
Official Microsoft Learning Product

6426C

Lab Instructions and Lab Answer Key: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6426C Part Number: X17-55422 Released: 04/2011

Module 1
Lab Instructions: Exploring Identity and Access Solutions
Contents:
Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions

Lab: Identifying IDA Roles to Meet Business Requirements

Objectives
After completing the lab, you will be able to:
• Identify business requirements.
• Determine server roles and solutions required to meet the business requirements.

Scenario
You are working as a systems administrator for Contoso Pharmaceuticals. As part of your job role, you need to understand how Active Directory is used to secure IT infrastructures.

Management wants to ensure that Contoso's IT infrastructure can be protected by using multi-factor authentication.

Management has also asked to protect Microsoft Office documents from being read by unauthorized people. Recently, some confidential Microsoft Word documents were emailed to an unauthorized person. Management wants to ensure that such documents are not readable even if they are obtained by unauthorized people.

Contoso recently partnered with Tailspin Toys. Tailspin Toys needs access to Contoso's claims-based web application but wants to ensure that its users can continue to use their current Tailspin Toys Active Directory user accounts.

Management has expressed concern about developer efficiency. Developers currently use a development instance of Active Directory Domain Services (AD DS). They have noted that they are often waiting for IT and instead need the ability to manage their own directory services for development. In addition, developers need a technology that helps them separate identity logic from their applications.

Human Resources (HR) maintains its own HR database that contains much of the same information that exists in Active Directory. However, some of the information in the HR database conflicts with the information in the Active Directory database. The databases should be synchronized so that the information in them is consistent.

Management has requested that you determine the Windows Server 2008 R2 server roles and IDA solutions available to address the organization's current issues.

Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
In this exercise, you will identify the server roles needed to satisfy the objectives for Contoso Pharmaceuticals. The main tasks for this exercise are as follows:
1. Identify business requirements.
2. Determine server roles and solutions required to meet the business requirements.

Task 1: Identify business requirements


Question: What are the business requirements for Contoso Pharmaceuticals?

Task 2: Determine server roles and solutions required to meet the business requirements
Questions:
1. Which server role is required for certificate authentication?
2. Which server role is required for protecting confidential Microsoft Office documents?
3. Which server role is required to allow Tailspin Toys access to Contoso's claims-aware web application?
4. Which server role can be used to give developers more efficient directory services capabilities?
5. Which solution would you use to synchronize the HR database with the Active Directory database?
6. Which technology would allow developers to externalize identity logic from their applications?

Results: After this exercise, you have identified the business requirements and the server roles required to meet the business requirements.

Module 2
Lab Instructions: Deploying and Configuring Active Directory Certificate Services
Contents:
Exercise 1: Deploying a Standalone Root CA
Exercise 2: Deploying an Enterprise Subordinate CA

Lab: Deploying and Configuring Active Directory Certificate Services

Objectives
After completing the lab, you will be able to:
• Install the AD CS server role and deploy a Standalone Root CA.
• Install the AD CS server role, deploy an Enterprise Subordinate CA, and issue and install the subordinate certificate.

Scenario
Building upon the blueprint created in the previous lab, you have been asked to implement AD CS within the Contoso Pharmaceuticals infrastructure. Since this is the first AD CS role installed, you have been asked to perform the following tasks:
• Install the AD CS server role, deploy a standalone Root CA, and configure the Root CA to issue subordinate certificates.
• Install the AD CS server role and deploy an Enterprise Subordinate CA.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
• Apply the StartingImage snapshot for the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines.
• Start the 6426C-NYC-DC1 and the 6426C-NYC-SVR1 virtual machines.

Exercise 1: Deploying a Standalone Root CA


The main task for this exercise is as follows: Install the AD CS server role with the CA role service.

Task: Install the AD CS server role and configure it as a stand-alone root Certificate Authority (CA)
On the 6426C-NYC-DC1 virtual machine, install and configure AD CS by selecting the appropriate options in the Add Roles Wizard within Server Manager. Select the following options during the installation:
• Specify Setup Type: Standalone
• Specify CA Type: Root CA
• Set Up Private Key: Create a new private key
• Configure Cryptography for CA: default settings for all configurations except for the key character length, which you should set to 4096.
• Common Name for this CA: ContosoCA
• Validity Period: default
• Configure Certificate Database: default

Results: After this exercise, you have installed the AD CS server role and deployed a standalone Root CA.

Exercise 2: Deploying an Enterprise Subordinate CA


The main tasks for this exercise are as follows:
1. Install an enterprise subordinate CA with the web enrollment role service.
2. Issue and install the subordinate certificate.

Task 1: Install an enterprise subordinate CA


On the 6426C-NYC-SVR1 virtual machine, install and configure AD CS by selecting the appropriate options within the Add Roles Wizard of Server Manager. Select the following options during the installation:
• Select Role Service: Certification Authority and Certification Authority Web Enrollment
• Specify Setup Type: Enterprise
• Specify CA Type: Subordinate CA
• Set Up Private Key: Create a new private key
• Configure Cryptography for CA: default settings for all configurations
• Common Name for this CA: ContosoIssuingCA
• Request Certificate from a Parent CA: ContosoCA
• Configure Certificate Database: default

Task 2: Issue and install the subordinate certificate


1. On the 6426C-NYC-DC1 virtual machine, issue the pending subordinate certificate by using the Certification Authority console.
2. On the 6426C-NYC-SVR1 virtual machine, install the subordinate certificate by using the Certification Authority console.
3. On the 6426C-NYC-SVR1 virtual machine, start the Active Directory Certificate Services service.

Results: After this exercise, you have installed the AD CS server role, deployed an Enterprise Subordinate CA, configured the Root CA to issue Subordinate certificates, and installed the subordinate certificate on the Subordinate CA.

Questions:
1. Which CA sits at the top of the PKI hierarchy?
2. What is the benefit of selecting a certificate key length of 4096?
3. Which server issued the certificate to the Subordinate CA?
4. Can a Subordinate CA issue a certificate to another Subordinate CA?
5. What option is available if your company and another company are merging but both organizations have existing PKI?

Module 3
Lab Instructions: Deploying and Configuring Certificates
Contents:
Exercise 1: Configuring Certificate Templates
Exercise 2: Configuring Autoenrollment
Exercise 3: Managing Certificate Revocation
Exercise 4: Configuring Key Recovery

Lab: Deploying Certificates and Managing Enrollment

Objectives
After completing the lab, you will be able to:
• Configure certificate templates.
• Deploy and enroll certificates.
• Manage certificate revocation.
• Configure key recovery.

Scenario
Now that you have deployed an AD CS infrastructure, your IT Director wants to extend the functionality of the environment by providing a mechanism for users to automatically utilize the certificates. You have decided to implement certificate templates and make use of the automatic enrollment mechanisms provided by AD CS. You must install and configure Windows Server 2008 R2 computers to support certificate services in the organization. To do so, you must perform the following consolidation activities:
• Configure certificate templates.
• Configure autoenrollment features in Group Policy for Certificate Services.
• Configure certificate revocation and the Online Responder functionality of Certificate Services.
• Implement custom certificate templates and a key archival and key recovery solution.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
• Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
• Start the 6426C-NYC-DC1-B and the 6426C-NYC-SVR1-B virtual machines.

Exercise 1: Configuring Certificate Templates


During this exercise, you configure AD CS certificate templates. The main tasks for this exercise are as follows:
1. Duplicate, install, and manually enroll a certificate.
2. Configure the template to be issued by the CA.
3. Verify the certificate is updated.
4. Create, duplicate, and supersede the Local User template by using a new template that includes smart card logon.
5. Configure the new template to be issued by the CA.
6. Verify the certificate is updated.

Task 1: Duplicate, install, and manually enroll a certificate


1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then select Certification Authority.
2. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
3. In the Details pane, duplicate the User certificate template, specifying Windows Server 2008 Enterprise.
4. In the Template display name box, type Local User.
5. On the Subject Name tab, clear the Include email name in subject name and the Email name check boxes.
6. For Authenticated Users, select Allow for the Enroll check box.
7. Close the Certificate Templates console.

Task 2: Configure the template to be issued by the CA


1. In the Certification Authority console, define a new Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Local User template, and then click OK.
3. Close the Certification Authority console.

Task 3: Verify that the certificate is updated


1. Create a Certificates MMC console for the current user account.
2. Request a new certificate by using the Certificate Enrollment Wizard.
3. On the Request Certificates page, select the Local User check box. Click Enroll, and then click Finish.
4. Refresh the console, and view the Local User certificate in the personal store.

Task 4: Create, duplicate, and supersede the Local User template by using a new template that includes smart card logon
1. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
2. Duplicate the User certificate template as a version 3 template.
3. Name the new template Contoso Smart Card User.
4. On the Subject Name tab, clear the Include email name in subject name and the Email name check boxes.
5. On the Extensions tab, edit Application Policies to include smart card logon.
6. On the Superseded Templates tab, add the Local User template.
7. On the Security tab, ensure that Authenticated Users has Read, Enroll, and Autoenroll permissions.

Task 5: Configure the new template to be issued by the CA


1. In the Certification Authority console, issue the Contoso Smart Card User certificate template.
2. Close all windows and log off from the 6426C-NYC-SVR1-B virtual machine.

Results: After this exercise, you have duplicated, installed, and manually enrolled a certificate, configured the certificate to be issued by the CA, verified that the certificate was updated, created and duplicated the template with a superseded template, and configured the CA to issue the superseded template.

Exercise 2: Configuring Autoenrollment


During this exercise, you configure autoenrollment. The main tasks for this exercise are as follows:
1. Configure a certificate template for autoenrollment.
2. Configure Group Policy for autoenrollment.
3. Verify autoenrollment functionality on a domain-joined computer.

Task 1: Configure the Contoso Smart Card User certificate template for autoenrollment
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then select Certification Authority.
2. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
3. Verify the Contoso Smart Card User certificate template by configuring it to be published in Active Directory.

Task 2: Configure the Default Domain Policy for autoenrollment


1. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and then select Group Policy Management.
2. In the Group Policy Management console, expand the forest and domain in the left pane until you see Group Policy Objects.
3. Right-click Default Domain Policy and choose Edit.
4. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies.
5. Enable autoenrollment in the Certificate Services Client - Auto-Enrollment policy setting. Enable autoenrollment in the Certificate Services Client - Enrollment Policy setting.

Task 3: Validate autoenrollment functionality from 6426C-NYC-SVR1-B


1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. Expand the Certificates - Current User node and then click Personal. Verify that you received the Contoso Smart Card User certificate in the right pane.

Results: After this exercise, you have configured the default domain policy for autoenrollment, configured a certificate template for autoenrollment, and verified autoenrollment functionality.

Exercise 3: Managing Certificate Revocation


During this exercise, you configure AD CS certificate revocation. The main tasks for this exercise are as follows:
1. Examine the default CRL distribution points (CDPs) and configure the CRL publication interval.
2. Install the Online Responder component on a Web server.
3. Configure the CA to include the Online Responder location in the authority information access (AIA).
4. Issue the OCSP Response Signing template.
5. Configure the Online Responder.
6. Revoke a certificate.
7. Publish the CRL.
8. Ensure that the CRL is downloaded onto the client computer.

Task 1: Examine the default CRL distribution points (CDPs) and configure the CRL publication interval
1. On 6426C-NYC-SVR1-B, in the Certification Authority console, open the ContosoCA Properties dialog box.
2. On the Extensions tab, examine the CDPs, and then close the ContosoCA Properties dialog box.
3. Open the Revoked Certificates folder properties dialog box.
4. Set the CRL Publication interval to 1 Month.
5. Set the Publish Delta CRLs interval to 3 Days.

Task 2: Install the Online Responder component on a Web server


On 6426C-NYC-SVR1-B, use Server Manager to install the AD CS Online Responder role service.

Task 3: Configure the CA to include the Online Responder location in the Authority Information Access (AIA)
1. On 6426C-NYC-SVR1-B, in the Certification Authority console, open the ContosoCA Properties dialog box.
2. On the Extensions tab, add http://NYC-SVR1/ocsp as an AIA location. Also select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.

Task 4: Issue the OCSP Response Signing template


1. On 6426C-NYC-SVR1-B, use the Certificate Templates console to set the permissions on the OCSP Response Signing template so that you allow Enroll permission for Authenticated Users.
2. Use the Certification Authority console to issue the template.

Task 5: Configure the Online Responder


1. On 6426C-NYC-SVR1-B, launch the Online Responder Management console.
2. Right-click Revocation Configuration, and then click Add Revocation Configuration.
3. Use the wizard to create a new revocation configuration named ContosoCA Online Responder.
4. Browse to and select the ContosoCA certificate.
5. After you run the wizard, the revocation configuration status is set to Working.
6. Close the Online Responder console.

Task 6: Revoke a certificate


1. On 6426C-NYC-SVR1-B, open the Certification Authority console, and then click Issued Certificates.
2. Locate and revoke the Contoso Smart Card User certificate issued in the last exercise. Select Change of Affiliation as the reason.
3. Click the Revoked Certificates folder, and then ensure that the revoked certificate is visible.

Task 7: Publish the CRL


1. On 6426C-NYC-SVR1-B, right-click the Revoked Certificates folder.
2. Point to All Tasks, and then click Publish.
3. Publish a new CRL.

Task 8: Ensure that the CRL is downloaded onto the client computer
1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. Under the Certificates - Current User node, expand the Intermediate Certification Authorities node, and then click Certificate Revocation List. Notice the CRL from ContosoCA.
3. Open the Properties dialog box for one of the ContosoCA lists, and then click the Revocation List tab. Notice that the certificate that was previously revoked is listed.

Results: After this exercise, you have installed and configured the Online Responder, revoked a certificate, published the CRL, and validated that the CRL was downloaded onto a computer.
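The following script is an added example, not part of the 6426C lab or Microsoft's material: it locates the certificate that autoenrollment issued from a template (Exercise 2, Task 3) and then builds its chain with online revocation checking, so the revocation and CRL publication from Tasks 6 and 7 can be confirmed from the client side rather than by eye in the MMC. It assumes it runs on 6426C-NYC-SVR1-B as the user who received the certificate; the function names and the Cert:\CurrentUser\My store path are this example's own choices.

```powershell
# Added example (not from the lab). Find the certificate issued from $TemplateName in the
# user's personal store and validate its chain, fetching revocation data online.
param(
    [string]$TemplateName = "Contoso Smart Card User",
    [string]$StorePath    = "Cert:\CurrentUser\My"
)

# Template extensions written by an enterprise CA:
#   1.3.6.1.4.1.311.20.2  v1 template name
#   1.3.6.1.4.1.311.21.7  v2/v3 template OID (Format() resolves it to the display name)
$templateOids = "1.3.6.1.4.1.311.20.2", "1.3.6.1.4.1.311.21.7"

function Get-CertificateByTemplate {
    param([string]$Name, [string]$Path)
    Get-ChildItem $Path | Where-Object {
        $match = $false
        foreach ($ext in $_.Extensions) {
            if (($templateOids -contains $ext.Oid.Value) -and ($ext.Format($false) -like "*$Name*")) {
                $match = $true
            }
        }
        $match
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch the CRL from the CDP (or ask the OCSP responder listed in AIA) rather than
    # trusting only a cached copy; EntireChain also checks the issuing CA's own status.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
    $trusted = $chain.Build($Certificate)

    # One row per chain element, leaf first and root last, with key length and status, so the
    # 4096-bit root from Module 2 and a Revoked leaf are both visible at a glance.
    $elements = foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ","
        if (-not $status) { $status = "OK" }
        New-Object PSObject -Property @{
            Subject = $element.Certificate.Subject
            KeyBits = $element.Certificate.PublicKey.Key.KeySize
            Status  = $status
        }
    }
    $revoked = [bool]($chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked })
    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Trusted    = $trusted
        Revoked    = $revoked
        Elements   = $elements
    }
}

$certs = @(Get-CertificateByTemplate -Name $TemplateName -Path $StorePath)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate from template '$TemplateName' in $StorePath. Run 'certutil -pulse' to trigger autoenrollment and re-check the Group Policy settings."
    return
}
foreach ($cert in $certs) {
    $result = Test-CertificateChain -Certificate $cert
    "{0}  Trusted={1}  Revoked={2}" -f $result.Thumbprint, $result.Trusted, $result.Revoked
    $result.Elements | Format-Table Subject, KeyBits, Status -AutoSize
}
# Windows serves CRLs from its cache until NextUpdate; if the revocation from Task 6 does not
# show up even after Task 7, flush the cached CRLs first:  certutil -urlcache crl delete
```

A leaf that reports Trusted=False and Revoked=True shows the client is consuming the CRL (or OCSP response) that lists the certificate revoked in Task 6; a cert that still validates points at a stale cached CRL or an Online Responder that has not yet picked up the new list.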

Exercise 4: Configuring Key Recovery


During this exercise, you manage key archival and recovery. The main tasks for this exercise are as follows:
1. Remove the requirement for CA Manager approval and verify who can enroll the KRA certificate.
2. Configure the ContosoCA to issue KRA certificates.
3. Acquire the KRA certificate.
4. Configure the CA to allow key recovery.
5. Configure a custom template for key archival.
6. Add a user to the Server Operators group.
7. Verify key archival functionality.

Task 1: Remove the requirement for CA Manager approval and verify who can enroll the Key Recovery Agent (KRA) certificate
1. On the 6426C-NYC-SVR1-B virtual machine, in the Certification Authority console, right-click the Certificate Templates folder, and then click Manage.
2. In the Certificate Templates console, open the Key Recovery Agent certificate properties dialog box.
3. On the Issuance Requirements tab, clear the CA certificate manager approval check box.
4. On the Security tab, notice that only the Domain Admins and Enterprise Admins groups have the Enroll permission.

Task 2: Configure the ContosoCA to issue KRA certificates


1. On 6426C-NYC-SVR1-B, right-click the Certificate Templates folder.
2. Issue the Key Recovery Agent template.

Task 3: Acquire the KRA certificate


1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. In the left pane, expand Personal and then right-click Certificates. Expand All Tasks and then click Request New Certificate to launch the Certificate Enrollment Wizard, request a new certificate, and enroll the KRA certificate.
3. Refresh the console window, and view the KRA certificate in the personal store.

Task 4: Configure the CA to allow key recovery


1. On 6426C-NYC-SVR1-B, in the Certification Authority console window, open the ContosoCA properties dialog box.
2. On the Recovery Agents tab, click Archive the key, and then add the certificate using the Key Recovery Agent Selection dialog box.

Task 5: Configure a custom template for key archival


1. On 6426C-NYC-SVR1-B, open the Certificate Templates console.
2. Duplicate the User template for Windows Server 2008 Enterprise, and name it Archive User.
3. On the Request Handling tab, set the option for Archive subject's encryption private key. By using the archive key option, the KRA can obtain the private key from the certificate store.
4. Add the Archive User template as a new certificate template to issue.
5. Log off from the 6426C-NYC-SVR1-B virtual machine.

Task 6: Add a user to the Server Operators group


1. On 6426C-NYC-DC1-B, open the Active Directory Users and Computers console.
2. From the Executives OU, add the user Tony Wang to the Server Operators group.
3. Open the Tony Wang Properties dialog box and configure the email address as tony@Contoso.com.
4. Log off from the 6426C-NYC-DC1-B virtual machine.

Task 7: Verify key archival functionality


1. Log on to the 6426C-NYC-SVR1-B virtual machine as CONTOSO\Tony and use Pa$$w0rd as the password.
2. Create a Certificates MMC console for the user account.
3. Request and enroll a new certificate based on the Archive User template.
4. From the personal store, locate the Archive User certificate.
5. Open the properties of the certificate and write down the certificate serial number. You will use this for recovery of the private key.
6. Log off the 6426C-NYC-SVR1-B virtual machine and then log back on as CONTOSO\Administrator. Use Pa$$w0rd as the password.
7. On the 6426C-NYC-SVR1-B virtual machine, at the command prompt, type certutil -getkey <serial number> outputblob.

Note: Replace <serial number> with the serial number that you wrote down earlier.

8. To convert the outputblob file into an importable .pfx file, on the 6426C-NYC-SVR1-B virtual machine, at the command prompt, type certutil -recoverkey outputblob tony.pfx.
9. Verify the creation of the recovered key in the C:\Users\Administrator directory.

Results: After this exercise, you have configured a KRA, configured the CA to allow for key recovery, configured a key archival template, and verified key archival functionality.
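The script below is an added example, not part of the 6426C lab: it wraps the two certutil steps from Task 7 with the input validation and post-checks a recovery agent would want, and confirms that the resulting PFX really carries the private key for the serial number that was requested. It assumes it runs on 6426C-NYC-SVR1-B as the account holding the KRA private key (CONTOSO\Administrator in this lab); the parameter and file names are this example's own, while the certutil switches are the ones the lab uses.

```powershell
# Added example (not from the lab): guarded key recovery for one archived certificate.
param(
    [Parameter(Mandatory = $true)][string]$SerialNumber,   # as copied from the certificate's Details tab
    [string]$BlobPath = "outputblob",
    [string]$PfxPath  = "tony.pfx"
)

# The MMC shows the serial number with spaces between bytes; certutil wants plain hex.
$serial = $SerialNumber -replace "\s", ""
if ($serial -notmatch '^[0-9A-Fa-f]+$') {
    throw "Serial number must be hexadecimal, got '$SerialNumber'."
}

# Step 1 (lab step 7): pull the archived key blob for that certificate out of the CA database.
# Only a holder of a KRA private key registered on the CA (Task 4) can decrypt it later.
& certutil -getkey $serial $BlobPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BlobPath)) {
    throw "certutil -getkey failed (exit $LASTEXITCODE). Check that the certificate came from a template with key archival enabled (Archive User) and that this account holds the KRA certificate."
}

# Step 2 (lab step 8): decrypt the blob with the KRA key into a password-protected PFX.
# certutil prompts interactively for the PFX password.
& certutil -recoverkey $BlobPath $PfxPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PfxPath)) {
    throw "certutil -recoverkey failed (exit $LASTEXITCODE)."
}

# Step 3 (lab step 9, made explicit): the PFX must contain a private key, and it must belong
# to the certificate we asked for, not some other entry in the blob.
$recovered = Get-PfxCertificate -FilePath $PfxPath     # prompts for the same password
if (-not $recovered.HasPrivateKey) {
    throw "$PfxPath contains no private key."
}
if ($recovered.SerialNumber -ne $serial) {
    throw "$PfxPath holds serial $($recovered.SerialNumber), expected $serial."
}

# The blob is an intermediate copy of key material; remove it once the PFX is verified.
Remove-Item $BlobPath -Force
"Recovered private key for serial {0} into {1} (subject: {2})" -f $recovered.SerialNumber, $PfxPath, $recovered.Subject
```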

Module 4
Lab Instructions: Deploying and Configuring Active Directory Lightweight Directory Services
Contents:
Exercise 1: Configuring AD LDS Instances and Partitions
Exercise 2: Configuring AD LDS Replication
Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps

Lab: Deploying and Configuring Active Directory Lightweight Directory Services

Objectives
After completing this lab, you will be able to:
• Configure AD LDS instances and partitions.
• Configure AD LDS replication.
• Identify AD LDS solution tools and troubleshooting steps.

Scenario
Contoso Pharmaceuticals is in the process of standardizing all applications that are used by internal intranet users. Each application will be customizable by users, and the application personalization data will be stored in a centralized directory service. Each application will make use of a single security profile. The application architecture team has decided that AD LDS meets the requirements outlined and will be deploying a test application to ensure that the AD LDS infrastructure can be supported. Your IT Director has asked you to configure an AD LDS environment that can store the application personalization information and that leverages multiple instances for disaster recovery and performance. You must perform the following activities to consolidate a solution:
• Provide support for the AD LDS user class and related classes.
• Users must be able to connect to the AD LDS instance by using LDAP port 6636 and LDAPS port 6389.
• To run the AD LDS instance, you need to configure the AD LDS instance by using the NT AUTHORITY\Network Service account. You also need to set up the CONTOSO\Administrator account to administer AD LDS.
• Create a second replica of the ContosoApp1 instance and configure AD LDS replication to avoid a single point of failure.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
• Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
• Start the 6426C-NYC-DC1-B and the 6426C-NYC-SVR1-B virtual machines.

Exercise 1: Configuring AD LDS Instances and Partitions


The main tasks for this exercise are as follows:
1. Install the AD LDS server role.
2. Configure AD LDS instances and partitions.

Task 1: Add the AD LDS server role by using Server Manager


1. On the 6426C-NYC-DC1-B virtual machine, in the Server Manager console, click the Roles node.
2. Add the Active Directory Lightweight Directory Services role. If prompted to add required role services, click Add Required Role Services.
3. Repeat steps 1 and 2 to install AD LDS on the 6426C-NYC-SVR1-B virtual machine.

Task 2: Create an AD LDS instance known as ContosoApp1 by using the AD LDS Setup Wizard
1. From the Start menu on 6426C-NYC-DC1-B, point to Administrative Tools and then run the AD LDS Setup Wizard.
2. Click Next and then create a unique instance named ContosoApp1.
3. Specify the LDAP port number as 6389 and the SSL port number as 6636.
4. Create an Application Directory Partition OU=App1,dc=CONTOSO,dc=local. Accept the defaults but select the MS-User.LDF in the wizard to finish the install.

Results: After this exercise, you have added the AD LDS server role to two virtual machines and created an AD LDS instance on one of the virtual machines.

Exercise 2: Configuring AD LDS Replication


The main tasks for this exercise are as follows:
1. Configure two AD LDS servers to replicate with one another.
2. Verify AD LDS replication.

Task 1: Create a replica of ContosoApp1 by using the AD LDS Wizard


1. On the 6426C-NYC-SVR1-B virtual machine, point to Administrative Tools and then run the AD LDS Setup Wizard.
2. Choose to create A replica of an existing instance and name it ContosoApp1.
3. Specify the LDAP port number as 6389 and the SSL port number as 6636.
4. On the Joining a Configuration Set page, in the Server box, type NYC-DC1, and then in the LDAP port box, type 6389.
5. Ensure that the Currently logged on user check box is selected.
6. In the Copying Application Directory Partitions window, select OU=App1,dc=CONTOSO,dc=local.
7. Accept all the defaults to finish the wizard.

Task 2: Connect to the application partition and verify initial replication by using ADSI Edit
1. On the 6426C-NYC-SVR1-B virtual machine, launch ADSI Edit.
2. Connect to an instance and name it ContosoApplication.
3. Under Connection Point, type OU=App1,dc=CONTOSO,dc=local.
4. Under Computer, type NYC-SVR1:6389.
5. In the console tree, click ContosoApplication [NYC-SVR1:6389], and then expand ContosoApplication [NYC-SVR1:6389] and OU=App1,dc=CONTOSO,dc=local.
6. Verify that the local replica exists by opening the instance.

Results: After this exercise, you have added AD LDS to a virtual machine, configured it as a replica, and validated the replication.

Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps


Scenario
Now that AD LDS is installed and replicating, your team has asked you to document the AD LDS solution tools to solve common AD LDS issues. Your team has also asked you to document the AD LDS troubleshooting steps to solve common AD LDS issues. You plan to base your tools around a recent AD LDS issue that the company experienced: users experienced issues connecting to the AD LDS instance. The problem occurred after a network upgrade project was implemented. The main tasks for this exercise are as follows:
1. Identify solution tools to troubleshoot the recent AD LDS issue.
2. Identify AD LDS troubleshooting steps for the recent AD LDS issue.

Task 1: Create a list of AD LDS troubleshooting tools


Question: Identify several tools that can be used to troubleshoot the recent AD LDS issue based on the scenario.

Task 2: Create a list of AD LDS troubleshooting steps


Question: Based on the scenario, and using the built-in tools available, describe the troubleshooting steps to be performed to identify the cause of the issue.

Results: After this exercise, you have identified the AD LDS solution tools and troubleshooting steps needed to troubleshoot a recently reported AD LDS issue.
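As an added example, not part of the 6426C lab, the script below turns the troubleshooting steps for the "users cannot connect after a network upgrade" scenario into checks that run against both replicas: service state, TCP reachability of the LDAP and SSL ports, an authenticated LDAP bind and search of the application partition, and a comparison of the objects held by each replica. It uses the values from the Module 4 tasks (instance ContosoApp1 on NYC-DC1 and NYC-SVR1, LDAP 6389, SSL 6636, partition OU=App1,dc=CONTOSO,dc=local) and assumes it runs as a user who can read that partition; the function names are this example's own.

```powershell
# Added example (not from the lab): layered connectivity and replication checks for ContosoApp1.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Servers   = "NYC-DC1", "NYC-SVR1"
$Instance  = "ContosoApp1"
$LdapPort  = 6389
$SslPort   = 6636
$Partition = "OU=App1,dc=CONTOSO,dc=local"

# Layer 1: is the port reachable at all? A firewall or ACL change from the network upgrade
# shows up here as CLOSED. This is a plain TCP connect; it does not negotiate TLS on 6636.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Layer 2: does the instance accept an authenticated bind, and what does the partition hold?
function Get-PartitionDns {
    param([string]$Server, [int]$Port, [string]$BaseDn)
    $id    = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()    # current logon credentials (CONTOSO\Administrator in the lab)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, "(objectClass=*)", $scope, [string[]]@("distinguishedName"))
    $resp  = $conn.SendRequest($req)   # the lab partition is tiny, so no paging control is needed
    $conn.Dispose()
    $resp.Entries | ForEach-Object { $_.DistinguishedName }
}

$dnSets = @{}
foreach ($server in $Servers) {
    # Each AD LDS instance runs as the Windows service ADAM_<instance name>.
    try {
        $svc = Get-Service -ComputerName $server -Name "ADAM_$Instance" -ErrorAction Stop
        "{0}: service ADAM_{1} is {2}" -f $server, $Instance, $svc.Status
    } catch {
        "{0}: could not query service ADAM_{1}: {2}" -f $server, $Instance, $_.Exception.Message
    }

    foreach ($port in $LdapPort, $SslPort) {
        $state = if (Test-TcpPort -ComputerName $server -Port $port) { "open" } else { "CLOSED" }
        "{0}: TCP {1} {2}" -f $server, $port, $state
    }

    try {
        $dnSets[$server] = @(Get-PartitionDns -Server $server -Port $LdapPort -BaseDn $Partition)
        "{0}: {1} objects under {2}" -f $server, $dnSets[$server].Count, $Partition
    } catch {
        "{0}: LDAP bind or search failed: {1}" -f $server, $_.Exception.Message
    }
}

# Layer 3: do both replicas hold the same objects? A difference here points at replication
# (next stop: the "ADAM ($Instance)" event log on each server), not at the network path
# the users complained about.
if ($dnSets.Count -eq 2) {
    $diff = Compare-Object -ReferenceObject $dnSets["NYC-DC1"] -DifferenceObject $dnSets["NYC-SVR1"]
    if ($diff) {
        "Replicas differ:"
        $diff | Format-Table -AutoSize
    } else {
        "Both replicas hold the same {0} objects under {1}" -f $dnSets["NYC-DC1"].Count, $Partition
    }
}
```

Reading the output top down mirrors the order a practitioner would work: a stopped service or CLOSED port explains the user reports on its own, while a clean bind with differing object sets moves the investigation from the network to AD LDS replication.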

Module 5
Lab Instructions: Deploying and Configuring Active Directory Federation Services
Contents:
Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0 ... 4
Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0 ... 6
Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application ... 8
Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application ... 12


Lab: Deploying and Configuring Active Directory Federation Services

Objectives
After completing this lab, you will be able to:
- Install the PKI infrastructure and prepare for federated collaboration with AD FS 2.0.
- Install and configure Active Directory Federation Services (AD FS) 2.0.
- Configure AD FS 2.0 for internal users to access an internal claims-aware application.
- Configure AD FS 2.0 for internal users to access a partner's claims-aware application.

Scenario
Now that you have your development team working efficiently with AD LDS, your IT Director wants to extend the functionality of a partner's main claims-aware web application so that your users can access the application with their own credentials. To do this, you first need to familiarize yourself with the various components. You decide to set up the prerequisite PKI infrastructure, configure AD FS, identify a sample claims-aware web application to use, and configure the relevant certificates and associated rules and claims. Familiarizing yourself with these components helps to make sure you understand the concepts and processes involved before documenting your requirements, defining the project needs, and providing access to a broader test audience. You have decided to implement Active Directory Federation Services 2.0 in a single organization scenario, and then test it before you provide further access or collaboration with an external organization. The sample application you have decided to use is sourced from the Windows Identity Foundation (WIF) Software Development Kit (SDK) and will allow a proof of concept before using the partner's application and involving more people at this early stage. You will install and configure the various components required to test the Federation Service.


In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the Starting Image snapshot for the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
- Start the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.


Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Scenario
You need to prepare your environment for AD FS and you have determined that you will require a PKI infrastructure. You then set about preparing a PKI infrastructure for use with AD FS.
The main tasks for this exercise are as follows:
1. Install Active Directory Certificate Services in the Contoso domain.
2. Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA).
3. Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate.
4. Create a certificate in Internet Information Services (IIS).
5. Bind the certificate to a claims-aware application for use with SSL.
6. Export the Contoso root certificate for importing into the WoodgroveBank domain.
7. Import the certificates from the WoodgroveBank domain into the local Trusted Root Certification Authorities store and make that certificate accessible to all computers in the domain using Group Policy.

Task 1: Install Active Directory Certificate Services in the Contoso Domain
On the 6426C-NYC-DC1 virtual machine, log on with user name CONTOSO\Administrator using password Pa$$w0rd, install AD CS accepting the setup defaults, and ensure the following selections:
- Role Services: Certificate Authority and Certification Authority Web Enrollment
- Setup type: Enterprise
- CA Type: Root
- Create a new private key
- CA name: ContosoCA

Note: Before continuing with the lab, you should ensure that some core services required in the lab, such as Active Directory Web Services, are running successfully at this point.

Task 2: Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA)
1. Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA) extension locations listed below:
   - Ldap://CN
   - File://<serverDNSName>...
2. Choose to include the CDP and AIA extensions in issued certificates.
3. Review the existing certificates that have been issued, refresh the list of certificates using certutil.exe, and delete any legacy certificates containing the extensions you just deleted.


Task 3: Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate
1. Edit the Web Server certificate template properties to allow Domain Computers, Domain Controllers, Network Service and IIS_IUSRS the Read and Enroll rights.
2. Stop and restart the AD CS service using net stop and net start.

Task 4: Create a certificate in Internet Information Services (IIS)
Create a Domain Certificate in IIS with a friendly name of NYC-DC1.Contoso.com, issued by the certification authority ContosoCA, with the following details:
- Common name: NYC-DC1.Contoso.com
- Organization: Contoso Pharmaceuticals
- Organization unit: IT Department
- City/locality: New York
- State/province: New York
- Country/region: US

Task 5: Bind the certificate to a claims aware application for use with SSL
Bind the certificate that you just created to the default web site for use under https connections using port 443.

Task 6: Export the Contoso root certificate for importing into the WoodgroveBank domain
1. On the 6426C-NYC-DC1 virtual machine, export the Contoso root certificate for later use in the WoodgroveBank domain.
2. Choose not to export the private key and choose the file format DER encoded binary X.509 (.CER), saving to C:\Export\Certs.

Task 7: Import the Certificates from the WoodgroveBank domain into the local Trusted Root Certification Authorities store and make that certificate accessible to all computers in the domain using Group Policy
1. On the 6426C-NYC-DC1 virtual machine, import the WoodgroveBank root certificate from \\MIA-DC1\C$\Export\Certs\ and place it into the Trusted Root Certification Authorities store using the Group Policy Management Editor snap-in, to make it accessible in the domain as part of the Default Domain Policy.
2. On the 6426C-MIA-DC1 virtual machine, import the Contoso root certificate from \\NYC-DC1\C$\Export\Certs\ and place it into the Trusted Root Certification Authorities store using the Group Policy Management Editor snap-in, to make it accessible in the domain as part of the Default Domain Policy.
3. Refresh the group policy in both domains via the command line.

Results: After this exercise, you have installed Active Directory Certificate Services; created, modified and managed certificates for use in a federated environment; bound a certificate to an SSL connection; and exported and imported certificates across two separate domains. These are all preliminary tasks required for a successful AD FS implementation.


Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Scenario
Now that you have installed the PKI infrastructure, you decide to proceed with the installation and configuration of your AD FS environment.
The main tasks for this exercise are as follows:
1. Install AD FS 2.0 on the Contoso domain.
2. Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration Wizard.
3. Verify that the Federation PowerShell modules have been installed correctly and are available for use.
4. Verify that the FederationMetadata.xml is present and contains valid data.
5. Create a new claim type and verify that it has been successfully added to the claims list.

Task 1: Install AD FS 2.0 in the Contoso domain
1. On the 6426C-NYC-DC1 virtual machine, log on with user name Contoso\Administrator using password Pa$$w0rd.
2. Install AD FS from the folder X:\Labfiles\Mod05\AdfsSetup, choosing to install the Federation Server role.
Note: As at the start of Exercise 1, before continuing with the lab you should ensure that some core services required in the lab, such as the Active Directory Web Services and the AD FS 2.0 Windows Service, are running successfully at this point.

Task 2: Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration Wizard
Run the AD FS 2.0 Federation Server Configuration Wizard from the AD FS 2.0 Management console, specifying the following settings:
- Specify a New Federation Service.
- Use a Stand-Alone environment.
- Use the certificate NYC-DC1.Contoso.com for SSL connectivity with port number 443 (ensure this is the certificate you recently created by checking the certificate properties).



Task 3: Verify the Federation PowerShell modules have been installed correctly and are available for use
1. Open the Windows PowerShell Modules window and review the AD FS properties by using the Get-ADFSProperties PowerShell command.
2. View all AD FS PowerShell cmdlets using the Get-Command *-ADFS* command.

Task 4: Verify the FederationMetaData.xml is present and contains valid data


View the Federation Metadata by opening Internet Explorer and opening the following file: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml

Task 5: Create a new claim type and verify it has been successfully added to the claims list
1. In the AD FS 2.0 Management Console, create a new Claim Description with the details below and publish the claim description in the Federation Metadata as a claim type that the Federation Server can both accept and send:
   - Display Name: Favorite Color
   - Claim Identifier: http://www.favoritecolor.com/claim/colordescriptions
2. Open the Federation Metadata in Internet Explorer: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Scroll to the end of the page after it renders and verify that the claim type has been added to the list.
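The same verification done programmatically, as an added example that is not part of the lab manual: it downloads the federation metadata from the lab URL, reads the entityID and every claim type under ClaimTypesOffered, and reports whether the Favorite Color claim identifier from step 1 is advertised. The function names are assumptions; the XML namespaces are those of the WS-Federation metadata AD FS 2.0 publishes. Because NYC-DC1 trusts ContosoCA after Exercise 1, certificate validation is left on, so a TLS error here is itself a finding worth investigating.

```powershell
# Added example, not lab manual code: check the published federation metadata for a claim type.
function Get-FederationClaimTypes {
    param(
        [string]$MetadataUrl = 'https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml'
    )
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true
    [xml]$metadata = $client.DownloadString($MetadataUrl)

    # WS-Federation metadata namespaces used by AD FS 2.0.
    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace('fed',  'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('auth', 'http://docs.oasis-open.org/wsfed/authorization/200706')

    # The root EntityDescriptor carries the entityID of the Federation Service.
    $entityId = $metadata.DocumentElement.GetAttribute('entityID')

    # Claim types the STS offers appear under fed:ClaimTypesOffered; the same Uri can occur
    # in more than one role descriptor, so collect them once by Uri.
    $seen = @{}
    foreach ($node in $metadata.SelectNodes('//fed:ClaimTypesOffered/auth:ClaimType', $ns)) {
        $uri = $node.GetAttribute('Uri')
        if ($seen.ContainsKey($uri)) { continue }
        $display = $node.SelectSingleNode('auth:DisplayName', $ns)
        $name = ''
        if ($display) { $name = $display.InnerText }
        $seen[$uri] = New-Object PSObject -Property @{ Uri = $uri; DisplayName = $name }
    }
    New-Object PSObject -Property @{ EntityId = $entityId; ClaimTypes = @($seen.Values) }
}

function Test-ClaimTypeOffered {
    param(
        [string]$ClaimUri = 'http://www.favoritecolor.com/claim/colordescriptions'
    )
    $md = Get-FederationClaimTypes
    Write-Host "Federation Service entityID: $($md.EntityId)"
    Write-Host "Claim types offered: $($md.ClaimTypes.Count)"
    $match = $md.ClaimTypes | Where-Object { $_.Uri -eq $ClaimUri }
    if ($match) {
        Write-Host "Found claim type '$($match.DisplayName)' with Uri $ClaimUri"
        return $true
    }
    Write-Warning "Claim type $ClaimUri is not advertised in the federation metadata"
    return $false
}

Test-ClaimTypeOffered
```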

Results: After this exercise, you have installed and configured AD FS and verified a successful installation by viewing the PowerShell modules as well as directly inspecting the FederationMetadata.xml file. You have also successfully added a new claim type to the claim descriptions.


Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Scenario
Now that AD FS 2.0 is installed and the initial configuration is complete, you must test the environment in an internal stand-alone scenario. To test this, you have decided to use a sample application that you have obtained from the Windows Identity Foundation (WIF) SDK. You must now configure your AD FS environment to work with this sample application.
The main tasks for this exercise are as follows:
1. Configure a Token Signing Certificate for NYC-DC1.Contoso.com.
2. Configure a claims provider trust for NYC-DC1.Contoso.com.
3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.
4. Configure a relying party trust to the claims-aware application.
5. Configure claim rules for the relying party trust.
6. Test the access to the claims-aware application.
7. Configure claim rules for the claims provider trust and the relying party trust to allow access only for a certain group.
8. Verify restrictions and accessibility to the claims-aware application.

Task 1: Configure a Token Signing Certificate for NYC-DC1.Contoso.com
1. On the 6426C-NYC-DC1 virtual machine, log on with user name Contoso\Administrator using password Pa$$w0rd.
2. Turn off the Auto Certificate Rollover feature in the Windows PowerShell window by using the Set-ADFSProperties -AutoCertificateRollover $False command.
3. In the AD FS 2.0 Management console, add a Token-Signing Certificate and choose NYC-DC1.Contoso.com as the certificate to use (ensure this is the certificate you recently created by checking the certificate properties).
4. Set this newly added certificate as the Primary Token-Signing Certificate and delete the certificate that you just superseded.

Task 2: Configure a claims provider trust for NYC-DC1.Contoso.com
1. In the AD FS 2.0 Management console, go to the Claims Provider Trusts, highlight the Active Directory store and then go to Edit Claim Rules.
2. In the Edit Claim Rules for Active Directory dialog on the Acceptance Transform Rules tab, launch the Add Transform Claim Rule Wizard and complete the wizard with the following settings:
   - Select Send LDAP Attributes as Claims under Claim rule template.
   - Name the claim rule Outbound LDAP Attribute Rule.
   - Choose Active Directory as the Attribute Store.
   - In the Mapping of LDAP attributes to outgoing claim types, select the following values:

     LDAP Attribute        Outgoing Claim Type
     E-Mail-Addresses      E-Mail Address
     User-Principal-Name   UPN
     Display-Name          Name

Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. Launch the Windows Identity Foundation Federation Utility from Administrative Tools.
2. Complete the wizard with the following settings:
   - Point to the web.config file of the WIF sample application by pointing to C:\Inetpub\wwwroot\ContosoClaimApp\web.config.
   - Specify an Application URI by typing https://nyc-dc1.contoso.com/contosoclaimapp/.
   - Select to Use an existing STS, and enter the path https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml.
   - If prompted, select to Disable certificate chain validation.
   - Select No encryption.

Task 4: Configure a relying party trust to the claim aware application
1. In the AD FS 2.0 Management console, click Required: Add a trusted relying party, in the middle pane.
2. Complete the Add Relying Party Wizard with the following settings:
   - Choose to Import data about the relying party published online or on a local network and type https://nyc-dc1.contoso.com/contosoclaimapp.
   - Specify a Display name of WIF Sample Claims App.
   - Choose to Permit all users to access this relying party.
   - Select the Open the Edit Claim Rules for WIF Sample Claims App when the wizard is complete check box.

Task 5: Configure claim rules for the relying party trust
1. In the Edit Claim Rules for WIF Sample Claims App properties dialog, choose to Add a Rule on the Issuance Transform Rules tab.
2. Complete the Add Transform Claim Rule Wizard with the following settings:
   - Choose Pass Through or Filter an Incoming Claim in the Claim rule template drop-down list.
   - Name the claim rule Pass Through Windows Account Name.
   - Select Windows account name in the Incoming claim type drop-down list.
   - Create three more rules to pass through the E-Mail Address, UPN, and Name claim types.



Task 6: Test the access to the claims aware application
1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Axel using password Pa$$w0rd.
2. Launch Internet Explorer and specify the URL: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, enter CONTOSO\Axel with password Pa$$w0rd.
Note: If the page does not render successfully, as a first step in troubleshooting you should ensure that some core services required in the lab, such as the Active Directory Web Services and the AD FS 2.0 Windows Service, are running successfully on 6426C-NYC-DC1 at this point. Then retry accessing the application.

Task 7: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On the 6426C-NYC-DC1 virtual machine, open the AD FS 2.0 console.
2. Edit the claim rules for the Active Directory claims provider trust.
3. Choose to Add Rule on the Acceptance Transform Rules tab.
4. Complete the Add Transform Claim Rule Wizard with the following settings:
   - Select Send Group Membership as a Claim in the Claim rule template.
   - Name the claim rule Send IT Admin Group Rule.
   - Specify the ITAdmins_ContosoGG group.
   - Select Group in the Outgoing claim type.
   - Type ITADMIN for the Outgoing claim value.
5. Return to the AD FS 2.0 console and open the WIF Sample Claims App properties dialog box.
6. In the Edit Claim Rules for WIF Sample Claims App properties dialog, remove the existing rule on the Issuance Authorization Rules tab.
7. Choose to Add a Rule on the Issuance Authorization Rules tab.
8. Complete the Add Issuance Authorization Claim Rule Wizard with the following settings:
   - Select Permit or Deny Users Based on an Incoming Claim in the Claim rule template.
   - Name the claim rule Permit IT Admin Group Rule.
   - Select Group in the Incoming claim type.
   - Type ITADMIN for the Incoming claim value and select the option to Permit access to users with this incoming claim.
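The two rules that Task 7 builds in the wizards, written out in the AD FS claim rule language and applied with the AD FS 2.0 cmdlets, as an added example that is not part of the lab manual. The trust names, group name and claim value are the lab's; the function name, the use of Get-ADGroup (ActiveDirectory module, available on NYC-DC1) to look up the group SID instead of typing it, and loading the cmdlets through the Microsoft.Adfs.PowerShell snap-in are assumptions. Seeing the rules as text makes the security-relevant detail visible: the group claim is matched on the group's SID as issued by AD AUTHORITY, and replacing the authorization rule set removes the default permit-everyone rule rather than adding to it.

```powershell
# Added example, not lab manual code: Task 7's claim rules as rule language plus cmdlets.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 cmdlets
Import-Module ActiveDirectory

function Set-ItAdminGroupRules {
    param(
        [string]$GroupName        = 'ITAdmins_ContosoGG',
        [string]$ClaimValue       = 'ITADMIN',
        [string]$RelyingPartyName = 'WIF Sample Claims App'
    )
    # The "Send Group Membership as a Claim" template matches the group by SID, not by name.
    $groupSid  = (Get-ADGroup -Identity $GroupName).SID.Value
    $groupType = 'http://schemas.xmlsoap.org/claims/Group'

    # Acceptance transform rule for the Active Directory claims provider trust (step 4).
    $sendGroupRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Send IT Admin Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$groupType", Value = "$ClaimValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

    # Issuance authorization rule for the relying party trust (step 8): only tokens that
    # carry Group=ITADMIN are permitted; everyone else is denied by the absence of a permit.
    $permitRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "$groupType", Value =~ "^(?i)$ClaimValue`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

    # Append the group rule to the existing acceptance rules (the LDAP rule from Task 2 stays).
    $cpt = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
    Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + $sendGroupRule)

    # Replace the authorization rules outright: this is what removing the default
    # "Permit Access to All Users" rule in step 6 and adding the new rule in step 8 amounts to.
    Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceAuthorizationRules $permitRule

    # Return the authorization rules now in force for review.
    (Get-ADFSRelyingPartyTrust -Name $RelyingPartyName).IssuanceAuthorizationRules
}

Set-ItAdminGroupRules
```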



Task 8: Verify restrictions and accessibility to the claims aware application
1. On 6426C-NYC-CL1, log on with user name CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer and attempt to access the sample application by entering the following URL: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, enter CONTOSO\Betsy with password Pa$$w0rd. You should be able to access the application.
4. Log off from the 6426C-NYC-CL1 virtual machine.
5. Now log on to the 6426C-NYC-CL1 virtual machine with user name CONTOSO\Aaron with password Pa$$w0rd.
6. Launch Internet Explorer and in the browser address bar type https://nyc-dc1.contoso.com/ContosoClaimApp.
7. You receive an Access Denied error. This is because CONTOSO\Aaron is not a member of the ITAdmins_ContosoGG group.

Results: After this exercise, you have configured a token-signing certificate and a claims provider trust for Contoso.com. You have also configured the sample application to trust incoming claims and configured a relying party trust and its associated claim rules. You have tested access to the sample WIF application in a single organization scenario, created further rules for the relying party trust, and verified the application access restrictions.



Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application
Scenario
You have now tested a single organization implementation of AD FS, but you are looking to extend that to a business-to-business scenario. Your organization is looking to access an application in the WoodgroveBank domain and you need to ensure that both organizations are configured to allow access.
The main tasks for this exercise are as follows:
1. Add a claims provider trust for NYC-DC1.Contoso.com on 6426C-MIA-DC1.
2. Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claims-aware application.
3. Verify access to Woodgrove Bank's claims-aware application by Contoso users.

Task 1: Add a claims provider trust for NYC-DC1.Contoso.com on 6426C-MIA-DC1
1. On the 6426C-MIA-DC1 virtual machine, log on with user name WOODGROVEBANK\Administrator using password Pa$$w0rd.
2. In the AD FS 2.0 Management console, go to Trust Relationships, go to Claims Provider Trusts and then choose to Add Claims Provider Trust.
3. Complete the Add Claims Provider Trust Wizard with the following settings:
   - Choose Import data about the claims provider published online or on a local network and enter https://nyc-dc1.contoso.com as the data source.
   - In Display Name enter nyc-dc1.contoso.com.
   - Complete the wizard.
4. In the Edit Claim Rules for nyc-dc1.contoso.com properties dialog, use the following values:
   - Add a Rule to the Acceptance Transform Rules.
   - Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
   - Use Pass through Windows account name rule as the claim rule name.
   - Choose Windows account name as the incoming claim type and then choose to Pass through all claim values.
   - Complete the rule.
5. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules. At the prompt, type the following command, and then press ENTER:
   Set-ADFSClaimsProviderTrust -TargetName nyc-dc1.contoso.com -SigningCertificateRevocationCheck None



Task 2: Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claim aware application
1. On the 6426C-NYC-DC1 virtual machine, log on with user name CONTOSO\Administrator using password Pa$$w0rd.
2. In the AD FS 2.0 Management console, open the Add Relying Party Trust Wizard and complete it with the following settings:
   - Choose to Import data about the relying party published online or on a local network and type in https://mia-dc1.woodgrovebank.com.
   - Specify a Display name of Woodgrove Bank Claim App B2B.
   - Choose to Permit all users to access this relying party.
   - Select the Open the Edit Claim Rules for Woodgrove Bank Claim App B2B when the wizard is complete check box.
3. In the Edit Claim Rules for Woodgrove Bank Claim App B2B properties dialog box, on the Issuance Transform Rules tab, click to add a rule with the following settings:
   - Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
   - In the Claim rule name box, type Pass through Windows account name rule.
   - Choose Windows account name in Incoming claim type.
   - Choose to Pass through all claim values.
   - Complete the wizard.

Task 3: Verify access to Woodgrove Bank's claim aware application by Contoso users
1. On the 6426C-NYC-CL1 virtual machine, log on with user name CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer and in the browser address bar type: https://mia-dc1.woodgrovebank.com/woodgrovebankclaimsapp
3. Choose NYC-DC1.Contoso.com on the home realm discovery page.
4. Use the credentials CONTOSO\Betsy with password Pa$$w0rd to view the page.
5. Close Internet Explorer and re-connect to the application using the same credentials as in the previous step. What is different this time?
6. Delete all cookies in the Internet Options General tab.
7. Connect to the application again using the same credentials as before and verify that you are able to access the application.

Results: After this exercise, you configured a claims provider trust for Contoso on Woodgrove Bank and a relying party trust for Woodgrove Bank on Contoso. Finally, you verified access to the Woodgrove Bank claim aware application.

Module 6
Lab Instructions: Deploying and Configuring Active Directory Rights Management Services
Contents:
Exercise 1: Installing and Configuring AD RMS ... 3
Exercise 2: Configuring AD RMS Templates ... 4
Exercise 3: Configuring AD RMS Trust Policies ... 6
Exercise 4: Testing AD RMS Functionality ... 7
Exercise 5: Generating AD RMS Reports ... 9


Lab: Deploying and Configuring Active Directory Rights Management Services

Objectives
After completing this lab, you will be able to:
- Install and configure AD RMS.
- Configure AD RMS templates.
- Configure AD RMS trust policies.
- Validate AD RMS functionality.
- Generate AD RMS reports.

Scenario
The Contoso management team wants to enable collaboration between Contoso and partners. Because the content that Contoso shares with partners is of a proprietary nature, management wants to ensure that only authorized individuals can access the content, even if it was obtained through unauthorized means. The infrastructure security team has decided that Active Directory Rights Management Services will be used to protect content. You have been directed to install and configure AD RMS in the Contoso environment to protect the content. In addition, users have requested a method to streamline the process of protecting content with AD RMS. When the AD RMS deployment is complete, you need to test basic functionality to ensure that the AD RMS configuration is functional.
In this lab, you use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.
- Start the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.


Exercise 1: Installing and Configuring AD RMS
The main tasks for this exercise are as follows:
1. Add a CNAME for the AD RMS cluster.
2. Install and configure AD RMS.

Task 1: Add a CNAME for the AD RMS cluster


On the 6426C-NYC-DC1 virtual machine, add a DNS CNAME record that points rms.contoso.com to NYC-SVR1.contoso.com.

Task 2: Install and configure AD RMS
1. On the 6426C-NYC-SVR1 virtual machine, use Server Manager to install the AD RMS server role by using the following information:
   - Add the required role services when prompted.
   - Create a new AD RMS cluster.
   - Utilize the Windows Internal Database.
   - Specify the service account by using the user name CONTOSO\adrms-svc and the password Pa$$w0rd.
   - Use the AD RMS centrally managed key storage by using a cluster key password of Pa$$w0rd.
   - On the Specify Cluster Address page, use an unencrypted connection and use rms.contoso.com as the fully qualified domain name. Use port 80 as the port.
   - For the Server Licensor Certificate name, type Contoso Pharmaceuticals RMS.
   - Configure the AD RMS service connection point to register during installation.
2. After the installation, log off from the 6426C-NYC-SVR1 virtual machine.

Results: After this exercise, you have installed the AD RMS server role and created a new AD RMS cluster.


Exercise 2: Configuring AD RMS Templates
The main tasks for this exercise are as follows:
1. Configure AD RMS rights policy templates.
2. Configure AD RMS rights policy template distribution for Windows 7 client computers.
3. Use the Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers.

Task 1: Configure AD RMS rights policy templates
1. Log on to the 6426C-NYC-SVR1 virtual machine by using the user name CONTOSO\Administrator and the password Pa$$w0rd.
2. In the Active Directory Rights Management Services console, enable the export of the rights policy templates and then specify the export location as \\NYC-DC1\templates.
3. Create a Distributed Rights Policy Template with the following details:
   - Name: Confidential Projects
   - Description: Contoso Pharmaceuticals IT Department
   - Users and rights: ITAdmins@Contoso.com: Edit rights; Anyone: View rights
4. Set the policy to expire after 14 days and finish the creation wizard.

Task 2: Configure AD RMS rights policy template distribution for Windows 7 client computers
1. Log on to the 6426C-NYC-CL1 virtual machine by using the user name CONTOSO\Betsy and the password Pa$$w0rd.
2. Start the Computer Management console as the Administrator with the password Pa$$w0rd.
3. Expand Task Scheduler and then browse to Active Directory Rights Management Services Client.
4. Enable the AD RMS Rights Policy Template Management (Automated) task and then Run the task.
   Note: If you are prompted for credentials, use the credentials that you are logged on with: user name CONTOSO\Betsy and password Pa$$w0rd.
5. Start Microsoft Word 2010, complete any startup wizards that appear, and then close the application.
6. Start the Registry Editor by using regedit.exe. In the Registry Editor, expand the HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common key.
7. Create a new registry key under Common called DRM (if DRM already exists, proceed to the next step).
8. Under DRM, create a new expandable string value and name it AdminTemplatePath.
9. Specify the value data for AdminTemplatePath as %LocalAppData%\Microsoft\DRM\Templates. If there are problems locating this path on the virtual machine, an alternate value is \\NYC-DC1\Templates.
10. Close the Registry Editor, and then log off from the 6426C-NYC-CL1 virtual machine.

Task 3: Use Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers
1. On the 6426C-NYC-DC1 virtual machine, open the Group Policy Management console.
2. Edit the Default Domain Policy Group Policy Object.
3. Add the \\NYC-DC1\Templates\office14.adm template to the Administrative Templates node.
4. In the Group Policy Management Editor, browse to User Configuration\Policies\Administrative Templates\Classic Administrative templates (ADM)\Microsoft Office 2010\Manage Restricted Permissions.
5. Enable the Specify Permission Policy Path option.
6. In the Enter path to policy templates for content permission box, type \\NYC-DC1\Templates and then click OK.

Results: After this exercise, you have configured an AD RMS template and set up template distribution for Windows 7 and Windows XP.


Exercise 3: Configuring AD RMS Trust Policies
The main tasks for this exercise are as follows:
1. Export the Trusted User Domains policy.
2. Export the Trusted Publishing Domains policy.
3. Import the Trusted User Domains policy from the WoodgroveBank domain.
4. Import the Trusted Publishing Domains policy from the WoodgroveBank domain.

Task 1: Export the Trusted User Domains policy
1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to export the contoso.com Trusted User Domain.
2. Save the output as c:\contoso.bin.

Task 2: Export the Trusted Publishing Domains policy
1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to export the contoso.com Trusted Publishing Domain.
2. Save the output as c:\contoso.xml.

Task 3: Import the Trusted User Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to import the WoodgroveBank Trusted User Domain.
2. Import the file from \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin.
3. Configure the Display name as WoodgroveBank Domain.

Task 4: Import the Trusted Publishing Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to import the WoodgroveBank Trusted Publishing Domain.
2. Import the file from \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml.
3. In the Display name field, type WoodgroveBank RMS and then type Pa$$w0rd as the password.

Results: After this exercise, you have exported the Contoso TUD and TPD and imported the Woodgrove Bank TUD and TPD.


Exercise 4: Testing AD RMS Functionality


The main tasks for this exercise are as follows:
1. Create a rights-protected document.
2. Open the rights-protected document as a non-authorized user.
3. Open and edit the rights-protected document as an authorized user.

Task 1: Create a rights-protected document


1. Log on to the 6426C-NYC-CL1 virtual machine as Betsy.
2. Start Microsoft Word 2010.
3. Create a protected document by using the Confidential Projects rights policy template.
   Note: If you are prompted for credentials, use the credentials that you are logged on with: CONTOSO\Betsy with the password Pa$$w0rd.
4. In the document body, type This is a protected document.
5. Save the document as \\NYC-DC1\templates\Protected.docx.
6. Close Microsoft Word 2010, and then log off.

Note: In this test environment, AD RMS identifies a user by the e-mail address on the user's AD DS account. A user account that has no e-mail address assigned cannot use the AD RMS functionality.

Task 2: Open the rights-protected document as a non-authorized user


1. Log on to the 6426C-NYC-CL1 virtual machine as Aaron.
   Note: Aaron is not a member of the ITAdmins group and should only have view access to the document.
2. Start Microsoft Word 2010.
3. Open the \\NYC-DC1\templates\Protected.docx document.
   Note: If you are prompted for credentials, use the credentials that you are logged on with: CONTOSO\Aaron with the password Pa$$w0rd.
4. Verify the permissions that are allowed for the document.
5. Close Microsoft Word 2010, and then log off.


Task 3: Open and edit the rights-protected document as an authorized user


1. Log on to the 6426C-NYC-CL1 virtual machine as Axel.
   Note: Axel is a member of the IT Admins group and should have editing access to the document.
2. Start Microsoft Word 2010.
3. Open the \\NYC-DC1\templates\Protected.docx document.
   Note: If you are prompted for credentials, use the credentials that you are logged on with: CONTOSO\Axel with the password Pa$$w0rd.
4. Verify the permissions that are allowed for the document.
5. Type Edited successfully by Axel on a new line.
6. Save the document.
7. Close Microsoft Word 2010, and then log off.

Results: After this exercise, you have successfully tested functionality of AD RMS from a client computer.


Exercise 5: Generating AD RMS Reports


During this exercise, you prepare the environment for AD RMS reporting and view several built-in AD RMS reports. The main tasks for this exercise are as follows:
1. Install Microsoft Report Viewer.
2. View AD RMS Statistics reports.
3. View the AD RMS System Health report.
4. View the AD RMS Troubleshooting report.

Task 1: Install Microsoft Report Viewer


1. On the 6426C-NYC-SVR1 virtual machine, browse to \\NYC-DC1\x$\Labfiles\Mod06\ and then double-click ReportViewer.exe to install Microsoft Report Viewer.
2. Complete the installation wizard using the default options.

Task 2: View AD RMS Statistics reports


1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view Statistics Reports.
2. View the statistics in the main window.
3. Close the AD RMS console window.

Task 3: View AD RMS System Health report


1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view the System Health report.
2. In the Actions pane, click View Report.
3. Specify the query start and end dates when prompted, and then click Finish.

Task 4: View AD RMS Troubleshooting report


1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view the Troubleshooting report.
2. In the Actions pane, click View Report.
3. Specify the query start and end dates when prompted, enter CONTOSO\Aaron for User Name, and then click Finish.
4. In addition, view the Troubleshooting report for CONTOSO\Betsy and CONTOSO\Axel.

Results: After this exercise, you have installed the Microsoft Report Viewer and viewed the Statistics report, System Health report and the AD RMS Troubleshooting report.

Module 7
Lab Instructions: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Contents:
Exercise 1: Configuring CA Event Auditing
Exercise 2: Backing Up Active Directory Certificate Services
Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
Exercise 4: Configuring AD RMS Logging


Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions

Objectives
After completing the lab, you will be able to:
- Configure CA event auditing.
- Back up Active Directory Certificate Services.
- Back up and restore an Active Directory Lightweight Directory Services instance.
- Configure AD RMS logging.

Scenario
You have completed the deployment and configuration of the additional Identity and Access Solutions at Woodgrove Bank. As part of the ongoing maintenance of these services, you need to monitor, back up, and restore AD CS, AD LDS, and AD RMS. You need to configure CA event auditing and schedule an ongoing backup of the AD CS component. You also need to test your AD LDS backup and restore procedures. In addition, Management has asked you to generate some AD RMS reports on a regular basis. You need to prepare the environment for reporting and view some built-in AD RMS reports. Finally, complete the AD RMS maintenance tasks by enabling AD RMS logging.

In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-MIA-DC1 virtual machine.
- Start the 6426C-MIA-DC1 virtual machine, and log on using the user name WOODGROVEBANK\Administrator and the password Pa$$w0rd.


Exercise 1: Configuring CA Event Auditing


During this exercise, you configure CA event auditing. The main tasks for this exercise are as follows:
1. Enable the auditing of object access.
2. Enable CA auditing.

Task 1: Enable the auditing of object access


1. On the 6426C-MIA-DC1 virtual machine, modify the Default Domain Controllers Policy to enable Audit object access auditing for Success and Failure events.
2. Open a command prompt window and run gpupdate /force.

Task 2: Enable CA auditing


1. On the 6426C-MIA-DC1 virtual machine, use the Certification Authority snap-in to enable auditing of all CA events.
2. Restart the AD CS service.

Results: After this exercise, you have enabled auditing of object access and enabled CA auditing.
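The following script is an added example and is not part of the 6426C lab or its answer key. It applies the same two settings from an elevated PowerShell prompt on the CA and, unlike the console, shows what "all CA events" actually sets: the CA audit filter is a registry bitmask, and the Auditing tab in the Certification Authority snap-in is just a front end for it. The event ID range used in the final check is the Certification Services range of the Security log as shipped with Windows Server 2008 R2. Keep the Group Policy change from Task 1 in place: a local auditpol change on a domain controller is re-evaluated at the next policy refresh, so the domain setting is the one that has to carry the subcategory.

```powershell
# Added example (not part of the 6426C lab): enable CA auditing from the
# command line on the CA (run elevated on 6426C-MIA-DC1) and verify it.

# 1. Enable the "Certification Services" audit subcategory for success and
#    failure. The lab's "Audit object access" policy turns on every object
#    access subcategory; auditpol lets you confirm that this one is among them.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. Set the CA audit filter. The value is a bitmask of the seven categories
#    listed on the Auditing tab of the CA properties:
#      1  Start and stop Active Directory Certificate Services
#      2  Back up and restore the CA database
#      4  Issue and manage certificate requests
#      8  Revoke certificates and publish CRLs
#     16  Change CA security settings
#     32  Store and retrieve archived keys
#     64  Change CA configuration
#    127 = all seven, which is what "enable auditing of all CA events" means.
certutil -setreg CA\AuditFilter 127

# 3. The filter is read when the service starts, so restart AD CS.
net stop certsvc
net start certsvc

# 4. Verify. The value reads back as 0x7f (127), and the restart itself has
#    already produced a "stopped" (4881) / "started" (4880) pair in the
#    Security log, so the query should not come back empty.
certutil -getreg CA\AuditFilter
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4868..4898 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the Get-WinEvent call returns nothing after the restart, the audit subcategory is not enabled on this computer, whatever the CA filter says; run auditpol /get /subcategory:"Certification Services" to see which side is missing.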


Exercise 2: Backing Up Active Directory Certificate Services


During this exercise, you schedule an ongoing backup of the AD CS component. The main task for this exercise is as follows:
1. Schedule a task to perform a CA backup.

Task 1: Schedule a task to perform CA backup


1. On the 6426C-MIA-DC1 virtual machine, use Task Scheduler to create a new task with the following parameters:
   - Name: CA Backup
   - User account to run the task: WOODGROVEBANK\Backup
   - User password: Pa$$w0rd
   - Options: Run whether user is logged on or not; Run with highest privileges
   - Trigger: Daily (set the time to run within five minutes from now)
   - Action: Program/script: certutil
   - Add arguments (optional): -backup -p Pa$$w0rd C:\CAbackup
2. Wait for the task to start, and then complete the backup.
3. Confirm that the backup has completed successfully by viewing the content of the C:\CAbackup folder and checking the task status.

Results: After this exercise, you have scheduled a task to perform a daily AD CS (CA) backup.
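The following script is an added example and is not part of the 6426C lab or its answer key. It wraps the same certutil -backup call in a script that a scheduled task can run every day, and it addresses two things the one-line task in the lab leaves open. First, certutil -backup will not write into a folder that already contains a backup, so a task that always targets C:\CAbackup succeeds once and then fails; the script uses a dated subfolder per run. Second, the -p password protects the exported CA private key (the .p12 file), and putting it in the task's argument string exposes it to anyone who can read the task definition (schtasks /Query /V shows it); the script reads it from a file instead. The script path and the password file path are assumptions for this example.

```powershell
# Added example (not part of the 6426C lab): daily CA backup script for the
# "CA Backup" scheduled task on 6426C-MIA-DC1. Assumed location:
# C:\CAbackup\Backup-CA.ps1. Register it once, by hand, with:
#   schtasks /Create /TN "CA Backup" /SC DAILY /ST 02:00 /RL HIGHEST `
#     /RU WOODGROVEBANK\Backup /RP * `
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\CAbackup\Backup-CA.ps1"
# (/RP * prompts for the account password instead of putting it on the command line.)
param(
    [string]$Root = 'C:\CAbackup',
    # File holding the password that protects the exported CA key (.p12).
    # Assumed path; ACL it so that only the backup account can read it.
    [string]$PasswordFile = 'C:\CAbackup\.p12pass'
)

$ErrorActionPreference = 'Stop'

# One dated subfolder per run: certutil -backup refuses a folder that already
# holds a backup unless you pass -f, which would silently overwrite it.
$target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target | Out-Null

$pw = (Get-Content -Path $PasswordFile -TotalCount 1).Trim()

# -backup exports the CA certificate and private key (<CA name>.p12 in $target)
# and the database with its logs (in $target\DataBase). If the key should be
# exported less often than the database, use -backupkey and -backupdb separately.
& certutil.exe -backup -p $pw $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Verify that both pieces a later certutil -restore needs are present.
$p12 = @(Get-ChildItem -Path $target -Filter '*.p12')
$edb = @(Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb')
if ($p12.Count -eq 0 -or $edb.Count -eq 0) {
    throw "Backup in $target is incomplete (p12 files: $($p12.Count), edb files: $($edb.Count))"
}
Write-Output "CA backup completed: $target"
```

The task status in Task Scheduler only tells you that the process exited; the throw statements make a failed or partial backup exit non-zero so that the status reflects it, which is the check the lab's step 3 asks you to perform by hand.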


Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
During this exercise, you test your AD LDS backup and restore procedures. The main tasks for this exercise are as follows:
1. Back up the AD LDS instance.
2. Restore the AD LDS instance from backup.

Task 1: Use dsdbutil to back up the test1 AD LDS instance


1. On the 6426C-MIA-DC1 virtual machine, create a folder named backup in the root of C:\.
2. Activate the test1 instance.
3. Go to the ifm prompt, and then use the create full command to create a full backup of AD LDS in the c:\backup\test1 folder.

Task 2: Use dsdbutil to restore the test1 AD LDS instance backup


1. On the 6426C-MIA-DC1 virtual machine, stop the AD LDS test1 instance.
2. Use xcopy to copy the .dit file from the backup folder to the default location of the AD LDS .dit file. Ensure that you use the xcopy switch that copies ownership and ACL information (/O).
3. Start the AD LDS test1 instance.

Results: After this exercise, you have performed a backup of the AD LDS test1 instance and performed a restore of the AD LDS test1 instance using the backup file.
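The following script is an added example and is not part of the 6426C lab or its answer key. It performs the two tasks of this exercise non-interactively: dsdbutil accepts its commands as arguments, so the interactive session collapses to one call, and the restore stops the instance's service, copies the database with its ownership and ACL, and starts it again. The instance name, the backup folder and the service name follow the lab; the data directory is the default AD LDS path, which is an assumption (check the instance's data files location if it was installed elsewhere). Copying the .dit back is the right procedure for a single instance such as the lab's; if the instance replicated with others in a configuration set you would use a restore procedure that keeps replication metadata consistent rather than a file copy.

```powershell
# Added example (not part of the 6426C lab): AD LDS backup and restore for
# the test1 instance on 6426C-MIA-DC1, run elevated.
$instance  = 'test1'
$backupDir = 'C:\backup\test1'
# Default AD LDS data directory (assumed; verify for your instance).
$dataDir   = Join-Path $env:ProgramFiles "Microsoft ADAM\$instance\data"
# AD LDS instances run as a service named ADAM_<instance name>.
$service   = "ADAM_$instance"

function Backup-AdLdsInstance {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    # Same commands as the interactive session: activate instance, ifm,
    # create full <folder>, then quit out of both prompts.
    & dsdbutil.exe "activate instance $instance" "ifm" "create full $backupDir" "quit" "quit"
    if ($LASTEXITCODE -ne 0) { throw "dsdbutil ifm failed with exit code $LASTEXITCODE" }
    $dit = Join-Path $backupDir 'adamntds.dit'
    if (-not (Test-Path $dit)) { throw "No adamntds.dit was written to $backupDir" }
    Get-Item $dit
}

function Restore-AdLdsInstance {
    # The database can only be replaced while the instance is stopped.
    Stop-Service -Name $service
    # /O copies owner and ACL, /X additionally copies audit settings, /Y
    # suppresses the overwrite prompt. Without /O the restored file would
    # inherit the folder's ACL, which can leave the service unable to open it.
    & xcopy.exe (Join-Path $backupDir 'adamntds.dit') "$dataDir\" /O /X /Y
    if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }
    Start-Service -Name $service
    # Report the service state so a caller can confirm the instance came back.
    (Get-Service -Name $service).Status
}

Backup-AdLdsInstance
Restore-AdLdsInstance
```

Run Backup-AdLdsInstance on its own first and check that it returns the adamntds.dit file; only then is there something for Restore-AdLdsInstance to copy back.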


Exercise 4: Configuring AD RMS Logging


During this exercise, you finish your AD RMS maintenance tasks by enabling AD RMS logging. The main tasks for this exercise are as follows:
1. Enable logging for the cluster.
2. Limit disk space usage for message queuing.

Task 1: Enable logging for the cluster

On the 6426C-MIA-DC1 virtual machine, use the AD RMS console window to enable logging.

Task 2: Limit disk space usage for message queuing


1. On the 6426C-MIA-DC1 virtual machine, use Server Manager to access private queues.
2. Expand Features, expand Message Queuing, expand Private queues, and then set the Limit message storage to (KB) to 1024000.
3. Log off the 6426C-MIA-DC1 virtual machine.

Note: Message Queuing stores all queued messages up to the limit of the free storage space. If all of the available disk space is used, the AD RMS server is not able to service any client requests.

Results: After this exercise, you have enabled AD RMS logging and configured a limit for the message queuing storage space.

Module 1
Lab Answer Key: Exploring Identity and Access Solutions
Contents:
Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions


Lab: Identifying IDA Roles to Meet Business Requirements


Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
Task 1: Identify business requirements
Question: What are the business requirements for Contoso Pharmaceuticals?

Answer: The business requirements for Contoso Pharmaceuticals are as follows:
- Ensure that Contoso's IT infrastructure can be protected by using certificate authentication.
- Protect Microsoft Office documents from being read by unauthorized people.
- Enable Tailspin Toys employees to access Contoso's claims-based web application using their existing user credentials.
- Give developers the ability to manage their own directory services for development.
- Synchronize the HR database with the Active Directory database so that the information in the databases is consistent.

Task 2: Determine server roles and solutions required to meet the business requirements
Question 1: Which server role is required for certificate authentication?

Answer 1: Active Directory Certificate Services (AD CS) provides the PKI that enables certificate distribution and is the foundation for certificate authentication. An enterprise CA requires AD DS as its foundation; a standalone CA, such as the offline root deployed in Module 2, does not.

Question 2: Which server role is required for protecting confidential Microsoft Office documents?

Answer 2: Active Directory Rights Management Services (AD RMS) protects Microsoft Office documents and e-mail messages using templates and policies. AD RMS requires a digital certificate and would typically use AD CS or a trusted third-party certificate provider for the AD RMS certificate.

Question 3: Which server role is required to allow Tailspin Toys access to Contoso's claims-aware web application?

Answer 3: Active Directory Federation Services (AD FS) will allow Tailspin Toys access to the claims-aware web application. An alternative method, although not discussed in the module, is an AD DS forest trust. AD FS is the preferred choice where feasible, because an AD DS forest trust requires more administrative overhead and has additional security implications.

Question 4: Which server role can be used to give developers more efficient directory services capabilities?

Answer 4: Active Directory Lightweight Directory Services (AD LDS) allows developers to run directory services on their development workstations or servers without the overhead of AD DS. AD LDS is quick and simple to deploy and can run multiple instances on a single computer.

Question 5: Which solution would you use to synchronize the HR database with the Active Directory database?


Answer 5: Forefront Identity Manager (FIM) 2010 offers directory synchronization as one of its many IDA functions. The synchronization is typically scheduled on a repetitive basis (once an hour or once a day are common configurations).

Question 6: Which technology would allow developers to externalize identity logic from their applications?

Answer 6: Windows Identity Foundation. Externalizing identity logic is the direction the industry is moving in: imagine an Internet on which a single, standard form of authentication (a smart card or a user name and password) gets you into any site, as is already the case for sites that accept Windows Live authentication.

Module 2
Lab Answer Key: Deploying and Configuring Active Directory Certificate Services
Contents:
Exercise 1: Deploying a Standalone Root CA
Exercise 2: Deploying an Enterprise Subordinate CA


Lab: Deploying and Configuring Active Directory Certificate Services


Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must: Apply the StartingImage snapshot for the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines.

Exercise 1: Deploying a Standalone Root CA


Task 1: Install the AD CS server role and configure it as a stand-alone root Certificate
Authority (CA)
1. Start the 6426C-NYC-DC1 virtual machine, and then start the 6426C-NYC-SVR1 virtual machine.
2. Log on to both computers as CONTOSO\Administrator with the password Pa$$w0rd.
3. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager. The Server Manager console appears.
4. In the Server Manager console pane, right-click Roles, and then click Add Roles. The Add Roles Wizard appears.
5. On the Before You Begin page, click Next.
6. On the Select Server Roles page, under Roles, select the Active Directory Certificate Services check box, and then click Next.
7. On the Introduction to Active Directory Certificate Services page, click Next.
8. On the Select Role Services page, ensure that the Certification Authority check box is selected, and then click Next.
9. On the Specify Setup Type page, select Standalone, and then click Next.
10. On the Specify CA Type page, ensure that Root CA is selected, and then click Next.
11. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
12. On the Configure Cryptography for CA page, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, but set the Key character length to 4096. Click Next to continue.
13. On the Configure CA Name page, in the Common name for this CA box, type ContosoCA, and then click Next.
14. On the Set Validity Period page, click Next.
15. On the Configure Certificate Database page, click Next.
16. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
17. On the Installation Results page, click Close.
18. Close the Server Manager console.


Exercise 2: Deploying an Enterprise Subordinate CA


Task 1: Install an enterprise subordinate CA
1. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager. The Server Manager console appears.
2. In the Server Manager console pane, right-click Roles, and then click Add Roles. The Add Roles Wizard appears.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, ensure that the Certification Authority check box is selected, and then select the Certification Authority Web Enrollment check box. The Add Roles Wizard dialog box appears.
7. In the Add Roles Wizard dialog box, click Add Required Role Services. When the Select Role Services page is available again, click Next.
8. On the Specify Setup Type page, ensure that Enterprise is selected, and then click Next.
9. On the Specify CA Type page, ensure that Subordinate CA is selected, and then click Next.
10. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
11. On the Configure Cryptography For CA page, keep the default selections for CSP and Hash Algorithm. Keep the Key character length at 2048, and then click Next.
12. On the Configure CA Name page, in the Common name for this CA box, type ContosoIssuingCA, and then click Next.
13. On the Request Certificate from a Parent CA page, keep the default selection Send a certificate request to a parent CA, and then click Browse. The Select Certification Authority dialog box appears.
14. In the Select Certification Authority dialog box, click ContosoCA, and then click OK. When the Request Certificate From a Parent CA page is available again, click Next.
15. On the Configure Certificate Database page, click Next.
16. On the Web Server (IIS) page, click Next.
17. On the Select Role Services page, click Next.
18. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
19. On the Installation Results page, click Close. You will receive a warning message indicating that the AD CS installation is incomplete. The step that completes the AD CS installation is performed in Task 2.
20. Close the Server Manager console.


Task 2: Issue and install the subordinate certificate


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority. The certsrv - [Certification Authority (Local)] console appears.
2. In the certsrv - [Certification Authority (Local)] pane, expand ContosoCA, and then click Pending Requests.
3. In the Details pane, right-click the pending request, point to All Tasks, and then click Issue.
4. To install the subordinate certificate that has been issued, on the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority. The certsrv - [Certification Authority (Local)] console appears.
5. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, point to All Tasks, and then click Install CA Certificate. The Select file to complete CA installation dialog box appears.
6. In the Select file to complete CA installation dialog box, click Cancel. The CA Certificate Request dialog box appears.
7. In the CA Certificate Request dialog box, click OK. This sends an online request to the parent CA.
8. After a few moments, the Microsoft Active Directory Certificate Services dialog box appears. Click OK to trust the root certificate. The certsrv - [Certification Authority (Local)] console should now be available again.
9. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, point to All Tasks, and then click Start Service.
10. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, and then click Properties. The ContosoIssuingCA Properties dialog box appears.
11. In the ContosoIssuingCA Properties dialog box, on the General tab, click View Certificate. The Certificate dialog box appears.
12. In the Certificate dialog box, notice that ContosoCA issued the certificate to ContosoIssuingCA. Click OK twice.
13. Close the certsrv - [Certification Authority (Local)] console.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. Shut down 6426C-NYC-DC1 and 6426C-NYC-SVR1.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1.

Module 3
Lab Answer Key: Deploying and Configuring Certificates
Contents:
Exercise 1: Configuring Certificate Templates
Exercise 2: Configuring Autoenrollment
Exercise 3: Managing Certificate Revocation
Exercise 4: Configuring Key Recovery


Lab: Deploying Certificates and Managing Enrollment


Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must: Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.

Exercise 1: Configuring Certificate Templates


Task 1: Duplicate, install, and manually enroll a certificate
1. Start the 6426C-NYC-DC1-B virtual machine, and then start the 6426C-NYC-SVR1-B virtual machine.
2. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator with the password Pa$$w0rd.
3. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
4. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
5. In the Details pane, right-click the User certificate template, and then click Duplicate Template.
6. In the Duplicate Template dialog box, select Windows Server 2008 Enterprise, and then click OK.
7. In the Properties of New Template dialog box, in the Template display name box, type Local User.
8. On the Subject Name tab, clear the Include e-mail name in subject name and the E-mail name check boxes.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select Allow for the Enroll check box, and then click OK.
10. Close the Certificate Templates console.

Task 2: Configure the template to be issued by the CA


1. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Local User template, and then click OK.
3. Close the Certification Authority console.

Task 3: Verify that the certificate is updated


1. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node, and then right-click Personal.
6. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
7. On the Before You Begin page, click Next.
8. On the Certificate Enrollment page, click Next.
9. On the Request Certificates page, select the Local User check box. Click Enroll, and then click Finish.
10. Right-click Certificates - Current User, and then click Refresh. View the Local User certificate in the Personal store.

Task 4: Create, duplicate, and supersede the Local User template with a new template
that includes smart card logon
1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
3. In the Details pane, right-click the User certificate template, and then click Duplicate Template.
4. In the Duplicate Template dialog box, select Windows Server 2008 Enterprise, and then click OK.
5. In the Properties of New Template dialog box, type Contoso Smart Card User in the Template display name box.
6. On the Subject Name tab, clear the Include e-mail name in subject name and the E-mail name check boxes.
7. On the Extensions tab, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click Add.
9. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
10. Click the Superseded Templates tab, and then click Add.
11. Click the Local User template, and then click OK.
12. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select Allow for the Read, Enroll, and Autoenroll check boxes, and then click OK.
13. Close the Certificate Templates console.

Task 5: Configure the new template to be issued by the CA


1. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Contoso Smart Card User template, and then click OK.
3. Close the Console1-[Console Root] console and do not save changes. Close all open windows, and then log off from the 6426C-NYC-SVR1-B virtual machine. You will verify that the certificate is updated in the next exercise.


Exercise 2: Configure Autoenrollment


Task 1: Configure the Contoso Smart Card User certificate template for autoenrollment
1. Log on to the 6426C-NYC-SVR1-B virtual machine as CONTOSO\Administrator with the password Pa$$w0rd.
2. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificate Templates, and then click Add. Click OK to close the Add or Remove Snap-ins window.
5. Click to highlight Certificate Templates. In the right pane, right-click the Contoso Smart Card User template, and then select Properties.
6. On the General tab, verify that the Publish certificate in Active Directory option is selected.
7. Click OK to close the certificate template properties window. Then, close the Console1-[Console Root] console and do not save changes.

Task 2: Configure the Default Domain Policy for autoenrollment


1. Log on to the 6426C-NYC-DC1-B virtual machine as CONTOSO\Administrator with the password Pa$$w0rd.
2. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and then click Group Policy Management.
3. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and then select Edit.
4. Expand User Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click to highlight Public Key Policies.
5. In the right pane, double-click Certificate Services Client - Auto-Enrollment.
6. In the Configuration Model drop-down box, choose Enabled.
7. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option.
8. Select the Update certificates that use certificate templates option.
9. Select the Expiration notification option and keep the default value of 10%.
10. Click OK to close the properties window.
11. In the right pane, double-click the Certificate Services Client - Certificate Enrollment Policy object.
12. On the Enrollment Policy tab, set the Configuration Model to Enabled and ensure that the certificate enrollment policy list shows the Active Directory Enrollment Policy (it should have a check mark next to it and a status of Enabled).
13. Click OK to close the window, and then close the Group Policy Management Editor and the Group Policy Management snap-in.


Task 3: Validate autoenrollment functionality from 6426C-NYC-SVR1-B


1. Start the 6426C-NYC-SVR1-B virtual machine (if 6426C-NYC-SVR1-B is already running, restart it).
2. Log on to the 6426C-NYC-SVR1-B virtual machine as CONTOSO\Administrator with the password Pa$$w0rd.
3. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
4. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
7. Expand the Certificates - Current User node, expand the Personal node, and then click Certificates.
8. Examine the client authentication certificate issued to the administrator. Ensure that the certificate is based on the Contoso Smart Card User template; that is, scroll across the certificate properties in the Details pane to confirm that the template the certificate is based on is Contoso Smart Card User.
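The following script is an added example and is not part of the 6426C lab or its answer key. It does the same validation from a PowerShell prompt on 6426C-NYC-SVR1-B, as the user who should have autoenrolled, without waiting for a restart: certutil -pulse asks the autoenrollment task to run now, and the script then reads the template information from each certificate in the user's Personal store. The template name travels in the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) on certificates from version 2 and later templates; version 1 templates use the older Certificate Template Name extension (1.3.6.1.4.1.311.20.2), so both are checked. Because the Contoso Smart Card User template supersedes Local User, autoenrollment archives the Local User certificate, which is why it no longer shows in the listing.

```powershell
# Added example (not part of the 6426C lab): trigger user autoenrollment and
# verify the template and EKU of what landed in the Personal store.

# Run the user autoenrollment task now rather than at the next logon or
# policy refresh.
certutil -user -pulse
Start-Sleep -Seconds 10

function Get-CertTemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2+ templates: Certificate Template Information; v1 templates: Certificate Template Name.
    $oids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
    $ext = $Cert.Extensions | Where-Object { $oids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '(no template extension)' }
}

function Test-SmartCardLogonEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Smart Card Logon is application policy OID 1.3.6.1.4.1.311.20.2.2.
    [bool]($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.20.2.2' })
}

# Archived (superseded) certificates are hidden from this listing, so after
# autoenrollment only the Contoso Smart Card User certificate should appear.
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object Subject, NotAfter,
        @{ Name = 'Template';       Expression = { Get-CertTemplateInfo $_ } },
        @{ Name = 'SmartCardLogon'; Expression = { Test-SmartCardLogonEku $_ } } |
    Format-Table -AutoSize -Wrap
```

If the listing still shows only the Local User certificate, check that the user's Group Policy actually refreshed (gpresult /r lists the applied policy) before suspecting the template permissions.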


Exercise 3: Managing Certificate Revocation


Task 1: Examine the default CRL distribution points (CDPs) and configure the CRL
publication interval
1. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator with the password Pa$$w0rd.
2. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
3. In the Certification Authority console, right-click ContosoCA, and then click Properties.
4. In the ContosoCA Properties dialog box, on the Extensions tab, examine the default CDPs, and then click Cancel to close the dialog box.
5. Expand the ContosoCA node, right-click the Revoked Certificates folder, and then click Properties.
6. In the Revoked Certificates Properties dialog box, in the CRL publication interval list, click Months.
7. In the CRL publication interval box, type 1.
8. Still in the Revoked Certificates Properties dialog box, in the Publish Delta CRLs section, enter a Publication interval of 3 Days, and then click OK.
9. Minimize the Certification Authority console.

Task 2: Install the Online Responder component on a Web server


1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager console, click Roles.
3. In the Details pane, in the Active Directory Certificate Services section, click Add Role Services. This launches the Add Role Services Wizard.
4. On the Select Role Services page of the Add Role Services Wizard, select the Online Responder check box.
5. Click Add Required Role Services, and then click Next until the Confirmation page appears.
6. Click Install.
7. After the installation is completed, close the wizard, and then close Server Manager.

Task 3: Configure the CA to include the Online Responder location in the Authority
Information Access (AIA)
1. 2. 3. 4. Restore the Certification Authority console. Right-click ContosoCA, and then click Properties. In the ContosoCA Properties dialog box, on the Extensions tab, in the Select extension list, select Authority Information Access (AIA), and then click Add. In the Add Location dialog box, in the Location box, type http://NYC-SVR1/ocsp, and click OK.


5. Select the Include in the AIA extension of issued certificates check box.
6. Select the Include in the online certificate status protocol (OCSP) extension check box, and then click OK.
7. In the Certificate Authority box, restart Active Directory Certificate Services by clicking Yes.
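The CRL intervals from Task 1 and the OCSP AIA entry from Task 3 can also be applied without the console. The following PowerShell is an added example and not part of the lab: it writes the same CA configuration values the console writes (under the CertSvc registry key) and assumes it runs in an elevated session on NYC-SVR1 with the lab's CA name and Online Responder URL.

```powershell
# Added example, not part of the lab. Applies the Task 1 CRL publication intervals and the
# Task 3 OCSP AIA entry to the CA configuration, then restarts AD CS so they take effect.
function Set-CaRevocationPublishing {
    param(
        [string]$CaName  = 'ContosoCA',            # CA name from the lab
        [string]$OcspUrl = 'http://NYC-SVR1/ocsp'  # Online Responder URL from Task 3
    )
    $cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    if (-not (Test-Path $cfg)) { throw "CA configuration key not found: $cfg" }

    # Task 1: base CRL every 1 month, delta CRL every 3 days. The period is a REG_SZ unit
    # name ('Days', 'Weeks', 'Months', ...); the count is a REG_DWORD.
    Set-ItemProperty -Path $cfg -Name CRLPeriod           -Value 'Months' -Type String
    Set-ItemProperty -Path $cfg -Name CRLPeriodUnits      -Value 1        -Type DWord
    Set-ItemProperty -Path $cfg -Name CRLDeltaPeriod      -Value 'Days'   -Type String
    Set-ItemProperty -Path $cfg -Name CRLDeltaPeriodUnits -Value 3        -Type DWord

    # Task 3: CACertPublicationURLs is a REG_MULTI_SZ of "<flags>:<url>" entries.
    # The flags are a bit mask; the two check boxes the lab selects correspond to:
    #   2  = include in the AIA extension of issued certificates
    #   32 = include in the online certificate status protocol (OCSP) extension
    $entry = "34:$OcspUrl"    # 2 + 32
    $urls = @((Get-ItemProperty -Path $cfg -Name CACertPublicationURLs).CACertPublicationURLs)
    if ($urls -notcontains $entry) {
        # Replace any earlier entry for the same URL that carries different flags.
        $urls = @($urls | Where-Object { ($_ -split ':', 2)[1] -ne $OcspUrl }) + $entry
        Set-ItemProperty -Path $cfg -Name CACertPublicationURLs -Value $urls -Type MultiString
    }

    # The CA reads its configuration at start-up; this is the console's restart prompt.
    Restart-Service -Name CertSvc
}

# Read back the values the CA will use (the same ones certutil -getreg CA\... shows).
function Get-CaRevocationPublishing {
    param([string]$CaName = 'ContosoCA')
    $cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $p = Get-ItemProperty -Path $cfg
    New-Object PSObject -Property @{
        BaseCrl  = "$($p.CRLPeriodUnits) $($p.CRLPeriod)"
        DeltaCrl = "$($p.CRLDeltaPeriodUnits) $($p.CRLDeltaPeriod)"
        OcspAia  = @($p.CACertPublicationURLs | Where-Object { $_ -match '^\d+:http://.*ocsp' })
    }
}

Set-CaRevocationPublishing
Get-CaRevocationPublishing
# To confirm that clients can actually reach every CDP, AIA and OCSP URL an issued
# certificate carries, run:  certutil -verify -urlfetch <path-to-issued-certificate.cer>
```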

Task 4: Issue the OCSP Response Signing template


1. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
2. In the Certificate Templates console, double-click the OCSP Response Signing template.
3. In the OCSP Response Signing Properties dialog box, click the Security tab, under Permissions for Authenticated Users, select the Allow check box for Enroll, and then click OK.
4. Close the Certificate Templates console.
5. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
6. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and then click OK.
7. Minimize the Certification Authority console.

Task 5: Configure the Online Responder


1. Click Start, point to Administrative Tools, and then click Online Responder Management.
2. In the Online Responder Management console, right-click Revocation Configuration, and then click Add Revocation Configuration.
3. In the Add Revocation Configuration Wizard, click Next.
4. On the Name the Revocation Configuration page, in the Name box, type ContosoCA Online Responder, and click Next.
5. On the Select CA Certificate Location page of the wizard, click Next.
6. On the Choose CA Certificate page, click Browse, click the ContosoCA certificate, click OK, and then click Next.
7. On the Select Signing Certificate page, click Next.
8. On the Revocation Provider page, click Finish. The revocation configuration status will appear as Working.
9. Close the Online Responder console.


Task 6: Revoke a certificate


1. Restore the Certification Authority console.
2. Expand ContosoCA, and click Issued Certificates.
3. Locate and right-click the Contoso Smart Card User certificate that was issued in the previous exercise. It will have a Requester Name of Contoso\Administrator, today's date, and a time close to when the previous exercise was completed.
4. Point to All Tasks, and then click Revoke Certificate.
5. In the Certificate Revocation dialog box, in the Reason code list, select Change of Affiliation, and then click Yes.
6. Click the Revoked Certificates folder, and then ensure that the revoked certificate is visible.

Task 7: Publish the CRL


1. In the Certification Authority console, right-click the Revoked Certificates folder.
2. Point to All Tasks, and click Publish.
3. In the Publish CRL dialog box, select New CRL, and then click OK.

Task 8: Ensure that the CRL is downloaded


1. Click Start. In the Search box, type MMC, and then press ENTER.
2. Click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates Snap-in dialog box, click My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node.
6. Expand the Intermediate Certification Authorities node, and then click Certificate Revocation List. Notice there are CRLs from ContosoCA.
7. Double-click one of the ContosoCA lists, and then click the Revocation List tab in the Certificate Revocation List dialog box.
8. In the Revoked certificates section, click the certificate serial number that is displayed. Also note the revocation date and time. Notice that this is the certificate revoked previously.
9. Click OK to close the Certificate Revocation List dialog box, and then close the Console1 window without saving changes to the console.


Exercise 4: Configuring Key Recovery


Task 1: Remove the requirement for CA Manager approval and verify who can enroll the Key Recovery Agent (KRA) certificate
1. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click Certification Authority.
3. In the Certification Authority console, expand the ContosoCA node, right-click the Certificate Templates folder, and then click Manage.
4. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties.
5. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab.
6. Clear the CA certificate manager approval check box.
7. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only groups that have the Enroll permission, and then click OK.
8. Close the Certificate Templates console.

Task 2: Configure the Contoso CA to issue KRA certificates


1. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then click OK.
3. Close the Certification Authority console.

Task 3: Acquire the KRA certificate


1. Click Start. In the Search box, type MMC, and then press ENTER. The Console1-[Console Root] console appears.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
4. In the Certificates snap-in dialog box, select My user account, click Finish, and then click OK.
5. Expand the Certificates - Current User node, and right-click Personal.
6. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
7. On the Before You Begin page, click Next.
8. On the Certificate Enrollment page, click Next.



9. On the Request Certificates page, select the Key Recovery Agent check box. Click Enroll, and then click Finish.
10. Refresh the console, and view the KRA in the personal store; that is, scroll across the certificate properties and verify that the Certificate Template Key Recovery Agent is present.

Task 4: Configure the CA to allow key recovery


1. Click Start, point to Administrative Tools, and click Certification Authority.
2. In the Certification Authority console, right-click ContosoCA, and then click Properties.
3. Click the Recovery Agents tab, and then select Archive the key.
4. Under Key recovery agent certificates, click Add. In the Key Recovery Agent Selection dialog box, click the certificate that is displayed, and then click OK twice.
5. When prompted to restart the CA, click Yes.

Task 5: Configure a custom template for key archival


1. In the Certification Authority console, right-click the Certificate Templates folder, and then click Manage.
2. In the Certificate Templates console, right-click the User certificate, and then click Duplicate Template.
3. In the Duplicate Template dialog box, click Windows Server 2008 Enterprise, and then click OK.
4. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Archive User.
5. On the Request Handling tab, select the Archive subject's encryption private key check box, and then click OK. By using the archive key option, the KRA can obtain the private key from the certificate store.
6. Close the Certificate Templates console.
7. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, select the Archive User template, and then click OK.
9. Close the Certification Authority console.

10. Log off from the 6426C-NYC-SVR1-B virtual machine.

Task 6: Add a user to the Server Operators group


1. Log on to 6426C-NYC-DC1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Active Directory Users and Computers.
3. In the Active Directory Users and Computers dialog box, click the Executives OU, right-click the user Tony Wang, and then click Add to a group.
4. In the Select Groups dialog box, type Server Operators, and then click OK twice.
5. Right-click Tony Wang, and then click Properties.



6. In the Tony Wang Properties dialog box, on the General tab, in the E-mail box, type tony@Contoso.com, and then click OK.
7. Close the Active Directory Users and Computers dialog box.
8. Log off from the 6426C-NYC-DC1-B virtual machine.

Task 7: Verify key archival functionality


1. Log on to 6426C-NYC-SVR1-B as CONTOSO\Tony, and type in Pa$$w0rd as the password.
2. Click Start. In the Search box, type MMC, and then press ENTER.
3. If the UAC dialog box appears, type Pa$$w0rd, and then click OK.
4. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, and then click OK.
6. Expand the Certificates - Current User node, and right-click Personal.
7. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
8. On the Before You Begin page, click Next.
9. On the Certificate Enrollment page, click Next.

10. On the Request Certificates page, select the Archive User check box. Click Enroll, and then click Finish.
11. It may take a minute for the information to become available. If you receive an error, log off and then log back on again as CONTOSO\Tony.
12. Refresh the console, and view the Archive User certificate in the personal store; that is, scroll down to the end of the templates listed and see the Archive User template listed.
13. Double-click the certificate based on the Archive User template, click the Details tab, and write down the serial number. You will use this serial number for recovery purposes.
14. Log off from the 6426C-NYC-SVR1-B virtual machine.
15. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
16. Click Start. Click Run, type CMD, and then click OK.
17. In the Command window that appears, type certutil -getkey "<serial number>" outputblob; that is, certutil -getkey "AA BB CC DD EE FF GG HH II JJ" outputblob.
Note
Replace <serial number> with the serial number that you wrote down. The Certutil tool queries the CA and provides the certificate information in the command window. Notice the User Principal Name (UPN) and Template sections.
18. To convert the outputblob file into a .pfx file, in the Command window, type certutil -recoverkey outputblob tony.pfx.



Note

The user who needs to recover the key can import the .pfx file.

19. When prompted, type in Pa$$w0rd as the new password, and then confirm the password.
20. After the command is executed, close the command window.
21. Browse to C:\Users\Administrator.CONTOSO, and then verify that tony.pfx (the recovered key) is created.
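The certutil sequence in steps 17 to 21, wrapped as a PowerShell function that also checks its own result. This is an added example, not the lab's own code; it assumes an elevated prompt on NYC-SVR1 where the KRA certificate sits in the Administrator's personal store, the -config value NYC-SVR1\ContosoCA is taken from the lab hosts, and the function names and the requester-name search token 'CONTOSO\Tony' are the example's own choices.

```powershell
# Added example, not part of the lab: recover an archived private key with certutil and
# verify that the resulting PFX really contains a private key.
function Recover-ArchivedKey {
    param(
        [Parameter(Mandatory = $true)][string]$SearchToken,  # serial number, DOMAIN\user or UPN
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$PfxPassword,
        [string]$CaConfig = 'NYC-SVR1\ContosoCA'             # <CA host>\<CA name>, from the lab
    )
    $blob = [IO.Path]::ChangeExtension($PfxPath, '.blob')

    # Step 17: fetch the archived key from the CA database. The blob is still encrypted to
    # the KRA certificate, so it is useless on its own without the KRA's private key.
    & certutil -config $CaConfig -getkey $SearchToken $blob | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $blob)) {
        throw "certutil -getkey found no archived key for '$SearchToken' (exit code $LASTEXITCODE)"
    }

    # Steps 18 and 19: decrypt with the KRA key held by the current user and write a PFX
    # protected with the password that will be handed to the user.
    & certutil -p $PfxPassword -recoverkey $blob $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed (exit code $LASTEXITCODE)" }
    Remove-Item $blob -Force   # nothing else needs the intermediate blob

    # Step 21: open the PFX and confirm it carries a private key; a certificate-only PFX
    # means the recovery did not work even though a file was written.
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key" }
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        SerialNumber = $cert.SerialNumber
        Template     = ($cert.Extensions |
                        Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' } |
                        ForEach-Object { $_.Format($false) })
        Pfx          = $PfxPath
    }
}

# Recover Tony Wang's Archive User key. If the user has several archived certificates,
# pass the serial number written down in step 13 instead, which selects exactly one.
Recover-ArchivedKey -SearchToken 'CONTOSO\Tony' `
                    -PfxPath 'C:\Users\Administrator.CONTOSO\tony.pfx' -PfxPassword 'Pa$$w0rd'
```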

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. Shut down the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1-B in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1-B.

Module 4
Lab Answer Key: Deploying and Configuring Active Directory Lightweight Directory Services
Contents:
Exercise 1: Configuring AD LDS Instances and Partitions 2
Exercise 2: Configuring AD LDS Replication 4
Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps 5


Lab: Deploying and Configuring Active Directory Lightweight Directory Services


Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must: Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.

Exercise 1: Configuring AD LDS Instances and Partitions


Task 1: Add the AD LDS server role by using Server Manager
1. Start the 6426C-NYC-DC1-B virtual machine and then start the 6426C-NYC-SVR1-B virtual machine.
2. Log on to both virtual machines as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
3. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Server Manager.
4. Click the Roles node.
5. In the Details pane, click Add Roles.
6. On the Before You Begin page, click Next.
7. Select the Active Directory Lightweight Directory Services check box, and click Next.
8. If prompted to add required role services, click Add Required Role Services.
9. On the Introduction to Active Directory Lightweight Services page, click Next.

10. On the Confirm Installation Selections page, click Install.
11. On the Installation Results page, click Close.
12. Repeat steps 3 and 10 to install AD LDS on the 6426C-NYC-SVR1-B virtual machine.

Task 2: Create an AD LDS instance known as ContosoApp1 by using AD LDS Setup Wizard
1. On the 6426C-NYC-DC1-B virtual machine, click Start, point to Administrative Tools, and click Active Directory Lightweight Directory Services Setup Wizard.
2. Click Next at the first screen of the wizard.
3. On the Setup Options page, ensure that A unique instance type is selected, and click Next.
4. On the Instance Name page, enter ContosoApp1 as the Instance name. Keep the default Description text and then click Next. If a Windows Firewall warning pops up, click Allow.
5. On the Ports page, enter 6389 as the LDAP port number and 6636 as the SSL port number. Click Next.
6. On the Application Directory Partition page, select the Yes, create an application directory partition option. Enter ou=app1,dc=contoso,dc=local as the Partition name and then click Next.
7. On the File Locations page, keep the default paths and click Next.


8. On the Service Account Selection page, ensure that the Network service account option is selected, and click Next.
9. On the AD LDS Administrators page, ensure that the Currently logged on user: CONTOSO\administrator option is selected, and click Next.

10. On the Importing LDIF Files page, select MS-User.LDF, and click Next.
11. On the Ready to Install page, click Next.
12. When the installation is complete, a message indicating a successful installation will be displayed. Click Finish.


Exercise 2: Configuring AD LDS Replication


Task 1: Create a replica of ContosoApp1 by using the AD LDS Wizard
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click Active Directory Lightweight Directory Services Setup Wizard.
2. Click Next at the first screen of the wizard.
3. On the Setup Options page, select the A replica of an existing instance option, and click Next.
4. On the Instance name page, enter ContosoApp1 as the Instance name. Keep the default Description and then click Next.
5. On the Ports page, enter 6389 as the LDAP port and enter 6636 as the SSL port. Click Next.
6. On the Joining a Configuration Set page, enter NYC-DC1 as the Server, enter 6389 as the LDAP port, and click Next.
7. On the Administrative Credentials for the Configuration Set page, ensure that the Currently logged on user: CONTOSO\administrator option is selected. Click Next.
8. On the Copying Application Directory Partitions page, select the OU=app1,dc=contoso,dc=local partition DN, and click Next.
9. On the File Locations page, keep the default paths, and click Next.

10. On the Service Account Selection page, ensure that the Network service account option is selected, and click Next.
11. On the AD LDS Administrators page, ensure that the Currently logged on user: CONTOSO\Administrator option is selected, and click Next.
12. On the Ready to Install page, click Next.
13. When the installation completes, click Finish.

Task 2: Connect to the application partition and verify initial replication by using ADSI Edit
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click ADSI Edit.
2. In the ADSI Edit console, right-click ADSI Edit in the left pane, and then click Connect to. The Connection Settings dialog box appears.
3. In the Connection Settings dialog box, in the Name box, type ContosoApplication.
4. Under Connection Point, in the Select or type a Distinguished Name or Naming Context box, type ou=app1,dc=contoso,dc=local.
5. Under Computer, in the Select or type a domain or server: (Server | Domain [:port]) box, type NYC-SVR1:6389, and then click OK. A successful connection indicates that 6426C-NYC-SVR1-B has a replica instance.
6. Close ADSI Edit.


Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps


Task 1: Create a list of AD LDS troubleshooting tools
The following table lists AD LDS troubleshooting tools:
Certificates MMC
Ldp.exe
ADSI Edit
Adamsync.exe
Ldifde
Csvde
Event Viewer
Network-based tools such as nslookup, ping, tracert, and telnet

Task 2: Create a list of AD LDS troubleshooting steps


The following troubleshooting steps are not all inclusive but include the major items to check in the scenario:
1. Check to ensure that the AD LDS server is reachable by hostname and IP address to validate DNS functionality.
2. Check to ensure that the AD LDS service is responding to network requests by using ping and telnet. Use telnet to access the AD LDS service port.
3. Verify that the AD LDS service is running. If not, ensure that the service account is not locked out. Check to see if the service account is expired. Ensure that the service account has rights to run as a service.
4. Validate that the SSL certificate in use by AD LDS is still valid, still in the certificate store on the AD LDS server, not expired, and not revoked.
5. Validate that the client computer trusts the SSL certificate's root CA.
6. Use LDP.exe from the AD LDS server to attempt to establish a connection to the AD LDS instance.
7. Check the Event Logs for any warnings or error messages related to AD LDS.
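The checks in the list above, run as one PowerShell function against the lab's replica. This is an added example, not part of the course: it assumes the lab's host, instance, ports and partition (NYC-SVR1, ContosoApp1, 6389/6636, ou=app1,dc=contoso,dc=local), that the instance runs as the service ADAM_ContosoApp1, and that its event log is named "ADAM (ContosoApp1)"; the function and step names are the example's own.

```powershell
# Added example, not part of the course: the AD LDS troubleshooting checklist as code.
function Test-AdLdsInstance {
    param(
        [string]$Server       = 'NYC-SVR1',
        [int]   $LdapPort     = 6389,
        [int]   $SslPort      = 6636,
        [string]$InstanceName = 'ContosoApp1',
        [string]$PartitionDn  = 'ou=app1,dc=contoso,dc=local'
    )
    $results = New-Object Collections.ArrayList
    function Add-Check([string]$Step, [bool]$Pass, [string]$Detail) {
        [void]$results.Add((New-Object PSObject -Property @{ Step = $Step; Pass = $Pass; Detail = $Detail }))
    }

    # Step 1: forward and reverse name resolution exercise DNS before anything else.
    try {
        $ips = @([Net.Dns]::GetHostAddresses($Server) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
        $ptr = [Net.Dns]::GetHostEntry($ips[0]).HostName
        Add-Check 'DNS' ($ips.Count -gt 0) "$Server -> $($ips -join ', ') (reverse: $ptr)"
    } catch { Add-Check 'DNS' $false $_.Exception.Message }

    # Step 2: the telnet test, done as a raw TCP connect to both instance ports.
    foreach ($port in $LdapPort, $SslPort) {
        $tcp = New-Object Net.Sockets.TcpClient
        try     { $tcp.Connect($Server, $port); Add-Check "TCP $port" $true 'port open' }
        catch   { Add-Check "TCP $port" $false $_.Exception.Message }
        finally { $tcp.Close() }
    }

    # Step 3: the instance is the Windows service ADAM_<InstanceName> (assumption: default
    # naming). Report its state and account; a domain service account then needs its
    # lockout and expiry checked in Active Directory Users and Computers.
    try {
        $svc = Get-WmiObject Win32_Service -ComputerName $Server -Filter "Name='ADAM_$InstanceName'"
        if ($svc) { Add-Check 'Service' ($svc.State -eq 'Running') "$($svc.Name) is $($svc.State), runs as $($svc.StartName)" }
        else      { Add-Check 'Service' $false "service ADAM_$InstanceName not found on $Server" }
    } catch { Add-Check 'Service' $false $_.Exception.Message }

    # Steps 4 and 5: take the certificate the instance presents on its SSL port and build a
    # chain with online revocation checking from this client's point of view. The build fails
    # when the certificate is expired or revoked, or when its root CA is not trusted here.
    try {
        $tcp = New-Object Net.Sockets.TcpClient($Server, $SslPort)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
                   ([Net.Security.RemoteCertificateValidationCallback]{ $true }))  # validated below
        $ssl.AuthenticateAsClient($Server)
        $cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok  = $chain.Build($cert)
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Add-Check 'SSL cert' $ok "$($cert.Subject) expires $($cert.NotAfter)$(if (-not $ok) { '; chain: ' + $why })"
        $ssl.Close(); $tcp.Close()
    } catch { Add-Check 'SSL cert' $false $_.Exception.Message }

    # Step 6: what Ldp.exe does by hand: bind and read the application partition's root object.
    try {
        Add-Type -AssemblyName System.DirectoryServices.Protocols
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $LdapPort)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.Bind()   # current user's credentials (Negotiate)
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($PartitionDn, '(objectClass=*)',
                    [System.DirectoryServices.Protocols.SearchScope]::Base, $null)
        $resp = $conn.SendRequest($req)
        Add-Check 'LDAP bind' ($resp.Entries.Count -eq 1) "bound and read $PartitionDn"
        $conn.Dispose()
    } catch { Add-Check 'LDAP bind' $false $_.Exception.Message }

    # Step 7: recent warnings and errors from the instance's own event log
    # (assumption: the log is named "ADAM (<InstanceName>)", the AD LDS default).
    try {
        $ev = @(Get-EventLog -ComputerName $Server -LogName "ADAM ($InstanceName)" -EntryType Error, Warning -Newest 5)
        Add-Check 'Event log' ($ev.Count -eq 0) (($ev | ForEach-Object { "$($_.TimeGenerated) $($_.EventID) $($_.Source)" }) -join '; ')
    } catch { Add-Check 'Event log' $false $_.Exception.Message }

    $results
}

Test-AdLdsInstance | Format-Table Step, Pass, Detail -AutoSize
```

Run it on the client that is failing, not only on the AD LDS server: the certificate chain and DNS checks reflect the trust store and resolver of the machine they run on.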

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. Shut down the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1-B in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1-B.

Module 5
Lab Answer Key: Deploying and Configuring Active Directory Federation Services
Contents:
Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0 2
Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0 8
Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application 11
Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application 17


Lab: Deploying and Configuring Active Directory Federation Services


Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must: Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.

Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Task 1: Install Active Directory Certificate Services in the Contoso domain
1. Start the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
2. Log on to the 6426C-NYC-DC1 virtual machine as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
Note
Before going further into the lab, ensure that the core services it depends on are running; this helps prevent issues later in the lab. To do this:
a. Go to Start > Administrative Tools > Services.
b. In the Services management console, in the Services (Local) pane, on the Extended tab, locate the Active Directory Web Services service and ensure that the Status is Started and the Startup Type is Automatic.
c. If either of these values is not set as above, set the Startup Type to Automatic and restart the service so that the Status changes to Started.
d. Repeat steps a through c for the Active Directory Domain Services service.
3. Click Start, point to Administrative Tools, and then click Server Manager.
4. In the Server Manager window, click Roles.
5. Click Add Roles.
6. On the Before You Begin page, click Next.
7. On the Select Server Roles page, select the Active Directory Certificate Services check box and then click Next.
8. On the Introduction to Active Directory Certificate Services page, click Next.
9. On the Select Role Services page, ensure Certification Authority and Certification Authority Web Enrollment are both selected.

10. Click Add Required Role Services on the Add Roles Wizard dialog when it appears, and then click Next.
11. On the Specify Setup Type page, select Enterprise, and then click Next.
12. On the Specify CA Type page, select Root CA, and then click Next.


13. On the Setup Private Key page, select Create a new private key, and then click Next.
14. On the Configure Cryptography for CA page, accept the defaults, and then click Next.
15. On the Configure CA Name page, in the Common Name for this CA box, type ContosoCA, and then click Next.
16. On the Set Validity Period page, accept the defaults, and then click Next.
17. On the Configure Certificate Database page, accept the defaults, and then click Next.
18. On the Web Server (IIS) page, click Next.
19. On the Select Role Services page, accept the defaults, and then click Next.
20. On the Confirm Installation Selections page, click Install.
21. On the Installation Results page, click Close.

Task 2: Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA)
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certsrv - [Certification Authority (Local)] console, right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box that appears, click the Extensions tab.
4. In the Select extensions drop-down list, select CRL Distribution Point (CDP) and delete the following items by highlighting them and then clicking Remove:
   ldap:///CN
   file://<ServerDNSName>
   Confirm the removal by clicking Yes.
5. Highlight the http:// entry and then select Include in the CDP extension of issued certificates.
6. In the Select extension list, select Authority Information Access (AIA), and delete the following items by highlighting them and then clicking Remove:
   ldap:///CN
   file://<ServerDNSName>
   Confirm the removal by clicking Yes.
7. Highlight the http:// entry and then select Include in the AIA extension of issued certificates.
8. Click OK to exit the dialog box.
9. On the Certification Authority dialog box, click Yes to restart the Active Directory Certificate Services.

10. Click Start. In the Search box, type MMC, and then press ENTER.
11. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
12. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
13. In the Certificate snap-in dialog box, select Computer account, and then click Next.


14. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
15. In the Add or Remove Snap-ins dialog box, click OK.
16. In the console tree, expand Certificates (Local Computer), and then expand Personal.
17. Under the Personal folder, click Certificates and press F5. Note the certificates that are present and their details such as Issued To, Expiration Date, Intended Purposes, Friendly Name and Certificate Template.
18. Click Start, click All Programs, click Accessories, right-click Command Prompt and then click Run as Administrator.
19. In the Command Prompt window, type certutil -pulse, and then press ENTER.
20. Return to the Certificates console, and then press F5 to refresh.
21. A new certificate should now be issued to NYC-DC1.contoso.com, issued by ContosoCA, with an intended purpose of Client Authentication, Server Authentication and based on the certificate template of Domain Controller.
22. Right-click this certificate and then click Delete. Click Yes to confirm the deletion.
Note
This certificate contains legacy LDAP CRL URLs which we cannot use in our federated environment, so we need to purge this certificate now to avoid potential configuration trouble later.

Task 3: Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In Available snap-ins, double-click Certificate Templates, and then click OK.
4. In the console tree, click Certificate Templates. All the certificate templates appear in the details pane.
5. In the details pane, right-click the Web Server template, and then click Properties.
6. On the Security tab, click Add.
7. In the Enter the object name to select box, type Domain Computers, and then click OK.
8. While Domain Computers is selected in Group or user names, in the Permission list, under Allow, select the Read and Enroll check boxes.
9. Repeat steps 6 to 8 for Domain Controllers, Network Service and IIS_IUSRS.

10. Click OK to close the Web Server Properties dialog box, and then close the console. Click No when asked to save the console settings.
11. Click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as Administrator.
12. In the Command Prompt window, type the following command to stop AD CS, and then press ENTER.


net stop "Active Directory Certificate Services"

13. In the Command Prompt window, type the following command to start AD CS, and then press ENTER.
net start "Active Directory Certificate Services"

Task 4: Create a certificate in the Internet Information Services (IIS)


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, highlight NYC-DC1 (Contoso\Administrator).
3. In the Features View pane in the middle, double-click the Server Certificates icon.
4. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard opens.
5. On the Distinguished Name Properties page of the wizard, enter the settings as listed below, and then click Next.
   Common name: NYC-DC1.Contoso.com
   Organization: Contoso Pharmaceuticals
   Organization unit: IT Department
   City/locality: New York
   State/province: New York
   Country/region: US
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.
Note
The Select button is only enabled when a CA is correctly configured and exists on the domain.
7. Select ContosoCA, and then click OK.
8. In Friendly name, type NYC-DC1.Contoso.com, and then click Finish.
Note
You must provide a friendly name for the certificate.

Task 5: Bind the certificate to a claim aware application for use with SSL
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand NYC-DC1 (CONTOSO\Administrator), expand Sites, click Default Web Site, and then in the Actions pane, click Bindings.
3. In the Site Bindings dialog box, click Add.
4. In the Add Site Binding dialog box, under Type select https, and under Port enter 443.
5. Expand the SSL Certificate drop-down list.


6. If there is more than one certificate with the name NYC-DC1.Contoso.com, you need to determine which one is the certificate you just created and the one you want to use.
7. Select the NYC-DC1.Contoso.com certificate from the list, and then click View.
8. In the Certificate dialog, click the Details tab, select <All> in the Show drop-down list, and then scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate dialog box.
9. If the field is not present or the friendly name listed is different, click OK to close the Certificate dialog box and repeat steps 6 to 8 until you determine the correct certificate.
10. Now that you have identified the correct certificate, select that certificate, click OK, and then click Close.

Task 6: Export the Contoso root certificate for importing into the WoodgroveBank domain
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the console tree, expand Certificates (Local Computer), and then expand Personal.
8. Under the Personal folder, click Certificates. In the details pane, right-click the ContosoCA certificate, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.

10. On the Export Private Key page, select No, do not export the private key, and then click Next.
11. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
12. On the File to Export page, type C:\Export\Certs\ContosoCA.cer, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.

Task 7: Import the certificates from the WoodgroveBank domain into the local Trusted Root Certificate Authority store and make that certificate accessible to all computers in the domain using Group Policy
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Group Policy Wizard opens.


4. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
5. In Domains, OUs, and linked Group Policy Objects, select Default Domain Policy, and then click OK.
6. Click Finish and then click OK.
7. Double-click Default Domain Policy. In the console tree, expand the following path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
8. Right-click Trusted Root Certification Authorities, and then click Import.
9. On the Welcome to the Certificate Import Wizard page, click Next.

10. On the File to Import page, click Browse. 11. In the Open window, in the File name box, type \\MIA-DC1\C$\Export\Certs \WoodgroveBankCA.cer, click Open, and then click Next. 12. On the Certificate Store page, select Place all certificates in the following store, verify that it is pointed to the Trusted Root Certification Authorities store, and then click Next. 13. On the Completing the Certificate Import Wizard page, click Finish. 14. You should receive a message saying The import was successful. Click OK. 15. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator. 16. In the Command Prompt window, type gpupdate /force, and then press ENTER. 17. Log on to the 6426C-MIA-DC1 virtual machine as WOODGROVEBANK\Administrator, and type in Pa$$w0rd as the password. 18. Repeat steps 1 to 14 on the 6426C-MIA-DC1 virtual machine using \\NYC-DC1\C$\Export\Certs \ContosoCA.cer as the certificate to import. 19. On the 6426C-MIA-DC1 virtual machine, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator. 20. In the Command Prompt window, type gpupdate /force and then press ENTER.

Results: At the end of this exercise, you have installed Active Directory Certificate Services (AD CS); created, modified and managed certificates for use in a federated environment; bound certificates to an SSL connection; and exported and imported certificates across different organizations. These are all preliminary tasks required for a successful AD FS implementation.


Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Task 1: Install AD FS 2.0 in the Contoso domain
1. On the 6426C-NYC-DC1 virtual machine, right-click Start, and then click Open Windows Explorer.
2. In Windows Explorer, go to the X:\Labfiles\Mod05\AdfsSetup folder, right-click the file AdfsSetup.exe, and then click Run as administrator.
3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
4. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.
5. On the Server Role page, ensure that Federation server is selected, and then click Next.
6. In the Install Prerequisite Software window, click Next to begin the installation.
7. In the Completed the AD FS 2.0 Setup Wizard window, ensure that the Start the AD FS 2.0 Management snap-in when this wizard closes option is selected, and then click Finish. The AD FS 2.0 console opens.

Task 2: Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration Wizard
1. On the 6426C-NYC-DC1 virtual machine, in the AD FS 2.0 console, in the middle pane, click the AD FS 2.0 Federation Server Configuration Wizard link.
2. On the Welcome page, ensure that Create a new Federation Service is selected, and then click Next.
3. On the Select Stand-Alone or Farm Deployment page, select the Stand-alone federation server option, and then click Next.
4. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is NYC-DC1.Contoso.com, the Port is 443, and the Federation Service name is NYC-DC1.Contoso.com. Click View.
5. In the Certificate dialog, click the Details tab, select <All> in the Show drop-down list and scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate dialog.
6. Click Next.
7. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and then click Next.
8. The wizard should display the results for each component with the status being Configuration finished.
9. Click Close.

Note: As was recommended at the start of Exercise 1, you should ensure that some core services that are required are running prior to continuing, to help prevent any issues later in the lab. To do this, do the following:
a. Go to Start > Administrative Tools > Services.
b. In the Services management console, in the Services (Local) pane, in the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started and the Startup Type is set to Automatic.
c. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
d. Repeat steps a through c above for the AD FS 2.0 Windows Service.

Task 3: Verify the Federation PowerShell Modules have been installed correctly and are available for use
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules. The PowerShell modules will load once the PowerShell window is opened.
2. At the prompt, type the following command, and then press ENTER.
   get-ADFSProperties
3. Examine the output and determine what the fields and values mean. Note some of the more notable values such as AutoCertificateRollover, ClientCertRevocationCheck, DisplayName, HostName, the HTTP port values, Identifier and FederationPassiveAddress.
4. Type the following PowerShell cmdlet, and then press ENTER.
   get-command *-ADFS*
5. Note the list of cmdlets and their associated definitions.

Task 4: Verify the FederationMetaData.xml is present and contains valid data


1. On the 6426C-NYC-DC1 virtual machine, click Start, click All Programs, and then click Internet Explorer.
2. Type the following address into the address bar: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Verify that the XML file opens successfully, and scroll through its contents.

Task 5: Create a new claim type and verify it has been successfully added to the claims list
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Service, and then click Claim Descriptions.
3. Right-click Claim Descriptions, and then click Add Claim Description.
4. In Display Name, type Favorite Color.
5. In the Claim Identifier box, type http://www.favoritecolor.com/claim/colordescriptions.

Note: You do not have to use a URL, or even a valid URL; however, this is one method of providing information about what a particular claim type is, what it is used in relation to, and what format the information should take.

6. Select Publish this claim description in the federation metadata as a claim type that this Federation Service can accept.
7. Select Publish this claim description in the federation metadata as a claim type that this Federation Service can send.
8. Click OK.
9. Click Start, click All Programs, and then click Internet Explorer.
10. Type the following address into the address bar: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
11. Scroll to the end and locate the entry that you have just created.
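Tasks 4 and 5 verify the federation metadata by eye in Internet Explorer. The following PowerShell script is an added example, not part of the lab, that downloads the same file and checks the three things a partner will actually consume from it: the Federation Service identifier, the published token-signing certificates, and the offered claim types (including the Favorite Color claim from Task 5). It assumes it runs on NYC-DC1, where the lab's SSL certificate is trusted; the XML namespaces are the standard SAML metadata and WS-Federation ones.

```powershell
# Added example: verify AD FS 2.0 federation metadata from PowerShell 2.0 (Server 2008 R2).
$MetadataUrl   = "https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml"
$ExpectedClaim = "http://www.favoritecolor.com/claim/colordescriptions"   # added in Task 5

# WebClient is used because Invoke-WebRequest does not exist in PowerShell 2.0.
$client = New-Object System.Net.WebClient
[xml]$metadata = $client.DownloadString($MetadataUrl)

# The document mixes SAML 2.0 metadata, WS-Federation, WS-Fed authorization and XML DSig.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md",   "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("fed",  "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("auth", "http://docs.oasis-open.org/wsfed/authorization/200706")
$ns.AddNamespace("ds",   "http://www.w3.org/2000/09/xmldsig#")

# 1. entityID is the Federation Service identifier; it should match the Identifier value
#    that get-ADFSProperties printed in Task 3.
$entityId = $metadata.DocumentElement.GetAttribute("entityID")
Write-Host "Federation Service identifier: $entityId"

# 2. Signing keys published to partners. A relying party will accept tokens signed by any
#    of these, so an unexpected thumbprint here is a finding, not a curiosity.
$signingNodes = $metadata.SelectNodes(
    "//md:RoleDescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
foreach ($node in $signingNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText)     # whitespace is ignored
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    Write-Host ("Signing cert: {0}  thumbprint {1}  expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}

# 3. Claim types this Federation Service offers; the Task 5 claim description appears here
#    only because "can send" was selected.
$offered = $metadata.SelectNodes("//fed:ClaimTypesOffered/auth:ClaimType", $ns)
foreach ($claim in $offered) {
    $displayNode = $claim.SelectSingleNode("auth:DisplayName", $ns)
    $name = if ($displayNode) { $displayNode.InnerText } else { "(no display name)" }
    Write-Host ("{0,-40} {1}" -f $name, $claim.GetAttribute("Uri"))
}

$found = $offered | Where-Object { $_.GetAttribute("Uri") -eq $ExpectedClaim }
if ($found) { Write-Host "Favorite Color claim is published in the metadata." }
else        { Write-Warning "Favorite Color claim is NOT in the published metadata." }
```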

Results: At the end of this exercise, you have installed and configured AD FS and verified a successful installation by viewing the PowerShell modules as well as directly looking at the federation metadata XML. You have also successfully added a new claim type to the claim descriptions.


Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Task 1: Configure a Token Signing Certificate for NYC-DC1.Contoso.com
Note: Certificates cannot be modified within ADFS while the ADFS automatic rollover feature is enabled. This feature determines whether ADFS manages certificate expiration and replacement with new certificates. Before you can modify certificates within ADFS, this feature needs to be turned off.

1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
2. At the prompt, type set-ADFSProperties -AutoCertificateRollover $False, and then press ENTER.
3. Type get-ADFSProperties, and then press ENTER.
4. Verify that the value for AutoCertificateRollover is now False.
5. Click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
6. In the AD FS 2.0 console, in the left pane, expand Service, and then click Certificates.
7. Right-click Certificates, and then click Add Token-Signing Certificate.
8. In the Select a token signing certificate dialog box, notice the certificates listed, and then select the NYC-DC1.Contoso.com certificate.
9. Click the Click here to view certificate properties link to open the Certificate Details window.
10. In the Certificate Details window, click the Details tab, select <All> in the Show drop-down list, and then scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate Details window.
11. If the certificate properties dialog does not contain a Friendly name field, continue to the next certificate and repeat steps 8 to 10.
12. When you have found the correct certificate, click OK to close the Certificate Details window. Select the correct certificate, and then click OK.
13. If you are prompted with a dialog window on the certificate key length, click Yes, and then click OK.
14. Right-click the newly added certificate, and then click Set as Primary. Take note of the warning message, understand what the consequences would be in a production environment, and then click Yes.
15. Select the certificate that has just been superseded, right-click the certificate, and then click Delete. Click Yes to confirm the deletion.

Task 2: Configure a claims provider trust for NYC-DC1.Contoso.com


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claims Provider Trusts.
3. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule.
5. The Add Transform Claim Rule Wizard appears.
6. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.
7. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
8. In the Attribute store drop-down list, select Active Directory.
9. In the Mapping of LDAP attributes to outgoing claim types section, select the following values:

   LDAP Attribute         Outgoing Claim Type
   E-Mail-Addresses       E-Mail Address
   User-Principal-Name    UPN
   Display-Name           Name

10. Click Finish, and then click OK.

Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows Identity Foundation Federation Utility.
2. On the Welcome to the Federation Utility wizard page, in the Application configuration location, enter C:\inetpub\wwwroot\ContosoClaimApp\web.config for the location of the web.config file of the WIF sample application.
3. In the Application URI box, type https://nyc-dc1.contoso.com/ContosoClaimApp/ to indicate the path to the sample application that will trust the incoming claims from the federation server. Click Next to continue.
4. On the Security Token Service page, select Use an existing STS, type https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml for the STS WS-Federation metadata document location, and then click Next to continue.

Note: If you are using a certificate that has not been issued by a Certificate Authority, you will receive a wizard page concerning the certificate validation. If you have selected the certificates as outlined in the exercises in this lab, you will not encounter this page. However, if you choose a non-CA issued certificate, you will need to complete step 5. If you have used a CA issued certificate, you can proceed directly to step 6.

5. On the STS signing certificate chain validation error page, click Disable certificate chain validation, and then click Next.

Note: Selecting this option is not recommended in a production environment. The Disable certificate validation option is used in this test lab environment only to simplify the scenario.

6. On the Security token encryption page, select No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.

Note: If you scroll to the end of the claims, you should see the claim you added in Exercise 2.

8. On the Summary page, review the changes that will be made to the sample application by the Federation Utility wizard, scroll through the items to understand what each item is doing, and then click Finish.
9. Click OK.

Task 4: Configure a relying party trust to the claim aware application


1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the middle pane, click Required: Add a trusted relying party.
3. On the Welcome page of the Add Relying Party Trust Wizard, click Start.
4. On the Select Data Source page, select Import data about the relying party published online or on a local network, and then type https://nyc-dc1.contoso.com/ContosoClaimApp.
5. Click Next to continue.

Note: This action prompts the wizard to check for the metadata of the application that the web server role hosts.

6. On the Specify Display Name page, in the Display name box, type WIF Sample Claims App, and then click Next.
7. On the Choose Issuance Authorization Rules page, ensure that Permit all users to access this relying party is selected, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. The Edit Claim Rules for WIF Sample Claims App window opens.

Task 5: Configure claim rules for the relying party trust


1. In the Edit Claim Rules for WIF Sample Claims App window, on the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard opens.
2. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

Note: This action passes an incoming claim through to the user by means of Windows Integrated Authentication.

3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name rule. In the Incoming claim type drop-down list, select Windows account name, and then click Finish.
4. Click Add Rule.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the Incoming claim type drop-down list, select E-mail Address, and then click Finish.
7. Click Add Rule.
8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming claim type drop-down list, select UPN, and then click Finish.
10. Click Add Rule.
11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming claim type drop-down list, select Name, and then click Finish.
13. Click Apply, and then click OK.

Task 6: Test the access to the claims aware application


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Axel using password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, type CONTOSO\Axel with password Pa$$w0rd, and then press ENTER. The page renders and you see the claims that were processed to allow access to the web site.

Note: If you receive an error saying the page could not be accessed, as a first step in troubleshooting you should ensure that some core services that are required are running successfully, then retry accessing the application as outlined above. To do this, do the following:
a. Log on to 6426C-NYC-DC1 with user name Contoso\Administrator and password Pa$$w0rd.
b. Go to Start > Administrative Tools > Services.
c. In the Services management console, in the Services (Local) pane, in the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started and the Startup Type is set to Automatic.
d. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
e. Repeat steps a through c above for the AD FS 2.0 Windows Service.
f. Retry steps 1 to 3 above.

4. Log off from the 6426C-NYC-CL1 virtual machine.

Task 7: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claim Provider Trusts.
3. Select Active Directory, and in the Actions pane on the right side, click Edit Claim Rules.
4. On the Acceptance Transform Rules tab, click the Add Rule button to start the Add Transform Claim Rule Wizard.
5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Send IT Admin Group Rule, and click Browse.
7. In the Enter the object name to select box, type ITAdmins_ContosoGG, and then click OK.
8. In Outgoing claim type, select Group; in Outgoing claim value, type ITADMIN; and then click Finish.
9. Click OK to close the property page and save the changes to the claim provider trust.
10. In the AD FS 2.0 console, expand Trust Relationships, and then click Relying Party Trusts.
11. Select the WIF Sample Claims App, and in the Actions pane on the right side, click Edit Claim Rules.
12. In the Edit Claim Rules for WIF Sample Claims App window, click the Issuance Authorization Rules tab.
13. On the Issuance Authorization Rules tab, select the rule named Permit Access to All Users, and click Remove Rule. Click Yes to confirm. With no rules, no users are permitted access.
14. On the Issuance Authorization Rules tab, click the Add Rule button to start the Add Issuance Authorization Claim Rule Wizard.
15. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
16. On the Configure Rule page, in Claim rule name, type Permit IT Admin Group Rule. In the Incoming claim type drop-down list, select Group. In Incoming claim value, type ITADMIN, select the option to Permit access to users with this incoming claim, and then click Finish.
17. Click OK to close the property page and save the changes to the relying party trust.
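The two wizards in Task 7 generate claim rule language behind the scenes. The following PowerShell is an added example, not part of the lab, that applies the same group-based restriction with the AD FS 2.0 cmdlets so the resulting rules can be read, versioned and reviewed. The rule text is written to match what the Send Group Membership as a Claim and Permit or Deny Users templates produce; it assumes it runs on 6426C-NYC-DC1 as CONTOSO\Administrator, that the ActiveDirectory module is available there, and that the claims provider trust and relying party trust still carry the names the lab gave them.

```powershell
# Added example: Task 7 expressed as AD FS 2.0 claim rule language, applied via PowerShell.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$GroupName   = "ITAdmins_ContosoGG"
$ClaimValue  = "ITADMIN"
$GroupClaim  = "http://schemas.xmlsoap.org/claims/Group"
$PermitClaim = "http://schemas.microsoft.com/authorization/claims/permit"

# The Send Group Membership template matches on the group SID rather than the name, so a
# renamed group keeps working and a deleted-and-recreated group with the same name does not.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

$acceptanceRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Send IT Admin Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$GroupClaim", Value = "$ClaimValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Set-ADFSClaimsProviderTrust replaces the entire rule set, so append to the LDAP rule
# created in Exercise 3 Task 2 instead of silently dropping it.
$existing = (Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules ($existing + "`r`n" + $acceptanceRule)

# Issuance authorization for the relying party: permit only users carrying the ITADMIN
# group claim. Because this too replaces the whole set, the Permit Access to All Users rule
# disappears in the same step (steps 13 to 16), and anyone without a matching rule is denied.
$authorizationRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "$GroupClaim", Value =~ "^(?i)$ClaimValue`$"]
 => issue(Type = "$PermitClaim", Value = "PermitUsersWithClaim");
"@
Set-ADFSRelyingPartyTrust -TargetName "WIF Sample Claims App" -IssuanceAuthorizationRules $authorizationRule

# Read both rule sets back; this is what AD FS will evaluate for CONTOSO\Betsy and CONTOSO\Aaron in Task 8.
(Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name "WIF Sample Claims App").IssuanceAuthorizationRules
```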

Task 8: Verify restrictions and accessibility to the claims aware application


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://nyc-dc1.contoso.com/ContosoClaimApp.
3. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER.
4. You should be able to access the application.
5. Log off from the 6426C-NYC-CL1 virtual machine.
6. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Aaron using password Pa$$w0rd.
7. Launch Internet Explorer, and in the browser address bar, type: https://nyc-dc1.contoso.com/ContosoClaimApp.
8. When prompted for credentials, type CONTOSO\Aaron with password Pa$$w0rd, and then press ENTER. You receive an Access Denied error. This is because CONTOSO\Aaron is not a member of the ITAdmins_ContosoGG group, and is therefore not authorized to access the site.
9. Log off from the 6426C-NYC-CL1 virtual machine.

Results: At the end of this exercise, you have configured a stand-alone AD FS 2.0 federation server and verified the Federation PowerShell Modules installed successfully and are available.


Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application
Task 1: Add a claims provider trust for the NYC-DC1.Contoso.com on 6426C-MIA-DC1
1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claims Provider Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. On the Welcome page, click Start.
5. On the Select Data Source page, select Import data about the claims provider published online or on a local network, type https://nyc-dc1.contoso.com, and then click Next.
6. On the Specify Display Name page, click Next.
7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to save the configuration.
8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for nyc-dc1.contoso.com window appears.
9. On the Acceptance Transform Rules tab, click Add Rule.

10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish.

Note: Read, understand and acknowledge the warning message that appears by clicking Yes.

14. Click OK, and then close the AD FS 2.0 console.
15. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
16. At the prompt, type the following command, and then press ENTER.
   Set-ADFSClaimsProviderTrust -TargetName nyc-dc1.contoso.com -SigningCertificateRevocationCheck None
17. Close the PowerShell window.

Note: We have not made any modification to the application itself.


Task 2: Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claim aware application
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Relying Party Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. On the Welcome page, click Start.
5. On the Select Data Source page, select Import data about the relying party published online or on a local network, type https://mia-dc1.woodgrovebank.com, and then click Next.
6. On the Specify Display Name page, in the Display name box, type Woodgrove Bank Claim App B2B, and then click Next.
7. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.
9. On the Finish page, click Close to close the wizard. The Edit Claim Rules for Woodgrove Bank Claim App B2B window appears.
10. On the Issuance Transform Rules tab, click Add Rule.
11. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.
12. In the Claim rule name box, type Pass through Windows account name rule.
13. In the Incoming Claim type drop-down list, select Windows account name.
14. Select Pass through all claim values, and then click Finish.
15. Click OK, and then close the AD FS 2.0 console.

Task 3: Verify access to Woodgrove Bank's claim aware application by Contoso users
1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.

Note: The logon process has changed, and you now need to select an authority which can authorize and validate the access request. The Home Realm Discovery page (the Sign In page) appears and you need to select an authority.

3. Select nyc-dc1.contoso.com on the Home Realm Discovery page, and then click Continue to Sign in.
4. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER. You should be able to access the application.
5. Close Internet Explorer.
6. Launch Internet Explorer, and in the address bar type the following address: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.

Note: You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party Federation Server. The default lifetime for the cookie is 30 days. Therefore, in order for us to log on multiple times, we should delete that cookie after each logon attempt to return to a clean state.

7. Click Cancel.
8. In Internet Explorer, click Tools, and then click Internet Options.
9. On the General tab, in the Browsing History section, click Delete.
10. Select all the check boxes, and then click Delete.
11. Click OK and close Internet Explorer.
12. Launch Internet Explorer again, and in the browser address bar type: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.
13. Select nyc-dc1.contoso.com on the Home Realm Discovery page, and then click Continue to Sign in.
14. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER. You should be able to access the application.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. Shut down the 6426C-NYC-DC1, 6426C-NYC-CL1 and 6426C-MIA-DC1 virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-CL1 and 6426C-MIA-DC1.

Module 6
Lab Answer Key: Deploying and Configuring Active Directory Rights Management Services
Contents:
Exercise 1: Installing and Configuring AD RMS
Exercise 2: Configuring AD RMS Templates
Exercise 3: Configuring AD RMS Trust Policies
Exercise 4: Testing AD RMS Functionality
Exercise 5: Generating AD RMS Reports


Lab: Deploying and Configuring Active Directory Rights Management Services


Lab Setup
In this lab, you use the available virtual machine environment. Before you begin the lab, you must:
1. Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.

Exercise 1: Installing and Configuring AD RMS


Task 1: Add a CNAME for the AD RMS Cluster
1. Start the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines, log on to 6426C-NYC-DC1 as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
2. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click DNS.
3. In DNS Manager, expand NYC-DC1, expand Forward Lookup Zones, and expand Contoso.com.
4. Right-click Contoso.com, and then click New Alias (CNAME).
5. In the Alias name (uses parent domain if left blank) field, type RMS.
6. In the Fully qualified domain name (FQDN) for target host field, enter NYC-SVR1.contoso.com.
7. Click OK, and then close the DNS console.

Task 2: Install and configure AD RMS


1. Log on to 6426C-NYC-SVR1 as CONTOSO\Administrator with the password Pa$$w0rd.
2. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager.
3. Click Roles, then in the Details pane, click Add Roles.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select the Active Directory Rights Management Services check box.
6. When prompted, click Add Required Role Services, and then click Next.
7. Click Next twice.
8. On the Create or Join an AD RMS Cluster page, select Create a new AD RMS cluster, and then click Next.
9. On the Select Configuration Database page, select Use Windows Internal Database on this server, and then click Next.
10. On the Specify Service Account page, click Specify, type CONTOSO\adrms-svc, type Pa$$w0rd for the password, click OK to provide a domain user account for the AD RMS service account, and then click Next.
11. On the Configure AD RMS Cluster Key Storage page, select Use AD RMS centrally managed key storage, and then click Next.
12. On the Specify AD RMS Cluster Key Password page, type Pa$$w0rd as the AD RMS cluster key password, and then click Next.
13. On the Select AD RMS Cluster Web Site page, ensure that Default Web Site is selected, and then click Next.
14. On the Specify Cluster Address page, in the Internal Address box, type rms.contoso.com, select Use an unencrypted connection (http://), click Validate, and then click Next.
15. On the Name the Server Licensor Certificate page, in the Name box, type Contoso Pharmaceuticals RMS, and then click Next.
16. On the Register AD RMS Service Connection Point page, ensure that Register the AD RMS service connection point now is selected, and then click Next three times.
17. On the Confirm Installation Selections page, view the informational messages, and then click Install to complete the installation.
18. After the installation is complete, click Close, and then log off from the 6426C-NYC-SVR1 virtual machine.


Exercise 2: Configuring AD RMS Templates


Task 1: Configure AD RMS rights policy templates
1. Log on to the 6426C-NYC-SVR1 virtual machine as CONTOSO\Administrator with the password of Pa$$w0rd.
2. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

Note: It may take a couple of minutes for the AD RMS console to become available and you may see an error, but the console will eventually become available.

3. Expand NYC-SVR1 (Local), and click Rights Policy Templates.
4. In the Actions pane, under Rights Policy Templates, click Properties.
5. In the Rights Policy Templates Properties page, select Enable export.
6. In the Specify templates file location (UNC) box, type \\NYC-DC1\templates, and then click OK.
7. In the far right pane, click Create Distributed Rights Policy Template. Then, after the wizard is launched, click Add.
8. In the Add New Template Identification Information box, set Language to English (United States), set Name to Confidential Projects, set Description to Contoso Pharmaceuticals IT Department, and click Add. Then, click Next.
9. On the Add User Rights page, click Add, and in the Add User or Group box, type ITAdmins@Contoso.com, and then click OK. Under Rights for ITAdmins@Contoso.com, select the Edit check box.
10. Click Add, select Anyone, and then click OK.
11. Under Rights for ANYONE, select the View check box, and then click Next.
12. On the Specify Expiration Policy page, select the Expires after the following duration (days) option to specify content expiration, and type 14 as the value.
13. Click Finish, close the Active Directory Rights Management Services console, and then log off from the 6426C-NYC-SVR1 virtual machine.

Task 2: Configure AD RMS rights policy template distribution for Windows 7 client
computers
1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy with the password Pa$$w0rd.
2. On the 6426C-NYC-CL1 virtual machine, click Start, right-click Computer, and then click Manage.
3. In the User Account Control dialog box, type Administrator as the user name, and Pa$$w0rd as the password, and then click Yes.
4. In the Computer Management console, expand Task Scheduler, expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.
5. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.
6. Right-click AD RMS Rights Policy Template Management (Automated), click Run, and then close Computer Management.

Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Betsy and password Pa$$w0rd.

7. Click Start, type regedit.exe in the Search box, and then press ENTER.
8. Browse to HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 14.0, and then click Common.
9. Right-click Common, point to New, and then click Key.
10. Name the new key DRM. This key is only available if the user has previously launched any Microsoft Office program and used rights management. If DRM was not already created, you must create it manually. This is also true for the Office > 14.0 key.
11. Right-click DRM, point to New, and then click Expandable String Value.
12. In the New Value #1 box, type AdminTemplatePath, and then press ENTER.
13. Double-click the AdminTemplatePath registry value. In the Value data box, type %LocalAppData%\Microsoft\DRM\Templates, and then click OK.
14. Close the Registry Editor, and log off from the 6426C-NYC-CL1 virtual machine.
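The client-side part of Task 2, scripted in PowerShell as an added example (this is not code from the Microsoft lab). It assumes a domain-joined Windows 7 client with the AD RMS client scheduled task present and Office 2010 (hence the 14.0 key); Enable-RmsTemplateTask needs an elevated session, while Set-OfficeTemplatePath must run as the end user because the key lives under HKCU.

```powershell
# Added example, not part of the Microsoft lab. Assumed: Windows 7 client, Office 2010,
# the AD RMS client scheduled task exists, PowerShell 2.0 or later.

function Enable-RmsTemplateTask {
    # schtasks.exe is used because the ScheduledTasks module does not exist on Windows 7.
    $task = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'
    schtasks.exe /Change /TN $task /Enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable task '$task'" }
    schtasks.exe /Run /TN $task | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not start task '$task'" }
    # 'Last Result' of 0 means the template download completed.
    schtasks.exe /Query /TN $task /V /FO LIST | Select-String 'Status|Last Result'
}

function Set-OfficeTemplatePath {
    $key   = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
    $value = '%LocalAppData%\Microsoft\DRM\Templates'
    # Office\14.0\Common\DRM only exists once Office has used rights management; create it.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_EXPAND_SZ (Expandable String Value), so %LocalAppData% is expanded per user.
    New-ItemProperty -Path $key -Name AdminTemplatePath -Value $value `
                     -PropertyType ExpandString -Force | Out-Null

    # Verification: a wrong value kind (REG_SZ) or an empty template folder both leave
    # Office with no policy templates in the Restrict Permission menu and no visible error.
    $kind = (Get-Item $key).GetValueKind('AdminTemplatePath')
    $dir  = [Environment]::ExpandEnvironmentVariables($value)
    $xml  = @(Get-ChildItem -Path $dir -Filter '*.xml' -ErrorAction SilentlyContinue)
    if ("$kind" -ne 'ExpandString') { Write-Warning "AdminTemplatePath is $kind, expected ExpandString" }
    if ($xml.Count -eq 0) { Write-Warning "No templates in $dir yet; run the scheduled task first" }
    New-Object PSObject -Property @{ ValueKind = "$kind"; TemplateFolder = $dir; Templates = $xml.Count }
}

# Usage (each function in the appropriate session, see the note at the top):
# Enable-RmsTemplateTask
# Set-OfficeTemplatePath
```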

Task 3: Use Group Policy Management console to distribute the AD RMS rights policy
template to Windows XP client computers
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
3. Under Contoso.com, right-click the Default Domain Policy shortcut, and then click Edit.
4. In the Group Policy Management Editor, browse to User Configuration, and then expand Policies.
5. Right-click Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, and then click Add/Remove Templates.
6. Click Add, and in the File name box, type \\NYC-DC1\templates, and then click Open.
7. In the Policy Templates dialog box, select office14.adm, click Open, and then click Close.
8. In the Group Policy Management Editor, browse to User Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from local machine\Classic Administrative templates (ADM)\Microsoft Office 2010\Manage Restricted Permissions.
9. Double-click Specify Permission Policy Path, and then select Enabled.
10. In the Enter path to policy templates for content permission box, type the complete path to the permission policy templates, \\NYC-DC1\templates, and then click OK.
11. Close the Group Policy Management Editor, and then close the Group Policy Management console.


Exercise 3: Configuring AD RMS Trust Policies


Task 1: Export the Trusted User Domains policy
1. Log on to the 6426C-NYC-SVR1 virtual machine as CONTOSO\Administrator with the password of Pa$$w0rd.
2. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. Expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted User Domains.
4. In the Details pane, select the Enterprise object.
5. In the Actions pane, click Export Trusted User Domain.
6. In the File name box, type c:\Contoso.bin, and then click Save.

Task 2: Export the Trusted Publishing Domains policy


1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted Publishing Domains.
2. In the Details pane, select Contoso Pharmaceuticals RMS.
3. In the Actions pane, click Export Trusted Publishing Domain.
4. Click Save As.
5. In the File name box, type c:\Contoso.xml, and then click Save.
6. Type and confirm Pa$$w0rd as the password.
7. Click Finish.

Task 3: Import the Trusted User Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted User Domains.
2. Right-click Trusted User Domains, and click Import Trusted User Domain.
3. In the Trusted user domain file box, type \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin.
4. In the Display name box, type WoodgroveBank Domain, and then click Finish. The WoodgroveBank Domain Trusted User domain information is displayed in the Details pane of the AD RMS console.

Task 4: Import the Trusted Publishing Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted Publishing Domains.
2. Right-click Trusted Publishing Domains, and click Import Trusted Publishing Domain.
3. In the Trusted publishing domain file box, type \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml.
4. Type Pa$$w0rd as the password.
5. In the Display name box, type WoodgroveBank RMS, and then click Finish. The WoodgroveBank RMS TPD information is displayed in the Details pane of the AD RMS console.
6. Close the Active Directory Rights Management Services console.


Exercise 4: Testing AD RMS Functionality


Task 1: Create a rights-protected document
1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy with the password Pa$$w0rd.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Word 2010.
3. In the blank Word document, type This is a protected document.
4. Click the File menu, click the Info button, click Protect Document, and then click Restrict Permission by People and select Confidential Projects.

Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Betsy and password Pa$$w0rd.

5. Click the File menu, click Save, type \\NYC-DC1\templates\Protected.docx in the File name box, and then click Save.
6. Close Microsoft Office Word, and then log off from the 6426C-NYC-CL1 virtual machine.

Note: The user accounts are authenticated against email addresses in AD DS in this test environment. If a user account does not have an email address assigned, the user will not be able to use the RMS functionality.

Task 2: Open the rights-protected document as a non-authorized user


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Aaron with the password Pa$$w0rd. Note that Aaron is not a member of the IT Admins group and should only have view access to the document.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Word 2010.
3. Click the File menu, and then click Open.
4. In the File name box, type \\NYC-DC1\templates\Protected.docx, and then click Open.

Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Aaron and password Pa$$w0rd.

5. In the message box indicating that permission to the document is restricted, click OK. The document opens.
6. In the Confidential Projects bar, click View Permission. Notice that Aaron only has permission to view the document and that the permission expires in about 14 days. Click OK, and then verify that all editing tools are disabled.
7. Close Microsoft Office Word, and log off from the 6426C-NYC-CL1 virtual machine.

Task 3: Open and edit the rights-protected document as an authorized user


1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Axel with the password Pa$$w0rd. Note that Axel is a member of the IT Admins group and should have editing access to the document.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Word 2010.
3. Click the File menu, and then click Open.
4. In the File name box, type \\NYC-DC1\templates\Protected.docx, and then click Open.

Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Axel and password Pa$$w0rd.

5. In the message box indicating that permission to the document is restricted, click OK. The document opens.
6. In the Confidential Projects bar, click View Permission. Notice that Axel has Editing permissions because he is a member of the IT Admins group, and then click OK.
7. Type Edited successfully by Axel in a new line.
8. Click the File menu, and then click Save.
9. Close Microsoft Office Word, and log off from the 6426C-NYC-CL1 virtual machine.



Exercise 5: Generating AD RMS Reports


Task 1: Install Microsoft Report Viewer
1. On the 6426C-NYC-SVR1 virtual machine, open Windows Explorer, and browse to \\NYC-DC1\x$\Labfiles\Mod06\.
2. Double-click ReportViewer.
3. Follow the wizard steps to complete the setup.
4. Click Finish to close the wizard, and then close Windows Explorer.

Task 2: View AD RMS Statistics reports


1. On the 6426C-NYC-SVR1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. Expand NYC-SVR1 (Local), expand Reports, and then click Statistics Reports.
3. View the statistics in the main window.

Task 3: View AD RMS System Health report


1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Reports, and then click System Health.
2. In the Actions pane, click View Report.
3. In the Create Report box, specify the query start and end dates, and then click Finish.

Task 4: View AD RMS Troubleshooting report


1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Reports, and then click Troubleshooting.
2. In the Actions pane, click View Report.
3. In the Create Report box, specify the query start and end dates, enter CONTOSO\Aaron for User Name, and then click Finish.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. Shut down the 6426C-NYC-DC1, 6426C-NYC-SVR1 and 6426C-NYC-CL1 virtual machines.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-NYC-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat these steps for 6426C-NYC-SVR1 and 6426C-NYC-CL1.

Module 7
Lab Answer Key: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Contents:
Exercise 1: Configuring CA Event Auditing
Exercise 2: Backing Up Active Directory Certificate Services
Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
Exercise 4: Configuring AD RMS Logging


Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
Apply the StartingImage snapshot for the 6426C-MIA-DC1 virtual machine.

Exercise 1: Configuring CA Event Auditing


Task 1: Enable the auditing of object access
1. Start the 6426C-MIA-DC1 virtual machine, and log on using the user name WOODGROVEBANK\Administrator and the password Pa$$w0rd.
2. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Group Policy Management.
3. Expand Forest: Woodgrovebank.com, expand Domains, expand Woodgrovebank.com, and then click Group Policy Objects.
4. Right-click the Default Domain Controllers Policy, and then click Edit.
5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Local Policies.
6. Click Audit Policy.
7. Right-click Audit object access, and then click Properties.
8. Select the Define these policy settings check box.
9. Under Audit these attempts, select the check boxes next to Success and Failure, and then click OK.
10. Close the Group Policy Management Editor and the Group Policy Management console.
11. Click Start, click All Programs, click Accessories, and then click Command Prompt.
12. In the Command Prompt window, type gpupdate /force, and then press ENTER.
13. Close the Command Prompt window.

Task 2: Enable CA auditing


1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certsrv - [Certification Authority (Local)] console, click WoodgrovebankCA.
3. On the Action menu, click Properties.
4. On the Auditing tab, in the Events to Audit section, select all 7 check boxes, and then click OK in the resulting Microsoft Active Directory Certificate Services message box.
5. Click OK to close the WoodgrovebankCA Properties box.
6. On the Action menu, point to All Tasks, and then click Stop Service to stop the service.
7. On the Action menu, point to All Tasks, and then click Start Service to start the service.
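A verification script for Tasks 1 and 2, added here as an example rather than taken from the Microsoft lab. It assumes an elevated PowerShell 2.0 or later session on the CA (6426C-MIA-DC1 in the lab) and reads the CA's AuditFilter registry value, whose seven bits correspond to the seven check boxes on the Auditing tab, then checks the effective audit policy with auditpol.exe.

```powershell
# Added example, not part of the Microsoft lab. Assumed: run elevated on the CA server.
# Each bit of AuditFilter is one check box on the CA's Auditing tab.
$AuditFlags = @{
    0x01 = 'Start and stop Active Directory Certificate Services'
    0x02 = 'Back up and restore the CA database'
    0x04 = 'Issue and manage certificate requests'
    0x08 = 'Change CA configuration'
    0x10 = 'Change CA security settings'
    0x20 = 'Store and retrieve archived keys'
    0x40 = 'Revoke certificates and publish CRLs'
}

function Get-CaAuditFilter {
    # The name of the active CA is stored in the 'Active' value; its settings live below it.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $filter = (Get-ItemProperty -Path "$cfg\$caName" -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
    if ($null -eq $filter) { $filter = 0 }   # no value at all means no CA events are audited
    New-Object PSObject -Property @{ CA = $caName; AuditFilter = [int]$filter }
}

function Test-CaAuditing {
    $ca = Get-CaAuditFilter
    "CA: $($ca.CA)  AuditFilter = 0x{0:X2}" -f $ca.AuditFilter
    $missing = @()
    foreach ($bit in ($AuditFlags.Keys | Sort-Object)) {
        $on = (($ca.AuditFilter -band $bit) -ne 0)
        $mark = '[ ]'; if ($on) { $mark = '[x]' }
        "$mark $($AuditFlags[$bit])"
        if (-not $on) { $missing += $AuditFlags[$bit] }
    }
    # AuditFilter alone is not enough: the CA only writes events when the 'Certification
    # Services' subcategory (under the Object Access policy set in Task 1) is enabled,
    # and the new filter is read when the service restarts (steps 6 and 7 above).
    $sub = auditpol.exe /get /subcategory:"Certification Services" /r | ConvertFrom-Csv
    $setting = $sub.'Inclusion Setting'
    "Audit policy for Certification Services: $setting"
    if ($missing.Count -eq 0 -and $setting -eq 'Success and Failure') {
        'OK: all seven CA audit events are enabled and will be written to the Security log.'
    } else {
        Write-Warning "Incomplete auditing. Missing CA flags: $($missing -join '; ')"
    }
}

Test-CaAuditing
```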


Exercise 2: Backing up Active Directory Certificate Services


Task 1: Schedule a task to perform CA backup
1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Task Scheduler.
2. In the Actions pane, click Create Task.
3. In the Create Task window, click the General tab, and then type CA Backup in the Name box.
4. Click Change User or Group.
5. In Select User or Group, type Woodgrovebank\Backup, and then click OK.
6. In the Multiple Names Found box, select Backup, and then click OK.
7. Select Run whether user is logged on or not.
8. Select Run with highest privileges.
9. On the Triggers tab, click New, click Daily, set the time to run (schedule it within the next five minutes), select the Enabled check box, and then click OK.
10. On the Actions tab, click New.
11. In the Program/script box, type certutil.
12. In the Add arguments (optional) box, enter -backup -p Pa$$w0rd C:\CAbackup, and then click OK.
13. In the Create Task box, click OK. When you are prompted for the credentials, enter Woodgrovebank\Backup and the password, Pa$$w0rd, and then click OK.
14. Click the Task Scheduler Library node. Wait for the task to start and complete the backup.
15. Confirm that the backup has completed successfully by viewing the contents of the C:\CAbackup folder and checking the task status. To view the task status, you will have to refresh the Task Scheduler console view.
16. Close Task Scheduler and log off from the 6426C-MIA-DC1 virtual machine.


Exercise 3: Backing up and Restoring an Active Directory Lightweight Directory Services Instance
Task 1: Use dsdbutil to back up the test1 AD LDS instance
1. On the 6426C-MIA-DC1 virtual machine, click Start, and then click Computer.
2. Double-click the C: drive, and then create a new folder in the root of C:\ named backup.
3. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
4. At the command prompt, type dsdbutil, and then press ENTER.
5. At the dsdbutil prompt, type activate instance test1, and then press ENTER.
6. At the dsdbutil prompt, type ifm, and then press ENTER.
7. At the ifm prompt, type create full c:\backup\test1, and then press ENTER. The backup will proceed. When complete, it will display the message IFM media created successfully in c:\backup\test1.
8. Type quit at the ifm prompt, and then press ENTER.
9. Type quit at the dsdbutil prompt, and then press ENTER.
10. Type exit, and then press ENTER to close the command prompt.

Task 2: Use dsdbutil to restore the test1 AD LDS instance backup


1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Services.
2. In the right pane, scroll until you locate the test1 service. Right-click the test1 service, and then click Stop.
3. Click Start, and then click Computer. Navigate to C:\Program Files\Microsoft ADAM\test1. Delete all of the files in the data folder.
4. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
5. At the command prompt, run the xcopy /os c:\backup\test1\adamntds.dit "C:\Program Files\Microsoft ADAM\test1\data\adamntds.dit" command. If you are prompted to choose whether the path represents a file or a directory, enter F for file.
6. Click Start, point to Administrative Tools, and then click Services.
7. In the right pane, scroll until you locate the test1 service.
8. Right-click the test1 service, and then click Start.
9. Upon successful startup of the test1 service, the AD LDS instance is now running from the restored backup.
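Tasks 1 and 2 of this exercise as two PowerShell functions, added here as an example (not the Microsoft lab's own code). Assumptions: an elevated session on the AD LDS host, an instance whose display name is test1 (the underlying service name is ADAM_test1), and the lab's backup and data paths; dsdbutil.exe is driven non-interactively by passing the same commands the lab types as arguments.

```powershell
# Added example, not part of the Microsoft lab. Assumed: elevated session on the AD LDS
# host, instance display name 'test1', paths as used in the lab.

function Backup-AdLdsInstance {
    param([string]$Instance = 'test1', [string]$Target = 'C:\backup\test1')
    # IFM refuses to write into an existing folder, so fail early with a clear message.
    if (Test-Path $Target) { throw "Target '$Target' already exists; IFM needs a new folder." }
    # Each quoted argument is one dsdbutil command, in the order the lab types them.
    $out = & dsdbutil.exe "activate instance $Instance" 'ifm' "create full $Target" 'quit' 'quit' 2>&1
    if (-not (($out | Out-String) -match 'IFM media created successfully')) {
        throw "IFM backup failed:`n$($out | Out-String)"
    }
    # The database file that the restore copies back (as in Task 2, step 5).
    Get-Item (Join-Path $Target 'adamntds.dit')
}

function Restore-AdLdsInstance {
    param([string]$Instance = 'test1',
          [string]$Backup   = 'C:\backup\test1\adamntds.dit',
          [string]$DataDir  = "C:\Program Files\Microsoft ADAM\$Instance\data")
    if (-not (Test-Path $Backup)) { throw "Backup file '$Backup' not found." }
    # The service is found by display name; it holds the database open and must be stopped.
    $svc = Get-Service -DisplayName $Instance
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    # Same as the lab's manual steps: clear the data folder, then copy the backed-up
    # database in. The copy inherits the data folder's ACL, which the instance already uses.
    Remove-Item -Path (Join-Path $DataDir '*') -Force
    Copy-Item -Path $Backup -Destination (Join-Path $DataDir 'adamntds.dit')
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Get-Service -DisplayName $Instance   # Status 'Running' means the restored copy is in use
}

# Usage:
# Backup-AdLdsInstance
# Restore-AdLdsInstance
```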


Exercise 4: Configuring AD RMS Logging


Task 1: Enable logging for the cluster
1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. In the Active Directory Rights Management Services console, expand the mia-dc1.woodgrovebank.com (Local) cluster.
3. Right-click the mia-dc1.woodgrovebank.com (Local) cluster, and then click Properties.
4. On the Logging tab, ensure that the Enable Logging check box is selected, and then click OK. Close the Active Directory Rights Management Services console.

Task 2: Limit disk space usage for message queuing


1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Server Manager.
2. Expand Features, expand Message Queuing, and then click Private Queues.
3. Right-click drms_logging_mia_dc1_woodgrovebank_com_80, click Properties, select the Limit message storage to (KB) check box, type 1024000, and then click OK.

Note: Message Queuing stores all queued messages up to the limit of the free storage space. If all of the available disk space is used, the AD RMS server will not be able to service any client requests.

4. Close Server Manager.
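The same queue limit applied and audited through the System.Messaging API, as an added PowerShell example that is not part of the Microsoft lab. It assumes an elevated session on the AD RMS server with the Message Queuing feature installed; MaximumQueueSize is in KB, the same unit as the Limit message storage to (KB) box, and the special value InfiniteQueueSize means no limit at all.

```powershell
# Added example, not part of the Microsoft lab. Assumed: elevated session on the AD RMS
# server (6426C-MIA-DC1 in the lab) with Message Queuing installed.
Add-Type -AssemblyName System.Messaging

# 4294967295: the queue may grow until the disk is full, the condition the Note above warns about.
$InfiniteQueueSize = [System.Messaging.Message]::InfiniteQueueSize

function Get-PrivateQueueLimits {
    # Lists every private queue on this machine and flags the ones with no storage cap.
    foreach ($q in [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.')) {
        $unbounded = ($q.MaximumQueueSize -eq $InfiniteQueueSize)
        $limit = $q.MaximumQueueSize; if ($unbounded) { $limit = 'unlimited' }
        New-Object PSObject -Property @{
            Queue     = $q.QueueName
            LimitKB   = $limit
            Unbounded = $unbounded
        }
    }
}

function Set-PrivateQueueLimit {
    param([Parameter(Mandatory=$true)][string]$QueueName, [long]$LimitKB = 1024000)
    # Private queues are addressed as .\private$\<name>.
    $path = ".\private$\$QueueName"
    if (-not [System.Messaging.MessageQueue]::Exists($path)) { throw "Queue '$path' not found." }
    $q = New-Object System.Messaging.MessageQueue $path
    $q.MaximumQueueSize = $LimitKB       # same setting as the Properties dialog in step 3
    $q.Refresh()                         # re-read queue properties to confirm the change
    New-Object PSObject -Property @{ Queue = $q.QueueName; LimitKB = $q.MaximumQueueSize }
}

# Report queues that could fill the disk, then cap the AD RMS logging queue at the lab's value.
Get-PrivateQueueLimits | Where-Object { $_.Unbounded } | Format-Table Queue, LimitKB -AutoSize
Set-PrivateQueueLimit -QueueName 'drms_logging_mia_dc1_woodgrovebank_com_80'
```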

To reset the virtual machine


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. Shut down the 6426C-MIA-DC1 virtual machine.
2. On the host computer, start Hyper-V Manager.
3. Right-click 6426C-MIA-DC1 in the Virtual Machines list, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
