any of the AD LDS instances, the modifications are replicated to all the instances that contain copies of the same directory partition.
• Pull replication: In pull replication, a destination AD LDS instance requests information from a source AD LDS instance. This is in contrast to push replication (not used in AD LDS), in which a source pushes to a destination without knowing the needs of the destination.
• Preventing replication conflicts: AD LDS prevents replication conflicts by using change tracking information. Replication partners that receive conflicting changes examine the attribute data contained in the changes. Each change to directory data carries a version and a time stamp. AD LDS instances accept only the change marked with the latest version and reject the others. If the versions are identical, AD LDS instances accept the change with the latest time stamp.
• Replication topology: An AD LDS configuration set maintains its own replication topology. You cannot replicate directory partitions between AD LDS instances and AD DS domain controllers.
• Replication security: AD LDS authenticates replication partners before beginning replication. All authentication and replication traffic is encrypted.

Question: How would you explain what multimaster replication is?


What Is a Configuration Set?

Key Points

A configuration set is a group of AD LDS instances that replicate a common schema and configuration partition. You can configure all AD LDS instances in a configuration set to replicate one or more application directory partitions. However, you cannot configure replication between application directory partitions in different configuration sets. Each configuration set maintains its own replication topology. You can include an AD LDS instance in a configuration set only when you install the AD LDS instance. After creating an AD LDS instance, you cannot add the instance to a configuration set. You also cannot remove the AD LDS instance from a configuration set after creating the instance.

Question: If you have application directory partitions in two different configuration sets, can you configure them to replicate?


Demonstration: How to Configure AD LDS Replication

Key Points

Intrasite replication (replication within a site) occurs automatically and does not require any configuration beyond the construction of configuration sets. You may, however, configure its frequency. The following demonstration shows you how to configure AD LDS replication. To perform this demonstration you must have already completed Demonstration: How to Install AD LDS Server Role. In addition, you must have installed AD LDS on 6426C-NYC-SVR1-B.

Demonstration Steps
Create a Replica of an AD LDS Instance
1. Ensure that the 6426C-NYC-DC1-B virtual machine is still running, and log on to 6426C-NYC-SVR1-B.
2. On the 6426C-NYC-SVR1-B virtual machine, run the Active Directory Lightweight Directory Services Setup Wizard.
3. Create a replica of an existing AD LDS instance, name it ContosoAppReplica, and set the LDAP port number to 6389 and the SSL port number to 6636.
4. Copy the OU=test1,dc=contoso,dc=local application directory partition from the NYC-DC1 server on port 6389.
5. Assign the Network Service account as the service account and the current user as the AD LDS administrator.
6. Keep the other selections at their defaults and complete the AD LDS Setup Wizard.

Verify that the AD LDS Replica Was Created Successfully
1. On the 6426C-NYC-SVR1-B virtual machine, open the ADSI Edit console.
2. In the ADSI Edit console, connect to the AD LDS instance on the current computer. A successful connection indicates that 6426C-NYC-SVR1-B has a replica instance.
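A successful ADSI Edit connection only proves the replica exists; it does not prove that changes flow between the two instances. The PowerShell script below is an added example, not part of the course: it writes a time-stamped change on one replica and waits for the other replica to pull it, falling back to repadmin partner status when the change does not arrive. Hosts, ports and partition DN follow this demonstration; the marker object CN=ReplCheck is a constructed test object.

```powershell
# Added example, not from the course: prove that a change written to one AD LDS
# replica is pulled by its partner. Hosts, ports and partition DN follow the
# replication demonstration; CN=ReplCheck is a constructed marker object.
param(
    [string]$Source = "NYC-DC1",
    [string]$Replica = "NYC-SVR1",
    [int]$Port = 6389,
    [string]$PartitionDn = "OU=test1,DC=contoso,DC=local",
    [int]$TimeoutSeconds = 300
)
$marker = "CN=ReplCheck,$PartitionDn"
$stamp  = (Get-Date).ToString("o")   # unique value for this run

# 1. Write on the source. AD LDS is multimaster, so any replica in the
#    configuration set could take the write.
$srcPath = "LDAP://${Source}:${Port}/$marker"
if ([System.DirectoryServices.DirectoryEntry]::Exists($srcPath)) {
    $obj = [ADSI]$srcPath
} else {
    $srcPartition = [ADSI]"LDAP://${Source}:${Port}/$PartitionDn"
    $obj = $srcPartition.Create("container", "CN=ReplCheck")
    $obj.SetInfo()
}
$obj.Put("description", $stamp)
$obj.SetInfo()
"Wrote description=$stamp to $marker on $Source."

# 2. Poll the replica. Intrasite replication is automatic but not instant: the
#    destination requests (pulls) the change on the schedule of the KCC-built
#    connection, so give it time before declaring a failure.
$replPath   = "LDAP://${Replica}:${Port}/$marker"
$deadline   = (Get-Date).AddSeconds($TimeoutSeconds)
$replicated = $false
do {
    if ([System.DirectoryServices.DirectoryEntry]::Exists($replPath)) {
        # A fresh DirectoryEntry each pass avoids the ADSI property cache.
        $seen = ([ADSI]$replPath).description.Value
        if ($seen -eq $stamp) { $replicated = $true; break }
    }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)

if ($replicated) {
    "Change $stamp is present on ${Replica}:${Port}; replication is working."
} else {
    Write-Warning "Change not seen on $Replica after $TimeoutSeconds s. Inbound partner status:"
    # repadmin addresses an AD LDS instance as host:port, like the other tools.
    & repadmin.exe /showrepl "${Replica}:${Port}"
}
```

When the warning path is taken, the repadmin output shows the last successful and last failed inbound attempt per partner, which separates a topology problem (no connection object) from an authentication problem (the SPN and security-level issues covered earlier in this module).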


Question: What tool provides the ability to create an AD LDS replica?

Question: What information is required to create an AD LDS replica?

Question: What type of replication does AD LDS use?


AD LDS Replication Topology

Key Points

AD LDS, like AD DS, uses topology information to build an efficient replication topology for a configuration set. The topology information for AD LDS is stored as site objects and site link objects in the configuration directory partition.

• KCC's role in AD LDS replication: The Knowledge Consistency Checker (KCC), as implemented in AD LDS, is a process that maintains the replication topology in a configuration set. Its role is similar to that of the KCC in AD DS.
• AD Sites and Services: As with managing replication in an AD DS environment, administrators can use AD Sites and Services to manage replication of AD LDS configuration sets.
• ISTG: The Intersite Topology Generator (ISTG) is responsible for building and maintaining the connections between replication partners.
• Scheduling intersite replication: AD LDS replication occurs automatically by default. However, it can be configured to use a replication schedule instead. For example, you can block out congested network times (the start of the work day) or schedule replication only at night.

Question: How is administering AD LDS different than AD DS even though some of the same tools are used?


Lesson 5

Troubleshooting Active Directory Lightweight Directory Services

To troubleshoot IDA solutions, you must be able to identify common AD LDS issues including installation troubles, application connectivity issues, and issues with AD LDS instances.

Objectives
After completing this lesson, you will be able to:
• Describe the common AD LDS issues.
• Investigate and resolve common AD LDS installation issues.
• Investigate and resolve common AD LDS application connection issues.
• Investigate and resolve common AD LDS instance issues.


Common AD LDS Issues

Key Points
The most common AD LDS issues are communication failures, replication failures, and service startup failures. The following list describes the requirements whose neglect leads to these failures:

• Configuration changes to an AD LDS instance must be registered in the internal database of that instance and in the databases of any configured replication partners. If the local instance cannot receive updates from its replication partners, you must replicate changes made to the local instance to its partners. Changes that require the update of replication partners include host name modification and changes to the network communication port and the service account.
• You must specify the correct port numbers to connect to the AD LDS instance.
• To establish SSL connections, you must ensure that certificates are present on the server and that the client computers trust the root CA that issued the certificate.
• AD LDS instance startup failures may be caused by logon failures of the service account, so you must ensure that the credentials are valid and that the service account has the Log on as a service right.

Question: How do you plan for service account password changes for AD LDS?


Troubleshooting AD LDS Installation Issues

Key Points
In some situations, the installation or removal of an AD LDS instance fails to complete successfully.

If an error occurs in the AD LDS Setup Wizard before completion, you should review the error message that describes the cause of the problem.

You will find information that can help you troubleshoot the cause of an AD LDS setup failure in the log files listed in the following table.

Situation                          Location of the Error Message
Setup of AD LDS instance fails     %windir%\Debug\adamsetup.log
Removal of AD LDS fails            %windir%\Debug\adamuninstall.log

After removing AD LDS, you will be prompted to restart the computer.

Question: What value does the adamsetup.log provide if the setup of AD LDS completed successfully?


Troubleshooting AD LDS Application Connection Issues

Key Points
Some common AD LDS application connection issues and troubleshooting tips are shown below.

• A directory-enabled application cannot find the AD LDS instance: Incorrect communication port numbers specified for the AD LDS instance always lead to connectivity problems. You should ensure that the same port is used by all AD LDS instances in the configuration set.
• A user is not able to connect to an AD LDS instance: You need certificates on the server and clients to establish SSL connections. To secure SSL communication, you must ensure that the AD LDS server and all clients import the root CA certificate into the Trusted Root Certification Authorities store. When you install or import a certificate from a trusted CA on the computer that runs AD LDS, store the certificate in the personal store of the AD LDS service. Use Ldp.exe to test connectivity to an AD LDS instance.
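Ldp.exe shows whether a bind succeeds; the PowerShell diagnostic below is an added example, not part of the course, that separates the two connection problems above in one run. It binds over plain LDAP and over LDAPS, and on the SSL path builds the certificate chain against the local Trusted Root store exactly as a client would, so the reported cause is the port, the root trust, an expired certificate, or no certificate being offered at all. Host and ports are lab assumptions.

```powershell
# Added diagnostic, not from the course: bind to an AD LDS instance over plain LDAP
# and over LDAPS and report why the SSL path fails (untrusted root, expired
# certificate, or no server certificate offered). Host and ports are lab assumptions.
param(
    [string]$Server = "NYC-DC1",
    [int]$LdapPort = 6389,
    [int]$SslPort = 6636
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$script:certReport = $null

function Test-AdLdsBind([string]$Target, [bool]$UseSsl) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Target)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) {
        $conn.SessionOptions.SecureSocketLayer = $true
        # Validate like a real client (chain built against the local Trusted Root
        # store) and keep the result so a failed handshake has a visible cause.
        $conn.SessionOptions.VerifyServerCertificate = {
            param($connection, $certificate)
            $cert2   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
            $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $trusted = $chain.Build($cert2)
            $script:certReport = New-Object PSObject -Property @{
                Subject     = $cert2.Subject
                Issuer      = $cert2.Issuer
                NotAfter    = $cert2.NotAfter
                Trusted     = $trusted
                ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            }
            return $trusted
        }
    }
    try {
        $conn.Bind()
        # A successful bind proves port, transport and credentials; RootDSE shows
        # which instance (configuration set) actually answered.
        $attrs = @("configurationNamingContext")
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest("", "(objectClass=*)", "Base", $attrs)
        $cfg = $conn.SendRequest($req).Entries[0].Attributes["configurationNamingContext"][0]
        return "OK   $Target  configuration partition: $cfg"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's wrapper
        $detail = $ex.Message
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            $detail += " (LDAP error $($ex.ErrorCode)) $($ex.ServerErrorMessage)"
        }
        return "FAIL $Target  $detail"
    } finally {
        $conn.Dispose()
    }
}

Test-AdLdsBind "${Server}:${LdapPort}" $false
Test-AdLdsBind "${Server}:${SslPort}" $true
if ($script:certReport) {
    $script:certReport | Format-List Subject, Issuer, NotAfter, Trusted, ChainStatus
} else {
    # The callback never ran: the TLS handshake ended before certificate
    # validation, which usually means no certificate is installed in the
    # AD LDS service's personal store on the server.
    "No server certificate was presented on port $SslPort."
}
```

A plain-LDAP OK with an LDAPS FAIL and Trusted=False points at the client's root store; Trusted=True with a failed bind points at credentials or the port, not at the certificate.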

Question: How can you determine what port number your AD LDS instance is using?


Troubleshooting AD LDS Instance Issues

Key Points
One critical issue that can occur is an AD LDS instance not starting. The following points explain what might cause such an issue:

• The AD LDS service is not running: Check the status of the service and ensure that it is running.
• The AD LDS service will not start due to a logon failure: This is most likely the result of the service account password expiring or being changed. Obtain the correct password, update the service with it, and then start the service.
• The AD LDS service will not start due to another failure: The service account may not have the right to log on as a service. This is most likely to occur after somebody changes the security policy or after a new service account is specified without being granted the right to log on as a service. Grant the account the right to log on as a service and then start the service.


Lab: Deploying and Configuring Active Directory Lightweight Directory Services

Objectives
After completing this lab, you will be able to:
• Configure AD LDS instances and partitions.
• Configure AD LDS replication.
• Identify AD LDS solution tools and troubleshooting steps.

Scenario

Contoso Pharmaceuticals is standardizing all applications used by internal intranet users. Each application will be customizable by users, and the application personalization data must be stored in a centralized directory service. Each application will use a single security profile. The application architecture team has decided that AD LDS meets the requirements outlined and will deploy a test application to ensure that the AD LDS infrastructure can be supported. Your IT Director has asked you to configure an AD LDS environment that can store the application personalization information and that uses multiple instances for disaster recovery and performance. You must perform the following activities to deliver the solution:

• Provide support for the AD LDS user class and related classes.
• Users must be able to connect to the AD LDS instance by using LDAP port 6636 and LDAPS port 6389.
• Configure the AD LDS instance to run by using the NT AUTHORITY\Network Service account, and set up the CONTOSO\Administrator account to administer AD LDS.
• Create a second replica of the ContosoApp1 instance and configure AD LDS replication to avoid a single point of failure.


In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
• Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
• Start the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.


Exercise 1: Configuring AD LDS Instances and Partitions


The main tasks for this exercise are as follows:
1. Installing the AD LDS server role.
2. Configuring AD LDS instances and partitions.

Task 1: Add the AD LDS server role by using Server Manager


1. On the 6426C-NYC-DC1-B virtual machine, in the Server Manager console, click the Roles node.
2. Add the Active Directory Lightweight Directory Services role. If prompted to add required role services, click Add Required Role Services.
3. Repeat steps 1 and 2 to install AD LDS on the 6426C-NYC-SVR1-B virtual machine.

Task 2: Create an AD LDS instance known as ContosoApp1 by using AD LDS Setup Wizard
1. From the Start menu on 6426C-NYC-DC1-B, point to Administrative Tools and then run the AD LDS Setup Wizard.
2. Click Next and then create a unique instance named ContosoApp1.
3. Specify the LDAP port number as 6389 and the SSL port number as 6636.
4. Create an Application Directory Partition named OU=App1,dc=CONTOSO,dc=local. Accept the defaults, but select MS-User.LDF in the wizard to finish the install.

Results: After this exercise, you have added the AD LDS server role to two virtual machines and created an AD LDS instance on one of the virtual machines.


Exercise 2: Configuring AD LDS Replication


The main tasks for this exercise are as follows:
1. Configuring two AD LDS servers to replicate with one another.
2. Verifying AD LDS replication.

Task 1: Create a replica of ContosoApp1 by using the AD LDS Wizard


1. On the 6426C-NYC-SVR1-B virtual machine, point to Administrative Tools and then run the AD LDS Setup Wizard.
2. Choose to create A replica of an existing instance and name it ContosoApp1.
3. Specify the LDAP port number as 6389 and the SSL port number as 6636.
4. On the Joining a Configuration Set page, in the Server box, type NYC-DC1, and then in the LDAP port box, type 6389.
5. Ensure that the Currently logged on user check box is selected.
6. In the Copying Application Directory Partitions window, select OU=App1,dc=CONTOSO,dc=local.
7. Accept all the defaults to finish the wizard.

Task 2: Connect to the application partition and verify initial replication by using ADSI Edit
1. On the 6426C-NYC-SVR1-B virtual machine, launch ADSI Edit.
2. Connect to an instance and name it ContosoApplication.
3. Under Connection Point, type OU=App1,dc=CONTOSO,dc=local.
4. Under Computer, type NYC-SVR1:6389.
5. In the console tree, click ContosoApplication [NYC-SVR1:6389], and then expand ContosoApplication [NYC-SVR1:6389] and OU=App1,dc=CONTOSO,dc=local.
6. Verify that the local replica exists by opening the instance.

Results: After this exercise, you have added AD LDS to a virtual machine, configured it as a replica, and validated the replication.


Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps


Scenario

Now that AD LDS is installed and replicating, your team has asked you to document the AD LDS solution tools and the AD LDS troubleshooting steps used to solve common AD LDS issues. You plan to base your tools around a recent AD LDS issue that the company experienced: users experienced issues connecting to the AD LDS instance. The problem occurred after a network upgrade project was implemented.

The main tasks for this exercise are as follows:
1. Identify solution tools to troubleshoot the recent AD LDS issue.
2. Identify AD LDS troubleshooting steps for the recent AD LDS issue.

Task 1: Create a list of AD LDS troubleshooting tools

Question: Identify several tools that can be used to troubleshoot the recent AD LDS issue based on the scenario.

Task 2: Create a list of AD LDS troubleshooting steps

Question: Based on the scenario, and using the built-in tools available, describe the troubleshooting steps to be performed to identify the cause of the issue.

Results: After this exercise, you have identified the AD LDS solution tools and troubleshooting steps needed to troubleshoot a recently reported AD LDS issue.
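The scenario above (clients failing to reach the instance after a network change) lends itself to a scripted first pass that exercises the same checks the built-in tools give you one at a time: name resolution, service state, port reachability, an LDAP bind, and the instance's event log. The following PowerShell is an added example, not part of the course lab; it assumes the lab values (instance ContosoApp1 on NYC-DC1, LDAP port 6389, SSL port 6636) and is meant to be run from an affected client.

```powershell
# Added example, not part of the course lab: a first-pass triage for "users cannot
# connect to the AD LDS instance" after a network change. Uses the lab values
# (instance ContosoApp1 on NYC-DC1, LDAP 6389, SSL 6636); run it from an affected client.
$Server   = "NYC-DC1"
$Instance = "ContosoApp1"
$Ports    = @{ "LDAP" = 6389; "SSL" = 6636 }

# 1. Name resolution (what nslookup would show): a network upgrade often changes
#    addresses, subnets or which DNS servers a client uses
try {
    $ips = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.IPAddressToString }
    "DNS      : $Server resolves to $($ips -join ', ')"
} catch {
    "DNS      : cannot resolve $Server ($($_.Exception.Message))"
}

# 2. Is the instance service running? AD LDS registers each instance as ADAM_<name>
$svc = Get-Service -ComputerName $Server -Name "ADAM_$Instance" -ErrorAction SilentlyContinue
if ($svc) { "Service  : ADAM_$Instance is $($svc.Status)" }
else      { "Service  : ADAM_$Instance not found or server not reachable" }

# 3. TCP reachability of both ports (what portqry or telnet would show): separates
#    a firewall or routing problem from a directory problem. TcpClient is used
#    because Windows Server 2008 has no Test-NetConnection.
foreach ($name in "LDAP", "SSL") {
    $port = $Ports[$name]
    $tcp  = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($Server, $port); "Port $port ($name): open" }
    catch   { "Port $port ($name): blocked or not listening" }
    finally { $tcp.Close() }
}

# 4. LDAP bind to RootDSE: proves the directory answers, not just that the port is open
try {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:$($Ports.LDAP)/RootDSE")
    "LDAP     : bind OK, instance reports host name $($rootDse.dnsHostName)"
} catch {
    "LDAP     : bind failed ($($_.Exception.Message))"
}

# 5. What the instance itself logged (Event Viewer): AD LDS writes to the 'ADAM (<name>)' log
Get-EventLog -ComputerName $Server -LogName "ADAM ($Instance)" -EntryType "Error", "Warning" -Newest 10 |
    Select-Object TimeGenerated, EventID, Source, Message |
    Format-Table -AutoSize -Wrap
```

Read the output top down: a DNS or port failure points at the network change itself, while a successful port check with a failed bind or errors in the instance log points at the instance (dsdbutil and ldp.exe are the next tools to reach for).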


Module Review and Takeaways

Review Questions
1. How can you configure intersite replication for AD LDS?
2. What are your options for high availability for AD LDS?
3. If you want to run multiple instances of AD LDS on a single server, what networking pieces are needed?

Real-world Issues and Scenarios


1. Fabrikam has a development team working at two locations. The development team is working on the same directory-aware application. Currently, AD LDS is deployed at one location. Due to bandwidth constraints, the development team at the other location has reported poor performance when working with the application. What can you do to improve the performance?

2. The IT team at Contoso deployed AD LDS for their development team. To keep things simpler at that time, the team deployed AD LDS on an existing domain controller. The development team has asked for administrative access to perform tasks such as installing SSL certificates, stopping and starting services, and managing the AD LDS database. How should you proceed?

3. Tailspin Toys has two teams working on independent instances of AD LDS. One team is in France and the other team is in Germany. For redundancy purposes, each instance of AD LDS in Germany replicates with an instance of AD LDS in France. Additionally, each AD LDS instance in France replicates with an instance in Germany. The network team has asked you if there is a way to reduce bandwidth during regular business hours. What options do you have for reducing bandwidth consumption during regular business hours?


Tools
Tool: Adamsync.exe
Use for: Replicating between AD LDS and AD DS
Where to find it: Available on the AD LDS server after importing the user class.

Tool: Dsdbutil.exe
Use for: Changing the AD LDS service account, viewing instance information, snapshots
Where to find it: %systemroot%\system32

Tool: Ldifde.exe
Use for: Importing data into AD LDS, updating the schema
Where to find it: %systemroot%\system32


Module 5
Deploying and Configuring Active Directory Federation Services
Contents:
Lesson 1: Overview of Active Directory Federation Services 2.0  5-3
Lesson 2: Deploying Active Directory Federation Services  5-11
Lesson 3: Configuring Active Directory Federation Services Partner Organizations and Claims  5-19
Lesson 4: Troubleshooting Active Directory Federation Services  5-27
Lab: Deploying and Configuring Active Directory Federation Services  5-35


Module Overview

Configuring Active Directory Federation Services (AD FS) is one of the key aspects of configuring Identity and Access (IDA) solutions with Windows Server 2008 Active Directory.

To configure AD FS, you need to be familiar with the concept of AD FS and its various deployment scenarios. In addition, you should know how to deploy AD FS in your organization and implement AD FS claims.

Objectives
After completing this module, you will be able to:
Describe Active Directory Federation Services.
Deploy Active Directory Federation Services.
Configure Active Directory Federation Services partner organizations and claims.
Resolve common Active Directory Federation Services issues.


Lesson 1

Overview of Active Directory Federation Services 2.0

AD FS 2.0 is made up of several identity federation components that enable businesses to establish trusts and share resources across pre-defined boundaries. Understanding AD FS 2.0 components and how they interact plays a direct role in a successful deployment.

Objectives
After completing this lesson, you will be able to:
Describe identity federation.
Describe AD FS 2.0.
Describe AD FS 2.0 components.
Describe AD FS 2.0 deployment scenarios.
Describe AD FS 2.0 designs.


What Is Identity Federation?

Key Points
Identity federation is a process that enables the distribution of identification, authentication, and authorization across organizational and platform boundaries. You can implement identity federation between two organizations that have a relationship of trust between them. As a part of the trust, the organizations define which resources can be accessed and the method to access the resources.

You can use AD FS 2.0 to implement identity federation on Windows Server 2008 or Windows Server 2008 R2. AD FS 2.0 is an identity solution that provides streamlined browser-based access to one or more applications or services. This is possible even when the user accounts and applications are located across a variety of networks or organizations. AD FS 2.0 relies on port 80 and port 443 for communication from the internet, and this is considered a key advantage over a traditional Active Directory Domain Services (AD DS) trust. An AD DS trust relies on a large number of open ports, including RPC, Kerberos, and LDAP/LDAPS.

Question: What is the difference between AD FS 2.0 and the AD FS server role that comes with Windows Server 2008 and Windows Server 2008 R2?


What Is AD FS 2.0?

Key Points

Active Directory Federation Services 2.0 (AD FS 2.0) is a technology that simplifies access to resources through the use of a claims-based model. AD FS 2.0's predecessor, AD FS 1.1, is a server role in Windows Server 2008 and Windows Server 2008 R2. The original release of AD FS was called AD FS 1.0. Hereafter, versions of AD FS prior to version 2.0 are referred to as AD FS 1.x. AD FS 2.0 offers the following capabilities:

Enterprise claims provider for claims-based applications: An AD FS server can be configured as a claims provider and issue claims about authenticated users. This allows an organization to provide its users with access to claims-aware applications in another organization by using single sign-on (SSO).

Federation Service for identity federation across domains: This service offers federated web SSO across domains, which is discussed in more detail in later topics. This enhances security and reduces overhead for IT administrators.

The benefits of deploying AD FS 2.0 include:

Secures collaboration across different domains and organizations: With federation, collaborating with partner organizations is more secure and simpler for users.

Reduces the need for duplicate accounts and other credential management overhead: Reducing the number of user accounts that users have to remember can increase efficiency and increase collaboration between organizations. Single sign-on reduces the number of user accounts, even though it does not always reduce them to a single account.

Provides for identity delegation: AD FS 2.0 supports identity delegation which allows IT administrators to specify certain accounts (called delegates) to impersonate users. This functionality can be used in a common multi-tiered web environment where a database back end services some of the requests from the web environment.


Enables step-up authentication: Step-up authentication is a strategy implemented by many websites to increase the strength of authentication as users attempt to access higher value content. An example of step-up authentication is a website that requests a user name and password to gain access to the main areas of the website but requests a certificate or a smart card when high value content is requested.

Question: What are examples of step-up authentication used outside of IT?


AD FS 2.0 Components

Key Points

AD FS 2.0 is a collection of many services, servers, and roles. To understand AD FS 2.0, it is important to be familiar with how these components work together to provide a complete end-to-end identity federation solution, as shown in the following table:

Component: Federation Server
What does it do? The federation server issues, manages, and validates requests involving identity claims (such as a user's name). All implementations of AD FS 2.0 require at least one Federation Service to be installed.

Component: Federation Server Proxy
What does it do? This component is usually deployed in a perimeter network. This deployment helps protect a federation server at the account partner level or at the resource partner level, or both. You can implement a proxy of the federation server to avoid direct exposure of the federation servers to the internet.

Component: Claims
What does it do? A claim is a statement that is made by one object about another object, such as a user. The claim could be about the user's name, job title, or any other factor that might be used in an authentication scenario.

Component: Claim Rules
What does it do? Claim rules determine how claims are processed by using business logic. The rules are usually processed in real time as claims are made.

Component: Attribute Store
What does it do? An attribute store is used by AD FS 2.0 to look up claim values. AD DS is a common attribute store and is available by default if AD FS 2.0 is installed on a domain-joined server.

Component: Claims Providers
What does it do? The claims provider authenticates users and sends them through the authorization process with a relying party. Claims providers are the objects which issue claims about other objects.

Component: Relying Parties
What does it do? The relying party is a web service that consumes claims from the claims provider. The relying party server must have the Windows Identity Foundation (WIF) installed or utilize the AD FS 1.0 claims-aware agent. The relying party is dependent on the veracity of the claim issued by the claims provider.


(continued)

Component: Certificates
What does it do? AD FS 2.0 uses digital certificates when communicating over SSL or as part of the token issuing process, the token receiving process, and the metadata publishing process.

Component: Endpoints
What does it do? Endpoints are mechanisms which enable access to the AD FS 2.0 technologies, including token issuance and metadata publishing. AD FS 2.0 comes with built-in endpoints that are each responsible for a specific functionality. The six built-in endpoints are: WS-Trust 1.3, WS-Trust 2005, WS-Federation Passive / SAML Web SSO, Federation Metadata, SAML Artifact, and WS-Trust WSDL.

Component: Relying Party Trust
What does it do? The AD FS configuration data that is used to provide claims about a user or client to a relying party. It consists of various identifiers such as names, groups and various rules.

Component: Claims Provider Trust
What does it do? Configuration data that defines the rules under which a client may request claims from a claims provider and subsequently submit them to a relying party. It consists of various identifiers such as names, groups and various rules.

Component: Federation Metadata
What does it do? The format for configuration information to be exchanged between a claims provider and a relying party to allow successful configuration of claims provider trusts and relying party trusts. The format is defined in SAML 2.0.

Component: Information Cards
What does it do? Information cards are digital representations of a person's digital identity. They are sometimes used in authentication scenarios or in place of a user name and password.

Question: Your company wants to securely collaborate with a partner company. Both companies use AD FS 2.0 internally. Which AD FS 2.0 component will protect your company's internal AD FS 2.0 components?

Question: Which Windows tool allows you to manage your information cards?

Question: If you federate with a partner company and both of you have AD FS 2.0 and AD DS, what will serve as the attribute store when your users access the partner company's resources?


AD FS 2.0 Deployment Goals

Key Points
There are a few common deployment scenarios that AD FS 2.0 supports, as outlined in the following points:

Providing Users Access to Your Claims-Aware Applications and Services: Today, users routinely have multiple sets of credentials to access all of the resources available to them. This deployment scenario, utilizing AD FS 2.0, shows one way to reduce the number of credentials that users have to maintain. Instead of deploying a custom application and issuing another set of credentials to the users, developers can build applications as claims-aware applications, utilize AD FS 2.0, and allow the users to access the application by using their AD DS credentials.

Provide Users Access to the Applications and Services of Other Organizations: Imagine a scenario where your company partners with another company for collaboration. Before identity federation, each company would create a user account for each employee of the other company. Those accounts had to be maintained (account lockout, password resets, name changes, new employees). In this scenario, using AD FS 2.0, a federation between the two companies allows your company's users to access the applications and services of a partner company by using their existing credentials. In this scenario, a federation trust is in place with the account provider being your organization and the resource provider being the partner (other) organization.

Provide Users in Another Organization Access to Your Claims-Aware Applications and Services: This scenario is similar to the previous one, except that the resources are in your company's network while the accounts are in a partner company's network. By utilizing AD FS 2.0, you minimize the administrative overhead of giving the partner company access to resources in your network. In this scenario, a federation trust is in place with the account provider being the partner (other) organization and the resource provider being your organization.

Question: You want to provide users from a partner organization access to your claims-aware application but you also want to control the user accounts. How do you maintain separation between your corporate user accounts and the partner user accounts?


Mapping Your Deployment Goals to an AD FS 2.0 Design

Key Points

The success of an AD FS 2.0 design depends on the correct identification of the deployment goals. Once you determine the goals related to the deployment, you can map them to a specific AD FS 2.0 design. There are three primary AD FS 2.0 designs. Deployment can be mapped to the following options:

Web or Internal SSO: With this option, a single organization deploys one or more web applications or services that the users can access within the organization. With the help of AD FS 2.0, users can access these applications by using their existing AD DS credentials.

Federated Web SSO: With this option, two organizations, or two security realms in a single organization, provide access to applications or services across organizational boundaries. A federation trust will exist between the resource provider and the account provider.

Federation with Cloud-based services: With this option, multiple online services, such as Microsoft Business Productivity Online Suite, development platforms and many others, can be accessed with an SSO solution while the service itself is managed and maintained by the service provider. Cloud-based services are becoming more and more prevalent, and there are numerous cloud-based offerings around infrastructure, software and platforms. Whether businesses provision a service themselves or utilize one of the cloud-based offerings can have a huge impact on a business and its customers. Utilizing AD FS 2.0 streamlines the process.

Note that AD FS 2.0 no longer supports the Federated web SSO with forest trust design that was supported in AD FS 1.x.

You can also create a hybrid or custom AD FS 2.0 design to meet special requirements. You can use any combination of the AD FS 2.0 deployment goals to create these designs.

Question: What is the difference between web SSO and Federated web SSO?


Lesson 2

Deploying Active Directory Federation Services

Deploying AD FS 2.0 has changed from previous versions, which were available as a Windows Server 2008 and Windows Server 2008 R2 role service. AD FS 2.0 is a freely available download from the Microsoft Download Center. Specific prerequisites must be met before installing AD FS 2.0, and it is important to have a good understanding of the federation server and proxy server components, as well as the interoperability with AD FS 1.x.

Objectives
After completing this lesson, you will be able to:
Describe the AD FS 2.0 prerequisites.
Describe federation servers.
Install AD FS 2.0.
Describe federation server proxies.
Describe interoperability with AD FS 1.x.


AD FS 2.0 Prerequisites

Key Points

Prerequisites exist to outline minimum hardware and software requirements. This lesson focuses on a few of the most critical pieces of the AD FS 2.0 prerequisites, as shown below:

Network connectivity: TCP/IP connectivity must exist between:
    The client computer
    A domain controller
    Federation Service server
    Federation Service Proxy server (when applicable)
    AD FS 2.0 Web Agent

AD DS: AD DS is a critical piece of AD FS 2.0. Domain controllers should be running Windows Server 2003 SP1 as a minimum. While AD FS 2.0 can be installed on a domain controller, it is not recommended due to security implications.

DNS: Name resolution allows clients to find federation servers. When a federation service proxy server is in the perimeter network, internet-based DNS is used by client computers to find the federation server (or proxy).

Certificates: Certificates are used to secure communications between most of the identity federation computers, including the federation servers, federation server proxies, claims-aware applications, and web clients.

Question: You are a resource partner deploying a federation service proxy server in your perimeter network. You have a federation server in your corporate network, a DNS server in your perimeter network and a separate DNS server for internet clients. How will DNS resolution differ between the internet DNS server and the perimeter DNS server?


Overview of Federation Servers

Key Points

A federation server exists on both sides of a federated trust. The federation server on the account partner side authenticates users and then issues tokens. The federation server on the resource partner side accepts and validates the tokens and then issues another token for the local resource servers to utilize during client access. There are two instances in which you would deploy a federation server:

When implementing web-based Internal SSO or Federated Web SSO.

When using identity delegation and a service account (delegate) to impersonate a user to retrieve data in a multi-tiered application infrastructure.

When deploying federation servers, careful consideration should be taken when determining in which network segment to place the servers. A couple of recommended practices regarding federation server placement are:

Treat a federation server as you would an AD DS domain controller. In other words, ensure extra protection for the federation servers and consider them high risk, high security.

Deploy federation servers in an internal, corporate network. Use a firewall to segment the network from the internet.

A federation server farm is made up of two or more federation servers sharing the same configuration and performing the same functions. A farm provides the following benefits:

High availability: Some organizations have strict uptime requirements. High availability enables better uptime.

Load balancing/Scalability: For organizations with large deployments, sometimes there is a need to balance the load across multiple servers and allow for scaling out to ensure optimum performance.


AD FS 2.0 has three basic certificate requirements, as shown below:

Token-signing certificate: When federation servers create a token, they use public/private key pairs to digitally sign the token. AD FS 2.0 creates a self-signed certificate during installation, which can be replaced thereafter.

Service communication certificate: This certificate is also known as a server authentication certificate and is used to secure communication to web services. This is the same certificate that is bound in IIS.

Token-decryption certificate: This certificate is used by the resource federation server to decrypt tokens received from the account partner federation server. AD FS 2.0 creates a self-signed certificate during installation, which can be replaced thereafter.
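Because two of the three certificates start life as self-signed ones generated at installation, a practitioner wants a quick way to see which certificate fills each role, whether it is still the installation default, and when it expires. The following PowerShell is an added example, not the course's own code; it assumes it runs on the federation server with the AD FS 2.0 PowerShell snap-in installed, and the 60-day warning threshold is a constructed value.

```powershell
# Added example, not the course's own code: list the three AD FS 2.0 certificate
# types and flag any that are still the self-signed ones created at install time,
# or that are close to expiry. Assumes the AD FS 2.0 snap-in on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$WarnDays = 60   # constructed threshold; pick what fits your renewal process

$report = Get-ADFSCertificate | ForEach-Object {
    $cert     = $_.Certificate            # X509Certificate2 behind this AD FS entry
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)             { $status = "EXPIRED" }
    elseif ($daysLeft -lt $WarnDays) { $status = "expiring" }
    else                             { $status = "ok" }

    New-Object PSObject -Property @{
        Type       = $_.CertificateType   # Token-Signing, Token-Decrypting or Service-Communications
        Primary    = $_.IsPrimary
        Status     = $status
        DaysLeft   = $daysLeft
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # true for the certificates setup generated
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
    }
}

$report | Sort-Object Type | Format-Table Type, Primary, Status, DaysLeft, SelfSigned, Subject, Thumbprint -AutoSize

# The primary certificate of each type is the one partners rely on. The service
# communications certificate is also bound to the HTTPS site in IIS, so check the
# IIS binding as well if its status here is not ok.
$report | Where-Object { $_.Primary -and $_.Status -ne "ok" } |
    ForEach-Object { Write-Warning ("{0} certificate {1} is {2}" -f $_.Type, $_.Thumbprint, $_.Status) }
```

A self-signed token-signing or token-decryption certificate is not wrong by itself, but every partner's trust carries a copy of its public key, so replacing it later means re-exchanging metadata with each partner.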

In addition to the certificate requirements, there are a couple of name resolution requirements. In a basic scenario, the federation server needs a single Address (A) record in DNS which points to the IP address of the federation server. In a load balanced scenario, the Address (A) record points to the NLB cluster IP address. As noted earlier, special consideration must be taken when a proxy is in use and DNS servers are spread across multiple networks:

Internet DNS should point to the proxy server, not the federation server.

The proxy server should not use internet DNS. Instead, it should use perimeter-based DNS (otherwise, the proxy server may have trouble locating the federation server).

Question: You have AD CS deployed in your AD DS environment. You are preparing to deploy AD FS 2.0. Should you use your internal PKI to issue certificates to meet your AD FS 2.0 certificate requirements?


Demonstration: Installing AD FS 2.0

Key Points
The following demonstration shows you how to install AD FS 2.0 as a stand-alone federation server.

Demonstration Steps
1. Start the 6426C-NYC-DC1 virtual machine and log on to it.
2. On the 6426C-NYC-DC1 virtual machine, run the AD FS 2.0 setup file, and install a federation server.
3. Run the AD FS 2.0 Federation Server Configuration Wizard, and select Stand-alone federation server.

Question: AD FS 2.0 will try to install any missing prerequisites during the AD FS 2.0 installation. Why might you not want AD FS 2.0 to install the prerequisites?


Overview of Federation Server Proxies

Key Points

Federation server proxies can be used on the account partner side and on the resource partner side. On the account partner side, the proxy collects the authentication information from clients and passes it to the account partner federation server for processing. Thereafter, the federation server issues a security token to the proxy, which sends it to the resource partner proxy. The resource partner proxy issues a new security token for the specific resource being requested. A proxy should be created when:

An organization has a perimeter network protected by a firewall.

An organization wants to enhance the security of the federation.

Similar to a federation server farm, a federation server proxy farm should be created to meet the following business requirements:

High availability: As stated earlier in the lesson, where there are high uptime requirements, high availability provides increased uptime.

Load balancing / Scalability: Again, as stated earlier, for organizations with large deployments there is a need to balance the load across multiple servers and allow for scaling to ensure optimum performance.

Federation server proxies have to meet the specific requirements shown below:

Name resolution: Clients and federation servers must be able to locate the proxy server by using DNS. One important point to remember is that the proxy server must be able to locate the federation server (and in such scenarios, it is important that internet clients and perimeter network clients do not use the same DNS servers).

Certificates: Proxies are required to use certificates to communicate with web clients. They are exposed to the internet, and certificates help minimize data exposure through encryption.

Question: What are the benefits of having a proxy on the resource partner side?


Interoperability with AD FS 1.x

Key Points

AD FS 2.0 federation servers can operate with both AD FS 1.0 and AD FS 1.1 servers. Inter-operation between AD FS 2.0 and AD FS 1.x requires an understanding of the differences and the configuration settings required for functionality. While most of the settings work similarly, some of the names of the settings have changed. A table at the end of this topic outlines the changes to the setting names. To configure interoperability between AD FS 2.0 and AD FS 1.x for each of the scenarios below, perform the tasks listed under that scenario:

Configure AD FS 2.0 to consume claims from AD FS 1.x:
1. The claims provider trust must be manually created.
2. A rule must be created to send an AD FS 1.x compatible claim.

Configure AD FS 2.0 to send claims to an AD FS 1.x federation server:
1. Manually create a relying party trust.
2. Create a rule to send the AD FS 1.x compatible claim.
3. Ensure that the AD FS 1.x administrator sets up a new account partner trust.

Configure AD FS 2.0 to send claims to an AD FS 1.x claims-aware web agent:
1. Manually create a relying party trust.
2. Ensure that the AD FS 1.x administrator edits the web.config file to point to the AD FS 2.0 federation service web agent.
3. Create a rule to send an AD FS 1.x compatible claim.


The following table displays the federation service name settings that have changed in AD FS 2.0:

AD FS 1.x setting name: Account Partner
AD FS 2.0 setting name: Claims provider trust

AD FS 1.x setting name: Resource Partner
AD FS 2.0 setting name: Relying party trust

AD FS 1.x setting name: Application
AD FS 2.0 setting name: Relying party trust

AD FS 1.x setting name: Application Properties
AD FS 2.0 setting name: Relying party trust properties

AD FS 1.x setting name: Application URL
AD FS 2.0 setting name: Relying party identifier and WS-Federation Passive Endpoint URL

AD FS 1.x setting name: Federation Service URL
AD FS 2.0 setting name: Federation Service identifier

AD FS 1.x setting name: Federation Service endpoint URL
AD FS 2.0 setting name: WS-Federation Passive Endpoint URL

Question: Are there any pieces of AD FS 1.x that AD FS 2.0 does not support?


Lesson 3

Configuring Active Directory Federation Services Partner Organizations and Claims

Configuring partner organizations and claims involves understanding the roles of each partner type, the configuration process for both sides, and the associated attribute stores and claim rules.

Objectives
After completing this lesson, you will be able to:
Describe an account partner organization.
Describe a resource partner organization.
Describe the process to configure the account partner organization.
Describe the process to configure the resource partner organization.
Create an attribute store.
Describe claim rules.


What Is an Account Partner Organization?

Key Points
An account partner organization is the organization where the user accounts are stored in an attribute store. An account partner handles the following tasks:

Gathering credentials from users using a web-based service and then authenticating those credentials.

Building up claims for users and then packaging the claims into security tokens. The tokens can then be presented across a federation trust to gain access to federation resources located at the resource partner organization.

Attribute stores for account partner organizations can include the following three supported types:

Active Directory in Windows Server 2003 and Active Directory Domain Services (AD DS) in Windows Server 2008 or Windows Server 2008 R2
Microsoft SQL Server 2005 or SQL Server 2008
Custom attribute stores

Question: What is the minimum version supported to use Windows Server 2003's Active Directory as your attribute store?


What Is a Resource Partner Organization?

Key Points

The resource partner organization is where the resources exist and are made accessible to account partner organizations. The resource partner handles the following tasks:

Accepts security tokens produced by the account partner federation server and validates them.

Consumes the claims from the security tokens, and then provides new claims to its Web servers after making an authorization decision.

The Web server(s) must have WIF installed or have the AD FS 1.x Claims-Aware Web Agent role service installed to externalize the identity logic and accept claims.

Question: A company wants to give several companies access to your claims-aware web application. Is this possible?


How to Configure the Account Partner Organization

Key Points
Configuring the account partner organization to prepare for federation involves the following steps:

1. Implement the physical topology for the account partner deployment. This is where the server requirements, including the number of servers required, are determined, and whether proxy services are needed. Then, the federation server and the federation proxy servers are deployed based on the design.

2. Add an attribute store. Use the AD FS 2.0 management console to add the attribute store. Generally, your federation server is joined to an AD DS domain and has the AD DS domain available as an attribute store by default.

3. Connect to a resource partner organization by creating a relying party trust. The creation process has three options:
    Manually enter data about the resource partner organization.
    Use a federation metadata URL provided by the resource partner organization. This is the preferred method because it is more efficient.
    Import the data from a file exported by the resource partner.

4. Create claim rules for the relying party trust. The claim rules might be based on built-in AD FS 2.0 templates or they might be created manually using the claim rule language syntax.

5. Add a claim description. This typically represents group membership information or other identifying information about a user.


6. Prepare client computers for federation. This involves two steps:
   - Add the account partner federation server to the trusted sites list in the browser of client computers.
   - Make sure client computers trust the SSL certificates used by the account federation servers, the resource federation servers, and the destination Web servers. The client does not need the server certificates themselves; it needs the issuing CA's root certificate in its Trusted Root Certification Authorities store. Some of these roots may already be trusted by default depending on the certificates and configuration.
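The following script performs steps 2 through 5 of this procedure with the AD FS 2.0 cmdlets instead of the management console. It is an example added for this edition, not part of the original course or of Microsoft's documentation. The partner metadata URL (mia-dc1.woodgrovebank.com), the trust display name, and the claim type http://contoso.com/claims/department are assumed for illustration; the cmdlets and claim rule syntax are those of the AD FS 2.0 Microsoft.Adfs.PowerShell snap-in.

```powershell
# Added example: configure the account partner side with the AD FS 2.0 cmdlets.
# Assumed values: partner metadata URL, relying party trust name, custom claim type.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$partnerMetadata = "https://mia-dc1.woodgrovebank.com/FederationMetadata/2007-06/FederationMetadata.xml"  # assumed
$trustName       = "WoodgroveBank Claims App"                                                           # assumed
$deptClaimType   = "http://contoso.com/claims/department"                                               # assumed

# Step 2: the AD DS domain the federation server is joined to is registered as a store by default.
Get-ADFSAttributeStore | Format-Table Name, StoreType -AutoSize

# Step 3: create the relying party trust from the partner's published metadata (the preferred method).
# The metadata is fetched over HTTPS, so the partner's SSL certificate must chain to a CA this server trusts.
Add-ADFSRelyingPartyTrust -Name $trustName -MetadataUrl $partnerMetadata
Get-ADFSRelyingPartyTrust -Name $trustName | Format-List Identifier, WSFedEndpoint, EncryptionCertificate

# Step 5: describe the custom claim type so that partners importing this server's metadata see it
# as an offered type. The rule below issues it whether or not a description exists.
Add-ADFSClaimDescription -Name "Department" -ClaimType $deptClaimType -IsOffered $true -IsAccepted $false

# Step 4: claim rules in the claim rule language. This is the shape the "Send LDAP Attributes as
# Claims" template generates. {0} is filled from param (the sAMAccountName carried in the
# windowsaccountname claim), so the directory query is never assembled from user-typed text.
$issuanceRules = @"
@RuleName = "Outbound LDAP Attribute Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "$deptClaimType"),
          query = ";mail,userPrincipalName,displayName,department;{0}", param = c.Value);
"@

# Issuance authorization rules decide who gets a token for this relying party at all. This is the
# rule the Add Relying Party Trust Wizard writes for "Permit all users"; replace it with a
# group-based permit rule before exposing anything sensitive.
$authorizationRules = @'
@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back what the configuration database now holds for this trust.
Get-ADFSRelyingPartyTrust -Name $trustName | Select-Object -ExpandProperty IssuanceTransformRules
```

Set-ADFSRelyingPartyTrust replaces the whole rule set it is given, so keep the rule text under version control and re-apply it in full rather than editing one rule in the console and another in a script.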

Question: You have several thousand client computers that need to be prepared for federation. How can you add a site to the trusted sites list without touching each client computer?


How to Configure the Resource Partner Organization

Key Points

Configuring the resource partner organization is similar to configuring the account partner organization and consists of the following steps:

1. Implement the physical topology for the resource partner deployment. First, determine the server requirements, including the number of servers required, and whether or not proxy services are needed. Then, deploy the federation server and the federation server proxies based on the design.

2. Add an attribute store. You use the AD FS 2.0 management console to add the attribute store. Generally, your federation server is joined to an AD DS domain and has the AD DS domain available as an attribute store by default.

3. Connect to an account partner organization by creating a claims provider trust. The creation process has three options:
   - Manually enter data about the account partner organization.
   - Use a federation metadata URL provided by the account partner organization. This is the preferred method because it is more efficient.
   - Import the data from a file exported by the account partner.

4. Create claim rule sets for the claims provider trust. These acceptance transform rules decide which of the partner's claims are accepted, and in what form, before any relying party rules see them. An incoming claim that no acceptance rule issues is dropped, so the rule set is effectively an allow-list of what the partner may assert about a user.


Demonstration: How to Create an Attribute Store

Key Points
The following demonstration shows you how to create an AD FS 2.0 attribute store.

Demonstration Steps
1. Log on to the 6426C-NYC-DC1 virtual machine.
2. Open the AD FS 2.0 management console.
3. Expand Trust Relationships, then highlight Attribute Stores, then click the Add Attribute Store link in the far right pane.
4. Specify the Name, Description, Attribute Store Type, and Connection String.

Question: You noticed that the LDAP attribute store and the SQL-based attribute store require a connection string. What are the connection string syntaxes?
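The same registration from PowerShell, followed by a claim rule that actually queries one of the new stores. This is an example added for this edition, not course or product code. The host names, database and view names, the claim type, and the relying party trust name are assumed; so is the configuration hashtable key connection, which is taken here to be the key behind the Connection String field of the Add Attribute Store dialog (check with Get-ADFSAttributeStore after adding a store through the console if in doubt).

```powershell
# Added example: register LDAP and SQL attribute stores, then query the SQL store from a claim rule.
# Assumed: host names, database objects, claim type, trust name, and the "connection" config key.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# LDAP store: the connection string is an LDAP URL naming the server and the search base.
Add-ADFSAttributeStore -Name "Partner LDAP" -StoreType LDAP `
    -Configuration @{ "connection" = "LDAP://ldap01.contoso.com/OU=People,DC=contoso,DC=com" }    # assumed

# SQL store: an ADO.NET connection string. Integrated Security means the AD FS service account
# authenticates with its own identity, so no password is stored in the configuration database.
# Grant that account SELECT on the one view it needs and nothing else.
Add-ADFSAttributeStore -Name "HR SQL Store" -StoreType SQL `
    -Configuration @{ "connection" = "Server=sql01.contoso.com;Database=HR;Integrated Security=True" } # assumed

Get-ADFSAttributeStore | Format-List Name, StoreType, Configuration

# A rule that looks the user up in the SQL store by UPN. {0} is bound from param; keep every
# user-derived value in param and never splice it into the query text.
$sqlRule = @'
@RuleName = "Cost Center from HR"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "HR SQL Store", types = ("http://contoso.com/claims/costcenter"),
          query = "SELECT CostCenter FROM dbo.EmployeeView WHERE Upn = {0}", param = c.Value);
'@

# Append the rule to the issuance transform rules of an existing relying party trust (assumed name).
$rp = Get-ADFSRelyingPartyTrust -Name "WIF Sample Claims App"
Set-ADFSRelyingPartyTrust -TargetName $rp.Name `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $sqlRule)
```

Because the service account's own credentials are used for the SQL connection, test the query once as that account (for example with runas) before relying on it; a rule whose store query fails produces no claim and no obvious error for the user.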


What Are Claim Rules?

Key Points

Claim rules are rules made up of logic statements that apply specific conditions to incoming claims. An outgoing claim is produced based on the specific conditions. Claim rules exist on both sides of a federation.

An example of a claim rule is an incoming claim containing a value of Marketing Department. A claim rule can take that and use logic to transform it into another value, such as Level 2, which would be part of the outgoing claim and used for authorization. The web application might be configured to allow all claims with the value of Level 1 to access small portions of the application while allowing all claims with a value of Level 2 to access the entire application.

The following are the two types of claim rules:

- Claim rules for a claims provider trust. These are created in the resource partner organization to process incoming claims, as shown in the example above.

- Claim rules for a relying party trust. These are created in the account partner organization and are used for creating claims. An example is a rule to send an AD DS security group as a claim. Common rules like this are available in the built-in claim rule templates.
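The script below shows the resource partner side: steps 3 and 4 of "How to Configure the Resource Partner Organization" (claims provider trust from metadata, then its acceptance transform rules), with the Marketing Department to Level 2 transform from the paragraph above written in the claim rule language. It is an example added for this edition, not course or product code; the partner name, its metadata URL, and the Level 1 fallback rule are assumptions.

```powershell
# Added example: resource partner side. Assumed: account partner name and metadata URL.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$partnerName     = "Contoso"                                                                        # assumed
$partnerMetadata = "https://nyc-dc1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml" # assumed

# Step 3: claims provider trust built from the account partner's metadata. The metadata carries the
# partner's token-signing certificate; tokens signed with any other key will fail validation here.
Add-ADFSClaimsProviderTrust -Name $partnerName -MetadataUrl $partnerMetadata

# Step 4: acceptance transform rules. Only claims that some rule issues survive this stage, so the
# set below is a complete allow-list of what Contoso may assert about a user. Keeping Issuer and
# OriginalIssuer on transformed claims preserves which partner asserted the original value.
$acceptanceRules = @'
@RuleName = "Marketing Department to Level 2"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Marketing Department"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Level 2",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Everyone Else Is Level 1"
NOT EXISTS([Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Marketing Department"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Level 1");

@RuleName = "Pass Through Identity Claims"
c:[Type =~ "^http://schemas\.xmlsoap\.org/ws/2005/05/identity/claims/(upn|emailaddress|name)$"]
 => issue(claim = c);
'@
Set-ADFSClaimsProviderTrust -TargetName $partnerName -AcceptanceTransformRules $acceptanceRules

# Read back the stored rules and the partner's signing certificate for a final check.
Get-ADFSClaimsProviderTrust -Name $partnerName | Format-List Identifier, TokenSigningCertificates, AcceptanceTransformRules
```

Note what is deliberately absent: no rule passes through an incoming role claim unchanged. If it did, the account partner could assert Level 2 directly, and the resource partner's own mapping would be bypassed.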

Question: Do administrators from the account partner organization need to work with the resource partner organization when creating claim rules?


Lesson 4

Troubleshooting Active Directory Federation Services

Troubleshooting AD FS 2.0 involves a thorough understanding of the AD FS 2.0 roles and services. Understanding how each of the AD FS 2.0 components work together, and in which order, is critical when AD FS 2.0 issues arise.

Objectives
After completing this lesson, you will be able to:

- Describe steps to prepare to diagnose AD FS 2.0 issues.
- Set up AD FS 2.0 event logging.
- Describe common AD FS 2.0 issues.
- Investigate and resolve AD FS federation service issues.
- Investigate and resolve AD FS user reported issues.
- Investigate and resolve AD FS trust management issues.


Preparing to Diagnose AD FS 2.0 Issues

Key Points
To diagnose AD FS 2.0 issues, you should configure federation servers and federation server proxies for troubleshooting. The following are four key areas that are useful when troubleshooting:

- AD FS 2.0 event logging: The first place to start is the Windows Event Viewer. The event logs are pre-configured and usually contain valuable information to help diagnose issues. This can save IT administrators time because they do not have to configure additional debug logging or auditing or spend time gathering performance metrics. AD FS 2.0 has a dedicated log named Admin which resides in the Applications and Services Logs area of the Event Viewer. A shortcut to viewing only the necessary information is to filter the AD FS 2.0 Admin log to only critical, error, or warning entries.

- Debug tracing: AD FS 2.0 also provides a built-in debug tracing log that is viewable and configurable in the Windows Event Viewer. This log is not set to capture events by default. The default maximum size of the debug log is 10 GB, so it is important to ensure you have ample room on your system drive (which is the default drive used for the log). It can be enabled by performing the following steps:
   a. In Windows Event Viewer, click the View menu and then select the Show Analytic and Debug Logs option.
   b. Expand the AD FS 2.0 Tracing folder, right-click the Debug log, and then select the Enable Logging option.
   c. Click OK to close the dialog box.
   d. Restart the AD FS 2.0 Windows service.

- Auditing: In high security environments or when troubleshooting, auditing can be enabled to provide additional information. It can be enabled by performing the following steps:
   a. Modify the local server security policy (or use a GPO) so that the AD FS 2.0 service account has the Generate security audits user right (SeAuditPrivilege).


   b. Run the following command at an elevated command prompt. The subcategory name contains a space, so it must be quoted:

      auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

   c. Edit the Federation Service Properties in the AD FS 2.0 management console. On the Events tab, select the Success audits and Failure audits options.

- Performance monitoring: AD FS 2.0 creates dedicated performance counters during installation. These counters are specific to AD FS 2.0 and can be used to baseline your federated environment after the initial deployment. Later, when troubleshooting issues, you can use the Windows Reliability and Performance Monitor tool to look at current performance metrics and compare them against your baseline(s).
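The four areas above, switched on and read back from an elevated PowerShell session on the federation server. This is an example added for this edition, not course or product code. The service name adfssrv, the log names AD FS 2.0/Admin and AD FS 2.0 Tracing/Debug, and the Security-log provider name AD FS 2.0 Auditing are the AD FS 2.0 names as the author knows them; treat the last one as an assumption to confirm against an audit event on your own server.

```powershell
# Added example: enable AD FS 2.0 diagnostics (logging, tracing, auditing, counters) and read them back.
# Run elevated on the federation server. Assumed names: adfssrv, "AD FS 2.0/Admin",
# "AD FS 2.0 Tracing/Debug", provider "AD FS 2.0 Auditing".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Event logging: raise the Admin log level and include audit levels. "Verbose" is also accepted
#    but floods the log; use it only while reproducing a problem.
Set-ADFSProperties -LogLevel @("Errors", "Warnings", "Information", "SuccessAudits", "FailureAudits")
Get-ADFSProperties | Select-Object -ExpandProperty LogLevel

# The same filter the text suggests for the console: Critical (1), Error (2) and Warning (3) only.
Get-WinEvent -FilterHashtable @{ LogName = "AD FS 2.0/Admin"; Level = 1, 2, 3 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

# 2. Debug tracing: the analytic log is off by default and grows large. Turn it back off with
#    /e:false when you are done. Tracing starts after the service restarts (below).
wevtutil.exe sl "AD FS 2.0 Tracing/Debug" /e:true

# 3. Auditing. The service account needs the "Generate security audits" right; this only reports who
#    currently holds it in the local policy (SIDs), it does not grant it. Grant it via secpol.msc or a GPO.
$inf = Join-Path $env:TEMP "secpol.inf"
secedit.exe /export /cfg $inf | Out-Null
Select-String -Path $inf -Pattern "^SeAuditPrivilege" | ForEach-Object { $_.Line }
Remove-Item $inf -ErrorAction SilentlyContinue

# The subcategory name contains a space and must be quoted.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
auditpol.exe /get /subcategory:"Application Generated"

Restart-Service adfssrv

# AD FS audit events are written to the Security log under their own provider name (assumed).
Get-WinEvent -FilterHashtable @{ LogName = "Security"; ProviderName = "AD FS 2.0 Auditing" } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 4. Performance counters: find the AD FS counter set by wildcard, list its paths for baselining,
#    and take one sample of every counter in it.
$set = Get-Counter -ListSet "AD FS*" | Select-Object -First 1
$set.Paths
Get-Counter -Counter $set.Paths -SampleInterval 1 -MaxSamples 1
```

Audit events are the only record of which claims were issued to whom, so on a production server keep auditing on permanently and forward the Security log; the Admin log alone does not show claim values.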

Question: What are some of the drawbacks to auditing?


Demonstration: How to Setup AD FS 2.0 Event Logging

Key Points
The following demonstration shows you how to view and set AD FS 2.0 event logging levels.

Demonstration Steps
1. Log on to the 6426C-NYC-DC1 virtual machine.
2. Use Event Viewer to verify that AD FS-related events appear in the AD FS 2.0 Admin log.
3. Use the Get-ADFSProperties and Set-ADFSProperties -LogLevel cmdlets to view and set AD FS logging levels.

Question: How can you get a list of all of the ADFS-related Windows PowerShell cmdlets?


Common AD FS 2.0 Issues

Key Points
Understanding how to troubleshoot the most common AD FS 2.0 issues is a key skill for an IT administrator. The following are the most common AD FS 2.0 issues:

- Federation service issues: Service issues are related to startup issues or shutdown issues. Both of these issues are typically seen when rebooting or performing other maintenance that requires a service stop. Service startup or shutdown issues are common across all service-based technologies and many of the same troubleshooting techniques apply.

- User reported issues: The most common user reported issues are trouble reaching a federated website, trouble signing in, and trouble with access to a site after successfully signing in. These issues can typically be reproduced by a user or group of users, and standard troubleshooting techniques again apply.

- Trust management issues: The most common trust management issues are errors encountered by the federation service related to SSL, database reachability issues, and the federation service being unable to respond to connections or write data to the database. The trust monitoring service generally reports errors in the event logs, and those errors contain information that will assist you with troubleshooting.

Question: What is the best way to determine the severity of a user reported issue?


Troubleshooting AD FS 2.0 Federation Service Issues

Key Points

Many IT administrators have run into service startup issues. The following is a brief look at such a problem in AD FS 2.0. There are several common causes when the federation service fails to start:

- SSL certificate related issues, such as being unable to load the certificate, unable to find the certificate, or unable to find the private key associated with the certificate (including the case where the key exists but the AD FS 2.0 service account has no read access to it).

- The SQL database server is unavailable (not reachable over the network, not responding to logon, or the AD FS 2.0 service account fails to log on to SQL Server or to access the AD FS 2.0 configuration database).

- Other AD FS 2.0 configuration errors, such as the network bindings or a missing HTTP.SYS URL reservation (URL ACL) for the endpoint URL. You can list the current reservations with netsh http show urlacl.
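A check script for the three causes above, written so that it works while the service is stopped (the AD FS 2.0 cmdlets themselves need the running service, so it does not use them). This is an example added for this edition, not course or product code. It assumes the service name adfssrv, the WMI class SecurityTokenService in the root\ADFS namespace for the configuration database connection string, and a CSP-based (not CNG) private key for the SSL certificate.

```powershell
# Added example: startup-failure checks usable while adfssrv is down. Run elevated on the server.
# Assumed: service name adfssrv, WMI class root\ADFS:SecurityTokenService, CSP private key.

# Which account the service runs as: its certificate and SQL permissions are what matter below.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
"Service: {0}  StartMode: {1}  RunsAs: {2}" -f $svc.State, $svc.StartMode, $svc.StartName

# 1. SSL certificate: what HTTP.SYS has bound, whether it is in the machine store, and whether its
#    private key file is readable by the service account (look for that account in the ACL output).
$sslLine = netsh http show sslcert | Select-String "Certificate Hash" | Select-Object -First 1
if (-not $sslLine) {
    "No SSL certificate is bound in HTTP.SYS"
} else {
    $thumb = ($sslLine.Line -split ":")[-1].Trim()
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert)                    { "Bound certificate $thumb is NOT in LocalMachine\My" }
    elseif (-not $cert.HasPrivateKey)  { "Certificate $thumb has no private key on this machine" }
    else {
        "Certificate OK: $($cert.Subject) (expires $($cert.NotAfter))"
        try {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
            "Private key file ACL ($keyFile):"
            (Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        } catch { "Could not inspect the private key (CNG key or no access): " + $_.Exception.Message }
    }
}

# 2. Configuration database: read the connection string the service will use and try to open it.
#    This connects as you, not as the service account. Success here plus failure at service start
#    points at the service account's SQL login or database permissions rather than at reachability.
$sts = Get-WmiObject -Namespace root\ADFS -Class SecurityTokenService
$cs  = $sts.ConfigurationDatabaseConnectionString
"Config DB connection string: $cs"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try     { $conn.Open(); "Config DB reachable (SQL version {0})" -f $conn.ServerVersion }
catch   { "Config DB NOT reachable: " + $_.Exception.Message }
finally { $conn.Close() }

# 3. URL reservations: without an ACL for its endpoints the service cannot listen on them.
netsh http show urlacl | Select-String -Pattern "adfs|FederationMetadata" -Context 0, 1
```

Run the script before and after a change such as a certificate renewal; the differences between the two runs usually name the cause faster than the Admin log does.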

Question: Which common service startup troubleshooting steps are still effective for AD FS 2.0?


Troubleshooting AD FS 2.0 User Reported Issues

Key Points
User reported issues can vary widely and can be the easiest problem you ever solve or the toughest challenge you ever face. Reported problems can vary and so can the priority. Common AD FS 2.0 user reported issues include:

My client application failed to authenticate with AD FS 2.0: This is typically a user input problem (typing the wrong user name or the wrong password). Have the user try to log on again. Ensure that the user can log on to other applications that utilize the same credentials.

When I try signing in, it fails and the message I receive from AD FS 2.0 says I am not authorized: This usually indicates that the sign-in process succeeded but that the user does not have access to the requested website (or the portion that they are attempting to access). This error may also indicate some other issue so it is important to check the AD FS 2.0 logs for more information.

Question: What are some common user troubleshooting tips that can be applied to AD FS 2.0 scenarios?


Troubleshooting AD FS 2.0 Trust Management Issues

Key Points
Trust management issues in AD FS 2.0 are a bit less common than the typical user reported issues, but they are also more critical.

One common AD FS 2.0 trust management issue is when the Federation Service encounters an error while writing to an object in the configuration database. Common resolutions for this issue include checking and resolving SQL database server reachability issues (the server is not reachable over the network, the SQL service is not running, or the AD FS 2.0 service account does not have the necessary write permissions). Also, if the federation service is in the middle of a write operation to the SQL database but is interrupted (SQL goes down, or a similar issue), this error might be seen. In such cases, the same resolution steps should be taken.

Question: Besides SQL, what could be some other causes for trust management issues?


Lab: Deploying and Configuring Active Directory Federation Services

Objectives
After completing this lab, you will be able to:

- Install the PKI infrastructure and prepare for federated collaboration with AD FS 2.0.
- Install and configure Active Directory Federation Services (AD FS) 2.0.
- Configure AD FS 2.0 for internal users to access an internal claims-aware application.
- Configure AD FS 2.0 for internal users to access a partner's claims-aware application.

Scenario

Now that you have your development team working efficiently with AD LDS, your IT Director wants to extend the functionality of a partner's main claims-aware web application so that your users can access the application with their own credentials.

To do this, you first need to familiarize yourself with the various components. You decide to set up the prerequisite PKI infrastructure, configure AD FS, identify a sample claims-aware web application to use, and configure the relevant certificates and associated rules and claims. Familiarizing yourself with these components helps to make sure you understand the concepts and processes involved before documenting your requirements, defining the project needs, and providing access to a broader test audience. You have decided to implement Active Directory Federation Services 2.0 in a single-organization scenario, and then test it before you provide further access or collaboration with an external organization. The sample application you have decided to use is sourced from the Windows Identity Foundation (WIF) Software Development Kit (SDK) and will allow a proof of concept before using the partner's application and involving more people at this early stage. You will install and configure the various components required to test the Federation Service.


In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

- Apply the Starting Image snapshot for the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
- Start the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.


Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Scenario

You need to prepare your environment for AD FS and you have determined that you will require a PKI infrastructure. You then set about preparing a PKI infrastructure for use with AD FS. The main tasks for this exercise are as follows:

1. Install Active Directory Certificate Services in the Contoso domain.
2. Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA) extension locations.
3. Configure the Web Server certificate template to allow domain controllers and domain computers permission to enroll for the certificate.
4. Create a certificate in Internet Information Services (IIS).
5. Bind the certificate to a claims-aware application for use with SSL.
6. Export the Contoso root certificate for importing into the WoodgroveBank domain.
7. Import the certificate from the WoodgroveBank domain into the local Trusted Root Certification Authorities store and make that certificate accessible to all computers in the domain using Group Policy.

Task 1: Install Active Directory Certificate Services in the Contoso Domain

On the 6426C-NYC-DC1 virtual machine, log on with user name CONTOSO\Administrator using password Pa$$w0rd, install AD CS accepting the setup defaults, and ensure the following selections:

- Role Services: Certification Authority and Certification Authority Web Enrollment
- Setup type: Enterprise
- CA Type: Root
- Create a new private key
- CA name: ContosoCA

Note: Before continuing with the lab, you should ensure that some core services required in the lab are running successfully at this point, such as Active Directory Web Services.

Task 2: Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA)
1. Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA) extension locations listed below:
   - Ldap://CN
   - File://<serverDNSName>...
2. Choose to include the CDP and AIA extensions in issued certificates.
3. Review the existing certificates that have been issued, refresh the list of certificates using certutil.exe, and delete any legacy certificates containing the extension locations you just removed.


Task 3: Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate
1. Edit the Web Server certificate template properties to allow Domain Computers, Domain Controllers, Network Service, and IIS_IUSRS the Read and Enroll permissions.
2. Stop and restart the AD CS service using net stop certsvc and net start certsvc.

Note: The Web Server template lets the requester supply the subject name, so granting Enroll to Domain Computers allows any domain-joined machine to obtain a certificate for any host name from ContosoCA. That is acceptable in this isolated lab; in production, restrict Enroll to the specific servers (or a group containing them) that need web server certificates.

Task 4: Create a certificate in Internet Information Services (IIS)

Create a Domain Certificate in IIS with a friendly name of NYC-DC1.Contoso.com, issued by the certification authority ContosoCA, with the following details:

- Common name: NYC-DC1.Contoso.com
- Organization: Contoso Pharmaceuticals
- Organization unit: IT Department
- City/locality: New York
- State/province: New York
- Country/region: US

Task 5: Bind the certificate to a claims aware application for use with SSL

Bind the certificate that you just created to the Default Web Site for use with HTTPS connections on port 443.

Task 6: Export the Contoso root certificate for importing into the WoodgroveBank domain
1. On the 6426C-NYC-DC1 virtual machine, export the Contoso root certificate for later use in the WoodgroveBank domain.
2. Choose not to export the private key, choose the file format DER encoded binary X.509 (.CER), and save the file to C:\Export\Certs.

Task 7: Import the certificate from the WoodgroveBank domain into the local Trusted Root Certification Authorities store and make that certificate accessible to all computers in the domain using Group Policy

1. On the 6426C-NYC-DC1 virtual machine, import the WoodgroveBank root certificate from \\MIA-DC1\C$\Export\Certs\ and place it into Trusted Root Certification Authorities using the Group Policy Management Editor snap-in, so that it is distributed to the domain as part of the Default Domain Policy.
2. On the 6426C-MIA-DC1 virtual machine, import the Contoso root certificate from \\NYC-DC1\C$\Export\Certs\ and place it into Trusted Root Certification Authorities using the Group Policy Management Editor snap-in, so that it is distributed to the domain as part of the Default Domain Policy.
3. Refresh the group policy in both domains via the command line.

Results: After this exercise, you installed Active Directory Certificate Services; created, modified, and managed certificates for use in a federated environment; bound a certificate to an SSL connection; and exported and imported certificates across two separate domains. These are all preliminary tasks required for a successful AD FS implementation.
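The root certificate exchange of Tasks 6 and 7 from the command line, with the check a practitioner wants before putting a partner's root into Trusted Root. This is an example added for this edition, not part of the course; it runs on 6426C-NYC-DC1 (the Contoso CA) and uses the lab's export path. The file name WoodgroveBankCA.cer is assumed, and the server certificate is addressed by its subject name NYC-DC1.Contoso.com.

```powershell
# Added example: root certificate exchange between the two lab domains, with verification.
# Run on 6426C-NYC-DC1. Assumed: partner file name WoodgroveBankCA.cer.
$exportDir = "C:\Export\Certs"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Task 6: export the CA's own certificate. -ca.cert writes the public certificate only;
# the CA's private key never leaves the CA this way.
certutil.exe -ca.cert (Join-Path $exportDir "ContosoCA.cer")

# Task 7, before trusting anything: read the certificate you received and compare its thumbprint
# with the value the partner gave you out of band. A certificate in Trusted Root lets whoever holds
# its private key issue certificates for any name that every client in the domain will accept.
$partnerRoot = '\\MIA-DC1\C$\Export\Certs\WoodgroveBankCA.cer'   # assumed file name
$x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $partnerRoot
"Subject    : " + $x.Subject
"Issuer     : " + $x.Issuer
"Thumbprint : " + $x.Thumbprint
"Valid until: " + $x.NotAfter
if ($x.Subject -ne $x.Issuer) { throw "Not a self-signed root certificate; refusing to add it to Trusted Root" }

# Local import for this one machine (what the GPO import will do on every domain member).
certutil.exe -addstore -f Root $partnerRoot

# The lab distributes it domain-wide through the Default Domain Policy (Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification
# Authorities). An alternative is to publish it to AD so members pick it up through autoenrollment:
# certutil.exe -dspublish -f $partnerRoot RootCA

gpupdate.exe /force

# Confirm the Task 4 server certificate builds a chain to ContosoCA from the machine store.
certutil.exe -verifystore My "NYC-DC1.Contoso.com"
```

Run the same script, with the names swapped, on 6426C-MIA-DC1. The thumbprint comparison is the only step that protects against a substituted file on the share; do not skip it when the "share" is e-mail or a USB stick.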


Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Scenario
Now that you have installed the PKI infrastructure, you decide to proceed with the installation and configuration of your AD FS environment. The main tasks for this exercise are as follows:

1. Install AD FS 2.0 in the Contoso domain.
2. Create a stand-alone federation server using the AD FS 2.0 Federation Server Configuration Wizard.
3. Verify that the federation PowerShell modules have been installed correctly and are available for use.
4. Verify that FederationMetadata.xml is present and contains valid data.
5. Create a new claim type and verify that it has been successfully added to the claims list.

Task 1: Install AD FS 2.0 in the Contoso domain


1. On the 6426C-NYC-DC1 virtual machine, log on with user name Contoso\Administrator using password Pa$$w0rd.
2. Install AD FS from the folder X:\Labfiles\Mod05\AdfsSetup, choosing to install the Federation Server role.

Note: As at the start of Exercise 1, before continuing with the lab you should ensure that some core services required in the lab are running successfully at this point, such as Active Directory Web Services and the AD FS 2.0 Windows Service.

Task 2: Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration wizard
Run the AD FS 2.0 Federation Server Configuration Wizard from the AD FS 2.0 Management console, specifying the following settings:

- Create a new Federation Service
- Stand-alone federation server
- Use the certificate NYC-DC1.Contoso.com for SSL connectivity with port number 443 (ensure this is the certificate you recently created by checking the certificate properties)

Note: As at the start of Exercise 1, before continuing with the lab you should ensure that some core services required in the lab are running successfully at this point, such as Active Directory Web Services and the AD FS 2.0 Windows Service.


Task 3: Verify the Federation PowerShell Modules have been installed correctly and are available for use
1. Open the Windows PowerShell Modules window and review the AD FS properties by using the Get-ADFSProperties cmdlet.
2. View all AD FS PowerShell cmdlets using the Get-Command *-ADFS* command.

Task 4: Verify the FederationMetaData.xml is present and contains valid data


View the federation metadata by opening Internet Explorer and browsing to the following URL: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml

Task 5: Create a new claim type and verify it has been successfully added to the claims list
1. In the AD FS 2.0 Management Console, create a new Claim Description with the details below and publish the claim description in the federation metadata as a claim type that the Federation Server can both accept and send:
   - Display Name: Favorite Color
   - Claim Identifier: http://www.favoritecolor.com/claim/colordescriptions
2. Open the federation metadata in Internet Explorer: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Scroll to the end of the page after it renders and verify that the claim type has been added to the list.

Results: After this exercise, you installed and configured AD FS and verified a successful installation by viewing the PowerShell modules as well as looking directly at the federation metadata XML. You also successfully added a new claim type to the claim descriptions.


Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Scenario

Now that AD FS 2.0 is installed and the initial configuration is complete, you must test the environment in an internal stand-alone scenario. To test this, you have decided to use a sample application that you have obtained from the Windows Identity Foundation (WIF) SDK. You must now configure your AD FS environment to work with this sample application. The main tasks for this exercise are as follows:

1. Configure a token-signing certificate for NYC-DC1.Contoso.com.
2. Configure a claims provider trust for NYC-DC1.Contoso.com.
3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.
4. Configure a relying party trust to the claims-aware application.
5. Configure claim rules for the relying party trust.
6. Test the access to the claims-aware application.
7. Configure claim rules for the claims provider trust and the relying party trust to allow access only for a certain group.
8. Verify restrictions and accessibility to the claims-aware application.

Task 1: Configure a Token Signing Certificate for NYC-DC1.Contoso.com


1. On the 6426C-NYC-DC1 virtual machine, log on with user name Contoso\Administrator using password Pa$$w0rd.
2. Turn off the automatic certificate rollover feature in the Windows PowerShell window by using the Set-ADFSProperties -AutoCertificateRollover $false command. While automatic rollover is on, AD FS 2.0 manages the token-signing certificates itself and refuses manual additions.
3. In the AD FS 2.0 Management console, add a Token-Signing Certificate and choose NYC-DC1.Contoso.com as the certificate to use (ensure this is the certificate you recently created by checking the certificate properties).
4. Set this newly added certificate as the primary token-signing certificate and delete the certificate that you just superseded.
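The script below does Exercise 2, Task 5 (publish the Favorite Color claim description) and this task (swap the token-signing certificate) from PowerShell, then verifies both against the federation metadata that a partner would import, which is where an error in either actually shows up. This is an example added for this edition, not course or product code. It assumes the lab's host name, the lab's certificate subject, and that the AD FS 2.0 service account (Network Service on a stand-alone server) has read access to the certificate's private key.

```powershell
# Added example: claim description + token-signing rollover, verified against published metadata.
# Assumed: nyc-dc1.contoso.com, certificate subject CN=NYC-DC1.Contoso.com, service account can read the key.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$metadataUrl = "https://nyc-dc1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
$colorType   = "http://www.favoritecolor.com/claim/colordescriptions"

# Exercise 2, Task 5: a claim description offered and accepted by this Federation Service.
if (-not (Get-ADFSClaimDescription | Where-Object { $_.ClaimType -eq $colorType })) {
    Add-ADFSClaimDescription -Name "Favorite Color" -ClaimType $colorType -IsAccepted $true -IsOffered $true
}

# Exercise 3, Task 1: manual rollover. Add/Set/Remove-ADFSCertificate are refused while
# AutoCertificateRollover is on.
Set-ADFSProperties -AutoCertificateRollover $false
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=NYC-DC1.Contoso.com*" } | Select-Object -First 1
$old = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($new -and $old.Thumbprint -ne $new.Thumbprint) {
    Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $new.Thumbprint
    Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $new.Thumbprint -IsPrimary
    # Outside a lab, leave the superseded certificate in place until every partner has refreshed
    # its copy of your metadata; until then their trust still expects the old signing key.
    Remove-ADFSCertificate -CertificateType Token-Signing -Thumbprint $old.Thumbprint
}

# Verification: read the metadata exactly as a partner's "import from URL" would.
$wc  = New-Object System.Net.WebClient
$xml = [xml]$wc.DownloadString($metadataUrl)
$ns  = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
$ns.AddNamespace("md",   "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds",   "http://www.w3.org/2000/09/xmldsig#")
$ns.AddNamespace("auth", "http://docs.oasis-open.org/wsfed/authorization/200706")

# Offered claim types appear as auth:ClaimType elements; check ours is among them.
$offered = $xml.SelectNodes("//auth:ClaimType/@Uri", $ns) | ForEach-Object { $_.Value }
"Favorite Color published in metadata: " + ($offered -contains $colorType)

# Signing keys appear as base64 certificates in KeyDescriptor use="signing"; compare thumbprints.
$advertised = $xml.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)).Thumbprint
    } | Select-Object -Unique
$primary = (Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
"Primary token-signing certificate advertised in metadata: " + ($advertised -contains $primary)
```

If the second check prints False after a rollover, partners that import the metadata will still trust the old key and will reject every token you issue; fix that before touching any trust on the partner side.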

Task 2: Configure a claims provider trust for NYC-DC1.Contoso.com


1. In the AD FS 2.0 Management console, go to Claims Provider Trusts, highlight the Active Directory claims provider trust, and then click Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog, on the Acceptance Transform Rules tab, launch the Add Transform Claim Rule Wizard and complete the wizard with the following settings:
   - Select Send LDAP Attributes as Claims under Claim rule template.
   - Name the claim rule Outbound LDAP Attribute Rule.
   - Choose Active Directory as the Attribute store.


   - In the Mapping of LDAP attributes to outgoing claim types, select the following values:

        LDAP Attribute         Outgoing Claim Type
        E-Mail-Addresses       E-Mail Address
        User-Principal-Name    UPN
        Display-Name           Name

Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. Launch the Windows Identity Foundation Federation Utility from Administrative Tools.
2. Complete the wizard with the following settings:
   - Point to the web.config file of the WIF sample application: C:\Inetpub\wwwroot\ContosoClaimApp\web.config.
   - In the Application URI box, type https://nyc-dc1.contoso.com/contosoclaimapp/.
   - Select Use an existing STS, and enter the path https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml.
   - If prompted, select Disable certificate chain validation.
   - Select No encryption.

Note: Disable certificate chain validation and No encryption are lab shortcuts. With chain validation disabled, WIF trusts the STS by the thumbprint of its token-signing certificate that the utility writes into web.config, so a token-signing certificate change on the federation server must be followed by updating that thumbprint. With No encryption, the tokens are protected only by the SSL session between browser and web server.

Task 4: Configure a relying party trust to the claim aware application


1. In the AD FS 2.0 Management console, click Required: Add a trusted relying party in the middle pane.
2. Complete the Add Relying Party Trust Wizard with the following settings:
   - Choose Import data about the relying party published online or on a local network, and type https://nyc-dc1.contoso.com/contosoclaimapp.
   - Specify a Display name of WIF Sample Claims App.
   - Choose Permit all users to access this relying party.
   - Select the check box to open the Edit Claim Rules dialog for WIF Sample Claims App when the wizard completes.

Task 5: Configure claim rules for the relying party trust


1. In the Edit Claim Rules for WIF Sample Claims App dialog, choose Add Rule on the Issuance Transform Rules tab.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
   - Choose Pass Through or Filter an Incoming Claim in the Claim rule template drop-down list.
   - Name the claim rule Pass Through Windows Account Name.
   - Select Windows account name in the Incoming claim type drop-down list.
3. Create three more rules to pass through the E-Mail Address, UPN, and Name claim types.


Task 6: Test the access to the claims aware application


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Axel using password Pa$$w0rd.
2. Launch Internet Explorer and specify the URL: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, enter CONTOSO\Axel with password Pa$$w0rd.

Note: If the page does not render successfully, as a first step in troubleshooting you should ensure that some core services required in the lab are running successfully on 6426C-NYC-DC1 at this point, such as Active Directory Web Services and the AD FS 2.0 Windows Service. Then retry accessing the application.

Task 7: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On the 6426C-NYC-DC1 virtual machine, open the AD FS 2.0 console.
2. Edit the claim rules for the Active Directory claims provider trust.
3. Choose Add Rule on the Acceptance Transform Rules tab.
4. Complete the Add Transform Claim Rule Wizard with the following settings:
   - Select Send Group Membership as a Claim in the Claim rule template.
   - Name the claim rule Send IT Admin Group Rule.
   - Specify the ITAdmins_ContosoGG group.
   - Select Group in the Outgoing claim type.
   - Type ITADMIN for the Outgoing claim value.
5. Return to the AD FS 2.0 console and open the WIF Sample Claims App properties dialog box.
6. In the Edit Claim Rules for WIF Sample Claims App dialog, remove the existing rule on the Issuance Authorization Rules tab.
7. Choose Add Rule on the Issuance Authorization Rules tab.
8. Complete the Add Issuance Authorization Claim Rule Wizard with the following settings:
   - Select Permit or Deny Users Based on an Incoming Claim in the Claim rule template.
   - Name the claim rule Permit IT Admin Group Rule.
   - Select Group in the Incoming claim type.
   - Type ITADMIN for the Incoming claim value and select the option to Permit access to users with this incoming claim.
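The same task from PowerShell, which also shows what the wizard hides: the group rule it generates matches on the group's SID, not its name. This is an example added for this edition, not course or product code; the trust names are the ones used in this lab, and the script assumes the acceptance rules already on the Active Directory trust should be kept.

```powershell
# Added example: Task 7 with the AD FS 2.0 cmdlets. Uses the lab's trust names.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The wizard resolves the group to its SID when it writes the rule. Renaming the group therefore
# does not break the rule; deleting and re-creating it (new SID) silently does.
$group = New-Object System.Security.Principal.NTAccount("CONTOSO", "ITAdmins_ContosoGG")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Steps 1-4: append the group-to-claim rule to the Active Directory claims provider trust.
$groupRule = @"
@RuleName = "Send IT Admin Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "ITADMIN",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
$ad = Get-ADFSClaimsProviderTrust -Name "Active Directory"
Set-ADFSClaimsProviderTrust -TargetName $ad.Name `
    -AcceptanceTransformRules ($ad.AcceptanceTransformRules + "`r`n" + $groupRule)

# Steps 5-8: replace the relying party's issuance authorization rule set. Passing a new set to
# Set-ADFSRelyingPartyTrust discards the "Permit all" rule the wizard created in Task 4.
# Authorization rules evaluate the claims produced by the acceptance rules, so the Group claim
# does not also need a pass-through issuance rule to be usable here. Anything not explicitly
# permitted is denied, which is what a user outside the group sees as Access Denied in Task 8.
$authzRules = @'
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)ITADMIN$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
Set-ADFSRelyingPartyTrust -TargetName "WIF Sample Claims App" -IssuanceAuthorizationRules $authzRules

# Show the resulting rule sets so the change can be reviewed before users test it.
Get-ADFSClaimsProviderTrust -Name "Active Directory" | Select-Object -ExpandProperty AcceptanceTransformRules
Get-ADFSRelyingPartyTrust -Name "WIF Sample Claims App" | Select-Object -ExpandProperty IssuanceAuthorizationRules
```

The authorization rule's regular expression is case-insensitive ((?i)), exactly as the wizard writes it; if you hand-write such rules, anchor them with ^ and $ as above so that a value like ITADMIN-TEMP does not match.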


Task 8: Verify restrictions and accessibility to the claims aware application


1. On 6426C-NYC-CL1, log on with user name CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer and attempt to access the sample application by entering the following URL: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, enter CONTOSO\Betsy with password Pa$$w0rd. You should be able to access the application.
4. Log off from the 6426C-NYC-CL1 virtual machine.
5. Now log on to the 6426C-NYC-CL1 virtual machine with user name CONTOSO\Aaron with password Pa$$w0rd.
6. Launch Internet Explorer and in the browser address bar type https://nyc-dc1.contoso.com/ContosoClaimApp.
7. You receive an Access Denied error. This is because CONTOSO\Aaron is not a member of the ITAdmins_ContosoGG group.

Results: After this exercise, you configured a Token signing certificate and configured a Claims provider trust for Contoso.com. You also configured the sample application to trust incoming claims and configured a relying party trust and associated claim rules. You also tested access to the sample WIF application in a single organization scenario. You then created further rules for the relying party trust and verified the application access restrictions.


Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application
Scenario

You have now tested a single-organization implementation of AD FS, but you are looking to extend that to a business-to-business scenario. Your organization is looking to access an application in the WoodgroveBank domain and you need to ensure that both organizations are configured to allow access.

The main tasks for this exercise are as follows:
1. Add a claims provider trust for NYC-DC1.Contoso.com on 6426C-MIA-DC1.
2. Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claim aware application.
3. Verify access to Woodgrove Bank's claim aware application by Contoso users.

Task 1: Add a claims provider trust for NYC-DC1.Contoso.com on 6426C-MIA-DC1


1. On the 6426C-MIA-DC1 virtual machine, log on with username WOODGROVEBANK\Administrator using password Pa$$w0rd.
2. In the AD FS 2.0 Management console, go to Trust Relationships, go to Claims Provider Trusts, and then choose to Add Claims Provider Trust.
3. Complete the Add Claims Provider Trust Wizard with the following settings:
   - Choose Import data about the claims provider published online or on a local network and enter https://nyc-dc1.contoso.com as the data source.
   - In Display Name enter nyc-dc1.contoso.com.
   - Complete the wizard.
4. In the Edit Claim Rules for the nyc-dc1.contoso.com properties dialog, use the following values:
   - Add a Rule to the Acceptance Transform Rules.
   - Choose Pass Through or Filter an Incoming claim in the Claim rule template list.
   - Use Pass through Windows account name rule as the claim rule name.
   - Choose Windows account name as the incoming claim type and then choose to Pass through all claim values.
   - Complete the rule.
5. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules. At the prompt, type the following command, and then press ENTER.

   Set-ADFSClaimsProviderTrust -TargetName nyc-dc1.contoso.com -SigningCertificateRevocationCheck None


Task 2: Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claim aware application
1. On the 6426C-NYC-DC1 virtual machine, log on with user name CONTOSO\Administrator using password Pa$$w0rd.
2. In the AD FS 2.0 Management console, open the Add Relying Party Trust Wizard and complete it with the following settings:
   - Choose to Import data about the relying party published online or on a local network and type in https://mia-dc1.woodgrovebank.com.
   - Specify a Display name of Woodgrove Bank Claim App B2B.
   - Choose to Permit all users to access this relying party.
   - Select the Open the Edit Claim Rules for Woodgrove Bank Claim App B2B when the wizard is complete check box.
3. In the Edit Claim Rules for Woodgrove Bank Claim App B2B properties dialog box, on the Issuance Transform Rules tab, click to add a rule with the following settings:
   - Choose Pass Through or Filter an Incoming claim in the claim rule template list.
   - In the Claim rule name box, type Pass through Windows account name rule.
   - Choose Windows account name in Incoming claim type.
   - Choose to Pass through all claim values.
   - Complete the wizard.

Task 3: Verify access to Woodgrove Bank's claim aware application by Contoso users
1. On the 6426C-NYC-CL1 virtual machine, log on with username CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer and in the browser address bar type: https://mia-dc1.woodgrovebank.com/woodgrovebankclaimsapp
3. Choose NYC-DC1.Contoso.com on the home realm discovery page.
4. Use the credentials CONTOSO\Betsy with password Pa$$w0rd to view the page.
5. Close Internet Explorer and re-connect to the application using the same credentials as in the previous step. What is different this time?
6. Delete all cookies in the Internet Options General tab.
7. Connect to the application again using the same credentials as before and verify that you are able to access the application.
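Tasks 1 and 2 of this exercise done with the AD FS 2.0 cmdlets instead of the wizards, as an added example that is not part of the course. It assumes both federation servers publish their metadata at the standard AD FS 2.0 path (the wizard derives the same URL from the host name typed in the lab), and the two function names are constructed for this example.

```powershell
# Added example, not from the course: Exercise 4 Tasks 1 and 2 with the AD FS 2.0 cmdlets.
# Two sides, two servers. Part A runs on 6426C-MIA-DC1 (Woodgrove Bank, the resource side that
# trusts Contoso as a claims provider); Part B runs on 6426C-NYC-DC1 (Contoso, the account side
# that adds Woodgrove Bank's application as a relying party).
# Assumption: both federation servers publish metadata at the standard AD FS 2.0 path below.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$metadataPath       = '/FederationMetadata/2007-06/FederationMetadata.xml'
$windowsAccountType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# The same pass-through rule both sides use: forward Windows account name claims unchanged.
$passThroughWindowsAccount = @"
@RuleName = "Pass through Windows account name rule"
c:[Type == "$windowsAccountType"]
 => issue(claim = c);
"@

# Part A, on 6426C-MIA-DC1: trust nyc-dc1.contoso.com as a claims provider (Task 1).
function Add-ContosoClaimsProviderTrust {
    Add-ADFSClaimsProviderTrust -Name 'nyc-dc1.contoso.com' `
        -MetadataUrl "https://nyc-dc1.contoso.com$metadataPath" `
        -AcceptanceTransformRules $passThroughWindowsAccount

    # Lab-only setting, the command from Task 1 step 5: the course disables revocation checking of
    # Contoso's token-signing certificate in this environment. In production keep the default
    # check; a signing certificate that can never be revoked stays trusted after a compromise.
    Set-ADFSClaimsProviderTrust -TargetName 'nyc-dc1.contoso.com' -SigningCertificateRevocationCheck None

    # Confirm what was imported: identifier comes from the partner's metadata, not from the name typed.
    Get-ADFSClaimsProviderTrust -Name 'nyc-dc1.contoso.com' |
        Select-Object Name, Identifier, SigningCertificateRevocationCheck
}

# Part B, on 6426C-NYC-DC1: add Woodgrove Bank's application as a relying party and pass the
# Windows account name through to it (Task 2).
function Add-WoodgroveRelyingPartyTrust {
    # "Permit all users to access this relying party", as chosen in the wizard.
    $permitAll = @"
@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
    Add-ADFSRelyingPartyTrust -Name 'Woodgrove Bank Claim App B2B' `
        -MetadataUrl "https://mia-dc1.woodgrovebank.com$metadataPath" `
        -IssuanceAuthorizationRules $permitAll `
        -IssuanceTransformRules $passThroughWindowsAccount

    Get-ADFSRelyingPartyTrust -Name 'Woodgrove Bank Claim App B2B' |
        Select-Object Name, Identifier, IssuanceTransformRules
}

# On 6426C-MIA-DC1:  Add-ContosoClaimsProviderTrust
# On 6426C-NYC-DC1:  Add-WoodgroveRelyingPartyTrust
```

Importing from metadata is what lets each side pick up the other's token-signing certificate and endpoints without retyping them; the Select-Object at the end of each part is the quick check that the identifier and certificate came from the expected partner before any user tries the application in Task 3.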

Results: After this exercise, you configured a claims provider trust for Contoso on Woodgrove Bank and a relying party trust for Woodgrove Bank on Contoso. Finally, you verified access to the Woodgrove Bank claim aware application.


Module Review and Takeaways

Review Questions
1. You are troubleshooting an AD FS 2.0 user-reported issue. You have checked the AD FS 2.0 Admin log but there is not enough information to diagnose the issue. What are two other options for gathering additional troubleshooting information?
2. You are reviewing your design options for an upcoming AD FS 2.0 deployment. What are the two supported AD FS 2.0 designs?
3. A company is about to federate with another company using AD FS 2.0. The design does not call for the use of federation service proxy servers. Can the companies still take advantage of all of the AD FS 2.0 features?

Real-world Issues and Scenarios


1. Tailspin Toys is deploying a new claims-based web application in the perimeter network. The application relies on a SQL database back end for data storage. The company wants to give a partner company access to the web application. However, in initial testing, the partner company's users are reporting issues when they attempt to use the web application to request data from the database. What AD FS 2.0 technology can solve this problem?
2. Fabrikam is examining the requirements for AD FS 2.0. The company wants to use a federation proxy server for maximum security. Currently, Fabrikam has an internal network with internal DNS servers. Their Internet-facing DNS is hosted by a hosting company. The perimeter network uses the hosting company's DNS servers for DNS resolution. What must the company do to prepare for the deployment?
3. Contoso is in the planning phase of a major project and trying to determine if AD FS 2.0 is the proper solution. There are two phases to the project. Phase 1 is a deployment of SharePoint 2010 and will be utilized by internal employees and customers. Phase 2 is a custom client-server application written in Java. The server will reside in the perimeter network. Internal employees and customers will use the client-server application. Can AD FS 2.0 be a part of either of these phases?


Module 6
Deploying and Configuring Active Directory Rights Management Services
Contents:
Lesson 1: Overview of Active Directory Rights Management Services  6-3
Lesson 2: Deploying and Configuring Active Directory Rights Management Services  6-12
Lesson 3: Configuring AD RMS Rights Policy Templates and Exclusion Policies  6-21
Lesson 4: Configuring Active Directory Rights Management Services Trust Policies  6-28
Lesson 5: Troubleshooting Active Directory Rights Management Services  6-35
Lab: Deploying and Configuring Active Directory Rights Management Services  6-41


Module Overview

Configuring Active Directory Rights Management Services (AD RMS) requires knowledge of AD RMS and the installation and configuration of AD RMS server components. Further, knowledge of AD RMS administration and implementation of AD RMS trust policies aids in configuring AD RMS to meet the particular business objectives of the deployment.

Objectives
After completing this module, you will be able to:
- Describe Active Directory Rights Management Services.
- Deploy and configure Active Directory Rights Management Services.
- Configure Active Directory Rights Management Services Rights Policy Templates and Exclusion Policies.
- Configure Active Directory Rights Management Services Trust Policies.
- Resolve common Active Directory Rights Management Services issues.


Lesson 1

Overview of Active Directory Rights Management Services

You can protect information by using AD RMS. Usage scenarios of AD RMS include email message protection, rights enforcement, and content protection. AD RMS has several components that work together to provide a comprehensive information rights management (IRM) solution. AD RMS works with other IDA technologies including AD DS, AD CS, and AD FS.

Objectives
After completing this lesson, you will be able to:
- Describe how access management is enforced by using AD RMS.
- Describe the usage scenarios for AD RMS.
- Describe the AD RMS components.
- Describe AD RMS certificates and licenses.
- Describe the AD RMS workflow.
- Describe AD RMS integration.


How Access Management is Enforced by Using AD RMS

Key Points
AD RMS is an information rights management (IRM) solution that can protect email messages, supported attachments, and sensitive documents in supported formats. It ties into AD RMS-aware applications and services such as Microsoft Office SharePoint Server 2007 (MOSS 2007), Microsoft SharePoint Server 2010, and Microsoft Exchange Server.

AD RMS uses three methods to enforce access management:

- Establishes trusted participants: Trusted participants can be a single user, a group of users, computers, or applications. AD RMS can ensure that only trusted participants can access AD RMS-protected content.
- Assigns persistent usage rights and conditions: AD RMS utilizes persistence to ensure that the assigned usage rights and conditions remain with the protected content no matter where the protected content resides. Rights for protected content can include the ability to read, copy, print, save, forward, and edit. AD RMS conditions are the expiration dates of the protected content. After the expiration date, protected content can no longer be accessed, even by trusted participants.
- Encrypts information: AD RMS uses encryption to protect content. Trusted participants can decrypt the protected content using a supported application or Internet Explorer.

Question: What are some uses for expiring protected content?


Usage Scenarios for AD RMS

Key Points
AD RMS offers organizations several benefits to enhance security and data confidentiality, including:

- Secure confidential files: Files can be protected with AD RMS and then stored on a file server, on a client computer, or even on a portable hard drive. If a confidential file that is protected with AD RMS is lost or stolen, it remains protected and inaccessible.
- Secure email messages: Protecting email messages is vital because email is the most widely used communication platform in business today. Confidential information is routinely sent by unprotected email. Additionally, confidential attachments are common. AD RMS ensures that an email message and its attachments can only be consumed by an authorized recipient.
- Safeguard intranet content: Security is best as a multi-layered approach. By also securing intranet content, AD RMS covers three of the most widely used mediums for storing and sending data. Intranet content is content that resides in MOSS 2007 or SharePoint Server 2010.
- Identity federation support: Federation allows two organizations to share AD RMS-protected content over the Internet. Identity federation extends the functionality of AD RMS by enabling secure collaboration. Identity federation uses AD FS for the federation and AD RMS as the IRM technology.

Question: If an authorized user leaves his computer unlocked and an unauthorized user copies some AD RMS-protected documents from the computer to a portable hard drive, will they be accessible to the unauthorized user on another computer?


AD RMS Components

Key Points

AD RMS has several components. Each component plays a part in the AD RMS workflow, as shown in the following table:

Component: What does it do?

- AD RMS Certification Server Cluster: It is used for AD RMS administration and configuration and handles all of the major AD RMS functions, including licensing, publishing, account certification, and recovery. There is a limit of one AD RMS Certification Server Cluster per AD DS forest.
- AD RMS Licensing-only Cluster: It is used to segment the AD RMS templates. With a single AD RMS Certification Server Cluster, all templates are shared among all users. By deploying a Licensing-only Cluster, templates can be created for use by a specific group of users such as the Legal department or the executive management team. It offers better separation and resource tracking when the AD RMS deployment includes business partners.
- SQL Database: The AD RMS database stores the configuration and log data. A Windows Internal Database can be used in place of SQL Server, but it is not supported in a production environment.
- AD DS: AD DS is an AD RMS prerequisite and is used to store the users and groups used within AD RMS. Clients query AD DS for the service connection point (SCP) to discover registered AD RMS services.
- AD RMS Client: The client, which comes built in to Windows Vista, Windows 7, and Windows Server 2008, is a free download for earlier Windows versions. There is also an add-on client for Internet Explorer. It serves as the client component and interacts with the AD RMS Certification Server Cluster to encrypt and decrypt data.

Question: The Board of Directors has recently requested some AD RMS templates. The templates will be used to apply protection to communication concerning a confidential acquisition that the company is involved in. What component do you utilize to meet the request?


AD RMS Certificates and Licenses

Key Points

The AD RMS components use certificates and licenses to establish identity and allow clients to work with protected content. The following list shows the certificates and licenses that AD RMS uses:

- Server Licensor Certificate: This is the certificate created when the AD RMS Server Cluster is initially created. This certificate signs all of the licenses and certificates granted by the cluster. It contains the public key of the server and can be exported to establish a trust with other AD RMS clusters.
- Machine certificate: On each client computer, the first time an AD RMS-enabled application is used, a machine certificate is created. The machine certificate contains the public key of the client computer.
- Rights Account Certificate: When a user first attempts to consume protected content, the AD RMS client obtains a rights account certificate (RAC) from the AD RMS cluster. By default, a standard RAC is valid for 365 days.
- Client licensor certificate: The client licensor certificate (CLC) is obtained by the client computer while it is connected to the corporate network where the AD RMS cluster resides. It gives the user the right to publish protected content when not connected to the corporate network.
- Publishing license: When an AD RMS client saves rights-protected content, a publishing license is created. The license contains the authorized users that can view the content, the conditions attached to the content (for example, requiring a connection to verify a user's permission upon opening), and the actual rights that the authorized users have to the content (read only or the ability to print are some examples).
- Use license: The use license contains the rights that apply to the protected content. The license relies on the RAC being present. If the RAC is not present, the use license does not open the protected content.

Question: Which certificate should be exported to establish a trust with another organization that uses AD RMS?


AD RMS Workflow

Key Points
The following sequence outlines the AD RMS workflow:

1. When the author initially protects content, the AD RMS cluster issues a RAC and a client licensor certificate (CLC). This establishes the author's AD RMS credentials. The author can now publish secure information offline.
2. The author creates a file and specifies usage rights and conditions by using an AD RMS-enabled application. A publishing license that contains the usage policies is generated. The publishing license is tied to the protected file.
3. The application encrypts the file with a symmetric key, which is encrypted by the public key of the AD RMS cluster. The key is inserted into the publishing license and the publishing license is bound to the file.
4. The author distributes the file. Some distribution methods are email, SharePoint document libraries, and file servers.
5. A recipient obtains the protected file and opens it by using an AD RMS-enabled application. If the recipient does not have a RAC on the current computer, a RAC is issued from the AD RMS cluster.
6. The application requests a use license. This request is sent to the AD RMS cluster that issued the publishing license for the secured information.
7. The AD RMS cluster confirms that the recipient is authorized, checks that the recipient is a named user, and creates a use license. The server decrypts the symmetric key by using the private key of the server, re-encrypts the symmetric key by using the public key of the recipient, and then adds the encrypted symmetric key to the use license. The use license also includes the content expiration (if applicable).
8. After the confirmation is complete, the licensing server returns the use license to the recipient's client computer.
9. After receiving the use license, the application verifies the license and the account certificate of the recipient. This helps determine whether any certificate, in either chain of trust, requires a revocation list. If required, the application checks for a local copy of the revocation list that has not expired. If required, it retrieves a current copy of the revocation list. The application then applies any relevant revocation conditions in the current context. If the revocation conditions allow access to the file, the application renders the data. Users can then apply their granted rights.
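A small in-memory model of steps 3 and 7 through 9, as an added example that is not from the course and is not the AD RMS protocol or license format (real licenses are signed XrML documents, and a real cluster works with the RAC and CLC described earlier). It uses the .NET crypto classes to show the one design property worth understanding: the content key only ever travels wrapped to a public key, and the cluster re-wraps it for a recipient only after checking that recipient against the publishing license. The function names, the sample users and the sample content are constructed for this example.

```powershell
# Added example, not from the course, and not the real AD RMS protocol or license format.
# An in-memory model of steps 3 and 7-9 of the workflow: the content key is wrapped to the
# cluster's public key in the publishing license and re-wrapped to the recipient's public key in
# the use license, and only after the cluster has checked the recipient against the policy.

# Key pairs (constructed in memory): the cluster's SLC key pair and two recipients' keys.
$clusterKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$betsyKey   = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$aaronKey   = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

function Get-PublicKeyOnly([System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair) {
    # What a client legitimately holds about the cluster (and the cluster about a client).
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    return $pub
}

# Steps 2-3 (author side): encrypt with a fresh symmetric key and bind a publishing license that
# carries the policy plus the key wrapped to the cluster's public key (RSA-OAEP).
function Protect-Content {
    param([string]$Text, [string[]]$AuthorizedUsers, [string[]]$Rights, [datetime]$ExpiresOn,
          [System.Security.Cryptography.RSACryptoServiceProvider]$ClusterPublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $publishingLicense = @{
        AuthorizedUsers = $AuthorizedUsers
        Rights          = $Rights
        ExpiresOn       = $ExpiresOn
        IV              = $aes.IV
        WrappedKey      = $ClusterPublicKey.Encrypt($aes.Key, $true)   # only the cluster can unwrap
    }
    return @{ CipherText = $cipher; PublishingLicense = $publishingLicense }
}

# Steps 7-8 (cluster side): issue a use license only to a named recipient of unexpired content,
# re-wrapping the content key to that recipient's public key. The key is never handed out bare.
function Grant-UseLicense {
    param($PublishingLicense, [string]$Requester,
          [System.Security.Cryptography.RSACryptoServiceProvider]$RequesterPublicKey,
          [System.Security.Cryptography.RSACryptoServiceProvider]$ClusterPrivateKey)
    if ($PublishingLicense.AuthorizedUsers -notcontains $Requester) {
        throw "Use license denied: $Requester is not a named user in the publishing license."
    }
    if ((Get-Date) -gt $PublishingLicense.ExpiresOn) {
        throw "Use license denied: content expired on $($PublishingLicense.ExpiresOn)."
    }
    $contentKey = $ClusterPrivateKey.Decrypt($PublishingLicense.WrappedKey, $true)
    return @{
        Rights     = $PublishingLicense.Rights
        ExpiresOn  = $PublishingLicense.ExpiresOn
        IV         = $PublishingLicense.IV
        WrappedKey = $RequesterPublicKey.Encrypt($contentKey, $true)
    }
}

# Step 9 (recipient side): unwrap the content key with the recipient's private key and decrypt.
function Unprotect-Content {
    param([byte[]]$CipherText, $UseLicense,
          [System.Security.Cryptography.RSACryptoServiceProvider]$RecipientPrivateKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $RecipientPrivateKey.Decrypt($UseLicense.WrappedKey, $true)
    $aes.IV  = $UseLicense.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($CipherText, 0, $CipherText.Length)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample: Betsy is a named user, Aaron is not.
$protected = Protect-Content -Text 'Board memo: acquisition terms (confidential)' `
    -AuthorizedUsers @('CONTOSO\Betsy') -Rights @('Read') -ExpiresOn (Get-Date).AddDays(30) `
    -ClusterPublicKey (Get-PublicKeyOnly $clusterKey)

$betsyLicense = Grant-UseLicense -PublishingLicense $protected.PublishingLicense -Requester 'CONTOSO\Betsy' `
    -RequesterPublicKey (Get-PublicKeyOnly $betsyKey) -ClusterPrivateKey $clusterKey
Unprotect-Content -CipherText $protected.CipherText -UseLicense $betsyLicense -RecipientPrivateKey $betsyKey

try {
    Grant-UseLicense -PublishingLicense $protected.PublishingLicense -Requester 'CONTOSO\Aaron' `
        -RequesterPublicKey (Get-PublicKeyOnly $aaronKey) -ClusterPrivateKey $clusterKey
} catch { Write-Output $_.Exception.Message }   # Aaron gets no use license, so the ciphertext is useless to him
```

Two things carry over from the model to the real service. First, possession of the file alone gives nothing: without a use license issued by the cluster that holds the SLC private key, the content key cannot be recovered, which is why a lost laptop or USB drive full of protected files stays protected (the usage scenarios above). Second, the cluster's private key is the single point of failure for every file ever protected, which is why Lesson 2 insists on exporting the SLC and its CSP key before any upgrade or migration.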

Question: Which applications can users use to create AD RMS-protected content?


AD RMS Integration

Key Points
Extending AD RMS to partner organizations, mobile devices, and to AD RMS-aware applications brings new benefits and enhancements.

- Identity Federation: Module 5 covered identity federation and technologies such as AD FS. AD RMS can work in parallel with AD FS to extend the features to partner organizations that are also using AD RMS. This allows both organizations to share AD RMS-protected content through email, SharePoint, or other file distribution methods.
- Microsoft Office SharePoint Server: Windows SharePoint Services, which comes as a server role in Windows Server 2008 and Windows Server 2008 R2, does not support AD RMS integration. However, there are two forms of support for AD RMS integration with SharePoint Server and one way of using AD RMS-protected documents without integration:
  - Document libraries: With AD RMS integration, SharePoint document libraries can be configured with IRM policies which control the protection applied to supported document types that are uploaded to or downloaded from the document libraries.
  - Attachments to list items: With AD RMS integration, attachments to list items can be protected. The SharePoint administrator can enable IRM for the list.
  - Uploading protected content without integration: Users can upload AD RMS-protected content to SharePoint even if SharePoint is not integrated with AD RMS. However, there are some drawbacks to this approach: the documents cannot be searched or indexed, the protection is manually performed by the user, and a single document library can contain documents with different use policies and different authorized users.
- Microsoft Exchange Server: Integrating with Exchange Server is supported for Exchange Server 2007 and Exchange Server 2010. The integration provides the ability to set up IRM-based transport rules for automatic protection of messages based on pre-configured rules. Integration has other benefits including the ability to read (Exchange Server 2007 and Exchange Server 2010) and send (Exchange Server 2010 only) protected email messages from OWA.


- Windows Mobile: The AD RMS features are embedded as part of the Windows Mobile operating system. Smartphones running Windows Mobile 6.0 or later can consume AD RMS-protected content. In addition, they can send and receive AD RMS-protected email messages. Windows Mobile cannot utilize AD RMS templates to protect email messages. Instead, users must rely on a single protection option: Do not forward. At the time of this writing, Windows Phone 7 does not support AD RMS.

Question: If you want to use AD RMS to send protected email messages, why would you choose to manually protect email messages within Outlook instead of automatically protecting email messages by using IRM-based transport rules?


Lesson 2

Deploying and Configuring Active Directory Rights Management Services

Successfully deploying AD RMS requires a thorough understanding of the available deployment scenarios and a solid understanding of the cluster configuration process as well as the upgrade and migration options.

Objectives
After completing this lesson, you will be able to:
- Describe the AD RMS deployment scenarios.
- Install the first server of an AD RMS cluster.
- Describe the upgrade and migration options and steps for AD RMS.
- Configure AD RMS clusters.
- Implement the AD RMS client.


AD RMS Deployment Scenarios

Key Points

The standard topology for AD RMS consists of one or more physical servers that make up the AD RMS cluster. When relying on AD RMS for mission-critical applications, it is important to cluster the AD RMS deployment. The deployment options for AD RMS are:

- AD RMS in a single forest: This scenario contains a single server or has multiple servers in a single AD RMS cluster. A cluster provides fault tolerance and high availability.
- AD RMS licensing-only cluster: This scenario is used to distribute licensing services. Unlike the root cluster, which provides all AD RMS services, servers in a licensing-only cluster provide only licensing and publishing services. Licensing-only clusters are optional and are deployed to manage specific licensing requirements. These requirements include:
  - The support of exclusive rights-management requirements of a department (such as exclusive departmental templates).
  - The support of rights management for external business partners as part of an extranet that requires a strong separation and resource tracking for specific business partners.
  - The removal of root cluster licensing tasks.
- AD RMS in a multi-forest environment: This scenario requires the use of AD RMS root clusters in each forest. AD RMS trust policies must be configured so that certificates and licenses generated by each AD RMS cluster can be trusted.
- AD RMS in an extranet: This scenario is an extension of an AD RMS cluster to the Internet. In this scenario, users can consume rights-protected content if not connected to the internal network. This deployment supports the collaboration of partners or customers that need to exchange protected content through file transfer, email messages, or websites.
- AD RMS by using Active Directory Federation Services (AD FS): This scenario is an optional service role that allows federated identities to consume rights-protected content by using AD FS.


Question: In a deployment scenario where AD RMS would be deployed in a multi-forest environment, what is the minimum number of AD RMS servers that can be used?


Demonstration: How to Install the First Server of an AD RMS Cluster

Key Points
The following demonstration shows you how to install the first server of an AD RMS cluster.

Demonstration Steps
Use DNS to Add a CNAME for the AD RMS Cluster
1. Start the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines and log on to 6426C-NYC-DC1.
2. On 6426C-NYC-DC1, open the DNS Manager and then create a new alias (CNAME) rms.contoso.com pointing to NYC-SVR1.contoso.com.

Install the AD RMS Server Role
1. Log on to the 6426C-NYC-SVR1 virtual machine.
2. On the 6426C-NYC-SVR1 virtual machine, add the Active Directory Rights Management Services role.
3. Create a new AD RMS cluster and select to use the Windows Internal Database.
4. Specify a service account of CONTOSO\adrms-svc with Pa$$w0rd for the password.
5. Select the option Use AD RMS centrally managed key storage and then type Pa$$w0rd as the AD RMS cluster key password.
6. Use the default website, use rms.contoso.com for the RMS cluster address, and then specify to use an unencrypted connection.
7. Name the server licensor certificate NYC-SVR1 and then choose to register the SCP now.
8. Complete the installation.
9. Log off from the 6426C-NYC-SVR1 virtual machine.


Upgrading and Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2

Key Points

There are two ways to move from AD RMS on Windows Server 2008 to AD RMS on Windows Server 2008 R2. Both a migration and an upgrade are options, and each option requires some preparation work prior to commencing.

Preparing to migrate or upgrade an AD RMS cluster
1. Back up the AD RMS configuration database: This is a precaution in case the upgrade or migration fails and you have to roll back to using AD RMS on Windows Server 2008.
2. Export the server licensor certificate (SLC): The SLC is used to decrypt all content protected by the AD RMS cluster. If it is lost, protected content cannot be decrypted. Exporting it prior to performing the upgrade is a good preventative measure.
3. Export and install the software-based CSP key: If you are using a software-based CSP key, it must also be exported prior to performing the upgrade or migration. It stores the AD RMS private key and must be installed on the new or upgraded AD RMS server.

Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2
1. Install Windows Server 2008 R2 on a new computer: This step is part of a migration sometimes known as a swing migration.
2. Install AD RMS and join the computer to the existing AD RMS cluster: Thereafter, the original AD RMS server can be removed from the cluster and taken out of service.
3. Join additional servers to the AD RMS cluster: This step allows you to add servers for high availability.


Upgrading AD RMS from Windows Server 2008 to Windows Server 2008 R2
1. Upgrade the existing AD RMS server to Windows Server 2008 R2: Insert the installation media and perform the operating system upgrade.
2. Run the AD RMS Upgrade Wizard: This step is crucial because if the upgrade wizard is not run, AD RMS does not function.
3. Upgrade the remaining AD RMS servers to Windows Server 2008 R2: All AD RMS servers must be running the same version of Windows.

Question: What are some factors to help determine whether an upgrade or a migration is the right path when upgrading AD RMS?


Configuring the AD RMS Cluster

Key Points
The principal tool to administer AD RMS features is the AD RMS console. The following are common configuration tasks:

1. Administering Certificates: Administration of certificates includes tasks such as exporting the SLC, configuring the RAC validity periods, and renewing certificates.
2. Enabling Exclusion Policies: Exclusion policies allow you to deny certain entities the capability to acquire certificates and licenses.
3. Establishing Trust Policies: Trust Policies allow you to activate a trust relationship between your AD RMS cluster and an AD RMS cluster in another domain. It is also possible to activate such relationships with a cluster that is part of a different organization.
4. Managing the AD RMS databases: The databases contain configuration, logging, and directory services information.
5. Configuring Accounts: Accounts are used for the operation and maintenance of an AD RMS cluster.
6. Configuring Rights Policy Templates: Templates are used to control the rights a user or group has on a particular piece of rights-protected content.
7. Configuring AD RMS Across Forests: There are four steps to perform when configuring AD RMS to work across forest boundaries:
   1. Create a trusted user domain between each AD RMS installation: Each AD RMS administrator has to export their trusted user domain enterprise certificate, send each other the exports, and then import the certificate from the other administrator.
   2. Enable anonymous access on the AD RMS licensing pipeline: This step involves modifying two files for anonymous access: license.asmx and servicelocator.asmx.


   3. Extend the Active Directory schema: The schema extension adds a new attribute named msExchOriginatingForest. This step is performed only if Exchange Server 2003, 2007, or 2010 has never been installed in the forest. If Exchange has been installed in the forest, the schema update was already performed at that time (schema extensions are not removed when Exchange is uninstalled).
   4. Create contact objects and distribution groups: Each user and group that uses AD RMS must exist as either an AD DS user account or a contact. This allows each AD RMS installation to locate AD RMS users in the forest in which they reside.
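Added example, not from the course: a PowerShell script that performs the checkable parts of steps 2 to 4 above. Steps 3 and 4 need the Active Directory module (a Windows Server 2008 R2 domain controller or RSAT); step 2 runs on the AD RMS server with the WebAdministration module. The partner domain fabrikam.com, the sample user list, the contact OU and the web site name are constructed placeholders.

```powershell
# Added example (not course material): cross-forest AD RMS preparation.
Import-Module ActiveDirectory

# Step 3: is msExchOriginatingForest already in the schema? Schema extensions are never
# removed when Exchange is uninstalled, so a forest that once held Exchange 2003/2007/2010
# still has the attribute and needs no further schema update.
function Test-RmsCrossForestSchema {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msExchOriginatingForest)' `
                         -ErrorAction SilentlyContinue
    return [bool]$attr
}

# Step 4: a contact per partner-forest user (or group) so this forest's AD RMS cluster can
# resolve the e-mail identities named in publishing licenses and templates.
function New-RmsPartnerContacts {
    param(
        [string]$ContactOU = 'OU=RMS Contacts,DC=contoso,DC=com',                      # assumed OU
        [string[]]$PartnerAddresses = @('alice@fabrikam.com', 'bob@fabrikam.com')    # constructed sample
    )
    foreach ($mail in $PartnerAddresses) {
        $existing = Get-ADObject -SearchBase $ContactOU -LDAPFilter "(&(objectClass=contact)(mail=$mail))"
        if (-not $existing) {
            New-ADObject -Name $mail.Split('@')[0] -Type contact -Path $ContactOU `
                -OtherAttributes @{ mail = $mail; proxyAddresses = "SMTP:$mail" }
        }
    }
}

# Step 2 (run on the AD RMS server): anonymous access on the two licensing pipeline files,
# written into applicationHost.config for the _wmcs/licensing application. Site name assumed.
function Enable-RmsAnonymousLicensing {
    param([string]$Site = 'Default Web Site')
    Import-Module WebAdministration
    foreach ($file in 'license.asmx', 'servicelocator.asmx') {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location "$Site/_wmcs/licensing/$file" `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name enabled -Value $true
    }
}

if (Test-RmsCrossForestSchema) { 'Schema already extended (Exchange was here once); skip step 3.' }
else                           { 'msExchOriginatingForest is missing; extend the schema before continuing.' }
```

Only the licensing pipeline is opened to anonymous callers; the certification pipeline stays authenticated, which is why the script touches just the two files the step names.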

Question: An organization is planning to extend their existing AD RMS installation to another forest. A few years ago, the organization ran Exchange Server 2003 but it was uninstalled and replaced by a third-party email server. Does the organization need to extend their AD DS schema before implementing AD RMS across forests?

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Implementing the AD RMS Client

Key Points

An IT professional must understand the purpose of the AD RMS client, the installation options, the options to deploy the client, and the availability of the client on mobile devices. The purpose of the AD RMS client is to create and manage the certificates and lockbox on the client computer while also serving as the interface to AD RMS-compatible applications such as SharePoint and Exchange Server.

The AD RMS client is included in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. It is also available as a free download for Windows 2000, Windows XP, and Windows Server 2003. There are many ways to implement the AD RMS client:

- Deploy it by using System Center Configuration Manager (SCCM) 2007: SCCM can fully automate the installation and provide detailed reports on the deployment status.
- Unattended installation script: By using an unattended installation script, an IT professional can minimize the effort needed to deploy the AD RMS client. This method is useful for organizations that do not have SCCM or that already use this method for other software installations.
- Group Policy: Distributing software by Group Policy is efficient and provides two distribution methods: publishing (optional installation) or assigning (mandatory installation).
- Embed the client in the operating system image: Some organizations prefer to embed as much software as possible in their operating system images. This is a feasible method for some organizations. One drawback is that if the AD RMS client has to be reinstalled (or later updated), an automated installation method is not already in place, as it is with the previous methods.

For mobile devices, the AD RMS client is available on Windows Mobile 6.0 and higher. It is built in to the operating system, so the IT professional does not need to prepare a deployment. For devices running earlier versions of Windows Mobile, an AD RMS client is not available.

Question: Are there any scenarios where an organization would need to deploy both the AD RMS client and the AD RMS add-on for Internet Explorer?


Lesson 3

Configuring AD RMS Rights Policy Templates and Exclusion Policies

Successfully administering AD RMS requires a thorough understanding of AD RMS templates and policies, including the ability for users to work offline.

Objectives
After completing this lesson, you will be able to:

- Describe rights policy templates.
- Create a rights policy template.
- Provide rights policy templates for offline use.
- Describe exclusion policies.
- Create an exclusion policy.


What Are Rights Policy Templates?

Key Points
Rights policy templates control access by dictating the rights and conditions of use. They can be distributed in a few ways, based on the operating systems used in an organization.

Rights policy templates are used to control the rights of users and groups to a particular piece of rights-protected content. They can include various conditions, such as specific recipients or AD DS groups. Other conditions are the period for which a use license for the content remains valid and the period after publication during which the content can be consumed. The use rights available include Full Control, View, Edit, Save, Print, Forward, and Reply.

The rights policy templates can be stored in the configuration database or in a shared folder. Users must have access to the templates to be able to access rights-protected content. However, many administrators prefer to place the template files on each client computer so that they can be used for offline and online publishing of rights-protected content. AD RMS-enabled clients running Windows Server 2008, Windows Vista SP1, and Windows 7 can use the template distribution pipeline to automatically update their rights policy templates. If a rights policy template has changed or is deleted, the client automatically detects these changes and updates the local rights policy templates.

All versions of the RMS client prior to Windows Server 2008 and Windows Vista SP1 use the previous method for rights policy template distribution: they can use Group Policy or Systems Management Server (SMS). Starting with Windows Server 2008, an IT professional can distribute rights policy templates to client computers and archive any rights policy templates that should not be distributed. By default, all rights policy templates are distributed. A rights policy template should not be deleted, because any content protected by that rights policy template will no longer be accessible; archive it instead.

Question: Can an organization utilize AD RMS without using rights policy templates? And if so, what limitations exist in that situation?


Demonstration: How to Create a Rights Policy Template

Key Points

The following demonstration shows you how to create a rights policy template. To perform this demonstration you must have already completed Demonstration: How to Install the First Server of an AD RMS Cluster.

Demonstration Steps

Configure a Distributed Rights Policy Template

1. Ensure that the 6426C-NYC-DC1 virtual machine is still running and log on to 6426C-NYC-SVR1.
2. On the 6426C-NYC-SVR1 virtual machine, open the Active Directory Rights Management Services console.
3. In the Distributed Rights Policy Templates window, set \\NYC-DC1\Templates as the location to store policy templates and enable them to be exported.
4. Create a Distributed Rights Policy Template with the following details:
   Name: Confidential Projects
   Description: Contoso Pharmaceuticals IT Department
   Users and rights:
   ITAdmins@Contoso.com: Edit rights
   Anyone: View rights
5. Set the policy to expire after 14 days and finish the creation wizard.
6. Go to \\NYC-DC1\Templates to view the template you just created.
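Added example, not part of the course: the same "Confidential Projects" template created through the ADRMSAdmin PowerShell provider that ships with Windows Server 2008 R2 instead of the console, run on NYC-SVR1 as an AD RMS Enterprise Administrator. The cluster URL is the lab's. The item property names (ExportEnabled, ExportPath) and the New-Item parameters (-UserGroup, -Right, -ContentExpirationType, -ContentExpirationDays) are assumed from the provider's documentation and should be confirmed with Get-Help New-Item -Path AdrmsCluster:\RightsPolicyTemplate before use.

```powershell
# Added example (not course material): rights policy template via the ADRMSAdmin provider.
Import-Module AdRmsAdmin
New-PSDrive -Name AdrmsCluster -PSProvider AdRmsAdmin -Root 'http://rms.contoso.com' | Out-Null

# Steps 3: turn on export and point it at the share the clients and Group Policy will read.
# (Property names assumed; see Get-ItemProperty AdrmsCluster:\RightsPolicyTemplate.)
Set-ItemProperty -Path AdrmsCluster:\RightsPolicyTemplate -Name ExportEnabled -Value $true
Set-ItemProperty -Path AdrmsCluster:\RightsPolicyTemplate -Name ExportPath    -Value '\\NYC-DC1\Templates'

# Steps 4-5: one user group per -UserGroup entry, matched positionally by a rights array in -Right.
# ANYONE is the provider's spelling of the console's "Anyone" entry. Content expires 14 days
# after it is protected. (Parameter names assumed.)
New-Item -Path AdrmsCluster:\RightsPolicyTemplate `
    -LocaleName 'en-US' `
    -DisplayName 'Confidential Projects' `
    -Description 'Contoso Pharmaceuticals IT Department' `
    -UserGroup 'ITAdmins@contoso.com', 'ANYONE' `
    -Right @('EDIT'), @('VIEW') `
    -ContentExpirationType Days `
    -ContentExpirationDays 14

# Step 6: the template is listed on the cluster, and after the next export cycle an .xml file
# for it appears in the share.
Get-ChildItem AdrmsCluster:\RightsPolicyTemplate | Format-Table DisplayName, Description -AutoSize
Get-ChildItem '\\NYC-DC1\Templates\*.xml' | Select-Object Name, LastWriteTime
```

Scripting the template keeps its definition in source control, which matters because a template that is later deleted rather than archived makes the content it protected unreadable.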


Manage Archived Rights Policy Templates

1. On the 6426C-NYC-SVR1 virtual machine, archive the policy template that you have just created.
2. View the properties of the template that you have just archived and go through the tabs.

Question: What is a reason to archive rights policy templates?


Providing Rights Policy Templates for Offline Use

Key Points

There are a few options to understand when preparing to provide offline use for rights policy templates:

1. Distributing rights policy templates: You must distribute the rights policy templates to the computers that use the templates. You must create a shared folder on a server for storing rights policy templates.
2. Define share settings in the AD RMS console: You must define the share settings (the export location) in the AD RMS console.
3. Locally deploying template files: You should deploy template files to client computers so that the client computer can maintain the template files on its local hard drive. This allows users to use the templates even if they are not connected to the network. If a template is subsequently modified, you should redeploy each template to the client computers to ensure that users have the latest version of the template. AD RMS clients running on Windows Vista with SP1, Windows 7, Windows Server 2008, and Windows Server 2008 R2 automatically detect changes to templates. Those systems automatically update the rights policy templates while connected to the network.
4. Locating templates: AD RMS clients try to locate template locations in the following registry places (12.0 is Office 2007, 14.0 is Office 2010):
   HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM\AdminTemplatePath
   or
   HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM\AdminTemplatePath

Question: What are the disadvantages of using a shared folder as the only location of rights policy templates?


What Are Exclusion Policies?

Key Points
AD RMS exclusion policies prevent the acquisition of new licenses from an AD RMS cluster. Only new license requests are denied; any existing licenses are still valid. Exclusion policies are very useful for disabling the rights of terminated users or preventing specific applications from accessing protected content. The types of exclusion policies are as follows:

1. By user: A user's RAC can be excluded by excluding its public key. This kind of exclusion policy is used when a trusted user's AD RMS credentials are compromised.
2. By application: Excluding by application allows an IT professional to specify that a specific version of an AD RMS-enabled application is required to acquire a use license. An example is configuring exclusion for older versions of the AD RMS client. This prevents users of older AD RMS clients from protecting content until they are running a supported version.
3. By lockbox version: The lockbox stores the user's private key. You can exclude certain lockbox versions that correspond to the version of the AD RMS client (which makes this a second way to exclude based on the version of the AD RMS client). Users of an excluded lockbox version cannot protect content until they update to a supported version.

Note: A fourth exclusion policy was available in Windows Server 2008 but is no longer available in Windows Server 2008 R2. That option allowed an exclusion to be created to exclude specific versions of Windows. For example, an exclusion policy could be created to exclude Windows XP.

Question: Besides security, what are other benefits of exclusion policies?


Demonstration: How to Create an Exclusion Policy to Exclude an Application

Key Points

The following demonstration shows you how to create an exclusion policy to exclude an AD RMS-enabled application. To perform this demonstration you must have already completed Demonstration: How to Install the First Server of an AD RMS Cluster.

Demonstration Steps

1. On the 6426C-NYC-SVR1 virtual machine, open the Active Directory Rights Management Services console.
2. Enable Application Exclusion.
3. Create an Application Exclusion for the following application:
   Application file name: test.exe
   Minimum version: 1.2.0.0
   Maximum version: 1.2.1.0
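Added example, not part of the course: the application exclusion from the demonstration created with the ADRMSAdmin PowerShell provider on NYC-SVR1. The cluster URL is the lab's. The IsEnabled property and the New-Item parameters (-ApplicationName, -MinVersion, -MaxVersion) are assumed from the provider's documentation; confirm them with Get-Help New-Item -Path AdrmsCluster:\ExclusionPolicy\Application before use.

```powershell
# Added example (not course material): application exclusion via the ADRMSAdmin provider.
Import-Module AdRmsAdmin
New-PSDrive -Name AdrmsCluster -PSProvider AdRmsAdmin -Root 'http://rms.contoso.com' | Out-Null

# Step 2: exclusions of a given type are only enforced once that type is enabled.
# (Property name assumed.)
Set-ItemProperty -Path AdrmsCluster:\ExclusionPolicy\Application -Name IsEnabled -Value $true

# Step 3: refuse new use licenses to test.exe versions 1.2.0.0 through 1.2.1.0 inclusive.
# Licenses already issued remain valid; only new requests are denied. (Parameter names assumed.)
New-Item -Path AdrmsCluster:\ExclusionPolicy\Application `
    -ApplicationName 'test.exe' -MinVersion '1.2.0.0' -MaxVersion '1.2.1.0'

# Verify what the cluster now excludes.
Get-ChildItem AdrmsCluster:\ExclusionPolicy\Application | Format-Table -AutoSize
```

The version range is the check to get right: an exclusion that stops short of the newest vulnerable build leaves a gap, and one that reaches into a supported build locks users out of protecting content until they upgrade.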

Question: If an organization excludes version 1.0 of an AD RMS-enabled application, what limitations are placed on users that use version 1.0 of the application?


Lesson 4

Configuring Active Directory Rights Management Services Trust Policies

Configuring AD RMS trust policies requires knowledge of the types of trust policies and of how trusted user domains and trusted publishing domains interact. Knowledge about the configuration of trust policies and the deployment of AD RMS by using AD FS is important to ensure a successful deployment of AD RMS with AD FS.

Objectives

After completing this lesson, you will be able to:

- Describe AD RMS trust policies.
- Describe the interaction for trusted user domains.
- Describe the interaction for trusted publishing domains.
- Configure trust policies.
- Describe the process of deploying AD RMS with AD FS.


What Are AD RMS Trust Policies?

Key Points

Several trust hierarchies can be implemented for an organization. A trust hierarchy contains an AD RMS cluster. An AD RMS cluster issues RACs to users. By default, an AD RMS cluster does not service requests for users with RACs from an AD RMS cluster in a different trust hierarchy. However, you can create trust policies so that an AD RMS cluster trusts and processes licensing requests from users or groups from a different AD RMS cluster. You can define the following trust policies:

1. Trusted user domains: You can add a trusted user domain so that the AD RMS root cluster processes requests for CLCs. A trusted user domain also allows the AD RMS root cluster to process license requests from users with RACs issued by a different AD RMS root cluster. You can add a trusted user domain by importing the server licensor certificate (SLC) of the AD RMS cluster to be trusted.
2. Trusted publishing domains: You can add a trusted publishing domain so that an AD RMS cluster can issue use licenses against publishing licenses from a different AD RMS cluster. You can add a trusted publishing domain by importing the SLC and the private key of the server to be trusted.
3. Windows Live ID: You can configure a trust with Windows Live ID so that an AD RMS user can send rights-protected content to a user who has a Windows Live ID. However, the Windows Live ID user cannot create AD RMS-protected content.
4. Federated trust: You can establish a federated trust between two forests by using AD FS. In scenarios where one AD DS forest without AD RMS wants to consume protected content from another AD DS forest that has AD RMS, a federated trust can provide the solution.

Question: Contoso Pharmaceuticals has AD DS and AD RMS. A partner organization has AD DS but does not have AD RMS. The partner organization has three users that need to consume AD RMS protected content from Contoso. What are two ways to achieve the goal?


Overview of Trusted User Domain Interaction

Key Points

By default, AD RMS does not issue use licenses if RACs were issued by a different user domain. To configure AD RMS to issue these use licenses, you must import the SLC of the required user domain. You must then add the imported certificate to the list of trusted user domains for AD RMS. After you configure AD RMS, users with RACs that were issued by the trusted user domain can submit requests for use licenses to your AD RMS installation. AD RMS then processes these use licenses as requests from internal users.

Each organization has an associated AD RMS installation. After you configure trusted user domains (TUDs), an organization can add the AD RMS installation of another organization to the list of trusted user domains. Users from both organizations can then work together on protected content. These users can also exchange the content through the Internet or through an extranet. The following steps show an example of the TUD interaction process:

1. Contoso sends its SLC to Northwind Traders.
2. Northwind Traders imports the SLC.
3. A Northwind Traders employee sends RMS-protected content to a Contoso employee.
4. The Contoso employee sends the PL and RAC with a request for a UL to Northwind Traders.
5. The Northwind Traders server uses the imported SLC to verify the RAC and returns the UL.

Question: How can an organization add additional protection to the AD RMS cluster when setting up a TUD with a partner organization?


Overview of Trusted Publishing Domain Interaction

Key Points

By default, AD RMS servers do not issue use licenses against publishing licenses issued by an AD RMS server in a different cluster. However, you can configure an AD RMS cluster to trust the publishing licenses issued by a different AD RMS cluster. The AD RMS cluster can then implement a trusted publishing domain (TPD) to issue use licenses against those publishing licenses. For an organization, you might publish content by using AD RMS clusters in another organization or in a division that exists in another forest. In such cases, you must configure TPDs. By using a TPD, the AD RMS cluster can grant use licenses to users for the published content.

When you add a TPD, you implement a trust relationship between the AD RMS cluster that you install and the other AD RMS cluster. For the trust relationship, you import the SLC and the private key of the other cluster. Because the private key is included, the exported TPD file is password protected and must be handled as a secret. You can configure any number of TPDs for an AD RMS cluster. The following steps show an example of the TPD interaction process:

1. Northwind Traders exports its private key and SLC.
2. Contoso imports the private key and SLC.
3. A Northwind Traders employee sends RMS-protected content to a Contoso employee.
4. The Contoso employee sends the PL and RAC with a request for a UL to the Contoso AD RMS cluster.
5. Contoso uses the imported private key to decrypt the PL and issues the UL.

Question: Two separate organizations have AD DS and AD RMS. They decide to merge. How do you decommission one of the AD RMS environments?

Demonstration: How to Configure Trust Policies

Key Points
The following demonstration shows you how to configure trust policies. To perform this demonstration you must have already completed Demonstration: How to Install the First Server of an AD RMS Cluster.

Demonstration Steps

1. Ensure that the 6426C-NYC-DC1 and the 6426C-NYC-SVR1 virtual machines are still running, then start and log on to the 6426C-MIA-DC1 virtual machine.
2. On the 6426C-MIA-DC1 virtual machine, open the Active Directory Rights Management Services console.
3. Expand Trust Policies, expand Trusted User Domains, and then export the Enterprise Trusted User Domain.
4. Save the trusted user domain file and then copy the file to the \\NYC-DC1\Trust Policies share.
5. On the 6426C-NYC-SVR1 virtual machine, open the Active Directory Rights Management Services console.
6. Expand Trust Policies, expand Trusted User Domains, and then import the trusted user domain from the trusted user domain file on the \\NYC-DC1\Trust Policies share and name it Woodgrove Bank.
7. On the 6426C-MIA-DC1 virtual machine, open the Active Directory Rights Management Services console.
8. Expand Trust Policies, expand Trusted Publishing Domains, and then export the MIA-DC1 Trusted Publishing Domain.
9. Save the trusted publishing domain file with the password Pa$$w0rd.
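Added example, not part of the course: the trust-policy exchange from the demonstration scripted with the ADRMSAdmin cmdlets of Windows Server 2008 R2 (Export-RmsTUD, Import-RmsTUD, Export-RmsTPD, Import-RmsTPD), so the TUD import can be repeated exactly on every cluster that needs it. The MIA cluster URL is an assumed placeholder (the course does not give it); the NYC URL and share are the lab's. The parameter names (-Path, -SavePath, -SourceFile, -DisplayName, -Password) are assumed from the cmdlets' documentation and should be confirmed with Get-Help before use.

```powershell
# Added example (not course material): exchanging a TUD and a TPD between two clusters.
Import-Module AdRmsAdmin

# --- On 6426C-MIA-DC1, the cluster that will be trusted (URL assumed) ---
New-PSDrive -Name Mia -PSProvider AdRmsAdmin -Root 'http://mia-dc1.woodgrovebank.com' | Out-Null

# Steps 3-4: the TUD contains only the SLC (public), so a share is an acceptable transport.
Set-Location Mia:\TrustPolicy\TrustedUserDomain
Export-RmsTUD -Path . -SavePath '\\NYC-DC1\Trust Policies\WoodgroveBank-TUD.bin'

# Steps 8-9: the TPD carries the cluster's private key. It is password protected, and both
# the file and the password should go out of band rather than being left on a share.
$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString
Set-Location Mia:\TrustPolicy\TrustedPublishingDomain
Export-RmsTPD -Path . -SavePath '\\NYC-DC1\Trust Policies\WoodgroveBank-TPD.xml' -Password $tpdPassword

# --- On 6426C-NYC-SVR1, the cluster that will honour MIA users and MIA publishing licenses ---
New-PSDrive -Name Nyc -PSProvider AdRmsAdmin -Root 'http://rms.contoso.com' | Out-Null

# Step 6: import the TUD under the display name the demonstration uses.
Set-Location Nyc:\TrustPolicy\TrustedUserDomain
Import-RmsTUD -Path . -DisplayName 'Woodgrove Bank' `
    -SourceFile '\\NYC-DC1\Trust Policies\WoodgroveBank-TUD.bin'

# Importing the TPD (not in the demonstration, shown for completeness) needs the same password.
Set-Location Nyc:\TrustPolicy\TrustedPublishingDomain
Import-RmsTPD -Path . -DisplayName 'Woodgrove Bank' `
    -SourceFile '\\NYC-DC1\Trust Policies\WoodgroveBank-TPD.xml' -Password $tpdPassword

# Verify both trusts are listed on the NYC side.
Get-ChildItem Nyc:\TrustPolicy\TrustedUserDomain, Nyc:\TrustPolicy\TrustedPublishingDomain |
    Format-Table DisplayName -AutoSize
```

Delete the TPD file from the share once it is imported; whoever holds it and the password can issue use licenses for everything the MIA cluster ever protected.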

Question: If one organization is running AD RMS on Windows Server 2008 R2 and another organization is running RMS 1.0 on Windows Server 2003, can RMS 1.0 import the trusted publishing domain file?


Deploying AD RMS with AD FS

Key Points
Deploying AD RMS along with AD FS requires the following tasks to be completed to ensure proper functionality:

1. Assign an SSL certificate to the website that hosts the AD RMS cluster: For federated scenarios, a certificate from a third-party trusted certification authority is the recommended certificate. It helps ensure a smoother implementation and requires less administrative overhead, because partner clients already trust the issuer. The certificate can be installed during the AD RMS installation or it can be imported after the installation by using the IIS management console.
2. Install and configure AD RMS: During the installation, several key parameters are required, such as the database server, the service account credentials, the type of key storage, the cluster key password, and the URL of the AD RMS cluster.
3. Grant the AD RMS service account the right to generate security audits: This is required when using AD RMS with AD FS. Use the Local Security Policy on the AD RMS server(s) to grant the user right.
4. On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines: An example of a common claims-aware application deployed with AD RMS and AD FS is Microsoft SharePoint 2007 or 2010.
5. Add an AD RMS extranet cluster URL: The extranet URL is used by external clients to locate the AD RMS cluster. A DNS record must exist for the extranet fully qualified domain name.
6. Install the AD RMS Identity Federation Support role service: This step can take place during the initial installation of AD RMS or at any time thereafter. You must know the URL of the federation service that you are federating with.
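Added example, not part of the course: step 3 (grant the "Generate security audits" user right, SeAuditPrivilege, to the AD RMS service account) done with secedit so it can be repeated identically on every server in the cluster instead of clicking through Local Security Policy. Run elevated; the account name is the lab's. Nothing else is assumed. Only this one user right is granted, which is the least-privilege shape of the step: the service account does not need local administrator membership for it.

```powershell
# Added example (not course material): grant SeAuditPrivilege to a service account via secedit.
function Grant-SeAuditPrivilege {
    param([string]$Account = 'CONTOSO\adrms-svc')

    # secedit .inf files reference accounts by SID, prefixed with '*'.
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $work = Join-Path $env:TEMP 'seaudit'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $inf  = Join-Path $work 'rights.inf'

    # Export only the user-rights area; the export keeps its [Unicode]/[Version] headers,
    # so it can be edited and fed straight back to /configure.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = @(Get-Content $inf)
    $found = $false
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^SeAuditPrivilege\s*=') {
            $found = $true
            if ($lines[$i] -notmatch [regex]::Escape($sid)) {
                # Keep the existing holders (LOCAL SERVICE, NETWORK SERVICE) and append ours.
                $lines[$i] = $lines[$i].TrimEnd() + ",*$sid"
            }
        }
    }
    if (-not $found) { $lines += "SeAuditPrivilege = *$sid" }   # [Privilege Rights] is the last section
    Set-Content -Path $inf -Value $lines -Encoding Unicode

    secedit /configure /db (Join-Path $work 'rights.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null

    # Verify by re-exporting: the SID must now be on the SeAuditPrivilege line.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content $inf | Where-Object { $_ -match '^SeAuditPrivilege' }
}
Grant-SeAuditPrivilege
```

The right takes effect at the service account's next logon, so restart the AD RMS application pool after running it.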

Windows Server 2008 R2 greatly improves the deployment of AD RMS with AD FS by offering group expansion. In Windows Server 2008, federated users had to be individually managed and added to rights templates. Now, in Windows Server 2008 R2, federated users can be added to groups and the groups can be expanded. This simplifies the management of AD RMS with AD FS. The key requirement for implementing group expansion is that all of the participating federated users have to be created as contacts in the forest where AD RMS is deployed.

Question: An organization is going to federate their AD RMS with a partner organization by using AD FS. Can each organization use their internal PKI to issue digital certificates?


Lesson 5

Troubleshooting Active Directory Rights Management Services

Troubleshooting AD RMS involves investigating and resolving AD RMS installation issues, URL availability issues, and the AD RMS SCP. All of these play a critical role in the functionality of AD RMS.

Objectives

After completing this lesson, you will be able to:

- Describe common AD RMS issues.
- Investigate and resolve AD RMS cluster installation issues.
- Investigate and resolve AD RMS cluster URL availability issues.
- Investigate and resolve AD RMS SCP configuration issues.


Common AD RMS Issues

Key Points

Use the troubleshooting reports in the AD RMS console to identify common AD RMS issues. To view these reports, you must install and use Microsoft Report Viewer. Some AD RMS issues are related to the following:

- Cluster installation
- Cluster URL availability
- SCP configuration
- Federated identity support installation

In addition, AD RMS stops functioning if the AD RMS service account password expires.


Troubleshooting AD RMS Cluster Installation Issues

Key Points

You can use Server Manager to install the AD RMS server role. However, the AD RMS installation might not be successful. The following troubleshooting steps help resolve the most common installation issues:

- Verify that the installation account is a member of the local Administrators group: Ensure that the user account you use to install AD RMS is a member of the local Administrators group on the AD RMS server. If you are installing AD RMS on a domain controller, the AD RMS service account must be a member of Domain Admins.
- Verify that the AD RMS administrator account has proper permissions on the IIS virtual directory: The virtual directory, named _wmcs, hosts all AD RMS web services. The installing user account must have access to read and write to the IIS home directory to create the virtual directory. By default, the IIS home directory is located at %systemdrive%\inetpub\wwwroot.
- Verify that the AD RMS service account has proper permissions on the configuration database server. There are three important parts of the database server permissions:
  - The service account must have the rights to create new databases.
  - If using SQL Server 2005 or SQL Server 2008, the service account must be a member of the sysadmin fixed server role (or equivalent).
  - If the SQL server is remote (not installed locally on the AD RMS server), the service account must be a member of the local Administrators group on the SQL server.
- Ensure that the AD RMS service account and installation account are different: During the installation of AD RMS, if you attempt to use the installation account as the service account, the installation wizard does not proceed and generates an error.
- If installing AD RMS on a domain controller, add the AD RMS service account to the Domain Admins group: Because of the security ramifications of adding the service account to Domain Admins, it is common practice to avoid installing AD RMS on a domain controller.
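Added example, not part of the course: a PowerShell check that separates a network or firewall problem from a permission problem on a remote SQL Server before re-running setup. Run it on the AD RMS server under the account whose access you are testing (for example, start PowerShell with runas as the service account). The SQL Server name is an assumed placeholder; everything else is .NET that is present on Windows Server 2008 R2.

```powershell
# Added example (not course material): name resolution, TCP reachability and SQL login/role check.
function Test-RmsSqlPrerequisites {
    param(
        [string]$SqlServer = 'NYC-SQL1.contoso.com',   # assumed
        [int]$Port = 1433
    )
    $result = @{ Server = "$SqlServer,$Port" }

    # 1. DNS: setup cannot reach a name it cannot resolve.
    try   { $result.Dns = ([System.Net.Dns]::GetHostAddresses($SqlServer) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { $result.Dns = "FAILED: $($_.Exception.Message)" }

    # 2. TCP: a closed port means a firewall or SQL Server not listening on TCP/IP.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($SqlServer, $Port); $result.Tcp = 'open' }
    catch   { $result.Tcp = "FAILED: $($_.Exception.Message)" }
    finally { $tcp.Close() }

    # 3. Login as the current Windows account and confirm sysadmin, which setup needs to
    #    create the configuration, directory services and logging databases.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer,$Port;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT SUSER_SNAME() AS LoginName, IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin, @@VERSION AS Ver"
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            $result.Login      = $r['LoginName']
            $result.IsSysadmin = [bool]$r['IsSysadmin']
            $result.Version    = ([string]$r['Ver'] -split "`n")[0].Trim()
        }
        $r.Close()
    }
    catch   { $result.Login = "FAILED: $($_.Exception.Message)" }
    finally { $conn.Close() }

    return New-Object PSObject -Property $result
}

Test-RmsSqlPrerequisites | Format-List
```

Read the three results in order: a DNS or TCP failure is a network issue and no amount of SQL permission work will fix it; a login failure with the port open is an authentication problem; a successful login with IsSysadmin False is the permission gap the bullet above describes.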


Question: The installation of AD RMS is failing. You suspect the database is the problem. However, the service account has all of the required rights. How can you test connectivity from the AD RMS server to the SQL server to rule out a network or firewall issue?


Troubleshooting AD RMS Cluster URL Availability Issues

Key Points

If the cluster URL that you specify in the AD RMS installation does not respond to an HTTP request, you must investigate the availability of the AD RMS cluster on the network. Check the following three areas:

- DNS: Ensure that the fully qualified domain name in the AD RMS cluster URL resolves by testing resolution with nslookup.exe.
- SSL certificates: Validate the AD RMS certificates to ensure that they are still valid, properly installed, and bound to the web site that hosts the cluster.
- Ports: AD RMS uses Transmission Control Protocol (TCP) ports 80 and 443 to communicate with AD RMS-enabled clients and AD RMS servers in the cluster. Firewalls must be configured to allow communication on these ports.

Question: You are testing connectivity to port 443 on the AD RMS server. You cannot connect on port 443. What additional troubleshooting steps can you take to determine the cause?


Troubleshooting AD RMS SCP Configuration Issues

Key Points
AD RMS clients use an SCP to automatically locate the AD RMS cluster. If the AD RMS installation fails to register the SCP in AD DS, you can perform the following steps to troubleshoot and resolve the most common SCP issues:

- Ensure that the user registering the SCP has sufficient group membership: To register the SCP, the installation account must be a member of the Enterprise Admins group. Otherwise, after the installation, you can use an Enterprise Admins account to register the SCP by using the AD RMS management console.
- Delete the existing SCP and create a new one: If AD RMS was previously installed (even if it was subsequently removed), you may have an old SCP entry. In such cases, you need to delete the old SCP entry and create a new one. You can perform this task by using the Active Directory Sites and Services console (ensure that you are viewing the Services node in the console).
- Verify that DNS is configured and working properly: The SCP record points clients to a fully qualified domain name. That name must be resolvable in DNS. Verify the SCP record and then validate that the name resolves in DNS.
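Added example, not part of the course: one diagnostic pass covering this topic and the previous one. It reads the AD RMS SCP from the configuration partition, then checks DNS, the TCP port, the TLS certificate (for an HTTPS cluster URL) and finally the certification pipeline URL that clients hit. It needs the Active Directory module (RSAT) for the SCP lookup; the rest is .NET available with PowerShell 2.0 on Windows Server 2008 R2. The SCP distinguished name is the one AD RMS uses; no cluster name is assumed because it is read from the directory.

```powershell
# Added example (not course material): locate the cluster via its SCP and test the URL end to end.
Import-Module ActiveDirectory

function Get-RmsScpUrl {
    # AD RMS registers its SCP here; serviceBindingInformation holds the cluster URL.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scp = Get-ADObject -Identity "CN=SCP,CN=RightsManagementServices,CN=Services,$configNC" `
                        -Properties serviceBindingInformation -ErrorAction Stop
    return [string]$scp.serviceBindingInformation
}

function Test-RmsClusterUrl {
    param([string]$ClusterUrl)
    $uri = [Uri]$ClusterUrl
    $out = @{ Url = $ClusterUrl }

    # DNS (the nslookup check above, done in code).
    try   { $out.Dns = ([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { $out.Dns = "FAILED: $($_.Exception.Message)" }

    # TCP port 80/443, then the certificate the way a client validates it: chain, name, dates.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        $out.Port = "$($uri.Port) open"
        if ($uri.Scheme -eq 'https') {
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($uri.Host)      # throws on an untrusted, expired or misnamed cert
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $out.Cert = "$($cert.Subject) valid $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
            $ssl.Close()
        }
    }
    catch {
        if (-not $out.Port) { $out.Port = "FAILED: $($_.Exception.Message)" }
        else                { $out.Cert = "FAILED: $($_.Exception.Message)" }
    }
    finally { $tcp.Close() }

    # The certification pipeline must answer; build it from scheme and host so an SCP value that
    # already ends in /_wmcs/certification is handled the same as a bare cluster URL.
    $base = $uri.GetLeftPart([System.UriPartial]::Authority)
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try   { $null = $wc.DownloadString("$base/_wmcs/certification/certification.asmx"); $out.Pipeline = 'OK' }
    catch { $out.Pipeline = "FAILED: $($_.Exception.Message)" }

    return New-Object PSObject -Property $out
}

# Usage: a missing SCP throws here, which is itself the finding (register or recreate it).
$url = Get-RmsScpUrl
Test-RmsClusterUrl -ClusterUrl $url | Format-List
```

If Get-RmsScpUrl returns a URL that Test-RmsClusterUrl cannot resolve, you are most likely looking at a stale SCP from an earlier installation, which is the second bullet above.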

Question: How can you test AD RMS functionality without a registered SCP?


Lab: Deploying and Configuring Active Directory Rights Management Services

Objectives
After completing this lab, you will be able to:

- Install and configure AD RMS.
- Configure AD RMS templates.
- Configure AD RMS trust policies.
- Validate AD RMS functionality.
- Generate AD RMS reports.

Scenario

The Contoso management team wants to enable collaboration between Contoso and partners. Because the content that Contoso shares with partners is of a proprietary nature, management wants to ensure that only authorized individuals can access the content, even if it was obtained through unauthorized means. The infrastructure security team has decided that Active Directory Rights Management Services will be used to protect content.

You have been directed to install and configure AD RMS in the Contoso environment to protect the content. In addition, users have requested a method to streamline the process of protecting content with AD RMS. When the AD RMS deployment is complete, you need to test basic functionality to ensure that the AD RMS configuration is functional. In this lab, you use the available virtual machine environment. Before you begin the lab, you must:

- Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.
- Start the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.


Exercise 1: Installing and Configuring AD RMS


The main tasks for this exercise are as follows:

1. Add a CNAME for the AD RMS cluster.
2. Install and configure AD RMS.

Task 1: Add a CNAME for the AD RMS cluster

On the 6426C-NYC-DC1 virtual machine, add a DNS CNAME record that points rms.contoso.com to NYC-SVR1.contoso.com.

Task 2: Install and configure AD RMS

1. On the 6426C-NYC-SVR1 virtual machine, use Server Manager to install the AD RMS server role by using the following information:
   - Add the required role services when prompted.
   - Create a new AD RMS cluster.
   - Use the Windows Internal Database.
   - Specify the service account by using the user name CONTOSO\adrms-svc and the password Pa$$w0rd.
   - Use AD RMS centrally managed key storage with a cluster key password of Pa$$w0rd.
   - On the Specify Cluster Address page, use an unencrypted connection and use rms.contoso.com as the fully qualified domain name. Use port 80 as the port.
   - For the Server Licensor Certificate name, type Contoso Pharmaceuticals RMS.
   - Configure the AD RMS service connection point to register during installation.
2. After the installation, log off from the 6426C-NYC-SVR1 virtual machine.

After the installation, log off from the 6426C-NYC-SVR1 virtual machine.
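Added example, not part of the course: Task 2 performed with the ADRMS installation provider that ships with Windows Server 2008 R2 instead of Server Manager, using the lab's values. Run it elevated on NYC-SVR1 as CONTOSO\Administrator (the installing account must differ from the service account, and must be an Enterprise Admin for the SCP to register). The feature name ADRMS-Server and the provider's item and property names are as I recall them from the provider's documentation; list them with Get-ChildItem RC:\ before running, and treat them as assumptions.

```powershell
# Added example (not course material): unattended AD RMS root cluster installation.
Import-Module ServerManager
Add-WindowsFeature ADRMS-Server | Out-Null        # pulls in the IIS and Message Queuing dependencies

Import-Module ADRMS
New-PSDrive -Name RC -PSProvider ADRMSInstall -Root RootCluster | Out-Null

# Lab credentials are prompted for rather than embedded in the script.
$svc        = Get-Credential 'CONTOSO\adrms-svc'                      # service account
$clusterKey = Read-Host -Prompt 'Cluster key password' -AsSecureString

Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
Set-ItemProperty -Path RC:\ServiceAccount  -Name ServiceAccount             -Value $svc
Set-ItemProperty -Path RC:\ClusterKey      -Name UseCentrallyManaged        -Value $true
Set-ItemProperty -Path RC:\ClusterKey      -Name CentrallyManagedPassword   -Value $clusterKey
Set-ItemProperty -Path RC:\ClusterWebSite  -Name WebSiteName                -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterUrl      -Name InternalUrl                -Value 'http://rms.contoso.com:80'  # unencrypted, as in the lab
Set-ItemProperty -Path RC:\SLCName         -Name SLCName                    -Value 'Contoso Pharmaceuticals RMS'
Set-ItemProperty -Path RC:\SCP             -Name RegisterSCP                -Value $true

# Review every value the provider will use, then install.
Get-ChildItem RC:\ | ForEach-Object { Get-ItemProperty -Path "RC:\$($_.PSChildName)" }
Install-ADRMS -Path RC:\ -Force
```

The lab's HTTP-only cluster URL is fine for a classroom; a production cluster should use HTTPS with a certificate whose subject matches the cluster name, because the URL is baked into every publishing license the cluster issues.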

Results: After this exercise, you have installed the AD RMS server role and created a new AD RMS cluster.


Exercise 2: Configuring AD RMS Templates


The main tasks for this exercise are as follows: 1. 2. 3. Configure AD RMS rights policy templates. Configure AD RMS rights policy template distribution for Windows 7 client computers. Use Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers.

Task 1: Configure AD RMS rights policy templates


1. Log on to the 6426C-NYC-SVR1 virtual machine by using the user name CONTOSO\Administrator and the password Pa$$w0rd.
2. In the Active Directory Rights Management Services console, enable the export of the rights policy templates and then specify the export location as \\NYC-DC1\templates.
3. Create a Distributed Rights Policy Template with the following details:
   - Name: Confidential Projects
   - Description: Contoso Pharmaceuticals IT Department
   - User and rights: ITAdmins@Contoso.com: Edit rights; Anyone: View rights
4. Set the policy to expire after 14 days and finish the creation wizard.

Task 2: Configure AD RMS rights policy template distribution for Windows 7 client computers
1. Log on to the 6426C-NYC-CL1 virtual machine by using the user name CONTOSO\Betsy and the password Pa$$w0rd.
2. Start the Computer Management console as the Administrator with the password of Pa$$w0rd.
3. Expand Task Scheduler and then browse to Active Directory Rights Management Services Client.
4. Enable the AD RMS Rights Policy Template Management (Automated) task and then Run the task.
   Note: If you are prompted for credentials, use the credentials that you are logged on with; user name CONTOSO\Betsy and password Pa$$w0rd.
5. Start Microsoft Word 2010, complete any startup wizards that appear and then close the application.
6. Start the Registry Editor by using regedit.exe.
7. In the Registry Editor, expand the HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common key.
8. Create a new registry key under Common called DRM (if DRM already exists, proceed to the next step). Under DRM, create a new expandable string value and name it AdminTemplatePath.
9. Specify the value data for the AdminTemplatePath value as %LocalAppData%\Microsoft\DRM\Templates. If there are problems locating this path on the virtual machine, an alternate value for the key is \\NYC-DC1\Templates.
10. Close the Registry Editor, and then log off from the 6426C-NYC-CL1 virtual machine.

Task 3: Use Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers
1. On the 6426C-NYC-DC1 virtual machine, open the Group Policy Management console.
2. Edit the Default Domain Policy Group Policy Object.
3. Add the \\NYC-DC1\Templates\office14.adm template to the Administrative Templates node.
4. In the Group Policy Management Editor, browse to User Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2010\Manage Restricted Permissions.
5. Enable the Specify Permission Policy Path option.
6. In the Enter path to policy templates for content permission box, type \\NYC-DC1\Templates and then click OK.

Results: After this exercise, you have configured an AD RMS template and set up template distribution for Windows 7 and Windows XP.
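Both distribution paths in this exercise come down to one registry value, AdminTemplatePath, written either per user (Windows 7, Task 2) or by policy (Windows XP, Task 3). The following is an added example, not course material, that sets and checks both with Windows PowerShell. It assumes the GroupPolicy module from the Windows Server 2008 R2 GPMC, and it assumes that the policy path HKCU\Software\Policies\Microsoft\Office\14.0\Common\DRM is the one office14.adm writes for "Specify Permission Policy Path"; confirm that against the ADM file before relying on it.

```powershell
# Added example: AD RMS template distribution for Office 2010 clients.
# Assumptions: lab share \\NYC-DC1\Templates; GroupPolicy module available (2008 R2 GPMC);
# policy registry path taken from office14.adm (verify in the ADM file).

# --- Windows 7 client: per-user value under HKCU (run as the user) ----------
$keyPath = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
# REG_EXPAND_SZ, so Office expands %LocalAppData% at run time
Set-ItemProperty -Path $keyPath -Name 'AdminTemplatePath' `
    -Value '%LocalAppData%\Microsoft\DRM\Templates' -Type ExpandString

# Check: the scheduled task "AD RMS Rights Policy Template Management (Automated)"
# populates this folder. If it is empty, templates will not appear in Word.
$raw = (Get-ItemProperty -Path $keyPath -Name AdminTemplatePath).AdminTemplatePath
$expanded = [Environment]::ExpandEnvironmentVariables($raw)
if (Test-Path $expanded) {
    $templates = Get-ChildItem $expanded -Filter *.xml
    if ($templates) { $templates | ForEach-Object { Write-Host "Template available: $($_.Name)" } }
    else { Write-Warning "$expanded exists but holds no template XML files; run the client scheduled task" }
} else {
    Write-Warning "Template folder $expanded not present; run the scheduled task or use \\NYC-DC1\Templates instead"
}

# --- Windows XP clients: the same value delivered by the Default Domain Policy --
Import-Module GroupPolicy
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKCU\Software\Policies\Microsoft\Office\14.0\Common\DRM' `
    -ValueName 'AdminTemplatePath' -Type ExpandString -Value '\\NYC-DC1\Templates' | Out-Null

# Confirm what the GPO now carries before forcing gpupdate on a client
Get-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKCU\Software\Policies\Microsoft\Office\14.0\Common\DRM'
```

Pointing clients at a UNC path (the Windows XP case) means every user reads templates from a share; the share's NTFS and share permissions should allow Read only, because a writable template store lets anyone alter the rights a template grants.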


Exercise 3: Configuring AD RMS Trust Policies


The main tasks for this exercise are as follows:
1. Export the Trusted User Domains policy.
2. Export the Trusted Publishing Domains policy.
3. Import the Trusted User Domain policy from the WoodgroveBank domain.
4. Import the Trusted Publishing Domains policy from the WoodgroveBank domain.

Task 1: Export the Trusted User Domains policy

1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to export the contoso.com Trusted User Domain.
2. Save the output as c:\contoso.bin.

Task 2: Export the Trusted Publishing Domains policy

1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to export the contoso.com Trusted Publishing Domain.
2. Save the output as c:\contoso.xml.

Task 3: Import the Trusted User Domains policy from the WoodgroveBank domain

1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to import the WoodgroveBank Trusted User Domain.
2. Import the file from \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin.
3. Configure the Display name as WoodgroveBank Domain.

Task 4: Import the Trusted Publishing Domains policy from the WoodgroveBank domain

1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to import the WoodgroveBank Trusted Publishing Domain.
2. Import the file from \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml.
3. In the Display name field, type WoodgroveBank RMS and then type Pa$$w0rd as the password.

Results: After this exercise, you have exported the Contoso TUD and TPD and imported the Woodgrove Bank TUD and TPD.
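The same four trust operations can be scripted with the AdRmsAdmin module listed in this module's Tools table. The script below is an added example, not course or product documentation: the cmdlet names (Export-RmsTUD, Import-RmsTUD, Export-RmsTPD, Import-RmsTPD), the provider drive layout under TrustPolicy, and the parameter names are assumed from the Windows Server 2008 R2 module and must be confirmed with Get-Command -Module AdRmsAdmin and Get-Help before use. The file paths, display names and cluster URL are the lab's.

```powershell
# Added example: scripted TUD/TPD export and import (AdRmsAdmin module, assumed cmdlet
# names and parameters; verify with Get-Help on the server).
Import-Module AdRmsAdmin
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'http://rms.contoso.com' | Out-Null

# Tasks 1 and 2: export the local cluster's TUD and TPD.
# Before any import, the only TUD entry is the local cluster, so the first item is ours.
$localTud = Get-ChildItem 'RMS:\TrustPolicy\TrustedUserDomain' | Select-Object -First 1
Export-RmsTUD -Path $localTud.PSPath -SavedFile 'C:\contoso.bin'

# A TPD export contains the server licensor certificate AND its private key; the
# password protects that key in the .xml file. Never leave it unprotected.
$localTpd = Get-ChildItem 'RMS:\TrustPolicy\TrustedPublishingDomain' | Select-Object -First 1
$tpdPassword = Read-Host -AsSecureString 'Password to protect the exported TPD'
Export-RmsTPD -Path $localTpd.PSPath -SavedFile 'C:\contoso.xml' -Password $tpdPassword

# Tasks 3 and 4: import the partner's TUD (public, .bin) and TPD (.xml, password protected).
Import-RmsTUD -Path 'RMS:\TrustPolicy\TrustedUserDomain' `
    -SourceFile '\\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin' `
    -DisplayName 'WoodgroveBank Domain'

$partnerPassword = Read-Host -AsSecureString 'Password the partner used when exporting the TPD'
Import-RmsTPD -Path 'RMS:\TrustPolicy\TrustedPublishingDomain' `
    -SourceFile '\\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml' `
    -DisplayName 'WoodgroveBank RMS' -Password $partnerPassword

# Check: both trust lists should now list the partner next to the local cluster.
Get-ChildItem 'RMS:\TrustPolicy\TrustedUserDomain'
Get-ChildItem 'RMS:\TrustPolicy\TrustedPublishingDomain'
```

The asymmetry matters operationally: a TUD file is public material and can be exchanged freely, whereas an imported TPD lets your cluster issue licenses for the partner's content, so its .xml file and password deserve the same handling as a private key.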


Exercise 4: Testing AD RMS Functionality


The main tasks for this exercise are as follows:
1. Create a rights-protected document.
2. Open the rights-protected document as a non-authorized user.
3. Open and edit the rights-protected document as an authorized user.

Task 1: Create a rights-protected document


1. Log on to the 6426C-NYC-CL1 virtual machine as Betsy.
2. Start Microsoft Word 2010.
3. Create a protected document by using the Confidential Projects rights policy template.
   Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Betsy and password Pa$$w0rd.
4. In the document body, type This is a protected document.
5. Save the document as \\NYC-DC1\templates\Protected.docx.
6. Close Microsoft Word 2010 and then log off.

Note: The user accounts are authenticated against email addresses in AD DS in this test environment. If a user account does not have an email address assigned, the user will not be able to use the RMS functionality.
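The note above is the most common reason this test fails: AD RMS identifies users and groups by the mail attribute, and the Confidential Projects template grants Edit to ITAdmins@Contoso.com, so the group needs that exact address and each member needs an address of their own. The following added check, not part of the course, runs against AD DS with the ActiveDirectory module from Windows Server 2008 R2 using the lab's account and group names; the expected group address is taken from the template created in Exercise 2.

```powershell
# Added example: confirm the lab principals can be matched by AD RMS (mail attribute).
Import-Module ActiveDirectory

$TestUsers         = 'Betsy', 'Aaron', 'Axel'   # lab accounts
$RightsGroup       = 'ITAdmins'                 # group named in the template
$ExpectedGroupMail = 'ITAdmins@Contoso.com'     # address the template grants Edit to

function Test-RmsMailAttribute {
    param([string[]]$Users, [string]$Group, [string]$GroupMail)
    $problems = @()

    foreach ($sam in $Users) {
        $u = Get-ADUser -Identity $sam -Properties mail
        if (-not $u.mail) { $problems += "User $sam has no mail attribute; AD RMS cannot issue it a RAC" }
    }

    $g = Get-ADGroup -Identity $Group -Properties mail
    if (-not $g.mail) {
        $problems += "Group $Group has no mail attribute; the template's grant to $GroupMail cannot match it"
    } elseif ($g.mail -ine $GroupMail) {
        $problems += "Group $Group has mail '$($g.mail)' but the template grants rights to '$GroupMail'"
    }

    # Group expansion happens on the server by e-mail address, so every member
    # (including nested members) needs an address or the Edit grant will not reach them.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $m = Get-ADUser -Identity $_.distinguishedName -Properties mail
            if (-not $m.mail) { $problems += "Member $($m.SamAccountName) of $Group has no mail attribute" }
        }
    return $problems
}

$issues = Test-RmsMailAttribute -Users $TestUsers -Group $RightsGroup -GroupMail $ExpectedGroupMail
if ($issues.Count -eq 0) {
    Write-Host 'All test accounts and the rights group carry usable e-mail addresses.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run this before Task 2 and Task 3: a missing address on Axel produces the same "you do not have permission" symptom as a wrong template, and the Troubleshooting report in Exercise 5 is where the server-side view of such failures appears.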

Task 2: Open the rights-protected document as a non-authorized user


1. Log on to the 6426C-NYC-CL1 virtual machine as Aaron.
   Note: Aaron is not a member of the ITAdmins group and should only have view access to the document.
2. Start Microsoft Word 2010.
3. Open the \\NYC-DC1\templates\Protected.docx document.
   Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Aaron and password Pa$$w0rd.
4. Verify the permissions that are allowed for the document.
5. Close Microsoft Word 2010 and then log off.


Task 3: Open and edit the rights-protected document as an authorized user


1. Log on to the 6426C-NYC-CL1 virtual machine as Axel.
   Note: Axel is a member of the IT Admins group and should have editing access to the document.
2. Start Microsoft Word 2010.
3. Open the \\NYC-DC1\templates\Protected.docx document.
   Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Axel and password Pa$$w0rd.
4. Verify the permissions that are allowed for the document.
5. Type Edited successfully by Axel in a new line.
6. Save the document.
7. Close Microsoft Word 2010 and then log off.

Results: After this exercise, you have successfully tested functionality of AD RMS from a client computer.


Exercise 5: Generating AD RMS Reports

During this exercise, you prepare the environment for AD RMS reporting and view several built-in AD RMS reports. The main tasks for this exercise are as follows:
1. Install Microsoft Report Viewer.
2. View AD RMS Statistics reports.
3. View the AD RMS System Health report.
4. View the AD RMS Troubleshooting report.

Task 1: Install Microsoft Report Viewer


1. On the 6426C-NYC-SVR1 virtual machine, browse to \\NYC-DC1\x$\Labfiles\Mod06\ and then double-click ReportViewer.exe to install Microsoft Report Viewer.
2. Complete the installation wizard using the default options.

Task 2: View AD RMS Statistics reports


1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view Statistics Reports.
2. View the statistics in the main window.
3. Close the AD RMS console window.

Task 3: View AD RMS System Health report


1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view the System Health report.
2. In the Actions pane, click View Report.
3. Specify the query start and end dates when prompted, and then click Finish.

Task 4: View AD RMS Troubleshooting report


1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view the Troubleshooting report.
2. In the Actions pane, click View Report.
3. Specify the query start and end dates when prompted, enter CONTOSO\Aaron for User Name, and then click Finish.
4. In addition, view the Troubleshooting report for CONTOSO\Betsy and CONTOSO\Axel.

Results: After this exercise, you have installed the Microsoft Report Viewer and viewed the Statistics report, System Health report and the AD RMS Troubleshooting report.


Module Review and Takeaways

Review Questions
1. What are some reasons to deploy AD RMS?
2. What special requirement must be met to install AD RMS on a domain controller?
3. You run across an AD RMS-protected document that you cannot open. You were able to open it a couple of months ago, so you are positive that you had the proper authorization. What might cause this?

Common Issues related to Active Directory Rights Management Services


Issue: Unable to exchange AD RMS protected email messages with partner company.
Troubleshooting tip:

Issue: Windows XP client computer not able to protect documents using AD RMS.
Troubleshooting tip:

Issue: Multi-domain environment; AD RMS protected email sent to group cannot be opened by group members.
Troubleshooting tip:

Issue: Unable to protect Microsoft Office documents using Windows SharePoint Services.
Troubleshooting tip:


Real-world Issues and Scenarios


1. An organization wants to offer employees persistent protection for Microsoft Word documents. In addition, the organization wants to enable employees to be able to send confidential messages to anybody on the internet. What technology or technologies should this organization use?
2. Fabrikam runs AD DS, AD RMS, and Exchange Server 2010. The company wants to ensure that when employees send other employees an email that contains the phrase Top Secret, the email message is automatically protected with AD RMS protection. How should they accomplish this?
3. A Fabrikam employee named Bob receives an AD RMS protected email from a Fabrikam employee named Susan. However, Susan's Sent Items indicates that the message was not protected by AD RMS. What could explain this?

Tools
Tool: AD RMS Bulk Protection Tool
Use for: Protecting files in bulk
Where to find it: http://go.microsoft.com/fwlink/?LinkID=212934

Tool: Windows PowerShell
Use for: Install, configure, administer AD RMS
Where to find it: Import the AD RMS PowerShell modules: Import-Module AdRmsAdmin; Import-Module AdRms

Tool: Rights Management Services Administration Toolkit with SP2
Use for: Misc. AD RMS administrative tools
Where to find it: http://go.microsoft.com/fwlink/?LinkId=98961


Module 7
Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

Contents:
Lesson 1: Maintaining Active Directory Certificate Services  7-3
Lesson 2: Maintaining Active Directory Lightweight Directory Services  7-10
Lesson 3: Maintaining Active Directory Federation Services  7-18
Lesson 4: Maintaining Active Directory Rights Management Services  7-25
Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions  7-32


Module Overview

A successful IDA solution starts with a good design and corresponding implementation plan. Choosing the right technologies to work together to provide a streamlined identity and access solution is critical to ensuring success. Later, ultimate success is achieved with proper maintenance of the IDA solution. To properly maintain an IDA solution, you need to understand the tasks and procedures, the tools, and the methods for backing up and restoring services.

Objectives
After completing this module, you will be able to:
- Maintain Active Directory Certificate Services.
- Maintain Active Directory Lightweight Directory Services.
- Maintain Active Directory Federation Services.
- Maintain Active Directory Rights Management Services.


Lesson 1

Maintaining Active Directory Certificate Services

Successfully maintaining AD CS involves performing the most common administrative tasks to keep PKI services running and available. Much of the maintenance is based on being aware of the AD CS events taking place and the ongoing backup tasks.

Objectives
After completing this lesson, you will be able to:
- Describe the common Active Directory Certificate Services maintenance tasks.
- Describe the tools used to maintain Active Directory Certificate Services.
- Describe Certification Authority event auditing.
- Back up a Certificate Authority (CA).
- Restore a CA.


Common AD CS Maintenance Tasks

Key Points

After you have set up the CA environment, you need to maintain and monitor the CA environment. The following table describes the most common AD CS maintenance tasks.

AD CS Maintenance Task: Task Description
- Manage role-based administration: Assign CA roles to the CA administrators. Each CA role defines a unique set of tasks that can be performed.
- Configure CA event auditing: Audit all the events related to the management of a CA.
- Examine CA services: Examine all infrastructure services to ensure that the CA servers are available to process certificate requests.
- Review pending certificate requests: Decide if the request for a certificate should be approved.
- Renew CA certificates: Take necessary steps to renew CA certificates before expiration.
- Back up and restore the CA: Take preventive steps to shield a CA against any kind of data loss.
- Revoke certificates: Revoke certificates when the certificates are compromised or no longer valid for the intended purpose.
- Publish certificate templates: Publish new certificate templates and remove old certificate templates.
- Publish certificate revocation lists (CRLs): Inform your clients whether they can trust a certificate.

Question: What are some of the AD CS maintenance tasks that an administrator might need to perform on client computers?


Tools Used to Maintain Active Directory Certificate Services

Key Points
The following table describes tools used to maintain AD CS:

Tool: Description
- Server Manager: Use the Server Manager tool to set up the following AD CS components: CAs; Web enrollment; Online Responder; Network Device Enrollment Service (NDES).
- Certification Authority snap-in (Certsrv.msc): Use this tool for the following administrative tasks: start and stop the CA; back up and restore the CA; renew certificates; configure security permissions and delegate administrative control for the CA; revoke certificates.
- Enterprise PKI snap-in (PKIView): PKIView is a tool that provides the status of the network's public key infrastructure (PKI) environment. Use this tool to view multiple CAs and their current health state. The current health state can include the validity or accessibility of authority information access (AIA) locations and CRL distribution points (CDPs).


- Certificate Templates snap-in: This helps you manage certificate templates that define the format and content of a certificate.
- Certutil.exe: This is a command-line program installed as part of AD CS. It can perform the following tasks: extract and show CA configuration information; configure Certificate Services; back up and restore CA components; verify certificates, key pairs, and certificate chains.

Question: You want to have a single management interface for your IDA roles. How can you achieve this?


Certification Authority Event Auditing

Key Points
As an administrator, you can audit the following CA tasks:
- Back up and restore the CA database.
- Change the CA configuration.
- Change CA security settings.
- Issue and manage certificate requests.
- Revoke certificates and publish certificate revocation lists (CRLs).
- Store and retrieve archived keys.
- Start and stop AD CS.

A CA administrator or a CA auditor can use the Certification Authority snap-in to facilitate CA auditing. If the CA has been configured to enforce role-based administration, CA auditing can be enabled.

Prior to auditing events, you need to configure the computer to audit the access of an item. You can view and manage audit policy options in local or domain Group Policy by using the following path:
Computer Configuration\Windows Settings\Security Settings\Local Policies
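The two halves of that setup, the CA's own audit filter and the operating-system audit policy, can both be done from the command line, which is easier to script across several CAs than the snap-in. The following is an added example, not course text; it assumes a local CA and an account holding the CA Administrator role, and uses the AuditFilter bit values and the Certificate Services security event ID range (4868 to 4900) as documented for Windows Server 2008 R2.

```powershell
# Added example: enable CA event auditing from the command line and verify it.

# 1. The CA-side filter selects which of the seven categories above are audited.
#    Bits: 1 start/stop, 2 back up/restore, 4 issue/manage requests,
#    8 revoke/publish CRLs, 16 change CA security, 32 archived keys,
#    64 change CA configuration. 127 enables all of them.
certutil -setreg CA\AuditFilter 127
Restart-Service -Name CertSvc        # the filter is read at service start

# 2. The OS audit policy must admit the events, or the filter produces nothing.
#    This is the "Audit object access" setting under the Group Policy path above;
#    the per-subcategory form keeps other object-access noise out of the log.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. Verify: the filter change (event 4885) and the restart (4880/4881) should
#    already be in the Security log.
function Get-CaAuditEvents {
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{
            LogName      = 'Security'
            ProviderName = 'Microsoft-Windows-Security-Auditing'
            Id           = 4868..4900
        } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0].Trim() } }
}

Get-CaAuditEvents | Format-Table -AutoSize
```

Forward the Security log from the CA to a collector: a CA audit trail that lives only on the CA is exactly what an attacker who has reached the CA would edit, and "Change CA configuration" and "Change CA security settings" events are the ones that warrant an alert rather than a weekly review.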


Backing Up a Certification Authority

Key Points
To back up a Certification Authority, you need to back up the following:
- AD CS
- Entire server

The following methods can be used to perform the Certification Authority backup:

- Certification Authority snap-in: The CA snap-in has a backup and restore option. This method is most useful after the initial deployment or before a major change. Because it is a manual process, it is not well suited to be a regular ongoing solution.
- Certutil: This is a command-line tool which can provide backup and restore functionality for the CA. It can be scripted and scheduled, which makes it a little more useful than the CA snap-in as a regular ongoing backup solution.
- Windows Backup: This is a GUI-based backup solution that can be scheduled. It can also back up non-CA related files and services, so it is a more flexible ongoing backup solution than the CA snap-in or Certutil.
- System Center Data Protection Manager (DPM) 2010: DPM is part of the System Center family of products and provides a full service disaster recovery solution for the CA and other IDA server roles and technologies.

Question: How can you back up the certificate templates?


Restoring a Certification Authority

Key Points
When restoring a CA, you can choose to restore the following:
- AD CS
- Entire server

The following tools can be used to perform a restore:

- Certification Authority snap-in: Restoring from the CA snap-in usually occurs when you want to go back in time to your configuration at the time of the backup that is being restored. If the entire server fails, the recovery process begins by restoring the hardware and operating system.
- Certutil: This is a command-line tool that can perform the same restore functions as the CA snap-in. It has a similar limitation in that the tool is not viable until the hardware and operating system are in working order.
- Windows Server Backup: This also requires that the hardware and operating system are in working order. Windows Server Backup can restore the CA and any other software and services that were on the CA server.
- DPM: This can provide a bare metal restore for your CA server. This is the cleanest and quickest way to recover your CA. When performing the DPM recovery, the administrator directs the bare metal recovery to a shared folder. The administrator starts the CA server by using the Windows installation media and then selects the Repair your computer option. From there, the administrator chooses the PC recovery option and browses to the shared folder. When the process completes, the server is fully recovered.

Question: How long can my PKI continue to function if the CA goes down?


Lesson 2

Maintaining Active Directory Lightweight Directory Services

As part of the overall maintenance of an IDA solution, knowledge of AD LDS maintenance procedures is important. Understanding the common administrative tasks, the tools to perform administration, and a thorough understanding of the backup and restore options allows an IT professional to successfully maintain AD LDS.

Objectives
After completing this lesson, you will be able to:
- Describe common Active Directory Lightweight Directory Services maintenance tasks.
- Describe the tools used to maintain Active Directory Lightweight Directory Services.
- Back up Active Directory Lightweight Directory Services.
- Restore Active Directory Lightweight Directory Services.
- Perform an authoritative restore of Active Directory Lightweight Directory Services.


Common AD LDS Maintenance Tasks

Key Points
The most common AD LDS maintenance tasks include the following:

- Start, stop, and restart an AD LDS instance: This is a routine task performed during maintenance or as part of troubleshooting.
- Perform backup and authoritative restores of AD LDS data: Backing up and restoring AD LDS data are very common administrative tasks. AD LDS is often used in rapidly changing development environments, so backups and restores are used more regularly than with many other IT technologies.
- Move the AD LDS data files: Administrators move AD LDS data as space becomes low or as performance needs increase.
- Change the AD LDS service account and port numbers: The most common time to change an AD LDS service account is when an administrator leaves or during an initial setup. Port numbers are often changed for testing or as new environments are brought online.
- Administer containers and objects: Creating, deleting, and modifying containers and objects occur on a regular basis.
- Extend AD LDS schema: In some environments, extending the AD LDS schema occurs for every AD LDS instance, while in other environments, a schema is never extended.
- Copy a schema from Active Directory Domain Services (AD DS): Administrators can use the AD DS/LDS Schema Analyzer to copy the schema from AD DS to AD LDS, or from one AD LDS instance to another AD LDS instance. The AD DS/LDS Schema Analyzer creates an LDIF import file.
- Import an AD DS schema into AD LDS: Administrators can use the LDIFDE command-line utility to import LDIF files. The LDIF file contains the AD DS schema elements.
- Manage directory data between all sites in an AD LDS configuration set: Ensuring that AD LDS replication is performing optimally and functioning correctly are important routine tasks for the AD LDS administrator.


- Manage object permissions: Administrators often give permissions to objects and remove permissions to objects.
- Synchronize AD LDS and AD DS: The Adamsync command-line tool can be used to synchronize data between AD DS and AD LDS.
- Import and export data to or from AD LDS: The command-line tool LDIFDE can be used to import and export data. The tool works with AD LDS and AD DS.

Question: Mistakes made during common administrative tasks are often the cause of production outages. How can organizations limit the damage of these outages?


Tools Used to Maintain AD LDS

Key Points
The following table outlines the common tools used to maintain AD LDS:

AD LDS tool: What does it do?
- AdamSync.exe: Adamsync is a command-line utility to synchronize data between AD DS and AD LDS.
- Dsacls.exe: Dsacls is a tool to manage ACLs for objects in an LDAP-based directory such as AD DS or AD LDS.
- Ldifde.exe or Csvde.exe: LDIFDE and CSVDE are both command-line tools to query and export data from LDAP-based directories. LDIFDE can also be used to import data into LDAP-based directories.
- Dsdbutil.exe: Dsdbutil is a command-line management tool for ADAM and AD LDS. It provides a variety of administrative functions, including changing the AD LDS service account.
- Ldp.exe: LDP is a GUI-based LDAP client that can be used to connect to AD DS or AD LDS to perform searches and modify data.
- ADSI Edit snap-in: ADSIEdit is a tool to manage LDAP-based directories such as AD DS or AD LDS. ADSIEdit and LDP provide similar functionality.
- AD DS/LDS Schema Analyzer: The AD DS/LDS Schema Analyzer is used to export AD DS schema elements to an LDIF import file which can then be imported into the AD LDS schema.
- AD LDS Setup Wizard: Creates new AD LDS instances and replicas.


- Active Directory Schema snap-in: The Active Directory Schema snap-in allows administrators to view and edit the schema for AD DS or AD LDS.
- Active Directory Sites and Services snap-in: The Active Directory Sites and Services snap-in allows administrators to look at the replication configuration and status for AD DS or AD LDS.

Question: What are some other common AD DS tools that can be used with AD LDS?


Backing Up AD LDS

Key Points
There are a few key considerations for backing up AD LDS:

- By default, each AD LDS instance stores its database file and the associated log files in an instance-specific folder. The default location for this folder is %Program Files%\Microsoft ADAM\instancename, where instancename refers to the AD LDS instance name. You should include these files in the regular backup schedule of the organization.
- You can use Windows Server Backup, dsdbutil.exe, or any other backup program to perform the backup. Ensure that the AD LDS instance is running when the backup is performed. Dsdbutil.exe is a command-line based backup that can target just the AD LDS instance for the backup.
- Like any other production data, you should back up AD LDS database and log files regularly to ensure data availability. Membership in the local Administrators group or in the Backup Operators group is required to perform the backup.
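The instance-only method above, Dsdbutil.exe, takes its interactive commands as quoted arguments, which makes it scriptable. The script below is an added example, not course material, for an assumed instance named ContosoLDS; the instance's service is ADAM_<instancename>, and its data folder is read from that service's Parameters key (the same DSA Working Directory value AD DS uses, assumed here to apply to AD LDS), so the script never guesses the path.

```powershell
# Added example: back up one AD LDS instance with dsdbutil (instance must be running).
$Instance   = 'ContosoLDS'                      # assumed instance name
$BackupRoot = 'D:\LDSBackup'                    # assumed target, on a different volume
$Target     = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')

# dsdbutil reads the live database, so a stopped instance cannot be backed up this way.
$svc = Get-Service -Name "ADAM_$Instance"
if ($svc.Status -ne 'Running') { throw "Instance $Instance is not running; dsdbutil needs a running instance" }

# Where the instance keeps adamntds.dit and its logs (assumed Parameters layout).
$params  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_$Instance\Parameters"
$dataDir = $params.'DSA Working Directory'
Write-Host "Instance $Instance data folder: $dataDir"

# "ifm" / "create full" writes a consistent snapshot of the database plus what is
# needed to rebuild an instance or stand up a replica from it.
dsdbutil "activate instance $Instance" "ifm" "create full $Target" quit quit
if ($LASTEXITCODE -ne 0) { throw "dsdbutil backup failed with exit code $LASTEXITCODE" }

# Minimal sanity check: the snapshot must contain the database file.
$dit = Get-ChildItem $Target -Recurse -Filter adamntds.dit
if (-not $dit) { throw "Backup at $Target contains no adamntds.dit" }
Write-Host ("Backup OK: {0} ({1:N0} bytes)" -f $dit.FullName, $dit.Length)

# For a whole-server backup the same folder also belongs in Windows Server Backup:
#   wbadmin start backup -backupTarget:E: -include:$dataDir -quiet
```

The snapshot holds every object and attribute in the instance, including any secrets applications store there, so the backup location needs the same ACLs as the live data folder, not the permissive defaults of a shared backup drive.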

Question: During a backup, the AD LDS instance should be running. Is that the same recommendation when performing a restore?


How to Restore AD LDS

Key Points

There are a couple of methods to consider when restoring AD LDS. One method is used when restoring data to a running AD LDS instance and the other method is used to restore an AD LDS instance that was lost during a server hardware failure.

The following is the process to restore a running AD LDS instance:
1. Stop the AD LDS instance.
2. Use a backup program to restore the instance and overwrite any existing files.
3. Restart the AD LDS instance.

The following is the process to restore an AD LDS instance after a server hardware failure:
1. On a new server, create a new AD LDS instance using the same settings that were originally used for the original instance. Do not create an application directory partition during the AD LDS setup process.
2. Stop the new instance.
3. Use a backup program to restore and overwrite any existing files.
4. Restart the AD LDS instance.

Question: What are two methods to stop an AD LDS instance?


Performing an Authoritative Restore of Data on an AD LDS Instance

Key Points

An authoritative restore is used when objects are deleted and the changes have replicated to other AD LDS servers in the configuration set. By authoritatively restoring AD LDS, the restored objects are replicated to the other AD LDS servers in the configuration set. The authoritative restore procedure includes the following steps:
1. Stop the AD LDS instance. The instance should be stopped before beginning the restore.
2. Use Windows Server Backup to restore the instance data and overwrite files.
3. Use Dsdbutil.exe to activate the instance. Activate the instance to perform additional actions on the instance.
4. Use Dsdbutil.exe to perform an authoritative restore. The actual command, authoritative restore followed by the restore type (restore object or restore subtree), performs the authoritative restore.
5. Start the AD LDS instance after the restore and verify the restored data is present.

Question: How can Windows PowerShell be used to stop and start AD LDS instances?


Lesson 3

Maintaining Active Directory Federation Services

The maintenance of AD FS focuses on managing resource groups, renewing and importing certificates, troubleshooting and resolving DNS issues, and monitoring and investigating AD FS events. The ability to backup and restore AD FS is also a valuable skill when maintaining AD FS.

Objectives
After completing this lesson, you will be able to:
- Describe the common Active Directory Federation Services maintenance tasks.
- Describe the tools used to maintain Active Directory Federation Services.
- Monitor Active Directory Federation Services events.
- Back up Active Directory Federation Services components.


Common AD FS Maintenance Tasks

Key Points
The common AD FS maintenance tasks include:

- Renew and import certificates: Digital certificates expire. They must be renewed or replaced to maintain services. To minimize the administrative overhead, some organizations choose to get certificates that are valid for three to five years.
- Monitor and maintain AD DS and AD LDS to ensure account store availability: Managing IDA involves many roles and technologies. The account stores are a large piece of an IDA solution, so it is important to monitor those environments. When certain thresholds are met, the support teams should be alerted so issues can be quickly resolved.
- Back up and restore AD FS components: Backing up and restoring AD FS components should involve a simulated disaster recovery scenario where the support team performs a recovery using a real backup. Typically, the recovery occurs in a controlled lab environment. It can be trouble if you find yourself in a disaster recovery situation and the team has never actually restored the AD FS components.
- Manage resource groups of the resource partner organization if you use Windows token-based applications: This is a fairly routine task which typically involves adding and removing members for the resource groups.
- Resolve DNS names to ensure that the server and clients can locate resources: During troubleshooting, DNS resolution is one of the first areas to validate. DNS validation can be added to your monitoring and alerting system.
- Ensure network connectivity for the server and clients: Keeping all of the machines connected and communicating with each other on the network comes into play during troubleshooting or migrations.
- Add new applications: An occasional administrative task will be to add a new AD FS 2.0 application to the environment. It is important for the support team to be comfortable with this, as it may happen in a troubleshooting scenario too.

MCT USE ONLY. STUDENT USE PROHIBITED

7-20

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Maintain the health and performance of web servers: Best practices call for creating a performance baseline for your servers and applications upon initial deployment. Later, you will have good reference points for troubleshooting and upgrades. Maintaining the health of web servers requires you to ensure that the servers run within their established baseline, install the latest patches, and monitor events and performance.

Question: You recently implemented monitoring for your IDA technologies. You have two roles on your team: mid-level administrators and senior-level administrators. How can you design your alerting to make the most efficient use of the different administrative roles?


Tools Used to Maintain AD FS

Key Points
IT professionals may find that there are few maintenance tools for AD FS 2.0. The following tools are typically used by AD FS administrators:

Wevtutil.exe: This is a built-in tool available in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. It allows administrators to manage the Windows event logs from the command line.

Windows PowerShell: AD FS 2.0 adds over 40 cmdlets to Windows PowerShell. PowerShell is helpful for automating routine tasks and performing advanced configuration and troubleshooting.

Active Directory Federation Services snap-in: The AD FS snap-in is the main management console for AD FS configuration tasks. The snap-in is where much of the initial configuration occurs and where administrators update the configuration.

Event Viewer: AD FS 2.0 has its own event logs in the Event Viewer. Administrators usually go to the AD FS-specific logs first and then follow up with a review of the Application, Security, and System logs.
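The following is an added example, not part of the course text, showing how the two command-line tools above are used together from a PowerShell session on an AD FS 2.0 federation server. The snap-in name Microsoft.Adfs.PowerShell and the event channel name "AD FS 2.0/Admin" are the product's own; the export folder is a placeholder.

```powershell
# Added example (not course material): enumerate the AD FS 2.0 cmdlets and
# work with the AD FS 2.0 Admin log through wevtutil.exe.

# AD FS 2.0 ships its cmdlets as a PowerShell snap-in, not a module, so it
# must be loaded before any *-ADFS* cmdlet is available.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# List every cmdlet the snap-in provides, grouped by verb, so the team can
# see what is scriptable (Get-*, Set-*, Add-*, Remove-* ...).
Get-Command -PSSnapin Microsoft.Adfs.PowerShell |
    Sort-Object Verb, Noun |
    Format-Table Verb, Noun -AutoSize

# Confirm the AD FS event channels exist on this server (el = enum-logs).
wevtutil.exe el | Where-Object { $_ -like 'AD FS 2.0*' }

# Show the 20 most recent Admin-log events, newest first, as readable text
# (qe = query-events; /rd:true reverses direction; /f:text formats output).
wevtutil.exe qe 'AD FS 2.0/Admin' /c:20 /rd:true /f:text

# Export the Admin log to an .evtx file before a troubleshooting session so
# the evidence survives log rollover. $exportPath is a placeholder.
$exportPath = "C:\Temp\ADFS-Admin-$(Get-Date -Format yyyyMMdd-HHmm).evtx"
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
wevtutil.exe epl 'AD FS 2.0/Admin' $exportPath
```

The exported .evtx file can be opened on any workstation with Event Viewer, which keeps analysts off the federation server while they review events.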

Question: How can you obtain all of the available PowerShell cmdlets for AD FS?


Monitoring AD FS Events

Key Points

AD FS has configurable event logging that can be tailored to an organization's requirements. The default log levels for AD FS include the following:

Verbose: This is used to capture the maximum amount of information besides debug logging. Verbose logging for AD FS is the default and can be run continuously without any issue.

Error: These are events that most likely require immediate action and indicate a serious problem.

Warning: These events are of moderate importance and may indicate a current issue or an issue that is building.

Information: These events are the least important event type and can be filtered out of the event view for maximum efficiency.

AD FS also has configurable auditing that can log additional information to the Security event log. Auditing is typically enabled for troubleshooting only, due to the large volume of events. The following auditing events can be enabled:

Success Audit: An entry is logged in the event log for every successful authentication or changed policy.

Failure Audit: An entry is logged in the event log for every unsuccessful authentication attempt or unsuccessful policy update attempt.

Detailed Success Audit: This is similar to Success Audit except that additional information about the involved tokens is also logged.

Detailed Failure Audit: This is similar to Failure Audit except that additional information about the involved tokens is also logged.


In addition to the built-in logging, IT professionals need to determine how to gather the events in a centralized location and then report on those events based on defined criteria. Such a solution is a monitoring solution and usually involves the use of a monitoring application or service. Microsoft System Center Operations Manager (SCOM) can monitor and alert on AD FS events by using a dedicated AD FS 2.0 management pack. By combining the AD FS 2.0 management pack with other management packs, such as the AD DS management pack, an IT professional can provide end-to-end monitoring for their IDA solution.

Question: How can you use Windows Server 2008 to provide basic monitoring and notification for AD FS 2.0?
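As an added example that is not part of the course, the script below puts the two preceding topics together: it switches AD FS 2.0 auditing on for a troubleshooting window (the log-level values and the "Application Generated" audit subcategory are the product's own requirements) and implements a basic poll-and-notify check using only Windows Server 2008 components (Get-WinEvent, Send-MailMessage, and a scheduled task that runs the script). The SMTP host and mail addresses are placeholders.

```powershell
# Added example (not course material): AD FS 2.0 audit switch plus a minimal
# event-log poller that sends mail when Error/Warning events appear.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Show the current log level; the default set is Errors, Warnings,
# Information and Verbose, which matches the Verbose default noted above.
(Get-ADFSProperties).LogLevel

function Enable-AdfsAuditing {
    # Adds the two audit levels on top of the default set. Audits go to the
    # Security log and are high volume, so treat this as troubleshooting-only.
    Set-ADFSProperties -LogLevel @('Errors', 'Warnings', 'Information', 'Verbose',
                                   'SuccessAudits', 'FailureAudits')
    # AD FS audits are written through the "Application Generated" subcategory,
    # which must also be enabled in the local audit policy or nothing is logged.
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
}

function Disable-AdfsAuditing {
    # Return to the default levels once the investigation is over.
    Set-ADFSProperties -LogLevel @('Errors', 'Warnings', 'Information', 'Verbose')
    auditpol.exe /set /subcategory:"Application Generated" /success:disable /failure:disable
}

function Get-RecentAdfsProblems {
    param([int]$Minutes = 15)
    # Level 2 = Error, 3 = Warning in the Windows event model. The Admin
    # channel is the one operators check first. "No events" is not an error,
    # hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'AD FS 2.0/Admin'
        Level     = 2, 3
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
}

# --- the part a scheduled task would run every 15 minutes ---
$events = @(Get-RecentAdfsProblems -Minutes 15)
if ($events.Count -gt 0) {
    $body = $events |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List | Out-String
    # Placeholder relay and addresses; replace with the organization's own.
    Send-MailMessage -SmtpServer 'smtp.example.com' `
        -From 'adfs-monitor@example.com' `
        -To   'ida-oncall@example.com' `
        -Subject "AD FS 2.0 on $env:COMPUTERNAME: $($events.Count) error/warning event(s)" `
        -Body $body
}
```

Run Enable-AdfsAuditing only for the duration of an investigation and Disable-AdfsAuditing afterwards; the poller part is what goes into the scheduled task. SCOM with the AD FS 2.0 management pack replaces this kind of script with correlated alerts, but the script is enough to answer "is anything wrong right now" on a single federation server.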


Backing Up AD FS Components

Key Points

You can use Windows Server Backup or any other supported backup application to back up AD FS 2.0. The following table describes the components and files that you must back up on servers that run AD FS components.

AD FS Component           Components and files to back up
Federation Service        TrustPolicy.xml
                          Web.config and other files located in %systemdrive%\ADFS
                          System state
                          Custom transform module (.dll) and other related files
                          Applicationhost.config
Federation Service Proxy  Web.config and other files under %systemdrive%\ADFS
                          System state
                          Applicationhost.config
AD FS Web Agent           %systemdrive%\ADFS
                          System state
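An added example (not the course's own procedure) of scripting the table above on a federation server: the files are copied to a dated folder with their original relative paths preserved, and the system state is captured with wbadmin.exe, the command-line side of Windows Server Backup. It assumes the Windows Server Backup feature is installed; the backup root and target volume are placeholders, and applicationHost.config is taken from its standard IIS location.

```powershell
# Added example (not course material): file copy plus system state backup
# for the AD FS components listed in the table.

$backupRoot  = "D:\ADFSBackup\$(Get-Date -Format yyyyMMdd)"   # placeholder
$systemDrive = $env:SystemDrive

# Items named in the table. The ADFS folder holds TrustPolicy.xml, Web.config
# and any custom transform module; applicationHost.config is the IIS
# configuration store under %windir%\System32\inetsrv\config.
$items = @(
    "$systemDrive\ADFS",
    "$env:windir\System32\inetsrv\config\applicationHost.config"
)

New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
foreach ($item in $items) {
    if (Test-Path $item) {
        # Keep the original path (minus the drive letter) under the backup
        # root so a restore can put each file back where it came from.
        $dest = Join-Path $backupRoot ($item -replace '^[A-Za-z]:\\', '')
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -Path $item -Destination $dest -Recurse -Force
    }
    else {
        # A proxy or Web Agent server legitimately lacks some items.
        Write-Warning "Not present on this server: $item"
    }
}

# System state (registry, certificate stores, IIS configuration and more).
# -quiet suppresses the confirmation prompt so the command can be scheduled;
# the target must be a local volume on Windows Server 2008.
wbadmin.exe start systemstatebackup -backupTarget:D: -quiet

# Record what was captured for the backup log.
Get-ChildItem -Path $backupRoot -Recurse |
    Select-Object FullName, Length, LastWriteTime
```

The file copy alone is not a complete backup: the system state carries the server's certificate stores and private keys that the federation service signs and decrypts with, which is why the table lists it for every role.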

Question: Besides the AD FS components that run on AD FS servers, what else should be backed up to support an end-to-end backup solution for AD FS?


Lesson 4

Maintaining Active Directory Rights Management Services

To maintain AD RMS, administrators should be familiar with AD RMS logging, reporting, and the AD RMS console. In addition, administrators should understand the common maintenance and administrative tasks required.

Objectives
After completing this lesson, you will be able to:

Describe the common Active Directory Rights Management Services maintenance tasks.

Describe the tools used to maintain Active Directory Rights Management Services.

Describe Active Directory Rights Management Services database maintenance.

View AD RMS reports.

Back up the Active Directory Rights Management Services configuration database.


Common AD RMS Maintenance Tasks

Key Points
The most common AD RMS maintenance tasks are listed below:

Enable exclusion policies: This routine task allows administrators to exclude users or application versions from acquiring a use license.

Establish trust policies: When an organization wants to extend AD RMS to an outside organization or to Windows Live ID, trust policies can be enabled.

Manage AD RMS databases: This task may be owned by the database team in large enterprise environments. In smaller environments, a single team may be responsible for both AD RMS and Microsoft SQL Server.

Configure and distribute rights policy templates: Maintaining templates is an ongoing task. Users may request updated templates or new templates as requirements change.

Change the AD RMS service account: This task should be fairly uncommon. It might occur if an AD RMS administrator leaves the organization, if there is a security breach, or if you are upgrading or migrating.

Register or change the service connection point (SCP): This task occurs during installation and troubleshooting, or when recovering from a disaster.

Change the cluster key password: Administrators may change the cluster key password when an AD RMS administrator leaves the organization or if there has been a security breach.

View AD RMS reports: Viewing reports is a common maintenance task. Determining current usage numbers and looking at the health of the environment are common goals when viewing reports.

Configure AD RMS logging: Administrators can configure additional logging for troubleshooting situations. Then, administrators can use the extra information to help resolve an issue and configure logging back to regular levels.


Maintain the health and performance of AD RMS servers: As part of the initial deployment, administrators should capture a performance baseline of the AD RMS servers and use that as part of the maintenance to ensure the health and performance of AD RMS.

Configure and maintain user accounts: Configuring administrative accounts, service accounts, and delegating rights are common AD RMS maintenance tasks.

Question: It seems like keeping detailed or debug logging enabled is a benefit for all IDA related technologies. What are the downsides?


Tools Used to Maintain AD RMS

Key Points
The maintenance of AD RMS can be handled by using the following command-line methods and a few management console snap-ins:

Active Directory Rights Management Services Bulk Protection Tool: The AD RMS Bulk Protection Tool is a utility offered by Microsoft as a free download. It is a command-line tool that can encrypt and decrypt documents in bulk. For example, if a hundred Microsoft Word documents need to be encrypted, the AD RMS Bulk Protection Tool can encrypt them with minimal administrative overhead.

Windows PowerShell: There are 25 Group Policy related cmdlets for working with Group Policy Objects.

Windows PowerShell for AD RMS: AD RMS adds several AD RMS-specific cmdlets to Windows PowerShell. The cmdlets can perform everything from an installation to advanced configuration.

Active Directory Rights Management Services console: This is the main administrative console that is used to configure AD RMS, configure policies, configure templates, and view reports and health information.

Group Policy Management Console: The GPMC is where administrators configure Group Policy Objects for template distribution or for deploying client software (or client software updates).

Internet Information Services (IIS) Manager: IIS Manager is where administrators go to install or update the SSL certificate, configure IIS logging, or troubleshoot IIS-related issues.


AD RMS Database Maintenance

Key Points
AD RMS relies on three distinct databases:

Configuration database: The configuration database stores the AD RMS configuration, account certification, and licensing information. Each AD RMS cluster has a configuration database.

Directory services database: The directory services database houses information about users, group membership, and other data obtained from the AD DS back end. Think of the directory services database as a cache of the AD DS database information.

Logging database: The logging database is used by the AD RMS logging service to log data. AD RMS has decreased the size of the logging database significantly since RMS version 1.

Maintaining the AD RMS databases revolves around the following administrative tasks:

Log backup: Backing up the AD RMS logs is important to recover from a disaster. A daily full backup is the recommended backup, unless specific business requirements mandate a different strategy.

Log shipping: Log shipping refers to the sending of SQL transaction logs from the source server to a standby destination server. The destination server houses a replica of the source database and is updated as new logs are shipped. Log shipping does not replace a backup but can be the first stop in a disaster recovery situation.

Log trimming: Trimming the logs (sometimes referred to as log database purging) is an ongoing maintenance task that keeps the logging databases from growing indefinitely. Microsoft provides a sample script that performs this task for the AD RMS logging database.

Log consolidation: Some organizations report on technologies and provide trending information to organizational departments. In such a situation, log trimming makes providing long-term trending information difficult. Log consolidation allows an administrator to use a script to send important database fields to a longer-term aggregation database. The aggregation database can be used for reporting and trending over the long term.

Question: Why is log shipping often the first step in a disaster recovery situation?


Viewing AD RMS Reports

Key Points
You can use AD RMS to generate reports that provide information about AD RMS licenses, domain accounts, and the overall health of the AD RMS cluster. The following table lists the reports that AD RMS can generate.

Report                   Description
Statistics reports       This report provides information about the total number of accounts, domain accounts, and federated identities that the AD RMS root cluster certifies, or grants a rights account certificate (RAC) to.
System Health reports    This report uses a wizard to provide information about the overall health of the AD RMS cluster. The System Health Report has two views: Request Type Summary and Request Performance Summary.
Troubleshooting reports  This report uses a wizard to provide information about troubleshooting issues with AD RMS licenses.

You must install the Microsoft Report Viewer to access the System Health and Troubleshooting reports.

Question: Besides the reporting available in AD RMS, where could you get detailed reporting data?


Backing Up the AD RMS Configuration Database

Key Points
Backing up the AD RMS database is performed from SQL Server Management Studio, as follows:

1. Locate the DRMS_Config_servername_domainname database in the list of databases on the SQL server.

2. Right-click the database, expand Tasks, and then select Back Up.

3. Verify the database to be backed up, verify the backup type, and then verify the destination.

4. Click OK to start the backup.

5. Upon successful backup, a popup indicates that the backup completed successfully.
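The script below is an added example, not part of the course, giving the command-line equivalent of the Management Studio steps above and of the "daily full backup" recommended under log backup in the database maintenance topic. It issues a T-SQL full backup through System.Data.SqlClient, so it needs no SQL Server PowerShell snap-in and can run from a scheduled task. The SQL instance name and backup folder are placeholders; the database name follows the DRMS_Config_servername_domainname pattern given above and must be replaced with the real name.

```powershell
# Added example (not course material): scheduled full backup of the AD RMS
# configuration database with a verification pass.

$sqlInstance = 'MIA-SQL1'                          # placeholder
$database    = 'DRMS_Config_servername_domainname' # placeholder pattern from the text
$backupDir   = 'D:\ADRMSBackup'                    # placeholder; a path on the SQL server
$backupFile  = Join-Path $backupDir ("{0}_{1}.bak" -f $database, (Get-Date -Format yyyyMMdd_HHmm))

function Invoke-Tsql {
    # Runs one T-SQL batch with integrated authentication and no timeout,
    # because a full backup can outlast the default 30-second limit.
    param([string]$Server, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 0
        [void]$cmd.ExecuteNonQuery()
    }
    finally { $conn.Close() }
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# FULL backup into a date-stamped file so daily runs never overwrite each
# other; CHECKSUM lets the restore side detect media corruption.
Invoke-Tsql -Server $sqlInstance -Query @"
BACKUP DATABASE [$database]
TO DISK = N'$backupFile'
WITH FORMAT, INIT, CHECKSUM,
     NAME = N'AD RMS configuration database - full';
"@

# Do not trust a backup that has never been read back: RESTORE VERIFYONLY
# checks that the file is complete and the page checksums are intact.
Invoke-Tsql -Server $sqlInstance -Query "RESTORE VERIFYONLY FROM DISK = N'$backupFile' WITH CHECKSUM;"

"Backup written and verified: $backupFile"
```

The account running the task needs the BACKUP DATABASE permission on the database (db_backupoperator membership is enough) and write access to the backup folder; it does not need sysadmin.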

Question: In SQL, what is the difference between a simple backup and a full back up?


Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

Objectives
After completing the lab, you will be able to:

Configure CA event auditing.

Back up Active Directory Certificate Services.

Back up and restore an Active Directory Lightweight Directory Services instance.

Configure AD RMS logging.

Scenario

You have completed the deployment and configuration of the additional Identity and Access Solutions at Woodgrove Bank. As part of the ongoing maintenance of these services, you need to monitor, back up, and restore AD CS, AD LDS, and AD RMS.

You need to configure CA event auditing and schedule an ongoing backup of the AD CS component. You also need to test your AD LDS backup and restore procedures. In addition, management has asked you to generate some AD RMS reports on a regular basis. You need to prepare the environment for reporting and view some built-in AD RMS reports. Finally, complete the AD RMS maintenance tasks by enabling AD RMS logging.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-MIA-DC1 virtual machine.

Start the 6426C-MIA-DC1 virtual machine, and log on using the user name WOODGROVEBANK\Administrator and the password Pa$$w0rd.


Exercise 1: Configuring CA Event Auditing


During this exercise, you configure CA event auditing. The main tasks for this exercise are as follows:

1. Enable the auditing of object access.

2. Enable CA auditing.

Task 1: Enable the auditing of object access


1. On the 6426C-MIA-DC1 virtual machine, modify the Default Domain Controllers Policy to enable Audit object access auditing for Success and Failure events.

2. Open a command prompt window and run gpupdate /force.

Task 2: Enable CA auditing


1. On the 6426C-MIA-DC1 virtual machine, use the Certification Authority snap-in to enable auditing of all CA events.

2. Restart the AD CS service.

Results: After this exercise, you have enabled auditing of object access and enabled CA auditing.
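As an added example that is not part of the lab, the commands below do the same two tasks from an elevated PowerShell session on the CA, which is handy for a standalone CA or for checking that the Group Policy setting actually landed. The audit policy is set locally with auditpol.exe here instead of through the Default Domain Controllers Policy, so on a domain controller a conflicting GPO setting would win at the next refresh; the CA AuditFilter value is the registry setting behind the snap-in's Auditing tab.

```powershell
# Added example (not lab material): enable CA event auditing from the command
# line and confirm that audit events start arriving in the Security log.

# 1. Object access auditing for the Certification Services subcategory,
#    success and failure, which is the subcategory CA audits are written under.
auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. AuditFilter is a bitmask of the seven CA audit event classes shown on the
#    snap-in's Auditing tab; 127 selects all of them, matching the lab task.
certutil.exe -setreg CA\AuditFilter 127

# 3. The filter is read at service start, so restart AD CS.
Restart-Service -Name CertSvc

# 4. Checks: read the setting back, confirm the audit policy, and look for the
#    first audit events. Event 4880 (Certificate Services started) is logged
#    as soon as the restarted service comes up with auditing active.
certutil.exe -getreg CA\AuditFilter
auditpol.exe /get /subcategory:"Certification Services"

Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        StartTime    = (Get-Date).AddMinutes(-5)
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Certification Services' } |
    Select-Object TimeCreated, Id, Message
```

If the last command returns nothing after the restart, the usual cause is that the object-access policy is not effective (step 1 overridden by a GPO, or gpupdate not yet run), not the AuditFilter value.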


Exercise 2: Backing Up Active Directory Certificate Services


During this exercise, you schedule an ongoing backup of the AD CS component. The main task for this exercise is as follows: Schedule a task to perform CA backup.

Task 1: Schedule a task to perform CA backup


1. On the 6426C-MIA-DC1 virtual machine, use Task Scheduler to create a new task with the following parameters:

   Name: CA Backup
   User account to run the task: WOODGROVEBANK\Backup
   User password: Pa$$w0rd
   Options: Run whether user is logged on or not; Run with highest privileges
   Trigger: Daily (set the time to run within five minutes from now)
   Action: Program/script: certutil
   Add arguments (optional): -backup -p Pa$$w0rd C:\CAbackup

2. Wait for the task to start, and then complete the backup.

3. Confirm that the backup has completed successfully by viewing the content of the C:\CAbackup folder and checking the task status.

Results: After this exercise, you have scheduled a task to perform an AD CS daily backup.
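The following is an added example, not part of the lab, that creates the same "CA Backup" task with schtasks.exe and then checks the outcome the way step 3 does. The task name, account, backup folder and certutil arguments are the exercise's; both passwords are read at the prompt rather than written into the script.

```powershell
# Added example (not lab material): create, run and check the CA backup task
# from the command line.

$taskName   = 'CA Backup'
$runAs      = 'WOODGROVEBANK\Backup'
$backupDir  = 'C:\CAbackup'
$runAsPw    = Read-Host -Prompt "Password for $runAs"
$caBackupPw = Read-Host -Prompt 'Password that will protect the exported CA key'
$startTime  = (Get-Date).AddMinutes(5).ToString('HH:mm')   # "within five minutes from now"

# /RU with /RP  = run whether the user is logged on or not
# /RL HIGHEST   = run with highest privileges
# /SC DAILY /ST = the daily trigger from the exercise
schtasks.exe /Create /F /TN $taskName /SC DAILY /ST $startTime `
    /RU $runAs /RP $runAsPw /RL HIGHEST `
    /TR "certutil.exe -backup -p $caBackupPw $backupDir"

# Start it now rather than waiting for the trigger, then poll until it ends.
schtasks.exe /Run /TN $taskName
do {
    Start-Sleep -Seconds 10
    $status = schtasks.exe /Query /TN $taskName /FO LIST /V
} while ($status -match 'Status:\s+Running')

# "Last Result: 0" means certutil exited cleanly. The folder should contain the
# CA certificate and key (.p12) plus a DataBase subfolder with the .edb file.
$status | Where-Object { $_ -match '^(Status|Last Run Time|Last Result):' }
Get-ChildItem -Path $backupDir -Recurse | Select-Object FullName, Length
```

The -p password is stored in the task's action and is visible in the process command line while certutil runs, exactly as in the Task Scheduler version of the exercise; keep the task and the C:\CAbackup folder readable only by the backup account and CA administrators, because the .p12 in that folder is the CA's private key.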


Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
During this exercise, you test your AD LDS backup and restore procedures. The main tasks for this exercise are as follows:

1. Back up the AD LDS instance.

2. Restore the AD LDS instance from backup.

Task 1: Use dsdbutil to back up the test1 AD LDS instance


1. On the 6426C-MIA-DC1 virtual machine, create a folder named backup in the root of C:\.

2. Activate the test1 instance.

3. Go to the ifm prompt and then use the create full command to create a full backup of AD LDS in the c:\backup\test1 folder.

Task 2: Use dsdbutil to restore the test1 AD LDS instance backup


1. On the 6426C-MIA-DC1 virtual machine, stop the AD LDS test1 instance.

2. Use xcopy to copy the .dit file from the backup folder to the default location of the AD LDS .dit file. Ensure that you use the xcopy switch to copy ownership and ACL information.

3. Start the AD LDS test1 instance.

Results: After this exercise, you have performed a backup of the AD LDS test1 instance and performed a restore of the AD LDS test1 instance using the backup file.
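As an added example that is not part of the lab, the script below performs both tasks of the exercise non-interactively: dsdbutil.exe accepts its prompt commands as quoted arguments, so the ifm backup can be taken without typing at the prompt, and the restore copies the .dit back with the xcopy switch the exercise calls for. The instance name test1 and the C:\backup path are the exercise's; the service name ADAM_test1 and the data folder under %ProgramFiles%\Microsoft ADAM are the AD LDS defaults for an instance of that name.

```powershell
# Added example (not lab material): scripted IFM backup and .dit restore of
# the AD LDS instance test1.

$instance  = 'test1'
$backupDir = "C:\backup\$instance"
$service   = "ADAM_$instance"                                   # AD LDS instances run as ADAM_<name>
$dataDir   = "$env:ProgramFiles\Microsoft ADAM\$instance\data"  # default data folder

# --- Task 1: activate the instance, enter ifm, create a full media set ---
New-Item -ItemType Directory -Path (Split-Path $backupDir) -Force | Out-Null
dsdbutil.exe "activate instance $instance" "ifm" "create full $backupDir" quit quit
if ($LASTEXITCODE -ne 0) { throw "dsdbutil backup failed with exit code $LASTEXITCODE" }

# --- Task 2: stop the instance, copy the .dit back, start the instance ---
# Locate the database inside the IFM folder instead of assuming its subpath.
$ditBackup = Get-ChildItem -Path $backupDir -Recurse -Filter adamntds.dit | Select-Object -First 1
if (-not $ditBackup) { throw "No adamntds.dit found under $backupDir" }

Stop-Service -Name $service -Force
# /O copies ownership and ACL information (the switch the exercise requires),
# /X additionally copies audit settings, /H includes hidden/system files,
# /Y suppresses the overwrite prompt so the script does not stall.
xcopy.exe $ditBackup.FullName "$dataDir\" /O /X /H /Y
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }
Start-Service -Name $service

# Checks: the service is back, and the restored file matches the backup copy.
(Get-Service -Name $service).Status
$restored = Get-Item (Join-Path $dataDir 'adamntds.dit')
"Restored {0} bytes, written {1}; backup copy {2} bytes" -f `
    $restored.Length, $restored.LastWriteTime, $ditBackup.Length
```

Because the restore replaces only the database file, any change made to the instance after the backup is lost, which is the point of a point-in-time restore test; the exercise's "Results" line is satisfied when the service is Running and the file sizes match.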


Exercise 4: Configuring AD RMS Logging


During this exercise, you finish your AD RMS maintenance tasks by enabling AD RMS logging. The main tasks for this exercise are as follows:

1. Enable logging for the cluster.

2. Limit disk space usage for message queuing.

Task 1: Enable logging for the cluster

On the 6426C-MIA-DC1 virtual machine, use the AD RMS console window to enable logging.

Task 2: Limit disk space usage for message queuing


1. On the 6426C-MIA-DC1 virtual machine, use Server Manager to access private queues.

2. Expand Features, expand Message Queuing, expand Private queues, and then set the Limit message storage to (KB) to 1024000.

3. Log off the 6426C-MIA-DC1 virtual machine.

Note: Message queuing stores all queued messages up to the limit of the free storage space. If all of the available disk space is used, the AD RMS server is not able to service any client requests.

Results: After this exercise, you have enabled AD RMS logging and configured a limit for the message queuing storage space.


Module Review and Takeaways

Review Questions
1. What tool can you use to perform a bare metal restore of the Certification Authority server?

2. You accidentally deleted an AD LDS user account. You restored the AD LDS instance by using Windows Server Backup. However, a few minutes later, you notice that the user account is deleted again. What should you do?

3. What log level should you use to capture the maximum amount of logging for AD FS 2.0?


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Exploring Identity and Access Solutions

Lab: Identifying IDA Roles to Meet Business Requirements


Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
Task 1: Identify business requirements
Question: What are the business requirements for Contoso Pharmaceuticals?

Answer: The business requirements for Contoso Pharmaceuticals are as follows:

Ensure that Contoso's IT infrastructure can be protected by using certificate authentication.

Protect Microsoft Office documents from being read by unauthorized people.

Enable Tailspin Toys employee access to Contoso's claims-based web application using their existing user credentials.

Give developers the ability to manage their own directory services for development.

Synchronize the HR database with the Active Directory database so that the information in the databases is consistent.

Task 2: Determine server roles and solutions required to meet the business requirements
Question 1: Which server role is required for certificate authentication?

Answer 1: Active Directory Certificate Services (AD CS) provides the PKI infrastructure which enables certificate distribution and is the foundation for certificate authentication. AD CS requires AD DS as a foundation.

Question 2: Which server role is required for protecting confidential Microsoft Office documents?

Answer 2: Active Directory Rights Management Services (AD RMS) protects Microsoft Office documents and email messages using templates and policies. AD RMS requires the use of a digital certificate and would typically use AD CS or a trusted third-party certificate provider for the AD RMS certificate.

Question 3: Which server role is required to allow Tailspin Toys access to Contoso's claims-aware web application?

Answer 3: Active Directory Federation Services (AD FS) will allow Tailspin Toys access to the claims-aware web application. An alternative method, although not discussed in the module, is an AD DS forest trust. AD FS is the preferred choice where feasible, as an AD DS forest trust requires more administrative overhead and has additional security implications.

Question 4: Which server role can be used to give developers more efficient directory services capabilities? Answer 4: Active Directory Lightweight Directory Services (AD LDS) allows developers to run directory services on their development workstations or servers without the overhead of AD DS. AD LDS is quick and simple to deploy and can run multiple instances on a single computer.


Question 5: Which solution would you use to synchronize the HR database with the Active Directory database?

Answer 5: Forefront Identity Manager (FIM) 2010 offers directory synchronization as one of its many IDA functions. The synchronization is typically scheduled on a repetitive basis (once an hour or once a day are common configurations).

Question 6: Which technology would allow developers to externalize identity logic from their applications?

Answer 6: Windows Identity Foundation. Externalizing identity logic is the direction in which everybody is trying to go. Imagine an Internet that uses a standard, single form of authentication (smart card or user name and password) to get to any site; for example, sites that accept Windows Live authentication.

Module 2: Deploying and Configuring Active Directory Certificate Services

Lab: Deploying and Configuring Active Directory Certificate Services


Lab Setup

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines.

Exercise 1: Deploying a Standalone Root CA


Task 1: Install the AD CS server role and configure it as a stand-alone root Certificate Authority (CA)
1. Start the 6426C-NYC-DC1 virtual machine and then start the 6426C-NYC-SVR1 virtual machine.

2. Log on to both computers as CONTOSO\Administrator, and type the password as Pa$$w0rd.

3. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager. The Server Manager console appears.

4. In the Server Manager console pane, right-click Roles, and then click Add Roles. The Add Roles Wizard appears.

5. On the Before You Begin page, click Next.

6. On the Select Server Roles page, under Roles, select the Active Directory Certificate Services check box, and then click Next.

7. On the Introduction to Active Directory Certificate Services page, click Next.

8. On the Select Role Services page, ensure that the Certification Authority check box is selected, and then click Next.

9. On the Specify Setup Type page, select Standalone, and then click Next.

10. On the Specify CA Type page, ensure that Root CA is selected, and then click Next.

11. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.

12. On the Configure Cryptography for CA page, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, but set the Key character length to 4096. Click Next to continue.

13. On the Configure CA Name page, in the Common name for this CA box, type ContosoCA, and then click Next.

14. On the Set Validity Period page, click Next.


15. On the Configure Certificate Database page, click Next.

16. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.

17. On the Installation Results page, click Close.

18. Close the Server Manager console.


Exercise 2: Deploying an Enterprise Subordinate CA


Task 1: Install an enterprise subordinate CA
1. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager. The Server Manager console appears.

2. In the Server Manager console pane, right-click Roles, and then click Add Roles. The Add Roles Wizard appears.

3. On the Before You Begin page, click Next.

4. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next.

5. On the Introduction to Active Directory Certificate Services page, click Next.

6. On the Select Role Services page, ensure that the Certification Authority check box is selected, and then select the Certification Authority Web Enrollment check box. The Add Roles Wizard dialog box appears.

7. In the Add Roles Wizard dialog box, click Add Required Role Services. When the Select Role Services page is available again, click Next.

8. On the Specify Setup Type page, ensure that Enterprise is selected, and then click Next.

9. On the Specify CA Type page, ensure that Subordinate CA is selected, and then click Next.

10. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.

11. On the Configure Cryptography For CA page, keep the default selections for CSP and Hash Algorithm. Keep the Key character length at 2048, and then click Next.

12. On the Configure CA Name page, in the Common name for this CA box, type ContosoIssuingCA, and then click Next.

13. On the Request Certificate from a Parent CA page, keep the default selection Send a certificate request to a parent CA selected, and then click Browse. The Select Certification Authority dialog box appears.

14. In the Select Certification Authority dialog box, click ContosoCA, and then click OK. When the Request Certificate From a Parent CA page is available again, click Next.

15. On the Configure Certificate Database page, click Next.

16. On the Web Server (IIS) page, click Next.

17. On the Select Role Services page, click Next.

18. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.

19. On the Installation Results page, click Close. You will receive a warning message indicating that the AD CS installation is incomplete. In Task 2, the step to complete the AD CS installation will be performed.

20. Close the Server Manager console.


Task 2: Issue and install the subordinate certificate


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority. The certsrv - [Certification Authority (Local)] console appears.

2. In the certsrv - [Certification Authority (Local)] pane, expand ContosoCA, and then click Pending Requests.

3. In the Details pane, right-click the pending request, point to All Tasks, and then click Issue.

4. To install the subordinate certificate that has been issued, on the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority. The certsrv - [Certification Authority (Local)] console appears.

5. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, point to All Tasks, and then click Install CA Certificate. The Select file to complete CA installation dialog box appears.

6. In the Select file to complete CA installation dialog box, click Cancel. The CA Certificate Request dialog box appears.

7. In the CA Certificate Request dialog box, click OK. This sends an online request to the parent CA.

8. After a few moments, the Microsoft Active Directory Certificate Services dialog box appears. Click OK to trust the root certificate. The certsrv - [Certification Authority (Local)] console should now be available again.

9. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, point to All Tasks, and then click Start Service.

10. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, and then click Properties. The ContosoIssuingCA Properties dialog box appears.

11. In the ContosoIssuingCA Properties dialog box, on the General tab, click View Certificate. The Certificate dialog box appears.

12. In the Certificate dialog box, notice that ContosoCA issued the certificate to ContosoIssuingCA. Click OK twice.

13. Close the certsrv - [Certification Authority (Local)] console.
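The commands below are an added example, not part of the lab answer key, for confirming from a command prompt what steps 10 to 12 show in the console: that both CAs answer, and that ContosoIssuingCA's certificate chains to ContosoCA. The CA names are the lab's; it is assumed that the virtual machines' computer names are NYC-DC1 and NYC-SVR1 and that the commands run as CONTOSO\Administrator on NYC-SVR1. The output folder is a placeholder.

```powershell
# Added example (not lab material): certutil.exe checks of the two-tier CA
# hierarchy built in Exercises 1 and 2.

$rootCa = 'NYC-DC1\ContosoCA'           # assumed host name \ CA name
$subCa  = 'NYC-SVR1\ContosoIssuingCA'   # assumed host name \ CA name
$out    = 'C:\Temp\ca-check'            # placeholder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Does each CA service answer an RPC request? A stopped service (Task 2,
# step 9 not done) shows up here first.
certutil.exe -config $rootCa -ping
certutil.exe -config $subCa  -ping

# CA type as the CA itself reports it: "Standalone Root CA" and
# "Enterprise Subordinate CA" are what Exercises 1 and 2 should produce.
certutil.exe -config $rootCa -cainfo type
certutil.exe -config $subCa  -cainfo type

# Pull each CA certificate, then verify the issuing CA's certificate. The
# verify output names ContosoCA as the issuer and reports the chain status.
certutil.exe -config $rootCa -ca.cert "$out\ContosoCA.cer"
certutil.exe -config $subCa  -ca.cert "$out\ContosoIssuingCA.cer"
certutil.exe -verify "$out\ContosoIssuingCA.cer"
```

With a freshly built standalone root whose CRL has not been published to a reachable location, certutil -verify reports a revocation check problem for the issuing CA's certificate even though the signature chain is correct; that is the expected state in this lab until CRL distribution is configured, and the place to look for a real trust problem is the issuer and chain lines, not the revocation line.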

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. Shut down 6426C-NYC-DC1 and 6426C-NYC-SVR1.

2. On the host computer, start Hyper-V Manager.

3. Right-click 6426C-NYC-DC1 in the Virtual Machines list, and then click Revert.

4. In the Revert Virtual Machine dialog box, click Revert.

5. Repeat these steps for 6426C-NYC-SVR1.

MCT USE ONLY. STUDENT USE PROHIBITED


L3-7

Module 3: Deploying and Configuring Certificates

Lab: Deploying Certificates and Managing Enrollment


Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.

Exercise 1: Configuring Certificate Templates


Task 1: Duplicate, install, and manually enroll a certificate
1. Start the 6426C-NYC-DC1-B virtual machine and then start the 6426C-NYC-SVR1-B virtual machine.
2. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
3. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click Certification Authority.
4. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
5. In the Details pane, right-click the User certificate template, and then click Duplicate Template.
6. In the Duplicate Template dialog box, select Windows Server 2008 Enterprise, and click OK.
7. In the Properties of New Template dialog box, in the Template display name box, type Local User.
8. On the Subject Name tab, clear the Include e-mail name in subject name and the E-mail name check boxes.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select Allow for the Enroll check box, and then click OK.
10. Close the Certificate Templates console.

Task 2: Configure the template to be issued by the CA


1. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Local User template, and then click OK.
3. Close the Certification Authority console.


Task 3: Verify that the certificate is updated


1. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node, and right-click Personal.
6. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
7. On the Before You Begin page, click Next.
8. On the Certificate Enrollment page, click Next.
9. On the Request Certificates page, select the Local User check box. Click Enroll, and then click Finish.
10. Right-click Certificates - Current User, and click Refresh. View the Local User certificate in the personal store.

Task 4: Create, duplicate, and supersede the Local User template with a new template that includes smart card logon
1. Click Start, point to Administrative Tools, and click Certification Authority.
2. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
3. In the Details pane, right-click the User certificate template, and then click Duplicate Template.
4. In the Duplicate Template dialog box, select Windows Server 2008 Enterprise, and then click OK.
5. In the Properties of New Template dialog box, type Contoso Smart Card User in the Template display name box.
6. On the Subject Name tab, clear the Include e-mail name in subject name and the E-mail name check boxes.
7. On the Extensions tab, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click Add.
9. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
10. Click the Superseded Templates tab, and click Add.
11. Click the Local User template, and click OK.
12. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select Allow for the Read, Enroll, and Autoenroll check boxes, and then click OK.
13. Close the Certificate Templates console.


Task 5: Configure the new template to be issued by the CA


1. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Contoso Smart Card User template, and click OK.
3. Close the Console1-[Console Root] console and do not save changes. Close all open windows, and then log off from the 6426C-NYC-SVR1-B virtual machine. You will verify that the certificate is updated in the next exercise.


Exercise 2: Configure Autoenrollment


Task 1: Configure the Contoso Smart Card User certificate template for autoenrollment

1. Log on to the 6426C-NYC-SVR1-B virtual machine as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificate Templates, and click Add.
5. Click OK to close the Add or Remove Snap-ins window.
6. Click to highlight Certificate Templates. In the right pane, right-click the Contoso Smart Card User template and select Properties. On the General tab, verify that the Publish certificate in Active Directory option is selected.
7. Click OK to close the certificate template properties window. Then, close the Console1-[Console Root] console and do not save changes.

Task 2: Configure the Default Domain Policy for autoenrollment


1. Log on to the 6426C-NYC-DC1-B virtual machine as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Group Policy Management.
3. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, then right-click Default Domain Policy and select Edit.
4. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies.
5. In the right pane, double-click Certificate Services Client - Auto-Enrollment.
6. In the Configuration Model drop-down box, choose Enabled.
7. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option.
8. Select the Update certificates that use certificate templates option.
9. Select the Expiration notification option and maintain the default value of 10%.
10. Click OK to close the properties window.
11. In the right pane, double-click the Certificate Services Client - Certificate Enrollment Policy object.
12. On the Enrollment Policy tab, set the Configuration Model to Enabled and ensure that the certificate enrollment policy list shows the Active Directory Enrollment Policy (it should have a checkmark next to it and a status of Enabled).
13. Click OK to close the window, and then close the Group Policy Management Editor and the Group Policy Management snap-in.


Task 3: Validate autoenrollment functionality from 6426C-NYC-SVR1-B


1. Start the 6426C-NYC-SVR1-B virtual machine (if 6426C-NYC-SVR1-B is already running, restart it).
2. Log on to the 6426C-NYC-SVR1-B virtual machine as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
3. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
4. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
7. Expand the Certificates - Current User node, expand the Personal node, and then click Certificates.
8. Examine the client authentication certificate issued to the administrator. Ensure that the certificate is based on the Contoso Smart Card User template; that is, scroll across the certificate properties in the Details pane and confirm that the Certificate Template field names Contoso Smart Card User.
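The same check as step 8, scripted. This is an added example and not part of the lab; it assumes Windows PowerShell with the Cert: drive on 6426C-NYC-SVR1-B, and the OIDs are the standard Microsoft ones for the template-information extension and the Smart Card Logon EKU added in Task 4.

```powershell
# Added example, not part of the lab: check from the CONTOSO\Administrator session on
# 6426C-NYC-SVR1-B that autoenrollment delivered a certificate based on the
# Contoso Smart Card User template, instead of scrolling the Details pane by hand.

$TemplateName    = 'Contoso Smart Card User'
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2 templates)
$SmartCardLogon  = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU added in Task 4
$ClientAuth      = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU inherited from User

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Decoded extension text reads: Template=<name>(<oid>), Major Version Number=..., ...
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if ($ext -and ($ext.Format($false) -match 'Template=([^(]+)\(')) { return $matches[1].Trim() }
    return $null
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    return $oids
}

function Test-AutoenrolledCertificate {
    param([string]$ExpectedTemplate = $TemplateName)
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        if ((Get-TemplateName $cert) -ne $ExpectedTemplate) { continue }
        $ekus = Get-EkuOids $cert
        New-Object PSObject -Property @{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer          # expected to name ContosoCA
            NotAfter       = $cert.NotAfter
            TimeValid      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            HasPrivateKey  = $cert.HasPrivateKey
            SmartCardLogon = ($ekus -contains $SmartCardLogon)
            ClientAuth     = ($ekus -contains $ClientAuth)
        }
    }
}

$results = @(Test-AutoenrolledCertificate)
if ($results.Count -eq 0) {
    Write-Warning "No '$TemplateName' certificate in the user's Personal store."
    Write-Warning "Trigger autoenrollment with 'certutil -pulse' (or gpupdate /force), then re-run."
} else {
    $results | Format-List Thumbprint, Subject, Issuer, NotAfter, TimeValid, HasPrivateKey, SmartCardLogon, ClientAuth
    $good = @($results | Where-Object { $_.TimeValid -and $_.HasPrivateKey -and $_.SmartCardLogon -and $_.ClientAuth })
    if ($good.Count -eq 0) { Write-Warning 'Certificate found, but it fails the validity, private key or EKU checks.' }
}
```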


Exercise 3: Managing Certificate Revocation


Task 1: Examine the default CRL distribution points (CDPs) and configure the CRL publication interval
1. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click Certification Authority.
3. In the Certification Authority console, right-click ContosoCA, and then click Properties.
4. In the ContosoCA Properties dialog box, on the Extensions tab, examine the default CDPs, and then click Cancel to close the dialog box.
5. Expand the ContosoCA node, right-click the Revoked Certificates folder, and then click Properties.
6. In the Revoked Certificates Properties dialog box, in the CRL publication interval list, click Months.
7. In the CRL publication interval box, type 1.
8. Again in the Revoked Certificates Properties dialog box, in the Publish Delta CRLs section, enter a Publication interval of 3 Days, and then click OK.
9. Minimize the Certification Authority console.

Task 2: Install the Online Responder component on a Web server


1. Click Start, point to Administrative Tools, and click Server Manager.
2. In the Server Manager console, click Roles.
3. In the Details pane, in the Active Directory Certificate Services section, click Add Role Services. This launches the Add Role Services Wizard.
4. On the Select Role Services page of the Add Role Services Wizard, select the Online Responder check box.
5. Click Add Required Role Services, and click Next until the Confirmation page appears.
6. Click Install.
7. After the installation is completed, close the wizard, and then close Server Manager.

Task 3: Configure the CA to include the Online Responder location in the Authority Information Access (AIA)
1. Restore the Certification Authority console.
2. Right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box, on the Extensions tab, in the Select extension list, select Authority Information Access (AIA), and then click Add.
4. In the Add Location dialog box, in the Location box, type http://NYC-SVR1/ocsp, and click OK.
5. Select the Include in the AIA extension of issued certificates check box.
6. Select the Include in the online certificate status protocol (OCSP) extension check box, and then click OK.
7. In the Certificate Authority box, restart Active Directory Certificate Services by clicking Yes.

Task 4: Issue the OCSP Response Signing template


1. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
2. In the Certificate Templates console, double-click the OCSP Response Signing template.
3. In the OCSP Response Signing Properties dialog box, click the Security tab, under Permissions for Authenticated Users, select Allow for the Enroll check box, and then click OK.
4. Close the Certificate Templates console.
5. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
6. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and then click OK.
7. Minimize the Certification Authority console.

Task 5: Configure the Online Responder


1. Click Start, point to Administrative Tools, and then click Online Responder Management.
2. In the Online Responder Management console, right-click Revocation Configuration, and then click Add Revocation Configuration.
3. In the Add Revocation Configuration Wizard, click Next.
4. On the Name the Revocation Configuration page, in the Name box, type ContosoCA Online Responder, and click Next.
5. On the Select CA Certificate Location page of the wizard, click Next.
6. On the Choose CA Certificate page, click Browse, click the ContosoCA certificate, click OK, and then click Next.
7. On the Select Signing Certificate page, click Next.
8. On the Revocation Provider page, click Finish. The revocation configuration status will appear as Working.
9. Close the Online Responder console.


Task 6: Revoke a certificate


1. Restore the Certification Authority console.
2. Expand ContosoCA, and click Issued Certificates.
3. Locate and right-click the Contoso Smart Card User certificate that was issued in the previous exercise. It will have a Requester Name of Contoso\Administrator, today's date, and a time close to when the previous exercise was completed.
4. Point to All Tasks, and then click Revoke Certificate.
5. In the Certificate Revocation dialog box, in the Reason code list, select Change of Affiliation, and then click Yes.
6. Click the Revoked Certificates folder, and then ensure that the revoked certificate is visible.

Task 7: Publish the CRL


1. In the Certification Authority console, right-click the Revoked Certificates folder.
2. Point to All Tasks, and click Publish.
3. In the Publish CRL dialog box, select New CRL, and then click OK.

Task 8: Ensure that the CRL is downloaded


1. Click Start. In the Search box, type MMC, and then press ENTER.
2. Click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates Snap-in dialog box, click My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node.
6. Expand the Intermediate Certification Authorities node, and then click Certificate Revocation List. Notice there are CRLs from ContosoCA.
7. Double-click one of the ContosoCA lists, and then click the Revocation List tab in the Certificate Revocation List dialog box.
8. In the Revoked certificates section, click the certificate serial number that is displayed. Also note the revocation date and time. Notice that this is the certificate revoked previously.
9. Click OK to close the Certificate Revocation List dialog box, and then close the Console1 window without saving changes to the console.
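Task 8 confirms the CRL arrived by reading it in the MMC; the script below, an added example that is not part of the lab, checks the same thing the way a relying party does, by building the chain for the certificate revoked in Task 6 with online revocation checking and printing the CDP and AIA URLs it consults. It assumes the revoked certificate is still in the current user's Personal store under the Contoso Smart Card User template; pass -SerialNumber to select a certificate explicitly.

```powershell
# Added example, not part of the lab: verify from the client side that the certificate
# revoked in Task 6 is now reported as revoked once the CRL published in Task 7 is fetched.
param([string]$SerialNumber)   # optional: serial from the CRL entry or the CA's Issued/Revoked view

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information
$CdpOid          = '2.5.29.31'             # CRL Distribution Points
$AiaOid          = '1.3.6.1.5.5.7.1.1'     # Authority Information Access (CA Issuers and OCSP)

function Get-ExtensionText { param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) } else { '' }
}

function Select-TargetCertificate {
    $certs = Get-ChildItem Cert:\CurrentUser\My
    if ($SerialNumber) {
        $wanted = $SerialNumber.Replace(' ', '').ToUpper()
        return $certs | Where-Object { $_.SerialNumber -eq $wanted }
    }
    $certs | Where-Object { (Get-ExtensionText $_ $TemplateInfoOid) -match 'Template=Contoso Smart Card User' }
}

function Test-RevocationStatus { param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'Online'       # go to the CDP/OCSP, not just the cache
    $chain.ChainPolicy.RevocationFlag   = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $built = $chain.Build($Cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    New-Object PSObject -Property @{
        Serial            = $Cert.SerialNumber
        Subject           = $Cert.Subject
        ChainOk           = $built
        Revoked           = ($statuses -contains 'Revoked')
        RevocationUnknown = (($statuses -contains 'RevocationStatusUnknown') -or ($statuses -contains 'OfflineRevocation'))
        Status            = ($statuses -join ', ')
    }
}

foreach ($cert in @(Select-TargetCertificate)) {
    Write-Host "CDP extension:`n$(Get-ExtensionText $cert $CdpOid)"
    Write-Host "AIA extension:`n$(Get-ExtensionText $cert $AiaOid)"
    $r = Test-RevocationStatus $cert
    $r | Format-List Serial, Subject, ChainOk, Revoked, RevocationUnknown, Status
    if (-not $r.Revoked -and -not $r.RevocationUnknown) {
        # A client that cached the previous CRL keeps trusting the certificate until the cache
        # entry expires; clearing the URL cache forces a fresh download of the CRL just published.
        Write-Warning 'Still reported valid here: likely a cached CRL. Run "certutil -urlcache crl delete" and retry.'
    }
}
```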


Exercise 4: Configuring Key Recovery

Task 1: Remove the requirement for CA Manager approval and verify who can enroll the Key Recovery Agent (KRA) certificate
1. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click Certification Authority.
3. In the Certification Authority console, expand the ContosoCA node, right-click the Certificate Templates folder, and then click Manage.
4. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.
5. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab.
6. Clear the CA certificate manager approval check box.
7. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that have the Enroll permission, and then click OK.
8. Close the Certificate Templates console.

Task 2: Configure the Contoso CA to issue KRA certificates


1. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then click OK.
3. Close the Certification Authority console.

Task 3: Acquire the KRA certificate


1. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node, and right-click Personal.
6. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
7. On the Before You Begin page, click Next.
8. On the Certificate Enrollment page, click Next.
9. On the Request Certificates page, select the Key Recovery Agent check box. Click Enroll, and then click Finish.
10. Refresh the console, and view the KRA in the personal store; that is, scroll across the certificate properties and verify that the Certificate Template Key Recovery Agent is present.

Task 4: Configure the CA to allow key recovery


1. Click Start, point to Administrative Tools, and click Certification Authority.
2. In the Certification Authority console, right-click ContosoCA, and then click Properties.
3. Click the Recovery Agents tab, and then select Archive the key.
4. Under Key recovery agent certificates, click Add.
5. In the Key Recovery Agent Selection dialog box, click the certificate that is displayed, and then click OK twice. When prompted to restart the CA, click Yes.

Task 5: Configure a custom template for key archival


1. In the Certification Authority console, right-click the Certificate Templates folder, and then click Manage.
2. In the Certificate Templates console, right-click the User certificate, and then click Duplicate Template.
3. In the Duplicate Template dialog box, click Windows Server 2008 Enterprise, and then click OK.
4. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Archive User.
5. On the Request Handling tab, select the Archive subject's encryption private key check box, and then click OK. By using the archive key option, the KRA can obtain the private key from the certificate store.
6. Close the Certificate Templates console.
7. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, select the Archive User template, and then click OK.
9. Close the Certification Authority console.
10. Log off from the 6426C-NYC-SVR1-B virtual machine.

Task 6: Add a user to the Server Operators group


1. Log on to 6426C-NYC-DC1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
3. In the Active Directory Users and Computers dialog box, click the Executives OU, right-click the user Tony Wang, and then click Add to a group.
4. In the Select Groups dialog box, type Server Operators, and then click OK twice.
5. Right-click Tony Wang, and then click Properties.
6. In the Tony Wang Properties dialog box, on the General tab, in the E-mail box, type tony@Contoso.com, and then click OK.
7. Close the Active Directory Users and Computers dialog box.
8. Log off from the 6426C-NYC-DC1-B virtual machine.

Task 7: Verify key archival functionality


1. Log on to 6426C-NYC-SVR1-B as CONTOSO\Tony, and type in Pa$$w0rd as the password.
2. Click Start. In the Search box, type MMC, and then press ENTER.
3. If the UAC dialog box appears, type Pa$$w0rd, and then click OK.
4. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, and then click OK.
6. Expand the Certificates - Current User node, and right-click Personal.
7. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
8. On the Before You Begin page, click Next.
9. On the Certificate Enrollment page, click Next.
10. On the Request Certificates page, select the Archive User check box. Click Enroll, and then click Finish.
11. It may take a minute for the information to become available. If you receive an error, log off and then log back on again as CONTOSO\Tony.
12. Refresh the console, and view the Archive User certificate in the personal store; that is, scroll down to the end of the templates listed and see the Archive User template listed.
13. Double-click the certificate based on the Archive User template, click the Details tab, and write down the serial number. You will use this serial number for recovery purposes.
14. Log off from the 6426C-NYC-SVR1-B virtual machine.
15. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
16. Click Start. Click Run, type CMD, and then click OK.
17. In the Command window that appears, type certutil -getkey <serial number> outputblob, that is, certutil -getkey AA BB CC DD EE FF GG HH II JJ outputblob. Note: Replace <serial number> with the serial number that you wrote down. The Certutil tool queries the CA and provides the certificate information in the command window. Notice the User Principal Name (UPN) and Template sections.
18. To convert the outputblob file into a .pfx file, in the Command window, type certutil -recoverkey outputblob tony.pfx. Note: The user who needs to recover the key can import the .pfx file.
19. When prompted, type in Pa$$w0rd as the new password, and then confirm the password.
20. After the command is executed, close the command window.
21. Browse to C:\Users\Administrator.CONTOSO, and then verify that tony.pfx (the recovered key) is created.
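Steps 17 to 21 as a script that also verifies the result. This is an added example, not part of the lab; it runs on 6426C-NYC-SVR1-B as the Key Recovery Agent (CONTOSO\Administrator here), takes the serial number written down in step 13 (the default is a constructed placeholder), and assumes the certutil -getkey output contains the UPN and template name as plain text, which is what the lab tells you to look for.

```powershell
# Added example, not part of the lab: wrap certutil -getkey / -recoverkey so the recovered
# PFX is checked against the expected user, template and serial number before it is handed out.
param(
    [string]$SerialNumber     = 'AABBCCDDEEFF',   # placeholder: use the real serial from step 13
    [string]$ExpectedUpn      = 'tony@contoso.com',
    [string]$ExpectedTemplate = 'Archive User',
    [string]$BlobPath         = "$env:USERPROFILE\outputblob",
    [string]$PfxPath          = "$env:USERPROFILE\tony.pfx"
)

function Invoke-CertUtil {
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed:`n$($output -join "`n")" }
    return @($output | ForEach-Object { "$_" })
}

# Step 17: extract the archived key blob for that serial number from the CA database.
$getkey = Invoke-CertUtil @('-getkey', $SerialNumber, $BlobPath)
# The output names the certificate holder (UPN) and the template; stop if the blob belongs to
# someone other than the user who asked for recovery, so the wrong person's key is never exported.
if (-not ($getkey | Where-Object { $_ -match [regex]::Escape($ExpectedUpn) })) {
    Remove-Item $BlobPath -ErrorAction SilentlyContinue
    throw "Serial $SerialNumber is not a certificate for $ExpectedUpn; aborting."
}
if (-not ($getkey | Where-Object { $_ -match [regex]::Escape($ExpectedTemplate) })) {
    Write-Warning "certutil -getkey output does not mention template '$ExpectedTemplate'; check it manually."
}

# Steps 18 and 19: decrypt the blob with the KRA's private key and write a password-protected PFX.
# certutil prompts for the new password on the console, exactly as in the lab.
Invoke-CertUtil @('-recoverkey', $BlobPath, $PfxPath) | Out-Null

# Step 21, checked properly: load the PFX and confirm it is the right certificate with its key.
function Test-RecoveredPfx {
    param([string]$Path, [System.Security.SecureString]$Password, [string]$Serial, [string]$Template)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $tplText = $pfx.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
               ForEach-Object { $_.Format($false) }
    New-Object PSObject -Property @{
        Subject         = $pfx.Subject
        SerialMatches   = ($pfx.SerialNumber -eq $Serial.Replace(' ', '').ToUpper())
        HasPrivateKey   = $pfx.HasPrivateKey
        TemplateMatches = [bool]($tplText -match ('Template=' + [regex]::Escape($Template)))
    }
}

$password = Read-Host 'PFX password you just entered' -AsSecureString
$check = Test-RecoveredPfx $PfxPath $password $SerialNumber $ExpectedTemplate
$check | Format-List Subject, SerialMatches, HasPrivateKey, TemplateMatches

# The blob is not needed once the PFX exists; remove it so only the password-protected file
# remains on the KRA's profile.
Remove-Item $BlobPath -ErrorAction SilentlyContinue
if (-not ($check.SerialMatches -and $check.HasPrivateKey -and $check.TemplateMatches)) {
    Write-Warning 'Recovered PFX does not match the expected certificate; do not distribute it.'
}
```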

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. Shut down the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1-B in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1-B.


Module 4: Deploying and Configuring Active Directory Lightweight Directory Services

Lab: Deploying and Configuring Active Directory Lightweight Directory Services


Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.

Exercise 1: Configuring AD LDS Instances and Partitions


Task 1: Add the AD LDS server role by using Server Manager
1. Start the 6426C-NYC-DC1-B virtual machine and then start the 6426C-NYC-SVR1-B virtual machine.
2. Log on to both virtual machines as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
3. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Server Manager.
4. Click the Roles node.
5. In the Details pane, click Add Roles.
6. On the Before You Begin page, click Next.
7. Select the Active Directory Lightweight Directory Services check box, and click Next.
8. If prompted to add required role services, click Add Required Role Services.
9. On the Introduction to Active Directory Lightweight Services page, click Next.
10. On the Confirm Installation Selections page, click Install.
11. On the Installation Results page, click Close.
12. Repeat steps 3 and 10 to install AD LDS on the 6426C-NYC-SVR1-B virtual machine.

Task 2: Create an AD LDS instance known as ContosoApp1 by using AD LDS Setup Wizard
1. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Active Directory Lightweight Directory Services Setup Wizard.
2. Click Next at the first screen of the wizard.
3. On the Setup Options page, ensure that A unique instance is selected, and click Next.
4. On the Instance Name page, enter ContosoApp1 as the Instance name. Keep the default Description text, and then click Next. If a Windows Firewall warning pops up, click Allow.
5. On the Ports page, enter 6389 as the LDAP port number and 6636 as the SSL port number. Click Next.
6. On the Application Directory Partition page, select the Yes, create an application directory partition option. Enter ou=app1,dc=contoso,dc=local as the Partition name, and then click Next.
7. On the File Locations page, keep the default paths and click Next.
8. On the Service Account Selection page, ensure that the Network service account option is selected, and click Next.
9. On the AD LDS Administrators page, ensure that the Currently logged on user: CONTOSO\administrator option is selected, and click Next.
10. On the Importing LDIF Files page, select MS-User.LDF, and click Next.
11. On the Ready to Install page, click Next.
12. When the installation is complete, a message indicating a successful installation is displayed. Click Finish.


Exercise 2: Configuring AD LDS Replication


Task 1: Create a replica of ContosoApp1 by using the AD LDS Wizard
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click Active Directory Lightweight Directory Services Setup Wizard.
2. Click Next at the first screen of the wizard.
3. On the Setup Options page, select the A replica of an existing instance option, and click Next.
4. On the Instance name page, enter ContosoApp1 as the Instance name. Keep the default Description, and then click Next.
5. On the Ports page, enter 6389 as the LDAP port and enter 6636 as the SSL port. Click Next.
6. On the Joining a Configuration Set page, enter NYC-DC1 as the Server, enter 6389 as the LDAP port, and click Next.
7. On the Administrative Credentials for the Configuration Set page, ensure that the Currently logged on user: CONTOSO\administrator option is selected. Click Next.
8. On the Copying Application Directory Partitions page, select the OU=app1,dc=contoso,dc=local partition DN, and click Next.
9. On the File Locations page, keep the default paths, and click Next.
10. On the Service Account Selection page, ensure that the Network service account option is selected, and click Next.
11. On the AD LDS Administrators page, ensure that the Currently logged on user: CONTOSO\Administrator option is selected, and click Next.
12. On the Ready to Install page, click Next.
13. When the installation completes, click Finish.

Task 2: Connect to the application partition and verify initial replication by using ADSI Edit
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click ADSI Edit.
2. In the ADSI Edit console, right-click ADSI Edit in the left pane, and then click Connect to. The Connection Settings dialog box appears.
3. In the Connection Settings dialog box, in the Name box, type ContosoApplication.
4. Under Connection Point, in the Select or type a Distinguished Name or Naming Context box, type ou=app1,dc=contoso,dc=local.
5. Under Computer, in the Select or type a domain or server: (Server | Domain [:port]) box, type NYC-SVR1:6389, and then click OK. A successful connection indicates that 6426C-NYC-SVR1-B has a replica instance.
6. Close ADSI Edit.


Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps


Task 1: Create a list of AD LDS troubleshooting tools
The following table lists AD LDS troubleshooting tools:

- Certificates MMC
- Ldp.exe
- ADSI Edit
- Adamsync.exe
- Ldifde
- Csvde
- Event Viewer
- Network-based tools such as nslookup, ping, tracert, and telnet

Task 2: Create a list of AD LDS troubleshooting steps


The following troubleshooting steps are not all inclusive but include the major items to check in the scenario:

1. Check to ensure that the AD LDS server is reachable by hostname and IP address to validate DNS functionality.
2. Check to ensure that the AD LDS service is responding to network requests by using ping and telnet. Use telnet to access the AD LDS service port.
3. Verify that the AD LDS service is running. If not, ensure that the service account is not locked out. Check to see if the service account is expired. Ensure that the service account has rights to run as a service.
4. Validate that the SSL certificate in use by AD LDS is still valid, still in the certificate store on the AD LDS server, not expired, and not revoked.
5. Validate that the client computer trusts the SSL certificate's root CA.
6. Use LDP.exe from the AD LDS server to attempt to establish a connection to the AD LDS instance.
7. Check the Event Logs for any warnings or error messages related to AD LDS.
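The checklist above as a script, and at the same time the replica check from Task 2 of Exercise 2 done over LDAP rather than in ADSI Edit. This is an added example, not part of the lab; it assumes it runs on 6426C-NYC-SVR1-B as CONTOSO\Administrator, that an AD LDS instance's service is named ADAM_<instance> and its event log "ADAM (<instance>)", and uses the lab's hosts, ports and partition name.

```powershell
# Added example, not part of the lab: run the AD LDS troubleshooting checklist against the
# ContosoApp1 instance on NYC-SVR1 and compare its partition contents with the source on NYC-DC1.

$Instance  = 'ContosoApp1'
$Partition = 'ou=app1,dc=contoso,dc=local'
$Replica   = 'NYC-SVR1'
$Source    = 'NYC-DC1'
$LdapPort  = 6389
$SslPort   = 6636
$Report    = New-Object System.Collections.ArrayList

function Add-Result { param([string]$Check, [bool]$Pass, [string]$Detail)
    [void]$Report.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}

# 1. Name resolution: nothing else can work until the hostname resolves.
try {
    $addrs = @([System.Net.Dns]::GetHostAddresses($Replica) | ForEach-Object { $_.IPAddressToString })
    Add-Result 'DNS' ($addrs.Count -gt 0) ($addrs -join ', ')
} catch { Add-Result 'DNS' $false $_.Exception.Message }

# 2. Port reachability, the scripted equivalent of telnet to the LDAP and SSL ports.
function Test-TcpPort { param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($ComputerName, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}
foreach ($p in $LdapPort, $SslPort) { Add-Result "TCP $p" (Test-TcpPort $Replica $p) "${Replica}:$p" }

# 3. Service state and the account it runs as (a locked-out or expired account stops it).
$svc = Get-Service -Name "ADAM_$Instance" -ErrorAction SilentlyContinue
if ($svc) {
    $wmi = Get-WmiObject Win32_Service -Filter "Name='ADAM_$Instance'"
    Add-Result 'Service' ($svc.Status -eq 'Running') "Status=$($svc.Status) StartName=$($wmi.StartName)"
} else { Add-Result 'Service' $false "service ADAM_$Instance not found" }

# 4 and 5. Certificate offered on the SSL port: expiry, chain trust and revocation as this client
#          evaluates them. The callback accepts anything so the certificate can be inspected afterwards.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($Replica, $SslPort)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Replica)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $trusted = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $notExpired = $cert.NotAfter -gt (Get-Date)
    Add-Result 'SSL certificate' ($trusted -and $notExpired) "Subject=$($cert.Subject) NotAfter=$($cert.NotAfter) Chain=$status"
    $ssl.Close(); $tcp.Close()
} catch { Add-Result 'SSL certificate' $false $_.Exception.Message }

# 6. LDAP bind (what LDP.exe does) plus, for Exercise 2, a replica-versus-source comparison.
function Get-PartitionDNs { param([string]$ComputerName, [int]$Port, [string]$Dn)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${ComputerName}:$Port/$Dn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)', @('distinguishedName'))
    $searcher.PageSize = 500
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] }
}
try {
    $onReplica = @(Get-PartitionDNs $Replica $LdapPort $Partition)
    Add-Result 'LDAP bind' $true "$($onReplica.Count) objects under $Partition on $Replica"
    $onSource = @(Get-PartitionDNs $Source $LdapPort $Partition)
    $diff = @(Compare-Object $onSource $onReplica)
    Add-Result 'Replication' ($diff.Count -eq 0) "source=$($onSource.Count) replica=$($onReplica.Count) differing=$($diff.Count)"
} catch { Add-Result 'LDAP bind' $false $_.Exception.Message }

# 7. Recent warnings and errors from the instance's own event log.
$events = @(Get-EventLog -LogName "ADAM ($Instance)" -EntryType Error, Warning -Newest 10 -ErrorAction SilentlyContinue)
Add-Result 'Event log' ($events.Count -eq 0) "$($events.Count) recent warnings/errors"

$Report | Format-Table Check, Pass, Detail -AutoSize
```

In the lab as built, SSL is not configured on the instance, so the SSL certificate row is expected to fail; that row turning green is the check to repeat after a certificate has been installed for the instance.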


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. Shut down the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1-B in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1-B.


Module 5: Deploying and Configuring Active Directory Federation Services

Lab: Deploying and Configuring Active Directory Federation Services


Lab Setup

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.

Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Task 1: Install Active Directory Certificate Services in the Contoso domain
1. Start the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
2. Log on to the 6426C-NYC-DC1 virtual machine as CONTOSO\Administrator, and type in Pa$$w0rd as the password.

   Note: Before starting the lab in depth, ensure that the core services it depends on are running, to help prevent issues later in the lab. To do this:

   a. Go to Start > Administrative Tools > Services.
   b. In the Services management console, in the Services (Local) pane, on the Extended tab, locate the Active Directory Web Services service and ensure that the Status is Started and the Startup Type is Automatic.
   c. If either value is not set as above, set the Startup Type to Automatic and restart the service so that the Status changes to Started.
   d. Repeat steps a through c for Active Directory Domain Services.

3. Click Start, point to Administrative Tools, and then click Server Manager.
4. In the Server Manager window, click Roles.
5. Click Add Roles.
6. On the Before You Begin page, click Next.
7. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next.
8. On the Introduction to Active Directory Certificate Services page, click Next.
9. On the Select Role Services page, ensure that Certification Authority and Certification Authority Web Enrollment are both selected.


10. Click Add Required Role Services on the Add Roles Wizard dialog when it appears, and then click Next.
11. On the Specify Setup Type page, select Enterprise, and then click Next.
12. On the Specify CA Type page, select Root CA, and then click Next.
13. On the Setup Private Key page, select Create a new private key, and then click Next.
14. On the Configure Cryptography for CA page, accept the defaults, and then click Next.
15. On the Configure CA Name page, in the Common Name for this CA box, type ContosoCA, and then click Next.
16. On the Set Validity Period page, accept the defaults, and then click Next.
17. On the Configure Certificate Database page, accept the defaults, and then click Next.
18. On the Web Server (IIS) page, click Next.
19. On the Select Role Services page, accept the defaults, and then click Next.
20. On the Confirm Installation Selections page, click Install.
21. On the Installation Results page, click Close.

Task 2: Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA)
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certsrv - [Certification Authority (Local)] console, right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box that appears, click the Extensions tab.
4. In the Select extensions drop-down list, select CRL Distribution Point (CDP) and delete the following items by highlighting them and then clicking Remove:
   ldap:///CN
   file://<ServerDNSName>
   Confirm the removal by clicking Yes.
5. Highlight the http:// entry and then select Include in the CDP extension of issued certificates.
6. In the Select extension list, select Authority Information Access (AIA), and delete the following items by highlighting them and then clicking Remove:
   ldap:///CN
   file://<ServerDNSName>
   Confirm the removal by clicking Yes.
7. Highlight the http:// entry and then select Include in the AIA extension of issued certificates.
8. Click OK to exit the dialog box.
9. On the Certification Authority dialog box, click Yes to restart the Active Directory Certificate Services.


10. Click Start. In the Search box, type MMC, and then press ENTER.
11. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
12. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
13. In the Certificate snap-in dialog box, select Computer account, and then click Next.
14. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
15. In the Add or Remove Snap-ins dialog box, click OK.
16. In the console tree, expand Certificates (Local Computer), and then expand Personal.
17. Under the Personal folder, click Certificates and press F5. Note the certificates that are present and their details, such as Issued To, Expiration Date, Intended Purposes, Friendly Name and Certificate Template.
18. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
19. In the Command Prompt window, type certutil -pulse, and then press ENTER.
20. Return to the Certificates console, and then press F5 to refresh.
21. A new certificate should now be issued to NYC-DC1.contoso.com, issued by ContosoCA, with an intended purpose of Client Authentication, Server Authentication and based on the certificate template of Domain Controller.
22. Right-click this certificate and then click Delete. Click Yes to confirm the deletion.

Note This certificate contains legacy LDAP CRL URLs which we cannot use in our federated environment, so we need to purge this certificate now to avoid potential configuration trouble later.

Task 3: Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In Available snap-ins, double-click Certificate Templates, and then click OK.
4. In the console tree, click Certificate Templates. All the certificate templates appear in the details pane.
5. In the details pane, right-click the Web Server template, and then click Properties.
6. On the Security tab, click Add.
7. In the Enter the object name to select box, type Domain Computers, and then click OK.
8. While Domain Computers is selected in Group or user names, in the Permission list, under Allow, select the Read and Enroll check boxes.
9. Repeat steps 6 to 8 for Domain Controllers, Network Service and IIS_IUSRS.


10. Click OK to close the Web Server Properties dialog box, and then close the console. Click No when asked to save the console settings.
11. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.

12. In the Command Prompt window, type the following command to stop AD CS, and then press ENTER.
net stop "Active Directory Certificate Services"

13. In the Command Prompt window, type the following command to start AD CS, and then press ENTER.
net start "Active Directory Certificate Services"

Task 4: Create a certificate in the Internet Information Services (IIS)


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, highlight NYC-DC1 (Contoso\Administrator).
3. In the Features View pane in the middle, double-click the Server Certificates icon.
4. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard opens.
5. On the Distinguished Name Properties page of the wizard, enter the settings as listed below, and then click Next.
   Common name: NYC-DC1.Contoso.com
   Organization: Contoso Pharmaceuticals
   Organization unit: IT Department
   City/locality: New York
   State/province: New York
   Country/region: US
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.

Note The Select button is only enabled when a CA is correctly configured and exists on the domain.

7. Select ContosoCA, and then click OK.
8. In Friendly name, type NYC-DC1.Contoso.com, and then click Finish.

Note You must provide a friendly name for the certificate.


Task 5: Bind the certificate to a claim aware application for use with SSL
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand NYC-DC1 (CONTOSO\Administrator), expand Sites, click Default Web Site, and then in the Actions pane, click Bindings.
3. In the Site Bindings dialog box, click Add.
4. In the Add Site Binding dialog box, under Type select https, and under Port enter 443.
5. Expand the SSL Certificate drop-down list. If there is more than one certificate with the name NYC-DC1.Contoso.com, you need to determine which one is the certificate you just created and want to use.
6. Select the NYC-DC1.Contoso.com certificate from the list, and then click View.
7. In the Certificate dialog, click the Details tab, select <All> in the Show drop-down list, and then scroll down through the list of items until you see the Friendly name field.
8. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate dialog box.
9. If the field is not present or the friendly name listed is different, click OK to close the Certificate dialog box and repeat steps 6 to 8 until you determine the correct certificate.
10. Now that you have identified the correct certificate, select that certificate, click OK, and then click Close.
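The PowerShell script below is an added example and is not part of the course lab. It performs the two checks that Tasks 2 and 5 of this exercise do by hand: it finds the certificate created in Task 4 by its friendly name (the same Friendly name check as in the Certificate dialog), and it prints the CDP and AIA extensions so you can see that only the http:// locations kept in Task 2 appear, with no ldap:/// locations of the kind the Task 2 note warns about. It also builds the chain with online revocation checking, which is what a browser or AD FS does when it validates the certificate. The friendly name and store location are the lab's own; nothing else is assumed.

```powershell
# Added example (not part of the course lab): inspect the Local Computer\Personal
# store on NYC-DC1 to (a) find the certificate created in Task 4 by its friendly
# name, the check Task 5 performs by hand, and (b) confirm that its CDP and AIA
# extensions carry only the http:// URLs left in place in Task 2.
$expectedFriendlyName = 'NYC-DC1.Contoso.com'
$cdpOid = '2.5.29.31'          # CRL Distribution Points
$aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access
$ekuOid = '2.5.29.37'          # Enhanced Key Usage

# Returns the human-readable text of one extension, or '' if the certificate lacks it.
function Get-ExtensionText {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,
        [string]$oid
    )
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($true) } else { '' }
}

$all = Get-ChildItem Cert:\LocalMachine\My
"Certificates in LocalMachine\My: $(@($all).Count)"
$all | Select-Object Subject, FriendlyName, NotAfter, Thumbprint | Format-Table -AutoSize

# Several certificates may share the subject NYC-DC1.Contoso.com; the friendly name
# set in Task 4 is what distinguishes the one created for IIS.
$candidates = @($all | Where-Object { $_.FriendlyName -eq $expectedFriendlyName })
if ($candidates.Count -ne 1) {
    Write-Warning "Expected exactly one certificate with friendly name '$expectedFriendlyName', found $($candidates.Count)."
}

foreach ($cert in $candidates) {
    "`n== $($cert.Subject)  thumbprint $($cert.Thumbprint) =="
    "Issuer : $($cert.Issuer)"
    "EKU    : $(Get-ExtensionText $cert $ekuOid)"
    $cdp = Get-ExtensionText $cert $cdpOid
    $aia = Get-ExtensionText $cert $aiaOid
    "CDP    :`n$cdp"
    "AIA    :`n$aia"
    if (($cdp + $aia) -match 'ldap:///') {
        Write-Warning 'Legacy ldap:/// URL present; this certificate was issued before the CDP/AIA change in Task 2.'
    }

    # Build the full chain with online revocation checking, as a relying client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    "Chain builds: $($chain.Build($cert))"
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation)" }
}
```

Run it in an elevated PowerShell prompt on NYC-DC1 after Task 5. If the chain fails to build with a revocation status, the CRL published at the remaining http:// location is not reachable, which is the same failure AD FS will hit later when it validates partner certificates.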

Task 6: Export the Contoso root certificate for importing into the WoodgroveBank domain
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the console tree, expand Certificates (Local Computer), and then expand Personal.
8. Under the Personal folder, click Certificates. In the details pane, right-click the ContosoCA certificate, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, select No, do not export the private key, and then click Next.
11. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
12. On the File to Export page, type C:\Export\Certs\ContosoCA.cer, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.


Task 7: Import the certificates from the WoodgroveBank domain into the local Trusted Root Certificate Authority store and make that certificate accessible to all computers in the domain using Group Policy
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Group Policy Wizard opens.
4. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
5. In Domains, OUs, and linked Group Policy Objects, select Default Domain Policy, and then click OK.
6. Click Finish, and then click OK.
7. Double-click Default Domain Policy. In the console tree, expand the following path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
8. Right-click Trusted Root Certification Authorities, and then click Import.
9. On the Welcome to the Certificate Import Wizard page, click Next.
10. On the File to Import page, click Browse.
11. In the Open window, in the File name box, type \\MIA-DC1\C$\Export\Certs\WoodgroveBankCA.cer, click Open, and then click Next.
12. On the Certificate Store page, select Place all certificates in the following store, verify that it points to the Trusted Root Certification Authorities store, and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish.
14. You should receive a message saying The import was successful. Click OK.
15. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
16. In the Command Prompt window, type gpupdate /force, and then press ENTER.
17. Log on to the 6426C-MIA-DC1 virtual machine as WOODGROVEBANK\Administrator, and type in Pa$$w0rd as the password.
18. Repeat steps 1 to 14 on the 6426C-MIA-DC1 virtual machine using \\NYC-DC1\C$\Export\Certs\ContosoCA.cer as the certificate to import.
19. On the 6426C-MIA-DC1 virtual machine, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.


20. In the Command Prompt window, type gpupdate /force and then press ENTER.

Results: At the end of this exercise, you have installed Active Directory Certificate Services (ADCS); created, modified and managed certificates for use in a federated environment; bound a certificate to an SSL connection; and exported and imported certificates across different organizations. These are all preliminary tasks required for a successful ADFS implementation.


Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Task 1: Install AD FS 2.0 in the Contoso domain
1. On the 6426C-NYC-DC1 virtual machine, right-click Start, and then click Open Windows Explorer.
2. In Windows Explorer, go to the X:\Labfiles\Mod05\AdfsSetup folder, right-click the file AdfsSetup.exe, and then click Run as administrator.
3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
4. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.
5. On the Server Role page, ensure that Federation server is selected, and then click Next.
6. In the Install Prerequisite Software window, click Next to begin the installation.
7. In the Completed the AD FS 2.0 Setup Wizard window, ensure that the Start the AD FS 2.0 Management snap-in when this wizard closes option is selected, and then click Finish. The AD FS 2.0 console opens.

Task 2: Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration Wizard
1. On the 6426C-NYC-DC1 virtual machine, in the AD FS 2.0 console, in the middle pane, click the AD FS 2.0 Federation Server Configuration Wizard link.
2. On the Welcome page, ensure that Create a new Federation Service is selected, and then click Next.
3. On the Select Stand-Alone or Farm Deployment page, select the Stand-alone federation server option, and then click Next.
4. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is NYC-DC1.Contoso.com, the Port is 443, and the Federation Service name is NYC-DC1.Contoso.com. Click View.
5. In the Certificate dialog, click the Details tab, select <All> in the Show drop-down list, and scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate dialog.
6. Click Next.
7. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and then click Next.
8. The wizard should display the results for each component with the status being Configuration finished.
9. Click Close.


Note As was recommended at the start of Exercise 1, you should ensure that some core services that are required are running prior to continuing to help prevent any issues later in the lab. To do this you should do the following:

a. Go to Start > Administrative Tools > Services.
b. In the Services management console, in the Services (Local) pane, on the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started, and the Startup Type is set to Automatic.
c. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
d. Repeat steps a through c above for the AD FS 2.0 Windows Service.

Task 3: Verify the Federation PowerShell Modules have been installed correctly and are available for use
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules. The PowerShell modules will load once the PowerShell window is opened.
2. At the prompt, type the following command, and then press ENTER.
get-ADFSProperties

3. Examine the output and determine what the fields and values mean. Note some of the more notable values, such as AutoCertificateRollover, ClientCertRevocationCheck, DisplayName, HostName, the HTTP port values, Identifier and FederationPassiveAddress.
4. Type the following PowerShell cmdlet, and then press ENTER.
get-command *-ADFS*

5. Note the list of cmdlets and their associated definitions.

Task 4: Verify the FederationMetaData.xml is present and contains valid data


1. On the 6426C-NYC-DC1 virtual machine, click Start, click All Programs, and then click Internet Explorer.
2. Type the following address into the address bar: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Verify that the XML file opens successfully and scroll through its contents.

Task 5: Create a new claim type and verify it has been successfully added to the claims list
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Service, and then click Claim Descriptions.
3. Right-click Claim Descriptions, and then click Add Claim Description.
4. In Display Name, type Favorite Color.
5. In the Claim Identifier box, type http://www.favoritecolor.com/claim/colordescriptions.

Note You do not have to use a URL, or even a valid URL; however, this is one method of providing information about what a particular claim type is, what it is used in relation to, and what format the information should take.

6. Select Publish this claim description in the federation metadata as a claim type that this Federation Service can accept.
7. Select Publish this claim description in the federation metadata as a claim type that this Federation Service can send.
8. Click OK.
9. Click Start, click All Programs, and then click Internet Explorer.
10. Type the following address into the address bar: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
11. Scroll to the end and locate the entry that you have just created.
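The PowerShell script below is an added example and is not part of the course lab. It does in code what Tasks 3, 4 and 5 of this exercise do by hand: it downloads the federation metadata document that Task 4 opens in Internet Explorer, compares its entityID with the Identifier reported by Get-ADFSProperties (Task 3), extracts the published token-signing certificate, and lists the claim types offered so you can confirm the Favorite Color claim from Task 5 is present. The URL, the claim identifier and the cmdlet names are the lab's own; the XML namespaces are the standard SAML 2.0 metadata and WS-Federation ones. Run it on NYC-DC1 from the Windows PowerShell Modules console so the AD FS cmdlets are loaded.

```powershell
# Added example (not part of the course lab): fetch the Federation Service metadata
# from Task 4 and check it programmatically against Get-ADFSProperties (Task 3),
# then confirm the claim type created in Task 5 is published.
$federationHost  = 'nyc-dc1.contoso.com'
$metadataUrl     = "https://$federationHost/federationmetadata/2007-06/federationmetadata.xml"
$expectedClaimId = 'http://www.favoritecolor.com/claim/colordescriptions'

# WebClient validates the HTTPS certificate, so this only succeeds if ContosoCA is trusted
# on this machine; a failure here is the same trust problem a browser would show.
$xml = [xml](New-Object System.Net.WebClient).DownloadString($metadataUrl)

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md',   'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('fed',  'http://docs.oasis-open.org/wsfed/federation/200706')
$ns.AddNamespace('auth', 'http://docs.oasis-open.org/wsfed/authorization/200706')
$ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')

# 1. The entityID in the metadata must match the Identifier reported by Get-ADFSProperties.
$entityId   = $xml.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
$properties = Get-ADFSProperties
"entityID              : $entityId"
"ADFS Identifier       : $($properties.Identifier)"
"Identifiers match     : $($entityId -eq $properties.Identifier)"
"AutoCertificateRollover: $($properties.AutoCertificateRollover)"

# 2. Signing certificate published in metadata (base64 DER). Partners trust tokens
#    signed by this certificate, so its thumbprint should match the token-signing
#    certificate shown under Service > Certificates in the AD FS 2.0 console.
$signingNode = $xml.SelectSingleNode("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$signingBytes = [Convert]::FromBase64String($signingNode.InnerText)
$signingCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$signingBytes)
"Signing cert subject  : $($signingCert.Subject)"
"Signing cert thumbprint: $($signingCert.Thumbprint)"
"Signing cert expires  : $($signingCert.NotAfter)"

# 3. Claim types offered; the claim added in Task 5 should be among them.
$offered = @($xml.SelectNodes('//fed:ClaimTypesOffered/auth:ClaimType', $ns) |
             ForEach-Object { $_.GetAttribute('Uri') })
"Claim types offered   : $($offered.Count)"
$offered | ForEach-Object { "  $_" }
"Favorite Color claim published: $($offered -contains $expectedClaimId)"
```

The same script, pointed at a partner's metadata URL, is a quick way to review what a partner Federation Service publishes before you create a trust to it in Exercise 4.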

Results: At the end of this exercise, you have installed and configured ADFS and verified a successful installation by viewing the PowerShell modules as well as directly looking at the FederationMetadata.xml file. You have also successfully added a new claim type to the Claim Descriptions.


Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Task 1: Configure a Token Signing Certificate for NYC-DC1.Contoso.com
Note Certificates cannot be modified within ADFS while the ADFS automatic rollover feature is enabled. This feature determines whether or not ADFS will manage certificate expiration and replacement with new certificates. As such, before we can modify certificates within ADFS this feature needs to be turned off.

1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
2. At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press ENTER.
3. Type Get-ADFSProperties, and then press ENTER.
4. Verify that the value for AutoCertificateRollover is now False.
5. Click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
6. In the AD FS 2.0 console, in the left pane, expand Service, and then click Certificates.
7. Right-click Certificates, and then click Add Token-Signing Certificate.
8. In the select a token signing certificate dialog box, notice the certificates listed, and then select the NYC-DC1.Contoso.com certificate.
9. Click the Click here to view certificate properties link to open the Certificate Details window.
10. In the Certificate Details window, click the Details tab, select <All> in the Show drop-down list, and then scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate Details window.
11. If the certificate properties dialog does not contain a Friendly name field, continue to the next certificate and repeat steps 8 to 10.
12. When you have found the correct certificate, click OK to close the Certificate Details window. Select the correct certificate, and then click OK.
13. If you are prompted with a dialog window on the certificate key length, click Yes, and then click OK.
14. Right-click the newly added certificate, and then click Set as Primary. Take note of the warning message, understand what the consequences would be in a production environment, and then click Yes.
15. Select the certificate that has just been superseded, right-click the certificate, and then click Delete. Click Yes to confirm the deletion.

Task 2: Configure a claims provider trust for NYC-DC1.Contoso.com


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claims Provider Trusts.
3. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard appears.
5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values:

   LDAP Attribute        Outgoing Claim Type
   E-Mail-Addresses      E-Mail Address
   User-Principal-Name   UPN
   Display-Name          Name

10. Click Finish, and then click OK.

Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows Identity Foundation Federation Utility.
2. On the Welcome to the Federation Utility wizard page, in Application configuration location, enter C:\inetpub\wwwroot\ContosoClaimApp\web.config for the location of the web.config file of the WIF sample application.
3. In the Application URI box, type https://nyc-dc1.contoso.com/ContosoClaimApp/ to indicate the path to the sample application that will trust the incoming claims from the federation server. Click Next to continue.
4. On the Security Token Service page, select Use an existing STS, type https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml for the STS WS-Federation metadata document location, and then click Next to continue.

Note If you are using a certificate that has not been issued by a Certificate Authority, you will receive a wizard page concerning the certificate validation. If you have selected the certificates as outlined in the exercises in this lab, you will not encounter this page. However, if you choose a non-CA issued certificate, you will need to complete step 5. If you have used a CA issued certificate, you can proceed directly to step 6.

5. On the STS signing certificate chain validation error page, click Disable certificate chain validation, and then click Next.

Note Selecting this option is not recommended in a production environment. The Disable certificate validation option is used in this test lab environment only to simplify the scenario.

6. On the Security token encryption page, select No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.

Note If you scroll to the end of the claims, you should see the claim you added in Exercise 2.

8. On the Summary page, review the changes that will be made to the sample application by the Federation Utility wizard, scroll through the items to understand what each item is doing, and then click Finish.
9. Click OK.

9.

Task 4: Configure a relying party trust to the claim aware application


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the middle pane, click Required: Add a trusted relying party.
3. On the Welcome page of the Add Relying Party Trust Wizard, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or on a local network, and then type https://nyc-dc1.contoso.com/ContosoClaimApp.
5. Click Next to continue.

Note This action prompts the wizard to check for the metadata of the application that the web server role hosts.

6. On the Specify Display Name page, in the Display name box, type WIF Sample Claims App, and then click Next.
7. On the Choose Issuance Authorization Rules page, ensure that Permit all users to access this relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. The Edit Claim Rules for WIF Sample Claims App window opens.


Task 5: Configure claim rules for the relying party trust


1. In the Edit Claim Rules for WIF Sample Claims App window, on the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard opens.
2. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

Note This action passes an incoming claim through to the user by means of Windows Integrated Authentication.

3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name rule. In the Incoming claim type drop-down list, select Windows account name, and then click Finish.
4. Click Add Rule.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the Incoming claim type drop-down list, select E-mail Address, and then click Finish.
7. Click Add Rule.
8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming claim type drop-down list, select UPN, and then click Finish.
10. Click Add Rule.
11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming claim type drop-down list, select Name, and then click Finish.
13. Click Apply, and then click OK.

Task 6: Test the access to the claims aware application


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Axel using the password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, type CONTOSO\Axel with the password Pa$$w0rd, and then press ENTER. The page renders and you see the claims that were processed to allow access to the web site.

Note If you receive an error saying the page could not be accessed, as a first step in troubleshooting you should ensure that some core services that are required are running successfully, and then retry accessing the application as outlined above. To do this you should do the following:

a. Log on to 6426C-NYC-DC1 with the user name Contoso\Administrator and the password Pa$$w0rd.
b. Go to Start > Administrative Tools > Services.
c. In the Services management console, in the Services (Local) pane, on the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started, and the Startup Type is set to Automatic.
d. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
e. Repeat steps a through c above for the AD FS 2.0 Windows Service.
f. Retry steps 1 to 3 above.

4. Log off from the 6426C-NYC-CL1 virtual machine.
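The PowerShell script below is an added example and is not part of the course lab. It automates the service check that this note, the note at the start of Exercise 1, and the note after Exercise 2 Task 2 all describe: for each of the three services the lab names it reports the current state, sets the startup type to Automatic where it is not, and starts the service where it is stopped (Status shows as Running in PowerShell where the Services console shows Started). The display names are the ones the lab uses; the AD FS 2.0 Windows Service only exists once AD FS 2.0 has been installed in Exercise 2, so before that it is reported as not installed and skipped.

```powershell
# Added example (not part of the course lab): bring the core services the lab notes
# depend on to Status = Running and StartupType = Automatic. Run in an elevated
# PowerShell prompt on NYC-DC1. Display names are the ones the lab refers to.
$requiredServices = @(
    'Active Directory Web Services',
    'Active Directory Domain Services',
    'AD FS 2.0 Windows Service'
)

foreach ($displayName in $requiredServices) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$displayName' is not installed on this computer; skipping."
        continue
    }

    # Get-Service does not expose the startup type on Windows Server 2008 R2
    # (PowerShell 2.0), so read it from the WMI service class instead.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    Write-Host ("{0,-35} Status={1,-8} StartMode={2}" -f $displayName, $svc.Status, $wmi.StartMode)

    if ($wmi.StartMode -ne 'Auto') {
        Set-Service -Name $svc.Name -StartupType Automatic
        Write-Host "  -> startup type set to Automatic"
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $svc.Name
        # Block until the service control manager reports Running, or give up after 60 s.
        $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
        Write-Host "  -> service started"
    }
}
```

Run it once before retrying the application. If Active Directory Domain Services will not start, the other two cannot function either, so fix that first.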

Task 7: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claim Provider Trusts.
3. Select Active Directory, and in the Actions pane on the right side, click Edit Claim Rules.
4. On the Acceptance Transform Rules tab, click the Add Rule button to start the Add Transform Claim Rule Wizard.
5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Send IT Admin Group Rule, and then click Browse.
7. In the Enter the object name to select box, type ITAdmins_ContosoGG, and then click OK.
8. In Outgoing claim type, select Group; in Outgoing claim value, type ITADMIN; and then click Finish.
9. Click OK to close the property page and save the changes to the claim provider trust.
10. In the AD FS 2.0 console, expand Trust Relationships, and then click Relying Party Trusts.
11. Select the WIF Sample Claims App, and in the Actions pane on the right side, click Edit Claim Rules.
12. In the Edit Claim Rules for WIF Sample Claims App window, click the Issuance Authorization Rules tab.
13. On the Issuance Authorization Rules tab, select the rule named Permit Access to All Users, and then click Remove Rule. Click Yes to confirm. With no rules, no users are permitted access.


14. On the Issuance Authorization Rules tab, click the Add Rule button to start the Add Issuance Authorization Claim Rule Wizard.
15. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
16. On the Configure Rule page, in Claim rule name, type Permit IT Admin Group Rule. In the Incoming claim type drop-down list, select Group. In Incoming claim value, type ITADMIN, select the option to Permit access to users with this incoming claim, and then click Finish.
17. Click OK to close the property page and save the changes to the relying party trust.
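The PowerShell script below is an added example and is not part of the course lab. It shows the claim rules that the wizards in Task 2 (Send LDAP Attributes as Claims), Task 5 (Pass Through or Filter an Incoming Claim) and Task 7 (Send Group Membership as a Claim, then Permit or Deny Users Based on an Incoming Claim) generate, written out in the AD FS claim rule language and applied with the AD FS 2.0 cmdlets, so you can see exactly what the STS evaluates. The trust names, rule names, group name and claim value are the lab's own; the group SID is resolved at run time rather than copied from the wizard. Run it on NYC-DC1 from the Windows PowerShell Modules console after the relying party trust from Task 4 exists; it leaves the existing acceptance rules on the Active Directory trust in place and appends to them, as the wizard does.

```powershell
# Added example (not part of the course lab): the claim rules built by the wizards in
# Tasks 2, 5 and 7, expressed in the AD FS claim rule language and applied with the
# AD FS 2.0 cmdlets. Names are the lab's own.
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$upnClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$winAcct    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$groupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$groupClaim = 'http://schemas.xmlsoap.org/claims/Group'
$permit     = 'http://schemas.microsoft.com/authorization/claims/permit'

# SID of the group the authorization decision hinges on (Task 7, step 7), resolved here
# instead of being pasted in, so the rule cannot point at the wrong group.
$account     = New-Object System.Security.Principal.NTAccount('CONTOSO', 'ITAdmins_ContosoGG')
$itAdminsSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Task 2: one AD query yields three outgoing claims.
# Task 7: membership of the group becomes the claim Group = ITADMIN.
$newAcceptanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim", "$upnClaim", "$nameClaim"), query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Send IT Admin Group Rule"
c:[Type == "$groupSid", Value == "$itAdminsSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$groupClaim", Value = "ITADMIN", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Task 5: pass-through rules on the relying party. Each names exactly one claim type,
# so every other claim the provider emits is dropped at the STS and never reaches the app.
$passThrough = @{
    'Pass through Windows Account name rule' = $winAcct
    'Pass through E-mail Address rule'       = $emailClaim
    'Pass through UPN rule'                  = $upnClaim
    'Pass through Name rule'                 = $nameClaim
}
$issuanceTransformRules = ($passThrough.GetEnumerator() | ForEach-Object {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "$($_.Key)"
c:[Type == "$($_.Value)"]
 => issue(claim = c);
"@
}) -join "`n"

# Task 7: replace "Permit Access to All Users" with a rule that permits only holders of
# Group = ITADMIN. An empty rule set (step 13 of Task 7) permits nobody.
$issuanceAuthorizationRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "$groupClaim", Value =~ "^(?i)ITADMIN$"]
 => issue(Type = "$permit", Value = "PermitUsersWithClaim");
"@

# Append to the default acceptance rules on the Active Directory claims provider trust;
# replacing them outright would drop the built-in pass-through of windowsaccountname.
$existing = (Get-ADFSClaimsProviderTrust -TargetName 'Active Directory').AcceptanceTransformRules
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($existing + "`n" + $newAcceptanceRules)

Set-ADFSRelyingPartyTrust -TargetName 'WIF Sample Claims App' `
    -IssuanceTransformRules $issuanceTransformRules `
    -IssuanceAuthorizationRules $issuanceAuthorizationRules

# Read back what the STS will now enforce for this relying party.
(Get-ADFSRelyingPartyTrust -TargetName 'WIF Sample Claims App').IssuanceAuthorizationRules
```

The authorization rule matches the claim value with a case-insensitive anchored regular expression, which is what the wizard template emits; an unanchored pattern would also permit values that merely contain ITADMIN.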

Task 8: Verify restrictions and accessibility to the claims aware application


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy using the password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, type CONTOSO\Betsy with the password Pa$$w0rd, and then press ENTER.
4. You should be able to access the application.
5. Log off from the 6426C-NYC-CL1 virtual machine.
6. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Aaron using the password Pa$$w0rd.
7. Launch Internet Explorer, and in the browser address bar type: https://nyc-dc1.contoso.com/ContosoClaimApp.
8. When prompted for credentials, type CONTOSO\Aaron with the password Pa$$w0rd, and then press ENTER. You receive an Access Denied error. This is because CONTOSO\Aaron is not a member of the ITAdmins_ContosoGG group, and is therefore not authorized to access the site.
9. Log off from the 6426C-NYC-CL1 virtual machine.

Results: At the end of this exercise, you have configured a stand-alone AD FS 2.0 federation server and verified the Federation PowerShell Modules installed successfully and are available.


Lab: Deploying and Configuring Active Directory Federation Services

Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claims Aware Application

Task 1: Add a claims provider trust for NYC-DC1.Contoso.com on 6426C-MIA-DC1

1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claims Provider Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. On the Welcome page, click Start.
5. On the Select Data Source page, select Import data about the claims provider published online or on a local network, type https://nyc-dc1.contoso.com, and then click Next.
6. On the Specify Display Name page, click Next.
7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to save the configuration.
8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for nyc-dc1.contoso.com window appears.
9. On the Acceptance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish. Note: Read, understand, and acknowledge the warning message that appears by clicking Yes.
14. Click OK, and then close the AD FS 2.0 console.
15. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
16. At the prompt, type the following command, and then press ENTER:

Set-ADFSClaimsProviderTrust -TargetName nyc-dc1.contoso.com -SigningCertificateRevocationCheck None

17. Close the PowerShell window. Note: We have not made any modification to the application itself.


Task 2: Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claims aware application

1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Relying Party Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. On the Welcome page, click Start.
5. On the Select Data Source page, select Import data about the relying party published online or on a local network, type https://mia-dc1.woodgrovebank.com, and then click Next.
6. On the Specify Display Name page, in the Display name box, type Woodgrove Bank Claim App B2B, and then click Next.
7. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.
9. On the Finish page, click Close to close the wizard. The Edit Claim Rules for Woodgrove Bank Claim App B2B window appears.
10. On the Issuance Transform Rules tab, click Add Rule.
11. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.
12. In the Claim rule name box, type Pass through Windows account name rule.
13. In the Incoming claim type drop-down list, select Windows account name.
14. Select Pass through all claim values, and then click Finish.
15. Click OK, and then close the AD FS 2.0 console.
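The wizards in Exercise 3 (Task 7) and in Exercise 4 (Tasks 1 and 2) generate claim rules in the AD FS 2.0 claim rule language. The following is an added example, not part of the lab manual, that writes those same rules by hand and applies them with the AD FS 2.0 cmdlets. It assumes the trust display names the lab uses and that the AD FS 2.0 PowerShell snap-in is available; the relying party calls belong on NYC-DC1 and the claims provider call on MIA-DC1, so run each part on the server that holds that trust.

```powershell
# Added example, not from the lab manual: the claim rules the two wizards create, written in the
# AD FS 2.0 claim rule language and applied with the AD FS cmdlets. Trust display names are the
# ones the lab uses; run each Set-* call on the federation server that holds that trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim type URIs AD FS 2.0 uses for the Group claim, the Windows account name claim and the permit decision.
$groupClaim  = 'http://schemas.xmlsoap.org/claims/Group'
$wanClaim    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$permitClaim = 'http://schemas.microsoft.com/authorization/claims/permit'

# Exercise 3, Task 7 (NYC-DC1): with the default "Permit Access to All Users" rule removed, only a
# user whose incoming Group claim equals ITADMIN is issued a permit claim; everyone else is denied.
$authRules = @"
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "$groupClaim", Value == "ITADMIN"]
 => issue(Type = "$permitClaim", Value = "true");
"@

# Exercise 4, Tasks 1 and 2: forward the Windows account name claim unchanged. The same rule text
# serves as an acceptance transform rule on the claims provider trust (MIA-DC1) and as an issuance
# transform rule on the relying party trust (NYC-DC1).
$passThrough = @"
@RuleName = "Pass through Windows account name rule"
c:[Type == "$wanClaim"]
 => issue(claim = c);
"@

# On NYC-DC1:
Set-ADFSRelyingPartyTrust -TargetName 'WIF Sample Claims App' -IssuanceAuthorizationRules $authRules
Set-ADFSRelyingPartyTrust -TargetName 'Woodgrove Bank Claim App B2B' -IssuanceTransformRules $passThrough
# On MIA-DC1:
Set-ADFSClaimsProviderTrust -TargetName 'nyc-dc1.contoso.com' -AcceptanceTransformRules $passThrough

# Check what is actually stored. An empty IssuanceAuthorizationRules string means nobody is permitted,
# which is the state the lab creates deliberately between steps 13 and 16 of Task 7.
Get-ADFSRelyingPartyTrust -Name 'WIF Sample Claims App' |
    Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules
```

Keeping the rule text in source control and applying it this way makes the authorization decision reviewable: a diff shows exactly which claim value grants access, which is hard to see when the rules live only in the wizard dialogs.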

Task 3: Verify access to Woodgrove Bank's claims aware application by Contoso users

1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp. Note: The logon process has changed, and you now need to select an authority that can authorize and validate the access request. The Home Realm Discovery page (the Sign In page) appears, and you need to select an authority.
3. Select nyc-dc1.contoso.com on the Home Realm Discovery page, and then click Continue to Sign in.
4. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER. You should be able to access the application.
5. Close Internet Explorer.
6. Launch Internet Explorer, and in the address bar type the following address: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp. Note: You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party federation server. The default lifetime for the cookie is 30 days. Therefore, in order to log on multiple times, we should delete that cookie after each logon attempt to return to a clean state.
7. Click Cancel.
8. In Internet Explorer, click Tools, and then click Internet Options.
9. On the General tab, in the Browsing History section, click Delete.
10. Select all the check boxes, and then click Delete.
11. Click OK, and close Internet Explorer.
12. Launch Internet Explorer again, and in the browser address bar type: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.
13. Select nyc-dc1.contoso.com on the Home Realm Discovery page, and then click Continue to Sign in.
14. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER. You should be able to access the application.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. Shut down the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-CL1 and 6426C-MIA-DC1.


Module 6: Deploying and Configuring Active Directory Rights Management Services

Lab: Deploying and Configuring Active Directory Rights Management Services


Lab Setup
In this lab, you use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.

Exercise 1: Installing and Configuring AD RMS


Task 1: Add a CNAME for the AD RMS cluster

1. Start the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines, and log on to 6426C-NYC-DC1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. On 6426C-NYC-DC1, click Start, point to Administrative Tools, and then click DNS.
3. In DNS Manager, expand NYC-DC1, expand Forward Lookup Zones, and then expand Contoso.com.
4. Right-click Contoso.com, and then click New Alias (CNAME).
5. In the Alias name (uses parent domain if left blank) field, type RMS.
6. In the Fully qualified domain name (FQDN) for target host field, enter NYC-SVR1.contoso.com.
7. Click OK, and then close the DNS console.

Task 2: Install and configure AD RMS

1. Log on to 6426C-NYC-SVR1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager.
3. Click Roles, and then in the Details pane, click Add Roles.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select the Active Directory Rights Management Services check box.
6. When prompted, click Add Required Role Services, and then click Next.
7. Click Next twice.
8. On the Create or Join an AD RMS Cluster page, select Create a new AD RMS cluster, and then click Next.
9. On the Select Configuration Database page, select Use Windows Internal Database on this server, and then click Next.
10. On the Specify Service Account page, click Specify, type CONTOSO\adrms-svc, type Pa$$w0rd for the password, click OK to provide a domain user account for the AD RMS service account, and then click Next.
11. On the Configure AD RMS Cluster Key Storage page, select Use AD RMS centrally managed key storage, and then click Next.
12. On the Specify AD RMS Cluster Key Password page, type Pa$$w0rd as the AD RMS cluster key password, and then click Next.
13. On the Select AD RMS Cluster Web Site page, ensure that Default Web Site is selected, and then click Next.
14. On the Specify Cluster Address page, in the Internal Address box, type rms.contoso.com, select Use an unencrypted connection (http://), click Validate, and then click Next.
15. On the Name the Server Licensor Certificate page, in the Name box, type Contoso Pharmaceuticals RMS, and then click Next.
16. On the Register AD RMS Service Connection Point page, ensure that Register the AD RMS service connection point now is selected, and then click Next three times.
17. On the Confirm Installation Selections page, view the informational messages, and then click Install to complete the installation.
18. After the installation is complete, click Close, and then log off from the 6426C-NYC-SVR1 virtual machine.


Exercise 2: Configuring AD RMS Templates


Task 1: Configure AD RMS rights policy templates

1. Log on to the 6426C-NYC-SVR1 virtual machine as CONTOSO\Administrator with the password Pa$$w0rd.
2. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services. Note: It may take a couple of minutes for the AD RMS console to become available, and you may see an error, but the console will eventually become available.
3. Expand NYC-SVR1 (Local), and click Rights Policy Templates.
4. In the Actions pane, under Rights Policy Templates, click Properties.
5. In the Rights Policy Templates Properties page, select Enable export. In the Specify templates file location (UNC) box, type \\NYC-DC1\templates, and then click OK.
6. In the far right pane, click Create Distributed Rights Policy Template. Then, after the wizard is launched, click Add.
7. In the Add New Template Identification Information box, set Language to English (United States), set Name to Confidential Projects, set Description to Contoso Pharmaceuticals IT Department, and click Add. Then, click Next.
8. On the Add User Rights page, click Add, and in the Add User or Group box, type ITAdmins@Contoso.com, and then click OK.
9. Under Rights for ITAdmins@Contoso.com, select the Edit check box.
10. Click Add, select Anyone, and then click OK.
11. Under Rights for ANYONE, select the View check box, and then click Next.
12. On the Specify Expiration Policy page, select the Expires after the following duration (days) option to specify content expiration, and type 14 as the value.
13. Click Finish, close the Active Directory Rights Management Services console, and then log off from the 6426C-NYC-SVR1 virtual machine.

Task 2: Configure AD RMS rights policy template distribution for Windows 7 client computers

1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy with the password Pa$$w0rd.
2. On the 6426C-NYC-CL1 virtual machine, click Start, right-click Computer, and then click Manage.
3. In the User Account Control dialog box, type Administrator as the user name and Pa$$w0rd as the password, and then click Yes.
4. In the Computer Management console, expand Task Scheduler, expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.
5. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.
6. Right-click AD RMS Rights Policy Template Management (Automated), click Run, and then close Computer Management. Note: If you are prompted for credentials, use the credentials that you are logged on with, which are CONTOSO\Betsy and password Pa$$w0rd.
7. Click Start, type regedit.exe in the Search box, and then press ENTER.
8. Browse to HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 14.0, and then click Common.
9. Right-click Common, point to New, and then click Key.
10. Name the new key DRM. This key is only present if the user has previously launched a Microsoft Office program and used rights management. If DRM was not already created, you must create it manually. This is also true for the Office > 14.0 key.
11. Right-click DRM, point to New, and then click Expandable String Value.
12. In the New Value #1 box, type AdminTemplatePath, and then press ENTER.
13. Double-click the AdminTemplatePath registry value. In the Value data box, type %LocalAppData%\Microsoft\DRM\Templates, and then click OK.
14. Close the Registry Editor, and log off from the 6426C-NYC-CL1 virtual machine.
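The same client configuration can be done from PowerShell, which is useful when more than one Windows 7 machine needs it and for checking that the value was stored with the right type. The following is an added example, not from the lab manual; it uses the task name and registry path the steps above name, and assumes PowerShell 2.0 on Windows 7. Note that the two halves run in different contexts: enabling the scheduled task needs an elevated prompt, while the registry value must be written in the hive of the user who will open Office (Betsy), so that part must not run as the elevating Administrator account.

```powershell
# Added example, not from the lab manual. Part A needs an elevated prompt; Part B must run as the
# Office user (the lab's CONTOSO\Betsy), because HKCU is that user's hive.
$taskName = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'

# --- Part A (elevated): steps 5 and 6, enable the built-in template download task and run it once now.
schtasks.exe /Change /TN $taskName /ENABLE | Out-Null
schtasks.exe /Run /TN $taskName | Out-Null

# --- Part B (as the user): steps 7 to 13, tell Office 2010 where the downloaded templates live.
# New-Item -Force creates the Office\14.0\Common\DRM chain when Office has not created it yet (step 10).
$drmKey = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
New-Item -Path $drmKey -Force | Out-Null
New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -PropertyType ExpandString `
    -Value '%LocalAppData%\Microsoft\DRM\Templates' -Force | Out-Null

# Checks. The value must be REG_EXPAND_SZ holding the unexpanded %LocalAppData% reference; a plain
# REG_SZ typed through regedit by mistake would point every user at the one path that was literal
# at creation time. Then list the template XML files the task pulled down from the cluster.
$key = Get-Item $drmKey
$key.GetValueKind('AdminTemplatePath')                                   # expected: ExpandString
$key.GetValue('AdminTemplatePath', $null, 'DoNotExpandEnvironmentNames') # raw stored string
$templateDir = [Environment]::ExpandEnvironmentVariables('%LocalAppData%\Microsoft\DRM\Templates')
Get-ChildItem $templateDir -Filter *.xml -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

If the template folder is empty after the task has run, the usual causes are that the scheduled task ran under the wrong account, or that the client could not reach the cluster URL registered in the service connection point.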

Task 3: Use the Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers

1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
3. Under Contoso.com, right-click the Default Domain Policy shortcut, and then click Edit.
4. In the Group Policy Management Editor, browse to User Configuration, and then expand Policies.
5. Right-click Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, and then click Add/Remove Templates.
6. Click Add, and in the File name box, type \\NYC-DC1\templates, and then click Open.
7. In the Policy Templates dialog box, select office14.adm, click Open, and then click Close.
8. In the Group Policy Management Editor, browse to User Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from local machine\Classic Administrative templates (ADM)\Microsoft Office 2010\Manage Restricted Permissions.
9. Double-click Specify Permission Policy Path, and then select Enabled.
10. In the Enter path to policy templates for content permission box, type the complete path to the permission policy templates, \\NYC-DC1\templates, and then click OK.
11. Close the Group Policy Management Editor, and then close the Group Policy Management console.


Exercise 3: Configuring AD RMS Trust Policies


Task 1: Export the Trusted User Domains policy

1. Log on to the 6426C-NYC-SVR1 virtual machine as CONTOSO\Administrator with the password Pa$$w0rd.
2. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. Expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted User Domains.
4. In the Details pane, select the Enterprise object.
5. In the Actions pane, click Export Trusted User Domain.
6. In the File name box, type c:\Contoso.bin, and then click Save.

Task 2: Export the Trusted Publishing Domains policy

1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted Publishing Domains.
2. In the Details pane, select Contoso Pharmaceuticals RMS.
3. In the Actions pane, click Export Trusted Publishing Domain.
4. Click Save As.
5. In the File name box, type c:\Contoso.xml, and then click Save.
6. Type and confirm Pa$$w0rd as the password.
7. Click Finish.

Task 3: Import the Trusted User Domains policy from the WoodgroveBank domain

1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted User Domains.
2. Right-click Trusted User Domains, and click Import Trusted User Domain.
3. In the Trusted user domain file box, type \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin.
4. In the Display name box, type WoodgroveBank Domain, and then click Finish. The WoodgroveBank Domain trusted user domain information is displayed in the Details pane of the AD RMS console.


Task 4: Import the Trusted Publishing Domains policy from the WoodgroveBank domain

1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted Publishing Domains.
2. Right-click Trusted Publishing Domains, and click Import Trusted Publishing Domain.
3. In the Trusted publishing domain file box, type \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml.
4. Type Pa$$w0rd as the password.
5. In the Display name box, type WoodgroveBank RMS, and then click Finish. The WoodgroveBank RMS TPD information is displayed in the Details pane of the AD RMS console.
6. Close the Active Directory Rights Management Services console.


Exercise 4: Testing AD RMS Functionality


Task 1: Create a rights-protected document

1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy with the password Pa$$w0rd.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Word 2010.
3. In the blank Word document, type This is a protected document.
4. Click the File menu, click the Info button, click Protect Document, click Restrict Permission by People, and then select Confidential Projects. Note: If you are prompted for credentials, use the credentials that you are logged on with, which are CONTOSO\Betsy and password Pa$$w0rd.
5. Click the File menu, click Save, type \\NYC-DC1\templates\Protected.docx in the File name box, and then click Save.
6. Close Microsoft Office Word, and then log off from the 6426C-NYC-CL1 virtual machine. Note: The user accounts are authenticated against email addresses in AD DS in this test environment. If a user account does not have an email address assigned, the user will not be able to use the RMS functionality.

Task 2: Open the rights-protected document as a non-authorized user

1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Aaron with the password Pa$$w0rd. Note that Aaron is not a member of the IT Admins group and should only have view access to the document.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Word 2010.
3. Click the File menu, and then click Open.
4. In the File name box, type \\NYC-DC1\templates\Protected.docx, and then click Open. Note: If you are prompted for credentials, use the credentials that you are logged on with, which are CONTOSO\Aaron and password Pa$$w0rd.
5. In the message box indicating that permission to the document is restricted, click OK. The document opens.
6. In the Confidential Projects bar, click View Permission. Notice that Aaron only has permission to view the document and that the permission expires in about 14 days. Click OK, and then verify that all editing tools are disabled.
7. Close Microsoft Office Word, and log off from the 6426C-NYC-CL1 virtual machine.


Task 3: Open and edit the rights-protected document as an authorized user

1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Axel with the password Pa$$w0rd. Note that Axel is a member of the IT Admins group and should have editing access to the document.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Word 2010.
3. Click the File menu, and then click Open.
4. In the File name box, type \\NYC-DC1\templates\Protected.docx, and then click Open. Note: If you are prompted for credentials, use the credentials that you are logged on with, which are CONTOSO\Axel and password Pa$$w0rd.
5. In the message box indicating that permission to the document is restricted, click OK. The document opens.
6. In the Confidential Projects bar, click View Permission. Notice that Axel has Editing permissions because he is a member of the IT Admins group, and then click OK.
7. Type Edited successfully by Axel on a new line.
8. Click the File menu, and then click Save.
9. Close Microsoft Office Word, and log off from the 6426C-NYC-CL1 virtual machine.


Exercise 5: Generating AD RMS Reports


Task 1: Install Microsoft Report Viewer

1. On the 6426C-NYC-SVR1 virtual machine, open Windows Explorer, and browse to \\NYC-DC1\x$\Labfiles\Mod06\.
2. Double-click ReportViewer.
3. Follow the wizard steps to complete the setup.
4. Click Finish to close the wizard, and then close Windows Explorer.

Task 2: View AD RMS Statistics reports

1. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. Expand NYC-SVR1 (Local), expand Reports, and then click Statistics Reports.
3. View the statistics in the main window.

Task 3: View AD RMS System Health report

1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Reports, and click System Health.
2. In the Actions pane, click View Report.
3. In the Create Report box, specify the query start and end dates, and click Finish.

Task 4: View AD RMS Troubleshooting report

1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Reports, and click Troubleshooting.
2. In the Actions pane, click View Report.
3. In the Create Report box, specify the query start and end dates, enter CONTOSO\Aaron for User Name, and click Finish.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. Shut down the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1 and 6426C-NYC-CL1.


Module 7: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Lab Setup

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

Apply the StartingImage snapshot for the 6426C-MIA-DC1 virtual machine.

Exercise 1: Configuring CA Event Auditing


Task 1: Enable the auditing of object access

1. Start the 6426C-MIA-DC1 virtual machine, and log on using the user name WOODGROVEBANK\Administrator and the password Pa$$w0rd.
2. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Group Policy Management.
3. Expand Forest: Woodgrovebank.com, expand Domains, expand Woodgrovebank.com, and then click Group Policy Objects.
4. Right-click the Default Domain Controllers Policy, and then click Edit.
5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Local Policies.
6. Click Audit Policy.
7. Right-click Audit object access, and then click Properties.
8. Select the Define these policy settings check box.
9. Under Audit these attempts, select the check boxes next to Success and Failure, and then click OK.
10. Close the Group Policy Management Editor and the Group Policy Management console.
11. Click Start, click All Programs, click Accessories, and then click Command Prompt.
12. In the Command Prompt window, type gpupdate /force, and then press ENTER.
13. Close the Command Prompt window.


Task 2: Enable CA auditing

1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certsrv - [Certification Authority (Local)] console, click WoodgrovebankCA.
3. On the Action menu, click Properties.
4. On the Auditing tab, in the Events to Audit section, select all 7 check boxes, and then click OK in the resulting Microsoft Active Directory Certificate Services message box.
5. Click OK to close the WoodgrovebankCA Properties box.
6. On the Action menu, point to All Tasks, and then click Stop Service to stop the service.
7. On the Action menu, point to All Tasks, and then click Start Service to start the service.
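The two tasks of this exercise map onto two settings that can also be made and verified from the command line, which is how you would confirm on a production CA that auditing is really in effect rather than trusting the dialog. The following is an added example, not from the lab manual, for an elevated PowerShell prompt on 6426C-MIA-DC1; WoodgrovebankCA is the CA name the lab uses, and everything else is standard certutil and auditpol behaviour.

```powershell
# Added example, not from the lab manual: command-line form of Exercise 1 on the CA itself.
# Run elevated on 6426C-MIA-DC1.

# Task 1 equivalent, but local to this machine: success and failure auditing for the
# Certification Services subcategory of Object Access. The lab sets the whole Object Access
# category through the Default Domain Controllers Policy, which is the right scope for production;
# this per-subcategory setting is narrower and avoids flooding the Security log with file events.
auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable

# Task 2 equivalent: the seven check boxes on the Auditing tab are the seven bits of the CA's
# AuditFilter registry value; 127 (0x7F) selects all of them.
certutil.exe -setreg CA\AuditFilter 127

# The CA service reads AuditFilter at start-up only, so restart it (steps 6 and 7 of Task 2).
Restart-Service -Name CertSvc

# Checks: the stored filter, the effective audit policy, and the first CA audit events.
# Event ID 4880 (Certificate Services started) is written at the restart once auditing is active,
# so its presence proves the chain from audit policy to CA filter to Security log is working.
certutil.exe -getreg CA\AuditFilter
auditpol.exe /get /subcategory:"Certification Services"
Get-WinEvent -LogName Security -MaxEvents 50 |
    Where-Object { $_.Id -ge 4868 -and $_.Id -le 4900 } |
    Select-Object TimeCreated, Id, Message
```

If the Security log shows nothing after the restart, check the audit policy first: the AuditFilter value only selects which CA operations are reported, and without the Object Access (or Certification Services subcategory) policy enabled, the CA has nowhere to report them.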


Exercise 2: Backing up Active Directory Certificate Services


Task 1: Schedule a task to perform CA backup

1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Task Scheduler.
2. In the Actions pane, click Create Task.
3. In the Create Task window, click the General tab, and type CA Backup in the Name box.
4. Click Change User or Group.
5. In Select User or Group, type Woodgrovebank\Backup, and then click OK.
6. In the Multiple Names Found box, select Backup, and then click OK.
7. Select Run whether user is logged on or not.
8. Select Run with highest privileges.
9. On the Triggers tab, click New, click Daily, set the time to run (schedule it within the next five minutes), select the Enabled check box, and then click OK.
10. On the Actions tab, click New.
11. In the Program/script box, type certutil.
12. In the Add arguments (optional) box, enter -backup -p Pa$$w0rd C:\CAbackup, and then click OK.
13. In the Create Task box, click OK. When you are prompted for the credentials, enter Woodgrovebank\Backup and the password Pa$$w0rd, and then click OK.
14. Click the Task Scheduler Library node. Wait for the task to start and complete the backup.
15. Confirm that the backup has completed successfully by viewing the contents of the C:\CAbackup folder and checking the task status. To view the task status, you will have to refresh the Task Scheduler console view.
16. Close Task Scheduler, and log off from the 6426C-MIA-DC1 virtual machine.
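The same task can be registered with schtasks.exe, which also makes it easy to run once immediately and then inspect what certutil -backup actually wrote. The following is an added example, not from the lab manual; the account, password and folder are the lab's values, and the task name, trigger and privilege level are the ones the steps above set in the Task Scheduler dialogs.

```powershell
# Added example, not from the lab manual: the "CA Backup" task from Task 1, created with schtasks.exe
# and then verified. Lab values throughout; run elevated on 6426C-MIA-DC1.
$runAs    = 'Woodgrovebank\Backup'
$password = 'Pa$$w0rd'      # lab value; single quotes keep the $$ literal
$target   = 'C:\CAbackup'

# Daily, run whether the user is logged on or not (/RU with /RP), highest privileges (/RL HIGHEST).
# certutil -backup writes the CA certificate and private key (<CAName>.p12, protected by the -p
# password) and the CA database under DataBase\.
schtasks.exe /Create /F /TN 'CA Backup' /SC DAILY /ST 02:00 /RU $runAs /RP $password /RL HIGHEST `
    /TR "certutil.exe -backup -p $password $target"

# Run it now instead of waiting for the trigger, then poll until the task is no longer running.
schtasks.exe /Run /TN 'CA Backup' | Out-Null
do {
    Start-Sleep -Seconds 5
    $status = schtasks.exe /Query /TN 'CA Backup' /FO LIST /V
} while ($status -match 'Status:\s+Running')
$status | Select-String 'Last Run Time|Last Result'   # Last Result 0 means certutil exited cleanly

# What a successful run leaves behind. The .p12 is the item that needs protecting: whoever holds it
# and the -p password can act as the CA.
Get-ChildItem $target -Recurse | Select-Object FullName, Length, LastWriteTime
if (-not (Test-Path (Join-Path $target 'WoodgrovebankCA.p12'))) {
    Write-Warning "No CA key backup (.p12) found in $target"
}
```

Two points a daily schedule has to take into account. certutil -backup refuses a target folder that already contains files, so a recurring task needs a fresh (for example date-stamped) folder or a clean-up step before each run. And the .p12 password appears in clear text in the task's action string, visible to anyone who can read the task definition; restrict read access to the backup folder and the task, and treat that password with the same care as the CA's key.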


Exercise 3: Backing up and Restoring an Active Directory Lightweight Directory Services Instance
Task 1: Use dsdbutil to back up the test1 AD LDS instance

1. On the 6426C-MIA-DC1 virtual machine, click Start, and then click Computer.
2. Double-click the C: drive, and then create a new folder in the root of C:\ named backup.
3. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then select Run as administrator.
4. At the command prompt, type dsdbutil, and then press ENTER.
5. At the dsdbutil prompt, type activate instance test1, and then press ENTER.
6. At the dsdbutil prompt, type ifm, and then press ENTER.
7. At the ifm prompt, type create full c:\backup\test1, and then press ENTER. The backup will proceed. When complete, it will display the message IFM media created successfully in c:\backup\test1.
8. Type quit at the ifm prompt, and then press ENTER.
9. Type quit at the dsdbutil prompt, and then press ENTER.
10. Type exit, and then press ENTER to close the command prompt.

Task 2: Use dsdbutil to restore the test1 AD LDS instance backup

1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Services.
2. In the right pane, scroll until you locate the test1 service.
3. Right-click the test1 service, and click Stop.
4. Click Start, and then click Computer. Navigate to C:\Program Files\Microsoft ADAM\test1. Delete all of the files in the data folder.
5. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
6. At the command prompt, run the following command. If you are prompted to choose whether the path represents a file or directory, enter F for file.

xcopy /os c:\backup\test1\adamntds.dit "C:\Program Files\Microsoft ADAM\test1\data\adamntds.dit"

7. Click Start, point to Administrative Tools, and then click Services.
8. In the right pane, scroll until you locate the test1 service.
9. Right-click the test1 service, and select Start. Upon successful startup of the test1 service, the AD LDS instance is now running from the restored backup.
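dsdbutil, like ntdsutil, accepts its menu commands as command-line arguments, so the interactive session in Task 1 collapses to a single call, and the restore in Task 2 is a stop, copy and start. The following is an added example, not from the lab manual, that scripts both tasks for an elevated PowerShell prompt on 6426C-MIA-DC1. It uses the lab's instance name and paths and assumes the instance's Windows service carries the display name test1 (AD LDS names the service itself ADAM_test1), which is why the code looks it up by display name.

```powershell
# Added example, not from the lab manual: Exercise 3 scripted. Lab instance name and paths;
# run elevated on 6426C-MIA-DC1.
$instance   = 'test1'
$backupRoot = 'C:\backup'
$ifmPath    = Join-Path $backupRoot $instance
$dataDir    = 'C:\Program Files\Microsoft ADAM\test1\data'

function Backup-AdLdsInstance {
    # Task 1: create IFM media. dsdbutil creates the target folder and fails if it already holds
    # files, so each backup goes to a folder of its own.
    New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
    if (Test-Path $ifmPath) { throw "$ifmPath already exists; use a new folder for each backup" }
    # Each argument is one line of the interactive session from steps 5 to 9.
    $out = & dsdbutil.exe "activate instance $instance" 'ifm' "create full $ifmPath" 'quit' 'quit'
    if (-not ($out -match 'IFM media created successfully')) {
        throw "dsdbutil did not report success:`n$($out -join "`n")"
    }
    Get-ChildItem $ifmPath -Recurse | Select-Object FullName, Length
}

function Restore-AdLdsInstance {
    # Task 2: stop the instance, replace its database with the IFM copy, start it again.
    # The service is found by display name because AD LDS registers it as ADAM_<instance>.
    $svc = Get-Service -DisplayName $instance
    $svc | Stop-Service -Force
    Remove-Item -Path (Join-Path $dataDir '*') -Force           # step 4: clear the data folder
    Copy-Item -Path (Join-Path $ifmPath 'adamntds.dit') -Destination $dataDir   # step 6
    $svc | Start-Service
    # Check: the service came back up and the restored database file is where the instance expects it.
    $svc.Refresh()
    ($svc.Status -eq 'Running') -and (Test-Path (Join-Path $dataDir 'adamntds.dit'))
}

Backup-AdLdsInstance
# Restore-AdLdsInstance    # destructive: replaces the live database, so run it deliberately
```

The restore copies only adamntds.dit, exactly as the lab does; the instance rebuilds its transaction logs on start-up. Before relying on this in production, test that a start after restore succeeds and that a known object is present, because a service that starts is not yet proof that the right data came back.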

7. 8. 9.


Exercise 4: Configuring AD RMS Logging


Task 1: Enable logging for the cluster

1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. In the Active Directory Rights Management Services console, expand the mia-dc1.woodgrovebank.com (Local) cluster.
3. Right-click the mia-dc1.woodgrovebank.com (Local) cluster, and then click Properties.
4. On the Logging tab, ensure that the Enable Logging check box is selected, and then click OK. Close the Active Directory Rights Management Services console.

Task 2: Limit disk space usage for message queuing

1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager.
2. Expand Features, expand Message Queuing, and then click Private Queues.
3. Right-click drms_logging_mia_dc1_woodgrovebank_com_80, click Properties, select the Limit message storage to (KB) check box, type 1024000, and then click OK. Note: Message Queuing stores all queued messages up to the limit of the free storage space. If all of the available disk space is used, the AD RMS server will not be able to service any client requests.
4. Close Server Manager.

To reset the virtual machine

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. Shut down the 6426C-MIA-DC1 virtual machine.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-MIA-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
