3 6 0 CHAPTER 7 Active Directory Certifi cate Services FIGURE 7-9 Backing up the CA. You can restore a private key and CA certifi cate by using the CA console or the certutil command. To restore using the CA console, right-click the CA, select All Tasks, and then select Restore CA. This starts the Certifi cation Authority Restore Wizard. You can choose to restore the private key and CA certifi cate and the certifi cate database and database log. During the restoration process, you are asked for the password that was supplied when the original backup of the private key and CA certifi cate was taken. AD CS is stopped while you are per- forming the restoration process and restarts automatically after the restoration is successful. If the restoration process is unsuccessful, you must restart AD CS manually. To restore AD CS from the command line, issue the certutil –restore BackupDirectory command. If you are restoring Certifi cate Services from scratch on a new computer with the same name as the original CA, fi rst import the CA certifi cate and private key to the local machine store and verify that CAPolicy.inf is imported to the %Winddir% folder. Add the AD CS role, selecting Use Existing Private Key and the original CA’s certifi cate. MORE INFO MORE ON CA BACKUP AND RECOVERY For more on archiving encryption keys, consult Chapter 14, “Planning and Implementing Disaster Recovery,” in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008). MORE INFO MORE ON CA BACKUP AND RECOVERY For more on archiving encryption keys, consult Chapter 14, “Planning and Implementing Disaster Recovery,” in Windows Server 2008 PKI and Security , by Brian Komar (Microsoft Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Windows Server 2008 PKI and Security Press, 2008). Lesson 1: Managing and Maintaining Certifi cate Servers CHAPTER 7 361 EXAM TIP Remember which steps you must perform before you take a standalone root CA offl ine. PracticE Installing a CA and Assigning Administrative Roles In this practice, you install an enterprise root CA in the contoso.internal domain and then confi gure a key recovery agent. ExErcisE 1 Install an Enterprise Root CA In this exercise, you install Active Directory Certifi cate Services on server Glasgow. Glasgow then functions as an enterprise root CA. 1. Log on to server Glasgow, using the Kim_Akers user account. 2. Open the Server Manager console. Right-click the Roles node, and then select Add Roles. This launches the Add Roles Wizard. 3. On the Before You Begin page, click Next. 4. On the Select Server Roles page, select the Active Directory Certifi cate Services check box, and then click Next. Review the information on the Introduction To Active Direc- tory Certifi cate Services page, and then click Next. 5. On the Role Services page, select the Certifi cation Authority and Certifi cation Author- ity Web Enrollment check boxes. 6. When you select the Certifi cation Authority Web Enrollment items, you are prompted by the Add Role Services dialog box. Click Add Required Role Services, and then click Next. 7. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next. 8. On the Specify CA Type page, select Root CA, and then click Next. 9. On the Set Up Private Key page, select Create A New Private Key, and then click Next. 10. On the Confi gure Cryptography For CA page, change the character length to 4096 and select the Use Strong Private Key Protection Features Provided By The CSP check box, as shown in Figure 7-10, and click Next. 3 6 2 CHAPTER 7 Active Directory Certificate Services FIGURE 7-10 Configuring cryptography settings. 11. On the Configure CA Name page, verify that the common name is set to Contoso- GLASGOW-CA and the distinguished name suffix is set to DC=Contoso,DC=internal, and then click Next. 12. Verify that the validity period is set to 5 years, and then click Next. 13. Verify the certificate database location, and then click Next. 14. Review the information on the Confirm Installation Selections page, and then click Next twice. Click Install to install Active Directory Certificate Services and support role services from the Web Server (IIS) role. Click Close to dismiss the Add Roles Wizard when the installation completes. ExErcisE 2 Configure Enterprise Root CA Settings In this exercise, you configure key archival settings and assign administrative roles. 1. Log on to Glasgow, using the Kim_Akers user account. 2. Open the Certification Authority console from the Administrative Tools menu. Click Continue to dismiss the User Account Control dialog box. 3. Expand the Contoso-Glasgow-CA node, and then right-click the Certificate Templates node. Select New, and then select Certificate Template To Issue. 