Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to backup AD (Active Directory)?
System state’s data backup must be done to backup of AD.
What data contains System State?
System State contains:
-
AD (database including other files in NTDS folder) (only on DC (Domain Controller)).
-
Boot and system files.
-
DFSR (Distributed File System Replication) staging.
-
AD CS (Active Directory Certificate Services) (only if Certificate Authority server is installed).
-
Cluster Service Database (only if Failover Cluster server is installed).
-
COM+ class registration database.
-
File system junctions.
-
Group Policies settings (only on DC).
-
IIS (Internet Information Services) meta-directory (only if IIS server is installed).
-
Registry
-
Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
-
SYSVOL (System Volume) folder (only on DC).
What are AD Restore types?
There are two AD Restore types:
-
Non-Authoritative Restore (D2 restore).
-
Authoritative Restore (D4 restore).
What is Non-Authoritative Restore of AD?
-
Non-Authoritative Restore is the default method to restore AD, and it is using when its data lost or corrupted.
-
It restores a DC to its state at the time of backup. After restoring of DC, the local copy of SYSVOL is compared with its replication partners. After restarting DC, SYSVOL replicates any necessary changes to itself, bringing restored DC up-to-date with the other DCs within the domain.
-
To perform a Non-Authoritative restore, DC must be started in DSRM (Directory Services Restore Mode).
What is the Authoritative Restore of AD?
-
Authoritative Restore performs restoring of DC from backup, and after making up necessary configurations, the AD marks the local SYSVOL as authoritative and replicates it to the other DCs within the domain.
-
It has abilities to restore only particular objects.
For example, if OU (Organizational Unit) was deleted. The Authoritative Restore will be able to restore just this object.
-
To perform an Authoritative restore, DC must be started in DSRM.
-
Authoritative Restores need to use ntdsutil utility.
-
Authoritative Restore often needed when human error is involved, such as when an administrator accidentally deletes some objects and that change replicated to the other DCs and the object cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
-
DSRM is a special boot mode, which is using for repairing or recovering AD.
-
It is used to login to the computer when AD has failed or needs to be restored on DC.
Windows - ADFS (Active Directory Federation Services) Server
Knowledge Base Questions & Answers.
What is ADFS, and what is its primary purpose in an organization?
-
ADFS is a Microsoft technology that lets users sign in once and access multiple applications and services without repeatedly entering credentials.
-
Its primary purpose is to provide SSO (Single Sign-On).
-
ADFS is commonly used in scenarios where organizations need to provide SSO and federated identity services for non-AD (Active Directory) solutions, such as cloud applications, partner services, or web-based resources.
-
While ADFS can be used for AD-to-AD scenarios, its primary purpose often extends beyond AD-only environments.
How does ADFS contribute to SSO (Single Sign-On) functionality?
-
ADFS enables SSO (Single Sign-On) by verifying a user’s identity once and issuing a secure token.
-
Users can use this token to access multiple applications without re-entering their credentials, streamlining the login process.
-
Users must use the same opened internet browser to open other applications without prompting for credentials. ADFS and SSO rely on browser sessions and cookies to track authentication status.
What are the eight main components of ADFS?
The main eight components of ADFS are:
-
“Federation Server” - Handles authentication and token issuance.
-
“Federation Metadata” - Contains configuration information.
-
“Federation Service Proxy” - Provides secure access from external networks.
-
“Active Directory” - Stores user accounts and authentication data.
-
“Relying Party Trusts” - Define trust relationships with applications.
-
“STS (Security Token Service)” - Generates and manages security tokens.
-
“Token Signing Certificate” - Ensures token integrity and authenticity.
-
“Claims Rules” - Determine how user claims are processed.
What is the role of the “Federation Metadata” in ADFS?
The role of “Federation Metadata” in ADFS is to share essential configuration details and trust information between ADFS and its federation partners, making it easier to set up a secure identity federation and ensuring both sides are on the same page regarding communication and security.
What is the purpose of the ADFS “Federation Service Proxy”?
-
ADFS “Federation Proxy Server” enables secure access to ADFS from external networks.
-
It forwards external requests to the internal ADFS server, which handles authentication.
What is the function n of “Relying Party Trust” in ADFS?
-
“Relying Party Trust” in ADFS establishes a secure connection and trust between ADFS (identity provider) and an application or service (relying party).
-
It enables SSO and secure authentication.
What is the role of the “Token Signing Certificate” in ADFS?
-
“Token Signing Certificate” signs security tokens, ensuring their integrity and authenticity.
-
Relying parties trust ADFS because they can validate the tokens using this certificate.
-
It’s vital for authorization, access control, and interoperability in federated identity scenarios.
What are the different authentication methods supported by ADFS?
ADFS supports various authentication methods, including:
-
Username and Password.
-
Windows Integrated Authentication
-
MFA (Multi-Factor Authentication)
-
Certificate-Based Authentication
-
OTP (One-Time Password)
-
Biometric Authentication
-
Social Identity Providers
-
OAuth and “OpenID Connect.”
-
Custom Authentication Providers
-
Smart Cards
How does ADFS support MFA (Multi-Factor Authentication)?
-
ADFS supports MFA (Multi-Factor Authentication) by integrating with MFA solutions.
-
After verifying the user’s credentials, it prompts an extra authentication step, like a mobile app or fingerprint scan, before granting access, adding an extra layer of security.
