
Overview

This chapter discusses various aspects of administration of the SEE Server instance(s), including details about the ADAM client account and ADAM Administrator account, instructions on how to back up and restore the SEE Server instance(s), as well as use of the Recover OTP Keys Utility and batch file.

ADAM Account Password Changes

The two domain user accounts created during the installation of the SEE Server are:

An ADAM Administrator domain user account which is used by the SEE snap-ins for communication with the SEE Server, and

An ADAM client domain user account which is used by the SEE Client Computers for communication with the SEE Server.

Additionally, when the SEE Server is installed on a domain controller, a domain account is created for use by the SEE Server instance.

Good security practice dictates that account passwords be changed regularly. Regular Windows users are prompted to change their passwords by the Windows password policy. The ADAM accounts, however, are not tied to specific users; they are used by the SEE snap-ins and the SEE Client application, so changing their passwords without updating those consumers interrupts the administrative functions of SEE, breaks communication between the SEE Server and the SEE Client Computers, or both.

To allow regular password changes for the ADAM accounts without causing such failures, observe the following if you plan to change the password of, or expire, the ADAM client account:

Create a new GPO, enter the new ADAM client credentials in the Framework Computer Policy - Client Monitor settings panel, and apply this GPO containing the updated ADAM client information to all SEE Client Computers.

This will ensure that the SEE Client Computers will have uninterrupted communication with the SEE Server.

SEE Server Backup and Restore

The need for a comprehensive back-up strategy goes beyond the obvious immediate goal of maintaining a high availability system. Making frequent backups provides the ability to quickly restore previously deleted objects or to roll back a set of modifications to a previous version with minimum impact on users. Although the scenarios presented here use the Windows backup utility, you may use any backup utility capable of doing a System State back-up.

The various data comprising the SEE system is stored in two places:

Active Directory holds the user, group, and policy information.

The SEE Server is the repository for all keying material, Full Disk recovery data, status, and other information generated by client workstations.

A full backup or restore of an SEE installation requires that all data files associated with both the Active Directory and the SEE Server environments be backed up or restored separately. Because most organizations already perform a regular backup of Active Directory, backing up the SEE Server is the only additional task necessary. This section shows the individual steps necessary for accomplishing a back-up and restore of the SEE data stored in the SEE Server.

Policy Administrator Guide SEE Server

SEE Server Backup and Restore Basics

Both Active Directory and the SEE Server may be backed up in place while they are running; they may be restored only while they are offline. Taking Active Directory offline entails restarting the domain controller in Directory Services Restore Mode.

Because ADAM runs as a system service, taking the SEE Server offline only requires stopping the ADAM instance for the duration of the restore. The SEE Server instance may be restarted as soon as the restore operation completes. Back-ups made while the SEE Server or Active Directory is running may not reflect changes written to them while the back-up operation is executing.

Authoritative Restore vs. Non-Authoritative Restore

Multiple Windows Server 2003 domain controllers used together offer built-in load balancing and fault tolerance by replicating directory changes between them. A domain controller holding the current copy of the data is said to be authoritative; a non-authoritative domain controller holds older data, for example one that has just been restored from a back-up and has not yet received updates through replication.

It’s a good idea to run multiple domain controllers to take advantage of this fault-tolerant behavior, but if you are only operating a single domain controller and thus cannot update a restored server from a second one via replication, you will instead need to perform a partial or full authoritative restore using the ntdsutil command line utility.

A partial or full authoritative restore may also be necessary in cases where objects or subtrees have been deleted or corrupted, or if you wish to roll back object modifications to a previous version.

ADAM Components to be Backed up

Database and log files specific to the SEE Server instance reside in the path:

%ProgramFiles%\Microsoft ADAM\<Instance Name>, where <Instance Name> is the SEE Server instance name.

ADAM application files and administration tools reside in the path:

%windir%\ADAM

Example Scenarios for SEE Server Backup and Restore

The following scenario demonstrates a backup followed by an authoritative restore and verify.

Backing up an ADAM Instance

1. Click Start, point to All Programs, point to Accessories, point to System Tools, then click Backup.

2. In the Backup or Restore Wizard, click the link for Advanced Mode.

3. Click the Backup tab, and then, on the Job menu, click New.

4. From the Tools menu, click Options. In the Restore tab of Options, click Always replace the file on my computer.

5. To select the ADAM instance folders to back up, select the check box to the left of each folder. The following table lists the default ADAM file directories:

Directory                                        Contents
%ProgramFiles%\Microsoft ADAM\<Instance Name>    Database files and log files of the ADAM instance named <Instance Name>
%windir%\ADAM                                    Application files and administration tools

To back up the system state, select the System State check box.


If a tape drive is not connected to the computer, the Backup destination option is unavailable and is automatically set to File.

6. In Backup media or file name:

When backing up files and folders to a file, type a path and file name for the backup (BKF) file, or click Browse to find a file.

If backing up files and folders to a tape, select the tape to use.

7. To select another backup option, such as the backup type and the backup log type, on the Tools menu, click Options.

8. Click Start Backup, and then make any changes in the Backup Job Information dialog box.

9. To set advanced backup options, such as data verification or hardware compression, click Advanced.

10. Click Start Backup to start the backup operation.

Restoring an ADAM Instance

To restore a backup of an ADAM instance, stop the ADAM instance using the Services administrative tool and then use the Windows interface of Backup to perform the restore operation. If objects in the directory are inadvertently deleted or modified, and those objects are replicated in a configuration set, you must authoritatively restore them so that the correct version of each object is the one that replicates.

Non-Authoritative Restore of an ADAM Instance

1. After stopping the ADAM instance, open Backup. Click Start, point to All Programs, point to Accessories, point to System Tools, then click Backup.

2. In the Backup or Restore Wizard, click the link for Advanced Mode.

3. In Advanced Mode, click the Restore and Manage Media tab.

4. Select the backup file for the instance to restore by clicking its checkbox.

5. In Restore files to, click Original location.

6. From the Tools menu, click Options. In the Restore tab of Options, click Always replace the file on my computer. Click OK.

7. Click Start Restore.

8. When the Confirm Restore dialog appears, click OK.

9. When the restore is done, click Close in the Restore Progress dialog.

After restoring a backup of an ADAM instance, perform the authoritative restore of the ADAM instance.

Authoritative Restore of an ADAM Instance

Open an ADAM Tools Command Prompt and run dsdbutil as follows.

1. Click Start, point to All Programs, point to ADAM, then click ADAM Tools Command Prompt.

2. At the command prompt, type dsdbutil.

3. At the dsdbutil prompt, type authoritative restore.

If data has been backed up from an NTFS volume, it is recommended that you restore the data to an NTFS volume which uses the same version of NTFS in order to prevent loss of data.


4. At the authoritative restore prompt, type one of the commands listed in Table 6.1.

Table 6.1—Authoritative Restore Commands

Command                 Description
restore database        Performs an authoritative restore of the entire directory database
restore object [dn]     Performs an authoritative restore of the directory object whose distinguished name is [dn]
restore subtree [dn]    Performs an authoritative restore of the directory subtree whose distinguished name is [dn]

The ADAM instance has now been restored.

Backup and Restore of the OTP Keys

The OTP keys are critical key material used for various SEE tasks. These keys are created the very first time the SEE Framework is installed on a Manager Computer. The ability to restore an existing set of OTP keys from a backup is crucial to SEE Server recovery.

OTP Key Backup

When the OTP keys are created during the SEE Framework installation process, you are prompted to save a backup of the OTP keys. This backup, known as the random string backup, is encrypted using the Management Password.

You can also perform a backup of the OTP keys after they have been created. Using a batch file, RecoverOTP.bat, you can extract the OTP key data from the SEE Server and save it in standard LDF format.

Using the RecoverOTP Batch File

Note that the RecoverOTP batch file uses the ldifde.exe utility installed as part of ADAM and must be run from the SEE Server.

1. Launch the RecoverOTP batch file to see the command syntax.


2. Invoke the RecoverOTP batch file with the following command-line parameters:

RecoverOTP /export "[path]\filename.ldf" port username domain password

where [path] is the actual path on the SEE Server where you want to save the exported key file filename.ldf, port is the port used by the SEE Server, and username, domain, and password are the credentials of the ADAM administrator account.

Figure 6.2—RecoverOTP Batch File, Command Line for Export

The export process is shown in the following screen shot.

Figure 6.3—RecoverOTP Batch File, Export Completed

3. Once completed, press any key to exit the batch file. The OTP keys have now been exported and saved.
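Before an exported LDF file is trusted as the only copy of the OTP keys, or fed back in with RecoverOTP /import, it is worth confirming that it actually holds the key object and nothing else. The following is an added example, not code from the SEE product or the RecoverOTP batch file: it parses LDIF (the format ldifde.exe reads and writes, including folded lines and "::" base64 values) and checks that the file contains exactly one record, the CN=AdminPassRecovery object under OU=AdminsStore,DC=EncryptionAnywhere,DC=com named in the ADSI Edit procedure below, with changetype add and at least one attribute beyond the structural ones. The sample LDF is constructed; the attribute name otpKeyPair in it is hypothetical, since this page does not document the schema attributes the SEE Server stores the keys in.

```python
"""Pre-import sanity check for an exported OTP key LDF file.

Added example (not part of SEE or the RecoverOTP batch file): parses the LDIF text
that a tool such as RecoverOTP /export writes via ldifde.exe and confirms it holds
exactly the AdminPassRecovery object before it is imported into a fresh SEE Server.
"""
import base64

# DN of the OTP key object as named in the ADSI Edit procedure in this chapter.
EXPECTED_DN = "CN=AdminPassRecovery,OU=AdminsStore,DC=EncryptionAnywhere,DC=com"

# Attributes that carry no key material; a record with nothing else is suspect.
STRUCTURAL_ATTRS = {"changetype", "objectclass", "cn", "name", "description", "instancetype"}

# Constructed sample export. 'otpKeyPair' is a hypothetical attribute name; the real
# schema attribute names used by the SEE Server are not documented on this page.
SAMPLE_LDF = """\
# exported by a hypothetical RecoverOTP /export run
dn: CN=AdminPassRecovery,OU=AdminsStore,DC=EncryptionAnywhere,DC=com
changetype: add
objectClass: top
objectClass: container
cn: AdminPassRecovery
otpKeyPair:: QUJDREVGR0hJSktMTU5PUA==
description: constructed sample rec
 ord folded across two lines

"""


def parse_ldif(text):
    """Parse LDIF text into a list of {'dn': str, 'attrs': {name: [values]}}.

    Handles folded lines (a leading space continues the previous line), '::'
    base64 values (returned as bytes) and '#' comments. Attribute names are
    lower-cased so lookups are case-insensitive, as LDAP attribute names are.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute (':<') not accepted in a key export")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            if current is not None:
                raise ValueError("new dn without a blank-line record separator")
            dn = value.decode("utf-8") if isinstance(value, bytes) else value
            current = {"dn": dn, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before any dn: {line!r}")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        records.append(current)
    return records


def check_otp_export(text, expected_dn=EXPECTED_DN):
    """Return a list of problems; an empty list means the file looks importable."""
    try:
        records = parse_ldif(text)
    except ValueError as exc:
        return [f"parse error: {exc}"]
    if not records:
        return ["file contains no records"]
    problems = []
    if len(records) != 1:
        problems.append(f"expected exactly one record, found {len(records)}")
    for rec in records:
        if rec["dn"].lower() != expected_dn.lower():
            problems.append(f"unexpected object in export: {rec['dn']}")
        changetype = [v.lower() for v in rec["attrs"].get("changetype", ["add"])]
        if changetype != ["add"]:
            problems.append(f"{rec['dn']}: changetype {changetype} is not 'add'")
        if not set(rec["attrs"]) - STRUCTURAL_ATTRS:
            problems.append(f"{rec['dn']}: no attributes beyond structural ones; key material missing?")
    return problems


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDF
    issues = check_otp_export(data)
    print("OK: export contains the OTP key object" if not issues else "\n".join(issues))
```

Run it against the exported file (python check_otp.py "[path]\filename.ldf") on the SEE Server before you rely on the file. A real ldifde export is written in the system ANSI code page unless ldifde was run with -u, in which case the file is Unicode; adjust the encoding argument accordingly. The changetype check matters because an import of a changetype: add record fails if the object already exists, which is why the restore procedures below require that the target SEE Server contain no OTP keys.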

OTP Key Restore

Two methods are available for restoring OTP key data:

the Recover OTP Keys Utility, and

the RecoverOTP batch file.

The Recover OTP Keys Utility is a stand alone application that restores the OTP Key data from a random string backup file. The RecoverOTP batch file restores a previously saved LDF format backup to the SEE Server.

These tools are designed to be used in the following situations:

You are restoring to a freshly prepared SEE Server on which the SEE Framework has not been installed and the OTP keys have not been generated.

Any existing OTP keys have been manually deleted using ADAM ADSI Edit (see “Remove Existing OTP Keys” later in this chapter).

Whether you restore with the Recover OTP Keys Utility or with the batch file, the target SEE Server must not already contain OTP keys.


Using the Recover OTP Keys Utility

1. Launch the Recover OTP Keys Utility, RecoverOTPKeys.exe.

Figure 6.4—Recover OTP Keys Utility

2. In the ADAM admin username and ADAM admin password boxes, type the credentials of the ADAM administrator account. Click Connect to ADAM. The status window shows a list of discovered ADAM instances.


3. Click Check OTP keys. This searches ADAM for an existing set of OTP keys. The status window shows the results of the search.

Figure 6.6—Recover OTP Keys Utility, Check OTP keys

In Figure 6.6, the status window indicates that existing OTP keys have been found and that they must be removed before continuing. If your ADAM instance contains existing OTP keys, see “Remove Existing OTP Keys” later in this chapter. If you are restoring to a fresh installation of the SEE Server that has not yet been populated with OTP keys, the status window indicates that the OTP key pair was not found in ADAM (see Figure 6.7).


Figure 6.7—Recover OTP Keys Utility, OTP Key Pair Missing

You are now ready to restore the OTP key pair from the random string backup you saved as part of the SEE Framework installation process.

4. Click Browse, navigate to the random string backup file and select it, then click OK.

5. In Management Password, type the 16–32 character Management Password you established when saving the random string backup. Type the password again in Confirm Password.

6. Click Create new OTP keys. The Confirm OTP creation dialog displays showing the LDAP address of the AdminsStore object being created in ADAM. Click Yes.

Figure 6.8—Confirm OTP Creation


7. The status window of the Recover OTP Keys Utility indicates that the OTP key pair was successfully restored.

Figure 6.9—Recover OTP Keys Utility, OTP Key Pair Created

8. Click Close. The OTP keys have now been restored.

If you are running multiple SEE Servers, you should initiate a manual replication operation to make sure that all SEE Servers in the system will use the OTP keys you have just restored.

Using the RecoverOTP Batch File

Note that the RecoverOTP batch file uses the ldifde.exe utility installed as part of ADAM and must be run from the SEE Server.

1. Launch the RecoverOTP batch file to see the command syntax.

Figure 6.10—RecoverOTP Batch File, Usage


In this example, we are importing a backup of the OTP keys that we exported previously using the same batch file.

2. Invoke the RecoverOTP batch file with the following command-line parameters:

RecoverOTP /import "[path]\filename.ldf" port username domain password

where [path] is the actual path on the SEE Server where the previously exported file filename.ldf was saved, port is the port used by the SEE Server, and username, domain, and password are the credentials of the ADAM administrator account.

Figure 6.11—RecoverOTP Batch File, Command Line for Import

3. The import process is shown in the following screen.

Figure 6.12—RecoverOTP Batch File, Import Completed

4. Once completed, press any key to exit the batch file. The OTP keys have now been restored.

If you are running multiple SEE Servers, you should initiate a manual replication operation to make sure that all SEE Servers in the system will use the OTP keys you have just restored.

Remove Existing OTP Keys

Use the following steps to manually remove the OTP keys from the SEE Server by binding to the ADAM instance and deleting the AdminPassRecovery object in the AdminsStore container.

Exercise extreme caution when performing this procedure: objects deleted from ADAM can only be restored from a valid backup. Deleting other objects from the SEE Server can cause serious problems, such as loss of client connectivity and of the ability to recover client data.

1. Click Start, point to All Programs, point to ADAM, then click ADAM ADSI Edit. The ADAM ADSI Edit snap-in opens.


Figure 6.13—ADAM ADSI Edit, Bind to the ADAM Instance

3. In the Connection Settings window, use the following settings to bind to the SEE Server instance:

In the Server name box, use the default value localhost.

In the Port box, type 389 (or whatever LDAP port number you specified during ADAM installation).

Click Distinguished name (DN) or naming context, and in the box type dc=EncryptionAnywhere,dc=com.

Click This account, select the domain user account of the ADAM Administrator from the User name list, then type the password for that account.

4. Click OK to bind to the SEE Server instance.

5. Once your credentials have been accepted, expand the My Connection object in the left navigation pane of the snap-in window. Expand the container named dc=EncryptionAnywhere,dc=com and click on the container OU=AdminsStore. In the right pane, right-click the CN=AdminPassRecovery object and choose Delete. Click Yes to confirm the delete operation.


Figure 6.14—ADAM ADSI Edit, Delete AdminPassRecovery Object

The AdminPassRecovery object, including the OTP keys, has been deleted. You are now ready to restore the OTP keys using either the Recover OTP Keys Utility or the RecoverOTP batch file.


Appendix A

Framework System Events List

The following table lists the 196 individual SEE Framework–generated Windows system events logged on the client.

The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.1—Framework System Events

Event ID  Severity  Description
0         Error     Internal: Cannot map event ID to string.
1         Info      Internal: Audit functions started.
2         Info      Internal: Audit functions ended.
3         Info      Program Action: Successful client logon/authentication attempted with password.
4         Warning   Program Action: Unsuccessful client logon/authentication attempted with password.
5         Info      Program Action: Successful client logon/authentication attempted with token.
6         Warning   Program Action: Unsuccessful client logon/authentication attempted with token.
7         Info      Program Action: Successful logon/authentication attempted with One-Time Password.
8         Warning   Program Action: Unsuccessful logon/authentication attempted with One-Time Password.
9         Info      Program Action: Successful logon/authentication attempted with Authenti-Check.
10        Warning   Program Action: Unsuccessful logon/authentication attempted with Authenti-Check.
11        Warning   Program Action: Number of client logon attempts exceeded the maximum allowed.
12        Info      Program Action: User password changed successfully.
13        Info      Program Action: User password changed unsuccessfully.
14        Warning   Program Action: User program uninstallation attempted.
15        Info      Program Action: User changed Authenti-Check questions and answers successfully.
16        Info      Program Action: Client Administrator has unregistered user.
17        Info      Program Action: User password resynchronized with Windows password.
18        Warning   Program Action: Computer locked due to failure to communicate with SEE Manager.
19        Warning   Program Action: User password expired.
20        Info      Program Action: User registration completed.
21        Warning   Program Action: Final grace logon reached.
22        Info      Program Action: User logged on after hibernation.
23        Info      Program Action: Client program installation attempted.
24        Info      Program Action: Client program upgrade attempted.
25        Info      Program Action: Grace logon attempted.
26        Info      Program Action: Authenti-Check questions and answers created.
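The severities in Table A.1 are only useful once the events are collected from the client computers and triaged. The following is an added example, not code from SEE or this guide: it maps a subset of the table's Event IDs, alerts unconditionally on the events a security team should never miss (11, lockout after too many attempts; 14, an attempted uninstall of the client; 18, a computer locked because it lost contact with the SEE Manager), and correlates bursts of failed authentications (4, 6, 8, 10) per computer with a sliding time window, so a single mistyped password is ignored but the run of failures that precedes a lockout is reported. The events, the threshold of three failures and the ten-minute window are constructed and illustrative; they are not SEE settings or real log data.

```python
"""Triage SEE Framework client events using the severities in Table A.1.

Added example, not part of the SEE product or this guide: given Framework events
collected from client computers (here a constructed sample), it alerts on events a
security team would never want to miss and correlates bursts of failed
authentications per computer.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of Table A.1 (Event ID -> severity, description), copied from the page.
FRAMEWORK_EVENTS = {
    3: ("Info", "Successful client logon/authentication attempted with password"),
    4: ("Warning", "Unsuccessful client logon/authentication attempted with password"),
    5: ("Info", "Successful client logon/authentication attempted with token"),
    6: ("Warning", "Unsuccessful client logon/authentication attempted with token"),
    7: ("Info", "Successful logon/authentication attempted with One-Time Password"),
    8: ("Warning", "Unsuccessful logon/authentication attempted with One-Time Password"),
    9: ("Info", "Successful logon/authentication attempted with Authenti-Check"),
    10: ("Warning", "Unsuccessful logon/authentication attempted with Authenti-Check"),
    11: ("Warning", "Number of client logon attempts exceeded the maximum allowed"),
    14: ("Warning", "User program uninstallation attempted"),
    16: ("Info", "Client Administrator has unregistered user"),
    18: ("Warning", "Computer locked due to failure to communicate with SEE Manager"),
}
FAILED_AUTH = {4, 6, 8, 10}   # one failure is noise; a burst is not
ALWAYS_ALERT = {11, 14, 18}   # lockout, uninstall attempt, lost contact with Manager

# Constructed sample events as (timestamp, computer, event ID); not real log data.
SAMPLE_EVENTS = [
    ("2009-03-02 08:00:05", "WS-0412", 3),
    ("2009-03-02 08:11:40", "WS-0412", 4),
    ("2009-03-02 08:12:02", "WS-0412", 4),
    ("2009-03-02 08:12:35", "WS-0412", 8),
    ("2009-03-02 08:13:10", "WS-0412", 4),
    ("2009-03-02 08:13:30", "WS-0412", 11),
    ("2009-03-02 09:02:00", "WS-0077", 4),
    ("2009-03-02 13:45:00", "WS-0077", 4),
    ("2009-03-02 14:20:00", "WS-0099", 14),
    ("2009-03-02 15:00:00", "WS-0099", 99),
]


def triage(events, threshold=3, window=timedelta(minutes=10)):
    """Return sorted (computer, finding) pairs.

    threshold and window are illustrative tuning values, not SEE settings: a
    computer is reported once when at least `threshold` failed authentications
    fall inside any span of length `window`.
    """
    findings = []
    failures = defaultdict(list)
    for stamp, host, event_id in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id in ALWAYS_ALERT:
            findings.append((host, f"event {event_id}: {FRAMEWORK_EVENTS[event_id][1]}"))
        elif event_id in FAILED_AUTH:
            failures[host].append(when)
        elif event_id not in FRAMEWORK_EVENTS:
            findings.append((host, f"event {event_id}: not in the mapped subset of Table A.1"))
    for host, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((host, f"{end - start + 1} failed authentications within {window}"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

On the sample data WS-0412 yields both the burst of failures and the lockout event 11 that follows it, WS-0099 yields the uninstall attempt and an unmapped ID for manual review, and WS-0077, whose two failures are hours apart, yields nothing. Extend FRAMEWORK_EVENTS from the full table when you have it, and treat an unmapped ID as something to look up rather than discard.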
