Active Directory Objects Flashcards
DCs have 4 main partitions:
- domain directory - users, groups and network resources for the domain
- configuration directory - forests, domains and domain trees
- schema directory - controls the objects and attributes that can exist in AD. Network resources stored in AD are known as AD objects and consist of users, groups, computers, security policies, printers, contacts and other network devices.
- application directory - part of DNS and stores AD-integrated zones (not replicated by the global catalog)
user accounts
also known as security principals
3 user accounts are created by default in a new domain:
- Administrator
- Guest
- HelpAssistant
InetOrgPerson class
used in LDAP and X.500 directory services to represent users in an organization; users on any platform can obtain directory information from LDAP
Scope identifies how a group is applied to a domain or forest; there are three scopes:
- domain local - permissions apply only within the domain
- global - can be used in any domain in the forest
- universal - can include other groups and accounts from any domain tree or forest.
2 types of groups in AD DS - distribution and security.
Distribution lists cannot be added to DACLs (Discretionary Access Control Lists)
addtl groups can be added by Account Operators, Domain Admins and Enterprise Admins
Each computer account has the following components:
- SAM (Security Accounts Manager)
- DNS suffix - DNS host name
- SPN (Service Principal Name)
DNS name is the full name of the computer:
bsalt.internal.mesacounty.us
UPN - User Principal Name
(login name and suffix), e.g. linz.th@mesacounty.us, where mesacounty.us is the UPN suffix
Can import and export AD DS objects in two ways:
- LDIFDE - utility that imports/exports AD objects along with passwords; files are saved with a .ldf extension
- CSVDE - imports/exports AD objects but not passwords
must be a member of the Admin group to perform this function
AD LDS doesn’t require a DC or DNS server
can be used to sync with directory servers and data management
cmd.exe prompt syntax:
ldifde [-i] [-f filename] [-s servername] [-z] [-b username domain password] [-h]
ldifde switches
- -i = specifies an import function
- -v = enables verbose mode
- -u = Unicode format
- -t port = specifies the LDAP port. default is 3889 and global catalog default is 3268
- -j path = path of the log file
- -s server = server to bind with
- -f filename = filename
- -k = ignore errors during the import (constraint violation and object already exists errors)
- -c FromDN ToDN = replaces all occurrences of FromDN with ToDN; used to replace the distinguished name of the export domain with that of the import domain when importing data from one domain to another.
csvde switches
- -f filename = filename
- -j path = save a log file during import, e.g. -j "C:\folder"
- -d RootDN = root of the LDAP search for data export
- -r filter = creates an LDAP search filter for exporting data
- -p scope = search scope: base, onelevel or subtree
- -l list = list of attributes to return (if not specified, all attributes are returned)
- -o list = list of attributes to be omitted
- -m = omits attributes that apply only to AD objects
- -n = binary values should not be exported
- -a UserDN password = during import, specifies the user distinguished name and password
- -b username domain password = during import, specifies username, domain and password
Using OUs
can reduce the number of domains used
Process for creating one includes:
- assigning the OU owner
- creating account and resource OUs
- designing its structure
assigning the OU owner
forest owner assigns an OU owner in a domain. owners manage data and control a subtree of objects in the AD DS. it governs functions (how to delegate admin control, apply policies to objects within their OU) and can create new subtrees and delegate admin control to them.
creating account and resource OUs
Account OUs include users, groups and all computer objects. Resource OUs are created to provide autonomy to the management of data and computer equipment. Best practice is to create two separate OU structures in the domain
Resource OUs do not contain any default child OUs
designing the OU structure
documenting the structure is important: list the names of the OUs, their type, owners and origin.
