Friday, May 30, 2014

Active Directory Certificate Services and Public Key Infrastructure in Server 2008.

In this class
* Let's talk security
* Lions and tigers and keys and certificates
* Respect my authority

* Security in networks is a huge area, but a good place to start is by using Certificate Services as a way to:
- Encrypt data files (EFS)
- Encrypt remote communications (SSL/TLS, IPsec, VPN)
- Secure email (S/MIME signing and encryption)
- Secure logons with smart cards
- Secure servers with Network Access Protection (NAP can require a health certificate)
- Protect data from tampering (digital signatures)

So, that's neat and all, but what is a certificate?
* A certificate is a file that contains:
- A public key (used to encrypt to the holder or to verify the holder's signatures; the matching private key never leaves the holder)
- A digital signature from the issuing CA, so anyone can verify that the certificate hasn't been altered and really came from that CA
- A name (the subject), which can refer to a person, a computer or an organization
- A validity period (not-before and not-after dates)
- The location where revocation information is published (a CRL distribution point, usually a URL)

* It's used both to encrypt files and communications and to prove identity.
* A certificate is issued and signed by a certificate authority (that's a CA if you're cool) using the CA's own private key. The CA and everything that trusts it make up a public key infrastructure (PKI).

The certificates have to come from somewhere

1) Server 2008 standalone certificate authority
2) Server 2008 enterprise certificate authority (integrated into AD)
3) Third-party certificate authority (i.e. VeriSign etc.)

* The CA at the top of a hierarchy, whose certificate is self-signed, is the "root CA". Every other CA (and every issued certificate) chains back to it, so trusting the root means trusting everything under it.
* Certificates are issued by one of these three types of CA and then passed on to users, devices, other servers and so on.
* A CA also publishes revocation information so relying parties can check that a certificate it issued is still good: a certificate revocation list (CRL) or, new in 2008, an Online Responder (OCSP).

Multiple tiers provide multiple levels of protection
* Usually you'll have more than one machine actually doing certificate services.
* With an offline standalone root CA, you issue certificates to the subordinate (issuing) CAs and then take the root offline. If an issuing CA is compromised, you revoke it from the root instead of rebuilding the whole PKI.
* Pretty much all the work is done manually with a standalone CA: no certificate templates, and you can't just have it autoenroll users.

Enterprise CAs stay online, and need to be highly available
* An enterprise CA stays online all the time and is integrated with AD (templates, permissions and the CA's own certificate are published in the directory).
* Enterprise CAs can issue certificates automatically to users and computers in AD using autoenrollment (driven by Group Policy).
* At least a second tier is still a good idea, and you may have more depending on your security needs.

CRLs, NDES and ORs: could I vague it up even more?
* When a certificate is presented (to open an encrypted file, set up an SSL session, log on with a smart card, or whatever has been secured), the relying party checks it against the certificate revocation list (CRL) that the issuing CA publishes, to make sure it hasn't been revoked. The check is done by the client or server that has to trust the certificate, not by the CA itself; the CA only signs and publishes the list.
* An Online Responder (OR, new in Server 2008) implements OCSP. Instead of downloading the CA's entire CRL, the client asks the responder about one certificate (by serial number) and gets back a signed "good", "revoked" or "unknown". It's much faster and more efficient, and it lets you revoke quickly without pushing out a huge list. Vista and Server 2008 clients try OCSP first (if the certificate carries an OCSP URL) and fall back to the CRL.
* Network Device Enrollment Service (NDES) is Microsoft's SCEP implementation; it lets routers and switches that can't join the domain enroll for certificates from your CA, if you really think you need it.

AD CS in a nutshell
* AD Certificate Services lets you secure just about anything in your network.
* You need at least one root CA to anchor the hierarchy, and you'll probably have subordinate CAs issue the day-to-day certificates so the root can stay offline and out of reach.
* Certificate revocation lists let relying parties validate certificates when they are used, but the new Online Responder (OCSP) service available in AD CS as of Server 2008 is faster and more efficient.
* The new Network Device Enrollment Service (NDES) lets you include switches and routers in your PKI as well.
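To make the certificate fields and the revocation check above concrete, here is an added example (not from the class notes) that reads a certificate the way a relying party does and then builds its chain with online revocation checking. It assumes a certificate file at C:\temp\user.cer exported from the CA (the path is hypothetical; any DER or Base64 .cer works) and runs on Server 2008 / Vista with PowerShell 2.0 and .NET 3.5, no AD CS cmdlets needed.

```powershell
# Added example (not from the class notes): read the fields a certificate carries and
# check its revocation status the way a relying party does.
# Assumes a certificate file exported from the CA; the path below is hypothetical.
param([string]$Path = 'C:\temp\user.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

# --- The parts of a certificate the class lists ---
"Subject      : " + $cert.Subject                          # the name (person, computer or org)
"Issuer       : " + $cert.Issuer                           # the CA whose private key signed it
"Valid        : {0} -> {1}" -f $cert.NotBefore, $cert.NotAfter
"Public key   : {0} {1} bits" -f $cert.PublicKey.Oid.FriendlyName, $cert.PublicKey.Key.KeySize
"Signature    : " + $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA: the CA's signature
"Thumbprint   : " + $cert.Thumbprint
$now     = Get-Date
$expired = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)

# Revocation locations: CRL Distribution Points (2.5.29.31) and, if the CA runs an Online
# Responder, the OCSP URL inside Authority Information Access (1.3.6.1.5.5.7.1.1).
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '2.5.29.31' -or $ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') {
        "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true)
    }
}

# --- Build the chain and check revocation online (OCSP first on Vista/2008, then CRL) ---
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$trusted = $chain.Build($cert)

"Chain builds and is trusted: $trusted"
foreach ($status in $chain.ChainStatus) {
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# Fail closed: an unreachable CRL/OCSP (RevocationStatusUnknown / OfflineRevocation) is
# not the same as "not revoked". A relying party that treats it as OK can be fooled by
# an attacker who simply blocks the revocation URL.
$revocationUnknown = $chain.ChainStatus | Where-Object { $_.Status -match 'RevocationStatusUnknown|OfflineRevocation' }
$revoked           = $chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' }

if ($revoked)               { "RESULT: REVOKED - do not accept" }
elseif ($expired)           { "RESULT: outside validity period - do not accept" }
elseif ($revocationUnknown) { "RESULT: revocation status could not be determined - do not accept" }
elseif ($trusted)           { "RESULT: valid and not revoked" }
else                        { "RESULT: chain does not build to a trusted root - do not accept" }

# Each issuer in the chain, end entity first and root last, so you can see the tiers.
$chain.ChainElements | ForEach-Object { "  chain: " + $_.Certificate.Subject }
```

From a plain cmd prompt, `certutil -verify -urlfetch C:\temp\user.cer` does the same check and prints every CRL and OCSP URL it tried, which is handy when a client reports "revocation status unknown" and you need to know which URL the firewall is eating.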



DNS stuff in 2008

In this class
* A quick overview of DNS
* What are DNS zones really?
* The different kinds of DNS records
* Forwarders and root hints
* GlobalNames zones: the WINS killer (kind of)

* Domain Name Service (DNS) is a Server 2008 role that's basically a big phone book allowing users and computers to look up a host's IP address by using a host name.
* The process of locating a computer's IP address by looking it up by name is called name resolution.
* When computers (or hosts) get assigned an IP address by DHCP or by an administrator, they register their name and IP address with a DNS server (dynamic update).
* The computer can now be found through name resolution, and AD can find domain controllers, users, computers and other hosts by working in conjunction with the DNS server (AD publishes SRV records for its services in DNS).

What are DNS zones really?
* A DNS zone is basically a text file or database that defines what machines it knows about in a portion of the namespace.
* There are four basic types of zones you need to know about:
- AD-integrated zone (*recommended for Server 2008*): the zone is stored as AD objects and replicated with AD. No need for secondary zones if all your DNS servers are also DCs.
- Primary: used on a standalone DNS server, it is the master (read/write) copy of the zone.
- Secondary: a read-only copy of a primary zone, pulled by zone transfer from a DNS server that holds the primary (or AD-integrated) zone.
- Stub: contains only the SOA, NS and glue A records for another zone, i.e. just enough to find that zone's authoritative DNS servers.

Why an AD-integrated zone?

* Let AD manage a lot of the DNS stuff for you!
* AD-integrated zones allow for:
- Zone data replicated as part of normal AD replication (no separate zone transfers between DCs)
- Multimaster replication (any DC hosting the zone can accept updates)
- Secure dynamic updates (only the authenticated computer that registered a record can change it, which stops a rogue host from hijacking another machine's name)
- Backwards compatibility with secondary zones (if you have any in your network)
* Forward lookup zones: look up a host's IP address by name.
* Reverse lookup zones: look up a host name by IP address; used mostly for security and error checking (logs and mail servers that want the name to match the address).
* Conditional forwarders: an alternative to stub zones for sending DNS requests about other domains to that domain's DNS servers.

The different kinds of DNS records

What's in a DNS zone?
* A (Host): name and IP address of a host (computer, network printer, PDA, etc.); AAAA is the IPv6 version.
* PTR (Pointer): IP address to name; the record type in a reverse zone.
* SOA (Start of Authority): the first record of a zone; names the primary server and holds the serial number and refresh/expiry timers.
* SRV (Service Locator): advertises a service (name, port, priority) on a host; AD clients use SRV records to find domain controllers, LDAP and Kerberos.
* NS (Name Server): points to a DNS server that is authoritative for the zone.
* MX (Mail Exchanger): where to deliver email for the domain.
* CNAME (Alias): a "nickname" record that allows multiple names for the same machine.

Forwarders and root hints:
* Root hints let your DNS server find the Internet root servers and resolve Internet names itself, by recursing from the root down.
* A forwarder can be used instead of root hints if your security requirements are higher: the internal server sends every query it can't answer to one designated server and never talks to the Internet directly.
- You need two DNS servers for this: one on the inside of your network perimeter that doesn't use root hints and one on the perimeter (DMZ) that does.
- Internet DNS requests are forwarded out to the perimeter DNS server by the internal DNS server, and the answer is brought back in. Only the perimeter server needs outbound DNS through the firewall, and the internal server (with the AD zones on it) is never exposed.

WINS
* WINS is an older technology that allows you to use NetBIOS for some name resolution.
* Most WINS server technology is being replaced by DNS for speed, reliability and security.
* GlobalNames zones are a NEW feature of Server 2008 for single-label name resolution.
* Use it for easy access to intranet web sites, and as a potential replacement for WINS if you have older network-aware software applications still running that need single-label names (especially if you're rolling over to IPv6, which WINS doesn't support).
* WINS is still available on Server 2008 as a feature (not a role) if you need it.
* On your primary DNS server, run this command to prepare your DNS for GlobalNames (the setting is per server, so run it on every DNS server that should answer single-label queries):
dnscmd /config /enableglobalnamesupport 1
* Then create a new forward lookup zone called GlobalNames (AD-integrated, replicated forest-wide).
* Add CNAME records for any web site or machine you want to have single-label resolution for. The zone is managed by hand; clients don't dynamically register into it.
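As an added example (not from the class notes), here is the internal DNS server configured the way the "Forwarders and root hints" and GlobalNames sections describe, using dnscmd.exe, which is installed with the DNS Server role. The server names, the perimeter resolver address and the CNAME targets are hypothetical; only the domain name comes from the notes.

```powershell
# Added example (not from the class notes): configure the internal DNS server with dnscmd.
# Names and addresses below are hypothetical.
$InternalDns  = 'dc1.globamantics.com'   # hypothetical: AD-integrated DNS on a DC
$PerimeterDns = '192.0.2.53'             # hypothetical: DMZ resolver that holds the root hints
$Zone         = 'globamantics.com'

# 1. Forward everything off-site to the perimeter resolver and never fall back to the
#    root hints (/Slave). Only the perimeter box needs UDP/TCP 53 out through the firewall.
dnscmd $InternalDns /ResetForwarders $PerimeterDns /Slave

# 2. Lock the AD zone to secure dynamic updates only (2 = secure only, 1 = any, 0 = none),
#    so a rogue host cannot overwrite another machine's A record.
dnscmd $InternalDns /Config $Zone /AllowUpdate 2

# 3. Enable single-label (GlobalNames) resolution on this server. The flag is per server:
#    run it on every DNS server that should answer GlobalNames queries.
dnscmd $InternalDns /Config /EnableGlobalNamesSupport 1

# 4. Create the GlobalNames zone as an AD-integrated zone replicated to every DNS server
#    in the forest, and keep dynamic updates off: it is populated by hand with CNAMEs.
dnscmd $InternalDns /ZoneAdd GlobalNames /DsPrimary /DP /forest
dnscmd $InternalDns /Config GlobalNames /AllowUpdate 0

# 5. One CNAME per single-label name. The target must be a real FQDN ending in a dot.
$aliases = @{ 'intranet' = 'web01.globamantics.com.'       # hypothetical web server
              'payroll'  = 'app02.na.globamantics.com.' }  # hypothetical app server
foreach ($name in $aliases.Keys) {
    dnscmd $InternalDns /RecordAdd GlobalNames $name CNAME $aliases[$name]
}

# 6. Checks: the server reports IsSlave=1 (forwarders only), the zone exists, a client
#    querying 'intranet' with no suffix gets the CNAME, and an Internet name still
#    resolves through the forwarder.
dnscmd $InternalDns /Info
dnscmd $InternalDns /ZoneInfo GlobalNames
nslookup intranet $InternalDns
nslookup www.microsoft.com $InternalDns
```

The /Slave switch is the part that actually enforces the "no root hints inside" design: without it the server silently recurses to the Internet on its own whenever the forwarder is slow to answer.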

The new generation of Server 2008 certifications:

The three new server certification blocks for network admins
- MCTS
- MCITP: Server Administrator
- MCITP: Enterprise Administrator

What you need to take for each credential
* MCTS: take any one exam from a large selection.
* MCITP: Server Administrator (from scratch, three exams)
- 70-640: TS Active Directory
- 70-642: TS Network Infrastructure
- 70-646 Pro: Server Administrator

* MCITP: Enterprise Administrator (from scratch, five exams)
- 70-620: Vista
- 70-640: TS Active Directory
- 70-642: TS Network Infrastructure
- 70-643: TS Server 2008 Application Infrastructure, Configuring
- 70-647 Pro: Enterprise Administrator

Connecting the continents: creating a forest-to-forest relationship in Server 2008

* Tokyo is now a Server 2008 network, so now what?
* Our two options to connect Tokyo and New York
* What you need for AD Federation Services
* What you need for a trust
* The Globamantics / Verde Petra solution: trusts

Now here we have:
DC1 - globamantics.com
Child domain = na.globamantics.com
verdepetra.com - a different network (a separate forest)

* New: AD Federation Services allows two separate AD networks to authenticate users from either domain for shared web applications and resources. It uses port 443 (the SSL port) for secure transmissions.
* We can also create a trust between the two forests, since we have more or less a direct link via VPN between New York and Tokyo.

What you need for AD Federation Services?
* AD FS is an SSO (single sign-on) method of sharing information between two partner networks, usually through a web site or application like SharePoint Services or SharePoint Server.
* It uses port 443, the SSL port, and HTTPS to transfer info back and forth (signed security tokens rather than passwords, so the partner never sees your users' credentials). It also uses cookies to keep track of authentication.
* Here's what AD FS requires:

On the home domain (globamantics.com):
1) AD DS server
2) AD FS server
3) Web server (SharePoint) with an SSL certificate
4) DMZ with a federation proxy server

Internet

On the other forest (verdepetra.com):
1) AD DS server
2) AD FS server
3) DMZ with a federation proxy server


What you need for a trust?
* A trust allows users from one network to access resources on another network.
* As long as there's a secure connection between the two networks (like our VPN), all we really need is a DC on either side, plus DNS on each side that can resolve the other forest.
* For a forest trust, both forests must be at the Windows Server 2003 forest functional level or higher (Server 2008 preferred); each domain should also be running at least the Server 2008 domain functional level.








How many kinds of trusts are there?
* External trust: allows separate domains in separate forests to trust each other's users without trusting every domain in a forest (non-transitive).
* Forest trust: a trust between two forest root domains that can allow users from any domain inside either forest to share resources (transitive across both forests). Requires the 2003 forest functional level.
* Shortcut trust: simply lets users reach resources in a different domain in the same forest faster, by skipping the trust path up through the forest root.
* Realm trust: allows a Windows AD network that uses Kerberos to trust a UNIX-based network that also uses Kerberos, so they can share resources.

How many directions are there in a trust?
* A trust can be one-way or two-way, and transitive or non-transitive.

1) One-way trust
* Network A trusts Network B (A is the trusting domain, B is the trusted domain).
* Users from Network B can access allowed resources on A, but users from A cannot access anything on Network B.

2) Two-way trust
* Network A trusts Network B and Network B trusts Network A.
* Users from either network can access allowed resources on the other.

3) Transitive trust

* If Domain A trusts Domain B and the trust is transitive,
* and B trusts C, then A also trusts C (A and C have a trust relationship without one being created directly).
____________________________
Now what you are going to do:

* You're going to implement a two-way forest trust, as well as an external trust between Verde Petra and na.globamantics.com (the child domain) so that users will be able to access resources there faster.
* You need to ensure that the DNS servers on both networks are configured to know about each other.
* Both DNS servers are AD-integrated, but a trust doesn't make either DNS server know about the other one; the trust wizard has to resolve the other forest's DCs (via their SRV records) before it can do anything.
* You will set up a stub zone on each DNS server, so that any DNS requests for resources on the other network are sent to the DNS server in the other network.

How to create a trust?
1) We'll do the DNS work on DC2 (the class spreads the load across DCs).
2) Open DNS Manager > expand the server.
3) Select Forward Lookup Zones > right-click > New Zone.
4) Select Stub Zone (check "Store the zone in Active Directory") > Next.
5) Select "To all DNS servers in this forest" > Next.
6) Type the name of the other forest's domain, e.g. verdepetra.com > Next.
7) Type the IP address of a DC in the other forest and check "Use the above servers to create a local list of master servers" > Next.
8) Finish.

1) Now go to the verdepetra.com domain and repeat the same steps to configure a stub zone for globamantics.com.
2) Now go to Active Directory Domains and Trusts > right-click > raise the forest functional level to Windows Server 2008 in both forests (2003 is the minimum for a forest trust).

1) Now on DC1 (globamantics.com) go to Active Directory Domains and Trusts > Properties > Trusts > New Trust.
2) Type the other domain name, verdepetra.com > Next > give credentials > select Forest trust.
3) Select Two-way > Next > select "Both this domain and the specified domain" > Next > enter credentials > Next.
4) Select Forest-wide authentication > Next. (Selective authentication is the tighter choice: users from the other forest then only get to servers where you explicitly grant them "Allowed to Authenticate".)
5) Yes, confirm the outgoing trust > Next.
6) Yes, confirm the incoming trust > Next.
7) Finish.

Now we want to add the TKSales group from verdepetra.com (make sure it is a universal group) to the SalesUsers group on globamantics.com (make sure it is a domain local group), and then give SalesUsers the permissions on the shared resource.
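The command-line version of the preparation, the post-trust checks and the group nesting, as an added example that is not part of the class notes. The trust itself is still created in the Domains and Trusts wizard as shown above. The forest names and group names come from the notes; the IP address and DC name are hypothetical. The Get-ADGroup/Add-ADGroupMember part needs the ActiveDirectory PowerShell module (Server 2008 R2 or later RSAT); dnscmd, nslookup, netdom and nltest ship with Server 2008.

```powershell
# Added example (not from the class notes): stub zone, trust verification and
# cross-forest group nesting from the command line on DC2 in globamantics.com.
$HomeForest  = 'globamantics.com'
$OtherForest = 'verdepetra.com'
$OtherDcIp   = '192.0.2.10'              # hypothetical: a DC/DNS server in Tokyo
$LocalDns    = 'dc2.globamantics.com'    # hypothetical DC name (DC2 is in the notes)

# 1. Stub zone for the other forest, stored in AD and replicated forest-wide
#    (the same as "Stub Zone" + "Store the zone in Active Directory" + "all DNS servers in this forest").
dnscmd $LocalDns /ZoneAdd $OtherForest /DsStub $OtherDcIp /DP /forest

# 2. Before touching the trust wizard, prove we can find the other forest's DCs through
#    the SRV records AD publishes. If this fails, the wizard fails too.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$OtherForest" $LocalDns

# --- run the New Trust wizard here, then continue ---

# 3. Verify the trust from this side and confirm Kerberos works across it.
netdom trust $HomeForest /Domain:$OtherForest /Verify /Kerberos
nltest /domain_trusts /all_trusts        # lists the trust with its direction and attributes
nltest /sc_verify:$OtherForest           # secure channel to the trusted forest is up

# 4. Least privilege: the wizard's "Forest-wide authentication" lets every Tokyo user
#    authenticate to every New York server. Selective authentication restricts that to
#    servers where you grant "Allowed to Authenticate" explicitly.
netdom trust $HomeForest /Domain:$OtherForest /SelectiveAUTH:Yes

# 5. Nest TKSales (universal, trusted forest) into SalesUsers (domain local, home forest).
#    Requires the ActiveDirectory module (Server 2008 R2 or later RSAT).
Import-Module ActiveDirectory
$tkSales = Get-ADGroup -Identity 'TKSales' -Server $OtherForest
if ($tkSales.GroupScope -ne 'Universal') {
    throw "TKSales must be a universal group to be used across the forest trust (it is $($tkSales.GroupScope))"
}
$salesUsers = Get-ADGroup -Identity 'SalesUsers' -Server $HomeForest
if ($salesUsers.GroupScope -ne 'DomainLocal') {
    throw "SalesUsers must be a domain local group (it is $($salesUsers.GroupScope))"
}
Add-ADGroupMember -Identity $salesUsers -Members $tkSales   # AD creates the foreign security principal
Get-ADGroupMember -Identity $salesUsers | Select-Object Name, objectClass, distinguishedName
```

Repeat steps 1 and 2 on a DC in verdepetra.com with the names swapped before running the wizard; the "incoming trust" confirmation in the wizard is what fails when the Tokyo side can't resolve globamantics.com.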

Notes:
* AD Federation Services: a server role that allows partner networks to share information across domains using single sign-on. Most often used to share intranet web sites and applications like SharePoint.
* Trusts: a relationship between forests or domains that allows sharing of resources.
* Stub zone: a DNS zone that simply provides the names and addresses of another domain's DNS servers.
* Conditional forwarder: an entry in a DNS server that forwards a DNS request if the request meets a specific requirement, i.e. the request is for a computer in another domain.
* External trust: allows separate domains in separate forests to trust each other's users without trusting every domain in a forest.
* Forest trust: a trust between two forest root domains that can allow users from any domain inside either forest to share resources.
* Shortcut trust: simply allows users to access resources in a different domain faster.
* Realm trust: allows a Windows AD network that uses Kerberos to trust a UNIX-based network that also uses Kerberos to share resources.
* Transitive trust: a trust property that extends the trust to the other domains that the trusted domain itself trusts.
* AD Migration Tool (ADMT): a free download from Microsoft that allows you to move AD objects (i.e. user accounts, etc.) between domains for consolidation.

After this class, now you can:
* Define the requirements and describe the use of AD Federation Services.
* Define the types and directions of trusts.
* Create stub zones in a DNS server in preparation for a trust.
* Implement a two-way transitive forest trust.
* Add a universal group from another domain to a domain local group in the home domain.

Thursday, May 29, 2014

Upgrading a Server 2003 machine to Server 2008

* Advantages of the Server 2008 domain functional level
* The upgrade process

Scenario:
Here we have a small company, Verde Petra, Inc. Their network is a simple one-DC setup with 10 client machines, an outsourced email solution, and a couple of network printers.
However, their DC is running a 32-bit edition of Server 2003, and needs to be upgraded to Server 2008 to take advantage of all the extras that the Server 2008 functional level provides. Before we do anything to integrate, you need to prepare the Verde Petra DC by upgrading it to Server 2008 Enterprise 32-bit (an in-place upgrade can't change architecture, so 32-bit 2003 can only go to 32-bit 2008).

Features of the 2008 functional level:
* DFS Replication (DFS-R) for SYSVOL, replacing FRS.
* Advanced Encryption Standard (AES 128/256) support for the Kerberos protocol.
* Last interactive logon information (users can be shown when their account last logged on, and how many failed attempts there were since).
- GPO found in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Display information about previous logons during user logon.
* Fine-grained password policies (different password and lockout settings for different users or groups within one domain, instead of one policy per domain).

The upgrade process from Server 2003 to Server 2008
* When upgrading a DC, you will need to grab adprep off the Server 2008 disc and run adprep /forestprep (on the schema master) and adprep /domainprep (on the infrastructure master of each domain).
* The rest of the upgrade process is simple: put in the DVD, click the Upgrade option when it comes up, and install as normal.

Note: you cannot upgrade Server 2000 to Server 2008. You would have to first upgrade the server to 2003 and then to 2008.

Steps:
1) Now on Server 2003, insert the Server 2008 DVD and go to the sources folder.
2) Then copy the adprep folder and paste it in the C: drive.
3) Now open cmd and type cd \adprep.
4) Type adprep /forestprep.
5) To continue, type C and press Enter (adprep asks you to confirm that any Windows 2000 DCs in the forest are at SP4 or later).
6) Once the adprep process completes, type adprep /domainprep (the domain must be at least Windows 2000 native functional level; the class raises it to Windows Server 2003 first). Run adprep /domainprep /gpprep as well if gpprep has never been run in this domain, so RSoP planning works after the upgrade.
7) Now run the Server 2008 setup from the DVD.
8) Click Upgrade and continue with the installation.
9) Once the installation completes, raise the domain functional level to Server 2008 (only after every DC in the domain is 2008; this is a one-way change).
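An added example (not from the class notes) of the checks a practitioner would run before and after the adprep steps above, read straight from the directory with ADSI so it works from any domain-joined machine with PowerShell (a Server 2003 DC needs PowerShell installed separately). The DVD drive letter is hypothetical; the schema and functional-level numbers are the documented values.

```powershell
# Added example (not from the class notes): verify adprep prerequisites and results.
$AdprepExe = 'D:\sources\adprep\adprep.exe'   # hypothetical: Server 2008 DVD (32-bit media for a 32-bit DC)

$rootDse = [ADSI]'LDAP://RootDSE'
$schema  = [ADSI]('LDAP://' + $rootDse.schemaNamingContext.Value)
$domain  = [ADSI]('LDAP://' + $rootDse.defaultNamingContext.Value)

# objectVersion on the schema container: 30 = Server 2003, 31 = 2003 R2, 44 = Server 2008.
# RootDSE functionality levels: 0 = Windows 2000, 2 = Server 2003, 3 = Server 2008.
$schemaVersion = [int]$schema.objectVersion.Value
"Schema version           : $schemaVersion"
"Forest functional level  : " + $rootDse.forestFunctionality.Value
"Domain functional level  : " + $rootDse.domainFunctionality.Value
"This DC's max level      : " + $rootDse.domainControllerFunctionality.Value

# Where adprep has to run: /forestprep on the schema master, /domainprep on the
# infrastructure master of each domain. fSMORoleOwner holds the NTDS Settings DN of the holder.
"Schema master            : " + $schema.fSMORoleOwner.Value
"Infrastructure master    : " + $domain.fSMORoleOwner.Value

# adprep /domainprep needs Windows 2000 native or higher; ntMixedDomain = 1 means mixed mode.
if ([int]$domain.ntMixedDomain.Value -eq 1) {
    throw 'Domain is still in Windows 2000 mixed mode; raise it to Windows 2000 native (or 2003) before adprep /domainprep'
}

if ($schemaVersion -lt 44) {
    "Schema is not at Server 2008 yet. On the schema master run:"
    "  $AdprepExe /forestprep            (type C to confirm Windows 2000 DCs are at SP4)"
    "then on the infrastructure master of each domain:"
    "  $AdprepExe /domainprep /gpprep"
    "  $AdprepExe /rodcprep              (only if you plan to deploy read-only DCs)"
} else {
    "Schema already extended for Server 2008; safe to start the in-place upgrade."
}

# After setup: the upgraded DC must report domainControllerFunctionality 3 and the schema 44
# before you raise the domain functional level. Check replication first (repadmin ships with 2008).
if (Get-Command repadmin -ErrorAction SilentlyContinue) { repadmin /replsummary }
```

Run it once before step 4 (expect schema 30 or 31 and the prompt to run forestprep) and again after step 8 (expect 44 and a clean replication summary) before raising the functional level in step 9.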




Strategies to use when recreating a dead domain controller in Server 2008

* Seizing operations masters for quick restoration of functionality
* Possible solutions for restoring domain controllers

Now here we have:
DC1 has the Domain Naming and Schema Master roles.
DC2 has the PDC Emulator and RID Master roles.
DC3 has the Infrastructure Master.

Here DC3 blows up. The good news is you still have two other DCs running, so users can still log in. You need to get an Infrastructure Master back online as fast as you can first, and then decide how to get the DC back.

Seizing operations masters for quick restoration of functionality

How to seize an operations master role when the machine doesn't exist anymore:
* The GUI:
- Try to move the operations master from the GUI like you would normally; it fails because the current holder can't be contacted, and offers a forced transfer (a seizure).
* NTDSUTIL:
- You can also use NTDSUTIL to seize an operations master role with the following operation:
1) Go into NTDSUTIL like normal, and don't forget to type activate instance NTDS as your first command.
2) Type roles to move into the roles context.
3) Type help to get a list of the commands.
- To seize the Infrastructure Master, type seize infrastructure master. (ntdsutil first tries a clean transfer and only seizes if the old holder can't be reached. Seizing is a last resort: the old DC must never come back on the network still believing it holds the role, or you have two masters.)

How to transfer roles through the GUI?
1) Open Active Directory Users and Computers on DC2.
2) Right-click the domain.
3) Go to Operations Masters > click the Infrastructure tab > you'll see the message "The current operations master is offline. The role cannot be transferred."
4) Click Change > you'll be asked whether you're sure you want to transfer this role to a global catalog server > click Yes. (The Infrastructure Master shouldn't sit on a GC unless every DC in the domain is a GC, otherwise it never updates cross-domain references; in a single-domain forest it doesn't matter.)
5) A message says the FSMO operation failed and asks whether to attempt a forced transfer > click No (we'll seize from the command line instead).

Let's do it through the command prompt.

1) Open cmd.
2) Type ntdsutil
3) Type activate instance NTDS
4) Type roles
5) Type help
6) Type connections
7) Type connect to domain globamantics.com (or connect to server DC2, to pick the exact DC that should take the role)
8) Type quit (back to the roles context)
9) Type seize infrastructure master
10) Click Yes on the confirmation dialog.

Possible solutions for restoring the DC; it all depends:
* If the hardware and the Server 2008 OS are okay but AD has been trashed, you can just do a system state restore from the last backup (the backup must be newer than the forest's tombstone lifetime, 60 or 180 days depending on when the forest was created, or the restored DC will be rejected by its partners).
* If your hardware is trashed, build a new Server 2008 machine, install Windows Server Backup, and do a recovery of the last full backup of DC3 (requires the backup to be on DVD or a network share/NAS).
* Last, if you don't have access to a set of backup files, since DC3 is more of an auxiliary machine, you can:
- Delete the DC3 computer account from the Domain Controllers OU (on Server 2008 this also performs the metadata cleanup that removes the dead DC's NTDS settings; on older tools you'd run ntdsutil metadata cleanup).
- Build a brand new Server 2008 machine, install AD DS and run dcpromo.
- Let replication do the job of restoring the AD database.
- Move the Infrastructure Master back to the new DC3.
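The seizure and the cleanup above driven from one PowerShell session on DC2, as an added example that is not part of the class notes. It uses ntdsutil, netdom, dnscmd and repadmin, which all ship with Server 2008. The domain and DC names follow the scenario; the site name and DC3's DNS record are hypothetical.

```powershell
# Added example (not from the class notes): seize the Infrastructure Master on DC2 and
# clean up the dead DC3, with the checks before and after.
$Domain   = 'globamantics.com'
$Survivor = 'dc2.globamantics.com'         # the DC that takes over the role
$DeadDc   = 'DC3'
$SiteName = 'Default-First-Site-Name'      # hypothetical; check AD Sites and Services
$ConfigNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value

# 1. Who holds what right now.
netdom query fsmo

# 2. Make sure the old holder really is gone. Seizing while it is still reachable, or
#    letting it back on the network afterwards, leaves two DCs claiming the role.
if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet) {
    throw "$DeadDc still answers; transfer the role cleanly instead of seizing it"
}

# 3. Seize. ntdsutil accepts its menu commands as quoted arguments; each 'quit' backs out
#    one level. It still pops the same Yes/No confirmation as the GUI.
ntdsutil 'activate instance ntds' roles connections "connect to server $Survivor" quit `
         'seize infrastructure master' quit quit

# 4. Confirm the role moved, and whether DC2 is a global catalog: an Infrastructure Master
#    on a GC stops updating cross-domain references unless every DC in the domain is a GC.
netdom query fsmo
$ntdsDn = "CN=NTDS Settings,CN=$($Survivor.Split('.')[0]),CN=Servers,CN=$SiteName,CN=Sites,$ConfigNc"
$survivorNtds = [ADSI]("LDAP://$ntdsDn")
$isGc = ([int]$survivorNtds.options.Value -band 1) -eq 1     # bit 0 of options = global catalog
"Survivor is a global catalog: $isGc"

# 5. Remove the dead DC's NTDS settings, server and computer objects so replication stops
#    trying to reach it (the scripted form of deleting it in AD Users and Computers on 2008),
#    then its DNS host record, then confirm replication is clean.
ntdsutil 'metadata cleanup' `
    "remove selected server CN=$DeadDc,CN=Servers,CN=$SiteName,CN=Sites,$ConfigNc" quit quit
dnscmd $Survivor /RecordDelete $Domain $DeadDc A /f            # hypothetical: DC3's A record
repadmin /replsummary                                         # no partner named DC3 should remain
```

If DC3 is ever rebuilt with the same name, do the cleanup first and promote it fresh with dcpromo; never restore the old DC3 image after a seizure.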

After this class, what you can do:
* Seize an operations master and thereby transfer the functionality to a live domain controller.
* Identify a methodology to restore a domain controller to functional status.