4. From the list of available certificate templates, select Key Recovery Agent, as shown in Figure 7-11, and then click OK. Lesson 1: Managing and Maintaining Certificate Servers CHAPTER 7 363 FIGURE 7-11 Enabling the KRA template. 5. From the Start menu, click Run, type mmc, and then click OK. Dismiss the UAC dialog box and add the Certificates snap-in for your user account. 6. Expand the Certificates – Current User node. 7. Right-click the Personal store, select All Tasks, and then select Request New Certificate. In the Certificate Enrollment Wizard, select the Key Recovery Agent check box and click Enroll. Click Finish when the certificate installation completes. 8. Return to the Certificate Authority console and select the Pending Requests node. In the details pane, right-click the pending certificate request, select All Tasks, and then select Issue. 9. In the Certification Authority console, right-click Contoso-GLASGOW-CA, and then select Properties. 10. On the Recovery Agents tab, select Archive The Key, and then click Add. Select the certificate issued to Kim Akers, and then click OK. Click Apply. In the dialog box asking whether you want to restart Active Directory Certificate Services, click Yes. 11. Open Active Directory Users And Computers. Create a new global security group called KRA_CertManagers in the Users container. Close Active Directory Users And Computers. 12. In the Certificate Authority console, right-click Contoso-GLASGOW-CA, and then select Properties. 13. On the Security tab, click Add. Add the KRA_CertManagers group, as shown in Figure 7-12, and assign the group the Allow Issue And Manage Certificates permission. Click Apply. 3 6 4 CHAPTER 7 Active Directory Certificate Services FIGURE 7-12 Assigning the Cert Manager role. 14. On the Certificate Managers tab, select Restrict Certificate Managers. Verify that the CONTOSO\KRA_CertManagers group is listed and, in the Certificate Templates area, click Add. 15. In the Enable Certificate Templates dialog box, select the Key Recovery Agent tem- plate, and then click OK. 16. In the Certificate Templates list, select <All>, and then click Remove. Verify that the CA Properties dialog box matches Figure 7-13, and then click OK. FIGURE 7-13 Certificate Managers configuration. Lesson 1: Managing and Maintaining Certifi cate Servers CHAPTER 7 365 Lesson Summary n Enterprise CAs are tightly integrated into AD DS. They can use custom certifi cate tem- plates, and you can confi gure them to auto-enroll certifi cates. Standalone CAs cannot use custom certifi cate templates, and certifi cate request data must be entered manu- ally rather than automatically extracted from AD DS. n You can take a standalone root CA offl ine and physically secure it. You cannot take an enterprise root CA offl ine. An enterprise CA can be a subordinate of a standalone root CA. n You must confi gure key archiving on the CA and from within a certifi cate template. You can confi gure a key recovery agent (KRA) by issuing a user a key recovery agent certifi cate. n You can back up certifi cate services by using a normal system state backup, by using the Certifi cation Authority Console, or by using the certutil.exe command-line utility. n The Certifi cate Manager role allows users granted the role the ability to issue and man- age certifi cates. The CA Administrator role allows users to start and stop Certifi cate Services, confi gure extensions, assign roles, and defi ne key recovery agents. Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Managing and Maintaining Certifi cate Servers.” The questions are also available on the com- panion DVD if you prefer to review them in electronic form. NOTE ANSWERS Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book. 1. You are planning the deployment of Active Directory Certifi cate Services in your Windows Server 2008 functional level forest. You want to be able to take the root CA offl ine but also integrate Certifi cate Services fully with AD DS. Which of the following deployments should you recommend for the fi rst CA in your organization? A. Enterprise root CA B. Enterprise subordinate CA C. Standalone root CA D. Standalone subordinate CA 2. On which of the following versions of Windows Server 2008 can you install an enter- prise subordinate CA? NOTE ANSWERS NOTE ANSWERSNOTE Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book. 3 6 6 CHAPTER 7 Active Directory Certificate Services A. Windows Web Server 2008 B. Windows Server 2008 Standard C. Windows Server 2008 Enterprise D. Windows Server 2008 Datacenter 3. You want to implement key archiving in your