add an OU using cmd.exe
dsadd
dsadd ou OrganizationalUnitDN
ie: dsadd ou "OU=Tellers,DC=EasyNomadTravel,DC=com"
three configurations you can apply to a group
- Modifying group membership
- Changing the group type
- Changing the group scope
dsmod group GroupDN -addmbr MemberDN
use -addmbr to add the member to the group with the cmd.exe dsmod command
dsmod group "CN=US Info,OU=Managers,DC=EasyNomadTravel,DC=com" -addmbr "CN=Jennifer Westlein,CN=Users,DC=EasyNomadTravel,DC=com" -secgrp no
use the -secgrp parameter to set security group yes or no. Same as above - dsmod group GroupDN -secgrp [yes|no]
change scope parameter L, G or U
Domain local, global or universal
dsmod group GroupDN -scope L|G|U
If you are on a global catalog server, you can only go from a universal to a local scope
group policies (GPOs) can:
- modify permissions on a file system
- modify permissions on a registry object
- change settings in the registry
- change assignment of user rights
- configure and audit event logs
- set account and password policies
applied on three levels
- Domain level - specifies common user security requirements, such as account and password policies, which are applied to all the servers in the domain (user account and password)
- Baseline level - specifies server security requirements that are applied to all the servers in a domain structure (user account policy applied to users and computers in a domain)
- Role-specific level - specifies the security requirements for specific server roles.
gpo default config
password policy
account lockout policy
kerberos policy
password policies contain the following options
1 enforce a password history - 0 and 24 default
2 configure a max password age - 42 days default
3 configure a min password age - 1 day default
4 configure a min password length (7 default)
5 ensure that a password meets complexity req
6 store a password using reversible encryption - passwords can be easily retrieved, which is a security consideration
5 kerberos policy settings
Enforce user logon restrictions
max lifetime for service ticket - 600 minutes by default
max lifetime for user ticket -TGT 10 hours by default
max lifetime for user ticket renewal - TGT 7 days default
max tolerance for computer clock sync - 5 min default
AD DS in 2008 has two new object classes
Password Settings Object - PSO has attributes that are used to define all the password settings, except Kerberos, for the default domain policy
Password Settings Container - PSC contains the PSOs (password settings objects) for a domain and is an object class created by default under the System container in the domain. You cannot modify an existing PSC but you can create addtl custom PSCs
PSOs have 3 lockout policies:
reset account lockout counter after,
account lockout threshold,
account lockout duration
PSO links (2 attributes)
- msDS-PSOAppliesTo attribute - contains a forward link to user or group objects; this multivalued attribute enables you to apply a PSO to multiple users or groups. Use it to apply one password policy to different sets of users or groups.
- msDS-PSOApplied attribute - backward link to the PSO. Added to user and group objects in 2008 to enable them to have multiple PSOs applied to them.
RSoP - Resultant Set of Policy
msDS-ResultantPSO shows which of the PSOs applied to a user or group determines the RSoP
PSO priority is set using msDS-PasswordSettingsPrecedence
Has a default integer value greater than zero
A lower value gives the PSO a higher priority
Can determine the resultant PSO of a user or group
- directly - based on global membership - the lowest value takes precedence
- indirectly - used when no PSO is obtained by the direct method: a PSO linked to groups of which the user is a member. Otherwise the default domain policy is applied to obtain the resultant PSO
each PSO should be set with its own unique value at time of creation
if multiple PSOs with the same value are obtained, then the PSO with the smallest globally unique identifier (GUID) is applied to the user.
by default, account lockout policies are
set to 30 minutes for lockout threshold and the reset account lockout counter - local and domain policy defaults are the same
to configure and manage fine-grained password policies in AD - two tools
- AD Users and Computers console
- ADSI Edit tool - Active Directory Services Interface Editor - adsiedit.msc
choose CN=Password Settings Container, which is where all the PSO objects for the domain are stored
With a GPO you can
- manage the desktop that displays to users and reduce support calls and total cost of ownership (TCO) by locking down the desktops
- Install and manage software
- Manage the running state of services
- redirect My Documents Folder
- Configure Internet Explorer options and security settings
- Automate administrative tasks by using logon, logoff, startup and shutdown scripts
each GPO has 2 sets of administrative templates
- computer settings
- user settings
Administrative Templates identify where registry-based policy settings are stored in the registry.
