Windows Server® 2008 Active Directory® Resource Kit

Book Description

Get the definitive, in-depth resource for designing, deploying, and maintaining Windows Server 2008 Active Directory in an enterprise environment. Written by experts on directory services and the Active Directory team at Microsoft, this technical resource is packed with concrete, real-world design and implementation guidance. You’ll get in-depth guidance on installation, Active Directory components, replication, security, administration, and more. You also get answers to common questions from network architects, engineers, and administrators about Windows Server 2008 Active Directory—plus scripts, utilities, job aids, and a fully searchable eBook on CD.

For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook.

Table of Contents

  1. Windows Server® 2008 Active Directory® Resource Kit
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. A Note Regarding Supplemental Files
    3. Acknowledgments
    4. Introduction
      1. Overview of Book
        1. Part I – Windows Server 2008 Active Directory Overview
        2. Part II – Designing and Implementing Windows Server 2008 Active Directory
        3. Part III – Administering Windows Server 2008 Active Directory
        4. Part IV – Maintaining Windows Server 2008 Active Directory
        5. Part V – Identity and Access Management with Active Directory
      2. Document Conventions
        1. Reader Aids
        2. Sidebars
        3. Command-Line Examples
      3. Companion CD
        1. Management Scripts
        2. Using the Scripts
      4. Find Additional Content Online
      5. Resource Kit Support Policy
    5. I. Windows Server 2008 Active Directory Overview
      1. 1. What’s New in Active Directory for Windows Server 2008
        1. What’s New in Active Directory Domain Services
          1. Read-Only Domain Controllers (RODC)
            1. Read-Only AD DS Database
            2. RODC Filtered Attribute Set
            3. Unidirectional Replication
            4. Credential Caching
            5. Administrator Role Separation
            6. Read-Only DNS
          2. Active Directory Domain Services Auditing
          3. Fine-Grained Password Policies
            1. Storing Fine-Grained Password Policies
            2. Resultant Set of Policy for Fine-Grained Password Policy
          4. Restartable Active Directory Domain Services
          5. Database Mounting Tool
          6. User Interface Improvements
            1. Improvements in the AD DS Installation Wizard
            2. Improvements to the AD DS Management Tools
        2. Additional Active Directory Service Roles
          1. Active Directory Certificate Services Role
          2. Active Directory Federation Services Role
          3. Active Directory Lightweight Directory Services Role
          4. Active Directory Rights Management Services Role
        3. Summary
      2. 2. Active Directory Domain Services Components
        1. AD DS Physical Structure
          1. The Directory Data Store
          2. Domain Controllers
          3. Global Catalog Servers
          4. Read-Only Domain Controllers
            1. Credential Caching on RODCs
            2. Delegating Administrative Permissions on RODC
            3. RODC Limitations
          5. Operations Masters
            1. Schema Master
            2. Domain Naming Master
            3. RID Master
            4. PDC Emulator
            5. Infrastructure Master
          6. Transferring Operations Master Roles
          7. The Schema
            1. Schema Components
            2. Modifying the Schema
              1. Creating a New Attribute
            3. Deactivating Schema Objects
        2. AD DS Logical Structure
          1. AD DS Partitions
            1. Domain Directory Partition
            2. Configuration Directory Partition
            3. Schema Directory Partition
            4. Global Catalog Partition
            5. Application Directory Partitions
          2. Domains
          3. Forests
          4. Trusts
            1. Transitive Two-Way Trusts
            2. Shortcut Trusts
            3. Forest Trusts
            4. External Trusts
            5. Realm Trusts
          5. Sites
          6. Organizational Units
            1. Using OUs to Delegate Administrative Rights
            2. Using OUs to Administer Groups of Objects
        3. Summary
        4. Additional Resources
          1. Related Tools
          2. Resources on the CD
          3. Related Help Topics
      3. 3. Active Directory Domain Services and Domain Name System
        1. Integration of DNS and AD DS
          1. Service Location (SRV) Resource Records
          2. SRV Records Registered by AD DS Domain Controllers
          3. DNS Locator Service
          4. Automatic Site Coverage
        2. AD DS Integrated Zones
          1. Benefits of Using AD DS Integrated Zones
          2. Default Application Partitions for DNS
          3. Managing AD DS Integrated Zones
            1. Configuring DNS Application Partitions
            2. Managing Dynamic DNS
            3. Aging and Scavenging
            4. Background Zone Loading