organization. Two users will have the responsibility for restoring private keys from the certificate server’s database. Which step must you take to ensure that these users will be able to restore archived keys? A. Ensure that you issue the users a certificate with the Key Recovery Agent OID. B. Ensure that you issue the users a certificate with the Enrollment Agent OID. C. Ensure that you issue the users a certificate with the Subordinate Certification Authority OID. D. Ensure that you issue the users a certificate with the EFS Recovery Agent OID. E. Ensure that you issue the users a certificate with the OCSP Response Signing OID. 4. Your CA hierarchy will involve an offline standalone root CA with three enterprise sub- ordinate CAs. You have just installed AD CS on the standalone root CA. Which of the following steps must you take prior to issuing signing certificates to the enterprise sub- ordinate CAs? (Choose four. Each correct answer presents part of a complete solution.) A. Change the CRL distribution point URL. B. Change the AIA distribution point URL. C. Add the standalone root CA certificate to the enterprise root store in AD DS. D. Set the standalone root CA to offline mode. E. Configure the AIA points in AD DS, using certutil.exe. 5. You want to ensure that the SSLCertManagers group is the only group able to issue certificates based on the Web Server template from a specific issuing CA. When you navigate to the Certificate Managers tab on the CA in question, the SSLCertManagers group is not present in the Certificate Managers list. Which step should you take to resolve this problem? A. Assign the SSLCertManagers group the Request Certificates permission on the Security tab of CA properties. B. Assign the SSLCertManagers group the Manage CA permission on the Security tab of CA properties. C. Assign the SSLCertManagers group the Issue and Manage Certificates permission on the Security tab of CA properties. D. Edit the Web Server certificate template properties. Assign the SSLCertManagers group the Read permission to this template. E. Edit the Web Server certificate template properties. Assign the SSLCertManagers group the Write permission to this template. Lesson 2: Managing and Maintaining Certifi cates and Templates CHAPTER 7 367 Lesson 2: Managing and Maintaining Certifi cates and Templates This lesson discusses managing certifi cate revocations, including publishing certifi cate revoca- tion lists and confi guring online responders, and the different methods of enrollment, such as Web and automatic enrollment. The lesson also covers certifi cate templates, which enable you to create advanced digital certifi cates that might be a better fi t for your organization than the default certifi cate templates that ship with Windows Server 2008. After this lesson, you will be able to: n Manage certifi cate revocations and confi gure online responders. n Manage certifi cate templates. n Manage and automate certifi cate enrollments. Estimated lesson time: 40 minutes Managing and Maintaining Certifi cate Revocation Lists Certifi cate revocation lists are just what they sound like: lists of revoked certifi cates. You trust a certifi cate issued by a CA because you trust the policies under which the CA issues certifi - cates. If you did not trust the CA, you would not trust any certifi cates issued by that CA. A certifi cate revocation list shows you which certifi cates issued by the CA are no longer trust- worthy. There are many reasons a certifi cate might be placed on a CRL list, such as a signing certifi cate issued to a subordinate CA being revoked because the subordinate CA has been compromised, but the primary statement made by a certifi cate being placed on a CRL list is “This certifi cate is no longer trustworthy.” Each time a new certifi cate is encountered, or an existing certifi cate is used, a check is made to see whether that certifi cate is listed on the issuing CA’s CRL list. If the CA is part of a hierarchy, another check occurs to see whether the upstream CA that issued the signing cer- tifi cate still trusts the CA that issued the certifi cate against which the check is occurring. This is because you should not trust a certifi cate issued by an untrustworthy CA! The location of the CRL is included with the certifi cate so that the software performing the CRL check knows where to access this information. The name for the location of the CRL is the CRL distribution point. It is possible for you to designate multiple CRL distribution points for a single CA. CRL Distribution Points You can confi gure the CRL distribution point for a specifi c certifi cate server by modifying the properties