On a DC the GPO's settings are known as the GPT (Group Policy Template), which is stored in the SYSVOL shared folder and enables configuration of group policy settings.
2 types of GPOs
apply according to security needs, roles and location of users and computers
if GPOs conflict, the last applied GPO takes precedence; if user and computer settings conflict, the computer setting wins
Local (LGPO) - apply only to the computer where they are located. usually used where there is no AD DS, or to apply a specific group policy to a specific computer.
2008 server feature allows multiple LGPOs on the same computer - apply to different users on the same computer.
AD GPOs - apply to all users and computers in the AD container where they are linked. Can apply the GPO to specific OUs or sites, or to all users and computers in a domain
GPOs are processed in this order
GPMC - Group policy Management Console
- LGPOs
- GPOs linked to the site
- Domain Level GPOs
- GPOs linked to OUs
Exceptions: GPOs are only applied if the data transfer speed between a computer and DC is 500 kbps or higher. A broken link can keep a GPO from being applied. 2008 uses NlaSvc - the Network Location Awareness service - to detect slow networks and when it loses its connection to the DC
Credential caching - if the user logs on locally instead of to the domain, GPOs are not applied
GPO default process order can be changed by
- changing link order (link order 1 is processed last)
- blocking inheritance
- specifically enforcing particular policies - can cause security risks, so test first
- using GPO filtering (the WMI tool allows you to filter)
- disabling GPOs - can do it by site, domain or OU and can choose only user or computer settings
- using loopback processing - ensures computer policies are applied regardless of user policies
GPCO (Group Policy Creator Owners) members
do not have rights to link GPOs to containers
2008 registry policy settings are stored in ADMX files, which are XML based. These replace the ADM files used in previous versions of the server. Requires a Vista or higher client
can store the files in a central location in the domain, accessible to anyone with rights to create or edit GPOs
need to manually add ADMX or ADML files to the SYSVOL folder if a change is made on the local machine
With GPOs you can also add the following options
- disabling mobile storage devices (USB, MP3 players, cameras)
- controlling the functionality of specific Windows features
- adding or modifying registry keys
- modifying Windows security settings
security template
doesn't introduce new security settings but organizes them.
text-based file with .inf extension
contains all public key policies and security attributes.
Can be used with the Security Configuration and Analysis snap-in to examine a system for security holes or policy violations.
Security Templates define:
- Account Policies
- Local Policies
- Event Log settings
- Restricted Groups
- System Services Settings
- File and Registry permissions
predefined templates are stored in the systemroot\security\templates directory
Windows 2008 doesn’t provide predefined security templates but you can download and install GPOAccelerator to obtain ones that were included in previous versions
Predefined security templates include
- Default Security (setup security.inf) - cannot be applied to DCs
- DC Default - DC security.inf - applied when a server becomes a DC; use the Security Configuration and Analysis snap-in or the secedit command line tool.
- Compatible - compatws.inf - applies to Administrators, Power Users and Users
- Secure - secure*.inf - sends only NT LAN Manager v2 (NTLMv2) responses and configures servers to refuse LAN Manager responses
- Highly Secure - hisec*.inf - secures data transmissions between server message block (SMB) clients and servers by imposing strict restrictions on the levels of encryption and authentication. superset of the secure*.inf templates
cmd for secedit tool
secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
use the tool to apply security templates to the local computer, analyze, export, validate
/configure configures local computer security by applying the settings stored in a database
ie:
secedit /configure /db database1.sdb /cfg template1.inf /overwrite /quiet
/db = database name; /cfg = specifies a template to be imported into the db before the computer is configured
/overwrite = clears the db before import. if not on the line, settings will accumulate in the db; if there is a conflict, the template settings take precedence.
