In this lab, we will be working within the Server VM.
I need to install Active Directory Certificate Services through the roles and features tab.
Now we need to configure AD CS.
In this lab, we will examine the AD CS role we installed.
First, we need to go to Tools, open AD CS, and look at the properties of classroom-SERVER-CA.
Now, in the General tab, clicking on ‘View Certificate’ gives us more information.
This certificate is used to sign other certificates.
In this lab, we learn how to configure EFS recovery agents. This is done within Active Directory Users and Computers.
First, we go to the user’s folder and create a new user named Bob.
Now we add Bob to the Domain Admins group.
Now, back in the Certificate Services window, we right-click the Certificate Templates folder and go to Manage, where we can open the Key Recovery Agent properties.
In the Security tab, we can add our user, Bob.
And lastly, we add Bob into the classroom-SERVER-CA security.
In this lab, we will be configuring a certificate enrollment website.
We start by going to the IIS Manager.
Here we can double-click Server Certificates, create a domain certificate, and add the common name.
And then just fill in the next few dialog boxes.
Now we go back to IIS and navigate to Default Web Site.
Now we just need to make a binding.
In this exercise, we will sign in as Bob to request the new certificate from the CA Web Enrollment server.
Once we are logged in, we need to go to Run and type in https://SERVER.classroom.local/certsrv
Here we need to log in as Bob again and follow the prompts to get to the Advanced Certificate Request screen.
Now, in the Advanced Certificate Request screen, we can install the certificate.
In this lab, we configure Domain EFS Recovery.
We start by going to MMC and adding a certificate snap-in. (I had massive issues here, will talk about it at the end of the blog.)
Now we need to export this certificate.
Now we need to sign out of the Client and log into the server.
In the Server, we need to go to Group Policy Management and add the Add Data Recovery
I kept getting an error every time I tried to add Bob’s certificate, so I’ll have to find another way to approach this.
After talking on the class forum, a classmate found a fix, which was to also add the user Bob into EFS Recovery Agent and the Key Recovery Agent template.
After adding the new GPO, I need to run gpupdate and restart the client.
Now back on the Server VM I need to create a new user and add them to the remote user’s group.
This lab covers using encryption.
First, I need to log in as Sue, create a subfolder within gtslabs, and insert a few pictures and text files.
Now we can encrypt the Secrets folder by going into the advanced properties. Once the files are encrypted, we just need to check we can still open them.
Now I need to log in as the local Admin and try to access the files.
No matter what I tried I was unable to gain access to the files, so that was a success.
We now need to export Sue’s certificate.
We also deleted Sue’s certificate, which then locks Sue out of her encrypted files. Silly Sue.
In this exercise, we log in as Bob to unencrypt Sue’s Secrets so she can access it again.
Now that the files are no longer encrypted, Sue can access her important text files.
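A check worth running before deleting Sue’s certificate is whether each encrypted file actually carries Bob’s recovery agent certificate. The script below is an added example, not part of the lab; the function name, the folder path and the English `cipher.exe` output labels it matches on are assumptions.

```powershell
# Added example (not from the lab). Assumes English cipher.exe output labels.
function Get-EfsRecoveryCoverage {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -Recurse -File -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $section = $null
            $users   = @()
            $agents  = @()
            # cipher /c lists the certificates stored in the file's EFS metadata
            foreach ($line in (& cipher.exe /c $_.FullName)) {
                if     ($line -match 'Users who can decrypt') { $section = 'users' }
                elseif ($line -match 'Recovery Certificates') { $section = 'agents' }
                elseif ($line -match 'thumbprint:\s*(.+)$') {
                    $print = $Matches[1].Trim()
                    if ($section -eq 'users')  { $users  += $print }
                    if ($section -eq 'agents') { $agents += $print }
                }
            }
            [pscustomobject]@{
                File               = $_.FullName
                UserCerts          = $users
                RecoveryAgentCerts = $agents
                HasRecoveryAgent   = $agents.Count -gt 0
            }
        }
}

# Hypothetical path: point it at the encrypted folder from the lab.
$report = Get-EfsRecoveryCoverage -Folder 'C:\gtslabs\Secrets'
$report | Format-Table File, HasRecoveryAgent -AutoSize

# Files encrypted before the recovery agent GPO reached the client carry no
# agent certificate; list them so they can be refreshed with `cipher /u`.
$report | Where-Object { -not $_.HasRecoveryAgent } | Select-Object -ExpandProperty File
```

Run it as the file owner on the client after `gpupdate`; any file listed at the end cannot be recovered by the agent until its EFS metadata is updated.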
This lab was an absolute headache. I’ll make a list of issues I faced.
- The lab’s instructions sometimes do not match with what I am seeing on the screen
- The certificate could not be added because of a user not being added to the right security groups
- The lab fails to mention what the end result should be like
- Finally, I feel like this is zombie work. I mean, it’s just following a book’s steps; sure, it’s teaching me a few things, but it takes little to no understanding of the system itself.
I was lucky to have a classmate who found out Bob needed to be added to extra security groups, as this was not mentioned in the lab at all.
These labs really do teach good information, but I feel like it’s just lacking something.