listed on the Extensions tab of the issuing CA’s properties. To edit CRL distri- bution point information, you must assign the user the CA Administrator role as described in Lesson 1. As shown in Figure 7-14, you can specify CRL distribution points as HTTP, FTP, or After this lesson, you will be able to: n Manage certifi cate revocations and confi gure online responders. n Manage certifi cate templates. n Manage and automate certifi cate enrollments. Estimated lesson time: 40 minutes 3 6 8 CHAPTER 7 Active Directory Certificate Services Lightweight Directory Access Protocol (LDAP) addresses or by file and folder location. Note that any changes to a certificate server’s CRL distribution points do not apply retroactively. This information is included in the certificate at the time of issue. If you change the CRL dis- tribution point, clients checking previously issued certificates will be unable to locate the new distribution point. If it becomes necessary to change a distribution point, develop a transi- tion strategy that either keeps the old distribution point available over the lifetime of already issued certificates or renews all existing certificates with the updated CRL distribution point information. FIGURE 7-14 Editing the CRL distribution point. CRLs are a single file that, over time, can become very large. This size is important because each time a client performs a check, it has to download the full CRL if it does not already have a copy in its cache. If you frequently update your CRL, clients must always download the entire CRL because it will not already be present in their cache. As a way of dealing with this problem, it is possible for you to publish a smaller CRL, known as a delta CRL. The delta CRL includes information only about certificates revoked since the publication of the CRL. The client downloads the delta CRL and appends it to the CRL in its cache. Because delta CRLs are smaller, you can publish them more often with less of an impact on the certificate server than would occur if you published the full CRL by using a similar schedule. To configure the CRL and delta CRL publication interval, open the Certificate Authority console, right-click the Revoked Certificates node, and then select Properties. This displays the Revoked Certificate Properties dialog box shown in Figure 7-15. The default CRL publication interval is one week, and the default delta CRL publication interval is one day. Use the certutil –CRL command to force the publication of a new CRL or delta CRL. Lesson 2: Managing and Maintaining Certifi cates and Templates CHAPTER 7 369 FIGURE 7-15 Revoking a certificate. Overlap periods describe the amount of time after the end of a published CRL’s lifetime that the CRL is still considered valid. Consider increasing the overlap period if you are using multiple CRL distribution points (CDPs) and replication of CRL data does not occur immedi- ately, such as if you use a distributed fi le system (DFS) share as a CDP and it takes a signifi cant amount of time for replication to complete. You can confi gure overlap periods for both CRLs and delta CRLs by using the certutil –setreg ca\CRLOverlapUnits command. MORE INFO CONFIGURING CERTIFICATE REVOCATION For more information on confi guring certifi cate revocation, see the following TechNet article: http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083 -8606-c0a4fdca9a251033.mspx?mfr=true. Authority Information Access The authority information access (AIA) extension contains the URLs at which the issuing CA’s certifi cate is published. The client uses these URLs when creating a certifi cate chain to retrieve the CA certifi cate if it does not have a copy of this certifi cate in a copy of the client cache. Modify the AIA extension to an alternate location if you want to take the CA offl ine. You must also export the CA certifi cate and place it in this alternate location to support certifi cate chain requests. The AIA also contains the URL of any online responders that you have confi gured to support revocation checks. You learn more about online responders later in this lesson. Revoking a Certifi cate A user must hold the Certifi cate Manager role to be able to revoke certifi cates. Just as you should not issue certifi cates in an arbitrary manner, you should not revoke certifi cates in an arbitrary manner. If possible, your organization should develop a certifi cate revocation policy MORE INFO CONFIGURING CERTIFICATE REVOCATION For more information on confi guring certifi cate revocation, see the following TechNet article: http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083 -8606-c0a4fdca9a251033.mspx?mfr=true . [...]