            5. DNS and Read-Only Domain Controllers
        3. Integrating DNS Namespaces and AD DS Domains
          1. DNS Delegation
          2. Forwarders and Root Hints
            1. Forwarders
            2. Conditional Forwarding
            3. Root Hints
            4. Stub Zones
          3. Troubleshooting DNS and AD DS Integration
          4. Troubleshooting DNS
          5. Troubleshooting SRV Record Registration
        4. Summary
        5. Best Practices
        6. Additional Resources
          1. Related Information
          2. Related Tools
          3. Resources on the CD
          4. Related Help Topics
      4. 4. Active Directory Domain Services Replication
        1. AD DS Replication Model
        2. Replication Process
          1. Update Types
          2. Replicating Changes
            1. Update Sequence Numbers
            2. High-Watermark Values
            3. Up-to-Dateness Vectors and Propagation Dampening
            4. Change Stamps and Conflict Resolution
            5. Replicating Object Deletions
        3. Replicating the SYSVOL Directory
        4. Intrasite and Intersite Replication
          1. Intrasite Replication
          2. Intersite Replication
          3. Replication Latency
          4. Urgent Replication
        5. Replication Topology Generation
          1. Knowledge Consistency Checker
          2. Connection Objects
            1. Modifying a Connection Object Created by KCC
            2. Creating a New Connection Object
          3. Intrasite Replication Topology
          4. Global Catalog Replication
          5. Intersite Replication Topology
          6. RODCs and the Replication Topology
        6. Configuring Intersite Replication
          1. Creating Additional Sites
          2. Site Links
          3. Site Link Bridges
          4. Replication Transport Protocols
            1. Configuring SMTP Replication
          5. Configuring Bridgehead Servers
        7. Troubleshooting Replication
          1. Process for Troubleshooting AD DS Replication Failures
          2. Tools for Troubleshooting AD DS Replication
            1. Active Directory Sites And Services
            2. Repadmin
            3. Dcdiag
            4. Additional Tools
        8. Summary
        9. Best Practices
        10. Additional Resources
          1. Related Information
          2. Related Tools
          3. Resources on the CD
          4. Related Help Topics
    6. II. Designing and Implementing Windows Server 2008 Active Directory
      1. 5. Designing the Active Directory Domain Services Structure
        1. Defining Directory Service Requirements
          1. Defining Business and Technical Requirements
            1. Business Requirements
            2. Functional Requirements
            3. Service Level Agreements
            4. Legal Requirements
            5. Security Requirements
            6. Project Constraints
          2. Documenting the Current Environment
            1. Documenting the Physical Network Infrastructure
            2. Documenting the Name Resolution Infrastructure
            3. Documenting the Active Directory Infrastructure
            4. Documenting Additional Infrastructure Components
            5. Documenting Administrative Models and Processes
        2. Designing the Forest Structure
          1. Forests and AD DS Design
          2. Single or Multiple Forests
          3. Designing Forests for AD DS Security
          4. Forest Design Models
            1. Organizational Forest Model
            2. Resource Forest Model
            3. Restricted Access Forest Model
          5. Defining Forest Ownership
          6. Forest Change Control Policies
        3. Designing the Integration of Multiple Forests
          1. Designing Inter-Forest Trusts
            1. Designing Forest Trusts
              1. Designing Forest Trust Direction
              2. Designing Selective Authentication
              3. Designing SID Filtering
              4. Designing UPN Suffix Routing
          2. Designing Directory Integration Between Forests
        4. Designing the Domain Structure
          1. Determining the Number of Domains
            1. Choosing a Single Domain
            2. Choosing Multiple Domains
          2. Designing the Forest Root Domain
          3. Designing Domain Hierarchies
          4. Domain Trees and Trusts
            1. Default Trust Configuration
            2. Shortcut Trusts
          5. Changing the Domain Hierarchy After Deployment
          6. Defining Domain Ownership
        5. Designing Domain and Forest Functional Levels
          1. Features Enabled at Domain Functional Levels
          2. Features Enabled at Forest Functional Levels
          3. Implementing a Domain and Forest Functional Level
        6. Designing the DNS Infrastructure
          1. Namespace Design
            1. Internal and External DNS Namespaces
              1. Using the Same Namespace Internally and Externally
              2. Using a Different Namespace Internally and Externally
            2. Namespace Design Options
            3. Integration with the Current DNS Infrastructure