/areas = security areas to be applied to the system. if not on the line, all settings defined in the db are applied to the system. to specify multiple areas, separate them with a space
/log = log file; if not specified on the line, config data is automatically logged in scesrv.log in %windir%\security\logs
/quiet = process runs without prompts
4 phases to software deployment
preparation, deployment, maintenance, and removal. You can use group policy (gpedit.exe) to manage each phase
2 components of windows installer
- Software installation package files .msi
- Windows Installer Service msiexec.exe
can enable users to install via
- file extension or COM-based activation
- start menu or a shortcut on the desktop
publishing software does not install anything on the computer; it is published to the user
no local registry changes are made, no shortcuts, but the attributes are stored in AD
use GPME / gpedit
patch file for a software install in gpedit
.msp (patch file)
.msi
GPMC (Group Policy Management Console) can be used to
- search for GPOs in a forest
- back up and restore GPOs
- import settings from a backed-up GPO to an existing GPO in the same forest
it is not installed by default. install it by using the Server Manager interface (in Features) or from the command line: servermanagercmd -install gpmc
launch by going to Run, gpmc.msc, or run it from cmd
default file location for ADMX files is
c:\windows\policydefinitions
AD DS maintains a log that stores old values for AD objects and their attributes, as well as the new values when alterations are made. This feature is new in Windows Server 2008
The controls used to incorporate auditing features in Windows Server 2008
global audit policy
a system access control list (SACL)
A control Schema
To enable AD object auditing
enable the Audit directory service access audit policy, then set it to audit successful events, failed events or both
Audit policies that you can choose to configure
audit:
- logon events
- account logon events
- system events
- account management
- privilege use
- directory service access
- object access
- policy change
- process tracking
2008 server introduced audit policy subcategories
- better control
- specific events
use the auditpol command to display the current audit policy, display selectable policy elements and set audit policy subcategories
auditpol /get /subcategory:*
auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
DNS namespace hierarchy
internal.mesacounty.us
internal is the bottom level (all the way to the left)
mesacounty is the next level up
us is the highest level and is called the root (TLD). Servers that maintain the root are called root servers
13 root domains are presently being used to administer the global internet root namespace domain.
2008 supports the following DNS zones
- Primary - is writable; zone info is updated here
- Secondary - full read-only copy of the primary zone data; can't be updated
- AD-integrated - since Server 2000; zone info is stored in AD, and resource records can be modified on any DC associated with AD
- Stub - has just enough info from the primary to reach the authoritative DNS servers; doesn't increase network traffic during replication because it stays small
Stub zones only store 3 types of info:
- Start of Authority (SOA) - first record in a zone
- Name Server (NS) - maps a domain name to all its authoritative DNS servers
- Address Record (A) - contains the IP address.
Features in DNS in 2008 include
- DNAME resource record - allows the creation of aliases for multiple nodes at a time, aka non-terminal domain name redirection; you can use one DNAME record to rename a root and all its child nodes simultaneously.
- RODCs
- IPv6
- GlobalNames zone - enables users to store single-label host names; WINS is not needed
- Integration with Microsoft networking services (AD, WINS, DHCP)
- RFC-compliant dynamic updates - RFC 2136 protocol for dynamic updates; only authenticated users can update records
- global query block list - blocks queries from unauthorized requests
advanced features:
- forwarding
- root hints
- server scavenging
For DNS to use forwarding, configure either:
- forwarder - to an external server; it uses caching, so a larger cache is good and won't affect performance
- conditional forwarder - used to resolve queries between two organizations
Cache.dns
%systemroot%\System32\DNS
name server and resource records are part of the file
in-addr.arpa domain was created to be used as a reserved internet namespace for reverse lookups.
dnscmd command line utility
convert host names into IP addresses,
add a forward lookup zone
recursive queries - DNS
the server acts as a forwarder;
the client either gets an error or gets an exact answer; if resolved, the answer is sent to the client
if the server can't resolve it, it changes the query to an iterative query by searching a list of forwarders and sending iterative queries to each one of them.
iterative queries - DNS
the DNS server is asked to resolve a query or make a best-guess referral to a DNS server that may be able to resolve it.