... Estimated lesson time: 55 minutes Windows Server Backup The Windows Server Backup tool replaces, but is significantly different from, the Windows 2000 Server and Windows Server 2003 tool, ntbackup.exe As a Windows Server 2003 professional, you should be familiar with the ntbackup.exe tool, and you need to familiarize yourself with the capabilities and limitations of the new Windows Server Backup utility... requests n 3 84 You cannot customize Level 1 certificate templates, but you can use them on Windows 2000 Server, Windows Server 2003, and Windows Server 2008 CAs You can use level 2 certificate templates on Windows Server 2003 and Windows Server 2008 CAs and you can customize them You can use level 3 certificate templates only on Windows Server 2008 CAs, and you can use advanced cryptographic methods such... used to store backup data n 3 92 Installed a Windows Server 2008 Enterprise server configured as a domain controller in the contoso.internal domain as described in Chapter 1, “Configuring Internet Protocol Addressing.” Installed the Windows Server 2008 Enterprise server Boston in the contoso.internal domain as described in Chapter 2, “Configuring IP Services.” CHAPTER 8 Maintaining the Active Directory... customized level 2 certificate template based on the default level 1 user certificate template On which of the following operating systems can you install a CA that supports this customized template? (Choose three Each correct answer presents a complete solution ) a Windows 2000 Advanced Server b Windows Server 2008 Standard C Windows Server 2008 Enterprise D Windows Server 2008 Datacenter e 2 Windows. .. short server downtimes, and it is your job to meet these expectations In this lesson, you learn what is new in the process of backing up Windows Server 2008 and the data and services that it hosts for your organization You also learn how to plan and implement disaster recovery for your organization’s Windows Server 2008 environment You learn how to recover everything from single Active Directory... frequent, but you need to know exactly what to do when everyone else is panicking It would be unprofessional to wait until Windows Server 2008 is installed and then start to draw up a backup and recovery plan You need to learn about Windows Server 2008 backup and recovery, including the backup of server roles, applications, the Active Directory database (Ntds.dit), Active D ­ irectory Domain Services... under pressure before the problem becomes critical This chapter discusses the enhanced tools and techniques Microsoft Windows Server uses to back up and restore both user data and Active Directory settings It looks at offline Active Directory maintenance in Windows Server 2008 and considers the use of monitoring tools and the enhancements introduced in the new operating system CHAPTER 8 391 Exam objectives... the directory to all enterprise CAs in the forest Only the Enterprise and Datacenter editions of Microsoft Windows Server 2003 and Windows Server 2008 support customizable certificate templates Although Windows Server 2008 ships with a number of certificate templates that you can deploy to meet a general set of needs, the settings on the default set of certificates might not precisely suit your needs... for digital certificates in your own environment By creating your own certificate templates, you can address your organization’s needs more directly There are three versions of the certificate template, two of which you can create for use with Windows Server 2008 Enterprise Version 1 templates are compatible with Windows 2000 Server, Windows Server 2003, and Windows Server 2008 CAs You cannot modify... version 2 or 3 template to which you can make modifications You can customize version 2 templates, and they are compatible with Windows Server 2003 and Windows Server 2008 Enterprise and Datacenter CAs Version 3 certificate templates support Windows Server 2008 features such as Cryptography Next Generation (CNG) and Suite B cryptographic algorithms such as elliptic curve cryptography You can use only . Services A. Windows Web Server 2008 B. Windows Server 2008 Standard C. Windows Server 2008 Enterprise D. Windows Server 2008 Datacenter 3. You want to implement key archiving in your organization Recovery,” in Windows Server 2008 PKI and Security , by Brian Komar (Microsoft Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Windows Server 2008 PKI and Security Press, 2008) . . cate Revocation,” in Windows Server 2008 PKI and Security , by Windows Server 2008 PKI and Security, by Windows Server 2008 PKI and Security Brian Komar (Microsoft Press, 2008) . Quick Check