        7. Designing the Organizational Unit Structure
          1. Organizational Units and AD DS Design
          2. Designing an OU Structure
            1. OU Design Based on Delegation of Administration
            2. OU Design Based on Group Policy Design
          3. Creating an OU Design
        8. Designing the Site Topology
          1. Sites and AD DS Design
          2. Creating a Site Design
          3. Creating a Replication Design
          4. Designing Server Locations
            1. Locating DNS Servers
            2. Locating Domain Controllers
            3. Locating Global Catalog Servers
            4. Designing Read-Only Domain Controller Deployments
              1. Designing RODC Placement
              2. Designing RODC Administration
              3. Designing Password Replication Policies
            5. Locating Operations Master Servers
        9. Summary
        10. Best Practices
        11. Additional Resources
          1. Related Information
          2. Resources on the CD
      2. 6. Installing Active Directory Domain Services
        1. Prerequisites for Installing AD DS
          1. Hard Disk Space Requirements
          2. Network Connectivity
          3. DNS
          4. Administrative Permissions
          5. Operating System Compatibility
        2. Understanding AD DS Installation Options
          1. Installation Configuration Tasks and the Add Roles Wizard
          2. Server Manager
          3. Active Directory Domain Services Installation
          4. Unattended Installation
        3. Using the Active Directory Domain Services Installation Wizard
          1. Deployment Configuration
          2. Naming the Domain
          3. Setting the Windows Server 2008 Functional Levels
          4. Additional Domain Controller Options
          5. File Locations
          6. Completing the Installation
          7. Verifying Installation of AD DS
        4. Performing an Unattended Installation
          1. Installing from Media
        5. Deploying Read-Only Domain Controllers
          1. Server Core Installation of Windows Server 2008
          2. Deploying the RODC
        6. Removing AD DS
          1. Removing Additional Domain Controllers
          2. Removing the Last Domain Controller
          3. Unattended Removal of AD DS
          4. Forced Removal of a Windows Server 2008 Domain Controller
        7. Summary
        8. Additional Resources
          1. Related Information
          2. Related Tools
      3. 7. Migrating to Active Directory Domain Services
        1. Migration Paths
          1. The Domain Upgrade Migration Path
            1. Windows NT 4.0 Upgrade
            2. Domain Upgrade
          2. Domain Restructuring
        2. Determining Your Migration Path
        3. Upgrading the Domain
          1. Upgrading from Windows 2000 Server and Windows Server 2003
            1. Preparing the Forest
            2. Preparing the Domain
        4. Restructuring the Domain
          1. Interforest Migration
            1. Creating the Pristine Forest
            2. Creating the Migration Accounts
            3. Creating the Trusts
            4. Installing the Active Directory Migration Tool
            5. Enabling Auditing in the Target and Source Domains
            6. Migrating Global Group and Domain Local Group Accounts
            7. Migrating User Accounts
            8. Identifying Service Accounts
            9. Migrating Computer Accounts
            10. Migrating Service Accounts
            11. Decommissioning the Source Domains
        5. Intraforest Migration
        6. Configuring Interforest Trusts
        7. Summary
        8. Best Practices
        9. Additional Resources
          1. Related Information
          2. Related Tools
    7. III. Administering Windows Server 2008 Active Directory
      1. 8. Active Directory Domain Services Security
        1. AD DS Security Basics
          1. Security Principals
          2. Access Control Lists
          3. Access Tokens
          4. Authentication
          5. Authorization
        2. Kerberos Security
          1. Introduction to Kerberos
          2. Kerberos Authentication
          3. Delegation of Authentication
          4. Configuring Kerberos in Windows Server 2008
          5. Integration with Public Key Infrastructure
          6. Integration with Smart Cards
          7. Interoperability with Other Kerberos Systems
          8. Troubleshooting Kerberos
            1. TCP/IP Network Connectivity Requirements
            2. Troubleshooting Authentication
        3. NTLM Authentication
        4. Implementing Security for Domain Controllers
          1. Decrease the Domain Controller Attack Surface
          2. Configuring the Default Domain Controllers Policy
            1. Configuring Domain Controller Audit Policy Settings
            2. Configuring Domain Controller Event Log Policy Settings
            3. Configuring Domain Controller User Rights Assignment Policy Settings
            4. Configuring Domain Controller Security Options Policy Settings
            5. Implementing SMB Signing
          3. Configuring SYSKEY
