Sep 02

Windows Server 2012 R2 (70-412) Identity and Access Solutions – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course covers the Identity and Access Solutions objectives: installing and configuring Active Directory Certificate Services, managing certificates, installing and configuring AD Rights Management Services, and implementing AD Federation Services (Workplace Join).

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through TechNet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and cmdlets are in purple. I have a few notes with “DEMO” each time the training included a DEMO, just so you can see how many demos there were, which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer, contact info at the end.

 

  1. Install and Configure AD Certificate Services. Essentially setting up an internal certificate trust that mirrors, and can remove the need for, certificates bought from commercial CAs (Verisign, etc.).
    1. Install an Enterprise Certificate Authority
      1. The “issuing CA” creates the actual cert files. The issuing CA’s own certificate is signed by the Policy CA, whose certificate is signed by the Root CA (a two- or three-tier hierarchy).
      2. Root is typically standalone and kept offline. Policy CA is standalone or enterprise, typically online. Issuing CA is typically enterprise and online.
      3. Issuing CA is the one doing all the day to day work.
      4. Install the Certification Authority ROLE service, and the Online Responder ROLE service
        1. optional web enrollment pieces, or you can use the console to manage
      5. Post install configuration: “Configure Active Directory Certificate Services”. A standalone CA requires membership in the local Administrators group; an enterprise CA requires Enterprise Admins, because its certificate and templates are published in AD.
      6. Decide what TYPE of CA you’re installing (enterprise or standalone, root or subordinate).
      7. Choose a NAME for the CA, usually a combination of server name and domain name. Choose the validity period of the CA certificate (default = 5 years). Both end up in every cert it issues, so they are hard to change later.
      8. Certificate Templates – basic templates are provided; when a request fills a template in with specific information the CA creates the actual certificate. Some templates are “available for issue” by default, then there are dozens of additional ones that are not available for issue until you enable them.
      9. refresh GP, then the root cert is distributed through AD. Certs issued by the CA are automatically trusted by any computer in the domain.
      10. from a client, open the Certificates console and choose “request a new certificate”; it enrolls automatically against the enterprise CA.
    2. Configure CRL (certificate revocation list) Distribution Points
      1. needed when a cert must be invalidated before it expires: termination, employee leaving, new job responsibilities, key compromise, etc.
      2. The CRL location (CRL Distribution Point) shows up in the “Details” tab on the actual cert
      3. set up CRL Distribution Point locations BEFORE passing out certs, because the URL is written into each issued certificate
      4. you can’t delete entries from the CRL while the cert is still within its validity period (revocation is permanent, except for the “Certificate Hold” reason). Think about it, that makes sense. But when the list gets really long, delta CRLs and an Online Responder (OCSP) make the revocation checks faster.
    3. Install and Configure Online Responder
      • Configure the Online Responder, which also needs a cert of its own, from the OCSP Response Signing template
      • Revocation Configuration for the Online Responder (which CA it answers for, and which signing cert it uses)
      • Online responder downloads a copy of the CRL and answers per-certificate status queries from it
      • enter the URL for the Online Responder in the CA’s Authority Information Access (AIA) extension (CA properties, Extensions tab), and again have this set up prior to issuing any certs, because the URL is written into each cert and you would have to reissue them all.
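The whole of sections 1.1 to 1.3 from the command line, as an added example that is not part of the course: install the CA and Online Responder role services, configure the CA, set the CDP, AIA and OCSP URLs before any certificate is issued, set the CRL schedule, and publish the first CRL. Host names (CA01.corp.example.com, pki.corp.example.com), the CA name and the paths are assumptions for the example.

```powershell
# Added example (not from the course): build an Enterprise Root CA plus Online Responder
# and set the CDP/AIA/OCSP URLs *before* issuing any certificates.
# Assumed names: CA01.corp.example.com (CA host), pki.corp.example.com (HTTP CDP/AIA host),
# "Corp-Issuing-CA" (CA common name). Run elevated as an Enterprise Admin on CA01.
Import-Module ServerManager

# 1. Role services: the CA itself and the Online Responder (OCSP)
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# 2. Post-install configuration: CA type, name, key/hash, validity period.
#    Name and validity period are baked into every cert this CA issues.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Corp-Issuing-CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. CDP: drop the default LDAP/HTTP entries, keep the local file publish location, and add
#    one HTTP URL that goes into the CRL Distribution Points extension of every cert.
#    The <...> tokens are expanded by the CA (CA name, CRL suffix, delta marker).
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://*' -or $_.Uri -like 'ldap://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint `
    -Uri 'http://pki.corp.example.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# 4. AIA: where clients fetch the CA cert, plus the Online Responder URL. The OCSP URL
#    belongs in the AIA extension (access method OCSP), not in the certificate templates.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://*' -or $_.Uri -like 'ldap://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess `
    -Uri 'http://pki.corp.example.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess -Uri 'http://CA01.corp.example.com/ocsp' -AddToCertificateOcsp -Force

# 5. CRL schedule: weekly base CRL, daily delta CRL (the defaults the course mentions)
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'

# Extension and registry changes only take effect after a service restart; then publish a CRL
Restart-Service certsvc
certutil -CRL

# 6. Online Responder role service. The revocation configuration (which CA it answers for,
#    enrolling it for an OCSP Response Signing cert) is finished in the Online Responder console.
Install-AdcsOnlineResponder -Force

# Verify what will end up inside issued certificates
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp
```

The HTTP CDP/AIA host is deliberately a separate name from the CA: that web server can be reached from outside the domain (and from non-domain devices, which matters again for AD FS later) without exposing the CA itself, and it can be moved without reissuing certificates.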
    4. Implement Administrative Separation
      1. Principle of Least Privilege
      2. Read this TechNet article on Role Based Administration
      3. In the Security tab of the CA properties, assign the CA roles (CA Administrator, Certificate Manager, Auditor, Backup Operator) to separate groups
      4. one additional command, from an elevated prompt: certutil -setreg ca\RoleSeparationEnabled 1, then restart the CA service. Caveat: once role separation is enabled, any account that holds more than one CA role is denied ALL CA operations, so check group memberships first. https://technet.microsoft.com/en-us/library/Cc782357(v=WS.10).aspx
    5. Configure CA Backup and Recovery
      1. right click the CA, All Tasks, Back Up CA; recommended to check both the private key/CA certificate and the certificate database and log (checkboxes)
      2. certutil -backup can also do backups (the old way)
      3. now of course PS Backup-CARoleService (and Restore-CARoleService for the other direction)
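A scripted CA backup that also captures what the GUI backup leaves out, with the matching restore steps. This is an added example, not something from the course; the backup path and the assumption that the CA role is already installed on the rebuilt server are mine.

```powershell
# Added example (not from the course): scheduled CA backup plus the configuration the
# database backup does not contain, and the matching restore. Run elevated on the CA
# as a holder of the Backup Operator (or CA Administrator) role. Assumed path: D:\CABackup.
$backupRoot = Join-Path 'D:\CABackup' (Get-Date -Format 'yyyyMMdd')
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Never hard-code the PFX password; prompt for it (or pull it from a vault)
$pfxPassword = Read-Host -Prompt 'Password to protect the CA private key' -AsSecureString

# 1. CA certificate + private key (as PFX) and the certificate database with its logs
Backup-CARoleService -Path $backupRoot -Password $pfxPassword -Force

# 2. The CA configuration is NOT in the database: CDP/AIA URLs, CRL periods,
#    role separation flag, audit filter... they live in the registry
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $backupRoot 'CertSvcConfiguration.reg') /y

# 3. Which templates the CA is enabled to issue, and CAPolicy.inf if present
certutil -catemplates | Out-File (Join-Path $backupRoot 'catemplates.txt')
if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
    Copy-Item "$env:SystemRoot\CAPolicy.inf" $backupRoot
}

# 4. Manifest for the restore runbook
Get-ChildItem -Recurse $backupRoot |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $backupRoot 'manifest.csv') -NoTypeInformation

# --- Restore on a rebuilt server with the same CA name (CA role service installed) ---
# Stop-Service certsvc
# Restore-CARoleService -Path $backupRoot -Password $pfxPassword -Force   # key + database
# reg import "$backupRoot\CertSvcConfiguration.reg"                        # configuration
# Start-Service certsvc
# Get-Content "$backupRoot\catemplates.txt"   # re-enable each with: certutil -SetCATemplates +<Name>
```

Treat the output folder like the CA key itself: the PFX inside it is the root of trust for the whole domain, so restrict the folder ACL and move the backup off the CA host.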
  2. Manage Certificates
    1. Enrolling for Certificates
      1. instead of “find cert” start with “request”
      2. From IIS, you can create request and complete request from wizard on the right side of IIS.
      3. Example using a PS code signing certificate
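The code-signing walkthrough from the course (request a cert, sign a script, check the signature) as an added example in PowerShell rather than the Certificates MMC; this is not course material. The template name CorpPSCodeSigning and the timestamp server URL are assumptions: the template is assumed to be a duplicate of the built-in Code Signing template, published for issue and granting the user Enroll.

```powershell
# Added example (not from the course): enroll for a code-signing cert from the enterprise
# CA with the PKI module, sign a script with it, verify, and show what tampering does.
# Assumed template: 'CorpPSCodeSigning'. Run as the enrolling domain user.

# 1. Enroll: Get-Certificate uses the AD enrollment policy to find the enterprise CA
$enrollment = Get-Certificate -Template 'CorpPSCodeSigning' -CertStoreLocation Cert:\CurrentUser\My
if ($enrollment.Status -ne 'Issued') {
    # 'Pending' means the template requires CA certificate manager approval;
    # once approved, finish with: Get-Certificate -Request $enrollment.Request
    throw "Enrollment status: $($enrollment.Status)"
}
$cert = $enrollment.Certificate

# 2. Check the EKU before trusting the cert for signing (Code Signing = 1.3.6.1.5.5.7.3.3);
#    the usage is baked into the template, so a wrong template shows up here
$hasCodeSigningEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' }
if (-not $hasCodeSigningEku) { throw 'Certificate does not carry the Code Signing EKU' }

# 3. Sign a script. The timestamp lets the signature stay valid after the cert expires.
$script = Join-Path $env:TEMP 'Hello.ps1'
Set-Content -Path $script -Value 'Write-Output "Hello from a signed script"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 4. Verify: Status is Valid only if the chain builds to a trusted root (the enterprise
#    root distributed through AD) and the file is unchanged since signing
$sig = Get-AuthenticodeSignature -FilePath $script
'{0}: {1} ({2})' -f (Split-Path $script -Leaf), $sig.Status, $sig.SignerCertificate.Subject

# 5. Tamper with the file and re-check: the hash no longer matches the signature
Add-Content -Path $script -Value '# tampered'
(Get-AuthenticodeSignature -FilePath $script).Status

# With the AllSigned execution policy only scripts with a valid signature from a
# trusted publisher will run:
# Set-ExecutionPolicy AllSigned -Scope CurrentUser
```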
    2. Manage Certificate Templates
      (screenshot: Certificate Template tabs)
      1. right click / manage, see “code signing certificate”
      2. copy (“Duplicate Template”) the template, then modify the new duplicate for use; never edit the built-in ones
      3. “Publish certificate in Active Directory” checkbox
      4. compatibility settings (CA and recipient OS level; newer levels unlock newer options like KSP key storage)
      5. choose encryption, signature, or both (purpose, on Request Handling)
      6. auto renewal generates a new key pair unless “Renew with the same key” is enabled
      7. WHAT this cert is going to be used for (the Extended Key Usage) is baked into the template. For this example, signing PS scripts, this is “Code Signing”
      8. “Subject Name” is usually the FQDN of the web server. In this case, we build it from the user’s AD name for our PS signing cert.
      9. you can require CA certificate manager approval or a number of authorized signatures before a cert is issued (Issuance Requirements tab)
      10. Security tab: Read, Enroll, Autoenroll. Grant Enroll/Autoenroll only to the group that should actually get this cert.
    3. Implement and Manage Certificate Deployment, Validation and Revocation
      1. now that the template is created, we talk about deployment, validation and revocation
      2. now you have to right click on Certificate Templates under the CA, choose New > Certificate Template to Issue and pick the newly created template. Until you do, the CA will not issue it.
      3. revoke a certificate from a right click on the issued cert. This is PERMANENT and not reversible, with one exception: the “Certificate Hold” reason is a temporary hold that can be undone.
      4. force a CRL update by right-clicking Revoked Certificates, All Tasks, “Publish CRL”
      5. defaults: new base CRL once a week, new delta CRL once a day. Clients keep using a cached CRL until its next update time, so a revocation is not immediately effective everywhere.
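The issue / revoke / publish cycle of section 2.3 from the command line, plus the revocation check a client actually performs. Added example, not from the course; the CA config string, template name and the exported certificate file jdoe.cer are assumptions.

```powershell
# Added example (not from the course): enable a template for issue, revoke one of its
# certificates, publish the CRL, and check revocation the way a client does.
# Assumed: CA 'CA01.corp.example.com\Corp-Issuing-CA', template 'CorpPSCodeSigning',
# and jdoe's cert exported to .\jdoe.cer. Run as a Certificate Manager.
$caConfig = 'CA01.corp.example.com\Corp-Issuing-CA'

# 1. Equivalent of "New > Certificate Template to Issue"
certutil -config $caConfig -SetCATemplates +CorpPSCodeSigning

# 2. List the issued certs from that template (Disposition 20 = issued, 21 = revoked)
certutil -config $caConfig -view -restrict 'CertificateTemplate=CorpPSCodeSigning,Disposition=20' `
    -out 'RequestID,SerialNumber,RequesterName,NotAfter'

# The serial number is what the CA revokes by; take it from the cert itself
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path .\jdoe.cer)
$serial = $cert.SerialNumber

# 3. Revoke with an explicit reason code:
#    0 Unspecified, 1 KeyCompromise, 2 CACompromise, 3 AffiliationChanged, 4 Superseded,
#    5 CessationOfOperation, 6 CertificateHold (the only reversible one; undo with reason -1)
certutil -config $caConfig -revoke $serial 3

# 4. Publishing is a separate step. Until a new CRL is published AND clients fetch it
#    (they cache the old one until its NextUpdate), the revoked cert still validates.
certutil -config $caConfig -CRL          # new base CRL and delta CRL
# certutil -config $caConfig -CRL delta  # delta only, between the weekly base CRLs

# 5. Client-side check: build the chain and fetch the CRL/OCSP URLs embedded in the cert.
#    -f forces a fresh fetch instead of the local cache; look for the revocation result.
certutil -f -urlfetch -verify .\jdoe.cer | Select-String 'Revocation|CRL|OCSP|Cert is'
```

Step 5 is also the quickest way to prove the CDP and AIA URLs from section 1.2 are right: if the HTTP fetch fails, every client will treat the chain as "revocation status unknown".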
    4. Configure and Manage Key Archival and Recovery
      1. key archival is off by default; it has to be enabled on the CA (Recovery Agents tab) and per template (Request Handling, “Archive subject’s encryption private key”)
      2. when enabled, the CA stores an encrypted copy of the user’s private key in its own database; the KRA certificates are what gets published in AD
      3. a KRA (Key Recovery Agent) cert holder can decrypt and recover the archived keys
      4. copy and modify the Key Recovery Agent certificate template, then make it available for issue
      5. then you “enroll” for the KRA certificate and add it on the CA’s Recovery Agents tab
      6. two commands to recover, run by two different roles
        1. PS certutil -GetKey (certificate manager: pulls the encrypted blob out of the CA database)
        2. certutil -RecoverKey (key recovery agent: decrypts the blob with the KRA private key into a PFX)
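The two-step recovery from section 2.4 as an added example (not part of the course), showing why the split across two roles is the security-relevant point: the certificate manager can retrieve the blob but cannot read it, and the KRA can decrypt it but cannot pull it from the CA. CA name, user and file names are assumptions.

```powershell
# Added example (not from the course): recover an archived private key.
# Assumed: CA 'CA01.corp.example.com\Corp-Issuing-CA', archival enabled on the CA and on
# the template, user jdoe@corp.example.com whose EFS key was archived.
# Step 1 runs as a Certificate Manager on the CA; step 2 runs where the KRA cert and
# its private key live (ideally a separate, locked-down workstation).
$caConfig = 'CA01.corp.example.com\Corp-Issuing-CA'

# 1. Certificate manager: find the archived request(s) for jdoe, then pull the blob.
#    The blob is encrypted to the KRA public key; the CA and the manager cannot read it.
certutil -config $caConfig -view -restrict 'RequesterName=CORP\jdoe' `
    -out 'RequestID,SerialNumber,CertificateTemplate,NotAfter'
# The search token can be a UPN, serial number or subject key identifier; if more than
# one key matches, certutil lists them and you must narrow the token (e.g. a serial).
certutil -config $caConfig -GetKey 'jdoe@corp.example.com' .\jdoe-recovery.blob

# 2. Key Recovery Agent: decrypt the blob with the KRA private key into a PFX.
#    certutil -p needs the password in clear, so keep it in memory only as long as needed.
$pfxPassword = Read-Host -Prompt 'Password for the recovered PFX' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
try {
    certutil -p $plain -RecoverKey .\jdoe-recovery.blob .\jdoe-recovered.pfx
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain
}

# 3. Hand the PFX to the user over a safe channel; they import it into their own store
Import-PfxCertificate -FilePath .\jdoe-recovered.pfx `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# 4. Make sure recoveries are auditable: on the CA, Properties > Auditing, enable
#    "Store and retrieve archived keys" (plus the Audit Object Access policy on the server)
```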
    5. Manage Certificate Renewal
      1. manual renewal without GPO
      2. in the Certificate Templates console, right click on the template, “Reenroll All Certificate Holders”. This bumps the template version so autoenrolled clients re-enroll at their next policy refresh.
    6. Manage Certificate Enrollment and Renewal to Computers and Users using Group Policy
      1. to auto populate our PS code signing certificate, assigned to our IT group
      2. GPMC, new GPO
      3. user side: User Configuration / Policies / Windows Settings / Security Settings / Public Key Policies
        1. Certificate Services Client – Certificate Enrollment Policy (the AD enrollment policy)
        2. Certificate Services Client – Auto-Enrollment: Enabled
        3. also tick “renew expired certificates, update pending certificates and remove revoked certificates” and “update certificates that use certificate templates”; optionally log expiry events
        4. auto renewal happens when 80% of the cert’s lifetime has elapsed or when the template’s renewal period is reached, whichever comes first
      4. testing on a machine: log in, GP runs, check the user’s Personal store for the PS signing cert (certutil -pulse triggers autoenrollment right away instead of waiting)
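The GPO from section 2.6 built with the GroupPolicy module instead of GPMC clicks, then the client-side check, as an added example (not from the course). The GPO name, the OU and the template name are assumptions; the registry value behind the “Auto-Enrollment: Enabled” setting is what the GUI writes.

```powershell
# Added example (not from the course): create and link the user autoenrollment GPO,
# then trigger and verify enrollment on a client.
# Assumed: domain corp.example.com, OU "OU=IT,DC=corp,DC=example,DC=com", template
# 'CorpPSCodeSigning' with Autoenroll granted to the IT group. Run as a GPO admin.
Import-Module GroupPolicy

$gpo = New-GPO -Name 'PKI - User Autoenrollment' -Comment 'Auto-enroll users for certificates'

# "Certificate Services Client - Auto-Enrollment: Enabled" with both checkboxes is the
# AEPolicy value under the user Cryptography policy key:
#   1 = enabled, +2 = renew expired / update pending / remove revoked, +4 = update templates
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Link it where the IT users live; nothing happens until the link exists
New-GPLink -Name $gpo.DisplayName -Target 'OU=IT,DC=corp,DC=example,DC=com' -LinkEnabled Yes | Out-Null

# --- On the client, as an IT user, after the GPO is linked ---
gpupdate /target:user /force
certutil -user -pulse     # kick autoenrollment now instead of waiting for the next refresh

# Find autoenrolled code-signing certs: template extension present + Code Signing EKU
$signingCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')
}
foreach ($c in $signingCerts) {
    # Renewal fires at 80% of lifetime (or the template renewal period, if sooner)
    $lifetime = $c.NotAfter - $c.NotBefore
    $renewAt  = $c.NotBefore.AddTicks([long]($lifetime.Ticks * 0.8))
    '{0}  expires {1:d}  auto-renews from {2:d}' -f $c.Subject, $c.NotAfter, $renewAt
}

# Why did it (not) enroll? The client keeps a per-user autoenrollment log
Get-WinEvent -LogName 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational' `
    -MaxEvents 10 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -Wrap
```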
    7. Configure and Enroll a Hyper-V Replica Certificate
      1. If you enable replication in Hyper-V and choose certificate-based authentication (HTTPS, so traffic is encrypted), it errors because the host has no cert with the required usages: Server Authentication and Client Authentication
      2. copy (“Duplicate Template”) the “Computer” template and rename it
      3. then make it available for issue and enroll the Hyper-V hosts for it
      4. now when you go back to Hyper-V Manager the cert shows up in the certificate picker
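What section 2.7 ends up enabling, as an added example (not from the course): enroll each host for the duplicated Computer template, check the cert really carries both EKUs Hyper-V Replica needs, and turn on certificate-authenticated replication on both sides. Template name, host names, VM name and storage path are assumptions.

```powershell
# Added example (not from the course): certificate-based (HTTPS) Hyper-V Replica.
# Assumed: template 'HyperVReplica' (duplicate of Computer), hosts HV1 (primary) and
# HV2 (replica), VM 'FileSrv01'. Run elevated on each host; $replicaCert is that host's own cert.

# Enroll this host in the machine context
$replicaCert = (Get-Certificate -Template 'HyperVReplica' -CertStoreLocation Cert:\LocalMachine\My).Certificate

# Hyper-V Replica needs BOTH usages: Server Authentication and Client Authentication.
# A template that only carries one of them is what produces the error in the wizard.
$required = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
$missing  = $required | Where-Object { $replicaCert.EnhancedKeyUsageList.ObjectId -notcontains $_ }
if ($missing) { throw "Certificate lacks EKU(s): $($missing -join ', ')" }

# --- On HV2 (replica server): accept certificate-authenticated replication on 443 ---
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Certificate `
    -CertificateAuthenticationPort 443 `
    -CertificateThumbprint $replicaCert.Thumbprint `
    -ReplicationAllowedFromAnyServer $false
# Allow only the named primary; don't open the listener to every host that has a cert
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'HV1.corp.example.com' `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Corp'
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# --- On HV1 (primary): enable replication of the VM with certificate auth ---
Enable-VMReplication -VMName 'FileSrv01' -ReplicaServerName 'HV2.corp.example.com' `
    -ReplicaServerPort 443 -AuthenticationType Certificate `
    -CertificateThumbprint $replicaCert.Thumbprint
Start-VMInitialReplication -VMName 'FileSrv01'
Get-VMReplication -VMName 'FileSrv01' | Format-List VMName, State, Health, ReplicaServer
```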
  3. Install and Configure AD Rights Management Services
    1. Install a Licensing or Certificate AD RMS Server
      1. RMS servers are referred to as a “cluster”, just meaning one or more servers behind one URL. You can also do a single server cluster. You need to be Enterprise Admin to complete this setup (registering the Service Connection Point in AD).
      2. If you go to a document on File Server, you go to “protect document” then  “restrict access” to connect to RMS and “get templates”. Will error if you have no RMS set up.
      3. Install Active Directory Rights Management Server ROLE.
      4. Post install configuration is required (yellow alert top right of Server Manager)
      5. RMS identifies users by the email field in AD properties (General / E-mail). Even if you don’t have email in reality, it pulls from that field, so it must be populated for users and for any group you grant rights to.
      6. Store the RMS Cluster Key (keep this; you need it to add servers and to restore), its password, and choose the website.
      7. For the cluster URL, use a CNAME instead of the server FQDN so you can repoint it if the hardware changes. The URL is embedded in every protected document and cannot be changed after installation.
    2. Manage AD RMS Service Connection Point
    3. Manage RMS Templates
      1. Rights Policy Templates determine what/how you are going to offer to your users.
      2. example; content that Finance group needs to protect
      3. Name policy “Finance Protected Content”, add description.
      4. Tied to the email associated with the Finance security group (the group needs a mail attribute), and you choose what its members can do. Lots of rights / actions, and you can create custom ones as well: view / edit / save / print / export (save as) / forward, etc.
      5. you can disallow client side caching; users would then have to be online (able to reach the cluster) to open the content
      6. define the revocation policy: revoking through it removes the ability to consume content protected with that template, and you provide a URL where the revocation list is published.
    4. Configure Exclusion Policies
      1. you can exclude old “lockbox” versions (the RMS client component) so outdated clients cannot obtain licenses, which is pretty bizarre, read about it on the link. Exclusion policies also exist for user accounts and for application versions.
    5. Backup and Restore AD RMS
      1. what do you have to include in backups?
      2. Configuration DB, directory services DB, logging DB. These live either in SQL Server or in the Windows Internal Database. The internal database can only be protected with a full server backup, so from a backup perspective it’s better to use SQL Server.
      3. the server licensor certificate (SLC) needs to be backed up
      4. cluster key password
      5. export the trusted publishing domain (TPD), which packages the SLC and its private key
  4. Implement AD Federation Services – focus seems to be on Workplace Join
    1. Configure Workplace Join
      1. understanding Federation
        1. Traditionally, access is controlled by a user ID and password, or by AD permissions.
        2. Federation is used when access needs to be provided to users OUTSIDE of your domain (partner, merger, acquisition, etc.) without giving them accounts in it.
        3. Federation servers handle the federation process between organizations. They are a kind of bridgehead or gateway for the access request/granting. They do this by issuing signed “claims” (statements about the user) inside a security token.
        4. Relying Party (the side that consumes claims to grant access to an application) and Claims Provider (the side that authenticates the user and issues the claims). As the application owner we are the relying party; the partner’s federation service is the claims provider.
        5. This is set up with a pair of Trusts, one in each direction: a Claims Provider Trust on the relying party side and a Relying Party Trust on the claims provider side.
      2. Think also of BYOD situations with non-domain-joined devices. Workplace Join registers the device itself as an object in AD, so it can be used as a second factor in authentication decisions.
      3. Typically connect through Web Application Proxy (not on the 412 test)
      4. Settings / Network / Workplace is where you see it, on the client device, not the server.
      5. Create a Group Managed Service Account (gMSA) for the AD FS service.
      6. Create a certificate for AD FS
        1. Domain Computers needs Enroll permission on the template
        2. Enroll from your AD FS server
        3. This will require entering additional information to enroll the cert: the federation service name as the subject and as a DNS name, etc.
        4. For non-domain devices, it’s a lot easier if you use a public cert: they don’t trust your internal root, and they need to reach the CRL, which must be accessible to non-domain users on the internet.
    2. Install AD FS
      1. Now create AD FS: create the first server in a federation server farm.
        1. select the SSL cert
        2. name it (the federation service name must match the cert), add a display name
        3. specify the service account (use an existing account, the gMSA)
        4. SQL Server or Windows Internal Database.
        5. finalize the wizard. The farm is now up; the Relying Party Trusts and Claims Provider Trusts are configured afterwards in the console.
    3. Implement Claims based Authentication including Relying Party Trusts
      1. in AD FS console, look under Relying Party Trusts to see the claims options.
    4. Configure Authentication Policies
      1. from PowerShell
        1. Initialize-ADDeviceRegistration (creates the Device Registration Service configuration in AD), then Enable-AdfsDeviceRegistration
      2. Back in the console, enable device authentication in the global authentication policy
      3. The same policy also picks the primary method per network: “Windows Authentication” for the intranet instead of Forms-based, or other options.
    5. Configure Multi Factor Authentication
      1. This is an Authentication Policy in the console
      2. MFA can be required per user/group, for registered/unregistered devices, and for intranet/extranet locations
      3. now test Workplace Join from the desktop. You just click “join” and it’s joined. The button changes from “join” to “leave”.
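Sections 4.1 to 4.5 as one PowerShell run on the first farm server, as an added example (not course material): gMSA, farm install, Device Registration Service, global authentication policy, and an MFA rule that requires a second factor for extranet logons from devices that are not workplace-joined. The federation service name, gMSA name, server name and the choice of certificate authentication as the second factor are assumptions.

```powershell
# Added example (not from the course): first AD FS 2012 R2 farm node with a gMSA,
# Workplace Join (Device Registration Service), authentication policy, and MFA rule.
# Assumed: federation service adfs.corp.example.com, server ADFS01, gMSA CORP\fsgmsa$,
# an SSL cert in LocalMachine\My with subject CN=adfs.corp.example.com.
# Run elevated as Enterprise Admin on ADFS01.
Import-Module ActiveDirectory

# 0. gMSA. A KDS root key must exist; -EffectiveTime back-dates it so a lab need not wait 10h
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null }
New-ADServiceAccount -Name fsgmsa -DNSHostName adfs.corp.example.com `
    -ServicePrincipalNames 'http/adfs.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS01$'

# 1. Pick the SSL cert by subject rather than hard-coding a thumbprint
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=adfs.corp.example.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) { throw 'No SSL certificate for adfs.corp.example.com in LocalMachine\My' }

# 2. First farm node, Windows Internal Database (omit -SQLConnectionString)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $sslCert.Thumbprint `
    -FederationServiceName 'adfs.corp.example.com' `
    -FederationServiceDisplayName 'Corp Sign-In' `
    -GroupServiceAccountIdentifier 'CORP\fsgmsa$'

# 3. Device Registration Service for Workplace Join: objects in AD first, then the endpoint
Initialize-ADDeviceRegistration -ServiceAccountName 'CORP\fsgmsa$'
Enable-AdfsDeviceRegistration

# 4. Global authentication policy: device authentication on, Windows auth for the
#    intranet (with forms as fallback), forms only from the extranet
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true `
    -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication', 'FormsAuthentication' `
    -PrimaryExtranetAuthenticationProvider 'FormsAuthentication'

# 5. MFA. AD FS needs a registered additional provider (certificate auth is built in);
#    the rule then demands it only for extranet requests from unregistered devices.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'CertificateAuthentication'
$mfaRule = @'
c1:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] &&
c2:[type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ways/2012/10/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Verify
Get-AdfsGlobalAuthenticationPolicy |
    Format-List DeviceAuthenticationEnabled, Primary*, AdditionalAuthenticationProvider
Get-AdfsDeviceRegistration
```

The insidecorporatenetwork claim is only trustworthy if it is set by your own AD FS or Web Application Proxy, which is why the extranet path should come in through the proxy rather than by publishing the federation server directly.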