Some delay can occur
a timeout setting on the DNS server determines the max wait time for a response
unmanaged, decayed DNS records can cause the following problems:
- unnecessarily long zone transfers
- degradation of the performance and response time of the DNS server as stale records accumulate
- possible conflicts, if an IP address in a dynamic DNS environment is assigned to a different host
scavenging is disabled by default
enable it on both the zone and the DNS server
a DNS server sets the date/time value to start scavenging on a per-zone basis when:
Start scavenging time = current server time + refresh interval
- users enable dynamic updates for the zone
- a primary zone that is enabled to use scavenging is loaded by a DNS server
- the DNS server starts
- a zone resumes its service after it has been paused
- an administrator manually activates the Scavenge stale resource records function
DNS round robin technique - enabled by default on Windows 2008 servers
the DNS server rotates the records for each incoming request so that successive visitors are directed to different web servers
drawbacks:
- doesn't offer any failover functionality
- does not control the order in which connections are rotated - not true load balancing
Zone transfer can occur when
- the refresh interval has expired for a zone
- a notification of changes in the zone file is sent by the primary server to a secondary server
- the secondary server queries the primary DNS server for a change in the zone
- a DNS console at a secondary server for the zone manually initiates a transfer from the primary server.
Transfers may be:
Full Zone Transfer - the entire DNS db is transferred using an asynchronous full transfer zone (AXFR) query to update the zone data on another DNS server. This is used prior to 2003 or when a new DNS server is configured for the first time.
An Incremental Zone Transfer (IXFR) query is used to request data from the primary and compare it to the secondary db; if the same, no transfer; if different, only the needed updated parts are transferred.
The server keeps records of the incremental changes so it can answer the IXFR queries. These are fast and create less traffic and are standard in Server 2008
Steps occur to complete an incremental zone transfer
- SOA query is sent from secondary DNS
- Primary responds
- Secondary compares the serial # against its own
- Secondary server sends an IXFR or AXFR query
- Primary responds with transfer
When AD is installed or upgraded on a DC, 2 specific DNS partitions are created
- Forest DNS Zone
- Domain DNS Zone
if the zones are not created at install time, they will be created again automatically every time the service is started
Zone replication scopes you can set an AD DS integrated DNS zone to use:
- all DNS servers in the domain
- all DCs in the domain
- all DCs in the scope of a specified application directory partition
- all DNS servers in the forest
You can install the Windows Server 2008 support tools for AD DS integrated DNS zones
Server 2008 DVD - Support\Tools, then click suptools.msi
to create a custom app directory partition that enables replication of zone data between 2 domains, access the command prompt and then
- create an app directory partition on a DC
- configure an addtl DC
- check that the app dir partition was created successfully
- activate the Knowledge Consistency Checker (KCC) to create a connection object on each DC - verify AD replication over the new replica link that you have created
- configure the replication scope of the relevant DNS zones to that of the new app dir partition
dnscmd commands
dnscmd /createdirectorypartition FQDN - creates the app dir partition on a DC
dnscmd ServerName /enlistdirectorypartition FQDN_of_partition - configures an addtl DC to be used as a DNS server to host the created app dir partition
dnscmd /enumdirectorypartitions - checks if the app dir partition was created successfully
dnscmd /directorypartitioninfo FQDN - displays detailed info about the app dir partition on a DC
repadmin /kcc DCName
creates a KCC connection object for each of the DCs
use this on the first DC
then do it on the second one and a replication link is created
repadmin /showrepl ServerName
to verify that AD replication can occur over the new replica link
if the new naming context is not displayed, this may indicate uninstantiated replicas, which occur when:
- a temporary naming context head is configured by the KCC until the next AD DS replication cycle occurs
- AD DS replication has not yet occurred.