        5. Designing Secure Administrative Practices
        6. Summary
        7. Best Practices
        8. Additional Resources
          1. Related Information
          2. Related Tools
          3. Resources on the CD
          4. Related Help Topics
      2. 9. Delegating the Administration of Active Directory Domain Services
        1. Active Directory Administration Tasks
        2. Accessing Active Directory Objects
          1. Evaluating Deny and Allow ACEs in a DACL
        3. Active Directory Object Permissions
          1. Standard Permissions
          2. Special Permissions
          3. Permissions Inheritance
          4. Effective Permissions
          5. Ownership of Active Directory Objects
        4. Delegating Administrative Tasks
        5. Auditing the Use of Administrative Permissions
          1. Configuring the Audit Policy for the Domain Controllers
          2. Configuring Auditing on Active Directory Objects
        6. Tools for Delegated Administration
          1. Customizing the Microsoft Management Console
        7. Planning for the Delegation of Administration
        8. Summary
        9. Additional Resources
          1. Related Information
      3. 10. Managing Active Directory Objects
        1. Managing Users
          1. User Objects
          2. inetOrgPerson Objects
          3. Contact Objects
          4. Service Accounts
        2. Managing Groups
          1. Group Types
            1. Authorization Manager Application Groups
          2. Group Scope
          3. Default Groups in Active Directory
          4. Special Identities
          5. Creating a Security Group Design
        3. Managing Computers
        4. Managing Printer Objects
          1. Publishing Printers in Active Directory
          2. Printer Location Tracking
        5. Managing Published Shared Folders
        6. Automating Active Directory Object Management
          1. Command-Line Tools for Active Directory Management
          2. Using LDIFDE and CSVDE
            1. LDIFDE
            2. CSVDE
          3. Using VBScript to Manage Active Directory Objects
            1. Active Directory Scripting Components
            2. Creating and Running a VBScript
              1. Binding to an Object
              2. Creating an Object
              3. Saving Changes
              4. Modifying an Existing Object
            3. Using Windows PowerShell to Manage Active Directory Objects
            4. Cmdlet Syntax
            5. Accessing Active Directory Objects
            6. Using CSV Files
            7. Exchange Management Shell Commands
        7. Summary
        8. Best Practices
        9. Additional Resources
          1. Related Information
          2. Related Tools
          3. Resources on the CD
      4. 11. Introduction to Group Policy
        1. Group Policy Overview
          1. How Group Policy Works
          2. What’s New in Windows Server 2008 Group Policy?
        2. Group Policy Components
          1. Overview of the Group Policy Container
          2. Components of the Group Policy Template
          3. Replication of the Group Policy Object Components
        3. Group Policy Processing
          1. How Clients Process GPOs
          2. Initial GPO Processing
          3. Background GPO Refreshes
          4. How GPO History Relates to Group Policy Refresh
          5. Exceptions to Default Background Processing Interval Times
            1. Forcing a Background Refresh of Group Policy
            2. Processing GPOs over Changing Network Conditions
            3. Group Policy Loopback Processing
        4. Implementing Group Policy
          1. GPMC Overview
          2. Using the GPMC to Create and Link GPOs
          3. Modifying the Scope of GPO Processing
            1. Modifying the Link Order of GPO Links
            2. Enabling and Disabling Policy Processing
            3. Blocking and Enforcing GPO Processing
            4. Filtering GPO Processing Using Security Groups and WMI
              1. Overview of Security Filtering
              2. Using WMI Filters with GPOs
          4. Delegating the Administration of GPOs
          5. Implementing Group Policy Between Domains and Forests
        5. Managing Group Policy Objects
          1. Backing Up and Restoring GPOs
          2. Copying Group Policy Objects
          3. Importing Group Policy Object Settings
          4. Modeling and Reporting Group Policy Results
            1. Group Policy Modeling
            2. Group Policy Results
        6. Scripting Group Policy Management
        7. Planning a Group Policy Implementation
        8. Troubleshooting Group Policy
        9. Summary
        10. Additional Resources
          1. Related Information
      5. 12. Using Group Policy to Manage User Desktops
        1. Desktop Management Using Group Policy
        2. Managing User Data and Profile Settings
          1. Managing User Profiles
            1. How Local Profiles Work
            2. How Roaming Profiles Work
            3. Configuring Roaming Profiles
            4. Mandatory and Super Mandatory Profiles
          2. Using Group Policy to Manage Roaming User Profiles
