2008 R2 ADS Vocabulary - Session 5 Flashcards

1
Q

Active Directory RMS

A

(AD RMS)

2
Q

Active Directory RMS is a technology that uses

A

licenses to protect information for applications enabled to use the service. It safeguards digital information from unauthorized use by defining users’ access rights. These rights specify which users can open, edit, print, forward, or carry out other actions on the information stored on the server.

3
Q

Windows Server 2008 R2 AD RMS features:

A

• Improved installation and administration
• Integration with AD FS
• Self-enrollment of AD RMS servers
• New AD RMS administrative roles
AD DS is responsible for validating a user’s authorization to access content protected by an AD RMS server.

4
Q

The AD RMS server issues

A

rights account certificates (RACs), which identify trusted users and groups that are able to publish and assign rights and conditions for rights-protected content.
The AD RMS server creates a publishing license for the content that incorporates the specific usage rights and conditions within the content. This assures protection so that the content can be distributed across networks.

5
Q

AD RMS client

A

Clients can acquire licenses to decrypt rights-protected content and apply usage policies from an AD RMS. Client application users with the appropriate RAC can view and work with rights-protected data.

Clients can create rights-protected files and templates. AD RMS rights policy templates are deployed to control the rights that a user or group has on a particular element of rights-protected content.

6
Q

Active Directory Lightweight Directory Services

A

(AD LDS)

7
Q

AD LDS provides independent

A

directory storage and access to applications, and uses the standard application programming interface (API) to access application data.

8
Q

The following are the features of AD LDS:

A
  • The directory service solution ensures that specialized applications are able to use AD LDS as their own directory service
  • Integration with the Network Operating System (NOS). AD LDS uses the same directory technology as AD
  • Multiple Independent Instances of AD LDS can be run, with each instance tailored according to the specific application to which it applies
  • Security Principals and Access Controls
  • The installation of AD LDS does not affect the AD, and AD LDS can be reinstalled without restarting Windows
9
Q

Active Directory Federated Services

A

(AD FS)

10
Q

AD FS is based on a

A

single sign-on (SSO) technology that supports authentication of users in various web applications in a single browser session. AD FS provides a relationship of trust that is used to verify users’ digital identities and access rights to the trusted partners within and outside the organization.

11
Q

The following are features of AD FS:

A
  • Installation is incorporated in Windows Server 2008 R2 as a server role.
  • Application Support - AD FS is closely integrated with Microsoft Office SharePoint Service (MOSS) 2007 and AD RMS.
  • The Establishment of Federated Trusts enables you to work with partner organizations using their internal NOS directories rather than by building forest trusts.
12
Q

Active Directory Certificate Services

A

(AD CS)

13
Q

AD CS

A

provides services that manage public key certificates, which are implemented in a software security system to authenticate secure data sharing and application access.
is used in organizations to improve security by binding users’ identifications, devices, or services to the corresponding public key certificates.

14
Q

AD RIGHTS MANAGEMENT SERVICE

A

(AD RMS)

15
Q

AD RMS enables you to create

A

information-protection solutions and apply these solutions to existing applications. Any application that is AD RMS-enabled can be protected. For applications, AD RMS provides persistent usage policies for information.

16
Q

Features of AD RMS include the following:

A
  • Enhanced Administration and Installation Features
  • Self-Enrollment
  • Integration with AD FS
  • Improved Delegation
  • The Licensing of Rights-Protected Information
17
Q

Configuring AD RMS

A
  • Install the AD RMS server role on a server connected to the AD domain and then configure the AD RMS cluster. The first server that you configure in an AD RMS environment is always configured as a root cluster.
  • When registering the SCP during AD RMS installation, the installing user account must have write access to the Services container in AD DS.
  • Configure client computers to enable them to use AD RMS.
  • Verify the functionalities of the AD RMS cluster.
  • Add the AD RMS cluster URL to the Local Intranet security zone.
  • Verify AD RMS functionalities on the AD RMS client computers.
18
Q

ACTIVE DIRECTORY FEDERATION SERVICES

A

(AD FS)

19
Q

AD FS is a

A

server role that enables users to access applications in another forest or network without providing a web server with secondary credentials (allows the use of SSO).
Each organization in a federated environment manages the identities of its users, and manages and accepts the identities of users from other organizations.
A federation server can be deployed between multiple organizations to enable them to perform B2B transactions securely.

20
Q

In a federated system, there are two types of organizations that participate in B2B transactions:

A
  • Resource Organizations
  • Account Organizations

21
Q

The AD FS server role has two types of services:

A
  • Federation services route
  • Web agent services

22
Q

Installing AD FS

A

After joining the servers to their domains, you can install AD FS role services on each of the servers. Windows Server 2008 R2 comes equipped with AD FS version 1.1; the latest version, AD FS version 2.0, is available as a separate download.
To install AD FS services, you need to log on to both resource and account servers using the Administrator account for the domain.

23
Q

To install and configure AD FS, complete the following steps:

A

Step 1 - Install AD FS and the AD FS web agents
• Use Server Manager Add Roles
Step 2 - Configure IIS on the federation servers
• Use IIS Manager to configure the default web site on the AD FS server to require SSL and to accept client certificates
Step 3 - Create and export the required certificates to configure the web and federation server
1. Create a self-signed server authentication certificate for the web server
2. Create a self-signed certificate for the AD FS server
3. Export the token signing certificates to a file using the AD FS console
4. Export server authentication certificates to a file using IIS Manager console
5. Import the server authentication certificate for a federation server to the web server using the certificates MMC
6. Configuring the web server includes configuring IIS and setting up a claims-aware application on the web server
7. A new folder to host the claims-aware application needs to be created in the C:\inetpub\wwwroot\claimapp folder
8. To ensure that the application functions correctly, you need to create the Default.aspx file, the Web.config file, and the Default.aspx.cs file
9. After creating the files, copy them into the C:\inetpub\wwwroot\claimapp folder
Step 4 - Configure the federation services on both servers
• Configure the trust policy for the server
• Create group claims for the appropriate claims-aware application
• Add and configure an AD DS account store