What is the purpose of the “Extranet Lockout Protection” feature in ADFS?
-
ADFS “Extranet Lockout Protection” is a security feature that helps prevent unauthorized access by temporarily locking out users who exceed a threshold of failed login attempts.
-
It enhances security and safeguards against brute-force attacks in extranet scenarios.
Experience-Based/Practical Questions & Answers
What are the steps to install ADFS?
There are the following steps to install and configure ADFS:
-
Connect to the “Certificate Authority” server. Create a new certificate template for ADFS and enable it. After this step, all domain servers can access the ADFS certificate.
-
Install the ADFS certificate on the server, which will be used as ADFS. Do following:
-
Open the Certificate console for “Computer Account.”
-
On the “Personal Certificates” folder, request a “New Certificate.”
-
Configure properties of the ADFS certificate on the Subject and General tabs.
-
Enroll the certificate to the local server.
-
-
Optional - Create a “Group Managed Service Account”. Connect to DC (Domain Controller). Create kdsRootkey by using PowerShell.
-
Optional - Create DNS for the ADFS Service. Do the following:
-
Connect to DC.
-
On the DNS (Domain Name System) MMC (Microsoft Management Console) snap-in, create a new “Forward Lookup Zone.”
-
Create a new “A Host” record for the ADFS server.
-
-
Install the ADFS Server. Do the following:
-
Install ADFS role.
-
Do ADFS configuration. Choose which database you will use during configuration: “Windows Internal” or “MS SQL Server (Microsoft Structured Query Language Server).”
-
Reboot server.
-
-
Optional - Enable the SSO page. On PowerShell, enable IdPInitiatedSignonPage.
How do you configure ADFS to work with a specific application or service?
To configure ADFS for a specific application or service:
-
Set up ADFS with your organization’s settings.
-
Configure the application or service to support federation, often using SAML (Security Assertion Markup Language) or OAuth.
-
Create a “Relying Party Trust” in ADFS for the application.
-
Define claim rules to specify user attributes to share with the application.
-
Share “Federation Metadata” with the application.
-
Test, troubleshoot, and ensure secure communication.
-
Optionally, implement additional features like MFA.
-
Document and maintain the configuration.
Can you describe the typical authentication flow process in ADFS?
In ADFS authentication flow:
-
The user requests access.
-
ADFS validates credentials.
-
ADFS generates a signed token.
-
The token is sent to the application.
-
Application grants access.
-
The user is authenticated for the app.
What is “Claims-Based Authentication,” and how does it work with web applications?
“Claims-Based Authentication” is a method applications use to obtain user identity information:
-
Users are redirected to an identity provider’s login page when they attempt to access a web application.
-
Upon authenticating the user, the identity provider issues a security token.
-
STS generates this token and contains verified information about the user, known as claims.
-
The application, relying on its trust relationship with the identity provider, accepts this token as proof of the user’s identity.
-
The application grants the user access to specific features and functionalities based on the claims within the token, effectively managing authorization in a secure and streamlined manner.
Can you describe the HA (High Availability) options for ADFS?
To achieve high availability for ADFS:
-
Set up an ADFS server farm with LB (Load Balancing).
-
Use WAP (Web Application Proxy) servers in HA (High Availability) for external access.
-
Ensure HA for the ADFS configuration database.
-
Employ LBs for traffic distribution.
-
Consider multi-data center deployments for DR (Disaster Recovery).
-
Implement database replication.
-
Securely back up ADFS configurations and databases.
-
Monitor and alert for issues proactively.
-
Test your HA configuration and disaster recovery plan periodically.
How do you handle certificate renewal and rollover in ADFS?
To handle certificate renewal and rollover in ADFS:
-
Identify expiring certificates.
-
Prepare new certificates.
-
Import new certificates into ADFS.
-
Update relying parties with new certificate information.
-
Change ADFS settings to use new certificates.
-
Monitor and test the transition.
-
Remove old certificates when confident in the new ones.
-
Maintain backups and documentation.
-
Communicate the process to stakeholders.
Explain how ADFS can be integrated with on-premise AD.
To integrate ADFS with on-premises AD:
-
Deploy ADFS.
-
Set up ADFS farm for reliability.
-
Establish trust between ADFS and on-premises AD.
-
Configure “Relying Party Trusts” for applications.
-
Users authenticate with on-premises AD through ADFS.
-
ADFS issues “Security Tokens” with claims.
-
Tokens grant access to federated applications.
-
ADFS handles “Token Renewal” and Expiration.
-
“Federation Metadata” helps establish trust.
How do you troubleshoot common ADFS issues?
To troubleshoot common ADFS issues:
-
Check “Event Logs” and IIS (Internet Information Services) logs.
-
Test network connectivity.
-
Review ADFS configuration.
-
Verify certificates and clock synchronization.
-
Check DNS settings.
-
Validate “Federation Metadata.”
-
Test with different browsers and devices.
-
Verify MFA and authentication methods.
-
Examine error messages.
-
Consult vendor documentation and support if needed.
How can you monitor and audit ADFS activities and events?
To monitor and audit ADFS activities:
-
Enable “ADFS Auditing.”
-
Centralize logs for analysis.
-
Review ADFS event logs regularly.
-
Use built-in reporting.
-
Set up alerts for critical events.
-
Perform periodic health checks.
-
Integrate with SIEM (Security Information and Event Management) solutions.
-
Retain log data according to policies.
-
Develop an incident response plan.