          3. Folder Redirection
            1. Configuring Folder Redirection
              1. Configuring Basic Redirection
              2. Configuring Advanced Redirection
            2. Managing Offline Files for Folder Redirection
            3. Group Policy Settings for Folder Redirection
        3. Administrative Templates
          1. Understanding Administrative Template Files
          2. Managing Domain-based Template Files
          3. Best Practices for Managing ADMX Template Files
        4. Using Scripts to Manage the User Environment
        5. Deploying Software Using Group Policy
          1. Windows Installer Technology
          2. Deploying Applications
          3. Using Group Policy to Distribute Non–Windows Installer Applications
          4. Configuring Software Package Properties
            1. Setting the Default Software Installation Properties
            2. Installing Customized Software Packages
            3. Updating an Existing Software Package
            4. Configuring File Extension Activation
            5. Removing Software Deployed by Group Policy
          5. Using Group Policy to Configure Windows Installer
          6. Planning for Group Policy Software Installation
          7. Limitations to Using Group Policy to Manage Software
        6. Overview of Group Policy Preferences
          1. Group Policy Preferences vs. Policy Settings
          2. Group Policy Preferences Settings
            1. Windows Settings
            2. Control Panel Settings
          3. Group Policy Preferences Options
        7. Summary
        8. Additional Resources
          1. Related Information
          2. On the Companion CD
      6. 13. Using Group Policy to Manage Security
        1. Configuring Domain Security with Group Policy
          1. Overview of the Default Domain Policy
            1. Account Policies
              1. Password Policy
              2. Account Lockout Policy
              3. Kerberos Policy
            2. Local Policies
          2. Overview of the Default Domain Controllers Policy
            1. User Rights Assignment
            2. Security Options
          3. Recreating the Default GPOs for a Domain
          4. Fine-Grained Password Policies
            1. Planning for Fine-Grained Password Policies
            2. Implementing Fine-Grained Password Policies
            3. Understanding the Resultant PSO for a User
        2. Hardening Server Security Using Group Policy
          1. Software Restriction Policies
        3. Configuring Network Security Using Group Policy
          1. Configuring Wired Network Security
          2. Configuring Wireless Network Security
          3. Configuring Windows Firewall and IPsec Security
        4. Configuring Security Settings Using Security Templates
          1. Deploying Security Templates
            1. Using Group Policy to Deploy Security Templates
            2. Using the Security Configuration And Analysis Tool to Apply Security Templates
            3. Using the Secedit.exe Tool to Apply Security Templates
            4. Integrating the Security Configuration Wizard with Security Templates and Group Policy
        5. Summary
        6. Additional Resources
          1. Related Information
    8. IV. Maintaining Windows Server 2008 Active Directory
      1. 14. Monitoring and Maintaining Active Directory
        1. Monitoring Active Directory
          1. Why Monitor Active Directory
            1. Benefits of Monitoring Active Directory Domain Services
            2. Costs of Active Directory Monitoring
          2. Monitoring Server Reliability and Performance
            1. Resource Overview
            2. Performance Monitor
            3. Reliability Monitor
            4. Overview of Data Collector Sets and Reports
          3. How to Monitor Active Directory
            1. Establishing the Baselines and Thresholds
            2. Performance Counters and Thresholds
              1. Active Directory Performance
              2. Replication Performance Counters
              3. Security Subsystem Performance
              4. Core Operating System Performance
            3. Monitoring Active Directory with Event Viewer
          4. What to Monitor
          5. Monitoring Replication
        2. Active Directory Database Maintenance
          1. Garbage Collection
          2. Online Defragmentation
          3. Offline Defragmentation of the Active Directory Database
          4. Managing the Active Directory Database Using Ntdsutil
            1. Recovering the Transaction Logs
            2. Checking the Database for Integrity
            3. Semantic Database Analysis
            4. Moving Database and Transaction Log Locations
        3. Summary
        4. Additional Resources
          1. Related Information
      2. 15. Active Directory Disaster Recovery
        1. Planning for a Disaster
        2. Active Directory Data Storage
        3. Backing Up Active Directory
          1. The Need for Backups
          2. Tombstone Lifetime
          3. Backup Frequency
        4. Restoring Active Directory
          1. Restoring Active Directory by Creating a New Domain Controller