To Add Certificate snap in
open the mmc
When a CA receives an enrollment request, the following actions take place
- CA decrypts the digital signature in the cert
- CA performs a hash on the request
- CA digitally signs the user’s public key
- User distributes copies of its x.509 cert
- entities authenticate the user’s x.509 cert
to configure autoenrollment
- configure the cert template for it
- specify the group policy settings
to configure the template go to Certificate Templates
Choose CA Exchange, Properties, Security tab, add Enroll and Autoenroll for the Authenticated Users group
Then configure the GPO for both users and computers to auto-issue a cert on receipt of a cert request. If the requester selects the autoenroll cert option, the cert will automatically be issued
go to gpmc, select the default policy
under Security Settings choose the Public Key Policies folder, then the option in the right-hand menu "Certificate Services Client - Auto-Enrollment"
Enable
same for computer and user
for computers do the additional steps:
Automatic Certificate Request Settings folder in the right-hand menu, Action, New request and follow the wizard
Now you need to issue a new certificate template
Certificate Templates folder in the mmc
Action, New, choose CA Exchange from the list
This will bring the template into the Certificate Templates folder in the CA mmc
2 ways an admin can configure the default actions that a CA takes when it receives a cert request
- the request can be automatically approved by the CA
- the CA admin can review the request - this changes the status of the request to pending in the CA, and the admin takes appropriate action
after configuring you need to stop and start the services
When a cert is issued it is copied to a file
FileName.cer and then copied to the CertEnroll folder on the CA
Four roles can be assigned to users in a CA
- Certificate Manager - can approve certs and revocation requests. use the Certification Authority snap-in in mmc. The Issue and Manage Certificates permission is assigned to this role
- Auditor - can configure, maintain, view and audit logs. O/S role. The Manage Auditing and Security Log permission is assigned to this role.
- CA Administrator - configures and maintains a CA, can do everything. Account is built in by default on the CA. The Manage CA security permission is assigned to this role.
- Backup Operator - can perform system backup and recovery. The Backup Files and Directories and Restore Files and Directories permissions are assigned to this role.
A CA is used to issue digital certificates, and the directories are used to store policies and certificates
CRL (Certificate Revocation List) is a digitally signed list of unexpired certs revoked by the CA
Certificates are stored
in AD DS - the forest will have access, and because they are in one place the subordinates will get the most up-to-date cert template to use.
Maintains consistency
default cert templates in 2008 Enterprise are
- Computer - cannot be published to AD
- Cross Certification Authority - an issuing CA to a sub CA that is linked to 2 root CAs to verify the identity of the CA the cert is issued to
- Directory Email Replication - is used to replicate emails with AD DS. It is assigned to a DirEmailRep CA and can be published to AD DS
- CEP Encryption - enables holders to perform as a registration authority for SCEP (Simple Certificate Enrollment Protocol) requests. issues and revokes digital certs for software running on network devices, routers, switches. this template is assigned to computers and cannot be published to AD DS
- Code Signing - used to digitally sign software. It is assigned to users and cannot be published in AD DS
- DC - all-purpose certs. Assigned to the DirEmailRep CA and can be published to the AD DS
- DC Authentication - authenticates AD computers and users. cannot be published to AD DS
- EFS Recovery Agent - enables users to decrypt files that were encrypted with Encrypting File System (EFS). assigned to users and cannot be published to AD DS
Microsoft CAs support 3 versions of cert templates
backwards compatible
- Version 1 - 2000 PKI and 2003 Standard Edition, not customizable
- Version 2 - customizable settings and permissions. Only Enterprise CAs on 2003 or higher
- Version 3 - enable an admin to add the advanced Suite B cryptographic settings to their certs. advanced options for digital signatures, encryption, hashing and key exchange. Admins can only issue certs based on version 3 cert templates on 2008 CAs; only used on 2008 or Vista and higher
Permissions you can assign to a cert template are
- Full Control - gives a user, machine or service full control
- Enroll - also needs Read to enroll for certs
- Autoenroll
- Read - needed to enroll or autoenroll; the certificate server needs it to access the cert templates in AD (the Users group has this by default and the enterprise CA is usually included in the Users group)
- Write
KRA
Key Recovery Agent. key archival allows the agent to retrieve private keys, original certs and public keys from a db, to help prevent data loss due to a lost key.
