Basem Hamed
basemhamed@egyptnetriders.com
01001582348
Egypt NetRiders | Press
Index

1st Book ........................................................ 5
  INTRO ......................................................... 6
  Preparing to Install Active Directory ......................... 7
  How to join a physical computer to a domain .................. 14
  Types of AD DS Objects ....................................... 16
  Difference between a computer account and a user account ..... 17
    Computer account ........................................... 17
    User account ............................................... 18
  Groups vs. Organizational Unit ............................... 23
  Groups ....................................................... 25
    Group Type ................................................. 25
  Forest, Tree, Domain ......................................... 31
    Additional domain controller ............................... 33
    RODC ....................................................... 38
    Child Domain ............................................... 50
    Tree Root .................................................. 54
  Active Directory Partitions .................................. 59
  FSMO Roles ................................................... 64
  Active Directory Sites and Replication ....................... 70
  Trust ........................................................ 77
  Group Policy ................................................. 79
    Deploy Software ............................................ 87
    Restricted Groups .......................................... 91
    Security in Group Policy ................................... 93
    Group Policy Templates .................................... 104
  Backup & Restore ............................................ 110
2nd Book ...................................................... 119
  Active Directory Certificate Services (Certification Authority) ... 120
    Certificates .............................................. 121
    Installing Certificate Services ........................... 122
    KRA (Key Recovery Agent) .................................. 154
  Active Directory Rights Management Services ................. 176
  Active Directory Federation Services ........................ 195
    Install Federation Service ................................ 212
  Active Directory Lightweight Directory Services ............. 229
  Resources ................................................... 242
Course 6426A: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Active Directory
INTRO
Workgroup vs. Domain

Workgroup: every machine keeps its own local accounts and is administered on its own; there is no central authority, so a user needs a separate account on every machine he uses.

Domain: machines are joined to the domain and authenticate against a domain controller. This is what gives security and centralized administration: one account and one set of policies for the whole network.

A domain controller runs a server operating system. The course uses the Windows Server family (from Windows NT Server through Windows Server 2008 R2 and Windows Server 2012); RedHat is mentioned as the comparable Linux server platform.

Course module: Configuring and Troubleshooting Active Directory
Preparing to Install Active Directory

Give the server a static IP address and subnet mask (a domain controller must not take its address from DHCP), then Start > Run > dcpromo to install Active Directory Domain Services.
dcpromo asks where the new domain fits: the first domain of a new forest, a new tree in an existing forest, or a child domain of an existing domain.
Enter the FQDN of the forest root domain (the course uses ciscawy.com). dcpromo checks that no existing domain or forest already uses that name.
The domain controller also runs DNS. Point the machine's DNS client at the domain controller's IP address (on the first DC, its own address), otherwise domain members cannot locate the DC.

Global Catalog (GC)

A partition of the data store called the global catalog (also known as the partial attribute set) contains a partial copy of every object in every domain of the forest, including objects from trusted domains, so it can be used to locate objects anywhere in the directory. Programmatic interfaces such as Active Directory Services Interface (ADSI) and protocols such as LDAP can be used to read and manipulate the data store.

By default the first domain controller in the forest is a GC. Without a GC, a search is limited to the local domain; with one, the search covers the whole forest.
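The difference between a GC search and a domain search, as an added example that is not part of the course notes. It assumes the ActiveDirectory module (RSAT on Windows 7 or a Windows Server 2008 R2 DC), the forest ciscawy.com and a user named ahmed; the GC listens on TCP 3268 beside the normal LDAP port 389.

```powershell
# Added example (not from the course notes): find a Global Catalog and compare a
# forest-wide lookup on the GC port (TCP 3268) with a domain-scoped lookup (TCP 389).
# Assumes the ActiveDirectory module and the forest ciscawy.com.
Import-Module ActiveDirectory

# Which DCs advertise the GC role (the first DC of the forest does by default)
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, IsGlobalCatalog

# Locate one GC through the DC locator, the same mechanism clients use
$gc = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName

# Forest-wide search: objects of every domain, but only attributes that are in the
# partial attribute set come back; anything else is empty
Get-ADUser -LDAPFilter '(sAMAccountName=ahmed)' -Server "${gc}:3268" -Properties mail |
    Select-Object DistinguishedName, mail

# Domain-scoped search against the same server: full attribute set, this domain only
Get-ADUser -LDAPFilter '(sAMAccountName=ahmed)' -Server "${gc}:389" -Properties * |
    Select-Object DistinguishedName, whenCreated, PasswordLastSet
```

If ahmed lives in another domain of the forest, the 3268 query still finds him while the 389 query returns nothing; that is the "Forest vs. Domain search" distinction above.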
How to join a physical computer to a domain

1. On the computer, set TCP/IP so that its DNS server is the domain controller; without that it cannot find the domain.
2. System Properties > Computer Name > Change > Domain: enter the domain name (ciscawy.com).
3. Supply the credentials of an account that is allowed to join computers to the domain (the course uses Administrator).
4. Restart. After the restart the logon screen accepts domain accounts: log on with DOMAIN\login name, or with the UPN form user@ciscawy.com.
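The same join done from PowerShell, as an added example (not the course's own steps). It assumes a Windows 7 client with the RSAT ActiveDirectory module, an OU named Workstations in ciscawy.com and a DC at 192.168.1.10; the last line is run on a DC, not on the client.

```powershell
# Added example (not from the course): join a workstation to ciscawy.com and put its computer
# account in a chosen OU instead of the default Computers container.
# Assumed names: OU=Workstations,DC=ciscawy,DC=com and the DC address 192.168.1.10.

# 1. DNS must point at a DC; verify the locator records resolve before joining
netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.1.10
nslookup -type=SRV _ldap._tcp.dc._msdcs.ciscawy.com      # must list at least one DC

# 2. Join with an account that is allowed to add computers, landing in the right OU
$cred = Get-Credential -Message 'Account allowed to join computers to ciscawy.com'
Add-Computer -DomainName 'ciscawy.com' -OUPath 'OU=Workstations,DC=ciscawy,DC=com' -Credential $cred
Restart-Computer

# 3. After the reboot: confirm the machine has a working secure channel with a DC
Test-ComputerSecureChannel -Verbose

# 4. Domain-side hardening (run on a DC as Domain Admin): by default every authenticated user
#    may join up to 10 computers; set the quota to 0 so only delegated accounts can add machines
Set-ADDomain -Identity 'ciscawy.com' -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
```

With the quota at 0, joining requires the "Create Computer objects" permission on the OU (or pre-created accounts), which is the delegation the course describes for the RODC later on.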
Types of AD DS Objects

Every object is described by a set of attributes. The main object types:

- User accounts: enable single sign-on for a user and provide access to resources.
- Computer accounts: enable authentication and auditing of computer access to resources.
- InetOrgPerson: similar to a user account; used for compatibility with other directory services.
- Organizational Unit: used to group similar objects for administration and for applying Group Policy.
- Group accounts: help simplify administration and the assignment of permissions.
- Printers: used to simplify the process of locating and connecting to printers.
- Shared folders: used to simplify the process of locating and connecting to shared folders.

To create any of them: Start > Administrative Tools > Active Directory Users and Computers, right-click the domain (or an OU) > New > the object type.
Computer account

A computer account is created automatically when a machine (Windows 2000/2003 or later) joins the domain; by default it is placed in the Computers container, or in the OU where it was pre-created. The computer authenticates to the domain with its own account and its own machine password, independently of whichever user logs on; that is what distinguishes a computer account from a user account.
User account

Creating a user in Active Directory Users and Computers asks for the full name, the user logon name and a password. Accounts that are not yet in use should be created (or left) disabled: an enabled account that nobody uses is an easy target for attackers, because nobody notices when it is abused.

Creating many accounts by hand (say 100) is slow, so use the command line. dsadd is the directory-service tool for creating objects from cmd:

dsadd user "cn=ahmed,ou=it,dc=ciscawy,dc=com" -disabled yes

cn is the common name (ahmed), ou the organizational unit (it) and dc the domain components (ciscawy.com). Check in Active Directory Users and Computers that the account exists and shows as disabled; set a password and enable it only when the person starts:

dsmod user "cn=ahmed,ou=it,dc=ciscawy,dc=com" -pwd <password> -mustchpwd yes -disabled no

An OU is created the same way:

dsadd ou "ou=sales,dc=ciscawy,dc=com"

This creates the OU sales directly under the ciscawy.com domain.
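The bulk creation the dsadd commands above are meant for, as an added example that is not from the course notes. It assumes the ActiveDirectory module on a Windows Server 2008 R2 DC; the two users are constructed sample input standing in for a CSV file.

```powershell
# Added example (not from the course): create the sales OU and a batch of disabled user accounts,
# the PowerShell equivalent of the dsadd commands in the text. Sample users are constructed here;
# in practice they come from Import-Csv users.csv.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain -Identity 'ciscawy.com').DistinguishedName   # DC=ciscawy,DC=com

# Create the OU once, protected against accidental deletion
if (-not (Get-ADOrganizationalUnit -Filter 'Name -eq "sales"' -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'sales' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

$users = @(
    (New-Object PSObject -Property @{ Sam = 'ahmed'; Given = 'Ahmed'; Surname = 'Ali' }),
    (New-Object PSObject -Property @{ Sam = 'mona';  Given = 'Mona';  Surname = 'Samir' })
)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

foreach ($u in $users) {
    # A unique random initial password per account (never one shared password for the batch);
    # the user must change it at first logon, and the account stays disabled until then.
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $u.Sam -SamAccountName $u.Sam -GivenName $u.Given -Surname $u.Surname `
        -UserPrincipalName "$($u.Sam)@ciscawy.com" -Path "OU=sales,$domainDn" `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $false
}

# Enable an account only when its owner actually starts:
#   Enable-ADAccount -Identity ahmed
Get-ADUser -Filter * -SearchBase "OU=sales,$domainDn" | Select-Object SamAccountName, Enabled
```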
User Templates

Instead of filling in the same attributes for every new user of a department, create one user with the shared attributes (group memberships, OU, profile path, logon hours) and right-click it > Copy: the copy inherits those attributes, while the name, logon name and password are entered fresh.

Security Identifier (SID)

Every security principal (user, group, computer) is identified internally by a SID, not by its name. Renaming an account does not change its SID, and permissions on resources refer to the SID, so the name can change without permissions breaking. A domain SID has the form

S-1-5-21-<sub-authority-1>-<sub-authority-2>-<sub-authority-3>-<RID>

where the first part (S-1-5-21-...) identifies the domain and the last part, the relative identifier (RID), identifies the account within the domain. RIDs below 1000 are well known: 500 is the built-in Administrator and 512 is Domain Admins, whatever those objects have been renamed to. (S-1-5-32-... is the BUILTIN domain of a local machine, not a domain SID.)

To see your own SID: Start > Run > cmd > whoami /user

Types of users

Administrator, below it the legacy Power Users group, and ordinary (standard) users.

Domain users log on with DOMAIN\user or with the user principal name (UPN) user@ciscawy.com; the Windows 7 logon screen accepts either form.

Security note: the domain name, the UPN suffix and the account naming convention are among the first things an attacker collects when footprinting an organization, so do not leak the internal namespace more than necessary.
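Taking a SID apart, as an added example that is not from the course notes. It uses only .NET classes, so it runs on any domain member; the second SID is constructed sample input with a made-up domain part.

```powershell
# Added example (not from the course): decompose a SID as printed by "whoami /user" into its
# domain part and RID, and flag the well-known RIDs. The second SID below is constructed input.
function Split-Sid {
    param([Parameter(Mandatory = $true)][string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $rid = [int]($SidString.Split('-')[-1])
    # AccountDomainSid is null for BUILTIN (S-1-5-32-...) and other non-domain SIDs
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(none: built-in or well-known SID)' }
    # Resolving to a name fails for a SID from a domain this machine does not know
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '<unresolved>' }
    New-Object PSObject -Property @{
        Sid       = $sid.Value
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = ($rid -lt 1000)   # 500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, ...
        Account   = $account
    }
}

# Your own SID, exactly what "whoami /user" prints
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Split-Sid -SidString $me

# Constructed sample: RID 500 identifies the built-in Administrator even after it was renamed
Split-Sid -SidString 'S-1-5-21-1004336348-1177238915-682003330-500'
```

This is also why renaming Administrator is only cosmetic: any tool that looks up RID 500 in the domain SID finds the account regardless of its name.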
Organizational Unit (OU)

- A container inside the domain used to organize Active Directory objects (users, computers, groups) by department or location.
- Lets you delegate administration of part of the domain, for example so that a helpdesk can monitor and troubleshoot one department without domain-wide rights.
- The unit to which Group Policy is linked, so a policy can target just the users and computers in that OU.

When creating an OU, leave "Protect container from accidental deletion" ticked: it blocks deletion of the OU (and everything in it) until the flag is cleared deliberately.
GROUPS

Groups are what you assign permissions to (Read, Write, Full Control); assigning permissions to individual users does not scale.

Create a group: Start > Administrative Tools > Active Directory Users and Computers > right-click the OU > New > Group.
Grant it permissions on a resource: right-click the folder or object > Properties > Security tab > Edit, add the group, tick the permissions.
Group types

- Distribution group: used only as an e-mail list by a mail server (Exchange). It is not a security principal, so it never appears in an access token and cannot be used to assign permissions or apply policy.
- Security group: used to assign permissions and to filter policy; it can also be mail-enabled. Since the mail server must expand the membership to deliver, using very large security groups for mail can add delay.
Group scope

Scope          Can contain (members)                          Can be granted permissions (access) on
-------------  ---------------------------------------------  -----------------------------------------
Global         Users and groups from the same domain only     Resources in any trusted domain
Universal      Users and groups from any domain in the        Resources in any trusted domain
               forest; membership is stored in the Global
               Catalog
Domain Local   Users and groups from any domain               Resources in its own domain only

Group scope conversion: Global can be converted to Universal (if it is not a member of another Global group); Universal to Global or Domain Local; Domain Local to Universal (if it contains no Domain Local group). The scope and type are set on the group's General tab; the Object tab is only visible with View > Advanced Features.
NESTING

1. Member OF: which groups a group may be nested in

This group      Can be a member of
--------------  ----------------------------------------------
Global          Global (same domain), Domain Local, Universal
Domain Local    Domain Local only (same domain)
Universal       Universal, Domain Local

2. Member IN: what a group may contain

This group      Can contain
--------------  ----------------------------------------------
Global          Global (same domain only)
Domain Local    Global, Universal, Domain Local (same domain)
Universal       Global, Universal

To nest: double-click a group > Members tab (or Member Of tab) > Add. The usual pattern (AGDLP) is: accounts into Global groups, Global groups into Domain Local groups, permissions on the Domain Local group.
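Nesting is also how an account ends up with rights nobody can see on a group's Members tab. The following is an added example, not from the course notes: it expands privileged groups through every level of nesting. It assumes the ActiveDirectory module and is run in the forest root domain, where Enterprise Admins and Schema Admins exist.

```powershell
# Added example (not from the course): expand privileged groups through all levels of nesting
# and report every account that ends up inside, with the chain of groups that got it there.
Import-Module ActiveDirectory

function Get-NestedMembers {
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [string[]]$Chain = @(),
        [hashtable]$Seen = @{}
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    if ($Seen.ContainsKey($g.DistinguishedName)) { return }   # guard against circular nesting
    $Seen[$g.DistinguishedName] = $true
    $path = $Chain + $g.Name

    foreach ($dn in $g.member) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
        if ($obj.ObjectClass -eq 'group') {
            Get-NestedMembers -Group $dn -Chain $path -Seen $Seen
        } else {
            # a foreignSecurityPrincipal is an account from a trusted domain; it has no sAMAccountName here
            $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
            New-Object PSObject -Property @{
                Member = $name
                Class  = $obj.ObjectClass
                Via    = ($path -join ' > ')
                Depth  = $path.Count
            }
        }
    }
}

$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$privileged | ForEach-Object { Get-NestedMembers -Group $_ } |
    Sort-Object Member | Format-Table Member, Class, Depth, Via -AutoSize
```

Every row with Depth greater than 1 is an account that holds administrative rights through a nested group; review those chains, and keep the Domain Local groups that carry permissions free of members from domains you do not control.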
Forest, Tree, Domain

Running dcpromo on the first server creates the first domain. That domain is the forest root domain (the "primary" domain): DNS is installed with it, its DC is a Global Catalog by default, and it is placed in the site Default-First-Site-Name.

Once the domain exists, further DCs can be added as:
- an additional domain controller in the same domain (redundancy and load balancing),
- a Read-Only Domain Controller (RODC) for a branch office,
- the first DC of a child domain or of a new tree (both described below).

A forest can hold many trees, and each tree many domains, with different DNS namespaces; all of them share one schema, one configuration and one Global Catalog.

Additional domain controller

With a few hundred users (the course uses 500) a single DC is both a bottleneck and a single point of failure, so add a second DC to the same domain. It receives a full replica of every object in the domain, and clients authenticate against either one. Steps: join the machine to the domain (set TCP/IP so that DNS points at the existing DC), run dcpromo, choose "Existing forest > Add a domain controller to an existing domain", and click Next through the wizard.

During the wizard you set the Directory Services Restore Mode (DSRM) administrator password. It is needed to boot the DC into restore mode and is separate from the domain Administrator password, so record it securely.

DNS registers SRV records for each DC with a Priority and a Weight: clients prefer the DC with the lowest priority and, among equal priorities, choose in proportion to the weight. That is how logon load is shared between the two DCs.
Read-Only Domain Controller (RODC)

- Provides valuable support for branch office scenarios by authenticating users in the branch office.
- RODCs reduce the security risk associated with placing a domain controller in a less secure site: the database is read-only and, by default, holds no account passwords.
- You can configure which credentials an RODC will cache (the Password Replication Policy).
- You can also delegate administration of the RODC without granting permissions to other domain controllers or to the domain.

Pre-creating the RODC account (on a writable DC in ciscawy.com, logged on as Enterprise Admin):
Start > Administrative Tools > Active Directory Users and Computers > right-click the Domain Controllers container > Pre-create Read-only Domain Controller account. In the wizard, choose the user (or group) to whom installation and local administration of the RODC are delegated; that person does not need to be a domain administrator. The pre-created account appears under Domain Controllers with the RODC icon.

On the RODC machine: set TCP/IP (DNS pointing at the writable DC, plus the default gateway), then run dcpromo (or dcpromo /UseExistingAccount:Attach) with the delegated user's credentials, choose the existing forest and click Next through the wizard.
After Next > Install, the server appears under Domain Controllers with the RODC icon. Behaviour to remember:

- The RODC holds a read-only replica of the domain; every change is made on a writable DC and replicates one way to the RODC.
- It caches passwords only for the accounts that the Password Replication Policy allows. A user whose password is not cached is still authenticated, but the RODC forwards the request to a writable DC over the WAN (a short delay); if the WAN is down, that user cannot log on.
- Objects cannot be created on the RODC; create them on a writable DC as a domain or enterprise administrator, and they replicate to the RODC.

Password Replication Policy (PRP)

Start > Administrative Tools > Active Directory Users and Computers > Domain Controllers > right-click the RODC > Properties > Password Replication Policy tab.

- Allow: accounts whose passwords may be cached on this RODC. Add the branch users (preferably as a group) with Allow, then OK.
- Deny: accounts that must never be cached. By default Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Server Operators, Backup Operators, Cert Publishers and krbtgt are denied; leave them denied, so that a stolen RODC yields no privileged credentials.
- Advanced shows two lists: accounts whose passwords are actually stored on the RODC, and accounts that have authenticated through it. Prepopulate Passwords pushes the passwords of chosen allowed users (the course uses ahmed) to the RODC now, so that they can log on even if the WAN is down at their first logon.

An RODC belongs to one domain. A forest with two domains needs an RODC per domain at the branch if users of both domains log on there.
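The PRP checks a practitioner runs after building the RODC, as an added example that is not from the course notes. It assumes an RODC named RODC1, a group named Dekernes Users and a writable DC named DC1, all in ciscawy.com, and the ActiveDirectory module on a writable DC.

```powershell
# Added example (not from the course): review the Password Replication Policy of an RODC and
# verify that no privileged account has its secret cached there.
# Assumed names: RODC1, DC1 and the group "Dekernes Users" in ciscawy.com.
Import-Module ActiveDirectory
$rodc = 'RODC1'

# 1. Allow the branch users (a group, not individual accounts) to be cached
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Dekernes Users'

# 2. The deny list must still contain the privileged groups the wizard put there
$deniedNames = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    ForEach-Object { $_.Name }
$mustDeny = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
            'Account Operators', 'Server Operators', 'Backup Operators', 'krbtgt'
foreach ($g in $mustDeny) {
    if ($deniedNames -notcontains $g) { Write-Warning "$g is NOT denied on $rodc" }
}

# 3. Accounts whose passwords are physically stored on the RODC right now: none of them may be a
#    protected account (adminCount=1, maintained by AdminSDHolder), whatever the lists say
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    ForEach-Object {
        $o = Get-ADObject -Identity $_.DistinguishedName -Properties adminCount
        if ($o.adminCount -eq 1) { Write-Warning "privileged account $($_.Name) is cached on $rodc" }
    }

# 4. Accounts that authenticated through the RODC but are not cached: candidates for the allow list
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, DistinguishedName

# 5. Prepopulate one user's password now, so the branch can log him on while the WAN is down
#    (DC1 is the writable source; it fails if the user is not covered by the allow list):
#    repadmin /rodcpwdrepl RODC1 DC1 "CN=ahmed,OU=it,DC=ciscawy,DC=com"
```

If step 3 ever reports a privileged account, treat that RODC as compromised for that account: reset the password on a writable DC and check how the account got past the deny list.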
Child Domain

- A child domain is a sub-domain of an existing domain in the same tree (for example sales.ciscawy.com under ciscawy.com).
- It has its own domain partition (database): its users and objects are separate from the parent's, and the parent's Domain Admins are not automatically administrators of the child. This is the difference from an additional DC or an RODC, which replicate the same domain database and add no new objects.
- Creating it requires Enterprise Administrator credentials, because the forest-wide configuration is updated.

Steps: on the new machine set TCP/IP with DNS pointing at the parent's DC; run dcpromo, tick "Use advanced mode installation", choose "Existing forest > Create a new domain in an existing forest", supply Enterprise Admin credentials, enter the parent FQDN and the child name, and make the first DC a DNS server and Global Catalog (dcpromo creates the DNS delegation in the parent zone). Next > Next > finish and restart. The child's objects now live in their own partition.

To manage another domain of the forest from Active Directory Users and Computers: right-click the domain node > Change Domain > Browse, and pick the domain.
Tree Root

A new tree is a domain with a separate DNS namespace inside the same forest (A.com and B.com), each with its own domain database. Because it is still one forest there is only one Enterprise Admins group (in the forest root), one schema and one Global Catalog, and two-way transitive trust between the trees is automatic. Users log on as user@A.com and user@B.com.

Steps (needs Enterprise Admin): on the new machine set TCP/IP with DNS pointing at the forest root DC; Start > Run > dcpromo; advanced mode; "Existing forest > Create a new domain in an existing forest" and tick "Create a new domain tree root instead of a new child domain"; Browse to the forest; name the tree root domain; install DNS and GC; Next > Next. The new domain's objects appear in its own partition. Switch to it from Active Directory Users and Computers with right-click > Change Domain > Browse; it is also listed under the forest in Active Directory Domains and Trusts, and the forest's Enterprise Administrator can administer the new tree.
Active Directory Partitions

The directory database is divided into naming contexts (partitions) with different replication scopes.

Forest level:
1. Schema partition: the definitions of every object class and attribute. One per forest, replicated to every DC. Only Schema Admins can change it, and changes cannot be rolled back, so editing it by hand is not recommended: a failed schema change affects the whole forest.
2. Configuration partition: forest-wide infrastructure: sites, subnets, site links, replication topology, and the services container (certificates, Exchange and so on). One per forest, on every DC. Active Directory Sites and Services edits the sites part of it.

Domain level:
3. Domain partition: the users, computers, groups and OUs of one domain; replicated only to that domain's DCs (and, as the partial attribute set, to GCs).
4. Application partitions: data replicated to a chosen set of DCs, in any domain, used by software. DNS is the main example: Active Directory-integrated zones are stored by default in the DomainDnsZones and ForestDnsZones application partitions (they can also be kept in the domain partition for Windows 2000 compatibility).

To browse partitions: Start > Administrative Tools > ADSI Edit > right-click > Connect to > choose the naming context (Schema, Configuration, Default naming context, or an application partition by its DN, such as DC=DomainDnsZones,DC=ciscawy,DC=com).

DNS zone types (Start > Administrative Tools > DNS): Primary, Secondary, Stub and Active Directory-integrated. For an AD-integrated zone, the zone's Properties > General > Replication > Change selects the partition: all DNS servers in the forest (ForestDnsZones), all DNS servers in the domain (DomainDnsZones), or all domain controllers in the domain (domain partition).
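Reading the partitions from a script rather than ADSI Edit, as an added example that is not from the course notes. It assumes the ActiveDirectory module on a DC in the forest root domain; everything else comes from the RootDSE.

```powershell
# Added example (not from the course): enumerate the partitions this forest holds, see which DCs
# replicate each application partition, list the DNS zones stored in DomainDnsZones, and check
# that Schema Admins is empty when no schema change is planned.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

"Schema        : " + $rootDse.schemaNamingContext
"Configuration : " + $rootDse.configurationNamingContext
"Domain        : " + $rootDse.defaultNamingContext
"Forest root   : " + $rootDse.rootDomainNamingContext

# Application partitions: each has a crossRef object in the Partitions container whose
# msDS-NC-Replica-Locations lists the NTDS Settings objects of the DCs that hold a replica
$forest = Get-ADForest
foreach ($dn in $forest.ApplicationPartitions) {
    $cr = Get-ADObject -SearchBase $forest.PartitionsContainer -LDAPFilter "(nCName=$dn)" `
                       -Properties msDS-NC-Replica-Locations
    $dcs = $cr.'msDS-NC-Replica-Locations' | ForEach-Object { ($_ -split ',')[1] }   # CN=<server>
    "$dn replicated to: " + ($dcs -join ', ')
}

# Zones stored in the domain-wide DNS application partition
$domainDns = 'DC=DomainDnsZones,' + $rootDse.defaultNamingContext
Get-ADObject -SearchBase "CN=MicrosoftDNS,$domainDns" -LDAPFilter '(objectClass=dnsZone)' |
    Select-Object Name

# The schema is forest-wide and irreversible: Schema Admins should be empty except during a change
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins'
if ($schemaAdmins) {
    $names = ($schemaAdmins | ForEach-Object { $_.SamAccountName }) -join ', '
    Write-Warning "Schema Admins is not empty: $names"
}
```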
FSMO Roles

Most of Active Directory is multi-master, but five Flexible Single Master Operation roles are each held by exactly one DC at a time.

Forest level (one holder per forest):
1. Schema Master: the only DC that can write to the schema partition. Transferred in the Active Directory Schema snap-in.
2. Domain Naming Master: adds and removes domains in the forest. Transferred in Active Directory Domains and Trusts (right-click > Operations Master).

Domain level (one holder per domain):
3. Relative Identifier (RID) Master: hands out pools of RIDs to the DCs so that new SIDs stay unique.
4. Primary Domain Controller (PDC) Emulator: time source of the domain, receives urgent replication of password changes and account lockouts, and is consulted when a logon fails with a bad password.
5. Infrastructure Master: responsible for updating references to objects in other domains (for example, cross-domain group members).

Transferring domain roles: Start > Administrative Tools > Active Directory Users and Computers > right-click the domain > Operations Masters > RID, PDC and Infrastructure tabs > Change. A transfer needs the old holder to be online.

Seizing a role (only when the old holder is permanently lost; the old server must never be brought back online afterwards) with ntdsutil:

ntdsutil
activate instance ntds
roles
connections
connect to server <server name>
quit
seize schema master

(likewise seize naming master, seize rid master, seize pdc, seize infrastructure master; ? lists the commands at every prompt)

Finding the role holders from cmd (Start > Run > cmd):

dsquery server -hasfsmo schema
dsquery server -hasfsmo name
dsquery server -hasfsmo rid
dsquery server -hasfsmo pdc
dsquery server -hasfsmo infr

The schema and naming queries answer for the forest; the other three are per domain, so running them in a child domain reports that domain's holders. A DC that is down is still reported as the holder, because a role is never reassigned automatically; that is why a seize is needed when the holder is gone.
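The inventory a practitioner runs before touching any role, as an added example that is not from the course notes. It assumes the ActiveDirectory module on a Windows Server 2008 R2 DC; DC2 is an assumed name for the server that receives the roles.

```powershell
# Added example (not from the course): list the five FSMO holders, check each is reachable, and
# flag the Infrastructure Master misplacement; then the cmdlet forms of transfer and seize.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

$roles = @(
    @{ Role = 'Schema Master';         Holder = $forest.SchemaMaster },
    @{ Role = 'Domain Naming Master';  Holder = $forest.DomainNamingMaster },
    @{ Role = 'PDC Emulator';          Holder = $domain.PDCEmulator },
    @{ Role = 'RID Master';            Holder = $domain.RIDMaster },
    @{ Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster }
)
foreach ($r in $roles) {
    # A holder that does not answer cannot be transferred from; its role can only be seized
    $up = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet
    New-Object PSObject -Property @{ Role = $r.Role; Holder = $r.Holder; Reachable = $up }
}

# The Infrastructure Master must not sit on a Global Catalog unless every DC is a GC,
# otherwise cross-domain references are never updated
$im     = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGcs = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and $nonGcs.Count -gt 0) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC while $($nonGcs.Count) DC(s) are not"
}

# Graceful transfer while the current holder is online (same as the Change button in the GUI):
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Seize only when the holder is gone for good, and never power the old holder on again:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster, DomainNamingMaster -Force
```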
Active Directory Sites and Replication

A site is a set of well-connected subnets; replication inside a site is immediate, between sites it is scheduled and compressed. Start > Administrative Tools > Active Directory Sites and Services:

1. Rename Default-First-Site-Name to the head-office site (the course uses Mansoura) and press Enter.
2. Create the branch site (Dekernes) and move the branch DC's server object into it.
3. Create a subnet for each site (Subnets > New Subnet, a prefix such as 192.168.2.0/24) and associate it with its site. Clients and DCs use their IP address to work out which site they belong to; a machine whose IP matches no subnet stays in whatever site it was created in, which is a common cause of slow logons.
4. Site links (Inter-Site Transports > IP) connect the sites. On the link's Properties set the replication Schedule, the interval and the Cost (a lower cost is preferred when several paths exist), then OK.
5. A bridgehead server in each site handles inter-site replication; it is chosen automatically unless you set a preferred bridgehead on the server object (right-click the server > Properties).
6. Transports: IP (RPC over IP) replicates everything, including the domain partition. SMTP can only replicate the schema, configuration and GC data, so it is usable only between different domains (for example a child domain at a remote site) and it requires a certification authority for signing.

Active Directory replication is:
- Multi-master: changes can be made on any writable DC.
- Pull replication: a DC asks its partners for changes; nothing is pushed to it.
- Store-and-forward: a DC passes on changes it received, so not every DC has to talk to every other.
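Checking that the sites actually replicate, as an added example that is not from the course notes. It uses repadmin and nltest, which are present on every Windows Server 2008 DC, from PowerShell; the site name Dekernes and the DC name DC1 are the course's.

```powershell
# Added example (not from the course): replication health after building the sites, with the
# failure counters parsed from repadmin's CSV output. Assumed names: site Dekernes, DC1.ciscawy.com.

# Which site does this machine think it is in, and which DC does the locator hand out for the branch?
nltest /dsgetsite
nltest /dsgetdc:ciscawy.com /site:Dekernes

# One row per replication link (source DC, destination DC, partition) with failure counters
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$links | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Number of Failures', 'Last Success Time' |
    Format-Table -AutoSize

# Anything that has failed at least once deserves a look before the tombstone lifetime runs out
$broken = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
foreach ($l in $broken) {
    Write-Warning ("{0} -> {1} [{2}]: {3} failures, last status {4}" -f
        $l.'Source DSA', $l.'Destination DSA', $l.'Naming Context', $l.'Number of Failures', $l.'Last Failure Status')
}

# Recompute the topology and force a full, cross-site sync pushed out from DC1
repadmin /kcc
repadmin /syncall DC1.ciscawy.com /AdeP
```

A link whose last success is older than the site link's schedule interval means the schedule, cost or bridgehead is wrong rather than a network fault; fix that in Sites and Services and rerun the sync.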
Trust

A trust lets users of one domain be authenticated for resources in another. A trust is one-way (the trusting domain trusts the trusted domain) or two-way. Within a forest, trusts are created automatically and use the Kerberos authentication protocol.

Type              Direction             Between                                                         Notes
----------------  --------------------  --------------------------------------------------------------  --------------------------------
Parent and Child  Two-way (automatic)   A domain and its child domain in the same tree                  Transitive
Tree Root         Two-way (automatic)   A tree root domain and another tree root in the same forest     Transitive
Shortcut          One- or two-way       Two domains deep in different trees (child to child)            Shortens the Kerberos referral path
External          One- or two-way       Any domain in one forest and any domain in another forest       Not transitive (not inherited)
Forest            One- or two-way       The forest root domain of one forest and of another forest      Transitive across both forests
Realm             One- or two-way       A Windows domain and a non-Windows Kerberos realm (e.g. Linux)  Transitive or not, by choice

Forest trust vs. new tree / child domain: a new tree or child domain stays inside the forest (same schema, same Enterprise Admins, automatic trusts); a forest trust joins two separate forests and keeps their administration separate.

Security note: a trust extends the trusted side's security boundary into yours. Keep SID filtering (quarantine) enabled on external and forest trusts, so that a SID belonging to your domain cannot be injected through the other side's SID history, and consider selective authentication so only explicitly allowed users from the other side can reach your servers.
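Listing the trusts with the flags that matter for security, as an added example that is not from the course notes. It reads the trustedDomain objects directly, so it works with the Windows Server 2008 R2 ActiveDirectory module; the netdom commands at the end assume a trust between ciscawy.com and netriders.com.

```powershell
# Added example (not from the course): enumerate the trusts of the current domain from the
# trustedDomain objects under CN=System and decode direction, type and the security flags.
Import-Module ActiveDirectory
$nc = (Get-ADRootDSE).defaultNamingContext

$directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }
$types      = @{ 1 = 'Downlevel (NT)'; 2 = 'Uplevel (AD)'; 3 = 'Realm (MIT Kerberos)'; 4 = 'DCE' }

Get-ADObject -SearchBase "CN=System,$nc" -LDAPFilter '(objectClass=trustedDomain)' `
             -Properties trustPartner, trustDirection, trustType, trustAttributes |
    ForEach-Object {
        $a = [int]$_.trustAttributes          # bit flags of the trustAttributes attribute
        New-Object PSObject -Property @{
            Partner       = $_.trustPartner
            Direction     = $directions[[int]$_.trustDirection]
            Type          = $types[[int]$_.trustType]
            Transitive    = -not ($a -band 0x1)      # NON_TRANSITIVE not set
            WithinForest  = [bool]($a -band 0x20)    # parent/child or tree-root trust
            ForestTrust   = [bool]($a -band 0x8)     # FOREST_TRANSITIVE
            SidFiltering  = [bool]($a -band 0x4)     # QUARANTINED_DOMAIN: SID filtering on an external trust
            SelectiveAuth = [bool]($a -band 0x10)    # CROSS_ORGANIZATION
        }
    } | Format-Table Partner, Direction, Type, Transitive, WithinForest, ForestTrust, SidFiltering, SelectiveAuth -AutoSize

# Fix an external trust that shows SidFiltering = False (run on a DC of the trusting domain,
# once per direction for a two-way trust):
#   netdom trust ciscawy.com /domain:netriders.com /quarantine:yes
# Forest trusts filter SIDs by default; this restores it if someone relaxed it for migration:
#   netdom trust ciscawy.com /domain:netriders.com /enablesidhistory:no
# Cross-check from the other side:
#   nltest /domain_trusts /all_trusts
```

Trusts inside the forest (WithinForest = True) never filter SIDs; that is by design, and one more reason why every domain in a forest must be administered to the same standard.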
Group Policy

Group Policy applies settings and restrictions to users and computers centrally. A Group Policy Object (GPO) is linked to a site, a domain or an OU (not to a group; groups are used only to filter who receives the GPO). Start > Administrative Tools > Group Policy Management.

What a policy can do, for example: deploy software, block the use of USB drives and DVD-ROM, block applications, run scripts, redirect folders.

A GPO has two halves:
- Computer Configuration: applied at startup to the computer account, whatever user logs on. Software can only be assigned.
- User Configuration: applied at logon to the user account, whatever computer is used. Software can be assigned or published.

Processing order and inheritance: Local > Site > Domain > OU (child OU last); a setting applied later wins. Two switches change that:
- Block Inheritance (on a domain or OU): stops the GPOs linked above from applying here. It cannot block a GPO whose link is Enforced.
- Enforced (on a GPO link): that GPO wins over conflicting lower GPOs and passes through Block Inheritance. Use it for the security baseline the whole domain must keep.

Refresh: clients re-apply policy in the background every 90 minutes plus a random offset of up to 30 minutes; domain controllers every 5 minutes. To apply now: Start > Run > cmd > gpupdate /force (re-applies both the Computer and the User half; software installation and folder redirection still need a restart or logoff). The intervals themselves are settings under Computer Configuration > Policies > Administrative Templates > System > Group Policy.

Creating and linking a GPO: in Group Policy Management, right-click Group Policy Objects > New, name it, right-click > Edit. Link it by right-clicking the domain, a site (Sites > Show Sites first) or an OU > Link an Existing GPO > Browse. Security Filtering on the GPO's Scope tab limits it to chosen users, groups or computers.

Loopback processing has two modes: Replace (only the user settings of the computer's GPOs apply, for kiosks and terminal servers) and Merge (the user's own GPOs plus the computer's, the computer's winning on conflict).
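Mapping where inheritance is blocked and what is enforced, as an added example that is not from the course notes. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 with the Group Policy Management feature) and a GPO named Security Baseline.

```powershell
# Added example (not from the course): every GPO link in the domain with its order, Enforced flag
# and whether the target blocks inheritance, then the resultant set on this computer.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })

$report = foreach ($t in $targets) {
    $som = Get-GPInheritance -Target $t          # "scope of management": the domain or an OU
    foreach ($link in $som.GpoLinks) {
        New-Object PSObject -Property @{
            Target             = $t
            GPO                = $link.DisplayName
            Order              = $link.Order
            Enabled            = $link.Enabled
            Enforced           = $link.Enforced
            InheritanceBlocked = $som.GpoInheritanceBlocked
        }
    }
}
$report | Sort-Object Target, Order |
    Format-Table Target, Order, GPO, Enabled, Enforced, InheritanceBlocked -AutoSize

# An OU that blocks inheritance receives only the Enforced links from above: a policy gap
# unless the baseline is enforced
$report | Where-Object { $_.InheritanceBlocked } | Group-Object Target | ForEach-Object {
    Write-Warning "$($_.Name) blocks inheritance; only enforced links from above still apply there"
}

# Make the security baseline win everywhere (assumed GPO name):
Set-GPLink -Name 'Security Baseline' -Target $domainDn -Enforced Yes

# What actually applied here, after a refresh
gpupdate /force
gpresult /r /scope:computer
```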
Deploy Software

Group Policy deploys Windows Installer packages (.msi). Two deployment methods:
- Assign: the application is installed (computer) or advertised with a Start menu shortcut and installed on first use (user). Full installation.
- Publish: offered only to users, under Control Panel > Programs > Programs and Features > Install a program from the network; the user chooses to install it. Partial: nothing is installed until the user asks.

Computer account: assigned only; installs at startup before anyone logs on.
User account: assigned or published.

Steps (the course uses an OU named Test):
1. Put the .msi in a shared folder and reference it by its UNC path (\\server\share\app.msi), never a local path: the target computer's account and the users must be able to read it. Give only administrators write access to that share, because whatever is placed there is executed as SYSTEM (computer deployment) or as the user on every machine in scope.
2. Right-click the OU > Create a GPO in this domain and link it here > Edit.
3. User Configuration > Policies > Software Settings > Software Installation > right-click > New > Package > select the .msi > choose Published, Assigned or Advanced.
4. Advanced opens the package Properties with the Deployment, Upgrades and Security tabs.
5. On the Windows 7 client: gpupdate /force, then log off and on; a published package appears under Control Panel\Programs\Programs and Features > Install a program from the network > right-click > Install.
6. For the computer account: Computer Configuration > Policies > Software Settings > Software Installation > New > Package; only Assigned is offered (Publish is greyed out for computers).
7. Upgrades: right-click the new package > Properties > Upgrades tab > add the package it replaces.
8. Remove a deployment: right-click the package > All Tasks > Remove (uninstall immediately, or let users keep it).
Restricted Groups

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > Add Group > Browse. The members listed in the policy are enforced on every computer in scope: anyone else in the group (for example a user who added himself to the local Administrators group) is removed at the next refresh, and the listed members are added back if missing.

Security in Group Policy

The account-related security settings live under Computer Configuration > Policies > Windows Settings > Security Settings:
- Account Policies: Password Policy (length, complexity, history, maximum age), Account Lockout Policy (threshold, duration) and Kerberos Policy (ticket lifetimes, clock skew). Account policies for domain accounts take effect only from a GPO linked at the domain (normally the Default Domain Policy); set on an OU they affect only the local accounts of the computers there.
- Local Policies: Audit Policy, User Rights Assignment and Security Options.

Kerberos is the authentication protocol used between domain members since Windows 2000; NTLM remains as the fallback. The settings apply to Windows Vista, Windows 7 and Windows XP clients alike, although newer policy items are ignored by XP.
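Checking the Account Policies against a baseline instead of reading them in the editor, as an added example that is not from the course notes. It assumes the ActiveDirectory and GroupPolicy modules; the thresholds are this example's own, not values from the course.

```powershell
# Added example (not from the course): grade the domain's Account Policies against a baseline and
# pull the Kerberos policy numbers out of the Default Domain Policy XML report.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$p = Get-ADDefaultDomainPasswordPolicy
$checks = @(
    @{ Name = 'Minimum password length >= 12';   Ok = ($p.MinPasswordLength -ge 12) },
    @{ Name = 'Complexity required';             Ok = $p.ComplexityEnabled },
    @{ Name = 'Reversible encryption disabled';  Ok = (-not $p.ReversibleEncryptionEnabled) },
    @{ Name = 'Password history >= 24';          Ok = ($p.PasswordHistoryCount -ge 24) },
    @{ Name = 'Maximum age 1..365 days';         Ok = ($p.MaxPasswordAge.Days -ge 1 -and $p.MaxPasswordAge.Days -le 365) },
    @{ Name = 'Lockout threshold 1..10';         Ok = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 10) },
    @{ Name = 'Lockout duration >= 15 min';      Ok = ($p.LockoutDuration.TotalMinutes -ge 15) }
)
foreach ($c in $checks) {
    '{0,-36} {1}' -f $c.Name, $(if ($c.Ok) { 'PASS' } else { 'FAIL' })
}

# Kerberos policy has no cmdlet in 2008 R2; read the values from the GPO report
$xml = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
[regex]::Matches($xml, '(MaxTicketAge|MaxRenewAge|MaxServiceAge|MaxClockSkew)[^0-9]*(\d+)') |
    ForEach-Object { '{0,-15} = {1}' -f $_.Groups[1].Value, $_.Groups[2].Value }
```

Reversible encryption deserves its own line: with it enabled the DC stores passwords in a recoverable form, which turns any NTDS.dit backup into a plaintext password list.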
Wireless Network (IEEE 802.11) Policies

Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. Add a profile, enter the SSID of the access point(s), choose the Authentication (WPA2-Enterprise, which authenticates each user through 802.1X against a RADIUS server) and the encryption (AES; TKIP is the older WPA cipher and should be kept only for legacy equipment). Through the policy the computer joins the corporate wireless network without the user knowing any key; the Network Permissions tab can forbid connecting to any SSID that is not listed. Several access points broadcasting the same SSID share the client load.

Windows Firewall

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security. Inbound Rules or Outbound Rules > right-click > New Rule; filter by Program, Port (protocol and port number), Predefined or Custom; choose Allow or Block and the profiles (Domain, Private, Public).

IP Security

Computer Configuration > Policies > Windows Settings > Security Settings > IP Security Policies on Active Directory. Three built-in policies, from least to most strict:
- Client (Respond Only): communicates in the clear but answers an IPsec request from a server.
- Server (Request Security): asks for IPsec; falls back to clear text with clients that cannot do it.
- Secure Server (Require Security): refuses any connection that is not protected by IPsec.
Only one IPsec policy can be assigned at a time.

Administrative Templates

Hundreds of settings for devices (removable storage), printers, Folder Options, Control Panel and so on. To find one: right-click Administrative Templates > Filter Options; filter on a keyword in the policy setting title, the explain text or the comment, and on whether the setting is configured.

Lab: User Configuration > Policies > Administrative Templates > Network > Network Connections > "Prohibit access to properties of a LAN connection" > Enabled. On the client run gpupdate /force, then open Control Panel\Network and Internet\Network and Sharing Center and try Properties on the connection: the user can no longer change TCP/IP. An account outside the OU, such as the Administrator, is unaffected, because the GPO is linked to the users' OU.
Group Policy Templates

A GPO (or a set of them) can be saved and reused: in Group Policy Management, right-click Group Policy Objects > Back Up All, and later right-click a GPO > Import Settings to load the saved settings into a new GPO; Starter GPOs serve as a basis for new GPOs in the same way.

Security Templates

A security template is an .inf file holding security settings that can be applied to a computer, compared against it, or imported into a GPO (Security Settings > right-click > Import Policy). Templates are edited with the Security Templates MMC snap-in and saved by default under C:\Users\Administrator\Documents\Security\Templates.

Security templates allow you to configure any of the following types of policies and settings:
- Account Policies: specify password restrictions, account lockout policies and Kerberos policies.
- Local Policies: configure audit policies, user rights assignments and Security Options policies.
- Event Log Policies: configure maximum event log sizes and rollover policies.
- Restricted Groups: specify the users permitted to be members of specific groups.
- System Services: specify the startup types and permissions for system services.
- Registry Permissions: set access control permissions for specific registry keys.
- File System Permissions: specify access control permissions for NTFS files and folders.

Steps: Start > Run > mmc > add the Security Templates snap-in > New Template > set the settings > Save; then, in a GPO, Security Settings > Import Policy, or use the Security Configuration and Analysis snap-in to compare a computer with the template and apply it.
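The compare-and-apply step from the command line, as an added example that is not from the course notes. It assumes a template saved as baseline.inf in the course's template folder and a working directory C:\Temp; secedit is present on every Windows Server 2008 machine.

```powershell
# Added example (not from the course): export a server's current security settings, analyze them
# against the saved template, and list the mismatches. Assumed paths: C:\Temp and baseline.inf.
$template = "$env:USERPROFILE\Documents\Security\Templates\baseline.inf"
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null

# 1. What this machine currently has
secedit /export /cfg C:\Temp\current.inf /log C:\Temp\export.log /quiet

# 2. Analyze against the template: secedit builds a database from the .inf and compares
secedit /analyze /db C:\Temp\baseline.sdb /cfg $template /log C:\Temp\analyze.log /quiet

# 3. Each "Mismatch" line names a setting whose local value differs from the template
Select-String -Path C:\Temp\analyze.log -Pattern 'Mismatch' |
    ForEach-Object { $_.Line.Trim() }

# 4. Enforce the template locally; on a domain member prefer importing it into a GPO instead,
#    so that the setting is reapplied at every refresh rather than once:
#    secedit /configure /db C:\Temp\baseline.sdb /cfg $template /overwrite /log C:\Temp\configure.log
```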
Scripts

- Computer account: Startup and Shutdown scripts, under Computer Configuration > Policies > Windows Settings > Scripts; they run as SYSTEM before anyone logs on.
- User account: Logon and Logoff scripts, under User Configuration > Policies > Windows Settings > Scripts.

Example from the course: a logon script that maps drive X: to a shared folder. Group Policy Management > right-click the GPO > Edit > User Configuration > Policies > Windows Settings > Scripts > Logon > Add > Browse, and place a batch file in the GPO's Scripts folder containing

net use X: \\server\share /persistent:no

The course version passes the Administrator credentials on the command line (net use X: \\server\share p@ssw0rd /user:administrator). Do not do this: the script is stored in SYSVOL, which every authenticated user can read, so the domain Administrator password would be readable by everyone. net use without credentials maps the drive with the logged-on user's own Kerberos ticket, which is what you want. After gpupdate /force and a fresh logon on the Windows 7 client, the drive appears under Computer as a mapped network drive.
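Finding scripts that already make that mistake, as an added example that is not from the course notes. It assumes the ActiveDirectory module and read access to SYSVOL (which every authenticated user has, which is the point); the patterns are this example's own.

```powershell
# Added example (not from the course): search SYSVOL for scripts and preference files that carry
# credentials. SYSVOL is readable by every authenticated user, so anything found here is public.
Import-Module ActiveDirectory
$sysvol = "\\" + (Get-ADDomain).DNSRoot + "\SYSVOL"

# Script and Group Policy Preferences files only
$files = Get-ChildItem -Path $sysvol -Recurse -Include *.bat, *.cmd, *.vbs, *.ps1, *.xml -ErrorAction SilentlyContinue

# Patterns: net use with an explicit /user, "password=" in any casing, dsadd/dsmod -pwd with a
# literal value, and the cpassword attribute that Group Policy Preferences store
$patterns = '(?i)net\s+use\b.*\s/user:', '(?i)password\s*=', '(?i)\s-pwd\s+\S', '(?i)cpassword='

$hits = @($files | Select-String -Pattern $patterns)
foreach ($h in $hits) {
    New-Object PSObject -Property @{
        File = $h.Path
        Line = $h.LineNumber
        Text = $h.Line.Trim()
    }
}
if ($hits.Count -eq 0) { 'No embedded credentials found in SYSVOL scripts or preference files.' }

# The safe mapping for a logon script: no credentials, the user's own Kerberos ticket is used
#   net use X: \\fs1.ciscawy.com\Shared /persistent:no
```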
Backup & Restore

Windows Server Backup (install it from Server Manager > Features) offers Backup Schedule and Backup Once. For a domain controller the important item is the system state, which contains the Active Directory database (NTDS.dit), SYSVOL, the registry and the boot files.

Backup Schedule: Next > Custom > select the items (system state, or the whole C: drive) > choose the destination: a dedicated local disk (recommended), a volume, or a shared folder on another machine > set the time > Finish. Protect the destination as carefully as the DC itself: the system state contains every password hash in the domain.

Backup Once: the same choices, run immediately; the wizard's Clients line shows from where the backup is reachable.

From the command line (Start > Run > cmd; wbadmin /? lists the commands):

wbadmin start systemstatebackup -backupTarget:E:

Ctrl+C cancels a running backup. With Custom you can also back up the whole C: drive or only a shared folder.

Restore

1. Restart the DC and press F8 during boot > Directory Services Restore Mode.
2. Log on as .\Administrator with the DSRM password set during dcpromo. The domain's Administrator cannot be used here: the directory database is offline, so the domain cannot authenticate anyone.
3. Run wbadmin start systemstaterecovery with the version to restore, or use Windows Server Backup > Recover > select the backup location (local disk or the recovery disk) > System state > Next > Recover.
4. Restart normally. This is a non-authoritative restore: after the restart the DC pulls whatever changed since the backup from its replication partners. To bring back objects that were deleted on every DC, mark them authoritative with ntdsutil before the final restart, otherwise replication deletes them again.
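The backup and recovery commands with the two checks the wizard does not make, as an added example that is not from the course notes. It assumes a dedicated backup disk E: on the DC; the version identifier in step 5 is a format illustration, not a real backup.

```powershell
# Added example (not from the course): system state backup and recovery of a DC with wbadmin,
# plus verifying that a restorable version exists and that the backup is not world-readable.
# Assumed: backup target E:.
$target = 'E:'

# 1. System state backup now (NTDS.dit, SYSVOL, registry, boot files); -quiet skips the prompt
wbadmin start systemstatebackup -backupTarget:$target -quiet

# 2. Nightly schedule of the critical volumes (the system state is part of them)
wbadmin enable backup -addtarget:$target -schedule:02:00 -allCritical -quiet

# 3. Verify that a version exists; its identifier is what step 5 needs
wbadmin get versions -backupTarget:$target

# 4. The backup holds every password hash in the domain: nobody but Administrators and SYSTEM
#    may read the backup folder wbadmin creates
$acl = Get-Acl -Path "$target\WindowsImageBackup"
$acl.Access | Where-Object { $_.IdentityReference -notmatch 'Administrators|SYSTEM' } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) has $($_.FileSystemRights) on the backup" }

# 5. Recovery: boot with F8 into Directory Services Restore Mode, log on as .\Administrator with
#    the DSRM password, then (version identifier copied from step 3, format MM/DD/YYYY-HH:MM):
#    wbadmin start systemstaterecovery -version:05/12/2012-02:00 -backupTarget:E: -quiet
#    After the restart the DC catches up from its partners (non-authoritative restore).

# 6. If nobody remembers the DSRM password, reset it before it is needed (on the DC, while online):
#    ntdsutil "set dsrm password" "reset password on server null" quit quit
```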
Active Directory, Course 6426A
Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Four roles are covered in this book:
- Active Directory Certificate Services (Certification Authority)
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services

Active Directory Certificate Services

Certificates are used for:
- Encryption (EFS, e-mail)
- IPsec
- Securing web sites (HTTPS)
- Smart card logon
- Signing drivers and code

Cryptography background:
- Symmetric key encryption: one shared key both encrypts and decrypts; fast; examples AES, 3DES and DES (DES is obsolete and should no longer be used).
- Asymmetric keys: a public/private key pair; what one key encrypts only the other can decrypt; examples RSA, DSA and Diffie-Hellman.
- Hashing: a one-way fingerprint of data, used for integrity, for signatures and for password storage. The course's example is MD5; MD5 (and SHA-1) are no longer considered safe for signatures, so prefer SHA-256.
A certificate binds a public key to a name and is signed by a certification authority (CA).

CA hierarchies: a single root CA; a root with subordinate (issuing) CAs; or cross-certification between two hierarchies so that each trusts the other's certificates.
Installing Certificate Services

Server Manager > Roles > Add Roles > Active Directory Certificate Services. Role services:
- Certification Authority: issues and manages certificates.
- Certification Authority Web Enrollment: the https://<ca>/certsrv pages through which users request certificates; requires IIS, which the wizard adds.
- Online Responder: answers OCSP queries about whether a certificate is revoked, instead of clients downloading the whole CRL.

Wizard choices: Enterprise CA (integrated with AD, uses templates and autoenrollment; the server must be domain-joined) or Standalone; Root CA or Subordinate CA; create a new private key (key length and hash algorithm; give the root a longer key and, where possible, keep the root machine offline); CA name (the course uses Ciscawy-CA); validity period; database locations; Install > Finish.

Subordinate CA: on a second, domain-joined machine add the role with "Subordinate CA"; the wizard creates a certificate request that goes to the root CA (Browse to the root, or save the request file and submit it through the root's web enrollment). On the root CA the administrator approves the request (Pending Requests > Issue); the issued certificate is installed on the subordinate, which can then start issuing.

Certification Authority console: Start > Administrative Tools > Certification Authority:
- Revoked Certificates: certificates the administrator revoked; they are published in the CRL.
- Issued Certificates: everything issued, including the CA's own self-signed certificate and the users' certificates.
- Pending Requests: requests waiting for an administrator to Issue or Deny (when the template requires approval).
- Failed Requests: requests that were denied or failed.
- Certificate Templates: the templates this CA offers; only templates listed here can be requested from it.

Right-click Certificate Templates > Manage opens the Certificate Templates console with every template in the forest; right-click a template > Properties > Security tab to grant Enroll (and Autoenroll) to users, groups or computers, then OK. To offer a template on the CA: right-click Certificate Templates > New > Certificate Template to Issue > pick it > OK.
Requesting certificates

A user or computer obtains a certificate through:
- the CA's web enrollment site,
- the Certificates MMC snap-in (Request New Certificate),
- Group Policy autoenrollment (Enroll and Autoenroll permissions on the template plus the autoenrollment policy).

Securing the enrollment site with HTTPS: the site runs in IIS. HTTP is fine for browsing, but a certificate request over plain HTTP is not secure, so the web server needs its own certificate and an HTTPS binding: IIS Manager > Default Web Site > Bindings > Add > Type https > choose the server certificate > OK. Afterwards the machine answers on https://ca.ciscawy.com/certsrv and clients should use only the HTTPS connection.

Certificate stores and the MMC: Start > Run > mmc > File > Add/Remove Snap-in > Certificates > Computer account (or My user account). Under Personal are the certificates, with private keys, that belong to this account; under Trusted Root Certification Authorities are the CAs this machine trusts (web sites and servers whose certificates chain to one of them are trusted). An enterprise CA's certificate reaches the trusted root store of every domain member automatically through Group Policy (after a gpupdate or restart). To export a certificate: right-click > All Tasks > Export > Next > Finish (export the private key only when moving it, and protect the .pfx with a strong password).

Web enrollment from the Windows 7 client: Internet Explorer > https://ca.ciscawy.com/certsrv (log on with a domain account) > Request a certificate > User Certificate, or an advanced request for a web server using a saved request file. Submit; the request is issued immediately or waits in Pending Requests, after which the certificate can be downloaded and saved. In the Certificates MMC (My user account) it then appears under Personal.

On the CA server, Issued Certificates now lists: the CA's own certificate, the domain controller's certificate, the certificate issued to the CA, and the user's certificate.

Revoking: Issued Certificates > right-click the certificate > All Tasks > Revoke Certificate > choose a reason. The revocation reaches clients only when a new CRL is published (right-click Revoked Certificates > All Tasks > Publish) and the clients download it.

Managing templates: Certification Authority > right-click Certificate Templates > Manage.
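The revoke-publish-verify cycle from the command line, as an added example that is not from the course notes. It assumes the course's CA Ciscawy-CA on ca.ciscawy.com, the user ahmed@ciscawy.com and a copy of the user's certificate saved as user.cer on the client; certutil is present on both sides.

```powershell
# Added example (not from the course): revoke a user's certificate, publish a fresh CRL, and verify
# from the client that the revocation is actually visible. Assumed: CA ca.ciscawy.com\Ciscawy-CA,
# user ahmed@ciscawy.com, the certificate exported to user.cer on the client.
$caConfig = 'ca.ciscawy.com\Ciscawy-CA'

# 0. Is the CA reachable (RPC/DCOM) before anything else is blamed?
certutil -config $caConfig -ping

# 1. Serial numbers of the user's issued (Disposition=20) certificates, from the CA database
$rows = certutil -config $caConfig -view -restrict "UPN=ahmed@ciscawy.com,Disposition=20" -out "RequestID,SerialNumber,NotAfter"
$serials = $rows | Select-String 'Serial Number:\s*"?([0-9A-Fa-f]+)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $serials) { throw 'no issued certificate found for that user' }
$serial = $serials[-1]      # the most recent one

# 2. Revoke it; reason 1 = key compromise (0 unspecified, 4 superseded, 6 certificate hold)
certutil -config $caConfig -revoke $serial 1

# 3. A revocation reaches clients only through a new CRL: publish one now
certutil -config $caConfig -crl

# 4. On the client: drop the cached CRL, then re-verify the chain, fetching CRL/OCSP from the
#    URLs inside the certificate; a revoked leaf is reported in the output
certutil -urlcache crl delete
certutil -verify -urlfetch user.cer | Select-String 'Revoked|revocation|Cert is'
```

Until step 3 runs, step 4 still says the certificate is valid, which is the gap the text above warns about; a CRL publishing interval that is too long makes every revocation late by that much.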
Template properties that matter

- Issuance Requirements tab: "CA certificate manager approval" makes every request wait in Pending Requests until a certificate manager issues it; use it for templates that grant sensitive capabilities.
- Security tab: which users, groups and computers may Read, Enroll and Autoenroll. Be specific: granting Enroll on a template to Authenticated Users means every account in the forest, computers included, can obtain that certificate.
- On the Windows 7 client, the Certificates MMC (My user account) > Personal > right-click > All Tasks > Request New Certificate > Active Directory Enrollment Policy shows only the templates the user may enroll; tick "Show all templates" to see the rest and why they are unavailable (no permission, or not issued by any CA).
- If the template requires approval, the request waits on the server in Pending Requests until the administrator right-clicks it > All Tasks > Issue; the Windows 7 client then receives it under Personal.

Autoenrollment

1. Group Policy: Computer Configuration (or User Configuration) > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment > Enabled, with "Renew expired certificates" and "Update certificates that use certificate templates" ticked.
2. Certification Authority > right-click Certificate Templates > Manage > right-click the template (for example User) > Duplicate Template > name it > Security tab > add the group that should receive it and tick Enroll and Autoenroll. Use a specific group rather than Authenticated Users: autoenrollment hands out certificates silently, so that group defines who can authenticate with them.
3. Issue the new template on the CA (New > Certificate Template to Issue).

After gpupdate /force and a logon, the certificate appears under Personal. Double-click it: General shows Issued to and Issued by (the CA); Details shows the Public key, the Issuer and the serial number. The CA's own certificate is shown from Certification Authority > right-click the CA > Properties > General > View Certificate; the Security tab of the same dialog lists who is CA Administrator, who is Certificate Manager and who may Request certificates. The Auditing tab enables logging of CA operations (issue, revoke, key recovery, configuration change) to the Security event log; turn it on, so that issuance and key recovery leave a trail.
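Auditing the templates for the combination that lets an enrollee pick the name on a logon certificate, as an added example that is not from the course notes. It reads the template objects from the configuration partition with the ActiveDirectory module; the flag and EKU values are the published ones, the group list is this example's.

```powershell
# Added example (not from the course): audit certificate templates for the settings that let a
# requester obtain a logon certificate for a name of his choosing.
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$authEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0')              # Any Purpose
$ENROLLEE_SUPPLIES_SUBJECT = 0x1          # bit of msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2          # bit of msPKI-Enrollment-Flag: CA manager approval
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$broadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties pKIExtendedKeyUsage, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, nTSecurityDescriptor |
    ForEach-Object {
        $t = $_
        $logon      = @($t.pKIExtendedKeyUsage | Where-Object { $authEkus -contains $_ }).Count -gt 0
        $supplySubj = ([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -ne 0

        # Broad groups holding the Enroll right (or full control) on this template
        $broadEnroll = @()
        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $isEnroll = ($ace.ObjectType -eq $enrollRight) -or ($ace.ActiveDirectoryRights -match 'GenericAll')
            $who = $ace.IdentityReference.Value.Split('\')[-1]
            if ($isEnroll -and ($broadGroups -contains $who)) { $broadEnroll += $who }
        }
        if ($logon -and $supplySubj -and -not $approval -and $broadEnroll.Count -gt 0) {
            Write-Warning ("{0}: logon EKU + enrollee supplies subject + no approval, enrollable by {1}" -f $t.Name, ($broadEnroll -join ', '))
        }
        New-Object PSObject -Property @{
            Template = $t.Name; LogonEku = $logon; EnrolleeSuppliesSubject = $supplySubj
            NeedsApproval = $approval; BroadEnroll = ($broadEnroll -join ', ')
        }
    } | Format-Table Template, LogonEku, EnrolleeSuppliesSubject, NeedsApproval, BroadEnroll -AutoSize
```

A warning means anyone in that group can request a client-authentication certificate naming another account and the CA will issue it without a human looking; fix it by building the subject from Active Directory, requiring manager approval, or narrowing the Enroll permission, and then check Issued Certificates for what was already handed out.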
Key Recovery Agent (KRA)

Problem: a user's certificate and private key live in the user's profile. If the profile is lost (new machine, reinstalled Windows, corrupted profile) the private key is gone, and everything encrypted to it (EFS files, e-mail) becomes unreadable. The CA can archive users' private keys at issuance, and a Key Recovery Agent (a designated user; the course uses a member of Domain Admins) can recover them. Key recovery is a powerful capability: whoever holds the KRA key can read every archived user key, so restrict it to one or two named people, protect the KRA certificate, and audit key recovery on the CA.

1. Issue a KRA certificate
   Certification Authority > right-click Certificate Templates > Manage > Key Recovery Agent template > Properties:
   - Security tab: add the KRA user and grant Read and Enroll. Full Control is not needed and would let that user change the template itself.
   - Issuance Requirements: leave "CA certificate manager approval" on, so an administrator approves each KRA request.
   Then Certificate Templates > New > Certificate Template to Issue > Key Recovery Agent.
2. Make the User template archive keys
   Duplicate the User template. Request Handling tab: tick "Archive subject's encryption private key" (and "Allow private key to be exported" only if users must move keys themselves). Subject Name tab: build from Active Directory information, include the e-mail name. Issue the template.
3. Request the KRA certificate
   As the KRA user: mmc > Certificates (My user account) > Personal > Request New Certificate > Key Recovery Agent. The request waits on the CA (Pending Requests > right-click > All Tasks > Issue). Refresh the MMC; the KRA certificate, issued by the root CA, appears under Personal. Issued Certificates on the CA now shows two certificates for this user: the user certificate and the KRA certificate, both issued by the root.
4. Export the KRA certificate
   Double-click the KRA certificate > Details > Copy to File > Next > Cryptographic Message Syntax Standard - PKCS #7 (.p7b, public part only, to register on the CA) > All Files > save > Next > Finish. Separately export it with the private key (.pfx, password protected); that file is the recovery key itself. Keep it off the CA, in a shared folder only the KRA can open, and move it to the Windows 7 machine only while a recovery is in progress.
5. Register the KRA on the CA
   Certification Authority > right-click the CA > Properties > Recovery Agents tab > Archive the key > Add > pick the KRA certificate > OK > restart the Certificate Services service when prompted. The tab shows the certificate's status; an error or "not loaded" means the CA will not archive keys until the KRA certificate is valid.
6. Enroll a user
   On Windows 7, as the user: Start > Run > mmc > File > Add/Remove Snap-in > Certificates > My user account > right-click Personal > All Tasks > Request New Certificate > the duplicated User template. The private key is now archived on the CA: Issued Certificates > the user's certificate shows the Archived Key column as Yes.
7. Recover a key (where the KRA certificate with its private key is installed)
   Find the serial number of the user's certificate (Issued Certificates, or from the certificate's Details), then from cmd:

   certutil -getkey <SerialNumber> recoveryblob.bin
   certutil -recoverkey recoveryblob.bin ahmed.pfx

   -getkey collects the archived key, still encrypted to the KRA's public key, into a recovery blob; -recoverkey decrypts it with the KRA's private key and writes a password-protected .pfx containing the user's certificate and private key to C:\ (or the path given).
8. Give the user the .pfx through the shared folder and delete it afterwards. On the Windows 7 client: Start > Run > mmc > File > Add/Remove Snap-in > Certificates > My user account > right-click Personal > All Tasks > Import > the .pfx > its password. The certificate is back under Personal and the encrypted data can be read again.
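Step 7 as a script, as an added example that is not from the course notes. It assumes the course's CA ca.ciscawy.com\Ciscawy-CA, the user ahmed@ciscawy.com, a working folder C:\Recovery readable only by administrators, and that it runs on the machine where the KRA certificate with its private key is installed.

```powershell
# Added example (not from the course): key recovery with the serial number looked up from the CA
# database instead of copied by hand. Assumed: CA ca.ciscawy.com\Ciscawy-CA, user ahmed@ciscawy.com,
# admin-only folder C:\Recovery, and the KRA private key present on this machine.
$caConfig = 'ca.ciscawy.com\Ciscawy-CA'
$upn      = 'ahmed@ciscawy.com'
$outDir   = 'C:\Recovery'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Issued (Disposition=20) certificates of this user; certutil prints a "Serial Number:" line each
$rows = certutil -config $caConfig -view -restrict "UPN=$upn,Disposition=20" -out "RequestID,SerialNumber,NotAfter"
$serials = $rows | Select-String 'Serial Number:\s*"?([0-9A-Fa-f]+)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $serials) { throw "no issued certificate for $upn on $caConfig" }
$serial = $serials[-1]    # the most recent certificate
"Recovering the archived key for serial $serial"

# 2. Pull the archived key, still encrypted to the KRA's public key, into a recovery blob
certutil -config $caConfig -getkey $serial "$outDir\$serial.blob"

# 3. Decrypt with the KRA private key and write the PFX; with -p omitted certutil asks for the
#    PFX password interactively, which keeps it out of the command history
certutil -recoverkey "$outDir\$serial.blob" "$outDir\$serial.pfx"

# 4. Hand the PFX to the user over a protected channel, then remove the working files
Remove-Item "$outDir\$serial.blob"
# Remove-Item "$outDir\$serial.pfx"   # once the user has imported it
```

Every run of -getkey is recorded on the CA when auditing is enabled (the Auditing tab in the CA properties), which is how a recovery by the wrong person is noticed.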
Active Directory Rights Management Services (AD RMS)

AD RMS protects documents and e-mail with usage rights (read, change, print, forward) that travel with the file and are enforced by RMS-aware applications such as Office.

Preparation
- DNS: create an A record for the cluster URL (for example rms.ciscawy.com) pointing at the RMS server; Browse in the DNS console to check that it resolves.
- Certificate: the cluster web site runs over HTTPS, so the RMS server needs a server certificate from the enterprise CA, and the clients must trust the issuing CA. If they do not yet, export the CA certificate: Certification Authority > right-click Ciscawy-CA > Properties > General > View Certificate > Details > Copy to File > Next > Next, put the file in a shared folder, and on the client Start > Run > mmc > File > Add/Remove Snap-in > Certificates > Computer account > Trusted Root Certification Authorities > right-click > All Tasks > Import > the file > Next > Next > Finish.
- IIS is installed by the role wizard.

Installing the role
Server Manager > Roles > Add Roles > Active Directory Rights Management Services:
1. Create a new AD RMS cluster (a cluster is one or more RMS servers sharing one configuration database; a second server added later gives load balancing).
2. Configuration database: a SQL Server, or the Windows Internal Database for a single-server lab (it cannot be shared with a second server, so it prevents growing the cluster later).
3. Service account: a dedicated, non-administrative domain user under which the RMS services run; it can be changed later from Server Manager > AD RMS > Change Service Account.
4. Cluster key storage and key password; cluster web site: Default Web Site; cluster address: the name created in DNS, with HTTPS (HTTP would send licenses in the clear); the server certificate; the licensor certificate name.
5. Register the Service Connection Point (SCP) in Active Directory so that clients find the cluster automatically; this step needs Enterprise Administrator rights.
6. Install > Finish > restart the server, and log off and on again, because the installing user is added to the AD RMS Enterprise Administrators group.

Rights Policy Templates
Server Manager > AD RMS > Rights Policy Templates > Create Distributed Rights Policy Template: name it, Add users or groups (each user needs an e-mail address attribute in Active Directory, because RMS identifies people by e-mail) and tick the rights (for example Read only for Basem), then Finish. Export the templates to a shared folder and point the clients at it; the RMS client reads templates from that folder.

Client
The course uses Windows 7 with Microsoft Office 2007/2010 (Office is the RMS-aware application). In Word: File > Info > Protect Document > Restrict Permission by People > Restricted Access, or choose the distributed template; add users with Read or Change, and More Options for expiry, printing and copying. Save the document to the shared folder. When another user opens it, the permissions are active: the menu commands that are not allowed are greyed out, and a user who is not in the list is refused.
-: Federation Service
Authentication ( ) - ADLDS ADDS
195Page
01001582348
basemhamed@egyptnetriders.com
Eng.Basem Hamed
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
196Page
Ciscawy.com Forest
Authentication Group User
Netriders.com Forest Conditional Forward DNS
IP Forest
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
197Page
Netriders.com Forest
Ciscawy.com Conditional Forward
Federation
Server manager Roles add role
IIS
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
192Page
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
199Page
200Page
01001582348
basemhamed@egyptnetriders.com
Eng.Basem Hamed
Two Forest
-: Netriders.com Forest
Web Server Certificate Export
Start run IIS Server Certificates
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
201Page
Password
Shared Folder
Netriders.com Member Machine
Web Server
Server manager Roles add role
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
202Page
ACFS
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
203Page
IIS
Next
-:
Client Certificate mapping authentication
IIS management console
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
204Page
Next Finish
Self Sign Certificate IIS Machine
Start run IIS Server Certificates
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
205Page
Eng.Basem Hamed
basemhamed@egyptnetriders.com
01001582348
206Page
Add
Type https
Certification Machine
OK
SSl Machine
207Page
01001582348
basemhamed@egyptnetriders.com
Eng.Basem Hamed
Certificate
MMC
Start run MMC File add\remove snap in
Add Certificate
Next Finish
Certificate Trusted Root
R.click All tasks Import
Export
Aware Application
IIS
R.click Default Web Site Add Application
Select Classic.net
C:\inetpub\wwwroot\claim
aware application
Machine web.config
Federation Service
Ciscawy.com
Start administrative tools Active Directory Federation Service
Trust Policy
R.click on trust policy Properties
un:federation:Ciscawy
Display Name
Account
AD Account
Finish
Group Claim Group
Add
ok Group
Netriders.com
Start administrative tools Active Directory Federation Service
Trust Policy
R.click on trust policy Properties
un:federation:Netriders
Display Name
Application Authorization Decision Group Claim
Ciscawy.com
Web Server Authentication
Trusted Policy My Organization Organization Claim
R.click New Organization Claim
Claims-aware application
Web Server
https://web.netriders.com/claimapp
Web Server Machine web.netriders.com
Next Finish
-: Trust
Netriders.com Ciscawy.com Policy Export
Ciscawy.com
Folder
Folder Share
Netriders.com
Forest
Policy
Start administrative tools Active Directory Federation Service
Account Partner R.click New Account Partner
Account Ciscawy
Browse Policy
SSO
Forest
Next Finish
R.click New Incoming Group
Simple claim aware application
Folder
Folder Share
Ciscawy.com
Forest
Start administrative tools Active Directory Federation Service
Partner Organization Resource Partner New
Resource Netrider
Next Finish
(IIS Restart)
Client
Start run
https://web.netriders.com/claimapp
Web Server
Continue
Domain ! Ciscawy Submit
Credential User
Machine 3 Partitions
ADDS
Schema Configuration Application - Object Attribute User
Unique Instance
Application Partition
Partition Domain
Install
-: LDS
Start Administrative Tools ADSI Edit
Server Object
AD Framework
Port Number User Firewall
Replication 15
Instance
A replica instance
Server
Browse Domain
Port
Instance
Objects
-: Replication
Active Directory Sites and Services
Online
Site
Site LDS
Site Servers
Sites and Services
-:
TechNet
70-640 TS Windows Server 2008 Active Directory, Configuring 2ND.pdf
PowerPoint
70-640 Server 2008 Active Directories PPT