          2. Performing a Nonauthoritative Restore of Active Directory
            1. Nonauthoritative Restore on an Existing Server
            2. Full Server Recovery of a Domain Controller
          3. Performing an Authoritative Restore of Active Directory
            1. Restoring Computer Accounts
            2. Performing an Authoritative Restore
          4. Restoring Group Memberships
            1. Group Membership Maintenance
            2. Linked Value Replication
            3. Recovering Group Membership from Backlinks
            4. Recovering Domain Local Group Memberships in Remote Domains
            5. Restoring Groups
          5. Reanimating Tombstone Objects
            1. The Reanimation Process
          6. Using the Active Directory Database Mounting Tool
            1. Managing Active Directory Snapshots
            2. Exposing and Accessing Active Directory Snapshots
          7. Restoring SYSVOL Information
          8. Restoring Operations Masters and Global Catalog Servers
            1. PDC Emulator
            2. Schema Master
            3. Domain Naming Master
            4. Infrastructure Master
            5. Relative Identifier (RID) Master
            6. Global Catalog Servers
        5. Summary
        6. Best Practices
        7. Additional Resources
          1. Related Information
          2. Related Tools
    9. V. Identity and Access Management with Active Directory
      1. 16. Active Directory Lightweight Directory Services
        1. AD LDS Overview
          1. AD LDS Features
          2. AD LDS Deployment Scenarios
        2. AD LDS Architecture and Components
          1. AD LDS Servers
          2. AD LDS Instances
          3. Directory Partitions
            1. Configuration Directory Partition
            2. Schema Directory Partition
            3. Application Directory Partitions
          4. AD LDS Replication
            1. Configuration Sets
            2. AD LDS Replication Security
          5. AD LDS Security
            1. Security Principals in AD LDS
            2. Default Groups in AD LDS
            3. Assigning Permissions in AD LDS
            4. Authentication in AD LDS
              1. Simple LDAP Bind for AD LDS Security Principals
              2. SASL Bind for Windows Security Principals
              3. Bind Redirection for AD LDS Proxy Objects
        3. Implementing AD LDS
          1. Configuring Instances and Application Partitions
          2. AD LDS Management Tools
            1. Using the ADSI Edit Tool
            2. Using the Ldp.exe Tool
            3. Using the Dsdbutil Tool
            4. Configuring Access Control
          3. Configuring Replication
            1. Creating AD LDS Replicas
            2. Configuring AD LDS Sites
          4. Backing Up and Restoring AD LDS
            1. Backing Up AD LDS
            2. Restoring AD LDS
              1. Restore an Existing AD LDS Instance
              2. Restore an AD LDS Instance to a New Server
            3. Authoritatively Restore an AD LDS Instance
        4. Configuring AD DS and AD LDS Synchronization
        5. Summary
        6. Best Practices
        7. Additional Resources
          1. Related Tools
          2. Resources on the CD
          3. Related Help Topics
      2. 17. Active Directory Certificate Services
        1. Active Directory Certificate Services Overview
          1. Public Key Infrastructure Components
            1. Certificate and CA Management Tools
            2. Digital Certificates
            3. Certification Authorities
            4. Certificate Revocation List
            5. Certificate Templates
            6. Certificate and CRL Distribution Points
            7. Public Key-Enabled Applications
          2. Certification Authorities
            1. CA Hierarchy
            2. Enterprise and Stand-Alone CAs
            3. Offline CAs
          3. Certificate Services Deployment Scenarios
        2. Implementing AD CS
          1. Installing AD CS Root Certification Authorities
            1. CAPolicy.inf
            2. Hardware Security Modules
          2. Installing AD CS Subordinate Certification Authorities
          3. Configuring Web Enrollment
          4. Configuring Certificate Revocation
            1. CRL Configuration
            2. Online Responder Configuration
              1. Installing an Online Responder
              2. Configuring CAs
              3. Configuring an OCSP Response Signing Certificate
              4. Configuring Revocation Information
              5. Online Responder Arrays
          5. Managing Key Archival and Recovery
            1. Manual Key Archival
            2. Automatic Key Archival
              1. Designate Key Recovery Agents
              2. Enable Key Archival on the CA
              3. Configure Certificate Templates
              4. Recover an Archived Key
              5. Import the Recovered Key
        3. Managing Certificates in AD CS
          1. Configuring Certificate Templates
            1. Configure Certificate Template Security
            2. Deploy Certificate Templates
            3. Update Certificate Templates