Can identify one by issuing a KRA cert. A KRA agent requires membership in Domain Admins or something similar
To configure a KRA environment
Configure a KRA cert template and enroll the KRA for a KRA cert - use the Key Recovery Agent template in Manage Certs
Enable key archival for a CA - configure the KRA cert template you just created and enroll the key recovery agent for a KRA certificate
The admin of the CA enables key archival for the CA
Who can perform a CA backup
Backup Operators Group
The CA Administrator
Steps for enabling key archival for a CA
- Add the cert auth snap in
- access the properties for the CA
- Set the number of key recovery agents that will be used to encrypt the archived key
- Choose the key recovery cert you want to use
- Restart the CA
SCEP - Simple Certificate Enrollment Protocol
NDES - Network Device Enrollment Service - only on Enterprise and Datacenter 2008
Has to have IIS
NDES:
- retrieves pending cert requests
- accepts auth requests
- prepares and sends one-time enrollment passwords for the admin
Enrolling for a cert with NDES requires
the software used to manage the network device, a registration authority (RA), and the computer hosting NDES and the CA
To install NDES you need to do 2 things
- configure a user account to act as the RA
- configure and install NDES
The RA is part of a PKI - it verifies requests for digital certs, records all the info that a CA requires for certs, and then sends it to a CA, which issues the cert
Configure the RA
add the user account to the IIS_IUSRS group
IIS_IUSRS is a security group IIS uses to establish and work with remote connections; no user is a member by default (see Users and Computers in AD)
the web enrollment page allows you to
- submit a cert request
- check the status of a pending request
- download a CA cert, cert chain or cert revocation list (CRL)
lets users who are not on your domain request certs via the web
2008 enables enrollment agents by using cert templates:
Can restrict enrollment rights - new in 2008
not on standard editions of CAs
Enrollment Agent
Enrollment Agent Computer
Exchange Enrollment Agent (offline request)
2 types of CRL (certificate revocation list):
- Base CRL is the full set of revoked certs
- Delta CRL lists only the certs revoked since the last full Base CRL was published
CRL Distribution Point (CDP) - the cert needs to have this extension in order to locate and retrieve the list. for each revoked cert you need a CDP
CDPs can be located in
- AD
- a local directory
config online responder tabs:
- Certificates
- Web Proxy
- Audit
- Security
An online responder should not be installed on a CA, so that it can perform more efficiently, but it needs to be on an IIS system
enable an online responder to enroll for signing certs you need to
- Configure the OCSP response signing template
- include the URL for the online responder in the AIA extensions of the cert
- Assign the OCSP response signing template to the CA
- Create a revocation configuration
To test an online responder configuration you can
- issue a new certificate
- revoke a certificate
- publish a CRL
- remove CRL CDP extensions from the issuing CA
- confirm that client computers can obtain revocation data
You can publish a new CRL or delta CRL update to make a certificate change or revocation effective immediately
Open Administrative Tools, Certification Authority, Issued Certificates folder
Pick the cert and choose your action, date and time.
Publish from the command line: certutil -crl (publishes the CRL)
can also use the Windows interface -
go to Certification Authority, pick the Revoked Certificates folder, Actions, All Tasks, Publish, choose type: new or delta CRL
Steps to configure an OCSP online responder
Configure the OCSP Response Signing template and assign it to a certification authority (CA)
need to include the URL for the Online Responder in the AIA extensions of the certificates and create a revocation config
A cert revocation list (CRL) is automatically published at a specified interval, or you can manually publish it and choose to overwrite or update an existing CRL
set up the RA account by
going to AD Users and Computers, choosing Builtin and adding the user to IIS_IUSRS
On a Windows Server 2008 CA domain:
- an RA account set up for NDES
- Certification Authority Web Enrollment service installed
- restricted enrollment agent has been configured
- OCSP has been installed
Sequence of steps you follow to configure NDES
- in Server Manager, access the list of roles installed for AD DS
- launch the Add Role Services wizard
- choose the NDES role
- specify the username and account of the RA for NDES
- alter the default RA info and cryptography settings if necessary, and install NDES
steps to configure a smart card enrollment station
- access the Certificates snap-in via mmc
- select the folder that contains personal certs
- request a new cert
- specify the Enrollment Agent cert type and enroll for the cert