          2. Configuring Certificate Autoenrollment
          3. Managing Certificate Acceptance with Group Policy
          4. Configuring Credential Roaming
        4. Designing an AD CS Implementation
          1. Designing a CA Hierarchy
            1. Prepare to Design a CA Hierarchy
            2. Hierarchy Types
            3. CA Hierarchy Roles
            4. Role Separation for Management
          2. Designing Certificate Templates
            1. Validity and Renewal Periods
            2. Certificate Purpose
            3. Subject Name Requirements
            4. Issuance Policies
            5. Issuance Security
          3. Designing Certificate Distribution and Revocation
            1. Certificate Distribution
            2. Certificate Revocation
        5. Summary
        6. Best Practices
        7. Additional Resources
          1. Related Information
          2. Related Tools
      3. 18. Active Directory Rights Management Services
        1. AD RMS Overview
          1. AD RMS Features
          2. AD RMS Components
            1. AD RMS Root Cluster
            2. Web Services
            3. Licensing-only Clusters
            4. Active Directory Domain Services (AD DS)
            5. Database Services
            6. AD RMS Client
          3. How AD RMS Works
          4. AD RMS Deployment Scenarios
            1. Deploying AD RMS within the Corporate Intranet
            2. Deploying AD RMS to Users over the Internet
            3. Deploying AD RMS with Active Directory Federation Services
        2. Implementing AD RMS
          1. Preinstallation Considerations Before Installing AD RMS
          2. Installing AD RMS Clusters
          3. Configuring the AD RMS Service Connection Point
          4. Working with AD RMS Clients
            1. Configuring Client Service Discovery
            2. Creating Rights-Protected Content with Microsoft Office
        3. Administering AD RMS
          1. Managing Trust Policies
            1. Trusted User Domains
            2. Trusted Publishing Domains
            3. Federated Identity Support
          2. Managing Rights Policy Templates
            1. Creating a New Distributed Rights Policy Template
            2. Distributing Rights Policy Templates
          3. Configuring Exclusion Policies
          4. Configuring Security Policies
            1. Managing Super Users
            2. Changing the Cluster Key Password
            3. Decommissioning AD RMS
          5. Viewing Reports
        4. Summary
        5. Additional Resources
          1. Related Information
      4. 19. Active Directory Federation Services
        1. AD FS Overview
          1. Identity Federation
          2. Web Services
          3. AD FS Components
            1. Federation Trusts
            2. Account Partner
            3. Resource Partner
            4. Federation Service
            5. Federation Claims
            6. Federation Service Proxy
            7. AD FS Web Agents
          4. AD FS Deployment Designs
            1. Web SSO Design
            2. Federated Web SSO Design
            3. Federated Web SSO with Forest Trust Design
        2. Implementing AD FS
          1. AD FS Deployment Requirements
            1. Network Requirements
            2. Client Web Browser Requirements
            3. Account Store Requirements
              1. AD DS
              2. AD LDS
            4. Web Server Requirements
            5. Public Key Infrastructure (PKI) Requirements
              1. Certificates Used by Federation Servers
              2. Certificates Used by Federation Server Proxies
              3. Certificates Used by the AD FS Web Agent
          2. Implementing AD FS in a Federation Web SSO Design
            1. Implementing Federation Web SSO Design Overview
              1. Preparing the Environment
              2. Configuring the Account Federation Partner
              3. Configuring the Resource Federation Partner
              4. Configuring the Web Server and Web-based Applications
            2. Deploying Federation Servers
            3. Deploying Federation Service Proxy Servers
            4. Deploying the AD FS Web Agent
          3. Configuring the Account Partner Federation Service
            1. Configuring the Trust Policy
            2. Configuring Organization Claims
            3. Adding an Account Store
            4. Adding Group and Custom Claims Extractions
            5. Adding a Resource Partner
            6. Adding Outgoing Claim Mappings
          4. Configuring Resource Partner AD FS Components
            1. Configuring Applications
            2. Adding Account Partners
            3. Adding Incoming Claim Mappings
          5. Configuring AD FS for Windows NT Token-based Applications
          6. Implementing a Web SSO Design
          7. Implementing a Federated Web SSO with Forest Trust Design
        3. Summary
        4. Best Practices
        5. Additional Resources
          1. Resources on the CD
          2. Related Help Topics
    10. A. About the Authors
    11. B. System Requirements
    12. Index
    13. SPECIAL OFFER: Upgrade this ebook with O’Reilly